commit 61757ac78bbff8364c24e9aabdc612a35ae76911
Author: Robin Sommer <robin@icir.org>
Date:   Mon Sep 27 20:42:30 2010 -0700

    Initial import of svn+ssh:://svn.icir.org/bro/trunk/bro as of r7088

diff --git a/AUTHORS b/AUTHORS
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/CHANGES b/CHANGES
new file mode 100644
index 0000000000..ef3f8c35d1
--- /dev/null
+++ b/CHANGES
@@ -0,0 +1,7466 @@
+@(#) $Id: CHANGES 7076 2010-09-13 02:42:27Z vern $
+
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+1.5.2.7 Sun Sep 12 19:39:49 PDT 2010
+
+- Addressed a number of lint nits (Vern Paxson).
+
+
+1.5.2.6 Sun Sep 12 17:00:13 PDT 2010
+
+- The SWIG file now explicitly lists those pieces from broccoli.h which it
+  wants to wrap, rather than just including all of broccoli.h (Robin Sommer).
+  This fixes the problem that the SWIG bindings depend on what configure
+  finds out about the availability of libpcap even though the corresponding
+  functions don't need to be wrapped anyway.
+
+- http-header.bro now includes a global include_header: set[string]
+  (Robin Sommer).  If it contains any strings, then only those headers
+  will be processed.  If left empty, then you continue to get the current
+  behavior of processing all headers.
+
+- Several changes to drop.bro (Robin Sommer):
+
+	* If true, the new flag Drop::dont_drop_locals indicates that
+	  local hosts should never be dropped.  On by default.
+
+	* If true, the new flag Drop::debugging activates extensive debugging
+	  output for the catch-and-release logic.  Off by default.
+
+	* The timeout for tracking dropping information is now 1 day
+	  rather than 7 days, to better echo the one-restart-a-day semantics
+	  used in the past.
+
+	* Bug fix for hosts once dropped by later cleared; some state
+	  for them persisted.
+
+- Portability fix for Broccoli Python bindings on 64-bit platforms (Robin
+  Sommer).
+
+- The HTTP analyzer no longer attempts to track Server/User-Agent
+  versions, as these are hugely voluminous (Seth Hall).  Ideally this
+  would still be available as an option for someone who truly wants
+  the full set.
+
+- HTTP and SMTP no longer have extra-short inactivity timeouts, as
+  these were too often leading to premature expiration of a connection
+  (Robin Sommer).
+
+- The "rst" tool (aux/rst/) now takes an optional "-I <text>" argument
+  that instructs it to inject <text> as payload rather than sending a RST
+  packet (Vern Paxson).  <text> must be NUL-terminated, and the NUL is not
+  included.
+
+- Bug fix for crashes in the DNS analyzer when processing replies for
+  which no request was seen (Robin Sommer).
+
+
+1.5.2.5 Mon Jul 19 16:20:58 PDT 2010
+
+- Removed now-quite-stale SSHv1 overflow detection, as it's more prone
+  to false positives than useful detection (Vern Paxson).
+
+
+1.5.2.4 Fri Jun  4 16:02:11 PDT 2010
+
+- Bug fixes for terminating connections (Tyler Schoenke and Vern Paxson).
+
+
+1.5.2.3 Wed Mar 24 18:23:57 PDT 2010
+
+- Bug fixes for --enable-int64 and for avoiding bogus statistics /
+  bad memory references when generating profiling information upon
+  exit (Vern Paxson).
+
+
+1.5.2.2 Tue Jan 12 12:33:42 PST 2010
+
+- Broccoli compiler warning fixes (Kevin Lo).
+
+
+1.5.2.1 Sun Jan 10 16:59:01 PST 2010
+
+- Bug fix for Active Mapping support (Kevin Lo).
+
+
+1.5.2 Sat Dec 26 18:38:37 PST 2009
+
+- Portability fixes for --enable-int64 (Vern Paxson).
+
+
+1.5.1 Fri Dec 18 15:17:12 PST 2009
+
+- Due to a Python configuration problem, the original 1.5 distribution
+  did not include the BroControl component, which also introduced a
+  portability problem for CentOS.  These issues have now been fixed (Robin
+  Sommer and Vern Paxson).
+
+
+1.5 Wed Dec 16 21:28:47 PST 2009
+
+- Bro now comes with a new framework, BroControl, for managing an
+  operational Bro setup, including support for installation, configuration,
+  and maintainance tasks such a log archival and mail notification.  The
+  framework transparently supports both traditional standalone setups as
+  well as cluster installations in which multiple Bro boxes coordinate to
+  analyze a high-volume network link.
+
+  See aux/broctl/README for more information about BroControl.
+
+  Note, BroControl supersedes the older BroLite system, which is no longer
+  supported and has been deprecated for a while now.
+
+- Numerous adjustments to DPD = dynamic protocol detection (Robin Sommer):
+
+    o The Analyzer::ProtocolViolation?() method can now be passed the
+      offending data (which POP3, SMTP, and FTP now do).  This information
+      is added to the "reason" string passed to the script level.
+
+    o SMTP now more accurately reports violations.
+
+    o FTP stops processing when client & server successfully negotiate
+      an AUTH scheme (leading to subsequent encryption).
+
+    o Analyzer::ProtocolViolation() is virtual, and
+      TCP_ApplicationAnalyzer() overrides it to not report violations
+      for any partial connections, because very likely these arise just
+      due to the analyzer getting confused.
+
+    o TCP::IsPartial() returns true if any side did not start with
+      a SYN packet (used to be just be for the originator).
+
+    o The connection_state_remove handler in conn.bro now has a higher
+      &priority so that other handlers for the same event can use
+      determine_service() and see any changes it performs.
+
+    o DynDisable:max_volume specifies a volume limit (default 10K).
+      Once a connection exceeds this limit, further protocol
+      limitations will neither raise ProtocolViolation notices nor
+      cause the analyzer to be disabled.
+
+    o The event engine no longer raises protocol_violation events for
+      TCP connections which had gaps, as these have proven too unreliable.
+      (Note that, ideally, the *analyzers* should avoid reporting
+      protocol_violations when they can't reliably parse a connection
+      anymore after a gap; but many don't.)
+
+- A set of new script functions provide support for incrementally computing
+  MD5 checksums (Seth Hall).
+
+	md5_hash_init(index: any): bool
+		Initializes an incremental hashing instance.  "index" is
+		a value of arbitrary type, used to identify this particular
+		instance (you can have multiple concurrent instances by
+		using different index values).  Returns T on success,
+		F on failure (such as the index is already in use).
+
+	md5_hash_update(index: any, data: string): bool
+		For the given hashing instance, updates the hash
+		based on the given data.  Returns T on success, F on
+		failure (such as the index has not been initialized).
+
+	md5_hash_finish(index: any): string
+		Returns the MD5-printable hash for the given index
+		and terminates the instance, or the string "" if the
+		index was not active.
+
+- Bro now supports a believed-to-be-robust mechanism for estimating the
+  proportion of traffic that it failed to capture ("measurement drops"),
+  which can arise due to overload in either Bro itself, the kernel's
+  packet filter, or problems with the link tapping mechanism (Vern Paxson).
+  The event engine can generate estimates for either live traffic or what
+  was previously recorded in a trace file, though traces subject to some
+  forms of selective omission (such as skipping over parts of a connection
+  to reduce storage) can lead to erroneous values.
+
+  The estimates are based on observing gaps in TCP data streams, and
+  come in two forms: the rate at which such gaps appear, and the relative
+  volume of data missing due to the gaps.  (We've found however that the
+  volume-based estimator is not robust due to occasional packets with
+  incorrect sequence numbers, so this estimator is off by default.)
+
+  The easy way to get the estimates is to load capture-loss.bro.
+  By default, it generates a CaptureLossSummary notice upon Bro's exit,
+  which can look like:
+
+	1130222759.344066 CaptureLossSummary estimated rate = 0.00089124 / 0.000970997 (events/bytes)
+
+  If the estimated loss is none, however, it suppresses this notice,
+  unless you redef CaptureLoss::summary_if_none to T.
+
+  You can also get finer-grained access by defining a "gap_report"
+  event handler and redef'ing gap_report_freq to a non-zero interval
+  (such as "10 sec").  This event allows you to pinpoint regions in
+  time that exhibit significant capture loss.  See capture-loss.bro
+  for an example of a handler for this event.
+
+  Finally, these changes include a number of fixes to Bro's
+  ack_above_hole/content_gap analysis, which is now significantly
+  more robust.
+
+- GeoIP support now supports ASN lookups via the built-in
+  function lookup_asn(a: addr): count (Scott Campbell and Seth Hall).
+
+- The GeoIP built-in's lookup_location() and lookup_asn() now
+  support IPv6 (Seth Hall).  Note, the current GeoIP distribution
+  doesn't include any IPv6 databases, so for now these won't succeed,
+  but the hooks are in place for when databases become available.
+
+- lookup_location() now falls back back to the country database if
+  the city database isn't available (Seth Hall).
+
+- The new SuccessfulPasswordGuessing Notice is generated when a host
+  has been seen attempting password guessing (currently only for FTP
+  sessions) and then successfully logs in (Royal Chan).  You can control the
+  threshold for such reports in terms of how many attempts the host must
+  have made by redef'ing the variable password_guessing_success_threshhold,
+  which defaults to 20.
+
+- The new script http-detect-passwd.bro analyzes the Web items returned
+  for fetches that appear to be accessing the passwd file (Akhil Dhar).
+  It generates a PasswordFullFetch Notice if it appears that the item
+  includes a full password file, and PasswordShadowFetch if it looks like
+  a shadowed password file.
+
+- The new built-in
+
+	system_env(cmd: string, env: table[string] of string)
+
+  works like system(), but puts the table entries into the environment
+  before invoking the command (Robin Sommer).  Each <index> in the table
+  creates an environment variable of the form "BRO_ARG_<index>", whose
+  value is the corresponding table entry.
+
+- The new script function
+
+	execute_with_notice(cmd: string, notice_info)
+
+  executes "cmd" with an environment containing the fields of the
+  notice_info, i.e., the information associated with a Notice (Robin Sommer).
+  Per the new system_env() function above, the environment variables appear
+  as "BRO_ARG_<tag>", where <tag> is the field tag as it appears in
+  notice.log when you enable use_tagging.
+
+- The new built-in enable_raw_output(file) acts the same as
+  the attribute &raw_output (Seth Hall).
+
+- The new built-in file_opened(f: file) event is generated any time Bro
+  opens a script-level file (Justin Azoff).  You can use this, for example,
+  if you want to ensure that a given file has a prelude in it such as
+  human-readable headers, even when the file is rotated.
+
+- The notice_info record has a new field
+
+	aux: table[string] of string &optional
+
+  which you can use for information specific to a given type of notice
+  (Robin Sommer).  Entries in $aux appear as "aux_<index>" tags in notice.log.
+
+- Another new notice_info record field is the boolean do_alarm (default=T),
+  which, if set to F, overides a notice action otherwise specifying to
+  generate an alarm (Robin Sommer).  In other words, if do_alarm is F, no
+  alarm will be generated independent of the notice action.
+
+  This is a work-around for the fact that we can't specify more than one
+  action.  In particular, we couldn't NOTICE_DROP but then *not* alarm,
+  which we now can by returning NOTICE_DROP yet setting do_alarm to F.
+
+- The notice_info record field $dropped now appears in the tagged output
+  format if true (Robin Sommer).
+
+- NOTICEs relating to scan detection now no longer include the connection
+  that triggered the notice, as it really doesn't contain any useful
+  information, given that the particular trigger simply depends on the
+  detection algorithm and its parameters (Robin Sommer).  However, we do
+  explicitly set $p (port number) in the notice, and also $n with the
+  number of attempts.
+
+- drop.bro now hardwires a Catch-and-Release redrop after seeing one
+  connection from a previously-dropped-but-already-released host
+  (Robin Sommer).
+
+- drop.bro now provides some new hooks (Robin Sommer):
+
+	event address_dropped(a: addr)
+		Generated when an address has been dropped.
+
+	event address_restored(a: addr)
+		Generated when connectivity to an address has been restored,
+		such as using the Catch-and-Release mechanism.
+
+	event address_cleared(a: addr)
+		Generated when an address that was dropped in the past is
+		no longer being monitored looking for new connections
+		(as part of the Catch-and-Release mechanism).
+
+- The new built-in function
+
+	hexdump(data_str: string) : string
+
+  returns a hex dump representation of the given input data (Christian
+  Kreibich).  The dump renders 16 bytes per line, with hex on the left and
+  ASCII (where printable) on the right.
+
+- Bro's notion of when a TCP connection begins now dastes to the first
+  instance of an initial SYN packet seen, rather than the last (Gregor Maier).
+
+- The Time Machine script tm-contents.bro now generates
+
+	event contents_saved: event(c: connection, orig_file: string,
+					resp_file: string)
+
+  when the content of a connection has been completely saved to disk
+  (Robin Sommer).
+
+- The mime.bro script now exports the MIME header callback table, and also
+  marks it as &redef'able so you can modify its entries (Matthias Vallentin).
+  The mime_log file is also now exported.
+
+- A new signature file, policy/sigs/http-bots.sig, contains signatures
+  to detect some of the current HTTP based controlled bot families (Seth Hall).
+
+- The signature engine's HTTP pattern matching has been fixed (Seth Hall)
+  to align with the documentation at:
+
+  http://www.bro-ids.org/wiki/index.php/Reference_Manual:_Signatures#Content_conditions
+
+  In particular, the content condition "http" is now referred to as
+  "http-request" (though "http" still works for backward compatibility),
+  "http-request-header" and "http-reply-header" now provide access to
+  headers seen in only one direction, and similarly for "http-request-body"
+  and "http-reply-body".  (This latter is still accessible as "http-body"
+  for backwards compatibility.)
+
+- The new script variable max_remote_events_processed: count (default 10)
+  sets a limit on the number of remote events processed in each round,
+  before tending to other inputs (Robin Sommer).
+
+- If you set the new script variable dump_used_event_handlers to T,
+  then on startup Bro dumps out all of the event handlers that the
+  loaded set of scripts can invoke (Matthias Vallenti).
+
+- Summaries for DNS PTR scanning now use a separate Notice,
+  DNS_PTR_Scan_Summary, rather than overloading DNS_PTR_Scan (Robin Sommer).
+
+- scan.bro now provides a table skip_dest_server_ports: set[addr, port]
+  which lists servers (defined as an address and a port) excluded from
+  scan detection computations (Craig Leres and Jay Krous).
+
+- When redefining values on the command line directly (using var=value),
+  quotation marks are now implicit only if "var" is a variable of type
+  string (Christian Kreibich).  This allows other string-like values
+  (such as enum's) to be passed as well.
+
+- scan.bro now explicitly loads conn.bro so that it can itself
+  be loaded independently (Robin Sommer).
+
+- login.bro depends on scan.bro (because of tracking authentication
+  "scans"), so now it explicitly loads it (Vern Paxson).
+
+- UDP_datagram_length_mismatch is now by default flagged just once per
+  originating host rather than once per connection, as it can generate
+  tons of messages (Vern Paxson).
+
+- Removed now-long-boring flagging of access to Solaris "listen"
+  service as "hot" (Vern Paxson).
+
+- Removal of libedit, since libreadline provides similar functionality
+  (Christian Kreibich).
+
+- Added scripts missing from distribution: dce.bro, ncp.bro, and smb.bro
+  (Vern Paxson).
+
+- ssh.bro now exports ssh_ports (Seth Hall)
+
+- A number of improvements to inter-Bro communication (Robin Sommer).
+
+ (1) Remote communication now no longer includes location information for
+ serialized objects; that removes quite a bit of redundacy from the network
+ traffic.
+ 
+ (2) The new option 'remote_check_sync_consistency" disables the cross-check
+ on the receiving side of &synchronized state of whether the current value
+ of a variable has the value expected by the sender. Transmitting the
+ original values in addition to the updates generates quite a bit CPU &
+ network load in some cases (in particular, a table of tables). The default
+ for remote_check_sync_consistency is off, and so far that in particular
+ seems to reduce the proxy's load quite a bit.
+
+ (3) Complete overhaul of the internal caching of serialized objects.  The
+ objective of the caching is avoid retransmitting already sent values over
+ and over again. It turns out, however, that some objects are very stable
+ and hardly change or get replaced (e.g., Bro types); while other change
+ all the time and are hardly reused some time later (e.g., Vals).  Now
+ we maintain *two* caches independently for these types of objects; one
+ with a low turn-over one and another with a high one.  This should reduce
+ CPU load on both sender and receiver sides.
+ 
+ The new scheme is only used if both communicating Bros support it; with
+ older Bros, as well as with Broccoli, we continue using the old scheme.
+
+- Some reworking of remote printing (Robin Sommer), as follows.  Bro now
+  uses a new interprocess message rather than print_hook events, to better
+  manage buffering and associated load (these can produce failures depending
+  on system configuration; see remote.log).  A number of timeouts and
+  buffer sizes have been tuned.  Internally, EINTR errors are now treated
+  separately from EAGAIN.  Finally, even with remote_check_sync_consistency=F,
+  one type of consistency check was still being done; this is no longer
+  the case.
+
+- The DNS analyzer now generates events (dns_query_reply/dns_rejected)
+  for replies with zero questions (Robin Sommer).
+
+- Perftools support for incompatible changes in the 1.0 API (Robin Sommer).
+
+- Rearranged (generally reducing, though not always) some state timeouts
+  associated with scan detection (Robin Sommer).  In addition, when a
+  scanning address crosses ignore_scanners_threshold (meaning that it will
+  be ignored from now on anyway), it gets discarded from all state-tracking
+  tables.  Finally, the ignore_scanners_threshold now applies all kinds
+  of scans, not just address scans.
+
+- Substantial Broccoli updates, including a new initialization requirement
+  that breaks backward compatibility, support for enqueueing serialized
+  event data for transmission, and OpenSSL threadsafe initialization.
+  See aux/broccoli/ChangeLog for details (Christian Kreibich, Robin
+  Sommer, and Matthias Vallentin).
+
+- Broccoli hashtable optimisation. See aux/broccoli/ChangeLog for
+  details (Christian Kreibich & Matthias Vallentin).
+
+- Broccoli memory leak fixed, see aux/broccoli/ChangeLog for details
+  (Christian Kreibich).
+
+- Broccoli: updates to bropipe tool (Steve Chan and Robin Sommer).
+
+- Bug fixes for Broccoli Python bindings (Robin Sommer and Matthias Vallentin).
+
+- Fixed nasty bug due to module scoping that completely kept stepping-stone
+  detection from working (Vern Paxson).
+
+- A serious bug in the packet sorter has been fixed (Robin Sommer).
+
+- Bug fix for extra NULs getting embedded in escaped strings (Seth Hall).
+
+- Bug fix for HTTP messages that use "Connection: close" rather than length
+  headers, which yielded erroneous reassembled messages with \r\n's when
+  only \n's were present (Bernhard Ager).
+
+- Fix for reporting on ICMP flows that are expired from the flow table
+  (Vern Paxson).  Previously there was a race condition if the flow
+  was flushed prior to its summary timer expiring.
+
+- The -l option (list the scripts that Bro loads) now correctly prints
+  scripts loaded by the prefix mechanism, and uses indentation to indicate
+  the load hierarchy (Robin Sommer).
+
+- A bug has been fixed (really, worked around) in drop.bro that prevented
+  dropped addresses from being properly restored (Robin Sommer).
+
+- Fixes for deadlocking problems in the Broccoli protocol. See
+  aux/broccoli/ChangeLog for details (Christian Kreibich & Robin Sommer).
+
+- Bug fix for DNS analyzer on 64-bit machines (Gregor Maier).
+
+- Bug fix for asynchronous DNS lookups to prevent some successful lookups
+  being reported as timed out (Robin Sommer).
+
+- Bug fix for tracking line numbers associated with compound statements
+  (Po-Ching Lin).
+
+- Fix for a rare condition in which the main Bro process couldn't kill
+  its child process (Robin Sommer).
+
+- Fix for file rotation when the underlying file is deleted before the
+  timer expires (Robin Sommer).
+
+- Fix for potential crash when communication connections break down,
+  and also for releasing cached objects (Robin Sommer).
+
+- Fix for default table entries computed by function invocation to not
+  cache previous results (Robin Sommer).
+
+- Fix for Bro's internal DNS resolution (Scott Campbell and Robin Sommer).
+
+- Portability fix for DAG packet capture (Gregor Maier).
+
+- Portability fix for --enable-brov6 (Robin Sommer).
+
+- Portability fixes for FreeBSD (Vern Paxson).
+
+- A work around for new_packet() crashing on IPv6 packets (Vern Paxson).
+  For now, IPv6 packets are skipped.  Also, for fragments the event handler
+  is now only called for the fully reassembled packet.
+
+- The new configuration option --disable-nbdns supports disabling non-blocking
+  DNS at configure time (Sean McCreary).  Note, there are some known problems
+  with it in some environments.
+
+- A number of configuration fixes and enhancements (Christian Kreibich
+  and Robin Sommer).
+
+- Consistency nit for the configuration process (Seth Hall).
+
+- A number of reference-counting and other memory management fixes
+  (Robin Sommer).
+
+- Bug fix for inter-Bro communication lockup (Seth Hall and Robin Sommer).
+
+- Bug fix for computing TCP payload length in new_packet event (Lothar Braun).
+
+- Bug fix for sending boolean True values via Broccoli (Seth Hall).
+
+- make distcheck fix to clean up .bif.bro files (Christian Kreibich).
+
+- Bug fix for DPD's recognition of SSLv2 connections (Seth Hall).
+
+- Bug fix for &default for tables indexed by subnets (Seth Hall).
+
+- A bug has been fixed that could crash Bro when you called get_event_peer()
+  after a remote connection had already disppeared (Robin Sommer).
+
+- Introduced a work-around for crashes that occur when Bro exits
+  due to handling a signal (Robin Sommer).
+
+- Bug fix for checkpoint.bro - don't schedule timers for times that
+  aren't actually in the future (Robin Sommer).
+
+- Hostname formatting fix for anon.bro (Fabian Schneider).
+
+- Bug fix for redundant .log extension in Time Machine log file
+  (reported by CS Lee).
+
+- Removed now-outdated special-casing of Linux reporting of packet filter
+  statistics (Peter Wurzinger and Robin Sommer).
+
+- A number of memory leaks fixed (Robin Sommer).
+
+- Addressed warnings from newer versions of g++ (Robin Sommer and Vern Paxson).
+
+- Fixed an invocation issue in the ca-create script that prevented it from
+  working with recent OpenSSL versions (Craig Leres & Christian Kreibich).
+
+- Comment fixed in drop-adapt (Justin Azoff).
+
+- Duplicate code removed from Val (Seth Hall).
+
+
+1.4 Fri Oct 17 11:08:52 PDT 2008
+
+- We are no longer supporting a previous Bro release as the "stable"
+  version.  Rather, the model now is that the current public release will
+  aim for increasing stability (occasionally updated with fixes), and those
+  who wish to use a "bleeding-edge" snapshot can do so via access to the
+  public SVN source code repository, as explained at
+
+	  http://bro-ids.org/wiki/index.php/Subversion#Public_Access
+
+  Note that all previous releases remain available from the download page;
+  what is changing is that we no longer commit to support for the most
+  recent of these.
+
+- We have clarified the copyright statement that covers most of the
+  code to remove the "advertising clause" that derived from older
+  BSD licenses, and we have removed copyright wording from most source
+  code files.  See COPYING for the current wording and a list of
+  files that retain their own copyright notices.
+
+- Bro now supports analyzing NetFlow v5 data, i.e., from Cisco routers
+  (Bernhard Ager).  NetFlow can be useful for intrusion detection as it
+  allows analysis of traffic from many different points in the network.
+  Bro can now read NetFlow data from a UDP socket, as well as (mostly
+  for debugging purposes) from a file in a specialized format.  You can
+  create these files with the programs given in aux/nftools.
+
+  Command line switches:
+
+	  -Y|--netflow <ip>:<prt>[=<id>] | read flow from socket
+
+	    This is the usual way of getting NetFlow data into Bro by
+	    opening a UDP socket on <ip>:<prt> and reading all incoming
+	    packets.  Setting the <ip> to 0.0.0.0 should work on most
+	    platforms.  Optionally you may set an identifier <id> for the
+	    source - useful if there are many different sources you want
+	    to analyze in parallel. This might also be necessary if you
+	    want to use this feature with a clustered Bro.
+
+	    Examples:
+		      bro -Y 0.0.0.0:5555 netflow
+		      bro -i eth0 -Y 10.0.0.1:1234=src1 brolite netflow
+
+	  -y|--flowfile <file>[=<ident>] 
+
+	    Used to read from a file. You can optionally include an
+	    identifier for the source.
+
+	    Examples: 
+		      bro -y myflowfile netflow
+		      bro -y myflowfile=src1 otherflowfile=src2 netflow
+
+  Netflow Events:
+
+	  event netflow_v5_header(h: nf_v5_header)
+
+	    Generated upon reading a new NetFlow PDU, as summarized in the
+	    argument.  The field h_id gives the flow source identifier and
+	    a serial number. You can use this field to associate subsequent
+	    netflow_v5_record events with their header.
+
+	  event netflow_v5_record (r: nf_v5_record)
+
+	    Every record within a NFv5 PDU generates a corresponding
+	    netflow_v5_record() event.  The relatively complex timestamp
+	    format of NFv5 is already converted to Bro's time type, and
+	    the TCP header flags are separated into bools.
+
+  The distribution includes an example analysis script, netflow.bro.
+  It simply dumps received NetFlow records.  If netflow_restitch is T
+  (the default), then Bro performs flow restitching as well, and two
+  script variables become relevant:
+
+	  global netflow_finished_conn_expire = 310 sec &redef;
+
+	    specifies how long to wait for additional flow records after
+	    a RST or FIN for
+
+	  const netflow_table_expire = 31 min;
+
+	    Its setting only affects table declarations, and therefore
+	    cannot be usefully redef'd.
+
+  Auxiliary programs:
+
+	    Bro uses a custom format for flow data stored in files,
+	    to enable preserving timestamps of the PDU arrivals and the
+	    exporter's IP address.  The tools nfcollector and ftwire2bro
+	    in aux/nftools/ provide ways to manipulate the Bro NF file
+	    format.  The first dumps NetFlow data from a UDP socket to
+	    stdout or to a file in Bro format.  The second converts NetFlow
+	    data in "wire" format to Bro format, and, while doing so,
+	    fakes up the exporter's IP address and timestamp.  You can get
+	    "wire" format from normal flow-tools files, e.g., by using
+	    'flow-export -f 4'.  Please note that the Bro format is just
+	    a hack to allow for easier debugging.  Therefore the format
+	    is not in fact platform independent, and not suitable for data
+	    storage.
+
+- A new DHCP analyzer generates the following events (Po-Ching Lin):
+
+	event dhcp_discover(c: connection, msg: dhcp_msg, req_addr: addr)
+	event dhcp_offer(c: connection, msg: dhcp_msg, mask: addr,
+	event dhcp_request(c: connection, msg: dhcp_msg,
+	event dhcp_decline(c: connection, msg: dhcp_msg)
+	event dhcp_ack(c: connection, msg: dhcp_msg, mask: addr,
+	event dhcp_nak(c: connection, msg: dhcp_msg)
+	event dhcp_release(c: connection, msg: dhcp_msg)
+	event dhcp_inform(c: connection, msg: dhcp_msg)
+
+  where dhcp_msg values look like:
+
+	type dhcp_msg: record {
+		op: count;	# 1 = BOOTREQUEST, 2 = BOOTREPLY
+		m_type: count;	# the type of DHCP message
+		xid: count;	# transaction ID of a DHCP session
+		h_addr: string;	# hardware address of the client
+		ciaddr: addr;	# original IP address of the client
+		yiaddr: addr;	# IP address assigned to the client
+	};
+
+  See dhcp.bro for the corresponding analysis script (which could
+  probably use some refinements).
+
+  Note, this analyzer is implemented using BinPAC, so you will need
+  to specify --use-binpac to activate it.
+
+- A BitTorrent analyzer is now available (Nadi Sarrar).  See the policy
+  scripts bittorrent.bro and bt-tracker.bro for the events generated for
+  analyzing transfers and tracker dialogs, respectively.
+
+- The "Bro Lite" configuration is now deprecated and will not in
+  general be supported (Robin Sommer & Vern Paxson).
+
+- "make install" now only installs a core set of files (Robin Sommer).
+  Policy files are now installed in <prefix>/share/bro/* (or whatever
+  configure determines $datadir to be), which is now in Bro's default
+  search path.  It creates a directory <prefix>/share/bro/site for local
+  policy files, and the default BROPATH is extended to include this.  The
+  default path no longer includes policy/local.  You can install the
+  additional files used by the (now deprecated) "Bro Lite" configuration
+  using "make install-brolite".
+
+- Substantial updates to Broccoli, including support for container
+  types (tables and sets) as well as a new metadata structure for event
+  callbacks, facilitating truly generic event handler implementations
+  (Christian Kreibich, Seth Hall and Robin Sommer). See aux/broccoli/ChangeLog
+  for details.
+
+- Extensive changes to allow Bro to process packets captured in the
+  past intermingled with those captured in real-time (Matthias Vallentin
+  and Robin Sommer).  This operation reflects combining Bro with use of
+  "Time Machine" functionality for packet capture.
+
+- We have unfortunately had to disable support for configuring Bro
+  to use ClamAV, since it turns out that the key interface we need
+  for processing blocks of memory directly rather than whole files
+  is no longer supported by the package, and in fact was buggy even
+  when it was (Robin Sommer).
+
+- The new signature option "http-body /<regexp>/" matches <regexp>
+  on the body data of HTTP entities (Robin Sommer).  The matching is
+  done after decompressing the body, if necessary.
+
+- The new built-in function identify_data(data: string, return_mime: bool)
+  analyzes the string "data" and returns its type according to libmagic,
+  if installed (Seth Hall).  The second argument controls whether it should
+  be returned as a MIME-type or just an identifying string.  For example,
+  identify_data("MZpofigu", F) returns the string "MS-DOS executable", and
+  print identify_data("MZpofigu", T) returns "application/x-dosexec".
+
+- The new analysis script http-identified-files.bro identifies the
+  type of items returned by Web servers using libMagic (if available)
+  and generates notices for interesting types and mismatches between
+  URLs and types (Seth Hall).
+
+  You configure it using two variables.  watched_mime_types is a pattern
+  (default /application\/x-dosexec/ | /application\/x-executable/ ) for
+  which any MIME type matching the pattern generates a HTTP_WatchedMIMEType
+  notice.
+
+  mime_types_extensions is a table mapping strings to patterns specifying
+  how URLs for the given MIME type should appear.  (Ideally, this would
+  be a table mapping patterns to patterns, but Bro doesn't currently support
+  that.)  It defaults to:
+
+		["application/x-dosexec"] = /\.([eE][xX][eE]|[dD][lL][lL])/
+
+  i.e., do Windows executables end in .exe or .dll.
+
+  You can also redef the pattern ignored_urls to specify URLs that should
+  not generate complaints.  It defaults to matching Windows Update.
+
+- The new script http-extract-items.bro extracts the items from HTTP
+  traffic into individual files (Vern Paxson).  Files are named:
+
+	<prefix>.<n>.<orig-addr>_<orig-port>.<resp-addr>_<resp-port>.<is-orig>
+
+  where <prefix> is a redef'able prefix (default: "http-item"), <n> is a
+  number uniquely identifying the item, the next four are describe the
+  connection tuple, and <is-orig> is "orig" if the item was transferred
+  from the originator to the responder, "resp" otherwise.
+
+- The workings of how Bro interfaces to external programs for dropping/
+  restoring connectivity of misbehaving hosts has been significantly
+  reworked (Brian Tierney and Robin Sommer).
+
+  First, dropping decisions used to be made directly by analyzer scripts,
+  such as scan.bro directly calling drop_address().  Now instead the
+  scripts generate Notices and then the notice policy can have an
+  action of NOTICE_DROP to codify that the response to the given Notice
+  is to drop the source.  The new notice_action_filter of drop_source
+  drops the source of notices, and drop_source_and_terminate both
+  drops the source and terminates the corresponding connection.
+
+  So, to drop all sources triggering a specific notice, one can now, e.g.,
+  write:
+  
+	redef notice_action_filters += { [Hot::SSH_Overflow] = drop_source };
+
+  Related to this change, notice_info has a new field $dropped, set to
+  true if the Notice triggered a (successful) drop.
+
+  Second, by redef'ing Drop::use_catch_release to T (default F) you can
+  activate "catch-and-release" logic.  You use this mode when you need to
+  manage a limited number of possible blocks, or to build in automatic
+  "forgiveness" in situations where blocked sources might become benign
+  (such as due to dynamic IP addresses).  If a source has been idle for
+  Drop::drop_time, then it is unblocked.  However, if it is again seen as
+  block-worthy, then it is blocked for an interval of Drop::long_drop_time.
+
+  Third, ICMP scanning is now reported by its own notice, ICMPAddressScan,
+  rather than Scan::AddressScan.
+
+- Google's perftools have replaced mpatrol for leak-checking and
+  heap-profiling (Robin Sommer).  If Bro is compiled with --enable-perftools
+  and configure finds the perftools, there are two command-line options
+  available:
+
+	-m turns on leak checking of the main packet loop, with some
+	   uninteresting leaks are suppressed.  Currently, with one
+	   exception (the RPC analyzer; problem not yet found), it reports
+	   no leaks when running the test suite.
+
+	-M turns on heap profiling: Bro will take a snapshot of the heap
+	   before starting the main packet loop and another one when
+	   finished. These snapshots can then be analyzed with pprof.
+
+  For more information about the perftools see 
+  
+	http://code.google.com/p/google-perftools
+
+- Notice tags are now generated in a pseudo-unique fashion that, with high
+  probability, ensures that tags generated by separate Bro processes don't
+  clash when logged to a common location, such as for a Bro cluster (Robin
+  Sommer).  Tags are now string's rather than count's, and are associated
+  with all notices, not just that are connection-related.  You can however
+  redef the string notice_tag_prefix or the function new_notice_tag to
+  further control how such tags are generated.
+
+- Four new built-ins for type conversion (Robin Sommer):
+
+	function double_to_interval(d: double): interval
+	function addr_to_count(a: addr): count
+	function port_to_count(p: port): count
+	function count_to_port(c: count, t: transport_proto): port
+
+- Many policy scripts have been modified to use modules & scoping
+  (Robin Sommer and Matthias Vallentin), which may require updates to
+  existing scripts/refinements.
+
+- The new script variable dpd_conn_logs (default F), if true, changes the
+  semantics of the service field in connection logs written to conn.log,
+  as follows (Robin Sommer).  It becomes a comma-separated list of analyzers
+  confirmed by DPD to parse the connection's payload.  If no analyzer could
+  confirm its protocol, but the connection uses a well-known port, the
+  service is the name of the port with "?" appended (e.g., "http?"), as
+  long as the corresponding analyzer has not declined the connection.
+  In addition, ftp-data sessions are labeled "ftp-data" and portmapper
+  connections are labeled with the specific method-call (just as before).
+
+  dpd_conn_logs defaults to F because the change in semantics may break
+  scripts that parse conn.logs; but it will likely change to the default
+  in the future. With dpd_conn_logs turned off, conn logs are generated
+  as they used to be, with a few rare exceptions (with previous versions,
+  the service field was sometimes determined while the connection was still
+  alive; now it's always determined at the time when the conn.log entry
+  is written out).
+
+- The SSL analyzer has been rewritten using BinPAC, with a number of
+  robustness improvements (Tobias Kiesling).  It currently is only used
+  if you execute with --use-binpac.
+
+- Python bindings for Broccoli are now available in
+  aux/broccoli/bindings/python/ (Robin Sommer).  See README/README.html
+  in that director for details.
+
+- The new "auth" option in remote.bro indicates whether a given side is
+  considered "authoritative" for shared state, in which case it sends its
+  initial state to &sync'ed peers (Robin Sommer).  When two peers synchronize
+  their state, one side sends its current set of state to the other as
+  soon as the remote connection is established.  The one sending the state
+  used to be the one who has been running longer; now it can also be
+  explicitly set via the "auth" flag in the Remote::Destination.
+
+- Two new tuning parameters for scan.bro (Robin Sommer):
+
+  ignore_scanners_threshold (default 0):
+
+	If a host has scanned more than this many hosts, it is completely
+	excluded from further scan detection.  0 disables.
+
+  addr_scan_trigger (default 0):
+
+	A host is only tracked for address scanning once it has contacted
+	this many different hosts.  Primarily intended for using a two-stage
+	scan detection with a Bro cluster: first, each node searches locally
+	for scanners by looking for hosts contacting more than
+	addr_scan_trigger destinations.  Those hosts which do are then
+	globally tracked throughout the cluster by &synchronizing the scan
+	detector tables.
+
+- When Bro serializes functions, it now does so by default using only
+  their name, rather than their full value (Robin Sommer).  This prevents 
+  propagation of expiration functions associated with tables and sets.
+  Note, currently there is no mechanism provided to switch from the
+  default behavior, but the internal hooks are in place to do so.
+
+- The new built-in variable trace_output_file gives the name of the -w
+  output trace file (Robin Sommer).
+
+- Bro no longer installs new file rotation timers when shutting down
+  (Robin Sommer).
+
+- The new policy scripts remote-print-id{,-reply}.bro support convenient
+  access to printing the identifiers of a remote Bro (Robin Sommer).
+  You use the script remote-print-id.bro to request and receive the
+  printing; the remote Bro must have loaded remote-print-id-reply.bro
+  in order to process the request.
+
+  Example use:
+
+	  bro -e 'redef PrintID::dst="<dst>" PrintID::id="<name-of-id>"'
+			<other scripts> remote-print-id
+
+- scan.bro has been heavily modified to better support distributed scan
+  analysis (Matthias Vallentin and Robin Sommer).
+
+- The check for unused event handlers is now turned off by default
+  (Robin Sommer).  To enable, use "redef check_for_unused_event_handlers = T".
+
+- The new script drop.bro has been split off from scan.bro to isolate
+  the logic concerning dropping addresses to block scans (Robin Sommer).
+
+- The new -l flag lists each script as it is loaded (Robin Sommer).
+
+- Textual descriptions of identifiers now include their attributes
+  (Robin Sommer).
+
+- The new predefined function prefixed_id() returns a session identifier with
+  its peer-ID prepended if it's associated with a remote Bro (Robin Sommer).
+  This is now used when generating writing log files.
+
+- remote.bro now assigns a priority of -10 to its bro_init() event handler
+  to allow others a chance to modify destinations (Robin Sommer).
+
+- A large number of BinPAC updates (Ruoming Pang and Robin Sommer).
+
+- The new built-in type_name(v): string returns the name of the type
+  of the value v (Vern Paxson).  For example, "typename(5.2)" returns
+  "double".  This function is mainly for internal debugging (i.e.,
+  finding mismatches between values generated by the event engine
+  versus how their type is expected by the script layer).
+
+- The new built-in str_shell_escape() does some basic escaping on strings
+  that will be passed to system() (Christian Kreibich).  Note, this function
+  isn't ready (robust enough) for routine use, however.
+
+- The new built-in disable_print_hook(file) acts the same as
+  the attribute &disable_print_hook (Robin Sommer).
+
+- The new script terminate-connection.bro factors out the terminate_connection()
+  functionality that used to be in conn.bro (Robin Sommer).
+
+- The new attribute &group=<tag> can be associated with event handlers
+  to group them together into a set that can be manipulated as a whole
+  (Robin Sommer).  <tag> is a string reflecting the name given to the group.
+
+  The built-in enable_event_group(group: string) turns on all the analyzers
+  in a given group, and disable_event_group(group: string) deactivates them.
+
+- The new attribute &raw_output applies to variables of type file, disabling
+  escaping of non-printable characters (Seth Hall).
+
+- You can now iterate over the characters in a string value using
+  a "for" loop, e.g., "for ( c in str ) ..." (Robin Sommer).
+
+- The new built-in
+
+      function cat_sep%(sep: string, def: string, ...%): string
+
+  works similarly to cat(), except that it (a) separates the values
+  by "sep" and (b) substitutes "def" for empty strings (Seth Hall).
+
+- The function string_escape() now takes a string of characters to escape
+  rather than a single character (Robin Sommer).  Each character in the
+  string is preceded by '\' in the return value (also any embedded '\'s,
+  as before).
+
+- The new built-in function global_ids() returns a table of all global
+  identifiers along with associated information (Robin Sommer).  The
+  return value has type table[string] of script_id, indexed by the name
+  of the identifier and yielding records with the following fields:
+
+	type script_id: record {
+		type_name: string;
+		exported: bool;
+		constant: bool;
+		enum_constant: bool;
+		redefinable: bool;
+		value: any &optional;
+	};
+
+- The new script function find_last(str: string, re: pattern) returns
+  the last occurrence of the given pattern in the given string, or
+  an empty string if no match (Robin Sommer).  Note that this function
+  returns the match that starts at the largest index in the string, which
+  is not necessarily the longest match.  For example, a pattern of /.*/
+  will return just the final character in the string.
+
+- The new script variable record_all_packets, if redef'd to T (default F),
+  instructs Bro to record every packet it processes (Robin Sommer).
+  Prior to introducing this variable, Bro applied a few heuristics to
+  reduce recording volume.  Setting this variable also causes packets
+  to be recorded very early in processing, which can be helpful for
+  debugging crashes.
+
+- If the new script flag ssl_log_ciphers is set to T (default), ssl.bro
+  logs the ciphers seen (Robin Sommer).
+
+- Much more expanded Time Machine support, now located in
+  policy/time-machine/ (Robin Sommer),
+
+- The new command line option --status-file <file> (alias -U) specifies
+  the name of a file into which Bro will write an indicator of its current
+  processing status (Robin Sommer).  Possible values include "INITIALIZING",
+  "RUNNING", "TERMINATING", "TERMINATED".
+
+- The new policy script targeted-scan.bro looks for repeated access from
+  the same source to the same server, to detect things like SSH
+  password-guessing attacks (Jim Mellander).
+
+- The "alternative" style for printing strings (i.e., a fmt() argument
+  of "%As") now renders the raw string, other than escape-expanding
+  embedded NULs (Vern Paxson).  This change may be temporary, pending
+  development of more fine-grained control over string rendering.
+
+- For now we have removed the %S functionality for fmt() (Robin Sommer).
+  %S was meant to print "raw" strings, but later processing of such
+  printing still introduces artifacts.
+
+- GeoIP information now includes latitude and longitude (Seth Hall).
+
+- ssh.bro now supports the variable skip_processing_after_handshake
+  which directs the event engine to omit any further processing of an
+  SSH connection after its initial handshake (Seth Hall and Robin Sommer).
+  This can help with performance for large file transfers but precludes
+  some kinds of analyses (e.g., tracking connection size).  This change
+  also adds a scope of "SSH".
+
+- Email notification of notices now allows for separate destinations
+  depending on notice type (in particular, a regular mail destination
+  versus a pager destination), and also escapes the notice to prevent
+  injection attacks (Seth Hall and Robin Sommer).
+
+- The new policy script conn-flood.bro is a simple connection-flooding
+  detector, mainly meant as a demonstration (Robin Sommer).
+
+- A large number of additions to the TLS/SSL known-ciphers suite (Seth Hall).
+
+- Serialization now uses 64-bit IDs to cache items rather than 32-bit,
+  for robustness during long-running execution (Robin Sommer).
+
+- The new script variable tcp_max_initial_window specifies, for flows
+  for which ACKs have never been seen, the maximum volume of initial
+  data after which Bro will assume that it is seeing only one side
+  of the connection and will not buffer data for consistency checking
+  awaiting the later arrival of ACKs (Robin Sommer).  It defaults to 4 KB.
+  (Note, this used to be an internal value, so the behavior is not new.)
+  Set to 0 to turn off this functionality and have Bro attempt to
+  track all such flows.
+
+- The new script variable tcp_max_above_hole_without_any_acks specifies,
+  for flows for which ACKs have never been seen, the maximum volume of
+  data above a sequence hole that Bro will tolerate for a connection
+  before giving up on tracking the flow (Robin Sommer).  It defaults to 4 KB.
+  (Note, this differs from tcp_max_initial_window in that this threshold
+  applies to sequence holes rather than the beginning of flows.  Like
+  tcp_max_initial_window this used to be an internal value.)  Set to 0 to
+  turn off this functionality.
+
+- The new script variable tcp_excessive_data_without_further_acks specifies
+  a threshold similar to tcp_max_above_hole_without_any_acks, but for
+  flows for which Bro has seen ACKs (Robin Sommer).  It defaults to 10 MB.
+  Set to 0 to turn off the functionality.
+
+- Equal signs ("=") in text for notices are now escaped when using the
+  tagged format to keep them unambiguous from the "=" delimiters
+  (Robin Sommer).
+
+- The final tallies for notices are now processed as NoticeTally
+  NOTICE's rather than directly alarm'd (Robin Sommer).
+
+- WeirdActivity notices now include an associated connection when appropriate
+  (Robin Sommer).
+
+- Support for large (> 2^32 bytes) pcap trace files (Po-Ching Lin).
+
+- Scoped names ("...::...") are now allowed in signature "eval"
+  constructs (Christian Kreibich).
+
+- scan.bro is now decoupled from conn.bro, i.e., you can @load the
+  latter without getting the former (Vern Paxson).  As part of this
+  change, the logic to invoke TRW is now in scan.bro.
+
+- weird.bro has been updated with a number of missing Weird's (Vern Paxson).
+
+- If when using inter-Bro communication the child Bro process terminates,
+  it now also terminates the parent process (Robin Sommer).
+
+- BinPAC analyzers now interoperate with DPD (Robin Sommer).
+
+- Some http.bro processing options are now exported so they can be
+  accessed in other scripts (Robin Sommer).
+
+- SMTP analysis now applies to port 587/tcp as well as 25/tcp (Robin Sommer).
+
+- $conn is now set in ServerFound notices (Robin Sommer).
+
+- You can now create empty sets and tables using set() and table(),
+  i.e., the usual set/table constructors with no arguments (Vern Paxson).
+  By themselves, these have an unspecified type - you can't use them
+  directly other than to assign them.  For example,
+
+	local bad_guys: set[addr];
+	...
+	bad_guys = set();	# start over assuming no bad guys
+
+- A number of scripts have been (slightly) simplified to use the
+  new empty set()/table() constructors (Vern Paxson).  Note that
+  these still aren't usable for field assignments in record constructors,
+  nor for attributes like &default = ...
+
+- Removed unused syntax for declaring sets based on a list of initial
+  values (Vern Paxson).
+
+- set() and table() can now be used as arguments to function calls
+  (Vern Paxson).
+
+- The vestigial &match attribute has been removed.
+
+- POP3 is now recognized using Dynamic Protocol Detection (Seth Hall).
+
+- The new event expected_connection_seen(c: connection, a: AnalyzerTag)
+  is generated whenever a connection is seen for which we have previously
+  scheduled an analyzer via expect_connection() (Robin Sommer).
+
+- The new built-in capture_state_updates logs all changes applied to
+  &synchronized variables, in a fashion similar to the capture_events()
+  built-in (Robin Sommer).  An accompanying policy script,
+  capture-state-updates.bro, turns this on to the file state-updates.bst.
+
+- If the new script variable suppress_local_output is set (default: F),
+  Bro suppresses printing to local files if there's a receiver for
+  print_hook events (Robin Sommer).  This option is however ignored
+  for files with a &disable_print_hook attribute.
+
+- The new notice action filter function file_if_remote specifies
+  that notices from sent from remote source addresses should
+  have an action NOTICE_FILE (Robin Sommer).
+
+- The new notice action filter function file_local_bro_notices specifies
+  that notices generated by the local Bro instance (as opposed to a
+  remote peer) should have an action NOTICE_FILE (Robin Sommer).
+
+- An arbitrary tag can now be past to post-processors for log rotation
+  (Robin Sommer).
+
+- Default inactivity timeouts for interactive services shortened to 
+  1 hour (Robin Sommer).
+
+- The scanning variables distinct_{peers,ports,low_ports} are now
+  redef'able (Robin Sommer).
+
+- The new -S (--summary-only) option for site-report.pl directs to
+  only generate connection summaries (Brian Tierney)
+
+- More useful default config file for edit-brorule.pl (Brian Tierney).
+
+- Bro now includes a test suite in testing/istate/ for its "independent
+  state" functionality (Robin Sommer).
+
+- Support for parallel builds via make -j (Christian Kreibich).
+
+- Bro's default search path now includes includes policy/sigs/ and
+  policy/time-machine/ (Robin Sommer).
+
+- Bro's internal processing of interprocess communication has been
+  significantly overhauled to prevent potentially fatal race conditions
+  (Robin Sommer).
+
+- Bro now checks calls to fmt() at compile-time to ensure that the
+  correct number of arguments are present (Vern Paxson).  This is useful
+  in addition to Bro's run-time checking for arguments matching their
+  corresponding format-specifiers in the case of rarely-executed statements
+  that might not generate such run-time checks in routine testing.
+
+- The ports associated with Telnet and Rlogin are now redef'able (Robin Sommer).
+
+- MIME processing now removes leading whitespace from MIME headers
+  (Sanmeet Bhatia and Robin Sommer).
+
+- TCP "weird" events reported by the connection compressor now match
+  (other than a few rare corner-cases) those produced for normal TCP
+  processing (rmkml and Robin Sommer).
+
+- Added Scan::suppress_UDP_scan_checks to control false positives
+  on scan detection in environments with P2P protocols that use UDP
+  (Vern Paxson).
+
+- The internal analyzer interface now includes an EndOfData() method that
+  analyzers can use to report that all of a message has been delivered
+  (Robin Sommer).
+
+- Fix for a significant memory leak in processing UDP when using -w
+  (Robin Sommer).  Note: this change turns off by default trace rewriting
+  for generic UDP traffic.
+
+- Two serious regular expression bugs fixed (Vern Paxson).  In the
+  first, searching for a regular expression inside a string would
+  fail if the pattern occurred only after an embedded newline.  In
+  the second, insufficient buffer was allocated when compiling regular
+  expressions, leading to memory corruption.
+
+- Base64 decoding bug fixes (Christian Kreibich and Ruoming Pang).
+
+- Automatic rotation of files is now disabled for contents files written
+  by the TCP reassembler, which otherwise leads to mangled files
+  (Robin Sommer).
+
+- Bro now ships with an updated version of libpcap (0.9.8), which hopefully
+  fixes problems managing trace files > 4 GB in size.
+
+- Significant bug fixes for gzip- and deflate-encoded Web items (Robin Sommer).
+
+- Bug fix for secondary-filter.bro (Vern Paxson).
+
+- Removed a naming ambiguity regarding TCP states (Vern Paxson).
+
+- Bug fix for signature scanner not matching all of its input (Vern Paxson).
+
+- Bug fix for using port values in signatures (Robin Sommer).
+
+- Minor policy script tweaks: state management for weird's, processing
+  of Notice tags associated with connections, and dependencies for
+  irc-bot.bro (Robin Sommer).
+
+- aux/ portability fixes (Vern Paxson).
+
+- Workarounds added for a BinPAC deficiency, which is that code in %cleanup
+  clauses can also be executed during recovery from exceptions when parsing
+  new data.  This means that any delete's or Unref()'s need to also set the
+  corresponding pointer to nil (Vern Paxson).
+
+- Bug fix for crashes with the non-BinPAC SSL analyzer (Robin Sommer).
+
+- Tweak to peer-status.bro since Bro now requires events to be
+  declared prior to reference in a "schedule" statement (Robin Sommer).
+
+- The signature keyword "enable" now optionally accepts the syntax
+  "foo:bar" to specify "activate analyzer bar as a child of analyzer foo"
+  (Robin Sommer).  This is used for example for an XML-over-HTTP analyzer
+  that's in the works.
+
+- irc-bot-syslog.bro now uses open_log_file() for its log file (including
+  the logging suffix) rather than a direct open (Vern Paxson).
+
+- Bug fix for tracking Blaster across a Bro Cluster (Robin Sommer).
+
+- Bug fix for the HTTP BinPAC analyzer chopping the trailing character
+  off of HTTP headers when generating the http_all_headers event (Gregor Maier).
+
+- Bug fix for HTTP chunked items for which the chunk size line was terminated
+  by CRLF but the CR and LF came in separate packets (Gregor Maier).
+
+- A bug has been fixed that would cause partial lines (for line-oriented
+  protocols) to fail to be processed when a connection terminated
+  (Robin Sommer).
+
+- Bro no longer treats a signal arriving before a previous signal has
+  been processed as fatal, nor does it attempt processing of a termination
+  signal if seemingly there are no race conditions to worry about
+  (Robin Sommer).  Both of these changes are an attempt to improve
+  Bro's robustness.
+
+- Fix for attributes such as &encrypt not working in initial declarations
+  but only in later redef's (Seth Hall and Robin Sommer).
+
+- Fixes for memory leaks in SSL processing (Seth Hall and Robin Sommer).
+
+- Fix for POP3 analyzer to not treat lines like "<space>." as message
+  terminators (Robin Sommer).
+
+- Bug fix for crashes arising from nil pointers in list expressions
+  (Seth Hall and Robin Sommer).
+
+- Bug fix: a signature's "enable" would activate the corresponding analyzer
+  even if no event handlers were defined for it (Robin Sommer).
+
+- Bug fixes to prevent crashes when mixing set_contents_file() with
+  subsequent explicit close(), and to ensure all data written to
+  file upon connection tear-down (Gert Doering and Robin Sommer).
+
+- Configuration support for MacPorts and Fink package management systems
+  (Christian Kreibich & Vern Paxson).
+
+- Communication-only Bro's now send out email alarms (Robin Sommer).
+
+- Writes to a file that fail due are now run-time errors rather than
+  fatal internal errors, since often these occur due to the disk
+  being full (Robin Sommer).
+
+- Byte-order bug fix for lookup_location() (Robin Sommer).
+
+- BinPAC portability fix for 64-bit machines (Bernhard Ager and Robin Sommer).
+
+- Portability fixes for newer versions of gcc (Jan Gerrit Goebel and
+  Robin Sommer).
+
+- Some support for porting to Solaris (Stephan Toggweiler).
+
+- Connection compressor bug fix for source and destination having the
+  same IP address, such as when monitoring loopback (Robin Sommer).
+
+- Connection compressor bug fix for connections with multiple SYNs
+  (Robin Sommer).
+
+- Bug fix for using already-declared local variables for looping
+  over vectors in a "for" loop (Robin Sommer & Vern Paxson).
+
+- Bug fix for not processing truncated UDP packets (Tom Kho and Robin Sommer).
+
+- Bounds-check added to BinPAC-generated code (Tom Kho and Robin Sommer).
+
+- Bug fix for checking whether an IPv6 address is part of a subnet
+  (Seth Hall).
+
+- Bug fixes for crashes relating to asynchronous DNS lookups performed
+  at start-up (Robin Sommer).  These changes also lowered the timeout
+  before assuming failure from 20 seconds down to 5 seconds.
+
+- Portability and const-ness fixes (Kevin Lo and Robin Sommer).
+
+- Suppression of some content-gap complaints when running on traces
+  that have been filtered down to only TCP control packets (Robin Sommer).
+
+- Removed unnecessary dependency in notice-action-filters.bro
+  that led to errors when loading icmp.bro by itself (Vern Paxson).
+
+- Bug fix for potential infinite loop in client communiation (Robin Sommer).
+
+- Bug fix in reference counting that could eventually lead to roll-over
+  (Robin Sommer).
+
+- Bug fix in communication initialization (Robin Sommer).
+
+- Internal documentation fix: timers are specified using absolute time,
+  not relative (Robin Sommer).
+
+- Performance improvement for built-in find_all() function when running
+  on large strings (Robin Sommer).
+
+- Memory leak fixes (Robin Sommer, Bernhard Ager, Christian Kreibich).
+
+- Bug fix for error recovery when encountering an unknown link layer
+  (Bernhard Ager).
+
+- Bug fix for reversing client & server in a connection (Po-Ching Lin).
+
+- Bug fix for packet_contents when capture length exceeds the IP payload
+  length due to Ethernet frame padding (Christian Kreibich).
+
+- Bug fix for tcp_packet event erroneously including Ethernet padding
+  in its contents (Vern Paxson).
+
+- Bug fix for lookup_connection built-in (Seth Hall).
+
+- Portability nit for libedit tarball (Vern Paxson).
+
+- Broccoli portability fix for NetBSD (Christoph Leuzinger).
+
+- Type-checking for script-level event invocation was completedly broken -
+  now fixed (Vern Paxson).
+
+- Portability fixes for different versions of g++/STL (Nicholas Weaver
+  and Vern Paxson).
+
+- Fix for dynamic detection of SSL via DPD (Robin Sommer).
+
+- IPv6 portability fix for BinPAC-based DNS analyzer (Vern Paxson).
+  Note, more portability work is needed for it.
+
+- Bug fix for bifcl error messages (Vern Paxson).
+
+- Minor bug fix for remote communication, plus some improved communication
+  logging (Robin Sommer).
+
+- Bug fix for &printhook (Robin Sommer).
+
+- Bug fix for error message output (Robin Sommer).
+
+- Bug fix for termination cleanup (Robin Sommer).
+
+- Bug fix for some Rlogin corner cases (Robin Sommer & Vern Paxson).
+
+- Bug fix for bifcl generation of "interval" types (Vern Paxson).
+
+- Bug fix for getting connection memory statistics when Bro is
+  exiting (Robin Sommer).
+
+- Config fix: --enable-debug now turns off -O2 for gcc (Robin Sommer).
+
+- Bug fixes for "heavy" analysis (Vern Paxson).
+
+- Broccoli bug fixes for types net and port (Robin Sommer).
+
+- Bug fixes for Telnet environment options (Robin Sommer).
+
+- Bug fix for accessing remote peer description (Robin Sommer).
+
+- A fix for the connection compressor generating new_connection too
+  late (Robin Sommer).
+
+- Fixes for DAG support, including configuration and multiple
+  interfaces (Robin Sommer).
+
+- Bug fix for serializing time-stamps of table entries (Robin Sommer).
+
+- Bug fix for dealing with peer IDs for remote communication (Robin Sommer).
+
+- Bug fix to avoid installing timers when timers have already
+  been canceled (Robin Sommer).
+
+- Bug fix for interplay between serializing connections and
+  connection compressor (Robin Sommer).
+
+- Memory leak fix for enum's (Robin Sommer).
+
+- Bug fix for files being closed prior to bro_done() (Vern Paxson).
+
+- aux/broccoli/contrib was not included in distribution (Robin Sommer).
+
+- Auto-configuration bug fix for BinPAC (Craig Leres).
+
+- Bug fix for dynamic protocol detection (Robin Sommer).
+
+- A number of configuration fixes for installation and portability
+  (Christian Kreibich, Brian Tierney, Robin Sommer, Dan Kopecek).
+
+
+1.3 Mon Jul 16 22:11:00 PDT 2007
+
+- The Bro manual has been wikified at:
+
+	http://www.bro-ids.org/wiki/index.php/User_Manual
+
+  and this is the format in which it will evolve in the future
+  (Christian Kreibich).
+
+- Much more extensive support for SMB, NetBIOS and NCP (Chris Grier).
+
+- The new attribute &priority=n defines the order of execution for handlers
+  of the same event (Robin Sommer).  Handlers with higher priority are
+  executed first.  n is an integer expression that must evaluate to a
+  constant when the script is loaded.
+
+  Example:
+          > cat foo.bro
+          event bro_init() &priority = -5 { print -5; }
+          event bro_init() &priority =  5 { print 5; }
+          event bro_init()                { print 0; }	# default priority=0
+          > ./bro foo.bro
+          5
+          0
+          -5
+
+  The connection_state_remove() handler in conn.bro now has priority
+  -10 and therefore executes after all other handlers for this event.
+  This fixes a long-standing problem of sometimes $addl fields not showing
+  up in connection summaries.
+
+- The new expressions record(...), table(...), set(...) and vector(...) 
+  are constructors for the corresponding aggregate types (Vern Paxson).
+  For example,
+
+	record($foo = "hi", $bar = -6)
+
+  is the same as the existing constructor
+
+	[$foo = "hi", $bar = -6]
+
+  For tables, sets, and vectors, the "..." values within the ()'s have
+  the same syntax as those that you can list in variable initializations.
+  For example,
+
+	table([1, T] = "black", [4, F] = "red")
+
+  returns a table of type "table[count, bool] of string".
+
+	set(4, 3, -1)
+
+  is a value of type "set[int]".
+
+- You can associate attributes with table() and set() constructors
+  (Robin Sommer).  For example:
+
+         local s = set(1.2.3.4) &read_expire = 5 secs;
+
+  associates a 5-second read expiration with the set assigned to s.
+
+- Bro now explicitly supports port numbers reflecting a transport protocol
+  type of "unknown" (Christian Kreibich).  Currently, this means "not TCP,
+  UDP or ICMP".  The numerical value of such a port is the IP protocol,
+  so ranges from 0..255.  For example:
+
+    global p: port = 0/unknown;
+
+    print fmt("%s", p);
+    print fmt("p is TCP? %s", get_port_transport_proto(p) == tcp);
+    print fmt("p is unknown? %s",
+		get_port_transport_proto(p) == unknown_transport);
+
+  yields
+
+    0/unknown
+    p is TCP? F
+    p is unknown? T
+
+  In comparisons of different protocol types, the following holds:
+  unknown < TCP < UDP < ICMP.
+
+- If your system supports "GeoIP" (see http://www.maxmind.com/app/geolitecity
+  for a corresponding city database), then the new script function
+
+	  lookup_location(a: addr): geo_location
+
+  returns a record of geographic information associated with an address
+  (Seth Hall).  The geo_location record has $country_code, $region and
+  $city fields.  If no information is available, each of these will be
+  set to empty strings.
+
+  If Bro hasn't been configured with GeoIP support, or if the address is
+  IPv6 that cannot be directly converted to IPv4, then Bro produces a
+  run-time error and likewise returns empty strings.
+
+- Signature-matching on HTTP components now processes the URI with
+  escape sequences expanded (Robin Sommer).  Ideally, there would be
+  two signature keywords, one for decoded URIs (corresponding to this
+  case) and one that allows matching against the URI as originally
+  transmitted.
+
+- The connection compressor is no longer considered experimental, and
+  is used by default (Robin Sommer).
+
+- The new function lookup_hostname(host: string): addr_set asychronously
+  looks up the IPv4 address(es) of the given host via DNS (Robin Sommer).
+  Like lookup_addr(), this function can only be used within a "when"
+  statement.
+
+- The new built-in
+
+	raw_bytes_to_v4_addr(s: string): addr
+
+  takes a string that points to at least 4 bytes, and returns an address
+  corresponding to interpreting these as being an IPv4 address in network
+  order (Vern Paxson; suggested by Mike Dopheide).
+
+- Trace-rewriting support for DNS, SMB (Chris Grier).
+
+- The new script function find_all(str: string, re: pattern): string_set
+  returns a string_set giving all occurrences of the pattern "re" in
+  the string "str" (Robin Sommer).  (Note that string_set's are unordered.)
+
+- The new policy script save-peer-status.bro generates a log
+  to peer_status.$BRO_LOG_SUFFIX of updates received from
+  communication peers (Robin Sommer).
+
+- The policy script print-filter.bro now includes two (scoped) variables,
+  terminate_bro and to_file, which control whether to exit after printing
+  the filter (default T) and whether to write to the log file
+  pcap_filter.$BRO_LOG_SUFFIX or (default) to stdout (Robin Sommer).
+
+- The new script variable check_for_unused_event_handlers controls whether
+  Bro checks for unused event handlers (Robin Sommer).  It defaults to T,
+  which was the past behavior (always report).
+
+- Bro now terminates if the only pending activity is future timers
+  (Robin Sommer).  It used to wait for those timers to expire, but this
+  can cause fundamental problems if the timers are associated with table
+  management (since these might never completely drain).
+
+- Tables and sets inside of records are now initialized to empty
+  values rather than uninitialized (Vern Paxson).
+
+- A new variable allow_services_from (in hot.bro) complements the
+  existing allow_service_to variable (Brian Tierney).  It specifies
+  that access to the given service from the given originator is
+  allowed.
+
+- global_sizes() no longer reports internal variables (Robin Sommer).
+
+- The IRC analyzer is now activated if any of the (many) IRC event
+  handlers are defined (Robin Sommer).
+
+- The default value for tcp_close_delay is now 5 sec rather than 0 sec
+  (Robin Sommer).  This prevents some spurious connection events.
+
+- Improved logic for dealing with "reversed" connections such
+  as backscatter (Vern Paxson).
+
+- You can now left-justify fields when using fmt() with "%-" like
+  in sprintf (Christian Kreibich).
+
+- Updates to DNS query types (Larry Leviton).
+
+- Added mechanism to http-header.bro to skip printing some HTTP headers
+  (Larry Leviton).
+
+- The IrcHotWord notice now sets the associated connection (Robin Sommer).
+
+- If a notice has a tag, it's no longer overridden (Robin Sommer).
+
+- ServerFound notices now set the port field (Robin Sommer).
+
+- The built-in lookup_ID() now returns the string "<unknown id>" if the
+  ID does not exist, rather than a run-time error (Robin Sommer).
+
+- The new tuning option ProtocolDetector::suppress_servers specifies a
+  set of analyzers for which Bro generates ServerFound notices, but not
+  ProtocolFound (Robin Sommer).  This both reduces log file size and
+  conserves memory.
+
+- A new notice_action_filter, tally_notice_type_and_ignore, works the same
+  as tally_notice_type but returns IGNORE (Robin Sommer)
+
+- Setting summary_interval == 0 disables the creation of irc-bots.summary.log 
+  (Robin Sommer).
+
+- If you @load foo and a directory "foo" is in your path, Bro no longer
+  tries to load it (Robin Sommer).
+
+- A number of BinPAC fixes and enhancements (Ruoming Pang, Chris Grier
+  and Vern Paxson).
+
+- BinPAC now resides in aux/binpac rather than src/binpac (Ruoming Pang
+  and Christian Kreibich).  This reflects a decoupling of it from Bro so
+  that it can be used to generate protocol analyzers for other projects too.
+
+- Removed example Inktomi entries from skip_scan_sources initialization,
+  since they no longer exist (Vern Paxson).
+
+- The variable make notice_once_per_orig_tally_interval is now
+  redef'able (Brian Tierney).
+
+- SIGPROF to the communication child process now logs resource stats to
+  remote.log (Matthias Vallentin).
+
+- The new built-in getpid(): count returns Bro's process ID (Robin Sommer).
+
+- Patterns for detecting IRC-based bots updated (Robin Sommer).
+
+- irc-bot-syslog now logs just bots, not all IRC client/servers (Robin Sommer).
+
+- The new variable suppress_notice_actions in notice.bro suppresses
+  notice_actions events for selected notice types (Robin Sommer).
+
+- Files opened during operation now rotate just like those opened at
+  startup (Robin Sommer).
+
+- ResourceStats now also logs elapsed time and the reported number of
+  packets-on-the-link (Mark Dedlow).
+
+- Printing a "file" value now produces its name (Robin Sommer).
+
+- Removed deliberate truncation of payload in port 80 FIN packets
+  (Vern Paxson).
+
+- remote.log now includes received peer_descriptions (Robin Sommer).
+
+- Significant POP3 analyzer speed-ups (Vern Paxson).
+
+- Updated README (Vern Paxson).
+
+- Fix for "@load a" followed by "@load a.bro" not loading the same file
+  twice (Robin Sommer).
+
+- Bug fixes for propagating state operations to uninitialized variables
+  and for spurious state inconsistency messags (Robin Sommer).
+
+- Bug fix for sending final sync-points during pseudo-realtime mode
+  (Robin Sommer).
+
+- Fix for possible buffer overflow (Christian Kreibich).
+
+- Bug fix for spurious end-of-file's during inter-Bro communication
+  (Robin Sommer).
+
+- Bug fix for dpd_match_only_beginning=F (Robin Sommer).
+
+- Bug fix for updating timestamps (Christian Kreibich).
+
+- Bug fix for skipping ADU processing in adu.bro (Christian Kreibich
+  and Zhichun Li).
+
+- Fix for ICMPs that carry ICMP headers (or non-TCP/UDP/ICMP headers)
+  within them (Vern Paxson).
+
+- Fix for files being rotated after the timer queue has been deleted
+  (Vern Paxson).
+
+- Bug fix for signature-matching with IPv6 subnets (Vern Paxson).
+
+- Bug fix for connection compressor setting connection origin (Robin Sommer).
+
+- Bug fix for interconn.bro when processing peculiar connections (Vern Paxson).
+
+- Fix for off-by-one buffer in sscanf call (Christian Kreibich).
+
+- Fixed inefficiency/warning flagged by g++ (Vern Paxson).
+
+- Bug fix for NUL string termination in SMB processing (Zhichun Li).
+
+- Fix for over-ref'ing of file Val's (Vern Paxson).
+
+- Fixes for some g++ warnings (Christian Kreibich, Vern Paxson).
+
+- gcc 3.4.2 portability fixes (Robin Sommer).
+
+- Minor build fixes for Broccoli, including a version bump to match that
+  of Bro.  See aux/broccoli/ChangeLog for details.
+
+- distcheck fixes (Christian Kreibich).
+
+- Configuration portability fixes (Matthias Vallentin, Jean-philippe Luiggi).
+
+- OpenBSD portability fixes (Jean-philippe Luiggi, Christian Kreibich).
+
+
+1.2.1 Mon Dec 11 16:22:58 PST 2006
+
+- Fixed delayed triggering of new_connection events when using the
+  connection compressor.
+
+- Fixed tracking of first packet in TCP analyzer. (Reported by Guohan Lu)
+
+- The syslog built-in got lost during some previous merge.
+
+- Fixed crash if local variable is given as timeout value for table.
+  (Reported by Mike Wood.)
+
+- Fixed using "time" values as table indices.
+
+- Added ssh to default brolite DPD configuration. 
+
+- Fixed catching up to real-time in case of lull. 
+
+- Fixed Broccoli "BRO_DATA_FORMAT_VERSION" to match version in Bro.
+
+- Fixed Makefile problem in doc directory.
+
+- Fixed Makefile dependency problem in binpac directory.
+
+- Added Linux tuning to brolite install script.
+
+- Modified Makefile to include broccoli/contrib. 
+
+- Adding missing initialization to remote serializer. 
+
+- Minor documentation updates for reference manual and Broccoli. 
+
+
+1.2 Tue Oct 17 12:09:49 PDT 2006
+
+- Bro now supports DPD, dynamic protocol detection (Robin Sommer, Holger
+  Dreger, and Michael Mai).  With DPD, Bro can analyze protocols regardless
+  of what port numbers they use: it infers the protocol based on which
+  application analyzers can parse it without error.  Adding this functionality
+  involved extensive changes to Bro's internals, but also now enables
+  multiple Bro analyzers to work on the same connection, either concurrently
+  or one nested inside the other (we have not taken much advantage of this
+  latter capability yet, but see the FTP events discussed below).
+
+  There are a number of new policy scripts, events, and variables associated
+  with DPD processing, as follows.
+
+  Scripts:
+
+	You activate DPD by @load'ing dpd.bro.  It in turn instructs Bro
+	to load the signature file policy/sigs/dpd.sig.  Note that Bro
+	uses signatures to expedite deciding which analyzers to try on
+	a given connection; it does *not* simply use the signatures to
+	make the determination of which protocol is in use, as this is
+	insufficiently robust.  (At this point, Bro provides signatures
+	for FTP, IRC, HTTP, SMTP, and SSH.  In the future we plan to add
+	other protocols.)
+
+	Along with dpd.bro, you need to @load detect-protocols.bro or
+	detect-protocols-http.bro. The former enables general detection
+	of application-layer protocols, while the latter does further
+	inspection of HTTP sessions to characterize applications running
+	on top of HTTP such as Gnutella or SOAP.   (Loading dpd.bro
+	is separate from loading one of these scripts because in principle
+	Bro could use a different means than signatures to activate
+	the analyzers, although currently it does not.)
+
+	If you @load dyn-disable.bro, then once an analyzer determines
+	that it does not match a given connection, it is deactivated
+	(and a Notice is generated).  Otherwise, it still proceeds to try
+	its best to analyze the connection (to possibly be more robust
+	against evasion).
+
+	The scripts dce.bro and smb.bro enable DPD for the Windows DCE and
+	SMB protocols, respectively.  (Note that analysis of these protocols
+	is undergoing a major expansion, not yet complete.)
+
+  Events:
+
+	event protocol_confirmation(c: connection, atype: count, aid: count)
+		Generated when the given connection has been confirmed as
+		conforming with the application type (protocol) specified
+		by atype. aid is a globally unique analyzer ID that identifies
+		a particular analyzer instance.
+
+		The values for atype are symbolic names associated with
+		each of Bro's analyzers, such as ANALYZER_IRC.  See the
+		initialization at the beginning of Analyzer.cc for the
+		full set of names.
+
+		The function analyzer_name(atype: count): string translates
+		these symbolic names into text.  For example,
+
+			analyzer_name(ANALYZER_IRC)
+
+		yields "IRC".
+
+	event protocol_violation(c: connection, atype: count, aid: count,
+				reason: string)
+		Generated when the given connection has been found to
+		violate the protocol of the given application type, with
+		"reason" giving details.
+
+  Variables:
+
+	dpd_buffer_size: count (default 1024)
+		Specifies how much pending data Bro keeps for connections
+		that have not been classified yet.  Once this fills, the
+		data is deleted, though classification can still continue
+		(see below).
+
+	dpd_match_only_beginning: bool (default T)
+		If set, specifies that Bro should stop signature matching
+		if it has processed dpd_buffer_size bytes.
+
+	dpd_ignore_ports: bool (default F)
+		If set, then Bro does not take into consideration the port
+		numbers associated with connections when attempting to
+		classify them (which can otherwise help the process in
+		some cases).
+
+	dpd_reassemble_first_packets: bool (default T)
+		If set, then Bro does TCP stream reassembly before applying
+		signature-matching to detect protocols.
+
+	likely_server_ports: set[port]
+		Specifies a list of ports that Bro will consider as likely
+		used by servers.  For example, if Bro sees a connection
+		that has already been established (so it does not know
+		which side sent the initial SYN), and one side uses a port
+		in this set, then it will assume that that side is the
+		server (connection responder).  The set is empty unless
+		you populate it or @load server-ports.bro, which specifies
+		a large number of values.
+
+	dpd_config: table[AnalyzerTag] of dpd_protocol_config
+		Specifies the DPD configuration associated with each tag.
+		The type dpd_protocol_config is simply:
+
+			type dpd_protocol_config: record {
+				 ports: set[port] &optional;
+			};
+
+		i.e., an optional $ports field specifying a set of ports
+		associatd with the tag.  For example, ftp.bro now includes
+		the equivalent of:
+
+			redef dpd_config += {
+				[ANALYZER_FTP] = [$ports = 21/tcp]
+			};
+
+  Functions:
+
+	The function
+
+		expect_connection(orig: addr, resp: addr, resp_p: port,
+					analyzer: count, tout: interval)
+
+	is called to alert Bro that a new connection is expected, initiated
+	by orig to a server running on resp's port resp_p (note: orig's port
+	is not specified) which will correspond to the specified analyzer
+	(e.g., "FILE", which is used to analyze files transferred by FTP -
+	see next item).  "tout" is a timeout to associate with the waiting.
+
+	The function
+
+		function disable_analyzer(cid: conn_id, aid: count)
+
+	instructs Bro to disable the analyzer that generated the current
+	event, assuming the analyzer is associated with the given connection
+	ID.  This is used by the dyn-disable.bro script discussed above.
+
+- A much more complete BinPAC compiler, along with new HTTP, DNS, and
+  RPC/Portmap analyzers in binpac (Ruoming Pang). The flag "--use-binpac"
+  activates the BinPAC-based analyzers (currently for HTTP and DNS).
+  See www.cs.princeton.edu/~rpang/binpac-paper.pdf for a description of
+  BinPAC, and let Ruoming know if you are interested in using BinPAC to build
+  new analyzers.
+
+- A new type of analyzer, FILE, analyzes the contents of a connection as
+  though it were a data file (Robin Sommer).  Currently, it can generate
+  two events:
+
+	event file_transferred(c: connection, prefix: string, descr: string,
+				mime_type: string)
+		Indicates that the connection transferred a file. "prefix"
+		is the beginning of the file's data; "descr" and "mime_type"
+		are indicators of the file's type, as reported by the
+		"libmagic" library.
+
+		descr/mime_type are only set if Bro is configured on a
+		system that includes the "libmagic" library.
+
+	event file_virus(c: connection, virname: string)
+		Indicates the connection transferred an executable
+		corresponding to a known virus of the given name.
+
+		This functionality is only available if Bro is configured
+		on a system that includes the "libclamav" library.
+
+  Note, this analyzer is enabled via a call to expect_connection by
+  the FTP analyzer.
+
+- New events relating to IRC analysis (Robin Sommer):
+
+	event irc_client(c: connection, prefix: string, data: string)
+		Generated upon seing a client message sent over the given
+		IRC connection.  "prefix" is the command's prefix as defined
+		by the IRC protocol.  It is used by servers to indicate the
+		true origin of the message; it may be empty.  "data" contains
+		the message.
+
+	event irc_server(c: connection, prefix: string, data: string)
+		Same for server messages.
+
+	event irc_user_message(c: connection, user: string, host: string,
+				server: string, real_name: string)
+		Generated upon seeing an IRC "USER" command.
+
+	event irc_password_message(c: connection, password: string)
+		Generated upon seeing an IRC "PASS" command.
+
+	event irc_channel_topic(c: connection, channel: string, topic: string)
+		Generated upon seeing an IRC server reply that includes
+		the channel topic.
+
+	event irc_global_users(c: connection, prefix: string, msg: string)
+		Generated upon seeing an IRC server reply that includes
+		a count of the number of IRC users.
+
+- The new experimental script irc-bot.bro tracks IRC-based bots (Robin Sommer).
+  The accompanying script irc-bot-syslog.bro syslog's the state of the
+  bot analysis every IrcBot::summary_interval seconds (default 1 minute).
+
+- The new script proxy.bro looks for open Web proxies by matching incoming
+  requests to a server with outgoing requests it makes (Robin Sommer).  It
+  generates HTTPProxyFound Notices when it finds one.
+
+- Changes to notices.bro (Robin Sommer):
+
+	- notice_policy_item's now have a default $result of
+	  NOTICE_FILE and a default $priority of 1.
+
+	- The new notice_action_filter, notice_alarm_per_orig, alarms
+	  on the first NoticeType from a specific source.  Subsequent
+	  instances are tallied.
+
+	- notice_action_filters now reside in the new script
+	  notice-action-filter.bro (automatically loaded by notice.bro).
+        
+	- The notice actions NOTICE_ALARM_PER_CONN, NOTICE_ALARM_PER_ORIG,
+	  and NOTICE_ALARM_ONCE have been removed, as they were never
+	  actually implemented.
+
+	- If the notice_policy returns IGNORE or FILE, the action_filters
+	  filters are no longer consulted.
+
+- A new attribute for tables and sets, &mergeable, changes the semantics
+  of assignments, as follows (Robin Sommer).  Given two &mergeable tables/sets
+  A and B, an assignment "A = B" becomes actually a join "A = A \cup B"
+  (i.e., union).  The envisoned use is to help avoid race conditions
+  when doing remote state synchronization.
+
+- The semantics of &synchronized expire_funcs has changed (Robin Sommer).
+  Now, when a table entry is expired and the operation is propagated to a
+  a peer, the peer will call its expire_function.
+
+- TRW analysis now skips UDP traffic because it currently treats
+  all UDP connections as failures (Robin Sommer).
+     
+- trw.bro has been split into trw-impl.bro (the algorithm) and
+  trw.bro (which simply activates the analysis), to facilitate writing
+  scripts that have hooks into TRW analysis but don't presume it's
+  active (Robin Sommer).
+
+- The option report_remote_notices in remote.bro has been replaced
+  by a new script you include, remote-report-notices.bro (Robin Sommer).
+
+- The new function connect_peer() explicitly connects to a remote host
+  (Robin Sommer).
+
+- The new script remote-send-id.bro sends the current value of an ID
+  to a remote Bro and then terminates processing (Robin Sommer).  It's
+  intended for use from the command-line, as in
+
+	bro -e "redef dst="<dst>" id="<name-of-id>" <scripts> remote-send-id
+
+  The other scripts must set up the connection. <dst> is an index into
+  Remote::destinations corresponding to the destination.
+
+- New built-ins {suspend,resume}_state_updates() can be called to
+  temporarily avoid propagating updates to &sync'ed values (Robin Sommer).
+  This can avoid duplicated activity.
+
+- The new function terminate_communication() instructs Bro to end its
+  communication with remote peers (Robin Sommer).
+
+- The new event remote_state_access_performed is raised when remote state
+  access has been performed (Robin Sommer).  This is primarily for debugging.
+
+- The log() built-in has been renamed to ln() to avoid conflict (Vern Paxson).
+
+- bifcl now generates event generation wrapper functions from event.bif
+  (Ruoming Pang).  For example, to generate event http_reply, currently
+  one writes:
+
+		val_list* vl = new val_list;
+		vl->append(BuildConnVal());
+		vl->append(new StringVal(fmt("%.1f", reply_version)));
+		vl->append(new Val(reply_code, TYPE_COUNT));
+		if ( reply_reason_phrase )
+			vl->append(reply_reason_phrase);
+		else
+			vl->append(new StringVal("<empty>"));
+		ConnectionEvent(http_reply, vl);
+
+  In the future, one will be able to just call bro_event_http_reply(), and
+  the code generated by bifcl looks like:
+
+	void bro_event_http_reply(Connection* c, StringVal* version,
+					bro_uint_t code, StringVal* reason)
+		{
+		val_list* vl = new val_list;
+
+		vl->append(c->BuildConnVal());
+		vl->append(version);
+		vl->append(new Val(code, TYPE_COUNT));
+		vl->append(reason);
+
+		mgr.QueueEvent(http_reply, vl, SOURCE_LOCAL, c);
+		}
+
+  Accompanying this change is a semantic shift to types "string" and "port"
+  in .bif files.  They used to be translated to C++ types BroString* and
+  uint32, respectively.  Now they are translated to StringVal* and PortVal*.
+  The functions in bro.bif are changed accordingly, and please be aware
+  of this change when you write built-in functions in future.
+
+  Also for this change, the parameter 'new' for rsh_request has been renamed
+  'new_session', as 'new' is a reserved word for C++.
+
+- Some ICMP "connections" now have services identified ("icmp-echo",
+  "icmp-unreach") rather than just listing the service as "other"
+  (Ruoming Pang).
+
+- The new option remote_trace_sync_interval specifies an interval after
+  which each Bro will stop processing its trace and wait for all others
+  to signal that they have reached the same time (Robin Sommer).  The
+  intent is support for operating Bro in a distributed cluster fashion
+  (and in particular for debugging such clusters when running off-line
+  on traces).
+
+  This option only works in pseudo-realtime mode, and requires the new
+  global remote_trace_sync_peers to give the total number of remote peers
+  (not including self).  Signaling is done via a new communication message
+  type.
+
+- Extensions for DNS transformation/anonymization, including introduction
+  of trace transformation for protocols other than TCP (Jason Lee).
+  Not yet fully developed/debugged.
+
+- Extensions for HTTP transformation/anonymization (Martin Casado).
+  Not yet fully developed/debugged.
+
+- The $conn field is now included in HTTPProxyFound notices (Robin Sommer).
+
+- Changed service inference algorithm to favor lower-numbered
+  likely-servers over higher-numbered ones (Vern Paxson).
+
+- In pseudo-realtime mode, Bro now uses real-time for deciding which
+  peer should send state (Robin Sommer).
+
+- Time synchronization for Bro's running on traces in pseudo-realtime mode
+  added (Robin Sommer).
+
+- Avoidance of false content gaps improved when sorting packets with
+  out-of-order timestamps (Ruoming Pang).
+
+- Packets from the packet sorter are now more robustly drained upon
+  termination of input (Ruoming Pang).
+
+- Documentation for deep-copy updated (Christian Kreibich).
+
+- Nasty fragment reassembly bug fixed (Vern Paxson).
+
+- Serious bugs in EDNS0 processing fixed (Vern Paxson).
+
+- Fixed significant misfeature of interconn.bro that stopped all processing
+  of a connection once it makes a detection (Vern Paxson).
+
+- Fixes for &read_expire operation across synchronizes tables (Robin Sommer).
+
+- Fixes for multiple peers exchanging initial &sync state simultaneously
+  (Robin Sommer).
+
+- Improvements to graceful termination of Bro when communicating with
+  remote peers (Robin Sommer).
+
+- Fix for ICMP analyzer not always generating icmp_sent events
+  (Robin Sommer).  This appears to still need some work, as now
+  it generates redundant events.
+
+- Fix for initial exchange of &sync state which could lead to 
+  referencing unknown IDs (Robin Sommer).
+
+- Fix to scan detection for differing semantics of connection compressor
+  vs. non-compressor (Robin Sommer).
+
+- Bug fix for distinguishing regular expression matches of length 0 from
+  those of length 1 (Ruoming Pang).
+
+- Fix for SSH version parsing in the presence of content gaps (Robin Sommer).
+
+- Bug fix for IRC that could lead to crashes (Robin Sommer).
+
+- Bug fix to refrain from adding new timers when a connection has
+  already been removed from the connection table (Robin Sommer).
+
+- Bug fix for packet_contents not including the transport-layer header
+  (Robin Sommer).
+
+- Some memory leaks fixed (Robin Sommer).
+
+- A bunch of portability and distribution problems fixed (Christian
+  Kreibich, Robin Sommer, Vern Paxson).
+
+
+1.1 Mon May 15 10:50:33 PDT 2006
+
+- Bro now supports a "when" statement for taking action upon something
+  becoming true asynchronously (Robin Sommer).  This provides a powerful
+  new mechanism with numerous applications.
+
+  Syntax:
+
+	when '(' <expr> ')' <stmt> [timeout <interval> '{ <stmts> '}']
+
+  where the first <stmt> can be a single statement or a block enclosed
+  in {}'s, but the set associated with "timeout" must be enclosed in
+  {}'s (to reduce ambiguities in Bro's grammar).
+
+  Bro executes the first statement when <expr> becomes true. If you give
+  a timeout and the condition has not been satisfied before it expires, Bro
+  executes the second statement instead.
+
+  A simple example:
+
+	global t: table[addr] of count;
+	event connection_established(c: connection)
+	    {
+	    local orig = c$id$orig_h;
+	    if ( orig !in t )
+		{
+		t[orig] = 1;
+
+		when ( t[orig] == 5 )
+		    print fmt("%s has established 5 connections", orig);
+		timeout 1 hr
+		    {
+		    print fmt("%s has NOT established 5 connections", orig);
+		    delete t[orig];
+		    }
+		}
+	    else
+		++t[orig];
+	    }
+
+  Notes:
+	- The condition may be evaluated more than once, and at arbitrary
+	  times.
+
+	- When the when-body is executed, the condition is guaranteed to be
+	  still satisfied.
+
+	- Expression reevaluation is primarily triggered by modifications
+	  to globals.  However, reevaluations do not take place immediately
+	  but potentially at a later point.  This means that if we change a
+	  global to a value which would execute the trigger but then change
+	  it back, the change may go unnoticed.
+
+	- Inside the condition you may introduce new locals.  For example,
+
+	    when ( (local x = foo()) && x == 42 ) ...
+
+	  Such an assignment always yields true as its expression value
+	  (but the assignment might be delayed, for example if foo() is
+	  a delayed function call - see below).
+
+  Delaying function calls
+  =======================
+
+  Functions called inside the condition of a when-clause may delay their
+  results until they're ready. This works for both script-level and built-in
+  functions.
+
+  For script-level functions, there is a new construct, "return <when-stmt>",
+  to delay a function's result. When used, the function returns at the
+  time the when-stmt's condition becomes true, and it yields the value
+  that the when-stmt's body then returns. Toy example:
+
+      global X: table[string] of count;
+
+      function a() : count
+	    {
+	    # This delays until condition becomes true.
+	    return when ( "a" in X )
+		  {
+		  return X["a"];
+		  }
+	    timeout 5 min
+		  {
+		  return 0;
+		  }
+	    }
+
+      event bro_init()
+	    {
+	    # Installs a trigger which fires if a() returns 42.
+	    when ( a() == 42 ) { print "Yippie!"; }
+
+	    X["a"] = 42;
+	    }
+
+  There's also a new built-in function which can delay
+
+	lookup_addr(host: addr)
+
+  performs asynchronous DNS address->hostname lookups. Example:
+
+	    local h; addr;
+	    [...]
+	    when (local name = lookup_addr(h)) { print h, name; }
+
+  See the function gen_hot_notice_with_hostnames() in conn.bro for
+  a more worked-out example of using the "when" clause to translate the
+  local address in SensitiveConnection notices to a hostname (contributed
+  by Brian Tierney).  This functionality is activated by redef'ing
+  xlate_hot_local_addr to T.
+
+  Here is the full evaluation model of a when's condition:
+
+       - The condition may be evaluated more than once, at arbitrary times.
+
+       - It is always fully evaluated, no matter whether some former
+	 evaluation has been suspended by a delaying function call.
+
+       - All function calls which do not delay are always *fully* executed
+	 each time the condition is evaluated.
+
+       - Function calls which delay are only executed *once*; their result is
+	 cached and re-used in the case the condition is evaluated again.
+
+       - The condition is guaranteed to be true when the body is executed
+	 (potentially using cached function results)
+
+- By default Bro now uses a configuration similar to what used to be
+  activated using reduce-memory.bro, along with some additional state
+  timeouts that are new (Robin Sommer and Vern Paxson).  This allows for
+  better state management out-of-the-box, at the cost of some precision
+  of analysis and resilience to evasion.  In particular, the intent is to
+  move towards being able to run Bro continuously without inexorably growing
+  the amount of memory used until exhaustion.
+
+  You can access a configuration similar to the previous default state
+  management settings by loading heavy-analysis.bro.  It turns on a
+  load-prefix of "heavy", so when you load XXX.bro, a file heavy.XXX.bro
+  will also be automatically loaded if present.  Note that, as was the
+  case for reduce-memory, you need to load heavy-analysis prior to other
+  files for it to have effect.
+
+- The new module clear-passwords.bro monitors login/FTP/IRC/POP traffic
+  for cleartext passwords (Jason Lee).
+
+- The new script service-probe.bro looks for remote hosts that repeatedly
+  connect to the same service on local hosts (for a configurable set of
+  services and connection sizes) in order to detect brute-forcing attacks
+  such as password-guessing (Jim Mellander).
+
+- A new ARP analyzer generates three events:
+
+	event arp_request(mac_src: string, mac_dst: string,
+			SPA: addr, SHA: string, TPA: addr, THA: string);
+
+	event arp_reply(mac_src: string, mac_dst: string,
+			SPA: addr, SHA: string, TPA: addr, THA: string);
+
+	event bad_arp(SPA: addr, SHA: string, TPA: addr, THA: string,
+			explanation: string);
+
+  with a corresponding policy script arp.bro (Chema Gonzalez and Vern Paxson).
+  It writes logs to arp.$BRO_LOG_SUFFIX.  It has not been tested much yet.
+
+- Bro Lite changes (Jason Lee):
+	- default user for is now user 'bro'
+	- now uses the correct sysctl on FreeBSD 6
+	- now uses the correct Perl path if site-report.pl not installed
+	  into '/usr/local/bro'
+	- no longer prompts to encrypt email unless you pick to email reports
+
+- The default Bro Lite install now only checkpoints Bro once a week
+  (Brian Tierney).
+
+- Implicit Bro file extensions (such as .bro for policy scripts and .sig
+  for signatures) are now searched for first rather than only if the
+  non-extension-version of the file doesn't exist (Vern Paxson).  For
+  example, running "bro -r trace mt" now first searches $BROPATH for
+  "mt.bro" before searching for "mt", whereas it used to do these in
+  the other order.
+
+- There's now a simpler mechanism for redef'ing variables on the command-line
+  (Christian Kreibich).  Any command line arguments of the form <var>=<val>
+  are now expanded into policy code of the form "redef var=val;", where
+  <val> is wrapped in quotation marks if the value appears to be a string
+  and doesn't have quotation marks already.  This works with strings with
+  whitespace such as foo="Hello World"; however, note that it means you
+  can't use the mechanism to redef an enum value.
+
+- The Bro distribution now includes (and builds by default) Christian
+  Kreibich's Broccoli library (Bro C Client Library), which enables programs
+  to communicate with running Bro's (Christian Kreibich and Jason Lee).
+  Configure with --disable-broccoli to turn this off.
+
+- Built-in functions log(x: double): double and exp(x: double): double
+  which do natural logarithms and their inverses (Jaeyeon Jung).
+
+- The new built-in function gethostname() returns the local host's name
+  (Jason Lee & Robin Sommer).
+
+- The new built-in function reading_traces() returns true if Bro
+  is reading trace files (Robin Sommer).
+
+- The new built-ins suspend_processing() and continue_processing() provide
+  script-level control for instructing the event engine to stop or resume
+  processing packets (Robin Sommer).  This is useful for coordinating
+  simultaneous processing by multiple Bro's.
+
+- Email notices are now by default sent via /bin/mail, with "[Bro Alarm]"
+  in the subject.
+
+- redef'ing a function now replaces the existing body rather than
+  supplementing it (Robin Sommer), which was a bug.
+
+- You can now configure Bro to process encapsulated IP packets either
+  by setting, as before, a fixed encap_hdr_size (for VLANs), or setting
+  parse_udp_tunnels to T (Ruoming Pang).  For the latter, you specify a
+  UDP tunnel port using udp_tunnel_port (the previous variable "tunnel_port"
+  has gone away); or you can leave it set to its default of 0/udp, in which
+  case Bro will look for IP encapsulated in UDP packets on any port.
+
+- Added a simple form of profiling based on sampling the work done
+  per-packet (Vern Paxson).  The event engine generates a
+
+	event load_sample(samples: load_sample_info, CPU: interval, dmem: int)
+
+  event every load_sample_freq packets (roughly; it's randomized), where
+  load_sample_freq defaults to 20.  "samples" is simply a set[string]; it
+  contains the names of the functions, event handlers, and their source
+  files that were accessed during the processing of the sampled packet,
+  along with an estimate of the CPU cost of processing the packet and
+  (currently broken) memory allocated/freed.
+
+- Bro now includes experimental support for Endace DAG cards (Gregor Maier
+  and Robin Sommer).  To activate, configure with
+
+	--with-DAG=/path/to/dagtool/installation
+
+  and use "dag0" as the network interface. You may need to configure the
+  card with the dagtools first. In general, if dagsnap works, Bro should
+  work as well.
+
+- Log rotation has changed in a number of ways (Mark Dedlow & Robin Sommer):
+
+	  * The new variable log_rotate_base_time: string, if defined,
+	    specifies that logs should be rotated at log_rotate_base_time +
+	    i * rotate_interval intervals. Format is as a string in
+	    24-hour time, "%H:%M", e.g, "12:00".  This format may change
+	    in the future to instead be a Bro time type.
+
+	  * RotateLogs::date_format can be redefined to change format of
+	    timestamps in rotated files.
+
+	  * RotateLogs::build_name() can be redefined to implement an
+	    arbitrary naming scheme for rotated files.
+
+  Note, this code has not been extensively tested.
+
+- Bro now by default builds a version of malloc bundled with its
+  distribution (Vern Paxson & Brian Tierney).
+
+- The syntax for the clone operator now looks like a function call,
+  "copy(x)" (Vern Paxson).
+
+- The new flag DNS::logging (default F), if T, disables generation of
+  dns.log (which is often uninteresting and very large), though it
+  still performs analysis leading to NOTICEs (Robin Sommer).
+
+- A new global, hostile_domain_list, has been added to dns.bro which
+  lists domains to be flagged if A or MX records are queried (Scott Campbell).
+
+- Added globals dns_skip_all_{auth,addl} to skip all DNS AUTH/ADDL processing
+  (Vern Paxson).  Skipping these is on (true) by default, because such
+  processing is quite expensive.
+
+- backdoor.bro now turns off by default some detectors that from experience
+  have too many false positives, or (such as for HTTP) too many uninteresting
+  true positives (Brian Tierney).  In addition:
+
+	- the module now generates a BackdoorFound notice for each backdoor
+
+	- the new variable dump_backdoor_packets (default F) if set causes
+	  the packet that triggered the backdoor detection to be written to
+	  backdoor-packets/<tag>:<time> 
+
+	- the new variable backdoor_ignore_host_port_pairs is a set[addr, port]
+	  specify host/port combinations to ignore
+
+	- 587/tcp is now recognized as another SMTP port, and 7000/tcp as
+	  a popular IRC port ignored by default
+
+	- brolite-backdoor.bro is a sample of using backdoor.bro
+
+- A bunch of enhancements and fixes for the IRC backdoor detector
+  (Vern Paxson).
+
+- The cf utility in aux/cf/ now gets the format to use (unless you specify
+  -f fmt) from $CFTIMEFMT in the environment.  You can now specify -f
+  without a format to revert to the default format.  This change also
+  includes a significant performance improvement when processing large
+  files (Mark Dedlow and Craig Leres).
+
+- Cleanups for brolite.bro and brolite-backdoor.bro (Brian Tierney).
+  brolite.bro now uses rotate-logs by default.
+
+- backdoor.bro now enables analysis of partial connections (Vern Paxson).
+
+- brolite config cleanup: removed smtp.bro from default, increased
+  max_timer_expires, changed default BROPATH to look at site dir
+  first (Brian Tierney).
+
+- The reference manual has been updated for the terminology changes
+  of log -> alarm, alert -> notice, and rule -> signature (Vern Paxson).
+  Some vestiges of the older terminology remain, in part because they're
+  still present in some facets of Bro.
+
+- The new script function get_current_packet(): pcap_packet returns
+  the current packet as a "pcap_packet" record with fields $ts_sec,
+  $ts_usec, $caplen, $len (all of type count) and $data (a string)
+  reflecting the corresponding libpcap values (Christian Kreibich).
+  You can write this packet to a dump file using the new function
+  dump_packet(pkt: pcap_packet, file_name: string): bool, which writes
+  (or appends) the packet to a file of the given name, returning T
+  on success and F on error.
+
+- The new fmt() specifier 'T'  converts values of type "time" to ISO
+  format timestamps, analogous to how 'D' does this for ISO dates
+  (Mark Dedlow).  fmt("%T", <time>) is equivalent to
+  fmt("%s", strftime("%F-%T.%N", <time>)), except that strftime
+  does not (yet) offer "%N" for nanoseconds (but see 'date +%F-%T.%N').
+
+- The new %S format for fmt() inserts a "raw" version of the given string -
+  that is, embedded NULs, control characters, etc., are present without
+  any escaping (Christian Kreibich).
+
+- Zero-padding and field widths now work for all fmt() formats rather than
+  just %e/%f/%g (Christian Kreibich).   For example, you can now say:
+
+	local filename = fmt("log-%04.txt", ++counter);
+
+  and get logfiles log-0001.txt, log-0002.txt, ..., log-0999.txt, etc.
+
+- The 'x' format specifier now supports values of type "addr", converting
+  them t hex (Mark Dedlow).  For example,
+
+	  fmt("str=%s hex=%x", 1.2.3.4, 1.2.3.4)
+
+  produces
+
+	str=1.2.3.4 hex=01020304
+
+  The field designation is either %08x (if compiled for IPv4 only) or
+  %08x%08x%08x%08x (if compiled with IPv6 support).
+
+- firewall.bro has been extended to support multiple independent
+  rule-sets (by calling begin() for the start of the next one),
+  specifying sets of addresses, being FTP-aware, and with a more
+  streamlined Notice message (Robin Sommer).
+
+- The HTTP script variables maintain_http_sessions and http_sessions
+  are now exported so they can be redefined or, for the latter, have
+  timeouts added/adjusted (Robin Sommer).
+
+- You can load the new policy script log-append.bro to change Bro's
+  behavior so that when it runs appends to existing log files rather
+  than overwriting them (Mark Dedlow).
+
+- New &disable_print_hook attribute for files (Robin Sommer).  If set,
+  print statements to the file don't trigger the print_hook event.  This
+  is useful to keep the output of certain files from being propagated to
+  peers.
+
+- You can now associate "classes" with remote peers (Robin Sommer).  When
+  connecting, a node may send a specific class to which it considers itself
+  belonging. The accepting side can then tune its configuration based on
+  the received class.
+
+  This is primarily for the having multiple unrelated Broccolis running on the
+  same host, all connecting to the same remote Bro (e.g., sshd and syslog
+  sensors).
+
+  To use this, on the Bro side the record Remote::Destination now has a
+  field "class: string" (default: unset).  If set, the given config entry
+  only applies for connecting remote peers that send the given class.
+  If it is set and we're connecting to another peer, we propagate the class.
+
+  Example:
+
+      On the listening Bro:
+
+	    redef Remote::destinations += {
+		["peer-1"] =
+			[$host = 127.0.0.1, $class="ftp", $events = /ftp.*/],
+	        ["peer-2"] =
+			[$host = 127.0.0.1, $class="http", $events = /http.*/]
+	    };
+
+      On peer 1:
+
+	    redef Remote::destinations += {
+		  ["master"] =
+			[$host = 127.0.0.1, $class="ftp",
+			 $events = /.*/, $connect=T]
+	    };
+
+      On peer 2:
+
+	    redef Remote::destinations += {
+		  ["master"] =
+			[$host = 127.0.0.1, $class="http",
+			 $events = /.*/, $connect=T]
+	    };
+
+  All of these may run on the same host.
+
+- A bunch of changes to adu.bro (Christian Kreibich):
+
+	- New ADU_MAX_DEPTH limits depth (at ADU granularity) into a
+	  flow up to which ADUs are reported.
+
+	- Handles UDP.
+
+	- New event adu_done(c: connection) signals that no further ADUs
+	  will be delivered for a connection.  This is useful since adu.bro
+	  relies on event connection_state_remove() to remove state, and
+	  if a policy using adu.bro likewise uses this event type then
+	  event sequencing can cause adu_tx/rx events to occur after
+	  connection_state_remove() has been processed.
+
+	- Now correctly clips ADU to maximum allowed size.  (Note, this
+	  has been temporarily commented out because it relies on a new
+	  string function that has not yet been integrated into the
+	  main distribution.)
+
+	- Now can ignore specific connections dynamically.
+
+	- TCP content gaps are now recognized and ADU delivery is for now
+	  stopped for such flows, unless explicitly requested. 
+
+	- No longer logs to file in test mode.
+
+- The new function add_notice_tag() explicitly adds a unique notice tag
+  to a connection's $addl field (Robin Sommer).  This is sometimes necessary
+  to ensure that the tag appears in the connection summary.
+
+- Bro now performs serialization (such as when checkpointing &persistent
+  tables or communicating them between Bro's) in an incremental fashion,
+  intermingling transfers of large tables with ongoing packet processing
+  (Robin Sommer).  Doing so helps avoid packet drops for large items. 
+  This has not yet been implemented for the initial handshake done
+  for &synchronized items.
+
+- ssl.bro now stores certificates by default in the subdirectory "certs/"
+  (Robin Sommer).
+
+- Analysis of weak/unknown ciphersuites in ssl.bro reworked (Holger Dreger).
+
+- New cipher for SSL analysis, SSL_CK_RC4_64_WITH_MD5 (Holger Dreger).
+
+- load-levels and cpu-adapt now log their adaptations to the log file
+  rather than generating alarms (Robin Sommer).
+
+- The default adaptation levels in cpu-adapt have been tweaked for better
+  behavior (Robin Sommer).
+
+- A new structure of the event loop (implemented by Robin Sommer) is now
+  enabled during configuration by default (Christian Kreibich).  You can
+  revert to the previous structure using --disable-select-loop.
+
+- When configuring Bro, the version of pcap that comes with the Bro
+  distribution is no longer used by default (Jason Lee).  Instead,
+  the system one is used, or one at the same directory level as Bro.
+  To use the Bro distribution version, configure with --enable-shippedpcap.
+
+- backdoor.bro now has comments clarifying that it does not itself
+  alter capture_filters (Vern Paxson).
+
+- If you set backdoor_stat_period to 0 sec, then this now turns off
+  the periodic component of backdoor analysis (Holger Dreger).
+
+- The filters specified in notice_action_filters now take an additional
+  argument specifying the action that has been determined so far (Robin
+  Sommer).  This allows the filter to decide to not change the current
+  action, if it so wishes.
+
+- The new event notice_alarm(n: notice_info, action: NoticeAction) is
+  generated for every notice that results in an alarm (Robin Sommer).
+
+- Tallying of notices is now done using a notice, which has type NoticeTally
+  (Robin Sommer).
+
+- The new notice action filter alarm_always_notice specifies an action
+  of NOTICE_ALARM_ALWAYS (Vern Paxson).
+
+- If the watchdog expires and Bro isn't generating a packet trace file,
+  the current packet is saved to "watchdog-pkt.pcap" (Robin Sommer).
+
+- New boolean globals tcp_contents_deliver_all_{orig,resp} allow easy
+  requesting of content delivery for all TCP traffic in orig/resp directions
+  (Christian Kreibich).
+
+- The new event udp_contents(u: connection, is_orig: bool, contents: string)
+  delivers the contents of UDP packets analogous to tcp_contents (Christian
+  Kreibich).  The boolean globals udp_content_deliver_all_{orig,resp} and
+  tables udp_content_delivery_ports_{orig,resp} control for which ports
+  content is delivered, analogous to the globals that control tcp_contents.
+
+- New option --set-seed=n sets the random number seed to n (Vern Paxson).
+
+- Notices now report current time for remotely-received notices rather
+  than network time (Brian Tierney).
+  
+- Notices now include a tag es=<peer_description> any time a peer
+  description is defined, not just for remote notices (Robin Sommer).
+
+- The global log_as_connection has been removed from icmp.bro, which now
+  only logs ICMP flows via the usual connection logging (Vern Paxson).
+
+- The Destination variable $accept_state has been renamed $accept_input
+  to better reflect its meaning (Vern Paxson).
+
+- A remote destination's $sync field now indicates whether to accept
+  ongoing state changes from peers, rather than just upon start-up
+  (Robin Sommer).  The variable $accept_state controls whether we
+  accept events.
+
+- Logging of forms of Bro communication has been unified (Robin Sommer).
+
+- Updates for packet filtering documentation (Christian Kreibich).
+
+- A new global, stp_skip_src, lists sources that should be skipped for
+  stepping-stone analysis (Vern Paxson).  ssh-stepping.bro adds sources to
+  this list if they've instantiated more than src_fanout_no_stp_analysis_thresh
+  connections, keeping them blocked until they've been idle for 15 seconds.
+
+- Added a default notice-policy.bro as an example (Brian Tierney).
+
+- Expanded on descriptive text in notice-policy.bro (Vern Paxson).
+
+- ef removed from aux/hf/, as it's of little use and a headache to
+  maintain for portability (Vern Paxson).
+
+- The version of libpcap bundled with the distribution has been
+  elevated to 0.8.3 (Jason Lee).
+
+- Bro now compiles again if non-blocking DNS is not available (Robin Sommer).
+
+- Resource statistics logging now differentiates between offline
+  processing vs. remote-communication-only (Mark Dedlow and Robin Sommer).
+
+- The script variable ICMP::distinct_pairs now times out its state,
+  with a default of 15 minutes after creation (Robin Sommer).
+
+- The Bro version reported now includes "-debug" if Bro was configured
+  with --enable-debug (Robin Sommer).
+
+- scan.bro now defaults "shut_down_all_scans" to T, meaning it by
+  default detects scans on all ports, not just those in the set
+  shut_down_scans (Vern Paxson).  Please note, this variable is
+  misnamed - it should be "detect_all_scans" - but that change is
+  waiting on reworking the basic structure of scan detection.
+
+- Major bug fix for signature matcher missing matches on analyzer data
+  (Robin Sommer).  For example, a condition "http /foo/" would only have
+  match with the first URL in a connection, not subsequent ones.  Fixing
+  this changes the calling sequence of the match_signatures() built-in to
+  take an additional final parameter, "clear", which, if set, resets the
+  matcher to its starting state prior to matching.
+
+- Serious bug in regular expression matching - and hence signature engine -
+  fixed (Robin Sommer).
+
+- Bug fix for formatting (via fmt()) of very long strings (Vern Paxson).
+
+- Fixed mail_reports.sh to correctly find sendmail binary on various systems
+  (Brian Tierney).
+
+- Numerous changes to Bro's internal string representation, and more
+  flexibility in how strings are rendered for display (Christian Kreibich).
+
+- Pseudo-real-time now can be initialized using an optional argument
+  that corresponds to the degree of time compression (Robin Sommer).
+  For example, --pseudo-realtime=0.5 causes time to advance half as fast
+  as it would in real-time.  The default value is 1.0; any value > 0 is
+  allowed.
+
+- The SSH analyzer now looks for just linefeeds as line terminators when
+  extracting version strings, rather than carriage-return-line-feeds, to
+  match actual implementations rather than the RFC (suggested by Chema
+  Gonzalez).
+
+- Playing back events from files now working again (Robin Sommer).
+
+- Bro now uses current_time() rather than network_time to track the
+  modification time of variables, since network_time doesn't advance
+  when only receiving events (Robin Sommer).
+
+- Bug fixes for IPv6 support, including processing UDP traffic
+  (which had been completely broken) and subtle interactions (actually,
+  lack thereof) between the connection compressor and IPv6 that
+  could lead to crashes (Vern Paxson).
+
+- Portability tweaks for NetBSD, 64-bit Linux SuSe and FreeBSD 5.4
+  (Christian Kreibich, Jason Lee and Vern Paxson).
+
+- Bug fix for IPv6 "::" constants that start with hex digits specified
+  using 0x (Vern Paxson).
+
+- Calling the built-in terminate() function twice now has no additional
+  effect (Christian Kreibich).  It used to terminate Bro abruptly, without
+  cleanly shutting down.
+
+- Removed active.bro; use active_connection() + connection_record() instead
+  (Vern Paxson).
+
+- Bro lite reports now work with rotated logs files (Brian Tierney)
+
+- Bug fix for conditions such as "payload /^user/", which now work equivalent
+  to "payload /user/" (Robin Sommer).
+
+- Tweaks to sensitive patterns in HTTP request URIs to reduce false
+  positives (Brian Tierney).
+
+- Bug fixes for strip() built-in function (Holger Dreger).
+
+- Memory leak in built-in function to_addr() fixed (Ruoming Pang).
+
+- Bug fix for "hot" connections sometimes not having their notice tag
+  appearing in connection summaries (Robin Sommer).
+
+- Bug fixes for IRC analysis (Vern Paxson and Robin Sommer).
+
+- Syslogging now works if Bro is running in communication-only mode
+  i.e., live, but not reading a network interface (Robin Sommer).
+
+- Bug fix to allow tuning of TRW parameters (Vern Paxson).
+
+- Bug fixes for SSL analysis (Holger Dreger).
+
+- Removed logic that inverted orig/resp in some scans (Vern Paxson).
+
+- Lint & memory allocation tweaks (Vern Paxson).
+
+- Bug fixes for inactivity timeouts (Robin Sommer).
+
+- Bug fix for Bro Lite cron job (Jason Lee).
+
+- When binding to a listening port for remote communication fails,
+  the port number is now reported (Robin Sommer).
+
+- Some spurious reporting removed from configure output (Jason Lee).
+
+- Fix for "weird"'s generated by connection compressor but not
+  recognized at the policy script level (Vern Paxson).
+
+- Fixes for detecting content gaps and not matching previously delivered
+  data (Ruoming Pang).
+
+- Bug fixes for TCP rewriter (Ruoming Pang).
+
+- Bug fixes for crashes in SSL analyzer (Vern Paxson).
+
+- Bug fix for avoiding busy-waiting when a communication child dies
+  (Robin Sommer).
+
+- Bug fix for BiF's that use 'T' and 'F' in character constants
+  (Vern Paxson).
+
+- Memory leak fixes (Robin Sommer, Christian Kreibich, Vern Paxson and
+  Ruoming Pang).
+
+- The peer table for inter-Bro communication is now correctly indexed by a
+  peer_id (Robin Sommer).
+
+- Bug fix for exchange of initial &synchronized state which could
+  prevent communication from entering main phase (Robin Sommer).
+
+- Bug fix for propagating incremented table values derived from
+  a table's &default (Robin Sommer).
+
+- Bug fixes for the POP3 analyzer when analyzing non-NUL-terminated strings
+  or bad base64 encodings (Vern Paxson).
+
+- Updates for Bro's internal hash functions (Ruoming Pang).
+
+- The debug and communication log files now comply with $BRO_LOG_SUFFIX
+  (Robin Sommer).
+
+- Some internal debugging additions (Ruoming Pang).
+
+- Internal cleanup regarding "const" strings (Ruoming Pang).
+
+- A number of casts changed to use modern C++-style pointer casting
+  such as reinterpret_cast and static_cast (Ruoming Pang).
+
+- Bug fixes for inter-Bro communication on 64-bit systems (Robin Sommer).
+
+- Bug fixes for detecting errors for SSL connections (Robin Sommer).
+
+- Potential null pointer dereference fixed (Robin Sommer).
+
+- Inter-Bro communication is now more reliable in the presence of errors
+  (Robin Sommer).
+
+- Performance enhancement for tracking values whose elements might
+  change (Robin Sommer).
+
+- Fixes for peers having differing enum lists (Robin Sommer).  This can
+  occur because they're running different scripts and which do different
+  redef +='s to add enum values.
+
+- += now works for interval types (Vern Paxson).
+
+- Bug fix for exchanging peer descriptions (Robin Sommer).
+
+- Bug fix for processing multipart-MIME HTTP messages with content-length 
+  headers (Ruoming Pang).
+  
+- Bug fix for failing to escape "'s in HTTP server replies (Robin Sommer).
+
+- Bug fix for propagating increment operations on tables (Robin Sommer).
+
+- Bug fixes for files (Robin Sommer): set open time to current time if
+  network time is not initialized; when deserializing files, prevent them
+  from being closed immediately due to reference-counting interaction.
+
+- Bug fix to prevent reporting some scans twice (Robin Sommer).
+
+- Bug fix for printing enum's (Christian Kreibich).
+
+- When not configured with --enable debug, Bro now still accepts (yet ignores)
+  option -B (Robin Sommer). 
+
+- Serialization enhancements and fixes, including a change of the
+  protocol version number (Robin Sommer).
+
+- Bug fix for logging inter-Bro communication (Robin Sommer).
+
+- Bug fixes for enumerating attributes and timers (Robin Sommer).
+
+- Bug fix for signatures matching first on one side of the connection,
+  and then on the other, being reported twice (Robin Sommer).
+
+- Inter-Bro communication now continues to work even when packet processing
+  has been suspended (Robin Sommer).
+
+- Fix for running multiple Bro's together in pseudo-realtime (Robin Sommer).
+
+- Tweak to print-resources.bro so it can be loaded standalone (Vern Paxson).
+
+- Bug fix for &persistent state not being save if Bro wasn't running
+  with an input source (Robin Sommer).
+
+- Bug fix for which process ID to check to see if children are still alive
+  (Robin Sommer).
+
+- Bug fix for no longer crashing if the expiration function associated
+  with a table deletes the element from the table rather than returning
+  an interval of 0 secs to indicate it should be deleted (Chema Gonzalez).
+
+- Bug fix for OutboundTFTP notice: now checks to ensure that not only is
+  the source local, but the destination is not local (Vern Paxson).
+
+- Bug fix for a subtle interaction mediated by errno, which could cause a
+  failed read() to later confuse pcap_dispatch() (Chema Gonzalez).
+
+- Bug fix for TCP contents assertion checking (Ruoming Pang).
+
+- Bug fix for error output on small RPC fragments (Ruoming Pang).
+
+- Fix for connection compressor bug in tracking connection history
+  (Robin Sommer).
+  
+- Bug fix for potential floating point exception in signature engine's
+  resource-profiling code (Robin Sommer).
+
+- Bug fix for low-level List data structure when replacing a list element
+  beyond the end of a list (Robin Sommer).
+
+- Bug fix in initializing capabilities when setting up communication between
+  Bro peers (Robin Sommer).
+
+- A number of connection compressor bug fixes: weird's for spontaneous
+  FINs and RSTs, consistent processing of "connections" that begin with
+  RSTs, correct checksum computations, and weird's printed to stderr if
+  no event handler defined (Robin Sommer).
+
+- load_sample_freq is now &redef (Vern Paxson).
+
+- Bug fix for backdoor detector incorrectly matching substrings (Vern Paxson).
+
+- Bug fix for canceling timers sometimes failing to cancel all of
+  them (Robin Sommer).
+
+- Error handling during un-serialization now handled more robustly
+  (Robin Sommer).
+
+- Bug fix for division by zero if expensive_profiling_multiple
+  set to zero (Robin Sommer).
+
+- Bug fix for connection logs failing to track all of the annotation
+  ($addl) associated with a connection (Vern Paxson).
+
+- Portability fix for BinPAC (Ruoming Pang).
+
+- Fix to NFS analyzer for missing values in events reporting failed requests
+  (Vern Paxson).
+
+- autogen.sh now aborts as soon as one of the tools it invokes fails
+  (Christian Kreibich).
+
+- Fixed bug where not having SSL would cause bro to not compile (Jason Lee).
+
+- State-holding fix for adu.bro (Christian Kreibich).
+
+- A number of configuration tweaks (Craig Leres & Christian Kreibich).
+
+- Fix for sig-functions.bro: checks isApache* functions, which ensure
+  that Apache is indeed in the software set before accessing the index
+  (Brian Tierney and Robin Sommer).
+
+- Smith-Waterman fixes and test suite script (Christian Kreibich).
+
+
+1.0 Sun Oct 23 17:27:45 PDT 2005
+
+- Bro now includes BinPAC (Binary Protocol Analyzer Compiler), a language
+  and compiler for automating the construction of analyzers for binary
+  protocols (Ruoming Pang).
+
+- Ruoming has used BinPAC to rewrite the analyzers for DCE/RPC (with
+  significant enhancements, including adding the endpoing mapper) and SMB
+  (likewise enhanced and bug-fixed), and creating a new analyzer for NCP
+  (Netware Core Protocol).  The NCP analyzer generates two events:
+
+	ncp_request(c: connection, frame_type: count, length: count,
+			func: count)
+
+	ncp_reply(c: connection, frame_type: count, length: count,
+			req_frame: count, req_func: count,
+			completion_code: count)
+
+- The beginnings of an analyzer for NetBIOS name service (Ruoming Pang).
+  It generates the following events:
+
+	event nbns_standard_name_query(c: connection)
+	event nbns_nbstat_query(c: connection)
+	event nbns_name_reg_request(c: connection)
+	event nbns_nb_name_query(c: connection)
+
+- New IRC analyzer (Roland Gruber).  It generates a lot of events; see
+  policy/irc.bro.  Note, the formatting of the log file will at some point
+  be changed to be more uniform and streamlined.
+
+- ICMP events now include an initial parameter of type "connection",
+  the same as for TCP & UDP flows (Ruoming Pang).  This facilitates
+  traffic analysis by associating generic connection events such as
+  connection_state_remove with ICMP events.  This affects:
+
+	event icmp_sent(c: connection, icmp: icmp_conn)
+	event icmp_echo_request(c: connection, icmp: icmp_conn,
+			id: count, seq: count, payload: string)
+	event icmp_echo_reply(c: connection, icmp: icmp_conn, id: count,
+			seq: count, payload: string)
+	event icmp_unreachable(c: connection, icmp: icmp_conn,
+			code: count, context: icmp_context)
+	event icmp_time_exceeded(c: connection, icmp: icmp_conn,
+			code: count, context: icmp_context)
+
+- New POP3 analyzer (Florian Schimandl, Hugh Dollman and Robin Sommer).
+  Loading pop3.bro analyzes the protocol messages, and loading mime-pop.bro
+  also extracts the email headers and content.
+
+- New events (Ruoming Pang):
+
+	connection_first_ACK(c: connection)
+		generated upon the ACK completing a TCP handshake. Useful
+		in detecting "blink scans" (a FIN coming from the client
+		right after the ACK)
+
+	tcp_rexmit(c: connection, is_orig: bool, seq: count, len: count,
+			data_in_flight: count, window: count)
+		generated when a TCP sender retransmits data
+
+	rpc_call(c: connection, prog: count, ver: count, proc: count,
+			status: count, start_time: time,
+			call_len: count, reply_len: count)
+		can be used to process RPC calls in a generic fashion
+
+	nfs_reply_status(n: connection, status: count)
+		supplies the status of NFS server replies
+
+	netbios_session_raw_message(c: connection, is_orig: bool, msg: string)
+		access to a NetBIOS SSN message in raw terms
+
+	smb_get_dfs_referral(c: connection, max_referral_level: count,
+				file_name: string)
+		generated for SMB DFS referal requests
+ 
+	dns_message(c: connection, is_orig: bool, msg: dns_msg, len: count)
+		low-level event generated for each DNS request/reponse
+
+	dce_rpc_bind(c: connection, uuid: string)
+		generated for DCE RPC binds
+
+	dce_rpc_message(c: connection, is_orig: bool, ptype: dce_rpc_ptype,
+			msg: string)
+		low-level access to DCE RPC messages; see const.bif for
+		dce_rpc_ptype values
+
+	epm_map_response(c: connection, uuid: string, p: port, h: addr)
+		reply from DCE portmapper
+
+- New operator |x|, a sizeof operator (Christian Kreibich).  It yields
+  absolute values for numerical values, file size for files, the number
+  of enums for an enum type, the number of addresses in subnets, number
+  of fields in records, numeric equivalent for addresses, the number of
+  elements in vectors/sets/tables, and the length of strings.
+
+- A new clone operator, "* <expr>", produces deep copies of aggregate
+  values and the usual duplicates for atomic ones (Christian Kreibich).
+  For example, while:
+
+	   1	type foo: record {
+	   2		c: count;
+	   3		s: string;
+	   4	};
+	   5
+	   6	f1$c = 10;
+	   7	f1$s = "Hello";
+	   8
+	   9	f2 = f1;
+	   10	f1$c = 20;
+	   11	f1$s = "World";
+	   12
+	   13	print fmt("%d/%s %d/%s", f1$c, f1$s, f2$c, f2$s);
+
+  yields "20/World 20/World", changing line 9 to:
+
+	f2 = *f1;
+
+  yields "20/World 10/Hello".
+
+- New operators "+=" and "-=", which work on both numerical values and
+  strings (Christian Kreibich).
+
+- "+" now works on strings: s1 + s2 yields the concatenation of both
+  (Christian Kreibich).
+
+- You can now express the equivalent of ICMP "port numbers" using
+  <number>/icmp, where <number> is the ICMP type (Ruoming Pang).
+
+- Bro now accepts long versions of options, such as --readfile for -r
+  (Christian Kreibich).
+
+- Bro now has a "pseudo-realtime" mode, activated by --pseudo-realtime,
+  that causes it to mimic real-time operation when executing against
+  a trace (Robin Sommer).  This is useful for evaluating performance in
+  a controlled fashion.
+
+- SMTP analyzer changes (Roger Winslow): support for 554 code in RCPT
+  responses; logging when the server refuses the argument to RCPT;
+  support for 502 code in response to a HELP command.
+
+- Addition of two universal hash functions: H3 (from David Moore, based
+  on code by Ken Keys) and TwoWise (Dietzfelbinger, from Yin Zhang)
+  (Ruoming Pang).  Use --enable-h3 and --enable-dietzfelbinger to enable
+  them (used as the hash function for short data).  H3 is used by default.
+
+- The "bif" compiler for compiling Bro built-in functions now supports
+  an "enum" type (Ruoming Pang).  The syntax is:
+
+	enum dce_rpc_ptype 
+	%{
+		DCE_RPC_REQUEST,
+		DCE_RPC_PING,
+		DCE_RPC_RESPONSE,
+	%}
+
+  which is translated to an enum declaration of "dce_rpc_ptype" in
+  Bro, an EnumType* enum_dce_rpc_ptype in NetVar.{h,cc} and a C++ enum
+  BroEnum::dce_rpc_ptype {...}. 
+
+  One limitation is that redef's on enum types cannot be taken into
+  account because the bif is parsed at compile time.
+
+- 64-bit integer support via --enable-int64 (Ruoming Pang).
+
+- The new, experimental policy script adu.bro provides a generic way to
+  extract application-layer ADUs (Christian Kreibich).  It heuristicly
+  groups blocks of content sent from one side to another, uninterrupted
+  by any data in the opposite direction, into an approximate ADU (request
+  or reply).  These then generate adu_tx (originator -> responder) and
+  adu_rx (responder -> originator) events.  You can control on which ports
+  it does this analysis, as well as the amount of data inspected nad
+  grouped, using variables documented in the script.
+
+- The new built-in function
+
+	function str_smith_waterman(s1: string, s2: string, params: sw_params)
+	: sw_substring_vec
+
+  computes the Smith-Waterman overlap between two strings (Christian Kreibich).
+  The third parameter is a record with two fields, $min_toklen (minimum
+  length for common tokens) and $sw_variant, which takes a value of 0
+  for single-matching and 1 for multiple-matching.
+
+  The return value is a vector of sw_substring records, which hold the
+  following fields:
+
+	str: string;	# the common subsequence
+	index1: count;	# where it occurs in input string 1
+	index2: count;	# where it occurs in input string 2
+	new: bool;	# true if start of new alignment
+
+- If you set the new control variable record_state_history to T, then
+  connections recorded to the conn.$BRO_LOG_SUFFIX log file will include
+  a field that shows the different states encountered during the connection
+  (Mark Allman):
+
+	Symbol	State
+	------	-----
+	S	Initial SYN seen for TCP connection.
+	H	SYN-ACK seen for TCP connection.
+	D	Data packet seen (TCP or UDP).
+	A	Pure ACK seen for TCP connection.
+	F	FIN seen for TCP connection.
+	R	RST seen for TCP connection.
+	I	TCP connection included a FIN+RST packet.
+	Q	TCP connection included a packet with multiple connection
+		control flags other than FIN+RST (e.g., SYN+RST).
+	C	Connection included one or more packets with failed checksums
+		(TCP or UDP).
+
+  The symbols are printed in upper-case for connection originators and
+  lower-case for responders.  The S/H/F/R symbols are also repeated if
+  Bro sees the corresponding control packet subsequently with a different
+  sequence number.
+
+  For example, a TCP connection which Bro saw from the beginning, i.e.,
+  a normal establishment, followed by the client (originator) first sending
+  data, then the server responding, followed by the server initiating a
+  normal close which the client then completes, will be annotated as
+  "ShADadfF".
+
+- The "for" looping construct now can be used to iterate over the non-empty
+  indices of a vector (Christian Kreibich).
+
+- If you set the new variable skip_http_data to T (default: F), then the
+  HTTP analyzer will attempt to not reassemble the data portions of HTTP
+  request/responses (Ruoming Pang).  This can be a performance benefit
+  in environments with high volumes of HTTP traffic, though it may not be
+  a large win if the processing is dominated by executing the policy script.
+
+- The new built-in
+
+	remask_addr(a1: addr, a2: addr, top_bits_from_a1: count): addr
+
+  take some top bits (e.g. subnet address) from a1 and remaining bits
+  (intra-subnet part) from a2 and merge them to get a new address (Ruoming
+  Pang).  Useful for anonymizing at the subnet level while preserving
+  serial scans.
+
+- The new built-in
+
+	decode_netbios_name(name: string): string
+
+  takes a string in NetBIOS encoding and returns its original form
+  (Ruoming Pang).
+
+- The new variable ignore_keep_alive_rexmit controls whether to
+  include keep-alives when counting retransmitted packets (Ruoming Pang).
+  It defaults to F (i.e., do count them).
+
+- The calling sequence of dce_rpc_request and dce_rpc_reply have changed to:
+
+	event dce_rpc_request(c: connection, opnum: count, stub: string)
+	event dce_rpc_response(c: connection, opnum: count, stub: string)
+
+  (Ruoming Pang).  Use dce_rpc_message to get access to the RPC type and
+  the raw message.
+
+- The calling sequence of the netbios_session_message event has changed to:
+
+	netbios_ssn_message(c: connection, is_orig: bool,
+				msg_type: count, data_len: count)
+
+  (Ruoming Pang).  Previously it was parameterized with the connection
+  and the raw message (now available via netbios_session_raw_message).
+
+- The calling sequences of smb_com_{read,write}_andx have changed to
+  no longer include the is_orig parameter because it is in fact fixed for
+  these events (Ruoming Pang).
+
+- The calling sequence of smb_message has changed (Ruoming Pang) to:
+
+	smb_message(c: connection, is_orig: bool, cmd: string,
+			body_length: count)
+
+- Bug fix specifying the &default value for tables that yield function
+  values (Ruoming Pang).  For example:
+
+	type tcp_content_handler_func:
+		function (c: connection, is_orig: bool, seq: count,
+				contents: string);
+
+	function default_tcp_content_handler(c: connection, is_orig: bool,
+						seq: count, contents: string)
+		{
+		# do something ...
+		}
+
+	const tcp_content_orig_handlers: table[port] of
+		tcp_content_handler_func = {} &redef &default =
+			default_tcp_content_handler;
+
+  Previously, Bro would take the function given with &default as the default
+  function to call when accessing a missing element, rather than a default
+  *value* to directly return. Bro now checks the value type against the
+  function type to see if they match in type.
+
+- The new variables forward_remote_events and forward_remote_state_changes
+  specify whether to broadcast events/state received from one peer to other
+  peers (Robin Sommer).  Both default to F.  Note, these options are temporary;
+  they will disappear when we add a more sophisticated script-level
+  communication framework. 
+
+- Vectors can now be initialized using the syntax such as
+
+	global foo: vector of string = ["foo","bar"];
+
+  (Robin Sommer).
+
+- Bug fixes for &synchronize'ing vectors (Robin Sommer).
+
+- The internal implementation of strings in the policy language has
+  been heavily revamped (Christian Kreibich).
+
+- String built-in functions are now in strings.bif rather than bro.bif
+  (Christian Kreibich).  This includes two new built-ins:
+
+	str_split(s: string, idx: index_vec): string_vec
+	strstr(big: string, little: string): count
+
+  string_vec is a new policy script type that is an alias for
+  "vector of string".
+
+- The new options --load-seeds <file> and --save-seeds <file> let you
+  record Bro's seeds to a file and then re-use these seeds in a later
+  invocation (Christian Kreibich). The primary intended usage is to
+  provide determinism in hash table iterations etc. for debugging purposes.
+
+- Communication protocol changes (Robin Sommer):
+
+  * Internal PING/PONG messages to measure round-trip times.  The new script
+    remote-ping.bro issues PINGs every second and logs to remote.log.
+
+  * Optional data compression if libz is available.  Remote::Peer$compression
+    specifies compression level, with no compression being the default.
+
+  * Inter-Bro communication is now performed in four explicit phases:
+
+    //  Setup:
+    //      Initial phase.
+    //      VERSION messages must be exchanged.
+    //      Ends when both peers have sent VERSION.
+    //  Handshake:
+    //      REQUEST_EVENTS/REQUEST_SYNC/CAPTURE_FILTER/CAPS/selected SERIALs 
+    //        may be exchanged.
+    //      Phase ends when both peers have sent PHASE_DONE.
+    //  State synchronization:
+    //      Entered iff at least one of the peers has sent REQUEST_SYNC.    
+    //      The peer with the smallest runtime (incl. in VERSION msg) sends
+    //        SERIAL messages comprising all of its state.
+    //      Phase ends when peer sends another PHASE_DONE.
+    //  Running:
+    //      Peers exchange SERIAL (and PING/PONG) messages.
+    //      Phase ends with connection tear-down by one of the peers.
+
+  * Serializing network packets includes textual tags for identification.
+
+  * Serializing files includes the state of buffering.
+
+- Pending events for remote peers are now flushed when Bro terminates,
+  and the net_done event is *not* propagated to peers (Robin Sommer).
+
+- Makefile.am cleanups (Christian Kreibich).
+
+- libpcap portability fix for OpenBSD (Gordon Willem Klok).
+
+- Performance bug fix for SMTP relay detection (Vern Paxson).
+
+- sprintf -> snprintf tweak (Vern Paxson).
+
+- Bug fix for serializer regular-expression matchers (Robin Sommer).
+
+- Some fixes for access to uninitialized variables/state (Christian Kreibich
+  and Vern Paxson).
+
+- More informative messages for some internal errors (Christian Kreibich).
+
+- Bug fixes for implementation of vectors (Christian Kreibich).
+
+- Fixes for FreeBSD 5 installs (Jason Lee).
+
+- gcc 4.0 compatibility (Christian Kreibich).
+
+- Bug fix for correctly propagating libpcap failures (Chema Gonzalez).
+
+- Bug fixes for prefix-preserving IP address anonymization (Chema Gonzalez).
+
+- The MIME analyzer in mime.bro is now in "module MIME" (Vern Paxson).
+
+- Bug fix for the IRC backdoor detector (Scott Campbell).
+
+- The capture filter used for NFS traffic now includes UDP fragments,
+  since NFS UDP traffic is often fragmented (Ruoming Pang).
+
+- New internal mechanisms to suspend/resume processing to enable a Bro
+  receiving synchronized state to put its own packet processing on hold
+  (Robin Sommer).
+
+- A bug with the serialization cache not being used for modified objects
+  has been fixed (Robin Sommer).
+
+- A number of enhancements to inter-Bro communication performance and error
+  handling improved (Robin Sommer).
+
+- Internal restructuring to fix problems with dispatching packets when
+  using the packet sorter (Ruoming Pang).
+
+- Christian Kreibich has contributed a number of fixes for code flaws
+  such as potentially unsafe library calls.
+
+
+0.9a10 Tue Sep  6 10:41:53 PDT 2005
+
+- Fixes for portability to 64-bit architectures (Christian Kreibich).
+
+- Bug fix for broken syslog'ing of alarms (Scott Campbell).
+
+- The manual has been updated to clarify that aggregate values in events
+  are passed as shallow copies, so that modifications to elements of the
+  values after posting the event but before it's handled will be visible
+  to the handlers for the events (Christian Kreibich).
+
+- HTTP logging now includes the host from the Host header in the request
+  (Craig Leres).  Note, currenty this only is done when using http-reply.bro,
+  not if you only analyze requests.
+
+- You can now specify a passphrase for the SSL cert used for inter-Bro
+  communication by redef'ing the variaable "ssl_passphrase" (Christian
+  Kreibich).  Leaving it unchanged causes the passphrase to be read
+  interactively.
+
+- Certificates created using ca-issue now have 2-year lifetimes rather
+  than the default of 30 days (Christian Kreibich).
+
+- A problem with handshaking between Bro peers has been fixed (Christian
+  Kreibich).
+
+- A bug has been fixed in scanning false positives due to backscatter
+  in the form of SYN ACKs (Vern Paxson).
+
+- Alerts sent via email now use a From address configured from bro.cfg
+  (Randy Mcclelland-Bane).  Also, if sending an alert via gpg fails,
+  it's sent instead as plaintext.
+
+- Scan notices now include information about the connection that
+  triggered the scan detection decision (Vern Paxson).
+
+- Exported some TRW variables so the user can adjust their associated
+  timers (Vern Paxson).
+
+- The new script variable dns_max_queries sets a maximum on the number of
+  queries that can appear in a DNS request (Scott Campbell & Vern Paxson).
+  If more queries appear, the request is treated as non-DNS traffic and
+  ignored.  The variable defaults to a value of 5.  Setting it to 0 turns
+  off this functionality, so Bro processes all apparent requests.
+
+- The "weird" messages generated by the DNS analyzer now have a more
+  regular naming structure and processing (Scott Campbell and Vern Paxson).
+
+- Tweaked bif_arg.cc to pass gcc4.0 and bro.bif to not collide with
+  uuid in OSX 10.4 (Jason Lee).  Now works on OSX 10.4, though use
+  --disable-localpcap when compiling.
+
+- Bro now compiles cleanly under OpenBSD (Jason Lee).
+
+- NOTE: the connection compressor has a known serious bug and should
+  not be used at present.  Since it is an experimental feature, fixing it
+  is deferred to the next release.
+
+- Some bugs fixed in the management of hash keys when using the
+  connection compressor (Robin Sommer).
+
+- Tweak for the connection compressor to generate truncated_header weird's
+  (Robin Sommer).
+
+- Temporary bug fix for type clash in SSL version numbers (Vern Paxson)
+  by making them consistently of type int.  The correct fix is probably
+  for them to be consistently of type count, depending on how Bro's notion
+  of general version processing, and its SSL analyzer, both evolve.
+
+- Bug fix for trace rewriting failing if Bro was not compiled to check
+  assertions (Martin Casado).
+
+- Fixed logic bug in signal handling regarding whether we're currently
+  idle waiting for input vs. processing a packet or the event queue
+  (Vern Paxson).  Note, this change has not been heavily tested.
+
+- Some bug fixes for correct operation when DNS names fail to resolve
+  (Vern Paxson).  It's not clear that these fixes are complete, however.
+
+- Fixed to not compile libpcap when --disable-localpcap is given to configure
+  (Jason Lee).
+
+- Fixed configuration of local pcap for IPv6 if --enable-brov6 is specified
+  (Jason Lee).
+
+- A problem with "make install" when building from the libpcap included
+  in the sources has been fixed (Christian Kreibich).
+
+
+0.9a9 Thu May 19 23:31:33 PDT 2005
+
+- First cut at analyzer for NFS (Vern Paxson).  It generates the following
+  events:
+	event nfs_request_null(n: connection)
+	event nfs_request_getattr(n: connection, fh: string, attrs: nfs3_attrs)
+	event nfs_request_lookup(n: connection, req: nfs3_lookup_args,
+				rep: nfs3_lookup_reply)
+	event nfs_request_fsstat(n: connection, root_fh: string,
+				stat: nfs3_fsstat)
+	event nfs_attempt_null(n: connection, status: count)
+	event nfs_attempt_getattr(n: connection, status: count, fh: string)
+	event nfs_attempt_lookup(n: connection, status: count,
+				req: nfs3_lookup_args,
+				dir_attrs: nfs3_opt_attrs)
+	event nfs_attempt_fsstat(n: connection, status: count,
+				root_fh: string, obj_attrs: nfs3_opt_attrs)
+
+- The new script OS-fingerprint.bro integrates Bro's new passive OS
+  fingerprinting mechanism with the software.bro framework (Vern Paxson).
+
+- You can now operate on patterns using && and || (Vern Paxson).
+  If p1 and p2 are patterns, then p1 && p2 yields a pattern that matches
+  their concatenation and p1 || p2 yields a pattern that matches either.
+  Note that the syntax for this may change in the future to a single '&'
+  or '|', which would be more consistent with the use of '|' in
+  constructing pattern constants.
+
+- An experimental "connection compressor" tracks not-yet-established
+  connections using much less memory than Bro normally does (Robin Sommer).
+  This is potentially a major win during flooding attacks and high-speed
+  scans.  You activate it by setting use_connection_compressor to T.  You
+  can then control the granularity of its processing using the variables
+  cc_handle_resets, cc_handle_only_syns, and cc_instantiate_on_data.  See
+  bro.init for brief discussion of these.
+
+- The experimental new script firewall.bro supports firewall-rule-like
+  processing of connections in terms of allow/deny (Robin Sommer).  It is
+  not particularly efficient.
+
+- sensor-sshd.bro provides an experimental interface for receiving
+  events from instrumented SSH servers that communicate with Bro via
+  the Broccoli client library (Christian Kreibich and Robin Sommer).
+  Supporting this also entailed extensions to login.bro so it can
+  process the events even though they don't correspond to a connection
+  known to Bro's event engine.
+
+- The new built-in function match_signatures() can be used in a policy
+  script to send text directly into the signature engine (Robin Sommer).
+
+- Correction: the 0.9a8 CHANGES states that the mail_script variable used
+  for NOTICE_EMAIL defaults to mail_script.sh.  The correct value is instead
+  "mail_notice.sh".
+
+- The scripts rsh.bro and passwords.bro, and the passive-fingerprinting
+  signatures policy/sigs/p0fsyn.osf were inadvertantly left out of the
+  0.9a8 distribution.
+
+- Added s2b (snort to bro) files into the distribution. (Jason Lee)
+
+- Non-blocking packet capture under Linux has been fixed (Robin Sommer).
+
+- Fixed printing of DNS replies, which used to work but was broken
+  a number of months ago (Vern Paxson).
+
+- The new script brolite-sigs separates out how signatures are configured
+  in Bro Lite so the functionality can be enabled/disabled with a simple
+  load statement (Roger Winslow).  That is, to use signatures with Bro
+  lite, simply add "@load brolite-sigs".
+
+- The new script variable enable_syslog (default T) controls whether
+  alarm's are syslog'd (Robin Sommer).  As before, syslogs can only happen
+  when Bro is reading from live network traffic (this should be changed
+  at some point, to accommodate real-time Bro's that don't read the network
+  but collect events from other sensors).  Previously, in that case syslog's
+  always happened; now, you can turn them off using this variable.
+
+- The new script variable expensive_profiling_multiple controls how
+  often, when doing profiling, to perform more expensive forms of
+  profiling, in particular, memory consumption profiling (Robin Sommer).
+  If profiling_interval is set to 15 sec and expensive_profiling_multiple
+  is set to 20, then expensive profiling will be done every 5 minutes
+  (these are the defaults now in profiling.bro).  Also, the profiling_update
+  event now includes a second argument, expensive: bool, which indicates
+  whether the update corresponds to one of these expensive profiling
+  intervals.
+
+- First cut at parsing DNS AAAA replies (Scott Campbell).  This is quite
+  incomplete - currently, the replies are turned into fake A record replies,
+  due to the difficulty of dealing with IPv6 addresses if Bro wasn't built
+  to analyze IPv6 traffic.
+
+- software.bro has been tweaked to have a new control variable,
+  "only_report_local" (default F).  If true, then only software versions
+  for local addresses (as determined by is_local_addr()) will be
+  reported.
+
+- synflood.bro now has a script variable max_sources (default 100) that
+  specifies the maximum number of sources to track for a given victim
+  (Robin Sommer).
+
+- Remote peers now negotiate their versions of the serialization format
+  (Robin Sommer). If they don't agree then the connection is terminated.
+
+- Generic UDP request/response processing has been moved into the new
+  policy script udp-common.bro, which, unlike udp.bro, does *not* set the
+  packet filter to capture all UDP traffic (Robin Sommer).  A number
+  of UDP-based policy scripts have been modified to use udp-common.bro
+  rather than udp.bro.
+
+- When printing serialized/independent state, access times are now
+  again included (Robin Sommer).
+
+- Bro's implementation of timers has been switched (reverted) to using
+  priority queues (Vern Paxson).
+
+- The http-request.bro script variables skip_remote_sensitive_URIs and
+  const sensitive_post_URIs are now exported so they can be accessed
+  externally (Robin Sommer).
+
+- Some new rootkit filenames have been added to ftp.bro and
+  http-request.bro (Brian Tierney).  The plan is to eventually
+  merge these lists so there's only one main list.
+
+- trw.bro is now scoped as a module "TRW" (Brian Tierney).
+
+- Better support of the '--disable-localpcap' flag to configure, and
+  consolidated all the pcap checks in configure.in (Jason Lee).
+
+- A bug in processing bare carriage-returns in Telnet input/output
+  has been fixed (Vern Paxson).
+
+- The Bro Lite bro.rc script has been tweaked to use the 'ax' flags
+  instead of '-ax' (Jason Lee).
+
+- A bug with reporting ICMP "ports" (i.e., type + code) has been fixed
+  (Vern Paxson).
+
+- Bug fix for excessively large RPC messages (Ruoming Pang).
+
+- A bug with /0 subnet prefixes has been fixed (Robin Sommer).
+
+- The function record_connection() now takes the file to write to
+  as its first argument (Robin Sommer).
+
+- remote.bro now tracks whether a given Destination is connected
+  (Robin Sommer).
+
+- mail_notice.sh is now installed as part of installing a distribution
+  (Jason Lee).
+
+- Fixed bug where the sort order for the test suite changed depending
+  on locale. (Jason Lee)
+
+- Bug fix for email_notice() when notice_action_filters not defined for
+  given notice (Vern Paxson).
+
+- The test suite test for rare-events fixed to not give false positives
+  (Jason Lee).
+
+- Date added for 0.9a8 release.
+
+
+0.9a8 Wed Feb 16 17:09:34 PST 2005
+
+- aux/rst/ contains the source for the "rst" tool used by Bro (via the
+  policy script function terminate_connection() in conn.bro) to tear
+  down established connections by forging RST packets.
+
+- Bro's main event loop has been reworked (Robin Sommer).  This should
+  (1) not cause any visible differences in most cases, (2) improve
+  performance in some cases, (3) fixed problems running Bro without
+  a network input (but still receiving asynchronous input from remote
+  event sources).  There are some more changes coming to this soon.
+
+- Passive OS fingerprinting has been added, based on Michal Zalewski's
+  "p0f" tool (Holger Dreger).  Currently, it's limited to fingerprinting
+  clients based on the initial SYNs they send.  To use it, define
+  an event handler:
+
+	OS_version_found(c: connection, host: addr, OS: OS_version)
+
+  OS_version is a record containing a string $genre (e.g., "Solaris"),
+  a string $detail (e.g., "2.0.27"), a count $dist (hop-count distance
+  from monitor to host), and $match_type, which specifies via an
+  enumerated type whether the match was direct from a signature,
+  generic to the genre, or "fuzzy".
+
+  The match is done against a passive fingerprinting signature file,
+  which is specified by the variable passive_fingerprint_file.
+  It defaults to "sigs/p0fsyn", which is found using $BROPATH
+  and has an "osf" suffix added.
+
+  You can restrict the matching to only be performed for hosts from
+  particular subnets by adding those subnets to the variable
+  generate_OS_version_event.  If it's empty (default), then all subnets
+  are analyzed.
+
+  Note, the passive fingerprinting should be integrated with the
+  version-tracking in software.bro, but this hasn't been done yet.
+
+- Support for IPv6 has been repaired and brought up to date.  Note, however,
+  that inter-Bro communication currently only works over IPv4.
+
+- Signature-matching is now off by default in brolite.bro.  If you want
+  to use it, define use_signatures = T prior to @load'ing it.
+
+- Notices are now tied to their corresponding connections (Scott Campbell).
+
+- New backdoor detectors for IRC, SMTP, Gaobot (Scott Campbell).
+
+- Signature matches now have a connection associated with them (Scott Campbell).
+
+- Bro scripts that set initial timers (via "schedule" statements in a
+  bro_init handler) but don't have any source of network input (trace
+  files or live interfaces) now execute in real-time, with network_time
+  set to the current time, rather than having their timers expire immediately.
+
+- Default timeouts have been added to tables in trw.bro and http.bro, which
+  have been found operationally to potentially grow very large (Scott Campbell).
+
+- The new policy script large-conns.bro can be included in order to
+  track the size of TCP connections (each direction is referred to
+  as a "flow") using a secondary packet filter (Chema Gonzalez).
+  This method is completely separate from Bro's usual size accounting,
+  and offers the advantages that it tracks sizes even for connections
+  that don't terminate (or for which Bro misses their establishment)
+  and for connections with sizes > 4 GB.
+
+  The interface is via the function:
+
+	function estimate_flow_size_and_remove(cid: conn_id, orig: bool)
+
+  If $orig=T, then an estimate of the size of the forward (originator)
+  direction is returned.  If $orig=F, then the reverse (responder) direction
+  is returned.  In both cases, what's returned is a "flow_size_est" record,
+  which includes a flag, $have_est, indicating whether there was any
+  estimate formed. If $have_est is T, then the record also includes
+  an estimate in bounded by $lower (lower bound) and $upper (upper bound).
+  The estimate also includes $num_inconsistent, which, if > 0, means that
+  the estimates came from sequence numbers that were inconsistent, and
+  thus something is wrong - perhaps packet drops by the secondary filter).
+  Finally, calling the function causes the flow's record to be deleted.
+
+- An RSH analyzer has been contributed by Manu (ManuX@rstack.org).
+  It generates rsh_request and rsh_reply events, and the following notices:
+
+	  DifferentRSH_Usernames
+		Client and server username differ.
+
+	  FailedRSH_Authentication
+		Attempt to authenticate via RSH failed.
+
+	  InteractiveRSH
+		The RSH session appears to be interactive (multiple
+		lines of user commands).
+
+	  SensitiveRSH_Input
+	  SensitiveRSH_Output
+		RSH client input or server output match input_trouble/
+		full_input_trouble or output_trouble/full_output_trouble.
+
+- The new notice action NOTICE_EMAIL indicates that in addition to
+  logging an alarm, it should also be sent out as email (Scott Campbell).
+  By default, email is only sent if Bro is running on live traffic;
+  you can override this via redef'ing the script variable mail_notification.
+  Mail is sent using the script specified by the mail_script variable
+  (default: "mail_script.sh", which is now included in the distribution,
+  but at present is not installed), which must be in $PATH.  The mail
+  is sent to the username specified in mail_dest (default: the local
+  "bro" user, though you can change this to name@domain).
+
+  Note that specifying email as a separate notice action may change
+  in the future, to instead be an attribute that's associated with
+  other notice actions.  For example, it may make sense to want
+  to specify both NOTICE_ALARM_PER_CONN and NOTICE_EMAIL; currently,
+  however, you can't do this.
+
+- A similar notice action NOTICE_PAGE does the same thing as NOTICE_EMAIL
+  except it send the mail to mail_page_dest (Scott Campbell).
+
+- You can now use the attribute &rotate_size for file objects to
+  specify the maximum file size in bytes (Robin Sommer). If the limit
+  is reached, the file is rotated similiarly as is already done with
+  &rotate (which, for consistency, has been renamed to &rotate_interval).
+
+  For both &rotate_size and &rotate_interval, when they trigger they
+  now generate events (rotate_size and rotate_interval, respectively;
+  each takes the file as the sole argument) rather than invoking
+  &postprocessor, which has been removed.
+
+  There's also a new variable log_rotate_size to set a global size maximum.
+
+  Related to log rotation are the following new built-in functions:
+
+	rotate_file(f: file) closes the file, moves it to a temporary
+	name, and opens a new one. It returns the new "rotate_info"
+	record, which gives the temporary name and the open/close times.
+
+	rotate_file_by_name(s: string): similar, but call by the name
+	of the file rather than a Bro script value.  This is needed
+	because some files are not represented by file objects but need
+	to be rotated nevertheless (most importantly, the tcpdump save
+	file and the dump files for dump_current_packet()). This function
+	rotates the file with the given name.
+
+  Finally, you can load the new policy script rotate-logs.bro to
+  get default behavior of rotating all log files every hour.
+
+- The new "@unload <script>" directive specifies that future @load's of
+  <script> should be skipped.  This is useful for overriding analyzers
+  loaded by scripts that pull in a bunch of analysis.  For example,
+
+	@unload ntp
+	@load mt
+
+  would load all of the "mt" analyzers *except* ntp.bro.
+
+- The new built-in function get_file_name(f: file): string returns
+  the filename associated with a file (John McNicholas).
+
+- The new built-in function get_contents_file(id: conn_id, direction: count)
+  returns the contents file (set using set_contents_file()) for the given
+  direction (John McNicholas).
+
+- The new built-ins time_to_double() and double_to_time() convert between
+  double values and time values (Robin Sommer).  The new built-in floor()
+  returns the floor of a double value; this returned value is also a double.
+  Thus, floor(-3.4) returns -4.0.
+
+- Support for sending packets between Bro's (Robin Sommer).
+
+- Bro now has a geneal mechanism internal for traversing policy scripts
+  (Umesh Shankar).  Various script analyses can be specified using the
+  new -z flag.
+
+  Currently, the one supported form of analysis is "-z notice", which
+  prints all of the different types of notices that the script you've
+  loaded can generate.  For example, "bro -z notice ftp" will generate:
+
+	  Found NOTICE: BackscatterSeen
+	  Found NOTICE: FTP_PrivPort
+	  Found NOTICE: FTP_BadPort
+	  Found NOTICE: PortScan
+	  Found NOTICE: FTP_ExcessiveFilename
+	  Found NOTICE: ScanSummary
+	  Found NOTICE: AddressDropped
+	  Found NOTICE: DroppedPackets
+	  Found NOTICE: SensitiveConnection
+	  Found NOTICE: FTP_UnexpectedConn
+	  Found NOTICE: SSH_Overflow
+	  Found NOTICE: FTP_Sensitive
+	  Found NOTICE: TerminatingConnection
+	  Found NOTICE: PasswordGuessing
+	  Found NOTICE: AddressDropIgnored
+	  Found NOTICE: AddressScan
+
+- The signature rule language now supports an "active" keyword,
+  which can be set to "true" or "false", with the latter turning
+  off the rule (Roger Winslow).  If set to false the signature will
+  not be loaded into the rule matcher, otherwise it is.
+
+- The signature rule language now supports meta data of the form
+  ".MMM<whitespace>XXX", where MMM is arbitrary text which makes up the name
+  of the meta data option and where XXX is arbitrary text up to the end
+  of the current line (Roger Winslow).  The intent is that some forms of
+  meta-data will be regularized/standardized in the future - information
+  such as date modifed, category/class, weighting, etc.  For now, it
+  provides a way to annotate rules with nominally more structure than just
+  using comments (though it is currently treated the same, i.e., everything
+  is ignored).
+
+- The following meta data option names are now reserved: .version, .revision,
+  .version-date, .revision-date, .date-created, .location
+
+- The new enumerated type "transport_proto" is used to specify different
+  types of transport protocols: "tcp", "udp", "icmp", and "unknown_transport".
+  Associated with it are new built-in functions: is_udp_prot(), is_icmp_port(),
+  get_conn_transport_proto, and get_port_transport_proto.  The latter two
+  map a given connection and a given "port" value to their corresponding
+  transport_proto value.
+
+- A bunch of tuning (regular expressions for sensitive login sessions,
+  scan detection thresholds, forbidden/hot usernames and filenames,
+  sensitive URIs, "weird" actions) have been incorporated from
+  operational configurations.
+
+- Serious bugs in managing large numbers of files fixed.
+
+- A serious bug with negative DNS TTL settings (and, more generally,
+  with negative timer values) fixed.
+
+- The traditional connection logging format is no longer supported.
+
+- The SMTP analyzer's state machine processing has been modified to
+  correctly deal with clients that (incorrectly) pipeline their commands
+  (Ruoming Pang).
+
+- A bug fixed in detecting SMTP relays for connections w/o message bodies
+  (Ruoming Pang).
+
+- A bunch of bugs in recording connection summaries for UDP flows
+  have been fixed.
+
+- A new script module, passwords.bro, generates PasswordExposed notices
+  for activity (currently just rlogin/telnet logins) that expose passwords.
+
+- A new script module, file-flush.bro, can be loaded to cause all log
+  files to be flushed every file_flush_interval (default: 10) seconds.
+  This is handy if you like to watch the files in real time.
+
+- Zone transfers now generate a ZoneTransfer notice, unless the host
+  making the request is in DNS::zone_transfers_okay.
+
+- Bro's DNS cache (generated using -P and accessed using -F) is
+  now kept in the .state/ subdirectory rather than in the user's
+  home directory (Roger Winslow).
+
+- Some changes to remote propagation of events/values and detection of
+  state inconsistencies (Robin Sommer).
+
+- A fix for avoiding delays on low-volume links for some systems for
+  which it can take a long time to fill up the pcap buffer, and pcap doesn't
+  return partial buffers (Robin Sommer).
+
+- A bug in table expiration timers has been fixed (Robin Sommer).
+
+- A bug in comparing subnets has been fixed.
+
+- A bug in using a non-constant value for a &write_expire attribute
+  has been fixed.
+
+- A bug in using CONTENTS_BOTH for writing reassembled streams to
+  files has been fixed (John McNicholas).
+
+- A subtle but potentially damaging bug in fragment reassembly has
+  been fixed.
+
+- A bug with using local variables of vector types has been fixed.
+
+- A bug with comparing strings has been fixed.
+
+- Bro no longer generates the RST_with_data "weird", as with modern
+  stacks it's no longer any sort of strange occurrence.
+
+- Related to this, the signature rule matcher no longer matches
+  against the payload of RST packets.  (Note, this is an imcompatibility
+  with Snort.)
+
+- Portmapper mappings are now written in the connection log in
+  alphabetical order.
+
+- The event engine variable frag_timeout now defaults to 5 minutes if you
+  load frag.bro, and is accessed via redef rather than by defining the
+  global directly.
+
+- The interval that signatures.bro waits for until generating a signature
+  summary can now be set using the new script variable sig_summary_interval,
+  and a bug in generating the summaries has been fixed (Robin Sommer).
+
+- The new script peer-status.bro generates periodic "update" events regarding
+  a remote peer's status (Robin Sommer).  These take the form:
+
+	type peer_status: record {
+		res: bro_resources;
+		stats: net_stats;
+		current_time: time;
+		cpu: double;		# average CPU load since last update
+		default_filter: string;	# default capture filter
+	};
+
+- The bro_resources record returned by resource_usage() now includes
+  three additional fields, $version (the version of Bro), $debug
+  (T if Bro was compiled with debugging information), and $start_time
+  (the time Bro began executing - clock time, not network time).
+
+- The new built-in function same_object(o1: any, o2: any): bool
+  returns true if its arguments refer to the same object, false
+  otherwise.  This can be useful for comparing tables, for example
+  in calls to table element expiration functions.
+
+- The new built-in function bro_is_terminating(): bool returns true if
+  Bro is done reading from its network input source(s) and is now
+  in its final termination cleanup (Robin Sommer).
+
+- A new built-in strftime() formats a timestamp, returning a string
+  (Robin Sommer).
+
+- A new built-in file_size() returns the size of the file with a
+  given name (Robin Sommer - note: *not* a Bro file value).
+
+- A potential deadlock with inter-Bro communication has been fixed
+  (Robin Sommer).
+
+- Bro now always forks a copy of itself when executing, as this
+  can save considerable memory when using inter-Bro communication
+  (Robin Sommer).
+
+- The Bro interconnection protocol now includes explicit handshaking
+  during session establishment to mark that a peer is ready (Robin Sommer).
+  Implementing this includes a change in the wire protocol that is
+  incompatible with the protocol used in the past.
+
+- The TCP inactivity timer is now started whenever a connection
+  transitions from a pre-establishment state (including "inactive")
+  to some sort of established state (Robin Sommer).  Prior to this
+  fix, connections for which a proper SYN handshake was not seen would
+  not be timed out as inactive.
+
+- The --disable-openssl configure option has been removed; now
+  the only option is --with-openssl, and --with-openssl=no disables
+  use of OpenSSL (Gregor Maier).
+
+- A bug in invoking &expire_func functions has been fixed (Robin Sommer).
+
+- A bug in logfile rotation has been fixed (Robin Sommer).
+
+- A bug in recognizing negative floating point values has been fixed.
+
+- worm.bro now suppresses the default signature action for worms
+  it knows about, since it generates events for them (Robin Sommer).
+  The list of worms detected via signatures now includes Bagle-BC.
+
+- Signatures for known worms are now skipped when doing signature
+  summaries and scan detection, if worm.bro is loaded (Robin Sommer).
+
+- request_remote_events and request_remote_sync now implicitly
+  do set_accept_state, too.
+
+- Better error handling for SSL connections (Robin Sommer).
+
+- Bug fixed which caused diagnostic messages to be lost when using
+  inter-Bro communication (Robin Sommer).
+
+- gcc 3.4 portability fixes (Brian Lindauer).
+
+- Solaris portability fixes (Robin Sommer).
+
+- The Bro distribution now includes and uses its own version of libpcap
+  for portability reasons (Jason Lee).
+
+- Some minor bug fixes to handling of tcpdump save files (Robin Sommer).
+
+- Detection added for a (now quite old) SSHv1 overflow attack.
+
+- A bug in skipping processing of connections for large chunks of
+  data has been fixed (Chema Gonzalez).
+
+- Some memory leaks fixed (Robin Sommer).
+
+- fmt()'s "%d" format now accepts values of enum types.
+
+
+0.9a7 Mon Nov  1 13:21:05 PST 2004
+
+- New terminology:
+
+	o We've found that the term "log" has been too overloaded,
+	  sometimes meaning "something to record for audit purposes" and
+	  other times meaning "something worthy of getting the operator's
+	  attention right now, for example via syslog".
+
+	  We are now using "log" to only refer to the first of these,
+	  and refer to the second as "alarm".
+
+	o We've found that "alert" (and the ALERT() function, etc) is
+	  likewise confusing.  Some expect it to mean something alarm-worthy
+	  (to use the new name from the previous item), while others
+	  expect it to mean the output from a sensor, which might not
+	  be worth getting the operator's attention.
+
+	  We are now using "notice" to refer to what had previously
+	  been called "alert".  So, for example, rather than call ALERT()
+	  you call NOTICE() to enter something into the I've-seen-something-
+	  maybe-it's-worth-an-alarm framework.  The first field associated
+	  with such a call was $alert, which is now $note.  These notifications
+	  are logged to notice.$BRO_LOG_SUFFIX rather than "alert."...
+
+  These changes show up in many places in the policy scripts.  Some
+  globals log_XXX are now alarm_XXX or notice_XXX.  However, uses of
+  "log" that refer to "something to record for audit purposes" remain
+  using that name.
+
+- Bro now uses the "automake" suite of tools for its configuration
+  (Jason Lee).  This includes major reworking of its Makefile's
+  and configuration/installation scripts.
+
+- Bro now flags event handlers that are never invoked (Umesh Shankar).
+  This catches typos like:
+
+	event bro_initt() { ... }
+
+- The scripts directory now includes scripts for generating nightly
+  reports (Roger Winslow).  Note that these are not presently a supported
+  part of the public Bro distribution, but will become so in the
+  not-too-distant future.
+
+- policy/brolite.bro contains a first version of the "Bro Lite" configuration
+  (Scott Campbell, Roger Winslow, et al).  This also is not presently
+  supported for the public Bro distribution, but will become so.
+
+- Major overhaul of the internal serialization framework (Robin Sommer).
+  Some more changes are forthcoming, though not on this scale.
+
+- Changed packet capture/drop statistics to (1) explicitly track received
+  packets, (2) work better under Linux, (3) report link counts when available
+  (Robin Sommer).  The net_stats record field "interface_drops" has been
+  renamed "pkts_link".  It reports the number of packets captured by the
+  NIC (if available), rather than the number dropped by the NIC (which never
+  actually worked, anyway).
+
+- The DNS analysis has been extended to deal with TSIG and to better deal
+  with EDNS0 records, and its overall structure reworked somewhat
+  (Scott Campbell & Roger Winslow).  The scripts in dns.bro are now
+  inside "module DNS" scope.
+
+- Improved logging of ICMP flows (Scott Campbell).  This includes the
+  addition of a "len" field in icmp_conn.  Some significant additional
+  changes/improvements to ICMP processing will be coming very soon.
+
+- The Bro README and "quick start" documentation has been updated
+  (Brian Tierney and Jim Rothfuss).
+
+- Some significant state-holding problems in the presence of packet filtering
+  or packet drops have been fixed.
+
+- You can now instruct the signature engine to constrain the number of
+  regular expressions it groups together into a single matcher using the
+  new script variable "sig_max_group_size" (Robin Sommer).  This can result
+  in significant memory savings for large sets of signatures.  It can
+  increase the CPU processing required; however, in our testing so far
+  this does not appear to be the case.
+
+- The signature engine now provides better location information in its
+  error messages (Robin Sommer).
+
+- statistics.bro has been renamed profiling.bro.  Along with this change,
+  the following script variables have been renamed:
+
+	do_statistics => do_profiling
+	statistics_file => profiling_file
+	statistics_interval => profiling_interval
+
+- A new script, stats.bro, can be included to generate light-weight
+  running statistics on memory and CPU use.
+
+- A new script, print-sig-states.bro, can be included to generate
+  periodic dumps of signature-matching statistics (Robin Sommer).
+
+- The connect_clear()/connect_ssl() built-ins have been replaced
+  by a single connect() function (Robin Sommer).
+
+- Remote Bro's (more generally, remote event sources) are now represented
+  in policy scripts using the new "event_peer" type rather than as an
+  addr/port pair, and get_event_source() has been renamed get_event_peer()
+  (Robin Sommer).  The new function get_local_event_peer() returns an
+  event_peer corresponding to the local Bro.
+
+- The new script remote-print.bro can be used to print all events
+  received from remote sources (Robin Sommer).
+
+- When you call send_state(), an event finished_send_state() is now
+  generated when all of the state has been sent (Robin Sommer).
+
+- If you define a handler for the new print_hook() event, then it
+  will be invoked every time a "print" statement executes (Robin Sommer).
+
+- The -g flag no longer takes a directory as an argument, but always
+  uses the .state directory (Robin Sommer).
+
+- The new -I flag prints the value of a given identifier and exits
+  (Robin Sommer).  This flag may go away in the future.  For now,
+  its role is that it prints timestamps of things like table elements,
+  which are no longer printed by a regular "print" statement.
+
+- If a connection proceeds as SYN ->, <- RST, RST ->, this is now
+  reported as a regular rejected ("REJ") connection, rather than
+  one reset by the originator ("RSTO").
+
+- The TCP analyzer now attempts to detect connections for which
+  one side's packets are being filtered out.  It does this using
+  two C++ variables (not presently accessible at the script level),
+
+	const int max_initial_window = 4096;
+	const int max_above_hole_without_any_acks = 4096;
+
+  If more than max_initial_window data has been sent by one side and no
+  ACKs have been seen by the other side, then it's assumed that no ACKs
+  will ever show up, and the buffer for the data should be reclaimed
+  immediately after it's reassembled.  max_above_hole_without_any_acks
+  plays a similar role, but for the case when measurement drops have
+  lead to Bro holding data for a sender for which it will never see
+  an ACK (which would be an "ACK above hole"), so it should give up
+  on buffering it.
+
+- A portability bug in Bro's parser code has been fixed (Jason Lee).
+
+- STARTTLS for SMTP now causes the SMTP session to be ignored, rather
+  than generating a slew of error messages because the session becomes
+  unparseable.
+
+- Bro's "watchdog" handler is now less prone to crashing due to
+  using non-reentrant library calls (Jason Lee).
+
+- Better error message when reading an input file encounters an error.
+
+- adtrace now prints its usage when invoked without the required
+  arguments (Jason Lee).
+
+- A bug in using recursive script functions has been fixed.
+
+- A bunch of whitespace/code layout tweaks.
+
+
+0.9a4 Wed Sep  8 17:33:54 PDT 2004
+
+- The directory structure of the Bro distribution has changed (Jason Lee).
+  The source code is now in a subdirectory, src/, and the scripts
+  snort2bro (and snort2bro.cfg) and make-ftp-safe-vocabulary.awk have
+  been moved into scripts/.
+
+- "make install" has been revamped (Jason Lee).
+
+- The format of the alert log file has changed.  Fields in it are
+  colon-separated.  THIS WILL LIKELY CHANGE SOON.
+
+- The policy for formatting signature matches has been revamped,
+  including colon-separated fields in the signature log file
+  (Roger Winslow).  THIS WILL LIKELY CHANGE SOON.
+
+- The BRO_ID environment variable has been renamed BRO_LOG_SUFFIX.
+
+- A new flag, -e, lets you specify Bro code to execute via the command
+  line (Christian Kreibich).  So, for example,
+
+	bro -r mytrace.tcpdump -e 'redef traditional_conn_format = T' tcp 
+
+  will run tcp.bro on the trace "mytrace.tcpdump", but with
+  traditional_conn_format redefined to be true.  Note that statements
+  have an implicit ';' added to them for convenience.
+
+- A new signature alert, "MultipleSigResponders", is generated if a
+  host triggers the same signature on multiple responders.
+
+- Bro now supports "packet profiling", which provides fairly fine-grained
+  statistics on number of packets processed, volume, elapsed real/user/system
+  time, and change in memory consumption (Holger Dreger).  Three variables
+  control the output.  The double pkt_profile_freq controls the frequency
+  of output.  The units in which it's interpreted depends on the setting
+  of the pkt_profile_mode variable (which is of type pkt_profile_modes,
+  an enum).  A value of PKT_PROFILE_MODE_SECS means that statistics
+  are generated every pkt_profile_freq seconds; PKT_PROFILE_MODE_PKTS
+  means every pkt_profile_freq packets; and PKT_PROFILE_MODE_BYTES, every
+  pkt_profile_freq bytes.  The default (PKT_PROFILE_MODE_NONE) means
+  to not generate packet profiling.
+
+  Packet profiling is written to the new log file, pkt_profile_file.
+  If you "@load pkt-profile", you can turn on packet profiling using
+  some handy defaults.
+
+- statistics.bro now reports on how many TCP connections are in
+  <originator-state, responder-state> for the different TCP endpoint
+  states (SYN sent, SYN ack'd, connection established, etc.).
+  Contributed by Holger Dreger.
+
+- tcp_content_delivery_ports_{orig,resp} are now table's of bool rather
+  than set's (Ruoming Pang).  The semantics are that if you have a
+  tcp_contents event handler, then if the orig/resp port is in the given
+  table *and the yield value is T*, then the event will be invoked.  This
+  allows you to now explicitly skip over some ports.
+
+- The processing of default values in tables has been changed internally
+  (Ruoming Pang).  It's possible this has introduced some subtle bugs
+  (as some of these came up during testing).
+
+- A serious bug in Base64 processing has been fixed (Ruoming Pang).
+
+- The NetBIOS and SMB analyzers have been updated in minor ways
+  (Ruoming Pang).
+
+- statistics.bro now reports a "lag" figure indicating the elasped
+  time between the last expired timer's target expiration time and
+  the current packet timestamp (Robin Sommer).  Lag can grow if Bro
+  is getting behind in timer expiration due to the setting of
+  max_timer_expires.
+
+- Bro's default filter is now "tcp or udp or icmp" rather than
+  "tcp or udp".
+
+- alert_info records now have an optional port associated with them
+  (for example, to be used to describe scan activity).
+
+- A bug has been fixed in which deleting a table element with an
+  associated timer could crash Bro (Robin Sommer).
+
+- A bug that would cause a crash for malformed EPASV directives
+  has been fixed (Robin Sommer).
+
+- A bug with inactivity timeouts not being generated for partial
+  connections has been fixed (Robin Sommer).
+
+- A bug in synflood.bro has been fixed (Robin Sommer).
+
+- Some tuning adjustments to incremental expiration of table entries
+  (Robin Sommer).
+
+- Improved portability to Darwin (Christian Kreibich).
+
+- alert_info records now have additional optional fields, "iconn"
+  (associated ICMP connection), "dst" (destination address), and
+  "p" (associated port).  The source_is_responder fields has been
+  removed.
+
+- The default packet filter now includes "icmp".
+
+- Some memory allocation/free mismatches & minor leaks (Robin Sommer).
+
+- Minor tweaks to ssl.bro (Robin Sommer).
+
+- Bro now supports "null" link layers (Christian Kreibich).
+
+- aux/adtrace contains a program that spits out MAC/IP information
+  from traces (Holger Dreger).
+
+- A bug in handling malformed RPCs has been fixed (Scott Campbell).
+
+- The formatting of "weird" messages that have additional parameters
+  has been changed to be more regularized with other "weird" messages.
+
+- The new "weird" type "base64_illegal_encoding" takes the place of
+  some previously unstructured Base64 "weird" errors.
+
+- A tweak to ftp.bro will give it slightly more consistent results 
+  for some forms of unusual traffic.
+
+
+0.9a3 Wed Jul  7 22:06:26 PDT 2004
+
+- Improved ICMP processing, including scan detection (Scott Campbell).
+
+- ICMP "connections" are now considered unidirectional.
+
+- Fixed broken VLAN support (integration of original patch was incomplete).
+
+- Fixed a bug in erroneously generating additional "ContentGap"
+  alerts after an initial one.
+
+- Connection durations are now always reported as floating-point decimal,
+  never in exponential notation.
+
+- Removed unused time parameter from a bunch of internal calls.
+
+- Fixed some compilation warnings.
+
+- "make clean" now removes generated policy/*.bif.bro files (Christian
+  Kreibich).
+
+
+0.9a2 Fri Jun 11 00:07:04 PDT 2004
+
+- NetBIOS analysis has been extended with a CIFS/SMB analyzer (Ruoming Pang).
+  While this is incomplete, it has many important elements.  The corresponding
+  events:
+
+	smb_message(c: connection, is_orig: bool, cmd: string, msg: string)
+	smb_com_tree_connect_andx(c: connection, path: string, service: string)
+	smb_com_nt_create_andx(c: connection, name: string)
+	smb_com_transaction(c: connection, is_orig: bool, subcmd: count,
+				name: string, data: string)
+	smb_com_transaction2(c: connection, is_orig: bool, subcmd: count,
+				name: string, data: string)
+	smb_com_read_andx(c: connection, is_orig: bool, data: string)
+	smb_com_write_andx(c: connection, is_orig: bool, data: string)
+
+  This analyzer is still experimental.
+
+- Greater support for vectors (Umesh Shankar), much of it taken from
+  the 'S' language.
+
+  You can use a boolean vector as an index into another vector (providing
+  both are the same length) and each 'T' value in the index extracts the
+  corresponding element from the indexed vector.  For example, "x[x > 3]"
+  returns a vector whose elements are those elements of x that are greater
+  than, while if y is a vector of the same length as x then "y[x > 3]"
+  extracts those elements of y that have the same position as the elements
+  in x that are greater than 3.
+
+  You can also use an arithmetic vector to index another vector.  Each
+  element present in the index is extracted.  So, for example:
+
+	global a: vector of count;
+	global b: vector of string;
+
+	a[1] = 3;
+	a[2] = 3;
+	a[3] = 1;
+
+	b[1] = "foo";
+	b[2] = "bar";
+	b[3] = "bletch";
+
+	print b[a];
+
+  prints:
+
+	[bletch, bletch, foo]
+
+- The new built-ins any_set() and all_set() return true if for a given
+  boolean vector any element is true or all of the elements is true
+  (Umesh Shankar).  So, for example, "any_set(x < 0)" returns T if 
+  an element of x is less than zero.
+
+- The new built-in sort() takes a vector as an argument and sorts it
+  *in place* (Umesh Shankar).  (The in-place semantics may change in the
+  future.)  An optional second argument can be used to specify a
+  function to call for comparing elements, and is required for non-arithmetic
+  vectors.  For example, the following could be used to sort a vector
+  of strings based solely on the length of the strings:
+
+	function string_compare(a : string, b: string): int
+		{
+		local la = byte_len(a);
+		local lb = byte_len(b);
+
+		return (la < lb) ? -1 : ((lb > la) ? 1 : 0);
+		}
+
+- The new function order() has the same calling sequence as sort(),
+  but instead of returning (and altering in place) the sorted vector,
+  it returns a "vector of count" giving the *indices* that if used
+  to index the vector will return it sorted.  So, for example,
+  given two vectors x and y of the same length (but not necessarily
+  of the same type),
+
+	local x_sort_indices = order(x);
+	x = x[x_sort_indices];
+	y = y[x_sort_indices];
+
+  will assign x to a sorted version of itself and also rearrange y such
+  that elements of y that were paired with elements of x originally
+  remain paired after the sorting.
+
+- The ICMP analyzer now has a general notion of "context", i.e., the packet
+  associated with ICMP status messages such as Unreachable or Time Exceeded
+  (Ruoming Pang).  This changes the parameters to the icmp_unreachable
+  event.  A new event, icmp_time_exceed, is now also available.
+
+- The tcp_segment even has been replaced by a pair of new events (Ruoming Pang):
+
+	tcp_packet(c: connection, is_orig: bool, flags: string, seq: count,
+			ack: count, len: count, payload: string)
+
+  is invoked for each TCP packet.  "flags" is a string containing "SFAPU"
+  for the SYN/FIN/etc TCP flags.
+
+	  tcp_contents(c: connection, is_orig: bool, seq: count,
+			contents: string)
+
+  is invoked for each chunk of the byte-stream that has been reassembled
+  in sequence, providing it satisfies tcp_content_delivery_ports_{orig,resp},
+  per the next item.
+
+- You can specify the set of ports for which contents should be reassembled
+  for the originator (responder, respectively) stream using the new sets
+  tcp_content_delivery_ports_{orig,resp} (Ruoming Pang).  This can be
+  useful for user-level stream analysis for protocols not known to Bro's
+  event engine.  These controls may change to a "table of bool" in the future,
+  in order to support an &default attribute.
+
+- New built-in functions (Ruoming Pang):
+
+	function interval_to_double(i: interval): double
+		Converts a value of type "interval" to "double".
+
+	function write_file(f: file, data: string): bool
+		Writes the given string to the given file, returning
+		F on error.
+
+	function is_ascii(str: string): bool
+		Returns T if the given string consists entirely of
+		ASCII characters (i.e., in the range 0..127).
+
+	function sqrt(x: double): double
+		Returns the square-root of x, or -1 and a run-time error
+		if x is < 0.
+
+	function uuid_to_string(uuid: string): string
+		Takes a UUID and returns its string representation, where
+		UUID = Universal Unique Identifier as defined per
+		http://www.opengroup.org/onlinepubs/9629399/apdxa.htm#tagcjh_20
+
+	function string_to_ascii_hex(s: string): string
+		Returns the ASCII hex representation of the given string.
+		For example, string_to_ascii_hex("foo") returns "666f6f".
+
+	function match_pattern(s: string, p:pattern): pattern_match_result
+		Matches the given pattern against the given string, returning
+		a record with three fields:
+
+			matched: bool;	# T if a match was found, F otherwise
+			str: string;	# portion of string that first matched
+			off: count;	# 1-based offset where match starts
+
+		For example,
+			match_pattern("foobar", /o*[a-k]/)
+		returns
+			[matched=T, str=f, off=1]
+		because the *first* match is for zero o's followed by an [a-k],
+		while
+			match_pattern("foobar", /o+[a-k]/)
+		returns
+			[matched=T, str=oob, off=2]
+
+- Functions that terminate without returning a value when they were declared
+  to do so now generate a run-time warning (Christian Kreibich).  Functions
+  in the standard set of policy scripts that did this have been fixed.
+
+- The new event non_dns_request(c: connection, msg: string) is generate
+  to make the contents of malformed DNS requests available for analysis,
+  with the assumption that these are actually some other protocol entirely
+  (Ruoming Pang).
+
+- If you redef truncate_http_URI to have a value >= 0, then any HTTP
+  URIs generated by the event engine will be truncated to this length
+  (Ruoming Pang).  This can be convenient when analyzing traffic that
+  generates huge URIs (as do some automated attacks).
+
+- "SEARCH" is now recognized as a standard HTTP method (Ruoming Pang).
+
+- The new event connection_EOF(c: connection, is_orig: bool) is generated
+  when one side of a connection closes (Ruoming Pang).
+
+- synflood.bro and the corresponding event engine internals now works
+  in terms of probabilities (0.0-1.0) instead of percentages (0-100)
+  (Robin Sommer).  The script has had several tweaks, including using
+  new_connection() rather than connection_attempt(), which gives it
+  quicker response and broader coverage (it'll detect non-TCP flooding,
+  too, so "synflood" is now a bit of a misnomer), at the cost of perhaps
+  more CPU load.
+
+- A signature for Witty has been added to policy/sigs/worm.sig (Ruoming Pang).
+
+- Makefile now has a "test" target.  Currently this only works for internal
+  development (we haven't put together a public test suite yet; that will
+  take some time due to the need to make sure no sensitive information leaks).
+
+- The built-in function generator now knows about "double" as a built-in type
+  (Ruoming Pang).
+
+- Some generated files have been removed from the Bro distribution since
+  they're redundant (Ruoming Pang).
+
+- A bug has been fixed in which contents files might not be correctly
+  written upon termination of Bro (Ruoming Pang).
+
+- A bug has been fixed in which UDP connections didn't generate
+  new_connection events (Ruoming Pang).
+
+- Support for the Linux "cooked capture" link layer (Ruoming Pang).
+
+- BPF support has been factored into a separate class, BPF_Program, which
+  makes for easier portability (Christian Kreibich).
+
+- A serious low-level Dictionary bug has been fixed (Christian Kreibich).
+
+- A bug that could cause Bro to crash if it receives an event from another
+  Bro that it isn't able to process has been fixed (Christian Kreibich).
+
+- A bug in set file descriptors non-blocking has been fixed
+  (Christian Kreibich).
+
+- A bug that could cause some error messages to generate crashes has
+  been fixed.
+
+- The global skip_event_tcp_option has been removed.
+
+
+0.9a1 Mon Jun  7 01:33:00 PDT 2004
+
+- 0.8a85 is the new STABLE release, to be updated only for bug (and
+  portability) fixes.  0.9a1 is the new CURRENT release, which will have
+  both bug fixes and new functionality.
+
+- Support for FTP EPRT, EPSV (Holger Dreger).
+
+- Change to timer management to recover memory more quickly (Robin Sommer).
+
+- Tweaks to eliminate a number of compiler warnings (Robin Sommer).
+
+- Statistics now report number of connections terminated due
+  to inactivity (Robin Sommer).
+
+- New Makefile target, pub-tar-no-doc builds a public tarball but
+  without the (large) doc/ subdirectory.
+
+- Bug fix for identd requests with illegal port numbers.
+
+- The example of a scanning source to skip in scan.bro has been changed
+  from an AltaVista robot (now obsolete) to a Google robot.
+
+- Some previously fatal internal errors have now been turned into
+  "internal warnings", which Bro is able to continue operating
+  in their presence.
+
+
+0.8a84 Wed May 26 23:33:39 PDT 2004
+
+- autoconf tweaks for portability to Darwin (Christian Kreibich).
+
+- Fixed subtle bug in chunked-IO reads (Christian Kreibich).
+
+- Fixed bug for the "discarder" framework in which specifying an
+  IP discarder would cause other TCP/UDP/ICMP discarders not being
+  invoked (Christian Kreibich).
+
+- Fatal bug in signature matching fixed (Robin Sommer).
+
+- Missing member variable initialization fixed (Robin Sommer).  (Needed for
+  compilation with new versions of gcc.)
+
+- Makefile bug for "make install" fixed.
+
+- Fixed bug that could lead to Bro crashing if an SMTP session
+  had data sent after a RST.
+
+- Removed some out-of-date SMTP analysis warning messages.
+
+
+0.8a82 Tue Apr 27 11:53:24 PDT 2004
+
+- Fixed inactivity timer loop when a packet arrives exactly when
+  the timer is set to expire.
+
+
+0.8a81 Mon Apr 26 22:46:37 PDT 2004
+
+- A bunch of memory leaks fixed (Chema Gonzalez).
+
+- A new HTTP analyzer variable, content_truncation_limit, controls
+  how much of an HTTP request/reply contents element (i.e., what's
+  passed to http_entity_data - this is *not* the entire content, but
+  the next chunk's worth) is logged in the log file.  It defaults
+  to 40 bytes.  Setting it to 0 means "log all of it".
+
+- Fix to avoid crashing for malformed RPC requests.
+
+- Improved OpenSSL auto-configuration (Robin Sommer).
+
+- Fix for compiling without OpenSSL.
+
+- A new built-in, double_to_count(), converts a value of type "double"
+  to the corresponding "count" (Chema Gonzalez).  We should probably
+  add floor(), ceil(), etc.
+
+- Parameterization of trw.bro tweaked (Jaeyeon Jung).
+
+
+0.8a79 Wed Mar 24 22:02:53 PST 2004
+
+- Bro now has an SSL analyzer, written by Michael Kuhn and Benedikt Ostermaier,
+  with further development by Scott Campbell.  It generates the following
+  events:
+
+	event process_X509_extensions(c: connection, ex: X509_extension)
+	event ssl_X509_error(c: connection, err: int, err_string: string)
+	event ssl_certificate(c: connection, cert: X509, is_server: bool)
+	event ssl_certificate_seen(c: connection, is_server: bool)
+	event ssl_conn_alert(c: connection, version: count, level: count,
+				description: count)
+	event ssl_conn_attempt(c: connection, version: int)
+	event ssl_conn_established(c: connection, version: int,
+				cipher_suite: count)
+	event ssl_conn_reused(c: connection, session_id: sessionID)
+	event ssl_conn_server_reply(c: connection, version: int)
+	event ssl_conn_weak(name: string, c: connection)
+	event ssl_session_insertion(c: connection, id: sessionID)
+
+  Note, it still has a lot of rough edges; particularly, handling
+  non-conformant input.  It also generates unnecessary ContentGap alerts
+  due to the way it runs multiple analyzers (SSLv2 and SSLv3) on a single
+  connection.  This will be fixed in the fairly near-term future.
+
+- The manual has been updated with chapters on signatures (Robin Sommer)
+  and using the interactive debugger (Umesh Shankar), along with a partial
+  description of the new SSL analyzer (Michael Kuhn and Benedikt Ostermaier)
+  and a number of updates to the documentation of built-in functions (Umesh
+  Shankar), though this latter is still not complete since Umesh actually
+  contributed this quite a while ago.
+
+- Ruoming Pang has contributed a crude analyzer for DCE/RPC (used for Windows).
+  It generates simple dce_rpc_request and dce_rpc_reply events.  It should
+  not be considered stable.
+
+- The traditional connection logging format (traditional_conn_format)
+  is no longer the default.  The 0.8a70 release notes stated that this
+  was the case but this time it really is :-).
+
+- An experimental "vector" type has been added (Umesh Shankar).  A vector
+  is an aggregate type.  For example:
+
+	local suspect_hosts: vector of addr;
+
+  You can randomly access elements starting with the first as 1, e.g.,
+
+	suspect_hosts[1] = 10.0.0.8;
+
+  and can also add elements at later postions even if there are gaps:
+
+	suspect_hosts[31337] = 10.0.0.9;
+
+  *The semantics and capabilities of vectors will be changing considerably.*
+
+- Umesh Shankar has developed a framework for generating IDMEF messages.
+  Currently it needs a modified version of libidmef, which is not included
+  in this distribution.  Contact me or Umesh if you want a copy.
+
+- A new attribute &synchronized causes the given global variable to
+  be *synchronized* across concurrent instances of Bro (which are
+  intercommunicating via remote.bro).  Any change made by one of them
+  to the variable will be reflected (soon after) in the copy at
+  the others.  A new event remote_state_inconsistency is generated
+  if two instances both change the value before they're synchronized.
+  (Contributed by Robin Sommer.)
+
+- trw.bro implements a new scan detection algorithm, Threshold Random Walk
+  (Jaeyeon Jung).  It's described in an upcoming IEEE S&P symposium paper.
+  The analyzer generates two events:
+
+	TRWAddressScan, # source flagged as scanner by TRW algorithm
+	TRWScanSummary, # summary of scanning activities reported by TRW
+
+  TRW is generally much more sensitive than Bro's regular detection algorithm.
+
+- vlan.bro provides support for VLAN encapsulation.  More generally, Bro
+  now has support for any sort of constant-offset encapsulation (Vinod
+  Yegneswaran).  You specify the header size by redef'ing encap_hdr_size.
+  You can also redef tunnel_port to be a UDP port which Bro treats as being
+  the encapsulation (in the packet stream - not addressed to it) rather
+  than all traffic.
+
+- If you turn on statistics (i.e., via @load statistics) and also redef
+  segment_profiling to T, then Bro will generate to the statistics file
+  a trace of its "segment" processing.  A segment is a unit of internal
+  execution.  Profiles look like:
+
+	1058517499.615430 segment-processing-packet dt=0.000013 dmem=0
+	1058517499.615430 segment-draining-events dt=0.000012 dmem=0
+	1058517499.615671 segment-expiring-timers dt=0.000010 dmem=0
+	1058517499.615671 segment-processing-packet dt=0.000010 dmem=0
+	1058517499.615671 segment-draining-events dt=0.000012 dmem=0
+	1058517499.615671 segment-policy/conn.bro:282 dt=0.000011 dmem=0
+	1058517499.615671 segment-policy/conn.bro:253 dt=0.000012 dmem=0
+
+  The first line states that at the given (packet) timestamp, the event
+  engine processed a packet, taking 13 usec of CPU time to do so, and
+  not consuming any memory (from the kernel's perspective; this is *not*
+  fine-grained memory consumption).  The next lines indicate 12 usec were
+  spent draining events and 10 usec expiring timers.  The last two lines
+  indicate that the functions at lines 282 and 253 in conn.bro were
+  executed, requiring 11 usec and 12 usec, respectively.
+
+  Note #1: timings are just what rusage() reports, so not necessarily
+  very accurate for small times.
+
+  Note #2: there's a bug in tracking function line numbers that hasn't
+  been ferreted out yet, so they're only roughly correct.
+
+- The inactivity_timeout global has been split into tcp_inactivity_timeout/
+  udp_inactivity_timeout/icmp_inactivity_timeout (Robin Sommer).  Using
+  this, the default inactivity timeouts for UDP and ICMP have been changed
+  from "no timeout" to 10 seconds.  This is needed because otherwise
+  analyzing a stream of UDP or ICMP traffic generally gobbles up memory
+  quickly and never recovers it; and there's seems little point in trying
+  to consolidate long-lived-but-often-inactive UDP/ICMP streams.
+
+- The new policy script cpu-adapt.bro is an extension to load-levels.bro
+  (see CHANGES for 0.8a37 below) to adapt the packet filter based on the
+  current CPU load. If the load is below cpu_lower_limit (default 40%),
+  the load-level is decreased.  If it's above cpu_upper_limit (default
+  90%), it's increased.  (Robin Sommer)
+ 
+- The new policy script hand-over.bro can be used for a new running
+  instance of Bro to smoothly take over operation from an old instance,
+  i.e., it implements hand-over of state between two Bro instances when
+  checkpointing (Robin Sommer). First, all persistent data (i.e. variables
+  declared &persistent and connections for which make_connection_persistent()
+  has been called) is transferred from the old instance to the new instance.
+  Then the old instance terminates itself and the new one starts processing.
+
+  The host from which we want to take over the state has to be added to
+  remote_peers_clear (or remote_peers_ssl), setting hand_over to T. The
+  host which is allowed to perform a hand-over with us has to be added
+  with a port of 0/tcp and hand_over=T. An example for a handover between
+  two instances on the same machine:
+
+  @load hand-over
+  redef remote_peers_clear += {
+        [127.0.0.1, 47756/tcp] = [$hand_over = T],
+        [127.0.0.1, 0/tcp] = [$hand_over = T]
+        };
+
+  (This interface may be subject to change in the future.)
+
+- New script functions (Robin Sommer):
+
+      function terminate()
+          Terminates Bro via SIGTERM.
+
+      function dump_config()
+          Dumps Bro's full configuration into state_dir (one file per
+          variable/type/function, etc.)
+
+      function send_state(ip: addr, p: port)
+          Send all of persistent state to the remote host.
+
+      function set_accept_state(ip: addr, p: port, accept: bool)
+          If accept is true, state sent by the given host will be
+          accepted (default: false)
+
+      function make_connection_persistent(c: connection)
+          Declare the given connection state to be persistent (i.e.
+          to be saved upon termination and exchanged by send_state).
+          checkpoint.bro uses this to declare some services to be
+          persistent by default.
+
+      function is_local_interface(ip: addr): bool
+          Returns true if the given address is assigned to a local interface.
+
+- Printing of sets and tables now includes timestamps indicating when the
+  element was added (Robin Sommer):
+
+         ID did_ssh_version = {
+            [129.187.20.9, F] = 1 @11/01-15:55,
+            [212.144.77.26, T] = 2 @11/01-15:55,
+            [141.84.116.26, T] = 10 @11/01-15:55,
+            [217.232.245.249, T] = 1 @11/01-15:55,
+            [217.235.217.149, T] = 1 @11/01-15:55,
+            [129.187.39.13, F] = 2 @11/01-15:55,
+            [129.187.208.139, F] = 1 @11/01-15:55,
+            }
+
+  The format may change in the future, and will probably be made an option.
+
+- Similarly, you can print functions to get both a timestamp of the last
+  time the given block was executed and a count of how often (Robin Sommer):
+
+	  ID record_connection = record_connection
+	  (@11/01-16:03 #6549)
+	  {
+	  id = c$id;
+	  local_init = is_local_addr(id$orig_h);
+	  local_addr = local_init ? id$orig_h : id$resp_h;
+		    remote_addr = local_init ? id$resp_h : id$orig_h;
+	  flags = local_init ? "L" : "";
+	  if (remote_addr in neighbor_nets)
+		  (@<never> #0)
+		  flags = cat(flags, "U");
+
+	  if ("" == flags)
+		  (@11/01-16:03 #2110)
+		  flags = "X";
+
+	  is_tcp = is_tcp_port(id$orig_p);
+	  ;
+	  if (is_tcp)
+		  (@11/01-16:03 #6549)
+		  {
+		  if (c$orig$state in conn_closed || c$resp$state in conn_closed
+)
+			  (@11/01-16:03 #4739)
+			  duration = fmt("%.6g", c$duration);
+		  else
+			  (@11/01-16:03 #1810)
+			  duration = "?";
+	  [...]
+
+- You can now specify numbers using hex constants, e.g., 0xabcd = 43981
+  (Michael Kuhn and Benedikt Ostermaier).
+
+- A new function, join_string_array(sep: string, a: string_array) concatenates
+  strings in 'a' and inserts 'sep' between every two adjacent elements
+  (Ruoming Pang).  E.g., join_string_array("", {"a", "b", "c"}) returns
+  "a b c", and join_string_array("", a) is the same as cat_string_array(a).
+
+- checkpoint.bro now makes some services persistent by default
+  (Robin Sommer).
+
+- The new_packet event now includes both the associated connection
+  and a pkt_hdr describing the packet (Robin Sommer).
+
+- The functions functions connect_ssl() and connect_clear() have been replaced
+  by a single connect() function taking an additional parameter to
+  differentiate the types (Robin Sommer).
+
+- The new function stop_listening() unbinds the listen port (Robin Sommer).
+
+- A new flag packet_filter_default says whether the Bro-level packet-filter
+  will by default accept all or reject everything (Robin Sommer).
+
+- Function calls can now be sent to remote Bro's, though there isn't yet
+  an interface for accessing this from the script level (Robin Sommer).
+
+- Bro now has an generalized internal framework for serializing objects
+  and monitoring access to state (Robin Sommer).
+
+- Better memory allocation accounting (Robin Sommer).
+
+- A minor tweak to the output generated by statistics.bro.
+
+- Improved localization of source code for functions in messages (but
+  there are still some bug).
+
+- Autoconf looks for -ltermcap (Robin Sommer).
+
+- Fixes for bugs in the management of table expiration values (Chema Gonzalez).
+
+- A bug in printing "void" values has been fixed (Chema Gonzalez).
+
+- -t bug fixed (Chema Gonzalez).
+
+- A bug has been fixed in which sometimes "expression value ignored"
+  was erroneously generated.
+
+- A bug with packet_contents and UDP packets with checksum errors
+  has been fixed (Ruoming Pang).
+
+- A memory leak in packet timestamp sorting via packet_sort_window
+  has been fixed (Ruoming Pang).
+
+- A bug has been fixed in expanding NULs when printing strings (Ruoming Pang).
+
+- Bug fixes for extracting connection contents via contents.bro (Ruoming Pang).
+
+- Bogus error message "Can't install default pcap filter" when using -F
+  removed.
+
+
+0.8a70 Sun Feb  8 14:19:45 PST 2004
+
+- Bro has a new home page at
+
+	http://www-nrg.ee.lbl.gov/bro.html
+
+  It includes a "wish list" of Bro development projects:
+
+	http://www-nrg.ee.lbl.gov/bro-wishlist.html
+
+- The "match" expression has been completely overhauled (Umesh Shankar).
+  It now has the syntax:
+
+	match EXPR1 using EXPR2
+
+  Its semantics are complicated, but it's very powerful (see its use for
+  alert filtering below).  EXPR1 can have any type T.  EXPR2 must be of
+  type "set[R]", where R is a record type.  R must have the following fields:
+
+	$pred	- type is "function(T): bool".  This is the predicate
+		  associated with the record.  It is passed in EXPR1's
+		  value and returns true or false.
+
+	$result	- can have any type T'.  This is the value to use when
+		  if $pred returns true for EXPR1.
+
+	$priority - type must be arithmetic (count, int, double).  This
+		  is the priority associated with the match of EXPR1
+		  if $pred returns true.
+  
+  The way the expression works is that EXPR1 is evaluated yielding a
+  value V.  EXPR2 is then evaluated yielding a set of records whose
+  type includes the above fields.  Bro then spins through each of the
+  records in the set and tests whether its $pred predicate holds for V.
+  If so, it records the given $result and the associated $priority.
+  It then returns for the value of the entire expression the $result
+  with the highest $priority.
+
+  Here's an example.  The following script:
+
+	global match_stuff = {
+		[$pred = function(a: count): bool { return a > 5; },
+		 $result = "it's big",
+		 $priority = 2],
+
+		[$pred = function(a: count): bool { return a > 15; },
+		 $result = "it's really big",
+		 $priority = 3],
+
+		[$pred = function(a: count): bool { return T; },
+		 $result = "default",
+		 $priority = 0],
+	};
+
+	print match 0 using match_stuff;
+	print match 10 using match_stuff;
+	print match 20 using match_stuff;
+
+  when executed will print:
+
+	default
+	it's big
+	it's really big
+
+  (Note that Bro actually will first evalute $priority before evaluating
+  $pred, and if it already has a better (higher) priority result, it
+  will not bother calling $pred.)
+
+- There's a new syntax for designating function values (Umesh Shankar).
+  It currently only works when associating a function value with a
+  record field in a record constructor:
+
+	[$foo(bad_guy: addr) = { launch_counter_DDOS(bad_guy); return 3.14; }]
+
+  is equivalent to:
+
+	[$foo = function(bad_guy: addr): double = {
+			launch_counter_DDOS(bad_guy);
+			return 3.14;
+	}]
+
+  The goal is to make such functions easier on the eye to express.
+  The changes are (1) no "function" keywork necessary, (2) no function
+  return type necessary (note, it is inferred from the "return" statement
+  in the function body; eventually this will work for all functions, not
+  just those in record constructors), (3) the '=' sign comes after the ')'
+  rather than before the keyword "function".
+
+  Given this syntax, we can rewrite the initialization of match_stuff
+  in the example above as:
+
+	global match_stuff = {
+		[$pred(a: count) = { return a > 5; },
+		 $result = "it's big",
+		 $priority = 2],
+
+		[$pred(a: count) = { return a > 15; },
+		 $result = "it's really big",
+		 $priority = 3],
+
+		[$pred(a: count) = { return T; },
+		 $result = "default",
+		 $priority = 0],
+	};
+
+- The motivation behind these elaborate new mechanisms is to provide a
+  powerful and streamlined way to filter alerts.  According, alert.bro
+  now processes any alerts generated via ALERT() through a new global,
+  alert_policy.  alert_policy's type is set[alert_policy_item], where
+  alert_policy_item is:
+
+	type alert_policy_item: record {
+		result: AlertAction;
+		pred: function(a: alert_info): bool;
+		priority: count;
+	};
+
+  The idea is that you specify your alert post-filtering by redef'ing
+  new elements into alert_policy.  For example, here are two post-filtering
+  rules used at LBL to weed out uninteresting alerts:
+
+	# Ignore connections marked as sensitive because they're
+	# NTP to otherwise-sensitive hosts (first clause) or they happen
+	# to involve 2766/tcp (Solaris Listen), which happens frequently
+	# to ftp.ee.lbl.gov if Bro misses the PORT negotiation.
+	[$pred(a: alert_info) =
+		{
+		return a$alert == SensitiveConnection &&
+			(a$conn$id$resp_p == 123/udp || # NTP
+			 a$msg == /Solaris listen service/);
+		},
+	 $result = ALERT_FILE,
+	 $priority = 1],
+
+
+	# Ignore sensitive URIs if the request was unsuccessful (code 404,
+	# or not answered.)
+	[$pred(a: alert_info) =
+		{
+		return a$alert == HTTP::HTTP_SensitiveURI &&
+			a$msg == /.*((\(404)|(no reply)).*/;
+		},
+	 $result = ALERT_FILE,
+	 $priority = 1],
+
+  These rules are part of:
+
+	redef alert_policy += {
+		... these records and others ...
+	};
+
+  The idea behind them is to demote certain alerts that would ordinarily
+  be syslog'd (i.e., the associated action is ALERT_LOG_ALWAYS) to instead
+  just be recorded in the alert.$BRO_ID file.  Naturally, there are
+  many other possibilities.  For example:
+
+	[$pred(a: alert_info) = {
+		if ( a$alert == FTP::FTP_Sensitive &&
+		     a$msg == /.*crown_jewels.*/ )
+			{
+			system("page_the_duty_officer \"crown jewels theft!\"");
+			return T;
+			}
+		else
+			return F;
+		},
+	$result = ALERT_LOG_ALWAYS,
+	$priority = 1000],
+
+  would run the program page_the_duty_officer with the argument "crown
+  jewels theft!" if an FTP_Sensitive alert was generated and the log message
+  included the text "crown_jewels".  More generally, post-filtering needn't
+  just be about deciding on how the alert is logged; the processing can
+  run programs, update tables, etc., just like any other function call might.
+
+- You can use the new function tally_alert_type in an alert_action_filters
+  initialization in order to suppress immediate logging of an alert and
+  instead have Bro generate a summary of how many times the given alert
+  was seen when it exits.  You can use another new function, file_alert,
+  to specify an alert_action_filters initialization that causes the alerts
+  to just be written to the alert.$BRO_ID file but not otherwise logged.
+
+  For example:
+
+	redef alert_action_filters += {
+		# Just summarize various packet capture glitches.
+		[[RetransmissionInconsistency, ContentGap, DroppedPackets,
+		  AckAboveHole]] =
+			tally_alert_type,
+
+		[RemoteWorm] = file_alert,
+	};
+
+  would specify that RetransmissionInconsistency (etc.) alerts should just
+  be reported in the log file (log.$BRO_ID) as a total count, and
+  RemoteWorm should only be put in the alert.$BRO_ID file, but not
+  otherwise logged or counted.
+
+  You could get the same functionality by writing alert_policy records,
+  but they're quite a bit bulkier than the above.  Note that
+  alert_action_filters entries take precedence over alert_policy
+  records, but are evaluated *after* the "match" on alert_policy,
+  so if you have predicates in alert_policy with side-effects (like the
+  invocation of page_the_duty_officer in the example above), those
+  will still happen.
+
+- The alert_info record (which is used in calls to ALERT) now has
+  slots for some more additional information:
+
+	user: string;	# can hold an assocaited username
+	filename: string;	# an associated filename
+	method: string;	# associated HTTP method
+	URL: string;	# associated URL
+	n: count;	# any associated count/number/status code
+
+  (These are all &optional, so you don't need to specify them if they're
+  not appropriate.)  A number of ALERT's in the default policy scripts
+  have been changed to include these.  The intent is to add more such
+  information in the future.  Ideally, alert_policy records shouldn't
+  be doing checks like "a$msg == /.*((\(404)|(no reply)).*/" but instead
+  extracting the status code directly from a field of 'a' (which is an
+  alert_info record).
+
+- ALERT now fills in the '$id' field in the alert_info record with
+  the $id of the associated connection, if the caller didn't suppy
+  a $id but did supply a $conn.  Likewise, it will fill in $src with
+  the $orig_h from $id (after first filling in $id).  The net result
+  is that you can rely on $id and $src being set for any alert that
+  has an associated connection.
+
+- The HTTP analysis scripts (policy/http*.bro) have been converted to
+  use the "module" facility, similar to how ftp.bro was converted for
+  0.8a48.  This may require changing some of your own scripts, generally
+  just to add "HTTP::" qualifiers.
+
+- Now that the variables associated with FTP analysis are part of an
+  "FTP" module, the "ftp_" prefix associated with:
+
+	ftp_excessive_filename_len
+	ftp_excessive_filename_trunc_len
+	ftp_guest_ids
+	ftp_hot_cmds
+	ftp_hot_files
+	ftp_hot_guest_files
+	ftp_ignore_invalid_PORT
+	ftp_ignore_privileged_PASVs
+	ftp_log
+	ftp_skip_hot
+
+  has been removed, and these are now called:
+
+	excessive_filename_len
+	excessive_filename_trunc_len
+	guest_ids
+	hot_cmds
+	hot_files
+	hot_guest_files
+	ignore_invalid_PORT
+	ignore_privileged_PASVs
+	log_file
+	skip_hot
+
+  To get to them from other scripts, you specify, for example,
+
+	redef FTP::guest_ids = { .... };
+
+  whereas before you had to use:
+
+	redef FTP::ftp_guest_ids = { .... };
+
+- The new connection logging format introduced in 0.8a57 is now the
+  default, unless you redef the new variable "traditional_conn_format"
+  to be T (Robin Sommer).  Connections using unidentified ephemeral
+  ports now have a service of simply "other" rather than other-XXXX.
+  The 'U' connection status flag has been removed (unless you're using
+  traditional_conn_format).
+
+- Tables can now be directly indexed by records, and indexing using records
+  is no longer interchangeable with using a corresponding list of indices
+  (Umesh Shankar).  This may require adjustments to existing policy
+  scripts.
+
+- Hostnames such as www.google.com now have type set[addr] rather than
+  a funky internal list type.
+
+- The new function dump_current_packet(file_name: string) dumps a copy of
+  the current packet to the file with the given name, appending it if the
+  file already exists (Robin Sommer).  The file is in tcpdump format.
+  A handy use for this is in an event handler for signature_match(),
+  to record packets that match given signatures.
+
+- The event new_packet() is invoked for each new packet (Robin Sommer).
+  It currently doesn't provide the packet contents but soon will in
+  a fashion similar to secondary-filter.bro.
+
+- "cf -f fmt" specifies a strtime() format.  -u specifics UTC time rather
+  than local time (Mark Delow and Craig Leres).  cf now has a man page
+  (Craig Leres).
+
+- Two new variables, backdoor_ignore_local and backdoor_ignore_remote,
+  can be used to specify backdoor signatures that should be ignored
+  if the server is local/remote.
+
+- A bug has been fixed in which a "next" executed in the final iteration
+  of a for loop would mangle the subsequent processing of the outer
+  statements (Chema Gonzalez).
+
+- Bug fixes for MIME and Base64 processing (Ruoming Pang).
+
+- pcap.bro now builds its filter in the opposite order (restrict_filters
+  first), which can improve packet filtering performance (Robin Sommer).
+
+- A bug in &default has been fixed.
+
+- More SSL autoconf tweaks (Robin Sommer).
+
+- Portability for different pcap_compile_nopcap() calling sequences
+  (Chema Gonzalez).
+
+- Some tweaks for a minor reduction in memory consumption.
+
+- A memory leak for secondary packet filters has been fixed.
+
+- The localization of error messages (what script line they correspond to)
+  has been improved.
+
+
+0.8a58 Tue Dec 16 08:55:47 PST 2003
+
+- Compatibility with older versions of libpcap (Chema Gonzalez).
+
+
+0.8a57 Tue Dec  9 10:14:30 PST 2003
+
+- The format of Bro's connection summaries is changing.  The new format
+  looks like
+
+	  1069437569.904605 0.230644 1.2.3.4 5.6.7.8 http 59377 80 tcp 610 275 S3 L
+
+  That is, <timestamp>, <duration>, <originator address>, <responder address>,
+  <service>, <originator port>, <responder port>, <originator bytes>,
+  <responder bytes>, <connection state>, <flags>.  (Robin Sommer)
+
+  The script variable traditional_conn_format=T specifies to use the old
+  format rather than this new one.  This is *currently* the default, but
+  will change soon to default to F instead.  If you have comments on this
+  new format, we'd like to hear them.
+
+- The SigAction's available in signatures.bro have been extended (Robin Sommer).
+  SIG_FILE_BUT_NO_SCAN is like SIG_FILE but without any horizontal/vertical
+  processing; SIG_LOG_ONCE logs only an alert only the first time it occurs;
+  SIG_LOG_PER_ORIG logs only the first instance of an alert generated by a
+  particular originator; SIG_COUNT has been renamed SIG_COUNT_PER_RESP; and
+  SIG_SUMMARY suppresses logging of individual alerts but generates a
+  per-originator summary.
+
+- A new -p option for snort2bro tells it to only process signatures that
+  include matching on payload (Robin Sommer).
+
+- You can now explicitly include or exclude particular SIDs when
+  running snort2bro by specifying a configuration file via -c (Robin
+  Sommer).  The format is simple, just "include" or "ignore" followed
+  by the SID number:
+
+	# sid-526 BAD TRAFFIC data in TCP SYN packet 
+	ignore	526 
+
+	# sid-623 matches a null-flags stealth scan.  Include it even
+	# if we build with -p, since it doesn't tend to generate any
+	# false positives.
+	include	623
+
+  The new "snort2bro.cfg" file gives examples (i.e., the above).
+
+- Bro can now serialize functions and event handlers, meaning that these
+  can be passed as values between Bro's and dumped using -g (Robin Sommer).
+  One of the main goals in supporting this is to allow in situ alteration
+  of the Bro's configuration (e.g., you can edit a function and change its
+  functioning and have a running Bro pick up the change without having to
+  stop and be restarted).  Such dynamic reconfiguration is experimentally
+  supported via -g <dir> (see below).
+
+- &persistent state is now stored in the *directory* given by state_dir
+  (default: "./.state"), one file per variable, rather than a single file
+  (Robin Sommer).
+
+- Storing &persistent state to disk is now done incrementally: after writing
+  each file, there's a delay of state_write_delay (default: 0.1 secs) before
+  working on the next file (Robin Sommer). This may introduce small
+  inconsistencies, but prevents load spikes that can lead to packet drops.
+  Currently, there is no mechanism to incrementally store a single variable
+  (like a large table), although there is already some framework in place
+  to eventually support this.
+
+- The *experimental* new -g <dir> option dumps the script-level configuration
+  (excluding things defined in internal default scripts like bro.init)
+  into the directory <dir>. These files may be printed with "bro -x <file>",
+  or copied into the state_dir of a running Bro, which will then pick up
+  the change if it has loaded checkpoint.bro.  (When picking up changes,
+  event handlers are always added, while functions, types, and variables
+  replace the current ones).
+
+- Table values are now incrementally expired rather than all at once
+  (Robin Sommer).  That is, if the expiration timer goes off and hundreds
+  of values should now be expired, the work of doing so is spread over
+  chunks of table_expire_size (default: 50) at a time, separated by a
+  delay of table_expire_delay (default: 0.1 secs).  This change aims to
+  prevent large processing spikes that can lead to packet drops.
+
+- New built-ins sub() and gsub() act like awk's functions of the same
+  name, changing substrings (either first, or all) that match a given
+  regular expression to a given target string.  (Note, the calling sequence
+  differs from the order used by awk.)
+
+- The new auxiliary script aux/scripts/mvlog is a handy way to manage
+  checkpointed logs.  See the script for documentation.
+
+- The &expire_func function now takes two arguments.  The second is
+  of type "any" and corresponds to the index(es) of the element being
+  expired.  To access the individual indices, you use a new assignment form:
+
+	[a, b, c] = index_val;
+
+  (where index_val is the second argument of type "any").  This assigns
+  a to the first index, b to the second, and c to the third.  NOTE: the
+  use of "any" types here is *temporary* and will be changing in the
+  future to a general "tuple" notion.  (Robin Sommer)
+
+- scan.bro and conn.bro have been reworked to consume less memory and to
+  support more flexible state expiration (Robin Sommer).
+
+- The new builtin rescan_state() causes Bro to re-read any persistent
+  data values (Robin Sommer).
+
+- snort2bro now supports continued lines ("\<newline>") (Robin Sommer).
+
+- The calling sequences of the software_version_found() and
+  software_parse_error() events has changed, and a new event,
+  software_unparsed_version_found(), is invoked for raw version
+  strings (i.e., the version string prior to the event engine
+  attempting to parse it into version/major/minor) (Robin Sommer).
+
+- Software version tracking for clients now tracks all versions, not just
+  the latest version (Robin Sommer).
+
+- alert_info records now include an optional field event_src, which is the
+  source of the event if it was received from an external Bro (Robin Sommer).
+
+- Regular expressions now support {} iteration values of 0, and generate
+  better error messages.
+
+- Output generated by icmp.bro is now redirected into an "icmp" log file
+  (Robin Sommer).
+
+- autoconf tweaks for configuring OpenSSL on Linux (Ruoming Pang, Robin Sommer).
+  Tested on RedHat (thanks to Anton Chuvakin), Debian, FreeBSD, Solaris.
+
+- You can now turn off using OpenSSL even if the OS supports it, via
+  configuring with --disable-openssl (Robin Sommer).
+
+- Variable size computations (per global_sizes()) are now more accurate
+  (Robin Sommer).
+
+- A bug with combining file encryption and log rotation has been
+  fixed (Robin Sommer).
+
+- A problem tracking directionality in signatures fixed (Robin Sommer).
+
+- Bro now continues running if DNS is not functioning (Robin Sommer).
+
+- Rewriter memory use has been significantly reduced (Ruoming Pang).
+
+- Some bugs with -A/-w interaction have been fixed (Ruoming Pang).
+
+
+0.8a48 Tue Oct 21 15:56:13 PDT 2003
+
+- There is now a mechanism in place for multiple Bro's to communicate with
+  one another via sockets (Robin Sommer).  *This is quite experimental at
+  this point* and may have significant bugs and/or need significant
+  enhancements.
+
+  By loading listen-clear.bro or listen-ssl.bro, an instance of Bro starts
+  to listen on a TCP port.  The first of these listens for unencrypted
+  connections and the second for connections encrypted via OpenSSL.  To
+  connect to a listening Bro, you load remote-clear.bro or remote-ssl.bro.
+  For this connection, you specify which events you want to receive by
+  giving a regular expression (e.g.  "/http_*/" for all HTTP events),
+  although only those events for which you have defined a local handler
+  are actually requested.  Communication is uni-directional in the sense
+  that for a certain connection the events go only from Bro-A to Bro-B but
+  not from B to A (you could set up a second connection for the other
+  direction, though).
+
+  The OpenSSL certificate used to authorize remote  Bro's is specified in
+  the script variable "ssl_ca_certificate" and the private key and certificate
+  for the local Bro via "ssl_private_key".
+
+  If Bro A connects to Bro B, by default it sends over its capture_filter.
+  But Bro B uses it only if it has loaded remote-pcap.bro.  This is the
+  beginning of structuring inter-Bro trust mechanisms.  It is done via two
+  new events, remote_capture_filter(ip: addr, p: port, filter: string) and
+  send_capture_filter(ip: addr, p: port, s: string) : bool.
+
+  The implementation forks a second process which does the socket
+  communication, so that the main process should not be affected too much.
+  The two processes communicate via a pipe.
+
+  You can call is_remote_event() to determine whether the event currently
+  being handled was originated by a remote Bro (if T) or the local Bro
+  (if F).
+
+  If a connection with a remote Bro terminates (for whatever reason), Bro
+  may try to reconnect automatically.
+
+  A new function, get_event_source(), returns a record event_source
+  describing the source that raised the last event.
+
+  See doc/ssl.txt for an explanation of how to create the keys/certificates.   
+
+- A fledgling Gnutella analyzer has been contributed (Mark Allman).
+  It generates the following events:
+
+	event gnutella_text_msg(c: connection, orig: bool, headers: string)
+	event gnutella_binary_msg(c: connection, orig: bool, msg_type: count,
+					ttl: count, hops: count, msg_len: count,
+					payload: string, payload_len: count,
+					trunc: bool, complete: bool)
+	event gnutella_partial_binary_msg(c: connection, orig: bool,
+						msg: string, len: count)
+	event gnutella_establish(c: connection)
+	event gnutella_not_establish(c: connection)
+	event gnutella_http_notify(c: connection)
+
+- Bro now supports a secondary channel for acquiring packets (Chema Gonzalez).
+  You access it by redef'ing the new global "secondary_filters", adding
+  table[string] of event(filter: string, pkt: pkt_hdr).  The string
+  specifies a tcpdump filter; anytime a packet matches the filter
+  (including packets that would *not* otherwise be matched by
+  capture_filter), then the given event handler is invoked.
+
+  For example,
+
+	  redef secondary_filters += {
+		  ["tcp[13] & 7 != 0"] = rst_syn_fin_flag,
+	  }
+  
+  will invoke rst_syn_fin_flag() anytime a TCP packet is seen for
+  which the SYN/FIN/RST bits are non-zero.  The event handler will
+  be passed the string "tcp[13] & 7 != 0" (so it can tell which
+  of possibly multiple filters matched) and a pkt_hdr value, which
+  includes the IP header and, if present, the TCP, UDP or ICMP header.
+
+  Another example, and what motivated the addition, is:
+
+	  redef secondary_filters += {
+		["ip[10:2] & 0xffc == 0x398"] = sampled_1_in_1024_packet,
+	  }
+
+  which will invoke sampled_1_in_1024_packet() any time the given
+  10 bits in the IP checksum match the pattern 0x398.  If the checksum
+  field is uniformly distributed then this roughly corresponds to
+  1-in-1024 random sampling.  (Chema has also developed BPF additions
+  to support true random sampling.)
+
+  See policy/secondary-filter.bro for examples.
+
+- Bro now does a much better job of keeping track of how much memory
+  has been allocated for different structures (Robin Sommer).
+
+  This includes more accurate computations for global_size().
+
+  In addition, if you redef "statistics_interval" to be a non-zero time
+  interval, then with that periodicity a summary of memory usage (including
+  memory used by event engine components) is dumped to the file
+  "statistics_file".  In addition, at this point a "do_statistics" event
+  is generated.  You can also call the new built-in statistics_update()
+  to generate memory statistics on demand.
+
+  The above structure is likely to change in the future.  statistics_interval
+  will probably go away, to be replaced by either explicit calls to
+  statistics_update() (which you can do on a timer if you like by using
+  "schedule"), or by a built-in function that returns a record of all
+  the statistics, that you can then format however you want.
+
+- A major memory leak in HTTP analysis has been fixed (Ruoming Pang).
+
+- New attributes &rotate = <interval expression> and
+  &postprocessor = <string expression> can be associated with a file
+  variable in order to specify how often the file should be rotated to a
+  new filename on disk, and, when rotation occurs, the name of a shell
+  program to run on the now-older version as a postprocessor (Robin Sommer).
+
+- Similarly, log_postprocessor and log_rotate_interval specify the default
+  values for files.  Unless redef'd, these themselves default to the empty
+  string (= no postprocessing) and 0.0 seconds (no rotation).  (Robin Sommer)
+
+- A new attribute, &encrypt, applies to variables of "file" type.  It specifies
+  that the version on disk should be encrypted, using either the key specified
+  as the value of the attribute, or, if no value is specified, using the
+  value of the new script variable log_encryption_key.  The key is an OpenSSL
+  public key; it's used to then embed a Blowfish session key.  (Robin Sommer)
+
+  A new utility, aux/bdcat/bdcat ("Bro decrypt cat") can be used to decrypt
+  the files. 
+
+- The internal structure of TCP analysis has been significantly altered.
+  Previously, TCP_Endpoint tracked endpoint state and TCP_EndpointContents
+  (derived from it) did stream reassembly.  These have now been separated;
+  TCP_Endpoint still tracks endpoint state, but TCP_EndointContents has
+  become TCP_Contents, and is only loosely coupled with TCP_Endpoint.
+  The reason for this change is to lay the groundwork for (1) applying
+  an application analyzer to a connection after several packets for
+  the connection have already been read, and (2) applying *multiple*
+  application analyzers to a single connection.
+
+- Bro now supports the universal hashing if USE_UHASH is defined
+  (Ruoming Pang).  Universal hashing is a lighter-weight alternative
+  to MD5 hashing that retains the property of being very difficult
+  for an attacker to guess.  It comes in two flavors, a 32-bit
+  version (which you get with USE_UHASH) and a faster 16-bit version
+  (which you get if you also define USE_NH).  Bro will likely switch
+  to using these by default in the near future, as their performance
+  gain over MD5 is significant.
+
+- New built-in functions srand() and rand() provide access to the
+  usual C-style random number seeding & generation (Chema Gonzalez).
+
+- You can now specify server/client addresses to leave in the clear in
+  IP address anonymization (via the built-in variables preserve_orig_addr
+  and preserve_resp_addr). Correspondingly, the built-in function for
+  IP anonymization now takes a parameter to specify the type of the address
+  (orig, resp, or other), instead of the method of anonymization
+  (seq, random, prefix-preserving).  (Ruoming Pang)
+
+- Trace anonymization now has prelminary support for handling TCP options
+  via the new event "tcp_option" (Ruoming Pang).  It is only invoked
+  if skip_event_tcp_option is F (it defaults to T).
+
+- A new event, tcp_segment, is similar to the event "packet_content"
+  but provides more information: is_orig (directionality), sequence
+  number, and acknowledgement number (Ruoming Pang).
+
+- ./configure finds OpenSSL if it's in some standard location.  Otherwise,
+  you may specify it --with-openssl=<path>.  If OpenSSL is not available,
+  Bro compiles cleanly without and gives warnings if a script tries use SSL.
+  (Robin Sommer)
+
+- The internal links in manual/entire.html have been fixed so they
+  now work (Chema Gonzalez).
+
+- A new policy script, blaster.bro, detects instances of the W32.Blaster
+  worm (Robin Sommer).
+
+- Signature files (for input to the signature engine) now reside in
+  policy/sigs/*.sig.  This directory is now on the default $BROPATH.
+
+- sig.ex.ssl-worm.bro and sig.ex.web-rules.bro have been updated
+  to reflect changes in keywords (Robin Sommer).  They've been
+  renamed to ex.ssl-worm.sig and ex.web-rules.sig and reside
+  in policy/sigs/, per the above.
+
+- The module facility has been changed to have its scope limited to
+  the current file plus any additional files that are automatically
+  processed based on its name plus $BRO_PREFIXES.
+
+- As an experiment, ftp.bro has been modified to a style that includes
+  using "module FTP".  Likely other policy scripts will be converted
+  in the near future, and their variable names changed accordingly
+  (e.g., "ftp_hot_files" will become "FTP::hot_files").
+
+- The new "match" expression has been modified to allow any yield type
+  rather than just strings.  It is likely to change significantly again
+  soon.
+
+- Iterating over multi-dimensional tables/sets now works (Robin Sommer).
+  For example:
+
+    const remote_peers_ssl : table[addr, port] of Peer &redef;
+    [...]
+    for ( [ip, p] in remote_peers_ssl )
+        connect_ssl(ip, p, remote_peers_ssl[ip, p]$retry); 
+
+- Checkpointing of persistent state on SIGHUP now happens via bro.init
+  (Robin Sommer).  Not tested.
+
+- fmt() now supports %x for hexadecimal formatting (Chema Gonzalez).
+
+- alert.bro logs the source for remote alerts; by redefining the new
+  "event_source_description: string" locally, you can specify how a
+  Bro is to refered to on the remote side.  (Robin Sommer)
+
+- software.bro now tracks HTTP clients, too (Robin Sommer).  This
+  will be extended in the near future.
+
+- Some FreeBSD 5.X porting tweaks (Sergey Osokin).
+
+
+0.8a37 Wed Sep  3 23:20:21 PDT 2003
+
+- A new attribute, "&persistent", indicates that a global variable's
+  state should persist on disk (Robin Sommer).  Currently, they
+  reside in the file "state.bst".
+
+  For example, given the following script:
+
+	global a = 0 &persistent;
+
+	event bro_init()
+		{
+		print ++a;
+		}
+
+  then every time you run it, a increases by one.
+
+  You can dump the state file using "bro -x state.bst <scriptname>".
+  (There's also a partially-implemented XML dumper which you invoke via
+  "bro -X state.bst <scriptname>".)
+
+  If you send Bro a HUP signal, then it will synchronize all persistent
+  state to disk (checkpoint) at that point.  More generally, the policy
+  script can do so at any time by calling the new built-in checkpoint_state().
+
+  By including the new policy script "checkpoint", you can have Bro
+  automatically checkpoint every time checkpoint_interval elapses
+  (default 15 minutes).
+
+- You can also record events to disk by loading the "capture-events"
+  policy script, or calling the new capture_events() built-in (Robin Sommer).
+  The events are written to the file events.bst.  You can dump these
+  using bro -x (or -X), as above.  You can also replay them using
+  "bro -R <file>".  By replaying them using the same policy script as
+  generated them, you should get the same output.  For example:
+
+	bro -r tracefile myscript capture-events
+
+	...
+
+	bro -R events.log myscript
+
+- An experimental module facility has been added (Umesh Shankar).
+
+  The module facility implements namespaces. Everything is in some namespace
+  or other. The default namespace is called "GLOBAL" and is searched by
+  default when doing name resolution. The scoping operator is "::" as in
+  C++. You can only access things in the current namespace, things in the
+  GLOBAL namespace, or things that have been explicitly exported from a
+  different namespace. Exported variables and functions still require
+  fully-qualified names. The syntax is as follows:
+
+  module foo;  # Sets the current namespace to "foo"
+  export {
+	int i;
+	int j;
+  }
+  int k;
+
+  module bar;
+  int i;
+
+  foo::i = 1;
+  bar::i = 2;
+  print i;    # bar::i (since we're currently in module bar)
+  j = 3;      # ERROR: j is exported, but the fully qualified name
+              #        foo::j is required
+  foo::k = 4; # ERROR: k is not exported
+
+  The same goes for calling functions.
+
+  One restriction currently in place is that variables not in the "GLOBAL"
+  namespace can't shadow those in GLOBAL, so you can't have
+
+    module GLOBAL;
+    global i: int;
+
+    module other_module;
+    global i: int;
+
+  It is a little confusing that the "global" declaration really only means
+  that the variable i is global to the current module, not that it is truly
+  global and thus visible everywhere (that would require that it be in
+  GLOBAL, or if using the full name is ok, that it be exported).  Perhaps
+  there will be a change to the syntax in the future to address this.
+
+  The "module" statement cuts across @load commands, so that if you say:
+
+	module foo;
+	@load other_script;
+
+  then other_script will be in module foo. Likewise if other_script changes
+  to module bar, then the current module will be module bar even after
+  other_script is done.  However, this functionality may change in the future
+  if it proves problematic.
+
+  The policy scripts in the Bro distribution have not yet been updated to
+  use it, but there is a backward-compatibility feature so that existing
+  scripts should work without modification. In particular, everything is
+  put in GLOBAL by default.
+
+- The hooks are now in place for communicating events between running
+  Bro's.  An experimental implementation of doing so (written by Robin
+  Sommer) will be integrated shortly.
+
+- A side-effect of getting those hooks in place is that event handlers must
+  now be directly specified (by naming them) rather than indirectly
+  (for example, by indexing a table whose value yields an event handler).
+  This may be fixed soon.
+
+- An experimental "match" expression scans a list of predicates to find
+  the first one that's both true and has the highest priority (Umesh Shankar).
+
+  The general form is:
+
+	match some_record on {
+		[ priority, class_name, predicate ],
+		...
+	}
+
+  where "predicate" is evaluated in the context of the value (and type) of
+  some_record.  For example, if some_record has a field "num_alerts"
+  then predicate could be "$num_alerts > 5".
+
+  "priority" is a non-negative integer (i.e., of type "count"), and,
+  for now, "class_name" is a string.
+
+  For example,
+
+	global c: conn_id;
+
+	c = [ $orig_h = 0.0.0.0, $orig_p = 0/tcp,
+	      $resp_h = 1.1.1.1, $resp_p = 1/tcp ];
+
+	print match c on {
+		[ 2, "emptyweb", $orig_h == 0.0.0.0 && $resp_p == 80/tcp ],
+		[ 1, "emptyhost", $orig_h == 0.0.0.0 ],
+		[ 0, "should not match", 1 == 0 ]
+	};
+
+  will print "emptyhost".
+
+  The initial intent behind this is to eventually provide more flexible
+  customization of alert processing, though it clearly has broader
+  applicable.  *It is very likely that the semantics and perhaps the syntax
+  of "match" will change in the near future.*
+
+- Bro's packet filter is now computed via pcap.bro (which is automatically
+  included via bro.init).  It uses two new built-ins:
+
+	precompile_pcap_filter(id: PcapFilterID, s: string):  bool
+	install_pcap_filter(id: PcapFilterID): bool
+
+  The first is for precompiling a pcap filter so it can be installed
+  or turned off dynamically. Associating an ID with the filter, you can
+  then activate the filter by calling the second function (installing a
+  new filter replaces the current one).  (Robin Sommer)
+
+  Be default, pcap.bro is responsible for building a pcap string based on
+  the capture/restrict_filters defined by the various analyzers. It compiles
+  and installs this filter, so there is no observable difference in usage
+  to the old implementation, except capture/restrict_filter are now *tables*
+  rather than strings, and are written as plural rather than singular.
+  So the analyzers need to define something like this:
+
+	[finger.bro]
+	redef capture_filters += { ["finger"] = "port finger" };
+
+  This then allows "finger" to be used as the name for the corresponding
+  filter element (see the next item).
+
+- load-level.bro is an experimental policy script for allowing Bro to
+  shed or add on load (in terms of which protocols it analyzes).  It
+  provides three interface functions for setting the current loadlevel:
+
+	# level is LoadLevel1, ..., LoadLevel10
+	function set_load_level(level: PcapFilterID): bool
+
+	function increase_load_level()
+	function decrease_load_level()
+
+  load-levels.bro defines ten different load levels (from 1 to 10, with 10
+  being the one with the most load imposed on the system), which are
+  configured by defining capture_load_level/restrict_load_levels: Example:
+
+	redef capture_load_levels += {
+		["dns"]          = LoadLevel1,
+		["smtp"]         = LoadLevel2,
+		["http-reply"]   = LoadLevel3,
+		["http-request"] = LoadLevel8,
+	};
+
+  This means for example: "include the capture_filter associated with
+  'http-reply' if the current load level is 3 or below".  There's a similar
+  mechanism for restrict_filters:
+
+	redef restrict_filters += {
+		["cs-only"] = "net 131.159.0.0/16",
+	};
+
+	redef restrict_load_levels += {
+		["cs-only"] = LoadLevel7,
+	};
+
+  This applies the given restrict_filter if the current load level is 7
+  or *above*.
+
+  The pcap filters belonging to the ten load levels are built and pre-compiled
+  on startup. The three functions shown above just call install_pcap_filter()
+  then.  (Robin Sommer)
+
+- drop-adapt.bro tries to adjust the load level based on the current
+  packet drop rate (Robin Sommer).
+
+- synflood.bro is an experimental policy script for detecting SYN floods.
+  It is not yet documented, other than brief comments in the script.
+  (Robin Sommer)
+
+- Subnet lookups now use Patricia trees instead of brute-force, which should
+  make them significantly more efficient for large lists, e.g., local nets.
+  (Robin Sommer)
+
+- Due to the addition of modules, which use a C++-style "::" scope
+  designator, you now need to use "0x" to introduce IPv6 address constants
+  that use "::" to specify a series of empty octets.  For example, you
+  used to be able to specify "deadbeef::cafe", but now this needs to be
+  "0xdeadbeef::cafe".  Note that "1::2" can still be written without needing
+  a "0x" prefix; it's just hex constants that start with letters that need
+  the prefix.
+
+- A new built-in, escape_string(), takes a string and returns a copy of
+  it that uses escape sequences for any problematic characters (Robin Sommer).
+
+- A number of low-level bug fixes and portability tweaks (Robin Sommer,
+  Ruoming Pang, Christian Kreibich, Chema Gonzalez).
+
+- A new timer, status_update_timer, fires for each ongoing connection
+  every connection_status_update_interval seconds (default = 0 seconds,
+  which means "don't fire).  (Robin Sommer)
+
+- An additional Bro-level packet filter can filter/sample packets
+  based on their src/dest ip/subnet (using a Patricia tree for
+  efficiency; Robin Sommer). install_src_addr_filter(ip, flags, p) drops
+  packets originating from ip with probability p (0..100) if none of the
+  given TCP flags is set. install_src_net_filter, install_dst_addr_filter
+  and install_dst_net_filter" work similarly.  The corresponding "uninstall_*"
+  functions remove the filters again.
+
+- The @if/@else/@endif mechanisms have been made more powerful (Robin Sommer).
+
+- New configure option --enable-debug to compile without optimization
+  (Robin Sommer).
+
+- Small tweaks to the mpatrol support (Robin Sommer).
+
+- SMTP is now one of the services which can use a small inactivity timeout
+  in inactivity.bro (Robin Sommer).
+
+- Alerts for signatures which are triggered by worms may be suppressed if
+  we already know that the triggering host is indeed infected by a worm
+  (Robin Sommer).
+
+- Matches of a signature can now be counted per destination host
+  (Robin Sommer).
+
+- snort2bro now ignores sid-526 ("BAD TRAFFIC data in TCP SYN packet";
+  Robin Sommer). Due to different semantics of Bro (matching stream-wise)
+  and Snort (matching packet-wise) this signature generates a lot of
+  false positives.
+
+
+0.8a34 Sun Jul 13 09:11:32 PDT 2003
+
+- The new "subnet" type corresponds to a CIDR prefix (Robin Sommer).
+  You can use the '/' operator to convert an address to a subnet.  The
+  "in" operator tests whether an address matches a subnet (e.g., "1.2.3.4
+  in 1.2.255.255/16" yields T).
+
+  You can index tables with index type "subnet" using addresses to retrieve
+  the table entry with the longest-matching prefix for that address, and
+  a number of tables/sets in the default scripts have been converted to
+  this form.  So for example the local_16_nets and local_24_nets variables
+  have been replaced by local_nets, which has type "set[subnet]",
+  is_local_addr() now refers to it, and skip_scan_nets_{16,24} have
+  likewise been consolidated into skip_scan_nets.
+
+  One present deficiency is that subnets can't be used in tables/sets
+  with multiple indices.  Fixing this is going to take some time ...
+  Another deficiency is that the longest-match lookup is not very
+  efficient.
+
+  Caution: this feature has been only briefly tested with IPv6.
+
+- ALERT now generates an event "alert_action" which includes the alert_info
+  and AlertAction associated with an alert.  You can define your own handler
+  to further customize alert processing.
+
+- The "snort2bro" conversion utility has been extended to recognize some
+  of the new Snort options (depth, distance, within; Robin Sommer).  For
+  example:
+
+      alert .... ( ... content:"|00 01 86 B8|";
+		       content:"|00 00 00 02|"; distance:4; within:4;
+		       content:"%x %x"; distance:16; within:256;
+		       ... )
+
+  is converted to:
+
+      signature sid-1891 {
+	  ...
+	  payload /.*\x00\x01\x86\xB8.{4}\x00\x00\x00\x02.{16}.{0,251}%x %x/
+	  }
+
+  Note that not all of the new Snort options are supported yet.
+
+- You can refer to script variables within signatures (Robin Sommer).
+  For example, the following is now possible:
+
+	signature sid-547 {
+	  ip-proto == tcp
+	  src-ip != local_nets
+	  dst-ip == local_nets
+	  dst-port == 21
+	  event "FTP \"MKD  \" possible warez site"
+	  tcp-state established
+	  payload /[mM][kK][dD]  /
+	  }
+
+  This makes the signatures independent of the environment ("local_nets"
+  in the above examle).  snort2bro now converts some well-known Snort
+  variables into corresponding Bro variables, a number of which are listed
+  in policy/site.bro.
+
+- The default action for signature matches is now logging insted of only
+  writing it to a file (Robin Sommer).
+
+- You can now use the '^' and '$' regular expression operators inside
+  subpatterns.  For example, /foo$/ | /^bar/ works now.
+
+- You can now use "msec" for milliseconds (in addition to "usec" for
+  microseconds, "sec" for seconds, etc).
+
+- The log_file_name and open_log_file functions are now redef'able
+  if you want to change their behavior.
+
+- Bro now exits more cleanly upon exhaustion of memory (Robin Sommer).
+
+- A bug was fixed for the case of getrlimit() returning RLIM_INFINITY for
+  the maximum number of open files.
+
+- Numerous additions of std:: scoping to address porting issues (Robin Sommer).
+
+- gcc 3.X and Solaris portability fixes.
+
+- A new event RemoteWorm is the complement of LocalWorm (Robin Sommer).
+
+- A bug in which the FTP analyzer would complain about failing to be able
+  to look up a connection has been fixed (Robin Sommer).
+
+- You can now configure Bro using "--with-mpatrol" to activate MPatrol
+  debugging hooks.  When built in this mode, -m dumps the leak table
+  and -M shows unfreed parts of the heap.  These dumps can also be
+  triggered using SIGUSR1 / SIGUSR2, respectively.  (Robin Sommmer)
+
+- A script function get_contents_type() which returns the type of reassembling
+  being done for a connection (none/orig-side/resp-side/both; Robin Sommer).
+
+- A minor bug fix for the regular expression matcher (Robin Sommer).
+
+
+0.8a32 Thu Jun 12 23:33:21 PDT 2003
+
+- The low-level hash functions have been reimplemented to use HMAC-MD5 to
+  counter the "algorithmic complexity attacks" discussed in the USENIX
+  Security 2003 paper by Scott Crosby & Dan Wallach
+  (http://www.cs.rice.edu/~scrosby/hash/) (Ruoming Pang and Vern Paxson)
+
+- Ruoming Pang has made extensive changes to the anonymization/transformation
+  framework.  A paper describing it will appear in SIGCOMM 2003, and will
+  be included with the Bro distribution once the final copy is ready.
+
+- Internal hash tables now resize incrementally, and more quickly.
+  This makes a big difference in avoiding lengthy processing pauses when
+  processing large volumes of traffic. (Craig Leres)
+
+- gcc 3.1 and Linux portability tweaks.
+
+- The calling sequence of http_request() has changed.  It now includes both
+  the original URI and the escaped URI.  This was made explicit because
+  we found that if only the original was passed in, it was too easy to forget
+  to expand the escapes in it; and if only the escaped was passed in,
+  some attacks could be missed. (Ruoming Pang)
+
+- Signature rules can now refer to "finger" payload as well as HTTP and FTP
+  (Robin Sommer).
+
+- The signature engine now includes keywords "dst-ip", "dst-port",
+  "ip-proto", "src-ip", "src-port".  (Robin Sommer)
+
+- Packet sorting now defaults to off.
+
+- The FTP analysis now attempts to track the current directory (Ruoming Pang).
+
+- A number of scan detection additions have been added (Scott Campbell):
+
+	activate_landmine_check = F
+		if T, then access to more than landmine_thresh_trigger
+		addresses in landmine_address (a set of addresses)
+		constitutes a scan
+
+	activate_priv_port_check = T
+		if T, then inbound access to more than priv_scan_trigger
+		privileged ports (i.e., ports < 1024) is considered a port
+		scan.  You can exclude particular services from the count
+		via troll_skip_service, which defaults to { smtp, ftp,
+		ssh, 20/tcp, http }.
+
+- The SMTP analysis now includes a new alert, HotEmailRecipient, which
+  is triggered by mail sent to any of the addresses specified in
+  the pattern hot_recipients (which defaults to a bare /@/).
+
+- The new built-in cat_string_array_n() is like cat_string_array() except
+  it takes starting and ending indices as additional arguments (Ruoming Pang).
+
+- The new built-in sort_string_array() takes a string array and returns
+  a sorted version (Ruoming Pang).  It currently uses an N^2 algorithm
+  so shouldn't be used on large arrays.
+
+- The new built-in subst() substitutes all instances of a given pattern
+  in a given string with another string (Ruoming Pang).  For example,
+  subst("fooboo", /oo/, "xxx") returns "fxxxbxxx".
+
+- The new built-in cut_tail() trims characters from the end of a string
+  (Ruoming Pang).  For example, cut_tail("fooboo", 2) returns "foob".
+
+- sub_bytes() can now take a negative argument, which is with respect to
+  the end of the string rather than the beginning (Ruoming Pang).
+
+- The new built-in md5_hmac() returns an HMAC-MD5 hash of the given string
+  (Ruoming Pang).  The HMAC secret key is generated from available entropy
+  when Bro starts up, or it can be specified for repeatability using
+  the new -K flag.
+
+- The new built-in split_all() is like split() except that the returned
+  array also includes the parts of the string that match the pattern
+  used for the splitting (Ruoming Pang).
+
+- The new built-in split_n() splits up to a given number of instances,
+  optionally returning the parts matching the split pattern (Ruoming Pang).
+
+- The new built-in split_complete() is the most general of the split functions
+  (the others are written in terms of it).  It splits a given string
+  with separators that appear in either a given pattern or a given set
+  of strings, optionally including the text matching the separators in
+  its return value, and optionally limiting the number of matches to
+  a specified maximum.  (Ruoming Pang)
+
+- The new built-in to_string_literal() returns an escaped version of a string
+  suitable to feeding into Bro's parser.  For example, calling it on
+  "foo\nbar" (where '\n' is an embedded newline) returns "foo\x0abar".
+  (Ruoming Pang)
+
+- subst_substring() has been renamed subst_string (Ruoming Pang).
+
+- unescape_URI() no longer takes the connection as an argument (Ruoming Pang).
+
+- config.guess and config.sub updated
+
+- String escape expansion has been refined (Ruoming Pang) and some bugs
+  fixed.  It now supports a format that's consistent with Bro string literals.
+
+- Scanning of octal and hex escape sequences now stops after 3 or 2
+  characters, respectively.  For example, "\0007" now expands to a
+  NUL followed by the character '7'.  (Ruoming Pang)
+
+- Bug fixes for handling of bare <CR> and <LF>'s when <CRLF> expected
+  (Ruoming Pang), and associated "weird" events.
+
+- A bug in signature matching reassembly has been fixed (Robin Sommer).
+
+- A bug in reporting "bad connection size" for connection sizes > 2GB
+  has been fixed.
+
+- A bug in computing sizes for large partial connections has been fixed.
+
+- A bug in delayed generation of connection closed events has been fixed.
+
+- A framework has been added for compression of some "weird" events
+  to only be generated once-per-connection (Ruoming Pang).
+
+- Some of the "weird"'s generated by the HTTP analyzer have been regularized.
+
+- Some memory management fixes.
+
+- A performance problem in allocating List objects was fixed.
+
+- The copyright dates have been updated (Craig Leres).
+
+
+0.8a22 Wed Jan 15 16:47:18 PST 2003
+
+- There is now a "conditional compilation" feature similar to C's preprocessor
+  (contributed by Robin Sommer).  "@if (expr)" will include the remaining
+  input lines up to "@endif" only if the given expression evaluates to true.
+  "@ifdef (id)" will do so only if the given identifier has been defined,
+  and "@ifndef (id)" only if it has not been defined.  There's currently
+  no "@else" directive, and conditionals cannot be nested.  Both of these
+  will be added in the future.
+
+- New built-in functions (contributed by Ruoming Pang): parse_dotted_addr
+  takes a string in A1.A2.A3.A4 form an returns a corresponding "addr" value.
+  unescape_URI takes a URI that possibly has embedded escape sequences
+  ("%61" for 'a') and expands the sequences.
+
+- The URIs in HTTP requests are no longer automaticaly escaped.  Instead,
+  they need to be manually escaped using unescape_URI.  As this is likely
+  error-prone (users forgetting to do so), the plan is to change the
+  calling sequence of http_request in the near future so that *both* the
+  escaped and the unescaped URI are passed in.
+
+- A number of g++ 3.0 porting tweaks have been added (thanks to Sean Irvine).
+
+- The term "rule" has been systematically changed to "signature" (Robin Sommer).
+
+- The functionality of monitoring packet drops has been moved into its
+  own policy script, netstats.bro (Robin Sommer).
+
+- A number of rewriter and location bugs have been fixed.
+
+- Some missing HTTP "weird"'s have now been included in weird.bro.
+
+
+0.8a21 Thu Nov 28 23:31:38 PST 2002
+
+- A new mechanism will reorder packets within a window of packet_sort_window
+  if due to their sequence numbers they appear to be out of order.  This
+  can help a great deal when reading from multiple NICs.  (Contributed by
+  Ruoming Pang.)
+
+- A bug in regular-expression matching in which for example
+  "2a1" == /[0-9]+/ would evaluate as true was fixed (Ruoming Pang).
+
+- There's now a rewriter/anonymizer for FTP (Ruoming Pang).
+
+- The rewriter/transformation framework now supports a notion of
+  delaying transformation decisions until later (Ruoming Pang).
+
+- An incompatibility with bison 1.75 has been identified.  The problem
+  is that bison 1.75 generates incomplete location information for empty
+  grammar productions (those for which the RHS is empty).  This will
+  be fixed soon.
+
+- Some bugs in the signature engine have been fixed (Robin Sommer).
+
+- The sources no longer use the not-fully-portable hash_map template
+  (Umesh Shankar).
+
+- Some bugs with the debugger getting confused about source line number
+  locations, and also with the -t option, have been fixed (Umesh Shankar).
+
+- If a content gap occurs wholly inside an HTTP entity, then the analyzer
+  will skip over the entity and continue processing any subseqeuent HTTP
+  items, rather than giving up on processing the connection (Ruoming Pang).
+
+- The following new built-in functions have been contributed by
+  Ruoming Pang:
+
+	function cat_string_array(a: string_array): string
+	function split_all(str: string, re: pattern): string_array
+	function strstr(big: string, little: string): count
+	function subst_substring(s: string, from: string, to: string): string
+	function int_to_count(n: int): count
+	function fmt_ftp_port(a: addr, p: port): string
+
+
+0.8a20 Sun Nov 17 20:09:31 PST 2002
+
+- This is the first "public" Bro release (one accessible directly via
+  the Web).  The README has been correspondingly updated.
+
+- The user manual has been significantly expanded, and source for it is
+  now included in the release.
+
+- Some "active mapping" bug fixes (contributed by Umesh Shankar).
+
+- The configuration script now checks for the presence of the necessary
+  BIND libraries/headers, and also for bogus --enable options (contributed
+  by Craig Leres).
+
+- backdoor.bro now includes a tcpdump filter for detecting (some) KaZaA
+  traffic.
+
+- http-reply.bro now tracks the sizes of request/response entities.
+
+- http-request.bro now treats an URL accessing variants of /etc/netconfig
+  as sensitive.
+
+
+0.8a18 Sun Oct 27 15:28:23 PST 2002
+
+- Improvements to the performance of the SMTP analyzer (Ruoming Pang).
+  A new function, skip_smtp_data, skips over the content of an SMTP
+  message.
+
+- If you're doing trace rewriting and specify -w but don't specify -A,
+  then the rewritten traffic goes to the -w save file, along with the
+  usual non-transformed traffic (Ruoming Pang).  If a connection is
+  being transformed (which is specified by the new rewriting_smtp_trace
+  and rewriting_http_trace globals), then only its transformed packets
+  are written to the -w file; not the original packets.  This allows
+  a potentially large degree of trace compression.  There's also a
+  new variable omit_rewrite_place_holder, which directs that when rewriting
+  a trace, packets that are placeholders for now-missing packets (because
+  you've excised content) are *not* generated.  This diminishes the
+  timing fidelity of the transformed trace, but also can save a large
+  amount of space.
+
+- SMTP relay analysis is now standalone from regular SMTP analysis
+  (Ruoming Pang).
+
+- Some memory management and error propagation fixes (Ruoming Pang and
+  Vern Paxson).
+
+
+0.8a16 Wed Oct 23 23:48:40 PDT 2002
+
+- "--enable-brov6" was broken by some recent changes.  It now works again.
+
+- Some "make distclean" tweaks.
+
+- Error checking for "redef enum".
+
+
+0.8a15 Tue Oct 22 00:02:51 PDT 2002
+
+- Fixed Makefile bug which left out wide-spread dependencies on
+  event.bif.netvar_h.
+
+
+0.8a14 Mon Oct 21 01:16:46 PDT 2002
+
+- The "add" statement has been implemented.  This allows you to add
+  elements to sets.  A bunch of policy scripts that used to use
+  "table [] of bool"'s for this purpose have been modified to instead
+  use sets.
+
+- You can now extend the elements of an enum using "redef enum foo += { ... }"
+  where the additional names are listed in the braces (contributed by
+  Umesh Shankar).  A number of policy scripts have been tweaked to use
+  this for the (fairly) new Alert enum.  This allows you to create new
+  Alert's without alert.bro having to know about them.
+
+- Some bugs in identifying error locations have been fixed.
+
+- -A now supports anonymizing IP addresses (contributed by Ruoming Pang).
+  This includes four new functions: preserve_prefix, preserve_subnet, and
+  preserve_net (which direct that the corresponding prefix/net/subnet
+  not be anonymized) and anonymize_addr (which returns the anonymized
+  version of the given address.
+
+- Some bugs in HTTP -A have been fixed (thanks to Ruoming Pang).
+
+- The beginnings of support for CIDR prefixes has been added by
+  Ruoming Pang.
+
+- Porting tweaks (use of map's rather than hash_map's, courtesy of
+  Umesh Shankar; libedit comments fixed).
+
+- http-detail.bro has gone away.
+
+- Some more copyright and $Header -> $Id fixes.
+
+- There is now a function string_cat() which concatenates two strings
+  and returns the result (contributed by Ruoming Pang).  This function
+  is useful in place of the regular cat() because the latter will
+  expand escape sequences etc.  It probably shouldn't, and that may
+  change in the future.
+
+
+0.8a11 Sun Oct 13 10:53:07 PDT 2002
+
+- The framework for defining built-in functions has been extended
+  so it's also now the way to specify the interface to event handlers.
+  See event.bif.  (Contributed by Ruoming Pang)
+
+- A new policy script, http-abstract.bro, can be loaded when doing HTTP
+  transformation (via http-rewriter.bro), contributed by Ruoming Pang.
+  It trims HTTP text responses to the first "http_abstract_max_length" bytes.
+
+- A new built-in, skip_http_entity_data, specifies that the entity
+  associated with the current HTTP request/response should be skipped
+  (Ruoming Pang).
+
+- More changes have been made to the mechanisms for tracking source
+  file locations in order to pinpoint error messages.  If you encounter
+  problems, please let me know.
+
+- If you try to configure but your resolve library lacks res_mkquery(),
+  this is now a fatal error (Craig Leres).  Ideally, someone will modify
+  DNS_Mgr.cc to work even if only blocking DNS is available ...
+
+- In most (not all, yet) of the sources, the copyright notices have
+  been updated, $Header has been changed to $Id, and config.h is included
+  (Craig Leres).
+
+
+0.8a10 Tue Oct  8 16:05:42 PDT 2002
+
+- The way that Bro tracks the source-file location associated with
+  different objects has been tweaked, with a resulting savings of
+  about 10% in Bro's memory use and a smidgen of CPU time, too.
+
+- Built-in functions now are better about identifying source-file locations
+  associated with errors.
+
+- The http.$BRO_ID log file format has changed to no longer track
+  individual request streams.  (So it is now closer to how it used
+  to operate in 0.7.)
+
+- The autoconf setup has been tweaked so that you use:
+
+	--enable-brov6              enable IPV6 processing
+	--enable-activemapping      enable active mapping processing
+	--enable-expire-dfa-states  enable DFA state expiration
+
+  rather than --with-XXX as was the case in 0.8a9.
+
+
+0.8a9 Mon Oct  7 10:15:12 PDT 2002
+
+- A bunch of configuration/autoconf/portability tweaks (Craig Leres).
+  These include compiling under Solaris.
+
+  When running ../configure, you can now specify:
+
+	--with-brov6              enable IPV6 processing
+	--with-activemapping      enable active mapping processing
+	--with-expire-dfa-states  enable DFA state expiration
+
+  You no longer set these via editing the Makefile.
+
+- Some bugs with HTTP 1.0 keep-alive connections fixed (Ruoming Pang).
+
+- The "hf" suite of utilities is no longer distributed in aux/.  Instead,
+  get it directly from ftp://ftp.ee.lbl.gov/hf.tar.gz.
+
+- bro_logchk has been renamed bro-logchk.pl and is now distributed in aux/
+  (it was supposed to be before, but was inadvertantly left out of the list
+  of distribution files).
+
+
+0.8a7 Fri Oct  4 22:24:30 PDT 2002
+
+- HTTP reply analysis has been split into a number of policy script files:
+
+	http-body.bro
+	http-detail.bro
+	http-entity.bro
+	http-event.bro
+	http-header.bro
+	http-reply.bro
+	http-rewriter.bro
+
+  so you can readily trade off how detailed the HTTP processing is vs.
+  the CPU/memory it consumes (contributed by Ruoming Pang).
+
+- Bro now generates login_prompt events when the $TTYPROMPT environment
+  variable is passed during a login session, in order to detect the
+  recently publicized Solaris remote /bin/login exploit.
+
+- Ruoming Pang has extended the framework for defining "rewriter" functions
+  to now also serve as the way to define general built-in functions.
+
+- bro.init has been rearranged to have a more logical structure (courtesy
+  of Ruoming Pang).
+
+- Craig Leres contributed a number of portability & autoconf tweaks.
+
+- Craig Leres has extended nb_dns.{h,c} to support IPv6 DNS lookups.
+  Bro does not yet take advantage of these extensions.
+
+- The beginnings of portability to gcc 3.2 were added.  There unfortunately
+  is more work to do here!
+
+- The README has finally been updated to have more correspondence with
+  the 0.8 release.
+
+
+0.8a6 Wed Oct  2 18:58:12 PDT 2002
+
+- Upgrade to autoconf 2.53 (Craig Leres).
+
+
+0.8a5 Tue Oct  1 19:04:53 PDT 2002
+
+- The regular expression matcher how has a mechanism to stop scanning when
+  no further match is possible (Robin Sommer).  If you find problems with
+  regular expression matching, especially if you're using EXPIRE_DFA_STATES,
+  please let us know!
+
+- Rule/signature files are now searched for using $BROPATH (Robin Sommer).
+  In addition, you can define a list of signature files to incorporate
+  using the new global "signature_files".  For example,
+
+	redef signature_files += "web-stuff"
+
+  will look for web-stuff and web-stuff.sig along $BROPATH.
+
+- The tcp_deliver_undelivered variable is now tcp_match_undelivered and
+  only applies to delivering otherwise-undelivered data to the signature
+  matcher; such data is *not* delivered to any associated analyzer.
+  (Robin Sommer)
+
+- The framework for tracking version numbers now allows negative as
+  well as positive versions (Robin Sommer).
+
+
+0.8a4 Tue Oct  1 15:54:58 PDT 2002
+
+- Support for extracting the contents of HTTP replies (and POST's),
+  and for transforming/anonymizing HTTP traffic, contributed by Ruoming Pang.
+
+- Some minor internal tweaks to the timer management to help track patterns
+  of timer expiration.
+
+
+0.8a3 Mon Sep 23 22:48:07 PDT 2002
+
+- HTTP reply handling refined in policy scripts.
+
+- New built-in functions to_int(), to_count() convert strings to
+  integers/counts.
+
+- Bug fixes for DNS_Mgr and IPv6.
+
+- AckAboveHole alerts now ignored (just written to alert.$BRO_ID) by default.
+
+- Packets belong to ignored connections (for example, partial connections if
+  partial_connection_ok is false) are no longer recorded to the save file.
+
+- Some minor formatting/naming tweaks.
+
+
+0.8a1 Sat Sep 21 22:09:23 PDT 2002
+
+- IPv6 support enabled if you build using -DBROv6.  Deficiencies: Bro
+  doesn't yet look up hostnames for AAAA records; no handling of extension
+  headers (if you have traces of these, please send them to me!); no
+  handling of FTP PORT/PASV w/ IPv6 addresses (again, if you have traces,
+  please send them!); DNS analyzer doesn't understand AAAA yet (again,
+  please send me traces!); you have to change the capture_filter line
+  in tcp.bro (as indicated in the script) in order to process TCP traffic,
+  due to deficiencies in libpcap's support for IPv6.
+
+- Bro is migrating towards a more structured way of handling log messages /
+  alerts.  Analyzers now @load alert.bro, which has a function ALERT()
+  for processing alerts.  Soon this function will provide a variety of
+  filtering/processing hooks; expect changes.
+
+- Bro now has an HTTP response analyzer (contributed by Ruoming Pang).
+  The HTTP policy scripts have been split up into http.bro (just general
+  definitions), http-request.bro (handles requests; loaded by http.bro),
+  http-reply.bro (handles replies; you need to explicitly load this), and
+  http-detail.bro (handles individual headers).  http-reply.bro will be
+  undergoing some significant reworking in the near future; probably the
+  scripts will be merged back into a single http.bro plus http-detail.bro.
+
+- ssl-worm.bro contains a prototype policy script for detecting the
+  Scalper SSL worm (contributed by Robin Sommer).  It uses the signature
+  file sig.ex.ssl-worm.bro.  If someone has traces of Scalper in action
+  to send us, that would be great.
+
+- A new policy script, contents.bro, extracts the contents of each
+  Bro connection into its own pair of files (one file for each
+  direction).  Use in conjunction with -f or discarder_XXX() to
+  extract specific connections.
+
+- A new built-in function, strcmp(), returns the usual comparison between
+  two strings (contributed by Robin Sommer).
+
+- A new event, content_gap(), is generated when Bro detects that it is
+  forced to skip over data in a reconstructed TCP stream because it is
+  missing from the packet input.
+
+- BIND8 is no longer included with the distribution.  If this causes you
+  problems, let me know.
+
+- aux/scripts/bro_logchk is a Perl script for parsing Bro HTTP & FTP logs
+  (contributed by Jim Barlow).
+
+- You can now compare addresses to see which is larger.  a < b means
+  that in network order, the octets making up 'a' are ordered before
+  those for 'b'.  E.g., 128.2.3.4 < 128.2.3.5 < 129.0.0.1.  Note that
+  IPv4 addresses are all < IPv6 addresses (other than IPv4 addresses
+  that are embedded in IPv6 addresses, e.g., ::128.2.3.4 < 128.2.3.5).
+
+- Serious bug in TCP option handling fixed.
+
+- Some bugs in CRLF handling fixed (courtesy Ruoming Pang).
+
+- Bug in the implementation of &optional fixed.
+
+- Bug in computing memory statistics when not reading packets (from
+  an interface or the trace file) fixed.
+
+- You can now include a trailing comma after the last item in an
+  "enum" enumeration list.
+
+- port-name.bro now maps 389/tcp to "ldap".
+
+- A bug has been fixed in loading files multiple times
+
+
+v0.7a175 Thu Aug 29 21:14:34 PDT 2002
+
+- bro -s <file> reads in a *signature* file to search for regular expressions
+  in packet payloads or TCP byte streams (written by Robin Sommer).
+  See policy/rules.bro for an example of a policy script for processing
+  the matches.
+
+  Note that this feature is experimental, and will be evolving in the
+  near future.
+
+- The python script "snort2bro" reads in Snort signatures and translates
+  them into Bro signature rules, suitable for processing using -s.
+
+  An example of its operation is seen by running
+
+	python snort2bro < sig.ex.web-rules.snort
+
+  which, after reading in sig.ex.classification.config and
+  sig.ex.reference.config, generates the output given in
+  sig.ex.web-rules.bro, which is suitable to use as input to
+  bro -s.
+
+- bro -d invokes a gdb-like debugger (written by Umesh Shankar).  You can
+  set breakpoints and watchpoints, examine tracebacks, print Bro expressions,
+  and the like.  Type "help" for on-line help.
+
+- bro -t <tracefile> turns on tracing of the policy script execution,
+  written to the given file.
+
+- Bro now includes an SMTP analyzer, which includes processing MIME
+  message bodies (written by Ruoming Pang).  See smtp.bro and mime.bro
+  for related policy scripts.  smtp.bro includes several experimental
+  techniques for detecting mail relaying.
+
+- You can now define enumerated types, such as
+
+	type scanner_type: enum {
+		SCANNER_STEALTH, SCANNER_HIGH_SPEED, SCANNER_AMBIGUOUS,
+	};
+
+  Enumerated types can be compared for equality with one another, and used
+  as table indices, but cannot be converted to/from integers.
+
+- bro -A <file> invokes an experimental, general trace transformation/
+  anonymization framework (written by Ruoming Pang) which writes a modified
+  tcpdump trace file from the input (which can be the network or another
+  trace file) with potentially extensive modifications to the recorded
+  packets.
+
+  Transformers are built from .rw files (currently, {finger,ftp,ident,smtp}.rw),
+  which are processed by the utility "rwcl" to generate both event engine
+  analyzer components and rewriter policy scripts (for example, after
+  configuring and building Bro, you'll find the scripts
+  policy/{finger,ftp,ident,smtp}.rw.bro).
+
+  See policy/smtp-rewriter.bro for an example of a policy script that
+  performs transformation/anonymization.
+
+- New built-ins:
+
+	split(s: string, p: pattern): string_array;
+
+	  takes a string and splits it into pieces at each occurrence of
+	  the regular expression pattern p.  (The functionality is like
+	  that in awk.)  It returns a string_array, which is a table[count]
+	  of string that is indexed starting at 1, giving the different
+	  pieces.
+
+	  For example,
+
+		split("foobar", /o/)
+
+	  returns a 3-element table, for which [1] is the string "f",
+	  [2] is the string "" (empty), and [3] is the string "bar".
+
+	split1(s: string, p: pattern): string_array;
+
+	  split1() does the same thing as split(), but only performs splitting
+	  at the first occurrence, so it returns either a one-element table
+	  (if the pattern doesn't appear in the string) or a two-element
+	  table.  split1("foobar", /o/) returns a 2-element table for which
+	  [1] is "f" and [2] is "obar".
+
+	md5_hash(s: string): string
+
+	  returns (in human-readable form) the MD5 hash of a given string.
+
+	  So, for example,
+
+		md5_hash("foobar")
+
+	  yields "3858f62230ac3c915f300c664312c63f".
+
+	to_addr(s: string): addr
+
+	  takes a string representing an address in "dotted quad" format
+	  and returns the correponding "addr" value.
+
+	set_buf(f: file, buffered: bool)
+
+	  sets the given file to have its writes buffered or unbuffered
+	  depending on the value of "buffered".  It does not return a value.
+
+	connection_exists: function(c: conn_id): bool
+
+	  returns T if the given connection identifier corresponds to a
+	  currently instantiated connection (one for which the event engine
+	  has state), F otherwise.
+
+	lookup_connection(c: conn_id): connection
+
+	  returns the "connection" record associated with the given
+	  connection identifier, or a fatal run-time error if there
+	  isn't one.
+
+	set_inactivity_timeout(c: conn_id, timeout: interval): interval
+
+	  sets the inactivity timeout for the given connection to the
+	  given interval, returning the old interval.
+
+	  If the interval is non-zero, then when no packets have been
+	  processed for a connection after that much time has elapsed,
+	  the connection is deleted, and an "inactivity_timeout" event
+	  generated.
+
+	get_matcher_stats(): matcher_stats
+
+	  used for gathering statistics about the signature matcher
+
+	rewriting_trace(): bool
+
+	  returns T if -A was specified (anonymize/rewrite a trace),
+	  F otherwise.
+
+- New events:
+
+	connection_state_remove(c: connection);
+
+	  Invoked when the event engine has removed the connection from
+	  its state.
+
+	connection_SYN_packet(c: connection, pkt: SYN_packet);
+
+	  Invoked for each SYN/SYN-ACK packet.
+
+	connection_timeout(c: connection);
+
+	  Invoked when the event engine times out a connection - for
+	  example, because the originator sent a SYN that was never
+	  answered, so the connection was never established.
+
+	connection_reused: event(c: connection);
+
+	  Invoked when the event engine decides that a new SYN for
+	  an existing connection reflects a reuse of the connection
+	  four-tuple, rather than belonging to the existing connection.
+
+- New globals:
+
+	const ignore_checksums = F &redef;
+
+	  If true, then the event engine does not verify checksums (and
+	  hence will not discard packets with bad checksums).
+
+	const tcp_deliver_undelivered = F &redef;
+
+	  If true, then when the event engine closes a connection, if
+	  that connection has a chunk of data not yet delivered to its
+	  analyzer (which only happens if the data is above a sequence
+	  hole, indicating either a packet filter glitch or a protocol
+	  botch), then the undelivered data will at that point be delivered
+	  to the connection's analyzer.
+
+	const tcp_reassembler_ports_orig: set[port] = {} &redef;
+	const tcp_reassembler_ports_resp: set[port] = {} &redef;
+
+	  Sets of ports for which, if a connection has the corresponding
+	  originator/responder port, then the event engine will reassemble
+	  the byte stream of the connection.
+
+	  Normally, the event engine reassembles byte streams for any
+	  connection for which there's an analyzer, and otherwise doesn't.
+	  These variables can be used to force reassembly for the originator
+	  or responder side (respectively) of connections for which there
+	  isn't otherwise an analyzer.  This is useful when doing signature
+	  matching on reassembled byte streams, for protocols that are
+	  not otherwise analyzed by the event engine.
+
+	const table_expire_interval = 1 min &redef;
+
+	  How often to check table entries to see whether they've expired
+	  (see &read_expire, etc., below).
+
+	const requires_trace_commitment = F;
+
+	  If true, then when rewriting/anonymizing traces, nothing will
+	  actually be written to the edited trace file unless you call:
+
+		rewrite_commit_trace(c: connection, commit: bool, future: bool)
+
+	  If "future" is true, then future rewritten packets will be
+	  automatically commited; otherwise, writing them to the trace
+	  file requires another explicit rewrite_commit_trace() call.
+
+	const inactivity_timeout = 0 secs &redef;
+
+	  As noted above, when a connection becomes inactive, time it out
+	  after this interval.  If 0 secs, then don't time it out.
+
+- An SSH analyzer extracts SSH client/server version information.  See
+  ssh.bro for the related policy script.
+
+- There's now a (very) simple TFTP analyzer available in tftp.bro.
+
+- You can now set the global "frag_timeout" to an interval which controls
+  how long fragments are kept before discarding them (contributed by Ashley
+  Thomas).  If you don't set the global, or set it to 0.0 sec, then fragments
+  are kept around indefinitely.
+
+- An implementation of an experimental anti-evasion technique, "active
+  mapping", has been written by Umesh Shankar.  It is not yet ready for
+  general use, and isn't compiled in unless -DACTIVE_MAPPING.
+
+- Four new attributes can now be associated with tables (implemented
+  by Robin Sommer): &read_expire, &write_expire, and &create_expire
+  will delete table entries after a given interval has elapsed since
+  the table entry was last read, written, or created.  For example:
+
+	global a: table[addr] of count &default=0 &create_expire = 5 sec;
+
+  will delete each entry added to it 5 seconds after the entry was added,
+  regardless of subsequent read/write activity to the element.
+
+  &expire_func allows you to associate a function with the table such that
+  whenever an entry expires, the function is invoked.  It's passed the
+  value of the table entry (not the index - perhaps this should be changed),
+  and returns an "interval" value.  If the interval is <= 0.0 seconds, then
+  the table entry is immediately deleted.  Otherwise, it is deleted after
+  the given interval has elapsed.
+
+- When listing multiple attributes, you no longer separate them with
+  commas.  For example, if you used to have:
+
+	global a: table[string] of count &default=0, &redef;
+
+  you now need to use:
+
+	global a: table[string] of count &default=0 &redef;
+
+- You can now construct records using
+
+	[$field1 = <expression>, $field2 = <expression>, ...]
+
+  Such record values can be assigned to other records providing that the
+  target value's type includes all of the fields (same name and type)
+  present in the record value, and that any missing fields have the
+  &optional or &default attribute (see next item).
+
+  You can also include a record value inside the record constructor, and
+  all of its fields will be included in the constructed record value.
+
+- Record fields can now be annotated with &optional, to indicate
+  that the field needn't be present, or &default, which indicates
+  a default value to provide if the field is missing.
+
+- You can query as to whether a record has a value for a given field
+  using the new "?$" operator.  So for example:
+
+	type my_rec: record {
+		num: count &default = 0;
+		msg: string;	# mandatory, since no &optional/&default
+	};
+
+	global r: my_rec;
+
+	r = [$msg = "hello"];
+
+	print r?$num, r?$msg, r$num;
+
+  will print "F, T, 0," because even though 'r' has a default value
+  for $num (which shows up when printing r$num), that field is missing,
+  hence r?$num is F.
+
+- An experimental scheme has been added (by Umesh Shankar) for managing
+  general attributes associated either with all values ("global attributes")
+  or particular particular values.  This scheme is likely to change in
+  the near future, and hence isn't explained here further.
+
+- The DNS analysis now includes ADDL and AUTH records, and much richer
+  policy script analysis (per policy/dns.bro).
+
+- You can now "redef" a function or event handler to override its
+  previous definition.  For a function, this looks like:
+
+	redef log_hook = function(msg: string): bool
+		{
+		...
+		}
+
+  For an event handler, it's just the usual definition preceded by "redef.
+  For example,
+
+	redef event ack_above_hole(c: connection) { }
+
+  would replace the default ack_above_hole handler with one that does nothing.
+
+- HTTP server and HTTP proxy backdoor detectors have been added,
+  generating http_signature_found and http_proxy_signature_found,
+  respectively (contributed by Ruoming Pang).
+
+- A KaZaA backdoor detector has been added, which generates
+  kazaa_signature_found for likely KaZaA connections.
+
+- The new policy scripts flag-irc.bro and flag-warez.bro provide
+  hooks for defining site policies for detecting IRC and access
+  to warez.
+
+- portmapper.bro now tracks the services it sees, and the names are
+  used in connection summaries rather than generic services like port-656.
+
+- bro -C (or redef'ing the "ignore_checksums" global to T) instructs
+  Bro to ignore any checksum errors and go ahead and analyze such packets.
+
+- The (trivial) policy script print-globals.bro dumps out all of the policy
+  script global variables and the amount of memory they consume.
+
+- The policy script code-red.bro has been renamed worm.bro and generalized
+  to detect Nimda as well as Code Red 1 & 2.
+
+- A bunch of additional default sensitive URIs have been added to http.bro.
+  http.bro also now doesn't report worm-related URIs.
+
+- A bunch of less common portnames were removed from port-names.bro.
+
+- Empty regular expressions are now allowed.
+
+- The finger_request event now has a third parameter, the additional
+  text after the username.
+
+- More systematic handling of NULs and CRLF by the event engine.
+
+- Hex escape sequences now must have exactly two hexadecimal characters.
+
+- FYI - work has begun on significantly altering the way that policy
+  scripts generate alerts.
+
+- Work has begun (by Robin Sommer) on a general framework for tracking
+  client/server versions.  See software.bro.
+
+- Work has begun on a NETBIOS analyzer (see NetbiosSSN.cc).  Contributions
+  (e.g., finishing it :-) welcome.
+
+- Work has begun on migrating the internals to process IPv6 in addition
+  to IPv4.
+
+- A number of bug fixes, leaks, and memory allocation lint tweaks.
+
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+v0.7a90 Thu Sep 06 00:50:43 PDT 2001
+
+- Better state management, especially for use in high-volume sites.  There
+  are now a number of ways to track the resources consumed by Bro while it
+  runs, and to reduce the amount of memory Bro consumes.  Adding
+
+	@load print-resources
+
+  will log a summary of the resources consumed by Bro when it exits, and
+
+	@load reduce-memory
+
+  will change a number of default values in order to significantly diminish
+  the amount of memory Bro requires.
+
+  Other ways to lower the required memory discussed in the next three items.
+
+- The global "maintain_http_sessions" now controls whether http.bro tracks
+  multiple HTTP connections between the same hosts as a single HTTP session.
+  Doing so costs a considerable amount of state (so set to F for reducing
+  the memory impact of HTTP analysis).
+
+- The global "suppress_scan_checks", if true, turns off address and port
+  scan detection.  (You can't achieve this by simply not @load'ing scan.bro,
+  because it's loaded by some of the default policy scripts.)  Turning it
+  off can save a lot of memory.
+
+- Note, the ident.bro is also expensive in terms of state-holding.
+
+- New library functions:
+
+	- resource_usage() returns a record detailing real time,
+	  CPU time, memory, other getrusage info, and the current
+	  and maximum number of TCP/UDP/ICMP connections, and
+	  timers and fragments.
+
+	- val_size() returns the size in bytes needed to represent
+	  a given value (which can be a record, a table, or a
+	  simple constant, for example).  It's not fully accurate
+	  but is in the right ballpark.
+
+	- global_sizes() return a table mapping every global
+	  variable to its size (per val_size()).  Useful for
+	  tracking which ones are growing large over time.
+
+- You can now control a number of timers related to Bro's connection
+  management.  Setting them to lower values generally decreases the
+  amount of state Bro has to keep (see reduce-memory.bro), though
+  this can also make it easier for an attacker to evade detection:
+
+	tcp_SYN_timeout: interval
+		Controls how long Bro waits after seeing the
+		beginning of a connection (whether due to a SYN
+		or not; the timer is misnamed) before checking
+		whether it elicited any reply.
+
+	tcp_session_timer: interval
+		After a connection has closed, wait this long for
+		further activity before checking whether to time
+		out its state.
+
+	tcp_connection_linger: interval
+		When checking a closed connection for further
+		activity, Bro should consider it inactive if there
+		hasn't been any for this long.  It also complains
+		if the connection is reused before this much time
+		has elapsed.
+
+	tcp_attempt_delay: interval
+		Bro waits this long upon seeing an initial SYN
+		before timing out the connection attempt.
+
+	tcp_close_delay: interval
+		Upon seeing a normal connection close, Bro flushes
+		state after this much time.
+
+	tcp_reset_delay: interval
+		Upon seeing a RST, Bro flushes state after this
+		much time.
+
+	tcp_partial_close_delay: interval
+		Bro generates a connection_partial_close event this
+		much time after one half of a partial connection
+		closes, assuming there has been no subsequent
+		activity.
+
+	non_analyzed_lifetime: interval
+		If a connection belongs to an application that you
+		aren't analyzing, Bro times it out after this
+		interval.  If 0 secs (default), then it doesn't
+		time it out.
+
+	dns_session_timeout: interval
+	ntp_session_timeout: interval
+	rpc_timeout: interval
+		Bro waits this long before timing out a DNS/NTP/RPC
+		request.
+
+	max_timer_expires: count
+		The maximum number of timers to expire after
+		processing each new packet.  The value trades off
+		spreading out the timer expiration load with
+		possibly having to hold state longer.  A value of 0
+		means "process all expired timers with each new
+		packet".
+
+- Two new flags control other facets of Bro's connection management,
+  and thus state-holding:
+
+	partial_connection_ok: bool
+		Whether Bro should analyze connections for which
+		it doesn't see the beginning, only the middle.
+		This can be very expensive to do in the face of
+		stealth-scanning, which looks like a bunch of
+		partial connections.
+
+		Note, the HTTP analyzer has been modified to
+		now always skip partial connections.  This should
+		instead be user controllable.
+
+	tcp_SYN_ack_ok: bool
+		If true, Bro instantiates connection state when
+		it sees a SYN ack but not the initial SYN (even
+		if partial_connection_ok is false).  The intent
+		behind this knob (which is not well tested) is
+		to allow you to filter out initial SYNs and only
+		react to SYN acks.  This keeps Bro from holding
+		state during SYN scans and SYN flooding, except
+		for when the destination responds.
+
+- Some other miscellaneous thresholds that you can now modify from your
+  policy script:
+
+	heartbeat_interval: count
+		How often to generate net_stats_update() events.
+		This timer really isn't needed any more, since
+		you can use "schedule" to achieve the same effect.
+
+	tcp_storm_thresh: count
+		If Bro sees this many FINs/RSTs in a row, it
+		flags them as a "storm".
+
+	tcp_storm_interarrival_thresh: interval
+		The FINs/RSTs must come with this much time or less
+		between them.
+
+- The state management for line-oriented applications like HTTP requests
+  has been improved.
+
+- The HTTP analyzer now expands %hex sequences.  If anyone has a Unicode
+  expander to contribute, that'd be terrific.
+
+- The Code Red detection is more robust (fewer false positives).
+
+- A new redefinable variable, skip_services, lists applications that should
+  not be analyzed for purposes of detecting scans.  (Default:  ident)
+  The point of having this (poorly named) hook is so that code-red.bro
+  can add "http" to it, to avoid reporting the zillions of Code Red scans
+  that a site can see.
+
+- Bro now matches regular expressions using lazy DFA evaluation.  The upshot
+  of this is (1) it no longer maintains .bro-RE-cache.v1, (2) it starts
+  up fast regardless of whether you've added new regular expressions, (3)
+  you can afford to add lots of regular expressions, and (4) it's actually
+  a bit faster.
+
+- The list of "hot_ids" has been expanded with a number of other common
+  root-privileged accounts.
+
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+v0.7a61 Fri Apr 06 14:51:47 PDT 2001
+
+- An NTP analyzer has been added.  See policy/ntp.bro for a corresponding
+  policy file that detects the newly discovered NTP remote buffer overflow
+  attack.
+
+- example-attacks/ is a new directory that contains trace files of attacks.
+  Currently, there are just two to play with:
+
+	bro -r example-attacks/ftp-site-exec.trace mt
+
+  will run on a trace of a "site exec" overflow attack, and
+
+	bro -r example-attacks/ntp-attack.trace mt ntp
+
+  will run on an example of the NTP overflow.
+
+- The doc/ directory includes the postscript and HTML versions of the
+  first draft of the Bro manual.
+
+- A new policy file, icmp.bro, has preliminary (and only partially developed)
+  policy for analyzing ICMP.
+
+- The file libpcap.bufsize.patch includes the patch necessary on some systems
+  to increase the maximum libpcap buffer size.
+
+- You can now use anonymous functions in &default expressions, so for
+  example you can do:
+
+	global foo: table[count] of string = {
+		[1] = "1st", [2] = "2nd", [3] = "3rd",
+	} &default = function(n: count): string { return fmt("%dth", n); };
+
+  and then referring to foo[5] will yield "5th".
+
+- There's now a "for" statement to iterate over the indices of a table
+  or the members of a set:
+
+	for ( i in foo )
+
+  for the above "foo" will iterate with i assigned to 1, 2, and 3; *but
+  not in general in that order*.
+
+- The function contains_string() has been removed, and now you can instead
+  use an expression like
+
+	"bar" in "foobar"
+
+  which will yield T.
+
+- The scan detection now has a mechanism for attempting to detect SYN flooding
+  backscatter and flagging it as different from a stealth scan.
+
+- New event handlers:
+
+	new_connection_contents()
+		like new_connection(), but reassembles the
+		stream so you can use set_content_files() to
+		write it to a file
+
+	udp_session_done()
+		invoked when a UDP session (which is defined on
+		a per-protocol basis; currently only for NTP)
+		finishes.
+
+	ntp_message()
+		invoked for each NTP message
+
+- UDP processing now does accounting for detecting scans.
+
+- UDP processing now tracks numbers of requests/replies for sessions that
+  support that notion.  The connections are annotated by udp_session_done()
+  with "[m,n]" for "m" requests and "n" replies, providing either m or n > 1.
+
+- New variable accessible from policy:
+
+	watchdog_interval
+		how often the watchdog should check for whether
+		Bro is making internal progress
+
+- A bunch of functions no longer have a first argument of the current time;
+  get it instead from network_time() if you need it:
+
+	authentication_accepted
+	authentication_rejected
+	conn_weird
+	conn_weird_addl
+	flow_weird
+	net_weird
+
+- A bunch of functions now return bool rather than int values:
+
+	set_contents_file
+	set_login_state
+	set_record_packets
+	skip_further_processing
+
+- The variable "hot_dests" has been renamed to "hot_dsts".
+
+- 111/tcp is now identified as "portmap" rather than "rpc".
+
+- Connections flagged as hot for some types of characteristics are now
+  annotated with the reason associated with the decision.  (I think a lot
+  more of this is needed.)
+
+- Portmapper dumps are annotated with the results of the mapping.  This
+  will be streamlined in the future.
+
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+v0.7a48 Wed Sep 13 14:37:30 PDT 2000
+
+- Changes between this release and v0.6 missing :-(
+
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+v0.6 Wed Jul 21 17:02:50 PDT 1999
+
+- Support for regular expressions added.  You specify lex-style regular
+  expressions between '/'s, for example "/\/etc\/(passwd|shadow)/" has
+  the type "pattern" and matches /etc/passwd or /etc/shadow (the slashes
+  in the pattern need to be escaped or else they'd delimit the end of the
+  pattern).  Pattern-matching is via the "in" operator, so for example:
+
+	if ( filename in /\/etc\/(passwd|shadow)/ )
+		sensitive_file_access(filename);
+
+  or
+
+	const sensitive_files = /\/etc\/(passwd|shadow)/;
+
+	...
+
+	if ( filename in sensitive_files )
+		sensitive_file_access(filename);
+
+  Presently the "in" operator requires that the entire left-hand side
+  be matched by the pattern.  So, for example, if you want to find the
+  string "eggdrop" anywhere inside the string "line", you would use
+
+	if ( line in /.*eggdrop.*/ )
+
+  If you leave off either of the .*'s, then eggdrop will only be matched
+  at the beginning or end of the line.
+
+  In the future, there will be mechanisms for specifying whether you
+  want to match anywhere in a line, or anchored; accordingly, *the above
+  syntax is subject to change*.
+
+  Bro compiles regular expressions into DFAs for fast matching.  This can take
+  quite a bit of time for complicated patterns.  Consequently, it maintains a
+  cache of compiled regular expressions in $HOME/.bro-RE-cache-v1.  You can
+  always safely remove this file; Bro will recreate/repopulate it as needed.
+  It does not clean up unused entries from it, so if you change your patterns
+  frequently, you will accumulated lots of old ones and should delete the
+  file to garbage collect them.
+
+- An rlogin analysis module has been added and the telnet analysis
+  generalized to generic "login" analysis, with the following events:
+
+	login_failure(c: connection, user: string, client_user: string,
+			password: string, line: string)
+		Generated on a failed attempt to log in.  client_user is
+		the remote user name, if the login is via the rlogin
+		protocol.
+	login_success(c: connection, user: string, client_user: string,
+					password: string, line: string)
+		Generated on a successful attempt to log in.
+
+	login_input_line(c: connection, line: string)
+		Generated per line of input typed by the user.
+	login_output_line(c: connection, line: string)
+		Generated per line of output generated by the server.
+
+	login_confused(c: connection, msg: string, line: string)
+		Generated when a login dialog confuses the heuristic
+		analyzer.  msg is a tag for the state mismatch that
+		was unexpected, line is the corresponding dialog text.
+
+	login_confused_text(c: connection, line: string)
+		Once a connection is in the confused state, then this
+		is generated for each subsequent line.
+
+	login_terminal(c: connection, terminal: string)
+		Generated if the terminal type associated with the
+		connection is seen.
+
+	login_display(c: connection, display: string)
+		Generated if the display associated with the connection
+		is seen.
+
+	excessive_line(c: connection)
+		Generated when the connection has produced an excessively
+		long line.
+
+  login_input_line() and login_output_line() are very powerful for
+  detecting intrusions, when coupled with regular-expression matching.
+
+  login_terminal() is used to detect backdoors that are triggered
+  by the terminal environment variable.
+
+- An ident analysis module has been added (port 113).  It generates
+  ident_request, ident_reply, and ident_error events.  Port 113 used
+  to be referred to as "auth"; now it's referred to as "ident".
+
+- A new type of scan detection has been added, which is triggered
+  by a remote host trying a large number of username/password
+  combinations.  See the account_tried() function in scan.bro.
+
+- The default search path for .bro files is now
+
+	  .:priv-policy:policy:pub-policy:/usr/local/lib/bro
+
+  where priv-policy/ is intended for private policy and pub-policy/
+  for public policy.  The Bro alpha distribution ships with a
+  sample set of pub-policy scripts.
+
+- New built-ins:
+
+	system(s: string): int
+		executes the given shell command using system()
+		and returns its status.
+
+	set_contents_file(c: conn_id, direction: count, f: file)
+		copies connection c's reassembled byte stream in
+		either the originator-to-responder direction (if
+		direction is CONTENTS_ORIG) or the responder-to-
+		originator direction (CONTENTS_RESP) to the file f.
+
+	reading_live_traffic(): bool
+		returns true if Bro is running on live traffic (read
+		from a network interface), false if it's reading from
+		a save file.
+
+	mkdir(f: string): bool
+		creates the given directory, returning true if it
+		was able to, false if not.
+
+	get_orig_seq(c: conn_id): count;
+		returns the highest sequence number sent by the
+		originator of connection c.
+	get_resp_seq(c: conn_id): count;
+		same for c's responder.
+
+- Additional new events (other than those related to the new analyzers):
+
+	new_connection(c: connection)
+		is generated whenever a new connection is seen.
+
+	partial_connection(c: connection)
+		is generated whenever a new partial connection (one
+		that doesn't begin with a SYN handshake) is seen.
+
+	pm_bad_port(r: connection, bad_p: count)
+		is generated when a portmapper response contains
+		a bad port number.
+
+- Functions, tables and sets can now be assigned.  Assignment is
+  made by reference to the underlying object.
+
+- Bro no longer looks up identifiers using getservbyname() to see if they
+  should be interpreted as port numbers, since this led to portability
+  problems.  Instead, a number of constants are defined in bro.init:
+  bgp, domain, finger, ftp, gopher, http, ident, rlogin, smtp, ssh and telnet,
+
+- Bro now supports an arbitrary number of open files (not bound by
+  the system's limit on file descriptors).
+
+- There's now a finger_reply event to go with finger_request.
+
+- A bunch more RPC service names have been added, thanks to Job de Haas
+  and others.
+
+- A bug has been fixed in the watchdog handling that caused it to
+  sometimes expire after a period of network inactivity.
+
+- The Bro paper in doc/ has been revised (it isn't quite up-to-date,
+  but considerably closer than the USENIX version).
+
+- There has been a large amount of reworking of the internals, both
+  to Bro itself and in the policy scripts.  If you find something you're
+  wondering about, feel free to send me mail asking about it.
+
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+v0.5 Sun Oct  4 00:19:35 PDT 1998
+
+- Added Linux support.
+
+- Major autoconf changes.
+
+- Some tweaks to suppress g++ warnings.
+
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+v0.4 Fri Sep 11 00:08:04 PDT 1998
+
+- The new aux/ directory has some utility programs and scripts.
+  See aux/README for details.
+
+- Documentation (though exceedingly limited) describing the connection
+  log summaries generated by policy/tcp.bro now available in doc/conn-logs.
+
+- The Telnet username recognition code has been heavily reworked and is
+  now significantly more robust.
+
+- A new policy file, policy/scan.bro, detects port and address scanning.
+
+- Bro now detects the "Land" attack (a trivial addition to its spoof
+  detection).
+
+- The distribution now comes with BIND 8.1.2.
+
+- A new flavor of "weird" event has been added, flow_weird, for unusual
+  events associated with <src IP addr, dst IP addr> flows (i.e., a coarser
+  granularity than TCP or UDP connections).
+
+- Bro now reassembles fragments, checking for overlaps and consistency.
+  Associated with fragments are the following flow_weird's:
+
+	excessively_large_fragment
+	excessively_small_fragment
+	fragment_inconsistency
+	fragment_overlap
+	fragment_protocol_inconsistency
+	fragment_size_inconsistency
+	fragment_with_DF
+	incompletely_captured_fragment
+
+- The TCP stream reassembly code was rewritten to share functionality
+  with the new fragment reassembly code.
+
+- If a handler for it is present, then Bro will generate "packet_contents"
+  events containing the contents of each packet it receives.  This is just
+  for experimenting with, and, in particular, this event does *not* reflect
+  TCP stream reassembly.
+
+- The handling of "conn_weird" events in tcp.bro now has more options.
+  In the weird_action table, WEIRD_LOG_ALWAYS means that the weird event
+  should always be logged; WEIRD_LOG_PER_CONN means that it should be
+  logged once per connection; and WEIRD_LOG_PER_ORIG that it should be
+  launched once per originator IP address.
+
+- The example hot.bro now includes provisions for flagging sensitive
+  inbound and outbound services.
+
+- Bro now limits the number of events processed when draining the event
+  queue after processing a packet.  This makes Bro less prone to packet
+  loss during high-speed scans.
+
+- The line-oriented TCP endpoint class was split into TCP_EndpointLine,
+  which supports the line-oriented functionality, and TCP_NVT (derived
+  from TCP_EndpointLine), which implements the Network Virtual Terminal
+  used by Telnet and FTP.
+
+- The TCP_NVT class now understands the Telnet Environment option.
+
+- Escape sequences are now '\' followed by 1 or more octal digits,
+  instead of excatly three octal digits (which is error prone).
+
+- If the watchdog timer expires, it now reports the number of events
+  processed in the current batch of packets, as well as other timing
+  information.
+
+- Bro now should not report packet drops that occur after it has begun
+  to exit (these can occur when draining the pending event queue takes
+  a while).
+
+- Bro now detects TCP acknowledgements that occur above a sequence
+  hole, generating an ack_above_hole event.  Nominally, this indicates
+  packet filter drops, but in fact some buggy TCPs manage to do this :-(.
+
+- Fledgling HTTP support added.  An http_request event is generated when
+  a new HTTP request is seen, and http_stats is generated when an HTTP
+  connection terminates, giving (uninteresting to most people) statistics
+  concerning the request(s).  A lot more is needed: parsing persistent
+  connections and HTTP replies, for one.  This is just a start.  A stub
+  for http_reply exists but these events are not presently generated.
+
+- Ported to Linux (thanks to Pascal Bouchareine).
+
+- A bug in to_lower() and to_upper() was fixed.
+
+- The reporting for unexpected FTP connections now more directly
+  identifies the corresponding FTP session.
+
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+v0.3 Fri Feb 13 19:59:39 PST 1998
+
+- Timers are now implemented using calendar queues rather than priority
+  queues (with thanks to Craig Leres).
+
+- The new byte_len() built-in returns the length of a string interpreted
+  as a set of bytes (including any NUL bytes, especially the final one
+  for a typical string).
+
+- The new sub_bytes() built-in extracts a subset of a string interpreted
+  as a set of bytes (i.e., immune to any embedded NULs).
+
+- Fixed bad interaction with the latest version of libpcap that on some
+  BPF systems would cause Bro to exit any time a little bit of time went by
+  without any traffic matching its filter.
+
+- A bug with constant-folding of the ?: operator has been fixed.
+
+- A new "conn_stats" event delivers statistical analysis (number of packets
+  transmitted, retransmitted, out-of-order, replicated) of each connection.
+  If you define a handler for it, then *no* other TCP processing is done.
+  This was added for off-line analysis of traces with large numbers of
+  connections in them.
+
+- Some minor portability tweaks.
+
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+v0.2 Sat Oct 25 11:22:37 PDT 1997
+
+- Added autoconf support, thanks to Scott Denton.
+
+- Ported to FreeBSD, Solaris.
+
+- Fixed a bug in which partial connections were ignored even for
+  protocols (e.g., FTP) that can make use of partial dialogs.
+
+- Included BIND version 8 sources directly in the distribution.
+
+- Better usage() information (again thanks to Scott), -h and -v flags.
+
+- README, CHANGES files created.
diff --git a/COPYING b/COPYING
new file mode 100644
index 0000000000..f4bafa114c
--- /dev/null
+++ b/COPYING
@@ -0,0 +1,49 @@
+Copyright (c) 1995-2008, The Regents of the University of California,
+through Lawrence Berkeley National Laboratory. All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+(1) Redistributions of source code must retain the above copyright notice,
+    this list of conditions and the following disclaimer.
+
+(2) Redistributions in binary form must reproduce the above copyright
+    notice, this list of conditions and the following disclaimer in the
+    documentation and/or other materials provided with the distribution.
+
+(3) Neither the name of the University of California, Lawrence Berkeley
+    National Laboratory, U.S. Dept. of Energy, International Computer
+    Science Institute, nor the names of contributors may be used to endorse
+    or promote products derived from this software without specific prior
+    written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
+LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGE.
+
+Note that some files in the Bro distribution carry their own copyright
+notices.  The above applies to the Bro scripts in policy/ (other than as
+noted below) and the source files in src/ , other than:
+
+	policy/sigs/p0fsyn.osf
+	src/H3.h
+	src/OSFinger.cc
+	src/OSFinger.h
+	src/bsd-getopt-long.c
+	src/bsd-getopt-long.h
+	src/md5.c
+	src/md5.h
+	src/patricia.c
+	src/patricia.h
+
+In addition, the build components such as Makefile.in, acinclude.m4, and
+others have separate copyrights, as do a number of the elements in the
+aux/ subdirectory and in scripts/s2b/snort_rules2.2/ .
diff --git a/ChangeLog b/ChangeLog
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/Checklist-for-Release b/Checklist-for-Release
new file mode 100644
index 0000000000..f5f477f766
--- /dev/null
+++ b/Checklist-for-Release
@@ -0,0 +1,42 @@
+- Make sure BroV6 works.
+
+- Make sure --enable-int64 builds w/o warnings.
+
+- Update TODO-For-Next-Release.
+
+- Build distribution on a system with an up-to-date yacc (MacOS suffices).
+
+- make distcheck
+
+- Edit CHANGES to final version.
+
+- Fix VERSION to final value.
+
+- Update version info (and perhaps other stuff) in README.
+
+- Check everything in.
+
+- Make an SVN branch for the release:
+
+    svn cp svn+ssh://svn.icir.org/bro/trunk \
+	    svn+ssh://svn.icir.org/bro/releases/release_1_X
+
+- scp bro-XXX.tar.gz crd.lbl.gov:/ftp/BROIDS/
+  scp CHANGES crd.lbl.gov:/ftp/BROIDS/bro-change-log.txt
+
+- Fix symlinks on crd:
+
+	bro-1.X-release.tar.gz
+	bro-1.X-current.tar.gz
+	bro-1.<n>-release.tar.gz
+
+- Update crd:/www/BROIDS/download.html to reflect new version.  This page
+  is generated from trunk/bro-web/download.xml.  Edit this file, and also
+  update the (web page) version in build.xml, the copyright year in
+  navigation.xml, and create a news entry in news.xml.
+
+  Type 'ant style' on a machine with 'ant' installed, and copy
+  html/*.html to crd.lbl.gov:/www/BROIDS/ .
+
+- Send email to bro@bro-ids.org.  Look for "release now available" in
+  previous messages as a template.
diff --git a/FILES.bin b/FILES.bin
new file mode 100644
index 0000000000..f0b07e4bec
--- /dev/null
+++ b/FILES.bin
@@ -0,0 +1,3 @@
+README
+VERSION
+bro
diff --git a/INSTALL b/INSTALL
new file mode 100644
index 0000000000..0e71d2bfe3
--- /dev/null
+++ b/INSTALL
@@ -0,0 +1,104 @@
+Prerequisites
+=============
+
+Bro relies on the following libraries and tools, which need to be installed
+before you begin with the installation:
+
+    * Libpcap
+	   If libpcap is already installed on the system, by default Bro
+	   will use that one.  Otherwise, it falls back to a version shipped
+	   with the Bro distribution.
+
+    * Flex
+	   Flex is already installed on most systems, so with luck you can
+	   skip having to install it yourself.
+
+    * Bison or byacc
+	   These come with many systems, but if you get errors compiling
+	   parse.y, you will need to install them.  bison is available
+	   from GNU sites such as ftp.gnu.org.
+
+    * BIND8 headers and libraries
+           These are usually already installed as well.
+
+    * Autotools
+	   If you have checked the source out from Bro's Subversion
+	   repository, you need the autotools suite installed.  In this
+	   case, run "./autogen.sh" first right after the check out.
+	   Otherwise the installation steps below will fail.
+
+Bro can also make uses of some optional libraries if they are found at
+installation time:
+
+    * OpenSSL
+           For analysis of SSL certificates by the HTTP analyzer, and 
+           for encrypted Bro-to-Bro communication.
+
+    * Libmagic
+           For identifying file types (e.g., in FTP transfers).
+           
+    * LibGeoIP
+           For geo-locating IP addresses.
+           
+    * Libz
+	   For decompressing HTTP bodies by the HTTP analyzer, and for
+	   compressed Bro-to-Bro communication.
+
+    * Endace's DAG tools:
+           For native support of Endace DAG cards.
+
+
+Installation
+============
+
+To build and install into /usr/local:
+
+	> ./configure
+	> make
+	> make install
+
+This will install the Bro binary into /usr/local/bin/bro and the policy
+files into /usr/local/share/bro.
+
+As usual you can specify a different installation directory with
+
+   > ./configure --prefix=<dir>".
+
+Run "./configure --help" for more options. 
+
+
+Running Bro
+===========
+
+Bro is a complex program and it takes a bit of time to get familiar
+with it.  In the following we give a few simple examples.  See
+http://www.bro-ids.org/wiki for more information.
+
+To run a policy file from /usr/local/share/bro, such as mt.bro, on a
+previously captured tcpdump save file named foo:
+
+	bro -r foo mt.bro
+
+To run from interface le0:
+
+	bro -i le0 mt
+
+You can alternatively specify interface and scripts to load in your own
+policy file:
+
+	@load mt
+	redef interfaces = "le0";
+
+and then run
+
+    bro ./my-policy.bro
+
+You can see the BPF filter Bro will use (if not overridden) by executing
+
+	bro mt print-filter
+
+To run interactively (e.g., for playing with expression evaluation):
+
+	bro
+
+"bro -h" lists the various options.
diff --git a/Makefile.am b/Makefile.am
new file mode 100644
index 0000000000..bdbdc25ef5
--- /dev/null
+++ b/Makefile.am
@@ -0,0 +1,64 @@
+## Process this file with automake to produce Makefile.in
+
+# snag the whole linux-include directory
+EXTRA_DIST = CHANGES README VERSION shtool linux-include \
+	autogen.sh depcomp ylwrap
+
+# When running distcheck, make sure we skip building GtkDoc-based
+# documentation. This applies to Broccoli only, and needs to be
+# duplicated here because DISTCHECK_CONFIGURE_FLAGS isn't otherwise
+# noticed.
+#
+DISTCHECK_CONFIGURE_FLAGS = --disable-gtk-doc
+
+chown = @CHOWN@
+
+# aux before src so we compile the libpcap
+SUBDIRS = aux src scripts policy doc
+
+test:
+	( cd ../testing && $(MAKE) test )
+
+install-broctl:
+	$(MAKE) install
+	( cd aux/broctl && $(MAKE) install-broctl )
+
+# Deprecated. Don't use. 
+install-brolite:
+	$(MAKE) install
+	$(INSTALL) -d $(prefix)/logs
+	$(INSTALL) -d $(prefix)/archive
+	$(INSTALL) -d $(prefix)/var
+	( cd scripts && $(MAKE) install-brolite )
+	( cd aux && $(MAKE) install-brolite )
+	- @CHOWN@ -R `cat scripts/bro_user_id` ${prefix}/
+	@echo "*********************************************************"
+	@echo "Please run \"${prefix}/etc/bro.rc --start\" to start bro"
+	@echo "*********************************************************"
+
+docs:
+	( cd doc && $(MAKE) doc )
+
+doc-install:
+	( cd doc && $(MAKE) doc-install )
+
+update:
+	( cd scripts && $(MAKE) update )
+	( cd policy && $(MAKE) install )
+
+update-sigs:
+	(cd scripts && $(MAKE) update-sigs )
+
+reports:
+	( cd scripts && $(MAKE) reports )
+
+# make sure we don't leak CVS/SVN or private policy files
+dist-hook:
+	rm -rf `find $(distdir) -name CVS`
+	rm -rf `find $(distdir) -name .svn`
+	rm -rf $(distdir)/policy/local 
+
+release:
+	./autogen.sh
+	./configure
+	$(MAKE) distcheck
diff --git a/NEWS b/NEWS
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/README b/README
new file mode 100644
index 0000000000..160aea36b7
--- /dev/null
+++ b/README
@@ -0,0 +1,36 @@
+This is release 1.5 of Bro, a system for detecting network intruders in
+real-time using passive network monitoring.
+
+Please see the file INSTALL for installation instructions and some examples
+on how to run Bro.  For more documentation, see the Bro Wiki:
+
+  http://www.bro-ids.org/wiki/index.php/User_Manual
+
+Please note that this documentation is preliminary and still missing pieces.
+PDF and HTML versions of older versions of the manuals are also available
+in the doc/ directory.
+
+There's also in doc/misc/conn-logs/ a brief summary of the connection logs
+generated by the sample policy scripts (which are in policy/).
+
+Numerous other Bro-related publications, including a paper describing the
+system, can be found at
+
+  http://www.bro-ids.org/publications.html
+
+Some auxiliary scripts and utilities are available in the aux/ directory.
+Note that these are not installed by default.
+
+Send comments, etc., to the Bro mailing list, bro@bro-ids.org.  However,
+please note that you must first subscribe to the list in order to be able
+to post to it.
+
+- Vern Paxson & Robin Sommer, on behalf of the Bro development team
+
+Lawrence Berkeley National Laboratory
+University of California, Berkeley  USA
+
+ICSI Center for Internet Research (ICIR)
+International Computer Science Institute
+Berkeley, CA  USA
+vern@icir.org / robin@icir.org
diff --git a/TODO-For-Next-Release b/TODO-For-Next-Release
new file mode 100644
index 0000000000..e8985b669e
--- /dev/null
+++ b/TODO-For-Next-Release
@@ -0,0 +1,9 @@
+Plan for 1.6:
+	Originally, with 1.5 we were going to start working with --use-binpac
+	as the default.  However, this has been deferred pending development
+	of BinPAC++.  We might however turn on BinPAC for the SSL analyzer,
+	for which the BinPAC version is more robust.  It, though, doesn't
+	support storing certs to disk, which some folks use operationally.
+
+	Given DPD means we might not filter traffic anyway, we no longer
+	have such a good excuse for not dealing with IPv6 options.
diff --git a/VERSION b/VERSION
new file mode 100644
index 0000000000..dcfb77b1f4
--- /dev/null
+++ b/VERSION
@@ -0,0 +1 @@
+1.5.2.7
diff --git a/acinclude.m4 b/acinclude.m4
new file mode 100644
index 0000000000..b8554a299b
--- /dev/null
+++ b/acinclude.m4
@@ -0,0 +1,1007 @@
+dnl @(#) $Id: acinclude.m4 6084 2008-08-27 16:13:23Z vern $ (LBL)
+dnl
+dnl Copyright (c) 1995, 1996, 1997, 1998, 1999, 2002, 2003
+dnl	The Regents of the University of California.  All rights reserved.
+dnl
+dnl Redistribution and use in source and binary forms, with or without
+dnl modification, are permitted provided that: (1) source code distributions
+dnl retain the above copyright notice and this paragraph in its entirety, (2)
+dnl distributions including binary code include the above copyright notice and
+dnl this paragraph in its entirety in the documentation or other materials
+dnl provided with the distribution, and (3) all advertising materials mentioning
+dnl features or use of this software display the following acknowledgement:
+dnl ``This product includes software developed by the University of California,
+dnl Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
+dnl the University nor the names of its contributors may be used to endorse
+dnl or promote products derived from this software without specific prior
+dnl written permission.
+dnl THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
+dnl WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
+dnl MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
+dnl
+dnl LBL autoconf macros
+dnl
+
+dnl
+dnl Define RETSIGTYPE and RETSIGVAL
+dnl
+dnl usage:
+dnl
+dnl	AC_LBL_TYPE_SIGNAL
+dnl
+dnl results:
+dnl
+dnl	RETSIGTYPE (defined)
+dnl	RETSIGVAL (defined)
+dnl
+AC_DEFUN([AC_LBL_TYPE_SIGNAL],
+    [[AC_BEFORE([$0], [AC_LBL_LIBPCAP])
+    AC_TYPE_SIGNAL
+    if test "$ac_cv_type_signal" = void ; then
+	    AC_DEFINE(RETSIGVAL,,[signal function return value])
+    else
+	    AC_DEFINE(RETSIGVAL,(0))
+    fi
+    case "$target_os" in
+
+    irix*)
+	    AC_DEFINE(_BSD_SIGNALS,,[irix's BSD style signals])
+	    ;;
+
+    *)
+	    dnl prefer sigset() to sigaction()
+	    AC_CHECK_FUNCS(sigset)
+	    if test $ac_cv_func_sigset = yes ; then
+		    AC_DEFINE(signal,sigset,[use sigset() instead of signal()])
+	    else
+		    AC_CHECK_FUNCS(sigaction)
+	    fi
+	    ;;
+    esac]])
+
+dnl
+dnl Determine which compiler we're using (cc or gcc)
+dnl If using gcc, determine the version number
+dnl If using cc, require that it support ansi prototypes
+dnl If using gcc, use -O2 (otherwise use -O)
+dnl If using cc, explicitly specify /usr/local/include
+dnl
+dnl usage:
+dnl
+dnl	AC_LBL_C_INIT(copt, incls)
+dnl
+dnl results:
+dnl
+dnl	$1 (copt set)
+dnl	$2 (incls set)
+dnl	CC
+dnl	LDFLAGS
+dnl	LBL_CFLAGS
+dnl
+AC_DEFUN([AC_LBL_C_INIT],
+    [AC_PREREQ(2.12)
+    AC_BEFORE([$0], [AC_PROG_CC])
+    AC_BEFORE([$0], [AC_LBL_FIXINCLUDES])
+    AC_BEFORE([$0], [AC_LBL_DEVEL])
+    AC_ARG_WITH(gcc, [  --without-gcc           don't use gcc])
+    $1="-O"
+    $2=""
+    if test "${srcdir}" != "." ; then
+	    $2='-I$(srcdir)'
+    fi
+    if test "${CFLAGS+set}" = set; then
+	    LBL_CFLAGS="$CFLAGS"
+    fi
+    if test -z "$CC" ; then
+	    case "$target_os" in
+
+	    bsdi*)
+		    AC_CHECK_PROG(SHLICC2, shlicc2, yes, no)
+		    if test $SHLICC2 = yes ; then
+			    CC=shlicc2
+			    export CC
+		    fi
+		    ;;
+	    esac
+    fi
+    if test -z "$CC" -a "$with_gcc" = no ; then
+	    CC=cc
+	    export CC
+    fi
+    AC_PROG_CC
+    if test "$GCC" != yes ; then
+	    AC_MSG_CHECKING(that $CC handles ansi prototypes)
+	    AC_CACHE_VAL(ac_cv_lbl_cc_ansi_prototypes,
+		AC_TRY_COMPILE(
+		    [#include <sys/types.h>],
+		    [int frob(int, char *)],
+		    ac_cv_lbl_cc_ansi_prototypes=yes,
+		    ac_cv_lbl_cc_ansi_prototypes=no))
+	    AC_MSG_RESULT($ac_cv_lbl_cc_ansi_prototypes)
+	    if test $ac_cv_lbl_cc_ansi_prototypes = no ; then
+		    case "$target_os" in
+
+		    hpux*)
+			    AC_MSG_CHECKING(for HP-UX ansi compiler ($CC -Aa -D_HPUX_SOURCE))
+			    savedcflags="$CFLAGS"
+			    CFLAGS="-Aa -D_HPUX_SOURCE $CFLAGS"
+			    AC_CACHE_VAL(ac_cv_lbl_cc_hpux_cc_aa,
+				AC_TRY_COMPILE(
+				    [#include <sys/types.h>],
+				    [int frob(int, char *)],
+				    ac_cv_lbl_cc_hpux_cc_aa=yes,
+				    ac_cv_lbl_cc_hpux_cc_aa=no))
+			    AC_MSG_RESULT($ac_cv_lbl_cc_hpux_cc_aa)
+			    if test $ac_cv_lbl_cc_hpux_cc_aa = no ; then
+				    AC_MSG_ERROR(see the INSTALL doc for more info)
+			    fi
+			    CFLAGS="$savedcflags"
+			    $1="-Aa $$1"
+			    AC_DEFINE(_HPUX_SOURCE,,[HP-UX ansi compiler])
+			    ;;
+
+		    *)
+			    AC_MSG_ERROR(see the INSTALL doc for more info)
+			    ;;
+		    esac
+	    fi
+	    $2="$$2 -I/usr/local/include"
+	    LDFLAGS="$LDFLAGS -L/usr/local/lib"
+
+	    case "$target_os" in
+
+	    irix*)
+		    $1="$$1 -xansi -signed -g3"
+		    ;;
+
+	    osf*)
+		    $1="$$1 -std1 -g3"
+		    ;;
+
+	    ultrix*)
+		    AC_MSG_CHECKING(that Ultrix $CC hacks const in prototypes)
+		    AC_CACHE_VAL(ac_cv_lbl_cc_const_proto,
+			AC_TRY_COMPILE(
+			    [#include <sys/types.h>],
+			    [struct a { int b; };
+			    void c(const struct a *)],
+			    ac_cv_lbl_cc_const_proto=yes,
+			    ac_cv_lbl_cc_const_proto=no))
+		    AC_MSG_RESULT($ac_cv_lbl_cc_const_proto)
+		    if test $ac_cv_lbl_cc_const_proto = no ; then
+			    AC_DEFINE(const,,[ultrix can't hack const])
+		    fi
+		    ;;
+	    esac
+    fi
+])
+
+dnl AC_LBL_ENABLE_CHECK(brov6 activemapping expire-dfa-states)
+dnl
+dnl This allows us to check for bogus configure enable/disable
+dnl command line options
+dnl
+dnl usage:
+dnl
+dnl	AC_LBL_ENABLE_CHECK(opt ...)
+dnl
+AC_DEFUN([AC_LBL_ENABLE_CHECK],
+    [set |
+	sed -n -e 's/^enable_\([[^=]]*\)=[[^=]]*$/\1/p' |
+	while read var; do
+	    ok=0
+        for o in option_checking m4_translit([$1], -, _); do
+		    if test "${o}" = "${var}" ; then
+			    ok=1
+			    break
+		    fi
+	    done
+	    if test ${ok} -eq 0 ; then
+		    # It's hard to kill configure script from subshell!
+		    AC_MSG_ERROR(unknown enable option: ${var})
+		    exit 1
+	    fi
+	done
+	if test $? -ne 0 ; then
+		exit 1
+	fi])
+
+dnl
+dnl Use pfopen.c if available and pfopen() not in standard libraries
+dnl Require libpcap
+dnl Look for libpcap in ..
+dnl Use the installed libpcap if there is no local version
+dnl
+dnl usage:
+dnl
+dnl	AC_LBL_LIBPCAP(pcapdep, incls)
+dnl
+dnl results:
+dnl
+dnl	$1 (pcapdep set)
+dnl	$2 (incls appended)
+dnl	LIBS
+dnl	LDFLAGS
+dnl	LBL_LIBS
+dnl
+AC_DEFUN([AC_LBL_LIBPCAP],
+    [AC_REQUIRE([AC_LBL_LIBRARY_NET])
+    dnl
+    dnl save a copy before locating libpcap.a
+    dnl
+    LBL_LIBS="$LIBS"
+    pfopen=/usr/examples/packetfilter/pfopen.c
+    if test -f $pfopen ; then
+	    AC_CHECK_FUNCS(pfopen)
+	    if test $ac_cv_func_pfopen = "no" ; then
+		    AC_MSG_RESULT(Using $pfopen)
+		    LIBS="$LIBS $pfopen"
+	    fi
+    fi
+    AC_MSG_CHECKING(for local pcap library)
+    libpcap=FAIL
+    lastdir=FAIL
+    dnl Since config is at the top level, .. is meaningless for subdirs, get
+    dnl the full path
+    oneup=`(cd ..; pwd)`
+    places=`ls .. | sed -e 's,/$,,' -e "s,^,$oneup/," | \
+	egrep '/libpcap-[[0-9]]*\.[[0-9]]*(\.[[0-9]]*)?([[ab]][[0-9]]*)?$'`
+    for dir in $places $oneup/libpcap libpcap ; do
+	    basedir=`echo $dir | sed -e 's/[[ab]][[0-9]]*$//'`
+	    if test $lastdir = $basedir ; then
+		    dnl skip alphas when an actual release is present
+		    continue;
+	    fi
+	    lastdir=$dir
+	    if test -r $dir/pcap.c ; then
+		    libpcap=$dir/libpcap.a
+		    d=$dir
+		    dnl continue and select the last one that exists
+	    fi
+    done
+    if test "x$libpcap" = xFAIL ; then
+	    AC_MSG_RESULT(not found)
+	    AC_CHECK_LIB(pcap, pcap_open_live, libpcap="-lpcap")
+	    unset ac_cv_lib_pcap_pcap_open_live
+	    if test "x$libpcap" = xFAIL ; then
+		    CFLAGS="$CFLAGS -I/usr/local/include"
+		    LIBS="$LIBS -L/usr/local/lib"
+		    AC_CHECK_LIB(pcap, pcap_open_live, libpcap="-lpcap")
+		    unset ac_cv_lib_pcap_pcap_open_live
+		    if test "x$libpcap" = xFAIL ; then
+			    AC_MSG_ERROR(see the INSTALL doc for more info)
+		    fi
+		    $2="$$2 -I/usr/local/include"
+	    fi
+	    LIBS="$LIBS -lpcap"
+    else
+	    $1=$libpcap
+	    $2="-I$d $$2"
+	    AC_MSG_RESULT($libpcap)
+    fi
+    if test "x$libpcap" != "x-lpcap" ; then
+      LIBS="-L$d -lpcap $LIBS"
+    fi
+
+    dnl check libpcap is modern enough for Bro (>= 0.6.1)
+    AC_CHECK_LIB(pcap, pcap_freecode)
+    if test "$ac_cv_lib_pcap_pcap_freecode" = no ; then
+	    AC_DEFINE([DONT_HAVE_LIBPCAP_PCAP_FREECODE],[],[Old libpcap versions (< 0.6.1) need defining pcap_freecode and pcap_compile_nopcap])
+    fi
+
+		dnl check pcap headers location
+    AC_MSG_CHECKING(for pcap headers)
+		pcap_header_locations="\
+			$PWD/../libpcap \
+			/usr/include \
+			/usr/include/pcap \
+			/usr/src/sys \
+			/usr/local/include \
+			/usr/local/src/libpcap \
+            $d"
+		pcap_includes=FAIL
+		for dir in $pcap_header_locations; do
+			if test -r $dir/pcap.h ; then
+				pcap_includes=$dir
+				break
+			fi
+		done
+    if test "x$pcap_includes" = xFAIL ; then
+			AC_MSG_ERROR(couldn't find pcap.h)
+    fi
+    if test "x$pcap_includes" != x/usr/include ; then
+	    AC_MSG_RESULT($pcap_includes)
+	    V_INCLS="$V_INCLS -I$pcap_includes"
+    else
+        AC_MSG_RESULT($pcap_includes)
+    fi
+
+		dnl check if pcap_compile_nopcap needs error parameter (NetBSDism)
+    if test "$ac_cv_lib_pcap_pcap_freecode" = yes ; then
+			CFLAGS="$CFLAGS -I$pcap_includes"
+			AC_MSG_CHECKING(if pcap_compile_nopcap needs error parameter)
+			AC_LINK_IFELSE(
+				[AC_LANG_PROGRAM([[
+					#include <pcap.h>
+					]], [[
+					int snaplen;
+					int linktype;
+					struct bpf_program fp;
+					int optimize;
+					bpf_u_int32 netmask;
+					char str[10];
+					snaplen = 50;
+					linktype = DLT_EN10MB;
+					optimize = 1;
+					netmask = 0L;
+					str[0] = 'i'; str[1] = 'p'; str[2] = '\0';
+					(void)pcap_compile_nopcap(snaplen, linktype, &fp, str, optimize, netmask);
+					]])],result="ok",result="wrong")
+			if test "$result" = "ok" ; then
+				AC_MSG_RESULT(not needed)
+			else
+				AC_LINK_IFELSE(
+					[AC_LANG_PROGRAM([[
+						#include <pcap.h>
+						]], [[
+						int snaplen;
+						int linktype;
+						struct bpf_program fp;
+						int optimize;
+						bpf_u_int32 netmask;
+						char str[10];
+						char error[1024];
+						snaplen = 50;
+						linktype = DLT_EN10MB;
+						optimize = 1;
+						netmask = 0L;
+						str[0] = 'i'; str[1] = 'p'; str[2] = '\0';
+						(void)pcap_compile_nopcap(snaplen, linktype, &fp, str, optimize, netmask, &error);
+						]])],result="ok",result="wrong")
+				if test "$result" = "ok" ; then
+					AC_DEFINE([LIBPCAP_PCAP_COMPILE_NOPCAP_HAS_ERROR_PARAMETER],[],
+							[Some libpcap versions use an extra parameter (error) in pcap_compile_nopcap])
+					AC_MSG_RESULT(needed)
+				else
+					AC_MSG_ERROR(don't know (weird pcap_compile_nopcap))
+				fi
+			fi
+		fi
+
+
+    case "$target_os" in
+
+    aix*)
+	    pseexe="/lib/pse.exp"
+	    AC_MSG_CHECKING(for $pseexe)
+	    if test -f $pseexe ; then
+		    AC_MSG_RESULT(yes)
+		    LIBS="$LIBS -I:$pseexe"
+	    fi
+	    ;;
+    esac])
+
+dnl
+dnl Define RETSIGTYPE and RETSIGVAL
+dnl
+dnl usage:
+dnl
+dnl	AC_LBL_TYPE_SIGNAL
+dnl
+dnl results:
+dnl
+dnl	RETSIGTYPE (defined)
+dnl	RETSIGVAL (defined)
+dnl
+AC_DEFUN([AC_LBL_TYPE_SIGNAL],
+    [AC_BEFORE([$0], [AC_LBL_LIBPCAP])
+    AC_TYPE_SIGNAL
+    if test "$ac_cv_type_signal" = void ; then
+	    AC_DEFINE(RETSIGVAL,,[signal function return value])
+    else
+	    AC_DEFINE(RETSIGVAL,(0))
+    fi
+    case "$target_os" in
+
+    irix*)
+	    AC_DEFINE(_BSD_SIGNALS,,[irix's BSD style signals])
+	    ;;
+
+    *)
+	    dnl prefer sigset() to sigaction()
+	    AC_CHECK_FUNCS(sigset)
+	    if test $ac_cv_func_sigset = yes ; then
+		    AC_DEFINE(signal,sigset,[use sigset() instead of signal()])
+	    else
+		    AC_CHECK_FUNCS(sigaction)
+	    fi
+	    ;;
+    esac])
+
+dnl
+dnl If using gcc, make sure we have ANSI ioctl definitions
+dnl
+dnl usage:
+dnl
+dnl	AC_LBL_FIXINCLUDES
+dnl
+AC_DEFUN([AC_LBL_FIXINCLUDES],
+    [if test "$GCC" = yes ; then
+	    AC_MSG_CHECKING(for ANSI ioctl definitions)
+	    AC_CACHE_VAL(ac_cv_lbl_gcc_fixincludes,
+		AC_TRY_COMPILE(
+		    [/*
+		     * This generates a "duplicate case value" when fixincludes
+		     * has not be run.
+		     */
+#		include <sys/types.h>
+#		include <sys/time.h>
+#		include <sys/ioctl.h>
+#		ifdef HAVE_SYS_IOCCOM_H
+#		include <sys/ioccom.h>
+#		endif],
+		    [switch (0) {
+		    case _IO('A', 1):;
+		    case _IO('B', 1):;
+		    }],
+		    ac_cv_lbl_gcc_fixincludes=yes,
+		    ac_cv_lbl_gcc_fixincludes=no))
+	    AC_MSG_RESULT($ac_cv_lbl_gcc_fixincludes)
+	    if test $ac_cv_lbl_gcc_fixincludes = no ; then
+		    # Don't cache failure
+		    unset ac_cv_lbl_gcc_fixincludes
+		    AC_MSG_ERROR(see the INSTALL for more info)
+	    fi
+    fi])
+
+dnl
+dnl Check for flex, default to lex
+dnl Require flex 2.4 or higher
+dnl Check for bison, default to yacc
+dnl Default to lex/yacc if both flex and bison are not available
+dnl Define the yy prefix string if using flex and bison
+dnl
+dnl usage:
+dnl
+dnl	AC_LBL_LEX_AND_YACC(lex, yacc, yyprefix)
+dnl
+dnl results:
+dnl
+dnl	$1 (lex set)
+dnl	$2 (yacc appended)
+dnl	$3 (optional flex and bison -P prefix)
+dnl
+AC_DEFUN([AC_LBL_LEX_AND_YACC],
+    [AC_ARG_WITH(flex, [  --without-flex          don't use flex])
+    AC_ARG_WITH(bison, [  --without-bison         don't use bison])
+    if test "$with_flex" = no ; then
+	    $1=lex
+    else
+	    AC_CHECK_PROGS($1, flex, lex)
+    fi
+    if test "$$1" = flex ; then
+	    # The -V flag was added in 2.4
+	    AC_MSG_CHECKING(for flex 2.4 or higher)
+	    AC_CACHE_VAL(ac_cv_lbl_flex_v24,
+		if flex -V >/dev/null 2>&1; then
+			ac_cv_lbl_flex_v24=yes
+		else
+			ac_cv_lbl_flex_v24=no
+		fi)
+	    AC_MSG_RESULT($ac_cv_lbl_flex_v24)
+	    if test $ac_cv_lbl_flex_v24 = no ; then
+		    s="2.4 or higher required"
+		    AC_MSG_WARN(ignoring obsolete flex executable ($s))
+		    $1=lex
+	    fi
+    fi
+    if test "$with_bison" = no ; then
+	    $2=yacc
+    else
+	    AC_CHECK_PROGS($2, bison, yacc)
+    fi
+    if test "$$2" = bison ; then
+	    $2="$$2 -y"
+    fi
+    if test "$$1" != lex -a "$$2" = yacc -o "$$1" = lex -a "$$2" != yacc ; then
+	    AC_MSG_WARN(don't have both flex and bison; reverting to lex/yacc)
+	    $1=lex
+	    $2=yacc
+    fi
+    if test "$$1" = flex -a -n "$3" ; then
+	    $1="$$1 -P$3"
+	    $2="$$2 -p $3"
+    fi])
+
+dnl
+dnl Checks to see if union wait is used with WEXITSTATUS()
+dnl
+dnl usage:
+dnl
+dnl	AC_LBL_UNION_WAIT
+dnl
+dnl results:
+dnl
+dnl	DECLWAITSTATUS (defined)
+dnl
+AC_DEFUN([AC_LBL_UNION_WAIT],
+    [AC_MSG_CHECKING(if union wait is used)
+    AC_CACHE_VAL(ac_cv_lbl_union_wait,
+	AC_TRY_COMPILE([
+#	include <sys/types.h>
+#	include <sys/wait.h>],
+	    [int status;
+	    u_int i = WEXITSTATUS(status);
+	    u_int j = waitpid(0, &status, 0);],
+	    ac_cv_lbl_union_wait=no,
+	    ac_cv_lbl_union_wait=yes))
+    AC_MSG_RESULT($ac_cv_lbl_union_wait)
+    if test $ac_cv_lbl_union_wait = yes ; then
+	    AC_DEFINE(DECLWAITSTATUS,union wait)
+    else
+	    AC_DEFINE(DECLWAITSTATUS,int)
+    fi])
+
+dnl
+dnl Checks to see if the sockaddr struct has the 4.4 BSD sa_len member
+dnl
+dnl usage:
+dnl
+dnl	AC_LBL_SOCKADDR_SA_LEN
+dnl
+dnl results:
+dnl
+dnl	HAVE_SOCKADDR_SA_LEN (defined)
+dnl
+AC_DEFUN([AC_LBL_SOCKADDR_SA_LEN],
+    [AC_CHECK_MEMBERS(struct sockaddr.sa_len,,,[
+#	include <sys/types.h>
+#	include <sys/socket.h>])])
+
+dnl
+dnl Makes sure socklen_t is defined
+dnl
+dnl usage:
+dnl
+dnl	AC_LBL_SOCKLEN_T
+dnl
+dnl results:
+dnl
+dnl	socklen_t (defined if missing)
+dnl
+AC_DEFUN([AC_LBL_SOCKLEN_T],
+    [AC_MSG_CHECKING(for socklen_t in sys/socket.h using $CC)
+    AC_CACHE_VAL(ac_cv_lbl_socklen_t,
+	AC_TRY_COMPILE([
+#	include "confdefs.h"
+#	include <sys/types.h>
+#	include <sys/socket.h>
+#	if STDC_HEADERS
+#	include <stdlib.h>
+#	include <stddef.h>
+#	endif],
+	[socklen_t i],
+	ac_cv_lbl_socklen_t=yes,
+	ac_cv_lbl_socklen_t=no))
+    AC_MSG_RESULT($ac_cv_lbl_socklen_t)
+    if test $ac_cv_lbl_socklen_t = no ; then
+	    AC_DEFINE(socklen_t, int, [Define socklen_t if missing])
+    fi])
+
+dnl
+dnl Checks to see if the IFF_LOOPBACK exists as a define or enum
+dnl
+dnl   (stupidly some versions of linux use an enum...)
+dnl
+dnl usage:
+dnl
+dnl	AC_LBL_IFF_LOOPBACK
+dnl
+dnl results:
+dnl
+dnl	HAVE_IFF_LOOPBACK (defined)
+dnl
+AC_DEFUN([AC_LBL_IFF_LOOPBACK],
+    [AC_MSG_CHECKING(for IFF_LOOPBACK define/enum)
+    AC_CACHE_VAL(ac_cv_lbl_have_iff_loopback,
+	AC_TRY_COMPILE([
+#	include <sys/param.h>
+#	include <sys/file.h>
+#	include <sys/ioctl.h>
+#	include <sys/socket.h>
+#	ifdef HAVE_SYS_SOCKIO_H
+#	include <sys/sockio.h>
+#	endif
+#	include <sys/time.h>
+#	include <net/if.h>
+#	include <netinet/in.h>],
+	[int i = IFF_LOOPBACK],
+	ac_cv_lbl_have_iff_loopback=yes,
+	ac_cv_lbl_have_iff_loopback=no))
+    AC_MSG_RESULT($ac_cv_lbl_have_iff_loopback)
+    if test $ac_cv_lbl_have_iff_loopback = yes ; then
+	    AC_DEFINE(HAVE_IFF_LOOPBACK,, [Have IFF_LOOPBACK define/enum])
+    fi])
+
+dnl
+dnl Checks to see if -R is used
+dnl
+dnl usage:
+dnl
+dnl	AC_LBL_HAVE_RUN_PATH
+dnl
+dnl results:
+dnl
+dnl	ac_cv_lbl_have_run_path (yes or no)
+dnl
+AC_DEFUN([AC_LBL_HAVE_RUN_PATH],
+    [AC_MSG_CHECKING(for ${CC-cc} -R)
+    AC_CACHE_VAL(ac_cv_lbl_have_run_path,
+	[echo 'main(){}' > conftest.c
+	${CC-cc} -o conftest conftest.c -R/a1/b2/c3 >conftest.out 2>&1
+	if test ! -s conftest.out ; then
+		ac_cv_lbl_have_run_path=yes
+	else
+		ac_cv_lbl_have_run_path=no
+	fi
+	rm -f conftest*])
+    AC_MSG_RESULT($ac_cv_lbl_have_run_path)
+    ])
+
+dnl
+dnl Due to the stupid way it's implemented, AC_CHECK_TYPE is nearly useless.
+dnl
+dnl usage:
+dnl
+dnl	AC_LBL_CHECK_TYPE
+dnl
+dnl results:
+dnl
+dnl	int32_t (defined)
+dnl	u_int32_t (defined)
+dnl
+AC_DEFUN([AC_LBL_CHECK_TYPE],
+    [AC_MSG_CHECKING(for $1 using $CC)
+    AC_CACHE_VAL(ac_cv_lbl_have_$1,
+	AC_TRY_COMPILE([
+#	include "confdefs.h"
+#	include <sys/types.h>
+#	if STDC_HEADERS
+#	include <stdlib.h>
+#	include <stddef.h>
+#	endif],
+	[$1 i],
+	ac_cv_lbl_have_$1=yes,
+	ac_cv_lbl_have_$1=no))
+    AC_MSG_RESULT($ac_cv_lbl_have_$1)
+    if test $ac_cv_lbl_have_$1 = no ; then
+	    AC_DEFINE($1, $2, Define $1)
+    fi])
+
+dnl
+dnl Checks to see if unaligned memory accesses fail
+dnl
+dnl usage:
+dnl
+dnl	AC_LBL_UNALIGNED_ACCESS
+dnl
+dnl results:
+dnl
+dnl	LBL_ALIGN (DEFINED)
+dnl
+AC_DEFUN([AC_LBL_UNALIGNED_ACCESS],
+    [AC_MSG_CHECKING(if unaligned accesses fail)
+    AC_CACHE_VAL(ac_cv_lbl_unaligned_fail,
+	[case "$target_cpu" in
+
+	alpha|hp*|mips|sparc)
+		ac_cv_lbl_unaligned_fail=yes
+		;;
+
+	*)
+		cat >conftest.c <<EOF
+#		include <sys/types.h>
+#		include <sys/wait.h>
+#		include <stdio.h>
+		unsigned char a[[5]] = { 1, 2, 3, 4, 5 };
+		main() {
+		unsigned int i;
+		pid_t pid;
+		int status;
+		/* avoid "core dumped" message */
+		pid = fork();
+		if (pid <  0)
+			exit(2);
+		if (pid > 0) {
+			/* parent */
+			pid = waitpid(pid, &status, 0);
+			if (pid < 0)
+				exit(3);
+			exit(!WIFEXITED(status));
+		}
+		/* child */
+		i = *(unsigned int *)&a[[1]];
+		printf("%d\n", i);
+		exit(0);
+		}
+EOF
+		${CC-cc} -o conftest $CFLAGS $CPPFLAGS $LDFLAGS \
+		    conftest.c $LIBS >/dev/null 2>&1
+		if test ! -x conftest ; then
+			dnl failed to compile for some reason
+			ac_cv_lbl_unaligned_fail=yes
+		else
+			./conftest >conftest.out
+			if test ! -s conftest.out ; then
+				ac_cv_lbl_unaligned_fail=yes
+			else
+				ac_cv_lbl_unaligned_fail=no
+			fi
+		fi
+		rm -f conftest* core core.conftest
+		;;
+	esac])
+    AC_MSG_RESULT($ac_cv_lbl_unaligned_fail)
+    if test $ac_cv_lbl_unaligned_fail = yes ; then
+	    AC_DEFINE(LBL_ALIGN)
+    fi])
+
+dnl
+dnl add all warning option to CFLAGS
+dnl
+dnl usage:
+dnl
+dnl	AC_LBL_CHECK_WALL(copt)
+dnl
+dnl results:
+dnl
+dnl	$1 (copt appended)
+dnl	ac_cv_lbl_gcc_vers
+dnl
+AC_DEFUN([AC_LBL_CHECK_WALL],
+    [ if test "$GCC" = yes ; then
+	    if test "$SHLICC2" = yes ; then
+		    ac_cv_lbl_gcc_vers=2
+		    $1="`echo $$1 | sed -e 's/-O/-O2/'`"
+	    else
+		    AC_MSG_CHECKING(gcc version)
+		    AC_CACHE_VAL(ac_cv_lbl_gcc_vers,
+			# Gag, the gcc folks keep changing the output...
+			ac_cv_lbl_gcc_vers=`$CC --version 2>&1 | \
+			    sed -e '1!d' -e 's/.* //' -e 's/\..*//'`)
+		    AC_MSG_RESULT($ac_cv_lbl_gcc_vers)
+		    if test $ac_cv_lbl_gcc_vers -gt 1 ; then
+			    $1="`echo $$1 | sed -e 's/-O/-O2/'`"
+		    fi
+	    fi
+	    if test "${LBL_CFLAGS+set}" != set; then
+		    if test "$ac_cv_prog_cc_g" = yes ; then
+			    $1="-g $$1"
+		    fi
+		    $1="$$1 -Wall"
+		    if test $ac_cv_lbl_gcc_vers -gt 1 ; then
+			    $1="$$1 -Wmissing-prototypes -Wstrict-prototypes"
+		    fi
+	    fi
+    else
+	    case "$target_os" in
+
+	    irix6*)
+		    $1="$$1 -fullwarn -n32"
+		    ;;
+
+	    *)
+		    ;;
+	    esac
+    fi])
+
+dnl
+dnl If using gcc and the file .devel exists:
+dnl	Compile with -g (if supported) and -Wall
+dnl	If using gcc 2, do extra prototype checking
+dnl	If an os prototype include exists, symlink os-proto.h to it
+dnl
+dnl usage:
+dnl
+dnl	AC_LBL_DEVEL(copt)
+dnl
+dnl results:
+dnl
+dnl	$1 (copt appended)
+dnl	HAVE_OS_PROTO_H (defined)
+dnl	os-proto.h (symlinked)
+dnl
+AC_DEFUN([AC_LBL_DEVEL],
+    [rm -f os-proto.h
+    if test "${LBL_CFLAGS+set}" = set; then
+	    $1="$$1 ${LBL_CFLAGS}"
+    fi
+    if test -f .devel ; then
+	    AC_LBL_CHECK_WALL($1)
+	    os=`echo $target_os | sed -e 's/\([[0-9]][[0-9]]*\)[[^0-9]].*$/\1/'`
+	    name="lbl/os-$os.h"
+	    if test -f $name ; then
+		    ln -s $name os-proto.h
+		    AC_DEFINE(HAVE_OS_PROTO_H,,[have os-proto.h])
+	    else
+		    AC_MSG_WARN(can't find $name)
+	    fi
+    fi])
+
+dnl
+dnl Improved version of AC_CHECK_LIB
+dnl
+dnl Thanks to John Hawkinson (jhawk@mit.edu)
+dnl
+dnl usage:
+dnl
+dnl	AC_LBL_CHECK_LIB(LIBRARY, FUNCTION [, ACTION-IF-FOUND [,
+dnl	    ACTION-IF-NOT-FOUND [, OTHER-LIBRARIES]]])
+dnl
+dnl results:
+dnl
+dnl	LIBS
+dnl
+
+define(AC_LBL_CHECK_LIB,
+[AC_MSG_CHECKING([for $2 in -l$1])
+dnl Use a cache variable name containing both the library and function name,
+dnl because the test really is for library $1 defining function $2, not
+dnl just for library $1.  Separate tests with the same $1 and different $2's
+dnl may have different results.
+ac_lib_var=`echo $1['_']$2['_']$5 | sed 'y%./+- %__p__%'`
+AC_CACHE_VAL(ac_cv_lbl_lib_$ac_lib_var,
+[ac_save_LIBS="$LIBS"
+LIBS="-l$1 $5 $LIBS"
+AC_TRY_LINK(dnl
+ifelse([$2], [main], , dnl Avoid conflicting decl of main.
+[/* Override any gcc2 internal prototype to avoid an error.  */
+]ifelse(AC_LANG, CPLUSPLUS, [#ifdef __cplusplus
+extern "C"
+#endif
+])dnl
+[/* We use char because int might match the return type of a gcc2
+    builtin and then its argument prototype would still apply.  */
+char $2();
+]),
+	    [$2()],
+	    eval "ac_cv_lbl_lib_$ac_lib_var=yes",
+	    eval "ac_cv_lbl_lib_$ac_lib_var=no")
+LIBS="$ac_save_LIBS"
+])dnl
+if eval "test \"`echo '$ac_cv_lbl_lib_'$ac_lib_var`\" = yes"; then
+  AC_MSG_RESULT(yes)
+  ifelse([$3], ,
+[changequote(, )dnl
+  ac_tr_lib=HAVE_LIB`echo $1 | sed -e 's/[^a-zA-Z0-9_]/_/g' \
+    -e 'y/abcdefghijklmnopqrstuvwxyz/ABCDEFGHIJKLMNOPQRSTUVWXYZ/'`
+changequote([, ])dnl
+  AC_DEFINE_UNQUOTED($ac_tr_lib)
+  LIBS="-l$1 $LIBS"
+], [$3])
+else
+  AC_MSG_RESULT(no)
+ifelse([$4], , , [$4
+])dnl
+fi
+])
+
+dnl
+dnl AC_LBL_LIBRARY_NET
+dnl
+dnl This test is for network applications that need socket() and
+dnl gethostbyname() -ish functions.  Under Solaris, those applications
+dnl need to link with "-lsocket -lnsl".  Under IRIX, they need to link
+dnl with "-lnsl" but should *not* link with "-lsocket" because
+dnl libsocket.a breaks a number of things (for instance:
+dnl gethostbyname() under IRIX 5.2, and snoop sockets under most
+dnl versions of IRIX).
+dnl
+dnl Unfortunately, many application developers are not aware of this,
+dnl and mistakenly write tests that cause -lsocket to be used under
+dnl IRIX.  It is also easy to write tests that cause -lnsl to be used
+dnl under operating systems where neither are necessary (or useful),
+dnl such as SunOS 4.1.4, which uses -lnsl for TLI.
+dnl
+dnl This test exists so that every application developer does not test
+dnl this in a different, and subtly broken fashion.
+
+dnl It has been argued that this test should be broken up into two
+dnl seperate tests, one for the resolver libraries, and one for the
+dnl libraries necessary for using Sockets API. Unfortunately, the two
+dnl are carefully intertwined and allowing the autoconf user to use
+dnl them independantly potentially results in unfortunate ordering
+dnl dependancies -- as such, such component macros would have to
+dnl carefully use indirection and be aware if the other components were
+dnl executed. Since other autoconf macros do not go to this trouble,
+dnl and almost no applications use sockets without the resolver, this
+dnl complexity has not been implemented.
+dnl
+dnl The check for libresolv is in case you are attempting to link
+dnl statically and happen to have a libresolv.a lying around (and no
+dnl libnsl.a).
+dnl
+AC_DEFUN([AC_LBL_LIBRARY_NET], [
+    # Most operating systems have gethostbyname() in the default searched
+    # libraries (i.e. libc):
+    AC_CHECK_FUNC(gethostbyname, ,
+	# Some OSes (eg. Solaris) place it in libnsl:
+	AC_CHECK_LIB(nsl, gethostbyname, ,
+	    # Some strange OSes (SINIX) have it in libsocket:
+	    AC_CHECK_LIB(socket, gethostbyname, ,
+		# Unfortunately libsocket sometimes depends on libnsl.
+		# AC_CHECK_LIB's API is essentially broken so the
+		# following ugliness is necessary:
+		AC_CHECK_LIB(socket, gethostbyname,
+		    LIBS="-lsocket -lnsl $LIBS",
+		    AC_CHECK_LIB(resolv, gethostbyname),
+		    -lnsl))))
+    AC_CHECK_FUNC(socket, , AC_CHECK_LIB(socket, socket, ,
+	AC_CHECK_LIB(socket, socket, LIBS="-lsocket -lnsl $LIBS", ,
+	    -lnsl)))
+    # DLPI needs putmsg under HPUX so test for -lstr while we're at it
+    AC_CHECK_LIB(str, putmsg)
+    ])
+
+
+dnl
+dnl Checks to see if declaring syslog() and openlog() as returning int
+dnl is compatible with <syslog.h> and <stdlib.h>, or if we should not
+dnl declare them explicitly.
+dnl
+dnl usage:
+dnl
+dnl	AC_BRO_SYSLOG_INT
+dnl
+dnl results:
+dnl
+dnl	SYSLOG_INT (either defined or not defined)
+dnl
+AC_DEFUN([AC_BRO_SYSLOG_INT],
+    [AC_LANG_CPLUSPLUS
+    AC_MSG_CHECKING(if syslog returns int)
+    AC_CACHE_VAL(ac_cv_bro_syslog_int,
+	AC_TRY_COMPILE([
+#	include <stdlib.h>
+#	include <syslog.h>
+	    extern "C" {
+		int openlog(const char* ident, int logopt, int facility);
+		int syslog(int priority, const char* message_fmt, ...);
+		int closelog();
+	    }],,
+	    ac_cv_bro_syslog_int=yes,
+	    ac_cv_bro_syslog_int=no))
+    AC_MSG_RESULT($ac_cv_bro_syslog_int)
+    if test $ac_cv_bro_syslog_int = yes ; then
+	    AC_DEFINE(SYSLOG_INT,,[should we declare syslog() and openlog()])
+    fi])
+
+dnl
+dnl Checks to see if we should explicitly declare socket() and friends.
+dnl
+dnl usage:
+dnl
+dnl	AC_BRO_SOCK_DECL
+dnl
+dnl results:
+dnl
+dnl	DO_SOCK_DECL (either defined or not defined)
+dnl
+AC_DEFUN([AC_BRO_SOCK_DECL],
+    [AC_LANG_C
+    AC_MSG_CHECKING(if we should declare socket and friends)
+    AC_CACHE_VAL(ac_cv_bro_sock_decl,
+	AC_TRY_COMPILE([
+#	include <sys/types.h>
+#	include <sys/socket.h>
+	extern int socket(int, int, int);
+	extern int connect(int, const struct sockaddr *, int);
+	extern int send(int, const void *, int, int);
+	extern int recvfrom(int, void *, int, int, struct sockaddr *, int *);
+	    ],,
+	    ac_cv_bro_sock_decl=yes,
+	    ac_cv_bro_sock_decl=no))
+    AC_MSG_RESULT($ac_cv_bro_sock_decl)
+    if test $ac_cv_bro_sock_decl = yes ; then
+	    AC_DEFINE(DO_SOCK_DECL,,[should explicitly declare socket() and friends])
+    fi])
diff --git a/autogen.sh b/autogen.sh
new file mode 100755
index 0000000000..817498c141
--- /dev/null
+++ b/autogen.sh
@@ -0,0 +1,143 @@
+#!/bin/sh
+
+# Initialization script to set up the initial configuration files etc.
+# shtool usage inspired by the autogen script of the ferite scripting
+# language -- cheers Chris :)
+#
+# This is 'borrowed' from netdude, with minor changes for bro 
+
+BLD_ON=`./shtool echo -n -e %B`
+BLD_OFF=`./shtool echo -n -e %b`
+
+srcdir=`dirname $0`
+NAME=bro
+
+DIE=0
+
+echo
+echo "               "${BLD_ON}"BRO Build Tools Setup"${BLD_OFF}
+echo "===================================================="
+echo
+echo "Checking whether we have all tools available ..."
+
+(autoconf --version) < /dev/null > /dev/null 2>&1 || {
+  echo
+  echo ${BLD_ON}"Error"${BLD_OFF}": You must have \`autoconf' installed to."
+  echo "Download the appropriate package for your distribution,"
+  echo "or get the source tarball at ftp://ftp.gnu.org/pub/gnu/"
+  DIE=1
+}
+
+(automake --version) < /dev/null > /dev/null 2>&1 || {
+  echo
+  echo ${BLD_ON}"Error"${BLD_OFF}": You must have \`automake' installed."
+  echo "Get ftp://ftp.gnu.org/pub/gnu/automake-1.3.tar.gz"
+  echo "(or a newer version if it is available)"
+  DIE=1
+  NO_AUTOMAKE=yes
+}
+
+# if no automake, don't bother testing for aclocal
+test -n "$NO_AUTOMAKE" || (aclocal --version) < /dev/null > /dev/null 2>&1 || {
+  echo
+  echo ${BLD_ON}"Error"${BLD_OFF}": Missing \`aclocal'.  The version of \`automake'"
+  echo "installed doesn't appear recent enough."
+  echo "Get ftp://ftp.gnu.org/pub/gnu/automake-1.3.tar.gz"
+  echo "(or a newer version if it is available)"
+  DIE=1
+}
+
+if test "$DIE" -eq 1; then
+  exit 1
+fi
+
+echo "All necessary tools found."
+echo
+
+if [ -d autom4te.cache ] ; then
+    echo "Removing autom4te.cache ..."
+    rm -rf autom4te.cache
+    #echo
+    #echo ${BLD_ON}"Error"${BLD_OFF}": autom4te.cache directory exists"
+    #echo "please remove it, and rerun this script"
+    #echo 
+    #exit 1
+fi
+
+echo
+echo "running "${BLD_ON}"aclocal"${BLD_OFF}
+echo "----------------------------------------------------"
+aclocal -I . $ACLOCAL_FLAGS
+if [ $? -ne 0 ]; then
+    echo "*** ERROR($NAME), aborting."
+    exit 1
+fi
+
+echo
+echo "running "${BLD_ON}"autoheader"${BLD_OFF}
+echo "----------------------------------------------------"
+autoheader
+if [ $? -ne 0 ]; then
+    echo "*** ERROR($NAME), aborting."
+    exit 1
+fi
+
+echo
+echo "running "${BLD_ON}"automake"${BLD_OFF}
+echo "----------------------------------------------------"
+automake -a -c 
+if [ $? -ne 0 ]; then
+    echo "*** ERROR($NAME), aborting."
+    exit 1
+fi
+
+echo
+echo "running "${BLD_ON}"autoconf"${BLD_OFF}
+echo "----------------------------------------------------"
+autoconf
+if [ $? -ne 0 ]; then
+    echo "*** ERROR($NAME), aborting."
+    exit 1
+fi
+
+echo
+echo
+echo "Running aux/binpac/autogen.sh"
+echo "----------------------------------------------------"
+(cd aux/binpac/ && BROBUILD=yes ./autogen.sh)
+if [ $? -ne 0 ]; then
+    echo "*** ERROR($NAME), aborting."
+    exit 1
+fi
+
+echo
+echo
+echo "Running aux/broccoli/autogen.sh"
+echo "----------------------------------------------------"
+(cd aux/broccoli/ && BROBUILD=yes ./autogen.sh)
+if [ $? -ne 0 ]; then
+    echo "*** ERROR($NAME), aborting."
+    exit 1
+fi
+
+echo
+echo
+echo "Running aux/broctl/aux/capstats/autogen.sh"
+echo "----------------------------------------------------"
+(cd aux/broctl/aux/capstats && ./autogen.sh)
+if [ $? -ne 0 ]; then
+    echo "*** ERROR($NAME), aborting."
+    exit 1
+fi
+
+echo
+echo 
+echo "Setup finished. Now run:"
+echo
+echo "  $ "${BLD_ON}"./configure"${BLD_OFF}" (with options as needed, try --help)"
+echo
+echo "and then"
+echo
+echo "  $ "${BLD_ON}"make"${BLD_OFF}
+echo "  # "${BLD_ON}"make install"${BLD_OFF}
+echo
diff --git a/aux/Makefile.am b/aux/Makefile.am
new file mode 100644
index 0000000000..d109d7ce05
--- /dev/null
+++ b/aux/Makefile.am
@@ -0,0 +1,77 @@
+## Process this file with automake to produce Makefile.in
+
+LIBPCAP_VER = libpcap-0.9.8
+LIBPCAP_LIB = $(LIBPCAP_VER)/libpcap.a
+
+EXTRA_DIST = README $(LIBPCAP_VER).tar.gz
+
+# if we don't have ssl, can't build bdcat
+if USE_SSL
+bdcat_dir = bdcat
+else
+bdcat_dir =
+endif
+
+# don't compile libpcap if they did a '--disable-localpcap' to configure
+if USE_LOCALPCAP
+built_srcs =  $(LIBPCAP_LIB)
+LARGE_FILE =  "-D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE"
+else
+built_srcs =  
+endif
+
+if USEV6
+PCAPARGS = --enable-ipv6
+else
+PCAPARGS = 
+endif
+
+if USE_BROCCOLI
+broccoli = broccoli
+else
+broccoli =
+endif
+
+if USE_BROCTL
+broctl = broctl
+else
+broctl =
+endif
+
+BUILT_SOURCES = $(built_srcs)
+
+SUBDIRS = adtrace binpac cf hf nftools rst scripts \
+		$(bdcat_dir) $(broccoli) $(broctl)
+
+DIST_SUBDIRS = adtrace binpac cf hf nftools rst scripts \
+		$(bdcat_dir) $(broccoli) $(broctl)
+
+clean-local:
+	rm -rf $(LIBPCAP_VER)
+
+
+$(LIBPCAP_LIB): $(top_srcdir)/aux/$(LIBPCAP_VER).tar.gz
+	@echo "Unpacking libpcap sources"
+	@gzip -d < $(top_srcdir)/aux/$(LIBPCAP_VER).tar.gz | tar xf -
+	@echo "Building libpcap"
+	( cd $(LIBPCAP_VER) && ./configure --prefix=$(prefix) $(PCAPARGS) CFLAGS=$(LARGE_FILE) && $(MAKE) )
+	@chmod -R 755 $(LIBPCAP_VER)
+
+
+# This is a hack. These are hardcoded here to mimic the previous
+# brolite installation. While these should better go into the 
+# subdirs' Makefile.am, it's not really worth the effort as 
+# we will get rid of all this at some point anyway.
+install-brolite:
+	$(INSTALL) ./hf/hf ${bindir}
+	$(INSTALL) ./hf/nf ${bindir}
+	$(INSTALL) ./hf/pf ${bindir}
+	$(INSTALL) ./cf/cf ${bindir}
+	$(INSTALL) ./rst/rst ${bindir}
+	- install -d $(prefix)/scripts/
+	$(INSTALL) ./scripts/host-to-addrs $(prefix)/scripts
+	$(INSTALL) ./scripts/bro-logchk.pl $(prefix)/scripts
+	$(INSTALL) ./scripts/host-grep $(prefix)/scripts
+	$(INSTALL) ./scripts/mvlog $(prefix)/scripts
+
+
diff --git a/aux/README b/aux/README
new file mode 100644
index 0000000000..ace78cb3a0
--- /dev/null
+++ b/aux/README
@@ -0,0 +1,61 @@
+This directory contains handy auxiliary programs:
+
+adtrace/
+	Makefile and source for the adtrace utility. This program is used
+	in conjunction with the localnetMAC.pl perl script to compute the
+	network address that compose the internal and extern nets that bro
+	is monitoring. This program when run by itself just reads a pcap
+	(tcpcump) file and writes out the src MAC, dst MAC, src IP, dst
+	IP for each packet seen in the file. This output is processed by
+	the localnetMAC.pl script during 'make install'.
+
+bdcat/
+	A utility for decrypting encrypted Bro log files.
+
+binpac/
+	A compiler for generating protocol analyzers from high-level,
+	declarative specifications.  Used extensively for constructing
+	Bro's protocol analyzers, but capable of stand-alone use for
+	building analyzers outside of the Bro system.
+
+broccoli/
+	A C client library for interfacing programs with the Bro system.
+	Enables sending and receiving of Bro values and events.
+
+cf/
+	Makefile and source for the "cf" utility.  cf reads lines from
+	stdin and if the line begins with a number, then it assumes that
+	the number corresponds to a Unix timestamp and replaces it with
+	the corresponding local time in a readable format.  Useful for
+	running on log files.  See cf/cf.man.txt for documentation.
+
+contrib/
+	Unsupported contributions to Bro.
+
+hf/
+	The main utility in this subdirectory is hf, which translates
+	any dotted-quad (in text) appearing on stdin to the corresponding
+	DNS hostname (via a PTR lookup) on stdout.
+
+nftools/
+	Utilities for dealing with Bro's custom file format for storing
+	NetFlow records.  nfcollector reads NetFlow data from a socket
+	and writes it in Bro's format.  ftwire2bro reads NetFlow "wire"
+	format (e.g., as generated by a 'flow-export' directive) and writes
+	it in Bro's format.
+
+rst/
+	Makefile and source for the rst utility. "rst" can be invoked by
+	a Bro script to terminate an established TCP connection by forging
+	RST tear-down packets.  See terminate_connection() in conn.bro.
+
+scripts/
+	A set of utility scripts for munching on Bro connection summaries.
+
+	bro_logchk: orders and scans through FTP and HTTP logs
+	host-grep: greps a summary file for a particular host's activities
+	host-to-addrs: converts a hostname to a list of IP addresses
+	hot-report: formats a summary file in a readable fashion
+	ip-grep: returns a grep pattern for a given IP address
+	mon-report: summarizes a particular host's activity
+	mvlog: compresses and archives log files
diff --git a/aux/adtrace/Makefile.am b/aux/adtrace/Makefile.am
new file mode 100644
index 0000000000..858a6fb362
--- /dev/null
+++ b/aux/adtrace/Makefile.am
@@ -0,0 +1,10 @@
+## Process this file with automake to produce Makefile.in
+
+AM_CFLAGS=@V_INCLS@
+
+# Should use AM_ vars, but automake 1.5 errors out.
+#AM_LDFLAGS = @LDFLAGS@
+LDFLAGS = @LDFLAGS@
+
+noinst_PROGRAMS = adtrace
+adtrace_SOURCES = adtrace.c ether.h ethertype.h ip.h
diff --git a/aux/adtrace/adtrace.c b/aux/adtrace/adtrace.c
new file mode 100644
index 0000000000..4c2c9e1136
--- /dev/null
+++ b/aux/adtrace/adtrace.c
@@ -0,0 +1,92 @@
+#include <stdio.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <pcap.h>
+
+#include "../../config.h"
+#include "ip.h"
+#include "ether.h" 
+#include "ethertype.h"
+
+pcap_t *p;
+
+const u_char*  printEAddr(const u_char* pkt, u_char* endp){
+  const struct ether_header *ep;
+  int i=0;
+  ep = (const struct ether_header*) pkt;
+
+  if (pkt+ETHER_HDRLEN > endp ||
+      ntohs(ep->ether_type) != ETHERTYPE_IP){
+    return 0;
+  }
+
+  for (i = 0; i<ETHER_ADDR_LEN; i++){
+    if (i>0) putchar(':');
+    printf("%02x", ep->ether_shost[i]);
+  }
+  putchar (' ');
+  for (i = 0; i<ETHER_ADDR_LEN; i++){
+    if (i>0) putchar(':');
+    printf("%02x", ep->ether_dhost[i]);
+  }
+  putchar(' ');
+  return (pkt+ETHER_HDRLEN);
+}
+
+void printIPAddr(const u_char* pkt, u_char* endp){
+  const struct ip* iph;
+  if (pkt+sizeof(struct ip) > endp) return;
+  iph = (const struct ip*) pkt;
+  fputs ((char*) inet_ntoa(iph->ip_src), stdout);
+  putchar(' ');
+  puts ((char*) inet_ntoa(iph->ip_dst));
+}
+
+void handler(u_char *user, const struct pcap_pkthdr *head, const u_char *packet){
+  u_char* endp;
+
+  endp =(u_char*) packet + head->caplen;
+  packet = printEAddr(packet, endp);
+  if (packet)
+    printIPAddr(packet, endp);
+}
+
+void usage(char *av[])
+{
+	fprintf(stderr,"usage: %s filename \n", av[0]);
+	exit(1);
+}
+
+int main (int argc, char *argv[])
+{
+  char *file;
+  char errbuf[PCAP_ERRBUF_SIZE];
+  u_char* pkt, endp; 
+  struct pcap_pkthdr *head;
+
+  if ( argc != 2 ) 
+	  usage(argv);
+
+  file = argv[1];
+
+  p = pcap_open_offline(file, errbuf);
+  if(p==NULL){
+    fprintf (stderr, "cannot open %s: %s\n", file, errbuf);
+    exit(2);
+  }
+  
+  if (pcap_datalink(p) != DLT_EN10MB){
+    fputs ("sorry, currently only ethernet links supported\n", stderr);
+    exit(1); //if it is not ethernet we are watching we won't have MACs
+  }
+
+  pcap_loop(p, -1, handler, NULL);
+  pcap_close(p);
+  return(0);
+}
+
diff --git a/aux/adtrace/ether.h b/aux/adtrace/ether.h
new file mode 100644
index 0000000000..77d0377945
--- /dev/null
+++ b/aux/adtrace/ether.h
@@ -0,0 +1,59 @@
+/* @(#) $Header$ (LBL) */
+/*
+ * Copyright (c) 1982, 1986, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)if_ether.h	8.3 (Berkeley) 5/2/95
+ */
+
+#define	ETHERMTU	1500
+
+/*
+ * The number of bytes in an ethernet (MAC) address.
+ */
+#define	ETHER_ADDR_LEN		6
+
+/*
+ * Structure of a DEC/Intel/Xerox or 802.3 Ethernet header.
+ */
+struct	ether_header {
+	u_int8_t	ether_dhost[ETHER_ADDR_LEN];
+	u_int8_t	ether_shost[ETHER_ADDR_LEN];
+	u_int16_t	ether_type;
+};
+
+/*
+ * Length of a DEC/Intel/Xerox or 802.3 Ethernet header; note that some
+ * compilers may pad "struct ether_header" to a multiple of 4 bytes,
+ * for example, so "sizeof (struct ether_header)" may not give the right
+ * answer.
+ */
+#define ETHER_HDRLEN		14
diff --git a/aux/adtrace/ethertype.h b/aux/adtrace/ethertype.h
new file mode 100644
index 0000000000..1f6aab6776
--- /dev/null
+++ b/aux/adtrace/ethertype.h
@@ -0,0 +1,122 @@
+/*
+ * Copyright (c) 1993, 1994, 1996
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that: (1) source code distributions
+ * retain the above copyright notice and this paragraph in its entirety, (2)
+ * distributions including binary code include the above copyright notice and
+ * this paragraph in its entirety in the documentation or other materials
+ * provided with the distribution, and (3) all advertising materials mentioning
+ * features or use of this software display the following acknowledgement:
+ * ``This product includes software developed by the University of California,
+ * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
+ * the University nor the names of its contributors may be used to endorse
+ * or promote products derived from this software without specific prior
+ * written permission.
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
+ * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
+ *
+ * @(#) $Header$ (LBL)
+ */
+
+/*
+ * Ethernet types.
+ *
+ * We wrap the declarations with #ifdef, so that if a file includes
+ * <netinet/if_ether.h>, which may declare some of these, we don't
+ * get a bunch of complaints from the C compiler about redefinitions
+ * of these values.
+ *
+ * We declare all of them here so that no file has to include
+ * <netinet/if_ether.h> if all it needs are ETHERTYPE_ values.
+ */
+
+#ifndef ETHERTYPE_PUP
+#define	ETHERTYPE_PUP		0x0200	/* PUP protocol */
+#endif
+#ifndef ETHERTYPE_IP
+#define	ETHERTYPE_IP		0x0800	/* IP protocol */
+#endif
+#ifndef ETHERTYPE_ARP
+#define ETHERTYPE_ARP		0x0806	/* Addr. resolution protocol */
+#endif
+#ifndef ETHERTYPE_REVARP
+#define ETHERTYPE_REVARP	0x8035	/* reverse Addr. resolution protocol */
+#endif
+#ifndef ETHERTYPE_NS
+#define ETHERTYPE_NS		0x0600
+#endif
+#ifndef	ETHERTYPE_SPRITE
+#define	ETHERTYPE_SPRITE	0x0500
+#endif
+#ifndef ETHERTYPE_TRAIL
+#define ETHERTYPE_TRAIL		0x1000
+#endif
+#ifndef	ETHERTYPE_MOPDL
+#define	ETHERTYPE_MOPDL		0x6001
+#endif
+#ifndef	ETHERTYPE_MOPRC
+#define	ETHERTYPE_MOPRC		0x6002
+#endif
+#ifndef	ETHERTYPE_DN
+#define	ETHERTYPE_DN		0x6003
+#endif
+#ifndef	ETHERTYPE_LAT
+#define	ETHERTYPE_LAT		0x6004
+#endif
+#ifndef ETHERTYPE_SCA
+#define ETHERTYPE_SCA		0x6007
+#endif
+#ifndef ETHERTYPE_REVARP
+#define ETHERTYPE_REVARP	0x8035
+#endif
+#ifndef	ETHERTYPE_LANBRIDGE
+#define	ETHERTYPE_LANBRIDGE	0x8038
+#endif
+#ifndef	ETHERTYPE_DECDNS
+#define	ETHERTYPE_DECDNS	0x803c
+#endif
+#ifndef	ETHERTYPE_DECDTS
+#define	ETHERTYPE_DECDTS	0x803e
+#endif
+#ifndef	ETHERTYPE_VEXP
+#define	ETHERTYPE_VEXP		0x805b
+#endif
+#ifndef	ETHERTYPE_VPROD
+#define	ETHERTYPE_VPROD		0x805c
+#endif
+#ifndef ETHERTYPE_ATALK
+#define ETHERTYPE_ATALK		0x809b
+#endif
+#ifndef ETHERTYPE_AARP
+#define ETHERTYPE_AARP		0x80f3
+#endif
+#ifndef	ETHERTYPE_8021Q
+#define	ETHERTYPE_8021Q		0x8100
+#endif
+#ifndef ETHERTYPE_IPX
+#define ETHERTYPE_IPX		0x8137
+#endif
+#ifndef ETHERTYPE_IPV6
+#define ETHERTYPE_IPV6		0x86dd
+#endif
+#ifndef ETHERTYPE_PPP
+#define	ETHERTYPE_PPP		0x880b
+#endif
+#ifndef	ETHERTYPE_MPLS
+#define	ETHERTYPE_MPLS		0x8847
+#endif
+#ifndef	ETHERTYPE_MPLS_MULTI
+#define	ETHERTYPE_MPLS_MULTI	0x8848
+#endif
+#ifndef ETHERTYPE_PPPOED
+#define ETHERTYPE_PPPOED	0x8863
+#endif
+#ifndef ETHERTYPE_PPPOES
+#define ETHERTYPE_PPPOES	0x8864
+#endif
+#ifndef	ETHERTYPE_LOOPBACK
+#define	ETHERTYPE_LOOPBACK	0x9000
+#endif
diff --git a/aux/adtrace/ip.h b/aux/adtrace/ip.h
new file mode 100644
index 0000000000..3d930537c9
--- /dev/null
+++ b/aux/adtrace/ip.h
@@ -0,0 +1,159 @@
+/* @(#) $Header$ (LBL) */
+/*
+ * Copyright (c) 1982, 1986, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)ip.h	8.2 (Berkeley) 6/1/94
+ */
+
+/*
+ * Definitions for internet protocol version 4.
+ * Per RFC 791, September 1981.
+ */
+#define	IPVERSION	4
+
+/*
+ * Structure of an internet header, naked of options.
+ *
+ * We declare ip_len and ip_off to be short, rather than u_short
+ * pragmatically since otherwise unsigned comparisons can result
+ * against negative integers quite easily, and fail in subtle ways.
+ */
+struct ip {
+	u_int8_t	ip_vhl;		/* header length, version */
+#define IP_V(ip)	(((ip)->ip_vhl & 0xf0) >> 4)
+#define IP_HL(ip)	((ip)->ip_vhl & 0x0f)
+	u_int8_t	ip_tos;		/* type of service */
+	u_int16_t	ip_len;		/* total length */
+	u_int16_t	ip_id;		/* identification */
+	u_int16_t	ip_off;		/* fragment offset field */
+#define	IP_DF 0x4000			/* dont fragment flag */
+#define	IP_MF 0x2000			/* more fragments flag */
+#define	IP_OFFMASK 0x1fff		/* mask for fragmenting bits */
+	u_int8_t	ip_ttl;		/* time to live */
+	u_int8_t	ip_p;		/* protocol */
+	u_int16_t	ip_sum;		/* checksum */
+	struct	in_addr ip_src,ip_dst;	/* source and dest address */
+};
+
+#define	IP_MAXPACKET	65535		/* maximum packet size */
+
+/*
+ * Definitions for IP type of service (ip_tos)
+ */
+#define	IPTOS_LOWDELAY		0x10
+#define	IPTOS_THROUGHPUT	0x08
+#define	IPTOS_RELIABILITY	0x04
+
+/*
+ * Definitions for IP precedence (also in ip_tos) (hopefully unused)
+ */
+#define	IPTOS_PREC_NETCONTROL		0xe0
+#define	IPTOS_PREC_INTERNETCONTROL	0xc0
+#define	IPTOS_PREC_CRITIC_ECP		0xa0
+#define	IPTOS_PREC_FLASHOVERRIDE	0x80
+#define	IPTOS_PREC_FLASH		0x60
+#define	IPTOS_PREC_IMMEDIATE		0x40
+#define	IPTOS_PREC_PRIORITY		0x20
+#define	IPTOS_PREC_ROUTINE		0x00
+
+/*
+ * Definitions for options.
+ */
+#define	IPOPT_COPIED(o)		((o)&0x80)
+#define	IPOPT_CLASS(o)		((o)&0x60)
+#define	IPOPT_NUMBER(o)		((o)&0x1f)
+
+#define	IPOPT_CONTROL		0x00
+#define	IPOPT_RESERVED1		0x20
+#define	IPOPT_DEBMEAS		0x40
+#define	IPOPT_RESERVED2		0x60
+
+#define	IPOPT_EOL		0		/* end of option list */
+#define	IPOPT_NOP		1		/* no operation */
+
+#define	IPOPT_RR		7		/* record packet route */
+#define	IPOPT_TS		68		/* timestamp */
+#define	IPOPT_SECURITY		130		/* provide s,c,h,tcc */
+#define	IPOPT_LSRR		131		/* loose source route */
+#define	IPOPT_SATID		136		/* satnet id */
+#define	IPOPT_SSRR		137		/* strict source route */
+
+/*
+ * Offsets to fields in options other than EOL and NOP.
+ */
+#define	IPOPT_OPTVAL		0		/* option ID */
+#define	IPOPT_OLEN		1		/* option length */
+#define IPOPT_OFFSET		2		/* offset within option */
+#define	IPOPT_MINOFF		4		/* min value of above */
+
+/*
+ * Time stamp option structure.
+ */
+struct	ip_timestamp {
+	u_int8_t	ipt_code;	/* IPOPT_TS */
+	u_int8_t	ipt_len;	/* size of structure (variable) */
+	u_int8_t	ipt_ptr;	/* index of current entry */
+	u_int8_t	ipt_oflwflg;	/* flags, overflow counter */
+#define IPTS_OFLW(ip)	(((ipt)->ipt_oflwflg & 0xf0) >> 4)
+#define IPTS_FLG(ip)	((ipt)->ipt_oflwflg & 0x0f)
+	union ipt_timestamp {
+		u_int32_t ipt_time[1];
+		struct	ipt_ta {
+			struct in_addr ipt_addr;
+			u_int32_t ipt_time;
+		} ipt_ta[1];
+	} ipt_timestamp;
+};
+
+/* flag bits for ipt_flg */
+#define	IPOPT_TS_TSONLY		0		/* timestamps only */
+#define	IPOPT_TS_TSANDADDR	1		/* timestamps and addresses */
+#define	IPOPT_TS_PRESPEC	3		/* specified modules only */
+
+/* bits for security (not byte swapped) */
+#define	IPOPT_SECUR_UNCLASS	0x0000
+#define	IPOPT_SECUR_CONFID	0xf135
+#define	IPOPT_SECUR_EFTO	0x789a
+#define	IPOPT_SECUR_MMMM	0xbc4d
+#define	IPOPT_SECUR_RESTR	0xaf13
+#define	IPOPT_SECUR_SECRET	0xd788
+#define	IPOPT_SECUR_TOPSECRET	0x6bc5
+
+/*
+ * Internet implementation parameters.
+ */
+#define	MAXTTL		255		/* maximum time to live (seconds) */
+#define	IPDEFTTL	64		/* default ttl, from RFC 1340 */
+#define	IPFRAGTTL	60		/* time to live for frags, slowhz */
+#define	IPTTLDEC	1		/* subtracted when forwarding */
+
+#define	IP_MSS		576		/* default maximum segment size */
diff --git a/aux/bdcat/Makefile.am b/aux/bdcat/Makefile.am
new file mode 100644
index 0000000000..8a4427d3d1
--- /dev/null
+++ b/aux/bdcat/Makefile.am
@@ -0,0 +1,4 @@
+## Process this file with automake to produce Makefile.in
+
+noinst_PROGRAMS = bdcat
+bdcat_SOURCES = bdcat.cc
diff --git a/aux/bdcat/bdcat.cc b/aux/bdcat/bdcat.cc
new file mode 100644
index 0000000000..631f1b3801
--- /dev/null
+++ b/aux/bdcat/bdcat.cc
@@ -0,0 +1,175 @@
+// $Id: bdcat.cc 6 2004-04-30 00:31:26Z jason $
+//
+// Decrypts Bro's log files.
+//
+// Usage: bdcat [-k file-with-secret-rsa-key] [files...]
+//
+// The key file may be alternatively set via the env variable BDCAT_KEY.
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <netinet/in.h>
+
+#include "openssl/evp.h"
+#include "openssl/pem.h"
+#include "openssl/err.h"
+
+EVP_PKEY* SecKey = 0;
+EVP_CIPHER* CipherType = 0;
+
+void cryptcat(FILE* f)
+	{
+	unsigned char magic[7];
+	unsigned long secret_len;
+
+	// Read file header.
+	if ( ! (fread(&magic, 7, 1, f) &&
+		fread(&secret_len, sizeof(secret_len), 1, f)) )
+		{
+		fprintf(stderr, "can't read file header: %s\n", strerror(errno));
+		exit(1);
+		}
+
+	if ( memcmp("BROENC1", (const char*) magic, 7) != 0 )
+		{
+		fputs("not a Bro encrypted file\n", stderr);
+		exit(1);
+		}
+
+	secret_len = ntohl(secret_len);
+	int iv_len = EVP_CIPHER_iv_length(CipherType);
+	unsigned char secret[secret_len];
+	unsigned char iv[iv_len];
+
+	if ( ! (fread(&secret, secret_len, 1, f) &&
+		fread(&iv, iv_len, 1, f)) )
+		{
+		fprintf(stderr, "can't read file header: %s\n", strerror(errno));
+		exit(1);
+		}
+
+	// Decrypt data.
+	EVP_CIPHER_CTX cipher_ctx;
+	if ( ! EVP_OpenInit(&cipher_ctx, CipherType,
+				secret, secret_len, iv, SecKey) )
+		{
+		fprintf( stderr, "can't init decryption: %s\n",
+				ERR_error_string(ERR_get_error(), 0));
+		exit(1);
+		return;
+		}
+
+	int block_size = EVP_CIPHER_block_size(CipherType);
+	unsigned char buffer_in[block_size];
+	unsigned char buffer_out[block_size];
+
+	int inl, outl;
+	while ( (inl = fread(buffer_in, 1, block_size, f)) )
+		{
+		if ( ! EVP_OpenUpdate(&cipher_ctx, buffer_out,
+					&outl, buffer_in, inl) )
+			{
+			fprintf( stderr, "can't decrypt: %s\n",
+				 ERR_error_string(ERR_get_error(), 0));
+			exit(1);
+			}
+
+		if ( outl && ! fwrite(buffer_out, outl, 1, stdout) )
+			{
+			fprintf(stderr, "can't write to stdout: %s\n",
+					strerror(errno));
+			exit(1);
+			}
+		}
+
+	if ( ! EVP_OpenFinal(&cipher_ctx, buffer_out, &outl) )
+		{
+		fprintf( stderr, "can't decrypt: %s\n",
+				 ERR_error_string(ERR_get_error(), 0));
+		exit(1);
+		}
+
+	if ( outl && ! fwrite(buffer_out, outl, 1, stdout) )
+		{
+		fprintf(stderr, "can't write to stdout: %s\n", strerror(errno));
+		exit(1);
+		}
+
+	fclose(f);
+	}
+
+void Usage()
+	{
+	fprintf(stderr, "bdcat [-k <sec-key-file>] [files]\n");
+	exit(1);
+	}
+
+int main(int argc, char** argv)
+	{
+	char* keyfile = getenv("BDCAT_KEY");
+
+	// Read options.
+	char op;
+	while ( (op = getopt(argc, argv, "k:")) >= 0 )
+		{
+		if ( op == 'k' )
+			keyfile = optarg;
+		else
+			Usage();
+		}
+
+	if ( ! keyfile )
+		{
+		fputs("no keyfile given\n", stderr);
+		exit(1);
+		}
+
+	// Init crypto.
+
+	ERR_load_crypto_strings();
+	OpenSSL_add_all_algorithms();
+
+	FILE* f = fopen(keyfile, "r");
+	if ( ! f )
+		{
+		fprintf(stderr, "can't open key file %s: %s\n",
+				keyfile, strerror(errno));
+		exit(1);
+		}
+
+	SecKey = PEM_read_PrivateKey(f, 0, 0, 0);
+	if ( ! SecKey )
+		{
+		fprintf(stderr, "can't read key from %s: %s\n", keyfile,
+				ERR_error_string(ERR_get_error(), 0));
+		exit(1);
+		}
+
+	fclose(f);
+
+	// Depending on the OpenSSL version, EVP_*_cbc()
+	// returns a const or a non-const.
+	CipherType = (EVP_CIPHER*) EVP_bf_cbc();
+
+	// Decrypt the files.
+	if ( optind == argc )
+		cryptcat(stdin);
+	else
+		{
+		while ( optind < argc )
+			{
+			FILE* f = fopen(argv[optind], "r");
+			if ( ! f )
+				{
+				fprintf(stderr, "can't open %s: %s\n",
+						argv[optind], strerror(errno));
+				exit(1);
+				}
+
+			cryptcat(f);
+			++optind;
+			}
+		}
+	}
diff --git a/aux/binpac/AUTHORS b/aux/binpac/AUTHORS
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/aux/binpac/CHANGES b/aux/binpac/CHANGES
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/aux/binpac/COPYING b/aux/binpac/COPYING
new file mode 100644
index 0000000000..2a9a9e934b
--- /dev/null
+++ b/aux/binpac/COPYING
@@ -0,0 +1,18 @@
+// Copyright (c) 1995-2007
+//      The Regents of the University of California.  All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that: (1) source code distributions
+// retain the above copyright notice and this paragraph in its entirety, (2)
+// distributions including binary code include the above copyright notice and
+// this paragraph in its entirety in the documentation or other materials
+// provided with the distribution, and (3) all advertising materials mentioning
+// features or use of this software display the following acknowledgement:
+// ``This product includes software developed by the University of California,
+// Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
+// the University nor the names of its contributors may be used to endorse
+// or promote products derived from this software without specific prior
+// written permission.
+// THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
+// WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
+// MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
diff --git a/aux/binpac/ChangeLog b/aux/binpac/ChangeLog
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/aux/binpac/INSTALL b/aux/binpac/INSTALL
new file mode 100644
index 0000000000..095b1eb406
--- /dev/null
+++ b/aux/binpac/INSTALL
@@ -0,0 +1,231 @@
+Installation Instructions
+*************************
+
+Copyright (C) 1994, 1995, 1996, 1999, 2000, 2001, 2002, 2004 Free
+Software Foundation, Inc.
+
+This file is free documentation; the Free Software Foundation gives
+unlimited permission to copy, distribute and modify it.
+
+Basic Installation
+==================
+
+These are generic installation instructions.
+
+   The `configure' shell script attempts to guess correct values for
+various system-dependent variables used during compilation.  It uses
+those values to create a `Makefile' in each directory of the package.
+It may also create one or more `.h' files containing system-dependent
+definitions.  Finally, it creates a shell script `config.status' that
+you can run in the future to recreate the current configuration, and a
+file `config.log' containing compiler output (useful mainly for
+debugging `configure').
+
+   It can also use an optional file (typically called `config.cache'
+and enabled with `--cache-file=config.cache' or simply `-C') that saves
+the results of its tests to speed up reconfiguring.  (Caching is
+disabled by default to prevent problems with accidental use of stale
+cache files.)
+
+   If you need to do unusual things to compile the package, please try
+to figure out how `configure' could check whether to do them, and mail
+diffs or instructions to the address given in the `README' so they can
+be considered for the next release.  If you are using the cache, and at
+some point `config.cache' contains results you don't want to keep, you
+may remove or edit it.
+
+   The file `configure.ac' (or `configure.in') is used to create
+`configure' by a program called `autoconf'.  You only need
+`configure.ac' if you want to change it or regenerate `configure' using
+a newer version of `autoconf'.
+
+The simplest way to compile this package is:
+
+  1. `cd' to the directory containing the package's source code and type
+     `./configure' to configure the package for your system.  If you're
+     using `csh' on an old version of System V, you might need to type
+     `sh ./configure' instead to prevent `csh' from trying to execute
+     `configure' itself.
+
+     Running `configure' takes awhile.  While running, it prints some
+     messages telling which features it is checking for.
+
+  2. Type `make' to compile the package.
+
+  3. Optionally, type `make check' to run any self-tests that come with
+     the package.
+
+  4. Type `make install' to install the programs and any data files and
+     documentation.
+
+  5. You can remove the program binaries and object files from the
+     source code directory by typing `make clean'.  To also remove the
+     files that `configure' created (so you can compile the package for
+     a different kind of computer), type `make distclean'.  There is
+     also a `make maintainer-clean' target, but that is intended mainly
+     for the package's developers.  If you use it, you may have to get
+     all sorts of other programs in order to regenerate files that came
+     with the distribution.
+
+Compilers and Options
+=====================
+
+Some systems require unusual options for compilation or linking that the
+`configure' script does not know about.  Run `./configure --help' for
+details on some of the pertinent environment variables.
+
+   You can give `configure' initial values for configuration parameters
+by setting variables in the command line or in the environment.  Here
+is an example:
+
+     ./configure CC=c89 CFLAGS=-O2 LIBS=-lposix
+
+   *Note Defining Variables::, for more details.
+
+Compiling For Multiple Architectures
+====================================
+
+You can compile the package for more than one kind of computer at the
+same time, by placing the object files for each architecture in their
+own directory.  To do this, you must use a version of `make' that
+supports the `VPATH' variable, such as GNU `make'.  `cd' to the
+directory where you want the object files and executables to go and run
+the `configure' script.  `configure' automatically checks for the
+source code in the directory that `configure' is in and in `..'.
+
+   If you have to use a `make' that does not support the `VPATH'
+variable, you have to compile the package for one architecture at a
+time in the source code directory.  After you have installed the
+package for one architecture, use `make distclean' before reconfiguring
+for another architecture.
+
+Installation Names
+==================
+
+By default, `make install' will install the package's files in
+`/usr/local/bin', `/usr/local/man', etc.  You can specify an
+installation prefix other than `/usr/local' by giving `configure' the
+option `--prefix=PREFIX'.
+
+   You can specify separate installation prefixes for
+architecture-specific files and architecture-independent files.  If you
+give `configure' the option `--exec-prefix=PREFIX', the package will
+use PREFIX as the prefix for installing programs and libraries.
+Documentation and other data files will still use the regular prefix.
+
+   In addition, if you use an unusual directory layout you can give
+options like `--bindir=DIR' to specify different values for particular
+kinds of files.  Run `configure --help' for a list of the directories
+you can set and what kinds of files go in them.
+
+   If the package supports it, you can cause programs to be installed
+with an extra prefix or suffix on their names by giving `configure' the
+option `--program-prefix=PREFIX' or `--program-suffix=SUFFIX'.
+
+Optional Features
+=================
+
+Some packages pay attention to `--enable-FEATURE' options to
+`configure', where FEATURE indicates an optional part of the package.
+They may also pay attention to `--with-PACKAGE' options, where PACKAGE
+is something like `gnu-as' or `x' (for the X Window System).  The
+`README' should mention any `--enable-' and `--with-' options that the
+package recognizes.
+
+   For packages that use the X Window System, `configure' can usually
+find the X include and library files automatically, but if it doesn't,
+you can use the `configure' options `--x-includes=DIR' and
+`--x-libraries=DIR' to specify their locations.
+
+Specifying the System Type
+==========================
+
+There may be some features `configure' cannot figure out automatically,
+but needs to determine by the type of machine the package will run on.
+Usually, assuming the package is built to be run on the _same_
+architectures, `configure' can figure that out, but if it prints a
+message saying it cannot guess the machine type, give it the
+`--build=TYPE' option.  TYPE can either be a short name for the system
+type, such as `sun4', or a canonical name which has the form:
+
+     CPU-COMPANY-SYSTEM
+
+where SYSTEM can have one of these forms:
+
+     OS KERNEL-OS
+
+   See the file `config.sub' for the possible values of each field.  If
+`config.sub' isn't included in this package, then this package doesn't
+need to know the machine type.
+
+   If you are _building_ compiler tools for cross-compiling, you should
+use the `--target=TYPE' option to select the type of system they will
+produce code for.
+
+   If you want to _use_ a cross compiler, that generates code for a
+platform different from the build platform, you should specify the
+"host" platform (i.e., that on which the generated programs will
+eventually be run) with `--host=TYPE'.
+
+Sharing Defaults
+================
+
+If you want to set default values for `configure' scripts to share, you
+can create a site shell script called `config.site' that gives default
+values for variables like `CC', `cache_file', and `prefix'.
+`configure' looks for `PREFIX/share/config.site' if it exists, then
+`PREFIX/etc/config.site' if it exists.  Or, you can set the
+`CONFIG_SITE' environment variable to the location of the site script.
+A warning: not all `configure' scripts look for a site script.
+
+Defining Variables
+==================
+
+Variables not defined in a site shell script can be set in the
+environment passed to `configure'.  However, some packages may run
+configure again during the build, and the customized values of these
+variables may be lost.  In order to avoid this problem, you should set
+them in the `configure' command line, using `VAR=value'.  For example:
+
+     ./configure CC=/usr/local2/bin/gcc
+
+will cause the specified gcc to be used as the C compiler (unless it is
+overridden in the site shell script).
+
+`configure' Invocation
+======================
+
+`configure' recognizes the following options to control how it operates.
+
+`--help'
+`-h'
+     Print a summary of the options to `configure', and exit.
+
+`--version'
+`-V'
+     Print the version of Autoconf used to generate the `configure'
+     script, and exit.
+
+`--cache-file=FILE'
+     Enable the cache: use and save the results of the tests in FILE,
+     traditionally `config.cache'.  FILE defaults to `/dev/null' to
+     disable caching.
+
+`--config-cache'
+`-C'
+     Alias for `--cache-file=config.cache'.
+
+`--quiet'
+`--silent'
+`-q'
+     Do not print messages saying which checks are being made.  To
+     suppress all normal output, redirect it to `/dev/null' (any error
+     messages will still be shown).
+
+`--srcdir=DIR'
+     Look for the package's source code in directory DIR.  Usually
+     `configure' can determine that directory automatically.
+
+`configure' also accepts some other, not widely useful, options.  Run
+`configure --help' for more details.
+
diff --git a/aux/binpac/Makefile.am b/aux/binpac/Makefile.am
new file mode 100644
index 0000000000..7c93dcde5c
--- /dev/null
+++ b/aux/binpac/Makefile.am
@@ -0,0 +1,4 @@
+## Process this file with automake to produce Makefile.in
+
+EXTRA_DIST = README VERSION CHANGES TODO depcomp shtool autogen.sh
+SUBDIRS = lib src
diff --git a/aux/binpac/NEWS b/aux/binpac/NEWS
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/aux/binpac/README b/aux/binpac/README
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/aux/binpac/TODO b/aux/binpac/TODO
new file mode 100644
index 0000000000..4b2833f224
--- /dev/null
+++ b/aux/binpac/TODO
@@ -0,0 +1,34 @@
+Big features
+* Variable context (xid, call in RPC)? -- no variable context
+* Helpers
+* Connection states and actions
+* Case and analyzer redef
+* &also withinput
+* Explicit analyzer context (interface + instantiation) "withcontext"
++ Interface with C++ and Bro (events, extern, weird)
++ Incremental input
++ ASCII protocols
++ Reassembly
+- Dealing with exceptions
+- Dependency analysis to save parsing time on unused fields
+- Performance measurement
+
+Small features
+* Restructure the code: break up pac.{h,cc}
+* ref counting (to keep certain structures)
+* analyzer context as a parameter of class
+* &autolength
+* find a better name for "analyzer_context" ("analcxt", "context", "analyzer") $context
+* &if
+* &autolength (now &restofdata)
+* Use vector<> instead of array<>?
+* set end_of_data when &length = ...
+- make the `default' case mandatory?
+- &inline
+- &warn and &check? (follow &if)
+- typedef?
+
+Binpac 1
+- create a namespace for each .pac file
+- type equivalence
+- byteorder() for every type?
diff --git a/aux/binpac/VERSION b/aux/binpac/VERSION
new file mode 100644
index 0000000000..49d59571fb
--- /dev/null
+++ b/aux/binpac/VERSION
@@ -0,0 +1 @@
+0.1
diff --git a/aux/binpac/autogen.sh b/aux/binpac/autogen.sh
new file mode 100755
index 0000000000..4f01b6fbf2
--- /dev/null
+++ b/aux/binpac/autogen.sh
@@ -0,0 +1,114 @@
+#!/bin/sh
+
+# Initialization script to set up the initial configuration files etc.
+# shtool usage inspired by the autogen script of the ferite scripting
+# language -- cheers Chris :)
+#
+# This is 'borrowed' from netdude, with minor changes for bro 
+
+BLD_ON=`./shtool echo -n -e %B`
+BLD_OFF=`./shtool echo -n -e %b`
+
+srcdir=`dirname $0`
+NAME=binpac
+
+DIE=0
+
+echo
+echo "              "${BLD_ON}"Binpac Build Tools Setup"${BLD_OFF}
+echo "===================================================="
+echo
+echo "Checking whether we have all tools available ..."
+
+(autoconf --version) < /dev/null > /dev/null 2>&1 || {
+  echo
+  echo ${BLD_ON}"Error"${BLD_OFF}": You must have \`autoconf' installed to."
+  echo "Download the appropriate package for your distribution,"
+  echo "or get the source tarball at ftp://ftp.gnu.org/pub/gnu/"
+  DIE=1
+}
+
+(automake --version) < /dev/null > /dev/null 2>&1 || {
+  echo
+  echo ${BLD_ON}"Error"${BLD_OFF}": You must have \`automake' installed."
+  echo "Get ftp://ftp.gnu.org/pub/gnu/automake-1.3.tar.gz"
+  echo "(or a newer version if it is available)"
+  DIE=1
+  NO_AUTOMAKE=yes
+}
+
+# if no automake, don't bother testing for aclocal
+test -n "$NO_AUTOMAKE" || (aclocal --version) < /dev/null > /dev/null 2>&1 || {
+  echo
+  echo ${BLD_ON}"Error"${BLD_OFF}": Missing \`aclocal'.  The version of \`automake'"
+  echo "installed doesn't appear recent enough."
+  echo "Get ftp://ftp.gnu.org/pub/gnu/automake-1.3.tar.gz"
+  echo "(or a newer version if it is available)"
+  DIE=1
+}
+
+if test "$DIE" -eq 1; then
+  exit 1
+fi
+
+echo "All necessary tools found."
+echo
+
+if [ -d autom4te.cache ] ; then
+    echo "Removing autom4te.cache ..."
+    rm -rf autom4te.cache
+    #echo
+    #echo ${BLD_ON}"Error"${BLD_OFF}": autom4te.cache directory exists"
+    #echo "please remove it, and rerun this script"
+    #echo 
+    #exit 1
+fi
+
+echo
+echo "running "${BLD_ON}"aclocal"${BLD_OFF}
+echo "----------------------------------------------------"
+aclocal -I . $ACLOCAL_FLAGS
+if [ $? -ne 0 ]; then
+    echo "*** ERROR($NAME), aborting."
+    exit 1
+fi
+
+echo
+echo "running "${BLD_ON}"autoheader"${BLD_OFF}
+echo "----------------------------------------------------"
+autoheader
+if [ $? -ne 0 ]; then
+    echo "*** ERROR($NAME), aborting."
+    exit 1
+fi
+
+echo
+echo "running "${BLD_ON}"automake"${BLD_OFF}
+echo "----------------------------------------------------"
+automake -a -c 
+if [ $? -ne 0 ]; then
+    echo "*** ERROR($NAME), aborting."
+    exit 1
+fi
+
+echo
+echo "running "${BLD_ON}"autoconf"${BLD_OFF}
+echo "----------------------------------------------------"
+autoconf
+if [ $? -ne 0 ]; then
+    echo "*** ERROR($NAME), aborting."
+    exit 1
+fi
+
+if ! test "x$BROBUILD" = xyes; then
+echo 
+echo "Setup finished. Now run:"
+echo
+echo "  $ "${BLD_ON}"./configure"${BLD_OFF}" (with options as needed, try --help)"
+echo
+echo "and then"
+echo
+echo "  $ "${BLD_ON}"make"${BLD_OFF}
+echo "  # "${BLD_ON}"make install"${BLD_OFF}
+echo
+fi
diff --git a/aux/binpac/configure.in b/aux/binpac/configure.in
new file mode 100644
index 0000000000..e4d4c3074a
--- /dev/null
+++ b/aux/binpac/configure.in
@@ -0,0 +1,55 @@
+AC_INIT
+AC_CONFIG_SRCDIR([src/pac_main.cc])
+
+AC_CANONICAL_SYSTEM
+
+AC_CONFIG_AUX_DIR(.)
+AM_CONFIG_HEADER(config.h)
+AM_INIT_AUTOMAKE(binpac,  esyscmd([tr -d '\n' < VERSION]))
+
+dnl Commands for funkier shell output:
+BLD_ON=`./shtool echo -n -e %B`
+BLD_OFF=`./shtool echo -n -e %b`
+
+dnl ################################################
+dnl # Checks for programs
+dnl ################################################
+AM_PROG_LEX
+AC_PROG_YACC
+AC_PROG_CXX
+AC_PROG_RANLIB
+AC_PROG_INSTALL
+
+m4_ifdef([AC_COMPUTE_INT], [], [AC_DEFUN([AC_COMPUTE_INT], [_AC_COMPUTE_INT([$2],[$1],[$3],[$4])])])
+
+AC_COMPUTE_INT([SIZEOF_UNSIGNED_INT], [sizeof(unsigned int)])
+AC_SUBST(SIZEOF_UNSIGNED_INT)
+
+AC_ARG_ENABLE(debug,
+    [  --enable-debug          no compiler optimizations],
+    debug="yes"
+    CFLAGS="-DDEBUG `echo $CFLAGS | sed -e 's/-O2//'`"
+    CXXFLAGS="-DDEBUG `echo $CXXFLAGS | sed -e 's/-O2//'`",
+    debug="no")
+
+AC_C_BIGENDIAN(
+	AC_DEFINE(WORDS_BIGENDIAN,1,[whether words are stored with the most significant byte first])
+	dnl This is intentionally named differently so as to not collide with WORDS_BIGENDIAN
+	HOST_BIGENDIAN="#define HOST_BIGENDIAN 1"
+	AC_SUBST(HOST_BIGENDIAN))
+
+AC_CONFIG_FILES([
+Makefile 
+src/Makefile 
+lib/Makefile
+lib/binpac.h
+])
+AC_OUTPUT
+
+echo
+echo "                "${BLD_ON}"Binpac Configuration Summary"${BLD_OFF}
+echo "=========================================================="
+echo
+echo "  - Debugging enabled:      "${BLD_ON}$debug${BLD_OFF}
+echo
+exit 0
diff --git a/aux/binpac/lib/Makefile.am b/aux/binpac/lib/Makefile.am
new file mode 100644
index 0000000000..7ff8dca88f
--- /dev/null
+++ b/aux/binpac/lib/Makefile.am
@@ -0,0 +1,8 @@
+## Process this file with automake to produce Makefile.in
+
+noinst_LIBRARIES = libbinpac.a
+
+libbinpac_a_SOURCES = \
+	binpac_buffer.cc binpac_bytestring.cc \
+	binpac.h binpac_analyzer.h binpac_buffer.h \
+	binpac_bytestring.h binpac_exception.h binpac_regex.h
diff --git a/aux/binpac/lib/README b/aux/binpac/lib/README
new file mode 100644
index 0000000000..c57ca2ebab
--- /dev/null
+++ b/aux/binpac/lib/README
@@ -0,0 +1,3 @@
+This directory contains a library needed by generated C++ code from
+binpac. Note that the library is not needed by the binpac compiler
+itself.
diff --git a/aux/binpac/lib/binpac.h.in b/aux/binpac/lib/binpac.h.in
new file mode 100644
index 0000000000..920a699409
--- /dev/null
+++ b/aux/binpac/lib/binpac.h.in
@@ -0,0 +1,142 @@
+// $Id: binpac.h,v 1.1.4.2 2006/06/02 15:13:13 rpang Exp $
+// Do not edit binpac.h, edit binpac.h.in instead!
+
+#ifndef binpac_h
+#define binpac_h
+
+#include <sys/param.h>
+
+@HOST_BIGENDIAN@
+#ifdef HOST_BIGENDIAN
+#  define HOST_BYTEORDER	bigendian
+#else
+#  define HOST_BYTEORDER	littleendian
+#endif
+
+#include <assert.h>
+#include <stdarg.h>
+#include <stdio.h>
+#include <string>
+#include <memory>
+
+#define BINPAC_ASSERT(x)	assert(x)
+
+using namespace std;
+
+namespace binpac {
+
+const int bigendian = 0;
+const int littleendian = 1;
+const int unspecified_byteorder = -1;
+
+#ifndef pac_type_defs
+#define pac_type_defs
+
+typedef char 		int8;
+typedef short 		int16;
+typedef long 		int32;
+typedef unsigned char 	uint8;
+typedef unsigned short 	uint16;
+typedef unsigned int 	uint32;
+typedef void		*nullptr;
+typedef void		*voidptr;
+typedef uint8		*byteptr;
+typedef const uint8	*const_byteptr;
+typedef const char	*const_charptr;
+
+#if @SIZEOF_UNSIGNED_INT@ != 4
+#error "unexpected size of unsigned int"
+#endif
+
+#endif /* pac_type_defs */
+
+/* Handling byte order */
+
+namespace {
+
+inline int16 pac_swap(int16 x)
+	{
+	return (x >> 8) | ((x & 0xff) << 8);
+	}
+
+inline uint16 pac_swap(uint16 x)
+	{
+	return (x >> 8) | ((x & 0xff) << 8);
+	}
+
+inline int32 pac_swap(int32 x)
+	{
+	return 	(x >> 24) | 
+		((x & 0xff0000) >> 8) | 
+		((x & 0xff00) << 8) | 
+		((x & 0xff) << 24);
+	}
+
+inline uint32 pac_swap(uint32 x)
+	{
+	return 	(x >> 24) | 
+		((x & 0xff0000) >> 8) | 
+		((x & 0xff00) << 8) | 
+		((x & 0xff) << 24);
+	}
+
+#define FixByteOrder(byteorder, x)	(byteorder == HOST_BYTEORDER ? (x) : pac_swap(x))
+
+template <class T>
+inline T UnMarshall(const u_char *data, int byteorder)
+	{
+	T result = 0;
+	for ( int i = 0; i < (int) sizeof(T); ++i )
+		result = ( result << 8 ) | 
+			data[byteorder == bigendian ? i : sizeof(T) - 1 - i];
+	return result;
+	}
+
+inline const char* do_fmt(const char* format, va_list ap)
+	{
+	static char buf[1024];
+	vsnprintf(buf, sizeof(buf), format, ap);
+	return buf;
+	}
+
+inline string strfmt(const char* format, ...)
+	{
+	va_list ap;
+	va_start(ap, format);
+	const char* r = do_fmt(format, ap);
+	va_end(ap);
+	return string(r);
+	}
+
+} // anonymous namespace
+
+#define binpac_fmt(x...) strfmt(x).c_str()
+
+class RefCount
+{
+public:
+	RefCount() 	{ count = 1; }
+	void Ref() 	{ ++count; }
+	int Unref() 	{ BINPAC_ASSERT(count > 0); return --count; }
+
+private:
+	int count;
+};
+
+namespace {
+	inline void Unref(RefCount *x)
+		{
+		if ( x && x->Unref() <= 0 )
+			delete x;
+		}
+}  // anonymous namespace
+
+} // namespace binpac
+
+#include "binpac_analyzer.h"
+#include "binpac_buffer.h"
+#include "binpac_bytestring.h"
+#include "binpac_exception.h"
+#include "binpac_regex.h"
+
+#endif /* binpac_h */
diff --git a/aux/binpac/lib/binpac_analyzer.h b/aux/binpac/lib/binpac_analyzer.h
new file mode 100644
index 0000000000..b9228da5de
--- /dev/null
+++ b/aux/binpac/lib/binpac_analyzer.h
@@ -0,0 +1,27 @@
+#ifndef binpac_an_h
+#define binpac_an_h
+
+namespace binpac {
+
+// TODO: Add the Done() function
+
+// The interface for a connection analyzer
+class ConnectionAnalyzer {
+public:
+	virtual ~ConnectionAnalyzer() {}
+	virtual void NewData(bool is_orig,
+	                     const u_char *begin_of_data, 
+	                     const u_char *end_of_data) = 0;
+};
+
+// The interface for a flow analyzer
+class FlowAnalyzer {
+public:
+	virtual ~FlowAnalyzer() {}
+	virtual void NewData(const u_char *begin_of_data, 
+	                     const u_char *end_of_data) = 0;
+};
+
+}  // namespace binpac
+
+#endif  // binpac_an_h
diff --git a/aux/binpac/lib/binpac_buffer.cc b/aux/binpac/lib/binpac_buffer.cc
new file mode 100644
index 0000000000..1b12b58eab
--- /dev/null
+++ b/aux/binpac/lib/binpac_buffer.cc
@@ -0,0 +1,465 @@
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>	// for memcpy
+
+#define binpac_regex_h
+
+#include "binpac.h"
+#include "binpac_buffer.h"
+
+namespace binpac {
+
+extern double network_time();
+
+namespace {
+	const u_char CR = '\r';
+	const u_char LF = '\n';
+}
+
+FlowBuffer::FlowBuffer(LineBreakStyle linebreak_style)
+	{
+	buffer_length_ = 0;
+	buffer_ = 0;
+
+	orig_data_begin_ = 0;
+	orig_data_end_ = 0;
+
+	linebreak_style_ = linebreak_style;
+	ResetLineState();
+
+	mode_ = UNKNOWN_MODE;
+	frame_length_ = 0;
+	chunked_ = false;
+
+	data_seq_at_orig_data_end_ = 0;
+	eof_ = false;
+	have_pending_request_ = false;
+
+	buffer_n_ = 0;
+
+	NewMessage();
+	}
+
+FlowBuffer::~FlowBuffer()
+	{
+	if ( buffer_ )
+		free(buffer_);
+	}
+
+void FlowBuffer::NewMessage()
+	{
+	BINPAC_ASSERT(frame_length_ >= 0);
+
+	int bytes_to_advance = 0;
+	if ( buffer_n_ == 0 ) 
+		{
+		switch ( mode_ ) 
+			{
+			case LINE_MODE:
+				bytes_to_advance = (frame_length_ + 
+					(linebreak_style_ == STRICT_CRLF ? 
+						2 : 1));
+				break;
+			case FRAME_MODE:
+				bytes_to_advance = frame_length_;
+				break;
+			case UNKNOWN_MODE:
+				break;
+			}
+		}
+
+	orig_data_begin_ += bytes_to_advance;
+	BINPAC_ASSERT(orig_data_begin_ <= orig_data_end_);
+
+	buffer_n_ = 0;
+	message_complete_ = false;
+	}
+
+void FlowBuffer::ResetLineState()
+	{
+	switch ( linebreak_style_ )
+		{
+		case CR_OR_LF:
+			state_ = CR_OR_LF_0;
+			break;
+		case STRICT_CRLF:
+			state_ = STRICT_CRLF_0;
+			break;
+		default:
+			BINPAC_ASSERT(0);
+			break;
+		}
+	}
+
+void FlowBuffer::ExpandBuffer(int length)
+	{
+	if ( buffer_length_ >= length )
+		return;
+	// So length > 0
+	if ( length < 512 )
+		length = 512;
+	
+	if ( length < buffer_length_ * 2 )
+		length = buffer_length_ * 2;
+
+	// Allocate a new buffer and copy the existing contents
+	buffer_length_ = length;
+	u_char *new_buf = (u_char *) realloc(buffer_, buffer_length_);
+	BINPAC_ASSERT(new_buf);
+#if 0
+	u_char* new_buf = new u_char[buffer_length_];
+	if ( buffer_ && buffer_n_ > 0 )
+		memcpy(new_buf, buffer_, buffer_n_);
+	delete [] buffer_;
+#endif
+	buffer_ = new_buf;
+	}
+
+void FlowBuffer::NewLine()
+	{
+	FlowBuffer::NewMessage();
+	mode_ = LINE_MODE;
+	frame_length_ = 0;
+	chunked_ = false;
+	have_pending_request_ = true;
+	if ( state_ == FRAME_0 )
+		ResetLineState();
+	MarkOrCopyLine();
+	}
+
+void FlowBuffer::NewFrame(int frame_length, bool chunked)
+	{
+	FlowBuffer::NewMessage();
+	mode_ = FRAME_MODE;
+	frame_length_ = frame_length;
+	chunked_ = chunked;
+	have_pending_request_ = true;
+	MarkOrCopyFrame();
+	}
+
+void FlowBuffer::GrowFrame(int length)
+	{
+	BINPAC_ASSERT(frame_length_ >= 0);
+	if ( length <= frame_length_ )
+		return;
+	BINPAC_ASSERT(! chunked_ || frame_length_ == 0);
+	mode_ = FRAME_MODE;
+	frame_length_ = length;
+	MarkOrCopyFrame();
+	}
+
+void FlowBuffer::DiscardData()
+	{
+	mode_ = UNKNOWN_MODE;
+	message_complete_ = false;
+	have_pending_request_ = false;
+	orig_data_begin_ = orig_data_end_ = 0;
+
+	buffer_n_ = 0;
+	frame_length_ = 0;
+	}
+
+void FlowBuffer::set_eof()
+	{
+	// fprintf(stderr, "EOF\n");
+	eof_ = true;
+	if ( chunked_ )
+		frame_length_ = orig_data_end_ - orig_data_begin_;
+	if ( frame_length_ < 0 )
+		frame_length_ = 0;
+	}
+
+void FlowBuffer::NewData(const_byteptr begin, const_byteptr end)
+	{
+	BINPAC_ASSERT(begin <= end);
+
+	ClearPreviousData();
+
+	BINPAC_ASSERT((buffer_n_ == 0 && message_complete_) || 
+		orig_data_begin_ == orig_data_end_);
+
+	orig_data_begin_ = begin;
+	orig_data_end_ = end;
+	data_seq_at_orig_data_end_ += (end - begin);
+
+	MarkOrCopy();
+	}
+
+void FlowBuffer::MarkOrCopy()
+	{
+	if ( ! message_complete_ )
+		{
+		switch ( mode_ ) 
+			{
+			case LINE_MODE:
+				MarkOrCopyLine();
+				break;
+
+			case FRAME_MODE:
+				MarkOrCopyFrame();
+				break;
+		
+			default:
+				break;
+			}
+		}
+	}
+
+void FlowBuffer::ClearPreviousData()
+	{
+	// All previous data must have been processed or buffered already
+	if ( orig_data_begin_ < orig_data_end_ )
+		{
+		BINPAC_ASSERT(buffer_n_ == 0);
+		if ( chunked_ )
+			{
+			if ( frame_length_ > 0 )
+				{
+				frame_length_ -= 
+					(orig_data_end_ - orig_data_begin_);
+				}
+			orig_data_begin_ = orig_data_end_;
+			}
+		}
+	}
+
+void FlowBuffer::NewGap(int length)
+	{
+	ClearPreviousData();
+
+	if ( chunked_ && frame_length_ >= 0 )
+		{
+		frame_length_ -= length;
+		if ( frame_length_ < 0 )
+			frame_length_ = 0;
+		}
+
+	orig_data_begin_ = orig_data_end_ = 0;
+	MarkOrCopy();
+	}
+
+void FlowBuffer::MarkOrCopyLine()
+	{
+	switch ( linebreak_style_ )
+		{
+		case CR_OR_LF:
+			MarkOrCopyLine_CR_OR_LF();
+			break;
+		case STRICT_CRLF:
+			MarkOrCopyLine_STRICT_CRLF();
+			break;
+		default:
+			BINPAC_ASSERT(0);
+			break;
+		}
+	}
+
+/*
+Finite state automaton for CR_OR_LF:
+(!--line is complete, *--add to buffer)
+
+CR_OR_LF_0:
+	CR:	CR_OR_LF_1 !
+	LF:	CR_OR_LF_0 !
+	.:	CR_OR_LF_0 *
+
+CR_OR_LF_1:
+	CR:	CR_OR_LF_1 !
+	LF:	CR_OR_LF_0
+	.:	CR_OR_LF_0 *
+*/
+
+void FlowBuffer::MarkOrCopyLine_CR_OR_LF()
+	{
+	if ( state_ == CR_OR_LF_1 && 
+	     orig_data_begin_ < orig_data_end_ && *orig_data_begin_ == LF )
+		{
+		state_ = CR_OR_LF_0;
+		++orig_data_begin_;
+		}
+
+	const_byteptr data;
+	for ( data = orig_data_begin_; data < orig_data_end_; ++data )
+		{
+		switch ( *data )
+			{
+			case CR:
+				state_ = CR_OR_LF_1;
+				goto found_end_of_line;
+
+			case LF:
+				// state_ = CR_OR_LF_0;
+				goto found_end_of_line;
+
+			default:
+				// state_ = CR_OR_LF_0;
+				break;
+			}
+		}
+
+	AppendToBuffer(orig_data_begin_, orig_data_end_ - orig_data_begin_);
+	return;
+
+found_end_of_line:
+	if ( buffer_n_ == 0 )
+		{
+		frame_length_ = data - orig_data_begin_;
+		}
+	else
+		{
+		AppendToBuffer(orig_data_begin_, data + 1 - orig_data_begin_);
+		// But eliminate the last CR or LF
+		--buffer_n_;
+		}
+	message_complete_ = true;
+
+#if DEBUG_FLOW_BUFFER
+	fprintf(stderr, "%.6f Line complete: [%s]\n",
+		network_time(),
+		string((const char *) begin(), (const char *) end()).c_str());
+#endif
+	}
+
+/*
+Finite state automaton and STRICT_CRLF:
+(!--line is complete, *--add to buffer)
+
+STRICT_CRLF_0:
+	CR:	STRICT_CRLF_1 *
+	LF:	STRICT_CRLF_0 *
+	.:	STRICT_CRLF_0 *
+
+STRICT_CRLF_1:
+	CR:	STRICT_CRLF_1 *
+	LF:	STRICT_CRLF_0 ! (--buffer_n_)
+	.:	STRICT_CRLF_0 *
+*/
+
+void FlowBuffer::MarkOrCopyLine_STRICT_CRLF()
+	{
+	const_byteptr data;
+	for ( data = orig_data_begin_; data < orig_data_end_; ++data )
+		{
+		switch ( *data )
+			{
+			case CR:
+				state_ = STRICT_CRLF_1;
+				break;
+
+			case LF:
+				if ( state_ == STRICT_CRLF_1 )
+					{
+					state_ = STRICT_CRLF_0;
+					goto found_end_of_line;
+					}
+				break;
+
+			default:
+				state_ = STRICT_CRLF_0;
+				break;
+			}
+		}
+
+	AppendToBuffer(orig_data_begin_, orig_data_end_ - orig_data_begin_);
+	return;
+
+found_end_of_line:
+	if ( buffer_n_ == 0 )
+		{
+		frame_length_ = data - 1 - orig_data_begin_;
+		}
+	else
+		{
+		AppendToBuffer(orig_data_begin_, data + 1 - orig_data_begin_);
+		// Pop the preceding CR and LF from the buffer
+		buffer_n_ -= 2;
+		}
+
+	message_complete_ = true;
+
+#if DEBUG_FLOW_BUFFER
+	fprintf(stderr, "%.6f Line complete: [%s]\n",
+		network_time(),
+		string((const char *) begin(), (const char *) end()).c_str());
+#endif
+	}
+
+// Invariants:
+// 
+// When buffer_n_ == 0:
+// Frame = [orig_data_begin_..(orig_data_begin_ + frame_length_)]
+// 
+// When buffer_n_ > 0:
+// Frame = [0..buffer_n_][orig_data_begin_..]
+
+void FlowBuffer::MarkOrCopyFrame()
+	{
+	if ( mode_ == FRAME_MODE && state_ == CR_OR_LF_1 && 
+	     orig_data_begin_ < orig_data_end_ )
+		{
+		// Skip the lingering LF
+		if ( *orig_data_begin_ == LF )
+			{
+			++orig_data_begin_;
+			}
+		state_ = FRAME_0;
+		}
+
+	if ( buffer_n_ == 0 )
+		{
+		// If there is enough data
+		if ( frame_length_ >= 0 &&
+		     orig_data_end_ - orig_data_begin_ >= frame_length_ )
+			{
+			// Do nothing except setting the message complete flag
+			message_complete_ = true;
+			}
+		else 
+			{
+			if ( ! chunked_ )
+				{
+				AppendToBuffer(orig_data_begin_, 
+					orig_data_end_ - orig_data_begin_);
+				}
+			message_complete_ = false;
+			}
+		}
+	else
+		{
+		BINPAC_ASSERT(!chunked_);
+		int bytes_to_copy = orig_data_end_ - orig_data_begin_;
+		message_complete_ = false;
+		if ( frame_length_ >= 0 && buffer_n_ + bytes_to_copy >= frame_length_ ) 
+			{
+			bytes_to_copy = frame_length_ - buffer_n_;
+			message_complete_ = true;
+			}
+		AppendToBuffer(orig_data_begin_, bytes_to_copy);
+		}
+
+#if DEBUG_FLOW_BUFFER
+	if ( message_complete_ )
+		{
+		fprintf(stderr, "%.6f frame complete: [%s]\n",
+			network_time(),
+			string((const char *) begin(), 
+				(const char *) end()).c_str());
+		}
+#endif
+	}
+
+void FlowBuffer::AppendToBuffer(const_byteptr data, int len)
+	{
+	if ( len <= 0 )
+		return;
+
+	BINPAC_ASSERT(! chunked_);
+	ExpandBuffer(buffer_n_ + len);
+	memcpy(buffer_ + buffer_n_, data, len);
+	buffer_n_ += len;
+
+	orig_data_begin_ += len;
+	BINPAC_ASSERT(orig_data_begin_ <= orig_data_end_);
+	}
+
+}  // namespace binpac
diff --git a/aux/binpac/lib/binpac_buffer.h b/aux/binpac/lib/binpac_buffer.h
new file mode 100644
index 0000000000..2eb197e7b9
--- /dev/null
+++ b/aux/binpac/lib/binpac_buffer.h
@@ -0,0 +1,148 @@
+#ifndef binpac_buffer_h
+#define binpac_buffer_h
+
+#include <sys/types.h>
+#include "binpac.h"
+
+namespace binpac {
+
+class FlowBuffer {
+public:
+	enum LineBreakStyle { 
+		CR_OR_LF, 	// CR or LF or CRLF
+		STRICT_CRLF, 	// CR followed by LF
+		CR_LF_NUL,	// CR or LF or CR-LF or CR-NUL
+	};
+
+	FlowBuffer(LineBreakStyle linebreak_style = CR_OR_LF);
+	virtual ~FlowBuffer();
+
+	void NewData(const_byteptr begin, const_byteptr end);
+	void NewGap(int length);
+
+	// Discard unprocessed data
+	void DiscardData();
+
+	// Whether there is enough data for the frame
+	bool ready() const{ return message_complete_ || mode_ == UNKNOWN_MODE; }
+
+	inline const_byteptr begin() const
+		{
+		BINPAC_ASSERT(ready());
+		return ( buffer_n_ == 0 ) ? 
+			orig_data_begin_ : buffer_;
+		}
+
+	inline const_byteptr end() const
+		{
+		BINPAC_ASSERT(ready());
+		if ( buffer_n_ == 0 )
+			{
+			BINPAC_ASSERT(frame_length_ >= 0);
+			const_byteptr end = orig_data_begin_ + frame_length_;
+			BINPAC_ASSERT(end <= orig_data_end_);
+			return end;
+			}
+		else
+			return buffer_ + buffer_n_;
+		}
+
+	inline int data_length() const
+		{
+		if ( buffer_n_ > 0 ) 
+			return buffer_n_;
+
+		if ( frame_length_ < 0 ||
+		     orig_data_begin_ + frame_length_ > orig_data_end_ )
+			return orig_data_end_ - orig_data_begin_;
+		else
+			return frame_length_;
+		}
+
+	inline bool data_available() const
+	        {
+		return buffer_n_ > 0 || orig_data_end_ > orig_data_begin_;
+		}
+
+	void NewLine();
+	// A negative frame_length represents a frame till EOF
+	void NewFrame(int frame_length, bool chunked_);
+	void GrowFrame(int new_frame_length);
+
+	int data_seq() const
+		{ 
+		int data_seq_at_orig_data_begin = 
+			data_seq_at_orig_data_end_ - 
+			(orig_data_end_ - orig_data_begin_);
+		if ( buffer_n_ > 0 )
+			return data_seq_at_orig_data_begin;
+		else
+			return data_seq_at_orig_data_begin + data_length(); 
+		}
+	bool eof() const	{ return eof_; }
+	void set_eof();
+
+	bool have_pending_request() const { return have_pending_request_; }
+
+protected:
+	// Reset the buffer for a new message
+	void NewMessage();
+
+	void ClearPreviousData();
+
+	// Expand the buffer to at least <length> bytes. If there 
+	// are contents in the existing buffer, copy them to the new
+	// buffer.
+	void ExpandBuffer(int length);
+
+	// Reset line state when transit from frame mode to line mode.
+	void ResetLineState();
+
+	void AppendToBuffer(const_byteptr data, int len);
+
+	// MarkOrCopy{Line,Frame} sets message_complete_ and
+	// marks begin/end pointers if a line/frame is complete, 
+	// otherwise it clears message_complete_ and copies all 
+	// the original data to the buffer.
+	//
+	void MarkOrCopy();
+	void MarkOrCopyLine();
+	void MarkOrCopyFrame();
+
+	void MarkOrCopyLine_CR_OR_LF();
+	void MarkOrCopyLine_STRICT_CRLF();
+
+	int 	buffer_n_;		// number of bytes in the buffer
+	int 	buffer_length_;	// size of the buffer
+	u_char	*buffer_;
+	bool 	message_complete_;
+	int 	frame_length_;
+	bool	chunked_;
+	const_byteptr orig_data_begin_, orig_data_end_;
+
+	LineBreakStyle linebreak_style_;
+
+	enum {
+		UNKNOWN_MODE,
+		LINE_MODE,
+		FRAME_MODE,
+	} mode_;
+
+	enum {
+		CR_OR_LF_0,
+		CR_OR_LF_1,
+		STRICT_CRLF_0,
+		STRICT_CRLF_1,
+		FRAME_0,
+	} state_;
+
+	int 	data_seq_at_orig_data_end_;
+	bool 	eof_;
+	bool    have_pending_request_;
+};
+
+typedef FlowBuffer *flow_buffer_t;
+
+}  // namespace binpac
+
+#endif // binpac_buffer_h
diff --git a/aux/binpac/lib/binpac_bytestring.cc b/aux/binpac/lib/binpac_bytestring.cc
new file mode 100644
index 0000000000..b74fe369b1
--- /dev/null
+++ b/aux/binpac/lib/binpac_bytestring.cc
@@ -0,0 +1,24 @@
+#define binpac_regex_h
+
+#include <stdlib.h>
+#include "binpac_bytestring.h"
+
+namespace binpac 
+{
+
+std::string std_string(bytestring const *s)
+	{
+	return std::string((const char *) s->begin(), (const char *) s->end());
+	}
+
+int bytestring_to_int(bytestring const *s)
+	{
+	return atoi((const char *) s->begin());
+	}
+
+double bytestring_to_double(bytestring const *s)
+	{
+	return atof((const char *) s->begin());
+	}
+
+}  // namespace binpac
diff --git a/aux/binpac/lib/binpac_bytestring.h b/aux/binpac/lib/binpac_bytestring.h
new file mode 100644
index 0000000000..13d1879aed
--- /dev/null
+++ b/aux/binpac/lib/binpac_bytestring.h
@@ -0,0 +1,199 @@
+#ifndef binpac_bytestring_h
+#define binpac_bytestring_h
+
+#include <string.h>
+#include <string>
+#include "binpac.h"
+
+namespace binpac
+{
+
+template<class T> class datastring;
+
+template <class T>
+class const_datastring
+{
+public:
+	const_datastring()
+		: begin_(0), end_(0)
+		{ 
+		}
+
+	const_datastring(T const *data, int length)
+		: begin_(data), end_(data + length)
+		{
+		}
+
+	const_datastring(const T *begin, const T *end)
+		: begin_(begin), end_(end)
+		{
+		}
+
+	const_datastring(datastring<T> const &s)
+		: begin_(s.begin()), end_(s.end())
+		{
+		}
+
+	void init(const T *data, int length)
+		{
+		begin_ = data;
+		end_ = data + length;
+		}
+
+	T const *begin() const	{ return begin_; }
+	T const *end() const	{ return end_; }
+	int length() const	{ return end_ - begin_; }
+
+	T const &operator[](int index) const
+		{
+		return begin()[index];
+		}
+
+	bool operator==(const_datastring<T> const &s)
+		{
+		if ( length() != s.length() )
+			return false;
+		return memcmp((const void *) begin(), (const void *) s.begin(),
+			sizeof(T) * length()) == 0;
+		}
+
+	void set_begin(T const *begin)	{ begin_ = begin; }
+	void set_end(T const *end)	{ end_ = end; }
+
+private:
+	T const *begin_; 
+	T const *end_;
+};
+
+typedef const_datastring<uint8>	const_bytestring;
+
+template<class T>
+class datastring
+{
+public:
+	datastring()
+		{ 
+		clear();
+		}
+
+	datastring(T *data, int len)
+		{
+		set(data, len);
+		}
+
+	datastring(T const *begin, T const *end)
+		{
+		set_const(begin, end - begin);
+		}
+
+	datastring(datastring<T> const &x)
+		: data_(x.data()), length_(x.length())
+		{
+		}
+
+	explicit datastring(const_datastring<T> const &x)
+		{
+		set_const(x.begin(), x.length());
+		}
+
+	datastring const &operator=(datastring<T> const &x)
+		{
+		BINPAC_ASSERT(!data_);
+		set(x.data(), x.length());
+		return *this;
+		}
+
+	void init(T const *begin, int length)
+		{
+		BINPAC_ASSERT(!data_);
+		set_const(begin, length);
+		}
+
+	void clear()
+		{
+		data_ = 0; length_ = 0;
+		}
+
+	void free()
+		{
+		if ( data_ )
+			delete [] data_;
+		clear();
+		}
+
+	void clone()
+		{
+		set_const(begin(), length());
+		}
+
+	datastring const &operator=(const_datastring<T> const &x)
+		{
+		BINPAC_ASSERT(!data_);
+		set_const(x.begin(), x.length());
+		return *this;
+		}
+
+	T const &operator[](int index) const
+		{
+		return begin()[index];
+		}
+
+	T *data() const		{ return data_; }
+	int length() const	{ return length_; }
+
+	T const *begin() const	{ return data_; }
+	T const *end() const	{ return data_ + length_; }
+
+private:
+	void set(T *data, int len)
+		{
+		data_ = data;
+		length_ = len;
+		}
+
+	void set_const(T const *data, int len)
+		{
+		length_ = len;
+		data_ = new T[len + 1];
+		memcpy(data_, data, sizeof(T) * len);
+		data_[len] = 0;
+		}
+
+	T * data_;
+	int length_;
+};
+
+typedef datastring<uint8> bytestring;
+
+inline const char *c_str(bytestring const &s)
+	{
+	return (const char *) s.begin();
+	}
+
+inline std::string std_str(const_bytestring const &s) 
+	{
+	return std::string((const char *) s.begin(), (const char *) s.end());
+	}
+
+inline bool operator==(bytestring const &s1, const char *s2)
+	{
+	return strcmp(c_str(s1), s2) == 0;
+	}
+
+inline void get_pointers(const_bytestring const &s, 
+		uint8 const **pbegin, uint8 const **pend)
+	{
+	*pbegin = s.begin();
+	*pend = s.end();
+	}
+
+inline void get_pointers(bytestring const *s, 
+		uint8 const **pbegin, uint8 const **pend)
+	{
+	*pbegin = s->begin();
+	*pend = s->end();
+	}
+
+} // namespace binpac
+
+#endif  // binpac_bytestring_h
diff --git a/aux/binpac/lib/binpac_exception.h b/aux/binpac/lib/binpac_exception.h
new file mode 100644
index 0000000000..3feda3d69d
--- /dev/null
+++ b/aux/binpac/lib/binpac_exception.h
@@ -0,0 +1,112 @@
+#ifndef binpac_exception_h
+#define binpac_exception_h
+
+namespace binpac {
+
+class Exception
+{
+public:
+	Exception(const char* m = 0)
+		: msg_("binpac exception: ")
+		{
+		if ( m )
+			append(m);
+		// abort();
+		}
+
+	void append(string m) 		{ msg_ += m; }
+	string msg() const		{ return msg_; }
+	const char* c_msg() const 	{ return msg().c_str(); }
+
+protected:
+	string msg_;
+};
+
+class ExceptionOutOfBound : public Exception
+{
+public:
+	ExceptionOutOfBound(const char* where, int len_needed, int len_given)
+		{
+		append(binpac_fmt("out_of_bound: %s: %d > %d", 
+			where, len_needed, len_given));
+		}
+};
+
+class ExceptionInvalidCase : public Exception
+{
+public:
+	ExceptionInvalidCase(const char* location, 
+			int index,
+			const char *expected)
+		: location_(location), 
+		  index_(index), 
+		  expected_(expected)
+		{
+		append(binpac_fmt("invalid case: %s: %d (%s)",
+			location, index, expected));
+		}
+
+protected:
+	const char* location_;
+	int index_;
+	string expected_;
+};
+
+class ExceptionInvalidCaseIndex : public Exception
+{
+public:
+	ExceptionInvalidCaseIndex(const char* location, 
+			int index)
+		: location_(location), 
+		  index_(index)
+		{
+		append(binpac_fmt("invalid index for case: %s: %d",
+			location, index));
+		}
+
+protected:
+	const char* location_;
+	int index_;
+};
+
+class ExceptionInvalidOffset : public Exception
+{
+public:
+	ExceptionInvalidOffset(const char* location, 
+			int min_offset, int offset)
+		: location_(location), 
+		  min_offset_(min_offset), offset_(offset)
+		{
+		append(binpac_fmt("invalid offset: %s: min_offset = %d, offset = %d",
+			location, min_offset, offset));
+		}
+
+protected:
+	const char* location_;
+	int min_offset_, offset_;
+};
+
+class ExceptionStringMismatch : public Exception
+{
+public:
+	ExceptionStringMismatch(const char* location, 
+			const char *expected, const char *actual_data)
+		{
+		append(binpac_fmt("string mismatch at %s: \nexpected pattern: \"%s\"\nactual data: \"%s\"",
+			location, expected, actual_data));
+		}
+};
+
+class ExceptionInvalidStringLength : public Exception
+{
+public:
+	ExceptionInvalidStringLength(const char* location, int len)
+		{
+		append(binpac_fmt("invalid length string: %s: %d",
+			location, len));
+		}
+};
+
+}
+
+#endif  // binpac_exception_h
diff --git a/aux/binpac/lib/binpac_regex.cc b/aux/binpac/lib/binpac_regex.cc
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/aux/binpac/lib/binpac_regex.h b/aux/binpac/lib/binpac_regex.h
new file mode 100644
index 0000000000..b41e6dbb90
--- /dev/null
+++ b/aux/binpac/lib/binpac_regex.h
@@ -0,0 +1,43 @@
+#ifndef binpac_regex_h
+#define binpac_regex_h
+
+#include "binpac.h"
+#include "RE.h"
+
+class RE_Matcher;
+
+namespace binpac
+{
+
+class RegExMatcher {
+public:
+	RegExMatcher(const char *pattern)
+		: pattern_(pattern)
+		{
+		re_matcher_ = 0;
+		}
+
+	~RegExMatcher()
+		{
+		delete re_matcher_;
+		}
+
+	// Returns the length of longest match, or -1 on mismatch.
+	int MatchPrefix(const_byteptr data, int len)
+		{
+		if ( ! re_matcher_ )
+			{
+			re_matcher_ = new RE_Matcher(pattern_.c_str());
+			re_matcher_->Compile();
+			}
+		return re_matcher_->MatchPrefix(data, len);
+		}
+
+private:
+	string pattern_;
+	RE_Matcher *re_matcher_;
+};
+
+}  // namespace binpac
+
+#endif  // binpac_regex_h
diff --git a/aux/binpac/patches/binpac-1.patch b/aux/binpac/patches/binpac-1.patch
new file mode 100644
index 0000000000..ade4e41065
--- /dev/null
+++ b/aux/binpac/patches/binpac-1.patch
@@ -0,0 +1,31 @@
+diff -urN bro-1.2.1-orig/src/binpac/pac_expr.cc bro-1.2.1-ssl-binpac/src/binpac/pac_expr.cc
+--- bro-1.2.1-orig/src/binpac/pac_expr.cc	2006-07-26 15:02:40.000000000 -0700
++++ bro-1.2.1-ssl-binpac/src/binpac/pac_expr.cc	2007-05-04 14:31:11.728494000 -0700
+@@ -776,6 +776,27 @@
+ 			}
+ 			break;
+ 
++		case EXPR_CALLARGS:
++		        {
++		        mhs = 0;
++			if ( args_ )
++			        for ( uint i = 0; i < args_->size(); ++i )
++				        mhs = mhs_max(mhs, args_->at(i)->MinimalHeaderSize(env));
++			}
++		        break;
++		case EXPR_CASE:
++		        {
++		        mhs = operand_[0]->MinimalHeaderSize(env);
++			for ( uint i = 0; i < cases_->size(); ++i )
++			        {
++				CaseExpr * ce = cases_->at(i);
++				if ( ce->index() )
++				        for ( uint j = 0; j < ce->index()->size(); ++j )
++						mhs = mhs_max(mhs, ce->index()->at(j)->MinimalHeaderSize(env));
++				mhs = mhs_max(mhs, ce->value()->MinimalHeaderSize(env));
++				}
++			}
++			break;
+ 		default:
+ 			// Evaluate every operand by default
+ 			mhs = 0;
diff --git a/aux/binpac/patches/binpac-2.patch b/aux/binpac/patches/binpac-2.patch
new file mode 100644
index 0000000000..378c33027a
--- /dev/null
+++ b/aux/binpac/patches/binpac-2.patch
@@ -0,0 +1,97 @@
+diff -urN bro-1.2.1-orig/src/binpac/pac_expr.cc bro-1.2.1-ssl-binpac/src/binpac/pac_expr.cc
+--- bro-1.2.1-orig/src/binpac/pac_expr.cc	2006-07-26 15:02:40.000000000 -0700
++++ bro-1.2.1-ssl-binpac/src/binpac/pac_expr.cc	2007-05-04 14:31:11.728494000 -0700
+@@ -245,6 +245,12 @@
+ 	out_cc->println("%s %s;", 
+ 	                val_type->DataTypeStr().c_str(), 
+ 	                env->LValue(val_var));
++
++	// force evaluation of IDs appearing in case stmt
++       operand_[0]->ForceIDEval(out_cc, env);
++	foreach(i, CaseExprList, cases_)
++		(*i)->value()->ForceIDEval(out_cc, env);
++
+ 	out_cc->println("switch ( %s )", operand_[0]->EvalExpr(out_cc, env));
+ 
+ 	out_cc->inc_indent();
+@@ -386,6 +392,49 @@
+ 		}
+ 	}
+ 
++void Expr::ForceIDEval(Output* out_cc, Env* env)
++        {
++	switch ( expr_type_ )
++		{
++		case EXPR_NUM:
++		case EXPR_SIZEOF:
++		case EXPR_OFFSETOF:
++			break;
++
++		case EXPR_ID:
++			if ( ! env->Evaluated(id_) )
++				env->Evaluate(out_cc, id_);
++			break;
++
++		case EXPR_MEMBER:
++			operand_[0]->ForceIDEval(out_cc, env);
++			break;
++
++		case EXPR_CALLARGS:
++		        {
++		        foreach(i, ExprList, args_)
++			        (*i)->ForceIDEval(out_cc, env);
++			}
++			break;
++
++		case EXPR_CASE:
++		        {
++		        operand_[0]->ForceIDEval(out_cc, env);
++			foreach(i, CaseExprList, cases_)
++				(*i)->value()->ForceIDEval(out_cc, env);
++		        }
++			break;
++
++		default:
++			// Evaluate every operand by default
++			for ( int i = 0; i < 3; ++i )
++				if ( operand_[i] )
++					operand_[i]->ForceIDEval(out_cc, env);
++			break;
++		}
++	}
++
++
+ const char* Expr::EvalExpr(Output* out_cc, Env* env)
+ 	{
+ 	GenEval(out_cc, env);
+diff -urN bro-1.2.1-orig/src/binpac/pac_expr.h bro-1.2.1-ssl-binpac/src/binpac/pac_expr.h
+--- bro-1.2.1-orig/src/binpac/pac_expr.h	2006-07-26 15:02:39.000000000 -0700
++++ bro-1.2.1-ssl-binpac/src/binpac/pac_expr.h	2007-05-04 14:16:31.624287000 -0700
+@@ -56,6 +56,11 @@
+ 	//
+ 	const char *EvalExpr(Output *out, Env *env);
+ 
++	// force evaulation of IDs contained in this expression;
++	// necessary with case expr and conditional let fields (&if)
++	// for correct parsing of fields
++	void ForceIDEval(Output *out_cc, Env *env);
++
+ 	// Returns the set_* function of the expression. 
+ 	// The expression must be of form ID or x.ID.
+ 	string SetFunc(Output *out, Env *env);
+diff -urN bro-1.2.1-orig/src/binpac/pac_let.cc bro-1.2.1-ssl-binpac/src/binpac/pac_let.cc
+--- bro-1.2.1-orig/src/binpac/pac_let.cc	2006-07-26 15:02:39.000000000 -0700
++++ bro-1.2.1-ssl-binpac/src/binpac/pac_let.cc	2007-05-04 15:32:09.695568000 -0700
+@@ -80,7 +80,12 @@
+ 	if ( type_->attr_if_expr() )
+ 		{
+ 		// A conditional field
++
+ 		env->Evaluate(out_cc, type_->has_value_var());
++
++		// force evaluation of IDs contained in this expr
++		expr()->ForceIDEval(out_cc, env);
++
+ 		out_cc->println("if ( %s )", 
+ 			env->RValue(type_->has_value_var()));
+ 		out_cc->inc_indent();
diff --git a/aux/binpac/patches/binpac-3.patch b/aux/binpac/patches/binpac-3.patch
new file mode 100644
index 0000000000..9832a245b6
--- /dev/null
+++ b/aux/binpac/patches/binpac-3.patch
@@ -0,0 +1,37 @@
+diff -urN bro-1.2.1-orig/src/binpac/pac_let.cc bro-1.2.1-ssl-binpac/src/binpac/pac_let.cc
+--- bro-1.2.1-orig/src/binpac/pac_let.cc	2006-07-26 15:02:39.000000000 -0700
++++ bro-1.2.1-ssl-binpac/src/binpac/pac_let.cc	2007-05-04 15:32:09.695568000 -0700
+@@ -108,11 +108,6 @@
+ void LetField::GenEval(Output* out_cc, Env* env)
+ 	{
+ 	GenParseCode(out_cc, env);
+-	if ( type_->attr_if_expr() )
+-		{
+-		out_cc->println("BINPAC_ASSERT(%s);", 
+-			env->RValue(type_->has_value_var()));
+-		}
+ 	}
+ 
+ LetDecl::LetDecl(ID *id, Type *type, Expr *expr)
+diff -urN bro-1.2.1-orig/src/binpac/pac_type.cc bro-1.2.1-ssl-binpac/src/binpac/pac_type.cc
+--- bro-1.2.1-orig/src/binpac/pac_type.cc	2006-07-26 15:02:40.000000000 -0700
++++ bro-1.2.1-ssl-binpac/src/binpac/pac_type.cc	2007-05-24 10:56:42.140658000 -0700
+@@ -316,9 +316,15 @@
+ 	{
+ 	if ( DefineValueVar() )
+ 		{
+-		out_h->println("%s %s const	{ return %s; }", 
+-			DataTypeConstRefStr().c_str(), 
+-			env->RValue(value_var()), lvalue());
++		if ( attr_if_expr_ )
++		        out_h->println("%s %s const { BINPAC_ASSERT(%s); return %s; }",
++			        DataTypeConstRefStr().c_str(), 
++			        env->RValue(value_var()),
++			        env->RValue(has_value_var()), lvalue());
++		else
++		        out_h->println("%s %s const { return %s; }",
++			        DataTypeConstRefStr().c_str(), 
++			        env->RValue(value_var()), lvalue());
+ 		}
+ 
+ 	foreach (i, FieldList, fields_)
diff --git a/aux/binpac/patches/binpac-4.patch b/aux/binpac/patches/binpac-4.patch
new file mode 100644
index 0000000000..560fb4051b
--- /dev/null
+++ b/aux/binpac/patches/binpac-4.patch
@@ -0,0 +1,12 @@
+diff -urN bro-1.2.1-orig/src/binpac/pac_record.cc bro-1.2.1-ssl-binpac/src/binpac/pac_record.cc
+--- bro-1.2.1-orig/src/binpac/pac_record.cc	2006-07-26 15:02:40.000000000 -0700
++++ bro-1.2.1-ssl-binpac/src/binpac/pac_record.cc	2007-05-08 16:13:33.373850000 -0700
+@@ -123,7 +123,7 @@
+ void RecordType::DoGenParseCode(Output* out_cc, Env* env, 
+ 		const DataPtr& data, int flags)
+ 	{
+-	if ( StaticSize(env) >= 0 )
++	if ( !incremental_input() && StaticSize(env) >= 0 )
+ 		GenBoundaryCheck(out_cc, env, data);
+ 
+ 	if ( incremental_parsing() )
diff --git a/aux/binpac/patches/binpac-5.patch b/aux/binpac/patches/binpac-5.patch
new file mode 100644
index 0000000000..ae31fa1711
--- /dev/null
+++ b/aux/binpac/patches/binpac-5.patch
@@ -0,0 +1,66 @@
+diff -urN bro-1.2.1-orig/src/binpac/pac_paramtype.cc bro-1.2.1-ssl-binpac/src/binpac/pac_paramtype.cc
+--- bro-1.2.1-orig/src/binpac/pac_paramtype.cc	2006-07-26 15:02:40.000000000 -0700
++++ bro-1.2.1-ssl-binpac/src/binpac/pac_paramtype.cc	2007-05-10 15:09:47.470104000 -0700
+@@ -208,7 +208,13 @@
+ 	const char *parse_func;
+ 	string parse_params;
+ 
+-	if ( ref_type->incremental_input() )
++	if ( buffer_mode() == BUFFER_NOTHING )
++	        {
++		ASSERT(!ref_type->incremental_input());
++		parse_func = kParseFuncWithoutBuffer;
++		parse_params = "0, 0";
++		}
++	else if ( ref_type->incremental_input() )
+ 		{
+ 		parse_func = kParseFuncWithBuffer;
+ 		parse_params = env->RValue(flow_buffer_id);
+@@ -239,15 +245,24 @@
+ 
+ 	if ( incremental_input() )
+ 		{
+-		ASSERT(parsing_complete_var());
+-		out_cc->println("%s = %s;",
+-			env->LValue(parsing_complete_var()),
+-			call_parse_func.c_str());
+-
+-		// parsing_complete_var might have been already
+-		// evaluated when set to false
+-		if ( ! env->Evaluated(parsing_complete_var()) )
+-			env->SetEvaluated(parsing_complete_var());
++		if ( buffer_mode() == BUFFER_NOTHING )
++		        {
++		        out_cc->println("%s;", call_parse_func.c_str());
++			out_cc->println("%s = true;", 
++				env->LValue(parsing_complete_var()));
++			}
++		else
++		        {
++			ASSERT(parsing_complete_var());
++			out_cc->println("%s = %s;",
++				env->LValue(parsing_complete_var()),
++				call_parse_func.c_str());
++
++			// parsing_complete_var might have been already
++			// evaluated when set to false
++			if ( ! env->Evaluated(parsing_complete_var()) )
++			        env->SetEvaluated(parsing_complete_var());
++			}
+ 		}
+ 	else
+ 		{
+diff -urN bro-1.2.1-orig/src/binpac/pac_type.cc bro-1.2.1-ssl-binpac/src/binpac/pac_type.cc
+--- bro-1.2.1-orig/src/binpac/pac_type.cc	2006-07-26 15:02:40.000000000 -0700
++++ bro-1.2.1-ssl-binpac/src/binpac/pac_type.cc	2007-05-24 10:56:42.140658000 -0700
+@@ -501,8 +501,8 @@
+ 
+ 		if ( buffer_mode() == BUFFER_NOTHING )
+ 			{
+-			out_cc->println("%s = true;", 
+-				env->LValue(parsing_complete_var()));
++			// this is the empty type
++			DoGenParseCode(out_cc, env, data, flags);
+ 			}
+ 		else if ( buffer_input() )
+ 			{
diff --git a/aux/binpac/patches/binpac-6.patch b/aux/binpac/patches/binpac-6.patch
new file mode 100644
index 0000000000..fec16c1084
--- /dev/null
+++ b/aux/binpac/patches/binpac-6.patch
@@ -0,0 +1,28 @@
+diff -urN bro-1.2.1-orig/src/binpac/lib/binpac_buffer.h bro-1.2.1-ssl-binpac/src/binpac/lib/binpac_buffer.h
+--- bro-1.2.1-orig/src/binpac/lib/binpac_buffer.h	2006-07-26 15:02:38.000000000 -0700
++++ bro-1.2.1-ssl-binpac/src/binpac/lib/binpac_buffer.h	2007-05-09 16:14:54.501656000 -0700
+@@ -59,6 +59,11 @@
+ 			return frame_length_;
+ 		}
+ 
++	inline bool data_available() const
++	        {
++		return buffer_n_ > 0 || orig_data_end_ > orig_data_begin_;
++		}
++
+ 	void NewLine();
+ 	// A negative frame_length represents a frame till EOF
+ 	void NewFrame(int frame_length, bool chunked_);
+diff -urN bro-1.2.1-orig/src/binpac/pac_flow.cc bro-1.2.1-ssl-binpac/src/binpac/pac_flow.cc
+--- bro-1.2.1-orig/src/binpac/pac_flow.cc	2006-10-12 14:13:12.000000000 -0700
++++ bro-1.2.1-ssl-binpac/src/binpac/pac_flow.cc	2007-05-22 16:43:55.997562000 -0700
+@@ -272,7 +272,8 @@
+ 		env_->RValue(begin_of_data), 
+ 		env_->RValue(end_of_data)); 
+ 
+-	out_cc->println("while ( true )");
++	out_cc->println("while ( %s->data_available() )",
++		env_->LValue(flow_buffer_id));
+ 	out_cc->inc_indent();
+ 	out_cc->println("{");
+ 
diff --git a/aux/binpac/patches/binpac-7.patch b/aux/binpac/patches/binpac-7.patch
new file mode 100644
index 0000000000..263f00bf2c
--- /dev/null
+++ b/aux/binpac/patches/binpac-7.patch
@@ -0,0 +1,21 @@
+diff -urN bro-1.2.1-orig/src/binpac/pac_type.cc bro-1.2.1-ssl-binpac/src/binpac/pac_type.cc
+--- bro-1.2.1-orig/src/binpac/pac_type.cc	2006-07-26 15:02:40.000000000 -0700
++++ bro-1.2.1-ssl-binpac/src/binpac/pac_type.cc	2007-05-24 10:56:42.140658000 -0700
+@@ -393,7 +393,7 @@
+ 			break;
+ 
+ 		case BUFFER_BY_LENGTH:
+-			if ( buffering_state_var_field_ )
++		        if ( env->GetDataType(buffering_state_id) )
+ 				{
+ 				out_cc->println("if ( %s == 0 )",
+ 					env->RValue(buffering_state_id));
+@@ -421,7 +421,7 @@
+ 				frame_buffer_arg.c_str(),
+ 				attr_chunked() ? "true" : "false");
+ 
+-			if ( buffering_state_var_field_ )
++			if ( env->GetDataType(buffering_state_id) )
+ 				{
+ 				out_cc->println("%s = 1;",
+ 					env->LValue(buffering_state_id));
diff --git a/aux/binpac/patches/binpac-8.patch b/aux/binpac/patches/binpac-8.patch
new file mode 100644
index 0000000000..b69a1676dd
--- /dev/null
+++ b/aux/binpac/patches/binpac-8.patch
@@ -0,0 +1,190 @@
+diff -urN bro-1.2.1-orig/src/binpac/pac_analyzer.cc bro-1.2.1-ssl-binpac/src/binpac/pac_analyzer.cc
+--- bro-1.2.1-orig/src/binpac/pac_analyzer.cc	2006-07-26 15:02:40.000000000 -0700
++++ bro-1.2.1-ssl-binpac/src/binpac/pac_analyzer.cc	2007-05-22 17:00:10.091531000 -0700
+@@ -26,8 +26,9 @@
+ 	helpers_ = new AnalyzerHelperList();
+ 	functions_ = new FunctionList();
+ 
+-	constructor_helper_ = 0;
+-	destructor_helper_ = 0;
++	constructor_helpers_ = new AnalyzerHelperList();
++	destructor_helpers_ = new AnalyzerHelperList();
++	eof_helpers_ = new AnalyzerHelperList();
+ 
+ 	SetAnalyzerContext();
+ 
+@@ -41,6 +42,9 @@
+ 	delete_list(AnalyzerHelperList, helpers_);
+ 	delete_list(FunctionList, functions_);
+ 	delete_list(ParamList, params_);
++	delete_list(AnalyzerHelperList, constructor_helpers_);
++	delete_list(AnalyzerHelperList, destructor_helpers_);
++	delete_list(AnalyzerHelperList, eof_helpers_);
+ 	}
+ 
+ void AnalyzerDecl::AddElements(AnalyzerElementList *elemlist)
+@@ -75,28 +79,20 @@
+ 				AnalyzerHelper *helper_elem = 
+ 					(AnalyzerHelper *) elem;
+ 
+-				if ( helper_elem->helper_type() == 
+-				     AnalyzerHelper::INIT_CODE)
+-					{
+-					if ( constructor_helper_ )
+-						{
+-						throw Exception(elem,
+-							"Repeated definition of %init code");
+-						}
+-					constructor_helper_ = helper_elem;
++				switch ( helper_elem->helper_type() )
++				        {
++					case AnalyzerHelper::INIT_CODE:
++					        constructor_helpers_->push_back(helper_elem);
++						break;
++					case AnalyzerHelper::CLEANUP_CODE:
++ 				                destructor_helpers_->push_back(helper_elem);
++						break;
++					case AnalyzerHelper::EOF_CODE:
++					        eof_helpers_->push_back(helper_elem);
++						break;
++					default:
++					        helpers_->push_back(helper_elem);
+ 					}
+-				else if ( helper_elem->helper_type() == 
+-				          AnalyzerHelper::CLEANUP_CODE)
+-					{
+-					if ( destructor_helper_ )
+-						{
+-						throw Exception(elem,
+-							"Repeated definition of %cleanup code");
+-						}
+-					destructor_helper_ = helper_elem;
+-					}
+-				else
+-					helpers_->push_back(helper_elem);
+ 				}
+ 				break;
+ 			case AnalyzerElement::FUNCTION:
+@@ -217,15 +213,19 @@
+ void AnalyzerDecl::GenInitCode(Output *out_cc)
+ 	{
+ 	TypeDecl::GenInitCode(out_cc);
+-	if ( constructor_helper_ )
+-		constructor_helper_->GenCode(0, out_cc, this);
++	foreach(i, AnalyzerHelperList, constructor_helpers_)
++		{
++		(*i)->GenCode(0, out_cc, this);
++		}
+ 	}
+ 
+ void AnalyzerDecl::GenCleanUpCode(Output *out_cc)
+ 	{
+ 	TypeDecl::GenCleanUpCode(out_cc);
+-	if ( destructor_helper_ )
+-		destructor_helper_->GenCode(0, out_cc, this);
++	foreach(i, AnalyzerHelperList, destructor_helpers_)
++		{
++		(*i)->GenCode(0, out_cc, this);
++		}
+ 	}
+ 
+ void AnalyzerDecl::GenStateVarDecls(Output *out_h)
+@@ -295,6 +295,7 @@
+ 			break;
+ 		case INIT_CODE:
+ 		case CLEANUP_CODE:
++		case EOF_CODE:
+ 			out = out_cc;
+ 			break;
+ 		}
+diff -urN bro-1.2.1-orig/src/binpac/pac_analyzer.h bro-1.2.1-ssl-binpac/src/binpac/pac_analyzer.h
+--- bro-1.2.1-orig/src/binpac/pac_analyzer.h	2006-07-26 15:02:39.000000000 -0700
++++ bro-1.2.1-ssl-binpac/src/binpac/pac_analyzer.h	2007-05-22 16:32:08.397926000 -0700
+@@ -76,8 +76,9 @@
+ 	AnalyzerHelperList *helpers_;
+ 	FunctionList *functions_;
+ 
+-	AnalyzerHelper *constructor_helper_;
+-	AnalyzerHelper *destructor_helper_;
++	AnalyzerHelperList *constructor_helpers_;
++	AnalyzerHelperList *destructor_helpers_;
++	AnalyzerHelperList *eof_helpers_;
+ };
+ 
+ class AnalyzerElement : public Object
+@@ -117,6 +118,7 @@
+ 		MEMBER_DECLS,
+ 		INIT_CODE,
+ 		CLEANUP_CODE,
++		EOF_CODE,
+ 	};
+ 	AnalyzerHelper(Type helper_type, EmbeddedCode *code)
+ 		: AnalyzerElement(HELPER),
+diff -urN bro-1.2.1-orig/src/binpac/pac_conn.cc bro-1.2.1-ssl-binpac/src/binpac/pac_conn.cc
+--- bro-1.2.1-orig/src/binpac/pac_conn.cc	2006-07-26 15:02:40.000000000 -0700
++++ bro-1.2.1-ssl-binpac/src/binpac/pac_conn.cc	2007-05-22 16:42:35.406135000 -0700
+@@ -97,6 +97,12 @@
+ 	out_cc->println("%s->%s();",
+ 	                env_->LValue(downflow_id),
+ 	                kFlowEOF);
++
++	foreach(i, AnalyzerHelperList, eof_helpers_)
++		{
++		(*i)->GenCode(0, out_cc, this);
++		}
++
+ 	out_cc->dec_indent();
+ 	
+ 	out_cc->println("}");
+diff -urN bro-1.2.1-orig/src/binpac/pac_flow.cc bro-1.2.1-ssl-binpac/src/binpac/pac_flow.cc
+--- bro-1.2.1-orig/src/binpac/pac_flow.cc	2006-10-12 14:13:12.000000000 -0700
++++ bro-1.2.1-ssl-binpac/src/binpac/pac_flow.cc	2007-05-22 16:43:55.997562000 -0700
+@@ -151,6 +151,11 @@
+ 	out_cc->inc_indent();
+ 	out_cc->println("{");
+ 
++	foreach(i, AnalyzerHelperList, eof_helpers_)
++		{
++		(*i)->GenCode(0, out_cc, this);
++		}
++
+ 	if ( dataunit_->type() == AnalyzerDataUnit::FLOWUNIT )
+ 		{
+ 		out_cc->println("%s->set_eof();", 
+diff -urN bro-1.2.1-orig/src/binpac/pac_parse.yy bro-1.2.1-ssl-binpac/src/binpac/pac_parse.yy
+--- bro-1.2.1-orig/src/binpac/pac_parse.yy	2006-10-12 14:13:12.000000000 -0700
++++ bro-1.2.1-ssl-binpac/src/binpac/pac_parse.yy	2007-05-22 16:56:09.280526000 -0700
+@@ -22,7 +22,7 @@
+ %token TOK_STATE TOK_ACTION TOK_WHEN TOK_HELPER 
+ %token TOK_DATAUNIT TOK_FLOWDIR TOK_WITHCONTEXT
+ %token TOK_LPB_EXTERN TOK_LPB_HEADER TOK_LPB_CODE 
+-%token TOK_LPB_MEMBER TOK_LPB_INIT TOK_LPB_CLEANUP 
++%token TOK_LPB_MEMBER TOK_LPB_INIT TOK_LPB_CLEANUP TOK_LPB_EOF
+ %token TOK_LPB TOK_RPB 
+ %token TOK_EMBEDDED_ATOM TOK_EMBEDDED_STRING
+ %token TOK_PAC_VAL TOK_PAC_SET TOK_PAC_TYPE TOK_PAC_TYPEOF TOK_PAC_CONST_DEF 
+@@ -795,6 +795,10 @@
+ 				{
+ 				$$ = new AnalyzerHelper(AnalyzerHelper::CLEANUP_CODE, $2);
+ 				}
++		|	TOK_LPB_EOF embedded_code TOK_RPB
++				{
++				$$ = new AnalyzerHelper(AnalyzerHelper::EOF_CODE, $2);
++				}
+ 		|	TOK_FLOWDIR '=' tok_id optargs ';'
+ 				{
+ 				$$ = new AnalyzerFlow((AnalyzerFlow::Direction) $1, $3, $4);
+diff -urN bro-1.2.1-orig/src/binpac/pac_scan.ll bro-1.2.1-ssl-binpac/src/binpac/pac_scan.ll
+--- bro-1.2.1-orig/src/binpac/pac_scan.ll	2006-07-26 15:02:40.000000000 -0700
++++ bro-1.2.1-ssl-binpac/src/binpac/pac_scan.ll	2007-05-22 16:55:19.349644000 -0700
+@@ -96,6 +96,10 @@
+ 				BEGIN(EC);
+ 				return TOK_LPB_MEMBER;
+ 				}
++<INITIAL>"%eof{"		{
++				BEGIN(EC);
++				return TOK_LPB_EOF;
++				}
+ <INITIAL>"%{"			{
+ 				BEGIN(EC);
+ 				return TOK_LPB;
diff --git a/aux/binpac/patches/binpac-patch-doc.txt b/aux/binpac/patches/binpac-patch-doc.txt
new file mode 100644
index 0000000000..052285eaea
--- /dev/null
+++ b/aux/binpac/patches/binpac-patch-doc.txt
@@ -0,0 +1,87 @@
+binpac fixes
+----------------
+
+numbers of issues below correspond to the patch numbers
+
+(1) correct calculation of minimal header size in pac_expr.cc
+- problem: EXPR_CALLARGS and EXPR_CASE not considered for the calculation
+  of minimal header size
+- solution: added two cases in switch stmt of Expr::MinimalHeaderSize
+  for EXPR_CALLARGS and EXPR_CASE
+
+
+(2) ensure parsing of fields first referenced in a case expression or
+    let field with an &if attribute
+- problem: in cases where the if expression evaluates to false or the
+  proper case does not occur, fields get not parsed at all
+- solution: force evaluation of all IDs referenced in a let field with
+  if attribute or a case expression before the body of the corresponding
+  switch stmt or the if stmt
+- added public method Expr::ForceIDEval, properly called before
+  generating the code of a field with if attribute or the case expression
+
+
+(3) properly assert the use of fields with an if attribute
+- problem: the use of fields with an if attribute was not asserted in all
+  cases and asserted in the wrong way in some others due to the
+  corresponding BINPAC_ASSERT only called upon parsing the field
+- solution: perform BINPAC_ASSERT upon calling the fields accessor
+  function
+- moved BINPAC_ASSERT statement from LetField::GenEval to
+  Type::GenPubDecls
+
+
+(4) incremental input with records with a non-negative StaticSize
+- problem: incremental input with records with a StaticSize >= 0
+  cannot be performed due to necessary length attribute, leading to
+  an invalid call of GenBoundaryCheck in RecordType::DoGenParseCode
+- solution: added a check for incremental input in
+  RecordType::DoGenParseCode before calling GenBoundaryCheck
+
+
+(5) empty type with incremental input
+- problem: with an empty type and incremental input, although the
+  Parse function is created, it is never called, leading to problems,
+  if additional actions are to be performed when encountering that
+  empty type
+- solution: generate call to Parse of empty type in Type::GenParseBuffer
+
+
+(6) parsing loop in flow ParseBuffer (while(true))
+- problem: while(true) leads to problems after parsing of a type is
+  complete; at this time, it is unexpected that parsing continues, even
+  if no data is available in the flow buffer
+- solution: check if data is available before starting a new parsing
+  cycle
+- added a method data_available to FlowBuffer
+- changed while(true) in FlowDecl::GenCodeFlowUnit to
+  while(flow_buffer_->data_available())
+
+
+(7) initialization of flow buffer in CaseType with bufferable fields
+    in cases
+- problem: initialization of buffer occurs in every Parse call,
+  regardless if it was initialized before or not; initialization
+  is correct only on first such occurence
+- solution: check to buffer_state is to be created always when
+  buffering_state_id is in environment in Type::GenBufferConfig
+- changed condition from buffering_state_var_field_ to
+  env->GetDataType(buffering_state_id)
+
+
+(8) allowing init and cleanup code to be redefined, as well as addition
+    of code to FlowEOF calls in analyzer and flow
+- problem 1: when refining an analyzer or flow definition, additional
+  init and cleanup code was not allowed, if these were already defined
+  before; this leads to problems when adding new members, as these
+  cannot be initialized and destroyed properly
+- solution: allow init and cleanup code to be specified more than once
+- changed deifnitions and usage of constructor_helper and
+  destructor_helper to allow for lists of constructor and destructor
+  helpers (similar to member declarations) in pac_analyzer.h and
+  pac_analyzer.cc
+- problem 2: in some cases, it is desirable to execute code when
+  encountering the end of the input stream, which is not possible in
+  binpac
+- solution: added a %eof binpac primitive similar to %init, which adds
+  code to the FlowEOF function of an analyzer or a flow
diff --git a/aux/binpac/patches/brosslbinpacanalyzerpatches.zip b/aux/binpac/patches/brosslbinpacanalyzerpatches.zip
new file mode 100644
index 0000000000..4d89326f71
Binary files /dev/null and b/aux/binpac/patches/brosslbinpacanalyzerpatches.zip differ
diff --git a/aux/binpac/patches/nadi-bittorrent.patch b/aux/binpac/patches/nadi-bittorrent.patch
new file mode 100644
index 0000000000..1ce6cc0313
--- /dev/null
+++ b/aux/binpac/patches/nadi-bittorrent.patch
@@ -0,0 +1,172 @@
+Index: pac_type.h
+===================================================================
+--- pac_type.h	(revision 4130)
++++ pac_type.h	(working copy)
+@@ -78,12 +78,6 @@
+ 	string EvalByteOrder(Output *out_cc, Env *env) const;
+ 
+ 	virtual string EvalMember(const ID *member_id) const;
+-#if 0
+-	// member_env() is used for finding a member of the type.
+-	// Thus member_env() of a ParameterizedType should return 
+-	// ReferredDataType()->env()
+-	// virtual Env *member_env() const;
+-#endif
+ 
+ 	// The variable defined by the type
+ 	const ID *value_var() const		{ return value_var_; }
+@@ -223,6 +217,8 @@
+ 
+ 	virtual bool ByteOrderSensitive() const = 0;
+ 
++	bool NeedsBufferingStateVar() const;
++
+ 	void GenBufferingLoop(Output* out_cc, Env* env, int flags);
+ 	void GenParseBuffer(Output* out_cc, Env* env, int flags);
+ 	void GenParseCode2(Output* out_cc, Env* env, const DataPtr& data, int flags);
+Index: lib/binpac_buffer.h
+===================================================================
+--- lib/binpac_buffer.h	(revision 4130)
++++ lib/binpac_buffer.h	(working copy)
+@@ -24,18 +24,18 @@
+ 	void DiscardData();
+ 
+ 	// Whether there is enough data for the frame
+-	bool ready() const{ return message_complete_; }
++	bool ready() const{ return message_complete_ || mode_ == UNKNOWN_MODE; }
+ 
+ 	inline const_byteptr begin() const
+ 		{
+-		BINPAC_ASSERT(message_complete_);
++		BINPAC_ASSERT(ready());
+ 		return ( buffer_n_ == 0 ) ? 
+ 			orig_data_begin_ : buffer_;
+ 		}
+ 
+ 	inline const_byteptr end() const
+ 		{
+-		BINPAC_ASSERT(message_complete_);
++		BINPAC_ASSERT(ready());
+ 		if ( buffer_n_ == 0 )
+ 			{
+ 			BINPAC_ASSERT(frame_length_ >= 0);
+Index: pac_type.cc
+===================================================================
+--- pac_type.cc	(revision 4130)
++++ pac_type.cc	(working copy)
+@@ -285,9 +285,8 @@
+ 			parsing_complete_var, extern_type_bool->Clone());
+ 		parsing_complete_var_field_->Prepare(env);
+ 
+-		if ( ( buffer_mode() == BUFFER_BY_LENGTH ||
+-		       buffer_mode() == BUFFER_BY_LINE ) &&
+-		       ! env->GetDataType(buffering_state_id) )
++		if ( NeedsBufferingStateVar() && 
++		     !env->GetDataType(buffering_state_id) )
+ 			{
+ 			buffering_state_var_field_ = new PrivVarField(
+ 				buffering_state_id->clone(), 
+@@ -387,17 +386,17 @@
+ 			break;
+ 
+ 		case BUFFER_BY_LENGTH:
+-			if ( buffering_state_var_field_ )
+-				{
+-				out_cc->println("if ( %s == 0 )",
+-					env->RValue(buffering_state_id));
+-				out_cc->inc_indent();
+-				out_cc->println("{");
+-				}
++			if ( !NeedsBufferingStateVar() )
++				break;
+ 
++			ASSERT(env->GetDataType(buffering_state_id));
++			out_cc->println("if ( %s == 0 )",
++				env->RValue(buffering_state_id));
++			out_cc->inc_indent();
++			out_cc->println("{");
++
+ 			if ( attr_length_expr_ )
+ 				{
+-				// frame_buffer_arg = attr_length_expr_->EvalExpr(out_cc, env);
+ 				frame_buffer_arg = strfmt("%d", InitialBufferLength());
+ 				}
+ 			else if ( attr_restofflow_ )
+@@ -407,7 +406,7 @@
+ 				}
+ 			else
+ 				{
+-				frame_buffer_arg = strfmt("%d", InitialBufferLength());
++				ASSERT(0);
+ 				}
+ 
+ 			out_cc->println("%s->NewFrame(%s, %s);",
+@@ -415,16 +414,14 @@
+ 				frame_buffer_arg.c_str(),
+ 				attr_chunked() ? "true" : "false");
+ 
+-			if ( buffering_state_var_field_ )
+-				{
+-				out_cc->println("%s = 1;",
+-					env->LValue(buffering_state_id));
+-				out_cc->println("}");
+-				out_cc->dec_indent();
+-				}
++			out_cc->println("%s = 1;",
++				env->LValue(buffering_state_id));
++			out_cc->println("}");
++			out_cc->dec_indent();
+ 			break;
+ 
+ 		case BUFFER_BY_LINE:
++			ASSERT(env->GetDataType(buffering_state_id));
+ 			out_cc->println("if ( %s == 0 )",
+ 				env->RValue(buffering_state_id));
+ 			out_cc->inc_indent();
+@@ -890,6 +887,25 @@
+ 	return ! attr_byteorder_expr() && ByteOrderSensitive(); 
+ 	}
+ 
++bool Type::NeedsBufferingStateVar() const
++	{
++	if ( !incremental_input() )
++		return false;
++	switch ( buffer_mode() )
++		{
++		case BUFFER_NOTHING:
++		case NOT_BUFFERABLE:
++			return false;
++		case BUFFER_BY_LINE:
++			return true;
++		case BUFFER_BY_LENGTH:
++			return ( attr_length_expr_ || attr_restofflow_ );
++		default:
++			ASSERT(0);
++			return false;
++		}
++	}
++
+ bool Type::DoTraverse(DataDepVisitor *visitor)
+ 	{
+ 	foreach (i, FieldList, fields_)
+Index: pac_flow.cc
+===================================================================
+--- pac_flow.cc	(revision 4130)
++++ pac_flow.cc	(working copy)
+@@ -224,15 +224,13 @@
+ 	out_cc->println("catch ( Exception const &e )");
+ 	out_cc->inc_indent();
+ 	out_cc->println("{");
+-	out_cc->println("DEBUG_MSG(\"%%.6f binpac exception: %%s\\n\", network_time(), e.c_msg());");
+ 	GenCleanUpCode(out_cc);
+ 	if ( dataunit_->type() == AnalyzerDataUnit::FLOWUNIT )
+ 		{
+ 		out_cc->println("%s->DiscardData();",
+ 			env_->LValue(flow_buffer_id));
+-		out_cc->println("BINPAC_ASSERT(!%s->ready());",
+-			env_->RValue(flow_buffer_id));
+ 		}
++	out_cc->println("throw e;");
+ 	out_cc->println("}");
+ 	out_cc->dec_indent();
+ 
diff --git a/aux/binpac/shtool b/aux/binpac/shtool
new file mode 100755
index 0000000000..4c1a7396fd
--- /dev/null
+++ b/aux/binpac/shtool
@@ -0,0 +1,716 @@
+#!/bin/sh
+##
+##  GNU shtool -- The GNU Portable Shell Tool
+##  Copyright (c) 1994-2000 Ralf S. Engelschall <rse@engelschall.com>
+##
+##  See http://www.gnu.org/software/shtool/ for more information.
+##  See ftp://ftp.gnu.org/gnu/shtool/ for latest version.
+##
+##  Version 1.4.9 (16-Apr-2000)
+##  Ingredients: 3/17 available modules
+##
+
+##
+##  This program is free software; you can redistribute it and/or modify
+##  it under the terms of the GNU General Public License as published by
+##  the Free Software Foundation; either version 2 of the License, or
+##  (at your option) any later version.
+##
+##  This program is distributed in the hope that it will be useful,
+##  but WITHOUT ANY WARRANTY; without even the implied warranty of
+##  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+##  General Public License for more details.
+##
+##  You should have received a copy of the GNU General Public License
+##  along with this program; if not, write to the Free Software
+##  Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
+##  USA, or contact Ralf S. Engelschall <rse@engelschall.com>.
+##
+##  Notice: Given that you include this file verbatim into your own
+##  source tree, you are justified in saying that it remains separate
+##  from your package, and that this way you are simply just using GNU
+##  shtool. So, in this situation, there is no requirement that your
+##  package itself is licensed under the GNU General Public License in
+##  order to take advantage of GNU shtool.
+##
+
+##
+##  Usage: shtool [<options>] [<cmd-name> [<cmd-options>] [<cmd-args>]]
+##
+##  Available commands:
+##    echo       Print string with optional construct expansion
+##    install    Install a program, script or datafile
+##    mkdir      Make one or more directories
+##
+##  Not available commands (because module was not built-in):
+##    mdate      Pretty-print modification time of a file or dir
+##    table      Pretty-print a field-separated list as a table
+##    prop       Display progress with a running propeller
+##    move       Move files with simultaneous substitution
+##    mkln       Make link with calculation of relative paths
+##    mkshadow   Make a shadow tree through symbolic links
+##    fixperm    Fix file permissions inside a source tree
+##    tarball    Roll distribution tarballs
+##    guessos    Simple operating system guesser
+##    arx        Extended archive command
+##    slo        Separate linker options by library class
+##    scpp       Sharing C Pre-Processor
+##    version    Generate and maintain a version information file
+##    path       Deal with program paths
+##
+
+if [ $# -eq 0 ]; then
+    echo "$0:Error: invalid command line" 1>&2
+    echo "$0:Hint:  run \`$0 -h' for usage" 1>&2
+    exit 1
+fi
+if [ ".$1" = ".-h" -o ".$1" = ".--help" ]; then
+    echo "This is GNU shtool, version 1.4.9 (16-Apr-2000)"
+    echo "Copyright (c) 1994-2000 Ralf S. Engelschall <rse@engelschall.com>"
+    echo "Report bugs to <bug-shtool@gnu.org>"
+    echo ''
+    echo "Usage: shtool [<options>] [<cmd-name> [<cmd-options>] [<cmd-args>]]" 
+    echo ''
+    echo 'Available global <options>:'
+    echo '  -v, --version   display shtool version information'
+    echo '  -h, --help      display shtool usage help page (this one)'
+    echo '  -d, --debug     display shell trace information'
+    echo ''
+    echo 'Available <cmd-name> [<cmd-options>] [<cmd-args>]:'
+    echo '  echo     [-n] [-e] [<str> ...]'
+    echo '  install  [-v] [-t] [-c] [-C] [-s] [-m<mode>] [-o<owner>] [-g<group>]'
+    echo '           [-e<ext>] <file> <path>'
+    echo '  mkdir    [-t] [-f] [-p] [-m<mode>] <dir> [<dir> ...]'
+    echo ''
+    echo 'Not available <cmd-name> (because module was not built-in):'
+    echo '  mdate    [-n] [-z] [-s] [-d] [-f<str>] [-o<spec>] <path>'
+    echo '  table    [-F<sep>] [-w<width>] [-c<cols>] [-s<strip>] <str><sep><str>...'
+    echo '  prop     [-p<str>]'
+    echo '  move     [-v] [-t] [-e] [-p] <src-file> <dst-file>'
+    echo '  mkln     [-t] [-f] [-s] <src-path> [<src-path> ...] <dst-path>'
+    echo '  mkshadow [-v] [-t] [-a] <src-dir> <dst-dir>'
+    echo '  fixperm  [-v] [-t] <path> [<path> ...]'
+    echo '  tarball  [-t] [-v] [-o <tarball>] [-c <prog>] [-d <dir>] [-u'
+    echo '           <user>] [-g <group>] [-e <pattern>] <path> [<path> ...]'
+    echo '  guessos  '
+    echo '  arx      [-t] [-C<cmd>] <op> <archive> [<file> ...]'
+    echo '  slo      [-p<str>] -- -L<dir> -l<lib> [-L<dir> -l<lib> ...]'
+    echo '  scpp     [-v] [-p] [-f<filter>] [-o<ofile>] [-t<tfile>] [-M<mark>]'
+    echo '           [-D<dname>] [-C<cname>] <file> [<file> ...]'
+    echo '  version  [-l<lang>] [-n<name>] [-p<prefix>] [-s<version>] [-i<knob>]'
+    echo '           [-d<type>] <file>'
+    echo '  path     [-s] [-r] [-d] [-b] [-m] [-p<path>] <str> [<str> ...]'
+    echo ''
+    exit 0
+fi
+if [ ".$1" = ".-v" -o ".$1" = ."--version" ]; then
+    echo "GNU shtool 1.4.9 (16-Apr-2000)"
+    exit 0
+fi
+if [ ".$1" = ".-d" -o ".$1" = ."--debug" ]; then
+    shift
+    set -x
+fi
+name=`echo "$0" | sed -e 's;.*/\([^/]*\)$;\1;' -e 's;-sh$;;' -e 's;\.sh$;;'`
+case "$name" in
+    echo|install|mkdir )
+        #   implicit tool command selection
+        tool="$name"
+        ;;
+    * )
+        #   explicit tool command selection
+        tool="$1"
+        shift
+        ;;
+esac
+arg_spec=""
+opt_spec=""
+gen_tmpfile=no
+
+##
+##  DISPATCH INTO SCRIPT PROLOG
+##
+
+case $tool in
+    echo )
+        str_tool="echo"
+        str_usage="[-n] [-e] [<str> ...]"
+        arg_spec="0+"
+        opt_spec="n.e."
+        opt_n=no
+        opt_e=no
+        ;;
+    install )
+        str_tool="install"
+        str_usage="[-v] [-t] [-c] [-C] [-s] [-m<mode>] [-o<owner>] [-g<group>] [-e<ext>] <file> <path>"
+        arg_spec="2="
+        opt_spec="v.t.c.C.s.m:o:g:e:"
+        opt_v=no
+        opt_t=no
+        opt_c=no
+        opt_C=no
+        opt_s=no
+        opt_m=""
+        opt_o=""
+        opt_g=""
+        opt_e=""
+        ;;
+    mkdir )
+        str_tool="mkdir"
+        str_usage="[-t] [-f] [-p] [-m<mode>] <dir> [<dir> ...]"
+        arg_spec="1+"
+        opt_spec="t.f.p.m:"
+        opt_t=no
+        opt_f=no
+        opt_p=no
+        opt_m=""
+        ;;
+    -* )
+        echo "$0:Error: unknown option \`$tool'" 2>&1
+        echo "$0:Hint:  run \`$0 -h' for usage" 2>&1
+        exit 1
+        ;;
+    * )
+        echo "$0:Error: unknown command \`$tool'" 2>&1
+        echo "$0:Hint:  run \`$0 -h' for usage" 2>&1
+        exit 1
+        ;;
+esac
+
+##
+##  COMMON UTILITY CODE
+##
+
+#   determine name of tool
+if [ ".$tool" != . ]; then
+    #   used inside shtool script
+    toolcmd="$0 $tool"
+    toolcmdhelp="shtool $tool"
+    msgprefix="shtool:$tool"
+else
+    #   used as standalone script
+    toolcmd="$0"
+    toolcmdhelp="sh $0"
+    msgprefix="$str_tool"
+fi
+
+#   parse argument specification string
+eval `echo $arg_spec |\
+      sed -e 's/^\([0-9]*\)\([+=]\)/arg_NUMS=\1; arg_MODE=\2/'`
+
+#   parse option specification string
+eval `echo h.$opt_spec |\
+      sed -e 's/\([a-zA-Z0-9]\)\([.:+]\)/opt_MODE_\1=\2;/g'`
+
+#   interate over argument line
+opt_PREV=''
+while [ $# -gt 0 ]; do
+    #   special option stops processing
+    if [ ".$1" = ".--" ]; then
+        shift
+        break
+    fi
+
+    #   determine option and argument
+    opt_ARG_OK=no
+    if [ ".$opt_PREV" != . ]; then
+        #   merge previous seen option with argument
+        opt_OPT="$opt_PREV"
+        opt_ARG="$1"
+        opt_ARG_OK=yes
+        opt_PREV=''
+    else
+        #   split argument into option and argument
+        case "$1" in
+            -[a-zA-Z0-9]*)
+                eval `echo "x$1" |\
+                      sed -e 's/^x-\([a-zA-Z0-9]\)/opt_OPT="\1";/' \
+                          -e 's/";\(.*\)$/"; opt_ARG="\1"/'`
+                ;;
+            -[a-zA-Z0-9])
+                opt_OPT=`echo "x$1" | cut -c3-`
+                opt_ARG=''
+                ;;
+            *)
+                break
+                ;;
+        esac
+    fi
+
+    #   eat up option
+    shift
+
+    #   determine whether option needs an argument
+    eval "opt_MODE=\$opt_MODE_${opt_OPT}"
+    if [ ".$opt_ARG" = . -a ".$opt_ARG_OK" != .yes ]; then
+        if [ ".$opt_MODE" = ".:" -o ".$opt_MODE" = ".+" ]; then
+            opt_PREV="$opt_OPT"
+            continue
+        fi
+    fi
+
+    #   process option
+    case $opt_MODE in
+        '.' )
+            #   boolean option
+            eval "opt_${opt_OPT}=yes"
+            ;;
+        ':' )
+            #   option with argument (multiple occurances override)
+            eval "opt_${opt_OPT}=\"\$opt_ARG\""
+            ;;
+        '+' )
+            #   option with argument (multiple occurances append)
+            eval "opt_${opt_OPT}=\"\$opt_${opt_OPT} \$opt_ARG\""
+            ;;
+        * )
+            echo "$msgprefix:Error: unknown option: \`-$opt_OPT'" 1>&2
+            echo "$msgprefix:Hint:  run \`$toolcmdhelp -h' or \`man shtool' for details" 1>&2
+            exit 1
+            ;;
+    esac
+done
+if [ ".$opt_PREV" != . ]; then
+    echo "$msgprefix:Error: missing argument to option \`-$opt_PREV'" 1>&2
+    echo "$msgprefix:Hint:  run \`$toolcmdhelp -h' or \`man shtool' for details" 1>&2
+    exit 1
+fi
+
+#   process help option
+if [ ".$opt_h" = .yes ]; then
+    echo "Usage: $toolcmdhelp $str_usage"
+    exit 0
+fi
+
+#   complain about incorrect number of arguments
+case $arg_MODE in
+    '=' )
+        if [ $# -ne $arg_NUMS ]; then
+            echo "$msgprefix:Error: invalid number of arguments (exactly $arg_NUMS expected)" 1>&2
+            echo "$msgprefix:Hint:  run \`$toolcmd -h' or \`man shtool' for details" 1>&2
+            exit 1
+        fi
+        ;;
+    '+' )
+        if [ $# -lt $arg_NUMS ]; then
+            echo "$msgprefix:Error: invalid number of arguments (at least $arg_NUMS expected)" 1>&2
+            echo "$msgprefix:Hint:  run \`$toolcmd -h' or \`man shtool' for details" 1>&2
+            exit 1
+        fi
+        ;;
+esac
+
+#   establish a temporary file on request
+if [ ".$gen_tmpfile" = .yes ]; then
+    if [ ".$TMPDIR" != . ]; then
+        tmpdir="$TMPDIR"
+    elif [ ".$TEMPDIR" != . ]; then
+        tmpdir="$TEMPDIR"
+    else
+        tmpdir="/tmp"
+    fi
+    tmpfile="$tmpdir/.shtool.$$"
+    rm -f $tmpfile >/dev/null 2>&1
+    touch $tmpfile
+fi
+
+##
+##  DISPATCH INTO SCRIPT BODY
+##
+
+case $tool in
+
+echo )
+    ##
+    ##  echo -- Print string with optional construct expansion
+    ##  Copyright (c) 1998-2000 Ralf S. Engelschall <rse@engelschall.com>
+    ##  Originally written for WML as buildinfo
+    ##
+    
+    text="$*"
+    
+    #   check for broken escape sequence expansion
+    seo=''
+    bytes=`echo '\1' | wc -c | awk '{ printf("%s", $1); }'`
+    if [ ".$bytes" != .3 ]; then
+        bytes=`echo -E '\1' | wc -c | awk '{ printf("%s", $1); }'`
+        if [ ".$bytes" = .3 ]; then
+            seo='-E'
+        fi
+    fi
+    
+    #   check for existing -n option (to suppress newline)
+    minusn=''
+    bytes=`echo -n 123 2>/dev/null | wc -c | awk '{ printf("%s", $1); }'`
+    if [ ".$bytes" = .3 ]; then
+        minusn='-n'
+    fi
+    
+    #   determine terminal bold sequence
+    term_bold='' 
+    term_norm=''
+    if [ ".$opt_e" = .yes -a ".`echo $text | egrep '%[Bb]'`" != . ]; then
+        case $TERM in
+            #   for the most important terminal types we directly know the sequences
+            xterm|xterm*|vt220|vt220*)
+                term_bold=`awk 'BEGIN { printf("%c%c%c%c", 27, 91, 49, 109); }' </dev/null 2>/dev/null`
+                term_norm=`awk 'BEGIN { printf("%c%c%c", 27, 91, 109); }' </dev/null 2>/dev/null`
+                ;;
+            vt100|vt100*)
+                term_bold=`awk 'BEGIN { printf("%c%c%c%c%c%c", 27, 91, 49, 109, 0, 0); }' </dev/null 2>/dev/null`
+                term_norm=`awk 'BEGIN { printf("%c%c%c%c%c", 27, 91, 109, 0, 0); }' </dev/null 2>/dev/null`
+                ;;
+            #   for all others, we try to use a possibly existing `tput' or `tcout' utility
+            * )
+                paths=`echo $PATH | sed -e 's/:/ /g'`
+                for tool in tput tcout; do
+                    for dir in $paths; do
+                        if [ -r "$dir/$tool" ]; then
+                            for seq in bold md smso; do # 'smso' is last
+                                bold="`$dir/$tool $seq 2>/dev/null`"
+                                if [ ".$bold" != . ]; then
+                                    term_bold="$bold"
+                                    break
+                                fi
+                            done
+                            if [ ".$term_bold" != . ]; then
+                                for seq in sgr0 me rmso reset; do # 'reset' is last
+                                    norm="`$dir/$tool $seq 2>/dev/null`"
+                                    if [ ".$norm" != . ]; then
+                                        term_norm="$norm"
+                                        break
+                                    fi
+                                done
+                            fi
+                            break
+                        fi
+                    done
+                    if [ ".$term_bold" != . -a ".$term_norm" != . ]; then
+                        break;
+                    fi
+                done
+                ;;
+        esac
+        if [ ".$term_bold" = . -o ".$term_norm" = . ]; then
+            echo "$msgprefix:Warning: unable to determine terminal sequence for bold mode" 1>&2
+        fi
+    fi
+    
+    #   determine user name
+    username=''
+    if [ ".$opt_e" = .yes -a ".`echo $text | egrep '%[uU]'`" != . ]; then
+        username="$LOGNAME"
+        if [ ".$username" = . ]; then
+            username="$USER"
+            if [ ".$username" = . ]; then
+                username="`(whoami) 2>/dev/null |\
+                           awk '{ printf("%s", $1); }'`"
+                if [ ".$username" = . ]; then
+                    username="`(who am i) 2>/dev/null |\
+                               awk '{ printf("%s", $1); }'`"
+                    if [ ".$username" = . ]; then
+                        username='unknown'
+                    fi
+                fi
+            fi
+        fi
+    fi
+    
+    #   determine user id
+    userid=''
+    if [ ".$opt_e" = .yes -a ".`echo $text | egrep '%U'`" != . ]; then
+        userid="`(id -u) 2>/dev/null`"
+        if [ ".$userid" = . ]; then
+            str="`(id) 2>/dev/null`"
+            if [ ".`echo $str | grep '^uid[ 	]*=[ 	]*[0-9]*('`" != . ]; then
+                userid=`echo $str | sed -e 's/^uid[ 	]*=[ 	]*//' -e 's/(.*//'`
+            fi
+            if [ ".$userid" = . ]; then
+                userid=`egrep "^${username}:" /etc/passwd 2>/dev/null | \
+                        sed -e 's/[^:]*:[^:]*://' -e 's/:.*$//'`
+                if [ ".$userid" = . ]; then
+                    userid=`(ypcat passwd) 2>/dev/null |
+                            egrep "^${username}:" | \
+                            sed -e 's/[^:]*:[^:]*://' -e 's/:.*$//'`
+                    if [ ".$userid" = . ]; then
+                        userid='?'
+                    fi
+                fi
+            fi
+        fi
+    fi
+    
+    #   determine host name
+    hostname=''
+    if [ ".$opt_e" = .yes -a ".`echo $text | egrep '%h'`" != . ]; then
+        hostname="`(uname -n) 2>/dev/null |\
+                   awk '{ printf("%s", $1); }'`"
+        if [ ".$hostname" = . ]; then
+            hostname="`(hostname) 2>/dev/null |\
+                       awk '{ printf("%s", $1); }'`"
+            if [ ".$hostname" = . ]; then
+                hostname='unknown'
+            fi
+        fi
+        case $hostname in
+            *.* )
+                domainname=".`echo $hostname | cut -d. -f2-`"
+                hostname="`echo $hostname | cut -d. -f1`"
+                ;;
+        esac
+    fi
+    
+    #   determine domain name
+    domainname=''
+    if [ ".$opt_e" = .yes -a ".`echo $text | egrep '%d'`" != . ]; then
+        if [ ".$domainname" = . ]; then
+            if [ -f /etc/resolv.conf ]; then
+                domainname="`egrep '^[ 	]*domain' /etc/resolv.conf | head -1 |\
+                             sed -e 's/.*domain//' \
+                                 -e 's/^[ 	]*//' -e 's/^ *//' -e 's/^	*//' \
+                                 -e 's/^\.//' -e 's/^/./' |\
+                             awk '{ printf("%s", $1); }'`"
+                if [ ".$domainname" = . ]; then
+                    domainname="`egrep '^[ 	]*search' /etc/resolv.conf | head -1 |\
+                                 sed -e 's/.*search//' \
+                                     -e 's/^[ 	]*//' -e 's/^ *//' -e 's/^	*//' \
+                                     -e 's/ .*//' -e 's/	.*//' \
+                                     -e 's/^\.//' -e 's/^/./' |\
+                                 awk '{ printf("%s", $1); }'`"
+                fi
+            fi
+        fi
+    fi
+    
+    #   determine current time
+    time_day=''
+    time_month=''
+    time_year=''
+    time_monthname=''
+    if [ ".$opt_e" = .yes -a ".`echo $text | egrep '%[DMYm]'`" != . ]; then
+        time_day=`date '+%d'`
+        time_month=`date '+%m'`
+        time_year=`date '+%Y' 2>/dev/null`
+        if [ ".$time_year" = . ]; then
+            time_year=`date '+%y'`
+            case $time_year in
+                [5-9][0-9]) time_year="19$time_year" ;;
+                [0-4][0-9]) time_year="20$time_year" ;;
+            esac
+        fi
+        case $time_month in
+            1|01) time_monthname='Jan' ;;
+            2|02) time_monthname='Feb' ;;
+            3|03) time_monthname='Mar' ;;
+            4|04) time_monthname='Apr' ;;
+            5|05) time_monthname='May' ;;
+            6|06) time_monthname='Jun' ;;
+            7|07) time_monthname='Jul' ;;
+            8|08) time_monthname='Aug' ;;
+            9|09) time_monthname='Sep' ;;
+              10) time_monthname='Oct' ;;
+              11) time_monthname='Nov' ;;
+              12) time_monthname='Dec' ;;
+        esac
+    fi
+    
+    #   expand special ``%x'' constructs
+    if [ ".$opt_e" = .yes ]; then
+        text=`echo $seo "$text" |\
+              sed -e "s/%B/${term_bold}/g" \
+                  -e "s/%b/${term_norm}/g" \
+                  -e "s/%u/${username}/g" \
+                  -e "s/%U/${userid}/g" \
+                  -e "s/%h/${hostname}/g" \
+                  -e "s/%d/${domainname}/g" \
+                  -e "s/%D/${time_day}/g" \
+                  -e "s/%M/${time_month}/g" \
+                  -e "s/%Y/${time_year}/g" \
+                  -e "s/%m/${time_monthname}/g" 2>/dev/null`
+    fi
+    
+    #   create output
+    if [ .$opt_n = .no ]; then
+        echo $seo "$text"
+    else
+        #   the harder part: echo -n is best, because
+        #   awk may complain about some \xx sequences.
+        if [ ".$minusn" != . ]; then
+            echo $seo $minusn "$text"
+        else
+            echo dummy | awk '{ printf("%s", TEXT); }' TEXT="$text"
+        fi
+    fi
+    ;;
+
+install )
+    ##
+    ##  install -- Install a program, script or datafile
+    ##  Copyright (c) 1997-2000 Ralf S. Engelschall <rse@engelschall.com>
+    ##  Originally written for shtool
+    ##
+    
+    src="$1"
+    dst="$2"
+    
+    #  If destination is a directory, append the input filename
+    if [ -d $dst ]; then
+        dst=`echo "$dst" | sed -e 's:/$::'`
+        dstfile=`echo "$src" | sed -e 's;.*/\([^/]*\)$;\1;'`
+        dst="$dst/$dstfile"
+    fi
+    
+    #  Add a possible extension to src and dst
+    if [ ".$opt_e" != . ]; then
+        src="$src$opt_e"
+        dst="$dst$opt_e"
+    fi
+    
+    #  Check for correct arguments
+    if [ ".$src" = ".$dst" ]; then
+        echo "$msgprefix:Error: source and destination are the same" 1>&2
+        exit 1
+    fi
+    
+    #  Make a temp file name in the destination directory
+    dstdir=`echo $dst | sed -e 's;[^/]*$;;' -e 's;\(.\)/$;\1;' -e 's;^$;.;'`
+    dsttmp="$dstdir/#INST@$$#"
+    
+    #  Verbosity
+    if [ ".$opt_v" = .yes ]; then
+        echo "$src -> $dst" 1>&2
+    fi
+    
+    #  Copy or move the file name to the temp name
+    #  (because we might be not allowed to change the source)
+    if [ ".$opt_C" = .yes ]; then
+        opt_c=yes
+    fi
+    if [ ".$opt_c" = .yes ]; then
+        if [ ".$opt_t" = .yes ]; then
+            echo "cp $src $dsttmp" 1>&2
+        fi
+        cp $src $dsttmp || exit $?
+    else
+        if [ ".$opt_t" = .yes ]; then
+            echo "mv $src $dsttmp" 1>&2
+        fi
+        mv $src $dsttmp || exit $?
+    fi
+    
+    #  Adjust the target file
+    #  (we do chmod last to preserve setuid bits)
+    if [ ".$opt_s" = .yes ]; then
+        if [ ".$opt_t" = .yes ]; then
+            echo "strip $dsttmp" 1>&2
+        fi
+        strip $dsttmp || exit $?
+    fi
+    if [ ".$opt_o" != . ]; then
+        if [ ".$opt_t" = .yes ]; then
+            echo "chown $opt_o $dsttmp" 1>&2
+        fi
+        chown $opt_o $dsttmp || exit $?
+    fi
+    if [ ".$opt_g" != . ]; then
+        if [ ".$opt_t" = .yes ]; then
+            echo "chgrp $opt_g $dsttmp" 1>&2
+        fi
+        chgrp $opt_g $dsttmp || exit $?
+    fi
+    if [ ".$opt_m" != . ]; then
+        if [ ".$opt_t" = .yes ]; then
+            echo "chmod $opt_m $dsttmp" 1>&2
+        fi
+        chmod $opt_m $dsttmp || exit $?
+    fi
+    
+    #   Determine whether to do a quick install
+    #   (has to be done _after_ the strip was already done)
+    quick=no
+    if [ ".$opt_C" = .yes ]; then
+        if [ -r $dst ]; then
+            if cmp -s $src $dst; then
+                quick=yes
+            fi
+        fi
+    fi
+    
+    #   Finally install the file to the real destination
+    if [ $quick = yes ]; then
+        if [ ".$opt_t" = .yes ]; then
+            echo "rm -f $dsttmp" 1>&2
+        fi
+        rm -f $dsttmp
+    else
+        if [ ".$opt_t" = .yes ]; then
+            echo "rm -f $dst && mv $dsttmp $dst" 1>&2
+        fi
+        rm -f $dst && mv $dsttmp $dst
+    fi
+    ;;
+
+mkdir )
+    ##
+    ##  mkdir -- Make one or more directories
+    ##  Copyright (c) 1996-2000 Ralf S. Engelschall <rse@engelschall.com>
+    ##  Originally written for public domain by Noah Friedman <friedman@prep.ai.mit.edu>
+    ##  Cleaned up and enhanced for shtool
+    ##
+    
+    errstatus=0
+    for p in ${1+"$@"}; do
+        #   if the directory already exists...
+        if [ -d "$p" ]; then
+            if [ ".$opt_f" = .no ] && [ ".$opt_p" = .no ]; then
+                echo "$msgprefix:Error: directory already exists: $p" 1>&2
+                errstatus=1
+                break
+            else
+                continue
+            fi
+        fi
+        #   if the directory has to be created...
+        if [ ".$opt_p" = .no ]; then
+            if [ ".$opt_t" = .yes ]; then
+                echo "mkdir $p" 1>&2
+            fi
+            mkdir $p || errstatus=$?
+        else
+            #   the smart situation
+            set fnord `echo ":$p" |\
+                       sed -e 's/^:\//%/' \
+                           -e 's/^://' \
+                           -e 's/\// /g' \
+                           -e 's/^%/\//'`
+            shift
+            pathcomp=''
+            for d in ${1+"$@"}; do
+                pathcomp="$pathcomp$d"
+                case "$pathcomp" in
+                    -* ) pathcomp="./$pathcomp" ;;
+                esac
+                if [ ! -d "$pathcomp" ]; then
+                    if [ ".$opt_t" = .yes ]; then
+                        echo "mkdir $pathcomp" 1>&2
+                    fi
+                    mkdir $pathcomp || errstatus=$?
+                    if [ ".$opt_m" != . ]; then
+                        if [ ".$opt_t" = .yes ]; then
+                            echo "chmod $opt_m $pathcomp" 1>&2
+                        fi
+                        chmod $opt_m $pathcomp || errstatus=$?
+                    fi
+                fi
+                pathcomp="$pathcomp/"
+            done
+        fi
+    done
+    exit $errstatus
+    ;;
+
+esac
+
+exit 0
+
+##EOF##
diff --git a/aux/binpac/src/Makefile.am b/aux/binpac/src/Makefile.am
new file mode 100644
index 0000000000..2dc2816c35
--- /dev/null
+++ b/aux/binpac/src/Makefile.am
@@ -0,0 +1,62 @@
+## Process this file with automake to produce Makefile.in
+
+AM_YFLAGS = -d -t -v
+AM_CPPFLAGS = -W -Wall -Wno-unused
+
+noinst_PROGRAMS = binpac
+
+binpac_SOURCES = \
+	pac_scan.ll pac_parse.yy \
+	pac_action.cc \
+	pac_analyzer.cc \
+	pac_array.cc \
+	pac_attr.cc \
+	pac_btype.cc \
+	pac_case.cc \
+	pac_conn.cc \
+	pac_context.cc \
+	pac_cstr.cc \
+	pac_datadep.cc \
+	pac_dataptr.cc \
+	pac_dataunit.cc \
+	pac_decl.cc \
+	pac_embedded.cc \
+	pac_enum.cc \
+	pac_expr.cc \
+	pac_exttype.cc \
+	pac_field.cc \
+	pac_flow.cc \
+	pac_func.cc \
+	pac_id.cc \
+	pac_inputbuf.cc \
+	pac_let.cc \
+	pac_param.cc \
+	pac_paramtype.cc \
+	pac_primitive.cc \
+	pac_record.cc \
+	pac_redef.cc \
+	pac_regex.cc \
+	pac_state.cc \
+	pac_strtype.cc \
+	pac_type.cc \
+	pac_typedecl.cc \
+	pac_withinput.cc \
+	pac_output.cc pac_utils.cc pac_exception.cc \
+	pac_main.cc \
+	pac_action.h pac_analyzer.h pac_array.h pac_attr.h pac_btype.h \
+	pac_case.h pac_cclass.h pac_common.h pac_conn.h pac_context.h \
+	pac_cstr.h pac_ctype.h pac_datadep.h pac_dataptr.h pac_dataunit.h \
+	pac_dbg.h pac_decl-inl.h pac_decl.h pac_embedded.h pac_enum.h \
+	pac_exception.h pac_expr.h pac_exttype.h pac_field.h pac_flow.h \
+	pac_func.h pac_id.h pac_inputbuf.h pac_let.h pac_number.h \
+	pac_output.h pac_param.h pac_paramtype.h pac_parse.h pac_primitive.h \
+	pac_record.h pac_redef.h pac_regex.h pac_state.h pac_strtype.h \
+	pac_type.h pac_typedecl.h pac_utils.h pac_varfield.h pac_withinput.h
+
+EXTRA_DIST = pac_expr.def pac_type.def pac_externtype.def
+
+DISTCLEANFILES = pac_parse.cc pac_parse.h pac_scan.cc y.output
+
+# Manual rules below:
+
+pac_scan.o:	pac_parse.h
diff --git a/aux/binpac/src/pac_action.cc b/aux/binpac/src/pac_action.cc
new file mode 100644
index 0000000000..0b1ac3574f
--- /dev/null
+++ b/aux/binpac/src/pac_action.cc
@@ -0,0 +1,119 @@
+#include "pac_embedded.h"
+#include "pac_exception.h"
+#include "pac_id.h"
+#include "pac_output.h"
+#include "pac_type.h"
+#include "pac_typedecl.h"
+#include "pac_utils.h"
+
+#include "pac_action.h"
+
+AnalyzerAction::AnalyzerAction(ID *action_id, 
+	                       When when, 
+	                       ActionParam *param, 
+	                       EmbeddedCode *code)
+	: AnalyzerElement(ACTION),
+	  action_id_(action_id),
+	  when_(when),
+	  param_(param),
+	  code_(code),
+	  analyzer_(0) 
+	{
+	}
+
+AnalyzerAction::~AnalyzerAction()
+	{
+	delete action_id_;
+	delete param_;
+	delete code_;
+	}
+
+string AnalyzerAction::action_function() const
+	{
+	return strfmt("Action_%s", action_id_->Name());
+	}
+
+void AnalyzerAction::InstallHook(AnalyzerDecl *analyzer)
+	{
+	ASSERT(0);
+	analyzer_ = analyzer;
+	// param_->MainDataType()->InstallAction(this);
+	}
+
+void AnalyzerAction::GenCode(Output *out_h, Output *out_cc, AnalyzerDecl *decl)
+	{
+	Env action_func_env(decl->env(), this);
+	action_func_env.AddID(param_->id(), 
+	                      TEMP_VAR, 
+	                      param_->DataType());
+	action_func_env.SetEvaluated(param_->id());
+
+	string action_func_proto = 
+		strfmt("%s(%s)", 
+		       action_function().c_str(), 
+		       ParamDecls(&action_func_env).c_str());
+
+	out_h->println("void %s;", action_func_proto.c_str());
+
+	out_cc->println("void %s::%s", 
+	                decl->class_name().c_str(), 
+	                action_func_proto.c_str());
+	out_cc->inc_indent();
+	out_cc->println("{");
+
+	code_->GenCode(out_cc, &action_func_env);
+
+	out_cc->println("");
+	out_cc->println("}");
+	out_cc->dec_indent();
+	out_cc->println("");
+	}
+
+string AnalyzerAction::ParamDecls(Env *env) const
+	{
+	return param_->DeclStr(env);
+	}
+
+Type *ActionParam::MainDataType() const
+	{
+	// Note: this is not equal to DataType()
+	Type *main_type = TypeDecl::LookUpType(type()->type_id());
+
+	if ( ! main_type )
+		{
+		throw Exception(type()->type_id(), 
+		                "type not defined");
+		}
+
+	return main_type;
+	}
+
+Type *ActionParam::DataType() const
+	{
+	Type *main_type = MainDataType();
+
+	if ( ! type()->field_id() )
+		{
+		return main_type;
+		}
+	else
+		{
+		Type *member_type = 
+			main_type->MemberDataType(type()->field_id());
+		if ( ! member_type )
+			{
+			throw Exception(type()->field_id(),
+				fmt("cannot find member type for `%s.%s'",
+				    type()->type_id()->Name(),
+				    type()->field_id()->Name()));
+			}
+		return member_type;
+		}
+	}
+
+string ActionParam::DeclStr(Env *env) const
+	{
+	return strfmt("%s %s", 
+	              DataType()->DataTypeStr().c_str(), 
+	              env->LValue(id()));
+	}
diff --git a/aux/binpac/src/pac_action.h b/aux/binpac/src/pac_action.h
new file mode 100644
index 0000000000..df0828b823
--- /dev/null
+++ b/aux/binpac/src/pac_action.h
@@ -0,0 +1,74 @@
+#ifndef pac_action_h
+#define pac_action_h
+
+// Classes representing analyzer actions.
+
+#include "pac_common.h"
+#include "pac_analyzer.h"
+
+class AnalyzerAction : public AnalyzerElement
+{
+public:
+	enum When { BEFORE, AFTER };
+
+	AnalyzerAction(ID *action_id, 
+	               When when, 
+	               ActionParam *param, 
+	               EmbeddedCode *code);
+
+	~AnalyzerAction();
+
+	When when() const		{ return when_; }
+	ActionParam *param() const	{ return param_; }
+	AnalyzerDecl *analyzer() const	{ return analyzer_; }
+	string action_function() const;
+
+	// Generate function prototype and code for the action
+	void GenCode(Output *out_h, Output *out_cc, AnalyzerDecl *decl);
+
+	// Install the hook at the corresponding data type parsing
+	// function to invoke the action.
+	void InstallHook(AnalyzerDecl *analyzer);
+
+private:
+	string ParamDecls(Env *env) const;
+
+	ID *action_id_;
+	When when_;
+	ActionParam *param_;
+	EmbeddedCode *code_;
+	AnalyzerDecl *analyzer_;
+};
+
+class ActionParam
+{
+public:
+	ActionParam(const ID *id, ActionParamType *type)
+		: id_(id), type_(type) {}
+
+	const ID *id() const		{ return id_; }
+	ActionParamType *type() const	{ return type_; }
+
+	Type *MainDataType() const;
+	Type *DataType() const;
+	string DeclStr(Env *env) const;
+
+private:
+	const ID *id_;
+	ActionParamType *type_;
+};
+
+class ActionParamType
+{
+public:
+	ActionParamType(const ID *type_id, const ID *field_id = 0)
+		: type_id_(type_id), field_id_(field_id) {}
+
+	const ID *type_id() const	{ return type_id_; }
+	const ID *field_id() const	{ return field_id_; }
+
+protected:
+	const ID *type_id_, *field_id_;
+};
+
+#endif  // pac_action_h
diff --git a/aux/binpac/src/pac_analyzer.cc b/aux/binpac/src/pac_analyzer.cc
new file mode 100644
index 0000000000..0c01190a9d
--- /dev/null
+++ b/aux/binpac/src/pac_analyzer.cc
@@ -0,0 +1,358 @@
+#include "pac_action.h"
+#include "pac_context.h"
+#include "pac_embedded.h"
+#include "pac_exception.h"
+#include "pac_expr.h"
+#include "pac_flow.h"
+#include "pac_func.h"
+#include "pac_output.h"
+#include "pac_param.h"
+#include "pac_paramtype.h"
+#include "pac_state.h"
+#include "pac_type.h"
+#include "pac_varfield.h"
+
+#include "pac_analyzer.h"
+
+AnalyzerDecl::AnalyzerDecl(ID *id, 
+                           DeclType decl_type,
+                           ParamList *params)
+	: TypeDecl(id, params, new DummyType())
+	{
+	decl_type_ = decl_type;
+
+	statevars_ = new StateVarList();
+	actions_ = new AnalyzerActionList();
+	helpers_ = new AnalyzerHelperList();
+	functions_ = new FunctionList();
+
+	constructor_helpers_ = new AnalyzerHelperList();
+	destructor_helpers_ = new AnalyzerHelperList();
+	eof_helpers_ = new AnalyzerHelperList();
+
+	SetAnalyzerContext();
+
+	env_ = 0;
+	}
+
+AnalyzerDecl::~AnalyzerDecl()
+	{
+	delete_list(StateVarList, statevars_);
+	delete_list(AnalyzerActionList, actions_);
+	delete_list(AnalyzerHelperList, helpers_);
+	delete_list(FunctionList, functions_);
+	delete_list(ParamList, params_);
+	delete_list(AnalyzerHelperList, constructor_helpers_);
+	delete_list(AnalyzerHelperList, destructor_helpers_);
+	delete_list(AnalyzerHelperList, eof_helpers_);
+	}
+
+void AnalyzerDecl::AddElements(AnalyzerElementList *elemlist)
+	{
+	ASSERT(! env_);
+	foreach(i, AnalyzerElementList, elemlist)
+		{
+		AnalyzerElement *elem = *i;
+		switch ( elem->type() )
+			{
+			case AnalyzerElement::STATE:
+				{
+				ASSERT(0);
+				AnalyzerState *state_elem = 
+					(AnalyzerState *) elem;
+				statevars_->insert(
+					statevars_->end(),
+					state_elem->statevars()->begin(),
+					state_elem->statevars()->end());
+				}
+				break;
+			case AnalyzerElement::ACTION:
+				{
+				ASSERT(0);
+				AnalyzerAction *action_elem = 
+					(AnalyzerAction *) elem;
+				actions_->push_back(action_elem);
+				}
+				break;
+			case AnalyzerElement::HELPER:
+				{
+				AnalyzerHelper *helper_elem = 
+					(AnalyzerHelper *) elem;
+
+				switch ( helper_elem->helper_type() )
+				        {
+					case AnalyzerHelper::INIT_CODE:
+					        constructor_helpers_->push_back(helper_elem);
+						break;
+					case AnalyzerHelper::CLEANUP_CODE:
+ 				                destructor_helpers_->push_back(helper_elem);
+						break;
+					case AnalyzerHelper::EOF_CODE:
+					        eof_helpers_->push_back(helper_elem);
+						break;
+					default:
+					        helpers_->push_back(helper_elem);
+					}
+				}
+				break;
+			case AnalyzerElement::FUNCTION:
+				{
+				AnalyzerFunction *func_elem = 
+					(AnalyzerFunction *) elem;
+				Function *func = func_elem->function();
+				func->set_analyzer_decl(this);
+				functions_->push_back(func);
+				}
+				break;
+			case AnalyzerElement::FLOW:
+				{
+				AnalyzerFlow *flow_elem = 
+					(AnalyzerFlow *) elem;
+				ProcessFlowElement(flow_elem);
+				}
+				break;
+			case AnalyzerElement::DATAUNIT:
+				{
+				AnalyzerDataUnit *dataunit_elem = 
+					(AnalyzerDataUnit *) elem;
+				ProcessDataUnitElement(dataunit_elem);
+				}
+				break;
+			}
+		}
+	}
+
+string AnalyzerDecl::class_name() const
+	{ 
+	return id_->Name(); 
+	}
+
+void AnalyzerDecl::Prepare()
+	{
+	TypeDecl::Prepare();
+
+	ASSERT(statevars_->empty());
+	ASSERT(actions_->empty());
+
+	foreach(i, FunctionList, functions_)
+		{
+		Function *function = *i;
+		function->Prepare(env_);
+		}
+	foreach(i, StateVarList, statevars_)
+		{
+		StateVar *statevar = *i;
+		env_->AddID(statevar->id(), STATE_VAR, statevar->type());
+		}
+	foreach(i, AnalyzerActionList, actions_)
+		{
+		AnalyzerAction *action = *i;
+		action->InstallHook(this);
+		}
+	}
+
+void AnalyzerDecl::GenForwardDeclaration(Output* out_h)
+	{
+	out_h->println("class %s;", class_name().c_str());
+	foreach(i, FunctionList, functions_)
+		{
+		Function *function = *i;
+		function->GenForwardDeclaration(out_h);
+		}
+	}
+
+void AnalyzerDecl::GenActions(Output *out_h, Output *out_cc)
+	{
+	foreach(i, AnalyzerActionList, actions_)
+		{
+		(*i)->GenCode(out_h, out_cc, this);
+		}
+	}
+
+void AnalyzerDecl::GenHelpers(Output *out_h, Output *out_cc)
+	{
+	foreach(i, AnalyzerHelperList, helpers_)
+		{
+		(*i)->GenCode(out_h, out_cc, this);
+		}
+	}
+
+void AnalyzerDecl::GenPubDecls(Output *out_h, Output *out_cc)
+	{
+	TypeDecl::GenPubDecls(out_h, out_cc);
+
+	GenProcessFunc(out_h, out_cc);
+	GenGapFunc(out_h, out_cc);
+	GenEOFFunc(out_h, out_cc);
+	out_h->println("");
+
+	if ( ! functions_->empty() )
+		{
+		out_h->println("// Functions");
+		GenFunctions(out_h, out_cc);
+		out_h->println("");
+		}
+
+	// TODO: export public state variables
+	}
+
+void AnalyzerDecl::GenPrivDecls(Output *out_h, Output *out_cc)
+	{
+	TypeDecl::GenPrivDecls(out_h, out_cc);
+
+	if ( ! helpers_->empty() )
+		{
+		out_h->println("");
+		out_h->println("// Additional members");
+		GenHelpers(out_h, out_cc);
+		}
+
+	// TODO: declare state variables
+	}
+
+void AnalyzerDecl::GenInitCode(Output *out_cc)
+	{
+	TypeDecl::GenInitCode(out_cc);
+	foreach(i, AnalyzerHelperList, constructor_helpers_)
+		{
+		(*i)->GenCode(0, out_cc, this);
+		}
+	}
+
+void AnalyzerDecl::GenCleanUpCode(Output *out_cc)
+	{
+	TypeDecl::GenCleanUpCode(out_cc);
+	foreach(i, AnalyzerHelperList, destructor_helpers_)
+		{
+		(*i)->GenCode(0, out_cc, this);
+		}
+	}
+
+void AnalyzerDecl::GenStateVarDecls(Output *out_h)
+	{
+	foreach(i, StateVarList, statevars_)
+		{
+		StateVar *var = *i;
+		var->GenDecl(out_h, env_);
+		}
+	}
+
+void AnalyzerDecl::GenStateVarSetFunctions(Output *out_h)
+	{
+	foreach(i, StateVarList, statevars_)
+		{
+		StateVar *var = *i;
+		var->GenSetFunction(out_h, env_);
+		}
+	}
+
+void AnalyzerDecl::GenStateVarInitCode(Output *out_cc)
+	{
+	foreach(i, StateVarList, statevars_)
+		{
+		StateVar *var = *i;
+		var->GenInitCode(out_cc, env_);
+		}
+	}
+
+void AnalyzerDecl::GenStateVarCleanUpCode(Output *out_cc)
+	{
+	foreach(i, StateVarList, statevars_)
+		{
+		StateVar *var = *i;
+		var->GenCleanUpCode(out_cc, env_);
+		}
+	}
+
+void AnalyzerDecl::GenFunctions(Output *out_h, Output *out_cc)
+	{
+	foreach(i, FunctionList, functions_)
+		{
+		Function *function = *i;
+		function->GenCode(out_h, out_cc);
+		}
+	}
+
+AnalyzerState::~AnalyzerState()
+	{
+	// Note: do not delete elements of statevars_, because they
+	// are referenced by the AnalyzerDecl.
+	delete statevars_;
+	}
+
+AnalyzerHelper::~AnalyzerHelper()
+	{
+	delete code_;
+	}
+
+void AnalyzerHelper::GenCode(Output *out_h, Output *out_cc, AnalyzerDecl *decl)
+	{
+	Output *out = 0;
+	switch ( helper_type_ )
+		{
+		case MEMBER_DECLS:
+			out = out_h;
+			break;
+		case INIT_CODE:
+		case CLEANUP_CODE:
+		case EOF_CODE:
+			out = out_cc;
+			break;
+		}
+	ASSERT(out);
+	code()->GenCode(out, decl->env());
+	}
+
+FlowField::FlowField(ID *flow_id, ParameterizedType *flow_type)
+	: Field(FLOW_FIELD, 
+		TYPE_NOT_TO_BE_PARSED | CLASS_MEMBER | PUBLIC_READABLE, 
+		flow_id, flow_type)
+	{
+	}
+
+void FlowField::GenInitCode(Output *out_cc, Env *env)
+	{
+	type_->GenPreParsing(out_cc, env);
+	}
+
+AnalyzerFlow::AnalyzerFlow(Direction dir, ID *type_id, ExprList *params)
+	: AnalyzerElement(FLOW),
+	  dir_(dir),
+	  type_id_(type_id)
+	{
+	if ( ! params )
+		params = new ExprList();
+
+	// Add "this" to the list of params
+	params->insert(params->begin(), new Expr(this_id->clone()));
+
+	ID *flow_id = ((dir == UP) ? upflow_id : downflow_id)->clone();
+
+	ParameterizedType *flow_type = new ParameterizedType(type_id_, params);
+
+	flow_field_ = new FlowField(flow_id, flow_type);
+
+	flow_decl_ = 0;
+	}
+
+AnalyzerFlow::~AnalyzerFlow()
+	{
+	delete flow_field_;
+	}
+
+FlowDecl *AnalyzerFlow::flow_decl()
+	{
+	DEBUG_MSG("Getting flow_decl for %s\n", type_id_->Name());
+	if ( ! flow_decl_ )
+		{
+		Decl *decl = Decl::LookUpDecl(type_id_);
+		if ( decl && decl->decl_type() == Decl::FLOW )
+			flow_decl_ = static_cast<FlowDecl *>(decl);
+		if ( ! flow_decl_ )
+			{
+			throw Exception(this, 
+			                "cannot find the flow declaration");
+			}
+		}
+	return flow_decl_;
+	}
diff --git a/aux/binpac/src/pac_analyzer.h b/aux/binpac/src/pac_analyzer.h
new file mode 100644
index 0000000000..a5fd5245aa
--- /dev/null
+++ b/aux/binpac/src/pac_analyzer.h
@@ -0,0 +1,168 @@
+#ifndef pac_analyzer_h
+#define pac_analyzer_h
+
+#include "pac_common.h"
+#include "pac_field.h"
+#include "pac_typedecl.h"
+
+class AnalyzerElement;
+class AnalyzerState;
+class AnalyzerAction;	// defined in pac_action.h
+class AnalyzerHelper;
+class AnalyzerFlow;
+class AnalyzerDataUnit;
+class AnalyzerFunction;
+class ConnDecl;
+class FlowDecl;
+typedef vector<AnalyzerHelper *> AnalyzerHelperList;
+typedef vector<Function *> FunctionList;
+
+class AnalyzerDecl : public TypeDecl
+{
+public:
+	AnalyzerDecl(ID *id, DeclType decl_type, ParamList *params);
+	~AnalyzerDecl();
+
+	void AddElements(AnalyzerElementList *elemlist);
+
+	void Prepare();
+	void GenForwardDeclaration(Output *out_h);
+	// void GenCode(Output *out_h, Output *out_cc);
+
+	void GenInitCode(Output *out_cc);
+	void GenCleanUpCode(Output *out_cc);
+
+	string class_name() const;
+	// string cookie_name() const;
+
+protected:
+	virtual void ProcessFlowElement(AnalyzerFlow *flow_elem) = 0;
+	virtual void ProcessDataUnitElement(AnalyzerDataUnit *dataunit_elem) = 0;
+
+	// Generate public/private declarations for member functions and 
+	// variables
+	void GenPubDecls(Output *out_h, Output *out_cc);
+	void GenPrivDecls(Output *out_h, Output *out_cc);
+
+	// Generate the NewData() function
+	virtual void GenProcessFunc(Output *out_h, Output *out_cc) = 0;
+
+	// Generate the NewGap() function
+	virtual void GenGapFunc(Output *out_h, Output *out_cc) = 0;
+
+	// Generate the FlowEOF() function
+	virtual void GenEOFFunc(Output *out_h, Output *out_cc) = 0;
+
+	// Generate the functions
+	void GenFunctions(Output *out_h, Output *out_cc);
+
+	// Generate the action functions
+	void GenActions(Output *out_h, Output *out_cc);
+
+	// Generate the helper code segments
+	void GenHelpers(Output *out_h, Output *out_cc);
+
+	// Generate declarations for state variables and their set functions
+	void GenStateVarDecls(Output *out_h);
+	void GenStateVarSetFunctions(Output *out_h);
+
+	// Generate code for initializing and cleaning up (including
+	// memory de-allocating) state variables
+	void GenStateVarInitCode(Output *out_cc);
+	void GenStateVarCleanUpCode(Output *out_cc);
+
+	StateVarList *statevars_;
+	AnalyzerActionList *actions_;
+	AnalyzerHelperList *helpers_;
+	FunctionList *functions_;
+
+	AnalyzerHelperList *constructor_helpers_;
+	AnalyzerHelperList *destructor_helpers_;
+	AnalyzerHelperList *eof_helpers_;
+};
+
+class AnalyzerElement : public Object
+{
+public:
+	enum ElementType { STATE, ACTION, FUNCTION, HELPER, FLOW, DATAUNIT };
+	AnalyzerElement(ElementType type)
+		: type_(type) {}
+	virtual ~AnalyzerElement() {}
+
+	ElementType type() const	{ return type_; }
+
+private:
+	ElementType type_;
+};
+
+// A collection of variables representing analyzer states.
+class AnalyzerState : public AnalyzerElement
+{
+public:
+	AnalyzerState(StateVarList *statevars)
+		: AnalyzerElement(STATE),
+		  statevars_(statevars) {}
+	~AnalyzerState();
+
+	StateVarList *statevars() const	{ return statevars_; }
+
+private:
+	StateVarList *statevars_;
+};
+
+// A collection of embedded C++ code
+class AnalyzerHelper : public AnalyzerElement
+{
+public:
+	enum Type {
+		MEMBER_DECLS,
+		INIT_CODE,
+		CLEANUP_CODE,
+		EOF_CODE,
+	};
+	AnalyzerHelper(Type helper_type, EmbeddedCode *code)
+		: AnalyzerElement(HELPER),
+		  helper_type_(helper_type), 
+		  code_(code) {}
+	~AnalyzerHelper();
+
+	Type helper_type() const	{ return helper_type_; }
+
+	void GenCode(Output *out_h, Output *out_cc, AnalyzerDecl *decl);
+
+	EmbeddedCode *code() const	{ return code_; }
+
+private:
+	Type helper_type_;
+	EmbeddedCode *code_;
+};
+
+// The type and parameters of (uni-directional) flows of a connection.
+
+class FlowField : public Field
+{
+public:
+	FlowField(ID *flow_id, ParameterizedType *flow_type);
+	void GenInitCode(Output *out, Env *env);
+};
+
+class AnalyzerFlow : public AnalyzerElement
+{
+public:
+	enum Direction { UP, DOWN };
+	AnalyzerFlow(Direction dir, ID *type_id, ExprList *params);
+	~AnalyzerFlow();
+
+	Direction dir() const		{ return dir_; }
+	FlowField *flow_field() const	{ return flow_field_; }
+
+	FlowDecl *flow_decl();
+
+private:
+	Direction dir_;
+	ID *type_id_;
+	FlowField *flow_field_;
+	FlowDecl *flow_decl_;
+};
+
+#endif  // pac_analyzer_h
diff --git a/aux/binpac/src/pac_array.cc b/aux/binpac/src/pac_array.cc
new file mode 100644
index 0000000000..7477ba050b
--- /dev/null
+++ b/aux/binpac/src/pac_array.cc
@@ -0,0 +1,700 @@
+#include "pac_attr.h"
+#include "pac_dataptr.h"
+#include "pac_exception.h"
+#include "pac_expr.h"
+#include "pac_exttype.h"
+#include "pac_id.h"
+#include "pac_number.h"
+#include "pac_output.h"
+#include "pac_utils.h"
+#include "pac_varfield.h"
+
+#include "pac_array.h"
+
+ArrayType::ArrayType(Type *elemtype, Expr *length)
+	: Type(ARRAY), elemtype_(elemtype), length_(length)
+	{
+	init();
+
+	switch ( elemtype_->tot() )
+		{
+		case BUILTIN:
+		case PARAMETERIZED:
+		case STRING:
+		case EXTERN:
+			break;
+
+		case ARRAY:
+		case CASE:
+		case DUMMY:
+		case EMPTY:
+		case RECORD:
+		case UNDEF:
+			ASSERT(0);
+			break;
+		}
+	}
+
+void ArrayType::init()
+	{
+	arraylength_var_field_ = 0;
+	elem_it_var_field_ = 0;
+	elem_var_field_ = 0;
+	elem_dataptr_var_field_ = 0;
+	elem_input_var_field_ = 0;
+
+	elem_dataptr_until_expr_ = 0;
+
+	end_of_array_loop_label_ = "@@@";
+
+	vector_str_ = strfmt("vector<%s>", elemtype_->DataTypeStr().c_str());
+
+	datatype_str_ = strfmt("%s *", vector_str_.c_str());
+
+	attr_generic_until_expr_ = 0;
+	attr_until_element_expr_ = 0;
+	attr_until_input_expr_ = 0;
+	}
+
+ArrayType::~ArrayType()
+	{
+	delete arraylength_var_field_;
+	delete elem_it_var_field_;
+	delete elem_var_field_;
+	delete elem_dataptr_var_field_;
+	delete elem_input_var_field_;
+
+	delete elem_dataptr_until_expr_;
+	}
+
+Type *ArrayType::DoClone() const
+	{
+	Type *elemtype = elemtype_->Clone();
+	if ( ! elemtype )
+		return 0;
+	return new ArrayType(elemtype, length_);
+	}
+
+bool ArrayType::DefineValueVar() const
+	{
+	return true;
+	}
+
+string ArrayType::DataTypeStr() const
+	{
+	return datatype_str_;
+	}
+
+Type *ArrayType::ElementDataType() const
+	{
+	return elemtype_;
+	}
+
+string ArrayType::EvalElement(const string &array, const string &index) const
+	{
+	return strfmt("(*(%s))[%s]", array.c_str(), index.c_str());
+	}
+
+const ID *ArrayType::arraylength_var() const
+	{
+	return arraylength_var_field_ ? arraylength_var_field_->id() : 0;
+	}
+
+const ID *ArrayType::elem_it_var() const
+	{
+	return elem_it_var_field_ ? elem_it_var_field_->id() : 0;
+	}
+
+const ID *ArrayType::elem_var() const
+	{
+	return elem_var_field_ ? elem_var_field_->id() : 0;
+	}
+
+const ID *ArrayType::elem_dataptr_var() const
+	{
+	return elem_dataptr_var_field_ ? elem_dataptr_var_field_->id() : 0;
+	}
+
+const ID *ArrayType::elem_input_var() const
+	{
+	return elem_input_var_field_ ? elem_input_var_field_->id() : 0;
+	}
+
+void ArrayType::ProcessAttr(Attr *a)
+	{
+	Type::ProcessAttr(a);
+
+	switch ( a->type() )
+		{
+		case ATTR_RESTOFDATA:
+			{
+			if ( elemtype_->StaticSize(env()) != 1 )
+				{
+				throw Exception(elemtype_, 
+					"&restofdata can be applied"
+					" to only byte arrays");
+				}
+			if ( length_ )
+				{
+				throw Exception(length_, 
+					"&restofdata cannot be applied"
+					" to arrays with specified length");
+				}
+			attr_restofdata_ = true;
+			// As the array automatically extends to the end of 
+			// data, we do not have to check boundary.
+			SetBoundaryChecked();
+			}
+			break;
+
+		case ATTR_RESTOFFLOW:
+			attr_restofflow_ = true;
+			// TODO: handle &restofflow
+			break;
+
+		case ATTR_UNTIL:
+			{
+			bool ref_element = a->expr()->HasReference(element_macro_id);
+			bool ref_input = a->expr()->HasReference(input_macro_id);
+			if ( ref_element && ref_input )
+				{
+				throw Exception(a->expr(), 
+					"cannot reference both $element and $input "
+					"in the same &until---please separate them.");
+				}
+
+			if ( ref_element )
+				{
+				if ( attr_until_element_expr_ )
+					{
+					throw Exception(a->expr(), 
+						"multiple &until on $element");
+					}
+				attr_until_element_expr_ = a->expr();
+				}
+			else if ( ref_input )
+				{
+				if ( attr_until_input_expr_ )
+					{
+					throw Exception(a->expr(), 
+						"multiple &until on $input");
+					}
+				attr_until_input_expr_ = a->expr();
+				}
+			else
+				{
+				if ( attr_generic_until_expr_ )
+					{
+					throw Exception(a->expr(), 
+						"multiple &until condition");
+					}
+				attr_generic_until_expr_ = a->expr();
+				}
+			}
+			break;
+
+		default:
+			break;
+		}
+	}
+
+void ArrayType::Prepare(Env *env, int flags)
+	{
+	if ( flags & TO_BE_PARSED )
+		{
+		ID *arraylength_var = new ID(fmt("%s__arraylength", value_var()->Name()));
+		ID *elem_var = new ID(fmt("%s__elem", value_var()->Name()));
+		ID *elem_it_var = new ID(fmt("%s__it", elem_var->Name()));
+
+		elem_var_field_ = 
+			new ParseVarField(Field::CLASS_MEMBER, elem_var, elemtype_);
+		AddField(elem_var_field_);
+
+		if ( incremental_parsing() )
+			{
+			arraylength_var_field_ = 
+				new PrivVarField(arraylength_var, extern_type_int->Clone());
+			elem_it_var_field_ = 
+				new PrivVarField(elem_it_var, extern_type_int->Clone());
+
+			AddField(arraylength_var_field_);
+			AddField(elem_it_var_field_);
+			}
+		else
+			{
+			arraylength_var_field_ = 
+				new TempVarField(arraylength_var, extern_type_int->Clone());
+			elem_it_var_field_ = 
+				new TempVarField(elem_it_var, extern_type_int->Clone());
+
+			arraylength_var_field_->Prepare(env);
+			elem_it_var_field_->Prepare(env);
+
+			// Add elem_dataptr_var only when not parsing incrementally
+			ID *elem_dataptr_var = 
+				new ID(fmt("%s__dataptr", elem_var->Name()));
+			elem_dataptr_var_field_ = new TempVarField(
+				elem_dataptr_var, 
+				extern_type_const_byteptr->Clone());
+			elem_dataptr_var_field_->Prepare(env);
+
+			// until(dataptr >= end_of_data)
+			elem_dataptr_until_expr_ = new Expr(
+				Expr::EXPR_GE, 
+				new Expr(elem_dataptr_var->clone()),
+				new Expr(end_of_data->clone()));
+			}
+
+		if ( attr_until_input_expr_ )
+			{
+			elemtype_->SetUntilCheck(this);
+			}
+
+		end_of_array_loop_label_ = strfmt("end_of_%s", value_var()->Name());
+		}
+
+	Type::Prepare(env, flags);
+	}
+
+void ArrayType::GenArrayLength(Output *out_cc, Env *env, const DataPtr& data)
+	{
+	if ( env->Evaluated(arraylength_var()) )
+		return;
+
+	if ( ! incremental_parsing() )
+		{
+		arraylength_var_field_->GenTempDecls(out_cc, env);
+		arraylength_var_field_->GenInitCode(out_cc, env);
+		}
+
+	if ( length_ )
+		{
+		out_cc->println("%s = %s;", 
+			env->LValue(arraylength_var()), 
+			length_->EvalExpr(out_cc, env));
+
+		env->SetEvaluated(arraylength_var());
+
+		// Check for overlong array length. We cap it at the
+		// maximum data size as we won't store more elements.
+		out_cc->println("if ( t_begin_of_data + %s > t_end_of_data + 1 )",
+			env->LValue(arraylength_var()));
+		out_cc->inc_indent();
+		out_cc->println("{");
+		out_cc->println("%s = t_end_of_data - t_begin_of_data + 1;",
+			env->LValue(arraylength_var()));
+		out_cc->println("}");
+		out_cc->dec_indent();
+		
+		// Check negative array length
+		out_cc->println("if ( %s < 0 )",
+			env->LValue(arraylength_var())); 
+		out_cc->inc_indent();
+		out_cc->println("{");
+		out_cc->println("%s = 0;",
+			env->LValue(arraylength_var())); 
+		out_cc->println("}");
+		out_cc->dec_indent();
+		}
+	else if ( attr_restofdata_ )
+		{
+		ASSERT(elemtype_->StaticSize(env) == 1);
+		out_cc->println("%s = (%s) - (%s);", 
+			env->LValue(arraylength_var()), 
+			env->RValue(end_of_data),
+			data.ptr_expr());
+		env->SetEvaluated(arraylength_var());
+		}
+	}
+
+void ArrayType::GenPubDecls(Output *out_h, Env *env)
+	{
+	Type::GenPubDecls(out_h, env);
+
+	if ( declared_as_type() )
+		{
+		out_h->println("int size() const	{ return %s ? %s->size() : 0; }",
+			env->RValue(value_var()),
+			env->RValue(value_var()));
+		out_h->println("%s operator[](int index) const { BINPAC_ASSERT(%s); return (*%s)[index]; }",
+			elemtype_->DataTypeConstRefStr().c_str(),
+			env->RValue(value_var()),
+			env->RValue(value_var()));
+		}
+	}
+
+void ArrayType::GenPrivDecls(Output *out_h, Env *env)
+	{
+	ASSERT(elem_var_field_->type() == elemtype_);
+	ASSERT(elemtype_->value_var());
+	Type::GenPrivDecls(out_h, env);
+	}
+
+void ArrayType::GenInitCode(Output *out_cc, Env *env)
+	{
+	// Do not initiate the array here
+	// out_cc->println("%s = new %s;", lvalue(), vector_str_.c_str());
+	out_cc->println("%s = 0;", lvalue());
+
+	Type::GenInitCode(out_cc, env);
+	if ( incremental_parsing() )
+		{
+		out_cc->println("%s = -1;", 
+			env->LValue(elem_it_var()));
+		}
+	}
+
+void ArrayType::GenCleanUpCode(Output *out_cc, Env *env)
+	{
+	Type::GenCleanUpCode(out_cc, env);
+	if ( elemtype_->NeedsCleanUp() )
+		{
+		if ( ! elem_var_field_ )
+			{
+			ID *elem_var = new ID(fmt("%s__elem", value_var()->Name()));
+			elem_var_field_ = 
+				new ParseVarField(
+					Field::NOT_CLASS_MEMBER, 
+					elem_var, 
+					elemtype_);
+			elem_var_field_->Prepare(env);
+			}
+
+		out_cc->println("if ( %s )", env->RValue(value_var()));
+		out_cc->inc_indent();
+		out_cc->println("{");
+
+		out_cc->println("for ( int i = 0; i < (int) %s->size(); ++i )",
+			env->RValue(value_var()));
+		out_cc->inc_indent();
+		out_cc->println("{");
+		out_cc->println("%s %s = (*%s)[i];", 
+			elemtype_->DataTypeStr().c_str(), 
+			env->LValue(elem_var()), 
+			lvalue());
+		elemtype_->GenCleanUpCode(out_cc, env);
+		out_cc->println("}");
+		out_cc->dec_indent();
+
+		out_cc->println("}");
+		out_cc->dec_indent();
+		}
+	out_cc->println("delete %s;", lvalue());
+	}
+
+string ArrayType::GenArrayInit(Output *out_cc, Env *env, bool known_array_length)
+	{
+	string array_str;
+
+	array_str = lvalue();
+	if ( incremental_parsing() )
+		{
+		out_cc->println("if ( %s < 0 )", 
+			env->LValue(elem_it_var()));
+		out_cc->inc_indent();
+		out_cc->println("{");
+		out_cc->println("// Initialize only once");
+		out_cc->println("%s = 0;", env->LValue(elem_it_var()));
+		}
+
+	out_cc->println("%s = new %s;", 
+		lvalue(), vector_str_.c_str());
+
+	if ( known_array_length )
+		{
+		out_cc->println("%s->reserve(%s);", 
+			lvalue(), env->RValue(arraylength_var()));
+		}
+
+	if ( incremental_parsing() )
+		{
+		out_cc->println("}");
+		out_cc->dec_indent();
+		}
+
+	return array_str;
+	}
+
+void ArrayType::GenElementAssignment(Output *out_cc, Env *env,
+		string const &array_str, bool use_vector)
+	{
+	// Assign the element
+	if ( ! use_vector )
+		{
+		out_cc->println("%s[%s] = %s;", 
+			array_str.c_str(), 
+			env->LValue(elem_it_var()), 
+			env->LValue(elem_var()));
+		}
+	else
+		{
+		out_cc->println("%s->push_back(%s);", 
+			array_str.c_str(), 
+			env->LValue(elem_var()));
+		}
+	}
+
+void ArrayType::DoGenParseCode(Output *out_cc, Env *env, 
+		const DataPtr& data, int flags)
+	{
+	GenArrayLength(out_cc, env, data);
+
+	// Otherwise these variables are declared as member variables
+	if ( ! incremental_parsing() )
+		{
+		// Declare and initialize temporary variables
+		elem_var_field_->GenInitCode(out_cc, env);
+		elem_it_var_field_->GenTempDecls(out_cc, env);
+		out_cc->println("%s = 0;", env->LValue(elem_it_var()));
+		env->SetEvaluated(elem_it_var());
+		}
+
+	/*
+	If the input length can be determined without parsing
+	individual elements, generate the boundary checking before
+	parsing (unless in the case of incremental parsing).
+
+	There are two cases when the input length can be determined:
+	1. The array has a static size;
+	2. The array length can be computed before parsing and
+   	each element is of constant size.
+	*/
+
+	bool compute_size_var = false;
+
+	if ( incremental_input() )
+		{
+		// Do not compute size_var on incremental input
+		compute_size_var = false;
+		
+		if ( ! incremental_parsing() &&
+		     ( StaticSize(env) >= 0 ||
+		       ( env->Evaluated(arraylength_var()) && 
+		         elemtype_->StaticSize(env) >= 0 ) ) )
+			{
+			GenBoundaryCheck(out_cc, env, data);
+			}
+		}
+	else
+		{
+		compute_size_var = AddSizeVar(out_cc, env);
+		}
+
+	bool known_array_length = env->Evaluated(arraylength_var());
+	string array_str = GenArrayInit(out_cc, env, known_array_length);
+
+	bool use_vector = true;
+
+	ASSERT(elem_it_var());
+
+	DataPtr elem_data(env, 0, 0);
+
+	if ( elem_dataptr_var() )
+		{
+		out_cc->println("const_byteptr %s = %s;", 
+			env->LValue(elem_dataptr_var()), data.ptr_expr());
+		env->SetEvaluated(elem_dataptr_var());
+
+		elem_data = DataPtr(env, elem_dataptr_var(), 0);
+		}
+
+	string for_condition = known_array_length ?
+		strfmt("%s < %s", 
+			env->LValue(elem_it_var()), 
+			env->RValue(arraylength_var())) :
+		"/* forever */";
+
+	out_cc->println("for (; %s; ++%s)", 
+		for_condition.c_str(), 
+		env->LValue(elem_it_var()));
+	out_cc->inc_indent();
+	out_cc->println("{");
+
+	if ( attr_generic_until_expr_ )
+		GenUntilCheck(out_cc, env, attr_generic_until_expr_, true);
+
+	if ( elem_dataptr_var() )
+		GenUntilCheck(out_cc, env, elem_dataptr_until_expr_, false);
+	
+	elemtype_->GenPreParsing(out_cc, env);
+	elemtype_->GenParseCode(out_cc, env, elem_data, flags);
+
+	if ( incremental_parsing() ) 
+		{
+		out_cc->println("if ( ! %s )", 
+			elemtype_->parsing_complete(env).c_str());
+		out_cc->inc_indent();
+		out_cc->println("goto %s;", kNeedMoreData);
+		out_cc->dec_indent();
+		}
+
+	GenElementAssignment(out_cc, env, array_str, use_vector);
+
+	if ( elem_dataptr_var() )
+		{
+		out_cc->println("%s += %s;", 
+			env->LValue(elem_dataptr_var()), 
+			elemtype_->DataSize(0, env, elem_data).c_str());
+		out_cc->println("BINPAC_ASSERT(%s <= %s);",
+			env->RValue(elem_dataptr_var()), 
+			env->RValue(end_of_data));
+		}
+
+	if ( attr_until_element_expr_ )
+		GenUntilCheck(out_cc, env, attr_until_element_expr_, false);
+
+	if ( elemtype_->IsPointerType() )
+		out_cc->println("%s = 0;", env->LValue(elem_var()));
+
+	out_cc->println("}");
+	out_cc->dec_indent();
+
+	out_cc->dec_indent();
+	out_cc->println("%s: ;", end_of_array_loop_label_.c_str());
+	out_cc->inc_indent();
+
+	if ( compute_size_var && elem_dataptr_var() && ! env->Evaluated(size_var()) )
+		{
+		// Compute the data size
+		out_cc->println("%s = %s - (%s);", 
+			env->LValue(size_var()),
+			env->RValue(elem_dataptr_var()),
+			data.ptr_expr());
+		env->SetEvaluated(size_var());
+		}
+	}
+
+void ArrayType::GenUntilInputCheck(Output *out_cc, Env *env)
+	{
+	ID *elem_input_var_id = new ID(
+		fmt("%s__elem_input", value_var()->Name()));
+	elem_input_var_field_ = new TempVarField(
+		elem_input_var_id, extern_type_const_bytestring->Clone());
+	elem_input_var_field_->Prepare(env);
+
+	out_cc->println("%s %s(%s, %s);", 
+		extern_type_const_bytestring->DataTypeStr().c_str(),
+		env->LValue(elem_input_var()),
+		env->RValue(begin_of_data),
+		env->RValue(end_of_data));
+	env->SetEvaluated(elem_input_var());
+
+	GenUntilCheck(out_cc, env, attr_until_input_expr_, true);
+	}
+
+void ArrayType::GenUntilCheck(Output *out_cc, Env *env, 
+		Expr *until_expr, bool delete_elem)
+	{
+	ASSERT(until_expr);
+
+	Env check_env(env, this);
+	check_env.AddMacro(element_macro_id, 
+		new Expr(elem_var()->clone()));
+	if ( elem_input_var() )
+		{
+		check_env.AddMacro(input_macro_id, 
+			new Expr(elem_input_var()->clone()));
+		}
+
+	out_cc->println("// Check &until(%s)", until_expr->orig());
+	out_cc->println("if ( %s )", 
+		until_expr->EvalExpr(out_cc, &check_env));
+	out_cc->inc_indent();
+	out_cc->println("{");
+	if ( parsing_complete_var() )
+		{
+		out_cc->println("%s = true;",
+			env->LValue(parsing_complete_var()));
+		}
+
+	if ( elemtype_->IsPointerType() )
+		{
+		if ( delete_elem )
+			elemtype_->GenCleanUpCode(out_cc, env);
+		else
+			out_cc->println("%s = 0;", env->LValue(elem_var()));
+		}
+
+	out_cc->println("goto %s;", end_of_array_loop_label_.c_str());
+	out_cc->println("}");
+	out_cc->dec_indent();
+	}
+
+void ArrayType::GenDynamicSize(Output *out_cc, Env *env,
+		const DataPtr& data)
+	{
+	ASSERT(! incremental_input());
+	DEBUG_MSG("Generating dynamic size for array `%s'\n", 
+		value_var()->Name());
+
+	int elem_w = elemtype_->StaticSize(env);
+	if ( elem_w >= 0 &&
+	     ! attr_until_element_expr_ && 
+	     ! attr_until_input_expr_ &&
+	     ( length_ || attr_restofdata_ ) )
+		{
+		// If the elements have a fixed size,
+		// we only need to compute the number of elements
+		bool compute_size_var = AddSizeVar(out_cc, env);
+		ASSERT(compute_size_var);
+		GenArrayLength(out_cc, env, data);
+		ASSERT(env->Evaluated(arraylength_var()));
+		out_cc->println("%s = %d * %s;",
+			env->LValue(size_var()), elem_w, env->RValue(arraylength_var()));
+		env->SetEvaluated(size_var());
+		}
+	else
+		{
+		// Otherwise we need parse the array dynamically
+		GenParseCode(out_cc, env, data, 0);
+		}
+	}
+
+int ArrayType::StaticSize(Env *env) const
+	{
+	int num = 0;
+
+	if ( ! length_ || ! length_->ConstFold(env, &num) )
+		return -1;
+
+	int elem_w = elemtype_->StaticSize(env);
+	if ( elem_w < 0 )
+		return -1;
+
+	DEBUG_MSG("static size of %s:%s = %d * %d\n", 
+		decl_id()->Name(), lvalue(), elem_w, num);
+
+	return num * elem_w;
+	}
+
+void ArrayType::SetBoundaryChecked()
+	{
+	Type::SetBoundaryChecked();
+	elemtype_->SetBoundaryChecked();
+	}
+
+void ArrayType::DoMarkIncrementalInput()
+	{
+	elemtype_->MarkIncrementalInput(); 
+	}
+
+bool ArrayType::RequiresAnalyzerContext()
+	{ 
+	return Type::RequiresAnalyzerContext() ||
+	       ( length_ && length_->RequiresAnalyzerContext() ) || 
+	       elemtype_->RequiresAnalyzerContext(); 
+	}
+
+bool ArrayType::DoTraverse(DataDepVisitor *visitor)
+	{ 
+	if ( ! Type::DoTraverse(visitor) )
+		return false;
+
+	if ( length_ && ! length_->Traverse(visitor) )
+		return false;
+
+	if ( ! elemtype_->Traverse(visitor) )
+		return false; 
+
+	return true;
+	}
diff --git a/aux/binpac/src/pac_array.h b/aux/binpac/src/pac_array.h
new file mode 100644
index 0000000000..022ef2ea4a
--- /dev/null
+++ b/aux/binpac/src/pac_array.h
@@ -0,0 +1,92 @@
+#ifndef pac_array_h
+#define pac_array_h
+
+#include "pac_common.h"
+#include "pac_type.h"
+
+// Fixed-length array and variable length sequence with an ending pattern
+
+class ArrayType : public Type
+{
+public:
+	ArrayType(Type *arg_elemtype, Expr *arg_length = 0);
+	~ArrayType();
+
+	bool DefineValueVar() const;
+	string DataTypeStr() const;
+	string DefaultValue() const	{ return "0"; }
+	Type *ElementDataType() const;
+
+	string EvalElement(const string &array, const string &index) const;
+
+	void ProcessAttr(Attr *a);
+
+	void Prepare(Env *env, int flags);
+
+	void GenPubDecls(Output *out, Env *env);
+	void GenPrivDecls(Output *out, Env *env);
+
+	void GenInitCode(Output *out, Env *env);
+	void GenCleanUpCode(Output *out, Env *env);
+
+	int StaticSize(Env *env) const;
+
+	void SetBoundaryChecked();
+	void GenUntilInputCheck(Output *out_cc, Env *env);
+
+	bool IsPointerType() const	{ return true; }
+
+protected:
+	void init();
+
+	void DoGenParseCode(Output *out, Env *env, const DataPtr& data, int flags);
+	void GenDynamicSize(Output *out, Env *env, const DataPtr& data);
+	void GenArrayLength(Output *out_cc, Env *env, const DataPtr& data);
+	string GenArrayInit(Output *out_cc, Env *env, bool known_array_length);
+	void GenElementAssignment(Output *out_cc, Env *env,
+		string const &array_str, bool use_vector);
+	void GenUntilCheck(Output *out_cc, Env *env, 
+		Expr *until_condition, bool delete_elem);
+
+	bool ByteOrderSensitive() const 
+		{ 
+		return elemtype_->RequiresByteOrder(); 
+		}
+	bool RequiresAnalyzerContext();
+
+	Type *DoClone() const;
+
+	void DoMarkIncrementalInput();
+
+	const ID *arraylength_var() const;
+	const ID *elem_it_var() const;
+	const ID *elem_var() const;
+	const ID *elem_dataptr_var() const;
+	const ID *elem_input_var() const;
+
+protected:
+	bool DoTraverse(DataDepVisitor *visitor);
+
+private:
+	Type *elemtype_;
+	Expr *length_;
+
+	string vector_str_;
+	string datatype_str_;
+	string end_of_array_loop_label_;
+
+	Field *arraylength_var_field_;
+	Field *elem_it_var_field_;
+	Field *elem_var_field_;
+	Field *elem_dataptr_var_field_;
+	Field *elem_input_var_field_;
+
+	// This does not come from &until, but is internally generated
+	Expr *elem_dataptr_until_expr_;
+
+	Expr *attr_generic_until_expr_;
+	Expr *attr_until_element_expr_;
+	Expr *attr_until_input_expr_;
+};
+
+#endif  // pac_array_h
diff --git a/aux/binpac/src/pac_attr.cc b/aux/binpac/src/pac_attr.cc
new file mode 100644
index 0000000000..cfd6263be6
--- /dev/null
+++ b/aux/binpac/src/pac_attr.cc
@@ -0,0 +1,57 @@
+#include "pac_attr.h"
+#include "pac_expr.h"
+
+bool Attr::DoTraverse(DataDepVisitor *visitor)
+	{
+	if ( expr_ && ! expr_->Traverse(visitor) )
+		return false;
+	return true;
+	}
+
+bool Attr::RequiresAnalyzerContext() const
+	{
+	return (expr_ && expr_->RequiresAnalyzerContext());
+	}
+
+void Attr::init()
+	{
+	expr_ = 0;
+	seqend_ = 0;
+	}
+
+Attr::Attr(AttrType type)
+	: DataDepElement(DataDepElement::ATTR)
+	{
+	type_ = type;
+	init();
+	}
+
+Attr::Attr(AttrType type, Expr *expr)
+	: DataDepElement(DataDepElement::ATTR)
+	{
+	type_ = type;
+	init();
+	expr_ = expr;
+	}
+
+Attr::Attr(AttrType type, ExprList *exprlist)
+	: DataDepElement(DataDepElement::ATTR)
+	{
+	type_ = type;
+	init();
+	expr_ = new Expr(exprlist);
+	}
+
+Attr::Attr(AttrType type, SeqEnd *seqend)
+	: DataDepElement(DataDepElement::ATTR)
+	{
+	type_ = type;
+	init();
+	seqend_ = seqend;
+	}
+
+LetAttr::LetAttr(FieldList *letfields)
+	: Attr(ATTR_LET)
+	{
+	letfields_ = letfields;
+	}
diff --git a/aux/binpac/src/pac_attr.h b/aux/binpac/src/pac_attr.h
new file mode 100644
index 0000000000..67bdbedc8d
--- /dev/null
+++ b/aux/binpac/src/pac_attr.h
@@ -0,0 +1,61 @@
+#ifndef pac_attr_h
+#define pac_attr_h
+
+#include "pac_common.h"
+#include "pac_datadep.h"
+
+enum AttrType { 
+	ATTR_BYTEORDER, 
+	ATTR_CHECK, 
+	ATTR_CHUNKED,
+	ATTR_EXPORTSOURCEDATA,
+	ATTR_IF,
+	ATTR_LENGTH, 
+	ATTR_LET,
+	ATTR_LINEBREAKER,
+	ATTR_MULTILINE,
+	ATTR_ONELINE,
+	ATTR_REFCOUNT,
+	ATTR_REQUIRES,
+	ATTR_RESTOFDATA, 
+	ATTR_RESTOFFLOW, 
+	ATTR_TRANSIENT,
+	ATTR_UNTIL,
+};
+
+class Attr : public Object, public DataDepElement
+{
+public:
+	Attr(AttrType type);
+	Attr(AttrType type, Expr *expr);
+	Attr(AttrType type, ExprList *exprlist);
+	Attr(AttrType type, SeqEnd *seqend);
+
+	AttrType type() const 		{ return type_; }
+	Expr *expr() const		{ return expr_; }
+	SeqEnd *seqend() const		{ return seqend_; }
+
+	bool RequiresAnalyzerContext() const;
+
+protected:
+	bool DoTraverse(DataDepVisitor *visitor);
+
+protected:
+	void init();
+
+	AttrType type_;
+	Expr *expr_;
+	SeqEnd *seqend_;
+};
+
+class LetAttr : public Attr
+{
+public:
+	LetAttr(FieldList *letfields);
+	FieldList *letfields() const	{ return letfields_; }
+
+private:
+	FieldList *letfields_;
+};
+
+#endif  // pac_attr_h
diff --git a/aux/binpac/src/pac_btype.cc b/aux/binpac/src/pac_btype.cc
new file mode 100644
index 0000000000..a7df6f7bf3
--- /dev/null
+++ b/aux/binpac/src/pac_btype.cc
@@ -0,0 +1,144 @@
+#include "pac_btype.h"
+#include "pac_dataptr.h"
+#include "pac_id.h"
+#include "pac_output.h"
+
+Type *BuiltInType::DoClone() const
+	{
+	return new BuiltInType(bit_type());
+	}
+
+bool BuiltInType::IsNumericType() const
+	{
+	BITType t = bit_type();
+	return (t == INT8 || t == INT16 || t == INT32 ||
+	        t == UINT8 || t == UINT16 || t == UINT32);
+	}
+
+bool BuiltInType::CompatibleBuiltInTypes(BuiltInType *type1, 
+	                                 BuiltInType *type2)
+	{
+	return type1->IsNumericType() && type2->IsNumericType();
+	}
+
+static const char* basic_pactype_name[] = {
+#	define TYPE_DEF(name, pactype, ctype, size)	pactype,
+#	include "pac_type.def"
+#	undef TYPE_DEF
+	0,
+};
+
+void BuiltInType::static_init()
+	{
+	for ( int bit_type = 0; basic_pactype_name[bit_type]; ++bit_type )
+		{
+		Type::AddPredefinedType(
+			basic_pactype_name[bit_type], 
+			new BuiltInType((BITType) bit_type));
+		}
+	}
+
+int BuiltInType::LookUpByName(const char* name)
+	{
+	ASSERT(0);
+	for ( int i = 0; basic_pactype_name[i]; ++i )
+		if ( strcmp(basic_pactype_name[i], name) == 0 )
+			return i;
+	return -1;
+	}
+
+static const char* basic_ctype_name[] = {
+#	define TYPE_DEF(name, pactype, ctype, size)	ctype,
+#	include "pac_type.def"
+#	undef TYPE_DEF
+	0,
+};
+
+bool BuiltInType::DefineValueVar() const
+	{
+	return bit_type_ != EMPTY;
+	}
+
+string BuiltInType::DataTypeStr() const
+	{
+	return basic_ctype_name[bit_type_];
+	}
+
+int BuiltInType::StaticSize(Env* /* env */) const
+	{
+	static const size_t basic_type_size[] = 
+		{
+#		define TYPE_DEF(name, pactype, ctype, size)	size,
+#		include "pac_type.def"
+#		undef TYPE_DEF
+		};
+
+	return basic_type_size[bit_type_];
+	}
+
+void BuiltInType::DoMarkIncrementalInput()
+	{
+	if ( bit_type_ == EMPTY )
+		return;
+	Type::DoMarkIncrementalInput();
+	}
+
+void BuiltInType::GenInitCode(Output* out_cc, Env* env)
+	{
+	if ( bit_type_ != EMPTY )
+		out_cc->println("%s = 0;", env->LValue(value_var()));
+	Type::GenInitCode(out_cc, env);
+	}
+
+void BuiltInType::GenDynamicSize(Output* out_cc, Env* env, const DataPtr& data)
+	{
+	/* should never be called */
+	ASSERT(0);
+	}
+
+void BuiltInType::DoGenParseCode(Output* out_cc, Env* env,
+		const DataPtr& data, int flags)
+	{
+	if ( bit_type_ == EMPTY )
+		return;
+
+	// There is no need to generate the size variable
+	// out_cc->println("%s = sizeof(%s);", size_var(), DataTypeStr().c_str());
+
+	GenBoundaryCheck(out_cc, env, data);
+
+	if ( anonymous_value_var() )
+		return;
+
+	switch ( bit_type_ ) 
+		{
+		case EMPTY:
+			// do nothing
+			break;
+
+		case INT8:
+		case UINT8:
+			out_cc->println("%s = *((%s const *) (%s));",
+				lvalue(), DataTypeStr().c_str(), data.ptr_expr()); 
+			break;
+		case INT16:
+		case UINT16:
+		case INT32:
+		case UINT32:
+#if 0
+			out_cc->println("%s = UnMarshall<%s>(%s, %s);",
+				lvalue(), 
+				DataTypeStr().c_str(), 
+				data.ptr_expr(),
+				EvalByteOrder(out_cc, env).c_str());
+#else
+			out_cc->println("%s = FixByteOrder(%s, *((%s const *) (%s)));",
+				lvalue(), 
+				EvalByteOrder(out_cc, env).c_str(),
+				DataTypeStr().c_str(), 
+				data.ptr_expr());
+#endif
+			break;
+		}
+	}
+
diff --git a/aux/binpac/src/pac_btype.h b/aux/binpac/src/pac_btype.h
new file mode 100644
index 0000000000..4bdbf9390b
--- /dev/null
+++ b/aux/binpac/src/pac_btype.h
@@ -0,0 +1,52 @@
+#ifndef pac_btype_h
+#define pac_btype_h
+
+#include "pac_type.h"
+
+class BuiltInType : public Type
+{
+public:
+	enum BITType {
+#		define TYPE_DEF(name, pactype, ctype, size)	name,
+#		include "pac_type.def"
+#		undef TYPE_DEF
+	};
+
+	static int LookUpByName(const char *name);
+
+	BuiltInType(BITType bit_type)
+		: Type(bit_type == BuiltInType::EMPTY ? Type::EMPTY : BUILTIN),
+		  bit_type_(bit_type) {}
+
+	BITType bit_type() const	{ return bit_type_; }
+
+	bool IsNumericType() const;
+
+	bool DefineValueVar() const;
+	string DataTypeStr() const;
+	string DefaultValue() const	{ return "0"; }
+
+	int StaticSize(Env *env) const;
+
+	bool IsPointerType() const	{ return false; }
+
+	bool ByteOrderSensitive() const { return StaticSize(0) >= 2; }
+
+	void GenInitCode(Output *out_cc, Env *env);
+
+	void DoMarkIncrementalInput();
+
+protected:
+	void DoGenParseCode(Output *out, Env *env, const DataPtr& data, int flags);
+	void GenDynamicSize(Output *out, Env *env, const DataPtr& data);
+	Type *DoClone() const;
+
+	BITType bit_type_;
+
+public:
+	static void static_init();
+	static bool CompatibleBuiltInTypes(BuiltInType *type1, 
+	                                   BuiltInType *type2);
+};
+
+#endif  // pac_btype_h
diff --git a/aux/binpac/src/pac_case.cc b/aux/binpac/src/pac_case.cc
new file mode 100644
index 0000000000..b809d61b6e
--- /dev/null
+++ b/aux/binpac/src/pac_case.cc
@@ -0,0 +1,391 @@
+#include "pac_exception.h"
+#include "pac_expr.h"
+#include "pac_exttype.h"
+#include "pac_id.h"
+#include "pac_output.h"
+#include "pac_typedecl.h"
+#include "pac_utils.h"
+
+#include "pac_case.h"
+
+CaseType::CaseType(Expr* index_expr, CaseFieldList* cases)
+	: Type(CASE), index_expr_(index_expr), cases_(cases) 
+	{
+	index_var_ = 0;
+	foreach(i, CaseFieldList, cases_)
+		AddField(*i);
+	}
+
+CaseType::~CaseType()
+	{
+	delete index_var_;
+	delete index_expr_;
+	delete cases_;
+	}
+
+void CaseType::AddCaseField(CaseField *f)
+	{
+	// All fields must be added before Prepare()
+	ASSERT(!env());
+
+	AddField(f);
+	cases_->push_back(f);
+	}
+
+bool CaseType::DefineValueVar() const
+	{
+	return false;
+	}
+
+string CaseType::DataTypeStr() const
+	{
+	ASSERT(type_decl());
+	return strfmt("%s *", type_decl()->class_name().c_str());
+	}
+
+Type *CaseType::ValueType() const
+	{
+	foreach (i, CaseFieldList, cases_)
+		{
+		CaseField *c = *i;
+		return c->type();
+		}
+	ASSERT(0);
+	return 0;
+	}
+
+string CaseType::DefaultValue() const
+	{
+	return ValueType()->DefaultValue();
+	}
+
+void CaseType::Prepare(Env* env, int flags)
+	{
+	ASSERT(flags & TO_BE_PARSED);
+
+	index_var_ = new ID(fmt("%s_case_index", value_var()->Name()));
+	env->AddID(index_var_, MEMBER_VAR, extern_type_int);
+
+	// Sort the cases_ to put the default case at the end of the list
+	CaseFieldList::iterator default_case_it = 
+		cases_->end(); // to avoid warning
+	CaseField *default_case = 0;
+
+	foreach (i, CaseFieldList, cases_)
+		{
+		CaseField *c = *i;
+		if ( ! c->index() )
+			{
+			if ( default_case )
+				throw Exception(c, "duplicate default case");
+			default_case_it = i;
+			default_case = c;
+			}
+		}
+	if ( default_case )
+		{
+		cases_->erase(default_case_it);
+		cases_->push_back(default_case);
+		}
+
+	foreach (i, CaseFieldList, cases_)
+		{
+		CaseField *c = *i;
+		c->set_index_var(index_var_);
+		c->set_case_type(this);
+		}
+
+	Type::Prepare(env, flags);
+	}
+
+void CaseType::GenPrivDecls(Output* out_h, Env* env)
+	{
+	out_h->println("int %s;", env->LValue(index_var_));
+	Type::GenPrivDecls(out_h, env);
+	}
+
+void CaseType::GenPubDecls(Output* out_h, Env* env)
+	{
+	out_h->println("int %s const	{ return %s; }",
+		env->RValue(index_var_), env->LValue(index_var_));
+	Type::GenPubDecls(out_h, env);
+	}
+
+void CaseType::GenInitCode(Output* out_cc, Env* env)
+	{
+	out_cc->println("%s = -1;", env->LValue(index_var_));
+	Type::GenInitCode(out_cc, env);
+	}
+
+void CaseType::GenCleanUpCode(Output* out_cc, Env* env)
+	{
+	Type::GenCleanUpCode(out_cc, env);
+
+	env->set_in_branch(true);
+	out_cc->println("switch ( %s )", env->RValue(index_var_));
+	out_cc->inc_indent();
+	out_cc->println("{");
+	foreach (i, CaseFieldList, cases_)
+		{
+		CaseField *c = *i;
+		c->GenCleanUpCode(out_cc, env);
+		}
+	out_cc->println("}");
+	out_cc->dec_indent();
+	env->set_in_branch(false);
+	}
+
+void CaseType::DoGenParseCode(Output* out_cc, Env* env,
+		const DataPtr& data, int flags)
+	{
+	if ( StaticSize(env) >= 0 )
+		GenBoundaryCheck(out_cc, env, data);
+
+	bool compute_size_var = false;
+
+	if ( ! incremental_input() )
+		compute_size_var = AddSizeVar(out_cc, env);
+
+	out_cc->println("%s = %s;", 
+		env->LValue(index_var_), index_expr_->EvalExpr(out_cc, env));
+	env->SetEvaluated(index_var_);
+	
+	env->set_in_branch(true);
+	out_cc->println("switch ( %s )", env->RValue(index_var_));
+	out_cc->inc_indent();
+	out_cc->println("{");
+	bool has_default_case = false;
+	foreach (i, CaseFieldList, cases_)
+		{
+		CaseField *c = *i;
+		c->GenParseCode(out_cc, env, data, 
+			compute_size_var ? size_var() : 0);
+		if ( c->IsDefaultCase() )
+			has_default_case = true;
+		}
+
+	if ( ! has_default_case )
+		{
+		out_cc->println("default:");
+		out_cc->inc_indent();
+		out_cc->println("throw ExceptionInvalidCaseIndex(\"%s\", %s);", 
+			decl_id()->Name(), env->RValue(index_var_));
+		out_cc->println("break;");
+		out_cc->dec_indent();
+		}
+	out_cc->println("}");
+	out_cc->dec_indent();
+	env->set_in_branch(false);
+
+	if ( compute_size_var )
+		env->SetEvaluated(size_var());
+	}
+
+void CaseType::GenDynamicSize(Output* out_cc, Env* env,
+		const DataPtr& data)
+	{
+	GenParseCode(out_cc, env, data, 0);
+	}
+
+int CaseType::StaticSize(Env* env) const
+	{
+	int static_w = -1;
+	foreach (i, CaseFieldList, cases_)
+		{
+		CaseField *c = *i;
+		int w = c->StaticSize(env);
+		if ( w < 0 || ( static_w >= 0 && w != static_w ) )
+			return -1;
+		static_w = w;
+		}
+	return static_w;
+	}
+
+void CaseType::SetBoundaryChecked()
+	{
+	Type::SetBoundaryChecked();
+	foreach (i, CaseFieldList, cases_)
+		{
+		CaseField *c = *i;
+		c->SetBoundaryChecked();
+		}
+	}
+
+void CaseType::DoMarkIncrementalInput()
+	{
+	foreach (i, CaseFieldList, cases_)
+		{
+		CaseField *c = *i;
+		c->type()->MarkIncrementalInput();
+		}
+	}
+
+bool CaseType::ByteOrderSensitive() const
+	{
+	foreach (i, CaseFieldList, cases_)
+		{
+		CaseField *c = *i;
+		if ( c->RequiresByteOrder() )
+			return true;
+		}
+	return false;
+	}
+
+CaseField::CaseField(ExprList* index, ID* id, Type* type)
+	: Field(CASE_FIELD, 
+		TYPE_TO_BE_PARSED | CLASS_MEMBER | PUBLIC_READABLE, 
+		id, type), 
+	  index_(index)
+	{
+	ASSERT(type_);
+	type_->set_value_var(id, MEMBER_VAR);
+	case_type_ = 0;
+	}
+
+CaseField::~CaseField()
+	{
+	delete_list(ExprList, index_);
+	}
+
+void GenCaseStr(ExprList *index_list, Output *out_cc, Env *env)
+	{
+	if ( index_list )
+		{
+		foreach(i, ExprList, index_list)
+			{
+			Expr *index_expr = *i;
+			int index_const;
+			
+			if ( ! index_expr->ConstFold(env, &index_const) )
+				throw ExceptionNonConstExpr(index_expr);
+			out_cc->println("case %d:", index_const);
+			}
+		}
+	else
+		{
+		out_cc->println("default:");
+		}
+	}
+
+void CaseField::Prepare(Env* env)
+	{
+	ASSERT(index_var_);
+	Field::Prepare(env);
+	}
+
+void CaseField::GenPubDecls(Output* out_h, Env* env)
+	{
+	if ( ! ((flags_ & PUBLIC_READABLE) && (flags_ & CLASS_MEMBER)) )
+		return;
+
+	// Skip type "empty"
+	if ( type_->DataTypeStr().empty() )
+		return;
+
+	out_h->println("%s %s const",
+		type_->DataTypeConstRefStr().c_str(), env->RValue(id_));
+
+	out_h->inc_indent();
+	out_h->println("{");
+
+	if ( ! index_ )
+		out_h->println("return %s;", lvalue());
+	else
+		{
+		out_h->println("switch ( %s )", env->RValue(index_var_));
+		out_h->inc_indent();
+		out_h->println("{");
+		GenCaseStr(index_, out_h, env);
+		out_h->inc_indent();
+		out_h->println("break;  // OK");
+		out_h->dec_indent();
+
+		out_h->println("default:");
+		out_h->inc_indent();
+		out_h->println("throw ExceptionInvalidCase(\"%s\", %s, \"%s\");", 
+		               id_->LocName(), 
+		               env->RValue(index_var_), 
+		               OrigExprList(index_).c_str());
+		out_h->println("break;");
+		out_h->dec_indent();
+
+		out_h->println("}");
+		out_h->dec_indent();
+
+		out_h->println("return %s;", lvalue());
+		}
+
+	out_h->println("}");
+	out_h->dec_indent();
+	}
+
+void CaseField::GenInitCode(Output* out_cc, Env* env)
+	{
+	// GenCaseStr(index_, out_cc, env);
+	// out_cc->inc_indent();
+	// out_cc->println("{");
+	// out_cc->println("// Initialize \"%s\"", id_->Name());
+	type_->GenInitCode(out_cc, env);
+	// out_cc->println("}");
+	// out_cc->println("break;");
+	// out_cc->dec_indent();
+	}
+
+void CaseField::GenCleanUpCode(Output* out_cc, Env* env)
+	{
+	GenCaseStr(index_, out_cc, env);
+	out_cc->inc_indent();
+	out_cc->println("// Clean up \"%s\"", id_->Name());
+	out_cc->println("{");
+	if ( ! anonymous_field() )
+		type_->GenCleanUpCode(out_cc, env);
+	out_cc->println("}");
+	out_cc->println("break;");
+	out_cc->dec_indent();
+	}
+
+void CaseField::GenParseCode(Output* out_cc, Env* env, 
+		const DataPtr& data, const ID* size_var)
+	{
+	GenCaseStr(index_, out_cc, env);
+	out_cc->inc_indent();
+	out_cc->println("// Parse \"%s\"", id_->Name());
+	out_cc->println("{");
+	
+	{
+	Env case_env(env, this);
+	Env *env = &case_env;
+
+	type_->GenPreParsing(out_cc, env);
+	type_->GenParseCode(out_cc, env, data, 0);
+	if ( size_var )
+		{
+		out_cc->println("%s = %s;", 
+			env->LValue(size_var),
+			type_->DataSize(out_cc, env, data).c_str());
+		}
+	if ( type_->incremental_input() )
+		{
+		ASSERT(case_type()->parsing_complete_var());
+		out_cc->println("%s = %s;", 
+			env->LValue(case_type()->parsing_complete_var()),
+			env->RValue(type_->parsing_complete_var()));
+		}
+	out_cc->println("}");
+	}
+
+	out_cc->println("break;");
+	out_cc->dec_indent();
+	}
+
+bool CaseField::DoTraverse(DataDepVisitor *visitor)
+	{ 
+	return Field::DoTraverse(visitor) &&
+	       type()->Traverse(visitor); 
+	}
+
+bool CaseField::RequiresAnalyzerContext() const 
+	{ 
+	return Field::RequiresAnalyzerContext() ||
+	       type()->RequiresAnalyzerContext(); 
+	}
diff --git a/aux/binpac/src/pac_case.h b/aux/binpac/src/pac_case.h
new file mode 100644
index 0000000000..c9e416cfe1
--- /dev/null
+++ b/aux/binpac/src/pac_case.h
@@ -0,0 +1,99 @@
+#ifndef pac_case_h
+#define pac_case_h
+
+#include "pac_common.h"
+#include "pac_field.h"
+#include "pac_id.h"
+#include "pac_type.h"
+
+class CaseType : public Type
+{
+public:
+	CaseType(Expr *index, CaseFieldList *cases);
+	~CaseType();
+
+	void AddCaseField(CaseField *f);
+
+	bool DefineValueVar() const;
+	string DataTypeStr() const;
+	string DefaultValue() const;
+
+	void Prepare(Env *env, int flags);
+
+	void GenPubDecls(Output *out, Env *env);
+	void GenPrivDecls(Output *out, Env *env);
+
+	void GenInitCode(Output *out, Env *env);
+	void GenCleanUpCode(Output *out, Env *env);
+
+	int StaticSize(Env *env) const;
+
+	void SetBoundaryChecked();
+
+	Type *ValueType() const;
+
+	bool IsPointerType() const	{ return ValueType()->IsPointerType(); }
+
+protected:
+	void DoGenParseCode(Output *out, Env *env, const DataPtr& data, int flags);
+	void GenDynamicSize(Output *out, Env *env, const DataPtr& data);
+	Type *DoClone() const 	{ return 0; }
+	void DoMarkIncrementalInput();
+
+	bool ByteOrderSensitive() const;
+
+	Expr *index_expr_;
+	ID *index_var_;
+	CaseFieldList *cases_;
+
+	typedef map<const ID*, CaseField*, ID_ptr_cmp> member_map_t;
+	member_map_t member_map_;
+};
+
+class CaseField : public Field
+{
+public:
+	CaseField(ExprList *index, ID *id, Type *type);
+	~CaseField();
+
+	CaseType *case_type() const	{ return case_type_; }
+	void set_case_type(CaseType *t)	{ case_type_ = t; }
+
+	ExprList *index() const		{ return index_; }
+
+	const char *lvalue() const	{ return type_->lvalue(); }
+
+	const char *CaseStr(Env *env);
+	void set_index_var(const ID *var) { index_var_ = var; }
+	
+	void Prepare(Env *env);
+
+	void GenPubDecls(Output *out, Env *env);
+
+	void GenInitCode(Output *out, Env *env);
+	void GenCleanUpCode(Output *out, Env *env);
+	void GenParseCode(Output *out, Env *env, 
+		const DataPtr& data, const ID *size_var);
+
+	int StaticSize(Env *env) const 	{ return type_->StaticSize(env); }
+
+	bool IsDefaultCase() const	{ return ! index_; }
+	void SetBoundaryChecked()	{ type_->SetBoundaryChecked(); }
+
+	bool RequiresByteOrder() const	{ return type_->RequiresByteOrder(); }
+	bool RequiresAnalyzerContext() const;
+
+protected:
+	bool DoTraverse(DataDepVisitor *visitor);
+
+protected:
+	CaseType *case_type_;
+	ExprList *index_;
+	const ID *index_var_;
+};
+
+// Generate a list of "case X:" lines from index_list. Each index
+// expression must be constant foldable.
+void GenCaseStr(ExprList *index_list, Output *out_cc, Env *env);
+
+#endif  // pac_case_h
diff --git a/aux/binpac/src/pac_cclass.h b/aux/binpac/src/pac_cclass.h
new file mode 100644
index 0000000000..87a7595996
--- /dev/null
+++ b/aux/binpac/src/pac_cclass.h
@@ -0,0 +1,81 @@
+#ifndef pac_cclass_h
+#define pac_cclass_h
+
+class CClass;
+class CClassMember;
+class CClassMethod;
+class CType;
+class CVariable;
+
+typedef vector<CClassMember *> CClassMemberList;
+typedef vector<CClassMethod *> CClassMethodList;
+typedef vector<CVariable *> CVariableList;
+
+#include "pac_common.h"
+
+// Represents a C++ class.
+// 
+// For now we adopt a simple model:
+// 
+// 1. All members have a protected member variable "name_" and a
+// public constant access method "name()".
+// 
+// 2. All methods are public.
+//
+// 3. We do not check repeated names.
+
+class CClass
+{
+public:
+	CClass(const string &class_name);
+
+	void AddMember(CClassMember *member);
+	void AddMethod(CClassMember *method);
+
+	void GenForwardDeclaration(Output *out_h);
+	void GenCode(Output *out_h, Output *out_cc);
+
+protected:
+	string class_name_;
+	CClassMemberList *members_;
+	CClassMethodList *methods_;
+};
+
+class CVariable
+{
+public:
+	CClassMember(const string &name, CType *type);
+
+	string name() const { return name_; }
+	CType *type() const { return type_; }
+
+protected:
+	string name_;
+	CType *type_;
+};
+
+class CClassMember
+{
+public:
+	CClassMember(CVariable *var);
+	void GenCode(Output *out_h, Output *out_cc);
+
+	string decl() const;
+
+protected:
+	CVariable *var_;
+};
+
+class CClassMethod
+{
+public:
+	CClassMethod(CVariable *var, CVariableList *params);
+
+	string decl() const;
+
+protected:
+	CVariable *var_;
+	CVariableList *params_;
+};
+
+#endif  // pac_cclass_h
diff --git a/aux/binpac/src/pac_common.h b/aux/binpac/src/pac_common.h
new file mode 100644
index 0000000000..81e59c184e
--- /dev/null
+++ b/aux/binpac/src/pac_common.h
@@ -0,0 +1,134 @@
+#ifndef pac_common_h
+#define pac_common_h
+
+#include "pac_utils.h"
+
+#include <vector>
+
+#include <ctype.h>
+#include <string.h>
+#include <stdlib.h>
+
+using namespace std;
+
+extern bool FLAGS_pac_debug;
+extern vector<string> FLAGS_include_directories;
+extern string input_filename;
+extern int line_number;
+
+// Definition of class Object, which is the base class for all objects
+// representing language elements -- identifiers, types, expressions,
+// etc.
+
+class Object
+{
+public:
+	Object()
+		{
+		filename = input_filename;
+		line_num = line_number;
+		location = strfmt("%s:%d", filename.c_str(), line_number);
+		}
+
+	~Object()
+		{
+		}
+
+	const char* Location() const	{ return location.c_str(); }
+
+protected:
+	string filename;
+	int line_num;
+	string location;
+};
+
+class ActionParam;
+class ActionParamType;
+class AnalyzerAction;
+class AnalyzerContextDecl;
+class AnalyzerDecl;
+class AnalyzerElement;
+class ArrayType;
+class Attr;
+class CClass;
+class CType;
+class ConstString;
+class CaseExpr;
+class CaseField;
+class ContextField;
+class DataPtr;
+class Decl;
+class EmbeddedCode;
+class Enum;
+class Env;
+class ExternType;
+class Expr;
+class Field;
+class Function;
+class InputBuffer;
+class LetDef;
+class LetField;
+class ID;
+class Number;
+class Output;
+class PacPrimitive;
+class Param;
+class ParameterizedType;
+class RecordType;
+class RecordField;
+class RecordDataField;
+class RecordPaddingField;
+class RegEx;
+class SeqEnd;
+class StateVar;
+class Type;
+class TypeDecl;
+class WithInputField;
+
+// The ID of the current declaration.
+extern const ID* current_decl_id;
+
+typedef vector<ActionParam*>		ActionParamList;
+typedef vector<AnalyzerAction*> 	AnalyzerActionList;
+typedef vector<AnalyzerElement*>	AnalyzerElementList;
+typedef vector<Attr*> 			AttrList;
+typedef vector<CaseExpr*> 		CaseExprList;
+typedef vector<CaseField*> 		CaseFieldList;
+typedef vector<ContextField*> 		ContextFieldList;
+typedef vector<Decl*> 			DeclList;
+typedef vector<Enum*>			EnumList;
+typedef vector<Expr*> 			ExprList;
+typedef vector<Field*> 			FieldList;
+typedef vector<LetField*> 		LetFieldList;
+typedef vector<Number*>			NumList;
+typedef vector<Param*> 			ParamList;
+typedef vector<RecordField*> 		RecordFieldList;
+typedef vector<StateVar*>		StateVarList;
+
+#define foreach(i, ct, pc) \
+	if ( pc ) \
+		for ( ct::iterator i = (pc)->begin(); i != (pc)->end(); ++i )
+
+#define delete_list(ct, pc) \
+	{ \
+	foreach(delete_list_i, ct, pc) 		\
+		delete *delete_list_i;		\
+	delete pc;				\
+	pc = 0;					\
+	}
+
+// Constants
+const char * const kComputeFrameLength = "compute_frame_length";
+const char * const kFlowBufferClass = "FlowBuffer";
+const char * const kFlowBufferVar = "flow_buffer";
+const char * const kFlowEOF = "FlowEOF";
+const char * const kFlowGap = "NewGap";
+const char * const kInitialBufferLengthFunc = "initial_buffer_length";
+const char * const kNeedMoreData = "need_more_data";
+const char * const kNewData = "NewData";
+const char * const kParseFuncWithBuffer = "ParseBuffer";
+const char * const kParseFuncWithoutBuffer = "Parse";
+const char * const kRefCountClass = "binpac::RefCount";
+const char * const kTypeWithLengthClass = "binpac::TypeWithLength";
+
+#endif  // pac_common_h
diff --git a/aux/binpac/src/pac_conn.cc b/aux/binpac/src/pac_conn.cc
new file mode 100644
index 0000000000..d9159cae5a
--- /dev/null
+++ b/aux/binpac/src/pac_conn.cc
@@ -0,0 +1,169 @@
+#include "pac_analyzer.h"
+#include "pac_dataunit.h"
+#include "pac_embedded.h"
+#include "pac_exception.h"
+#include "pac_expr.h"
+#include "pac_flow.h"
+#include "pac_output.h"
+#include "pac_paramtype.h"
+#include "pac_type.h"
+
+#include "pac_conn.h"
+
+ConnDecl::ConnDecl(ID *conn_id, 
+                   ParamList *params,
+                   AnalyzerElementList *elemlist)
+	: AnalyzerDecl(conn_id, CONN, params)
+	{
+	flows_[0] = flows_[1] = 0;
+	AddElements(elemlist);
+	data_type_ = new ParameterizedType(conn_id->clone(), 0);
+	}
+
+ConnDecl::~ConnDecl()
+	{
+	delete flows_[0];
+	delete flows_[1];
+	}
+
+void ConnDecl::AddBaseClass(vector<string> *base_classes) const
+	{
+	base_classes->push_back("binpac::ConnectionAnalyzer"); 
+	} 
+
+void ConnDecl::ProcessFlowElement(AnalyzerFlow *flow_elem)
+	{
+	int flow_index;
+
+	if ( flow_elem->dir() == AnalyzerFlow::UP )
+		flow_index = 0;
+	else
+		flow_index = 1;
+
+	if ( flows_[flow_index] )
+		{
+		throw Exception(flow_elem,
+		                fmt("%sflow already defined", 
+		                    flow_index == 0 ? "up" : "down"));
+		}
+
+	flows_[flow_index] = flow_elem;
+	type_->AddField(flow_elem->flow_field());
+	}
+
+void ConnDecl::ProcessDataUnitElement(AnalyzerDataUnit *dataunit_elem)
+	{
+	throw Exception(
+		dataunit_elem, 
+		"dataunit should be defined in only a flow declaration");
+	}
+
+void ConnDecl::Prepare()
+	{
+	AnalyzerDecl::Prepare();
+
+	flows_[0]->flow_decl()->set_conn_decl(this);
+	flows_[1]->flow_decl()->set_conn_decl(this);
+	}
+
+void ConnDecl::GenPubDecls(Output *out_h, Output *out_cc)
+	{
+	AnalyzerDecl::GenPubDecls(out_h, out_cc);
+	}
+
+void ConnDecl::GenPrivDecls(Output *out_h, Output *out_cc)
+	{
+	AnalyzerDecl::GenPrivDecls(out_h, out_cc);
+	}
+
+void ConnDecl::GenEOFFunc(Output *out_h, Output *out_cc)
+	{
+	string proto = strfmt("%s(bool is_orig)", kFlowEOF);
+
+	out_h->println("void %s;", proto.c_str());
+
+	out_cc->println("void %s::%s", class_name().c_str(), proto.c_str());
+	out_cc->inc_indent();
+	out_cc->println("{");
+
+	out_cc->println("if ( is_orig )");
+	out_cc->inc_indent();
+	out_cc->println("%s->%s();",
+	                env_->LValue(upflow_id),
+	                kFlowEOF);
+	out_cc->dec_indent();
+	out_cc->println("else");
+	out_cc->inc_indent();
+	out_cc->println("%s->%s();",
+	                env_->LValue(downflow_id),
+	                kFlowEOF);
+
+	foreach(i, AnalyzerHelperList, eof_helpers_)
+		{
+		(*i)->GenCode(0, out_cc, this);
+		}
+
+	out_cc->dec_indent();
+	
+	out_cc->println("}");
+	out_cc->dec_indent();
+	out_cc->println("");
+	}
+
+void ConnDecl::GenGapFunc(Output *out_h, Output *out_cc)
+	{
+	string proto = strfmt("%s(bool is_orig, int gap_length)", kFlowGap);
+
+	out_h->println("void %s;", proto.c_str());
+
+	out_cc->println("void %s::%s", class_name().c_str(), proto.c_str());
+	out_cc->inc_indent();
+	out_cc->println("{");
+
+	out_cc->println("if ( is_orig )");
+	out_cc->inc_indent();
+	out_cc->println("%s->%s(gap_length);",
+	                env_->LValue(upflow_id),
+	                kFlowGap);
+	out_cc->dec_indent();
+	out_cc->println("else");
+	out_cc->inc_indent();
+	out_cc->println("%s->%s(gap_length);",
+	                env_->LValue(downflow_id),
+	                kFlowGap);
+	out_cc->dec_indent();
+	
+	out_cc->println("}");
+	out_cc->dec_indent();
+	out_cc->println("");
+	}
+
+void ConnDecl::GenProcessFunc(Output *out_h, Output *out_cc)
+	{
+	string proto = 
+		strfmt("%s(bool is_orig, const_byteptr begin, const_byteptr end)",
+		       kNewData);
+
+	out_h->println("void %s;", proto.c_str());
+
+	out_cc->println("void %s::%s", class_name().c_str(), proto.c_str());
+	out_cc->inc_indent();
+	out_cc->println("{");
+
+	out_cc->println("if ( is_orig )");
+	out_cc->inc_indent();
+	out_cc->println("%s->%s(begin, end);",
+	                env_->LValue(upflow_id),
+	                kNewData);
+	out_cc->dec_indent();
+	out_cc->println("else");
+	out_cc->inc_indent();
+	out_cc->println("%s->%s(begin, end);",
+	                env_->LValue(downflow_id),
+	                kNewData);
+	out_cc->dec_indent();
+	
+	out_cc->println("}");
+	out_cc->dec_indent();
+	out_cc->println("");
+	}
diff --git a/aux/binpac/src/pac_conn.h b/aux/binpac/src/pac_conn.h
new file mode 100644
index 0000000000..0247bf7f7b
--- /dev/null
+++ b/aux/binpac/src/pac_conn.h
@@ -0,0 +1,34 @@
+#ifndef pac_conn_h
+#define pac_conn_h
+
+#include "pac_decl.h"
+#include "pac_analyzer.h"
+
+class ConnDecl : public AnalyzerDecl
+{
+public:
+	ConnDecl(ID *conn_id, ParamList *params, AnalyzerElementList *elemlist);
+	~ConnDecl();
+
+	void Prepare();
+
+	Type* DataType() const	{ return data_type_; }
+
+protected:
+	void AddBaseClass(vector<string> *base_classes) const;
+
+	void GenProcessFunc(Output *out_h, Output *out_cc);
+	void GenGapFunc(Output *out_h, Output *out_cc);
+	void GenEOFFunc(Output *out_h, Output *out_cc);
+
+	void GenPubDecls(Output *out_h, Output *out_cc);
+	void GenPrivDecls(Output *out_h, Output *out_cc);
+
+	void ProcessFlowElement(AnalyzerFlow *flow_elem);
+	void ProcessDataUnitElement(AnalyzerDataUnit *dataunit_elem);
+
+	AnalyzerFlow *flows_[2];
+	Type *data_type_;
+};
+
+#endif  // pac_conn_h
diff --git a/aux/binpac/src/pac_context.cc b/aux/binpac/src/pac_context.cc
new file mode 100644
index 0000000000..94e4c4ce47
--- /dev/null
+++ b/aux/binpac/src/pac_context.cc
@@ -0,0 +1,120 @@
+#include "pac_analyzer.h"
+#include "pac_exception.h"
+#include "pac_exttype.h"
+#include "pac_flow.h"
+#include "pac_id.h"
+#include "pac_output.h"
+#include "pac_param.h"
+#include "pac_paramtype.h"
+#include "pac_type.h"
+#include "pac_utils.h"
+
+#include "pac_context.h"
+
+ContextField::ContextField(ID *id, Type *type)
+	: Field(CONTEXT_FIELD, 
+		TYPE_NOT_TO_BE_PARSED | CLASS_MEMBER | PUBLIC_READABLE, 
+		id, type)
+	{
+	}
+
+AnalyzerContextDecl *AnalyzerContextDecl::current_analyzer_context_ = 0;
+
+namespace {
+	ParamList *ContextFieldsToParams(ContextFieldList *context_fields)
+		{
+		// Convert context fields to parameters
+		ParamList *params = new ParamList();
+		foreach(i, ContextFieldList, context_fields)
+			{
+			ContextField *f = *i;
+			params->push_back(
+				new Param(f->id()->clone(), 
+				f->type()));
+			}
+		return params;
+		}
+} // namespace private
+
+AnalyzerContextDecl::AnalyzerContextDecl(
+		ID *id, 
+		ContextFieldList *context_fields)
+	: TypeDecl(new ID(fmt("Context%s", id->Name())), 
+		ContextFieldsToParams(context_fields), 
+		new DummyType())
+	{
+	context_name_id_ = id;
+	if ( current_analyzer_context_ != 0 )
+		{
+		throw Exception(this, 
+		                fmt("multiple declaration of analyzer context; "
+		                    "the previous one is `%s'",
+		                    current_analyzer_context_->id()->Name()));
+		}
+	else
+		current_analyzer_context_ = this;
+
+	context_fields_ = context_fields;
+
+	param_type_ = new ParameterizedType(id_->clone(), 0);
+
+	flow_buffer_added_ = false;
+
+	DEBUG_MSG("Context type: %s\n", param_type()->class_name().c_str());
+	}
+
+AnalyzerContextDecl::~AnalyzerContextDecl()
+	{
+	delete context_name_id_;
+	delete_list(ContextFieldList, context_fields_);
+	}
+
+void AnalyzerContextDecl::GenForwardDeclaration(Output *out_h)
+	{
+	GenNamespaceBegin(out_h);
+	TypeDecl::GenForwardDeclaration(out_h);
+	}
+
+void AnalyzerContextDecl::GenCode(Output *out_h, Output *out_cc)
+	{
+	GenNamespaceBegin(out_h);
+	GenNamespaceBegin(out_cc);
+	TypeDecl::GenCode(out_h, out_cc);
+	}
+
+void AnalyzerContextDecl::GenNamespaceBegin(Output *out) const
+	{
+	out->println("namespace %s {", context_name_id()->Name());
+	}
+
+void AnalyzerContextDecl::GenNamespaceEnd(Output *out) const
+	{
+	out->println("} // namespace %s", context_name_id()->Name());
+	}
+
+void AnalyzerContextDecl::AddFlowBuffer()
+	{
+	if ( flow_buffer_added_ )
+		return;
+
+	AddParam(new Param(
+		new ID(kFlowBufferVar), 
+		FlowDecl::flow_buffer_type()->Clone()));
+
+	flow_buffer_added_ = true;
+	}
+
+string AnalyzerContextDecl::mb_buffer(Env *env)
+	{
+	// A hack. The orthodox way would be to build an Expr of
+	// context.flow_buffer_var, and then EvalExpr.
+	return fmt("%s->%s()", 
+		env->RValue(analyzer_context_id), 
+		kFlowBufferVar);
+	}
+
+Type *DummyType::DoClone() const
+	{
+	// Fields will be copied in Type::Clone().
+	return new DummyType();
+	}
diff --git a/aux/binpac/src/pac_context.h b/aux/binpac/src/pac_context.h
new file mode 100644
index 0000000000..29704e0b8d
--- /dev/null
+++ b/aux/binpac/src/pac_context.h
@@ -0,0 +1,97 @@
+#ifndef pac_context_h
+#define pac_context_h
+
+#include "pac_common.h"
+#include "pac_field.h"
+#include "pac_type.h"
+#include "pac_typedecl.h"
+
+// AnalyzerContext represents a cookie that an analyzer gives to
+// parse functions of various message types. The cookie is parsed
+// to every parse function (if necessary) as parameter 'binpac_context'.
+// 
+// The members of the cookie is declared through 'analyzer' declarations,
+// such as in:
+//
+// analyzer SunRPC withcontext {
+//        connection:     RPC_Conn;
+//        flow:           RPC_Flow;
+// };      
+//
+// The cookie usually contains the connection and flow in which 
+// the message appears, and the context information can be 
+// accessed as members of the cookie, such as 
+// ``binpac_context.connection''.
+
+class ContextField : public Field
+{
+public:
+	ContextField(ID *id, Type *type);
+};
+
+class AnalyzerContextDecl : public TypeDecl
+{
+public:
+	AnalyzerContextDecl(ID *id, ContextFieldList *context_fields);
+	~AnalyzerContextDecl();
+
+	void AddFlowBuffer();
+
+	const ID *context_name_id() const { return context_name_id_; }
+
+	// The type of analyzer context as a parameter
+	ParameterizedType *param_type() const { return param_type_; }
+
+	void GenForwardDeclaration(Output *out_h);
+	void GenCode(Output *out_h, Output *out_cc);
+
+	void GenNamespaceBegin(Output *out) const;
+	void GenNamespaceEnd(Output *out) const;
+
+private:
+	ID *context_name_id_;
+	ContextFieldList *context_fields_;
+	ParameterizedType *param_type_;
+	bool flow_buffer_added_;
+
+// static members
+public:
+	static AnalyzerContextDecl *current_analyzer_context()
+		{
+		return current_analyzer_context_;
+		}
+
+	static string mb_buffer(Env *env);
+
+private:
+	static AnalyzerContextDecl *current_analyzer_context_;
+};
+
+class DummyType : public Type 
+{
+public:
+	DummyType() : Type(DUMMY) {}
+
+	bool DefineValueVar() const 	{ return false; }
+	string DataTypeStr() const 	{ ASSERT(0); return ""; }
+
+	int StaticSize(Env* env) const 	{ ASSERT(0); return -1; }
+
+	bool ByteOrderSensitive() const { return false; }
+
+	bool IsPointerType() const 	{ ASSERT(0); return false; }
+
+	void DoGenParseCode(Output* out, Env* env,
+			const DataPtr& data, int flags)
+		{ ASSERT(0); }
+
+	// Generate code for computing the dynamic size of the type
+	void GenDynamicSize(Output* out, Env* env, const DataPtr& data)
+		{ ASSERT(0); }
+
+protected:
+	Type *DoClone()	const;
+	void DoMarkIncrementalInput()		{ ASSERT(0); }
+};
+
+#endif  // pac_context_h
diff --git a/aux/binpac/src/pac_cstr.cc b/aux/binpac/src/pac_cstr.cc
new file mode 100644
index 0000000000..2d41bf7d1b
--- /dev/null
+++ b/aux/binpac/src/pac_cstr.cc
@@ -0,0 +1,127 @@
+#include "pac_cstr.h"
+#include "pac_dbg.h"
+#include "pac_exception.h"
+
+namespace {
+
+class EscapeException
+{
+public:
+	explicit EscapeException(const string &s)
+		{
+		msg_ = s;
+		}
+
+	const string &msg() const	{ return msg_; }
+
+private:
+	string msg_;
+};
+
+// Copied from util.cc of Bro
+int expand_escape(const char*& s)
+	{
+	switch ( *(s++) ) {
+	case 'b': return '\b';
+	case 'f': return '\f';
+	case 'n': return '\n';
+	case 'r': return '\r';
+	case 't': return '\t';
+	case 'a': return '\a';
+	case 'v': return '\v';
+
+	case '0': case '1': case '2': case '3': case '4':
+	case '5': case '6': case '7':
+		{ // \<octal>{1,3}
+		--s;	// put back the first octal digit
+		const char* start = s;
+
+		// Don't increment inside loop control
+		// because if isdigit() is a macro it might
+		// expand into multiple increments ...
+
+		// Here we define a maximum length for escape sequence
+		// to allow easy handling of string like: "^H0" as
+		// "\0100".
+
+		for ( int len = 0; len < 3 && isascii(*s) && isdigit(*s); ++s, ++len)
+			;
+
+		int result;
+		if ( sscanf(start, "%3o", &result) != 1 )
+			{
+			throw EscapeException(fmt("bad octal escape: \"%s", start));
+			result = 0;
+			}
+
+		return result;
+		}
+
+	case 'x':
+		{ /* \x<hex> */
+		const char* start = s;
+
+		// Look at most 2 characters, so that "\x0ddir" -> "^Mdir".
+		for ( int len = 0; len < 2 && isascii(*s) && isxdigit(*s);
+		      ++s, ++len)
+			;
+
+		int result;
+		if ( sscanf(start, "%2x", &result) != 1 )
+			{
+			throw EscapeException(fmt("bad hexadecimal escape: \"%s", start));
+			result = 0;
+			}
+
+		return result;
+		}
+
+	default:
+		return s[-1];
+	}
+	}
+
+}  // private namespace
+
+ConstString::ConstString(const string &s)
+	: str_(s)
+	{
+	// Copied from scan.l of Bro
+	try 
+		{
+		const char* text = str_.c_str();
+		int len = strlen(text) + 1;
+		int i = 0;
+
+		char* s = new char[len];
+
+		// Skip leading quote.
+		for ( ++text; *text; ++text )
+			{
+			if ( *text == '\\' )
+				{
+				++text;	// skip '\'
+				s[i++] = expand_escape(text);
+				--text;	// point to end of sequence
+				}
+			else
+				{
+				s[i++] = *text;
+				}
+			}
+		ASSERT(i < len);
+
+		// Get rid of trailing quote.
+		ASSERT(s[i-1] == '"');
+		s[i-1] = '\0';
+
+		unescaped_ = s;
+		delete [] s;
+		}
+	catch(EscapeException const &e)
+		{
+		// Throw again with the object
+		throw Exception(this, e.msg().c_str());
+		}
+	}
+
diff --git a/aux/binpac/src/pac_cstr.h b/aux/binpac/src/pac_cstr.h
new file mode 100644
index 0000000000..d1faaf7604
--- /dev/null
+++ b/aux/binpac/src/pac_cstr.h
@@ -0,0 +1,23 @@
+#ifndef pac_cstr_h
+#define pac_cstr_h
+
+#include "pac_common.h"
+
+class ConstString : public Object
+{
+public:
+	ConstString(const string &s);
+
+	// The string in its escaped form, with surrounding '"'s
+	const string &str() const	{ return str_; }
+	const char *c_str() const	{ return str_.c_str(); }
+
+	// The unescaped string, without surrounding '"'s
+	const string &unescaped() const { return unescaped_; }
+
+private:
+	string str_;
+	string unescaped_;
+};
+
+#endif  // pac_cstr_h
diff --git a/aux/binpac/src/pac_ctype.cc b/aux/binpac/src/pac_ctype.cc
new file mode 100644
index 0000000000..cfde2f461b
--- /dev/null
+++ b/aux/binpac/src/pac_ctype.cc
@@ -0,0 +1,21 @@
+#include "pac_ctype.h"
+
+string CType::DeclareInstance(const string &var) const
+	{
+	return strfmt("%s %s", name().c_str(), var.c_str());
+	}
+
+string CType::DeclareConstReference(const string &var) const
+	{
+	return strfmt("%s const &%s", name().c_str(), var.c_str());
+	}
+
+string CType::DeclareConstPointer(const string &var) const
+	{
+	return strfmt("%s const *%s", name().c_str(), var.c_str());
+	}
+
+string CType::DeclarePointer(const string &var) const
+	{
+	return strfmt("%s *%s", name().c_str(), var.c_str());
+	}
diff --git a/aux/binpac/src/pac_ctype.h b/aux/binpac/src/pac_ctype.h
new file mode 100644
index 0000000000..aebbc34d6a
--- /dev/null
+++ b/aux/binpac/src/pac_ctype.h
@@ -0,0 +1,23 @@
+#ifndef pac_ctype_h
+#define pac_ctype_h
+
+#include "pac_common.h"
+
+// Represents a C++ type
+class CType
+{
+public:
+	CType(const string &name);
+
+	string name() const 	{ return name_; }
+
+	string DeclareInstance(const string &var) const;
+	string DeclareConstReference(const string &var) const;
+	string DeclareConstPointer(const string &var) const;
+	string DeclarePointer(const string &var) const;
+
+protected:
+	string name_;
+};
+
+#endif  // pac_ctype_h
diff --git a/aux/binpac/src/pac_datadep.cc b/aux/binpac/src/pac_datadep.cc
new file mode 100644
index 0000000000..8c43e0e106
--- /dev/null
+++ b/aux/binpac/src/pac_datadep.cc
@@ -0,0 +1,76 @@
+#include "pac_datadep.h"
+#include "pac_expr.h"
+#include "pac_id.h"
+#include "pac_type.h"
+
+DataDepElement::DataDepElement(DDE_Type type) 
+	: dde_type_(type), in_traversal(false)
+	{ 
+	}
+
+bool DataDepElement::Traverse(DataDepVisitor *visitor)
+	{
+	// Avoid infinite loop
+	if ( in_traversal )
+		return true;
+	if ( ! visitor->PreProcess(this) )
+		return false;
+
+	in_traversal = true;
+	bool cont = DoTraverse(visitor);
+	in_traversal = false;
+
+	if ( ! cont )
+		return false;
+	if ( ! visitor->PostProcess(this) )
+		return false;
+	return true;
+	}
+
+Expr *DataDepElement::expr()
+	{ 
+	return static_cast<Expr *>(this); 
+	}
+
+Type *DataDepElement::type()
+	{ 
+	return static_cast<Type *>(this); 
+	}
+
+bool RequiresAnalyzerContext::PreProcess(DataDepElement *element)
+	{
+	switch ( element->dde_type() ) 
+		{
+		case DataDepElement::EXPR:
+			ProcessExpr(element->expr());
+			break;
+		default:
+			break;
+		}
+
+	// Continue traversal until we know the answer is 'yes'
+	return ! requires_analyzer_context_;
+	}
+
+bool RequiresAnalyzerContext::PostProcess(DataDepElement *element)
+	{
+	return ! requires_analyzer_context_;
+	}
+
+void RequiresAnalyzerContext::ProcessExpr(Expr *expr)
+	{
+	if ( expr->expr_type() == Expr::EXPR_ID )
+		{
+		requires_analyzer_context_ = 
+			(requires_analyzer_context_ || 
+		       	 *expr->id() == *analyzer_context_id ||
+		       	 *expr->id() == *context_macro_id);
+		}
+	}
+
+bool RequiresAnalyzerContext::compute(DataDepElement *element)
+	{
+	RequiresAnalyzerContext visitor;
+	element->Traverse(&visitor);
+	return visitor.requires_analyzer_context_;
+	}
diff --git a/aux/binpac/src/pac_datadep.h b/aux/binpac/src/pac_datadep.h
new file mode 100644
index 0000000000..a45053fb01
--- /dev/null
+++ b/aux/binpac/src/pac_datadep.h
@@ -0,0 +1,71 @@
+#ifndef pac_datadep_h
+#define pac_datadep_h
+
+// To provide a way to traverse through the data dependency graph.
+// That is, to evaluate X, what must be evaluated.
+
+#include "pac_common.h"
+#include "pac_dbg.h"
+
+class DataDepVisitor;
+
+class DataDepElement {
+public:
+	enum DDE_Type {
+		ATTR,
+		CASEEXPR,
+		EXPR,
+		FIELD,
+		INPUT_BUFFER,
+		PARAM,
+		TYPE,
+	};
+
+	DataDepElement(DDE_Type type);
+	virtual ~DataDepElement() {}
+
+	// Returns whether to continue traversal
+	bool Traverse(DataDepVisitor *visitor);
+
+	// Returns whether to continue traversal
+	virtual bool DoTraverse(DataDepVisitor *visitor) = 0;
+
+	DDE_Type dde_type() const	{ return dde_type_; }
+	Expr *expr();
+	Type *type();
+
+protected:
+	DDE_Type dde_type_;
+	bool in_traversal;
+};
+
+class DataDepVisitor {
+public:
+	virtual ~DataDepVisitor() {}
+	// Returns whether to continue traversal
+	virtual bool PreProcess(DataDepElement *element) = 0;
+	virtual bool PostProcess(DataDepElement *element) = 0;
+};
+
+class RequiresAnalyzerContext : public DataDepVisitor {
+public:
+	RequiresAnalyzerContext() : requires_analyzer_context_(false) {}
+
+	// Returns whether to continue traversal
+	bool PreProcess(DataDepElement *element);
+	bool PostProcess(DataDepElement *element);
+
+	bool requires_analyzer_context() const
+		{
+		return requires_analyzer_context_;
+		}
+
+	static bool compute(DataDepElement *element);
+
+protected:
+	void ProcessExpr(Expr *expr);
+
+	bool requires_analyzer_context_;
+};
+
+#endif // pac_datadep_h
diff --git a/aux/binpac/src/pac_dataptr.cc b/aux/binpac/src/pac_dataptr.cc
new file mode 100644
index 0000000000..beac6997cb
--- /dev/null
+++ b/aux/binpac/src/pac_dataptr.cc
@@ -0,0 +1,66 @@
+#include "pac_exception.h"
+#include "pac_id.h"
+#include "pac_output.h"
+#include "pac_utils.h"
+
+#include "pac_dataptr.h"
+
+DataPtr::DataPtr(Env* env, const ID* id, const int offset)
+	: id_(id), offset_(offset)
+	{
+	if ( id_ )
+		{
+		if ( ! env->Evaluated(id_) )
+			throw ExceptionIDNotEvaluated(id_);
+
+		if ( offset_ == 0 )
+			ptr_expr_ = strfmt("%s", env->RValue(id_));
+		else
+			ptr_expr_ = strfmt("(%s + %d)", env->RValue(id_), offset_);
+		}
+	else
+		ptr_expr_ = "(null id)";
+	}
+
+int DataPtr::AbsOffset(const ID* base_ptr) const
+	{
+	return ( id() == base_ptr ) ? offset() : -1;
+	}
+
+char* DataPtr::AbsOffsetExpr(Env* env, const ID* base_ptr) const
+	{
+	if ( AbsOffset(base_ptr) >= 0 )
+		return nfmt("%d", offset());
+	else
+		return nfmt("(%s - %s)", ptr_expr(), env->RValue(base_ptr));
+	}
+
+void DataPtr::GenBoundaryCheck(Output* out_cc, Env* env,
+		const char* data_size, const char* data_name) const
+	{
+	ASSERT(id_);
+
+	out_cc->println("// Checking out-of-bound for \"%s\"", data_name);
+	out_cc->println("if ( %s + (%s) > %s )",
+		ptr_expr(),
+		data_size,
+		env->RValue(end_of_data));
+
+	out_cc->inc_indent(); 
+	out_cc->println("{");
+
+	char* data_offset = AbsOffsetExpr(env, begin_of_data); 
+
+	out_cc->println("// Handle out-of-bound condition");
+	out_cc->println("throw ExceptionOutOfBound(\"%s\",", data_name);
+	out_cc->println("	(%s) + (%s), ", 
+		data_offset, data_size);
+	out_cc->println("	(%s) - (%s));", 
+		env->RValue(end_of_data), env->RValue(begin_of_data));
+
+	delete [] data_offset;
+
+	out_cc->println("}");
+	out_cc->dec_indent(); 
+	}
+
diff --git a/aux/binpac/src/pac_dataptr.h b/aux/binpac/src/pac_dataptr.h
new file mode 100644
index 0000000000..602843ff56
--- /dev/null
+++ b/aux/binpac/src/pac_dataptr.h
@@ -0,0 +1,47 @@
+#ifndef pac_dataptr_h
+#define pac_dataptr_h
+
+#include <string>
+#include "pac_common.h"
+
+// A data pointer is represented by an data pointer variable
+// plus a constant offset.
+
+class DataPtr
+{
+public:
+	DataPtr(Env* env, const ID* arg_id, const int arg_off);
+
+	DataPtr const &operator=(DataPtr const &x)
+		{
+		id_ = x.id();
+		offset_ = x.offset();
+		ptr_expr_ = x.ptr_expr();
+
+		return *this;
+		}
+
+	const ID* id() const 	{ return id_; }
+	int offset() const 	{ return offset_; }
+
+	const char* ptr_expr() const
+		{
+		ASSERT(id_); 
+		return ptr_expr_.c_str(); 
+		}
+
+	int AbsOffset(const ID* base_ptr) const;
+	char* AbsOffsetExpr(Env* env, const ID* base_ptr) const;
+
+	void GenBoundaryCheck(Output* out, 
+                              Env* env, 
+                              const char* data_size, 
+                              const char* data_name) const;
+
+protected:
+	const ID* id_;
+	int offset_;
+	string ptr_expr_;
+};
+
+#endif  // pac_dataptr_h
diff --git a/aux/binpac/src/pac_dataunit.cc b/aux/binpac/src/pac_dataunit.cc
new file mode 100644
index 0000000000..2b7218963d
--- /dev/null
+++ b/aux/binpac/src/pac_dataunit.cc
@@ -0,0 +1,60 @@
+#include "pac_context.h"
+#include "pac_dataunit.h"
+#include "pac_output.h"
+#include "pac_paramtype.h"
+#include "pac_varfield.h"
+
+AnalyzerDataUnit::AnalyzerDataUnit(
+		DataUnitType type, 
+		ID *id, 
+		ExprList *type_params,
+		ExprList *context_params)
+	: AnalyzerElement(DATAUNIT),
+	  type_(type),
+	  id_(id),
+	  type_params_(type_params),
+	  context_params_(context_params) 
+	{
+	data_type_ = new ParameterizedType(id_, type_params_);
+	context_type_ = new ParameterizedType(
+		AnalyzerContextDecl::current_analyzer_context()->id()->clone(),
+		context_params_);
+
+	dataunit_var_field_ = new ParseVarField(
+		Field::CLASS_MEMBER,
+		dataunit_id->clone(),
+		data_type());
+	context_var_field_ = new PrivVarField(
+		analyzer_context_id->clone(),
+		context_type());
+	}
+
+AnalyzerDataUnit::~AnalyzerDataUnit()
+	{
+	delete dataunit_var_field_;
+	delete context_var_field_;
+	}
+
+void AnalyzerDataUnit::Prepare(Env *env)
+	{
+	dataunit_var_field_->Prepare(env);
+	context_var_field_->Prepare(env);
+	}
+
+void AnalyzerDataUnit::GenNewDataUnit(Output *out_cc, Env *env)
+	{
+	out_cc->println("%s = new %s(%s);",
+		env->LValue(dataunit_id),
+		data_type()->class_name().c_str(),
+		data_type()->EvalParameters(out_cc, env).c_str());
+	}
+
+void AnalyzerDataUnit::GenNewContext(Output *out_cc, Env *env)
+	{
+	out_cc->println("%s = new %s(%s);", 
+		env->LValue(analyzer_context_id),
+		context_type()->class_name().c_str(),
+		context_type()->EvalParameters(out_cc, env).c_str());
+	env->SetEvaluated(analyzer_context_id);
+	}
+
diff --git a/aux/binpac/src/pac_dataunit.h b/aux/binpac/src/pac_dataunit.h
new file mode 100644
index 0000000000..eb76378afa
--- /dev/null
+++ b/aux/binpac/src/pac_dataunit.h
@@ -0,0 +1,49 @@
+#ifndef pac_dataunit_h
+#define pac_dataunit_h
+
+#include "pac_analyzer.h"
+
+// The type and parameters of input data unit of a flow. For instance, the
+// data unit of a DCE/RPC flow is DCE_RPC_PDU.
+
+class AnalyzerDataUnit : public AnalyzerElement
+{
+public:
+	enum DataUnitType { DATAGRAM, FLOWUNIT };
+	AnalyzerDataUnit(
+		DataUnitType type, 
+		ID *id, 
+		ExprList *type_params, 
+		ExprList *context_params);
+	~AnalyzerDataUnit();
+
+	void Prepare(Env *env);
+
+	// Initializes dataunit_id
+	void GenNewDataUnit(Output *out_cc, Env *env);
+	// Initializes analyzer_context_id
+	void GenNewContext(Output *out_cc, Env *env);
+
+	DataUnitType type() const		{ return type_; }
+	const ID *id() const			{ return id_; }
+	ExprList *type_params() const		{ return type_params_; }
+	ExprList *context_params() const	{ return context_params_; }
+
+	ParameterizedType *data_type() const	{ return data_type_; }
+	ParameterizedType *context_type() const	{ return context_type_; }
+
+	Field *dataunit_var_field() const	{ return dataunit_var_field_; }
+	Field *context_var_field() const	{ return context_var_field_; }
+
+private:
+	DataUnitType type_;
+	ID *id_;
+	ExprList *type_params_;
+	ExprList *context_params_;
+	ParameterizedType *data_type_;
+	ParameterizedType *context_type_;
+	Field *dataunit_var_field_;
+	Field *context_var_field_;
+};
+
+#endif // pac_dataunit_h
diff --git a/aux/binpac/src/pac_dbg.h b/aux/binpac/src/pac_dbg.h
new file mode 100644
index 0000000000..bcd87639fb
--- /dev/null
+++ b/aux/binpac/src/pac_dbg.h
@@ -0,0 +1,14 @@
+/* $Id: pac_dbg.h 3265 2006-06-09 21:16:12Z rpang $ */
+
+#ifndef pac_dbg_h
+#define pac_dbg_h
+
+#include <assert.h>
+#include <stdio.h>
+
+extern bool FLAGS_pac_debug;
+
+#define ASSERT(x)	assert(x)
+#define DEBUG_MSG(x...)	if ( FLAGS_pac_debug ) fprintf(stderr, x)
+
+#endif /* pac_dbg_h */
diff --git a/aux/binpac/src/pac_decl-inl.h b/aux/binpac/src/pac_decl-inl.h
new file mode 100644
index 0000000000..97c369fa9f
--- /dev/null
+++ b/aux/binpac/src/pac_decl-inl.h
@@ -0,0 +1,6 @@
+#ifndef pac_decl_inl_h
+#define pac_decl_inl_h
+
+#include "pac_id.h"
+
+#endif  // pac_decl_inl_h
diff --git a/aux/binpac/src/pac_decl.cc b/aux/binpac/src/pac_decl.cc
new file mode 100644
index 0000000000..3c3ae95aa9
--- /dev/null
+++ b/aux/binpac/src/pac_decl.cc
@@ -0,0 +1,191 @@
+#include "pac_attr.h"
+#include "pac_context.h"
+#include "pac_dataptr.h"
+#include "pac_embedded.h"
+#include "pac_exception.h"
+#include "pac_expr.h"
+#include "pac_exttype.h"
+#include "pac_id.h"
+#include "pac_output.h"
+#include "pac_param.h"
+#include "pac_record.h"
+#include "pac_type.h"
+#include "pac_utils.h"
+
+#include "pac_decl.h"
+
+DeclList *Decl::decl_list_ = 0;
+Decl::DeclMap Decl::decl_map_;
+
+Decl::Decl(ID* id, DeclType decl_type)
+	: id_(id), decl_type_(decl_type), attrlist_(0)
+	{
+	decl_map_[id_] = this;
+	if ( ! decl_list_ )
+		decl_list_ = new DeclList();
+	decl_list_->push_back(this);
+
+	DEBUG_MSG("Finished Decl %s\n", id_->Name());
+
+	analyzer_context_ = 0;
+	}
+
+Decl::~Decl()
+	{
+	delete id_;
+	delete_list(AttrList, attrlist_);
+	}
+
+void Decl::AddAttrs(AttrList* attrs)
+	{
+	if ( ! attrs )
+		return;
+	if ( ! attrlist_ )
+		attrlist_ = new AttrList();
+	foreach ( i, AttrList, attrs )
+		{
+		attrlist_->push_back(*i);
+		ProcessAttr(*i);
+		}
+	}
+
+void Decl::ProcessAttr(Attr *attr)
+	{
+	throw Exception(attr, "unhandled attribute");
+	}
+
+void Decl::SetAnalyzerContext()
+	{
+	analyzer_context_ = 
+		AnalyzerContextDecl::current_analyzer_context();
+	if ( ! analyzer_context_ )
+		{
+		throw Exception(this, 
+		                "analyzer context not defined");
+		}
+	}
+
+void Decl::ProcessDecls(Output *out_h, Output *out_cc)
+	{
+	if ( ! decl_list_ )
+		return;
+
+	foreach(i, DeclList, decl_list_)
+		{
+		Decl *decl = *i;
+		current_decl_id = decl->id();
+		decl->Prepare();
+		}
+
+	foreach(i, DeclList, decl_list_)
+		{
+		Decl *decl = *i;
+		current_decl_id = decl->id();
+		decl->GenExternDeclaration(out_h);
+		}
+
+	out_h->println("namespace binpac {\n");
+	out_cc->println("namespace binpac {\n");
+
+	AnalyzerContextDecl *analyzer_context =
+		AnalyzerContextDecl::current_analyzer_context();
+
+	foreach(i, DeclList, decl_list_)
+		{
+		Decl *decl = *i;
+		current_decl_id = decl->id();
+		decl->GenForwardDeclaration(out_h);
+		}
+
+	if ( analyzer_context )
+		analyzer_context->GenNamespaceEnd(out_h);
+
+	out_h->println("");
+
+	foreach(i, DeclList, decl_list_)
+		{
+		Decl *decl = *i;
+		current_decl_id = decl->id();
+		decl->GenCode(out_h, out_cc);
+		}
+
+	if ( analyzer_context )
+		{
+		analyzer_context->GenNamespaceEnd(out_h);
+		analyzer_context->GenNamespaceEnd(out_cc);
+		}
+
+	out_h->println("}  // namespace binpac");
+	out_cc->println("}  // namespace binpac");
+	}
+
+Decl* Decl::LookUpDecl(const ID* id)
+	{
+	DeclMap::iterator it = decl_map_.find(id);
+	if ( it == decl_map_.end() )
+		return 0;
+	return it->second;
+	}
+
+int HelperDecl::helper_id_seq = 0;
+
+HelperDecl::HelperDecl(HelperType helper_type, 
+                       ID* context_id, 
+                       EmbeddedCode* code)
+ 	: Decl(new ID(fmt("helper_%d", ++helper_id_seq)), HELPER), 
+	  helper_type_(helper_type),
+	  context_id_(context_id),
+	  code_(code)
+	{
+	}
+
+HelperDecl::~HelperDecl()
+	{
+	delete context_id_;
+	delete code_;
+	}
+
+void HelperDecl::Prepare()
+	{
+	// Do nothing
+	}
+
+void HelperDecl::GenExternDeclaration(Output *out_h)
+	{
+	if ( helper_type_ == EXTERN )
+		code_->GenCode(out_h, global_env());
+	}
+
+void HelperDecl::GenCode(Output *out_h, Output *out_cc)
+	{
+	Env *env = global_env();
+
+#if 0
+	if ( context_id_ )
+		{
+		Decl *decl = Decl::LookUpDecl(context_id_);
+		if ( ! decl )
+			{
+			throw Exception(context_id_, 
+			                fmt("cannot find declaration for %s", 
+			                    context_id_->Name()));
+			}
+		env = decl->env();
+		if ( ! env )
+			{
+			throw Exception(context_id_,
+			                fmt("not a type or analyzer: %s",
+			                    context_id_->Name()));
+			}
+		}
+#endif
+
+	if ( helper_type_ == HEADER )
+		code_->GenCode(out_h, env);
+	else if ( helper_type_ == CODE )
+		code_->GenCode(out_cc, env);
+	else if ( helper_type_ == EXTERN )
+		; // do nothing
+	else
+		ASSERT(0);
+	}
diff --git a/aux/binpac/src/pac_decl.h b/aux/binpac/src/pac_decl.h
new file mode 100644
index 0000000000..6151022d20
--- /dev/null
+++ b/aux/binpac/src/pac_decl.h
@@ -0,0 +1,81 @@
+#ifndef pac_decl_h
+#define pac_decl_h
+
+#include "pac_common.h"
+#include "pac_id.h"
+
+class Decl : public Object
+{
+public:
+	// Note: ANALYZER is not for AnalyzerDecl (which is an
+	// abstract class) , but for AnalyzerContextDecl.
+	enum DeclType { ENUM, LET, TYPE, FUNC, CONN, FLOW, ANALYZER, HELPER, REGEX };
+
+	Decl(ID *id, DeclType decl_type);
+	virtual ~Decl();
+
+	const ID *id() const		{ return id_; }
+	DeclType decl_type() const	{ return decl_type_; }
+	AnalyzerContextDecl *analyzer_context() const 
+		{ return analyzer_context_; }
+
+	// NULL except for TypeDecl or AnalyzerDecl
+	virtual Env *env() const	{ return 0; }
+
+	virtual void Prepare() = 0;
+
+	// Generate declarations out of the "binpac" namespace
+	virtual void GenExternDeclaration(Output *out_h) { /* do nothing */ }
+
+	// Generate declarations before definition of classes
+	virtual void GenForwardDeclaration(Output *out_h) = 0;
+
+	virtual void GenCode(Output *out_h, Output *out_cc) = 0;
+
+	void TakeExprList();
+	void AddAttrs(AttrList *attrlist);
+	void SetAnalyzerContext();
+
+protected:
+	virtual void ProcessAttr(Attr *a);
+
+	ID *id_;
+	DeclType decl_type_;
+	AttrList *attrlist_;
+	ExprList *expr_list_;
+	AnalyzerContextDecl *analyzer_context_;
+
+public:
+	static void ProcessDecls(Output *out_h, Output *out_cc);
+	static Decl *LookUpDecl(const ID *id);
+
+private:
+	static DeclList *decl_list_;
+	typedef map<const ID *, Decl*, ID_ptr_cmp> DeclMap;
+	static DeclMap decl_map_;
+};
+
+class HelperDecl : public Decl
+{
+public:
+	enum HelperType {
+		HEADER, CODE, EXTERN,
+	};
+	HelperDecl(HelperType type, ID *context_id, EmbeddedCode *code);
+	~HelperDecl();
+
+	void Prepare();
+	void GenExternDeclaration(Output *out_h);
+	void GenForwardDeclaration(Output *out_h) { /* do nothing */ }
+	void GenCode(Output *out_h, Output *out_cc);
+
+private:
+	HelperType helper_type_;
+	ID *context_id_;
+	ID *helper_id_;
+	EmbeddedCode *code_;
+
+	static int helper_id_seq;
+};
+
+#endif  // pac_decl_h
diff --git a/aux/binpac/src/pac_embedded.cc b/aux/binpac/src/pac_embedded.cc
new file mode 100644
index 0000000000..aca2d03a19
--- /dev/null
+++ b/aux/binpac/src/pac_embedded.cc
@@ -0,0 +1,82 @@
+#include "pac_id.h"
+#include "pac_primitive.h"
+#include "pac_output.h"
+
+#include "pac_embedded.h"
+
+EmbeddedCodeSegment::EmbeddedCodeSegment(const string &s)
+	: s_(s), primitive_(0)
+	{
+	}
+
+EmbeddedCodeSegment::EmbeddedCodeSegment(PacPrimitive *primitive)
+	: s_(""), primitive_(primitive)
+	{
+	}
+
+EmbeddedCodeSegment::~EmbeddedCodeSegment()
+	{
+	delete primitive_;
+	}
+
+string EmbeddedCodeSegment::ToCode(Env *env)
+	{
+	if ( primitive_ &&  s_.empty() )
+		s_ = primitive_->ToCode(env);
+	return s_;
+	}
+
+EmbeddedCode::EmbeddedCode()
+	{
+	segments_ = new EmbeddedCodeSegmentList();
+	}
+
+EmbeddedCode::~EmbeddedCode()
+	{
+	delete_list(EmbeddedCodeSegmentList, segments_);
+	}
+
+void EmbeddedCode::Append(int atom)
+	{
+	current_segment_ += static_cast<char>(atom);
+	}
+
+void EmbeddedCode::Append(const char *str)
+	{
+	current_segment_ += str;
+	}
+
+void EmbeddedCode::Append(PacPrimitive *primitive)
+	{
+	if ( ! current_segment_.empty() )
+		{
+		segments_->push_back(new EmbeddedCodeSegment(current_segment_));
+		current_segment_ = "";
+		}
+	segments_->push_back(new EmbeddedCodeSegment(primitive));
+	}
+
+void EmbeddedCode::GenCode(Output *out, Env *env)
+	{
+	if ( ! current_segment_.empty() )
+		{
+		segments_->push_back(new EmbeddedCodeSegment(current_segment_));
+		current_segment_ = "";
+		}
+
+	// TODO: return to the generated file after embedded code
+	// out->print("#line %d \"%s\"\n", line_num, filename.c_str());
+
+	// Allow use of RValue for undefined ID, in which case the
+	// ID's name is used as its RValue
+	env->set_allow_undefined_id(true);
+
+	foreach(i, EmbeddedCodeSegmentList, segments_)
+		{
+		EmbeddedCodeSegment *segment = *i;
+		out->print("%s", segment->ToCode(env).c_str());
+		}
+
+	env->set_allow_undefined_id(false);
+	out->print("\n");
+	}
diff --git a/aux/binpac/src/pac_embedded.h b/aux/binpac/src/pac_embedded.h
new file mode 100644
index 0000000000..b84de746e1
--- /dev/null
+++ b/aux/binpac/src/pac_embedded.h
@@ -0,0 +1,42 @@
+#ifndef pac_embedded_h
+#define pac_embedded_h
+
+#include "pac_common.h"
+
+class EmbeddedCodeSegment
+{
+public:
+	explicit EmbeddedCodeSegment(const string &s);
+	explicit EmbeddedCodeSegment(PacPrimitive *primitive);
+	~EmbeddedCodeSegment();
+
+	string ToCode(Env *env);
+
+private:
+	string s_;
+	PacPrimitive *primitive_;
+};
+
+typedef vector<EmbeddedCodeSegment *> EmbeddedCodeSegmentList;
+
+class EmbeddedCode : public Object
+{
+public:
+	EmbeddedCode();
+	~EmbeddedCode();
+
+	// Append a character
+	void Append(int atom);
+	void Append(const char *str);
+
+	// Append a PAC primitive
+	void Append(PacPrimitive *primitive);
+
+	void GenCode(Output *out, Env *env);
+
+private:
+	string current_segment_;
+	EmbeddedCodeSegmentList *segments_;
+};
+
+#endif  // pac_embedded_h
diff --git a/aux/binpac/src/pac_enum.cc b/aux/binpac/src/pac_enum.cc
new file mode 100644
index 0000000000..deb1711bc6
--- /dev/null
+++ b/aux/binpac/src/pac_enum.cc
@@ -0,0 +1,70 @@
+#include "pac_exception.h"
+#include "pac_enum.h"
+#include "pac_expr.h"
+#include "pac_exttype.h"
+#include "pac_output.h"
+#include "pac_typedecl.h"
+
+Enum::Enum(ID* id, Expr* expr)
+	: id_(id), expr_(expr)
+	{
+	}
+
+Enum::~Enum()
+	{
+	delete id_;
+	delete expr_;
+	}
+
+void Enum::GenHeader(Output* out_h, int *pval)
+	{
+	ASSERT(pval);
+	if ( expr_ )
+		{
+		if ( ! expr_->ConstFold(global_env(), pval) )
+			throw ExceptionNonConstExpr(expr_);
+		out_h->println("%s = %d,", id_->Name(), *pval);
+		}
+	else
+		out_h->println("%s,", id_->Name());
+	global_env()->AddConstID(id_, *pval);
+	}
+
+EnumDecl::EnumDecl(ID *id, EnumList *enumlist)
+	: Decl(id, ENUM), enumlist_(enumlist) 
+	{
+	ID *type_id = id->clone();
+	datatype_ = new ExternType(type_id, ExternType::NUMBER);
+	extern_typedecl_ = new TypeDecl(type_id, 0, datatype_);
+	}
+
+EnumDecl::~EnumDecl()
+	{ 
+	delete_list(EnumList, enumlist_); 
+	delete extern_typedecl_;
+	}
+
+void EnumDecl::Prepare() 
+	{ 
+	// Do nothing 
+	}
+
+void EnumDecl::GenForwardDeclaration(Output *out_h)
+	{ 
+	out_h->println("enum %s {", id_->Name());
+	out_h->inc_indent();
+	int c = 0;
+	foreach(i, EnumList, enumlist_)
+		{
+		(*i)->GenHeader(out_h, &c);
+		++c;
+		}
+	out_h->dec_indent();
+	out_h->println("};");
+	}
+
+void EnumDecl::GenCode(Output* out_h, Output* /* out_cc */)
+	{
+	// Do nothing 
+	}
+
diff --git a/aux/binpac/src/pac_enum.h b/aux/binpac/src/pac_enum.h
new file mode 100644
index 0000000000..6b255912b6
--- /dev/null
+++ b/aux/binpac/src/pac_enum.h
@@ -0,0 +1,37 @@
+#ifndef pac_enum_h
+#define pac_enum_h
+
+#include "pac_decl.h"
+
+class Enum
+{
+public:
+	Enum(ID *id, Expr *expr = 0);
+	~Enum();
+
+	void GenHeader(Output *out_h, int *pval);
+
+private:
+	ID *id_;
+	Expr *expr_;
+};
+
+class EnumDecl : public Decl
+{
+public:
+	EnumDecl(ID *id, EnumList *enumlist);
+	~EnumDecl();
+
+	Type *DataType() const	{ return datatype_; }
+
+	void Prepare();
+	void GenForwardDeclaration(Output *out_h);
+	void GenCode(Output *out_h, Output *out_cc);
+
+private:
+	EnumList *enumlist_;
+	Type *datatype_;
+	TypeDecl *extern_typedecl_;
+};
+
+#endif // pac_enum_h
diff --git a/aux/binpac/src/pac_exception.cc b/aux/binpac/src/pac_exception.cc
new file mode 100644
index 0000000000..462ef8e18f
--- /dev/null
+++ b/aux/binpac/src/pac_exception.cc
@@ -0,0 +1,70 @@
+#include "pac_exception.h"
+#include "pac_expr.h"
+#include "pac_id.h"
+#include "pac_utils.h"
+
+Exception::Exception(const Object* o, const char* msg)
+	{
+	if ( o )
+		{
+		msg_ = o->Location();
+		msg_ += ": error : ";
+		}
+	if ( msg )
+		msg_ += msg;
+	if ( FLAGS_pac_debug ) 
+		{
+		DEBUG_MSG("Exception: %s\n", msg_.c_str());
+		abort();
+		}
+	}
+
+ExceptionIDNotFound::ExceptionIDNotFound(const ID* id)
+	: Exception(id), id_(id) 
+	{
+	append(fmt("`%s' undeclared", id_->Name()));
+	}
+
+ExceptionIDRedefinition::ExceptionIDRedefinition(const ID* id)
+	: Exception(id), id_(id) 
+	{
+	append(fmt("`%s' redefined", id_->Name()));
+	}
+
+ExceptionIDNotEvaluated::ExceptionIDNotEvaluated(const ID* id)
+	: Exception(id), id_(id) 
+	{
+	append(fmt("ID `%s' not evaluated before used", id->Name()));
+	}
+
+ExceptionIDNotField::ExceptionIDNotField(const ID* id)
+	: Exception(id), id_(id) 
+	{
+	append(fmt("ID `%s' is not a field", id_->Name()));
+	}
+
+ExceptionMemberNotFound::ExceptionMemberNotFound(const ID* type_id, 
+                                                 const ID *member_id)
+	: Exception(member_id), type_id_(type_id), member_id_(member_id)
+	{
+	append(fmt("type %s does not have member `%s'",
+	           type_id_->Name(), member_id_->Name()));
+	}
+
+ExceptionCyclicDependence::ExceptionCyclicDependence(const ID* id)
+	: Exception(id), id_(id) 
+	{
+	append(fmt("cyclic dependence through `%s'", id_->Name()));
+	}
+
+ExceptionPaddingError::ExceptionPaddingError(const Object* o, const char* msg)
+	: Exception(o)
+	{
+	append(msg);
+	}
+
+ExceptionNonConstExpr::ExceptionNonConstExpr(const Expr* expr)
+	: Exception(expr)
+	{
+	append(fmt("Expression `%s' is not constant", expr->orig()));
+	}
diff --git a/aux/binpac/src/pac_exception.h b/aux/binpac/src/pac_exception.h
new file mode 100644
index 0000000000..7653ffeacc
--- /dev/null
+++ b/aux/binpac/src/pac_exception.h
@@ -0,0 +1,97 @@
+// $Id: pac_exception.h 3225 2006-06-08 00:00:01Z vern $
+
+#ifndef pac_exception_h
+#define pac_exception_h
+
+#include <string>
+using namespace std;
+
+#include "pac_common.h"
+
+class Exception
+{
+public:
+	Exception(const Object* o, const char* msg = 0);
+
+	const char* msg() const 	{ return msg_.c_str(); }
+	void append(const char* s) 	{ msg_ += s; }
+
+private:
+	string msg_;
+};
+
+class ExceptionIDNotFound : public Exception
+{
+public:
+	ExceptionIDNotFound(const ID* id);
+	const ID* id() const { return id_; }
+
+private:
+	const ID* id_;
+};
+
+class ExceptionIDRedefinition : public Exception
+{
+public:
+	ExceptionIDRedefinition(const ID* id);
+	const ID* id() const { return id_; }
+
+private:
+	const ID* id_;
+};
+
+class ExceptionIDNotEvaluated : public Exception
+{
+public:
+	ExceptionIDNotEvaluated(const ID* id);
+	const ID* id() const { return id_; }
+
+private:
+	const ID* id_;
+};
+
+class ExceptionCyclicDependence : public Exception
+{
+public:
+	ExceptionCyclicDependence(const ID* id);
+	const ID* id() const { return id_; }
+
+private:
+	const ID* id_;
+};
+
+class ExceptionPaddingError : public Exception
+{
+public:
+	ExceptionPaddingError(const Object* o, const char* msg);
+};
+
+class ExceptionIDNotField : public Exception
+{
+public:
+	ExceptionIDNotField(const ID* id);
+	const ID* id() const { return id_; }
+
+private:
+	const ID* id_;
+};
+
+class ExceptionMemberNotFound : public Exception
+{
+public:
+	ExceptionMemberNotFound(const ID* type_id, const ID *member_id);
+
+private:
+	const ID *type_id_, *member_id_;
+};
+
+class ExceptionNonConstExpr : public Exception
+{
+public:
+	ExceptionNonConstExpr(const Expr* expr);
+
+private:
+	const Expr *expr;
+};
+
+#endif /* pac_exception_h */
diff --git a/aux/binpac/src/pac_expr.cc b/aux/binpac/src/pac_expr.cc
new file mode 100644
index 0000000000..02303bc953
--- /dev/null
+++ b/aux/binpac/src/pac_expr.cc
@@ -0,0 +1,1041 @@
+#include "pac_case.h"
+#include "pac_cstr.h"
+#include "pac_exception.h"
+#include "pac_expr.h"
+#include "pac_exttype.h"
+#include "pac_id.h"
+#include "pac_number.h"
+#include "pac_output.h"
+#include "pac_record.h"
+#include "pac_regex.h"
+#include "pac_strtype.h"
+#include "pac_typedecl.h"
+#include "pac_utils.h"
+
+string OrigExprList(ExprList *list)
+	{
+	bool first = true;
+	string str;
+	foreach(i, ExprList, list)
+		{
+		Expr *expr = *i;
+		if ( first )
+			first = false;
+		else
+			str += ", ";
+		str += expr->orig();
+		}
+	return str;
+	}
+
+string EvalExprList(ExprList *exprlist, Output *out, Env *env)
+	{
+	string val_list("");
+	bool first = true;
+
+	foreach(i, ExprList, exprlist)
+		{
+		if ( ! first )
+			val_list += ", ";
+		val_list += (*i)->EvalExpr(out, env);
+		first = false;
+		}
+
+	return val_list;
+	}
+
+static const char* expr_fmt[] = 
+{
+#	define EXPR_DEF(type, num_op, fmt) fmt,
+#	include "pac_expr.def"
+#	undef EXPR_DEF
+};
+
+void Expr::init()
+	{
+	id_ = 0;
+	num_ = 0;
+	cstr_ = 0;
+	regex_ = 0;
+	num_operands_ = 0;
+	operand_[0] = 0;
+	operand_[1] = 0;
+	operand_[2] = 0;
+	args_ = 0;
+	cases_ = 0;
+	}
+
+Expr::Expr(ID* arg_id)
+	: DataDepElement(EXPR)
+	{
+	init();
+	expr_type_ = EXPR_ID;
+	id_ = arg_id;
+	num_operands_ = 0;
+	orig_ = fmt("%s", id_->Name());
+	}
+
+Expr::Expr(Number* arg_num)
+	: DataDepElement(EXPR)
+	{
+	init();
+	expr_type_ = EXPR_NUM;
+	num_ = arg_num;
+	num_operands_ = 0;
+	orig_ = fmt("((int) %s)", num_->Str());
+	}
+
+Expr::Expr(ConstString *cstr)
+	: DataDepElement(EXPR)
+	{
+	init();
+	expr_type_ = EXPR_CSTR;
+	cstr_ = cstr;
+	num_operands_ = 0;
+	orig_ = cstr_->str();
+	}
+
+Expr::Expr(RegEx *regex)
+	: DataDepElement(EXPR)
+	{
+	init();
+	expr_type_ = EXPR_REGEX;
+	regex_ = regex;
+	num_operands_ = 0;
+	orig_ = fmt("/%s/", regex_->str().c_str());
+	}
+
+Expr::Expr(ExprType arg_type, Expr* op1)
+	: DataDepElement(EXPR)
+	{
+	init();
+	expr_type_ = arg_type;
+	num_operands_ = 1;
+	operand_[0] = op1;
+	orig_ = fmt(expr_fmt[expr_type_], op1->orig());
+	}
+
+Expr::Expr(ExprType arg_type, Expr* op1, Expr* op2)
+	: DataDepElement(EXPR)
+	{
+	init();
+	expr_type_ = arg_type;
+	num_operands_ = 2;
+	operand_[0] = op1;
+	operand_[1] = op2;
+	operand_[2] = 0;
+	orig_ = fmt(expr_fmt[expr_type_], op1->orig(), op2->orig());
+	}
+
+Expr::Expr(ExprType arg_type, Expr* op1, Expr* op2, Expr* op3)
+	: DataDepElement(EXPR)
+	{
+	init();
+	expr_type_ = arg_type;
+	num_operands_ = 3;
+	operand_[0] = op1;
+	operand_[1] = op2;
+	operand_[2] = op3;
+	orig_ = fmt(expr_fmt[expr_type_], op1->orig(), op2->orig(), op3->orig());
+	}
+
+Expr::Expr(ExprList *args)
+	: DataDepElement(EXPR)
+	{
+	init();
+	expr_type_ = EXPR_CALLARGS;
+	num_operands_ = -1;
+	args_ = args;
+
+	orig_ = OrigExprList(args_);
+	}
+
+Expr::Expr(Expr *index, CaseExprList *cases)
+	: DataDepElement(EXPR)
+	{
+	init();
+	expr_type_ = EXPR_CASE;
+	num_operands_ = -1;
+	operand_[0] = index;
+	cases_ = cases;
+
+	orig_ = strfmt("case %s of { ", index->orig());
+	foreach(i, CaseExprList, cases_)
+		{
+		CaseExpr *c = *i;
+		orig_ += strfmt("%s => %s; ", 
+		                OrigExprList(c->index()).c_str(), 
+		                c->value()->orig());
+		}
+	orig_ += "}";
+	}
+
+Expr::~Expr()
+	{
+	delete id_;
+	delete operand_[0];
+	delete operand_[1];
+	delete operand_[2];
+	delete_list(ExprList, args_);
+	delete_list(CaseExprList, cases_);
+	}
+
+void Expr::AddCaseExpr(CaseExpr *case_expr)
+	{
+	ASSERT(str_.empty());
+	ASSERT(expr_type_ == EXPR_CASE);
+	ASSERT(cases_);
+	cases_->push_back(case_expr);
+	}
+
+void Expr::GenStrFromFormat(Env *env)
+	{
+	// The format != "@custom@"
+	ASSERT(*expr_fmt[expr_type_] != '@');
+
+	switch ( num_operands_ )
+		{
+		case 1:
+			str_ = fmt(expr_fmt[expr_type_], 
+				operand_[0]->str());
+			break; 
+		case 2:
+			str_ = fmt(expr_fmt[expr_type_], 
+				operand_[0]->str(),
+				operand_[1]->str());
+			break; 
+		case 3:
+			str_ = fmt(expr_fmt[expr_type_], 
+				operand_[0]->str(),
+				operand_[1]->str(),
+				operand_[2]->str());
+			break; 
+		default:
+			DEBUG_MSG("num_operands_ = %d, orig = %s\n", num_operands_, orig());
+			ASSERT(0);
+			break;
+		}
+	}
+
+namespace {
+
+	RecordField *GetRecordField(const ID *id, Env *env)
+		{
+		Field* field = env->GetField(id);
+		ASSERT(field);
+		if ( field->tof() != RECORD_FIELD &&
+		     field->tof() != PADDING_FIELD )
+			throw Exception(id, "not a record field");
+		RecordField *r = static_cast<RecordField *>(field);
+		ASSERT(r);
+		return r;
+		}
+
+}  // private namespace
+
+void Expr::GenCaseEval(Output *out_cc, Env *env)
+	{
+	ASSERT(expr_type_ == EXPR_CASE);
+	ASSERT(operand_[0]);
+	ASSERT(cases_);
+
+	Type *val_type = DataType(env);
+	ID *val_var = env->AddTempID(val_type);
+
+	out_cc->println("%s %s;", 
+	                val_type->DataTypeStr().c_str(), 
+	                env->LValue(val_var));
+
+	// force evaluation of IDs appearing in case stmt
+        operand_[0]->ForceIDEval(out_cc, env);
+	foreach(i, CaseExprList, cases_)
+		(*i)->value()->ForceIDEval(out_cc, env);
+
+	out_cc->println("switch ( %s )", operand_[0]->EvalExpr(out_cc, env));
+
+	out_cc->inc_indent();
+	out_cc->println("{");
+
+	CaseExpr *default_case = 0;
+	foreach(i, CaseExprList, cases_)
+		{
+		CaseExpr *c = *i;
+		ExprList *index = c->index();
+		if ( ! index )
+			{
+			if ( default_case )
+				throw Exception(c, "duplicate default cases");
+			default_case = c;
+			}
+		else
+			{
+			GenCaseStr(index, out_cc, env);
+			out_cc->inc_indent();
+			out_cc->println("%s = %s;", 
+			                env->LValue(val_var),
+			                c->value()->EvalExpr(out_cc, env));
+			out_cc->println("break;");
+			out_cc->dec_indent();
+			}
+		}
+
+	// Generate the default case after all other cases
+	GenCaseStr(0, out_cc, env);
+	out_cc->inc_indent();
+	if ( default_case )
+		{
+		out_cc->println("%s = %s;", 
+	                	env->LValue(val_var),
+		                default_case->value()->EvalExpr(out_cc, env));
+		}
+	else
+		{
+		out_cc->println("throw ExceptionInvalidCaseIndex(\"%s\", %s);",
+			Location(), operand_[0]->EvalExpr(out_cc, env));
+		}
+	out_cc->println("break;");
+	out_cc->dec_indent();
+
+	out_cc->println("}");
+	out_cc->dec_indent();
+
+	env->SetEvaluated(val_var);
+	str_ = env->RValue(val_var);
+	}
+
+void Expr::GenEval(Output* out_cc, Env* env)
+	{
+	switch ( expr_type_ )
+		{
+		case EXPR_NUM:
+			str_ = num_->Str();
+			break;
+
+		case EXPR_ID:
+			if ( ! env->Evaluated(id_) )
+				env->Evaluate(out_cc, id_);
+			str_ = env->RValue(id_);
+			break;
+
+		case EXPR_MEMBER:
+			{
+			/*
+			For member expressions such X.Y, evaluating
+			X only is sufficient. (Actually trying to
+			evaluate Y will lead to error because Y is
+			not defined in the current environment.)
+			*/
+			operand_[0]->GenEval(out_cc, env);
+
+			Type *ty0 = operand_[0]->DataType(env);
+
+			str_ = fmt("%s%s",
+				operand_[0]->EvalExpr(out_cc, env),
+				ty0 ? 
+				ty0->EvalMember(operand_[1]->id()).c_str() :
+				fmt("->%s()", operand_[1]->id()->Name()));
+			}
+			break;
+
+		case EXPR_SUBSCRIPT:
+			{
+			operand_[0]->GenEval(out_cc, env);
+			operand_[1]->GenEval(out_cc, env);
+
+			string v0 = operand_[0]->EvalExpr(out_cc, env);
+			string v1 = operand_[1]->EvalExpr(out_cc, env);
+			
+			Type *ty0 = operand_[0]->DataType(env);
+			if ( ty0 )
+				str_ = ty0->EvalElement(v0, v1);
+			else
+				str_ = fmt("%s[%s]", v0.c_str(), v1.c_str());
+			}
+			break;
+
+		case EXPR_SIZEOF:
+			{
+			const ID *id = operand_[0]->id();
+			RecordField *rf;
+			Type *ty;
+
+			try 
+				{
+				if ( (rf = GetRecordField(id, env)) != 0 )
+					{
+					str_ = fmt("%s", rf->FieldSize(out_cc, env));
+					}
+				}
+			catch ( ExceptionIDNotFound &e )
+				{
+				if ( (ty = TypeDecl::LookUpType(id)) != 0 )
+					{
+					int ty_size = ty->StaticSize(global_env());
+					if ( ty_size >= 0 )
+						str_ = fmt("%d", ty_size);
+					else
+						throw Exception(id, "unknown size");
+					}
+				else
+					throw Exception(id, "not a record field or type");
+				}
+			}
+			break;
+
+		case EXPR_OFFSETOF:
+			{
+			const ID *id = operand_[0]->id();
+			RecordField *rf = GetRecordField(id, env);
+			str_ = fmt("%s", rf->FieldOffset(out_cc, env));
+			}
+			break;
+
+		case EXPR_CALLARGS:
+			str_ = EvalExprList(args_, out_cc, env);
+			break;
+
+		case EXPR_CASE:
+			GenCaseEval(out_cc, env);
+			break;
+
+		default:
+			// Evaluate every operand by default
+			for ( int i = 0; i < 3; ++i )
+				if ( operand_[i] )
+					operand_[i]->GenEval(out_cc, env);
+			GenStrFromFormat(env);
+			break;
+		}
+	}
+
+void Expr::ForceIDEval(Output* out_cc, Env* env)
+        {
+	switch ( expr_type_ )
+		{
+		case EXPR_NUM:
+		case EXPR_SIZEOF:
+		case EXPR_OFFSETOF:
+			break;
+
+		case EXPR_ID:
+			if ( ! env->Evaluated(id_) )
+				env->Evaluate(out_cc, id_);
+			break;
+
+		case EXPR_MEMBER:
+			operand_[0]->ForceIDEval(out_cc, env);
+			break;
+
+		case EXPR_CALLARGS:
+		        {
+		        foreach(i, ExprList, args_)
+			        (*i)->ForceIDEval(out_cc, env);
+			}
+			break;
+
+		case EXPR_CASE:
+		        {
+		        operand_[0]->ForceIDEval(out_cc, env);
+			foreach(i, CaseExprList, cases_)
+				(*i)->value()->ForceIDEval(out_cc, env);
+		        }
+			break;
+
+		default:
+			// Evaluate every operand by default
+			for ( int i = 0; i < 3; ++i )
+				if ( operand_[i] )
+					operand_[i]->ForceIDEval(out_cc, env);
+			break;
+		}
+	}
+
+
+const char* Expr::EvalExpr(Output* out_cc, Env* env)
+	{
+	GenEval(out_cc, env);
+	return str();
+	}
+
+Type *Expr::DataType(Env *env) const
+	{
+	Type *data_type;
+
+	switch ( expr_type_ )
+		{
+		case EXPR_ID:
+			data_type = env->GetDataType(id_);
+			break;
+
+		case EXPR_MEMBER:
+			{
+			// Get type of the parent
+			Type *parent_type = operand_[0]->DataType(env);
+			if ( ! parent_type )
+				return 0;
+			data_type = parent_type->MemberDataType(operand_[1]->id());
+			}
+			break;
+
+		case EXPR_SUBSCRIPT:
+			{
+			// Get type of the parent
+			Type *parent_type = operand_[0]->DataType(env);
+			data_type = parent_type->ElementDataType();
+			}
+			break;
+
+		case EXPR_PAREN:
+			data_type = operand_[0]->DataType(env);
+			break;
+
+		case EXPR_COND:
+			{
+			Type *type1 = operand_[1]->DataType(env);
+			Type *type2 = operand_[2]->DataType(env);
+			if ( ! Type::CompatibleTypes(type1, type2) )
+				{
+				throw Exception(this, 
+					fmt("type mismatch: %s vs %s",
+					    type1->DataTypeStr().c_str(),
+					    type2->DataTypeStr().c_str()));
+				}
+			data_type = type1;
+			}
+			break;
+
+		case EXPR_CALL:
+			data_type = operand_[0]->DataType(env);
+			break;
+
+		case EXPR_CASE:
+			{
+			if ( cases_ && ! cases_->empty() )
+				{
+				Type *type1 = 
+					cases_->front()->value()->DataType(env);
+				foreach(i, CaseExprList, cases_)
+					{
+					Type *type2 = 
+						(*i)->value()->DataType(env);
+					if ( ! Type::CompatibleTypes(type1, type2) )
+						{
+						throw Exception(this, 
+							fmt("type mismatch: %s vs %s",
+					    		    type1->DataTypeStr().c_str(),
+					                    type2->DataTypeStr().c_str()));
+						}
+					if ( type1 == extern_type_nullptr )
+						type1 = type2;
+					}
+				data_type = type1;
+				}
+			else
+				data_type = 0;
+			}
+			break;
+
+		case EXPR_NUM:
+		case EXPR_SIZEOF:
+		case EXPR_OFFSETOF:
+		case EXPR_NEG:
+		case EXPR_PLUS:
+		case EXPR_MINUS:
+		case EXPR_TIMES:
+		case EXPR_DIV:
+		case EXPR_MOD:
+		case EXPR_BITNOT:
+		case EXPR_BITAND:
+		case EXPR_BITOR:
+		case EXPR_BITXOR:
+		case EXPR_LSHIFT:
+		case EXPR_RSHIFT:
+		case EXPR_EQUAL:
+		case EXPR_GE:
+		case EXPR_LE:
+		case EXPR_GT:
+		case EXPR_LT:
+		case EXPR_NOT:
+		case EXPR_AND:
+		case EXPR_OR:
+			data_type = extern_type_int;
+			break;
+
+		default:
+			data_type = 0;
+			break;
+		}
+
+	return data_type;
+	}
+
+string Expr::DataTypeStr(Env *env) const
+	{
+	Type *type = DataType(env);
+
+	if ( ! type )
+		{
+		throw Exception(this, 
+		                fmt("cannot find data type for expression `%s'",
+		                    orig()));
+		}
+
+	return type->DataTypeStr();
+	}
+
+string Expr::SetFunc(Output *out, Env *env)
+	{
+	switch ( expr_type_ )
+		{
+		case EXPR_ID:
+			return set_function(id_);
+		case EXPR_MEMBER:
+			{
+			// Evaluate the parent
+			string parent_val(operand_[0]->EvalExpr(out, env));
+			return parent_val 
+				+ "->" 
+				+ set_function(operand_[1]->id());
+			}
+			break;
+		default:
+			throw Exception(this, 
+			                fmt("cannot generate set function "
+			                    "for expression `%s'", orig()));
+			break;
+		}
+	}
+
+bool Expr::ConstFold(Env* env, int* pn) const
+	{
+	switch ( expr_type_ ) 
+		{
+		case EXPR_NUM:	
+			*pn = num_->Num();
+			return true;
+		case EXPR_ID:
+			return env->GetConstant(id_, pn);
+		default:	
+			// ### FIXME: folding consts
+			return false;
+		}
+	}
+
+// TODO: build a generic data dependency extraction process
+namespace {
+
+	// Maximum of two minimal header sizes
+	int mhs_max(int h1, int h2) 
+		{
+		if ( h1 < 0 || h2 < 0 )
+			return -1;
+		else
+			{
+			// return max(h1, h2);
+			return h1 > h2 ? h1 : h2;
+			}
+		}
+			
+	// MHS required to evaluate the field
+	int mhs_letfield(Env* env, LetField* field)
+		{
+		return field->expr()->MinimalHeaderSize(env);
+		}
+
+	int mhs_recordfield(Env* env, RecordField* field)
+		{
+		int offset = field->static_offset();
+		if ( offset < 0 )  // offset cannot be statically determined
+			return -1;
+		int size = field->StaticSize(env, offset);
+		if ( size < 0 )  // size cannot be statically determined
+			return -1;
+		return offset + size;
+		}
+
+	int mhs_casefield(Env* env, CaseField* field)
+		{
+		// TODO: deal with the index
+		int size = field->StaticSize(env);
+		if ( size < 0 )  // size cannot be statically determined
+			return -1;
+		return size;
+		}
+
+	int mhs_field(Env* env, Field* field)
+		{
+		int mhs = -1;
+		switch ( field->tof() )
+			{
+			case LET_FIELD:
+				{
+				LetField *f = 
+					static_cast<LetField *>(field);
+				ASSERT(f);
+				mhs = mhs_letfield(env, f);
+				}
+				break;
+
+			case CONTEXT_FIELD:
+			case FLOW_FIELD:
+				ASSERT(0);
+				break;
+
+			case PARAM_FIELD:
+				mhs = 0;
+				break;
+
+			case RECORD_FIELD:
+			case PADDING_FIELD:
+				{
+				RecordField *f = 
+					static_cast<RecordField *>(field);
+				ASSERT(f);
+				mhs = mhs_recordfield(env, f);
+				}
+				break;
+
+			case CASE_FIELD:
+				{
+				CaseField *f = 
+					static_cast<CaseField *>(field);
+				ASSERT(f);
+				mhs = mhs_casefield(env, f);
+				}
+				break;
+
+			case PARSE_VAR_FIELD:
+			case PRIV_VAR_FIELD:
+			case PUB_VAR_FIELD:
+			case TEMP_VAR_FIELD:
+				mhs = 0;
+				break;
+
+			case WITHINPUT_FIELD:
+				{
+				// ### TODO: fix this
+				mhs = -1;
+				}
+				break;
+			}
+		return mhs;
+		}
+
+	int mhs_id(Env *env, const ID *id)
+		{
+		int mhs = -1;
+		switch ( env->GetIDType(id) ) 
+			{
+			case CONST:
+			case GLOBAL_VAR:
+			case TEMP_VAR:
+			case STATE_VAR:
+			case FUNC_ID:
+			case FUNC_PARAM:
+				mhs = 0;
+				break;
+			case MEMBER_VAR:
+			case PRIV_MEMBER_VAR:
+				{
+				Field* field = env->GetField(id);
+				if ( ! field )
+					throw ExceptionIDNotField(id);
+				mhs = mhs_field(env, field);
+				}
+				break;
+			case UNION_VAR:
+				// TODO: deal with UNION_VAR
+				mhs = -1;
+				break;
+			case MACRO:
+				{
+				Expr *e = env->GetMacro(id);
+				mhs = e->MinimalHeaderSize(env);
+				}
+				break;
+			}
+		return mhs;
+		}
+}
+
+int Expr::MinimalHeaderSize(Env *env)
+	{
+	int mhs;
+
+	switch ( expr_type_ )
+		{
+		case EXPR_NUM:
+			// Zero byte is required
+			mhs = 0;
+			break;
+
+		case EXPR_ID:
+			mhs = mhs_id(env, id_);
+			break;
+
+		case EXPR_MEMBER:
+			// TODO: this is not a tight bound because
+			// one actually does not have to parse the
+			// whole record to compute one particular
+			// field.
+			mhs = operand_[0]->MinimalHeaderSize(env);
+			break;
+
+		case EXPR_SUBSCRIPT:
+			{
+			int index;
+			Type *array_type = operand_[0]->DataType(env);
+			Type *elem_type = array_type->ElementDataType();
+			int elem_size = elem_type->StaticSize(env);
+			if ( elem_size >= 0 &&
+			     operand_[1]->ConstFold(env, &index) )
+				{
+				mhs = elem_size * index;
+				}
+			else
+				{
+				mhs = -1;
+				}
+			}
+
+		case EXPR_SIZEOF:
+			{
+			const ID* id = operand_[0]->id();
+			ASSERT(id);
+			RecordField *rf;
+			Type *ty;
+
+			if ( (rf = GetRecordField(id, env)) != 0 )
+				{
+				if ( rf->StaticSize(env, -1) >= 0 )
+					mhs = 0;
+				else
+					mhs = mhs_recordfield(env, rf);
+				}
+
+			else if ( (ty = TypeDecl::LookUpType(id)) != 0 )
+				{
+				mhs = 0;
+				}
+
+			else
+				throw Exception(id, "not a record field or type");
+			}
+			break;
+
+		case EXPR_OFFSETOF:
+			{
+			const ID* id = operand_[0]->id();
+			ASSERT(id);
+			RecordField *field = GetRecordField(id, env);
+			
+			mhs = field->static_offset();
+			if ( mhs < 0 )
+				{
+				mhs = 0;
+				// Take the MHS of the preceding (non-let) field
+				RecordField* prev_field = field->prev();
+				ASSERT(prev_field);
+				mhs = mhs_recordfield(env, prev_field);
+				}
+			}
+			break;
+
+		case EXPR_CALLARGS:
+		        {
+		        mhs = 0;
+			if ( args_ )
+			        for ( unsigned int i = 0; i < args_->size(); ++i )
+					mhs = mhs_max(mhs, (*args_)[i]->MinimalHeaderSize(env));
+			}
+		        break;
+		case EXPR_CASE:
+		        {
+		        mhs = operand_[0]->MinimalHeaderSize(env);
+			for ( unsigned int i = 0; i < cases_->size(); ++i )
+			        {
+				CaseExpr * ce = (*cases_)[i];
+				if ( ce->index() )
+				        for ( unsigned int j = 0; j < ce->index()->size(); ++j )
+						mhs = mhs_max(mhs, (*ce->index())[j]->MinimalHeaderSize(env));
+				mhs = mhs_max(mhs, ce->value()->MinimalHeaderSize(env));
+				}
+			}
+			break;
+		default:
+			// Evaluate every operand by default
+			mhs = 0;
+			for ( int i = 0; i < 3; ++i )
+				if ( operand_[i] )
+					mhs = mhs_max(mhs, operand_[i]->MinimalHeaderSize(env));
+			break;
+		}
+
+	return mhs;
+	}
+
+bool Expr::HasReference(const ID *id) const
+	{
+	switch ( expr_type_ )
+		{
+		case EXPR_ID:
+			return *id == *id_;
+
+		case EXPR_MEMBER:
+			return operand_[0]->HasReference(id);
+
+		case EXPR_CALLARGS:
+			{
+			foreach(i, ExprList, args_)
+				if ( (*i)->HasReference(id) )
+					return true;
+			}
+			return false;
+
+		case EXPR_CASE:
+			{
+			foreach(i, CaseExprList, cases_)
+				if ( (*i)->HasReference(id) )
+					return true;
+			}
+			return false;
+
+		default:
+			// Evaluate every operand by default
+			for ( int i = 0; i < 3; ++i )
+				{
+				if ( operand_[i] && 
+				     operand_[i]->HasReference(id) )
+					{
+					return true;
+					}
+				}
+			return false;
+		}
+	}
+
+bool Expr::DoTraverse(DataDepVisitor *visitor)
+	{
+	switch ( expr_type_ )
+		{
+		case EXPR_ID:
+			break;
+
+		case EXPR_MEMBER:
+			/*
+			For member expressions such X.Y, evaluating
+			X only is sufficient. (Actually trying to
+			evaluate Y will lead to error because Y is
+			not defined in the current environment.)
+			*/
+			if ( ! operand_[0]->Traverse(visitor) )
+				return false;
+			break;
+
+		case EXPR_CALLARGS:
+			{
+			foreach(i, ExprList, args_)
+				if ( ! (*i)->Traverse(visitor) )
+					return false;
+			}
+			break;
+
+		case EXPR_CASE:
+			{
+			foreach(i, CaseExprList, cases_)
+				if ( ! (*i)->Traverse(visitor) )
+					return false;
+			}
+			break;
+
+		default:
+			// Evaluate every operand by default
+			for ( int i = 0; i < 3; ++i )
+				{
+				if ( operand_[i] && 
+				     ! operand_[i]->Traverse(visitor) )
+					{
+					return false;
+					}
+				}
+			break;
+		}
+
+	return true;
+	}
+
+bool Expr::RequiresAnalyzerContext() const
+	{
+	switch ( expr_type_ )
+		{
+		case EXPR_ID:
+			return *id_ == *analyzer_context_id;
+
+		case EXPR_MEMBER:
+			/*
+			For member expressions such X.Y, evaluating
+			X only is sufficient. (Actually trying to
+			evaluate Y will lead to error because Y is
+			not defined in the current environment.)
+			*/
+			return operand_[0]->RequiresAnalyzerContext();
+
+		case EXPR_CALLARGS:
+			{
+			foreach(i, ExprList, args_)
+				if ( (*i)->RequiresAnalyzerContext() )
+					return true;
+			}
+			return false;
+
+		case EXPR_CASE:
+			{
+			foreach(i, CaseExprList, cases_)
+				if ( (*i)->RequiresAnalyzerContext() )
+					return true;
+			}
+			return false;
+
+		default:
+			// Evaluate every operand by default
+			for ( int i = 0; i < 3; ++i )
+				if ( operand_[i] && 
+				     operand_[i]->RequiresAnalyzerContext() )
+					{
+					DEBUG_MSG("'%s' requires analyzer context\n", operand_[i]->orig());
+					return true;
+					}
+			return false;
+		}
+	}
+
+CaseExpr::CaseExpr(ExprList *index, Expr *value)
+	: DataDepElement(DataDepElement::CASEEXPR), 
+	  index_(index), value_(value)
+	{
+	}
+
+CaseExpr::~CaseExpr()
+	{
+	delete_list(ExprList, index_);
+	delete value_;
+	}
+
+bool CaseExpr::DoTraverse(DataDepVisitor *visitor)
+	{
+	foreach(i, ExprList, index_)
+		if ( ! (*i)->Traverse(visitor) )
+			return false;
+	return value_->Traverse(visitor);
+	}
+
+bool CaseExpr::HasReference(const ID *id) const
+	{
+	return value_->HasReference(id);
+	}
+
+bool CaseExpr::RequiresAnalyzerContext() const
+	{
+	// index_ should evaluate to constants
+	return value_->RequiresAnalyzerContext();
+	}
diff --git a/aux/binpac/src/pac_expr.def b/aux/binpac/src/pac_expr.def
new file mode 100644
index 0000000000..d7c0319522
--- /dev/null
+++ b/aux/binpac/src/pac_expr.def
@@ -0,0 +1,34 @@
+EXPR_DEF(EXPR_ID, 		0, "%s")
+EXPR_DEF(EXPR_NUM,		0, "%s")
+EXPR_DEF(EXPR_CSTR,		0, "%s")
+EXPR_DEF(EXPR_REGEX,		0, "REGEX(%s)")
+EXPR_DEF(EXPR_SUBSCRIPT,	2, "@element@(%s[%s])") 
+EXPR_DEF(EXPR_MEMBER,		2, "@%s->%s@") 
+EXPR_DEF(EXPR_PAREN,		1, " ( %s ) ") 
+EXPR_DEF(EXPR_CALL,		1, "%s(%s)")
+EXPR_DEF(EXPR_CALLARGS,		-1, "@custom@")
+EXPR_DEF(EXPR_SIZEOF,		1, "@sizeof(%s)@")
+EXPR_DEF(EXPR_OFFSETOF,		1, "@offsetof(%s)@")
+EXPR_DEF(EXPR_NEG,		1, "-%s") 
+EXPR_DEF(EXPR_PLUS,		2, "%s + %s")
+EXPR_DEF(EXPR_MINUS,		2, "%s - %s")
+EXPR_DEF(EXPR_TIMES,		2, "%s * %s")
+EXPR_DEF(EXPR_DIV,		2, "%s / %s")
+EXPR_DEF(EXPR_MOD,		2, "%s %% %s")
+EXPR_DEF(EXPR_BITNOT,		1, "~%s")
+EXPR_DEF(EXPR_BITAND,		2, "%s & %s")
+EXPR_DEF(EXPR_BITOR,		2, "%s | %s")
+EXPR_DEF(EXPR_BITXOR,		2, "%s ^ %s")
+EXPR_DEF(EXPR_LSHIFT,		2, "%s << %s")
+EXPR_DEF(EXPR_RSHIFT,		2, "%s >> %s")
+EXPR_DEF(EXPR_EQUAL,		2, "%s == %s")
+EXPR_DEF(EXPR_NEQ,		2, "%s != %s")
+EXPR_DEF(EXPR_GE,		2, "%s >= %s")
+EXPR_DEF(EXPR_LE,		2, "%s <= %s")
+EXPR_DEF(EXPR_GT,		2, "%s > %s")
+EXPR_DEF(EXPR_LT,		2, "%s < %s")
+EXPR_DEF(EXPR_NOT,		1, "! %s")
+EXPR_DEF(EXPR_AND,		2, "%s && %s")
+EXPR_DEF(EXPR_OR,		2, "%s || %s")
+EXPR_DEF(EXPR_COND,		3, "%s ? %s : %s")
+EXPR_DEF(EXPR_CASE,		-1, "@custom@")
diff --git a/aux/binpac/src/pac_expr.h b/aux/binpac/src/pac_expr.h
new file mode 100644
index 0000000000..be1e70c6ea
--- /dev/null
+++ b/aux/binpac/src/pac_expr.h
@@ -0,0 +1,139 @@
+#ifndef pac_expr_h
+#define pac_expr_h
+
+#include "pac_common.h"
+#include "pac_datadep.h"
+
+class CaseExpr;
+
+class Expr : public Object, public DataDepElement
+{
+public:
+	enum ExprType {
+#		define EXPR_DEF(type, x, y) type,
+#		include "pac_expr.def"
+#		undef EXPR_DEF
+	};
+
+	void init();
+
+	Expr(ID *id);
+	Expr(Number *num);
+	Expr(ConstString *s);
+	Expr(RegEx *regex);
+	Expr(ExprList *args);	// for EXPR_CALLARGS
+	Expr(Expr *index, CaseExprList *cases);
+
+	Expr(ExprType type, Expr *op1);
+	Expr(ExprType type, Expr *op1, Expr *op2);
+	Expr(ExprType type, Expr *op1, Expr *op2, Expr *op3);
+
+	virtual ~Expr();
+
+	const char *orig() const	{ return orig_.c_str(); }
+	const ID *id() const 		{ return id_; }
+	const char *str() const		{ return str_.c_str(); }
+	ExprType expr_type() const	{ return expr_type_; }
+
+	void AddCaseExpr(CaseExpr *case_expr);
+
+	// Returns the data "type" of the expression. Here we only
+	// do a serious job for the EXPR_MEMBER and EXPR_SUBSCRIPT
+	// operators. For arithmetic operations, we fall back
+	// to "int".
+	Type *DataType(Env *env) const;
+	string DataTypeStr(Env *env) const;
+
+	// Note: EvalExpr() may generate C++ statements in order to evaluate 
+	// variables in the expression, so the following is wrong:
+	//
+	// out->print("int x = ");
+	// out->println("%s", expr->EvalExpr(out, env));
+	//
+	// While putting them together is right:
+	//
+	// out->println("int x = %s", expr->EvalExpr(out, env));
+	//
+	const char *EvalExpr(Output *out, Env *env);
+
+	// force evaulation of IDs contained in this expression;
+	// necessary with case expr and conditional let fields (&if)
+	// for correct parsing of fields
+	void ForceIDEval(Output *out_cc, Env *env);
+
+	// Returns the set_* function of the expression. 
+	// The expression must be of form ID or x.ID.
+	string SetFunc(Output *out, Env *env);
+
+	// Returns true if the expression folds to an integer
+	// constant with env, and puts the constant in *pn.
+	//
+	bool ConstFold(Env *env, int *pn) const;
+
+	// Whether id is referenced in the expression
+	bool HasReference(const ID *id) const;
+
+	// Suppose the data for type might be incomplete, what is
+	// the minimal number of bytes from data head required to
+	// compute the expression? For example, how many bytes of frame
+	// header do we need to determine the length of the frame?
+	//
+	// The parameter <env> points to the Env of a type.
+	// 
+	// Returns -1 if the number is not a constant.
+	//
+	int MinimalHeaderSize(Env *env);
+
+	// Whether evaluation of the expression requires the analyzer context
+	bool RequiresAnalyzerContext() const;
+
+protected:
+	bool DoTraverse(DataDepVisitor *visitor);
+
+private:
+	ExprType expr_type_;
+
+	int num_operands_;
+	Expr *operand_[3];
+
+	ID *id_;		// EXPR_ID
+	Number *num_;		// EXPR_NUM
+	ConstString *cstr_;	// EXPR_CSTR
+	RegEx *regex_;		// EXPR_REGEX
+	ExprList *args_;	// EXPR_CALLARGS
+	CaseExprList *cases_;	// EXPR_CASE
+
+	string str_;		// value string
+	string orig_;		// original string for debugging info
+
+	void GenStrFromFormat(Env *env);
+	void GenEval(Output *out, Env *env);
+	void GenCaseEval(Output *out_cc, Env *env);
+};
+
+string OrigExprList(ExprList *exprlist);
+string EvalExprList(ExprList *exprlist, Output *out, Env *env);
+
+// An entry of the case expression, consisting of one or more constant
+// expressions for the case index and a value expression.
+class CaseExpr : public Object, public DataDepElement
+{
+public:
+	CaseExpr(ExprList *index, Expr *value);
+	virtual ~CaseExpr();
+
+	ExprList *index() const 	{ return index_; }
+	Expr *value() const 		{ return value_; }
+
+	bool HasReference(const ID *id) const;
+	bool RequiresAnalyzerContext() const;
+
+protected:
+	bool DoTraverse(DataDepVisitor *visitor);
+
+private:
+	ExprList *index_;
+	Expr *value_;
+};
+
+#endif  // pac_expr_h
diff --git a/aux/binpac/src/pac_externtype.def b/aux/binpac/src/pac_externtype.def
new file mode 100644
index 0000000000..aeac5a51b0
--- /dev/null
+++ b/aux/binpac/src/pac_externtype.def
@@ -0,0 +1,15 @@
+EXTERNTYPE(bool, bool, NUMBER)
+EXTERNTYPE(int, int, NUMBER)
+EXTERNTYPE(double, double, NUMBER)
+EXTERNTYPE(string, string, PLAIN)
+EXTERNTYPE(void, void, PLAIN)
+EXTERNTYPE(voidptr, void, POINTER)
+EXTERNTYPE(nullptr, nullptr, PLAIN)
+EXTERNTYPE(bytearray, bytearray, PLAIN)
+EXTERNTYPE(const_charptr, const_charptr, PLAIN)
+EXTERNTYPE(const_byteptr, const_byteptr, PLAIN)
+// EXTERNTYPE(const_byteseg, const_byteseg, PLAIN)
+EXTERNTYPE(const_bytestring, const_bytestring, PLAIN)
+// EXTERNTYPE(bytestring, bytestring, PLAIN)
+EXTERNTYPE(re_matcher, re_matcher, PLAIN)
+EXTERNTYPE(flowbuffer, FlowBuffer, POINTER)
diff --git a/aux/binpac/src/pac_exttype.cc b/aux/binpac/src/pac_exttype.cc
new file mode 100644
index 0000000000..659d4cdc5e
--- /dev/null
+++ b/aux/binpac/src/pac_exttype.cc
@@ -0,0 +1,76 @@
+#include "pac_exttype.h"
+#include "pac_id.h"
+#include "pac_decl.h"
+
+bool ExternType::DefineValueVar() const
+	{
+	return true;
+	}
+
+string ExternType::DataTypeStr() const
+	{ 
+	switch ( ext_type_ )
+		{
+		case PLAIN:
+		case NUMBER:
+			return id_->Name(); 
+		case POINTER:
+			return string(id_->Name()) + " *"; 
+		default:
+			ASSERT(0);
+			return "";
+		}
+	}
+
+int ExternType::StaticSize(Env* env) const
+	{
+	ASSERT(0);
+	return -1;
+	}
+
+bool ExternType::ByteOrderSensitive() const 
+	{ 
+	return false;
+	}
+
+string ExternType::EvalMember(const ID *member_id) const
+	{
+	return strfmt("%s%s", 
+		ext_type_ == POINTER ? "->" : ".",
+		member_id->Name());
+	}
+
+void ExternType::DoGenParseCode(Output* out, Env* env, const DataPtr& data, int flags)
+	{
+	ASSERT(0);
+	}
+
+void ExternType::GenDynamicSize(Output* out, Env* env, const DataPtr& data)
+	{
+	ASSERT(0);
+	}
+
+Type *ExternType::DoClone() const
+	{ 
+	return new ExternType(id_->clone(), ext_type_); 
+	}
+
+// Definitions of pre-defined external types
+
+#define EXTERNTYPE(name, ctype, exttype) ExternType *extern_type_##name = 0;
+#include "pac_externtype.def"
+#undef EXTERNTYPE
+
+void ExternType::static_init()
+	{
+	ID *id;
+	// TypeDecl *decl;
+	// decl = new TypeDecl(id, 0, extern_type_##name);
+
+#define EXTERNTYPE(name, ctype, exttype) \
+	id = new ID(#ctype); \
+	extern_type_##name = new ExternType(id, ExternType::exttype); \
+	Type::AddPredefinedType(#name, extern_type_##name); 
+#include "pac_externtype.def"
+#undef EXTERNTYPE
+	}
diff --git a/aux/binpac/src/pac_exttype.h b/aux/binpac/src/pac_exttype.h
new file mode 100644
index 0000000000..6d81608195
--- /dev/null
+++ b/aux/binpac/src/pac_exttype.h
@@ -0,0 +1,47 @@
+#ifndef pac_exttype_h
+#define pac_exttype_h
+
+#include "pac_type.h"
+
+// ExternType represent external C++ types that are not defined in
+// PAC specification (therefore they cannot appear in data layout
+// spefication, e.g., in a record field). The type name is copied
+// literally to the compiled code. 
+
+class ExternType : public Type
+{
+public:
+	enum EXTType { PLAIN, NUMBER, POINTER };
+	ExternType(const ID *id, EXTType ext_type)
+		: Type(EXTERN), 
+		  id_(id), 
+		  ext_type_(ext_type) {}
+
+	bool DefineValueVar() const;
+	string DataTypeStr() const;
+	int StaticSize(Env *env) const;
+	bool ByteOrderSensitive() const;
+
+	string EvalMember(const ID *member_id) const;
+	bool IsNumericType() const		{ return ext_type_ == NUMBER; }
+	bool IsPointerType() const		{ return ext_type_ == POINTER; }
+
+protected:
+	void DoGenParseCode(Output *out, Env *env, const DataPtr& data, int flags);
+	void GenDynamicSize(Output *out, Env *env, const DataPtr& data);
+
+	Type *DoClone() const;
+
+private:
+	const ID *id_;
+	EXTType ext_type_;
+
+public:
+	static void static_init();
+};
+
+#define EXTERNTYPE(name, ctype, exttype) extern ExternType *extern_type_##name;
+#include "pac_externtype.def"
+#undef EXTERNTYPE
+
+#endif  // pac_exttype_h
diff --git a/aux/binpac/src/pac_field.cc b/aux/binpac/src/pac_field.cc
new file mode 100644
index 0000000000..0ee70e4b28
--- /dev/null
+++ b/aux/binpac/src/pac_field.cc
@@ -0,0 +1,143 @@
+#include "pac_attr.h"
+#include "pac_common.h"
+#include "pac_exception.h"
+#include "pac_field.h"
+#include "pac_id.h"
+#include "pac_type.h"
+
+Field::Field(FieldType tof, int flags, ID *id, Type *type)
+	: DataDepElement(DataDepElement::FIELD),
+	  tof_(tof), flags_(flags), id_(id), type_(type)
+	{
+	decl_id_ = current_decl_id;
+	field_id_str_ = strfmt("%s:%s", decl_id()->Name(), id_->Name());
+	attrs_ = 0;
+	}
+
+Field::~Field()
+	{
+	delete id_;
+	delete type_;
+	delete_list(AttrList, attrs_);
+	}
+
+void Field::AddAttr(AttrList* attrs)
+	{
+	if ( ! attrs_ )
+		{
+		attrs_ = attrs;
+		}
+	else
+		{
+		attrs_->insert(attrs_->end(), attrs->begin(), attrs->end());
+		delete attrs;
+		}
+
+	foreach(i, AttrList, attrs)
+		ProcessAttr(*i);
+	}
+
+void Field::ProcessAttr(Attr *a)
+	{
+	switch ( a->type() )
+		{
+		case ATTR_IF:
+			if ( tof() != LET_FIELD &&
+			     tof() != WITHINPUT_FIELD )
+				{
+				throw Exception(a, 
+					"&if can only be applied to a "
+					"let field");
+				}
+			break;
+		default:
+			break;
+		}
+
+	if ( type_ )
+		type_->ProcessAttr(a);
+	}
+
+bool Field::anonymous_field() const
+	{
+	return type_ && type_->anonymous_value_var();
+	}
+
+int Field::ValueVarType() const
+	{
+	if ( flags_ & CLASS_MEMBER )
+		return (flags_ & PUBLIC_READABLE) ? MEMBER_VAR : PRIV_MEMBER_VAR;
+	else
+		return TEMP_VAR;
+	}
+
+void Field::Prepare(Env *env)
+	{
+	if ( type_ )
+		{
+		if ( anonymous_field() )
+			flags_ &= ~(CLASS_MEMBER | PUBLIC_READABLE);
+		if ( ! type_->persistent() )
+			flags_ &= (~PUBLIC_READABLE);
+
+		type_->set_value_var(id(), ValueVarType());
+		type_->Prepare(env, 
+			flags_ & TYPE_TO_BE_PARSED ? 
+				Type::TO_BE_PARSED : 0);
+		env->SetField(id(), this);
+		}
+	}
+
+void Field::GenPubDecls(Output* out_h, Env* env)
+	{
+	if ( type_ && (flags_ & PUBLIC_READABLE) && (flags_ & CLASS_MEMBER) )
+		type_->GenPubDecls(out_h, env);
+	}
+
+void Field::GenPrivDecls(Output* out_h, Env* env)
+	{
+	// Generate private declaration only if it is a class member
+	if ( type_ && (flags_ & CLASS_MEMBER) )
+		type_->GenPrivDecls(out_h, env);
+	}
+
+void Field::GenTempDecls(Output* out_h, Env* env)
+	{
+	// Generate temp field
+	if ( type_ && !(flags_ & CLASS_MEMBER) )
+		type_->GenPrivDecls(out_h, env);
+	}
+
+void Field::GenInitCode(Output* out_cc, Env* env)
+	{
+	if ( type_ && ! anonymous_field() )
+		type_->GenInitCode(out_cc, env);
+	}
+
+void Field::GenCleanUpCode(Output* out_cc, Env* env)
+	{
+	if ( type_ && ! anonymous_field() )
+		type_->GenCleanUpCode(out_cc, env);
+	}
+
+bool Field::DoTraverse(DataDepVisitor *visitor)
+	{
+	// Check parameterized type
+	if ( type_ && ! type_->Traverse(visitor) )
+		return false;
+	foreach(i, AttrList, attrs_)
+		if ( ! (*i)->Traverse(visitor) )
+			return false;
+	return true;
+	}
+
+bool Field::RequiresAnalyzerContext() const
+	{
+	// Check parameterized type
+	if ( type_ && type_->RequiresAnalyzerContext() )
+		return true;
+	foreach(i, AttrList, attrs_)
+		if ( (*i)->RequiresAnalyzerContext() )
+			return true;
+	return false;
+	}
diff --git a/aux/binpac/src/pac_field.h b/aux/binpac/src/pac_field.h
new file mode 100644
index 0000000000..169c8110ec
--- /dev/null
+++ b/aux/binpac/src/pac_field.h
@@ -0,0 +1,84 @@
+#ifndef pac_field_h
+#define pac_field_h
+
+#include "pac_common.h"
+#include "pac_datadep.h"
+
+// A "field" is a member of class.
+
+enum FieldType {
+	CASE_FIELD, 
+	CONTEXT_FIELD,
+	FLOW_FIELD,
+	LET_FIELD, 
+	PADDING_FIELD, 
+	PARAM_FIELD,
+	RECORD_FIELD, 
+	PARSE_VAR_FIELD,
+	PRIV_VAR_FIELD,
+	PUB_VAR_FIELD,
+	TEMP_VAR_FIELD,
+	WITHINPUT_FIELD,
+};
+
+class Field : public Object, public DataDepElement
+{
+public:
+	Field(FieldType tof, int flags, ID *id, Type *type);
+	// Field flags
+
+	// Whether the field will be evaluated by calling the Parse()
+	// function of the type
+	static const int TYPE_TO_BE_PARSED = 1;	
+	static const int TYPE_NOT_TO_BE_PARSED = 0;
+
+	// Whether the field is a member of the class or a temp
+	// variable
+	static const int CLASS_MEMBER = 2;
+	static const int NOT_CLASS_MEMBER = 0;
+
+	// Whether the field is public readable
+	static const int PUBLIC_READABLE = 4;
+	static const int NOT_PUBLIC_READABLE = 0;
+
+	virtual ~Field();
+
+	FieldType tof() const 	{ return tof_; }
+	const ID* id() const		{ return id_; }
+	Type *type() const		{ return type_; }
+	const ID* decl_id() const	{ return decl_id_; }
+
+	bool anonymous_field() const;
+
+	void AddAttr(AttrList* attrs);
+
+	// The field interface
+	virtual void ProcessAttr(Attr *attr);
+	virtual void Prepare(Env* env);
+
+	virtual void GenPubDecls(Output* out, Env* env);
+	virtual void GenPrivDecls(Output* out, Env* env);
+	virtual void GenTempDecls(Output* out, Env* env);
+
+	virtual void GenInitCode(Output* out, Env* env);
+	virtual void GenCleanUpCode(Output* out, Env* env);
+
+	virtual bool RequiresAnalyzerContext() const;
+
+protected:
+	int ValueVarType() const;
+	bool ToBeParsed() const;
+
+	bool DoTraverse(DataDepVisitor *visitor);
+
+protected:
+	FieldType tof_;
+	int flags_;
+	ID* id_;
+	Type *type_;
+	const ID* decl_id_;
+	string field_id_str_;
+	AttrList* attrs_;
+};
+
+#endif  // pac_field_h
diff --git a/aux/binpac/src/pac_flow.cc b/aux/binpac/src/pac_flow.cc
new file mode 100644
index 0000000000..adf574e879
--- /dev/null
+++ b/aux/binpac/src/pac_flow.cc
@@ -0,0 +1,340 @@
+#include "pac_analyzer.h"
+#include "pac_conn.h"
+#include "pac_context.h"
+#include "pac_dataptr.h"
+#include "pac_dataunit.h"
+#include "pac_embedded.h"
+#include "pac_exception.h"
+#include "pac_expr.h"
+#include "pac_exttype.h"
+#include "pac_flow.h"
+#include "pac_output.h"
+#include "pac_param.h"
+#include "pac_paramtype.h"
+#include "pac_type.h"
+#include "pac_varfield.h"
+
+
+FlowDecl::FlowDecl(ID *id, 
+                   ParamList *params, 
+                   AnalyzerElementList *elemlist)
+	: AnalyzerDecl(id, FLOW, params)
+	{
+	dataunit_ = 0;
+	conn_decl_ = 0;
+	flow_buffer_var_field_ = 0;
+	AddElements(elemlist);
+	}
+
+FlowDecl::~FlowDecl()
+	{
+	delete flow_buffer_var_field_;
+	delete dataunit_;
+	}
+
+ParameterizedType *FlowDecl::flow_buffer_type_ = 0;
+
+ParameterizedType *FlowDecl::flow_buffer_type()
+	{
+	if ( ! flow_buffer_type_ )
+		{
+		flow_buffer_type_ = new ParameterizedType(new ID(kFlowBufferClass), 0);
+		}
+	return flow_buffer_type_;
+	}
+
+void FlowDecl::AddBaseClass(vector<string> *base_classes) const
+	{
+	base_classes->push_back("binpac::FlowAnalyzer"); 
+	} 
+
+void FlowDecl::ProcessFlowElement(AnalyzerFlow *flow_elem)
+	{
+	throw Exception(
+		flow_elem, 
+		"flow should be defined in only a connection declaration");
+	}
+
+void FlowDecl::ProcessDataUnitElement(AnalyzerDataUnit *dataunit_elem)
+	{
+	if ( dataunit_ )
+		{
+		throw Exception(dataunit_elem,
+		                "dataunit already defined");
+		}
+	dataunit_ = dataunit_elem;
+
+	if ( dataunit_->type() == AnalyzerDataUnit::FLOWUNIT )
+		{
+		dataunit_->data_type()->MarkIncrementalInput();
+
+		flow_buffer_var_field_ = new PrivVarField(
+			flow_buffer_id->clone(),
+			FlowDecl::flow_buffer_type()->Clone());
+		type_->AddField(flow_buffer_var_field_);
+
+		ASSERT(AnalyzerContextDecl::current_analyzer_context());
+		AnalyzerContextDecl::current_analyzer_context()->AddFlowBuffer();
+
+		// Add an argument to the context initiation
+		dataunit_->context_type()->AddParamArg(
+			new Expr(flow_buffer_var_field_->id()->clone()));
+		}
+	}
+
+void FlowDecl::Prepare()
+	{
+	// Add the connection parameter
+	if ( ! conn_decl_ )
+		{
+		throw Exception(this, 
+		                "no connection is not declared for the flow");
+		}
+
+	if ( ! params_ )
+		params_ = new ParamList();
+
+	params_->insert(params_->begin(),
+	                new Param(connection_id->clone(), 
+	                          conn_decl_->DataType()));
+
+	AnalyzerDecl::Prepare();
+
+	dataunit_->Prepare(env_);
+	}
+
+void FlowDecl::GenPubDecls(Output *out_h, Output *out_cc)
+	{
+	AnalyzerDecl::GenPubDecls(out_h, out_cc);
+	}
+
+void FlowDecl::GenPrivDecls(Output *out_h, Output *out_cc)
+	{
+	// Declare the data unit
+	dataunit_->dataunit_var_field()->GenPrivDecls(out_h, env_);
+
+	// Declare the analyzer context
+	dataunit_->context_var_field()->GenPrivDecls(out_h, env_);
+
+	AnalyzerDecl::GenPrivDecls(out_h, out_cc);
+	}
+
+void FlowDecl::GenInitCode(Output *out_cc)
+	{
+	AnalyzerDecl::GenInitCode(out_cc);
+
+	out_cc->println("%s = 0;",
+	                env_->LValue(dataunit_id));
+	out_cc->println("%s = 0;",
+	                env_->LValue(analyzer_context_id));
+
+	if ( dataunit_->type() == AnalyzerDataUnit::FLOWUNIT )
+		{
+		flow_buffer_var_field_->type()->GenPreParsing(out_cc, env_);
+		env_->SetEvaluated(flow_buffer_var_field_->id());
+		}
+	}
+
+void FlowDecl::GenCleanUpCode(Output *out_cc)
+	{
+	GenDeleteDataUnit(out_cc);
+	AnalyzerDecl::GenCleanUpCode(out_cc);
+	}
+
+void FlowDecl::GenEOFFunc(Output *out_h, Output *out_cc)
+	{
+	string proto = strfmt("%s()", kFlowEOF);
+
+	out_h->println("void %s;", proto.c_str());
+
+	out_cc->println("void %s::%s", class_name().c_str(), proto.c_str());
+	out_cc->inc_indent();
+	out_cc->println("{");
+
+	foreach(i, AnalyzerHelperList, eof_helpers_)
+		{
+		(*i)->GenCode(0, out_cc, this);
+		}
+
+	if ( dataunit_->type() == AnalyzerDataUnit::FLOWUNIT )
+		{
+		out_cc->println("%s->set_eof();", 
+			env_->LValue(flow_buffer_id));
+		out_cc->println("%s(0, 0);", kNewData);
+		}
+	
+	out_cc->println("}");
+	out_cc->dec_indent();
+	}
+
+void FlowDecl::GenGapFunc(Output *out_h, Output *out_cc)
+	{
+	string proto = strfmt("%s(int gap_length)", kFlowGap);
+
+	out_h->println("void %s;", proto.c_str());
+
+	out_cc->println("void %s::%s", class_name().c_str(), proto.c_str());
+	out_cc->inc_indent();
+	out_cc->println("{");
+
+	if ( dataunit_->type() == AnalyzerDataUnit::FLOWUNIT )
+		{
+		out_cc->println("%s->NewGap(gap_length);", 
+			env_->LValue(flow_buffer_id));
+		}
+	
+	out_cc->println("}");
+	out_cc->dec_indent();
+	}
+
+void FlowDecl::GenProcessFunc(Output *out_h, Output *out_cc)
+	{
+	env_->AddID(begin_of_data, TEMP_VAR, extern_type_const_byteptr);
+	env_->AddID(end_of_data, TEMP_VAR, extern_type_const_byteptr);
+
+	string proto = 
+		strfmt("%s(const_byteptr %s, const_byteptr %s)",
+			kNewData,
+			env_->LValue(begin_of_data),
+			env_->LValue(end_of_data));
+
+	out_h->println("void %s;", proto.c_str());
+
+	out_cc->println("void %s::%s", class_name().c_str(), proto.c_str());
+	out_cc->inc_indent();
+	out_cc->println("{");
+
+	out_cc->println("try");
+	out_cc->inc_indent();
+	out_cc->println("{");
+
+	env_->SetEvaluated(begin_of_data);
+	env_->SetEvaluated(end_of_data);
+
+	switch ( dataunit_->type() )
+		{
+		case AnalyzerDataUnit::DATAGRAM:
+			GenCodeDatagram(out_cc);
+			break;
+		case AnalyzerDataUnit::FLOWUNIT:
+			GenCodeFlowUnit(out_cc);
+			break;
+		default:
+			ASSERT(0);
+		}
+
+	out_cc->println("}");
+	out_cc->dec_indent();
+
+	out_cc->println("catch ( Exception const &e )");
+	out_cc->inc_indent();
+	out_cc->println("{");
+	GenCleanUpCode(out_cc);
+	if ( dataunit_->type() == AnalyzerDataUnit::FLOWUNIT )
+		{
+		out_cc->println("%s->DiscardData();",
+			env_->LValue(flow_buffer_id));
+		}
+	out_cc->println("throw e;");
+	out_cc->println("}");
+	out_cc->dec_indent();
+
+	out_cc->println("}");
+	out_cc->dec_indent();
+	out_cc->println("");
+	}
+
+void FlowDecl::GenNewDataUnit(Output *out_cc)
+	{
+	Type *unit_datatype = dataunit_->data_type();
+	// dataunit_->data_type()->GenPreParsing(out_cc, env_);
+	dataunit_->GenNewDataUnit(out_cc, env_);
+	if ( unit_datatype->buffer_input() &&
+	     unit_datatype->buffer_mode() == Type::BUFFER_BY_LENGTH )
+		{
+		out_cc->println("%s->NewFrame(0, false);", 
+			env_->LValue(flow_buffer_id));
+		}
+	dataunit_->GenNewContext(out_cc, env_);
+	}
+
+void FlowDecl::GenDeleteDataUnit(Output *out_cc)
+	{
+	// Do not just delete dataunit, because we may just want to Unref it.
+	// out_cc->println("delete %s;", env_->LValue(dataunit_id));
+	dataunit_->data_type()->GenCleanUpCode(out_cc, env_);
+	dataunit_->context_type()->GenCleanUpCode(out_cc, env_);
+	}
+
+void FlowDecl::GenCodeFlowUnit(Output *out_cc)
+	{
+	Type *unit_datatype = dataunit_->data_type();
+
+	out_cc->println("%s->NewData(%s, %s);",
+		env_->LValue(flow_buffer_id),
+		env_->RValue(begin_of_data), 
+		env_->RValue(end_of_data)); 
+
+	out_cc->println("while ( %s->data_available() && ",
+		env_->LValue(flow_buffer_id));
+	out_cc->inc_indent();
+	out_cc->println("( !%s->have_pending_request() || %s->ready() ) )",
+		env_->LValue(flow_buffer_id), env_->LValue(flow_buffer_id));
+	out_cc->println("{");
+
+	// Generate a new dataunit if necessary
+	out_cc->println("if ( ! %s )", env_->LValue(dataunit_id));
+	out_cc->inc_indent();
+	out_cc->println("{");
+	out_cc->println("BINPAC_ASSERT(!%s);", 
+		env_->LValue(analyzer_context_id));
+	GenNewDataUnit(out_cc);
+	out_cc->println("}");
+	out_cc->dec_indent();
+
+	DataPtr data(env_, 0, 0);
+	unit_datatype->GenParseCode(out_cc, env_, data, 0);
+
+	out_cc->println("if ( %s )", 
+		unit_datatype->parsing_complete(env_).c_str());
+	out_cc->inc_indent();
+	out_cc->println("{");
+	out_cc->println("// Clean up the flow unit after parsing");
+	GenDeleteDataUnit(out_cc);
+	// out_cc->println("BINPAC_ASSERT(%s == 0);", env_->LValue(dataunit_id));
+	out_cc->println("}");
+	out_cc->dec_indent();
+	out_cc->println("else");
+	out_cc->inc_indent();
+	out_cc->println("{");
+	out_cc->println("// Resume upon next input segment");
+	out_cc->println("BINPAC_ASSERT(!%s->ready());",
+		env_->RValue(flow_buffer_id));
+	out_cc->println("break;");
+	out_cc->println("}");
+	out_cc->dec_indent();
+
+	out_cc->println("}");
+	out_cc->dec_indent();
+	}
+
+void FlowDecl::GenCodeDatagram(Output *out_cc)
+	{
+	Type *unit_datatype = dataunit_->data_type();
+	GenNewDataUnit(out_cc);
+
+	string parse_params = strfmt("%s, %s", 
+		env_->RValue(begin_of_data), 
+		env_->RValue(end_of_data)); 
+
+	if ( RequiresAnalyzerContext::compute(unit_datatype) )
+		{
+		parse_params += ", ";
+		parse_params += env_->RValue(analyzer_context_id);
+		}
+
+	DataPtr dataptr(env_, begin_of_data, 0);
+	unit_datatype->GenParseCode(out_cc, env_, dataptr, 0);
+
+	GenDeleteDataUnit(out_cc);
+	}
diff --git a/aux/binpac/src/pac_flow.h b/aux/binpac/src/pac_flow.h
new file mode 100644
index 0000000000..652f206992
--- /dev/null
+++ b/aux/binpac/src/pac_flow.h
@@ -0,0 +1,47 @@
+#ifndef pac_flow_h
+#define pac_flow_h
+
+#include "pac_analyzer.h"
+
+class FlowDecl : public AnalyzerDecl
+{
+public:
+	FlowDecl(ID *flow_id, ParamList *params, AnalyzerElementList *elemlist);
+	~FlowDecl();
+
+	void Prepare();
+
+	void set_conn_decl(ConnDecl *c)	{ conn_decl_ = c; }
+
+	static ParameterizedType *flow_buffer_type();
+
+protected:
+	void AddBaseClass(vector<string> *base_classes) const;
+
+	void GenInitCode(Output *out_cc);
+	void GenCleanUpCode(Output *out_cc);
+	void GenProcessFunc(Output *out_h, Output *out_cc);
+	void GenEOFFunc(Output *out_h, Output *out_cc);
+	void GenGapFunc(Output *out_h, Output *out_cc);
+
+	void GenPubDecls(Output *out_h, Output *out_cc);
+	void GenPrivDecls(Output *out_h, Output *out_cc);
+
+	void ProcessFlowElement(AnalyzerFlow *flow_elem);
+	void ProcessDataUnitElement(AnalyzerDataUnit *dataunit_elem);
+
+private:
+	void GenNewDataUnit(Output *out_cc);
+	void GenDeleteDataUnit(Output *out_cc);
+	void GenCodeFlowUnit(Output *out_cc);
+	void GenCodeDatagram(Output *out_cc);
+
+	AnalyzerDataUnit *dataunit_;
+	ConnDecl *conn_decl_;
+
+	Field *flow_buffer_var_field_;
+
+	static ParameterizedType *flow_buffer_type_;
+};
+
+#endif  // pac_flow_h
diff --git a/aux/binpac/src/pac_func.cc b/aux/binpac/src/pac_func.cc
new file mode 100644
index 0000000000..8bde6e10f6
--- /dev/null
+++ b/aux/binpac/src/pac_func.cc
@@ -0,0 +1,123 @@
+#include "pac_embedded.h"
+#include "pac_expr.h"
+#include "pac_func.h"
+#include "pac_output.h"
+#include "pac_param.h"
+#include "pac_type.h"
+
+Function::Function(ID *id, Type *type, ParamList *params)
+ 	: id_(id), type_(type), params_(params), expr_(0), code_(0)
+	{
+	analyzer_decl_ = 0;
+	env_ = 0;
+	}
+
+Function::~Function()
+	{
+	delete id_;
+	delete type_;
+	delete_list(ParamList, params_);
+	delete env_;
+	delete expr_;
+	delete code_;
+	}
+
+void Function::Prepare(Env *env)
+	{
+	env->AddID(id_, FUNC_ID, type_);
+	env->SetEvaluated(id_);
+
+	env_ = new Env(env, this);
+
+	foreach(i, ParamList, params_)
+		{
+		Param *p = *i;
+		env_->AddID(p->id(), FUNC_PARAM, p->type());
+		env_->SetEvaluated(p->id());
+		}
+	}
+
+void Function::GenForwardDeclaration(Output* out_h)
+	{
+	// Do nothing
+	}
+
+void Function::GenCode(Output* out_h, Output* out_cc)
+	{
+	out_h->println("%s %s(%s);", 
+		type_->DataTypeStr().c_str(),
+		id_->Name(),
+		ParamDecls(params_).c_str());
+
+	string class_str = "";
+	if ( analyzer_decl_ )
+		class_str = strfmt("%s::", analyzer_decl_->id()->Name());
+
+	string proto_str = strfmt("%s %s%s(%s)", 
+				type_->DataTypeStr().c_str(),
+				class_str.c_str(),
+				id_->Name(),
+				ParamDecls(params_).c_str());
+
+	ASSERT(!(expr_ && code_));
+
+	if ( expr_ )
+		{
+		out_cc->println("%s", proto_str.c_str());
+
+		out_cc->inc_indent();
+		out_cc->println("{");
+
+		out_cc->println("return static_cast<%s>(%s);", 
+			type_->DataTypeStr().c_str(),
+			expr_->EvalExpr(out_cc, env_));
+
+		out_cc->println("}");
+		out_cc->dec_indent();
+		}
+
+	else if ( code_ )
+		{
+		out_cc->println("%s", proto_str.c_str());
+
+		out_cc->inc_indent();
+		out_cc->println("{");
+
+		code_->GenCode(out_cc, env_);
+
+		out_cc->println("}");
+		out_cc->dec_indent();
+		}
+
+	out_cc->println("");
+	}
+
+FuncDecl::FuncDecl(Function *function)
+	: Decl(function->id()->clone(), FUNC), function_(function)
+	{
+	function_->Prepare(global_env());
+	}
+
+FuncDecl::~FuncDecl()
+	{
+	delete function_;
+	}
+
+void FuncDecl::Prepare()
+	{
+	}
+
+void FuncDecl::GenForwardDeclaration(Output *out_h)
+	{
+	function_->GenForwardDeclaration(out_h);
+	}
+
+void FuncDecl::GenCode(Output *out_h, Output *out_cc)
+	{
+	function_->GenCode(out_h, out_cc);
+	}
+
+AnalyzerFunction::AnalyzerFunction(Function *function)
+	: AnalyzerElement(FUNCTION), function_(function)
+	{
+	}
diff --git a/aux/binpac/src/pac_func.h b/aux/binpac/src/pac_func.h
new file mode 100644
index 0000000000..df862323bb
--- /dev/null
+++ b/aux/binpac/src/pac_func.h
@@ -0,0 +1,68 @@
+#ifndef pac_func_h
+#define pac_func_h
+
+#include "pac_decl.h"
+#include "pac_analyzer.h"
+
+class Function : public Object
+{
+public:
+	Function(ID *id, Type *type, ParamList *params);
+	~Function();
+
+	ID *id() const			{ return id_; }
+
+	AnalyzerDecl *analyzer_decl() const { return analyzer_decl_; }
+	void set_analyzer_decl(AnalyzerDecl *decl) { analyzer_decl_ = decl; }
+
+	Expr *expr() const		{ return expr_; }
+	void set_expr(Expr *expr) 	{ expr_ = expr; }
+
+	EmbeddedCode *code() const	{ return code_; }
+	void set_code(EmbeddedCode *code) { code_ = code; }
+
+	void Prepare(Env *env);
+	void GenForwardDeclaration(Output *out_h);
+	void GenCode(Output *out_h, Output *out_cc);
+
+private:
+	Env *env_;
+
+	ID *id_;
+	Type *type_;
+	ParamList *params_;
+
+	AnalyzerDecl *analyzer_decl_;
+
+	Expr *expr_;
+	EmbeddedCode *code_;
+};
+
+class FuncDecl : public Decl
+{
+public:
+	FuncDecl(Function *function);
+	~FuncDecl();
+
+	Function *function() const	{ return function_; }
+
+	void Prepare();
+	void GenForwardDeclaration(Output *out_h);
+	void GenCode(Output *out_h, Output *out_cc);
+
+private:
+	Function *function_;
+};
+
+class AnalyzerFunction : public AnalyzerElement
+{
+public:
+	AnalyzerFunction(Function *function);
+
+	Function *function() const	{ return function_; }
+
+private:
+	Function *function_;
+};
+
+#endif // pac_func_h
diff --git a/aux/binpac/src/pac_id.cc b/aux/binpac/src/pac_id.cc
new file mode 100644
index 0000000000..5eb7a0d985
--- /dev/null
+++ b/aux/binpac/src/pac_id.cc
@@ -0,0 +1,440 @@
+#include "pac_exception.h"
+#include "pac_expr.h"
+#include "pac_exttype.h"
+#include "pac_field.h"
+#include "pac_id.h"
+#include "pac_type.h"
+#include "pac_utils.h"
+
+const ID *default_value_var = 0;
+const ID *null_id = 0;
+const ID *null_byteseg_id = 0;
+const ID *null_decl_id = 0;
+const ID *begin_of_data = 0;
+const ID *end_of_data = 0;
+const ID *len_of_data = 0;
+const ID *byteorder_id = 0;
+const ID *bigendian_id = 0;
+const ID *littleendian_id = 0;
+const ID *unspecified_byteorder_id = 0;
+const ID *const_true_id = 0;
+const ID *const_false_id = 0;
+const ID *analyzer_context_id = 0;
+const ID *context_macro_id = 0;
+const ID *this_id = 0;
+const ID *sourcedata_id = 0;
+const ID *connection_id = 0;
+const ID *upflow_id = 0;
+const ID *downflow_id = 0;
+const ID *dataunit_id = 0;
+const ID *flow_buffer_id = 0;
+const ID *element_macro_id = 0;
+const ID *input_macro_id = 0;
+const ID *cxt_connection_id = 0;
+const ID *cxt_flow_id = 0;
+const ID *parsing_state_id = 0;
+const ID *buffering_state_id = 0;
+
+int ID::anonymous_id_seq = 0;
+
+ID *ID::NewAnonymousID(const string &prefix)
+	{
+	ID *id = new ID(fmt("%s%03d", prefix.c_str(), ++anonymous_id_seq));
+	id->anonymous_id_ = true;
+	return id;
+	}
+
+IDRecord::IDRecord(Env *arg_env, const ID* arg_id, IDType arg_id_type)
+	: env(arg_env), id(arg_id), id_type(arg_id_type)
+	{
+	eval = 0;
+	evaluated = in_evaluation = false;
+	setfunc = "";  // except for STATE_VAR
+	switch (id_type)
+		{
+		case MEMBER_VAR:
+			rvalue = strfmt("%s()", id->Name());
+			lvalue = strfmt("%s_", id->Name());
+			break;
+		case PRIV_MEMBER_VAR:
+			rvalue = strfmt("%s_", id->Name());
+			lvalue = strfmt("%s_", id->Name());
+			break;
+		case UNION_VAR:
+			rvalue = strfmt("%s()", id->Name());
+			lvalue = strfmt("%s_", id->Name());
+			break;
+		case CONST:
+		case GLOBAL_VAR:
+			rvalue = strfmt("%s", id->Name());
+			lvalue = strfmt("%s", id->Name());
+			break;
+		case TEMP_VAR:
+			rvalue = strfmt("t_%s", id->Name());
+			lvalue = strfmt("t_%s", id->Name());
+			break;
+		case STATE_VAR:
+			rvalue = strfmt("%s()", id->Name());
+			lvalue = strfmt("%s_", id->Name());
+			break;
+		case MACRO:
+			rvalue = "@MACRO@";
+			lvalue = "@MACRO@";
+			break;
+		case FUNC_ID:
+			rvalue = strfmt("%s", id->Name());
+			lvalue = "@FUNC_ID@";
+			break;
+		case FUNC_PARAM:
+			rvalue = strfmt("%s", id->Name());
+			lvalue = "@FUNC_PARAM@";
+			break;
+		}
+	field = 0;
+	constant_set = false;
+	}
+
+IDRecord::~IDRecord()
+	{
+	}
+
+void IDRecord::SetConstant(int c)			
+	{ 
+	ASSERT(id_type == CONST);
+	constant_set = true;
+	constant = c; 
+	}
+
+bool IDRecord::GetConstant(int *pc) const
+	{ 
+	if ( constant_set ) 
+		*pc = constant;
+	return constant_set;
+	}
+
+void IDRecord::SetMacro(Expr *e)
+	{
+	ASSERT(id_type == MACRO);
+	macro = e;
+	}
+
+Expr *IDRecord::GetMacro() const
+	{
+	ASSERT(id_type == MACRO);
+	return macro;
+	}
+
+void IDRecord::SetEvaluated(bool v)
+	{
+	if ( v )
+		ASSERT(! evaluated);
+	evaluated = v;
+	}
+
+void IDRecord::Evaluate(Output* out, Env* env)	
+	{ 
+	if ( evaluated )
+		return;
+
+	if ( ! out )
+		throw ExceptionIDNotEvaluated(id);
+
+	if ( ! eval )
+		throw Exception(id, "no evaluation method");
+		
+	if ( in_evaluation )
+		throw ExceptionCyclicDependence(id);
+
+	in_evaluation = true;
+	eval->GenEval(out, env); 
+	in_evaluation = false;
+
+	evaluated = true;
+	}
+
+const char* IDRecord::RValue() const
+	{
+	if ( id_type == MACRO )
+		return macro->EvalExpr(0, env);
+
+	if ( id_type == TEMP_VAR && ! evaluated )
+		throw ExceptionIDNotEvaluated(id);
+
+	return rvalue.c_str();
+	}
+
+const char* IDRecord::LValue() const
+	{
+	ASSERT(id_type != MACRO && id_type != FUNC_ID);
+	return lvalue.c_str();
+	}
+
+Env::Env(Env* parent_env, Object* context_object)
+	: parent(parent_env), context_object_(context_object)
+	{
+	allow_undefined_id_ = false;
+	in_branch_ = false;
+	}
+
+Env::~Env()
+	{
+	for ( id_map_t::iterator it = id_map.begin(); it != id_map.end(); ++it )
+		{
+		delete it->second;
+		it->second = 0;
+		}
+	}
+
+void Env::AddID(const ID* id, IDType id_type, Type *data_type)
+	{
+	DEBUG_MSG("To add ID `%s'...\n", id->Name());
+	id_map_t::iterator it = id_map.find(id);
+	if ( it != id_map.end() )
+		{
+		DEBUG_MSG("Duplicate definition: `%s'\n", it->first->Name());
+		throw ExceptionIDRedefinition(id);
+		}
+	id_map[id] = new IDRecord(this, id, id_type);
+	// TODO: figure out when data_type must be non-NULL
+	// ASSERT(data_type);
+	SetDataType(id, data_type);
+	}
+
+void Env::AddConstID(const ID* id, const int c, Type *type)
+	{
+	if ( ! type )
+		type = extern_type_int;
+	AddID(id, CONST, type);
+	SetConstant(id, c);
+	SetEvaluated(id);  // a constant is always evaluated
+	}
+
+void Env::AddMacro(const ID *id, Expr *macro)
+	{
+	AddID(id, MACRO, macro->DataType(this));
+	SetMacro(id, macro);
+	SetEvaluated(id);
+	}
+
+ID *Env::AddTempID(Type *type)
+	{
+	ID *id = ID::NewAnonymousID("t_var_");
+	AddID(id, TEMP_VAR, type);
+	return id;
+	}
+
+IDRecord* Env::lookup(const ID* id, bool recursive, bool raise_exception) const
+	{
+	ASSERT(id);
+
+	id_map_t::const_iterator it = id_map.find(id);
+	if ( it != id_map.end() )
+		return it->second;
+
+	if ( recursive && parent )
+		return parent->lookup(id, recursive, raise_exception);
+
+	if ( raise_exception )
+		throw ExceptionIDNotFound(id);
+	else
+		return 0;
+	}
+
+IDType Env::GetIDType(const ID* id) const
+	{
+	return lookup(id, true, true)->GetType();
+	}
+
+const char* Env::RValue(const ID* id) const
+	{
+	IDRecord *r = lookup(id, true, false);
+	if ( r )
+		return r->RValue();
+	else
+		{
+		if ( allow_undefined_id() )
+			return id->Name();
+		else
+			throw ExceptionIDNotFound(id);
+		}
+	}
+
+const char* Env::LValue(const ID* id) const
+	{
+	return lookup(id, true, true)->LValue();
+	}
+
+void Env::SetEvalMethod(const ID* id, Evaluatable* eval)
+	{
+	lookup(id, true, true)->SetEvalMethod(eval);
+	}
+
+void Env::Evaluate(Output* out, const ID* id)
+	{
+	IDRecord *r = lookup(id, true, !allow_undefined_id());
+	if ( r )
+		r->Evaluate(out, this);
+	}
+
+bool Env::Evaluated(const ID* id) const
+	{
+	IDRecord *r = lookup(id, true, !allow_undefined_id());
+	if ( r )
+		return r->Evaluated();
+	else
+		// Assume undefined variables are already evaluated
+		return true;  
+	}
+
+void Env::SetEvaluated(const ID* id, bool v)
+	{
+	if ( in_branch() )
+		{
+		Field *f = GetField(id);
+		if (f && f->tof() == LET_FIELD)
+			{
+			throw Exception(
+				context_object_,
+				fmt("INTERNAL ERROR: "
+				"evaluating let field '%s' in a branch! "
+				"To work around this problem, "
+				"add '&requires(%s)' to the case type. "
+				"Sorry for the inconvenience.\n",
+				id->Name(),
+				id->Name()));
+			ASSERT(0);
+			}
+		}
+
+	IDRecord *r = lookup(id, false, false);
+	if ( r )
+		r->SetEvaluated(v);
+	else if ( parent )
+		parent->SetEvaluated(id, v);
+	else
+		throw ExceptionIDNotFound(id);
+	}
+
+void Env::SetField(const ID* id, Field* field)
+	{
+	lookup(id, false, true)->SetField(field);
+	}
+
+Field* Env::GetField(const ID* id) const
+	{
+	return lookup(id, true, true)->GetField();
+	}
+
+void Env::SetDataType(const ID* id, Type* type)
+	{
+	lookup(id, true, true)->SetDataType(type);
+	}
+
+Type* Env::GetDataType(const ID* id) const
+	{
+	IDRecord *r = lookup(id, true, false);
+	if ( r )
+		return r->GetDataType();
+	else
+		return 0;  
+	}
+
+string Env::DataTypeStr(const ID *id) const
+	{
+	Type *type = GetDataType(id);
+	if ( ! type )
+		throw Exception(id, "data type not defined");
+	return type->DataTypeStr();
+	}
+
+void Env::SetConstant(const ID* id, int constant)
+	{
+	lookup(id, false, true)->SetConstant(constant);
+	}
+
+bool Env::GetConstant(const ID* id, int* pc) const
+	{
+	ASSERT(pc);
+	// lookup without raising exception
+	IDRecord* r = lookup(id, true, false);
+	if ( r )
+		return r->GetConstant(pc);
+	else
+		return false;
+	}
+
+void Env::SetMacro(const ID* id, Expr *macro)
+	{
+	lookup(id, true, true)->SetMacro(macro);
+	}
+
+Expr* Env::GetMacro(const ID* id) const
+	{
+	return lookup(id, true, true)->GetMacro();
+	}
+
+void init_builtin_identifiers()
+	{
+	default_value_var = new ID("val");
+	null_id = new ID("NULL");
+	null_byteseg_id = new ID("null_byteseg");
+	begin_of_data = new ID("begin_of_data");
+	end_of_data = new ID("end_of_data");
+	len_of_data = new ID("length_of_data");
+	byteorder_id = new ID("byteorder");
+	bigendian_id = new ID("bigendian");
+	littleendian_id = new ID("littleendian");
+	unspecified_byteorder_id = new ID("unspecified_byteorder");
+	const_true_id = new ID("true");
+	const_false_id = new ID("false");
+	analyzer_context_id = new ID("context");
+	this_id = new ID("this");
+	sourcedata_id = new ID("sourcedata");
+	connection_id = new ID("connection");
+	upflow_id = new ID("upflow");
+	downflow_id = new ID("downflow");
+	dataunit_id = new ID("dataunit");
+	flow_buffer_id = new ID("flow_buffer");
+	element_macro_id = new ID("$element");
+	input_macro_id = new ID("$input"); 
+	context_macro_id = new ID("$context"); 
+	parsing_state_id = new ID("parsing_state");
+	buffering_state_id = new ID("buffering_state");
+
+	null_decl_id = new ID("<null-decl>");
+	current_decl_id = null_decl_id;
+	}
+
+Env* global_env()
+	{
+	static Env *the_global_env = 0;
+
+	if ( ! the_global_env )
+		{
+		the_global_env = new Env(0, 0);
+
+		// These two are defined in binpac.h, so we do not need to
+		// generate code for them.
+		the_global_env->AddConstID(bigendian_id, 0);
+		the_global_env->AddConstID(littleendian_id, 1);
+		the_global_env->AddConstID(unspecified_byteorder_id, -1);
+		the_global_env->AddConstID(const_false_id, 0);
+		the_global_env->AddConstID(const_true_id, 1);
+		// A hack for ID "this"
+		the_global_env->AddConstID(this_id, 0);
+		the_global_env->AddConstID(null_id, 0, extern_type_nullptr);
+
+#if 0
+		the_global_env->AddID(null_byteseg_id, 
+			GLOBAL_VAR, 
+			extern_type_const_byteseg);
+#endif
+		}
+
+	return the_global_env;
+	}
+
+string set_function(const ID *id)
+	{
+	return strfmt("set_%s", id->Name());
+	}
diff --git a/aux/binpac/src/pac_id.h b/aux/binpac/src/pac_id.h
new file mode 100644
index 0000000000..6ac89687d4
--- /dev/null
+++ b/aux/binpac/src/pac_id.h
@@ -0,0 +1,246 @@
+#ifndef pac_id_h
+#define pac_id_h
+
+#include <map>
+#include <string>
+using namespace std;
+
+#include "pac_common.h"
+#include "pac_dbg.h"
+#include "pac_utils.h"
+
+// Classes handling identifiers.
+// 
+// ID -- name and location of definition of an ID
+//
+// IDRecord -- association of an ID, its definition type (const, global, temp, 
+//   member, or union member), and its evaluation method. 
+//
+// Evaluatable -- interface for a variable or a field that needs be evaluated
+//   before referenced.
+//
+// Env -- a mapping from ID names to their L/R-value expressions and evaluation
+//   methods.
+
+enum IDType {
+	CONST,
+	GLOBAL_VAR,
+	TEMP_VAR,
+	MEMBER_VAR,
+	PRIV_MEMBER_VAR,
+	UNION_VAR,
+	STATE_VAR,
+	MACRO,
+	FUNC_ID,
+	FUNC_PARAM,
+};
+
+class ID;
+class IDRecord;
+class Env;
+class Evaluatable;
+
+class ID : public Object
+{
+public:
+	ID(const char *arg_name)
+		: name(arg_name), anonymous_id_(false)
+		{
+		locname = nfmt("%s:%s", Location(), Name());
+		}
+	~ID()
+		{
+		delete locname;
+		}
+
+	bool operator==(ID const &x) const { return name == x.Name(); }
+
+	const char *Name() const 	{ return name.c_str(); }
+	const char *LocName() const 	{ return locname; }
+	bool is_anonymous() const	{ return anonymous_id_; }
+
+	ID *clone() const		{ return new ID(Name()); }
+
+protected:
+	string name;
+	bool anonymous_id_;
+	char *locname;
+	friend class ID_ptr_cmp;
+
+public:
+	static ID *NewAnonymousID(const string &prefix);
+private:
+	static int anonymous_id_seq;
+};
+
+// A comparison operator for pointers to ID's.
+class ID_ptr_cmp
+{
+public:
+	bool operator()(const ID *const & id1, const ID *const & id2) const
+		{
+		ASSERT(id1);
+		ASSERT(id2);
+		return id1->name < id2->name;
+		}
+};
+
+class IDRecord
+{
+public:
+	IDRecord(Env *env, const ID *id, IDType id_type);
+	~IDRecord();
+
+	IDType GetType() const			{ return id_type; }
+
+	void SetDataType(Type *type) 		{ data_type = type; }
+	Type *GetDataType() const		{ return data_type; }
+
+	void SetEvalMethod(Evaluatable *arg_eval) { eval = arg_eval; }
+	void Evaluate(Output *out, Env *env);
+	void SetEvaluated(bool v);
+	bool Evaluated() const 			{ return evaluated; }
+
+	void SetField(Field *f)			{ field = f; }
+	Field *GetField() const			{ return field; }
+
+	void SetConstant(int c);			
+	bool GetConstant(int *pc) const;
+
+	void SetMacro(Expr *expr);
+	Expr *GetMacro() const;
+
+	const char * RValue() const;
+	const char * LValue() const;
+
+protected:
+	Env *env;
+	const ID *id;
+	IDType id_type;
+
+	string rvalue;
+	string lvalue;
+	string setfunc;
+
+	Type *data_type;
+
+	Field *field;
+
+	int constant;
+	bool constant_set;
+
+	Expr *macro;
+
+	bool evaluated;
+	bool in_evaluation;	// to detect cyclic dependence
+	Evaluatable *eval;
+};
+
+class Evaluatable
+{
+public:
+	virtual ~Evaluatable() {}
+	virtual void GenEval(Output *out, Env *env) = 0;
+};
+
+class Env
+{
+public:
+	Env(Env *parent_env, Object *context_object);
+	~Env();
+
+	bool allow_undefined_id() const		{ return allow_undefined_id_; }
+	void set_allow_undefined_id(bool x)	{ allow_undefined_id_ = x; }
+
+	bool in_branch() const			{ return in_branch_; }
+	void set_in_branch(bool x)		{ in_branch_ = x; }
+
+	void AddID(const ID *id, IDType id_type, Type *type);
+	void AddConstID(const ID *id, const int c, Type *type = 0);
+	void AddMacro(const ID *id, Expr *expr);
+
+	// Generate a temp ID with a unique name
+	ID *AddTempID(Type *type);
+
+	IDType GetIDType(const ID *id) const;
+	const char * RValue(const ID *id) const;
+	const char * LValue(const ID *id) const;
+	// const char *SetFunc(const ID *id) const;
+
+	// Set evaluation method for the ID
+	void SetEvalMethod(const ID *id, Evaluatable *eval);
+
+	// Evaluate the ID according to the evaluation method. It
+	// assumes the ID has an evaluation emthod. It does nothing
+	// if the ID has already been evaluated.
+	void Evaluate(Output *out, const ID *id);
+
+	// Whether the ID has already been evaluated.
+	bool Evaluated(const ID *id) const;
+
+	// Set the ID as evaluated (or not).
+	void SetEvaluated(const ID *id, bool v = true);
+
+	void SetField(const ID *id, Field *field);
+	Field *GetField(const ID *id) const;
+
+	bool GetConstant(const ID *id, int *pc) const;
+
+	Expr *GetMacro(const ID *id) const;
+
+	Type *GetDataType(const ID *id) const;
+
+	string DataTypeStr(const ID *id) const;
+
+protected:
+	IDRecord *lookup(const ID *id, 
+	                 bool recursive, 
+	                 bool raise_exception) const;
+
+	void SetDataType(const ID *id, Type *type);
+	void SetConstant(const ID *id, int constant);
+	void SetMacro(const ID *id, Expr *macro);
+
+private:
+	Env *parent;
+	Object *context_object_;
+	typedef map<const ID*, IDRecord*, ID_ptr_cmp> id_map_t;
+	id_map_t id_map;
+	bool allow_undefined_id_;
+	bool in_branch_;
+};
+
+extern const ID *default_value_var;
+extern const ID *null_id;
+extern const ID *null_byteseg_id;
+extern const ID *begin_of_data;
+extern const ID *end_of_data;
+extern const ID *len_of_data;
+extern const ID *byteorder_id;
+extern const ID *bigendian_id;
+extern const ID *littleendian_id;
+extern const ID *unspecified_byteorder_id;
+extern const ID *analyzer_context_id;
+extern const ID *context_macro_id;
+extern const ID *this_id;
+extern const ID *sourcedata_id;
+// extern const ID *sourcedata_begin_id;
+// extern const ID *sourcedata_end_id;
+extern const ID *connection_id;
+extern const ID *upflow_id;
+extern const ID *downflow_id;
+extern const ID *dataunit_id;
+extern const ID *flow_buffer_id;
+extern const ID *element_macro_id;
+extern const ID *cxt_connection_id;
+extern const ID *cxt_flow_id;
+extern const ID *input_macro_id;
+extern const ID *parsing_state_id;
+extern const ID *buffering_state_id;
+
+extern void init_builtin_identifiers();
+extern Env *global_env();
+
+extern string set_function(const ID *id);
+
+#endif // pac_id_h
diff --git a/aux/binpac/src/pac_inputbuf.cc b/aux/binpac/src/pac_inputbuf.cc
new file mode 100644
index 0000000000..1974860693
--- /dev/null
+++ b/aux/binpac/src/pac_inputbuf.cc
@@ -0,0 +1,44 @@
+#include "pac_expr.h"
+#include "pac_exttype.h"
+#include "pac_id.h"
+#include "pac_inputbuf.h"
+#include "pac_output.h"
+#include "pac_type.h"
+
+InputBuffer::InputBuffer(Expr *expr)
+	: DataDepElement(INPUT_BUFFER), expr_(expr)
+	{
+	}
+
+bool InputBuffer::DoTraverse(DataDepVisitor *visitor)
+	{
+	if ( expr_ && ! expr_->Traverse(visitor) )
+		return false;
+	return true;
+	}
+
+bool InputBuffer::RequiresAnalyzerContext() const
+	{
+	return expr_->RequiresAnalyzerContext();
+	}
+
+DataPtr InputBuffer::GenDataBeginEnd(Output *out_cc, Env *env)
+	{
+	env->AddID(begin_of_data, TEMP_VAR, extern_type_const_byteptr);
+	env->AddID(end_of_data, TEMP_VAR, extern_type_const_byteptr);
+
+	out_cc->println("%s %s, %s;",
+		extern_type_const_byteptr->DataTypeStr().c_str(),
+		env->LValue(begin_of_data),
+		env->LValue(end_of_data));
+
+	out_cc->println("get_pointers(%s, &%s, &%s);",
+		expr_->EvalExpr(out_cc, env),
+		env->LValue(begin_of_data),
+		env->LValue(end_of_data));
+
+	env->SetEvaluated(begin_of_data);
+	env->SetEvaluated(end_of_data);
+
+	return DataPtr(env, begin_of_data, 0);
+	}
diff --git a/aux/binpac/src/pac_inputbuf.h b/aux/binpac/src/pac_inputbuf.h
new file mode 100644
index 0000000000..f03a5193ab
--- /dev/null
+++ b/aux/binpac/src/pac_inputbuf.h
@@ -0,0 +1,24 @@
+#ifndef pac_inputbuf_h
+#define pac_inputbuf_h
+
+#include "pac_datadep.h"
+#include "pac_dataptr.h"
+
+class Expr;
+
+class InputBuffer : public Object, public DataDepElement
+{
+public:
+	InputBuffer(Expr *expr);
+
+	bool RequiresAnalyzerContext() const;
+	DataPtr GenDataBeginEnd(Output *out_cc, Env *env);
+
+protected:
+	bool DoTraverse(DataDepVisitor *visitor);
+
+private:
+	Expr *expr_;
+};
+
+#endif // pac_inputbuf_h
diff --git a/aux/binpac/src/pac_let.cc b/aux/binpac/src/pac_let.cc
new file mode 100644
index 0000000000..ebd7caef90
--- /dev/null
+++ b/aux/binpac/src/pac_let.cc
@@ -0,0 +1,167 @@
+#include "pac_expr.h"
+#include "pac_exttype.h"
+#include "pac_let.h"
+#include "pac_output.h"
+#include "pac_type.h"
+
+namespace {
+
+void GenLetEval(const ID *id, Expr *expr, string prefix, Output* out, Env* env)
+	{
+	if ( expr )
+		{
+		}
+	}
+
+} // private namespace
+
+LetField::LetField(ID* id, Type *type, Expr* expr)
+	: Field(LET_FIELD, 
+		TYPE_NOT_TO_BE_PARSED | CLASS_MEMBER | PUBLIC_READABLE, 
+		id, type), 
+	  expr_(expr)
+	{
+	ASSERT(expr_);
+	}
+
+LetField::~LetField()
+	{
+	delete expr_;
+	}
+
+bool LetField::DoTraverse(DataDepVisitor *visitor)
+	{ 
+	return Field::DoTraverse(visitor) &&
+	       expr()->Traverse(visitor); 
+	}
+
+bool LetField::RequiresAnalyzerContext() const 
+	{ 
+	return Field::RequiresAnalyzerContext() ||
+	       (expr() && expr()->RequiresAnalyzerContext()); 
+	}
+
+void LetField::Prepare(Env* env)
+	{
+	if ( ! type_ )
+		{
+		ASSERT(expr_);
+		type_ = expr_->DataType(env);
+		if ( type_ )
+			type_ = type_->Clone();		
+		else
+			type_ = extern_type_int->Clone();
+
+		foreach(i, AttrList, attrs_)
+			ProcessAttr(*i);
+		}
+
+	Field::Prepare(env);
+	env->SetEvalMethod(id_, this);
+	}
+
+void LetField::GenInitCode(Output* out_cc, Env* env)
+	{
+	int v;
+	if ( expr_ && expr_->ConstFold(env, &v) )
+		{
+		DEBUG_MSG("Folding const for `%s'\n", id_->Name());
+		GenEval(out_cc, env);
+		}
+	else
+		type_->GenInitCode(out_cc, env);
+	}
+
+void LetField::GenParseCode(Output* out_cc, Env* env)
+	{
+	if ( env->Evaluated(id_) )
+		return;
+
+	if ( type_->attr_if_expr() )
+		{
+		// A conditional field
+
+		env->Evaluate(out_cc, type_->has_value_var());
+
+		// force evaluation of IDs contained in this expr
+		expr()->ForceIDEval(out_cc, env);
+
+		out_cc->println("if ( %s )", 
+			env->RValue(type_->has_value_var()));
+		out_cc->inc_indent();
+		out_cc->println("{");
+		}
+
+	out_cc->println("%s = %s;", 
+		env->LValue(id_), 
+	       	expr()->EvalExpr(out_cc, env));
+	if ( ! env->Evaluated(id_) )
+		env->SetEvaluated(id_);
+
+	if ( type_->attr_if_expr() )
+		{
+		out_cc->println("}");
+		out_cc->dec_indent();
+		}
+	}
+
+void LetField::GenEval(Output* out_cc, Env* env)
+	{
+	GenParseCode(out_cc, env);
+	}
+
+LetDecl::LetDecl(ID *id, Type *type, Expr *expr)
+ 	: Decl(id, LET), type_(type), expr_(expr)
+	{
+	if ( ! type_ )
+		{
+		ASSERT(expr_);
+	        type_ = expr_->DataType(global_env());
+		if ( type_ )
+			type_ = type_->Clone();		
+		else
+			type_ = extern_type_int->Clone();
+		}
+
+	Env *env = global_env();
+	int c;
+	if ( expr_ && expr_->ConstFold(env, &c) )
+		env->AddConstID(id_, c);
+	else
+		env->AddID(id_, GLOBAL_VAR, type_);
+	}
+
+LetDecl::~LetDecl()
+	{
+	delete id_;
+	delete type_;
+	delete expr_;
+	}
+
+void LetDecl::Prepare()
+	{
+	}
+
+void LetDecl::GenForwardDeclaration(Output* out_h)
+	{
+	}
+
+void LetDecl::GenCode(Output * out_h, Output *out_cc)
+	{
+	out_h->println("extern %s const %s;",
+		type_->DataTypeStr().c_str(),
+		global_env()->RValue(id_));
+	GenEval(out_cc, global_env());
+	}
+
+void LetDecl::GenEval(Output *out_cc, Env * /* env */)
+	{
+	Env *env = global_env();
+	out_cc->println("%s %s = %s;", 
+		fmt("%s const", type_->DataTypeStr().c_str()),
+		env->LValue(id_), 
+	       	expr_->EvalExpr(out_cc, env));
+
+	if ( ! env->Evaluated(id_) )
+		env->SetEvaluated(id_);
+	}
diff --git a/aux/binpac/src/pac_let.h b/aux/binpac/src/pac_let.h
new file mode 100644
index 0000000000..aba8128511
--- /dev/null
+++ b/aux/binpac/src/pac_let.h
@@ -0,0 +1,48 @@
+#ifndef pac_let_h
+#define pac_let_h
+
+#include "pac_decl.h"
+#include "pac_field.h"
+
+class LetField : public Field, Evaluatable
+{
+public:
+	LetField(ID* arg_id, Type *type, Expr* arg_expr);
+	~LetField();
+
+	Expr *expr() const			{ return expr_; }
+
+	void Prepare(Env* env);
+
+	void GenInitCode(Output* out, Env* env);
+	void GenParseCode(Output* out, Env* env);
+	void GenEval(Output* out, Env* env);
+
+	bool RequiresAnalyzerContext() const;
+
+protected:
+	bool DoTraverse(DataDepVisitor *visitor);
+
+protected:
+	Expr* expr_;
+};
+
+class LetDecl : public Decl, Evaluatable
+{
+public:
+	LetDecl(ID *id, Type *type, Expr *expr);
+	~LetDecl();
+
+	Expr *expr() const	{ return expr_; }
+
+	void Prepare();
+	void GenForwardDeclaration(Output *out_h);
+	void GenCode(Output *out_h, Output *out_cc);
+	void GenEval(Output* out, Env* env);
+
+private:
+	Type *type_;
+	Expr *expr_;
+};
+
+#endif  // pac_let_h
diff --git a/aux/binpac/src/pac_main.cc b/aux/binpac/src/pac_main.cc
new file mode 100644
index 0000000000..7c98e526fa
--- /dev/null
+++ b/aux/binpac/src/pac_main.cc
@@ -0,0 +1,259 @@
+// $Id: pac_main.cc 3320 2006-06-20 21:19:33Z rpang $
+
+#include <unistd.h>
+#include <ctype.h>
+
+#include "pac_common.h"
+#include "pac_decl.h"
+#include "pac_exttype.h"
+#include "pac_id.h"
+#include "pac_output.h"
+#include "pac_parse.h"
+#include "pac_type.h"
+#include "pac_utils.h"
+#include "pac_exception.h"
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+extern int yydebug;
+extern int yyparse();
+extern void switch_to_file(FILE* fp_input);
+string input_filename;
+
+bool FLAGS_pac_debug = false;
+string FLAGS_output_directory;
+vector<string> FLAGS_include_directories;
+
+Output* header_output = 0;
+Output* source_output = 0;
+
+void add_to_include_directories(string dirs)
+	{
+	unsigned int dir_begin = 0, dir_end;
+	while ( dir_begin < dirs.length() )
+		{
+		for ( dir_end = dir_begin; dir_end < dirs.length(); ++dir_end)
+			if ( dirs[dir_end] == ':' )
+				break;
+
+		string dir = dirs.substr(dir_begin, dir_end - dir_begin);
+
+		// Add a trailing '/' if necessary
+		if ( dir.length() > 0 && *(dir.end() - 1) != '/' )
+			dir += '/';
+			
+		FLAGS_include_directories.push_back(dir);
+		dir_begin = dir_end + 1;
+		}
+	}
+
+void pac_init()
+	{
+	init_builtin_identifiers();
+	Type::init();
+	}
+
+void insert_comments(Output* out, const char* source_filename)
+	{
+	out->println("// This file is automatically generated from %s.\n",
+		source_filename);
+	}
+
+void insert_basictype_defs(Output* out)
+	{
+	out->println("#ifndef pac_type_defs");
+	out->println("#define pac_type_defs");
+	out->println("");
+	out->println("typedef char int8;");
+	out->println("typedef short int16;");
+	out->println("typedef long int32;");
+	out->println("typedef unsigned char uint8;");
+	out->println("typedef unsigned short uint16;");
+	out->println("typedef unsigned long uint32;");
+	out->println("");
+	out->println("#endif /* pac_type_defs */");
+	out->println("");
+	}
+
+void insert_byteorder_macros(Output* out)
+	{
+	out->println("#define FixByteOrder16(x)	(byteorder == HOST_BYTEORDER ? (x) : pac_swap16(x))");
+	out->println("#define FixByteOrder32(x)	(byteorder == HOST_BYTEORDER ? (x) : pac_swap32(x))");
+	out->println("");
+	}
+
+const char* to_id(const char* s)
+	{
+	static char t[1024];
+	int i;
+	for ( i = 0; s[i] && i < (int) sizeof(t) - 1; ++i )
+		t[i] = isalnum(s[i]) ? s[i] : '_';
+	if ( isdigit(t[0]) )
+		t[0] = '_'; 
+	t[i] = '\0';
+	return t;
+	}
+
+int compile(const char* filename)
+	{
+	FILE* fp_input = fopen(filename, "r");
+	if ( ! fp_input )
+		{
+		perror(fmt("Error in opening %s", filename));
+		return -1;
+		}
+	input_filename = filename;
+
+	string basename;
+
+	if ( ! FLAGS_output_directory.empty() )
+		{
+		// Strip leading directories of filename
+		const char *last_slash = strrchr(filename, '/');
+		if ( last_slash )
+			basename = last_slash + 1;
+		else
+			basename = filename;
+		basename = FLAGS_output_directory + "/" + basename;
+		}
+	else
+		basename = filename;
+
+	// If the file name ends with ".pac"
+	if ( basename.length() > 4 &&
+	     basename.substr(basename.length() - 4) == ".pac" )
+		{
+		basename = basename.substr(0, basename.length() - 4);
+		}
+
+	basename += "_pac";
+
+	DEBUG_MSG("Output file: %s.{h,cc}\n", basename.c_str());
+
+	int ret = 0;
+
+	try 
+		{
+		switch_to_file(fp_input);
+		if ( yyparse() )
+			return 1;
+
+		Output out_h(fmt("%s.h", basename.c_str()));
+		Output out_cc(fmt("%s.cc", basename.c_str()));
+
+		header_output = &out_h;
+		source_output = &out_cc;
+
+		insert_comments(&out_h, filename);
+		insert_comments(&out_cc, filename);
+
+		const char* filename_id = to_id(filename);
+
+		out_h.println("#ifndef %s_h", filename_id);
+		out_h.println("#define %s_h", filename_id);
+		out_h.println("");
+		out_h.println("#include <vector>");
+		out_h.println("");
+		out_h.println("#include \"binpac.h\"");
+		out_h.println("");
+
+		out_cc.println("#include \"%s.h\"\n", basename.c_str());
+
+		Decl::ProcessDecls(&out_h, &out_cc);
+
+		out_h.println("#endif /* %s_h */", filename_id);
+		} 
+	catch ( OutputException& e ) 
+		{
+		fprintf(stderr, "Error in compiling %s: %s\n",
+			filename, e.errmsg());
+		ret = 1;
+		}
+	catch ( Exception& e )
+		{
+		fprintf(stderr, "%s\n", e.msg());
+		exit(1);
+		}
+
+	header_output = 0;
+	source_output = 0;
+	input_filename = "";
+	fclose(fp_input);
+
+	return ret;
+	}
+
+void usage()
+	{
+#ifdef VERSION
+	fprintf(stderr, "binpac version %s\n", VERSION);
+#endif
+	fprintf(stderr, "usage: binpac [options] <pac files>\n");
+	fprintf(stderr, "     <pac files>           | pac-language input files\n");
+	fprintf(stderr, "     -d <dir>              | use given directory for compiler output\n");
+	fprintf(stderr, "     -D                    | enable debugging output\n");
+	fprintf(stderr, "     -h                    | show command line help\n");
+	fprintf(stderr, "     -I <dir>              | include <dir> in input file search path\n");
+	exit(1);
+	}
+
+int main(int argc, char* argv[])
+	{
+#ifdef HAVE_MALLOC_OPTIONS
+	extern char *malloc_options;
+#endif
+	int o;
+	while ( (o = getopt(argc, argv, "DI:d:h")) != -1 )
+		{
+		switch(o)
+			{
+			case 'D': 
+				yydebug = 1;
+				FLAGS_pac_debug = true;
+#ifdef HAVE_MALLOC_OPTIONS
+				malloc_options = "A";
+#endif
+				break;
+
+			case 'I':
+				// Add to FLAGS_include_directories
+				add_to_include_directories(optarg);
+				break;
+
+			case 'd': 
+				FLAGS_output_directory = optarg;
+				break;
+
+			case 'h':
+				usage();
+				break;
+			}
+		}
+
+	// Strip the trailing '/'s
+	while ( ! FLAGS_output_directory.empty() &&
+	        *(FLAGS_output_directory.end() - 1) == '/' )
+		{
+		FLAGS_output_directory.erase(FLAGS_output_directory.end()-1);
+		}
+
+	// Add the current directory to FLAGS_include_directories
+	add_to_include_directories(".");
+
+	pac_init();
+
+	argc -= optind;
+	argv += optind;
+	if ( argc == 0 )
+		compile("-");
+
+	int ret = 0;
+	for ( int i = 0; i < argc; ++i )
+		if ( compile(argv[i]) )
+			ret = 1;
+
+	return ret;
+	}
+
diff --git a/aux/binpac/src/pac_number.h b/aux/binpac/src/pac_number.h
new file mode 100644
index 0000000000..f923068700
--- /dev/null
+++ b/aux/binpac/src/pac_number.h
@@ -0,0 +1,21 @@
+#ifndef pac_number_h
+#define pac_number_h
+
+#include "pac_common.h"
+
+class Number : public Object
+{
+public:
+	Number(int arg_n)
+		: s(fmt("%d", arg_n)), n(arg_n) {}
+	Number(const char* arg_s, int arg_n)
+		: s(arg_s), n(arg_n) {}
+	const char* Str() const 	{ return s.c_str(); }
+	int Num() const 		{ return n; }
+
+protected:
+	const string s;
+	const int n;
+};
+
+#endif  // pac_number_h
diff --git a/aux/binpac/src/pac_output.cc b/aux/binpac/src/pac_output.cc
new file mode 100644
index 0000000000..404b4422cc
--- /dev/null
+++ b/aux/binpac/src/pac_output.cc
@@ -0,0 +1,61 @@
+// $Id: pac_output.cc 3225 2006-06-08 00:00:01Z vern $
+
+#include <string.h>
+#include <errno.h>
+#include <stdarg.h>
+#include <stdio.h>
+
+#include "pac_utils.h"
+#include "pac_output.h"
+
+OutputException::OutputException(const char* arg_msg)
+	{
+	msg = arg_msg;
+	}
+
+OutputException::~OutputException()
+	{
+	}
+
+Output::Output(const char* filename)
+	{
+	fp = fopen(filename, "w");
+	if ( ! fp )
+		throw OutputException(strerror(errno));
+	indent_ = 0;
+	}
+
+Output::~Output()
+	{
+	if ( fp )
+		fclose(fp);
+	}
+
+int Output::print(const char* fmt, va_list ap)
+	{
+	int r = vfprintf(fp, fmt, ap);
+	if ( r == -1 )
+		throw OutputException(strerror(errno));
+	return r;
+	}
+
+int Output::print(const char* fmt, ...)
+	{
+	va_list ap;
+	va_start(ap, fmt);
+	return print(fmt, ap);
+	}
+
+int Output::println(const char* fmt, ...)
+	{
+	for ( int i = 0; i < indent(); ++i )
+		fprintf(fp, "\t");
+
+	int r;
+	va_list ap;
+	va_start(ap, fmt);
+	r = print(fmt, ap);
+
+	fprintf(fp, "\n");
+	return r;
+	}
diff --git a/aux/binpac/src/pac_output.h b/aux/binpac/src/pac_output.h
new file mode 100644
index 0000000000..9911f3a2b4
--- /dev/null
+++ b/aux/binpac/src/pac_output.h
@@ -0,0 +1,42 @@
+// $Id: pac_output.h 3225 2006-06-08 00:00:01Z vern $
+
+#ifndef pac_output_h
+#define pac_output_h
+
+#include <stdio.h>
+#include <stdarg.h>
+#include <string>
+
+using namespace std;
+
+class OutputException {
+public:
+	OutputException(const char* arg_msg);
+	~OutputException();
+	const char* errmsg() const { return msg.c_str(); }
+
+protected:
+	string msg;
+};
+
+class Output {
+public:
+	Output(const char *filename);
+	~Output();
+
+	int println(const char* fmt, ...);
+	int print(const char* fmt, ...);
+
+	int indent() const { return indent_; }
+
+	void inc_indent() { ++indent_; }
+	void dec_indent() { --indent_; }
+
+protected:
+	int print(const char* fmt, va_list ap);
+
+	FILE* fp;
+	int indent_;
+};
+
+#endif /* pac_output_h */
diff --git a/aux/binpac/src/pac_param.cc b/aux/binpac/src/pac_param.cc
new file mode 100644
index 0000000000..21e452ee05
--- /dev/null
+++ b/aux/binpac/src/pac_param.cc
@@ -0,0 +1,70 @@
+#include "pac_decl.h"
+#include "pac_exttype.h"
+#include "pac_field.h"
+#include "pac_id.h"
+#include "pac_output.h"
+#include "pac_type.h"
+#include "pac_utils.h"
+
+#include "pac_param.h"
+
+Param::Param(ID* id, Type *type)
+	: id_(id), type_(type)
+	{
+	if ( ! type_ )
+		type_ = extern_type_int->Clone();
+
+	decl_str_ = strfmt("%s %s", 
+	                   type_->DataTypeConstRefStr().c_str(), 
+	                   id_->Name());
+
+	param_field_ = new ParamField(this);
+	}
+
+Param::~Param()
+	{
+	}
+
+const string &Param::decl_str() const
+	{ 
+	ASSERT(!decl_str_.empty()); 
+	return decl_str_; 
+	}
+
+string ParamDecls(ParamList *params)
+	{
+	string param_decls;
+
+	int first = 1;
+	foreach (i, ParamList, params)
+			{
+			Param* p = *i;
+			const char* decl_str = p->decl_str().c_str();
+			if ( first )
+				first = 0;
+			else
+				param_decls += ", ";
+			param_decls += decl_str;
+			}
+	return param_decls;
+	}
+
+ParamField::ParamField(const Param *param)
+	: Field(PARAM_FIELD, 
+		TYPE_NOT_TO_BE_PARSED | CLASS_MEMBER | PUBLIC_READABLE,
+		param->id(), 
+		param->type())
+	{
+	}
+
+void ParamField::GenInitCode(Output *out_cc, Env *env)
+	{
+	out_cc->println("%s = %s;", 
+		env->LValue(id()), id()->Name());
+	env->SetEvaluated(id());
+	}
+
+void ParamField::GenCleanUpCode(Output* out_cc, Env* env)
+	{
+	// Do nothing
+	}
diff --git a/aux/binpac/src/pac_param.h b/aux/binpac/src/pac_param.h
new file mode 100644
index 0000000000..5efc60fd3a
--- /dev/null
+++ b/aux/binpac/src/pac_param.h
@@ -0,0 +1,48 @@
+#ifndef pac_param_h
+#define pac_param_h
+
+#include "pac_common.h"
+#include "pac_field.h"
+
+class Param : public Object
+{
+public:
+	Param(ID* id, Type* type); 
+	~Param();
+
+	ID *id() const			{ return id_; }
+	Type *type() const		{ return type_; }
+	const string & decl_str() const;
+	Field *param_field() const	{ return param_field_; }
+
+private:
+	ID* id_;
+	Type* type_;
+	string decl_str_;
+	Field *param_field_;
+};
+
+class ParamField : public Field
+{
+public:
+	ParamField(const Param *param);
+
+	void GenInitCode(Output *out, Env *env);
+	void GenCleanUpCode(Output* out, Env* env);
+};
+
+// Returns the string with a list of param declarations separated by ','.
+string ParamDecls(ParamList *params);
+
+#if 0
+// Generate assignments to parameters, in the form of "%s_ = %s;" % (id, id).
+void GenParamAssignments(ParamList *params, Output *out_cc, Env *env);
+
+// Generate public access methods to parameter members.
+void GenParamPubDecls(ParamList *params, Output *out_h, Env *env);
+
+// Generate private definitions of parameter members.
+void GenParamPrivDecls(ParamList *params, Output *out_h, Env *env);
+#endif
+
+#endif  // pac_param_h
diff --git a/aux/binpac/src/pac_paramtype.cc b/aux/binpac/src/pac_paramtype.cc
new file mode 100644
index 0000000000..96e79735a3
--- /dev/null
+++ b/aux/binpac/src/pac_paramtype.cc
@@ -0,0 +1,289 @@
+#include "pac_context.h"
+#include "pac_dataptr.h"
+#include "pac_exception.h"
+#include "pac_expr.h"
+#include "pac_output.h"
+#include "pac_paramtype.h"
+#include "pac_typedecl.h"
+
+ParameterizedType::ParameterizedType(ID* type_id, ExprList* args)
+	: Type(PARAMETERIZED), type_id_(type_id), args_(args)
+	{
+	checking_requires_analyzer_context_ = false;
+	}
+
+ParameterizedType::~ParameterizedType()
+	{
+	}
+
+string ParameterizedType::EvalMember(const ID *member_id) const
+	{
+	Type *ty = ReferredDataType(true);
+	return strfmt("->%s", ty->env()->RValue(member_id));
+	}
+
+string ParameterizedType::class_name() const
+	{ 
+	return type_id_->Name(); 
+	}
+
+Type *ParameterizedType::DoClone() const
+	{
+	return new ParameterizedType(type_id_->clone(), args_);
+	}
+
+void ParameterizedType::AddParamArg(Expr *arg)
+	{
+	args_->push_back(arg);
+	}
+
+bool ParameterizedType::DefineValueVar() const
+	{
+	return true;
+	}
+
+string ParameterizedType::DataTypeStr() const
+	{
+	return strfmt("%s *", type_id_->Name());
+	}
+
+Type *ParameterizedType::MemberDataType(const ID *member_id) const
+	{
+	Type *ref_type = TypeDecl::LookUpType(type_id_);
+	if ( ! ref_type )
+		return 0;
+	return ref_type->MemberDataType(member_id);
+	}
+
+Type *ParameterizedType::ReferredDataType(bool throw_exception) const
+	{
+	Type* type = TypeDecl::LookUpType(type_id_);
+	if ( ! type )
+		{
+		DEBUG_MSG("WARNING: cannot find referenced type for %s\n",
+			type_id_->Name());
+		if ( throw_exception )
+			throw ExceptionIDNotFound(type_id_);
+		}
+	return type;
+	}
+
+int ParameterizedType::StaticSize(Env* env) const
+	{
+	return ReferredDataType(true)->StaticSize(env);
+	}
+
+void ParameterizedType::DoMarkIncrementalInput()
+	{
+	Type *ty = ReferredDataType(true);
+
+	ty->MarkIncrementalInput();
+
+	buffer_input_ = ty->buffer_input();
+	incremental_parsing_ = ty->incremental_parsing();
+	}
+
+Type::BufferMode ParameterizedType::buffer_mode() const
+	{
+	// Note that the precedence is on attributes (&oneline or &length) 
+	// specified on the parameterized type directly than on the type
+	// declaration. 
+	//
+	// If both &oneline and &length are specified at the same place, 
+	// use &length.
+	//
+	BufferMode mode = Type::buffer_mode();
+	Type *ty = ReferredDataType(true);
+
+	if ( mode != NOT_BUFFERABLE )
+		return mode;
+	else if ( ty->BufferableByLength() )
+		return BUFFER_BY_LENGTH;
+	else if ( ty->BufferableByLine() )
+		return BUFFER_BY_LINE;
+
+	return NOT_BUFFERABLE;
+	}
+
+bool ParameterizedType::ByteOrderSensitive() const
+	{
+	return ReferredDataType(true)->RequiresByteOrder();
+	}
+
+bool ParameterizedType::DoTraverse(DataDepVisitor *visitor)
+	{
+	if ( ! Type::DoTraverse(visitor) )
+		return false;
+
+	foreach(i, ExprList, args_)
+		if ( ! (*i)->Traverse(visitor) )
+			return false;
+
+	Type *ty = ReferredDataType(false);
+	if ( ty && ! ty->Traverse(visitor) )
+		return false;
+
+	return true;
+	}
+
+bool ParameterizedType::RequiresAnalyzerContext()
+	{
+	if ( checking_requires_analyzer_context_ )
+		return false;
+	checking_requires_analyzer_context_ = true;
+
+	bool ret = false;
+	// If any argument expression refers to analyzer context
+	foreach(i, ExprList, args_)
+		if ( (*i)->RequiresAnalyzerContext() )
+			{
+			ret = true;
+			break;
+			}
+	ret = ret ||
+	      Type::RequiresAnalyzerContext();
+
+	if ( ! ret )
+		{
+		Type *ty = ReferredDataType(false);
+		if ( ty )
+	      		ret = ty->RequiresAnalyzerContext();
+		}
+
+	checking_requires_analyzer_context_ = false;
+	return ret;
+	}
+
+void ParameterizedType::GenInitCode(Output* out_cc, Env* env)
+	{
+	ASSERT(persistent());
+	out_cc->println("%s = 0;", env->LValue(value_var()));
+	Type::GenInitCode(out_cc, env);
+	}
+
+void ParameterizedType::GenCleanUpCode(Output* out_cc, Env* env)
+	{
+	Type *ty = ReferredDataType(false);
+	if ( ty && ty->attr_refcount() )
+		out_cc->println("Unref(%s);", lvalue());
+	else
+		out_cc->println("delete %s;", lvalue());
+	out_cc->println("%s = 0;", lvalue());
+	Type::GenCleanUpCode(out_cc, env);
+	}
+
+string ParameterizedType::EvalParameters(Output* out_cc, Env *env) const
+	{
+	string arg_str;
+
+	int first = 1;
+	foreach (i, ExprList, args_)
+		{
+		Expr* e = *i;
+		if ( first )
+			first = 0;
+		else
+			arg_str += ", ";
+		arg_str += e->EvalExpr(out_cc, env);
+		}
+
+	return arg_str;
+	}
+
+void ParameterizedType::GenNewInstance(Output *out_cc, Env *env)
+	{
+	out_cc->println("%s = new %s(%s);", 
+		lvalue(), 
+		type_id_->Name(), 
+		EvalParameters(out_cc, env).c_str());
+	}
+
+void ParameterizedType::DoGenParseCode(Output* out_cc, Env* env,
+		const DataPtr& data, int flags)
+	{
+	DEBUG_MSG("DoGenParseCode for %s\n", type_id_->Name());
+
+	Type *ref_type = ReferredDataType(true);
+
+	const char *parse_func;
+	string parse_params;
+
+	if ( buffer_mode() == BUFFER_NOTHING )
+	        {
+		ASSERT(!ref_type->incremental_input());
+		parse_func = kParseFuncWithoutBuffer;
+		parse_params = "0, 0";
+		}
+	else if ( ref_type->incremental_input() )
+		{
+		parse_func = kParseFuncWithBuffer;
+		parse_params = env->RValue(flow_buffer_id);
+		}
+	else
+		{
+		parse_func = kParseFuncWithoutBuffer;
+		parse_params = strfmt("%s, %s",
+			data.ptr_expr(), 
+			env->RValue(end_of_data));
+		}
+
+	if ( RequiresAnalyzerContext::compute(ref_type) )
+		{
+		parse_params += strfmt(", %s", env->RValue(analyzer_context_id));
+		}
+
+	if ( ref_type->RequiresByteOrder() )
+		{
+		env->Evaluate(out_cc, byteorder_id);
+		parse_params += strfmt(", %s", env->RValue(byteorder_id));
+		}
+
+	string call_parse_func = strfmt("%s->%s(%s)",
+			lvalue(), // parse() needs an LValue
+			parse_func,
+			parse_params.c_str());
+
+	if ( incremental_input() )
+		{
+		if ( buffer_mode() == BUFFER_NOTHING )
+		        {
+		        out_cc->println("%s;", call_parse_func.c_str());
+			out_cc->println("%s = true;", 
+				env->LValue(parsing_complete_var()));
+			}
+		else
+		        {
+			ASSERT(parsing_complete_var());
+			out_cc->println("%s = %s;",
+				env->LValue(parsing_complete_var()),
+				call_parse_func.c_str());
+
+			// parsing_complete_var might have been already
+			// evaluated when set to false
+			if ( ! env->Evaluated(parsing_complete_var()) )
+			        env->SetEvaluated(parsing_complete_var());
+			}
+		}
+	else
+		{
+		if ( AddSizeVar(out_cc, env) )
+			{
+			out_cc->println("%s = %s;", 
+				env->LValue(size_var()),
+				call_parse_func.c_str());
+			env->SetEvaluated(size_var());
+			}
+		else
+			{
+			out_cc->println("%s;", 
+				call_parse_func.c_str());
+			}
+		}
+	}
+
+void ParameterizedType::GenDynamicSize(Output* out_cc, Env* env,
+		const DataPtr& data)
+	{
+	GenParseCode(out_cc, env, data, 0);
+	}
+
diff --git a/aux/binpac/src/pac_paramtype.h b/aux/binpac/src/pac_paramtype.h
new file mode 100644
index 0000000000..4a2ef4e1d7
--- /dev/null
+++ b/aux/binpac/src/pac_paramtype.h
@@ -0,0 +1,62 @@
+#ifndef pac_paramtype_h
+#define pac_paramtype_h
+
+#include "pac_type.h"
+
+// An instantiated type: ID + expression list
+class ParameterizedType : public Type
+{
+public:
+	ParameterizedType(ID *type_id, ExprList *args);
+	~ParameterizedType();
+
+	Type *clone() const;
+
+	string EvalMember(const ID *member_id) const;
+	// Env *member_env() const;
+
+	void AddParamArg(Expr *arg);
+
+	bool DefineValueVar() const;
+	string DataTypeStr() const;
+	string DefaultValue() const	{ return "0"; }
+	Type *MemberDataType(const ID *member_id) const;
+
+	// "throw_exception" specifies whether to throw an exception
+	// if the referred data type is not found
+	Type *ReferredDataType(bool throw_exception) const;
+
+	void GenCleanUpCode(Output *out, Env *env);
+
+	int StaticSize(Env *env) const;
+
+	bool IsPointerType() const	{ return true; }
+
+	bool ByteOrderSensitive() const;
+	bool RequiresAnalyzerContext();
+
+	void GenInitCode(Output *out_cc, Env *env);
+
+	string class_name() const;
+	string EvalParameters(Output *out_cc, Env *env) const;
+
+	BufferMode buffer_mode() const;
+
+protected:
+	void GenNewInstance(Output *out, Env *env);
+
+	bool DoTraverse(DataDepVisitor *visitor);
+	Type *DoClone() const;
+	void DoMarkIncrementalInput();
+
+private:
+	ID *type_id_;
+	ExprList *args_;
+	char *data_type_;
+	bool checking_requires_analyzer_context_;
+
+	void DoGenParseCode(Output *out, Env *env, const DataPtr& data, int flags);
+	void GenDynamicSize(Output *out, Env *env, const DataPtr& data);
+};
+
+#endif  // pac_paramtype_h
diff --git a/aux/binpac/src/pac_parse.yy b/aux/binpac/src/pac_parse.yy
new file mode 100644
index 0000000000..3d7f9a328f
--- /dev/null
+++ b/aux/binpac/src/pac_parse.yy
@@ -0,0 +1,1095 @@
+/* $Id: pac_parse.yy 3225 2006-06-08 00:00:01Z vern $ */
+
+%token TOK_TYPE TOK_RECORD TOK_CASE TOK_ENUM TOK_LET TOK_FUNCTION
+%token TOK_REFINE TOK_CASEFUNC TOK_CASETYPE TOK_TYPEATTR
+%token TOK_HELPERHEADER TOK_HELPERCODE
+%token TOK_RIGHTARROW TOK_DEFAULT TOK_OF 
+%token TOK_PADDING TOK_TO TOK_ALIGN
+%token TOK_WITHINPUT
+%token TOK_INT8 TOK_INT16 TOK_INT32
+%token TOK_UINT8 TOK_UINT16 TOK_UINT32
+%token TOK_ID TOK_NUMBER TOK_REGEX TOK_STRING
+%token TOK_BEGIN_RE TOK_END_RE
+%token TOK_ATTR_ALSO
+%token TOK_ATTR_BYTEORDER TOK_ATTR_CHECK TOK_ATTR_CHUNKED 
+%token TOK_ATTR_EXPORTSOURCEDATA TOK_ATTR_IF
+%token TOK_ATTR_LENGTH TOK_ATTR_LET 
+%token TOK_ATTR_LINEBREAKER TOK_ATTR_MULTILINE TOK_ATTR_ONELINE
+%token TOK_ATTR_REFCOUNT TOK_ATTR_REQUIRES 
+%token TOK_ATTR_RESTOFDATA TOK_ATTR_RESTOFFLOW
+%token TOK_ATTR_TRANSIENT TOK_ATTR_UNTIL
+%token TOK_ANALYZER TOK_CONNECTION TOK_FLOW 
+%token TOK_STATE TOK_ACTION TOK_WHEN TOK_HELPER 
+%token TOK_DATAUNIT TOK_FLOWDIR TOK_WITHCONTEXT
+%token TOK_LPB_EXTERN TOK_LPB_HEADER TOK_LPB_CODE 
+%token TOK_LPB_MEMBER TOK_LPB_INIT TOK_LPB_CLEANUP TOK_LPB_EOF
+%token TOK_LPB TOK_RPB 
+%token TOK_EMBEDDED_ATOM TOK_EMBEDDED_STRING
+%token TOK_PAC_VAL TOK_PAC_SET TOK_PAC_TYPE TOK_PAC_TYPEOF TOK_PAC_CONST_DEF 
+%token TOK_END_PAC
+%token TOK_EXTERN
+
+%nonassoc '=' TOK_PLUSEQ
+%left ';'
+%left ','
+%left '?' ':'
+%left TOK_OR
+%left TOK_AND
+%nonassoc TOK_EQUAL TOK_NEQ TOK_LE TOK_GE '<' '>'
+%left '&' '|' '^'
+%left TOK_LSHIFT TOK_RSHIFT 
+%left '+' '-'
+%left '*' '/' '%'
+%right '~' '!'
+%right TOK_SIZEOF TOK_OFFSETOF
+%right '(' ')' '[' ']'
+%left '.'
+
+%type <actionparam> actionparam
+%type <actionparamtype> actionparamtype
+%type <aelem> sah
+%type <aelemlist> sahlist conn flow
+%type <attr> attr
+%type <attrlist> optattrs attrlist
+%type <caseexpr> caseexpr
+%type <caseexprlist> caseexprlist
+%type <casefield> casefield casefield0
+%type <casefieldlist> casefieldlist
+%type <contextfield> contextfield
+%type <contextfieldlist> analyzercontext contextfieldlist
+%type <decl> decl decl_with_attr decl_without_attr
+%type <embedded_code> embedded_code
+%type <enumlist> enumlist enumlist1
+%type <enumitem> enumitem
+%type <expr> expr caseindex optinit optlinebreaker
+%type <exprlist> exprlist optexprlist optargs
+%type <field> withinputfield letfield
+%type <fieldlist> letfieldlist
+%type <function> funcproto function
+%type <id> TOK_ID tok_id optfieldid 
+%type <input> input
+%type <num> TOK_NUMBER
+%type <pacprimitive> embedded_pac_primitive
+%type <param> param
+%type <paramlist> optparams paramlist
+%type <recordfield> recordfield recordfield0 padding 
+%type <recordfieldlist> recordfieldlist
+%type <regex> regex
+%type <statevar> statevar
+%type <statevarlist> statevarlist
+%type <str> TOK_EMBEDDED_STRING TOK_STRING TOK_REGEX
+%type <cstr> cstr
+%type <type> type type3 type2 type1 opttype
+%type <val> TOK_EMBEDDED_ATOM TOK_WHEN TOK_FLOWDIR TOK_DATAUNIT
+
+%{
+
+#include "pac_action.h"
+#include "pac_analyzer.h"
+#include "pac_array.h"
+#include "pac_attr.h"
+#include "pac_case.h"
+#include "pac_common.h"
+#include "pac_conn.h"
+#include "pac_context.h"
+#include "pac_cstr.h"
+#include "pac_dataptr.h"
+#include "pac_dataunit.h"
+#include "pac_dbg.h"
+#include "pac_decl.h"
+#include "pac_embedded.h"
+#include "pac_enum.h"
+#include "pac_exception.h"
+#include "pac_expr.h"
+#include "pac_exttype.h"
+#include "pac_flow.h"
+#include "pac_func.h"
+#include "pac_id.h"
+#include "pac_inputbuf.h"
+#include "pac_let.h"
+#include "pac_output.h"
+#include "pac_param.h"
+#include "pac_paramtype.h"
+#include "pac_primitive.h"
+#include "pac_record.h"
+#include "pac_redef.h"
+#include "pac_regex.h"
+#include "pac_state.h"
+#include "pac_strtype.h"
+#include "pac_type.h"
+#include "pac_utils.h"
+#include "pac_withinput.h"
+
+extern int yyerror(const char msg[]);
+extern int yylex();
+extern int yychar;
+extern char* yytext;
+extern int yyleng;
+extern void begin_RE();
+extern void end_RE();
+
+extern string input_filename;
+extern int line_number;
+extern Output* header_output;
+extern Output* source_output;
+
+%}
+
+%union {
+	ActionParam		*actionparam;
+	ActionParamType		*actionparamtype;
+	AnalyzerElement		*aelem;
+	AnalyzerElementList	*aelemlist;
+	Attr			*attr;
+	AttrList		*attrlist;
+	ConstString		*cstr;
+	CaseExpr		*caseexpr;
+	CaseExprList		*caseexprlist;
+	CaseField		*casefield;
+	CaseFieldList 		*casefieldlist;
+	ContextField		*contextfield;
+	ContextFieldList 	*contextfieldlist;
+	Decl			*decl;
+	EmbeddedCode		*embedded_code;
+	Enum			*enumitem;
+	EnumList		*enumlist;
+	Expr			*expr;
+	ExprList 		*exprlist;
+	Field 			*field;
+	FieldList 		*fieldlist;
+	Function		*function;
+	ID			*id;
+	InputBuffer		*input;
+	LetFieldList		*letfieldlist;
+	LetField		*letfield;
+	Number			*num;
+	PacPrimitive		*pacprimitive;
+	Param 			*param;
+	ParamList 		*paramlist;
+	RecordFieldList 	*recordfieldlist;
+	RecordField		*recordfield;
+	RegEx			*regex;
+	StateVar		*statevar;
+	StateVarList		*statevarlist;
+	const char		*str;
+	Type 			*type;
+	int			val;
+}
+
+%%
+
+decls		:	/* empty */
+				{
+				// Put initialization here
+				}
+		|	decls  decl optsemicolon
+				{
+				}
+		;
+
+decl		:	decl_with_attr optattrs
+				{
+				$$ = $1;
+				$1->AddAttrs($2);
+				}
+		|	decl_without_attr
+				{
+				$$ = $1;
+				}
+		;
+
+decl_with_attr	:	TOK_TYPE tok_id { current_decl_id = $2; } optparams '=' type
+				{
+				TypeDecl* decl = new TypeDecl($2, $4, $6);
+				$$ = decl;
+				}
+		|	TOK_LET tok_id { current_decl_id = $2; } opttype optinit
+				{
+				$$ = new LetDecl($2, $4, $5);
+				}
+		|	TOK_FUNCTION function
+				{
+				current_decl_id = $2->id();
+				$$ = new FuncDecl($2);
+				}
+		|	TOK_ENUM tok_id { current_decl_id = $2; } '{' enumlist '}'
+				{
+				$$ = new EnumDecl($2, $5);
+				}
+		|	TOK_EXTERN TOK_TYPE tok_id { current_decl_id = $3; }
+				{
+				Type *extern_type = new ExternType($3, ExternType::PLAIN);
+				$$ = new TypeDecl($3, 0, extern_type);
+				}
+		|	TOK_ANALYZER tok_id { current_decl_id = $2; } TOK_WITHCONTEXT analyzercontext
+				{
+				$$ = new AnalyzerContextDecl($2, $5);
+				}
+		|	TOK_ANALYZER tok_id { current_decl_id = $2; } optparams '{' conn '}'
+				{
+				$$ = new ConnDecl($2, $4, $6);
+				}
+		|	TOK_CONNECTION tok_id { current_decl_id = $2; } optparams '{' conn '}'
+				{
+				$$ = new ConnDecl($2, $4, $6);
+				}
+		|	TOK_FLOW tok_id { current_decl_id = $2; } optparams '{' flow '}'
+				{
+				$$ = new FlowDecl($2, $4, $6);
+				}
+		|	TOK_REFINE TOK_CASETYPE tok_id TOK_PLUSEQ '{' casefieldlist '}'
+				{
+				$$ = ProcessCaseTypeRedef($3, $6);
+				}
+		|	TOK_REFINE TOK_CASEFUNC tok_id TOK_PLUSEQ '{' caseexprlist '}'
+				{
+				$$ = ProcessCaseExprRedef($3, $6);
+				}
+		|	TOK_REFINE TOK_ANALYZER tok_id TOK_PLUSEQ '{' sahlist '}'
+				{
+				$$ = ProcessAnalyzerRedef($3, Decl::CONN, $6);
+				}
+		|	TOK_REFINE TOK_CONNECTION tok_id TOK_PLUSEQ '{' sahlist '}'
+				{
+				$$ = ProcessAnalyzerRedef($3, Decl::CONN, $6);
+				}
+		|	TOK_REFINE TOK_FLOW tok_id TOK_PLUSEQ '{' sahlist '}'
+				{
+				$$ = ProcessAnalyzerRedef($3, Decl::FLOW, $6);
+				}
+		;
+
+decl_without_attr: 	TOK_LPB_HEADER embedded_code TOK_RPB
+				{
+				$$ = new HelperDecl(HelperDecl::HEADER, 0, $2);
+				}
+		|	TOK_LPB_CODE embedded_code TOK_RPB
+				{
+				$$ = new HelperDecl(HelperDecl::CODE, 0, $2);
+				}
+		|	TOK_LPB_EXTERN embedded_code TOK_RPB
+				{
+				$$ = new HelperDecl(HelperDecl::EXTERN, 0, $2);
+				}
+		|	TOK_REFINE TOK_TYPEATTR tok_id TOK_PLUSEQ attrlist
+				{
+				$$ = ProcessTypeAttrRedef($3, $5);
+				}
+		;
+
+optsemicolon	:	/* nothing */
+		|	';'
+		;
+
+tok_id		:	TOK_ID
+				{
+				$$ = $1;
+				}
+		|	TOK_CONNECTION
+				{
+				$$ = new ID("connection");
+				}
+		|	TOK_ANALYZER
+				{
+				$$ = new ID("analyzer");
+				}
+		|	TOK_FLOW
+				{
+				$$ = new ID("flow");
+				}
+		| 	TOK_FUNCTION
+				{
+				$$ = new ID("function");
+				}
+		|	TOK_TYPE
+				{
+				$$ = new ID("type");
+				}
+		;
+
+analyzercontext :	'{' contextfieldlist '}'
+				{
+				$$ = $2;
+				}
+		;
+
+contextfieldlist:	contextfieldlist contextfield ';'
+				{
+				$1->push_back($2);
+				$$ = $1;
+				}
+		|	/* nothing */
+				{
+				$$ = new ContextFieldList();
+				}
+		;
+
+contextfield	:	tok_id ':' type1
+				{
+				$$ = new ContextField($1, $3);
+				}
+		;
+
+funcproto	:	tok_id '(' paramlist ')' ':' type2
+				{
+				$$ = new Function($1, $6, $3);
+				}
+		;
+
+function	:	funcproto '=' expr
+				{
+				$1->set_expr($3);
+				$$ = $1;
+				}
+		|	funcproto TOK_LPB embedded_code TOK_RPB
+				{
+				$1->set_code($3);
+				$$ = $1;
+				}
+		|	funcproto ';'
+				{
+				$$ = $1;
+				}
+		;
+
+optparams	:	'(' paramlist ')'
+				{
+				$$ = $2;
+				}
+		|	/* empty */
+				{
+				$$ = 0;
+				}
+		;
+
+paramlist	:	paramlist ',' param 
+				{
+				$1->push_back($3);
+				$$ = $1;
+				}
+		|	param
+				{
+				$$ = new ParamList();
+				$$->push_back($1);
+				}
+		|	/* empty */
+				{
+				$$ = new ParamList();
+				}
+		;
+
+param		:	tok_id ':' type2
+				{
+				$$ = new Param($1, $3);
+				}
+		;
+
+optinit		:	/* nothing */
+				{
+				$$ = 0;
+				}
+		|	'=' expr
+				{
+				$$ = $2;
+				}
+		;
+
+opttype		:	/* nothing */
+				{
+				$$ = 0;
+				}
+		|	':' type2
+				{
+				$$ = $2;
+				}
+		;
+
+type		: 	type3
+				{
+				$$ = $1;
+				}
+		;
+
+/* type3 is for record or type2 */
+type3		:	type2
+				{
+				$$ = $1;
+				}
+		|	TOK_RECORD '{' recordfieldlist '}'
+				{
+				$$ = new RecordType($3);
+				}
+		;
+
+/* type2 is for array or case or type1 */
+type2		:	type1
+				{
+				$$ = $1;
+				}
+		|	type1 '[' expr ']'
+				{
+				$$ = new ArrayType($1, $3);
+				}
+		|	type1 '[' ']'
+				{
+				$$ = new ArrayType($1);
+				}
+		|	TOK_CASE caseindex TOK_OF '{' casefieldlist '}'
+				{
+				$$ = new CaseType($2, $5);
+				}
+		;
+
+/* type1 is for built-in, parameterized, or string types */
+type1		: 	tok_id
+				{
+				$$ = Type::LookUpByID($1);
+				}
+		|	tok_id '(' exprlist ')'
+				{
+				$$ = new ParameterizedType($1, $3);
+				}
+		|	regex
+				{
+				$$ = new StringType($1);
+				}
+		|	cstr
+				{
+				$$ = new StringType($1);
+				}
+		;
+
+recordfieldlist	:	recordfieldlist recordfield ';'
+				{
+				$1->push_back($2);
+				$$ = $1;
+				}
+		|	/* empty */	
+				{
+				$$ = new RecordFieldList();
+				}
+		;
+
+recordfield	: 	recordfield0 optattrs
+				{
+				$1->AddAttr($2);
+				$$ = $1;
+				}
+		;
+
+recordfield0	:	optfieldid type2
+				{
+				$$ = new RecordDataField($1, $2);
+				}
+		|	padding
+				{
+				$$ = $1;
+				}
+		;
+
+padding		:	optfieldid TOK_PADDING '[' expr ']'
+				{
+				$$ = new RecordPaddingField(
+					$1, PAD_BY_LENGTH, $4);
+				}
+		|	optfieldid TOK_PADDING TOK_TO expr
+				{
+				$$ = new RecordPaddingField(
+					$1, PAD_TO_OFFSET, $4);
+				}
+		|	optfieldid TOK_PADDING TOK_ALIGN expr
+				{
+				$$ = new RecordPaddingField(
+					$1, PAD_TO_NEXT_WORD, $4);
+				}
+		;
+
+optfieldid	:	tok_id ':'
+				{
+				$$ = $1;
+				}
+		|	':'
+				{
+				$$ = ID::NewAnonymousID("anonymous_field_");
+				}
+		;
+
+caseindex	:	expr
+				{
+				$$ = $1;
+				}
+		;
+
+casefieldlist	:	casefieldlist casefield ';'
+				{
+				$1->push_back($2);
+				$$ = $1;
+				}
+		|	/* empty */	
+				{
+				$$ = new CaseFieldList();
+				}
+		;
+
+casefield	:	casefield0 optattrs
+				{
+				$1->AddAttr($2);	
+				$$ = $1;
+				}
+		;
+
+casefield0	:	exprlist TOK_RIGHTARROW tok_id ':' type2
+				{
+				$$ = new CaseField($1, $3, $5);
+				}
+		|	TOK_DEFAULT TOK_RIGHTARROW tok_id ':' type2
+				{
+				$$ = new CaseField(0, $3, $5);
+				}
+		;
+
+optexprlist	:	/* nothing */
+				{
+				$$ = 0;
+				}
+		|	exprlist
+				{
+				$$ = $1;
+				}
+		;
+
+exprlist	:	exprlist ',' expr
+				{
+				$1->push_back($3);
+				$$ = $1;
+				}
+		|	expr
+				{
+				$$ = new ExprList();
+				$$->push_back($1);
+				}
+		;
+
+expr		:	tok_id
+				{
+				$$ = new Expr($1);
+				}
+		|	TOK_NUMBER
+				{
+				$$ = new Expr($1);
+				}
+		|	expr '[' expr ']'
+				{
+				$$ = new Expr(Expr::EXPR_SUBSCRIPT, $1, $3);
+				}
+		|	expr '.' tok_id
+				{
+				$$ = new Expr(Expr::EXPR_MEMBER, $1, new Expr($3));
+				}
+		|	TOK_SIZEOF '(' tok_id ')'
+				{
+				$$ = new Expr(Expr::EXPR_SIZEOF, new Expr($3));
+				}
+		|	TOK_OFFSETOF '(' tok_id ')'
+				{
+				$$ = new Expr(Expr::EXPR_OFFSETOF, new Expr($3));
+				}
+		|	'(' expr ')'
+				{
+				$$ = new Expr(Expr::EXPR_PAREN, $2);
+				}
+		|	expr '(' optexprlist ')'
+				{
+				$$ = new Expr(Expr::EXPR_CALL, 
+				              $1, 
+				              new Expr($3));
+				}
+		|	'-' expr
+				{
+				$$ = new Expr(Expr::EXPR_NEG, $2);
+				}
+		|	expr '+' expr
+				{
+				$$ = new Expr(Expr::EXPR_PLUS, $1, $3);
+				}
+		|	expr '-' expr
+				{
+				$$ = new Expr(Expr::EXPR_MINUS, $1, $3);
+				}
+		|	expr '*' expr
+				{
+				$$ = new Expr(Expr::EXPR_TIMES, $1, $3);
+				}
+		|	expr '/' expr
+				{
+				$$ = new Expr(Expr::EXPR_DIV, $1, $3);
+				}
+		|	expr '%' expr
+				{
+				$$ = new Expr(Expr::EXPR_MOD, $1, $3);
+				}
+		|	'~' expr
+				{
+				$$ = new Expr(Expr::EXPR_BITNOT, $2);
+				}
+		|	expr '&' expr
+				{
+				$$ = new Expr(Expr::EXPR_BITAND, $1, $3);
+				}
+		|	expr '|' expr
+				{
+				$$ = new Expr(Expr::EXPR_BITOR, $1, $3);
+				}
+		|	expr '^' expr
+				{
+				$$ = new Expr(Expr::EXPR_BITXOR, $1, $3);
+				}
+		|	expr TOK_LSHIFT expr
+				{
+				$$ = new Expr(Expr::EXPR_LSHIFT, $1, $3);
+				}
+		|	expr TOK_RSHIFT expr
+				{
+				$$ = new Expr(Expr::EXPR_RSHIFT, $1, $3);
+				}
+		|	expr TOK_EQUAL expr
+				{
+				$$ = new Expr(Expr::EXPR_EQUAL, $1, $3);
+				}
+		|	expr TOK_NEQ expr
+				{
+				$$ = new Expr(Expr::EXPR_NEQ, $1, $3);
+				}
+		|	expr TOK_GE expr
+				{
+				$$ = new Expr(Expr::EXPR_GE, $1, $3);
+				}
+		|	expr TOK_LE expr
+				{
+				$$ = new Expr(Expr::EXPR_LE, $1, $3);
+				}
+		|	expr '>' expr
+				{
+				$$ = new Expr(Expr::EXPR_GT, $1, $3);
+				}
+		|	expr '<' expr
+				{
+				$$ = new Expr(Expr::EXPR_LT, $1, $3);
+				}
+		|	'!' expr
+				{
+				$$ = new Expr(Expr::EXPR_NOT, $2);
+				}
+		|	expr TOK_AND expr
+				{
+				$$ = new Expr(Expr::EXPR_AND, $1, $3);
+				}
+		|	expr TOK_OR expr
+				{
+				$$ = new Expr(Expr::EXPR_OR, $1, $3);
+				}
+		|	expr '?' expr ':' expr
+				{
+				$$ = new Expr(Expr::EXPR_COND, $1, $3, $5);
+				}
+		|	TOK_CASE expr TOK_OF '{' caseexprlist '}' 
+				{
+				$$ = new Expr($2, $5);
+				}
+		|	cstr
+				{
+				$$ = new Expr($1);
+				}
+		|	regex
+				{
+				$$ = new Expr($1);
+				}
+		;
+
+cstr		:	TOK_STRING
+				{
+				$$ = new ConstString($1);
+				}
+		;
+
+regex		: 	TOK_BEGIN_RE TOK_REGEX TOK_END_RE
+				{ 
+				$$ = new RegEx($2); 
+				}
+		;
+
+caseexprlist	:	/* nothing */
+				{
+				$$ = new CaseExprList();
+				}
+		|	caseexprlist caseexpr ';'
+				{
+				$1->push_back($2);
+				$$ = $1;
+				}
+		;
+
+caseexpr	:	exprlist TOK_RIGHTARROW expr
+				{
+				$$ = new CaseExpr($1, $3);
+				}
+		|	TOK_DEFAULT TOK_RIGHTARROW expr
+				{
+				$$ = new CaseExpr(0, $3);
+				}
+		;
+
+enumlist	: 	enumlist1
+				{
+				$$ = $1;
+				}
+		|	enumlist1 ','
+				{
+				$$ = $1;
+				}
+		;
+
+enumlist1	:	enumlist1 ',' enumitem
+				{
+				$1->push_back($3);
+				$$ = $1;
+				}
+		|	enumitem
+				{
+				$$ = new EnumList();
+				$$->push_back($1);
+				}
+		;
+
+enumitem	:	tok_id
+				{
+				$$ = new Enum($1);
+				}
+		|	tok_id '=' expr
+				{
+				$$ = new Enum($1, $3);
+				}
+		;
+
+conn		:	sahlist
+				{
+				$$ = $1;
+				}
+		;
+
+flow		:	sahlist
+				{
+				$$ = $1;
+				}
+		;
+
+/* State-Action-Helper List */
+sahlist		:	/* empty */
+				{
+				$$ = new AnalyzerElementList();
+				}
+		|	sahlist sah
+				{
+				$1->push_back($2);
+				$$ = $1;
+				}
+		;
+
+sah		:	TOK_LPB_MEMBER embedded_code TOK_RPB
+				{
+				$$ = new AnalyzerHelper(AnalyzerHelper::MEMBER_DECLS, $2);
+				}
+		|	TOK_LPB_INIT embedded_code TOK_RPB
+				{
+				$$ = new AnalyzerHelper(AnalyzerHelper::INIT_CODE, $2);
+				}
+		|	TOK_LPB_CLEANUP embedded_code TOK_RPB
+				{
+				$$ = new AnalyzerHelper(AnalyzerHelper::CLEANUP_CODE, $2);
+				}
+		|	TOK_LPB_EOF embedded_code TOK_RPB
+				{
+				$$ = new AnalyzerHelper(AnalyzerHelper::EOF_CODE, $2);
+				}
+		|	TOK_FLOWDIR '=' tok_id optargs ';'
+				{
+				$$ = new AnalyzerFlow((AnalyzerFlow::Direction) $1, $3, $4);
+				}
+		|	TOK_DATAUNIT '=' tok_id optargs TOK_WITHCONTEXT '(' optexprlist ')' ';'
+				{
+				$$ = new AnalyzerDataUnit(
+					(AnalyzerDataUnit::DataUnitType) $1, 
+					$3, 
+					$4,
+					$7);
+				}
+		|	TOK_FUNCTION function
+				{
+				$$ = new AnalyzerFunction($2);
+				}
+		|	TOK_STATE '{' statevarlist '}'
+				{
+				$$ = new AnalyzerState($3);
+				}
+		|	TOK_ACTION tok_id TOK_WHEN '(' actionparam ')' TOK_LPB embedded_code TOK_RPB
+				{
+				$$ = new AnalyzerAction($2, (AnalyzerAction::When) $3, $5, $8);
+				}
+		;
+
+statevarlist	:	/* empty */
+				{
+				$$ = new StateVarList();
+				}
+		|	statevarlist statevar ';'
+				{
+				$1->push_back($2);
+				$$ = $1;
+				}
+		;
+
+statevar	:	tok_id ':' type1
+				{
+				$$ = new StateVar($1, $3);
+				}
+		;
+
+actionparam	:	tok_id TOK_LE actionparamtype
+				{
+				$$ = new ActionParam($1, $3);
+				}
+		;
+
+actionparamtype :	tok_id
+				{
+				$$ = new ActionParamType($1);
+				}
+		|	tok_id '.' tok_id
+				{
+				$$ = new ActionParamType($1, $3);
+				}
+		;
+
+embedded_code	:	/* empty */
+				{
+				$$ = new EmbeddedCode();
+				}
+		|	embedded_code TOK_EMBEDDED_ATOM
+				{
+				$1->Append($2);
+				$$ = $1;
+				}
+		|	embedded_code TOK_EMBEDDED_STRING
+				{
+				$1->Append($2);
+				$$ = $1;
+				}
+		|	embedded_code embedded_pac_primitive
+				{
+				$1->Append($2);
+				$$ = $1;
+				}
+		;
+
+embedded_pac_primitive:	TOK_PAC_VAL expr TOK_END_PAC
+				{
+				$$ = new PPVal($2);
+				}
+		|	TOK_PAC_SET expr TOK_END_PAC
+				{
+				$$ = new PPSet($2);
+				}
+		|	TOK_PAC_TYPE expr TOK_END_PAC
+				{
+				$$ = new PPType($2);
+				}
+		|	TOK_PAC_CONST_DEF tok_id '=' expr TOK_END_PAC
+				{
+				$$ = new PPConstDef($2, $4);
+				}
+		;
+
+optargs		:	/* empty */
+				{
+				$$ = 0;
+				}
+		|	'(' optexprlist ')'
+				{
+				$$ = $2;
+				}
+		;
+
+letfieldlist	:	letfieldlist letfield ';' 
+				{
+				$1->push_back($2);
+				$$ = $1;
+				}
+		|	letfieldlist withinputfield ';'
+				{
+				$1->push_back($2);
+				$$ = $1;
+				}
+		|	/* empty */
+				{
+				$$ = new FieldList();
+				}
+		;
+
+letfield	:	tok_id opttype optinit optattrs
+				{
+				$$ = new LetField($1, $2, $3);
+				$$->AddAttr($4);
+				}
+		;
+
+withinputfield	:	tok_id ':' type1 TOK_WITHINPUT input optattrs
+				{
+				$$ = new WithInputField($1, $3, $5);
+				$$->AddAttr($6);
+				}
+		;
+
+/* There can be other forms of input */
+input		:	expr
+				{
+				$$ = new InputBuffer($1);
+				}
+		;
+
+optattrs	:	/* empty */	
+				{
+				$$ = 0;
+				}
+		|	attrlist
+				{
+				$$ = $1;
+				}
+		;
+
+attrlist	:	attrlist optcomma attr
+				{
+				if ( $3 )
+					$1->push_back($3);
+				$$ = $1;
+				}
+		|	attr
+				{
+				$$ = new AttrList();
+				if ( $1 )
+					$$->push_back($1);
+				}
+		;
+
+optcomma	:	/* nothing */
+		|	','
+		;
+
+attr		:	TOK_ATTR_BYTEORDER '=' expr
+				{
+				$$ = new Attr(ATTR_BYTEORDER, $3);
+				}
+		|	TOK_ATTR_CHECK expr 
+				{
+				$$ = new Attr(ATTR_CHECK, $2);
+				}
+		|	TOK_ATTR_CHUNKED
+				{
+				$$ = new Attr(ATTR_CHUNKED);
+				}
+		|	TOK_ATTR_EXPORTSOURCEDATA
+				{
+				$$ = new Attr(ATTR_EXPORTSOURCEDATA);
+				}
+		|	TOK_ATTR_IF expr 
+				{
+				$$ = new Attr(ATTR_IF, $2);
+				}
+		|	TOK_ATTR_LENGTH '=' expr
+				{
+				$$ = new Attr(ATTR_LENGTH, $3);
+				}
+		|	TOK_ATTR_LET '{' letfieldlist '}'
+				{
+				$$ = new LetAttr($3);
+				}
+		|	TOK_ATTR_LINEBREAKER '=' expr
+				{
+				$$ = new Attr(ATTR_LINEBREAKER, $3);
+				}
+		|	TOK_ATTR_MULTILINE '(' expr ')'
+				{
+				$$ = new Attr(ATTR_MULTILINE, $3);
+				}
+		|	TOK_ATTR_ONELINE optlinebreaker
+				{
+				$$ = new Attr(ATTR_ONELINE, $2);
+				}
+		|	TOK_ATTR_REFCOUNT
+				{
+				$$ = new Attr(ATTR_REFCOUNT);
+				}
+		|	TOK_ATTR_REQUIRES '(' optexprlist ')'
+				{
+				$$ = new Attr(ATTR_REQUIRES, $3);
+				}
+		|	TOK_ATTR_RESTOFDATA
+				{
+				$$ = new Attr(ATTR_RESTOFDATA);
+				}
+		|	TOK_ATTR_RESTOFFLOW
+				{
+				$$ = new Attr(ATTR_RESTOFFLOW);
+				}
+		|	TOK_ATTR_TRANSIENT
+				{
+				$$ = new Attr(ATTR_TRANSIENT);
+				}
+		|	TOK_ATTR_UNTIL expr
+				{
+				$$ = new Attr(ATTR_UNTIL, $2);
+				}
+		;
+
+optlinebreaker	:	/* nothing */
+				{
+				$$ = 0;
+				}
+		|	'(' expr ')'
+				{
+				$$ = $2;
+				}
+		;
+
+%%
+
+const ID* current_decl_id = 0;
+
+int yyerror(const char msg[])
+	{
+	char* msgbuf = 
+		new char[strlen(msg) + yyleng + 64];
+
+	if ( ! yychar || ! yytext || yytext[0] == '\0' )
+		sprintf(msgbuf, "%s, at end of file", msg);
+
+	else if ( yytext[0] == '\n' )
+		sprintf(msgbuf, "%s, on previous line", msg);
+
+	else
+		sprintf(msgbuf, "%s, at or near \"%s\"", msg, yytext);
+
+	/*
+	extern int column;
+	sprintf(msgbuf, "%*s\n%*s\n", column, "^", column, msg);
+	*/
+
+	if ( ! input_filename.empty() )
+		fprintf(stderr, "%s:%d: ", input_filename.c_str(), line_number);
+	else
+		fprintf(stderr, "line %d: ", line_number);
+	fprintf(stderr, "%s", msgbuf);
+	fprintf(stderr, " (yychar=%d)", yychar);
+	fprintf(stderr, "\n");
+
+	return 0;
+        }
diff --git a/aux/binpac/src/pac_primitive.cc b/aux/binpac/src/pac_primitive.cc
new file mode 100644
index 0000000000..c4893a63ed
--- /dev/null
+++ b/aux/binpac/src/pac_primitive.cc
@@ -0,0 +1,39 @@
+#include "pac_dbg.h"
+#include "pac_expr.h"
+#include "pac_id.h"
+#include "pac_primitive.h"
+#include "pac_type.h"
+
+string PPVal::ToCode(Env *env)
+	{
+	ASSERT(expr_);
+	return string(expr_->EvalExpr(0, env));
+	}
+
+string PPSet::ToCode(Env *env)
+	{
+	ASSERT(expr_);
+	return expr_->SetFunc(0, env);
+	}
+
+string PPType::ToCode(Env *env)
+	{
+	Type *type = expr_->DataType(env);
+	if ( ! type )
+		{
+		}
+	return type->DataTypeStr();
+	}
+
+string PPConstDef::ToCode(Env *env)
+	{
+	Type *type = expr_->DataType(env);
+	env->AddID(id_, TEMP_VAR, type);
+	env->SetEvaluated(id_);
+
+	string type_str = type->DataTypeStr();
+	return strfmt("%s %s = %s", 
+	              type_str.c_str(),
+	              env->LValue(id_),
+	              expr_->EvalExpr(0, env));
+	}
diff --git a/aux/binpac/src/pac_primitive.h b/aux/binpac/src/pac_primitive.h
new file mode 100644
index 0000000000..47d06a1e72
--- /dev/null
+++ b/aux/binpac/src/pac_primitive.h
@@ -0,0 +1,75 @@
+#ifndef pac_primitive_h
+#define pac_primitive_h
+
+#include "pac_common.h"
+
+class PacPrimitive
+{
+public:
+	enum PrimitiveType { VAL, SET, TYPE, CONST_DEF };
+
+	explicit PacPrimitive(PrimitiveType type) : type_(type) {}
+	virtual ~PacPrimitive() {}
+
+	PrimitiveType type() const	{ return type(); }
+
+	virtual string ToCode(Env *env) = 0;
+
+private:
+	PrimitiveType type_;
+};
+
+class PPVal : public PacPrimitive
+{
+public:
+	PPVal(Expr *expr) : PacPrimitive(VAL), expr_(expr) {}
+	Expr *expr() const	{ return expr_; }
+
+	string ToCode(Env *env);
+
+private:
+	Expr *expr_;
+};
+
+class PPSet : public PacPrimitive
+{
+public:
+	PPSet(Expr *expr) : PacPrimitive(SET), expr_(expr) {}
+	Expr *expr() const	{ return expr_; }
+
+	string ToCode(Env *env);
+
+private:
+	Expr *expr_;
+};
+
+class PPType : public PacPrimitive
+{
+public:
+	PPType(Expr *expr) : PacPrimitive(TYPE), expr_(expr) {}
+	Expr *expr() const	{ return expr_; }
+
+	string ToCode(Env *env);
+
+private:
+	Expr *expr_;
+};
+
+class PPConstDef : public PacPrimitive
+{
+public:
+	PPConstDef(const ID *id, Expr *expr) 
+		: PacPrimitive(CONST_DEF), 
+		  id_(id),
+		  expr_(expr) {}
+	const ID *id() const	{ return id_; }
+	Expr *expr() const	{ return expr_; }
+
+	string ToCode(Env *env);
+
+private:
+	const ID *id_;
+	Expr *expr_;
+};
+
+#endif  // pac_primitive_h
diff --git a/aux/binpac/src/pac_record.cc b/aux/binpac/src/pac_record.cc
new file mode 100644
index 0000000000..9875195033
--- /dev/null
+++ b/aux/binpac/src/pac_record.cc
@@ -0,0 +1,680 @@
+#include "pac_attr.h"
+#include "pac_dataptr.h"
+#include "pac_exception.h"
+#include "pac_expr.h"
+#include "pac_exttype.h"
+#include "pac_field.h"
+#include "pac_output.h"
+#include "pac_record.h"
+#include "pac_type.h"
+#include "pac_typedecl.h"
+#include "pac_utils.h"
+#include "pac_varfield.h"
+
+
+RecordType::RecordType(RecordFieldList* record_fields)
+	: Type(RECORD)
+	{
+	// Here we assume that the type is a standalone type.
+	value_var_ = 0;
+
+	// Put all fields in fields_
+	foreach (i, RecordFieldList, record_fields)
+		AddField(*i);
+
+	// Put RecordField's in record_fields_
+	record_fields_ = record_fields;
+
+	parsing_dataptr_var_field_ = 0;
+	}
+
+RecordType::~RecordType()
+	{
+	// Do not delete_list(RecordFieldList, record_fields_)
+	// because the fields are also in fields_.
+	delete record_fields_;
+	delete parsing_dataptr_var_field_;
+	}
+
+const ID *RecordType::parsing_dataptr_var() const
+	{ 
+	return parsing_dataptr_var_field_ ?
+		parsing_dataptr_var_field_->id() : 0;
+	}
+
+bool RecordType::DefineValueVar() const
+	{
+	return false;
+	}
+
+string RecordType::DataTypeStr() const
+	{
+	ASSERT(type_decl());
+	return strfmt("%s *", type_decl()->class_name().c_str());
+	}
+
+void RecordType::Prepare(Env* env, int flags)
+	{
+	ASSERT(flags & TO_BE_PARSED);
+
+	RecordField *prev = 0;
+	int offset = 0;
+	int seq = 0;
+	foreach (i, RecordFieldList, record_fields_)
+		{
+		RecordField *f = *i;
+		f->set_record_type(this);
+		f->set_prev(prev);
+		if ( prev )
+			prev->set_next(f);
+		prev = f;
+		if ( offset >= 0 )
+			{
+			f->set_static_offset(offset);
+			int w = f->StaticSize(env, offset);
+			if ( w < 0 )
+				offset = -1;
+			else
+				offset += w;
+			}
+		++seq;
+		f->set_parsing_state_seq(seq);
+		}
+
+	if ( incremental_parsing() )
+		{
+#if 0
+		ASSERT(! parsing_state_var_field_);
+		ID *parsing_state_var_id = new ID("parsing_state");
+		parsing_state_var_field_ = new PrivVarField(
+			parsing_state_var_id, extern_type_int->Clone());
+		AddField(parsing_state_var_field_);
+
+		ID *parsing_dataptr_var_id = new ID("parsing_dataptr");
+		parsing_dataptr_var_field_ = new TempVarField(
+			parsing_dataptr_var_id, extern_type_const_byteptr->Clone());
+		parsing_dataptr_var_field_->Prepare(env);
+#endif
+		}
+
+	Type::Prepare(env, flags);
+	}
+
+void RecordType::GenPubDecls(Output* out_h, Env* env)
+	{
+	Type::GenPubDecls(out_h, env);
+	}
+
+void RecordType::GenPrivDecls(Output* out_h, Env* env)
+	{
+	Type::GenPrivDecls(out_h, env);
+	}
+
+void RecordType::GenInitCode(Output* out_cc, Env* env)
+	{
+	Type::GenInitCode(out_cc, env);
+	}
+
+void RecordType::GenCleanUpCode(Output* out_cc, Env* env)
+	{
+	Type::GenCleanUpCode(out_cc, env);
+	}
+
+void RecordType::DoGenParseCode(Output* out_cc, Env* env, 
+		const DataPtr& data, int flags)
+	{
+	  if ( !incremental_input() && StaticSize(env) >= 0 )
+		GenBoundaryCheck(out_cc, env, data);
+
+	if ( incremental_parsing() )
+		{
+		out_cc->println("switch ( %s ) {",
+			env->LValue(parsing_state_id));
+
+		out_cc->println("case 0:");
+		out_cc->inc_indent();
+		foreach (i, RecordFieldList, record_fields_)
+			{
+			RecordField *f = *i;
+			f->GenParseCode(out_cc, env);
+			out_cc->println("");
+			}
+		out_cc->println("");
+		out_cc->println("%s = true;", 
+			env->LValue(parsing_complete_var()));
+		out_cc->dec_indent();
+		out_cc->println("}");
+		}
+	else
+		{
+		ASSERT(	data.id() == begin_of_data && 
+			data.offset() == 0 );
+		foreach (i, RecordFieldList, record_fields_)
+			{
+			RecordField *f = *i;
+			f->GenParseCode(out_cc, env);
+			out_cc->println("");
+			}
+		if ( incremental_input() )
+			{
+			ASSERT(parsing_complete_var());
+			out_cc->println("%s = true;", 
+				env->LValue(parsing_complete_var()));
+			}
+		}
+
+	if ( ! incremental_input() && AddSizeVar(out_cc, env) )
+		{
+		const DataPtr& end_of_record_dataptr = 
+			record_fields_->back()->getFieldEnd(out_cc, env);
+
+		out_cc->println("%s = %s - %s;", 
+			env->LValue(size_var()), 
+			end_of_record_dataptr.ptr_expr(), 
+			env->RValue(begin_of_data));
+		env->SetEvaluated(size_var());
+		}
+
+	if ( ! boundary_checked() )
+		{
+		RecordField *last_field = record_fields_->back();
+		if ( ! last_field->BoundaryChecked() )
+			GenBoundaryCheck(out_cc, env, data);
+		}
+	}
+
+void RecordType::GenDynamicSize(Output* out_cc, Env* env,
+		const DataPtr& data)
+	{
+	GenParseCode(out_cc, env, data, 0);
+	}
+
+int RecordType::StaticSize(Env* env) const
+	{
+	int tot_w = 0;
+	foreach (i, RecordFieldList, record_fields_)
+		{
+		RecordField *f = *i;
+		int w = f->StaticSize(env, tot_w);
+		if ( w < 0 )
+			return -1;
+		tot_w += w;
+		}
+	return tot_w;
+	}
+
+void RecordType::SetBoundaryChecked()
+	{
+	Type::SetBoundaryChecked();
+	foreach (i, RecordFieldList, record_fields_)
+		{
+		RecordField *f = *i;
+		f->SetBoundaryChecked();
+		}
+	}
+
+void RecordType::DoMarkIncrementalInput()
+	{
+	foreach (i, RecordFieldList, record_fields_)
+		{
+		RecordField *f = *i;
+		f->type()->MarkIncrementalInput();
+		}
+	}
+
+bool RecordType::DoTraverse(DataDepVisitor *visitor)
+	{
+	return Type::DoTraverse(visitor);
+	}
+
+bool RecordType::ByteOrderSensitive() const
+	{
+	foreach (i, RecordFieldList, record_fields_)
+		{
+		RecordField *f = *i;
+		if ( f->RequiresByteOrder() )
+			return true;
+		}
+	return false;
+	}
+
+RecordField::RecordField(FieldType tof, ID *id, Type *type)
+	: Field(tof, 
+		TYPE_TO_BE_PARSED | CLASS_MEMBER | PUBLIC_READABLE,
+		id, type)
+	{
+	begin_of_field_dataptr = 0;
+	end_of_field_dataptr = 0;
+	field_size_expr = 0;
+	field_offset_expr = 0;
+	end_of_field_dataptr_var = 0;
+	record_type_ = 0;
+	prev_ = 0;
+	next_ = 0;
+	static_offset_ = -1;
+	boundary_checked_ = false;
+	}
+
+RecordField::~RecordField()
+	{
+	delete begin_of_field_dataptr;
+	delete end_of_field_dataptr;
+	delete [] field_size_expr;
+	delete [] field_offset_expr;
+	delete end_of_field_dataptr_var;
+	}
+
+const DataPtr& RecordField::getFieldBegin(Output* out_cc, Env* env)
+	{
+	if ( prev() )
+		return prev()->getFieldEnd(out_cc, env);
+	else
+		{
+		// The first field
+		if ( ! begin_of_field_dataptr )
+			{
+			begin_of_field_dataptr = 
+				new DataPtr(env, begin_of_data, 0);
+			}
+		return *begin_of_field_dataptr;
+		}	
+	}
+
+const DataPtr& RecordField::getFieldEnd(Output* out_cc, Env* env)
+	{
+	if ( end_of_field_dataptr )
+		return *end_of_field_dataptr;
+
+	const DataPtr& begin_ptr = getFieldBegin(out_cc, env);
+
+	if ( record_type()->incremental_parsing() )
+		{
+		ASSERT(0);
+		if ( ! end_of_field_dataptr )
+			{
+			const ID *dataptr_var = 
+				record_type()->parsing_dataptr_var();
+			ASSERT(dataptr_var);
+
+			end_of_field_dataptr = 
+				new DataPtr(env, dataptr_var, 0);
+			}
+		}
+	else
+		{
+		int field_offset;
+		if ( begin_ptr.id() == begin_of_data )
+			field_offset = begin_ptr.offset();
+		else
+			field_offset = -1;	// unknown
+			
+		int field_size = StaticSize(env, field_offset);
+		if ( field_size >= 0 ) // can be statically determinted 
+			{
+			end_of_field_dataptr = new DataPtr(
+				env,
+				begin_ptr.id(), 
+				begin_ptr.offset() + field_size);
+			}
+		else
+			{
+			// If not, we add a variable for the offset after the field
+			end_of_field_dataptr_var = new ID(
+				fmt("dataptr_after_%s", id()->Name()));
+			env->AddID(end_of_field_dataptr_var, 
+		           	TEMP_VAR, 
+		           	extern_type_const_byteptr);
+
+			GenFieldEnd(out_cc, env, begin_ptr);
+
+			end_of_field_dataptr = new DataPtr(
+				env, 
+				end_of_field_dataptr_var, 
+				0);
+			}
+		}
+
+	return *end_of_field_dataptr;
+	}
+
+const char* RecordField::FieldSize(Output* out_cc, Env* env)
+	{
+	if ( field_size_expr )
+		return field_size_expr;
+
+	const DataPtr& begin = getFieldBegin(out_cc, env);
+	const DataPtr& end = getFieldEnd(out_cc, env);
+	if ( begin.id() == end.id() )
+		field_size_expr = nfmt("%d", end.offset() - begin.offset());
+	else
+		field_size_expr = nfmt("(%s - %s)", end.ptr_expr(), begin.ptr_expr());
+	return field_size_expr;
+	}
+
+const char* RecordField::FieldOffset(Output* out_cc, Env* env)
+	{
+	if ( field_offset_expr )
+		return field_offset_expr;
+
+	const DataPtr& begin = getFieldBegin(out_cc, env);
+	if ( begin.id() == begin_of_data )
+		field_offset_expr = nfmt("%d", begin.offset());
+	else
+		field_offset_expr = nfmt("(%s - %s)", 
+			begin.ptr_expr(), env->RValue(begin_of_data));
+	return field_offset_expr;
+	}
+
+// The reasoning behind AttemptBoundaryCheck is: "If my next field
+// can check its boundary, then I don't have to check mine, and it
+// will save me a boundary-check."
+bool RecordField::AttemptBoundaryCheck(Output* out_cc, Env* env)
+	{
+	if ( boundary_checked_ )
+		return true;
+
+	// If I do not even know my size till I parse the data, my
+	// next field won't be able to check its boundary now.  
+
+	const DataPtr& begin = getFieldBegin(out_cc, env);
+	if ( StaticSize(env, begin.AbsOffset(begin_of_data)) < 0 )
+		return false;
+
+	// Now we ask the next field to check its boundary. 
+	if ( next() && next()->AttemptBoundaryCheck(out_cc, env) ) 
+		{
+		// If it works, we are all set
+		SetBoundaryChecked();
+		return true;
+		}
+	else
+		// If it fails, then I can still try to do it by myself
+		return GenBoundaryCheck(out_cc, env);
+	}
+
+RecordDataField::RecordDataField(ID* id, Type* type)
+	: RecordField(RECORD_FIELD, id, type)
+	{
+	ASSERT(type_);
+	}
+
+RecordDataField::~RecordDataField()
+	{
+	}
+
+void RecordDataField::Prepare(Env* env)
+	{
+	Field::Prepare(env);
+	env->SetEvalMethod(id_, this);
+	env->SetField(id_, this);
+	}
+
+void RecordDataField::GenParseCode(Output* out_cc, Env* env)
+	{
+	if ( env->Evaluated(id()) )
+		return;
+
+	// Always evaluate record fields in order if parsing
+	// is incremental.
+	if ( record_type()->incremental_parsing() && prev() )
+		prev()->GenParseCode(out_cc, env);
+
+	DataPtr data(env, 0, 0);
+	if ( ! record_type()->incremental_parsing() )
+		{
+		data = getFieldBegin(out_cc, env);	
+		AttemptBoundaryCheck(out_cc, env);
+		}
+
+	out_cc->println("// Parse \"%s\"", id_->Name());
+#if 0
+	out_cc->println("DEBUG_MSG(\"%%.6f Parse %s\\n\", network_time());", 
+		id_->Name());
+#endif
+	type_->GenPreParsing(out_cc, env);
+	if ( type_->incremental_input() )
+		{
+		// The enclosing record type must be incrementally parsed
+		out_cc->println("%s = %d;", 
+			env->LValue(parsing_state_id),
+			parsing_state_seq());
+		out_cc->dec_indent();
+		out_cc->println("case %d:", parsing_state_seq());
+		out_cc->inc_indent();
+		out_cc->println("{");
+		}
+
+	type_->GenParseCode(out_cc, env, data, 0);
+
+	if ( record_type()->incremental_parsing() )
+		{
+		ASSERT(type_->incremental_input());
+
+		out_cc->println("if ( ! (%s) )", 
+			type_->parsing_complete(env).c_str());
+		out_cc->inc_indent();
+		out_cc->println("goto %s;", kNeedMoreData);
+		out_cc->dec_indent();
+		}
+
+	if ( record_type()->incremental_parsing() )
+		{
+#if 0
+		const ID *dataptr_var = 
+			record_type()->parsing_dataptr_var();
+		ASSERT(dataptr_var);
+		out_cc->println("%s += (%s);",
+			env->LValue(dataptr_var),
+			type_->DataSize(out_cc, env, data).c_str());
+#endif
+		out_cc->println("}");
+		}
+
+	SetBoundaryChecked();
+	}
+
+void RecordDataField::GenEval(Output* out_cc, Env* env)
+	{
+	GenParseCode(out_cc, env);
+	}
+
+void RecordDataField::GenFieldEnd(Output* out_cc, Env* env, 
+		const DataPtr& field_begin)
+	{
+	out_cc->println("const_byteptr const %s = %s + (%s);", 
+		env->LValue(end_of_field_dataptr_var),
+		field_begin.ptr_expr(),
+		type_->DataSize(out_cc, env, field_begin).c_str());
+	env->SetEvaluated(end_of_field_dataptr_var);
+
+	out_cc->println("BINPAC_ASSERT(%s <= %s);",
+		env->RValue(end_of_field_dataptr_var),
+		env->RValue(end_of_data));
+	}
+
+void RecordDataField::SetBoundaryChecked()
+	{
+	RecordField::SetBoundaryChecked();
+	type_->SetBoundaryChecked();
+	}
+
+bool RecordDataField::GenBoundaryCheck(Output* out_cc, Env* env)
+	{
+	if ( boundary_checked_ )
+		return true;
+
+	type_->GenBoundaryCheck(out_cc, env, getFieldBegin(out_cc, env));
+
+	SetBoundaryChecked();
+	return true;
+	}
+
+bool RecordDataField::DoTraverse(DataDepVisitor *visitor)
+	{ 
+	return Field::DoTraverse(visitor);
+	}
+
+bool RecordDataField::RequiresAnalyzerContext() const 
+	{ 
+	return Field::RequiresAnalyzerContext() ||
+	       type()->RequiresAnalyzerContext(); 
+	}
+
+RecordPaddingField::RecordPaddingField(ID* id, PaddingType ptype, Expr* expr)
+	: RecordField(PADDING_FIELD, id, 0), ptype_(ptype), expr_(expr)
+	{
+	wordsize_ = -1;
+	}
+
+RecordPaddingField::~RecordPaddingField()
+	{
+	}
+
+void RecordPaddingField::Prepare(Env* env)
+	{
+	Field::Prepare(env);
+	if ( ptype_ == PAD_TO_NEXT_WORD )
+		{
+		if ( ! expr_->ConstFold(env, &wordsize_) )
+			throw ExceptionPaddingError(this, 
+				fmt("padding word size not a constant"));
+		}
+	}
+
+void RecordPaddingField::GenParseCode(Output* out_cc, Env* env)
+	{
+	// Always evaluate record fields in order if parsing
+	// is incremental.
+	if ( record_type()->incremental_parsing() && prev() )
+		prev()->GenParseCode(out_cc, env);
+	}
+
+int RecordPaddingField::StaticSize(Env* env, int offset) const
+	{
+	int length;
+	int target_offset;
+	int offset_in_word;
+
+	switch ( ptype_ )
+		{
+		case PAD_BY_LENGTH:
+			return expr_->ConstFold(env, &length) ? length : -1;
+
+		case PAD_TO_OFFSET:
+			// If the current offset cannot be statically
+			// determined, we need to Generate code to
+			// check the offset
+			if ( offset == -1 )
+				return -1;
+
+			if ( ! expr_->ConstFold(env, &target_offset) )
+				return -1;
+
+			// If both the current and target offsets
+			// can be statically computed, we can get its
+			// static size
+			if ( offset > target_offset )
+				throw ExceptionPaddingError(
+					this,
+					fmt("current offset = %d, "
+					    "target offset = %d", 
+					    offset, target_offset));
+			return target_offset - offset;
+
+		case PAD_TO_NEXT_WORD:
+			if ( offset == -1 || wordsize_ == -1 )
+				return -1;
+
+			offset_in_word = offset % wordsize_;
+			return ( offset_in_word == 0 ) ? 
+				0 : wordsize_ - offset_in_word;
+		}
+
+	return -1;
+	}
+
+void RecordPaddingField::GenFieldEnd(Output* out_cc, Env* env, const DataPtr& field_begin)
+	{
+	ASSERT(! env->Evaluated(end_of_field_dataptr_var));
+
+	char* padding_var;
+	switch ( ptype_ )
+		{
+		case PAD_BY_LENGTH:
+			out_cc->println("const_byteptr const %s = %s + (%s);",
+				env->LValue(end_of_field_dataptr_var),
+				field_begin.ptr_expr(),
+				expr_->EvalExpr(out_cc, env));
+			break;
+
+		case PAD_TO_OFFSET:
+			out_cc->println("const_byteptr %s = %s + (%s);",
+				env->LValue(end_of_field_dataptr_var),
+				env->RValue(begin_of_data),
+				expr_->EvalExpr(out_cc, env));
+			out_cc->println("if ( %s < %s )",
+				env->LValue(end_of_field_dataptr_var),
+				field_begin.ptr_expr());
+			out_cc->inc_indent();
+			out_cc->println("{");
+			out_cc->println("// throw ExceptionInvalidOffset(\"%s\", %s - %s, %s);",
+				id_->LocName(), 
+				field_begin.ptr_expr(),
+				env->RValue(begin_of_data),
+				expr_->EvalExpr(out_cc, env));
+			out_cc->println("%s = %s;", 
+				env->LValue(end_of_field_dataptr_var),
+				field_begin.ptr_expr());
+			out_cc->println("}");
+			out_cc->dec_indent();
+			break;
+
+		case PAD_TO_NEXT_WORD:
+			padding_var = nfmt("%s__size", id()->Name());
+			out_cc->println("int %s = (%s - %s) %% %d;",
+				padding_var, 
+				field_begin.ptr_expr(),
+				env->RValue(begin_of_data),
+				wordsize_);
+			out_cc->println("%s = (%s == 0) ? 0 : %d - %s;",
+				padding_var,
+				padding_var,
+				wordsize_,
+				padding_var);
+			out_cc->println("const_byteptr const %s = %s + %s;",
+				env->LValue(end_of_field_dataptr_var), 
+				field_begin.ptr_expr(),
+				padding_var);
+			delete [] padding_var;
+			break;
+		}
+
+	env->SetEvaluated(end_of_field_dataptr_var);
+	}
+
+bool RecordPaddingField::GenBoundaryCheck(Output* out_cc, Env* env)
+	{
+	if ( boundary_checked_ )
+		return true;
+
+	const DataPtr& begin = getFieldBegin(out_cc, env);
+
+	char* size;
+	int ss = StaticSize(env, begin.AbsOffset(begin_of_data));
+	ASSERT ( ss >= 0 );
+ 	size = nfmt("%d", ss);
+	
+	begin.GenBoundaryCheck(out_cc, env, size, field_id_str_.c_str());
+
+	delete [] size;
+
+	SetBoundaryChecked();
+	return true;
+	}
+
+bool RecordPaddingField::DoTraverse(DataDepVisitor *visitor)
+	{ 
+	return Field::DoTraverse(visitor) && 
+	       (! expr_ || expr_->Traverse(visitor));
+	}
+
diff --git a/aux/binpac/src/pac_record.h b/aux/binpac/src/pac_record.h
new file mode 100644
index 0000000000..04daa3a9f4
--- /dev/null
+++ b/aux/binpac/src/pac_record.h
@@ -0,0 +1,169 @@
+#ifndef pac_record_h
+#define pac_record_h
+
+#include "pac_common.h"
+#include "pac_field.h"
+#include "pac_id.h"
+#include "pac_let.h"
+#include "pac_type.h"
+
+class RecordType : public Type
+{
+public:
+	RecordType(RecordFieldList* fields);
+	~RecordType();
+
+	bool DefineValueVar() const;
+	string DataTypeStr() const;
+
+	void Prepare(Env* env, int flags);
+
+	void GenPubDecls(Output* out, Env* env);
+	void GenPrivDecls(Output* out, Env* env);
+
+	void GenInitCode(Output* out, Env* env);
+	void GenCleanUpCode(Output* out, Env* env);
+
+	int StaticSize(Env* env) const;
+
+	void SetBoundaryChecked();
+
+	const ID *parsing_dataptr_var() const;
+
+	bool IsPointerType() const	{ ASSERT(0); return false; }
+
+protected:
+	void DoGenParseCode(Output* out, Env* env, const DataPtr& data, int flags);
+	void GenDynamicSize(Output* out, Env* env, const DataPtr& data);
+
+	Type *DoClone() const 	{ return 0; }
+
+	void DoMarkIncrementalInput();
+
+	bool DoTraverse(DataDepVisitor *visitor);
+	bool ByteOrderSensitive() const;
+
+private:
+	Field *parsing_dataptr_var_field_;
+	RecordFieldList* record_fields_;
+};
+
+// A data field of a record type. A RecordField corresponds to a
+// segment of input data, and therefore RecordField's are ordered---each
+// of them has a known previous and next field.
+
+class RecordField : public Field
+{
+public:
+	RecordField(FieldType tof, ID* id, Type *type);
+	~RecordField();
+
+	RecordType *record_type() const		{ return record_type_; }
+	void set_record_type(RecordType* ty) 	{ record_type_ = ty; }
+
+	virtual void GenParseCode(Output* out, Env* env) = 0;
+
+	RecordField* prev() const		{ return prev_; }
+	RecordField* next() const		{ return next_; }
+	void set_prev(RecordField* f) 		{ prev_ = f; }
+	void set_next(RecordField* f) 		{ next_ = f; }
+
+	int static_offset() const 		{ return static_offset_; }
+	void set_static_offset(int offset)	{ static_offset_ = offset; }
+
+	int parsing_state_seq() const		{ return parsing_state_seq_; }
+	void set_parsing_state_seq(int x) 	{ parsing_state_seq_ = x; }
+
+	virtual int StaticSize(Env* env, int offset) const = 0;
+	const char* FieldSize(Output* out, Env* env);
+	const char* FieldOffset(Output* out, Env* env);
+
+	virtual bool BoundaryChecked() const	{ return boundary_checked_; }
+	virtual void SetBoundaryChecked()	{ boundary_checked_ = true; }
+
+	virtual bool RequiresByteOrder() const = 0;
+
+	friend class RecordType;
+
+protected:
+	RecordType* record_type_;
+	RecordField* prev_;
+	RecordField* next_;
+	bool boundary_checked_;
+	int static_offset_;
+	int parsing_state_seq_;
+
+	DataPtr* begin_of_field_dataptr;
+	DataPtr* end_of_field_dataptr;
+	char* field_size_expr;
+	char* field_offset_expr;
+	ID* end_of_field_dataptr_var;
+
+	const DataPtr& getFieldBegin(Output* out_cc, Env* env);
+	const DataPtr& getFieldEnd(Output* out_cc, Env* env);
+	virtual void GenFieldEnd(Output* out, Env* env, const DataPtr& begin) = 0; 
+
+	bool AttemptBoundaryCheck(Output* out_cc, Env* env);
+	virtual bool GenBoundaryCheck(Output* out_cc, Env* env) = 0;
+};
+
+class RecordDataField : public RecordField, public Evaluatable
+{
+public:
+	RecordDataField(ID* arg_id, Type* arg_type);
+	~RecordDataField();
+
+	// Instantiates abstract class Field
+	void Prepare(Env* env);
+	void GenParseCode(Output* out, Env* env);
+
+	// Instantiates abstract class Evaluatable
+	void GenEval(Output* out, Env* env);
+
+	int StaticSize(Env* env, int) const 	{ return type()->StaticSize(env); }
+
+	void SetBoundaryChecked();
+
+	bool RequiresByteOrder() const
+		{ return type()->RequiresByteOrder(); }
+	bool RequiresAnalyzerContext() const;
+
+protected:
+	void GenFieldEnd(Output* out, Env* env, const DataPtr& begin); 
+	bool GenBoundaryCheck(Output* out_cc, Env* env);
+	bool DoTraverse(DataDepVisitor *visitor);
+};
+
+enum PaddingType { PAD_BY_LENGTH, PAD_TO_OFFSET, PAD_TO_NEXT_WORD };
+
+class RecordPaddingField : public RecordField
+{
+public:
+	RecordPaddingField(ID* id, PaddingType ptype, Expr* expr);
+	~RecordPaddingField();
+
+	void Prepare(Env* env);
+
+	void GenPubDecls(Output* out, Env* env) 	{ /* nothing */ }
+	void GenPrivDecls(Output* out, Env* env) 	{ /* nothing */ }
+
+	void GenInitCode(Output* out, Env* env) 	{ /* nothing */ }
+	void GenCleanUpCode(Output* out, Env* env)	{ /* nothing */ }
+	void GenParseCode(Output* out, Env* env);
+
+	int StaticSize(Env* env, int offset) const;
+
+	bool RequiresByteOrder() const		{ return false; }
+
+protected:
+	void GenFieldEnd(Output* out, Env* env, const DataPtr& begin); 
+	bool GenBoundaryCheck(Output* out_cc, Env* env);
+	bool DoTraverse(DataDepVisitor *visitor);
+
+private:
+	PaddingType ptype_;
+	Expr* expr_;
+	int wordsize_;
+};
+
+#endif  // pac_record_h
diff --git a/aux/binpac/src/pac_redef.cc b/aux/binpac/src/pac_redef.cc
new file mode 100644
index 0000000000..9f09b457bd
--- /dev/null
+++ b/aux/binpac/src/pac_redef.cc
@@ -0,0 +1,173 @@
+#include "pac_analyzer.h"
+#include "pac_case.h"
+#include "pac_exception.h"
+#include "pac_expr.h"
+#include "pac_func.h"
+#include "pac_record.h"
+#include "pac_redef.h"
+#include "pac_type.h"
+#include "pac_typedecl.h"
+
+namespace {
+
+Decl *find_decl(const ID *id)
+	{
+	Decl *decl = Decl::LookUpDecl(id);
+	if ( ! decl )
+		{
+		throw Exception(id, 
+		                fmt("cannot find declaration for %s", 
+		                    id->Name()));
+		}
+
+	return decl;
+	}
+
+}
+
+Decl *ProcessTypeRedef(const ID *id, FieldList *fieldlist)
+	{
+	Decl *decl = find_decl(id);
+
+	if ( decl->decl_type() != Decl::TYPE )
+		{
+		throw Exception(id, 
+		                fmt("not a type declaration: %s", 
+		                    id->Name()));
+		}
+
+	TypeDecl *type_decl = static_cast<TypeDecl *>(decl);
+	ASSERT(type_decl);
+	Type *type = type_decl->type();
+
+	foreach(i, FieldList, fieldlist)
+		{
+		Field *f = *i;
+
+		// One cannot change data layout in 'redef'.
+		// Only 'let' or 'action' can be added
+		if ( f->tof() == LET_FIELD ||
+		     f->tof() == WITHINPUT_FIELD )
+			{
+			type->AddField(f);
+			}
+		else if ( f->tof() == RECORD_FIELD || 
+		          f->tof() == PADDING_FIELD )
+			{
+			throw Exception(f, 
+				"cannot change data layout in redef");
+			}
+		else if ( f->tof() == CASE_FIELD )
+			{
+			throw Exception(f, 
+				"use 'redef case' adding cases");
+			}
+		}
+
+	return decl;
+	}
+
+Decl *ProcessCaseTypeRedef(const ID *id, CaseFieldList *casefieldlist)
+	{
+	Decl *decl = find_decl(id);
+
+	if ( decl->decl_type() != Decl::TYPE )
+		{
+		throw Exception(id, 
+		                fmt("not a type declaration: %s", 
+		                    id->Name()));
+		}
+
+	TypeDecl *type_decl = static_cast<TypeDecl *>(decl);
+	ASSERT(type_decl);
+
+	Type *type = type_decl->type();
+	if ( type->tot() != Type::CASE )
+		{
+		throw Exception(id, 
+		                fmt("not a case type: %s", 
+		                    id->Name()));
+		}
+
+	CaseType *casetype = static_cast<CaseType*>(type);
+	ASSERT(casetype);
+
+	foreach(i, CaseFieldList, casefieldlist)
+		{
+		CaseField *f = *i;
+		casetype->AddCaseField(f);
+		}
+
+	return decl;
+	}
+
+Decl *ProcessCaseExprRedef(const ID *id, CaseExprList *caseexprlist)
+	{
+	Decl *decl = find_decl(id);
+
+	if ( decl->decl_type() != Decl::FUNC )
+		{
+		throw Exception(id, 
+		                fmt("not a function declaration: %s", 
+		                    id->Name()));
+		}
+
+	FuncDecl *func_decl = static_cast<FuncDecl *>(decl);
+	ASSERT(func_decl);
+
+	Expr *expr = func_decl->function()->expr();
+	if ( ! expr ||expr->expr_type() != Expr::EXPR_CASE )
+		{
+		throw Exception(id, 
+		                fmt("function not defined by a case expression: %s", 
+		                    id->Name()));
+		}
+
+	foreach(i, CaseExprList, caseexprlist)
+		{
+		CaseExpr *e = *i;
+		expr->AddCaseExpr(e);
+		}
+	
+	return decl;
+	}
+
+Decl *ProcessAnalyzerRedef(const ID *id, 
+		Decl::DeclType decl_type, 
+		AnalyzerElementList *elements)
+	{
+	Decl *decl = find_decl(id);
+
+	if ( decl->decl_type() != decl_type )
+		{
+		throw Exception(id, 
+		                fmt("not a connection/flow declaration: %s", 
+		                    id->Name()));
+		}
+
+	AnalyzerDecl *analyzer_decl = static_cast<AnalyzerDecl *>(decl);
+	ASSERT(analyzer_decl);
+
+	analyzer_decl->AddElements(elements);
+
+	return decl;
+	}
+
+Decl *ProcessTypeAttrRedef(const ID *id, AttrList *attrlist)
+	{
+	Decl *decl = find_decl(id);
+
+	if ( decl->decl_type() != Decl::TYPE )
+		{
+		throw Exception(id, 
+		                fmt("not a type declaration: %s", 
+		                    id->Name()));
+		}
+
+	TypeDecl *type_decl = static_cast<TypeDecl *>(decl);
+	ASSERT(type_decl);
+
+	type_decl->AddAttrs(attrlist);
+
+	return decl;
+	}
diff --git a/aux/binpac/src/pac_redef.h b/aux/binpac/src/pac_redef.h
new file mode 100644
index 0000000000..9a9c3030c4
--- /dev/null
+++ b/aux/binpac/src/pac_redef.h
@@ -0,0 +1,13 @@
+#ifndef pac_redef_h
+#define pac_redef_h
+
+#include "pac_decl.h"
+
+Decl *ProcessCaseTypeRedef(const ID *id, CaseFieldList *casefieldlist);
+Decl *ProcessCaseExprRedef(const ID *id, CaseExprList *caseexprlist);
+Decl *ProcessAnalyzerRedef(const ID *id, 
+			Decl::DeclType decl_type, 
+			AnalyzerElementList *elements);
+Decl *ProcessTypeAttrRedef(const ID *id, AttrList *attrlist);
+
+#endif  // pac_redef_h
diff --git a/aux/binpac/src/pac_regex.cc b/aux/binpac/src/pac_regex.cc
new file mode 100644
index 0000000000..6265c02876
--- /dev/null
+++ b/aux/binpac/src/pac_regex.cc
@@ -0,0 +1,82 @@
+#include "pac_exttype.h"
+#include "pac_id.h"
+#include "pac_output.h"
+#include "pac_regex.h"
+#include "pac_type.h"
+
+// Depends on the regular expression library we are using
+const char *RegEx::kREMatcherType = "RegExMatcher";
+const char *RegEx::kMatchPrefix = "MatchPrefix";
+
+string escape_char(const string &s)
+	{
+	char buf[s.length() * 2 + 1];
+	int j = 0;
+	for ( int i = 0; i < (int) s.length(); ++i )
+		{
+		if ( s[i] == '\\' )
+			{
+			if ( i + 1 < (int) s.length() ) 
+				{
+				buf[j++] = '\\';
+				if ( s[i+1] == '/' )
+					buf[j-1] = s[++i];
+				else if ( s[i+1] == '/' || s[i+1] == '\\' || s[i+1] == '"' )
+					buf[j++] = s[++i];
+				else
+					buf[j++] = '\\';
+				}
+			}
+		else if ( s[i] == '"' )
+			{
+			buf[j++] = '\\';
+			buf[j++] = '"';
+			}
+		else
+			{
+			buf[j++] = s[i];
+			}
+		}
+
+	buf[j++] = '\0';
+
+	return string(buf);
+	}
+
+RegEx::RegEx(const string &s)
+	{
+	str_ = escape_char(s);
+	string prefix = strfmt("%s_re_", current_decl_id->Name());
+	matcher_id_ = ID::NewAnonymousID(prefix);
+	decl_ = new RegExDecl(this);
+	}
+
+RegEx::~RegEx()
+	{
+	}
+
+RegExDecl::RegExDecl(RegEx *regex)
+	: Decl(regex->matcher_id(), REGEX)
+	{
+	regex_ = regex;
+	}
+
+void RegExDecl::Prepare()
+	{
+	global_env()->AddID(id(), GLOBAL_VAR, extern_type_re_matcher);
+	}
+
+void RegExDecl::GenForwardDeclaration(Output *out_h)
+	{
+	out_h->println("extern %s %s;\n", 
+		RegEx::kREMatcherType,
+		global_env()->LValue(regex_->matcher_id()));
+	}
+
+void RegExDecl::GenCode(Output *out_h, Output *out_cc)
+	{
+	out_cc->println("%s %s(\"%s\");\n", 
+		RegEx::kREMatcherType,
+		global_env()->LValue(regex_->matcher_id()),
+		regex_->str().c_str());
+	}
diff --git a/aux/binpac/src/pac_regex.h b/aux/binpac/src/pac_regex.h
new file mode 100644
index 0000000000..47c601b729
--- /dev/null
+++ b/aux/binpac/src/pac_regex.h
@@ -0,0 +1,41 @@
+#ifndef pac_regex_h
+#define pac_regex_h
+
+#include "pac_common.h"
+#include "pac_decl.h"
+
+class RegExDecl;
+
+class RegEx : public Object
+{
+public:
+	RegEx(const string &str);
+	~RegEx();
+
+	const string &str() const	{ return str_; }
+	ID *matcher_id() const		{ return matcher_id_; }
+
+private:
+	string str_;
+	ID *matcher_id_;
+	RegExDecl *decl_;
+
+public:
+	static const char *kREMatcherType;
+	static const char *kMatchPrefix;
+};
+
+class RegExDecl : public Decl
+{
+public:
+	RegExDecl(RegEx *regex);
+
+	void Prepare();
+	void GenForwardDeclaration(Output *out_h); 
+	void GenCode(Output *out_h, Output *out_cc);
+
+private:
+	RegEx *regex_;
+};
+
+#endif  // pac_regex_h
diff --git a/aux/binpac/src/pac_scan.ll b/aux/binpac/src/pac_scan.ll
new file mode 100644
index 0000000000..ec435ea4ea
--- /dev/null
+++ b/aux/binpac/src/pac_scan.ll
@@ -0,0 +1,356 @@
+%{
+// $Id: pac_scan.ll 3361 2006-07-06 18:06:49Z rpang $
+
+#include "pac_action.h"
+#include "pac_array.h"
+#include "pac_attr.h"
+#include "pac_case.h"
+#include "pac_common.h"
+#include "pac_conn.h"
+#include "pac_dataptr.h"
+#include "pac_dataunit.h"
+#include "pac_dbg.h"
+#include "pac_decl.h"
+#include "pac_exception.h"
+#include "pac_expr.h"
+#include "pac_flow.h"
+#include "pac_id.h"
+#include "pac_number.h"
+#include "pac_output.h"
+#include "pac_param.h"
+#include "pac_parse.h"
+#include "pac_record.h"
+#include "pac_type.h"
+#include "pac_utils.h"
+
+int line_number = 1;
+
+int begin_pac_primitive(int tok);
+int end_pac_primitive();
+
+int string_token(int tok)
+	{
+	yylval.str = copy_string(yytext);
+	return tok;
+	}
+
+int char_token(int tok)
+	{
+	yylval.val = yytext[0];
+	return tok;
+	}
+
+void include_file(const char *filename);
+
+%}
+
+/* EC -- embedded code state */
+/* PP -- PAC primitive state */
+/* INCL -- @include line */
+
+%s EC INCL PP RE
+
+WS	[ \t]+
+ID	[A-Za-z_][A-Za-z_0-9]*
+D	[0-9]+
+HEX	[0-9a-fA-F]+
+FILE	[A-Za-z._0-9\-]+
+ESCSEQ	(\\([^\n]|[0-7]{3}|x[[:xdigit:]]{2}))
+
+%option nounput
+
+%%
+
+<INITIAL>"%include"		{
+				BEGIN(INCL);
+				}
+
+<INCL>{WS}			/* skip whitespace */
+
+<INCL>{FILE}			{
+				BEGIN(INITIAL);
+				include_file(yytext);
+				}
+
+<INITIAL>"%extern{"		{
+				BEGIN(EC);
+				return TOK_LPB_EXTERN;
+				}
+<INITIAL>"%header{"		{
+				BEGIN(EC);
+				return TOK_LPB_HEADER;
+				}
+<INITIAL>"%code{"		{
+				BEGIN(EC);
+				return TOK_LPB_CODE;
+				}
+<INITIAL>"%init{"		{
+				BEGIN(EC);
+				return TOK_LPB_INIT;
+				}
+<INITIAL>"%cleanup{"		{
+				BEGIN(EC);
+				return TOK_LPB_CLEANUP;
+				}
+<INITIAL>"%member{"		{
+				BEGIN(EC);
+				return TOK_LPB_MEMBER;
+				}
+<INITIAL>"%eof{"		{
+				BEGIN(EC);
+				return TOK_LPB_EOF;
+				}
+<INITIAL>"%{"			{
+				BEGIN(EC);
+				return TOK_LPB;
+				}
+<EC>"%}"			{
+				BEGIN(INITIAL);
+				return TOK_RPB;
+				}
+
+<EC>"${"			return begin_pac_primitive(TOK_PAC_VAL);
+<EC>"$set{"			return begin_pac_primitive(TOK_PAC_SET); 
+<EC>"$type{"			return begin_pac_primitive(TOK_PAC_TYPE);
+<EC>"$typeof{"			return begin_pac_primitive(TOK_PAC_TYPEOF);
+<EC>"$const_def{"		return begin_pac_primitive(TOK_PAC_CONST_DEF);
+
+<EC>"//".*			return string_token(TOK_EMBEDDED_STRING);
+<EC>.				return char_token(TOK_EMBEDDED_ATOM);
+<EC>\n				{ ++line_number; return char_token(TOK_EMBEDDED_ATOM); }
+
+<PP>"}"				return end_pac_primitive();
+
+<INITIAL,PP>\n			++line_number;
+<INITIAL>#.*			/* eat comments */
+<INITIAL,PP>{WS}		/* eat whitespace */
+
+<INITIAL>"RE/"			{
+				BEGIN(RE);
+				return TOK_BEGIN_RE;
+				}
+
+<RE>([^/\\\n]|{ESCSEQ})+	return string_token(TOK_REGEX);
+
+<RE>"/"				{
+				BEGIN(INITIAL);
+				return TOK_END_RE;
+				}
+
+<RE>[\\\n]			return yytext[0];
+
+<INITIAL>analyzer		return TOK_ANALYZER;
+<INITIAL>enum			return TOK_ENUM;
+<INITIAL>extern			return TOK_EXTERN;
+<INITIAL>flow			return TOK_FLOW;
+<INITIAL>function		return TOK_FUNCTION;
+<INITIAL>let			return TOK_LET;
+<INITIAL>refine			return TOK_REFINE;
+<INITIAL>type			return TOK_TYPE;
+
+<INITIAL>align			return TOK_ALIGN;
+<INITIAL>case			return TOK_CASE;
+<INITIAL>casefunc		return TOK_CASEFUNC;
+<INITIAL>casetype		return TOK_CASETYPE;
+<INITIAL>connection		return TOK_CONNECTION;
+<INITIAL>datagram		{
+				yylval.val = AnalyzerDataUnit::DATAGRAM;
+				return TOK_DATAUNIT;
+				}
+<INITIAL>default 		return TOK_DEFAULT;
+<INITIAL>downflow		{
+				yylval.val = AnalyzerFlow::DOWN;
+				return TOK_FLOWDIR;
+				}
+<INITIAL>flowunit		{
+				yylval.val = AnalyzerDataUnit::FLOWUNIT;
+				return TOK_DATAUNIT;
+				}
+<INITIAL>of			return TOK_OF;
+<INITIAL>offsetof 		return TOK_OFFSETOF;
+<INITIAL>padding		return TOK_PADDING;
+<INITIAL>record			return TOK_RECORD;
+<INITIAL>sizeof			return TOK_SIZEOF;
+<INITIAL>to			return TOK_TO;
+<INITIAL>typeattr		return TOK_TYPEATTR;
+<INITIAL>upflow			{
+				yylval.val = AnalyzerFlow::UP;
+				return TOK_FLOWDIR;
+				}
+<INITIAL>withcontext		return TOK_WITHCONTEXT;
+<INITIAL>withinput		return TOK_WITHINPUT;
+
+<INITIAL>&also			return TOK_ATTR_ALSO;
+<INITIAL>&byteorder		return TOK_ATTR_BYTEORDER;
+<INITIAL>&check			return TOK_ATTR_CHECK;
+<INITIAL>&chunked		return TOK_ATTR_CHUNKED;
+<INITIAL>&exportsourcedata	return TOK_ATTR_EXPORTSOURCEDATA;
+<INITIAL>&if			return TOK_ATTR_IF;
+<INITIAL>&length		return TOK_ATTR_LENGTH;
+<INITIAL>&let			return TOK_ATTR_LET;
+<INITIAL>&linebreaker		return TOK_ATTR_LINEBREAKER;
+<INITIAL>&oneline		return TOK_ATTR_ONELINE;
+<INITIAL>&refcount		return TOK_ATTR_REFCOUNT;
+<INITIAL>&requires		return TOK_ATTR_REQUIRES;
+<INITIAL>&restofdata		return TOK_ATTR_RESTOFDATA;
+<INITIAL>&restofflow		return TOK_ATTR_RESTOFFLOW;
+<INITIAL>&transient		return TOK_ATTR_TRANSIENT;
+<INITIAL>&until			return TOK_ATTR_UNTIL;
+
+<INITIAL,PP>"0x"{HEX}		{
+				int n;
+				sscanf(yytext + 2, "%x", &n);
+				yylval.num = new Number(yytext, n);
+				return TOK_NUMBER;
+				}
+
+<INITIAL,PP>{D}			{
+				int n;
+				sscanf(yytext, "%d", &n);
+				yylval.num = new Number(yytext, n);
+				return TOK_NUMBER;
+				}
+
+<INITIAL,PP>{ID}		{
+				yylval.id = new ID(yytext);
+				return TOK_ID;
+				}
+
+<INITIAL>"$"{ID}		{
+				yylval.id = new ID(yytext);
+				return TOK_ID;
+				}
+
+<INITIAL>\"([^\\\n\"]|{ESCSEQ})*\" return string_token(TOK_STRING);
+
+<INITIAL,PP>"=="		return TOK_EQUAL;
+<INITIAL,PP>"!="		return TOK_NEQ;
+<INITIAL,PP>">="		return TOK_GE;
+<INITIAL,PP>"<="		return TOK_LE;
+<INITIAL,PP>"<<"		return TOK_LSHIFT;
+<INITIAL,PP>">>"		return TOK_RSHIFT;
+<INITIAL,PP>"&&"		return TOK_AND;
+<INITIAL,PP>"||"		return TOK_OR;
+<INITIAL,PP>"+="		return TOK_PLUSEQ;
+<INITIAL>"->"			return TOK_RIGHTARROW;
+
+<INITIAL,PP>[\.!%*/+\-&|\^,:;<=>?()\[\]{}~]	return yytext[0];
+
+%%
+
+void begin_RE()
+	{
+	BEGIN(RE);
+	}
+
+void end_RE()
+	{
+	BEGIN(INITIAL);
+	}
+
+// The DECL state is deprecated
+void begin_decl()
+	{
+	// BEGIN(DECL);
+	}
+
+void end_decl()
+	{
+	// BEGIN(INITIAL);
+	}
+
+int begin_pac_primitive(int tok)
+	{
+	BEGIN(PP);
+	return tok;
+	}
+
+int end_pac_primitive()
+	{
+	BEGIN(EC);
+	return TOK_END_PAC;
+	}
+
+const int MAX_INCLUDE_DEPTH = 100;
+
+struct IncludeState {
+	YY_BUFFER_STATE yystate;
+	string input_filename;
+	int line_number;
+};
+
+IncludeState include_stack[MAX_INCLUDE_DEPTH];
+int include_stack_ptr = 0;
+
+void switch_to_file(FILE *fp)
+	{
+	yy_switch_to_buffer(yy_create_buffer(fp, YY_BUF_SIZE));
+	}
+
+void switch_to_file(const char *filename)
+	{
+	if ( include_stack_ptr >= MAX_INCLUDE_DEPTH )
+		{
+		fprintf( stderr, "Includes nested too deeply" );
+		exit( 1 );
+		}
+
+	IncludeState state = 
+		{ YY_CURRENT_BUFFER, input_filename, line_number };
+	include_stack[include_stack_ptr++] = state;
+
+	FILE *fp = fopen(filename, "r");
+
+	if ( ! fp )
+		{
+		fprintf(stderr, "%s:%d: error: cannot include file \"%s\"\n", 
+			input_filename.c_str(), line_number,filename);
+		--include_stack_ptr;
+		return;
+		}
+
+	yyin = fp;
+	input_filename = string(filename);
+	line_number = 1;
+	switch_to_file(yyin);
+	fprintf(stderr, "switching to file %s\n", input_filename.c_str());
+	}
+
+void include_file(const char *filename)
+	{
+	ASSERT(filename);
+
+	string full_filename;
+	if ( filename[0] == '/' || filename[0] == '.' )
+		full_filename = filename;
+	else
+		{
+		int i;
+		for ( i = 0; i < (int) FLAGS_include_directories.size(); ++i )
+			{
+			full_filename = FLAGS_include_directories[i] + filename;
+			DEBUG_MSG("Try include file: \"%s\"\n", 
+				full_filename.c_str());
+			if ( access(full_filename.c_str(), R_OK) == 0 )
+				break;
+			}
+		if ( i >= (int) FLAGS_include_directories.size() )
+			full_filename = filename;
+		}
+
+	switch_to_file(full_filename.c_str());
+	}
+
+int yywrap()
+	{
+	yy_delete_buffer(YY_CURRENT_BUFFER);
+	--include_stack_ptr;
+	if ( include_stack_ptr < 0 )
+		return 1;
+
+	IncludeState state = include_stack[include_stack_ptr];
+	yy_switch_to_buffer(state.yystate);
+	input_filename = state.input_filename;
+	line_number = state.line_number;
+	return 0;
+	}
diff --git a/aux/binpac/src/pac_state.cc b/aux/binpac/src/pac_state.cc
new file mode 100644
index 0000000000..83ee974391
--- /dev/null
+++ b/aux/binpac/src/pac_state.cc
@@ -0,0 +1,36 @@
+#include "pac_id.h"
+#include "pac_output.h"
+#include "pac_type.h"
+
+#include "pac_state.h"
+
+void StateVar::GenDecl(Output *out_h, Env *env)
+	{
+	out_h->println("%s %s;", 
+		type_->DataTypeStr().c_str(), 
+		env->LValue(id_));
+	}
+
+void StateVar::GenAccessFunction(Output *out_h, Env *env)
+	{
+	out_h->println("%s %s const	{ return %s; }", 
+		type_->DataTypeConstRefStr().c_str(), 
+		env->RValue(id_), 
+		env->LValue(id_));
+	}
+
+void StateVar::GenSetFunction(Output *out_h, Env *env)
+	{
+	out_h->println("void %s(%s x) 	{ %s = x; }", 
+		set_function(id_).c_str(),
+		type_->DataTypeConstRefStr().c_str(), 
+		env->LValue(id_));
+	}
+
+void StateVar::GenInitCode(Output *out_cc, Env *env)
+	{
+	}
+
+void StateVar::GenCleanUpCode(Output *out_cc, Env *env)
+	{
+	}
diff --git a/aux/binpac/src/pac_state.h b/aux/binpac/src/pac_state.h
new file mode 100644
index 0000000000..82bb580f47
--- /dev/null
+++ b/aux/binpac/src/pac_state.h
@@ -0,0 +1,28 @@
+#ifndef pac_state_h
+#define pac_state_h
+
+// Classes representing analyzer states.
+
+#include "pac_common.h"
+
+class StateVar
+{
+public:
+	StateVar(ID *id, Type *type)
+		: id_(id), type_(type) {}
+
+	const ID *id() const	{ return id_; }
+	Type *type() const	{ return type_; }
+
+	void GenDecl(Output *out_h, Env *env);
+	void GenAccessFunction(Output *out_h, Env *env);
+	void GenSetFunction(Output *out_h, Env *env);
+	void GenInitCode(Output *out_cc, Env *env);
+	void GenCleanUpCode(Output *out_cc, Env *env);
+
+private:
+	ID *id_;
+	Type *type_;
+};
+
+#endif  // pac_state_h
diff --git a/aux/binpac/src/pac_strtype.cc b/aux/binpac/src/pac_strtype.cc
new file mode 100644
index 0000000000..48e1eb5ad0
--- /dev/null
+++ b/aux/binpac/src/pac_strtype.cc
@@ -0,0 +1,425 @@
+#include "pac_attr.h"
+#include "pac_btype.h"
+#include "pac_cstr.h"
+#include "pac_dataptr.h"
+#include "pac_exception.h"
+#include "pac_expr.h"
+#include "pac_exttype.h"
+#include "pac_id.h"
+#include "pac_output.h"
+#include "pac_regex.h"
+#include "pac_strtype.h"
+#include "pac_varfield.h"
+
+const char *StringType::kStringTypeName = "bytestring";
+const char *StringType::kConstStringTypeName = "const_bytestring";
+
+StringType::StringType(StringTypeEnum anystr)
+	: Type(STRING), type_(ANYSTR), str_(0), regex_(0)
+	{
+	ASSERT(anystr == ANYSTR);
+	init();
+	}
+
+StringType::StringType(ConstString *str)
+	: Type(STRING), type_(CSTR), str_(str), regex_(0)
+	{
+	init();
+	}
+
+StringType::StringType(RegEx *regex)
+	: Type(STRING), type_(REGEX), str_(0), regex_(regex)
+	{
+	ASSERT(regex_);
+	init();
+	}
+
+void StringType::init()
+	{
+	string_length_var_field_ = 0;
+	elem_datatype_ = new BuiltInType(BuiltInType::UINT8);
+	}
+
+StringType::~StringType()
+	{
+	// TODO: Unref for Objects
+	// Question: why Unref?
+	// 
+	// Unref(str_);
+	// Unref(regex_);
+
+	delete string_length_var_field_;
+	delete elem_datatype_;
+	}
+
+Type *StringType::DoClone() const
+	{
+	StringType *clone;
+
+	switch ( type_ )
+		{
+		case ANYSTR:
+			clone = new StringType(ANYSTR);
+			break;
+		case CSTR:
+			clone = new StringType(str_);
+			break;
+		case REGEX:
+			clone = new StringType(regex_);
+			break;
+		default:
+			ASSERT(0);
+			return 0;
+		}
+
+	return clone;
+	}
+
+bool StringType::DefineValueVar() const
+	{
+	return true;
+	}
+
+string StringType::DataTypeStr() const
+	{
+	return strfmt("%s", 
+		persistent() ? kStringTypeName : kConstStringTypeName);
+	}
+
+Type *StringType::ElementDataType() const
+	{
+	return elem_datatype_;
+	}
+
+void StringType::ProcessAttr(Attr *a)
+	{
+	Type::ProcessAttr(a);
+
+	switch ( a->type() )
+		{
+		case ATTR_CHUNKED:
+			{
+			if ( type_ != ANYSTR )
+				{
+				throw Exception(a, 
+					"&chunked can be applied"
+					" to only type bytestring");
+				}
+			attr_chunked_ = true;
+			SetBoundaryChecked();
+			}
+			break;
+
+		case ATTR_RESTOFDATA:
+			{
+			if ( type_ != ANYSTR )
+				{
+				throw Exception(a, 
+					"&restofdata can be applied"
+					" to only type bytestring");
+				}
+			attr_restofdata_ = true;
+			// As the string automatically extends to the end of 
+			// data, we do not have to check boundary.
+			SetBoundaryChecked();
+			}
+			break;
+
+		case ATTR_RESTOFFLOW:
+			{
+			if ( type_ != ANYSTR )
+				{
+				throw Exception(a, 
+					"&restofflow can be applied"
+					" to only type bytestring");
+				}
+			attr_restofflow_ = true;
+			// As the string automatically extends to the end of 
+			// flow, we do not have to check boundary.
+			SetBoundaryChecked();
+			}
+			break;
+
+		default:
+			break;
+		}
+	}
+
+void StringType::Prepare(Env* env, int flags)
+	{
+	if ( (flags & TO_BE_PARSED) && StaticSize(env) < 0 )
+		{
+		ID *string_length_var = new ID(fmt("%s_string_length", 
+			value_var() ? value_var()->Name() : "val"));
+		string_length_var_field_ = new TempVarField(
+			string_length_var, extern_type_int->Clone());
+		string_length_var_field_->Prepare(env);
+		}
+	Type::Prepare(env, flags);
+	}
+
+void StringType::GenPubDecls(Output* out_h, Env* env)
+	{
+	Type::GenPubDecls(out_h, env);
+	}
+
+void StringType::GenPrivDecls(Output* out_h, Env* env)
+	{
+	Type::GenPrivDecls(out_h, env);
+	}
+
+void StringType::GenInitCode(Output* out_cc, Env* env)
+	{
+	Type::GenInitCode(out_cc, env);
+	}
+
+void StringType::GenCleanUpCode(Output* out_cc, Env* env)
+	{
+	Type::GenCleanUpCode(out_cc, env);
+	if ( persistent() )
+		out_cc->println("%s.free();", env->LValue(value_var()));
+	}
+
+void StringType::DoMarkIncrementalInput()
+	{
+	if ( attr_restofflow_ )
+		{
+		// Do nothing
+		ASSERT(type_ == ANYSTR);
+		}
+	else
+		{
+		Type::DoMarkIncrementalInput();
+		}
+	}
+
+int StringType::StaticSize(Env* env) const
+	{
+	switch ( type_ )
+		{
+		case CSTR:
+			// Use length of the unescaped string
+			return str_->unescaped().length();
+		case REGEX:
+			// TODO: static size for a regular expression?
+		case ANYSTR:
+			return -1;
+
+		default:
+			ASSERT(0);
+			return -1;
+		}
+	}
+
+const ID *StringType::string_length_var() const
+	{
+	return string_length_var_field_ ? string_length_var_field_->id() : 0;
+	}
+
+void StringType::GenDynamicSize(Output* out_cc, Env* env,
+		const DataPtr& data)
+	{
+	ASSERT(StaticSize(env) < 0);
+	DEBUG_MSG("Generating dynamic size for string `%s'\n", 
+		value_var()->Name());
+
+	if ( env->Evaluated(string_length_var()) )
+		return;
+
+	string_length_var_field_->GenTempDecls(out_cc, env);
+
+	switch ( type_ )
+		{
+		case ANYSTR:
+			GenDynamicSizeAnyStr(out_cc, env, data);
+			break;
+		case CSTR:
+			ASSERT(0);
+			break;
+		case REGEX:
+			// TODO: static size for a regular expression?
+			GenDynamicSizeRegEx(out_cc, env, data);
+			break;
+		}
+
+	if ( ! incremental_input() && AddSizeVar(out_cc, env) )
+		{
+		out_cc->println("%s = %s;", 
+			env->LValue(size_var()),
+			env->RValue(string_length_var()));
+		env->SetEvaluated(size_var());
+		}
+	}
+
+string StringType::GenStringSize(Output* out_cc, Env* env, 
+		const DataPtr& data)
+	{
+	int static_size = StaticSize(env);
+	if ( static_size >= 0 )
+		return strfmt("%d", static_size);
+	GenDynamicSize(out_cc, env, data);
+	return env->RValue(string_length_var());
+	}
+
+void StringType::DoGenParseCode(Output* out_cc, Env* env, 
+		const DataPtr& data, int flags)
+	{
+	string str_size = GenStringSize(out_cc, env, data);
+
+	// Generate additional checking
+	switch ( type_ )
+		{
+		case CSTR:
+			GenCheckingCStr(out_cc, env, data, str_size);
+			break;
+		case REGEX:
+		case ANYSTR:
+			break;
+		}
+
+	if ( ! anonymous_value_var() )
+		{
+		// Set the value variable
+		out_cc->println("// check for negative sizes");
+		out_cc->println("if ( %s < 0 )",
+			str_size.c_str());
+		out_cc->println("throw ExceptionInvalidStringLength(\"%s\", %s);",
+			Location(), str_size.c_str());
+		out_cc->println("%s.init(%s, %s);",
+			env->LValue(value_var()),
+			data.ptr_expr(),
+			str_size.c_str());
+		}
+
+	if ( parsing_complete_var() )
+		{
+		out_cc->println("%s = true;", 
+			env->LValue(parsing_complete_var()));
+		}
+	}
+
+void StringType::GenStringMismatch(Output* out_cc, Env* env, 
+		const DataPtr& data, const char *pattern)
+	{
+	out_cc->println("throw ExceptionStringMismatch(\"%s\", %s, %s);",
+		Location(), 
+		pattern,
+		fmt("string((const char *) (%s), (const char *) %s).c_str()", 
+			data.ptr_expr(),
+			env->RValue(end_of_data)));
+	}
+
+void StringType::GenCheckingCStr(Output* out_cc, Env* env, 
+		const DataPtr& data, const string &str_size)
+	{
+	// TODO: extend it for dynamic strings
+	ASSERT(type_ == CSTR);
+
+	GenBoundaryCheck(out_cc, env, data);
+
+	string str_val = str_->str();
+
+	// Compare the string and report error on mismatch
+	out_cc->println("if ( memcmp(%s, %s, %s) != 0 )",
+		data.ptr_expr(), 
+		str_val.c_str(),
+		str_size.c_str());
+	out_cc->inc_indent();
+	out_cc->println("{");
+	GenStringMismatch(out_cc, env, data, str_val.c_str());
+	out_cc->println("}");
+	out_cc->dec_indent();
+	}
+
+void StringType::GenDynamicSizeRegEx(Output* out_cc, Env* env, 
+		const DataPtr& data)
+	{
+	// string_length_var = 
+	// 	matcher.match_prefix(
+	// 		begin,
+	//		end);
+
+	out_cc->println("%s = ",
+		env->LValue(string_length_var()));
+	out_cc->inc_indent();
+
+	out_cc->println("%s.%s(", 
+		env->RValue(regex_->matcher_id()),
+		RegEx::kMatchPrefix);
+
+	out_cc->inc_indent();
+	out_cc->println("%s,",
+		data.ptr_expr());
+	out_cc->println("%s - %s);", 
+		env->RValue(end_of_data),
+		data.ptr_expr());
+
+	out_cc->dec_indent();
+	out_cc->dec_indent();
+
+	env->SetEvaluated(string_length_var());
+
+	out_cc->println("if ( %s < 0 )", 
+		env->RValue(string_length_var()));
+	out_cc->inc_indent();
+	out_cc->println("{");
+	GenStringMismatch(out_cc, env, data, 
+		fmt("\"%s\"", regex_->str().c_str()));
+	out_cc->println("}");
+	out_cc->dec_indent();
+	}
+
+void StringType::GenDynamicSizeAnyStr(Output* out_cc, Env* env, 
+		const DataPtr& data)
+	{
+	ASSERT(type_ == ANYSTR);
+
+	if ( attr_restofdata_ || attr_oneline_ )
+		{
+		out_cc->println("%s = (%s) - (%s);", 
+			env->LValue(string_length_var()),
+			env->RValue(end_of_data),
+			data.ptr_expr());
+		}
+	else if ( attr_restofflow_ )
+		{
+		out_cc->println("%s = (%s) - (%s);", 
+			env->LValue(string_length_var()),
+			env->RValue(end_of_data),
+			data.ptr_expr());
+		}
+	else if ( attr_length_expr_ )
+		{
+		out_cc->println("%s = %s;", 
+			env->LValue(string_length_var()),
+			attr_length_expr_->EvalExpr(out_cc, env));
+		}
+	else
+		{
+		throw Exception(this,
+			"cannot determine length of bytestring");
+		}
+
+	env->SetEvaluated(string_length_var());
+	}
+
+bool StringType::DoTraverse(DataDepVisitor *visitor)
+	{ 
+	if ( ! Type::DoTraverse(visitor) )
+		return false;
+
+	switch ( type_ )
+		{
+		case ANYSTR:
+		case CSTR:
+		case REGEX:
+			break;
+		}
+
+	return true;
+	}
+
+void StringType::static_init()
+	{
+	Type::AddPredefinedType("bytestring", new StringType(ANYSTR));
+	}
diff --git a/aux/binpac/src/pac_strtype.h b/aux/binpac/src/pac_strtype.h
new file mode 100644
index 0000000000..55b35e54ab
--- /dev/null
+++ b/aux/binpac/src/pac_strtype.h
@@ -0,0 +1,82 @@
+#ifndef pac_strtype_h
+#define pac_strtype_h
+
+#include "pac_type.h"
+
+// TODO: question: shall we merge it with ArrayType?
+class StringType : public Type
+{
+public:
+	enum StringTypeEnum { CSTR, REGEX, ANYSTR };
+
+	explicit StringType(StringTypeEnum anystr);
+	explicit StringType(ConstString *str);
+	explicit StringType(RegEx *regex);
+	~StringType();
+
+	bool DefineValueVar() const;
+	string DataTypeStr() const;
+	string DefaultValue() const	{ return "0"; }
+	Type *ElementDataType() const;
+
+	void Prepare(Env* env, int flags);
+
+	void GenPubDecls(Output* out, Env* env);
+	void GenPrivDecls(Output* out, Env* env);
+
+	void GenInitCode(Output* out, Env* env);
+	void GenCleanUpCode(Output* out, Env* env);
+
+	void DoMarkIncrementalInput();
+
+	int StaticSize(Env* env) const;
+
+	bool IsPointerType() const	{ return false; }
+
+	void ProcessAttr(Attr *a);
+
+protected:
+	void init();
+
+	// Generate computation of size of the string and returns the string 
+	// representing a constant integer or name of the length variable.
+	string GenStringSize(Output* out_cc, Env* env, const DataPtr& data);
+
+	// Generate a string mismatch exception
+	void GenStringMismatch(Output* out_cc, Env* env, 
+		const DataPtr& data, const char *pattern);
+
+	void DoGenParseCode(Output* out, Env* env, const DataPtr& data, int flags);
+
+	void GenCheckingCStr(Output* out, Env* env, 
+		const DataPtr& data, const string &str_size);
+
+	void GenDynamicSize(Output* out, Env* env, const DataPtr& data);
+	void GenDynamicSizeAnyStr(Output* out_cc, Env* env, const DataPtr& data);
+	void GenDynamicSizeRegEx(Output* out_cc, Env* env, const DataPtr& data);
+
+	Type *DoClone() const;
+
+	// TODO: insensitive towards byte order till we support unicode
+	bool ByteOrderSensitive() const 	{ return false; }
+
+protected:
+	bool DoTraverse(DataDepVisitor *visitor);
+
+private:
+	const ID *string_length_var() const;
+
+	StringTypeEnum type_;
+	ConstString *str_;
+	RegEx *regex_;
+	Field *string_length_var_field_;
+	Type *elem_datatype_;
+
+public:
+	static void static_init();
+private:
+	static const char *kStringTypeName;
+	static const char *kConstStringTypeName;
+};
+
+#endif  // pac_strtype_h
diff --git a/aux/binpac/src/pac_type.cc b/aux/binpac/src/pac_type.cc
new file mode 100644
index 0000000000..a30295aa0e
--- /dev/null
+++ b/aux/binpac/src/pac_type.cc
@@ -0,0 +1,1137 @@
+#include "pac_action.h"
+#include "pac_array.h"
+#include "pac_attr.h"
+#include "pac_btype.h"
+#include "pac_context.h"
+#include "pac_dataptr.h"
+#include "pac_decl.h"
+#include "pac_exception.h"
+#include "pac_expr.h"
+#include "pac_exttype.h"
+#include "pac_field.h"
+#include "pac_id.h"
+#include "pac_let.h"
+#include "pac_output.h"
+#include "pac_paramtype.h"
+#include "pac_strtype.h"
+#include "pac_type.h"
+#include "pac_utils.h"
+#include "pac_varfield.h"
+#include "pac_withinput.h"
+
+
+Type::type_map_t Type::type_map_;
+
+Type::Type(TypeType tot) 
+	: DataDepElement(DataDepElement::TYPE), tot_(tot)
+	{ 
+	type_decl_ = 0;
+	type_decl_id_ = current_decl_id;
+	declared_as_type_ = false;
+	env_ = 0;
+	value_var_ = default_value_var; 
+	ASSERT(value_var_);
+	value_var_type_ = MEMBER_VAR;
+	anonymous_value_var_ = false;
+	size_var_field_ = 0;
+	size_expr_ = 0;
+	boundary_checked_ = false;
+	parsing_complete_var_field_ = 0;
+	parsing_state_var_field_ = 0;
+	buffering_state_var_field_ = 0;
+	has_value_field_ = 0;
+
+	array_until_input_ = 0;
+
+	incremental_input_ = false;
+	buffer_input_ = false;
+	incremental_parsing_ = false;
+
+	fields_ = new FieldList();
+
+	attrs_ = new AttrList();
+	attr_byteorder_expr_ = 0;
+	attr_checks_ = new ExprList();
+	attr_chunked_ = false;
+	attr_exportsourcedata_ = false;
+	attr_if_expr_ = 0;
+	attr_length_expr_ = 0;
+	attr_letfields_ = 0;
+	attr_multiline_end_ = 0;
+	attr_oneline_ = false;
+	attr_refcount_ = false;
+	attr_requires_ = 0;
+	attr_restofdata_ = false;
+	attr_restofflow_ = false;
+	attr_transient_ = false;
+	}
+
+Type::~Type()
+	{
+	delete size_var_field_;
+	delete parsing_complete_var_field_;
+	delete parsing_state_var_field_;
+	delete buffering_state_var_field_;
+	delete has_value_field_;
+	delete [] size_expr_;
+	delete_list(FieldList, fields_);
+	delete attrs_;
+	delete attr_byteorder_expr_;
+	delete attr_if_expr_;
+	delete attr_length_expr_;
+	delete_list(ExprList, attr_checks_);
+	delete attr_requires_;
+	}
+
+Type *Type::Clone() const
+	{
+	Type *clone = DoClone();
+	if ( clone )
+		{
+		foreach(i, FieldList, fields_)
+			{
+			Field *f = *i;
+			clone->AddField(f);
+			}
+
+		foreach(i, AttrList, attrs_)
+			{
+			Attr *a = *i;
+			clone->ProcessAttr(a);
+			}
+		}
+	return clone;
+	}
+
+string Type::EvalMember(const ID *member_id) const
+	{
+	ASSERT(0);
+	return "@@@";
+	}
+
+string Type::EvalElement(const string &array, const string &index) const
+	{
+	return strfmt("%s[%s]", array.c_str(), index.c_str());
+	}
+
+const ID *Type::decl_id() const
+	{ 
+	return type_decl_id_;
+	}
+
+void Type::set_type_decl(const TypeDecl *decl, bool declared_as_type)	
+	{ 
+	type_decl_ = decl; 
+	type_decl_id_ = decl->id();
+	declared_as_type_ = declared_as_type;
+	}
+
+void Type::set_value_var(const ID* arg_id, int arg_id_type)
+ 	{ 
+	value_var_ = arg_id; 
+	value_var_type_ = arg_id_type; 
+
+	if ( value_var_ )
+		anonymous_value_var_ = value_var_->is_anonymous();
+	}
+
+const ID *Type::size_var() const
+	{
+	return size_var_field_ ? size_var_field_->id() : 0;
+	}
+
+void Type::AddField(Field *f)
+	{
+	ASSERT(f);
+	fields_->push_back(f);
+	}
+
+void Type::ProcessAttr(Attr* a)
+	{
+	switch ( a->type() )
+		{
+		case ATTR_BYTEORDER:
+			attr_byteorder_expr_ = a->expr();
+			break;
+
+		case ATTR_CHECK:
+			attr_checks_->push_back(a->expr());
+			break;
+
+		case ATTR_EXPORTSOURCEDATA:
+			attr_exportsourcedata_ = true;
+			break;
+
+		case ATTR_LENGTH:
+			attr_length_expr_ = a->expr();
+			break;
+
+		case ATTR_IF:
+			attr_if_expr_ = a->expr();
+			break;
+
+		case ATTR_LET:
+			{
+			LetAttr *letattr = static_cast<LetAttr *>(a);
+			if ( ! attr_letfields_ )
+				attr_letfields_ = letattr->letfields();
+			else
+				{
+				// Append to attr_letfields_
+				attr_letfields_->insert(
+					attr_letfields_->end(),
+					letattr->letfields()->begin(),
+					letattr->letfields()->end());
+				}
+			}
+			break;
+
+		case ATTR_LINEBREAKER:
+			ASSERT(0);
+			break;
+
+		case ATTR_MULTILINE:
+			attr_multiline_end_ = a->expr();
+			break;
+
+		case ATTR_ONELINE:
+			attr_oneline_ = true;
+			break;
+
+		case ATTR_REFCOUNT:
+			attr_refcount_ = true;
+			break;
+
+		case ATTR_REQUIRES:
+			attr_requires_ = a->expr();
+			break;
+
+		case ATTR_TRANSIENT:
+			attr_transient_ = true;
+			break;
+		
+		case ATTR_CHUNKED:
+		case ATTR_UNTIL:
+		case ATTR_RESTOFDATA:
+		case ATTR_RESTOFFLOW:
+			// Ignore 
+			// ... these are processed by {
+			// {ArrayType, StringType}::ProcessAttr
+			break;
+		}
+
+	attrs_->push_back(a);
+	}
+
+string Type::EvalByteOrder(Output *out_cc, Env *env) const
+	{
+	// If &byteorder is specified for a field, rather
+	// than a type declaration, we do not add a byteorder variable
+	// to the class, but instead evaluate it directly.
+	if ( attr_byteorder_expr() && ! declared_as_type() )
+		return attr_byteorder_expr()->EvalExpr(out_cc, global_env());
+	env->Evaluate(out_cc, byteorder_id);
+	return env->RValue(byteorder_id);
+	}
+
+void Type::Prepare(Env* env, int flags)
+	{
+	env_ = env;
+	ASSERT(env_);
+
+	// The name of the value variable
+	if ( value_var() )	
+		{
+		data_id_str_ = strfmt("%s:%s", 
+			decl_id()->Name(), value_var()->Name());
+		}
+	else
+		{
+		data_id_str_ = strfmt("%s", decl_id()->Name());
+		}
+
+	if ( value_var() )
+		{
+		env_->AddID(value_var(), 
+			static_cast<IDType>(value_var_type_), 
+			this);
+		lvalue_ = strfmt("%s", env_->LValue(value_var()));
+		}
+
+	foreach(i, FieldList, attr_letfields_)
+		{
+		AddField(*i);
+		}
+
+	if ( attr_exportsourcedata_ )
+		{
+		ASSERT(flags & TO_BE_PARSED);
+		AddField(new PubVarField(sourcedata_id->clone(),
+			extern_type_const_bytestring->Clone()));
+		}
+
+	// An optional field
+	if ( attr_if_expr() )
+		{
+		ASSERT(value_var());
+		ID *has_value_id = new ID(fmt("has_%s", value_var()->Name()));
+		has_value_field_ = new LetField(has_value_id, 
+			extern_type_bool->Clone(),
+			attr_if_expr());
+		AddField(has_value_field_);
+		}
+
+	if ( incremental_input() )
+		{
+		ASSERT(flags & TO_BE_PARSED);
+		ID *parsing_complete_var = 
+			new ID(fmt("%s_parsing_complete", 
+				value_var() ? value_var()->Name() : "val"));
+		DEBUG_MSG("Adding parsing complete var: %s\n",
+			parsing_complete_var->Name());
+		parsing_complete_var_field_ = new TempVarField(
+			parsing_complete_var, extern_type_bool->Clone());
+		parsing_complete_var_field_->Prepare(env);
+
+		if ( NeedsBufferingStateVar() && 
+		       ! env->GetDataType(buffering_state_id) )
+			{
+			buffering_state_var_field_ = new PrivVarField(
+				buffering_state_id->clone(), 
+				extern_type_int->Clone());
+			AddField(buffering_state_var_field_);
+			}
+
+		if ( incremental_parsing() && tot_ == RECORD )
+			{
+			ASSERT(! parsing_state_var_field_);
+			parsing_state_var_field_ = new PrivVarField(
+				parsing_state_id->clone(), 
+				extern_type_int->Clone());
+			AddField(parsing_state_var_field_);
+			}
+		}
+
+	foreach (i, FieldList, fields_)
+		{
+		Field *f = *i;
+		f->Prepare(env);
+		}
+	}
+
+void Type::GenPubDecls(Output* out_h, Env* env)
+	{
+	if ( DefineValueVar() )
+		{
+		if ( attr_if_expr_ )
+		        out_h->println("%s %s const { BINPAC_ASSERT(%s); return %s; }",
+			        DataTypeConstRefStr().c_str(), 
+			        env->RValue(value_var()),
+			        env->RValue(has_value_var()), lvalue());
+		else
+		        out_h->println("%s %s const { return %s; }",
+			        DataTypeConstRefStr().c_str(), 
+			        env->RValue(value_var()), lvalue());
+		}
+
+	foreach (i, FieldList, fields_)
+		{
+		Field *f = *i;
+		f->GenPubDecls(out_h, env);
+		}
+	}
+
+void Type::GenPrivDecls(Output* out_h, Env* env)
+	{
+	if ( DefineValueVar() )
+		{
+		out_h->println("%s %s;", 
+			DataTypeStr().c_str(), 
+			env->LValue(value_var()));
+		}
+
+	foreach (i, FieldList, fields_)
+		{
+		Field *f = *i;
+		f->GenPrivDecls(out_h, env);
+		}
+	}
+
+void Type::GenInitCode(Output* out_cc, Env* env)
+	{
+	foreach (i, FieldList, fields_)
+		{
+		Field *f = *i;
+		f->GenInitCode(out_cc, env);
+		}
+
+	if ( parsing_state_var_field_ )
+		{
+		out_cc->println("%s = 0;", 
+			env->LValue(parsing_state_var_field_->id()));
+		}
+
+	if ( buffering_state_var_field_ )
+		{
+		out_cc->println("%s = 0;", 
+			env->LValue(buffering_state_var_field_->id()));
+		}
+	}
+
+void Type::GenCleanUpCode(Output* out_cc, Env* env)
+	{
+	foreach (i, FieldList, fields_)
+		{
+		Field *f = *i;
+		if ( f->tof() != CASE_FIELD )
+			f->GenCleanUpCode(out_cc, env);
+		}
+	}
+
+void Type::GenBufferConfiguration(Output *out_cc, Env *env)
+	{
+	ASSERT(buffer_input());
+
+	string frame_buffer_arg;
+	
+	switch ( buffer_mode() )
+		{
+		case BUFFER_NOTHING:
+			break;
+
+		case BUFFER_BY_LENGTH:
+			if ( ! NeedsBufferingStateVar() )
+ 				break;
+		
+			if ( buffering_state_var_field_ )
+				{
+				out_cc->println("if ( %s == 0 )",
+					env->RValue(buffering_state_id));
+				out_cc->inc_indent();
+				out_cc->println("{");
+				}
+
+			if ( attr_length_expr_ )
+				{
+				// frame_buffer_arg = attr_length_expr_->EvalExpr(out_cc, env);
+				frame_buffer_arg = strfmt("%d", InitialBufferLength());
+				}
+			else if ( attr_restofflow_ )
+				{
+				ASSERT(attr_chunked());
+				frame_buffer_arg = "-1";
+				}
+			else
+				{
+				ASSERT(0);
+				}
+
+			out_cc->println("%s->NewFrame(%s, %s);",
+				env->LValue(flow_buffer_id),
+				frame_buffer_arg.c_str(),
+				attr_chunked() ? "true" : "false");
+
+			if ( buffering_state_var_field_ )
+				{
+				out_cc->println("%s = 1;",
+					env->LValue(buffering_state_id));
+				out_cc->println("}");
+				out_cc->dec_indent();
+				}
+			break;
+
+		case BUFFER_BY_LINE:
+			out_cc->println("if ( %s == 0 )",
+				env->RValue(buffering_state_id));
+			out_cc->inc_indent();
+			out_cc->println("{");
+
+			out_cc->println("%s->NewLine();",
+				env->LValue(flow_buffer_id));
+
+			out_cc->println("%s = 1;",
+				env->LValue(buffering_state_id));
+			out_cc->println("}");
+			out_cc->dec_indent();
+			break;
+
+		default:
+			ASSERT(0);
+			break;
+		}
+	}
+
+void Type::GenPreParsing(Output *out_cc, Env *env)
+	{
+	if ( incremental_input() && IsPointerType() )
+		{
+		out_cc->println("if ( ! %s )", env->LValue(value_var()));
+		out_cc->inc_indent();
+		out_cc->println("{");
+		GenNewInstance(out_cc, env);
+		out_cc->println("}");
+		out_cc->dec_indent();
+		}
+	else
+		GenNewInstance(out_cc, env);
+
+	if ( buffer_input() )
+		{
+		GenBufferConfiguration(out_cc, env);
+		}
+	}
+
+// Wrappers around DoGenParseCode, which does the real job
+void Type::GenParseCode(Output* out_cc, Env* env, const DataPtr& data, int flags)
+	{
+	if ( value_var() && env->Evaluated(value_var()) )
+		return;
+
+	DEBUG_MSG("GenParseCode for %s\n", data_id_str_.c_str());
+
+	if ( attr_if_expr() )
+		{
+		ASSERT(has_value_var());
+		ASSERT(env->Evaluated(has_value_var()));
+		}
+
+	if ( value_var() && anonymous_value_var() )
+		{
+		GenPrivDecls(out_cc, env);
+		GenInitCode(out_cc, env);
+		}
+
+	if ( incremental_input() )
+		{
+		parsing_complete_var_field_->GenTempDecls(out_cc, env);
+
+		out_cc->println("%s = false;", 
+			env->LValue(parsing_complete_var()));
+		env->SetEvaluated(parsing_complete_var());
+
+		if ( buffer_mode() == BUFFER_NOTHING )
+			{
+			out_cc->println("%s = true;", 
+				env->LValue(parsing_complete_var()));
+			}
+		else if ( buffer_input() )
+			{
+			if ( declared_as_type() )
+				GenParseBuffer(out_cc, env, flags);
+			else
+				GenBufferingLoop(out_cc, env, flags);
+			}
+		else
+			GenParseCode2(out_cc, env, data, flags);
+		}
+	else
+		{
+		if ( attr_length_expr_)
+			{
+			EvalLengthExpr(out_cc, env);
+
+			GenBoundaryCheck(out_cc, env, data);
+
+			out_cc->println("{");
+			out_cc->println("// Setting %s with &length", 
+				env->RValue(end_of_data)); 
+			out_cc->println("%s %s = %s + %s;",
+				extern_type_const_byteptr->DataTypeStr().c_str(),
+				env->LValue(end_of_data),
+				data.ptr_expr(),
+				EvalLengthExpr(out_cc, env).c_str());
+
+			GenParseCode2(out_cc, env, data, flags);
+
+			out_cc->println("}");
+			}
+		else
+			{
+			GenParseCode2(out_cc, env, data, flags);
+			}
+		}
+	}
+
+void Type::GenBufferingLoop(Output* out_cc, Env* env, int flags)
+	{
+	out_cc->println("while ( ! %s && %s->ready() )", 
+		env->LValue(parsing_complete_var()),
+		env->LValue(flow_buffer_id));
+
+	out_cc->inc_indent();
+	out_cc->println("{");
+
+	Env buffer_env(env, this);
+	GenParseBuffer(out_cc, &buffer_env, flags);
+
+	out_cc->println("}");
+	out_cc->dec_indent();
+	}
+
+void Type::GenParseBuffer(Output* out_cc, Env* env, int flags)
+	{
+	ASSERT(incremental_input());
+
+	const ID *data_begin;
+
+	if ( ! incremental_parsing() )
+		{
+		env->AddID(begin_of_data, TEMP_VAR, extern_type_const_byteptr);
+		env->AddID(end_of_data, TEMP_VAR, extern_type_const_byteptr);
+
+		out_cc->println("%s %s = %s->begin();",
+			env->DataTypeStr(begin_of_data).c_str(),
+			env->LValue(begin_of_data),
+			env->RValue(flow_buffer_id));
+
+		out_cc->println("%s %s = %s->end();",
+			env->DataTypeStr(end_of_data).c_str(),
+			env->LValue(end_of_data),
+			env->RValue(flow_buffer_id));
+
+		env->SetEvaluated(begin_of_data);
+		env->SetEvaluated(end_of_data);
+
+		data_begin = begin_of_data;
+		}
+	else
+		data_begin = 0;
+
+	if ( array_until_input_ )
+		{
+		if ( incremental_parsing() )
+			{
+			throw Exception(this, 
+				"cannot handle &until($input...) "
+				"for incrementally parsed type");
+			}
+		array_until_input_->GenUntilInputCheck(out_cc, env);
+		}
+
+	DataPtr data(env, data_begin, 0);
+
+	if ( attr_length_expr() )
+		{
+		ASSERT(buffer_mode() == BUFFER_BY_LENGTH);
+		out_cc->println("switch ( %s )", 
+			env->LValue(buffering_state_id));
+		out_cc->inc_indent();
+		out_cc->println("{");
+		out_cc->println("case 0:");
+		out_cc->inc_indent();
+		GenBufferConfiguration(out_cc, env);
+		out_cc->println("%s = 1;", env->LValue(buffering_state_id));
+		out_cc->println("break;");
+		out_cc->dec_indent();
+
+		out_cc->println("case 1:");
+		out_cc->inc_indent();
+
+		out_cc->println("{");
+
+		out_cc->println("%s = 2;", env->LValue(buffering_state_id));
+
+		Env frame_length_env(env, this);
+		out_cc->println("%s->GrowFrame(%s);", 
+			env->LValue(flow_buffer_id),
+			attr_length_expr_->EvalExpr(out_cc, &frame_length_env));
+		out_cc->println("}");
+		out_cc->println("break;");
+
+		out_cc->dec_indent();
+		out_cc->println("case 2:");
+		out_cc->inc_indent();
+
+		out_cc->println("BINPAC_ASSERT(%s->ready());", 
+			env->RValue(flow_buffer_id));
+		out_cc->println("if ( %s->ready() )", 
+			env->RValue(flow_buffer_id));
+		out_cc->inc_indent();
+		out_cc->println("{");
+
+		Env parse_env(env, this);
+		GenParseCode2(out_cc, &parse_env, data, 0);
+		
+		out_cc->println("BINPAC_ASSERT(%s);", 
+			parsing_complete(env).c_str());
+		out_cc->println("%s = 0;", 
+			env->LValue(buffering_state_id));
+		out_cc->println("}");
+		out_cc->dec_indent();
+
+		out_cc->println("break;");
+
+		out_cc->dec_indent();
+		out_cc->println("default:");
+		out_cc->inc_indent();
+
+		out_cc->println("BINPAC_ASSERT(%s <= 2);",
+			env->LValue(buffering_state_id));
+		out_cc->println("break;");
+		
+		out_cc->dec_indent();
+		out_cc->println("}");
+		out_cc->dec_indent();
+		}
+	else if ( attr_restofflow_ )
+		{
+		out_cc->println("BINPAC_ASSERT(%s->eof());", 
+			env->RValue(flow_buffer_id));
+		GenParseCode2(out_cc, env, data, 0);
+		}
+	else if ( buffer_mode() == BUFFER_BY_LINE )
+		{
+		GenParseCode2(out_cc, env, data, 0);
+		out_cc->println("%s = 0;", env->LValue(buffering_state_id));
+		}
+	else
+		GenParseCode2(out_cc, env, data, 0);
+	}
+
+void Type::GenParseCode2(Output* out_cc, Env* env, 
+		const DataPtr& data, int flags)
+	{
+	DEBUG_MSG("GenParseCode2 for %s\n", data_id_str_.c_str());
+
+	if ( attr_exportsourcedata_ )
+		{
+		if ( incremental_parsing() )
+			{
+			throw Exception(this, 
+				"cannot export raw data for incrementally parsed types");
+			}
+
+		out_cc->println("%s = const_bytestring(%s, %s);",
+			env->LValue(sourcedata_id),
+			data.ptr_expr(),
+			env->RValue(end_of_data));
+		env->SetEvaluated(sourcedata_id);
+	
+		GenParseCode3(out_cc, env, data, flags);
+
+		string datasize_str = DataSize(out_cc, env, data);
+		out_cc->println("%s.set_end(%s + %s);",
+			env->LValue(sourcedata_id),
+			data.ptr_expr(),
+			datasize_str.c_str());
+		}
+	else
+		{
+		GenParseCode3(out_cc, env, data, flags);
+		}
+	}
+
+void Type::GenParseCode3(Output* out_cc, Env* env, const DataPtr& data, int flags)
+	{
+	if ( attr_requires_ )
+		attr_requires_->EvalExpr(out_cc, env);
+
+	foreach(i, FieldList, fields_)
+		{
+		Field *f = *i;
+		f->GenTempDecls(out_cc, env);
+		}
+
+	DoGenParseCode(out_cc, env, data, flags);
+
+	if ( incremental_input() )
+		{
+		out_cc->println("if ( %s )", parsing_complete(env).c_str());
+		out_cc->inc_indent();
+		out_cc->println("{");
+		}
+
+	out_cc->println("// Evaluate 'let' and 'withinput' fields");
+	foreach(i, FieldList, fields_)
+		{
+		Field *f = *i;
+		if ( f->tof() == LET_FIELD )
+			{
+			LetField *lf = static_cast<LetField *>(f);
+			lf->GenParseCode(out_cc, env);
+			}
+		else if ( f->tof() == WITHINPUT_FIELD )
+			{
+			WithInputField *af = static_cast<WithInputField *>(f);
+			af->GenParseCode(out_cc, env);
+			}
+		}
+
+	if ( value_var() && anonymous_value_var() )
+		{
+		GenCleanUpCode(out_cc, env);
+		}
+
+	if ( incremental_input() )
+		{
+		out_cc->println("}");
+		out_cc->dec_indent();
+		}
+
+	if ( value_var() )
+		env->SetEvaluated(value_var());
+
+	if ( size_var() )
+		ASSERT(env->Evaluated(size_var()));
+	}
+
+Type *Type::MemberDataType(const ID *member_id) const
+	{
+	DEBUG_MSG("MemberDataType: %s::%s\n", type_decl_id_->Name(), member_id->Name());
+	ASSERT(env_);
+	env_->set_allow_undefined_id(true);
+	Type *t = env_->GetDataType(member_id);
+	env_->set_allow_undefined_id(false);
+	return t;
+	}
+
+Type *Type::ElementDataType() const
+	{
+	return 0;
+	}
+
+// Returns false if it is not necessary to add size_var
+// (it is already added or the type has a fixed size).
+bool Type::AddSizeVar(Output* out_cc, Env* env)
+	{
+	if ( size_var() )
+		{
+		DEBUG_MSG("size var `%s' already added\n", size_var()->Name());
+		ASSERT(env->Evaluated(size_var()));
+		return false;
+		}
+
+	if ( StaticSize(env) >= 0 )
+		return false;
+
+	ASSERT(! incremental_input());
+
+	ID *size_var_id = new ID(fmt("%s__size", 
+		value_var() ? value_var()->Name() : decl_id()->Name()));
+
+	DEBUG_MSG("adding size var `%s' to env %p\n", size_var_id->Name(), env);
+
+	size_var_field_ = new TempVarField(
+		size_var_id, extern_type_int->Clone());
+	size_var_field_->Prepare(env);
+	size_var_field_->GenTempDecls(out_cc, env);
+
+	return true;
+	}
+
+string Type::EvalLengthExpr(Output* out_cc, Env* env)
+	{
+	ASSERT(!incremental_input());
+	ASSERT(attr_length_expr_);
+	int static_length;
+	if ( attr_length_expr_->ConstFold(env, &static_length) )
+		return strfmt("%d", static_length);
+	// How do we make sure size_var is evaluated with attr_length_expr_?
+	if ( AddSizeVar(out_cc, env) )
+		{
+		out_cc->println("%s = %s;",
+			env->LValue(size_var()),
+			attr_length_expr_->EvalExpr(out_cc, env));
+		env->SetEvaluated(size_var());
+		}
+	return env->RValue(size_var());
+	}
+
+string Type::DataSize(Output* out_cc, Env* env, const DataPtr& data)
+	{
+	if ( attr_length_expr_ )
+		return EvalLengthExpr(out_cc, env);
+
+	int ss = StaticSize(env);
+	if ( ss >= 0 )
+		{
+		return strfmt("%d", ss);
+		}
+	else
+		{
+		if ( ! size_var() || ! env->Evaluated(size_var()) )
+			{
+			ASSERT(out_cc != 0);
+			GenDynamicSize(out_cc, env, data);
+			ASSERT(size_var());
+			}
+		return env->RValue(size_var());
+		}
+	}
+
+void Type::GenBoundaryCheck(Output* out_cc, Env* env,
+		const DataPtr& data)
+	{
+	if ( boundary_checked() )
+		return;
+
+	data.GenBoundaryCheck(out_cc, env, 
+		DataSize(out_cc, env, data).c_str(),
+		data_id_str_.c_str());
+
+	SetBoundaryChecked();
+	}
+
+bool Type::NeedsCleanUp() const
+	{
+	switch ( tot_ )
+		{
+		case EMPTY:
+		case BUILTIN:
+			return false;
+		case ARRAY:
+		case PARAMETERIZED:
+		case STRING:
+			return true;
+		default:
+			ASSERT(0);
+			return true;
+		}
+	return true;
+	}
+
+bool Type::RequiresByteOrder() const
+	{ 
+	return ! attr_byteorder_expr() && ByteOrderSensitive(); 
+	}
+
+bool Type::NeedsBufferingStateVar() const
+	{
+	if ( !incremental_input() )
+		return false;
+	switch ( buffer_mode() )
+		{
+		case BUFFER_NOTHING:
+		case NOT_BUFFERABLE:
+			return false;
+		case BUFFER_BY_LINE:
+			return true;
+		case BUFFER_BY_LENGTH:
+			return ( attr_length_expr_ || attr_restofflow_ );
+		default:
+			ASSERT(0);
+			return false;
+		}
+	}
+
+bool Type::DoTraverse(DataDepVisitor *visitor)
+	{
+	foreach (i, FieldList, fields_)
+		{
+		if ( ! (*i)->Traverse(visitor) )
+			return false;
+		}
+
+	foreach(i, AttrList, attrs_)
+		{
+		if ( ! (*i)->Traverse(visitor) )
+			return false;
+		}
+
+	return true;
+	}
+
+bool Type::RequiresAnalyzerContext()
+	{
+	ASSERT(0);
+
+	if ( buffer_input() )
+		return true;
+	
+	foreach (i, FieldList, fields_)
+		{
+		Field *f = *i;
+		if ( f->RequiresAnalyzerContext() )
+			return true;
+		}
+
+	foreach(i, AttrList, attrs_)
+		if ( (*i)->RequiresAnalyzerContext() )
+			return true;
+
+	return false;
+	}
+
+bool Type::IsEmptyType() const
+	{
+	return ( StaticSize(global_env()) == 0 );
+	}
+
+void Type::MarkIncrementalInput()
+	{
+	DEBUG_MSG("Handle incremental input for %s.%s\n", 
+		decl_id()->Name(),
+		value_var() ? value_var()->Name() : "*");
+
+	incremental_input_ = true;
+	if ( Bufferable() )
+		buffer_input_ = true;
+	else
+		{
+		incremental_parsing_ = true;
+		DoMarkIncrementalInput();
+		}
+	}
+
+void Type::DoMarkIncrementalInput()
+	{
+	throw Exception(this, "cannot handle incremental input");
+	}
+
+bool Type::BufferableByLength() const
+	{
+	// If the input is an "frame buffer" with specified length
+	return attr_length_expr_ || attr_restofflow_;
+	}
+
+bool Type::BufferableByLine() const
+	{
+	// If the input is an ASCII line;
+	return attr_oneline_;
+	}
+
+bool Type::Bufferable() const
+	{
+	// If the input is an ASCII line or an "frame buffer"
+	return IsEmptyType() || BufferableByLength() || BufferableByLine();
+	}
+
+Type::BufferMode Type::buffer_mode() const
+	{
+	if ( IsEmptyType() )
+		return BUFFER_NOTHING;
+	else if ( BufferableByLength() )
+		return BUFFER_BY_LENGTH;
+	else if ( BufferableByLine() )
+		return BUFFER_BY_LINE;
+	return NOT_BUFFERABLE;
+	}
+
+const ID *Type::parsing_complete_var() const
+	{
+	if ( parsing_complete_var_field_ )
+		return parsing_complete_var_field_->id();
+	else
+		return 0;
+	}
+
+string Type::parsing_complete(Env *env) const
+	{
+	ASSERT(parsing_complete_var());
+	return env->RValue(parsing_complete_var());
+	}
+
+const ID *Type::has_value_var() const
+	{
+	if ( has_value_field_ )
+		return has_value_field_->id();
+	else
+		return 0;
+	}
+
+int Type::InitialBufferLength() const
+	{
+	if ( ! attr_length_expr_ )
+		return 0;
+	return attr_length_expr_->MinimalHeaderSize(env());
+	}
+
+bool Type::CompatibleTypes(Type *type1, Type *type2)
+	{
+	// If we cannot deduce one of the data types, assume that
+	// they are compatible.
+	if ( ! type1 || ! type2 )
+		return true;
+
+	// We do not have enough information about extern types
+	if ( type1->tot() == EXTERN || type2->tot() == EXTERN )
+		return true;
+
+	if ( type1->tot() != type2->tot() )
+		{
+		if ( type1->IsNumericType() && type2->IsNumericType() )
+			return true;
+		else
+			return false;
+		}
+
+	switch( type1->tot() )
+		{
+		case UNDEF:
+		case EMPTY:
+			return true;
+		case BUILTIN:
+			{
+			BuiltInType *t1 = 
+				static_cast<BuiltInType *>(type1);
+			BuiltInType *t2 = 
+				static_cast<BuiltInType *>(type2);
+			return BuiltInType::CompatibleBuiltInTypes(t1, t2);
+			}
+
+		case PARAMETERIZED:
+		case RECORD:
+		case CASE:
+		case EXTERN:
+			return type1->DataTypeStr() == type2->DataTypeStr();
+			break;
+			
+		case ARRAY:
+			{
+			ArrayType *t1 = 
+				static_cast<ArrayType *>(type1);
+			ArrayType *t2 = 
+				static_cast<ArrayType *>(type2);
+			return CompatibleTypes(t1->ElementDataType(),
+			                       t2->ElementDataType());
+			}
+
+		default:
+			ASSERT(0);
+			return false;
+		}
+	}
+
+Type *Type::LookUpByID(ID *id)
+	{
+	// 1. Is it a pre-defined type?
+	string name = id->Name();
+	if ( type_map_.find(name) != type_map_.end() )
+		{
+		return type_map_[name]->Clone();
+		}
+
+	// 2. Is it a simple declared type?
+	Type *type = TypeDecl::LookUpType(id);
+	if ( type )
+		{
+		// Note: as a Type is always associated with a variable, 
+		// return a clone.
+		switch ( type->tot() )
+			{
+			case Type::BUILTIN:
+			case Type::EXTERN:
+	       		case Type::STRING:
+				return type->Clone();
+
+	       		case Type::ARRAY:
+			default:
+				break;
+			}
+		}
+
+	return new ParameterizedType(id, 0);
+	}
+
+void Type::AddPredefinedType(const string &type_name, Type *type)
+	{
+	ASSERT(type_map_.find(type_name) == type_map_.end());
+	type_map_[type_name] = type;
+	}
+
+void Type::init()
+	{
+	BuiltInType::static_init();
+	ExternType::static_init();
+	StringType::static_init();
+	}
diff --git a/aux/binpac/src/pac_type.def b/aux/binpac/src/pac_type.def
new file mode 100644
index 0000000000..62939ec671
--- /dev/null
+++ b/aux/binpac/src/pac_type.def
@@ -0,0 +1,8 @@
+// TYPEDEF(type_id,	pac_type,	c_type,		size)
+TYPE_DEF(INT8, 		"int8",		"int8",		1)
+TYPE_DEF(INT16,		"int16",	"int16",	2)
+TYPE_DEF(INT32,	 	"int32",	"int32",	4)
+TYPE_DEF(UINT8,		"uint8",	"uint8",	1)
+TYPE_DEF(UINT16,	"uint16",	"uint16",	2)
+TYPE_DEF(UINT32, 	"uint32",	"uint32",	4)
+TYPE_DEF(EMPTY,		"empty",	"", 		0)
diff --git a/aux/binpac/src/pac_type.h b/aux/binpac/src/pac_type.h
new file mode 100644
index 0000000000..08252cf637
--- /dev/null
+++ b/aux/binpac/src/pac_type.h
@@ -0,0 +1,309 @@
+#ifndef pac_type_h
+#define pac_type_h
+
+#include <map>
+using namespace std;
+
+#include "pac_common.h"
+#include "pac_datadep.h"
+#include "pac_dbg.h"
+
+class Type : public Object, public DataDepElement
+{
+public:
+	enum TypeType {
+		UNDEF = -1,
+		EMPTY,
+		BUILTIN,
+		PARAMETERIZED,
+		RECORD,
+		CASE,
+		ARRAY,
+		STRING,
+		EXTERN,
+		DUMMY,
+	};
+
+	explicit Type(TypeType tot);
+	virtual ~Type();
+
+	Type *Clone() const;
+
+	// Type of type
+	TypeType tot() const			{ return tot_; }
+
+	////////////////////////////////////////
+	// Code generation
+	virtual void Prepare(Env *env, int flags);
+
+	// Flag(s) for Prepare()
+	static const int TO_BE_PARSED = 1;
+
+	virtual void GenPubDecls(Output *out, Env *env);
+	virtual void GenPrivDecls(Output *out, Env *env);
+
+	virtual void GenInitCode(Output *out, Env *env);
+	virtual void GenCleanUpCode(Output *out, Env *env);
+
+	void GenPreParsing(Output *out, Env *env);
+	void GenParseCode(Output *out, Env *env, const DataPtr& data, int flags);
+
+	////////////////////////////////////////
+	// TODO: organize the various methods below
+
+	// The LValue string of the variable defined by the type. 
+	// For example, if the type defines a record field, the 
+	// lvalue is the member variable corresponding to the field; 
+	// if the type appears in a type decl, then the lvalue is the
+	// default value var.
+	//
+	const char *lvalue() const		{ return lvalue_.c_str(); }
+
+	// The TypeDecl that defined the type.
+	//
+	const TypeDecl *type_decl() const	{ return type_decl_; }
+	void set_type_decl(const TypeDecl *decl, bool declared_as_type);
+
+	// Returns whether the type appears in a type declaration
+	// (true) or as type specification of a field (false).
+	//
+	bool declared_as_type() const		{ return declared_as_type_; }
+
+	// The ID of the decl in which the type appear. 
+	//
+	const ID *decl_id() const;
+
+	Env *env() const			{ return env_; }
+
+	string EvalByteOrder(Output *out_cc, Env *env) const;
+
+	virtual string EvalMember(const ID *member_id) const;
+	virtual string EvalElement(const string &array, 
+	                           const string &index) const;
+
+	// The variable defined by the type
+	const ID *value_var() const		{ return value_var_; }
+	void set_value_var(const ID *arg_id, int arg_id_type);
+
+	bool anonymous_value_var() const	{ return anonymous_value_var_; }
+
+	const ID *size_var() const;
+
+	// Adds a variable to env to represent the size of this type.
+	// Returns false if we do not need a size variable (because 
+	// the type has a static size) or the size variable is already added.
+	bool AddSizeVar(Output *out, Env *env);
+
+	const ID *parsing_state_var() const;
+
+	const ID *has_value_var() const;
+
+	void AddField(Field *f);
+
+	void AddCheck(Expr *expr)		{ /* TODO */ }
+
+	virtual bool DefineValueVar() const = 0;
+
+	// Returns C++ datatype string
+	virtual string DataTypeStr() const = 0;
+
+	// Returns const reference of the C++ data type (unless the type
+	// is numeric or pointer)
+	string DataTypeConstRefStr() const
+		{
+		string data_type = DataTypeStr();
+		if ( ! IsPointerType() && ! IsNumericType() )
+			data_type += " const &";
+		return data_type;
+		}
+
+	// Returns a default value for the type
+	virtual string DefaultValue() const	
+		{ 
+		ASSERT(0); return "@@@";
+		}
+
+	// Returns the data type of the member field/case
+	virtual Type *MemberDataType(const ID *member_id) const;
+
+	// Returns the data type of the element type of an array
+	virtual Type *ElementDataType() const;
+
+	// Whether the type needs clean-up at deallocation.
+	bool NeedsCleanUp() const;
+
+	// Whether byte order must be determined before parsing the type.
+	bool RequiresByteOrder() const;
+
+	// Whether class of the type requires a parameter of analyzer context. 
+	virtual bool RequiresAnalyzerContext();
+
+	virtual bool IsPointerType() const = 0;
+	virtual bool IsNumericType() const	{ return false; }
+	bool IsEmptyType() const;
+
+	////////////////////////////////////////
+	// Attributes
+	virtual void ProcessAttr(Attr *a);
+
+	bool  attr_chunked() const		{ return attr_chunked_; }
+	Expr *attr_byteorder_expr() const	{ return attr_byteorder_expr_; }
+	Expr *attr_if_expr() const		{ return attr_if_expr_; }
+	// TODO: generate the length expression automatically.
+	Expr *attr_length_expr() const		{ return attr_length_expr_; }
+	bool  attr_refcount() const		{ return attr_refcount_; }
+	bool  attr_transient() const		{ return attr_transient_; }
+
+	// Whether the value remains valid outside the parse function
+	bool persistent() const
+		{
+		return ! attr_transient() && ! attr_chunked();
+		}
+
+	void SetUntilCheck(ArrayType *t)	{ array_until_input_ = t; }
+
+	////////////////////////////////////////
+	// Size and boundary checking
+	virtual int StaticSize(Env *env) const = 0;
+	string DataSize(Output *out, Env *env, const DataPtr& data);
+
+	bool boundary_checked() const		{ return boundary_checked_; }
+	virtual void SetBoundaryChecked() 	{ boundary_checked_ = true; }
+	void GenBoundaryCheck(Output *out, Env *env, const DataPtr& data);
+
+	////////////////////////////////////////
+	// Handling incremental input
+	// 
+	// There are two ways to handle incremental input: (1) to
+	// buffer the input before parsing; (2) to parse incrementally.
+	// 
+	// The type must be "bufferable" for (1). While for (2),
+	// each member of the type must be able to handle incremental
+	// input.
+
+	void MarkIncrementalInput();
+	virtual void DoMarkIncrementalInput();
+
+	// Whether the type may receive incremental input
+	bool incremental_input() const		{ return incremental_input_; }
+
+	// Whether parsing should also be incremental
+	bool incremental_parsing() const	{ return incremental_parsing_; }
+
+	// Whether we should buffer the input
+	bool buffer_input() const		{ return buffer_input_; }
+
+	// Whether parsing of the type is completed
+	const ID *parsing_complete_var() const;
+	string parsing_complete(Env *env) const;
+
+	// Whether the input is bufferable
+	bool Bufferable() const;
+	bool BufferableByLength() const;
+	bool BufferableByLine() const;
+
+	enum BufferMode {
+		NOT_BUFFERABLE,
+		BUFFER_NOTHING,		// for type "empty"
+		BUFFER_BY_LENGTH,
+		BUFFER_BY_LINE,
+	};
+	virtual BufferMode buffer_mode() const;
+
+	void GenBufferConfiguration(Output *out, Env *env);
+
+	int InitialBufferLength() const;
+
+protected:
+	virtual void GenNewInstance(Output *out, Env *env) {}
+
+	virtual bool ByteOrderSensitive() const = 0;
+
+	bool NeedsBufferingStateVar() const;
+
+	void GenBufferingLoop(Output* out_cc, Env* env, int flags);
+	void GenParseBuffer(Output* out_cc, Env* env, int flags);
+	void GenParseCode2(Output* out_cc, Env* env, const DataPtr& data, int flags);
+	void GenParseCode3(Output* out_cc, Env* env, const DataPtr& data, int flags);
+
+	virtual void DoGenParseCode(Output *out, Env *env,
+		const DataPtr& data, 
+		int flags) = 0;
+
+	string EvalLengthExpr(Output* out_cc, Env* env);
+
+	// Generate code for computing the dynamic size of the type
+	virtual void GenDynamicSize(Output *out, Env *env,
+		const DataPtr& data) = 0;
+
+	bool DoTraverse(DataDepVisitor *visitor);
+
+	virtual Type *DoClone() const = 0;
+
+protected:
+	TypeType tot_;
+	const TypeDecl *type_decl_;
+	bool declared_as_type_;
+	const ID *type_decl_id_;
+	Env *env_;
+
+	const ID *value_var_;
+	bool anonymous_value_var_;	// whether the ID is anonymous
+
+	string data_id_str_;
+	int value_var_type_;
+	Field *size_var_field_;
+	char *size_expr_;
+	bool boundary_checked_;
+	string lvalue_;
+	FieldList *fields_;
+
+	bool incremental_input_;
+	bool incremental_parsing_;
+	bool buffer_input_;
+
+	// A boolean variable on whether parsing of the type is completed
+	Field *parsing_complete_var_field_;
+
+	// An integer variable holding the parsing state
+	Field *parsing_state_var_field_;
+
+	Field *buffering_state_var_field_;
+
+	// The array type with &until($input...) condition, if
+	// "this" is the element type
+	ArrayType *array_until_input_;
+
+	// A "has_*" member var for fields with &if
+	LetField *has_value_field_;
+
+	// Attributes
+	AttrList *attrs_;
+
+	Expr *attr_byteorder_expr_;
+	ExprList *attr_checks_;
+	bool attr_chunked_;
+	bool attr_exportsourcedata_;
+	Expr *attr_if_expr_;
+	Expr *attr_length_expr_;
+	FieldList *attr_letfields_;
+	Expr *attr_multiline_end_;
+	bool attr_oneline_;
+	bool attr_refcount_;
+	Expr *attr_requires_;
+	bool attr_restofdata_;
+	bool attr_restofflow_;
+	bool attr_transient_;
+
+public:
+	static void init();
+	static bool CompatibleTypes(Type *type1, Type *type2);
+	static void AddPredefinedType(const string &type_name, Type *type);
+	static Type *LookUpByID(ID *id);
+
+protected:
+	typedef map<string, Type *> type_map_t;
+	static type_map_t type_map_;
+};
+
+#endif  // pac_type_h
diff --git a/aux/binpac/src/pac_typedecl.cc b/aux/binpac/src/pac_typedecl.cc
new file mode 100644
index 0000000000..c989869d20
--- /dev/null
+++ b/aux/binpac/src/pac_typedecl.cc
@@ -0,0 +1,409 @@
+#include "pac_attr.h"
+#include "pac_context.h"
+#include "pac_dataptr.h"
+#include "pac_embedded.h"
+#include "pac_enum.h"
+#include "pac_exception.h"
+#include "pac_expr.h"
+#include "pac_exttype.h"
+#include "pac_id.h"
+#include "pac_output.h"
+#include "pac_param.h"
+#include "pac_paramtype.h"
+#include "pac_record.h"
+#include "pac_type.h"
+#include "pac_typedecl.h"
+#include "pac_utils.h"
+
+TypeDecl::TypeDecl(ID* id, ParamList* params, Type* type)
+	: Decl(id, TYPE), params_(params), type_(type)
+	{
+	env_ = 0;
+	type_->set_type_decl(this, true);
+	}
+
+TypeDecl::~TypeDecl()
+	{
+	delete env_;
+	delete type_;
+
+	delete_list(ParamList, params_);
+	}
+
+void TypeDecl::ProcessAttr(Attr* a)
+	{
+	type_->ProcessAttr(a);
+	}
+
+void TypeDecl::AddParam(Param *param)
+	{
+	// Cannot work after Prepare()
+	ASSERT(! env_);
+	params_->push_back(param);
+	}
+
+void TypeDecl::Prepare()
+	{
+	DEBUG_MSG("Preparing type %s\n", id()->Name());
+
+	if ( type_->tot() != Type::EXTERN && type_->tot() != Type::DUMMY )
+		SetAnalyzerContext();
+
+	// As a type ID can be used in the same way function is, add the
+	// id as a FUNC_ID and set it as evaluated.
+	global_env()->AddID(id(), FUNC_ID, type_);
+	global_env()->SetEvaluated(id());
+
+	env_ = new Env(global_env(), this);
+
+	foreach (i, ParamList, params_)
+		{
+		Param* p = *i;
+		// p->Prepare(env_);
+		type_->AddField(p->param_field());
+		}
+
+	if ( type_->attr_byteorder_expr() )
+		{
+		DEBUG_MSG("Adding byteorder field to %s\n",
+			id()->Name());
+		type_->AddField(new LetField(byteorder_id->clone(), 
+		                         extern_type_int, 
+		                         type_->attr_byteorder_expr()));
+		}
+
+	type_->Prepare(env_, Type::TO_BE_PARSED);
+	}
+
+string TypeDecl::class_name() const
+	{ 
+	return id_->Name(); 
+	}
+
+void TypeDecl::GenForwardDeclaration(Output* out_h)
+	{
+	// Do not generate declaration for external types
+	if ( type_->tot() == Type::EXTERN )
+		return;
+	out_h->println("class %s;", class_name().c_str());
+	}
+
+void TypeDecl::GenCode(Output* out_h, Output* out_cc)
+	{
+	// Do not generate code for external types
+	if ( type_->tot() == Type::EXTERN || type_->tot() == Type::STRING )
+		return;
+
+	fprintf(stderr, "Generating code for %s\n", class_name().c_str());
+
+	if ( RequiresAnalyzerContext::compute(type_) )
+		{
+		DEBUG_MSG("%s requires analyzer context\n", 
+			id()->Name());
+		Type *param_type = analyzer_context()->param_type();
+		env_->AddID(analyzer_context_id, TEMP_VAR, param_type);
+		env_->SetEvaluated(analyzer_context_id);
+		env_->AddMacro(context_macro_id, 
+			new Expr(analyzer_context_id->clone()));
+		}
+
+	// Add parameter "byteorder"
+	if ( type_->RequiresByteOrder() && ! type_->attr_byteorder_expr() )
+		{
+		env_->AddID(byteorder_id, TEMP_VAR, extern_type_int);
+		env_->SetEvaluated(byteorder_id);
+		}
+
+	vector<string> base_classes;
+
+	AddBaseClass(&base_classes);
+
+	if ( type_->attr_refcount() )
+		base_classes.push_back(kRefCountClass);
+
+	// The first line of class definition
+	out_h->println("");
+	out_h->print("class %s", class_name().c_str());
+	bool first = true;
+	foreach(i, vector<string>, &base_classes)
+		{
+		if ( first )
+			{
+			out_h->print(" : public %s", i->c_str());
+			first = false;
+			}
+		else
+			out_h->print(", public %s", i->c_str());
+		}
+	out_h->print("\n");
+
+	// Public members
+	out_h->println("{");
+	out_h->println("public:");
+	out_h->inc_indent();
+
+	GenConstructorFunc(out_h, out_cc);
+	GenDestructorFunc(out_h, out_cc);
+
+	if ( type_->attr_length_expr() )
+		GenInitialBufferLengthFunc(out_h, out_cc);
+
+	GenParseFunc(out_h, out_cc);
+
+	out_h->println("");
+	out_h->println("// Member access functions");
+	type_->GenPubDecls(out_h, env_);
+	out_h->println("");
+
+	GenPubDecls(out_h, out_cc);
+
+	out_h->dec_indent();
+	out_h->println("protected:");
+	out_h->inc_indent();
+
+	GenPrivDecls(out_h, out_cc);
+	type_->GenPrivDecls(out_h, env_);
+
+	out_h->dec_indent();
+	out_h->println("};\n");
+	}
+
+void TypeDecl::GenPubDecls(Output* out_h, Output *out_cc)
+	{
+	// GenParamPubDecls(params_, out_h, env_);
+	}
+
+void TypeDecl::GenPrivDecls(Output* out_h, Output *out_cc)
+	{
+	// GenParamPrivDecls(params_, out_h, env_);
+	}
+
+void TypeDecl::GenInitCode(Output *out_cc)
+	{
+	}
+
+void TypeDecl::GenCleanUpCode(Output *out_cc)
+	{
+	}
+
+void TypeDecl::GenConstructorFunc(Output* out_h, Output* out_cc)
+	{
+	string params_str = ParamDecls(params_);
+
+	string proto = 
+		strfmt("%s(%s)", class_name().c_str(), params_str.c_str());
+
+	out_h->println("%s;", proto.c_str());
+
+	out_cc->println("%s::%s", class_name().c_str(), proto.c_str());
+	out_cc->inc_indent();
+
+	out_cc->println("{");
+
+	// GenParamAssignments(params_, out_cc, env_);
+
+	type_->GenInitCode(out_cc, env_);
+	GenInitCode(out_cc);
+
+	out_cc->println("}\n");
+	out_cc->dec_indent();
+	}
+
+void TypeDecl::GenDestructorFunc(Output* out_h, Output* out_cc)
+	{
+	string proto = strfmt("~%s()", class_name().c_str());
+
+	out_h->println("%s;", proto.c_str());
+
+	out_cc->println("%s::%s", class_name().c_str(), proto.c_str());
+	out_cc->inc_indent();
+	out_cc->println("{");
+
+	GenCleanUpCode(out_cc);
+	type_->GenCleanUpCode(out_cc, env_);
+
+	out_cc->println("}\n");
+	out_cc->dec_indent();
+	}
+
+string TypeDecl::ParseFuncPrototype(Env* env)
+	{
+	const char *func_name = 0;
+	const char *return_type = 0;
+	string params;
+
+	if ( type_->incremental_input() )
+		{
+		func_name = kParseFuncWithBuffer;
+		return_type = "bool";
+		params = strfmt("flow_buffer_t %s",
+			env->LValue(flow_buffer_id));
+		}
+	else
+		{
+		func_name = kParseFuncWithoutBuffer;
+		return_type = "int";
+		params = strfmt("const_byteptr const %s, const_byteptr const %s",
+			env->LValue(begin_of_data), 
+			env->LValue(end_of_data));
+		}
+
+	if ( RequiresAnalyzerContext::compute(type_) )
+		{
+		Type *param_type = analyzer_context()->param_type();
+		params += fmt(", %s %s", 
+			param_type->DataTypeConstRefStr().c_str(),
+			env->LValue(analyzer_context_id));
+		}
+
+	// Add parameter "byteorder"
+	if ( type_->RequiresByteOrder() && ! type_->attr_byteorder_expr() )
+		{
+		params += fmt(", int %s", env->LValue(byteorder_id));
+		}
+
+	// Returns "<return type> %s<func name>(<params>)%s".
+	return strfmt("%s %%s%s(%s)%%s", 
+		return_type, func_name, params.c_str());
+	}
+
+void TypeDecl::GenParsingEnd(Output *out_cc, Env *env, const DataPtr &data)
+	{
+	string ret_val_0, ret_val_1;
+
+	if ( type_->incremental_input() )
+		{
+		ret_val_0 = type_->parsing_complete(env).c_str();
+		ret_val_1 = "false";
+		}
+	else
+		{
+		ret_val_0 = type_->DataSize(0, env, data).c_str();
+		ret_val_1 = "@@@";
+
+		out_cc->println("BINPAC_ASSERT(%s + (%s) <= %s);", 
+			env->RValue(begin_of_data),
+			ret_val_0.c_str(),
+			env->RValue(end_of_data));
+		}
+
+	if ( type_->incremental_parsing() && 
+	     ( type_->tot() == Type::RECORD || type_->tot() == Type::ARRAY ) )
+		{
+		// In which case parsing may jump to label 
+		// "need_more_data" ...
+		out_cc->println("BINPAC_ASSERT(%s);",
+			type_->parsing_complete(env).c_str());
+		out_cc->println("return %s;", ret_val_0.c_str());
+
+		out_cc->println("");
+		out_cc->dec_indent();
+		out_cc->println("%s:", kNeedMoreData);
+		out_cc->inc_indent();
+		out_cc->println("BINPAC_ASSERT(!(%s));",
+			type_->parsing_complete(env).c_str());
+		out_cc->println("return %s;", ret_val_1.c_str());
+		}
+	else if ( type_->incremental_input() )
+		{
+		out_cc->println("return %s;", ret_val_0.c_str());
+		}
+	else	
+		{
+		out_cc->println("return %s;", ret_val_0.c_str());
+		}
+	}
+
+void TypeDecl::GenParseFunc(Output* out_h, Output* out_cc)
+	{
+	if ( type_->tot() == Type::DUMMY )
+		return;
+
+	// Env within the parse function
+	Env p_func_env(env_, this);
+	Env *env = &p_func_env;
+
+	if ( type_->incremental_input() )
+		{
+		env->AddID(flow_buffer_id, TEMP_VAR, extern_type_flowbuffer);
+		env->SetEvaluated(flow_buffer_id);
+		}
+	else
+		{
+		env->AddID(begin_of_data, TEMP_VAR, extern_type_const_byteptr);
+		env->AddID(end_of_data, TEMP_VAR, extern_type_const_byteptr);
+
+		env->SetEvaluated(begin_of_data);
+		env->SetEvaluated(end_of_data);
+		}
+
+	string proto;
+	proto = ParseFuncPrototype(env);
+
+#if 0
+	if ( func_type == PARSE )
+		{
+		out_h->println("// 1. If the message is completely parsed, returns number of");
+		out_h->println("//    input bytes parsed.");
+		out_h->println("// 2. If the input is not complete but the type supports");
+		out_h->println("//    incremental input, returns number of input bytes + 1");
+		out_h->println("//    (%s - %s + 1).",
+			env->LValue(end_of_data), 
+			env->LValue(begin_of_data)); 
+		out_h->println("// 3. An exception will be thrown on error.");
+		}
+#endif
+
+	out_h->println(proto.c_str(), "", ";");
+
+	out_cc->println(proto.c_str(), fmt("%s::", class_name().c_str()), "");
+	out_cc->inc_indent();
+	out_cc->println("{");
+
+	DataPtr data(env, 0, 0);
+
+	if ( ! type_->incremental_input() )
+		data = DataPtr(env, begin_of_data, 0);
+	type_->GenParseCode(out_cc, env, data, 0);
+	GenParsingEnd(out_cc, env, data);
+
+	out_cc->println("}\n");
+	out_cc->dec_indent();
+	}
+
+void TypeDecl::GenInitialBufferLengthFunc(Output* out_h, Output* out_cc)
+	{
+	string func(kInitialBufferLengthFunc);
+
+	int init_buffer_length = type_->InitialBufferLength();
+
+	if ( init_buffer_length < 0 )  // cannot be statically determined
+		{
+		throw Exception(type()->attr_length_expr(), 
+		                fmt("cannot determine initial buffer length"
+		                    " for type %s", id_->Name()));
+		}
+
+	out_h->println("int %s() const { return %d; }", 
+	               func.c_str(),
+	               init_buffer_length);
+	}
+
+Type* TypeDecl::LookUpType(const ID *id)
+	{
+	Decl *decl = LookUpDecl(id);
+	if ( ! decl )
+		return 0;
+	switch ( decl->decl_type() )
+		{
+		case TYPE:
+		case CONN:
+		case FLOW:
+			return static_cast<TypeDecl *>(decl)->type();
+		case ENUM:
+			return static_cast<EnumDecl *>(decl)->DataType();
+		default:
+			return 0;
+		}
+	}
+
diff --git a/aux/binpac/src/pac_typedecl.h b/aux/binpac/src/pac_typedecl.h
new file mode 100644
index 0000000000..37631af18e
--- /dev/null
+++ b/aux/binpac/src/pac_typedecl.h
@@ -0,0 +1,49 @@
+#ifndef pac_typedecl_h
+#define pac_typedecl_h
+
+#include "pac_decl.h"
+
+class TypeDecl : public Decl
+{
+public:
+	TypeDecl(ID *arg_id, ParamList *arg_params, Type *arg_type);
+	~TypeDecl();
+	void Prepare();
+	void GenForwardDeclaration(Output *out_h);
+	void GenCode(Output *out_h, Output *out_cc);
+
+	Env *env() const	{ return env_; }
+	Type *type() const	{ return type_; }
+	string class_name() const;
+	static Type *LookUpType(const ID *id);
+
+protected:
+	void AddParam(Param *param);
+	virtual void AddBaseClass(vector<string> *base_classes) const {}
+	void ProcessAttr(Attr *a);
+
+	virtual void GenPubDecls(Output *out_h, Output *out_cc);
+	virtual void GenPrivDecls(Output *out_h, Output *out_cc);
+	virtual void GenInitCode(Output *out_cc);
+	virtual void GenCleanUpCode(Output *out_cc);
+
+	void GenConstructorFunc(Output *out_h, Output *out_cc);
+	void GenDestructorFunc(Output *out_h, Output *out_cc);
+
+	string ParseFuncPrototype(Env* env);
+	void GenParseFunc(Output *out_h, Output *out_cc);
+
+	void GenParsingEnd(Output *out_cc, Env *env, const DataPtr &data);
+
+	void GenInitialBufferLengthFunc(Output *out_h, Output *out_cc);
+
+protected:
+	Env *env_;
+
+	ParamList *params_;
+	Type *type_;
+
+	bool inherits_frame_buffer_;
+};
+
+#endif  // pac_typedecl_h
diff --git a/aux/binpac/src/pac_utils.cc b/aux/binpac/src/pac_utils.cc
new file mode 100644
index 0000000000..a9118fc256
--- /dev/null
+++ b/aux/binpac/src/pac_utils.cc
@@ -0,0 +1,43 @@
+// $Id: pac_utils.cc 3225 2006-06-08 00:00:01Z vern $
+
+#include <stdarg.h>
+#include <string.h>
+#include <stdio.h>
+
+#include "pac_utils.h"
+
+char* copy_string(const char* s)
+        {
+        char* c = new char[strlen(s)+1];
+        strcpy(c, s);
+        return c;
+        }
+
+namespace {
+
+const char* do_fmt(const char* format, va_list ap)
+	{
+	static char buf[1024];
+	vsnprintf(buf, sizeof(buf), format, ap);
+	return buf;
+	}
+
+}
+
+string strfmt(const char* format, ...)
+	{
+	va_list ap;
+	va_start(ap, format);
+	const char* r = do_fmt(format, ap);
+	va_end(ap);
+	return string(r);
+	}
+
+char* nfmt(const char* format, ...)
+	{
+	va_list ap;
+	va_start(ap, format);
+	const char* r = do_fmt(format, ap);
+	va_end(ap);
+	return copy_string(r);
+	}
diff --git a/aux/binpac/src/pac_utils.h b/aux/binpac/src/pac_utils.h
new file mode 100644
index 0000000000..deef850245
--- /dev/null
+++ b/aux/binpac/src/pac_utils.h
@@ -0,0 +1,17 @@
+// $Id: pac_utils.h 3225 2006-06-08 00:00:01Z vern $
+
+#ifndef pac_utils_h
+#define pac_utils_h
+
+#include <sys/types.h>
+#include <string>
+using namespace std;
+
+char* copy_string(const char* s);
+string strfmt(const char* fmt, ...);
+char* nfmt(const char* fmt, ...);
+
+// const char* fmt(const char* fmt, ...);
+#define fmt(x...) strfmt(x).c_str()
+
+#endif /* pac_utils_h */
diff --git a/aux/binpac/src/pac_varfield.cc b/aux/binpac/src/pac_varfield.cc
new file mode 100644
index 0000000000..76f36910f6
--- /dev/null
+++ b/aux/binpac/src/pac_varfield.cc
@@ -0,0 +1,6 @@
+#include "pac_varfield.h"
+
+void PrivVarField::Prepare(Env *env)
+	{
+	Field::Prepare(env);
+	}
diff --git a/aux/binpac/src/pac_varfield.h b/aux/binpac/src/pac_varfield.h
new file mode 100644
index 0000000000..8fea8879f9
--- /dev/null
+++ b/aux/binpac/src/pac_varfield.h
@@ -0,0 +1,51 @@
+#ifndef pac_varfield_h
+#define pac_varfield_h
+
+#include "pac_field.h"
+
+// A private variable evaluated with parsing
+class ParseVarField : public Field
+{
+public:
+	ParseVarField(int is_class_member, ID* id, Type *type) 
+	: Field(PARSE_VAR_FIELD, 
+		TYPE_TO_BE_PARSED | is_class_member | NOT_PUBLIC_READABLE,
+		id, type) {}
+	void GenPubDecls(Output* out, Env* env) { /* do nothing */ }
+};
+
+// A public variable
+class PubVarField : public Field
+{
+public:
+	PubVarField(ID* id, Type *type) 
+	: Field(PUB_VAR_FIELD, 
+		TYPE_NOT_TO_BE_PARSED | CLASS_MEMBER | PUBLIC_READABLE, 
+		id, type) {}
+	~PubVarField() {}
+};
+
+// A private variable
+class PrivVarField : public Field
+{
+public:
+	PrivVarField(ID* id, Type *type) 
+	: Field(PRIV_VAR_FIELD, 
+		TYPE_NOT_TO_BE_PARSED | CLASS_MEMBER | NOT_PUBLIC_READABLE, 
+		id, type) {}
+	~PrivVarField() {}
+
+	void GenPubDecls(Output* out, Env* env) { /* do nothing */ }
+};
+
+class TempVarField : public Field
+{
+public:
+	TempVarField(ID* id, Type *type) 
+	: Field(TEMP_VAR_FIELD, 
+		TYPE_NOT_TO_BE_PARSED | NOT_CLASS_MEMBER, 
+		id, type) {}
+	~TempVarField() {}
+};
+
+#endif  // pac_varfield_h
diff --git a/aux/binpac/src/pac_withinput.cc b/aux/binpac/src/pac_withinput.cc
new file mode 100644
index 0000000000..8c39053046
--- /dev/null
+++ b/aux/binpac/src/pac_withinput.cc
@@ -0,0 +1,80 @@
+#include "pac_withinput.h"
+#include "pac_dataptr.h"
+#include "pac_expr.h"
+#include "pac_inputbuf.h"
+#include "pac_output.h"
+#include "pac_type.h"
+
+WithInputField::WithInputField(ID* id, Type *type, InputBuffer* input)
+	: Field(WITHINPUT_FIELD, 
+		TYPE_TO_BE_PARSED | CLASS_MEMBER | PUBLIC_READABLE, 
+		id, type), 
+	  input_(input)
+	{
+	ASSERT(type_);
+	ASSERT(input_);
+	}
+
+WithInputField::~WithInputField()
+	{
+	delete input_;
+	}
+
+bool WithInputField::DoTraverse(DataDepVisitor *visitor)
+	{ 
+	return Field::DoTraverse(visitor) &&
+	       input()->Traverse(visitor); 
+	}
+
+bool WithInputField::RequiresAnalyzerContext() const 
+	{ 
+	return Field::RequiresAnalyzerContext() ||
+	       (input() && input()->RequiresAnalyzerContext()); 
+	}
+
+void WithInputField::Prepare(Env* env)
+	{
+	Field::Prepare(env);
+	env->SetEvalMethod(id_, this);
+	}
+
+void WithInputField::GenEval(Output* out_cc, Env* env)
+	{
+	GenParseCode(out_cc, env);
+	if ( type_->attr_if_expr() )
+		{
+		out_cc->println("BINPAC_ASSERT(%s);", 
+			env->RValue(type_->has_value_var()));
+		}
+	}
+	
+void WithInputField::GenParseCode(Output* out_cc, Env* env)
+	{
+	out_cc->println("// Parse \"%s\"", id_->Name());
+	if ( type_->attr_if_expr() )
+		{
+		// A conditional field
+		env->Evaluate(out_cc, type_->has_value_var());
+		out_cc->println("if ( %s )", 
+			env->RValue(type_->has_value_var()));
+		out_cc->inc_indent();
+		out_cc->println("{");
+		}
+	else
+		out_cc->println("{");
+
+	Env field_env(env, this);
+	ASSERT(! type_->incremental_input());
+	type_->GenPreParsing(out_cc, &field_env);
+	type_->GenParseCode(out_cc, &field_env, 
+		input()->GenDataBeginEnd(out_cc, &field_env),
+		0);
+
+	if ( type_->attr_if_expr() )
+		{
+		out_cc->println("}");
+		out_cc->dec_indent();
+		}
+	else
+		out_cc->println("}");
+	}
diff --git a/aux/binpac/src/pac_withinput.h b/aux/binpac/src/pac_withinput.h
new file mode 100644
index 0000000000..18b086d61a
--- /dev/null
+++ b/aux/binpac/src/pac_withinput.h
@@ -0,0 +1,38 @@
+#ifndef pac_withinput_h
+#define pac_withinput_h
+
+#include "pac_datadep.h"
+#include "pac_decl.h"
+#include "pac_field.h"
+
+class WithInputField : public Field, public Evaluatable
+{
+public:
+	WithInputField(ID* id, Type *type, InputBuffer* input);
+	virtual ~WithInputField();
+
+	InputBuffer *input() const	{ return input_; }
+
+	void Prepare(Env* env);
+
+	// void GenPubDecls(Output* out, Env* env);
+	// void GenPrivDecls(Output* out, Env* env);
+
+	// void GenInitCode(Output* out, Env* env);
+	// void GenCleanUpCode(Output* out, Env* env);
+
+	void GenParseCode(Output* out, Env* env);
+
+	// Instantiate the Evaluatable interface
+	void GenEval(Output* out, Env* env);
+
+	bool RequiresAnalyzerContext() const;
+
+protected:
+	bool DoTraverse(DataDepVisitor *visitor);
+
+protected:
+	InputBuffer *input_;
+};
+
+#endif  // pac_withinput_h
diff --git a/aux/broccoli/AUTHORS b/aux/broccoli/AUTHORS
new file mode 100644
index 0000000000..7167bfcffc
--- /dev/null
+++ b/aux/broccoli/AUTHORS
@@ -0,0 +1,3 @@
+Christian Kreibich <christian AT icir.org> and various contributors,
+see ChangeLog for details.
+
diff --git a/aux/broccoli/COPYING b/aux/broccoli/COPYING
new file mode 100644
index 0000000000..265fcf14d4
--- /dev/null
+++ b/aux/broccoli/COPYING
@@ -0,0 +1,21 @@
+
+Broccoli is copyright (C) 2000-2009 Christian Kreibich <christian@icir.org>.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to
+deal in the Software without restriction, including without limitation the
+rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+sell copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies of the Software and its documentation and acknowledgment shall be
+given in the documentation and software packages that this Software was
+used.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
diff --git a/aux/broccoli/ChangeLog b/aux/broccoli/ChangeLog
new file mode 100644
index 0000000000..8d5c52cf88
--- /dev/null
+++ b/aux/broccoli/ChangeLog
@@ -0,0 +1,1547 @@
+Broccoli Changelog
+========================================================================
+
+Tue Jan 12 12:32:12 PST 2010             Christian <christian@whoop.org>
+
+- Build warning fixes (Kevin Lo).
+
+------------------------------------------------------------------------
+
+Fri Oct  9 18:42:05 PDT 2009             Christian <christian@whoop.org>
+
+- Version bump to 1.5.
+
+------------------------------------------------------------------------
+
+Fri Sep 25 10:09:03 PDT 2009             Christian <christian@whoop.org>
+
+- Bropipe fixes: set a connection class for robustness reasons;
+  removes some C/C++ confusion (Seth Hall).
+
+------------------------------------------------------------------------
+
+Mon Jun 29 17:56:00 PDT 2009             Christian <christian@whoop.org>
+
+- SWIG bindings update.
+
+------------------------------------------------------------------------
+
+Mon Jun 29 15:29:35 PDT 2009             Christian <christian@whoop.org>
+
+- Support for sending raw serialized events via the new API function
+  bro_event_send_raw(), with much help from Matthias Vallentin.
+
+------------------------------------------------------------------------
+
+Mon Jun 29 15:20:58 PDT 2009             Christian <christian@whoop.org>
+
+- Fix for buffered data remaining in transmit buffer when calling
+  for_event_queue_flush().
+
+- Added bro_conn_get_connstats() which reports statistical information 
+  about a connection in a new dedicated structure BroConnStats. For now 
+  this is only the amount of data buffered in the rx/tx buffers.
+
+------------------------------------------------------------------------
+
+Mon Jun 29 15:18:10 PDT 2009             Christian <christian@whoop.org>
+
+- All multiprocess/-threading synchronization code has been removed.
+
+------------------------------------------------------------------------
+
+Mon Jun 29 15:10:59 PDT 2009             Christian <christian@whoop.org>
+
+- Broccoli now requires initialization before any connections may be
+  created. The reason is twofold: (i) it provides a clean method for
+  initializing relevant parts of Broccoli in multithreaded environments,
+  and (ii) it allows configuration of parts of Broccoli where the
+  normal approach via configuration files is insufficient.
+
+  For details on the initialization process, refer to the manual, but
+  generally speaking, a call to
+
+    bro_init(NULL);
+
+  at the beginning of your application is all that is required. For the
+  time being, a number of high-level API calls double-check whether you
+  have called bro_init() previously.
+
+- Broccoli now supports the callback functions OpenSSL requires for
+  thread-safe operation.  Implement those callbacks as required by your 
+  threading library, hook them into a BroCtx structure previously
+  initialized using bro_ctx_init(), and pass the structure to  
+  bro_init().  This will hook the callbacks into OpenSSL for you. 
+
+  O'Reilly's book "Network Security with OpenSSL" provides an example
+  of how to implement the callbacks.
+
+------------------------------------------------------------------------
+
+Thu Jun 25 16:46:37 PDT 2009             Christian <christian@whoop.org>
+
+- Fix to Python bindings: added required bro_init() call (Matthias
+  Vallentin).
+
+------------------------------------------------------------------------
+
+Thu May 28 10:27:30 PDT 2009             Christian <christian@whoop.org>
+
+- The BroEvMeta structure used in compact event callbacks now allows
+  access to the timestamp of event creation.
+
+------------------------------------------------------------------------
+
+Fri Mar 27 23:39:10 CET 2009             Christian <christian@whoop.org>
+
+- Fixed a memory leak triggered by bro_event_send() but actually caused
+  by lack of cleanup after an underlying string duplication. Thanks to
+  Steve Chan and Matthias Vallentin for helpful feedback.
+
+------------------------------------------------------------------------
+
+Wed Mar 25 11:26:16 CET 2009             Christian <christian@whoop.org>
+
+Formatting robustness fixes to bropipe (Steve Chan).
+
+------------------------------------------------------------------------
+
+Thu Feb 12 19:28:24 PST 2009             Christian <christian@whoop.org>
+
+- Updates to contributed bropipe command (Steve Chan):
+  - Proper parsing of default host/port.
+  - Support for "urlstring" type, which urlencodes spaces in strings
+    and other special characters.
+
+------------------------------------------------------------------------
+
+Thu Dec 11 09:37:12 PST 2008             Christian <christian@whoop.org>
+
+- Optimization: the internal slots vector of hashtables is now lazily
+  allocated when the first actual insertion happens. Since hashtables
+  are used in various places in the BroVal structures but frequently
+  remain empty, the savings are substantial. Thanks to Matthias
+  Vallentin for pointing this out.
+
+------------------------------------------------------------------------
+
+Mon Nov  3 11:07:49 PST 2008             Christian <christian@whoop.org>
+
+- Fixes for I/O deadlocking problems:
+
+  - A bug in the implementation of BRO_CFLAG_YIELD has been
+    fixed. Input processing now only yields after the
+    handshake is complete on *both* endpoints.
+
+  - When events arrive during bro_conn_connect(), it could happen
+    that deadlock ensues if no additional data are sent and
+    __bro_io_process_input() can not read new input data. It no
+    longer returns immediately in that case, and instead attempts
+    to process any available input data.
+
+------------------------------------------------------------------------
+
+Sat Oct  4 15:05:07 CEST 2008            Christian <christian@whoop.org>
+
+- Added bro_record_get_nth_name() to the API (Seth Hall).
+- make install no longer worked for documentation, apparently as part
+  of Bro's make install cleanup. This isn't quite right since gtk-doc
+  documentation is normally installed in a well-known place and 
+  Broccoli will normally need to be installed via "make install", but 
+  for now I'm leaving it uninstalled and instead provide a specific 
+  "install-docs" target for people who want documentation installed.
+- Documentation updated where missing, and rebuilt.
+- Copyright years updated.
+
+------------------------------------------------------------------------
+
+Mon Sep 22 21:34:13 CEST 2008            Christian <christian@whoop.org>
+
+- Updated broping.bro (and broping-record.bro, slightly) to explicitly 
+  declare the used event types ahead of their use.
+
+------------------------------------------------------------------------
+
+Mon Sep  8 11:30:35 CEST 2008            Christian <christian@whoop.org>
+
+- Use of caching on received objects is now disabled by default, but can
+  be enabled using the new connection flag BRO_CFLAG_CACHE.  The old
+  BRO_CFLAG_DONTCACHE is kept for backward compatibility but no longer
+  does anything. Keeping the caches between Bro instances and Broccoli
+  synchronized still needs to be implemented completely, and in the
+  meantime no caching is the safer default.  Thanks to Stephen Chan for
+  helping track this down.
+
+------------------------------------------------------------------------
+
+Wed Jul 16 01:47:16 PDT 2008             Christian <christian@whoop.org>
+
+- Python bindings for Broccoli are now provided in the bindings/python
+  subdirectory (Robin Sommer).  They are not built automatically. See 
+  the instructions in bindings/python/README for details.
+- Minor documentation setup tweaks.
+
+------------------------------------------------------------------------
+
+Thu May 15 14:05:10 PDT 2008             Christian <christian@whoop.org>
+
+Event callbacks of the "compact" type are now able to obtain start- and
+end pointers of the currently processed event in serialized form, from
+the receive buffer stored with the connection handle.
+
+------------------------------------------------------------------------
+
+Wed Feb 20 13:53:51 PST 2008             Christian <christian@whoop.org>
+
+- Fix to __bro_openssl_read(), which handled some error cases
+  reported by BIO_read() incorrectly. (Robin Sommer)
+- Clarifications to documentation of bro_conn_active() and
+  bro_conn_process_input().
+- Version bump to 1.4.0.
+
+------------------------------------------------------------------------
+
+Thu Sep 13 13:56:58 PDT 2007             Christian <christian@whoop.org>
+
+- autogen.sh now uses --force when running libtoolize, which at least
+  in some setups seems to be necessary to avoid bizarre build issues.
+  (In the particular case encountered, these looked like run-together 
+  ar and runlib invocations). Thanks to Po-Ching Lin for helping nail
+  this down.
+
+------------------------------------------------------------------------
+
+Mon Sep 10 18:17:29 PDT 2007             Christian <christian@whoop.org>
+
+- Broccoli now supports table and set container types. Have a look at
+  the bro_table_...() and bro_set_...() families of functions in
+  broccoli.h, the updated manual, and the updated broconn and brotable
+  examples in the test/ directory.
+
+------------------------------------------------------------------------
+
+Tue Sep  4 15:53:27 PDT 2007             Christian <christian@whoop.org>
+
+- Major bugfix for capabilities exchange during handshake: Broccoli did
+  not convert into NBO, causing successful event exchange to fail. :(
+  Amazingly, this means disabling cache usage per Broccoli's request
+  never worked...
+
+------------------------------------------------------------------------
+
+Tue Sep  4 12:36:53 PDT 2007             Christian <christian@whoop.org>
+
+- Changed the way compact argument passing to event callbacks works.
+  All event metadata is now represented by a single argument, a pointer
+  to a BroEvMeta structure. It contains the name of the event, the
+  number of arguments, and the arguments along with their types.
+
+  Updated documentation and broping demo accordingly.
+
+  NOTE: This introduces an API incompatibility. If you were previously
+        using the compact callback API, you will need to update your
+        code! I bumped up the library version info to 2:0:0 to signal
+        this.  
+
+- Fixed a bug in the implementation of BRO_CFLAG_YIELD and some SGML-
+  violating documentation of same.
+
+------------------------------------------------------------------------
+
+Thu Aug 16 15:24:51 CEST 2007            Christian <christian@whoop.org>
+
+- Include autogen.sh in the distribution.
+
+------------------------------------------------------------------------
+
+Sat Aug 11 04:59:35 PDT 2007                      Robin <robin@icir.org>
+	
+- New flag for Broccoli's connections: with BRO_CFLAG_YIELD,
+  bro_conn_process_input() processes at most one event at a time and then
+  returns (Robin Sommer).
+
+- The new Broccoli function bro_conn_new_socket() creates a connection
+  from an existing socket, which can then be used with listen()/accept()
+  to have Broccoli listen for incoming connections (Robin Sommer).
+	
+------------------------------------------------------------------------
+
+Fri Jul  6 18:18:05 PDT 2007             Christian <christian@whoop.org>
+
+- Bumped up the version number to 1.3. Now that Broccoli is bundled
+  with Bro, it makes sense to keep Broccoli's release version number
+  in synch with Bro's.
+- Added the automake-provided ylwrap wrapper script to the distribution.
+  This is for compatibility reasons: some automakes believe that
+  Broccoli requires ylwrap, others don't. The distcheck target however
+  needs ylwrap when it *is* required, so it's easiest to just provide
+  one. It can always be overwritten locally, should the need arise.
+
+------------------------------------------------------------------------
+
+Wed Mar  7 10:49:25 PST 2007             Christian <christian@whoop.org>
+
+- Data format version number bumped up, in sync with Bro again.
+
+------------------------------------------------------------------------
+
+Mon Dec  4 12:07:12 PST 2006             Christian <christian@whoop.org>
+
+- Updated broconn.c to new bro_record_get_named_val().
+
+------------------------------------------------------------------------
+
+Tue Nov 28 11:16:04 PST 2006             Christian <christian@whoop.org>
+
+- Run-time type information is now also available for the values stored
+  in records (previously there was only type-checking, but no way to
+  obtain the type of the vals). See the manual and API documentation of
+  the functions bro_record_get_nth_val() and bro_record_get_named_val()
+  for details.
+
+------------------------------------------------------------------------
+
+Mon Nov 27 18:38:06 PST 2006             Christian <christian@whoop.org>
+
+- Compact argument passing for event callbacks: as an alternative to the
+  argument passing style used so far for event callbacks (dubbed "expan-
+  ded"), one can now request "compressed" passing by using the
+  bro_event_registry_add_compact() variant. Instead of passing every
+  event argument as a separate pointer, compact passing provides only
+  the number of arguments, and a pointer to an array of BroEvArgs.
+  The elements of this array then provide pointers to the actual argu-
+  ments as well as pointers to the new BroValMeta metadata structure,
+  which currently contains type information about the argument.
+
+  This style is better suited for applications that don't know the type
+  of events they will have to handle at compile time, for example when
+  writing language bindings.
+
+  broping.c features example code, also see the manual for detailed
+  explanation.
+
+------------------------------------------------------------------------
+
+Mon Nov 27 16:32:52 PST 2006             Christian <christian@whoop.org>
+
+- Bumped up version to 0.9
+- I'm starting to use shared library version numbers to indicate API
+  changes. Their correspondence to the release version number will be
+  listed in VERSION.
+- Fixed a warning in bro_packet.c
+
+------------------------------------------------------------------------
+
+Mon Nov 27 16:23:46 PST 2006             Christian <christian@whoop.org>
+
+- Renamed cvs.pl to svn.pl
+- Bumped up BRO_DATA_FORMAT_VERSION to 13, to match that of Bro trunk.
+
+------------------------------------------------------------------------
+
+Mon Nov 27 16:21:28 PST 2006             Christian <christian@whoop.org>
+
+- Updating my commit script to SVN -- let's see if this works...
+
+------------------------------------------------------------------------
+
+Mon May 15 19:21:30 BST 2006             Christian <christian@whoop.org>
+
+- Correction to the explanation of bro_event_registry_add(), pointed
+  out by Robin Sommer.
+
+------------------------------------------------------------------------
+
+Mon May  8 08:14:31 PDT 2006             Christian <christian@whoop.org>
+
+- Added config.sub and config.guess versions that seem to work well with
+  MacOS X to the tree, to remove the dependency on the libtool/automake
+  versions installed on the machine where tarballs are built.
+
+- Removed -f from libtoolize invocation in autogen.sh, so we don't
+  overwrite the above.
+
+- Fixed COPYING, which wasn't actually referring to Broccoli. :)
+
+------------------------------------------------------------------------
+
+Sat May  6 20:17:32 BST 2006             Christian <christian@whoop.org>
+
+- Last-minute tweaks bring last-minute brokenness, especially when
+  configuring without --enable-debug... :(
+
+------------------------------------------------------------------------
+
+Tue May  2 13:25:31 BST 2006             Christian <christian@whoop.org>
+
+- Added generated HTML documentation to CVS, so it is guaranteed to be
+  included in tarballs generated via dist/distcheck, regardless of
+  whether GtkDoc support exists on the build system or not. 
+
+------------------------------------------------------------------------
+
+Tue May  2 02:31:39 BST 2006             Christian <christian@whoop.org>
+
+- Changed connection setup debugging output to state more clearly
+  whether an SSL or cleartext connection is attempted, as suggested
+  by Brian Tierney.
+- New configuration item /broccoli/use_ssl to enable/disable SSL
+  connections, as suggested by Jason Lee. Documentation and sample
+  configuration in broccoli.conf updated accordingly, look at the latter
+  for a quick explanation.
+- A bunch of small tweaks to get distcheck to work properly when invoked
+  from the Bro tree.
+- Other doc/Makefile.am cleanups.
+
+------------------------------------------------------------------------
+
+Sat Apr 29 19:12:07 PDT 2006             Christian <christian@whoop.org>
+
+- Fixed bogusness in docs/Makefile.am's dist-hook target. Should now
+  work much better in general, and in particular not bomb out with
+  non-GNU make.
+
+------------------------------------------------------------------------
+
+Fri Apr  7 23:52:20 BST 2006             Christian <christian@whoop.org>
+
+- Bumped up BRO_DATA_FORMAT_VERSION to 12, to match the one in Bro's
+  CVS HEAD again.
+
+------------------------------------------------------------------------
+
+Mon Mar 27 22:59:04 BST 2006             Christian <christian@whoop.org>
+
+- This should fix a memleak detected by Jim Mellander and reported with
+  a test case by Mark Dedlow.
+
+------------------------------------------------------------------------
+
+Fri Mar  3 16:40:56 GMT 2006             Christian <christian@whoop.org>
+
+- Warning for invalid permissions on ~/.broccoli.conf has been upgraded
+  from debugging output to stderr, per request from Mark Dedlow.
+- Only check validity of config file name assembled via getenv("HOME")
+  if it yields a filename different from the one assembled via the
+  passwd entry.
+
+------------------------------------------------------------------------
+
+Thu Mar  2 17:57:49 GMT 2006             Christian <christian@whoop.org>
+
+- Reintroducing file needed for distcheck.
+
+------------------------------------------------------------------------
+
+Thu Mar  2 16:27:55 GMT 2006             Christian <christian@whoop.org>
+
+- Debugging fixlet.
+
+------------------------------------------------------------------------
+
+Fri Feb  3 20:31:08 GMT 2006             Christian <christian@whoop.org>
+
+- Embarrassing debugging output fixes.
+
+------------------------------------------------------------------------
+
+Fri Jan 27 23:40:23 GMT 2006             Christian <christian@whoop.org>
+
+- Only do lock operations when there's any need for them.
+
+------------------------------------------------------------------------
+
+Fri Jan 27 18:30:06 GMT 2006             Christian <christian@whoop.org>
+
+I am *so* fired. Overlooked a very clear warning that bro_io.c:lock()
+wasn't returning a value.
+
+------------------------------------------------------------------------
+
+Wed Jan 18 10:45:33 GMT 2006             Christian <christian@whoop.org>
+
+- Fixed call trace debugging inconsistencies, this will hopefully fix a
+  case of runaway call trace indentation depth that Robin + Stefan have
+  bumped into.
+
+------------------------------------------------------------------------
+
+Wed Jan  4 16:21:07 GMT 2006             Christian <christian@whoop.org>
+
+- Documentation fixlet, pointed out by Stefan Kornexl.
+
+------------------------------------------------------------------------
+
+Thu Dec 22 00:48:20 GMT 2005             Christian <christian@whoop.org>
+
+- Attempt at a more portable detecting of [g]libtoolize. Let me know if
+  this works any better.
+
+------------------------------------------------------------------------
+
+Mon Dec 19 17:48:19 PST 2005             Christian <christian@whoop.org>
+
+- Moved brosendpkts.c and rcvpackets.bro from test/ to contrib/, i.e.,
+  out of the default build process. brosendpkts.c defines variables in
+  the middle of main(), which some compilers tolerate while others
+  don't. This should fix build issues reported by Brian Tierney.
+
+------------------------------------------------------------------------
+
+Thu Dec 15 18:38:18 GMT 2005             Christian <christian@whoop.org>
+
+Configuration tweaks to run smoothly when invoked from a Bro build.
+
+- Added AC_CONFIG_AUX_DIR(.) to make sure things are exclusively run
+  out of our tree.
+- Added flags to autogen.sh and configure.in to indicate that we're
+  part of a Bro build.
+
+------------------------------------------------------------------------
+
+Fri Dec  2 14:04:05 GMT 2005             Christian <christian@whoop.org>
+
+- Removed EXTRA_DIST for the test app policies, since they are included
+  in the tarball and installed anyway via pkgdata_DATA.
+
+------------------------------------------------------------------------
+
+Fri Dec  2 13:59:27 GMT 2005             Christian <christian@whoop.org>
+
+- Added "brosendpkts", a test program for sending pcap packets to a Bro,
+  plus the accompanying Bro policy. Contributed by Stefan Kornexl and
+  Robin Sommer, with a tiny tweak to build only when pcap support is
+  available.
+
+------------------------------------------------------------------------
+
+Wed Nov 23 11:59:03 PST 2005             Christian <christian@whoop.org>
+
+- Avoided the keyword "class" to prevent problems with using broccoli.h
+  in a C++ context. Pointed out by Stefan Kornexl.
+
+------------------------------------------------------------------------
+
+Tue Nov  8 14:10:23 PST 2005             Christian <christian@whoop.org>
+
+- Added support for connection classes, updated documentation.
+
+------------------------------------------------------------------------
+
+Mon Oct 31 19:37:55 PST 2005             Christian <christian@whoop.org>
+
+- Support for specifying type names along with values. This is done
+through a new and optional argument to bro_event_add_val(), bro_
+record_add_val(), and friends. See manual for details.
+
+- Added a test program "broenum" for demonstrating this. When running
+Bro with the provided broenum.bro policy, it sends a single event with
+an enum val to the remote Bro, which will print both numerical and
+string representations of the value. For example, broenum.bro defines
+an enum type
+
+  type enumtype: enum { ENUM1, ENUM2, ENUM3, ENUM4 };
+
+Given this,
+
+  $ broenum -n 0              yields	 Received enum val 0/ENUM1
+  $ broenum -n 1              yields	 Received enum val 1/ENUM2
+  $ broenum -n 4              yields	 Received enum val 4/<undefined>
+
+You can also test predefined enums:
+
+  $ broenum -t transport_proto -n 1
+
+yields
+
+  Received enum val 1/tcp
+
+------------------------------------------------------------------------
+
+Mon Oct 31 17:07:15 PST 2005             Christian <christian@whoop.org>
+
+Changed commit script to pass the commit message through the generated
+file via -F, instead of via -m and the command line. D'oh.
+
+------------------------------------------------------------------------
+
+Mon Oct 31 17:03:47 PST 2005             Christian <christian@whoop.org>
+
+- Support for the new abbreviated serialization format for types. Need
+to come up with a decent API for actually using this feature now.
+
+------------------------------------------------------------------------
+
+Mon Oct 31 11:25:22 PST 2005             Christian <christian@whoop.org>
+
+Several changes to handshake implementation and API(!).
+
+- Refactored the handshake code to make the multiple phases of the
+connection's initialization phase more explicit. Our own and the peer's
+handshake state are now tracked separately. conn_init_configure() takes
+care of our state machine with a separate function per phase, and
+__bro_io_process_input() handles the peer's state.
+
+- Added support for capabilities. The only capability Broccoli currently
+supports is a non-capability: it can ask the remote Bro not to use the
+serialization cache. In order to do so, pass BRO_CONN_DONTCACHE as
+a connection flag when obtaining the connection handle. Needs more
+testing.
+
+- Several API changes. Given the more complex handshake procedure that
+is in place now, the old approach of only completing the handshake half-
+way in bro_connect() so the user can requests before calling
+bro_conn_await_handshake() (or alternatively, passing
+BRO_CONN_COMPLETE_HANDSHAKE as a connection flag) is just too messy now.
+The two steps of obtaining a connection handle and establishing a
+connection have been split into separate functions, so the user can
+register event handlers in between.
+
+What was
+
+ BroConn *bc = bro_connect(..., BRO_CFLAGS_NONE);
+
+ bro_event_registry_add(bc,...);
+ bro_event_registry_add(bc,...);
+ bro_event_registry_request(bc);
+
+ bro_conn_await_handshake(bc);
+ /* ... */
+ bro_disconnect(bc);
+
+is now
+
+ BroConn *bc = bro_conn_new(..., BRO_CFLAGS_NONE);
+
+ bro_event_registry_add(bc,...);
+ bro_event_registry_add(bc,...);
+
+ bro_conn_connect(bc);
+ /* ... */
+ bro_conn_delete(bc);
+
+Note that the explicit call to bro_event_registry_request() is gone as
+bro_conn_connect() will automatically request event types for which
+handlers have been installed via bro_event_registry_add(). What was
+
+ BroConn *bc = bro_connect(..., BRO_CFLAGS_COMPLETE_HANDSHAKE);
+ bro_disconnect(bc);
+
+is now
+
+ BroConn *bc = bro_conn_new(..., BRO_CFLAGS_NONE);
+ bro_conn_connect(bc);
+ /* ... */
+ bro_conn_delete(bc);
+
+I might add bro_conn_disconnect() in the near future. It'd allow us
+to keep a completely configured connection handle around and use it
+repeatedly for establishing connections.
+
+Sorry for the inconvenience but I really think this is a lot nicer than
+the old API. The examples and documentation have been updated accor-
+dingly.	
+
+------------------------------------------------------------------------
+
+Sat Oct 29 15:43:18 PDT 2005             Christian <christian@whoop.org>
+
+Added an optional age list to the hash table implementation. We'll
+need this to duplicate Bro's object serialization caching strategy.
+
+------------------------------------------------------------------------
+
+Fri Oct 28 15:26:55 PDT 2005             Christian <christian@whoop.org>
+
+Brothers and sisters, hallelujah! On the 27th day Christian looked at
+record vals in the Broccoli, and he saw that it was leaking like a
+sieve. So Christian ran the valgrind. On the 28th day Christian still
+looked at Broccoli, with tired eyes, ground the vals[1] a bit more,
+and he saw that it was plugged[2].
+
+Amen. :)
+
+[1] Really really bad pun. Sorry.
+[2] I get zero memleaks on broping -r -c 100 now. :)
+
+------------------------------------------------------------------------
+
+Thu Oct 27 20:02:39 PDT 2005             Christian <christian@whoop.org>
+
+First crack at reference-counted sobjects. I need reference counting
+in order to get rid of objects in the serialization cache (since they
+can contain nested objects etc -- it's nasty), which I had ignored so
+far. There are still leaks in the event transmission code, dammit. :(
+
+------------------------------------------------------------------------
+
+Thu Oct 27 15:06:10 PDT 2005             Christian <christian@whoop.org>
+
+Added my own list implementation due to suckiness of the TAILQ_xxx
+macro stuff which I never liked anyway. The problem is that elements
+of lists built using these macros can only have each member exactly
+once as the prev/next pointers are part of the structs.
+
+A few uses of TAILQ_xxx remain, these will go in the near future.
+
+------------------------------------------------------------------------
+
+Tue Oct 25 19:57:42 PDT 2005             Christian <christian@whoop.org>
+
+Partial support for enum vals, per request from Weidong. Sending enum
+vals should work, though the underlying enum types aren't fully handled
+yet.
+
+------------------------------------------------------------------------
+
+Mon Oct 24 16:31:56 PDT 2005             Christian <christian@whoop.org>
+
+TODO item: clean up generated parser/lexer files when we know we can
+regenerate them. make clean currently does not erase them, which caused
+Weidong some trouble.
+
+------------------------------------------------------------------------
+
+Fri Oct 21 17:48:51 PDT 2005             Christian <christian@whoop.org>
+
+Clarification to the manual, after a question from Weidong.
+
+------------------------------------------------------------------------
+
+Fri Oct 14 18:05:39 PDT 2005             Christian <christian@whoop.org>
+
+Transparent reconnects should work again (took all *day*, argh -- I
+totally broke it with the connection sharing stuff). Try broping while
+occasionally stopping and restarting the Bro side.
+
+Fixed a number of memleaks -- broping is now leak-free according to
+valgrind.
+
+Clarifications in the debugging output.
+
+------------------------------------------------------------------------
+
+Fri Oct 14 12:07:10 PDT 2005             Christian <christian@whoop.org>
+
+Added documentation for the new user data argument to
+bro_event_registry_add().
+
+------------------------------------------------------------------------
+
+Fri Oct 14 11:48:00 PDT 2005             Christian <christian@whoop.org>
+
+Added user data to event handler callbacks. This is necessary for
+example when using class members in C++ as callbacks since the object
+needs to be provided at the time of dereferencing. It's also easier to
+use than the existing bro_conn_{set,get}_data() mechanism.
+
+Updated documentation with more details on the broccoli-config script.
+
+------------------------------------------------------------------------
+
+Thu Oct 13 15:08:56 PDT 2005             Christian <christian@whoop.org>
+
+When supporting packets (the default), check whether pcap.h actually
+exists. This has thus far just been assumed. We don't actually use
+the library, so there's no need to test for it.
+
+------------------------------------------------------------------------
+
+Mon Oct 10 20:37:15 PDT 2005             Christian <christian@whoop.org>
+
+Changed bro_record_get_named_val() and bro_record_get_nth_val() to
+return a pointer to the queried value directly, instead of through
+a pointer argument. These arguments' type used to be void* though it
+should really be void**, but switching to void** causes lots of warnings
+with current GCCs ('dereferencing type-punned pointer will break
+strict-aliasing rules'). NULL is perfectly usable as an error indicator
+here, and thus used from now on. Updated manual, broping, and broconn
+accordingly.
+
+------------------------------------------------------------------------
+
+Tue Sep 20 17:19:58 PDT 2005             Christian <christian@whoop.org>
+
+Fixed a varargs buglet that is tolerated on Linux but not BSD. Pointed
+out by Scott Campbell.
+
+------------------------------------------------------------------------
+
+Fri Sep  9 18:48:54 PDT 2005             Christian <christian@whoop.org>
+
+Support for textual tags on packets, also an upgrade to more complex
+handshake procedure that allows for synchronization of state (Robin
+Sommer).
+
+Note: as of this change, at least Bro 1.0a2 is required.
+
+------------------------------------------------------------------------
+
+Wed Aug 10 01:36:47 BST 2005             Christian <christian@whoop.org>
+
+Fixed my insecure usage of snprintf.
+
+------------------------------------------------------------------------
+
+Tue Jul 19 10:11:49 PDT 2005             Christian <christian@whoop.org>
+
+Forgot to include broconn's policy file in the distribution.
+
+------------------------------------------------------------------------
+
+Mon Jul 18 16:34:22 PDT 2005             Christian <christian@whoop.org>
+
+Fixed a bug that caused the lookup of record fields by name to fail.
+
+------------------------------------------------------------------------
+
+Fri Jul  1 00:44:49 BST 2005             Christian <christian@whoop.org>
+
+The sequence of tests determining which config file to read from
+failed to fall back properly to the global config file in case of
+incorrect user permissions. Fixed.
+
+------------------------------------------------------------------------
+
+Mon Jun 27 19:34:56 PDT 2005             Christian <christian@whoop.org>
+
+Added bro_buf_reset() to the user-visible API.
+
+------------------------------------------------------------------------
+
+Mon Jun 27 17:58:53 PDT 2005             Christian <christian@whoop.org>
+
+When a configuration item cannot be found in the current config file
+section, a lookup is also attempted in the default section (the one
+at the top of the file, before any sections are defined). This allows
+the sections to override the default section, which is what one would
+expect.
+
+------------------------------------------------------------------------
+
+Mon Jun 27 14:43:56 PDT 2005             Christian <christian@whoop.org>
+
+Debugging output tweak. When providing the SSL cert passphrase via
+the config file, do no longer report it in the debugging output.
+
+------------------------------------------------------------------------
+
+Mon Jun 27 12:33:52 PDT 2005             Christian <christian@whoop.org>
+
+Cosmetics in the debugging output of __bro_openssl_write().
+
+------------------------------------------------------------------------
+
+Fri Jun 24 18:13:49 PDT 2005             Christian <christian@whoop.org>
+
+Added --build flag to broccoli-config. It reports various details
+about the build, for example whether debugging support was compiled in.
+
+------------------------------------------------------------------------
+
+Fri Jun 24 10:37:23 PDT 2005             Christian <christian@whoop.org>
+
+I'm adding a little test app that subscribes to a few connection
+events and prints out the fields of the received connection records,
+both for testing and code demonstration purposes. So far it has
+highlighted a bug in Bro that occurs when a remote app is a pure
+requester of events and not sending anything. Fix pending.
+
+------------------------------------------------------------------------
+
+Mon Jun 20 18:21:24 PDT 2005             Christian <christian@whoop.org>
+
+Show the names of requested events in the debugging output -- it
+had to be deciphered from the hex string which isn't that much fun.
+
+------------------------------------------------------------------------
+
+Thu Jun 16 14:02:59 PDT 2005             Christian <christian@whoop.org>
+
+Better documentation of how to extract record fields.
+
+------------------------------------------------------------------------
+
+Thu Jun 16 11:51:02 PDT 2005             Christian <christian@whoop.org>
+
+- Added bro_string_get_data() and bro_string_get_length() to avoid
+making people access BroString's internal fields directly.
+
+- Moved BroString's internal storage format to uchar*.
+
+------------------------------------------------------------------------
+
+Sun Jun 12 19:17:31 PDT 2005             Christian <christian@whoop.org>
+
+Debugging output now shows the correct function and line numbers again.
+I had accidentially moved __FUNCTION__ and __LINE__ into bro_debug.c :(
+
+------------------------------------------------------------------------
+
+Fri Jun  3 15:00:48 PDT 2005             Christian <christian@whoop.org>
+
+I broke the sanity checks for semaphore initialization when I moved
+the semaphore structures to shared memory. Fixed.
+
+------------------------------------------------------------------------
+
+Mon May 16 22:25:41 PDT 2005             Christian <christian@whoop.org>
+
+- Debugging output now goes to stderr instead of stdout. That keeps it
+out of the way if an instrumented app dups() stdout to another file
+descriptor.
+- Debugging output is now disabled by default (even when compiled in),
+so it needs to be enabled explicitly in the code or in the config file.
+
+------------------------------------------------------------------------
+
+Fri May 13 18:24:23 PDT 2005             Christian <christian@whoop.org>
+
+Synchronization fixes and minor cleanups.
+
+- Unsuccessful connection attempts to remote Bros in combination with
+connection sharing caused the caller to hang indefinitely. This should
+now be fixed, but required some fairly intricate tweaks to the locking
+constructs. Still needs more testing.
+
+- Bumped version to 0.8.
+
+------------------------------------------------------------------------
+
+Fri May  6 23:09:29 BST 2005             Christian <christian@whoop.org>
+
+This is the 0.7.1 release.
+
+------------------------------------------------------------------------
+
+Fri May  6 14:44:53 PDT 2005             Christian <christian@whoop.org>
+
+Documentation for shareable connection handles.
+
+------------------------------------------------------------------------
+
+Fri May  6 12:11:17 PDT 2005             Christian <christian@whoop.org>
+
+Build fixlets.
+
+- Don't only test for the first of the documentation extraction tools,
+but also for those used later on.
+
+- Few more signedness warnings fixed.
+
+------------------------------------------------------------------------
+
+Wed May  4 18:33:40 PDT 2005             Christian <christian@whoop.org>
+
+Fixed a whole bunch of signedness warnings reported by gcc 4 on MacOS
+10.4. Thanks to Roger for the quick reply.
+
+------------------------------------------------------------------------
+
+Wed May  4 17:41:40 PDT 2005             Christian <christian@whoop.org>
+
+Fix for a little-endian bug that I managed to introduce when testing on
+Solaris ... *sigh* :(
+
+------------------------------------------------------------------------
+
+Wed May  4 17:30:07 PDT 2005             Christian <christian@whoop.org>
+
+A number of portability fixes after testing the build on Linux, FreeBSD
+and Solaris.
+
+------------------------------------------------------------------------
+
+Mon May  2 20:17:04 PDT 2005             Christian <christian@whoop.org>
+
+Fixed an obvious bug the config file parser. I'm baffled as to how it
+could go unnoticed for so long.
+
+------------------------------------------------------------------------
+
+Mon May  2 20:11:25 PDT 2005             Christian <christian@whoop.org>
+
+Portability fixes.
+
+- Use -pthread (not -lpthread) in both the --cflags and --libs options
+to broccoli-config, if required. -lpthread does not work on BSDs, where
+-pthread has different effects on the linker.
+
+- s/System V/SYSV/ in configure script output for consistency.
+
+- Bumped version to 0.7.1.
+
+It should build correctly on BSDs and Linux now. Still need to check
+whether synchronization actually works on the BSDs.
+
+------------------------------------------------------------------------
+
+Fri Apr 29 23:12:01 BST 2005             Christian <christian@whoop.org>
+
+If the configure script determines we need -lpthread, it's a good idea
+to actually reflect that in broccoli-config.
+
+------------------------------------------------------------------------
+
+Fri Apr 29 22:36:26 BST 2005             Christian <christian@whoop.org>
+
+Fix for SYSV semaphores pointed out by Craig Leres -- I completely
+forgot to test the SYSV stuff before the release. *sigh*.
+
+------------------------------------------------------------------------
+
+Thu Apr 28 13:46:57 BST 2005             Christian <christian@whoop.org>
+
+- This is the 0.7 release.
+
+------------------------------------------------------------------------
+
+Thu Apr 28 13:43:44 BST 2005             Christian <christian@whoop.org>
+
+RPM spec file fixlet.
+
+------------------------------------------------------------------------
+
+Wed Apr 27 18:04:57 BST 2005             Christian <christian@whoop.org>
+
+Preparations for the 0.7 release.
+
+------------------------------------------------------------------------
+
+Wed Mar 16 18:34:27 GMT 2005             Christian <christian@whoop.org>
+
+I think shared connections w/ SSL work. :) They key aspects are
+
+- We want to be able to use a single connection handle in arbitrary
+process/thread scenarios: in sshd, a single handle created in the
+listening process should work in all forked children (right now I'm
+created separate ones in each child, yuck), in Apache it should work
+in all servicing threads (creating a separate connection in each
+servicing thread would be far too costly), etc.
+
+- However, all SSL I/O on a single BIO must happen in the same *thread*
+according to openssl-users -- same process seems intuitive because of
+cipher streams etc; why it's per thread I don't know.
+
+The approach is now as follows: when a connection handle is marked as
+shareable, an I/O handler process is forked off during handle setup
+that processes all I/O for a single connection handle exclusively.
+Data are processed through separate tx/rx buffers that live in shared
+memory and are protected by semaphores. Additionally, a number of
+fields in the connection handle also live in shared memory so can be
+used to send back and forth messages etc. By using global semaphores as
+condition variables, rx/tx requests are dispatched to the I/O handler
+process. Therefore this should work for all multi-process/thread
+scenarios in which processes/threads are created after the connection
+handle is set up.
+
+This all is transparent when a connection is not marked shareable. The
+main optimization left to do now is to make the locking more fine-
+grained -- a throughput comparison is going to be interesting...
+
+I haven't tried transparent reconnects again; I'd presume I managed
+to break them in the process.
+
+------------------------------------------------------------------------
+
+Mon Mar 14 17:31:17 GMT 2005             Christian <christian@whoop.org>
+
+- Lots of work on shared connection handles. This is going to take a
+while to work robustly. For now steer clear of BRO_CFLAG_SHAREABLE.
+
+- Fixed wrong ordering of semaphore locks in __bro_io_msg_queue_flush().
+
+- The connection hack to work around OpenSSL's 'temporary unavailable'
+beliefs is now only used when the problem occurs, namely during
+reconnects.
+
+- Fixed a bug in the Posix version of __bro_sem_new() that prevented
+processes from creating more than one different semaphores. Doh.
+
+- Bumped BRO_DATA_FORMAT_VERSION to 9, to sync up with Bro tree.
+
+- Added __bro_sem_get(), returning the current value of a sempahore,
+with implementations for Posix + SYSV.
+
+- Lots of calltracing added.
+
+------------------------------------------------------------------------
+
+Mon Mar 14 10:24:54 GMT 2005             Christian <christian@whoop.org>
+
+Code for shared connection handles with SSL enabled. Pretty much done,
+but needs a lot of testing now.
+
+------------------------------------------------------------------------
+
+Sat Mar 12 18:13:58 GMT 2005             Christian <christian@whoop.org>
+
+Beginning of support for sharing connection handles for SSL-enabled
+connections. Since supporting this is complex, it will be optional,
+and enabled by using the new BRO_CFLAG_SHAREABLE connection flag.
+
+------------------------------------------------------------------------
+
+Fri Mar 11 14:50:23 GMT 2005             Christian <christian@whoop.org>
+
+Move to AC_PROG_LIBTOOL.
+
+------------------------------------------------------------------------
+
+Fri Mar 11 14:33:57 GMT 2005             Christian <christian@whoop.org>
+
+Portability and robustness fixes.
+
+- auto* calls in autgen.sh are now checked for success and cause the
+script to abort on error.
+- Instead of trying to figure out what libraries the various OSs need
+in order to be able to use Posix semaphors, I'm now attempting to use
+the -pthread flag directly. If that fails, we just fall back to SYSV
+semaphores.
+- All semaphore + shmem implementations are now included in the tarball,
+the point is to include them selectively in the *build*.
+- Stevens' ifdef magic for union semun doesn't work on at least OpenBSD
+so I'm using the BSD_HOST macro from config.h now.
+- Apparently AM_PROG_LIBTOOL causes some people trouble so we need to
+check how to get that working realiably :(
+
+------------------------------------------------------------------------
+
+Mon Feb 21 14:45:51 GMT 2005             Christian <christian@whoop.org>
+
+- Partial-write bugfix. When we succeed only partially in writing out
+a message, report success, not failure. Failure is handled by queuing
+the message for later transmission, but we have already sent it
+partially and the rest is still stuck in the output buffer, so if we
+queue it again, it'll get sent at least twice.
+
+I had noticed that out of 100000 events sent by 100 processes in
+parallel, typically around 100020 arrived :)
+
+------------------------------------------------------------------------
+
+Sat Feb 19 21:04:46 GMT 2005             Christian <christian@whoop.org>
+
+- Lots of synchronization work. This generally seems to work now! :) It
+required one major addition: support for shared memory. The problem is
+that if multiple threads/processes attempt to write at the same time
+and one write succeeds only partially, then *whichever* thread/process
+gets to write next needs to write out the rest before writing any new
+messages. The only alternative is to have write operations block until
+entire messages are sent, which seems dangerous from an instrumentation
+point of view. To share the remaining message data, shared memory is
+required: both the tx and rx buffers now operate in shared memory and
+are protected by semaphores. The current implementation uses SYSV shared
+memory.
+
+I think shared memory is a good idea in general; for example it could be
+used during instrumentation to get information from one corner of an app
+to another without changing the application's structure. I don't think
+we'll need  this right away, but it's nice to have a possible technique
+for it.
+
+- bro_disconnect() is now more tricky to use than before: if you use
+it in a parallel setting, you *must* call it from the same process that
+called bro_connect() and you must do so *after* all the other processes
+have finished using the connection (typically this is not hard to do, so
+I think we can live with that).
+
+The reason is that semaphores + shared memory need to be uninstalled
+specifically and I haven't yet figured out a way to automate reference
+counting so that the last thread/process using a connection could do
+this automatically. It would be very cool if the functions that are
+used for deinstallation could be asked to fail while the IPC objects are
+still in use, but that's not the case.
+
+- You can still build the whole thing without semaphores or shared mem
+and it'll work for single-threaded apps. The configure script now issues
+a warning if not all tools required for stable parallel operation can be
+found.
+
+- Added bro_event_queue_length_max() to allow applications to find out
+the maximum queue length before messages will get dropped. brohose uses
+this to wait until the queue gets half full before insisting on a flush.
+
+------------------------------------------------------------------------
+
+Fri Feb 18 17:14:40 GMT 2005             Christian <christian@whoop.org>
+
+- SYSV semaphore implementation. Configure checks are included
+and work as follows: if both Posix + SYSV semaphores are found,
+Posix are preferred, however the user can override this by passing
+--disable-posix-semaphores. Semaphores are still not actually used.
+
+
+------------------------------------------------------------------------
+
+Thu Feb 17 22:24:12 GMT 2005             Christian <christian@whoop.org>
+
+- First shot at semaphore support. Checking for Posix named semaphores
+and making sure they actually work at configure time was the hardest
+part; actual semaphore code untested and still unused. No ifdefs
+anywhere :)
+
+------------------------------------------------------------------------
+
+Thu Feb 17 20:06:00 GMT 2005             Christian <christian@whoop.org>
+
+- Incompletely sent chunks are now recognized and remaining parts are
+shipped as soon as possible: repeated brohose -n 1 -e 1000 runs do not
+take out Bro any more. :)
+
+------------------------------------------------------------------------
+
+Thu Feb 17 19:21:15 GMT 2005             Christian <christian@whoop.org>
+
+- Added "brohose", which lets you hose a Bro with events by forking a
+configurable number of processes, and having each process pump out an
+event a configurable number of times as fast as possible. This is meant
+as both a stress-testing tool for the protocol as well as obviously for
+the synchronization stuff that'll go into Broccoli soon.
+
+------------------------------------------------------------------------
+
+Wed Feb 16 17:40:47 GMT 2005             Christian <christian@whoop.org>
+
+- Documentation for the configuration options for debugging output.
+
+------------------------------------------------------------------------
+
+Thu Feb 10 11:39:57 GMT 2005             Christian <christian@whoop.org>
+
+- Changed bro_event_queue_empty() to bro_event_queue_length(),
+which is more useful in general and can be used to find out
+whether the queue is empty, too.
+
+------------------------------------------------------------------------
+
+Tue Feb  8 14:45:58 GMT 2005             Christian <christian@whoop.org>
+
+- This is release 0.6.
+
+------------------------------------------------------------------------
+
+Mon Feb  7 14:54:15 GMT 2005             Christian <christian@whoop.org>
+
+- Additional byte swaps for IP addresses + subnets for compatibility
+with Bro.
+
+------------------------------------------------------------------------
+
+Sun Feb  6 23:55:07 GMT 2005             Christian <christian@whoop.org>
+
+- Debugging output can now be configured from the config file,
+using the /broccoli/debug_messages and /broccoli/debug_calltrace
+config items.
+
+------------------------------------------------------------------------
+
+Tue Feb  1 21:34:17 GMT 2005             Christian <christian@whoop.org>
+
+- During handshake, data format compatibility is now confirmed as well
+as matching protocol version.
+
+------------------------------------------------------------------------
+
+Tue Feb  1 21:04:43 GMT 2005             Christian <christian@whoop.org>
+
+- Initial commit of support for sending/receiving libpcap packets.
+Totally untested, and not documented yet. More on this once support
+for packets is committed into the Bro tree.
+
+------------------------------------------------------------------------
+
+Tue Feb  1 18:39:02 GMT 2005             Christian <christian@whoop.org>
+
+- Transparent reconnects now also work for non-SSL connections. I was
+just lucky that the SSL handshake prevented the same problem from
+occurring in the SSL-enabled case. Two fixes were necessary:
+
+ 1) a separate attempt to connect to the peer that I have full control
+    over, and
+ 2) a fixlet in queue management that caused the event that
+    triggers the reconnect to be sent before any handshake information
+    for the new connection, thus causing a connection teardown by the
+    Bro end because the version number was not seen at the right time.
+
+
+------------------------------------------------------------------------
+
+Mon Jan 31 19:38:36 GMT 2005             Christian <christian@whoop.org>
+
+- Fixed a few spots where D_ENTER was not balanced with D_RETURN
+- Added an int-to-string table for message types, for debugging
+- Added a flag to the connection structure that prevents reconnect
+attempts while one is already in progress
+- Made io_msg_queue() private to bro_io.c because it was only called
+from there.
+
+------------------------------------------------------------------------
+
+Fri Jan 28 12:35:03 GMT 2005             Christian <christian@whoop.org>
+
+- Changed the error semantics of in __bro_io_msg_queue() so that queuing
+a message after failure to send is not a failure. This fixes an issue
+with handshake completion that I have observed with broping across
+different machines, where events could still get lost despite explicit
+request to complete the handshake.
+
+------------------------------------------------------------------------
+
+Sun Jan 16 20:45:42 GMT 2005             Christian <christian@whoop.org>
+
+- Serialization/Unserialization for ports fixed, support for ICMP ports.
+
+------------------------------------------------------------------------
+
+Sat Jan 15 13:58:16 GMT 2005             Christian <christian@whoop.org>
+
+- Sending and receiving IP addresses and subnets was broken, fixed now.
+- Fixed a small memleak when first-time connection setup fails.
+
+------------------------------------------------------------------------
+
+Thu Jan 13 21:03:45 GMT 2005             Christian <christian@whoop.org>
+
+- When using reconnects, Broccoli will now not attempt to reconnect
+more than once every 5s.
+
+------------------------------------------------------------------------
+
+Thu Jan 13 20:43:13 GMT 2005             Christian <christian@whoop.org>
+
+- Added connection flag BRO_CFLAG_ALWAYS_QUEUE that causes events
+always to be queued in the connection's event queue regardless of
+whether the peer is currently dead or not.
+
+- Moved the test of whether the peer requested an event that is
+about to be sent or not to the point where the event actually is
+about to be sent, from the point where it is requested to be sent.
+The difference is that now an event will get silently dropped on
+the floor if after a connection outage and a reconnect, a change
+in the events requested from the peer will prevent the old queued
+events to be sent anyway, even if they are no longer requested.
+
+------------------------------------------------------------------------
+
+Wed Jan 12 20:46:10 GMT 2005             Christian <christian@whoop.org>
+
+- Added support for transparent reconnects for broken connections.
+When using BRO_CFLAG_RECONNECT, Broccoli now attempts to reconnect
+whenever a peer died and the user tries to read from or write to
+the peer. This can aways be triggered manually using
+bro_reconnect().
+
+- Added bro_conn_alive() to determine if a connection is currently
+alive or not.
+
+------------------------------------------------------------------------
+
+Tue Jan 11 17:33:51 GMT 2005             Christian <christian@whoop.org>
+
+- Added connection flags parameter to bro_connect() and
+bro_connect_str(): BRO_CFLAG_COMPLETE_HANDSHAKE completes
+the handshake right away before returning from bro_connect()/
+bro_connect_str(), and BRO_CFLAG_RECONNECT still needs to be
+implemented. Documentation updated accordingly.
+
+------------------------------------------------------------------------
+
+Sat Jan  8 21:07:30 CET 2005             Christian <christian@whoop.org>
+
+- Allow empty (or comments-only) configuration files.
+
+------------------------------------------------------------------------
+
+Sat Jan  8 20:52:56 CET 2005             Christian <christian@whoop.org>
+
+- Fixed the home directory lookup via getpwent() -- now correctly looks
+up the entry of the current effective user. Doh.
+
+- Beginning of code for connection flags to use when creating a
+connection, for example for handshake behaviour, automatic reconnection
+attempts, etc.
+
+------------------------------------------------------------------------
+
+Tue Jan  4 23:28:59 CET 2005             Christian <christian@whoop.org>
+
+- constness fixes for functions that accept values for events and
+record fields.
+
+------------------------------------------------------------------------
+
+Tue Jan  4 22:07:35 CET 2005             Christian <christian@whoop.org>
+
+- Encrpyted connections now extract as much data as possible from
+the underlying buffer by calling BIO_read() optimistically.
+
+- For encrypted connections, the passphrase for the certificate's
+private key can now be specified in the configuration file using key
+"/broccoli/host_pass".
+
+- Added support for the handshake message in the Bro protocol.
+
+- If the ca_cert or host_cert keys are found in the config file, but
+there is a problem loading the crypto files, don't attempt to connect.
+
+- Completed documentation on encrypted communication, explaining the
+use of ca-create and ca-issue.
+
+- Fixed several bugs in the handling of sections in config files.
+Matching of domain names is now case-insensitive.
+
+- The ~/.broccoli.conf file is now only used when it is readable only
+by the user owning it.
+
+- More robustness for corner cases of buffer sizes.
+
+- Fixed a bug in sending messages that consist of only a single chunk
+(like the handshake message).
+
+- The library now attempts to initialize the random number generator
+in OpenSSL from /dev/random if possible.
+
+------------------------------------------------------------------------
+
+Fri Dec 24 11:58:08 CET 2004             Christian <christian@whoop.org>
+
+- If the ca_cert or host_cert keys are found in the config file, but
+there is a problem loading the crypto files, don't attempt to connect.
+
+- Completed documentation on encrypted communication, explaining the
+use of ca-create and ca-issue.
+
+- Fixed several bugs in the handling of sections in config files.
+
+------------------------------------------------------------------------
+
+Thu Dec 23 14:33:56 GMT 2004             Christian <christian@whoop.org>
+
+- Added sections support for configuration files. Sections can be 
+declared at arbitrary points in the config file, using the same syntax
+as in OpenSSL config files. There can be a global section at the
+beginning of the file, before the first declared sections. Sections are
+selected using bro_conf_set_domain().
+
+- Support for a per-user config file in ~/.broccoli.conf. This does
+not override settings in the global config file but completely replaces
+it, i.e., when the user-specific file is found, the global one is
+ignored.
+
+- Added bro_conn_await_handshake() that blocks for limitable amount of
+time, waiting for the handshake of a new Bro connection to complete.
+This still needs some fixing, but is definitely necessary to prevent
+weird races from occurring when a client tries to use a new connection
+that has not yet been established completely.
+
+- Test applications are now linked to static libraries. This will
+hopefully keep the build more portable.
+
+- Use of LFLAGS and YFLAGS moved to AM_LFLAGS and AM_YFLAGS, given the
+warnings issued when using automake 1.9.
+
+- First shot at fixing the buffer flushing issues I see when using 
+encrypted connections.
+
+------------------------------------------------------------------------
+
+Fri Dec 10 16:31:26 GMT 2004             Christian <christian@whoop.org>
+
+- Added + fixed OpenSSL code to support encrypted communication.
+- Added OpenSSL as requirement to spec file.
+- Changed broping policies to always use the same port
+- Updated broccoli.conf: added keys for the CA's and the host's cert.
+	
+------------------------------------------------------------------------
+
+Thu Dec  9 14:59:24 GMT 2004             Christian <christian@whoop.org>
+
+- Build fixes in case documentation tools are not found
+- Documentation polishing -- only SSL setup section todo still.
+
+------------------------------------------------------------------------
+
+Thu Dec  9 00:48:05 GMT 2004             Christian <christian@whoop.org>
+
+- Final documentation passes for the 0.6 release.
+
+------------------------------------------------------------------------
+
+Mon Dec  6 17:18:55 GMT 2004             Christian <christian@whoop.org>
+
+- More documentation, explaining the data types, records, Bro policy
+configuration, started section on SSL setup (copied from Robin right
+now), and minor fixes.
+
+------------------------------------------------------------------------
+
+Mon Dec  6 15:17:05 GMT 2004             Christian <christian@whoop.org>
+
+- Added spec file for building RPMs -- seems to work
+- Aest policies are now installed in $prefix/share/broccoli
+
+------------------------------------------------------------------------
+
+Mon Dec  6 00:22:02 GMT 2004             Christian <christian@whoop.org>
+
+- Dropped the ..._raw() functions for records. These won't be used
+internally ever. Their implementation moved to bro.c, and only the high-
+level code remained in bro_record.c.
+
+- Added bro_event_set_val() to replace a val in an existing event.
+There's not much use in resending an existing event unless it is
+identical, which is not that useful. High-level code is in
+__bro_event_set_val().
+
+- Made it more clear in the comments explaining the
+bro_record_get_..._val() functions that the "result" argument must
+actually be the address of a pointer. (void * as argument type means
+that the compiler does not issue a warning when passing in, say, a
+double * -- but it would do so if we would use void **.)
+
+------------------------------------------------------------------------
+
+Sun Dec  5 22:05:53 GMT 2004             Christian <christian@whoop.org>
+
+- Updates to the cvs wrapper script: surround with date and name
+only in the ChangeLog, not in the commit message itself.
+
+------------------------------------------------------------------------
+
+Sun Dec  5 02:15:29 GMT 2004             Christian <christian@whoop.org>
+
+- Fixed a bug in __bro_val_clone(): forgot to handle BRO_INTTYPE_OTHER.
+
+- Changed --enable-debugging flag to --enable-debug, for consistency
+with the Bro tree.
+
+- Fixed bugs in several cloning implementations that didn't call the
+parent's implementation.
+
+------------------------------------------------------------------------
+
+Sun Dec  5 01:40:52 GMT 2004             Christian <christian@whoop.org>
+
+- Added __bro_event_copy() to clone events internally.
+
+- Events are now duplicated in __bro_io_event_queue() before they're
+sent so the user's event remains unaffected (and thus could be sent
+repeatedly etc).
+
+- Extensive pass over the documentation; still a good deal to do.
+
+------------------------------------------------------------------------
+
+Sat Dec  4 03:09:05 GMT 2004             Christian <christian@whoop.org>
+
+More work on documentation, much is outdated now.
+
+------------------------------------------------------------------------
+
+Sat Dec  4 02:05:30 GMT 2004             Christian <christian@whoop.org>
+ 
+- Started a ChangeLog. No detailed ChangeLog information was kept
+previous to this commit.
+ 
+------------------------------------------------------------------------
diff --git a/aux/broccoli/INSTALL b/aux/broccoli/INSTALL
new file mode 100644
index 0000000000..b42a17ac46
--- /dev/null
+++ b/aux/broccoli/INSTALL
@@ -0,0 +1,182 @@
+Basic Installation
+==================
+
+   These are generic installation instructions.
+
+   The `configure' shell script attempts to guess correct values for
+various system-dependent variables used during compilation.  It uses
+those values to create a `Makefile' in each directory of the package.
+It may also create one or more `.h' files containing system-dependent
+definitions.  Finally, it creates a shell script `config.status' that
+you can run in the future to recreate the current configuration, a file
+`config.cache' that saves the results of its tests to speed up
+reconfiguring, and a file `config.log' containing compiler output
+(useful mainly for debugging `configure').
+
+   If you need to do unusual things to compile the package, please try
+to figure out how `configure' could check whether to do them, and mail
+diffs or instructions to the address given in the `README' so they can
+be considered for the next release.  If at some point `config.cache'
+contains results you don't want to keep, you may remove or edit it.
+
+   The file `configure.in' is used to create `configure' by a program
+called `autoconf'.  You only need `configure.in' if you want to change
+it or regenerate `configure' using a newer version of `autoconf'.
+
+The simplest way to compile this package is:
+
+  1. `cd' to the directory containing the package's source code and type
+     `./configure' to configure the package for your system.  If you're
+     using `csh' on an old version of System V, you might need to type
+     `sh ./configure' instead to prevent `csh' from trying to execute
+     `configure' itself.
+
+     Running `configure' takes awhile.  While running, it prints some
+     messages telling which features it is checking for.
+
+  2. Type `make' to compile the package.
+
+  3. Optionally, type `make check' to run any self-tests that come with
+     the package.
+
+  4. Type `make install' to install the programs and any data files and
+     documentation.
+
+  5. You can remove the program binaries and object files from the
+     source code directory by typing `make clean'.  To also remove the
+     files that `configure' created (so you can compile the package for
+     a different kind of computer), type `make distclean'.  There is
+     also a `make maintainer-clean' target, but that is intended mainly
+     for the package's developers.  If you use it, you may have to get
+     all sorts of other programs in order to regenerate files that came
+     with the distribution.
+
+Compilers and Options
+=====================
+
+   Some systems require unusual options for compilation or linking that
+the `configure' script does not know about.  You can give `configure'
+initial values for variables by setting them in the environment.  Using
+a Bourne-compatible shell, you can do that on the command line like
+this:
+     CC=c89 CFLAGS=-O2 LIBS=-lposix ./configure
+
+Or on systems that have the `env' program, you can do it like this:
+     env CPPFLAGS=-I/usr/local/include LDFLAGS=-s ./configure
+
+Compiling For Multiple Architectures
+====================================
+
+   You can compile the package for more than one kind of computer at the
+same time, by placing the object files for each architecture in their
+own directory.  To do this, you must use a version of `make' that
+supports the `VPATH' variable, such as GNU `make'.  `cd' to the
+directory where you want the object files and executables to go and run
+the `configure' script.  `configure' automatically checks for the
+source code in the directory that `configure' is in and in `..'.
+
+   If you have to use a `make' that does not supports the `VPATH'
+variable, you have to compile the package for one architecture at a time
+in the source code directory.  After you have installed the package for
+one architecture, use `make distclean' before reconfiguring for another
+architecture.
+
+Installation Names
+==================
+
+   By default, `make install' will install the package's files in
+`/usr/local/bin', `/usr/local/man', etc.  You can specify an
+installation prefix other than `/usr/local' by giving `configure' the
+option `--prefix=PATH'.
+
+   You can specify separate installation prefixes for
+architecture-specific files and architecture-independent files.  If you
+give `configure' the option `--exec-prefix=PATH', the package will use
+PATH as the prefix for installing programs and libraries.
+Documentation and other data files will still use the regular prefix.
+
+   In addition, if you use an unusual directory layout you can give
+options like `--bindir=PATH' to specify different values for particular
+kinds of files.  Run `configure --help' for a list of the directories
+you can set and what kinds of files go in them.
+
+   If the package supports it, you can cause programs to be installed
+with an extra prefix or suffix on their names by giving `configure' the
+option `--program-prefix=PREFIX' or `--program-suffix=SUFFIX'.
+
+Optional Features
+=================
+
+   Some packages pay attention to `--enable-FEATURE' options to
+`configure', where FEATURE indicates an optional part of the package.
+They may also pay attention to `--with-PACKAGE' options, where PACKAGE
+is something like `gnu-as' or `x' (for the X Window System).  The
+`README' should mention any `--enable-' and `--with-' options that the
+package recognizes.
+
+   For packages that use the X Window System, `configure' can usually
+find the X include and library files automatically, but if it doesn't,
+you can use the `configure' options `--x-includes=DIR' and
+`--x-libraries=DIR' to specify their locations.
+
+Specifying the System Type
+==========================
+
+   There may be some features `configure' can not figure out
+automatically, but needs to determine by the type of host the package
+will run on.  Usually `configure' can figure that out, but if it prints
+a message saying it can not guess the host type, give it the
+`--host=TYPE' option.  TYPE can either be a short name for the system
+type, such as `sun4', or a canonical name with three fields:
+     CPU-COMPANY-SYSTEM
+
+See the file `config.sub' for the possible values of each field.  If
+`config.sub' isn't included in this package, then this package doesn't
+need to know the host type.
+
+   If you are building compiler tools for cross-compiling, you can also
+use the `--target=TYPE' option to select the type of system they will
+produce code for and the `--build=TYPE' option to select the type of
+system on which you are compiling the package.
+
+Sharing Defaults
+================
+
+   If you want to set default values for `configure' scripts to share,
+you can create a site shell script called `config.site' that gives
+default values for variables like `CC', `cache_file', and `prefix'.
+`configure' looks for `PREFIX/share/config.site' if it exists, then
+`PREFIX/etc/config.site' if it exists.  Or, you can set the
+`CONFIG_SITE' environment variable to the location of the site script.
+A warning: not all `configure' scripts look for a site script.
+
+Operation Controls
+==================
+
+   `configure' recognizes the following options to control how it
+operates.
+
+`--cache-file=FILE'
+     Use and save the results of the tests in FILE instead of
+     `./config.cache'.  Set FILE to `/dev/null' to disable caching, for
+     debugging `configure'.
+
+`--help'
+     Print a summary of the options to `configure', and exit.
+
+`--quiet'
+`--silent'
+`-q'
+     Do not print messages saying which checks are being made.  To
+     suppress all normal output, redirect it to `/dev/null' (any error
+     messages will still be shown).
+
+`--srcdir=DIR'
+     Look for the package's source code in directory DIR.  Usually
+     `configure' can determine that directory automatically.
+
+`--version'
+     Print the version of Autoconf used to generate the `configure'
+     script, and exit.
+
+`configure' also accepts some other, not widely useful, options.
diff --git a/aux/broccoli/Makefile.am b/aux/broccoli/Makefile.am
new file mode 100644
index 0000000000..0a3046a11b
--- /dev/null
+++ b/aux/broccoli/Makefile.am
@@ -0,0 +1,20 @@
+## Process this file with automake to produce Makefile.in
+
+SUBDIRS = src test docs bindings
+
+# When running distcheck, make sure we skip building documentation.
+#
+DISTCHECK_CONFIGURE_FLAGS = --disable-gtk-doc
+
+MAINTAINERCLEANFILES = Makefile.in aclocal.m4 config.guess \
+                       config.h.in config.sub configure install-sh \
+		       ltconfig ltmain.sh missing mkinstalldirs \
+		       stamp-h.in
+
+bin_SCRIPTS = broccoli-config
+dist_sysconf_DATA = broccoli.conf
+
+EXTRA_DIST = README AUTHORS COPYING depcomp ylwrap shtool \
+	compat/sys/queue.h broccoli.spec contrib \
+	autogen.sh
+
diff --git a/aux/broccoli/NEWS b/aux/broccoli/NEWS
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/aux/broccoli/README b/aux/broccoli/README
new file mode 100644
index 0000000000..d34833c367
--- /dev/null
+++ b/aux/broccoli/README
@@ -0,0 +1,66 @@
+
+			B  R  O  C  C  O  L  I
+
+		 The Bro Client Communications Library
+
+                        http://www.bro-ids.org
+
+________________________________________________________________________
+
+This package contains Broccoli, the Bro client communications library.
+It allows you to create client sensors for the Bro intrusion detection
+system. Broccoli can speak a good subset of the Bro communication
+protocol, in particular, it can receive Bro IDs, send and receive Bro
+events, and send and receive event requests to/from peering Bros. You
+can currently create and receive values of pure types like integers,
+counters, timestamps, IP addresses, port numbers, booleans, and strings.
+
+The library uses OpenSSL for encrypted communication. Other than that,
+the library has no other dependencies and has been tested on Linux, the
+BSDs, and Solaris. A Windows build has not currently been tried but
+is part of our future plans. If you succeed in building Broccoli on
+other platforms, let us know!
+
+To build, do the usual ./configure; make; make install routine. Here's
+a list of the current configure options:
+	
+  --enable-debug
+ 
+  This one enables lots of debugging output. Be sure to disable this
+  when using the library in a production environment! The output could
+  easily end up in undersired places when the stdout of the program
+  you've instrumented is used in other ways.
+
+  --with-configfile=FILE
+  
+  Broccoli can read key/value pairs from a config file. By default it
+  is located in the etc directory of the installation root (exception:
+  when using --prefix=/usr, /etc is used instead of /usr/etc). The
+  default config file name is broccoli.conf. Using --with-configfile,
+  you can override the location and name of the config file.
+
+To use the library in other programs & configure scripts, use the
+broccoli-config script. It gives you the necessary configuration flags
+and linker flags for your system, see --cflags and --libs.
+
+The API is contained in broccoli.h and pretty well documented. A few
+usage examples can be found in the test directory, in particular, the
+broping tool can be used to test event transmission and reception. Have
+a look at the policy file broping.bro for the events that need to be
+defined at the peering Bro. Try broping -h for a look at the available
+options.
+
+Broccoli knows two kinds of version numbers: the release version number
+(as in "broccoli-x.y.tar.gz", or as shipped with Bro) and the shared
+library API version number. The former relates to changes in the tree,
+the latter to compatibility changes in the API. You can see their
+correspondence in VERSION.
+
+Comments, feedback and patches are appreciated, please send them to
+the Bro mailing list at bro(at)bro-ids.org or directly to the author at
+christian (at) icir.org.
+
+						Enjoy!
+					        --Christian.
+________________________________________________________________________
+$Id: README 4043 2007-03-01 23:15:14Z kreibich $
diff --git a/aux/broccoli/TODO b/aux/broccoli/TODO
new file mode 100644
index 0000000000..10d875aac6
--- /dev/null
+++ b/aux/broccoli/TODO
@@ -0,0 +1,27 @@
+- Separate method pointers (i.e., the vtable) in the various classes into
+  separate "class" structs (think klass in Gtk). Right now these waste
+  space because they're allocated with every instance, but since they're
+  not used extensively it hasn't really been worth it so far.
+
+- The init methods must be allowed to fail. Currently allocations in that
+  method can fail but this failure can not be signaled to the caller.
+
+- Add an error variable so the user has a way to figure out what happened
+  when things go wrong.
+
+- Add support for at least a small number of expressions -- needed in
+  bro_attr.[ch].
+
+- Add support for tables/sets.
+
+- Add a server-suitable API, i.e., how can one write an application that
+  listens on a given port, using Broccoli.
+
+- When configure determined that lex+yacc exist, make clean doesn't clean
+  up the generated lexer/parser C files. I presume this is because I keep
+  them all in EXTRA_DIST. Ensure make clean removes the generated files
+  when we know we can regenerate them.
+
+- There's a segfault lurking in __bro_record_get_nth_val() with records
+  that don't have all members assigned to. Investigate whether dummy
+  val approach really works or whether it's a design flaw.
diff --git a/aux/broccoli/autogen.sh b/aux/broccoli/autogen.sh
new file mode 100755
index 0000000000..ef3e9188f5
--- /dev/null
+++ b/aux/broccoli/autogen.sh
@@ -0,0 +1,131 @@
+#!/bin/sh
+
+# Initialization script to set up the initial configuration files etc.
+# shtool usage inspired by the autogen script of the ferite scripting
+# language -- cheers Chris :)
+
+BLD_ON=`./shtool echo -n -e %B`
+BLD_OFF=`./shtool echo -n -e %b`
+
+LT=libtoolize
+DIE=0
+NAME=broccoli
+
+echo
+echo "             "${BLD_ON}"Broccoli Build Tools Setup"${BLD_OFF}
+echo "===================================================="
+echo
+echo "Checking whether we have all tools available ..."
+
+(autoconf --version) < /dev/null > /dev/null 2>&1 || {
+  echo
+  echo ${BLD_ON}"Error"${BLD_OFF}": You must have \`autoconf' installed to."
+  echo "Download the appropriate package for your distribution,"
+  echo "or get the source tarball at ftp://ftp.gnu.org/pub/gnu/"
+  DIE=1
+}
+
+($LT --version) < /dev/null > /dev/null 2>&1 || {
+  LT=glibtoolize
+
+  ($LT --version) < /dev/null > /dev/null 2>&1 || {
+    echo
+    echo ${BLD_ON}"Error"${BLD_OFF}": You must have \`libtool' installed."
+    echo "Download the appropriate package for your distribution,"
+    echo "or get the source tarball at ftp://ftp.gnu.org/pub/gnu/"
+    DIE=1
+  }
+}
+
+(automake --version) < /dev/null > /dev/null 2>&1 || {
+  echo
+  echo ${BLD_ON}"Error"${BLD_OFF}": You must have \`automake' installed."
+  echo "Get ftp://ftp.gnu.org/pub/gnu/automake-1.3.tar.gz"
+  echo "(or a newer version if it is available)"
+  DIE=1
+  NO_AUTOMAKE=yes
+}
+
+
+# if no automake, don't bother testing for aclocal
+test -n "$NO_AUTOMAKE" || (aclocal --version) < /dev/null > /dev/null 2>&1 || {
+  echo
+  echo ${BLD_ON}"Error"${BLD_OFF}": Missing \`aclocal'.  The version of \`automake'"
+  echo "installed doesn't appear recent enough."
+  echo "Get ftp://ftp.gnu.org/pub/gnu/automake-1.3.tar.gz"
+  echo "(or a newer version if it is available)"
+  DIE=1
+}
+
+if test "$DIE" -eq 1; then
+  exit 1
+fi
+
+echo "All necessary tools found."
+echo
+
+if [ -d autom4te.cache ] ; then
+    echo "Removing autom4te.cache ..."
+    rm -rf autom4te.cache
+fi
+
+echo
+echo "running "${BLD_ON}$LT${BLD_OFF}
+echo "----------------------------------------------------"
+$LT -c -f
+if [ $? -ne 0 ]; then
+    echo "*** ERROR($NAME), aborting."
+    exit 1
+fi
+
+echo
+echo "running "${BLD_ON}"aclocal"${BLD_OFF}
+echo "----------------------------------------------------"
+aclocal -I . $ACLOCAL_FLAGS
+if [ $? -ne 0 ]; then
+    echo "*** ERROR($NAME), aborting."
+    exit 1
+fi
+
+echo
+echo "running "${BLD_ON}"autoheader"${BLD_OFF}
+echo "----------------------------------------------------"
+autoheader
+if [ $? -ne 0 ]; then
+    echo "*** ERROR($NAME), aborting."
+    exit 1
+fi
+
+echo
+echo "running "${BLD_ON}"automake"${BLD_OFF}
+echo "----------------------------------------------------"
+automake -a -c
+if [ $? -ne 0 ]; then
+    echo "*** ERROR($NAME), aborting."
+    exit 1
+fi
+
+echo
+echo "running "${BLD_ON}"autoconf"${BLD_OFF}
+echo "----------------------------------------------------"
+autoconf
+if [ $? -ne 0 ]; then
+    echo "*** ERROR($NAME), aborting."
+    exit 1
+fi
+
+if ! test "x$BROBUILD" = xyes; then
+echo
+echo 
+echo "Setup finished. Now run:"
+echo
+echo "  $ "${BLD_ON}"./configure"${BLD_OFF}" (with options as needed, try --help)"
+echo
+echo "and then"
+echo
+echo "  $ "${BLD_ON}"make"${BLD_OFF}
+echo "  # "${BLD_ON}"make install"${BLD_OFF}
+echo
+echo "  (or use "${BLD_ON}"gmake"${BLD_OFF}" when make on your platform isn't GNU make)"
+echo
+fi
diff --git a/aux/broccoli/bindings/Makefile.am b/aux/broccoli/bindings/Makefile.am
new file mode 100644
index 0000000000..dfc9c49f30
--- /dev/null
+++ b/aux/broccoli/bindings/Makefile.am
@@ -0,0 +1,18 @@
+# While recursive inclusion is possible, this would include
+# *anything* found in there, which is not what we want. --cpk
+#
+EXTRA_DIST = \
+./python/README \
+./python/README.html \
+./python/TODO \
+./python/broccoli_intern.i \
+./python/broccoli_intern.py \
+./python/broccoli_intern_wrap.c \
+./python/broccoli.py \
+./python/Makefile \
+./python/setup.py \
+./python/tests \
+./python/tests/broping.py \
+./python/tests/broping-record.py \
+./python/tests/test.bro \
+./python/tests/test.py
diff --git a/aux/broccoli/bindings/python/Makefile b/aux/broccoli/bindings/python/Makefile
new file mode 100644
index 0000000000..35bfa53b1b
--- /dev/null
+++ b/aux/broccoli/bindings/python/Makefile
@@ -0,0 +1,18 @@
+# $Id$
+#
+# Makefile not need to build module. Use "python setup.py install" instead.
+
+CLEAN=build broccoli_intern_wrap.c broccoli_intern.py README.html *.pyc 
+
+all : doc broccoli_intern_wrap.c
+ 
+broccoli_intern_wrap.c :  broccoli_intern.i
+	swig -python -I../../src -o broccoli_intern_wrap.c broccoli_intern.i
+
+doc : README.html
+
+clean:
+	rm -rf $(CLEAN)
+
+README.html : README
+	-asciidoc -a toc -b xhtml11-custom README
diff --git a/aux/broccoli/bindings/python/README b/aux/broccoli/bindings/python/README
new file mode 100644
index 0000000000..d8b0b2f466
--- /dev/null
+++ b/aux/broccoli/bindings/python/README
@@ -0,0 +1,240 @@
+//	-*- AsciiDoc -*-
+Python Bindings for Broccoli
+============================
+
+Overview
+--------
+
+This Python module provides bindings for
+http://www.icir.org/christian/broccoli/index.html[Broccoli], Bro's
+client communication library. In general, the bindings provide the
+same functionality as Broccoli's C API. 
+
+Download
+--------
+
+Since Bro 1.4, a stable version of the Python module ships as part
+of the Bro distribution in +aux/broccoli/bindings/python+. 
+
+The most current development version is part of the Bro Subversion
+repository. To get it, use:
+
+   > svn checkout http://svn.icir.org/bro/trunk/bro/aux/broccoli/bindings/python
+
+Installation
+------------
+
+Installation of the Python module is pretty straight-forward. After
+Broccoli itself has been
+http://www.icir.org/christian/broccoli/manual/c55.html[installed],
+it follows the standard installation process for Python modules:
+
+    > python setup.py install
+
+Try the following to test the installation. If you do not see any
+error message, everything should be fine:
+
+    > python -c "import broccoli"
+    > 
+
+Usage
+-----
+
+The following examples demonstrate how to send and receive Bro
+events in Python. 
+
+The main challenge when using Broccoli from Python is dealing with
+the data types of Bro event parameters as there is no one-to-one
+mapping between Bro's types and Python's types. The Python modules
+automatically maps between those types which both systems provide
+(such as strings) and provides a set of wrapper classes for Bro
+types which do not have a direct Python equivalent (such as IP
+addresses). 
+
+Connecting to Bro
+~~~~~~~~~~~~~~~~~
+
+The following code sets up a connection from Python to a remote Bro
+instance (or another Broccoli) and provides a connection handle for
+further communication:
+
+     from broccoli import *
+     bc = Connection("127.0.0.1:47758")
+     
+An +IOError+ will be raised if the connection cannot be established. 
+
+Sending Events
+~~~~~~~~~~~~~~
+
+Once you have a connection handle +bc+ set up as shown above, you can
+start sending events:
+
+     bc.send("foo", 5, "attack!")
+
+This sends an event called +foo+ with two parameters, +5+ and
++attack!+. Broccoli operates asynchronously, i.e., events scheduled
+with +send()+ are not always sent out immediately but might be
+queued for later transmission. To ensure that all events get out
+(and incoming events are processed, see below), you need to call
++bc.processInput()+ regularly.
+
+Data Types
+~~~~~~~~~~
+
+In the example above, the types of the event parameters are
+automatically derived from the corresponding Python types: the first
+parameter (+5+) has the Bro type +int+ and the second one
+(+attack!+) has Bro type +string+. 
+
+For types which do not have a Python equivalent, the +broccoli+
+module provides wrapper classes which have the same names as the
+corresponding Bro types. For example, to send an event called +bar+
+with one +addr+ argument and one +count+ argument, you can write:
+
+     bc.send("bar", addr("192.168.1.1"), count(42))
+
+The following table summarizes the available atomic types and their
+usage.
+
+.Bro vs. Python types
+[grid="all"] 
+.---------.-----------.-------------------------- 
+Bro Type   Python Type   Example
+-------------------------------------------------
+addr                   +addr("192.168.1.1")+
+bool       bool        +True+
+count                  +count(42)+
+double     float       +3.14+             
+enum                   _Type currently not supported_
+int 	   int         +5+
+interval               +interval(60)+
+net                    _Type currently not supported_
+port	               +port("80/tcp")+
+string     string      +"attack!"+
+subnet                 +subnet("192.168.1.0/24")+
+time                   +time(1111111111.0)+
+-------------------------------------------------
+
+The +broccoli+ module also supports sending Bro records as event
+parameters. To send a record, you first define a record type. For
+example, a Bro record type
+
+    type my_record: record {
+        a: int;
+        b: addr;
+        c: subnet;
+    };
+    
+turns into Python as
+
+    my_record = record_type("a", "b", "c")
+  
+As the example shows, Python only needs to know the attribute names
+but not their types. The types are derived automatically in the same
+way as discussed above for atomic event parameters. 
+
+Now you can instantiate a record instance of the newly defined type
+and send it out:
+
+    rec = record(my_record)
+    rec.a = 5
+    rec.b = addr("192.168.1.1")
+    rec.c = subnet("192.168.1.0/24")
+    bc.send("my_event", rec)
+    
+NOTE: The Python module does not support nested records at this
+time. 
+
+Receiving Events
+~~~~~~~~~~~~~~~~
+
+To receive events, you define a callback function having the same
+name as the event and mark it with the +event+ decorator:
+
+   @event
+   def foo(arg1, arg2):
+       print arg1, arg2    
+
+Once you start calling +bc.processInput()+ regularly (see above),
+each received +foo+ event will trigger the callback function. 
+
+By default, the event's arguments are always passed in with built-in
+Python types. For Bro types which do not have a direct Python
+equivalent (see table above), a substitute built-in type is used
+which corresponds to the type the wrapper class' constructor expects
+(see the examples in the table). For example, Bro type +addr+ is
+passed in as a string and Bro type +time+ is passed in as a float.
+
+Alternatively, you can define a _typed_ prototype for the event. If you
+do so, arguments will first be type-checked and then passed to the
+call-back with the specified type (which means instances of the
+wrapper classes for non-Python types). Example:
+
+   @event(count, addr)
+   def bar(arg1, arg2):
+       print arg1, arg2
+
+Here, +arg1+ will be an instance of the +count+ wrapper class and
++arg2+ will be an instance of the +addr+ wrapper class. 
+
+Protoyping works similarly with built-in Python types:
+
+   @event(int, string):
+   def foo(arg1, arg2):
+       print arg1, arg2
+       
+In general, the prototype specifies the types in which the callback
+wants to receive the arguments. This actually provides support for
+simple type casts as some types support conversion to into something
+different. If for instance the event source sends an event with a
+single port argument, +@event(port)+ will pass the port as an
+instance of the +port+ wrapper class; +@event(string)+ will pass it
+as a string (e.g., +"80/tcp"+); and +@event(int)+ will pass it as an
+integer without protocol information (e.g., just +80+). If an
+argument cannot be converted into the specified type, a +TypeError+
+will be raised.
+
+To receive an event with a record parameter, the record type first
+needs to be defined, as described above. Then the type can be used
+with the +@event+ decorator in the same way as atomic types:
+
+   my_record = record_type("a", "b", "c")
+   @event(my_record)
+   def my_event(rec):
+       print rec.a, rec.b, rec.c
+
+Helper Functions
+----------------
+
+The +broccoli+ module provides one helper function: +current_time()+
+returns the current time as a float which, if necessary, can be
+wrapped into a +time+ parameter (i.e., +time(current_time()+)
+
+Examples
+--------
+
+There are some example scripts in
+http://svn.icir.org/bro/branches/robin/work/aux/broccoli/bindings/python/tests/[+aux/broccoli/bindings/python/tests+]:
+
+   - http://svn.icir.org/bro/branches/robin/work/aux/broccoli/bindings/python/tests/broping.py[+broping.py+]
+   is a (simplified) Python version of Broccoli's test program
+   +broping+. Start Bro with
+   http://svn.icir.org/bro/branches/robin/work/aux/broccoli/test/broping.bro[+aux/broccoli/test/broping.bro+].
+   
+   - Similarly,
+   http://svn.icir.org/bro/branches/robin/work/aux/broccoli/bindings/python/tests/broping-record.py[+broping-record.py+]
+   is a Python version of Broccoli's +broping+ for records. Start
+   Bro with
+   http://svn.icir.org/bro/branches/robin/work/aux/broccoli/test/broping-record.bro[+aux/broccoli/test/broping-record.bro+].
+   
+   - http://svn.icir.org/bro/branches/robin/work/aux/broccoli/bindings/python/tests/test.py[+test.py+]
+   is a very ugly but comprehensive regression test and part of the
+   communication test-suite. Start Bro with
+   http://svn.icir.org/bro/branches/robin/work/aux/broccoli/bindings/python/tests/test.bro[+test.bro+].
+   
+   
+
+
+
+
+
diff --git a/aux/broccoli/bindings/python/README.html b/aux/broccoli/bindings/python/README.html
new file mode 100644
index 0000000000..d8792f8485
--- /dev/null
+++ b/aux/broccoli/bindings/python/README.html
@@ -0,0 +1,800 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
+    "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
+<meta name="generator" content="AsciiDoc 8.2.3" />
+<style type="text/css">
+/* Debug borders */
+p, li, dt, dd, div, pre, h1, h2, h3, h4, h5, h6 {
+/*
+  border: 1px solid red;
+*/
+}
+
+body {
+  background:#ffffff;
+  margin:0;
+  padding:20px 10px;
+  font-size: small;
+  font-family: sans-serif;
+  color: #505050;
+  margin: 1em 10% 1em 10%;
+}
+
+a {
+  color: #005000;
+}
+
+a:visited {
+  color: #005000;
+}
+
+a:hover {
+  color: #002000;
+}
+
+em {
+  font-style: italic;
+}
+
+strong {
+  font-weight: bold;
+}
+
+tt {
+  color: #000000;
+}
+
+h1, h2, h3, h4, h5, h6, div#toctitle {
+  color: #227022;
+  font-family: sans-serif;
+  margin-top: 1.2em;
+  margin-bottom: 0.5em;
+  line-height: 1.3;
+  font-weight: normal;
+}
+
+h1, h2, h3, div#toctitle {
+  border-bottom: 1px solid;
+  border-color: #000000;
+}
+
+h1 {
+  font-size: x-large;
+  }
+
+h2, div#toctitle {
+  padding-top: 0.5em;
+  font-size: medium;
+}
+h3 {
+  float: left;
+  font-size: small;
+}
+h3 + * {
+  clear: left;
+}
+
+div.sectionbody {
+  font-family: sans-serif;
+  margin-left: 0;
+}
+
+hr {
+  border: 1px solid;
+}
+
+p {
+  margin-top: 0.5em;
+  margin-bottom: 0.5em;
+}
+
+pre {
+  padding: 0;
+  margin: 0;
+}
+
+span#author {
+  color: #338033;
+  font-family: sans-serif;
+  font-size: 1.1em;
+}
+span#email {
+}
+span#revision {
+  font-family: sans-serif;
+}
+
+div#footer {
+  font-family: sans-serif;
+  font-size: x-small;
+  border-top: 1px solid;
+  padding-top: 0.5em;
+  margin-top: 4.0em;
+}
+div#footer-text {
+  float: left;
+  padding-bottom: 0.5em;
+}
+div#footer-badges {
+  float: right;
+  padding-bottom: 0.5em;
+}
+
+div#preamble,
+div.tableblock, div.imageblock, div.exampleblock, div.verseblock,
+div.quoteblock, div.literalblock, div.listingblock, div.sidebarblock,
+div.admonitionblock {
+  margin-top: 1.5em;
+  margin-left: 1em;
+  margin-bottom: 1.5em;
+/*  background: #eeffcc; */
+}
+div.admonitionblock {
+  margin-top: 2.5em;
+  margin-bottom: 2.5em;
+}
+
+div.content { /* Block element content. */
+  padding: 0;
+}
+
+/* Block element titles. */
+div.title, caption.title {
+  font-family: sans-serif;
+  text-align: left;
+  margin-top: 1.0em;
+  margin-bottom: 0.5em;
+}
+div.title + * {
+  margin-top: 0;
+}
+
+td div.title:first-child {
+  margin-top: 0.0em;
+}
+div.content div.title:first-child {
+  margin-top: 0.0em;
+}
+div.content + div.title {
+  margin-top: 0.0em;
+}
+
+div.sidebarblock > div.content {
+  background: #ffffee;
+  border: 1px solid;
+  padding: 0.5em;
+}
+
+div.listingblock {
+  margin-right: 0%;
+}
+div.listingblock > div.content {
+  border: 1px solid;
+  background: #f4f4f4;
+  padding: 0.5em;
+}
+
+div.quoteblock > div.content {
+  padding-left: 2.0em;
+}
+
+div.attribution {
+  text-align: right;
+}
+
+div.verseblock + div.attribution {
+  text-align: left;
+}
+
+div.admonitionblock .icon {
+  vertical-align: top;
+  font-size: 1.1em;
+  color: #338033;
+  padding-right: 0.5em;
+}
+div.admonitionblock td.content {
+  padding-left: 0.5em;
+  border-left: 2px solid;
+}
+
+div.exampleblock > div.content {
+  border-left: 2px solid;
+  padding: 0.5em;
+}
+
+div.verseblock div.content {
+  white-space: pre;
+}
+
+div.imageblock div.content { padding-left: 0; }
+div.imageblock img { border: 1px solid ; }
+span.image img { border-style: none; }
+
+dl {
+  margin-top: 0.8em;
+  margin-bottom: 0.8em;
+}
+dt {
+  margin-top: 0.5em;
+  margin-bottom: 0;
+  font-style: italic;
+}
+dd > *:first-child {
+  margin-top: 0;
+}
+
+ul, ol {
+    list-style-position: outside;
+}
+div.olist2 ol {
+  list-style-type: lower-alpha;
+}
+
+div.tableblock > table {
+  border: 3px solid #527bbd;
+}
+
+div.addrblock > table {
+  border: 0px 0px 0px 0px;
+  border-style: none none none none;
+  padding: 0px;
+  margin: 10px;
+  color: #000000;
+}
+
+table.addrblockbg {
+  /*
+  border-top: 1px solid;
+  border-bottom: 1px solid;
+  */
+  background: #e0ffe0 ;
+  border-style: none;
+  outline-style: none;
+}
+
+thead {
+  font-family: sans-serif;
+  color: #000000;
+}
+tfoot {
+  font-weight: bold;
+  color: #000000;
+}
+
+div.hlist {
+  margin-top: 0.8em;
+  margin-bottom: 0.8em;
+}
+div.hlist td {
+  padding-bottom: 5px;
+}
+td.hlist1 {
+  vertical-align: top;
+  font-style: italic;
+  padding-right: 0.8em;
+}
+td.hlist2 {
+  vertical-align: top;
+}
+
+@media print {
+  div#footer-badges { display: none; }
+}
+
+div.toclevel1, div.toclevel2, div.toclevel3, div.toclevel4 {
+  margin-top: .5ex;
+  margin-bottom: 0;
+  margin-left: 2em;
+  line-height: 1.3;
+}
+div.toclevel1 {
+  margin-top: 1ex;
+}
+div.toclevel2 {
+  margin-left: 4em;
+}
+
+div.toclevel3 {
+  margin-left: 6em;
+}
+div.toclevel4 {
+  margin-left: 8em;
+}
+/* Workarounds for IE6's broken and incomplete CSS2. */
+
+div.sidebar-content {
+  background: #ffffee;
+  border: 1px solid silver;
+  padding: 0.5em;
+}
+div.sidebar-title, div.image-title {
+  font-family: sans-serif;
+  font-weight: bold;
+  margin-top: 0.0em;
+  margin-bottom: 0.5em;
+}
+
+div.listingblock div.content {
+  border: 1px solid silver;
+  background: #f4f4f4;
+  padding: 0.5em;
+}
+
+div.quoteblock-content {
+  padding-left: 2.0em;
+}
+
+div.exampleblock-content {
+  border-left: 2px solid silver;
+  padding-left: 0.5em;
+}
+
+/* IE6 sets dynamically generated links as visited. */
+div#toc a:visited { color: blue; }
+</style>
+<script type="text/javascript">
+/*<![CDATA[*/
+window.onload = function(){generateToc(2)}
+/* Author: Mihai Bazon, September 2002
+ * http://students.infoiasi.ro/~mishoo
+ *
+ * Table Of Content generator
+ * Version: 0.4
+ *
+ * Feel free to use this script under the terms of the GNU General Public
+ * License, as long as you do not remove or alter this notice.
+ */
+
+ /* modified by Troy D. Hanson, September 2006. License: GPL */
+ /* modified by Stuart Rackham, October 2006. License: GPL */
+
+function getText(el) {
+  var text = "";
+  for (var i = el.firstChild; i != null; i = i.nextSibling) {
+    if (i.nodeType == 3 /* Node.TEXT_NODE */) // IE doesn't speak constants.
+      text += i.data;
+    else if (i.firstChild != null)
+      text += getText(i);
+  }
+  return text;
+}
+
+function TocEntry(el, text, toclevel) {
+  this.element = el;
+  this.text = text;
+  this.toclevel = toclevel;
+}
+
+function tocEntries(el, toclevels) {
+  var result = new Array;
+  var re = new RegExp('[hH]([2-'+(toclevels+1)+'])');
+  // Function that scans the DOM tree for header elements (the DOM2
+  // nodeIterator API would be a better technique but not supported by all
+  // browsers).
+  var iterate = function (el) {
+    for (var i = el.firstChild; i != null; i = i.nextSibling) {
+      if (i.nodeType == 1 /* Node.ELEMENT_NODE */) {
+        var mo = re.exec(i.tagName)
+        if (mo)
+          result[result.length] = new TocEntry(i, getText(i), mo[1]-1);
+        iterate(i);
+      }
+    }
+  }
+  iterate(el);
+  return result;
+}
+
+// This function does the work. toclevels = 1..4.
+function generateToc(toclevels) {
+  var toc = document.getElementById("toc");
+  var entries = tocEntries(document.getElementsByTagName("body")[0], toclevels);
+  for (var i = 0; i < entries.length; ++i) {
+    var entry = entries[i];
+    if (entry.element.id == "")
+      entry.element.id = "toc" + i;
+    var a = document.createElement("a");
+    a.href = "#" + entry.element.id;
+    a.appendChild(document.createTextNode(entry.text));
+    var div = document.createElement("div");
+    div.appendChild(a);
+    div.className = "toclevel" + entry.toclevel;
+    toc.appendChild(div);
+  }
+}
+/*]]>*/
+</script>
+<title>Python Bindings for Broccoli</title>
+</head>
+<body>
+<div id="header">
+<h1>Python Bindings for Broccoli</h1>
+<div id="toc">
+  <div id="toctitle">Table of Contents</div>
+  <noscript><p><b>JavaScript must be enabled in your browser to display the table of contents.</b></p></noscript>
+</div>
+</div>
+<h2>Overview</h2><p/>
+<div class="sectionbody">
+<p>This Python module provides bindings for
+<a href="http://www.icir.org/christian/broccoli/index.html">Broccoli</a>, Bro's
+client communication library. In general, the bindings provide the
+same functionality as Broccoli's C API.</p>
+</div>
+<h2>Download</h2><p/>
+<div class="sectionbody">
+<p>Since Bro 1.4, a stable version of the Python module ships as part
+of the Bro distribution in <tt>aux/broccoli/bindings/python</tt>.</p>
+<p>The most current development version is part of the Bro Subversion
+repository. To get it, use:</p>
+<div class="literalblock">
+<div class="content">
+<pre><tt>&gt; svn checkout http://svn.icir.org/bro/trunk/bro/aux/broccoli/bindings/python</tt></pre>
+</div></div>
+</div>
+<h2>Installation</h2><p/>
+<div class="sectionbody">
+<p>Installation of the Python module is pretty straight-forward. After
+Broccoli itself has been
+<a href="http://www.icir.org/christian/broccoli/manual/c55.html">installed</a>,
+it follows the standard installation process for Python modules:</p>
+<div class="literalblock">
+<div class="content">
+<pre><tt>&gt; python setup.py install</tt></pre>
+</div></div>
+<p>Try the following to test the installation. If you do not see any
+error message, everything should be fine:</p>
+<div class="literalblock">
+<div class="content">
+<pre><tt>&gt; python -c "import broccoli"
+&gt;</tt></pre>
+</div></div>
+</div>
+<h2>Usage</h2><p/>
+<div class="sectionbody">
+<p>The following examples demonstrate how to send and receive Bro
+events in Python.</p>
+<p>The main challenge when using Broccoli from Python is dealing with
+the data types of Bro event parameters as there is no one-to-one
+mapping between Bro's types and Python's types. The Python modules
+automatically maps between those types which both systems provide
+(such as strings) and provides a set of wrapper classes for Bro
+types which do not have a direct Python equivalent (such as IP
+addresses).</p>
+<h3>Connecting to Bro</h3><p/>
+<p>The following code sets up a connection from Python to a remote Bro
+instance (or another Broccoli) and provides a connection handle for
+further communication:</p>
+<div class="literalblock">
+<div class="content">
+<pre><tt>from broccoli import *
+bc = Connection("127.0.0.1:47758")</tt></pre>
+</div></div>
+<p>An <tt>IOError</tt> will be raised if the connection cannot be established.</p>
+<h3>Sending Events</h3><p/>
+<p>Once you have a connection handle <tt>bc</tt> set up as shown above, you can
+start sending events:</p>
+<div class="literalblock">
+<div class="content">
+<pre><tt>bc.send("foo", 5, "attack!")</tt></pre>
+</div></div>
+<p>This sends an event called <tt>foo</tt> with two parameters, <tt>5</tt> and
+<tt>attack!</tt>. Broccoli operates asynchronously, i.e., events scheduled
+with <tt>send()</tt> are not always sent out immediately but might be
+queued for later transmission. To ensure that all events get out
+(and incoming events are processed, see below), you need to call
+<tt>bc.processInput()</tt> regularly.</p>
+<h3>Data Types</h3><p/>
+<p>In the example above, the types of the event parameters are
+automatically derived from the corresponding Python types: the first
+parameter (<tt>5</tt>) has the Bro type <tt>int</tt> and the second one
+(<tt>attack!</tt>) has Bro type <tt>string</tt>.</p>
+<p>For types which do not have a Python equivalent, the <tt>broccoli</tt>
+module provides wrapper classes which have the same names as the
+corresponding Bro types. For example, to send an event called <tt>bar</tt>
+with one <tt>addr</tt> argument and one <tt>count</tt> argument, you can write:</p>
+<div class="literalblock">
+<div class="content">
+<pre><tt>bc.send("bar", addr("192.168.1.1"), count(42))</tt></pre>
+</div></div>
+<p>The following table summarizes the available atomic types and their
+usage.</p>
+<div class="tableblock">
+<table rules="all"
+frame="hsides"
+cellspacing="0" cellpadding="4">
+<caption class="title">Table: Bro vs. Python types</caption>
+<col width="114" />
+<col width="137" />
+<col width="308" />
+<thead>
+  <tr>
+    <th align="center">
+    Bro Type
+    </th>
+    <th align="center">
+    Python Type
+    </th>
+    <th align="center">
+    Example
+    </th>
+  </tr>
+</thead>
+<tbody valign="top">
+  <tr>
+    <td align="center">
+    addr
+    </td>
+    <td align="center">
+    
+    </td>
+    <td align="center">
+    <tt>addr("192.168.1.1")</tt>
+    </td>
+  </tr>
+  <tr>
+    <td align="center">
+    bool
+    </td>
+    <td align="center">
+    bool
+    </td>
+    <td align="center">
+    <tt>True</tt>
+    </td>
+  </tr>
+  <tr>
+    <td align="center">
+    count
+    </td>
+    <td align="center">
+    
+    </td>
+    <td align="center">
+    <tt>count(42)</tt>
+    </td>
+  </tr>
+  <tr>
+    <td align="center">
+    double
+    </td>
+    <td align="center">
+    float
+    </td>
+    <td align="center">
+    <tt>3.14</tt>
+    </td>
+  </tr>
+  <tr>
+    <td align="center">
+    enum
+    </td>
+    <td align="center">
+    
+    </td>
+    <td align="center">
+    <em>Type currently not supported</em>
+    </td>
+  </tr>
+  <tr>
+    <td align="center">
+    int
+    </td>
+    <td align="center">
+    int
+    </td>
+    <td align="center">
+    <tt>5</tt>
+    </td>
+  </tr>
+  <tr>
+    <td align="center">
+    interval
+    </td>
+    <td align="center">
+    
+    </td>
+    <td align="center">
+    <tt>interval(60)</tt>
+    </td>
+  </tr>
+  <tr>
+    <td align="center">
+    net
+    </td>
+    <td align="center">
+    
+    </td>
+    <td align="center">
+    <em>Type currently not supported</em>
+    </td>
+  </tr>
+  <tr>
+    <td align="center">
+    port
+    </td>
+    <td align="center">
+    
+    </td>
+    <td align="center">
+    <tt>port("80/tcp")</tt>
+    </td>
+  </tr>
+  <tr>
+    <td align="center">
+    string
+    </td>
+    <td align="center">
+    string
+    </td>
+    <td align="center">
+    <tt>"attack!"</tt>
+    </td>
+  </tr>
+  <tr>
+    <td align="center">
+    subnet
+    </td>
+    <td align="center">
+    
+    </td>
+    <td align="center">
+    <tt>subnet("192.168.1.0/24")</tt>
+    </td>
+  </tr>
+  <tr>
+    <td align="center">
+    time
+    </td>
+    <td align="center">
+    
+    </td>
+    <td align="center">
+    <tt>time(1111111111.0)</tt>
+    </td>
+  </tr>
+</tbody>
+</table>
+</div>
+<p>The <tt>broccoli</tt> module also supports sending Bro records as event
+parameters. To send a record, you first define a record type. For
+example, a Bro record type</p>
+<div class="literalblock">
+<div class="content">
+<pre><tt>type my_record: record {
+    a: int;
+    b: addr;
+    c: subnet;
+};</tt></pre>
+</div></div>
+<p>turns into Python as</p>
+<div class="literalblock">
+<div class="content">
+<pre><tt>my_record = record_type("a", "b", "c")</tt></pre>
+</div></div>
+<p>As the example shows, Python only needs to know the attribute names
+but not their types. The types are derived automatically in the same
+way as discussed above for atomic event parameters.</p>
+<p>Now you can instantiate a record instance of the newly defined type
+and send it out:</p>
+<div class="literalblock">
+<div class="content">
+<pre><tt>rec = record(my_record)
+rec.a = 5
+rec.b = addr("192.168.1.1")
+rec.c = subnet("192.168.1.0/24")
+bc.send("my_event", rec)</tt></pre>
+</div></div>
+<div class="admonitionblock">
+<table><tr>
+<td class="icon">
+<div class="title">Note</div>
+</td>
+<td class="content">The Python module does not support nested records at this
+time.</td>
+</tr></table>
+</div>
+<h3>Receiving Events</h3><p/>
+<p>To receive events, you define a callback function having the same
+name as the event and mark it with the <tt>event</tt> decorator:</p>
+<div class="literalblock">
+<div class="content">
+<pre><tt>@event
+def foo(arg1, arg2):
+    print arg1, arg2</tt></pre>
+</div></div>
+<p>Once you start calling <tt>bc.processInput()</tt> regularly (see above),
+each received <tt>foo</tt> event will trigger the callback function.</p>
+<p>By default, the event's arguments are always passed in with built-in
+Python types. For Bro types which do not have a direct Python
+equivalent (see table above), a substitute built-in type is used
+which corresponds to the type the wrapper class' constructor expects
+(see the examples in the table). For example, Bro type <tt>addr</tt> is
+passed in as a string and Bro type <tt>time</tt> is passed in as a float.</p>
+<p>Alternatively, you can define a <em>typed</em> prototype for the event. If you
+do so, arguments will first be type-checked and then passed to the
+call-back with the specified type (which means instances of the
+wrapper classes for non-Python types). Example:</p>
+<div class="literalblock">
+<div class="content">
+<pre><tt>@event(count, addr)
+def bar(arg1, arg2):
+    print arg1, arg2</tt></pre>
+</div></div>
+<p>Here, <tt>arg1</tt> will be an instance of the <tt>count</tt> wrapper class and
+<tt>arg2</tt> will be an instance of the <tt>addr</tt> wrapper class.</p>
+<p>Protoyping works similarly with built-in Python types:</p>
+<div class="literalblock">
+<div class="content">
+<pre><tt>@event(int, string):
+def foo(arg1, arg2):
+    print arg1, arg2</tt></pre>
+</div></div>
+<p>In general, the prototype specifies the types in which the callback
+wants to receive the arguments. This actually provides support for
+simple type casts as some types support conversion to into something
+different. If for instance the event source sends an event with a
+single port argument, <tt>@event(port)</tt> will pass the port as an
+instance of the <tt>port</tt> wrapper class; <tt>@event(string)</tt> will pass it
+as a string (e.g., <tt>"80/tcp"</tt>); and <tt>@event(int)</tt> will pass it as an
+integer without protocol information (e.g., just <tt>80</tt>). If an
+argument cannot be converted into the specified type, a <tt>TypeError</tt>
+will be raised.</p>
+<p>To receive an event with a record parameter, the record type first
+needs to be defined, as described above. Then the type can be used
+with the <tt>@event</tt> decorator in the same way as atomic types:</p>
+<div class="literalblock">
+<div class="content">
+<pre><tt>my_record = record_type("a", "b", "c")
+@event(my_record)
+def my_event(rec):
+    print rec.a, rec.b, rec.c</tt></pre>
+</div></div>
+</div>
+<h2>Helper Functions</h2><p/>
+<div class="sectionbody">
+<p>The <tt>broccoli</tt> module provides one helper function: <tt>current_time()</tt>
+returns the current time as a float which, if necessary, can be
+wrapped into a <tt>time</tt> parameter (i.e., <tt>time(current_time()</tt>)</p>
+</div>
+<h2>Examples</h2><p/>
+<div class="sectionbody">
+<p>There are some example scripts in
+<a href="http://svn.icir.org/bro/branches/robin/work/aux/broccoli/bindings/python/tests/"><tt>aux/broccoli/bindings/python/tests</tt></a>:</p>
+<ul>
+<li>
+<p>
+<a href="http://svn.icir.org/bro/branches/robin/work/aux/broccoli/bindings/python/tests/broping.py"><tt>broping.py</tt></a>
+   is a (simplified) Python version of Broccoli's test program
+   <tt>broping</tt>. Start Bro with
+   <a href="http://svn.icir.org/bro/branches/robin/work/aux/broccoli/test/broping.bro"><tt>aux/broccoli/test/broping.bro</tt></a>.
+</p>
+</li>
+<li>
+<p>
+Similarly,
+   <a href="http://svn.icir.org/bro/branches/robin/work/aux/broccoli/bindings/python/tests/broping-record.py"><tt>broping-record.py</tt></a>
+   is a Python version of Broccoli's <tt>broping</tt> for records. Start
+   Bro with
+   <a href="http://svn.icir.org/bro/branches/robin/work/aux/broccoli/test/broping-record.bro"><tt>aux/broccoli/test/broping-record.bro</tt></a>.
+</p>
+</li>
+<li>
+<p>
+<a href="http://svn.icir.org/bro/branches/robin/work/aux/broccoli/bindings/python/tests/test.py"><tt>test.py</tt></a>
+   is a very ugly but comprehensive regression test and part of the
+   communication test-suite. Start Bro with
+   <a href="http://svn.icir.org/bro/branches/robin/work/aux/broccoli/bindings/python/tests/test.bro"><tt>test.bro</tt></a>.
+</p>
+</li>
+</ul>
+</div>
+<div id="footer">
+<div id="footer-text">
+<a href="http://www.icir.org/robin">Back to Homepage</a><br />
+</div>
+</div>
+</body>
+</html>
diff --git a/aux/broccoli/bindings/python/TODO b/aux/broccoli/bindings/python/TODO
new file mode 100644
index 0000000000..0bfc98af3e
--- /dev/null
+++ b/aux/broccoli/bindings/python/TODO
@@ -0,0 +1,7 @@
+
+- nested records are not support. 
+- type net does not work because I'm too lazy to implement the parsing ...
+- type enum disabled because there seems to be some Broccoli problem with them.
+- would be nice to have some more standard operations (+,-, etc.)
+  defined for the wrapper classes.
+- listen() not available in Python
diff --git a/aux/broccoli/bindings/python/broccoli.py b/aux/broccoli/bindings/python/broccoli.py
new file mode 100644
index 0000000000..e8992eed32
--- /dev/null
+++ b/aux/broccoli/bindings/python/broccoli.py
@@ -0,0 +1,425 @@
+
+import socket
+import struct
+from types import FunctionType 
+
+from _broccoli_intern import *
+
+bro_init(None)
+
+##### Connection class which capsulates a Broccoli connection.
+class Connection:
+    # Connection to destination given as string "host:port"
+    def __init__(self, destination, broclass="", flags=BRO_CFLAG_RECONNECT | BRO_CFLAG_ALWAYS_QUEUE, connect=True):
+        self.bc = bro_conn_new_str(destination, flags)
+        self.destination = destination
+        if not self.bc:
+            raise IOError("cannot init Broccoli connection handle")
+        
+        self._registerHandlers()
+        
+        if broclass:
+            bro_conn_set_class(self.bc, broclass)
+        
+        if connect:
+            self.connect();
+
+    # If the instance was created with connect=False, this will trigger the connect.
+    def connect(self):
+        if not bro_conn_connect(self.bc):
+            raise IOError("cannot connect to %s" % self.destination)
+        
+    # Hand control to Broccoli's I/O loop.
+    # Returns true if the send queue is non-empty.
+    def processInput(self):
+        bro_conn_process_input(self.bc);
+        return bro_event_queue_length(self.bc) > 0
+
+    # Send an event of name with args.
+    def send(self, name, *args):
+        ev = bro_event_new(name)
+        for arg in args:
+            bro_event_add_val(ev, _getInternalVal(arg));
+            
+        bro_event_send(self.bc, ev);
+        bro_event_free(ev);
+        self.processInput()
+        
+    # Explicit subscribe
+    def subscribe(self, event_name, callback):
+        ev = event(callback)
+        bro_event_registry_add_compact(self.bc, event_name, ev);
+
+    # Register all decorated event callbacks.
+    def _registerHandlers(self):
+        for ev in _Events:
+            bro_event_registry_add_compact(self.bc, ev.__name__, ev);
+
+            
+##### Wrapped helper functions.        
+def current_time():
+    return bro_util_current_time()
+
+##### Decorator @event(val-type1, val-type2, val-type3, ...)
+
+# List of all functions declared with the @event decorator 
+# (more precisely, list of all of their wrappers; see below).
+_Events = []
+
+def event(*types):
+
+    # We wrap the event callback into a function which turns the 2-tuples (type,val)
+    # that we get from the C layer into the corresponding Python object.
+    def make_wrapper(func):
+        
+        def wrapped_f(*args):
+            
+	    new_args = []
+            
+            ptypes = types
+            if not ptypes:
+                # Allow omitting types. 
+                ptypes =  [None] *len(args)
+                
+            for (arg, type) in zip(args, ptypes):
+                # Split the 2-tuples passed to us by the C layer.
+                (btype, val) = arg
+                # Create an instance of the corresponding Python type.
+		new_args += [instantiate(btype, val, type)]
+                
+            # Finally call the callback.
+	    return func(*new_args);
+
+        # Pretend the wrapper has the name of the actual callback (rather than "wrapped_f" ...)
+	wrapped_f.func_name = func.func_name
+	
+        # Add the wrapped function to the list of events handlers.
+        global _Events
+        _Events += [wrapped_f]
+            
+        return wrapped_f
+
+    # Allow @event instead of @event()
+    if len(types) == 1 and type(types[0]) == FunctionType:
+        func = types[0]
+        types = ()
+        return make_wrapper(func)
+    
+    else:
+        return make_wrapper
+
+##### Data types
+
+# For those Bro types which do not direcly correspond to Python type, we create
+# wrapper classes. For those which do (int, float), we use the Python type directly.
+
+# Base class for our wrapper classes.
+# For atomic types, the classes here act as both type and instances. For non-atomic
+# types (i.e., records) we define separate type and instance classes below. 
+class Val:
+    # Type is the Bro type BRO_TYPE_*.
+    # Val is representation of the Val in a standard Python type. 
+    def __init__(self, type, val):
+        self.type = type
+        self.val = val
+        
+        self.__class__._bro_type = type # Doing it once would be sufficient.
+
+    def __str__(self):
+	return str(self.val)
+	
+    # Convert value into a 2-tuple (type, val) as expected by the C layer.
+    def internalVal(self):
+        return (self.type, self.val)
+    
+class count(Val):
+    def __init__(self, val):
+        Val.__init__(self, BRO_TYPE_COUNT, int(val))
+
+    @staticmethod
+    def _factory(val, dst_type):
+        v = count(val)
+        if dst_type == int or not dst_type:
+            return v.val
+        _typeCheck(dst_type, count)
+        return v
+
+class interval(Val):
+    def __init__(self, val):
+        Val.__init__(self, BRO_TYPE_INTERVAL, float(val))
+	
+    @staticmethod
+    def _factory(val, dst_type):
+        v = interval(val)
+        if dst_type == float or not dst_type:
+            return v.val
+        _typeCheck(dst_type, interval)
+        return v
+
+class time(Val):
+    def __init__(self, val):
+        Val.__init__(self, BRO_TYPE_TIME, float(val))
+	
+    @staticmethod
+    def _factory(val, dst_type):
+        v = time(val)
+        if dst_type == float or not dst_type:
+            return v.val
+        _typeCheck(dst_type, time)
+        return v
+
+class port(Val):
+    
+    protos_by_name = { "tcp": 6, "udp": 17, "icmp": 1 }
+    protos_by_num =  { 6: "tcp", 17: "udp", 1: "icmp" }
+    
+    def __init__(self, str=None, internal=None):
+        v = internal and internal or self._parse(str)
+        Val.__init__(self, BRO_TYPE_PORT, v)
+
+    def __str__(self):
+        (port, proto) = self.val
+        try:
+            return "%d/%s" % (port, self.protos_by_num[proto])
+        except IndexError:
+            return "%s/unknown" % port
+        
+    @staticmethod
+    def _factory(val, dst_type):
+        v = port(internal=val)
+        if dst_type == str or not dst_type:
+            return str(v)
+        if dst_type == int:
+            return v[0]
+        _typeCheck(dst_type, port)
+        return v
+    
+    def _parse(self, str):
+        (port, proto) = str.split("/")
+        try:
+            return (int(port), self.protos_by_name[proto.lower()])
+        except (IndexError, ValueError):
+            return (0, 0)
+        
+class addr(Val):
+    def __init__(self, str=None, internal=None):
+        v = internal and internal or self._parse(str)
+        Val.__init__(self, BRO_TYPE_IPADDR, v)
+
+    def __str__(self):
+        return socket.inet_ntoa(struct.pack('=l', self.val))
+        
+    @staticmethod
+    def _factory(val, dst_type):
+        v = addr(internal=val)
+        if dst_type == str or not dst_type:
+            return str(v)
+        _typeCheck(dst_type, addr)
+        return v
+    
+    def _parse(self, str):
+        return struct.unpack('=l',socket.inet_aton(str))[0]
+
+# Not supported at this point. Need to write a parse function.
+class net(Val):
+    def __init__(self, str=None, internal=None):
+        v = internal and internal or self._parse(str)
+        Val.__init__(self, BRO_TYPE_NET, v)
+
+    def __str__(self):
+        return "X.X.X"  # FIXME
+        
+    @staticmethod
+    def _factory(val, dst_type):
+        v = net(internal=val)
+        if dst_type == str or not dst_type:
+            return str(v)
+        _typeCheck(dst_type, net)
+        return v
+    
+    def _parse(self, str):
+        return 0   # FIXME
+
+class subnet(Val):
+    def __init__(self, str=None, internal=None):
+        v = internal and internal or self._parse(str)
+        Val.__init__(self, BRO_TYPE_SUBNET, v)
+
+    def __str__(self):
+        (net, mask) = self.val
+        return "%s/%d" % (socket.inet_ntoa(struct.pack('=l', net)), mask)
+    
+    @staticmethod
+    def _factory(val, dst_type):
+        v = subnet(internal=val)
+        if dst_type == str or not dst_type:
+            return str(v)
+        _typeCheck(dst_type, subnet)
+        return v
+    
+    def _parse(self, str):
+        (net, mask) = str.split("/")
+        return (struct.unpack('=l',socket.inet_aton(net))[0], int(mask))
+
+# Not supported at this point since Broccoli seems to have problems with
+# enums. Also need to write parse functions.
+class enum(Val):
+    def __init__(self, str=None, internal=None):
+        v = internal and internal or self._parse(str)
+        Val.__init__(self, BRO_TYPE_ENUM, v)
+
+    def __str__(self):
+        return "XXXX"  # FIXME
+        
+    @staticmethod
+    def _factory(val, dst_type):
+        v = enum(internal=val)
+        _typeCheck(dst_type, enum)
+        return v
+    
+    def _parse(self, str):
+        return 0   # FIXME
+    
+# Helper class for unset values.    
+class unknown(Val):        
+    def __init__(self):
+        Val.__init__(self, BRO_TYPE_UNKNOWN, None)
+
+# Dictionary of all defined record types.         
+RecTypes = {}
+
+# Type class for records, which maps field names to indices.
+# E.g., conn_id = record_type("orig_h", "orig_p", "resp_h", "resp_p")
+class record_type:
+    def __init__(self, *fields):
+        self.fields = fields
+	
+	global RecTypes
+        # Remember this type by its name.
+	RecTypes[self.__class__.__name__] = self
+
+    @classmethod
+    def _factory(self, vals, dst_type):
+        # FIXME: Add _typeCheck(),
+        # FIXME: For recursive records we'd need to pass the right record type
+        # here instead of none, which we don't have. How to do that?
+        
+        # Get the type.
+        rec_type = RecTypes[dst_type.__class__.__name__]
+        
+        # Init the field values.
+        vals = [instantiate(btype, val, None) for (btype, val) in vals]
+        
+	return record(rec_type, vals)
+
+# Class for record instances.
+class record(Val):
+    def __init__(self, type, vals = None):
+        Val.__init__(self, BRO_TYPE_RECORD, {})
+        
+        # Save the record's type.
+	self._type = type
+
+        if not vals:
+            # Use Nones if we didn't get any values.
+            vals = [None] * len(type.fields)
+
+        # Initialize record fields.
+        for (key, val) in zip(type.fields, vals):
+            self.val[key] = val
+                
+    def internalVal(self):
+        vals = [_getInternalVal(self.val.get(f, unknown())) for f in self._type.fields]
+        return (BRO_TYPE_RECORD, vals)
+
+    # Provide attribute access via "val.attr".
+    def __getattr__(self, key):
+        if "_type" in self.__dict__ and key in self._type.fields:
+            return self.val[key]
+        raise AttributeError
+        
+    def __setattr__(self, key, val):
+        try:
+            if key in self._type.fields:
+                self.val[key] = val
+                return
+        except AttributeError:
+            pass
+
+        # FIXME: Check that key is defined in type.
+        self.__dict__[key] = val
+
+# Helper to check whether two Python types match.
+def _typeCheck(type1, type2):
+    def typeToBro(type):
+        # Do the Python types manually.
+        if type == int:
+            return BRO_TYPE_INT;
+        if type == bool:
+            return BRO_TYPE_BOOL;
+        if type == float:
+            return BRO_TYPE_DOUBLE;
+        if type == str:
+            return BRO_TYPE_STRING;
+        return type._bro_type
+    
+    if type1 and type2 and typeToBro(type1) != typeToBro(type2):
+        raise TypeError
+
+# Helper to create the 2-tuple val.
+def _getInternalVal(arg):
+
+    if arg == None:
+        raise ValueError("uninitialized event argument")
+
+    if type(arg) == int:
+        return (BRO_TYPE_INT, arg)
+    elif type(arg) == bool:
+        return (BRO_TYPE_BOOL, arg)
+    elif type(arg) == str:
+        return(BRO_TYPE_STRING, arg)
+    elif type(arg) == float:
+        return(BRO_TYPE_DOUBLE, arg)
+    else:
+        return arg.internalVal()
+    
+# Factories for Python internal types.
+def _int_factory(val, dst_type):
+    return int(val)
+
+def _bool_factory(val, dst_type):
+    return bool(val)
+
+def _string_factory(val, dst_type):
+    return str(val)
+
+def _float_factory(val, dst_type):
+    return float(val)
+
+string = str    
+double = float
+
+# Table of factories for all supported types so that we can dynamically
+# instantiate them.
+_Factories = {
+    BRO_TYPE_INT: _int_factory,
+    BRO_TYPE_BOOL: _bool_factory,
+    BRO_TYPE_COUNT: count._factory,
+    BRO_TYPE_TIME: time._factory,
+    BRO_TYPE_INTERVAL: interval._factory,
+    BRO_TYPE_DOUBLE: _float_factory,
+    BRO_TYPE_STRING: _string_factory,
+    BRO_TYPE_PORT: port._factory,
+    BRO_TYPE_IPADDR: addr._factory,
+    BRO_TYPE_NET: net._factory,
+    BRO_TYPE_SUBNET: subnet._factory,
+    BRO_TYPE_ENUM: enum._factory,
+    BRO_TYPE_RECORD: record_type._factory,
+}
+
+def instantiate(src_type, val, dst_type):
+    return _Factories[src_type](val, dst_type)
+
+        
+
+
diff --git a/aux/broccoli/bindings/python/broccoli_intern.i b/aux/broccoli/bindings/python/broccoli_intern.i
new file mode 100644
index 0000000000..95e7757f37
--- /dev/null
+++ b/aux/broccoli/bindings/python/broccoli_intern.i
@@ -0,0 +1,392 @@
+// $Id$
+
+%module broccoli_intern
+%{
+// Include the header in the wrapper code.
+#include <broccoli.h>
+
+// Broccoli internal struct. Easier to copy that here than to include a bunch
+// of Broccoli's internal headers.  
+struct bro_record {
+    void *val_list;
+    int val_len;
+};
+    
+typedef BroRecord bro_record ;
+
+// Builds a 2-tuple (type, object).     
+PyObject* makeTypeTuple(int type, PyObject *val)
+{
+ 	PyObject *tuple = PyTuple_New(2);
+    PyTuple_SetItem(tuple, 0, PyInt_FromLong(type));
+    PyTuple_SetItem(tuple, 1, val);
+    return tuple;
+}
+
+// Parses a 2-tuple (type, object). Return 1 on success. 
+// Borrows input's reference to object.
+int parseTypeTuple(PyObject* input, int *type, PyObject **val)
+{
+    if ( ! (PyTuple_Check(input) && PyTuple_Size(input) == 2) ) {
+		PyErr_SetString(PyExc_RuntimeError, "argument must be 2-tuple");
+		return 0;
+    }
+    
+	PyObject *ptype = PyTuple_GetItem(input, 0);
+	PyObject *pval = PyTuple_GetItem(input, 1);
+	
+	if ( ! PyInt_Check(ptype) ) {
+		PyErr_SetString(PyExc_RuntimeError, "first tuple element must be integer");
+		return 0;
+    }
+    
+    *type = PyInt_AsLong(ptype);
+    
+	if ( *type < 0 || *type > BRO_TYPE_MAX ) {
+		PyErr_SetString(PyExc_RuntimeError, "unknown type in tuple");
+		return 0;
+    }
+    
+    *val = pval;
+    return 1;
+}
+
+// Release the memory associated with the Broccoli value.
+void freeBroccoliVal(int type, void* data)
+{
+    if ( ! data )
+        return;
+    
+    switch ( type ) {
+      case BRO_TYPE_STRING:
+        free(((BroString *)data)->str_val);
+        free(data);
+        break;
+        
+      case BRO_TYPE_RECORD:
+        bro_record_free((BroRecord *)data);
+        break;
+        
+      default:
+        free(data);
+    }
+    
+}
+
+// Converts a Broccoli value into a Python object.
+PyObject* valToPyObj(int type, void* data)
+{
+ 	PyObject* val = 0;
+
+	switch (type) {
+      case BRO_TYPE_BOOL:
+        val = PyBool_FromLong(*((int *)data));   
+        break;
+        
+      case BRO_TYPE_INT:
+      case BRO_TYPE_COUNT:
+      case BRO_TYPE_COUNTER:
+      case BRO_TYPE_IPADDR:
+      case BRO_TYPE_NET: {
+        val = PyInt_FromLong(*((long *)data));
+        break;
+      }
+        
+      case BRO_TYPE_DOUBLE:
+      case BRO_TYPE_TIME:
+      case BRO_TYPE_INTERVAL: {
+          val = PyFloat_FromDouble(*((double *)data));
+          break;
+      }
+        
+      case BRO_TYPE_STRING: {
+          BroString *str = (BroString*)data;
+          val = PyString_FromStringAndSize(str->str_val, str->str_len);
+          break;
+      }
+
+      case BRO_TYPE_ENUM: {
+          val = PyTuple_New(2);
+          PyTuple_SetItem(val, 0, PyBool_FromLong(*((int *)data)));
+          PyTuple_SetItem(val, 1, PyString_FromString("broccoli-doesnt-give-use-the-enum-type! :-("));
+          break;
+      }
+        
+        
+      case BRO_TYPE_PORT: {
+          BroPort *port = (BroPort*)data;
+          val = PyTuple_New(2);
+          PyTuple_SetItem(val, 0, PyInt_FromLong(port->port_num));
+          PyTuple_SetItem(val, 1, PyInt_FromLong(port->port_proto));
+          break;
+      }
+            
+      case BRO_TYPE_SUBNET: {
+          BroSubnet *subnet = (BroSubnet*)data;
+          val = PyTuple_New(2);
+          PyTuple_SetItem(val, 0, PyInt_FromLong(subnet->sn_net));
+          PyTuple_SetItem(val, 1, PyInt_FromLong(subnet->sn_width));
+          break;
+      }
+        
+      case BRO_TYPE_RECORD: { 
+          BroRecord *rec = (BroRecord*)data;
+          PyObject *fields = PyList_New(rec->val_len);
+          int i;
+          for ( i = 0; i < rec->val_len; i++ ) {
+              int type = BRO_TYPE_UNKNOWN;
+              void *data = bro_record_get_nth_val(rec, i, &type);
+              PyList_SetItem(fields, i, valToPyObj(type, data));
+          }
+          val = fields;
+          break;
+      }
+    
+      default:
+        PyErr_SetString(PyExc_RuntimeError, "unknown type");
+        return 0;
+        
+    }
+    
+    return makeTypeTuple(type, val);
+}
+    
+// Converts a Python object into Broccoli value.
+int pyObjToVal(PyObject *val, int type, const char **type_name, void** data)
+{
+	*type_name = 0;
+    *data = 0;
+
+    switch (type) {
+      case BRO_TYPE_BOOL:
+      case BRO_TYPE_INT:
+      case BRO_TYPE_COUNT:
+      case BRO_TYPE_COUNTER:
+      case BRO_TYPE_IPADDR:
+      case BRO_TYPE_NET: {
+          int* tmp = (int *)malloc(sizeof(int));
+		  *tmp = PyInt_AsLong(val);
+          *data = tmp;
+          break;
+      }
+        
+      case BRO_TYPE_DOUBLE:
+      case BRO_TYPE_TIME:
+      case BRO_TYPE_INTERVAL: {
+          double* tmp = (double *)malloc(sizeof(double));
+		  *tmp = PyFloat_AsDouble(val);
+          *data = tmp;
+          break;
+      }
+
+      case BRO_TYPE_STRING: {
+          BroString* str = (BroString *)malloc(sizeof(BroString));
+          
+          const char* tmp = PyString_AsString(val);
+          if ( ! tmp )
+              return 0;
+          
+          str->str_len = strlen(tmp);
+          str->str_val = strdup(tmp);
+          *data = str;
+          break;
+      }
+
+      case BRO_TYPE_ENUM: {
+          if ( ! (PyTuple_Check(val) && PyTuple_Size(val) == 2) ) {
+              PyErr_SetString(PyExc_RuntimeError, "enum must be 2-tuple");
+              return 0;
+          }
+          
+          int* tmp = (int *)malloc(sizeof(int));
+		  *tmp = PyInt_AsLong(PyTuple_GetItem(val, 0));
+          *data = tmp;
+          
+          const char* enum_type = PyString_AsString(PyTuple_GetItem(val, 1));
+          if ( ! enum_type )
+              return 0;
+          
+          *type_name = strdup(enum_type);
+          break;
+      }
+        
+      case BRO_TYPE_PORT: {
+          if ( ! (PyTuple_Check(val) && PyTuple_Size(val) == 2) ) {
+              PyErr_SetString(PyExc_RuntimeError, "port must be 2-tuple");
+              return 0;
+          }
+    
+          BroPort* port = (BroPort *)malloc(sizeof(BroPort));
+          port->port_num = PyInt_AsLong(PyTuple_GetItem(val, 0));
+          port->port_proto = PyInt_AsLong(PyTuple_GetItem(val, 1));
+          *data = port;
+          break;
+      }
+            
+      case BRO_TYPE_SUBNET: {
+          if ( ! (PyTuple_Check(val) && PyTuple_Size(val) == 2) ) {
+              PyErr_SetString(PyExc_RuntimeError, "subnet must be 2-tuple");
+              return 0;
+          }
+    
+          BroSubnet* subnet = (BroSubnet *)malloc(sizeof(BroSubnet));
+          subnet->sn_net = PyInt_AsLong(PyTuple_GetItem(val, 0));
+          subnet->sn_width = PyInt_AsLong(PyTuple_GetItem(val, 1));
+          *data = subnet;
+          break;
+      }
+        
+      case BRO_TYPE_RECORD: {
+          BroRecord *rec = bro_record_new();
+          int i;
+          for ( i = 0; i < PyList_Size(val); i++ ) {
+              int ftype;
+              PyObject *fval;
+              if ( ! parseTypeTuple(PyList_GetItem(val, i), &ftype, &fval) )
+                  return 0;
+                  
+              const char *ftype_name;
+              void *fdata;
+              if ( ! pyObjToVal(fval, ftype, &ftype_name, &fdata) ) 
+                  return 0;
+              
+              bro_record_add_val(rec, "<unknown>", ftype, 0, fdata);
+              freeBroccoliVal(ftype, fdata);
+          }
+          
+          *data = rec;
+          break;
+      }
+        
+      default:
+        PyErr_SetString(PyExc_RuntimeError, "unknown type");
+        return 0;
+    }
+    
+    return 1;
+}
+
+// C-level event handler for events. We register all events with this callback,
+// passing the target Python function in via data. 
+void event_callback(BroConn *bc, void *data, BroEvMeta *meta)
+{
+    PyObject *func = (PyObject*)data;
+    
+	int i;
+	PyObject *pyargs = PyTuple_New(meta->ev_numargs);
+	for ( i = 0; i < meta->ev_numargs; i++ )
+		PyTuple_SetItem(pyargs, i, valToPyObj(meta->ev_args[i].arg_type, meta->ev_args[i].arg_data));
+	
+	PyObject *result = PyObject_Call(func, pyargs, 0);
+
+    Py_DECREF(pyargs);
+    
+    if ( result )
+	    Py_DECREF(result);
+}
+
+%}
+
+// For bro_event_registry_add_compact().
+%typemap(in) (BroCompactEventFunc func, void *user_data)
+{
+    if ( ! PyFunction_Check($input) ) {
+        PyErr_SetString(PyExc_RuntimeError, "callback must be a function");
+        return NULL;
+    }
+    
+	$1 = event_callback;
+	$2 = $input;
+    Py_INCREF($input);
+}
+
+// For bro_event_add_val() and bro_record_add_val().
+%typemap(in) (int type, const char *type_name, const void *val)
+{
+    int type;
+    const char* type_name;
+    void *data;
+
+    PyObject *val;
+
+//bro_debug_messages = 1;
+//bro_debug_calltrace = 1;
+
+
+    if ( ! parseTypeTuple($input, &type, &val) )
+        return NULL;
+    
+    if ( ! pyObjToVal(val, type, &type_name, &data) )
+        return NULL;
+    
+    $1 = type;
+    $2 = type_name;
+    $3 = data;
+}
+
+%typemap(freearg) (int type, const char *type_name, const void *val)
+{
+    // Broccoli makes copies of the passed data so we need to clean up.
+    freeBroccoliVal($1, $3);
+    
+    if ( $2 )
+        free($2);
+}
+
+///// The following is a subset of broccoli.h for which we provide wrappers. 
+
+#define BRO_TYPE_UNKNOWN           0
+#define BRO_TYPE_BOOL              1
+#define BRO_TYPE_INT               2
+#define BRO_TYPE_COUNT             3
+#define BRO_TYPE_COUNTER           4
+#define BRO_TYPE_DOUBLE            5
+#define BRO_TYPE_TIME              6
+#define BRO_TYPE_INTERVAL          7
+#define BRO_TYPE_STRING            8
+#define BRO_TYPE_PATTERN           9
+#define BRO_TYPE_ENUM             10
+#define BRO_TYPE_TIMER            11
+#define BRO_TYPE_PORT             12
+#define BRO_TYPE_IPADDR           13
+#define BRO_TYPE_NET              14
+#define BRO_TYPE_SUBNET           15
+#define BRO_TYPE_ANY              16
+#define BRO_TYPE_TABLE            17
+#define BRO_TYPE_UNION            18
+#define BRO_TYPE_RECORD           19
+#define BRO_TYPE_LIST             20
+#define BRO_TYPE_FUNC             21
+#define BRO_TYPE_FILE             22
+#define BRO_TYPE_VECTOR           23
+#define BRO_TYPE_ERROR            24
+#define BRO_TYPE_PACKET           25 
+#define BRO_TYPE_SET              26
+#define BRO_TYPE_MAX              27
+#define BRO_CFLAG_NONE                      0
+#define BRO_CFLAG_RECONNECT           (1 << 0)
+#define BRO_CFLAG_ALWAYS_QUEUE        (1 << 1)
+#define BRO_CFLAG_SHAREABLE           (1 << 2)
+#define BRO_CFLAG_DONTCACHE           (1 << 3)
+#define BRO_CFLAG_YIELD               (1 << 4)
+#define BRO_CFLAG_CACHE               (1 << 5)
+
+// The exact types of these don't really matter as we're only
+// passing pointers around.
+typedef void BroCtx;
+typedef void BroConn;
+typedef void BroEvent;
+
+int            bro_init(const BroCtx *ctx);
+BroConn       *bro_conn_new_str(const char *hostname, int flags);
+void           bro_conn_set_class(BroConn *bc, const char *classname);
+int            bro_conn_connect(BroConn *bc);
+int            bro_conn_process_input(BroConn *bc);
+int            bro_event_queue_length(BroConn *bc);
+BroEvent      *bro_event_new(const char *event_name);
+void           bro_event_free(BroEvent *be);
+int            bro_event_add_val(BroEvent *be, int type, const char *type_name,const void *val);
+int            bro_event_send(BroConn *bc, BroEvent *be);
+void           bro_event_registry_add_compact(BroConn *bc, const char *event_name, BroCompactEventFunc func, void *user_data);
+double         bro_util_current_time(void);
+                          
diff --git a/aux/broccoli/bindings/python/broccoli_intern.py b/aux/broccoli/bindings/python/broccoli_intern.py
new file mode 100644
index 0000000000..0acd03f869
--- /dev/null
+++ b/aux/broccoli/bindings/python/broccoli_intern.py
@@ -0,0 +1,99 @@
+# This file was automatically generated by SWIG (http://www.swig.org).
+# Version 1.3.31
+#
+# Don't modify this file, modify the SWIG interface instead.
+# This file is compatible with both classic and new-style classes.
+
+import _broccoli_intern
+import new
+new_instancemethod = new.instancemethod
+try:
+    _swig_property = property
+except NameError:
+    pass # Python < 2.2 doesn't have 'property'.
+def _swig_setattr_nondynamic(self,class_type,name,value,static=1):
+    if (name == "thisown"): return self.this.own(value)
+    if (name == "this"):
+        if type(value).__name__ == 'PySwigObject':
+            self.__dict__[name] = value
+            return
+    method = class_type.__swig_setmethods__.get(name,None)
+    if method: return method(self,value)
+    if (not static) or hasattr(self,name):
+        self.__dict__[name] = value
+    else:
+        raise AttributeError("You cannot add attributes to %s" % self)
+
+def _swig_setattr(self,class_type,name,value):
+    return _swig_setattr_nondynamic(self,class_type,name,value,0)
+
+def _swig_getattr(self,class_type,name):
+    if (name == "thisown"): return self.this.own()
+    method = class_type.__swig_getmethods__.get(name,None)
+    if method: return method(self)
+    raise AttributeError,name
+
+def _swig_repr(self):
+    try: strthis = "proxy of " + self.this.__repr__()
+    except: strthis = ""
+    return "<%s.%s; %s >" % (self.__class__.__module__, self.__class__.__name__, strthis,)
+
+import types
+try:
+    _object = types.ObjectType
+    _newclass = 1
+except AttributeError:
+    class _object : pass
+    _newclass = 0
+del types
+
+
+BRO_TYPE_UNKNOWN = _broccoli_intern.BRO_TYPE_UNKNOWN
+BRO_TYPE_BOOL = _broccoli_intern.BRO_TYPE_BOOL
+BRO_TYPE_INT = _broccoli_intern.BRO_TYPE_INT
+BRO_TYPE_COUNT = _broccoli_intern.BRO_TYPE_COUNT
+BRO_TYPE_COUNTER = _broccoli_intern.BRO_TYPE_COUNTER
+BRO_TYPE_DOUBLE = _broccoli_intern.BRO_TYPE_DOUBLE
+BRO_TYPE_TIME = _broccoli_intern.BRO_TYPE_TIME
+BRO_TYPE_INTERVAL = _broccoli_intern.BRO_TYPE_INTERVAL
+BRO_TYPE_STRING = _broccoli_intern.BRO_TYPE_STRING
+BRO_TYPE_PATTERN = _broccoli_intern.BRO_TYPE_PATTERN
+BRO_TYPE_ENUM = _broccoli_intern.BRO_TYPE_ENUM
+BRO_TYPE_TIMER = _broccoli_intern.BRO_TYPE_TIMER
+BRO_TYPE_PORT = _broccoli_intern.BRO_TYPE_PORT
+BRO_TYPE_IPADDR = _broccoli_intern.BRO_TYPE_IPADDR
+BRO_TYPE_NET = _broccoli_intern.BRO_TYPE_NET
+BRO_TYPE_SUBNET = _broccoli_intern.BRO_TYPE_SUBNET
+BRO_TYPE_ANY = _broccoli_intern.BRO_TYPE_ANY
+BRO_TYPE_TABLE = _broccoli_intern.BRO_TYPE_TABLE
+BRO_TYPE_UNION = _broccoli_intern.BRO_TYPE_UNION
+BRO_TYPE_RECORD = _broccoli_intern.BRO_TYPE_RECORD
+BRO_TYPE_LIST = _broccoli_intern.BRO_TYPE_LIST
+BRO_TYPE_FUNC = _broccoli_intern.BRO_TYPE_FUNC
+BRO_TYPE_FILE = _broccoli_intern.BRO_TYPE_FILE
+BRO_TYPE_VECTOR = _broccoli_intern.BRO_TYPE_VECTOR
+BRO_TYPE_ERROR = _broccoli_intern.BRO_TYPE_ERROR
+BRO_TYPE_PACKET = _broccoli_intern.BRO_TYPE_PACKET
+BRO_TYPE_SET = _broccoli_intern.BRO_TYPE_SET
+BRO_TYPE_MAX = _broccoli_intern.BRO_TYPE_MAX
+BRO_CFLAG_NONE = _broccoli_intern.BRO_CFLAG_NONE
+BRO_CFLAG_RECONNECT = _broccoli_intern.BRO_CFLAG_RECONNECT
+BRO_CFLAG_ALWAYS_QUEUE = _broccoli_intern.BRO_CFLAG_ALWAYS_QUEUE
+BRO_CFLAG_SHAREABLE = _broccoli_intern.BRO_CFLAG_SHAREABLE
+BRO_CFLAG_DONTCACHE = _broccoli_intern.BRO_CFLAG_DONTCACHE
+BRO_CFLAG_YIELD = _broccoli_intern.BRO_CFLAG_YIELD
+BRO_CFLAG_CACHE = _broccoli_intern.BRO_CFLAG_CACHE
+bro_init = _broccoli_intern.bro_init
+bro_conn_new_str = _broccoli_intern.bro_conn_new_str
+bro_conn_set_class = _broccoli_intern.bro_conn_set_class
+bro_conn_connect = _broccoli_intern.bro_conn_connect
+bro_conn_process_input = _broccoli_intern.bro_conn_process_input
+bro_event_queue_length = _broccoli_intern.bro_event_queue_length
+bro_event_new = _broccoli_intern.bro_event_new
+bro_event_free = _broccoli_intern.bro_event_free
+bro_event_add_val = _broccoli_intern.bro_event_add_val
+bro_event_send = _broccoli_intern.bro_event_send
+bro_event_registry_add_compact = _broccoli_intern.bro_event_registry_add_compact
+bro_util_current_time = _broccoli_intern.bro_util_current_time
+
+
diff --git a/aux/broccoli/bindings/python/broccoli_intern_wrap.c b/aux/broccoli/bindings/python/broccoli_intern_wrap.c
new file mode 100644
index 0000000000..fdae51ce8c
--- /dev/null
+++ b/aux/broccoli/bindings/python/broccoli_intern_wrap.c
@@ -0,0 +1,3922 @@
+/* ----------------------------------------------------------------------------
+ * This file was automatically generated by SWIG (http://www.swig.org).
+ * Version 1.3.31
+ * 
+ * This file is not intended to be easily readable and contains a number of 
+ * coding conventions designed to improve portability and efficiency. Do not make
+ * changes to this file unless you know what you are doing--modify the SWIG 
+ * interface file instead. 
+ * ----------------------------------------------------------------------------- */
+
+#define SWIGPYTHON
+#define SWIG_PYTHON_DIRECTOR_NO_VTABLE
+/* -----------------------------------------------------------------------------
+ *  This section contains generic SWIG labels for method/variable
+ *  declarations/attributes, and other compiler dependent labels.
+ * ----------------------------------------------------------------------------- */
+
+/* template workaround for compilers that cannot correctly implement the C++ standard */
+#ifndef SWIGTEMPLATEDISAMBIGUATOR
+# if defined(__SUNPRO_CC)
+#   if (__SUNPRO_CC <= 0x560)
+#     define SWIGTEMPLATEDISAMBIGUATOR template
+#   else
+#     define SWIGTEMPLATEDISAMBIGUATOR 
+#   endif
+# else
+#   define SWIGTEMPLATEDISAMBIGUATOR 
+# endif
+#endif
+
+/* inline attribute */
+#ifndef SWIGINLINE
+# if defined(__cplusplus) || (defined(__GNUC__) && !defined(__STRICT_ANSI__))
+#   define SWIGINLINE inline
+# else
+#   define SWIGINLINE
+# endif
+#endif
+
+/* attribute recognised by some compilers to avoid 'unused' warnings */
+#ifndef SWIGUNUSED
+# if defined(__GNUC__)
+#   if !(defined(__cplusplus)) || (__GNUC__ > 3 || (__GNUC__ == 3 && __GNUC_MINOR__ >= 4))
+#     define SWIGUNUSED __attribute__ ((__unused__)) 
+#   else
+#     define SWIGUNUSED
+#   endif
+# elif defined(__ICC)
+#   define SWIGUNUSED __attribute__ ((__unused__)) 
+# else
+#   define SWIGUNUSED 
+# endif
+#endif
+
+#ifndef SWIGUNUSEDPARM
+# ifdef __cplusplus
+#   define SWIGUNUSEDPARM(p)
+# else
+#   define SWIGUNUSEDPARM(p) p SWIGUNUSED 
+# endif
+#endif
+
+/* internal SWIG method */
+#ifndef SWIGINTERN
+# define SWIGINTERN static SWIGUNUSED
+#endif
+
+/* internal inline SWIG method */
+#ifndef SWIGINTERNINLINE
+# define SWIGINTERNINLINE SWIGINTERN SWIGINLINE
+#endif
+
+/* exporting methods */
+#if (__GNUC__ >= 4) || (__GNUC__ == 3 && __GNUC_MINOR__ >= 4)
+#  ifndef GCC_HASCLASSVISIBILITY
+#    define GCC_HASCLASSVISIBILITY
+#  endif
+#endif
+
+#ifndef SWIGEXPORT
+# if defined(_WIN32) || defined(__WIN32__) || defined(__CYGWIN__)
+#   if defined(STATIC_LINKED)
+#     define SWIGEXPORT
+#   else
+#     define SWIGEXPORT __declspec(dllexport)
+#   endif
+# else
+#   if defined(__GNUC__) && defined(GCC_HASCLASSVISIBILITY)
+#     define SWIGEXPORT __attribute__ ((visibility("default")))
+#   else
+#     define SWIGEXPORT
+#   endif
+# endif
+#endif
+
+/* calling conventions for Windows */
+#ifndef SWIGSTDCALL
+# if defined(_WIN32) || defined(__WIN32__) || defined(__CYGWIN__)
+#   define SWIGSTDCALL __stdcall
+# else
+#   define SWIGSTDCALL
+# endif 
+#endif
+
+/* Deal with Microsoft's attempt at deprecating C standard runtime functions */
+#if !defined(SWIG_NO_CRT_SECURE_NO_DEPRECATE) && defined(_MSC_VER) && !defined(_CRT_SECURE_NO_DEPRECATE)
+# define _CRT_SECURE_NO_DEPRECATE
+#endif
+
+
+/* Python.h has to appear first */
+#include <Python.h>
+
+/* -----------------------------------------------------------------------------
+ * swigrun.swg
+ *
+ * This file contains generic CAPI SWIG runtime support for pointer
+ * type checking.
+ * ----------------------------------------------------------------------------- */
+
+/* This should only be incremented when either the layout of swig_type_info changes,
+   or for whatever reason, the runtime changes incompatibly */
+#define SWIG_RUNTIME_VERSION "3"
+
+/* define SWIG_TYPE_TABLE_NAME as "SWIG_TYPE_TABLE" */
+#ifdef SWIG_TYPE_TABLE
+# define SWIG_QUOTE_STRING(x) #x
+# define SWIG_EXPAND_AND_QUOTE_STRING(x) SWIG_QUOTE_STRING(x)
+# define SWIG_TYPE_TABLE_NAME SWIG_EXPAND_AND_QUOTE_STRING(SWIG_TYPE_TABLE)
+#else
+# define SWIG_TYPE_TABLE_NAME
+#endif
+
+/*
+  You can use the SWIGRUNTIME and SWIGRUNTIMEINLINE macros for
+  creating a static or dynamic library from the swig runtime code.
+  In 99.9% of the cases, swig just needs to declare them as 'static'.
+  
+  But only do this if is strictly necessary, ie, if you have problems
+  with your compiler or so.
+*/
+
+#ifndef SWIGRUNTIME
+# define SWIGRUNTIME SWIGINTERN
+#endif
+
+#ifndef SWIGRUNTIMEINLINE
+# define SWIGRUNTIMEINLINE SWIGRUNTIME SWIGINLINE
+#endif
+
+/*  Generic buffer size */
+#ifndef SWIG_BUFFER_SIZE
+# define SWIG_BUFFER_SIZE 1024
+#endif
+
+/* Flags for pointer conversions */
+#define SWIG_POINTER_DISOWN        0x1
+
+/* Flags for new pointer objects */
+#define SWIG_POINTER_OWN           0x1
+
+
+/* 
+   Flags/methods for returning states.
+   
+   The swig conversion methods, as ConvertPtr, return and integer 
+   that tells if the conversion was successful or not. And if not,
+   an error code can be returned (see swigerrors.swg for the codes).
+   
+   Use the following macros/flags to set or process the returning
+   states.
+   
+   In old swig versions, you usually write code as:
+
+     if (SWIG_ConvertPtr(obj,vptr,ty.flags) != -1) {
+       // success code
+     } else {
+       //fail code
+     }
+
+   Now you can be more explicit as:
+
+    int res = SWIG_ConvertPtr(obj,vptr,ty.flags);
+    if (SWIG_IsOK(res)) {
+      // success code
+    } else {
+      // fail code
+    }
+
+   that seems to be the same, but now you can also do
+
+    Type *ptr;
+    int res = SWIG_ConvertPtr(obj,(void **)(&ptr),ty.flags);
+    if (SWIG_IsOK(res)) {
+      // success code
+      if (SWIG_IsNewObj(res) {
+        ...
+	delete *ptr;
+      } else {
+        ...
+      }
+    } else {
+      // fail code
+    }
+    
+   I.e., now SWIG_ConvertPtr can return new objects and you can
+   identify the case and take care of the deallocation. Of course that
+   requires also to SWIG_ConvertPtr to return new result values, as
+
+      int SWIG_ConvertPtr(obj, ptr,...) {         
+        if (<obj is ok>) {			       
+          if (<need new object>) {		       
+            *ptr = <ptr to new allocated object>; 
+            return SWIG_NEWOBJ;		       
+          } else {				       
+            *ptr = <ptr to old object>;	       
+            return SWIG_OLDOBJ;		       
+          } 				       
+        } else {				       
+          return SWIG_BADOBJ;		       
+        }					       
+      }
+
+   Of course, returning the plain '0(success)/-1(fail)' still works, but you can be
+   more explicit by returning SWIG_BADOBJ, SWIG_ERROR or any of the
+   swig errors code.
+
+   Finally, if the SWIG_CASTRANK_MODE is enabled, the result code
+   allows to return the 'cast rank', for example, if you have this
+
+       int food(double)
+       int fooi(int);
+
+   and you call
+ 
+      food(1)   // cast rank '1'  (1 -> 1.0)
+      fooi(1)   // cast rank '0'
+
+   just use the SWIG_AddCast()/SWIG_CheckState()
+
+
+ */
+#define SWIG_OK                    (0) 
+#define SWIG_ERROR                 (-1)
+#define SWIG_IsOK(r)               (r >= 0)
+#define SWIG_ArgError(r)           ((r != SWIG_ERROR) ? r : SWIG_TypeError)  
+
+/* The CastRankLimit says how many bits are used for the cast rank */
+#define SWIG_CASTRANKLIMIT         (1 << 8)
+/* The NewMask denotes the object was created (using new/malloc) */
+#define SWIG_NEWOBJMASK            (SWIG_CASTRANKLIMIT  << 1)
+/* The TmpMask is for in/out typemaps that use temporal objects */
+#define SWIG_TMPOBJMASK            (SWIG_NEWOBJMASK << 1)
+/* Simple returning values */
+#define SWIG_BADOBJ                (SWIG_ERROR)
+#define SWIG_OLDOBJ                (SWIG_OK)
+#define SWIG_NEWOBJ                (SWIG_OK | SWIG_NEWOBJMASK)
+#define SWIG_TMPOBJ                (SWIG_OK | SWIG_TMPOBJMASK)
+/* Check, add and del mask methods */
+#define SWIG_AddNewMask(r)         (SWIG_IsOK(r) ? (r | SWIG_NEWOBJMASK) : r)
+#define SWIG_DelNewMask(r)         (SWIG_IsOK(r) ? (r & ~SWIG_NEWOBJMASK) : r)
+#define SWIG_IsNewObj(r)           (SWIG_IsOK(r) && (r & SWIG_NEWOBJMASK))
+#define SWIG_AddTmpMask(r)         (SWIG_IsOK(r) ? (r | SWIG_TMPOBJMASK) : r)
+#define SWIG_DelTmpMask(r)         (SWIG_IsOK(r) ? (r & ~SWIG_TMPOBJMASK) : r)
+#define SWIG_IsTmpObj(r)           (SWIG_IsOK(r) && (r & SWIG_TMPOBJMASK))
+
+
+/* Cast-Rank Mode */
+#if defined(SWIG_CASTRANK_MODE)
+#  ifndef SWIG_TypeRank
+#    define SWIG_TypeRank             unsigned long
+#  endif
+#  ifndef SWIG_MAXCASTRANK            /* Default cast allowed */
+#    define SWIG_MAXCASTRANK          (2)
+#  endif
+#  define SWIG_CASTRANKMASK          ((SWIG_CASTRANKLIMIT) -1)
+#  define SWIG_CastRank(r)           (r & SWIG_CASTRANKMASK)
+SWIGINTERNINLINE int SWIG_AddCast(int r) { 
+  return SWIG_IsOK(r) ? ((SWIG_CastRank(r) < SWIG_MAXCASTRANK) ? (r + 1) : SWIG_ERROR) : r;
+}
+SWIGINTERNINLINE int SWIG_CheckState(int r) { 
+  return SWIG_IsOK(r) ? SWIG_CastRank(r) + 1 : 0; 
+}
+#else /* no cast-rank mode */
+#  define SWIG_AddCast
+#  define SWIG_CheckState(r) (SWIG_IsOK(r) ? 1 : 0)
+#endif
+
+
+
+
+#include <string.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+typedef void *(*swig_converter_func)(void *);
+typedef struct swig_type_info *(*swig_dycast_func)(void **);
+
+/* Structure to store inforomation on one type */
+typedef struct swig_type_info {
+  const char             *name;			/* mangled name of this type */
+  const char             *str;			/* human readable name of this type */
+  swig_dycast_func        dcast;		/* dynamic cast function down a hierarchy */
+  struct swig_cast_info  *cast;			/* linked list of types that can cast into this type */
+  void                   *clientdata;		/* language specific type data */
+  int                    owndata;		/* flag if the structure owns the clientdata */
+} swig_type_info;
+
+/* Structure to store a type and conversion function used for casting */
+typedef struct swig_cast_info {
+  swig_type_info         *type;			/* pointer to type that is equivalent to this type */
+  swig_converter_func     converter;		/* function to cast the void pointers */
+  struct swig_cast_info  *next;			/* pointer to next cast in linked list */
+  struct swig_cast_info  *prev;			/* pointer to the previous cast */
+} swig_cast_info;
+
+/* Structure used to store module information
+ * Each module generates one structure like this, and the runtime collects
+ * all of these structures and stores them in a circularly linked list.*/
+typedef struct swig_module_info {
+  swig_type_info         **types;		/* Array of pointers to swig_type_info structures that are in this module */
+  size_t                 size;		        /* Number of types in this module */
+  struct swig_module_info *next;		/* Pointer to next element in circularly linked list */
+  swig_type_info         **type_initial;	/* Array of initially generated type structures */
+  swig_cast_info         **cast_initial;	/* Array of initially generated casting structures */
+  void                    *clientdata;		/* Language specific module data */
+} swig_module_info;
+
+/* 
+  Compare two type names skipping the space characters, therefore
+  "char*" == "char *" and "Class<int>" == "Class<int >", etc.
+
+  Return 0 when the two name types are equivalent, as in
+  strncmp, but skipping ' '.
+*/
+SWIGRUNTIME int
+SWIG_TypeNameComp(const char *f1, const char *l1,
+		  const char *f2, const char *l2) {
+  for (;(f1 != l1) && (f2 != l2); ++f1, ++f2) {
+    while ((*f1 == ' ') && (f1 != l1)) ++f1;
+    while ((*f2 == ' ') && (f2 != l2)) ++f2;
+    if (*f1 != *f2) return (*f1 > *f2) ? 1 : -1;
+  }
+  return (l1 - f1) - (l2 - f2);
+}
+
+/*
+  Check type equivalence in a name list like <name1>|<name2>|...
+  Return 0 if not equal, 1 if equal
+*/
+SWIGRUNTIME int
+SWIG_TypeEquiv(const char *nb, const char *tb) {
+  int equiv = 0;
+  const char* te = tb + strlen(tb);
+  const char* ne = nb;
+  while (!equiv && *ne) {
+    for (nb = ne; *ne; ++ne) {
+      if (*ne == '|') break;
+    }
+    equiv = (SWIG_TypeNameComp(nb, ne, tb, te) == 0) ? 1 : 0;
+    if (*ne) ++ne;
+  }
+  return equiv;
+}
+
+/*
+  Check type equivalence in a name list like <name1>|<name2>|...
+  Return 0 if equal, -1 if nb < tb, 1 if nb > tb
+*/
+SWIGRUNTIME int
+SWIG_TypeCompare(const char *nb, const char *tb) {
+  int equiv = 0;
+  const char* te = tb + strlen(tb);
+  const char* ne = nb;
+  while (!equiv && *ne) {
+    for (nb = ne; *ne; ++ne) {
+      if (*ne == '|') break;
+    }
+    equiv = (SWIG_TypeNameComp(nb, ne, tb, te) == 0) ? 1 : 0;
+    if (*ne) ++ne;
+  }
+  return equiv;
+}
+
+
+/* think of this as a c++ template<> or a scheme macro */
+#define SWIG_TypeCheck_Template(comparison, ty)         \
+  if (ty) {                                             \
+    swig_cast_info *iter = ty->cast;                    \
+    while (iter) {                                      \
+      if (comparison) {                                 \
+        if (iter == ty->cast) return iter;              \
+        /* Move iter to the top of the linked list */   \
+        iter->prev->next = iter->next;                  \
+        if (iter->next)                                 \
+          iter->next->prev = iter->prev;                \
+        iter->next = ty->cast;                          \
+        iter->prev = 0;                                 \
+        if (ty->cast) ty->cast->prev = iter;            \
+        ty->cast = iter;                                \
+        return iter;                                    \
+      }                                                 \
+      iter = iter->next;                                \
+    }                                                   \
+  }                                                     \
+  return 0
+
+/*
+  Check the typename
+*/
+SWIGRUNTIME swig_cast_info *
+SWIG_TypeCheck(const char *c, swig_type_info *ty) {
+  SWIG_TypeCheck_Template(strcmp(iter->type->name, c) == 0, ty);
+}
+
+/* Same as previous function, except strcmp is replaced with a pointer comparison */
+SWIGRUNTIME swig_cast_info *
+SWIG_TypeCheckStruct(swig_type_info *from, swig_type_info *into) {
+  SWIG_TypeCheck_Template(iter->type == from, into);
+}
+
+/*
+  Cast a pointer up an inheritance hierarchy
+*/
+SWIGRUNTIMEINLINE void *
+SWIG_TypeCast(swig_cast_info *ty, void *ptr) {
+  return ((!ty) || (!ty->converter)) ? ptr : (*ty->converter)(ptr);
+}
+
+/* 
+   Dynamic pointer casting. Down an inheritance hierarchy
+*/
+SWIGRUNTIME swig_type_info *
+SWIG_TypeDynamicCast(swig_type_info *ty, void **ptr) {
+  swig_type_info *lastty = ty;
+  if (!ty || !ty->dcast) return ty;
+  while (ty && (ty->dcast)) {
+    ty = (*ty->dcast)(ptr);
+    if (ty) lastty = ty;
+  }
+  return lastty;
+}
+
+/*
+  Return the name associated with this type
+*/
+SWIGRUNTIMEINLINE const char *
+SWIG_TypeName(const swig_type_info *ty) {
+  return ty->name;
+}
+
+/*
+  Return the pretty name associated with this type,
+  that is an unmangled type name in a form presentable to the user.
+*/
+SWIGRUNTIME const char *
+SWIG_TypePrettyName(const swig_type_info *type) {
+  /* The "str" field contains the equivalent pretty names of the
+     type, separated by vertical-bar characters.  We choose
+     to print the last name, as it is often (?) the most
+     specific. */
+  if (!type) return NULL;
+  if (type->str != NULL) {
+    const char *last_name = type->str;
+    const char *s;
+    for (s = type->str; *s; s++)
+      if (*s == '|') last_name = s+1;
+    return last_name;
+  }
+  else
+    return type->name;
+}
+
+/* 
+   Set the clientdata field for a type
+*/
+SWIGRUNTIME void
+SWIG_TypeClientData(swig_type_info *ti, void *clientdata) {
+  swig_cast_info *cast = ti->cast;
+  /* if (ti->clientdata == clientdata) return; */
+  ti->clientdata = clientdata;
+  
+  while (cast) {
+    if (!cast->converter) {
+      swig_type_info *tc = cast->type;
+      if (!tc->clientdata) {
+	SWIG_TypeClientData(tc, clientdata);
+      }
+    }    
+    cast = cast->next;
+  }
+}
+SWIGRUNTIME void
+SWIG_TypeNewClientData(swig_type_info *ti, void *clientdata) {
+  SWIG_TypeClientData(ti, clientdata);
+  ti->owndata = 1;
+}
+  
+/*
+  Search for a swig_type_info structure only by mangled name
+  Search is a O(log #types)
+  
+  We start searching at module start, and finish searching when start == end.  
+  Note: if start == end at the beginning of the function, we go all the way around
+  the circular list.
+*/
+SWIGRUNTIME swig_type_info *
+SWIG_MangledTypeQueryModule(swig_module_info *start, 
+                            swig_module_info *end, 
+		            const char *name) {
+  swig_module_info *iter = start;
+  do {
+    if (iter->size) {
+      register size_t l = 0;
+      register size_t r = iter->size - 1;
+      do {
+	/* since l+r >= 0, we can (>> 1) instead (/ 2) */
+	register size_t i = (l + r) >> 1; 
+	const char *iname = iter->types[i]->name;
+	if (iname) {
+	  register int compare = strcmp(name, iname);
+	  if (compare == 0) {	    
+	    return iter->types[i];
+	  } else if (compare < 0) {
+	    if (i) {
+	      r = i - 1;
+	    } else {
+	      break;
+	    }
+	  } else if (compare > 0) {
+	    l = i + 1;
+	  }
+	} else {
+	  break; /* should never happen */
+	}
+      } while (l <= r);
+    }
+    iter = iter->next;
+  } while (iter != end);
+  return 0;
+}
+
+/*
+  Search for a swig_type_info structure for either a mangled name or a human readable name.
+  It first searches the mangled names of the types, which is a O(log #types)
+  If a type is not found it then searches the human readable names, which is O(#types).
+  
+  We start searching at module start, and finish searching when start == end.  
+  Note: if start == end at the beginning of the function, we go all the way around
+  the circular list.
+*/
+SWIGRUNTIME swig_type_info *
+SWIG_TypeQueryModule(swig_module_info *start, 
+                     swig_module_info *end, 
+		     const char *name) {
+  /* STEP 1: Search the name field using binary search */
+  swig_type_info *ret = SWIG_MangledTypeQueryModule(start, end, name);
+  if (ret) {
+    return ret;
+  } else {
+    /* STEP 2: If the type hasn't been found, do a complete search
+       of the str field (the human readable name) */
+    swig_module_info *iter = start;
+    do {
+      register size_t i = 0;
+      for (; i < iter->size; ++i) {
+	if (iter->types[i]->str && (SWIG_TypeEquiv(iter->types[i]->str, name)))
+	  return iter->types[i];
+      }
+      iter = iter->next;
+    } while (iter != end);
+  }
+  
+  /* neither found a match */
+  return 0;
+}
+
+/* 
+   Pack binary data into a string
+*/
+SWIGRUNTIME char *
+SWIG_PackData(char *c, void *ptr, size_t sz) {
+  static const char hex[17] = "0123456789abcdef";
+  register const unsigned char *u = (unsigned char *) ptr;
+  register const unsigned char *eu =  u + sz;
+  for (; u != eu; ++u) {
+    register unsigned char uu = *u;
+    *(c++) = hex[(uu & 0xf0) >> 4];
+    *(c++) = hex[uu & 0xf];
+  }
+  return c;
+}
+
+/* 
+   Unpack binary data from a string
+*/
+SWIGRUNTIME const char *
+SWIG_UnpackData(const char *c, void *ptr, size_t sz) {
+  register unsigned char *u = (unsigned char *) ptr;
+  register const unsigned char *eu = u + sz;
+  for (; u != eu; ++u) {
+    register char d = *(c++);
+    register unsigned char uu;
+    if ((d >= '0') && (d <= '9'))
+      uu = ((d - '0') << 4);
+    else if ((d >= 'a') && (d <= 'f'))
+      uu = ((d - ('a'-10)) << 4);
+    else 
+      return (char *) 0;
+    d = *(c++);
+    if ((d >= '0') && (d <= '9'))
+      uu |= (d - '0');
+    else if ((d >= 'a') && (d <= 'f'))
+      uu |= (d - ('a'-10));
+    else 
+      return (char *) 0;
+    *u = uu;
+  }
+  return c;
+}
+
+/* 
+   Pack 'void *' into a string buffer.
+*/
+SWIGRUNTIME char *
+SWIG_PackVoidPtr(char *buff, void *ptr, const char *name, size_t bsz) {
+  char *r = buff;
+  if ((2*sizeof(void *) + 2) > bsz) return 0;
+  *(r++) = '_';
+  r = SWIG_PackData(r,&ptr,sizeof(void *));
+  if (strlen(name) + 1 > (bsz - (r - buff))) return 0;
+  strcpy(r,name);
+  return buff;
+}
+
+SWIGRUNTIME const char *
+SWIG_UnpackVoidPtr(const char *c, void **ptr, const char *name) {
+  if (*c != '_') {
+    if (strcmp(c,"NULL") == 0) {
+      *ptr = (void *) 0;
+      return name;
+    } else {
+      return 0;
+    }
+  }
+  return SWIG_UnpackData(++c,ptr,sizeof(void *));
+}
+
+SWIGRUNTIME char *
+SWIG_PackDataName(char *buff, void *ptr, size_t sz, const char *name, size_t bsz) {
+  char *r = buff;
+  size_t lname = (name ? strlen(name) : 0);
+  if ((2*sz + 2 + lname) > bsz) return 0;
+  *(r++) = '_';
+  r = SWIG_PackData(r,ptr,sz);
+  if (lname) {
+    strncpy(r,name,lname+1);
+  } else {
+    *r = 0;
+  }
+  return buff;
+}
+
+SWIGRUNTIME const char *
+SWIG_UnpackDataName(const char *c, void *ptr, size_t sz, const char *name) {
+  if (*c != '_') {
+    if (strcmp(c,"NULL") == 0) {
+      memset(ptr,0,sz);
+      return name;
+    } else {
+      return 0;
+    }
+  }
+  return SWIG_UnpackData(++c,ptr,sz);
+}
+
+#ifdef __cplusplus
+}
+#endif
+
+/*  Errors in SWIG */
+#define  SWIG_UnknownError    	   -1 
+#define  SWIG_IOError        	   -2 
+#define  SWIG_RuntimeError   	   -3 
+#define  SWIG_IndexError     	   -4 
+#define  SWIG_TypeError      	   -5 
+#define  SWIG_DivisionByZero 	   -6 
+#define  SWIG_OverflowError  	   -7 
+#define  SWIG_SyntaxError    	   -8 
+#define  SWIG_ValueError     	   -9 
+#define  SWIG_SystemError    	   -10
+#define  SWIG_AttributeError 	   -11
+#define  SWIG_MemoryError    	   -12 
+#define  SWIG_NullReferenceError   -13
+
+
+
+
+/* Add PyOS_snprintf for old Pythons */
+#if PY_VERSION_HEX < 0x02020000
+# if defined(_MSC_VER) || defined(__BORLANDC__) || defined(_WATCOM)
+#  define PyOS_snprintf _snprintf
+# else
+#  define PyOS_snprintf snprintf
+# endif
+#endif
+
+/* A crude PyString_FromFormat implementation for old Pythons */
+#if PY_VERSION_HEX < 0x02020000
+
+#ifndef SWIG_PYBUFFER_SIZE
+# define SWIG_PYBUFFER_SIZE 1024
+#endif
+
+static PyObject *
+PyString_FromFormat(const char *fmt, ...) {
+  va_list ap;
+  char buf[SWIG_PYBUFFER_SIZE * 2];
+  int res;
+  va_start(ap, fmt);
+  res = vsnprintf(buf, sizeof(buf), fmt, ap);
+  va_end(ap);
+  return (res < 0 || res >= (int)sizeof(buf)) ? 0 : PyString_FromString(buf);
+}
+#endif
+
+/* Add PyObject_Del for old Pythons */
+#if PY_VERSION_HEX < 0x01060000
+# define PyObject_Del(op) PyMem_DEL((op))
+#endif
+#ifndef PyObject_DEL
+# define PyObject_DEL PyObject_Del
+#endif
+
+/* A crude PyExc_StopIteration exception for old Pythons */
+#if PY_VERSION_HEX < 0x02020000
+# ifndef PyExc_StopIteration
+#  define PyExc_StopIteration PyExc_RuntimeError
+# endif
+# ifndef PyObject_GenericGetAttr
+#  define PyObject_GenericGetAttr 0
+# endif
+#endif
+/* Py_NotImplemented is defined in 2.1 and up. */
+#if PY_VERSION_HEX < 0x02010000
+# ifndef Py_NotImplemented
+#  define Py_NotImplemented PyExc_RuntimeError
+# endif
+#endif
+
+
+/* A crude PyString_AsStringAndSize implementation for old Pythons */
+#if PY_VERSION_HEX < 0x02010000
+# ifndef PyString_AsStringAndSize
+#  define PyString_AsStringAndSize(obj, s, len) {*s = PyString_AsString(obj); *len = *s ? strlen(*s) : 0;}
+# endif
+#endif
+
+/* PySequence_Size for old Pythons */
+#if PY_VERSION_HEX < 0x02000000
+# ifndef PySequence_Size
+#  define PySequence_Size PySequence_Length
+# endif
+#endif
+
+
+/* PyBool_FromLong for old Pythons */
+#if PY_VERSION_HEX < 0x02030000
+static
+PyObject *PyBool_FromLong(long ok)
+{
+  PyObject *result = ok ? Py_True : Py_False;
+  Py_INCREF(result);
+  return result;
+}
+#endif
+
+/* Py_ssize_t for old Pythons */
+/* This code is as recommended by: */
+/* http://www.python.org/dev/peps/pep-0353/#conversion-guidelines */
+#if PY_VERSION_HEX < 0x02050000 && !defined(PY_SSIZE_T_MIN)
+typedef int Py_ssize_t;
+# define PY_SSIZE_T_MAX INT_MAX
+# define PY_SSIZE_T_MIN INT_MIN
+#endif
+
+/* -----------------------------------------------------------------------------
+ * error manipulation
+ * ----------------------------------------------------------------------------- */
+
+SWIGRUNTIME PyObject*
+SWIG_Python_ErrorType(int code) {
+  PyObject* type = 0;
+  switch(code) {
+  case SWIG_MemoryError:
+    type = PyExc_MemoryError;
+    break;
+  case SWIG_IOError:
+    type = PyExc_IOError;
+    break;
+  case SWIG_RuntimeError:
+    type = PyExc_RuntimeError;
+    break;
+  case SWIG_IndexError:
+    type = PyExc_IndexError;
+    break;
+  case SWIG_TypeError:
+    type = PyExc_TypeError;
+    break;
+  case SWIG_DivisionByZero:
+    type = PyExc_ZeroDivisionError;
+    break;
+  case SWIG_OverflowError:
+    type = PyExc_OverflowError;
+    break;
+  case SWIG_SyntaxError:
+    type = PyExc_SyntaxError;
+    break;
+  case SWIG_ValueError:
+    type = PyExc_ValueError;
+    break;
+  case SWIG_SystemError:
+    type = PyExc_SystemError;
+    break;
+  case SWIG_AttributeError:
+    type = PyExc_AttributeError;
+    break;
+  default:
+    type = PyExc_RuntimeError;
+  }
+  return type;
+}
+
+
+SWIGRUNTIME void
+SWIG_Python_AddErrorMsg(const char* mesg)
+{
+  PyObject *type = 0;
+  PyObject *value = 0;
+  PyObject *traceback = 0;
+
+  if (PyErr_Occurred()) PyErr_Fetch(&type, &value, &traceback);
+  if (value) {
+    PyObject *old_str = PyObject_Str(value);
+    PyErr_Clear();
+    Py_XINCREF(type);
+    PyErr_Format(type, "%s %s", PyString_AsString(old_str), mesg);
+    Py_DECREF(old_str);
+    Py_DECREF(value);
+  } else {
+    PyErr_Format(PyExc_RuntimeError, mesg);
+  }
+}
+
+
+
+#if defined(SWIG_PYTHON_NO_THREADS)
+#  if defined(SWIG_PYTHON_THREADS)
+#    undef SWIG_PYTHON_THREADS
+#  endif
+#endif
+#if defined(SWIG_PYTHON_THREADS) /* Threading support is enabled */
+#  if !defined(SWIG_PYTHON_USE_GIL) && !defined(SWIG_PYTHON_NO_USE_GIL)
+#    if (PY_VERSION_HEX >= 0x02030000) /* For 2.3 or later, use the PyGILState calls */
+#      define SWIG_PYTHON_USE_GIL
+#    endif
+#  endif
+#  if defined(SWIG_PYTHON_USE_GIL) /* Use PyGILState threads calls */
+#    ifndef SWIG_PYTHON_INITIALIZE_THREADS
+#     define SWIG_PYTHON_INITIALIZE_THREADS  PyEval_InitThreads() 
+#    endif
+#    ifdef __cplusplus /* C++ code */
+       class SWIG_Python_Thread_Block {
+         bool status;
+         PyGILState_STATE state;
+       public:
+         void end() { if (status) { PyGILState_Release(state); status = false;} }
+         SWIG_Python_Thread_Block() : status(true), state(PyGILState_Ensure()) {}
+         ~SWIG_Python_Thread_Block() { end(); }
+       };
+       class SWIG_Python_Thread_Allow {
+         bool status;
+         PyThreadState *save;
+       public:
+         void end() { if (status) { PyEval_RestoreThread(save); status = false; }}
+         SWIG_Python_Thread_Allow() : status(true), save(PyEval_SaveThread()) {}
+         ~SWIG_Python_Thread_Allow() { end(); }
+       };
+#      define SWIG_PYTHON_THREAD_BEGIN_BLOCK   SWIG_Python_Thread_Block _swig_thread_block
+#      define SWIG_PYTHON_THREAD_END_BLOCK     _swig_thread_block.end()
+#      define SWIG_PYTHON_THREAD_BEGIN_ALLOW   SWIG_Python_Thread_Allow _swig_thread_allow
+#      define SWIG_PYTHON_THREAD_END_ALLOW     _swig_thread_allow.end()
+#    else /* C code */
+#      define SWIG_PYTHON_THREAD_BEGIN_BLOCK   PyGILState_STATE _swig_thread_block = PyGILState_Ensure()
+#      define SWIG_PYTHON_THREAD_END_BLOCK     PyGILState_Release(_swig_thread_block)
+#      define SWIG_PYTHON_THREAD_BEGIN_ALLOW   PyThreadState *_swig_thread_allow = PyEval_SaveThread()
+#      define SWIG_PYTHON_THREAD_END_ALLOW     PyEval_RestoreThread(_swig_thread_allow)
+#    endif
+#  else /* Old thread way, not implemented, user must provide it */
+#    if !defined(SWIG_PYTHON_INITIALIZE_THREADS)
+#      define SWIG_PYTHON_INITIALIZE_THREADS
+#    endif
+#    if !defined(SWIG_PYTHON_THREAD_BEGIN_BLOCK)
+#      define SWIG_PYTHON_THREAD_BEGIN_BLOCK
+#    endif
+#    if !defined(SWIG_PYTHON_THREAD_END_BLOCK)
+#      define SWIG_PYTHON_THREAD_END_BLOCK
+#    endif
+#    if !defined(SWIG_PYTHON_THREAD_BEGIN_ALLOW)
+#      define SWIG_PYTHON_THREAD_BEGIN_ALLOW
+#    endif
+#    if !defined(SWIG_PYTHON_THREAD_END_ALLOW)
+#      define SWIG_PYTHON_THREAD_END_ALLOW
+#    endif
+#  endif
+#else /* No thread support */
+#  define SWIG_PYTHON_INITIALIZE_THREADS
+#  define SWIG_PYTHON_THREAD_BEGIN_BLOCK
+#  define SWIG_PYTHON_THREAD_END_BLOCK
+#  define SWIG_PYTHON_THREAD_BEGIN_ALLOW
+#  define SWIG_PYTHON_THREAD_END_ALLOW
+#endif
+
+/* -----------------------------------------------------------------------------
+ * Python API portion that goes into the runtime
+ * ----------------------------------------------------------------------------- */
+
+#ifdef __cplusplus
+extern "C" {
+#if 0
+} /* cc-mode */
+#endif
+#endif
+
+/* -----------------------------------------------------------------------------
+ * Constant declarations
+ * ----------------------------------------------------------------------------- */
+
+/* Constant Types */
+#define SWIG_PY_POINTER 4
+#define SWIG_PY_BINARY  5
+
+/* Constant information structure */
+typedef struct swig_const_info {
+  int type;
+  char *name;
+  long lvalue;
+  double dvalue;
+  void   *pvalue;
+  swig_type_info **ptype;
+} swig_const_info;
+
+#ifdef __cplusplus
+#if 0
+{ /* cc-mode */
+#endif
+}
+#endif
+
+
+/* -----------------------------------------------------------------------------
+ * See the LICENSE file for information on copyright, usage and redistribution
+ * of SWIG, and the README file for authors - http://www.swig.org/release.html.
+ *
+ * pyrun.swg
+ *
+ * This file contains the runtime support for Python modules
+ * and includes code for managing global variables and pointer
+ * type checking.
+ *
+ * ----------------------------------------------------------------------------- */
+
+/* Common SWIG API */
+
+/* for raw pointers */
+#define SWIG_Python_ConvertPtr(obj, pptr, type, flags)  SWIG_Python_ConvertPtrAndOwn(obj, pptr, type, flags, 0)
+#define SWIG_ConvertPtr(obj, pptr, type, flags)         SWIG_Python_ConvertPtr(obj, pptr, type, flags)
+#define SWIG_ConvertPtrAndOwn(obj,pptr,type,flags,own)  SWIG_Python_ConvertPtrAndOwn(obj, pptr, type, flags, own)
+#define SWIG_NewPointerObj(ptr, type, flags)            SWIG_Python_NewPointerObj(ptr, type, flags)
+#define SWIG_CheckImplicit(ty)                          SWIG_Python_CheckImplicit(ty) 
+#define SWIG_AcquirePtr(ptr, src)                       SWIG_Python_AcquirePtr(ptr, src)
+#define swig_owntype                                    int
+
+/* for raw packed data */
+#define SWIG_ConvertPacked(obj, ptr, sz, ty)            SWIG_Python_ConvertPacked(obj, ptr, sz, ty)
+#define SWIG_NewPackedObj(ptr, sz, type)                SWIG_Python_NewPackedObj(ptr, sz, type)
+
+/* for class or struct pointers */
+#define SWIG_ConvertInstance(obj, pptr, type, flags)    SWIG_ConvertPtr(obj, pptr, type, flags)
+#define SWIG_NewInstanceObj(ptr, type, flags)           SWIG_NewPointerObj(ptr, type, flags)
+
+/* for C or C++ function pointers */
+#define SWIG_ConvertFunctionPtr(obj, pptr, type)        SWIG_Python_ConvertFunctionPtr(obj, pptr, type)
+#define SWIG_NewFunctionPtrObj(ptr, type)               SWIG_Python_NewPointerObj(ptr, type, 0)
+
+/* for C++ member pointers, ie, member methods */
+#define SWIG_ConvertMember(obj, ptr, sz, ty)            SWIG_Python_ConvertPacked(obj, ptr, sz, ty)
+#define SWIG_NewMemberObj(ptr, sz, type)                SWIG_Python_NewPackedObj(ptr, sz, type)
+
+
+/* Runtime API */
+
+#define SWIG_GetModule(clientdata)                      SWIG_Python_GetModule()
+#define SWIG_SetModule(clientdata, pointer)             SWIG_Python_SetModule(pointer)
+#define SWIG_NewClientData(obj)                         PySwigClientData_New(obj)
+
+#define SWIG_SetErrorObj                                SWIG_Python_SetErrorObj                            
+#define SWIG_SetErrorMsg                        	SWIG_Python_SetErrorMsg				   
+#define SWIG_ErrorType(code)                    	SWIG_Python_ErrorType(code)                        
+#define SWIG_Error(code, msg)            		SWIG_Python_SetErrorMsg(SWIG_ErrorType(code), msg) 
+#define SWIG_fail                        		goto fail					   
+
+
+/* Runtime API implementation */
+
+/* Error manipulation */
+
+SWIGINTERN void 
+SWIG_Python_SetErrorObj(PyObject *errtype, PyObject *obj) {
+  SWIG_PYTHON_THREAD_BEGIN_BLOCK; 
+  PyErr_SetObject(errtype, obj);
+  Py_DECREF(obj);
+  SWIG_PYTHON_THREAD_END_BLOCK;
+}
+
+SWIGINTERN void 
+SWIG_Python_SetErrorMsg(PyObject *errtype, const char *msg) {
+  SWIG_PYTHON_THREAD_BEGIN_BLOCK;
+  PyErr_SetString(errtype, (char *) msg);
+  SWIG_PYTHON_THREAD_END_BLOCK;
+}
+
+#define SWIG_Python_Raise(obj, type, desc)  SWIG_Python_SetErrorObj(SWIG_Python_ExceptionType(desc), obj)
+
+/* Set a constant value */
+
+SWIGINTERN void
+SWIG_Python_SetConstant(PyObject *d, const char *name, PyObject *obj) {   
+  PyDict_SetItemString(d, (char*) name, obj);
+  Py_DECREF(obj);                            
+}
+
+/* Append a value to the result obj */
+
+SWIGINTERN PyObject*
+SWIG_Python_AppendOutput(PyObject* result, PyObject* obj) {
+#if !defined(SWIG_PYTHON_OUTPUT_TUPLE)
+  if (!result) {
+    result = obj;
+  } else if (result == Py_None) {
+    Py_DECREF(result);
+    result = obj;
+  } else {
+    if (!PyList_Check(result)) {
+      PyObject *o2 = result;
+      result = PyList_New(1);
+      PyList_SetItem(result, 0, o2);
+    }
+    PyList_Append(result,obj);
+    Py_DECREF(obj);
+  }
+  return result;
+#else
+  PyObject*   o2;
+  PyObject*   o3;
+  if (!result) {
+    result = obj;
+  } else if (result == Py_None) {
+    Py_DECREF(result);
+    result = obj;
+  } else {
+    if (!PyTuple_Check(result)) {
+      o2 = result;
+      result = PyTuple_New(1);
+      PyTuple_SET_ITEM(result, 0, o2);
+    }
+    o3 = PyTuple_New(1);
+    PyTuple_SET_ITEM(o3, 0, obj);
+    o2 = result;
+    result = PySequence_Concat(o2, o3);
+    Py_DECREF(o2);
+    Py_DECREF(o3);
+  }
+  return result;
+#endif
+}
+
+/* Unpack the argument tuple */
+
+SWIGINTERN int
+SWIG_Python_UnpackTuple(PyObject *args, const char *name, int min, int max, PyObject **objs)
+{
+  if (!args) {
+    if (!min && !max) {
+      return 1;
+    } else {
+      PyErr_Format(PyExc_TypeError, "%s expected %s%d arguments, got none", 
+		   name, (min == max ? "" : "at least "), min);
+      return 0;
+    }
+  }  
+  if (!PyTuple_Check(args)) {
+    PyErr_SetString(PyExc_SystemError, "UnpackTuple() argument list is not a tuple");
+    return 0;
+  } else {
+    register int l = PyTuple_GET_SIZE(args);
+    if (l < min) {
+      PyErr_Format(PyExc_TypeError, "%s expected %s%d arguments, got %d", 
+		   name, (min == max ? "" : "at least "), min, l);
+      return 0;
+    } else if (l > max) {
+      PyErr_Format(PyExc_TypeError, "%s expected %s%d arguments, got %d", 
+		   name, (min == max ? "" : "at most "), max, l);
+      return 0;
+    } else {
+      register int i;
+      for (i = 0; i < l; ++i) {
+	objs[i] = PyTuple_GET_ITEM(args, i);
+      }
+      for (; l < max; ++l) {
+	objs[l] = 0;
+      }
+      return i + 1;
+    }    
+  }
+}
+
+/* A functor is a function object with one single object argument */
+#if PY_VERSION_HEX >= 0x02020000
+#define SWIG_Python_CallFunctor(functor, obj)	        PyObject_CallFunctionObjArgs(functor, obj, NULL);
+#else
+#define SWIG_Python_CallFunctor(functor, obj)	        PyObject_CallFunction(functor, "O", obj);
+#endif
+
+/*
+  Helper for static pointer initialization for both C and C++ code, for example
+  static PyObject *SWIG_STATIC_POINTER(MyVar) = NewSomething(...);
+*/
+#ifdef __cplusplus
+#define SWIG_STATIC_POINTER(var)  var
+#else
+#define SWIG_STATIC_POINTER(var)  var = 0; if (!var) var
+#endif
+
+/* -----------------------------------------------------------------------------
+ * Pointer declarations
+ * ----------------------------------------------------------------------------- */
+
+/* Flags for new pointer objects */
+#define SWIG_POINTER_NOSHADOW       (SWIG_POINTER_OWN      << 1)
+#define SWIG_POINTER_NEW            (SWIG_POINTER_NOSHADOW | SWIG_POINTER_OWN)
+
+#define SWIG_POINTER_IMPLICIT_CONV  (SWIG_POINTER_DISOWN   << 1)
+
+#ifdef __cplusplus
+extern "C" {
+#if 0
+} /* cc-mode */
+#endif
+#endif
+
+/*  How to access Py_None */
+#if defined(_WIN32) || defined(__WIN32__) || defined(__CYGWIN__)
+#  ifndef SWIG_PYTHON_NO_BUILD_NONE
+#    ifndef SWIG_PYTHON_BUILD_NONE
+#      define SWIG_PYTHON_BUILD_NONE
+#    endif
+#  endif
+#endif
+
+#ifdef SWIG_PYTHON_BUILD_NONE
+#  ifdef Py_None
+#   undef Py_None
+#   define Py_None SWIG_Py_None()
+#  endif
+SWIGRUNTIMEINLINE PyObject * 
+_SWIG_Py_None(void)
+{
+  PyObject *none = Py_BuildValue((char*)"");
+  Py_DECREF(none);
+  return none;
+}
+SWIGRUNTIME PyObject * 
+SWIG_Py_None(void)
+{
+  static PyObject *SWIG_STATIC_POINTER(none) = _SWIG_Py_None();
+  return none;
+}
+#endif
+
+/* The python void return value */
+
+SWIGRUNTIMEINLINE PyObject * 
+SWIG_Py_Void(void)
+{
+  PyObject *none = Py_None;
+  Py_INCREF(none);
+  return none;
+}
+
+/* PySwigClientData */
+
+typedef struct {
+  PyObject *klass;
+  PyObject *newraw;
+  PyObject *newargs;
+  PyObject *destroy;
+  int delargs;
+  int implicitconv;
+} PySwigClientData;
+
+SWIGRUNTIMEINLINE int 
+SWIG_Python_CheckImplicit(swig_type_info *ty)
+{
+  PySwigClientData *data = (PySwigClientData *)ty->clientdata;
+  return data ? data->implicitconv : 0;
+}
+
+SWIGRUNTIMEINLINE PyObject *
+SWIG_Python_ExceptionType(swig_type_info *desc) {
+  PySwigClientData *data = desc ? (PySwigClientData *) desc->clientdata : 0;
+  PyObject *klass = data ? data->klass : 0;
+  return (klass ? klass : PyExc_RuntimeError);
+}
+
+
+SWIGRUNTIME PySwigClientData * 
+PySwigClientData_New(PyObject* obj)
+{
+  if (!obj) {
+    return 0;
+  } else {
+    PySwigClientData *data = (PySwigClientData *)malloc(sizeof(PySwigClientData));
+    /* the klass element */
+    data->klass = obj;
+    Py_INCREF(data->klass);
+    /* the newraw method and newargs arguments used to create a new raw instance */
+    if (PyClass_Check(obj)) {
+      data->newraw = 0;
+      data->newargs = obj;
+      Py_INCREF(obj);
+    } else {
+#if (PY_VERSION_HEX < 0x02020000)
+      data->newraw = 0;
+#else
+      data->newraw = PyObject_GetAttrString(data->klass, (char *)"__new__");
+#endif
+      if (data->newraw) {
+	Py_INCREF(data->newraw);
+	data->newargs = PyTuple_New(1);
+	PyTuple_SetItem(data->newargs, 0, obj);
+      } else {
+	data->newargs = obj;
+      }
+      Py_INCREF(data->newargs);
+    }
+    /* the destroy method, aka as the C++ delete method */
+    data->destroy = PyObject_GetAttrString(data->klass, (char *)"__swig_destroy__");
+    if (PyErr_Occurred()) {
+      PyErr_Clear();
+      data->destroy = 0;
+    }
+    if (data->destroy) {
+      int flags;
+      Py_INCREF(data->destroy);
+      flags = PyCFunction_GET_FLAGS(data->destroy);
+#ifdef METH_O
+      data->delargs = !(flags & (METH_O));
+#else
+      data->delargs = 0;
+#endif
+    } else {
+      data->delargs = 0;
+    }
+    data->implicitconv = 0;
+    return data;
+  }
+}
+
+SWIGRUNTIME void 
+PySwigClientData_Del(PySwigClientData* data)
+{
+  Py_XDECREF(data->newraw);
+  Py_XDECREF(data->newargs);
+  Py_XDECREF(data->destroy);
+}
+
+/* =============== PySwigObject =====================*/
+
+typedef struct {
+  PyObject_HEAD
+  void *ptr;
+  swig_type_info *ty;
+  int own;
+  PyObject *next;
+} PySwigObject;
+
+SWIGRUNTIME PyObject *
+PySwigObject_long(PySwigObject *v)
+{
+  return PyLong_FromVoidPtr(v->ptr);
+}
+
+SWIGRUNTIME PyObject *
+PySwigObject_format(const char* fmt, PySwigObject *v)
+{
+  PyObject *res = NULL;
+  PyObject *args = PyTuple_New(1);
+  if (args) {
+    if (PyTuple_SetItem(args, 0, PySwigObject_long(v)) == 0) {
+      PyObject *ofmt = PyString_FromString(fmt);
+      if (ofmt) {
+	res = PyString_Format(ofmt,args);
+	Py_DECREF(ofmt);
+      }
+      Py_DECREF(args);
+    }
+  }
+  return res;
+}
+
+SWIGRUNTIME PyObject *
+PySwigObject_oct(PySwigObject *v)
+{
+  return PySwigObject_format("%o",v);
+}
+
+SWIGRUNTIME PyObject *
+PySwigObject_hex(PySwigObject *v)
+{
+  return PySwigObject_format("%x",v);
+}
+
+SWIGRUNTIME PyObject *
+#ifdef METH_NOARGS
+PySwigObject_repr(PySwigObject *v)
+#else
+PySwigObject_repr(PySwigObject *v, PyObject *args)
+#endif
+{
+  const char *name = SWIG_TypePrettyName(v->ty);
+  PyObject *hex = PySwigObject_hex(v);    
+  PyObject *repr = PyString_FromFormat("<Swig Object of type '%s' at 0x%s>", name, PyString_AsString(hex));
+  Py_DECREF(hex);
+  if (v->next) {
+#ifdef METH_NOARGS
+    PyObject *nrep = PySwigObject_repr((PySwigObject *)v->next);
+#else
+    PyObject *nrep = PySwigObject_repr((PySwigObject *)v->next, args);
+#endif
+    PyString_ConcatAndDel(&repr,nrep);
+  }
+  return repr;  
+}
+
+SWIGRUNTIME int
+PySwigObject_print(PySwigObject *v, FILE *fp, int SWIGUNUSEDPARM(flags))
+{
+#ifdef METH_NOARGS
+  PyObject *repr = PySwigObject_repr(v);
+#else
+  PyObject *repr = PySwigObject_repr(v, NULL);
+#endif
+  if (repr) {
+    fputs(PyString_AsString(repr), fp);
+    Py_DECREF(repr);
+    return 0; 
+  } else {
+    return 1; 
+  }
+}
+
+SWIGRUNTIME PyObject *
+PySwigObject_str(PySwigObject *v)
+{
+  char result[SWIG_BUFFER_SIZE];
+  return SWIG_PackVoidPtr(result, v->ptr, v->ty->name, sizeof(result)) ?
+    PyString_FromString(result) : 0;
+}
+
+SWIGRUNTIME int
+PySwigObject_compare(PySwigObject *v, PySwigObject *w)
+{
+  void *i = v->ptr;
+  void *j = w->ptr;
+  return (i < j) ? -1 : ((i > j) ? 1 : 0);
+}
+
+SWIGRUNTIME PyTypeObject* _PySwigObject_type(void);
+
+SWIGRUNTIME PyTypeObject*
+PySwigObject_type(void) {
+  static PyTypeObject *SWIG_STATIC_POINTER(type) = _PySwigObject_type();
+  return type;
+}
+
+SWIGRUNTIMEINLINE int
+PySwigObject_Check(PyObject *op) {
+  return ((op)->ob_type == PySwigObject_type())
+    || (strcmp((op)->ob_type->tp_name,"PySwigObject") == 0);
+}
+
+SWIGRUNTIME PyObject *
+PySwigObject_New(void *ptr, swig_type_info *ty, int own);
+
+SWIGRUNTIME void
+PySwigObject_dealloc(PyObject *v)
+{
+  PySwigObject *sobj = (PySwigObject *) v;
+  PyObject *next = sobj->next;
+  if (sobj->own) {
+    swig_type_info *ty = sobj->ty;
+    PySwigClientData *data = ty ? (PySwigClientData *) ty->clientdata : 0;
+    PyObject *destroy = data ? data->destroy : 0;
+    if (destroy) {
+      /* destroy is always a VARARGS method */
+      PyObject *res;
+      if (data->delargs) {
+	/* we need to create a temporal object to carry the destroy operation */
+	PyObject *tmp = PySwigObject_New(sobj->ptr, ty, 0);
+	res = SWIG_Python_CallFunctor(destroy, tmp);
+	Py_DECREF(tmp);
+      } else {
+	PyCFunction meth = PyCFunction_GET_FUNCTION(destroy);
+	PyObject *mself = PyCFunction_GET_SELF(destroy);
+	res = ((*meth)(mself, v));
+      }
+      Py_XDECREF(res);
+    } else {
+      const char *name = SWIG_TypePrettyName(ty);
+#if !defined(SWIG_PYTHON_SILENT_MEMLEAK)
+      printf("swig/python detected a memory leak of type '%s', no destructor found.\n", name);
+#endif
+    }
+  } 
+  Py_XDECREF(next);
+  PyObject_DEL(v);
+}
+
+SWIGRUNTIME PyObject* 
+PySwigObject_append(PyObject* v, PyObject* next)
+{
+  PySwigObject *sobj = (PySwigObject *) v;
+#ifndef METH_O
+  PyObject *tmp = 0;
+  if (!PyArg_ParseTuple(next,(char *)"O:append", &tmp)) return NULL;
+  next = tmp;
+#endif
+  if (!PySwigObject_Check(next)) {
+    return NULL;
+  }
+  sobj->next = next;
+  Py_INCREF(next);
+  return SWIG_Py_Void();
+}
+
+SWIGRUNTIME PyObject* 
+#ifdef METH_NOARGS
+PySwigObject_next(PyObject* v)
+#else
+PySwigObject_next(PyObject* v, PyObject *SWIGUNUSEDPARM(args))
+#endif
+{
+  PySwigObject *sobj = (PySwigObject *) v;
+  if (sobj->next) {    
+    Py_INCREF(sobj->next);
+    return sobj->next;
+  } else {
+    return SWIG_Py_Void();
+  }
+}
+
+SWIGINTERN PyObject*
+#ifdef METH_NOARGS
+PySwigObject_disown(PyObject *v)
+#else
+PySwigObject_disown(PyObject* v, PyObject *SWIGUNUSEDPARM(args))
+#endif
+{
+  PySwigObject *sobj = (PySwigObject *)v;
+  sobj->own = 0;
+  return SWIG_Py_Void();
+}
+
+SWIGINTERN PyObject*
+#ifdef METH_NOARGS
+PySwigObject_acquire(PyObject *v)
+#else
+PySwigObject_acquire(PyObject* v, PyObject *SWIGUNUSEDPARM(args))
+#endif
+{
+  PySwigObject *sobj = (PySwigObject *)v;
+  sobj->own = SWIG_POINTER_OWN;
+  return SWIG_Py_Void();
+}
+
+SWIGINTERN PyObject*
+PySwigObject_own(PyObject *v, PyObject *args)
+{
+  PyObject *val = 0;
+#if (PY_VERSION_HEX < 0x02020000)
+  if (!PyArg_ParseTuple(args,(char *)"|O:own",&val))
+#else
+  if (!PyArg_UnpackTuple(args, (char *)"own", 0, 1, &val)) 
+#endif
+    {
+      return NULL;
+    } 
+  else
+    {
+      PySwigObject *sobj = (PySwigObject *)v;
+      PyObject *obj = PyBool_FromLong(sobj->own);
+      if (val) {
+#ifdef METH_NOARGS
+	if (PyObject_IsTrue(val)) {
+	  PySwigObject_acquire(v);
+	} else {
+	  PySwigObject_disown(v);
+	}
+#else
+	if (PyObject_IsTrue(val)) {
+	  PySwigObject_acquire(v,args);
+	} else {
+	  PySwigObject_disown(v,args);
+	}
+#endif
+      } 
+      return obj;
+    }
+}
+
+#ifdef METH_O
+static PyMethodDef
+swigobject_methods[] = {
+  {(char *)"disown",  (PyCFunction)PySwigObject_disown,  METH_NOARGS,  (char *)"releases ownership of the pointer"},
+  {(char *)"acquire", (PyCFunction)PySwigObject_acquire, METH_NOARGS,  (char *)"aquires ownership of the pointer"},
+  {(char *)"own",     (PyCFunction)PySwigObject_own,     METH_VARARGS, (char *)"returns/sets ownership of the pointer"},
+  {(char *)"append",  (PyCFunction)PySwigObject_append,  METH_O,       (char *)"appends another 'this' object"},
+  {(char *)"next",    (PyCFunction)PySwigObject_next,    METH_NOARGS,  (char *)"returns the next 'this' object"},
+  {(char *)"__repr__",(PyCFunction)PySwigObject_repr,    METH_NOARGS,  (char *)"returns object representation"},
+  {0, 0, 0, 0}  
+};
+#else
+static PyMethodDef
+swigobject_methods[] = {
+  {(char *)"disown",  (PyCFunction)PySwigObject_disown,  METH_VARARGS,  (char *)"releases ownership of the pointer"},
+  {(char *)"acquire", (PyCFunction)PySwigObject_acquire, METH_VARARGS,  (char *)"aquires ownership of the pointer"},
+  {(char *)"own",     (PyCFunction)PySwigObject_own,     METH_VARARGS,  (char *)"returns/sets ownership of the pointer"},
+  {(char *)"append",  (PyCFunction)PySwigObject_append,  METH_VARARGS,  (char *)"appends another 'this' object"},
+  {(char *)"next",    (PyCFunction)PySwigObject_next,    METH_VARARGS,  (char *)"returns the next 'this' object"},
+  {(char *)"__repr__",(PyCFunction)PySwigObject_repr,   METH_VARARGS,  (char *)"returns object representation"},
+  {0, 0, 0, 0}  
+};
+#endif
+
+#if PY_VERSION_HEX < 0x02020000
+SWIGINTERN PyObject *
+PySwigObject_getattr(PySwigObject *sobj,char *name)
+{
+  return Py_FindMethod(swigobject_methods, (PyObject *)sobj, name);
+}
+#endif
+
+SWIGRUNTIME PyTypeObject*
+_PySwigObject_type(void) {
+  static char swigobject_doc[] = "Swig object carries a C/C++ instance pointer";
+  
+  static PyNumberMethods PySwigObject_as_number = {
+    (binaryfunc)0, /*nb_add*/
+    (binaryfunc)0, /*nb_subtract*/
+    (binaryfunc)0, /*nb_multiply*/
+    (binaryfunc)0, /*nb_divide*/
+    (binaryfunc)0, /*nb_remainder*/
+    (binaryfunc)0, /*nb_divmod*/
+    (ternaryfunc)0,/*nb_power*/
+    (unaryfunc)0,  /*nb_negative*/
+    (unaryfunc)0,  /*nb_positive*/
+    (unaryfunc)0,  /*nb_absolute*/
+    (inquiry)0,    /*nb_nonzero*/
+    0,		   /*nb_invert*/
+    0,		   /*nb_lshift*/
+    0,		   /*nb_rshift*/
+    0,		   /*nb_and*/
+    0,		   /*nb_xor*/
+    0,		   /*nb_or*/
+    (coercion)0,   /*nb_coerce*/
+    (unaryfunc)PySwigObject_long, /*nb_int*/
+    (unaryfunc)PySwigObject_long, /*nb_long*/
+    (unaryfunc)0,                 /*nb_float*/
+    (unaryfunc)PySwigObject_oct,  /*nb_oct*/
+    (unaryfunc)PySwigObject_hex,  /*nb_hex*/
+#if PY_VERSION_HEX >= 0x02020000
+    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 /* nb_inplace_add -> nb_inplace_true_divide */ 
+#elif PY_VERSION_HEX >= 0x02000000
+    0,0,0,0,0,0,0,0,0,0,0 /* nb_inplace_add -> nb_inplace_or */
+#endif
+  };
+
+  static PyTypeObject pyswigobject_type;  
+  static int type_init = 0;
+  if (!type_init) {
+    const PyTypeObject tmp
+      = {
+	PyObject_HEAD_INIT(NULL)
+	0,				    /* ob_size */
+	(char *)"PySwigObject",		    /* tp_name */
+	sizeof(PySwigObject),		    /* tp_basicsize */
+	0,			            /* tp_itemsize */
+	(destructor)PySwigObject_dealloc,   /* tp_dealloc */
+	(printfunc)PySwigObject_print,	    /* tp_print */
+#if PY_VERSION_HEX < 0x02020000
+	(getattrfunc)PySwigObject_getattr,  /* tp_getattr */ 
+#else
+	(getattrfunc)0,			    /* tp_getattr */ 
+#endif
+	(setattrfunc)0,			    /* tp_setattr */ 
+	(cmpfunc)PySwigObject_compare,	    /* tp_compare */ 
+	(reprfunc)PySwigObject_repr,	    /* tp_repr */    
+	&PySwigObject_as_number,	    /* tp_as_number */
+	0,				    /* tp_as_sequence */
+	0,				    /* tp_as_mapping */
+	(hashfunc)0,			    /* tp_hash */
+	(ternaryfunc)0,			    /* tp_call */
+	(reprfunc)PySwigObject_str,	    /* tp_str */
+	PyObject_GenericGetAttr,            /* tp_getattro */
+	0,				    /* tp_setattro */
+	0,		                    /* tp_as_buffer */
+	Py_TPFLAGS_DEFAULT,	            /* tp_flags */
+	swigobject_doc, 	            /* tp_doc */        
+	0,                                  /* tp_traverse */
+	0,                                  /* tp_clear */
+	0,                                  /* tp_richcompare */
+	0,                                  /* tp_weaklistoffset */
+#if PY_VERSION_HEX >= 0x02020000
+	0,                                  /* tp_iter */
+	0,                                  /* tp_iternext */
+	swigobject_methods,		    /* tp_methods */ 
+	0,			            /* tp_members */
+	0,				    /* tp_getset */	    	
+	0,			            /* tp_base */	        
+	0,				    /* tp_dict */	    	
+	0,				    /* tp_descr_get */  	
+	0,				    /* tp_descr_set */  	
+	0,				    /* tp_dictoffset */ 	
+	0,				    /* tp_init */	    	
+	0,				    /* tp_alloc */	    	
+	0,			            /* tp_new */	    	
+	0,	                            /* tp_free */	   
+        0,                                  /* tp_is_gc */  
+	0,				    /* tp_bases */   
+	0,				    /* tp_mro */
+	0,				    /* tp_cache */   
+ 	0,				    /* tp_subclasses */
+	0,				    /* tp_weaklist */
+#endif
+#if PY_VERSION_HEX >= 0x02030000
+	0,                                  /* tp_del */
+#endif
+#ifdef COUNT_ALLOCS
+	0,0,0,0                             /* tp_alloc -> tp_next */
+#endif
+      };
+    pyswigobject_type = tmp;
+    pyswigobject_type.ob_type = &PyType_Type;
+    type_init = 1;
+  }
+  return &pyswigobject_type;
+}
+
+SWIGRUNTIME PyObject *
+PySwigObject_New(void *ptr, swig_type_info *ty, int own)
+{
+  PySwigObject *sobj = PyObject_NEW(PySwigObject, PySwigObject_type());
+  if (sobj) {
+    sobj->ptr  = ptr;
+    sobj->ty   = ty;
+    sobj->own  = own;
+    sobj->next = 0;
+  }
+  return (PyObject *)sobj;
+}
+
+/* -----------------------------------------------------------------------------
+ * Implements a simple Swig Packed type, and use it instead of string
+ * ----------------------------------------------------------------------------- */
+
+typedef struct {
+  PyObject_HEAD
+  void *pack;
+  swig_type_info *ty;
+  size_t size;
+} PySwigPacked;
+
+SWIGRUNTIME int
+PySwigPacked_print(PySwigPacked *v, FILE *fp, int SWIGUNUSEDPARM(flags))
+{
+  char result[SWIG_BUFFER_SIZE];
+  fputs("<Swig Packed ", fp); 
+  if (SWIG_PackDataName(result, v->pack, v->size, 0, sizeof(result))) {
+    fputs("at ", fp); 
+    fputs(result, fp); 
+  }
+  fputs(v->ty->name,fp); 
+  fputs(">", fp);
+  return 0; 
+}
+  
+SWIGRUNTIME PyObject *
+PySwigPacked_repr(PySwigPacked *v)
+{
+  char result[SWIG_BUFFER_SIZE];
+  if (SWIG_PackDataName(result, v->pack, v->size, 0, sizeof(result))) {
+    return PyString_FromFormat("<Swig Packed at %s%s>", result, v->ty->name);
+  } else {
+    return PyString_FromFormat("<Swig Packed %s>", v->ty->name);
+  }  
+}
+
+SWIGRUNTIME PyObject *
+PySwigPacked_str(PySwigPacked *v)
+{
+  char result[SWIG_BUFFER_SIZE];
+  if (SWIG_PackDataName(result, v->pack, v->size, 0, sizeof(result))){
+    return PyString_FromFormat("%s%s", result, v->ty->name);
+  } else {
+    return PyString_FromString(v->ty->name);
+  }  
+}
+
+SWIGRUNTIME int
+PySwigPacked_compare(PySwigPacked *v, PySwigPacked *w)
+{
+  size_t i = v->size;
+  size_t j = w->size;
+  int s = (i < j) ? -1 : ((i > j) ? 1 : 0);
+  return s ? s : strncmp((char *)v->pack, (char *)w->pack, 2*v->size);
+}
+
+SWIGRUNTIME PyTypeObject* _PySwigPacked_type(void);
+
+SWIGRUNTIME PyTypeObject*
+PySwigPacked_type(void) {
+  static PyTypeObject *SWIG_STATIC_POINTER(type) = _PySwigPacked_type();
+  return type;
+}
+
+SWIGRUNTIMEINLINE int
+PySwigPacked_Check(PyObject *op) {
+  return ((op)->ob_type == _PySwigPacked_type()) 
+    || (strcmp((op)->ob_type->tp_name,"PySwigPacked") == 0);
+}
+
+SWIGRUNTIME void
+PySwigPacked_dealloc(PyObject *v)
+{
+  if (PySwigPacked_Check(v)) {
+    PySwigPacked *sobj = (PySwigPacked *) v;
+    free(sobj->pack);
+  }
+  PyObject_DEL(v);
+}
+
+SWIGRUNTIME PyTypeObject*
+_PySwigPacked_type(void) {
+  static char swigpacked_doc[] = "Swig object carries a C/C++ instance pointer";
+  static PyTypeObject pyswigpacked_type;
+  static int type_init = 0;  
+  if (!type_init) {
+    const PyTypeObject tmp
+      = {
+	PyObject_HEAD_INIT(NULL)
+	0,				    /* ob_size */	
+	(char *)"PySwigPacked",		    /* tp_name */	
+	sizeof(PySwigPacked),		    /* tp_basicsize */	
+	0,				    /* tp_itemsize */	
+	(destructor)PySwigPacked_dealloc,   /* tp_dealloc */	
+	(printfunc)PySwigPacked_print,	    /* tp_print */   	
+	(getattrfunc)0,			    /* tp_getattr */ 	
+	(setattrfunc)0,			    /* tp_setattr */ 	
+	(cmpfunc)PySwigPacked_compare,	    /* tp_compare */ 	
+	(reprfunc)PySwigPacked_repr,	    /* tp_repr */    	
+	0,	                            /* tp_as_number */	
+	0,				    /* tp_as_sequence */
+	0,				    /* tp_as_mapping */	
+	(hashfunc)0,			    /* tp_hash */	
+	(ternaryfunc)0,			    /* tp_call */	
+	(reprfunc)PySwigPacked_str,	    /* tp_str */	
+	PyObject_GenericGetAttr,            /* tp_getattro */
+	0,				    /* tp_setattro */
+	0,		                    /* tp_as_buffer */
+	Py_TPFLAGS_DEFAULT,	            /* tp_flags */
+	swigpacked_doc, 	            /* tp_doc */
+	0,                                  /* tp_traverse */
+	0,                                  /* tp_clear */
+	0,                                  /* tp_richcompare */
+	0,                                  /* tp_weaklistoffset */
+#if PY_VERSION_HEX >= 0x02020000
+	0,                                  /* tp_iter */
+	0,                                  /* tp_iternext */
+	0,		                    /* tp_methods */ 
+	0,			            /* tp_members */
+	0,				    /* tp_getset */	    	
+	0,			            /* tp_base */	        
+	0,				    /* tp_dict */	    	
+	0,				    /* tp_descr_get */  	
+	0,				    /* tp_descr_set */  	
+	0,				    /* tp_dictoffset */ 	
+	0,				    /* tp_init */	    	
+	0,				    /* tp_alloc */	    	
+	0,			            /* tp_new */	    	
+	0, 	                            /* tp_free */	   
+        0,                                  /* tp_is_gc */  
+	0,				    /* tp_bases */   
+	0,				    /* tp_mro */
+	0,				    /* tp_cache */   
+ 	0,				    /* tp_subclasses */
+	0,				    /* tp_weaklist */
+#endif
+#if PY_VERSION_HEX >= 0x02030000
+	0,                                  /* tp_del */
+#endif
+#ifdef COUNT_ALLOCS
+	0,0,0,0                             /* tp_alloc -> tp_next */
+#endif
+      };
+    pyswigpacked_type = tmp;
+    pyswigpacked_type.ob_type = &PyType_Type;
+    type_init = 1;
+  }
+  return &pyswigpacked_type;
+}
+
+SWIGRUNTIME PyObject *
+PySwigPacked_New(void *ptr, size_t size, swig_type_info *ty)
+{
+  PySwigPacked *sobj = PyObject_NEW(PySwigPacked, PySwigPacked_type());
+  if (sobj) {
+    void *pack = malloc(size);
+    if (pack) {
+      memcpy(pack, ptr, size);
+      sobj->pack = pack;
+      sobj->ty   = ty;
+      sobj->size = size;
+    } else {
+      PyObject_DEL((PyObject *) sobj);
+      sobj = 0;
+    }
+  }
+  return (PyObject *) sobj;
+}
+
+SWIGRUNTIME swig_type_info *
+PySwigPacked_UnpackData(PyObject *obj, void *ptr, size_t size)
+{
+  if (PySwigPacked_Check(obj)) {
+    PySwigPacked *sobj = (PySwigPacked *)obj;
+    if (sobj->size != size) return 0;
+    memcpy(ptr, sobj->pack, size);
+    return sobj->ty;
+  } else {
+    return 0;
+  }
+}
+
+/* -----------------------------------------------------------------------------
+ * pointers/data manipulation
+ * ----------------------------------------------------------------------------- */
+
+SWIGRUNTIMEINLINE PyObject *
+_SWIG_This(void)
+{
+  return PyString_FromString("this");
+}
+
+SWIGRUNTIME PyObject *
+SWIG_This(void)
+{
+  static PyObject *SWIG_STATIC_POINTER(swig_this) = _SWIG_This();
+  return swig_this;
+}
+
+/* #define SWIG_PYTHON_SLOW_GETSET_THIS */
+
+SWIGRUNTIME PySwigObject *
+SWIG_Python_GetSwigThis(PyObject *pyobj) 
+{
+  if (PySwigObject_Check(pyobj)) {
+    return (PySwigObject *) pyobj;
+  } else {
+    PyObject *obj = 0;
+#if (!defined(SWIG_PYTHON_SLOW_GETSET_THIS) && (PY_VERSION_HEX >= 0x02030000))
+    if (PyInstance_Check(pyobj)) {
+      obj = _PyInstance_Lookup(pyobj, SWIG_This());      
+    } else {
+      PyObject **dictptr = _PyObject_GetDictPtr(pyobj);
+      if (dictptr != NULL) {
+	PyObject *dict = *dictptr;
+	obj = dict ? PyDict_GetItem(dict, SWIG_This()) : 0;
+      } else {
+#ifdef PyWeakref_CheckProxy
+	if (PyWeakref_CheckProxy(pyobj)) {
+	  PyObject *wobj = PyWeakref_GET_OBJECT(pyobj);
+	  return wobj ? SWIG_Python_GetSwigThis(wobj) : 0;
+	}
+#endif
+	obj = PyObject_GetAttr(pyobj,SWIG_This());
+	if (obj) {
+	  Py_DECREF(obj);
+	} else {
+	  if (PyErr_Occurred()) PyErr_Clear();
+	  return 0;
+	}
+      }
+    }
+#else
+    obj = PyObject_GetAttr(pyobj,SWIG_This());
+    if (obj) {
+      Py_DECREF(obj);
+    } else {
+      if (PyErr_Occurred()) PyErr_Clear();
+      return 0;
+    }
+#endif
+    if (obj && !PySwigObject_Check(obj)) {
+      /* a PyObject is called 'this', try to get the 'real this'
+	 PySwigObject from it */ 
+      return SWIG_Python_GetSwigThis(obj);
+    }
+    return (PySwigObject *)obj;
+  }
+}
+
+/* Acquire a pointer value */
+
+SWIGRUNTIME int
+SWIG_Python_AcquirePtr(PyObject *obj, int own) {
+  if (own) {
+    PySwigObject *sobj = SWIG_Python_GetSwigThis(obj);
+    if (sobj) {
+      int oldown = sobj->own;
+      sobj->own = own;
+      return oldown;
+    }
+  }
+  return 0;
+}
+
+/* Convert a pointer value */
+
+SWIGRUNTIME int
+SWIG_Python_ConvertPtrAndOwn(PyObject *obj, void **ptr, swig_type_info *ty, int flags, int *own) {
+  if (!obj) return SWIG_ERROR;
+  if (obj == Py_None) {
+    if (ptr) *ptr = 0;
+    return SWIG_OK;
+  } else {
+    PySwigObject *sobj = SWIG_Python_GetSwigThis(obj);
+    while (sobj) {
+      void *vptr = sobj->ptr;
+      if (ty) {
+	swig_type_info *to = sobj->ty;
+	if (to == ty) {
+	  /* no type cast needed */
+	  if (ptr) *ptr = vptr;
+	  break;
+	} else {
+	  swig_cast_info *tc = SWIG_TypeCheck(to->name,ty);
+	  if (!tc) {
+	    sobj = (PySwigObject *)sobj->next;
+	  } else {
+	    if (ptr) *ptr = SWIG_TypeCast(tc,vptr);
+	    break;
+	  }
+	}
+      } else {
+	if (ptr) *ptr = vptr;
+	break;
+      }
+    }
+    if (sobj) {
+      if (own) *own = sobj->own;
+      if (flags & SWIG_POINTER_DISOWN) {
+	sobj->own = 0;
+      }
+      return SWIG_OK;
+    } else {
+      int res = SWIG_ERROR;
+      if (flags & SWIG_POINTER_IMPLICIT_CONV) {
+	PySwigClientData *data = ty ? (PySwigClientData *) ty->clientdata : 0;
+	if (data && !data->implicitconv) {
+	  PyObject *klass = data->klass;
+	  if (klass) {
+	    PyObject *impconv;
+	    data->implicitconv = 1; /* avoid recursion and call 'explicit' constructors*/
+	    impconv = SWIG_Python_CallFunctor(klass, obj);
+	    data->implicitconv = 0;
+	    if (PyErr_Occurred()) {
+	      PyErr_Clear();
+	      impconv = 0;
+	    }
+	    if (impconv) {
+	      PySwigObject *iobj = SWIG_Python_GetSwigThis(impconv);
+	      if (iobj) {
+		void *vptr;
+		res = SWIG_Python_ConvertPtrAndOwn((PyObject*)iobj, &vptr, ty, 0, 0);
+		if (SWIG_IsOK(res)) {
+		  if (ptr) {
+		    *ptr = vptr;
+		    /* transfer the ownership to 'ptr' */
+		    iobj->own = 0;
+		    res = SWIG_AddCast(res);
+		    res = SWIG_AddNewMask(res);
+		  } else {
+		    res = SWIG_AddCast(res);		    
+		  }
+		}
+	      }
+	      Py_DECREF(impconv);
+	    }
+	  }
+	}
+      }
+      return res;
+    }
+  }
+}
+
+/* Convert a function ptr value */
+
+SWIGRUNTIME int
+SWIG_Python_ConvertFunctionPtr(PyObject *obj, void **ptr, swig_type_info *ty) {
+  if (!PyCFunction_Check(obj)) {
+    return SWIG_ConvertPtr(obj, ptr, ty, 0);
+  } else {
+    void *vptr = 0;
+    
+    /* here we get the method pointer for callbacks */
+    const char *doc = (((PyCFunctionObject *)obj) -> m_ml -> ml_doc);
+    const char *desc = doc ? strstr(doc, "swig_ptr: ") : 0;
+    if (desc) {
+      desc = ty ? SWIG_UnpackVoidPtr(desc + 10, &vptr, ty->name) : 0;
+      if (!desc) return SWIG_ERROR;
+    }
+    if (ty) {
+      swig_cast_info *tc = SWIG_TypeCheck(desc,ty);
+      if (!tc) return SWIG_ERROR;
+      *ptr = SWIG_TypeCast(tc,vptr);
+    } else {
+      *ptr = vptr;
+    }
+    return SWIG_OK;
+  }
+}
+
+/* Convert a packed value value */
+
+SWIGRUNTIME int
+SWIG_Python_ConvertPacked(PyObject *obj, void *ptr, size_t sz, swig_type_info *ty) {
+  swig_type_info *to = PySwigPacked_UnpackData(obj, ptr, sz);
+  if (!to) return SWIG_ERROR;
+  if (ty) {
+    if (to != ty) {
+      /* check type cast? */
+      swig_cast_info *tc = SWIG_TypeCheck(to->name,ty);
+      if (!tc) return SWIG_ERROR;
+    }
+  }
+  return SWIG_OK;
+}  
+
+/* -----------------------------------------------------------------------------
+ * Create a new pointer object
+ * ----------------------------------------------------------------------------- */
+
+/*
+  Create a new instance object, whitout calling __init__, and set the
+  'this' attribute.
+*/
+
+SWIGRUNTIME PyObject* 
+SWIG_Python_NewShadowInstance(PySwigClientData *data, PyObject *swig_this)
+{
+#if (PY_VERSION_HEX >= 0x02020000)
+  PyObject *inst = 0;
+  PyObject *newraw = data->newraw;
+  if (newraw) {
+    inst = PyObject_Call(newraw, data->newargs, NULL);
+    if (inst) {
+#if !defined(SWIG_PYTHON_SLOW_GETSET_THIS)
+      PyObject **dictptr = _PyObject_GetDictPtr(inst);
+      if (dictptr != NULL) {
+	PyObject *dict = *dictptr;
+	if (dict == NULL) {
+	  dict = PyDict_New();
+	  *dictptr = dict;
+	  PyDict_SetItem(dict, SWIG_This(), swig_this);
+	}
+      }
+#else
+      PyObject *key = SWIG_This();
+      PyObject_SetAttr(inst, key, swig_this);
+#endif
+    }
+  } else {
+    PyObject *dict = PyDict_New();
+    PyDict_SetItem(dict, SWIG_This(), swig_this);
+    inst = PyInstance_NewRaw(data->newargs, dict);
+    Py_DECREF(dict);
+  }
+  return inst;
+#else
+#if (PY_VERSION_HEX >= 0x02010000)
+  PyObject *inst;
+  PyObject *dict = PyDict_New();
+  PyDict_SetItem(dict, SWIG_This(), swig_this);
+  inst = PyInstance_NewRaw(data->newargs, dict);
+  Py_DECREF(dict);
+  return (PyObject *) inst;
+#else
+  PyInstanceObject *inst = PyObject_NEW(PyInstanceObject, &PyInstance_Type);
+  if (inst == NULL) {
+    return NULL;
+  }
+  inst->in_class = (PyClassObject *)data->newargs;
+  Py_INCREF(inst->in_class);
+  inst->in_dict = PyDict_New();
+  if (inst->in_dict == NULL) {
+    Py_DECREF(inst);
+    return NULL;
+  }
+#ifdef Py_TPFLAGS_HAVE_WEAKREFS
+  inst->in_weakreflist = NULL;
+#endif
+#ifdef Py_TPFLAGS_GC
+  PyObject_GC_Init(inst);
+#endif
+  PyDict_SetItem(inst->in_dict, SWIG_This(), swig_this);
+  return (PyObject *) inst;
+#endif
+#endif
+}
+
+SWIGRUNTIME void
+SWIG_Python_SetSwigThis(PyObject *inst, PyObject *swig_this)
+{
+ PyObject *dict;
+#if (PY_VERSION_HEX >= 0x02020000) && !defined(SWIG_PYTHON_SLOW_GETSET_THIS)
+ PyObject **dictptr = _PyObject_GetDictPtr(inst);
+ if (dictptr != NULL) {
+   dict = *dictptr;
+   if (dict == NULL) {
+     dict = PyDict_New();
+     *dictptr = dict;
+   }
+   PyDict_SetItem(dict, SWIG_This(), swig_this);
+   return;
+ }
+#endif
+ dict = PyObject_GetAttrString(inst, (char*)"__dict__");
+ PyDict_SetItem(dict, SWIG_This(), swig_this);
+ Py_DECREF(dict);
+} 
+
+
+SWIGINTERN PyObject *
+SWIG_Python_InitShadowInstance(PyObject *args) {
+  PyObject *obj[2];
+  if (!SWIG_Python_UnpackTuple(args,(char*)"swiginit", 2, 2, obj)) {
+    return NULL;
+  } else {
+    PySwigObject *sthis = SWIG_Python_GetSwigThis(obj[0]);
+    if (sthis) {
+      PySwigObject_append((PyObject*) sthis, obj[1]);
+    } else {
+      SWIG_Python_SetSwigThis(obj[0], obj[1]);
+    }
+    return SWIG_Py_Void();
+  }
+}
+
+/* Create a new pointer object */
+
+SWIGRUNTIME PyObject *
+SWIG_Python_NewPointerObj(void *ptr, swig_type_info *type, int flags) {
+  if (!ptr) {
+    return SWIG_Py_Void();
+  } else {
+    int own = (flags & SWIG_POINTER_OWN) ? SWIG_POINTER_OWN : 0;
+    PyObject *robj = PySwigObject_New(ptr, type, own);
+    PySwigClientData *clientdata = type ? (PySwigClientData *)(type->clientdata) : 0;
+    if (clientdata && !(flags & SWIG_POINTER_NOSHADOW)) {
+      PyObject *inst = SWIG_Python_NewShadowInstance(clientdata, robj);
+      if (inst) {
+	Py_DECREF(robj);
+	robj = inst;
+      }
+    }
+    return robj;
+  }
+}
+
+/* Create a new packed object */
+
+SWIGRUNTIMEINLINE PyObject *
+SWIG_Python_NewPackedObj(void *ptr, size_t sz, swig_type_info *type) {
+  return ptr ? PySwigPacked_New((void *) ptr, sz, type) : SWIG_Py_Void();
+}
+
+/* -----------------------------------------------------------------------------*
+ *  Get type list 
+ * -----------------------------------------------------------------------------*/
+
+#ifdef SWIG_LINK_RUNTIME
+void *SWIG_ReturnGlobalTypeList(void *);
+#endif
+
+SWIGRUNTIME swig_module_info *
+SWIG_Python_GetModule(void) {
+  static void *type_pointer = (void *)0;
+  /* first check if module already created */
+  if (!type_pointer) {
+#ifdef SWIG_LINK_RUNTIME
+    type_pointer = SWIG_ReturnGlobalTypeList((void *)0);
+#else
+    type_pointer = PyCObject_Import((char*)"swig_runtime_data" SWIG_RUNTIME_VERSION,
+				    (char*)"type_pointer" SWIG_TYPE_TABLE_NAME);
+    if (PyErr_Occurred()) {
+      PyErr_Clear();
+      type_pointer = (void *)0;
+    }
+#endif
+  }
+  return (swig_module_info *) type_pointer;
+}
+
+#if PY_MAJOR_VERSION < 2
+/* PyModule_AddObject function was introduced in Python 2.0.  The following function
+   is copied out of Python/modsupport.c in python version 2.3.4 */
+SWIGINTERN int
+PyModule_AddObject(PyObject *m, char *name, PyObject *o)
+{
+  PyObject *dict;
+  if (!PyModule_Check(m)) {
+    PyErr_SetString(PyExc_TypeError,
+		    "PyModule_AddObject() needs module as first arg");
+    return SWIG_ERROR;
+  }
+  if (!o) {
+    PyErr_SetString(PyExc_TypeError,
+		    "PyModule_AddObject() needs non-NULL value");
+    return SWIG_ERROR;
+  }
+  
+  dict = PyModule_GetDict(m);
+  if (dict == NULL) {
+    /* Internal error -- modules must have a dict! */
+    PyErr_Format(PyExc_SystemError, "module '%s' has no __dict__",
+		 PyModule_GetName(m));
+    return SWIG_ERROR;
+  }
+  if (PyDict_SetItemString(dict, name, o))
+    return SWIG_ERROR;
+  Py_DECREF(o);
+  return SWIG_OK;
+}
+#endif
+
+SWIGRUNTIME void
+SWIG_Python_DestroyModule(void *vptr)
+{
+  swig_module_info *swig_module = (swig_module_info *) vptr;
+  swig_type_info **types = swig_module->types;
+  size_t i;
+  for (i =0; i < swig_module->size; ++i) {
+    swig_type_info *ty = types[i];
+    if (ty->owndata) {
+      PySwigClientData *data = (PySwigClientData *) ty->clientdata;
+      if (data) PySwigClientData_Del(data);
+    }
+  }
+  Py_DECREF(SWIG_This());
+}
+
+SWIGRUNTIME void
+SWIG_Python_SetModule(swig_module_info *swig_module) {
+  static PyMethodDef swig_empty_runtime_method_table[] = { {NULL, NULL, 0, NULL} };/* Sentinel */
+
+  PyObject *module = Py_InitModule((char*)"swig_runtime_data" SWIG_RUNTIME_VERSION,
+				   swig_empty_runtime_method_table);
+  PyObject *pointer = PyCObject_FromVoidPtr((void *) swig_module, SWIG_Python_DestroyModule);
+  if (pointer && module) {
+    PyModule_AddObject(module, (char*)"type_pointer" SWIG_TYPE_TABLE_NAME, pointer);
+  } else {
+    Py_XDECREF(pointer);
+  }
+}
+
+/* The python cached type query */
+SWIGRUNTIME PyObject *
+SWIG_Python_TypeCache(void) {
+  static PyObject *SWIG_STATIC_POINTER(cache) = PyDict_New();
+  return cache;
+}
+
+SWIGRUNTIME swig_type_info *
+SWIG_Python_TypeQuery(const char *type)
+{
+  PyObject *cache = SWIG_Python_TypeCache();
+  PyObject *key = PyString_FromString(type); 
+  PyObject *obj = PyDict_GetItem(cache, key);
+  swig_type_info *descriptor;
+  if (obj) {
+    descriptor = (swig_type_info *) PyCObject_AsVoidPtr(obj);
+  } else {
+    swig_module_info *swig_module = SWIG_Python_GetModule();
+    descriptor = SWIG_TypeQueryModule(swig_module, swig_module, type);
+    if (descriptor) {
+      obj = PyCObject_FromVoidPtr(descriptor, NULL);
+      PyDict_SetItem(cache, key, obj);
+      Py_DECREF(obj);
+    }
+  }
+  Py_DECREF(key);
+  return descriptor;
+}
+
+/* 
+   For backward compatibility only
+*/
+#define SWIG_POINTER_EXCEPTION  0
+#define SWIG_arg_fail(arg)      SWIG_Python_ArgFail(arg)
+#define SWIG_MustGetPtr(p, type, argnum, flags)  SWIG_Python_MustGetPtr(p, type, argnum, flags)
+
+SWIGRUNTIME int
+SWIG_Python_AddErrMesg(const char* mesg, int infront)
+{
+  if (PyErr_Occurred()) {
+    PyObject *type = 0;
+    PyObject *value = 0;
+    PyObject *traceback = 0;
+    PyErr_Fetch(&type, &value, &traceback);
+    if (value) {
+      PyObject *old_str = PyObject_Str(value);
+      Py_XINCREF(type);
+      PyErr_Clear();
+      if (infront) {
+	PyErr_Format(type, "%s %s", mesg, PyString_AsString(old_str));
+      } else {
+	PyErr_Format(type, "%s %s", PyString_AsString(old_str), mesg);
+      }
+      Py_DECREF(old_str);
+    }
+    return 1;
+  } else {
+    return 0;
+  }
+}
+  
+SWIGRUNTIME int
+SWIG_Python_ArgFail(int argnum)
+{
+  if (PyErr_Occurred()) {
+    /* add information about failing argument */
+    char mesg[256];
+    PyOS_snprintf(mesg, sizeof(mesg), "argument number %d:", argnum);
+    return SWIG_Python_AddErrMesg(mesg, 1);
+  } else {
+    return 0;
+  }
+}
+
+SWIGRUNTIMEINLINE const char *
+PySwigObject_GetDesc(PyObject *self)
+{
+  PySwigObject *v = (PySwigObject *)self;
+  swig_type_info *ty = v ? v->ty : 0;
+  return ty ? ty->str : (char*)"";
+}
+
+SWIGRUNTIME void
+SWIG_Python_TypeError(const char *type, PyObject *obj)
+{
+  if (type) {
+#if defined(SWIG_COBJECT_TYPES)
+    if (obj && PySwigObject_Check(obj)) {
+      const char *otype = (const char *) PySwigObject_GetDesc(obj);
+      if (otype) {
+	PyErr_Format(PyExc_TypeError, "a '%s' is expected, 'PySwigObject(%s)' is received",
+		     type, otype);
+	return;
+      }
+    } else 
+#endif      
+    {
+      const char *otype = (obj ? obj->ob_type->tp_name : 0); 
+      if (otype) {
+	PyObject *str = PyObject_Str(obj);
+	const char *cstr = str ? PyString_AsString(str) : 0;
+	if (cstr) {
+	  PyErr_Format(PyExc_TypeError, "a '%s' is expected, '%s(%s)' is received",
+		       type, otype, cstr);
+	} else {
+	  PyErr_Format(PyExc_TypeError, "a '%s' is expected, '%s' is received",
+		       type, otype);
+	}
+	Py_XDECREF(str);
+	return;
+      }
+    }   
+    PyErr_Format(PyExc_TypeError, "a '%s' is expected", type);
+  } else {
+    PyErr_Format(PyExc_TypeError, "unexpected type is received");
+  }
+}
+
+
+/* Convert a pointer value, signal an exception on a type mismatch */
+SWIGRUNTIME void *
+SWIG_Python_MustGetPtr(PyObject *obj, swig_type_info *ty, int argnum, int flags) {
+  void *result;
+  if (SWIG_Python_ConvertPtr(obj, &result, ty, flags) == -1) {
+    PyErr_Clear();
+    if (flags & SWIG_POINTER_EXCEPTION) {
+      SWIG_Python_TypeError(SWIG_TypePrettyName(ty), obj);
+      SWIG_Python_ArgFail(argnum);
+    }
+  }
+  return result;
+}
+
+
+#ifdef __cplusplus
+#if 0
+{ /* cc-mode */
+#endif
+}
+#endif
+
+
+
+#define SWIG_exception_fail(code, msg) do { SWIG_Error(code, msg); SWIG_fail; } while(0) 
+
+#define SWIG_contract_assert(expr, msg) if (!(expr)) { SWIG_Error(SWIG_RuntimeError, msg); SWIG_fail; } else 
+
+
+
+/* -------- TYPES TABLE (BEGIN) -------- */
+
+#define SWIGTYPE_p_BroCompactEventFunc swig_types[0]
+#define SWIGTYPE_p_char swig_types[1]
+#define SWIGTYPE_p_void swig_types[2]
+static swig_type_info *swig_types[4];
+static swig_module_info swig_module = {swig_types, 3, 0, 0, 0, 0};
+#define SWIG_TypeQuery(name) SWIG_TypeQueryModule(&swig_module, &swig_module, name)
+#define SWIG_MangledTypeQuery(name) SWIG_MangledTypeQueryModule(&swig_module, &swig_module, name)
+
+/* -------- TYPES TABLE (END) -------- */
+
+#if (PY_VERSION_HEX <= 0x02000000)
+# if !defined(SWIG_PYTHON_CLASSIC)
+#  error "This python version requires swig to be run with the '-classic' option"
+# endif
+#endif
+
+/*-----------------------------------------------
+              @(target):= _broccoli_intern.so
+  ------------------------------------------------*/
+#define SWIG_init    init_broccoli_intern
+
+#define SWIG_name    "_broccoli_intern"
+
+#define SWIGVERSION 0x010331 
+#define SWIG_VERSION SWIGVERSION
+
+
+#define SWIG_as_voidptr(a) (void *)((const void *)(a)) 
+#define SWIG_as_voidptrptr(a) ((void)SWIG_as_voidptr(*a),(void**)(a)) 
+
+
+// Include the header in the wrapper code.
+#include <broccoli.h>
+
+// Broccoli internal struct. Easier to copy that here than to include a bunch
+// of Broccoli's internal headers.  
+struct bro_record {
+    void *val_list;
+    int val_len;
+};
+    
+typedef BroRecord bro_record ;
+
+// Builds a 2-tuple (type, object).     
+PyObject* makeTypeTuple(int type, PyObject *val)
+{
+ 	PyObject *tuple = PyTuple_New(2);
+    PyTuple_SetItem(tuple, 0, PyInt_FromLong(type));
+    PyTuple_SetItem(tuple, 1, val);
+    return tuple;
+}
+
+// Parses a 2-tuple (type, object). Return 1 on success. 
+// Borrows input's reference to object.
+int parseTypeTuple(PyObject* input, int *type, PyObject **val)
+{
+    if ( ! (PyTuple_Check(input) && PyTuple_Size(input) == 2) ) {
+		PyErr_SetString(PyExc_RuntimeError, "argument must be 2-tuple");
+		return 0;
+    }
+    
+	PyObject *ptype = PyTuple_GetItem(input, 0);
+	PyObject *pval = PyTuple_GetItem(input, 1);
+	
+	if ( ! PyInt_Check(ptype) ) {
+		PyErr_SetString(PyExc_RuntimeError, "first tuple element must be integer");
+		return 0;
+    }
+    
+    *type = PyInt_AsLong(ptype);
+    
+	if ( *type < 0 || *type > BRO_TYPE_MAX ) {
+		PyErr_SetString(PyExc_RuntimeError, "unknown type in tuple");
+		return 0;
+    }
+    
+    *val = pval;
+    return 1;
+}
+
+// Release the memory associated with the Broccoli value.
+void freeBroccoliVal(int type, void* data)
+{
+    if ( ! data )
+        return;
+    
+    switch ( type ) {
+      case BRO_TYPE_STRING:
+        free(((BroString *)data)->str_val);
+        free(data);
+        break;
+        
+      case BRO_TYPE_RECORD:
+        bro_record_free((BroRecord *)data);
+        break;
+        
+      default:
+        free(data);
+    }
+    
+}
+
+// Converts a Broccoli value into a Python object.
+PyObject* valToPyObj(int type, void* data)
+{
+ 	PyObject* val = 0;
+
+	switch (type) {
+      case BRO_TYPE_BOOL:
+        val = PyBool_FromLong(*((int *)data));   
+        break;
+        
+      case BRO_TYPE_INT:
+      case BRO_TYPE_COUNT:
+      case BRO_TYPE_COUNTER:
+      case BRO_TYPE_IPADDR:
+      case BRO_TYPE_NET: {
+        val = PyInt_FromLong(*((long *)data));
+        break;
+      }
+        
+      case BRO_TYPE_DOUBLE:
+      case BRO_TYPE_TIME:
+      case BRO_TYPE_INTERVAL: {
+          val = PyFloat_FromDouble(*((double *)data));
+          break;
+      }
+        
+      case BRO_TYPE_STRING: {
+          BroString *str = (BroString*)data;
+          val = PyString_FromStringAndSize(str->str_val, str->str_len);
+          break;
+      }
+
+      case BRO_TYPE_ENUM: {
+          val = PyTuple_New(2);
+          PyTuple_SetItem(val, 0, PyBool_FromLong(*((int *)data)));
+          PyTuple_SetItem(val, 1, PyString_FromString("broccoli-doesnt-give-use-the-enum-type! :-("));
+          break;
+      }
+        
+        
+      case BRO_TYPE_PORT: {
+          BroPort *port = (BroPort*)data;
+          val = PyTuple_New(2);
+          PyTuple_SetItem(val, 0, PyInt_FromLong(port->port_num));
+          PyTuple_SetItem(val, 1, PyInt_FromLong(port->port_proto));
+          break;
+      }
+            
+      case BRO_TYPE_SUBNET: {
+          BroSubnet *subnet = (BroSubnet*)data;
+          val = PyTuple_New(2);
+          PyTuple_SetItem(val, 0, PyInt_FromLong(subnet->sn_net));
+          PyTuple_SetItem(val, 1, PyInt_FromLong(subnet->sn_width));
+          break;
+      }
+        
+      case BRO_TYPE_RECORD: { 
+          BroRecord *rec = (BroRecord*)data;
+          PyObject *fields = PyList_New(rec->val_len);
+          int i;
+          for ( i = 0; i < rec->val_len; i++ ) {
+              int type = BRO_TYPE_UNKNOWN;
+              void *data = bro_record_get_nth_val(rec, i, &type);
+              PyList_SetItem(fields, i, valToPyObj(type, data));
+          }
+          val = fields;
+          break;
+      }
+    
+      default:
+        PyErr_SetString(PyExc_RuntimeError, "unknown type");
+        return 0;
+        
+    }
+    
+    return makeTypeTuple(type, val);
+}
+    
+// Converts a Python object into Broccoli value.
+int pyObjToVal(PyObject *val, int type, const char **type_name, void** data)
+{
+	*type_name = 0;
+    *data = 0;
+
+    switch (type) {
+      case BRO_TYPE_BOOL:
+      case BRO_TYPE_INT:
+      case BRO_TYPE_COUNT:
+      case BRO_TYPE_COUNTER:
+      case BRO_TYPE_IPADDR:
+      case BRO_TYPE_NET: {
+          int* tmp = (int *)malloc(sizeof(int));
+		  *tmp = PyInt_AsLong(val);
+          *data = tmp;
+          break;
+      }
+        
+      case BRO_TYPE_DOUBLE:
+      case BRO_TYPE_TIME:
+      case BRO_TYPE_INTERVAL: {
+          double* tmp = (double *)malloc(sizeof(double));
+		  *tmp = PyFloat_AsDouble(val);
+          *data = tmp;
+          break;
+      }
+
+      case BRO_TYPE_STRING: {
+          BroString* str = (BroString *)malloc(sizeof(BroString));
+          
+          const char* tmp = PyString_AsString(val);
+          if ( ! tmp )
+              return 0;
+          
+          str->str_len = strlen(tmp);
+          str->str_val = strdup(tmp);
+          *data = str;
+          break;
+      }
+
+      case BRO_TYPE_ENUM: {
+          if ( ! (PyTuple_Check(val) && PyTuple_Size(val) == 2) ) {
+              PyErr_SetString(PyExc_RuntimeError, "enum must be 2-tuple");
+              return 0;
+          }
+          
+          int* tmp = (int *)malloc(sizeof(int));
+		  *tmp = PyInt_AsLong(PyTuple_GetItem(val, 0));
+          *data = tmp;
+          
+          const char* enum_type = PyString_AsString(PyTuple_GetItem(val, 1));
+          if ( ! enum_type )
+              return 0;
+          
+          *type_name = strdup(enum_type);
+          break;
+      }
+        
+      case BRO_TYPE_PORT: {
+          if ( ! (PyTuple_Check(val) && PyTuple_Size(val) == 2) ) {
+              PyErr_SetString(PyExc_RuntimeError, "port must be 2-tuple");
+              return 0;
+          }
+    
+          BroPort* port = (BroPort *)malloc(sizeof(BroPort));
+          port->port_num = PyInt_AsLong(PyTuple_GetItem(val, 0));
+          port->port_proto = PyInt_AsLong(PyTuple_GetItem(val, 1));
+          *data = port;
+          break;
+      }
+            
+      case BRO_TYPE_SUBNET: {
+          if ( ! (PyTuple_Check(val) && PyTuple_Size(val) == 2) ) {
+              PyErr_SetString(PyExc_RuntimeError, "subnet must be 2-tuple");
+              return 0;
+          }
+    
+          BroSubnet* subnet = (BroSubnet *)malloc(sizeof(BroSubnet));
+          subnet->sn_net = PyInt_AsLong(PyTuple_GetItem(val, 0));
+          subnet->sn_width = PyInt_AsLong(PyTuple_GetItem(val, 1));
+          *data = subnet;
+          break;
+      }
+        
+      case BRO_TYPE_RECORD: {
+          BroRecord *rec = bro_record_new();
+          int i;
+          for ( i = 0; i < PyList_Size(val); i++ ) {
+              int ftype;
+              PyObject *fval;
+              if ( ! parseTypeTuple(PyList_GetItem(val, i), &ftype, &fval) )
+                  return 0;
+                  
+              const char *ftype_name;
+              void *fdata;
+              if ( ! pyObjToVal(fval, ftype, &ftype_name, &fdata) ) 
+                  return 0;
+              
+              bro_record_add_val(rec, "<unknown>", ftype, 0, fdata);
+              freeBroccoliVal(ftype, fdata);
+          }
+          
+          *data = rec;
+          break;
+      }
+        
+      default:
+        PyErr_SetString(PyExc_RuntimeError, "unknown type");
+        return 0;
+    }
+    
+    return 1;
+}
+
+// C-level event handler for events. We register all events with this callback,
+// passing the target Python function in via data. 
+void event_callback(BroConn *bc, void *data, BroEvMeta *meta)
+{
+    PyObject *func = (PyObject*)data;
+    
+	int i;
+	PyObject *pyargs = PyTuple_New(meta->ev_numargs);
+	for ( i = 0; i < meta->ev_numargs; i++ )
+		PyTuple_SetItem(pyargs, i, valToPyObj(meta->ev_args[i].arg_type, meta->ev_args[i].arg_data));
+	
+	PyObject *result = PyObject_Call(func, pyargs, 0);
+
+    Py_DECREF(pyargs);
+    
+    if ( result )
+	    Py_DECREF(result);
+}
+
+
+
+  #define SWIG_From_long   PyInt_FromLong 
+
+
+SWIGINTERNINLINE PyObject *
+SWIG_From_int  (int value)
+{    
+  return SWIG_From_long  (value);
+}
+
+
+SWIGINTERN swig_type_info*
+SWIG_pchar_descriptor(void)
+{
+  static int init = 0;
+  static swig_type_info* info = 0;
+  if (!init) {
+    info = SWIG_TypeQuery("_p_char");
+    init = 1;
+  }
+  return info;
+}
+
+
+SWIGINTERN int
+SWIG_AsCharPtrAndSize(PyObject *obj, char** cptr, size_t* psize, int *alloc)
+{
+  if (PyString_Check(obj)) {
+    char *cstr; Py_ssize_t len;
+    PyString_AsStringAndSize(obj, &cstr, &len);
+    if (cptr)  {
+      if (alloc) {
+	/* 
+	   In python the user should not be able to modify the inner
+	   string representation. To warranty that, if you define
+	   SWIG_PYTHON_SAFE_CSTRINGS, a new/copy of the python string
+	   buffer is always returned.
+
+	   The default behavior is just to return the pointer value,
+	   so, be careful.
+	*/ 
+#if defined(SWIG_PYTHON_SAFE_CSTRINGS)
+	if (*alloc != SWIG_OLDOBJ) 
+#else
+	if (*alloc == SWIG_NEWOBJ) 
+#endif
+	  {
+	    *cptr = (char *)memcpy((char *)malloc((len + 1)*sizeof(char)), cstr, sizeof(char)*(len + 1));
+	    *alloc = SWIG_NEWOBJ;
+	  }
+	else {
+	  *cptr = cstr;
+	  *alloc = SWIG_OLDOBJ;
+	}
+      } else {
+	*cptr = PyString_AsString(obj);
+      }
+    }
+    if (psize) *psize = len + 1;
+    return SWIG_OK;
+  } else {
+    swig_type_info* pchar_descriptor = SWIG_pchar_descriptor();
+    if (pchar_descriptor) {
+      void* vptr = 0;
+      if (SWIG_ConvertPtr(obj, &vptr, pchar_descriptor, 0) == SWIG_OK) {
+	if (cptr) *cptr = (char *) vptr;
+	if (psize) *psize = vptr ? (strlen((char *)vptr) + 1) : 0;
+	if (alloc) *alloc = SWIG_OLDOBJ;
+	return SWIG_OK;
+      }
+    }
+  }
+  return SWIG_TypeError;
+}
+
+
+
+
+
+#include <limits.h>
+#ifndef LLONG_MIN
+# define LLONG_MIN	LONG_LONG_MIN
+#endif
+#ifndef LLONG_MAX
+# define LLONG_MAX	LONG_LONG_MAX
+#endif
+#ifndef ULLONG_MAX
+# define ULLONG_MAX	ULONG_LONG_MAX
+#endif
+
+
+SWIGINTERN int
+SWIG_AsVal_double (PyObject *obj, double *val)
+{
+  int res = SWIG_TypeError;
+  if (PyFloat_Check(obj)) {
+    if (val) *val = PyFloat_AsDouble(obj);
+    return SWIG_OK;
+  } else if (PyInt_Check(obj)) {
+    if (val) *val = PyInt_AsLong(obj);
+    return SWIG_OK;
+  } else if (PyLong_Check(obj)) {
+    double v = PyLong_AsDouble(obj);
+    if (!PyErr_Occurred()) {
+      if (val) *val = v;
+      return SWIG_OK;
+    } else {
+      PyErr_Clear();
+    }
+  }
+#ifdef SWIG_PYTHON_CAST_MODE
+  {
+    int dispatch = 0;
+    double d = PyFloat_AsDouble(obj);
+    if (!PyErr_Occurred()) {
+      if (val) *val = d;
+      return SWIG_AddCast(SWIG_OK);
+    } else {
+      PyErr_Clear();
+    }
+    if (!dispatch) {
+      long v = PyLong_AsLong(obj);
+      if (!PyErr_Occurred()) {
+	if (val) *val = v;
+	return SWIG_AddCast(SWIG_AddCast(SWIG_OK));
+      } else {
+	PyErr_Clear();
+      }
+    }
+  }
+#endif
+  return res;
+}
+
+
+#include <float.h>
+
+
+#include <math.h>
+
+
+SWIGINTERNINLINE int
+SWIG_CanCastAsInteger(double *d, double min, double max) {
+  double x = *d;
+  if ((min <= x && x <= max)) {
+   double fx = floor(x);
+   double cx = ceil(x);
+   double rd =  ((x - fx) < 0.5) ? fx : cx; /* simple rint */
+   if ((errno == EDOM) || (errno == ERANGE)) {
+     errno = 0;
+   } else {
+     double summ, reps, diff;
+     if (rd < x) {
+       diff = x - rd;
+     } else if (rd > x) {
+       diff = rd - x;
+     } else {
+       return 1;
+     }
+     summ = rd + x;
+     reps = diff/summ;
+     if (reps < 8*DBL_EPSILON) {
+       *d = rd;
+       return 1;
+     }
+   }
+  }
+  return 0;
+}
+
+
+SWIGINTERN int
+SWIG_AsVal_long (PyObject *obj, long* val)
+{
+  if (PyInt_Check(obj)) {
+    if (val) *val = PyInt_AsLong(obj);
+    return SWIG_OK;
+  } else if (PyLong_Check(obj)) {
+    long v = PyLong_AsLong(obj);
+    if (!PyErr_Occurred()) {
+      if (val) *val = v;
+      return SWIG_OK;
+    } else {
+      PyErr_Clear();
+    }
+  }
+#ifdef SWIG_PYTHON_CAST_MODE
+  {
+    int dispatch = 0;
+    long v = PyInt_AsLong(obj);
+    if (!PyErr_Occurred()) {
+      if (val) *val = v;
+      return SWIG_AddCast(SWIG_OK);
+    } else {
+      PyErr_Clear();
+    }
+    if (!dispatch) {
+      double d;
+      int res = SWIG_AddCast(SWIG_AsVal_double (obj,&d));
+      if (SWIG_IsOK(res) && SWIG_CanCastAsInteger(&d, LONG_MIN, LONG_MAX)) {
+	if (val) *val = (long)(d);
+	return res;
+      }
+    }
+  }
+#endif
+  return SWIG_TypeError;
+}
+
+
+SWIGINTERN int
+SWIG_AsVal_int (PyObject * obj, int *val)
+{
+  long v;
+  int res = SWIG_AsVal_long (obj, &v);
+  if (SWIG_IsOK(res)) {
+    if ((v < INT_MIN || v > INT_MAX)) {
+      return SWIG_OverflowError;
+    } else {
+      if (val) *val = (int)(v);
+    }
+  }  
+  return res;
+}
+
+
+  #define SWIG_From_double   PyFloat_FromDouble 
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+SWIGINTERN PyObject *_wrap_bro_init(PyObject *SWIGUNUSEDPARM(self), PyObject *args) {
+  PyObject *resultobj = 0;
+  BroCtx *arg1 = (BroCtx *) 0 ;
+  int result;
+  int res1 ;
+  PyObject * obj0 = 0 ;
+  
+  if (!PyArg_ParseTuple(args,(char *)"O:bro_init",&obj0)) SWIG_fail;
+  res1 = SWIG_ConvertPtr(obj0,SWIG_as_voidptrptr(&arg1), 0, 0);
+  if (!SWIG_IsOK(res1)) {
+    SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "bro_init" "', argument " "1"" of type '" "BroCtx const *""'"); 
+  }
+  result = (int)bro_init((void const *)arg1);
+  resultobj = SWIG_From_int((int)(result));
+  return resultobj;
+fail:
+  return NULL;
+}
+
+
+SWIGINTERN PyObject *_wrap_bro_conn_new_str(PyObject *SWIGUNUSEDPARM(self), PyObject *args) {
+  PyObject *resultobj = 0;
+  char *arg1 = (char *) 0 ;
+  int arg2 ;
+  BroConn *result = 0 ;
+  int res1 ;
+  char *buf1 = 0 ;
+  int alloc1 = 0 ;
+  int val2 ;
+  int ecode2 = 0 ;
+  PyObject * obj0 = 0 ;
+  PyObject * obj1 = 0 ;
+  
+  if (!PyArg_ParseTuple(args,(char *)"OO:bro_conn_new_str",&obj0,&obj1)) SWIG_fail;
+  res1 = SWIG_AsCharPtrAndSize(obj0, &buf1, NULL, &alloc1);
+  if (!SWIG_IsOK(res1)) {
+    SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "bro_conn_new_str" "', argument " "1"" of type '" "char const *""'");
+  }
+  arg1 = (char *)(buf1);
+  ecode2 = SWIG_AsVal_int(obj1, &val2);
+  if (!SWIG_IsOK(ecode2)) {
+    SWIG_exception_fail(SWIG_ArgError(ecode2), "in method '" "bro_conn_new_str" "', argument " "2"" of type '" "int""'");
+  } 
+  arg2 = (int)(val2);
+  result = (BroConn *)bro_conn_new_str((char const *)arg1,arg2);
+  resultobj = SWIG_NewPointerObj(SWIG_as_voidptr(result), SWIGTYPE_p_void, 0 |  0 );
+  if (alloc1 == SWIG_NEWOBJ) free((char*)buf1);
+  return resultobj;
+fail:
+  if (alloc1 == SWIG_NEWOBJ) free((char*)buf1);
+  return NULL;
+}
+
+
+SWIGINTERN PyObject *_wrap_bro_conn_set_class(PyObject *SWIGUNUSEDPARM(self), PyObject *args) {
+  PyObject *resultobj = 0;
+  BroConn *arg1 = (BroConn *) 0 ;
+  char *arg2 = (char *) 0 ;
+  int res1 ;
+  int res2 ;
+  char *buf2 = 0 ;
+  int alloc2 = 0 ;
+  PyObject * obj0 = 0 ;
+  PyObject * obj1 = 0 ;
+  
+  if (!PyArg_ParseTuple(args,(char *)"OO:bro_conn_set_class",&obj0,&obj1)) SWIG_fail;
+  res1 = SWIG_ConvertPtr(obj0,SWIG_as_voidptrptr(&arg1), 0, 0);
+  if (!SWIG_IsOK(res1)) {
+    SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "bro_conn_set_class" "', argument " "1"" of type '" "BroConn *""'"); 
+  }
+  res2 = SWIG_AsCharPtrAndSize(obj1, &buf2, NULL, &alloc2);
+  if (!SWIG_IsOK(res2)) {
+    SWIG_exception_fail(SWIG_ArgError(res2), "in method '" "bro_conn_set_class" "', argument " "2"" of type '" "char const *""'");
+  }
+  arg2 = (char *)(buf2);
+  bro_conn_set_class(arg1,(char const *)arg2);
+  resultobj = SWIG_Py_Void();
+  if (alloc2 == SWIG_NEWOBJ) free((char*)buf2);
+  return resultobj;
+fail:
+  if (alloc2 == SWIG_NEWOBJ) free((char*)buf2);
+  return NULL;
+}
+
+
+SWIGINTERN PyObject *_wrap_bro_conn_connect(PyObject *SWIGUNUSEDPARM(self), PyObject *args) {
+  PyObject *resultobj = 0;
+  BroConn *arg1 = (BroConn *) 0 ;
+  int result;
+  int res1 ;
+  PyObject * obj0 = 0 ;
+  
+  if (!PyArg_ParseTuple(args,(char *)"O:bro_conn_connect",&obj0)) SWIG_fail;
+  res1 = SWIG_ConvertPtr(obj0,SWIG_as_voidptrptr(&arg1), 0, 0);
+  if (!SWIG_IsOK(res1)) {
+    SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "bro_conn_connect" "', argument " "1"" of type '" "BroConn *""'"); 
+  }
+  result = (int)bro_conn_connect(arg1);
+  resultobj = SWIG_From_int((int)(result));
+  return resultobj;
+fail:
+  return NULL;
+}
+
+
+SWIGINTERN PyObject *_wrap_bro_conn_process_input(PyObject *SWIGUNUSEDPARM(self), PyObject *args) {
+  PyObject *resultobj = 0;
+  BroConn *arg1 = (BroConn *) 0 ;
+  int result;
+  int res1 ;
+  PyObject * obj0 = 0 ;
+  
+  if (!PyArg_ParseTuple(args,(char *)"O:bro_conn_process_input",&obj0)) SWIG_fail;
+  res1 = SWIG_ConvertPtr(obj0,SWIG_as_voidptrptr(&arg1), 0, 0);
+  if (!SWIG_IsOK(res1)) {
+    SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "bro_conn_process_input" "', argument " "1"" of type '" "BroConn *""'"); 
+  }
+  result = (int)bro_conn_process_input(arg1);
+  resultobj = SWIG_From_int((int)(result));
+  return resultobj;
+fail:
+  return NULL;
+}
+
+
+SWIGINTERN PyObject *_wrap_bro_event_queue_length(PyObject *SWIGUNUSEDPARM(self), PyObject *args) {
+  PyObject *resultobj = 0;
+  BroConn *arg1 = (BroConn *) 0 ;
+  int result;
+  int res1 ;
+  PyObject * obj0 = 0 ;
+  
+  if (!PyArg_ParseTuple(args,(char *)"O:bro_event_queue_length",&obj0)) SWIG_fail;
+  res1 = SWIG_ConvertPtr(obj0,SWIG_as_voidptrptr(&arg1), 0, 0);
+  if (!SWIG_IsOK(res1)) {
+    SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "bro_event_queue_length" "', argument " "1"" of type '" "BroConn *""'"); 
+  }
+  result = (int)bro_event_queue_length(arg1);
+  resultobj = SWIG_From_int((int)(result));
+  return resultobj;
+fail:
+  return NULL;
+}
+
+
+SWIGINTERN PyObject *_wrap_bro_event_new(PyObject *SWIGUNUSEDPARM(self), PyObject *args) {
+  PyObject *resultobj = 0;
+  char *arg1 = (char *) 0 ;
+  BroEvent *result = 0 ;
+  int res1 ;
+  char *buf1 = 0 ;
+  int alloc1 = 0 ;
+  PyObject * obj0 = 0 ;
+  
+  if (!PyArg_ParseTuple(args,(char *)"O:bro_event_new",&obj0)) SWIG_fail;
+  res1 = SWIG_AsCharPtrAndSize(obj0, &buf1, NULL, &alloc1);
+  if (!SWIG_IsOK(res1)) {
+    SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "bro_event_new" "', argument " "1"" of type '" "char const *""'");
+  }
+  arg1 = (char *)(buf1);
+  result = (BroEvent *)bro_event_new((char const *)arg1);
+  resultobj = SWIG_NewPointerObj(SWIG_as_voidptr(result), SWIGTYPE_p_void, 0 |  0 );
+  if (alloc1 == SWIG_NEWOBJ) free((char*)buf1);
+  return resultobj;
+fail:
+  if (alloc1 == SWIG_NEWOBJ) free((char*)buf1);
+  return NULL;
+}
+
+
+SWIGINTERN PyObject *_wrap_bro_event_free(PyObject *SWIGUNUSEDPARM(self), PyObject *args) {
+  PyObject *resultobj = 0;
+  BroEvent *arg1 = (BroEvent *) 0 ;
+  int res1 ;
+  PyObject * obj0 = 0 ;
+  
+  if (!PyArg_ParseTuple(args,(char *)"O:bro_event_free",&obj0)) SWIG_fail;
+  res1 = SWIG_ConvertPtr(obj0,SWIG_as_voidptrptr(&arg1), 0, 0);
+  if (!SWIG_IsOK(res1)) {
+    SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "bro_event_free" "', argument " "1"" of type '" "BroEvent *""'"); 
+  }
+  bro_event_free(arg1);
+  resultobj = SWIG_Py_Void();
+  return resultobj;
+fail:
+  return NULL;
+}
+
+
+SWIGINTERN PyObject *_wrap_bro_event_add_val(PyObject *SWIGUNUSEDPARM(self), PyObject *args) {
+  PyObject *resultobj = 0;
+  BroEvent *arg1 = (BroEvent *) 0 ;
+  int arg2 ;
+  char *arg3 = (char *) 0 ;
+  void *arg4 = (void *) 0 ;
+  int result;
+  int res1 ;
+  PyObject * obj0 = 0 ;
+  PyObject * obj1 = 0 ;
+  
+  if (!PyArg_ParseTuple(args,(char *)"OO:bro_event_add_val",&obj0,&obj1)) SWIG_fail;
+  res1 = SWIG_ConvertPtr(obj0,SWIG_as_voidptrptr(&arg1), 0, 0);
+  if (!SWIG_IsOK(res1)) {
+    SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "bro_event_add_val" "', argument " "1"" of type '" "BroEvent *""'"); 
+  }
+  {
+    int type;
+    const char* type_name;
+    void *data;
+    
+    PyObject *val;
+    
+    //bro_debug_messages = 1;
+    //bro_debug_calltrace = 1;
+    
+    
+    if ( ! parseTypeTuple(obj1, &type, &val) )
+    return NULL;
+    
+    if ( ! pyObjToVal(val, type, &type_name, &data) )
+    return NULL;
+    
+    arg2 = type;
+    arg3 = type_name;
+    arg4 = data;
+  }
+  result = (int)bro_event_add_val(arg1,arg2,(char const *)arg3,(void const *)arg4);
+  resultobj = SWIG_From_int((int)(result));
+  {
+    // Broccoli makes copies of the passed data so we need to clean up.
+    freeBroccoliVal(arg2, arg4);
+    
+    if ( arg3 )
+    free(arg3);
+  }
+  return resultobj;
+fail:
+  {
+    // Broccoli makes copies of the passed data so we need to clean up.
+    freeBroccoliVal(arg2, arg4);
+    
+    if ( arg3 )
+    free(arg3);
+  }
+  return NULL;
+}
+
+
+SWIGINTERN PyObject *_wrap_bro_event_send(PyObject *SWIGUNUSEDPARM(self), PyObject *args) {
+  PyObject *resultobj = 0;
+  BroConn *arg1 = (BroConn *) 0 ;
+  BroEvent *arg2 = (BroEvent *) 0 ;
+  int result;
+  int res1 ;
+  int res2 ;
+  PyObject * obj0 = 0 ;
+  PyObject * obj1 = 0 ;
+  
+  if (!PyArg_ParseTuple(args,(char *)"OO:bro_event_send",&obj0,&obj1)) SWIG_fail;
+  res1 = SWIG_ConvertPtr(obj0,SWIG_as_voidptrptr(&arg1), 0, 0);
+  if (!SWIG_IsOK(res1)) {
+    SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "bro_event_send" "', argument " "1"" of type '" "BroConn *""'"); 
+  }
+  res2 = SWIG_ConvertPtr(obj1,SWIG_as_voidptrptr(&arg2), 0, 0);
+  if (!SWIG_IsOK(res2)) {
+    SWIG_exception_fail(SWIG_ArgError(res2), "in method '" "bro_event_send" "', argument " "2"" of type '" "BroEvent *""'"); 
+  }
+  result = (int)bro_event_send(arg1,arg2);
+  resultobj = SWIG_From_int((int)(result));
+  return resultobj;
+fail:
+  return NULL;
+}
+
+
+SWIGINTERN PyObject *_wrap_bro_event_registry_add_compact(PyObject *SWIGUNUSEDPARM(self), PyObject *args) {
+  PyObject *resultobj = 0;
+  BroConn *arg1 = (BroConn *) 0 ;
+  char *arg2 = (char *) 0 ;
+  BroCompactEventFunc arg3 ;
+  void *arg4 = (void *) 0 ;
+  int res1 ;
+  int res2 ;
+  char *buf2 = 0 ;
+  int alloc2 = 0 ;
+  PyObject * obj0 = 0 ;
+  PyObject * obj1 = 0 ;
+  PyObject * obj2 = 0 ;
+  
+  if (!PyArg_ParseTuple(args,(char *)"OOO:bro_event_registry_add_compact",&obj0,&obj1,&obj2)) SWIG_fail;
+  res1 = SWIG_ConvertPtr(obj0,SWIG_as_voidptrptr(&arg1), 0, 0);
+  if (!SWIG_IsOK(res1)) {
+    SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "bro_event_registry_add_compact" "', argument " "1"" of type '" "BroConn *""'"); 
+  }
+  res2 = SWIG_AsCharPtrAndSize(obj1, &buf2, NULL, &alloc2);
+  if (!SWIG_IsOK(res2)) {
+    SWIG_exception_fail(SWIG_ArgError(res2), "in method '" "bro_event_registry_add_compact" "', argument " "2"" of type '" "char const *""'");
+  }
+  arg2 = (char *)(buf2);
+  {
+    if ( ! PyFunction_Check(obj2) ) {
+      PyErr_SetString(PyExc_RuntimeError, "callback must be a function");
+      return NULL;
+    }
+    
+    arg3 = event_callback;
+    arg4 = obj2;
+    Py_INCREF(obj2);
+  }
+  bro_event_registry_add_compact(arg1,(char const *)arg2,arg3,arg4);
+  resultobj = SWIG_Py_Void();
+  if (alloc2 == SWIG_NEWOBJ) free((char*)buf2);
+  return resultobj;
+fail:
+  if (alloc2 == SWIG_NEWOBJ) free((char*)buf2);
+  return NULL;
+}
+
+
+SWIGINTERN PyObject *_wrap_bro_util_current_time(PyObject *SWIGUNUSEDPARM(self), PyObject *args) {
+  PyObject *resultobj = 0;
+  double result;
+  
+  if (!PyArg_ParseTuple(args,(char *)":bro_util_current_time")) SWIG_fail;
+  result = (double)bro_util_current_time();
+  resultobj = SWIG_From_double((double)(result));
+  return resultobj;
+fail:
+  return NULL;
+}
+
+
+static PyMethodDef SwigMethods[] = {
+	 { (char *)"bro_init", _wrap_bro_init, METH_VARARGS, NULL},
+	 { (char *)"bro_conn_new_str", _wrap_bro_conn_new_str, METH_VARARGS, NULL},
+	 { (char *)"bro_conn_set_class", _wrap_bro_conn_set_class, METH_VARARGS, NULL},
+	 { (char *)"bro_conn_connect", _wrap_bro_conn_connect, METH_VARARGS, NULL},
+	 { (char *)"bro_conn_process_input", _wrap_bro_conn_process_input, METH_VARARGS, NULL},
+	 { (char *)"bro_event_queue_length", _wrap_bro_event_queue_length, METH_VARARGS, NULL},
+	 { (char *)"bro_event_new", _wrap_bro_event_new, METH_VARARGS, NULL},
+	 { (char *)"bro_event_free", _wrap_bro_event_free, METH_VARARGS, NULL},
+	 { (char *)"bro_event_add_val", _wrap_bro_event_add_val, METH_VARARGS, NULL},
+	 { (char *)"bro_event_send", _wrap_bro_event_send, METH_VARARGS, NULL},
+	 { (char *)"bro_event_registry_add_compact", _wrap_bro_event_registry_add_compact, METH_VARARGS, NULL},
+	 { (char *)"bro_util_current_time", _wrap_bro_util_current_time, METH_VARARGS, NULL},
+	 { NULL, NULL, 0, NULL }
+};
+
+
+/* -------- TYPE CONVERSION AND EQUIVALENCE RULES (BEGIN) -------- */
+
+static swig_type_info _swigt__p_BroCompactEventFunc = {"_p_BroCompactEventFunc", "BroCompactEventFunc *", 0, 0, (void*)0, 0};
+static swig_type_info _swigt__p_char = {"_p_char", "char *", 0, 0, (void*)0, 0};
+static swig_type_info _swigt__p_void = {"_p_void", "void *|BroEvent *", 0, 0, (void*)0, 0};
+
+static swig_type_info *swig_type_initial[] = {
+  &_swigt__p_BroCompactEventFunc,
+  &_swigt__p_char,
+  &_swigt__p_void,
+};
+
+static swig_cast_info _swigc__p_BroCompactEventFunc[] = {  {&_swigt__p_BroCompactEventFunc, 0, 0, 0},{0, 0, 0, 0}};
+static swig_cast_info _swigc__p_char[] = {  {&_swigt__p_char, 0, 0, 0},{0, 0, 0, 0}};
+static swig_cast_info _swigc__p_void[] = {  {&_swigt__p_void, 0, 0, 0},{0, 0, 0, 0}};
+
+static swig_cast_info *swig_cast_initial[] = {
+  _swigc__p_BroCompactEventFunc,
+  _swigc__p_char,
+  _swigc__p_void,
+};
+
+
+/* -------- TYPE CONVERSION AND EQUIVALENCE RULES (END) -------- */
+
+static swig_const_info swig_const_table[] = {
+{0, 0, 0, 0.0, 0, 0}};
+
+#ifdef __cplusplus
+}
+#endif
+/* -----------------------------------------------------------------------------
+ * Type initialization:
+ * This problem is tough by the requirement that no dynamic 
+ * memory is used. Also, since swig_type_info structures store pointers to 
+ * swig_cast_info structures and swig_cast_info structures store pointers back
+ * to swig_type_info structures, we need some lookup code at initialization. 
+ * The idea is that swig generates all the structures that are needed. 
+ * The runtime then collects these partially filled structures. 
+ * The SWIG_InitializeModule function takes these initial arrays out of 
+ * swig_module, and does all the lookup, filling in the swig_module.types
+ * array with the correct data and linking the correct swig_cast_info
+ * structures together.
+ *
+ * The generated swig_type_info structures are assigned staticly to an initial 
+ * array. We just loop through that array, and handle each type individually.
+ * First we lookup if this type has been already loaded, and if so, use the
+ * loaded structure instead of the generated one. Then we have to fill in the
+ * cast linked list. The cast data is initially stored in something like a
+ * two-dimensional array. Each row corresponds to a type (there are the same
+ * number of rows as there are in the swig_type_initial array). Each entry in
+ * a column is one of the swig_cast_info structures for that type.
+ * The cast_initial array is actually an array of arrays, because each row has
+ * a variable number of columns. So to actually build the cast linked list,
+ * we find the array of casts associated with the type, and loop through it 
+ * adding the casts to the list. The one last trick we need to do is making
+ * sure the type pointer in the swig_cast_info struct is correct.
+ *
+ * First off, we lookup the cast->type name to see if it is already loaded. 
+ * There are three cases to handle:
+ *  1) If the cast->type has already been loaded AND the type we are adding
+ *     casting info to has not been loaded (it is in this module), THEN we
+ *     replace the cast->type pointer with the type pointer that has already
+ *     been loaded.
+ *  2) If BOTH types (the one we are adding casting info to, and the 
+ *     cast->type) are loaded, THEN the cast info has already been loaded by
+ *     the previous module so we just ignore it.
+ *  3) Finally, if cast->type has not already been loaded, then we add that
+ *     swig_cast_info to the linked list (because the cast->type) pointer will
+ *     be correct.
+ * ----------------------------------------------------------------------------- */
+
+#ifdef __cplusplus
+extern "C" {
+#if 0
+} /* c-mode */
+#endif
+#endif
+
+#if 0
+#define SWIGRUNTIME_DEBUG
+#endif
+
+
+SWIGRUNTIME void
+SWIG_InitializeModule(void *clientdata) {
+  size_t i;
+  swig_module_info *module_head, *iter;
+  int found;
+  
+  clientdata = clientdata;
+  
+  /* check to see if the circular list has been setup, if not, set it up */
+  if (swig_module.next==0) {
+    /* Initialize the swig_module */
+    swig_module.type_initial = swig_type_initial;
+    swig_module.cast_initial = swig_cast_initial;
+    swig_module.next = &swig_module;
+  }
+  
+  /* Try and load any already created modules */
+  module_head = SWIG_GetModule(clientdata);
+  if (!module_head) {
+    /* This is the first module loaded for this interpreter */
+    /* so set the swig module into the interpreter */
+    SWIG_SetModule(clientdata, &swig_module);
+    module_head = &swig_module;
+  } else {
+    /* the interpreter has loaded a SWIG module, but has it loaded this one? */
+    found=0;
+    iter=module_head;
+    do {
+      if (iter==&swig_module) {
+        found=1;
+        break;
+      }
+      iter=iter->next;
+    } while (iter!= module_head);
+    
+    /* if the is found in the list, then all is done and we may leave */
+    if (found) return;
+    /* otherwise we must add out module into the list */
+    swig_module.next = module_head->next;
+    module_head->next = &swig_module;
+  }
+  
+  /* Now work on filling in swig_module.types */
+#ifdef SWIGRUNTIME_DEBUG
+  printf("SWIG_InitializeModule: size %d\n", swig_module.size);
+#endif
+  for (i = 0; i < swig_module.size; ++i) {
+    swig_type_info *type = 0;
+    swig_type_info *ret;
+    swig_cast_info *cast;
+    
+#ifdef SWIGRUNTIME_DEBUG
+    printf("SWIG_InitializeModule: type %d %s\n", i, swig_module.type_initial[i]->name);
+#endif
+    
+    /* if there is another module already loaded */
+    if (swig_module.next != &swig_module) {
+      type = SWIG_MangledTypeQueryModule(swig_module.next, &swig_module, swig_module.type_initial[i]->name);
+    }
+    if (type) {
+      /* Overwrite clientdata field */
+#ifdef SWIGRUNTIME_DEBUG
+      printf("SWIG_InitializeModule: found type %s\n", type->name);
+#endif
+      if (swig_module.type_initial[i]->clientdata) {
+        type->clientdata = swig_module.type_initial[i]->clientdata;
+#ifdef SWIGRUNTIME_DEBUG
+        printf("SWIG_InitializeModule: found and overwrite type %s \n", type->name);
+#endif
+      }
+    } else {
+      type = swig_module.type_initial[i];
+    }
+    
+    /* Insert casting types */
+    cast = swig_module.cast_initial[i];
+    while (cast->type) {
+      /* Don't need to add information already in the list */
+      ret = 0;
+#ifdef SWIGRUNTIME_DEBUG
+      printf("SWIG_InitializeModule: look cast %s\n", cast->type->name);
+#endif
+      if (swig_module.next != &swig_module) {
+        ret = SWIG_MangledTypeQueryModule(swig_module.next, &swig_module, cast->type->name);
+#ifdef SWIGRUNTIME_DEBUG
+        if (ret) printf("SWIG_InitializeModule: found cast %s\n", ret->name);
+#endif
+      }
+      if (ret) {
+        if (type == swig_module.type_initial[i]) {
+#ifdef SWIGRUNTIME_DEBUG
+          printf("SWIG_InitializeModule: skip old type %s\n", ret->name);
+#endif
+          cast->type = ret;
+          ret = 0;
+        } else {
+          /* Check for casting already in the list */
+          swig_cast_info *ocast = SWIG_TypeCheck(ret->name, type);
+#ifdef SWIGRUNTIME_DEBUG
+          if (ocast) printf("SWIG_InitializeModule: skip old cast %s\n", ret->name);
+#endif
+          if (!ocast) ret = 0;
+        }
+      }
+      
+      if (!ret) {
+#ifdef SWIGRUNTIME_DEBUG
+        printf("SWIG_InitializeModule: adding cast %s\n", cast->type->name);
+#endif
+        if (type->cast) {
+          type->cast->prev = cast;
+          cast->next = type->cast;
+        }
+        type->cast = cast;
+      }
+      cast++;
+    }
+    /* Set entry in modules->types array equal to the type */
+    swig_module.types[i] = type;
+  }
+  swig_module.types[i] = 0;
+  
+#ifdef SWIGRUNTIME_DEBUG
+  printf("**** SWIG_InitializeModule: Cast List ******\n");
+  for (i = 0; i < swig_module.size; ++i) {
+    int j = 0;
+    swig_cast_info *cast = swig_module.cast_initial[i];
+    printf("SWIG_InitializeModule: type %d %s\n", i, swig_module.type_initial[i]->name);
+    while (cast->type) {
+      printf("SWIG_InitializeModule: cast type %s\n", cast->type->name);
+      cast++;
+      ++j;
+    }
+    printf("---- Total casts: %d\n",j);
+  }
+  printf("**** SWIG_InitializeModule: Cast List ******\n");
+#endif
+}
+
+/* This function will propagate the clientdata field of type to
+* any new swig_type_info structures that have been added into the list
+* of equivalent types.  It is like calling
+* SWIG_TypeClientData(type, clientdata) a second time.
+*/
+SWIGRUNTIME void
+SWIG_PropagateClientData(void) {
+  size_t i;
+  swig_cast_info *equiv;
+  static int init_run = 0;
+  
+  if (init_run) return;
+  init_run = 1;
+  
+  for (i = 0; i < swig_module.size; i++) {
+    if (swig_module.types[i]->clientdata) {
+      equiv = swig_module.types[i]->cast;
+      while (equiv) {
+        if (!equiv->converter) {
+          if (equiv->type && !equiv->type->clientdata)
+          SWIG_TypeClientData(equiv->type, swig_module.types[i]->clientdata);
+        }
+        equiv = equiv->next;
+      }
+    }
+  }
+}
+
+#ifdef __cplusplus
+#if 0
+{
+  /* c-mode */
+#endif
+}
+#endif
+
+
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+  
+  /* Python-specific SWIG API */
+#define SWIG_newvarlink()                             SWIG_Python_newvarlink()
+#define SWIG_addvarlink(p, name, get_attr, set_attr)  SWIG_Python_addvarlink(p, name, get_attr, set_attr)
+#define SWIG_InstallConstants(d, constants)           SWIG_Python_InstallConstants(d, constants)
+  
+  /* -----------------------------------------------------------------------------
+   * global variable support code.
+   * ----------------------------------------------------------------------------- */
+  
+  typedef struct swig_globalvar {
+    char       *name;                  /* Name of global variable */
+    PyObject *(*get_attr)(void);       /* Return the current value */
+    int       (*set_attr)(PyObject *); /* Set the value */
+    struct swig_globalvar *next;
+  } swig_globalvar;
+  
+  typedef struct swig_varlinkobject {
+    PyObject_HEAD
+    swig_globalvar *vars;
+  } swig_varlinkobject;
+  
+  SWIGINTERN PyObject *
+  swig_varlink_repr(swig_varlinkobject *SWIGUNUSEDPARM(v)) {
+    return PyString_FromString("<Swig global variables>");
+  }
+  
+  SWIGINTERN PyObject *
+  swig_varlink_str(swig_varlinkobject *v) {
+    PyObject *str = PyString_FromString("(");
+    swig_globalvar  *var;
+    for (var = v->vars; var; var=var->next) {
+      PyString_ConcatAndDel(&str,PyString_FromString(var->name));
+      if (var->next) PyString_ConcatAndDel(&str,PyString_FromString(", "));
+    }
+    PyString_ConcatAndDel(&str,PyString_FromString(")"));
+    return str;
+  }
+  
+  SWIGINTERN int
+  swig_varlink_print(swig_varlinkobject *v, FILE *fp, int SWIGUNUSEDPARM(flags)) {
+    PyObject *str = swig_varlink_str(v);
+    fprintf(fp,"Swig global variables ");
+    fprintf(fp,"%s\n", PyString_AsString(str));
+    Py_DECREF(str);
+    return 0;
+  }
+  
+  SWIGINTERN void
+  swig_varlink_dealloc(swig_varlinkobject *v) {
+    swig_globalvar *var = v->vars;
+    while (var) {
+      swig_globalvar *n = var->next;
+      free(var->name);
+      free(var);
+      var = n;
+    }
+  }
+  
+  SWIGINTERN PyObject *
+  swig_varlink_getattr(swig_varlinkobject *v, char *n) {
+    PyObject *res = NULL;
+    swig_globalvar *var = v->vars;
+    while (var) {
+      if (strcmp(var->name,n) == 0) {
+        res = (*var->get_attr)();
+        break;
+      }
+      var = var->next;
+    }
+    if (res == NULL && !PyErr_Occurred()) {
+      PyErr_SetString(PyExc_NameError,"Unknown C global variable");
+    }
+    return res;
+  }
+  
+  SWIGINTERN int
+  swig_varlink_setattr(swig_varlinkobject *v, char *n, PyObject *p) {
+    int res = 1;
+    swig_globalvar *var = v->vars;
+    while (var) {
+      if (strcmp(var->name,n) == 0) {
+        res = (*var->set_attr)(p);
+        break;
+      }
+      var = var->next;
+    }
+    if (res == 1 && !PyErr_Occurred()) {
+      PyErr_SetString(PyExc_NameError,"Unknown C global variable");
+    }
+    return res;
+  }
+  
+  SWIGINTERN PyTypeObject*
+  swig_varlink_type(void) {
+    static char varlink__doc__[] = "Swig var link object";
+    static PyTypeObject varlink_type;
+    static int type_init = 0;  
+    if (!type_init) {
+      const PyTypeObject tmp
+      = {
+        PyObject_HEAD_INIT(NULL)
+        0,                                  /* Number of items in variable part (ob_size) */
+        (char *)"swigvarlink",              /* Type name (tp_name) */
+        sizeof(swig_varlinkobject),         /* Basic size (tp_basicsize) */
+        0,                                  /* Itemsize (tp_itemsize) */
+        (destructor) swig_varlink_dealloc,   /* Deallocator (tp_dealloc) */ 
+        (printfunc) swig_varlink_print,     /* Print (tp_print) */
+        (getattrfunc) swig_varlink_getattr, /* get attr (tp_getattr) */
+        (setattrfunc) swig_varlink_setattr, /* Set attr (tp_setattr) */
+        0,                                  /* tp_compare */
+        (reprfunc) swig_varlink_repr,       /* tp_repr */
+        0,                                  /* tp_as_number */
+        0,                                  /* tp_as_sequence */
+        0,                                  /* tp_as_mapping */
+        0,                                  /* tp_hash */
+        0,                                  /* tp_call */
+        (reprfunc)swig_varlink_str,        /* tp_str */
+        0,                                  /* tp_getattro */
+        0,                                  /* tp_setattro */
+        0,                                  /* tp_as_buffer */
+        0,                                  /* tp_flags */
+        varlink__doc__,                     /* tp_doc */
+        0,                                  /* tp_traverse */
+        0,                                  /* tp_clear */
+        0,                                  /* tp_richcompare */
+        0,                                  /* tp_weaklistoffset */
+#if PY_VERSION_HEX >= 0x02020000
+        0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0, /* tp_iter -> tp_weaklist */
+#endif
+#if PY_VERSION_HEX >= 0x02030000
+        0,                                  /* tp_del */
+#endif
+#ifdef COUNT_ALLOCS
+        0,0,0,0                             /* tp_alloc -> tp_next */
+#endif
+      };
+      varlink_type = tmp;
+      varlink_type.ob_type = &PyType_Type;
+      type_init = 1;
+    }
+    return &varlink_type;
+  }
+  
+  /* Create a variable linking object for use later */
+  SWIGINTERN PyObject *
+  SWIG_Python_newvarlink(void) {
+    swig_varlinkobject *result = PyObject_NEW(swig_varlinkobject, swig_varlink_type());
+    if (result) {
+      result->vars = 0;
+    }
+    return ((PyObject*) result);
+  }
+  
+  SWIGINTERN void 
+  SWIG_Python_addvarlink(PyObject *p, char *name, PyObject *(*get_attr)(void), int (*set_attr)(PyObject *p)) {
+    swig_varlinkobject *v = (swig_varlinkobject *) p;
+    swig_globalvar *gv = (swig_globalvar *) malloc(sizeof(swig_globalvar));
+    if (gv) {
+      size_t size = strlen(name)+1;
+      gv->name = (char *)malloc(size);
+      if (gv->name) {
+        strncpy(gv->name,name,size);
+        gv->get_attr = get_attr;
+        gv->set_attr = set_attr;
+        gv->next = v->vars;
+      }
+    }
+    v->vars = gv;
+  }
+  
+  SWIGINTERN PyObject *
+  SWIG_globals(void) {
+    static PyObject *_SWIG_globals = 0; 
+    if (!_SWIG_globals) _SWIG_globals = SWIG_newvarlink();  
+    return _SWIG_globals;
+  }
+  
+  /* -----------------------------------------------------------------------------
+   * constants/methods manipulation
+   * ----------------------------------------------------------------------------- */
+  
+  /* Install Constants */
+  SWIGINTERN void
+  SWIG_Python_InstallConstants(PyObject *d, swig_const_info constants[]) {
+    PyObject *obj = 0;
+    size_t i;
+    for (i = 0; constants[i].type; ++i) {
+      switch(constants[i].type) {
+      case SWIG_PY_POINTER:
+        obj = SWIG_NewPointerObj(constants[i].pvalue, *(constants[i]).ptype,0);
+        break;
+      case SWIG_PY_BINARY:
+        obj = SWIG_NewPackedObj(constants[i].pvalue, constants[i].lvalue, *(constants[i].ptype));
+        break;
+      default:
+        obj = 0;
+        break;
+      }
+      if (obj) {
+        PyDict_SetItemString(d, constants[i].name, obj);
+        Py_DECREF(obj);
+      }
+    }
+  }
+  
+  /* -----------------------------------------------------------------------------*/
+  /* Fix SwigMethods to carry the callback ptrs when needed */
+  /* -----------------------------------------------------------------------------*/
+  
+  SWIGINTERN void
+  SWIG_Python_FixMethods(PyMethodDef *methods,
+    swig_const_info *const_table,
+    swig_type_info **types,
+    swig_type_info **types_initial) {
+    size_t i;
+    for (i = 0; methods[i].ml_name; ++i) {
+      const char *c = methods[i].ml_doc;
+      if (c && (c = strstr(c, "swig_ptr: "))) {
+        int j;
+        swig_const_info *ci = 0;
+        const char *name = c + 10;
+        for (j = 0; const_table[j].type; ++j) {
+          if (strncmp(const_table[j].name, name, 
+              strlen(const_table[j].name)) == 0) {
+            ci = &(const_table[j]);
+            break;
+          }
+        }
+        if (ci) {
+          size_t shift = (ci->ptype) - types;
+          swig_type_info *ty = types_initial[shift];
+          size_t ldoc = (c - methods[i].ml_doc);
+          size_t lptr = strlen(ty->name)+2*sizeof(void*)+2;
+          char *ndoc = (char*)malloc(ldoc + lptr + 10);
+          if (ndoc) {
+            char *buff = ndoc;
+            void *ptr = (ci->type == SWIG_PY_POINTER) ? ci->pvalue : 0;
+            if (ptr) {
+              strncpy(buff, methods[i].ml_doc, ldoc);
+              buff += ldoc;
+              strncpy(buff, "swig_ptr: ", 10);
+              buff += 10;
+              SWIG_PackVoidPtr(buff, ptr, ty->name, lptr);
+              methods[i].ml_doc = ndoc;
+            }
+          }
+        }
+      }
+    }
+  } 
+  
+#ifdef __cplusplus
+}
+#endif
+
+/* -----------------------------------------------------------------------------*
+ *  Partial Init method
+ * -----------------------------------------------------------------------------*/
+
+#ifdef __cplusplus
+extern "C"
+#endif
+SWIGEXPORT void SWIG_init(void) {
+  PyObject *m, *d;
+  
+  /* Fix SwigMethods to carry the callback ptrs when needed */
+  SWIG_Python_FixMethods(SwigMethods, swig_const_table, swig_types, swig_type_initial);
+  
+  m = Py_InitModule((char *) SWIG_name, SwigMethods);
+  d = PyModule_GetDict(m);
+  
+  SWIG_InitializeModule(0);
+  SWIG_InstallConstants(d,swig_const_table);
+  
+  
+  SWIG_Python_SetConstant(d, "BRO_TYPE_UNKNOWN",SWIG_From_int((int)(0)));
+  SWIG_Python_SetConstant(d, "BRO_TYPE_BOOL",SWIG_From_int((int)(1)));
+  SWIG_Python_SetConstant(d, "BRO_TYPE_INT",SWIG_From_int((int)(2)));
+  SWIG_Python_SetConstant(d, "BRO_TYPE_COUNT",SWIG_From_int((int)(3)));
+  SWIG_Python_SetConstant(d, "BRO_TYPE_COUNTER",SWIG_From_int((int)(4)));
+  SWIG_Python_SetConstant(d, "BRO_TYPE_DOUBLE",SWIG_From_int((int)(5)));
+  SWIG_Python_SetConstant(d, "BRO_TYPE_TIME",SWIG_From_int((int)(6)));
+  SWIG_Python_SetConstant(d, "BRO_TYPE_INTERVAL",SWIG_From_int((int)(7)));
+  SWIG_Python_SetConstant(d, "BRO_TYPE_STRING",SWIG_From_int((int)(8)));
+  SWIG_Python_SetConstant(d, "BRO_TYPE_PATTERN",SWIG_From_int((int)(9)));
+  SWIG_Python_SetConstant(d, "BRO_TYPE_ENUM",SWIG_From_int((int)(10)));
+  SWIG_Python_SetConstant(d, "BRO_TYPE_TIMER",SWIG_From_int((int)(11)));
+  SWIG_Python_SetConstant(d, "BRO_TYPE_PORT",SWIG_From_int((int)(12)));
+  SWIG_Python_SetConstant(d, "BRO_TYPE_IPADDR",SWIG_From_int((int)(13)));
+  SWIG_Python_SetConstant(d, "BRO_TYPE_NET",SWIG_From_int((int)(14)));
+  SWIG_Python_SetConstant(d, "BRO_TYPE_SUBNET",SWIG_From_int((int)(15)));
+  SWIG_Python_SetConstant(d, "BRO_TYPE_ANY",SWIG_From_int((int)(16)));
+  SWIG_Python_SetConstant(d, "BRO_TYPE_TABLE",SWIG_From_int((int)(17)));
+  SWIG_Python_SetConstant(d, "BRO_TYPE_UNION",SWIG_From_int((int)(18)));
+  SWIG_Python_SetConstant(d, "BRO_TYPE_RECORD",SWIG_From_int((int)(19)));
+  SWIG_Python_SetConstant(d, "BRO_TYPE_LIST",SWIG_From_int((int)(20)));
+  SWIG_Python_SetConstant(d, "BRO_TYPE_FUNC",SWIG_From_int((int)(21)));
+  SWIG_Python_SetConstant(d, "BRO_TYPE_FILE",SWIG_From_int((int)(22)));
+  SWIG_Python_SetConstant(d, "BRO_TYPE_VECTOR",SWIG_From_int((int)(23)));
+  SWIG_Python_SetConstant(d, "BRO_TYPE_ERROR",SWIG_From_int((int)(24)));
+  SWIG_Python_SetConstant(d, "BRO_TYPE_PACKET",SWIG_From_int((int)(25)));
+  SWIG_Python_SetConstant(d, "BRO_TYPE_SET",SWIG_From_int((int)(26)));
+  SWIG_Python_SetConstant(d, "BRO_TYPE_MAX",SWIG_From_int((int)(27)));
+  SWIG_Python_SetConstant(d, "BRO_CFLAG_NONE",SWIG_From_int((int)(0)));
+  SWIG_Python_SetConstant(d, "BRO_CFLAG_RECONNECT",SWIG_From_int((int)((1 << 0))));
+  SWIG_Python_SetConstant(d, "BRO_CFLAG_ALWAYS_QUEUE",SWIG_From_int((int)((1 << 1))));
+  SWIG_Python_SetConstant(d, "BRO_CFLAG_SHAREABLE",SWIG_From_int((int)((1 << 2))));
+  SWIG_Python_SetConstant(d, "BRO_CFLAG_DONTCACHE",SWIG_From_int((int)((1 << 3))));
+  SWIG_Python_SetConstant(d, "BRO_CFLAG_YIELD",SWIG_From_int((int)((1 << 4))));
+  SWIG_Python_SetConstant(d, "BRO_CFLAG_CACHE",SWIG_From_int((int)((1 << 5))));
+}
+
diff --git a/aux/broccoli/bindings/python/setup.py b/aux/broccoli/bindings/python/setup.py
new file mode 100755
index 0000000000..1960f22203
--- /dev/null
+++ b/aux/broccoli/bindings/python/setup.py
@@ -0,0 +1,21 @@
+#! /usr/bin/env python
+
+import os
+import sys
+
+from distutils.core import setup, Extension
+
+setup(name="pybroccoli", 
+    version="0.1",
+    author="Robin Sommer",
+    author_email="robin@icir.org",
+    license="GPL",
+    url="http://www.icir.org/robin/pybroccoli",
+    py_modules=['broccoli'],
+    ext_modules = [ 
+        Extension("_broccoli_intern", ["broccoli_intern_wrap.c"],
+                  include_dirs=["../../src"],
+                  library_dirs=["../../src/.libs"],
+                  libraries=["broccoli"])]
+)
+
diff --git a/aux/broccoli/bindings/python/tests/broping-record.py b/aux/broccoli/bindings/python/tests/broping-record.py
new file mode 100755
index 0000000000..305e5821ec
--- /dev/null
+++ b/aux/broccoli/bindings/python/tests/broping-record.py
@@ -0,0 +1,30 @@
+#! /usr/bin/env python
+#
+# Use with broccoli/test/broping-record.bro.
+
+from time import sleep
+from broccoli import *
+
+ping_data = record_type("seq", "src_time")
+pong_data = record_type("seq", "src_time", "dst_time")
+
+@event(pong_data)
+def pong(data):
+    print "pong event: seq=%i, time=%f/%f s" % (data.seq, 
+        data.dst_time - data.src_time, current_time() - data.src_time)
+
+bc = Connection("127.0.0.1:47758")
+
+seq = 1
+
+while True:
+    data = record(ping_data)
+    data.seq = count(seq)
+    data.src_time = time(current_time())
+    bc.send("ping", data)
+    
+    seq += 1
+    sleep(1)
+    
+
+
diff --git a/aux/broccoli/bindings/python/tests/broping.py b/aux/broccoli/bindings/python/tests/broping.py
new file mode 100755
index 0000000000..eec1d9efb3
--- /dev/null
+++ b/aux/broccoli/bindings/python/tests/broping.py
@@ -0,0 +1,24 @@
+#! /usr/bin/env python
+#
+# Use with broccoli/test/broping.bro.
+
+from time import sleep
+from broccoli import *
+
+@event
+def pong(src_time, dst_time, seq):
+    print "pong event: seq=%i, time=%f/%f s" % (seq, 
+        dst_time - src_time, current_time() - src_time)
+             
+bc = Connection("127.0.0.1:47758")
+
+seq = 1
+
+while True:
+    bc.send("ping", time(current_time()), count(seq))
+
+    seq += 1
+    sleep(1)
+    
+
+
diff --git a/aux/broccoli/bindings/python/tests/test.bro b/aux/broccoli/bindings/python/tests/test.bro
new file mode 100644
index 0000000000..0bb72722b3
--- /dev/null
+++ b/aux/broccoli/bindings/python/tests/test.bro
@@ -0,0 +1,57 @@
+
+@load listen-clear
+redef listen_port_clear    = 47758/tcp;
+
+redef Remote::destinations += {
+	["broping"] = [$host = 127.0.0.1, $events = /test1|test3/, $connect=F, $ssl=F]
+};
+
+
+### Testing atomic types.
+
+type foo: enum { CONST1, CONST2, CONST3 };
+
+# No enum currently as Broccoli has trouble receiving them.
+global test2: event(a: int, b: count, c: time, d: interval, e: bool, f: double, g: string, h: port, i: addr, j: net, k: subnet);
+global test2b: event(a: int, b: count, c: time, d: interval, e: bool, f: double, g: string, h: port, i: addr, j: net, k: subnet);
+
+event test1(a: int, b: count, c: time, d: interval, e: bool, f: double, g: string, h: port, i: addr, j: net, k: subnet)
+{
+    print "==== atomic";
+    print a;
+    print b;
+    print c;
+    print d;
+    print e;
+    print f;
+    print g;
+    print h;
+    print i;
+    print j;
+    print k;
+    
+    event test2(-4, 42, current_time(), 1min, T, 3.14, "Hurz", 12345/udp, 1.2.3.4, 10.0., 22.33.44.0/24);
+    event test2(a,b,c,d,e,f,g,h,i,j,k);
+    event test2b(a,b,c,d,e,f,g,h,i,j,k);
+}
+
+### Testing record types.
+
+type rec: record {
+    a: int;
+    b: addr;
+};
+
+global test4: event(r: rec);
+
+event test3(r: rec)
+{
+    print "==== record";
+    print r$a, r$b;
+    event test4(r);
+    
+    local r2 : rec;
+    r2$a = 99;
+    r2$b = 3.4.5.1;
+    event test4(r2);
+}
diff --git a/aux/broccoli/bindings/python/tests/test.py b/aux/broccoli/bindings/python/tests/test.py
new file mode 100755
index 0000000000..95143708f8
--- /dev/null
+++ b/aux/broccoli/bindings/python/tests/test.py
@@ -0,0 +1,89 @@
+#! /usr/bin/env python
+
+import time as Time
+
+from broccoli import *
+
+@event
+def test2(a,b,c,d,e,f,g,h,i,j,k):
+    global recv
+    recv += 1
+    print "==== atomic a %d ====" % recv
+    print repr(a), a
+    print repr(b), b
+    print repr(c), c
+    print repr(d), d
+    print repr(e), e
+    print repr(f), f
+    print repr(g), g
+    print repr(h), h
+    print repr(i), i
+    print repr(j), j
+    print repr(j), k
+
+# Same except with typing this time.    
+@event(int,count,time,interval,bool,double,addr,port,addr,net,subnet)
+def test2b(a,b,c,d,e,f,g,h,i,j,k):
+    print "==== atomic b %d ====" % recv
+    print repr(a), a
+    print repr(b), b
+    print repr(c), c
+    print repr(d), d
+    print repr(e), e
+    print repr(f), f
+    print repr(g), g
+    print repr(h), h
+    print repr(i), i
+    print repr(j), j
+    print repr(j), k
+    
+rec = record_type("a", "b")    
+    
+@event(rec)    
+def test4(r):
+    global recv
+    recv += 1
+    print "==== record %d ====" % recv
+    print repr(r)
+    print repr(r.a), r.a
+    print repr(r.b), r.b
+    
+bc = Connection("127.0.0.1:47758")
+
+bc.send("test1", 
+    int(-10), 
+    count(2), 
+    time(current_time()), 
+    interval(120), 
+    bool(False), 
+    double(1.5), 
+    string("Servus"), 
+    port("5555/tcp"), 
+    addr("6.7.6.5"), 
+    net("20.0."), 
+    subnet("192.168.0.0/16")
+    )
+
+recv = 0
+while True:
+    bc.processInput();
+    if recv == 2:
+        break
+    Time.sleep(1)
+
+    
+r = record(rec)
+r.a = 42;
+r.b = addr("6.6.7.7")
+
+bc.send("test3", r)
+    
+recv = 0
+while True:
+    bc.processInput();
+    if recv == 2:
+        break
+    Time.sleep(1)
+    
+    
+
diff --git a/aux/broccoli/broccoli-config.in b/aux/broccoli/broccoli-config.in
new file mode 100644
index 0000000000..952bc82cb3
--- /dev/null
+++ b/aux/broccoli/broccoli-config.in
@@ -0,0 +1,66 @@
+#!/bin/sh
+
+buildinfo=@BUILDINFO@
+prefix=@prefix@
+exec_prefix=@exec_prefix@
+exec_prefix_set=no
+
+usage="\
+Usage: broccoli-config [--build] [--prefix[=DIR]] [--exec-prefix[=DIR]] [--version] [--libs] [--cflags] [--config]"
+
+if test $# -eq 0; then
+      echo "${usage}" 1>&2
+      exit 1
+fi
+
+while test $# -gt 0; do
+  case "$1" in
+  -*=*) optarg=`echo "$1" | sed 's/[-_a-zA-Z0-9]*=//'` ;;
+  *) optarg= ;;
+  esac
+
+  case $1 in
+    --build)
+      echo $buildinfo
+      ;;
+    --prefix=*)
+      prefix=$optarg
+      if test $exec_prefix_set = no ; then
+        exec_prefix=$optarg
+      fi
+      ;;
+    --prefix)
+      echo $prefix
+      ;;
+    --exec-prefix=*)
+      exec_prefix=$optarg
+      exec_prefix_set=yes
+      ;;
+    --exec-prefix)
+      echo $exec_prefix
+      ;;
+    --version)
+      echo @VERSION@
+      ;;
+    --cflags)
+      if test @includedir@ != /usr/include ; then
+        includes=-I@includedir@
+      fi
+      echo $includes -I$prefix/include @BRO_CFLAGSADD@ -DBROCCOLI 
+      ;;
+    --libs)
+      libdirs=-L@libdir@
+      echo $libdirs -lbroccoli @BRO_LIBADD@
+      ;;
+    --config)
+      echo @BRO_SYSCONF_FILE@
+      ;;
+    *)
+      echo "${usage}" 1>&2
+      exit 1
+      ;;
+  esac
+  shift
+done
+
+exit 0
diff --git a/aux/broccoli/broccoli.conf b/aux/broccoli/broccoli.conf
new file mode 100644
index 0000000000..c067d01f49
--- /dev/null
+++ b/aux/broccoli/broccoli.conf
@@ -0,0 +1,61 @@
+# This is the Broccoli system-wide configuration file. 
+#
+# The config file is structured into sections. The settings in each
+# section are called a domain. Each domain is identified as follows:
+#
+# [ name ]
+# 
+# where "name" is a single word consisting of alphanumeric letters
+# without whitespace. The beginning of the document can contain
+# additional settings, these comprise the default domain. It will be
+# used when bro_conf_set_domain() is never used.
+#
+# Entries are of the form <identifier> <value>, where the identifier
+# is a sequence of letters, and value can be a string (including
+# whitespace), and floating point or integer numbers. Comments start
+# with a "#" and go to the end of the line. For boolean values, you
+# may also use "yes", "on", "true", "no", "off", or "false".
+# Strings may contain whitespace, but need to be surrounded by
+# double quotes '"'.
+#
+# You can name identifiers any way you like, but to keep things
+# organized we recommend a hierarchical structure. Case matters.
+#
+# Examples:
+#
+# Foo/PeerName		mybro.securesite.com
+# Foo/PortNum		123
+# Bar/SomeFloat		1.23443543
+# Bar/SomeLongStr	"Hello World"
+#
+
+# Debugging output
+# ----------------
+#/broccoli/debug_messages	yes
+#/broccoli/debug_calltrace	yes
+
+# Encryption setup
+# ----------------
+#
+# In order to configure encrypted communications, you have to point
+# these two entries to this agent's certificate + private key and
+# the trusted CA's certificate, respectively. You can optionally
+# store the passphrase for this agent's private key in the config
+# file as well, but you should obviously only do so when the config
+# file has appropriate access restrictions. Check the manual for
+# details.
+#
+# use_ssl is the main switch to control whether the SSL settings
+# are used (yes/on/1) or not (no/false/0). When use_ssl is not
+# present, SSL is attempted if certificates are configured, other-
+# wise cleartext connections are used. When it is present and enabled,
+# then setup is aborted if certificates are not found. In no case
+# does an SSL setup ever fall back to a cleartext one.
+#
+#/broccoli/use_ssl      yes
+#/broccoli/ca_cert      <path>/ca_cert.pem
+#/broccoli/host_cert    <path>/bro_cert.pem
+#/broccoli/host_pass    foo
+
+# Your settings below
+# -------------------
diff --git a/aux/broccoli/broccoli.spec b/aux/broccoli/broccoli.spec
new file mode 100644
index 0000000000..74a09e4ca8
--- /dev/null
+++ b/aux/broccoli/broccoli.spec
@@ -0,0 +1,69 @@
+# This spec file creates a single relocatable RPM.
+#
+%define prefix /usr
+
+Summary: The Bro Client Communications Library
+Name: broccoli
+Version: 0.9
+Release: 1
+License: BSD
+Group: Development/Libraries
+URL: http://www.bro-ids.org
+Source: http://www.icir.org/christian/downloads/%{name}-%{version}.tar.gz
+BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-buildroot
+Packager: Christian Kreibich <christian@whoop.org> 
+Requires: openssl >= 0.9.7a
+Requires: openssl-devel >= 0.9.7a
+Prefix: %{prefix}
+
+%description
+Broccoli enables your applications to speak the Bro communication protocol,
+allowing you to compose, send, request, and receive events. You can register
+your own event handlers. You can talk to other Broccoli applications or Bro
+agents -- Bro agents cannot tell whether they are talking to another
+Bro or a Broccoli application. Communications can be SSL-encrypted. Broccoli
+turns Bro into a distributed policy-controlled event management system.
+
+%prep
+%setup -q
+# Needed for snapshot releases.
+if [ ! -f configure ]; then
+  CFLAGS="$RPM_OPT_FLAGS" ./autogen.sh --prefix=%prefix
+else
+  CFLAGS="$RPM_OPT_FLAGS" ./configure --prefix=%prefix
+fi
+
+%build
+
+if [ "$SMP" != "" ]; then
+  (make "MAKE=make -k -j $SMP"; exit 0)
+  make
+else
+  make
+fi
+
+%install
+rm -rf $RPM_BUILD_ROOT
+make prefix=$RPM_BUILD_ROOT%{prefix} sysconfdir=$RPM_BUILD_ROOT/etc install
+
+%clean
+rm -rf $RPM_BUILD_ROOT
+
+%post -p /sbin/ldconfig
+
+%postun -p /sbin/ldconfig
+
+%files
+%defattr(-,root,root,-)
+%doc AUTHORS COPYING ChangeLog NEWS README TODO
+%doc %{prefix}/share/gtk-doc/html/broccoli
+%{prefix}/lib/lib*.so.*
+%{prefix}/lib/lib*a
+%{prefix}/include/broccoli.h
+%{prefix}/bin/bro*
+%{prefix}/share/broccoli/*.bro
+/etc/broccoli.conf
+
+%changelog
+* Tue Dec  6 2004 Christian Kreibich <christian@whoop.org> 
+- Added spec file to tree.
diff --git a/aux/broccoli/compat/sys/queue.h b/aux/broccoli/compat/sys/queue.h
new file mode 100644
index 0000000000..5b6e2a0a23
--- /dev/null
+++ b/aux/broccoli/compat/sys/queue.h
@@ -0,0 +1,241 @@
+/*
+ * Copyright (c) 1991, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)queue.h	8.3 (Berkeley) 12/13/93
+ */
+
+#ifndef	_SYS_QUEUE_H
+#define	_SYS_QUEUE_H 1
+
+/*
+ * This file defines three types of data structures: lists, tail queues,
+ * and circular queues.
+ *
+ * A list is headed by a single forward pointer (or an array of forward
+ * pointers for a hash table header). The elements are doubly linked
+ * so that an arbitrary element can be removed without a need to
+ * traverse the list. New elements can be added to the list after
+ * an existing element or at the head of the list. A list may only be
+ * traversed in the forward direction.
+ *
+ * A tail queue is headed by a pair of pointers, one to the head of the
+ * list and the other to the tail of the list. The elements are doubly
+ * linked so that an arbitrary element can be removed without a need to
+ * traverse the list. New elements can be added to the list after
+ * an existing element, at the head of the list, or at the end of the
+ * list. A tail queue may only be traversed in the forward direction.
+ *
+ * A circle queue is headed by a pair of pointers, one to the head of the
+ * list and the other to the tail of the list. The elements are doubly
+ * linked so that an arbitrary element can be removed without a need to
+ * traverse the list. New elements can be added to the list before or after
+ * an existing element, at the head of the list, or at the end of the list.
+ * A circle queue may be traversed in either direction, but has a more
+ * complex end of list detection.
+ *
+ * For details on the use of these macros, see the queue(3) manual page.
+ */
+
+/*
+ * List definitions.
+ */
+#define LIST_HEAD(name, type)						\
+struct name {								\
+	struct type *lh_first;	/* first element */			\
+}
+
+#define LIST_ENTRY(type)						\
+struct {								\
+	struct type *le_next;	/* next element */			\
+	struct type **le_prev;	/* address of previous next element */	\
+}
+
+/*
+ * List functions.
+ */
+#define	LIST_INIT(head) {						\
+	(head)->lh_first = NULL;					\
+}
+
+#define LIST_INSERT_AFTER(listelm, elm, field) {			\
+	if (((elm)->field.le_next = (listelm)->field.le_next) != NULL)	\
+		(listelm)->field.le_next->field.le_prev =		\
+		    &(elm)->field.le_next;				\
+	(listelm)->field.le_next = (elm);				\
+	(elm)->field.le_prev = &(listelm)->field.le_next;		\
+}
+
+#define LIST_INSERT_HEAD(head, elm, field) {				\
+	if (((elm)->field.le_next = (head)->lh_first) != NULL)		\
+		(head)->lh_first->field.le_prev = &(elm)->field.le_next;\
+	(head)->lh_first = (elm);					\
+	(elm)->field.le_prev = &(head)->lh_first;			\
+}
+
+#define LIST_REMOVE(elm, field) {					\
+	if ((elm)->field.le_next != NULL)				\
+		(elm)->field.le_next->field.le_prev = 			\
+		    (elm)->field.le_prev;				\
+	*(elm)->field.le_prev = (elm)->field.le_next;			\
+}
+
+/*
+ * Tail queue definitions.
+ */
+#define TAILQ_HEAD(name, type)						\
+struct name {								\
+	struct type *tqh_first;	/* first element */			\
+	struct type **tqh_last;	/* addr of last next element */		\
+}
+
+#define TAILQ_ENTRY(type)						\
+struct {								\
+	struct type *tqe_next;	/* next element */			\
+	struct type **tqe_prev;	/* address of previous next element */	\
+}
+
+/*
+ * Tail queue functions.
+ */
+#define	TAILQ_INIT(head) {						\
+	(head)->tqh_first = NULL;					\
+	(head)->tqh_last = &(head)->tqh_first;				\
+}
+
+#define TAILQ_INSERT_HEAD(head, elm, field) {				\
+	if (((elm)->field.tqe_next = (head)->tqh_first) != NULL)	\
+		(elm)->field.tqe_next->field.tqe_prev =			\
+		    &(elm)->field.tqe_next;				\
+	else								\
+		(head)->tqh_last = &(elm)->field.tqe_next;		\
+	(head)->tqh_first = (elm);					\
+	(elm)->field.tqe_prev = &(head)->tqh_first;			\
+}
+
+#define TAILQ_INSERT_TAIL(head, elm, field) {				\
+	(elm)->field.tqe_next = NULL;					\
+	(elm)->field.tqe_prev = (head)->tqh_last;			\
+	*(head)->tqh_last = (elm);					\
+	(head)->tqh_last = &(elm)->field.tqe_next;			\
+}
+
+#define TAILQ_INSERT_AFTER(head, listelm, elm, field) {			\
+	if (((elm)->field.tqe_next = (listelm)->field.tqe_next) != NULL)\
+		(elm)->field.tqe_next->field.tqe_prev = 		\
+		    &(elm)->field.tqe_next;				\
+	else								\
+		(head)->tqh_last = &(elm)->field.tqe_next;		\
+	(listelm)->field.tqe_next = (elm);				\
+	(elm)->field.tqe_prev = &(listelm)->field.tqe_next;		\
+}
+
+#define TAILQ_REMOVE(head, elm, field) {				\
+	if (((elm)->field.tqe_next) != NULL)				\
+		(elm)->field.tqe_next->field.tqe_prev = 		\
+		    (elm)->field.tqe_prev;				\
+	else								\
+		(head)->tqh_last = (elm)->field.tqe_prev;		\
+	*(elm)->field.tqe_prev = (elm)->field.tqe_next;			\
+}
+
+/*
+ * Circular queue definitions.
+ */
+#define CIRCLEQ_HEAD(name, type)					\
+struct name {								\
+	struct type *cqh_first;		/* first element */		\
+	struct type *cqh_last;		/* last element */		\
+}
+
+#define CIRCLEQ_ENTRY(type)						\
+struct {								\
+	struct type *cqe_next;		/* next element */		\
+	struct type *cqe_prev;		/* previous element */		\
+}
+
+/*
+ * Circular queue functions.
+ */
+#define	CIRCLEQ_INIT(head) {						\
+	(head)->cqh_first = (void *)(head);				\
+	(head)->cqh_last = (void *)(head);				\
+}
+
+#define CIRCLEQ_INSERT_AFTER(head, listelm, elm, field) {		\
+	(elm)->field.cqe_next = (listelm)->field.cqe_next;		\
+	(elm)->field.cqe_prev = (listelm);				\
+	if ((listelm)->field.cqe_next == (void *)(head))		\
+		(head)->cqh_last = (elm);				\
+	else								\
+		(listelm)->field.cqe_next->field.cqe_prev = (elm);	\
+	(listelm)->field.cqe_next = (elm);				\
+}
+
+#define CIRCLEQ_INSERT_BEFORE(head, listelm, elm, field) {		\
+	(elm)->field.cqe_next = (listelm);				\
+	(elm)->field.cqe_prev = (listelm)->field.cqe_prev;		\
+	if ((listelm)->field.cqe_prev == (void *)(head))		\
+		(head)->cqh_first = (elm);				\
+	else								\
+		(listelm)->field.cqe_prev->field.cqe_next = (elm);	\
+	(listelm)->field.cqe_prev = (elm);				\
+}
+
+#define CIRCLEQ_INSERT_HEAD(head, elm, field) {				\
+	(elm)->field.cqe_next = (head)->cqh_first;			\
+	(elm)->field.cqe_prev = (void *)(head);				\
+	if ((head)->cqh_last == (void *)(head))				\
+		(head)->cqh_last = (elm);				\
+	else								\
+		(head)->cqh_first->field.cqe_prev = (elm);		\
+	(head)->cqh_first = (elm);					\
+}
+
+#define CIRCLEQ_INSERT_TAIL(head, elm, field) {				\
+	(elm)->field.cqe_next = (void *)(head);				\
+	(elm)->field.cqe_prev = (head)->cqh_last;			\
+	if ((head)->cqh_first == (void *)(head))			\
+		(head)->cqh_first = (elm);				\
+	else								\
+		(head)->cqh_last->field.cqe_next = (elm);		\
+	(head)->cqh_last = (elm);					\
+}
+
+#define	CIRCLEQ_REMOVE(head, elm, field) {				\
+	if ((elm)->field.cqe_next == (void *)(head))			\
+		(head)->cqh_last = (elm)->field.cqe_prev;		\
+	else								\
+		(elm)->field.cqe_next->field.cqe_prev =			\
+		    (elm)->field.cqe_prev;				\
+	if ((elm)->field.cqe_prev == (void *)(head))			\
+		(head)->cqh_first = (elm)->field.cqe_next;		\
+	else								\
+		(elm)->field.cqe_prev->field.cqe_next =			\
+		    (elm)->field.cqe_next;				\
+}
+#endif	/* sys/queue.h */
diff --git a/aux/broccoli/configure.in b/aux/broccoli/configure.in
new file mode 100644
index 0000000000..61e07de967
--- /dev/null
+++ b/aux/broccoli/configure.in
@@ -0,0 +1,297 @@
+dnl Process this file with autoconf to produce a configure script.
+
+AC_INIT
+AC_CONFIG_SRCDIR([src/broccoli.h.in])
+
+AC_CANONICAL_TARGET
+AC_CANONICAL_HOST
+
+AC_CONFIG_AUX_DIR(.)
+AM_CONFIG_HEADER(config.h)
+AM_INIT_AUTOMAKE(broccoli, 1.5.0)
+
+dnl Commands for funkier shell output:
+BLD_ON=`./shtool echo -n -e %B`
+BLD_OFF=`./shtool echo -n -e %b`
+
+AC_PROG_CC
+AM_PROG_CC_STDC
+AC_HEADER_STDC
+AC_PROG_INSTALL
+AM_PROG_LEX
+AC_PROG_YACC
+
+dnl According to the autobook, we need to add this extra directive
+dnl before AM_PROG_LIBTOOL to make libtool work on Windows:
+AC_LIBTOOL_WIN32_DLL
+AC_PROG_LIBTOOL
+
+
+dnl Okay, the lex and yacc checks suck big time because they
+dnl just fall back to assgning "yacc" to YACC and "lex" to LEX
+dnl (in the best case -- I even just get ":" sometimes) as a
+dnl fallback, without checking if those actually exist.
+dnl (Someone correct me if this is wrong, though I doubt it)
+dnl So in those cases, run an extra AC_PROG_CHECK to see if we
+dnl actually have them. Argh.
+have_lex=true
+have_yacc=true
+
+if test "x$YACC" = "xyacc"; then 
+   AC_PATH_PROG(have_yacc, yacc, no)
+fi
+
+if test ! "x$LEX" = "xflex"; then 
+   AC_PATH_PROG(have_lex, lex, no)
+fi
+
+AM_CONDITIONAL(HAVE_LEX_AND_YACC, test "x$have_yacc" != "xno" && test "x$have_lex" != "xno")
+
+AC_C_BIGENDIAN       
+
+AM_CONDITIONAL(SOLARIS_HOST, false)
+AM_CONDITIONAL(LINUX_HOST, false)
+AM_CONDITIONAL(BSD_HOST, false)
+AM_CONDITIONAL(APPLE_HOST, false)
+AM_CONDITIONAL(WINDOWS_HOST, false)
+
+bro_libcrypto=crypto
+bro_libssl=ssl
+
+case "$host" in
+  *-solaris*)
+    AC_DEFINE(SOLARIS_HOST, 1, [Whether this is a Solaris host])
+    AM_CONDITIONAL(SOLARIS_HOST, true)
+    BRO_LIBADD="-lsocket -lnsl"
+    ;;
+  *-linux*)
+    AC_DEFINE(LINUX_HOST, 1, [Whether this is a Linux host])
+    AM_CONDITIONAL(LINUX_HOST, true)
+    ;;
+  *bsd*)
+    AC_DEFINE(BSD_HOST, 1, [Whether this is a BSD host])
+    AM_CONDITIONAL(BSD_HOST, true)
+    ;;
+  *apple*)
+    AC_DEFINE(APPLE_HOST, 1, [Whether this is a APPLE host])
+    AM_CONDITIONAL(APPLE_HOST, true)
+    ;;
+  *-mingw32*)
+    AC_DEFINE(WINDOWS_HOST, 1, [Whether this run on Windows in a MinGW environment])
+    AM_CONDITIONAL(WINDOWS_HOST, true)
+    bro_libcrypto=eay32
+    bro_libssl=ssleay32
+    BRO_LIBADD="-lwsock32"
+    ;;
+esac
+
+AC_SUBST(BRO_LIBADD)
+AC_SUBST(BRO_CFLAGSADD)
+
+dnl ##################################################
+dnl # Check for getuid() and getpwuid().
+dnl ##################################################
+AC_CHECK_FUNCS([geteuid getpwuid])
+
+dnl ##################################################
+dnl # Check for type uint in sys/types.h
+dnl ##################################################
+AC_CHECK_TYPE([uint],,
+	      [TYPEDEF_UINT="typedef unsigned int uint;"
+	       AC_SUBST(TYPEDEF_UINT)])
+
+dnl ##################################################
+dnl # Config directory and config file:
+dnl # Define BRO_SYSCONF_DIR and BRO_SYSCONF_FILE.
+dnl ##################################################
+
+dnl Unless --disable-etc-tweak is given, we check if
+dnl the prefix is /usr, and in that case tweak sysconfdir
+dnl to /etc (nobody cares about /usr/etc really). 
+dnl Otherwise we use what's given.
+dnl
+AC_ARG_ENABLE(etc-tweak,
+	      AC_HELP_STRING([--disable-etc-tweak], [Do not tweak config file location to /etc if prefix is /usr]),
+	      etc_tweak="no",
+	      etc_tweak="yes")
+
+BRO_SYSCONF_DIR=`eval eval eval eval "echo $sysconfdir"`
+
+if test x$etc_tweak = xyes; then
+  if test "x${sysconfdir}" = 'x${prefix}/etc'; then
+    if test "x${prefix}" = "x/usr"; then
+      sysconfdir="/etc"
+      BRO_SYSCONF_DIR="$sysconfdir"
+    elif test "x${prefix}" = "xNONE"; then
+      BRO_SYSCONF_DIR="${ac_default_prefix}/etc"
+    fi
+  fi
+fi
+
+AC_DEFINE_UNQUOTED(BRO_SYSCONF_DIR, "$BRO_SYSCONF_DIR", [Configuration directory])
+AC_SUBST(BRO_SYSCONF_DIR)
+
+dnl Now derive config file name from that, or use the
+dnl requested one if provided.
+
+AC_ARG_WITH(configfile,
+	    AC_HELP_STRING([--with-configfile=FILE], [Use config file at location <FILE>]),
+	    [BRO_SYSCONF_FILE="$withval"],
+	    [BRO_SYSCONF_FILE="$BRO_SYSCONF_DIR/broccoli.conf"])
+
+AC_DEFINE_UNQUOTED(BRO_SYSCONF_FILE, "$BRO_SYSCONF_FILE", [Location of config file])
+AC_SUBST(BRO_SYSCONF_FILE)
+
+dnl ##################################################
+dnl # Packet support enable/disable switch
+dnl ##################################################
+AC_ARG_WITH(pcap-headers,
+            [  --with-pcap-headers=PATH      Add PATH to include path searched for pcap.h],
+	    CPPFLAGS="$CPPFLAGS -I$withval")
+
+AC_ARG_ENABLE(packets,
+	      AC_HELP_STRING([--disable-packets], [Do not support tx/rx of pcap packets]),
+	      packet_support="no",
+	      packet_support="yes")
+
+if test "$packet_support" = "yes"; then
+   AC_CHECK_HEADERS(pcap.h, , packet_support="no")
+   if test "$packet_support" = "yes"; then
+      BRO_PCAP_SUPPORT="#define BRO_PCAP_SUPPORT"
+   fi
+fi
+
+AM_CONDITIONAL(BRO_PCAP_SUPPORT, test "$packet_support" = "yes")
+AC_SUBST(BRO_PCAP_SUPPORT)
+
+dnl ##################################################
+dnl # Debugging enable/disable switch
+dnl ##################################################
+AC_ARG_ENABLE(debug,
+	      AC_HELP_STRING([--enable-debug], [Use debugging macros to produce helpful output (disabled by default)]),
+	      debug="yes",
+	      debug="no")
+
+if test x$debug = xyes; then
+   
+
+  AC_DEFINE_UNQUOTED(BRO_DEBUG, 1, [Enable debugging output])
+fi
+
+
+dnl ##################################################
+dnl # Check for OpenSSL.
+dnl ##################################################
+dnl
+dnl This is mostly easy, with one exception: in the MinGW
+dnl environment, instead of libcrypto we need to look for
+dnl libeay32.a, and instead of libssl we need to look for
+dnl ssleay32.a. This is with the OpenSSL for Windows package
+dnl from http://www.slproweb.com/products/Win32OpenSSL.html.
+dnl
+AC_ARG_WITH(openssl,
+            [  --with-openssl=DIR       Use OpenSSL installation in DIR],
+	    [CPPFLAGS="-I$withval/include $CPPFLAGS"
+	     LIBS="-L$withval/lib $LIBS"])
+AC_ARG_WITH(kerberos,
+            [  --with-kerberos=DIR      Use Kerberos installation in DIR],
+	    [CPPFLAGS="$CPPFLAGS -I$withval/include" ],
+	    [if test -d "/usr/kerberos"; then CPPFLAGS="$CPPFLAGS -I/usr/kerberos/include"; fi])
+
+AC_CHECK_HEADERS([openssl/ssl.h],,
+		 [AC_MSG_ERROR([cannot find openssl/ssl.h, sorry])])
+AC_CHECK_LIB($bro_libcrypto, OPENSSL_add_all_algorithms_conf,,
+	     [AC_MSG_ERROR([cannot find libcrypto, sorry])], $BRO_LIBADD)
+AC_CHECK_LIB($bro_libssl, SSL_new,,
+	     [AC_MSG_ERROR([cannot find libssl, sorry])], $BRO_LIBADD)
+
+
+dnl ##################################################
+dnl # Check for gtk-doc.
+dnl ##################################################
+
+AC_ARG_WITH(html-dir, [  --with-html-dir=PATH path to installed docs ])
+
+if test "x$with_html_dir" = "x" ; then
+  HTML_DIR='${datadir}/gtk-doc/html'
+else
+  HTML_DIR=$with_html_dir
+fi
+
+AC_SUBST(HTML_DIR)
+
+AC_CHECK_PROG(GTKDOC, gtkdoc-mkdb, true, false)
+AC_PATH_PROG(OPENJADE, openjade, no)
+
+gtk_doc_min_version_maj=0
+gtk_doc_min_version_min=6
+
+if test x$GTKDOC = xtrue -a x$OPENJADE != xno; then
+    gtk_doc_version=`gtkdoc-mkdb --version`
+    AC_MSG_CHECKING([gtk-doc version ($gtk_doc_version) >= $gtk_doc_min_version_maj.$gtk_doc_min_version_min])
+    if perl <<EOF ; then
+      exit (("$gtk_doc_version" =~ /^(\d+)\.(\d+)$/ &&
+            (("\$1" > "$gtk_doc_min_version_maj") ||
+             (("\$1" == "$gtk_doc_min_version_maj") &&
+              ("\$2" >= "$gtk_doc_min_version_min")))) ? 0 : 1);
+EOF
+      AC_MSG_RESULT(yes)
+   else
+      AC_MSG_RESULT(no)
+      GTKDOC=false
+   fi
+fi
+
+dnl Let people disable the gtk-doc stuff.
+AC_ARG_ENABLE(gtk-doc, [  --enable-gtk-doc  Use gtk-doc to build documentation [default=auto]], enable_gtk_doc="$enableval", enable_gtk_doc=auto)
+if test x$enable_gtk_doc = xauto ; then
+  if test x$GTKDOC = xtrue ; then
+    enable_gtk_doc=yes
+  else
+    enable_gtk_doc=no
+  fi
+fi
+
+AM_CONDITIONAL(ENABLE_GTK_DOC, test x$enable_gtk_doc = xyes)
+
+dnl ##################################################
+dnl # Fix build info output string for broccoli-config
+dnl ##################################################
+broc_buildinfo=`uname -n`
+broc_builddate=`date`
+broc_builddebug="Debugging support: $debug"
+BUILDINFO="\"$broc_buildinfo, $broc_builddate, $broc_builddebug\""
+AC_SUBST(BUILDINFO)
+
+AC_CONFIG_FILES([
+Makefile
+broccoli-config
+src/Makefile
+src/broccoli.h
+test/Makefile
+docs/Makefile
+docs/mkhtml
+bindings/Makefile
+])
+AC_CONFIG_COMMANDS([default],[[
+chmod +x broccoli-config
+chmod +x docs/mkhtml
+]],[[]])
+AC_OUTPUT
+
+echo  
+echo "               "${BLD_ON}"Broccoli Configuration Summary"${BLD_OFF}
+echo "=========================================================="
+echo
+echo "   - Debugging enabled:     "${BLD_ON}$debug${BLD_OFF}
+echo "   - Pcap packet support:   "${BLD_ON}$packet_support${BLD_OFF}
+echo
+if test "x$bro_build" = xno; then
+echo "  Now run:"
+echo
+echo "  $ "${BLD_ON}"make"${BLD_OFF}
+echo "  # "${BLD_ON}"make install"${BLD_OFF}
+echo
+echo "  (or use "${BLD_ON}"gmake"${BLD_OFF}" when make on your platform isn't GNU make)"
+echo
+fi
diff --git a/aux/broccoli/contrib/README b/aux/broccoli/contrib/README
new file mode 100644
index 0000000000..28e72b8d06
--- /dev/null
+++ b/aux/broccoli/contrib/README
@@ -0,0 +1,12 @@
+This directory contains code contributed by others, until it's clear
+where's the best place to put it.
+
+Note: given broccoli-config, the generic build command for a Broccoli
+application is
+
+  $ <compiler> -o output <source files> `broccoli-config --cflags` \
+  `broccoli-config --libs`
+
+					        --Christian.
+________________________________________________________________________
+$Id: README 2035 2005-12-20 04:16:11Z vern $
diff --git a/aux/broccoli/contrib/broclient.cc b/aux/broccoli/contrib/broclient.cc
new file mode 100644
index 0000000000..21693b8052
--- /dev/null
+++ b/aux/broccoli/contrib/broclient.cc
@@ -0,0 +1,339 @@
+#include <string>
+#include <vector>
+#include <iostream>
+#include <iomanip>
+#include <errno.h>
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+
+
+#include <broccoli.h>
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+using std::string;
+using std::vector;
+using std::cout;
+using std::cin;
+using std::cerr;
+
+string default_host = "127.0.0.1";
+string default_port = "47757";
+string host;
+string port;
+
+int count = -1;
+int seq;
+
+void
+usage(void)
+	{
+	cout << "broclient - sends events with string arguments from stdin to a running Bro\n"
+		"USAGE: broclient [-p port=47757] [host=127.0.0.1]\n"
+		"Input format (each line): event_name type=arg1 type=arg2...\n";
+	exit(0);
+	}
+
+void
+showtypes(void)
+	{
+	cout << "Legitimate event types are:\n"
+		"string, int, count, double, bool, time, \n"
+		"interval, port, addr, net, subnet\n\n"
+		"eamples: string=foo, port=23/tcp, addr=10.10.10.10, \n"
+		"net=10.10.10.0 and subnet=10.0.0.0/8\n";
+	exit(0);
+	}
+
+
+void tokenize(const string& str, vector<string>& tokens)
+	{
+	int num_tokens = 0;
+	char delim = '\0';
+
+	for ( unsigned int i = 0; i < str.length(); ++i )
+		{
+		while ( isspace(str[i]) )
+			++i;
+
+		string next_arg;
+
+		if (str[i] == '"' || str[i] == '\'')
+			{
+			delim = str[i];
+			++i;
+			}
+		else
+			delim = '\0';
+			
+
+		for ( ; str[i]; ++i )
+			{
+			if ( delim && str[i] == '\\' && 
+			     i < str.length() && str[i+1] == delim )
+				{
+				++i;
+				next_arg.push_back(str[i]);
+				}
+
+			else if ( delim && str[i] == delim )
+				{
+				++i;
+				break;
+				}
+
+			else if ( ! delim && isspace(str[i]) )
+				break;
+			else
+				next_arg.push_back(str[i]);
+			}
+
+		tokens.push_back(next_arg);
+		}
+	}
+
+
+
+int
+main(int argc, char **argv)
+	{
+	int opt, use_record = 0, debugging = 0;
+	BroConn *bc;
+	extern char *optarg;
+	extern int optind;
+
+	bro_init(NULL);
+
+	bro_debug_calltrace = 0;
+	bro_debug_messages  = 0;
+
+	host = default_host;
+	port = default_port;
+
+	while ( (opt = getopt(argc, argv, "p:dh?")) != -1)
+		{
+		switch (opt)
+			{
+			case 'd':
+				debugging++;
+
+				if (debugging == 1)
+					bro_debug_messages = 1;
+	  
+				if (debugging > 1)
+					bro_debug_calltrace = 1;
+				break;
+
+			case 'h':
+			case '?':
+				usage();
+
+			case 'p':
+				port = optarg;
+				break;
+
+			default:
+				usage();
+			}
+		}
+
+	argc -= optind;
+	argv += optind;
+
+	if (argc > 0)
+		host = argv[0];
+
+	/* Connect to Bro */
+	if (! (bc = bro_conn_new_str( (host + ":" + port).c_str(), BRO_CFLAG_NONE )))
+		{
+		cerr << "Could not obtain connection handle for Bro at " << 
+			host.c_str() << ":" << port.c_str() << "\n";
+		exit(-1);
+		}
+
+	cout << "Connecting... \n";
+	if (! bro_conn_connect(bc))
+		{
+		cout << "Could not connect to Bro.\n";
+		exit(-1);
+		}
+  
+	cout << "Handshake Complete \n";
+	/* Enter pinging loop */
+	while ( ! cin.eof() )
+		{
+		string inp;
+		vector<string> tokens;
+		cout << "Calling getline .. \n";
+		std::getline(cin, inp);
+
+		tokenize(inp, tokens);
+		if ( tokens.size() == 0 )
+			continue;
+
+		BroEvent *ev;
+
+		cout << "Calling bro_conn_process_input .. \n";
+		bro_conn_process_input(bc);
+
+		cout << "Generating Bro event \n";
+		if ( (ev = bro_event_new(tokens[0].c_str())) )
+			{
+      
+			for ( unsigned int i = 1; i < tokens.size(); ++i )
+				{
+				// this is something of a nasty hack, but it does work
+
+				string tkn,tkn_type,tkn_data;
+				char delim = '=';
+
+				tkn=tokens[i].c_str();
+				string::size_type position = tkn.find_first_of("=",0);
+
+				tkn_type = tkn.substr(0,position);
+				tkn_data = tkn.substr(position+1,tkn.length());
+
+				if ( tkn_type == "string" )
+					{
+					BroString arg;
+					bro_string_init(&arg);
+					bro_string_set(&arg, tkn_data.c_str());
+					bro_event_add_val(ev, BRO_TYPE_STRING, NULL, &arg);
+					bro_string_cleanup(&arg);
+					}
+				else if ( tkn_type == "int" )
+					{
+					int bint;
+					bint = atoi(tkn_data.c_str());
+					bro_event_add_val(ev, BRO_TYPE_INT, NULL, (int*)bint);
+					}
+				else if ( tkn_type == "count" )
+					{
+					uint32 buint;
+					buint = atoi(tkn_data.c_str());
+					bro_event_add_val(ev, BRO_TYPE_COUNT, NULL, (uint32*)buint);
+					}
+				else if ( tkn_type == "double" )
+					{
+					double bdouble;
+					char* end_s;
+					bdouble = strtod(tkn_data.c_str(),&end_s);
+					bro_event_add_val(ev, BRO_TYPE_DOUBLE, NULL, &bdouble);
+					}
+				else if ( tkn_type == "bool" )
+					{
+					int bbool=0;
+
+					if ( tkn_data == "T" || 
+						tkn_data == "TRUE" || 
+						tkn_data == "1" )
+						bbool = 1;
+					
+					bro_event_add_val(ev, BRO_TYPE_BOOL, NULL, &bbool);
+					}
+				else if ( tkn_type == "time" )
+					{
+					double btime;
+					char* end_s;
+					btime = strtod(tkn_data.c_str(),&end_s);
+					bro_event_add_val(ev, BRO_TYPE_TIME, NULL, &btime);
+					}
+				else if ( tkn_type == "interval" )
+					{
+					double binterval;
+					char* end_s;
+					binterval = strtod(tkn_data.c_str(),&end_s);
+					bro_event_add_val(ev, BRO_TYPE_INTERVAL, NULL, &binterval);
+					}
+				else if ( tkn_type == "port" )
+					{
+					BroPort BP;	
+					string port_value;
+					string::size_type port_offset;
+					int broport;
+					
+					//determine protocol type, start with tcp/udp do icmp
+					// later since the 'ports' are not as simple...
+					if ( tkn_data.find("tcp",0) <  tkn_data.length() )
+						BP.port_proto = IPPROTO_TCP;
+					else BP.port_proto = IPPROTO_UDP;
+
+					// parse out the numeric values
+					port_offset = tkn_data.find_first_of("/",0);
+					port_value = tkn_data.substr(0,port_offset);
+
+					broport = atoi(port_value.c_str());
+					BP.port_num = broport;
+
+					bro_event_add_val(ev, BRO_TYPE_PORT, NULL, &BP);
+					
+					}
+				else if ( tkn_type == "addr" )
+					{
+					uint32 badd;
+					// badd=htonl((uint32)inet_addr(tkn_data.c_str()));
+					badd=(uint32)inet_addr(tkn_data.c_str());
+
+					bro_event_add_val(ev, BRO_TYPE_IPADDR, NULL, &badd);
+					}	
+				else if ( tkn_type == "net" )
+					{
+					uint32 bnet;
+					// bnet=htonl((uint32)inet_addr(tkn_data.c_str()));
+					bnet=(uint32)inet_addr(tkn_data.c_str());
+
+					bro_event_add_val(ev, BRO_TYPE_NET, NULL, &bnet);
+					}
+				else if ( tkn_type == "subnet" )
+					{
+					// this is assuming a string that looks like
+					// "subnet=10.0.0.0/8"
+					BroSubnet BS;
+					string subnet_value;
+					string subnet_width;
+					string::size_type mask_offset;
+					uint32 sn_net, sn_width;
+
+					//parse out numeric values
+					mask_offset = tkn_data.find_first_of("/",0);
+					subnet_value = tkn_data.substr(0,mask_offset);
+					subnet_width = tkn_data.substr(mask_offset+1,tkn_data.length());
+
+					sn_net = (uint32)inet_addr(subnet_value.c_str());
+					sn_width = (uint32)atol(subnet_width.c_str());
+
+					BS.sn_net = sn_net;
+					BS.sn_width = sn_width;
+
+					bro_event_add_val(ev, BRO_TYPE_SUBNET, NULL, &BS);
+					}
+				else
+					{
+					// there is something wrong here
+					cerr << "unknown data type: " << tkn_type << "\n\n";
+					bro_event_free(ev);
+					showtypes();
+					}
+
+				}
+			
+			/* Ship it -- sends it if possible, queues it otherwise */
+		        cout << "Sending event to Bro \n";
+			if ( ! bro_event_send(bc, ev) )
+				cerr << "event could not be sent right away\n";
+
+			bro_event_free(ev);
+			}
+		}
+
+
+	/* Disconnect from Bro */
+	bro_conn_delete(bc);
+	
+	return 0;
+	}
diff --git a/aux/broccoli/contrib/bropipe.cc b/aux/broccoli/contrib/bropipe.cc
new file mode 100644
index 0000000000..e1b059f372
--- /dev/null
+++ b/aux/broccoli/contrib/bropipe.cc
@@ -0,0 +1,657 @@
+// $Id: bropipe.cc 6940 2009-11-14 00:38:53Z robin $
+// bropipe.cc: pipe version of generic client
+// 02/04/05
+//
+// to compile:  g++ `broccoli-config --cflags` `broccoli-config --libs` -o bropipe bropipe.cc
+//
+
+
+#include <vector>
+#include <iostream>
+#include <iomanip>
+#include <errno.h>
+
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <stdio.h>
+#include <fcntl.h>
+#include <string.h>
+#include "broccoli.h"
+
+using std::string;
+using std::vector;
+using std::cout;
+using std::cin;
+using std::cerr;
+
+string default_host = "127.0.0.1";
+string default_port = "47757";
+string default_input_file = "brocsock";
+string default_log_file = "/tmp/bropipe.log";
+
+string conn_str;
+string host;
+string port;
+string input_file;
+string log_file;
+int debug;
+BroConn *bc;
+
+// The following are declarations needed for the modp_burl string decoding
+// functions. They were cribbed from the stringencoders-v3.7.0 source tree.
+// syc 1/20/09
+
+/**
+ * \file
+ * <pre>
+ * BFASTURL.c High performance URL encoder/decoder
+ * http://code.google.com/p/stringencoders/
+ *
+ * Copyright &copy; 2006,2007  Nick Galbreath -- nickg [at] modp [dot] com
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are
+ * met:
+ *
+ *   Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ *
+ *   Redistributions in binary form must reproduce the above copyright
+ *   notice, this list of conditions and the following disclaimer in the
+ *   documentation and/or other materials provided with the distribution.
+ *
+ *   Neither the name of the modp.com nor the names of its
+ *   contributors may be used to endorse or promote products derived from
+ *   this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ * This is the standard "new" BSD license:
+ * http://www.opensource.org/licenses/bsd-license.php
+ * </PRE>
+ */
+
+static const uint32_t gsHexDecodeMap[256] = {
+256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
+256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
+256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
+256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
+  0,   1,   2,   3,   4,   5,   6,   7,   8,   9, 256, 256,
+256, 256, 256, 256, 256,  10,  11,  12,  13,  14,  15, 256,
+256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
+256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
+256,  10,  11,  12,  13,  14,  15, 256, 256, 256, 256, 256,
+256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
+256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
+ 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
+256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
+256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
+256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
+256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
+256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
+256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
+256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
+256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
+256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256, 256,
+256, 256, 256, 256
+};
+
+
+int modp_burl_decode(char* dest, const char* s, int len)
+{
+    uint32_t d = 0; // used for decoding %XX
+    const uint8_t* src = (const uint8_t*) s;
+    const char* deststart = dest;
+    const uint8_t* srcend = (const uint8_t*)(src + len);
+    const uint8_t* srcendloop = (const uint8_t*)(srcend - 2);
+
+    while (src < srcendloop) {
+        switch (*src) {
+        case '+':
+            *dest++ = ' ';
+            src++;
+            break;
+        case '%':
+            d = (gsHexDecodeMap[(uint32_t)(*(src + 1))] << 4) |
+                gsHexDecodeMap[(uint32_t)(*(src + 2))];
+            if (d < 256) { // if one of the hex chars is bad,  d >= 256
+                *dest = (char) d;
+                dest++;
+                src += 3;
+            } else {
+                *dest++ = '%';
+                src++;
+            }
+            break;
+        default:
+            *dest++ = *src++;
+        }
+    }
+
+    // handle last two chars
+    // dont decode "%XX"
+    while (src < srcend) {
+        switch (*src) {
+        case '+':
+            *dest++ = ' ';
+            src++;
+            break;
+        default:
+            *dest++ = *src++;
+        }
+    }
+
+    *dest = '\0';
+    return dest - deststart; // compute "strlen" of dest.
+}
+
+void usage(void)
+	{
+	cout << "bropipe - sends events with string arguments from file to a\n"
+		"	running Bro\n"
+		"USAGE: bropipe [-p port=47757] [-f input] [host=127.0.0.1[:port]] [-d]\n"
+		"Input format (each line): event_name type=arg1 type=arg2...\n";
+	exit(0);
+	}
+
+void showtypes(void)
+	{
+	cout << "Legitimate event types are:\n"
+		"	string, urlstring, int, count, double, bool, time, \n"
+		"	interval, port, addr, net, subnet\n\n"
+		"	examples: string=foo, port=23/tcp, addr=10.10.10.10, \n"
+		"	net=10.10.10.0, subnet=10.0.0.0/8\n"
+		"	urlstring is a url encoded string type - use this when\n"
+		"	whitespace can be found in the strings\n";
+	exit(0);
+	}
+
+void tokenize(const string& str, vector<string>& tokens)
+	{
+	int num_tokens = 0;
+	char delim = '\0';
+ 
+	for ( unsigned int i = 0; i < str.length(); ++i ) {
+		while ( isspace(str[i]) )
+		      ++i;
+ 
+		string next_arg;
+ 
+		if (str[i] == '"' || str[i] == '\'')
+			{
+			delim = str[i];
+			++i;
+			}
+		else
+		delim = '\0';
+ 
+		for ( ; str[i]; ++i )
+			{
+			if ( delim && str[i] == '\\' &&
+				 i < str.length() && str[i+1] == delim )
+				{
+				++i;
+				next_arg.push_back(str[i]);
+				}
+	 
+			else if ( delim && str[i] == delim )
+				{
+				++i;
+				break;
+				}
+ 
+			else if ( ! delim && isspace(str[i]) )
+				break;
+			else
+				next_arg.push_back(str[i]);
+			}
+ 
+		tokens.push_back(next_arg);
+		}
+	}
+
+void ntokenize(const string& str, vector<string>& inText)
+		{
+		int num_tokens = 0;
+		char delim = '\n';
+																											
+		for ( unsigned int i = 0; i < str.length(); ++i )
+				{
+				while ( isspace(str[i]) )
+				++i;
+																											
+				string next_arg;
+																											
+				if (str[i] == '"' || str[i] == '\'')
+						{
+						delim = str[i];
+						++i;
+						}
+				else
+				delim = '\n';
+																											
+				for ( ; str[i]; ++i )
+						{
+						if ( delim && str[i] == '\\' &&
+								 i < str.length() && str[i+1] == delim )
+								{
+								next_arg.push_back(str[i]);
+								++i;
+								}
+																											
+						else if ( delim && str[i] == delim )
+								{
+								break;
+								}
+																											
+						else if ( ! delim && isspace(str[i]) )
+								break;
+						else
+								next_arg.push_back(str[i]);
+						}
+								
+				inText.push_back(next_arg);
+				}
+		}
+
+
+FILE * open_input_stream()
+	{
+	FILE *fp;
+
+	if (input_file == "-") 
+		{
+		fp = stdin;
+		if (debug)
+			fprintf(stderr, "DEBUG: input is STDIN.\n");
+		}
+	else
+		{
+		if (debug)
+			fprintf(stderr, "DEBUG: try opening `%s' as input\n", input_file.c_str());
+		fp = fopen(input_file.c_str(),"r");
+	  	if (fp == NULL)
+		  	{
+			if (debug)
+				fprintf(stderr, "DEBUG: can't open, so creating pipe %s\n", input_file.c_str());
+
+			mkfifo(input_file.c_str(), S_IRUSR | S_IRGRP | S_IROTH );
+	  		fp = fopen(input_file.c_str(),"r");
+
+			if (fp==NULL) 
+				fprintf(stderr, "Failed to create pipe %s\n", input_file.c_str());
+			else
+				if (debug)
+					fprintf(stderr, "DEBUG: created and opened pipe `%s'\n", input_file.c_str());
+
+	  		}
+		}
+
+	return(fp);
+	}
+
+
+int make_connection()
+	{
+	// now connect to the bro host - on failure, try again three times
+	// the flags here are telling us to block on connect, reconnect in the
+	// event of a connection failure, and queue up events in the event of a
+	// failure to the bro host
+	//
+	// the flags have been modified to allow for connect back and event queuing
+
+	if ((bc = bro_conn_new_str(conn_str.c_str(), BRO_CFLAG_RECONNECT | BRO_CFLAG_ALWAYS_QUEUE)))
+		{
+		if (debug)
+			fprintf(stderr, "DEBUG: got BroConn handle\n");
+		}
+	else
+		{
+		fprintf(stderr, "fatal: could not get BroConn handle.\n");
+		exit(-1);
+		}
+
+        if (debug)
+	    fprintf(stderr, "DEBUG: attempt to connect to %s...", conn_str.c_str());
+
+	bro_conn_set_class(bc, "bropipe");
+
+        while (!bro_conn_connect (bc)) {
+            fprintf (stderr, "could not connect to Bro at %s:%s.\n",
+                     host.c_str (), port.c_str ());
+            fprintf (stderr, "Will try again in 5 seconds \n");
+            sleep (5);
+        }
+
+        if (debug)
+            fprintf(stderr, "DEBUG: connected\n");
+                                                
+	return(0);
+	}
+
+int main(int argc, char **argv)
+	{
+	int fd,rc,n;
+	int j;
+	int ecount=0;
+	fd_set readfds;
+	char buf[1024];
+	char *urlstr = NULL;
+	int urlstrsz = 0;
+
+	struct timeval tv;
+	FILE *fp;
+
+	int opt, use_record = 0;
+	extern char *optarg;
+	extern int optind;
+
+	bro_init(NULL);
+
+	host = default_host + ":" + default_port;
+	input_file = default_input_file;
+
+	while ( (opt = getopt(argc, argv, "l:f:p:dDh?")) != -1)
+	{
+		switch (opt)
+			{
+			case 'l':
+				log_file = optarg;				
+				break;
+
+			case 'f':
+				input_file = optarg;				
+				break;
+
+			case 'd':
+				debug++;
+				break;
+ 
+			case 'D':
+				debug++; 
+				debug++;
+				break;
+
+			case 'h':
+			case '?':
+				usage();
+				break;
+ 
+			case 'p':
+				port = optarg;
+				break;
+ 
+			default:
+				usage();
+				break;
+			}
+	}
+ 
+	argc -= optind;
+	argv += optind;
+
+	if (argc == 1) {
+	  host = argv[0];
+	  if (host.find(':') == string::npos)
+	    host += ":" + default_port;
+	}
+
+
+    if (argc > 1)
+        usage();
+        
+    // config destination connection string
+    conn_str = host;
+    if (port != "")
+        {
+        conn_str += ":"; 
+        conn_str += port;
+        }
+
+	// open input 
+	fp = open_input_stream();
+	if (fp == NULL) {
+		fprintf(stderr, "fatal: failed to get input stream\n");
+		return(1);
+	}
+
+	if (!debug || debug < 2) 
+		make_connection();
+	else 
+		if (debug)
+			fprintf(stderr, "DEBUG: not connecting to Bro (debug level >1)\n");
+
+
+
+	// socket and pipe are set up, now start processing
+	if(debug)
+		fprintf(stderr, "DEBUG: waiting for data on input stream...\n");
+
+	while(fgets(buf, sizeof(buf), fp)) 
+		{
+		ecount++;
+		string inp;
+		vector<string> inText; //text inputts within the pipe
+		vector<string> tokens;
+
+		if (debug) 
+			fprintf(stderr, "DEBUG: read event #%d: %s", ecount, buf);
+
+		if(debug >1)
+			continue;
+		
+		
+		inp = buf;
+		ntokenize(inp, inText);
+
+		BroEvent *ev;
+		bro_conn_process_input(bc);
+
+		for(j=0;j<inText.size();++j) 
+		{
+
+		tokens.clear(); // make sure that the vector is clear
+		tokenize(inText[j].c_str(), tokens);
+	        // if this line didn't tokenize to anything, skip the rest of the block
+                if ( tokens.size() == 0)
+                     continue;
+
+		if ( ev = bro_event_new(tokens[0].c_str()) )
+			{
+			for ( unsigned int i = 1; i < tokens.size(); ++i )
+				{
+				// this is something of a nasty hack, but it does work
+				string tkn,tkn_type,tkn_data;
+				char delim = '=';
+ 
+				tkn=tokens[i].c_str();
+				string::size_type position = tkn.find_first_of("=",0);
+ 
+				tkn_type = tkn.substr(0,position);
+				tkn_data = tkn.substr(position+1,tkn.length());
+ 
+				if ( tkn_type == "string" )
+					{
+					BroString arg;
+					bro_string_init(&arg);
+					bro_string_set(&arg,tkn_data.c_str());
+					bro_event_add_val(ev, BRO_TYPE_STRING, NULL, &arg);
+					bro_string_cleanup(&arg);
+					}
+				else if (tkn_type == "urlstring")
+				        {
+					BroString arg;
+					bro_string_init(&arg);
+					int sz= strlen(tkn_data.c_str()) + 1;
+					if ( sz > urlstrsz) {
+					    if (urlstr)
+					        free( urlstr);
+					    urlstr = (char *)malloc( sz);
+					    if (urlstr == NULL) {
+					        fprintf( stderr,"Could not allocate %d bytes for url conversion buffer\n",sz);
+						return(1);
+					    }
+					    urlstrsz = sz;
+					}
+					modp_burl_decode(urlstr,tkn_data.c_str(),strlen(tkn_data.c_str()));
+					bro_string_set(&arg,urlstr);
+					bro_event_add_val(ev, BRO_TYPE_STRING, NULL, &arg);
+					bro_string_cleanup(&arg);
+					}
+					  
+				else if ( tkn_type == "int" )
+					{
+					int bint;
+					bint = atoi(tkn_data.c_str());
+					bro_event_add_val(ev, BRO_TYPE_INT, NULL, &bint);
+					}
+				else if ( tkn_type == "count" )
+					{
+					uint32 buint;
+					buint = atoi(tkn_data.c_str());
+					bro_event_add_val(ev, BRO_TYPE_COUNT, NULL, &buint);
+					}
+				else if ( tkn_type == "double" )
+					{
+					double bdouble;
+					char* end_s;
+					bdouble = strtod(tkn_data.c_str(),&end_s);
+					bro_event_add_val(ev, BRO_TYPE_DOUBLE, NULL, &bdouble);
+					}
+				else if ( tkn_type == "bool" )
+					{
+					int bbool=0;
+ 
+					if ( tkn_data == "T" ||
+						tkn_data == "TRUE" ||
+						tkn_data == "1" )
+						bbool = 1;	
+ 
+					bro_event_add_val(ev, BRO_TYPE_BOOL, NULL, &bbool);
+					}	
+				else if ( tkn_type == "time" )	
+					{	
+					double btime;
+					char* end_s;
+					btime = strtod(tkn_data.c_str(),&end_s);
+					bro_event_add_val(ev, BRO_TYPE_TIME, NULL, &btime);
+					}
+				else if ( tkn_type == "interval" )
+					{
+					double binterval;
+					char* end_s;
+					binterval = strtod(tkn_data.c_str(),&end_s);
+					bro_event_add_val(ev, BRO_TYPE_INTERVAL, NULL, &binterval);
+					}
+				else if ( tkn_type == "port" )
+					{
+					BroPort BP;
+					string port_value;
+					string::size_type port_offset;
+					int broport;
+ 
+					//determine protocol type, start with tcp/udp do icmp
+					// later since the 'ports' are not as simple...
+					if ( tkn_data.find("tcp",0) <tkn_data.length() )
+						BP.port_proto = IPPROTO_TCP;
+					else BP.port_proto = IPPROTO_UDP;
+ 
+					// parse out the numeric values
+					port_offset = tkn_data.find_first_of("/",0);
+					port_value = tkn_data.substr(0,port_offset);
+ 
+					broport = atoi(port_value.c_str());
+					BP.port_num = broport;
+					bro_event_add_val(ev, BRO_TYPE_PORT, NULL, &BP);
+					}
+				else if ( tkn_type == "addr" )
+					{	
+					uint32 badd;
+					badd=(uint32)inet_addr(tkn_data.c_str());
+					//badd=htonl((uint32)inet_addr(tkn_data.c_str()));
+ 
+					bro_event_add_val(ev, BRO_TYPE_IPADDR, NULL, &badd);
+					}
+				else if ( tkn_type == "net" )
+					{
+					uint32 bnet;
+					// bnet=htonl((uint32)inet_addr(tkn_data.c_str()));
+					bnet=(uint32)inet_addr(tkn_data.c_str());
+ 
+					bro_event_add_val(ev, BRO_TYPE_NET, NULL, &bnet);
+					}
+				else if ( tkn_type == "subnet" )
+					{
+					// this is assuming a string that looks like
+					// "subnet=10.0.0.0/8"
+					BroSubnet BS;
+					string subnet_value;
+					string subnet_width;
+					string::size_type mask_offset;
+					uint32 sn_net, sn_width;
+ 
+					//parse out numeric values
+					mask_offset = tkn_data.find_first_of("/",0);
+					subnet_value = tkn_data.substr(0,mask_offset);
+					subnet_width = tkn_data.substr(mask_offset+1,tkn_data.length());
+ 
+					sn_net = (uint32)inet_addr(subnet_value.c_str());
+					sn_width = (uint32)atol(subnet_width.c_str());
+ 
+					BS.sn_net = sn_net;
+					BS.sn_width = sn_width;
+ 
+					bro_event_add_val(ev, BRO_TYPE_SUBNET,NULL,  &BS);
+					}
+				else
+					{
+					// there is something wrong here with the data
+					// type.  since it might be binary data, don't 
+					// punt it out.  Also showtypes() will just toss
+					// junk to the bro, so comment out.
+					cerr << "unknown data type " << tkn_type << "\n";
+					//cerr << " from -|" << inText[j].c_str() << "|-\n";
+					//showtypes();
+					}
+ 
+				}
+			}
+			/* Ship it -- sends it if possible, queues it otherwise */
+			if ( !bro_conn_alive(bc) )
+				{
+				cerr << "connection bad, resetting\n";
+				make_connection();
+				}
+			//else
+			//	cerr << "connection ok!\n";
+
+
+			//bro_event_send(bc, ev);
+			if ( ! bro_event_send(bc, ev) )
+				cerr << "event could not be sent right away\n";
+
+			// now clean up after ourselves...
+			bro_event_free(ev);	
+		}			
+	}
+	fclose(fp);
+
+	if (debug)
+		fprintf(stderr, "DEBUG: End of input stream; exiting\n");
+}
+
+
diff --git a/aux/broccoli/contrib/brosendpkts.c b/aux/broccoli/contrib/brosendpkts.c
new file mode 100644
index 0000000000..7cc4e2cf1f
--- /dev/null
+++ b/aux/broccoli/contrib/brosendpkts.c
@@ -0,0 +1,90 @@
+/* NOTE: This file needs to be cleaned up to build with all
+ * C compilers -- no variable definitions in the middle of
+ * functions, etc. Conditional compilation depending on
+ * whether we're using a Broccoli with or without pcap support
+ * can be done with #ifdef BRO_PCAP_SUPPORT. --ck.
+ */
+
+#include <string.h>
+#include <broccoli.h>
+#include <pcap.h>
+
+void usage() {
+  fprintf(stderr, "usage: brosendpkts -r file -b host:port [-t tag]\n");
+  exit(1);
+} 
+
+
+int main(int argc, char** argv) {
+  char* filename=NULL;
+  char* bro_connection=NULL;
+  char* tag="";
+
+  bro_init(NULL);
+
+  int opt;
+  while ((opt=getopt(argc, argv, "r:b:t:h?")) != -1) {
+    switch(opt) {
+    case 'r':
+      filename=strdup(optarg);
+      break;
+    case 'b':
+      bro_connection=strdup(optarg);
+      break;
+    case 't':
+      tag=strdup(optarg);
+      break;
+    case 'h':
+    case '?':
+    default:
+      usage();
+    }
+  }
+  argc -= optind;
+  argv += optind;
+
+
+  if (filename==NULL || bro_connection==NULL) usage();
+
+  BroConn *broccoli_p=bro_conn_new_str(bro_connection, BRO_CFLAG_NONE);
+  if (!broccoli_p)
+    {
+	fprintf(stderr, "can't instantiate connection object\n");
+	exit(1);
+	}
+								   
+  if (! bro_conn_connect(broccoli_p)) {
+    fprintf(stderr, "Bro connection to %s failed\n",
+	    bro_connection);
+    exit(1);
+  }
+  printf("connected to Bro %s\n", bro_connection);
+
+  char pcap_errbuf[PCAP_ERRBUF_SIZE]="";
+  pcap_t* pcap_p=pcap_open_offline(filename, pcap_errbuf);
+
+  if (!pcap_p) {
+    fprintf(stderr, "pcap eror: %s\n", pcap_errbuf);
+    exit(1);
+  }
+
+  bro_conn_set_packet_ctxt(broccoli_p, pcap_datalink(pcap_p));
+
+  const uchar* packet_p=NULL;
+  struct pcap_pkthdr pkthdr;
+  
+  int pkt_cnt=0;
+  while ((packet_p=pcap_next(pcap_p, &pkthdr))) {
+    pkt_cnt++;
+    BroPacket* broccoli_packet_p=bro_packet_new(&pkthdr, packet_p, tag);
+    bro_packet_send(broccoli_p, broccoli_packet_p);
+    bro_packet_free(broccoli_packet_p);
+  }
+
+  printf("sent %d packets\n",pkt_cnt);
+  
+  bro_conn_delete(broccoli_p);
+  printf("connection to Bro %s closed\n", bro_connection);
+
+  return 0;
+}
diff --git a/aux/broccoli/contrib/rcvpackets.bro b/aux/broccoli/contrib/rcvpackets.bro
new file mode 100644
index 0000000000..339bf815b8
--- /dev/null
+++ b/aux/broccoli/contrib/rcvpackets.bro
@@ -0,0 +1,11 @@
+
+@load listen-clear
+	
+redef Remote::destinations +=  {
+    ["broccoli"] = [$host=127.0.0.1, $accept_state=T, $sync=F]
+};
+	
+
+	
+	
+	
diff --git a/aux/broccoli/docs/Makefile.am b/aux/broccoli/docs/Makefile.am
new file mode 100644
index 0000000000..9828f010e0
--- /dev/null
+++ b/aux/broccoli/docs/Makefile.am
@@ -0,0 +1,205 @@
+## Process this file with automake to produce Makefile.in
+
+# This is a blank Makefile.am for using gtk-doc.
+# Copy this to your project's API docs directory and modify the variables to
+# suit your project. See the GTK+ Makefiles in gtk+/docs/reference for examples
+# of using the various options.
+
+# The name of the module, e.g. 'glib'.
+DOC_MODULE=broccoli
+
+# The top-level SGML file. Change it if you want.
+DOC_MAIN_SGML_FILE=$(DOC_MODULE)-manual.sgml
+
+# The directory containing the source code. Relative to $(srcdir).
+# CAUTION: this will usually be the current directory.
+# gtk-doc will search all .c & .h files beneath here for inline comments
+# documenting functions and macros.
+DOC_SOURCE_DIR=$(top_srcdir)/src
+
+# Extra options to pass to gtkdoc-scanobj or gtkdoc-scangobj.
+SCANOBJ_OPTIONS=
+
+# Extra options to supply to gtkdoc-scan.
+SCAN_OPTIONS=
+
+# Extra options to supply to gtkdoc-mkdb.
+MKDB_OPTIONS=--ignore-files=bro_lexer.c
+
+# Extra options to supply to gtkdoc-fixref.
+FIXXREF_OPTIONS=
+
+# Used for dependencies.
+HFILE_GLOB=
+CFILE_GLOB=
+
+# Header files to ignore when scanning.
+IGNORE_HFILES=
+
+# Images to copy into HTML directory.
+HTML_IMAGES = \
+	images/caution.gif \
+	images/note.gif \
+	images/warning.gif \
+	images/logo.jpg
+
+# Other HTML stuff that needs installing
+HTML_MISC = \
+	stylesheet.css
+
+# Extra SGML files that are included by $(DOC_MAIN_SGML_FILE).
+content_files =
+
+# Other files to distribute.
+extra_files = broccoli.types
+
+# CFLAGS and LDFLAGS for compiling scan program. Only needed if your app/lib
+# contains GtkObjects/GObjects and you want to document signals and properties.
+GTKDOC_CFLAGS =
+GTKDOC_LIBS =
+
+GTKDOC_CC=$(LIBTOOL) --mode=compile $(CC)
+GTKDOC_LD=$(LIBTOOL) --mode=link $(CC)
+
+# If you need to override some of the declarations, place them in the
+# $(DOC_MODULE)-overrides.txt file and uncomment the second line here.
+DOC_OVERRIDES =
+#DOC_OVERRIDES = $(DOC_MODULE)-overrides.txt
+
+# You can pass in a different stylesheet (or none, for the default look).
+STYLESHEET=stylesheet.dsl
+
+###########################################################################
+# Everything below here is generic and you shouldn't need to change it.
+###########################################################################
+
+TARGET_DIR=$(HTML_DIR)/$(DOC_MODULE)
+
+EXTRA_DIST = 				\
+	$(content_files)		\
+	$(extra_files)			\
+	$(HTML_IMAGES)			\
+	$(HTML_MISC)			\
+	$(DOC_MAIN_SGML_FILE)		\
+	$(DOC_MODULE).types		\
+	$(DOC_MODULE)-sections.txt	\
+	$(DOC_OVERRIDES)                \
+	broccoli.types			\
+	mkhtml				\
+	stylesheet.dsl
+
+DOC_STAMPS=scan-build.stamp tmpl-build.stamp sgml-build.stamp html-build.stamp \
+	   $(srcdir)/tmpl.stamp $(srcdir)/sgml.stamp $(srcdir)/html.stamp
+
+SCANOBJ_FILES = 		 \
+	$(DOC_MODULE).args 	 \
+	$(DOC_MODULE).hierarchy  \
+	$(DOC_MODULE).interfaces \
+	$(DOC_MODULE).prerequisites \
+	$(DOC_MODULE).signals
+
+if ENABLE_GTK_DOC
+all-local: html-build.stamp
+
+#### scan ####
+
+scan-build.stamp: $(HFILE_GLOB)
+	@echo '*** Scanning header files ***'
+	if grep -l '^..*$$' $(srcdir)/$(DOC_MODULE).types > /dev/null ; then \
+	    CC="$(GTKDOC_CC)" LD="$(GTKDOC_LD)" CFLAGS="$(GTKDOC_CFLAGS)" LDFLAGS="$(GTKDOC_LIBS)" gtkdoc-scanobj $(SCANOBJ_OPTIONS) --module=$(DOC_MODULE) --output-dir=$(srcdir) ; \
+	else \
+	    cd $(srcdir) ; \
+	    for i in $(SCANOBJ_FILES) ; do \
+               test -f $(srcdir)/$$i || touch $(srcdir)/$$i ; \
+	    done \
+	fi
+	cd $(srcdir) && \
+	  gtkdoc-scan --module=$(DOC_MODULE) --source-dir=$(DOC_SOURCE_DIR) --ignore-headers="$(IGNORE_HFILES)" $(SCAN_OPTIONS) $(EXTRA_HFILES)
+	touch scan-build.stamp
+
+$(DOC_MODULE)-decl.txt $(SCANOBJ_FILES): scan-build.stamp
+	@true
+
+#### templates ####
+
+tmpl-build.stamp: $(DOC_MODULE)-decl.txt $(SCANOBJ_FILES) $(DOC_MODULE)-sections.txt $(DOC_OVERRIDES)
+	@echo '*** Rebuilding template files ***'
+	cd $(srcdir) && gtkdoc-mktmpl --module=$(DOC_MODULE)
+	touch tmpl-build.stamp
+
+tmpl.stamp: tmpl-build.stamp
+	@true
+
+#### sgml ####
+
+sgml-build.stamp: tmpl.stamp $(CFILE_GLOB)
+	@echo '*** Building SGML ***'
+	cd $(srcdir) && \
+	gtkdoc-mkdb --module=$(DOC_MODULE) --source-dir=$(DOC_SOURCE_DIR) --main-sgml-file=$(DOC_MAIN_SGML_FILE) $(MKDB_OPTIONS)
+	touch sgml-build.stamp
+
+sgml.stamp: sgml-build.stamp
+	@true
+
+#### html ####
+
+html-build.stamp: sgml.stamp $(DOC_MAIN_SGML_FILE) $(content_files)
+	@echo '*** Building HTML ***'
+	test -d $(srcdir)/html || mkdir $(srcdir)/html
+	mkhtmldir=`cd $(srcdir) && pwd` && \
+	cd $(srcdir)/html && $$mkhtmldir/mkhtml $(DOC_MODULE) ../$(DOC_MAIN_SGML_FILE) $$mkhtmldir/$(STYLESHEET)
+	test "x$(HTML_MISC)" = "x" || ( cd $(srcdir) && cp $(HTML_MISC) html )
+	@echo '-- Fixing Crossreferences' 
+	cd $(srcdir) && gtkdoc-fixxref --module-dir=html --html-dir=$(HTML_DIR) $(FIXXREF_OPTIONS)
+	touch html-build.stamp
+else
+all-local:
+endif
+
+##############
+
+clean-local:
+	rm -f *~ *.bak $(SCANOBJ_FILES) *-unused.txt $(DOC_STAMPS)
+
+maintainer-clean-local: clean
+	cd $(srcdir) && rm -rf sgml html $(DOC_MODULE)-decl-list.txt $(DOC_MODULE)-decl.txt
+
+# Manual rule here, global install was removed as part of Bro's "make
+# install" cleanup for the 1.4 release. --cpk
+#
+install-docs:
+	$(mkinstalldirs) $(DESTDIR)$(TARGET_DIR)/images
+	(installfiles=`echo $(srcdir)/html/*.html`; \
+	if test "$$installfiles" = '$(srcdir)/html/*.html'; \
+	then echo '-- Nothing to install'; \
+	else \
+	  for i in $$installfiles; do \
+	    echo '-- Installing '$$i; \
+	    $(INSTALL_DATA) $$i $(DESTDIR)$(TARGET_DIR); \
+	  done; \
+	  echo '-- Installing $(srcdir)/images/'; \
+	  for i in $(HTML_IMAGES); do \
+	    $(INSTALL_DATA) $(srcdir)/$$i $(DESTDIR)$(TARGET_DIR)/images; \
+	  done; \
+	  echo '-- Installing additional files'; \
+	  for i in $(HTML_MISC); do \
+	    $(INSTALL_DATA) $(srcdir)/$$i $(DESTDIR)$(TARGET_DIR); \
+	  done; \
+	fi)
+
+uninstall-local:
+	rm -rf $(DESTDIR)$(TARGET_DIR)
+
+dist-hook:
+	mkdir -p $(distdir)/tmpl
+	mkdir -p $(distdir)/sgml
+	mkdir -p $(distdir)/html/images
+	-cp $(srcdir)/tmpl/*.sgml $(distdir)/tmpl
+	-cp $(srcdir)/sgml/*.sgml $(distdir)/sgml
+	-cp $(srcdir)/html/*.html $(distdir)/html
+	for i in $(HTML_MISC); do \
+	  cp $(srcdir)/$$i $(distdir)/html; \
+	done
+	for i in $(HTML_IMAGES); do \
+	  cp $(srcdir)/$$i $(distdir)/html/images ; \
+	done
diff --git a/aux/broccoli/docs/broccoli-manual.sgml b/aux/broccoli/docs/broccoli-manual.sgml
new file mode 100644
index 0000000000..e4c20ff491
--- /dev/null
+++ b/aux/broccoli/docs/broccoli-manual.sgml
@@ -0,0 +1,1822 @@
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook V4.2//EN" [
+<!ENTITY bc "<function>broccoli</function>">
+<!ENTITY bcc "<filename>broccoli-config</filename>">
+<!ENTITY bc-latest-rel "1.5">
+<!ENTITY bc-header SYSTEM "sgml/broccoli.sgml">
+<!ENTITY bp "<function>broping</function>">
+]>
+<book id="index">
+  <title>Broccoli: The Bro Client Communications Library</title>
+  <bookinfo>
+    <mediaobject>
+      <imageobject>
+	<imagedata fileref="images/logo.jpg" format="jpg" align="center">
+      </imageobject>
+      <textobject>
+	<phrase>Broccoli Logo</phrase>
+      </textobject>
+    </mediaobject>
+    <abstract>
+      <para>
+	This is documentation for release <emphasis>&bc-latest-rel;</emphasis>
+	of Broccoli, compatible with Bro IDS releases of <emphasis>1.4</emphasis>
+	or newer. Broccoli is free software under terms of the BSD license as given
+	in the <link linkend="license" endterm="license.title">License</link>
+	section. This documentation is always available on the web for download
+	and online browsing at
+	<ulink url="http://www.icir.org/christian/broccoli">http://www.icir.org/christian/broccoli</ulink>.
+      </para>
+      <para>Feedback, patches and bug reports are all welcome, please
+	<ulink url="http://mailman.icsi.berkeley.edu/mailman/listinfo/bro">join the Bro mailing list</ulink>.
+      </para>
+      <para>
+	Yet Another SRG/ICIR Production &mdash;
+	<ulink url="http://www.cl.cam.ac.uk/Research/SRG">http://www.cl.cam.ac.uk/Research/SRG</ulink> &mdash;
+	<ulink url="http://www.icir.org">http://www.icir.org</ulink>
+      </para>
+    </abstract>
+  </bookinfo>
+
+  <chapter>
+    <title>Introduction</title>
+    <para>
+    Welcome! You're looking at the Broccoli manual. Thanks for reading this.
+    </para>
+    <sect1>
+      <title>What is Broccoli?</title>
+      <para>
+	Broccoli is the <emphasis>BRO</emphasis> <emphasis>C</emphasis>lient
+	<emphasis>CO</emphasis>mmunications <emphasis>LI</emphasis>brary. It allows
+	you to write applications that speak the communication protocol of the
+	<ulink url="http://www.bro-ids.org">Bro intrusion detection system</ulink>.	
+	In this document, we assume that you are familiar with the basic concepts
+	of Bro. If you need a refresher, please have a look at the
+	<ulink url="http://www.icir.org/vern/papers/bro-CN99.html">original paper</ulink>,
+	the <ulink url="http://www.bro-ids.org/Bro-user-manual/index.html">user manual</ulink>,
+	and the material on <ulink url="http://www.bro-ids.org">bro-ids.org</ulink> in general.
+      </para>      
+    </sect1>
+    <sect1>
+      <title>Why do I care?</title>
+      <para>
+        Having a single IDS on your network is good, but things become a lot more interesting
+	when you can communicate information among multiple vantage points in your network.
+	Bro agents can communicate with other Bro agents, sending and receiving events and
+	other state information. In the Bro context this is particularly interesting because
+	it means that you can build sophisticated policy-controlled distributed event
+	management systems.
+      </para>
+      <para>
+	Broccoli enters the picture when it comes to integrating components that are not
+	Bro agents themselves. Broccoli lets you create applications that can speak the Bro
+	communication protocol. You can compose, send, request, and receive events.
+	You can register your own event handlers. You can talk to other Broccoli
+	applications or Bro agents &mdash; Bro agents cannot tell whether they are talking
+	to another Bro or a Broccoli application. Broccoli allows you to integrate applications
+	of your choosing into a distributed policy-controlled event management system.
+	Broccoli is intended
+	to be portable: it should build on Linux, the BSDs, Solaris, and Windows
+	(in the <ulink url="http://www.mingw.org">MinGW</ulink> environment).
+      </para>
+      <para>
+	Unlike other distributed IDSs, Bro does not assume a strict sensor&ndash;manager
+	hierarchy in the information flow. Instead, Bro agents can request delivery of
+	arbitrary <emphasis>events</emphasis>
+	from other instances. When an event is triggered in a Bro agent, it checks
+	whether any connected agents have requested notification of this event,
+	and send a <emphasis>copy</emphasis> of the event, including the <emphasis>event arguments</emphasis>.
+	Recall that in Bro, an event handler is essentially a function defined in
+	the Bro language, and an event materializes through invocation of an event handler.
+	Each remote agent can define its own event handlers.
+      </para>
+      <para>
+        Broccoli applications will typically do one or more of the following:
+      </para>
+      <itemizedlist>	 
+	<listitem>
+	  <para>
+	   <emphasis>Configuration/Management Tasks:</emphasis> the Broccoli application
+	   is used to configure remotely running Bros without the need for a restart.
+	  </para>
+	</listitem>
+	<listitem>
+	  <para>
+	   <emphasis>Interfacing other Systems:</emphasis> the Broccoli application
+	   is used to convert Bro events to other alert/notice formats, for into
+	   syslogd entries.
+	  </para>
+	</listitem>
+	<listitem>
+	  <para>
+	   <emphasis>Host-based Sensor Feeds into Bro:</emphasis> the Broccoli
+	   application reports events based on host-based activity generated in
+	   kernel space or user space applications.
+	  </para>
+	</listitem>
+      </itemizedlist>	 
+    </sect1>
+  </chapter>
+
+  <chapter>
+    <title>Installing Broccoli</title>
+    <para>
+      The installation process will hopefully be painless: Broccoli is installed from source
+      using the usual <command>./configure &lt;options&gt; && make && make install</command>
+      routine after extraction of the tarball. Or if you're on a Linux systems supporting
+      RPMs, we provide those as well.
+    </para>
+    <para>
+      The relevant configuration options to pass to configure are:
+      <itemizedlist>	 
+	<listitem>
+	  <para><command>--prefix=&lt;DIR&gt;</command>: sets the installation root to DIR.
+	  The default is to install below <filename>/usr/local</filename>.</para>
+	</listitem>
+	<listitem>
+	  <para><command>--enable-debug</command>: enables debugging output.
+          Please refer to the <link linkend="broccoli-debugging">Broccoli debugging</link>
+	  section for details on configuring and using debugging output.
+          </para>
+	</listitem>
+	<listitem>
+	  <para><command>--with-configfile=&lt;FILE&gt;</command>: use FILE as location of configuration file.
+	  See the section on <link linkend="config-files">configuration files</link>
+	  below for more on this.
+	  </para>
+	</listitem>
+	<listitem>
+	  <para><command>--with-openssl=&lt;DIR&gt;</command>: use the OpenSSL installation below DIR.</para>
+	</listitem>
+	<listitem>
+	  <para><command>--with-kerberos=&lt;DIR&gt;</command>: use the Kerberos installation below DIR.</para>
+	</listitem>
+      </itemizedlist>
+    </para>
+    <para>
+      After installation, you'll find the library in shared and static versions in <filename>&lt;prefix&gt;/lib</filename>
+      the header file for compilation in <filename>&lt;prefix&gt;/include</filename>, and the
+      manual in HTML below <filename>&lt;prefix&gt;/share/gtk-doc/html/broccoli</filename>.      
+    </para>
+    <para>
+      When installing from source, you can get rid of the installation using <command>make uninstall</command>.
+    </para>
+  </chapter>
+  
+  <chapter>
+    <title>Using Broccoli</title>
+    <para>
+    </para>
+
+    <sect1>
+      <title>Obtaining information about your build using <filename>broccoli-config</filename></title>
+      <para>
+	Similarly to many other software packages, the Broccoli distribution
+	provides a script that you can use to obtain details about your
+	Broccoli setup. The script currently provides the following flags:
+	<itemizedlist>	 
+	  <listitem>
+	    <para><command>--build</command> prints the name of the machine the build was
+		made on, when, and whether debugging support was enabled or not.</para>
+	  </listitem>
+	  <listitem>
+	    <para><command>--prefix</command> prints the directory in the filesystem
+		below which Broccoli was installed.</para>
+	  </listitem>
+	  <listitem>
+	    <para><command>--version</command> prints the version of the distribution
+		you have installed.</para>
+	  </listitem>
+	  <listitem>
+	    <para><command>--libs</command> prints the flags to pass to the
+		linker in order to link in the Broccoli library.</para>
+	  </listitem>
+	  <listitem>
+	    <para><command>--cflags</command> prints the flags to pass to the
+		compiler in order to properly include Broccoli's header file.</para>
+	  </listitem>
+	  <listitem>
+	    <para><command>--config</command> prints the location of the system-wide
+		config file your installation will use.</para>
+	  </listitem>
+	</itemizedlist>	 
+      </para>
+      <para>
+	  The <filename>--cflags</filename> and <filename>--libs</filename> flags
+	  are the suggested way of obtaining the necessary information for integrating
+	  Broccoli into your build environment. It is generally recommended to use
+	  <filename>broccoli-config</filename> for this purpose, rather than, say,
+	  develop new <command>autoconf </command> tests. 
+          If you use the <command>autoconf</command>/<command>automake</command>
+          tools, we recommend something along the following lines for your
+	  <filename>configure</filename> script:
+      </para>      
+      <programlisting>
+<![CDATA[
+dnl ##################################################
+dnl # Check for Broccoli
+dnl ##################################################
+AC_ARG_WITH(broccoli-config,
+    AC_HELP_STRING([--with-broccoli-config=FILE], [Use given broccoli-config]),
+    [ brocfg="$withval" ],
+    [ AC_PATH_GENERIC(broccoli,,
+          brocfg="broccoli-config",
+          AC_MSG_ERROR(Cannot find Broccoli: Is broccoli-config in path? Use more fertilizer?)) ])
+
+broccoli_libs=`$brocfg --libs`
+broccoli_cflags=`$brocfg --cflags`
+AC_SUBST(broccoli_libs)
+AC_SUBST(broccoli_cflags)
+]]>
+      </programlisting>
+      <para>
+      You can then use the compiler/linker flags in your Makefile.in/ams by
+      substituting in the values accordingly, which might look as follows:
+      </para>
+      <programlisting>
+<![CDATA[
+CFLAGS = -W -Wall -g -DFOOBAR @broccoli_cflags@
+LDFLAGS = -L/usr/lib/foobar @broccoli_libs@
+]]>
+      </programlisting>
+    </sect1>
+
+    <sect1>
+      <title>Suggestions for instrumenting applications</title>
+      <para>
+          Often you will want to make existing applications Bro-aware,
+	  that is, <emphasis>instrument</emphasis> them so that they can send and
+	  receive Bro events at appropriate moments in the execution flow.
+	  This will involve modifying an existing code tree, so care needs to
+	  be taken to avoid unwanted side effects. By protecting the instrumented
+	  code with
+	  <function>#ifdef</function>/<function>#endif</function>
+	  statements you can still build the original application, using the
+	  instrumented source tree. The &bcc; script helps you in doing so because
+	  it already adds <function>-DBROCCOLI</function> to the compiler flags
+	  reported when run with the <filename>--cflags</filename> option:
+      </para>
+      <programlisting>
+<![CDATA[
+cpk25@localhost:/home/cpk25 > broccoli-config --cflags
+-I/usr/local/include -I/usr/local/include -DBROCCOLI
+]]>
+      </programlisting>
+      <para>
+	  So simply surround all inserted code with a preprocessor check
+	  for <function>BROCCOLI</function> and you will be able to
+	  build the original application as soon as <function>BROCCOLI</function>
+	  is not defined.
+      </para>
+    </sect1>
+    <sect1>
+      <title>The Broccoli API</title>
+      <para>
+          Time for some code. In the code snippets below we will introduce variables
+	  whenever context requires them and not necessarily when C requires them.
+	  The library does not require calling a global initialization function.
+	  In order to make the API known, include <filename>broccoli.h</filename>:
+      </para>
+      <programlisting>
+<![CDATA[
+#ifdef BROCCOLI
+#include <broccoli.h>
+#endif
+]]>
+      </programlisting>
+      <note>
+        <para><emphasis>A note on Broccoli's memory management philosophy:</emphasis></para>
+	  <para>Broccoli generally does not release objects you allocate.
+	    The approach taken is "you clean up what you allocate."
+	</para>
+      </note>
+
+      <sect2>
+	<title>Initialization</title>
+        <para>
+	  Broccoli requires global initialization before most of its
+	  other other functions can be used. Generally, the way to
+	  initialize Broccoli is as follows:
+        </para>
+        <programlisting>
+<![CDATA[
+bro_init(NULL);
+]]>
+        </programlisting>
+        <para>
+          The argument to
+          <link linkend="bro-init"><function>bro_init()</function></link>
+          provides optional initialization context, and may be kept
+          <constant>NULL</constant> for normal use. If required, you may
+          allocate a <filename>BroCtx</filename> structure locally,
+          initialize it using
+          <link linkend="bro-ctx-init"><function>bro_ctx_init()</function></link>,
+          fill in additional values as required and and subsequently pass it to
+          <link linkend="bro-init"><function>bro_init()</function></link>:
+        </para>
+        <programlisting>
+<![CDATA[
+BroCtx ctx;
+bro_ctx_init(&ctx);
+/* Make adjustments to the context structure as required... */
+bro_init(&ctx);
+]]>
+        </programlisting>
+	<caution>
+          <para>
+          The <filename>BroCtx</filename> structure currently contains
+          a set of five different callback function pointers.  These
+          are <emphasis>required</emphasis> for thread-safe operation
+          of OpenSSL (Broccoli itself is thread-safe).  If you intend
+          to use Broccoli in a multithreaded environment, you need to
+          implement functions and register them via the
+          <filename>BroCtx</filename> structure.  The O'Reilly book
+          "Network Security with OpenSSL" by Viega et al. shows how to
+          implement these callbacks.
+          </para>
+	</caution>
+	<caution>
+	  <para>You <emphasis>must</emphasis> call
+          <link linkend="bro-init"><function>bro_init()</function></link>
+	  at the start of your application. Undefined behavior may result
+          if you don't.
+          </para>
+	</caution>
+      </sect2>
+
+      <sect2>
+	<title>Data types in Broccoli</title>
+        <para>
+	  Broccoli declares a number of data types in <filename>broccoli.h</filename> that
+	  you should know about. The more complex ones are kept opaque, while you do get
+	  access to the fields in the simpler ones. The full list is as follows:
+
+	  <itemizedlist>	 
+	    <listitem>
+	      <para>Simple signed and unsigned types: <type>int</type>, <type>uint</type>,
+	        <type>uint32</type>, <type>uint16</type> and <type>uchar</type>.</para>
+	    </listitem>
+	    <listitem>
+	      <para>Connection handles: <type>BroConn</type>, kept opaque.</para>
+	    </listitem>
+	    <listitem>
+	      <para>Bro events: <type>BroEvent</type>, kept opaque.</para>
+	    </listitem>
+	    <listitem>
+	      <para>Buffer objects: <type>BroBuf</type>, kept opaque. See the separate
+	      <link linkend="buffers">section on buffer management</link> for details.</para>
+	    </listitem>
+	    <listitem>
+	      <para>Ports: <type>BroPort</type> for network ports, defined as follows:
+	      </para>
+	      <programlisting>
+<![CDATA[
+typedef struct bro_port {
+  uint16       port_num;   /* port number in host byte order */
+  int          port_proto; /* IPPROTO_xxx */
+} BroPort;
+]]>
+              </programlisting>
+	    </listitem>
+	    <listitem>
+	      <para>Records: <type>BroRecord</type>, kept opaque. See the separate
+	      <link linkend="records">section on record handling</link> for details.</para>
+	    </listitem>
+	    <listitem>
+	      <para>Strings (character and binary): <type>BroString</type>, defined as follows:
+	      </para>
+	      <programlisting>
+<![CDATA[
+typedef struct bro_string {
+  int          str_len;
+  char        *str_val;
+} BroString;
+]]>
+              </programlisting>
+	      <para>
+	      BroStrings are mostly kept transparent for convenience; please have a look at the
+	      string API:
+<link linkend="bro-string-init"><function>bro_string_init()</function></link>,
+<link linkend="bro-string-set"><function>bro_string_set()</function></link>,
+<link linkend="bro-string-set-data"><function>bro_string_set_data()</function></link>,
+<link linkend="bro-string-copy"><function>bro_string_copy()</function></link>,
+<link linkend="bro-string-cleanup"><function>bro_string_cleanup()</function></link>, and
+<link linkend="bro-string-free"><function>bro_string_free()</function></link>.
+	      </para>
+	    </listitem>
+	    <listitem>
+	      <para>Tables: <type>BroTable</type>, kept opaque. See the separate
+	      <link linkend="tables">section on table handling</link> for details.</para>
+	    </listitem>
+	    <listitem>
+	      <para>Sets: <type>BroSet</type>, kept opaque. See the separate
+	      <link linkend="sets">section on table handling</link> for details.</para>
+	    </listitem>
+	    <listitem>
+	      <para>Subnets: <type>BroSubnet</type>, defined as follows:
+	      </para>
+	      <programlisting>
+<![CDATA[
+typedef struct bro_subnet
+{
+  uint32       sn_net;     /* IP address in network byte order */
+  uint32       sn_width;   /* Length of prefix to consider. */
+} BroSubnet;
+]]>
+              </programlisting>
+	    </listitem>
+	  </itemizedlist>
+	</para>
+      </sect2>
+
+      <sect2>
+	<title>Managing connections</title>
+        <para>
+	    You can use Broccoli to establish a connection to a remote Bro, or to create a
+	    Broccoli-enabled server application that other Bros will connect to. (This
+	    means that in principle, you can also use Broccoli purely as middleware and
+	    have multiple Broccoli applications communicate directly.)
+        </para>
+        <para>	    
+	    In order to establish a connection to a remote Bro, you first obtain a connection
+	    handle. You then use this connection handle to request events, connect to the
+	    remote Bro, send events, etc. Connection handles are pointers to <function>BroConn</function>
+	    structures, which are kept opaque. Use
+	    <link linkend="bro-conn-new"><function>bro_conn_new()</function></link> or
+	    <link linkend="bro-conn-new-str"><function>bro_conn_new_str()</function></link>
+	    to obtain a handle, depending on what parameters are more convenient for
+	    you: the former accepts the IP address and port number as separate numerical
+	    arguments, the latter uses a single string to encode both, in "hostname:port"
+	    format.
+        </para>
+        <para>
+	    To write a Broccoli-enabled server, you first need to implement the usual
+	    <function>socket()</function> / <function>bind()</function> /
+	    <function>listen()</function> / <function>accept()</function> routine.
+	    Once you have obtained a file descriptor for the new connection from <function>accept()</function>,
+	    you pass it to the third function that returns a <function>BroConn</function>
+	    handle, 
+	    <link linkend="bro-conn-new-socket"><function>bro_conn_new_socket()</function></link>.
+	    The rest of the connection handling then proceeds as in the client scenario.
+        </para>
+        <para>	    
+	    All three calls accept additional flags for fine-tuning connection behaviour.
+	    These flags are:
+	    <itemizedlist>	    
+              <listitem>
+                <para><constant>BRO_CFLAG_NONE</constant>: no functionality. Use when
+		  no flags are desired.
+		</para>
+              </listitem>
+              <listitem>
+                <para><constant>BRO_CFLAG_RECONNECT</constant>:
+		  When using this option, Broccoli will attempt to reconnect to the peer
+		  after lost connectivity transparently. Essentially whenever you try to
+		  read from or write to the peer and its connection broke down, a
+		  full reconnect including complete handshaking is attempted. You can check
+		  whether the connection to a peer is alive at any time using
+	    	  <link linkend="bro-conn-alive"><function>bro_conn_alive()</function></link>.
+		</para>
+	      </listitem> 
+              <listitem>
+                <para><constant>BRO_CFLAG_ALWAYS_QUEUE</constant>:
+		  When using this option, Broccoli will queue any events you send for
+		  later transmission when a connection is currently down. Without using this
+		  flag, any events you attempt to send while a connection is down get dropped
+		  on the floor. Note that Broccoli maintains a maximum queue size per connection
+		  so if you attempt to send lots of events while the connection is down, the
+		  oldest events may start to get dropped nonetheless. Again, you can check
+		  whether the connection is currently okay by using
+	    	  <link linkend="bro-conn-alive"><function>bro_conn_alive()</function></link>.
+		</para>
+	      </listitem> 		  
+              <listitem>
+                <para><constant>BRO_CFLAG_DONTCACHE</constant>:
+		  When using this option, Broccoli will ask the peer not to use caching on
+		  the objects it sends to us. This is the default, and the flag need not
+		  normally be used. It is kept to maintain backward compatibility.
+		</para>
+	      </listitem> 		  
+              <listitem>
+                <para><constant>BRO_CFLAG_CACHE</constant>:
+		  When using this option, Broccoli will ask the peer to use caching on
+		  the objects it sends to us. Caching is normally disabled.
+		</para>
+	      </listitem> 		  
+              <listitem>
+                <para><constant>BRO_CFLAG_YIELD</constant>: When
+                using this option,
+                <function>bro_conn_process_input()</function>
+                processes at most one event at a time and then
+                returns. 
+		</para>
+              </listitem>
+	    </itemizedlist>
+                
+        </para>
+	<para>
+	    By obtaining a connection handle, you do not also establish a connection right
+	    away. This is done using 
+	    <link linkend="bro-conn-connect"><function>bro_conn_connect()</function></link>.
+	    The main reason for this is to allow you to subscribe to events
+	    (using
+	    <link linkend="bro-event-registry-add"><function>bro_event_registry_add()</function></link>,
+	    see <link linkend="receiving-events">below</link>)
+	    before establishing the connection. Upon returning from 
+	    <link linkend="bro-conn-connect"><function>bro_conn_connect()</function></link>
+	    you are guaranteed to receive all instances of the event types you have
+	    requested, while later on during the connection some time may elapse between
+	    the issuing of a request for events and the processing of that request at the
+	    remote end.
+	    Connections are established via TCP, optionally using SSL encryption. See
+	    <link linkend="encryption">"Configuring encrypted communication"</link> below for more
+	    information on setting up enncryption.
+	    The port numbers Bro agents and Broccoli applications listen on can vary from peer
+	    to peer. 
+	</para>
+	<para>
+	    Finally, <link linkend="bro-conn-delete"><function>bro_conn_delete()</function></link>
+	    terminates a connection and releases all resources associated with it.
+	    You can create as many connections as you like, to one or more peers.
+	    You can obtain the file descriptor of a connection using
+	    <link linkend="bro-conn-get-fd"><function>bro_conn_get_fd()</function></link>.
+        </para>
+        <programlisting>
+<![CDATA[
+char host_str = "bro.yourorganization.com";
+int port      = 1234;
+struct hostent *host;
+BroConn *bc;
+
+if (! (host = gethostbyname(host_str)) ||
+    ! (host->h_addr_list[0])) {
+	/* Error handling -- could not resolve host */
+}
+
+/* In this example, we obtain a connection handle, then register event handlers,
+ * and finally connect to the remote Bro.
+ *
+ * First obtain a connection handle:
+ */
+if (! (bc = bro_conn_new((struct in_addr*) host->h_addr_list[0], htons(port), BRO_CFLAG_NONE))) {
+	/* Error handling  - could not get connection handle */
+}
+
+/* Register event handlers:
+ */
+bro_event_registry_add(bc, "foo", bro_foo_handler, NULL);
+/* ... */
+
+/* Now connect to the peer:
+ */
+if (! bro_conn_connect(bc)) {
+	/* Error handling - could not connect to remote Bro. */
+}
+
+/* Send and receive events ... */
+
+/* Disconnect from Bro and clean up connection */
+bro_conn_delete(bc);
+]]>
+        </programlisting>
+        <para>
+	    Or simply use the string-based version:
+	</para>
+        <programlisting>
+<![CDATA[
+char host_str = "bro.yourcompany.com:1234";
+BroConn *bc;
+
+/* In this example we don't request any events from the peer, but
+ * we ask it not to use the serialization cache.
+ *
+ * Again, first obtain a connection handle:
+ */
+if (! (bc = bro_conn_new_str(host_str, BRO_CFLAG_DONTCACHE))) {
+	/* Error handling  - could not get connection handle */
+}
+
+/* Now connect to the peer:
+ */
+if (! bro_conn_connect(bc)) {
+	/* Error handling - could not connect to remote Bro. */
+}
+
+/* ... */
+]]>
+        </programlisting>
+      </sect2>
+
+      <sect2>
+	<title>Connection classes</title>
+        <para>
+	    When you want to establish connections from multiple Broccoli applications
+	    with different purposes, the peer needs a means to understand what kind of
+	    application each connection belongs to. The real meaning of "kind of application"
+	    here is "sets of event types to request", because depending on the class of
+	    an application, the peer will likey want to receive different types of events.
+	</para>
+	<para>
+	    Broccoli lets you set the class of a connection using
+	    <link linkend="bro-conn-set-class"><function>bro_conn_set_class()</function></link>.
+	    When using this feature, you need to call that function before issuing a
+	    <link linkend="bro-conn-connect"><function>bro_conn_connect()</function></link>,
+	    since the class of a connection is determined at connection startup.
+	</para>
+        <programlisting>
+<![CDATA[
+if (! (bc = bro_conn_new_str(host_str, BRO_CFLAG_DONTCACHE))) {
+	/* Error handling  - could not get connection handle */
+}
+
+/* Set class of this connection: */
+bro_conn_set_class(bc, "syslog");
+
+if (! bro_conn_connect(bc)) {
+	/* Error handling - could not connect to remote Bro. */
+}
+]]>
+        </programlisting>
+	<para>
+	    If your peer is a Bro node, you need to match the chosen connection class in
+	    the remote Bro's <function>Remote::destinations</function> configuration.
+	    See <link linkend="bro-event-config">below</link> for how to do this.
+	    Finally, in order to obtain the class of a connection as indicated by the remote side, use
+	    <link linkend="bro-conn-get-peer-class"><function>bro_conn_get_peer_class()</function></link>.
+	</para>
+      </sect2> 
+
+      <sect2>
+	<title>Composing and sending events</title>
+        <para>
+	    In order to send an event to the remote Bro agent, you first create
+	    an empty event structure with the name of the event, then add parameters
+	    to pass to the event handler at the remote agent, and then send off the
+	    event.
+        </para>
+	<note>
+	  <para>
+            <emphasis>Bro peers ignore unrequested events.</emphasis>
+          </para>
+          <para>
+	    You need to make sure that the remote Bro agent is interested in receiving
+	    the events you send. This interest is expressed in policy configuration.
+	    We'll explain this in more detail <link linkend="bro-event-config">below</link>
+	    and for now assume that our remote peer is configured to receive the
+	    events we send.
+          </para>
+	</note>
+        <para>
+	    Let's assume we want to request a report of all connections a remote
+	    Bro currently keeps state for that match a given destination port and
+	    host name and that have amassed more than a certain number of bytes.
+	    The idea is to send an event to the remote Bro that contains the
+	    query, identifiable through a request ID, and have the remote Bro
+	    answer us with <function>remote_conn</function> events
+	    containing the information we asked for. The definition of our
+	    requesting event could look as follows in the Bro policy:
+        </para>
+        <programlisting>
+<![CDATA[
+event report_conns(req_id: int, dest_host: string, dest_port: port, min_size: count);
+]]>
+        </programlisting>
+        <para>
+            First, create a new event:
+        </para>
+        <programlisting>
+<![CDATA[
+BroEvent *ev;
+
+if (! (ev = bro_event_new("report_conns"))) {
+	/* Error handling - could not allocate new event. */
+}
+]]>
+        </programlisting>
+	<para>
+	    Now we need to add parameters to the event. The sequence and types must
+	    match the event handler declaration &mdash; check the Bro policy to make
+	    sure they match. The function to use for adding parameter values is
+	    <link linkend="bro-event-add-val"><function>bro_event_add_val()</function></link>
+	    All values are passed as <emphasis>pointer arguments</emphasis> and are copied internally,
+	    so the object you're pointing to stays unmodified at all times. You clean
+	    up what you allocate. In order to indicate the type of the value passed into the
+	    function, you need to pass a numerical type identifier along as well.
+            <link linkend="table-1">Table 1</link> lists the value types that Broccoli supports along with
+	    the type identifier and data structures to point to.
+	</para>
+<table frame="sides" id="table-1">
+<title>Types, type tags, and data structures for event parameters in Broccoli</title>
+<tgroup cols="3" align="left" colsep="1" rowsep="1">
+<thead>
+<row>
+  <entry align="center">Type</entry>
+  <entry align="center">Type tag</entry>
+  <entry align="center">Data type pointed to</entry>
+</row>
+</thead>
+<tbody>
+<row>
+  <entry>Boolean</entry>
+  <entry><constant>BRO_TYPE_BOOL</constant></entry>
+  <entry><function>int</function></entry>
+</row><row>
+  <entry>Integer value</entry>
+  <entry><constant>BRO_TYPE_INT</constant></entry>
+  <entry><function>int</function></entry>
+</row><row>
+  <entry>Counter (nonnegative integers)</entry>
+  <entry><constant>BRO_TYPE_COUNT</constant></entry>
+  <entry><function>uint32</function></entry>
+</row><row>
+  <entry>Enums (enumerated values)</entry>
+  <entry><constant>BRO_TYPE_ENUM</constant></entry>
+  <entry><function>int</function> (see also the description of
+         <link linkend="bro-event-add-val"><function>bro_event_add_val()</function></link>'s
+	 <function>type_name</function> argument below)</entry>
+</row><row>
+  <entry>Floating-point number</entry>
+  <entry><constant>BRO_TYPE_DOUBLE</constant></entry>
+  <entry><function>double</function></entry>
+</row><row>
+  <entry>Timestamp</entry>
+  <entry><constant>BRO_TYPE_TIME</constant></entry>
+  <entry><function>double</function> (see also
+         <link linkend="bro-util-timeval-to-double"><function>bro_util_timeval_to_double()</function></link> and
+	 <link linkend="bro-util-current-time"><function>bro_util_current_time()</function></link>)</entry>
+</row><row>
+  <entry>Time interval</entry>
+  <entry><constant>BRO_TYPE_INTERVAL</constant></entry>
+  <entry><function>double</function></entry>
+</row><row>
+  <entry>Strings (text and binary)</entry>
+  <entry><constant>BRO_TYPE_STRING</constant></entry>
+  <entry><function>BroString</function> (see also the family of <function>bro_string_xxx()</function> functions)</entry>
+</row><row>
+  <entry>Network ports</entry>
+  <entry><constant>BRO_TYPE_PORT</constant></entry>
+  <entry><function>BroPort</function>, with the port number in host byte order</entry>
+</row><row>
+  <entry>IPv4 address</entry>
+  <entry><constant>BRO_TYPE_IPADDR</constant></entry>
+  <entry><function>uint32</function>, in network byte order</entry>
+</row><row>
+  <entry>IPv4 network</entry>
+  <entry><constant>BRO_TYPE_NET</constant></entry>
+  <entry><function>uint32</function>, in network byte order</entry>
+</row><row>
+  <entry>IPv4 subnet</entry>
+  <entry><constant>BRO_TYPE_SUBNET</constant></entry>
+  <entry><function>BroSubnet</function>, with the sn_net member in network byte order</entry>
+</row><row>
+  <entry>Record</entry>
+  <entry><constant>BRO_TYPE_RECORD</constant></entry>
+  <entry><function>BroRecord</function> (see also the family of
+	 <function>bro_record_xxx()</function> functions and their
+	  explanation below)</entry>
+</row>
+<row>
+  <entry>Table</entry>
+  <entry><constant>BRO_TYPE_TABLE</constant></entry>
+  <entry><function>BroTable</function> (see also the family of
+	 <function>bro_table_xxx()</function> functions and their
+	  explanation below)</entry>
+</row>
+<row>
+  <entry>Record</entry>
+  <entry><constant>BRO_TYPE_SET</constant></entry>
+  <entry><function>BroSet</function> (see also the family of
+	 <function>bro_set_xxx()</function> functions and their
+	  explanation below)</entry>
+</row>
+</tbody>
+</tgroup>
+</table>
+	<para>
+	    Knowing these, we can now compose a 
+	   <function>request_connections</function> event:
+        </para>
+        <programlisting>
+<![CDATA[
+BroString dest_host;
+BroPort dest_port;
+uint32 min_size;
+int req_id = 0;
+
+bro_event_add_val(ev, BRO_TYPE_INT, NULL, &req_id);
+req_id++;
+
+bro_string_set(&dest_host, "desthost.destdomain.com");
+bro_event_add_val(ev, BRO_TYPE_STRING, NULL, &dest_host);
+bro_string_cleanup(&dest_host);
+
+dest_port.dst_port = 80;
+dest_port.dst_proto = IPPROTO_TCP;
+bro_event_add_val(ev, BRO_TYPE_PORT, NULL, &dest_port);
+
+min_size = 1000;
+bro_event_add_val(ev, BRO_TYPE_COUNT, NULL, &min_size);
+]]>
+        </programlisting>
+	<para>
+	    The third argument to
+	    <link linkend="bro-event-add-val"><function>bro_event_add_val()</function></link>
+	    lets you specify a specialization of the types listed in
+	    <link linkend="table-1">Table 1</link>. This is generally not necessary
+	    except for one situationn: When using <constant>BRO_TYPE_ENUM</constant>. You currently
+	    cannot define
+	    a Bro-level enum type in Broccoli, and thus when sending an enum value, you
+	    have to specify the type of the enum along with the value. For example, in order
+	    to add an instance of enum <function>transport_type</function> defined in
+	    Bro's <filename>bro.init</filename>, you would use
+	    <programlisting>
+<![CDATA[
+int transport_proto = 2;
+/* ... */
+bro_event_add_val(ev, BRO_TYPE_ENUM, "transport_proto", &transport_proto);
+]]>
+	    </programlisting>
+	    to get the equivalent of "udp" on the remote side. The same system is used
+	    to point out type names when calling
+	    <link linkend="bro-event-set-val"><function>bro_event_set_val()</function></link>,
+	    <link linkend="bro-record-add-val"><function>bro_record_add_val()</function></link>,
+	    <link linkend="bro-record-set-nth-val"><function>bro_record_set_nth_val()</function></link>, and
+	    <link linkend="bro-record-set-named-val"><function>bro_record_set_named_val()</function></link>.
+	</para>
+	<para>
+	    All that's left to do now is to send off the event. For this, use
+	    <link linkend="bro-event-send"><function>bro_event_send()</function></link>
+	    and pass it the connection handle and the event. The function returns
+	    <constant>TRUE</constant> when the event could be sent right away or if
+	    it was queued for later delivery. <constant>FALSE</constant> is returned
+	    on error. If the event get queued, this does not indicate an error &mdash;
+	    likely the connection was just not
+	    ready to send the event at this point. Whenever you call
+	    <link linkend="bro-event-send"><function>bro_event_send()</function></link>,
+            Broccoli attempts to send as much of an existing event queue as possible.
+	    Again, the event is copied internally to make it easier for you to
+	    send the same event repeatedly. You clean up what you allocate.
+	</para>
+        <programlisting>
+<![CDATA[
+bro_event_send(bc, ev);
+bro_event_free(ev);
+]]>
+        </programlisting>
+        <para>
+	    Two other functions may be useful to you:
+	    <link linkend="bro-event-queue-length"><function>bro_event_queue_length()</function></link>
+            tells you how many events are currently queued, and 
+	    <link linkend="bro-event-queue-flush"><function>bro_event_queue_flush()</function></link>
+	    attempts to flush the current event queue and returns the number of events that do remain
+	    in the queue after the flush. <emphasis>Note:</emphasis> you do not normally need
+	    to call this function, queue flushing is attempted every time you send an event.
+        </para>
+      </sect2>
+
+      <sect2>
+	<title id="receiving-events">Receiving events</title>
+        <para>
+	  Receiving events is a little more work because you need to
+        </para>
+        <orderedlist>	 
+	  <listitem>
+	    <para>tell Broccoli what to do when requested events arrive,</para>
+	  </listitem>
+	  <listitem>
+	    <para>let the remote Bro agent know that you would like to receive those events,</para>
+	  </listitem>
+	  <listitem>
+	    <para>find a spot in the code path suitable for extracting and processing arriving events.</para>
+	  </listitem>	 
+        </orderedlist>
+	<para>
+	  Each of these steps is explained in the following sections.
+	</para>
+
+	<sect3>
+	  <title>Implementing event callbacks</title>
+	  <para>
+            When Broccoli receives an event, it tries to dispatch the event to callbacks
+	    registered for that event type. The place where callbacks get registered is
+	    called the callback registry. Any callbacks registered for the arriving
+	    event's name are invoked with the parameters shipped with the event. There
+	    are two styles of argument passing to the event callbacks.
+	    Which one is better suited depends on your application.
+	    <itemizedlist>
+              <listitem>
+		<para><emphasis>Expanded argument passing.</emphasis> Each event argument
+		  is passed via a pointer to the callback. This makes best sense when you
+		  know the type of the event and of its arguments, because it provides you
+		  immediate access to arguments as when using a normal C function.
+		</para>
+		<para>
+	    	  In order to register a callback with expanded argument passing, use
+	  	  <link linkend="bro-event-registry-add"><function>bro_event_registry_add()</function></link>
+		  and pass it the connection handle, the name of the event for which you
+	          register the callback, the callback itself that matches the signature
+	          of the <filename>BroEventFunc</filename> type, and any user data (or
+	          <constant>NULL</constant>) you want to see passed to the callback on
+	          each invocation. The callback's type is defined rather generically as follows:
+	        </para>
+                <programlisting>
+<![CDATA[
+typedef void (*BroEventFunc) (BroConn *bc, void *user_data, ...);
+]]>
+                </programlisting>
+                <para>
+                  It requires a connection handle as its first argument
+	          and a pointer to user-provided callback data as the second argument.
+                  Broccoli will pass the connection handle of the connection on which the event
+                  arrived through to the callback. <function>BroEventFunc</function>s
+	          are variadic, because each callback you provide is directly invoked with
+	          pointers to the parameters of the event, in a format directly usable in C.
+	          All you need to know is what type to point to in order to receive the
+	          parameters in the right layout. Refer to <link linkend="table-1">Table 1</link>
+	          again for a summary of those types. Record types are more involved and are
+	          addressed in more detail <link linkend="records">below</link>.
+                </para>
+	        <note>
+	          <para>Note that <emphasis>all</emphasis> parameters are passed to the
+	            callback as pointers, even elementary types such as <constant>int</constant>s
+	            that would normally be passed directly.
+		    Also note that Broccoli manages the lifecycle of event parameters
+	            and therefore you do <emphasis>not</emphasis> have to clean them up inside
+	            the event handler. 
+                  </para>
+                </note>
+                <para>
+	          Continuing our example, we will want to process the connection reports
+	          that contain the responses to our <function>report_conns</function>
+	          event. Let's assume those look as follows:
+	        </para>
+                <programlisting>
+<![CDATA[
+event remote_conn(req_id: int, conn: connection);
+]]>
+                </programlisting>
+	        <para>
+                  The reply events contain the request ID so we can associate requests
+	          with replies, and a connection record (defined in <filename>bro.init</filename>
+	          in Bro. (It'd be nicer to report all replies in a single event but we'll
+	          ignore that for now.) For this event, our callback would look like this:
+	        </para>
+                <programlisting>
+<![CDATA[
+void remote_conn_cb(BroConn *bc, void *user_data, int *req_id, BroRecord *conn);
+]]>
+                </programlisting>
+	        <para>
+	          Once more, you clean up what you allocate, and since you never allocated the
+	      	  space these arguments point to, you also don't clean them up. Finally, we register
+	      	  the callback using
+	      	  <link linkend="bro-event-registry-add"><function>bro_event_registry_add()</function></link>:	    
+		</para>
+	        <programlisting>
+<![CDATA[
+bro_event_registry_add(bc, "remote_conn", remote_conn_cb, NULL);
+]]>
+	        </programlisting>
+		<para>
+		  In this case we have no additional data to be passed into the
+		  callback, so we use <constant>NULL</constant> for the last argument.
+		  If you have multiple events you are interested in, register
+		  each one in this fashion.
+		</para>
+	      </listitem>
+	      <listitem>
+		<para><emphasis>Compact argument passing.</emphasis> This is designed for
+		  situations when you have to determine how to handle different types of
+		  events at runtime, for example when writing language bindings or when
+		  implementing generic event handlers for multiple event types.
+		  The callback is passed a connection handle and the
+		  user data as above but is only passed one additional pointer, to a
+		  <type>BroEvMeta</type> structure. This structure contains all metadata
+		  about the event, including its name, timestamp (in UTC) of creation,
+		  number of arguments, the arguments'
+		  types (via type tags as listed in <link linkend="table-1">Table 1</link>),
+		  and the arguments themselves.
+		</para>
+		<para>
+	    	  In order to register a callback with compact argument passing, use
+	  	  <link linkend="bro-event-registry-add-compact"><function>bro_event_registry_add_compact()</function></link>
+		  and pass it similar arguments as you'd use with
+	  	  <link linkend="bro-event-registry-add"><function>bro_event_registry_add()</function></link>.
+		  The callback's type is defined as follows:
+	        </para>
+                <programlisting>
+<![CDATA[
+typedef void (*BroCompactEventFunc) (BroConn *bc, void *user_data, BroEvMeta *meta);
+]]>
+                </programlisting>
+	        <note>
+	          <para>As before, Broccoli manages the lifecycle of event parameters.
+	            You do not  have to clean up the <type>BroEvMeta</type>
+		    structure or any of its contents.
+                  </para>
+                </note>
+                <para>
+		  Below is sample code for extracting the arguments form the <type>BroEvMeta</type>
+		  structure, using our running example. This is still written with the assumption
+		  that we know the types of the arguments, but note that this is not a requirement
+		  for this style of callback.
+	        </para>
+                <programlisting>
+<![CDATA[
+void remote_conn_cb(BroConn *bc, void *user_data, BroEvMeta *meta)
+{
+	int *req_id;
+	BroRecord *rec;
+
+	/* For demonstration, print out the event's name: */
+
+	printf("Handling a %s event.\n", meta->ev_name);
+
+	/* Sanity-check the number of arguments: */
+
+	if (meta->ev_numargs != 2)
+		{ /* error */ }
+
+	/* Sanity-check the argument types: */
+
+	if (meta->ev_args[0].arg_type != BRO_TYPE_INT)
+		{ /* error */ }
+
+	if (meta->ev_args[1].arg_type != BRO_TYPE_RECORD)
+		{ /* error */ }
+
+	req_id = (int *) meta->ev_args[0].arg_data;
+	rec = (BroRecord *) meta->ev_args[1].arg_data;
+
+	/* ... */
+}
+]]>
+                </programlisting>
+	        <para>
+		  Finally, register the callback using
+	      	  <link linkend="bro-event-registry-add-compact"><function>bro_event_registry_add_compact()</function></link>:	    
+		</para>
+	        <programlisting>
+<![CDATA[
+bro_event_registry_add_compact(bc, "remote_conn", remote_conn_cb, NULL);
+]]>
+	        </programlisting>
+	      </listitem>
+	    </itemizedlist>
+	  </para>
+	</sect3>
+
+	<sect3>
+	  <title id="event-request">Requesting event delivery</title>
+          <para>
+	    At this point, Broccoli knows what to do with the requested events upon
+	    arrival.  What's left to do is to let the remote Bro know that you
+	    would like to receive the events for which you registered. If you haven't
+	    yet called <link linkend="bro-conn-connect"><function>bro_conn_connect()</function></link>,
+	    then there is nothing to do, since that function will request the registered
+	    events anyway. Once connected, you can still request events. To do so, call
+	    <link linkend="bro-event-registry-request"><function>bro_event_registry_request()</function></link>:
+	  </para>
+          <programlisting>
+<![CDATA[
+bro_event_registry_request(bc);
+]]>
+          </programlisting>
+          <para>
+	    This mechanism also implies that no unrequested events will be delivered
+	    to us (and if that happened for whatever reason, the event would simply
+	    be dropped on the floor).
+	  </para>
+	  <note>
+	    <para><emphasis>Note that at the moment you cannot unrequest events, nor
+		can you request events based on predicates on the values of the
+		events' arguments.</emphasis></para>
+          </note>
+	</sect3>
+
+	<sect3>
+	  <title>Reading events from the connection handle</title>
+	  <para>
+	    At this point the remote Bro will start sending you the requested events
+	    once they are triggered. What is left to do is to read the arriving events
+	    from the connection and trigger dispatching them to the registered callbacks.
+	  </para>
+	  <para>
+	    If you are writing a new Bro-enabled application, this is easy, and you can
+	    choose among two approaches: polling explicitly via Broccoli's API, or using
+	    <function>select()</function> on the file handle associated with a <type>BroConn</type>.
+	    The former case is particularly straightforward; all you need to do is
+	    call 
+	    <link linkend="bro-conn-process-input"><function>bro_conn_process_input()</function></link>,
+	    which will go off and check if any events have arrived and if so, dispatch
+	    them accordingly. This function does not block &mdash; if no events have
+	    arrived, then the call will return immediately. For more fine-grained control
+	    over your I/O handling, you will probably want to use
+	    <link linkend="bro-conn-get-fd"><function>bro_conn_get_fd()</function></link>
+	    to obtain the file descriptor of your connection and then incorporate that
+	    in your standard <function>FD_SET</function>/<function>select()</function>
+	    code. Once you have determined that data in fact are ready to be read from
+	    the obtained file descriptor, you can then try another
+	    <link linkend="bro-conn-process-input"><function>bro_conn_process_input()</function></link>,
+	    this time knowing that it'll find something to dispatch.
+	  </para>
+	  <para>
+	    As a side note, if you don't process arriving events frequently enough,
+	    then TCP's flow control will start to slow down the sender until eventually
+	    events will queue up and be dropped at the sending end.
+	  </para>
+	</sect3>
+      </sect2>
+
+      <sect2>
+	<title id="records">Handling records</title>
+        <para>
+	  Broccoli supports record structures, i.e., types that pack a set of values
+	  together, placing each value into its own field. In Broccoli, the way you handle
+	  records is somewhat similar to events:
+	  after creating an empty record (of opaque type <type>BroRecord</type>, you can
+	  iteratively add fields and values to it. The main difference is that you must specify a
+	  field name with the value; each value in a record can be identified both by position
+	  (a numerical index starting from zero), and by field name. You can retrieve vals
+	  in a record by field index or field name. You can also reassign values.
+	  There is no explicit, IDL-style definition of record types. You define the type of
+	  a record implicitly by the sequence of field names and the sequence of the types
+	  of the values you put into the record.
+	</para>
+	<para>
+	  Note that all fields in a record must be assigned before it can be shipped.
+	</para>
+	<para>
+	  The API for record composition consists of
+	  <link linkend="bro-record-new"><function>bro_record_new()</function></link>,
+	  <link linkend="bro-record-free"><function>bro_record_free()</function></link>,
+	  <link linkend="bro-record-add-val"><function>bro_record_add_val()</function></link>,
+	  <link linkend="bro-record-set-nth-val"><function>bro_record_set_nth_val()</function></link>, and
+	  <link linkend="bro-record-set-named-val"><function>bro_record_set_named_val()</function></link>.
+	</para>
+	<para>
+	  On records that use field names, the names of individual fields can be extracted using
+	  <link linkend="bro-record-get-nth-name"><function>bro_record_get_nth_name()</function></link>.
+	  Extracting values from a record is done using
+	  <link linkend="bro-record-get-nth-val"><function>bro_record_get_nth_val()</function></link> and
+	  <link linkend="bro-record-get-named-val"><function>bro_record_get_named_val()</function></link>.
+	  The former allows numerical indexing of the fields in the record, the latter provides
+	  name-based lookups. Both need to be passed the record you want to extract a value from,
+	  the index or name of the field, and either a pointer to an <type>int</type> holding a
+	  <type>BRO_TYPE_xxx</type> value (see again <link linkend="table-1">Table 1</link> for a
+	  summary of those types) or <constant>NULL</constant>. The pointer, if not
+	  <constant>NULL</constant>, serves two purposes: type checking and type retrieval.
+	  Type checking is performed if the value of the <type>int</type> upon calling the
+	  functions is not <type>BRO_TYPE_UNKNOWN</type>. The type tag of the requested record
+	  field then has to match the type tag stored in the <type>int</type>, otherwise
+          <constant>NULL</constant> is returned. If the <type>int</type> stores <type>BRO_TYPE_UNKNOWN</type>
+          upon calling, no type-checking is performed. In <emphasis>both</emphasis> cases,
+	  the <emphasis>actual</emphasis> type of the
+	  requested record field is returned in the <type>int</type> pointed to upon
+	  return from the function. Since you have no guarantees of the type of the value
+	  upon return if you pass <constant>NULL</constant> as the <type>int</type> pointer,
+	  this is a bad idea and either <type>BRO_TYPE_UNKNOWN</type> or another type value
+	  should always be used.
+        </para>
+        <para>
+	  For example, you could extract the value of the record field "label", which
+	  we assume should be a string, in the following ways:
+	</para>
+        <programlisting>
+<![CDATA[
+BroRecord *rec = /* obtained somehow */
+BroString *string;
+int type;
+
+/* --- Example 1 --- */
+
+type = BRO_TYPE_STRING; /* Use type-checking, will not accept other type */
+
+if (! (string = bro_record_get_named_val(rec, "label", &type))) {
+	/* Error handling, either there's no field of that value,
+	 * or the value is not of BRO_TYPE_STRING. The actual
+	 * type is now stored in "type".
+	 */
+}
+
+/* --- Example 2 --- */
+
+type = BRO_TYPE_UNKNOWN; /* No type checking, just report the existant type */
+
+if (! (string = bro_record_get_named_val(rec, "label", &type))) {
+	/* Error handling, no field of that name exists. */
+}
+
+printf("The type of the value in field 'label' is %i\n", type);
+
+/* --- Example 3 --- */
+
+if (! (string = bro_record_get_named_val(rec, "label", NULL))) {
+	/* Error handling, no field of that name exists. */
+}
+
+/* We now have a value, but we can't really be sure of its type */
+
+]]>
+        </programlisting>	
+	<para>
+	  Record fields can be records, for example in the case of Bro's standard
+	  connection record type. In this case, in order to get to a nested record, you
+	  use <constant>BRO_TYPE_RECORD</constant>:
+	</para>
+        <programlisting>
+<![CDATA[
+void remote_conn_cb(BroConn *bc, int *req_id, BroRecord *conn) {
+	BroRecord *conn_id;
+	int type = BRO_TYPE_RECORD;
+	if (! (conn_id = bro_record_get_named_val(conn, "id", &type))) {
+		/* Error handling */
+	}
+}
+]]>
+        </programlisting>	
+      </sect2>
+
+      <sect2>
+	<title id="tables">Handling tables</title>
+        <para>
+	  Broccoli supports Bro-style tables, i.e., associative containers that map
+	  instances of a key type to an instance of a value type. A given key
+	  can only ever point to a single value. The key type can be
+	  <emphasis>composite</emphasis>, i.e., it may consist of an ordered
+	  sequence ofdifferent types, or it can be <emphasis>direct</emphasis>,
+	  i.e., consisting of a single type (such as an integer, a string, or
+	  a record).
+        </para>
+	<para>
+	  The API for table manipulation consists of
+	  <link linkend="bro-table-new"><function>bro_table_new()</function></link>,
+	  <link linkend="bro-table-free"><function>bro_table_free()</function></link>,
+	  <link linkend="bro-table-insert"><function>bro_table_insert()</function></link>,
+	  <link linkend="bro-table-find"><function>bro_table_find()</function></link>,
+	  <link linkend="bro-table-get-size"><function>bro_table_get_size()</function></link>,
+	  <link linkend="bro-table-get-types"><function>bro_table_get_types()</function></link>,
+	  and
+	  <link linkend="bro-table-foreach"><function>bro_table_foreach()</function></link>.
+        </para>
+	<para>
+	  Tables are handled similarly to records in that typing is determined
+	  dynamically by the initial key/value pair inserted. The resulting types
+	  can be obtained via 	
+	  <link linkend="bro-table-get-types"><function>bro_table_get_types()</function></link>.
+	  Should the types not have been determined yet, <constant>BRO_TYPE_UNKNOWN</constant>
+	  will result. Also, as with records,
+	  values inserted into the table are copied internally, and the ones passed
+	  to the insertion functions remain unaffected.
+        </para>
+	<para>
+	  In contrast to records, table entries can be iterated. By passing a function
+	  of signature 
+	  <link linkend="brotablecallback"><function>BroTableCallback()</function></link>
+	  and a pointer to data of your choosing,
+	  <link linkend="bro-table-foreach"><function>bro_table_foreach()</function></link>
+	  will invoke the given function for each key/value pair stored in the table.
+	  Return <constant>TRUE</constant> to keep the iteration going, or <constant>FALSE</constant>
+	  to stop it.
+        </para>
+	<caution><para>
+	  The main thing to know about Broccoli's tables is how to use composite key
+	  types. To avoid additional API calls, you may treat composite key types
+	  exactly as records, though you do not need to use field names when assigning
+	  elements to individual fields. So in order to insert a key/value pair, you
+	  create a record with the needed items assigned to its slots, and use this
+	  record as the key object. In order to differentiate composite index types
+	  from direct ones consisting of a single record, use <constant>BRO_TYPE_LIST</constant>
+	  as the type of the record, as opposed to <constant>BRO_TYPE_RECORD</constant>.
+	  Broccoli will then know to interpret the record
+	  as an ordered sequence of items making up a composite element, not a regular
+	  record.
+        </para></caution>
+	<para>
+	  <filename>brotable.c</filename> in the test subdirectory of the Broccoli tree
+	  contains an extensive example of using tables with composite as well as direct
+	  indexing types.
+        </para>
+      </sect2>
+
+      <sect2>
+	<title id="sets">Handling sets</title>
+        <para>
+	  Sets are essentially tables with void value types.
+	  The API for set manipulation consists of
+	  <link linkend="bro-set-new"><function>bro_set_new()</function></link>,
+	  <link linkend="bro-set-free"><function>bro_set_free()</function></link>,
+	  <link linkend="bro-set-insert"><function>bro_set_insert()</function></link>,
+	  <link linkend="bro-set-find"><function>bro_set_find()</function></link>,
+	  <link linkend="bro-set-get-size"><function>bro_set_get_size()</function></link>,
+	  <link linkend="bro-set-get-type"><function>bro_set_get_type()</function></link>,
+	  and
+	  <link linkend="bro-set-foreach"><function>bro_set_foreach()</function></link>.
+        </para>
+      </sect2>
+
+      <sect2>
+	<title>Associating data with connections</title>
+        <para>
+	    You will often find that you would like to connect data with
+	    a <filename>BroConn</filename>. Broccoli provides an API that
+	    lets you associate data items with a connection handle through
+	    a string-based key&ndash;value registry. The functions of interest
+	    are
+	    <link linkend="bro-conn-data-set"><function>bro_conn_data_set()</function></link>,
+	    <link linkend="bro-conn-data-get"><function>bro_conn_data_get()</function></link>, and
+	    <link linkend="bro-conn-data-del"><function>bro_conn_data_del()</function></link>.
+	    You need to provide a string identifier for a data item and can then use
+	    that string to register, look up, and remove the associated data item.
+	    Note that there is currently no mechanism to trigger a destructor
+	    function for registered data items when the Bro connection is terminated.
+	    You therefore need to make sure that all data items that you do
+	    not have pointers to via some other means are properly released before
+	    calling 
+	    <link linkend="bro-disconnect"><function>bro_disconnect()</function></link>.
+        </para>
+      </sect2>
+
+      <sect2>
+	<title id="config-files">Configuration files</title>
+        <para>	  
+	    Imagine you have instrumented the mother of all server applications.
+	    Building it takes forever, and every now and then you need to change
+	    some of the parameters that your Broccoli code uses, such as the host names
+	    of the Bro agents to talk to.
+	    To allow you to do this quickly, Broccoli comes with support for
+	    configuration files. All you need to do is change the settings in the
+	    file and restart the application (we're considering adding support
+	    for volatile configuration items that are read from the file every
+	    time they are requested).	  
+        </para>
+        <para>
+	    A configuration is read from a single configuration file.
+	    This file can be read from two different locations:
+	    <itemizedlist>
+              <listitem>
+                <para>The system-wide configuration file. You can obtain the location
+	          of this config file by running <filename>broccoli-config --config</filename>.
+		</para>
+              </listitem>
+              <listitem>
+                <para>Alternatively, a per-user configuration file stored in <filename>~/.broccoli.conf</filename>
+		  can be used.
+		</para>
+              </listitem>
+            </itemizedlist>
+            If a user has a configuration file in <filename>~/.broccoli.conf</filename>,
+	    it is used exclusively, otherwise the global one is used.
+         </para>
+         <caution>
+	  <para><emphasis><filename>~/.broccoli.conf</filename> will only be used if
+	    it is a regular file, not executable, and neither group nor others have
+	    any permissions on the file. That is, the file's permissions must look
+	    like <function>-rw-------</function> or <function>-r--------</function>.
+	    </emphasis></para>
+         </caution>
+         <para>
+	    In the configuration file, a "#" anywhere starts a comment that runs
+	    to the end of the line. Configuration items are specified as key-value
+	    pairs:
+        </para>
+        <programlisting>
+<![CDATA[
+# This is the Broccoli system-wide configuration file.
+#
+# Entries are of the form <identifier> <value>, where the identifier
+# is a sequence of letters, and value can be a string (including
+# whitespace), and floating point or integer numbers. Comments start
+# with a "#" and go to the end of the line. For boolean values, you
+# may also use "yes", "on", "true", "no", "off", or "false".
+# Strings may contain whitespace, but need to be surrounded by
+# double quotes '"'.
+#
+# Examples:
+#
+Foo/PeerName          mybro.securesite.com
+Foo/PortNum           123
+Bar/SomeFloat         1.23443543
+Bar/SomeLongStr       "Hello World"
+]]>
+        </programlisting>
+        <para>
+            You can also have multiple sections in your configuration. Your application can
+	    select a section as the current one, and queries for configuration settings will
+	    then only be answered with values specified in that section. A section is started
+	    by putting its name (no whitespace please) between square brackets. Configuration
+	    items positioned before the first section title are in the default domain and
+	    will be used by default.
+        </para>
+        <programlisting>
+<![CDATA[
+# This section contains all settings for myapp.
+[ myapp ]
+]]>
+        </programlisting>
+        <para>
+	    You can name identifiers any way you like, but to keep things
+	    organized it is recommended to keep a namespace hierarchy similar
+	    to the file system. In the code, you can query configuration
+	    items using
+	    <link linkend="bro-conf-get-str"><function>bro_conf_get_str()</function></link>,
+            <link linkend="bro-conf-get-int"><function>bro_conf_get_int()</function></link>, and
+            <link linkend="bro-conf-get-dbl"><function>bro_conf_get_dbl()</function></link>.
+	    You can switch between sections using 
+            <link linkend="bro-conf-set-domain"><function>bro_conf_set_domain()</function></link>.
+        </para>
+      </sect2>      
+
+      <sect2>
+	<title id="buffers">Using dynamic buffers</title>
+        <para>
+	    Broccoli provides an API for dynamically allocatable, growable, shrinkable,
+	    and consumable buffers with <function>BroBuf</function>s. You may or may
+	    not find this useful &mdash; Broccoli mainly provides this feature in
+	    <filename>broccoli.h</filename> because these buffers are used internally
+	    anyway and because they are typical case of something that people implement
+	    themselves over and over again, for example to collect a set of data before
+	    sending it through a file descriptor, etc.
+        </para>
+        <para>
+	    The buffers work as follows. The structure implementing a buffer is
+	    called BroBuf. BroBufs are initialized to a default size when created via
+	    <link linkend="bro-buf-new"><function>bro_buf_new()</function></link>,
+	    and released using 
+	    <link linkend="bro-buf-free"><function>bro_buf_free()</function></link>.
+            Each BroBuf has a content
+	    pointer that points to an arbitrary location between the start of the
+            buffer and the first byte after the last byte currently
+            used in the buffer (see buf_off in the illustration below). The content
+	    pointer can seek to arbitrary locations, and data can be copied from and
+	    into the buffer, adjusting the content pointer accordingly.
+	    You can repeatedly append data to end of the buffer's used contents using
+	    <link linkend="bro-buf-append"><function>bro_buf_append()</function></link>.	    
+        </para>
+        <programlisting>
+<![CDATA[
+
+   <---------------- allocated buffer space ------------>
+   <======== used buffer space ========>
+   ^              ^                    ^               ^                 
+   |              |                    |               |
+   `buf           `buf_ptr             `buf_off        `buf_len
+]]>
+        </programlisting>
+        <para>
+	    Have a look at the following functions for the details:
+	    <link linkend="bro-buf-new"><function>bro_buf_new()</function></link>,
+	    <link linkend="bro-buf-free"><function>bro_buf_free()</function></link>,
+	    <link linkend="bro-buf-append"><function>bro_buf_append()</function></link>,
+	    <link linkend="bro-buf-consume"><function>bro_buf_consume()</function></link>,
+	    <link linkend="bro-buf-reset"><function>bro_buf_reset()</function></link>,
+	    <link linkend="bro-buf-get"><function>bro_buf_get()</function></link>,
+	    <link linkend="bro-buf-get-end"><function>bro_buf_get_end()</function></link>,
+	    <link linkend="bro-buf-get-size"><function>bro_buf_get_size()</function></link>,
+	    <link linkend="bro-buf-get-used-size"><function>bro_buf_get_used_size()</function></link>,
+	    <link linkend="bro-buf-ptr-get"><function>bro_buf_ptr_get()</function></link>,
+	    <link linkend="bro-buf-ptr-tell"><function>bro_buf_ptr_tell()</function></link>,
+	    <link linkend="bro-buf-ptr-seek"><function>bro_buf_ptr_seek()</function></link>,
+	    <link linkend="bro-buf-ptr-check"><function>bro_buf_ptr_check()</function></link>, and
+	    <link linkend="bro-buf-ptr-read"><function>bro_buf_ptr_read()</function></link>.
+        </para>
+      </sect2>
+    </sect1>
+
+    <sect1>
+      <title id="encryption">Configuring encrypted communication</title>
+      <para>
+	Encrypted communication between Bro peers takes place over an SSL connection in
+	which both endpoints of the connection are authenticated. This requires at least
+	some PKI in the form of a certificate authority (CA) which you use to issue and sign
+	certificates for your Bro peers. To facilitate the SSL setup, each peer requires
+	three documents: a certificate signed by the CA and containing the public key, the
+	corresponding private key, and a copy of the CA's certificate.
+      </para>
+      <para>
+        The OpenSSL command line tool <command>openssl</command> can be used to create all
+	files neccessary, but its unstructured arguments and poor documentation make it
+	a pain to use and waste lots of people a lot of time<footnote><para>In other
+	documents and books on OpenSSL you will find this expressed more politely, using
+	terms such as "daunting to the uninitiated", "challenging", "complex", "intimidating".
+	</para></footnote>. Therefore, the Bro distribution comes with two scripts,
+	<command>ca-create</command> and <command>ca-issue</command>. You use the former
+	once to set up your CA, and the latter to create a certificate for each of the Bro
+	peers in your infrastructure.
+	<itemizedlist>	 
+	  <listitem>
+	    <para><command>ca-create</command> lets you choose a directory in which the
+	      CA maintains its files. If you set <varname>BRO_CA_DIR</varname> in your
+	      environment, it will be used for this purpose. After entering a passphrase
+	      for the private key of your CA, you can find the self-signed certificate
+	      of your CA in <filename>$BRO_CA_DIR/ca_cert.pem</filename>.
+	    </para>
+	  </listitem>
+	  <listitem>
+	    <para><command>ca-issue</command> first requires the directory of the CA,
+	      offering <filename>$BRO_CA_DIR</filename> if that is found. It asks you for
+	      a prefix for the certificate to be generated, for the passphrase of the
+	      private key of the CA so the new certificate can be signed, for the
+	      passphrase for the new private key, and for a few parameters that make up
+	      the "distinguished name" of the certificate. This name (i.e., the combination
+	      of all the fields you enter a value for) must be unique among all your Bro
+	      peers. Once that is done, you find a new certificate named
+	      <filename>&lt;prefix&gt;.pem</filename> in your current
+	      directory. This file actually consists of two of the three cryptographic
+	      documents mentioned above, namely the new certificate and the private key.
+              We refer to it as "certificate" for simplicity.
+	    </para>
+	  </listitem>
+	</itemizedlist>
+	In order to enable encrypted communication for your Broccoli application, you
+	need to put the CA certificate and the peer certificate in the
+	<varname>/broccoli/ca_cert</varname> and 
+	<varname>/broccoli/host_cert</varname> keys, respectively, in the configuration file.
+	To quickly enable/disable a certificate configuration, the
+	<varname>/broccoli/use_ssl</varname> key can be used.
+	<caution>
+          <para><emphasis>This is where you configure whether to use encrypted or unencrypted
+	    connections.</emphasis></para>
+          <para>If the <varname>/broccoli/use_ssl</varname> key is present and set to one of
+		"yes", "true", "on", or 1, then SSL will be used and an incorrect or
+		missing certificate configuration will cause connection attempts to fail.
+		If the key's value is one of "no", "false", "off", or 0, then in no case
+		will SSL be used and connections will always be cleartext.
+	  </para>
+          <para>If the <varname>/broccoli/use_ssl</varname> key is <emphasis>not</emphasis>
+		present, then SSL will be used if a certificate configuration is
+		found, and invalid certificates will cause the connection to fail.
+		If no certificates are configured, cleartext connections will be used.
+	  </para>
+	  <para>In no case does an SSL-enabled setup ever fall back to a cleartext one.</para>
+        </caution>
+      </para>
+      <programlisting>
+<![CDATA[
+/broccoli/use_ssl	   yes
+/broccoli/ca_cert          <path>/ca_cert.pem
+/broccoli/host_cert        <path>/bro_cert.pem
+]]>
+      </programlisting>
+      <para>
+        In a Bro policy, you need to load the <filename>listen-ssl.bro</filename> policy and
+	redef <varname>ssl_ca_certificate</varname> and <varname>ssl_private_key</varname>,
+	defined in <filename>bro.init</filename>:
+      </para>
+      <programlisting>
+<![CDATA[
+@load listen-ssl
+
+redef ssl_ca_certificate   = "<path>/ca_cert.pem";
+redef ssl_private_key      = "<path>/bro.pem";
+]]>
+      </programlisting>
+      <para>
+	By default, you will be prompted for the passphrase for the private key matching
+	the public key in your agent's certificate. Depending on your application's user
+	interface and deployment, this may be inappropriate. You can store the passphrase
+	in the config file as well, using the following identifier:
+      </para>
+      <programlisting>
+<![CDATA[
+/broccoli/host_pass        foobar
+]]>
+      </programlisting>
+      <caution>
+        <para><emphasis>Make sure that access to your configuration is restricted.</emphasis></para>
+        <para>
+	  If you provide the passphrase this way, it is obviously essential to have
+	  restrictive permissions on the configuration file. Broccoli partially enforces
+	  this. Please refer to the section on
+	  <link linkend="config-files">configuration files</link> for details.
+        </para>
+      </caution>
+    </sect1>
+
+    <sect1>
+      <title id="bro-event-config">Configuring event reception in Bro policies</title>
+      <para>
+	Before a remote Bro will accept your connection and your events, it needs to have its
+	policy configured accordingly:	  
+	<orderedlist>	 
+	  <listitem>
+	    <para>Load either <filename>listen-ssl</filename> or <filename>listen-clear</filename>,
+	      depending on whether you want to have encrypted or cleartext communication. Obviously,
+	      encrypting the event exchange is recommended and cleartext should only be used for
+	      early experimental setups. See below for details on how to set up encrypted
+	      communication via SSL.
+	    </para>
+	  </listitem>
+	  <listitem>
+	    <para>
+	      You need to find a port to use for the Bros and Broccoli applications that will
+	      listen for connections. Every such agent can use a different port, though default
+	      ports are provided in the Bro policies.
+	      To change the port the Bro agent will be listening on from its default
+	      redefine the <varname>listen_port_ssl</varname> or
+	      <varname>listen_port_clear</varname> variables from <filename>listen-clear.bro</filename>
+	      or <filename>listen-ssl.bro</filename>, respectively. Have a look at these policies as well
+	      as <filename>remote.bro</filename> for the default values. Here is the policy
+	      for the unencrypted case:
+	    </para>
+	    <programlisting>
+<![CDATA[
+@load listen-clear
+
+redef listen_port_clear = 12345/tcp;
+]]>
+            </programlisting>
+	    <para>
+	      Including the settings for the cryptographic files introduced in the previous section, 
+	      here is the encrypted one:
+	    </para>
+	    <programlisting>
+<![CDATA[
+@load listen-ssl
+
+redef listen_port_ssl = 12345/tcp;
+redef ssl_ca_certificate   = "<path>/ca_cert.pem";
+redef ssl_private_key      = "<path>/bro.pem";
+]]>
+            </programlisting>
+	  </listitem>
+	  <listitem>
+	    <para>
+	      The policy controlling which peers a Bro agent will communicate with and how this
+	      communication will happen are defined in the <varname>destinations</varname> table
+	      defined in <filename>remote.bro</filename>. This table contains entries of type
+	      <type>Destination</type>, whose members mostly provide default values so you do not
+	      need to define everything. You need to come up with a tag for the connection
+	      under which it can be found in the table (a creative one would be "broccoli"),
+	      the IP address of the peer, the pattern of names of the events the Bro will accept
+	      from you, whether you want Bro to connect to your
+	      machine on startup or not, if so, a port to connect to (defaults are
+	      <varname>default_port_ssl</varname> and <varname>default_port_clear</varname>, also
+	      defined in <filename>remote.bro</filename>), a retry timeout, whether to use SSL,
+	      and the class of a connection as set on the Broccoli side via
+	    <link linkend="bro-conn-set-class"><function>bro_conn_set_class()</function></link>.
+	    </para>
+	    <para>
+	      An example could look as follows:
+	    </para>
+	    <programlisting>
+<![CDATA[
+
+redef Remote::destinations += {
+	["broping"] = [$host = 127.0.0.1, $class="broping", $events = /ping/, $connect=F, $ssl=F]
+};
+]]>
+            </programlisting>
+	    <para>
+	      This example is taken from <filename>broping.bro</filename>, the policy the
+	      remote Bro must run when you want to use the <command>broping</command> tool
+	      explained in the <link linkend="testing">section on testing</link> below.
+	      It will allow an agent on the local host to connect and send "ping" events.
+	      Our Bro will not attempt to connect, and incoming connections will be expected
+	      in cleartext.
+	    </para>
+	  </listitem>
+	</orderedlist>
+      </para>
+    </sect1>
+
+    <sect1>
+      <title id="broccoli-debugging">Configuring debugging output</title>
+      <para>
+	  If your Broccoli installation was configured with <command>--enable-debug</command>,
+	  Broccoli will report two kinds of debugging information: (<emphasis>i</emphasis>)
+	  function call traces and
+	  (<emphasis>ii</emphasis>) individual debugging messages. Both are enabled by default, but can be adjusted
+	  in two ways.
+	  <itemizedlist>	 
+	    <listitem>
+	      <para>In the configuration file: in the appropriate section of the configuration
+	        file, you can set the keys <function>/broccoli/debug_messages</function> and
+		<function>/broccoli/debug_calltrace</function> to <function>on</function>/<function>off</function>
+		to enable/disable the corresponding output.
+	      </para>
+            </listitem>
+	    <listitem>
+	      <para>In code: you can set the variables 
+	      	<link linkend="bro-debug-calltrace"><function>bro_debug_calltrace</function></link> and
+	        <link linkend="bro-debug-messages"><function>bro_debug_messages</function></link>
+	        to 1/0 at any time to enable/disable the corresponding output.
+	      </para>
+            </listitem>
+	  </itemizedlist>	 
+      </para>
+      <para>
+	  By default, debugging output is inactive (even with debuggin support compiled in).
+	  You need to enable it explicitly either in your code by assigning 1 to 
+	  <link linkend="bro-debug-calltrace"><function>bro_debug_calltrace</function></link> and
+	  <link linkend="bro-debug-messages"><function>bro_debug_messages</function></link>,
+	  or by enabling it in the configuration file.
+      </para>
+    </sect1>
+
+    <sect1>
+      <title id="testing">Test programs</title>
+      <para>
+	  The Broccoli distribution comes with a few small test programs,
+	  located in the <filename>test/</filename> directory of the tree.
+	  The most notable one is &bp;
+	  <footnote><para>Pronunciation is said to be somewhere on the continuum between
+	  "brooping" and "burping".</para></footnote>, a mini-version of ping.
+	  It sends "ping" events to a remote Bro agent, expecting "pong" events
+	  in return. It operates in two flavours: one uses atomic types for sending
+	  information across, and the other one uses records. The Bro agent you want
+	  to ping needs to run either the <filename>broping.bro</filename> or
+	  <filename>broping-record.bro</filename> policies. You can find these
+	  in the <filename>test/</filename> directory of the source tree, and
+	  in <filename>&lt;prefix&gt/share/broccoli</filename> in the installed
+	  version. <filename>broping.bro</filename> is shown below. By default,
+	  pinging a Bro on the same machine is configured. If you want your Bro
+	  to be pinged from another machine, you need to update the
+	  <varname>destinations</varname> variable accordingly.
+      </para>
+      <programlisting>
+<![CDATA[
+@load listen-clear;
+
+global ping_log = open_log_file("ping");
+
+redef Remote::destinations += {
+	["broping"] = [$host = 127.0.0.1, $events = /ping/, $connect=F, $retry = 60 secs, $ssl=F]
+};
+
+event ping(src_time: time, seq: count)
+{
+        event pong(src_time, current_time(), seq);
+}
+
+event pong(src_time: time, dst_time: time, seq: count)
+{
+        print ping_log, fmt("ping received, seq %d, %f at src, %f at dest, one-way: %f",
+                            seq, src_time, dst_time, dst_time-src_time);
+}
+]]>
+      </programlisting>
+      <para>
+        &bp; sends ping events to Bro. Bro accepts those because they are configured
+	accordingly in the destinations table. As shown in the policy, ping events
+	trigger pong events, and &bc; requests delivery of all pong events back to it.
+	When running &bp;, you'll see something like this:
+      </para>
+      <programlisting>
+<![CDATA[
+cpk25@localhost:/home/cpk25/devel/broccoli > ./test/broping
+pong event from 127.0.0.1: seq=1, time=0.004700/1.010303 s
+pong event from 127.0.0.1: seq=2, time=0.053777/1.010266 s
+pong event from 127.0.0.1: seq=3, time=0.006435/1.010284 s
+pong event from 127.0.0.1: seq=4, time=0.020278/1.010319 s
+pong event from 127.0.0.1: seq=5, time=0.004563/1.010187 s
+pong event from 127.0.0.1: seq=6, time=0.005685/1.010393 s
+]]>
+      </programlisting>
+    </sect1>      
+  </chapter>
+  
+  <chapter id="api">
+    <title id="api.title">Broccoli API Reference</title>
+    &bc-header;
+  </chapter>
+
+  <appendix>
+    <title>Appendix</title>
+    <sect1 id="license">
+      <title id="license.title">License</title>
+      <para>
+	Copyright (C) 2004-2008 Christian Kreibich and various contributors.
+      </para>
+      <para>	
+	Permission is hereby granted, free of charge, to any person obtaining a copy
+	of this software and associated documentation files (the "Software"), to
+	deal in the Software without restriction, including without limitation the
+	rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+	sell copies of the Software, and to permit persons to whom the Software is
+	furnished to do so, subject to the following conditions:
+      </para>
+      <para>
+	The above copyright notice and this permission notice shall be included in
+	all copies of the Software and its documentation and acknowledgment shall be
+	given in the documentation and software packages that this Software was
+	used.
+      </para>
+      <para>	
+	THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+	IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+	FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+	THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+	IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+	CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.	
+      </para>
+    </sect1>
+    <sect1 id="about">
+      <title>About this document</title>
+      <para>
+	This documentation is maintained in SGML <ulink url="http://www.docbook.org">DocBook</ulink>,
+	API documentation is extracted from the code using the
+	<ulink url="http://www.gtk.org/gtk-doc/"><command>gtk-doc</command></ulink> tools.
+      </para>
+    </sect1>
+  </appendix>
+</book>
diff --git a/aux/broccoli/docs/broccoli-sections.txt b/aux/broccoli/docs/broccoli-sections.txt
new file mode 100644
index 0000000000..2c32d932ff
--- /dev/null
+++ b/aux/broccoli/docs/broccoli-sections.txt
@@ -0,0 +1,91 @@
+<SECTION>
+<FILE>broccoli</FILE>
+bro_debug_calltrace
+bro_debug_messages
+BroEventFunc
+BroCompactEventFunc
+bro_conn_new
+bro_conn_new_str
+bro_conn_new_socket
+bro_conn_set_class
+bro_conn_get_peer_class
+bro_conn_connect
+bro_conn_alive
+bro_conn_delete
+bro_conn_adopt_events
+bro_conn_get_fd
+bro_conn_process_input
+bro_conn_data_set
+bro_conn_data_get
+bro_conn_data_del
+bro_event_new
+bro_event_free
+bro_event_add_val
+bro_event_set_val
+bro_event_send
+bro_event_queue_length
+bro_event_queue_flush
+bro_event_registry_add
+bro_event_registry_add_compact
+bro_event_registry_remove
+bro_event_registry_request
+bro_buf_new
+bro_buf_free
+bro_buf_append
+bro_buf_consume
+bro_buf_reset
+bro_buf_get
+bro_buf_get_end
+bro_buf_get_size
+bro_buf_get_used_size
+bro_buf_ptr_get
+bro_buf_ptr_tell
+bro_buf_ptr_seek
+bro_buf_ptr_check
+bro_buf_ptr_read
+bro_buf_ptr_write
+bro_conf_get_int
+bro_conf_get_dbl
+bro_conf_get_str
+bro_conf_set_domain
+bro_string_init
+bro_string_set
+bro_string_set_data
+bro_string_get_data
+bro_string_get_length
+bro_string_copy
+bro_string_cleanup
+bro_string_free
+bro_record_new
+bro_record_free
+bro_record_add_val
+bro_record_get_nth_val
+bro_record_get_nth_name
+bro_record_get_named_val
+bro_record_set_nth_val
+bro_record_set_named_val
+BroTableCallback
+bro_table_new
+bro_table_free
+bro_table_insert
+bro_table_find
+bro_table_get_size
+bro_table_get_types
+bro_table_foreach
+BroSetCallback
+bro_set_new
+bro_set_free
+bro_set_insert
+bro_set_find
+bro_set_get_size
+bro_set_get_type
+bro_set_foreach
+bro_conn_set_packet_ctxt
+bro_conn_get_packet_ctxt
+bro_packet_new
+bro_packet_clone
+bro_packet_free
+bro_packet_send
+bro_util_current_time
+bro_util_timeval_to_double
+</SECTION>
diff --git a/aux/broccoli/docs/broccoli.types b/aux/broccoli/docs/broccoli.types
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/aux/broccoli/docs/html/a3621.html b/aux/broccoli/docs/html/a3621.html
new file mode 100644
index 0000000000..cc9d735b8d
--- /dev/null
+++ b/aux/broccoli/docs/html/a3621.html
@@ -0,0 +1,210 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
+<HTML
+><HEAD
+><TITLE
+>Appendix</TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK
+REL="HOME"
+TITLE="Broccoli: The Bro Client Communications Library"
+HREF="index.html"><LINK
+REL="PREVIOUS"
+TITLE="broccoli"
+HREF="broccoli-broccoli.html"><LINK
+REL="STYLESHEET"
+TYPE="text/css"
+HREF="stylesheet.css"></HEAD
+><BODY
+CLASS="APPENDIX"
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+LINK="#0000FF"
+VLINK="#840084"
+ALINK="#0000FF"
+><DIV
+CLASS="NAVHEADER"
+><TABLE
+SUMMARY="Header navigation table"
+WIDTH="100%"
+BORDER="0"
+CELLPADDING="0"
+CELLSPACING="0"
+><TR
+><TH
+COLSPAN="3"
+ALIGN="center"
+>Broccoli: The Bro Client Communications Library</TH
+></TR
+><TR
+><TD
+WIDTH="10%"
+ALIGN="left"
+VALIGN="bottom"
+><A
+HREF="broccoli-broccoli.html"
+ACCESSKEY="P"
+>Prev</A
+></TD
+><TD
+WIDTH="80%"
+ALIGN="center"
+VALIGN="bottom"
+></TD
+><TD
+WIDTH="10%"
+ALIGN="right"
+VALIGN="bottom"
+>&nbsp;</TD
+></TR
+></TABLE
+><HR
+ALIGN="LEFT"
+WIDTH="100%"></DIV
+><DIV
+CLASS="APPENDIX"
+><H1
+><A
+NAME="AEN3621"
+></A
+>Appendix A. Appendix</H1
+><DIV
+CLASS="TOC"
+><DL
+><DT
+><B
+>Table of Contents</B
+></DT
+><DT
+>A.1. <A
+HREF="a3621.html#LICENSE"
+>License</A
+></DT
+><DT
+>A.2. <A
+HREF="a3621.html#ABOUT"
+>About this document</A
+></DT
+></DL
+></DIV
+><BR
+CLEAR="all"><DIV
+CLASS="SECT1"
+><H1
+CLASS="SECT1"
+><A
+NAME="LICENSE"
+>A.1. License</A
+></H1
+><P
+>	Copyright (C) 2004-2008 Christian Kreibich and various contributors.
+      </P
+><P
+>	
+	Permission is hereby granted, free of charge, to any person obtaining a copy
+	of this software and associated documentation files (the "Software"), to
+	deal in the Software without restriction, including without limitation the
+	rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+	sell copies of the Software, and to permit persons to whom the Software is
+	furnished to do so, subject to the following conditions:
+      </P
+><P
+>	The above copyright notice and this permission notice shall be included in
+	all copies of the Software and its documentation and acknowledgment shall be
+	given in the documentation and software packages that this Software was
+	used.
+      </P
+><P
+>	
+	THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+	IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+	FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+	THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+	IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+	CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.	
+      </P
+></DIV
+><BR
+CLEAR="all"><DIV
+CLASS="SECT1"
+><H1
+CLASS="SECT1"
+><A
+NAME="ABOUT"
+>A.2. About this document</A
+></H1
+><P
+>	This documentation is maintained in SGML <A
+HREF="http://www.docbook.org"
+TARGET="_top"
+>DocBook</A
+>,
+	API documentation is extracted from the code using the
+	<A
+HREF="http://www.gtk.org/gtk-doc/"
+TARGET="_top"
+><B
+CLASS="COMMAND"
+>gtk-doc</B
+></A
+> tools.
+      </P
+></DIV
+></DIV
+><DIV
+CLASS="NAVFOOTER"
+><HR
+ALIGN="LEFT"
+WIDTH="100%"><TABLE
+SUMMARY="Footer navigation table"
+WIDTH="100%"
+BORDER="0"
+CELLPADDING="0"
+CELLSPACING="0"
+><TR
+><TD
+WIDTH="33%"
+ALIGN="left"
+VALIGN="top"
+><A
+HREF="broccoli-broccoli.html"
+ACCESSKEY="P"
+>Prev</A
+></TD
+><TD
+WIDTH="34%"
+ALIGN="center"
+VALIGN="top"
+><A
+HREF="index.html"
+ACCESSKEY="H"
+>Home</A
+></TD
+><TD
+WIDTH="33%"
+ALIGN="right"
+VALIGN="top"
+>&nbsp;</TD
+></TR
+><TR
+><TD
+WIDTH="33%"
+ALIGN="left"
+VALIGN="top"
+>broccoli</TD
+><TD
+WIDTH="34%"
+ALIGN="center"
+VALIGN="top"
+>&nbsp;</TD
+><TD
+WIDTH="33%"
+ALIGN="right"
+VALIGN="top"
+>&nbsp;</TD
+></TR
+></TABLE
+></DIV
+></BODY
+></HTML
+>
\ No newline at end of file
diff --git a/aux/broccoli/docs/html/api.html b/aux/broccoli/docs/html/api.html
new file mode 100644
index 0000000000..cb4a6b72e5
--- /dev/null
+++ b/aux/broccoli/docs/html/api.html
@@ -0,0 +1,139 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<HTML
+><HEAD
+><TITLE
+>Broccoli API Reference</TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet Version 1.79"><LINK
+REL="HOME"
+TITLE="Broccoli: The Bro Client Communications Library"
+HREF="index.html"><LINK
+REL="PREVIOUS"
+TITLE="Using Broccoli"
+HREF="c84.html"><LINK
+REL="NEXT"
+TITLE="broccoli"
+HREF="broccoli-broccoli.html"><LINK
+REL="STYLESHEET"
+TYPE="text/css"
+HREF="stylesheet.css"></HEAD
+><BODY
+CLASS="CHAPTER"
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+LINK="#0000FF"
+VLINK="#840084"
+ALINK="#0000FF"
+><DIV
+CLASS="NAVHEADER"
+><TABLE
+SUMMARY="Header navigation table"
+WIDTH="100%"
+BORDER="0"
+CELLPADDING="0"
+CELLSPACING="0"
+><TR
+><TH
+COLSPAN="3"
+ALIGN="center"
+>Broccoli: The Bro Client Communications Library</TH
+></TR
+><TR
+><TD
+WIDTH="10%"
+ALIGN="left"
+VALIGN="bottom"
+><A
+HREF="c84.html"
+ACCESSKEY="P"
+>Prev</A
+></TD
+><TD
+WIDTH="80%"
+ALIGN="center"
+VALIGN="bottom"
+></TD
+><TD
+WIDTH="10%"
+ALIGN="right"
+VALIGN="bottom"
+><A
+HREF="broccoli-broccoli.html"
+ACCESSKEY="N"
+>Next</A
+></TD
+></TR
+></TABLE
+><HR
+ALIGN="LEFT"
+WIDTH="100%"></DIV
+><DIV
+CLASS="CHAPTER"
+><H1
+><A
+NAME="API"
+></A
+>Chapter 4. Broccoli API Reference</H1
+></DIV
+><DIV
+CLASS="NAVFOOTER"
+><HR
+ALIGN="LEFT"
+WIDTH="100%"><TABLE
+SUMMARY="Footer navigation table"
+WIDTH="100%"
+BORDER="0"
+CELLPADDING="0"
+CELLSPACING="0"
+><TR
+><TD
+WIDTH="33%"
+ALIGN="left"
+VALIGN="top"
+><A
+HREF="c84.html"
+ACCESSKEY="P"
+>Prev</A
+></TD
+><TD
+WIDTH="34%"
+ALIGN="center"
+VALIGN="top"
+><A
+HREF="index.html"
+ACCESSKEY="H"
+>Home</A
+></TD
+><TD
+WIDTH="33%"
+ALIGN="right"
+VALIGN="top"
+><A
+HREF="broccoli-broccoli.html"
+ACCESSKEY="N"
+>Next</A
+></TD
+></TR
+><TR
+><TD
+WIDTH="33%"
+ALIGN="left"
+VALIGN="top"
+>Using Broccoli</TD
+><TD
+WIDTH="34%"
+ALIGN="center"
+VALIGN="top"
+>&nbsp;</TD
+><TD
+WIDTH="33%"
+ALIGN="right"
+VALIGN="top"
+>broccoli</TD
+></TR
+></TABLE
+></DIV
+></BODY
+></HTML
+>
\ No newline at end of file
diff --git a/aux/broccoli/docs/html/broccoli-broccoli.html b/aux/broccoli/docs/html/broccoli-broccoli.html
new file mode 100644
index 0000000000..5dd659d482
--- /dev/null
+++ b/aux/broccoli/docs/html/broccoli-broccoli.html
@@ -0,0 +1,6645 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<HTML
+><HEAD
+><TITLE
+>broccoli</TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet Version 1.79"><LINK
+REL="HOME"
+TITLE="Broccoli: The Bro Client Communications Library"
+HREF="index.html"><LINK
+REL="UP"
+TITLE="Broccoli API Reference"
+HREF="api.html"><LINK
+REL="PREVIOUS"
+TITLE="Broccoli API Reference"
+HREF="api.html"><LINK
+REL="NEXT"
+TITLE="Appendix"
+HREF="a3637.html"><LINK
+REL="STYLESHEET"
+TYPE="text/css"
+HREF="stylesheet.css"></HEAD
+><BODY
+CLASS="REFENTRY"
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+LINK="#0000FF"
+VLINK="#840084"
+ALINK="#0000FF"
+><DIV
+CLASS="NAVHEADER"
+><TABLE
+SUMMARY="Header navigation table"
+WIDTH="100%"
+BORDER="0"
+CELLPADDING="0"
+CELLSPACING="0"
+><TR
+><TH
+COLSPAN="3"
+ALIGN="center"
+>Broccoli: The Bro Client Communications Library</TH
+></TR
+><TR
+><TD
+WIDTH="10%"
+ALIGN="left"
+VALIGN="bottom"
+><A
+HREF="api.html"
+ACCESSKEY="P"
+>Prev</A
+></TD
+><TD
+WIDTH="80%"
+ALIGN="center"
+VALIGN="bottom"
+></TD
+><TD
+WIDTH="10%"
+ALIGN="right"
+VALIGN="bottom"
+><A
+HREF="a3637.html"
+ACCESSKEY="N"
+>Next</A
+></TD
+></TR
+></TABLE
+><HR
+ALIGN="LEFT"
+WIDTH="100%"></DIV
+><H1
+><A
+NAME="BROCCOLI-BROCCOLI"
+></A
+>broccoli</H1
+><DIV
+CLASS="REFNAMEDIV"
+><A
+NAME="AEN868"
+></A
+><H2
+>Name</H2
+>broccoli&nbsp;--&nbsp;</DIV
+><DIV
+CLASS="REFSYNOPSISDIV"
+><A
+NAME="BROCCOLI-BROCCOLI.SYNOPSIS"
+></A
+><H2
+>Synopsis</H2
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="SYNOPSIS"
+>extern              int <A
+HREF="broccoli-broccoli.html#BRO-DEBUG-CALLTRACE"
+>bro_debug_calltrace</A
+>;
+extern              int <A
+HREF="broccoli-broccoli.html#BRO-DEBUG-MESSAGES"
+>bro_debug_messages</A
+>;
+void                (<A
+HREF="broccoli-broccoli.html#BROEVENTFUNC"
+>*BroEventFunc</A
+>)                     (BroConn *bc,
+                                                         void *user_data,
+                                                         ...);
+void                (<A
+HREF="broccoli-broccoli.html#BROCOMPACTEVENTFUNC"
+>*BroCompactEventFunc</A
+>)              (BroConn *bc,
+                                                         void *user_data,
+                                                         BroEvMeta *meta);
+BroConn*            <A
+HREF="broccoli-broccoli.html#BRO-CONN-NEW"
+>bro_conn_new</A
+>                        (struct in_addr *ip_addr,
+                                                         uint16 port,
+                                                         int flags);
+BroConn*            <A
+HREF="broccoli-broccoli.html#BRO-CONN-NEW-STR"
+>bro_conn_new_str</A
+>                    (const char *hostname,
+                                                         int flags);
+BroConn*            <A
+HREF="broccoli-broccoli.html#BRO-CONN-NEW-SOCKET"
+>bro_conn_new_socket</A
+>                 (int socket,
+                                                         int flags);
+void                <A
+HREF="broccoli-broccoli.html#BRO-CONN-SET-CLASS"
+>bro_conn_set_class</A
+>                  (BroConn *bc,
+                                                         const char *classname);
+const char*         <A
+HREF="broccoli-broccoli.html#BRO-CONN-GET-PEER-CLASS"
+>bro_conn_get_peer_class</A
+>             (const BroConn *bc);
+int                 <A
+HREF="broccoli-broccoli.html#BRO-CONN-CONNECT"
+>bro_conn_connect</A
+>                    (BroConn *bc);
+int                 <A
+HREF="broccoli-broccoli.html#BRO-CONN-ALIVE"
+>bro_conn_alive</A
+>                      (const BroConn *bc);
+int                 <A
+HREF="broccoli-broccoli.html#BRO-CONN-DELETE"
+>bro_conn_delete</A
+>                     (BroConn *bc);
+void                <A
+HREF="broccoli-broccoli.html#BRO-CONN-ADOPT-EVENTS"
+>bro_conn_adopt_events</A
+>               (BroConn *src,
+                                                         BroConn *dst);
+int                 <A
+HREF="broccoli-broccoli.html#BRO-CONN-GET-FD"
+>bro_conn_get_fd</A
+>                     (BroConn *bc);
+int                 <A
+HREF="broccoli-broccoli.html#BRO-CONN-PROCESS-INPUT"
+>bro_conn_process_input</A
+>              (BroConn *bc);
+void                <A
+HREF="broccoli-broccoli.html#BRO-CONN-DATA-SET"
+>bro_conn_data_set</A
+>                   (BroConn *bc,
+                                                         const char *key,
+                                                         void *val);
+void*               <A
+HREF="broccoli-broccoli.html#BRO-CONN-DATA-GET"
+>bro_conn_data_get</A
+>                   (BroConn *bc,
+                                                         const char *key);
+void*               <A
+HREF="broccoli-broccoli.html#BRO-CONN-DATA-DEL"
+>bro_conn_data_del</A
+>                   (BroConn *bc,
+                                                         const char *key);
+BroEvent*           <A
+HREF="broccoli-broccoli.html#BRO-EVENT-NEW"
+>bro_event_new</A
+>                       (const char *event_name);
+void                <A
+HREF="broccoli-broccoli.html#BRO-EVENT-FREE"
+>bro_event_free</A
+>                      (BroEvent *be);
+int                 <A
+HREF="broccoli-broccoli.html#BRO-EVENT-ADD-VAL"
+>bro_event_add_val</A
+>                   (BroEvent *be,
+                                                         int type,
+                                                         const char *type_name,
+                                                         const void *val);
+int                 <A
+HREF="broccoli-broccoli.html#BRO-EVENT-SET-VAL"
+>bro_event_set_val</A
+>                   (BroEvent *be,
+                                                         int val_num,
+                                                         int type,
+                                                         const char *type_name,
+                                                         const void *val);
+int                 <A
+HREF="broccoli-broccoli.html#BRO-EVENT-SEND"
+>bro_event_send</A
+>                      (BroConn *bc,
+                                                         BroEvent *be);
+int                 <A
+HREF="broccoli-broccoli.html#BRO-EVENT-QUEUE-LENGTH"
+>bro_event_queue_length</A
+>              (BroConn *bc);
+int                 <A
+HREF="broccoli-broccoli.html#BRO-EVENT-QUEUE-FLUSH"
+>bro_event_queue_flush</A
+>               (BroConn *bc);
+void                <A
+HREF="broccoli-broccoli.html#BRO-EVENT-REGISTRY-ADD"
+>bro_event_registry_add</A
+>              (BroConn *bc,
+                                                         const char *event_name,
+                                                         <A
+HREF="broccoli-broccoli.html#BROEVENTFUNC"
+>BroEventFunc</A
+> func,
+                                                         void *user_data);
+void                <A
+HREF="broccoli-broccoli.html#BRO-EVENT-REGISTRY-ADD-COMPACT"
+>bro_event_registry_add_compact</A
+>      (BroConn *bc,
+                                                         const char *event_name,
+                                                         <A
+HREF="broccoli-broccoli.html#BROCOMPACTEVENTFUNC"
+>BroCompactEventFunc</A
+> func,
+                                                         void *user_data);
+void                <A
+HREF="broccoli-broccoli.html#BRO-EVENT-REGISTRY-REMOVE"
+>bro_event_registry_remove</A
+>           (BroConn *bc,
+                                                         const char *event_name);
+void                <A
+HREF="broccoli-broccoli.html#BRO-EVENT-REGISTRY-REQUEST"
+>bro_event_registry_request</A
+>          (BroConn *bc);
+BroBuf*             <A
+HREF="broccoli-broccoli.html#BRO-BUF-NEW"
+>bro_buf_new</A
+>                         (void);
+void                <A
+HREF="broccoli-broccoli.html#BRO-BUF-FREE"
+>bro_buf_free</A
+>                        (BroBuf *buf);
+int                 <A
+HREF="broccoli-broccoli.html#BRO-BUF-APPEND"
+>bro_buf_append</A
+>                      (BroBuf *buf,
+                                                         void *data,
+                                                         int data_len);
+void                <A
+HREF="broccoli-broccoli.html#BRO-BUF-CONSUME"
+>bro_buf_consume</A
+>                     (BroBuf *buf);
+void                <A
+HREF="broccoli-broccoli.html#BRO-BUF-RESET"
+>bro_buf_reset</A
+>                       (BroBuf *buf);
+uchar*              <A
+HREF="broccoli-broccoli.html#BRO-BUF-GET"
+>bro_buf_get</A
+>                         (BroBuf *buf);
+uchar*              <A
+HREF="broccoli-broccoli.html#BRO-BUF-GET-END"
+>bro_buf_get_end</A
+>                     (BroBuf *buf);
+uint                <A
+HREF="broccoli-broccoli.html#BRO-BUF-GET-SIZE"
+>bro_buf_get_size</A
+>                    (BroBuf *buf);
+uint                <A
+HREF="broccoli-broccoli.html#BRO-BUF-GET-USED-SIZE"
+>bro_buf_get_used_size</A
+>               (BroBuf *buf);
+uchar*              <A
+HREF="broccoli-broccoli.html#BRO-BUF-PTR-GET"
+>bro_buf_ptr_get</A
+>                     (BroBuf *buf);
+uint32              <A
+HREF="broccoli-broccoli.html#BRO-BUF-PTR-TELL"
+>bro_buf_ptr_tell</A
+>                    (BroBuf *buf);
+int                 <A
+HREF="broccoli-broccoli.html#BRO-BUF-PTR-SEEK"
+>bro_buf_ptr_seek</A
+>                    (BroBuf *buf,
+                                                         int offset,
+                                                         int whence);
+int                 <A
+HREF="broccoli-broccoli.html#BRO-BUF-PTR-CHECK"
+>bro_buf_ptr_check</A
+>                   (BroBuf *buf,
+                                                         int size);
+int                 <A
+HREF="broccoli-broccoli.html#BRO-BUF-PTR-READ"
+>bro_buf_ptr_read</A
+>                    (BroBuf *buf,
+                                                         void *data,
+                                                         int size);
+int                 <A
+HREF="broccoli-broccoli.html#BRO-BUF-PTR-WRITE"
+>bro_buf_ptr_write</A
+>                   (BroBuf *buf,
+                                                         void *data,
+                                                         int size);
+int                 <A
+HREF="broccoli-broccoli.html#BRO-CONF-GET-INT"
+>bro_conf_get_int</A
+>                    (const char *val_name,
+                                                         int *val);
+int                 <A
+HREF="broccoli-broccoli.html#BRO-CONF-GET-DBL"
+>bro_conf_get_dbl</A
+>                    (const char *val_name,
+                                                         double *val);
+const char*         <A
+HREF="broccoli-broccoli.html#BRO-CONF-GET-STR"
+>bro_conf_get_str</A
+>                    (const char *val_name);
+void                <A
+HREF="broccoli-broccoli.html#BRO-CONF-SET-DOMAIN"
+>bro_conf_set_domain</A
+>                 (const char *domain);
+void                <A
+HREF="broccoli-broccoli.html#BRO-STRING-INIT"
+>bro_string_init</A
+>                     (BroString *bs);
+int                 <A
+HREF="broccoli-broccoli.html#BRO-STRING-SET"
+>bro_string_set</A
+>                      (BroString *bs,
+                                                         const char *s);
+int                 <A
+HREF="broccoli-broccoli.html#BRO-STRING-SET-DATA"
+>bro_string_set_data</A
+>                 (BroString *bs,
+                                                         const uchar *data,
+                                                         int data_len);
+const uchar*        <A
+HREF="broccoli-broccoli.html#BRO-STRING-GET-DATA"
+>bro_string_get_data</A
+>                 (const BroString *bs);
+uint32              <A
+HREF="broccoli-broccoli.html#BRO-STRING-GET-LENGTH"
+>bro_string_get_length</A
+>               (const BroString *bs);
+BroString*          <A
+HREF="broccoli-broccoli.html#BRO-STRING-COPY"
+>bro_string_copy</A
+>                     (BroString *bs);
+void                <A
+HREF="broccoli-broccoli.html#BRO-STRING-CLEANUP"
+>bro_string_cleanup</A
+>                  (BroString *bs);
+void                <A
+HREF="broccoli-broccoli.html#BRO-STRING-FREE"
+>bro_string_free</A
+>                     (BroString *bs);
+BroRecord*          <A
+HREF="broccoli-broccoli.html#BRO-RECORD-NEW"
+>bro_record_new</A
+>                      (void);
+void                <A
+HREF="broccoli-broccoli.html#BRO-RECORD-FREE"
+>bro_record_free</A
+>                     (BroRecord *rec);
+int                 <A
+HREF="broccoli-broccoli.html#BRO-RECORD-ADD-VAL"
+>bro_record_add_val</A
+>                  (BroRecord *rec,
+                                                         const char *name,
+                                                         int type,
+                                                         const char *type_name,
+                                                         const void *val);
+void*               <A
+HREF="broccoli-broccoli.html#BRO-RECORD-GET-NTH-VAL"
+>bro_record_get_nth_val</A
+>              (BroRecord *rec,
+                                                         int num,
+                                                         int *type);
+const char*         <A
+HREF="broccoli-broccoli.html#BRO-RECORD-GET-NTH-NAME"
+>bro_record_get_nth_name</A
+>             (BroRecord *rec,
+                                                         int num);
+void*               <A
+HREF="broccoli-broccoli.html#BRO-RECORD-GET-NAMED-VAL"
+>bro_record_get_named_val</A
+>            (BroRecord *rec,
+                                                         const char *name,
+                                                         int *type);
+int                 <A
+HREF="broccoli-broccoli.html#BRO-RECORD-SET-NTH-VAL"
+>bro_record_set_nth_val</A
+>              (BroRecord *rec,
+                                                         int num,
+                                                         int type,
+                                                         const char *type_name,
+                                                         const void *val);
+int                 <A
+HREF="broccoli-broccoli.html#BRO-RECORD-SET-NAMED-VAL"
+>bro_record_set_named_val</A
+>            (BroRecord *rec,
+                                                         const char *name,
+                                                         int type,
+                                                         const char *type_name,
+                                                         const void *val);
+int                 (<A
+HREF="broccoli-broccoli.html#BROTABLECALLBACK"
+>*BroTableCallback</A
+>)                 (void *key,
+                                                         void *val,
+                                                         void *user_data);
+BroTable*           <A
+HREF="broccoli-broccoli.html#BRO-TABLE-NEW"
+>bro_table_new</A
+>                       (void);
+void                <A
+HREF="broccoli-broccoli.html#BRO-TABLE-FREE"
+>bro_table_free</A
+>                      (BroTable *tbl);
+int                 <A
+HREF="broccoli-broccoli.html#BRO-TABLE-INSERT"
+>bro_table_insert</A
+>                    (BroTable *tbl,
+                                                         int key_type,
+                                                         const void *key,
+                                                         int val_type,
+                                                         const void *val);
+void*               <A
+HREF="broccoli-broccoli.html#BRO-TABLE-FIND"
+>bro_table_find</A
+>                      (BroTable *tbl,
+                                                         const void *key);
+int                 <A
+HREF="broccoli-broccoli.html#BRO-TABLE-GET-SIZE"
+>bro_table_get_size</A
+>                  (BroTable *tbl);
+void                <A
+HREF="broccoli-broccoli.html#BRO-TABLE-GET-TYPES"
+>bro_table_get_types</A
+>                 (BroTable *tbl,
+                                                         int *key_type,
+                                                         int *val_type);
+void                <A
+HREF="broccoli-broccoli.html#BRO-TABLE-FOREACH"
+>bro_table_foreach</A
+>                   (BroTable *tbl,
+                                                         <A
+HREF="broccoli-broccoli.html#BROTABLECALLBACK"
+>BroTableCallback</A
+> cb,
+                                                         void *user_data);
+int                 (<A
+HREF="broccoli-broccoli.html#BROSETCALLBACK"
+>*BroSetCallback</A
+>)                   (void *val,
+                                                         void *user_data);
+BroSet*             <A
+HREF="broccoli-broccoli.html#BRO-SET-NEW"
+>bro_set_new</A
+>                         (void);
+void                <A
+HREF="broccoli-broccoli.html#BRO-SET-FREE"
+>bro_set_free</A
+>                        (BroSet *set);
+int                 <A
+HREF="broccoli-broccoli.html#BRO-SET-INSERT"
+>bro_set_insert</A
+>                      (BroSet *set,
+                                                         int type,
+                                                         const void *val);
+int                 <A
+HREF="broccoli-broccoli.html#BRO-SET-FIND"
+>bro_set_find</A
+>                        (BroSet *set,
+                                                         const void *key);
+int                 <A
+HREF="broccoli-broccoli.html#BRO-SET-GET-SIZE"
+>bro_set_get_size</A
+>                    (BroSet *set);
+void                <A
+HREF="broccoli-broccoli.html#BRO-SET-GET-TYPE"
+>bro_set_get_type</A
+>                    (BroSet *set,
+                                                         int *type);
+void                <A
+HREF="broccoli-broccoli.html#BRO-SET-FOREACH"
+>bro_set_foreach</A
+>                     (BroSet *set,
+                                                         <A
+HREF="broccoli-broccoli.html#BROSETCALLBACK"
+>BroSetCallback</A
+> cb,
+                                                         void *user_data);
+void                <A
+HREF="broccoli-broccoli.html#BRO-CONN-SET-PACKET-CTXT"
+>bro_conn_set_packet_ctxt</A
+>            (BroConn *bc,
+                                                         int link_type);
+void                <A
+HREF="broccoli-broccoli.html#BRO-CONN-GET-PACKET-CTXT"
+>bro_conn_get_packet_ctxt</A
+>            (BroConn *bc,
+                                                         int *link_type);
+BroPacket*          <A
+HREF="broccoli-broccoli.html#BRO-PACKET-NEW"
+>bro_packet_new</A
+>                      (const struct pcap_pkthdr *hdr,
+                                                         const u_char *data,
+                                                         const char *tag);
+BroPacket*          <A
+HREF="broccoli-broccoli.html#BRO-PACKET-CLONE"
+>bro_packet_clone</A
+>                    (const BroPacket *packet);
+void                <A
+HREF="broccoli-broccoli.html#BRO-PACKET-FREE"
+>bro_packet_free</A
+>                     (BroPacket *packet);
+int                 <A
+HREF="broccoli-broccoli.html#BRO-PACKET-SEND"
+>bro_packet_send</A
+>                     (BroConn *bc,
+                                                         BroPacket *packet);
+double              <A
+HREF="broccoli-broccoli.html#BRO-UTIL-CURRENT-TIME"
+>bro_util_current_time</A
+>               (void);
+double              <A
+HREF="broccoli-broccoli.html#BRO-UTIL-TIMEVAL-TO-DOUBLE"
+>bro_util_timeval_to_double</A
+>          (const struct timeval *tv);</PRE
+></TD
+></TR
+></TABLE
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="BROCCOLI-BROCCOLI.DESCRIPTION"
+></A
+><H2
+>Description</H2
+><P
+></P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="BROCCOLI-BROCCOLI.DETAILS"
+></A
+><H2
+>Details</H2
+><DIV
+CLASS="REFSECT2"
+><A
+NAME="BRO-DEBUG-CALLTRACE"
+></A
+><H3
+>bro_debug_calltrace</H3
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>extern int bro_debug_calltrace;</PRE
+></TD
+></TR
+></TABLE
+><P
+>If you have debugging support built in (i.e., your package was configured
+with --enable-debugging), you can enable/disable debugging output for
+call tracing by setting this to 0 (off) or 1 (on). Default is off.</P
+><P
+></P
+></DIV
+><HR><DIV
+CLASS="REFSECT2"
+><A
+NAME="BRO-DEBUG-MESSAGES"
+></A
+><H3
+>bro_debug_messages</H3
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>extern int bro_debug_messages;</PRE
+></TD
+></TR
+></TABLE
+><P
+>If you have debugging support built in (i.e., your package was configured
+with --enable-debugging), you can enable/disable debugging messages
+by setting this to 0 (off) or 1 (on). Default is off.</P
+><P
+></P
+></DIV
+><HR><DIV
+CLASS="REFSECT2"
+><A
+NAME="BROEVENTFUNC"
+></A
+><H3
+>BroEventFunc ()</H3
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>void                (*BroEventFunc)                     (BroConn *bc,
+                                                         void *user_data,
+                                                         ...);</PRE
+></TD
+></TR
+></TABLE
+><P
+>This is the signature of callbacks for handling received
+Bro events, called in the argument-expanded style.  For details
+see <A
+HREF="broccoli-broccoli.html#BRO-EVENT-REGISTRY-ADD"
+><CODE
+CLASS="FUNCTION"
+>bro_event_registry_add()</CODE
+></A
+>.</P
+><P
+></P
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><TT
+CLASS="PARAMETER"
+>bc</TT
+>&nbsp;:</DT
+><DD
+><P
+> Bro connection handle.</P
+></DD
+><DT
+><TT
+CLASS="PARAMETER"
+>user_data</TT
+>&nbsp;:</DT
+><DD
+><P
+> user data provided to <A
+HREF="broccoli-broccoli.html#BRO-EVENT-REGISTRY-ADD"
+><CODE
+CLASS="FUNCTION"
+>bro_event_registry_add()</CODE
+></A
+>.</P
+></DD
+><DT
+><TT
+CLASS="PARAMETER"
+>...</TT
+>&nbsp;:</DT
+><DD
+><P
+> varargs.</P
+></DD
+></DL
+></DIV
+></DIV
+><HR><DIV
+CLASS="REFSECT2"
+><A
+NAME="BROCOMPACTEVENTFUNC"
+></A
+><H3
+>BroCompactEventFunc ()</H3
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>void                (*BroCompactEventFunc)              (BroConn *bc,
+                                                         void *user_data,
+                                                         BroEvMeta *meta);</PRE
+></TD
+></TR
+></TABLE
+><P
+>This is the signature of callbacks for handling received
+Bro events, called in the compact-argument style. For details
+see <A
+HREF="broccoli-broccoli.html#BRO-EVENT-REGISTRY-ADD-COMPACT"
+><CODE
+CLASS="FUNCTION"
+>bro_event_registry_add_compact()</CODE
+></A
+>.</P
+><P
+></P
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><TT
+CLASS="PARAMETER"
+>bc</TT
+>&nbsp;:</DT
+><DD
+><P
+> Bro connection handle.</P
+></DD
+><DT
+><TT
+CLASS="PARAMETER"
+>user_data</TT
+>&nbsp;:</DT
+><DD
+><P
+> user data provided to <A
+HREF="broccoli-broccoli.html#BRO-EVENT-REGISTRY-ADD-COMPACT"
+><CODE
+CLASS="FUNCTION"
+>bro_event_registry_add_compact()</CODE
+></A
+>.</P
+></DD
+><DT
+><TT
+CLASS="PARAMETER"
+>meta</TT
+>&nbsp;:</DT
+><DD
+><P
+> metadata for the event</P
+></DD
+></DL
+></DIV
+></DIV
+><HR><DIV
+CLASS="REFSECT2"
+><A
+NAME="BRO-CONN-NEW"
+></A
+><H3
+>bro_conn_new ()</H3
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>BroConn*            bro_conn_new                        (struct in_addr *ip_addr,
+                                                         uint16 port,
+                                                         int flags);</PRE
+></TD
+></TR
+></TABLE
+><P
+>The function creates a new Bro connection handle for communication with
+Bro through a network. Depending on the flags passed in, the connection
+and its setup process can be adjusted. If you don't want to pass any
+flags, use <TT
+CLASS="LITERAL"
+>BRO_CFLAG_NONE</TT
+>.</P
+><P
+></P
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><TT
+CLASS="PARAMETER"
+>ip_addr</TT
+>&nbsp;:</DT
+><DD
+><P
+> 4-byte IP address of Bro to contact, in network byte order.</P
+></DD
+><DT
+><TT
+CLASS="PARAMETER"
+>port</TT
+>&nbsp;:</DT
+><DD
+><P
+> port of machine at <TT
+CLASS="PARAMETER"
+>ip_addr</TT
+> to contact, in network byte order.</P
+></DD
+><DT
+><TT
+CLASS="PARAMETER"
+>flags</TT
+>&nbsp;:</DT
+><DD
+><P
+> an or-combination of the <TT
+CLASS="LITERAL"
+>BRO_CONN_xxx</TT
+> flags.</P
+></DD
+><DT
+><SPAN
+CLASS="emphasis"
+><B
+CLASS="EMPHASIS"
+>Returns</B
+></SPAN
+>&nbsp;:</DT
+><DD
+><P
+> pointer to a newly allocated and initialized
+Bro connection structure. You need this structure for all
+other calls in order to identify the connection to Bro.</P
+></DD
+></DL
+></DIV
+></DIV
+><HR><DIV
+CLASS="REFSECT2"
+><A
+NAME="BRO-CONN-NEW-STR"
+></A
+><H3
+>bro_conn_new_str ()</H3
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>BroConn*            bro_conn_new_str                    (const char *hostname,
+                                                         int flags);</PRE
+></TD
+></TR
+></TABLE
+><P
+>The function is identical to <A
+HREF="broccoli-broccoli.html#BRO-CONN-NEW"
+><CODE
+CLASS="FUNCTION"
+>bro_conn_new()</CODE
+></A
+>, but allows you to specify the
+host and port to connect to in a string as "&lt;hostname&gt;:&lt;port&gt;". <TT
+CLASS="PARAMETER"
+>flags</TT
+> can
+be used to adjust the connection features and the setup process. If you don't
+want to pass any flags, use <TT
+CLASS="LITERAL"
+>BRO_CFLAG_NONE</TT
+>.</P
+><P
+></P
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><TT
+CLASS="PARAMETER"
+>hostname</TT
+>&nbsp;:</DT
+><DD
+><P
+> string describing the host and port to connect to.</P
+></DD
+><DT
+><TT
+CLASS="PARAMETER"
+>flags</TT
+>&nbsp;:</DT
+><DD
+><P
+> an or-combination of the <TT
+CLASS="LITERAL"
+>BRO_CONN_xxx</TT
+> flags.</P
+></DD
+><DT
+><SPAN
+CLASS="emphasis"
+><B
+CLASS="EMPHASIS"
+>Returns</B
+></SPAN
+>&nbsp;:</DT
+><DD
+><P
+> pointer to a newly allocated and initialized
+Bro connection structure. You need this structure for all
+other calls in order to identify the connection to Bro.</P
+></DD
+></DL
+></DIV
+></DIV
+><HR><DIV
+CLASS="REFSECT2"
+><A
+NAME="BRO-CONN-NEW-SOCKET"
+></A
+><H3
+>bro_conn_new_socket ()</H3
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>BroConn*            bro_conn_new_socket                 (int socket,
+                                                         int flags);</PRE
+></TD
+></TR
+></TABLE
+><P
+>The function is identical to <A
+HREF="broccoli-broccoli.html#BRO-CONN-NEW"
+><CODE
+CLASS="FUNCTION"
+>bro_conn_new()</CODE
+></A
+>, but allows you to pass in an
+open socket to use for the communication. <TT
+CLASS="PARAMETER"
+>flags</TT
+> can be used to
+adjust the connection features and the setup process. If you don't want to
+pass any flags, use <TT
+CLASS="LITERAL"
+>BRO_CFLAG_NONE</TT
+>.</P
+><P
+></P
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><TT
+CLASS="PARAMETER"
+>socket</TT
+>&nbsp;:</DT
+><DD
+><P
+> open socket.</P
+></DD
+><DT
+><TT
+CLASS="PARAMETER"
+>flags</TT
+>&nbsp;:</DT
+><DD
+><P
+> an or-combination of the <TT
+CLASS="LITERAL"
+>BRO_CONN_xxx</TT
+> flags.</P
+></DD
+><DT
+><SPAN
+CLASS="emphasis"
+><B
+CLASS="EMPHASIS"
+>Returns</B
+></SPAN
+>&nbsp;:</DT
+><DD
+><P
+> pointer to a newly allocated and initialized
+Bro connection structure. You need this structure for all
+other calls in order to identify the connection to Bro.</P
+></DD
+></DL
+></DIV
+></DIV
+><HR><DIV
+CLASS="REFSECT2"
+><A
+NAME="BRO-CONN-SET-CLASS"
+></A
+><H3
+>bro_conn_set_class ()</H3
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>void                bro_conn_set_class                  (BroConn *bc,
+                                                         const char *classname);</PRE
+></TD
+></TR
+></TABLE
+><P
+>Broccoli connections can indicate that they belong to a certain class
+of connections, which is needed primarily if multiple Bro/Broccoli
+instances are running on the same node and connect to a single remote
+peer. You can set this class with this function, and you have to do so
+before calling <CODE
+CLASS="FUNCTION"
+>bro_connect()</CODE
+> since the connection class is determined
+upon connection establishment. You remain responsible for the memory
+pointed to by <TT
+CLASS="PARAMETER"
+>classname</TT
+>.</P
+><P
+></P
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><TT
+CLASS="PARAMETER"
+>bc</TT
+>&nbsp;:</DT
+><DD
+><P
+> connection handle.</P
+></DD
+><DT
+><TT
+CLASS="PARAMETER"
+>classname</TT
+>&nbsp;:</DT
+><DD
+><P
+> class identifier.</P
+></DD
+></DL
+></DIV
+></DIV
+><HR><DIV
+CLASS="REFSECT2"
+><A
+NAME="BRO-CONN-GET-PEER-CLASS"
+></A
+><H3
+>bro_conn_get_peer_class ()</H3
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>const char*         bro_conn_get_peer_class             (const BroConn *bc);</PRE
+></TD
+></TR
+></TABLE
+><P
+></P
+><P
+></P
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><TT
+CLASS="PARAMETER"
+>bc</TT
+>&nbsp;:</DT
+><DD
+><P
+> connection handle.</P
+></DD
+><DT
+><SPAN
+CLASS="emphasis"
+><B
+CLASS="EMPHASIS"
+>Returns</B
+></SPAN
+>&nbsp;:</DT
+><DD
+><P
+> a string containing the connection class indicated by the peer,
+if any, otherwise <TT
+CLASS="LITERAL"
+>NULL</TT
+>.</P
+></DD
+></DL
+></DIV
+></DIV
+><HR><DIV
+CLASS="REFSECT2"
+><A
+NAME="BRO-CONN-CONNECT"
+></A
+><H3
+>bro_conn_connect ()</H3
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>int                 bro_conn_connect                    (BroConn *bc);</PRE
+></TD
+></TR
+></TABLE
+><P
+>The function attempts to set up and configure a connection to
+the peer configured when the connection handle was obtained.</P
+><P
+></P
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><TT
+CLASS="PARAMETER"
+>bc</TT
+>&nbsp;:</DT
+><DD
+><P
+> connection handle.</P
+></DD
+><DT
+><SPAN
+CLASS="emphasis"
+><B
+CLASS="EMPHASIS"
+>Returns</B
+></SPAN
+>&nbsp;:</DT
+><DD
+><P
+> <TT
+CLASS="LITERAL"
+>TRUE</TT
+> on success, <TT
+CLASS="LITERAL"
+>FALSE</TT
+> on failure.</P
+></DD
+></DL
+></DIV
+></DIV
+><HR><DIV
+CLASS="REFSECT2"
+><A
+NAME="BRO-CONN-ALIVE"
+></A
+><H3
+>bro_conn_alive ()</H3
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>int                 bro_conn_alive                      (const BroConn *bc);</PRE
+></TD
+></TR
+></TABLE
+><P
+>This predicate reports whether the connection handle is currently
+usable for sending/receiving data or not, e.g. because the peer
+died. The function does not actively check and update the
+connection's state, it only reports the value of flags indicating
+its status. In particular, this means that when calling
+<A
+HREF="broccoli-broccoli.html#BRO-CONN-ALIVE"
+><CODE
+CLASS="FUNCTION"
+>bro_conn_alive()</CODE
+></A
+> directly after a <CODE
+CLASS="FUNCTION"
+>select()</CODE
+> on the connection's
+descriptor, <A
+HREF="broccoli-broccoli.html#BRO-CONN-ALIVE"
+><CODE
+CLASS="FUNCTION"
+>bro_conn_alive()</CODE
+></A
+> may return an incorrent value. It will
+however return the correct value after a subsequent call to
+<A
+HREF="broccoli-broccoli.html#BRO-CONN-PROCESS-INPUT"
+><CODE
+CLASS="FUNCTION"
+>bro_conn_process_input()</CODE
+></A
+>. Also note that the connection is also
+dead after the connection handle is obtained and before
+<A
+HREF="broccoli-broccoli.html#BRO-CONN-CONNECT"
+><CODE
+CLASS="FUNCTION"
+>bro_conn_connect()</CODE
+></A
+> is called.</P
+><P
+></P
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><TT
+CLASS="PARAMETER"
+>bc</TT
+>&nbsp;:</DT
+><DD
+><P
+> Bro connection handle.</P
+></DD
+><DT
+><SPAN
+CLASS="emphasis"
+><B
+CLASS="EMPHASIS"
+>Returns</B
+></SPAN
+>&nbsp;:</DT
+><DD
+><P
+> <TT
+CLASS="LITERAL"
+>TRUE</TT
+> if the connection is alive, <TT
+CLASS="LITERAL"
+>FALSE</TT
+> otherwise.</P
+></DD
+></DL
+></DIV
+></DIV
+><HR><DIV
+CLASS="REFSECT2"
+><A
+NAME="BRO-CONN-DELETE"
+></A
+><H3
+>bro_conn_delete ()</H3
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>int                 bro_conn_delete                     (BroConn *bc);</PRE
+></TD
+></TR
+></TABLE
+><P
+>This function will terminate the given connection if necessary
+and release all resources associated with the connection handle.</P
+><P
+></P
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><TT
+CLASS="PARAMETER"
+>bc</TT
+>&nbsp;:</DT
+><DD
+><P
+> Bro connection handle</P
+></DD
+><DT
+><SPAN
+CLASS="emphasis"
+><B
+CLASS="EMPHASIS"
+>Returns</B
+></SPAN
+>&nbsp;:</DT
+><DD
+><P
+> <TT
+CLASS="LITERAL"
+>FALSE</TT
+> on error, <TT
+CLASS="LITERAL"
+>TRUE</TT
+> otherwise.</P
+></DD
+></DL
+></DIV
+></DIV
+><HR><DIV
+CLASS="REFSECT2"
+><A
+NAME="BRO-CONN-ADOPT-EVENTS"
+></A
+><H3
+>bro_conn_adopt_events ()</H3
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>void                bro_conn_adopt_events               (BroConn *src,
+                                                         BroConn *dst);</PRE
+></TD
+></TR
+></TABLE
+><P
+>The function makes the connection identified by <TT
+CLASS="PARAMETER"
+>dst</TT
+> use the same event
+mask as the one identified by <TT
+CLASS="PARAMETER"
+>src</TT
+>.</P
+><P
+></P
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><TT
+CLASS="PARAMETER"
+>src</TT
+>&nbsp;:</DT
+><DD
+><P
+> Bro connection handle for connection whose event list to adopt.</P
+></DD
+><DT
+><TT
+CLASS="PARAMETER"
+>dst</TT
+>&nbsp;:</DT
+><DD
+><P
+> Bro connection handle for connection whose event list to change.</P
+></DD
+></DL
+></DIV
+></DIV
+><HR><DIV
+CLASS="REFSECT2"
+><A
+NAME="BRO-CONN-GET-FD"
+></A
+><H3
+>bro_conn_get_fd ()</H3
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>int                 bro_conn_get_fd                     (BroConn *bc);</PRE
+></TD
+></TR
+></TABLE
+><P
+>If you need to know the file descriptor of the connection
+(such as when <CODE
+CLASS="FUNCTION"
+>select()</CODE
+>ing it etc), use this accessor function.</P
+><P
+></P
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><TT
+CLASS="PARAMETER"
+>bc</TT
+>&nbsp;:</DT
+><DD
+><P
+> Bro connection handle.</P
+></DD
+><DT
+><SPAN
+CLASS="emphasis"
+><B
+CLASS="EMPHASIS"
+>Returns</B
+></SPAN
+>&nbsp;:</DT
+><DD
+><P
+> file descriptor for connection <TT
+CLASS="PARAMETER"
+>bc</TT
+>, or negative value
+on error.</P
+></DD
+></DL
+></DIV
+></DIV
+><HR><DIV
+CLASS="REFSECT2"
+><A
+NAME="BRO-CONN-PROCESS-INPUT"
+></A
+><H3
+>bro_conn_process_input ()</H3
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>int                 bro_conn_process_input              (BroConn *bc);</PRE
+></TD
+></TR
+></TABLE
+><P
+>The function reads all input sent to the local sensor by the
+Bro peering at the connection identified by <TT
+CLASS="PARAMETER"
+>bc</TT
+>. It is up
+to you to find a spot in the application you're instrumenting
+to make sure this is called. This function cannot block.
+<A
+HREF="broccoli-broccoli.html#BRO-CONN-ALIVE"
+><CODE
+CLASS="FUNCTION"
+>bro_conn_alive()</CODE
+></A
+> will report the actual state of the connection
+after a call to <A
+HREF="broccoli-broccoli.html#BRO-CONN-PROCESS-INPUT"
+><CODE
+CLASS="FUNCTION"
+>bro_conn_process_input()</CODE
+></A
+>.</P
+><P
+></P
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><TT
+CLASS="PARAMETER"
+>bc</TT
+>&nbsp;:</DT
+><DD
+><P
+> Bro connection handle</P
+></DD
+><DT
+><SPAN
+CLASS="emphasis"
+><B
+CLASS="EMPHASIS"
+>Returns</B
+></SPAN
+>&nbsp;:</DT
+><DD
+><P
+> <TT
+CLASS="LITERAL"
+>TRUE</TT
+> if any input was processed, <TT
+CLASS="LITERAL"
+>FALSE</TT
+> otherwise.</P
+></DD
+></DL
+></DIV
+></DIV
+><HR><DIV
+CLASS="REFSECT2"
+><A
+NAME="BRO-CONN-DATA-SET"
+></A
+><H3
+>bro_conn_data_set ()</H3
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>void                bro_conn_data_set                   (BroConn *bc,
+                                                         const char *key,
+                                                         void *val);</PRE
+></TD
+></TR
+></TABLE
+><P
+>The function stores <TT
+CLASS="PARAMETER"
+>val</TT
+> under name <TT
+CLASS="PARAMETER"
+>key</TT
+> in the connection handle <TT
+CLASS="PARAMETER"
+>bc</TT
+>.
+<TT
+CLASS="PARAMETER"
+>key</TT
+> is copied internally so you do not need to duplicate it before
+passing.</P
+><P
+></P
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><TT
+CLASS="PARAMETER"
+>bc</TT
+>&nbsp;:</DT
+><DD
+><P
+> Bro connection handle.</P
+></DD
+><DT
+><TT
+CLASS="PARAMETER"
+>key</TT
+>&nbsp;:</DT
+><DD
+><P
+> name of the data item.</P
+></DD
+><DT
+><TT
+CLASS="PARAMETER"
+>val</TT
+>&nbsp;:</DT
+><DD
+><P
+> data item.</P
+></DD
+></DL
+></DIV
+></DIV
+><HR><DIV
+CLASS="REFSECT2"
+><A
+NAME="BRO-CONN-DATA-GET"
+></A
+><H3
+>bro_conn_data_get ()</H3
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>void*               bro_conn_data_get                   (BroConn *bc,
+                                                         const char *key);</PRE
+></TD
+></TR
+></TABLE
+><P
+>The function tries to look up the data item with name <TT
+CLASS="PARAMETER"
+>key</TT
+> and
+if found, returns it.</P
+><P
+></P
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><TT
+CLASS="PARAMETER"
+>bc</TT
+>&nbsp;:</DT
+><DD
+><P
+> Bro connection handle.</P
+></DD
+><DT
+><TT
+CLASS="PARAMETER"
+>key</TT
+>&nbsp;:</DT
+><DD
+><P
+> name of the data item.</P
+></DD
+><DT
+><SPAN
+CLASS="emphasis"
+><B
+CLASS="EMPHASIS"
+>Returns</B
+></SPAN
+>&nbsp;:</DT
+><DD
+><P
+> data item if lookup was successful, <TT
+CLASS="LITERAL"
+>NULL</TT
+> otherwise.</P
+></DD
+></DL
+></DIV
+></DIV
+><HR><DIV
+CLASS="REFSECT2"
+><A
+NAME="BRO-CONN-DATA-DEL"
+></A
+><H3
+>bro_conn_data_del ()</H3
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>void*               bro_conn_data_del                   (BroConn *bc,
+                                                         const char *key);</PRE
+></TD
+></TR
+></TABLE
+><P
+>The function tries to remove the data item with name <TT
+CLASS="PARAMETER"
+>key</TT
+>.</P
+><P
+></P
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><TT
+CLASS="PARAMETER"
+>bc</TT
+>&nbsp;:</DT
+><DD
+><P
+> Bro connection handle.</P
+></DD
+><DT
+><TT
+CLASS="PARAMETER"
+>key</TT
+>&nbsp;:</DT
+><DD
+><P
+> name of the data item.</P
+></DD
+><DT
+><SPAN
+CLASS="emphasis"
+><B
+CLASS="EMPHASIS"
+>Returns</B
+></SPAN
+>&nbsp;:</DT
+><DD
+><P
+> the removed data item if it exists, <TT
+CLASS="LITERAL"
+>NULL</TT
+> otherwise.</P
+></DD
+></DL
+></DIV
+></DIV
+><HR><DIV
+CLASS="REFSECT2"
+><A
+NAME="BRO-EVENT-NEW"
+></A
+><H3
+>bro_event_new ()</H3
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>BroEvent*           bro_event_new                       (const char *event_name);</PRE
+></TD
+></TR
+></TABLE
+><P
+>The function creates a new empty event with the given
+name and returns it.</P
+><P
+></P
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><TT
+CLASS="PARAMETER"
+>event_name</TT
+>&nbsp;:</DT
+><DD
+><P
+> name of the Bro event.</P
+></DD
+><DT
+><SPAN
+CLASS="emphasis"
+><B
+CLASS="EMPHASIS"
+>Returns</B
+></SPAN
+>&nbsp;:</DT
+><DD
+><P
+> new event, or <TT
+CLASS="LITERAL"
+>NULL</TT
+> if allocation failed.</P
+></DD
+></DL
+></DIV
+></DIV
+><HR><DIV
+CLASS="REFSECT2"
+><A
+NAME="BRO-EVENT-FREE"
+></A
+><H3
+>bro_event_free ()</H3
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>void                bro_event_free                      (BroEvent *be);</PRE
+></TD
+></TR
+></TABLE
+><P
+>The function releases all memory associated with <TT
+CLASS="PARAMETER"
+>be</TT
+>. Note 
+that you do NOT have to call this after sending an event.</P
+><P
+></P
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><TT
+CLASS="PARAMETER"
+>be</TT
+>&nbsp;:</DT
+><DD
+><P
+> event to release.</P
+></DD
+></DL
+></DIV
+></DIV
+><HR><DIV
+CLASS="REFSECT2"
+><A
+NAME="BRO-EVENT-ADD-VAL"
+></A
+><H3
+>bro_event_add_val ()</H3
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>int                 bro_event_add_val                   (BroEvent *be,
+                                                         int type,
+                                                         const char *type_name,
+                                                         const void *val);</PRE
+></TD
+></TR
+></TABLE
+><P
+>The function adds the given <TT
+CLASS="PARAMETER"
+>val</TT
+> to the argument list of
+event <TT
+CLASS="PARAMETER"
+>be</TT
+>. The type of <TT
+CLASS="PARAMETER"
+>val</TT
+> is derived from <TT
+CLASS="PARAMETER"
+>type</TT
+>, and may be
+specialized to the type named <TT
+CLASS="PARAMETER"
+>type_name</TT
+>. If <TT
+CLASS="PARAMETER"
+>type_name</TT
+> is not
+desired, use <TT
+CLASS="LITERAL"
+>NULL</TT
+>.</P
+><P
+><TT
+CLASS="PARAMETER"
+>val</TT
+> remains the caller's responsibility and is copied internally.</P
+><P
+></P
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><TT
+CLASS="PARAMETER"
+>be</TT
+>&nbsp;:</DT
+><DD
+><P
+> event to add to.</P
+></DD
+><DT
+><TT
+CLASS="PARAMETER"
+>type</TT
+>&nbsp;:</DT
+><DD
+><P
+> numerical type identifier (a <TT
+CLASS="LITERAL"
+>BRO_TYPE_xxx</TT
+> constant).</P
+></DD
+><DT
+><TT
+CLASS="PARAMETER"
+>type_name</TT
+>&nbsp;:</DT
+><DD
+><P
+> optional name of specialized type.</P
+></DD
+><DT
+><TT
+CLASS="PARAMETER"
+>val</TT
+>&nbsp;:</DT
+><DD
+><P
+> value to add to event.</P
+></DD
+><DT
+><SPAN
+CLASS="emphasis"
+><B
+CLASS="EMPHASIS"
+>Returns</B
+></SPAN
+>&nbsp;:</DT
+><DD
+><P
+> <TT
+CLASS="LITERAL"
+>TRUE</TT
+> if the operation was successful, <TT
+CLASS="LITERAL"
+>FALSE</TT
+> otherwise.</P
+></DD
+></DL
+></DIV
+></DIV
+><HR><DIV
+CLASS="REFSECT2"
+><A
+NAME="BRO-EVENT-SET-VAL"
+></A
+><H3
+>bro_event_set_val ()</H3
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>int                 bro_event_set_val                   (BroEvent *be,
+                                                         int val_num,
+                                                         int type,
+                                                         const char *type_name,
+                                                         const void *val);</PRE
+></TD
+></TR
+></TABLE
+><P
+>The function replaces whatever value is currently stored in the
+event pointed to by <TT
+CLASS="PARAMETER"
+>be</TT
+> with the val specified through the <TT
+CLASS="PARAMETER"
+>type</TT
+> and
+<TT
+CLASS="PARAMETER"
+>val</TT
+> arguments. If the event does not currently hold enough
+values to replace one in position <TT
+CLASS="PARAMETER"
+>val_num</TT
+>, the function does
+nothing. If you want to indicate a type specialized from <TT
+CLASS="PARAMETER"
+>type</TT
+>,
+use <TT
+CLASS="PARAMETER"
+>type_name</TT
+> to give its name, otherwise pass <TT
+CLASS="LITERAL"
+>NULL</TT
+> for <TT
+CLASS="PARAMETER"
+>type_name</TT
+>.</P
+><P
+></P
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><TT
+CLASS="PARAMETER"
+>be</TT
+>&nbsp;:</DT
+><DD
+><P
+> event handle.</P
+></DD
+><DT
+><TT
+CLASS="PARAMETER"
+>val_num</TT
+>&nbsp;:</DT
+><DD
+><P
+> number of the value to replace, starting at 0.</P
+></DD
+><DT
+><TT
+CLASS="PARAMETER"
+>type</TT
+>&nbsp;:</DT
+><DD
+><P
+> numerical type identifier (a <TT
+CLASS="LITERAL"
+>BRO_TYPE_xxx</TT
+> constant).</P
+></DD
+><DT
+><TT
+CLASS="PARAMETER"
+>type_name</TT
+>&nbsp;:</DT
+><DD
+><P
+> optional name of specialized type.</P
+></DD
+><DT
+><TT
+CLASS="PARAMETER"
+>val</TT
+>&nbsp;:</DT
+><DD
+><P
+> value to put in.</P
+></DD
+><DT
+><SPAN
+CLASS="emphasis"
+><B
+CLASS="EMPHASIS"
+>Returns</B
+></SPAN
+>&nbsp;:</DT
+><DD
+><P
+> <TT
+CLASS="LITERAL"
+>TRUE</TT
+> if successful, <TT
+CLASS="LITERAL"
+>FALSE</TT
+> on error.</P
+></DD
+></DL
+></DIV
+></DIV
+><HR><DIV
+CLASS="REFSECT2"
+><A
+NAME="BRO-EVENT-SEND"
+></A
+><H3
+>bro_event_send ()</H3
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>int                 bro_event_send                      (BroConn *bc,
+                                                         BroEvent *be);</PRE
+></TD
+></TR
+></TABLE
+><P
+>The function tries to send <TT
+CLASS="PARAMETER"
+>be</TT
+> to the Bro agent connected
+through <TT
+CLASS="PARAMETER"
+>bc</TT
+>. Regardless of the outcome, you do NOT have
+to release the event afterwards using <A
+HREF="broccoli-broccoli.html#BRO-EVENT-FREE"
+><CODE
+CLASS="FUNCTION"
+>bro_event_free()</CODE
+></A
+>.</P
+><P
+></P
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><TT
+CLASS="PARAMETER"
+>bc</TT
+>&nbsp;:</DT
+><DD
+><P
+> Bro connection handle</P
+></DD
+><DT
+><TT
+CLASS="PARAMETER"
+>be</TT
+>&nbsp;:</DT
+><DD
+><P
+> event to send.</P
+></DD
+><DT
+><SPAN
+CLASS="emphasis"
+><B
+CLASS="EMPHASIS"
+>Returns</B
+></SPAN
+>&nbsp;:</DT
+><DD
+><P
+> <TT
+CLASS="LITERAL"
+>TRUE</TT
+> if the event got sent or queued for later transmission,
+<TT
+CLASS="LITERAL"
+>FALSE</TT
+> on error. There are no automatic repeated send attempts
+(to minimize the effect on the code that Broccoli is linked to).
+If you have to make sure that everything got sent, you have
+to try to empty the queue using <A
+HREF="broccoli-broccoli.html#BRO-EVENT-QUEUE-FLUSH"
+><CODE
+CLASS="FUNCTION"
+>bro_event_queue_flush()</CODE
+></A
+>, and
+also look at <CODE
+CLASS="FUNCTION"
+>bro_event_queue_empty()</CODE
+>.</P
+></DD
+></DL
+></DIV
+></DIV
+><HR><DIV
+CLASS="REFSECT2"
+><A
+NAME="BRO-EVENT-QUEUE-LENGTH"
+></A
+><H3
+>bro_event_queue_length ()</H3
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>int                 bro_event_queue_length              (BroConn *bc);</PRE
+></TD
+></TR
+></TABLE
+><P
+>Use this function to find out how many events are currently queued
+on the client side.</P
+><P
+></P
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><TT
+CLASS="PARAMETER"
+>bc</TT
+>&nbsp;:</DT
+><DD
+><P
+> Bro connection handle</P
+></DD
+><DT
+><SPAN
+CLASS="emphasis"
+><B
+CLASS="EMPHASIS"
+>Returns</B
+></SPAN
+>&nbsp;:</DT
+><DD
+><P
+> number of items currently queued.</P
+></DD
+></DL
+></DIV
+></DIV
+><HR><DIV
+CLASS="REFSECT2"
+><A
+NAME="BRO-EVENT-QUEUE-FLUSH"
+></A
+><H3
+>bro_event_queue_flush ()</H3
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>int                 bro_event_queue_flush               (BroConn *bc);</PRE
+></TD
+></TR
+></TABLE
+><P
+>The function tries to send as many queued events to the Bro
+agent as possible.</P
+><P
+></P
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><TT
+CLASS="PARAMETER"
+>bc</TT
+>&nbsp;:</DT
+><DD
+><P
+> Bro connection handle</P
+></DD
+><DT
+><SPAN
+CLASS="emphasis"
+><B
+CLASS="EMPHASIS"
+>Returns</B
+></SPAN
+>&nbsp;:</DT
+><DD
+><P
+> remaining queue length after flush.</P
+></DD
+></DL
+></DIV
+></DIV
+><HR><DIV
+CLASS="REFSECT2"
+><A
+NAME="BRO-EVENT-REGISTRY-ADD"
+></A
+><H3
+>bro_event_registry_add ()</H3
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>void                bro_event_registry_add              (BroConn *bc,
+                                                         const char *event_name,
+                                                         <A
+HREF="broccoli-broccoli.html#BROEVENTFUNC"
+>BroEventFunc</A
+> func,
+                                                         void *user_data);</PRE
+></TD
+></TR
+></TABLE
+><P
+>This function registers the callback <TT
+CLASS="PARAMETER"
+>func</TT
+> to be invoked when events
+of name <TT
+CLASS="PARAMETER"
+>event_name</TT
+> arrive on connection <TT
+CLASS="PARAMETER"
+>bc</TT
+>. <TT
+CLASS="PARAMETER"
+>user_data</TT
+> is passed along
+to the callback, which will receive it as the second parameter. You
+need to ensure that the memory <TT
+CLASS="PARAMETER"
+>user_data</TT
+> points to is valid during the
+time the callback might be invoked.</P
+><P
+>Note that this function only registers the callback in the state
+associated with <TT
+CLASS="PARAMETER"
+>bc</TT
+>. If you use <A
+HREF="broccoli-broccoli.html#BRO-EVENT-REGISTRY-ADD"
+><CODE
+CLASS="FUNCTION"
+>bro_event_registry_add()</CODE
+></A
+> and <TT
+CLASS="PARAMETER"
+>bc</TT
+>
+has not yet been connected via <A
+HREF="broccoli-broccoli.html#BRO-CONN-CONNECT"
+><CODE
+CLASS="FUNCTION"
+>bro_conn_connect()</CODE
+></A
+>, then no further
+action is required. <A
+HREF="broccoli-broccoli.html#BRO-CONN-CONNECT"
+><CODE
+CLASS="FUNCTION"
+>bro_conn_connect()</CODE
+></A
+> request ant registered event types.
+If however you are requesting additional event types after the connection has
+been established, then you also need to call <A
+HREF="broccoli-broccoli.html#BRO-EVENT-REGISTRY-REQUEST"
+><CODE
+CLASS="FUNCTION"
+>bro_event_registry_request()</CODE
+></A
+>
+in order to signal to the peering Bro that you want to receive those events.</P
+><P
+></P
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><TT
+CLASS="PARAMETER"
+>bc</TT
+>&nbsp;:</DT
+><DD
+><P
+> Bro connection handle</P
+></DD
+><DT
+><TT
+CLASS="PARAMETER"
+>event_name</TT
+>&nbsp;:</DT
+><DD
+><P
+> Name of events that trigger callback</P
+></DD
+><DT
+><TT
+CLASS="PARAMETER"
+>func</TT
+>&nbsp;:</DT
+><DD
+><P
+> callback to invoke.</P
+></DD
+><DT
+><TT
+CLASS="PARAMETER"
+>user_data</TT
+>&nbsp;:</DT
+><DD
+><P
+> user data passed through to the callback.</P
+></DD
+></DL
+></DIV
+></DIV
+><HR><DIV
+CLASS="REFSECT2"
+><A
+NAME="BRO-EVENT-REGISTRY-ADD-COMPACT"
+></A
+><H3
+>bro_event_registry_add_compact ()</H3
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>void                bro_event_registry_add_compact      (BroConn *bc,
+                                                         const char *event_name,
+                                                         <A
+HREF="broccoli-broccoli.html#BROCOMPACTEVENTFUNC"
+>BroCompactEventFunc</A
+> func,
+                                                         void *user_data);</PRE
+></TD
+></TR
+></TABLE
+><P
+>This function registers the callback <TT
+CLASS="PARAMETER"
+>func</TT
+> to be invoked when events
+of name <TT
+CLASS="PARAMETER"
+>event_name</TT
+> arrive on connection <TT
+CLASS="PARAMETER"
+>bc</TT
+>. <TT
+CLASS="PARAMETER"
+>user_data</TT
+> is passed along
+to the callback, which will receive it as the second parameter. You
+need to ensure that the memory <TT
+CLASS="PARAMETER"
+>user_data</TT
+> points to is valid during the
+time the callback might be invoked. See <A
+HREF="broccoli-broccoli.html#BRO-EVENT-REGISTRY-ADD"
+><CODE
+CLASS="FUNCTION"
+>bro_event_registry_add()</CODE
+></A
+> for
+details.</P
+><P
+></P
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><TT
+CLASS="PARAMETER"
+>bc</TT
+>&nbsp;:</DT
+><DD
+><P
+> Bro connection handle</P
+></DD
+><DT
+><TT
+CLASS="PARAMETER"
+>event_name</TT
+>&nbsp;:</DT
+><DD
+><P
+> Name of events that trigger callback</P
+></DD
+><DT
+><TT
+CLASS="PARAMETER"
+>func</TT
+>&nbsp;:</DT
+><DD
+><P
+> callback to invoke.</P
+></DD
+><DT
+><TT
+CLASS="PARAMETER"
+>user_data</TT
+>&nbsp;:</DT
+><DD
+><P
+> user data passed through to the callback.</P
+></DD
+></DL
+></DIV
+></DIV
+><HR><DIV
+CLASS="REFSECT2"
+><A
+NAME="BRO-EVENT-REGISTRY-REMOVE"
+></A
+><H3
+>bro_event_registry_remove ()</H3
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>void                bro_event_registry_remove           (BroConn *bc,
+                                                         const char *event_name);</PRE
+></TD
+></TR
+></TABLE
+><P
+>The function removes all callbacks for event <TT
+CLASS="PARAMETER"
+>event_name</TT
+> from the
+event registry for connection <TT
+CLASS="PARAMETER"
+>bc</TT
+>.</P
+><P
+></P
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><TT
+CLASS="PARAMETER"
+>bc</TT
+>&nbsp;:</DT
+><DD
+><P
+> Bro connection handle</P
+></DD
+><DT
+><TT
+CLASS="PARAMETER"
+>event_name</TT
+>&nbsp;:</DT
+><DD
+><P
+> event to ignore from now on.</P
+></DD
+></DL
+></DIV
+></DIV
+><HR><DIV
+CLASS="REFSECT2"
+><A
+NAME="BRO-EVENT-REGISTRY-REQUEST"
+></A
+><H3
+>bro_event_registry_request ()</H3
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>void                bro_event_registry_request          (BroConn *bc);</PRE
+></TD
+></TR
+></TABLE
+><P
+>The function requests the events you have previously requested using
+<A
+HREF="broccoli-broccoli.html#BRO-EVENT-REGISTRY-ADD"
+><CODE
+CLASS="FUNCTION"
+>bro_event_registry_add()</CODE
+></A
+> from the Bro listening on <TT
+CLASS="PARAMETER"
+>bc</TT
+>.</P
+><P
+></P
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><TT
+CLASS="PARAMETER"
+>bc</TT
+>&nbsp;:</DT
+><DD
+><P
+> Bro connection handle</P
+></DD
+></DL
+></DIV
+></DIV
+><HR><DIV
+CLASS="REFSECT2"
+><A
+NAME="BRO-BUF-NEW"
+></A
+><H3
+>bro_buf_new ()</H3
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>BroBuf*             bro_buf_new                         (void);</PRE
+></TD
+></TR
+></TABLE
+><P
+></P
+><P
+></P
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><SPAN
+CLASS="emphasis"
+><B
+CLASS="EMPHASIS"
+>Returns</B
+></SPAN
+>&nbsp;:</DT
+><DD
+><P
+>a new buffer object, or <TT
+CLASS="LITERAL"
+>NULL</TT
+> on error. Use paired with
+<A
+HREF="broccoli-broccoli.html#BRO-BUF-FREE"
+><CODE
+CLASS="FUNCTION"
+>bro_buf_free()</CODE
+></A
+>.</P
+></DD
+></DL
+></DIV
+></DIV
+><HR><DIV
+CLASS="REFSECT2"
+><A
+NAME="BRO-BUF-FREE"
+></A
+><H3
+>bro_buf_free ()</H3
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>void                bro_buf_free                        (BroBuf *buf);</PRE
+></TD
+></TR
+></TABLE
+><P
+>The function releases all memory held by the buffer pointed
+to by <TT
+CLASS="PARAMETER"
+>buf</TT
+>. Use paired with <A
+HREF="broccoli-broccoli.html#BRO-BUF-NEW"
+><CODE
+CLASS="FUNCTION"
+>bro_buf_new()</CODE
+></A
+>.</P
+><P
+></P
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><TT
+CLASS="PARAMETER"
+>buf</TT
+>&nbsp;:</DT
+><DD
+><P
+> buffer pointer.</P
+></DD
+></DL
+></DIV
+></DIV
+><HR><DIV
+CLASS="REFSECT2"
+><A
+NAME="BRO-BUF-APPEND"
+></A
+><H3
+>bro_buf_append ()</H3
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>int                 bro_buf_append                      (BroBuf *buf,
+                                                         void *data,
+                                                         int data_len);</PRE
+></TD
+></TR
+></TABLE
+><P
+>The function appends data to the end of the buffer,
+enlarging it if necessary to hold the <TT
+CLASS="PARAMETER"
+>len</TT
+> new bytes.
+NOTE: it does not modify the buffer pointer. It only
+appends new data where buf_off is currently pointing
+and updates it accordingly. If you DO want the buffer
+pointer to be updated, have a look at <A
+HREF="broccoli-broccoli.html#BRO-BUF-PTR-WRITE"
+><CODE
+CLASS="FUNCTION"
+>bro_buf_ptr_write()</CODE
+></A
+>
+instead.</P
+><P
+></P
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><TT
+CLASS="PARAMETER"
+>buf</TT
+>&nbsp;:</DT
+><DD
+><P
+> buffer pointer.</P
+></DD
+><DT
+><TT
+CLASS="PARAMETER"
+>data</TT
+>&nbsp;:</DT
+><DD
+><P
+> new data to append to buffer.</P
+></DD
+><DT
+><TT
+CLASS="PARAMETER"
+>data_len</TT
+>&nbsp;:</DT
+><DD
+><P
+> size of <TT
+CLASS="PARAMETER"
+>data</TT
+>.</P
+></DD
+><DT
+><SPAN
+CLASS="emphasis"
+><B
+CLASS="EMPHASIS"
+>Returns</B
+></SPAN
+>&nbsp;:</DT
+><DD
+><P
+> <TT
+CLASS="LITERAL"
+>TRUE</TT
+> if successful, <TT
+CLASS="LITERAL"
+>FALSE</TT
+> otherwise.</P
+></DD
+></DL
+></DIV
+></DIV
+><HR><DIV
+CLASS="REFSECT2"
+><A
+NAME="BRO-BUF-CONSUME"
+></A
+><H3
+>bro_buf_consume ()</H3
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>void                bro_buf_consume                     (BroBuf *buf);</PRE
+></TD
+></TR
+></TABLE
+><P
+>The function removes the buffer contents between the start
+of the buffer and the point where the buffer pointer
+currently points to. The idea is that you call <A
+HREF="broccoli-broccoli.html#BRO-BUF-PTR-READ"
+><CODE
+CLASS="FUNCTION"
+>bro_buf_ptr_read()</CODE
+></A
+>
+a few times to extract data from the buffer, and then
+call <A
+HREF="broccoli-broccoli.html#BRO-BUF-CONSUME"
+><CODE
+CLASS="FUNCTION"
+>bro_buf_consume()</CODE
+></A
+> to signal to the buffer that the
+extracted data are no longer needed inside the buffer.</P
+><P
+></P
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><TT
+CLASS="PARAMETER"
+>buf</TT
+>&nbsp;:</DT
+><DD
+><P
+> buffer pointer.</P
+></DD
+></DL
+></DIV
+></DIV
+><HR><DIV
+CLASS="REFSECT2"
+><A
+NAME="BRO-BUF-RESET"
+></A
+><H3
+>bro_buf_reset ()</H3
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>void                bro_buf_reset                       (BroBuf *buf);</PRE
+></TD
+></TR
+></TABLE
+><P
+>The function resets the buffer pointers to the beginning of the
+currently allocated buffer, i.e., it marks the buffer as empty.</P
+><P
+></P
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><TT
+CLASS="PARAMETER"
+>buf</TT
+>&nbsp;:</DT
+><DD
+><P
+> buffer pointer.</P
+></DD
+></DL
+></DIV
+></DIV
+><HR><DIV
+CLASS="REFSECT2"
+><A
+NAME="BRO-BUF-GET"
+></A
+><H3
+>bro_buf_get ()</H3
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>uchar*              bro_buf_get                         (BroBuf *buf);</PRE
+></TD
+></TR
+></TABLE
+><P
+></P
+><P
+></P
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><TT
+CLASS="PARAMETER"
+>buf</TT
+>&nbsp;:</DT
+><DD
+><P
+> buffer pointer.</P
+></DD
+><DT
+><SPAN
+CLASS="emphasis"
+><B
+CLASS="EMPHASIS"
+>Returns</B
+></SPAN
+>&nbsp;:</DT
+><DD
+><P
+>the entire buffer's contents.</P
+></DD
+></DL
+></DIV
+></DIV
+><HR><DIV
+CLASS="REFSECT2"
+><A
+NAME="BRO-BUF-GET-END"
+></A
+><H3
+>bro_buf_get_end ()</H3
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>uchar*              bro_buf_get_end                     (BroBuf *buf);</PRE
+></TD
+></TR
+></TABLE
+><P
+></P
+><P
+></P
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><TT
+CLASS="PARAMETER"
+>buf</TT
+>&nbsp;:</DT
+><DD
+><P
+> buffer pointer.</P
+></DD
+><DT
+><SPAN
+CLASS="emphasis"
+><B
+CLASS="EMPHASIS"
+>Returns</B
+></SPAN
+>&nbsp;:</DT
+><DD
+><P
+> a pointer to the first byte in the
+buffer that is not currently used.</P
+></DD
+></DL
+></DIV
+></DIV
+><HR><DIV
+CLASS="REFSECT2"
+><A
+NAME="BRO-BUF-GET-SIZE"
+></A
+><H3
+>bro_buf_get_size ()</H3
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>uint                bro_buf_get_size                    (BroBuf *buf);</PRE
+></TD
+></TR
+></TABLE
+><P
+></P
+><P
+></P
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><TT
+CLASS="PARAMETER"
+>buf</TT
+>&nbsp;:</DT
+><DD
+><P
+> buffer pointer.</P
+></DD
+><DT
+><SPAN
+CLASS="emphasis"
+><B
+CLASS="EMPHASIS"
+>Returns</B
+></SPAN
+>&nbsp;:</DT
+><DD
+><P
+> the number of actual bytes allocated for the
+buffer.</P
+></DD
+></DL
+></DIV
+></DIV
+><HR><DIV
+CLASS="REFSECT2"
+><A
+NAME="BRO-BUF-GET-USED-SIZE"
+></A
+><H3
+>bro_buf_get_used_size ()</H3
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>uint                bro_buf_get_used_size               (BroBuf *buf);</PRE
+></TD
+></TR
+></TABLE
+><P
+></P
+><P
+></P
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><TT
+CLASS="PARAMETER"
+>buf</TT
+>&nbsp;:</DT
+><DD
+><P
+> buffer pointer.</P
+></DD
+><DT
+><SPAN
+CLASS="emphasis"
+><B
+CLASS="EMPHASIS"
+>Returns</B
+></SPAN
+>&nbsp;:</DT
+><DD
+><P
+> number of bytes currently used.</P
+></DD
+></DL
+></DIV
+></DIV
+><HR><DIV
+CLASS="REFSECT2"
+><A
+NAME="BRO-BUF-PTR-GET"
+></A
+><H3
+>bro_buf_ptr_get ()</H3
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>uchar*              bro_buf_ptr_get                     (BroBuf *buf);</PRE
+></TD
+></TR
+></TABLE
+><P
+></P
+><P
+></P
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><TT
+CLASS="PARAMETER"
+>buf</TT
+>&nbsp;:</DT
+><DD
+><P
+> buffer pointer.</P
+></DD
+><DT
+><SPAN
+CLASS="emphasis"
+><B
+CLASS="EMPHASIS"
+>Returns</B
+></SPAN
+>&nbsp;:</DT
+><DD
+><P
+> current buffer content pointer.</P
+></DD
+></DL
+></DIV
+></DIV
+><HR><DIV
+CLASS="REFSECT2"
+><A
+NAME="BRO-BUF-PTR-TELL"
+></A
+><H3
+>bro_buf_ptr_tell ()</H3
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>uint32              bro_buf_ptr_tell                    (BroBuf *buf);</PRE
+></TD
+></TR
+></TABLE
+><P
+></P
+><P
+></P
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><TT
+CLASS="PARAMETER"
+>buf</TT
+>&nbsp;:</DT
+><DD
+><P
+> buffer pointer.</P
+></DD
+><DT
+><SPAN
+CLASS="emphasis"
+><B
+CLASS="EMPHASIS"
+>Returns</B
+></SPAN
+>&nbsp;:</DT
+><DD
+><P
+> current offset of buffer content pointer.</P
+></DD
+></DL
+></DIV
+></DIV
+><HR><DIV
+CLASS="REFSECT2"
+><A
+NAME="BRO-BUF-PTR-SEEK"
+></A
+><H3
+>bro_buf_ptr_seek ()</H3
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>int                 bro_buf_ptr_seek                    (BroBuf *buf,
+                                                         int offset,
+                                                         int whence);</PRE
+></TD
+></TR
+></TABLE
+><P
+>The function adjusts the position of <TT
+CLASS="PARAMETER"
+>buf</TT
+>'s content
+pointer. Call semantics are identical to <CODE
+CLASS="FUNCTION"
+>fseek()</CODE
+>, thus
+use <TT
+CLASS="PARAMETER"
+>offset</TT
+> to indicate the offset by which to jump and
+use <TT
+CLASS="LITERAL"
+>SEEK_SET</TT
+>, <TT
+CLASS="LITERAL"
+>SEEK_CUR</TT
+>, or <TT
+CLASS="LITERAL"
+>SEEK_END</TT
+> to specify the
+position relative to which to adjust.</P
+><P
+></P
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><TT
+CLASS="PARAMETER"
+>buf</TT
+>&nbsp;:</DT
+><DD
+><P
+> buffer pointer.</P
+></DD
+><DT
+><TT
+CLASS="PARAMETER"
+>offset</TT
+>&nbsp;:</DT
+><DD
+><P
+> number of bytes by which to adjust pointer, positive or negative.</P
+></DD
+><DT
+><TT
+CLASS="PARAMETER"
+>whence</TT
+>&nbsp;:</DT
+><DD
+><P
+> location relative to which to adjust.</P
+></DD
+><DT
+><SPAN
+CLASS="emphasis"
+><B
+CLASS="EMPHASIS"
+>Returns</B
+></SPAN
+>&nbsp;:</DT
+><DD
+><P
+> <TT
+CLASS="LITERAL"
+>TRUE</TT
+> if adjustment could be made, <TT
+CLASS="LITERAL"
+>FALSE</TT
+>
+if not (e.g. because the offset requested is not within
+legal bounds).</P
+></DD
+></DL
+></DIV
+></DIV
+><HR><DIV
+CLASS="REFSECT2"
+><A
+NAME="BRO-BUF-PTR-CHECK"
+></A
+><H3
+>bro_buf_ptr_check ()</H3
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>int                 bro_buf_ptr_check                   (BroBuf *buf,
+                                                         int size);</PRE
+></TD
+></TR
+></TABLE
+><P
+>The function checks whether <TT
+CLASS="PARAMETER"
+>size</TT
+> bytes could be read from the
+buffer using <A
+HREF="broccoli-broccoli.html#BRO-BUF-PTR-READ"
+><CODE
+CLASS="FUNCTION"
+>bro_buf_ptr_read()</CODE
+></A
+>.</P
+><P
+></P
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><TT
+CLASS="PARAMETER"
+>buf</TT
+>&nbsp;:</DT
+><DD
+><P
+> buffer pointer.</P
+></DD
+><DT
+><TT
+CLASS="PARAMETER"
+>size</TT
+>&nbsp;:</DT
+><DD
+><P
+> number of bytes to check for availability.</P
+></DD
+><DT
+><SPAN
+CLASS="emphasis"
+><B
+CLASS="EMPHASIS"
+>Returns</B
+></SPAN
+>&nbsp;:</DT
+><DD
+><P
+> <TT
+CLASS="LITERAL"
+>TRUE</TT
+> if <TT
+CLASS="PARAMETER"
+>size</TT
+> bytes can be read, <TT
+CLASS="LITERAL"
+>FALSE</TT
+> if not.</P
+></DD
+></DL
+></DIV
+></DIV
+><HR><DIV
+CLASS="REFSECT2"
+><A
+NAME="BRO-BUF-PTR-READ"
+></A
+><H3
+>bro_buf_ptr_read ()</H3
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>int                 bro_buf_ptr_read                    (BroBuf *buf,
+                                                         void *data,
+                                                         int size);</PRE
+></TD
+></TR
+></TABLE
+><P
+>The function copies <TT
+CLASS="PARAMETER"
+>size</TT
+> bytes into <TT
+CLASS="PARAMETER"
+>data</TT
+> if the buffer
+has <TT
+CLASS="PARAMETER"
+>size</TT
+> bytes available from the current location of
+the buffer content pointer onward, incrementing the content
+pointer accordingly. If not, the function doesn't do anything.
+It behaves thus different from the normal <CODE
+CLASS="FUNCTION"
+>read()</CODE
+> in that
+it either copies the amount requested or nothing.</P
+><P
+></P
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><TT
+CLASS="PARAMETER"
+>buf</TT
+>&nbsp;:</DT
+><DD
+><P
+> buffer pointer.</P
+></DD
+><DT
+><TT
+CLASS="PARAMETER"
+>data</TT
+>&nbsp;:</DT
+><DD
+><P
+> destination area.</P
+></DD
+><DT
+><TT
+CLASS="PARAMETER"
+>size</TT
+>&nbsp;:</DT
+><DD
+><P
+> number of bytes to copy into <TT
+CLASS="PARAMETER"
+>data</TT
+>.</P
+></DD
+><DT
+><SPAN
+CLASS="emphasis"
+><B
+CLASS="EMPHASIS"
+>Returns</B
+></SPAN
+>&nbsp;:</DT
+><DD
+><P
+> <TT
+CLASS="LITERAL"
+>TRUE</TT
+> if <TT
+CLASS="PARAMETER"
+>size</TT
+> bytes were copied, <TT
+CLASS="LITERAL"
+>FALSE</TT
+> if not.</P
+></DD
+></DL
+></DIV
+></DIV
+><HR><DIV
+CLASS="REFSECT2"
+><A
+NAME="BRO-BUF-PTR-WRITE"
+></A
+><H3
+>bro_buf_ptr_write ()</H3
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>int                 bro_buf_ptr_write                   (BroBuf *buf,
+                                                         void *data,
+                                                         int size);</PRE
+></TD
+></TR
+></TABLE
+><P
+>The function writes <TT
+CLASS="PARAMETER"
+>size</TT
+> bytes of the area pointed to by <TT
+CLASS="PARAMETER"
+>data</TT
+>
+into the buffer <TT
+CLASS="PARAMETER"
+>buf</TT
+> at the current location of its content pointer,
+adjusting the content pointer accordingly. If the buffer doesn't have
+enough space to receive <TT
+CLASS="PARAMETER"
+>size</TT
+> bytes, more space is allocated.</P
+><P
+></P
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><TT
+CLASS="PARAMETER"
+>buf</TT
+>&nbsp;:</DT
+><DD
+><P
+> buffer pointer.</P
+></DD
+><DT
+><TT
+CLASS="PARAMETER"
+>data</TT
+>&nbsp;:</DT
+><DD
+><P
+> data to write.</P
+></DD
+><DT
+><TT
+CLASS="PARAMETER"
+>size</TT
+>&nbsp;:</DT
+><DD
+><P
+> number of bytes to copy into <TT
+CLASS="PARAMETER"
+>data</TT
+>.</P
+></DD
+><DT
+><SPAN
+CLASS="emphasis"
+><B
+CLASS="EMPHASIS"
+>Returns</B
+></SPAN
+>&nbsp;:</DT
+><DD
+><P
+> <TT
+CLASS="LITERAL"
+>TRUE</TT
+> if <TT
+CLASS="PARAMETER"
+>size</TT
+> bytes were copied, <TT
+CLASS="LITERAL"
+>FALSE</TT
+> if an error
+occurred and the bytes could not be copied.</P
+></DD
+></DL
+></DIV
+></DIV
+><HR><DIV
+CLASS="REFSECT2"
+><A
+NAME="BRO-CONF-GET-INT"
+></A
+><H3
+>bro_conf_get_int ()</H3
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>int                 bro_conf_get_int                    (const char *val_name,
+                                                         int *val);</PRE
+></TD
+></TR
+></TABLE
+><P
+>The function tries to find an integer item named <TT
+CLASS="PARAMETER"
+>val_name</TT
+> in the
+configuration. If it is found, its value is placed into the
+int pointed to by <TT
+CLASS="PARAMETER"
+>val</TT
+>.</P
+><P
+></P
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><TT
+CLASS="PARAMETER"
+>val_name</TT
+>&nbsp;:</DT
+><DD
+><P
+> key name for the value.</P
+></DD
+><DT
+><TT
+CLASS="PARAMETER"
+>val</TT
+>&nbsp;:</DT
+><DD
+><P
+> result pointer for the value.</P
+></DD
+><DT
+><SPAN
+CLASS="emphasis"
+><B
+CLASS="EMPHASIS"
+>Returns</B
+></SPAN
+>&nbsp;:</DT
+><DD
+><P
+> <TT
+CLASS="LITERAL"
+>TRUE</TT
+> if <TT
+CLASS="PARAMETER"
+>val_name</TT
+> was found, <TT
+CLASS="LITERAL"
+>FALSE</TT
+> otherwise.</P
+></DD
+></DL
+></DIV
+></DIV
+><HR><DIV
+CLASS="REFSECT2"
+><A
+NAME="BRO-CONF-GET-DBL"
+></A
+><H3
+>bro_conf_get_dbl ()</H3
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>int                 bro_conf_get_dbl                    (const char *val_name,
+                                                         double *val);</PRE
+></TD
+></TR
+></TABLE
+><P
+>The function tries to find a double float item named <TT
+CLASS="PARAMETER"
+>val_name</TT
+> 
+in the configuration. If it is found, its value is placed into the
+double pointed to by <TT
+CLASS="PARAMETER"
+>val</TT
+>.</P
+><P
+></P
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><TT
+CLASS="PARAMETER"
+>val_name</TT
+>&nbsp;:</DT
+><DD
+><P
+> key name for the value.</P
+></DD
+><DT
+><TT
+CLASS="PARAMETER"
+>val</TT
+>&nbsp;:</DT
+><DD
+><P
+> result pointer for the value.</P
+></DD
+><DT
+><SPAN
+CLASS="emphasis"
+><B
+CLASS="EMPHASIS"
+>Returns</B
+></SPAN
+>&nbsp;:</DT
+><DD
+><P
+> <TT
+CLASS="LITERAL"
+>TRUE</TT
+> if <TT
+CLASS="PARAMETER"
+>val_name</TT
+> was found, <TT
+CLASS="LITERAL"
+>FALSE</TT
+> otherwise.</P
+></DD
+></DL
+></DIV
+></DIV
+><HR><DIV
+CLASS="REFSECT2"
+><A
+NAME="BRO-CONF-GET-STR"
+></A
+><H3
+>bro_conf_get_str ()</H3
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>const char*         bro_conf_get_str                    (const char *val_name);</PRE
+></TD
+></TR
+></TABLE
+><P
+>The function tries to find a string item named <TT
+CLASS="PARAMETER"
+>val_name</TT
+> in the
+configuration.</P
+><P
+></P
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><TT
+CLASS="PARAMETER"
+>val_name</TT
+>&nbsp;:</DT
+><DD
+><P
+> key name for the value.</P
+></DD
+><DT
+><SPAN
+CLASS="emphasis"
+><B
+CLASS="EMPHASIS"
+>Returns</B
+></SPAN
+>&nbsp;:</DT
+><DD
+><P
+> the config item if <TT
+CLASS="PARAMETER"
+>val_name</TT
+> was found, <TT
+CLASS="LITERAL"
+>NULL</TT
+> otherwise.
+A returned string is stored internally and not to be modified. If
+you need to keep it around, <CODE
+CLASS="FUNCTION"
+>strdup()</CODE
+> it.</P
+></DD
+></DL
+></DIV
+></DIV
+><HR><DIV
+CLASS="REFSECT2"
+><A
+NAME="BRO-CONF-SET-DOMAIN"
+></A
+><H3
+>bro_conf_set_domain ()</H3
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>void                bro_conf_set_domain                 (const char *domain);</PRE
+></TD
+></TR
+></TABLE
+><P
+>Broccoli's config files are divided into sections. At the beginning of
+each config file you can have an unnamed section that will be used by
+default. Case is irrelevant. By passing <TT
+CLASS="LITERAL"
+>NULL</TT
+> for <TT
+CLASS="PARAMETER"
+>domain</TT
+>, you select
+the default domain, otherwise the one that matches <TT
+CLASS="PARAMETER"
+>domain</TT
+>. <TT
+CLASS="PARAMETER"
+>domain</TT
+> is
+copied internally.</P
+><P
+></P
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><TT
+CLASS="PARAMETER"
+>domain</TT
+>&nbsp;:</DT
+><DD
+><P
+> name of the domain, or <TT
+CLASS="LITERAL"
+>NULL</TT
+>.</P
+></DD
+></DL
+></DIV
+></DIV
+><HR><DIV
+CLASS="REFSECT2"
+><A
+NAME="BRO-STRING-INIT"
+></A
+><H3
+>bro_string_init ()</H3
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>void                bro_string_init                     (BroString *bs);</PRE
+></TD
+></TR
+></TABLE
+><P
+>The function initializes the BroString pointed to by <TT
+CLASS="PARAMETER"
+>bs</TT
+>. Use this
+function before using the members of a BroString you're using on the
+stack.</P
+><P
+></P
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><TT
+CLASS="PARAMETER"
+>bs</TT
+>&nbsp;:</DT
+><DD
+><P
+> string pointer.</P
+></DD
+></DL
+></DIV
+></DIV
+><HR><DIV
+CLASS="REFSECT2"
+><A
+NAME="BRO-STRING-SET"
+></A
+><H3
+>bro_string_set ()</H3
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>int                 bro_string_set                      (BroString *bs,
+                                                         const char *s);</PRE
+></TD
+></TR
+></TABLE
+><P
+>The function initializes the BroString pointed to by <TT
+CLASS="PARAMETER"
+>bs</TT
+> to the string
+given in <TT
+CLASS="PARAMETER"
+>s</TT
+>. <TT
+CLASS="PARAMETER"
+>s</TT
+>'s content is copied, so you can modify or free <TT
+CLASS="PARAMETER"
+>s</TT
+>
+after calling this, and you need to call <A
+HREF="broccoli-broccoli.html#BRO-STRING-CLEANUP"
+><CODE
+CLASS="FUNCTION"
+>bro_string_cleanup()</CODE
+></A
+> on the
+BroString pointed to by <TT
+CLASS="PARAMETER"
+>bs</TT
+>.</P
+><P
+></P
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><TT
+CLASS="PARAMETER"
+>bs</TT
+>&nbsp;:</DT
+><DD
+><P
+> string pointer.</P
+></DD
+><DT
+><TT
+CLASS="PARAMETER"
+>s</TT
+>&nbsp;:</DT
+><DD
+><P
+> C ASCII string.</P
+></DD
+><DT
+><SPAN
+CLASS="emphasis"
+><B
+CLASS="EMPHASIS"
+>Returns</B
+></SPAN
+>&nbsp;:</DT
+><DD
+><P
+> <TT
+CLASS="LITERAL"
+>TRUE</TT
+> is successful, <TT
+CLASS="LITERAL"
+>FALSE</TT
+> otherwise.</P
+></DD
+></DL
+></DIV
+></DIV
+><HR><DIV
+CLASS="REFSECT2"
+><A
+NAME="BRO-STRING-SET-DATA"
+></A
+><H3
+>bro_string_set_data ()</H3
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>int                 bro_string_set_data                 (BroString *bs,
+                                                         const uchar *data,
+                                                         int data_len);</PRE
+></TD
+></TR
+></TABLE
+><P
+>The function initializes the BroString pointed to by <TT
+CLASS="PARAMETER"
+>bs</TT
+> to <TT
+CLASS="PARAMETER"
+>data_len</TT
+>
+bytes starting at <TT
+CLASS="PARAMETER"
+>data</TT
+>. <TT
+CLASS="PARAMETER"
+>data</TT
+>'s content is copied, so you can modify
+or free <TT
+CLASS="PARAMETER"
+>data</TT
+> after calling this.</P
+><P
+></P
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><TT
+CLASS="PARAMETER"
+>bs</TT
+>&nbsp;:</DT
+><DD
+><P
+> string pointer.</P
+></DD
+><DT
+><TT
+CLASS="PARAMETER"
+>data</TT
+>&nbsp;:</DT
+><DD
+><P
+> arbitrary data.</P
+></DD
+><DT
+><TT
+CLASS="PARAMETER"
+>data_len</TT
+>&nbsp;:</DT
+><DD
+><P
+> length of <TT
+CLASS="PARAMETER"
+>data</TT
+>.</P
+></DD
+><DT
+><SPAN
+CLASS="emphasis"
+><B
+CLASS="EMPHASIS"
+>Returns</B
+></SPAN
+>&nbsp;:</DT
+><DD
+><P
+> <TT
+CLASS="LITERAL"
+>TRUE</TT
+> is successful, <TT
+CLASS="LITERAL"
+>FALSE</TT
+> otherwise.</P
+></DD
+></DL
+></DIV
+></DIV
+><HR><DIV
+CLASS="REFSECT2"
+><A
+NAME="BRO-STRING-GET-DATA"
+></A
+><H3
+>bro_string_get_data ()</H3
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>const uchar*        bro_string_get_data                 (const BroString *bs);</PRE
+></TD
+></TR
+></TABLE
+><P
+>The function returns a pointer to the string's internal data. You
+can copy out the string using this function in combination with
+<A
+HREF="broccoli-broccoli.html#BRO-STRING-GET-LENGTH"
+><CODE
+CLASS="FUNCTION"
+>bro_string_get_length()</CODE
+></A
+>, for obtaining the string's length.</P
+><P
+></P
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><TT
+CLASS="PARAMETER"
+>bs</TT
+>&nbsp;:</DT
+><DD
+><P
+> string pointer.</P
+></DD
+><DT
+><SPAN
+CLASS="emphasis"
+><B
+CLASS="EMPHASIS"
+>Returns</B
+></SPAN
+>&nbsp;:</DT
+><DD
+><P
+> pointer to string, or <TT
+CLASS="LITERAL"
+>NULL</TT
+> on error.</P
+></DD
+></DL
+></DIV
+></DIV
+><HR><DIV
+CLASS="REFSECT2"
+><A
+NAME="BRO-STRING-GET-LENGTH"
+></A
+><H3
+>bro_string_get_length ()</H3
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>uint32              bro_string_get_length               (const BroString *bs);</PRE
+></TD
+></TR
+></TABLE
+><P
+></P
+><P
+></P
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><TT
+CLASS="PARAMETER"
+>bs</TT
+>&nbsp;:</DT
+><DD
+><P
+> string pointer.</P
+></DD
+><DT
+><SPAN
+CLASS="emphasis"
+><B
+CLASS="EMPHASIS"
+>Returns</B
+></SPAN
+>&nbsp;:</DT
+><DD
+><P
+> the string's length.</P
+></DD
+></DL
+></DIV
+></DIV
+><HR><DIV
+CLASS="REFSECT2"
+><A
+NAME="BRO-STRING-COPY"
+></A
+><H3
+>bro_string_copy ()</H3
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>BroString*          bro_string_copy                     (BroString *bs);</PRE
+></TD
+></TR
+></TABLE
+><P
+></P
+><P
+></P
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><TT
+CLASS="PARAMETER"
+>bs</TT
+>&nbsp;:</DT
+><DD
+><P
+> string pointer.</P
+></DD
+><DT
+><SPAN
+CLASS="emphasis"
+><B
+CLASS="EMPHASIS"
+>Returns</B
+></SPAN
+>&nbsp;:</DT
+><DD
+><P
+> a deep copy of the BroString pointed to by <TT
+CLASS="PARAMETER"
+>bs</TT
+>, or <TT
+CLASS="LITERAL"
+>NULL</TT
+> on
+error.</P
+></DD
+></DL
+></DIV
+></DIV
+><HR><DIV
+CLASS="REFSECT2"
+><A
+NAME="BRO-STRING-CLEANUP"
+></A
+><H3
+>bro_string_cleanup ()</H3
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>void                bro_string_cleanup                  (BroString *bs);</PRE
+></TD
+></TR
+></TABLE
+><P
+>This function releases all contents claimed by the BroString pointed
+to by <TT
+CLASS="PARAMETER"
+>bs</TT
+>, without releasing that BroString structure itself. Use
+this when manipulating a BroString on the stack, paired with
+<A
+HREF="broccoli-broccoli.html#BRO-STRING-INIT"
+><CODE
+CLASS="FUNCTION"
+>bro_string_init()</CODE
+></A
+>.</P
+><P
+></P
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><TT
+CLASS="PARAMETER"
+>bs</TT
+>&nbsp;:</DT
+><DD
+><P
+> string pointer.</P
+></DD
+></DL
+></DIV
+></DIV
+><HR><DIV
+CLASS="REFSECT2"
+><A
+NAME="BRO-STRING-FREE"
+></A
+><H3
+>bro_string_free ()</H3
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>void                bro_string_free                     (BroString *bs);</PRE
+></TD
+></TR
+></TABLE
+><P
+>This function releases the entire BroString pointed to by <TT
+CLASS="PARAMETER"
+>bs</TT
+>, including
+the BroString structure itself.</P
+><P
+></P
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><TT
+CLASS="PARAMETER"
+>bs</TT
+>&nbsp;:</DT
+><DD
+><P
+> string pointer.</P
+></DD
+></DL
+></DIV
+></DIV
+><HR><DIV
+CLASS="REFSECT2"
+><A
+NAME="BRO-RECORD-NEW"
+></A
+><H3
+>bro_record_new ()</H3
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>BroRecord*          bro_record_new                      (void);</PRE
+></TD
+></TR
+></TABLE
+><P
+>The function allocates and initializes a new empty record. BroRecords
+are used for adding and retrieving records vals to/from events. You
+do not have to specify a record type separately when you create a
+record. The type is defined implicitly by the sequence of types formed
+by the sequence of vals added to the record, along with the names for
+each val. See the manual for details.</P
+><P
+></P
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><SPAN
+CLASS="emphasis"
+><B
+CLASS="EMPHASIS"
+>Returns</B
+></SPAN
+>&nbsp;:</DT
+><DD
+><P
+> a new record, or <TT
+CLASS="LITERAL"
+>NULL</TT
+> on error.</P
+></DD
+></DL
+></DIV
+></DIV
+><HR><DIV
+CLASS="REFSECT2"
+><A
+NAME="BRO-RECORD-FREE"
+></A
+><H3
+>bro_record_free ()</H3
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>void                bro_record_free                     (BroRecord *rec);</PRE
+></TD
+></TR
+></TABLE
+><P
+>The function releases all memory consumed by the record pointed to
+by <TT
+CLASS="PARAMETER"
+>rec</TT
+>.</P
+><P
+></P
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><TT
+CLASS="PARAMETER"
+>rec</TT
+>&nbsp;:</DT
+><DD
+><P
+> record handle.</P
+></DD
+></DL
+></DIV
+></DIV
+><HR><DIV
+CLASS="REFSECT2"
+><A
+NAME="BRO-RECORD-ADD-VAL"
+></A
+><H3
+>bro_record_add_val ()</H3
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>int                 bro_record_add_val                  (BroRecord *rec,
+                                                         const char *name,
+                                                         int type,
+                                                         const char *type_name,
+                                                         const void *val);</PRE
+></TD
+></TR
+></TABLE
+><P
+>The function adds a new field to the record pointed to by <TT
+CLASS="PARAMETER"
+>rec</TT
+> and
+assigns the value passed in to that field. The field name is given
+in <TT
+CLASS="PARAMETER"
+>name</TT
+>, the type of the val is given in <TT
+CLASS="PARAMETER"
+>type</TT
+> and must be one of
+the <TT
+CLASS="LITERAL"
+>BRO_TYPE_xxx</TT
+> constants defined in broccoli.h. The type you give
+implies what data type <TT
+CLASS="PARAMETER"
+>val</TT
+> must be pointing to; see the manual for
+details. If you want to indicate a type specialized from <TT
+CLASS="PARAMETER"
+>type</TT
+>,
+use <TT
+CLASS="PARAMETER"
+>type_name</TT
+> to give its name, otherwise pass <TT
+CLASS="LITERAL"
+>NULL</TT
+> for <TT
+CLASS="PARAMETER"
+>type_name</TT
+>.
+It is possible to leave fields unassigned, in that case, pass in
+<TT
+CLASS="LITERAL"
+>NULL</TT
+> for <TT
+CLASS="PARAMETER"
+>val</TT
+>.</P
+><P
+><TT
+CLASS="PARAMETER"
+>val</TT
+> remains the caller's responsibility and is copied internally.</P
+><P
+></P
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><TT
+CLASS="PARAMETER"
+>rec</TT
+>&nbsp;:</DT
+><DD
+><P
+> record handle.</P
+></DD
+><DT
+><TT
+CLASS="PARAMETER"
+>name</TT
+>&nbsp;:</DT
+><DD
+><P
+> field name of the added val.</P
+></DD
+><DT
+><TT
+CLASS="PARAMETER"
+>type</TT
+>&nbsp;:</DT
+><DD
+><P
+> numerical type tag of the new val.</P
+></DD
+><DT
+><TT
+CLASS="PARAMETER"
+>type_name</TT
+>&nbsp;:</DT
+><DD
+><P
+> optional name of specialized type.</P
+></DD
+><DT
+><TT
+CLASS="PARAMETER"
+>val</TT
+>&nbsp;:</DT
+><DD
+><P
+> pointer to the new val*.</P
+></DD
+><DT
+><SPAN
+CLASS="emphasis"
+><B
+CLASS="EMPHASIS"
+>Returns</B
+></SPAN
+>&nbsp;:</DT
+><DD
+><P
+> <TT
+CLASS="LITERAL"
+>TRUE</TT
+> on success, <TT
+CLASS="LITERAL"
+>FALSE</TT
+> on error.</P
+></DD
+></DL
+></DIV
+></DIV
+><HR><DIV
+CLASS="REFSECT2"
+><A
+NAME="BRO-RECORD-GET-NTH-VAL"
+></A
+><H3
+>bro_record_get_nth_val ()</H3
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>void*               bro_record_get_nth_val              (BroRecord *rec,
+                                                         int num,
+                                                         int *type);</PRE
+></TD
+></TR
+></TABLE
+><P
+>The function returns the <TT
+CLASS="PARAMETER"
+>num</TT
+>'th value of the record pointed to
+by <TT
+CLASS="PARAMETER"
+>rec</TT
+>, expected to be of <TT
+CLASS="PARAMETER"
+>type</TT
+>. The returned value is internal
+and needs to be duplicated if you want to keep it around. Upon
+return, the int pointed to by <TT
+CLASS="PARAMETER"
+>type</TT
+> tells you the type of the returned
+val, as a BRO_TYPE_xxx type tag. If the int pointed to upon calling
+the function has the value BRO_TYPE_UNKNOWN, no type checking is
+performed and the value is returned. If it is any other type tag,
+its value is compared to that of the value, and if they match, the
+value is returned. Otherwise, the return value is <TT
+CLASS="LITERAL"
+>NULL</TT
+>. If you don't
+care about type enforcement and don't want to know the value's type,
+you may pass <TT
+CLASS="LITERAL"
+>NULL</TT
+> for <TT
+CLASS="PARAMETER"
+>type</TT
+>.</P
+><P
+></P
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><TT
+CLASS="PARAMETER"
+>rec</TT
+>&nbsp;:</DT
+><DD
+><P
+> record handle.</P
+></DD
+><DT
+><TT
+CLASS="PARAMETER"
+>num</TT
+>&nbsp;:</DT
+><DD
+><P
+> field index, starting from 0.</P
+></DD
+><DT
+><TT
+CLASS="PARAMETER"
+>type</TT
+>&nbsp;:</DT
+><DD
+><P
+> value-result argument for the expected/actual type of the value.</P
+></DD
+><DT
+><SPAN
+CLASS="emphasis"
+><B
+CLASS="EMPHASIS"
+>Returns</B
+></SPAN
+>&nbsp;:</DT
+><DD
+><P
+> pointer to queried value on success, <TT
+CLASS="LITERAL"
+>NULL</TT
+> on error.</P
+></DD
+></DL
+></DIV
+></DIV
+><HR><DIV
+CLASS="REFSECT2"
+><A
+NAME="BRO-RECORD-GET-NTH-NAME"
+></A
+><H3
+>bro_record_get_nth_name ()</H3
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>const char*         bro_record_get_nth_name             (BroRecord *rec,
+                                                         int num);</PRE
+></TD
+></TR
+></TABLE
+><P
+>The function returns the <TT
+CLASS="PARAMETER"
+>num</TT
+>'th name of the record pointed to by <TT
+CLASS="PARAMETER"
+>rec</TT
+>.</P
+><P
+></P
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><TT
+CLASS="PARAMETER"
+>rec</TT
+>&nbsp;:</DT
+><DD
+><P
+> record handle.</P
+></DD
+><DT
+><TT
+CLASS="PARAMETER"
+>num</TT
+>&nbsp;:</DT
+><DD
+><P
+> field index, starting from 0.</P
+></DD
+><DT
+><SPAN
+CLASS="emphasis"
+><B
+CLASS="EMPHASIS"
+>Returns</B
+></SPAN
+>&nbsp;:</DT
+><DD
+><P
+> field name on success, <TT
+CLASS="LITERAL"
+>NULL</TT
+> on error.</P
+></DD
+></DL
+></DIV
+></DIV
+><HR><DIV
+CLASS="REFSECT2"
+><A
+NAME="BRO-RECORD-GET-NAMED-VAL"
+></A
+><H3
+>bro_record_get_named_val ()</H3
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>void*               bro_record_get_named_val            (BroRecord *rec,
+                                                         const char *name,
+                                                         int *type);</PRE
+></TD
+></TR
+></TABLE
+><P
+>The function returns the value of the field named <TT
+CLASS="PARAMETER"
+>name</TT
+> in the
+record pointed to by <TT
+CLASS="PARAMETER"
+>rec</TT
+>. The returned value is internal and needs
+to be duplicated if you want to keep it around. <TT
+CLASS="PARAMETER"
+>type</TT
+> works as with
+<A
+HREF="broccoli-broccoli.html#BRO-RECORD-GET-NTH-VAL"
+><CODE
+CLASS="FUNCTION"
+>bro_record_get_nth_val()</CODE
+></A
+>, see there for more details.</P
+><P
+></P
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><TT
+CLASS="PARAMETER"
+>rec</TT
+>&nbsp;:</DT
+><DD
+><P
+> record handle.</P
+></DD
+><DT
+><TT
+CLASS="PARAMETER"
+>name</TT
+>&nbsp;:</DT
+><DD
+><P
+> field name.</P
+></DD
+><DT
+><TT
+CLASS="PARAMETER"
+>type</TT
+>&nbsp;:</DT
+><DD
+><P
+> value-result argument for the expected/actual type of the value.</P
+></DD
+><DT
+><SPAN
+CLASS="emphasis"
+><B
+CLASS="EMPHASIS"
+>Returns</B
+></SPAN
+>&nbsp;:</DT
+><DD
+><P
+> pointer to queried value on success, <TT
+CLASS="LITERAL"
+>NULL</TT
+> on error.</P
+></DD
+></DL
+></DIV
+></DIV
+><HR><DIV
+CLASS="REFSECT2"
+><A
+NAME="BRO-RECORD-SET-NTH-VAL"
+></A
+><H3
+>bro_record_set_nth_val ()</H3
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>int                 bro_record_set_nth_val              (BroRecord *rec,
+                                                         int num,
+                                                         int type,
+                                                         const char *type_name,
+                                                         const void *val);</PRE
+></TD
+></TR
+></TABLE
+><P
+>The function replaces the <TT
+CLASS="PARAMETER"
+>num</TT
+>'th value of the record pointed to
+by <TT
+CLASS="PARAMETER"
+>rec</TT
+>, expected to be of <TT
+CLASS="PARAMETER"
+>type</TT
+>. All values are copied internally
+so what <TT
+CLASS="PARAMETER"
+>val</TT
+> points to stays unmodified. The value of <TT
+CLASS="PARAMETER"
+>type</TT
+> implies
+what <TT
+CLASS="PARAMETER"
+>result</TT
+> must be pointing to. See the manual for details.
+If you want to indicate a type specialized from <TT
+CLASS="PARAMETER"
+>type</TT
+>, use
+<TT
+CLASS="PARAMETER"
+>type_name</TT
+> to give its name, otherwise pass <TT
+CLASS="LITERAL"
+>NULL</TT
+> for <TT
+CLASS="PARAMETER"
+>type_name</TT
+>.</P
+><P
+></P
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><TT
+CLASS="PARAMETER"
+>rec</TT
+>&nbsp;:</DT
+><DD
+><P
+> record handle.</P
+></DD
+><DT
+><TT
+CLASS="PARAMETER"
+>num</TT
+>&nbsp;:</DT
+><DD
+><P
+> field index, starting from 0.</P
+></DD
+><DT
+><TT
+CLASS="PARAMETER"
+>type</TT
+>&nbsp;:</DT
+><DD
+><P
+> expected type of the value.</P
+></DD
+><DT
+><TT
+CLASS="PARAMETER"
+>type_name</TT
+>&nbsp;:</DT
+><DD
+><P
+> optional name of specialized type.</P
+></DD
+><DT
+><TT
+CLASS="PARAMETER"
+>val</TT
+>&nbsp;:</DT
+><DD
+><P
+> pointer to new val.</P
+></DD
+><DT
+><SPAN
+CLASS="emphasis"
+><B
+CLASS="EMPHASIS"
+>Returns</B
+></SPAN
+>&nbsp;:</DT
+><DD
+><P
+> <TT
+CLASS="LITERAL"
+>TRUE</TT
+> on success, <TT
+CLASS="LITERAL"
+>FALSE</TT
+> on error.</P
+></DD
+></DL
+></DIV
+></DIV
+><HR><DIV
+CLASS="REFSECT2"
+><A
+NAME="BRO-RECORD-SET-NAMED-VAL"
+></A
+><H3
+>bro_record_set_named_val ()</H3
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>int                 bro_record_set_named_val            (BroRecord *rec,
+                                                         const char *name,
+                                                         int type,
+                                                         const char *type_name,
+                                                         const void *val);</PRE
+></TD
+></TR
+></TABLE
+><P
+>The function replaces the value named <TT
+CLASS="PARAMETER"
+>name</TT
+> in the record pointed to
+by <TT
+CLASS="PARAMETER"
+>rec</TT
+>, expected to be of <TT
+CLASS="PARAMETER"
+>type</TT
+>. All values are copied internally
+so what <TT
+CLASS="PARAMETER"
+>val</TT
+> points to stays unmodified. The value of <TT
+CLASS="PARAMETER"
+>type</TT
+> implies
+what <TT
+CLASS="PARAMETER"
+>result</TT
+> must be pointing to. See the manual for details.
+If you want to indicate a type specialized from <TT
+CLASS="PARAMETER"
+>type</TT
+>,
+use <TT
+CLASS="PARAMETER"
+>type_name</TT
+> to give its name, otherwise pass <TT
+CLASS="LITERAL"
+>NULL</TT
+> for <TT
+CLASS="PARAMETER"
+>type_name</TT
+>.</P
+><P
+></P
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><TT
+CLASS="PARAMETER"
+>rec</TT
+>&nbsp;:</DT
+><DD
+><P
+> record handle.</P
+></DD
+><DT
+><TT
+CLASS="PARAMETER"
+>name</TT
+>&nbsp;:</DT
+><DD
+><P
+> field name.</P
+></DD
+><DT
+><TT
+CLASS="PARAMETER"
+>type</TT
+>&nbsp;:</DT
+><DD
+><P
+> expected type of the value.</P
+></DD
+><DT
+><TT
+CLASS="PARAMETER"
+>type_name</TT
+>&nbsp;:</DT
+><DD
+><P
+> optional name of specialized type.</P
+></DD
+><DT
+><TT
+CLASS="PARAMETER"
+>val</TT
+>&nbsp;:</DT
+><DD
+><P
+> pointer to new val.</P
+></DD
+><DT
+><SPAN
+CLASS="emphasis"
+><B
+CLASS="EMPHASIS"
+>Returns</B
+></SPAN
+>&nbsp;:</DT
+><DD
+><P
+> <TT
+CLASS="LITERAL"
+>TRUE</TT
+> on success, <TT
+CLASS="LITERAL"
+>FALSE</TT
+> on error.</P
+></DD
+></DL
+></DIV
+></DIV
+><HR><DIV
+CLASS="REFSECT2"
+><A
+NAME="BROTABLECALLBACK"
+></A
+><H3
+>BroTableCallback ()</H3
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>int                 (*BroTableCallback)                 (void *key,
+                                                         void *val,
+                                                         void *user_data);</PRE
+></TD
+></TR
+></TABLE
+><P
+>This is the signature of callbacks used when iterating over all
+elements stored in a BroSet.</P
+><P
+></P
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><TT
+CLASS="PARAMETER"
+>key</TT
+>&nbsp;:</DT
+><DD
+><P
+></P
+></DD
+><DT
+><TT
+CLASS="PARAMETER"
+>val</TT
+>&nbsp;:</DT
+><DD
+><P
+> a pointer to an element in the set.</P
+></DD
+><DT
+><TT
+CLASS="PARAMETER"
+>user_data</TT
+>&nbsp;:</DT
+><DD
+><P
+> user data passed through.</P
+></DD
+><DT
+><SPAN
+CLASS="emphasis"
+><B
+CLASS="EMPHASIS"
+>Returns</B
+></SPAN
+>&nbsp;:</DT
+><DD
+><P
+> TRUE if iteration should continue, FALSE if done.</P
+></DD
+></DL
+></DIV
+></DIV
+><HR><DIV
+CLASS="REFSECT2"
+><A
+NAME="BRO-TABLE-NEW"
+></A
+><H3
+>bro_table_new ()</H3
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>BroTable*           bro_table_new                       (void);</PRE
+></TD
+></TR
+></TABLE
+><P
+></P
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><SPAN
+CLASS="emphasis"
+><B
+CLASS="EMPHASIS"
+>Returns</B
+></SPAN
+>&nbsp;:</DT
+><DD
+><P
+>&#13;</P
+></DD
+></DL
+></DIV
+></DIV
+><HR><DIV
+CLASS="REFSECT2"
+><A
+NAME="BRO-TABLE-FREE"
+></A
+><H3
+>bro_table_free ()</H3
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>void                bro_table_free                      (BroTable *tbl);</PRE
+></TD
+></TR
+></TABLE
+><P
+></P
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><TT
+CLASS="PARAMETER"
+>tbl</TT
+>&nbsp;:</DT
+><DD
+><P
+>&#13;</P
+></DD
+></DL
+></DIV
+></DIV
+><HR><DIV
+CLASS="REFSECT2"
+><A
+NAME="BRO-TABLE-INSERT"
+></A
+><H3
+>bro_table_insert ()</H3
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>int                 bro_table_insert                    (BroTable *tbl,
+                                                         int key_type,
+                                                         const void *key,
+                                                         int val_type,
+                                                         const void *val);</PRE
+></TD
+></TR
+></TABLE
+><P
+></P
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><TT
+CLASS="PARAMETER"
+>tbl</TT
+>&nbsp;:</DT
+><DD
+><P
+></P
+></DD
+><DT
+><TT
+CLASS="PARAMETER"
+>key_type</TT
+>&nbsp;:</DT
+><DD
+><P
+></P
+></DD
+><DT
+><TT
+CLASS="PARAMETER"
+>key</TT
+>&nbsp;:</DT
+><DD
+><P
+></P
+></DD
+><DT
+><TT
+CLASS="PARAMETER"
+>val_type</TT
+>&nbsp;:</DT
+><DD
+><P
+></P
+></DD
+><DT
+><TT
+CLASS="PARAMETER"
+>val</TT
+>&nbsp;:</DT
+><DD
+><P
+></P
+></DD
+><DT
+><SPAN
+CLASS="emphasis"
+><B
+CLASS="EMPHASIS"
+>Returns</B
+></SPAN
+>&nbsp;:</DT
+><DD
+><P
+>&#13;</P
+></DD
+></DL
+></DIV
+></DIV
+><HR><DIV
+CLASS="REFSECT2"
+><A
+NAME="BRO-TABLE-FIND"
+></A
+><H3
+>bro_table_find ()</H3
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>void*               bro_table_find                      (BroTable *tbl,
+                                                         const void *key);</PRE
+></TD
+></TR
+></TABLE
+><P
+></P
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><TT
+CLASS="PARAMETER"
+>tbl</TT
+>&nbsp;:</DT
+><DD
+><P
+></P
+></DD
+><DT
+><TT
+CLASS="PARAMETER"
+>key</TT
+>&nbsp;:</DT
+><DD
+><P
+></P
+></DD
+><DT
+><SPAN
+CLASS="emphasis"
+><B
+CLASS="EMPHASIS"
+>Returns</B
+></SPAN
+>&nbsp;:</DT
+><DD
+><P
+>&#13;</P
+></DD
+></DL
+></DIV
+></DIV
+><HR><DIV
+CLASS="REFSECT2"
+><A
+NAME="BRO-TABLE-GET-SIZE"
+></A
+><H3
+>bro_table_get_size ()</H3
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>int                 bro_table_get_size                  (BroTable *tbl);</PRE
+></TD
+></TR
+></TABLE
+><P
+></P
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><TT
+CLASS="PARAMETER"
+>tbl</TT
+>&nbsp;:</DT
+><DD
+><P
+></P
+></DD
+><DT
+><SPAN
+CLASS="emphasis"
+><B
+CLASS="EMPHASIS"
+>Returns</B
+></SPAN
+>&nbsp;:</DT
+><DD
+><P
+>&#13;</P
+></DD
+></DL
+></DIV
+></DIV
+><HR><DIV
+CLASS="REFSECT2"
+><A
+NAME="BRO-TABLE-GET-TYPES"
+></A
+><H3
+>bro_table_get_types ()</H3
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>void                bro_table_get_types                 (BroTable *tbl,
+                                                         int *key_type,
+                                                         int *val_type);</PRE
+></TD
+></TR
+></TABLE
+><P
+></P
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><TT
+CLASS="PARAMETER"
+>tbl</TT
+>&nbsp;:</DT
+><DD
+><P
+></P
+></DD
+><DT
+><TT
+CLASS="PARAMETER"
+>key_type</TT
+>&nbsp;:</DT
+><DD
+><P
+></P
+></DD
+><DT
+><TT
+CLASS="PARAMETER"
+>val_type</TT
+>&nbsp;:</DT
+><DD
+><P
+>&#13;</P
+></DD
+></DL
+></DIV
+></DIV
+><HR><DIV
+CLASS="REFSECT2"
+><A
+NAME="BRO-TABLE-FOREACH"
+></A
+><H3
+>bro_table_foreach ()</H3
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>void                bro_table_foreach                   (BroTable *tbl,
+                                                         <A
+HREF="broccoli-broccoli.html#BROTABLECALLBACK"
+>BroTableCallback</A
+> cb,
+                                                         void *user_data);</PRE
+></TD
+></TR
+></TABLE
+><P
+></P
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><TT
+CLASS="PARAMETER"
+>tbl</TT
+>&nbsp;:</DT
+><DD
+><P
+></P
+></DD
+><DT
+><TT
+CLASS="PARAMETER"
+>cb</TT
+>&nbsp;:</DT
+><DD
+><P
+></P
+></DD
+><DT
+><TT
+CLASS="PARAMETER"
+>user_data</TT
+>&nbsp;:</DT
+><DD
+><P
+>&#13;</P
+></DD
+></DL
+></DIV
+></DIV
+><HR><DIV
+CLASS="REFSECT2"
+><A
+NAME="BROSETCALLBACK"
+></A
+><H3
+>BroSetCallback ()</H3
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>int                 (*BroSetCallback)                   (void *val,
+                                                         void *user_data);</PRE
+></TD
+></TR
+></TABLE
+><P
+></P
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><TT
+CLASS="PARAMETER"
+>val</TT
+>&nbsp;:</DT
+><DD
+><P
+></P
+></DD
+><DT
+><TT
+CLASS="PARAMETER"
+>user_data</TT
+>&nbsp;:</DT
+><DD
+><P
+></P
+></DD
+><DT
+><SPAN
+CLASS="emphasis"
+><B
+CLASS="EMPHASIS"
+>Returns</B
+></SPAN
+>&nbsp;:</DT
+><DD
+><P
+>&#13;</P
+></DD
+></DL
+></DIV
+></DIV
+><HR><DIV
+CLASS="REFSECT2"
+><A
+NAME="BRO-SET-NEW"
+></A
+><H3
+>bro_set_new ()</H3
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>BroSet*             bro_set_new                         (void);</PRE
+></TD
+></TR
+></TABLE
+><P
+></P
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><SPAN
+CLASS="emphasis"
+><B
+CLASS="EMPHASIS"
+>Returns</B
+></SPAN
+>&nbsp;:</DT
+><DD
+><P
+>&#13;</P
+></DD
+></DL
+></DIV
+></DIV
+><HR><DIV
+CLASS="REFSECT2"
+><A
+NAME="BRO-SET-FREE"
+></A
+><H3
+>bro_set_free ()</H3
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>void                bro_set_free                        (BroSet *set);</PRE
+></TD
+></TR
+></TABLE
+><P
+></P
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><TT
+CLASS="PARAMETER"
+>set</TT
+>&nbsp;:</DT
+><DD
+><P
+>&#13;</P
+></DD
+></DL
+></DIV
+></DIV
+><HR><DIV
+CLASS="REFSECT2"
+><A
+NAME="BRO-SET-INSERT"
+></A
+><H3
+>bro_set_insert ()</H3
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>int                 bro_set_insert                      (BroSet *set,
+                                                         int type,
+                                                         const void *val);</PRE
+></TD
+></TR
+></TABLE
+><P
+></P
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><TT
+CLASS="PARAMETER"
+>set</TT
+>&nbsp;:</DT
+><DD
+><P
+></P
+></DD
+><DT
+><TT
+CLASS="PARAMETER"
+>type</TT
+>&nbsp;:</DT
+><DD
+><P
+></P
+></DD
+><DT
+><TT
+CLASS="PARAMETER"
+>val</TT
+>&nbsp;:</DT
+><DD
+><P
+></P
+></DD
+><DT
+><SPAN
+CLASS="emphasis"
+><B
+CLASS="EMPHASIS"
+>Returns</B
+></SPAN
+>&nbsp;:</DT
+><DD
+><P
+>&#13;</P
+></DD
+></DL
+></DIV
+></DIV
+><HR><DIV
+CLASS="REFSECT2"
+><A
+NAME="BRO-SET-FIND"
+></A
+><H3
+>bro_set_find ()</H3
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>int                 bro_set_find                        (BroSet *set,
+                                                         const void *key);</PRE
+></TD
+></TR
+></TABLE
+><P
+></P
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><TT
+CLASS="PARAMETER"
+>set</TT
+>&nbsp;:</DT
+><DD
+><P
+></P
+></DD
+><DT
+><TT
+CLASS="PARAMETER"
+>key</TT
+>&nbsp;:</DT
+><DD
+><P
+></P
+></DD
+><DT
+><SPAN
+CLASS="emphasis"
+><B
+CLASS="EMPHASIS"
+>Returns</B
+></SPAN
+>&nbsp;:</DT
+><DD
+><P
+>&#13;</P
+></DD
+></DL
+></DIV
+></DIV
+><HR><DIV
+CLASS="REFSECT2"
+><A
+NAME="BRO-SET-GET-SIZE"
+></A
+><H3
+>bro_set_get_size ()</H3
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>int                 bro_set_get_size                    (BroSet *set);</PRE
+></TD
+></TR
+></TABLE
+><P
+></P
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><TT
+CLASS="PARAMETER"
+>set</TT
+>&nbsp;:</DT
+><DD
+><P
+></P
+></DD
+><DT
+><SPAN
+CLASS="emphasis"
+><B
+CLASS="EMPHASIS"
+>Returns</B
+></SPAN
+>&nbsp;:</DT
+><DD
+><P
+>&#13;</P
+></DD
+></DL
+></DIV
+></DIV
+><HR><DIV
+CLASS="REFSECT2"
+><A
+NAME="BRO-SET-GET-TYPE"
+></A
+><H3
+>bro_set_get_type ()</H3
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>void                bro_set_get_type                    (BroSet *set,
+                                                         int *type);</PRE
+></TD
+></TR
+></TABLE
+><P
+></P
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><TT
+CLASS="PARAMETER"
+>set</TT
+>&nbsp;:</DT
+><DD
+><P
+></P
+></DD
+><DT
+><TT
+CLASS="PARAMETER"
+>type</TT
+>&nbsp;:</DT
+><DD
+><P
+>&#13;</P
+></DD
+></DL
+></DIV
+></DIV
+><HR><DIV
+CLASS="REFSECT2"
+><A
+NAME="BRO-SET-FOREACH"
+></A
+><H3
+>bro_set_foreach ()</H3
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>void                bro_set_foreach                     (BroSet *set,
+                                                         <A
+HREF="broccoli-broccoli.html#BROSETCALLBACK"
+>BroSetCallback</A
+> cb,
+                                                         void *user_data);</PRE
+></TD
+></TR
+></TABLE
+><P
+></P
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><TT
+CLASS="PARAMETER"
+>set</TT
+>&nbsp;:</DT
+><DD
+><P
+></P
+></DD
+><DT
+><TT
+CLASS="PARAMETER"
+>cb</TT
+>&nbsp;:</DT
+><DD
+><P
+></P
+></DD
+><DT
+><TT
+CLASS="PARAMETER"
+>user_data</TT
+>&nbsp;:</DT
+><DD
+><P
+>&#13;</P
+></DD
+></DL
+></DIV
+></DIV
+><HR><DIV
+CLASS="REFSECT2"
+><A
+NAME="BRO-CONN-SET-PACKET-CTXT"
+></A
+><H3
+>bro_conn_set_packet_ctxt ()</H3
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>void                bro_conn_set_packet_ctxt            (BroConn *bc,
+                                                         int link_type);</PRE
+></TD
+></TR
+></TABLE
+><P
+>The function sets the packet context for <TT
+CLASS="PARAMETER"
+>bc</TT
+> for future BroPackets
+handled by this connection.</P
+><P
+></P
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><TT
+CLASS="PARAMETER"
+>bc</TT
+>&nbsp;:</DT
+><DD
+><P
+> connection handle.</P
+></DD
+><DT
+><TT
+CLASS="PARAMETER"
+>link_type</TT
+>&nbsp;:</DT
+><DD
+><P
+> libpcap DLT linklayer type.</P
+></DD
+></DL
+></DIV
+></DIV
+><HR><DIV
+CLASS="REFSECT2"
+><A
+NAME="BRO-CONN-GET-PACKET-CTXT"
+></A
+><H3
+>bro_conn_get_packet_ctxt ()</H3
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>void                bro_conn_get_packet_ctxt            (BroConn *bc,
+                                                         int *link_type);</PRE
+></TD
+></TR
+></TABLE
+><P
+>The function returns <TT
+CLASS="PARAMETER"
+>bc</TT
+>'s current packet context through <TT
+CLASS="PARAMETER"
+>link_type</TT
+>.</P
+><P
+></P
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><TT
+CLASS="PARAMETER"
+>bc</TT
+>&nbsp;:</DT
+><DD
+><P
+> connection handle.</P
+></DD
+><DT
+><TT
+CLASS="PARAMETER"
+>link_type</TT
+>&nbsp;:</DT
+><DD
+><P
+> result pointer for libpcap DLT linklayer type.</P
+></DD
+></DL
+></DIV
+></DIV
+><HR><DIV
+CLASS="REFSECT2"
+><A
+NAME="BRO-PACKET-NEW"
+></A
+><H3
+>bro_packet_new ()</H3
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>BroPacket*          bro_packet_new                      (const struct pcap_pkthdr *hdr,
+                                                         const u_char *data,
+                                                         const char *tag);</PRE
+></TD
+></TR
+></TABLE
+><P
+>The function creates a new BroPacket by copying <TT
+CLASS="PARAMETER"
+>hdr</TT
+> and <TT
+CLASS="PARAMETER"
+>data</TT
+> internally.
+Release the resulting packet using <A
+HREF="broccoli-broccoli.html#BRO-PACKET-FREE"
+><CODE
+CLASS="FUNCTION"
+>bro_packet_free()</CODE
+></A
+>.</P
+><P
+></P
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><TT
+CLASS="PARAMETER"
+>hdr</TT
+>&nbsp;:</DT
+><DD
+><P
+> pointer to libpcap packet header.</P
+></DD
+><DT
+><TT
+CLASS="PARAMETER"
+>data</TT
+>&nbsp;:</DT
+><DD
+><P
+> pointer to libpcap packet data.</P
+></DD
+><DT
+><TT
+CLASS="PARAMETER"
+>tag</TT
+>&nbsp;:</DT
+><DD
+><P
+> pointer to ASCII tag (0 for no tag).</P
+></DD
+><DT
+><SPAN
+CLASS="emphasis"
+><B
+CLASS="EMPHASIS"
+>Returns</B
+></SPAN
+>&nbsp;:</DT
+><DD
+><P
+>&#13;</P
+></DD
+></DL
+></DIV
+></DIV
+><HR><DIV
+CLASS="REFSECT2"
+><A
+NAME="BRO-PACKET-CLONE"
+></A
+><H3
+>bro_packet_clone ()</H3
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>BroPacket*          bro_packet_clone                    (const BroPacket *packet);</PRE
+></TD
+></TR
+></TABLE
+><P
+></P
+><P
+></P
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><TT
+CLASS="PARAMETER"
+>packet</TT
+>&nbsp;:</DT
+><DD
+><P
+> packet to clone.</P
+></DD
+><DT
+><SPAN
+CLASS="emphasis"
+><B
+CLASS="EMPHASIS"
+>Returns</B
+></SPAN
+>&nbsp;:</DT
+><DD
+><P
+> a copy of <TT
+CLASS="PARAMETER"
+>packet</TT
+>, or <TT
+CLASS="LITERAL"
+>NULL</TT
+> on error.</P
+></DD
+></DL
+></DIV
+></DIV
+><HR><DIV
+CLASS="REFSECT2"
+><A
+NAME="BRO-PACKET-FREE"
+></A
+><H3
+>bro_packet_free ()</H3
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>void                bro_packet_free                     (BroPacket *packet);</PRE
+></TD
+></TR
+></TABLE
+><P
+>The function releases all memory occupied by a packet previously allocated
+using <A
+HREF="broccoli-broccoli.html#BRO-PACKET-NEW"
+><CODE
+CLASS="FUNCTION"
+>bro_packet_new()</CODE
+></A
+>.</P
+><P
+></P
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><TT
+CLASS="PARAMETER"
+>packet</TT
+>&nbsp;:</DT
+><DD
+><P
+> packet to release.</P
+></DD
+></DL
+></DIV
+></DIV
+><HR><DIV
+CLASS="REFSECT2"
+><A
+NAME="BRO-PACKET-SEND"
+></A
+><H3
+>bro_packet_send ()</H3
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>int                 bro_packet_send                     (BroConn *bc,
+                                                         BroPacket *packet);</PRE
+></TD
+></TR
+></TABLE
+><P
+>The function sends <TT
+CLASS="PARAMETER"
+>packet</TT
+> to the Bro peer connected via <TT
+CLASS="PARAMETER"
+>bc</TT
+>.</P
+><P
+></P
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><TT
+CLASS="PARAMETER"
+>bc</TT
+>&nbsp;:</DT
+><DD
+><P
+> connection on which to send packet.</P
+></DD
+><DT
+><TT
+CLASS="PARAMETER"
+>packet</TT
+>&nbsp;:</DT
+><DD
+><P
+> packet to send.</P
+></DD
+><DT
+><SPAN
+CLASS="emphasis"
+><B
+CLASS="EMPHASIS"
+>Returns</B
+></SPAN
+>&nbsp;:</DT
+><DD
+><P
+> <TT
+CLASS="LITERAL"
+>TRUE</TT
+> if successful, <TT
+CLASS="LITERAL"
+>FALSE</TT
+> otherwise.</P
+></DD
+></DL
+></DIV
+></DIV
+><HR><DIV
+CLASS="REFSECT2"
+><A
+NAME="BRO-UTIL-CURRENT-TIME"
+></A
+><H3
+>bro_util_current_time ()</H3
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>double              bro_util_current_time               (void);</PRE
+></TD
+></TR
+></TABLE
+><P
+></P
+><P
+></P
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><SPAN
+CLASS="emphasis"
+><B
+CLASS="EMPHASIS"
+>Returns</B
+></SPAN
+>&nbsp;:</DT
+><DD
+><P
+> the current system time as a double, in seconds, suitable
+for passing to <CODE
+CLASS="FUNCTION"
+>bro_event_add_time()</CODE
+>.</P
+></DD
+></DL
+></DIV
+></DIV
+><HR><DIV
+CLASS="REFSECT2"
+><A
+NAME="BRO-UTIL-TIMEVAL-TO-DOUBLE"
+></A
+><H3
+>bro_util_timeval_to_double ()</H3
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>double              bro_util_timeval_to_double          (const struct timeval *tv);</PRE
+></TD
+></TR
+></TABLE
+><P
+></P
+><P
+></P
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><TT
+CLASS="PARAMETER"
+>tv</TT
+>&nbsp;:</DT
+><DD
+><P
+> pointer to timeval structure.</P
+></DD
+><DT
+><SPAN
+CLASS="emphasis"
+><B
+CLASS="EMPHASIS"
+>Returns</B
+></SPAN
+>&nbsp;:</DT
+><DD
+><P
+> a double encoding the timestamp given in <TT
+CLASS="PARAMETER"
+>tv</TT
+> in a floating
+point double, with the fraction of a second between 0.0 and 1.0.</P
+></DD
+></DL
+></DIV
+></DIV
+></DIV
+><DIV
+CLASS="NAVFOOTER"
+><HR
+ALIGN="LEFT"
+WIDTH="100%"><TABLE
+SUMMARY="Footer navigation table"
+WIDTH="100%"
+BORDER="0"
+CELLPADDING="0"
+CELLSPACING="0"
+><TR
+><TD
+WIDTH="33%"
+ALIGN="left"
+VALIGN="top"
+><A
+HREF="api.html"
+ACCESSKEY="P"
+>Prev</A
+></TD
+><TD
+WIDTH="34%"
+ALIGN="center"
+VALIGN="top"
+><A
+HREF="index.html"
+ACCESSKEY="H"
+>Home</A
+></TD
+><TD
+WIDTH="33%"
+ALIGN="right"
+VALIGN="top"
+><A
+HREF="a3637.html"
+ACCESSKEY="N"
+>Next</A
+></TD
+></TR
+><TR
+><TD
+WIDTH="33%"
+ALIGN="left"
+VALIGN="top"
+>Broccoli API Reference</TD
+><TD
+WIDTH="34%"
+ALIGN="center"
+VALIGN="top"
+><A
+HREF="api.html"
+ACCESSKEY="U"
+>Up</A
+></TD
+><TD
+WIDTH="33%"
+ALIGN="right"
+VALIGN="top"
+>Appendix</TD
+></TR
+></TABLE
+></DIV
+></BODY
+></HTML
+>
\ No newline at end of file
diff --git a/aux/broccoli/docs/html/c20.html b/aux/broccoli/docs/html/c20.html
new file mode 100644
index 0000000000..d903a4f4f9
--- /dev/null
+++ b/aux/broccoli/docs/html/c20.html
@@ -0,0 +1,330 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<HTML
+><HEAD
+><TITLE
+>Introduction</TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet Version 1.79"><LINK
+REL="HOME"
+TITLE="Broccoli: The Bro Client Communications Library"
+HREF="index.html"><LINK
+REL="PREVIOUS"
+TITLE="Broccoli: The Bro Client Communications Library"
+HREF="index.html"><LINK
+REL="NEXT"
+TITLE="Installing Broccoli"
+HREF="c54.html"><LINK
+REL="STYLESHEET"
+TYPE="text/css"
+HREF="stylesheet.css"></HEAD
+><BODY
+CLASS="CHAPTER"
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+LINK="#0000FF"
+VLINK="#840084"
+ALINK="#0000FF"
+><DIV
+CLASS="NAVHEADER"
+><TABLE
+SUMMARY="Header navigation table"
+WIDTH="100%"
+BORDER="0"
+CELLPADDING="0"
+CELLSPACING="0"
+><TR
+><TH
+COLSPAN="3"
+ALIGN="center"
+>Broccoli: The Bro Client Communications Library</TH
+></TR
+><TR
+><TD
+WIDTH="10%"
+ALIGN="left"
+VALIGN="bottom"
+><A
+HREF="index.html"
+ACCESSKEY="P"
+>Prev</A
+></TD
+><TD
+WIDTH="80%"
+ALIGN="center"
+VALIGN="bottom"
+></TD
+><TD
+WIDTH="10%"
+ALIGN="right"
+VALIGN="bottom"
+><A
+HREF="c54.html"
+ACCESSKEY="N"
+>Next</A
+></TD
+></TR
+></TABLE
+><HR
+ALIGN="LEFT"
+WIDTH="100%"></DIV
+><DIV
+CLASS="CHAPTER"
+><H1
+><A
+NAME="AEN20"
+></A
+>Chapter 1. Introduction</H1
+><DIV
+CLASS="TOC"
+><DL
+><DT
+><B
+>Table of Contents</B
+></DT
+><DT
+>1.1. <A
+HREF="c20.html#AEN23"
+>What is Broccoli?</A
+></DT
+><DT
+>1.2. <A
+HREF="c20.html#AEN34"
+>Why do I care?</A
+></DT
+></DL
+></DIV
+><P
+>    Welcome! You're looking at the Broccoli manual. Thanks for reading this.
+    </P
+><BR
+CLEAR="all"><DIV
+CLASS="SECT1"
+><H1
+CLASS="SECT1"
+><A
+NAME="AEN23"
+>1.1. What is Broccoli?</A
+></H1
+><P
+>	Broccoli is the <SPAN
+CLASS="emphasis"
+><B
+CLASS="EMPHASIS"
+>BRO</B
+></SPAN
+> <SPAN
+CLASS="emphasis"
+><B
+CLASS="EMPHASIS"
+>C</B
+></SPAN
+>lient
+	<SPAN
+CLASS="emphasis"
+><B
+CLASS="EMPHASIS"
+>CO</B
+></SPAN
+>mmunications <SPAN
+CLASS="emphasis"
+><B
+CLASS="EMPHASIS"
+>LI</B
+></SPAN
+>brary. It allows
+	you to write applications that speak the communication protocol of the
+	<A
+HREF="http://www.bro-ids.org"
+TARGET="_top"
+>Bro intrusion detection system</A
+>.	
+	In this document, we assume that you are familiar with the basic concepts
+	of Bro. If you need a refresher, please have a look at the
+	<A
+HREF="http://www.icir.org/vern/papers/bro-CN99.html"
+TARGET="_top"
+>original paper</A
+>,
+	the <A
+HREF="http://www.bro-ids.org/Bro-user-manual/index.html"
+TARGET="_top"
+>user manual</A
+>,
+	and the material on <A
+HREF="http://www.bro-ids.org"
+TARGET="_top"
+>bro-ids.org</A
+> in general.
+      </P
+></DIV
+><BR
+CLEAR="all"><DIV
+CLASS="SECT1"
+><H1
+CLASS="SECT1"
+><A
+NAME="AEN34"
+>1.2. Why do I care?</A
+></H1
+><P
+>        Having a single IDS on your network is good, but things become a lot more interesting
+	when you can communicate information among multiple vantage points in your network.
+	Bro agents can communicate with other Bro agents, sending and receiving events and
+	other state information. In the Bro context this is particularly interesting because
+	it means that you can build sophisticated policy-controlled distributed event
+	management systems.
+      </P
+><P
+>	Broccoli enters the picture when it comes to integrating components that are not
+	Bro agents themselves. Broccoli lets you create applications that can speak the Bro
+	communication protocol. You can compose, send, request, and receive events.
+	You can register your own event handlers. You can talk to other Broccoli
+	applications or Bro agents &mdash; Bro agents cannot tell whether they are talking
+	to another Bro or a Broccoli application. Broccoli allows you to integrate applications
+	of your choosing into a distributed policy-controlled event management system.
+	Broccoli is intended
+	to be portable: it should build on Linux, the BSDs, Solaris, and Windows
+	(in the <A
+HREF="http://www.mingw.org"
+TARGET="_top"
+>MinGW</A
+> environment).
+      </P
+><P
+>	Unlike other distributed IDSs, Bro does not assume a strict sensor&ndash;manager
+	hierarchy in the information flow. Instead, Bro agents can request delivery of
+	arbitrary <SPAN
+CLASS="emphasis"
+><B
+CLASS="EMPHASIS"
+>events</B
+></SPAN
+>
+	from other instances. When an event is triggered in a Bro agent, it checks
+	whether any connected agents have requested notification of this event,
+	and send a <SPAN
+CLASS="emphasis"
+><B
+CLASS="EMPHASIS"
+>copy</B
+></SPAN
+> of the event, including the <SPAN
+CLASS="emphasis"
+><B
+CLASS="EMPHASIS"
+>event arguments</B
+></SPAN
+>.
+	Recall that in Bro, an event handler is essentially a function defined in
+	the Bro language, and an event materializes through invocation of an event handler.
+	Each remote agent can define its own event handlers.
+      </P
+><P
+>        Broccoli applications will typically do one or more of the following:
+      </P
+><P
+></P
+><UL
+><LI
+><P
+>	   <SPAN
+CLASS="emphasis"
+><B
+CLASS="EMPHASIS"
+>Configuration/Management Tasks:</B
+></SPAN
+> the Broccoli application
+	   is used to configure remotely running Bros without the need for a restart.
+	  </P
+></LI
+><LI
+><P
+>	   <SPAN
+CLASS="emphasis"
+><B
+CLASS="EMPHASIS"
+>Interfacing other Systems:</B
+></SPAN
+> the Broccoli application
+	   is used to convert Bro events to other alert/notice formats, for into
+	   syslogd entries.
+	  </P
+></LI
+><LI
+><P
+>	   <SPAN
+CLASS="emphasis"
+><B
+CLASS="EMPHASIS"
+>Host-based Sensor Feeds into Bro:</B
+></SPAN
+> the Broccoli
+	   application reports events based on host-based activity generated in
+	   kernel space or user space applications.
+	  </P
+></LI
+></UL
+></DIV
+></DIV
+><DIV
+CLASS="NAVFOOTER"
+><HR
+ALIGN="LEFT"
+WIDTH="100%"><TABLE
+SUMMARY="Footer navigation table"
+WIDTH="100%"
+BORDER="0"
+CELLPADDING="0"
+CELLSPACING="0"
+><TR
+><TD
+WIDTH="33%"
+ALIGN="left"
+VALIGN="top"
+><A
+HREF="index.html"
+ACCESSKEY="P"
+>Prev</A
+></TD
+><TD
+WIDTH="34%"
+ALIGN="center"
+VALIGN="top"
+><A
+HREF="index.html"
+ACCESSKEY="H"
+>Home</A
+></TD
+><TD
+WIDTH="33%"
+ALIGN="right"
+VALIGN="top"
+><A
+HREF="c54.html"
+ACCESSKEY="N"
+>Next</A
+></TD
+></TR
+><TR
+><TD
+WIDTH="33%"
+ALIGN="left"
+VALIGN="top"
+>Broccoli: The Bro Client Communications Library</TD
+><TD
+WIDTH="34%"
+ALIGN="center"
+VALIGN="top"
+>&nbsp;</TD
+><TD
+WIDTH="33%"
+ALIGN="right"
+VALIGN="top"
+>Installing Broccoli</TD
+></TR
+></TABLE
+></DIV
+></BODY
+></HTML
+>
\ No newline at end of file
diff --git a/aux/broccoli/docs/html/c54.html b/aux/broccoli/docs/html/c54.html
new file mode 100644
index 0000000000..b80639b22c
--- /dev/null
+++ b/aux/broccoli/docs/html/c54.html
@@ -0,0 +1,227 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<HTML
+><HEAD
+><TITLE
+>Installing Broccoli</TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet Version 1.79"><LINK
+REL="HOME"
+TITLE="Broccoli: The Bro Client Communications Library"
+HREF="index.html"><LINK
+REL="PREVIOUS"
+TITLE="Introduction"
+HREF="c20.html"><LINK
+REL="NEXT"
+TITLE="Using Broccoli"
+HREF="c84.html"><LINK
+REL="STYLESHEET"
+TYPE="text/css"
+HREF="stylesheet.css"></HEAD
+><BODY
+CLASS="CHAPTER"
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+LINK="#0000FF"
+VLINK="#840084"
+ALINK="#0000FF"
+><DIV
+CLASS="NAVHEADER"
+><TABLE
+SUMMARY="Header navigation table"
+WIDTH="100%"
+BORDER="0"
+CELLPADDING="0"
+CELLSPACING="0"
+><TR
+><TH
+COLSPAN="3"
+ALIGN="center"
+>Broccoli: The Bro Client Communications Library</TH
+></TR
+><TR
+><TD
+WIDTH="10%"
+ALIGN="left"
+VALIGN="bottom"
+><A
+HREF="c20.html"
+ACCESSKEY="P"
+>Prev</A
+></TD
+><TD
+WIDTH="80%"
+ALIGN="center"
+VALIGN="bottom"
+></TD
+><TD
+WIDTH="10%"
+ALIGN="right"
+VALIGN="bottom"
+><A
+HREF="c84.html"
+ACCESSKEY="N"
+>Next</A
+></TD
+></TR
+></TABLE
+><HR
+ALIGN="LEFT"
+WIDTH="100%"></DIV
+><DIV
+CLASS="CHAPTER"
+><H1
+><A
+NAME="AEN54"
+></A
+>Chapter 2. Installing Broccoli</H1
+><P
+>      The installation process will hopefully be painless: Broccoli is installed from source
+      using the usual <B
+CLASS="COMMAND"
+>./configure &lt;options&gt; &#38;&#38; make &#38;&#38; make install</B
+>
+      routine after extraction of the tarball. Or if you're on a Linux systems supporting
+      RPMs, we provide those as well.
+    </P
+><P
+>      The relevant configuration options to pass to configure are:
+      <P
+></P
+><UL
+><LI
+><P
+><B
+CLASS="COMMAND"
+>--prefix=&lt;DIR&gt;</B
+>: sets the installation root to DIR.
+	  The default is to install below <TT
+CLASS="FILENAME"
+>/usr/local</TT
+>.</P
+></LI
+><LI
+><P
+><B
+CLASS="COMMAND"
+>--enable-debug</B
+>: enables debugging output.
+          Please refer to the <A
+HREF="c84.html#AEN818"
+>Broccoli debugging</A
+>
+	  section for details on configuring and using debugging output.
+          </P
+></LI
+><LI
+><P
+><B
+CLASS="COMMAND"
+>--with-configfile=&lt;FILE&gt;</B
+>: use FILE as location of configuration file.
+	  See the section on <A
+HREF="c84.html#AEN665"
+>configuration files</A
+>
+	  below for more on this.
+	  </P
+></LI
+><LI
+><P
+><B
+CLASS="COMMAND"
+>--with-openssl=&lt;DIR&gt;</B
+>: use the OpenSSL installation below DIR.</P
+></LI
+><LI
+><P
+><B
+CLASS="COMMAND"
+>--with-kerberos=&lt;DIR&gt;</B
+>: use the Kerberos installation below DIR.</P
+></LI
+></UL
+>
+    </P
+><P
+>      After installation, you'll find the library in shared and static versions in <TT
+CLASS="FILENAME"
+>&lt;prefix&gt;/lib</TT
+>
+      the header file for compilation in <TT
+CLASS="FILENAME"
+>&lt;prefix&gt;/include</TT
+>, and the
+      manual in HTML below <TT
+CLASS="FILENAME"
+>&lt;prefix&gt;/share/gtk-doc/html/broccoli</TT
+>.      
+    </P
+><P
+>      When installing from source, you can get rid of the installation using <B
+CLASS="COMMAND"
+>make uninstall</B
+>.
+    </P
+></DIV
+><DIV
+CLASS="NAVFOOTER"
+><HR
+ALIGN="LEFT"
+WIDTH="100%"><TABLE
+SUMMARY="Footer navigation table"
+WIDTH="100%"
+BORDER="0"
+CELLPADDING="0"
+CELLSPACING="0"
+><TR
+><TD
+WIDTH="33%"
+ALIGN="left"
+VALIGN="top"
+><A
+HREF="c20.html"
+ACCESSKEY="P"
+>Prev</A
+></TD
+><TD
+WIDTH="34%"
+ALIGN="center"
+VALIGN="top"
+><A
+HREF="index.html"
+ACCESSKEY="H"
+>Home</A
+></TD
+><TD
+WIDTH="33%"
+ALIGN="right"
+VALIGN="top"
+><A
+HREF="c84.html"
+ACCESSKEY="N"
+>Next</A
+></TD
+></TR
+><TR
+><TD
+WIDTH="33%"
+ALIGN="left"
+VALIGN="top"
+>Introduction</TD
+><TD
+WIDTH="34%"
+ALIGN="center"
+VALIGN="top"
+>&nbsp;</TD
+><TD
+WIDTH="33%"
+ALIGN="right"
+VALIGN="top"
+>Using Broccoli</TD
+></TR
+></TABLE
+></DIV
+></BODY
+></HTML
+>
\ No newline at end of file
diff --git a/aux/broccoli/docs/html/c84.html b/aux/broccoli/docs/html/c84.html
new file mode 100644
index 0000000000..66175af506
--- /dev/null
+++ b/aux/broccoli/docs/html/c84.html
@@ -0,0 +1,4038 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<HTML
+><HEAD
+><TITLE
+>Using Broccoli</TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet Version 1.79"><LINK
+REL="HOME"
+TITLE="Broccoli: The Bro Client Communications Library"
+HREF="index.html"><LINK
+REL="PREVIOUS"
+TITLE="Installing Broccoli"
+HREF="c54.html"><LINK
+REL="NEXT"
+TITLE="Broccoli API Reference"
+HREF="api.html"><LINK
+REL="STYLESHEET"
+TYPE="text/css"
+HREF="stylesheet.css"></HEAD
+><BODY
+CLASS="CHAPTER"
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+LINK="#0000FF"
+VLINK="#840084"
+ALINK="#0000FF"
+><DIV
+CLASS="NAVHEADER"
+><TABLE
+SUMMARY="Header navigation table"
+WIDTH="100%"
+BORDER="0"
+CELLPADDING="0"
+CELLSPACING="0"
+><TR
+><TH
+COLSPAN="3"
+ALIGN="center"
+>Broccoli: The Bro Client Communications Library</TH
+></TR
+><TR
+><TD
+WIDTH="10%"
+ALIGN="left"
+VALIGN="bottom"
+><A
+HREF="c54.html"
+ACCESSKEY="P"
+>Prev</A
+></TD
+><TD
+WIDTH="80%"
+ALIGN="center"
+VALIGN="bottom"
+></TD
+><TD
+WIDTH="10%"
+ALIGN="right"
+VALIGN="bottom"
+><A
+HREF="api.html"
+ACCESSKEY="N"
+>Next</A
+></TD
+></TR
+></TABLE
+><HR
+ALIGN="LEFT"
+WIDTH="100%"></DIV
+><DIV
+CLASS="CHAPTER"
+><H1
+><A
+NAME="AEN84"
+></A
+>Chapter 3. Using Broccoli</H1
+><DIV
+CLASS="TOC"
+><DL
+><DT
+><B
+>Table of Contents</B
+></DT
+><DT
+>3.1. <A
+HREF="c84.html#AEN87"
+>Obtaining information about your build using <TT
+CLASS="FILENAME"
+>broccoli-config</TT
+></A
+></DT
+><DT
+>3.2. <A
+HREF="c84.html#AEN121"
+>Suggestions for instrumenting applications</A
+></DT
+><DT
+>3.3. <A
+HREF="c84.html#AEN134"
+>The Broccoli API</A
+></DT
+><DT
+>3.4. <A
+HREF="c84.html#AEN738"
+>Configuring encrypted communication</A
+></DT
+><DT
+>3.5. <A
+HREF="c84.html#AEN784"
+>Configuring event reception in Bro policies</A
+></DT
+><DT
+>3.6. <A
+HREF="c84.html#AEN818"
+>Configuring debugging output</A
+></DT
+><DT
+>3.7. <A
+HREF="c84.html#AEN842"
+>Test programs</A
+></DT
+></DL
+></DIV
+><P
+>    </P
+><BR
+CLEAR="all"><DIV
+CLASS="SECT1"
+><H1
+CLASS="SECT1"
+><A
+NAME="AEN87"
+>3.1. Obtaining information about your build using <TT
+CLASS="FILENAME"
+>broccoli-config</TT
+></A
+></H1
+><P
+>	Similarly to many other software packages, the Broccoli distribution
+	provides a script that you can use to obtain details about your
+	Broccoli setup. The script currently provides the following flags:
+	<P
+></P
+><UL
+><LI
+><P
+><B
+CLASS="COMMAND"
+>--build</B
+> prints the name of the machine the build was
+		made on, when, and whether debugging support was enabled or not.</P
+></LI
+><LI
+><P
+><B
+CLASS="COMMAND"
+>--prefix</B
+> prints the directory in the filesystem
+		below which Broccoli was installed.</P
+></LI
+><LI
+><P
+><B
+CLASS="COMMAND"
+>--version</B
+> prints the version of the distribution
+		you have installed.</P
+></LI
+><LI
+><P
+><B
+CLASS="COMMAND"
+>--libs</B
+> prints the flags to pass to the
+		linker in order to link in the Broccoli library.</P
+></LI
+><LI
+><P
+><B
+CLASS="COMMAND"
+>--cflags</B
+> prints the flags to pass to the
+		compiler in order to properly include Broccoli's header file.</P
+></LI
+><LI
+><P
+><B
+CLASS="COMMAND"
+>--config</B
+> prints the location of the system-wide
+		config file your installation will use.</P
+></LI
+></UL
+>	 
+      </P
+><P
+>	  The <TT
+CLASS="FILENAME"
+>--cflags</TT
+> and <TT
+CLASS="FILENAME"
+>--libs</TT
+> flags
+	  are the suggested way of obtaining the necessary information for integrating
+	  Broccoli into your build environment. It is generally recommended to use
+	  <TT
+CLASS="FILENAME"
+>broccoli-config</TT
+> for this purpose, rather than, say,
+	  develop new <B
+CLASS="COMMAND"
+>autoconf </B
+> tests. 
+          If you use the <B
+CLASS="COMMAND"
+>autoconf</B
+>/<B
+CLASS="COMMAND"
+>automake</B
+>
+          tools, we recommend something along the following lines for your
+	  <TT
+CLASS="FILENAME"
+>configure</TT
+> script:
+      </P
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>dnl ##################################################
+dnl # Check for Broccoli
+dnl ##################################################
+AC_ARG_WITH(broccoli-config,
+    AC_HELP_STRING([--with-broccoli-config=FILE], [Use given broccoli-config]),
+    [ brocfg="$withval" ],
+    [ AC_PATH_GENERIC(broccoli,,
+          brocfg="broccoli-config",
+          AC_MSG_ERROR(Cannot find Broccoli: Is broccoli-config in path? Use more fertilizer?)) ])
+
+broccoli_libs=`$brocfg --libs`
+broccoli_cflags=`$brocfg --cflags`
+AC_SUBST(broccoli_libs)
+AC_SUBST(broccoli_cflags)
+      </PRE
+></TD
+></TR
+></TABLE
+><P
+>      You can then use the compiler/linker flags in your Makefile.in/ams by
+      substituting in the values accordingly, which might look as follows:
+      </P
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>CFLAGS = -W -Wall -g -DFOOBAR @broccoli_cflags@
+LDFLAGS = -L/usr/lib/foobar @broccoli_libs@
+      </PRE
+></TD
+></TR
+></TABLE
+></DIV
+><BR
+CLEAR="all"><DIV
+CLASS="SECT1"
+><H1
+CLASS="SECT1"
+><A
+NAME="AEN121"
+>3.2. Suggestions for instrumenting applications</A
+></H1
+><P
+>          Often you will want to make existing applications Bro-aware,
+	  that is, <SPAN
+CLASS="emphasis"
+><B
+CLASS="EMPHASIS"
+>instrument</B
+></SPAN
+> them so that they can send and
+	  receive Bro events at appropriate moments in the execution flow.
+	  This will involve modifying an existing code tree, so care needs to
+	  be taken to avoid unwanted side effects. By protecting the instrumented
+	  code with
+	  <CODE
+CLASS="FUNCTION"
+>#ifdef</CODE
+>/<CODE
+CLASS="FUNCTION"
+>#endif</CODE
+>
+	  statements you can still build the original application, using the
+	  instrumented source tree. The <TT
+CLASS="FILENAME"
+>broccoli-config</TT
+> script helps you in doing so because
+	  it already adds <CODE
+CLASS="FUNCTION"
+>-DBROCCOLI</CODE
+> to the compiler flags
+	  reported when run with the <TT
+CLASS="FILENAME"
+>--cflags</TT
+> option:
+      </P
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>cpk25@localhost:/home/cpk25 &#62; broccoli-config --cflags
+-I/usr/local/include -I/usr/local/include -DBROCCOLI
+      </PRE
+></TD
+></TR
+></TABLE
+><P
+>	  So simply surround all inserted code with a preprocessor check
+	  for <CODE
+CLASS="FUNCTION"
+>BROCCOLI</CODE
+> and you will be able to
+	  build the original application as soon as <CODE
+CLASS="FUNCTION"
+>BROCCOLI</CODE
+>
+	  is not defined.
+      </P
+></DIV
+><BR
+CLEAR="all"><DIV
+CLASS="SECT1"
+><H1
+CLASS="SECT1"
+><A
+NAME="AEN134"
+>3.3. The Broccoli API</A
+></H1
+><P
+>          Time for some code. In the code snippets below we will introduce variables
+	  whenever context requires them and not necessarily when C requires them.
+	  The library does not require calling a global initialization function.
+	  In order to make the API known, include <TT
+CLASS="FILENAME"
+>broccoli.h</TT
+>:
+      </P
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>#ifdef BROCCOLI
+#include &#60;broccoli.h&#62;
+#endif
+      </PRE
+></TD
+></TR
+></TABLE
+><DIV
+CLASS="NOTE"
+><P
+></P
+><TABLE
+CLASS="NOTE"
+WIDTH="100%"
+BORDER="0"
+><TR
+><TD
+WIDTH="25"
+ALIGN="CENTER"
+VALIGN="TOP"
+><IMG
+SRC="images/note.gif"
+HSPACE="5"
+ALT="Note"></TD
+><TD
+ALIGN="LEFT"
+VALIGN="TOP"
+><P
+><SPAN
+CLASS="emphasis"
+><B
+CLASS="EMPHASIS"
+>A note on Broccoli's memory management philosophy:</B
+></SPAN
+></P
+><P
+>Broccoli generally does not release objects you allocate.
+	    The approach taken is "you clean up what you allocate."
+	</P
+></TD
+></TR
+></TABLE
+></DIV
+><BR
+CLEAR="all"><DIV
+CLASS="SECT2"
+><H2
+CLASS="SECT2"
+><A
+NAME="AEN143"
+>3.3.1. Initialization</A
+></H2
+><P
+>	  Broccoli requires global initialization before most of its
+	  other other functions can be used. Generally, the way to
+	  initialize Broccoli is as follows:
+        </P
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>bro_init(NULL);
+        </PRE
+></TD
+></TR
+></TABLE
+><P
+>          The argument to
+          <CODE
+CLASS="FUNCTION"
+>bro_init()</CODE
+>
+          provides optional initialization context, and may be kept
+          <CODE
+CLASS="CONSTANT"
+>NULL</CODE
+> for normal use. If required, you may
+          allocate a <TT
+CLASS="FILENAME"
+>BroCtx</TT
+> structure locally,
+          initialize it using
+          <CODE
+CLASS="FUNCTION"
+>bro_ctx_init()</CODE
+>,
+          fill in additional values as required and and subsequently pass it to
+          <CODE
+CLASS="FUNCTION"
+>bro_init()</CODE
+>:
+        </P
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>BroCtx ctx;
+bro_ctx_init(&#38;ctx);
+/* Make adjustments to the context structure as required... */
+bro_init(&#38;ctx);
+        </PRE
+></TD
+></TR
+></TABLE
+><DIV
+CLASS="CAUTION"
+><P
+></P
+><TABLE
+CLASS="CAUTION"
+WIDTH="100%"
+BORDER="0"
+><TR
+><TD
+WIDTH="25"
+ALIGN="CENTER"
+VALIGN="TOP"
+><IMG
+SRC="images/caution.gif"
+HSPACE="5"
+ALT="Caution"></TD
+><TD
+ALIGN="LEFT"
+VALIGN="TOP"
+><P
+>          The <TT
+CLASS="FILENAME"
+>BroCtx</TT
+> structure currently contains
+          a set of five different callback function pointers.  These
+          are <SPAN
+CLASS="emphasis"
+><B
+CLASS="EMPHASIS"
+>required</B
+></SPAN
+> for thread-safe operation
+          of OpenSSL (Broccoli itself is thread-safe).  If you intend
+          to use Broccoli in a multithreaded environment, you need to
+          implement functions and register them via the
+          <TT
+CLASS="FILENAME"
+>BroCtx</TT
+> structure.  The O'Reilly book
+          "Network Security with OpenSSL" by Viega et al. shows how to
+          implement these callbacks.
+          </P
+></TD
+></TR
+></TABLE
+></DIV
+><DIV
+CLASS="CAUTION"
+><P
+></P
+><TABLE
+CLASS="CAUTION"
+WIDTH="100%"
+BORDER="0"
+><TR
+><TD
+WIDTH="25"
+ALIGN="CENTER"
+VALIGN="TOP"
+><IMG
+SRC="images/caution.gif"
+HSPACE="5"
+ALT="Caution"></TD
+><TD
+ALIGN="LEFT"
+VALIGN="TOP"
+><P
+>You <SPAN
+CLASS="emphasis"
+><B
+CLASS="EMPHASIS"
+>must</B
+></SPAN
+> call
+          <CODE
+CLASS="FUNCTION"
+>bro_init()</CODE
+>
+	  at the start of your application. Undefined behavior may result
+          if you don't.
+          </P
+></TD
+></TR
+></TABLE
+></DIV
+></DIV
+><BR
+CLEAR="all"><DIV
+CLASS="SECT2"
+><H2
+CLASS="SECT2"
+><A
+NAME="AEN167"
+>3.3.2. Data types in Broccoli</A
+></H2
+><P
+>	  Broccoli declares a number of data types in <TT
+CLASS="FILENAME"
+>broccoli.h</TT
+> that
+	  you should know about. The more complex ones are kept opaque, while you do get
+	  access to the fields in the simpler ones. The full list is as follows:
+
+	  <P
+></P
+><UL
+><LI
+><P
+>Simple signed and unsigned types: <SPAN
+CLASS="TYPE"
+>int</SPAN
+>, <SPAN
+CLASS="TYPE"
+>uint</SPAN
+>,
+	        <SPAN
+CLASS="TYPE"
+>uint32</SPAN
+>, <SPAN
+CLASS="TYPE"
+>uint16</SPAN
+> and <SPAN
+CLASS="TYPE"
+>uchar</SPAN
+>.</P
+></LI
+><LI
+><P
+>Connection handles: <SPAN
+CLASS="TYPE"
+>BroConn</SPAN
+>, kept opaque.</P
+></LI
+><LI
+><P
+>Bro events: <SPAN
+CLASS="TYPE"
+>BroEvent</SPAN
+>, kept opaque.</P
+></LI
+><LI
+><P
+>Buffer objects: <SPAN
+CLASS="TYPE"
+>BroBuf</SPAN
+>, kept opaque. See the separate
+	      <A
+HREF="c84.html#AEN696"
+>section on buffer management</A
+> for details.</P
+></LI
+><LI
+><P
+>Ports: <SPAN
+CLASS="TYPE"
+>BroPort</SPAN
+> for network ports, defined as follows:
+	      </P
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>typedef struct bro_port {
+  uint16       port_num;   /* port number in host byte order */
+  int          port_proto; /* IPPROTO_xxx */
+} BroPort;
+              </PRE
+></TD
+></TR
+></TABLE
+></LI
+><LI
+><P
+>Records: <SPAN
+CLASS="TYPE"
+>BroRecord</SPAN
+>, kept opaque. See the separate
+	      <A
+HREF="c84.html#AEN554"
+>section on record handling</A
+> for details.</P
+></LI
+><LI
+><P
+>Strings (character and binary): <SPAN
+CLASS="TYPE"
+>BroString</SPAN
+>, defined as follows:
+	      </P
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>typedef struct bro_string {
+  int          str_len;
+  char        *str_val;
+} BroString;
+              </PRE
+></TD
+></TR
+></TABLE
+><P
+>	      BroStrings are mostly kept transparent for convenience; please have a look at the
+	      string API:
+<A
+HREF="broccoli-broccoli.html#BRO-STRING-INIT"
+><CODE
+CLASS="FUNCTION"
+>bro_string_init()</CODE
+></A
+>,
+<A
+HREF="broccoli-broccoli.html#BRO-STRING-SET"
+><CODE
+CLASS="FUNCTION"
+>bro_string_set()</CODE
+></A
+>,
+<A
+HREF="broccoli-broccoli.html#BRO-STRING-SET-DATA"
+><CODE
+CLASS="FUNCTION"
+>bro_string_set_data()</CODE
+></A
+>,
+<A
+HREF="broccoli-broccoli.html#BRO-STRING-COPY"
+><CODE
+CLASS="FUNCTION"
+>bro_string_copy()</CODE
+></A
+>,
+<A
+HREF="broccoli-broccoli.html#BRO-STRING-CLEANUP"
+><CODE
+CLASS="FUNCTION"
+>bro_string_cleanup()</CODE
+></A
+>, and
+<A
+HREF="broccoli-broccoli.html#BRO-STRING-FREE"
+><CODE
+CLASS="FUNCTION"
+>bro_string_free()</CODE
+></A
+>.
+	      </P
+></LI
+><LI
+><P
+>Tables: <SPAN
+CLASS="TYPE"
+>BroTable</SPAN
+>, kept opaque. See the separate
+	      <A
+HREF="c84.html#AEN599"
+>section on table handling</A
+> for details.</P
+></LI
+><LI
+><P
+>Sets: <SPAN
+CLASS="TYPE"
+>BroSet</SPAN
+>, kept opaque. See the separate
+	      <A
+HREF="c84.html#AEN636"
+>section on table handling</A
+> for details.</P
+></LI
+><LI
+><P
+>Subnets: <SPAN
+CLASS="TYPE"
+>BroSubnet</SPAN
+>, defined as follows:
+	      </P
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>typedef struct bro_subnet
+{
+  uint32       sn_net;     /* IP address in network byte order */
+  uint32       sn_width;   /* Length of prefix to consider. */
+} BroSubnet;
+              </PRE
+></TD
+></TR
+></TABLE
+></LI
+></UL
+>
+	</P
+></DIV
+><BR
+CLEAR="all"><DIV
+CLASS="SECT2"
+><H2
+CLASS="SECT2"
+><A
+NAME="AEN226"
+>3.3.3. Managing connections</A
+></H2
+><P
+>	    You can use Broccoli to establish a connection to a remote Bro, or to create a
+	    Broccoli-enabled server application that other Bros will connect to. (This
+	    means that in principle, you can also use Broccoli purely as middleware and
+	    have multiple Broccoli applications communicate directly.)
+        </P
+><P
+>	    
+	    In order to establish a connection to a remote Bro, you first obtain a connection
+	    handle. You then use this connection handle to request events, connect to the
+	    remote Bro, send events, etc. Connection handles are pointers to <CODE
+CLASS="FUNCTION"
+>BroConn</CODE
+>
+	    structures, which are kept opaque. Use
+	    <A
+HREF="broccoli-broccoli.html#BRO-CONN-NEW"
+><CODE
+CLASS="FUNCTION"
+>bro_conn_new()</CODE
+></A
+> or
+	    <A
+HREF="broccoli-broccoli.html#BRO-CONN-NEW-STR"
+><CODE
+CLASS="FUNCTION"
+>bro_conn_new_str()</CODE
+></A
+>
+	    to obtain a handle, depending on what parameters are more convenient for
+	    you: the former accepts the IP address and port number as separate numerical
+	    arguments, the latter uses a single string to encode both, in "hostname:port"
+	    format.
+        </P
+><P
+>	    To write a Broccoli-enabled server, you first need to implement the usual
+	    <CODE
+CLASS="FUNCTION"
+>socket()</CODE
+> / <CODE
+CLASS="FUNCTION"
+>bind()</CODE
+> /
+	    <CODE
+CLASS="FUNCTION"
+>listen()</CODE
+> / <CODE
+CLASS="FUNCTION"
+>accept()</CODE
+> routine.
+	    Once you have obtained a file descriptor for the new connection from <CODE
+CLASS="FUNCTION"
+>accept()</CODE
+>,
+	    you pass it to the third function that returns a <CODE
+CLASS="FUNCTION"
+>BroConn</CODE
+>
+	    handle, 
+	    <A
+HREF="broccoli-broccoli.html#BRO-CONN-NEW-SOCKET"
+><CODE
+CLASS="FUNCTION"
+>bro_conn_new_socket()</CODE
+></A
+>.
+	    The rest of the connection handling then proceeds as in the client scenario.
+        </P
+><P
+>	    
+	    All three calls accept additional flags for fine-tuning connection behaviour.
+	    These flags are:
+	    <P
+></P
+><UL
+><LI
+><P
+><CODE
+CLASS="CONSTANT"
+>BRO_CFLAG_NONE</CODE
+>: no functionality. Use when
+		  no flags are desired.
+		</P
+></LI
+><LI
+><P
+><CODE
+CLASS="CONSTANT"
+>BRO_CFLAG_RECONNECT</CODE
+>:
+		  When using this option, Broccoli will attempt to reconnect to the peer
+		  after lost connectivity transparently. Essentially whenever you try to
+		  read from or write to the peer and its connection broke down, a
+		  full reconnect including complete handshaking is attempted. You can check
+		  whether the connection to a peer is alive at any time using
+	    	  <A
+HREF="broccoli-broccoli.html#BRO-CONN-ALIVE"
+><CODE
+CLASS="FUNCTION"
+>bro_conn_alive()</CODE
+></A
+>.
+		</P
+></LI
+><LI
+><P
+><CODE
+CLASS="CONSTANT"
+>BRO_CFLAG_ALWAYS_QUEUE</CODE
+>:
+		  When using this option, Broccoli will queue any events you send for
+		  later transmission when a connection is currently down. Without using this
+		  flag, any events you attempt to send while a connection is down get dropped
+		  on the floor. Note that Broccoli maintains a maximum queue size per connection
+		  so if you attempt to send lots of events while the connection is down, the
+		  oldest events may start to get dropped nonetheless. Again, you can check
+		  whether the connection is currently okay by using
+	    	  <A
+HREF="broccoli-broccoli.html#BRO-CONN-ALIVE"
+><CODE
+CLASS="FUNCTION"
+>bro_conn_alive()</CODE
+></A
+>.
+		</P
+></LI
+><LI
+><P
+><CODE
+CLASS="CONSTANT"
+>BRO_CFLAG_DONTCACHE</CODE
+>:
+		  When using this option, Broccoli will ask the peer not to use caching on
+		  the objects it sends to us. This is the default, and the flag need not
+		  normally be used. It is kept to maintain backward compatibility.
+		</P
+></LI
+><LI
+><P
+><CODE
+CLASS="CONSTANT"
+>BRO_CFLAG_CACHE</CODE
+>:
+		  When using this option, Broccoli will ask the peer to use caching on
+		  the objects it sends to us. Caching is normally disabled.
+		</P
+></LI
+><LI
+><P
+><CODE
+CLASS="CONSTANT"
+>BRO_CFLAG_YIELD</CODE
+>: When
+                using this option,
+                <CODE
+CLASS="FUNCTION"
+>bro_conn_process_input()</CODE
+>
+                processes at most one event at a time and then
+                returns. 
+		</P
+></LI
+></UL
+>
+                
+        </P
+><P
+>	    By obtaining a connection handle, you do not also establish a connection right
+	    away. This is done using 
+	    <A
+HREF="broccoli-broccoli.html#BRO-CONN-CONNECT"
+><CODE
+CLASS="FUNCTION"
+>bro_conn_connect()</CODE
+></A
+>.
+	    The main reason for this is to allow you to subscribe to events
+	    (using
+	    <A
+HREF="broccoli-broccoli.html#BRO-EVENT-REGISTRY-ADD"
+><CODE
+CLASS="FUNCTION"
+>bro_event_registry_add()</CODE
+></A
+>,
+	    see <A
+HREF="c84.html#AEN461"
+>below</A
+>)
+	    before establishing the connection. Upon returning from 
+	    <A
+HREF="broccoli-broccoli.html#BRO-CONN-CONNECT"
+><CODE
+CLASS="FUNCTION"
+>bro_conn_connect()</CODE
+></A
+>
+	    you are guaranteed to receive all instances of the event types you have
+	    requested, while later on during the connection some time may elapse between
+	    the issuing of a request for events and the processing of that request at the
+	    remote end.
+	    Connections are established via TCP, optionally using SSL encryption. See
+	    <A
+HREF="c84.html#AEN738"
+>"Configuring encrypted communication"</A
+> below for more
+	    information on setting up enncryption.
+	    The port numbers Bro agents and Broccoli applications listen on can vary from peer
+	    to peer. 
+	</P
+><P
+>	    Finally, <A
+HREF="broccoli-broccoli.html#BRO-CONN-DELETE"
+><CODE
+CLASS="FUNCTION"
+>bro_conn_delete()</CODE
+></A
+>
+	    terminates a connection and releases all resources associated with it.
+	    You can create as many connections as you like, to one or more peers.
+	    You can obtain the file descriptor of a connection using
+	    <A
+HREF="broccoli-broccoli.html#BRO-CONN-GET-FD"
+><CODE
+CLASS="FUNCTION"
+>bro_conn_get_fd()</CODE
+></A
+>.
+        </P
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>char host_str = "bro.yourorganization.com";
+int port      = 1234;
+struct hostent *host;
+BroConn *bc;
+
+if (! (host = gethostbyname(host_str)) ||
+    ! (host-&#62;h_addr_list[0])) {
+	/* Error handling -- could not resolve host */
+}
+
+/* In this example, we obtain a connection handle, then register event handlers,
+ * and finally connect to the remote Bro.
+ *
+ * First obtain a connection handle:
+ */
+if (! (bc = bro_conn_new((struct in_addr*) host-&#62;h_addr_list[0], htons(port), BRO_CFLAG_NONE))) {
+	/* Error handling  - could not get connection handle */
+}
+
+/* Register event handlers:
+ */
+bro_event_registry_add(bc, "foo", bro_foo_handler, NULL);
+/* ... */
+
+/* Now connect to the peer:
+ */
+if (! bro_conn_connect(bc)) {
+	/* Error handling - could not connect to remote Bro. */
+}
+
+/* Send and receive events ... */
+
+/* Disconnect from Bro and clean up connection */
+bro_conn_delete(bc);
+        </PRE
+></TD
+></TR
+></TABLE
+><P
+>	    Or simply use the string-based version:
+	</P
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>char host_str = "bro.yourcompany.com:1234";
+BroConn *bc;
+
+/* In this example we don't request any events from the peer, but
+ * we ask it not to use the serialization cache.
+ *
+ * Again, first obtain a connection handle:
+ */
+if (! (bc = bro_conn_new_str(host_str, BRO_CFLAG_DONTCACHE))) {
+	/* Error handling  - could not get connection handle */
+}
+
+/* Now connect to the peer:
+ */
+if (! bro_conn_connect(bc)) {
+	/* Error handling - could not connect to remote Bro. */
+}
+
+/* ... */
+        </PRE
+></TD
+></TR
+></TABLE
+></DIV
+><BR
+CLEAR="all"><DIV
+CLASS="SECT2"
+><H2
+CLASS="SECT2"
+><A
+NAME="AEN286"
+>3.3.4. Connection classes</A
+></H2
+><P
+>	    When you want to establish connections from multiple Broccoli applications
+	    with different purposes, the peer needs a means to understand what kind of
+	    application each connection belongs to. The real meaning of "kind of application"
+	    here is "sets of event types to request", because depending on the class of
+	    an application, the peer will likey want to receive different types of events.
+	</P
+><P
+>	    Broccoli lets you set the class of a connection using
+	    <A
+HREF="broccoli-broccoli.html#BRO-CONN-SET-CLASS"
+><CODE
+CLASS="FUNCTION"
+>bro_conn_set_class()</CODE
+></A
+>.
+	    When using this feature, you need to call that function before issuing a
+	    <A
+HREF="broccoli-broccoli.html#BRO-CONN-CONNECT"
+><CODE
+CLASS="FUNCTION"
+>bro_conn_connect()</CODE
+></A
+>,
+	    since the class of a connection is determined at connection startup.
+	</P
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>if (! (bc = bro_conn_new_str(host_str, BRO_CFLAG_DONTCACHE))) {
+	/* Error handling  - could not get connection handle */
+}
+
+/* Set class of this connection: */
+bro_conn_set_class(bc, "syslog");
+
+if (! bro_conn_connect(bc)) {
+	/* Error handling - could not connect to remote Bro. */
+}
+        </PRE
+></TD
+></TR
+></TABLE
+><P
+>	    If your peer is a Bro node, you need to match the chosen connection class in
+	    the remote Bro's <CODE
+CLASS="FUNCTION"
+>Remote::destinations</CODE
+> configuration.
+	    See <A
+HREF="c84.html#AEN784"
+>below</A
+> for how to do this.
+	    Finally, in order to obtain the class of a connection as indicated by the remote side, use
+	    <A
+HREF="broccoli-broccoli.html#BRO-CONN-GET-PEER-CLASS"
+><CODE
+CLASS="FUNCTION"
+>bro_conn_get_peer_class()</CODE
+></A
+>.
+	</P
+></DIV
+><BR
+CLEAR="all"><DIV
+CLASS="SECT2"
+><H2
+CLASS="SECT2"
+><A
+NAME="AEN300"
+>3.3.5. Composing and sending events</A
+></H2
+><P
+>	    In order to send an event to the remote Bro agent, you first create
+	    an empty event structure with the name of the event, then add parameters
+	    to pass to the event handler at the remote agent, and then send off the
+	    event.
+        </P
+><DIV
+CLASS="NOTE"
+><P
+></P
+><TABLE
+CLASS="NOTE"
+WIDTH="100%"
+BORDER="0"
+><TR
+><TD
+WIDTH="25"
+ALIGN="CENTER"
+VALIGN="TOP"
+><IMG
+SRC="images/note.gif"
+HSPACE="5"
+ALT="Note"></TD
+><TD
+ALIGN="LEFT"
+VALIGN="TOP"
+><P
+>            <SPAN
+CLASS="emphasis"
+><B
+CLASS="EMPHASIS"
+>Bro peers ignore unrequested events.</B
+></SPAN
+>
+          </P
+><P
+>	    You need to make sure that the remote Bro agent is interested in receiving
+	    the events you send. This interest is expressed in policy configuration.
+	    We'll explain this in more detail <A
+HREF="c84.html#AEN784"
+>below</A
+>
+	    and for now assume that our remote peer is configured to receive the
+	    events we send.
+          </P
+></TD
+></TR
+></TABLE
+></DIV
+><P
+>	    Let's assume we want to request a report of all connections a remote
+	    Bro currently keeps state for that match a given destination port and
+	    host name and that have amassed more than a certain number of bytes.
+	    The idea is to send an event to the remote Bro that contains the
+	    query, identifiable through a request ID, and have the remote Bro
+	    answer us with <CODE
+CLASS="FUNCTION"
+>remote_conn</CODE
+> events
+	    containing the information we asked for. The definition of our
+	    requesting event could look as follows in the Bro policy:
+        </P
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>event report_conns(req_id: int, dest_host: string, dest_port: port, min_size: count);
+        </PRE
+></TD
+></TR
+></TABLE
+><P
+>            First, create a new event:
+        </P
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>BroEvent *ev;
+
+if (! (ev = bro_event_new("report_conns"))) {
+	/* Error handling - could not allocate new event. */
+}
+        </PRE
+></TD
+></TR
+></TABLE
+><P
+>	    Now we need to add parameters to the event. The sequence and types must
+	    match the event handler declaration &mdash; check the Bro policy to make
+	    sure they match. The function to use for adding parameter values is
+	    <A
+HREF="broccoli-broccoli.html#BRO-EVENT-ADD-VAL"
+><CODE
+CLASS="FUNCTION"
+>bro_event_add_val()</CODE
+></A
+>
+	    All values are passed as <SPAN
+CLASS="emphasis"
+><B
+CLASS="EMPHASIS"
+>pointer arguments</B
+></SPAN
+> and are copied internally,
+	    so the object you're pointing to stays unmodified at all times. You clean
+	    up what you allocate. In order to indicate the type of the value passed into the
+	    function, you need to pass a numerical type identifier along as well.
+            <A
+HREF="c84.html#TABLE-1"
+>Table 1</A
+> lists the value types that Broccoli supports along with
+	    the type identifier and data structures to point to.
+	</P
+><DIV
+CLASS="TABLE"
+><A
+NAME="TABLE-1"
+></A
+><P
+><B
+>Table 3-1. Types, type tags, and data structures for event parameters in Broccoli</B
+></P
+><TABLE
+BORDER="1"
+FRAME="vsides"
+RULES="all"
+CLASS="CALSTABLE"
+><COL><COL><COL><THEAD
+><TR
+><TH
+ALIGN="CENTER"
+>Type</TH
+><TH
+ALIGN="CENTER"
+>Type tag</TH
+><TH
+ALIGN="CENTER"
+>Data type pointed to</TH
+></TR
+></THEAD
+><TBODY
+><TR
+><TD
+>Boolean</TD
+><TD
+><CODE
+CLASS="CONSTANT"
+>BRO_TYPE_BOOL</CODE
+></TD
+><TD
+><CODE
+CLASS="FUNCTION"
+>int</CODE
+></TD
+></TR
+><TR
+><TD
+>Integer value</TD
+><TD
+><CODE
+CLASS="CONSTANT"
+>BRO_TYPE_INT</CODE
+></TD
+><TD
+><CODE
+CLASS="FUNCTION"
+>int</CODE
+></TD
+></TR
+><TR
+><TD
+>Counter (nonnegative integers)</TD
+><TD
+><CODE
+CLASS="CONSTANT"
+>BRO_TYPE_COUNT</CODE
+></TD
+><TD
+><CODE
+CLASS="FUNCTION"
+>uint32</CODE
+></TD
+></TR
+><TR
+><TD
+>Enums (enumerated values)</TD
+><TD
+><CODE
+CLASS="CONSTANT"
+>BRO_TYPE_ENUM</CODE
+></TD
+><TD
+><CODE
+CLASS="FUNCTION"
+>int</CODE
+> (see also the description of
+         <A
+HREF="broccoli-broccoli.html#BRO-EVENT-ADD-VAL"
+><CODE
+CLASS="FUNCTION"
+>bro_event_add_val()</CODE
+></A
+>'s
+	 <CODE
+CLASS="FUNCTION"
+>type_name</CODE
+> argument below)</TD
+></TR
+><TR
+><TD
+>Floating-point number</TD
+><TD
+><CODE
+CLASS="CONSTANT"
+>BRO_TYPE_DOUBLE</CODE
+></TD
+><TD
+><CODE
+CLASS="FUNCTION"
+>double</CODE
+></TD
+></TR
+><TR
+><TD
+>Timestamp</TD
+><TD
+><CODE
+CLASS="CONSTANT"
+>BRO_TYPE_TIME</CODE
+></TD
+><TD
+><CODE
+CLASS="FUNCTION"
+>double</CODE
+> (see also
+         <A
+HREF="broccoli-broccoli.html#BRO-UTIL-TIMEVAL-TO-DOUBLE"
+><CODE
+CLASS="FUNCTION"
+>bro_util_timeval_to_double()</CODE
+></A
+> and
+	 <A
+HREF="broccoli-broccoli.html#BRO-UTIL-CURRENT-TIME"
+><CODE
+CLASS="FUNCTION"
+>bro_util_current_time()</CODE
+></A
+>)</TD
+></TR
+><TR
+><TD
+>Time interval</TD
+><TD
+><CODE
+CLASS="CONSTANT"
+>BRO_TYPE_INTERVAL</CODE
+></TD
+><TD
+><CODE
+CLASS="FUNCTION"
+>double</CODE
+></TD
+></TR
+><TR
+><TD
+>Strings (text and binary)</TD
+><TD
+><CODE
+CLASS="CONSTANT"
+>BRO_TYPE_STRING</CODE
+></TD
+><TD
+><CODE
+CLASS="FUNCTION"
+>BroString</CODE
+> (see also the family of <CODE
+CLASS="FUNCTION"
+>bro_string_xxx()</CODE
+> functions)</TD
+></TR
+><TR
+><TD
+>Network ports</TD
+><TD
+><CODE
+CLASS="CONSTANT"
+>BRO_TYPE_PORT</CODE
+></TD
+><TD
+><CODE
+CLASS="FUNCTION"
+>BroPort</CODE
+>, with the port number in host byte order</TD
+></TR
+><TR
+><TD
+>IPv4 address</TD
+><TD
+><CODE
+CLASS="CONSTANT"
+>BRO_TYPE_IPADDR</CODE
+></TD
+><TD
+><CODE
+CLASS="FUNCTION"
+>uint32</CODE
+>, in network byte order</TD
+></TR
+><TR
+><TD
+>IPv4 network</TD
+><TD
+><CODE
+CLASS="CONSTANT"
+>BRO_TYPE_NET</CODE
+></TD
+><TD
+><CODE
+CLASS="FUNCTION"
+>uint32</CODE
+>, in network byte order</TD
+></TR
+><TR
+><TD
+>IPv4 subnet</TD
+><TD
+><CODE
+CLASS="CONSTANT"
+>BRO_TYPE_SUBNET</CODE
+></TD
+><TD
+><CODE
+CLASS="FUNCTION"
+>BroSubnet</CODE
+>, with the sn_net member in network byte order</TD
+></TR
+><TR
+><TD
+>Record</TD
+><TD
+><CODE
+CLASS="CONSTANT"
+>BRO_TYPE_RECORD</CODE
+></TD
+><TD
+><CODE
+CLASS="FUNCTION"
+>BroRecord</CODE
+> (see also the family of
+	 <CODE
+CLASS="FUNCTION"
+>bro_record_xxx()</CODE
+> functions and their
+	  explanation below)</TD
+></TR
+><TR
+><TD
+>Table</TD
+><TD
+><CODE
+CLASS="CONSTANT"
+>BRO_TYPE_TABLE</CODE
+></TD
+><TD
+><CODE
+CLASS="FUNCTION"
+>BroTable</CODE
+> (see also the family of
+	 <CODE
+CLASS="FUNCTION"
+>bro_table_xxx()</CODE
+> functions and their
+	  explanation below)</TD
+></TR
+><TR
+><TD
+>Record</TD
+><TD
+><CODE
+CLASS="CONSTANT"
+>BRO_TYPE_SET</CODE
+></TD
+><TD
+><CODE
+CLASS="FUNCTION"
+>BroSet</CODE
+> (see also the family of
+	 <CODE
+CLASS="FUNCTION"
+>bro_set_xxx()</CODE
+> functions and their
+	  explanation below)</TD
+></TR
+></TBODY
+></TABLE
+></DIV
+><P
+>	    Knowing these, we can now compose a 
+	   <CODE
+CLASS="FUNCTION"
+>request_connections</CODE
+> event:
+        </P
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>BroString dest_host;
+BroPort dest_port;
+uint32 min_size;
+int req_id = 0;
+
+bro_event_add_val(ev, BRO_TYPE_INT, NULL, &#38;req_id);
+req_id++;
+
+bro_string_set(&#38;dest_host, "desthost.destdomain.com");
+bro_event_add_val(ev, BRO_TYPE_STRING, NULL, &#38;dest_host);
+bro_string_cleanup(&#38;dest_host);
+
+dest_port.dst_port = 80;
+dest_port.dst_proto = IPPROTO_TCP;
+bro_event_add_val(ev, BRO_TYPE_PORT, NULL, &#38;dest_port);
+
+min_size = 1000;
+bro_event_add_val(ev, BRO_TYPE_COUNT, NULL, &#38;min_size);
+        </PRE
+></TD
+></TR
+></TABLE
+><P
+>	    The third argument to
+	    <A
+HREF="broccoli-broccoli.html#BRO-EVENT-ADD-VAL"
+><CODE
+CLASS="FUNCTION"
+>bro_event_add_val()</CODE
+></A
+>
+	    lets you specify a specialization of the types listed in
+	    <A
+HREF="c84.html#TABLE-1"
+>Table 1</A
+>. This is generally not necessary
+	    except for one situationn: When using <CODE
+CLASS="CONSTANT"
+>BRO_TYPE_ENUM</CODE
+>. You currently
+	    cannot define
+	    a Bro-level enum type in Broccoli, and thus when sending an enum value, you
+	    have to specify the type of the enum along with the value. For example, in order
+	    to add an instance of enum <CODE
+CLASS="FUNCTION"
+>transport_type</CODE
+> defined in
+	    Bro's <TT
+CLASS="FILENAME"
+>bro.init</TT
+>, you would use
+	    <TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>int transport_proto = 2;
+/* ... */
+bro_event_add_val(ev, BRO_TYPE_ENUM, "transport_proto", &#38;transport_proto);
+	    </PRE
+></TD
+></TR
+></TABLE
+>
+	    to get the equivalent of "udp" on the remote side. The same system is used
+	    to point out type names when calling
+	    <A
+HREF="broccoli-broccoli.html#BRO-EVENT-SET-VAL"
+><CODE
+CLASS="FUNCTION"
+>bro_event_set_val()</CODE
+></A
+>,
+	    <A
+HREF="broccoli-broccoli.html#BRO-RECORD-ADD-VAL"
+><CODE
+CLASS="FUNCTION"
+>bro_record_add_val()</CODE
+></A
+>,
+	    <A
+HREF="broccoli-broccoli.html#BRO-RECORD-SET-NTH-VAL"
+><CODE
+CLASS="FUNCTION"
+>bro_record_set_nth_val()</CODE
+></A
+>, and
+	    <A
+HREF="broccoli-broccoli.html#BRO-RECORD-SET-NAMED-VAL"
+><CODE
+CLASS="FUNCTION"
+>bro_record_set_named_val()</CODE
+></A
+>.
+	</P
+><P
+>	    All that's left to do now is to send off the event. For this, use
+	    <A
+HREF="broccoli-broccoli.html#BRO-EVENT-SEND"
+><CODE
+CLASS="FUNCTION"
+>bro_event_send()</CODE
+></A
+>
+	    and pass it the connection handle and the event. The function returns
+	    <CODE
+CLASS="CONSTANT"
+>TRUE</CODE
+> when the event could be sent right away or if
+	    it was queued for later delivery. <CODE
+CLASS="CONSTANT"
+>FALSE</CODE
+> is returned
+	    on error. If the event get queued, this does not indicate an error &mdash;
+	    likely the connection was just not
+	    ready to send the event at this point. Whenever you call
+	    <A
+HREF="broccoli-broccoli.html#BRO-EVENT-SEND"
+><CODE
+CLASS="FUNCTION"
+>bro_event_send()</CODE
+></A
+>,
+            Broccoli attempts to send as much of an existing event queue as possible.
+	    Again, the event is copied internally to make it easier for you to
+	    send the same event repeatedly. You clean up what you allocate.
+	</P
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>bro_event_send(bc, ev);
+bro_event_free(ev);
+        </PRE
+></TD
+></TR
+></TABLE
+><P
+>	    Two other functions may be useful to you:
+	    <A
+HREF="broccoli-broccoli.html#BRO-EVENT-QUEUE-LENGTH"
+><CODE
+CLASS="FUNCTION"
+>bro_event_queue_length()</CODE
+></A
+>
+            tells you how many events are currently queued, and 
+	    <A
+HREF="broccoli-broccoli.html#BRO-EVENT-QUEUE-FLUSH"
+><CODE
+CLASS="FUNCTION"
+>bro_event_queue_flush()</CODE
+></A
+>
+	    attempts to flush the current event queue and returns the number of events that do remain
+	    in the queue after the flush. <SPAN
+CLASS="emphasis"
+><B
+CLASS="EMPHASIS"
+>Note:</B
+></SPAN
+> you do not normally need
+	    to call this function, queue flushing is attempted every time you send an event.
+        </P
+></DIV
+><BR
+CLEAR="all"><DIV
+CLASS="SECT2"
+><H2
+CLASS="SECT2"
+><A
+NAME="AEN461"
+>3.3.6. Receiving events</A
+></H2
+><P
+>	  Receiving events is a little more work because you need to
+        </P
+><P
+></P
+><OL
+TYPE="1"
+><LI
+><P
+>tell Broccoli what to do when requested events arrive,</P
+></LI
+><LI
+><P
+>let the remote Bro agent know that you would like to receive those events,</P
+></LI
+><LI
+><P
+>find a spot in the code path suitable for extracting and processing arriving events.</P
+></LI
+></OL
+><P
+>	  Each of these steps is explained in the following sections.
+	</P
+><BR
+CLEAR="all"><DIV
+CLASS="SECT3"
+><H3
+CLASS="SECT3"
+><A
+NAME="AEN472"
+>3.3.6.1. Implementing event callbacks</A
+></H3
+><P
+>            When Broccoli receives an event, it tries to dispatch the event to callbacks
+	    registered for that event type. The place where callbacks get registered is
+	    called the callback registry. Any callbacks registered for the arriving
+	    event's name are invoked with the parameters shipped with the event. There
+	    are two styles of argument passing to the event callbacks.
+	    Which one is better suited depends on your application.
+	    <P
+></P
+><UL
+><LI
+><P
+><SPAN
+CLASS="emphasis"
+><B
+CLASS="EMPHASIS"
+>Expanded argument passing.</B
+></SPAN
+> Each event argument
+		  is passed via a pointer to the callback. This makes best sense when you
+		  know the type of the event and of its arguments, because it provides you
+		  immediate access to arguments as when using a normal C function.
+		</P
+><P
+>	    	  In order to register a callback with expanded argument passing, use
+	  	  <A
+HREF="broccoli-broccoli.html#BRO-EVENT-REGISTRY-ADD"
+><CODE
+CLASS="FUNCTION"
+>bro_event_registry_add()</CODE
+></A
+>
+		  and pass it the connection handle, the name of the event for which you
+	          register the callback, the callback itself that matches the signature
+	          of the <TT
+CLASS="FILENAME"
+>BroEventFunc</TT
+> type, and any user data (or
+	          <CODE
+CLASS="CONSTANT"
+>NULL</CODE
+>) you want to see passed to the callback on
+	          each invocation. The callback's type is defined rather generically as follows:
+	        </P
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>typedef void (*BroEventFunc) (BroConn *bc, void *user_data, ...);
+                </PRE
+></TD
+></TR
+></TABLE
+><P
+>                  It requires a connection handle as its first argument
+	          and a pointer to user-provided callback data as the second argument.
+                  Broccoli will pass the connection handle of the connection on which the event
+                  arrived through to the callback. <CODE
+CLASS="FUNCTION"
+>BroEventFunc</CODE
+>s
+	          are variadic, because each callback you provide is directly invoked with
+	          pointers to the parameters of the event, in a format directly usable in C.
+	          All you need to know is what type to point to in order to receive the
+	          parameters in the right layout. Refer to <A
+HREF="c84.html#TABLE-1"
+>Table 1</A
+>
+	          again for a summary of those types. Record types are more involved and are
+	          addressed in more detail <A
+HREF="c84.html#AEN554"
+>below</A
+>.
+                </P
+><DIV
+CLASS="NOTE"
+><P
+></P
+><TABLE
+CLASS="NOTE"
+WIDTH="90%"
+BORDER="0"
+><TR
+><TD
+WIDTH="25"
+ALIGN="CENTER"
+VALIGN="TOP"
+><IMG
+SRC="images/note.gif"
+HSPACE="5"
+ALT="Note"></TD
+><TD
+ALIGN="LEFT"
+VALIGN="TOP"
+><P
+>Note that <SPAN
+CLASS="emphasis"
+><B
+CLASS="EMPHASIS"
+>all</B
+></SPAN
+> parameters are passed to the
+	            callback as pointers, even elementary types such as <CODE
+CLASS="CONSTANT"
+>int</CODE
+>s
+	            that would normally be passed directly.
+		    Also note that Broccoli manages the lifecycle of event parameters
+	            and therefore you do <SPAN
+CLASS="emphasis"
+><B
+CLASS="EMPHASIS"
+>not</B
+></SPAN
+> have to clean them up inside
+	            the event handler. 
+                  </P
+></TD
+></TR
+></TABLE
+></DIV
+><P
+>	          Continuing our example, we will want to process the connection reports
+	          that contain the responses to our <CODE
+CLASS="FUNCTION"
+>report_conns</CODE
+>
+	          event. Let's assume those look as follows:
+	        </P
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>event remote_conn(req_id: int, conn: connection);
+                </PRE
+></TD
+></TR
+></TABLE
+><P
+>                  The reply events contain the request ID so we can associate requests
+	          with replies, and a connection record (defined in <TT
+CLASS="FILENAME"
+>bro.init</TT
+>
+	          in Bro. (It'd be nicer to report all replies in a single event but we'll
+	          ignore that for now.) For this event, our callback would look like this:
+	        </P
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>void remote_conn_cb(BroConn *bc, void *user_data, int *req_id, BroRecord *conn);
+                </PRE
+></TD
+></TR
+></TABLE
+><P
+>	          Once more, you clean up what you allocate, and since you never allocated the
+	      	  space these arguments point to, you also don't clean them up. Finally, we register
+	      	  the callback using
+	      	  <A
+HREF="broccoli-broccoli.html#BRO-EVENT-REGISTRY-ADD"
+><CODE
+CLASS="FUNCTION"
+>bro_event_registry_add()</CODE
+></A
+>:	    
+		</P
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>bro_event_registry_add(bc, "remote_conn", remote_conn_cb, NULL);
+	        </PRE
+></TD
+></TR
+></TABLE
+><P
+>		  In this case we have no additional data to be passed into the
+		  callback, so we use <CODE
+CLASS="CONSTANT"
+>NULL</CODE
+> for the last argument.
+		  If you have multiple events you are interested in, register
+		  each one in this fashion.
+		</P
+></LI
+><LI
+><P
+><SPAN
+CLASS="emphasis"
+><B
+CLASS="EMPHASIS"
+>Compact argument passing.</B
+></SPAN
+> This is designed for
+		  situations when you have to determine how to handle different types of
+		  events at runtime, for example when writing language bindings or when
+		  implementing generic event handlers for multiple event types.
+		  The callback is passed a connection handle and the
+		  user data as above but is only passed one additional pointer, to a
+		  <SPAN
+CLASS="TYPE"
+>BroEvMeta</SPAN
+> structure. This structure contains all metadata
+		  about the event, including its name, timestamp (in UTC) of creation,
+		  number of arguments, the arguments'
+		  types (via type tags as listed in <A
+HREF="c84.html#TABLE-1"
+>Table 1</A
+>),
+		  and the arguments themselves.
+		</P
+><P
+>	    	  In order to register a callback with compact argument passing, use
+	  	  <A
+HREF="broccoli-broccoli.html#BRO-EVENT-REGISTRY-ADD-COMPACT"
+><CODE
+CLASS="FUNCTION"
+>bro_event_registry_add_compact()</CODE
+></A
+>
+		  and pass it similar arguments as you'd use with
+	  	  <A
+HREF="broccoli-broccoli.html#BRO-EVENT-REGISTRY-ADD"
+><CODE
+CLASS="FUNCTION"
+>bro_event_registry_add()</CODE
+></A
+>.
+		  The callback's type is defined as follows:
+	        </P
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>typedef void (*BroCompactEventFunc) (BroConn *bc, void *user_data, BroEvMeta *meta);
+                </PRE
+></TD
+></TR
+></TABLE
+><DIV
+CLASS="NOTE"
+><P
+></P
+><TABLE
+CLASS="NOTE"
+WIDTH="90%"
+BORDER="0"
+><TR
+><TD
+WIDTH="25"
+ALIGN="CENTER"
+VALIGN="TOP"
+><IMG
+SRC="images/note.gif"
+HSPACE="5"
+ALT="Note"></TD
+><TD
+ALIGN="LEFT"
+VALIGN="TOP"
+><P
+>As before, Broccoli manages the lifecycle of event parameters.
+	            You do not  have to clean up the <SPAN
+CLASS="TYPE"
+>BroEvMeta</SPAN
+>
+		    structure or any of its contents.
+                  </P
+></TD
+></TR
+></TABLE
+></DIV
+><P
+>		  Below is sample code for extracting the arguments form the <SPAN
+CLASS="TYPE"
+>BroEvMeta</SPAN
+>
+		  structure, using our running example. This is still written with the assumption
+		  that we know the types of the arguments, but note that this is not a requirement
+		  for this style of callback.
+	        </P
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>void remote_conn_cb(BroConn *bc, void *user_data, BroEvMeta *meta)
+{
+	int *req_id;
+	BroRecord *rec;
+
+	/* For demonstration, print out the event's name: */
+
+	printf("Handling a %s event.\n", meta-&#62;ev_name);
+
+	/* Sanity-check the number of arguments: */
+
+	if (meta-&#62;ev_numargs != 2)
+		{ /* error */ }
+
+	/* Sanity-check the argument types: */
+
+	if (meta-&#62;ev_args[0].arg_type != BRO_TYPE_INT)
+		{ /* error */ }
+
+	if (meta-&#62;ev_args[1].arg_type != BRO_TYPE_RECORD)
+		{ /* error */ }
+
+	req_id = (int *) meta-&#62;ev_args[0].arg_data;
+	rec = (BroRecord *) meta-&#62;ev_args[1].arg_data;
+
+	/* ... */
+}
+                </PRE
+></TD
+></TR
+></TABLE
+><P
+>		  Finally, register the callback using
+	      	  <A
+HREF="broccoli-broccoli.html#BRO-EVENT-REGISTRY-ADD-COMPACT"
+><CODE
+CLASS="FUNCTION"
+>bro_event_registry_add_compact()</CODE
+></A
+>:	    
+		</P
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>bro_event_registry_add_compact(bc, "remote_conn", remote_conn_cb, NULL);
+	        </PRE
+></TD
+></TR
+></TABLE
+></LI
+></UL
+>
+	  </P
+></DIV
+><BR
+CLEAR="all"><DIV
+CLASS="SECT3"
+><H3
+CLASS="SECT3"
+><A
+NAME="AEN527"
+>3.3.6.2. Requesting event delivery</A
+></H3
+><P
+>	    At this point, Broccoli knows what to do with the requested events upon
+	    arrival.  What's left to do is to let the remote Bro know that you
+	    would like to receive the events for which you registered. If you haven't
+	    yet called <A
+HREF="broccoli-broccoli.html#BRO-CONN-CONNECT"
+><CODE
+CLASS="FUNCTION"
+>bro_conn_connect()</CODE
+></A
+>,
+	    then there is nothing to do, since that function will request the registered
+	    events anyway. Once connected, you can still request events. To do so, call
+	    <A
+HREF="broccoli-broccoli.html#BRO-EVENT-REGISTRY-REQUEST"
+><CODE
+CLASS="FUNCTION"
+>bro_event_registry_request()</CODE
+></A
+>:
+	  </P
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>bro_event_registry_request(bc);
+          </PRE
+></TD
+></TR
+></TABLE
+><P
+>	    This mechanism also implies that no unrequested events will be delivered
+	    to us (and if that happened for whatever reason, the event would simply
+	    be dropped on the floor).
+	  </P
+><DIV
+CLASS="NOTE"
+><P
+></P
+><TABLE
+CLASS="NOTE"
+WIDTH="100%"
+BORDER="0"
+><TR
+><TD
+WIDTH="25"
+ALIGN="CENTER"
+VALIGN="TOP"
+><IMG
+SRC="images/note.gif"
+HSPACE="5"
+ALT="Note"></TD
+><TD
+ALIGN="LEFT"
+VALIGN="TOP"
+><P
+><SPAN
+CLASS="emphasis"
+><B
+CLASS="EMPHASIS"
+>Note that at the moment you cannot unrequest events, nor
+		can you request events based on predicates on the values of the
+		events' arguments.</B
+></SPAN
+></P
+></TD
+></TR
+></TABLE
+></DIV
+></DIV
+><BR
+CLEAR="all"><DIV
+CLASS="SECT3"
+><H3
+CLASS="SECT3"
+><A
+NAME="AEN539"
+>3.3.6.3. Reading events from the connection handle</A
+></H3
+><P
+>	    At this point the remote Bro will start sending you the requested events
+	    once they are triggered. What is left to do is to read the arriving events
+	    from the connection and trigger dispatching them to the registered callbacks.
+	  </P
+><P
+>	    If you are writing a new Bro-enabled application, this is easy, and you can
+	    choose among two approaches: polling explicitly via Broccoli's API, or using
+	    <CODE
+CLASS="FUNCTION"
+>select()</CODE
+> on the file handle associated with a <SPAN
+CLASS="TYPE"
+>BroConn</SPAN
+>.
+	    The former case is particularly straightforward; all you need to do is
+	    call 
+	    <A
+HREF="broccoli-broccoli.html#BRO-CONN-PROCESS-INPUT"
+><CODE
+CLASS="FUNCTION"
+>bro_conn_process_input()</CODE
+></A
+>,
+	    which will go off and check if any events have arrived and if so, dispatch
+	    them accordingly. This function does not block &mdash; if no events have
+	    arrived, then the call will return immediately. For more fine-grained control
+	    over your I/O handling, you will probably want to use
+	    <A
+HREF="broccoli-broccoli.html#BRO-CONN-GET-FD"
+><CODE
+CLASS="FUNCTION"
+>bro_conn_get_fd()</CODE
+></A
+>
+	    to obtain the file descriptor of your connection and then incorporate that
+	    in your standard <CODE
+CLASS="FUNCTION"
+>FD_SET</CODE
+>/<CODE
+CLASS="FUNCTION"
+>select()</CODE
+>
+	    code. Once you have determined that data in fact are ready to be read from
+	    the obtained file descriptor, you can then try another
+	    <A
+HREF="broccoli-broccoli.html#BRO-CONN-PROCESS-INPUT"
+><CODE
+CLASS="FUNCTION"
+>bro_conn_process_input()</CODE
+></A
+>,
+	    this time knowing that it'll find something to dispatch.
+	  </P
+><P
+>	    As a side note, if you don't process arriving events frequently enough,
+	    then TCP's flow control will start to slow down the sender until eventually
+	    events will queue up and be dropped at the sending end.
+	  </P
+></DIV
+></DIV
+><BR
+CLEAR="all"><DIV
+CLASS="SECT2"
+><H2
+CLASS="SECT2"
+><A
+NAME="AEN554"
+>3.3.7. Handling records</A
+></H2
+><P
+>	  Broccoli supports record structures, i.e., types that pack a set of values
+	  together, placing each value into its own field. In Broccoli, the way you handle
+	  records is somewhat similar to events:
+	  after creating an empty record (of opaque type <SPAN
+CLASS="TYPE"
+>BroRecord</SPAN
+>, you can
+	  iteratively add fields and values to it. The main difference is that you must specify a
+	  field name with the value; each value in a record can be identified both by position
+	  (a numerical index starting from zero), and by field name. You can retrieve vals
+	  in a record by field index or field name. You can also reassign values.
+	  There is no explicit, IDL-style definition of record types. You define the type of
+	  a record implicitly by the sequence of field names and the sequence of the types
+	  of the values you put into the record.
+	</P
+><P
+>	  Note that all fields in a record must be assigned before it can be shipped.
+	</P
+><P
+>	  The API for record composition consists of
+	  <A
+HREF="broccoli-broccoli.html#BRO-RECORD-NEW"
+><CODE
+CLASS="FUNCTION"
+>bro_record_new()</CODE
+></A
+>,
+	  <A
+HREF="broccoli-broccoli.html#BRO-RECORD-FREE"
+><CODE
+CLASS="FUNCTION"
+>bro_record_free()</CODE
+></A
+>,
+	  <A
+HREF="broccoli-broccoli.html#BRO-RECORD-ADD-VAL"
+><CODE
+CLASS="FUNCTION"
+>bro_record_add_val()</CODE
+></A
+>,
+	  <A
+HREF="broccoli-broccoli.html#BRO-RECORD-SET-NTH-VAL"
+><CODE
+CLASS="FUNCTION"
+>bro_record_set_nth_val()</CODE
+></A
+>, and
+	  <A
+HREF="broccoli-broccoli.html#BRO-RECORD-SET-NAMED-VAL"
+><CODE
+CLASS="FUNCTION"
+>bro_record_set_named_val()</CODE
+></A
+>.
+	</P
+><P
+>	  On records that use field names, the names of individual fields can be extracted using
+	  <A
+HREF="broccoli-broccoli.html#BRO-RECORD-GET-NTH-NAME"
+><CODE
+CLASS="FUNCTION"
+>bro_record_get_nth_name()</CODE
+></A
+>.
+	  Extracting values from a record is done using
+	  <A
+HREF="broccoli-broccoli.html#BRO-RECORD-GET-NTH-VAL"
+><CODE
+CLASS="FUNCTION"
+>bro_record_get_nth_val()</CODE
+></A
+> and
+	  <A
+HREF="broccoli-broccoli.html#BRO-RECORD-GET-NAMED-VAL"
+><CODE
+CLASS="FUNCTION"
+>bro_record_get_named_val()</CODE
+></A
+>.
+	  The former allows numerical indexing of the fields in the record, the latter provides
+	  name-based lookups. Both need to be passed the record you want to extract a value from,
+	  the index or name of the field, and either a pointer to an <SPAN
+CLASS="TYPE"
+>int</SPAN
+> holding a
+	  <SPAN
+CLASS="TYPE"
+>BRO_TYPE_xxx</SPAN
+> value (see again <A
+HREF="c84.html#TABLE-1"
+>Table 1</A
+> for a
+	  summary of those types) or <CODE
+CLASS="CONSTANT"
+>NULL</CODE
+>. The pointer, if not
+	  <CODE
+CLASS="CONSTANT"
+>NULL</CODE
+>, serves two purposes: type checking and type retrieval.
+	  Type checking is performed if the value of the <SPAN
+CLASS="TYPE"
+>int</SPAN
+> upon calling the
+	  functions is not <SPAN
+CLASS="TYPE"
+>BRO_TYPE_UNKNOWN</SPAN
+>. The type tag of the requested record
+	  field then has to match the type tag stored in the <SPAN
+CLASS="TYPE"
+>int</SPAN
+>, otherwise
+          <CODE
+CLASS="CONSTANT"
+>NULL</CODE
+> is returned. If the <SPAN
+CLASS="TYPE"
+>int</SPAN
+> stores <SPAN
+CLASS="TYPE"
+>BRO_TYPE_UNKNOWN</SPAN
+>
+          upon calling, no type-checking is performed. In <SPAN
+CLASS="emphasis"
+><B
+CLASS="EMPHASIS"
+>both</B
+></SPAN
+> cases,
+	  the <SPAN
+CLASS="emphasis"
+><B
+CLASS="EMPHASIS"
+>actual</B
+></SPAN
+> type of the
+	  requested record field is returned in the <SPAN
+CLASS="TYPE"
+>int</SPAN
+> pointed to upon
+	  return from the function. Since you have no guarantees of the type of the value
+	  upon return if you pass <CODE
+CLASS="CONSTANT"
+>NULL</CODE
+> as the <SPAN
+CLASS="TYPE"
+>int</SPAN
+> pointer,
+	  this is a bad idea and either <SPAN
+CLASS="TYPE"
+>BRO_TYPE_UNKNOWN</SPAN
+> or another type value
+	  should always be used.
+        </P
+><P
+>	  For example, you could extract the value of the record field "label", which
+	  we assume should be a string, in the following ways:
+	</P
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>BroRecord *rec = /* obtained somehow */
+BroString *string;
+int type;
+
+/* --- Example 1 --- */
+
+type = BRO_TYPE_STRING; /* Use type-checking, will not accept other type */
+
+if (! (string = bro_record_get_named_val(rec, "label", &#38;type))) {
+	/* Error handling, either there's no field of that value,
+	 * or the value is not of BRO_TYPE_STRING. The actual
+	 * type is now stored in "type".
+	 */
+}
+
+/* --- Example 2 --- */
+
+type = BRO_TYPE_UNKNOWN; /* No type checking, just report the existant type */
+
+if (! (string = bro_record_get_named_val(rec, "label", &#38;type))) {
+	/* Error handling, no field of that name exists. */
+}
+
+printf("The type of the value in field 'label' is %i\n", type);
+
+/* --- Example 3 --- */
+
+if (! (string = bro_record_get_named_val(rec, "label", NULL))) {
+	/* Error handling, no field of that name exists. */
+}
+
+/* We now have a value, but we can't really be sure of its type */
+
+        </PRE
+></TD
+></TR
+></TABLE
+><P
+>	  Record fields can be records, for example in the case of Bro's standard
+	  connection record type. In this case, in order to get to a nested record, you
+	  use <CODE
+CLASS="CONSTANT"
+>BRO_TYPE_RECORD</CODE
+>:
+	</P
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>void remote_conn_cb(BroConn *bc, int *req_id, BroRecord *conn) {
+	BroRecord *conn_id;
+	int type = BRO_TYPE_RECORD;
+	if (! (conn_id = bro_record_get_named_val(conn, "id", &#38;type))) {
+		/* Error handling */
+	}
+}
+        </PRE
+></TD
+></TR
+></TABLE
+></DIV
+><BR
+CLEAR="all"><DIV
+CLASS="SECT2"
+><H2
+CLASS="SECT2"
+><A
+NAME="AEN599"
+>3.3.8. Handling tables</A
+></H2
+><P
+>	  Broccoli supports Bro-style tables, i.e., associative containers that map
+	  instances of a key type to an instance of a value type. A given key
+	  can only ever point to a single value. The key type can be
+	  <SPAN
+CLASS="emphasis"
+><B
+CLASS="EMPHASIS"
+>composite</B
+></SPAN
+>, i.e., it may consist of an ordered
+	  sequence ofdifferent types, or it can be <SPAN
+CLASS="emphasis"
+><B
+CLASS="EMPHASIS"
+>direct</B
+></SPAN
+>,
+	  i.e., consisting of a single type (such as an integer, a string, or
+	  a record).
+        </P
+><P
+>	  The API for table manipulation consists of
+	  <A
+HREF="broccoli-broccoli.html#BRO-TABLE-NEW"
+><CODE
+CLASS="FUNCTION"
+>bro_table_new()</CODE
+></A
+>,
+	  <A
+HREF="broccoli-broccoli.html#BRO-TABLE-FREE"
+><CODE
+CLASS="FUNCTION"
+>bro_table_free()</CODE
+></A
+>,
+	  <A
+HREF="broccoli-broccoli.html#BRO-TABLE-INSERT"
+><CODE
+CLASS="FUNCTION"
+>bro_table_insert()</CODE
+></A
+>,
+	  <A
+HREF="broccoli-broccoli.html#BRO-TABLE-FIND"
+><CODE
+CLASS="FUNCTION"
+>bro_table_find()</CODE
+></A
+>,
+	  <A
+HREF="broccoli-broccoli.html#BRO-TABLE-GET-SIZE"
+><CODE
+CLASS="FUNCTION"
+>bro_table_get_size()</CODE
+></A
+>,
+	  <A
+HREF="broccoli-broccoli.html#BRO-TABLE-GET-TYPES"
+><CODE
+CLASS="FUNCTION"
+>bro_table_get_types()</CODE
+></A
+>,
+	  and
+	  <A
+HREF="broccoli-broccoli.html#BRO-TABLE-FOREACH"
+><CODE
+CLASS="FUNCTION"
+>bro_table_foreach()</CODE
+></A
+>.
+        </P
+><P
+>	  Tables are handled similarly to records in that typing is determined
+	  dynamically by the initial key/value pair inserted. The resulting types
+	  can be obtained via 	
+	  <A
+HREF="broccoli-broccoli.html#BRO-TABLE-GET-TYPES"
+><CODE
+CLASS="FUNCTION"
+>bro_table_get_types()</CODE
+></A
+>.
+	  Should the types not have been determined yet, <CODE
+CLASS="CONSTANT"
+>BRO_TYPE_UNKNOWN</CODE
+>
+	  will result. Also, as with records,
+	  values inserted into the table are copied internally, and the ones passed
+	  to the insertion functions remain unaffected.
+        </P
+><P
+>	  In contrast to records, table entries can be iterated. By passing a function
+	  of signature 
+	  <A
+HREF="broccoli-broccoli.html#BROTABLECALLBACK"
+><CODE
+CLASS="FUNCTION"
+>BroTableCallback()</CODE
+></A
+>
+	  and a pointer to data of your choosing,
+	  <A
+HREF="broccoli-broccoli.html#BRO-TABLE-FOREACH"
+><CODE
+CLASS="FUNCTION"
+>bro_table_foreach()</CODE
+></A
+>
+	  will invoke the given function for each key/value pair stored in the table.
+	  Return <CODE
+CLASS="CONSTANT"
+>TRUE</CODE
+> to keep the iteration going, or <CODE
+CLASS="CONSTANT"
+>FALSE</CODE
+>
+	  to stop it.
+        </P
+><DIV
+CLASS="CAUTION"
+><P
+></P
+><TABLE
+CLASS="CAUTION"
+WIDTH="100%"
+BORDER="0"
+><TR
+><TD
+WIDTH="25"
+ALIGN="CENTER"
+VALIGN="TOP"
+><IMG
+SRC="images/caution.gif"
+HSPACE="5"
+ALT="Caution"></TD
+><TD
+ALIGN="LEFT"
+VALIGN="TOP"
+><P
+>	  The main thing to know about Broccoli's tables is how to use composite key
+	  types. To avoid additional API calls, you may treat composite key types
+	  exactly as records, though you do not need to use field names when assigning
+	  elements to individual fields. So in order to insert a key/value pair, you
+	  create a record with the needed items assigned to its slots, and use this
+	  record as the key object. In order to differentiate composite index types
+	  from direct ones consisting of a single record, use <CODE
+CLASS="CONSTANT"
+>BRO_TYPE_LIST</CODE
+>
+	  as the type of the record, as opposed to <CODE
+CLASS="CONSTANT"
+>BRO_TYPE_RECORD</CODE
+>.
+	  Broccoli will then know to interpret the record
+	  as an ordered sequence of items making up a composite element, not a regular
+	  record.
+        </P
+></TD
+></TR
+></TABLE
+></DIV
+><P
+>	  <TT
+CLASS="FILENAME"
+>brotable.c</TT
+> in the test subdirectory of the Broccoli tree
+	  contains an extensive example of using tables with composite as well as direct
+	  indexing types.
+        </P
+></DIV
+><BR
+CLEAR="all"><DIV
+CLASS="SECT2"
+><H2
+CLASS="SECT2"
+><A
+NAME="AEN636"
+>3.3.9. Handling sets</A
+></H2
+><P
+>	  Sets are essentially tables with void value types.
+	  The API for set manipulation consists of
+	  <A
+HREF="broccoli-broccoli.html#BRO-SET-NEW"
+><CODE
+CLASS="FUNCTION"
+>bro_set_new()</CODE
+></A
+>,
+	  <A
+HREF="broccoli-broccoli.html#BRO-SET-FREE"
+><CODE
+CLASS="FUNCTION"
+>bro_set_free()</CODE
+></A
+>,
+	  <A
+HREF="broccoli-broccoli.html#BRO-SET-INSERT"
+><CODE
+CLASS="FUNCTION"
+>bro_set_insert()</CODE
+></A
+>,
+	  <A
+HREF="broccoli-broccoli.html#BRO-SET-FIND"
+><CODE
+CLASS="FUNCTION"
+>bro_set_find()</CODE
+></A
+>,
+	  <A
+HREF="broccoli-broccoli.html#BRO-SET-GET-SIZE"
+><CODE
+CLASS="FUNCTION"
+>bro_set_get_size()</CODE
+></A
+>,
+	  <A
+HREF="broccoli-broccoli.html#BRO-SET-GET-TYPE"
+><CODE
+CLASS="FUNCTION"
+>bro_set_get_type()</CODE
+></A
+>,
+	  and
+	  <A
+HREF="broccoli-broccoli.html#BRO-SET-FOREACH"
+><CODE
+CLASS="FUNCTION"
+>bro_set_foreach()</CODE
+></A
+>.
+        </P
+></DIV
+><BR
+CLEAR="all"><DIV
+CLASS="SECT2"
+><H2
+CLASS="SECT2"
+><A
+NAME="AEN653"
+>3.3.10. Associating data with connections</A
+></H2
+><P
+>	    You will often find that you would like to connect data with
+	    a <TT
+CLASS="FILENAME"
+>BroConn</TT
+>. Broccoli provides an API that
+	    lets you associate data items with a connection handle through
+	    a string-based key&ndash;value registry. The functions of interest
+	    are
+	    <A
+HREF="broccoli-broccoli.html#BRO-CONN-DATA-SET"
+><CODE
+CLASS="FUNCTION"
+>bro_conn_data_set()</CODE
+></A
+>,
+	    <A
+HREF="broccoli-broccoli.html#BRO-CONN-DATA-GET"
+><CODE
+CLASS="FUNCTION"
+>bro_conn_data_get()</CODE
+></A
+>, and
+	    <A
+HREF="broccoli-broccoli.html#BRO-CONN-DATA-DEL"
+><CODE
+CLASS="FUNCTION"
+>bro_conn_data_del()</CODE
+></A
+>.
+	    You need to provide a string identifier for a data item and can then use
+	    that string to register, look up, and remove the associated data item.
+	    Note that there is currently no mechanism to trigger a destructor
+	    function for registered data items when the Bro connection is terminated.
+	    You therefore need to make sure that all data items that you do
+	    not have pointers to via some other means are properly released before
+	    calling 
+	    <CODE
+CLASS="FUNCTION"
+>bro_disconnect()</CODE
+>.
+        </P
+></DIV
+><BR
+CLEAR="all"><DIV
+CLASS="SECT2"
+><H2
+CLASS="SECT2"
+><A
+NAME="AEN665"
+>3.3.11. Configuration files</A
+></H2
+><P
+>	  
+	    Imagine you have instrumented the mother of all server applications.
+	    Building it takes forever, and every now and then you need to change
+	    some of the parameters that your Broccoli code uses, such as the host names
+	    of the Bro agents to talk to.
+	    To allow you to do this quickly, Broccoli comes with support for
+	    configuration files. All you need to do is change the settings in the
+	    file and restart the application (we're considering adding support
+	    for volatile configuration items that are read from the file every
+	    time they are requested).	  
+        </P
+><P
+>	    A configuration is read from a single configuration file.
+	    This file can be read from two different locations:
+	    <P
+></P
+><UL
+><LI
+><P
+>The system-wide configuration file. You can obtain the location
+	          of this config file by running <TT
+CLASS="FILENAME"
+>broccoli-config --config</TT
+>.
+		</P
+></LI
+><LI
+><P
+>Alternatively, a per-user configuration file stored in <TT
+CLASS="FILENAME"
+>~/.broccoli.conf</TT
+>
+		  can be used.
+		</P
+></LI
+></UL
+>
+            If a user has a configuration file in <TT
+CLASS="FILENAME"
+>~/.broccoli.conf</TT
+>,
+	    it is used exclusively, otherwise the global one is used.
+         </P
+><DIV
+CLASS="CAUTION"
+><P
+></P
+><TABLE
+CLASS="CAUTION"
+WIDTH="100%"
+BORDER="0"
+><TR
+><TD
+WIDTH="25"
+ALIGN="CENTER"
+VALIGN="TOP"
+><IMG
+SRC="images/caution.gif"
+HSPACE="5"
+ALT="Caution"></TD
+><TD
+ALIGN="LEFT"
+VALIGN="TOP"
+><P
+><SPAN
+CLASS="emphasis"
+><B
+CLASS="EMPHASIS"
+><TT
+CLASS="FILENAME"
+>~/.broccoli.conf</TT
+> will only be used if
+	    it is a regular file, not executable, and neither group nor others have
+	    any permissions on the file. That is, the file's permissions must look
+	    like <CODE
+CLASS="FUNCTION"
+>-rw-------</CODE
+> or <CODE
+CLASS="FUNCTION"
+>-r--------</CODE
+>.
+	    </B
+></SPAN
+></P
+></TD
+></TR
+></TABLE
+></DIV
+><P
+>	    In the configuration file, a "#" anywhere starts a comment that runs
+	    to the end of the line. Configuration items are specified as key-value
+	    pairs:
+        </P
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+># This is the Broccoli system-wide configuration file.
+#
+# Entries are of the form &#60;identifier&#62; &#60;value&#62;, where the identifier
+# is a sequence of letters, and value can be a string (including
+# whitespace), and floating point or integer numbers. Comments start
+# with a "#" and go to the end of the line. For boolean values, you
+# may also use "yes", "on", "true", "no", "off", or "false".
+# Strings may contain whitespace, but need to be surrounded by
+# double quotes '"'.
+#
+# Examples:
+#
+Foo/PeerName          mybro.securesite.com
+Foo/PortNum           123
+Bar/SomeFloat         1.23443543
+Bar/SomeLongStr       "Hello World"
+        </PRE
+></TD
+></TR
+></TABLE
+><P
+>            You can also have multiple sections in your configuration. Your application can
+	    select a section as the current one, and queries for configuration settings will
+	    then only be answered with values specified in that section. A section is started
+	    by putting its name (no whitespace please) between square brackets. Configuration
+	    items positioned before the first section title are in the default domain and
+	    will be used by default.
+        </P
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+># This section contains all settings for myapp.
+[ myapp ]
+        </PRE
+></TD
+></TR
+></TABLE
+><P
+>	    You can name identifiers any way you like, but to keep things
+	    organized it is recommended to keep a namespace hierarchy similar
+	    to the file system. In the code, you can query configuration
+	    items using
+	    <A
+HREF="broccoli-broccoli.html#BRO-CONF-GET-STR"
+><CODE
+CLASS="FUNCTION"
+>bro_conf_get_str()</CODE
+></A
+>,
+            <A
+HREF="broccoli-broccoli.html#BRO-CONF-GET-INT"
+><CODE
+CLASS="FUNCTION"
+>bro_conf_get_int()</CODE
+></A
+>, and
+            <A
+HREF="broccoli-broccoli.html#BRO-CONF-GET-DBL"
+><CODE
+CLASS="FUNCTION"
+>bro_conf_get_dbl()</CODE
+></A
+>.
+	    You can switch between sections using 
+            <A
+HREF="broccoli-broccoli.html#BRO-CONF-SET-DOMAIN"
+><CODE
+CLASS="FUNCTION"
+>bro_conf_set_domain()</CODE
+></A
+>.
+        </P
+></DIV
+><BR
+CLEAR="all"><DIV
+CLASS="SECT2"
+><H2
+CLASS="SECT2"
+><A
+NAME="AEN696"
+>3.3.12. Using dynamic buffers</A
+></H2
+><P
+>	    Broccoli provides an API for dynamically allocatable, growable, shrinkable,
+	    and consumable buffers with <CODE
+CLASS="FUNCTION"
+>BroBuf</CODE
+>s. You may or may
+	    not find this useful &mdash; Broccoli mainly provides this feature in
+	    <TT
+CLASS="FILENAME"
+>broccoli.h</TT
+> because these buffers are used internally
+	    anyway and because they are typical case of something that people implement
+	    themselves over and over again, for example to collect a set of data before
+	    sending it through a file descriptor, etc.
+        </P
+><P
+>	    The buffers work as follows. The structure implementing a buffer is
+	    called BroBuf. BroBufs are initialized to a default size when created via
+	    <A
+HREF="broccoli-broccoli.html#BRO-BUF-NEW"
+><CODE
+CLASS="FUNCTION"
+>bro_buf_new()</CODE
+></A
+>,
+	    and released using 
+	    <A
+HREF="broccoli-broccoli.html#BRO-BUF-FREE"
+><CODE
+CLASS="FUNCTION"
+>bro_buf_free()</CODE
+></A
+>.
+            Each BroBuf has a content
+	    pointer that points to an arbitrary location between the start of the
+            buffer and the first byte after the last byte currently
+            used in the buffer (see buf_off in the illustration below). The content
+	    pointer can seek to arbitrary locations, and data can be copied from and
+	    into the buffer, adjusting the content pointer accordingly.
+	    You can repeatedly append data to end of the buffer's used contents using
+	    <A
+HREF="broccoli-broccoli.html#BRO-BUF-APPEND"
+><CODE
+CLASS="FUNCTION"
+>bro_buf_append()</CODE
+></A
+>.	    
+        </P
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>&#13;   &#60;---------------- allocated buffer space ------------&#62;
+   &#60;======== used buffer space ========&#62;
+   ^              ^                    ^               ^                 
+   |              |                    |               |
+   `buf           `buf_ptr             `buf_off        `buf_len
+        </PRE
+></TD
+></TR
+></TABLE
+><P
+>	    Have a look at the following functions for the details:
+	    <A
+HREF="broccoli-broccoli.html#BRO-BUF-NEW"
+><CODE
+CLASS="FUNCTION"
+>bro_buf_new()</CODE
+></A
+>,
+	    <A
+HREF="broccoli-broccoli.html#BRO-BUF-FREE"
+><CODE
+CLASS="FUNCTION"
+>bro_buf_free()</CODE
+></A
+>,
+	    <A
+HREF="broccoli-broccoli.html#BRO-BUF-APPEND"
+><CODE
+CLASS="FUNCTION"
+>bro_buf_append()</CODE
+></A
+>,
+	    <A
+HREF="broccoli-broccoli.html#BRO-BUF-CONSUME"
+><CODE
+CLASS="FUNCTION"
+>bro_buf_consume()</CODE
+></A
+>,
+	    <A
+HREF="broccoli-broccoli.html#BRO-BUF-RESET"
+><CODE
+CLASS="FUNCTION"
+>bro_buf_reset()</CODE
+></A
+>,
+	    <A
+HREF="broccoli-broccoli.html#BRO-BUF-GET"
+><CODE
+CLASS="FUNCTION"
+>bro_buf_get()</CODE
+></A
+>,
+	    <A
+HREF="broccoli-broccoli.html#BRO-BUF-GET-END"
+><CODE
+CLASS="FUNCTION"
+>bro_buf_get_end()</CODE
+></A
+>,
+	    <A
+HREF="broccoli-broccoli.html#BRO-BUF-GET-SIZE"
+><CODE
+CLASS="FUNCTION"
+>bro_buf_get_size()</CODE
+></A
+>,
+	    <A
+HREF="broccoli-broccoli.html#BRO-BUF-GET-USED-SIZE"
+><CODE
+CLASS="FUNCTION"
+>bro_buf_get_used_size()</CODE
+></A
+>,
+	    <A
+HREF="broccoli-broccoli.html#BRO-BUF-PTR-GET"
+><CODE
+CLASS="FUNCTION"
+>bro_buf_ptr_get()</CODE
+></A
+>,
+	    <A
+HREF="broccoli-broccoli.html#BRO-BUF-PTR-TELL"
+><CODE
+CLASS="FUNCTION"
+>bro_buf_ptr_tell()</CODE
+></A
+>,
+	    <A
+HREF="broccoli-broccoli.html#BRO-BUF-PTR-SEEK"
+><CODE
+CLASS="FUNCTION"
+>bro_buf_ptr_seek()</CODE
+></A
+>,
+	    <A
+HREF="broccoli-broccoli.html#BRO-BUF-PTR-CHECK"
+><CODE
+CLASS="FUNCTION"
+>bro_buf_ptr_check()</CODE
+></A
+>, and
+	    <A
+HREF="broccoli-broccoli.html#BRO-BUF-PTR-READ"
+><CODE
+CLASS="FUNCTION"
+>bro_buf_ptr_read()</CODE
+></A
+>.
+        </P
+></DIV
+></DIV
+><BR
+CLEAR="all"><DIV
+CLASS="SECT1"
+><H1
+CLASS="SECT1"
+><A
+NAME="AEN738"
+>3.4. Configuring encrypted communication</A
+></H1
+><P
+>	Encrypted communication between Bro peers takes place over an SSL connection in
+	which both endpoints of the connection are authenticated. This requires at least
+	some PKI in the form of a certificate authority (CA) which you use to issue and sign
+	certificates for your Bro peers. To facilitate the SSL setup, each peer requires
+	three documents: a certificate signed by the CA and containing the public key, the
+	corresponding private key, and a copy of the CA's certificate.
+      </P
+><P
+>        The OpenSSL command line tool <B
+CLASS="COMMAND"
+>openssl</B
+> can be used to create all
+	files neccessary, but its unstructured arguments and poor documentation make it
+	a pain to use and waste lots of people a lot of time<A
+NAME="AEN743"
+HREF="#FTN.AEN743"
+><SPAN
+CLASS="footnote"
+>[1]</SPAN
+></A
+>. Therefore, the Bro distribution comes with two scripts,
+	<B
+CLASS="COMMAND"
+>ca-create</B
+> and <B
+CLASS="COMMAND"
+>ca-issue</B
+>. You use the former
+	once to set up your CA, and the latter to create a certificate for each of the Bro
+	peers in your infrastructure.
+	<P
+></P
+><UL
+><LI
+><P
+><B
+CLASS="COMMAND"
+>ca-create</B
+> lets you choose a directory in which the
+	      CA maintains its files. If you set <CODE
+CLASS="VARNAME"
+>BRO_CA_DIR</CODE
+> in your
+	      environment, it will be used for this purpose. After entering a passphrase
+	      for the private key of your CA, you can find the self-signed certificate
+	      of your CA in <TT
+CLASS="FILENAME"
+>$BRO_CA_DIR/ca_cert.pem</TT
+>.
+	    </P
+></LI
+><LI
+><P
+><B
+CLASS="COMMAND"
+>ca-issue</B
+> first requires the directory of the CA,
+	      offering <TT
+CLASS="FILENAME"
+>$BRO_CA_DIR</TT
+> if that is found. It asks you for
+	      a prefix for the certificate to be generated, for the passphrase of the
+	      private key of the CA so the new certificate can be signed, for the
+	      passphrase for the new private key, and for a few parameters that make up
+	      the "distinguished name" of the certificate. This name (i.e., the combination
+	      of all the fields you enter a value for) must be unique among all your Bro
+	      peers. Once that is done, you find a new certificate named
+	      <TT
+CLASS="FILENAME"
+>&lt;prefix&gt;.pem</TT
+> in your current
+	      directory. This file actually consists of two of the three cryptographic
+	      documents mentioned above, namely the new certificate and the private key.
+              We refer to it as "certificate" for simplicity.
+	    </P
+></LI
+></UL
+>
+	In order to enable encrypted communication for your Broccoli application, you
+	need to put the CA certificate and the peer certificate in the
+	<CODE
+CLASS="VARNAME"
+>/broccoli/ca_cert</CODE
+> and 
+	<CODE
+CLASS="VARNAME"
+>/broccoli/host_cert</CODE
+> keys, respectively, in the configuration file.
+	To quickly enable/disable a certificate configuration, the
+	<CODE
+CLASS="VARNAME"
+>/broccoli/use_ssl</CODE
+> key can be used.
+	<DIV
+CLASS="CAUTION"
+><P
+></P
+><TABLE
+CLASS="CAUTION"
+WIDTH="100%"
+BORDER="0"
+><TR
+><TD
+WIDTH="25"
+ALIGN="CENTER"
+VALIGN="TOP"
+><IMG
+SRC="images/caution.gif"
+HSPACE="5"
+ALT="Caution"></TD
+><TD
+ALIGN="LEFT"
+VALIGN="TOP"
+><P
+><SPAN
+CLASS="emphasis"
+><B
+CLASS="EMPHASIS"
+>This is where you configure whether to use encrypted or unencrypted
+	    connections.</B
+></SPAN
+></P
+><P
+>If the <CODE
+CLASS="VARNAME"
+>/broccoli/use_ssl</CODE
+> key is present and set to one of
+		"yes", "true", "on", or 1, then SSL will be used and an incorrect or
+		missing certificate configuration will cause connection attempts to fail.
+		If the key's value is one of "no", "false", "off", or 0, then in no case
+		will SSL be used and connections will always be cleartext.
+	  </P
+><P
+>If the <CODE
+CLASS="VARNAME"
+>/broccoli/use_ssl</CODE
+> key is <SPAN
+CLASS="emphasis"
+><B
+CLASS="EMPHASIS"
+>not</B
+></SPAN
+>
+		present, then SSL will be used if a certificate configuration is
+		found, and invalid certificates will cause the connection to fail.
+		If no certificates are configured, cleartext connections will be used.
+	  </P
+><P
+>In no case does an SSL-enabled setup ever fall back to a cleartext one.</P
+></TD
+></TR
+></TABLE
+></DIV
+>
+      </P
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>/broccoli/use_ssl	   yes
+/broccoli/ca_cert          &#60;path&#62;/ca_cert.pem
+/broccoli/host_cert        &#60;path&#62;/bro_cert.pem
+      </PRE
+></TD
+></TR
+></TABLE
+><P
+>        In a Bro policy, you need to load the <TT
+CLASS="FILENAME"
+>listen-ssl.bro</TT
+> policy and
+	redef <CODE
+CLASS="VARNAME"
+>ssl_ca_certificate</CODE
+> and <CODE
+CLASS="VARNAME"
+>ssl_private_key</CODE
+>,
+	defined in <TT
+CLASS="FILENAME"
+>bro.init</TT
+>:
+      </P
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>@load listen-ssl
+
+redef ssl_ca_certificate   = "&#60;path&#62;/ca_cert.pem";
+redef ssl_private_key      = "&#60;path&#62;/bro.pem";
+      </PRE
+></TD
+></TR
+></TABLE
+><P
+>	By default, you will be prompted for the passphrase for the private key matching
+	the public key in your agent's certificate. Depending on your application's user
+	interface and deployment, this may be inappropriate. You can store the passphrase
+	in the config file as well, using the following identifier:
+      </P
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>/broccoli/host_pass        foobar
+      </PRE
+></TD
+></TR
+></TABLE
+><DIV
+CLASS="CAUTION"
+><P
+></P
+><TABLE
+CLASS="CAUTION"
+WIDTH="100%"
+BORDER="0"
+><TR
+><TD
+WIDTH="25"
+ALIGN="CENTER"
+VALIGN="TOP"
+><IMG
+SRC="images/caution.gif"
+HSPACE="5"
+ALT="Caution"></TD
+><TD
+ALIGN="LEFT"
+VALIGN="TOP"
+><P
+><SPAN
+CLASS="emphasis"
+><B
+CLASS="EMPHASIS"
+>Make sure that access to your configuration is restricted.</B
+></SPAN
+></P
+><P
+>	  If you provide the passphrase this way, it is obviously essential to have
+	  restrictive permissions on the configuration file. Broccoli partially enforces
+	  this. Please refer to the section on
+	  <A
+HREF="c84.html#AEN665"
+>configuration files</A
+> for details.
+        </P
+></TD
+></TR
+></TABLE
+></DIV
+></DIV
+><BR
+CLEAR="all"><DIV
+CLASS="SECT1"
+><H1
+CLASS="SECT1"
+><A
+NAME="AEN784"
+>3.5. Configuring event reception in Bro policies</A
+></H1
+><P
+>	Before a remote Bro will accept your connection and your events, it needs to have its
+	policy configured accordingly:	  
+	<P
+></P
+><OL
+TYPE="1"
+><LI
+><P
+>Load either <TT
+CLASS="FILENAME"
+>listen-ssl</TT
+> or <TT
+CLASS="FILENAME"
+>listen-clear</TT
+>,
+	      depending on whether you want to have encrypted or cleartext communication. Obviously,
+	      encrypting the event exchange is recommended and cleartext should only be used for
+	      early experimental setups. See below for details on how to set up encrypted
+	      communication via SSL.
+	    </P
+></LI
+><LI
+><P
+>	      You need to find a port to use for the Bros and Broccoli applications that will
+	      listen for connections. Every such agent can use a different port, though default
+	      ports are provided in the Bro policies.
+	      To change the port the Bro agent will be listening on from its default
+	      redefine the <CODE
+CLASS="VARNAME"
+>listen_port_ssl</CODE
+> or
+	      <CODE
+CLASS="VARNAME"
+>listen_port_clear</CODE
+> variables from <TT
+CLASS="FILENAME"
+>listen-clear.bro</TT
+>
+	      or <TT
+CLASS="FILENAME"
+>listen-ssl.bro</TT
+>, respectively. Have a look at these policies as well
+	      as <TT
+CLASS="FILENAME"
+>remote.bro</TT
+> for the default values. Here is the policy
+	      for the unencrypted case:
+	    </P
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>@load listen-clear
+
+redef listen_port_clear = 12345/tcp;
+            </PRE
+></TD
+></TR
+></TABLE
+><P
+>	      Including the settings for the cryptographic files introduced in the previous section, 
+	      here is the encrypted one:
+	    </P
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>@load listen-ssl
+
+redef listen_port_ssl = 12345/tcp;
+redef ssl_ca_certificate   = "&#60;path&#62;/ca_cert.pem";
+redef ssl_private_key      = "&#60;path&#62;/bro.pem";
+            </PRE
+></TD
+></TR
+></TABLE
+></LI
+><LI
+><P
+>	      The policy controlling which peers a Bro agent will communicate with and how this
+	      communication will happen are defined in the <CODE
+CLASS="VARNAME"
+>destinations</CODE
+> table
+	      defined in <TT
+CLASS="FILENAME"
+>remote.bro</TT
+>. This table contains entries of type
+	      <SPAN
+CLASS="TYPE"
+>Destination</SPAN
+>, whose members mostly provide default values so you do not
+	      need to define everything. You need to come up with a tag for the connection
+	      under which it can be found in the table (a creative one would be "broccoli"),
+	      the IP address of the peer, the pattern of names of the events the Bro will accept
+	      from you, whether you want Bro to connect to your
+	      machine on startup or not, if so, a port to connect to (defaults are
+	      <CODE
+CLASS="VARNAME"
+>default_port_ssl</CODE
+> and <CODE
+CLASS="VARNAME"
+>default_port_clear</CODE
+>, also
+	      defined in <TT
+CLASS="FILENAME"
+>remote.bro</TT
+>), a retry timeout, whether to use SSL,
+	      and the class of a connection as set on the Broccoli side via
+	    <A
+HREF="broccoli-broccoli.html#BRO-CONN-SET-CLASS"
+><CODE
+CLASS="FUNCTION"
+>bro_conn_set_class()</CODE
+></A
+>.
+	    </P
+><P
+>	      An example could look as follows:
+	    </P
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>&#13;redef Remote::destinations += {
+	["broping"] = [$host = 127.0.0.1, $class="broping", $events = /ping/, $connect=F, $ssl=F]
+};
+            </PRE
+></TD
+></TR
+></TABLE
+><P
+>	      This example is taken from <TT
+CLASS="FILENAME"
+>broping.bro</TT
+>, the policy the
+	      remote Bro must run when you want to use the <B
+CLASS="COMMAND"
+>broping</B
+> tool
+	      explained in the <A
+HREF="c84.html#AEN842"
+>section on testing</A
+> below.
+	      It will allow an agent on the local host to connect and send "ping" events.
+	      Our Bro will not attempt to connect, and incoming connections will be expected
+	      in cleartext.
+	    </P
+></LI
+></OL
+>
+      </P
+></DIV
+><BR
+CLEAR="all"><DIV
+CLASS="SECT1"
+><H1
+CLASS="SECT1"
+><A
+NAME="AEN818"
+>3.6. Configuring debugging output</A
+></H1
+><P
+>	  If your Broccoli installation was configured with <B
+CLASS="COMMAND"
+>--enable-debug</B
+>,
+	  Broccoli will report two kinds of debugging information: (<SPAN
+CLASS="emphasis"
+><B
+CLASS="EMPHASIS"
+>i</B
+></SPAN
+>)
+	  function call traces and
+	  (<SPAN
+CLASS="emphasis"
+><B
+CLASS="EMPHASIS"
+>ii</B
+></SPAN
+>) individual debugging messages. Both are enabled by default, but can be adjusted
+	  in two ways.
+	  <P
+></P
+><UL
+><LI
+><P
+>In the configuration file: in the appropriate section of the configuration
+	        file, you can set the keys <CODE
+CLASS="FUNCTION"
+>/broccoli/debug_messages</CODE
+> and
+		<CODE
+CLASS="FUNCTION"
+>/broccoli/debug_calltrace</CODE
+> to <CODE
+CLASS="FUNCTION"
+>on</CODE
+>/<CODE
+CLASS="FUNCTION"
+>off</CODE
+>
+		to enable/disable the corresponding output.
+	      </P
+></LI
+><LI
+><P
+>In code: you can set the variables 
+	      	<A
+HREF="broccoli-broccoli.html#BRO-DEBUG-CALLTRACE"
+><CODE
+CLASS="FUNCTION"
+>bro_debug_calltrace</CODE
+></A
+> and
+	        <A
+HREF="broccoli-broccoli.html#BRO-DEBUG-MESSAGES"
+><CODE
+CLASS="FUNCTION"
+>bro_debug_messages</CODE
+></A
+>
+	        to 1/0 at any time to enable/disable the corresponding output.
+	      </P
+></LI
+></UL
+>	 
+      </P
+><P
+>	  By default, debugging output is inactive (even with debuggin support compiled in).
+	  You need to enable it explicitly either in your code by assigning 1 to 
+	  <A
+HREF="broccoli-broccoli.html#BRO-DEBUG-CALLTRACE"
+><CODE
+CLASS="FUNCTION"
+>bro_debug_calltrace</CODE
+></A
+> and
+	  <A
+HREF="broccoli-broccoli.html#BRO-DEBUG-MESSAGES"
+><CODE
+CLASS="FUNCTION"
+>bro_debug_messages</CODE
+></A
+>,
+	  or by enabling it in the configuration file.
+      </P
+></DIV
+><BR
+CLEAR="all"><DIV
+CLASS="SECT1"
+><H1
+CLASS="SECT1"
+><A
+NAME="AEN842"
+>3.7. Test programs</A
+></H1
+><P
+>	  The Broccoli distribution comes with a few small test programs,
+	  located in the <TT
+CLASS="FILENAME"
+>test/</TT
+> directory of the tree.
+	  The most notable one is <CODE
+CLASS="FUNCTION"
+>broping</CODE
+>
+	  <A
+NAME="AEN847"
+HREF="#FTN.AEN847"
+><SPAN
+CLASS="footnote"
+>[2]</SPAN
+></A
+>, a mini-version of ping.
+	  It sends "ping" events to a remote Bro agent, expecting "pong" events
+	  in return. It operates in two flavours: one uses atomic types for sending
+	  information across, and the other one uses records. The Bro agent you want
+	  to ping needs to run either the <TT
+CLASS="FILENAME"
+>broping.bro</TT
+> or
+	  <TT
+CLASS="FILENAME"
+>broping-record.bro</TT
+> policies. You can find these
+	  in the <TT
+CLASS="FILENAME"
+>test/</TT
+> directory of the source tree, and
+	  in <TT
+CLASS="FILENAME"
+>&lt;prefix&gt;/share/broccoli</TT
+> in the installed
+	  version. <TT
+CLASS="FILENAME"
+>broping.bro</TT
+> is shown below. By default,
+	  pinging a Bro on the same machine is configured. If you want your Bro
+	  to be pinged from another machine, you need to update the
+	  <CODE
+CLASS="VARNAME"
+>destinations</CODE
+> variable accordingly.
+      </P
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>@load listen-clear;
+
+global ping_log = open_log_file("ping");
+
+redef Remote::destinations += {
+	["broping"] = [$host = 127.0.0.1, $events = /ping/, $connect=F, $retry = 60 secs, $ssl=F]
+};
+
+event ping(src_time: time, seq: count)
+{
+        event pong(src_time, current_time(), seq);
+}
+
+event pong(src_time: time, dst_time: time, seq: count)
+{
+        print ping_log, fmt("ping received, seq %d, %f at src, %f at dest, one-way: %f",
+                            seq, src_time, dst_time, dst_time-src_time);
+}
+      </PRE
+></TD
+></TR
+></TABLE
+><P
+>        <CODE
+CLASS="FUNCTION"
+>broping</CODE
+> sends ping events to Bro. Bro accepts those because they are configured
+	accordingly in the destinations table. As shown in the policy, ping events
+	trigger pong events, and <CODE
+CLASS="FUNCTION"
+>broccoli</CODE
+> requests delivery of all pong events back to it.
+	When running <CODE
+CLASS="FUNCTION"
+>broping</CODE
+>, you'll see something like this:
+      </P
+><TABLE
+WIDTH="100%"
+BORDER="0"
+BGCOLOR="#eaeaf0"
+><TR
+><TD
+><PRE
+CLASS="PROGRAMLISTING"
+>cpk25@localhost:/home/cpk25/devel/broccoli &#62; ./test/broping
+pong event from 127.0.0.1: seq=1, time=0.004700/1.010303 s
+pong event from 127.0.0.1: seq=2, time=0.053777/1.010266 s
+pong event from 127.0.0.1: seq=3, time=0.006435/1.010284 s
+pong event from 127.0.0.1: seq=4, time=0.020278/1.010319 s
+pong event from 127.0.0.1: seq=5, time=0.004563/1.010187 s
+pong event from 127.0.0.1: seq=6, time=0.005685/1.010393 s
+      </PRE
+></TD
+></TR
+></TABLE
+></DIV
+></DIV
+><H3
+CLASS="FOOTNOTES"
+>Notes</H3
+><TABLE
+BORDER="0"
+CLASS="FOOTNOTES"
+WIDTH="100%"
+><TR
+><TD
+ALIGN="LEFT"
+VALIGN="TOP"
+WIDTH="5%"
+><A
+NAME="FTN.AEN743"
+HREF="c84.html#AEN743"
+><SPAN
+CLASS="footnote"
+>[1]</SPAN
+></A
+></TD
+><TD
+ALIGN="LEFT"
+VALIGN="TOP"
+WIDTH="95%"
+><P
+>In other
+	documents and books on OpenSSL you will find this expressed more politely, using
+	terms such as "daunting to the uninitiated", "challenging", "complex", "intimidating".
+	</P
+></TD
+></TR
+><TR
+><TD
+ALIGN="LEFT"
+VALIGN="TOP"
+WIDTH="5%"
+><A
+NAME="FTN.AEN847"
+HREF="c84.html#AEN847"
+><SPAN
+CLASS="footnote"
+>[2]</SPAN
+></A
+></TD
+><TD
+ALIGN="LEFT"
+VALIGN="TOP"
+WIDTH="95%"
+><P
+>Pronunciation is said to be somewhere on the continuum between
+	  "brooping" and "burping".</P
+></TD
+></TR
+></TABLE
+><DIV
+CLASS="NAVFOOTER"
+><HR
+ALIGN="LEFT"
+WIDTH="100%"><TABLE
+SUMMARY="Footer navigation table"
+WIDTH="100%"
+BORDER="0"
+CELLPADDING="0"
+CELLSPACING="0"
+><TR
+><TD
+WIDTH="33%"
+ALIGN="left"
+VALIGN="top"
+><A
+HREF="c54.html"
+ACCESSKEY="P"
+>Prev</A
+></TD
+><TD
+WIDTH="34%"
+ALIGN="center"
+VALIGN="top"
+><A
+HREF="index.html"
+ACCESSKEY="H"
+>Home</A
+></TD
+><TD
+WIDTH="33%"
+ALIGN="right"
+VALIGN="top"
+><A
+HREF="api.html"
+ACCESSKEY="N"
+>Next</A
+></TD
+></TR
+><TR
+><TD
+WIDTH="33%"
+ALIGN="left"
+VALIGN="top"
+>Installing Broccoli</TD
+><TD
+WIDTH="34%"
+ALIGN="center"
+VALIGN="top"
+>&nbsp;</TD
+><TD
+WIDTH="33%"
+ALIGN="right"
+VALIGN="top"
+>Broccoli API Reference</TD
+></TR
+></TABLE
+></DIV
+></BODY
+></HTML
+>
\ No newline at end of file
diff --git a/aux/broccoli/docs/html/index.html b/aux/broccoli/docs/html/index.html
new file mode 100644
index 0000000000..75cb71912e
--- /dev/null
+++ b/aux/broccoli/docs/html/index.html
@@ -0,0 +1,331 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<HTML
+><HEAD
+><TITLE
+>Broccoli: The Bro Client Communications Library</TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet Version 1.79"><LINK
+REL="NEXT"
+TITLE="Introduction"
+HREF="c20.html"><LINK
+REL="STYLESHEET"
+TYPE="text/css"
+HREF="stylesheet.css"></HEAD
+><BODY
+CLASS="BOOK"
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+LINK="#0000FF"
+VLINK="#840084"
+ALINK="#0000FF"
+><DIV
+CLASS="BOOK"
+><DIV
+CLASS="TITLEPAGE"
+><H1
+CLASS="TITLE"
+><A
+NAME="INDEX"
+>Broccoli: The Bro Client Communications Library</A
+></H1
+><DIV
+CLASS="MEDIAOBJECT"
+><P
+><IMG
+SRC="images/logo.jpg"
+ALIGN="CENTER"></P
+></DIV
+><DIV
+><DIV
+CLASS="ABSTRACT"
+><P
+></P
+><A
+NAME="AEN9"
+></A
+><P
+>	This is documentation for release <SPAN
+CLASS="emphasis"
+><B
+CLASS="EMPHASIS"
+>1.5</B
+></SPAN
+>
+	of Broccoli, compatible with Bro IDS releases of <SPAN
+CLASS="emphasis"
+><B
+CLASS="EMPHASIS"
+>1.5</B
+></SPAN
+>
+	or newer. Broccoli is free software under terms of the BSD license as given
+	in the <A
+HREF="a3637.html#LICENSE"
+>License</A
+>
+	section. This documentation is always available on the web for download
+	and online browsing at
+	<A
+HREF="http://www.icir.org/christian/broccoli"
+TARGET="_top"
+>http://www.icir.org/christian/broccoli</A
+>.
+      </P
+><P
+>Feedback, patches and bug reports are all welcome, please
+	<A
+HREF="http://mailman.icsi.berkeley.edu/mailman/listinfo/bro"
+TARGET="_top"
+>join the Bro mailing list</A
+>.
+      </P
+><P
+>	Yet Another SRG/ICIR Production &mdash;
+	<A
+HREF="http://www.cl.cam.ac.uk/Research/SRG"
+TARGET="_top"
+>http://www.cl.cam.ac.uk/Research/SRG</A
+> &mdash;
+	<A
+HREF="http://www.icir.org"
+TARGET="_top"
+>http://www.icir.org</A
+>
+      </P
+><P
+></P
+></DIV
+></DIV
+></DIV
+><DIV
+CLASS="TOC"
+><DL
+><DT
+><B
+>Table of Contents</B
+></DT
+><DT
+>1. <A
+HREF="c20.html"
+>Introduction</A
+></DT
+><DD
+><DL
+><DT
+>1.1. <A
+HREF="c20.html#AEN23"
+>What is Broccoli?</A
+></DT
+><DT
+>1.2. <A
+HREF="c20.html#AEN34"
+>Why do I care?</A
+></DT
+></DL
+></DD
+><DT
+>2. <A
+HREF="c54.html"
+>Installing Broccoli</A
+></DT
+><DT
+>3. <A
+HREF="c84.html"
+>Using Broccoli</A
+></DT
+><DD
+><DL
+><DT
+>3.1. <A
+HREF="c84.html#AEN87"
+>Obtaining information about your build using <TT
+CLASS="FILENAME"
+>broccoli-config</TT
+></A
+></DT
+><DT
+>3.2. <A
+HREF="c84.html#AEN121"
+>Suggestions for instrumenting applications</A
+></DT
+><DT
+>3.3. <A
+HREF="c84.html#AEN134"
+>The Broccoli API</A
+></DT
+><DD
+><DL
+><DT
+>3.3.1. <A
+HREF="c84.html#AEN143"
+>Initialization</A
+></DT
+><DT
+>3.3.2. <A
+HREF="c84.html#AEN167"
+>Data types in Broccoli</A
+></DT
+><DT
+>3.3.3. <A
+HREF="c84.html#AEN226"
+>Managing connections</A
+></DT
+><DT
+>3.3.4. <A
+HREF="c84.html#AEN286"
+>Connection classes</A
+></DT
+><DT
+>3.3.5. <A
+HREF="c84.html#AEN300"
+>Composing and sending events</A
+></DT
+><DT
+>3.3.6. <A
+HREF="c84.html#AEN461"
+>Receiving events</A
+></DT
+><DT
+>3.3.7. <A
+HREF="c84.html#AEN554"
+>Handling records</A
+></DT
+><DT
+>3.3.8. <A
+HREF="c84.html#AEN599"
+>Handling tables</A
+></DT
+><DT
+>3.3.9. <A
+HREF="c84.html#AEN636"
+>Handling sets</A
+></DT
+><DT
+>3.3.10. <A
+HREF="c84.html#AEN653"
+>Associating data with connections</A
+></DT
+><DT
+>3.3.11. <A
+HREF="c84.html#AEN665"
+>Configuration files</A
+></DT
+><DT
+>3.3.12. <A
+HREF="c84.html#AEN696"
+>Using dynamic buffers</A
+></DT
+></DL
+></DD
+><DT
+>3.4. <A
+HREF="c84.html#AEN738"
+>Configuring encrypted communication</A
+></DT
+><DT
+>3.5. <A
+HREF="c84.html#AEN784"
+>Configuring event reception in Bro policies</A
+></DT
+><DT
+>3.6. <A
+HREF="c84.html#AEN818"
+>Configuring debugging output</A
+></DT
+><DT
+>3.7. <A
+HREF="c84.html#AEN842"
+>Test programs</A
+></DT
+></DL
+></DD
+><DT
+>4. <A
+HREF="api.html"
+>Broccoli API Reference</A
+></DT
+><DD
+><DL
+><DT
+><A
+HREF="broccoli-broccoli.html"
+>broccoli</A
+>&nbsp;--&nbsp;</DT
+></DL
+></DD
+><DT
+>A. <A
+HREF="a3637.html"
+>Appendix</A
+></DT
+><DD
+><DL
+><DT
+>A.1. <A
+HREF="a3637.html#LICENSE"
+>License</A
+></DT
+><DT
+>A.2. <A
+HREF="a3637.html#ABOUT"
+>About this document</A
+></DT
+></DL
+></DD
+></DL
+></DIV
+></DIV
+><DIV
+CLASS="NAVFOOTER"
+><HR
+ALIGN="LEFT"
+WIDTH="100%"><TABLE
+SUMMARY="Footer navigation table"
+WIDTH="100%"
+BORDER="0"
+CELLPADDING="0"
+CELLSPACING="0"
+><TR
+><TD
+WIDTH="33%"
+ALIGN="left"
+VALIGN="top"
+>&nbsp;</TD
+><TD
+WIDTH="34%"
+ALIGN="center"
+VALIGN="top"
+>&nbsp;</TD
+><TD
+WIDTH="33%"
+ALIGN="right"
+VALIGN="top"
+><A
+HREF="c20.html"
+ACCESSKEY="N"
+>Next</A
+></TD
+></TR
+><TR
+><TD
+WIDTH="33%"
+ALIGN="left"
+VALIGN="top"
+>&nbsp;</TD
+><TD
+WIDTH="34%"
+ALIGN="center"
+VALIGN="top"
+>&nbsp;</TD
+><TD
+WIDTH="33%"
+ALIGN="right"
+VALIGN="top"
+>Introduction</TD
+></TR
+></TABLE
+></DIV
+></BODY
+></HTML
+>
diff --git a/aux/broccoli/docs/html/index.sgml b/aux/broccoli/docs/html/index.sgml
new file mode 100644
index 0000000000..fec1661891
--- /dev/null
+++ b/aux/broccoli/docs/html/index.sgml
@@ -0,0 +1 @@
+<ANCHOR id ="BROCCOLI-BROCCOLI" href="broccoli/broccoli-broccoli.html">
diff --git a/aux/broccoli/docs/html/stylesheet.css b/aux/broccoli/docs/html/stylesheet.css
new file mode 100644
index 0000000000..be89020cf9
--- /dev/null
+++ b/aux/broccoli/docs/html/stylesheet.css
@@ -0,0 +1,30 @@
+body          { margin-left:10px;
+		margin-right:10px;
+		margin-top:10px;
+		margin-bottom:10px;
+		color:#101010;
+                background-repeat:no-repeat;
+              }
+
+h1.title      { text-align:center; }
+.abstract     { text-align:center;
+		margin-left:100px;
+		margin-right:100px; }
+
+.caption      { margin-left:100px;
+		margin-right:100px;
+		font-style:italic; }
+
+.programlisting { font-size:12px;
+		  font-family:courier;
+		}
+
+.type 		{ font-size:12px;
+		  font-family:courier;
+		}
+
+.mediaobject  { text-align:center; }
+
+span, h1, h2, h3, h4, p, div, table { font-family:arial,helvetica; }
+
+li            { margin-bottom:10px }
diff --git a/aux/broccoli/docs/images/caution.gif b/aux/broccoli/docs/images/caution.gif
new file mode 100644
index 0000000000..cf7c80e772
Binary files /dev/null and b/aux/broccoli/docs/images/caution.gif differ
diff --git a/aux/broccoli/docs/images/logo.jpg b/aux/broccoli/docs/images/logo.jpg
new file mode 100644
index 0000000000..35c50f6c4d
Binary files /dev/null and b/aux/broccoli/docs/images/logo.jpg differ
diff --git a/aux/broccoli/docs/images/note.gif b/aux/broccoli/docs/images/note.gif
new file mode 100644
index 0000000000..d731483816
Binary files /dev/null and b/aux/broccoli/docs/images/note.gif differ
diff --git a/aux/broccoli/docs/images/warning.gif b/aux/broccoli/docs/images/warning.gif
new file mode 100644
index 0000000000..2abc1cfb89
Binary files /dev/null and b/aux/broccoli/docs/images/warning.gif differ
diff --git a/aux/broccoli/docs/mkhtml.in b/aux/broccoli/docs/mkhtml.in
new file mode 100755
index 0000000000..126e3dac65
--- /dev/null
+++ b/aux/broccoli/docs/mkhtml.in
@@ -0,0 +1,35 @@
+#!/bin/sh
+#
+# Hacked version of gtkdoc-mkhtml to allow using different stylesheets.
+
+usage="\
+Usage: mkhtml MODULE SGML_FILE STYLESHEET"
+
+if test "x$1" = "x--version"; then
+      echo "0.10"
+      exit 0
+fi
+
+if test $# -lt 2; then
+      echo "${usage}" 1>&2
+      exit 1
+fi
+
+module=$1
+document=$2
+gtkdocdir=/usr/share/gtk-doc
+
+# Delete the old index.sgml file, if it exists.
+if test -f index.sgml; then
+      rm -f index.sgml
+fi
+
+stylesheet=$gtkdocdir/gtk-doc.dsl
+if test $# -ge 3; then
+    stylesheet=$3
+fi
+
+@OPENJADE@ -t sgml -w no-idref -d $stylesheet $document
+sed s%href=\"%href=\"$module/% < index.sgml > index.sgml.tmp && mv index.sgml.tmp index.sgml
+
+echo "timestamp" > ../html.stamp
diff --git a/aux/broccoli/docs/stylesheet.css b/aux/broccoli/docs/stylesheet.css
new file mode 100644
index 0000000000..be89020cf9
--- /dev/null
+++ b/aux/broccoli/docs/stylesheet.css
@@ -0,0 +1,30 @@
+body          { margin-left:10px;
+		margin-right:10px;
+		margin-top:10px;
+		margin-bottom:10px;
+		color:#101010;
+                background-repeat:no-repeat;
+              }
+
+h1.title      { text-align:center; }
+.abstract     { text-align:center;
+		margin-left:100px;
+		margin-right:100px; }
+
+.caption      { margin-left:100px;
+		margin-right:100px;
+		font-style:italic; }
+
+.programlisting { font-size:12px;
+		  font-family:courier;
+		}
+
+.type 		{ font-size:12px;
+		  font-family:courier;
+		}
+
+.mediaobject  { text-align:center; }
+
+span, h1, h2, h3, h4, p, div, table { font-family:arial,helvetica; }
+
+li            { margin-bottom:10px }
diff --git a/aux/broccoli/docs/stylesheet.dsl b/aux/broccoli/docs/stylesheet.dsl
new file mode 100644
index 0000000000..b1b086a0f8
--- /dev/null
+++ b/aux/broccoli/docs/stylesheet.dsl
@@ -0,0 +1,263 @@
+<!DOCTYPE style-sheet PUBLIC "-//James Clark//DTD DSSSL Style Sheet//EN" [
+<!ENTITY dbstyle PUBLIC "-//Norman Walsh//DOCUMENT DocBook HTML Stylesheet//EN" CDATA DSSSL>
+]>
+
+<style-sheet>
+<style-specification use="docbook">
+<style-specification-body>
+
+;; These are some customizations to the standard HTML output produced by the
+;; Modular DocBook Stylesheets.
+;; I've copied parts of a few functions from the stylesheets so these should
+;; be checked occasionally to ensure they are up to date.
+;;
+;; The last check was with version 1.40 of the stylesheets.
+;; It will not work with versions < 1.19 since the $shade-verbatim-attr$
+;; function was added then. Versions 1.19 to 1.39 may be OK, if you're lucky!
+
+;;(define %generate-book-toc% #f)
+
+
+;; The email content should not line wrap in HTML, that looks ugly.
+;; (okay there shouldn't be whitespace in there but when people want
+;; to avoid an @ they can fill in all kinds of things).
+(element email 
+  ($mono-seq$ 
+   (make sequence 
+     (make element gi: "NOBR"
+	   (literal "&#60;")
+	   (make element gi: "A"
+		 attributes: (list (list "HREF" 
+					 (string-append "mailto:" 
+							(data (current-node)))))
+		 (process-children))
+	   (literal "&#62;")))))
+
+
+;; We want to have some control over how sections are split up into
+;; separate pages.
+(define (chunk-element-list)
+  (list (normalize "preface")
+        (normalize "chapter")
+        (normalize "appendix")
+        (normalize "article")
+        (normalize "glossary")
+        (normalize "bibliography")
+        (normalize "index")
+        (normalize "colophon")
+        (normalize "setindex")
+        (normalize "reference")
+        (normalize "refentry")
+        (normalize "part")
+;; Commented out to prevent splitting up every section into its own document
+;;        (normalize "sect1")
+;;        (normalize "section")
+        (normalize "book") ;; just in case nothing else matches...
+        (normalize "set")  ;; sets are definitely chunks...
+        ))
+
+
+;; If a Chapter has role="no-toc" we don't generate a table of contents.
+;; This is useful if a better contents page has been added manually, e.g. for
+;; the GTK+ Widgets & Objects page. (But it is a bit of a hack.)
+(define ($generate-chapter-toc$)
+  (not (equal? (attribute-string (normalize "role") (current-node)) "no-toc")))
+
+(define %chapter-autolabel% 
+  ;; Are chapters enumerated?
+  #t)
+
+(define %section-autolabel% 
+  ;; Are sections enumerated?
+  #t)
+
+(define %use-id-as-filename% #t)
+
+(define %html-ext% ".html")
+
+(define %shade-verbatim% #t)
+
+(define (book-titlepage-separator side)
+  (empty-sosofo))
+
+
+(define ($shade-verbatim-attr$)
+  ;; Attributes used to create a shaded verbatim environment.
+  (list
+   (list "WIDTH" "100%")
+   (list "BORDER" "0")
+   (list "BGCOLOR" "#eaeaf0")))
+
+
+;; This overrides the refsect2 definition (copied from 1.20, dbrfntry.dsl).
+;; It puts a horizontal rule before each function/struct/... description,
+;; except the first one in the refsect1.
+(element refsect2
+  (make sequence
+    (if (first-sibling?)
+	(empty-sosofo)
+	(make empty-element gi: "HR"))
+    ($block-container$)))
+
+;; Override the book declaration, so that we generate a crossreference
+;; for the book
+
+(element book 
+  (let* ((bookinfo  (select-elements (children (current-node)) (normalize "bookinfo")))
+	 (ititle   (select-elements (children bookinfo) (normalize "title")))
+	 (title    (if (node-list-empty? ititle)
+		       (select-elements (children (current-node)) (normalize "title"))
+		       (node-list-first ititle)))
+	 (nl       (titlepage-info-elements (current-node) bookinfo))
+	 (tsosofo  (with-mode head-title-mode
+		     (process-node-list title)))
+	 (dedication (select-elements (children (current-node)) (normalize "dedication"))))
+    (make sequence
+     (html-document 
+      tsosofo
+      (make element gi: "DIV"
+	    attributes: '(("CLASS" "BOOK"))
+	    (if %generate-book-titlepage%
+		(make sequence
+		  (book-titlepage nl 'recto)
+		  (book-titlepage nl 'verso))
+		(empty-sosofo))
+	    
+	    (if (node-list-empty? dedication)
+		(empty-sosofo)
+		(with-mode dedication-page-mode
+		  (process-node-list dedication)))
+	    
+	    (if (not (generate-toc-in-front))
+		(process-children)
+		(empty-sosofo))
+	    
+	    (if %generate-book-toc%
+		(build-toc (current-node) (toc-depth (current-node)))
+		(empty-sosofo))
+	    
+	    ;;	  (let loop ((gilist %generate-book-lot-list%))
+	    ;;	    (if (null? gilist)
+	    ;;		(empty-sosofo)
+	    ;;		(if (not (node-list-empty? 
+	    ;;			  (select-elements (descendants (current-node))
+	    ;;					   (car gilist))))
+	    ;;		    (make sequence
+	    ;;		      (build-lot (current-node) (car gilist))
+	    ;;		      (loop (cdr gilist)))
+	    ;;		    (loop (cdr gilist)))))
+	  
+	    (if (generate-toc-in-front)
+		(process-children)
+		(empty-sosofo))))
+     (make entity 
+       system-id: "index.sgml"
+       (with-mode generate-index-mode
+	 (process-children))))))
+
+;; Mode for generating cross references
+
+(define (process-child-elements)
+  (process-node-list
+   (node-list-map (lambda (snl)
+                    (if (equal? (node-property 'class-name snl) 'element)
+                        snl
+                        (empty-node-list)))
+                  (children (current-node)))))
+
+(mode generate-index-mode
+  (element anchor
+    (if (attribute-string "href" (current-node))
+	(empty-sosofo)
+	(make formatting-instruction data:
+	      (string-append "\less-than-sign;ANCHOR id =\""
+			     (attribute-string "id" (current-node))
+			     "\" href=\""
+			     (href-to (current-node))
+			     "\"\greater-than-sign;
+"))))
+
+  ;; We also want to be able to link to complete RefEntry.
+  (element refentry
+    (make sequence
+      (make formatting-instruction data:
+	    (string-append "\less-than-sign;ANCHOR id =\""
+			   (attribute-string "id" (current-node))
+			   "\" href=\""
+			   (href-to (current-node))
+			   "\"\greater-than-sign;
+"))
+      (process-child-elements)))
+
+  (default
+    (process-child-elements)))
+
+;; For hypertext links for which no target is found in the document, we output
+;; our own special tag which we use later to resolve cross-document links.
+(element link 
+  (let* ((target (element-with-id (attribute-string (normalize "linkend")))))
+    (if (node-list-empty? target)
+      (make element gi: "GTKDOCLINK"
+	    attributes: (list
+			 (list "HREF" (attribute-string (normalize "linkend"))))
+            (process-children))
+      (make element gi: "A"
+            attributes: (list
+                         (list "HREF" (href-to target)))
+            (process-children)))))
+
+
+
+
+(define ($section-body$)
+  (make sequence
+    (make empty-element gi: "BR"
+	  attributes: (list (list "CLEAR" "all")))
+    (make element gi: "DIV"
+	  attributes: (list (list "CLASS" (gi)))
+	  ($section-separator$)
+	  ($section-title$)
+	  (process-children))))
+
+;; We want to use a stylesheet!
+(define %css-decoration%
+  ;; Enable CSS decoration of elements
+  #t)
+(define %stylesheet%
+  ;; Name of the stylesheet to use
+  "stylesheet.css")
+
+
+;; I want my own graphics with admonitions.
+(define %admon-graphics%
+  ;; Use graphics in admonitions?
+  #t)
+(define %admon-graphics-path%
+  ;; Path to admonition graphics
+  "images/")
+
+
+;; Some stuff I really didn't like -- italics are
+;; pretty hard to read most of the time. Don't use
+;; them for parameter names and structure fields.
+(element parameter ($mono-seq$))
+(element structfield ($mono-seq$))
+
+;; And don't use italics for emphasis either, just
+;; use bold text.
+(element emphasis
+  (let* ((class (if (and (attribute-string (normalize "role"))
+			 %emphasis-propagates-style%)
+		    (attribute-string (normalize "role"))
+		    "emphasis")))
+    (make element gi: "SPAN"
+	  attributes: (list (list "CLASS" class))
+	  (if (and (attribute-string (normalize "role"))
+		   (or (equal? (attribute-string (normalize "role")) "strong")
+		       (equal? (attribute-string (normalize "role")) "bold")))
+	      ($bold-seq$) ($bold-seq$)))))
+
+</style-specification-body>
+</style-specification>
+<external-specification id="docbook" document="dbstyle">
+</style-sheet>
diff --git a/aux/broccoli/shtool b/aux/broccoli/shtool
new file mode 100755
index 0000000000..4c1a7396fd
--- /dev/null
+++ b/aux/broccoli/shtool
@@ -0,0 +1,716 @@
+#!/bin/sh
+##
+##  GNU shtool -- The GNU Portable Shell Tool
+##  Copyright (c) 1994-2000 Ralf S. Engelschall <rse@engelschall.com>
+##
+##  See http://www.gnu.org/software/shtool/ for more information.
+##  See ftp://ftp.gnu.org/gnu/shtool/ for latest version.
+##
+##  Version 1.4.9 (16-Apr-2000)
+##  Ingredients: 3/17 available modules
+##
+
+##
+##  This program is free software; you can redistribute it and/or modify
+##  it under the terms of the GNU General Public License as published by
+##  the Free Software Foundation; either version 2 of the License, or
+##  (at your option) any later version.
+##
+##  This program is distributed in the hope that it will be useful,
+##  but WITHOUT ANY WARRANTY; without even the implied warranty of
+##  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+##  General Public License for more details.
+##
+##  You should have received a copy of the GNU General Public License
+##  along with this program; if not, write to the Free Software
+##  Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
+##  USA, or contact Ralf S. Engelschall <rse@engelschall.com>.
+##
+##  Notice: Given that you include this file verbatim into your own
+##  source tree, you are justified in saying that it remains separate
+##  from your package, and that this way you are simply just using GNU
+##  shtool. So, in this situation, there is no requirement that your
+##  package itself is licensed under the GNU General Public License in
+##  order to take advantage of GNU shtool.
+##
+
+##
+##  Usage: shtool [<options>] [<cmd-name> [<cmd-options>] [<cmd-args>]]
+##
+##  Available commands:
+##    echo       Print string with optional construct expansion
+##    install    Install a program, script or datafile
+##    mkdir      Make one or more directories
+##
+##  Not available commands (because module was not built-in):
+##    mdate      Pretty-print modification time of a file or dir
+##    table      Pretty-print a field-separated list as a table
+##    prop       Display progress with a running propeller
+##    move       Move files with simultaneous substitution
+##    mkln       Make link with calculation of relative paths
+##    mkshadow   Make a shadow tree through symbolic links
+##    fixperm    Fix file permissions inside a source tree
+##    tarball    Roll distribution tarballs
+##    guessos    Simple operating system guesser
+##    arx        Extended archive command
+##    slo        Separate linker options by library class
+##    scpp       Sharing C Pre-Processor
+##    version    Generate and maintain a version information file
+##    path       Deal with program paths
+##
+
+if [ $# -eq 0 ]; then
+    echo "$0:Error: invalid command line" 1>&2
+    echo "$0:Hint:  run \`$0 -h' for usage" 1>&2
+    exit 1
+fi
+if [ ".$1" = ".-h" -o ".$1" = ".--help" ]; then
+    echo "This is GNU shtool, version 1.4.9 (16-Apr-2000)"
+    echo "Copyright (c) 1994-2000 Ralf S. Engelschall <rse@engelschall.com>"
+    echo "Report bugs to <bug-shtool@gnu.org>"
+    echo ''
+    echo "Usage: shtool [<options>] [<cmd-name> [<cmd-options>] [<cmd-args>]]" 
+    echo ''
+    echo 'Available global <options>:'
+    echo '  -v, --version   display shtool version information'
+    echo '  -h, --help      display shtool usage help page (this one)'
+    echo '  -d, --debug     display shell trace information'
+    echo ''
+    echo 'Available <cmd-name> [<cmd-options>] [<cmd-args>]:'
+    echo '  echo     [-n] [-e] [<str> ...]'
+    echo '  install  [-v] [-t] [-c] [-C] [-s] [-m<mode>] [-o<owner>] [-g<group>]'
+    echo '           [-e<ext>] <file> <path>'
+    echo '  mkdir    [-t] [-f] [-p] [-m<mode>] <dir> [<dir> ...]'
+    echo ''
+    echo 'Not available <cmd-name> (because module was not built-in):'
+    echo '  mdate    [-n] [-z] [-s] [-d] [-f<str>] [-o<spec>] <path>'
+    echo '  table    [-F<sep>] [-w<width>] [-c<cols>] [-s<strip>] <str><sep><str>...'
+    echo '  prop     [-p<str>]'
+    echo '  move     [-v] [-t] [-e] [-p] <src-file> <dst-file>'
+    echo '  mkln     [-t] [-f] [-s] <src-path> [<src-path> ...] <dst-path>'
+    echo '  mkshadow [-v] [-t] [-a] <src-dir> <dst-dir>'
+    echo '  fixperm  [-v] [-t] <path> [<path> ...]'
+    echo '  tarball  [-t] [-v] [-o <tarball>] [-c <prog>] [-d <dir>] [-u'
+    echo '           <user>] [-g <group>] [-e <pattern>] <path> [<path> ...]'
+    echo '  guessos  '
+    echo '  arx      [-t] [-C<cmd>] <op> <archive> [<file> ...]'
+    echo '  slo      [-p<str>] -- -L<dir> -l<lib> [-L<dir> -l<lib> ...]'
+    echo '  scpp     [-v] [-p] [-f<filter>] [-o<ofile>] [-t<tfile>] [-M<mark>]'
+    echo '           [-D<dname>] [-C<cname>] <file> [<file> ...]'
+    echo '  version  [-l<lang>] [-n<name>] [-p<prefix>] [-s<version>] [-i<knob>]'
+    echo '           [-d<type>] <file>'
+    echo '  path     [-s] [-r] [-d] [-b] [-m] [-p<path>] <str> [<str> ...]'
+    echo ''
+    exit 0
+fi
+if [ ".$1" = ".-v" -o ".$1" = ."--version" ]; then
+    echo "GNU shtool 1.4.9 (16-Apr-2000)"
+    exit 0
+fi
+if [ ".$1" = ".-d" -o ".$1" = ."--debug" ]; then
+    shift
+    set -x
+fi
+name=`echo "$0" | sed -e 's;.*/\([^/]*\)$;\1;' -e 's;-sh$;;' -e 's;\.sh$;;'`
+case "$name" in
+    echo|install|mkdir )
+        #   implicit tool command selection
+        tool="$name"
+        ;;
+    * )
+        #   explicit tool command selection
+        tool="$1"
+        shift
+        ;;
+esac
+arg_spec=""
+opt_spec=""
+gen_tmpfile=no
+
+##
+##  DISPATCH INTO SCRIPT PROLOG
+##
+
+case $tool in
+    echo )
+        str_tool="echo"
+        str_usage="[-n] [-e] [<str> ...]"
+        arg_spec="0+"
+        opt_spec="n.e."
+        opt_n=no
+        opt_e=no
+        ;;
+    install )
+        str_tool="install"
+        str_usage="[-v] [-t] [-c] [-C] [-s] [-m<mode>] [-o<owner>] [-g<group>] [-e<ext>] <file> <path>"
+        arg_spec="2="
+        opt_spec="v.t.c.C.s.m:o:g:e:"
+        opt_v=no
+        opt_t=no
+        opt_c=no
+        opt_C=no
+        opt_s=no
+        opt_m=""
+        opt_o=""
+        opt_g=""
+        opt_e=""
+        ;;
+    mkdir )
+        str_tool="mkdir"
+        str_usage="[-t] [-f] [-p] [-m<mode>] <dir> [<dir> ...]"
+        arg_spec="1+"
+        opt_spec="t.f.p.m:"
+        opt_t=no
+        opt_f=no
+        opt_p=no
+        opt_m=""
+        ;;
+    -* )
+        echo "$0:Error: unknown option \`$tool'" 2>&1
+        echo "$0:Hint:  run \`$0 -h' for usage" 2>&1
+        exit 1
+        ;;
+    * )
+        echo "$0:Error: unknown command \`$tool'" 2>&1
+        echo "$0:Hint:  run \`$0 -h' for usage" 2>&1
+        exit 1
+        ;;
+esac
+
+##
+##  COMMON UTILITY CODE
+##
+
+#   determine name of tool
+if [ ".$tool" != . ]; then
+    #   used inside shtool script
+    toolcmd="$0 $tool"
+    toolcmdhelp="shtool $tool"
+    msgprefix="shtool:$tool"
+else
+    #   used as standalone script
+    toolcmd="$0"
+    toolcmdhelp="sh $0"
+    msgprefix="$str_tool"
+fi
+
+#   parse argument specification string
+eval `echo $arg_spec |\
+      sed -e 's/^\([0-9]*\)\([+=]\)/arg_NUMS=\1; arg_MODE=\2/'`
+
+#   parse option specification string
+eval `echo h.$opt_spec |\
+      sed -e 's/\([a-zA-Z0-9]\)\([.:+]\)/opt_MODE_\1=\2;/g'`
+
+#   interate over argument line
+opt_PREV=''
+while [ $# -gt 0 ]; do
+    #   special option stops processing
+    if [ ".$1" = ".--" ]; then
+        shift
+        break
+    fi
+
+    #   determine option and argument
+    opt_ARG_OK=no
+    if [ ".$opt_PREV" != . ]; then
+        #   merge previous seen option with argument
+        opt_OPT="$opt_PREV"
+        opt_ARG="$1"
+        opt_ARG_OK=yes
+        opt_PREV=''
+    else
+        #   split argument into option and argument
+        case "$1" in
+            -[a-zA-Z0-9]*)
+                eval `echo "x$1" |\
+                      sed -e 's/^x-\([a-zA-Z0-9]\)/opt_OPT="\1";/' \
+                          -e 's/";\(.*\)$/"; opt_ARG="\1"/'`
+                ;;
+            -[a-zA-Z0-9])
+                opt_OPT=`echo "x$1" | cut -c3-`
+                opt_ARG=''
+                ;;
+            *)
+                break
+                ;;
+        esac
+    fi
+
+    #   eat up option
+    shift
+
+    #   determine whether option needs an argument
+    eval "opt_MODE=\$opt_MODE_${opt_OPT}"
+    if [ ".$opt_ARG" = . -a ".$opt_ARG_OK" != .yes ]; then
+        if [ ".$opt_MODE" = ".:" -o ".$opt_MODE" = ".+" ]; then
+            opt_PREV="$opt_OPT"
+            continue
+        fi
+    fi
+
+    #   process option
+    case $opt_MODE in
+        '.' )
+            #   boolean option
+            eval "opt_${opt_OPT}=yes"
+            ;;
+        ':' )
+            #   option with argument (multiple occurances override)
+            eval "opt_${opt_OPT}=\"\$opt_ARG\""
+            ;;
+        '+' )
+            #   option with argument (multiple occurances append)
+            eval "opt_${opt_OPT}=\"\$opt_${opt_OPT} \$opt_ARG\""
+            ;;
+        * )
+            echo "$msgprefix:Error: unknown option: \`-$opt_OPT'" 1>&2
+            echo "$msgprefix:Hint:  run \`$toolcmdhelp -h' or \`man shtool' for details" 1>&2
+            exit 1
+            ;;
+    esac
+done
+if [ ".$opt_PREV" != . ]; then
+    echo "$msgprefix:Error: missing argument to option \`-$opt_PREV'" 1>&2
+    echo "$msgprefix:Hint:  run \`$toolcmdhelp -h' or \`man shtool' for details" 1>&2
+    exit 1
+fi
+
+#   process help option
+if [ ".$opt_h" = .yes ]; then
+    echo "Usage: $toolcmdhelp $str_usage"
+    exit 0
+fi
+
+#   complain about incorrect number of arguments
+case $arg_MODE in
+    '=' )
+        if [ $# -ne $arg_NUMS ]; then
+            echo "$msgprefix:Error: invalid number of arguments (exactly $arg_NUMS expected)" 1>&2
+            echo "$msgprefix:Hint:  run \`$toolcmd -h' or \`man shtool' for details" 1>&2
+            exit 1
+        fi
+        ;;
+    '+' )
+        if [ $# -lt $arg_NUMS ]; then
+            echo "$msgprefix:Error: invalid number of arguments (at least $arg_NUMS expected)" 1>&2
+            echo "$msgprefix:Hint:  run \`$toolcmd -h' or \`man shtool' for details" 1>&2
+            exit 1
+        fi
+        ;;
+esac
+
+#   establish a temporary file on request
+if [ ".$gen_tmpfile" = .yes ]; then
+    if [ ".$TMPDIR" != . ]; then
+        tmpdir="$TMPDIR"
+    elif [ ".$TEMPDIR" != . ]; then
+        tmpdir="$TEMPDIR"
+    else
+        tmpdir="/tmp"
+    fi
+    tmpfile="$tmpdir/.shtool.$$"
+    rm -f $tmpfile >/dev/null 2>&1
+    touch $tmpfile
+fi
+
+##
+##  DISPATCH INTO SCRIPT BODY
+##
+
+case $tool in
+
+echo )
+    ##
+    ##  echo -- Print string with optional construct expansion
+    ##  Copyright (c) 1998-2000 Ralf S. Engelschall <rse@engelschall.com>
+    ##  Originally written for WML as buildinfo
+    ##
+    
+    text="$*"
+    
+    #   check for broken escape sequence expansion
+    seo=''
+    bytes=`echo '\1' | wc -c | awk '{ printf("%s", $1); }'`
+    if [ ".$bytes" != .3 ]; then
+        bytes=`echo -E '\1' | wc -c | awk '{ printf("%s", $1); }'`
+        if [ ".$bytes" = .3 ]; then
+            seo='-E'
+        fi
+    fi
+    
+    #   check for existing -n option (to suppress newline)
+    minusn=''
+    bytes=`echo -n 123 2>/dev/null | wc -c | awk '{ printf("%s", $1); }'`
+    if [ ".$bytes" = .3 ]; then
+        minusn='-n'
+    fi
+    
+    #   determine terminal bold sequence
+    term_bold='' 
+    term_norm=''
+    if [ ".$opt_e" = .yes -a ".`echo $text | egrep '%[Bb]'`" != . ]; then
+        case $TERM in
+            #   for the most important terminal types we directly know the sequences
+            xterm|xterm*|vt220|vt220*)
+                term_bold=`awk 'BEGIN { printf("%c%c%c%c", 27, 91, 49, 109); }' </dev/null 2>/dev/null`
+                term_norm=`awk 'BEGIN { printf("%c%c%c", 27, 91, 109); }' </dev/null 2>/dev/null`
+                ;;
+            vt100|vt100*)
+                term_bold=`awk 'BEGIN { printf("%c%c%c%c%c%c", 27, 91, 49, 109, 0, 0); }' </dev/null 2>/dev/null`
+                term_norm=`awk 'BEGIN { printf("%c%c%c%c%c", 27, 91, 109, 0, 0); }' </dev/null 2>/dev/null`
+                ;;
+            #   for all others, we try to use a possibly existing `tput' or `tcout' utility
+            * )
+                paths=`echo $PATH | sed -e 's/:/ /g'`
+                for tool in tput tcout; do
+                    for dir in $paths; do
+                        if [ -r "$dir/$tool" ]; then
+                            for seq in bold md smso; do # 'smso' is last
+                                bold="`$dir/$tool $seq 2>/dev/null`"
+                                if [ ".$bold" != . ]; then
+                                    term_bold="$bold"
+                                    break
+                                fi
+                            done
+                            if [ ".$term_bold" != . ]; then
+                                for seq in sgr0 me rmso reset; do # 'reset' is last
+                                    norm="`$dir/$tool $seq 2>/dev/null`"
+                                    if [ ".$norm" != . ]; then
+                                        term_norm="$norm"
+                                        break
+                                    fi
+                                done
+                            fi
+                            break
+                        fi
+                    done
+                    if [ ".$term_bold" != . -a ".$term_norm" != . ]; then
+                        break;
+                    fi
+                done
+                ;;
+        esac
+        if [ ".$term_bold" = . -o ".$term_norm" = . ]; then
+            echo "$msgprefix:Warning: unable to determine terminal sequence for bold mode" 1>&2
+        fi
+    fi
+    
+    #   determine user name
+    username=''
+    if [ ".$opt_e" = .yes -a ".`echo $text | egrep '%[uU]'`" != . ]; then
+        username="$LOGNAME"
+        if [ ".$username" = . ]; then
+            username="$USER"
+            if [ ".$username" = . ]; then
+                username="`(whoami) 2>/dev/null |\
+                           awk '{ printf("%s", $1); }'`"
+                if [ ".$username" = . ]; then
+                    username="`(who am i) 2>/dev/null |\
+                               awk '{ printf("%s", $1); }'`"
+                    if [ ".$username" = . ]; then
+                        username='unknown'
+                    fi
+                fi
+            fi
+        fi
+    fi
+    
+    #   determine user id
+    userid=''
+    if [ ".$opt_e" = .yes -a ".`echo $text | egrep '%U'`" != . ]; then
+        userid="`(id -u) 2>/dev/null`"
+        if [ ".$userid" = . ]; then
+            str="`(id) 2>/dev/null`"
+            if [ ".`echo $str | grep '^uid[ 	]*=[ 	]*[0-9]*('`" != . ]; then
+                userid=`echo $str | sed -e 's/^uid[ 	]*=[ 	]*//' -e 's/(.*//'`
+            fi
+            if [ ".$userid" = . ]; then
+                userid=`egrep "^${username}:" /etc/passwd 2>/dev/null | \
+                        sed -e 's/[^:]*:[^:]*://' -e 's/:.*$//'`
+                if [ ".$userid" = . ]; then
+                    userid=`(ypcat passwd) 2>/dev/null |
+                            egrep "^${username}:" | \
+                            sed -e 's/[^:]*:[^:]*://' -e 's/:.*$//'`
+                    if [ ".$userid" = . ]; then
+                        userid='?'
+                    fi
+                fi
+            fi
+        fi
+    fi
+    
+    #   determine host name
+    hostname=''
+    if [ ".$opt_e" = .yes -a ".`echo $text | egrep '%h'`" != . ]; then
+        hostname="`(uname -n) 2>/dev/null |\
+                   awk '{ printf("%s", $1); }'`"
+        if [ ".$hostname" = . ]; then
+            hostname="`(hostname) 2>/dev/null |\
+                       awk '{ printf("%s", $1); }'`"
+            if [ ".$hostname" = . ]; then
+                hostname='unknown'
+            fi
+        fi
+        case $hostname in
+            *.* )
+                domainname=".`echo $hostname | cut -d. -f2-`"
+                hostname="`echo $hostname | cut -d. -f1`"
+                ;;
+        esac
+    fi
+    
+    #   determine domain name
+    domainname=''
+    if [ ".$opt_e" = .yes -a ".`echo $text | egrep '%d'`" != . ]; then
+        if [ ".$domainname" = . ]; then
+            if [ -f /etc/resolv.conf ]; then
+                domainname="`egrep '^[ 	]*domain' /etc/resolv.conf | head -1 |\
+                             sed -e 's/.*domain//' \
+                                 -e 's/^[ 	]*//' -e 's/^ *//' -e 's/^	*//' \
+                                 -e 's/^\.//' -e 's/^/./' |\
+                             awk '{ printf("%s", $1); }'`"
+                if [ ".$domainname" = . ]; then
+                    domainname="`egrep '^[ 	]*search' /etc/resolv.conf | head -1 |\
+                                 sed -e 's/.*search//' \
+                                     -e 's/^[ 	]*//' -e 's/^ *//' -e 's/^	*//' \
+                                     -e 's/ .*//' -e 's/	.*//' \
+                                     -e 's/^\.//' -e 's/^/./' |\
+                                 awk '{ printf("%s", $1); }'`"
+                fi
+            fi
+        fi
+    fi
+    
+    #   determine current time
+    time_day=''
+    time_month=''
+    time_year=''
+    time_monthname=''
+    if [ ".$opt_e" = .yes -a ".`echo $text | egrep '%[DMYm]'`" != . ]; then
+        time_day=`date '+%d'`
+        time_month=`date '+%m'`
+        time_year=`date '+%Y' 2>/dev/null`
+        if [ ".$time_year" = . ]; then
+            time_year=`date '+%y'`
+            case $time_year in
+                [5-9][0-9]) time_year="19$time_year" ;;
+                [0-4][0-9]) time_year="20$time_year" ;;
+            esac
+        fi
+        case $time_month in
+            1|01) time_monthname='Jan' ;;
+            2|02) time_monthname='Feb' ;;
+            3|03) time_monthname='Mar' ;;
+            4|04) time_monthname='Apr' ;;
+            5|05) time_monthname='May' ;;
+            6|06) time_monthname='Jun' ;;
+            7|07) time_monthname='Jul' ;;
+            8|08) time_monthname='Aug' ;;
+            9|09) time_monthname='Sep' ;;
+              10) time_monthname='Oct' ;;
+              11) time_monthname='Nov' ;;
+              12) time_monthname='Dec' ;;
+        esac
+    fi
+    
+    #   expand special ``%x'' constructs
+    if [ ".$opt_e" = .yes ]; then
+        text=`echo $seo "$text" |\
+              sed -e "s/%B/${term_bold}/g" \
+                  -e "s/%b/${term_norm}/g" \
+                  -e "s/%u/${username}/g" \
+                  -e "s/%U/${userid}/g" \
+                  -e "s/%h/${hostname}/g" \
+                  -e "s/%d/${domainname}/g" \
+                  -e "s/%D/${time_day}/g" \
+                  -e "s/%M/${time_month}/g" \
+                  -e "s/%Y/${time_year}/g" \
+                  -e "s/%m/${time_monthname}/g" 2>/dev/null`
+    fi
+    
+    #   create output
+    if [ .$opt_n = .no ]; then
+        echo $seo "$text"
+    else
+        #   the harder part: echo -n is best, because
+        #   awk may complain about some \xx sequences.
+        if [ ".$minusn" != . ]; then
+            echo $seo $minusn "$text"
+        else
+            echo dummy | awk '{ printf("%s", TEXT); }' TEXT="$text"
+        fi
+    fi
+    ;;
+
+install )
+    ##
+    ##  install -- Install a program, script or datafile
+    ##  Copyright (c) 1997-2000 Ralf S. Engelschall <rse@engelschall.com>
+    ##  Originally written for shtool
+    ##
+    
+    src="$1"
+    dst="$2"
+    
+    #  If destination is a directory, append the input filename
+    if [ -d $dst ]; then
+        dst=`echo "$dst" | sed -e 's:/$::'`
+        dstfile=`echo "$src" | sed -e 's;.*/\([^/]*\)$;\1;'`
+        dst="$dst/$dstfile"
+    fi
+    
+    #  Add a possible extension to src and dst
+    if [ ".$opt_e" != . ]; then
+        src="$src$opt_e"
+        dst="$dst$opt_e"
+    fi
+    
+    #  Check for correct arguments
+    if [ ".$src" = ".$dst" ]; then
+        echo "$msgprefix:Error: source and destination are the same" 1>&2
+        exit 1
+    fi
+    
+    #  Make a temp file name in the destination directory
+    dstdir=`echo $dst | sed -e 's;[^/]*$;;' -e 's;\(.\)/$;\1;' -e 's;^$;.;'`
+    dsttmp="$dstdir/#INST@$$#"
+    
+    #  Verbosity
+    if [ ".$opt_v" = .yes ]; then
+        echo "$src -> $dst" 1>&2
+    fi
+    
+    #  Copy or move the file name to the temp name
+    #  (because we might be not allowed to change the source)
+    if [ ".$opt_C" = .yes ]; then
+        opt_c=yes
+    fi
+    if [ ".$opt_c" = .yes ]; then
+        if [ ".$opt_t" = .yes ]; then
+            echo "cp $src $dsttmp" 1>&2
+        fi
+        cp $src $dsttmp || exit $?
+    else
+        if [ ".$opt_t" = .yes ]; then
+            echo "mv $src $dsttmp" 1>&2
+        fi
+        mv $src $dsttmp || exit $?
+    fi
+    
+    #  Adjust the target file
+    #  (we do chmod last to preserve setuid bits)
+    if [ ".$opt_s" = .yes ]; then
+        if [ ".$opt_t" = .yes ]; then
+            echo "strip $dsttmp" 1>&2
+        fi
+        strip $dsttmp || exit $?
+    fi
+    if [ ".$opt_o" != . ]; then
+        if [ ".$opt_t" = .yes ]; then
+            echo "chown $opt_o $dsttmp" 1>&2
+        fi
+        chown $opt_o $dsttmp || exit $?
+    fi
+    if [ ".$opt_g" != . ]; then
+        if [ ".$opt_t" = .yes ]; then
+            echo "chgrp $opt_g $dsttmp" 1>&2
+        fi
+        chgrp $opt_g $dsttmp || exit $?
+    fi
+    if [ ".$opt_m" != . ]; then
+        if [ ".$opt_t" = .yes ]; then
+            echo "chmod $opt_m $dsttmp" 1>&2
+        fi
+        chmod $opt_m $dsttmp || exit $?
+    fi
+    
+    #   Determine whether to do a quick install
+    #   (has to be done _after_ the strip was already done)
+    quick=no
+    if [ ".$opt_C" = .yes ]; then
+        if [ -r $dst ]; then
+            if cmp -s $src $dst; then
+                quick=yes
+            fi
+        fi
+    fi
+    
+    #   Finally install the file to the real destination
+    if [ $quick = yes ]; then
+        if [ ".$opt_t" = .yes ]; then
+            echo "rm -f $dsttmp" 1>&2
+        fi
+        rm -f $dsttmp
+    else
+        if [ ".$opt_t" = .yes ]; then
+            echo "rm -f $dst && mv $dsttmp $dst" 1>&2
+        fi
+        rm -f $dst && mv $dsttmp $dst
+    fi
+    ;;
+
+mkdir )
+    ##
+    ##  mkdir -- Make one or more directories
+    ##  Copyright (c) 1996-2000 Ralf S. Engelschall <rse@engelschall.com>
+    ##  Originally written for public domain by Noah Friedman <friedman@prep.ai.mit.edu>
+    ##  Cleaned up and enhanced for shtool
+    ##
+    
+    errstatus=0
+    for p in ${1+"$@"}; do
+        #   if the directory already exists...
+        if [ -d "$p" ]; then
+            if [ ".$opt_f" = .no ] && [ ".$opt_p" = .no ]; then
+                echo "$msgprefix:Error: directory already exists: $p" 1>&2
+                errstatus=1
+                break
+            else
+                continue
+            fi
+        fi
+        #   if the directory has to be created...
+        if [ ".$opt_p" = .no ]; then
+            if [ ".$opt_t" = .yes ]; then
+                echo "mkdir $p" 1>&2
+            fi
+            mkdir $p || errstatus=$?
+        else
+            #   the smart situation
+            set fnord `echo ":$p" |\
+                       sed -e 's/^:\//%/' \
+                           -e 's/^://' \
+                           -e 's/\// /g' \
+                           -e 's/^%/\//'`
+            shift
+            pathcomp=''
+            for d in ${1+"$@"}; do
+                pathcomp="$pathcomp$d"
+                case "$pathcomp" in
+                    -* ) pathcomp="./$pathcomp" ;;
+                esac
+                if [ ! -d "$pathcomp" ]; then
+                    if [ ".$opt_t" = .yes ]; then
+                        echo "mkdir $pathcomp" 1>&2
+                    fi
+                    mkdir $pathcomp || errstatus=$?
+                    if [ ".$opt_m" != . ]; then
+                        if [ ".$opt_t" = .yes ]; then
+                            echo "chmod $opt_m $pathcomp" 1>&2
+                        fi
+                        chmod $opt_m $pathcomp || errstatus=$?
+                    fi
+                fi
+                pathcomp="$pathcomp/"
+            done
+        fi
+    done
+    exit $errstatus
+    ;;
+
+esac
+
+exit 0
+
+##EOF##
diff --git a/aux/broccoli/src/Makefile.am b/aux/broccoli/src/Makefile.am
new file mode 100644
index 0000000000..8044b37a1f
--- /dev/null
+++ b/aux/broccoli/src/Makefile.am
@@ -0,0 +1,91 @@
+## Process this file with automake to produce Makefile.in
+
+# A list of all the files in the current directory which can be regenerated
+MAINTAINERCLEANFILES = Makefile.in Makefile
+
+# A list of everything we build locally, for distcheck.
+DISTCLEANFILES = bro_parser.c bro_parser.h bro_lexer.c
+
+# Always include the lexer and parser source and generated output in
+# the distribution, regardless of whether we have lex and yacc on
+# this system.
+#
+EXTRA_DIST = bro_parser.y bro_lexer.l bro_lexer.c bro_parser.c bro_parser.h
+
+# On Solaris, we need to specifically include networking libraries.
+# On Windows, we need to specifically include winsock. These are
+# handled through the substitution of BRO_LIBADD, which gets defined
+# according to the platform detection mechanism in the configure script.
+#
+# On Windows, we also need extra flags for the linker to build a DLL.
+# The approach taken here is described in more detail in
+# http://sources.redhat.com/autobook/autobook/autobook_253.html#SEC253
+#
+libbroccoli_la_LIBADD = @BRO_LIBADD@
+
+if WINDOWS_HOST
+libbroccoli_la_LDFLAGS = -mwindows -no-undefined -version-info 0:0:0
+else
+libbroccoli_la_LDFLAGS = -version-info 3:0:0
+endif
+
+# Optionally include support files for pcap packets
+#
+if BRO_PCAP_SUPPORT
+PACKET_FILES = bro_packet.c bro_packet.h
+else
+PACKET_FILES =
+endif
+
+# Use the parser source files when we do have lex/yacc, and the generated
+# parser code otherwise. Seeing .y/.l's triggers yacc/lex automatically.
+if HAVE_LEX_AND_YACC
+PARSER_FILES = bro_parser.y bro_lexer.l
+else
+PARSER_FILES = bro_lexer.c bro_parser.c bro_parser.h
+endif
+
+# lex/yacc flags -- those need to be defined regardless of whether
+# we have those tools because of automake bogosity.
+LEX_OUTPUT_ROOT = lex.bro
+AM_LFLAGS  = -Pbro
+AM_YFLAGS  = -d -v -p bro
+
+DEBUGFLAGS = -W -Wall -Wno-unused
+INCLUDES =  $(DEBUGFLAGS) -I$(top_srcdir)/compat
+
+# Make sure the main header file gets installed in the appropriate
+# include directory:
+include_HEADERS = broccoli.h
+
+# Most importantly, make sure we build a library out of all this.
+lib_LTLIBRARIES = libbroccoli.la
+
+# The sources. If we have lex and yacc, the .y and .l files for
+# the parser are included, otherwise the generated .c/.h's.
+libbroccoli_la_SOURCES = $(PARSER_FILES) \
+	$(PACKET_FILES) 		 \
+	broccoli.h			 \
+	bro.c				 \
+	bro_attr.c bro_attr.h		 \
+	bro_attrs.c bro_attrs.h		 \
+	bro_buf.h bro_buf.c 		 \
+	bro_config.h bro_config.c	 \
+	bro_debug.h bro_debug.c		 \
+	bro_event.h bro_event.c 	 \
+	bro_event_reg.h bro_event_reg.c  \
+	bro_hashtable.h bro_hashtable.c  \
+	bro_id.h bro_id.c		 \
+	bro_io.h bro_io.c 		 \
+	bro_list.h bro_list.c		 \
+	bro_location.h bro_location.c	 \
+	bro_object.h bro_object.c        \
+	bro_openssl.h bro_openssl.c	 \
+	bro_record.h bro_record.c	 \
+	bro_sobject.h bro_sobject.c	 \
+	bro_table.h bro_table.c          \
+	bro_type.h bro_type.c		 \
+	bro_type_decl.h bro_type_decl.c  \
+	bro_types.h			 \
+	bro_util.h bro_util.c 		 \
+	bro_val.h bro_val.c
diff --git a/aux/broccoli/src/bro.c b/aux/broccoli/src/bro.c
new file mode 100644
index 0000000000..c7e04d1315
--- /dev/null
+++ b/aux/broccoli/src/bro.c
@@ -0,0 +1,1976 @@
+/*
+       B R O C C O L I  --  The Bro Client Communications Library
+
+Copyright (C) 2004-2008 Christian Kreibich <christian (at) icir.org>
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to
+deal in the Software without restriction, including without limitation the
+rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+sell copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies of the Software and its documentation and acknowledgment shall be
+given in the documentation and software packages that this Software was
+used.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+*/
+#include <stdlib.h>
+#include <stdarg.h>
+#include <stdio.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <sys/time.h>
+#include <time.h>
+#include <signal.h>
+
+#ifdef __MINGW32__
+#include <winsock.h>
+#else
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <string.h>
+#include <unistd.h>
+#include <errno.h>
+#endif
+
+#if HAVE_CONFIG_H
+# include <config.h>
+#endif
+
+#include "broccoli.h"
+#include "bro_debug.h"
+#include "bro_buf.h"
+#include "bro_config.h"
+#include "bro_hashtable.h"
+#include "bro_types.h"
+#include "bro_type.h"
+#include "bro_val.h"
+#include "bro_id.h"
+#include "bro_event.h"
+#include "bro_event_reg.h"
+#include "bro_io.h"
+#include "bro_util.h"
+#include "bro_openssl.h"
+#include "bro_record.h"
+#include "bro_table.h"
+#ifdef BRO_PCAP_SUPPORT
+#include "bro_packet.h"
+#endif
+
+
+/* Don't attempt to reconnect more than once every 5 seconds: */
+#define BRO_RECONNECT_MAX_RATE   5
+
+/* Default maximum cache size. */
+#define BRO_MAX_CACHE_SIZE       1000
+
+/* Macro for putting safety brakes on some functions to ensure the
+ * user is now calling bro_init() first.
+ */
+#define BRO_SAFETY_CHECK init_check(__FUNCTION__);
+
+/* Pointer to BroCtx provided by the user at initialization time. */
+const BroCtx *global_ctx = NULL;
+
+/* To make MinGW happy, we provide an initialization handler for the
+ * DLL if we are building on Windows.
+ */
+#ifdef __MINGW32__
+int main() { return 0; }
+#endif
+
+static int
+conn_init_await(BroConn *bc, int conn_state)
+{
+  /* Wait for a maximum of 10 seconds until the connection
+   * reaches the desired state. We check every 0.2 seconds.
+   */
+  int i = 0, intervals = 10 * 5 + 1;
+
+  D_ENTER;
+
+  if (bc->state->conn_state_self == conn_state)
+    {
+      D(("Self already in requested state.\n"));
+      D_RETURN_(TRUE);
+    }
+
+  /* Set our own connection state to the requested one.
+   */
+  bc->state->conn_state_self = conn_state;
+
+  /* Wait for a while, processing the peer's input,
+   * and return as soon as we reach the desired state.
+   */
+  while (i++ < intervals)
+    {
+      struct timeval timeout;
+      timeout.tv_sec  = 0;
+      timeout.tv_usec = 200000;
+
+      if (bc->state->conn_state_peer >= conn_state)
+	D_RETURN_(TRUE);
+      
+      if (select(0, NULL, NULL, NULL, &timeout) < 0)
+	{
+	  D(("select() caused '%s'\n", strerror(errno)));
+	  D_RETURN_(FALSE);
+	}
+      
+      __bro_io_process_input(bc);      
+    }
+  
+  D_RETURN_(FALSE);
+}
+  
+static int
+conn_init_setup(BroConn *bc)
+{
+  BroBuf buf;
+  uint32 descriptor[4];
+  int result;
+
+  D_ENTER;
+   
+  descriptor[0] = htonl((uint32) BRO_PROTOCOL_VERSION);
+  descriptor[1] = htonl((uint32) BRO_MAX_CACHE_SIZE);
+  descriptor[2] = htonl((uint32) BRO_DATA_FORMAT_VERSION);
+  descriptor[3] = 0; /* Relative uptime of the process */
+
+  __bro_buf_init(&buf);
+  __bro_buf_append(&buf, descriptor, 4 * sizeof(uint32));
+
+  if (bc->class)
+    __bro_buf_append(&buf, bc->class, strlen(bc->class) + 1);
+
+  if (! __bro_io_raw_queue(bc, BRO_MSG_VERSION,
+			   __bro_buf_get(&buf),
+			   __bro_buf_get_used_size(&buf)))
+    {
+      D(("Setup data not sent to %p\n", bc));
+      __bro_buf_cleanup(&buf);
+      D_RETURN_(FALSE);
+    }
+
+  __bro_buf_cleanup(&buf);
+
+  /* This phase does NOT send PHASE_END ... */
+  
+  D(("Phase done to peer on %p, self now in HANDSHAKE stage.\n", bc));
+  result = conn_init_await(bc, BRO_CONNSTATE_HANDSHAKE);  
+  D_RETURN_(result);
+}
+
+static int
+conn_init_handshake(BroConn *bc)
+{
+  uint32 caps[3];
+  int result;
+
+  D_ENTER;
+
+  /* --- Request events, if any -------------------------------------- */
+  if (bc->ev_reg->num_handlers > 0)
+    __bro_event_reg_request(bc);
+
+  /* --- Capabilities ------------------------------------------------ */
+
+  /* We never compress at the moment. */
+
+  /* Unless user requested caching, tell peer we do not cache. Note
+   * that at the moment we never cache data we send, so this only
+   * affects received data.
+   */
+  caps[0] = 0;
+  caps[1] = 0;
+  caps[2] = 0;
+
+  caps[0] |= (bc->conn_flags & BRO_CFLAG_CACHE) ? 0 : BRO_CAP_DONTCACHE;
+
+  caps[0] = htonl(caps[0]);
+  caps[1] = htonl(caps[1]);
+  caps[2] = htonl(caps[2]);
+
+  if (! __bro_io_raw_queue(bc, BRO_MSG_CAPS,
+			   (uchar*) caps, 3 * sizeof(uint32)))
+    {
+      D(("Handshake data not sent to %p\n", bc));
+      D_RETURN_(FALSE);
+    }
+
+  /* --- End of phase ------------------------------------------------ */
+  
+  if (! __bro_io_raw_queue(bc, BRO_MSG_PHASE_DONE, NULL, 0))
+    {
+      D(("End-of-Handshake not sent to %p\n", bc));
+      D_RETURN_(FALSE);
+    }
+  
+  if (bc->state->sync_state_requested)
+    {
+      D(("Phase done to peer on %p, sync requested, self now in SYNC stage.\n", bc));
+      result = conn_init_await(bc, BRO_CONNSTATE_SYNC);  
+    }
+  else
+    {
+      D(("Phase done to peer on %p, no sync requested, self now in RUNNING stage.\n", bc));
+      result = conn_init_await(bc, BRO_CONNSTATE_RUNNING);  
+    }
+
+  D_RETURN_(result);
+}
+
+static int
+conn_init_sync(BroConn *bc)
+{
+  int result = TRUE;
+
+  D_ENTER;
+
+  /* If the peer requested synced state, we just send another phase done.
+   * Otherwise we don't do anything and immediately move to the "running"
+   * state.
+   */
+  if (bc->state->sync_state_requested)
+    {
+      if (! __bro_io_raw_queue(bc, BRO_MSG_PHASE_DONE, NULL, 0))
+	{
+	  D(("End-of-Sync not sent to %p\n", bc));
+	  D_RETURN_(FALSE);
+	}
+
+      D(("Phase done to peer on %p\n", bc));
+    }
+  
+  D(("Self now in RUNNING stage.\n"));
+  result = conn_init_await(bc, BRO_CONNSTATE_RUNNING);
+  
+  D_RETURN_(result);
+}
+
+/* This function walks lock-step with the peer through
+ * the entire handshake procedure.
+ */
+static int
+conn_init_configure(BroConn *bc)
+{
+  if (! conn_init_setup(bc))
+    return FALSE;
+  if (! conn_init_handshake(bc))
+    return FALSE;
+  if (! conn_init_sync(bc))
+    return FALSE;
+  
+  return TRUE;
+}
+
+static int
+conn_init(BroConn *bc)
+{
+  D_ENTER;
+
+  if (! (bc->rx_buf = __bro_buf_new()))
+    goto error_exit;
+  if (! (bc->tx_buf = __bro_buf_new()))
+    goto error_exit;
+
+  if (! (bc->state = calloc(1, sizeof(BroConnState))))
+    goto error_exit;
+  
+  bc->state->conn_state_self = BRO_CONNSTATE_SETUP;
+  bc->state->conn_state_peer = BRO_CONNSTATE_SETUP;
+
+  if (! __bro_openssl_connect(bc))
+    goto error_exit;
+
+  D_RETURN_(TRUE);
+  
+ error_exit:
+  __bro_buf_free(bc->rx_buf);
+  __bro_buf_free(bc->tx_buf);
+  bc->rx_buf = NULL;
+  bc->tx_buf = NULL;
+
+  D_RETURN_(FALSE);
+}
+
+static void
+conn_free(BroConn *bc)
+{
+  D_ENTER;
+
+  __bro_openssl_shutdown(bc);
+
+  if (bc->state)
+    free(bc->state);
+
+  __bro_buf_free(bc->rx_buf);
+  __bro_buf_free(bc->tx_buf);
+  bc->rx_buf = NULL;
+  bc->tx_buf = NULL;
+
+  D_RETURN;
+}
+
+static void
+init_check(const char *func)
+{
+  if (global_ctx == NULL) {
+    fprintf(stderr,
+	    "*** Broccoli error: %s called without prior initialization.\n"
+	    "*** Initialization of the Broccoli library is now required.\n"
+	    "*** See documentation for details. Aborting.\n",
+	    func);
+    exit(-1);
+  }
+}
+
+int
+bro_init(const BroCtx* ctx)
+{
+  if (global_ctx != NULL)
+    return TRUE;
+
+  if (ctx == NULL) {
+    ctx = calloc(1, sizeof(BroCtx));
+    bro_ctx_init((BroCtx*) ctx);
+  }
+
+  global_ctx = ctx;
+  __bro_conf_init();
+  if (! __bro_openssl_init())
+    return FALSE;
+
+  return TRUE;
+}
+
+void
+bro_ctx_init(BroCtx *ctx)
+{
+  memset(ctx, 0, sizeof(BroCtx));
+}
+
+BroConn *
+bro_conn_new_str(const char *hostname, int flags)
+{
+  BroConn *bc;
+  static int counter = 0;
+  
+  BRO_SAFETY_CHECK;
+
+  D_ENTER;
+  
+  if (! hostname || !*hostname)
+    D_RETURN_(NULL);
+  
+  if (! (bc = (BroConn *) calloc(1, sizeof(BroConn))))
+    D_RETURN_(NULL);
+  
+  D(("Connecting to host %s\n", hostname));
+
+  bc->conn_flags = flags;
+  bc->id_pid = getpid();
+  bc->id_num = counter++;
+  bc->peer = strdup(hostname);
+  bc->io_cache_maxsize = BRO_MAX_CACHE_SIZE;
+  bc->socket = -1;
+
+  TAILQ_INIT(&bc->msg_queue);
+  bc->msg_queue_len = 0;
+
+  if (! (bc->ev_reg = __bro_event_reg_new()))
+    goto error_exit;
+
+  if (! (bc->io_cache = __bro_ht_new(__bro_ht_int_hash,
+				     __bro_ht_int_cmp,
+				     NULL,
+				     (BroHTFreeFunc) __bro_sobject_release,
+				     TRUE)))
+    goto error_exit;
+  
+  if (! (bc->data = __bro_ht_new(__bro_ht_str_hash,
+				 __bro_ht_str_cmp,
+				 __bro_ht_mem_free,
+				 NULL, FALSE)))
+    goto error_exit;
+  
+  if (! (bc->ev_mask = __bro_ht_new(__bro_ht_str_hash,
+				    __bro_ht_str_cmp,
+				    __bro_ht_mem_free,
+				    NULL, FALSE)))
+    goto error_exit;  
+  
+  D_RETURN_(bc);
+
+ error_exit:
+  __bro_event_reg_free(bc->ev_reg);
+  __bro_ht_free(bc->ev_mask);
+  __bro_ht_free(bc->io_cache);
+  __bro_ht_free(bc->data);
+  
+  if (bc->peer)
+    free(bc->peer);
+  
+  free(bc);
+  D_RETURN_(NULL);
+}
+
+
+BroConn *
+bro_conn_new(struct in_addr *ip_addr, uint16 port, int flags)
+{
+  BroConn *bc;
+  char hostname[1024];
+
+  BRO_SAFETY_CHECK;
+
+  D_ENTER;
+  __bro_util_snprintf(hostname, 1024, "%s:%hu", inet_ntoa(*ip_addr), ntohs(port));
+  bc = bro_conn_new_str(hostname, flags);
+  D_RETURN_(bc);
+}
+
+BroConn *
+bro_conn_new_socket(int fd, int flags)
+{
+  BroConn *bc;
+
+  BRO_SAFETY_CHECK;
+
+  D_ENTER;
+
+  if ( fd < 0 )
+    D_RETURN_(NULL);
+
+  bc = bro_conn_new_str("<fd>", flags);
+  if (! bc)
+    D_RETURN_(NULL);
+
+  bc->socket = fd;
+  D_RETURN_(bc);
+}
+
+void
+bro_conn_set_class(BroConn *bc, const char *class)
+{
+  if (! bc)
+    return;
+
+  if (bc->class)
+    free(bc->class);
+
+  bc->class = strdup(class);
+}
+
+const char *
+bro_conn_get_peer_class(const BroConn *bc)
+{
+  if (! bc)
+    return NULL;
+
+  return bc->peer_class;
+}
+
+void
+bro_conn_get_connstats(const BroConn *bc, BroConnStats *cs)
+{
+  if (! bc || ! cs)
+    return;
+
+  memset(cs, 0, sizeof(BroConnStats));
+  cs->tx_buflen =  __bro_buf_get_used_size(bc->tx_buf);
+  cs->rx_buflen =  __bro_buf_get_used_size(bc->rx_buf);
+}
+
+int
+bro_conn_connect(BroConn *bc)
+{
+  D_ENTER;
+
+  if (! bc)
+    D_RETURN_(FALSE);
+
+  if ( (bc->conn_flags & BRO_CFLAG_SHAREABLE))
+    fprintf(stderr, "WARNING: BRO_CFLAG_SHAREABLE is no longer supported.\n");
+
+  if (! conn_init(bc))
+    D_RETURN_(FALSE);
+  
+  /* Handshake procedure. */
+  if (! conn_init_configure(bc))
+    D_RETURN_(FALSE);
+
+  D_RETURN_(TRUE);
+}
+
+
+int
+bro_conn_reconnect(BroConn *bc)
+{
+  BroMsg *msg, *msg_first, **msg_last;
+  int msg_queue_len;
+  time_t current_time;
+
+  D_ENTER;
+
+  if (! bc)
+    D_RETURN_(FALSE);
+
+  if (bc->state->in_reconnect)
+    D_RETURN_(FALSE);
+  
+  if ( (current_time = time(NULL)) > 0)
+    {
+      if (current_time - bc->state->last_reconnect < BRO_RECONNECT_MAX_RATE)
+	{
+	  D(("Less than %i seconds since last reconnect attempt, not reconnecting.\n",
+	     BRO_RECONNECT_MAX_RATE));
+	  D_RETURN_(FALSE);
+	}
+
+      bc->state->last_reconnect = current_time;
+    }
+  
+  D(("Attempting reconnection...\n"));
+  bc->state->in_reconnect = TRUE;
+  
+  /* NOTE: the sequencing in this function is quite tricky and very picky.
+   * Don't move things around unneccesarily ...
+   */
+  bc->state->tx_dead = bc->state->rx_dead = FALSE;
+  
+  /* Clean up the old connection state: */
+  bc->state->conn_state_self = BRO_CONNSTATE_SETUP;
+  bc->state->conn_state_peer = BRO_CONNSTATE_SETUP;
+  bc->state->sync_state_requested = FALSE;
+  
+  if (bc->bio)
+    {
+      BIO_free_all(bc->bio);
+      bc->bio = NULL;
+    }
+
+  /* Attempt to establish new connection */
+  if (! __bro_openssl_reconnect(bc))
+    goto error_return;
+
+  __bro_buf_reset(bc->rx_buf);
+  __bro_buf_reset(bc->tx_buf);
+
+  /* Only *after* we managed to connect, we clear the event mask for events
+   * the peer expects, etc. If we do this earlier and fail to connect, then future
+   * sent events never trigger a reconnect because they're never sent since
+   * they don't seem to be requested.
+   */
+
+  /* Temporarily unhook messages from the message queue so the new messages
+   * get sent right away. We hook the old ones back in below.
+   */
+  msg_first = bc->msg_queue.tqh_first;
+  msg_last  = bc->msg_queue.tqh_last;
+  msg_queue_len = bc->msg_queue_len;
+  bc->msg_queue_len = 0;
+  TAILQ_INIT(&bc->msg_queue);
+
+  __bro_ht_free(bc->ev_mask);
+
+  if (! (bc->ev_mask = __bro_ht_new(__bro_ht_str_hash,
+				    __bro_ht_str_cmp,
+				    __bro_ht_mem_free,
+				    NULL, FALSE)))				    
+    goto reset_error_return;
+
+  __bro_ht_free(bc->io_cache);
+  
+  if (! (bc->io_cache = __bro_ht_new(__bro_ht_int_hash,
+				     __bro_ht_int_cmp,
+				     NULL,
+				     (BroHTFreeFunc) __bro_sobject_release,
+				     TRUE)))
+    goto reset_error_return;
+
+  if (! conn_init_configure(bc))
+    goto reset_error_return;
+
+  /* Hook old events back in */
+  if (bc->msg_queue_len == 0)
+    bc->msg_queue.tqh_first = msg_first;
+  else
+    {
+      msg_first->msg_queue.tqe_prev = bc->msg_queue.tqh_last;
+      *bc->msg_queue.tqh_last = msg_first;
+    }
+
+  bc->msg_queue.tqh_last = msg_last;
+  bc->msg_queue_len += msg_queue_len;
+
+  D(("Reconnect completed successfully.\n"));
+  bc->state->in_reconnect = FALSE;
+  
+  D_RETURN_(TRUE);
+
+ reset_error_return:
+
+  /* If the reconnect went wrong somehow, nuke the queue and
+   * place old queue contents back in.
+   */
+  while ( (msg = bc->msg_queue.tqh_first))
+    {
+      TAILQ_REMOVE(&bc->msg_queue, msg, msg_queue);
+      __bro_io_msg_free(msg);
+    }
+  
+  bc->msg_queue.tqh_first = msg_first;
+  bc->msg_queue.tqh_last = msg_last;
+  bc->msg_queue_len = msg_queue_len;
+  
+ error_return:
+  bc->state->tx_dead = bc->state->rx_dead = TRUE;
+  bc->state->in_reconnect = FALSE;
+
+  D_RETURN_(FALSE);
+}
+
+
+int 
+bro_conn_delete(BroConn *bc)
+{
+  BroMsg *msg;
+
+  D_ENTER;
+
+  if (!bc || !bc->state)
+    D_RETURN_(FALSE);
+
+  if (! bc->state->tx_dead)
+    {
+      /* Try to flush command queue */
+      __bro_io_msg_queue_flush(bc);
+    }
+
+  while ( (msg = bc->msg_queue.tqh_first))
+    {
+      TAILQ_REMOVE(&bc->msg_queue, msg, msg_queue);
+      __bro_io_msg_free(msg);
+    }
+
+  __bro_ht_free(bc->ev_mask);
+  __bro_event_reg_free(bc->ev_reg);
+  __bro_ht_free(bc->io_cache);
+  __bro_ht_free(bc->data);
+
+  conn_free(bc);
+
+  if (bc->class)
+    free(bc->class);
+  if (bc->peer_class)
+    free(bc->peer_class);
+
+  if (bc->peer)
+    free(bc->peer);
+
+  free(bc);
+  D_RETURN_(TRUE);
+}
+
+
+int
+bro_conn_alive(const BroConn *bc)
+{
+  if (!bc || !bc->state)
+    return FALSE;
+
+  return (! bc->state->tx_dead && ! bc->state->rx_dead);
+}
+
+
+static int
+conn_adopt_events_cb(char *ev_name, void *data, BroHT *dst)
+{
+  char *key;
+
+  /* If the event is already reported, ignore. */
+  if (__bro_ht_get(dst, ev_name))
+    return TRUE;
+  
+  D(("Adopting event %s\n", ev_name));
+  key = strdup(ev_name);
+  __bro_ht_add(dst, key, key);
+  
+  return TRUE;
+  data = NULL;
+}
+
+void
+bro_conn_adopt_events(BroConn *src, BroConn *dst)
+{
+  D_ENTER;
+
+  if (!src || !dst)
+    D_RETURN;
+
+  __bro_ht_foreach(src->ev_mask, (BroHTCallback) conn_adopt_events_cb, dst->ev_mask);
+
+  D_RETURN;
+}
+
+
+int
+bro_conn_get_fd(BroConn *bc)
+{
+  int fd;
+
+  if (! bc || !bc->state || bc->state->tx_dead || bc->state->rx_dead || !bc->bio)
+    return -1;
+  
+#ifdef __MINGW32__
+  return 0;
+#else
+  BIO_get_fd(bc->bio, &fd);
+  return fd;
+#endif
+}
+
+
+int
+bro_conn_process_input(BroConn *bc)
+{
+  if (! bc || !bc->state || bc->state->rx_dead)
+    return FALSE;
+
+  return __bro_io_process_input(bc);
+}
+
+
+int
+bro_event_queue_length(BroConn *bc)
+{
+  if (! bc)
+    return 0;
+
+  return bc->msg_queue_len;
+}
+
+
+int
+bro_event_queue_length_max(BroConn *bc)
+{
+  return BRO_MSG_QUEUELEN_MAX;
+  bc = NULL;
+}
+
+
+int            
+bro_event_queue_flush(BroConn *bc)
+{
+  return __bro_io_msg_queue_flush(bc);
+}
+
+
+int
+bro_event_send(BroConn *bc, BroEvent *ev)
+{
+  int result;
+
+  D_ENTER;
+
+  if (! bc || !ev)
+    {
+      D(("Input error\n"));
+      D_RETURN_(FALSE);
+    }
+
+  D(("Sending event with %i args\n", __bro_list_length(ev->val_list)));
+  result = __bro_io_event_queue(bc, ev);
+  D_RETURN_(result);
+}
+
+
+int
+bro_event_send_raw(BroConn *bc, const uchar *data, int data_len)
+{
+  BroBuf *buf = NULL;
+
+  D_ENTER;
+
+  if (! bc || !data)
+    {
+      D(("Input error\n"));
+      D_RETURN_(FALSE);
+    }
+
+  if (data_len == 0)
+    {
+      D(("Nothing to send\n"));
+      D_RETURN_(TRUE);
+    }
+
+  if (! (buf = __bro_buf_new()))
+    {
+      D(("Out of memory\n"));
+      D_RETURN_(FALSE);
+    }
+      
+  __bro_buf_write_char(buf, 'e');
+  __bro_buf_write_data(buf, data, data_len);
+
+  __bro_io_rawbuf_queue(bc, BRO_MSG_SERIAL, buf);
+  __bro_io_msg_queue_flush(bc);
+
+  D_RETURN_(TRUE);
+}
+
+
+void
+bro_conn_data_set(BroConn *bc, const char *key, void *val)
+{
+  if (!bc || !key || !*key)
+    return;
+
+  __bro_ht_add(bc->data, strdup(key), val);
+}
+
+
+void *
+bro_conn_data_get(BroConn *bc, const char *key)
+{
+  if (!bc || !key || !*key)
+    return NULL;
+
+  return __bro_ht_get(bc->data, (void *) key);
+}
+
+
+void *
+bro_conn_data_del(BroConn *bc, const char *key)
+{
+  if (!bc || !key || !*key)
+    return NULL;
+  
+  return __bro_ht_del(bc->data, (void *) key);
+}
+
+
+/* ----------------------------- Bro Events -------------------------- */
+
+BroEvent *
+bro_event_new(const char *event_name)
+{
+  BroString name;
+  BroEvent *result;
+
+  bro_string_set(&name, event_name);
+  result = __bro_event_new(&name);
+  bro_string_cleanup(&name);
+
+  return result;
+}
+
+
+void
+bro_event_free(BroEvent *be)
+{
+  __bro_event_free(be);
+}
+
+
+int
+bro_event_add_val(BroEvent *be, int type, const char *type_name, const void *val)
+{
+  BroVal *v;
+
+  D_ENTER;
+
+  if (! be || ! val || type < 0 || type >= BRO_TYPE_MAX)
+    {
+      D(("Invalid input: (%p, %i, %p)\n", be, type, val));
+      D_RETURN_(FALSE);
+    }
+  
+  if (! (v = __bro_val_new_of_type(type, type_name)))
+    D_RETURN_(FALSE);
+
+  if (! __bro_val_assign(v, val))
+    {
+      __bro_sobject_release((BroSObject *) v);
+      D_RETURN_(FALSE);
+    }
+
+  __bro_event_add_val(be, v);
+
+  D_RETURN_(TRUE);
+}
+
+
+int
+bro_event_set_val(BroEvent *be, int val_num,
+		  int type, const char *type_name,
+		  const void *val)
+{
+  BroVal *v;
+  int result;
+
+  D_ENTER;
+
+  if (! be || ! val || type < 0 || type >= BRO_TYPE_MAX)
+    {
+      D(("Invalid input: (%p, %i, %p)\n", be, type, val));
+      D_RETURN_(FALSE);
+    }
+
+  if (! (v = __bro_val_new_of_type(type, type_name)))
+    D_RETURN_(FALSE);
+
+  if (! __bro_val_assign(v, val))
+    {
+      __bro_sobject_release((BroSObject *) v);
+      D_RETURN_(FALSE);
+    }
+  
+  result = __bro_event_set_val(be, val_num, v);
+  D_RETURN_(result);
+}
+
+
+void
+bro_event_registry_add(BroConn *bc,
+		       const char *event_name,
+		       BroEventFunc func,
+		       void *user_data)		       
+{
+  __bro_event_reg_add(bc, event_name, func, user_data);
+}
+
+
+void
+bro_event_registry_add_compact(BroConn *bc,
+			       const char *event_name,
+			       BroCompactEventFunc func,
+			       void *user_data)		       
+{
+  __bro_event_reg_add_compact(bc, event_name, func, user_data);
+}
+
+
+void
+bro_event_registry_remove(BroConn *bc, const char *event_name)
+{
+  __bro_event_reg_remove(bc, event_name);
+}
+
+
+void
+bro_event_registry_request(BroConn *bc)
+{
+  D_ENTER;
+  
+  if (!bc || !bc->state)
+    D_RETURN;
+
+  /* A connection that isn't up and running yet cannot request
+   * events. The handshake phase will request any registered
+   * events automatically.
+   */
+  if (bc->state->conn_state_self != BRO_CONNSTATE_RUNNING)
+    D_RETURN;
+  
+  __bro_event_reg_request(bc);
+  
+  D_RETURN;
+}
+
+
+
+/* ------------------------ Dynamic-size Buffers --------------------- */
+
+BroBuf *
+bro_buf_new(void)
+{
+  BroBuf *buf;
+
+  if (! (buf = calloc(1, sizeof(BroBuf))))
+    return NULL;
+
+  __bro_buf_init(buf);
+  return buf;
+}
+
+
+void
+bro_buf_free(BroBuf *buf)
+{
+  if (!buf)
+    return;
+
+  __bro_buf_cleanup(buf);
+  free(buf);
+}
+
+
+int
+bro_buf_append(BroBuf *buf, void *data, int data_len)
+{
+  return __bro_buf_append(buf, data, data_len);
+}
+
+
+void
+bro_buf_consume(BroBuf *buf)
+{
+  __bro_buf_consume(buf);
+}
+
+
+void
+bro_buf_reset(BroBuf *buf)
+{
+  __bro_buf_reset(buf);
+}
+
+
+uchar *
+bro_buf_get(BroBuf *buf)
+{
+  return __bro_buf_get(buf);
+}
+
+
+uchar *
+bro_buf_get_end(BroBuf *buf)
+{
+  return __bro_buf_get_end(buf);
+}
+
+
+uint
+bro_buf_get_size(BroBuf *buf)
+{
+  return __bro_buf_get_size(buf);
+}
+
+
+uint
+bro_buf_get_used_size(BroBuf *buf)
+{
+  return __bro_buf_get_used_size(buf);
+}
+
+
+uchar *
+bro_buf_ptr_get(BroBuf *buf)
+{
+  return __bro_buf_ptr_get(buf);
+}
+
+
+uint32
+bro_buf_ptr_tell(BroBuf *buf)
+{
+  return __bro_buf_ptr_tell(buf);
+}
+
+
+int
+bro_buf_ptr_seek(BroBuf *buf, int offset, int whence)
+{
+  return __bro_buf_ptr_seek(buf, offset, whence);
+}
+
+
+int
+bro_buf_ptr_check(BroBuf *buf, int size)
+{
+  return __bro_buf_ptr_check(buf, size);
+}
+
+
+int
+bro_buf_ptr_read(BroBuf *buf, void *data, int size)
+{
+  return __bro_buf_ptr_read(buf, data, size);
+}
+
+
+int
+bro_buf_ptr_write(BroBuf *buf, void *data, int size)
+{
+  return __bro_buf_ptr_write(buf, data, size);
+}
+
+
+
+/* ------------------------ Configuration Access --------------------- */
+
+void
+bro_conf_set_domain(const char *domain)
+{
+  BRO_SAFETY_CHECK;
+  __bro_conf_set_domain(domain);
+}
+
+
+int
+bro_conf_get_int(const char *val_name, int *val)
+{
+  BRO_SAFETY_CHECK;
+
+  if (! val_name || ! val)
+    return FALSE;
+
+  return __bro_conf_get_int(val_name, val);
+}
+
+
+int
+bro_conf_get_dbl(const char *val_name, double *val)
+{
+  BRO_SAFETY_CHECK;
+
+  if (! val_name || ! val)
+    return FALSE;
+
+  return __bro_conf_get_dbl(val_name, val);
+}
+
+
+const char *
+bro_conf_get_str(const char *val_name)
+{
+  BRO_SAFETY_CHECK;
+
+  if (! val_name)
+    return FALSE;
+  
+  return __bro_conf_get_str(val_name);
+}
+
+
+/* -------------------------- Record Handling ------------------------ */
+
+BroRecord *
+bro_record_new(void)
+{
+  return __bro_record_new();
+}
+
+
+void
+bro_record_free(BroRecord *rec)
+{
+  __bro_record_free(rec);
+}
+
+int
+bro_record_get_length(BroRecord *rec)
+{
+  return __bro_record_get_length(rec);
+}
+
+int
+bro_record_add_val(BroRecord *rec, const char *name,
+		   int type, const char *type_name, const void *val)
+{
+  BroVal *v;
+
+  D_ENTER;
+
+  if (! rec)
+    {
+      D(("Input error: (%p, %s, %i, %p)\n", rec, name, type, val));
+      D_RETURN_(FALSE);
+    }
+  
+  if (! (v = __bro_val_new_of_type(type, type_name)))
+    {
+      D(("Could not get val of type %i\n", type));
+      D_RETURN_(FALSE);
+    }
+  
+  if (! name)
+    name = "";
+
+  __bro_sobject_data_set((BroSObject *) v, "field", strdup(name));
+
+  if (! __bro_val_assign(v, val))
+    {
+      D(("Could not assign value to the new val.\n"));
+      __bro_sobject_release((BroSObject *) v);
+      D_RETURN_(FALSE);
+    }
+
+  __bro_record_add_val(rec, v);
+  D_RETURN_(TRUE);
+}
+
+
+const char* 
+bro_record_get_nth_name(BroRecord *rec, int num)
+{
+  const char *name;
+ 
+  if ( (name = __bro_record_get_nth_name(rec, num)))
+    return name;
+
+  return NULL;
+}
+ 
+
+void *
+bro_record_get_nth_val(BroRecord *rec, int num, int *type)
+{
+  BroVal *val;
+  int type_found;
+  void *result = NULL;
+
+  if (type && (*type < BRO_TYPE_UNKNOWN || *type >= BRO_TYPE_MAX))
+    {
+      D(("Invalid value for type pointer (%i)\n", *type));
+      return NULL;
+    }
+
+  if (! (val = __bro_record_get_nth_val(rec, num)))
+    return NULL;
+
+  /* Now transform the val into a form expected in *result,
+   * based on the type given in the val.
+   */
+  if (! __bro_val_get_data(val, &type_found, &result))
+    return NULL;
+  
+  if (type)
+    {
+      if (*type != BRO_TYPE_UNKNOWN && type_found != *type)
+	{
+	  D(("Type mismatch: expected type tag %i, found type tag %i\n", *type, type_found));
+	  result = NULL;
+	}
+      
+      *type = type_found;
+    }
+  
+  return result;
+}
+
+
+void *
+bro_record_get_named_val(BroRecord *rec, const char *name, int *type)
+{
+  BroVal *val;
+  int type_found;
+  void *result = NULL;
+ 
+  if (type && (*type < BRO_TYPE_UNKNOWN || *type >= BRO_TYPE_MAX))
+    {
+      D(("Invalid value for type pointer (%i)\n", *type));
+      return NULL;
+    }
+ 
+  if (! (val = __bro_record_get_named_val(rec, name)))
+    return NULL;
+
+  /* Now transform the val into a form expected in *result,
+   * based on the type given in the val.
+   */
+  if (! __bro_val_get_data(val, &type_found, &result))
+    return NULL;
+  
+  if (type)
+    {
+      if (*type != BRO_TYPE_UNKNOWN && type_found != *type)
+	{
+	  D(("Type mismatch: expected type tag %i for field '%s', found tag %i\n",
+	     *type, name, type_found));
+	  result = NULL;
+	}
+
+      *type = type_found;
+    }
+  
+  return result;
+}
+
+
+int
+bro_record_set_nth_val(BroRecord *rec, int num,
+		       int type, const char *type_name, const void *val)
+{
+  BroVal *v;
+  char *name;
+
+  D_ENTER;
+
+  if (! rec || num < 0 || num >= rec->val_len ||
+      type < 0 || type >= BRO_TYPE_MAX || ! val)
+    {
+      D(("Input error: (%p, %i, %i, %p)\n", rec, num, type, val));
+      D_RETURN_(FALSE);
+    }
+  
+  if (! (v = __bro_record_get_nth_val(rec, num)))
+    D_RETURN_(FALSE);
+
+  if (! (name = __bro_sobject_data_get((BroSObject *) v, "field")))
+    D_RETURN_(FALSE);
+  
+  if (! (v = __bro_val_new_of_type(type, type_name)))
+    {
+      D(("Could not get val of type %i\n", type));
+      D_RETURN_(FALSE);
+    }
+  
+  __bro_sobject_data_set((BroSObject *) v, "field", strdup(name));
+
+  if (! __bro_val_assign(v, val))
+    {
+      D(("Could not assign value to the new val.\n"));
+      __bro_sobject_release((BroSObject *) v);
+      D_RETURN_(FALSE);
+    }
+
+  __bro_record_set_nth_val(rec, num, v);
+  D_RETURN_(TRUE);
+}
+
+
+int
+bro_record_set_named_val(BroRecord *rec, const char *name,
+			 int type, const char *type_name, const void *val)
+{
+  BroVal *v;
+
+  D_ENTER;
+
+  if (! rec || ! name || !*name ||
+      type < 0 || type >= BRO_TYPE_MAX || ! val)
+    {
+      D(("Input error: (%p, %s, %i, %p)\n", rec, name, type, val));
+      D_RETURN_(FALSE);
+    }
+  
+  if (! (v = __bro_val_new_of_type(type, type_name)))
+    {
+      D(("Could not get val of type %i\n", type));
+      D_RETURN_(FALSE);
+    }
+    
+  if (! __bro_val_assign(v, val))
+    {
+      D(("Could not assign value to the new val.\n"));
+      __bro_sobject_release((BroSObject *) v);
+      D_RETURN_(FALSE);
+    }
+  
+  __bro_record_set_named_val(rec, name, v);
+  D_RETURN_(TRUE);
+}
+
+
+/* -------------------------- Tables & Sets -------------------------- */
+
+BroTable *
+bro_table_new(void)
+{
+  BroTable *tbl;
+
+  D_ENTER;
+  tbl = __bro_table_new();
+  D_RETURN_(tbl);
+}
+
+
+void
+bro_table_free(BroTable *tbl)
+{
+  D_ENTER;
+  __bro_table_free(tbl);
+  D_RETURN;
+}
+
+
+int
+bro_table_insert(BroTable *tbl,
+		 int key_type, const void *key,
+		 int val_type, const void *val)
+{
+  BroVal *vv = NULL;
+  BroListVal *lv;
+
+  D_ENTER;
+
+  if (! tbl || !key || !val)
+    D_RETURN_(FALSE);
+
+  if (tbl->tbl_key_type != BRO_TYPE_UNKNOWN &&
+      tbl->tbl_key_type != key_type)
+    {
+      D(("Type mismatch when inserting key of type %d, expecting %d\n",
+	 key_type, tbl->tbl_key_type));
+      D_RETURN_(FALSE);
+    }
+
+  tbl->tbl_key_type = key_type;
+
+  if (tbl->tbl_val_type != BRO_TYPE_UNKNOWN &&
+      tbl->tbl_val_type != val_type)
+    {
+      D(("Type mismatch when inserting val of type %d, expecting %d\n",
+	 val_type, tbl->tbl_val_type));
+      D_RETURN_(FALSE);
+    }
+
+  tbl->tbl_val_type = val_type;
+
+  /* Now need to creat BroVals out of the raw data provided.
+   * If the key_type is BRO_TYPE_LIST, it means the argument
+   * is expected to be a BroRecord and its elements will be
+   * used as elements of a list of values, as used internally
+   * by Bro. For all other BRO_TYPE_xxx values, the type is
+   * used in the obvious way.
+   */
+  lv = __bro_list_val_new();
+  
+  if (key_type == BRO_TYPE_LIST)
+    {
+      /* We need to unroll the record elements and put them
+       * all in the list val.
+       */
+      
+      BroRecord *rec = (BroRecord*) key;
+      int i;
+
+      for (i = 0; i < __bro_record_get_length(rec); i++)
+	{
+	  /* We can here leverage the fact that internally, all
+	   * elements of a BroRec are BroVals.
+	   */
+	  BroVal *v = __bro_record_get_nth_val(rec, i);
+	  BroVal *v_copy = (BroVal*) __bro_sobject_copy((BroSObject*) v);
+	  __bro_list_val_append(lv, v_copy); 
+	}
+    }
+  else
+    {
+      BroVal *kv;
+
+      /* In this case we actually need to create a BroVal from
+       * the user's raw data first.
+       */
+      if (! (kv = __bro_val_new_of_type(key_type, NULL)))
+	{
+	  D(("Could not create val of type %d\n", key_type));
+	  D_RETURN_(FALSE);
+	}
+      
+      __bro_val_assign(kv, key);
+      __bro_list_val_append(lv, kv);
+    }  
+  
+  if (val)
+    {
+      if (! (vv = __bro_val_new_of_type(val_type, NULL)))
+	{
+	  D(("Could not crate val of type %d\n", val_type));
+	  D_RETURN_(FALSE);
+	}
+      
+      __bro_val_assign(vv, val);
+    }
+
+  __bro_table_insert(tbl, (BroVal*) lv, vv);  
+  
+  D_RETURN_(TRUE);
+}
+
+
+void *
+bro_table_find(BroTable *tbl, const void *key)
+{
+  BroListVal *lv;
+  BroVal *val, *result_val;
+  void *result = NULL;
+  BroRecord *rec = NULL;
+
+  D_ENTER;
+
+  lv = __bro_list_val_new();
+
+  if (tbl->tbl_key_type == BRO_TYPE_LIST)
+    {
+      /* Need to interpret the given key as a record and hook its
+       * elements into the list. Below we unhook the list from the
+       * ListVal before releasing it.
+       */
+      rec = (BroRecord *) key;
+      lv->list = rec->val_list;
+      lv->len = rec->val_len;
+    }
+  else
+    {
+      if (! (val = __bro_val_new_of_type(tbl->tbl_key_type, NULL)))
+	{
+	  D(("Could not create val of type %d.\n", tbl->tbl_key_type));
+	  D_RETURN_(NULL);
+	}
+      
+      __bro_val_assign(val, key);
+      __bro_list_val_append(lv, val);
+    }
+  
+  if ( (result_val = __bro_table_find(tbl, (BroVal*) lv)))
+    {
+      if (! __bro_val_get_data(result_val, NULL, &result))
+	{
+	  __bro_sobject_release((BroSObject*) lv);
+	  D_RETURN_(NULL);	  
+	}
+    }
+  
+  if (rec)
+    {
+      lv->list = NULL;
+      lv->len = 0;
+    }
+
+  __bro_sobject_release((BroSObject*) lv);
+  
+  D_RETURN_(result);
+}
+
+
+int
+bro_table_get_size(BroTable *tbl)
+{
+  int result;
+
+  D_ENTER;
+  result = __bro_table_get_size(tbl);
+  D_RETURN_(result);
+}
+
+typedef struct bro_table_cb_data
+{ 
+  void *user_data;
+  BroTableCallback cb;
+  int is_set;
+} BroTableCBData;
+
+static int
+bro_table_foreach_cb(BroListVal *key, BroVal *val, BroTableCBData *data)
+{
+  int result;
+  void *key_data = NULL, *val_data = NULL;
+  BroRecord *rec = NULL;
+  
+  if (__bro_list_val_get_length(key) > 1)
+    {
+      /* Need to shrink-wrap it into a record. */
+      BroList *l;
+      rec = __bro_record_new();
+      
+      for (l = key->list; l; l = __bro_list_next(l))
+	{
+	  BroVal *tmp = (BroVal*) __bro_list_data(l);
+	  
+	  /* __bro_record_add_val() does not internally copy the added
+	   * val. Without bumping up the val's refcount, __bro_record_free()
+	   * below would possibly nuke the val when it decrements the count
+	   * by 1.
+	   */
+	  __bro_sobject_ref((BroSObject*) tmp);
+	  __bro_record_add_val(rec, tmp);
+	}
+
+      key_data = (void*) rec;
+    }
+  else
+    {
+      /* Direct passthrough. */
+      BroVal *v = __bro_list_val_get_front(key);
+      D(("Index type is atomic, type %d/%d\n",
+	 v->val_type->tag, v->val_type->internal_tag));
+    
+      if (! __bro_val_get_data(v, NULL, &key_data))
+	{
+	  D(("Failed to obtain user-suitable data representation.\n"));
+	  return TRUE;
+	}
+    }
+  
+  if (! data->is_set && ! __bro_val_get_data(val, NULL, &val_data))
+    {
+      D(("Failed to obtain user-suitable data representation.\n"));
+      result = FALSE;
+      goto return_result;
+    }
+  
+  result = data->cb(key_data, val_data, data->user_data);
+  
+ return_result:
+  if (rec)
+    __bro_record_free(rec);
+  
+  return result;
+}
+
+void
+bro_table_foreach(BroTable *tbl,
+		  BroTableCallback cb,
+		  void *user_data)
+{
+  BroTableCBData data;
+
+  D_ENTER;
+
+  data.user_data = user_data;
+  data.cb = cb;
+  data.is_set = __bro_table_is_set(tbl);
+
+  __bro_table_foreach(tbl,
+		      (BroTableCallback) bro_table_foreach_cb,
+		      &data);
+  D_RETURN;
+}
+
+void
+bro_table_get_types(BroTable *tbl,
+		    int *key_type, int *val_type)
+{
+  if (! tbl)
+    return;
+
+  if (key_type)
+    *key_type = tbl->tbl_key_type;
+  if (val_type)
+    *val_type = tbl->tbl_val_type;
+}
+
+
+BroSet *
+bro_set_new(void)
+{
+  BroSet *result;
+
+  D_ENTER;
+  result = (BroSet*) __bro_table_new();
+  D_RETURN_(result);
+}
+
+void
+bro_set_free(BroSet *set)
+{
+  D_ENTER;
+  __bro_table_free((BroTable*) set);
+  D_RETURN;
+}
+
+int
+bro_set_insert(BroSet *set, int type, const void *val)
+{
+  int result;
+
+  D_ENTER;
+  
+  result = bro_table_insert((BroTable*) set,
+			    type, val,
+			    BRO_TYPE_UNKNOWN, NULL);
+  
+  D_RETURN_(result);
+}
+
+int
+bro_set_find(BroSet *set, const void *key)
+{
+  int result;
+
+  D_ENTER;
+  result = (bro_table_find((BroTable*) set, key) != NULL);
+  D_RETURN_(result);
+}
+
+int
+bro_set_get_size(BroSet *set)
+{
+  int result;
+
+  D_ENTER;
+  result = __bro_table_get_size((BroTable*) set);
+  D_RETURN_(result);
+}
+
+typedef struct bro_set_cb_data
+{ 
+  void *user_data;
+  BroSetCallback cb;
+} BroSetCBData;
+
+static int
+bro_set_foreach_cb(void *key, void *val, BroSetCBData *data)
+{
+  return data->cb(key, data->user_data);
+}
+
+void
+bro_set_foreach(BroSet *set,
+		BroSetCallback cb,
+		void *user_data)
+{
+  BroSetCBData data;
+
+  D_ENTER;
+  
+  data.user_data = user_data;
+  data.cb = cb;
+
+  bro_table_foreach((BroTable*) set,
+		    (BroTableCallback) bro_set_foreach_cb,
+		    &data);
+  
+  D_RETURN;
+}
+
+void
+bro_set_get_type(BroSet *set, int *type)
+{
+  return bro_table_get_types((BroTable*) set, type, NULL);
+}
+
+/* ------------------------------ Strings ---------------------------- */
+
+void
+bro_string_init(BroString *bs)
+{
+  if (! bs)
+    return;
+
+  memset(bs, 0, sizeof(BroString));
+}
+
+
+int
+bro_string_set(BroString *bs, const char *s)
+{
+  if (! bs || !s)
+    return FALSE;
+  
+  return bro_string_set_data(bs, (const uchar *) s, strlen(s));
+}
+
+
+int
+bro_string_set_data(BroString *bs, const uchar *data, int data_len)
+{
+  uchar *data_copy;
+  
+  if (! bs || !data || data_len < 0)
+    return FALSE;
+  
+  if (! (data_copy = malloc(data_len + 1)))
+    return FALSE;
+  
+  memcpy(data_copy, data, data_len);
+  data_copy[data_len] = '\0';
+  
+  bs->str_len = data_len;
+  bs->str_val = data_copy;
+
+  return TRUE;
+}
+
+
+const uchar   *
+bro_string_get_data(const BroString *bs)
+{
+  return bs ? bs->str_val : NULL;
+}
+
+
+uint32
+bro_string_get_length(const BroString *bs)
+{
+  return bs ? bs->str_len : 0;
+}
+
+
+BroString *
+bro_string_copy(BroString *bs)
+{
+  BroString *result;
+
+  if (! bs)
+    return NULL;
+
+  if (! (result = calloc(1, sizeof(BroString))))
+    return NULL;
+
+  bro_string_assign(bs, result);
+  return result;
+}
+
+
+void
+bro_string_assign(BroString *src, BroString *dst)
+{
+  if (! src || ! dst)
+    return;
+
+  bro_string_cleanup(dst);
+  dst->str_len = src->str_len;
+
+  if (! (dst->str_val = malloc(dst->str_len + 1)))
+    {
+      D(("Out of memory.\n"));
+      dst->str_len = 0;
+      return;
+    }
+
+  memcpy(dst->str_val, src->str_val, dst->str_len);
+  dst->str_val[dst->str_len] = '\0';
+}
+
+
+void
+bro_string_cleanup(BroString *bs)
+{
+  if (! bs)
+    return;
+
+  if (bs->str_val)
+    free(bs->str_val);
+
+  memset(bs, 0, sizeof(BroString));
+}
+
+
+void
+bro_string_free(BroString *bs)
+{
+  if (! bs)
+    return;
+
+  bro_string_cleanup(bs);
+  free(bs);
+}
+
+/* ----------------------- Pcap Packet Handling ---------------------- */
+#ifdef BRO_PCAP_SUPPORT
+
+void
+bro_conn_set_packet_ctxt(BroConn *bc, int link_type)
+{
+  if (! bc)
+    return;
+
+  bc->pcap_link_type = link_type;
+}
+
+
+void
+bro_conn_get_packet_ctxt(BroConn *bc, int *link_type)
+{
+  if (! bc)
+    return;
+
+  if (link_type)
+    *link_type = bc->pcap_link_type;
+}
+
+
+BroPacket *
+bro_packet_new(const struct pcap_pkthdr *hdr, const u_char *data, const char *tag)
+{
+  BroPacket *packet;
+
+  if (! hdr || ! data)
+    return NULL;
+
+  if (! (packet = calloc(1, sizeof(BroPacket))))
+    return NULL;
+ 
+  packet->pkt_pcap_hdr = *hdr;
+  packet->pkt_tag = strdup(tag ? tag : "");
+
+  if (! (packet->pkt_data = malloc(hdr->caplen)))
+    {
+      free(packet);
+      return NULL;
+    }
+
+  memcpy((u_char *) packet->pkt_data, data, hdr->caplen);
+  return packet;
+}
+
+
+BroPacket *
+bro_packet_clone(const BroPacket *src)
+{
+  BroPacket *dst;
+  
+  if (! (dst = calloc(1, sizeof(BroPacket))))
+    return NULL;
+  
+  if (! __bro_packet_clone(dst, src))
+    {
+      bro_packet_free(dst);
+      return NULL;
+    }
+
+  return dst;
+}
+
+
+void
+bro_packet_free(BroPacket *packet)
+{
+  if (! packet)
+    return;
+
+  if (packet->pkt_data)
+    free((u_char *) packet->pkt_data);
+
+  if (packet->pkt_tag)
+    free((u_char *) packet->pkt_tag);
+
+  free(packet);
+}
+
+int
+bro_packet_send(BroConn *bc, BroPacket *packet)
+{
+  if (! bc || ! packet)
+    {
+      D(("Invalid input.\n"));
+      return FALSE;
+    }
+
+  return __bro_io_packet_queue(bc, packet);
+}
+
+#endif
+
+/* --------------------------- Miscellaneous ------------------------- */
+
+double
+bro_util_current_time(void)
+{
+  return __bro_util_get_time();
+}
+
+
+double 
+bro_util_timeval_to_double(const struct timeval *tv)
+{
+  return __bro_util_timeval_to_double(tv);
+}
+
+
+
diff --git a/aux/broccoli/src/bro_attr.c b/aux/broccoli/src/bro_attr.c
new file mode 100644
index 0000000000..ad92dfe622
--- /dev/null
+++ b/aux/broccoli/src/bro_attr.c
@@ -0,0 +1,132 @@
+/*
+       B R O C C O L I  --  The Bro Client Communications Library
+
+Copyright (C) 2004-2008 Christian Kreibich <christian (at) icir.org>
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to
+deal in the Software without restriction, including without limitation the
+rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+sell copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies of the Software and its documentation and acknowledgment shall be
+given in the documentation and software packages that this Software was
+used.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+*/
+#if HAVE_CONFIG_H
+# include <config.h>
+#endif
+
+#include <string.h>
+#include <unistd.h>
+#include <errno.h>
+#include <sys/time.h>
+
+#ifdef __EMX__
+#include <strings.h>
+#endif 
+
+#include <bro_types.h>
+#include <bro_val.h>
+#include <bro_debug.h>
+#include <bro_attr.h>
+
+
+BroAttr *
+__bro_attr_new(void)
+{
+  BroAttr *attr;
+
+  D_ENTER;
+  
+  if (! (attr = calloc(1, sizeof(BroAttr))))
+    D_RETURN_(NULL);
+  
+  D_RETURN_(attr);
+}
+
+
+BroAttr *
+__bro_attr_copy(BroAttr *attr)
+{
+  BroAttr *copy;
+
+  D_ENTER;
+
+  if (! (copy = __bro_attr_new()))
+    D_RETURN_(NULL);
+
+  if (! attr)
+    D_RETURN_(NULL);
+
+  copy->tag = attr->tag;
+  
+  /* FIXME copy->expr = __bro_sobject_copy((BroSObject *) attr->expr); */
+  
+  D_RETURN_(copy);
+}
+
+
+void
+__bro_attr_free(BroAttr *attr)
+{
+  D_ENTER;
+
+  /* FIXME __bro_expr_free(attr->expr); */
+  free(attr);
+
+  D_RETURN;
+}
+
+
+int
+__bro_attr_read(BroAttr *attr, BroConn *bc)
+{
+  char opt;
+
+  D_ENTER;
+  
+  if (! __bro_buf_read_char(bc->rx_buf, &opt))
+    D_RETURN_(FALSE);
+  if (opt)
+    {
+      /* FIXME
+      if (attr->expr)
+	__bro_expr_free(attr->expr);
+      if (! (attr->expr = (BroExpr *) __bro_sobject_unserialize(SER_IS_EXPR, buf)))
+	D_RETURN_(FALSE);
+      */
+    }
+  
+  if (! __bro_buf_read_char(bc->rx_buf, &attr->tag))
+    D_RETURN_(FALSE);
+  
+  D_RETURN_(TRUE);
+}
+
+
+int
+__bro_attr_write(BroAttr *attr, BroConn *bc)
+{
+  D_ENTER;
+  
+  if (! __bro_buf_write_char(bc->tx_buf, attr->expr ? 1 : 0))
+    D_RETURN_(FALSE);
+  if (attr->expr && ! __bro_sobject_serialize((BroSObject *) attr->expr, bc))
+    D_RETURN_(FALSE);
+  
+  if (! __bro_buf_write_char(bc->tx_buf, attr->tag))
+    D_RETURN_(FALSE);
+  
+  D_RETURN_(TRUE);
+}
diff --git a/aux/broccoli/src/bro_attr.h b/aux/broccoli/src/bro_attr.h
new file mode 100644
index 0000000000..b82756ee03
--- /dev/null
+++ b/aux/broccoli/src/bro_attr.h
@@ -0,0 +1,74 @@
+/*
+       B R O C C O L I  --  The Bro Client Communications Library
+
+Copyright (C) 2004-2008 Christian Kreibich <christian (at) icir.org>
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to
+deal in the Software without restriction, including without limitation the
+rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+sell copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies of the Software and its documentation and acknowledgment shall be
+given in the documentation and software packages that this Software was
+used.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+*/
+#ifndef broccoli_attr_h
+#define broccoli_attr_h
+
+#include <bro_object.h>
+
+/* Definitions of attribute type identifiers.
+ * They must match the values of attr_tag in Bro's Attrs.h.
+ */
+#define BRO_ATTR_OPTIONAL          0
+#define BRO_ATTR_DEFAULT           1
+#define BRO_ATTR_REDEF             2
+#define BRO_ATTR_ROTATE_INTERVAL   3
+#define BRO_ATTR_ROTATE_SIZE       4
+#define BRO_ATTR_ADD_FUNC          5
+#define BRO_ATTR_DEL_FUNC          6
+#define BRO_ATTR_EXPIRE_FUNC       7
+#define BRO_ATTR_EXPIRE_READ       8
+#define BRO_ATTR_EXPIRE_WRITE      9
+#define BRO_ATTR_EXPIRE_CREATE    10
+#define BRO_ATTR_PERSISTENT       11
+#define BRO_ATTR_SYNCHRONIZED     12
+#define BRO_ATTR_POSTPROCESSOR    13
+#define BRO_ATTR_ENCRYPT          14
+#define BRO_ATTR_MATCH            15
+
+typedef struct bro_expr
+{
+} BroExpr;
+
+/* NOTE: these attributes do *not* follow the inheritance approach,
+ * unlike the attributes in Bro. This is because they're not currently
+ * using the serialization framework like the rest of the Bro objects,
+ * and all we need for Broccoli purposes is a (non-inherited) simple
+ * way to read and write an attribute.
+ */
+typedef struct bro_attr
+{
+  char             tag;
+  BroExpr         *expr;
+} BroAttr;
+
+BroAttr         *__bro_attr_new(void);
+BroAttr         *__bro_attr_copy(BroAttr *attr);
+void             __bro_attr_free(BroAttr *attr);
+
+int              __bro_attr_read(BroAttr *attr, BroConn *bc);
+int              __bro_attr_write(BroAttr *attr, BroConn *bc);
+
+#endif
diff --git a/aux/broccoli/src/bro_attrs.c b/aux/broccoli/src/bro_attrs.c
new file mode 100644
index 0000000000..8ec4aafc96
--- /dev/null
+++ b/aux/broccoli/src/bro_attrs.c
@@ -0,0 +1,258 @@
+/*
+       B R O C C O L I  --  The Bro Client Communications Library
+
+Copyright (C) 2004-2008 Christian Kreibich <christian (at) icir.org>
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to
+deal in the Software without restriction, including without limitation the
+rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+sell copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies of the Software and its documentation and acknowledgment shall be
+given in the documentation and software packages that this Software was
+used.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+*/
+#if HAVE_CONFIG_H
+# include <config.h>
+#endif
+
+#include <string.h>
+#include <unistd.h>
+#include <errno.h>
+#include <sys/time.h>
+
+#ifdef __EMX__
+#include <strings.h>
+#endif 
+
+#include <bro_types.h>
+#include <bro_debug.h>
+#include <bro_attrs.h>
+#include <bro_type.h>
+
+
+BroAttrs         *
+__bro_attrs_new(void)
+{
+  BroAttrs *attrs;
+
+  D_ENTER;
+  
+  if (! (attrs = calloc(1, sizeof(BroAttrs))))
+    D_RETURN_(NULL);
+
+  __bro_attrs_init(attrs);
+  D_RETURN_(attrs);
+}
+
+
+void
+__bro_attrs_init(BroAttrs *attrs)
+{
+  BroSObject *sobj = (BroSObject *) attrs;
+
+  D_ENTER;
+
+  __bro_object_init((BroObject *) attrs);
+
+  sobj->read  = (BroSObjectRead) __bro_attrs_read;
+  sobj->write = (BroSObjectWrite) __bro_attrs_write;
+  sobj->free  = (BroSObjectFree) __bro_attrs_free;
+  sobj->clone = (BroSObjectClone) __bro_attrs_clone;
+  sobj->hash  = (BroSObjectHash) __bro_attrs_hash;
+  sobj->cmp   = (BroSObjectCmp) __bro_attrs_cmp;
+
+  sobj->type_id = SER_ATTRIBUTES;
+
+  D_RETURN;
+}
+
+
+void
+__bro_attrs_free(BroAttrs *attrs)
+{
+  uint32 i;
+
+  D_ENTER;
+
+  __bro_sobject_release((BroSObject *) attrs->type);
+  
+  for (i = 0; i < attrs->num_attrs; i++)
+    __bro_attr_free(attrs->attrs[i]);
+  free(attrs->attrs);
+  
+  __bro_object_free((BroObject *) attrs);
+  D_RETURN;
+}
+
+
+int
+__bro_attrs_read(BroAttrs *attrs, BroConn *bc)
+{
+  uint32 i;
+
+  D_ENTER;
+
+  if (! __bro_object_read((BroObject *) attrs, bc))
+    D_RETURN_(FALSE);
+
+  if (attrs->type)
+    __bro_sobject_release((BroSObject *) attrs->type);
+
+  if (! (attrs->type = (BroType *) __bro_sobject_unserialize(SER_IS_TYPE, bc)))
+    D_RETURN_(FALSE);
+
+  if (attrs->attrs)
+    {
+      for (i = 0; i < attrs->num_attrs; i++)
+	__bro_attr_free(attrs->attrs[i]);
+      free(attrs->attrs);
+    }
+
+  if (! __bro_buf_read_int(bc->rx_buf, &attrs->num_attrs))
+    D_RETURN_(FALSE);
+  
+  if (! (attrs->attrs = calloc(attrs->num_attrs, sizeof(BroAttr*))))
+    D_RETURN_(FALSE);
+  
+  for (i = 0; i < attrs->num_attrs; i++)
+    {
+      BroAttr *attr;
+      
+      if (! (attr = __bro_attr_new()))
+	D_RETURN_(FALSE);
+      
+      if (! __bro_attr_read(attr, bc))
+	D_RETURN_(FALSE);
+      
+      attrs->attrs[i] = attr;
+    }
+  
+  D_RETURN_(TRUE);
+}
+
+
+int
+__bro_attrs_write(BroAttrs *attrs, BroConn *bc)
+{
+  uint32 i;
+  
+  D_ENTER;
+
+  if (! __bro_object_write((BroObject *) attrs, bc))
+    D_RETURN_(FALSE);
+  
+  if (! __bro_sobject_serialize((BroSObject *) attrs->type, bc))
+    D_RETURN_(FALSE);
+  
+  if (! __bro_buf_write_int(bc->tx_buf, attrs->num_attrs))
+    D_RETURN_(FALSE);
+  
+  for (i = 0; i < attrs->num_attrs; i++)
+    {
+      if (! __bro_sobject_serialize((BroSObject *) attrs->attrs[i], bc))
+	D_RETURN_(FALSE);
+    }
+  
+  D_RETURN_(TRUE);
+}
+
+
+int
+__bro_attrs_clone(BroAttrs *dst, BroAttrs *src)
+{
+  uint32 i;
+
+  D_ENTER;
+
+  if (! __bro_object_clone((BroObject *) dst, (BroObject *) src))
+    D_RETURN_(FALSE);
+
+  if (src->type && ! (dst->type = (BroType *) __bro_sobject_copy((BroSObject *) dst->type)))
+    D_RETURN_(FALSE);
+
+  if (dst->attrs)
+    {
+      for (i = 0; i < dst->num_attrs; i++)
+	__bro_attr_free(dst->attrs[i]);
+      free(dst->attrs);
+    }
+
+  dst->num_attrs = src->num_attrs;
+
+  if (! (dst->attrs = calloc(dst->num_attrs, sizeof(BroAttr *))))
+    D_RETURN_(FALSE);
+  
+  for (i = 0; i < dst->num_attrs; i++)
+    {
+      if (! (dst->attrs[i] = __bro_attr_copy(src->attrs[i])))
+	D_RETURN_(FALSE);
+    }
+  
+  D_RETURN_(TRUE);
+}
+
+uint32
+__bro_attrs_hash(BroAttrs *attrs)
+{
+  uint32 result, i, shift;
+
+  D_ENTER;
+
+  if (! attrs)
+    D_RETURN_(0);
+
+  result = __bro_sobject_hash((BroSObject*) attrs->type) ^ attrs->num_attrs;
+  
+  /* Cycle through the attributes and XOR their tags, also
+   * cycling through a shifting regime shifting by 0, 8, 16,
+   * 24, 0, etc.
+   */
+  for (i = 0, shift = 0; i < attrs->num_attrs; i++, shift += 8)
+    {
+      uint32 val;
+
+      if (shift > 24)
+	shift = 0;
+      
+      val = (uint32) attrs->attrs[i]->tag;
+      result ^= val << shift;
+    }
+  
+  D_RETURN_(result);
+}
+
+int
+__bro_attrs_cmp(BroAttrs *attrs1, BroAttrs *attrs2)
+{
+  uint32 i, j;
+  
+  D_ENTER;
+  
+  if (! __bro_sobject_cmp((BroSObject*) attrs1->type, (BroSObject*) attrs2->type))
+    D_RETURN_(FALSE);
+  
+  if (attrs1->num_attrs != attrs2->num_attrs)
+    D_RETURN_(FALSE);
+  
+  for (i = 0, j = 0; i < attrs1->num_attrs && attrs2->num_attrs;
+       i++, j++)
+    {
+      if (attrs1->attrs[i]->tag != attrs2->attrs[j]->tag)
+	D_RETURN_(FALSE);
+    }
+  
+  D_RETURN_(TRUE);
+}
+
diff --git a/aux/broccoli/src/bro_attrs.h b/aux/broccoli/src/bro_attrs.h
new file mode 100644
index 0000000000..4c221ce613
--- /dev/null
+++ b/aux/broccoli/src/bro_attrs.h
@@ -0,0 +1,51 @@
+/*
+       B R O C C O L I  --  The Bro Client Communications Library
+
+Copyright (C) 2004-2008 Christian Kreibich <christian (at) icir.org>
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to
+deal in the Software without restriction, including without limitation the
+rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+sell copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies of the Software and its documentation and acknowledgment shall be
+given in the documentation and software packages that this Software was
+used.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+*/
+#ifndef broccoli_attrs_h
+#define broccoli_attrs_h
+
+#include <bro_types.h>
+#include <bro_attr.h>
+
+typedef struct bro_attrs
+{
+  BroObject        object;
+
+  BroType         *type;
+  uint32           num_attrs;
+  BroAttr        **attrs;
+} BroAttrs;
+
+BroAttrs        *__bro_attrs_new(void);
+void             __bro_attrs_init(BroAttrs *attrs);
+void             __bro_attrs_free(BroAttrs *attrs);
+
+int              __bro_attrs_read(BroAttrs *attrs, BroConn *bc);
+int              __bro_attrs_write(BroAttrs *attrs, BroConn *bc);
+int              __bro_attrs_clone(BroAttrs *dst, BroAttrs *src);
+uint32           __bro_attrs_hash(BroAttrs *attrs);
+int              __bro_attrs_cmp(BroAttrs *attrs1, BroAttrs *attrs2);
+
+#endif
diff --git a/aux/broccoli/src/bro_buf.c b/aux/broccoli/src/bro_buf.c
new file mode 100644
index 0000000000..4d89f108ea
--- /dev/null
+++ b/aux/broccoli/src/bro_buf.c
@@ -0,0 +1,588 @@
+/*
+       B R O C C O L I  --  The Bro Client Communications Library
+
+Copyright (C) 2004-2008 Christian Kreibich <christian (at) icir.org>
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to
+deal in the Software without restriction, including without limitation the
+rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+sell copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies of the Software and its documentation and acknowledgment shall be
+given in the documentation and software packages that this Software was
+used.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+*/
+#if HAVE_CONFIG_H
+# include <config.h>
+#endif
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <sys/types.h>
+#include <string.h>
+#include <unistd.h>
+#include <errno.h>
+
+#ifdef __EMX__
+#include <strings.h>
+#endif 
+
+#include <bro_buf.h>
+#include <bro_types.h>
+#include <bro_debug.h>
+#include <bro_util.h>
+
+#define BRO_BUF_DEFAULT   4096
+
+#ifdef BRO_DEBUG
+
+/* Use this to get detailed output of what is read --
+ * useful for debugging serialization format bugs.
+ */
+#define DEBUG_READS
+
+#endif
+
+#ifndef DEBUG_READS
+#  define D(x)
+#endif
+
+BroBuf *
+__bro_buf_new(void)
+{
+  BroBuf *buf;
+
+  if (! (buf = calloc(1, sizeof(BroBuf))))
+    return NULL;
+
+  __bro_buf_init(buf);
+  buf->may_grow = TRUE;
+
+  return buf;
+}
+
+BroBuf *
+__bro_buf_new_mem(u_char *mem, int mem_size)
+{
+  BroBuf *buf;
+
+  if (! mem)
+    {
+      D(("Input error.\n"));
+      return NULL;
+    }
+
+  if ((size_t) mem_size < sizeof(BroBuf) + BRO_BUF_DEFAULT)
+    {
+      D(("Given memory chunk of size %i is not big enough, need at least %i\n",
+	 mem_size, sizeof(BroBuf) + BRO_BUF_DEFAULT));
+      return NULL;
+    }
+
+  buf = (BroBuf *) mem;
+  memset(buf, 0, sizeof(BroBuf));
+
+  buf->buf = mem + sizeof(BroBuf);
+  buf->buf_len = mem_size - sizeof(BroBuf);
+  buf->may_grow = FALSE;
+
+  return buf;
+}
+
+
+void
+__bro_buf_free(BroBuf *buf)
+{
+  if (! buf)
+    return;
+  
+  __bro_buf_cleanup(buf);
+  free(buf);
+}
+
+void
+__bro_buf_init(BroBuf *buf)
+{
+  D_ENTER;
+
+  if (!buf)
+    D_RETURN;
+
+  memset(buf, 0, sizeof(BroBuf));
+  buf->buf = calloc(1, BRO_BUF_DEFAULT);
+  buf->buf_len = BRO_BUF_DEFAULT;
+
+  D_RETURN;
+}
+
+
+void     
+__bro_buf_cleanup(BroBuf *buf)
+{
+  D_ENTER;
+
+  if (!buf)
+    D_RETURN;
+
+  if (buf->buf)
+    free(buf->buf);
+
+  memset(buf, 0, sizeof(BroBuf));
+
+  D_RETURN;
+}
+
+
+int
+__bro_buf_append(BroBuf *buf, void *data, int data_len)
+{
+  if (!buf)
+    return FALSE;
+  
+  if (data_len == 0)
+    return TRUE;
+  
+  if (buf->buf_off + data_len >= buf->buf_len)
+    {
+      uchar *new_buf;
+      
+      if (! buf->may_grow)
+	{
+	  D(("Cannot expand this buffer, sorry.\n"));
+	  return FALSE;
+	}
+      
+      buf->buf_len += MAX(BRO_BUF_DEFAULT, data_len);
+      
+      D(("Reallocating buffer\n"));      
+      if (! (new_buf = realloc(buf->buf, sizeof(uchar) * buf->buf_len)))
+	{
+	  D(("Realloc'ing buffer failed.\n"));
+	  return FALSE;
+	}
+      
+      buf->buf = new_buf;
+    }
+  
+  memcpy(buf->buf + buf->buf_off, data, data_len);
+  buf->buf_off += data_len;
+
+  return TRUE;
+}
+
+
+void
+__bro_buf_consume(BroBuf *buf)
+{
+  if (!buf || buf->buf_ptr == 0)
+    return;
+
+  D(("Consuming %i bytes in buffer.\n", buf->buf_ptr));
+  memmove(buf->buf, buf->buf + buf->buf_ptr, buf->buf_len - buf->buf_ptr);
+  buf->buf_off -= buf->buf_ptr;
+  buf->buf_ptr = 0;
+}
+
+
+void
+__bro_buf_reset(BroBuf *buf)
+{
+  if (! buf)
+    return;
+  
+  buf->buf_off = buf->buf_ptr = 0;
+}
+
+
+uchar *
+__bro_buf_get(BroBuf *buf)
+{
+  if (!buf)
+    return NULL;
+
+  return buf->buf;
+}
+
+uchar *
+__bro_buf_get_end(BroBuf *buf)
+{
+  if (!buf)
+    return NULL;
+
+  return (buf->buf + buf->buf_off);
+}
+
+
+uint     
+__bro_buf_get_size(BroBuf *buf)
+{
+  if (!buf)
+    return 0;
+
+  return buf->buf_len;
+}
+
+
+uint     
+__bro_buf_get_used_size(BroBuf *buf)
+{
+  if (!buf)
+    return 0;
+
+  return buf->buf_off;
+}
+
+
+uchar *
+__bro_buf_ptr_get(BroBuf *buf)
+{
+  if (!buf)
+    return NULL;
+
+  return (buf->buf + buf->buf_ptr);
+}
+
+
+uint32
+__bro_buf_ptr_tell(BroBuf *buf)
+{
+  if (!buf)
+    return 0;
+
+  return buf->buf_ptr;
+}
+
+
+int
+__bro_buf_ptr_seek(BroBuf *buf, int offset, int whence)
+{
+  if (!buf)
+    return FALSE;
+
+  switch (whence)
+    {
+    case SEEK_SET:
+      if (offset >= 0 && (uint32) offset <= buf->buf_off)
+	{
+	  buf->buf_ptr = offset;
+	  return TRUE;
+	}
+      break;
+
+    case SEEK_CUR:
+      if ((int) buf->buf_ptr + offset >= 0 &&
+	  buf->buf_ptr + offset <= buf->buf_off)
+	{
+	  buf->buf_ptr += offset;
+	  return TRUE;
+	}
+      break;
+
+    case SEEK_END:
+      if ((int) buf->buf_off + offset >= 0 &&
+	  buf->buf_off + offset <= buf->buf_off)
+	{
+	  buf->buf_ptr = buf->buf_off + offset;
+	  return TRUE;
+	}
+      break;
+      
+    default:
+      break;
+    }
+
+  return FALSE;
+}
+
+
+int      
+__bro_buf_ptr_check(BroBuf *buf, int size)
+{
+  if (!buf || size < 0)
+    return FALSE;
+
+  if (buf->buf_ptr + size > buf->buf_off)
+    {
+      D(("Checking for %i bytes available, but have only %i\n",
+	 size, buf->buf_off - buf->buf_ptr));
+      return FALSE;
+    }
+
+  return TRUE;
+}
+
+
+int
+__bro_buf_ptr_read(BroBuf *buf, void *data, int size)
+{
+  if (size == 0)
+    return TRUE;
+
+  if (!buf || !data)
+    return FALSE;
+
+  if (! __bro_buf_ptr_check(buf, size))
+    return FALSE;
+
+  memcpy(data, buf->buf + buf->buf_ptr, size);
+  buf->buf_ptr += size;
+
+  return TRUE;
+}
+
+
+int
+__bro_buf_ptr_write(BroBuf *buf, const void *data, int size)
+{
+  if (! buf || size < 0)
+    return FALSE;
+  
+  if (size == 0)
+    return TRUE;
+  
+  if (! data)
+    {
+      D(("Input error -- data length is %i but no data given.\n", size));
+      return FALSE;
+    }
+
+  if (buf->buf_ptr + size >= buf->buf_len)
+    {
+      /* Check how much the requested amount is bigger than
+       * what we have, and add some extra buffering on top of it.
+       */
+      uchar *new_buf;
+      int inc = size - (buf->buf_off - buf->buf_ptr);
+      
+      if (! buf->may_grow)
+	{
+	  D(("Cannot expand this buffer, sorry.\n"));
+	  return FALSE;
+	}
+      
+      D(("Reallocating buffer\n"));      
+
+      if (! (new_buf = realloc(buf->buf, buf->buf_len + inc + BRO_BUF_DEFAULT)))
+	{
+	  D(("Realloc'ing buffer failed.\n"));
+	  return FALSE;
+	}
+      
+      buf->buf_len += inc + BRO_BUF_DEFAULT;
+      buf->buf = new_buf;
+    }
+  
+  memcpy(buf->buf + buf->buf_ptr, data, size);
+  buf->buf_ptr += size;
+  
+  if (buf->buf_off < buf->buf_ptr)
+    buf->buf_off = buf->buf_ptr;
+  
+  return TRUE;
+}
+
+
+
+/* I/O API below ---------------------------------------------------- */
+
+int 
+__bro_buf_read_data(BroBuf *buf, void *dest, int size)
+{
+  return __bro_buf_ptr_read(buf, dest, size);
+}
+
+
+int
+__bro_buf_read_char(BroBuf *buf, char *val)
+{
+  int result;
+  
+  result = __bro_buf_ptr_read(buf, val, sizeof(char));
+  D(("Read char: %i/0x%02x\n", *val, *val));
+  
+  return result;
+}
+
+
+int
+__bro_buf_read_string(BroBuf *buf, BroString *val)
+{
+  if (!buf || !val)
+    return FALSE;
+  
+  bro_string_init(val);
+  
+  if (! __bro_buf_read_int(buf, &val->str_len))
+    return FALSE;
+  
+  /* We create space for the string's length plus one extra byte that
+   * we use as the string terminator so things work with normal C strings.
+   */
+  if (! (val->str_val = malloc(val->str_len + 1)))
+    return FALSE;
+  
+  if (val->str_len > 0)
+    {
+      if (! (__bro_buf_ptr_read(buf, val->str_val, val->str_len)))
+	{
+	  free(val->str_val);
+	  return FALSE;
+	}
+    }
+  
+  /* Terminate the string.
+   */
+  val->str_val[val->str_len] = '\0';
+  
+  D(("Read string: '%s'\n", val->str_val));
+  return TRUE;
+}
+
+
+int
+__bro_buf_read_double(BroBuf *buf, double *d)
+{
+  if (! buf || ! d)
+    return FALSE;
+
+  if (! __bro_buf_ptr_read(buf, d, sizeof(double)))
+    return FALSE;
+  
+  *d = __bro_util_ntohd(*d);
+  D(("Read double: %f\n", *d));
+
+  return TRUE;
+}
+
+
+int
+__bro_buf_read_int(BroBuf *buf, uint32 *i)
+{
+  if (! __bro_buf_ptr_read(buf, i, sizeof(uint32)))
+    return FALSE;
+  
+  *i = ntohl(*i);
+  D(("Read int: %i/0x%08x\n", *i, *i));
+
+  return TRUE;
+}
+
+
+int
+__bro_buf_read_short(BroBuf *buf, uint16 *i)
+{
+  if (! __bro_buf_ptr_read(buf, i, sizeof(uint16)))
+    return FALSE;
+  
+  *i = ntohs(*i);
+  D(("Read short: %i/0x%04x\n", *i, *i));
+
+  return TRUE;
+}
+
+
+int
+__bro_buf_write_data(BroBuf *buf, const void *data, int size)
+{
+  return __bro_buf_ptr_write(buf, data, size);
+}
+
+
+int
+__bro_buf_write_char(BroBuf *buf, char val)
+{
+  int result;
+  
+  result = __bro_buf_ptr_write(buf, &val, sizeof(char));
+  D(("Wrote char: %i/0x%02x\n", val, val));
+  return result;
+}
+
+
+int
+__bro_buf_write_string(BroBuf *buf, BroString *val)
+{
+  int result;
+  BroString tmp_val;
+
+  if (! buf)
+    return FALSE;
+
+  if (! val)
+    {
+      tmp_val.str_val = (uchar*) "";
+      tmp_val.str_len = 0;
+      
+      val = &tmp_val;
+    }
+  
+  if (! (__bro_buf_write_int(buf, val->str_len)))
+    return FALSE;
+  
+  result = __bro_buf_write_data(buf, val->str_val, val->str_len);
+  
+  D(("Wrote string: '%s'\n", val->str_val));
+  return result;
+}
+
+
+int
+__bro_buf_write_double(BroBuf *buf, double d)
+{
+  int result;
+  double d_tmp;
+
+  if (! buf)
+    return FALSE;
+
+  d_tmp = __bro_util_htond(d);
+  result =  __bro_buf_ptr_write(buf, &d_tmp, sizeof(double));
+  D(("Wrote double: %f\n", d));
+
+  return result;
+}
+
+
+int
+__bro_buf_write_int(BroBuf *buf, uint32 i)
+{
+  int result;
+  uint32 i_tmp;
+
+  if (! buf)
+    return FALSE;
+
+  i_tmp = htonl(i);
+  result = __bro_buf_write_data(buf, &i_tmp, sizeof(uint32));
+  D(("Wrote int: %i/0x%08x\n", i, i));
+
+  return result;
+}
+
+
+int
+__bro_buf_write_short(BroBuf *buf, uint16 i)
+{
+  int result;
+  uint16 i_tmp;
+  
+  if (! buf)
+    return FALSE;
+  
+  i_tmp = htons(i);
+  result =__bro_buf_write_data(buf, &i_tmp, sizeof(uint16));
+  D(("Wrote short: %i/0x%04x\n", i, i));
+
+  return result;
+}
diff --git a/aux/broccoli/src/bro_buf.h b/aux/broccoli/src/bro_buf.h
new file mode 100644
index 0000000000..e378b9d85d
--- /dev/null
+++ b/aux/broccoli/src/bro_buf.h
@@ -0,0 +1,125 @@
+/*
+       B R O C C O L I  --  The Bro Client Communications Library
+
+Copyright (C) 2004-2008 Christian Kreibich <christian (at) icir.org>
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to
+deal in the Software without restriction, including without limitation the
+rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+sell copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies of the Software and its documentation and acknowledgment shall be
+given in the documentation and software packages that this Software was
+used.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+*/
+#ifndef broccoli_buf_h
+#define broccoli_buf_h
+
+#include <stdio.h>
+#include <broccoli.h>
+
+/*
+ * BroBufs are self-allocating, seekable, and read/writable
+ * buffers. You can repeatedly append data to the buffer
+ * while the buffer makes sure it is large enough to handle
+ * the amount requested. A buffer has a content pointer that
+ * points to an arbitrary location between the start of the
+ * buffer and the first byte after the last byte currently
+ * used in the buffer (buf_off). The content pointer can be
+ * seeked to arbitrary locations, and data can be copied from
+ * the buffer, adjusting the content pointer at the same time.
+ *
+ * Illustration:
+ *
+ * <---------------- allocated buffer space ------------>
+ * <======== used buffer space ========>
+ * ^              ^                    ^               ^                 
+ * |              |                    |               |
+ * `buf           `buf_ptr             `buf_off        `buf_len
+ */
+
+struct bro_buf {
+  uchar       *buf;
+  
+  /* The size of the allocated buffer BUF: */
+  uint32       buf_len;
+
+  /* The first byte in BUF after the ones occupied */
+  uint32       buf_off;
+
+  /* A pointer to a position between the start of BUF
+   * and BUF + BUF_OFF.
+   */
+  uint32       buf_ptr;
+
+  /* Flag that indicates whether or not the allocated buffer
+   * can grow or not. It can't if we require the buffer to
+   * live in a fixed amount of memory.
+   */
+  int          may_grow;
+};
+
+/* See API comments in broccoli.h for details */
+
+BroBuf  *__bro_buf_new(void);
+
+/* Creates a new buffer using a given chunk of memory. We use
+ * this for example to allocate a buffer in shared memory.
+ */
+BroBuf  *__bro_buf_new_mem(u_char *mem, int mem_size);
+
+void     __bro_buf_free(BroBuf *buf);
+
+/* Initializes an existing buffer structure to default values */
+void     __bro_buf_init(BroBuf *buf);
+void     __bro_buf_cleanup(BroBuf *buf);
+
+int      __bro_buf_append(BroBuf *buf, void *data, int data_len);
+void     __bro_buf_consume(BroBuf *buf);
+void     __bro_buf_reset(BroBuf *buf);
+
+uchar   *__bro_buf_get(BroBuf *buf);
+uchar   *__bro_buf_get_end(BroBuf *buf);
+uint     __bro_buf_get_size(BroBuf *buf);
+uint     __bro_buf_get_used_size(BroBuf *buf);
+uchar   *__bro_buf_ptr_get(BroBuf *buf);
+uint32   __bro_buf_ptr_tell(BroBuf *buf);
+int      __bro_buf_ptr_seek(BroBuf *buf, int offset, int whence);
+int      __bro_buf_ptr_check(BroBuf *buf, int size);
+int      __bro_buf_ptr_read(BroBuf *buf, void *data, int size);
+int      __bro_buf_ptr_write(BroBuf *buf, const void *data, int size);
+
+
+/* Buffer-based I/O API --------------------------------------------- */
+
+/* The read functions read data from the given buffer into the variables
+ * pointed to by the arguments, the write functions to the opposite and
+ * write the passed-in parameters into the given buffers.
+ */
+
+int      __bro_buf_read_data(BroBuf *buf, void *dest, int size);
+int      __bro_buf_read_char(BroBuf *buf, char *val);
+int      __bro_buf_read_string(BroBuf *buf, BroString *val);
+int      __bro_buf_read_double(BroBuf *buf, double *d);
+int      __bro_buf_read_int(BroBuf *buf, uint32 *i);
+int      __bro_buf_read_short(BroBuf *buf, uint16 *i);
+
+int      __bro_buf_write_data(BroBuf *buf, const void *data, int size);
+int      __bro_buf_write_char(BroBuf *buf, char val);
+int      __bro_buf_write_string(BroBuf *buf, BroString *val);
+int      __bro_buf_write_double(BroBuf *buf, double d);
+int      __bro_buf_write_int(BroBuf *buf, uint32 i);
+int      __bro_buf_write_short(BroBuf *buf, uint16 i);
+
+#endif
diff --git a/aux/broccoli/src/bro_config.c b/aux/broccoli/src/bro_config.c
new file mode 100644
index 0000000000..3edd6abc12
--- /dev/null
+++ b/aux/broccoli/src/bro_config.c
@@ -0,0 +1,492 @@
+/*
+       B R O C C O L I  --  The Bro Client Communications Library
+
+Copyright (C) 2004-2008 Christian Kreibich <christian (at) icir.org>
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to
+deal in the Software without restriction, including without limitation the
+rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+sell copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies of the Software and its documentation and acknowledgment shall be
+given in the documentation and software packages that this Software was
+used.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+*/
+#if HAVE_CONFIG_H
+# include <config.h>
+#endif
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <unistd.h>
+#include <errno.h>
+#include <pwd.h>
+#include <sys/param.h>
+#include <ctype.h>
+
+#ifdef __EMX__
+#include <strings.h>
+#endif 
+
+#include <bro_types.h>
+#include <bro_hashtable.h>
+#include <bro_debug.h>
+#include <bro_config.h>
+
+typedef enum {
+  BRO_CONF_INT,
+  BRO_CONF_DBL,
+  BRO_CONF_STR,
+  BRO_CONF_NET,
+  BRO_CONF_ERR
+} BroConfType;
+
+typedef struct bro_conf_it
+{
+  char        *ci_name;
+  BroConfType  ci_type;
+  
+  union {
+    int             ci_int;
+    double          ci_dbl;
+    char           *ci_str;
+  } ci_val;
+  
+#define ci_int ci_val.ci_int
+#define ci_dbl ci_val.ci_dbl
+#define ci_str ci_val.ci_str
+
+} BroConfIt;
+
+
+static char *config_file = BRO_SYSCONF_FILE;
+
+/* The name of the current domain, may be NULL. */
+static char  *cur_dom;
+
+/* The default domain's configuration, used when cur_dom == NULL. */
+static BroHT *default_conf;
+
+/* While parsing the configuration, we switch from domain to domain
+ * as contained in the file, but leave the user's currently selected
+ * domain unaffected. We point to the current domain while parsing
+ * using parsing_conf, which by default is the same as default_conf.
+ */
+static BroHT *parsing_conf;
+
+/* A hashtable of hashtables, indexed by domain names. The inner
+ * hash tables contain BroConfIt items, indexed by strings.
+ */
+static BroHT *dom_conf;
+
+extern int __bro_parse_config(const char *filename);
+
+
+static BroConfIt *
+conf_item_new(const char *name, BroConfType type, void *val)
+{
+  BroConfIt *ci;
+
+  if (! (ci = calloc(1, sizeof(BroConfIt))))
+    return NULL;
+
+  ci->ci_name = strdup(name);
+  ci->ci_type = type;
+
+  switch (type)
+    {
+    case BRO_CONF_INT:
+      ci->ci_int = *((int*) val);
+      break;
+
+    case BRO_CONF_DBL:
+      ci->ci_dbl = *((double*) val);
+      break;
+
+    case BRO_CONF_STR:
+      ci->ci_str = strdup((char *) val);
+      break;
+
+    default:
+      free(ci);
+      return NULL;
+    }
+
+  return ci;
+}
+
+static void
+conf_item_free(BroConfIt *ci)
+{
+  if (!ci)
+    return;
+
+  if (ci->ci_name)
+    free(ci->ci_name);
+  
+  if (ci->ci_type == BRO_CONF_STR)
+    {
+      memset(ci->ci_str, 0, strlen(ci->ci_str));
+      free(ci->ci_str);
+      ci->ci_str = NULL;
+    }
+  
+  free(ci);
+}
+
+static int
+conf_permissions_ok(struct stat *st)
+{
+  /* We consider the file okay if it is not a link, only
+   * the owner can read it, and the current user can open it.
+   */
+  if (S_ISREG(st->st_mode)      &&  /* regular file  */
+      (st->st_mode & S_IRUSR)   &&  /* user-readable */
+      ! (st->st_mode & S_IXUSR) &&  /* not user-exec'able (paranoia) */
+      ! (st->st_mode & S_IRWXG) &&  /* no group permissions */
+      ! (st->st_mode & S_IRWXO))    /* no other permissions */
+    {
+      if (st->st_uid == geteuid())
+	return TRUE;
+    }      
+  
+  fprintf(stderr, "Insufficient permissions for reading ~/.broccoli.conf.\n");
+  fprintf(stderr, "NOTE: ~/.broccoli.conf must be regular file and -rw-------\n");
+  return FALSE;
+}
+
+static char *
+get_passwd_home(void)
+{
+#if defined(HAVE_GETEUID) && defined(HAVE_GETPWUID)
+  struct passwd *passwd;
+  uid_t uid = geteuid();
+
+  if ( (passwd = getpwuid(uid)))
+    {
+      D(("Getting home directory from user %u's passwd entry: %s.\n", uid, passwd->pw_dir)); 
+      return strdup(passwd->pw_dir);
+    }
+#endif
+
+  return NULL;
+}
+
+
+void
+__bro_conf_init(void)
+{
+  static int deja_vu = FALSE;
+  struct stat st;    
+  char *pwd_home = NULL;
+  char home_config[MAXPATHLEN];
+  char home_config2[MAXPATHLEN];
+  int try_env = TRUE, debug_messages, debug_calltrace;
+
+  if (deja_vu)
+    return;
+
+  home_config[0] = '\0';
+  home_config2[0] = '\0';
+
+  parsing_conf = default_conf = __bro_ht_new(__bro_ht_str_hash,
+					     __bro_ht_str_cmp,
+					     NULL,
+					     (BroHTFreeFunc)conf_item_free,
+					     FALSE);
+  
+  dom_conf = __bro_ht_new(__bro_ht_str_hash,
+			  __bro_ht_str_cmp,
+			  __bro_ht_mem_free,
+			  (BroHTFreeFunc)__bro_ht_free,
+			  FALSE);
+  
+  /* Now figure out what config file to read: if the user
+   * has a ~/.broccoli.conf, use that, otherwise use the
+   * global one. We first try via the passwd entry, then
+   * fall back to using $HOME.
+   */
+  if ( (pwd_home = get_passwd_home()))
+    {
+      __bro_util_snprintf(home_config, MAXPATHLEN, "%s/.broccoli.conf", pwd_home);      
+      free(pwd_home);
+
+      if (stat(home_config, &st) == 0 && conf_permissions_ok(&st))
+	{
+	  config_file = strdup(home_config);
+	  try_env = FALSE;
+	}	
+    }
+  
+  if (try_env)
+    {
+      __bro_util_snprintf(home_config2, MAXPATHLEN, "%s/.broccoli.conf", getenv("HOME"));
+      
+      /* Only check this variant if it didn't yield the same file as the
+       * pwd-based filename.
+       */
+      if (strcmp(home_config, home_config2) &&
+	  stat(home_config2, &st) == 0 && conf_permissions_ok(&st))
+	config_file = strdup(home_config2);
+    }
+  
+  __bro_parse_config(config_file);
+  deja_vu = TRUE;
+
+  /* Read out debugging verbosity settings and assign if found. */
+  if (__bro_conf_get_int("/broccoli/debug_messages", &debug_messages))
+    bro_debug_messages = debug_messages;
+  if (__bro_conf_get_int("/broccoli/debug_calltrace", &debug_calltrace))
+    bro_debug_calltrace = debug_calltrace;
+  
+}
+
+static BroHT *
+assert_domain(void)
+{
+  BroHT *conf = default_conf;
+
+  D(("Selecting configuration domain, name is %s\n", cur_dom));
+
+  if (cur_dom && ! (conf = (BroHT *)  __bro_ht_get(dom_conf, cur_dom)))
+    {
+      D(("Allocating domain '%s'\n", cur_dom));
+      
+      conf = __bro_ht_new(__bro_ht_str_hash,
+			  __bro_ht_str_cmp,
+			  NULL,
+			  (BroHTFreeFunc)conf_item_free,
+			  FALSE);
+      
+      __bro_ht_add(dom_conf, strdup(cur_dom), conf);
+    }
+  
+  return conf;
+}
+
+
+void
+__bro_conf_set_domain(const char *new_domain)
+{
+  /* First reset to the default domain */
+  if (cur_dom)
+    free(cur_dom);
+  cur_dom = NULL;
+  
+  /* Then if given, switch to the new one. */
+  if (new_domain && *new_domain)
+    {
+      char *str;
+
+      str = cur_dom = strdup(new_domain);
+
+      while (*str != '\0')
+	{
+	  *str = tolower(*str);
+	  str++;
+	}
+      
+      D(("Configuration domain set to '%s'\n", cur_dom));
+    }
+}
+
+
+void
+__bro_conf_set_storage_domain(const char *storage_domain)
+{
+  if (! storage_domain || ! *storage_domain)
+    {
+      parsing_conf = default_conf;
+      return;
+    }
+
+  if (! (parsing_conf = (BroHT *)  __bro_ht_get(dom_conf, storage_domain)))
+    {
+      D(("Allocating domain '%s'\n", storage_domain));
+      
+      parsing_conf = __bro_ht_new(__bro_ht_str_hash,
+				  __bro_ht_str_cmp,
+				  NULL,
+				  (BroHTFreeFunc)conf_item_free,
+				  FALSE);
+      
+      __bro_ht_add(dom_conf, strdup(storage_domain), parsing_conf);
+    }
+}
+
+
+const char   *
+__bro_conf_get_domain(void)
+{
+  return cur_dom;
+}
+
+
+void
+__bro_conf_add_int(const char *val_name, int val)
+{
+  BroConfIt *ci;
+
+  if (! (ci = conf_item_new(val_name, BRO_CONF_INT, &val)))
+    return;
+
+  __bro_ht_add(parsing_conf, ci->ci_name, ci);
+}
+
+
+void
+__bro_conf_add_dbl(const char *val_name, double val)
+{
+  BroConfIt *ci;
+
+  if (! (ci = conf_item_new(val_name, BRO_CONF_DBL, &val)))
+    return;
+
+  __bro_ht_add(parsing_conf, ci->ci_name, ci);
+}
+
+
+void
+__bro_conf_add_str(const char *val_name, char *val)
+{
+  BroConfIt *ci;
+
+  if (! (ci = conf_item_new(val_name, BRO_CONF_STR, val)))
+    return;
+
+  __bro_ht_add(parsing_conf, ci->ci_name, ci);
+}
+
+
+int
+__bro_conf_get_int(const char *val_name, int *val)
+{
+  BroConfIt *ci;
+  BroHT *conf;
+
+  __bro_conf_init();
+  conf = assert_domain();
+
+  do {
+    if (! (ci = __bro_ht_get(conf, (void*) val_name)))
+      break;    
+    if (ci->ci_type != BRO_CONF_INT)
+      break;
+
+    *val = ci->ci_int;
+    return TRUE;
+
+  } while (0);
+
+  do {
+    if (! (ci = __bro_ht_get(default_conf, (void*) val_name)))
+      break;   
+    if (ci->ci_type != BRO_CONF_INT)
+      break;
+
+    *val = ci->ci_int;
+    return TRUE;
+
+  } while (0);
+
+  return FALSE;
+}
+
+
+int
+__bro_conf_get_dbl(const char *val_name, double *val)
+{
+  BroConfIt *ci;
+  BroHT *conf;
+
+  __bro_conf_init();
+  conf = assert_domain();
+
+  do {
+    if (! (ci = __bro_ht_get(conf, (void*) val_name)))
+      break;
+    if (ci->ci_type != BRO_CONF_DBL)
+      break;
+
+    *val = ci->ci_dbl;
+    return TRUE;
+  } while (0);
+
+  do {
+    if (! (ci = __bro_ht_get(default_conf, (void*) val_name)))
+      break;
+    if (ci->ci_type != BRO_CONF_DBL)
+      break;
+
+    *val = ci->ci_dbl;
+    return TRUE;
+  } while (0);
+
+  return FALSE;
+}
+
+
+const char *  
+__bro_conf_get_str(const char *val_name)
+{
+  BroConfIt *ci;
+  BroHT *conf;
+
+  __bro_conf_init();
+  conf = assert_domain();
+
+  do {
+    if (! (ci = __bro_ht_get(conf, (void*) val_name)))
+      break;
+    if (ci->ci_type != BRO_CONF_STR)
+      break;
+    
+    return ci->ci_str;
+  } while (0);
+
+  do {
+    if (! (ci = __bro_ht_get(default_conf, (void*) val_name)))
+      break;
+    if (ci->ci_type != BRO_CONF_STR)
+      break;
+    
+    return ci->ci_str;
+  } while (0);
+  
+  return NULL;
+}
+
+
+int
+__bro_conf_forget_item(const char *val_name)
+{
+  BroConfIt *ci;
+  BroHT *conf;
+
+  __bro_conf_init();
+  conf = assert_domain();
+
+  if (! (ci = __bro_ht_del(conf, (void*) val_name)))
+    {
+      if (! (ci = __bro_ht_del(default_conf, (void*) val_name)))
+	return FALSE;
+    }
+
+  conf_item_free(ci);
+  return TRUE;
+}
+
diff --git a/aux/broccoli/src/bro_config.h b/aux/broccoli/src/bro_config.h
new file mode 100644
index 0000000000..91f22c1336
--- /dev/null
+++ b/aux/broccoli/src/bro_config.h
@@ -0,0 +1,44 @@
+/*
+       B R O C C O L I  --  The Bro Client Communications Library
+
+Copyright (C) 2004-2008 Christian Kreibich <christian (at) icir.org>
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to
+deal in the Software without restriction, including without limitation the
+rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+sell copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies of the Software and its documentation and acknowledgment shall be
+given in the documentation and software packages that this Software was
+used.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+*/
+#ifndef broccoli_config_h
+#define broccoli_config_h
+
+void          __bro_conf_init(void);
+void          __bro_conf_set_domain(const char *domain);
+void          __bro_conf_set_storage_domain(const char *domain);
+const char   *__bro_conf_get_domain(void);
+
+void          __bro_conf_add_int(const char *val_name, int val);
+void          __bro_conf_add_dbl(const char *val_name, double val);
+void          __bro_conf_add_str(const char *val_name, char *val);
+
+int           __bro_conf_get_int(const char *val_name, int *val);
+int           __bro_conf_get_dbl(const char *val_name, double *val);
+const char *  __bro_conf_get_str(const char *val_name);
+
+int           __bro_conf_forget_item(const char *val_name);
+
+#endif
diff --git a/aux/broccoli/src/bro_debug.c b/aux/broccoli/src/bro_debug.c
new file mode 100644
index 0000000000..d5162268e8
--- /dev/null
+++ b/aux/broccoli/src/bro_debug.c
@@ -0,0 +1,90 @@
+/*
+       B R O C C O L I  --  The Bro Client Communications Library
+
+Copyright (C) 2004-2008 Christian Kreibich <christian (at) icir.org>
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to
+deal in the Software without restriction, including without limitation the
+rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+sell copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies of the Software and its documentation and acknowledgment shall be
+given in the documentation and software packages that this Software was
+used.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+*/
+#ifdef HAVE_CONFIG_H
+#  include <config.h>
+#endif
+
+#include <stdio.h>
+#include <stdarg.h>
+
+#include <bro_debug.h>
+#include <bro_util.h>
+
+int bro_debug_calltrace = 0;
+int bro_debug_messages  = 0;
+
+static int calldepth = 0;
+
+static void 
+debug_whitespace(void)
+{
+  int i;
+  
+  for (i = 0; i < 2*calldepth; i++)
+    fprintf(stderr, "-");
+}
+
+
+void
+bro_debug(const char *fmt, ...)
+{
+  va_list argp;
+
+  if (bro_debug_messages)
+    {
+      va_start(argp, fmt);
+      vfprintf(stderr, fmt, argp);
+      va_end(argp);
+    }
+}
+
+
+void
+bro_debug_enter(const char *function, int line)
+{
+  if (! bro_debug_calltrace)
+    return;
+
+  fprintf(stderr, "%u ", getpid());
+  calldepth++;
+  debug_whitespace();
+  fprintf(stderr, "> %s(%i)\n", function, line);
+}
+
+
+void
+bro_debug_return(const char *function, int line)
+{
+  if (! bro_debug_calltrace)
+    return;
+
+  fprintf(stderr, "%u <", getpid());
+  debug_whitespace();
+  fprintf(stderr, " %s(%i)\n", function, line);
+  
+  if (--calldepth < 0)
+    calldepth = 0;
+}
diff --git a/aux/broccoli/src/bro_debug.h b/aux/broccoli/src/bro_debug.h
new file mode 100644
index 0000000000..cc60f5af38
--- /dev/null
+++ b/aux/broccoli/src/bro_debug.h
@@ -0,0 +1,81 @@
+/*
+       B R O C C O L I  --  The Bro Client Communications Library
+
+Copyright (C) 2004-2008 Christian Kreibich <christian (at) icir.org>
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to
+deal in the Software without restriction, including without limitation the
+rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+sell copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies of the Software and its documentation and acknowledgment shall be
+given in the documentation and software packages that this Software was
+used.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+*/
+#ifndef __broccoli_debug_h
+#define __broccoli_debug_h
+
+#include <unistd.h>
+#include <stdio.h>
+
+#include <broccoli.h>
+#include <bro_util.h>
+
+void    bro_debug_enter(const char *function, int line);
+void    bro_debug_return(const char *function, int line);
+
+#ifdef BRO_DEBUG
+
+void    bro_debug(const char *msg, ...);
+
+/**
+ * D - prints debugging output
+ * @x: debugging information.
+ *
+ * Use this macro to output debugging information. @x is
+ * the content as you would pass it to printf(), including
+ * braces to make the arguments appear as one argument to
+ * the macro. The macro is void if BRO_DEBUG is not defined
+ * at compile time.
+ */
+#undef  D
+#define D(x)                  do { bro_debug("%u %f %s/%i ", getpid(), __bro_util_get_time(),  __FILE__, __LINE__); bro_debug x ; } while (0) 
+
+#undef  D_ENTER
+#define D_ENTER               bro_debug_enter(__FUNCTION__, __LINE__)
+
+#undef  D_RETURN
+#define D_RETURN              do { bro_debug_return(__FUNCTION__, __LINE__); return; } while (0)
+
+#undef  D_RETURN_
+#define D_RETURN_(x)          do { bro_debug_return(__FUNCTION__, __LINE__); return (x); } while (0)
+
+#else
+
+#undef  D
+#define D(x)  
+
+#undef  D_ENTER
+#define D_ENTER
+
+#undef  D_RETURN
+#define D_RETURN              return
+
+#undef  D_RETURN_
+#define D_RETURN_(x)          return (x)
+
+#endif /* BRO_DEBUG */
+
+#endif 
+
diff --git a/aux/broccoli/src/bro_event.c b/aux/broccoli/src/bro_event.c
new file mode 100644
index 0000000000..45b0dc1f9f
--- /dev/null
+++ b/aux/broccoli/src/bro_event.c
@@ -0,0 +1,247 @@
+/*
+       B R O C C O L I  --  The Bro Client Communications Library
+
+Copyright (C) 2004-2008 Christian Kreibich <christian (at) icir.org>
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to
+deal in the Software without restriction, including without limitation the
+rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+sell copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies of the Software and its documentation and acknowledgment shall be
+given in the documentation and software packages that this Software was
+used.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+*/
+#if HAVE_CONFIG_H
+# include <config.h>
+#endif
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <sys/types.h>
+#include <string.h>
+#include <unistd.h>
+#include <errno.h>
+#include <sys/time.h>
+
+#ifdef __EMX__
+#include <strings.h>
+#endif 
+
+#include <bro_types.h>
+#include <bro_type.h>
+#include <bro_val.h>
+#include <bro_debug.h>
+#include <bro_event.h>
+
+BroEvent      *
+__bro_event_new(BroString *name)
+{
+  BroEvent *ev;
+
+  if (!name)
+    return NULL;
+
+  if (! (ev = calloc(1, sizeof(BroEvent))))
+    return NULL;
+
+  if (! bro_string_set_data(&(ev->name), name->str_val, name->str_len))
+    {
+      free(ev);
+      return NULL;
+    }
+
+  return ev;
+}
+
+
+void           
+__bro_event_free(BroEvent *ev)
+{
+  if (!ev)
+    return;
+
+  bro_string_cleanup(&ev->name);
+  __bro_list_free(ev->val_list, (BroFunc) __bro_sobject_release);
+  free(ev);
+}
+
+
+BroEvent      *
+__bro_event_copy(BroEvent *ev)
+{
+  BroEvent *ev_copy;
+  BroVal *val, *val_copy;
+  BroList *l;
+
+  if (! ev)
+    return NULL;
+  
+  if (! (ev_copy = __bro_event_new(&ev->name)))
+    return NULL;
+  
+  for (l = ev->val_list; l; l = __bro_list_next(l))
+    {
+      val = __bro_list_data(l);
+
+      if (! (val_copy = (BroVal *) __bro_sobject_copy((BroSObject *) val)))
+	{
+	  __bro_event_free(ev_copy);
+	  return NULL;
+	}
+      
+      __bro_event_add_val(ev_copy, val_copy);
+    }
+  
+  D(("Copied event has %i arguments.\n", __bro_list_length(ev->val_list)));
+
+  return ev_copy;
+}
+
+
+const char *
+__bro_event_get_name(BroEvent *ev)
+{
+  if (! ev)
+    return NULL;
+
+  return (const char*) ev->name.str_val;
+}
+
+
+int
+__bro_event_serialize(BroEvent *ev, BroConn *bc)
+{
+  BroVal *val;
+  BroList *l;
+
+  D_ENTER;
+
+  /* Prepare the beginning of a serialized event call --
+   * event identifier, event name plus argument description.
+   */
+  if (! __bro_buf_write_char(bc->tx_buf, 'e'))
+    D_RETURN_(FALSE);
+
+  if (! __bro_buf_write_string(bc->tx_buf, &ev->name))
+    D_RETURN_(FALSE);
+  
+  if (! __bro_buf_write_double(bc->tx_buf, __bro_util_get_time()))
+    D_RETURN_(FALSE);
+
+  if (! __bro_buf_write_int(bc->tx_buf, ev->val_len))
+    D_RETURN_(FALSE);
+    
+  /* Now serialize each remaining parameter into the buffer: */
+  D(("Serializing event parameters\n"));
+  for (l = ev->val_list; l; l = __bro_list_next(l))
+    {
+      val = __bro_list_data(l);
+
+      if (! __bro_sobject_serialize((BroSObject *) val, bc))
+	D_RETURN_(FALSE);
+
+      D(("  Serialized one argument\n"));
+    }
+
+  D_RETURN_(TRUE);
+}
+
+
+BroEvent *
+__bro_event_unserialize(BroConn *bc)
+{
+  int i;
+  BroString ev_name;
+  double ev_ts;
+  uint32 ev_args;
+  BroEvent *ev = NULL;
+  BroVal *val = NULL;
+
+  D_ENTER;
+  
+  if (! __bro_buf_read_string(bc->rx_buf, &ev_name))
+    {
+      D(("Couldn't read event name.\n"));
+      D_RETURN_(NULL);
+    }
+  
+  if (! __bro_buf_read_double(bc->rx_buf, &ev_ts))
+    {
+      D(("Couldn't read event time.\n"));
+      bro_string_cleanup(&ev_name);
+      D_RETURN_(NULL);
+    }
+  
+  if (! __bro_buf_read_int(bc->rx_buf, &ev_args))
+    {
+      D(("Couldn't read number of event arguments.\n"));
+      bro_string_cleanup(&ev_name);
+      D_RETURN_(NULL);
+    }
+  
+  D(("Reading %i arguments for event %s\n", ev_args, ev_name.str_val));
+  ev = __bro_event_new(&ev_name);
+  ev->ts = ev_ts;
+  bro_string_cleanup(&ev_name);
+  
+  for (i = 0; i < (int) ev_args; i++)
+    {
+      D(("Reading parameter %i\n", i+1));
+      if (! (val = (BroVal *) __bro_sobject_unserialize(SER_IS_VAL, bc)))
+	{
+	  D(("Couldn't read parameter val %i.\n", i+1));
+	  __bro_event_free(ev);
+	  D_RETURN_(NULL);
+	}
+      
+      __bro_event_add_val(ev, val);
+    }
+
+  D_RETURN_(ev);
+}
+
+
+void
+__bro_event_add_val(BroEvent *ev, BroVal *v)
+{
+  D_ENTER;
+  ev->val_list = __bro_list_append(ev->val_list, v);
+  ev->val_len++;
+  D_RETURN;
+}
+
+
+int
+__bro_event_set_val(BroEvent *ev, int val_num, BroVal *v)
+{
+  BroList *l;
+
+  D_ENTER;
+
+  if (val_num < 0 || val_num >= ev->val_len)
+    {
+      D(("Invalid val index: given %i, having %i elements.\n", val_num, ev->val_len));
+      D_RETURN_(FALSE);
+    }
+
+  if ( (l = __bro_list_nth(ev->val_list, val_num)))
+    {
+      BroVal *val = __bro_list_set_data(l, v);
+      __bro_sobject_release((BroSObject *) val);
+      D_RETURN_(TRUE);
+    }
+
+  D_RETURN_(FALSE);
+}
diff --git a/aux/broccoli/src/bro_event.h b/aux/broccoli/src/bro_event.h
new file mode 100644
index 0000000000..5a65c85320
--- /dev/null
+++ b/aux/broccoli/src/bro_event.h
@@ -0,0 +1,43 @@
+/*
+       B R O C C O L I  --  The Bro Client Communications Library
+
+Copyright (C) 2004-2008 Christian Kreibich <christian (at) icir.org>
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to
+deal in the Software without restriction, including without limitation the
+rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+sell copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies of the Software and its documentation and acknowledgment shall be
+given in the documentation and software packages that this Software was
+used.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+*/
+#ifndef broccoli_event_h
+#define broccoli_event_h
+
+#include <broccoli.h>
+#include <bro_val.h>
+
+BroEvent      *__bro_event_new(BroString *name);
+void           __bro_event_free(BroEvent *be);
+BroEvent      *__bro_event_copy(BroEvent *be);
+const char    *__bro_event_get_name(BroEvent *be);
+
+int            __bro_event_serialize(BroEvent *be, BroConn *bc);
+BroEvent      *__bro_event_unserialize(BroConn *bc);
+
+void           __bro_event_add_val(BroEvent *be, BroVal *val);
+int            __bro_event_set_val(BroEvent *be, int val_num, BroVal *val);
+
+#endif
diff --git a/aux/broccoli/src/bro_event_reg.c b/aux/broccoli/src/bro_event_reg.c
new file mode 100644
index 0000000000..67aa1b8860
--- /dev/null
+++ b/aux/broccoli/src/bro_event_reg.c
@@ -0,0 +1,643 @@
+/*
+       B R O C C O L I  --  The Bro Client Communications Library
+
+Copyright (C) 2004-2008 Christian Kreibich <christian (at) icir.org>
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to
+deal in the Software without restriction, including without limitation the
+rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+sell copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies of the Software and its documentation and acknowledgment shall be
+given in the documentation and software packages that this Software was
+used.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+*/
+#if HAVE_CONFIG_H
+# include <config.h>
+#endif
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <sys/types.h>
+#include <string.h>
+#include <unistd.h>
+#include <errno.h>
+
+#ifdef __EMX__
+#include <strings.h>
+#endif 
+
+#include <bro_types.h>
+#include <bro_event.h>
+#include <bro_debug.h>
+#include <bro_io.h>
+#include <bro_event_reg.h>
+
+typedef void (*BroEvDispatcher)(BroConn *bc, BroEventCB *cb, BroEvent *ev);
+
+#define DISPATCH_TABLE_SIZE 15
+
+/* Goes through all vals in the given event ev and extracts
+ * from each val a pointer to its actual value, storing it
+ * into the vals array.
+ */
+static int
+event_reg_init_vals(BroEvent *ev, void **vals)
+{
+  int i;
+  BroList *l;
+  BroVal *val;
+  
+  for (i = 0, l = ev->val_list; l; i++, l = __bro_list_next(l))
+    {
+      val = __bro_list_data(l);
+      
+      if (! __bro_val_get_data(val, NULL, &(vals[i])))
+	{
+	  D(("Error during callback parameter marshaling of parameter %i\n", i));
+	  return FALSE;
+	}
+    }
+  
+  return TRUE;
+}
+
+/* Goes through all vals in the given event ev and extracts
+ * from each val a pointer to its actual value and the type
+ * of the val, storing it into the given BroEvArg and BroValMeta
+ * structures.
+ */
+static int
+event_reg_init_args(BroEvent *ev, BroEvArg *args)
+{
+  int i;
+  BroList *l;
+  BroVal *val;
+  
+  for (i = 0, l = ev->val_list; l; l = __bro_list_next(l), args++, i++)
+    {
+      val = __bro_list_data(l);
+
+      if (! __bro_val_get_data(val, &args->arg_type, &args->arg_data))
+	{
+	  D(("Error during callback parameter marshaling of parameter %i\n", i));
+	  return FALSE;
+	}
+    }
+  
+  return TRUE;
+}
+
+static void
+dispatcher_compact(BroConn *bc, BroEventCB *cb, BroEvent *ev)
+{
+  BroEvMeta meta;
+  BroEvArg *args = NULL;
+
+  memset(&meta, 0, sizeof(meta));
+
+  if (! (args = calloc(ev->val_len, sizeof(BroEvArg)))) {
+    D(("Out of memory when allocating %d BroEvArgs\n", ev->val_len));
+    return;
+  }
+  
+  meta.ev_name = (const char*) bro_string_get_data(&ev->name);
+  meta.ev_ts = ev->ts;
+  meta.ev_numargs = ev->val_len;
+  meta.ev_args = args;
+  meta.ev_start = (const uchar*) bc->rx_ev_start;
+  meta.ev_end = (const uchar*) bc->rx_ev_end;
+
+  if (! event_reg_init_args(ev, args)) {
+    free(args);
+    return;
+  }
+  
+  cb->cb_compact_func(bc, cb->cb_user_data, &meta);
+
+  free(args);
+}
+
+static void
+dispatcher0(BroConn *bc, BroEventCB *cb, BroEvent *ev)
+{
+  cb->cb_expanded_func(bc, cb->cb_user_data);
+  return; ev = 0;
+}
+
+static void
+dispatcher1(BroConn *bc, BroEventCB *cb, BroEvent *ev)
+{
+  void *vals[1];
+  
+  if (! event_reg_init_vals(ev, vals))
+    return;
+  
+  cb->cb_expanded_func(bc, cb->cb_user_data, vals[0]);
+}
+
+static void
+dispatcher2(BroConn *bc, BroEventCB *cb, BroEvent *ev)
+{
+  void *vals[2];
+  
+  if (! event_reg_init_vals(ev, vals))
+    return;
+  
+  cb->cb_expanded_func(bc, cb->cb_user_data, vals[0], vals[1]);
+}
+
+static void
+dispatcher3(BroConn *bc, BroEventCB *cb, BroEvent *ev)
+{
+  void *vals[3];
+  
+  if (! event_reg_init_vals(ev, vals))
+    return;
+  
+  cb->cb_expanded_func(bc, cb->cb_user_data, vals[0], vals[1], vals[2]);
+}
+
+static void
+dispatcher4(BroConn *bc, BroEventCB *cb, BroEvent *ev)
+{
+  void *vals[4];
+  
+  if (! event_reg_init_vals(ev, vals))
+    return;
+  
+  cb->cb_expanded_func(bc, cb->cb_user_data, vals[0], vals[1], vals[2], vals[3]);
+}
+
+static void
+dispatcher5(BroConn *bc, BroEventCB *cb, BroEvent *ev)
+{
+  void *vals[5];
+  
+  if (! event_reg_init_vals(ev, vals))
+    return;
+  
+  cb->cb_expanded_func(bc, cb->cb_user_data, vals[0], vals[1], vals[2],
+		       vals[3], vals[4]);
+}
+
+static void
+dispatcher6(BroConn *bc, BroEventCB *cb, BroEvent *ev)
+{
+  void *vals[6];
+  
+  if (! event_reg_init_vals(ev, vals))
+    return;
+  
+  cb->cb_expanded_func(bc, cb->cb_user_data, vals[0], vals[1], vals[2],
+		       vals[3], vals[4], vals[5]);
+}
+
+static void
+dispatcher7(BroConn *bc, BroEventCB *cb, BroEvent *ev)
+{
+  void *vals[7];
+  
+  if (! event_reg_init_vals(ev, vals))
+    return;
+  
+  cb->cb_expanded_func(bc, cb->cb_user_data, vals[0], vals[1], vals[2],
+		       vals[3], vals[4], vals[5], vals[6]);
+}
+
+static void
+dispatcher8(BroConn *bc, BroEventCB *cb, BroEvent *ev)
+{
+  void *vals[8];
+  
+  if (! event_reg_init_vals(ev, vals))
+    return;
+  
+  cb->cb_expanded_func(bc, cb->cb_user_data, vals[0], vals[1], vals[2],
+		       vals[3], vals[4], vals[5], vals[6], vals[7]);
+}
+
+static void
+dispatcher9(BroConn *bc, BroEventCB *cb, BroEvent *ev)
+{
+  void *vals[9];
+  
+  if (! event_reg_init_vals(ev, vals))
+    return;
+  
+  cb->cb_expanded_func(bc, cb->cb_user_data, vals[0], vals[1], vals[2],
+		       vals[3], vals[4], vals[5], vals[6], vals[7],
+		       vals[8]);
+}
+
+static void
+dispatcher10(BroConn *bc, BroEventCB *cb, BroEvent *ev)
+{
+  void *vals[10];
+  
+  if (! event_reg_init_vals(ev, vals))
+    return;
+  
+  cb->cb_expanded_func(bc, cb->cb_user_data, vals[0], vals[1], vals[2],
+		       vals[3], vals[4], vals[5], vals[6], vals[7],
+		       vals[8], vals[9]);
+}
+
+static void
+dispatcher11(BroConn *bc, BroEventCB *cb, BroEvent *ev)
+{
+  void *vals[11];
+  
+  if (! event_reg_init_vals(ev, vals))
+    return;
+  
+  cb->cb_expanded_func(bc, cb->cb_user_data, vals[0], vals[1], vals[2],
+		       vals[3], vals[4], vals[5], vals[6], vals[7],
+		       vals[8], vals[9], vals[10]);
+}
+
+static void
+dispatcher12(BroConn *bc, BroEventCB *cb, BroEvent *ev)
+{
+  void *vals[12];
+  
+  if (! event_reg_init_vals(ev, vals))
+    return;
+  
+  cb->cb_expanded_func(bc, cb->cb_user_data, vals[0], vals[1], vals[2],
+		       vals[3], vals[4], vals[5], vals[6], vals[7],
+		       vals[8], vals[9], vals[10], vals[11]);
+}
+
+static void
+dispatcher13(BroConn *bc, BroEventCB *cb, BroEvent *ev)
+{
+  void *vals[13];
+  
+  if (! event_reg_init_vals(ev, vals))
+    return;
+  
+  cb->cb_expanded_func(bc, cb->cb_user_data, vals[0], vals[1], vals[2],
+		       vals[3], vals[4], vals[5], vals[6], vals[7],
+		       vals[8], vals[9], vals[10], vals[11], vals[12]);
+}
+
+static void
+dispatcher14(BroConn *bc, BroEventCB *cb, BroEvent *ev)
+{
+  void *vals[14];
+  
+  if (! event_reg_init_vals(ev, vals))
+    return;
+  
+  cb->cb_expanded_func(bc, cb->cb_user_data, vals[0], vals[1], vals[2],
+		       vals[3], vals[4], vals[5], vals[6], vals[7],
+		       vals[8], vals[9], vals[10], vals[11], vals[12],
+	      vals[13]);
+}
+
+static void
+dispatcher15(BroConn *bc, BroEventCB *cb, BroEvent *ev)
+{
+  void *vals[15];
+  
+  if (! event_reg_init_vals(ev, vals))
+    return;
+  
+  cb->cb_expanded_func(bc, cb->cb_user_data, vals[0], vals[1], vals[2],
+		       vals[3], vals[4], vals[5], vals[6], vals[7],
+		       vals[8], vals[9], vals[10], vals[11], vals[12],
+		       vals[13], vals[14]);
+}
+
+static BroEvDispatcher disp_table[] = 
+  {
+    dispatcher0, dispatcher1, dispatcher2, dispatcher3,
+    dispatcher4, dispatcher5, dispatcher6, dispatcher7,
+    dispatcher8, dispatcher9, dispatcher10, dispatcher11,
+    dispatcher12, dispatcher13, dispatcher14, dispatcher15,
+  };
+
+static BroEventHandler*
+event_reg_handler_new(const char *ev_name)
+{
+  BroEventHandler *beh;
+
+  if (!ev_name || !*ev_name)
+    return NULL;
+
+  if (! (beh = calloc(1, sizeof(BroEventHandler))))
+    return NULL;
+
+  beh->ev_name = strdup(ev_name);
+  TAILQ_INIT(&beh->cb_list);
+  
+  return beh;
+}
+
+static void
+event_reg_handler_free(BroEventHandler *beh)
+{
+  BroEventCB *cb;
+
+  if (!beh)
+    return;
+
+  if (beh->ev_name)
+    free(beh->ev_name);
+
+  while ( (cb = beh->cb_list.tqh_first))
+    {
+      TAILQ_REMOVE(&beh->cb_list, cb, cb_list);
+      free(cb);
+    }
+  
+  free(beh);  
+}
+
+static void
+event_reg_handler_dispatch(BroConn *bc, BroEventHandler *beh, BroEvent *ev)
+{
+  BroEventCB *cb;
+
+  if (!beh || !ev)
+    return;
+
+  if (ev->val_len > DISPATCH_TABLE_SIZE)
+    return;
+
+  for (cb = beh->cb_list.tqh_first; cb; cb = cb->cb_list.tqe_next)
+    {
+      switch (cb->cb_style) {
+      case BRO_CALLBACK_EXPANDED:
+	disp_table[ev->val_len](bc, cb, ev);
+	break;
+
+      case BRO_CALLBACK_COMPACT:
+	dispatcher_compact(bc, cb, ev);
+	break;
+
+      default:
+	;
+      };
+    }
+}
+
+
+BroEventReg   *
+__bro_event_reg_new(void)
+{
+  BroEventReg *reg;
+
+  if (! (reg = calloc(1, sizeof(BroEventReg))))
+    return NULL;
+
+  TAILQ_INIT(&reg->handler_list);
+  return reg;
+}
+
+
+void
+__bro_event_reg_free(BroEventReg *reg)
+{
+  BroEventHandler *beh;
+
+  if (!reg)
+    return;
+
+  while ( (beh = reg->handler_list.tqh_first))
+    {
+      TAILQ_REMOVE(&reg->handler_list, beh, handler_list);
+      event_reg_handler_free(beh);
+    }
+
+  free(reg);
+}
+
+static void           
+event_reg_add(BroEventCB *cb, BroEventReg *reg,
+	      const char *ev_name)
+{
+  BroEventHandler *beh;
+
+  for (beh = reg->handler_list.tqh_first; beh; beh = beh->handler_list.tqe_next)
+    {
+      if (strcmp(beh->ev_name, ev_name))
+	continue;
+      
+      /* We have found a handler for this event.
+       * Add the new callback and return.
+       */
+      TAILQ_INSERT_TAIL(&beh->cb_list, cb, cb_list);      
+      reg->num_handlers++;
+      return;
+    }
+  
+  /* We don't have a handler for this event yet.
+   * Create it, add a callback for the given func,
+   * and register it.
+   */
+  if (! (beh = event_reg_handler_new(ev_name)))
+    {
+      free(cb);
+      return;
+    }
+
+  TAILQ_INSERT_TAIL(&beh->cb_list, cb, cb_list);
+  TAILQ_INSERT_TAIL(&reg->handler_list, beh, handler_list);  
+  reg->num_handlers++;
+}
+
+void           
+__bro_event_reg_add(BroConn *bc, const char *ev_name,
+		    BroEventFunc func, void *user_data)
+{
+  BroEventHandler *beh;
+  BroEventCB *cb;
+  BroEventReg *reg;
+
+  if (!bc || !ev_name || !*ev_name)
+    return;
+  if (! (reg = bc->ev_reg))
+    return;
+      
+  /* Create a new callback data structure */
+  if (! (cb = calloc(1, sizeof(BroEventCB))))
+    return;
+  
+  cb->cb_expanded_func = func;
+  cb->cb_user_data = user_data;
+  cb->cb_style = BRO_CALLBACK_EXPANDED;
+  
+  event_reg_add(cb, reg, ev_name);
+}
+
+
+void           
+__bro_event_reg_add_compact(BroConn *bc, const char *ev_name,
+			    BroCompactEventFunc func, void *user_data)
+{
+  BroEventHandler *beh;
+  BroEventCB *cb;
+  BroEventReg *reg;
+
+  if (!bc || !ev_name || !*ev_name)
+    return;
+  if (! (reg = bc->ev_reg))
+    return;
+      
+  /* Create a new callback data structure */
+  if (! (cb = calloc(1, sizeof(BroEventCB))))
+    return;
+  
+  cb->cb_compact_func = func;
+  cb->cb_user_data = user_data;
+  cb->cb_style = BRO_CALLBACK_COMPACT;
+  
+  event_reg_add(cb, reg, ev_name);
+}
+
+
+int
+__bro_event_reg_remove(BroConn *bc, const char *ev_name)
+{
+  BroEventHandler *beh;
+  BroEventReg *reg;
+
+  if (!bc || !ev_name || !*ev_name)
+    return FALSE;
+  if (! (reg = bc->ev_reg))
+    return FALSE;
+
+  for (beh = reg->handler_list.tqh_first; beh; beh = beh->handler_list.tqe_next)
+    {
+      if (strcmp(beh->ev_name, ev_name))
+	continue;
+
+      TAILQ_REMOVE(&reg->handler_list, beh, handler_list);
+      event_reg_handler_free(beh);
+      reg->num_handlers--;
+      return TRUE;
+    }
+
+  return FALSE;
+}
+
+
+int
+__bro_event_reg_request(BroConn *bc)
+{
+  BroEventReg *reg;
+  BroEventHandler *beh;
+  BroRequest *req;
+  int len = 0;
+  int result;
+  char *ptr;
+
+  D_ENTER;
+
+  if (!bc)
+    D_RETURN_(FALSE);
+  
+  if (! (reg = bc->ev_reg))
+    D_RETURN_(FALSE);
+  
+  /* Go over all handlers once, and collect the total length of
+   * all event names including terminating 0s.
+   */
+  for (beh = reg->handler_list.tqh_first; beh; beh = beh->handler_list.tqe_next)
+    len += strlen(beh->ev_name) + 1;
+
+  /* Allocate a request structure for that length */
+  if (! (req = __bro_event_request_new(len)))
+    D_RETURN_(FALSE);
+
+  /* Go through again and copy all event names into the
+   * request structure.
+   */
+  ptr = req->req_dat;
+  for (beh = reg->handler_list.tqh_first; beh; beh = beh->handler_list.tqe_next)
+    {
+      D(("Requesting event '%s'\n", beh->ev_name));
+      memcpy(ptr, beh->ev_name, strlen(beh->ev_name));
+      ptr += strlen(ptr) + 1;
+    }
+  
+  if (! __bro_io_request_queue(bc, req))
+    D_RETURN_(FALSE);
+
+  D_RETURN_(TRUE);
+}
+
+
+void
+__bro_event_reg_dispatch(BroConn *bc, BroEvent *ev)
+{
+  BroEventReg *reg;
+  BroEventHandler *beh;
+
+  D_ENTER;
+
+  if (!bc || !ev || ! (reg = bc->ev_reg))
+    {
+      D(("Input error\n"));
+      D_RETURN;
+    }
+  
+  D(("Dispatching event '%s' with %i paramaters.\n", ev->name.str_val, ev->val_len));
+
+  for (beh = reg->handler_list.tqh_first; beh; beh = beh->handler_list.tqe_next)
+    {
+      if (strcmp(__bro_event_get_name(ev), beh->ev_name) == 0)
+	event_reg_handler_dispatch(bc, beh, ev);
+    }  
+  
+  D_RETURN;
+}
+
+
+BroRequest *
+__bro_event_request_new(int len)
+{
+  BroRequest *req;
+
+  if (len <= 0)
+    return NULL;
+
+  if (! (req = calloc(1, sizeof(BroRequest))))
+    return NULL;
+
+  if (! (req->req_dat = calloc(len + 1, sizeof(char))))
+    {
+      free(req);
+      return NULL;
+    }
+  
+  req->req_len = len;
+  return req;
+}
+
+
+void
+__bro_event_request_free(BroRequest *req)
+{
+  if (! req)
+    return;
+
+  if (req->req_dat)
+    free(req->req_dat);
+  
+  free(req);
+}
+
diff --git a/aux/broccoli/src/bro_event_reg.h b/aux/broccoli/src/bro_event_reg.h
new file mode 100644
index 0000000000..e3320bb713
--- /dev/null
+++ b/aux/broccoli/src/bro_event_reg.h
@@ -0,0 +1,51 @@
+/*
+       B R O C C O L I  --  The Bro Client Communications Library
+
+Copyright (C) 2004-2008 Christian Kreibich <christian (at) icir.org>
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to
+deal in the Software without restriction, including without limitation the
+rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+sell copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies of the Software and its documentation and acknowledgment shall be
+given in the documentation and software packages that this Software was
+used.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+*/
+#ifndef broccoli_event_reg_h
+#define broccoli_event_reg_h
+
+#include <broccoli.h>
+
+BroEventReg   *__bro_event_reg_new(void);
+void           __bro_event_reg_free(BroEventReg *reg);
+
+void           __bro_event_reg_add(BroConn *bc,
+				   const char *ev_name,
+				   BroEventFunc func,
+				   void *user_data);
+
+void           __bro_event_reg_add_compact(BroConn *bc,
+					   const char *ev_name,
+					   BroCompactEventFunc func,
+					   void *user_data);
+
+int            __bro_event_reg_remove(BroConn *bc, const char *ev_name);
+int            __bro_event_reg_request(BroConn *bc);
+void           __bro_event_reg_dispatch(BroConn *bc, BroEvent *ev);
+
+BroRequest    *__bro_event_request_new(int len);
+void           __bro_event_request_free(BroRequest *req);
+
+#endif
diff --git a/aux/broccoli/src/bro_hashtable.c b/aux/broccoli/src/bro_hashtable.c
new file mode 100644
index 0000000000..a450207dcb
--- /dev/null
+++ b/aux/broccoli/src/bro_hashtable.c
@@ -0,0 +1,424 @@
+/*
+       B R O C C O L I  --  The Bro Client Communications Library
+
+Copyright (C) 2004-2008 Christian Kreibich <christian (at) icir.org>
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to
+deal in the Software without restriction, including without limitation the
+rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+sell copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies of the Software and its documentation and acknowledgment shall be
+given in the documentation and software packages that this Software was
+used.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+*/
+#if HAVE_CONFIG_H
+# include <config.h>
+#endif
+
+#include <string.h>
+#include <unistd.h>
+#include <errno.h>
+#include <sys/time.h>
+
+#ifdef __EMX__
+#include <strings.h>
+#endif 
+
+#include <bro_types.h>
+#include <bro_debug.h>
+#include <bro_list.h>
+#include <bro_hashtable.h>
+
+#define BRO_HT_NUM_SLOTS 127
+
+#ifdef BRO_DEBUG
+#define DEBUG_HTS
+#endif
+
+#ifdef DEBUG_HTS
+#  define DEBUG_HT(x) do { printf("%s/%i: ", __FILE__, __LINE__); printf x ; } while (0);
+#else
+#  define DEBUG_HT(x)
+#endif
+
+typedef struct bro_hash_item
+{
+  /* For the age list in the hashtable. We know every node will
+   * occur only once in the hashtable, and we want the items 
+   * themselves to be the nodes, so the macros are okay.
+   */
+  TAILQ_ENTRY(bro_hash_item) age_list;
+
+  void         *it_key;
+  void         *it_data;
+
+} BroHTIt;
+
+typedef TAILQ_HEAD(hi_list, bro_hash_item) BroHIList;
+
+struct bro_ht
+{
+  BroList     **ht_slots;
+  int           ht_numslots;
+  int           ht_size;
+
+  /* Age list for elements in hash table, only used if
+   * requested in __bro_ht_new(). The youngest element
+   * of the age list sits at the *tail* of the list,
+   * the oldest is at the *front*.
+   */
+  int           use_age_list;
+  BroHIList     age_list;
+
+  BroHTHashFunc ht_hash_func;
+  BroHTCmpFunc  ht_cmp_func;
+  BroHTFreeFunc ht_key_free_func;
+  BroHTFreeFunc ht_val_free_func;
+};
+
+
+BroHT *
+__bro_ht_new(BroHTHashFunc hash_func,
+	     BroHTCmpFunc cmp_func,
+	     BroHTFreeFunc key_free_func,
+	     BroHTFreeFunc val_free_func,
+	     int use_age_list)
+{
+  BroHT *ht;
+  int i;
+
+  D_ENTER;
+
+  /* It may be okay if we get no free_funcs ... */
+  if (!hash_func || !cmp_func)
+    D_RETURN_(NULL);
+
+  if (! (ht = calloc(1, sizeof(BroHT))))
+    D_RETURN_(NULL);
+
+  ht->ht_numslots = BRO_HT_NUM_SLOTS;
+  ht->ht_size = 0;
+  ht->use_age_list = use_age_list;
+  ht->ht_hash_func = hash_func;
+  ht->ht_cmp_func = cmp_func;
+  ht->ht_key_free_func = key_free_func;
+  ht->ht_val_free_func = val_free_func;
+
+  /* ht_slots is kept NULL here to avoid work on tables that are never
+   * inserted into.
+   */
+  
+  /* Initialize the age list no matter whether it'll be
+   * used or not.
+   */
+  TAILQ_INIT(&ht->age_list);
+  
+  D_RETURN_(ht);
+}
+
+
+void
+__bro_ht_free(BroHT *ht)
+{
+  BroList *l;
+  BroHTIt *it;
+  int i;
+
+  D_ENTER;
+
+  if (! ht)
+    D_RETURN;
+
+  /* Age list doesn't need cleaning up as its nodes are 
+   * entries in the regular hashtable, which are cleaned
+   * up now:
+   */
+  
+  if (ht->ht_slots == NULL)
+    {
+      free(ht);
+      D_RETURN;
+    }
+
+  for (i = 0; i < ht->ht_numslots; i++)
+    {
+      for (l = ht->ht_slots[i]; l; l = __bro_list_next(l))
+	{
+	  it = __bro_list_data(l);
+
+	  if (ht->ht_key_free_func)    
+	    ht->ht_key_free_func(it->it_key);
+
+	  if (ht->ht_val_free_func)
+	    ht->ht_val_free_func(it->it_data);
+
+	  free(it);
+	}
+      
+      __bro_list_free(ht->ht_slots[i], NULL);
+    }
+  
+  free(ht->ht_slots);
+  free(ht);
+  D_RETURN;
+}
+
+
+int
+__bro_ht_add(BroHT *ht, void *key, void *data)
+{
+  uint32 slot;
+  BroHTIt *it;
+
+  D_ENTER;
+
+  if (!ht || !key)
+    {
+      D(("Input error: (%p, %p, %p)\n", ht, key, data));
+      D_RETURN_(FALSE);
+    }
+  
+  if (! (it = calloc(1, sizeof(BroHTIt))))
+    {
+      D(("Out of memory.\n"));
+      D_RETURN_(FALSE);
+    }
+  
+  it->it_key = key;
+  it->it_data = data;
+  
+  if (ht->ht_slots == NULL)
+    {
+      if (! (ht->ht_slots = calloc(ht->ht_numslots, sizeof(BroList*))))
+	{
+	  D(("Out of memory.\n"));
+	  D_RETURN_(FALSE);
+	}
+    }
+  
+  slot = ht->ht_hash_func(key) % ht->ht_numslots;
+  ht->ht_slots[slot] = __bro_list_append(ht->ht_slots[slot], it);
+  ht->ht_size++;
+
+  if (ht->use_age_list)
+    TAILQ_INSERT_TAIL(&ht->age_list, it, age_list);
+
+  D_RETURN_(TRUE);
+}
+
+
+void *
+__bro_ht_get(BroHT *ht, const void *key)
+{
+  BroList *l;
+  BroHTIt *it;
+  uint32 slot;
+  
+  if (!ht || !key)
+    {
+      D(("Input error: (%p, %p)\n", ht, key));
+      return NULL;
+    }
+
+  if (!ht->ht_slots)
+    return NULL;
+  
+  slot = ht->ht_hash_func(key) % ht->ht_numslots;
+
+  for (l = ht->ht_slots[slot]; l; l = __bro_list_next(l))
+    {
+      it = __bro_list_data(l);
+      
+      if (ht->ht_cmp_func(it->it_key, key))
+	{
+	  if (ht->use_age_list)
+	    {
+	      TAILQ_REMOVE(&ht->age_list, it, age_list);
+	      TAILQ_INSERT_TAIL(&ht->age_list, it, age_list);
+	    }
+
+	  return it->it_data;
+	}
+    }
+
+  return NULL;
+}
+
+
+void     *
+__bro_ht_del(BroHT *ht, void *key)
+{
+  void *result;
+  BroHTIt *it;
+  BroList *l;
+  uint32 slot;
+
+  D_ENTER;
+
+  if (!ht || !key)
+    D_RETURN_(NULL);
+
+  if (!ht->ht_slots)
+    D_RETURN_(NULL);
+  
+  slot = ht->ht_hash_func(key) % ht->ht_numslots;
+  
+  for (l = ht->ht_slots[slot]; l; l = __bro_list_next(l))
+    {
+      it = __bro_list_data(l);
+
+      if (ht->ht_cmp_func(it->it_key, key))
+	{
+	  result = it->it_data;
+	  ht->ht_slots[slot] = __bro_list_remove(ht->ht_slots[slot], l);
+	  ht->ht_size--;
+	  
+	  /* Free the key if possible -- don't free the
+	   * value, as we just return that.
+	   */
+	  if (ht->ht_key_free_func)
+	    ht->ht_key_free_func(it->it_key);
+	  
+	  if (ht->use_age_list)
+	    TAILQ_REMOVE(&ht->age_list, it, age_list);
+	  
+	  free(it);
+	  
+	  D_RETURN_(result);
+	}
+    }
+  
+  D_RETURN_(NULL);
+}
+
+
+int
+__bro_ht_get_size(BroHT *ht)
+{
+  if (! ht)
+    return -1;
+
+  return ht->ht_size;
+}
+
+
+void
+__bro_ht_get_oldest(BroHT *ht, void **key, void **data)
+{
+  if (! ht || !ht->use_age_list)
+    {
+      if (key)
+	*key = NULL;
+      if (data)
+	*data = NULL;
+
+      return;
+    }
+
+  if (key)
+    *key = ht->age_list.tqh_first->it_key;
+  
+  if (data)
+    *data = ht->age_list.tqh_first->it_data;
+}
+
+
+int
+__bro_ht_evict_oldest(BroHT *ht)
+{
+  if (! ht)
+    return 0;
+  
+  if (ht->use_age_list && ht->age_list.tqh_first)
+    __bro_ht_del(ht, ht->age_list.tqh_first->it_key);
+  
+  return ht->ht_size;
+}
+
+
+void
+__bro_ht_foreach(BroHT *ht, BroHTCallback callback, void *user_data)
+{
+  BroList *l;
+  BroHTIt *it;
+  int i;
+
+  if (!ht || !callback)
+    return;
+  
+  if (!ht->ht_slots)
+    return;
+
+  for (i = 0; i < ht->ht_numslots; i++)
+    {
+      for (l = ht->ht_slots[i]; l; l = __bro_list_next(l))
+	{
+	  it = __bro_list_data(l);
+
+	  if (! callback(it->it_key, it->it_data, user_data))
+	    return;
+	}
+    }
+}
+
+
+uint32
+__bro_ht_str_hash(const void *val)
+{
+  char *val_ptr;
+  uint32 hash;
+  
+  if (!val)
+    return 0;
+
+  val_ptr = (char *) val;
+  
+  for (hash = 0; *val_ptr != '\0'; val_ptr++)
+    hash = (64 * hash + *val_ptr);
+
+  return hash;
+}
+
+
+int
+__bro_ht_str_cmp(const void *val1, const void *val2)
+{
+  if (! val1 || ! val2)
+    return FALSE;
+
+  return strcmp((char*) val1, (char*) val2) == 0;
+}
+
+
+void
+__bro_ht_mem_free(void *data)
+{
+  if (data)
+    free(data);
+}
+
+
+uint32
+__bro_ht_int_hash(const void *val)
+{
+  return (uint32)(uintptr_t) val;
+}
+
+
+int
+__bro_ht_int_cmp(const void *val1, const void *val2)
+{
+  return val1 == val2;
+}
diff --git a/aux/broccoli/src/bro_hashtable.h b/aux/broccoli/src/bro_hashtable.h
new file mode 100644
index 0000000000..b289d68768
--- /dev/null
+++ b/aux/broccoli/src/bro_hashtable.h
@@ -0,0 +1,110 @@
+/*
+       B R O C C O L I  --  The Bro Client Communications Library
+
+Copyright (C) 2004-2008 Christian Kreibich <christian (at) icir.org>
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to
+deal in the Software without restriction, including without limitation the
+rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+sell copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies of the Software and its documentation and acknowledgment shall be
+given in the documentation and software packages that this Software was
+used.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+*/
+#ifndef broccoli_ht_h
+#define broccoli_ht_h
+
+#include <broccoli.h>
+
+typedef struct bro_ht BroHT;
+
+/* Hash function -- pass something in, get integer back.
+ */
+typedef uint32 (*BroHTHashFunc)(const void *data);	     
+
+/* Key comparison function -- compares two keys, returns %TRUE
+ * if equal, %FALSE otherwise, NOT -1/0/1.
+ */
+typedef int (*BroHTCmpFunc)(const void *key1, const void *key2);
+
+/* Destructor function, one for keys, one for values.
+ */
+typedef void (*BroHTFreeFunc)(void *data);
+
+/**
+ * BroHTCallback - The signature of functions used with __bro_ht_foreach()
+ * @key: key of current hash table item
+ * @data: value part of current hash table item.
+ * @user_data: arbitrary user data passed through from __bro_ht_foreach().
+ *
+ * Returning %FALSE signals abortion of the loop.
+ */
+typedef int (*BroHTCallback)(void *key, void *data, void *user_data);
+
+/**
+ * __bro_ht_new - creates new hashtable.
+ * @hash_func: hashing function to use, see BroHTHashFunc.
+ * @cmp_func: element comparison function to use, see BroHTCmpFunc.
+ * @key_free_func: callback for erasing key of an item, if desirable.
+ * @val_free_func: callback for erasing data item itself, if desirable.
+ * @use_age_list: whether to maintain an age list (%TRUE) or not (%FALSE).
+ *
+ * The function creates and returns a new hashtable. @key_free_func and
+ * @val_free_func can be used to clean up contained elements automatically
+ * as they are removed from the table. If you don't want this feature,
+ * pass %NULL -- you can still iterate over all items in the table using
+ * __bro_ht_foreach().
+ *
+ * The table can optionally maintain an age list (see
+ * __bro_ht_get_oldest() and __bro_ht_evict_oldest()), pass %TRUE to
+ * @use_age_list if desired.
+ *
+ * Returns: new table, or %NULL when out of memory.
+ */
+BroHT    *__bro_ht_new(BroHTHashFunc hash_func,
+		       BroHTCmpFunc cmp_func,
+		       BroHTFreeFunc key_free_func,
+		       BroHTFreeFunc val_free_func,
+		       int use_age_list);
+
+void      __bro_ht_free(BroHT *ht);
+
+int       __bro_ht_add(BroHT *ht, void *key, void *data);
+void     *__bro_ht_get(BroHT *ht, const void *key);
+void     *__bro_ht_del(BroHT *ht, void *key);
+int       __bro_ht_get_size(BroHT *ht);
+
+void      __bro_ht_foreach(BroHT *ht, BroHTCallback cb, void *user_data);
+
+/* Returns pointers to key and value of oldest item in the table,
+ * if age list is maintained. Otherwise sets both @key and @data
+ * to %NULL.
+ */
+void      __bro_ht_get_oldest(BroHT *ht, void **key, void **data);
+
+/* If age list is used, removes oldest element from the table
+ * and returns number of items in the table after eviction.
+ * If age list is not used, does nothing and returns table size.
+ */
+int       __bro_ht_evict_oldest(BroHT *ht);
+
+uint32    __bro_ht_str_hash(const void *val);
+int       __bro_ht_str_cmp(const void *val1, const void *val2);
+void      __bro_ht_mem_free(void *data);
+
+uint32    __bro_ht_int_hash(const void *val);
+int       __bro_ht_int_cmp(const void *val1, const void *val2);
+
+#endif
diff --git a/aux/broccoli/src/bro_id.c b/aux/broccoli/src/bro_id.c
new file mode 100644
index 0000000000..a72b85fd59
--- /dev/null
+++ b/aux/broccoli/src/bro_id.c
@@ -0,0 +1,296 @@
+/*
+       B R O C C O L I  --  The Bro Client Communications Library
+
+Copyright (C) 2004-2008 Christian Kreibich <christian (at) icir.org>
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to
+deal in the Software without restriction, including without limitation the
+rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+sell copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies of the Software and its documentation and acknowledgment shall be
+given in the documentation and software packages that this Software was
+used.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+*/
+#if HAVE_CONFIG_H
+# include <config.h>
+#endif
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <sys/types.h>
+#include <string.h>
+#include <unistd.h>
+#include <errno.h>
+#include <sys/time.h>
+
+#ifdef __EMX__
+#include <strings.h>
+#endif 
+
+#include <bro_types.h>
+#include <bro_debug.h>
+#include <bro_id.h>
+
+BroID *
+__bro_id_new(void)
+{
+  BroID *id;
+
+  D_ENTER;
+
+  if (! (id = calloc(1, sizeof(BroID))))
+    D_RETURN_(NULL);
+
+  __bro_id_init(id);
+
+  D_RETURN_(id);
+}
+
+void
+__bro_id_init(BroID *id)
+{
+  BroSObject *sobj = (BroSObject *) id;
+
+  D_ENTER;
+
+  /* First initialize parent */
+  __bro_object_init((BroObject *) id);
+
+  /* Now hook our callbacks into the vtable */
+  sobj->read  = (BroSObjectRead) __bro_id_read;
+  sobj->write = (BroSObjectWrite) __bro_id_write;
+  sobj->free  = (BroSObjectFree) __bro_id_free;
+  sobj->clone = (BroSObjectClone) __bro_id_clone;
+  sobj->hash  = (BroSObjectHash) __bro_id_hash;
+  sobj->cmp   = (BroSObjectCmp) __bro_id_cmp;
+
+  sobj->type_id = SER_ID;
+
+  /* And finally initialize our own stuff */
+  bro_string_init(&id->name);
+  id->type = __bro_type_new();
+
+  /* For now we don't have attrs + val, these get
+   * hooked in on demand.
+   */
+  D_RETURN;
+}
+
+void
+__bro_id_free(BroID *id)
+{
+  D_ENTER;
+
+  if (!id)
+    D_RETURN;
+
+  /* First clean up our stuff */
+  bro_string_cleanup(&id->name);
+
+  __bro_sobject_release((BroSObject *) id->type);
+  __bro_sobject_release((BroSObject *) id->attrs);
+  __bro_sobject_release((BroSObject *) id->val);
+  
+  /* Then clean up parent -- will eventually call free() */
+  __bro_object_free((BroObject *) id);
+
+  D_RETURN;
+}
+
+int
+__bro_id_read(BroID *id, BroConn *bc)
+{
+  char opt;
+
+  D_ENTER;
+
+  if (! id || ! bc)
+    D_RETURN_(FALSE);
+
+  if (! __bro_object_read((BroObject *) id, bc))
+    D_RETURN_(FALSE);
+
+  if (! __bro_buf_read_string(bc->rx_buf, &id->name))
+    D_RETURN_(FALSE);
+
+  if (! __bro_buf_read_char(bc->rx_buf, &id->scope))
+    D_RETURN_(FALSE);
+
+  if (! __bro_buf_read_char(bc->rx_buf, &id->is_export))
+    D_RETURN_(FALSE);
+  if (! __bro_buf_read_int(bc->rx_buf, &id->is_const))
+    D_RETURN_(FALSE);
+  if (! __bro_buf_read_int(bc->rx_buf, &id->is_enum_const))
+    D_RETURN_(FALSE);
+  if (! __bro_buf_read_int(bc->rx_buf, &id->is_type))
+    D_RETURN_(FALSE);
+
+  if (! __bro_buf_read_int(bc->rx_buf, &id->offset))
+    D_RETURN_(FALSE);
+  
+  if (! __bro_buf_read_char(bc->rx_buf, &id->infer_return_type))
+    D_RETURN_(FALSE);
+  if (! __bro_buf_read_char(bc->rx_buf, &id->weak_ref))
+    D_RETURN_(FALSE);
+  
+  if (id->type)
+    __bro_sobject_release((BroSObject*) id->type);
+  if (! (id->type = (BroType *) __bro_sobject_unserialize(SER_IS_TYPE, bc)))
+    D_RETURN_(FALSE);
+
+  if (! __bro_buf_read_char(bc->rx_buf, &opt))
+    D_RETURN_(FALSE);
+  if (opt)
+    {
+      if (id->attrs)
+	__bro_sobject_release((BroSObject *) id->attrs);
+
+      if (! (id->attrs = (BroAttrs *) __bro_sobject_unserialize(SER_ATTRIBUTES, bc)))
+	D_RETURN_(FALSE);
+    }
+
+  if (! __bro_buf_read_char(bc->rx_buf, &opt))
+    D_RETURN_(FALSE);
+  if (opt)
+    {
+      if (id->val)
+	__bro_sobject_release((BroSObject *) id->val);
+
+      if (! (id->val = (BroVal *) __bro_sobject_unserialize(SER_IS_VAL, bc)))
+	D_RETURN_(FALSE);
+    }
+  
+  D_RETURN_(TRUE);
+}
+
+int
+__bro_id_write(BroID *id, BroConn *bc)
+{
+  D_ENTER;
+
+  if (! id || ! bc)
+    D_RETURN_(FALSE);
+
+  if (! __bro_object_write((BroObject *) id, bc))
+    D_RETURN_(FALSE);
+  
+  if (! __bro_buf_write_string(bc->tx_buf, &id->name))
+    D_RETURN_(FALSE);
+
+  if (! __bro_buf_write_char(bc->tx_buf, id->scope))
+    D_RETURN_(FALSE);
+
+  if (! __bro_buf_write_char(bc->tx_buf, id->is_export))
+    D_RETURN_(FALSE);
+  if (! __bro_buf_write_int(bc->tx_buf, id->is_const))
+    D_RETURN_(FALSE);
+  if (! __bro_buf_write_int(bc->tx_buf, id->is_enum_const))
+    D_RETURN_(FALSE);
+  if (! __bro_buf_write_int(bc->tx_buf, id->is_type))
+    D_RETURN_(FALSE);
+
+  if (! __bro_buf_write_int(bc->tx_buf, id->offset))
+    D_RETURN_(FALSE);
+  
+  if (! __bro_buf_write_char(bc->tx_buf, id->infer_return_type))
+    D_RETURN_(FALSE);
+  if (! __bro_buf_write_char(bc->tx_buf, id->weak_ref))
+    D_RETURN_(FALSE);
+  
+  if (! __bro_sobject_serialize((BroSObject *) id->type, bc))
+    D_RETURN_(FALSE);
+
+  if (! __bro_buf_write_char(bc->tx_buf, id->attrs ? 1 : 0))
+    D_RETURN_(FALSE);
+  if (id->attrs && ! __bro_sobject_serialize((BroSObject *) id->attrs, bc))
+    D_RETURN_(FALSE);
+
+  if (! __bro_buf_write_char(bc->tx_buf, id->val ? 1 : 0))
+    D_RETURN_(FALSE);
+  if (id->attrs && ! __bro_sobject_serialize((BroSObject *) id->val, bc))
+    D_RETURN_(FALSE);
+  
+  D_RETURN_(TRUE);
+}
+
+
+int
+__bro_id_clone(BroID *dst, BroID *src)
+{
+  BroString *string;
+
+  D_ENTER;
+  
+  if (! __bro_object_clone((BroObject *) dst, (BroObject *) src))
+    D_RETURN_(FALSE);
+  
+  if (! (string = bro_string_copy(&src->name)))
+    D_RETURN_(FALSE);
+  
+  dst->name = *string;
+  dst->scope = src->scope;
+  dst->is_export = src->is_export;
+  dst->is_const = src->is_const;
+  dst->is_enum_const = src->is_enum_const;
+  dst->is_type = src->is_type;
+  dst->offset = src->offset;
+  dst->infer_return_type = src->infer_return_type;
+  dst->weak_ref = src->weak_ref;
+  
+  if (src->type && ! (dst->type = (BroType *) __bro_sobject_copy((BroSObject *) src->type)))
+    D_RETURN_(FALSE);
+  
+  if (src->val && ! (dst->val = (BroVal *) __bro_sobject_copy((BroSObject *) src->val)))
+    D_RETURN_(FALSE);
+  
+  if (src->attrs && ! (dst->attrs = (BroAttrs *) __bro_sobject_copy((BroSObject *) src->attrs)))
+    D_RETURN_(FALSE);
+  
+  D_RETURN_(TRUE);
+}
+
+
+uint32
+__bro_id_hash(BroID *id)
+{
+  uint32 result = 0;
+
+  D_ENTER;
+
+  if (! id)
+    D_RETURN_(0);
+
+  result ^= __bro_ht_str_hash(id->name.str_val);
+  result ^= ((uint32) id->scope) << 8;
+  result ^= (uint32) id->is_export;
+  result ^= id->is_const;
+  result ^= id->is_enum_const;
+  result ^= id->is_type;
+  result ^= id->offset;
+  
+  D_RETURN_(result);
+}
+
+
+int
+__bro_id_cmp(BroID *id1, BroID *id2)
+{
+  D_ENTER;
+
+  if (! id1 || ! id2)
+    D_RETURN_(FALSE);
+
+  D_RETURN_(__bro_ht_str_cmp(id1->name.str_val, id2->name.str_val));
+}
diff --git a/aux/broccoli/src/bro_id.h b/aux/broccoli/src/bro_id.h
new file mode 100644
index 0000000000..fe81ed0b39
--- /dev/null
+++ b/aux/broccoli/src/bro_id.h
@@ -0,0 +1,65 @@
+/*
+       B R O C C O L I  --  The Bro Client Communications Library
+
+Copyright (C) 2004-2008 Christian Kreibich <christian (at) icir.org>
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to
+deal in the Software without restriction, including without limitation the
+rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+sell copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies of the Software and its documentation and acknowledgment shall be
+given in the documentation and software packages that this Software was
+used.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+*/
+#ifndef broccoli_id_h
+#define broccoli_id_h
+
+#include <bro_object.h>
+#include <bro_val.h>
+#include <bro_type.h>
+#include <bro_attrs.h>
+
+struct bro_id
+{
+  BroObject                    object;
+  BroString                    name;
+  char                         scope;
+
+  char                         is_export;
+  uint32                       is_const;
+  uint32                       is_enum_const;
+  uint32                       is_type;
+
+  uint32                       offset;
+
+  char                         infer_return_type;
+  char                         weak_ref;
+
+  BroType                     *type;
+  BroVal                      *val;
+  BroAttrs                    *attrs;
+};
+
+BroID         *__bro_id_new(void);
+void           __bro_id_init(BroID *id);
+void           __bro_id_free(BroID *id);
+
+int            __bro_id_write(BroID *id, BroConn *bc);
+int            __bro_id_read(BroID *id, BroConn *bc);
+int            __bro_id_clone(BroID *dst, BroID *src);
+uint32         __bro_id_hash(BroID *obj);
+int            __bro_id_cmp(BroID *obj1, BroID *obj2);
+
+#endif
diff --git a/aux/broccoli/src/bro_io.c b/aux/broccoli/src/bro_io.c
new file mode 100644
index 0000000000..2e4ad36902
--- /dev/null
+++ b/aux/broccoli/src/bro_io.c
@@ -0,0 +1,1205 @@
+/*
+       B R O C C O L I  --  The Bro Client Communications Library
+
+Copyright (C) 2004-2008 Christian Kreibich <christian (at) icir.org>
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to
+deal in the Software without restriction, including without limitation the
+rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+sell copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies of the Software and its documentation and acknowledgment shall be
+given in the documentation and software packages that this Software was
+used.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+*/
+#if HAVE_CONFIG_H
+# include <config.h>
+#endif
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <sys/types.h>
+#include <sys/time.h>
+#include <string.h>
+#include <unistd.h>
+#include <sys/param.h>
+#include <errno.h>
+
+#ifdef __MINGW32__
+#include <winsock.h>
+#else
+#include <sys/socket.h>
+#include <netinet/in.h>
+#endif
+
+#include <bro_types.h>
+#include <bro_debug.h>
+#include <bro_buf.h>
+#include <bro_event.h>
+#include <bro_event_reg.h>
+#include <bro_util.h>
+#include <bro_type.h>
+#include <bro_val.h>
+#include <bro_io.h>
+#include <bro_id.h>
+#ifdef BRO_PCAP_SUPPORT
+#include <bro_packet.h>
+#endif
+
+/* A static array that can translate message types into strings so
+ * it's clearer what's going on when debugging:
+ */
+static char * msg_type_str[] = {
+  "BRO_MSG_NONE",
+  "BRO_MSG_VERSION",
+  "BRO_MSG_SERIAL",
+  "BRO_MSG_CLOSE",
+  "BRO_MSG_CLOSE_ALL",
+  "BRO_MSG_ERROR",
+  "BRO_MSG_CONNECTTO",
+  "BRO_MSG_CONNECTED",
+  "BRO_MSG_REQUEST",
+  "BRO_MSG_LISTEN",
+  "BRO_MSG_LISTEN_STOP",
+  "BRO_MSG_STATS",
+  "BRO_MSG_CAPTURE_FILTER",
+  "BRO_MSG_REQUEST_SYNC",
+  "BRO_MSG_PHASE_DONE",
+  "BRO_MSG_PING",
+  "BRO_MSG_PONG",
+  "BRO_MSG_CAPS",
+  "BRO_MSG_COMPRESS",
+};
+
+static const char *
+msg_type_2_str(int type)
+{
+  if (type < 0 || type >= BRO_MSG_MAX)
+    return "<invalid>";
+
+  return msg_type_str[type];
+}
+
+/* The maximum number of attempts we make in one go in order
+ * to extract data from the pipe. It appears that OpenSSL does
+ * not fully hide the record-oriented transfer and repeated
+ * writes at one end also require repeated reads at the other
+ * end. If anyone can confirm or deny this, please get in touch.
+ */
+#define BRO_BIO_READ_ROUNDS_MAX   20
+
+/* Reading-related --------------------------------------------------- */
+
+static int
+io_read_chunk_size(BroConn *bc, uint32 *chunk_size)
+{
+  if (! __bro_buf_ptr_read(bc->rx_buf, chunk_size, sizeof(uint32)))
+    {
+      D(("Couldn't read chunk size\n"));
+      return FALSE;
+    }
+
+  *chunk_size = ntohl(*chunk_size);
+
+  if (! __bro_buf_ptr_check(bc->rx_buf, *chunk_size))
+    {
+      D(("Not all chunk data available\n"));
+      return FALSE;
+    }
+
+  D(("We have a chunk of size %i\n", *chunk_size));
+  return TRUE;
+}
+
+static int
+io_read_msg_hdr(BroConn *bc, BroMsgHeader *msg_hdr)
+{
+  if (! __bro_buf_ptr_read(bc->rx_buf, msg_hdr, sizeof(BroMsgHeader)))
+    {
+      D(("Couldn't read message header\n"));
+      return FALSE;
+    }
+  
+  msg_hdr->hdr_peer_id = ntohs(msg_hdr->hdr_peer_id);
+  
+  return TRUE;
+}
+
+static int
+io_msg_fill_rx(BroConn *bc)
+{
+  BroBuf tmp_buf;
+  int i, n, total = 0;
+
+  if (bc->state->rx_dead)
+    {
+      if (! (bc->conn_flags & BRO_CFLAG_RECONNECT))
+	return FALSE;
+      
+      D(("Connection dead and we want to reconnect ...\n"));
+      
+      if (! bro_conn_reconnect(bc))
+	return FALSE;
+    }
+  
+  for (i = 0; i < BRO_BIO_READ_ROUNDS_MAX; i++)
+    {
+      __bro_buf_init(&tmp_buf);
+
+      n = __bro_openssl_read(bc, __bro_buf_get(&tmp_buf),
+			     __bro_buf_get_size(&tmp_buf));
+      
+      if (n <= 0)
+	{
+	  __bro_buf_cleanup(&tmp_buf);      	  
+	  
+	  if (n < 0)
+	    {
+	      D(("Read returned error after %i/%i rounds and %i bytes\n",
+		 i, BRO_BIO_READ_ROUNDS_MAX, total));
+	      return -1;
+	    }
+#ifdef BRO_DEBUG
+	  if (total > 0)
+	    D(("Read %i bytes in %i/%i rounds.\n",
+	       total, i, BRO_BIO_READ_ROUNDS_MAX));
+#endif	  
+	  if (total == 0)
+	    continue;
+	  
+	  return total;
+	}
+      
+      __bro_buf_append(bc->rx_buf, __bro_buf_get(&tmp_buf), n);
+      __bro_buf_cleanup(&tmp_buf);
+      total += n;      
+    }
+  
+  D(("Read %i bytes in %i/%i rounds.\n",
+     total, i, BRO_BIO_READ_ROUNDS_MAX));
+  
+  return total;
+}
+
+
+static int
+io_skip_chunk(BroBuf *buf, uint32 buf_off, uint32 chunk_size)
+{
+  if (! buf)
+    return FALSE;
+
+  if (! __bro_buf_ptr_seek(buf, buf_off, SEEK_SET))
+    return FALSE;
+
+  /* We skip a uint32 for the chunk size and then chunk_size
+   * bytes.
+   */
+  if (! __bro_buf_ptr_seek(buf, sizeof(uint32) + chunk_size, SEEK_CUR))
+    return FALSE;
+  
+  D(("Skipping %i + %i\n", sizeof(uint32), chunk_size));
+
+  return TRUE;
+}
+
+
+static int
+io_process_serialization(BroConn *bc)
+{
+  BroVal vbuf;
+
+  D_ENTER;
+
+  if (! __bro_buf_read_char(bc->rx_buf, &vbuf.val_char))
+    {
+      D(("Couldn't read serialization type\n"));
+      D_RETURN_(FALSE);
+    }
+
+  switch (vbuf.val_char)
+    {
+    case 'e':
+      {
+	BroEvent *ev;
+
+	bc->rx_ev_start = (const char*) bro_buf_ptr_get(bc->rx_buf);
+
+	D(("Processing serialized event.\n"));
+	if (! (ev = __bro_event_unserialize(bc)))
+	  {
+	    bc->rx_ev_start = bc->rx_ev_end = NULL;
+	    D_RETURN_(FALSE);
+	  }
+
+	bc->rx_ev_end = (const char*) bro_buf_ptr_get(bc->rx_buf);	
+	__bro_event_reg_dispatch(bc, ev);
+	__bro_event_free(ev);      
+	bc->rx_ev_start = bc->rx_ev_end = NULL;
+      }
+      break;
+
+    case 'i':
+      {
+	BroID *id;
+
+	D(("Processing serialized ID.\n"));
+	if (! (id = (BroID *) __bro_sobject_unserialize(SER_IS_ID, bc)))
+	  D_RETURN_(FALSE);
+	
+	D(("ID read successfully.\n"));
+	/* Except we don't do anything with it yet. :) */
+	__bro_sobject_release((BroSObject *) id);
+      }
+      break;
+
+    case 'p':
+      {
+#ifdef BRO_PCAP_SUPPORT
+	BroPacket *packet;
+	
+	if (! (packet = __bro_packet_unserialize(bc)))
+	  D_RETURN_(FALSE);
+	
+	D(("Packet read successfully.\n"));
+	bro_packet_free(packet);
+#else
+	D_RETURN_(FALSE);
+#endif
+      }
+      break;
+
+    default:
+      /* We do not handle anything else yet -- just say
+       * we are happy and return.
+       */
+      D(("Unknown serialization of type %c\n", vbuf.val_char));
+      D_RETURN_(FALSE);
+    }
+
+  /* After a complete unserialization, we enforce the size limit
+   * of the cache. We can't do it on the go as a new object that
+   * is unserialized may still contain references to previously
+   * cached items which we might evict.
+   */
+  while (__bro_ht_get_size(bc->io_cache) > bc->io_cache_maxsize)
+    __bro_ht_evict_oldest(bc->io_cache);
+  
+  D_RETURN_(TRUE);
+}
+
+
+/* Writing-related --------------------------------------------------- */
+
+static int
+io_fill_raw(BroBuf *buf, BroBuf *data)
+{
+  return __bro_buf_write_data(buf, __bro_buf_get(data), __bro_buf_get_used_size(data));
+}
+
+
+static int
+io_fill_request(BroBuf *buf, BroRequest *req)
+{
+  return __bro_buf_write_data(buf, req->req_dat, req->req_len);
+}
+
+static int
+io_fill_msg_header(BroBuf *buf, BroMsgHeader *mh)
+{
+  mh->hdr_peer_id = htonl(mh->hdr_peer_id);
+  return __bro_buf_write_data(buf, mh, sizeof(BroMsgHeader));
+}
+
+static int
+io_msg_empty_tx(BroConn *bc)
+{
+  int n;
+  int todo;
+
+  D_ENTER;
+
+  if (bc->state->tx_dead && (bc->conn_flags & BRO_CFLAG_RECONNECT))
+    bro_conn_reconnect(bc);      
+
+  if (bc->state->tx_dead)
+    {
+      D(("Connection dead, not writing anything. Todo: %i\n", __bro_buf_get_used_size(bc->tx_buf)));
+      D_RETURN_(FALSE);
+    }
+
+  /* This function loops until the entire buffer contents
+   * are written out. This is not perfect but easier for now.
+   * Revisit this as a FIXME.
+   */
+  for ( ; ; )
+    {
+      todo = __bro_buf_get_used_size(bc->tx_buf);
+
+      if (todo == 0)
+	D_RETURN_(TRUE);
+      
+      n = __bro_openssl_write(bc, __bro_buf_get(bc->tx_buf), todo);
+      
+      /* If we couldn't write out anything at all, then we report
+       * failure.
+       */      
+      if (n < 0)
+	{
+	  D(("SSL error -- nothing written.\n"));
+	  D_RETURN_(FALSE);
+	}
+      
+      if (0 < n && n < todo)
+	{
+	  /* We have an incomplete write. Consume what we were
+	   * able to write out.
+	   */
+	  D(("*** Incomplete write: %i/%i\n", n, todo));
+	  
+	  if (! __bro_buf_ptr_seek(bc->tx_buf, n, SEEK_SET))
+	    {
+	      /* This should never happen. */
+	      D(("*** Buffer contents are screwed :(\n"));
+	      D_RETURN_(FALSE);
+	    }
+	  
+	  __bro_buf_consume(bc->tx_buf);
+	}
+      
+      D(("<<< Sent %i/%i bytes.\n", n, todo));
+      
+      if (n == todo)
+	{
+	  /* If we wrote out everything that was left, report success. */
+	  __bro_buf_reset(bc->tx_buf);
+	  D_RETURN_(TRUE);
+	}
+    }
+}
+
+static int      
+io_msg_fill_tx(BroConn *bc, BroMsg *msg)
+{
+  int result = TRUE;
+
+  D_ENTER;
+
+  if (!bc || !msg)
+    {
+      D(("Input error.\n"));
+      D_RETURN_(FALSE);
+    }
+
+  /* Check if anything is still left in the input buffer. In that case,
+   * we don't fill anything in but return right away, so the message
+   * gets queued.
+   */
+  if (__bro_buf_get_used_size(bc->tx_buf) > 0)
+    {
+      D(("Buffer not empty; not filling!\n"));
+      D_RETURN_(FALSE);
+    }
+  
+  D((">>> Attempting write of %s\n", msg_type_2_str(msg->msg_header.hdr_type)));
+
+  /* We will collect the message chunk in the connection's tx buffer.
+   * We append stuff to it as we go along and at the end write it out.
+   * When being sent, he buffer has the amount of octets to send at
+   * the beginning, so the reader knows how much is coming.
+   */
+  __bro_buf_reset(bc->tx_buf);
+
+  msg->msg_header_size = sizeof(BroMsgHeader);
+  
+  if (! __bro_buf_write_int(bc->tx_buf, msg->msg_header_size))
+    {
+      __bro_buf_reset(bc->tx_buf);
+      D_RETURN_(FALSE);
+    }
+  
+  /* Hook in the Bro message header */
+  if (! io_fill_msg_header(bc->tx_buf, &msg->msg_header))
+    {
+      __bro_buf_reset(bc->tx_buf);
+      D_RETURN_(FALSE);
+    }
+  
+  if (msg->msg_cont_type != BRO_MSG_CONT_NONE)
+    {
+      uint32 msg_size_pos, msg_size_end;
+
+      /* This starts another chunk of data (in Bro protocol speak),
+       * but here we cannot yet know how big the chunk will be.
+       * We save the offset in the buffer and return to it later,
+       * overwriting the value with the then correct one.
+       */
+      msg_size_pos = __bro_buf_get_used_size(bc->tx_buf);
+      if (! __bro_buf_write_int(bc->tx_buf, msg->msg_size))
+	{
+	  __bro_buf_reset(bc->tx_buf);
+	  D_RETURN_(FALSE);
+	}
+      
+      /* Gather the payload of the message we are about
+       * to send into the buffer BUF.
+       */
+      switch (msg->msg_cont_type)
+	{
+	case BRO_MSG_CONT_RAW:
+	  D(("Filling raw data into buffer\n"));
+	  if (! io_fill_raw(bc->tx_buf, msg->msg_cont_raw))
+	    {
+	      __bro_buf_reset(bc->tx_buf);
+	      D_RETURN_(FALSE);
+	    }
+	  break;
+	  
+	case BRO_MSG_CONT_EVENT:
+	  /* Check if the peer actually requested the event, and if not,
+	   * drop it silently (i.e., still return success).
+	   */
+	  if (! __bro_ht_get(bc->ev_mask, msg->msg_cont_ev->name.str_val))
+	    {
+	      D(("Event '%s' not requested by peer -- dropping.\n",
+		 msg->msg_cont_ev->name.str_val));
+	      __bro_buf_reset(bc->tx_buf);
+
+	      /* This is not an error but a silent drop, so we
+	       * return success.
+	       */
+	      D_RETURN_(TRUE);
+	    }
+	  
+	  D(("Filling event into buffer\n"));
+	  
+	  if (! __bro_event_serialize(msg->msg_cont_ev, bc))
+	    {
+	      D(("Error during serialization.\n"));
+	      __bro_buf_reset(bc->tx_buf);
+	      D_RETURN_(FALSE);	
+	    }
+	  break;
+	  
+	case BRO_MSG_CONT_REQUEST:
+	  D(("Filling request into buffer\n"));
+	  if (! io_fill_request(bc->tx_buf, msg->msg_cont_req))
+	    {
+	      __bro_buf_reset(bc->tx_buf);
+	      D_RETURN_(FALSE);	
+	    }
+	  break;
+
+#ifdef BRO_PCAP_SUPPORT	  
+	case BRO_MSG_CONT_PACKET:
+	  if (! __bro_packet_serialize(msg->msg_cont_packet, bc))
+	    {
+	      __bro_buf_reset(bc->tx_buf);	      
+	      D_RETURN_(FALSE);
+	    }
+	  break;
+#endif
+	default:
+	  D(("ERROR -- invalid message content code %i\n", msg->msg_cont_type));
+	  break;
+	}
+      
+      /* Now calculate length of entire transmission --
+       * we know where we wrote the uint32 containing the
+       * size of the chunk, and we know where we are now,
+       * so the length is their difference, minus the uint32
+       * itself.
+       */
+      msg_size_end = __bro_buf_get_used_size(bc->tx_buf);
+      msg->msg_size = msg_size_end - msg_size_pos - sizeof(uint32);
+      D(("Serialized message sized %i bytes.\n", msg->msg_size));
+      
+      if (! __bro_buf_ptr_seek(bc->tx_buf, msg_size_pos, SEEK_SET))
+	{
+	  D(("Cannot seek to position %u -- we're screwed.\n", msg_size_pos));
+	  __bro_buf_reset(bc->tx_buf);
+	  D_RETURN_(FALSE);
+	}
+      
+      if (! __bro_buf_write_int(bc->tx_buf, msg->msg_size))
+	{
+	  __bro_buf_reset(bc->tx_buf);
+	  D_RETURN_(FALSE);
+	}
+    }
+  
+  D_RETURN_(result);
+}
+
+
+static int
+io_msg_queue(BroConn *bc, BroMsg *msg)
+{
+  D_ENTER;
+
+  if (!bc || !msg)
+    D_RETURN_(FALSE);
+
+  /* If anything is left over in the buffer, write it out now.
+   * We don't care if it succeeds or not.
+   */
+  io_msg_empty_tx(bc);
+
+  /* If the queue is empty, try to send right away.
+   * If not, enqueue the event, and try to flush.
+   */
+  D(("Enqueing msg of type %s\n", msg_type_2_str(msg->msg_header.hdr_type)));
+
+  if (! bc->msg_queue.tqh_first)
+    {
+      D(("No queue yet.\n"));
+      if (io_msg_fill_tx(bc, msg))
+	{
+	  D(("Message serialized.\n"));
+
+	  if (io_msg_empty_tx(bc))
+	    {
+	      D(("Message sent.\n"));
+	    }
+
+	  __bro_io_msg_free(msg);
+	  bc->state->io_msg = BRO_IOMSG_WRITE;
+	  D_RETURN_(TRUE);
+	}
+    }
+  
+  if (bc->state->tx_dead && ! (bc->conn_flags & BRO_CFLAG_ALWAYS_QUEUE))
+    {
+      D(("Connection %p disconnected, and no queuing requested: dropping message.\n", bc));
+      __bro_io_msg_free(msg);
+      D_RETURN_(FALSE);
+    }
+
+  TAILQ_INSERT_TAIL(&bc->msg_queue, msg, msg_queue);
+  bc->msg_queue_len++;
+  D(("Queue length now %i\n", bc->msg_queue_len));
+  
+  __bro_io_msg_queue_flush(bc);
+
+  /* Check that the queue does not grow too big: */
+  while (bc->msg_queue_len > BRO_MSG_QUEUELEN_MAX)
+    {
+      BroMsg *msg = bc->msg_queue.tqh_first;
+
+      TAILQ_REMOVE(&bc->msg_queue, msg, msg_queue);
+      __bro_io_msg_free(msg);
+      bc->msg_queue_len--;
+      
+      D(("Dropped one message due to excess queue length, now %i\n", bc->msg_queue_len));
+    }
+  
+  D_RETURN_(TRUE);
+}
+
+
+/* Non-static stuff below: ------------------------------------------- */
+
+BroMsg *
+__bro_io_msg_new(char type, uint32 peer_id)
+{
+  static int msg_counter = 0;
+  BroMsg *msg;
+
+  if (! (msg = calloc(1, sizeof(BroMsg))))
+    return NULL;  
+  
+  msg->msg_header.hdr_type = type;
+  msg->msg_header.hdr_peer_id = peer_id;
+  msg->msg_cont_type = BRO_MSG_CONT_NONE;
+  msg->msg_num = msg_counter++;
+
+  return msg;
+}
+
+
+void
+__bro_io_msg_free(BroMsg *msg)
+{
+  if (!msg)
+    return;
+
+  switch (msg->msg_cont_type)
+    {
+    case BRO_MSG_CONT_RAW:
+      __bro_buf_free(msg->msg_cont_raw);
+      break;
+      
+    case BRO_MSG_CONT_EVENT:
+      __bro_event_free(msg->msg_cont_ev);
+      break;
+      
+    case BRO_MSG_CONT_REQUEST:
+      __bro_event_request_free(msg->msg_cont_req);
+      break;
+#ifdef BRO_PCAP_SUPPORT
+    case BRO_MSG_CONT_PACKET:
+      bro_packet_free(msg->msg_cont_packet);
+      break;
+#endif
+
+    default:
+      break;
+    }
+  
+  free(msg);
+}
+
+
+void     
+__bro_io_msg_set_cont(BroMsg *msg, int type, void *content)
+{
+  if (!msg)
+    return;
+
+  msg->msg_cont_type = type;
+
+  switch (type)
+    {
+    case BRO_MSG_CONT_RAW:
+      msg->msg_cont_raw = (BroBuf*) content;
+      D(("Setting raw buffer content for message, type now %i, buffer data: %p\n",
+	 msg->msg_cont_type, content));
+      break;
+      
+    case BRO_MSG_CONT_EVENT:
+      msg->msg_cont_ev = (BroEvent *) content;
+      D(("Setting event content for message, type now %i, event: %s\n",
+	 msg->msg_cont_type, msg->msg_cont.msg_ev->name.str_val));
+      break;
+      
+    case BRO_MSG_CONT_REQUEST:
+      msg->msg_cont_req = (BroRequest *) content;
+      D(("Setting request content for message, type now %i\n", msg->msg_cont_type));
+      break;
+
+#ifdef BRO_PCAP_SUPPORT
+    case BRO_MSG_CONT_PACKET:
+      msg->msg_cont_packet = (BroPacket *) content;
+      break;
+#endif
+
+    default:
+      msg->msg_cont_type = BRO_MSG_CONT_NONE;
+    }
+}
+
+
+int      
+__bro_io_msg_queue_flush(BroConn *bc)
+{
+  BroMsg *msg;
+  int result;
+
+  D_ENTER;
+    
+  if (! bc)
+    D_RETURN_(-1);
+  
+  for ( ; ; )
+    {
+      if (! io_msg_empty_tx(bc))
+	break;
+
+      if (! (msg = bc->msg_queue.tqh_first))
+	break;
+      
+      if (! io_msg_fill_tx(bc, msg))
+	break;
+      
+      TAILQ_REMOVE(&bc->msg_queue, msg, msg_queue);
+      __bro_io_msg_free(msg);
+      bc->msg_queue_len--;
+      
+      bc->state->io_msg = BRO_IOMSG_WRITE;
+    }
+  
+  result = bc->msg_queue_len;  
+  D_RETURN_(result);
+}
+
+
+void
+__bro_io_msg_queue_dump(BroConn *bc, const char *message)
+{
+  BroMsg *msg;
+  
+  printf("%s: connection %p, length %i\n", message, bc, bc->msg_queue_len);
+  
+  for (msg = bc->msg_queue.tqh_first; msg; msg = msg->msg_queue.tqe_next)
+    printf(" -- %s(%i)\n", msg_type_2_str(msg->msg_header.hdr_type), msg->msg_num);
+}
+
+int
+__bro_io_raw_queue(BroConn *bc, int type, uchar *data, int data_len)
+{
+  BroMsg *msg;
+  int result = FALSE;
+  
+  D_ENTER;
+
+  if (!bc)
+    D_RETURN_(FALSE);
+  
+  if (! (msg = __bro_io_msg_new(type, 0)))
+    D_RETURN_(FALSE);
+
+  if (data_len > 0)
+    {      
+      BroBuf *buf;
+
+      if (! (buf = __bro_buf_new()))
+	{
+	  __bro_io_msg_free(msg);
+	  D_RETURN_(FALSE);
+	}
+      
+      __bro_buf_append(buf, data, data_len);
+      __bro_io_msg_set_cont(msg, BRO_MSG_CONT_RAW, buf);
+    }
+
+  result = io_msg_queue(bc, msg);
+  
+  D_RETURN_(result);
+}
+
+int
+__bro_io_rawbuf_queue(BroConn *bc, int type, BroBuf *buf)
+{
+  BroMsg *msg;
+  int result = FALSE;
+  
+  D_ENTER;
+
+  if (!bc || !buf)
+    D_RETURN_(FALSE);
+  
+  if (! (msg = __bro_io_msg_new(type, 0)))
+    D_RETURN_(FALSE);
+
+  __bro_io_msg_set_cont(msg, BRO_MSG_CONT_RAW, buf);
+  result = io_msg_queue(bc, msg);
+  
+  D_RETURN_(result);
+}
+
+int
+__bro_io_event_queue(BroConn *bc, BroEvent *ev)
+{
+  BroEvent *ev_copy;
+  BroMsg *msg;
+  int result;
+
+  D_ENTER;
+
+  if (!bc)
+    D_RETURN_(FALSE);
+  
+  if (! (msg = __bro_io_msg_new(BRO_MSG_SERIAL, 0)))
+    D_RETURN_(FALSE);
+
+  if (! (ev_copy = __bro_event_copy(ev)))
+    {
+      D(("Could not clone event\n"));
+      D_RETURN_(FALSE);
+    }
+
+  __bro_io_msg_set_cont(msg, BRO_MSG_CONT_EVENT, ev_copy);
+  result = io_msg_queue(bc, msg);
+  D_RETURN_(result);  
+}
+
+int
+__bro_io_request_queue(BroConn *bc, BroRequest *req)
+{
+  BroMsg *msg;
+  int result;
+
+  D_ENTER;
+
+  if (!bc)
+    D_RETURN_(FALSE);
+
+  if (! (msg = __bro_io_msg_new(BRO_MSG_REQUEST, 0)))
+    D_RETURN_(FALSE);
+
+  __bro_io_msg_set_cont(msg, BRO_MSG_CONT_REQUEST, req);
+  result = io_msg_queue(bc, msg);
+  D_RETURN_(result);
+}
+
+#ifdef BRO_PCAP_SUPPORT
+int
+__bro_io_packet_queue(BroConn *bc, BroPacket *packet)
+{
+  BroPacket *clone;
+  BroMsg *msg;
+  int result;
+
+  D_ENTER;
+
+  if (!bc)
+    D_RETURN_(FALSE);
+
+  if (! (msg = __bro_io_msg_new(BRO_MSG_SERIAL, 0)))
+    D_RETURN_(FALSE);
+
+  if (! (clone = bro_packet_clone(packet)))
+    {
+      __bro_io_msg_free(msg);
+      D_RETURN_(FALSE);
+    }
+  
+  __bro_io_msg_set_cont(msg, BRO_MSG_CONT_PACKET, clone);
+  result = io_msg_queue(bc, msg);
+  D_RETURN_(result);
+}
+#endif
+
+int
+__bro_io_process_input(BroConn *bc)
+{
+  uint32          buf_off, chunk_size;
+  BroMsgHeader    msg_hdr;
+  int             result = FALSE;
+  
+  D_ENTER;
+  
+  /* Read all available data into receive buffer. Our socket is
+   * nonblocking so if nothing's available we'll be back right
+   * away. If nothing was read, the subsequent for loop will exit
+   * right away, so the io_msg_fill_rx() return code need not be
+   * checked here.
+   */
+  io_msg_fill_rx(bc);
+
+  /* Try to process as much in the input buffer as we can */
+  for ( ; ; )
+    {  
+      D(("----- Attempting to extract a message\n"));
+
+      /* Get the current offset of the buffer pointer to make
+       * sure we can reset to it if things go wrong.
+       */
+      buf_off = __bro_buf_ptr_tell(bc->rx_buf);
+      
+      /* Now check the buffer contents and see if there's enough
+       * for us to analyze it. Start with a uint32 for the size
+       * of the first chunk, and then the chunk itself.
+       */
+      if (! io_read_chunk_size(bc, &chunk_size))
+	goto reset_return;
+      
+      if (chunk_size != sizeof(BroMsgHeader))
+	{
+	  D(("Received chunk should be %i bytes, but is %i\n",
+	     sizeof(BroMsgHeader), chunk_size));
+	  io_skip_chunk(bc->rx_buf, buf_off, chunk_size);
+	  result = TRUE;
+	  continue;
+	}
+      
+      if (! io_read_msg_hdr(bc, &msg_hdr))
+	goto reset_return;
+      
+      switch (msg_hdr.hdr_type)
+	{
+	case BRO_MSG_REQUEST:
+	  {
+	    char *tmp = NULL, *tmp2 = NULL;
+	        
+	    D(("Received MSQ_REQUEST\n"));
+	        
+	    /* We need to read another chunk, whose data will contain
+	     * a sequence of 0-terminated strings, each one being the
+	     * name of an event that the peering Bro is interested in.
+	     */
+	    if (! io_read_chunk_size(bc, &chunk_size))
+	      goto reset_return;
+	        
+	    if (! (tmp = (char *) malloc(chunk_size * sizeof(char))))
+	      goto reset_return;
+	        
+	    if (! __bro_buf_read_data(bc->rx_buf, tmp, chunk_size))
+	      {
+		free(tmp);
+		goto reset_return;
+	      }
+	        
+	    for (tmp2 = tmp; tmp2 < tmp + chunk_size; tmp2 = tmp2 + strlen(tmp2) + 1)
+	      {
+		char *key;
+
+		if (__bro_ht_get(bc->ev_mask, tmp2))
+		  continue;
+		
+		key = strdup(tmp2);
+		__bro_ht_add(bc->ev_mask, key, key);
+		D(("Will report event '%s'\n", tmp2));
+	      }
+
+	    D(("Now reporting %i event(s).\n", __bro_ht_get_size(bc->ev_mask)));
+	    free(tmp);
+	  }
+	  break;
+	    
+	case BRO_MSG_VERSION:
+	  {
+	    uchar *data;
+	    uint32 proto_version;
+	    uint32 cache_size;
+	    uint32 data_version;
+	    uint32 runtime; /* unused */
+
+	    D(("Received MSG_VERSION\n"));
+
+	    /* We need to read another chunk for the raw data.
+	     */
+	    if (! io_read_chunk_size(bc, &chunk_size))
+	      goto reset_return;
+
+	    if (! (data = malloc(sizeof(uchar) * chunk_size)))
+	      goto reset_return;
+
+	    if (! __bro_buf_read_data(bc->rx_buf, data, chunk_size))
+	      {
+		free(data);
+		goto reset_return;
+	      }
+	        
+	    proto_version = ntohl(((uint32 *) data)[0]);
+	    cache_size    = ntohl(((uint32 *) data)[1]);
+	    data_version  = ntohl(((uint32 *) data)[2]);
+	    runtime       = ntohl(((uint32 *) data)[3]);
+
+	    /* If there are more bytes than required for the 4 uint32s
+	     * used above, it means that the peer has sent a connection class
+	     * identifier. Extract and register in the handle.
+	     */
+	    if (chunk_size > 4 * sizeof(uint32))
+	      {
+		if (bc->peer_class)
+		  free(bc->peer_class);
+		
+		bc->peer_class = strdup((char *) (data + 4 * sizeof(uint32)));
+	      }
+
+	    if (proto_version != BRO_PROTOCOL_VERSION)
+	      {
+		D(("EEEK -- we speak protocol version %i, peer speeks %i. Aborting.\n",
+		   BRO_PROTOCOL_VERSION, proto_version));		
+		__bro_openssl_shutdown(bc);
+		goto reset_return;
+	      } else {
+		D(("Protocols compatible, we speak version %i\n", BRO_PROTOCOL_VERSION));
+	      }
+	    
+	    if (data_version != 0 && data_version != BRO_DATA_FORMAT_VERSION)
+	      {
+		D(("EEEK -- we speak data format version %i, peer speeks %i. Aborting.\n",
+		   BRO_DATA_FORMAT_VERSION, data_version));		
+		__bro_openssl_shutdown(bc);
+		goto reset_return;
+	      } else {
+		D(("Data formats compatible, we speak version %i\n", BRO_DATA_FORMAT_VERSION));
+	      }
+	    
+	    bc->io_cache_maxsize = cache_size;
+	    D(("Receiver cache size set to %i entries.\n", cache_size));
+	    free(data);
+
+	    bc->state->conn_state_peer = BRO_CONNSTATE_HANDSHAKE;
+	    D(("VERSION received, on %p, peer now in HANDSHAKE stage.\n"));
+	  }
+	  break;
+	    
+	case BRO_MSG_SERIAL:
+	  {
+	    uint32 pre_serial;
+	        
+	    D(("Received MSQ_SERIAL\n"));
+	    pre_serial = __bro_buf_ptr_tell(bc->rx_buf);
+
+	    if (! io_read_chunk_size(bc, &chunk_size))
+	      goto reset_return;
+	        
+	    if (! io_process_serialization(bc))
+	      io_skip_chunk(bc->rx_buf, pre_serial, chunk_size);
+	  }
+	  break;
+	    
+	case BRO_MSG_CAPTURE_FILTER:
+	  {
+	    uint32 pre_capture;
+
+	    D(("Received MSQ_CAPTURE_FILTER\n"));
+	    pre_capture = __bro_buf_ptr_tell(bc->rx_buf);
+	        
+	    if (! io_read_chunk_size(bc, &chunk_size))
+	      goto reset_return;
+	        
+	    io_skip_chunk(bc->rx_buf, pre_capture, chunk_size);
+	  }
+	  break;
+
+	case BRO_MSG_PHASE_DONE:
+	  /* No additional content for this one. */
+	  switch (bc->state->conn_state_peer)
+	    {
+	    case BRO_CONNSTATE_HANDSHAKE:
+	      /* When we complete the handshake phase, it depends
+	       * on whether or not the peer has requested synced
+	       * state. If so, enter the sync phase, otherwise
+	       * we're up and running.
+	       */
+	      if (bc->state->sync_state_requested)
+		{
+		  bc->state->conn_state_peer = BRO_CONNSTATE_SYNC;
+		  D(("Phase done from peer on %p, sync requested, peer now in SYNC stage.\n", bc));
+		}
+	      else
+		{
+		  bc->state->conn_state_peer = BRO_CONNSTATE_RUNNING;
+		  D(("Phase done from peer on %p, no sync requested, peer now in RUNNING stage.\n", bc));
+		}
+	      break;
+
+	    case BRO_CONNSTATE_SYNC:
+	      bc->state->conn_state_peer = BRO_CONNSTATE_RUNNING;
+	      D(("Phase done from peer on %p, peer now in RUNNING stage.\n", bc));
+	      break;
+	      
+	    default:
+	      D(("Ignoring PHASE_DONE in conn state %i/%i on conn %p\n",
+		 bc->state->conn_state_self, bc->state->conn_state_peer, bc));
+	    }
+	  break;
+	  
+	case BRO_MSG_REQUEST_SYNC:
+		{   	  
+	    uchar *data;
+		
+	    D(("Received MSQ_REQUEST_SYNC, peer now in SYNC stage.\n"));
+		
+	    bc->state->sync_state_requested = 1;
+	    bc->state->conn_state_peer = BRO_CONNSTATE_SYNC;
+
+	    /* We need to read another chunk for the raw data.
+	     */
+	    if (! io_read_chunk_size(bc, &chunk_size))
+	      goto reset_return;
+
+	    if (! (data = malloc(sizeof(uchar) * chunk_size)))
+	      goto reset_return;
+
+	    if (! __bro_buf_read_data(bc->rx_buf, data, chunk_size))
+	      {
+		free(data);
+		goto reset_return;
+	      }
+	    D(("Skipping sync interpretation\n"));
+	    free(data);
+	    break;
+	  }
+	
+	
+	case BRO_MSG_CAPS:
+	  {
+	    uchar *data;
+
+	    D(("Received MSG_CAPS\n"));
+
+	    /* We need to read another chunk for the raw data.
+	     */
+	    if (! io_read_chunk_size(bc, &chunk_size))
+	      goto reset_return;
+
+	    if (! (data = malloc(sizeof(uchar) * chunk_size)))
+	      goto reset_return;
+
+	    if (! __bro_buf_read_data(bc->rx_buf, data, chunk_size))
+	      {
+		free(data);
+		goto reset_return;
+	      }
+	    D(("Skipping capabilities interpretation\n"));
+	    free(data);
+	    break;
+	  }
+
+	default:
+	  D(("Skipping unknown message type %i\n", msg_hdr.hdr_type));
+	  break;
+	}
+      
+      __bro_buf_consume(bc->rx_buf);
+      result = TRUE;
+
+      if ((bc->conn_flags & BRO_CFLAG_YIELD) &&
+	  bc->state->conn_state_self == BRO_CONNSTATE_RUNNING &&
+	  bc->state->conn_state_peer == BRO_CONNSTATE_RUNNING)	  
+	break;
+    }
+  
+ reset_return:
+  __bro_buf_ptr_seek(bc->rx_buf, buf_off, SEEK_SET);
+  D_RETURN_(result);
+}
+
+
+void
+__bro_io_loop(BroConn *bc)
+{
+  D_ENTER;
+  
+  for ( ; ; )
+    {
+      D(("I/O loop iteration\n"));
+      
+      switch (bc->state->io_msg)
+	{
+	case BRO_IOMSG_STOP:
+	  D(("I/O process %u exiting by request.\n", getpid()));
+	  __bro_openssl_shutdown(bc);
+	  exit(0);
+	  
+	case BRO_IOMSG_WRITE:
+	  if (bc->state->tx_dead)
+	    break;
+
+	  if (! io_msg_empty_tx(bc))
+	    {	      
+	      D(("I/O handler %u encountered write error.\n", getpid()));
+	      __bro_openssl_shutdown(bc);
+	    }
+	  break;
+
+	case BRO_IOMSG_READ:
+	  if (bc->state->rx_dead)
+	    break;
+
+	  if (io_msg_fill_rx(bc) < 0)
+	    {
+	      D(("I/O handler %u encountered read error.\n", getpid()));
+	      __bro_openssl_shutdown(bc);
+	    }
+	  break;
+	}
+            
+      bc->state->io_msg = BRO_IOMSG_NONE;
+    }  
+}
diff --git a/aux/broccoli/src/bro_io.h b/aux/broccoli/src/bro_io.h
new file mode 100644
index 0000000000..62b4cace38
--- /dev/null
+++ b/aux/broccoli/src/bro_io.h
@@ -0,0 +1,142 @@
+/*
+       B R O C C O L I  --  The Bro Client Communications Library
+
+Copyright (C) 2004-2008 Christian Kreibich <christian (at) icir.org>
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to
+deal in the Software without restriction, including without limitation the
+rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+sell copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies of the Software and its documentation and acknowledgment shall be
+given in the documentation and software packages that this Software was
+used.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+*/
+#ifndef broccoli_io_h
+#define broccoli_io_h
+
+#include <broccoli.h>
+#include <bro_sobject.h>
+
+/**
+ * __bro_io_msg_new -- allocates a new message destined to a given peer.
+ */
+BroMsg * __bro_io_msg_new(char type, uint32 peer_id);
+
+/**
+ * __bro_io_msg_free -- releases message plus any data hooked into it.
+ * @msg: msg to free.
+ */
+void     __bro_io_msg_free(BroMsg *msg);
+
+/**
+ * __bro_io_msg_set_cont -- sets the content of a message.
+ * @msg: message to set content of.
+ * @type: type of the message, a BRO_MSG_CONT_xxx constant.
+ * @content: the content itself.
+ *
+ * The function sets @msg's content, of given @type, to @content.
+ * Note that __bro_io_msg_free will release the data pointed to
+ * by @content, depending on @type!
+ */
+void     __bro_io_msg_set_cont(BroMsg *msg, int type, void *content);
+
+int      __bro_io_msg_queue_flush(BroConn *bc);
+void     __bro_io_msg_queue_dump(BroConn *bc, const char *message);
+
+/**
+ * __bro_io_raw_queue -- enqueues raw data.
+ * @bc: connection handle.
+ * @type: type of the message, a BRO_MSG_xxx value.
+ * @data: raw bytes of data
+ * @data_len: length of @data.
+ *
+ * The function enqueues a message containing raw data for a
+ * message of type @type.
+ *
+ * Returns: %FALSE on error, %TRUE otherwise.
+ */
+int      __bro_io_raw_queue(BroConn *bc, int type,
+			    uchar *data, int data_len);
+
+/**
+ * __bro_io_rawbuf_queue -- enqueues raw buffer data.
+ * @bc: connection handle.
+ * @type: type of the message, a BRO_MSG_xxx value.
+ * @buf: buffer with payload to be enqueued.
+ *
+ * The function enqueues a message containing raw buffer data for a
+ * message of type @type.
+ *
+ * NOTE: @buf's ownership is taken over by the function. You do not
+ * need to clean it up, and should not expect the pointer to it to
+ * remain valid.
+ *
+ * Returns: %FALSE on error, %TRUE otherwise.
+ */
+int      __bro_io_rawbuf_queue(BroConn *bc, int type, BroBuf *buf);
+
+/**
+ * __bro_io_event_queue -- enqueues an event.
+ * @bc: connection handle.
+ * @ev: event handle.
+ *
+ * The function enqueues an event for later transmission.
+ *
+ * Returns: %FALSE on error, %TRUE otherwise.
+ */
+int      __bro_io_event_queue(BroConn *bc, BroEvent *ev);
+
+/**
+ * __bro_io_request_queue -- enqueues a request.
+ * @bc: connection handle.
+ * @req: request handle.
+ *
+ * The function enqueues an request for later transmission.
+ *
+ * Returns: %FALSE on error, %TRUE otherwise.
+ */
+int      __bro_io_request_queue(BroConn *bc, BroRequest *req);
+
+/**
+ * __bro_io_packet_queue - enqueues a pcap packet.
+ * @bc: connection handle.
+ * @packet: pcap packet.
+ *
+ * The function enqueues a pcap packet wrapped via bro_packet_new()
+ * for later transmission.
+ *
+ * Returns: %FALSE on error, %TRUE otherwise.
+ */
+#ifdef BRO_PCAP_SUPPORT
+int      __bro_io_packet_queue(BroConn *bc, BroPacket *packet);
+#endif
+
+
+int      __bro_io_process_input(BroConn *bc);
+
+void     __bro_io_writer_loop(BroConn *bc);
+
+/**
+ * __bro_io_loop -- performs I/O in the handler process.
+ * @bc: connection handle.
+ *
+ * This function is the implementation of the I/O handler processes.
+ * It sits in a blocking loop and depending on the request sent to it via
+ * bc->state->io_msg it performs the requested I/O operation. It does not
+ * return unless the connection encounters an error or teardown is requested.
+ */
+void     __bro_io_loop(BroConn *bc);
+
+#endif
diff --git a/aux/broccoli/src/bro_lexer.l b/aux/broccoli/src/bro_lexer.l
new file mode 100644
index 0000000000..0353e922e5
--- /dev/null
+++ b/aux/broccoli/src/bro_lexer.l
@@ -0,0 +1,42 @@
+%option noyywrap
+
+%{
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#include <string.h>
+#include "broccoli.h"
+#include "bro_debug.h"
+#include "bro_parser.h"
+
+int broerror(char *fmt, ...);
+#define yyerror broerror
+#define yylval brolval
+
+extern int bro_parse_lineno;
+
+%}
+
+
+%%
+[\[\]]	                 return yytext[0];
+
+yes|true|on    		 { yylval.i = 1; return BROINT; }
+no|false|off    	 { yylval.i = 0; return BROINT; }
+[ \t]+           	 ;
+[0-9]+                   { yylval.i = strtol(yytext, NULL, 10); return BROINT; }
+[0-9]+\.[0-9]+           { yylval.d = strtod(yytext, NULL); return BRODOUBLE; }
+[[:alnum:][:punct:]]+    { yylval.s = strdup(yytext); return BROWORD; }
+\".*\"                   { yylval.s = strdup(yytext+1);
+                           yylval.s[strlen(yylval.s) - 1] = '\0';
+                           return BROSTRING;
+                         }
+
+"#".*\n                  { bro_parse_lineno++; }
+"//".*\n                 { bro_parse_lineno++; }
+\n                       { bro_parse_lineno++; }
+
+.                        { D(("Syntax error: '%s'\n", yytext)); }
+
+%%
diff --git a/aux/broccoli/src/bro_list.c b/aux/broccoli/src/bro_list.c
new file mode 100644
index 0000000000..729a6a033d
--- /dev/null
+++ b/aux/broccoli/src/bro_list.c
@@ -0,0 +1,302 @@
+/*
+       B R O C C O L I  --  The Bro Client Communications Library
+
+Copyright (C) 2004-2008 Christian Kreibich <christian (at) icir.org>
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to
+deal in the Software without restriction, including without limitation the
+rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+sell copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies of the Software and its documentation and acknowledgment shall be
+given in the documentation and software packages that this Software was
+used.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+*/
+#if HAVE_CONFIG_H
+# include <config.h>
+#endif
+#include <unistd.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+#include <bro_debug.h>
+#include <bro_list.h>
+
+struct bro_list
+{
+  struct bro_list *prev;
+  struct bro_list *next;
+  void            *data;
+};
+
+
+BroList *
+__bro_list_new(void *data)
+{
+  BroList *l;
+
+  l = calloc(1, sizeof(BroList));
+  l->prev = l->next = NULL;
+  l->data = data;
+
+  return l;
+}
+
+
+void      
+__bro_list_free(BroList *l, BroFunc free_func)
+{
+  BroList *lnext;
+
+  while (l)
+    {
+      lnext = l->next;
+      if (l->data && free_func)
+	{
+	  free_func(l->data);     
+	}
+      free(l);
+      l = lnext;
+    }
+}
+
+
+BroList *
+__bro_list_head(BroList *l)
+{
+  if (!l)
+    return NULL;
+
+  while (l->prev)
+    l = l->prev;
+  
+  return l;
+}
+
+
+BroList *
+__bro_list_next(BroList *l)
+{
+  if (!l)
+    return NULL;
+
+  return l->next;
+}
+
+
+BroList *
+__bro_list_prev(BroList *l)
+{
+  if (!l)
+    return NULL;
+
+  return l->prev;
+}
+
+
+BroList *
+__bro_list_nth(BroList *l, int n)
+{
+  while (l && n > 0)
+    {
+      l = l->next;
+      n--;
+    }
+
+  return l;
+}
+
+
+int      
+__bro_list_length(BroList *l)
+{
+  int i = 0;
+
+  while (l)
+    {
+      i++;
+      l = l->next;
+    }
+
+  return i;
+}
+
+
+BroList *
+__bro_list_append(BroList *l, void *data)
+{
+  BroList *ltmp = NULL;
+  BroList *lnew = NULL;
+
+  lnew = __bro_list_new(data);
+
+  if (l)
+    {
+      ltmp = l;
+
+      while (ltmp->next)
+	ltmp = ltmp->next;
+ 
+      ltmp->next = lnew;
+    }
+
+  lnew->prev = ltmp;
+  return l ? l : lnew;
+}
+
+
+BroList *
+__bro_list_prepend(BroList *l, void *data)
+{
+  BroList *lnew;
+
+  lnew = __bro_list_new(data);
+  lnew->next = l;
+
+  if (l)
+    l->prev = lnew;
+
+  return lnew;
+}
+
+
+BroList *
+__bro_list_insert(BroList *l, void *data)
+{
+  BroList *new;
+
+  /* Data item can be NULL if user wants that */
+  if (!l)
+    return NULL;
+
+  new = __bro_list_new(data);
+  new->next = l->next;
+  new->prev = l;
+  
+  l->next = new;
+
+  if (new->next)
+    new->next->prev = l;
+  
+  return new;
+}
+
+
+BroList *
+__bro_list_remove(BroList *l, BroList *item)
+{
+  BroList *prev;
+  BroList *next;
+
+  if (!l)
+    return NULL;
+
+  prev = item->prev;
+  next = item->next;
+  free(item);
+
+  /* first item */
+  if (!prev)
+    {
+      if (!next)
+	return NULL;
+      else
+	{
+	  next->prev = NULL;
+	  return next;
+	}
+    }
+
+  /* last item */
+  if (!next)
+    {
+      if (!prev)
+	return l;
+      else
+	{
+	  prev->next = NULL;
+	  return l;
+	}      
+    }
+
+  /* middle item */
+  prev->next = next;
+  next->prev = prev;
+
+  return l;
+}
+
+
+void     *
+__bro_list_data(BroList *l)
+{
+  if (!l)
+    return NULL;
+
+  return l->data;
+}
+
+
+void    *
+__bro_list_set_data(BroList *l, void *data)
+{
+  void *result;
+
+  if (!l)
+    return NULL;
+
+  result = l->data;
+  l->data = data;
+
+  return result;
+}
+
+
+BroList *
+__bro_list_move_to_front(BroList *l, BroList *item)
+{
+  BroList *prev;
+  BroList *next;
+
+  if (!l || !item)
+    return NULL;
+
+  prev = item->prev;
+  next = item->next;
+
+  /* first item already */
+  if (!prev)
+    return l;
+
+  /* last item */
+  if (!next)
+    {
+      prev->next = NULL;
+      item->prev = NULL;
+      item->next = l;
+      l->prev = item;
+
+      return item;
+    }      
+
+  /* middle item */
+  prev->next = next;
+  next->prev = prev;
+
+  item->next = l;
+  item->prev = NULL;
+  l->prev = item;
+
+  return item;
+}
diff --git a/aux/broccoli/src/bro_list.h b/aux/broccoli/src/bro_list.h
new file mode 100644
index 0000000000..84479425cb
--- /dev/null
+++ b/aux/broccoli/src/bro_list.h
@@ -0,0 +1,94 @@
+/*
+       B R O C C O L I  --  The Bro Client Communications Library
+
+Copyright (C) 2004-2008 Christian Kreibich <christian (at) icir.org>
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to
+deal in the Software without restriction, including without limitation the
+rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+sell copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies of the Software and its documentation and acknowledgment shall be
+given in the documentation and software packages that this Software was
+used.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+*/
+#ifndef broccoli_list_h
+#define broccoli_list_h
+
+typedef struct bro_list BroList;
+typedef void(*BroFunc) (void *data);
+
+/* Create new list with data item.
+ */
+BroList *__bro_list_new(void *data);
+
+/* Erase entire list, applying free_func to each item
+ * in order to free it. Pass %NULL for free_func if no-op
+ * is desired.
+ */
+void     __bro_list_free(BroList *l, BroFunc free_func);
+
+/* Given list element, returns the head of list by
+ * walking back to it.
+ */
+BroList *__bro_list_head(BroList *l);
+
+/* Next/prev items. */
+BroList *__bro_list_next(BroList *l);
+BroList *__bro_list_prev(BroList *l);
+
+/* Returns nth list member, starting at 0, or NULL if not found.
+ */
+BroList *__bro_list_nth(BroList *l, int n);
+
+/* Returns length of list, or 0 on error.
+ */
+int      __bro_list_length(BroList *l);
+
+/* Appends item to end of list and returns pointer to
+ * the list. NOTE: O(N) runtime. Try to use
+ * __bro_list_prepend() or track last list
+ * element in case lists contain more than a handful
+ * of elements.
+ */
+BroList *__bro_list_append(BroList *l, void *data);
+
+/* Prepends item and returns pointer to it.
+ */
+BroList *__bro_list_prepend(BroList *l, void *data);
+
+/* Inserts new node for @data after @l.
+ * Returns pointer to new item.
+ */
+BroList *__bro_list_insert(BroList *l, void *data);
+
+/* Removes a node and returns a pointer to the first
+ * element of the resulting list.
+ */
+BroList *__bro_list_remove(BroList *l, BroList *ll);
+
+/* List node data element accessor.
+ */
+void    *__bro_list_data(BroList *l);
+
+/* Set data of list node, return old ones.
+ */
+void    *__bro_list_set_data(BroList *l, void *data);
+
+/* Moves an item to the front of the list. For implementing
+ * MRU/LRU schemes.
+ */
+BroList *__bro_list_move_to_front(BroList *l, BroList *item);
+
+#endif
diff --git a/aux/broccoli/src/bro_location.c b/aux/broccoli/src/bro_location.c
new file mode 100644
index 0000000000..38f342f815
--- /dev/null
+++ b/aux/broccoli/src/bro_location.c
@@ -0,0 +1,212 @@
+/*
+       B R O C C O L I  --  The Bro Client Communications Library
+
+Copyright (C) 2004-2008 Christian Kreibich <christian (at) icir.org>
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to
+deal in the Software without restriction, including without limitation the
+rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+sell copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies of the Software and its documentation and acknowledgment shall be
+given in the documentation and software packages that this Software was
+used.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+*/
+#if HAVE_CONFIG_H
+# include <config.h>
+#endif
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <sys/types.h>
+#include <string.h>
+#include <unistd.h>
+#include <errno.h>
+#include <sys/time.h>
+
+#ifdef __EMX__
+#include <strings.h>
+#endif 
+
+#include <bro_debug.h>
+#include <bro_location.h>
+
+BroLoc      *
+__bro_loc_new(void)
+{
+  BroLoc *loc;
+
+  D_ENTER;
+
+  if (! (loc = calloc(1, sizeof(BroLoc)))) {
+    D_RETURN_(NULL);
+  }
+
+  __bro_loc_init(loc);
+  
+  D_RETURN_(loc);
+}
+
+
+void
+__bro_loc_init(BroLoc *loc)
+{
+  BroSObject *sobj = (BroSObject *) loc;
+
+  D_ENTER;
+
+  __bro_sobject_init(sobj);
+
+  sobj->read  = (BroSObjectRead) __bro_loc_read;
+  sobj->write = (BroSObjectWrite)__bro_loc_write;
+  sobj->free  = (BroSObjectFree) __bro_loc_free;
+  sobj->clone = (BroSObjectClone) __bro_loc_clone;
+  sobj->hash  = (BroSObjectHash) __bro_loc_hash;
+  sobj->cmp   = (BroSObjectCmp) __bro_loc_cmp;
+  
+  sobj->type_id = SER_LOCATION;
+  bro_string_init(&loc->filename);
+
+  D_RETURN;
+}
+
+
+void
+__bro_loc_free(BroLoc *loc)
+{
+  D_ENTER;
+
+  if (! loc)
+    D_RETURN;
+
+  bro_string_cleanup(&loc->filename);
+  __bro_sobject_free((BroSObject *) loc);
+
+  D_RETURN;
+}
+
+
+int
+__bro_loc_read(BroLoc *loc, BroConn *bc)
+{
+  D_ENTER;
+  
+  if (! loc || ! bc)
+    D_RETURN_(FALSE);
+  
+  if (! __bro_sobject_read((BroSObject *) loc, bc))
+    D_RETURN_(FALSE);
+
+  if (! __bro_buf_read_string(bc->rx_buf, &loc->filename))
+    D_RETURN_(FALSE);  
+  if (! __bro_buf_read_int(bc->rx_buf, &loc->first_line))
+    D_RETURN_(FALSE);
+  if (! __bro_buf_read_int(bc->rx_buf, &loc->last_line))
+    D_RETURN_(FALSE);
+  if (! __bro_buf_read_int(bc->rx_buf, &loc->first_column))
+    D_RETURN_(FALSE);
+  if (! __bro_buf_read_int(bc->rx_buf, &loc->last_column))
+    D_RETURN_(FALSE);
+  
+  D_RETURN_(TRUE);
+}
+
+
+int
+__bro_loc_write(BroLoc *loc, BroConn *bc)
+{
+  D_ENTER;
+
+  if (! loc || ! bc)
+    D_RETURN_(FALSE);
+  
+  if (! __bro_sobject_write((BroSObject *) loc, bc))
+    D_RETURN_(FALSE);
+
+  if (! __bro_buf_write_string(bc->tx_buf, &loc->filename))
+    D_RETURN_(FALSE);
+  if (! __bro_buf_write_int(bc->tx_buf, loc->first_line))
+    D_RETURN_(FALSE);  
+  if (! __bro_buf_write_int(bc->tx_buf, loc->last_line))
+    D_RETURN_(FALSE);
+  if (! __bro_buf_write_int(bc->tx_buf, loc->first_column))
+    D_RETURN_(FALSE);
+  if (! __bro_buf_write_int(bc->tx_buf, loc->last_column))
+    D_RETURN_(FALSE);
+
+  D_RETURN_(TRUE);
+}
+
+
+int
+__bro_loc_clone(BroLoc *dst, BroLoc *src)
+{
+  BroString *string;
+
+  D_ENTER;
+
+  if (! __bro_sobject_clone((BroSObject *) dst, (BroSObject *) src))
+    D_RETURN_(FALSE);
+  
+  if (! (string = bro_string_copy(&src->filename)))
+    D_RETURN_(FALSE);
+  
+  dst->filename = *string;
+  dst->first_line = src->first_line;
+  dst->last_line = src->last_line;
+  dst->first_column = src->first_column;
+  dst->last_column = src->last_column;
+  
+  D_RETURN_(TRUE);
+}
+
+
+uint32
+__bro_loc_hash(BroLoc *loc)
+{
+  uint32 result;
+
+  D_ENTER;
+
+  if (! loc)
+    D_RETURN_(0);
+
+  result = __bro_ht_str_hash(loc->filename.str_val);
+  result ^= loc->first_line;
+  result ^= loc->last_line;
+  result ^= loc->first_column;
+  result ^= loc->last_column;
+
+  D_RETURN_(result);
+
+}
+
+
+int
+__bro_loc_cmp(BroLoc *loc1, BroLoc *loc2)
+{
+  D_ENTER;
+
+  if (! __bro_ht_str_cmp(loc1->filename.str_val, loc2->filename.str_val))
+    D_RETURN_(FALSE);
+  
+  if (loc1->first_line != loc2->first_line ||
+      loc1->last_line != loc2->last_line ||
+      loc1->first_column < loc2->first_column ||
+      loc1->last_column < loc2->last_column ||
+      loc1->last_column > loc2->last_column)
+    D_RETURN_(FALSE);
+  
+  D_RETURN_(TRUE);
+}
diff --git a/aux/broccoli/src/bro_location.h b/aux/broccoli/src/bro_location.h
new file mode 100644
index 0000000000..4843a31299
--- /dev/null
+++ b/aux/broccoli/src/bro_location.h
@@ -0,0 +1,56 @@
+/*
+       B R O C C O L I  --  The Bro Client Communications Library
+
+Copyright (C) 2004-2008 Christian Kreibich <christian (at) icir.org>
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to
+deal in the Software without restriction, including without limitation the
+rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+sell copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies of the Software and its documentation and acknowledgment shall be
+given in the documentation and software packages that this Software was
+used.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+*/
+#ifndef broccoli_location_h
+#define broccoli_location_h
+
+#include <bro_types.h>
+#include <bro_sobject.h>
+
+typedef struct bro_loc BroLoc;
+
+struct bro_loc
+{
+  BroSObject       sobject;
+  
+  BroString        filename;
+  uint32           first_line;
+  uint32           last_line;
+  uint32           first_column;
+  uint32           last_column;
+};
+
+BroLoc          *__bro_loc_new(void);
+void             __bro_loc_init(BroLoc *loc);
+void             __bro_loc_free(BroLoc *loc);
+
+int              __bro_loc_read(BroLoc *loc, BroConn *bc);
+int              __bro_loc_write(BroLoc *loc, BroConn *bc);
+int              __bro_loc_clone(BroLoc *dst, BroLoc *src);
+
+uint32           __bro_loc_hash(BroLoc *loc);
+int              __bro_loc_cmp(BroLoc *loc1, BroLoc *loc2);
+
+#endif
diff --git a/aux/broccoli/src/bro_object.c b/aux/broccoli/src/bro_object.c
new file mode 100644
index 0000000000..f388c80984
--- /dev/null
+++ b/aux/broccoli/src/bro_object.c
@@ -0,0 +1,183 @@
+/*
+       B R O C C O L I  --  The Bro Client Communications Library
+
+Copyright (C) 2004-2008 Christian Kreibich <christian (at) icir.org>
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to
+deal in the Software without restriction, including without limitation the
+rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+sell copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies of the Software and its documentation and acknowledgment shall be
+given in the documentation and software packages that this Software was
+used.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+*/
+#if HAVE_CONFIG_H
+# include <config.h>
+#endif
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <sys/types.h>
+#include <string.h>
+#include <unistd.h>
+#include <errno.h>
+#include <sys/time.h>
+
+#ifdef __EMX__
+#include <strings.h>
+#endif 
+
+#include <bro_debug.h>
+#include <bro_location.h>
+#include <bro_object.h>
+
+BroObject      *
+__bro_object_new(void)
+{
+  BroObject *obj;
+
+  D_ENTER;
+
+  if (! (obj = calloc(1, sizeof(BroObject))))
+    D_RETURN_(NULL);
+
+  __bro_object_init(obj);
+
+  D_RETURN_(obj);
+}
+
+void
+__bro_object_init(BroObject *obj)
+{
+  BroSObject *sobj = (BroSObject *) obj;
+
+  D_ENTER;
+
+  __bro_sobject_init(sobj);
+
+  sobj->read  = (BroSObjectRead) __bro_object_read;
+  sobj->write = (BroSObjectWrite)__bro_object_write;
+  sobj->free  = (BroSObjectFree) __bro_object_free;
+  sobj->clone = (BroSObjectClone) __bro_object_clone;
+  sobj->hash  = (BroSObjectHash) __bro_object_hash;
+  sobj->cmp   = (BroSObjectCmp) __bro_object_cmp;
+  
+  D_RETURN;
+}
+
+void
+__bro_object_free(BroObject *obj)
+{
+  D_ENTER;
+
+  if (! obj)
+    D_RETURN;
+  
+  __bro_sobject_release((BroSObject *) obj->loc);
+  __bro_sobject_free((BroSObject *) obj);
+  
+  D_RETURN;
+}
+
+
+int
+__bro_object_read(BroObject *obj, BroConn *bc)
+{
+  char opt;
+
+  D_ENTER;
+
+  if (! __bro_sobject_read((BroSObject *) obj, bc))
+    D_RETURN_(FALSE);
+    
+  if (! __bro_buf_read_char(bc->rx_buf, &opt))
+    D_RETURN_(FALSE);
+  if (opt)
+    {
+      if (! (obj->loc = (BroLoc *) __bro_sobject_unserialize(SER_LOCATION, bc)))
+	D_RETURN_(FALSE);      
+    }
+
+  D_RETURN_(TRUE);
+}
+
+
+int
+__bro_object_write(BroObject *obj, BroConn *bc)
+{
+  D_ENTER;
+  
+  if (! __bro_sobject_write((BroSObject *) obj, bc))
+    D_RETURN_(FALSE);
+  
+  if (! __bro_buf_write_char(bc->tx_buf, obj->loc ? 1 : 0))
+    D_RETURN_(FALSE);
+
+  if (obj->loc && ! __bro_sobject_serialize((BroSObject *) obj->loc, bc))
+    D_RETURN_(FALSE);
+  
+  D_RETURN_(TRUE);
+}
+
+
+int
+__bro_object_clone(BroObject *dst, BroObject *src)
+{
+  D_ENTER;
+  
+  if (! __bro_sobject_clone((BroSObject *) dst, (BroSObject *) src))
+    {
+      D(("Cloning parent failed.\n"));
+      D_RETURN_(FALSE);
+    }
+  
+  if (src->loc && ! (dst->loc = (BroLoc *) __bro_sobject_copy((BroSObject *) src->loc)))
+    {
+      D(("Cloning location failed.\n"));
+      D_RETURN_(FALSE);
+    }
+  
+  D_RETURN_(TRUE);
+}
+
+
+uint32
+__bro_object_hash(BroObject *obj)
+{
+  uint32 result;
+  
+  D_ENTER;
+
+  if (! obj)
+    D_RETURN_(0);
+  
+  result = __bro_sobject_hash((BroSObject *) obj);
+  result ^= __bro_loc_hash(obj->loc);
+
+  D_RETURN_(result);
+
+}
+
+
+int
+__bro_object_cmp(BroObject *obj1, BroObject *obj2)
+{
+  D_ENTER;
+  
+  if (! obj1 || ! obj2)
+    D_RETURN_(FALSE);
+  
+  D_RETURN_(__bro_loc_cmp(obj1->loc, obj2->loc));
+}
diff --git a/aux/broccoli/src/bro_object.h b/aux/broccoli/src/bro_object.h
new file mode 100644
index 0000000000..b5fdca6b8b
--- /dev/null
+++ b/aux/broccoli/src/bro_object.h
@@ -0,0 +1,51 @@
+/*
+       B R O C C O L I  --  The Bro Client Communications Library
+
+Copyright (C) 2004-2008 Christian Kreibich <christian (at) icir.org>
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to
+deal in the Software without restriction, including without limitation the
+rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+sell copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies of the Software and its documentation and acknowledgment shall be
+given in the documentation and software packages that this Software was
+used.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+*/
+#ifndef broccoli_object_h
+#define broccoli_object_h
+
+#include <bro_location.h>
+#include <bro_sobject.h>
+
+typedef struct bro_object
+{
+  /* See comments in bro_sobject.h for how Broccoli models
+   * classes, objects, and inheritance. --cpk
+   */
+  BroSObject       sobject;
+  BroLoc          *loc;
+} BroObject;
+
+BroObject       *__bro_object_new(void);
+void             __bro_object_init(BroObject *obj);
+void             __bro_object_free(BroObject *obj);
+
+int              __bro_object_read(BroObject *obj, BroConn *bc);
+int              __bro_object_write(BroObject *obj, BroConn *bc);
+int              __bro_object_clone(BroObject *dst, BroObject *src);
+uint32           __bro_object_hash(BroObject *obj);
+int              __bro_object_cmp(BroObject *obj1, BroObject *obj2);
+
+#endif
diff --git a/aux/broccoli/src/bro_openssl.c b/aux/broccoli/src/bro_openssl.c
new file mode 100644
index 0000000000..cd1fbccfe5
--- /dev/null
+++ b/aux/broccoli/src/bro_openssl.c
@@ -0,0 +1,730 @@
+/*
+       B R O C C O L I  --  The Bro Client Communications Library
+
+Copyright (C) 2004-2008 Christian Kreibich <christian (at) icir.org>
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to
+deal in the Software without restriction, including without limitation the
+rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+sell copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies of the Software and its documentation and acknowledgment shall be
+given in the documentation and software packages that this Software was
+used.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+*/
+#if HAVE_CONFIG_H
+# include <config.h>
+#endif
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <sys/types.h>
+#include <sys/param.h>
+#include <sys/stat.h>
+#include <unistd.h>
+#include <errno.h>
+#include <string.h>
+#include <strings.h>
+#include <signal.h>
+#include <netdb.h>
+
+#ifdef __MINGW32__
+#include <winsock.h>
+#else
+#include <fcntl.h>
+#include <sys/socket.h>
+#include <arpa/inet.h>
+#include <sys/un.h>
+#include <netinet/in.h>
+#endif
+
+#ifdef __EMX__
+#include <sys/select.h>
+#endif 
+
+#include <openssl/bio.h>
+#include <openssl/err.h>
+#include <openssl/rand.h>
+#include <openssl/ssl.h>
+#include <openssl/x509v3.h>
+
+#include <broccoli.h>
+#include <bro_types.h>
+#include <bro_debug.h>
+#include <bro_config.h>
+#include <bro_openssl.h>
+
+/* PLEASE NOTE: this file deals with handling I/O through OpenSSL in
+ * an unencrypted and an encrypted fashion. There are no ifdefs for one
+ * mode or the other, because using OpenSSL connection abstraction helps
+ * portability so we always use OpenSSL, even when not encryting traffic.
+ *
+ * Encryption is automatically attempted if the certificate files can be
+ * read from configuration items "/broccoli/host_cert" and "/broccoli/ca_cert".
+ * (Note that when Bro peers communicate over an encrypted channel, they
+ * both need to certify themselves).
+ *
+ * Much of the code here is from the O'Reilly book on OpenSSL, by Viega,
+ * Messier, and Chandra. However the problem with their example application
+ * is that they use SSL_read/SSL_write, thus losing the transparency of
+ * the generic BIO_... functions regarding the use of encryption (we do
+ * allow for plaintext communication as well). Since I don't want to write
+ * duplicate code for the encrypted and unencrypted traffic, I use the
+ * approach given in man BIO_f_ssl(3), which uses BIO_new_ssl_connect()
+ * so I can still speak into a BIO at all times. In the case of no encryption,
+ * it'll simply be a regular BIO.
+ *
+ * We currently do not support the following:
+ * - ephemeral keying.
+ * - session caching.
+ *
+ * I haven't specifically looked at whether this code supports session
+ * renegotiation.
+ */
+
+/* Broccoli initialization context; defined in bro.c. */
+extern const BroCtx *global_ctx;
+
+/* The connection creation context. If this context is NULL,
+ * it means we are not using encryption.
+ */
+static SSL_CTX *ctx = NULL;
+
+#ifdef BRO_DEBUG
+static void
+print_errors(void)
+{
+  if (bro_debug_messages)
+    {
+      D(("OpenSSL error dump:\n"));
+      if (ERR_peek_error() == 0)
+	fprintf(stdout, "--> %s\n", strerror(errno));
+      else
+	ERR_print_errors_fp(stdout);
+    }
+}
+#else
+#define print_errors()
+#endif
+
+
+static int
+verify_cb(int ok, X509_STORE_CTX *store)
+{
+  char data[256];
+  int depth, err;
+  X509 *cert;
+
+  if (ok)
+    return ok;
+
+  cert = X509_STORE_CTX_get_current_cert(store);
+  depth = X509_STORE_CTX_get_error_depth(store);
+  err = X509_STORE_CTX_get_error(store);
+  
+  D(("Handshake failure: verification problem at depth %i:\n", depth));
+  X509_NAME_oneline(X509_get_issuer_name(cert), data, 256);
+  D(("  issuer  = %s\n", data));
+  X509_NAME_oneline(X509_get_subject_name(cert), data, 256);
+  D(("  subject = %s\n", data));
+  D(("  error code %i: %s\n", err, X509_verify_cert_error_string(err)));
+  
+  return ok;
+}
+
+
+static int
+prng_init_file(char *file)
+{
+  struct stat st;
+  int fd, flags, i;
+  uchar buf[1024];
+  
+  /* Check if file  is available, and try to seed the PRNG
+   * from it. If things fail, do nothing and rely on OpenSSL to
+   * initialize from /dev/urandom.
+   */
+  
+  if (stat(file, &st) != 0)
+    {
+      D(("%s does not exist, not seeding from it.\n", file));
+      return FALSE;
+    }
+    
+  /* Now we need to figure out how much entropy the device
+   * can provide. We try to read 1K, and accept if it can
+   * read at least 256 bytes.
+   */
+  if ( (fd = open(file, O_RDONLY)) < 0)
+    {
+      D(("Could not read from %s.\n", file));
+      return FALSE;
+    }
+    
+  if ( (flags = fcntl(fd, F_GETFL, 0)) < 0)
+    {
+      D(("can't obtain socket flags: %s", strerror(errno)));
+      close(fd);
+      return FALSE;
+    }
+  
+  if ( fcntl(fd, F_SETFL, flags|O_NONBLOCK) < 0 )
+    {
+      D(("can't set fd to non-blocking: %s.", strerror(errno)));
+      close(fd);
+      return FALSE;
+    }
+    
+  if ( (i = read(fd, buf, 1024)) < 256)
+    {
+      D(("Could only read %i bytes from %s, not enough.\n", i, file));
+      close(fd);
+      return FALSE;
+    }
+  
+  D(("Seeding PRNG from %s, using %i bytes.\n", file, i));
+  close(fd);
+  RAND_seed(buf, i);
+  
+  return TRUE;
+}
+
+
+
+static void
+prng_init(void)
+{
+  static int deja_vu = FALSE;
+  
+  if (deja_vu)
+    return;
+  
+  if (prng_init_file("/dev/random"))
+    {
+      deja_vu = TRUE;
+      return;
+    }
+
+  if (prng_init_file("/dev/urandom"))
+    {
+      deja_vu = TRUE;
+      return;
+    }
+  
+  D(("*** CAUTION: Unable to initialize random number generator ***\n"));
+}
+
+
+static int
+pem_passwd_cb(char *buf, int size, int rwflag, void *pass)
+{
+  /* Note that if |pass| < size, the remainder in buf will be
+   * zero-padded by strncpy().
+   */
+  strncpy(buf, (char *) pass, size);
+  buf[size - 1] = '\0';
+
+  return strlen(buf);
+  rwflag = 0;
+}
+
+int
+__bro_openssl_init(void)
+{
+  static int deja_vu = FALSE;
+  int use_ssl = FALSE;
+  const char *our_cert, *our_pass, *ca_cert;
+  
+  D_ENTER;
+
+  if (deja_vu)
+    D_RETURN_(TRUE);
+
+  deja_vu = TRUE;
+
+  /* I hope these should go before SSL_library_init() -- not even the
+   * O'Reilly book is clear on that. :( --cpk
+   */
+  if (global_ctx)
+    {
+      if (global_ctx->id_func)
+	CRYPTO_set_id_callback(global_ctx->id_func);
+      if (global_ctx->lock_func)
+	CRYPTO_set_locking_callback(global_ctx->lock_func);
+      if (global_ctx->dl_create_func)
+	CRYPTO_set_dynlock_create_callback(global_ctx->dl_create_func);
+      if (global_ctx->dl_lock_func)
+	CRYPTO_set_dynlock_lock_callback(global_ctx->dl_lock_func);
+      if (global_ctx->dl_free_func)
+	CRYPTO_set_dynlock_destroy_callback(global_ctx->dl_free_func);
+    }
+  
+  SSL_library_init();
+  prng_init();
+  
+#ifdef BRO_DEBUG
+  D(("Loading OpenSSL error strings for debugging\n"));
+  SSL_load_error_strings();
+#endif
+
+  if (__bro_conf_get_int("/broccoli/use_ssl", &use_ssl) && ! use_ssl)
+    {
+      D(("SSL disabled in configuration, not using SSL.\n"));
+      D_RETURN_(TRUE);
+    }
+
+  if (! (our_cert = __bro_conf_get_str("/broccoli/host_cert")))
+    {
+      if (use_ssl)
+	{
+	  D(("SSL requested but host certificate not given -- aborting.\n"));
+	  D_RETURN_(FALSE);
+	}
+      else
+	{
+	  D(("use_ssl not used and host certificate not given -- not using SSL.\n"));
+	  D_RETURN_(TRUE);
+	}
+    }
+
+  /* At this point we either haven't seen use_ssl but a host_cert, or
+   * we have seen use_ssl and it is set to true. Either way, we attempt
+   * to set up an SSL connection now and abort if this fails in any way.
+   */
+
+  if (! (ctx = SSL_CTX_new(SSLv3_method())))
+    D_RETURN_(FALSE);
+  
+  /* We expect things to be stored in PEM format, which means that we
+   * can store multiple entities in one file. In this case, our own
+   * certificate is expected to be stored along with the private key
+   * in the file pointed to by preference setting /broccoli/certificate.
+   *
+   * See page 121 in O'Reilly's OpenSSL book for details.
+   */
+  if (SSL_CTX_use_certificate_chain_file(ctx, our_cert) != 1)
+    {
+      D(("Error loading certificate from '%s'.\n", our_cert));
+      goto error_return;
+    }
+  
+  if ( (our_pass = __bro_conf_get_str("/broccoli/host_pass")))
+    {
+      D(("Host passphrase given in config file, not prompting for input.\n"));
+      SSL_CTX_set_default_passwd_cb(ctx, pem_passwd_cb);
+      SSL_CTX_set_default_passwd_cb_userdata(ctx, (void *) our_pass);
+    }
+  
+  if (SSL_CTX_use_PrivateKey_file(ctx, our_cert, SSL_FILETYPE_PEM) != 1)
+    {
+      D(("SSL used but error loading private key from '%s' -- aborting.\n", our_cert));
+      goto error_return;
+    }
+  
+  /* We should not need the passphrase, if existant, ever again.
+   * Therefore we erase it from memory now.
+   */
+  if (our_pass)
+    {
+      our_pass = NULL;
+      __bro_conf_forget_item("/broccoli/host_pass");
+    }
+
+  /* For validation purposes, our trusted CA's certificate will
+   * be needed as well:
+   */
+  if (! (ca_cert = __bro_conf_get_str("/broccoli/ca_cert")))
+    {
+      D(("SSL used but CA certificate not given -- aborting."));
+      goto error_return;
+    }
+  
+  if (! SSL_CTX_load_verify_locations(ctx, ca_cert, 0))
+    {
+      D(("SSL used but CA certificate could not be loaded -- aborting\n"));
+      goto error_return;
+    }
+  
+  /* Only use real ciphers.
+   */
+  if (! SSL_CTX_set_cipher_list(ctx, "HIGH"))
+    {
+      D(("SSL used but can't set cipher list -- aborting\n"));
+      goto error_return;
+    }
+  
+  /* We require certificates from all communication peers, regardless of
+   * whether we're the "server" or "client" (these concepts are blurred in our
+   * case anyway). In order to be able to give better error feedback, we
+   * add our own verification filter callback, "verify_cb".
+   */
+  SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
+		     verify_cb);
+  
+  D(("SSL setup successful.\n"));
+  D_RETURN_(TRUE);
+  
+ error_return:
+  SSL_CTX_free(ctx);
+  ctx = NULL;
+  D_RETURN_(FALSE);
+}
+
+int
+__bro_openssl_rand_bytes(u_char *buf, int num)
+{
+  if (! buf || num <= 0)
+    return FALSE;
+
+  /* Make sure PRNG is initialized; has effect only once. */
+  prng_init();
+
+  if (RAND_bytes(buf, num) > 0)
+    return TRUE;
+  
+  RAND_pseudo_bytes(buf, num);
+  return TRUE;
+}
+
+
+int
+__bro_openssl_encrypted(void)
+{
+  return ctx != NULL;
+}
+
+static int
+openssl_connect_impl(BIO *bio, int with_hack)
+{
+  int sockfd, port;
+  struct sockaddr_in addr;
+  char *hostname, *colon;
+  struct hostent *he;
+ 
+  /* Okay, I must ask you not to scream now. All the rest of this function
+   * is to make sure that we detect whether the peer is listening or not.
+   * OpenSSL sometimes considers failure to connect() a temporary problem
+   * and I cannot figure out a way to force it to give up when connection
+   * establishment fails. So we establish our own connection and tear it
+   * down right away in case we succeeded. Unfortunately I cannot seem to
+   * figure out a way to just make OpenSSL use the existing connection
+   * either. It's such a mess.
+   */
+
+  /* In the encrypted case we do not have this problem, since the handshake
+   * here is a real one that only succeeds when the remote side answers.
+   */
+  if (ctx)
+    return BIO_do_connect(bio);
+  
+  if (! with_hack)
+    return 1;
+
+  /* I've found BIO_get_conn_...() to be broken even after calling
+   * BIO_do_connect() first, so I'm just doing this whole crap here
+   * manually to get to hostname and port.
+   */
+  if (! (hostname = strdup(BIO_get_conn_hostname(bio))))
+    {
+      D(("Out of memory.\n"));
+      return 0;
+    }
+
+  if (! (colon = strchr(hostname, ':')))
+    {
+      free(hostname);
+      return 0;
+    }
+
+  *colon = '\0';
+  port = atoi(colon + 1);
+  D(("OpenSSL kludge: manual connection to %s:%s\n", hostname, colon+1));
+  
+  if (! (he = gethostbyname(hostname)))
+    {
+      D(("gethostbyname() failed.\n"));
+      free(hostname);
+      return 0;
+    }
+  
+  free(hostname);
+  
+  if (he->h_addr_list[0] == NULL)
+    {
+      D(("Could not resolve hostname.\n"));
+      return 0;
+    }
+  
+  if ( (sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0)
+    {
+      D(("Could not create socket: %s\n", strerror(errno)));   
+      return 0;
+    }
+  
+  bzero(&addr, sizeof(struct sockaddr_in));
+  addr.sin_family = AF_INET;
+  addr.sin_port = htons(port);
+  addr.sin_addr = *((struct in_addr *) he->h_addr_list[0]);
+
+  if (connect(sockfd, (struct sockaddr *) &addr, sizeof(struct sockaddr_in)) != 0)
+    goto error_return;
+
+  close(sockfd);
+  return 1;
+
+ error_return:
+  D(("Connection error: %s\n", strerror(errno)));
+  close(sockfd);
+  return 0;
+}
+
+
+static int
+openssl_connect(BroConn *bc, int with_hack)
+{
+ int flags;
+  BIO *bio = NULL;
+
+  D_ENTER;
+
+  if (! bc || ! bc->peer || ! *(bc->peer))
+    D_RETURN_(FALSE);
+  
+  /* Make sure OpenSSL is initialised -- this has effect only once */
+  if (! __bro_openssl_init())
+    D_RETURN_(FALSE);
+
+  /* If we got a socket, we wrap it into a BIO and are done. */
+  if (bc->socket >= 0)
+    {
+      if (! (bio = BIO_new_socket(bc->socket, BIO_CLOSE)))
+	{
+	  D(("Error creating connection BIO from socket.\n"));
+	  goto err_return;
+	}
+
+      if ( (flags = fcntl(bc->socket, F_GETFL, 0)) < 0)
+	{
+	  D(("Error getting socket flags.\n"));
+	  goto err_return;
+	}
+	
+	if ( fcntl(bc->socket, F_SETFL, flags|O_NONBLOCK) < 0 )
+	{
+	  D(("Error setting socket to non-blocking.\n"));
+	  goto err_return;
+	}
+	
+	/* Don't know whether this is needed but it does not hurt either. 
+	 * It is however not sufficient to just call this; we manually need to
+	 * set the socket to non-blocking as done above. */
+	BIO_set_nbio(bio, 1);
+
+	bc->bio = bio;
+	D(("Connection created from externally provided socket.\n"));
+	D_RETURN_(TRUE);
+    }
+
+  /* If we managed to set up a context object, we use encryption. */
+  if (ctx)
+    {
+      if (! (bio = BIO_new_ssl_connect(ctx)))
+	{
+	  D(("Error creating SSL connection BIO.\n"));
+	  goto err_return;
+	}
+
+      BIO_set_conn_hostname(bio, bc->peer);
+    }
+  else
+    {
+      if (! (bio = BIO_new_connect(bc->peer)))
+	{
+	  D(("Error creating non-SSL connection BIO.\n"));
+	  goto err_return;
+	}
+    }
+
+  /* BIO_set_nbio's manpage says we need to set nonblocking before
+   * connecting.
+   */
+  BIO_set_nbio(bio, 1);
+
+  /* This is not exactly elegant but we want to make sure we only
+   * return once the potential SSL handshake is complete.
+   */
+  for ( ; ; )
+    {
+      if (openssl_connect_impl(bio, with_hack) > 0)
+	break;    
+
+      if ( ! BIO_should_retry(bio))
+	{
+	  D(("Error connecting to peer.\n"));
+	  goto err_return;
+	}
+    }
+  
+  bc->bio = bio;
+  D(("Connection established successfully.\n"));
+
+  D_RETURN_(TRUE);
+
+ err_return:
+
+  print_errors();
+
+#ifdef BRO_DEBUG
+  if (ctx)
+    D(("--- SSL CONNECTION SETUP FAILED. ---"));
+  else
+    D(("--- CLEARTEXT CONNECTION SETUP FAILED. ---"));
+#endif  
+
+  if (bio)
+    BIO_free_all(bio);
+  
+  bc->state->rx_dead = bc->state->tx_dead = TRUE;
+  bc->bio = NULL;
+  D_RETURN_(FALSE);
+}
+
+
+int
+__bro_openssl_connect(BroConn *bc)
+{
+  return openssl_connect(bc, FALSE);
+}
+
+int
+__bro_openssl_reconnect(BroConn *bc)
+{
+  return openssl_connect(bc, TRUE);
+}
+
+
+void
+__bro_openssl_shutdown(BroConn *bc)
+{
+  if (!bc || !bc->bio)
+    return;
+  
+  if (getpid() != bc->id_pid)
+    return;
+  
+  if (bc->state->rx_dead)
+    return;
+  
+  bc->state->rx_dead = bc->state->tx_dead = TRUE;
+  
+  BIO_flush(bc->bio);
+  BIO_free_all(bc->bio);
+  bc->bio = NULL;
+}
+
+
+int       
+__bro_openssl_read(BroConn *bc, uchar *buf, uint buf_size)
+{
+  int n;
+
+  D_ENTER;
+  
+  /* It's important here to use <= for comparison, since, as the
+   * invaluable O'Reilly OpenSSL book reports, "for each of the four
+   * reading and writing functions, a 0 or -1 return value may or may
+   * not necessarily indicate that an error has occurred." This may or
+   * may not necessarily be indicative of the incredible PITA that
+   * OpenSSL is. --cpk
+   */
+  if ( (n = BIO_read(bc->bio, buf, buf_size)) <= 0)
+    {
+      if (BIO_should_retry(bc->bio))
+	D_RETURN_(0);
+      
+      __bro_openssl_shutdown(bc);
+      D(("Connection closed, BIO_read() returned %i.\n", n));      
+      print_errors();
+      D_RETURN_(-1);
+    }
+    
+  D_RETURN_(n);
+}
+
+
+int
+__bro_openssl_write(BroConn *bc, uchar *buf, uint buf_size)
+{
+  int n;
+  void *old_sig;
+  
+  D_ENTER;
+  
+#ifdef BRO_DEBUG
+  if (bro_debug_messages)
+    {
+      unsigned int i = 0;
+      int last_hex = 0;
+
+      D(("Sending %u bytes: ", buf_size));
+ 
+      for (i = 0; i < buf_size; i++)
+	{
+	  if (buf[i] >= 32 && buf[i] <= 126)
+	    {
+	      printf("%s%c", last_hex ? " " : "", buf[i]);
+	      last_hex = 0;
+	    }
+	  else
+	    {
+	      printf(" 0x%.2x", buf[i]);
+	      last_hex = 1;
+	    }
+	}
+      printf("\n");
+    }
+#endif
+
+  /* We may get a SIGPIPE if we write to a connection whose peer
+   * died. Since we don't know the application context in which
+   * we're running, we temporarily set the SIGPIPE handler to our
+   * own and then set it back to the old one after we wrote.
+   */
+  old_sig = signal(SIGPIPE, SIG_IGN);
+  
+  n = BIO_write(bc->bio, buf, buf_size);
+  
+  if (n <= 0)
+    {
+      if (BIO_should_retry(bc->bio))
+	{
+	  n = 0;
+	  goto error_return;
+	}
+
+      print_errors();
+      __bro_openssl_shutdown(bc);
+      D(("Connection closed.\n"));
+      n = -1;
+    }
+  
+  BIO_flush(bc->bio);
+
+ error_return:
+  
+  if (old_sig != SIG_ERR)
+    signal(SIGPIPE, old_sig);
+  
+  D_RETURN_(n);
+}
diff --git a/aux/broccoli/src/bro_openssl.h b/aux/broccoli/src/bro_openssl.h
new file mode 100644
index 0000000000..0a450e9d46
--- /dev/null
+++ b/aux/broccoli/src/bro_openssl.h
@@ -0,0 +1,57 @@
+/*
+       B R O C C O L I  --  The Bro Client Communications Library
+
+Copyright (C) 2004-2008 Christian Kreibich <christian (at) icir.org>
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to
+deal in the Software without restriction, including without limitation the
+rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+sell copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies of the Software and its documentation and acknowledgment shall be
+given in the documentation and software packages that this Software was
+used.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+*/
+#ifndef broccoli_openssl_h
+#define broccoli_openssl_h
+
+#include <broccoli.h>
+
+int       __bro_openssl_init(void);
+int       __bro_openssl_encrypted(void);
+int       __bro_openssl_rand_bytes(u_char *buf, int num);
+
+int       __bro_openssl_connect(BroConn *bc);
+
+/* Like __bro_openssl_connect, but uses gross manual-connect hack to make
+ * sure peer is actually available.
+ */
+int       __bro_openssl_reconnect(BroConn *bc);
+
+void      __bro_openssl_shutdown(BroConn *bc);
+
+int       __bro_openssl_read(BroConn *bc, uchar *buf, uint buf_size);
+
+/**
+ * __bro_openssl_write - writes a chunk of data to the connection.
+ * @bc: Bro connection handle.
+ * @buf: buffer of data to write.
+ * @buf_size: size of buffer pointed to by @buf.
+ *
+ * Returns: value < 0 on error, 1 if all data was written, 0
+ * otherwise (*no* data being written).
+ */
+int       __bro_openssl_write(BroConn *bc, uchar *buf, uint buf_size);
+
+#endif
diff --git a/aux/broccoli/src/bro_packet.c b/aux/broccoli/src/bro_packet.c
new file mode 100644
index 0000000000..da6d484a88
--- /dev/null
+++ b/aux/broccoli/src/bro_packet.c
@@ -0,0 +1,201 @@
+/*
+       B R O C C O L I  --  The Bro Client Communications Library
+
+Copyright (C) 2004-2008 Christian Kreibich <christian (at) icir.org>
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to
+deal in the Software without restriction, including without limitation the
+rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+sell copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies of the Software and its documentation and acknowledgment shall be
+given in the documentation and software packages that this Software was
+used.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+*/
+#if HAVE_CONFIG_H
+# include <config.h>
+#endif
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <sys/types.h>
+#include <string.h>
+#include <unistd.h>
+#include <errno.h>
+#include <sys/time.h>
+
+#ifdef __EMX__
+#include <strings.h>
+#endif 
+
+#include <bro_types.h>
+#include <bro_debug.h>
+#include <bro_packet.h>
+
+
+static int
+packet_get_link_header_size(int dl)
+{
+  switch (dl)
+    {
+    case DLT_NULL:
+      return 4;
+      
+    case DLT_EN10MB:
+      return 14;
+      
+    case DLT_FDDI:
+      return 13 + 8;
+#ifdef LINUX_HOST      
+    case DLT_LINUX_SLL:
+      return 16;
+#endif
+    case DLT_RAW:
+      return 0;
+    }
+  
+  D(("WARNING: unknown DLT type %i encountered.\n", dl));
+  return -1;
+}
+
+
+BroPacket     *
+__bro_packet_unserialize(BroConn *bc)
+{
+  BroPacket *packet;
+
+  if (! (packet = calloc(1, sizeof(BroPacket))))
+    return NULL;
+
+  if (! __bro_packet_read(packet, bc))
+    {
+      bro_packet_free(packet);
+      return NULL;
+    }
+
+  return packet;
+}
+
+
+int
+__bro_packet_serialize(BroPacket *packet, BroConn *bc)
+{
+  D_ENTER;
+
+  /* Prepare the beginning of a serialized packet.
+   */
+  if (! __bro_buf_write_char(bc->tx_buf, 'p'))
+    D_RETURN_(FALSE);
+
+  if (! __bro_packet_write(packet, bc))
+    D_RETURN_(FALSE);
+
+  D_RETURN_(TRUE);
+}
+
+
+int
+__bro_packet_read(BroPacket *packet, BroConn *bc)
+{
+  BroString packet_data;
+  BroString packet_tag;
+  uint32 tv_sec, tv_usec, len, pcap_link_type;
+  
+  D_ENTER;
+  
+  if (! packet || ! bc)
+    D_RETURN_(FALSE);
+  
+  packet->pkt_link_type = bc->pcap_link_type;
+  packet->pkt_hdr_size  = packet_get_link_header_size(bc->pcap_link_type);
+
+  if (! __bro_buf_read_int(bc->rx_buf, &tv_sec))
+    D_RETURN_(FALSE);
+  if (! __bro_buf_read_int(bc->rx_buf, &tv_usec))
+    D_RETURN_(FALSE);
+  if (! __bro_buf_read_int(bc->rx_buf, &len))
+    D_RETURN_(FALSE);
+  if (! __bro_buf_read_int(bc->rx_buf, &pcap_link_type))
+    D_RETURN_(FALSE);
+  if (! __bro_buf_read_string(bc->rx_buf, &packet_tag))
+    D_RETURN_(FALSE);
+  if (! __bro_buf_read_string(bc->rx_buf, &packet_data))
+    D_RETURN_(FALSE);
+  
+  packet->pkt_pcap_hdr.ts.tv_sec = tv_sec;
+  packet->pkt_pcap_hdr.ts.tv_usec = tv_usec;
+  packet->pkt_pcap_hdr.len = len;
+  packet->pkt_pcap_hdr.caplen = packet_data.str_len;
+  packet->pkt_link_type = pcap_link_type;
+  packet->pkt_data = (const u_char *) packet_data.str_val;
+  packet->pkt_tag = (const char *) packet_tag.str_val;
+  packet->pkt_time = bro_util_current_time();
+  
+  D_RETURN_(TRUE);
+}
+
+int
+__bro_packet_write(BroPacket *packet, BroConn *bc)
+{
+  BroString packet_data;
+  BroString packet_tag;
+  
+  D_ENTER;
+  
+  if (! packet || ! bc)
+    D_RETURN_(FALSE);
+  
+  if (! __bro_buf_write_int(bc->tx_buf, (uint32)packet->pkt_pcap_hdr.ts.tv_sec))
+    D_RETURN_(FALSE);
+  if (! __bro_buf_write_int(bc->tx_buf, (uint32)packet->pkt_pcap_hdr.ts.tv_usec))
+    D_RETURN_(FALSE);
+  if (! __bro_buf_write_int(bc->tx_buf, (uint32)packet->pkt_pcap_hdr.len))
+    D_RETURN_(FALSE);
+  if (! __bro_buf_write_int(bc->tx_buf, (uint32)bc->pcap_link_type))
+    D_RETURN_(FALSE);
+
+  bro_string_init(&packet_tag);
+  packet_tag.str_len = strlen(packet->pkt_tag);
+  packet_tag.str_val = (u_char *) packet->pkt_tag;
+
+  if (! __bro_buf_write_string(bc->tx_buf, &packet_tag))
+    D_RETURN_(FALSE);
+
+  bro_string_init(&packet_data);
+  packet_data.str_len = packet->pkt_pcap_hdr.caplen;
+  packet_data.str_val = (u_char *) packet->pkt_data;
+
+  if (! __bro_buf_write_string(bc->tx_buf, &packet_data))
+    D_RETURN_(FALSE);
+    
+  D_RETURN_(TRUE);
+}
+
+
+int
+__bro_packet_clone(BroPacket *dst, const BroPacket *src)
+{
+  D_ENTER;
+  
+  *dst = *src;
+  
+  if (! (dst->pkt_tag = strdup(src->pkt_tag)))
+    D_RETURN_(FALSE);
+
+  if (! (dst->pkt_data = malloc(src->pkt_pcap_hdr.caplen)))
+    D_RETURN_(FALSE);
+
+  memcpy((u_char *) dst->pkt_data, src->pkt_data, src->pkt_pcap_hdr.caplen);
+  D_RETURN_(TRUE);
+}
diff --git a/aux/broccoli/src/bro_packet.h b/aux/broccoli/src/bro_packet.h
new file mode 100644
index 0000000000..138a5bf477
--- /dev/null
+++ b/aux/broccoli/src/bro_packet.h
@@ -0,0 +1,36 @@
+/*
+       B R O C C O L I  --  The Bro Client Communications Library
+
+Copyright (C) 2004-2008 Christian Kreibich <christian (at) icir.org>
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to
+deal in the Software without restriction, including without limitation the
+rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+sell copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies of the Software and its documentation and acknowledgment shall be
+given in the documentation and software packages that this Software was
+used.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+*/
+#ifndef broccoli_packet_h
+#define broccoli_packet_h
+
+BroPacket     *__bro_packet_unserialize(BroConn *bc);
+int            __bro_packet_serialize(BroPacket *packet, BroConn *bc);
+
+int            __bro_packet_read(BroPacket *packet, BroConn *bc);
+int            __bro_packet_write(BroPacket *packet, BroConn *bc);
+int            __bro_packet_clone(BroPacket *dst, const BroPacket *src);
+
+#endif
diff --git a/aux/broccoli/src/bro_parser.y b/aux/broccoli/src/bro_parser.y
new file mode 100644
index 0000000000..67811ce53d
--- /dev/null
+++ b/aux/broccoli/src/bro_parser.y
@@ -0,0 +1,124 @@
+%{
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#include <unistd.h>
+#include <stdlib.h>
+#include <stdarg.h>
+#include <string.h>
+#include <stdio.h>
+#include <errno.h>
+
+#include "bro_debug.h"
+#include "bro_config.h"
+
+int brolex(void);
+int broparse(void);
+int broerror(char *, ...);
+
+#define yylex brolex
+#define yyparse broparse
+#define yyerror broerror
+
+int bro_parse_errors = 0;
+int bro_parse_lineno = 0;
+const char *bro_parse_filename = NULL;
+ 
+%}
+
+%union {
+  int   i;
+  char *s;
+  double d;
+}
+
+%token <i> BROINT
+%token <s> BROWORD BROSTRING
+%token <d> BRODOUBLE
+
+%%
+configfile:
+	   | options
+           ;
+options:     option
+           | options option
+           ;
+
+option:      domain
+           | intopt
+           | stringopt
+           | floatopt
+           ;
+
+intopt:      BROWORD BROINT	{ __bro_conf_add_int($1, $2);
+				  free($1);
+				}
+           ;
+
+stringopt:   BROWORD BROSTRING  { __bro_conf_add_str($1, $2);
+                                  free($1); free($2);
+				}
+	   | BROWORD BROWORD    { __bro_conf_add_str($1, $2);
+                                  free($1); free($2);
+				}
+           ;
+
+floatopt:    BROWORD BRODOUBLE	{ __bro_conf_add_dbl($1, $2);
+				  free($1);
+				}
+           ;
+
+domain:      '[' BROWORD ']'	{ __bro_conf_set_storage_domain($2);
+				  free($2); 
+				}
+           ;
+%%
+
+int
+yyerror(char *fmt, ...)
+{
+  va_list ap;
+  bro_parse_errors++;
+  
+#ifdef BRO_DEBUG
+  va_start(ap, fmt);
+  fprintf(stderr, "%s:%d: ", bro_parse_filename, bro_parse_lineno);
+  vfprintf(stderr, fmt, ap);
+  fprintf(stderr, "\n");
+  va_end(ap);
+#endif
+  return 0;
+}
+
+int
+__bro_parse_config(const char *filename)
+{
+  const char *domain;
+  extern FILE *broin;
+
+  /* Save the current config domain */
+  if ( (domain = __bro_conf_get_domain()))
+    domain = strdup(domain);
+  
+  D(("Parsing configuration from '%s'.\n", filename));
+
+  if (! (broin = fopen(filename, "r")))
+    {
+      D(("Error opening config file %s: %s\n", filename, strerror(errno)));
+      return -1;
+    }
+  
+  bro_parse_lineno = 1;
+  bro_parse_filename = filename;
+  bro_parse_errors = 0;
+
+  yyparse();
+  fclose(broin);
+
+  /* Reset the config domain to the original one. */
+  __bro_conf_set_domain(domain);
+  
+  return (bro_parse_errors ? -1 : 0);
+}
diff --git a/aux/broccoli/src/bro_record.c b/aux/broccoli/src/bro_record.c
new file mode 100644
index 0000000000..032773a028
--- /dev/null
+++ b/aux/broccoli/src/bro_record.c
@@ -0,0 +1,349 @@
+/*
+       B R O C C O L I  --  The Bro Client Communications Library
+
+Copyright (C) 2004-2008 Christian Kreibich <christian (at) icir.org>
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to
+deal in the Software without restriction, including without limitation the
+rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+sell copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies of the Software and its documentation and acknowledgment shall be
+given in the documentation and software packages that this Software was
+used.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+*/
+#if HAVE_CONFIG_H
+# include <config.h>
+#endif
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <sys/types.h>
+#include <string.h>
+#include <unistd.h>
+#include <errno.h>
+
+#ifdef __EMX__
+#include <strings.h>
+#endif 
+
+#include <bro_types.h>
+#include <bro_io.h>
+#include <bro_debug.h>
+#include <bro_val.h>
+#include <bro_record.h>
+
+
+BroRecord *
+__bro_record_new(void)
+{
+  BroRecord *rec;
+
+  if (! (rec = calloc(1, sizeof(BroRecord))))
+    return NULL;
+
+  return rec;
+}
+
+
+void
+__bro_record_free(BroRecord *rec)
+{
+  BroList *l;
+
+  if (! rec)
+    return;
+
+  for (l = rec->val_list; l; l = __bro_list_next(l))
+    {
+      char *field;
+      BroSObject *obj = __bro_list_data(l);
+      
+      if ( (field = __bro_sobject_data_del(obj, "field")))
+	free(field);
+      
+      __bro_sobject_release(obj);
+    }
+  
+  __bro_list_free(rec->val_list, NULL);
+  free(rec);
+}
+
+int
+__bro_record_get_length(BroRecord *rec)
+{
+  D_ENTER;
+
+  if (! rec)
+    D_RETURN_(0);
+
+  D_RETURN_(rec->val_len);
+}
+
+BroRecord     *
+__bro_record_copy(BroRecord *rec)
+{
+  BroList *l;
+  BroVal *val, *val_copy;
+  BroRecord *copy;
+
+  D_ENTER;
+  
+  if (! rec)
+    D_RETURN_(NULL);
+  
+  if (! (copy = __bro_record_new()))
+    D_RETURN_(NULL);
+
+  for (l = rec->val_list; l; l = __bro_list_next(l))
+    {
+      char *field;
+      
+      val = __bro_list_data(l);
+      
+      /* Check if it's an assigned val or not */
+      if (! val->val_type)
+	{
+	  D(("Error: unassigned val in record.\n"));
+	  goto error_return;
+	}
+      
+      if (! (val_copy = (BroVal *) __bro_sobject_copy((BroSObject *) val)))
+	goto error_return;
+      
+#ifdef BRO_DEBUG
+      if (! val_copy->val_type)
+	D(("WARNING -- typeless val duplicated as %p, original %p had type %p\n",
+	   val_copy, val, val->val_type));
+#endif
+      if (! (field = __bro_sobject_data_get((BroSObject *) val, "field")))
+	{
+	  D(("Val %p in record %p doesn't have a field name.\n", val, rec));
+	  goto error_return;
+	}
+            
+      __bro_sobject_data_set((BroSObject *) val_copy, "field", strdup(field));      
+      __bro_record_add_val(copy, val_copy);
+    }
+  
+  D_RETURN_(copy);
+  
+ error_return:
+  __bro_record_free(copy);
+  D_RETURN_(NULL);
+}
+
+
+void
+__bro_record_add_val(BroRecord *rec, BroVal *val)
+{
+  if (! rec || ! val)
+    return;
+  
+  rec->val_list = __bro_list_append(rec->val_list, val);
+  rec->val_len++;
+}
+
+
+BroVal *
+__bro_record_get_nth_val(BroRecord *rec, int num)
+{
+  BroList *l;
+  
+  if (! rec || num < 0 || num >= rec->val_len)
+    return NULL;
+
+  if( (l = __bro_list_nth(rec->val_list, num)))
+    return __bro_list_data(l);
+  
+  return NULL;
+}
+
+
+const char *
+__bro_record_get_nth_name(BroRecord *rec, int num)
+{
+  BroList *l;
+
+  if (! rec || num < 0 || num >= rec->val_len)
+    return NULL;
+
+  if( (l = __bro_list_nth(rec->val_list, num)))
+    return __bro_sobject_data_get((BroSObject *) __bro_list_data(l), "field");
+  
+  return NULL;
+}
+
+
+BroVal *
+__bro_record_get_named_val(BroRecord *rec, const char *name)
+{
+  BroList *l;
+  BroVal *val;
+  
+  if (! rec || ! name || ! *name)
+    return NULL;
+  
+  for (l = rec->val_list; l; l = __bro_list_next(l))
+    {
+      char *val_name;
+      
+      val = __bro_list_data(l);
+      val_name = __bro_sobject_data_get((BroSObject *) val, "field");
+      
+      if (val_name && ! strcmp(val_name, name))
+	return val;
+    }
+  
+  return NULL;
+}
+
+
+int
+__bro_record_set_nth_val(BroRecord *rec, int num, BroVal *v)
+{
+  BroVal *val;
+  BroList *l;
+  
+  if (! rec || num < 0 || num >= rec->val_len || ! v)
+    return FALSE;
+  
+  if ( (l = __bro_list_nth(rec->val_list, num)))
+    {
+      val = __bro_list_set_data(l, v);
+      __bro_sobject_release((BroSObject *) val);	  
+      return TRUE;
+    }
+  
+  return FALSE;
+}
+
+
+int
+__bro_record_set_nth_name(BroRecord *rec, int num, const char *name)
+{  
+  BroVal *val;
+  BroList *l;
+
+  if (! rec || num < 0 || num >= rec->val_len || ! name)
+    return FALSE;
+
+  if ( (l = __bro_list_nth(rec->val_list, num)))
+    {
+      char *val_name;
+
+      val = __bro_list_data(l);
+      val_name = __bro_sobject_data_del((BroSObject *) val, "field");
+      if (val_name)
+	free(val_name);
+
+      __bro_sobject_data_set((BroSObject *) val, "field", strdup(name));
+      return TRUE;
+    }
+
+  return FALSE;
+}
+
+
+int
+__bro_record_set_named_val(BroRecord *rec, const char *name, BroVal *v)
+{
+  BroVal *val;
+  BroList *l;
+  
+  if (! rec || ! name || !*name || ! v)
+    return FALSE;
+
+  for (l = rec->val_list; l; l = __bro_list_next(l))
+    {
+      char *val_name;
+      
+      val = __bro_list_data(l);
+      val_name = __bro_sobject_data_get((BroSObject *) val, "field");
+      
+      if (val_name && ! strcmp(val_name, name))
+	{
+	  /* We're about to delete the old val, make sure it doesn't have
+	   * the name tag associated with it.
+	   */
+	  __bro_sobject_data_del((BroSObject *) val, "field");
+	  free(val_name);
+
+	  /* If the new val has a name tag, likewise delete it.
+	   */
+	  if ( (val_name = __bro_sobject_data_del((BroSObject *) val, "field")))
+	    free(val_name);
+
+	  /* Set the new val's name tag
+	   */
+	  __bro_sobject_data_set((BroSObject *) v, "field", strdup(name));
+
+	  __bro_list_set_data(l, v);
+	  __bro_sobject_release((BroSObject *) val);	  
+
+	  return TRUE;
+	}
+    }
+  
+  return FALSE;
+}
+
+uint32
+__bro_record_hash(BroRecord *rec)
+{
+  uint32 result;
+  BroList *l;
+  
+  D_ENTER;
+  
+  if (! rec)
+    D_RETURN_(0);
+  
+  result = rec->val_len;
+  
+  for (l = rec->val_list; l; l = __bro_list_next(l))
+    result ^= __bro_sobject_hash((BroSObject*) __bro_list_data(l));
+
+  D_RETURN_(result);
+}
+
+int
+__bro_record_cmp(BroRecord *rec1, BroRecord *rec2)
+{
+  BroList *l1, *l2;
+
+  D_ENTER;
+
+  if (! rec1 || ! rec2)
+    D_RETURN_(FALSE);
+
+  if (rec1->val_len != rec2->val_len)
+    D_RETURN_(FALSE);
+
+  for (l1 = rec1->val_list, l2 = rec2->val_list; l1 && l2;
+       l1 = __bro_list_next(l1), l2 = __bro_list_next(l2))
+    {
+      if (! __bro_sobject_cmp((BroSObject*) __bro_list_data(l1),
+			      (BroSObject*) __bro_list_data(l2)))
+	D_RETURN_(FALSE);
+    }
+
+  if (l1 || l2)
+    {
+      D(("WARNING -- value list inconsistency.\n"));
+      D_RETURN_(FALSE);
+    }
+  
+  D_RETURN_(TRUE);
+}
diff --git a/aux/broccoli/src/bro_record.h b/aux/broccoli/src/bro_record.h
new file mode 100644
index 0000000000..41bef26678
--- /dev/null
+++ b/aux/broccoli/src/bro_record.h
@@ -0,0 +1,62 @@
+/*
+       B R O C C O L I  --  The Bro Client Communications Library
+
+Copyright (C) 2004-2008 Christian Kreibich <christian (at) icir.org>
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to
+deal in the Software without restriction, including without limitation the
+rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+sell copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies of the Software and its documentation and acknowledgment shall be
+given in the documentation and software packages that this Software was
+used.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+*/
+#ifndef broccoli_record_h
+#define broccoli_record_h
+
+#include <broccoli.h>
+#include <bro_types.h>
+
+/* Typedef is in broccoli.h because the users need to know it -- we keep
+ * it opaque for them though by defining it here.
+ */
+struct bro_record
+{
+  BroList                     *val_list;
+  int                          val_len;
+};
+
+BroRecord     *__bro_record_new(void);
+void           __bro_record_free(BroRecord *rec);
+BroRecord     *__bro_record_copy(BroRecord *rec);
+int            __bro_record_get_length(BroRecord *rec);
+
+/* Adds the given val as a new field and adopts ownership,
+ * i.e, the value is not duplicated internally.
+ */
+void           __bro_record_add_val(BroRecord *rec, BroVal *val);
+
+BroVal        *__bro_record_get_nth_val(BroRecord *rec, int num);
+const char    *__bro_record_get_nth_name(BroRecord *rec, int num);
+BroVal        *__bro_record_get_named_val(BroRecord *rec, const char *name);
+
+int            __bro_record_set_nth_val(BroRecord *rec, int num, BroVal *val);
+int            __bro_record_set_nth_name(BroRecord *rec, int num, const char *name);
+int            __bro_record_set_named_val(BroRecord *rec, const char *name, BroVal *val);
+
+uint32         __bro_record_hash(BroRecord *rec);
+int            __bro_record_cmp(BroRecord *rec1, BroRecord *rec2);
+
+#endif
diff --git a/aux/broccoli/src/bro_sem.h b/aux/broccoli/src/bro_sem.h
new file mode 100644
index 0000000000..d061429649
--- /dev/null
+++ b/aux/broccoli/src/bro_sem.h
@@ -0,0 +1,106 @@
+/*
+       B R O C C O L I  --  The Bro Client Communications Library
+
+Copyright (C) 2004-2008 Christian Kreibich <christian (at) icir.org>
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to
+deal in the Software without restriction, including without limitation the
+rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+sell copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies of the Software and its documentation and acknowledgment shall be
+given in the documentation and software packages that this Software was
+used.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+*/
+#ifndef broccoli_sem_h
+#define broccoli_sem_h
+
+#include <broccoli.h>
+
+typedef struct bro_sem_impl BroSemImpl;
+
+typedef struct bro_sem {
+  int          sem_blocked;
+  BroSemImpl  *sem_impl;
+} BroSem;
+
+/* Broccoli semaphore abstractions.
+ * ================================
+ *
+ * Semaphores are created with __bro_sem_new() and released with
+ * __bro_sem_free(). Before being used they have to be
+ * __bro_sem_attach()ed and after using them __bro_sem_detach()ed.
+ *
+ * Semaphores are initalized to 0.
+ *
+ * All functions can be called with NULL parameters, for robustness.
+ */
+
+int     __bro_sem_init(BroSem *sem, const BroConn *bc);
+void    __bro_sem_cleanup(BroSem *sem);
+
+int     __bro_sem_attach(BroSem *sem);
+int     __bro_sem_detach(BroSem *sem);
+
+/**
+ * __bro_sem_decr - decreases semaphore.
+ * @sem: semaphore.
+ *
+ * The function decreases the value of the semaphore by one, returning
+ * if the initial value was greater than 0, and blocking otherwise.
+ * 
+ * Returns: %TRUE on success, %FALSE otherwise.
+ */
+int     __bro_sem_decr(BroSem *sem);
+
+
+/**
+ * __bro_sem_trydecr - decreases semaphore, but never blocks
+ * @sem: semaphore.
+ *
+ * The function decreases the value of the semaphore by one, returning
+ * if the initial value was greater than 0. If the semaphore is
+ * currently locked, the function returns %FALSE immediately.
+ * 
+ * Returns: %TRUE on success, %FALSE otherwise.
+ */
+int     __bro_sem_trydecr(BroSem *sem);
+
+
+/**
+ * __bro_sem_incr - increases semaphore.
+ * @sem: semaphore.
+ *
+ * The function increases the value of the semaphore by 1.
+ *
+ * Returns: %TRUE on success, %FALSE otherwise.
+ */
+int     __bro_sem_incr(BroSem *sem);
+
+
+/**
+ * __bro_sem_get - returns current value of sempahore.
+ * @sem: semaphore.
+ * @result: result pointer.
+ *
+ * The function returns the current value of the semaphore through
+ * the @result pointer.
+ *
+ * Returns: %TRUE on success, %FALSE otherwise.
+ */
+int     __bro_sem_get(BroSem *sem, int *result);
+
+int     __bro_sem_get_blocked(BroSem *sem, int *result);
+
+#endif
diff --git a/aux/broccoli/src/bro_sem_none.c b/aux/broccoli/src/bro_sem_none.c
new file mode 100644
index 0000000000..e805f96aab
--- /dev/null
+++ b/aux/broccoli/src/bro_sem_none.c
@@ -0,0 +1,76 @@
+/*
+       B R O C C O L I  --  The Bro Client Communications Library
+
+Copyright (C) 2004-2008 Christian Kreibich <christian (at) icir.org>
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to
+deal in the Software without restriction, including without limitation the
+rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+sell copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies of the Software and its documentation and acknowledgment shall be
+given in the documentation and software packages that this Software was
+used.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+*/
+#if HAVE_CONFIG_H
+# include <config.h>
+#endif
+
+#include <bro_sem.h>
+
+struct bro_sem { };
+
+BroSem *
+__bro_sem_new(const BroConn *bc)
+{
+  bc = NULL;
+  return NULL;
+}
+
+
+void
+__bro_sem_free(BroSem *sem)
+{
+  sem = NULL;
+}
+
+
+int
+__bro_sem_attach(BroSem *sem)
+{
+  return TRUE;
+  sem = NULL;
+}
+
+
+int
+__bro_sem_detach(BroSem *sem)
+{
+  return TRUE;
+  sem = NULL;
+}
+
+
+int
+__bro_sem_decr(BroSem *sem)
+{
+  sem = NULL;
+}
+
+
+int
+__bro_sem_incr(BroSem *sem)
+{
+  sem = NULL;
+}
diff --git a/aux/broccoli/src/bro_sem_posix.c b/aux/broccoli/src/bro_sem_posix.c
new file mode 100644
index 0000000000..d1bf8486ea
--- /dev/null
+++ b/aux/broccoli/src/bro_sem_posix.c
@@ -0,0 +1,213 @@
+/*
+       B R O C C O L I  --  The Bro Client Communications Library
+
+Copyright (C) 2004-2008 Christian Kreibich <christian (at) icir.org>
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to
+deal in the Software without restriction, including without limitation the
+rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+sell copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies of the Software and its documentation and acknowledgment shall be
+given in the documentation and software packages that this Software was
+used.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+*/
+#if HAVE_CONFIG_H
+# include <config.h>
+#endif
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <sys/time.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <string.h>
+#include <fcntl.h>
+#include <semaphore.h>
+#include <errno.h>
+
+#ifdef __EMX__
+#include <strings.h>
+#endif 
+
+#include <bro_debug.h>
+#include <bro_util.h>
+#include <bro_types.h>
+#include <bro_sem.h>
+
+struct bro_sem_impl { 
+  char    *name;
+  sem_t   *sem;
+};
+
+int
+__bro_sem_init(BroSem *sem, const BroConn *bc)
+{
+  static int counter = 0;
+  char sem_name[512]; 
+  
+  D_ENTER;
+  
+  if (! sem || ! bc)
+    D_RETURN_(FALSE);
+  
+  memset(sem, 0, sizeof(BroSem));
+  
+  if (! (sem->sem_impl = calloc(1, sizeof(BroSemImpl))))
+    D_RETURN_(FALSE);
+  
+  __bro_util_snprintf(sem_name, 512, "/broccoli-%u-%i-%i", bc->id_pid, bc->id_num, counter++);
+  sem->sem_impl->name = strdup(sem_name);
+  sem->sem_impl->sem = sem_open(sem_name, O_CREAT, S_IRWXU, 1);
+  
+  if (sem->sem_impl->sem == SEM_FAILED)
+    {
+      if (sem->sem_impl->name)
+	free(sem->sem_impl->name);
+      
+      free(sem->sem_impl);
+      
+      D(("POSIX semaphore creation failed: %s\n", strerror(errno)));
+      D_RETURN_(FALSE);
+    }
+  
+  D_RETURN_(TRUE);
+}
+
+
+void
+__bro_sem_cleanup(BroSem *sem)
+{
+  D_ENTER;
+  
+  if (! sem || ! sem->sem_impl)
+    D_RETURN;
+  
+  sem_unlink(sem->sem_impl->name);
+  
+  free(sem->sem_impl->name);
+  free(sem->sem_impl);
+  memset(sem, 0, sizeof(BroSem));
+  
+  D_RETURN;
+}
+
+
+int
+__bro_sem_attach(BroSem *sem)
+{
+  /* Unused in Posix. */
+  return TRUE;
+  sem = NULL;
+}
+
+
+int
+__bro_sem_detach(BroSem *sem)
+{
+  if (! sem || ! sem->sem_impl)
+    return FALSE;
+
+  sem_close(sem->sem_impl->sem);
+  return TRUE;
+}
+
+
+int
+__bro_sem_decr(BroSem *sem)
+{
+  D_ENTER;
+  
+  if (! sem || ! sem->sem_impl)
+    D_RETURN_(FALSE);
+
+  sem->sem_blocked++;
+
+  if (sem_wait(sem->sem_impl->sem) < 0)
+    {
+      D(("sem_wait() error: %s\n", strerror(errno)));
+      sem->sem_blocked--;
+      D_RETURN_(FALSE);
+    }
+  
+  sem->sem_blocked--;
+  D_RETURN_(TRUE);
+}
+
+
+int
+__bro_sem_trydecr(BroSem *sem)
+{
+  if (! sem || ! sem->sem_impl)
+    return FALSE;
+
+  sem->sem_blocked++;
+
+  if (sem_trywait(sem->sem_impl->sem) < 0)
+    {
+      sem->sem_blocked--;
+
+      if (errno == EAGAIN)
+	return FALSE;
+
+      D(("sem_wait() error: %s\n", strerror(errno)));
+      return FALSE;
+    }
+  
+  sem->sem_blocked--;
+  return TRUE;
+}
+
+
+int
+__bro_sem_incr(BroSem *sem)
+{
+  D_ENTER;
+
+  if (! sem || ! sem->sem_impl)
+    D_RETURN_(FALSE);
+
+  if (sem_post(sem->sem_impl->sem) < 0)
+    {
+      D(("sem_post() error: %s\n", strerror(errno)));
+      D_RETURN_(FALSE);
+    }
+  
+  D_RETURN_(TRUE);
+}
+
+
+int
+__bro_sem_get(BroSem *sem, int *result)
+{
+  if (! sem || ! sem->sem_impl || ! result)
+    return FALSE;
+
+  if (! sem_getvalue(sem->sem_impl->sem, result))
+    return FALSE;
+  
+  return TRUE;
+}
+
+
+int
+__bro_sem_get_blocked(BroSem *sem, int *result)
+{
+  if (! sem || ! sem->sem_impl || ! result)
+    return FALSE;
+
+  *result = sem->sem_blocked;
+
+  return TRUE;
+}
diff --git a/aux/broccoli/src/bro_sem_sysv.c b/aux/broccoli/src/bro_sem_sysv.c
new file mode 100644
index 0000000000..0c13d30373
--- /dev/null
+++ b/aux/broccoli/src/bro_sem_sysv.c
@@ -0,0 +1,255 @@
+/*
+       B R O C C O L I  --  The Bro Client Communications Library
+
+Copyright (C) 2004-2008 Christian Kreibich <christian (at) icir.org>
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to
+deal in the Software without restriction, including without limitation the
+rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+sell copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies of the Software and its documentation and acknowledgment shall be
+given in the documentation and software packages that this Software was
+used.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+*/
+#if HAVE_CONFIG_H
+# include <config.h>
+#endif
+
+#include <stdlib.h>
+#include <sys/types.h>
+#include <sys/ipc.h>
+#include <sys/sem.h>
+#include <sys/stat.h>
+#include <errno.h>
+#include <string.h>
+
+#include <bro_debug.h>
+#include <bro_util.h>
+#include <bro_openssl.h>
+#include <bro_sem.h>
+
+#define BRO_SEM_ATTEMPTS_MAX 50
+
+#ifdef SEM_R
+#define BRO_SEMFLAGS SEM_A|SEM_R
+#else
+#define BRO_SEMFLAGS S_IRWXU
+#endif
+
+/* It's not my fault -- blame the standards and deviating
+ * implementations for this goop. :(
+ */
+#if defined(BSD_HOST) && ! defined(__NetBSD__)
+/* union semun is defined by including <sys/sem.h> */
+#else
+/* according to X/OPEN we have to define it ourselves */
+union semun {
+  int val;                  /* value for SETVAL */
+  struct semid_ds *buf;     /* buffer for IPC_STAT, IPC_SET */
+  unsigned short *array;    /* array for GETALL, SETALL */
+  /* Linux specific part: */
+  struct seminfo *__buf;    /* buffer for IPC_INFO */
+};
+#endif
+
+
+struct bro_sem_impl { 
+  int      sem_id;
+};
+
+
+int
+__bro_sem_init(BroSem *sem, const BroConn *bc)
+{
+  int sem_id = -1;
+  union semun arg;
+
+  D_ENTER;
+
+  if (! sem || ! sem->sem_impl)
+    D_RETURN_(FALSE);
+
+  memset(sem, 0, sizeof(BroSem));
+
+  /* Attempt to allocate the semaphore set */
+  if ( (sem_id = semget(IPC_PRIVATE, 1, IPC_CREAT|IPC_EXCL|BRO_SEMFLAGS)) < 0)
+    {
+      D(("semget error: %s\n", strerror(errno)));
+      D_RETURN_(FALSE);
+    }
+  
+  /* Initialize the semaphore. Note: I'm not 100% sure whether this
+   * code is prone to the race condition that Stevens describes on
+   * p. 284 of UNP Vol 2 (IPC). It would likely be safer to take
+   * precautions, this is a FIXME.
+   */
+  arg.val = 1;
+  if (semctl(sem_id, 0, SETVAL, arg) < 0)
+    {
+      D(("semctl failed: %s\n", strerror(errno)));
+      D_RETURN_(FALSE);
+    }
+  
+  if (! (sem->sem_impl = calloc(1, sizeof(BroSemImpl))))
+    D_RETURN_(FALSE);
+  
+  sem->sem_impl->sem_id = sem_id;
+  
+  D_RETURN_(TRUE);
+  bc = NULL;
+}
+
+
+void
+__bro_sem_cleanup(BroSem *sem)
+{
+  D_ENTER;
+
+  if (! sem || ! sem->sem_impl)
+    D_RETURN;
+  
+  if (semctl(sem->sem_impl->sem_id, 0, IPC_RMID) < 0)
+    {
+      D(("semctl could not remove semaphore: %s.\n", strerror(errno)));
+    }
+  
+  free(sem->sem_impl);
+  memset(sem, 0, sizeof(BroSem));
+  D_RETURN;
+}
+
+
+int
+__bro_sem_attach(BroSem *sem)
+{
+  /* Unused in SYSV. */
+  return TRUE;
+  sem = NULL;
+}
+
+
+int
+__bro_sem_detach(BroSem *sem)
+{
+  /* Unused in SYSV. */
+  return TRUE;
+  sem = NULL;
+}
+
+
+int
+__bro_sem_decr(BroSem *sem)
+{
+  struct sembuf opt;
+
+  if (! sem || ! sem->sem_impl)
+    return FALSE;
+
+  /* This hopefully does the following atomically:
+   * 
+   * (1) block until the semaphore's value becomes >= 1
+   * (2) subtracts 1 from the semaphore's value (i.e., sets it to 0)
+   * (3) wakes up thread.
+   *
+   * This is how I parse Stevens UNP Vol 2 (IPC), p. 287.
+   */
+  opt.sem_num =  0;
+  opt.sem_op  = -1;
+  opt.sem_flg =  0;
+  sem->sem_blocked++;
+
+  if (semop(sem->sem_impl->sem_id, &opt, 1) < 0)
+    {
+      sem->sem_blocked--;
+      return FALSE;
+    }
+  
+  sem->sem_blocked--;
+  return TRUE;
+}
+
+
+int
+__bro_sem_trydecr(BroSem *sem)
+{
+  struct sembuf opt;
+
+  if (! sem || ! sem->sem_impl)
+    return FALSE;
+
+  opt.sem_num =  0;
+  opt.sem_op  = -1;
+  opt.sem_flg =  IPC_NOWAIT;
+  sem->sem_blocked++;
+
+  if (semop(sem->sem_impl->sem_id, &opt, 1) < 0)
+    {
+      sem->sem_blocked--;
+      return FALSE;
+    }
+
+  sem->sem_blocked--;
+  return TRUE;
+}
+
+
+int
+__bro_sem_incr(BroSem *sem)
+{
+  struct sembuf opt;
+  
+  if (! sem || ! sem->sem_impl)
+    return FALSE;
+  
+  /* Add one to the semaphore's value. That one should
+   * be easy ...
+   */
+  opt.sem_num =  0;
+  opt.sem_op  =  1;
+  opt.sem_flg =  0;
+  
+  if (semop(sem->sem_impl->sem_id, &opt, 1) < 0)
+    return FALSE;
+  
+  return TRUE;
+}
+
+
+int
+__bro_sem_get(BroSem *sem, int *result)
+{
+  if (! sem || ! sem->sem_impl || ! result)
+    return FALSE;
+  
+  if (semctl(sem->sem_impl->sem_id, 0, GETVAL, result) < 0)
+    {
+      D(("semctl failed: %s\n", strerror(errno)));
+      return FALSE;
+    }
+  
+  return TRUE;
+}
+
+
+int
+__bro_sem_get_blocked(BroSem *sem, int *result)
+{
+  if (! sem || ! sem->sem_impl || ! result)
+    return FALSE;
+  
+  *result = sem->sem_blocked;
+  
+  return TRUE;
+}
diff --git a/aux/broccoli/src/bro_shm.h b/aux/broccoli/src/bro_shm.h
new file mode 100644
index 0000000000..0d5590e3a8
--- /dev/null
+++ b/aux/broccoli/src/bro_shm.h
@@ -0,0 +1,43 @@
+/*
+       B R O C C O L I  --  The Bro Client Communications Library
+
+Copyright (C) 2004-2008 Christian Kreibich <christian (at) icir.org>
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to
+deal in the Software without restriction, including without limitation the
+rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+sell copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies of the Software and its documentation and acknowledgment shall be
+given in the documentation and software packages that this Software was
+used.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+*/
+#ifndef broccoli_shm_h
+#define broccoli_shm_h
+
+#include <stdlib.h>
+#include <broccoli.h>
+
+typedef struct bro_shared_mem BroSharedMem;
+
+BroSharedMem  *__bro_shm_new(int size);
+void           __bro_shm_free(BroSharedMem *shm);
+
+int            __bro_shm_attach(BroSharedMem *shm);
+int            __bro_shm_detach(BroSharedMem *shm);
+
+void          *__bro_shm_get_mem(const BroSharedMem *shm);
+int            __bro_shm_get_size(const BroSharedMem *shm);
+
+#endif
diff --git a/aux/broccoli/src/bro_shm_none.c b/aux/broccoli/src/bro_shm_none.c
new file mode 100644
index 0000000000..da49307b41
--- /dev/null
+++ b/aux/broccoli/src/bro_shm_none.c
@@ -0,0 +1,103 @@
+/*
+       B R O C C O L I  --  The Bro Client Communications Library
+
+Copyright (C) 2004-2008 Christian Kreibich <christian (at) icir.org>
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to
+deal in the Software without restriction, including without limitation the
+rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+sell copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies of the Software and its documentation and acknowledgment shall be
+given in the documentation and software packages that this Software was
+used.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+*/
+#if HAVE_CONFIG_H
+# include <config.h>
+#endif
+
+#include <bro_shm.h>
+
+struct bro_shared_mem {
+  void    *mem;
+  int      mem_size;
+};
+
+BroSharedMem  *
+__bro_shm_new(int size)
+{
+  BroSharedMem *shm;
+
+  if (size <= 0)
+    return NULL;
+
+  if (! (shm = calloc(1, sizeof(BroSharedMem))))
+    return NULL;
+  
+  if (! (shm->mem = malloc(size)))
+    {
+      free(shm);
+      return NULL;
+    }
+
+  shm->mem_size = size;
+
+  return shm;
+}
+
+
+void
+__bro_shm_free(BroSharedMem *shm)
+{
+  if (! shm)
+    return;
+
+  if (shm->mem)
+    free(shm->mem);
+
+  free(shm);
+}
+
+
+void *
+__bro_shm_get_mem(const BroSharedMem *shm)
+{
+  if (! shm)
+    return NULL;
+
+  return shm->mem;
+}
+
+
+int
+__bro_shm_get_size(const BroSharedMem *shm)
+{
+  return shm->mem_size;
+}
+
+
+int
+__bro_shm_attach(BroSharedMem *shm)
+{
+  return TRUE; 
+  shm = NULL;
+}
+
+
+int
+__bro_shm_detach(BroSharedMem *shm)
+{
+  return TRUE;
+  shm = NULL;
+}
diff --git a/aux/broccoli/src/bro_shm_sysv.c b/aux/broccoli/src/bro_shm_sysv.c
new file mode 100644
index 0000000000..294c300258
--- /dev/null
+++ b/aux/broccoli/src/bro_shm_sysv.c
@@ -0,0 +1,135 @@
+/*
+       B R O C C O L I  --  The Bro Client Communications Library
+
+Copyright (C) 2004-2008 Christian Kreibich <christian (at) icir.org>
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to
+deal in the Software without restriction, including without limitation the
+rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+sell copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies of the Software and its documentation and acknowledgment shall be
+given in the documentation and software packages that this Software was
+used.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+*/
+#if HAVE_CONFIG_H
+# include <config.h>
+#endif
+
+#include <stdlib.h>
+#include <sys/types.h>
+#include <sys/ipc.h>
+#include <sys/stat.h>
+#include <sys/shm.h>
+#include <errno.h>
+#include <string.h>
+
+#include <bro_debug.h>
+#include <bro_shm.h>
+
+struct bro_shared_mem {
+  int      shm_id;
+  int      shm_size;
+  void    *shm_mem;
+
+  int      shm_attached;
+};
+
+BroSharedMem  *
+__bro_shm_new(int size)
+{
+  int shm_id;
+  BroSharedMem *shm;
+
+  if (size <= 0)
+    return NULL;
+
+  if ( (shm_id = shmget(IPC_PRIVATE,size,  IPC_CREAT|IPC_EXCL|S_IRWXU)) < 0)
+    {
+      D(("shmget error: %s\n", strerror(errno)));
+      return NULL;
+    }
+  
+  if (! (shm = calloc(1, sizeof(BroSharedMem))))
+    return NULL;
+  
+  shm->shm_id = shm_id;
+  shm->shm_size = size;
+
+  return shm;
+}
+
+
+void
+__bro_shm_free(BroSharedMem *shm)
+{
+  if (! shm)
+    return;
+
+  shmctl(shm->shm_id, IPC_RMID, NULL);
+  free(shm);
+}
+
+
+void *
+__bro_shm_get_mem(const BroSharedMem *shm)
+{
+  if (! shm || ! shm->shm_attached)
+    return NULL;
+  
+  return shm->shm_mem;
+}
+
+
+int
+__bro_shm_get_size(const BroSharedMem *shm)
+{
+  return shm->shm_size;
+}
+
+
+
+int
+__bro_shm_attach(BroSharedMem *shm)
+{
+  if (! shm)
+    return FALSE;
+
+  shm->shm_mem = shmat(shm->shm_id, NULL, 0);
+  
+  if ((int) shm->shm_mem == -1)
+    {
+      D(("shmat problem: %s.\n", strerror(errno)));
+      return FALSE;
+    }
+
+  shm->shm_attached = TRUE;
+  return TRUE;
+}
+
+
+int
+__bro_shm_detach(BroSharedMem *shm)
+{
+  if (! shm || ! shm->shm_attached)
+    return FALSE;
+
+  if (shmdt(shm->shm_mem) < 0)
+    {
+      D(("shmdt problem: %s.\n", strerror(errno)));
+      return FALSE;
+    }
+ 
+  return TRUE;
+}
diff --git a/aux/broccoli/src/bro_sobject.c b/aux/broccoli/src/bro_sobject.c
new file mode 100644
index 0000000000..c995cbb270
--- /dev/null
+++ b/aux/broccoli/src/bro_sobject.c
@@ -0,0 +1,519 @@
+/*
+       B R O C C O L I  --  The Bro Client Communications Library
+
+Copyright (C) 2004-2008 Christian Kreibich <christian (at) icir.org>
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to
+deal in the Software without restriction, including without limitation the
+rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+sell copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies of the Software and its documentation and acknowledgment shall be
+given in the documentation and software packages that this Software was
+used.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+*/
+#if HAVE_CONFIG_H
+# include <config.h>
+#endif
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <sys/types.h>
+#include <string.h>
+#include <unistd.h>
+#include <errno.h>
+#include <sys/time.h>
+
+#ifdef __EMX__
+#include <strings.h>
+#endif 
+
+#include <bro_debug.h>
+#include <bro_attr.h>
+#include <bro_attrs.h>
+#include <bro_id.h>
+#include <bro_location.h>
+#include <bro_object.h>
+#include <bro_type.h>
+#include <bro_val.h>
+#include <bro_sobject.h>
+
+static uint32 __bro_sobject_hash_impl(BroSObject *obj);
+static int    __bro_sobject_cmp_impl(BroSObject *obj1, BroSObject *obj2);
+
+/* Factory for object instances -- essentially a mapping from a type ID
+ * to a function taking no arguments and returning an object derived
+ * from BroSObject.
+ */
+typedef struct bro_obj_factory_entry
+{
+  uint16       type_id;
+  BroSObject  *(* create)(void);
+} BroObjFactoryEntry;
+
+static BroObjFactoryEntry obj_factories[] = {
+  { SER_OBJ,              (BroSObjectNew) __bro_object_new },
+  { SER_VAL,              (BroSObjectNew) __bro_val_new },
+  { SER_INTERVAL_VAL,     (BroSObjectNew) __bro_val_new },
+  { SER_PORT_VAL,         (BroSObjectNew) __bro_val_new },
+  { SER_ADDR_VAL,         (BroSObjectNew) __bro_val_new },
+  { SER_SUBNET_VAL,       (BroSObjectNew) __bro_val_new },
+  { SER_NET_VAL,          (BroSObjectNew) __bro_val_new },
+  { SER_STRING_VAL,       (BroSObjectNew) __bro_val_new },
+  { SER_ENUM_VAL,         (BroSObjectNew) __bro_val_new },
+  { SER_LIST_VAL,         (BroSObjectNew) __bro_list_val_new },
+  { SER_MUTABLE_VAL,      (BroSObjectNew) __bro_mutable_val_new },
+  { SER_RECORD_VAL,       (BroSObjectNew) __bro_record_val_new },
+  { SER_TABLE_VAL,        (BroSObjectNew) __bro_table_val_new },
+
+  { SER_TYPE,             (BroSObjectNew) __bro_type_new },
+  { SER_TYPE_LIST,        (BroSObjectNew) __bro_type_list_new },
+  { SER_RECORD_TYPE,      (BroSObjectNew) __bro_record_type_new },
+  { SER_INDEX_TYPE,       (BroSObjectNew) __bro_index_type_new },
+  { SER_TABLE_TYPE,       (BroSObjectNew) __bro_table_type_new },
+  { SER_SET_TYPE,         (BroSObjectNew) __bro_set_type_new },
+  { SER_ATTRIBUTES,       (BroSObjectNew) __bro_attrs_new },
+  { SER_ID,               (BroSObjectNew) __bro_id_new },
+  { SER_LOCATION,         (BroSObjectNew) __bro_loc_new },
+};
+
+
+BroSObject *
+__bro_sobject_create(uint16 type_id)
+{
+  int i, num_factories;
+
+  D_ENTER;
+
+  num_factories = sizeof(obj_factories) / sizeof(BroObjFactoryEntry);
+  
+  for (i = 0; i < num_factories; i++)
+    {
+      if (obj_factories[i].type_id == type_id && obj_factories[i].create)
+	{
+	  BroSObject *result = obj_factories[i].create();
+	  D_RETURN_(result);
+	}
+    }
+  
+  D(("Creation of object type 0x%04x failed.\n", type_id));
+  D_RETURN_(NULL);
+}
+
+
+void
+__bro_sobject_release(BroSObject *obj)
+{
+  D_ENTER;
+
+  if (! obj)
+    D_RETURN;
+
+  obj->ref_count--;
+
+  if (obj->ref_count > 0)
+    {
+      D(("Object %p has non-zero refcount, not releasing\n", obj));
+      D_RETURN;
+    }
+
+  if (obj->free)
+    obj->free(obj);
+  
+  D_RETURN;
+}
+
+
+void
+__bro_sobject_ref(BroSObject *obj)
+{
+  obj->ref_count++;
+}
+
+
+BroSObject      *
+__bro_sobject_copy(BroSObject *obj)
+{
+  BroSObject *clone;
+  
+  D_ENTER;
+  
+  if (! obj)
+    D_RETURN_(NULL);
+  
+  if (! (clone = __bro_sobject_create(obj->type_id)))
+    D_RETURN_(NULL);
+  
+  if (clone->clone)
+    clone->clone(clone, obj);
+  
+  D_RETURN_(clone);
+}
+
+
+BroSObject      *
+__bro_sobject_new(void)
+{
+  BroSObject *obj;
+
+  D_ENTER;
+  
+  if (! (obj = calloc(1, sizeof(BroSObject))))
+    D_RETURN_(NULL);
+  
+  __bro_sobject_init(obj);
+    
+  D_RETURN_(obj);
+}
+
+void
+__bro_sobject_init(BroSObject *obj)
+{
+  D_ENTER;
+  
+  obj->ref_count = 1;
+
+  if (! (obj->data = __bro_ht_new(__bro_ht_str_hash,
+				  __bro_ht_str_cmp,
+				  __bro_ht_mem_free,
+				  NULL,
+				  FALSE)))
+    {
+      D(("Out of memory.\n"));
+      /* FIXME -- add return value to initializer methods. */
+    }
+  
+  obj->read  = __bro_sobject_read;
+  obj->write = __bro_sobject_write;
+  obj->free  = __bro_sobject_free;
+  obj->clone = __bro_sobject_clone;
+  obj->hash  = __bro_sobject_hash_impl;
+  obj->cmp   = __bro_sobject_cmp_impl;
+
+  D_RETURN;
+}
+
+void
+__bro_sobject_free(BroSObject *obj)
+{
+  D_ENTER;
+
+  if (! obj)
+    D_RETURN;
+
+  __bro_ht_free(obj->data);
+  free(obj);
+
+  D_RETURN;
+}
+
+
+int
+__bro_sobject_clone(BroSObject *dst, BroSObject *src)
+{
+  D_ENTER;
+  
+  dst->perm_id = src->perm_id;
+  dst->type_id = src->type_id; /* Should aready be set, but what the heck .. */
+  dst->ref_count = 1;
+ 
+  /* We don't clone the contents of the data hashtable -- 
+   * actually we can't right now ...
+   */
+ 
+  D_RETURN_(TRUE);
+}
+
+
+static uint32
+__bro_sobject_hash_impl(BroSObject *obj)
+{
+  uint32 result;
+  
+  D_ENTER;
+  
+  if (! obj)
+    D_RETURN_(0);
+  
+  result = obj->perm_id ^ (uint32) obj->type_id;
+  
+  D_RETURN_(result);
+}
+
+
+static int
+__bro_sobject_cmp_impl(BroSObject *obj1, BroSObject *obj2)
+{
+  D_ENTER;
+  
+  if (! obj1 || ! obj2)
+    D_RETURN_(FALSE);
+  
+  if (obj1->perm_id != obj2->perm_id)
+    D_RETURN_(FALSE);
+  
+  D_RETURN_(TRUE);
+}
+
+
+uint32
+__bro_sobject_hash(BroSObject *obj)
+{
+  D_ENTER;
+
+  if (! obj)
+    D_RETURN_(0);
+
+  D_RETURN_(obj->hash(obj));
+}
+
+int
+__bro_sobject_cmp(BroSObject *obj1, BroSObject *obj2)
+{
+  D_ENTER;
+
+  if (! obj1 || !obj2)
+    D_RETURN_(FALSE);
+
+  D_RETURN_(obj1->cmp(obj1, obj2));
+}
+
+
+int
+__bro_sobject_serialize(BroSObject *obj, BroConn *bc)
+{
+  char full_obj;
+
+  D_ENTER;
+
+  if (! obj || !bc)
+    D_RETURN_(FALSE);
+
+  /* Special case for types: they indicate at the very beginning
+   * whether they're transferred in their entirety or just via
+   * their name (in which case we can't do much at the moment).
+   */
+  if ( (obj->type_id & SER_TYPE_MASK) == SER_IS_TYPE)
+    {      
+      BroType *type = (BroType *) obj;
+      
+      D(("Serializing type %X as type\n", obj->type_id));
+
+      if (! __bro_buf_write_char(bc->tx_buf, type->is_complete))
+	D_RETURN_(FALSE);
+      
+      if (! type->is_complete)
+	{
+	  if (! __bro_buf_write_string(bc->tx_buf, &type->type_name))
+	    D_RETURN_(FALSE);
+	  
+	  D(("Type sent by type-name '%s' only.\n", bro_string_get_data(&type->type_name)));
+	  D_RETURN_(TRUE);
+	}
+    }
+  
+  /* FIXME: for now we never use the serialization cache when sending. */
+  full_obj = 1;
+  
+  if (! __bro_buf_write_char(bc->tx_buf, full_obj))
+    D_RETURN_(FALSE);
+  if (! __bro_buf_write_int(bc->tx_buf, obj->perm_id))
+    D_RETURN_(FALSE);
+
+  if (! obj->write(obj, bc))
+    D_RETURN_(FALSE);
+  
+  D_RETURN_(TRUE);
+}
+
+
+BroSObject      *
+__bro_sobject_unserialize(uint16 type_id_wanted, BroConn *bc)
+{
+  BroSObject *obj;
+  char full_obj;
+  uint32 perm_id;
+  uint16 type_id;
+
+  D_ENTER;
+
+  if (! bc)
+    D_RETURN_(NULL);
+  
+  /* Same special case for types as in __bro_sobject_serialize().
+   */
+  if ( (type_id_wanted & SER_TYPE_MASK) == SER_IS_TYPE)
+    {
+      D(("Unserializing a type, checking for name-only format.\n"));
+
+      if (! __bro_buf_read_char(bc->rx_buf, &full_obj))
+	D_RETURN_(NULL);
+
+      if (! full_obj)
+	{
+	  BroString tmp;
+	  bro_string_init(&tmp);
+	  
+	  /* We only get the name. */
+	  if (! __bro_buf_read_string(bc->rx_buf, &tmp))
+	    D_RETURN_(FALSE);
+	  
+	  /* We don't really have a namespace in which we can now
+	   * look up the type, so there's not much we can do!
+	   */
+	  D(("Received name-only type '%s', reporting failure.\n",
+	     bro_string_get_data(&tmp)));
+	  D_RETURN_(FALSE);
+	}
+    }
+  
+  if (! __bro_buf_read_char(bc->rx_buf, &full_obj))
+    D_RETURN_(NULL);
+  
+  if (! __bro_buf_read_int(bc->rx_buf, &perm_id))
+    D_RETURN_(NULL);
+
+  if (! full_obj)
+    {
+#ifdef BRO_DEBUG
+      if (! (bc->conn_flags & BRO_CFLAG_CACHE))
+	D(("WARNING: no caching requested, yet peer sends cached data.\n"));
+#endif
+      if (! (obj = __bro_ht_get(bc->io_cache, (void *)(uintptr_t)  perm_id)))
+	{
+	  D(("Cache inconsistency: cache should contain object %i\n", perm_id));
+	  D_RETURN_(NULL);
+	}
+      
+      __bro_sobject_ref(obj);
+
+      D(("Returning object %i/%p from cache.\n", perm_id, obj));
+      D_RETURN_(obj);
+    }
+ 
+  if (! __bro_buf_read_short(bc->rx_buf, &type_id))
+    D_RETURN_(NULL);
+  
+  /* Now check if the stuff that's arriving is actually an
+   * instance of the type we'd like to see -- we can only do
+   * primitive checking for inherited types (when we want to
+   * know that it's a type, say, but we cannot know what exact
+   * kind of type) -- so we just check whether all the bits set
+   * in both type id's match:
+   */
+  if ((type_id_wanted & SER_TYPE_MASK) != (type_id & SER_TYPE_MASK))
+    {
+      D(("Type mismatch in serialization: wanted %04x, got %04x.\n",
+	 type_id_wanted, type_id));
+      D_RETURN_(NULL);
+    }
+  
+  if (! (obj = __bro_sobject_create(type_id)))
+    D_RETURN_(NULL);
+  
+  /* Polymorphism: depending on the constructor of the object,
+   * this call will start from the bottom of the hierarchy and
+   * read members in step by step, so by the time we return
+   * from this function the object is fully unserialized.
+   */
+  if (! obj->read(obj, bc))
+    {
+      D(("Reading object %i of type 0x%04x FAILED.\n", perm_id, type_id));
+      __bro_sobject_release(obj);
+      D_RETURN_(NULL);
+    }
+
+  /* If we have asked the peer to use caching,
+   * make sure the object is in the cache:
+   */
+  if ( (bc->conn_flags & BRO_CFLAG_CACHE) &&
+       ! __bro_ht_get(bc->io_cache, (void *)(uintptr_t) perm_id))
+    {
+      D(("Storing object %i in cache.\n", perm_id));
+      __bro_ht_add(bc->io_cache, (void *)(uintptr_t) perm_id, obj);
+      obj->perm_id = perm_id;
+      __bro_sobject_ref(obj);
+    }
+
+  D(("Object %i of type 0x%04x unserialized successfully.\n", perm_id, type_id));
+  D_RETURN_(obj);
+}
+
+
+int
+__bro_sobject_read(BroSObject *obj, BroConn *bc)
+{
+  D_ENTER;
+  D_RETURN_(TRUE);
+
+  obj = NULL;
+  bc = NULL;
+}
+
+
+int
+__bro_sobject_write(BroSObject *obj, BroConn *bc)
+{
+  D_ENTER;
+  
+  if (! __bro_buf_write_short(bc->tx_buf, obj->type_id))
+    D_RETURN_(FALSE);
+  
+  D_RETURN_(TRUE);
+}
+
+
+void
+__bro_sobject_data_set(BroSObject *obj, const char *key, void *val)
+{
+  D_ENTER;
+
+  if (! obj || ! key || ! *key)
+    D_RETURN;
+
+  __bro_ht_add(obj->data, strdup(key), val);
+  /* D(("Setting data item '%s' in object %p\n", key, obj)); */
+
+  D_RETURN;
+}
+
+
+void *
+__bro_sobject_data_get(BroSObject *obj, const char *key)
+{
+  void *result;
+
+  if (! obj || ! key || ! *key)
+    return NULL;
+
+  result = __bro_ht_get(obj->data, (void *) key);
+  /* D(("Retrieving data item '%s' from object %p yields %p\n", key, obj, result)); */
+  return result;
+}
+
+
+void *
+__bro_sobject_data_del(BroSObject *obj, const char *key)
+{
+  void *result;
+  
+  D_ENTER;
+  
+  if (! obj || ! key || ! *key)
+    D_RETURN_(NULL);
+  
+  result = __bro_ht_del(obj->data, (void *) key);
+  /* D(("Removing data item '%s' from object %p yields %p\n", key, obj, result)); */
+  D_RETURN_(result);
+}
diff --git a/aux/broccoli/src/bro_sobject.h b/aux/broccoli/src/bro_sobject.h
new file mode 100644
index 0000000000..c633fb2177
--- /dev/null
+++ b/aux/broccoli/src/bro_sobject.h
@@ -0,0 +1,263 @@
+/*
+       B R O C C O L I  --  The Bro Client Communications Library
+
+Copyright (C) 2004-2008 Christian Kreibich <christian (at) icir.org>
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to
+deal in the Software without restriction, including without limitation the
+rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+sell copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies of the Software and its documentation and acknowledgment shall be
+given in the documentation and software packages that this Software was
+used.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+*/
+#ifndef broccoli_serial_object_h
+#define broccoli_serial_object_h
+
+#include <broccoli.h>
+#include <bro_types.h>
+
+/* A whole bunch of definitons taken straight out of Bro and run through cpp :)
+ * These are type tags -- see explanation in SerialTypes.h in the Bro tree. We use
+ * these tags to map to the default constructor implementation for an
+ * object upon unserialization.
+ */
+#define SER_TYPE_MASK                 0xff00
+#define SER_NONE                      0
+
+
+/* "Abstract" parent classes, not used directly */
+#define SER_IS_OBJ                    0x8000
+#define SER_IS_CONNECTION            (0x0100 | SER_IS_OBJ)
+#define SER_IS_TIMER                  0x0200
+#define SER_IS_TCP_ENDPOINT           0x0300
+#define SER_IS_TCP_ANALYZER          (0x0400 | SER_IS_OBJ)
+#define SER_IS_TCP_ENDPOINT_ANALYZER (0x0500 | SER_IS_OBJ)
+#define SER_IS_TCP_CONTENTS           0x0600
+#define SER_IS_REASSEMBLER            0x0700
+#define SER_IS_VAL                   (0x0800 | SER_IS_OBJ)
+#define SER_IS_EXPR                  (0x0900 | SER_IS_OBJ)
+#define SER_IS_TYPE                  (0x0a00 | SER_IS_OBJ)
+#define SER_IS_STMT                  (0x0b00 | SER_IS_OBJ)
+#define SER_IS_ATTRIBUTES            (0x0c00 | SER_IS_OBJ)
+#define SER_IS_EVENT_HANDLER          0x0d00
+#define SER_IS_FILE                  (0x0e00 | SER_IS_OBJ)
+#define SER_IS_FUNC                  (0x0f00 | SER_IS_OBJ)
+#define SER_IS_ID                    (0x1000 | SER_IS_OBJ)
+#define SER_IS_STATE_ACCESS           0x1100
+#define SER_IS_CASE                  (0x1200 | SER_IS_OBJ)
+#define SER_IS_LOCATION               0x1300
+#define SER_IS_RE_MATCHER             0x1400
+
+/* Usable derivations */
+#define SER_OBJ                      (1  | SER_IS_OBJ)
+#define SER_VAL                      (1  | SER_IS_VAL)
+#define SER_INTERVAL_VAL             (2  | SER_IS_VAL)
+#define SER_PORT_VAL                 (3  | SER_IS_VAL)
+#define SER_ADDR_VAL                 (4  | SER_IS_VAL)
+#define SER_NET_VAL                  (5  | SER_IS_VAL)
+#define SER_SUBNET_VAL               (6  | SER_IS_VAL)
+#define SER_STRING_VAL               (7  | SER_IS_VAL)
+#define SER_PATTERN_VAL              (8  | SER_IS_VAL)
+#define SER_LIST_VAL                 (9  | SER_IS_VAL)
+#define SER_TABLE_VAL                (10 | SER_IS_VAL)
+#define SER_RECORD_VAL               (11 | SER_IS_VAL)
+#define SER_ENUM_VAL                 (12 | SER_IS_VAL)
+#define SER_VECTOR_VAL               (13 | SER_IS_VAL)
+#define SER_MUTABLE_VAL              (14 | SER_IS_VAL)
+
+#define SER_EXPR                     (1  | SER_IS_EXPR)
+#define SER_NAME_EXPR                (2  | SER_IS_EXPR)
+#define SER_CONST_EXPR               (3  | SER_IS_EXPR)
+#define SER_UNARY_EXPR               (4  | SER_IS_EXPR)
+#define SER_BINARY_EXPR              (5  | SER_IS_EXPR)
+#define SER_INCR_EXPR                (6  | SER_IS_EXPR)
+#define SER_NOT_EXPR                 (7  | SER_IS_EXPR)
+#define SER_POS_EXPR                 (8  | SER_IS_EXPR)
+#define SER_NEG_EXPR                 (9  | SER_IS_EXPR)
+#define SER_ADD_EXPR                 (10 | SER_IS_EXPR)
+#define SER_SUB_EXPR                 (11 | SER_IS_EXPR)
+#define SER_TIMES_EXPR               (12 | SER_IS_EXPR)
+#define SER_DIVIDE_EXPR              (13 | SER_IS_EXPR)
+#define SER_MOD_EXPR                 (14 | SER_IS_EXPR)
+#define SER_BOOL_EXPR                (15 | SER_IS_EXPR)
+#define SER_EQ_EXPR                  (16 | SER_IS_EXPR)
+#define SER_REL_EXPR                 (17 | SER_IS_EXPR)
+#define SER_COND_EXPR                (18 | SER_IS_EXPR)
+#define SER_REF_EXPR                 (19 | SER_IS_EXPR)
+#define SER_ASSIGN_EXPR              (20 | SER_IS_EXPR)
+#define SER_INDEX_EXPR               (21 | SER_IS_EXPR)
+#define SER_FIELD_EXPR               (22 | SER_IS_EXPR)
+#define SER_HAS_FIELD_EXPR           (23 | SER_IS_EXPR)
+#define SER_RECORD_CONSTRUCTOR_EXPR  (24 | SER_IS_EXPR)
+#define SER_FIELD_ASSIGN_EXPR        (25 | SER_IS_EXPR)
+#define SER_RECORD_MATCH_EXPR        (26 | SER_IS_EXPR)
+#define SER_ARITH_COERCE_EXPR        (27 | SER_IS_EXPR)
+#define SER_RECORD_COERCE_EXPR       (28 | SER_IS_EXPR)
+#define SER_FLATTEN_EXPR             (29 | SER_IS_EXPR)
+#define SER_SCHEDULE_EXPR            (30 | SER_IS_EXPR)
+#define SER_IN_EXPR                  (31 | SER_IS_EXPR)
+#define SER_CALL_EXPR                (32 | SER_IS_EXPR)
+#define SER_EVENT_EXPR               (33 | SER_IS_EXPR)
+#define SER_LIST_EXPR                (34 | SER_IS_EXPR)
+#define SER_RECORD_ASSIGN_EXPR       (35 | SER_IS_EXPR)
+
+#define SER_TYPE                     (1  | SER_IS_TYPE)
+#define SER_TYPE_LIST                (2  | SER_IS_TYPE)
+#define SER_INDEX_TYPE               (3  | SER_IS_TYPE)
+#define SER_TABLE_TYPE               (4  | SER_IS_TYPE)
+#define SER_SET_TYPE                 (5  | SER_IS_TYPE)
+#define SER_FUNC_TYPE                (6  | SER_IS_TYPE)
+#define SER_RECORD_TYPE              (7  | SER_IS_TYPE)
+#define SER_SUBNET_TYPE              (8  | SER_IS_TYPE)
+#define SER_FILE_TYPE                (9  | SER_IS_TYPE)
+#define SER_ENUM_TYPE                (10 | SER_IS_TYPE)
+#define SER_VECTOR_TYPE              (11 | SER_IS_TYPE)
+
+#define SER_ATTRIBUTES               (1  | SER_IS_ATTRIBUTES)
+
+#define SER_EVENT_HANDLER            (1  | SER_IS_EVENT_HANDLER)
+#define SER_FILE                     (1  | SER_IS_FILE)
+
+#define SER_FUNC                     (1  | SER_IS_FUNC)
+#define SER_BRO_FUNC                 (2  | SER_IS_FUNC)
+#define SER_DEBUG_FUNC               (3  | SER_IS_FUNC)
+#define SER_BUILTIN_FUNC             (4  | SER_IS_FUNC)
+
+#define SER_ID                       (1  | SER_IS_ID)
+#define SER_STATE_ACCESS             (1  | SER_IS_STATE_ACCESS)
+#define SER_CASE                     (1  | SER_IS_CASE)
+#define SER_LOCATION                 (1  | SER_IS_LOCATION)
+#define SER_RE_MATCHER               (1  | SER_IS_RE_MATCHER)
+
+typedef struct bro_serial_object BroSObject;
+
+typedef BroSObject *(* BroSObjectNew) (void);
+
+/* Signatures for all functions which we virtualize. */
+typedef int (* BroSObjectRead) (BroSObject *obj, BroConn *bc);
+typedef int (* BroSObjectWrite) (BroSObject *obj, BroConn *bc);
+typedef void (* BroSObjectFree) (BroSObject *obj);
+typedef int (* BroSObjectClone) (BroSObject *dst, BroSObject *src);
+typedef uint32 (* BroSObjectHash) (BroSObject *obj);
+typedef int (* BroSObjectCmp) (BroSObject *obj1, BroSObject *obj2);
+
+/* BroSObjects are the base "class" of objects that can be serialized.
+ * They mirror SerialObj in Bro. The way Broccoli realizes classes,
+ * objects, and inheritance is as follows:
+ *
+ * (1) There is no distinction between classes and the objects that
+ *     are created from them. That means that each object carries with
+ *     it all the function pointers needed to implement polymorphism.
+ *     Yes, this wastes space, but for now I don't think it wastes
+ *     enough to justify the additional complexity of explicit-class,
+ *     Gtk-style object orientation in C.
+ *
+ * (2) Currently, the only virtualized functions are the ones defined
+ *     in BroSObject below, though this may change in the future.
+ *     These functions implement reading/writing from/to a buffer,
+ *     cleanup, cloning, hashing to a uint32, and strcmp()-style
+ *     instance comparison.
+ *
+ *     Implementations of these functions need to work in typical OO
+ *     fashion, i.e., they may need to call the implementation of the
+ *     parent "class" explicitly. This is the case for the (un)seriali-
+ *     zation functions (which need to read/write all elements of the
+ *     inheritance chain. It is not the case for the virtual ..._hash()
+ *     and ..._cmp() implementations, which usually define equality
+ *     and the computed hash value exclusively from the most derived
+ *     type's values.
+ *
+ * (3) Instances of BroSObject are usually created either by
+ *     unserializing them from a buffer (via __bro_sobject_unserialize())
+ *     or by specialized "constructors" in inherited classes. The
+ *     main constructor of this sort if __bro_val_new_of_type(), which
+ *     initializes BroVals with correct type information.
+ *     
+ *     Instances of BroSObject are to be deallocated via
+ *     __bro_sobject_release(). Since BroSObjects may be referenced
+ *     in multiple locations (the serialization cache being a main
+ *     example), you must not explicitly release the memory associated
+ *     with a BroSObject but let the BroSObject implementation decide
+ *     when to do so.
+ */
+struct bro_serial_object
+{
+  /* The value by which the object is identified in the
+   * serialization cache.
+   */
+  uint32           perm_id;
+
+  /* One of the SER_xxx values above to identify the type
+   * of object upon (un)serialization.
+   */
+  uint16           type_id;
+
+  /* Reference count, used for unserialized objects that
+   * sit in the connection's serialization cache and may
+   * be referenced by multiple SObjects.
+   */
+  int              ref_count;
+
+  /* Storage for arbitrary user data:
+   */
+  BroHT           *data;
+
+  BroSObjectRead   read;
+  BroSObjectWrite  write;
+  BroSObjectFree   free;
+  BroSObjectClone  clone;
+  BroSObjectHash   hash;
+  BroSObjectCmp    cmp;
+};
+
+BroSObject      *__bro_sobject_create(uint16 type_id);
+void             __bro_sobject_release(BroSObject *obj);
+void             __bro_sobject_ref(BroSObject *obj);
+BroSObject      *__bro_sobject_copy(BroSObject *obj);
+
+BroSObject      *__bro_sobject_new(void);
+
+void             __bro_sobject_init(BroSObject *obj);
+void             __bro_sobject_free(BroSObject *obj);
+
+/* We need the connection handle for the next two and not just
+ * a buffer because we might need the cache associated with the
+ * connection.
+ */
+int              __bro_sobject_serialize(BroSObject *obj, BroConn *bc);
+BroSObject      *__bro_sobject_unserialize(uint16 type_id, BroConn *bc);
+
+/* Hash a SObject or compare them. These are the virtualized
+ * functions -- the actual implementation of these functions
+ * for SObjects themselves are static in bro_sobject.c.
+ */
+uint32           __bro_sobject_hash(BroSObject *obj);
+int              __bro_sobject_cmp(BroSObject *obj1, BroSObject *obj2);
+
+int              __bro_sobject_read(BroSObject *obj, BroConn *bc);
+int              __bro_sobject_write(BroSObject *obj, BroConn *bc);
+int              __bro_sobject_clone(BroSObject *dst, BroSObject *src);
+
+/* Our base class has a facility for associating arbitrary stuff
+ * with each instance. Make sure to clean up the associated items
+ * before releasing the instance, because the object doesn't know
+ * how to do this.
+ */
+void             __bro_sobject_data_set(BroSObject *obj, const char *key, void *val);
+void            *__bro_sobject_data_get(BroSObject *obj, const char *key);
+void            *__bro_sobject_data_del(BroSObject *obj, const char *key);
+
+#endif
diff --git a/aux/broccoli/src/bro_table.c b/aux/broccoli/src/bro_table.c
new file mode 100644
index 0000000000..1197e27e1e
--- /dev/null
+++ b/aux/broccoli/src/bro_table.c
@@ -0,0 +1,227 @@
+/*
+       B R O C C O L I  --  The Bro Client Communications Library
+
+Copyright (C) 2004-2008 Christian Kreibich <christian (at) icir.org>
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to
+deal in the Software without restriction, including without limitation the
+rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+sell copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies of the Software and its documentation and acknowledgment shall be
+given in the documentation and software packages that this Software was
+used.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+*/
+#if HAVE_CONFIG_H
+# include <config.h>
+#endif
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <sys/types.h>
+#include <string.h>
+#include <unistd.h>
+#include <errno.h>
+
+#ifdef __EMX__
+#include <strings.h>
+#endif 
+
+#include <bro_types.h>
+#include <bro_io.h>
+#include <bro_debug.h>
+#include <bro_val.h>
+#include <bro_table.h>
+
+
+BroTable *
+__bro_table_new(void)
+{
+  BroTable *tbl;
+
+  if (! (tbl = calloc(1, sizeof(BroTable))))
+    return NULL;
+
+  tbl->tbl_impl = __bro_ht_new((BroHTHashFunc) __bro_table_hash_key,
+			       (BroHTCmpFunc) __bro_table_cmp_key,
+			       (BroHTFreeFunc) __bro_sobject_release,
+			       (BroHTFreeFunc) __bro_sobject_release, FALSE);
+
+  if (! tbl->tbl_impl)
+    {
+      free(tbl);
+      return NULL;
+    }
+  
+  return tbl;
+}
+
+void
+__bro_table_free(BroTable *tbl)
+{
+  if (! tbl)
+    return;
+
+  __bro_ht_free(tbl->tbl_impl);
+  free(tbl);
+}
+
+static int __bro_table_copy_cb(BroVal *key, BroVal *val, BroTable *dest)
+{
+  __bro_table_insert(dest, key, val);
+  return TRUE; /* Continue the iteration */
+}
+
+BroTable *
+__bro_table_copy(BroTable *tbl)
+{
+  BroVal *val, *val_copy;
+  BroTable *copy;
+
+  if (! tbl)
+    return NULL;
+  
+  if (! (copy = __bro_table_new()))
+    return NULL;
+  
+  __bro_ht_foreach(tbl->tbl_impl,
+		   (BroHTCallback) __bro_table_copy_cb,
+		   (void *) copy);
+  
+  return copy;
+}
+
+void
+__bro_table_insert(BroTable *tbl, BroVal *key, BroVal *val)
+{
+  if (! tbl || ! key) /* NULL for val is okay -- that's a set. */
+    return;
+  
+  __bro_ht_add(tbl->tbl_impl, key, val);  
+}
+
+BroVal *
+__bro_table_find(BroTable *tbl, const BroVal *key)
+{
+  if (! tbl || ! key)
+    return NULL;
+
+  return __bro_ht_get(tbl->tbl_impl, key);
+}
+
+int
+__bro_table_get_size(BroTable *tbl)
+{
+  if (! tbl)
+    return -1;
+  
+  return __bro_ht_get_size(tbl->tbl_impl);
+}
+
+void
+__bro_table_foreach(BroTable *tbl, BroTableCallback cb, void *user_data)
+{
+  if (! tbl || ! cb)
+    return;
+
+  __bro_ht_foreach(tbl->tbl_impl, cb, user_data);
+}
+
+int
+__bro_table_is_set(BroTable *tbl)
+{
+  return tbl->tbl_val_type == BRO_TYPE_UNKNOWN;
+}
+
+uint32
+__bro_table_hash_key(BroVal *key)
+{
+  return ((BroSObject *) key)->hash((BroSObject *) key);
+}
+
+int
+__bro_table_cmp_key(BroVal *val1, BroVal *val2)
+{
+  BroSObject *obj1 = (BroSObject *) val1;
+  BroSObject *obj2 = (BroSObject *) val2;
+
+  return obj1->cmp(obj1, obj2);
+}
+
+static int
+__bro_table_hash_cb(BroVal *key, BroVal *val, int *result)
+{
+  *result ^= __bro_sobject_hash((BroSObject*) key);
+  *result ^= __bro_sobject_hash((BroSObject*) val);
+  return TRUE;
+}
+
+uint32
+__bro_table_hash(BroTable *tbl)
+{
+  uint32 result;
+  
+  D_ENTER;
+  
+  if (! tbl)
+    D_RETURN_(0);
+  
+  result = __bro_ht_get_size(tbl->tbl_impl);
+  
+  __bro_ht_foreach(tbl->tbl_impl, (BroHTCallback) __bro_table_hash_cb, &result);
+  
+  D_RETURN_(result);
+}
+
+typedef struct bro_table_cmp
+{
+  BroHT *table;
+  int result;
+} BroTableCmp;
+
+static int
+__bro_table_cmp_cb(BroVal *key, BroVal *val, BroTableCmp *cmp)
+{
+  BroVal *val2 = __bro_ht_get(cmp->table, key);
+
+  if (! val2)
+    goto no_luck;
+  
+  if (! __bro_sobject_cmp((BroSObject*) val, (BroSObject*) val2))
+    goto no_luck;
+
+  return TRUE;
+
+ no_luck:  
+  cmp->result = FALSE;
+  return FALSE;
+}
+
+int
+__bro_table_cmp(BroTable *tbl1, BroTable *tbl2)
+{
+  BroTableCmp cmp;
+
+  D_ENTER;
+
+  cmp.table = tbl2->tbl_impl;
+  cmp.result = TRUE;
+  
+  if (__bro_ht_get_size(tbl1->tbl_impl) != __bro_ht_get_size(tbl2->tbl_impl))
+    D_RETURN_(FALSE);
+
+  __bro_ht_foreach(tbl1->tbl_impl, (BroHTCallback) __bro_table_cmp_cb, &cmp);
+
+  D_RETURN_(TRUE);
+}
diff --git a/aux/broccoli/src/bro_table.h b/aux/broccoli/src/bro_table.h
new file mode 100644
index 0000000000..d12e629d31
--- /dev/null
+++ b/aux/broccoli/src/bro_table.h
@@ -0,0 +1,72 @@
+/*
+       B R O C C O L I  --  The Bro Client Communications Library
+
+Copyright (C) 2004-2008 Christian Kreibich <christian (at) icir.org>
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to
+deal in the Software without restriction, including without limitation the
+rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+sell copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies of the Software and its documentation and acknowledgment shall be
+given in the documentation and software packages that this Software was
+used.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+*/
+#ifndef broccoli_table_h
+#define broccoli_table_h
+
+#include <broccoli.h>
+#include <bro_types.h>
+#include <bro_hashtable.h>
+
+/* BroTable is the table type we export to the user. It relies
+ * on BroHTs for the implementation.
+ *
+ * Related typedefs are in broccoli.h because the users need
+ * to know them -- we keep the definition opaque here.
+ */
+struct bro_table
+{
+  /* The underlying hashtable */
+  BroHT   *tbl_impl;
+  int tbl_key_type, tbl_val_type;
+};
+
+BroTable      *__bro_table_new(void);
+void           __bro_table_free(BroTable *tbl);
+BroTable      *__bro_table_copy(BroTable *tbl);
+
+/* Inserts the given key-val pair and adopts ownership,
+ * i.e., the values are not duplicated internally.
+ */
+void           __bro_table_insert(BroTable *tbl, BroVal *key, BroVal *val);
+
+BroVal        *__bro_table_find(BroTable *tbl, const BroVal *key);
+int            __bro_table_get_size(BroTable *tbl);
+
+void           __bro_table_foreach(BroTable *tbl, BroTableCallback cb, void *user_data);
+
+/* Sets are just tables that have no meaningful values associated
+ * with the keys. As long as a table's tbl_val_type remains unknown,
+ * a table is in fact a set.
+ */
+int            __bro_table_is_set(BroTable *tbl);
+
+uint32         __bro_table_hash_key(BroVal *key);
+int            __bro_table_cmp_key(BroVal *val1, BroVal *val2);
+
+uint32         __bro_table_hash(BroTable *tbl);
+int            __bro_table_cmp(BroTable *tbl1, BroTable *tbl2);
+
+#endif
diff --git a/aux/broccoli/src/bro_type.c b/aux/broccoli/src/bro_type.c
new file mode 100644
index 0000000000..0d87693719
--- /dev/null
+++ b/aux/broccoli/src/bro_type.c
@@ -0,0 +1,1303 @@
+/*
+       B R O C C O L I  --  The Bro Client Communications Library
+
+Copyright (C) 2004-2008 Christian Kreibich <christian (at) icir.org>
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to
+deal in the Software without restriction, including without limitation the
+rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+sell copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies of the Software and its documentation and acknowledgment shall be
+given in the documentation and software packages that this Software was
+used.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+*/
+#if HAVE_CONFIG_H
+# include <config.h>
+#endif
+
+#include <string.h>
+#include <unistd.h>
+#include <errno.h>
+#include <sys/time.h>
+
+#ifdef __EMX__
+#include <strings.h>
+#endif 
+
+#include <bro_types.h>
+#include <bro_val.h>
+#include <bro_debug.h>
+#include <bro_object.h>
+#include <bro_type_decl.h>
+#include <bro_type.h>
+
+/* The virtual implementations of BroSObject's functions are
+ * kept static in this module, and so are the ..._init() methods
+ * not currently needed by other, derived classes.
+ */
+
+static void         __bro_type_init(BroType *type);
+static void         __bro_type_free(BroType *type);
+static int          __bro_type_read(BroType *type, BroConn *bc);
+static int          __bro_type_write(BroType *type, BroConn *bc);
+static int          __bro_type_clone(BroType *dst, BroType *src);
+static uint32       __bro_type_hash(BroType *type);
+static int          __bro_type_cmp(BroType *type1, BroType *type2);
+
+static void         __bro_type_list_init(BroTypeList *tl);
+static void         __bro_type_list_free(BroTypeList *tl);
+static int          __bro_type_list_read(BroTypeList *tl, BroConn *bc);
+static int          __bro_type_list_write(BroTypeList *tl, BroConn *bc);
+static int          __bro_type_list_clone(BroTypeList *dst, BroTypeList *src);
+static uint32       __bro_type_list_hash(BroTypeList *tl);
+static int          __bro_type_list_cmp(BroTypeList *tl1, BroTypeList *tl2);
+
+static void         __bro_record_type_init(BroRecordType *rt);
+static void         __bro_record_type_free(BroRecordType *rt);
+static int          __bro_record_type_read(BroRecordType *rt, BroConn *bc);
+static int          __bro_record_type_write(BroRecordType *rt, BroConn *bc);
+static int          __bro_record_type_clone(BroRecordType *dst, BroRecordType *src);
+static uint32       __bro_record_type_hash(BroRecordType *rt);
+static int          __bro_record_type_cmp(BroRecordType *rt1, BroRecordType *rt2);
+
+static void         __bro_index_type_init(BroIndexType *it);
+static void         __bro_index_type_free(BroIndexType *it);
+static int          __bro_index_type_read(BroIndexType *it, BroConn *bc);
+static int          __bro_index_type_write(BroIndexType *it, BroConn *bc);
+static int          __bro_index_type_clone(BroIndexType *dst, BroIndexType *src);
+static uint32       __bro_index_type_hash(BroIndexType *it);
+static int          __bro_index_type_cmp(BroIndexType *it1, BroIndexType *it2);
+
+static void         __bro_table_type_init(BroTableType *tt);
+static void         __bro_table_type_free(BroTableType *tt);
+static int          __bro_table_type_read(BroTableType *tt, BroConn *bc);
+static int          __bro_table_type_write(BroTableType *tt, BroConn *bc);
+static int          __bro_table_type_clone(BroTableType *dst, BroTableType *src);
+static uint32       __bro_table_type_hash(BroTableType *tt);
+static int          __bro_table_type_cmp(BroTableType *tt1, BroTableType *tt2);
+
+static void         __bro_set_type_init(BroSetType *st);
+static void         __bro_set_type_free(BroSetType *st);
+static int          __bro_set_type_read(BroSetType *st, BroConn *bc);
+static int          __bro_set_type_write(BroSetType *st, BroConn *bc);
+static int          __bro_set_type_clone(BroSetType *dst, BroSetType *src);
+static uint32       __bro_set_type_hash(BroSetType *st);
+static int          __bro_set_type_cmp(BroSetType *st1, BroSetType *st2);
+
+
+BroType *
+__bro_type_new(void)
+{
+  BroType *type;
+
+  D_ENTER;
+
+  if (! (type = calloc(1, sizeof(BroType))))
+    D_RETURN_(NULL);
+
+  __bro_type_init(type);
+
+  D_RETURN_(type);
+}
+
+
+BroType *
+__bro_type_new_of_type(int type_tag, const char *type_name)
+{
+  BroType *type = NULL;
+  int internal_tag;
+  char is_nbo = 0;
+  
+  D_ENTER;
+  
+  switch (type_tag)
+    {
+    case BRO_TYPE_BOOL:
+    case BRO_TYPE_INT:
+    case BRO_TYPE_ENUM:
+      internal_tag = BRO_INTTYPE_INT;
+      break;
+      
+    case BRO_TYPE_COUNT:
+    case BRO_TYPE_COUNTER:
+      internal_tag = BRO_INTTYPE_UNSIGNED;
+      break;
+      
+    case BRO_TYPE_PORT:
+      internal_tag = BRO_INTTYPE_UNSIGNED;
+      is_nbo = 1;
+      break;
+      
+    case BRO_TYPE_DOUBLE:
+    case BRO_TYPE_TIME:
+    case BRO_TYPE_INTERVAL:
+      internal_tag = BRO_INTTYPE_DOUBLE;
+      break;
+      
+    case BRO_TYPE_STRING:
+      internal_tag = BRO_INTTYPE_STRING;
+      break;
+      
+    case BRO_TYPE_IPADDR:
+    case BRO_TYPE_NET:
+      internal_tag = BRO_INTTYPE_IPADDR;
+      break;
+      
+    case BRO_TYPE_SUBNET:
+      internal_tag = BRO_INTTYPE_SUBNET;
+      break;
+      
+    case BRO_TYPE_PATTERN:
+    case BRO_TYPE_TIMER:
+    case BRO_TYPE_ANY:
+    case BRO_TYPE_UNION:
+    case BRO_TYPE_LIST:      
+    case BRO_TYPE_FUNC:
+    case BRO_TYPE_FILE:
+    case BRO_TYPE_VECTOR:
+      internal_tag = BRO_INTTYPE_OTHER;
+      break;
+
+    case BRO_TYPE_TABLE:
+      if (! (type = (BroType *) __bro_table_type_new()))
+	D_RETURN_(NULL);
+      
+      internal_tag = BRO_INTTYPE_OTHER;
+      break;
+      
+    case BRO_TYPE_RECORD:
+      if (! (type = (BroType *) __bro_record_type_new()))
+	D_RETURN_(NULL);
+      
+      internal_tag = BRO_INTTYPE_OTHER;
+      break;
+      
+    case BRO_TYPE_SET:
+      if (! (type = (BroType *) __bro_set_type_new()))
+	D_RETURN_(NULL);
+
+      internal_tag = BRO_INTTYPE_OTHER;
+      break;
+
+    case BRO_TYPE_ERROR:
+    default:
+      internal_tag = BRO_INTTYPE_ERROR;
+    }
+
+  if (! type)
+    {
+      if (! (type = __bro_type_new()))
+	D_RETURN_(NULL);
+    }
+ 
+  type->tag          = type_tag;
+  type->internal_tag = internal_tag;
+  type->is_nbo       = is_nbo;
+  type->is_complete  = TRUE;
+  
+  if (type_name)
+    {
+      type->is_complete = FALSE;
+      bro_string_set(&type->type_name, type_name);
+    }
+
+  D_RETURN_(type);
+}
+
+
+static void
+__bro_type_init(BroType *type)
+{
+  BroSObject *sobj = (BroSObject *) type;
+
+  D_ENTER;
+
+  __bro_object_init((BroObject *) type);
+
+  sobj->read  = (BroSObjectRead) __bro_type_read;
+  sobj->write = (BroSObjectWrite) __bro_type_write;
+  sobj->free  = (BroSObjectFree) __bro_type_free;
+  sobj->clone = (BroSObjectClone) __bro_type_clone;
+  sobj->hash  = (BroSObjectHash) __bro_type_hash;
+  sobj->cmp   = (BroSObjectCmp) __bro_type_cmp;
+
+  sobj->type_id = SER_TYPE;
+
+  bro_string_init(&type->type_name);
+  type->is_complete = TRUE;
+
+  D_RETURN;
+}
+
+
+static void
+__bro_type_free(BroType *type)
+{
+  D_ENTER;
+  bro_string_cleanup(&type->type_name);
+  __bro_sobject_release((BroSObject *) type->attrs_type);
+  __bro_object_free((BroObject *) type);
+  D_RETURN;
+}
+
+
+static int
+__bro_type_read(BroType *type, BroConn *bc)
+{
+  char opt;
+  
+  D_ENTER;
+
+  if (! __bro_object_read((BroObject *) type, bc))
+    D_RETURN_(FALSE);
+
+  if (! __bro_buf_read_char(bc->rx_buf, &type->tag))
+    D_RETURN_(FALSE);
+  if (! __bro_buf_read_char(bc->rx_buf, &type->internal_tag))
+    D_RETURN_(FALSE);
+
+  if (! __bro_buf_read_char(bc->rx_buf, &type->is_nbo))
+    D_RETURN_(FALSE);
+  if (! __bro_buf_read_char(bc->rx_buf, &type->is_base_type))
+    D_RETURN_(FALSE);
+  if (! __bro_buf_read_char(bc->rx_buf, &type->is_global_attrs_type))
+    D_RETURN_(FALSE);
+
+  if (! __bro_buf_read_char(bc->rx_buf, &opt))
+    D_RETURN_(FALSE);
+  if (opt)
+    {
+      if (type->attrs_type)
+	__bro_sobject_release((BroSObject *) type->attrs_type);
+      
+      if (! (type->attrs_type = (BroRecordType *)
+	     __bro_sobject_unserialize(SER_RECORD_TYPE, bc)))
+	D_RETURN_(FALSE);
+    }
+
+  D_RETURN_(TRUE);
+}
+
+
+static int
+__bro_type_write(BroType *type, BroConn *bc)
+{
+  D_ENTER;
+
+   if (! __bro_object_write((BroObject *) type, bc))
+    D_RETURN_(FALSE);
+
+  if (! __bro_buf_write_char(bc->tx_buf, type->tag))
+    D_RETURN_(FALSE);
+  if (! __bro_buf_write_char(bc->tx_buf, type->internal_tag))
+    D_RETURN_(FALSE);
+
+  if (! __bro_buf_write_char(bc->tx_buf, type->is_nbo))
+    D_RETURN_(FALSE);
+  if (! __bro_buf_write_char(bc->tx_buf, type->is_base_type))
+    D_RETURN_(FALSE);
+  if (! __bro_buf_write_char(bc->tx_buf, type->is_global_attrs_type))
+    D_RETURN_(FALSE);
+
+  if (! __bro_buf_write_char(bc->tx_buf, type->attrs_type ? 1 : 0))
+    D_RETURN_(FALSE);
+  
+  if (type->attrs_type && ! __bro_sobject_serialize((BroSObject *) type->attrs_type, bc))
+    D_RETURN_(FALSE);
+  
+  D_RETURN_(TRUE);
+}
+
+
+static int
+__bro_type_clone(BroType *dst, BroType *src)
+{
+  D_ENTER;
+
+  if (! __bro_object_clone((BroObject *) dst, (BroObject *) src))
+    D_RETURN_(FALSE);
+
+  dst->tag = src->tag;
+  dst->internal_tag = src->internal_tag;
+  dst->is_nbo = src->is_nbo;
+  dst->is_base_type = src->is_base_type;
+  dst->is_global_attrs_type = src->is_global_attrs_type;
+  dst->is_complete = src->is_complete;
+  bro_string_set(&dst->type_name, (const char *) bro_string_get_data(&src->type_name));
+
+  if (src->attrs_type &&
+      ! (dst->attrs_type = (BroRecordType *) __bro_sobject_copy((BroSObject *) src->attrs_type)))
+    D_RETURN_(FALSE);
+
+  D_RETURN_(TRUE);
+}
+
+
+static uint32
+__bro_type_hash(BroType *type)
+{
+  uint32 result;
+
+  D_ENTER;
+
+  if (! type)
+    D_RETURN_(0);
+
+  result = __bro_ht_str_hash(type->type_name.str_val);
+  result ^= (uint32) type->tag;
+  result ^= ((uint32) type->internal_tag) << 8;
+  result ^= ((uint32) type->is_nbo) << 8;
+  result ^= ((uint32) type->is_base_type) << 8;
+  result ^= (uint32) type->is_global_attrs_type;
+  result ^= ((uint32) type->is_complete) << 8;
+
+  D_RETURN_(result);
+
+}
+
+
+static int
+__bro_type_cmp(BroType *type1, BroType *type2)
+{
+  int result;
+
+  D_ENTER;
+ 
+  if (! type1 || ! type2)
+    D_RETURN_(FALSE);
+
+  if (type1->type_name.str_val && type2->type_name.str_val &&
+      ! __bro_ht_str_cmp(type1->type_name.str_val, type2->type_name.str_val))
+    D_RETURN_(FALSE);
+  
+  if (type1->tag != type2->tag ||
+      type1->internal_tag != type2->internal_tag ||
+      type1->is_nbo != type2->is_nbo ||
+      type1->is_base_type != type2->is_base_type ||
+      type1->is_global_attrs_type != type2->is_global_attrs_type ||
+      type1->is_complete != type2->is_complete)
+    D_RETURN_(FALSE);
+
+  D_RETURN_(TRUE);
+
+}
+
+BroTypeList *
+__bro_type_list_new(void)
+{
+  BroTypeList *tl;
+
+  D_ENTER;
+
+  if (! (tl = calloc(1, sizeof(BroTypeList))))
+    D_RETURN_(NULL);
+
+  __bro_type_list_init(tl);
+
+  D_RETURN_(tl);
+}
+
+
+static void
+__bro_type_list_init(BroTypeList *tl)
+{
+  BroSObject *sobj = (BroSObject *) tl;
+
+  D_ENTER;
+  
+  __bro_type_init((BroType *) tl);
+  
+  sobj->read  = (BroSObjectRead) __bro_type_list_read;
+  sobj->write = (BroSObjectWrite) __bro_type_list_write;
+  sobj->free  = (BroSObjectFree) __bro_type_list_free;
+  sobj->clone = (BroSObjectClone) __bro_type_list_clone;
+  sobj->hash  = (BroSObjectHash) __bro_type_list_hash;
+  sobj->cmp   = (BroSObjectCmp) __bro_type_list_cmp;  
+
+  sobj->type_id = SER_TYPE_LIST;
+
+  tl->types = NULL;
+
+  D_RETURN;
+}
+
+
+static void
+__bro_type_list_free(BroTypeList *tl)
+{
+  D_ENTER;
+
+  __bro_list_free(tl->types, (BroFunc) __bro_sobject_release);
+  __bro_sobject_release((BroSObject *) tl->pure_type);  
+  __bro_type_free((BroType *) tl);
+  
+  D_RETURN;
+}
+
+
+static int
+__bro_type_list_read(BroTypeList *tl, BroConn *bc)
+{
+  char opt;
+  uint32 i;
+
+  D_ENTER;
+
+  if (! __bro_type_read((BroType *) tl, bc))
+    D_RETURN_(FALSE);
+  
+  if (! __bro_buf_read_char(bc->rx_buf, &opt))
+    D_RETURN_(FALSE);
+  
+  /* Clean out old optional pure type */
+  if (tl->pure_type)
+    __bro_sobject_release((BroSObject *) tl->pure_type);
+  
+  if (opt)
+    {
+      if (! (tl->pure_type = (BroType *) __bro_sobject_unserialize(SER_IS_TYPE, bc)))
+	D_RETURN_(FALSE);
+    }
+  
+  if (! __bro_buf_read_int(bc->rx_buf, &tl->num_types))
+    D_RETURN_(FALSE);
+  
+  if (tl->num_types > 0)
+    {
+      for (i = 0; i < tl->num_types; i++)
+	{
+	  BroType *type;
+	  
+	  if (! (type = (BroType *) __bro_sobject_unserialize(SER_IS_TYPE, bc)))
+	    D_RETURN_(FALSE);
+	  
+	  tl->types = __bro_list_append(tl->types, type);
+	}
+    }
+  
+  D_RETURN_(TRUE);
+}
+
+
+static int
+__bro_type_list_write(BroTypeList *tl, BroConn *bc)
+{
+  BroList *l;
+
+  D_ENTER;
+
+  if (! __bro_type_write((BroType *) tl, bc))
+    D_RETURN_(FALSE);
+  
+  if (! __bro_buf_write_char(bc->tx_buf, tl->pure_type ? 1 : 0))
+    D_RETURN_(FALSE);
+  
+  if (tl->pure_type && ! __bro_sobject_serialize((BroSObject *) tl->pure_type, bc))
+    D_RETURN_(FALSE);
+
+  if (! __bro_buf_write_int(bc->tx_buf, tl->num_types))
+    D_RETURN_(FALSE);
+
+  for (l = tl->types; l; l = __bro_list_next(l))
+    {
+      if (! __bro_sobject_serialize((BroSObject *) __bro_list_data(l), bc))
+	D_RETURN_(FALSE);
+    }
+  
+  D_RETURN_(TRUE);
+}
+
+
+static int
+__bro_type_list_clone(BroTypeList *dst, BroTypeList *src)
+{
+  BroList *l;
+  BroType *type;
+
+  D_ENTER;
+
+  if (! __bro_type_clone((BroType *) dst, (BroType *) src))
+    D_RETURN_(FALSE);
+
+  dst->num_types = src->num_types;
+
+  if (dst->types)
+    __bro_list_free(dst->types, (BroFunc) __bro_sobject_release);
+
+  dst->types = NULL;
+  
+  for (l = src->types; l; l = __bro_list_next(l))
+    {
+      BroType *type_copy;
+
+      type = __bro_list_data(l);
+      
+      if (! (type_copy = (BroType *) __bro_sobject_copy((BroSObject *) type)))
+	D_RETURN_(FALSE);
+
+      dst->types = __bro_list_append(dst->types, type_copy);
+    }
+  
+  if (src->pure_type && ! (dst->pure_type = (BroType *) __bro_sobject_copy((BroSObject *) src->pure_type)))
+    D_RETURN_(FALSE);
+  
+  D_RETURN_(TRUE);
+}
+
+
+static uint32
+__bro_type_list_hash(BroTypeList *tl)
+{
+  uint32 result;
+  BroList *l;
+
+  D_ENTER;
+
+  if (! tl)
+    D_RETURN_(0);
+
+  result = tl->num_types;
+  result ^= __bro_sobject_hash((BroSObject*) tl->pure_type);
+  
+  for (l = tl->types; l; l = __bro_list_next(l))
+    result ^= __bro_sobject_hash((BroSObject*) __bro_list_data(l));
+  
+  D_RETURN_(result);
+}
+
+
+static int
+__bro_type_list_cmp(BroTypeList *tl1, BroTypeList *tl2)
+{
+  BroList *l1, *l2;
+
+  D_ENTER;
+
+  if (! tl1 || ! tl2)
+    D_RETURN_(FALSE);
+  
+  if (tl1->num_types != tl2->num_types ||
+      ! __bro_sobject_cmp((BroSObject*) tl1->pure_type,
+			  (BroSObject*) tl2->pure_type))
+    D_RETURN_(FALSE);
+  
+  for (l1 = tl1->types, l2 = tl2->types; l1 && l2;
+       l1 = __bro_list_next(l1), l2 = __bro_list_next(l2))
+    {
+      if (! __bro_sobject_cmp((BroSObject*) __bro_list_data(l1),
+			      (BroSObject*) __bro_list_data(l2)))
+	D_RETURN_(FALSE);
+    }
+  
+  if (l1 || l2) D_RETURN_(FALSE);
+  
+  D_RETURN_(TRUE);
+}
+
+
+BroRecordType *
+__bro_record_type_new(void)
+{
+  BroRecordType *rt;
+  
+  D_ENTER;
+  
+  if (! (rt = calloc(1, sizeof(BroRecordType))))
+    D_RETURN_(NULL);
+  
+  __bro_record_type_init(rt);
+
+  D_RETURN_(rt);
+}
+
+
+static void
+__bro_record_type_init(BroRecordType *rt)
+{
+  BroSObject *sobj = (BroSObject *) rt;
+
+  D_ENTER;
+  
+  __bro_type_init((BroType *) rt);
+  
+  sobj->read  = (BroSObjectRead) __bro_record_type_read;
+  sobj->write = (BroSObjectWrite) __bro_record_type_write;
+  sobj->free  = (BroSObjectFree) __bro_record_type_free;
+  sobj->clone = (BroSObjectClone) __bro_record_type_clone;
+  sobj->hash  = (BroSObjectHash) __bro_record_type_hash;
+  sobj->cmp   = (BroSObjectCmp) __bro_record_type_cmp;
+  
+  sobj->type_id = SER_RECORD_TYPE;
+  
+  D_RETURN;
+}
+
+
+static void
+__bro_record_type_free(BroRecordType *rt)
+{
+  D_ENTER;
+  
+  __bro_sobject_release((BroSObject *) rt->base);
+  __bro_list_free(rt->type_decls, (BroFunc) __bro_type_decl_free);
+  __bro_type_free((BroType *) rt);
+  
+  D_RETURN;
+}
+
+
+void
+__bro_record_type_add_type(BroRecordType *rt, const char *field, BroType *type)
+{
+  BroTypeDecl *td;
+  
+  D_ENTER;
+  
+  if (! rt || ! type)
+    D_RETURN;
+  
+  if (! (td = __bro_type_decl_new()))
+    D_RETURN;
+
+  if (! (td->type = (BroType *) __bro_sobject_copy((BroSObject *) type)))
+    {
+      D(("Cloning of type failed.\n"));
+      __bro_type_decl_free(td);
+      D_RETURN;
+    }
+  
+  if (! bro_string_set(&td->id, field))
+    {
+      __bro_type_decl_free(td);
+      D_RETURN;
+    }
+  
+  rt->type_decls = __bro_list_append(rt->type_decls, td);
+  rt->num_fields++;
+  rt->num_types++;
+  D_RETURN;
+}
+
+
+const char *
+__bro_record_type_get_nth_field(BroRecordType *rt, int num)
+{
+  BroList *l;
+  
+  if (! rt || num < 0 || (uint) num >= rt->num_fields)
+    return NULL;
+  
+  if( (l = __bro_list_nth(rt->type_decls, num)))
+    {
+      BroTypeDecl *td = __bro_list_data(l);
+      return (const char *) td->id.str_val;
+    }
+  
+  return NULL;
+}
+
+
+static int
+__bro_record_type_read(BroRecordType *rt, BroConn *bc)
+{
+  uint32 i;
+  char opt;
+
+  D_ENTER;
+
+  if (! __bro_type_read((BroType *) rt, bc))
+    D_RETURN_(FALSE);
+
+  /* Read type declarations */
+
+  rt->type_decls = NULL;
+  rt->num_fields = 0;
+  rt->num_types = 0;
+
+  if (! __bro_buf_read_int(bc->rx_buf, &rt->num_fields))
+    D_RETURN_(FALSE);
+
+  if (! __bro_buf_read_char(bc->rx_buf, &opt))
+    D_RETURN_(FALSE);
+  if (opt)
+    {
+      if (! __bro_buf_read_int(bc->rx_buf, &rt->num_types))
+	D_RETURN_(FALSE);
+      
+      if (rt->num_types > 0)
+	{
+	  for (i = 0; i < rt->num_types; i++)
+	    {
+	      BroTypeDecl *td;
+	      
+	      if (! (td = __bro_type_decl_new()))
+		D_RETURN_(FALSE);
+	      
+	      if (! __bro_type_decl_read(td, bc))
+		D_RETURN_(FALSE);
+
+	      rt->type_decls = __bro_list_append(rt->type_decls, td);
+	    }
+	}
+    }
+
+  /* Read optional base */
+
+  __bro_sobject_release((BroSObject *) rt->base);
+  rt->base = NULL;
+  
+  if (! __bro_buf_read_char(bc->rx_buf, &opt))
+    D_RETURN_(FALSE);
+  if (opt)
+    {
+      if (! (rt->base = (BroTypeList *) __bro_sobject_unserialize(SER_TYPE_LIST, bc)))
+	D_RETURN_(FALSE);
+    }
+  
+  D_RETURN_(TRUE);
+}
+
+
+static int
+__bro_record_type_write(BroRecordType *rt, BroConn *bc)
+{
+  BroList *l;
+
+  D_ENTER;
+
+  if (! __bro_type_write((BroType *) rt, bc))
+    D_RETURN_(FALSE);
+
+  if (! __bro_buf_write_int(bc->tx_buf, rt->num_fields))
+    D_RETURN_(FALSE);
+
+  if (! __bro_buf_write_char(bc->tx_buf, rt->type_decls ? 1 : 0))
+    D_RETURN_(FALSE);
+  
+  if (! __bro_buf_write_int(bc->tx_buf, rt->num_types))
+    D_RETURN_(FALSE);
+  
+  for (l = rt->type_decls; l; l = __bro_list_next(l))
+    {
+      BroTypeDecl *td = __bro_list_data(l);
+      
+      if (! __bro_type_decl_write(td, bc))
+	D_RETURN_(FALSE);
+    }
+  
+  if (! __bro_buf_write_char(bc->tx_buf, rt->base ? 1 : 0))
+    D_RETURN_(FALSE);
+  
+  if (rt->base && ! __bro_sobject_serialize((BroSObject *) rt->base, bc))
+    D_RETURN_(FALSE);
+  
+  D_RETURN_(TRUE);
+}
+
+
+static int
+__bro_record_type_clone(BroRecordType *dst, BroRecordType *src)
+{
+  BroList *l;
+
+  D_ENTER;
+
+  if (! __bro_type_clone((BroType *) dst, (BroType *) src))
+    D_RETURN_(FALSE);
+  
+  if (src->base && ! (dst->base = (BroTypeList *) __bro_sobject_copy((BroSObject *) src->base)))
+    D_RETURN_(FALSE);
+  
+  dst->num_fields = src->num_fields;
+  dst->num_types = src->num_types;
+  
+  for (l = src->type_decls; l; l = __bro_list_next(l))
+    {
+      BroTypeDecl *td = __bro_list_data(l);
+      BroTypeDecl *td_copy = __bro_type_decl_copy(td);
+      
+      if (! td_copy)
+	D_RETURN_(FALSE);
+ 
+      dst->type_decls = __bro_list_append(dst->type_decls, td_copy);
+    }
+  
+  D_RETURN_(TRUE);
+}
+
+
+static uint32
+__bro_record_type_hash(BroRecordType *rt)
+{
+  uint32 result;
+  BroList *l;
+
+  D_ENTER;
+
+  if (! rt)
+    D_RETURN_(0);
+
+  result = __bro_type_list_hash(rt->base);
+  result ^= rt->num_fields;
+  result ^= rt->num_types << 16;
+  
+  for (l = rt->type_decls; l; l = __bro_list_next(l))
+    result ^= __bro_type_decl_hash((BroTypeDecl*) __bro_list_data(l));
+
+  D_RETURN_(result);
+}
+
+
+static int
+__bro_record_type_cmp(BroRecordType *rt1, BroRecordType *rt2)
+{
+  BroList *l1, *l2;
+
+  D_ENTER;
+
+  if (! rt1 || ! rt2)
+    D_RETURN_(FALSE);
+  
+  if (rt1->num_fields != rt2->num_fields ||
+      rt1->num_types != rt2->num_types ||
+      ! __bro_type_list_cmp(rt1->base, rt2->base))
+    D_RETURN_(FALSE);
+  
+  for (l1 = rt1->type_decls, l2 = rt2->type_decls; l1 && l2;
+       l1 = __bro_list_next(l1), l2 = __bro_list_next(l2))
+    {
+      if (! __bro_type_decl_cmp((BroTypeDecl*) __bro_list_data(l1),
+				(BroTypeDecl*) __bro_list_data(l2)))
+	D_RETURN_(FALSE);
+    }
+  
+  if (l1 || l2)
+    D_RETURN_(FALSE);
+  
+  D_RETURN_(TRUE);
+}
+
+
+BroIndexType *
+__bro_index_type_new(void)
+{
+  BroIndexType *it;
+  
+  D_ENTER;
+  
+  if (! (it = calloc(1, sizeof(BroIndexType))))
+    D_RETURN_(NULL);
+  
+  __bro_index_type_init(it);
+
+  D_RETURN_(it);
+}
+
+static void
+__bro_index_type_init(BroIndexType *it)
+{
+  BroSObject *sobj = (BroSObject *) it;
+
+  D_ENTER;
+  
+  __bro_type_init((BroType *) it);
+  
+  sobj->read  = (BroSObjectRead) __bro_index_type_read;
+  sobj->write = (BroSObjectWrite) __bro_index_type_write;
+  sobj->free  = (BroSObjectFree) __bro_index_type_free;
+  sobj->clone = (BroSObjectClone) __bro_index_type_clone;
+  sobj->hash  = (BroSObjectHash) __bro_index_type_hash;
+  sobj->cmp   = (BroSObjectCmp) __bro_index_type_cmp;
+  
+  sobj->type_id = SER_INDEX_TYPE;
+  
+  D_RETURN;
+}
+
+static void
+__bro_index_type_free(BroIndexType *it)
+{
+  D_ENTER;
+  
+  __bro_sobject_release((BroSObject *) it->indices);
+  __bro_sobject_release((BroSObject *) it->yield_type);
+  __bro_type_free((BroType *) it);
+  
+  D_RETURN;
+}
+
+void
+__bro_index_type_set_indices(BroIndexType *it, BroTypeList *indices)
+{
+  BroTypeList *tl;
+
+  D_ENTER;
+
+  if (! it || ! indices)
+    D_RETURN;
+
+  if (! (tl = __bro_type_list_new()))
+    D_RETURN;
+
+  if (! __bro_type_list_clone(tl, indices))
+    {
+      __bro_type_list_free(tl);
+      D_RETURN;
+    }
+
+  it->indices = tl;
+
+  D_RETURN;
+}
+
+void
+__bro_index_type_set_yield_type(BroIndexType *it, BroType *yield_type)
+{
+  D_ENTER;
+  
+  if (! it || ! yield_type)
+    D_RETURN;
+  
+  if (! (it->yield_type = (BroType *) __bro_sobject_copy((BroSObject *) yield_type)))
+    D_RETURN;
+  
+  D_RETURN;
+}
+
+static int
+__bro_index_type_read(BroIndexType *it, BroConn *bc)
+{
+  char opt;
+
+  D_ENTER;
+
+  if (! __bro_type_read((BroType *) it, bc))
+    D_RETURN_(FALSE);
+
+  if (! __bro_buf_read_char(bc->rx_buf, &opt))
+    D_RETURN_(FALSE);
+  if (opt)
+    {
+      if (! (it->yield_type = (BroType *) __bro_sobject_unserialize(SER_TYPE, bc)))
+	D_RETURN_(FALSE);
+    }
+  
+  if (! (it->indices = (BroTypeList *) __bro_sobject_unserialize(SER_TYPE_LIST, bc)))
+    D_RETURN_(FALSE);
+
+  D_RETURN_(TRUE);  
+}
+
+static int
+__bro_index_type_write(BroIndexType *it, BroConn *bc)
+{
+  D_ENTER;
+
+  if (! __bro_type_write((BroType *) it, bc))
+    D_RETURN_(FALSE);
+
+  if (! __bro_buf_write_char(bc->tx_buf, it->yield_type ? 1 : 0))
+    D_RETURN_(FALSE);
+
+  if (it->yield_type && ! __bro_sobject_serialize((BroSObject *) it->yield_type, bc))
+    D_RETURN_(FALSE);
+  
+  if (! __bro_sobject_serialize((BroSObject *) it->indices, bc))
+    D_RETURN_(FALSE);
+  
+  D_RETURN_(TRUE);
+}
+
+static int
+__bro_index_type_clone(BroIndexType *dst, BroIndexType *src)
+{
+  D_ENTER;
+
+  if (! __bro_type_clone((BroType *) dst, (BroType *) src))
+    D_RETURN_(FALSE);
+
+  if (src->yield_type && ! (dst->yield_type = (BroType *) __bro_sobject_copy((BroSObject *) src->yield_type)))
+    D_RETURN_(FALSE);
+
+  if (! (dst->indices = (BroTypeList *) __bro_sobject_copy((BroSObject *) src->indices)))
+    D_RETURN_(FALSE);
+
+  D_RETURN_(TRUE);
+}
+
+static uint32
+__bro_index_type_hash(BroIndexType *it)
+{
+  uint32 result;
+
+  D_ENTER;
+
+  if (! it)
+    D_RETURN_(0);
+
+  result = __bro_type_list_hash(it->indices);
+  result ^= __bro_sobject_hash((BroSObject*) it->yield_type);
+
+  D_RETURN_(result);
+}
+
+static int
+__bro_index_type_cmp(BroIndexType *it1, BroIndexType *it2)
+{
+  D_ENTER;
+
+  if (! it1 || ! it2)
+    D_RETURN_(FALSE);
+
+  if (! __bro_type_list_cmp(it1->indices, it2->indices) ||
+      ! __bro_sobject_cmp((BroSObject*) it1->yield_type,
+			  (BroSObject*) it2->yield_type))
+    D_RETURN_(FALSE);
+  
+  D_RETURN_(TRUE);
+}
+
+
+BroTableType *
+__bro_table_type_new(void)
+{
+  BroTableType *tt;
+  
+  D_ENTER;
+  
+  if (! (tt = calloc(1, sizeof(BroTableType))))
+    D_RETURN_(NULL);
+  
+  __bro_table_type_init(tt);
+
+  D_RETURN_(tt);
+}
+
+static void
+__bro_table_type_init(BroTableType *tt)
+{
+  BroSObject *sobj = (BroSObject *) tt;
+
+  D_ENTER;
+  
+  __bro_index_type_init((BroIndexType *) tt); 
+
+  sobj->read  = (BroSObjectRead) __bro_table_type_read;
+  sobj->write = (BroSObjectWrite) __bro_table_type_write;
+  sobj->free  = (BroSObjectFree) __bro_table_type_free;
+  sobj->clone = (BroSObjectClone) __bro_table_type_clone;
+  sobj->hash  = (BroSObjectHash) __bro_table_type_hash;
+  sobj->cmp   = (BroSObjectCmp) __bro_table_type_cmp;
+  
+  sobj->type_id = SER_TABLE_TYPE;
+  
+  D_RETURN;
+}
+
+static void
+__bro_table_type_free(BroTableType *tt)
+{
+  D_ENTER;
+  __bro_index_type_free((BroIndexType *) tt);  
+  D_RETURN;
+}
+
+static int
+__bro_table_type_read(BroTableType *tt, BroConn *bc)
+{
+  D_ENTER;
+  
+  if (! __bro_index_type_read((BroIndexType *) tt, bc))
+    D_RETURN_(FALSE);
+
+  D_RETURN_(TRUE);
+}
+
+static int
+__bro_table_type_write(BroTableType *tt, BroConn *bc)
+{
+  D_ENTER;
+
+  if (! __bro_index_type_write((BroIndexType *) tt, bc))
+    D_RETURN_(FALSE);
+
+  D_RETURN_(TRUE);
+}
+
+static int
+__bro_table_type_clone(BroTableType *dst, BroTableType *src)
+{
+  D_ENTER;
+  
+  if (! __bro_index_type_clone((BroIndexType *) dst, (BroIndexType *) src))
+    D_RETURN_(FALSE);
+  
+  D_RETURN_(TRUE);
+}
+
+static uint32
+__bro_table_type_hash(BroTableType *tt)
+{
+  uint32 result;
+
+  D_ENTER;
+  result = __bro_index_type_hash((BroIndexType*) tt);
+  D_RETURN_(result);
+}
+
+static int
+__bro_table_type_cmp(BroTableType *tt1, BroTableType *tt2)
+{
+  D_ENTER;
+  
+  if (! tt1 || ! tt2)
+    D_RETURN_(FALSE);
+
+  D_RETURN_(__bro_index_type_cmp((BroIndexType*) tt1,
+				 (BroIndexType*) tt2));
+}
+
+
+BroSetType *
+__bro_set_type_new(void)
+{
+  BroSetType *st;
+  
+  D_ENTER;
+  
+  if (! (st = calloc(1, sizeof(BroSetType))))
+    D_RETURN_(NULL);
+  
+  __bro_set_type_init(st);
+  
+  D_RETURN_(st);
+}
+
+static void
+__bro_set_type_init(BroSetType *st)
+{
+  BroSObject *sobj = (BroSObject *) st;
+
+  D_ENTER;
+  
+  __bro_table_type_init((BroTableType *) st); 
+  
+  sobj->read  = (BroSObjectRead) __bro_set_type_read;
+  sobj->write = (BroSObjectWrite) __bro_set_type_write;
+  sobj->free  = (BroSObjectFree) __bro_set_type_free;
+  sobj->clone = (BroSObjectClone) __bro_set_type_clone;
+  sobj->hash  = (BroSObjectHash) __bro_set_type_hash;
+  sobj->cmp   = (BroSObjectCmp) __bro_set_type_cmp;
+  
+  sobj->type_id = SER_SET_TYPE;
+  
+  D_RETURN;
+}
+
+static void
+__bro_set_type_free(BroSetType *st)
+{
+  D_ENTER;  
+  __bro_table_type_free((BroTableType *) st);  
+  D_RETURN;
+}
+
+static int
+__bro_set_type_read(BroSetType *st, BroConn *bc)
+{
+  char opt;
+
+  D_ENTER;
+  
+  if (! __bro_table_type_read((BroTableType *) st, bc))
+    D_RETURN_(FALSE);
+
+  /* To allow unambiguous differentiation between tables and sets,
+   * we set the type tag to set here, in divergence of Bro's
+   * internal procedure.
+   */
+  ((BroType*) st)->tag = BRO_TYPE_SET;
+
+  if (! __bro_buf_read_char(bc->rx_buf, &opt))
+    D_RETURN_(FALSE);
+  if (opt)
+    {
+      D(("Error: expressions are not yet supported. Sorry.\n"));
+      D_RETURN_(FALSE);
+    }
+  
+  D_RETURN_(TRUE);
+}
+
+static int
+__bro_set_type_write(BroSetType *st, BroConn *bc)
+{
+  int ret;
+
+  D_ENTER;
+
+  /* Compatibility hack for Bro: its type tags don't differentiate
+   * between sets and tables (they always indicate table types), so
+   * we must ensure here that we do appear as a table type.
+   */
+  ((BroType*) st)->tag = BRO_TYPE_TABLE;  
+  ret = __bro_table_type_write((BroTableType *) st, bc);
+  ((BroType*) st)->tag = BRO_TYPE_SET;  
+  
+  if (! ret)
+    D_RETURN_(FALSE);
+  
+  /* We never send expressions. */
+  if (! __bro_buf_write_char(bc->tx_buf, FALSE))
+    D_RETURN_(FALSE);
+  
+  D_RETURN_(TRUE);
+}
+
+static int
+__bro_set_type_clone(BroSetType *dst, BroSetType *src)
+{
+  D_ENTER;
+  
+  if (! __bro_table_type_clone((BroTableType *) dst, (BroTableType *) src))
+    D_RETURN_(FALSE);
+  
+  D_RETURN_(TRUE);
+}
+
+static uint32
+__bro_set_type_hash(BroSetType *st)
+{
+  uint32 result;
+
+  D_ENTER;
+  result = __bro_table_type_hash((BroTableType*) st);
+  D_RETURN_(result);
+}
+
+static int
+__bro_set_type_cmp(BroSetType *st1, BroSetType *st2)
+{
+  int result;
+
+  D_ENTER;
+  
+  if (! st1 || ! st2)
+    D_RETURN_(FALSE);
+  
+  result = __bro_table_type_cmp((BroTableType*) st1,
+				(BroTableType*) st2);;
+  D_RETURN_(result);
+}
diff --git a/aux/broccoli/src/bro_type.h b/aux/broccoli/src/bro_type.h
new file mode 100644
index 0000000000..c8c92c4b6f
--- /dev/null
+++ b/aux/broccoli/src/bro_type.h
@@ -0,0 +1,124 @@
+/*
+       B R O C C O L I  --  The Bro Client Communications Library
+
+Copyright (C) 2004-2008 Christian Kreibich <christian (at) icir.org>
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to
+deal in the Software without restriction, including without limitation the
+rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+sell copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies of the Software and its documentation and acknowledgment shall be
+given in the documentation and software packages that this Software was
+used.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+*/
+#ifndef broccoli_type_h
+#define broccoli_type_h
+
+#include <bro_attrs.h>
+#include <bro_object.h>
+
+/* Internal types used to represent a Bro type.
+ * Taken from Type.h.
+ */
+#define BRO_INTTYPE_INT            1
+#define BRO_INTTYPE_UNSIGNED       2
+#define BRO_INTTYPE_DOUBLE         3
+#define BRO_INTTYPE_STRING         4
+#define BRO_INTTYPE_IPADDR         5
+#define BRO_INTTYPE_SUBNET         6
+#define BRO_INTTYPE_OTHER          7
+#define BRO_INTTYPE_ERROR          8
+
+/* typedefs are in bro_types.h */
+
+struct bro_type
+{
+  BroObject        object;
+
+  char             tag;
+  char             internal_tag;
+
+  char             is_nbo;
+  char             is_base_type;
+  char             is_global_attrs_type;
+  
+  /* Whether or not this is a complete type object or
+   * just the name of type. In the latter case, type_name
+   * (below) will contain the name of the type.
+   */
+  char             is_complete;
+
+  BroString        type_name;
+
+  BroRecordType   *attrs_type;
+};
+
+struct bro_type_list
+{
+  BroType          type;
+
+  uint32           num_types;
+  BroList         *types;
+  BroType         *pure_type;
+};
+
+struct bro_record_type
+{
+  BroType          type;
+
+  BroTypeList     *base;
+  uint32           num_fields;
+
+  uint32           num_types;
+  BroList         *type_decls;
+};
+
+struct bro_index_type
+{
+  BroType          type;
+
+  BroTypeList     *indices;
+  BroType         *yield_type; /* optional */
+};
+
+struct bro_table_type
+{
+  BroIndexType     type;
+};
+
+struct bro_set_type
+{
+  BroTableType     type;
+};
+
+BroType         *__bro_type_new(void);
+BroType         *__bro_type_new_of_type(int type, const char *type_name);
+void             __bro_type_set_incomplete_impl(BroType *type, const BroString *type_name);
+
+BroTypeList     *__bro_type_list_new(void);
+
+BroRecordType   *__bro_record_type_new(void);
+void             __bro_record_type_add_type(BroRecordType *rt, const char *field, BroType *type);
+const char      *__bro_record_type_get_nth_field(BroRecordType *rt, int num);
+
+BroIndexType    *__bro_index_type_new(void);
+void             __bro_index_type_set_indices(BroIndexType *it, BroTypeList *indices);
+void             __bro_index_tye_set_yield_type(BroIndexType *it, BroType *yield_type);
+
+BroTableType    *__bro_table_type_new(void);
+
+BroSetType      *__bro_set_type_new();
+
+#endif
diff --git a/aux/broccoli/src/bro_type_decl.c b/aux/broccoli/src/bro_type_decl.c
new file mode 100644
index 0000000000..2c061ef875
--- /dev/null
+++ b/aux/broccoli/src/bro_type_decl.c
@@ -0,0 +1,196 @@
+/*
+       B R O C C O L I  --  The Bro Client Communications Library
+
+Copyright (C) 2004-2008 Christian Kreibich <christian (at) icir.org>
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to
+deal in the Software without restriction, including without limitation the
+rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+sell copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies of the Software and its documentation and acknowledgment shall be
+given in the documentation and software packages that this Software was
+used.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+*/
+#if HAVE_CONFIG_H
+# include <config.h>
+#endif
+
+#include <bro_debug.h>
+#include <bro_type_decl.h>
+
+BroTypeDecl *
+__bro_type_decl_new(void)
+{
+  BroTypeDecl *td;
+
+  D_ENTER;
+
+  if (! (td = calloc(1, sizeof(BroTypeDecl))))
+    D_RETURN_(NULL);
+
+  D_RETURN_(td);
+}
+
+
+BroTypeDecl     *
+__bro_type_decl_copy(BroTypeDecl *td)
+{
+  BroTypeDecl *copy;
+
+  D_ENTER;
+
+  if (! td)
+    D_RETURN_(NULL);
+
+  if (! (copy = __bro_type_decl_new()))
+    D_RETURN_(NULL);
+
+  if (td->attrs && ! (copy->attrs = (BroAttrs *) __bro_sobject_copy((BroSObject *) td->attrs)))
+    goto error_result;
+
+  if (td->type && ! (copy->type = (BroType *) __bro_sobject_copy((BroSObject *) td->type)))
+    goto error_result;
+  
+  if (! (bro_string_set_data(&copy->id,
+			     bro_string_get_data(&td->id),
+			     bro_string_get_length(&td->id))))
+    goto error_result;
+  
+  D_RETURN_(copy);
+  
+ error_result:
+  __bro_type_decl_free(copy);
+  D_RETURN_(NULL);
+}
+
+
+void
+__bro_type_decl_free(BroTypeDecl *td)
+{
+  D_ENTER;
+
+  if (! td)
+    D_RETURN;
+  
+  __bro_sobject_release((BroSObject *) td->type);
+  __bro_sobject_release((BroSObject *) td->attrs);
+  bro_string_cleanup(&td->id);
+  free(td);
+  
+  D_RETURN;
+}
+
+
+int
+__bro_type_decl_read(BroTypeDecl *td, BroConn *bc)
+{
+  char opt;
+
+  D_ENTER;
+
+  if (! td || !bc)
+    D_RETURN_(FALSE);
+
+  /* Read an optional BroAttrs */
+
+  if (td->attrs)
+    __bro_sobject_release((BroSObject *) td->attrs);
+  td->attrs = NULL;
+
+  if (! __bro_buf_read_char(bc->rx_buf, &opt))
+    D_RETURN_(FALSE);
+  if (opt)
+    {
+      if (! (td->attrs = (BroAttrs *) __bro_sobject_unserialize(SER_ATTRIBUTES, bc)))
+	D_RETURN_(FALSE);
+    }
+
+  /* Read a type */
+
+  if (td->type)
+    __bro_sobject_release((BroSObject *) td->type);
+  td->type = NULL;
+
+  if (! (td->type = (BroType *) __bro_sobject_unserialize(SER_IS_TYPE, bc)))
+    D_RETURN_(FALSE);
+
+  /* Read ID name string */
+  
+  bro_string_cleanup(&td->id);
+  if (! __bro_buf_read_string(bc->rx_buf, &td->id))
+    D_RETURN_(FALSE);
+
+  D_RETURN_(TRUE);
+}
+
+
+int
+__bro_type_decl_write(BroTypeDecl *td, BroConn *bc)
+{
+  D_ENTER;
+
+  if (! td || !bc)
+    D_RETURN_(FALSE);
+
+  if (! __bro_buf_write_char(bc->tx_buf, td->attrs ? 1 : 0))
+    D_RETURN_(FALSE);
+
+  if (td->attrs && ! __bro_sobject_serialize((BroSObject *) td->attrs, bc))
+    D_RETURN_(FALSE);
+  
+  if (! __bro_sobject_serialize((BroSObject *) td->type, bc))
+    D_RETURN_(FALSE);
+
+  if (! __bro_buf_write_string(bc->tx_buf, &td->id))
+    D_RETURN_(FALSE);
+  
+  D_RETURN_(TRUE);
+}
+
+
+uint32
+__bro_type_decl_hash(BroTypeDecl *td)
+{
+  uint32 result;
+
+  D_ENTER;
+
+  if (! td)
+    D_RETURN_(0);
+
+  result = __bro_ht_str_hash(td->id.str_val);
+  result ^= __bro_sobject_hash((BroSObject*) td->attrs);
+  result ^= __bro_sobject_hash((BroSObject*) td->type);
+
+  D_RETURN_(result);
+}
+
+
+int
+__bro_type_decl_cmp(BroTypeDecl *td1, BroTypeDecl *td2)
+{
+  D_ENTER;
+
+  if (! td1 || ! td2)
+    D_RETURN_(FALSE);
+
+  if (! __bro_sobject_cmp((BroSObject*) td1->attrs, (BroSObject*) td2->attrs) ||
+      ! __bro_sobject_cmp((BroSObject*) td1->type, (BroSObject*) td2->type))
+    D_RETURN_(FALSE);  
+  
+  D_RETURN_(TRUE);
+}
+
+
diff --git a/aux/broccoli/src/bro_type_decl.h b/aux/broccoli/src/bro_type_decl.h
new file mode 100644
index 0000000000..8c579e5ed4
--- /dev/null
+++ b/aux/broccoli/src/bro_type_decl.h
@@ -0,0 +1,53 @@
+/*
+       B R O C C O L I  --  The Bro Client Communications Library
+
+Copyright (C) 2004-2008 Christian Kreibich <christian (at) icir.org>
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to
+deal in the Software without restriction, including without limitation the
+rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+sell copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies of the Software and its documentation and acknowledgment shall be
+given in the documentation and software packages that this Software was
+used.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+*/
+#ifndef broccoli_type_decl_h
+#define broccoli_type_decl_h
+
+#include <bro_attrs.h>
+#include <bro_type.h>
+
+/* BroTypeDecls live outside the inheritance chain and are currently
+ * only of interest for bro_type.c. The function names only resemble
+ * the virtualized ones for easier integration with the virtualized
+ * code.
+ */
+
+typedef struct bro_type_decl
+{
+  BroAttrs        *attrs;
+  BroType         *type;
+  BroString        id;
+} BroTypeDecl;
+
+BroTypeDecl *__bro_type_decl_new(void);
+BroTypeDecl *__bro_type_decl_copy(BroTypeDecl *td);
+void         __bro_type_decl_free(BroTypeDecl *td);
+int          __bro_type_decl_read(BroTypeDecl *td, BroConn *bc);
+int          __bro_type_decl_write(BroTypeDecl *td, BroConn *bc);
+uint32       __bro_type_decl_hash(BroTypeDecl *td);
+int          __bro_type_decl_cmp(BroTypeDecl *td1, BroTypeDecl *td2);
+
+#endif
diff --git a/aux/broccoli/src/bro_types.h b/aux/broccoli/src/bro_types.h
new file mode 100644
index 0000000000..847125413b
--- /dev/null
+++ b/aux/broccoli/src/bro_types.h
@@ -0,0 +1,414 @@
+/*
+       B R O C C O L I  --  The Bro Client Communications Library
+
+Copyright (C) 2004-2008 Christian Kreibich <christian (at) icir.org>
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to
+deal in the Software without restriction, including without limitation the
+rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+sell copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies of the Software and its documentation and acknowledgment shall be
+given in the documentation and software packages that this Software was
+used.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+*/
+#ifndef broccoli_types_h
+#define broccoli_types_h
+
+#include <sys/queue.h>
+#include <openssl/bio.h>
+
+#include <broccoli.h>
+#include <bro_buf.h>
+#include <bro_hashtable.h>
+#include <bro_list.h>
+#include <bro_openssl.h>
+
+/* Protocol version */
+#define BRO_PROTOCOL_VERSION       0x06
+
+/* Data format version */
+#define BRO_DATA_FORMAT_VERSION    18
+
+/* The maximum number of messages we queue before we start
+ * dropping messages. Might be worth moving this to the
+ * config file.
+ *
+ * FIXME: this should become configurable via the config file.
+ *
+ */
+#define BRO_MSG_QUEUELEN_MAX      1000
+
+/* Message codes, taken from RemoteSerializer.cc.
+ * Don't know why the hex -- 0a-0f seem to be missing.
+ * Doesn't really matter though.
+ */
+#define BRO_MSG_NONE               0x00
+#define BRO_MSG_VERSION            0x01
+#define BRO_MSG_SERIAL             0x02
+#define BRO_MSG_CLOSE              0x03
+#define BRO_MSG_CLOSE_ALL          0x04
+#define BRO_MSG_ERROR              0x05
+#define BRO_MSG_CONNECTTO          0x06
+#define BRO_MSG_CONNECTED          0x07
+#define BRO_MSG_REQUEST            0x08
+#define BRO_MSG_LISTEN             0x09
+#define BRO_MSG_LISTEN_STOP        0x0a
+#define BRO_MSG_STATS              0x0b
+#define BRO_MSG_CAPTURE_FILTER     0x0c
+#define BRO_MSG_REQUEST_SYNC       0x0d
+#define BRO_MSG_PHASE_DONE         0x0e
+#define BRO_MSG_PING               0x0f
+#define BRO_MSG_PONG               0x10
+#define BRO_MSG_CAPS               0x11
+#define BRO_MSG_COMPRESS           0x12
+#define BRO_MSG_MAX                0x13
+
+/* State of the handshake of a connection. Both sides
+ * can be in the handshake phase or have finished it.
+ */
+#define BRO_CONNSTATE_SETUP        0 /* Version numbers, cache size...*/
+#define BRO_CONNSTATE_HANDSHAKE    1 /* Event request, capabilities... */
+#define BRO_CONNSTATE_SYNC         2 /* State synchronization */
+#define BRO_CONNSTATE_RUNNING      3 /* Up and running. */
+
+/* Capabilities we might have.
+ */
+#define BRO_CAP_COMPRESS           1
+#define BRO_CAP_DONTCACHE          2
+
+/* Message payload types -- these do not
+ * respond to anything inside Bro and are
+ * used only locally.
+ */
+#define BRO_MSG_CONT_NONE          0
+#define BRO_MSG_CONT_RAW           1 /* BroBufs, for strings, integer arrays, etc */
+#define BRO_MSG_CONT_EVENT         2 /* Events */
+#define BRO_MSG_CONT_REQUEST       3 /* Requests for events etc */
+#define BRO_MSG_CONT_PACKET        4 /* Pcap packets */
+
+/* Messages between master process and I/O handler in
+ * shared connections case.
+ */
+#define BRO_IOMSG_NONE             0
+#define BRO_IOMSG_STOP             1
+#define BRO_IOMSG_READ             2
+#define BRO_IOMSG_WRITE            3
+
+/* Event handler callback invocation styles
+ */
+#define BRO_CALLBACK_EXPANDED      0 /* Each argument passed separately */
+#define BRO_CALLBACK_COMPACT       1 /* All arguments passed as a single BroEvArg* */
+
+typedef struct bro_type BroType;
+typedef struct bro_type_list BroTypeList;
+typedef struct bro_record_type BroRecordType;
+typedef struct bro_index_type BroIndexType;
+typedef struct bro_table_type BroTableType;
+typedef struct bro_set_type BroSetType;
+
+typedef struct bro_id BroID;
+typedef struct bro_val BroVal;
+typedef struct bro_list_val BroListVal;
+typedef struct bro_mutable_val BroMutableVal;
+typedef struct bro_record_val BroRecordVal;
+typedef struct bro_table_val BroTableVal;
+
+typedef struct bro_msg_header BroMsgHeader;
+typedef struct bro_msg BroMsg;
+typedef struct bro_event_reg BroEventReg;
+typedef struct bro_event_handler BroEventHandler;
+typedef struct bro_event_cb BroEventCB;
+typedef struct bro_request BroRequest;
+
+/* General per-connection state information that we keep in a separate
+ * structure so we can put it into shared memory if required. This is
+ * a remnant from older code, but seems to make sense to preserve.
+ */
+typedef struct bro_conn_state
+{
+  /* Whether we are currently attempting a reconnect. Used to make
+   * sure we do not attempt reconnects while we are attempting a 
+   * reconnect. :)
+   */
+  int                          in_reconnect;
+  
+  /* Timestamp of the last reconnection attempt of this connection. */
+  time_t                       last_reconnect;
+  
+  
+  /* Flags declaring whether or not individual transmission
+   * directions have shut down (e.g., because of an error).
+   */
+  int                          tx_dead;
+  int                          rx_dead;
+
+  /* State of the connection, for ourselves and the peer.
+   * Connections go through a 
+   *
+   *   (1) setup
+   *   (2) handshake
+   *   (3) state synchronization
+   *   (4) normal operation
+   *
+   * lifecycle, of which phase 3 is optional.
+   */
+  int                          conn_state_self;
+  int                          conn_state_peer;
+
+  /* True if the other side has requested synchronized state. Then
+   * there is an additional phase in the communication. 
+   */
+  int                          sync_state_requested;
+
+  /* Messages for I/O handler. Only used in shared connection case. */
+  int                          io_msg;
+
+  /* If != 0, ID of writer process for messages in the tx buffer. */
+  pid_t                        io_pid;
+  
+} BroConnState;
+
+
+/* The most important structure: Bro connection handles.
+ * =====================================================
+ */
+struct bro_conn
+{
+  /* Flags set for this connection at creation time by the user.
+   */
+  int                          conn_flags;
+  
+  /* Two numerical values used for creating identifiers based on
+   * connection handles.
+   */
+  pid_t                        id_pid;
+  int                          id_num;
+
+  /* The peer we connect to, in <host>:<ip> format */
+  char                        *peer;
+
+  /* The class of this connection. It's just an (optional) string.
+   * If set, gets sent in the setup phase of the connection's
+   * configuration.
+   */
+  char                        *class;
+
+  /* A similar class identifier, if sent by the remote side. */
+  char                        *peer_class;
+
+  /* OpenSSL I/O buffer for communication regardless of whether
+   * we're using encryption or not.
+   */
+  BIO                         *bio;
+
+  /* Incoming data are buffered in the following buffer
+   * structure. Each time data arrive, Broccoli checks
+   * whether there's enough data in the buffer to do
+   * anything useful with in, in which case those data
+   * are consumed and make room for more input.
+   *
+   * The main purpose of the buffer is to disconnect
+   * the arrival of data from the time of processing
+   * because we want to avoid blocking of the instrumented
+   * application by all means.
+   *
+   * Note that the buffers are used in the code directly
+   * as rx_buf/tx_buf, but may actually live in the shared
+   * memory segments pointed to by rx_buf_shm/tx_buf_shm.
+   */
+  BroBuf                      *rx_buf;
+
+  /* Fields to mark the currently processed event in the
+   * input buffer if event is currently processed, NULLs
+   * otherwise:
+   */
+  const char                  *rx_ev_start;
+  const char                  *rx_ev_end;
+
+  /* Similar buffer for outgoing data:
+   */
+  BroBuf                      *tx_buf;
+
+  /* A message queue plus its length counter for messages
+   * that we haven't yet sent to the peer.
+   */
+  TAILQ_HEAD(mqueue, bro_msg)  msg_queue;
+  uint                         msg_queue_len;
+
+  /* A hashtable of all the names of events the peer accepts
+   * from us.
+   */
+  BroHT                       *ev_mask;
+
+  /* We maintain an event handler registry per conection:
+   * these registries define callbacks for events that we
+   * receive and at the same time can be using to request
+   * event delivery from the peering Bro agent.
+   */
+  BroEventReg                 *ev_reg;
+
+  /* Serialization data are cached when they will be
+   * repeated identically. To handle this, there's a per-
+   * connection cache implemented as a hash table:
+   */
+  BroHT                       *io_cache;
+
+  /* Size limit for io_cache. *Must* match MAX_CACHE_SIZE
+   * value defined in Bro's RemoteSerialier.cc.
+   */
+  int                          io_cache_maxsize;
+
+  /* Storage for arbitrary user data:
+   */
+  BroHT                       *data;
+
+#ifdef BRO_PCAP_SUPPORT
+  uint32                       pcap_link_type;
+#endif
+
+  /* General connection state */
+  BroConnState                *state;
+
+  /* Externally provided socket to be used for connection. */
+  int                         socket;
+};
+
+struct bro_msg_header
+{
+  char                         hdr_type;
+  uint32                       hdr_peer_id;
+};
+
+struct bro_msg
+{
+  /* Messages get queued inside BroConns.
+   * These are the list pointers for that.
+   */
+  TAILQ_ENTRY(bro_msg)         msg_queue;
+  uint32                       msg_size;
+  
+  /* Header of the message, a CMsg in Bro.
+   */
+  struct bro_msg_header        msg_header;
+
+  /* A counter for identifying this message. Not used otherwise. */
+  int                          msg_num;
+
+  /* We know the header size, but we need to store it
+   * somewhere when we send the message. We use this:
+   */
+  uint32                       msg_header_size;
+
+  /* A BRO_MSG_CONT_xxx value to identify the type of
+   * data in the union below. This is easier to use than
+   * using the type field in the message header all the time.
+   */
+  char                         msg_cont_type; 
+
+  union {
+    BroBuf                    *msg_raw;
+    BroEvent                  *msg_ev;
+    BroRequest                *msg_req;
+#ifdef BRO_PCAP_SUPPORT
+    BroPacket                 *msg_packet;
+#endif
+  } msg_cont;
+
+#define msg_cont_raw     msg_cont.msg_raw
+#define msg_cont_ev      msg_cont.msg_ev
+#define msg_cont_req     msg_cont.msg_req
+#define msg_cont_packet  msg_cont.msg_packet
+};
+
+struct bro_event
+{
+  /* Name of the event, as listed in event.bif.
+   */
+  BroString                    name;
+  
+  /* Timestamp (seconds since epoch) of creation of event.
+   */
+  double                       ts;
+
+  /* A list of values to pass to the event, plus the
+   * length of the list.
+   */
+  BroList                     *val_list;
+  int                          val_len;
+};
+
+
+struct bro_request
+{
+  int                          req_len;
+  char                        *req_dat;
+};
+
+/* The Bro event registry:
+ * =======================
+ *
+ * Each Bro connection handle contains a BroEventReg structure.
+ * In it, a list of BroEventHandlers registered. Each
+ * handler represents one particular type of event that can
+ * be received, and contains a list of BroEventCBs. Each of
+ * those represents one actual callback performed when an
+ * event for the handler is received (similarly to Bro, Broccoli
+ * can have multiple event handlers for a single event type).
+ *
+ * Since the number and type of each event will vary, the callback
+ * mechanism becomes a little tricky. When an event is received,
+ * its parameters are deserialized accordingly. The registered
+ * callbacks are then called with POINTERS to all these values --
+ * since the size of a pointer is always the same no matter what
+ * it's pointing to, we can in fact call the callbacks with
+ * pointers to all these arguments. The number of parameters is
+ * currently limited to a maximum of 15. If you need that many,
+ * chances are you'll forget one anyway ;)
+ */
+
+struct bro_event_cb
+{
+  TAILQ_ENTRY(bro_event_cb)    cb_list;
+
+  /* One of the various styles of callbacks,
+   * identified by cb_style below.
+   */
+  union {
+    BroEventFunc               cb_expd;  
+    BroCompactEventFunc        cb_comp;  
+  } cb_func;
+
+#define cb_expanded_func       cb_func.cb_expd
+#define cb_compact_func        cb_func.cb_comp
+
+  void                        *cb_user_data;
+  int                          cb_style; /* A BRO_CALLBACK_xxx value */
+};
+
+struct bro_event_handler
+{
+  char                        *ev_name;
+
+  TAILQ_ENTRY(bro_event_handler) handler_list;
+  TAILQ_HEAD(cblist, bro_event_cb) cb_list;
+};
+
+struct bro_event_reg
+{
+  TAILQ_HEAD(hlist, bro_event_handler) handler_list;
+  int                          num_handlers;
+};
+
+#endif 
diff --git a/aux/broccoli/src/bro_util.c b/aux/broccoli/src/bro_util.c
new file mode 100644
index 0000000000..1bd1240799
--- /dev/null
+++ b/aux/broccoli/src/bro_util.c
@@ -0,0 +1,131 @@
+/*
+       B R O C C O L I  --  The Bro Client Communications Library
+
+Copyright (C) 2004-2008 Christian Kreibich <christian (at) icir.org>
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to
+deal in the Software without restriction, including without limitation the
+rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+sell copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies of the Software and its documentation and acknowledgment shall be
+given in the documentation and software packages that this Software was
+used.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+*/
+#if HAVE_CONFIG_H
+# include <config.h>
+#endif
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <stdarg.h>
+#include <sys/time.h>
+
+#ifdef __EMX__
+#include <strings.h>
+#endif 
+
+#include <bro_util.h>
+
+#ifdef __MINGW32__
+
+/* MinGW does not define a gettimeofday so we need to roll our own.
+ * This one is largely following 
+ * http://lists.gnu.org/archive/html/bug-gnu-chess/2004-01/msg00020.html
+ */
+
+static int
+gettimeofday(struct timeval* p, void* tz /* IGNORED */){
+  union {
+    long long ns100; /*time since 1 Jan 1601 in 100ns units */
+    FILETIME ft;
+  } _now;
+  
+  GetSystemTimeAsFileTime( &(_now.ft) );
+  p->tv_usec=(long)((_now.ns100 / 10LL) % 1000000LL );
+  p->tv_sec= (long)((_now.ns100-(116444736000000000LL))/10000000LL);
+  return 0;
+}
+#endif
+
+
+int
+__bro_util_snprintf(char *str, size_t size, const char *format, ...)
+{
+  int result;
+  va_list al;
+  va_start(al, format);
+  result = vsnprintf(str, size, format, al);
+  va_end(al);
+  str[size-1] = '\0';
+  
+  return result;
+}
+
+void
+__bro_util_fill_subnet(BroSubnet *sn, uint32 net, uint32 width)
+{
+  if (! sn)
+    return;
+
+  sn->sn_net = net;
+  sn->sn_width = width;
+}
+
+
+double
+__bro_util_get_time(void)
+{
+  struct timeval tv;
+  
+  if (gettimeofday(&tv, 0) < 0)
+    return 0.0;
+  
+  return __bro_util_timeval_to_double(&tv);
+}
+
+
+double
+__bro_util_timeval_to_double(const struct timeval *tv)
+{
+  if (! tv)
+    return 0.0;
+
+  return ((double) tv->tv_sec) + ((double) tv->tv_usec) / 1000000;
+}
+
+#ifndef WORDS_BIGENDIAN
+double
+__bro_util_htond(double d)
+{
+  /* Should work as long as doubles have an even length */
+  int i, dsize;
+  double tmp;
+  char* src = (char*) &d;
+  char* dst = (char*) &tmp;
+  
+  dsize = sizeof(d) - 1;
+  
+  for (i = 0; i <= dsize; i++)
+    dst[i] = src[dsize - i];
+  
+  return tmp;
+}
+
+double
+__bro_util_ntohd(double d)
+{
+  return __bro_util_htond(d);
+}
+#endif
diff --git a/aux/broccoli/src/bro_util.h b/aux/broccoli/src/bro_util.h
new file mode 100644
index 0000000000..4d56454230
--- /dev/null
+++ b/aux/broccoli/src/bro_util.h
@@ -0,0 +1,58 @@
+/*
+       B R O C C O L I  --  The Bro Client Communications Library
+
+Copyright (C) 2004-2008 Christian Kreibich <christian (at) icir.org>
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to
+deal in the Software without restriction, including without limitation the
+rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+sell copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies of the Software and its documentation and acknowledgment shall be
+given in the documentation and software packages that this Software was
+used.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+*/
+#ifndef broccoli_util_h
+#define broccoli_util_h
+
+#include <broccoli.h>
+
+#if HAVE_CONFIG_H
+# include <config.h>
+#endif
+
+#ifndef MIN
+#define MIN(a,b) (((a)<(b))?(a):(b))
+#endif
+#ifndef MAX
+#define	MAX(a,b) (((a)>(b))?(a):(b))
+#endif
+
+int      __bro_util_snprintf(char *str, size_t size, const char *format, ...);
+
+void     __bro_util_fill_subnet(BroSubnet *sn, uint32 net, uint32 width);
+
+double   __bro_util_get_time(void);
+
+double   __bro_util_timeval_to_double(const struct timeval *tv);
+
+#ifdef WORDS_BIGENDIAN
+#define  __bro_util_ntohd(x) x
+#define  __bro_util_htond(x) x
+#else
+double   __bro_util_htond(double d);
+double   __bro_util_ntohd(double d);
+#endif
+
+#endif
diff --git a/aux/broccoli/src/bro_val.c b/aux/broccoli/src/bro_val.c
new file mode 100644
index 0000000000..33502a3337
--- /dev/null
+++ b/aux/broccoli/src/bro_val.c
@@ -0,0 +1,1863 @@
+/*
+       B R O C C O L I  --  The Bro Client Communications Library
+
+Copyright (C) 2004-2008 Christian Kreibich <christian (at) icir.org>
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to
+deal in the Software without restriction, including without limitation the
+rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+sell copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies of the Software and its documentation and acknowledgment shall be
+given in the documentation and software packages that this Software was
+used.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+*/
+#if HAVE_CONFIG_H
+# include <config.h>
+#endif
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <sys/types.h>
+#include <string.h>
+#include <unistd.h>
+#include <errno.h>
+#include <sys/time.h>
+
+#ifdef __EMX__
+#include <strings.h>
+#endif 
+
+#include <bro_types.h>
+#include <bro_type.h>
+#include <bro_io.h>
+#include <bro_debug.h>
+#include <bro_val.h>
+#include <bro_record.h>
+#include <bro_table.h>
+
+/* The virtual implementations of BroSObject's functions are
+ * kept static in this module, and so are the ..._init() methods
+ * not currently needed by other, derived classes.
+ */
+static void             __bro_val_init(BroVal *val);
+static void             __bro_val_free(BroVal *val);
+static int              __bro_val_read(BroVal *val, BroConn *bc);
+static int              __bro_val_write(BroVal *val, BroConn *bc);
+static int              __bro_val_clone(BroVal *dst, BroVal *src);
+static uint32           __bro_val_hash(BroVal *val);
+static int              __bro_val_cmp(BroVal *val1, BroVal *val2);
+static void            *__bro_val_get(BroVal *val);
+
+static void             __bro_list_val_init(BroListVal *lv);
+static void             __bro_list_val_free(BroListVal *lv);
+static int              __bro_list_val_read(BroListVal *lv, BroConn *bc);
+static int              __bro_list_val_write(BroListVal *lv, BroConn *bc);
+static int              __bro_list_val_clone(BroListVal *dst, BroListVal *src);
+static uint32           __bro_list_val_hash(BroListVal *lv);
+static int              __bro_list_val_cmp(BroListVal *lv1, BroListVal *lv2);
+static BroList         *__bro_list_val_get(BroListVal *lv);
+
+static void             __bro_mutable_val_init(BroMutableVal *mv);
+static void             __bro_mutable_val_free(BroMutableVal *mv);
+static int              __bro_mutable_val_read(BroMutableVal *mv, BroConn *bc);
+static int              __bro_mutable_val_write(BroMutableVal *mv, BroConn *bc);
+static int              __bro_mutable_val_clone(BroMutableVal *dst, BroMutableVal *src);
+static uint32           __bro_mutable_val_hash(BroMutableVal *mv);
+static int              __bro_mutable_val_cmp(BroMutableVal *mv1, BroMutableVal *mv2);
+
+static void             __bro_record_val_init(BroRecordVal *rv);
+static void             __bro_record_val_free(BroRecordVal *rv);
+static int              __bro_record_val_read(BroRecordVal *rv, BroConn *bc);
+static int              __bro_record_val_write(BroRecordVal *rv, BroConn *bc);
+static int              __bro_record_val_clone(BroRecordVal *dst, BroRecordVal *src);
+static uint32           __bro_record_val_hash(BroRecordVal *rv);
+static int              __bro_record_val_cmp(BroRecordVal *rv1, BroRecordVal *rv2);
+static void            *__bro_record_val_get(BroRecordVal *rv);
+
+static void             __bro_table_val_init(BroTableVal *tv);
+static void             __bro_table_val_free(BroTableVal *tv);
+static int              __bro_table_val_read(BroTableVal *tv, BroConn *bc);
+static int              __bro_table_val_write(BroTableVal *tv, BroConn *bc);
+static int              __bro_table_val_clone(BroTableVal *dst, BroTableVal *src);
+static uint32           __bro_table_val_hash(BroTableVal *tv);
+static int              __bro_table_val_cmp(BroTableVal *tv1, BroTableVal *tv2);
+static void            *__bro_table_val_get(BroTableVal *tv);
+
+BroVal *
+__bro_val_new(void)
+{
+  BroVal *val;
+
+  D_ENTER;
+
+  if (! (val = calloc(1, sizeof(BroVal))))
+    D_RETURN_(NULL);
+
+  __bro_val_init(val);
+
+  D_RETURN_(val);
+}
+
+
+BroVal *
+__bro_val_new_of_type(int type, const char *type_name)
+{
+  BroVal *val;
+
+  D_ENTER;
+
+  switch (type)
+    {
+    case BRO_TYPE_BOOL:
+    case BRO_TYPE_INT:
+    case BRO_TYPE_COUNT:
+    case BRO_TYPE_COUNTER:
+    case BRO_TYPE_DOUBLE:
+    case BRO_TYPE_TIME:
+    case BRO_TYPE_INTERVAL:
+    case BRO_TYPE_STRING:
+    case BRO_TYPE_TIMER:
+    case BRO_TYPE_PORT:
+    case BRO_TYPE_IPADDR:
+    case BRO_TYPE_NET:
+    case BRO_TYPE_SUBNET:
+    case BRO_TYPE_ENUM:
+      if (! (val = __bro_val_new()))
+	D_RETURN_(NULL);
+      break;
+      
+    case BRO_TYPE_SET:
+      /* A hack -- sets are table vals, but have set type,
+       * at least while Bro still has SetType.
+       */
+    case BRO_TYPE_TABLE:
+      if (! (val = (BroVal *) __bro_table_val_new()))
+	D_RETURN_(NULL);
+      break;
+
+    case BRO_TYPE_RECORD:
+      if (! (val = (BroVal *) __bro_record_val_new()))
+	D_RETURN_(NULL);
+      break;
+      
+    case BRO_TYPE_PATTERN:
+    case BRO_TYPE_ANY:
+    case BRO_TYPE_UNION:
+    case BRO_TYPE_LIST:
+    case BRO_TYPE_FUNC:
+    case BRO_TYPE_FILE:
+    case BRO_TYPE_VECTOR:
+    case BRO_TYPE_ERROR:
+    default:
+      D(("Unsupported value type %i\n", type));
+      D_RETURN_(NULL);
+    }
+  
+  if (! (val->val_type = __bro_type_new_of_type(type, type_name)))
+    {
+      __bro_val_free(val);
+      D_RETURN_(NULL);
+    }
+  
+  D_RETURN_(val);
+}
+
+
+int
+__bro_val_assign(BroVal *val, const void *data)
+{
+  D_ENTER;
+
+  if (! val)
+    {
+      D(("Input error: (%p, %p)\n", val, data));
+      D_RETURN_(FALSE);
+    }
+  
+  if (! data)
+    {
+      if (val->val_type)
+	{
+	  __bro_sobject_release((BroSObject *) val->val_type);
+	  val->val_type = NULL;
+	}
+
+      D(("Marked val %p as unassigned.\n", val));
+      D_RETURN_(TRUE);
+    }
+
+
+  /* If we intend to assign data to the val, it must have a type. */
+  if (! val->val_type)
+    {
+      D(("Cannot assign to val without a type.\n"));
+      D_RETURN_(FALSE);
+    }
+
+  switch (val->val_type->tag)
+    {
+    case BRO_TYPE_BOOL:
+      {
+	int tmp = *((int *) data);
+	val->val.char_val = (tmp != 0 ? 1 : 0);
+      }
+      break;
+
+    case BRO_TYPE_INT:
+    case BRO_TYPE_COUNT:
+    case BRO_TYPE_COUNTER:
+    case BRO_TYPE_ENUM:
+      val->val_int = *((int *) data);
+      break;
+
+    case BRO_TYPE_DOUBLE:
+    case BRO_TYPE_TIME:
+    case BRO_TYPE_INTERVAL:
+      val->val_double = *((double *) data);
+      break;
+
+    case BRO_TYPE_STRING:
+      {
+	BroString *str = (BroString *) data;
+	bro_string_set_data(&val->val_str, str->str_val, str->str_len);
+      }
+      break;
+      
+    case BRO_TYPE_PORT:
+      {
+	BroPort *tmp = (BroPort *) data;
+	
+	if (tmp->port_proto != IPPROTO_TCP &&
+	    tmp->port_proto != IPPROTO_UDP &&
+	    tmp->port_proto != IPPROTO_ICMP)
+	  {
+	    __bro_sobject_release((BroSObject *) data);
+	    D_RETURN_(FALSE);
+	  }
+	
+	val->val_port = *tmp;
+      }
+      break;
+      
+    case BRO_TYPE_IPADDR:
+    case BRO_TYPE_NET:
+      val->val_int = *((uint32 *) data);
+      break;
+      
+    case BRO_TYPE_SUBNET:
+      val->val_subnet = *((BroSubnet *) data);
+      break;
+      
+    case BRO_TYPE_RECORD:
+      {
+	BroList *l;
+	BroVal *tmp_val;
+	BroRecordVal *rv = (BroRecordVal *) val;
+	BroRecord *rec = (BroRecord *) data;
+	
+	if (rv->rec)
+	  __bro_record_free(rv->rec);
+	
+	rv->rec = __bro_record_copy(rec);
+
+	/* Record vals also have a record type, copy that: */
+	for (l = rec->val_list; l; l = __bro_list_next(l))
+	  {
+	    char *field;
+	    
+	    tmp_val = __bro_list_data(l);
+	    
+	    if (! tmp_val->val_type)
+	      {
+		D(("Cannot create record type component from val without type.\n"));
+		D_RETURN_(FALSE);
+	      }
+	    
+	    if (! (field = __bro_sobject_data_get((BroSObject *) tmp_val, "field")))
+	      {
+		D(("Val in record doesn't have field name associated with it.\n"));
+		D_RETURN_(FALSE);
+	      }
+	    
+	    __bro_record_type_add_type((BroRecordType *) val->val_type, field, tmp_val->val_type);;
+	  }
+      }
+      break;
+      
+    case BRO_TYPE_TABLE:
+      {
+	BroTableVal *tv = (BroTableVal *) val;
+	BroTable *table = (BroTable *) data;
+	
+	if (tv->table)
+	  __bro_table_free(tv->table);
+	
+	tv->table = __bro_table_copy(table);
+
+	/* XXX need to create the appropriate content in (BroTableType*) val->val_type! */
+      }
+      break;
+
+    case BRO_TYPE_PATTERN:
+    case BRO_TYPE_TIMER:
+    case BRO_TYPE_ANY:
+    case BRO_TYPE_UNION:
+    case BRO_TYPE_LIST:
+    case BRO_TYPE_FUNC:
+    case BRO_TYPE_FILE:
+    case BRO_TYPE_VECTOR:
+    case BRO_TYPE_ERROR:
+      D(("Type %i currently unsupported.\n", val->val_type->tag));
+      D_RETURN_(FALSE);
+      
+    default:
+      D(("Unknown type identifier %i\n", val->val_type->tag));
+      D_RETURN_(FALSE);
+    }
+
+  D_RETURN_(TRUE);
+}
+
+
+static void
+__bro_val_init(BroVal *val)
+{
+  BroSObject *sobj = (BroSObject *) val;
+
+  D_ENTER;
+  
+  __bro_object_init((BroObject *) val);
+  
+  sobj->read  = (BroSObjectRead) __bro_val_read;
+  sobj->write = (BroSObjectWrite) __bro_val_write;
+  sobj->free  = (BroSObjectFree) __bro_val_free;
+  sobj->clone = (BroSObjectClone) __bro_val_clone;
+  sobj->hash  = (BroSObjectHash) __bro_val_hash;
+  sobj->cmp   = (BroSObjectCmp) __bro_val_cmp;
+
+  /* Note: we don't know yet what type_id we'll be using since
+   * that will depend on the type object hooked into this val.
+   * We take care of that when we're serializing this val out
+   * in that case.
+   */
+  sobj->type_id = SER_VAL;
+
+  val->get_data = __bro_val_get;
+
+  D_RETURN;
+}
+
+
+static void
+__bro_val_free(BroVal *val)
+{
+  D_ENTER;
+
+  /* If there is no type in the val, then it's unassigned and
+   * hence there won't be anything to clean up anyway.
+   */
+  if (val->val_type)
+    {
+      switch (val->val_type->tag)
+	{
+	case BRO_TYPE_STRING:
+	  bro_string_cleanup(&val->val_str);
+	  break;
+	  
+	default:
+	  /* Nothing to do */
+	  break;
+	}
+    }
+  
+  __bro_sobject_release((BroSObject *) val->val_type);
+  __bro_object_free((BroObject *) val);
+
+  D_RETURN;
+}
+
+
+int
+__bro_val_get_type_num(const BroVal *val)
+{
+  if (! val)
+    return 0;
+
+  return val->val_type->tag;
+}
+
+
+int
+__bro_val_get_data(BroVal *val, int *type, void **data)
+{
+  if (! val || ! data)
+    return FALSE;
+
+  if (! val->get_data)
+    return FALSE;
+
+  if (type && val->val_type)
+    *type = val->val_type->tag;
+  
+  *data = val->get_data(val);
+  return TRUE;
+}
+
+
+static int
+__bro_val_read(BroVal *val, BroConn *bc)
+{
+  char opt;
+  uint32 tmp;
+
+  D_ENTER;
+
+  if (! val || !bc)
+    D_RETURN_(FALSE);
+
+  if (! __bro_object_read((BroObject *) val, bc))
+    D_RETURN_(FALSE);
+
+  /* Read type */
+
+  if (val->val_type)
+    {
+      __bro_sobject_release((BroSObject *) val->val_type);
+      val->val_type = NULL;
+    }
+
+  if (! (val->val_type = (BroType *) __bro_sobject_unserialize(SER_IS_TYPE, bc)))
+    D_RETURN_(FALSE);
+
+  D(("Type in val has type tags %i/%i\n",
+     val->val_type->tag, val->val_type->internal_tag));
+     
+  /* Read optional Attributes */
+  
+  if (val->val_attrs)
+    {
+      __bro_sobject_release((BroSObject *) val->val_attrs);
+      val->val_attrs = NULL;
+    }
+
+  if (! __bro_buf_read_char(bc->rx_buf, &opt))
+    D_RETURN_(FALSE);
+  if (opt)
+    {
+      if (! (val->val_attrs = (BroRecordVal *) __bro_sobject_unserialize(SER_RECORD_VAL, bc)))
+	D_RETURN_(FALSE);
+    }
+  
+  switch (val->val_type->internal_tag)
+    {
+    case BRO_INTTYPE_INT:
+    case BRO_INTTYPE_UNSIGNED:
+      /* Hack for ports */
+      if (val->val_type->tag == BRO_TYPE_PORT)
+	{
+	  if (! __bro_buf_read_int(bc->rx_buf, &tmp))
+	    D_RETURN_(FALSE);
+	  
+	  if ( (tmp & 0xf0000) == 0x10000 )
+	    val->val_port.port_proto = IPPROTO_TCP;
+	  else if ( (tmp & 0xf0000) == 0x20000 )
+	    val->val_port.port_proto = IPPROTO_UDP;
+	  else if ( (tmp & 0xf0000) == 0x30000 )
+	    val->val_port.port_proto = IPPROTO_ICMP;
+	    
+	  val->val_port.port_num = (tmp & 0xFFFF);
+	}
+      else
+	{
+	  if (! __bro_buf_read_int(bc->rx_buf, &val->val_int))
+	    D_RETURN_(FALSE);
+	}
+      break;
+      
+    case BRO_INTTYPE_DOUBLE:
+      if (! __bro_buf_read_double(bc->rx_buf, &val->val_double))
+	D_RETURN_(FALSE);
+      break;
+      
+    case BRO_INTTYPE_STRING:
+      if (! __bro_buf_read_string(bc->rx_buf, &val->val_str))
+	D_RETURN_(FALSE);
+      break;
+
+    case BRO_INTTYPE_IPADDR:
+      if (! __bro_buf_read_int(bc->rx_buf, &tmp))
+	D_RETURN_(FALSE);
+      
+      if (tmp != 1)
+	{
+	  D(("We don't handle IPv6 addresses yet.\n"));
+	  D_RETURN_(FALSE);
+	}
+      
+      if (! __bro_buf_read_int(bc->rx_buf, &val->val_int))
+	D_RETURN_(FALSE);
+
+      val->val_int = ntohl(val->val_int);
+      break;
+
+    case BRO_INTTYPE_SUBNET:
+      if (! __bro_buf_read_int(bc->rx_buf, &tmp))
+	D_RETURN_(FALSE);
+      
+      if (tmp != 1)
+	{
+	  D(("We don't handle IPv6 addresses yet.\n"));
+	  D_RETURN_(FALSE);
+	}
+
+      if (! __bro_buf_read_int(bc->rx_buf, &val->val_subnet.sn_net))
+	D_RETURN_(FALSE);
+      val->val_subnet.sn_net = ntohl(val->val_subnet.sn_net);
+
+      if (! __bro_buf_read_int(bc->rx_buf, &val->val_subnet.sn_width))
+	D_RETURN_(FALSE);
+      break;
+
+    case BRO_INTTYPE_OTHER:
+      /* See Val.cc around 165 -- these are handled by derived classes.
+       * We only make sure here it's not functions and not files.
+       */
+      if (val->val_type->tag != BRO_TYPE_FUNC &&
+	  val->val_type->tag != BRO_TYPE_FILE)
+	break;
+      
+      /* Otherwise fall through to warning. */
+
+    default:
+      D(("Unsupported internal type tag: %i\n", val->val_type->internal_tag));
+      D_RETURN_(FALSE);
+    }
+  
+  D_RETURN_(TRUE);
+}
+
+
+static int
+__bro_val_write(BroVal *val, BroConn *bc)
+{
+  BroType *type;
+  BroSObject *obj;
+
+  D_ENTER;
+  
+  if (! val || !bc)
+    D_RETURN_(FALSE);
+
+  /* We need to make sure that the BroSObject at the root has the
+   * correct type_id (a SER_xxx value). This depends on the type object
+   * so map the type tag of that object to a SER_xxx value:
+   */
+  if (! val->val_type)
+    {
+      D(("Val %p doesn't have a type.\n", val));
+      D_RETURN_(FALSE);
+    }
+
+  type = (BroType *) val->val_type;
+  obj  = (BroSObject *) val;
+  
+  switch (type->tag)
+    {
+    case BRO_TYPE_BOOL:
+    case BRO_TYPE_INT:
+    case BRO_TYPE_COUNT:
+    case BRO_TYPE_COUNTER:
+    case BRO_TYPE_STRING:
+    case BRO_TYPE_DOUBLE:
+    case BRO_TYPE_TIME:
+      obj->type_id = SER_VAL;
+      break;
+
+    case BRO_TYPE_ENUM:
+      obj->type_id = SER_ENUM_VAL;
+      break;
+
+    case BRO_TYPE_PORT:
+      obj->type_id = SER_PORT_VAL;
+      break;
+      
+    case BRO_TYPE_INTERVAL:
+      obj->type_id = SER_INTERVAL_VAL;
+      break;
+      
+    case BRO_TYPE_IPADDR:
+      obj->type_id = SER_ADDR_VAL;
+      break;
+      
+    case BRO_TYPE_NET:
+      obj->type_id = SER_NET_VAL;
+      break;
+      
+    case BRO_TYPE_SUBNET:
+      obj->type_id = SER_SUBNET_VAL;
+      break;
+
+    case BRO_TYPE_RECORD:
+      obj->type_id = SER_RECORD_VAL;
+      break;
+      
+    default:
+      D(("Val %p's type unhandled: type tag is %i.\n", val, type->tag));
+      D_RETURN_(FALSE);
+    }
+
+  if (! __bro_object_write((BroObject *) val, bc))
+    D_RETURN_(FALSE);
+
+  if (! __bro_sobject_serialize((BroSObject *) val->val_type, bc))
+    D_RETURN_(FALSE);
+
+  if (! __bro_buf_write_char(bc->tx_buf, val->val_attrs ? 1 : 0))
+    D_RETURN_(FALSE);
+  
+  if (val->val_attrs && ! __bro_sobject_serialize((BroSObject *) val->val_attrs, bc))
+    D_RETURN_(FALSE);
+  
+  switch (val->val_type->internal_tag)
+    {
+    case BRO_INTTYPE_INT:
+    case BRO_INTTYPE_UNSIGNED:
+      /* Hack for ports */
+      if (val->val_type->tag == BRO_TYPE_PORT)
+	{
+	  int tmp = val->val_port.port_num;
+	  
+	  if (val->val_port.port_proto == IPPROTO_TCP)
+	    tmp |= 0x10000;
+	  else if (val->val_port.port_proto == IPPROTO_UDP)
+	    tmp |= 0x20000;
+      else if (val->val_port.port_proto == IPPROTO_ICMP)
+	    tmp |= 0x30000;
+
+	  if (! __bro_buf_write_int(bc->tx_buf, tmp))
+	    D_RETURN_(FALSE);
+	}
+      else
+	{
+	  if (! __bro_buf_write_int(bc->tx_buf, val->val_int))
+	    D_RETURN_(FALSE);
+	}
+      break;
+      
+    case BRO_INTTYPE_DOUBLE:
+      if (! __bro_buf_write_double(bc->tx_buf, val->val_double))
+	D_RETURN_(FALSE);
+      break;
+      
+    case BRO_INTTYPE_STRING:
+      if (! __bro_buf_write_string(bc->tx_buf, &val->val_str))
+	D_RETURN_(FALSE);
+      break;
+
+    case BRO_INTTYPE_IPADDR:
+      if (! __bro_buf_write_int(bc->tx_buf, 1))
+	D_RETURN_(FALSE);
+      if (! __bro_buf_write_int(bc->tx_buf, htonl(val->val_int)))
+	D_RETURN_(FALSE);
+      break;
+
+    case BRO_INTTYPE_SUBNET:
+      if (! __bro_buf_write_int(bc->tx_buf, 1))
+	D_RETURN_(FALSE);
+      if (! __bro_buf_write_int(bc->tx_buf, htonl(val->val_subnet.sn_net)))
+	D_RETURN_(FALSE);
+      if (! __bro_buf_write_int(bc->tx_buf, val->val_subnet.sn_width))
+	D_RETURN_(FALSE);
+      break;
+
+    case BRO_INTTYPE_OTHER:
+      /* That's fine, will be handled in derived classes
+       * like __bro_record_val_write().
+       */
+      break;
+      
+    default:
+      D(("Unknown internal type tag: %i\n", val->val_type->internal_tag));
+      D_RETURN_(FALSE);
+    }  
+  
+  D_RETURN_(TRUE);
+}
+
+static int
+__bro_val_clone(BroVal *dst, BroVal *src)
+{
+  D_ENTER;
+  
+  if (! __bro_object_clone((BroObject *) dst, (BroObject *) src))
+    {
+      D(("Cloning parent failed.\n"));
+      D_RETURN_(FALSE);
+    }
+
+  if (src->val_type &&
+      ! (dst->val_type = (BroType *) __bro_sobject_copy((BroSObject *) src->val_type)))
+    {
+      D(("Cloning type failed.\n"));
+      D_RETURN_(FALSE);      
+    }
+  
+  if (src->val_attrs &&
+      ! (dst->val_attrs = (BroRecordVal *) __bro_sobject_copy((BroSObject *) src->val_attrs)))
+    {
+      D(("Cloning attributes failed.\n"));
+      D_RETURN_(FALSE);
+    }
+
+  switch (dst->val_type->internal_tag)
+    {
+    case BRO_INTTYPE_INT:
+    case BRO_INTTYPE_UNSIGNED:
+    case BRO_INTTYPE_IPADDR:
+      /* Hack for ports */
+      if (src->val_type->tag == BRO_TYPE_PORT)
+	dst->val_port = src->val_port;
+      else
+	dst->val_int = src->val_int;
+      break;
+      
+    case BRO_INTTYPE_DOUBLE:
+      dst->val_double = src->val_double;
+      break;
+      
+    case BRO_INTTYPE_STRING:
+      bro_string_assign(&src->val_str, &dst->val_str);
+      break;
+
+    case BRO_INTTYPE_SUBNET:
+      dst->val_subnet = src->val_subnet;
+      break;
+
+    case BRO_INTTYPE_OTHER:
+      /* That's okay, handled in subtype */
+      break;
+      
+    default:
+      D(("Unknown internal type tag: %i\n", dst->val_type->internal_tag));
+      D_RETURN_(FALSE);
+    }  
+  
+  D_RETURN_(TRUE);
+}
+
+static uint32
+__bro_val_hash(BroVal *val)
+{
+  uint32 result;
+
+  D_ENTER;
+
+  if (! val)
+    D_RETURN_(0);
+
+  result = __bro_sobject_hash((BroSObject*) val->val_type);
+  
+  switch (val->val_type->internal_tag)
+    {
+    case BRO_INTTYPE_INT:
+    case BRO_INTTYPE_UNSIGNED:
+    case BRO_INTTYPE_IPADDR:
+      result ^= val->val_int;
+      break;
+      
+    case BRO_INTTYPE_DOUBLE:
+      result ^= (uint32) val->val_double;
+      break;
+      
+    case BRO_INTTYPE_STRING:
+      result ^= __bro_ht_str_hash(val->val_str.str_val);
+      break;
+      
+    case BRO_INTTYPE_SUBNET:
+      result ^= val->val_subnet.sn_net;
+      result ^= val->val_subnet.sn_width;
+      break;
+
+    case BRO_INTTYPE_OTHER:
+      D(("WARNING -- __bro_val_hash() invoked on derived type.\n"));
+      break;
+      
+    default:
+      D(("Unknown internal type tag: %i\n", val->val_type->internal_tag));
+      break;
+    }  
+
+  D_RETURN_(result);
+}
+
+static int
+__bro_val_cmp(BroVal *val1, BroVal *val2)
+{
+  D_ENTER;
+  
+  if (! val1 || ! val2)
+    D_RETURN_(FALSE);
+
+  if (! __bro_sobject_cmp((BroSObject*) val1->val_type,
+			  (BroSObject*) val2->val_type))
+    D_RETURN_(FALSE);
+  
+  switch (val1->val_type->internal_tag)
+    {
+    case BRO_INTTYPE_INT:
+    case BRO_INTTYPE_UNSIGNED:
+    case BRO_INTTYPE_IPADDR:
+      if (val1->val_int != val2->val_int)
+	D_RETURN_(FALSE);
+      break;
+      
+    case BRO_INTTYPE_DOUBLE:
+      if (val1->val_double != val2->val_double)
+	D_RETURN_(FALSE);
+      break;
+      
+    case BRO_INTTYPE_STRING:
+      if (! __bro_ht_str_cmp(val1->val_str.str_val, val2->val_str.str_val))
+	D_RETURN_(FALSE);
+      break;
+      
+    case BRO_INTTYPE_SUBNET:
+      if (val1->val_subnet.sn_net != val2->val_subnet.sn_net ||
+	  val1->val_subnet.sn_width != val2->val_subnet.sn_width)
+	D_RETURN_(FALSE);
+      break;
+
+    case BRO_INTTYPE_OTHER:
+      D(("WARNING -- __bro_val_cmp() invoked on derived type.\n"));
+      break;
+      
+    default:
+      D(("Unknown internal type tag: %i\n", val1->val_type->internal_tag));
+      break;
+    }  
+  
+  D_RETURN_(TRUE);
+}
+
+static void *
+__bro_val_get(BroVal *val)
+{
+  /* Following the comments in broccoli.h, we return atomic values
+   * as copies into *result, and complex types (i.e., structs) have
+   * all members assigned to point to internal values so the user
+   * does not have to clean up the returned value. The user can 
+   * still keep those values around if necessary by copying them.
+   */
+  if (! val->val_type)
+    {
+      D(("No type in val %p\n", val));
+      return NULL;
+    }
+  
+   switch (val->val_type->tag)    
+    {
+    case BRO_TYPE_BOOL:
+    case BRO_TYPE_INT:
+    case BRO_TYPE_ENUM:
+    case BRO_TYPE_COUNT:
+    case BRO_TYPE_COUNTER:
+    case BRO_TYPE_IPADDR:
+    case BRO_TYPE_NET:
+      return &val->val_int;
+      
+    case BRO_TYPE_PORT:
+      return &val->val_port;
+      
+    case BRO_TYPE_DOUBLE:
+    case BRO_TYPE_TIME:
+    case BRO_TYPE_INTERVAL:
+      return &val->val_double;
+      
+    case BRO_TYPE_STRING:
+      return &val->val_str;
+      
+    case BRO_TYPE_SUBNET:
+      return &val->val_subnet;
+      
+    case BRO_TYPE_RECORD:
+      D(("WARNING: Inheritance broken -- record types should not be handled here.\n"));
+      return NULL;
+
+    case BRO_TYPE_TABLE:
+      D(("WARNING: Inheritance broken -- table types should not be handled here.\n"));
+      return NULL;
+      
+    default:
+      D(("Type %i currently not extractable.\n", val->val_type->tag));
+    }
+   
+   return NULL;
+}
+
+
+BroListVal *
+__bro_list_val_new(void)
+{
+  BroListVal *val;
+
+  D_ENTER;
+
+  if (! (val = calloc(1, sizeof(BroListVal))))
+    D_RETURN_(NULL);
+
+  __bro_list_val_init(val);
+  
+  D_RETURN_(val);
+}
+
+static void
+__bro_list_val_init(BroListVal *lv)
+{
+  BroSObject *sobj = (BroSObject *) lv;
+  BroVal *val = (BroVal *) lv;
+  
+  D_ENTER;
+  
+  __bro_val_init((BroVal *) lv);
+  
+  sobj->read  = (BroSObjectRead) __bro_list_val_read;
+  sobj->write = (BroSObjectWrite) __bro_list_val_write;
+  sobj->free  = (BroSObjectFree) __bro_list_val_free;
+  sobj->clone = (BroSObjectClone) __bro_list_val_clone;
+  sobj->hash  = (BroSObjectHash) __bro_list_val_hash;
+  sobj->cmp   = (BroSObjectCmp) __bro_list_val_cmp;
+  
+  sobj->type_id = SER_LIST_VAL;
+
+  val->get_data = (BroValAccessor) __bro_list_val_get;
+
+  D_RETURN;
+}
+
+static void
+__bro_list_val_free(BroListVal *lv)
+{
+  D_ENTER;
+  
+  if (! lv)
+    D_RETURN;
+  
+  __bro_list_free(lv->list, (BroFunc) __bro_sobject_release);
+  __bro_val_free((BroVal *) lv);
+  
+  D_RETURN;
+}
+
+static int
+__bro_list_val_read(BroListVal *lv, BroConn *bc)
+{
+  int i;
+  uint32 ui;
+
+  D_ENTER;
+  
+  if (! __bro_val_read((BroVal *) lv, bc))
+    D_RETURN_(FALSE);
+  
+  __bro_list_free(lv->list, (BroFunc) __bro_sobject_release);
+  lv->list = NULL;
+  
+  if (! __bro_buf_read_char(bc->rx_buf, &lv->type_tag))
+    goto error_return;
+  if (! __bro_buf_read_int(bc->rx_buf, &ui))
+    goto error_return;
+  
+  lv->len = (int) ui;
+
+  for (i = 0; i < lv->len; i++)
+    {
+      BroVal *val;
+      
+      if (! (val = (BroVal *) __bro_sobject_unserialize(SER_IS_VAL, bc)))
+	goto error_return;
+      
+      lv->list = __bro_list_append(lv->list, val);
+    }
+  
+  D_RETURN_(TRUE);
+  
+ error_return:
+  __bro_list_free(lv->list, (BroFunc) __bro_sobject_release);
+  lv->list = NULL;
+  D_RETURN_(FALSE);
+}
+
+static int
+__bro_list_val_write(BroListVal *lv, BroConn *bc)
+{
+  BroList *l;
+  
+  D_ENTER;
+  
+  if (! __bro_val_write((BroVal *) lv, bc))
+    D_RETURN_(FALSE);
+  
+  if (! __bro_buf_write_char(bc->tx_buf, lv->type_tag))
+    D_RETURN_(FALSE);
+  
+  if (! __bro_buf_write_int(bc->tx_buf, lv->len))
+    D_RETURN_(FALSE);
+  
+  for (l = lv->list; l; l = __bro_list_next(l))
+    {
+      BroVal *val = __bro_list_data(l);
+      
+      if (! __bro_sobject_serialize((BroSObject *) val, bc))
+	D_RETURN_(FALSE);
+    }
+  
+  D_RETURN_(TRUE);
+}
+
+static int
+__bro_list_val_clone(BroListVal *dst, BroListVal *src)
+{
+  BroList *l;
+
+  D_ENTER;
+
+  if (! __bro_val_clone((BroVal *) dst, (BroVal *) src))
+    D_RETURN_(FALSE);
+
+  dst->type_tag = src->type_tag;
+  dst->len = src->len;
+  
+  if (dst->list)
+    {
+      __bro_list_free(dst->list, (BroFunc) __bro_sobject_release);
+      dst->list = NULL;
+    }
+
+  for (l = src->list; l; l = __bro_list_next(l))
+    dst->list = __bro_list_append(dst->list, __bro_sobject_copy(__bro_list_data(l)));
+  
+  D_RETURN_(TRUE);
+}
+
+static uint32
+__bro_list_val_hash(BroListVal *lv)
+{
+  uint32 result;
+  BroList *l;
+
+  D_ENTER;
+  
+  if (! lv)
+    D_RETURN_(0);
+  
+  result = lv->len ^ lv->type_tag;
+  
+  for (l = lv->list; l; l = __bro_list_next(l))
+    result ^= __bro_sobject_hash((BroSObject *) __bro_list_data(l));
+  
+  D_RETURN_(result);
+}
+
+static int
+__bro_list_val_cmp(BroListVal *lv1, BroListVal *lv2)
+{
+  BroList *l1, *l2;
+
+  D_ENTER;
+  
+  if (! lv1 || ! lv2)
+    D_RETURN_(FALSE);
+
+  if (lv1->len != lv2->len ||
+      lv1->type_tag != lv2->type_tag)    
+    D_RETURN_(FALSE);
+      
+  for (l1 = lv1->list, l2 = lv2->list; l1 && l2;
+       l1 = __bro_list_next(l1), l2 = __bro_list_next(l2))
+    {
+      if (! __bro_sobject_cmp((BroSObject*) __bro_list_data(l1),
+			      (BroSObject*) __bro_list_data(l2)))
+	D_RETURN_(FALSE);
+    }
+
+  if (l1 || l2)
+    {
+      D(("WARNING -- list length inconsistency.\n"));
+      D_RETURN_(FALSE);
+    }
+  
+  D_RETURN_(TRUE);
+}
+
+static BroList *
+__bro_list_val_get(BroListVal *lv)
+{
+  D_ENTER;
+  D_RETURN_(lv->list);
+}
+
+void
+__bro_list_val_append(BroListVal *lv, BroVal *val)
+{
+  D_ENTER;
+
+  if (! lv || ! val)
+    D_RETURN;
+
+  lv->list = __bro_list_append(lv->list, val);
+  lv->len++;
+
+  D_RETURN;
+}
+
+BroVal *
+__bro_list_val_pop_front(BroListVal *lv)
+{
+  BroVal *result;
+  BroList *l;
+
+  D_ENTER;
+
+  if (! lv)
+    D_RETURN_(NULL);
+  
+  l = lv->list;
+  lv->list = __bro_list_remove(lv->list, lv->list);
+  
+  result = (BroVal*) __bro_list_data(l);
+  __bro_list_free(l, NULL);
+  
+  D_RETURN_(result);
+}
+
+BroVal *
+__bro_list_val_get_front(BroListVal *lv)
+{
+  BroVal *result;
+  BroList *l;
+
+  D_ENTER;
+
+  if (! lv)
+    D_RETURN_(NULL);
+  
+  D_RETURN_((BroVal*) __bro_list_data(lv->list));
+}
+
+int
+__bro_list_val_get_length(BroListVal *lv)
+{
+  D_ENTER;
+  
+  if (! lv)
+    D_RETURN_(0);
+  
+  D_RETURN_(lv->len);
+}
+
+
+
+BroMutableVal *
+__bro_mutable_val_new(void)
+{
+  BroMutableVal *val;
+
+  D_ENTER;
+
+  if (! (val = calloc(1, sizeof(BroMutableVal))))
+    D_RETURN_(NULL);
+
+  __bro_mutable_val_init(val);
+
+  D_RETURN_(val);
+}
+
+
+static void
+__bro_mutable_val_init(BroMutableVal *mv)
+{
+  BroSObject *sobj = (BroSObject *) mv;
+  
+  D_ENTER;
+  
+  __bro_val_init((BroVal *) mv);
+  
+  sobj->read  = (BroSObjectRead) __bro_mutable_val_read;
+  sobj->write = (BroSObjectWrite) __bro_mutable_val_write;
+  sobj->free  = (BroSObjectFree) __bro_mutable_val_free;
+  sobj->clone = (BroSObjectClone) __bro_mutable_val_clone;
+  sobj->hash  = (BroSObjectHash) __bro_mutable_val_hash;
+  sobj->cmp   = (BroSObjectCmp) __bro_mutable_val_cmp;
+  
+  sobj->type_id = SER_MUTABLE_VAL;
+
+  /* BroMutableVal inherits __bro_val_get and doesn't override it. */
+
+  D_RETURN;
+}
+
+
+static void
+__bro_mutable_val_free(BroMutableVal *mv)
+{
+  D_ENTER;
+  
+  __bro_sobject_release((BroSObject *) mv->id);
+  __bro_val_free((BroVal *) mv);
+  
+  D_RETURN;
+}
+
+
+static int
+__bro_mutable_val_read(BroMutableVal *mv, BroConn *bc)
+{
+  BroString tmp;
+
+  D_ENTER;
+
+  bro_string_init(&tmp);
+
+  if (! __bro_val_read((BroVal *) mv, bc))
+    D_RETURN_(FALSE);
+
+  if (! __bro_buf_read_char(bc->rx_buf, &mv->props))
+    D_RETURN_(FALSE);
+
+  if (! __bro_buf_read_string(bc->rx_buf, &tmp))
+    D_RETURN_(FALSE);
+
+  /* FIXME: now need to obtain real BroID from that name */
+  bro_string_cleanup(&tmp);
+
+  D_RETURN_(TRUE);
+}
+
+
+static int
+__bro_mutable_val_write(BroMutableVal *mv, BroConn *bc)
+{
+  D_ENTER;
+  
+  if (! __bro_val_write((BroVal *) mv, bc))
+    D_RETURN_(FALSE);
+  
+  if (! __bro_buf_write_char(bc->tx_buf, mv->props))
+    D_RETURN_(FALSE);
+  
+  if (! __bro_buf_write_string(bc->tx_buf, (mv->id ? &mv->id->name : NULL)))
+    D_RETURN_(FALSE);
+  
+  D_RETURN_(TRUE);
+}
+
+
+static int
+__bro_mutable_val_clone(BroMutableVal *dst, BroMutableVal *src)
+{
+  D_ENTER;
+  
+  if (! __bro_val_clone((BroVal *) dst, (BroVal *) src))
+    D_RETURN_(FALSE);
+  
+  if (src->id && ! (dst->id = (BroID *) __bro_sobject_copy((BroSObject *) src->id)))
+    D_RETURN_(FALSE);
+  
+  src->props = dst->props;
+  
+  D_RETURN_(TRUE);
+}
+
+
+static uint32
+__bro_mutable_val_hash(BroMutableVal *mv)
+{
+  uint32 result;
+
+  D_ENTER;
+
+  if (! mv)
+    D_RETURN_(0);
+
+  result = __bro_id_hash(mv->id) ^ mv->props;
+
+  D_RETURN_(result);
+}
+
+
+static int
+__bro_mutable_val_cmp(BroMutableVal *mv1, BroMutableVal *mv2)
+{
+  D_ENTER;
+
+  if (! mv1 || ! mv2)
+    D_RETURN_(FALSE);
+
+  if (! __bro_id_cmp(mv1->id, mv2->id))
+    D_RETURN_(FALSE);
+
+  if (mv1->props != mv2->props)
+    D_RETURN_(FALSE);
+
+  D_RETURN_(TRUE);
+}
+
+
+BroRecordVal *
+__bro_record_val_new(void)
+{
+  BroRecordVal *val;
+
+  D_ENTER;
+
+  if (! (val = calloc(1, sizeof(BroRecordVal))))
+    D_RETURN_(NULL);
+
+  __bro_record_val_init(val);
+
+  D_RETURN_(val);
+}
+
+
+static void
+__bro_record_val_init(BroRecordVal *rv)
+{
+  BroSObject *sobj = (BroSObject *) rv;
+  BroVal *val = (BroVal *) rv;
+
+  D_ENTER;
+  
+  __bro_mutable_val_init((BroMutableVal *) rv);
+  
+  sobj->read  = (BroSObjectRead) __bro_record_val_read;
+  sobj->write = (BroSObjectWrite) __bro_record_val_write;
+  sobj->free  = (BroSObjectFree) __bro_record_val_free;
+  sobj->clone = (BroSObjectClone) __bro_record_val_clone;
+  sobj->hash  = (BroSObjectHash) __bro_record_val_hash;
+  sobj->cmp   = (BroSObjectCmp) __bro_record_val_cmp;
+
+  sobj->type_id = SER_RECORD_VAL;
+
+  val->get_data = (BroValAccessor) __bro_record_val_get;
+  
+  D_RETURN;
+}
+
+
+static void
+__bro_record_val_free(BroRecordVal *rv)
+{
+  D_ENTER;
+
+  if (! rv)
+    D_RETURN;
+  
+  __bro_record_free(rv->rec);
+  __bro_mutable_val_free((BroMutableVal *) rv);
+
+  D_RETURN;
+}
+
+
+static int
+__bro_record_val_read(BroRecordVal *rv, BroConn *bc)
+{
+  char opt;
+  uint32 i, len;
+  BroVal *val;
+  
+  D_ENTER;
+  
+  if (! __bro_mutable_val_read((BroMutableVal *) rv, bc))
+    D_RETURN_(FALSE);
+
+  /* Clean out old vals, if any */
+  __bro_record_free(rv->rec);
+  
+  if (! (rv->rec = __bro_record_new()))
+    D_RETURN_(FALSE);
+  
+  /* Read in new vals */
+
+  if (! __bro_buf_read_int(bc->rx_buf, &len))
+    goto error_return;
+  
+  for (i = 0; i < len; i++)
+    {
+      const char *field_name;
+      BroVal *rv_val   = (BroVal *) rv;
+      BroType *rv_type = rv_val->val_type;
+
+      D(("Reading val %i/%i into record %p of val %p\n",
+	 i+1, len, rv->rec, rv));
+
+      if (! __bro_buf_read_char(bc->rx_buf, &opt))
+	goto error_return;
+      
+      if (opt)
+	{
+	  if (! (val = (BroVal *) __bro_sobject_unserialize(SER_IS_VAL, bc)))
+	    {
+	      D(("WARNING -- unserializing record element failed.\n"));
+	      goto error_return;
+	    }
+	}
+      else
+	{
+	  /* We need an empty val if none was given in order to maintain
+	   * a chain of vals nonetheless -- the missing type in this new
+	   * val indicates that it is an unassigned val.
+	   */
+	  D(("WARNING -- unassigned val.\n"));
+	  if (! (val = __bro_val_new()))
+	    goto error_return;
+	}
+      
+      __bro_record_add_val(rv->rec, val);
+      
+      if (! (field_name = __bro_record_type_get_nth_field((BroRecordType *) rv_type, i)))
+	{
+	  D(("WARNING -- record type field %i has no name.\n", i));
+	  goto error_return;
+	}
+
+      __bro_record_set_nth_name(rv->rec, i, field_name);
+    }
+  
+  D_RETURN_(TRUE);
+
+ error_return:
+  __bro_record_free(rv->rec);
+  rv->rec = NULL;
+  D_RETURN_(FALSE);
+}
+
+
+static int
+__bro_record_val_write(BroRecordVal *rv, BroConn *bc)
+{
+  BroList *l;
+  BroVal *val;
+  int i;
+
+  D_ENTER;
+
+  if (! __bro_mutable_val_write((BroMutableVal *) rv, bc))
+    D_RETURN_(FALSE);
+  
+  if (! __bro_buf_write_int(bc->tx_buf, rv->rec->val_len))
+    D_RETURN_(FALSE);
+  
+  if (! rv->rec && rv->rec->val_len > 0)
+    D_RETURN_(FALSE);
+  
+  D(("Writing out %i vals in record %p.\n", rv->rec->val_len, rv->rec));
+
+  for (i = 0, l = rv->rec->val_list; l; i++, l = __bro_list_next(l))
+    {
+      val = __bro_list_data(l);
+      
+      D(("Val %i/%p's type: %p\n", i, val, val->val_type));
+      
+      if (! __bro_buf_write_char(bc->tx_buf, (val->val_type ? 1 :0)))
+	D_RETURN_(FALSE);
+      
+      if (val->val_type)
+	{	  
+	  if (! __bro_sobject_serialize((BroSObject *) val, bc))
+	    D_RETURN_(FALSE);
+	}
+    }
+  
+  D_RETURN_(TRUE);
+}
+
+
+static int
+__bro_record_val_clone(BroRecordVal *dst, BroRecordVal *src)
+{
+  D_ENTER;
+  
+  if (! __bro_mutable_val_clone((BroMutableVal *) dst, (BroMutableVal *) src))
+    D_RETURN_(FALSE);
+  
+  if (src->rec && ! (dst->rec = __bro_record_copy(src->rec)))
+    D_RETURN_(FALSE);
+  
+  D_RETURN_(TRUE);
+}
+
+
+static uint32
+__bro_record_val_hash(BroRecordVal *rv)
+{
+  uint32 result;
+  
+  D_ENTER;
+  
+  if (! rv)
+    D_RETURN_(0);
+
+  result = __bro_record_hash(rv->rec);
+
+  D_RETURN_(result);
+
+}
+
+
+static int
+__bro_record_val_cmp(BroRecordVal *rv1, BroRecordVal *rv2)
+{
+  D_ENTER;
+
+  if (! rv1 || ! rv2)
+    D_RETURN_(FALSE);
+  
+  if (! __bro_record_cmp(rv1->rec, rv2->rec))
+    D_RETURN_(FALSE);
+
+  D_RETURN_(TRUE);
+
+}
+
+
+static void *
+__bro_record_val_get(BroRecordVal *rv)
+{
+  return rv->rec;
+}
+
+
+BroTableVal *
+__bro_table_val_new(void)
+{
+  BroTableVal *val;
+
+  D_ENTER;
+  
+  if (! (val = calloc(1, sizeof(BroTableVal))))
+    D_RETURN_(NULL);
+
+  __bro_table_val_init(val);
+  
+  D_RETURN_(val);
+}
+
+static void
+__bro_table_val_init(BroTableVal *tbl)
+{
+  BroSObject *sobj = (BroSObject *) tbl;
+  BroVal *val = (BroVal *) tbl;
+
+  D_ENTER;
+  
+  __bro_mutable_val_init((BroMutableVal *) tbl);
+  
+  sobj->read  = (BroSObjectRead) __bro_table_val_read;
+  sobj->write = (BroSObjectWrite) __bro_table_val_write;
+  sobj->free  = (BroSObjectFree) __bro_table_val_free;
+  sobj->clone = (BroSObjectClone) __bro_table_val_clone;
+  sobj->hash  = (BroSObjectHash) __bro_table_val_hash;
+  sobj->cmp   = (BroSObjectCmp) __bro_table_val_cmp;
+  
+  sobj->type_id = SER_TABLE_VAL;
+  
+  val->get_data = (BroValAccessor) __bro_table_val_get;  
+
+  D_RETURN;
+}
+
+static void
+__bro_table_val_free(BroTableVal *tbl)
+{
+  D_ENTER;
+  
+  if (! tbl)
+    D_RETURN;
+  
+  __bro_table_free(tbl->table);
+  __bro_mutable_val_free((BroMutableVal *) tbl);
+  
+  D_RETURN;
+}
+
+static int
+__bro_table_val_read(BroTableVal *tbl, BroConn *bc)
+{
+  double d;
+  char opt;
+  int num_keys = 0, num_vals = 0;
+
+  D_ENTER;
+  
+  if (! __bro_mutable_val_read((BroMutableVal *) tbl, bc))
+    D_RETURN_(FALSE);
+  
+  /* Clean out old vals, if any */
+  __bro_table_free(tbl->table);
+  
+  if (! (tbl->table = __bro_table_new()))
+    D_RETURN_(FALSE);
+  
+  /* expire_time, currently unused */
+  if (! __bro_buf_read_double(bc->rx_buf, &d))
+    goto error_return;
+
+  if (! __bro_buf_read_char(bc->rx_buf, &opt))
+    goto error_return;
+  if (opt)
+    {
+      if (! (tbl->attrs = (BroAttrs *) __bro_sobject_unserialize(SER_ATTRIBUTES, bc)))
+	{
+	  D(("WARNING -- unserializing table attributes failed.\n"));
+	  goto error_return;
+	}
+    }
+  
+  if (! __bro_buf_read_char(bc->rx_buf, &opt))
+    goto error_return;
+  if (opt)
+    {
+      D(("WARNING -- cannot unserialize expression, try to use table without expiration expression.\n"));
+      goto error_return;
+    }
+
+  /* Table entries are next: */
+  for ( ; ; )
+    {
+      BroType *type;
+      BroListVal *keys = NULL;
+      BroVal *val = NULL;
+      BroIndexType *itype = NULL;
+      int i, len, key_type = 0, val_type = 0;
+      double d;
+
+      if (! __bro_buf_read_char(bc->rx_buf, &opt))
+	goto error_return;
+
+      /* End of set members is announced if opt is 0: */
+      if (! opt)
+	break;
+
+      if (! (keys = (BroListVal *) __bro_sobject_unserialize(SER_LIST_VAL, bc)))
+	goto error_return;
+
+      /* If this isn't a set, we have a value associated with the keys too. */
+      type = ((BroVal *) tbl)->val_type;
+      itype = (BroIndexType*) type;
+      num_vals++;
+
+      if (itype->yield_type)
+	{
+	  if (! (val = (BroVal *) __bro_sobject_unserialize(SER_IS_VAL, bc)))
+	    goto error_return;
+
+	  val_type = val->val_type->tag;
+	  num_keys++;
+	}
+
+      /* If the key is a composite, we report BRO_TYPE_LIST to the user,
+       * so the user can access the individual values via a record. If
+       * the key is atomic, we extract its type and use it directly.
+       */
+
+      if (keys->len > 1)
+	key_type = BRO_TYPE_LIST;
+      else if (keys->len == 1)
+	key_type = __bro_list_val_get_front(keys)->val_type->tag;
+      else
+	goto error_return;
+      
+      if (tbl->table->tbl_key_type != BRO_TYPE_UNKNOWN &&
+	  tbl->table->tbl_key_type != key_type)
+	{
+	  D(("Type mismatch when unserializing key of type %d, expecting %d\n",
+	     key_type, tbl->table->tbl_key_type));
+	  goto error_return;
+	}
+
+      tbl->table->tbl_key_type = key_type;
+      
+      if (tbl->table->tbl_val_type != BRO_TYPE_UNKNOWN &&
+	  tbl->table->tbl_val_type != val_type)
+	{
+	  D(("Type mismatch when unserializing val of type %d, expecting %d\n",
+	     val_type, tbl->table->tbl_val_type));
+	  goto error_return;
+	}
+
+      tbl->table->tbl_val_type = val_type;	
+      
+      /* Eat two doubles -- one for the last access time and
+       * one for when the item is supposed to expire.
+       * XXX: currently unimplemented.
+       */
+      if (! __bro_buf_read_double(bc->rx_buf, &d) ||
+	  ! __bro_buf_read_double(bc->rx_buf, &d))
+	goto error_return;
+
+      /* The key type of a BroTable is always a BroListVal, even
+       * though it might well have only a single element.
+       *
+       * Since we just unserialized it, we pass on ownership of
+       * both key and value to the table.
+       */
+      __bro_table_insert(tbl->table, (BroVal*) keys, val);
+    }
+
+  D_RETURN_(TRUE);
+
+ error_return:
+  __bro_table_free(tbl->table);
+  tbl->table = NULL;
+  D_RETURN_(FALSE);
+}
+
+static int
+__bro_table_val_write_cb_direct(BroVal *key, BroVal *val, BroConn *bc)
+{
+  if (! __bro_sobject_serialize((BroSObject *) key, bc))
+    return FALSE;
+  
+  if (val && ! __bro_sobject_serialize((BroSObject *) val, bc))
+    return FALSE;
+  
+  return TRUE;
+}
+
+static int
+__bro_table_val_write_cb_unpack(BroVal *key, BroRecordVal *val, BroConn *bc)
+{
+  BroRecord *rec = val->rec;
+  BroListVal *lv = __bro_list_val_new();
+  
+  /* Just hook the list into the list val, we unhook below. */
+  lv->list = rec->val_list;
+  lv->len = rec->val_len;
+  
+  if (! __bro_sobject_serialize((BroSObject *) lv, bc))
+    goto error_return;
+  
+  if (val && ! __bro_sobject_serialize((BroSObject *) val, bc))
+    goto error_return;
+  
+  lv->list = NULL;
+  __bro_list_val_free(lv);
+  
+  return TRUE;
+
+ error_return:
+  lv->list = NULL;
+  __bro_list_val_free(lv);
+  return FALSE;
+}
+
+static int
+__bro_table_val_write(BroTableVal *tbl, BroConn *bc)
+{
+  double d = 0;
+  char opt = 0;
+
+  D_ENTER;
+
+  if (! __bro_mutable_val_write((BroMutableVal *) tbl, bc))
+    D_RETURN_(FALSE);
+
+  if (! __bro_buf_write_double(bc->tx_buf, d))
+    D_RETURN_(FALSE);
+
+  /* XXX For now we neever send any attributes, nor an expire expr */
+  if (! __bro_buf_write_char(bc->tx_buf, opt))
+    D_RETURN_(FALSE);
+  if (! __bro_buf_write_char(bc->tx_buf, opt))
+    D_RETURN_(FALSE);
+
+  /* How we iterate depends on whether the index type is atomic or not.
+   * If atomic, we use __bro_table_val_write_cb_direct(), otherwise
+   * we use ..._unpack(), which converts the elements of the RecordVal
+   * into a ListVal before sending.
+   */
+  if (__bro_table_val_has_atomic_key(tbl))
+    __bro_table_foreach(tbl->table, (BroTableCallback) __bro_table_val_write_cb_direct, bc);
+  else
+    __bro_table_foreach(tbl->table, (BroTableCallback) __bro_table_val_write_cb_unpack, bc);
+
+  D_RETURN_(TRUE);
+}
+
+static int
+__bro_table_val_clone(BroTableVal *dst, BroTableVal *src)
+{
+  D_ENTER;
+
+  if (! __bro_mutable_val_clone((BroMutableVal *) dst, (BroMutableVal *) src))
+    D_RETURN_(FALSE);
+
+  if (src->table && ! (dst->table = __bro_table_copy(src->table)))
+    D_RETURN_(FALSE);
+  
+  D_RETURN_(TRUE);
+}
+
+static uint32
+__bro_table_val_hash(BroTableVal *tv)
+{
+  uint32 result;
+
+  D_ENTER;
+  
+  if (! tv)
+    D_RETURN_(0);
+  
+  result = __bro_sobject_hash((BroSObject*) tv->table_type);
+  result ^= __bro_sobject_hash((BroSObject*) tv->attrs);
+  result ^= __bro_table_hash(tv->table);
+  
+  D_RETURN_(result);
+
+}
+
+static int
+__bro_table_val_cmp(BroTableVal *tv1, BroTableVal *tv2)
+{
+  D_ENTER;
+
+  if (! tv1 || ! tv2)
+    D_RETURN_(FALSE);
+
+  if (! __bro_sobject_cmp((BroSObject*) tv1->table_type,
+			  (BroSObject*) tv2->table_type))
+    D_RETURN_(FALSE);
+  
+  if (! __bro_table_cmp(tv1->table, tv2->table))
+    D_RETURN_(FALSE);
+  
+  D_RETURN_(TRUE);
+}
+
+static void *
+__bro_table_val_get(BroTableVal *tbl)
+{
+  return tbl->table;
+}
+
+int
+__bro_table_val_has_atomic_key(BroTableVal *tbl)
+{
+  if (! tbl || ! tbl->table_type) 
+    return FALSE;
+
+  return ((BroIndexType *) tbl->table_type)->indices->num_types == 1;
+}
diff --git a/aux/broccoli/src/bro_val.h b/aux/broccoli/src/bro_val.h
new file mode 100644
index 0000000000..46a758e910
--- /dev/null
+++ b/aux/broccoli/src/bro_val.h
@@ -0,0 +1,147 @@
+/*
+       B R O C C O L I  --  The Bro Client Communications Library
+
+Copyright (C) 2004-2008 Christian Kreibich <christian (at) icir.org>
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to
+deal in the Software without restriction, including without limitation the
+rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+sell copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies of the Software and its documentation and acknowledgment shall be
+given in the documentation and software packages that this Software was
+used.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+*/
+#ifndef broccoli_val_h
+#define broccoli_val_h
+
+#include <broccoli.h>
+#include <bro_types.h>
+#include <bro_util.h>
+#include <bro_id.h>
+#include <bro_attrs.h>
+
+typedef void *(* BroValAccessor) (BroVal *val);
+
+struct bro_val
+{
+  BroObject                    object;
+
+  /* A class method for accessing the data contained by
+   * a val:
+   */
+  BroValAccessor               get_data;
+  
+  /* The full type object of this val -- this also yields
+   * what member of the union is used below (unless we're
+   * inside a derived type and store our data elsewhere).
+   * If val_type is NULL, it means we're dealing with an
+   * unassigned val.
+   */
+  BroType                     *val_type;
+  
+  BroRecordVal                *val_attrs;
+
+  union {
+    char                       char_val;
+    uint32                     int_val;
+    double                     double_val;
+    BroPort                    port_val;
+    BroString                  str_val;
+    BroSubnet                  subnet_val;
+  } val;
+
+#define val_char               val.char_val
+#define val_int                val.int_val
+#define val_double             val.double_val
+#define val_port               val.port_val
+#define val_str                val.str_val
+#define val_strlen             val.str_val.str_len
+#define val_subnet             val.subnet_val
+};
+
+struct bro_list_val
+{
+  BroVal                       val;
+
+  char                         type_tag;
+  int                          len;
+
+  BroList                     *list;
+};
+
+struct bro_mutable_val
+{
+  BroVal                       val;
+
+  BroID                       *id;
+  char                         props;
+};
+
+#define BRO_VAL_PROP_PERS      0x01
+#define BRO_VAL_PROP_SYNC      0x02
+
+struct bro_record_val
+{
+  BroMutableVal                mutable;
+  
+  /* We don't use the full record val when interacting
+   * with the user, but only what's really necessary.
+   */
+  BroRecord                   *rec;
+};
+
+struct bro_table_val
+{
+  BroMutableVal                mutable;
+
+  BroTableType                *table_type;
+  BroAttrs                    *attrs;
+  
+  BroTable                    *table;
+};
+
+
+BroVal          *__bro_val_new(void);
+BroVal          *__bro_val_new_of_type(int type, const char *type_name);
+int              __bro_val_assign(BroVal *val, const void *data);
+
+/* Returns a pointer to the val's data depending on its type.
+ * Type is returned through *type if provided.
+ */
+int              __bro_val_get_data(BroVal *val, int *type, void **data);
+int              __bro_val_get_type_num(const BroVal *val);
+
+BroListVal      *__bro_list_val_new(void);
+
+/* Append a val to the list. This does not duplicate, so adopts the
+ * given val.
+ */
+void             __bro_list_val_append(BroListVal *lv, BroVal *val);
+
+/* Removes the first value from the list and returns it. */
+BroVal          *__bro_list_val_pop_front(BroListVal *lv);
+
+/* Only returns the first value from the list. */
+BroVal          *__bro_list_val_get_front(BroListVal *lv);
+int              __bro_list_val_get_length(BroListVal *lv);
+
+BroMutableVal   *__bro_mutable_val_new(void);
+
+BroRecordVal    *__bro_record_val_new(void);
+
+BroTableVal     *__bro_table_val_new(void);
+int              __bro_table_val_has_atomic_key(BroTableVal *tv);
+
+#endif
diff --git a/aux/broccoli/src/broccoli.h.in b/aux/broccoli/src/broccoli.h.in
new file mode 100644
index 0000000000..f56f33957a
--- /dev/null
+++ b/aux/broccoli/src/broccoli.h.in
@@ -0,0 +1,1418 @@
+/*
+       B R O C C O L I  --  The Bro Client Communications Library
+
+Copyright (C) 2004-2007 Christian Kreibich <christian (at) icir.org>
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to
+deal in the Software without restriction, including without limitation the
+rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+sell copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies of the Software and its documentation and acknowledgment shall be
+given in the documentation and software packages that this Software was
+used.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+*/
+#ifndef broccoli_h
+#define broccoli_h
+
+#include <unistd.h>
+#include <sys/types.h>
+#include <stdlib.h>
+#ifdef __MINGW32__
+#include <winsock.h>
+#else
+#include <netinet/in.h>
+#endif
+#include <openssl/crypto.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * bro_debug_calltrace - Debugging output switch for call tracing.
+ *
+ * If you have debugging support built in (i.e., your package was configured
+ * with --enable-debugging), you can enable/disable debugging output for
+ * call tracing by setting this to 0 (off) or 1 (on). Default is off.
+ */
+extern int bro_debug_calltrace;
+
+/**
+ * bro_debug_messages - Output switch for debugging messages.
+ *
+ * If you have debugging support built in (i.e., your package was configured
+ * with --enable-debugging), you can enable/disable debugging messages
+ * by setting this to 0 (off) or 1 (on). Default is off.
+ */
+extern int bro_debug_messages;
+
+#ifndef	FALSE
+#define	FALSE	(0)
+#endif
+
+#ifndef	TRUE
+#define	TRUE	(!FALSE)
+#endif
+
+/* Numeric values of Bro type identifiers, corresponding
+ * to the values of the TypeTag enum in Bro's Type.h. Use
+ * these values with bro_event_add_val(), bro_record_add_val(),
+ * bro_record_get_nth_val() and bro_record_get_named_val().
+ *
+ * BRO_TYPE_UNKNOWN is not used in the data exchange,
+ * see bro_record_get_{nth,named}_val() for its use.
+ */
+#define BRO_TYPE_UNKNOWN           0
+#define BRO_TYPE_BOOL              1
+#define BRO_TYPE_INT               2
+#define BRO_TYPE_COUNT             3
+#define BRO_TYPE_COUNTER           4
+#define BRO_TYPE_DOUBLE            5
+#define BRO_TYPE_TIME              6
+#define BRO_TYPE_INTERVAL          7
+#define BRO_TYPE_STRING            8
+#define BRO_TYPE_PATTERN           9
+#define BRO_TYPE_ENUM             10
+#define BRO_TYPE_TIMER            11
+#define BRO_TYPE_PORT             12
+#define BRO_TYPE_IPADDR           13
+#define BRO_TYPE_NET              14
+#define BRO_TYPE_SUBNET           15
+#define BRO_TYPE_ANY              16
+#define BRO_TYPE_TABLE            17
+#define BRO_TYPE_UNION            18
+#define BRO_TYPE_RECORD           19
+#define BRO_TYPE_LIST             20
+#define BRO_TYPE_FUNC             21
+#define BRO_TYPE_FILE             22
+#define BRO_TYPE_VECTOR           23
+#define BRO_TYPE_ERROR            24
+#define BRO_TYPE_PACKET           25 /* CAUTION -- not defined in Bro! */
+#define BRO_TYPE_SET              26 /* ----------- (ditto) ---------- */
+#define BRO_TYPE_MAX              27
+
+/* Flags for new connections, to pass to bro_conn_new()
+ * and bro_conn_new_str(). See manual for details.
+ */
+#define BRO_CFLAG_NONE                      0
+#define BRO_CFLAG_RECONNECT           (1 << 0) /* Attempt transparent reconnects */
+#define BRO_CFLAG_ALWAYS_QUEUE        (1 << 1) /* Queue events sent while disconnected */
+#define BRO_CFLAG_SHAREABLE           (1 << 2) /* DO NOT USE -- no longer supported */
+#define BRO_CFLAG_DONTCACHE           (1 << 3) /* Ask peer not to use I/O cache (default) */
+#define BRO_CFLAG_YIELD               (1 << 4) /* Process just one event at a time */
+#define BRO_CFLAG_CACHE               (1 << 5) /* Ask per to use I/O cache */
+
+
+/* ---------------------------- Typedefs ----------------------------- */
+
+@TYPEDEF_UINT@
+typedef unsigned int   uint32;
+typedef unsigned short uint16;
+typedef unsigned char  uchar;
+
+typedef struct bro_conn BroConn;
+typedef struct bro_event BroEvent;
+typedef struct bro_buf BroBuf;
+typedef struct bro_record BroRecord;
+typedef struct bro_table BroTable;
+typedef struct bro_table BroSet;
+typedef struct bro_ev_meta BroEvMeta;
+typedef struct bro_packet BroPacket;
+
+/* ----------------------- Callback Signatures ----------------------- */
+
+/**
+ * BroEventFunc - The signature of expanded event callbacks.
+ * @bc: Bro connection handle.
+ * @user_data: user data provided to bro_event_registry_add().
+ * @...: varargs.
+ *
+ * This is the signature of callbacks for handling received
+ * Bro events, called in the argument-expanded style.  For details
+ * see bro_event_registry_add().
+ */
+typedef void (*BroEventFunc) (BroConn *bc, void *user_data, ...);
+
+/**
+ * BroCompactEventFunc - The signature of compact event callbacks.
+ * @bc: Bro connection handle.
+ * @user_data: user data provided to bro_event_registry_add_compact().
+ * @meta: metadata for the event
+ *
+ * This is the signature of callbacks for handling received
+ * Bro events, called in the compact-argument style. For details
+ * see bro_event_registry_add_compact().
+ */
+typedef void (*BroCompactEventFunc) (BroConn *bc, void *user_data, BroEvMeta *meta);
+
+typedef void (*BroPacketFunc) (BroConn *bc, void *user_data,
+			       const BroPacket *packet);
+
+/**
+ * OpenSSL_lockfunc - locking function for OpenSSL thread safeness.
+ * @mode: acquire nth lock if (mode & CRYPTO_LOCK) is true, release otherwise.
+ * @n: lock index. You need to support at least CRYPTO_num_locks().
+ * @file: file from which OpenSSL invokes the callback.
+ * @line: line in file from which OpenSSL invokes the callback.
+ *
+ * If you are using Broccoli in a multithreaded environment, you need
+ * to use bro_init() with a BroCtx structure and use it to point at an
+ * implementation of this callback. Refer to pages 74ff in O'Reilly's
+ * OpenSSL book (by Viega et al.) for details. You could also look at 
+ * 
+ *   http://www.openssl.org/support/faq.html#PROG1
+ *   http://www.openssl.org/docs/crypto/threads.html
+ *
+ * but you will only curse OpenSSL even more than you already do after
+ * reading those.
+ */
+typedef void (*OpenSSL_lock_func) (int mode, int n, const char *file, int line);
+
+/**
+ * OpenSSL_thread_id_func - thread ID function for OpenSSL thread safeness.
+ * @id: target pointer into which the current thread's numeric ID must be written.
+ * 
+ * Please refer to pages 74ff in O'Reilly's OpenSSL book, and also see
+ * the comments for OpenSSL_lockfunc.
+ */
+typedef unsigned long (*OpenSSL_thread_id_func) (void);
+
+
+/**
+ * OpenSSL_dynlock_create_func - allocator for dynamic locks, for OpenSSL thread safeness.
+ * @file: file from which OpenSSL invokes the callback.
+ * @line: line in file from which OpenSSL invokes the callback.
+ * 
+ * Please refer to pages 74ff in O'Reilly's OpenSSL book, and also see
+ * the comments for OpenSSL_lockfunc().
+ */
+typedef struct CRYPTO_dynlock_value* (*OpenSSL_dynlock_create_func) (const char *file, int line);
+
+/**
+ * OpenSSL_dynlock_lock_func - lock/unlock dynamic locks, for OpenSSL thread safeness.
+ * @mode: acquire nth lock if (mode & CRYPTO_LOCK) is true, release otherwise.
+ * @mutex: lock to lock/unlock.
+ * @file: file from which OpenSSL invokes the callback.
+ * @line: line in file from which OpenSSL invokes the callback.
+ * 
+ * Please refer to pages 74ff in O'Reilly's OpenSSL book, and also see
+ * the comments for OpenSSL_lockfunc().
+ */
+typedef void (*OpenSSL_dynlock_lock_func) (int mode, struct CRYPTO_dynlock_value *mutex,
+					   const char *file, int line);
+
+/**
+ * OpenSSL_dynlock_free_func - dynamic lock deallocator, for OpenSSL thread safeness.
+ * @mutex: lock to deallocate.
+ * @file: file from which OpenSSL invokes the callback.
+ * @line: line in file from which OpenSSL invokes the callback.
+ * 
+ * Please refer to pages 74ff in O'Reilly's OpenSSL book, and also see
+ * the comments for OpenSSL_lockfunc().
+ */
+typedef void (*OpenSSL_dynlock_free_func) (struct CRYPTO_dynlock_value *mutex,
+					   const char *file, int line);
+
+
+/* ---------------------------- Structures --------------------------- */
+
+
+/* Initialization context for the Broccoli library. */
+typedef struct bro_ctx {
+  OpenSSL_lock_func lock_func;
+  OpenSSL_thread_id_func id_func;
+  OpenSSL_dynlock_create_func dl_create_func;
+  OpenSSL_dynlock_lock_func dl_lock_func;
+  OpenSSL_dynlock_free_func dl_free_func;
+} BroCtx;
+
+/* Statistical properties of a given connection. */
+typedef struct bro_conn_stats {
+  int tx_buflen; // Number of bytes to process in output buffer.
+  int rx_buflen; // Number of bytes to process in input buffer.
+} BroConnStats;
+
+/* BroStrings are used to access string parameters in received events.
+ */
+typedef struct bro_string {
+  uint32       str_len;
+  uchar       *str_val;
+} BroString;
+
+/* Ports in Broccoli do not only consist of a number but also indicate
+ * whether they are TCP or UDP.
+ */
+typedef struct bro_port {
+  uint16       port_num;   /* port number in host byte order */
+  int          port_proto; /* IPPROTO_xxx */
+} BroPort;
+
+/* Subnets are a 4-byte address with a prefix width in bits.
+ */
+typedef struct bro_subnet
+{
+  uint32       sn_net;     /* IP address in network byte order */
+  uint32       sn_width;   /* Length of prefix to consider. */
+} BroSubnet;
+
+/* Encapsulation of arguments passed to an event callback,
+ * for the compact style of argument passing.
+ */
+typedef struct bro_ev_arg
+{
+  void        *arg_data;   /* Pointer to the actual event argument */
+  int          arg_type;   /* A BRO_TYPE_xxx constant */
+} BroEvArg;
+
+/* Metadata for an event, passed to callbacks of the BroCompactEventFunc
+ * prototype.
+ */
+struct bro_ev_meta
+{
+  const char  *ev_name;    /* The name of the event */
+  double       ev_ts;      /* Timestamp of event, taken from BroEvent itself */
+  int          ev_numargs; /* How many arguments are passed */
+  BroEvArg    *ev_args;    /* Array of BroEvArgs, one for each argument */
+  const uchar *ev_start;   /* Start and end pointers to serialized version */
+  const uchar *ev_end;     /* of currently processed event. */
+};
+
+@BRO_PCAP_SUPPORT@
+#ifdef BRO_PCAP_SUPPORT
+#include <pcap.h>
+
+/* Broccoli can send and receive pcap-captured packets, wrapped into
+ * the following structure:
+ */
+struct bro_packet
+{
+  double       pkt_time;
+  uint32       pkt_hdr_size;
+  uint32       pkt_link_type;
+  
+  struct pcap_pkthdr  pkt_pcap_hdr;
+  const u_char       *pkt_data;
+  const char         *pkt_tag;
+
+};
+
+#endif
+
+/* ============================ API ================================== */
+
+/* -------------------------- Initialization ------------------------- */
+
+/**
+ * bro_init - Initializes the library.
+ * @ctx: pointer to a BroCtx structure.
+ *
+ * The function initializes the library. It MUST be called before
+ * anything else in Broccoli. Specific initialization context may be
+ * provided using a BroCtx structure pointed to by ctx. It may be
+ * omitted by passing %NULL, for default values. See bro_init_ctx() for
+ * initialization of the context structure to default values.
+ *
+ * Returns: %TRUE if initialization succeeded, %FALSE otherwise.
+ */
+int            bro_init(const BroCtx *ctx);
+
+
+/**
+ * bro_ctx_init - Initializes initialization context to default values.
+ * @ctx: pointer to a BroCtx structure.
+ */
+void           bro_ctx_init(BroCtx *ctx);
+
+
+/* ----------------------- Connection Handling ----------------------- */
+
+/**
+ * bro_conn_new - Creates and returns a handle for a connection to a remote Bro.
+ * @ip_addr: 4-byte IP address of Bro to contact, in network byte order.
+ * @port: port of machine at @ip_addr to contact, in network byte order.
+ * @flags: an or-combination of the %BRO_CONN_xxx flags.
+ *
+ * The function creates a new Bro connection handle for communication with
+ * Bro through a network. Depending on the flags passed in, the connection
+ * and its setup process can be adjusted. If you don't want to pass any
+ * flags, use %BRO_CFLAG_NONE.
+ *
+ * Returns: pointer to a newly allocated and initialized
+ * Bro connection structure. You need this structure for all
+ * other calls in order to identify the connection to Bro.
+ */
+BroConn       *bro_conn_new(struct in_addr *ip_addr, uint16 port, int flags);
+
+
+/**
+ * bro_conn_new_str - Same as bro_conn_new(), but accepts strings for hostname and port.
+ * @hostname: string describing the host and port to connect to.
+ * @flags: an or-combination of the %BRO_CONN_xxx flags.
+ *
+ * The function is identical to bro_conn_new(), but allows you to specify the
+ * host and port to connect to in a string as "<hostname>:<port>". @flags can
+ * be used to adjust the connection features and the setup process. If you don't
+ * want to pass any flags, use %BRO_CFLAG_NONE.
+ *
+ * Returns: pointer to a newly allocated and initialized
+ * Bro connection structure. You need this structure for all
+ * other calls in order to identify the connection to Bro.
+ */
+BroConn       *bro_conn_new_str(const char *hostname, int flags);
+
+/**
+ * bro_conn_new_socket - Same as bro_conn_new(), but uses existing socket.
+ * @socket: open socket.
+ * @flags: an or-combination of the %BRO_CONN_xxx flags.
+ *
+ * The function is identical to bro_conn_new(), but allows you to pass in an
+ * open socket to use for the communication. @flags can be used to
+ * adjust the connection features and the setup process. If you don't want to
+ * pass any flags, use %BRO_CFLAG_NONE.
+ *
+ * Returns: pointer to a newly allocated and initialized
+ * Bro connection structure. You need this structure for all
+ * other calls in order to identify the connection to Bro.
+ */
+BroConn       *bro_conn_new_socket(int socket, int flags);
+
+/**
+ * bro_conn_set_class - Sets a connection's class identifier.
+ * @bc: connection handle.
+ * @classname: class identifier.
+ *
+ * Broccoli connections can indicate that they belong to a certain class
+ * of connections, which is needed primarily if multiple Bro/Broccoli
+ * instances are running on the same node and connect to a single remote
+ * peer. You can set this class with this function, and you have to do so
+ * before calling bro_connect() since the connection class is determined
+ * upon connection establishment. You remain responsible for the memory
+ * pointed to by @classname.
+ */
+void           bro_conn_set_class(BroConn *bc, const char *classname);
+
+/**
+ * bro_conn_get_peer_class - Reports connection class indicated by peer.	
+ * @bc: connection handle.
+ *
+ * Returns: a string containing the connection class indicated by the peer,
+ * if any, otherwise %NULL.
+ */
+const char    *bro_conn_get_peer_class(const BroConn *bc);
+
+
+/**
+ * bro_conn_get_connstats - Reports connection properties.
+ * @bc: connection handle.
+ * @cs: BroConnStats handle.
+ * 
+ * The function fills the BroConnStats structure provided via @cs with
+ * information about the given connection.
+ */
+void           bro_conn_get_connstats(const BroConn *bc, BroConnStats *cs);
+
+
+/**
+ * bro_conn_connect - Establish connection to peer.
+ * @bc: connection handle.
+ *
+ * The function attempts to set up and configure a connection to
+ * the peer configured when the connection handle was obtained.
+ *
+ * Returns: %TRUE on success, %FALSE on failure.
+ */
+int            bro_conn_connect(BroConn *bc);
+
+
+/**
+ * bro_conn_reconnect - Drop the current connection and reconnect, reusing all settings.
+ * @bc: Bro connection handle.
+ *
+ * The functions drops the current connection identified by @bc and attempts to
+ * establish a new one with all the settings associated with @bc, including full
+ * handshake completion.
+ *
+ * Returns: %TRUE if successful, %FALSE otherwise. No matter what the outcome,
+ * you can continue to use @bc as normal (e.g. you have to release it using
+ * bro_conn_delete()).
+ */
+int            bro_conn_reconnect(BroConn *bc);
+
+
+/**
+ * bro_conn_delete - terminates and releases connection.
+ * @bc: Bro connection handle
+ *
+ * This function will terminate the given connection if necessary
+ * and release all resources associated with the connection handle.
+ * 
+ *
+ * Returns: %FALSE on error, %TRUE otherwise.
+ */
+int            bro_conn_delete(BroConn *bc);
+
+
+/**
+ * bro_conn_alive - Reports whether a connection is currently alive or has died.
+ * @bc: Bro connection handle.
+ 
+ * This predicate reports whether the connection handle is currently
+ * usable for sending/receiving data or not, e.g. because the peer
+ * died. The function does not actively check and update the
+ * connection's state, it only reports the value of flags indicating
+ * its status. In particular, this means that when calling
+ * bro_conn_alive() directly after a select() on the connection's
+ * descriptor, bro_conn_alive() may return an incorrent value. It will
+ * however return the correct value after a subsequent call to
+ * bro_conn_process_input(). Also note that the connection is also
+ * dead after the connection handle is obtained and before
+ * bro_conn_connect() is called.
+ * 
+ * Returns: %TRUE if the connection is alive, %FALSE otherwise.
+ */
+int            bro_conn_alive(const BroConn *bc);
+
+
+/**
+ * bro_conn_adopt_events - Makes one connection send out the same events as another.
+ * @src: Bro connection handle for connection whose event list to adopt.
+ * @dst: Bro connection handle for connection whose event list to change.
+ *
+ * The function makes the connection identified by @dst use the same event
+ * mask as the one identified by @src.
+ */
+void           bro_conn_adopt_events(BroConn *src, BroConn *dst);
+
+
+/**
+ * bro_conn_get_fd - Returns file descriptor of a Bro connection.
+ * @bc: Bro connection handle.
+ *
+ * If you need to know the file descriptor of the connection
+ * (such as when select()ing it etc), use this accessor function.
+ *
+ * Returns: file descriptor for connection @bc, or negative value
+ * on error.
+ */
+int            bro_conn_get_fd(BroConn *bc);
+
+
+/**
+ * bro_conn_process_input - Processes input sent to the sensor by Bro.
+ * @bc: Bro connection handle
+ *
+ * The function reads all input sent to the local sensor by the
+ * Bro peering at the connection identified by @bc. It is up
+ * to you to find a spot in the application you're instrumenting
+ * to make sure this is called. This function cannot block.
+ * bro_conn_alive() will report the actual state of the connection
+ * after a call to bro_conn_process_input().
+ *
+ * Returns: %TRUE if any input was processed, %FALSE otherwise.
+ */
+int            bro_conn_process_input(BroConn *bc);
+
+
+/* ---------------------- Connection data storage -------------------- */
+
+/* Connection handles come with a faciity to store and retrieve
+ * arbitrary data items. Use the following functions to store,
+ * query, and remove items from a connection handle.
+ */
+
+/**
+ * bro_conn_data_set - Puts a data item into the registry.
+ * @bc: Bro connection handle.
+ * @key: name of the data item.
+ * @val: data item.
+ *
+ * The function stores @val under name @key in the connection handle @bc.
+ * @key is copied internally so you do not need to duplicate it before
+ * passing.
+ */
+void           bro_conn_data_set(BroConn *bc, const char *key, void *val);
+
+
+/**
+ * bro_conn_data_get - Looks up a data item.
+ * @bc: Bro connection handle.
+ * @key: name of the data item.
+ *
+ * The function tries to look up the data item with name @key and
+ * if found, returns it.
+ * 
+ * Returns: data item if lookup was successful, %NULL otherwise.
+ */
+void          *bro_conn_data_get(BroConn *bc, const char *key);
+
+
+/**
+ * bro_conn_data_del - Removes a data item.
+ * @bc: Bro connection handle.
+ * @key: name of the data item.
+ *
+ * The function tries to remove the data item with name @key.
+ * 
+ * Returns: the removed data item if it exists, %NULL otherwise.
+ */
+void          *bro_conn_data_del(BroConn *bc, const char *key);
+
+
+/* ----------------------------- Bro Events -------------------------- */
+
+/**
+ * bro_event_new - Creates a new empty event with a given name.
+ * @event_name: name of the Bro event.
+ *
+ * The function creates a new empty event with the given
+ * name and returns it.
+ *
+ * Returns: new event, or %NULL if allocation failed.
+ */
+BroEvent      *bro_event_new(const char *event_name);
+
+
+/**
+ * bro_event_free - Releases all memory associated with an event.
+ * @be: event to release.
+ *
+ * The function releases all memory associated with @be. Note 
+ * that you do NOT have to call this after sending an event.
+ */
+void           bro_event_free(BroEvent *be);
+
+
+/**
+ * bro_event_add_val - Adds a parameter to an event.
+ * @be: event to add to.
+ * @type: numerical type identifier (a %BRO_TYPE_xxx constant).
+ * @type_name: optional name of specialized type.
+ * @val: value to add to event.
+ *
+ * The function adds the given @val to the argument list of
+ * event @be. The type of @val is derived from @type, and may be
+ * specialized to the type named @type_name. If @type_name is not
+ * desired, use %NULL.
+ *
+ * @val remains the caller's responsibility and is copied internally.
+ *
+ * Returns: %TRUE if the operation was successful, %FALSE otherwise.
+ */
+int            bro_event_add_val(BroEvent *be, int type,
+				 const char *type_name,const void *val);
+
+
+/**
+ * bro_event_set_val - Replace a value in an event.
+ * @be: event handle.
+ * @val_num: number of the value to replace, starting at 0.
+ * @type: numerical type identifier (a %BRO_TYPE_xxx constant).
+ * @type_name: optional name of specialized type.
+ * @val: value to put in.
+ *
+ * The function replaces whatever value is currently stored in the
+ * event pointed to by @be with the val specified through the @type and
+ * @val arguments. If the event does not currently hold enough
+ * values to replace one in position @val_num, the function does
+ * nothing. If you want to indicate a type specialized from @type,
+ * use @type_name to give its name, otherwise pass %NULL for @type_name.
+ *
+ * Returns: %TRUE if successful, %FALSE on error.
+ */
+int            bro_event_set_val(BroEvent *be, int val_num,
+				 int type, const char *type_name,
+				 const void *val);
+
+/**
+ * bro_event_send - Tries to send an event to a Bro agent.
+ * @bc: Bro connection handle
+ * @be: event to send.
+ *
+ * The function tries to send @be to the Bro agent connected
+ * through @bc. Regardless of the outcome, you do NOT have
+ * to release the event afterwards using bro_event_free().
+ * 
+ * Returns: %TRUE if the event got sent or queued for later transmission,
+ * %FALSE on error. There are no automatic repeated send attempts
+ * (to minimize the effect on the code that Broccoli is linked to).
+ * If you have to make sure that everything got sent, you have
+ * to try to empty the queue using bro_event_queue_flush(), and
+ * also look at bro_event_queue_empty().
+ */
+int            bro_event_send(BroConn *bc, BroEvent *be);
+	
+
+/**
+ * bro_event_send_raw - Enqueues a serialized event directly into a connection's send buffer.
+ * @bc: Bro connection handle
+ * @data: pointer to serialized event data.
+ * @data_len: length of buffer pointed to by @data.
+ *
+ * The function enqueues the given event data into @bc's transmit buffer.
+ * @data_len bytes at @data must correspond to a single event.
+ *
+ * Returns: %TRUE if successful, %FALSE on error.
+ */
+int            bro_event_send_raw(BroConn *bc, const uchar *data, int data_len);
+
+
+/**
+ * bro_event_queue_length - Returns current queue length.
+ * @bc: Bro connection handle
+ *
+ * Use this function to find out how many events are currently queued
+ * on the client side.
+ *
+ * Returns: number of items currently queued.
+ */
+int            bro_event_queue_length(BroConn *bc);
+
+
+/**
+ * bro_event_queue_length_max - Returns maximum queue length.
+ * @bc: Bro connection handle
+ *
+ * Use this function to find out how many events can be queued before
+ * events start to get dropped.
+ *
+ * Returns: maximum possible queue size.
+ */
+int            bro_event_queue_length_max(BroConn *bc);
+
+
+/**
+ * bro_event_queue_flush - Tries to flush the send queue of a connection.
+ * @bc: Bro connection handle
+ *
+ * The function tries to send as many queued events to the Bro
+ * agent as possible.
+ *
+ * Returns: remaining queue length after flush.
+ */
+int            bro_event_queue_flush(BroConn *bc);
+
+
+/* ------------------------ Bro Event Callbacks ---------------------- */
+
+/**
+ * bro_event_registry_add - Adds an expanded-argument event callback to the event registry.
+ * @bc: Bro connection handle
+ * @event_name: Name of events that trigger callback
+ * @func: callback to invoke.
+ * @user_data: user data passed through to the callback.
+ *
+ * This function registers the callback @func to be invoked when events
+ * of name @event_name arrive on connection @bc. @user_data is passed along
+ * to the callback, which will receive it as the second parameter. You
+ * need to ensure that the memory @user_data points to is valid during the
+ * time the callback might be invoked.
+ *
+ * Note that this function only registers the callback in the state
+ * associated with @bc. If you use bro_event_registry_add() and @bc
+ * has not yet been connected via bro_conn_connect(), then no further
+ * action is required. bro_conn_connect() request ant registered event types.
+ * If however you are requesting additional event types after the connection has
+ * been established, then you also need to call bro_event_registry_request()
+ * in order to signal to the peering Bro that you want to receive those events.
+ */
+void           bro_event_registry_add(BroConn *bc,
+				      const char *event_name,
+				      BroEventFunc func,
+				      void *user_data);
+
+/**
+ * bro_event_registry_add_compact - Adds a compact-argument event callback to the event registry.
+ * @bc: Bro connection handle
+ * @event_name: Name of events that trigger callback
+ * @func: callback to invoke.
+ * @user_data: user data passed through to the callback.
+ *
+ * This function registers the callback @func to be invoked when events
+ * of name @event_name arrive on connection @bc. @user_data is passed along
+ * to the callback, which will receive it as the second parameter. You
+ * need to ensure that the memory @user_data points to is valid during the
+ * time the callback might be invoked. See bro_event_registry_add() for
+ * details.
+ */
+void           bro_event_registry_add_compact(BroConn *bc,
+					      const char *event_name,
+					      BroCompactEventFunc func,
+					      void *user_data);
+
+/**
+ * bro_event_registry_remove - Removes an event handler.
+ * @bc: Bro connection handle
+ * @event_name: event to ignore from now on.
+ *
+ * The function removes all callbacks for event @event_name from the
+ * event registry for connection @bc.
+ */
+void           bro_event_registry_remove(BroConn *bc, const char *event_name);
+
+/**
+ * bro_event_registry_request - Notifies peering Bro to send events.
+ * @bc: Bro connection handle
+ *
+ * The function requests the events you have previously requested using
+ * bro_event_registry_add() from the Bro listening on @bc.
+ */
+void           bro_event_registry_request(BroConn *bc);
+
+
+
+/* ------------------------ Dynamic-size Buffers --------------------- */
+
+/**
+ * bro_buf_new - Creates a new buffer object.
+ *
+ * Returns a new buffer object, or %NULL on error. Use paired with
+ * bro_buf_free().
+ */
+BroBuf        *bro_buf_new(void);
+
+/**
+ * bro_buf_free - Releases a dynamically allocated buffer object.
+ * @buf: buffer pointer.
+ *
+ * The function releases all memory held by the buffer pointed
+ * to by @buf. Use paired with bro_buf_new().
+ */
+void           bro_buf_free(BroBuf *buf);
+
+/**
+ * bro_buf_append - appends data to the end of the buffer.
+ * @buf: buffer pointer.
+ * @data: new data to append to buffer.
+ * @data_len: size of @data.
+ *
+ * The function appends data to the end of the buffer,
+ * enlarging it if necessary to hold the @len new bytes.
+ * NOTE: it does not modify the buffer pointer. It only
+ * appends new data where buf_off is currently pointing
+ * and updates it accordingly. If you DO want the buffer
+ * pointer to be updated, have a look at bro_buf_ptr_write()
+ * instead.
+ *
+ * Returns: %TRUE if successful, %FALSE otherwise.
+ */
+int            bro_buf_append(BroBuf *buf, void *data, int data_len);
+
+
+/**
+ * bro_buf_consume - shrinks the buffer.
+ * @buf: buffer pointer.
+ *
+ * The function removes the buffer contents between the start
+ * of the buffer and the point where the buffer pointer
+ * currently points to. The idea is that you call bro_buf_ptr_read()
+ * a few times to extract data from the buffer, and then
+ * call bro_buf_consume() to signal to the buffer that the
+ * extracted data are no longer needed inside the buffer.
+ */
+void           bro_buf_consume(BroBuf *buf);
+
+
+/**
+ * bro_buf_reset - resets the buffer.
+ * @buf: buffer pointer.
+ *
+ * The function resets the buffer pointers to the beginning of the
+ * currently allocated buffer, i.e., it marks the buffer as empty.
+ */
+void           bro_buf_reset(BroBuf *buf);
+
+
+/**
+ * bro_buf_get - Returns pointer to actual start of buffer.
+ * @buf: buffer pointer.
+ *
+ * Returns the entire buffer's contents.
+ */
+uchar         *bro_buf_get(BroBuf *buf);
+
+
+/**
+ * bro_buf_get_end - Returns pointer to the end of the buffer.
+ * @buf: buffer pointer.
+ *
+ * Returns: a pointer to the first byte in the
+ * buffer that is not currently used.
+ */ 
+uchar         *bro_buf_get_end(BroBuf *buf);
+
+
+/**
+ * bro_buf_get_size - Returns number of bytes allocated for buffer.
+ * @buf: buffer pointer.
+ *
+ * Returns: the number of actual bytes allocated for the
+ * buffer.
+ */
+uint           bro_buf_get_size(BroBuf *buf);
+
+
+/**
+ * bro_buf_get_used_size - Returns number of bytes currently used.
+ * @buf: buffer pointer.
+ *
+ * Returns: number of bytes currently used.
+ */
+uint           bro_buf_get_used_size(BroBuf *buf);
+
+
+/**
+ * bro_buf_ptr_get - Returns current buffer content pointer.
+ * @buf: buffer pointer.
+ *
+ * Returns: current buffer content pointer.
+ */
+uchar         *bro_buf_ptr_get(BroBuf *buf);
+
+
+/**
+ * bro_buf_ptr_tell - Returns current offset of buffer content pointer.
+ * @buf: buffer pointer.
+ *
+ * Returns: current offset of buffer content pointer.
+ */
+uint32         bro_buf_ptr_tell(BroBuf *buf);
+
+
+/**
+ * bro_buf_ptr_seek - Adjusts buffer content pointer.
+ * @buf: buffer pointer.
+ * @offset: number of bytes by which to adjust pointer, positive or negative.
+ * @whence: location relative to which to adjust.
+ *
+ * The function adjusts the position of @buf's content
+ * pointer. Call semantics are identical to fseek(), thus
+ * use @offset to indicate the offset by which to jump and
+ * use %SEEK_SET, %SEEK_CUR, or %SEEK_END to specify the
+ * position relative to which to adjust.
+ *
+ * Returns: %TRUE if adjustment could be made, %FALSE
+ * if not (e.g. because the offset requested is not within
+ * legal bounds).
+ */
+int            bro_buf_ptr_seek(BroBuf *buf, int offset, int whence);
+
+
+/** 
+ * bro_buf_ptr_check - Checks whether a number of bytes can be read.
+ * @buf: buffer pointer.
+ * @size: number of bytes to check for availability.
+ *
+ * The function checks whether @size bytes could be read from the
+ * buffer using bro_buf_ptr_read().
+ *
+ * Returns: %TRUE if @size bytes can be read, %FALSE if not.
+ */
+int            bro_buf_ptr_check(BroBuf *buf, int size);
+
+
+/**
+ * bro_buf_ptr_read - Extracts a number of bytes from buffer.
+ * @buf: buffer pointer.
+ * @data: destination area.
+ * @size: number of bytes to copy into @data.
+ *
+ * The function copies @size bytes into @data if the buffer
+ * has @size bytes available from the current location of
+ * the buffer content pointer onward, incrementing the content
+ * pointer accordingly. If not, the function doesn't do anything.
+ * It behaves thus different from the normal read() in that
+ * it either copies the amount requested or nothing.
+ * 
+ * Returns: %TRUE if @size bytes were copied, %FALSE if not.
+ */
+int            bro_buf_ptr_read(BroBuf *buf, void *data, int size);
+
+/**
+ * bro_buf_ptr_write - Writes a number of bytes into buffer.
+ * @buf: buffer pointer.
+ * @data: data to write.
+ * @size: number of bytes to copy into @data.
+ *
+ * The function writes @size bytes of the area pointed to by @data
+ * into the buffer @buf at the current location of its content pointer,
+ * adjusting the content pointer accordingly. If the buffer doesn't have
+ * enough space to receive @size bytes, more space is allocated.
+ *
+ * Returns: %TRUE if @size bytes were copied, %FALSE if an error
+ * occurred and the bytes could not be copied.
+ */
+int            bro_buf_ptr_write(BroBuf *buf, void *data, int size);
+
+
+/* ------------------------ Configuration Access --------------------- */
+
+/**
+ * bro_conf_set_domain - Sets the current domain to use in a config file.
+ * @domain: name of the domain, or %NULL.
+ *
+ * Broccoli's config files are divided into sections. At the beginning of
+ * each config file you can have an unnamed section that will be used by
+ * default. Case is irrelevant. By passing %NULL for @domain, you select
+ * the default domain, otherwise the one that matches @domain. @domain is
+ * copied internally.
+ */
+void           bro_conf_set_domain(const char *domain);
+
+
+/**
+ * bro_conf_get_int - Retrieves an integer from the configuration
+ * @val_name: key name for the value.
+ * @val: result pointer for the value.
+ *
+ * The function tries to find an integer item named @val_name in the
+ * configuration. If it is found, its value is placed into the
+ * int pointed to by @val.
+ *
+ * Returns: %TRUE if @val_name was found, %FALSE otherwise.
+ */
+int            bro_conf_get_int(const char *val_name, int *val);
+
+
+/**
+ * bro_conf_get_dbl - Retrieves a double float from the configuration
+ * @val_name: key name for the value.
+ * @val: result pointer for the value.
+ *
+ * The function tries to find a double float item named @val_name 
+ * in the configuration. If it is found, its value is placed into the
+ * double pointed to by @val.
+ *
+ * Returns: %TRUE if @val_name was found, %FALSE otherwise.
+ */
+int            bro_conf_get_dbl(const char *val_name, double *val);
+
+
+/**
+ * bro_conf_get_str - Retrieves an integer from the configuration
+ * @val_name: key name for the value.
+ *
+ * The function tries to find a string item named @val_name in the
+ * configuration.
+ *
+ * Returns: the config item if @val_name was found, %NULL otherwise.
+ * A returned string is stored internally and not to be modified. If
+ * you need to keep it around, strdup() it.
+ */
+const char    *bro_conf_get_str(const char *val_name);
+
+
+
+/* ------------------------------ Strings ---------------------------- */
+
+/**
+ * bro_string_init - Initializes an existing string structure.
+ * @bs: string pointer.
+ *
+ * The function initializes the BroString pointed to by @bs. Use this
+ * function before using the members of a BroString you're using on the
+ * stack.
+ */
+void           bro_string_init(BroString *bs);
+
+/**
+ * bro_string_set - Sets a BroString's contents.
+ * @bs: string pointer.
+ * @s: C ASCII string.
+ *
+ * The function initializes the BroString pointed to by @bs to the string
+ * given in @s. @s's content is copied, so you can modify or free @s
+ * after calling this, and you need to call bro_string_cleanup() on the
+ * BroString pointed to by @bs.
+ *
+ * Returns: %TRUE is successful, %FALSE otherwise.
+ */
+int            bro_string_set(BroString *bs, const char *s);
+
+/**
+ * bro_string_set_data - Sets a BroString's contents.
+ * @bs: string pointer.
+ * @data: arbitrary data.
+ * @data_len: length of @data.
+ *
+ * The function initializes the BroString pointed to by @bs to @data_len
+ * bytes starting at @data. @data's content is copied, so you can modify
+ * or free @data after calling this.
+ *
+ * Returns: %TRUE is successful, %FALSE otherwise.
+ */
+int            bro_string_set_data(BroString *bs, const uchar *data, int data_len);
+
+/**
+ * bro_string_get_data - Returns pointer to the string data.
+ * @bs: string pointer.
+ *
+ * The function returns a pointer to the string's internal data. You
+ * can copy out the string using this function in combination with
+ * bro_string_get_length(), for obtaining the string's length.
+ *
+ * Returns: pointer to string, or %NULL on error.
+ */
+const uchar   *bro_string_get_data(const BroString *bs);
+
+/**
+ * bro_string_get_length - Returns string's length.
+ * @bs: string pointer.
+ *
+ * Returns: the string's length.
+ */
+uint32         bro_string_get_length(const BroString *bs);
+  
+/**
+ * bro_string_copy - Duplicates a BroString.
+ * @bs: string pointer.
+ *
+ * Returns: a deep copy of the BroString pointed to by @bs, or %NULL on
+ * error.
+ */
+BroString     *bro_string_copy(BroString *bs);
+
+/**
+ * bro_string_assign - Duplicates a BroString's content, assigning it to an existing one.
+ * @src: source string.
+ * @dst: target string.
+ *
+ * Copies the string content pointed to by @src into the existing
+ * BroString pointed to by @dst. bro_string_cleanup() is called on
+ * @dst before the assignment.
+ */
+void           bro_string_assign(BroString *src, BroString *dst);
+
+/**
+ * bro_string_cleanup - Cleans up existing BroString.
+ * @bs: string pointer.
+ *
+ * This function releases all contents claimed by the BroString pointed
+ * to by @bs, without releasing that BroString structure itself. Use
+ * this when manipulating a BroString on the stack, paired with
+ * bro_string_init().
+ */
+void           bro_string_cleanup(BroString *bs);
+
+/**
+ * bro_string_free - Cleans up dynamically allocated BroString.
+ * @bs: string pointer.
+ * 
+ * This function releases the entire BroString pointed to by @bs, including
+ * the BroString structure itself.
+ */
+void           bro_string_free(BroString *bs);
+
+
+/* -------------------------- Record Handling ------------------------ */
+
+/**
+ * bro_record_new - Creates a new record.
+ *
+ * The function allocates and initializes a new empty record. BroRecords
+ * are used for adding and retrieving records vals to/from events. You
+ * do not have to specify a record type separately when you create a
+ * record. The type is defined implicitly by the sequence of types formed
+ * by the sequence of vals added to the record, along with the names for
+ * each val. See the manual for details.
+ *
+ * Returns: a new record, or %NULL on error.
+ */
+BroRecord     *bro_record_new(void);
+
+/**
+ * bro_record_free - Releases a record.
+ * @rec: record handle.
+ *
+ * The function releases all memory consumed by the record pointed to
+ * by @rec.
+ */
+void           bro_record_free(BroRecord *rec);
+ 
+/**
+ * bro_record_get_length - Returns number of fields in record.
+ * @rec: record handle.
+ *
+ * Returns the number of fields in the record.
+ */
+int            bro_record_get_length(BroRecord *rec);
+
+/**
+ * bro_record_add_val - Adds a val to a record.
+ * @rec: record handle.
+ * @name: field name of the added val.
+ * @type: numerical type tag of the new val.
+ * @type_name: optional name of specialized type.
+ * @val: pointer to the new val*.
+ *
+ * The function adds a new field to the record pointed to by @rec and
+ * assigns the value passed in to that field. The field name is given
+ * in @name, the type of the val is given in @type and must be one of
+ * the %BRO_TYPE_xxx constants defined in broccoli.h. The type you give
+ * implies what data type @val must be pointing to; see the manual for
+ * details. If you want to indicate a type specialized from @type,
+ * use @type_name to give its name, otherwise pass %NULL for @type_name.
+ * It is possible to leave fields unassigned, in that case, pass in
+ * %NULL for @val.
+ *
+ * @val remains the caller's responsibility and is copied internally.
+ *
+ * Returns: %TRUE on success, %FALSE on error.
+ */
+int            bro_record_add_val(BroRecord *rec, const char *name,
+				  int type, const char *type_name,
+				  const void *val);
+
+/**
+ * bro_record_get_nth_val - Retrieves a val from a record by field index.
+ * @rec: record handle.
+ * @num: field index, starting from 0.
+ * @type: value-result argument for the expected/actual type of the value.
+ *
+ * The function returns the @num'th value of the record pointed to
+ * by @rec, expected to be of @type. The returned value is internal
+ * and needs to be duplicated if you want to keep it around. Upon
+ * return, the int pointed to by @type tells you the type of the returned
+ * val, as a BRO_TYPE_xxx type tag. If the int pointed to upon calling
+ * the function has the value BRO_TYPE_UNKNOWN, no type checking is
+ * performed and the value is returned. If it is any other type tag,
+ * its value is compared to that of the value, and if they match, the
+ * value is returned. Otherwise, the return value is %NULL. If you don't
+ * care about type enforcement and don't want to know the value's type,
+ * you may pass %NULL for @type.
+ *
+ * Returns: pointer to queried value on success, %NULL on error.
+ */
+void*          bro_record_get_nth_val(BroRecord *rec, int num, int *type);
+
+
+/**
+ * bro_record_get_nth_name - Retrieves a name from a record by field index.
+ * @rec: record handle.
+ * @num: field index, starting from 0.
+ *
+ * The function returns the @num'th name of the record pointed to by @rec. 
+ *
+ * Returns: field name on success, %NULL on error.
+ */
+const char*    bro_record_get_nth_name(BroRecord *rec, int num);
+
+
+/**
+ * bro_record_get_named_val - Retrieves a val from a record by field name.
+ * @rec: record handle.
+ * @name: field name.
+ * @type: value-result argument for the expected/actual type of the value.
+ *
+ * The function returns the value of the field named @name in the
+ * record pointed to by @rec. The returned value is internal and needs
+ * to be duplicated if you want to keep it around. @type works as with
+ * bro_record_get_nth_val(), see there for more details.
+ *
+ * Returns: pointer to queried value on success, %NULL on error.
+ */
+void*          bro_record_get_named_val(BroRecord *rec, const char *name, int *type);
+
+
+/**
+ * bro_record_set_nth_val - Replaces a val in a record, identified by field index.
+ * @rec: record handle.
+ * @num: field index, starting from 0.
+ * @type: expected type of the value.
+ * @type_name: optional name of specialized type.
+ * @val: pointer to new val.
+ *
+ * The function replaces the @num'th value of the record pointed to
+ * by @rec, expected to be of @type. All values are copied internally
+ * so what @val points to stays unmodified. The value of @type implies
+ * what @result must be pointing to. See the manual for details.
+ * If you want to indicate a type specialized from @type, use
+ * @type_name to give its name, otherwise pass %NULL for @type_name.
+ *
+ * Returns: %TRUE on success, %FALSE on error.
+ */
+int            bro_record_set_nth_val(BroRecord *rec, int num,
+				      int type, const char *type_name,
+				      const void *val);
+
+/**
+ * bro_record_set_named_val - Replaces a val in a record, identified by name.
+ * @rec: record handle.
+ * @name: field name.
+ * @type: expected type of the value.
+ * @type_name: optional name of specialized type.
+ * @val: pointer to new val.
+ *
+ * The function replaces the value named @name in the record pointed to
+ * by @rec, expected to be of @type. All values are copied internally
+ * so what @val points to stays unmodified. The value of @type implies
+ * what @result must be pointing to. See the manual for details.
+ * If you want to indicate a type specialized from @type,
+ * use @type_name to give its name, otherwise pass %NULL for @type_name.
+ *
+ * Returns: %TRUE on success, %FALSE on error.
+ */
+int            bro_record_set_named_val(BroRecord *rec, const char *name,
+					int type, const char *type_name,
+					const void *val);
+
+
+/* -------------------------- Tables & Sets -------------------------- */
+
+/**
+ * BroTableCallback - The signature of callbacks for iterating over tables.
+ * @key: a pointer to the key of a key-value pair.
+ * @val: a pointer to @key's corresponding value.
+ * @user_data: user data passed through.
+ *
+ * This is the signature of callbacks used when iterating over all
+ * elements stored in a BroTable.
+ *
+ * Returns: TRUE if iteration should continue, FALSE if done.
+ */
+typedef int (*BroTableCallback) (void *key, void *val, void *user_data);
+
+
+BroTable      *bro_table_new(void);
+void           bro_table_free(BroTable *tbl);
+
+int            bro_table_insert(BroTable *tbl,
+				int key_type, const void *key,
+				int val_type, const void *val);
+
+void          *bro_table_find(BroTable *tbl, const void *key);
+
+int            bro_table_get_size(BroTable *tbl);
+
+void           bro_table_foreach(BroTable *tbl, BroTableCallback cb,
+				 void *user_data);
+
+void           bro_table_get_types(BroTable *tbl,
+				   int *key_type, int *val_type);
+
+
+/**
+ * BroTableCallback - The signature of callbacks for iterating over sets.
+ * @val: a pointer to an element in the set.
+ * @user_data: user data passed through.
+ *
+ * This is the signature of callbacks used when iterating over all
+ * elements stored in a BroSet.
+ *
+ * Returns: TRUE if iteration should continue, FALSE if done.
+ */
+typedef int (*BroSetCallback) (void *val, void *user_data);
+
+BroSet        *bro_set_new(void);
+void           bro_set_free(BroSet *set);
+
+int            bro_set_insert(BroSet *set, int type, const void *val);
+
+int            bro_set_find(BroSet *set, const void *key);
+
+int            bro_set_get_size(BroSet *set);
+
+void           bro_set_foreach(BroSet *set, BroSetCallback cb,
+			       void *user_data);
+
+void           bro_set_get_type(BroSet *set, int *type);
+
+	
+/* ----------------------- Pcap Packet Handling ---------------------- */
+#ifdef BRO_PCAP_SUPPORT
+
+/**
+ * bro_conn_set_packet_ctxt - Sets current packet context for connection.
+ * @bc: connection handle.
+ * @link_type: libpcap DLT linklayer type.
+ * 
+ * The function sets the packet context for @bc for future BroPackets
+ * handled by this connection.
+ */
+void           bro_conn_set_packet_ctxt(BroConn *bc, int link_type);
+
+/**
+ * bro_conn_get_packet_ctxt - Gets current packet context for connection.
+ * @bc: connection handle.
+ * @link_type: result pointer for libpcap DLT linklayer type.
+ * 
+ * The function returns @bc's current packet context through @link_type.
+ */
+void           bro_conn_get_packet_ctxt(BroConn *bc, int *link_type);
+
+/** 
+ * bro_packet_new - Creates new packet.
+ * @hdr: pointer to libpcap packet header.
+ * @data: pointer to libpcap packet data.
+ * @tag: pointer to ASCII tag (0 for no tag).
+ * 
+ * The function creates a new BroPacket by copying @hdr and @data internally.
+ * Release the resulting packet using bro_packet_free().
+ */
+BroPacket     *bro_packet_new(const struct pcap_pkthdr *hdr, const u_char *data, const char* tag);
+
+/**
+ * bro_packet_clone - Clones a packet.
+ * @packet: packet to clone.
+ *
+ * Returns: a copy of @packet, or %NULL on error.
+ */
+BroPacket     *bro_packet_clone(const BroPacket *packet);
+
+/**
+ * bro_packet_free - Releases a packet.
+ * @packet: packet to release.
+ * 
+ * The function releases all memory occupied by a packet previously allocated
+ * using bro_packet_new().
+ */
+void           bro_packet_free(BroPacket *packet);
+
+/**
+ * bro_packet_send - Sends a packet over a given connection.
+ * @bc: connection on which to send packet.
+ * @packet: packet to send.
+ *
+ * The function sends @packet to the Bro peer connected via @bc.
+ *
+ * Returns: %TRUE if successful, %FALSE otherwise.
+ */
+int            bro_packet_send(BroConn *bc, BroPacket *packet);
+
+#endif
+
+/* --------------------------- Miscellaneous ------------------------- */
+
+/**
+ * bro_util_current_time - Gets current time
+ * 
+ * Returns: the current system time as a double, in seconds, suitable
+ * for passing to bro_event_add_time().
+ */
+double         bro_util_current_time(void);
+
+/**
+ * bro_util_timeval_to_double - Converts timeval struct to double.
+ * @tv: pointer to timeval structure.
+ *
+ * Returns: a double encoding the timestamp given in @tv in a floating
+ * point double, with the fraction of a second between 0.0 and 1.0.
+ */
+double         bro_util_timeval_to_double(const struct timeval *tv);
+  
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/aux/broccoli/svn.pl b/aux/broccoli/svn.pl
new file mode 100755
index 0000000000..581593f615
--- /dev/null
+++ b/aux/broccoli/svn.pl
@@ -0,0 +1,183 @@
+#!/usr/bin/perl -w
+
+# CVS/SVN wrapper script that maintains a nice ChangeLog for us.
+# Heavily hacked & cleaned up, originally based upon a script
+# that was once used in the Enlightenment project.
+
+use strict;
+use FileHandle;
+
+
+# Prototypes
+#_______________________________________________________________________
+
+sub create_changelog;
+sub validate_commit_message;
+sub create_commit_message;
+sub setup_username_translation;
+sub update_changelog;
+sub check_parameters;
+
+
+# Globals
+#_______________________________________________________________________
+my %names;
+my ($date, $author);
+
+# Formats
+#_______________________________________________________________________
+format ENTRY =
+@<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< @>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
+$date, $author
+.
+    
+    
+# Subroutines
+#_______________________________________________________________________
+    
+sub setup_username_translation {
+    
+    $names{"kreibich"} = "Christian <christian\@whoop.org>";
+    $names{"cpk25"} = "Christian <christian\@whoop.org>";    
+    $names{"christian"} = "Christian <christian\@whoop.org>";    
+}
+
+
+
+sub create_changelog {
+    
+    my $cl = "ChangeLog";
+    my $num_lines;
+    my $wc;
+    my @lines;
+    my @commitlines;
+    my $line;
+    
+    print "Updating the ChangeLog with your entry.\n";
+    
+    if (open CHANGELOG, $cl) {
+	@lines = <CHANGELOG>;
+	close CHANGELOG;
+	
+	shift (@lines);
+	shift (@lines);
+    }  
+    
+    
+    open CHANGELOG, ">$cl";
+    print CHANGELOG <<eof;
+Broccoli Changelog
+========================================================================
+
+eof
+
+    if (open COMMITLOG, "CommitLog") {
+	@commitlines = <COMMITLOG>;
+	close COMMITLOG;
+    }  
+    
+    CHANGELOG->format_name("ENTRY");
+    $date   = `date`;
+    $author = $names{$ENV{USER}};
+    write CHANGELOG;
+    CHANGELOG->format_name();
+    print CHANGELOG "\n";
+    print CHANGELOG @commitlines;
+    print CHANGELOG "\n------------------------------------------------------------------------\n";
+    print CHANGELOG @lines;
+    close CHANGELOG;
+}
+
+sub create_commit_message {
+    
+    print "Please create a log message for the ChangeLog.\n";
+    
+    if (open COMMITLOG, ">CommitLog") {
+	print COMMITLOG "-" x 72;
+	print COMMITLOG "\n";
+	close COMMITLOG;
+    }  
+
+    if($ENV{EDITOR}) {
+	system("$ENV{EDITOR} CommitLog");
+    } else {
+	system("vi CommitLog");
+    }
+}
+
+
+sub update_changelog {
+  
+    my @ARGV2;
+    
+    @ARGV2 = @ARGV;
+    $ARGV2[0] = "update";
+  
+    print "Force updating ChangeLog\n";
+    unlink "ChangeLog";
+    system("svn update ChangeLog");
+}
+
+
+sub check_parameters {
+
+    if (scalar(@ARGV) < 1) {
+	print "USAGE: cvs.pl <comands> <files>\n";
+	exit (0);
+    }
+}
+
+# Main Program
+#_______________________________________________________________________
+
+check_parameters();
+setup_username_translation();
+
+if (($ARGV[0] =~ /com/) || ($ARGV[0] =~ /ci/)) {
+    my @ARGV2;
+    
+    create_commit_message();
+    update_changelog();
+    
+    $ARGV[0] .= " -F CommitLog";
+    @ARGV2 = @ARGV;
+    $ARGV2[0] = "update";
+    
+    print "Updating the files you are committing.\n";
+    system("svn @ARGV2 2>&1 |tee errors");
+    
+    if (open ERRORS, "errors") {
+
+	while(<ERRORS>) {
+
+	    if (/conflicts during merge/) {
+		print "There are one or more conflicts,\n" .
+		      "Please resolve and try again.\n";
+		unlink "errors" if(-f "errors");
+		exit(0);
+	    }
+	}
+	
+	close ERRORS;
+    }
+    
+    unlink "errors" if(-f "errors");    
+    create_changelog();
+    
+    if($#ARGV >= 1) {
+
+	my $found;
+	
+	$found = 0;
+
+	foreach(@ARGV) {
+	    $found = 1 if(/ChangeLog$/);
+	}
+
+	push @ARGV, "ChangeLog" if(! $found);
+    }
+}
+
+print "svn @ARGV\n";
+system("svn @ARGV");
+print "Finished.\n"
diff --git a/aux/broccoli/test/Makefile.am b/aux/broccoli/test/Makefile.am
new file mode 100644
index 0000000000..a41709e187
--- /dev/null
+++ b/aux/broccoli/test/Makefile.am
@@ -0,0 +1,29 @@
+## Process this file with automake to produce Makefile.in
+
+# A list of all the files in the current directory which can be regenerated
+MAINTAINERCLEANFILES = Makefile.in Makefile dummysensor
+
+INCLUDES = -I$(top_srcdir)/src -W -Wall -Wno-unused
+
+if BRO_PCAP_SUPPORT
+PCAP_TESTS =
+else
+PCAP_TESTS = 
+endif
+
+noinst_PROGRAMS = broping broconn brohose broconftest broenum brotable $(PCAP_TESTS)
+
+LDADD = $(top_builddir)/src/.libs/libbroccoli.a @BRO_LIBADD@
+
+broping_SOURCES = broping.c
+broconn_SOURCES = broconn.c
+brohose_SOURCES = brohose.c
+broenum_SOURCES = broenum.c
+broconftest_SOURCES = broconftest.c
+brotable_SOURCES = brotable.c
+
+# don't install any of this stuff
+#install-binPROGRAMS:
+#uninstall-binPROGRAMS:
+
+EXTRA_DIST = broping.bro brohose.bro broenum.bro broping-record.bro broconn.bro
diff --git a/aux/broccoli/test/broconftest.c b/aux/broccoli/test/broconftest.c
new file mode 100644
index 0000000000..d221d59968
--- /dev/null
+++ b/aux/broccoli/test/broconftest.c
@@ -0,0 +1,50 @@
+/*
+       B R O C C O L I  --  The Bro Client Communications Library
+
+Copyright (C) 2004-2007 Christian Kreibich <christian (at) icir.org>
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to
+deal in the Software without restriction, including without limitation the
+rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+sell copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies of the Software and its documentation and acknowledgment shall be
+given in the documentation and software packages that this Software was
+used.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+*/
+#include <stdio.h>
+#include <stdlib.h>
+
+#include <broccoli.h>
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+int
+main(int argc, char **argv)
+{
+  int i;
+  const char *s;
+
+  bro_init(NULL);
+
+  if ( (s = bro_conf_get_str("PeerName")))
+    printf("PeerName: %s\n", s);
+
+  if (bro_conf_get_int("PeerPort", &i))
+    printf("PeerPort: %i\n", i);
+  
+  return 0;
+}
diff --git a/aux/broccoli/test/broconn.bro b/aux/broccoli/test/broconn.bro
new file mode 100644
index 0000000000..37540df01b
--- /dev/null
+++ b/aux/broccoli/test/broconn.bro
@@ -0,0 +1,50 @@
+# Depending on whether you want to use encryption or not,
+# include "listen-clear" or "listen-ssl":
+#
+# @load listen-ssl
+@load listen-clear
+@load conn
+@load dpd
+
+# Let's make sure we use the same port no matter whether we use encryption or not:
+#
+@ifdef (listen_port_clear)
+redef listen_port_clear    = 47758/tcp;
+@endif
+
+# If we're using encrypted communication, redef the SSL port and hook in
+# the necessary certificates:
+#
+@ifdef (listen_port_ssl)
+redef listen_port_ssl      = 47758/tcp;
+redef ssl_ca_certificate   = "<path>/ca_cert.pem";
+redef ssl_private_key      = "<path>/bro.pem";
+@endif
+
+redef Remote::destinations += {
+	["broconn"] = [$host = 127.0.0.1, $connect=F, $ssl=F]
+};
+
+redef dpd_conn_logs = T;
+
+function services_to_string(ss: string_set): string
+{
+	local result = "";
+
+	for (s in ss)
+	    result = fmt("%s %s", result, s);
+	
+	return result;
+}
+
+event new_connection(c: connection)
+{
+	print fmt("new_connection: %s, services:%s",
+	          id_string(c$id), services_to_string(c$service));
+}
+
+event connection_finished(c: connection)
+{
+	print fmt("connection_finished: %s, services:%s",
+	          id_string(c$id), services_to_string(c$service));
+}
diff --git a/aux/broccoli/test/broconn.c b/aux/broccoli/test/broconn.c
new file mode 100644
index 0000000000..dea050870d
--- /dev/null
+++ b/aux/broccoli/test/broconn.c
@@ -0,0 +1,354 @@
+/*
+       B R O C C O L I  --  The Bro Client Communications Library
+
+Copyright (C) 2004-2007 Christian Kreibich <christian (at) icir.org>
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to
+deal in the Software without restriction, including without limitation the
+rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+sell copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies of the Software and its documentation and acknowledgment shall be
+given in the documentation and software packages that this Software was
+used.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+*/
+#include <sys/types.h>
+#include <sys/time.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <time.h>
+#include <errno.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <string.h>
+
+#include <broccoli.h>
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+char *host_default = "127.0.0.1";
+char *port_default = "47758";
+char *host_str;
+char *port_str;
+
+int count = -1;
+int seq;
+
+static void
+usage(void)
+{
+  printf("broconn - dumps arriving connection events to console.\n"
+	 "USAGE: broconn [-h|-?] [-d] [-p port] host\n");
+  exit(0);
+}
+
+/* Snippet from Bro policies containing relevant record types:
+
+type connection: record {
+	id: conn_id;
+	orig: endpoint;
+	resp: endpoint;
+	start_time: time;
+	duration: interval;
+	service: string;
+	addl: string;
+	hot: count;
+};
+
+type conn_id: record {
+	orig_h: addr;
+	orig_p: port;
+	resp_h: addr;
+	resp_p: port;
+};
+
+type endpoint: record {
+	size: count;
+	state: count;
+};
+
+*/
+
+static int
+services_print_cb(BroString *service, void *user_data)
+{
+  printf("'%s' ", service->str_val);
+  
+  return TRUE;
+  user_data = NULL;
+}
+
+static void
+conn_generic(BroConn *bc, BroRecord *conn)
+{
+  BroRecord *id, *orig, *resp;
+  BroSet *services;
+  BroString *addl;
+  BroPort *port;
+  uint32 *addr, *size, *state;
+  double *start_time, *duration;
+  struct in_addr ip;
+  int type = BRO_TYPE_RECORD;
+
+  if (! (id = bro_record_get_named_val(conn, "id", &type)))
+    {
+      printf("[Error obtaining 'id' member from connection record.]\n");
+      return;
+    }
+
+  if (! (orig = bro_record_get_named_val(conn, "orig", &type)))
+    {
+      printf("[Error obtaining 'orig' member from connection record.]\n");
+      return;
+    }
+
+  if (! (resp = bro_record_get_named_val(conn, "resp", &type)))
+    {
+      printf("[Error obtaining 'orig' member from connection record.]\n");
+      return;
+    }
+  
+  type = BRO_TYPE_IPADDR;
+
+  if (! (addr = bro_record_get_named_val(id, "orig_h", &type)))
+    {
+      printf("[Error obtaining 'orig_h' member from connection ID record.]\n");
+      return;
+    }
+
+  type = BRO_TYPE_PORT;
+
+  if (! (port = bro_record_get_named_val(id, "orig_p", &type)))
+    {
+      printf("[Error obtaining 'orig_p' member from connection ID record.]\n");
+      return;
+    }
+
+  type = BRO_TYPE_COUNT;
+
+  if (! (size = bro_record_get_named_val(orig, "size", &type)))
+    {
+      printf("[Error obtaining 'size' member from orig endpoint record.]\n");
+      return;
+    }
+
+  if (! (state = bro_record_get_named_val(orig, "state", &type)))
+    {
+      printf("[Error obtaining 'state' member from orig endpoint record.]\n");
+      return;
+    }
+
+  ip.s_addr = *addr;
+  printf("%s/%u [%u/%u] -> ", inet_ntoa(ip), port->port_num, *size, *state);
+  type = BRO_TYPE_IPADDR;
+
+  if (! (addr = bro_record_get_named_val(id, "resp_h", &type)))
+    {
+      printf("[Error obtaining 'resp_h' member from connection ID record.]\n");
+      return;
+    }
+
+  type = BRO_TYPE_PORT;
+
+  if (! (port = bro_record_get_named_val(id, "resp_p", &type)))
+    {
+      printf("[Error obtaining 'resp_p' member from connection ID record.]\n");
+      return;
+    }
+
+  type = BRO_TYPE_COUNT;
+
+  if (! (size = bro_record_get_named_val(resp, "size", &type)))
+    {
+      printf("[Error obtaining 'size' member from orig endpoint record.]\n");
+      return;
+    }
+
+  if (! (state = bro_record_get_named_val(resp, "state", &type)))
+    {
+      printf("[Error obtaining 'state' member from orig endpoint record.]\n");
+      return;
+    }
+
+  ip.s_addr = *addr;
+  printf("%s/%u [%u/%u], ", inet_ntoa(ip), port->port_num, *size, *state);
+  type = BRO_TYPE_TIME;
+
+  if (! (start_time = bro_record_get_named_val(conn, "start_time", &type)))
+    {
+      printf("[Error obtaining 'start_time' member from connection record.]\n");
+      return;
+    }
+
+  type = BRO_TYPE_INTERVAL;
+
+  if (! (duration = bro_record_get_named_val(conn, "duration", &type)))
+    {
+      printf("[Error obtaining 'duration' member from connection record.]\n");
+      return;
+    }
+
+  type = BRO_TYPE_SET;
+
+  services = bro_record_get_named_val(conn, "service", &type);
+
+  type = BRO_TYPE_STRING;
+  
+  if (! (addl = bro_record_get_named_val(conn, "addl", &type)))
+    {
+      printf("[Error obtaining 'addl' member from connection record.]\n");
+      return;
+    }
+  
+  printf("start: %f, duration: %f, addl: '%s', ",
+	 *start_time, *duration, addl->str_val);
+  
+  if (services)
+    {
+      int type;
+
+      bro_set_get_type(services, &type);
+
+      printf("%i services (type check: %d) ",
+	     bro_set_get_size(services), type);
+	     
+      if (bro_set_get_size(services) > 0)
+	bro_set_foreach(services, (BroSetCallback) services_print_cb, NULL);
+    }
+  else
+    printf("no services listed");
+  
+  printf("\n");
+}
+
+static void
+conn_new(BroConn *bc, void *data, BroRecord *conn)
+{
+  printf("new_connection: ");
+  conn_generic(bc, conn);
+  data = NULL;
+}
+
+static void
+conn_fin(BroConn *bc, void *data, BroRecord *conn)
+{
+  printf("connection_finished: ");
+  conn_generic(bc, conn);
+  data = NULL;
+}
+
+
+int
+main(int argc, char **argv)
+{
+  int opt, port, fd, debugging = 0;
+  BroConn *bc;
+  extern char *optarg;
+  extern int optind;
+  char hostname[512];
+  fd_set fd_read;
+
+  bro_init(NULL);
+
+  host_str = host_default;
+  port_str = port_default;
+
+  bro_debug_calltrace = 0;
+  bro_debug_messages  = 0;
+
+  while ( (opt = getopt(argc, argv, "c:p:dh?r")) != -1)
+    {
+      switch (opt)
+	{
+	case 'd':
+	  debugging++;
+
+	  if (debugging == 1)
+	    bro_debug_messages = 1;
+	  
+	  if (debugging > 1)
+	    bro_debug_calltrace = 1;
+	  break;
+
+	case 'h':
+	case '?':
+	  usage();
+
+	case 'p':
+	  port_str = optarg;
+	  break;
+
+	default:
+	  usage();
+	}
+    }
+
+  argc -= optind;
+  argv += optind;
+
+  if (argc > 0)
+    host_str = argv[0];
+
+  port = strtol(port_str, NULL, 0);
+  if (errno == ERANGE)
+    {
+      printf("Please provide a port number with -p.\n");
+      exit(-1);
+    }
+
+  snprintf(hostname, 512, "%s:%s", host_str, port_str);
+  
+  /* Connect to Bro */
+  if (! (bc = bro_conn_new_str(hostname, BRO_CFLAG_RECONNECT | BRO_CFLAG_ALWAYS_QUEUE)))
+    {
+      printf("Couldn't get Bro connection handle.\n");
+      exit(-1);
+    }
+  
+  /* Request a few event types and have the corresponding callbacks
+   * called when they arrive. The callback mechanism automatically figures out
+   * the number of arguments and invokes the callback accordingly.
+   */
+  bro_event_registry_add(bc, "new_connection", (BroEventFunc) conn_new, NULL);
+  bro_event_registry_add(bc, "connection_finished", (BroEventFunc) conn_fin, NULL);
+ 
+  if (! bro_conn_connect(bc))
+    {
+      printf("Could not connect to Bro at %s:%s.\n", host_str, port_str);
+      exit(-1);
+    }
+  
+  /* Sit and wait for events */
+  fd = bro_conn_get_fd(bc);
+
+  for ( ; ; )
+    {
+      FD_ZERO(&fd_read);
+      FD_SET(fd, &fd_read);
+      
+      if (select(fd + 1, &fd_read, NULL, NULL, NULL) <= 0)
+	break;
+      
+      bro_conn_process_input(bc);
+    }
+  
+  /* Disconnect from Bro and release state. */
+  bro_conn_delete(bc);
+
+  return 0;
+}
diff --git a/aux/broccoli/test/broenum.bro b/aux/broccoli/test/broenum.bro
new file mode 100644
index 0000000000..fd4d55fc4f
--- /dev/null
+++ b/aux/broccoli/test/broenum.bro
@@ -0,0 +1,33 @@
+# Depending on whether you want to use encryption or not,
+# include "listen-clear" or "listen-ssl":
+#
+# @load listen-ssl
+@load listen-clear
+
+# Let's make sure we use the same port no matter whether we use encryption or not:
+#
+@ifdef (listen_port_clear)
+redef listen_port_clear    = 47758/tcp;
+@endif
+
+# If we're using encrypted communication, redef the SSL port and hook in
+# the necessary certificates:
+#
+@ifdef (listen_port_ssl)
+redef listen_port_ssl      = 47758/tcp;
+redef ssl_ca_certificate   = "<path>/ca_cert.pem";
+redef ssl_private_key      = "<path>/bro.pem";
+@endif
+
+module enumtest;
+
+type enumtype: enum { ENUM1, ENUM2, ENUM3, ENUM4 };
+
+redef Remote::destinations += {
+	["broenum"] = [$host = 127.0.0.1, $events = /enumtest/, $connect=F, $ssl=F]
+};
+
+event enumtest(e: enumtype)
+	{
+	print fmt("Received enum val %d/%s", e, e);
+	}
diff --git a/aux/broccoli/test/broenum.c b/aux/broccoli/test/broenum.c
new file mode 100644
index 0000000000..a450dbfcb1
--- /dev/null
+++ b/aux/broccoli/test/broenum.c
@@ -0,0 +1,171 @@
+/*
+       B R O C C O L I  --  The Bro Client Communications Library
+
+Copyright (C) 2004-2007 Christian Kreibich <christian (at) icir.org>
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to
+deal in the Software without restriction, including without limitation the
+rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+sell copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies of the Software and its documentation and acknowledgment shall be
+given in the documentation and software packages that this Software was
+used.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+*/
+#include <sys/types.h>
+#include <sys/time.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <time.h>
+#include <errno.h>
+
+#include <broccoli.h>
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+char *host_default = "127.0.0.1";
+char *port_default = "47758";
+char *host_str;
+char *port_str;
+
+char *type = "enumtest::enumtype";
+
+static void
+usage(void)
+{
+  printf("broenum - sends enum vals to a Bro node, printing the corresponding\n"
+	 "string value on the Bro side.\n"
+	 "USAGE: broping [-h|-?] [-d] [-p port] [-t type] [-n num] host\n");
+  exit(0);
+}
+
+int
+main(int argc, char **argv)
+{
+  int opt, port, debugging = 0;
+  BroConn *bc;
+  BroEvent *ev;
+  extern char *optarg;
+  extern int optind;
+  char hostname[512];
+  int enumval;
+
+  bro_init(NULL);
+
+  host_str = host_default;
+  port_str = port_default;
+
+  bro_debug_calltrace = 0;
+  bro_debug_messages  = 0;
+
+  while ( (opt = getopt(argc, argv, "t:n:p:dh?")) != -1)
+    {
+      switch (opt)
+	{
+	case 'd':
+	  debugging++;
+
+	  if (debugging == 1)
+	    bro_debug_messages = 1;
+	  
+	  if (debugging > 1)
+	    bro_debug_calltrace = 1;
+	  break;
+
+	case 'h':
+	case '?':
+	  usage();
+
+	case 't':
+	  type = optarg;
+	  break;
+
+	case 'n':
+	  enumval = strtol(optarg, NULL, 0);
+	  if (errno == ERANGE)
+	    {
+	      printf("Please provide an integer to -n.\n");
+	      exit(-1);
+	    }
+	  break;
+	  
+	case 'p':
+	  port_str = optarg;
+	  break;
+
+	default:
+	  usage();
+	}
+    }
+
+  argc -= optind;
+  argv += optind;
+
+  if (argc > 0)
+    host_str = argv[0];
+
+  port = strtol(port_str, NULL, 0);
+  if (errno == ERANGE)
+    {
+      printf("Please provide a port number with -p.\n");
+      exit(-1);
+    }
+
+  if (!type)
+    usage();
+
+  printf("Sending enum val %i to remote peer.\n", enumval);
+
+  snprintf(hostname, 512, "%s:%s", host_str, port_str);
+  
+  /* Connect to Bro */
+  if (! (bc = bro_conn_new_str(hostname, BRO_CFLAG_NONE)))
+    {
+      printf("Could not get Bro connection handle.\n");
+      exit(-1);
+    }
+  
+  if (! bro_conn_connect(bc))
+    {
+      printf("Could not connect to Bro at %s:%s.\n", host_str, port_str);
+      exit(-1);
+    }
+    
+  /* Create empty "ping" event */
+  if (! (ev = bro_event_new("enumtest")))
+    {
+      printf("Couldn't create event structure.\n");
+      exit(-1);
+    }
+
+  /* We send the given number as an instance of an enum type defined
+   * in the remote Bro's policy:
+   */
+  bro_event_add_val(ev, BRO_TYPE_ENUM, type, &enumval);
+	      
+  /* Ship it -- sends it if possible, queues it otherwise */
+  bro_event_send(bc, ev);
+  bro_event_free(ev);
+  
+  /* Make sure we sent the thing. */
+  while (bro_event_queue_length(bc) > 0)
+    bro_event_queue_flush(bc);
+
+  /* Disconnect from Bro and release state. */
+  bro_conn_delete(bc);
+  
+  return 0;
+}
diff --git a/aux/broccoli/test/brohose.bro b/aux/broccoli/test/brohose.bro
new file mode 100644
index 0000000000..a2081bb70c
--- /dev/null
+++ b/aux/broccoli/test/brohose.bro
@@ -0,0 +1,30 @@
+# Depending on whether you want to use encryption or not,
+# include "listen-clear" or "listen-ssl":
+#
+# @load listen-ssl
+@load listen-clear
+
+global brohose_log = open_log_file("brohose");
+
+# Let's make sure we use the same port no matter whether we use encryption or not:
+#
+@ifdef (listen_port_clear)
+redef listen_port_clear    = 47758/tcp;
+@endif
+
+# If we're using encrypted communication, redef the SSL port and hook in
+# the necessary certificates:
+#
+@ifdef (listen_port_ssl)
+redef listen_port_ssl      = 47758/tcp;
+redef ssl_ca_certificate   = "<path>/ca_cert.pem";
+redef ssl_private_key      = "<path>/bro.pem";
+@endif
+
+redef Remote::destinations += {
+	["brohose"] = [$host = 127.0.0.1, $events = /brohose/, $connect=F, $ssl=F]
+};
+
+event brohose(id: string) {
+	print brohose_log, fmt("%s %s", id, current_time());
+}
diff --git a/aux/broccoli/test/brohose.c b/aux/broccoli/test/brohose.c
new file mode 100644
index 0000000000..b1c79adedb
--- /dev/null
+++ b/aux/broccoli/test/brohose.c
@@ -0,0 +1,236 @@
+/*
+       B R O C C O L I  --  The Bro Client Communications Library
+
+Copyright (C) 2004-2007 Christian Kreibich <christian (at) icir.org>
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to
+deal in the Software without restriction, including without limitation the
+rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+sell copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies of the Software and its documentation and acknowledgment shall be
+given in the documentation and software packages that this Software was
+used.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+*/
+#include <sys/types.h>
+#include <sys/time.h>
+#include <sys/wait.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <time.h>
+#include <errno.h>
+#include <unistd.h>
+
+#include <broccoli.h>
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+char *host_default = "127.0.0.1";
+char *port_default = "47758";
+char *host_str;
+char *port_str;
+
+int num_procs  = 10;
+int num_events = 1000;
+int seq;
+
+static void
+usage(void)
+{
+  printf("brohose - sends events to a Bro node from multiple processes in parallel.\n"
+	 "USAGE: brohose [-h|-?] [-n <# processes>] [-e <# events>] [-p port] host\n"
+	 "  -h|?                 this message\n"
+	 "  -n  <# processes>    number of processes to use (10)\n"
+	 "  -e  <# events>       number of events per process (1000)\n"
+	 "  -p <port>            port to contact\n"
+	 "  host                 host to contanct\n\n");
+  exit(0);
+}
+
+static void
+hose_away(BroConn *bc)
+{
+  BroEvent *ev;
+  BroString str;
+  int i;
+  pid_t pid = getpid();
+  char msg[1024];
+
+  printf("++ child %u\n", pid);
+  
+  for (i = 0; i < num_events; i++)
+    {
+      /* Create empty "ping" event */
+      if (! (ev = bro_event_new("brohose")))
+	{
+	  printf("**** EEEEK\n");
+	  bro_conn_delete(bc);
+	  return;
+	}
+
+      snprintf(msg, 1024, "%u-%i-%i", pid, i, bro_event_queue_length(bc));
+      bro_string_set(&str, msg);
+      bro_event_add_val(ev, BRO_TYPE_STRING, NULL, &str);
+      
+      /* Ship it -- sends it if possible, queues it otherwise */
+      bro_event_send(bc, ev);
+
+      bro_event_free(ev);
+      bro_string_cleanup(&str);
+      
+      if (bro_event_queue_length(bc) > bro_event_queue_length_max(bc) / 2)
+	{
+	  while (bro_event_queue_length(bc) > 0)
+	    bro_event_queue_flush(bc);
+	}
+    }
+
+  while (bro_event_queue_length(bc) > 0)
+    bro_event_queue_flush(bc);
+
+  printf("-- child %u, %i queued\n", pid, bro_event_queue_length(bc));
+  bro_conn_delete(bc);
+}
+
+
+int
+main(int argc, char **argv)
+{
+  int i, opt, port, debugging = 0;
+  BroConn *bc;
+  extern char *optarg;
+  extern int optind;
+  char hostname[512];
+  
+  bro_init(NULL);
+
+  host_str = host_default;
+  port_str = port_default;
+
+  bro_debug_calltrace = 0;
+  bro_debug_messages  = 0;
+
+  while ( (opt = getopt(argc, argv, "n:e:p:dh?")) != -1)
+    {
+      switch (opt)
+	{
+	case 'd':
+	  debugging++;
+
+	  if (debugging == 1)
+	    bro_debug_messages = 1;
+	  
+	  if (debugging > 1)
+	    bro_debug_calltrace = 1;
+	  break;
+	  
+	case 'h':
+	case '?':
+	  usage();
+	  
+	case 'n':
+	  num_procs = strtol(optarg, NULL, 0);
+	  if (errno == ERANGE || num_procs < 1 || num_procs > 100)
+	    {
+	      printf("Please restrict the number of processes to 1-100.\n");
+	      exit(-1);
+	    }
+	  break;
+	  
+	case 'e':
+	  num_events = strtol(optarg, NULL, 0);
+	  if (errno == ERANGE || num_events < 1 || num_events > 10000)
+	    {
+	      printf("Please restrict the number of events to 1-10,000..\n");
+	      exit(-1);
+	    }
+	  break;
+	  
+	case 'p':
+	  port_str = optarg;
+	  break;
+	  
+	default:
+	  usage();
+	}
+    }
+  
+  argc -= optind;
+  argv += optind;
+
+  if (argc > 0)
+    host_str = argv[0];
+
+  port = strtol(port_str, NULL, 0);
+  if (errno == ERANGE)
+    {
+      printf("Please provide a port number with -p.\n");
+      exit(-1);
+    }
+
+  snprintf(hostname, 512, "%s:%s", host_str, port_str);
+
+  printf("Will attempt to send %i events from %i processes, to %s\n",
+	 num_events, num_procs, hostname);
+  
+  /* Connect to Bro */
+  if (! (bc = bro_conn_new_str(hostname, BRO_CFLAG_SHAREABLE)))
+    {
+      printf("Couldn't get Bro connection handle.\n");
+      exit(-1);
+    }
+
+  if (! bro_conn_connect(bc))
+    {
+      printf("Could not connect to Bro at %s:%s.\n", host_str, port_str);
+      exit(-1);
+    }
+
+  for (i = 0; i < num_procs; i++)
+    {
+      int pid = fork();
+      
+      if (pid < 0)
+	{
+	  printf("Couldn't fork children, aborting.\n");
+	  exit(-1);
+	}
+      
+      if (pid == 0)
+	{
+	  hose_away(bc);
+	  exit(0);
+	}
+    }
+
+  while (i > 0)
+    {
+      int status;
+
+      wait(&status);
+      i--;
+    }
+
+  
+  /* Disconnect from Bro -- this will keep the copies in the children
+   * working but reduce the reference count of the underlying socket so
+   * that eventually it is really closed.
+   */
+  bro_conn_delete(bc);
+  printf("Exiting ...\n");
+
+  return 0;
+}
diff --git a/aux/broccoli/test/broping-record.bro b/aux/broccoli/test/broping-record.bro
new file mode 100644
index 0000000000..3a4370fa1e
--- /dev/null
+++ b/aux/broccoli/test/broping-record.bro
@@ -0,0 +1,59 @@
+# Depending on whether you want to use encryption or not,
+# include "listen-clear" or "listen-ssl":
+#
+# @load listen-ssl
+@load listen-clear
+
+global ping_log = open_log_file("ping");
+
+# Let's make sure we use the same port no matter whether we use encryption or not:
+#
+@ifdef (listen_port_clear)
+redef listen_port_clear    = 47758/tcp;
+@endif
+
+# If we're using encrypted communication, redef the SSL port and hook in
+# the necessary certificates:
+#
+@ifdef (listen_port_ssl)
+redef listen_port_ssl      = 47758/tcp;
+redef ssl_ca_certificate   = "<path>/ca_cert.pem";
+redef ssl_private_key      = "<path>/bro.pem";
+@endif
+
+redef Remote::destinations += {
+	["broping"] = [$host = 127.0.0.1, $events = /ping/, $connect=F, $ssl=F]
+};
+
+type ping_data: record {
+	seq: count;
+	src_time: time;
+};
+
+type pong_data: record {
+	seq: count;
+	src_time: time;
+	dst_time: time;
+};
+
+# global pdata: pong_data;
+
+global ping: event(data: ping_data);
+global pong: event(data: pong_data);
+
+event ping(data: ping_data)
+        {
+	local pdata: pong_data;
+	
+	pdata$seq      = data$seq;
+	pdata$src_time = data$src_time;
+	pdata$dst_time = current_time();
+
+        event pong(pdata);
+        }
+
+event pong(data: pong_data)
+        {
+        print ping_log, fmt("ping received, seq %d, %f at src, %f at dest, one-way: %f",
+                            data$seq, data$src_time, data$dst_time, data$dst_time - data$src_time);
+        }
diff --git a/aux/broccoli/test/broping.bro b/aux/broccoli/test/broping.bro
new file mode 100644
index 0000000000..86e7f2d52e
--- /dev/null
+++ b/aux/broccoli/test/broping.bro
@@ -0,0 +1,40 @@
+# Depending on whether you want to use encryption or not,
+# include "listen-clear" or "listen-ssl":
+#
+# @load listen-ssl
+@load listen-clear
+
+global ping_log = open_log_file("ping");
+
+# Let's make sure we use the same port no matter whether we use encryption or not:
+#
+@ifdef (listen_port_clear)
+redef listen_port_clear    = 47758/tcp;
+@endif
+
+# If we're using encrypted communication, redef the SSL port and hook in
+# the necessary certificates:
+#
+@ifdef (listen_port_ssl)
+redef listen_port_ssl      = 47758/tcp;
+redef ssl_ca_certificate   = "<path>/ca_cert.pem";
+redef ssl_private_key      = "<path>/bro.pem";
+@endif
+
+global ping: event(src_time: time, seq: count);
+global pong: event(src_time: time, dst_time: time, seq: count);
+
+redef Remote::destinations += {
+	["broping"] = [$host = 127.0.0.1, $events = /ping/, $connect=F, $ssl=F]
+};
+
+event ping(src_time: time, seq: count)
+        {
+        event pong(src_time, current_time(), seq);
+        }
+
+event pong(src_time: time, dst_time: time, seq: count)
+        {
+        print ping_log, fmt("ping received, seq %d, %f at src, %f at dest, one-way: %f",
+                            seq, src_time, dst_time, dst_time-src_time);
+        }
diff --git a/aux/broccoli/test/broping.c b/aux/broccoli/test/broping.c
new file mode 100644
index 0000000000..c3ccf4d57e
--- /dev/null
+++ b/aux/broccoli/test/broping.c
@@ -0,0 +1,456 @@
+/*
+       B R O C C O L I  --  The Bro Client Communications Library
+
+Copyright (C) 2004-2007 Christian Kreibich <christian (at) icir.org>
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to
+deal in the Software without restriction, including without limitation the
+rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+sell copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies of the Software and its documentation and acknowledgment shall be
+given in the documentation and software packages that this Software was
+used.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+*/
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <sys/wait.h>
+#include <sys/time.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <time.h>
+#include <errno.h>
+#include <string.h>
+
+#include <broccoli.h>
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+char *host_default = "127.0.0.1";
+char *port_default = "47758";
+char *host_str;
+char *port_str;
+
+int count = -1;
+int seq;
+
+static void
+usage(void)
+{
+  printf("broping - sends ping events to a Bro agent, expecting pong events.\n"
+	 "USAGE: broping [-h|-?] [-d] [-l] [-r] [-c num] [-p port] host\n"
+	 "   -h|-?       This message.\n"
+	 "   -d          Enable debugging (only useful if configured with --enable-debug).\n"
+	 "   -r          Use record types to transfer data.\n"
+	 "   -C          Use compact callback argument passing.\n"
+	 "   -c <num>    Number of events to send.\n"
+	 "   -p <port>   Port on <host> to contact.\n");
+
+  exit(0);
+}
+
+
+static void
+bro_pong(BroConn *conn, void *data, double *src_time, double *dst_time, uint32 *seq)
+{
+  double now = bro_util_current_time();
+
+  printf("pong event from %s: seq=%i, time=%f/%f s\n",
+	 host_str, *seq, *dst_time - *src_time,
+	 now - *src_time);
+
+  conn = NULL;
+  data = NULL;
+}
+
+static void
+bro_pong_record(BroConn *conn, void *data, BroRecord *rec)
+{
+  double now = bro_util_current_time();
+  double *src_time, *dst_time;
+  uint32 *seq;
+  int type = BRO_TYPE_COUNT;
+
+  if (! (seq = bro_record_get_nth_val(rec, 0, &type)))
+    {
+      printf("Error getting sequence count from event, got type %i\n", type);
+      return;
+    }
+
+  type = BRO_TYPE_TIME;
+
+  if (! (src_time = bro_record_get_nth_val(rec, 1, &type)))
+    {
+      printf("Error getting src time from event, got type %i.\n", type);
+      return;
+    }
+
+  type = BRO_TYPE_TIME;
+  
+  if (! (dst_time = bro_record_get_nth_val(rec, 2, &type)))
+    {
+      printf("Error getting dst time from event, got type %i\n", type);
+      return;
+    }
+
+  printf("pong event from %s: seq=%i, time=%f/%f s\n",
+	 host_str, *seq, *dst_time - *src_time,
+	 now - *src_time);
+  
+  conn = NULL;
+  data = NULL;
+}
+
+static void
+bro_pong_compact(BroConn *conn, void *data, BroEvMeta *meta)
+{
+  double *src_time;
+  double *dst_time;
+  uint32 *seq;
+  
+  /* Sanity-check arguments: */
+
+  if (strcmp(meta->ev_name, "pong") != 0)
+    {
+      printf("Event should be 'pong', is '%s', error.\n",
+	     meta->ev_name);
+      return;
+    }
+
+  if (meta->ev_numargs != 3)
+    {
+      printf("Pong event should have 3 arguments, has %d, error.\n",
+	     meta->ev_numargs);
+      return;
+    }
+
+  if (meta->ev_args[0].arg_type != BRO_TYPE_TIME)
+    {
+      printf("Type of first argument should be %i, is %i, error.\n",
+	     BRO_TYPE_TIME, meta->ev_args[0].arg_type);
+      return;
+    }
+
+  if (meta->ev_args[1].arg_type != BRO_TYPE_TIME)
+    {
+      printf("Type of second argument should be %i, is %i, error.\n",
+	     BRO_TYPE_TIME, meta->ev_args[1].arg_type);
+      return;
+    }
+
+  if (meta->ev_args[2].arg_type != BRO_TYPE_COUNT)
+    {
+      printf("Type of third argument should be %i, is %i, error.\n",
+	     BRO_TYPE_COUNT, meta->ev_args[2].arg_type);
+      return;
+    }
+
+  src_time = (double *) meta->ev_args[0].arg_data;
+  dst_time = (double *) meta->ev_args[1].arg_data;
+  seq = (uint32 *) meta->ev_args[2].arg_data;
+  
+  bro_pong(conn, data, src_time, dst_time, seq);
+}
+
+static void
+bro_pong_compact_record(BroConn *conn, void *data, BroEvMeta *meta)
+{
+  BroRecord *rec;
+
+  /* Sanity-check argument type: */
+
+  if (strcmp(meta->ev_name, "pong") != 0)
+    {
+      printf("Event should be 'pong', is '%s', error.\n",
+	     meta->ev_name);
+      return;
+    }
+
+  if (meta->ev_numargs != 1)
+    {
+      printf("Pong event should have 1 argument, has %d, error.\n",
+	     meta->ev_numargs);
+      return;
+    }
+
+  if (meta->ev_args[0].arg_type != BRO_TYPE_RECORD)
+    {
+      printf("Type of argument should be %i, is %i, error.\n",
+	     BRO_TYPE_RECORD, meta->ev_args[0].arg_type);
+      return;
+    }
+  
+  rec = (BroRecord *) meta->ev_args[0].arg_data;
+  
+  bro_pong_record(conn, data, rec);
+}
+
+BroConn*
+start_listen(int port)
+{
+  int fd = 0;
+  struct sockaddr_in server;
+  struct sockaddr_in client;
+  socklen_t len = sizeof(client);
+  fd_set fds;
+  const int turn_on = 1;
+  BroConn *bc = 0;
+
+  fd = socket(PF_INET, SOCK_STREAM, 0);
+  if ( fd < 0 )  
+	{
+	printf("can't create listen socket: %s\n", strerror(errno));
+	exit(-1);
+	}
+
+  // Set SO_REUSEADDR.
+  if ( setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &turn_on, sizeof(turn_on)) < 0 )
+	{
+	printf("can't set SO_REUSEADDR: %s\n", strerror(errno));
+	exit(-1);
+	}
+
+  bzero(&server, sizeof(server));
+  server.sin_family = AF_INET;
+  server.sin_port = htons(port);
+  server.sin_addr.s_addr = 0;
+
+  if ( bind(fd, (struct sockaddr*) &server, sizeof(server)) < 0 )
+	{
+	printf("can't bind to port %d: %s\n", port, strerror(errno));
+	exit(-1);
+	}
+
+  if ( listen(fd, 50) < 0 )
+	{
+	printf("can't listen: %s\n", strerror(errno));
+	exit(-1);
+	}
+
+   FD_ZERO(&fds);
+   FD_SET(fd, &fds);
+
+  if ( select(fd + 1, &fds, &fds, &fds, 0) < 0 )
+	{
+	printf("can't select: %s\n", strerror(errno));
+	exit(-1);
+	}
+	
+  fd = accept(fd, (struct sockaddr*) &client, &len);
+  if ( fd < 0 )
+	{
+	printf("can't accept: %s\n", strerror(errno));
+	exit(-1);
+	}
+
+  bc = bro_conn_new_socket(fd, BRO_CFLAG_ALWAYS_QUEUE);
+  if ( ! bc )
+	{
+	printf("can't create connection form fd\n");
+	exit(-1);
+	}
+
+  return bc;
+}
+
+int
+main(int argc, char **argv)
+{
+  int opt, port, use_record = 0, use_compact = 0, debugging = 0, listen = 0;
+  BroConn *bc;
+  extern char *optarg;
+  extern int optind;
+  char hostname[512];
+  int fd = -1;
+
+  bro_init(NULL);
+
+  host_str = host_default;
+  port_str = port_default;
+
+  bro_debug_calltrace = 0;
+  bro_debug_messages  = 0;
+
+  while ( (opt = getopt(argc, argv, "Cc:p:dh?lr")) != -1)
+    {
+      switch (opt)
+	{
+	case 'd':
+	  debugging++;
+
+	  if (debugging == 1)
+	    bro_debug_messages = 1;
+	  
+	  if (debugging > 1)
+	    bro_debug_calltrace = 1;
+	  break;
+	
+	case 'l':
+	  listen = 1;
+	  break;
+
+	case 'h':
+	case '?':
+	  usage();
+
+	case 'c':
+	  count = strtol(optarg, NULL, 0);
+	  if (errno == ERANGE || count < 1)
+	    {
+	      printf("Please provide an integer to -c.\n");
+	      exit(-1);
+	    }
+	  break;
+	  
+	case 'p':
+	  port_str = optarg;
+	  break;
+
+	case 'r':
+	  use_record = 1;
+	  break;
+
+	case 'C':
+	  use_compact = 1;
+	  break;
+
+	default:
+	  usage();
+	}
+    }
+
+  argc -= optind;
+  argv += optind;
+
+  if (argc > 0)
+    host_str = argv[0];
+
+  /*
+  if (! (host = gethostbyname(host_str)) ||
+      ! (host->h_addr_list[0]))
+    {
+      printf("Could not resolve host %s\n", host_str);
+      exit(-1);
+    }
+  */
+
+  port = strtol(port_str, NULL, 0);
+  if (errno == ERANGE)
+    {
+      printf("Please provide a port number with -p.\n");
+      exit(-1);
+    }
+
+  snprintf(hostname, 512, "%s:%s", host_str, port_str);
+
+
+  if ( listen )
+	bc  = start_listen(port);
+
+  /* Connect to Bro */
+  else if (! (bc = bro_conn_new_str(hostname, BRO_CFLAG_RECONNECT | BRO_CFLAG_ALWAYS_QUEUE)))
+    {
+      printf("Could not get Bro connection handle.\n");
+      exit(-1);
+    }
+  
+  /* Request "pong" events, and have bro_pong called when they
+   * arrive. The callback mechanism automatically figures out
+   * the number of arguments and invokes the callback accordingly.
+   * Use record-based callback if -r option was given, and compact
+   * argument passing if -C was provided.
+   */
+  if (use_compact)
+    {
+      if (use_record)
+	bro_event_registry_add_compact(bc, "pong", (BroCompactEventFunc)
+				       bro_pong_compact_record, NULL);
+      else
+	bro_event_registry_add_compact(bc, "pong", (BroCompactEventFunc)
+				       bro_pong_compact, NULL);
+    }
+  else
+    {
+      if (use_record)
+	bro_event_registry_add(bc, "pong", (BroEventFunc) bro_pong_record, NULL);
+      else
+	bro_event_registry_add(bc, "pong", (BroEventFunc) bro_pong, NULL);
+    }
+  
+  if (! bro_conn_connect(bc))
+    {
+      printf("Could not connect to Bro at %s:%s.\n", host_str, port_str);
+      exit(-1);
+    }
+  
+  /* Enter pinging loop */
+  for ( ; ; )
+    {
+      BroEvent *ev;
+      
+      bro_conn_process_input(bc);
+
+      if (count > 0 && seq == count)
+	break;
+      
+      /* Create empty "ping" event */
+      if ( (ev = bro_event_new("ping")))
+	{
+	  double timestamp = bro_util_current_time();
+
+	  if (use_record)
+	    {
+	      /* Create a record with the sequence number as first
+	       * element of type counter, and the second element the
+	       * current time:
+	       */
+	      BroRecord *rec = bro_record_new();
+	      
+	      bro_record_add_val(rec, "seq", BRO_TYPE_COUNT, NULL, &seq);
+	      bro_record_add_val(rec, "src_time", BRO_TYPE_TIME, NULL, &timestamp);
+	      
+	      bro_event_add_val(ev, BRO_TYPE_RECORD, NULL, rec);
+	      
+	      bro_record_free(rec);
+	    }
+	  else
+	    {
+	      /* Add a timestamp to it: */
+	      bro_event_add_val(ev, BRO_TYPE_TIME, NULL, &timestamp);
+	      
+	      /* Add the sequence counter: */
+	      bro_event_add_val(ev, BRO_TYPE_COUNT, NULL, &seq);
+	    }
+
+	  seq++;
+
+	  /* Ship it -- sends it if possible, queues it otherwise */
+	  bro_event_send(bc, ev);
+	  bro_event_free(ev);
+	}
+
+#ifdef __MINGW32__
+      sleep(1000);
+#else
+      sleep(1);
+#endif
+    }
+
+  /* Disconnect from Bro and release state. */
+  bro_conn_delete(bc);
+
+  return 0;
+}
diff --git a/aux/broccoli/test/brotable.c b/aux/broccoli/test/brotable.c
new file mode 100644
index 0000000000..4249472477
--- /dev/null
+++ b/aux/broccoli/test/brotable.c
@@ -0,0 +1,328 @@
+/*
+       B R O C C O L I  --  The Bro Client Communications Library
+
+Copyright (C) 2004-2007 Christian Kreibich <christian (at) icir.org>
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to
+deal in the Software without restriction, including without limitation the
+rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+sell copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies of the Software and its documentation and acknowledgment shall be
+given in the documentation and software packages that this Software was
+used.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+*/
+#include <sys/types.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <time.h>
+#include <errno.h>
+#include <string.h>
+
+#include <broccoli.h>
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+void
+print_val(void *val, int type)
+{
+  char br_open = '[';
+  char br_close = ']';
+
+  if (! val)
+    {
+      printf("NULL");
+      return;
+    }
+
+  switch (type) {
+  case BRO_TYPE_BOOL:
+    printf("%s", *((int*) val) == 0 ? "false" : "true");
+    break;
+
+  case BRO_TYPE_INT:
+    printf("%i", *((int*) val));
+    break;
+
+  case BRO_TYPE_DOUBLE:
+    printf("%f", *((double*) val));
+    break;
+
+  case BRO_TYPE_STRING:
+    printf("'%s'", bro_string_get_data((BroString*) val));
+    break;
+
+  case BRO_TYPE_LIST:
+    /* This means that we're dealing with a composite indexing type.
+     * Except for this differing type code, treatment is exactly as
+     * with a record:
+     */
+    br_open = '{';
+    br_close = '}';
+    
+    /* Fall through */
+    
+  case BRO_TYPE_RECORD:
+    {
+      void *item;
+      int i, type;
+      BroRecord *rec = (BroRecord*) val;
+      
+      printf("%c", br_open);
+      
+      for (i = 0; i < bro_record_get_length(rec); i++)
+	{
+	  /* We don't want to enforce typechecking of the
+	   * queried value, so we use BRO_TYPE_UNKNOWN.
+	   */
+	  type = BRO_TYPE_UNKNOWN;
+	  item = bro_record_get_nth_val(rec, i, &type);
+	  print_val(item, type);
+	  
+	  if (i + 1 < bro_record_get_length(rec))
+	    printf(", ");
+	}      
+      
+      printf("%c", br_close);
+    }
+    break;
+        
+  default:    
+    printf("<unimplemented %d>", type);
+  }
+}
+
+int
+table_it_cb(void *key, void *val, BroTable *table)
+{
+  int key_type, val_type;
+
+  bro_table_get_types(table, &key_type, &val_type);
+  
+  print_val(key, key_type);
+  printf(" -> ");
+  print_val(val, val_type);
+  printf("\n");
+
+  return TRUE;
+}
+
+int
+main(int argc, char **argv)
+{
+  int opt, debugging = 0;
+
+  /* A few tables with different atomic indexing/yield types: */
+  BroTable *int_to_str;
+  BroTable *str_to_double;
+  
+  /* A table with a composite indexing type: */
+  BroTable *int_str_double_to_int;
+
+  /* Placeholders for the stuff we insert/retrieve: */
+  BroString str, *str_ptr;
+  BroRecord *rec;
+  int i, i2, *i_ptr;
+  double d, *d_ptr;
+  
+  while ( (opt = getopt(argc, argv, "c:p:dh?r")) != -1)
+    {
+      switch (opt)
+	{
+	case 'd':
+	  debugging++;
+	  
+	  if (debugging == 1)
+	    bro_debug_messages = 1;
+	  
+	  if (debugging > 1)
+	    bro_debug_calltrace = 1;
+	  break;
+	  
+	default:
+	  break;
+	}
+    }
+
+  /* ---- Mandatory initialization ------------------------------------- */
+  bro_init(NULL);
+
+  /* ---- int -> string ------------------------------------------------ */
+
+  printf("int_to_str table dump:\n");
+  printf("----------------------\n");
+
+  int_to_str = bro_table_new();
+
+  i = 10;
+  bro_string_set(&str, "foo");  
+  bro_table_insert(int_to_str, BRO_TYPE_INT, &i, BRO_TYPE_STRING, &str);
+  bro_string_cleanup(&str);
+
+  i = 20;
+  bro_string_set(&str, "bar");  
+  bro_table_insert(int_to_str, BRO_TYPE_INT, &i, BRO_TYPE_STRING, &str);
+  bro_string_cleanup(&str);
+
+  i = 30;
+  bro_string_set(&str, "baz");  
+  bro_table_insert(int_to_str, BRO_TYPE_INT, &i, BRO_TYPE_STRING, &str);
+  bro_string_cleanup(&str);
+
+  bro_table_foreach(int_to_str, (BroTableCallback) table_it_cb, int_to_str);
+  
+  printf("\ntest lookup: ");
+  i = 20;
+  str_ptr = (BroString*) bro_table_find(int_to_str, &i);
+  
+  print_val(&i, BRO_TYPE_INT);
+  printf(" -> ");
+  print_val(str_ptr, BRO_TYPE_STRING);
+  printf("\n\n");
+
+  bro_table_free(int_to_str);
+
+
+  /* ---- string -> double --------------------------------------------- */
+  
+  printf("str_to_double table dump:\n");
+  printf("-------------------------\n");
+
+  str_to_double = bro_table_new();
+
+  d = 1.1;
+  bro_string_set(&str, "foo");  
+  bro_table_insert(str_to_double, BRO_TYPE_STRING, &str, BRO_TYPE_DOUBLE, &d);
+  bro_string_cleanup(&str);
+
+  d = 2.2;
+  bro_string_set(&str, "bar");  
+  bro_table_insert(str_to_double, BRO_TYPE_STRING, &str, BRO_TYPE_DOUBLE, &d);
+  bro_string_cleanup(&str);
+  
+  d = 3.3;
+  bro_string_set(&str, "baz");  
+  bro_table_insert(str_to_double, BRO_TYPE_STRING, &str, BRO_TYPE_DOUBLE, &d);
+  bro_string_cleanup(&str);
+  
+  bro_table_foreach(str_to_double, (BroTableCallback) table_it_cb, str_to_double);
+  
+  printf("\ntest lookup: ");
+  bro_string_set(&str, "bar");  
+  d_ptr = (double*) bro_table_find(str_to_double, &str);
+  
+  print_val(&str, BRO_TYPE_STRING);
+  printf(" -> ");
+  print_val(d_ptr, BRO_TYPE_DOUBLE);
+  printf("\n\n");
+  
+  bro_string_cleanup(&str);
+  
+  bro_table_free(str_to_double);
+
+
+  /* ---- {int, string, double} -> int --------------------------------- */
+  
+  printf("int_str_double_to_int table dump:\n");
+  printf("---------------------------------\n");
+
+  int_str_double_to_int = bro_table_new();
+
+  /* -- first element -- */
+
+  i = 1;
+  d = 1.1;
+  bro_string_set(&str, "foo");  
+  i2 = 10;
+
+  /* You may pass NULL as the field name, but then of course looking
+   * up elements by field name will not work in case you need it.
+   */
+  rec = bro_record_new();
+  bro_record_add_val(rec, NULL, BRO_TYPE_INT, NULL, &i);
+  bro_record_add_val(rec, NULL, BRO_TYPE_STRING, NULL, &str);
+  bro_record_add_val(rec, NULL, BRO_TYPE_DOUBLE, NULL, &d);
+  bro_table_insert(int_str_double_to_int, BRO_TYPE_LIST, rec, BRO_TYPE_INT, &i2);
+
+  bro_string_cleanup(&str);
+  bro_record_free(rec);
+
+  /* -- second element -- */
+
+  i = 2;
+  d = 2.2;
+  bro_string_set(&str, "bar");  
+  i2 = 20;
+
+  /* You may pass NULL as the field name, but then of course looking
+   * up elements by field name will not work in case you need it.
+   */
+  rec = bro_record_new();
+  bro_record_add_val(rec, NULL, BRO_TYPE_INT, NULL, &i);
+  bro_record_add_val(rec, NULL, BRO_TYPE_STRING, NULL, &str);
+  bro_record_add_val(rec, NULL, BRO_TYPE_DOUBLE, NULL, &d);
+  bro_table_insert(int_str_double_to_int, BRO_TYPE_LIST, rec, BRO_TYPE_INT, &i2);
+
+  bro_string_cleanup(&str);
+  bro_record_free(rec);
+
+  /* -- third element -- */
+
+  i = 3;
+  d = 3.3;
+  bro_string_set(&str, "baz");  
+  i2 = 30;
+
+  /* You may pass NULL as the field name, but then of course looking
+   * up elements by field name will not work in case you need it.
+   */
+  rec = bro_record_new();
+  bro_record_add_val(rec, NULL, BRO_TYPE_INT, NULL, &i);
+  bro_record_add_val(rec, NULL, BRO_TYPE_STRING, NULL, &str);
+  bro_record_add_val(rec, NULL, BRO_TYPE_DOUBLE, NULL, &d);
+  bro_table_insert(int_str_double_to_int, BRO_TYPE_LIST, rec, BRO_TYPE_INT, &i2);
+
+  bro_string_cleanup(&str);
+  bro_record_free(rec);
+  
+  bro_table_foreach(int_str_double_to_int, (BroTableCallback) table_it_cb, int_str_double_to_int);
+
+  printf("\ntest lookup: ");
+
+  i = 2;
+  d = 2.2;
+  bro_string_set(&str, "bar");  
+
+  rec = bro_record_new();
+  bro_record_add_val(rec, NULL, BRO_TYPE_INT, NULL, &i);
+  bro_record_add_val(rec, NULL, BRO_TYPE_STRING, NULL, &str);
+  bro_record_add_val(rec, NULL, BRO_TYPE_DOUBLE, NULL, &d);
+  
+  i_ptr = (int*) bro_table_find(int_str_double_to_int, rec);
+  
+  print_val(rec, BRO_TYPE_LIST);
+  printf(" -> ");
+  print_val(i_ptr, BRO_TYPE_INT);
+  printf("\n\n");
+  
+  bro_string_cleanup(&str);
+  bro_record_free(rec);
+  
+  bro_table_free(int_str_double_to_int);
+
+  return 0;
+}
diff --git a/aux/broccoli/test/dummysensor.c b/aux/broccoli/test/dummysensor.c
new file mode 100644
index 0000000000..aff40e8006
--- /dev/null
+++ b/aux/broccoli/test/dummysensor.c
@@ -0,0 +1,91 @@
+#include <sys/types.h>
+#include <sys/time.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <time.h>
+#include <errno.h>
+
+#include <broccoli.h>
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+char *ip_default   = "127.0.0.1";
+char *port_default = "47756";
+
+int
+main(int argc, char **argv)
+{
+  char *ip_str = ip_default;
+  char *port_str = port_default;
+  int port;
+  struct in_addr ipaddr;
+  BroConn *bc;
+  BroEvent *ev;
+  int i;
+
+  if (argc >= 2)
+    ip_str = argv[1];
+  if (argc >= 3)
+    port_str = argv[2];
+    
+  if (inet_pton(AF_INET, ip_str, &ipaddr) <= 0)
+    {
+      printf("Please provide an IP address to contact as first argument.\n");
+      exit(-1);
+    }
+
+  port = strtol(port_str, NULL, 0);
+  if (errno == ERANGE)
+    {
+      printf("Please provide a port number as second argument.\n");
+      exit(-1);
+    }
+
+  bro_init(NULL);
+
+  printf("Opening connection.\n");
+  if (! (bc = bro_connect_remote(0x0000, &ipaddr, port)))
+    {
+      printf("Couldn't connect.\n");
+      exit(-1);
+    }
+  
+  sleep(1);
+  bro_conn_process_input(bc);
+
+  sleep(5);
+  bro_conn_process_input(bc);
+
+  /*
+  if ( (ev = bro_event_new("bar")))
+    {
+      bro_event_add_string(ev, "hello world");
+
+      if (bro_event_send(bc, ev))
+	printf("Bro test event sent.\n");
+      else
+	printf("Bro test event queued.\n");
+    }
+
+  if ( (ev = bro_event_new("foo")))
+    {
+      bro_event_add_string(ev, "hello world");
+
+      if (bro_event_send(bc, ev))
+	printf("Bro test event sent.\n");
+      else
+	printf("Bro test event queued.\n");
+    }
+  */
+  sleep(2);
+
+  printf("Disconnecting.\n");
+  bro_disconnect(bc);
+
+  return 0;
+}
diff --git a/aux/broccoli/ylwrap b/aux/broccoli/ylwrap
new file mode 100755
index 0000000000..102bd893f7
--- /dev/null
+++ b/aux/broccoli/ylwrap
@@ -0,0 +1,223 @@
+#! /bin/sh
+# ylwrap - wrapper for lex/yacc invocations.
+
+scriptversion=2005-05-14.22
+
+# Copyright (C) 1996, 1997, 1998, 1999, 2001, 2002, 2003, 2004, 2005
+#   Free Software Foundation, Inc.
+#
+# Written by Tom Tromey <tromey@cygnus.com>.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2, or (at your option)
+# any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+# 02110-1301, USA.
+
+# As a special exception to the GNU General Public License, if you
+# distribute this file as part of a program that contains a
+# configuration script generated by Autoconf, you may include it under
+# the same distribution terms that you use for the rest of that program.
+
+# This file is maintained in Automake, please report
+# bugs to <bug-automake@gnu.org> or send patches to
+# <automake-patches@gnu.org>.
+
+case "$1" in
+  '')
+    echo "$0: No files given.  Try \`$0 --help' for more information." 1>&2
+    exit 1
+    ;;
+  --basedir)
+    basedir=$2
+    shift 2
+    ;;
+  -h|--h*)
+    cat <<\EOF
+Usage: ylwrap [--help|--version] INPUT [OUTPUT DESIRED]... -- PROGRAM [ARGS]...
+
+Wrapper for lex/yacc invocations, renaming files as desired.
+
+  INPUT is the input file
+  OUTPUT is one file PROG generates
+  DESIRED is the file we actually want instead of OUTPUT
+  PROGRAM is program to run
+  ARGS are passed to PROG
+
+Any number of OUTPUT,DESIRED pairs may be used.
+
+Report bugs to <bug-automake@gnu.org>.
+EOF
+    exit $?
+    ;;
+  -v|--v*)
+    echo "ylwrap $scriptversion"
+    exit $?
+    ;;
+esac
+
+
+# The input.
+input="$1"
+shift
+case "$input" in
+  [\\/]* | ?:[\\/]*)
+    # Absolute path; do nothing.
+    ;;
+  *)
+    # Relative path.  Make it absolute.
+    input="`pwd`/$input"
+    ;;
+esac
+
+pairlist=
+while test "$#" -ne 0; do
+  if test "$1" = "--"; then
+    shift
+    break
+  fi
+  pairlist="$pairlist $1"
+  shift
+done
+
+# The program to run.
+prog="$1"
+shift
+# Make any relative path in $prog absolute.
+case "$prog" in
+  [\\/]* | ?:[\\/]*) ;;
+  *[\\/]*) prog="`pwd`/$prog" ;;
+esac
+
+# FIXME: add hostname here for parallel makes that run commands on
+# other machines.  But that might take us over the 14-char limit.
+dirname=ylwrap$$
+trap "cd `pwd`; rm -rf $dirname > /dev/null 2>&1" 1 2 3 15
+mkdir $dirname || exit 1
+
+cd $dirname
+
+case $# in
+  0) $prog "$input" ;;
+  *) $prog "$@" "$input" ;;
+esac
+ret=$?
+
+if test $ret -eq 0; then
+  set X $pairlist
+  shift
+  first=yes
+  # Since DOS filename conventions don't allow two dots,
+  # the DOS version of Bison writes out y_tab.c instead of y.tab.c
+  # and y_tab.h instead of y.tab.h. Test to see if this is the case.
+  y_tab_nodot="no"
+  if test -f y_tab.c || test -f y_tab.h; then
+    y_tab_nodot="yes"
+  fi
+
+  # The directory holding the input.
+  input_dir=`echo "$input" | sed -e 's,\([\\/]\)[^\\/]*$,\1,'`
+  # Quote $INPUT_DIR so we can use it in a regexp.
+  # FIXME: really we should care about more than `.' and `\'.
+  input_rx=`echo "$input_dir" | sed 's,\\\\,\\\\\\\\,g;s,\\.,\\\\.,g'`
+
+  while test "$#" -ne 0; do
+    from="$1"
+    # Handle y_tab.c and y_tab.h output by DOS
+    if test $y_tab_nodot = "yes"; then
+      if test $from = "y.tab.c"; then
+    	from="y_tab.c"
+      else
+    	if test $from = "y.tab.h"; then
+    	  from="y_tab.h"
+    	fi
+      fi
+    fi
+    if test -f "$from"; then
+      # If $2 is an absolute path name, then just use that,
+      # otherwise prepend `../'.
+      case "$2" in
+    	[\\/]* | ?:[\\/]*) target="$2";;
+    	*) target="../$2";;
+      esac
+
+      # We do not want to overwrite a header file if it hasn't
+      # changed.  This avoid useless recompilations.  However the
+      # parser itself (the first file) should always be updated,
+      # because it is the destination of the .y.c rule in the
+      # Makefile.  Divert the output of all other files to a temporary
+      # file so we can compare them to existing versions.
+      if test $first = no; then
+	realtarget="$target"
+	target="tmp-`echo $target | sed s/.*[\\/]//g`"
+      fi
+      # Edit out `#line' or `#' directives.
+      #
+      # We don't want the resulting debug information to point at
+      # an absolute srcdir; it is better for it to just mention the
+      # .y file with no path.
+      #
+      # We want to use the real output file name, not yy.lex.c for
+      # instance.
+      #
+      # We want the include guards to be adjusted too.
+      FROM=`echo "$from" | sed \
+            -e 'y/abcdefghijklmnopqrstuvwxyz/ABCDEFGHIJKLMNOPQRSTUVWXYZ/'\
+            -e 's/[^ABCDEFGHIJKLMNOPQRSTUVWXYZ]/_/g'`
+      TARGET=`echo "$2" | sed \
+            -e 'y/abcdefghijklmnopqrstuvwxyz/ABCDEFGHIJKLMNOPQRSTUVWXYZ/'\
+            -e 's/[^ABCDEFGHIJKLMNOPQRSTUVWXYZ]/_/g'`
+
+      sed -e "/^#/!b" -e "s,$input_rx,," -e "s,$from,$2," \
+          -e "s,$FROM,$TARGET," "$from" >"$target" || ret=$?
+
+      # Check whether header files must be updated.
+      if test $first = no; then
+	if test -f "$realtarget" && cmp -s "$realtarget" "$target"; then
+	  echo "$2" is unchanged
+	  rm -f "$target"
+	else
+          echo updating "$2"
+          mv -f "$target" "$realtarget"
+        fi
+      fi
+    else
+      # A missing file is only an error for the first file.  This
+      # is a blatant hack to let us support using "yacc -d".  If -d
+      # is not specified, we don't want an error when the header
+      # file is "missing".
+      if test $first = yes; then
+        ret=1
+      fi
+    fi
+    shift
+    shift
+    first=no
+  done
+else
+  ret=$?
+fi
+
+# Remove the directory.
+cd ..
+rm -rf $dirname
+
+exit $ret
+
+# Local Variables:
+# mode: shell-script
+# sh-indentation: 2
+# eval: (add-hook 'write-file-hooks 'time-stamp)
+# time-stamp-start: "scriptversion="
+# time-stamp-format: "%:y-%02m-%02d.%02H"
+# time-stamp-end: "$"
+# End:
diff --git a/aux/broctl/BroControl/__init__.py b/aux/broctl/BroControl/__init__.py
new file mode 100644
index 0000000000..4f3d61a5d8
--- /dev/null
+++ b/aux/broctl/BroControl/__init__.py
@@ -0,0 +1,3 @@
+# $Id: __init__.py 6811 2009-07-06 20:41:10Z robin $
+#
+# Intentionally empty.
diff --git a/aux/broctl/BroControl/config.py b/aux/broctl/BroControl/config.py
new file mode 100644
index 0000000000..86b4bfd2e2
--- /dev/null
+++ b/aux/broctl/BroControl/config.py
@@ -0,0 +1,513 @@
+#! /usr/bin/env python
+#
+# $Id: config.py 6948 2009-12-03 20:59:41Z robin $
+#
+# Functions to read and access the broctl configuration.
+
+import os
+import sys
+import socket
+import imp
+import re
+
+import ConfigParser
+
+import options
+import execute
+import util
+
+# One broctl node. 
+class Node:
+
+    # Valid tags in nodes file. The values will be stored 
+    # in attributes of the same name.
+    _tags = { "type": 1, "host": 1, "interface": 1, "aux_scripts": 1, "brobase": 1, "ether": 1 }
+
+    def __init__(self, tag):
+        self.tag = tag
+
+    def __str__(self):
+        def fmt(v):
+            if type(v) == type([]):
+                v = ",".join(v)
+            return v
+
+        return ("%15s - " % self.tag) + " ".join(["%s=%s" % (k, fmt(self.__dict__[k])) for k in sorted(self.__dict__.keys())])
+
+    # Returns the working directory for this node. 
+    def cwd(self):
+        return os.path.join(Config.spooldir, self.tag)
+
+    # Stores the nodes process ID. 
+    def setPID(self, pid):
+        Config._setState("%s-pid" % self.tag, str(pid))
+
+    # Returns the stored process ID.
+    def getPID(self):
+        t = "%s-pid" % self.tag
+        if t in Config.state:
+            return Config.state[t]
+        return None
+
+    # Unsets the stored process ID.
+    def clearPID(self):
+        Config._setState("%s-pid" % self.tag, "")
+
+    # Mark node as having terminated unexpectedly.
+    def setCrashed(self):
+        Config._setState("%s-crashed" % self.tag, "1")
+
+    # Unsets the flag for unexpected termination.
+    def clearCrashed(self):
+        Config._setState("%s-crashed" % self.tag, "0")
+
+    # Returns true if node has terminated unexpectedly.
+    def hasCrashed(self):
+        t = "%s-crashed" % self.tag
+        return t in Config.state and Config.state[t] == "1"
+
+    # Set the Bro port this node is using.
+    def setPort(self, port):
+        Config._setState("%s-port" % self.tag, str(port))
+
+    # Get the Bro port this node is using.
+    def getPort(self):
+        t = "%s-port" % self.tag
+        return t in Config.state and int(Config.state[t]) or -1
+
+# Class managing types of analysis. 
+class Analysis:
+    def __init__(self, cfgfile):
+
+        self.types = {}
+        cnt = 0
+
+        if not os.path.exists(cfgfile):
+            if Installing:
+                return
+
+            util.error("analysis configuration %s does not exist" % cfgfile)
+
+        for line in open(cfgfile):
+            cnt += 1
+            line = line.strip()
+            if not line or line.startswith("#"): 
+                continue
+
+            f = line.split()
+            if len(f) < 2:
+                util.warn("cannot parse line %d in %s" % (cnt, cfgfile))
+                continue
+
+            type = f[0]
+            mechanism = f[1]
+            descr = ""
+            if len(f) > 2:
+                descr = " ".join(f[2:])
+
+            self.types[type] = (mechanism, descr)
+
+    # Returns true if we know this kind of analysis.
+    def isValid(self, type):
+        return type in self.types
+
+    # Returns true if type is enabled.
+    # Default is yes if we haven't disabled it.
+    def isEnabled(self, type):
+        tag = "analysis-%s" % type
+        try:
+            return int(Config.state[tag]) != 0
+        except KeyError:
+            return True
+
+    # Enable/disable type.
+    def toggle(self, type, enable=True):
+        tag = "analysis-%s" % type
+        if enable:
+            try:
+                del Config.state[tag]
+            except KeyError:
+                pass
+        else:
+            Config.state[tag] = 0
+
+    # Returns tuples (type, status, mechanism, descr) of all known analysis types.
+    # 'type' is tag for analysis.
+    # 'status' is True if analysis is activated.
+    # 'mechanism' gives the method how to control the analysis within Bro (see etc/analysis.dat).
+    # 'descr' is textual dscription for the kind of analysis.
+    def all(self):
+        result = []
+        keys = self.types.keys()
+        keys.sort()
+        for type in keys:
+            (mechanism, descr) = self.types[type]
+            result += [(type, self.isEnabled(type), mechanism, descr)]
+        return result
+
+# Class storing the broctl configuration.
+#
+# This class provides access to four types of configuration/state:
+#
+# - the global broctl configuration from broctl.cfg
+# - the node configuration from nodes.cfg
+# - dynamic state variables which are kept across restarts in spool/broctl.dat
+# - types of analysis which can be toggled via the shell
+
+Config = None # Globally accessible instance of Configuration.
+Installing = False
+BroBase = None
+MakeDestDir = None
+
+class Configuration:    
+    def __init__(self, config, basedir, distdir, version, standalone):
+        global Config
+        global Installing
+
+        Config = self
+
+        if "BROCTL_INSTALL" in os.environ:
+            Installing = True
+            
+            global BroBase
+            BroBase = basedir
+            
+            if "MAKE_DESTDIR" in os.environ:
+                global MakeDestDir
+                MakeDestDir = os.environ["MAKE_DESTDIR"]
+
+        self.config = {}
+        self.state = {}
+
+        # Read broctl.cfg.
+        self.config = self._readConfig(os.path.join(basedir, config))
+
+        # Set defaults for options we get passed in.
+        self._setOption("brobase", basedir)
+        self._setOption("distdir", distdir)
+        self._setOption("version", version)
+        self._setOption("standalone", standalone and "1" or "0")
+		
+		# Initialize options.
+        for opt in options.options:
+            if not opt.dontinit:
+                self._setOption(opt.name.lower(), opt.default)
+		
+		# Set defaults for options we derive dynamically.
+		self._setOption("mailto", "%s" % os.getenv("USER"))
+		self._setOption("mailfrom", "Big Brother <bro@%s>" % socket.gethostname())
+		self._setOption("home", os.getenv("HOME"))
+		self._setOption("mailalarmsto", self.config["mailto"]) 
+		
+        # Determine operating system.
+        (success, output) = execute.captureCmd("uname")
+        if not success:
+            util.error("cannot run uname")
+        self._setOption("os", output[0].lower().strip())
+
+        # Find the time command (should be a GNU time for best results).
+        (success, output) = execute.captureCmd("which time")
+        self._setOption("time", output[0].lower().strip())
+		
+        # Read nodes.cfg and broctl.dat.
+        self._readNodes()
+        self.readState()
+
+        # Setup the kinds of analyses which we support.
+        self._analysis = Analysis(self.analysiscfg)
+
+        # Make sure cron flag is cleared.
+        self.config["cron"] = "0"
+
+    # Provides access to the configuration options via the dereference operator.
+    # Lookups the attribute in broctl.cfg first, then in the dynamic variables from broctl.dat.
+    # Defaults to empty string for unknown options.
+    def __getattr__(self, attr):
+        if attr in self.config:
+            return self.config[attr]
+        if attr in self.state:
+            return self.state[attr]
+        return ""
+
+    # Returns True if attribute is defined.
+    def hasAttr(self, attr):
+        if attr in self.config:
+            return True
+        if attr in self.state:
+            return True
+        return False
+
+    # Returns a list of all broctl.cfg entries.
+    # Includes dynamic variables if dynamic is true.
+    def options(self, dynamic=True):
+        if dynamic:
+            return self.config.items() + self.state.items()
+        else:
+            return self.config.items()
+
+    # Returns a list of Nodes. 
+    # - If tag is "global" or "all", all Nodes are returned if "expand_all" is true.
+    #     If "expand_all" is false, returns an empty list in this case.
+    # - If tag is "proxies" or "proxy", all proxy Nodes are returned.
+    # - If tag is "workers" or "worker", all worker Nodes are returned.
+    # - If tag is "manager", the manager Node is returned.
+    def nodes(self, tag=None, expand_all=True):
+        nodes = []
+        type = None
+
+        if tag == "cluster" or tag == "all":
+            if not expand_all:
+                return []
+
+            tag = None
+
+        if tag == "proxies":
+            tag = "proxy"
+
+        if tag == "workers":
+            tag = "worker"
+
+        if ("scripts-%s" % tag) in self.config:
+            type = tag
+
+        for n in self.nodelist.values():
+
+            if type:
+                if type == n.type:
+                    nodes += [n]
+
+            elif tag == n.tag or not tag:
+                nodes += [n]
+
+        nodes.sort(key=lambda n: (n.type, n.tag))
+
+        if not nodes and tag == "manager":
+            nodes = self.nodes("standalone")
+
+        return nodes
+
+    # Returns the manager Node.
+    def manager(self):
+        n = self.nodes("manager")
+        if n:
+            return n[0]
+        n = self.nodes("standalone")
+        if n:
+            return n[0]
+        return None
+
+    # Returns a list of nodes which is a subset of the result a similar call to
+    # nodes() would yield but within which each host appears only once.
+    def hosts(self, tag = None):
+        hosts = {}
+        for node in self.nodes(tag):
+            if not node.host in hosts:
+                hosts[node.host] = node
+
+        return hosts.values()
+
+    # Replace all occurences of "${option}", with option being either
+    # broctl.cfg option or a dynamic variable, with the corresponding value. 
+    # Defaults to replacement with the empty string for unknown options.
+    def subst(self, str, make_dest=True):
+        while True:
+            m = re.search(r"(\$\{([A-Za-z]+)(:([^}]+))?\})", str)
+            if not m:
+                
+                # This is a hack to support make's DESTDIR: if the env variable
+                # MAKE_DESTDIR is set, and the string we return starts with  our
+                # installation prefix, we prepend the var's content. This it not
+                # totally perfect but should do the trick.
+                if Installing and MakeDestDir and MakeDestDir != "":
+                    
+                    if make_dest and str.startswith(BroBase):
+                        str = MakeDestDir + str
+
+                    if not make_dest:
+                        str = str.replace(MakeDestDir, "")
+                    
+                return str
+
+            key = m.group(2).lower()
+            if self.hasAttr(key):
+                value = self.__getattr__(key)
+            else:
+                value = m.group(4)
+
+            if not value:
+                value = ""
+
+            str = str[0:m.start(1)] + value + str[m.end(1):]
+
+    # Returns instance of class Analysis. 
+    def analysis(self):
+        return self._analysis
+
+    # Parse nodes.cfg.
+    def _readNodes(self):
+        self.nodelist = {}
+        config = ConfigParser.SafeConfigParser()
+        if not config.read(self.nodecfg) and not Installing:
+            util.error("cannot read '%s'" % self.nodecfg)
+
+        manager = False
+        proxy = False
+        standalone = False
+
+        file = self.nodecfg
+
+        counts = {}
+        for sec in config.sections():
+
+            node = Node(sec)
+            self.nodelist[sec] = node
+
+            for (key, val) in config.items(sec):
+                if not key in Node._tags:
+                    util.warn("%s: unknown key '%s' in section '%s'" % (file, key, sec))
+                    continue
+
+                if key == "type":
+                    # We determine which types are valid by checking for having an
+                    # option specifying which scripts to use for it.
+                    cfg = "scripts-%s" % val 
+                    if not cfg  in self.config:
+                        util.error("%s: unknown type '%s' in section '%s'" % (file, val, sec))
+
+                    self.nodelist[sec].scripts = self.config[cfg].split()
+
+                    if val == "manager":
+                        if manager:
+                            util.error("only one manager can be defined")
+                        manager = True
+
+                    if val == "proxy":
+                        proxy = True
+
+                    if val == "standalone":
+                        standalone = True
+
+                node.__dict__[key] = val
+
+            try:
+                node.addr = socket.gethostbyname(node.host)
+            except AttributeError:
+                util.error("%s: no host given in section '%s'" % (file, sec))
+            except socket.gaierror, e:
+                util.error("%s: unknown host '%s' in section '%s' [%s]" % (file, node.host, sec, e.args[1]))
+
+            # Each node gets a number unique across its type.
+            type = self.nodelist[sec].type
+            try: 
+                counts[type] += 1
+            except KeyError:
+                counts[type] = 1
+
+            node.count = counts[type]
+
+        if self.nodelist:
+
+            if not standalone:
+                if not manager:
+                    util.error("%s: no manager defined" % file)
+
+                if not proxy:
+                    util.error("%s: no proxy defined" % file)
+
+            else:
+                if len(self.nodelist) > 1:
+                    util.error("%s: more than one node defined in stand-alone setup" % file)
+
+        for n in self.nodelist.values():
+            if n.type == "manager":
+                if not execute.isLocal(n):
+                    util.error("script must be run on manager node")
+
+                if n.addr == "127.0.0.1" and n.type != "standalone":
+                    util.error("cannot use localhost/127.0.0.1 for manager host in nodes configuration")
+
+
+    # Parses broctl.cfg and returns a dictionary of all entries. 
+    def _readConfig(self, file):
+        config = {}
+        try:
+            for line in open(file):
+
+                line = line.strip()
+                if not line or line.startswith("#"):
+                    continue
+
+                args = line.split("=")
+                if len(args) != 2:
+                    util.error("%s: syntax error '%s'" % (file, line))
+
+                (key, val) = args
+                key = key.strip().lower()
+                val = val.strip()
+
+                config[key] = val
+
+        except IOError, e:
+            if not Installing:
+                util.error("cannot read '%s'" % file)
+
+        return config
+
+    # Initialize a global option if not already set.
+    def _setOption(self, val, key):
+        if not val in self.config:
+            self.config[val] = self.subst(key)
+
+    # Set a dynamic state variable.
+    def _setState(self, val, key):
+        self.state[val] = key
+
+    # Read dynamic state variables from {$spooldir}/broctl.dat .
+    def readState(self):
+        self.state = self._readConfig(self.statefile)
+
+    # Write the dynamic state variables into {$spooldir}/broctl.dat .
+    def writeState(self):
+        try:
+            out = open(self.statefile, "w")
+        except IOError:
+            if not Installing:
+                util.warn("can't write '%s'" % self.statefile)
+            return
+
+        print >>out, "# Automatically generated. Do not edit.\n"
+
+        for (key, val) in self.state.items():
+            print >>out, "%s = %s" % (key, self.subst(str(val), make_dest=False))
+
+    # Runs Bro to get its version numbers.
+    def determineBroVersion(self):
+        version = None
+        bro = os.path.join(self.distdir, "src/bro")
+        if execute.exists(None, bro):
+            (success, output) = execute.captureCmd("%s -v 2>&1" % bro)
+            if success:
+                version = output[0]
+
+        if not version:
+            # Ok if it's already set. 
+            if "broversion" in self.state:
+                return
+
+            util.error("cannot find Bro binary to determine version")
+
+        m = re.search(".* version ([^ ]*).*$", version)
+        if not m:
+            util.error("cannot determine Bro version [%s]" % version.strip())
+
+        version = m.group(1)
+        if version.endswith("-debug"):
+            version = version[:-6]
+
+        self.state["broversion"] = version
+        self.state["bro"] = self.subst("${bindir}/bro")
+
+    # Returns true if we're running via "make install"
+    def installing(self):
+        return Installing
+
diff --git a/aux/broctl/BroControl/control.py b/aux/broctl/BroControl/control.py
new file mode 100644
index 0000000000..fe4b94b9e1
--- /dev/null
+++ b/aux/broctl/BroControl/control.py
@@ -0,0 +1,1059 @@
+#! /usr/bin/env python
+#
+# $Id: control.py 6948 2009-12-03 20:59:41Z robin $
+#
+# Functions to control the nodes' operations.
+
+import os
+import sys
+import glob
+import fileinput
+import time
+import tempfile
+import re
+
+import execute
+import util
+import config
+import cron
+import install
+
+# Convert a number into a string with a unit (e.g., 1024 into "1M").
+def prettyPrintVal(val):
+    for (prefix, unit, factor) in (("", "G", 1024*1024*1024), ("", "M", 1024*1024), ("", "K", 1024), (" ", "", 0)):
+        if val >= factor:
+            return "%s%3.0f%s" % (prefix, val / factor, unit)
+    return val # Should not happen
+
+# Checks multiple nodes in parallel and returns list of tuples (node, isrunning). 
+def isRunning(nodes, setcrashed=True):
+
+    results = []
+    cmds = []
+
+    for node in nodes:
+        pid = node.getPID()
+        if not pid:
+            results += [(node, False)]
+            continue
+
+        cmds += [(node, "check-pid", [pid])]
+
+    for (node, success, output) in execute.runHelperParallel(cmds):
+
+        # If we cannot connect to the host at all, we filter it out because
+        # the process might actually still be running but we can't tell.
+        if output == None:
+            util.warn("cannot connect to %s" % node.tag)
+            continue
+
+        results += [(node, success)]
+
+        if not success:
+            if setcrashed:
+                # Grmpf. It crashed. 
+                node.clearPID();
+                node.setCrashed()
+
+    return results
+
+# Waits for the nodes' Bro processes to reach the given status. 
+def waitForBros(nodes, status, timeout, ensurerunning):
+
+    # If ensurerunning is true, process must still be running.
+    if ensurerunning:
+        running = isRunning(nodes)
+    else:
+        running = [(node, True) for node in nodes]
+
+    results = []
+
+    # Determine set of nodes still to check.
+    todo = {}
+    for (node, isrunning) in running:
+        if isrunning:
+            todo[node.tag] = node 
+        else:
+            results += [(node, False)]
+
+    points = False
+    while True:
+
+        # Determine  whether process is still running. We need to do this
+        # before we get the state to avoid a race condition.
+        running = isRunning(todo.values(), setcrashed=False)
+
+        # Check nodes' .status file
+        cmds = []
+        for node in todo.values():
+            cmds += [(node, "cat-file", ["%s/.status" % node.cwd()])]
+
+        for (node, success, output) in execute.runHelperParallel(cmds):
+            if success:
+                try:
+                    (stat, loc) = output[0].split()
+                    if status in stat:
+                        # Status reached. Cool.
+                        del todo[node.tag]
+                        results += [(node, True)]
+                except IndexError:
+                    # Something's wrong. We give up on that node.
+                    del todo[node.tag]
+                    results += [(node, False)]
+
+        for (node, isrunning) in running:
+            if node.tag in todo and not isrunning:
+                # Alright, a dead node's status will not change anymore.
+                del todo[node.tag]
+                results += [(node, False)]
+
+        if len(todo) == 0:
+            # All done.
+            break
+
+        # Wait a bit before we start over.
+        time.sleep(1)
+
+        # Timeout reached?
+        timeout -= 1
+        if timeout <= 0:
+            break
+
+        util.output("%d " % len(todo), nl=False)
+        points = True
+
+    for node in todo.values():
+        # These did time-out.
+        results += [(node, False)]
+
+    if points:
+        util.output("%d " % len(todo))
+
+    return results
+
+# Build the Bro parameters for the given node. Include
+# script for live operation if live is true.
+def _makeBroParams(node, live):
+    args = []
+
+    if live:
+        try:
+            args += ["-i %s " % node.interface]
+        except AttributeError:
+            pass
+
+        if config.Config.savetraces == "1":
+            args += ["-w trace.pcap"]
+
+        args += ["-U .status"]
+
+    args += ["-p broctl"]
+
+    if node.type != "standalone":
+        args += ["-p cluster"]
+    else:
+        args += ["-p standalone"]
+
+    for p in config.Config.prefixes.split(":"):
+        args += ["-p %s" % p]
+
+    args += ["-p %s" % node.tag]         
+        
+    args += node.scripts
+
+    if live:
+        args += ["broctl-live"]
+    else:
+        args += ["broctl-check"]
+
+    if node.type == "worker" or node.type == "proxy":
+        args += config.Config.sitepolicyworker.split()
+        args += config.Config.auxscriptsworker.split()
+
+    if node.type == "manager":
+        args += config.Config.sitepolicymanager.split()
+        args += config.Config.auxscriptsmanager.split()
+
+    if node.type == "standalone":
+        args += config.Config.sitepolicystandalone.split()
+        args += config.Config.auxscriptsstandalone.split()
+
+    if "aux_scripts" in node.__dict__:
+        args += [node.aux_scripts]
+
+    args += ["analysis-policy"]
+
+    if config.Config.broargs:
+        args += [config.Config.broargs]
+
+#   args += ["-B comm,serial"]
+
+    return args
+
+# Build the environment variable for the given node. 
+def _makeEnvParam(node):
+    env = ""
+    env = "BRO_%s=%s" % (node.type.upper(), str(node.count))
+
+    return env
+
+# Do a "post-terminate crash" for the given nodes.
+def _makeCrashReports(nodes):
+    cmds = []
+    for node in nodes:
+        cmds += [(node, "run-cmd",  [os.path.join(config.Config.scriptsdir, "post-terminate"), node.cwd(),  "crash"])]
+
+    for (node, success, output) in execute.runHelperParallel(cmds):
+        if not success:
+            util.output("cannot run post-terminate for %s" % node.tag)
+        else:
+            util.sendMail("Crash report from %s" % node.tag, "\n".join(output))
+
+        node.clearCrashed()
+
+# Starts the given nodes. Returns true if all nodes were successfully started.
+def _startNodes(nodes):
+
+    result = True
+
+    filtered = []
+    # Ignore nodes which are still running.
+    for (node, isrunning) in isRunning(nodes):
+        if not isrunning: 
+            filtered += [node]
+            util.output("starting %s ..." % node.tag)
+        else:
+            util.output("%s still running" % node.tag)
+
+    nodes = filtered
+
+    # Generate crash report for any crashed nodes.
+    crashed = [node for node in nodes if node.hasCrashed()]
+    _makeCrashReports(crashed)
+
+    # Make working directories.
+    dirs = [(node, node.cwd()) for node in nodes]
+    nodes = []
+    for (node, success) in execute.mkdirs(dirs):
+        if success:
+            nodes += [node]
+        else:
+            util.output("cannot create working directory for %s" % node.tag)
+            result = False
+
+    # Start Bro process.
+    cmds = []
+    envs = []
+    for node in nodes:
+        cmds += [(node, "start", [node.cwd()] + _makeBroParams(node, True))]
+        envs += [_makeEnvParam(node)]
+
+    nodes = []
+    for (node, success, output) in execute.runHelperParallel(cmds, envs=envs):
+        if success:
+            nodes += [node]
+            node.setPID(int(output[0]))
+        else:
+            util.output("cannot start %s" % node.tag)
+            result = False
+
+    # Check whether processes did indeed start up.
+    hanging = []
+    running = []
+
+    for (node, success) in waitForBros(nodes, "RUNNING", 3, True):
+        if success:
+            running += [node]
+        else:
+            hanging += [node]
+
+    # It can happen that Bro hangs in DNS lookups at startup
+    # which can take a while. At this point we already know
+    # that the process has been started (waitForBro ensures that). 
+    # If by now there is not a TERMINATED status, we assume that it
+    # is doing fine and will move on to RUNNING once DNS is done.
+    for (node, success) in waitForBros(hanging, "TERMINATED", 0, False):
+        if success:
+            util.output("%s terminated immediately after starting; check output with \"diag\"" % node.tag)
+            node.clearPID()
+            result = False
+        else:
+            util.output("(%s still initializing)" % node.tag)
+            running += [node]
+
+    for node in running:
+        cron.logAction(node, "started")
+
+    return result
+
+# Start Bro processes on nodes if not already running.
+def start(nodes):
+
+    if len(nodes) > 0:
+        # User picked nodes to start.
+        _startNodes(nodes)
+        return
+
+    # Start all nodes. Do it in the order manager, proxies, workers. 
+    if not _startNodes(config.Config.nodes("manager")):
+        return
+
+    if not _startNodes(config.Config.nodes("proxies")):
+        return
+
+    if not _startNodes(config.Config.nodes("workers")):
+        return
+
+def _stopNodes(nodes):
+
+    running = []
+
+    # Check for crashed nodes. 
+    for (node, isrunning) in isRunning(nodes):
+        if isrunning: 
+            running += [node]
+            util.output("stopping %s ..." % node.tag)
+        else:
+            if node.hasCrashed():
+                _makeCrashReports([node])
+                util.output("%s not running (was crashed)" % node.tag)
+            else:
+                util.output("%s not running" % node.tag)
+
+    # Helper function to stop nodes with given signal. 
+    def stop(nodes, signal):
+        cmds = []
+        for node in nodes:
+            cmds += [(node, "stop", [node.getPID(), str(signal)])] 
+
+        return execute.runHelperParallel(cmds)
+
+    # Stop nodes.
+    for (node, success, output) in stop(running, 15):
+        if not success:
+            util.output("failed to send stop signal to %s" % node.tag)
+
+    if running:
+        time.sleep(1)
+
+    # Check whether they terminated.
+    terminated = []
+    kill = []
+    for (node, success) in waitForBros(running, "TERMINATED", 60, False):
+        if not success:
+            # Check whether it crashed during shutdown ...
+            result = isRunning([node])
+            for (node, isrunning) in result:
+                if isrunning:
+                    util.output("%s did not terminate ... killing ..." % node.tag)
+                    kill += [node]
+                else:
+                    # crashed flag is set by isRunning().
+                    util.output("%s crashed during shutdown" % node.tag)
+
+    if len(kill):
+        # Kill those which did not terminate gracefully.
+        stop(kill, 9)
+        # Given them a bit to disappear.
+        time.sleep(5) 
+
+    # Check which are still running. We check all nodes to be on the safe side
+    # and give them a bit more time to finally disappear.
+    timeout = 10
+
+    todo = {}
+    for node in running:
+        todo[node.tag] = node
+
+    while True:
+
+        running = isRunning(todo.values(), setcrashed=False)
+
+        for (node, isrunning) in running:
+            if node.tag in todo and not isrunning:
+                # Alright, it's gone. 
+                del todo[node.tag]
+                terminated += [node]
+
+        if len(todo) == 0:
+            # All done.
+            break
+
+        # Wait a bit before we start over.
+
+        if timeout <= 0:
+            break
+
+        time.sleep(1)
+        timeout -= 1
+
+    # Do post-terminate cleanup for those which terminated gracefully.
+    cleanup = [node for node in terminated if not node.hasCrashed()]
+
+    cmds = []
+    for node in cleanup:
+        cmds += [(node, "run-cmd",  [os.path.join(config.Config.scriptsdir, "post-terminate"), node.cwd()])] 
+
+    for (node, success, output) in execute.runHelperParallel(cmds):
+        if not success:
+            util.output("cannot run post-terminate for %s" % node.tag)
+            cron.logAction(node, "stopped (failed)")
+        else:
+            cron.logAction(node, "stopped")
+
+        node.clearPID()
+        node.clearCrashed()
+
+# Stop Bro processes on nodes.
+def stop(nodes):
+
+    if len(nodes) > 0:
+        # User picked nodes to stop.
+        _stopNodes(nodes)
+        return
+
+    # Start all nodes. Do it in the order workers, proxies, manager. 
+    _stopNodes(config.Config.nodes("workers"))
+    _stopNodes(config.Config.nodes("proxies"))
+    _stopNodes(config.Config.nodes("manager"))
+
+# First stop, then start Bro processes on nodes. 
+def restart(nodes, clean):
+
+    if len(nodes) > 0:
+        all_nodes = nodes
+    else:
+        all_nodes = config.Config.nodes()
+
+    util.output("stopping ...")
+    if len(nodes) > 0:
+        # User picked nodes to restart.
+        _stopNodes(nodes)
+    else:
+        stop([])
+
+    if clean:
+        # Can't delete the tmp here because log archival might still be going on there in the background.
+        cleanup(all_nodes, False)
+
+        util.output("checking configuration ...")
+        if not checkConfigs(all_nodes):
+            return 
+
+        util.output("installing ...")
+        install.install(False, False)
+
+    util.output("starting ...")
+    if len(nodes) > 0:
+        _startNodes(nodes)
+    else:
+        start([])
+
+# Output status summary for nodes. 
+def status(nodes):
+
+    util.output("%-10s %-10s %-10s %-13s %-6s %-6s %-20s " % ("Name",  "Type", "Host", "Status", "Pid", "Peers", "Started"))
+
+    all = isRunning(nodes)
+    running = []
+
+    cmds1 = []
+    cmds2 = []
+    for (node, isrunning) in all:
+        if isrunning:
+            running += [node]
+            cmds1 += [(node, "cat-file", ["%s/.startup" % node.cwd()])]
+            cmds2 += [(node, "cat-file", ["%s/.status" % node.cwd()])]
+
+    startups = execute.runHelperParallel(cmds1)
+    statuses = execute.runHelperParallel(cmds2)
+
+    startups = dict([(n.tag, success and util.fmttime(output[0]) or "???") for (n, success, output) in startups])
+    statuses = dict([(n.tag, success and output[0].split()[0].lower() or "???") for (n, success, output) in statuses])
+
+    peers = {}
+    nodes = [n for n in running if statuses[n.tag] == "running"]
+    for (node, success, args) in _queryPeerStatus(nodes):
+        if success:
+            peers[node.tag] = []
+            for f in args[0].split():
+                (key, val) = f.split("=")
+                if key == "peer" and val != "":
+                    peers[node.tag] += [val]
+        else:
+            peers[node.tag] = None
+
+    for (node, isrunning) in all:
+
+        util.output("%-10s " % node.tag, nl=False)
+        util.output("%-10s %-10s " % (node.type, node.host), nl=False)
+
+        if isrunning:
+            util.output("%-13s " % statuses[node.tag], nl=False)
+
+        elif node.hasCrashed():
+            util.output("%-13s " % "crashed", nl=False)
+        else:
+            util.output("%-13s " % "stopped", nl=False)
+
+        if isrunning:
+            util.output("%-6s " % node.getPID(), nl=False)
+
+            if node.tag in peers and peers[node.tag] != None:
+                util.output("%-6d " % len(peers[node.tag]), nl=False)
+            else: 
+                util.output("%-6s " % "???", nl=False)
+
+            util.output("%-8s  " % startups[node.tag], nl=False)
+
+        util.output()
+
+# Outputs state of remote connections for host.     
+
+
+# Helper for getting top output.
+#
+# Returns tuples of the form (node, error, vals) where  'error' is None if we 
+# were able to get the data or otherwise a string with an  error message; 
+# in case there's no error, 'vals' is a list of dicts which map tags to their values.
+#
+# Tags are "pid", "proc", "vsize", "rss", "cpu", and "cmd".
+#
+# We do all the stuff in parallel across all nodes which is why this looks 
+# a bit confusing ...
+def getTopOutput(nodes):
+
+    results = []
+    cmds = []
+
+    running = isRunning(nodes)
+
+    # Get all the PIDs first.
+
+    pids = {}
+    parents = {}
+
+    for (node, isrunning) in running:
+        if isrunning:
+            pid = node.getPID()
+            pids[node.tag] = [int(pid)]
+            parents[node.tag] = pid
+
+            cmds += [(node, "get-childs", [pid])]
+        else:
+            results += [(node, "not running", [{}])]
+            continue
+
+    if not cmds:
+        return results
+
+    for (node, success, output) in execute.runHelperParallel(cmds):
+
+        if not success:
+            results += [(node, "cannot get child pids", [{}])]
+            continue
+
+        pids[node.tag] += [int(line) for line in output]
+
+    cmds = []
+
+    # Now run top.
+    for node in nodes: # Do the loop again to keep the order.
+        if not node.tag in pids:
+            continue
+
+        cmds += [(node, "top", [])]
+
+    if not cmds:
+        return results
+
+    for (node, success, output) in execute.runHelperParallel(cmds):
+
+        if not success:
+            results += [(node, "cannot get top output", [{}])]
+
+        procs = [line.split() for line in output if int(line.split()[0]) in pids[node.tag]]
+
+        if not procs:
+            # It can happen that on the meantime the process is not there anymore.
+            results += [(node, "not running", [{}])]
+            continue
+
+        vals = []
+
+        for p in procs:
+            d = {}
+            d["pid"] = int(p[0])
+            d["proc"] = (p[0] == parents[node.tag] and "parent" or "child") 
+            d["vsize"] = int(p[1])
+            d["rss"] = int(p[2])
+            d["cpu"] = p[3]
+            d["cmd"] = " ".join(p[4:])
+            vals += [d]
+
+        results += [(node, None, vals)]
+
+    return results
+
+# Produce a top-like output for node's processes.
+# If hdr is true, output column headers first. 
+def top(nodes):
+
+    util.output("%-10s %-10s %-10s %-8s %-8s %-8s %-8s %-8s %-8s" % ("Name", "Type", "Node", "Pid", "Proc", "VSize", "Rss", "Cpu", "Cmd"))
+
+    for (node, error, vals) in getTopOutput(nodes):
+
+        if not error:
+            for d in vals:
+                util.output("%-10s " % node.tag, nl=False)
+                util.output("%-10s " % node.type, nl=False)
+                util.output("%-10s " % node.host, nl=False)
+                util.output("%-8s " % d["pid"], nl=False)
+                util.output("%-8s " % d["proc"], nl=False)
+                util.output("%-8s " % prettyPrintVal(d["vsize"]), nl=False)
+                util.output("%-8s " % prettyPrintVal(d["rss"]), nl=False)
+                util.output("%-8s " % ("%s%%" % d["cpu"]), nl=False)
+                util.output("%-8s " % d["cmd"], nl=False)
+                util.output()
+        else:
+            util.output("%-10s " % node.tag, nl=False)
+            util.output("%-8s " % node.type, nl=False)
+            util.output("%-8s " % node.host, nl=False)
+            util.output("<%s> " % error, nl=False)
+            util.output()
+
+def _doCheckConfig(nodes, installed, list_scripts, fullpaths):
+
+    ok = True
+
+    manager = config.Config.manager()
+
+    all = [(node, os.path.join(config.Config.tmpdir, "check-config-%s" % node.tag)) for node in nodes]
+
+    nodes = []
+    for (node, cwd) in all:
+        if os.path.isdir(cwd):
+            if not execute.rmdir(config.Config.manager(), cwd):
+                util.output("cannot remove directory %s on manager" % cwd)
+                continue
+
+        if not execute.mkdir(config.Config.manager(), cwd):
+            util.output("cannot create directory %s on manager" % cwd)
+            continue
+
+        nodes += [(node, cwd)]
+
+    cmds = []
+    for (node, cwd) in nodes:
+
+        env = ""
+        if node.type == "worker" or node.type == "proxy":
+            env = "BRO_%s=%s" % (node.type.upper(), str(node.count))
+
+        dashl = list_scripts and ["-l"] or []
+
+        broargs =  " ".join(dashl + _makeBroParams(node, False)) + " terminate"
+        installed_policies = installed and "1" or "0"
+
+        cmd = os.path.join(config.Config.scriptsdir, "check-config") + " %s %s %s" % (installed_policies, cwd, broargs)
+
+        cmds += [((node, cwd), cmd, env, None)]
+
+    for ((node, cwd), success, output) in execute.runLocalCmdsParallel(cmds):
+
+        if not list_scripts:
+
+            if success:
+                util.output("%s is ok." % node.tag)
+            else:
+                ok = False
+                util.output("%s failed." % node.tag)
+                for line in output:
+                    util.output("   %s" % line)
+
+        else:
+            util.output(node.tag)
+            for line in output:
+                if line.find("loading") >= 0:
+
+                    line = line.replace("loading ", "")
+                    if not fullpaths:
+                        line = re.sub("\S+/", "", line)
+
+                    util.output("   %s" % line)
+
+            if not success:
+                ok = False
+                util.output("%s failed to load all scripts correctly." % node.tag)
+
+        execute.rmdir(manager, cwd)
+
+    return ok
+
+# Check the configuration for nodes without installing first.
+def checkConfigs(nodes):
+    return _doCheckConfig(nodes, False, False, False)
+
+# Extracts the list of loaded scripts from the -l output. 
+def listScripts(nodes, paths, check):
+    _doCheckConfig(nodes, not check, True, paths)
+
+# Report diagostics for node (e.g., stderr output).
+def crashDiag(node):
+
+    util.output("[%s]" % node.tag)
+
+    if not execute.isdir(node, node.cwd()):
+        util.output("No work dir found\n")
+        return
+
+    (rc, output) = execute.runHelper(node, "run-cmd",  [os.path.join(config.Config.scriptsdir, "crash-diag"), node.cwd()])
+    if not rc:
+        util.output("cannot run crash-diag for %s" % node.tag)
+        return
+
+    for line in output:
+        util.output(line)
+
+# Clean up the working directory for nodes (flushes state). 
+# If cleantmp is true, also wipes ${tmpdir}; this is done
+# even when the node is still running.
+def cleanup(nodes, cleantmp=False):
+    util.output("cleaning up nodes ...")
+    result = isRunning(nodes)
+    running =    [node for (node, on) in result if on]
+    notrunning = [node for (node, on) in result if not on]
+
+    execute.rmdirs([(n, n.cwd()) for n in notrunning])
+    execute.mkdirs([(n, n.cwd()) for n in notrunning])
+
+    for node in notrunning:
+        node.clearCrashed();
+
+    for node in running:
+        util.output("   %s is still running, not cleaning work directory" % node.tag)
+
+    if cleantmp:
+        execute.rmdirs([(n, config.Config.tmpdir) for n in running + notrunning])
+        execute.mkdirs([(n, config.Config.tmpdir) for n in running + notrunning])
+
+# Attach gdb to the main Bro processes on the given nodes.    
+def attachGdb(nodes):
+    running = isRunning(nodes)
+
+    cmds = []
+    for (node, isrunning) in running:
+        if isrunning:
+            cmds += [(node, "gdb-attach", ["gdb-%s" % node.tag, config.Config.bro, node.getPID()])]
+
+    results = execute.runHelperParallel(cmds)
+    for (node, success, output) in results:
+        if success:
+            util.output("gdb attached on %s" % node.tag)
+        else:
+            util.output("cannot attach gdb on %s: %s" % node.tag, output)
+
+# Helper for getting capstats output.
+#
+# Returns tuples of the form (node, error, vals) where  'error' is None if we 
+# were able to get the data or otherwise a string with an error message; 
+# in case there's no error, 'vals' maps tags to their values.
+#
+# Tags are those as returned by capstats on the command-line
+#
+# We do all the stuff in parallel across all nodes which is why this looks 
+# a bit confusing ...
+
+# Gather capstats from interfaces.
+def getCapstatsOutput(nodes, interval):
+
+    if not config.Config.capstats:
+        if config.Config.cron == "0":
+            util.warn("do not have capstats binary available")
+        return []
+
+    results = []
+    cmds = []
+
+    hosts = {}
+    for node in nodes:
+        try:
+            hosts[(node.addr, node.interface)] = node
+        except AttributeError:
+            continue
+
+    for (addr, interface) in hosts.keys():
+        node = hosts[addr, interface]
+
+        capstats = [config.Config.capstats, "-i", interface, "-I", str(interval), "-n", "1"]
+
+# Unfinished feature: only consider a particular MAC. Works here for capstats
+# but Bro config is not adapted currently so we disable it for now. 
+#        try:
+#            capstats += ["-f", "\\'", "ether dst %s" % node.ether, "\\'"]
+#        except AttributeError:
+#            pass
+
+        cmds += [(node, "run-cmd", capstats)]
+
+    outputs = execute.runHelperParallel(cmds) 
+
+    for (node, success, output) in outputs:
+
+        if not success:
+            results += [(node, "%s: cannot execute capstats" % node.tag, {})]
+            continue
+
+        fields = output[0].split()
+        vals = { }
+
+        try:
+            for field in fields[1:]:
+                (key, val) = field.split("=")
+                vals[key] = float(val)
+
+            results += [(node, None, vals)]
+
+        except ValueError:
+            results += [(node, "%s: unexpected capstats output: %s" % (node.tag, output[0]), {})]
+
+    return results
+
+# Get current statistics from cFlow. 
+#
+# Returns dict of the form port->(cum-pkts, cum-bytes). 
+#
+# Returns None if we can't run the helper sucessfully.
+def getCFlowStatus():
+    (success, output) = execute.runLocalCmd(os.path.join(config.Config.scriptsdir, "cflow-stats"))
+    if not success or not output:
+        util.warn("failed to run cflow-stats")
+        return None
+
+    vals = {}
+
+    for line in output:
+        try:
+            (port, pps, bps, pkts, bytes) = line.split()
+            vals[port] = (float(pkts), float(bytes))
+        except ValueError:
+            # Probably an error message because we can't connect. 
+            util.warn("failed to get cFlow statistics: %s" % line)
+            return None
+
+    return vals
+
+# Calculates the differences between to getCFlowStatus() calls. 
+# Returns tuples in the same form as getCapstatsOutput() does.
+def calculateCFlowRate(start, stop, interval):
+    diffs = [(port, stop[port][0] - start[port][0], (stop[port][1] - start[port][1])) for port in start.keys() if port in stop]
+
+    rates = []
+    for (port, pkts, bytes) in diffs:
+        vals = { "kpps": "%.1f" % (pkts / 1e3 / interval) }
+        if start[port][1] >= 0:
+            vals["mbps"] = "%.1f" % (bytes * 8 / 1e6 / interval)
+
+        rates += [(port, None, vals)]
+
+    return rates
+
+def capstats(nodes, interval):
+
+    def output(tag, data):
+        util.output("\n%-12s %-10s %-10s (%ds average)" % (tag, "kpps", "mbps", interval))
+        util.output("-" * 30)
+
+        for (port, error, vals) in data:
+
+            if error:
+                util.output(error)
+                continue
+
+            util.output("%-12s " % port, nl=False)
+
+            if not error:
+                util.output("%-10s " % vals["kpps"], nl=False)
+                if "mbps" in vals:
+                    util.output("%-10s " % vals["mbps"], nl=False)
+                util.output()
+            else:
+                util.output("<%s> " % error)
+
+    have_cflow = config.Config.cflowaddress and config.Config.cflowuser and config.Config.cflowpassword
+    have_capstats = config.Config.capstats
+
+    if not have_cflow and not have_capstats:
+        util.warn("do not have capstats binary available")
+        return
+
+    if have_cflow:
+        cflow_start = getCFlowStatus()
+
+    if have_capstats:
+        capstats = [(node.tag, error, vals) for (node, error, vals) in getCapstatsOutput(nodes, interval)]
+
+    else:
+        time.sleep(interval)
+
+    if have_cflow:
+        cflow_stop = getCFlowStatus()
+
+    if have_capstats:    
+        output("Interface", sorted(capstats))
+
+    if have_cflow and cflow_start and cflow_stop:
+        diffs = calculateCFlowRate(cflow_start, cflow_stop, interval)
+        output("cFlow Port", sorted(diffs))
+
+# Update the configuration of a running instance on the fly.     
+def update(nodes):
+
+    running = isRunning(nodes)
+
+    cmds = []
+    for (node, isrunning) in running:
+        if isrunning:
+            env = _makeEnvParam(node)
+            env += " BRO_DNS_FAKE=1"
+            args = " ".join(_makeBroParams(node, False))
+            cmds += [(node.tag, os.path.join(config.Config.scriptsdir, "update") + " %s %s" % (node.tag.replace("worker-", "w"), args), env, None)]
+            util.output("updating %s ..." % node.tag)
+
+    results = execute.runLocalCmdsParallel(cmds)
+
+    for (tag, success, output) in results:
+        if not success:
+            util.output("could not update %s: %s" % (tag, output))
+        else:
+            util.output("%s: %s" % (tag, output[0]))
+
+# Enable/disable types of analysis.
+def toggleAnalysis(types, enable=True):
+
+    ana = config.Config.analysis()
+
+    for t in types:
+        if ana.isValid(t.lower()):
+            ana.toggle(t.lower(), enable)
+        else:
+            util.output("unknown analysis type '%s'" % t)
+
+
+# Print summary of analysis status.
+def showAnalysis():
+    for (tag, status, mechanism, descr) in config.Config.analysis().all():
+        print "%15s is %s  -  %s" % (tag, (status and "enabled " or "disabled"), descr)
+
+# Gets disk space on all volumes relevant to broctl installation.
+# Returns dict which for each node has a list of tuples (fs, total, used, avail).
+def getDf(nodes):
+
+    dirs = ("logdir", "bindir", "helperdir", "cfgdir", "spooldir", "policydir", "libdir", "tmpdir", "staticdir", "scriptsdir")
+
+    df = {}
+    for node in nodes:
+        df[node.tag] = {}
+
+    for dir in dirs:
+        path = config.Config.config[dir]
+
+        cmds = []
+        for node in nodes:
+            cmds += [(node, "df", [path])]
+
+        results = execute.runHelperParallel(cmds)
+
+        for (node, success, output) in results:
+            if success:
+                fields = output[0].split()
+
+                # Ignore NFS mounted volumes.
+                if fields[0].find(":") < 0:
+                    df[node.tag][fields[0]] = fields
+
+
+    result = {}
+    for node in df:
+        result[node] = df[node].values()
+
+    return result 
+
+def df(nodes):
+
+    util.output("%10s  %15s  %-5s  %-5s  %-5s" % ("", "", "total", "avail", "capacity"))
+
+    for (node, dfs) in getDf(nodes).items():
+        for df in dfs:
+            total = float(df[1])
+            used = float(df[2])
+            avail = float(df[3])
+            perc = used * 100.0 / (used + avail)
+
+            util.output("%10s  %15s  %-5s  %-5s  %-5.1f%%" % (node, df[0], 
+                prettyPrintVal(total), 
+                prettyPrintVal(avail), perc))
+
+
+def printID(nodes, id):
+    running = isRunning(nodes)
+
+    events = []
+    for (node, isrunning) in running:
+        if isrunning:
+            events += [(node, "request_id", [id], "request_id_response")]
+
+    results = execute.sendEventsParallel(events)
+
+    for (node, success, args) in results:
+        if success:
+            print "%10s   %s = %s" % (node.tag, args[0], args[1])
+        else:
+            print "%10s   <error: %s>" % (node.tag, args)
+
+def _queryPeerStatus(nodes):
+    running = isRunning(nodes)
+
+    events = []
+    for (node, isrunning) in running:
+        if isrunning:
+            events += [(node, "get_peer_status", [], "get_peer_status_response")]
+
+    return execute.sendEventsParallel(events)
+
+def _queryNetStats(nodes):
+    running = isRunning(nodes)
+
+    events = []
+    for (node, isrunning) in running:
+        if isrunning:
+            events += [(node, "get_net_stats", [], "get_net_stats_response")]
+
+    return execute.sendEventsParallel(events)
+
+def peerStatus(nodes):
+    for (node, success, args) in _queryPeerStatus(nodes):
+        if success:
+            print "%10s\n%s" % (node.tag, args[0])
+        else:
+            print "%10s   <error: %s>" % (node.tag, args)
+
+def netStats(nodes):
+    for (node, success, args) in _queryNetStats(nodes):
+        if success:
+            print "%10s: %s" % (node.tag, args[0]),
+        else:
+            print "%10s: <error: %s>" % (node.tag, args)
+
+def executeCmd(nodes, cmd):
+
+    for special in "|'\"":
+        cmd = cmd.replace(special, "\\" + special)
+
+    cmds = [(n, "run-cmd", [cmd]) for n in nodes]
+
+    for (node, success, output) in execute.runHelperParallel(cmds):
+      util.output("[%s] %s\n> %s" % (node.host, (success and " " or "error"), "\n> ".join(output)))
+
+
+
diff --git a/aux/broctl/BroControl/cron.py b/aux/broctl/BroControl/cron.py
new file mode 100644
index 0000000000..8e77ba6509
--- /dev/null
+++ b/aux/broctl/BroControl/cron.py
@@ -0,0 +1,242 @@
+#! /usr/bin/env python
+#
+# $Id: cron.py 6813 2009-07-07 18:54:12Z robin $
+#
+# Tasks which are to be done on a regular basis from cron.
+
+import os
+import sys
+
+import util
+import config
+import execute
+import control
+import time
+import shutil
+
+# Triggers all activity which is to be done regularly via cron.
+def doCron():
+
+    if config.Config.cronenabled == "0":
+        return
+
+    if not util.lock():
+        return
+
+    util.bufferOutput()
+    config.Config.config["cron"] = "1"  # Flag to indicate that we're running from cron.
+
+    # Check whether nodes are still running an restart if neccessary.
+    for (node, isrunning) in control.isRunning(config.Config.nodes()):
+        if not isrunning and node.hasCrashed():
+            control.start([node])
+
+    # Check for dead hosts.
+    _checkHosts()
+
+    # Generate statistics. 
+    _logStats(5)
+
+    # Check available disk space.
+    _checkDiskSpace()
+
+    # Expire old log files.
+    _expireLogs()
+
+    # Update the HTTP stats directory. 
+    _updateHTTPStats()
+
+    # Run external command if we have one.
+    if config.Config.croncmd:
+        execute.runLocalCmd(config.Config.croncmd)
+
+    # Mail potential output.
+    output = util.getBufferedOutput()
+    if output:
+        util.sendMail("cron: " + output.split("\n")[0], output)
+
+    config.Config.config["cron"] = "0"
+
+    util.unlock()
+
+def logAction(node, action):
+    t = time.time()
+    out = open(config.Config.statslog, "a")
+    print >>out, t, node.tag, "action", action
+    out.close()
+
+def _logStats(interval):
+
+    nodes = config.Config.nodes()
+    top = control.getTopOutput(nodes)
+
+    have_cflow = config.Config.cflowaddress and config.Config.cflowuser and config.Config.cflowpassword
+    have_capstats = config.Config.capstats
+    cflow_start = cflow_end = None
+    capstats = []
+    cflow_rates = []
+
+    if have_cflow:
+        cflow_start = control.getCFlowStatus()
+
+    if have_capstats:
+        capstats = control.getCapstatsOutput(nodes, interval)
+    elif have_cflow:
+        time.sleep(interval)
+
+    if have_cflow:
+        cflow_end = control.getCFlowStatus()
+        if cflow_start and cflow_end:
+            cflow_rates = control.calculateCFlowRate(cflow_start, cflow_end, interval)
+
+    t = time.time()
+
+    out = open(config.Config.statslog, "a")
+
+    for (node, error, vals) in top:
+        if not error:
+            for proc in vals:
+                type = proc["proc"]
+                for (val, key) in proc.items():
+                    if val != "proc":
+                        print >>out, t, node.tag, type, val, key
+        else:
+            print >>out, t, node.tag, "error", "error", error
+
+    for (node, error, vals) in capstats:
+        if not error:
+            for (key, val) in vals.items():
+                # Report if we don't see packets on an interface.
+                tag = "lastpkts-%s" % node.tag
+
+                if key == "pkts":
+                    if tag in config.Config.state:
+                        last = float(config.Config.state[tag])
+                    else:
+                        last = -1.0
+
+                    if float(val) == 0.0 and last != 0.0:
+                        util.output("%s is not seeing any packets on interface %s" % (node.host, node.interface))
+
+                    if float(val) != 0.0 and last == 0.0:
+                        util.output("%s is seeing packets again on interface %s" % (node.host, node.interface))
+
+                    config.Config._setState(tag, val)
+
+                print >>out, t, node.tag, "interface", key, val
+
+        else:
+            print >>out, t, node.tag, "error", "error", error
+
+    for (port, error, vals) in cflow_rates:
+        if not error:
+            for (key, val) in vals.items():
+                print >>out, t, "cflow", port.lower(), key, val
+
+    out.close()
+
+def _checkDiskSpace():
+
+    minspace = float(config.Config.mindiskspace)
+    if minspace == 0.0:
+        return
+
+    for (node, dfs) in control.getDf(config.Config.nodes()).items():
+        for df in dfs:
+            fs = df[0]
+            total = float(df[1])
+            used = float(df[2])
+            avail = float(df[3])
+            perc = used * 100.0 / (used + avail)
+            key = "disk-space-%s%s" % (node, fs.replace("/", "-"))
+
+            if perc > 100 - minspace:
+                try:
+                    if float(config.Config.state[key]) > 100 - minspace:
+                        # Already reported.
+                        continue
+                except KeyError:
+                    pass
+
+                util.output("Disk space low on %s:%s - %.1f%% used." % (node, fs, perc))
+
+            config.Config.state[key] = "%.1f" % perc
+
+def _expireLogs():
+
+    i = int(config.Config.logexpireinterval)
+
+    if not i:
+        return
+
+    (success, output) = execute.runLocalCmd(os.path.join(config.Config.scriptsdir, "expire-logs"))
+
+    if not success:
+        util.output("error running expire-logs\n\n")
+        util.output(output)
+
+def _checkHosts():
+
+    for node in config.Config.hosts():
+
+        tag = "alive-%s" % node.host
+        alive = execute.isAlive(node.addr) and "1" or "0"
+
+        if tag in config.Config.state:
+            previous = config.Config.state[tag]
+
+            if alive != previous:
+                util.output("host %s %s" % (node.host, alive == "1" and "up" or "down"))
+
+        config.Config._setState(tag, alive)
+
+def _getProfLogs():        
+
+    dir = config.Config.statsdir
+    if not os.path.exists(dir):
+        os.mkdir(dir)
+
+    if not os.path.exists(dir) or not os.path.isdir(dir):
+        util.output("cannot create directory %s" % dir)
+        return
+
+    cmds = []
+
+    for node in config.Config.hosts():
+        cmd = os.path.join(config.Config.scriptsdir, "get-prof-log") + " %s %s %s/prof.log" % (node.tag, node.host, node.cwd())
+        cmds += [(node, cmd, [], None)]
+
+    for (node, success, output) in execute.runLocalCmdsParallel(cmds):
+        if not success:
+            util.output("cannot get prof.log from %s" % node.tag)
+
+def _updateHTTPStats():
+
+    # Get the prof.logs.
+    _getProfLogs()
+
+    # Copy stats.dat.
+    shutil.copy(config.Config.statslog, config.Config.statsdir)
+
+    # Creat meta file. 
+    meta = open(os.path.join(config.Config.statsdir, "meta.dat"), "w")
+    for node in config.Config.hosts():
+        print >>meta, "node", node.tag, node.type, node.host
+
+    print >>meta, "time", time.asctime()
+    print >>meta, "version", config.Config.version
+
+    try:
+        print >>meta, "os", execute.captureCmd("uname -a")[1][0]
+    except IndexError:
+        print >>meta, "os <error>"
+
+    try:
+        print >>meta, "host", execute.captureCmd("hostname")[1][0]
+    except IndexError:
+        print >>meta, "host <error>"
+
+    meta.close()
+
+
+
diff --git a/aux/broctl/BroControl/execute.py b/aux/broctl/BroControl/execute.py
new file mode 100644
index 0000000000..23e16c8f2a
--- /dev/null
+++ b/aux/broctl/BroControl/execute.py
@@ -0,0 +1,545 @@
+# $Id: execute.py 6956 2009-12-14 22:01:17Z robin $
+#
+# These modules provides a set of functions to execute actions on a host.
+# If the host is local, it's done direcly; if it's remote we log in via SSH. 
+
+import os
+import sys
+import socket
+import shutil
+import re
+import util
+import time
+import subprocess
+
+import config
+
+haveBroccoli = True
+
+try:
+    import broccoli
+except ImportError:
+    haveBroccoli = False
+
+LocalAddrs = None 
+
+# Wrapper around subprocess.POpen()
+def popen(cmdline, stderr_to_stdout=False):
+    stderr = None
+    if stderr_to_stdout:
+        stderr = subprocess.STDOUT
+
+    # os.setid makes sure that the child process doesn't receive our CTRL-Cs.
+    proc = subprocess.Popen([cmdline], stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=stderr, 
+                            close_fds=True, shell=True, preexec_fn=os.setsid)
+    # Compatibility with older popen4.
+    proc.tochild = proc.stdin
+    proc.fromchild = proc.stdout
+
+    return proc
+
+# Returns true if given node corresponds to the host we're running on.
+def isLocal(node):
+    global LocalAddrs 
+    if not LocalAddrs:
+        (success, output) = runLocalCmd(os.path.join(config.Config.scriptsdir, "local-interfaces"))
+        if not success:
+            if not config.Config.installing():
+                util.warn("cannot get list of local IP addresses")
+
+            try:
+                # This does not work for multi-homed hosts.
+                LocalAddrs = [socket.gethostbyname(socket.gethostname()), "127.0.0.1"]
+            except:
+                LocalAddrs = ["127.0.0.1"]
+        else:
+            LocalAddrs = [line.strip() for line in output]
+
+        util.debug(1, "Local IPs: %s" % ",".join(LocalAddrs))
+
+    return not node or node.host == "localhost" or node.addr in LocalAddrs
+
+# Takes list of (node, dir) pairs and ensures the directories exist on the nodes' host.
+# Returns list of (node, sucess) pairs.
+def mkdirs(dirs):
+
+    results = []
+    cmds = []
+    fullcmds = []
+
+    for (node, dir) in dirs:
+        # We make local directories directly. 
+        if isLocal(node):
+            if not exists(node, dir):
+                util.debug(1, "%-10s %s" % ("[local]", "mkdir %s" % dir))
+                os.mkdir(dir)
+
+            results += [(node, True)]
+
+        else:
+            cmds += [(node, [], [])]
+                # Need to be careful here as our helper scripts may not be installed yet. 
+            fullcmds += [("test -d %s || mkdir %s 2>/dev/null; echo $?; echo ~~~" % (dir, dir))]
+
+    for (node, success, output) in runHelperParallel(cmds, fullcmds=fullcmds):
+        results += [(node, success)]
+
+    return results
+
+# Takes list of (node, dir) pairs and ensures the directories exist on the nodes' host.
+# Returns list of (node, sucess) pairs.
+def mkdir(node, dir):
+    return mkdirs([(node, dir)])[0][1]
+
+def rmdirs(dirs):
+    results = []
+    cmds = []
+
+    for (node, dir) in dirs:
+        # We remove local directories directly. 
+        if isLocal(node):
+            (success, output) = captureCmd("rm -rf %s" % dir)
+            results += [(node, success)]
+        else:
+            cmds += [(node, "rmdir", [dir])]
+
+    for (node, success, output) in runHelperParallel(cmds):
+        results += [(node, success)]
+
+    return results
+
+# Removes the directory on the host if it's there.
+def rmdir(node, dir):
+    return rmdirs([(node, dir)])[0][1]
+
+# Returns true if the path exists on the host.
+def exists(host, path):
+    if isLocal(host):
+        return os.path.lexists(path)
+    else:
+        (success, output) = runHelper(host, "exists", [path])
+        return success
+
+# Returns true if the path exists and refers to a file on the host.
+def isfile(host, path):
+    if isLocal(host):
+        return os.path.isfile(path)
+    else:
+        util.error("isfile() not yet supported for remote hosts")
+
+# Returns true if the path exists and refers to a directory on the host.
+def isdir(host, path):
+    if isLocal(host):
+        return os.path.isdir(path)
+    else:
+        (success, output) = runHelper(host, "is-dir", [path])
+        return success
+
+# Copies src to dst, preserving permission bits.
+# Works for files and directories (non-recursive).
+def install(host, src, dst):
+    if isLocal(host):
+        if not exists(host, src):
+            util.output("file does not exist: %s" % src)
+            return False
+
+        if os.path.isfile(dst):
+            os.remove(dst)
+
+        util.debug(1, "cp %s %s" % (src, dst))
+        shutil.copy2(src, dst)
+        return True
+    else:
+        util.error("install() not yet supported for remote hosts")
+        return False
+
+# rsyns paths from localhost to destination hosts. 
+def sync(nodes, paths):
+
+    cmds = []
+    for n in nodes:
+        args = ["-a", "--delete", "--rsh=\"ssh -o ConnectTimeout=30\""]
+        dst = ["%s:%s/" % (n.host, config.Config.brobase)]
+        args += paths + dst
+        cmdline = "rsync %s" % " ".join(args)
+        cmds += [(n, cmdline, "", None)]
+
+    for (id, success, output) in runLocalCmdsParallel(cmds):
+        if not success:
+            util.warn("error rsyncing to %s: %s" % (id.host, output))
+
+# Checks whether the given host is alive.    
+_deadHosts = {}
+
+def isAlive(host):
+
+    if host in _deadHosts:
+        return False
+
+    (success, output) = runLocalCmd(os.path.join(config.Config.scriptsdir, "is-alive") + " " + host)
+
+    if not success and not config.Config.cron == "1":
+        _deadHosts[host] = True
+        util.warn("host %s is not alive" % host)
+
+    return success
+
+# Runs command locally and returns tuple (success, output)
+# with success being true if the command terminated with exit code 0, 
+# and output being the combinded stdout/stderr output of the command. 
+def captureCmd(cmd, env = "", input = None):
+
+    cmdline = env + " " + cmd
+    util.debug(1, "%-10s %s" % ("[local]", cmdline))
+
+    proc = popen(cmdline, stderr_to_stdout=True)
+
+    if input:
+        print >>proc.tochild, input
+        proc.tochild.close()
+
+    rc = proc.wait()
+    output = [line.strip() for line in proc.fromchild]
+
+    util.debug(1, "%-10s exit code %d" % ("[local]", os.WEXITSTATUS(rc)))
+    for line in output:
+        util.debug(2, "           > %s" % line)
+
+    return (os.WIFEXITED(rc) and os.WEXITSTATUS(rc) == 0, output)
+
+## FIXME: Replace "captureCmd" with "runLocalCmd".
+
+# Runs command locally and returns tuple (success, output)
+# with success being true if the command terminated with exit code 0, 
+# and output being the combinded stdout/stderr output of the command. 
+def runLocalCmd(cmd, env = "", input=None):
+    proc = _runLocalCmdInit("single", cmd, env, input)
+    if not proc:
+        return (False, [])
+
+    return _runLocalCmdWait(proc)
+
+# Same as above but runs a set of local commands in parallel.
+# Cmds is a list of (id, cmd, envs, input) tuples, where id is 
+# an arbitrary cookie identifying each command.
+# Returns a list of (id, success, output) tuples.
+# 'output' is None (vs. []) if we couldn't connect to host.
+def runLocalCmdsParallel(cmds):
+
+    results = []
+    running = []
+
+    for (id, cmd, envs, input) in cmds:
+        proc = _runLocalCmdInit(id, cmd, envs, input)
+        if proc:
+            running += [(id, proc)]
+        else:
+            results += [(id, False, None)]
+
+    for (id, proc) in running:
+        status  = _runLocalCmdWait(proc)
+        if status:
+            (success, output) = status
+            results += [(id, success, output)]
+        else:
+            results += [(id, False, None)]
+
+    return results
+
+def _runLocalCmdInit(id, cmd, env, input):
+
+    if not env:
+        env = ""
+
+    cmdline = env + " " + cmd
+    util.debug(1, "%-10s %s" % ("[local]", cmdline))
+
+    proc = popen(cmdline, stderr_to_stdout=True)
+
+    if input:
+        print >>proc.tochild, input
+
+    proc.tochild.close()
+    return proc
+
+def stripNL(str):
+    if len(str) == 0 or str[-1] != "\n":
+        return str
+
+    return str[0:-1]
+
+def _runLocalCmdWait(proc):
+
+    rc = proc.wait()
+    output = [stripNL(line) for line in proc.fromchild]
+
+    util.debug(1, "%-10s exit code %d" % ("[local]", os.WEXITSTATUS(rc)))
+    for line in output:
+        util.debug(2, "           > %s" % line)
+
+    return (os.WIFEXITED(rc) and os.WEXITSTATUS(rc) == 0, output)
+
+# Runs a helper script from bin/helpers, according to the helper
+# protocol. 
+# If fullcmd is given, this is the exact & complete command line (incl. paths). 
+# Otherwise, cmd is just the helper's name (wo/ path) and args are the 
+# arguments. Env is an optional enviroment variable of the form
+# "key=val". Return value as for captureCmd().
+# 'output' is None (vs. []) if we couldn't connect to host.
+def runHelper(host, cmd=None, args=None, fullcmd=None, env = ""):
+    util.disableSignals()
+    try:
+        status = _runHelperInit(host, cmd, args, fullcmd, env)
+        if not status:
+            return (False, None)
+
+        status = _runHelperWait(status)
+        if not status:
+            return (False, None)
+
+        return status
+
+    finally:
+        util.enableSignals()
+
+# Same as above but runs commands on a set of hosts in parallel.
+# Cmds is a list of (node, cmd, args) tuples.
+# Fullcmds, if given, is a parallel list of full command lines. 
+# Envs, if given, is a parallel list of env variables.
+# Returns a list of (node, success, output) tuples.
+# 'output' is None (vs. []) if we couldn't connect to host.
+def runHelperParallel(cmds, fullcmds = None, envs = None):
+
+    util.disableSignals()
+
+    try:
+        results = []
+        running = []
+
+        for (node, cmd, args) in cmds:
+
+            if fullcmds:
+                fullcmd = fullcmds[0]
+                fullcmds = fullcmds[1:]
+            else:
+                fullcmd = ""
+
+            if envs:
+                env = envs[0]
+                envs = envs[1:]
+            else:
+                env = ""
+
+            status = _runHelperInit(node, cmd, args, fullcmd, env)
+            if status:
+                running += [node]
+            else:
+                results += [(node, False, None)]
+
+        for node in running:
+            status =  _runHelperWait(node)
+            if status:
+                (success, output) = status
+                results += [(node, success, output)]
+            else:
+                results += [(node, False, None)]
+
+        return results
+
+    finally:
+        util.enableSignals()
+
+# Helpers for running helpers. 
+#
+# We keep the SSH sessions open across calls to runHelper.
+Connections = {}
+WhoAmI = None
+
+# FIXME: This is an ugly hack. The __del__ method produces
+# strange unhandled exceptions in the child at termination
+# of the main process. Not sure if disabling the cleanup
+# altogether is a good thing but right now that's the 
+# only fix I can come up with.
+def _emptyDel(self):
+    pass
+subprocess.Popen.__del__ = _emptyDel
+
+def _getConnection(host):
+
+    global WhoAmI
+    if not WhoAmI:
+        (success, output) = captureCmd("whoami")
+        if not success:
+            util.error("can't get 'whoami'")
+        WhoAmI = output[0]
+
+    if not host:
+        host = config.Config.manager()
+
+    if host.tag in Connections:
+        p = Connections[host.tag]
+        if p.poll() != None:
+            # Terminated.
+            global _deadHosts
+            _deadHosts[host.host] = True
+            util.warn("connection to %s broke" % host.host)
+            return None
+
+        return (p.stdin, p.stdout)
+
+    if isLocal(host):
+        cmdline = "sh"
+    else:
+        # Check whether host is alive. 
+        if not isAlive(host.host):
+            return None
+
+        cmdline = "ssh -o ConnectTimeout=30 -l %s %s sh" % (WhoAmI, host.host)
+
+    util.debug(1, "%-10s %s" % ("[local]", cmdline))
+
+    try:
+        p = popen(cmdline)
+    except OSError, e:
+        util.warn("cannot login into %s [IOError: %s]" % (host.host, e))
+        return None
+
+    Connections[host.tag] = p
+    return (p.stdin, p.stdout)
+
+def _runHelperInit(host, cmd, args, fullcmd, env):
+
+    c = _getConnection(host)
+    if not c:
+        return None
+
+    (stdin, stdout) = c
+
+    if not fullcmd:
+        cmdline = "%s %s %s" % (env, os.path.join(config.Config.helperdir, cmd), " ".join(args))
+    else:
+        cmdline = fullcmd
+
+    util.debug(1, "%-10s %s" % (("[%s]" % host.host), cmdline))
+    print >>stdin, cmdline
+    stdin.flush()
+
+    return host
+
+def _runHelperWait(host):
+    output = []
+    while True:
+
+        c = _getConnection(host)
+        if not c:
+            return None
+
+        (stdin, stdout) = c
+
+        line = stdout.readline().strip()
+        if line == "~~~":
+            break
+        output += [line]
+
+    try:
+        rc = int(output[0])
+    except ValueError:
+        util.warn("cannot parse exit code from helper on %s: %s" % (host.host, output[0]))
+        rc = 1
+
+    util.debug(1, "%-10s exit code %d" % (("[%s]" % host.host), rc))
+
+    for line in output:
+        util.debug(2, "           > %s" % line)
+
+    return (rc == 0, output[1:])
+
+# Broccoli communication with running nodes.
+
+# Sends event  to a set of nodes in parallel.
+#
+# events is a list of tuples of the form (node, event, args, result_event).
+#   node:    the destination node.
+#   event:   the name of the event to send (node that receiver must subscribe to it as well).
+#   args:    a list of event args; each arg must be a data type understood by the Broccoli module.
+#   result_event: name of a event the node sends back. None if no event is sent back.
+#
+# Returns a list of tuples (node, success, results_args).
+#   If success is True, result_args is a list of arguments as shipped with the result event, 
+#   or [] if no result_event was specified.
+#   If success is False, results_args is a string with an error message.
+
+def sendEventsParallel(events):
+
+    results = []
+    sent = []
+
+    for (node, event, args, result_event) in events:
+
+        if not haveBroccoli:
+            results += [(node, False, "no Python bindings for Broccoli installed")]
+            continue
+
+        (success, bc) = _sendEventInit(node, event, args, result_event)
+        if success and result_event:
+            sent += [(node, result_event, bc)]
+        else:
+            results += [(node, success, bc)]
+
+    for (node, result_event, bc) in sent:
+        (success, result_args) = _sendEventWait(node, result_event, bc)
+        results += [(node, success, result_args)]
+
+    return results
+
+def _sendEventInit(node, event, args, result_event):
+
+    try:
+        bc = broccoli.Connection("%s:%d" % (node.addr, node.getPort()), broclass="update", 
+                                 flags=broccoli.BRO_CFLAG_ALWAYS_QUEUE, connect=False)
+        bc.subscribe(result_event, _event_callback(bc))
+        bc.got_result = False
+        bc.connect()
+    except IOError, e:
+        util.debug(1, "%-10s broccoli: cannot connect" % (("[%s]" % node.tag)))
+        return (False, str(e))
+
+    util.debug(1, "%-10s broccoli: %s(%s)" % (("[%s]" % node.tag), event, ", ".join(args)))
+    bc.send(event, *args)
+    return (True, bc)
+
+def _sendEventWait(node, result_event, bc):
+    # Wait until we have sent the event out. 
+    cnt = 0
+    while bc.processInput():
+        time.sleep(1)
+
+        cnt += 1
+        if cnt > 10:
+            util.debug(1, "%-10s broccoli: timeout during send" % (("[%s]" % node.tag)))
+            return (False, "time-out")
+
+    if not result_event:
+        return (True, [])
+
+    # Wait for reply event.
+    cnt = 0
+    bc.processInput();
+    while not bc.got_result:
+        time.sleep(1)
+        bc.processInput();
+
+        cnt += 1
+        if cnt > 10:
+            util.debug(1, "%-10s broccoli: timeout during receive" % (("[%s]" % node.tag)))
+            return (False, "time-out")
+
+    util.debug(1, "%-10s broccoli: %s(%s)" % (("[%s]" % node.tag), result_event, ", ".join(bc.result_args)))
+    return (True, bc.result_args)
+
+def _event_callback(bc):
+    def save_results(*args):
+        bc.got_result = True
+        bc.result_args = args
+    return save_results
+
diff --git a/aux/broctl/BroControl/install.py b/aux/broctl/BroControl/install.py
new file mode 100644
index 0000000000..77bf36603d
--- /dev/null
+++ b/aux/broctl/BroControl/install.py
@@ -0,0 +1,556 @@
+#! /usr/bin/env python
+#
+# $Id: install.py 6948 2009-12-03 20:59:41Z robin $
+#
+# Functions to install files on all nodes. 
+
+import os
+import sys
+import glob
+import fileinput
+
+import util
+import execute
+import config
+
+# In all paths given in this file, ${<option>} will replaced with the value of the
+# corresponding configuration option.
+
+# Directories to be created on the manager. Each entry is a pair (path, clean)
+# in which 'clean' is a boolean indicating if True that the path is to be
+# deleted first before it is freshly installed. 
+Dirs = [
+    ("${brobase}", False),
+    ("${brobase}/share", False),
+    ("${staticdir}", True),
+    ("${logdir}", False),
+    ("${bindir}", False),
+    ("${scriptsdir}", False),
+    ("${postprocdir}", False),
+    ("${templatedir}", False),
+    ("${helperdir}", False),
+    ("${cfgdir}", False),
+
+    ("${policydir}", False),
+    ("${defsitepolicypath}", False),
+    ("${policydirsiteinstall}", True),
+    ("${policydirsiteinstallauto}", True),
+    ("${policydirbroctl}", True),
+
+    ("${spooldir}", False),
+    ("${tmpdir}", False),
+    ("${libdir}", False),
+    ("${libdirinternal}", False),
+    ("${libdirinternal}/BroControl", False),
+    ]    
+
+# Additional directories to be createdin development mode.     
+DirsDev = [
+     ("${policydir}/sigs", False),
+     ("${policydir}/time-machine", False),
+     ("${policydir}/xquery", False),
+    ]
+
+# List of files to be installed on the manager. Each entry is a pair
+# (src, dst, replace). 'src' must be a file (globs are ok). 
+# If replace is False, existing files will not be overwritten.
+# If source ends in ".in", it's passed through option substitution and
+# installed without the postfix.
+#
+# Note: all files ending in *.in will be copied first into ${templatedir}, and
+# then from there into their final destination in substitized form. 
+Targets = [ 
+    ("${distdir}/aux/broctl/bin/broctl", "${bindir}", True),
+    ("${distdir}/aux/broctl/aux/trace-summary/trace-summary", "${bindir}", True),
+    ("${distdir}/aux/broctl/aux/capstats/capstats", "${bindir}", True),
+    ("${distdir}/aux/broctl/BroControl/*.py", "${libdirinternal}/BroControl", True),
+    ("${distdir}/aux/broctl/policy/*.bro", "${policydir}/broctl", True),
+    ("${distdir}/aux/broctl/etc/analysis.dat", "${cfgdir}", True),
+    ("${distdir}/aux/broctl/bin/run-bro.in", "${scriptsdir}", True),
+    ("${distdir}/aux/broctl/bin/check-config.in", "${scriptsdir}", True),
+    ("${distdir}/aux/broctl/bin/archive-log.in", "${scriptsdir}", True),
+    ("${distdir}/aux/broctl/bin/delete-log", "${scriptsdir}", True),
+    ("${distdir}/aux/broctl/bin/expire-logs.in", "${scriptsdir}", True),
+    ("${distdir}/aux/broctl/bin/post-terminate.in", "${scriptsdir}", True),
+    ("${distdir}/aux/broctl/bin/crash-diag.in", "${scriptsdir}", True),
+    ("${distdir}/aux/broctl/bin/send-mail.in", "${scriptsdir}", True),
+    ("${distdir}/aux/broctl/bin/mail-alarm.in", "${scriptsdir}", True),
+    ("${distdir}/aux/broctl/bin/update.in", "${scriptsdir}", True),
+    ("${distdir}/aux/broctl/bin/remove-log", "${scriptsdir}", True),
+    ("${distdir}/aux/broctl/bin/is-alive.in", "${scriptsdir}", True),
+    ("${distdir}/aux/broctl/bin/local-interfaces", "${scriptsdir}", True),
+    ("${distdir}/aux/broctl/bin/cflow-stats.in", "${scriptsdir}", True),
+    ("${distdir}/aux/broctl/bin/get-prof-log.in", "${scriptsdir}", True),
+    ("${distdir}/aux/broctl/bin/mail-contents.in", "${scriptsdir}", True),
+    ("${distdir}/aux/broctl/bin/helpers/start.in", "${helperdir}", True),
+    ("${distdir}/aux/broctl/bin/helpers/stop", "${helperdir}", True),
+    ("${distdir}/aux/broctl/bin/helpers/check-pid", "${helperdir}", True),
+    ("${distdir}/aux/broctl/bin/helpers/top.in", "${helperdir}", True),
+    ("${distdir}/aux/broctl/bin/helpers/get-childs", "${helperdir}", True),
+    ("${distdir}/aux/broctl/bin/helpers/df.in", "${helperdir}", True),
+    ("${distdir}/aux/broctl/bin/helpers/cat-file", "${helperdir}", True),
+    ("${distdir}/aux/broctl/bin/helpers/run-cmd", "${helperdir}", True),
+    ("${distdir}/aux/broctl/bin/helpers/to-bytes.awk", "${helperdir}", True),
+    ("${distdir}/aux/broctl/bin/helpers/rmdir", "${helperdir}", True),
+    ("${distdir}/aux/broctl/bin/helpers/is-dir", "${helperdir}", True),
+    ("${distdir}/aux/broctl/bin/helpers/exists", "${helperdir}", True),  
+    ("${distdir}/aux/broctl/bin/postprocessors/summarize-connections.in", "${postprocdir}", True),
+    ("${distdir}/aux/broctl/bin/postprocessors/mail-log.in", "${postprocdir}", True),
+    ("${distdir}/aux/broctl/.python-build/lib/_broccoli_intern.so", "${libdirinternal}", True),
+    ("${distdir}/aux/broctl/.python-build/lib/broccoli.py", "${libdirinternal}", True),
+    ("${distdir}/aux/broctl/.python-build/lib/_SubnetTree.so", "${libdirinternal}", True),
+    ("${distdir}/aux/broctl/.python-build/lib/SubnetTree.py", "${libdirinternal}", True),
+]
+
+# Additional list of files only copied when in development mode. 
+TargetsDev = [
+    # Note that the paths here should match with match Bro's "make install" is
+    # doing.
+    ("${distdir}/src/bro", "${bindir}/bro", True),
+    ("${distdir}/policy/*.bro", "${policydir}", True),
+    ("${distdir}/policy/bro.init", "${policydir}", True),
+    ("${distdir}/policy/sigs/*.sig", "${policydir}/sigs", True),
+    ("${distdir}/policy/time-machine/*.bro", "${policydir}/time-machine", True),
+    ("${distdir}/policy/xquery/*.xq", "${policydir}/xquery", True),
+    ("${distdir}/aux/broccoli/src/.libs/lib*", "${libdir}", True),
+]
+
+# Do not complain if these source files do no exist.
+OptionalTargets = [
+    ("${distdir}/aux/cf/cf", "${bindir}", True),
+    ("${distdir}/aux/hf/hf", "${bindir}", True),
+]
+
+# Diretories/files in form (path, mirror) which are synced from the manager to all nodes. 
+# If 'mirror' is true, the path is fully mirrored recursively, otherwise the 
+# directory is just created.
+Syncs = [
+    ("${brobase}", False),
+    ("${brobase}/share", True),
+    ("${cfgdir}", True),
+    ("${libdir}", True),
+    ("${bindir}", True),
+    # ("${policydir}", True),
+    # ("${staticdir}", True),
+    ("${logdir}", False),
+    ("${spooldir}", False),
+    ("${tmpdir}", False),
+    ];    
+
+def _canonTarget(file, dst):
+    manager = config.Config.manager()
+    if execute.isdir(manager, dst):
+        target = os.path.join(dst, os.path.basename(file))
+    else:
+        target = dst
+
+    subst = False
+    if target.endswith(".in"):
+        target = target[:-3]
+        subst = True
+
+    if file.endswith(".in"):
+        subst = True
+
+    return (target, subst)
+
+# Performs the complete broctl installion process.
+# 
+# If local_only is True, nothing is propagated to other nodes.
+# If make_install is True, the install adapts for usage from a "make install",
+# i.e., it will copy all the static files form the broctl distribution; if
+# False, it will perform the "broctl install" command which only updates
+# dynamically generated files plus the site policy. In development mode,
+# "make_install" is always overridden to be True.
+def install(local_only, make_install):
+    if config.Config.devmode == "1":
+        make_install = True
+
+    config.Config.determineBroVersion()
+
+    manager = config.Config.manager()
+
+    # Delete previously installed policy files to not mix things up.
+    policies = [config.Config.policydirsiteinstall, config.Config.policydirsiteinstallauto]
+
+    if make_install:
+        policies += [config.Config.subst("${policydir}/broctl")]
+
+    for p in policies:
+        if os.path.isdir(p):
+            util.output("removing old policies in %s ..." % p, False)
+            execute.rmdir(manager, p)
+            util.output(" done.")
+
+
+    util.output("creating policy directories ...", False)
+    for p in policies:
+        execute.mkdir(manager, p)
+    util.output(" done.")
+
+    custom = [(os.path.expanduser(file), "${bindir}", True, False) for file in config.Config.custominstallbin.split()]
+    pp = [(os.path.expanduser(file), "${postprocdir}", True, False) for file in config.Config.auxpostprocessors.split()]
+
+    targets = Targets
+    if config.Config.devmode == "1":
+        targets += TargetsDev
+
+    mandatory = [(src, dst, replace, False) for (src, dst, replace) in targets]
+    optional  = [(src, dst, replace, True) for (src, dst, replace) in OptionalTargets]
+
+    if config.Config.standalone == "0":
+        mandatory += [("${distdir}/aux/broctl/etc/node.cfg.cluster.in", "${cfgdir}/node.cfg.example", False, False)]
+        mandatory += [("${distdir}/aux/broctl/etc/broctl.cfg.cluster.in", "${cfgdir}/broctl.cfg.example", False, False)]
+        mandatory += [("${distdir}/aux/broctl/etc/networks.cfg.in", "${cfgdir}/networks.cfg.example", False, True)]
+        mandatory += [("${distdir}/aux/broctl/policy/local/cluster.local-manager.bro-template", "${defsitepolicypath}/local-manager.bro", False, True)]
+        mandatory += [("${distdir}/aux/broctl/policy/local/cluster.local-worker.bro-template", "${defsitepolicypath}/local-worker.bro", False, True)]
+        mandatory += [("${distdir}/aux/broctl/policy/local/cluster.local.bro-template", "${defsitepolicypath}/local.bro", False, True)]
+    else:
+        mandatory += [("${distdir}/aux/broctl/etc/node.cfg.standalone.in", "${cfgdir}/node.cfg", False, False)]
+        mandatory += [("${distdir}/aux/broctl/etc/broctl.cfg.standalone.in", "${cfgdir}/broctl.cfg", False, False)]
+        mandatory += [("${distdir}/aux/broctl/etc/networks.cfg.in", "${cfgdir}/networks.cfg", False, True)]
+        mandatory += [("${distdir}/aux/broctl/policy/local/standalone.local.bro-template", "${defsitepolicypath}/local.bro", False, True)]
+
+    all_targets = mandatory + optional + custom + pp
+
+    if make_install:
+        util.output("creating installation directories ...", False)
+        # Install the static parts of the broctl distribution. 
+        dirs = Dirs
+        if config.Config.devmode == "1":
+            dirs += DirsDev
+
+        for (dir, clean) in dirs:
+            dir = config.Config.subst(dir)
+            if clean:
+                execute.rmdir(manager, dir)
+
+            execute.mkdir(manager, dir)
+
+        util.output(" done.")
+
+        # Copy files.
+        util.output("installing files ...", False)
+
+        for (src, dst, replace, optional) in all_targets:
+            src = config.Config.subst(src)
+            dst = config.Config.subst(dst)
+
+            files = glob.glob(src)
+            if not files and not optional: 
+                util.warn("file does not exist: %s" % src)
+                continue
+
+            for file in files:
+                (target, subst) = _canonTarget(file, dst)
+
+                if not replace and execute.exists(manager, target):
+                    continue
+
+                if subst:
+                    # Installation copies to template directory only.
+                    # Substitution will be performed later. 
+                    target = config.Config.templatedir
+
+                if not execute.install(manager, file, target):
+                    continue
+
+        if manager:
+            if not execute.mkdir(manager, manager.cwd()):
+                util.warn("cannot create %s on manager" % manager.cwd())
+
+        util.output(" done.")
+
+    # Processing the templates by substitung all variables.
+    for (src, dst, replace, optional) in all_targets:
+        # Doesn't work with globs!
+
+        src = config.Config.subst(src)
+        dst = config.Config.subst(dst)
+        file = os.path.join(config.Config.templatedir, os.path.basename(src))
+
+        if not execute.exists(manager, file):
+            continue
+
+        (target, subst) = _canonTarget(file, dst)
+
+        assert subst
+
+        if not replace and execute.exists(manager, target):
+            continue
+
+        if not execute.install(manager, file, target):
+            continue
+
+        for line in fileinput.input(target, inplace=1):
+            print config.Config.subst(line, make_dest=False),
+        fileinput.close()
+
+    # Install local site policy.
+
+    if config.Config.sitepolicypath:
+        util.output("installing site policies ...", False)
+        dst = config.Config.policydirsiteinstall
+        for dir in config.Config.sitepolicypath.split(":"):
+            dir = config.Config.subst(dir)
+            for file in glob.glob(os.path.join(dir, "*")):
+                if execute.isfile(manager, file):
+                    execute.install(manager, file, dst)
+        util.output(" done.")
+
+    if not config.Config.nodes():
+        if config.Config.standalone == "0":
+            return
+
+        # The standalone installs default configs. Start over to read those.
+        util.output("[second install pass]")
+        os.system(config.Config.subst("${bindir}/broctl install"))
+        config.Config.readState()
+        config.Config._readNodes()
+        return
+
+    makeLayout()
+    makeAnalysisPolicy()
+    makeLocalNetworks()
+
+    current = config.Config.subst(os.path.join(config.Config.logdir, "current"), make_dest=False)
+    if not execute.exists(manager, current):
+        try:
+            os.symlink(manager.cwd(), current)
+        except (IOError, OSError), e:
+            util.warn("cannot link %s to %s: %s" % (manager.cwd(), current, e))
+
+    if local_only:
+        return
+
+    # Sync to clients.
+    util.output("updating nodes ... ", False)
+
+    hosts = {}
+    nodes = []
+
+    for n in config.Config.nodes():
+        # Make sure we do each host only once.
+        if n.host in hosts:
+            continue
+
+        hosts[n.host] = 1
+
+        if n == manager:
+            continue
+
+        if not execute.isAlive(n.addr):
+            continue
+
+        nodes += [n]
+
+    if config.Config.havenfs != "1":
+        # Non-NFS, need to explicitly synchronize.
+        dirs = []
+        for dir in [config.Config.subst(dir) for (dir, mirror) in Syncs if not mirror]:
+            dirs += [(n, dir) for n in nodes]
+
+        for (node, success) in execute.mkdirs(dirs):
+            if not success:
+                util.warn("cannot create directory %s on %s" % (dir, node.tag))
+
+        paths = [config.Config.subst(dir) for (dir, mirror) in Syncs if mirror]                
+        execute.sync(nodes, paths)
+        util.output("done.")
+
+        # Note: the old code created $brobase explicitly but it seems the loop above should 
+        # already take care of that.
+
+    else:
+        # NFS. We only need to take care of the spool/log directoryies.
+        paths = [config.Config.spooldir]
+        paths += [config.Config.logdir]
+
+        dirs = []
+        for dir in paths:
+            dirs += [(n, dir) for n in nodes]
+
+        for (node, success) in execute.mkdirs(dirs):
+            if not success:
+                util.warn("cannot create directory on %s" % (dir, node.tag))
+        util.output("done.")
+
+# Create Bro-side broctl configuration broctl-layout.bro.        
+
+port = -1
+
+def makeLayout():
+    def nextPort(node):
+        global port
+        port += 1
+        node.setPort(port)
+        return port
+
+    global port
+    port = 47759
+    manager = config.Config.manager()
+
+    if not manager:
+        return
+
+    util.output("generating broctl-layout.bro ...", False)
+
+    out = open(os.path.join(config.Config.policydirsiteinstallauto, "broctl-layout.bro"), "w")
+    print >>out, "# Automatically generated. Do not edit.\n"
+    print >>out, "redef BroCtl::manager = [$ip = %s, $p=%s/tcp, $tag=\"%s\"];\n" % (manager.addr, nextPort(manager), manager.tag);
+
+    proxies = config.Config.nodes("proxy")
+    print >>out, "redef BroCtl::proxies = {"
+    for p in proxies:
+        tag = p.tag.replace("proxy-", "p")
+        print >>out, "\t[%d] = [$ip = %s, $p=%s/tcp, $tag=\"%s\"]," % (p.count, p.addr, nextPort(p), tag)
+    print >>out, "};\n"
+
+    workers = config.Config.nodes("worker")
+    print >>out, "redef BroCtl::workers = {"
+    for s in workers:
+        tag = s.tag.replace("worker-", "w")
+        p = s.count % len(proxies) + 1
+        print >>out, "\t[%d] = [$ip = %s, $p=%s/tcp, $tag=\"%s\", $interface=\"%s\", $proxy=BroCtl::proxies[%d]]," % (s.count, s.addr, nextPort(s), tag, s.interface, p)
+    print >>out, "};\n"
+
+    print >>out, "redef BroCtl::log_dir = \"%s\";\n" % config.Config.subst(config.Config.logdir, make_dest=False)
+	
+    # Activate time-machine support if configured.
+    if config.Config.timemachinehost:
+        print >>out, "redef BroCtl::tm_host = %s;\n" % config.Config.timemachinehost
+        print >>out, "redef BroCtl::tm_port = %s;\n" % config.Config.timemachineport
+        print >>out
+
+    util.output(" done.")
+
+# Create Bro script to enable the selected types of analysis.
+def makeAnalysisPolicy():
+    manager = config.Config.manager()
+
+    if not manager:
+        return
+
+    util.output("generating analysis-policy.bro ...", False)
+
+    out = open(os.path.join(config.Config.policydirsiteinstallauto, "analysis-policy.bro"), "w")
+    print >>out, "# Automatically generated. Do not edit.\n"
+
+    disabled_event_groups = []
+    booleans = []
+    warns = []
+
+    analysis = config.Config.analysis()
+    redo = False
+
+    for (type, state, mechanisms, descr) in analysis.all():
+
+        for mechanism in mechanisms.split(","):
+
+            try:
+                i = mechanism.index(":")
+                scheme = mechanism[0:i]
+                arg = mechanism[i+1:]
+            except ValueError:
+                util.warn("error in %s: ignoring mechanism %s" % (config.Config.analysiscfg, mechanism))
+                continue
+
+            if scheme == "events":
+                # Default is on so only need to record those which are disabled.
+                if not state:
+                    disabled_event_groups += [type]
+
+            elif scheme == "bool":
+                booleans += [(arg, state)]
+
+            elif scheme == "bool-inv":
+                booleans += [(arg, not state)]
+
+            elif scheme == "disable":
+                if state:
+                    continue
+
+                if not analysis.isValid(arg):
+                    util.warn("error in %s: unknown type '%s'" % (config.Config.analysiscfg, arg))
+                    continue
+
+                if analysis.isEnabled(arg):
+                    warns += ["disabled analysis %s (depends on %s)" % (arg, type)]
+                    analysis.toggle(arg, False)
+                    redo = True
+
+            else:
+                util.warn("error in %s: ignoring unknown mechanism scheme %s" % (config.Config.analysiscfg, scheme))
+                continue
+
+    if disabled_event_groups:
+        print >>out, "redef AnalysisGroups::disabled_groups = {"
+        for g in disabled_event_groups:
+            print >>out, "\t\"%s\"," % g
+        print >>out, "};\n"
+
+    for (var, val) in booleans:
+        print >>out, "@ifdef ( %s )" % var
+        print >>out, "redef %s = %s;" % (var, val and "T" or "F");
+        print >>out, "@endif\n" 
+    print >>out, "\n"
+
+    out.close()
+
+    util.output(" done.")
+
+    for w in warns:
+        util.warn(w)
+
+    if redo:
+        # Second pass.
+        makeAnalysisPolicy()
+
+# Reads in a list of networks from file.
+def readNetworks(file):
+
+    nets = []
+
+    for line in open(file):
+        line = line.strip()
+        if not line or line.startswith("#"):
+            continue
+
+        fields = line.split()
+        nets += [(fields[0], " ".join(fields[1:]))]
+
+    return nets
+
+
+# Create Bro script which contains a list of local networks. 
+def makeLocalNetworks():
+
+    netcfg = config.Config.localnetscfg
+
+    if not os.path.exists(netcfg):
+        if not config.Installing:
+            util.warn("list of local networks does not exist in %s" % netcfg)
+        return
+
+    util.output("generating local-networks.bro ...", False)
+
+    out = open(os.path.join(config.Config.policydirsiteinstallauto, "local-networks.bro"), "w")
+    print >>out, "# Automatically generated. Do not edit.\n"
+
+    netcfg = config.Config.localnetscfg
+
+    if os.path.exists(netcfg):
+        nets = readNetworks(netcfg)
+
+        print >>out, "redef local_nets = {"
+        for (cidr, tag) in nets:
+            print >>out, "\t%s," % cidr,
+            if tag != "":
+                print >>out, "\t# %s" % tag,
+            print >>out
+        print >>out, "};\n"
+
+    util.output(" done.")
+
+
+
diff --git a/aux/broctl/BroControl/options.py b/aux/broctl/BroControl/options.py
new file mode 100644
index 0000000000..e07cdfc704
--- /dev/null
+++ b/aux/broctl/BroControl/options.py
@@ -0,0 +1,251 @@
+# $Id: options.py 6813 2009-07-07 18:54:12Z robin $
+#
+# Configuration options. 
+#
+# If started directly, will print option reference documentation.
+
+class Option:
+
+    # Options category.
+    USER = 1       # Standard user-configurable option.
+    INTERNAL = 2   # internal, don't expose to user. 
+    AUTOMATIC = 3  # Set automatically, unlikely to be changed.
+
+    def __init__(self, name, default, type, category, dontinit, description):
+        self.name = name
+        self.default = default
+        self.type = type
+        self.dontinit = dontinit
+        self.category = category
+        self.description = description
+
+options = [
+    # User options.
+    Option("Debug", "0", "bool", Option.USER, False, 
+           "Enable extensive debugging output in spool/debug.log."),
+
+    Option("HaveNFS", "0", "bool", Option.USER, False, 
+           "True if shared files are mounted across all nodes via NFS (see FAQ)."),
+    Option("SaveTraces", "0", "bool", Option.USER, False,
+           "True to let backends capture short-term traces via '-w'. These are not archived but might be helpful for debugging."),
+    Option("DevMode", "0", "bool", Option.USER, False,
+           "Enable development mode, which changes how things are installed by the _install_ command."),
+
+    Option("LogDir", "${BroBase}/logs", "string", Option.USER, False,
+           "Directory for archived log files."),
+
+    Option("SendMail", "1", "bool", Option.USER, False,
+           "True if shell may send mails."),
+    Option("MailSubjectPrefix", "[Bro]", "string", Option.USER, False,
+           "General Subject prefix for broctl-generated mails."),
+    Option("MailAlarmPrefix", "ALERT:", "string", Option.USER, False,
+           "Subject prefix for individual alerts triggered by NOTICE_EMAIL."),
+    Option("MailReplyTo", "", "string", Option.USER, False,
+           "Reply-to address for broctl-generated mails."),
+    Option("MailTo", "<user>", "string", Option.USER, True,
+           "Destination address for broctl-generated non-alarm mails. Default is to use the same address as +MailTo+."),
+    Option("MailAlarmsTo", "${MailTo}", "string", Option.USER, True,
+           "Destination address for broctl-generated alarm mails."),
+    Option("MailFrom", "Big Brother <bro@localhost>", "string", Option.USER, True,
+           "Originator address for broctl-generated mails."),
+
+    Option("MailAlarms", "1", "bool", Option.USER, False,
+           "True if Bro should send mails for NOTICE_EMAIL alerts."),
+    Option("MinDiskSpace", "5", "int", Option.USER, False,
+           "Percentage of minimum disk space available before warning is mailed."),
+    Option("LogExpireInterval", "30", "int", Option.USER, False,
+           "Number of days log files are kept."),
+    Option("BroArgs", "", "string", Option.USER, False,
+           "Additional arguments to pass to Bro on the command-line."),
+    Option("MemLimit", "unlimited", "string", Option.USER, False,
+           "Maximum amount of memory for Bro processes to use (in KB, or the string 'unlimited')."),
+
+    Option("TimeFmt", "%d %b %H:%M:%S", "string", Option.USER, False,
+           "Format string to print data/time specifications (see 'man strftime')."),
+
+    Option("Prefixes", "local", "string", Option.USER, False,
+           "Additional script prefixes for Bro, separated by colons. Use this instead of @prefix."),
+
+    Option("AuxScriptsManager", "", "string", Option.USER, False,
+           "Additional Bro scripts loaded on the manager, separated by spaces."),
+    Option("AuxScriptsWorker", "", "string", Option.USER, False,
+           "Additional Bro scripts loaded on the workers, separated by spaces."),
+    Option("AuxScriptsStandalone", "", "string", Option.USER, False,
+           "Additional Bro scripts loaded on a standalone Brothe manage, separated by spaces."),
+
+    Option("AuxPostProcessors", "", "string", Option.USER, False,
+           "Additional log postprocessors, with paths separated by spaces."),
+
+    Option("SitePolicyManager", "local-manager.bro", "string", Option.USER, False,
+           "Local policy file for manager."),
+    Option("SitePolicyWorker", "local-worker.bro", "string", Option.USER, False,
+           "Local policy file for workers."),
+    Option("SitePolicyStandalone", "local.bro", "string", Option.USER, False,
+           "Local policy file for standalone Bro."),
+
+    Option("CustomInstallBin", "", "string", Option.USER, False,
+           "Additional executables to be installed into ${BinDir}, including full path and separated by spaces."),
+
+    Option("CronCmd", "", "string", Option.USER, False,
+           "A custom command to run everytime the cron command has finished."),
+
+    Option("CFlowAddr", "", "string", Option.USER, False,
+           "If a cFlow load-balander is used, the address of the device (format: <ip>:<port>)."),
+    Option("CFlowUser", "", "string", Option.USER, False,
+           "If a cFlow load-balander is used, the user name for accessing its configuration interface."),
+    Option("CFlowPassword", "", "string", Option.USER, False,
+           "If a cFlow load-balander is used, the password for accessing its configuration interface."),
+		   
+    Option("TimeMachineHost", "", "string", Option.USER, False,
+           "If the manager should connect to a Time Machine, the address of the host it is running on."),
+    Option("TimeMachinePort", "47757/tcp", "string", Option.USER, False,
+           "If the manager should connect to a Time Machine, the port it is running on (in Bro syntax, e.g., +47757/tcp+."),
+		
+    # Automatically set.
+    Option("BroBase", "", "string", Option.AUTOMATIC, True, 
+           "Base path of broctl installation on all nodes."),
+    Option("DistDir", "", "string", Option.AUTOMATIC, True, 
+           "Path to Bro distribution directory."),
+    Option("Version", "", "string", Option.AUTOMATIC, True, 
+           "Version of the broctl."),
+    Option("StandAlone", "0", "bool", Option.AUTOMATIC, True, 
+           "True if running in stand-alone mode (see elsewhere)."),
+    Option("OS", "", "string", Option.AUTOMATIC, True, 
+           "Name of operation systems as reported by uname."),
+    Option("Time", "", "string", Option.AUTOMATIC, True, 
+           "Path to time binary."),
+
+    Option("HaveBroccoli", "", "bool", Option.AUTOMATIC, False,
+           "True if Broccoli interface is available."),
+
+    Option("BinDir", "${BroBase}/bin", "string", Option.AUTOMATIC, False,
+           "Directory for executable files."),
+    Option("ScriptsDir", "${BroBase}/share/broctl/scripts", "string", Option.AUTOMATIC, False,
+           "Directory for executable scripts shipping as part of broctl."),
+    Option("PostProcDir", "${BroBase}/share/broctl/scripts/postprocessors", "string", Option.AUTOMATIC, False,
+           "Directory for log postprocessors."),
+    Option("HelperDir", "${BroBase}/share/broctl/scripts/helpers", "string", Option.AUTOMATIC, False,
+           "Directory for broctl helper scripts."),
+    Option("CfgDir", "${BroBase}/etc", "string", Option.AUTOMATIC, False,
+           "Directory for configuration files."),
+    Option("SpoolDir", "${BroBase}/spool", "string", Option.AUTOMATIC, False,
+           "Directory for run-time data."),
+    Option("PolicyDir", "${BroBase}/share/bro", "string", Option.AUTOMATIC, False,
+           "Directory for standard policy files."),
+    Option("StaticDir", "${BroBase}/share/broctl", "string", Option.AUTOMATIC, False,
+           "Directory for static, arch-independent files."),
+    Option("TemplateDir", "${BroBase}/share/broctl/templates", "string", Option.AUTOMATIC, False,
+           "Directory where the *.in templates are copied into."),
+
+    Option("LibDir", "${BroBase}/lib", "string", Option.AUTOMATIC, False,
+           "Directory for library files."),
+    Option("LibDirInternal", "${BroBase}/lib/broctl", "string", Option.AUTOMATIC, False,
+           "Directory for broctl-specific library files."),
+    Option("TmpDir", "${SpoolDir}/tmp", "string", Option.AUTOMATIC, False,
+           "Directory for temporary data."),
+    Option("TmpExecDir", "${SpoolDir}/tmp", "string", Option.AUTOMATIC, False,
+           "Directory where binaries are copied before execution."),
+    Option("StatsDir", "${LogDir}/stats", "string", Option.AUTOMATIC, False,
+           "Directory where statistics are kepts."),
+
+    Option("TraceSummary", "${bindir}/trace-summary", "string", Option.AUTOMATIC, False, 
+           "Path to trace-summary script; empty if not available."),
+    Option("Capstats", "${bindir}/capstats", "string", Option.AUTOMATIC, False, 
+           "Path to capstats binary; empty if not available."),
+
+    Option("NodeCfg", "${CfgDir}/node.cfg", "string", Option.AUTOMATIC, False,
+           "Node configuration file."),
+    Option("LocalNetsCfg", "${CfgDir}/networks.cfg", "string", Option.AUTOMATIC, False,
+           "File definining the local networks."),
+    Option("AnalysisCfg", "${CfgDir}/analysis.dat", "string", Option.AUTOMATIC, False,
+           "Configuration file defining types of analysis which can be toggled on-the-fly."),
+    Option("StateFile", "${SpoolDir}/broctl.dat", "string", Option.AUTOMATIC, False,
+           "File storing the current broctl state."),
+    Option("LockFile", "${SpoolDir}/lock", "string", Option.AUTOMATIC, False,
+           "Lock file preventing concurrent shell operations."),
+
+    Option("DebugLog", "${SpoolDir}/debug.log", "string", Option.AUTOMATIC, False,
+           "Log file for debugging information."),
+    Option("StatsLog", "${SpoolDir}/stats.log", "string", Option.AUTOMATIC, False,
+           "Log file for statistics."),
+
+    Option("SitePolicyPath", "${PolicyDir}/site", "string", Option.USER, False,
+           "Directories to search for local policy files, separated by colons."),           
+
+    Option("DefSitePolicyPath", "${PolicyDir}/site", "string", Option.INTERNAL, False,
+           "Default directory to search for local policy files."),           
+
+    Option("PolicyDirSiteInstall", "${PolicyDir}/.site", "string", Option.AUTOMATIC, False,
+           "Directory where the shell copies local policy scripts when installing."),
+    Option("PolicyDirSiteInstallAuto", "${PolicyDir}/.site/auto", "string", Option.AUTOMATIC, False,
+           "Directory where the shell copies auto-generated local policy scripts when installing."),
+    Option("PolicyDirBroCtl", "${PolicyDir}/broctl", "string", Option.AUTOMATIC, False,
+           "Directory where the shell copies the additional broctl policy scripts when installing."),
+
+    Option("Scripts-Manager", "cluster-manager", "string", Option.AUTOMATIC, False,
+           "Bro scripts loaded on the manager, separated by spaces."),
+    Option("Scripts-Worker", "cluster-worker", "string", Option.AUTOMATIC, False,
+           "Bro scripts loaded on the workers, separated by spaces."),
+    Option("Scripts-Proxy", "cluster-proxy", "string", Option.AUTOMATIC, False,
+           "Bro scripts loaded on the proxies, separated by spaces."),
+    Option("Scripts-Standalone", "standalone", "string", Option.AUTOMATIC, False,
+           "Bro scripts loaded on a standalone Bro, separated by spaces."),
+
+    # Internal, not documented. 
+    Option("SigInt", "0", "bool", Option.INTERNAL, False,
+           "True if SIGINT has been received."),
+
+    Option("Cron-Enabled", "1", "bool", Option.INTERNAL, False,
+           "True if cron command is enabled; if False, cron is silently ignored."),
+
+    Option("Home", "", "string", Option.INTERNAL, False, 
+           "User's home directory."),
+
+    Option("Cron", "0", "bool", Option.INTERNAL, False,
+           "True if we running from the cron command."),
+
+
+]
+
+def printOptions(cat):
+
+    for opt in sorted(options, key=lambda o: o.name):
+
+        if opt.category != cat:
+            continue
+
+        default = ""
+
+        if not opt.type:
+            print >>sys.stderr, "no type given for", opt.name
+
+        if opt.default and opt.type == "string":
+            opt.default = '"%s"' % opt.default
+
+        if not opt.default and opt.type == "string":
+            opt.default = "_empty_"      
+			
+        if opt.default:
+            default = ", default %s" % opt.default
+
+        default = default.replace("{", "\\{")
+        description = opt.description.replace("{", "\\{")    
+
+        print "[[opt_%s]] *%s* (%s%s)::\n%s" % (opt.name, opt.name, opt.type, default, description)
+
+
+if __name__ == '__main__':
+
+    print "// Automatically generated. Do not edit."
+    print
+    print "User Options"
+    print "~~~~~~~~~~~~"
+
+    printOptions(Option.USER)
+
+    print
+    print "Internal Options"
+    print "~~~~~~~~~~~~~~~~"
+    print
+
+    printOptions(Option.AUTOMATIC)
diff --git a/aux/broctl/BroControl/util.py b/aux/broctl/BroControl/util.py
new file mode 100644
index 0000000000..4af1440659
--- /dev/null
+++ b/aux/broctl/BroControl/util.py
@@ -0,0 +1,283 @@
+#! /usr/bin/env python
+#
+# $Id: util.py 6956 2009-12-14 22:01:17Z robin $
+
+import os
+import sys
+import socket
+import imp
+import re
+import time
+import tempfile
+import signal
+import StringIO
+import tty
+import termios
+import select
+import curses
+import atexit
+
+import config
+import execute
+
+def fmttime(t):
+    return time.strftime(config.Config.timefmt, time.localtime(float(t)))
+
+Buffer = None
+
+def bufferOutput():
+    global Buffer
+    Buffer = StringIO.StringIO()
+
+def getBufferedOutput():
+    global Buffer
+    buffer = Buffer.getvalue()
+    Buffer.close()
+    Buffer = None
+    return buffer
+
+def output(msg = "", nl = True):
+
+    debug(1, "[output] %s %s" % (msg, (not nl) and "..." or ""))
+
+    if Buffer:
+        out = Buffer
+    else:
+        out = sys.stderr
+
+    out.write(msg)
+    if nl:
+        out.write("\n")
+
+def error(msg):
+    output("error: %s" % msg)
+    sys.exit(1)
+
+def warn(msg):
+    output("warning: %s" % msg)
+
+DebugOut = None    
+
+def debug(msglevel, msg):
+    global DebugOut
+
+    try:
+        level = int(config.Config.debug)
+    except ValueError:
+        level = 0
+
+    if level < msglevel:
+        return
+
+    if not DebugOut:
+        try:
+            DebugOut = open(config.Config.debuglog, "a")
+        except IOError:
+            # During the initial install, tmpdir hasn't been setup yet. So we
+            # fall back to current dir.
+            DebugOut = open("debug.log", "a")
+
+    print >>DebugOut, time.strftime(config.Config.timefmt, time.localtime(time.time())), msg
+    DebugOut.flush()
+
+def sendMail(subject, body):
+    cmd = "%s '%s'" % (os.path.join(config.Config.scriptsdir, "send-mail"), subject)
+    (success, output) = execute.captureCmd(cmd, "", body)
+    if not success:
+        warn("cannot send mail")
+
+lockCount = 0        
+
+def _breakLock():
+    try:
+        # Check whether lock is stale.
+        pid = open(config.Config.lockfile, "r").readline().strip()
+        (success, output) = execute.runHelper(config.Config.manager(), "check-pid", args=[pid])
+        if success:
+            # Process still exissts.
+            return False
+
+        # Break lock.
+        warn("removing stale lock")
+        os.unlink(config.Config.lockfile)
+        return True
+
+    except IOError:
+        return False
+
+def _aquireLock():
+    if not config.Config.manager() or config.Installing:
+        # Initial install.
+        return True
+
+    pid = str(os.getpid())
+    tmpfile = config.Config.lockfile + "." + pid
+
+    try:
+        try:
+            # This should be NFS-safe.
+            f = open(tmpfile, "w")
+            print >>f, pid
+            f.close()
+
+            n = os.stat(tmpfile)[3]
+            os.link(tmpfile, config.Config.lockfile)
+            m = os.stat(tmpfile)[3]
+
+            if n == m-1:
+                return True
+
+            # File is locked.
+            if _breakLock():
+                return _aquireLock()
+
+        except OSError, e:
+            # File is already locked.
+            if _breakLock():
+                return _aquireLock()
+
+        except IOError, e:
+            if not config.Config.installing():
+                error("cannot aquire lock: %s" % e)
+                return False
+            else:
+                # The spool directory may not exist yet so we 
+                # silently ignore the failed lock.
+                return True
+
+    finally:
+        try:
+            os.unlink(tmpfile)
+        except OSError:
+            pass
+        except IOError: 
+            pass
+
+    return False
+
+def _releaseLock():
+    try:
+        os.unlink(config.Config.lockfile)
+    except OSError, e:
+        if not config.Config.installing():
+            warn("cannot remove lock file: %s" % e)
+
+def lock():
+    global lockCount
+
+    if lockCount > 0:
+        # Already locked.
+        lockCount += 1
+        return True
+
+    if not _aquireLock():
+        
+        if config.Config.cron == "1":
+            do_output = 0
+        else:
+            do_output = 2
+            
+        if do_ouput:
+            output("waiting for lock ...", nl=False)
+
+        count = 0
+        while not _aquireLock():
+            if do_output:
+                output(".", nl=False)
+            time.sleep(1)
+
+            count += 1
+            if count > 30:
+                output("cannot get lock") # always output this one.
+                return False
+
+        if do_output:
+            output(" ok")
+
+    lockCount = 1
+    return True
+
+def unlock():
+    global lockCount
+
+    if lockCount == 0:
+        error("mismatched lock/unlock")
+
+    if lockCount > 1:
+        # Still locked.
+        lockCount -= 1
+        return
+
+    _releaseLock()
+
+    lockCount = 0
+
+# Keyboard interrupt handler.
+def sigIntHandler(signum, frame):
+    config.Config.config["sigint"] = "1" 
+
+def enableSignals():
+    signal.signal(signal.SIGINT, sigIntHandler)
+
+def disableSignals():
+    signal.signal(signal.SIGINT, signal.SIG_IGN)
+
+
+# Curses functions
+
+_Stdscr = None
+
+def _finishCurses():
+    curses.nocbreak(); 
+    curses.echo()
+    curses.endwin()
+
+def _initCurses():
+    global _Stdscr
+    atexit.register(_finishCurses)
+    _Stdscr = curses.initscr()
+
+def enterCurses():    
+    if not _Stdscr:
+        _initCurses()
+
+    curses.cbreak()
+    curses.noecho()
+    _Stdscr.nodelay(1)
+    
+    signal.signal(signal.SIGWINCH, signal.SIG_IGN)
+
+def leaveCurses():
+    curses.reset_shell_mode()
+    signal.signal(signal.SIGWINCH, signal.SIG_DFL)
+
+# Check non-blockingly for a key press and returns it, or return None if no
+# key is found. enter/leaveCurses must surround the getc() call.
+def getCh():
+    ch = _Stdscr.getch()
+
+    if ch < 0:
+        return None
+
+    return chr(ch)
+
+def clearScreen():
+    if not _Stdscr:
+        _initCurses()
+
+    _Stdscr.clear()
+
+def printLines(lines):
+    y = 0
+    for line in lines.split("\n"):
+        try:
+            _Stdscr.insnstr(y, 0, line, len(line))
+        except:
+            pass
+        y += 1
+        
+    try:
+        _Stdscr.insnstr(y, 0, "", 0)
+    except:
+        pass
+
diff --git a/aux/broctl/Makefile.in b/aux/broctl/Makefile.in
new file mode 100644
index 0000000000..15248155d7
--- /dev/null
+++ b/aux/broctl/Makefile.in
@@ -0,0 +1,70 @@
+# $Id: Makefile.in 6952 2009-12-05 00:23:47Z robin $
+
+VPATH = $BROCTLSRC
+
+# capstats will be handled separately. 
+DIST_IGNORE = config.status aux/capstats
+
+all: pybroccoli pysubnettree capstats config.status
+
+config.status: $BROCTLSRC/bin/broctl.in $BROCTLSRC/Makefile.in $BROCTLSRC/VERSION
+	./config.status
+
+install:
+
+install-broctl: 
+	MAKE_DESTDIR=$(DESTDIR) ./bin/make-wrapper install --make
+
+install-local: 
+	MAKE_DESTDIR=$(DESTDIR) ./bin/make-wrapper install --local
+
+print-config:
+	./bin/make-wrapper config
+
+clean:
+	rm -f BroControl/*.pyc
+	rm -rf .python-build
+	( cd aux/capstats && ${MAKE} clean)
+
+distclean:
+	rm -f config.status Makefile bin/broctl bin/make-wrapper
+	rm -f BroControl/*.pyc
+	rm -rf .python-build
+	( cd aux/capstats && ${MAKE} distclean)
+	rm -rf aux/capstats/capstats-* 
+    
+distdir:
+	@test x"$(distdir)" != x"" || ( echo error: 'make dist' must be called from top-level Makefile && exit 1 )
+	rm -f .exclude
+	for i in $(DIST_IGNORE); do echo $$i >>.exclude; done;
+	find . -regex '.*/\.svn' | sed 's#^\./##g' >>.exclude
+	tar cf - -X .exclude * | ( cd $(distdir) && tar xf - )
+	rm -f .exclude
+
+	mkdir $(distdir)/aux/capstats; 
+	( cd aux/capstats; unset MAKEFLAGS; distdir="" top_distdir="" make distdir; ) 
+	( cd aux/capstats/capstats-* && tar cf - . ) | ( cd $(distdir)/aux/capstats && tar xf - ); 
+
+doc:
+	python BroControl/options.py >README.options
+	python ./bin/broctl --print-doc >README.cmds
+	asciidoc --unsafe -a toc -a no-homepage-link -b xhtml11-custom README
+
+pybroccoli:
+	@echo broctl: building Python bindings for Broccoli ...        
+	( cd $BRODIST/aux/broccoli/bindings/python \
+      && CFLAGS="-I$BRODIST/aux/broccoli/src" LDFLAGS="-L$BROBUILD/aux/broccoli/src/.libs" python setup.py build -b $BROCTLBUILD/.python-build )
+	@( cd $BROCTLBUILD/.python-build && test -e lib || ln -s lib.* lib )	
+
+pysubnettree:
+	@echo broctl: building pysubnettree Python module ...        
+	@( cd $BRODIST/aux/broctl/aux/pysubnettree \
+      && python setup.py build -b $BROCTLBUILD/.python-build )
+
+capstats:
+	@echo broctl: building capstats ...        
+	@( cd $BROCTLBUILD/aux/capstats && ${MAKE} )
+
+## Make distcheck happy.
+EMPTY_AUTOMAKE_TARGETS = dvi pdf ps info html tags ctags install-data install-exec uninstall install-dvi install-html install-info install-ps install-pdf installdirs check installcheck mostlyclean maintainer-clean tags ctags
+$(EMPTY_AUTOMAKE_TARGETS):
diff --git a/aux/broctl/README b/aux/broctl/README
new file mode 100644
index 0000000000..0a838da2f1
--- /dev/null
+++ b/aux/broctl/README
@@ -0,0 +1,450 @@
+//	-*- AsciiDoc -*-
+//
+// $Id: README 6948 2009-12-03 20:59:41Z robin $
+//
+// FIXME: This needs asciidoc 8.2.x plus some custom config files.
+
+BroControl
+===========
+Robin Sommer
+:email: robin@icir.org
+
+This document summarizes installation and use of _BroControl_,
+Bro's interactive shell for operating Bro installations. _Bro
+Control_ has two modes of operation: a _stand-alone_ mode for
+managing a traditional, single-system Bro setup; and a _cluster_
+mode for maintaining a multi-system setup of coordinated Bro
+instances load-balancing the work across a set of independent
+machines. Below, we describe the installation process separately for
+the two modes. Once installed, the operation is pretty similar for
+both types; just keep in mind that if this documents refers to
+"nodes" and you're in a stand-alone setup, there's is only a single
+one and no worker/proxies.)
+
+Prerequisites
+-------------
+
+Running _BroControl_ requires the following prerequisites:
+
+  - A Unix system. FreeBSD, Linux, and MacOS are supported and
+  should work out of the box. Note however that FreeBSD usually sees
+  more testing as it is Bro's primary development platform.  Other
+  Unix systems will quite likely require some tweaking. Note that in
+  a cluster setup, all systems must be running exactly the _same_
+  operating system.
+
+  - A version of _Python_ >= 2.4. 
+
+  - A _bash_ (note in particular, that on FreeBSD, _bash_ is not
+  installed by default). 
+
+NOTE: If you're using a development version, you might need to apply
+a patch to Bro. Please xref:devversion[see below].
+
+Installing a Stand-alone Bro
+----------------------------
+
+This is the default installation. Configure and compile Bro as
+usual, specifying the target installation path as ``prefix`` (we use
++/usr/local/bro+ as an example):
+
+  > cd /path/to/bro/source/distribution
+  > ./configure --prefix=/usr/local/bro
+  > make
+
+- Install _BroControl_:
+
+  > make install-broctl
+
+  (This includes the standard "make install".)
+
+- Add +<prefix>/bin+ to your +PATH+.
+
+- The installation installs three configuration files which you
+  should edit:
+
+  * +etc/broctl.cfg+ is the overall _BroControl_ configuration.
+  Initially, you probably only need to edit the email address for
+  mails sent by the framework; that's the +MailTo+ line. 
+
+  * In +etc/nodes.cfg+, you need to specify the network interface
+  Bro is to monitor; that's the +interface+ line. 
+
+  * In +etc/networks.cfg+, list all the networks which Bro should
+  consider as local to the monitored enviroment. 
+
+- Once you have updated these files, install the modified
+  configuration:
+
+  > broctl install
+
+- Some tasks need to be run on a regular basis. Insert a line like
+this into your crontab:
+
+  0-59/5 * * * * /usr/local/bro/bin/broctl cron
+
+- Finally, you can start Bro:
+
+  > broctl start
+
+Installing a Bro Cluster
+------------------------
+
+A _Bro Cluster_ is a set of systems jointly analyzing the traffic of
+a network link in a coordinated fashion. _BroControl_ is able to
+operate such a setup from a central manager system pretty much
+transparently, hiding much of the complexity of the multi-machine
+installation. 
+
+A cluster consists of four types of components:
+
+  1. One or more frontends.
+       Frontends load-balance the traffic across a set of worker
+       machines.
+
+  2. Worker nodes.
+       Workers are doing the actual analysis, with each seeing a
+       slice of the overall traffic as splitted up by the frontends.
+
+  3. One or more proxies.
+       Proxies relay the communication between worker nodes.
+
+  4. One manager.
+       The manager provides the cluster's user-interface for
+       controlling and logging. During operation, the user only
+       interacts with the manager; this is where _BroControl_ is
+       running.
+
+See http:///www.icir.org/robin/papers/raid07.pdf[this RAID Paper]
+for more information about the general cluster architecture. This
+document focusses on the installation of manager, workers, and the
+proxies. See <somewhere different> for a discussion of how to setup
+a frontend. If not otherwise stated, in the following we use the
+terms "manager", "worker", and "proxy" to refer to Bro instances,
+not to physical machines; rather, we use the term "node" to refer to
+physical machines. There may be multiple Bro instances running on
+the same node. For example, it's possible to run a proxy on the same
+node as the manager is operating on. 
+
+In the following, as an example setup, we will assume that our
+cluster consists of four nodes (not counting the frontend). The host
+names of the systems will be +host1+, +host2+, +host3+, and +host4+.
+We will configure the cluster so that +host1+ runs the manager and
+the (only) proxy, and +host{2,3,4}+ are each running one worker.
+This is a typical setup, which will work well for many sites.
+
+When installing a cluster, in addition to the prerequisites
+mentioned above, you need to
+
+  - have the same user account set up on all nodes. On the worker
+  nodes, this user must have access to target network interface in
+  promiscious mode. +ssh+ access from the manager node to this user
+  account must be setup on all machines, and must work without
+  asking for a password/passphrase.
+
+  - have some storage available on all nodes under the same path,
+  which we will call the cluster's _prefix_ path. In the following,
+  we will use +/usr/local/bro+ as an example. The Bro user must
+  be able to either create this directory or, where it already
+  exists, must have write permission inside this directory on all
+  nodes.
+
+  - have +ssh+ and +rdist+ installed. 
+
+With all prerequisites in place, as the Bro user, perform the
+following steps to install a Bro cluster:
+
+- Configure and compile the Bro distribution using the cluster's
+  prefix path as +--prefix+ +--prefix+, and selecting cluster
+  operation with the +--enable-cluster+ option:
+
+  > cd /path/to/bro/source/distribution
+  > ./configure --prefix=/usr/local/bro --enable-cluster
+  > make
+
+- Install _BroControl_:
+
+  > make install-broctl
+
+  (This includes the standard +make install+.)
+
+- Add +<prefix>/bin+ to your +PATH+.
+
+- Create a cluster configuration file. There is an example provided,
+which you can edit according to the instructions in the file:
+
+  > cd /usr/local/bro
+  > cp etc/broctl.cfg.example etc/broctl.cfg
+  > vi etc/broctl.cfg
+
+- Create a node configuration file to define where manager, workers,
+  and proxies are to run. There is again an example, which defines
+  the example scenario described above and can be edited as needed:
+
+  > cd /usr/local/bro
+  > cp etc/node.cfg.example etc/node.cfg
+  > vi etc/node.cfg
+
+- Create a network configuration file that lists all of the networks
+  which the cluster should consider as local to the monitored
+  enviroment. Once, again the installation installs a template for
+  editing:
+
+  > cd /usr/local/bro
+  > cp etc/networks.cfg.example etc/networks.cfg
+  > vi etc/networks.cfg
+
+- Install workers and proxies using _BroControl_:
+
+  > broctl install
++ 
+This installation process uses +ssh+ and +rdist+ to copy the
+configuration over to the remote machines so, as described above,
+you need to ensure that logging in via SSH works before the install will
+succeed. 
+
+- Some tasks need to be run on a regular basis. On the manager node,
+insert a line like this into the crontab of the user running the
+cluster.
+
+  0-59/5 * * * * <prefix>/bin/broctl cron
+
+- Finally, you can start the cluster:
+
+  > broctl start
+
+Getting Started
+---------------
+
+_BroControl_ is an interactive interface to the cluster which
+allows you to, e.g., start/stop the monitoring or update its
+configuration. It is started with the +broctl+ script and then
+expects commands on its command-line (alternatively, +broctl+ can
+also be started with a single command directly on the shell's
+command line):
+
+  > cluster
+  Welcome to BroControl 0.2
+
+  Type "help" for help.
+
+  [BroControl] >
+
+As the message says, type xref:cmd_help[+help+] to see a list of all
+commands. We will now briefly summarize the most important commands.
+A full reference follows link:cmd_reference[below]. 
+
+Once +broctl.cfg+ and +node.cfg+ are set up as described above, the
+monitoring can be started with the xref:cmd_start[+start+] command.
+In the cluster setup, this will successively start manager, proxies,
+and workers. The xref:cmd_status[+status+] command should then show
+all nodes as operating. To stop the monitoring, issue the
+xref:cmd_stop[+stop+] command. xref:cmd_exit[+exit+] leaves the
+shell. 
+
+On the manager system (and on the standalone system), you find the
+current set of (aggregated) logs in +logs/current+ (which is a
+symlink to the corresponding spool directory.) The workers and
+proxies log into +spool/proxy/+ and +spool/<worker-name>/+,
+respectively. The manager/stand-alone logs are archived in +logs/+,
+by default once a day. Logs files of workers and proxies are
+discarded at the same rotation interval.
+
+Whenenver the _BroControl_ configuration is modified in any way
+(including changes to configuration files and site-specific policy
+scripts), xref:cmd_install[+install+] installs the new version. _No
+changes will take effect until xref:cmd_install[+install+] is run_.
+Before you run xref:cmd_install[+install+], xref:cmd_check[+check+]
+can be used to check for any potential erros in the new
+configuration, e.g., typos in scripts. If xref:cmd_check[+check+]
+does not report any problems, doing xref:cmd_install[+install+] will
+pretty likely not break anything. 
+
+Note that generally configuration changes only take effect after a
+restart of the affected nodes. The xref:cmd_restart[+restart+]
+command triggers this. Some changes however can be put into effect
+on-the-fly without restarting any of the nodes by using the
+xref:cmd_update[+update+] command (again only after doing
+xref:cmd_install[+install+] first). Such dynamic updates work with
+all changes done via the xref:cmd_analysis[+analysis+] command (see
+below) as well as generally with all policy which only modify global
+variables declared as _redefinable_ (i.e., with Bro's _&redef_
+attribute).
+
+Generally, site-specific tuning needs to be done with local policy
+scripts, as in any Bro setup. This is described
+link:site_tuning[below]. Some general types of analysis can however
+be enabled/disabled via the xref:cmd_analysis[+analysis+] command.
+
+_BroControl_ provides various options to control the behaviour of the
+setup. These options can be set by editing +etc/broctl.cfg+. The
+xref:cmd_config[+config+] command gives list of all options with
+their current values. A list of the most important options also
+follows link:cmd_reference[below].
+
+Site-specific Customization
+---------------------------
+[[site_tuning]]
+
+You'll most likely want to adapt the Bro policy to the local
+environment. While some types of analysis can be customized via the
+xref:cmd_analysis[+analysis+] command, much of the more specific
+tuning requires writing local policy files. 
+
+By default, it is assumed that you put site-specific policy scripts
+into the +share/bro/site+ directory. To change the location of site
+policies, set the option xref:opt_SitePolicyPath[+SitePolicyPath+]
+in +broctl.cfg+ to a different path.
+
+During the initial install, sample policy scripts are installed in
++share/bro/site+, which you can edit as appropiate. In the stand-alone
+setup, this is just a single file called +local.bro+. In the cluster
+setup, there are three: +local-manager.bro+ and +local-worker.bro+
+are loaded by the manager and the workers (plus proxies),
+respectively. In turn, both of these load +local.bro+, which
+contains all configuration code shared by all nodes. If in doubt,
+put your customizations into +local.bro+ so that all nodes see it.
+If you want to change which local scripts are loaded by the nodes,
+you can set xref:opt_SitePolicyManager[+SitePolicyManager+] for the
+manager and xref:opt_SitePolicyWorker[+SitePolicyWorker+] for the
+workers.
+
+In the cluster setup, the main exception to putting everything into
++local.bro+ is notice filtering, which should be done only on the
+manager. The example +local-manager.bro+ comes with an example setup
+to configure notice policy and notice actions. You should to adapt
+thiese to the local environment.
+
+In general, all of _BroControl_'s policy scripts are loaded before any
+site-specific policy so that you can redefine any of the defaults
+locally. The xref:cmd_scripts[+scripts+] shows precisely which
+policy scripts get loaded by a node; that can be very helpful for
+debugging. 
+
+Please note that enabling a particular kind of analysis via the
+xref:cmd_analysis[+analysis+] command only has an effect if the
+corresponding Bro scripts are loaded by the local site policy in
++local.bro+. 
+
+It is also possible to add additional scripts to individual nodes
+only. This works by setting the option +aux_scripts+ for the
+corresponding node(s) in +etc/nodes.cfg+. For example, one could add
+a script +experimental.bro+ to a single worker for trying out new
+experimental code.
+
+Command Reference
+-----------------
+[[cmd_reference]]
+
+The following summary lists all commands supported by _BroControl_. All
+commands may be either entered interactively or specificed on the
+shell's command line. If not specified otherwise, commands taking
+_[<nodes>]_ as arguments apply their action either to the given set
+of nodes, or to all nodes if none is given.
+
+include::README.cmds[]
+
+Option Reference
+----------------
+
+This section summarizes the options that can be set in 
++etc/broctl.cfg+ for customizing the behaviour of _BroControl_. Usually,
+one only needs to change the "user options", which are listed first.
+The "internal options" are, as the name suggests, primarily used
+internally and set automatically. They are documented here only for
+reference.
+
+include::README.options[]
+
+Miscellanous
+------------
+
+Mails
+~~~~~
+
+_BroControl_ sents four types of mails to the address given in +MailTo+:
+
+1. When logs are rotated (per default once a day), a list of all
+   alerts during the last rotation interval is sent. This can be
+   disabled by setting +MailAlarms=0+.
+
+2. When the +cron+ command noticies that a node has crashed, it
+   restarts it and sends a notification. It may also send a more
+   detailed crash report containing information about the crash. 
+
+3. NOTICES with a notice action of +NOTICE_EMAIL+; see the Bro
+   documentation for how to configure NOTICE priorities. 
+
+4. If link:trace_summary[+trace-summary+] is installed, a
+   traffic summary is sent each rotation interval. 
+
+Performance Analysis 
+~~~~~~~~~~~~~~~~~~~~
+
+_TODO_: +broctl cron+ logs a number of statistics, which can be
+analyzed/plotted for understanding the cluster's run-time behaviour.
+
+
+Questions and Answers
+---------------------
+
+Can I use an NFS-mounted partition as the cluster's base directory to avoid the +rsync+'ing???  
+    Yes. xref:opt_BroBase[+BroBase+] can be on an NFS partition.
+    Configure and install the shell as usual with
+    +--prefix=<BroBase>+. Then add xref:opt_HaveNFS[HaveNFS]=1+ and
+    +SpoolDir=<spath>+ to +etc/broctl.cfg+, where +<spath>+ is a
+    path on the local disks of the nodes; +<spath>+ will be used for
+    all non-shared data (make sure that the parent directory exists
+    and is writable on all nodes!). Then run xref:cmd_install[+make
+    install-broctl+] again. Finally, you can remove
+    +<BroBase>/spool+ (or link it to <spath>). In addition, you
+    might want to keep the log files locally on the nodes as well by
+    setting xref:opt_LogDir[+LogDir+]+ to a non-NFS directory. (Only
+    the manager's logs will be kept permanently, the logs of
+    workers/proxies are discarded upon rotation.)
+
+When I'm using the xref:Standalone[standalone mode], do I still need to have +ssh+ and +rsync+ installed and configured???
+    No. The standalone performs all operations directly on the local
+    file system.
+
+What do I need to do when the something in the Bro distribution changes???
+    Just re-run +make broctl-install+. It will reinstall
+    all the files from the distribution, except for any of the
+    template files, as they might have been edited. 
++
+In addition, _BroControl_ has a "development mode", which makes
+installation easier if distribution files change frequently
+(e.g., becayse you're working from SVN). Development mode
+activated by adding +DevMode=1+ to +etc/broctl.cfg+. Once done,
+_BroControl_'s +install+ command will also install all the files
+from the distribution, just as +make broctl-install+ does. Note
+that you obviously need to keep the distribution around to have
+this work. 
++
+Note for folks who have used the old "cluster shell": the
+development mode corresponds to the old default behaviour, which
+worked with any +make install-broctl+.
+
+After a Bro crash, the timestamps of the archived log files sometimes seem to be wrong???
+   When Bro crashes, broctl archives the log files produced so far
+   at the normal location. However, for some files it can't (easily)
+   determine the right timestamps to put into the filename. This
+   affects in particular those log files that are not rotated on
+   regular basis (e.g., +stdout.log+, +prof.log+); their filenames
+   will indicate as their start time the point when all the other
+   files were _rotated_ most recently. In addition, for all log
+   files, after a crash the start/end times indicated by the file
+   names might be off a few seconds. 
+
+[[devversion]]Anything special to consider when using development versions???
+   If you are using a _development version_, _BroControl_ might
+   require patching Bro itself to work correctly. A "development
+   version" is defined as anything you have downloaded from Bro's
+   Subversion repository (as opposed to downloading a release
+   tar-ball). If so, see if there's a file called
+   +aux/broctl/patch-bro.diff+. If there is, apply it as follows
+   before you proceed with any of the steps below:
++
+   > cd /path/to/bro/source/distribution
+   > patch -p0 <aux/broctl/patch-bro.diff
+   > ./autogen.sh
diff --git a/aux/broctl/README.cmds b/aux/broctl/README.cmds
new file mode 100644
index 0000000000..64e9842991
--- /dev/null
+++ b/aux/broctl/README.cmds
@@ -0,0 +1,249 @@
+// Automatically generated. Do not edit.
+
+
+[[cmd_analysis]] *analysis _enable|disable <type>_*::
+
+This command enables or disables certain kinds of analysis without the
+need for doing any changes to Bro scripts. Currently, the analyses
+shown in the table below can be controlled (in parentheses the
+corresponding Bro scripts; the effect of enabling/disabling is similar
+to loading or not loading these scripts, respectively). The list might
+be extended in the future. Any changes performed via this command are
+applied by xref:cmd_update[+update+] and therefore do not require a
+restart of the nodes.
++
+[format="dsv",frame="none",grid="all",border="0",separator="|"]
+.10`20~
+Type          | Description
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+dns           | DNS analysis (+dns.bro+)
+ftp           | FTP analysis (+ftp.bro+)
+http-body     | HTTP body analysis (+http-body.bro+).
+http-request  | Client-side HTTP analysis only (+http-request.bro+)
+http-reply    | Client- and server-side HTTP analysis (+http-request.bro+/+http-reply.bro+)
+http-header   | HTTP header analysis (+http-headers.bro+)
+scan          | Scan detection (+scan.bro+)
+smtp          | SMTP analysis (+smtp.bro+)
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+
+
+[[cmd_attachgdb]] *attachgdb _[<nodes>]_*::
+
+Primarily for debugging, the command attaches a _gdb_ to the main Bro
+process on the given nodes.
+
+
+[[cmd_capstats]] *capstats _[<interval>] [<nodes>]_*::
+
+Determines the current load on the network interfaces monitored by
+each of the given worker nodes. The load is measured over the
+specified interval (in seconds), or by default over 10 seconds. This
+command uses the http://www.icir.org/robin/capstats[capstats] tool,
+which is installed along with +broctl+.
+
+(Note: When using a CFlow and the CFlow command line utility is
+installed as well, the +capstats+ command can also query the device
+for port statistics. _TODO_: document how to set this up.)
+
+
+[[cmd_check]] *check _[<nodes>]_*::
+
+Verifies a modified configuration in terms of syntactical correctness
+(most importantly correct syntax in policy scripts). This command
+should be executed for each configuration change _before_
+xref:cmd_install[+install+] is used to put the change into place. Note
+that +check+ is the only command which operates correctly without a
+former xref:cmd_install[+install+] command; +check+ uses the policy
+files as found in xref:opt_SitePolicyPath[+SitePolicyPath+] to make
+sure they compile correctly. If they do, xref:cmd_install[+install+]
+will then copy them over to an internal place from where the nodes
+will read them at the next xref:cmd_start[+start+]. This approach
+ensures that new errors in a policy scripts will not affect currently
+running nodes, even when one or more of them needs to be restarted.
+
+
+[[cmd_cleanup]] *cleanup _[--all] [<nodes>]_*::
+
+Clears the nodes' spool directories (if they are not running
+currently). This implies that their persistent state is flushed. Nodes
+that were crashed are reset into _stopped_ state. If +--all+ is
+specified, this command also removes the content of the node's
+xref:opt_TmpDir[+TmpDir+], in particular deleteing any data
+potentially saved there for reference from previous crashes.
+Generally, if you want to reset the installation back into a clean
+state, you can first xref:cmd_stop[+stop+] all nodes, then execute
++cleanup --all+, and finally xref:cmd_start[+start+] all nodes
+again.
+
+
+[[cmd_config]] *config *::
+Prints all configuration options with their current values.
+
+
+[[cmd_cron]] *cron _[<nodes>]_*::
+
+As the name implies, this command should be executed regularly via
+_cron_, as described xref:Installation[above]. It performs a set of
+maintainance tasks, including the logging of various statistical
+information, expiring old log files, checking for dead hosts, and
+restarting nodes which terminated unexpectedly.  While not intended
+for interactive use, no harm will be caused by executing the command
+manually: all the maintainance tasks will then just be performed one
+more time.
+
+
+[[cmd_df]] *df _[<nodes>]_*::
+
+Reports the amount of disk space available on the nodes. Shows only
+paths relevant to the broctl installation.
+
+
+[[cmd_diag]] *diag _[<nodes>]_*::
+
+If a node has terminated unexpectedly, this command prints a (somewhat
+cryptic) summary of its final state including excerpts of any
+stdout/stderr output, resource usage, and also a stack backtrace if a
+core dump is found. The same information is sent out via mail when a
+node is found to have crashed (the "crash report"). While the
+information is mainly intended for debugging, it can also help to find
+misconfigurations (which are usually, but not always, caught by the
+xref:cmd_check[+check+] command).
+
+
+[[cmd_exec]] *exec _<command line>_*::
+
+Executes the given Unix shell command line on all nodes configured to
+run at least one Bro instance. This is handy to quickly perform an
+action across all systems.
+
+
+[[cmd_exit]] *exit *::
+Terminates the shell.
+
+
+[[cmd_help]] *help *::
+Prints a brief summary of all commands understood by the shell.
+
+
+[[cmd_install]] *install *::
+
+
+Reinstalls the given nodes, including all configuration files and
+local policy scripts.  This command must be executed after _all_
+changes to any part of the broctl configuration, otherwise the
+modifications will not take effect. Usually all nodes should be
+reinstalled at the same time, as any inconsistencies between them will
+lead to strange effects. Before executing +install+, it is recommended
+to verify the configuration with xref:cmd_check[+check+].
+
+
+[[cmd_netstats]] *netstats _[<nodes>]_*::
+
+Queries each of the nodes for their current counts of captured and
+dropped packets.
+
+
+[[cmd_nodes]] *nodes *::
+Prints a list of all configured nodes.
+
+
+[[cmd_peerstatus]] *peerstatus _[<nodes>]_*::
+
+Primarily for debugging, +peerstatus+ reports statistics about the
+network connections cluster nodes are using to communicate with other
+nodes.
+
+
+[[cmd_print]] *print _<id> [<nodes>]_*::
+
+Reports the _current_ live value of the given Bro script ID on all of
+the specified nodes (which obviously must be running). This can for
+example be useful to (1) check that policy scripts are working as
+expected, or (2) confirm that configuration changes have in fact been
+applied.  Note that IDs defined inside a Bro namespace must be
+prefixed with +<namespace>::+ (e.g., +print SSH::did_ssh_version+ to
+print the corresponding table from +ssh.bro+.)
+
+
+[[cmd_quit]] *quit *::
+Terminates the shell.
+
+
+[[cmd_restart]] *restart _[--clean] [<nodes>]_*::
+
+Restarts the given nodes, or all nodes if none are specified. The
+effect is the same as first executing xref:cmd_stop[+stop+] followed
+by a xref:cmd_start[+start+], giving the same nodes in both cases.
+This command is most useful to activate any changes made to Bro policy
+scripts (after running xref:cmd_install[+install+] first). Note that a
+subset of policy changes can also be installed on the fly via the
+xref:cmd_updatel[+update+], without requiring a restart.
+
+If +--clean+ is given, the installation is reset into a clean state
+before restarting. More precisely, a +restart --clean+ turns into the
+command sequence xref:cmd_stop[+stop+], xref:cmd_cleanup[+cleanup
+--all+], xref:cmd_check[+check+], xref:cmd_install[+install+], and
+xref:cmd_start[+start+].
+
+
+
+[[cmd_scripts]] *scripts _[-p|-c] [<nodes>]_*::
+
+Primarily for debugging Bro configurations, the +script+ command lists
+all the Bro scripts loaded by each of the nodes in the order as they
+will be parsed by the node at startup. If +-p+ is given, all scripts
+are listed with their full paths. If +-c+ is given, the command
+operates as xref:cmd_check::[+check+] does: it reads the policy files
+from their _original_ location, not the copies installed by
+xref:cmd_install[+install+]. The latter option is useful to check a
+not yet installed configuration.
+
+
+[[cmd_start]] *start _[<nodes>]_*::
+
+Starts the given nodes, or all nodes if none are specified. Nodes
+already running are left untouched.
+
+
+
+[[cmd_status]] *status _[<nodes>]_*::
+
+Prints the current status of the given nodes.
+
+
+[[cmd_stop]] *stop _[<nodes>]_*::
+
+Stops the given nodes, or all nodes if none are specified. Nodes not
+running are left untouched.
+
+
+
+[[cmd_top]] *top _[<nodes>]_*::
+
+For each of the nodes, prints the status of the two Bro
+processes (parent process and child process) in a _top_-like
+format, including CPU usage and memory consumption. If
+executed interactively, the display is updated frequently
+until key +q+ is pressed. If invoked non-interactively, the
+status is printed only once.
+
+
+[[cmd_update]] *update _[<nodes>]_*::
+
+After a change to Bro policy scripts, this command updates the Bro
+processes on the given nodes _while they are running_ (i.e., without
+requiring a xref:cmd_restart[+restart+]). However, such dynamic
+updates work only for a _subset_ of Bro's full configuration. The
+following changes can be applied on the fly: (1) The value of all
+script variables defined as +&redef+ can be changed; and (2) all
+configuration changes performed via the xref:cmd_analysis[+analysis+]
+command can be put into effect. More extensive script changes are not
+possible during runtime and always require a restart; if you change
+more than just the values of +&redef+ variables and still issue
++update+, the results are undefined and can lead to crashes. Also note
+that before running +update+, you still need to do an
+xref:cmd_install[+install+] (preferably after
+xref:cmd_install[+check+]), as otherwise +update+ will not see the
+changes and resend the old configuration.
+
diff --git a/aux/broctl/README.html b/aux/broctl/README.html
new file mode 100644
index 0000000000..1ec7ed060b
--- /dev/null
+++ b/aux/broctl/README.html
@@ -0,0 +1,1986 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
+    "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
+<meta name="generator" content="AsciiDoc 8.2.7" />
+<style type="text/css">
+/* Debug borders */
+p, li, dt, dd, div, pre, h1, h2, h3, h4, h5, h6 {
+/*
+  border: 1px solid red;
+
+  margin: 1.8em 10% 1.8em 10%;
+
+*/
+}
+
+body {
+  background:#ffffff;
+  padding: 20px 10px;
+  font-size: 90%;
+  font-family: sans-serif;
+  color: #505050;
+  margin: 2em 10% 2em 10%;
+  line-height: 1.4em;
+}
+
+a {
+  color: #005000;
+}
+
+a:visited {
+  color: #005000;
+}
+
+a:hover {
+  color: #002000;
+}
+
+em {
+  font-style: italic;
+}
+
+strong {
+  font-weight: bold;
+}
+
+tt {
+  color: #000000;
+}
+
+h1, h2, h3, h4, h5, h6, div#toctitle {
+  color: #227022;
+  font-family: sans-serif;
+  margin-top: 1.2em;
+  margin-bottom: 0.5em;
+  line-height: 1.3;
+  font-weight: normal;
+}
+
+h1, h2, h3, div#toctitle {
+  border-bottom: 1px solid;
+  border-color: #000000;
+}
+
+h1 {
+  font-size: 150%;
+  }
+
+h2, div#toctitle {
+  padding-top: 0.5em;
+  font-size: 120%;
+}
+h3 {
+  float: left;
+  font-size: 100%;
+}
+h3 + * {
+  clear: left;
+}
+
+div.sectionbody {
+  font-family: sans-serif;
+  margin-left: 0;
+}
+
+hr {
+  border: 1px solid;
+}
+
+p {
+  margin-top: 0.5em;
+  margin-bottom: 0.5em;
+}
+
+pre {
+  padding: 0;
+  margin: 0;
+}
+
+span#author {
+  color: #338033;
+  font-family: sans-serif;
+  font-size: 100%;
+}
+span#email {
+}
+span#revision {
+  font-family: sans-serif;
+}
+
+div#footer {
+  font-family: sans-serif;
+  font-size: 70%;
+  border-top: 1px solid;
+  padding-top: 0.5em;
+  margin-top: 4.0em;
+}
+div#footer-text {
+  float: left;
+  padding-bottom: 0.5em;
+}
+div#footer-badges {
+  float: right;
+  padding-bottom: 0.5em;
+}
+
+div#preamble,
+div.tableblock, div.imageblock, div.exampleblock, div.verseblock,
+div.quoteblock, div.literalblock, div.listingblock, div.sidebarblock,
+div.admonitionblock {
+  margin-top: 1.1em;
+  margin-left: 1em;
+  margin-bottom: 1.1em;
+/*  background: #eeffcc; */
+}
+div.admonitionblock {
+  margin-top: 2.5em;
+  margin-bottom: 2.5em;
+}
+
+div.content { /* Block element content. */
+  padding: 0;
+}
+
+/* Block element titles. */
+div.title, caption.title {
+  font-family: sans-serif;
+  text-align: left;
+  margin-top: 1.0em;
+  margin-bottom: 0.5em;
+}
+div.title + * {
+  margin-top: 0;
+}
+
+td div.title:first-child {
+  margin-top: 0.0em;
+}
+div.content div.title:first-child {
+  margin-top: 0.0em;
+}
+div.content + div.title {
+  margin-top: 0.0em;
+}
+
+div.sidebarblock > div.content {
+  background: #ffffee;
+  border: 1px solid;
+  padding: 0.5em;
+}
+
+div.listingblock {
+  margin-right: 0%;
+}
+div.listingblock > div.content {
+  border: 1px solid;
+  background: #f4f4f4;
+  padding: 0.5em;
+}
+
+div.quoteblock > div.content {
+  padding-left: 2.0em;
+}
+
+div.attribution {
+  text-align: right;
+}
+
+div.verseblock + div.attribution {
+  text-align: left;
+}
+
+div.admonitionblock .icon {
+  vertical-align: top;
+  font-size: 100%;
+  color: #338033;
+  padding-right: 0.5em;
+}
+div.admonitionblock td.content {
+  padding-left: 0.5em;
+  border-left: 2px solid;
+}
+
+div.exampleblock > div.content {
+  border-left: 2px solid;
+  padding: 0.5em;
+}
+
+div.verseblock div.content {
+  white-space: pre;
+}
+
+div.imageblock div.content { padding-left: 0; }
+div.imageblock img { border: 1px solid ; }
+span.image img { border-style: none; }
+
+dl {
+  margin-top: 0.8em;
+  margin-bottom: 0.8em;
+}
+dt {
+  margin-top: 0.5em;
+  margin-bottom: 0;
+  font-style: italic;
+}
+dd > *:first-child {
+  margin-top: 0;
+}
+
+ul, ol {
+    list-style-position: outside;
+}
+ol.olist2 {
+  list-style-type: lower-alpha;
+}
+
+div.tableblock > table {
+  border: 1px solid #527bbd;
+}
+
+div.addrblock > table {
+  border: 0px 0px 0px 0px;
+  border-style: none none none none;
+  padding: 0px;
+  margin: 10px;
+  color: #000000;
+}
+
+table.addrblockbg {
+  /*
+  border-top: 1px solid;
+  border-bottom: 1px solid;
+  */
+  background: #e0ffe0 ;
+  border-style: none;
+  outline-style: none;
+}
+
+thead {
+  font-family: sans-serif;
+  color: #000000;
+}
+tfoot {
+  font-weight: bold;
+  color: #000000;
+}
+
+div.hlist {
+  margin-top: 0.8em;
+  margin-bottom: 0.8em;
+}
+div.hlist td {
+  padding-bottom: 5px;
+}
+td.hlist1 {
+  vertical-align: top;
+  font-style: italic;
+  padding-right: 0.8em;
+}
+td.hlist2 {
+  vertical-align: top;
+}
+
+@media print {
+  div#footer-badges { display: none; }
+}
+
+div.toclevel1, div.toclevel2, div.toclevel3, div.toclevel4 {
+  margin-top: .5ex;
+  margin-bottom: 0;
+  margin-left: 2em;
+  line-height: 1.3;
+}
+div.toclevel1 {
+  margin-top: 1ex;
+}
+div.toclevel2 {
+  margin-left: 4em;
+}
+
+div.toclevel3 {
+  margin-left: 6em;
+}
+div.toclevel4 {
+  margin-left: 8em;
+}
+/* Workarounds for IE6's broken and incomplete CSS2. */
+
+div.sidebar-content {
+  background: #ffffee;
+  border-top: 1px solid silver;
+  border-bottom: 1px solid silver;
+  padding: 0.5em;
+}
+div.sidebar-title, div.image-title {
+  font-family: sans-serif;
+  font-weight: bold;
+  margin-top: 0.0em;
+  margin-bottom: 0.5em;
+}
+
+div.listingblock div.content {
+  border: 1px solid silver;
+  background: #f4f4f4;
+  padding: 0.5em;
+}
+
+div.quoteblock-content {
+  padding-left: 2.0em;
+}
+
+div.exampleblock-content {
+  border-left: 2px solid silver;
+  padding-left: 0.5em;
+}
+
+/* IE6 sets dynamically generated links as visited. */
+div#toc a:visited { color: blue; }
+</style>
+<script type="text/javascript">
+/*<![CDATA[*/
+window.onload = function(){generateToc(2)}
+/* Author: Mihai Bazon, September 2002
+ * http://students.infoiasi.ro/~mishoo
+ *
+ * Table Of Content generator
+ * Version: 0.4
+ *
+ * Feel free to use this script under the terms of the GNU General Public
+ * License, as long as you do not remove or alter this notice.
+ */
+
+ /* modified by Troy D. Hanson, September 2006. License: GPL */
+ /* modified by Stuart Rackham, October 2006. License: GPL */
+
+function getText(el) {
+  var text = "";
+  for (var i = el.firstChild; i != null; i = i.nextSibling) {
+    if (i.nodeType == 3 /* Node.TEXT_NODE */) // IE doesn't speak constants.
+      text += i.data;
+    else if (i.firstChild != null)
+      text += getText(i);
+  }
+  return text;
+}
+
+function TocEntry(el, text, toclevel) {
+  this.element = el;
+  this.text = text;
+  this.toclevel = toclevel;
+}
+
+function tocEntries(el, toclevels) {
+  var result = new Array;
+  var re = new RegExp('[hH]([2-'+(toclevels+1)+'])');
+  // Function that scans the DOM tree for header elements (the DOM2
+  // nodeIterator API would be a better technique but not supported by all
+  // browsers).
+  var iterate = function (el) {
+    for (var i = el.firstChild; i != null; i = i.nextSibling) {
+      if (i.nodeType == 1 /* Node.ELEMENT_NODE */) {
+        var mo = re.exec(i.tagName)
+        if (mo)
+          result[result.length] = new TocEntry(i, getText(i), mo[1]-1);
+        iterate(i);
+      }
+    }
+  }
+  iterate(el);
+  return result;
+}
+
+// This function does the work. toclevels = 1..4.
+function generateToc(toclevels) {
+  var toc = document.getElementById("toc");
+  var entries = tocEntries(document.getElementsByTagName("body")[0], toclevels);
+  for (var i = 0; i < entries.length; ++i) {
+    var entry = entries[i];
+    if (entry.element.id == "")
+      entry.element.id = "toc" + i;
+    var a = document.createElement("a");
+    a.href = "#" + entry.element.id;
+    a.appendChild(document.createTextNode(entry.text));
+    var div = document.createElement("div");
+    div.appendChild(a);
+    div.className = "toclevel" + entry.toclevel;
+    toc.appendChild(div);
+  }
+  if (entries.length == 0)
+    document.getElementById("header").removeChild(toc);
+}
+/*]]>*/
+</script>
+<title>BroControl</title>
+</head>
+<body>
+<div id="header">
+<h1>BroControl</h1>
+<span id="author">Robin Sommer</span><br />
+<span id="email"><tt>&lt;<a href="mailto:robin@icir.org">robin@icir.org</a>&gt;</tt></span><br />
+<div id="toc">
+  <div id="toctitle">Table of Contents</div>
+  <noscript><p><b>JavaScript must be enabled in your browser to display the table of contents.</b></p></noscript>
+</div>
+</div>
+<div id="preamble">
+<div class="sectionbody">
+<p>This document summarizes installation and use of <em>BroControl</em>,
+Bro's interactive shell for operating Bro installations. <em>Bro
+Control</em> has two modes of operation: a <em>stand-alone</em> mode for
+managing a traditional, single-system Bro setup; and a <em>cluster</em>
+mode for maintaining a multi-system setup of coordinated Bro
+instances load-balancing the work across a set of independent
+machines. Below, we describe the installation process separately for
+the two modes. Once installed, the operation is pretty similar for
+both types; just keep in mind that if this documents refers to
+"nodes" and you're in a stand-alone setup, there's is only a single
+one and no worker/proxies.)</p>
+</div>
+</div>
+<h2><a id="_prerequisites"></a>Prerequisites</h2><p/>
+<div class="sectionbody">
+<p>Running <em>BroControl</em> requires the following prerequisites:</p>
+<ul>
+<li>
+<p>
+A Unix system. FreeBSD, Linux, and MacOS are supported and
+  should work out of the box. Note however that FreeBSD usually sees
+  more testing as it is Bro's primary development platform.  Other
+  Unix systems will quite likely require some tweaking. Note that in
+  a cluster setup, all systems must be running exactly the <em>same</em>
+  operating system.
+</p>
+</li>
+<li>
+<p>
+A version of <em>Python</em> &gt;= 2.4.
+</p>
+</li>
+<li>
+<p>
+A <em>bash</em> (note in particular, that on FreeBSD, <em>bash</em> is not
+  installed by default).
+</p>
+</li>
+</ul>
+<div class="admonitionblock">
+<table><tr>
+<td class="icon">
+<div class="title">Note</div>
+</td>
+<td class="content">If you're using a development version, you might need to apply
+a patch to Bro. Please <a href="#devversion">see below</a>.</td>
+</tr></table>
+</div>
+</div>
+<h2><a id="_installing_a_stand_alone_bro"></a>Installing a Stand-alone Bro</h2><p/>
+<div class="sectionbody">
+<p>This is the default installation. Configure and compile Bro as
+usual, specifying the target installation path as <tt>`prefix</tt>` (we use
+<tt>/usr/local/bro</tt> as an example):</p>
+<div class="literalblock">
+<div class="content">
+<pre><tt>&gt; cd /path/to/bro/source/distribution
+&gt; ./configure --prefix=/usr/local/bro
+&gt; make</tt></pre>
+</div></div>
+<ul>
+<li>
+<p>
+Install <em>BroControl</em>:
+</p>
+<div class="literalblock">
+<div class="content">
+<pre><tt>&gt; make install-broctl</tt></pre>
+</div></div>
+<div class="literalblock">
+<div class="content">
+<pre><tt>(This includes the standard "make install".)</tt></pre>
+</div></div>
+</li>
+<li>
+<p>
+Add <tt>&lt;prefix&gt;/bin</tt> to your <tt>PATH</tt>.
+</p>
+</li>
+<li>
+<p>
+The installation installs three configuration files which you
+  should edit:
+</p>
+<ul>
+<li>
+<p>
+<tt>etc/broctl.cfg</tt> is the overall <em>BroControl</em> configuration.
+  Initially, you probably only need to edit the email address for
+  mails sent by the framework; that's the <tt>MailTo</tt> line.
+</p>
+</li>
+<li>
+<p>
+In <tt>etc/nodes.cfg</tt>, you need to specify the network interface
+  Bro is to monitor; that's the <tt>interface</tt> line.
+</p>
+</li>
+<li>
+<p>
+In <tt>etc/networks.cfg</tt>, list all the networks which Bro should
+  consider as local to the monitored enviroment.
+</p>
+</li>
+</ul>
+</li>
+<li>
+<p>
+Once you have updated these files, install the modified
+  configuration:
+</p>
+<div class="literalblock">
+<div class="content">
+<pre><tt>&gt; broctl install</tt></pre>
+</div></div>
+</li>
+<li>
+<p>
+Some tasks need to be run on a regular basis. Insert a line like
+this into your crontab:
+</p>
+<div class="literalblock">
+<div class="content">
+<pre><tt>0-59/5 * * * * /usr/local/bro/bin/broctl cron</tt></pre>
+</div></div>
+</li>
+<li>
+<p>
+Finally, you can start Bro:
+</p>
+<div class="literalblock">
+<div class="content">
+<pre><tt>&gt; broctl start</tt></pre>
+</div></div>
+</li>
+</ul>
+</div>
+<h2><a id="_installing_a_bro_cluster"></a>Installing a Bro Cluster</h2><p/>
+<div class="sectionbody">
+<p>A <em>Bro Cluster</em> is a set of systems jointly analyzing the traffic of
+a network link in a coordinated fashion. <em>BroControl</em> is able to
+operate such a setup from a central manager system pretty much
+transparently, hiding much of the complexity of the multi-machine
+installation.</p>
+<p>A cluster consists of four types of components:</p>
+<ol>
+<li>
+<p>
+One or more frontends.
+       Frontends load-balance the traffic across a set of worker
+       machines.
+</p>
+</li>
+<li>
+<p>
+Worker nodes.
+       Workers are doing the actual analysis, with each seeing a
+       slice of the overall traffic as splitted up by the frontends.
+</p>
+</li>
+<li>
+<p>
+One or more proxies.
+       Proxies relay the communication between worker nodes.
+</p>
+</li>
+<li>
+<p>
+One manager.
+       The manager provides the cluster's user-interface for
+       controlling and logging. During operation, the user only
+       interacts with the manager; this is where <em>BroControl</em> is
+       running.
+</p>
+</li>
+</ol>
+<p>See <a href="http:///www.icir.org/robin/papers/raid07.pdf">this RAID Paper</a>
+for more information about the general cluster architecture. This
+document focusses on the installation of manager, workers, and the
+proxies. See &lt;somewhere different&gt; for a discussion of how to setup
+a frontend. If not otherwise stated, in the following we use the
+terms "manager", "worker", and "proxy" to refer to Bro instances,
+not to physical machines; rather, we use the term "node" to refer to
+physical machines. There may be multiple Bro instances running on
+the same node. For example, it's possible to run a proxy on the same
+node as the manager is operating on.</p>
+<p>In the following, as an example setup, we will assume that our
+cluster consists of four nodes (not counting the frontend). The host
+names of the systems will be <tt>host1</tt>, <tt>host2</tt>, <tt>host3</tt>, and <tt>host4</tt>.
+We will configure the cluster so that <tt>host1</tt> runs the manager and
+the (only) proxy, and <tt>host{2,3,4}</tt> are each running one worker.
+This is a typical setup, which will work well for many sites.</p>
+<p>When installing a cluster, in addition to the prerequisites
+mentioned above, you need to</p>
+<ul>
+<li>
+<p>
+have the same user account set up on all nodes. On the worker
+  nodes, this user must have access to target network interface in
+  promiscious mode. <tt>ssh</tt> access from the manager node to this user
+  account must be setup on all machines, and must work without
+  asking for a password/passphrase.
+</p>
+</li>
+<li>
+<p>
+have some storage available on all nodes under the same path,
+  which we will call the cluster's <em>prefix</em> path. In the following,
+  we will use <tt>/usr/local/bro</tt> as an example. The Bro user must
+  be able to either create this directory or, where it already
+  exists, must have write permission inside this directory on all
+  nodes.
+</p>
+</li>
+<li>
+<p>
+have <tt>ssh</tt> and <tt>rdist</tt> installed.
+</p>
+</li>
+</ul>
+<p>With all prerequisites in place, as the Bro user, perform the
+following steps to install a Bro cluster:</p>
+<ul>
+<li>
+<p>
+Configure and compile the Bro distribution using the cluster's
+  prefix path as <tt>&#8212;prefix</tt> <tt>&#8212;prefix</tt>, and selecting cluster
+  operation with the <tt>&#8212;enable-cluster</tt> option:
+</p>
+<div class="literalblock">
+<div class="content">
+<pre><tt>&gt; cd /path/to/bro/source/distribution
+&gt; ./configure --prefix=/usr/local/bro --enable-cluster
+&gt; make</tt></pre>
+</div></div>
+</li>
+<li>
+<p>
+Install <em>BroControl</em>:
+</p>
+<div class="literalblock">
+<div class="content">
+<pre><tt>&gt; make install-broctl</tt></pre>
+</div></div>
+<div class="literalblock">
+<div class="content">
+<pre><tt>(This includes the standard +make install+.)</tt></pre>
+</div></div>
+</li>
+<li>
+<p>
+Add <tt>&lt;prefix&gt;/bin</tt> to your <tt>PATH</tt>.
+</p>
+</li>
+<li>
+<p>
+Create a cluster configuration file. There is an example provided,
+which you can edit according to the instructions in the file:
+</p>
+<div class="literalblock">
+<div class="content">
+<pre><tt>&gt; cd /usr/local/bro
+&gt; cp etc/broctl.cfg.example etc/broctl.cfg
+&gt; vi etc/broctl.cfg</tt></pre>
+</div></div>
+</li>
+<li>
+<p>
+Create a node configuration file to define where manager, workers,
+  and proxies are to run. There is again an example, which defines
+  the example scenario described above and can be edited as needed:
+</p>
+<div class="literalblock">
+<div class="content">
+<pre><tt>&gt; cd /usr/local/bro
+&gt; cp etc/node.cfg.example etc/node.cfg
+&gt; vi etc/node.cfg</tt></pre>
+</div></div>
+</li>
+<li>
+<p>
+Create a network configuration file that lists all of the networks
+  which the cluster should consider as local to the monitored
+  enviroment. Once, again the installation installs a template for
+  editing:
+</p>
+<div class="literalblock">
+<div class="content">
+<pre><tt>&gt; cd /usr/local/bro
+&gt; cp etc/networks.cfg.example etc/networks.cfg
+&gt; vi etc/networks.cfg</tt></pre>
+</div></div>
+</li>
+<li>
+<p>
+Install workers and proxies using <em>BroControl</em>:
+</p>
+<div class="literalblock">
+<div class="content">
+<pre><tt>&gt; broctl install</tt></pre>
+</div></div>
+<p>This installation process uses <tt>ssh</tt> and <tt>rdist</tt> to copy the
+configuration over to the remote machines so, as described above,
+you need to ensure that logging in via SSH works before the install will
+succeed.</p>
+</li>
+<li>
+<p>
+Some tasks need to be run on a regular basis. On the manager node,
+insert a line like this into the crontab of the user running the
+cluster.
+</p>
+<div class="literalblock">
+<div class="content">
+<pre><tt>0-59/5 * * * * &lt;prefix&gt;/bin/broctl cron</tt></pre>
+</div></div>
+</li>
+<li>
+<p>
+Finally, you can start the cluster:
+</p>
+<div class="literalblock">
+<div class="content">
+<pre><tt>&gt; broctl start</tt></pre>
+</div></div>
+</li>
+</ul>
+</div>
+<h2><a id="_getting_started"></a>Getting Started</h2><p/>
+<div class="sectionbody">
+<p><em>BroControl</em> is an interactive interface to the cluster which
+allows you to, e.g., start/stop the monitoring or update its
+configuration. It is started with the <tt>broctl</tt> script and then
+expects commands on its command-line (alternatively, <tt>broctl</tt> can
+also be started with a single command directly on the shell's
+command line):</p>
+<div class="literalblock">
+<div class="content">
+<pre><tt>&gt; cluster
+Welcome to BroControl 0.2</tt></pre>
+</div></div>
+<div class="literalblock">
+<div class="content">
+<pre><tt>Type "help" for help.</tt></pre>
+</div></div>
+<div class="literalblock">
+<div class="content">
+<pre><tt>[BroControl] &gt;</tt></pre>
+</div></div>
+<p>As the message says, type <a href="#cmd_help"><tt>help</tt></a> to see a list of all
+commands. We will now briefly summarize the most important commands.
+A full reference follows <a href="cmd_reference">below</a>.</p>
+<p>Once <tt>broctl.cfg</tt> and <tt>node.cfg</tt> are set up as described above, the
+monitoring can be started with the <a href="#cmd_start"><tt>start</tt></a> command.
+In the cluster setup, this will successively start manager, proxies,
+and workers. The <a href="#cmd_status"><tt>status</tt></a> command should then show
+all nodes as operating. To stop the monitoring, issue the
+<a href="#cmd_stop"><tt>stop</tt></a> command. <a href="#cmd_exit"><tt>exit</tt></a> leaves the
+shell.</p>
+<p>On the manager system (and on the standalone system), you find the
+current set of (aggregated) logs in <tt>logs/current</tt> (which is a
+symlink to the corresponding spool directory.) The workers and
+proxies log into <tt>spool/proxy/</tt> and <tt>spool/&lt;worker-name&gt;/</tt>,
+respectively. The manager/stand-alone logs are archived in <tt>logs/</tt>,
+by default once a day. Logs files of workers and proxies are
+discarded at the same rotation interval.</p>
+<p>Whenenver the <em>BroControl</em> configuration is modified in any way
+(including changes to configuration files and site-specific policy
+scripts), <a href="#cmd_install"><tt>install</tt></a> installs the new version. <em>No
+changes will take effect until <a href="#cmd_install"><tt>install</tt></a> is run</em>.
+Before you run <a href="#cmd_install"><tt>install</tt></a>, <a href="#cmd_check"><tt>check</tt></a>
+can be used to check for any potential erros in the new
+configuration, e.g., typos in scripts. If <a href="#cmd_check"><tt>check</tt></a>
+does not report any problems, doing <a href="#cmd_install"><tt>install</tt></a> will
+pretty likely not break anything.</p>
+<p>Note that generally configuration changes only take effect after a
+restart of the affected nodes. The <a href="#cmd_restart"><tt>restart</tt></a>
+command triggers this. Some changes however can be put into effect
+on-the-fly without restarting any of the nodes by using the
+<a href="#cmd_update"><tt>update</tt></a> command (again only after doing
+<a href="#cmd_install"><tt>install</tt></a> first). Such dynamic updates work with
+all changes done via the <a href="#cmd_analysis"><tt>analysis</tt></a> command (see
+below) as well as generally with all policy which only modify global
+variables declared as <em>redefinable</em> (i.e., with Bro's <em>&amp;redef</em>
+attribute).</p>
+<p>Generally, site-specific tuning needs to be done with local policy
+scripts, as in any Bro setup. This is described
+<a href="site_tuning">below</a>. Some general types of analysis can however
+be enabled/disabled via the <a href="#cmd_analysis"><tt>analysis</tt></a> command.</p>
+<p><em>BroControl</em> provides various options to control the behaviour of the
+setup. These options can be set by editing <tt>etc/broctl.cfg</tt>. The
+<a href="#cmd_config"><tt>config</tt></a> command gives list of all options with
+their current values. A list of the most important options also
+follows <a href="cmd_reference">below</a>.</p>
+</div>
+<h2><a id="_site_specific_customization"></a>Site-specific Customization</h2><p/>
+<div class="sectionbody">
+<p><a id="site_tuning"></a>You'll most likely want to adapt the Bro policy to the local
+environment. While some types of analysis can be customized via the
+<a href="#cmd_analysis"><tt>analysis</tt></a> command, much of the more specific
+tuning requires writing local policy files.</p>
+<p>By default, it is assumed that you put site-specific policy scripts
+into the <tt>share/bro/site</tt> directory. To change the location of site
+policies, set the option <a href="#opt_SitePolicyPath"><tt>SitePolicyPath</tt></a>
+in <tt>broctl.cfg</tt> to a different path.</p>
+<p>During the initial install, sample policy scripts are installed in
+<tt>share/bro/site</tt>, which you can edit as appropiate. In the stand-alone
+setup, this is just a single file called <tt>local.bro</tt>. In the cluster
+setup, there are three: <tt>local-manager.bro</tt> and <tt>local-worker.bro</tt>
+are loaded by the manager and the workers (plus proxies),
+respectively. In turn, both of these load <tt>local.bro</tt>, which
+contains all configuration code shared by all nodes. If in doubt,
+put your customizations into <tt>local.bro</tt> so that all nodes see it.
+If you want to change which local scripts are loaded by the nodes,
+you can set <a href="#opt_SitePolicyManager"><tt>SitePolicyManager</tt></a> for the
+manager and <a href="#opt_SitePolicyWorker"><tt>SitePolicyWorker</tt></a> for the
+workers.</p>
+<p>In the cluster setup, the main exception to putting everything into
+<tt>local.bro</tt> is notice filtering, which should be done only on the
+manager. The example <tt>local-manager.bro</tt> comes with an example setup
+to configure notice policy and notice actions. You should to adapt
+thiese to the local environment.</p>
+<p>In general, all of <em>BroControl</em>'s policy scripts are loaded before any
+site-specific policy so that you can redefine any of the defaults
+locally. The <a href="#cmd_scripts"><tt>scripts</tt></a> shows precisely which
+policy scripts get loaded by a node; that can be very helpful for
+debugging.</p>
+<p>Please note that enabling a particular kind of analysis via the
+<a href="#cmd_analysis"><tt>analysis</tt></a> command only has an effect if the
+corresponding Bro scripts are loaded by the local site policy in
+<tt>local.bro</tt>.</p>
+<p>It is also possible to add additional scripts to individual nodes
+only. This works by setting the option <tt>aux_scripts</tt> for the
+corresponding node(s) in <tt>etc/nodes.cfg</tt>. For example, one could add
+a script <tt>experimental.bro</tt> to a single worker for trying out new
+experimental code.</p>
+</div>
+<h2><a id="_command_reference"></a>Command Reference</h2><p/>
+<div class="sectionbody">
+<p><a id="cmd_reference"></a>The following summary lists all commands supported by <em>BroControl</em>. All
+commands may be either entered interactively or specificed on the
+shell's command line. If not specified otherwise, commands taking
+<em>[&lt;nodes&gt;]</em> as arguments apply their action either to the given set
+of nodes, or to all nodes if none is given.</p>
+<dl>
+<dt>
+<a id="cmd_analysis"></a> <strong>analysis <em>enable|disable &lt;type&gt;</em></strong>
+</dt>
+<dd>
+<p>
+This command enables or disables certain kinds of analysis without the
+need for doing any changes to Bro scripts. Currently, the analyses
+shown in the table below can be controlled (in parentheses the
+corresponding Bro scripts; the effect of enabling/disabling is similar
+to loading or not loading these scripts, respectively). The list might
+be extended in the future. Any changes performed via this command are
+applied by <a href="#cmd_update"><tt>update</tt></a> and therefore do not require a
+restart of the nodes.
+</p>
+<div class="tableblock">
+<table rules="all"
+frame="void"
+cellspacing="0" cellpadding="4">
+<col width="266" />
+<col width="533" />
+<thead>
+  <tr>
+    <th align="center">
+    Type
+    </th>
+    <th align="left">
+    Description
+    </th>
+  </tr>
+</thead>
+<tbody valign="top">
+  <tr>
+    <td align="center">
+    dns
+    </td>
+    <td align="left">
+    DNS analysis (<tt>dns.bro</tt>)
+    </td>
+  </tr>
+  <tr>
+    <td align="center">
+    ftp
+    </td>
+    <td align="left">
+    FTP analysis (<tt>ftp.bro</tt>)
+    </td>
+  </tr>
+  <tr>
+    <td align="center">
+    http-body
+    </td>
+    <td align="left">
+    HTTP body analysis (<tt>http-body.bro</tt>).
+    </td>
+  </tr>
+  <tr>
+    <td align="center">
+    http-request
+    </td>
+    <td align="left">
+    Client-side HTTP analysis only (<tt>http-request.bro</tt>)
+    </td>
+  </tr>
+  <tr>
+    <td align="center">
+    http-reply
+    </td>
+    <td align="left">
+    Client- and server-side HTTP analysis (<tt>http-request.bro</tt>/<tt>http-reply.bro</tt>)
+    </td>
+  </tr>
+  <tr>
+    <td align="center">
+    http-header
+    </td>
+    <td align="left">
+    HTTP header analysis (<tt>http-headers.bro</tt>)
+    </td>
+  </tr>
+  <tr>
+    <td align="center">
+    scan
+    </td>
+    <td align="left">
+    Scan detection (<tt>scan.bro</tt>)
+    </td>
+  </tr>
+  <tr>
+    <td align="center">
+    smtp
+    </td>
+    <td align="left">
+    SMTP analysis (<tt>smtp.bro</tt>)
+    </td>
+  </tr>
+</tbody>
+</table>
+</div>
+</dd>
+<dt>
+<a id="cmd_attachgdb"></a> <strong>attachgdb <em>[&lt;nodes&gt;]</em></strong>
+</dt>
+<dd>
+<p>
+Primarily for debugging, the command attaches a <em>gdb</em> to the main Bro
+process on the given nodes.
+</p>
+</dd>
+<dt>
+<a id="cmd_capstats"></a> <strong>capstats <em>[&lt;interval&gt;] [&lt;nodes&gt;]</em></strong>
+</dt>
+<dd>
+<p>
+Determines the current load on the network interfaces monitored by
+each of the given worker nodes. The load is measured over the
+specified interval (in seconds), or by default over 10 seconds. This
+command uses the <a href="http://www.icir.org/robin/capstats">capstats</a> tool,
+which is installed along with <tt>broctl</tt>.
+</p>
+</dd>
+</dl>
+<p>(Note: When using a CFlow and the CFlow command line utility is
+installed as well, the <tt>capstats</tt> command can also query the device
+for port statistics. <em>TODO</em>: document how to set this up.)</p>
+<dl>
+<dt>
+<a id="cmd_check"></a> <strong>check <em>[&lt;nodes&gt;]</em></strong>
+</dt>
+<dd>
+<p>
+Verifies a modified configuration in terms of syntactical correctness
+(most importantly correct syntax in policy scripts). This command
+should be executed for each configuration change <em>before</em>
+<a href="#cmd_install"><tt>install</tt></a> is used to put the change into place. Note
+that <tt>check</tt> is the only command which operates correctly without a
+former <a href="#cmd_install"><tt>install</tt></a> command; <tt>check</tt> uses the policy
+files as found in <a href="#opt_SitePolicyPath"><tt>SitePolicyPath</tt></a> to make
+sure they compile correctly. If they do, <a href="#cmd_install"><tt>install</tt></a>
+will then copy them over to an internal place from where the nodes
+will read them at the next <a href="#cmd_start"><tt>start</tt></a>. This approach
+ensures that new errors in a policy scripts will not affect currently
+running nodes, even when one or more of them needs to be restarted.
+</p>
+</dd>
+<dt>
+<a id="cmd_cleanup"></a> <strong>cleanup <em>[&#8212;all] [&lt;nodes&gt;]</em></strong>
+</dt>
+<dd>
+<p>
+Clears the nodes' spool directories (if they are not running
+currently). This implies that their persistent state is flushed. Nodes
+that were crashed are reset into <em>stopped</em> state. If <tt>&#8212;all</tt> is
+specified, this command also removes the content of the node's
+<a href="#opt_TmpDir"><tt>TmpDir</tt></a>, in particular deleteing any data
+potentially saved there for reference from previous crashes.
+Generally, if you want to reset the installation back into a clean
+state, you can first <a href="#cmd_stop"><tt>stop</tt></a> all nodes, then execute
+<tt>cleanup &#8212;all</tt>, and finally <a href="#cmd_start"><tt>start</tt></a> all nodes
+again.
+</p>
+</dd>
+<dt>
+<a id="cmd_config"></a> <strong>config </strong>
+</dt>
+<dd>
+<p>
+Prints all configuration options with their current values.
+</p>
+</dd>
+<dt>
+<a id="cmd_cron"></a> <strong>cron <em>[&lt;nodes&gt;]</em></strong>
+</dt>
+<dd>
+<p>
+As the name implies, this command should be executed regularly via
+<em>cron</em>, as described <a href="#Installation">above</a>. It performs a set of
+maintainance tasks, including the logging of various statistical
+information, expiring old log files, checking for dead hosts, and
+restarting nodes which terminated unexpectedly.  While not intended
+for interactive use, no harm will be caused by executing the command
+manually: all the maintainance tasks will then just be performed one
+more time.
+</p>
+</dd>
+<dt>
+<a id="cmd_df"></a> <strong>df <em>[&lt;nodes&gt;]</em></strong>
+</dt>
+<dd>
+<p>
+Reports the amount of disk space available on the nodes. Shows only
+paths relevant to the broctl installation.
+</p>
+</dd>
+<dt>
+<a id="cmd_diag"></a> <strong>diag <em>[&lt;nodes&gt;]</em></strong>
+</dt>
+<dd>
+<p>
+If a node has terminated unexpectedly, this command prints a (somewhat
+cryptic) summary of its final state including excerpts of any
+stdout/stderr output, resource usage, and also a stack backtrace if a
+core dump is found. The same information is sent out via mail when a
+node is found to have crashed (the "crash report"). While the
+information is mainly intended for debugging, it can also help to find
+misconfigurations (which are usually, but not always, caught by the
+<a href="#cmd_check"><tt>check</tt></a> command).
+</p>
+</dd>
+<dt>
+<a id="cmd_exec"></a> <strong>exec <em>&lt;command line&gt;</em></strong>
+</dt>
+<dd>
+<p>
+Executes the given Unix shell command line on all nodes configured to
+run at least one Bro instance. This is handy to quickly perform an
+action across all systems.
+</p>
+</dd>
+<dt>
+<a id="cmd_exit"></a> <strong>exit </strong>
+</dt>
+<dd>
+<p>
+Terminates the shell.
+</p>
+</dd>
+<dt>
+<a id="cmd_help"></a> <strong>help </strong>
+</dt>
+<dd>
+<p>
+Prints a brief summary of all commands understood by the shell.
+</p>
+</dd>
+<dt>
+<a id="cmd_install"></a> <strong>install </strong>
+</dt>
+<dd>
+<p>
+Reinstalls the given nodes, including all configuration files and
+local policy scripts.  This command must be executed after <em>all</em>
+changes to any part of the broctl configuration, otherwise the
+modifications will not take effect. Usually all nodes should be
+reinstalled at the same time, as any inconsistencies between them will
+lead to strange effects. Before executing <tt>install</tt>, it is recommended
+to verify the configuration with <a href="#cmd_check"><tt>check</tt></a>.
+</p>
+</dd>
+<dt>
+<a id="cmd_netstats"></a> <strong>netstats <em>[&lt;nodes&gt;]</em></strong>
+</dt>
+<dd>
+<p>
+Queries each of the nodes for their current counts of captured and
+dropped packets.
+</p>
+</dd>
+<dt>
+<a id="cmd_nodes"></a> <strong>nodes </strong>
+</dt>
+<dd>
+<p>
+Prints a list of all configured nodes.
+</p>
+</dd>
+<dt>
+<a id="cmd_peerstatus"></a> <strong>peerstatus <em>[&lt;nodes&gt;]</em></strong>
+</dt>
+<dd>
+<p>
+Primarily for debugging, <tt>peerstatus</tt> reports statistics about the
+network connections cluster nodes are using to communicate with other
+nodes.
+</p>
+</dd>
+<dt>
+<a id="cmd_print"></a> <strong>print <em>&lt;id&gt; [&lt;nodes&gt;]</em></strong>
+</dt>
+<dd>
+<p>
+Reports the <em>current</em> live value of the given Bro script ID on all of
+the specified nodes (which obviously must be running). This can for
+example be useful to (1) check that policy scripts are working as
+expected, or (2) confirm that configuration changes have in fact been
+applied.  Note that IDs defined inside a Bro namespace must be
+prefixed with <tt>&lt;namespace&gt;::</tt> (e.g., <tt>print SSH::did_ssh_version</tt> to
+print the corresponding table from <tt>ssh.bro</tt>.)
+</p>
+</dd>
+<dt>
+<a id="cmd_quit"></a> <strong>quit </strong>
+</dt>
+<dd>
+<p>
+Terminates the shell.
+</p>
+</dd>
+<dt>
+<a id="cmd_restart"></a> <strong>restart <em>[&#8212;clean] [&lt;nodes&gt;]</em></strong>
+</dt>
+<dd>
+<p>
+Restarts the given nodes, or all nodes if none are specified. The
+effect is the same as first executing <a href="#cmd_stop"><tt>stop</tt></a> followed
+by a <a href="#cmd_start"><tt>start</tt></a>, giving the same nodes in both cases.
+This command is most useful to activate any changes made to Bro policy
+scripts (after running <a href="#cmd_install"><tt>install</tt></a> first). Note that a
+subset of policy changes can also be installed on the fly via the
+<a href="#cmd_updatel"><tt>update</tt></a>, without requiring a restart.
+</p>
+</dd>
+</dl>
+<p>If <tt>&#8212;clean</tt> is given, the installation is reset into a clean state
+before restarting. More precisely, a <tt>restart &#8212;clean</tt> turns into the
+command sequence <a href="#cmd_stop"><tt>stop</tt></a>, <a href="#cmd_cleanup"><tt>cleanup
+&#8212;all</tt></a>, <a href="#cmd_check"><tt>check</tt></a>, <a href="#cmd_install"><tt>install</tt></a>, and
+<a href="#cmd_start"><tt>start</tt></a>.</p>
+<dl>
+<dt>
+<a id="cmd_scripts"></a> <strong>scripts <em>[-p|-c] [&lt;nodes&gt;]</em></strong>
+</dt>
+<dd>
+<p>
+Primarily for debugging Bro configurations, the <tt>script</tt> command lists
+all the Bro scripts loaded by each of the nodes in the order as they
+will be parsed by the node at startup. If <tt>-p</tt> is given, all scripts
+are listed with their full paths. If <tt>-c</tt> is given, the command
+operates as <a href="#cmd_check::"><tt>check</tt></a> does: it reads the policy files
+from their <em>original</em> location, not the copies installed by
+<a href="#cmd_install"><tt>install</tt></a>. The latter option is useful to check a
+not yet installed configuration.
+</p>
+</dd>
+<dt>
+<a id="cmd_start"></a> <strong>start <em>[&lt;nodes&gt;]</em></strong>
+</dt>
+<dd>
+<p>
+Starts the given nodes, or all nodes if none are specified. Nodes
+already running are left untouched.
+</p>
+</dd>
+<dt>
+<a id="cmd_status"></a> <strong>status <em>[&lt;nodes&gt;]</em></strong>
+</dt>
+<dd>
+<p>
+Prints the current status of the given nodes.
+</p>
+</dd>
+<dt>
+<a id="cmd_stop"></a> <strong>stop <em>[&lt;nodes&gt;]</em></strong>
+</dt>
+<dd>
+<p>
+Stops the given nodes, or all nodes if none are specified. Nodes not
+running are left untouched.
+</p>
+</dd>
+<dt>
+<a id="cmd_top"></a> <strong>top <em>[&lt;nodes&gt;]</em></strong>
+</dt>
+<dd>
+<p>
+For each of the nodes, prints the status of the two Bro
+processes (parent process and child process) in a <em>top</em>-like
+format, including CPU usage and memory consumption. If
+executed interactively, the display is updated frequently
+until key <tt>q</tt> is pressed. If invoked non-interactively, the
+status is printed only once.
+</p>
+</dd>
+<dt>
+<a id="cmd_update"></a> <strong>update <em>[&lt;nodes&gt;]</em></strong>
+</dt>
+<dd>
+<p>
+After a change to Bro policy scripts, this command updates the Bro
+processes on the given nodes <em>while they are running</em> (i.e., without
+requiring a <a href="#cmd_restart"><tt>restart</tt></a>). However, such dynamic
+updates work only for a <em>subset</em> of Bro's full configuration. The
+following changes can be applied on the fly: (1) The value of all
+script variables defined as <tt>&amp;redef</tt> can be changed; and (2) all
+configuration changes performed via the <a href="#cmd_analysis"><tt>analysis</tt></a>
+command can be put into effect. More extensive script changes are not
+possible during runtime and always require a restart; if you change
+more than just the values of <tt>&amp;redef</tt> variables and still issue
+<tt>update</tt>, the results are undefined and can lead to crashes. Also note
+that before running <tt>update</tt>, you still need to do an
+<a href="#cmd_install"><tt>install</tt></a> (preferably after
+<a href="#cmd_install"><tt>check</tt></a>), as otherwise <tt>update</tt> will not see the
+changes and resend the old configuration.
+</p>
+</dd>
+</dl>
+</div>
+<h2><a id="_option_reference"></a>Option Reference</h2><p/>
+<div class="sectionbody">
+<p>This section summarizes the options that can be set in
+<tt>etc/broctl.cfg</tt> for customizing the behaviour of <em>BroControl</em>. Usually,
+one only needs to change the "user options", which are listed first.
+The "internal options" are, as the name suggests, primarily used
+internally and set automatically. They are documented here only for
+reference.</p>
+<h3><a id="_user_options"></a>User Options</h3><p/>
+<dl>
+<dt>
+<a id="opt_AuxPostProcessors"></a> <strong>AuxPostProcessors</strong> (string, default <em>empty</em>)
+</dt>
+<dd>
+<p>
+Additional log postprocessors, with paths separated by spaces.
+</p>
+</dd>
+<dt>
+<a id="opt_AuxScriptsManager"></a> <strong>AuxScriptsManager</strong> (string, default <em>empty</em>)
+</dt>
+<dd>
+<p>
+Additional Bro scripts loaded on the manager, separated by spaces.
+</p>
+</dd>
+<dt>
+<a id="opt_AuxScriptsStandalone"></a> <strong>AuxScriptsStandalone</strong> (string, default <em>empty</em>)
+</dt>
+<dd>
+<p>
+Additional Bro scripts loaded on a standalone Brothe manage, separated by spaces.
+</p>
+</dd>
+<dt>
+<a id="opt_AuxScriptsWorker"></a> <strong>AuxScriptsWorker</strong> (string, default <em>empty</em>)
+</dt>
+<dd>
+<p>
+Additional Bro scripts loaded on the workers, separated by spaces.
+</p>
+</dd>
+<dt>
+<a id="opt_BroArgs"></a> <strong>BroArgs</strong> (string, default <em>empty</em>)
+</dt>
+<dd>
+<p>
+Additional arguments to pass to Bro on the command-line.
+</p>
+</dd>
+<dt>
+<a id="opt_CFlowAddr"></a> <strong>CFlowAddr</strong> (string, default <em>empty</em>)
+</dt>
+<dd>
+<p>
+If a cFlow load-balander is used, the address of the device (format: &lt;ip&gt;:&lt;port&gt;).
+</p>
+</dd>
+<dt>
+<a id="opt_CFlowPassword"></a> <strong>CFlowPassword</strong> (string, default <em>empty</em>)
+</dt>
+<dd>
+<p>
+If a cFlow load-balander is used, the password for accessing its configuration interface.
+</p>
+</dd>
+<dt>
+<a id="opt_CFlowUser"></a> <strong>CFlowUser</strong> (string, default <em>empty</em>)
+</dt>
+<dd>
+<p>
+If a cFlow load-balander is used, the user name for accessing its configuration interface.
+</p>
+</dd>
+<dt>
+<a id="opt_CronCmd"></a> <strong>CronCmd</strong> (string, default <em>empty</em>)
+</dt>
+<dd>
+<p>
+A custom command to run everytime the cron command has finished.
+</p>
+</dd>
+<dt>
+<a id="opt_CustomInstallBin"></a> <strong>CustomInstallBin</strong> (string, default <em>empty</em>)
+</dt>
+<dd>
+<p>
+Additional executables to be installed into ${BinDir}, including full path and separated by spaces.
+</p>
+</dd>
+<dt>
+<a id="opt_Debug"></a> <strong>Debug</strong> (bool, default 0)
+</dt>
+<dd>
+<p>
+Enable extensive debugging output in spool/debug.log.
+</p>
+</dd>
+<dt>
+<a id="opt_DevMode"></a> <strong>DevMode</strong> (bool, default 0)
+</dt>
+<dd>
+<p>
+Enable development mode, which changes how things are installed by the <em>install</em> command.
+</p>
+</dd>
+<dt>
+<a id="opt_HaveNFS"></a> <strong>HaveNFS</strong> (bool, default 0)
+</dt>
+<dd>
+<p>
+True if shared files are mounted across all nodes via NFS (see FAQ).
+</p>
+</dd>
+<dt>
+<a id="opt_LogDir"></a> <strong>LogDir</strong> (string, default "${BroBase}/logs")
+</dt>
+<dd>
+<p>
+Directory for archived log files.
+</p>
+</dd>
+<dt>
+<a id="opt_LogExpireInterval"></a> <strong>LogExpireInterval</strong> (int, default 30)
+</dt>
+<dd>
+<p>
+Number of days log files are kept.
+</p>
+</dd>
+<dt>
+<a id="opt_MailAlarmPrefix"></a> <strong>MailAlarmPrefix</strong> (string, default "ALERT:")
+</dt>
+<dd>
+<p>
+Subject prefix for individual alerts triggered by NOTICE_EMAIL.
+</p>
+</dd>
+<dt>
+<a id="opt_MailAlarms"></a> <strong>MailAlarms</strong> (bool, default 1)
+</dt>
+<dd>
+<p>
+True if Bro should send mails for NOTICE_EMAIL alerts.
+</p>
+</dd>
+<dt>
+<a id="opt_MailAlarmsTo"></a> <strong>MailAlarmsTo</strong> (string, default "${MailTo}")
+</dt>
+<dd>
+<p>
+Destination address for broctl-generated alarm mails.
+</p>
+</dd>
+<dt>
+<a id="opt_MailFrom"></a> <strong>MailFrom</strong> (string, default "Big Brother &lt;&gt;")
+</dt>
+<dd>
+<p>
+Originator address for broctl-generated mails.
+</p>
+</dd>
+<dt>
+<a id="opt_MailReplyTo"></a> <strong>MailReplyTo</strong> (string, default <em>empty</em>)
+</dt>
+<dd>
+<p>
+Reply-to address for broctl-generated mails.
+</p>
+</dd>
+<dt>
+<a id="opt_MailSubjectPrefix"></a> <strong>MailSubjectPrefix</strong> (string, default "[Bro]")
+</dt>
+<dd>
+<p>
+General Subject prefix for broctl-generated mails.
+</p>
+</dd>
+<dt>
+<a id="opt_MailTo"></a> <strong>MailTo</strong> (string, default "&lt;user&gt;")
+</dt>
+<dd>
+<p>
+Destination address for broctl-generated non-alarm mails. Default is to use the same address as <tt>MailTo</tt>.
+</p>
+</dd>
+<dt>
+<a id="opt_MemLimit"></a> <strong>MemLimit</strong> (string, default "unlimited")
+</dt>
+<dd>
+<p>
+Maximum amount of memory for Bro processes to use (in KB, or the string <em>unlimited</em>).
+</p>
+</dd>
+<dt>
+<a id="opt_MinDiskSpace"></a> <strong>MinDiskSpace</strong> (int, default 5)
+</dt>
+<dd>
+<p>
+Percentage of minimum disk space available before warning is mailed.
+</p>
+</dd>
+<dt>
+<a id="opt_Prefixes"></a> <strong>Prefixes</strong> (string, default "local")
+</dt>
+<dd>
+<p>
+Additional script prefixes for Bro, separated by colons. Use this instead of @prefix.
+</p>
+</dd>
+<dt>
+<a id="opt_SaveTraces"></a> <strong>SaveTraces</strong> (bool, default 0)
+</dt>
+<dd>
+<p>
+True to let backends capture short-term traces via <em>-w</em>. These are not archived but might be helpful for debugging.
+</p>
+</dd>
+<dt>
+<a id="opt_SendMail"></a> <strong>SendMail</strong> (bool, default 1)
+</dt>
+<dd>
+<p>
+True if shell may send mails.
+</p>
+</dd>
+<dt>
+<a id="opt_SitePolicyManager"></a> <strong>SitePolicyManager</strong> (string, default "local-manager.bro")
+</dt>
+<dd>
+<p>
+Local policy file for manager.
+</p>
+</dd>
+<dt>
+<a id="opt_SitePolicyPath"></a> <strong>SitePolicyPath</strong> (string, default "${PolicyDir}/site")
+</dt>
+<dd>
+<p>
+Directories to search for local policy files, separated by colons.
+</p>
+</dd>
+<dt>
+<a id="opt_SitePolicyStandalone"></a> <strong>SitePolicyStandalone</strong> (string, default "local.bro")
+</dt>
+<dd>
+<p>
+Local policy file for standalone Bro.
+</p>
+</dd>
+<dt>
+<a id="opt_SitePolicyWorker"></a> <strong>SitePolicyWorker</strong> (string, default "local-worker.bro")
+</dt>
+<dd>
+<p>
+Local policy file for workers.
+</p>
+</dd>
+<dt>
+<a id="opt_TimeFmt"></a> <strong>TimeFmt</strong> (string, default "%d %b %H:%M:%S")
+</dt>
+<dd>
+<p>
+Format string to print data/time specifications (see <em>man strftime</em>).
+</p>
+</dd>
+<dt>
+<a id="opt_TimeMachineHost"></a> <strong>TimeMachineHost</strong> (string, default <em>empty</em>)
+</dt>
+<dd>
+<p>
+If the manager should connect to a Time Machine, the address of the host it is running on.
+</p>
+</dd>
+<dt>
+<a id="opt_TimeMachinePort"></a> <strong>TimeMachinePort</strong> (string, default "47757/tcp")
+</dt>
+<dd>
+<p>
+If the manager should connect to a Time Machine, the port it is running on (in Bro syntax, e.g., <tt>47757/tcp</tt>.
+</p>
+</dd>
+</dl>
+<h3><a id="_internal_options"></a>Internal Options</h3><p/>
+<dl>
+<dt>
+<a id="opt_AnalysisCfg"></a> <strong>AnalysisCfg</strong> (string, default "${CfgDir}/analysis.dat")
+</dt>
+<dd>
+<p>
+Configuration file defining types of analysis which can be toggled on-the-fly.
+</p>
+</dd>
+<dt>
+<a id="opt_BinDir"></a> <strong>BinDir</strong> (string, default "${BroBase}/bin")
+</dt>
+<dd>
+<p>
+Directory for executable files.
+</p>
+</dd>
+<dt>
+<a id="opt_BroBase"></a> <strong>BroBase</strong> (string, default <em>empty</em>)
+</dt>
+<dd>
+<p>
+Base path of broctl installation on all nodes.
+</p>
+</dd>
+<dt>
+<a id="opt_Capstats"></a> <strong>Capstats</strong> (string, default "${bindir}/capstats")
+</dt>
+<dd>
+<p>
+Path to capstats binary; empty if not available.
+</p>
+</dd>
+<dt>
+<a id="opt_CfgDir"></a> <strong>CfgDir</strong> (string, default "${BroBase}/etc")
+</dt>
+<dd>
+<p>
+Directory for configuration files.
+</p>
+</dd>
+<dt>
+<a id="opt_DebugLog"></a> <strong>DebugLog</strong> (string, default "${SpoolDir}/debug.log")
+</dt>
+<dd>
+<p>
+Log file for debugging information.
+</p>
+</dd>
+<dt>
+<a id="opt_DistDir"></a> <strong>DistDir</strong> (string, default <em>empty</em>)
+</dt>
+<dd>
+<p>
+Path to Bro distribution directory.
+</p>
+</dd>
+<dt>
+<a id="opt_HaveBroccoli"></a> <strong>HaveBroccoli</strong> (bool)
+</dt>
+<dd>
+<p>
+True if Broccoli interface is available.
+</p>
+</dd>
+<dt>
+<a id="opt_HelperDir"></a> <strong>HelperDir</strong> (string, default "${BroBase}/share/broctl/scripts/helpers")
+</dt>
+<dd>
+<p>
+Directory for broctl helper scripts.
+</p>
+</dd>
+<dt>
+<a id="opt_LibDir"></a> <strong>LibDir</strong> (string, default "${BroBase}/lib")
+</dt>
+<dd>
+<p>
+Directory for library files.
+</p>
+</dd>
+<dt>
+<a id="opt_LibDirInternal"></a> <strong>LibDirInternal</strong> (string, default "${BroBase}/lib/broctl")
+</dt>
+<dd>
+<p>
+Directory for broctl-specific library files.
+</p>
+</dd>
+<dt>
+<a id="opt_LocalNetsCfg"></a> <strong>LocalNetsCfg</strong> (string, default "${CfgDir}/networks.cfg")
+</dt>
+<dd>
+<p>
+File definining the local networks.
+</p>
+</dd>
+<dt>
+<a id="opt_LockFile"></a> <strong>LockFile</strong> (string, default "${SpoolDir}/lock")
+</dt>
+<dd>
+<p>
+Lock file preventing concurrent shell operations.
+</p>
+</dd>
+<dt>
+<a id="opt_NodeCfg"></a> <strong>NodeCfg</strong> (string, default "${CfgDir}/node.cfg")
+</dt>
+<dd>
+<p>
+Node configuration file.
+</p>
+</dd>
+<dt>
+<a id="opt_OS"></a> <strong>OS</strong> (string, default <em>empty</em>)
+</dt>
+<dd>
+<p>
+Name of operation systems as reported by uname.
+</p>
+</dd>
+<dt>
+<a id="opt_PolicyDir"></a> <strong>PolicyDir</strong> (string, default "${BroBase}/share/bro")
+</dt>
+<dd>
+<p>
+Directory for standard policy files.
+</p>
+</dd>
+<dt>
+<a id="opt_PolicyDirBroCtl"></a> <strong>PolicyDirBroCtl</strong> (string, default "${PolicyDir}/broctl")
+</dt>
+<dd>
+<p>
+Directory where the shell copies the additional broctl policy scripts when installing.
+</p>
+</dd>
+<dt>
+<a id="opt_PolicyDirSiteInstall"></a> <strong>PolicyDirSiteInstall</strong> (string, default "${PolicyDir}/.site")
+</dt>
+<dd>
+<p>
+Directory where the shell copies local policy scripts when installing.
+</p>
+</dd>
+<dt>
+<a id="opt_PolicyDirSiteInstallAuto"></a> <strong>PolicyDirSiteInstallAuto</strong> (string, default "${PolicyDir}/.site/auto")
+</dt>
+<dd>
+<p>
+Directory where the shell copies auto-generated local policy scripts when installing.
+</p>
+</dd>
+<dt>
+<a id="opt_PostProcDir"></a> <strong>PostProcDir</strong> (string, default "${BroBase}/share/broctl/scripts/postprocessors")
+</dt>
+<dd>
+<p>
+Directory for log postprocessors.
+</p>
+</dd>
+<dt>
+<a id="opt_Scripts-Manager"></a> <strong>Scripts-Manager</strong> (string, default "cluster-manager")
+</dt>
+<dd>
+<p>
+Bro scripts loaded on the manager, separated by spaces.
+</p>
+</dd>
+<dt>
+<a id="opt_Scripts-Proxy"></a> <strong>Scripts-Proxy</strong> (string, default "cluster-proxy")
+</dt>
+<dd>
+<p>
+Bro scripts loaded on the proxies, separated by spaces.
+</p>
+</dd>
+<dt>
+<a id="opt_Scripts-Standalone"></a> <strong>Scripts-Standalone</strong> (string, default "standalone")
+</dt>
+<dd>
+<p>
+Bro scripts loaded on a standalone Bro, separated by spaces.
+</p>
+</dd>
+<dt>
+<a id="opt_Scripts-Worker"></a> <strong>Scripts-Worker</strong> (string, default "cluster-worker")
+</dt>
+<dd>
+<p>
+Bro scripts loaded on the workers, separated by spaces.
+</p>
+</dd>
+<dt>
+<a id="opt_ScriptsDir"></a> <strong>ScriptsDir</strong> (string, default "${BroBase}/share/broctl/scripts")
+</dt>
+<dd>
+<p>
+Directory for executable scripts shipping as part of broctl.
+</p>
+</dd>
+<dt>
+<a id="opt_SpoolDir"></a> <strong>SpoolDir</strong> (string, default "${BroBase}/spool")
+</dt>
+<dd>
+<p>
+Directory for run-time data.
+</p>
+</dd>
+<dt>
+<a id="opt_StandAlone"></a> <strong>StandAlone</strong> (bool, default 0)
+</dt>
+<dd>
+<p>
+True if running in stand-alone mode (see elsewhere).
+</p>
+</dd>
+<dt>
+<a id="opt_StateFile"></a> <strong>StateFile</strong> (string, default "${SpoolDir}/broctl.dat")
+</dt>
+<dd>
+<p>
+File storing the current broctl state.
+</p>
+</dd>
+<dt>
+<a id="opt_StaticDir"></a> <strong>StaticDir</strong> (string, default "${BroBase}/share/broctl")
+</dt>
+<dd>
+<p>
+Directory for static, arch-independent files.
+</p>
+</dd>
+<dt>
+<a id="opt_StatsDir"></a> <strong>StatsDir</strong> (string, default "${LogDir}/stats")
+</dt>
+<dd>
+<p>
+Directory where statistics are kepts.
+</p>
+</dd>
+<dt>
+<a id="opt_StatsLog"></a> <strong>StatsLog</strong> (string, default "${SpoolDir}/stats.log")
+</dt>
+<dd>
+<p>
+Log file for statistics.
+</p>
+</dd>
+<dt>
+<a id="opt_TemplateDir"></a> <strong>TemplateDir</strong> (string, default "${BroBase}/share/broctl/templates")
+</dt>
+<dd>
+<p>
+Directory where the *.in templates are copied into.
+</p>
+</dd>
+<dt>
+<a id="opt_Time"></a> <strong>Time</strong> (string, default <em>empty</em>)
+</dt>
+<dd>
+<p>
+Path to time binary.
+</p>
+</dd>
+<dt>
+<a id="opt_TmpDir"></a> <strong>TmpDir</strong> (string, default "${SpoolDir}/tmp")
+</dt>
+<dd>
+<p>
+Directory for temporary data.
+</p>
+</dd>
+<dt>
+<a id="opt_TmpExecDir"></a> <strong>TmpExecDir</strong> (string, default "${SpoolDir}/tmp")
+</dt>
+<dd>
+<p>
+Directory where binaries are copied before execution.
+</p>
+</dd>
+<dt>
+<a id="opt_TraceSummary"></a> <strong>TraceSummary</strong> (string, default "${bindir}/trace-summary")
+</dt>
+<dd>
+<p>
+Path to trace-summary script; empty if not available.
+</p>
+</dd>
+<dt>
+<a id="opt_Version"></a> <strong>Version</strong> (string, default <em>empty</em>)
+</dt>
+<dd>
+<p>
+Version of the broctl.
+</p>
+</dd>
+</dl>
+</div>
+<h2><a id="_miscellanous"></a>Miscellanous</h2><p/>
+<div class="sectionbody">
+<h3><a id="_mails"></a>Mails</h3><p/>
+<p><em>BroControl</em> sents four types of mails to the address given in <tt>MailTo</tt>:</p>
+<ol>
+<li>
+<p>
+When logs are rotated (per default once a day), a list of all
+   alerts during the last rotation interval is sent. This can be
+   disabled by setting <tt>MailAlarms=0</tt>.
+</p>
+</li>
+<li>
+<p>
+When the <tt>cron</tt> command noticies that a node has crashed, it
+   restarts it and sends a notification. It may also send a more
+   detailed crash report containing information about the crash.
+</p>
+</li>
+<li>
+<p>
+NOTICES with a notice action of <tt>NOTICE_EMAIL</tt>; see the Bro
+   documentation for how to configure NOTICE priorities.
+</p>
+</li>
+<li>
+<p>
+If <a href="trace_summary"><tt>trace-summary</tt></a> is installed, a
+   traffic summary is sent each rotation interval.
+</p>
+</li>
+</ol>
+<h3><a id="_performance_analysis"></a>Performance Analysis</h3><p/>
+<p><em>TODO</em>: <tt>broctl cron</tt> logs a number of statistics, which can be
+analyzed/plotted for understanding the cluster's run-time behaviour.</p>
+</div>
+<h2><a id="_questions_and_answers"></a>Questions and Answers</h2><p/>
+<div class="sectionbody">
+<ol>
+<li>
+<p><em>
+Can I use an NFS-mounted partition as the cluster's base directory to avoid the <tt>rsync</tt>'ing?
+</em></p>
+<p>
+    Yes. <a href="#opt_BroBase"><tt>BroBase</tt></a> can be on an NFS partition.
+    Configure and install the shell as usual with
+    <tt>&#8212;prefix=&lt;BroBase&gt;</tt>. Then add <a href="#opt_HaveNFS">HaveNFS</a>=1+ and
+    <tt>SpoolDir=&lt;spath&gt;</tt> to <tt>etc/broctl.cfg</tt>, where <tt>&lt;spath&gt;</tt> is a
+    path on the local disks of the nodes; <tt>&lt;spath&gt;</tt> will be used for
+    all non-shared data (make sure that the parent directory exists
+    and is writable on all nodes!). Then run <a href="#cmd_install"><tt>make
+    install-broctl</tt></a> again. Finally, you can remove
+    <tt>&lt;BroBase&gt;/spool</tt> (or link it to &lt;spath&gt;). In addition, you
+    might want to keep the log files locally on the nodes as well by
+    setting <a href="#opt_LogDir"><tt>LogDir</tt></a>+ to a non-NFS directory. (Only
+    the manager's logs will be kept permanently, the logs of
+    workers/proxies are discarded upon rotation.)
+</p>
+</li>
+<li>
+<p><em>
+When I'm using the <a href="#Standalone">standalone mode</a>, do I still need to have <tt>ssh</tt> and <tt>rsync</tt> installed and configured?
+</em></p>
+<p>
+    No. The standalone performs all operations directly on the local
+    file system.
+</p>
+</li>
+<li>
+<p><em>
+What do I need to do when the something in the Bro distribution changes?
+</em></p>
+<p>
+    Just re-run <tt>make broctl-install</tt>. It will reinstall
+    all the files from the distribution, except for any of the
+    template files, as they might have been edited.
+</p>
+<p>In addition, <em>BroControl</em> has a "development mode", which makes
+installation easier if distribution files change frequently
+(e.g., becayse you're working from SVN). Development mode
+activated by adding <tt>DevMode=1</tt> to <tt>etc/broctl.cfg</tt>. Once done,
+<em>BroControl</em>'s <tt>install</tt> command will also install all the files
+from the distribution, just as <tt>make broctl-install</tt> does. Note
+that you obviously need to keep the distribution around to have
+this work.</p>
+<p>Note for folks who have used the old "cluster shell": the
+development mode corresponds to the old default behaviour, which
+worked with any <tt>make install-broctl</tt>.</p>
+</li>
+<li>
+<p><em>
+After a Bro crash, the timestamps of the archived log files sometimes seem to be wrong?
+</em></p>
+<p>
+   When Bro crashes, broctl archives the log files produced so far
+   at the normal location. However, for some files it can't (easily)
+   determine the right timestamps to put into the filename. This
+   affects in particular those log files that are not rotated on
+   regular basis (e.g., <tt>stdout.log</tt>, <tt>prof.log</tt>); their filenames
+   will indicate as their start time the point when all the other
+   files were <em>rotated</em> most recently. In addition, for all log
+   files, after a crash the start/end times indicated by the file
+   names might be off a few seconds.
+</p>
+</li>
+<li>
+<p><em>
+<a id="devversion"></a>Anything special to consider when using development versions?
+</em></p>
+<p>
+   If you are using a <em>development version</em>, <em>BroControl</em> might
+   require patching Bro itself to work correctly. A "development
+   version" is defined as anything you have downloaded from Bro's
+   Subversion repository (as opposed to downloading a release
+   tar-ball). If so, see if there's a file called
+   <tt>aux/broctl/patch-bro.diff</tt>. If there is, apply it as follows
+   before you proceed with any of the steps below:
+</p>
+<div class="literalblock">
+<div class="content">
+<pre><tt>&gt; cd /path/to/bro/source/distribution
+&gt; patch -p0 &lt;aux/broctl/patch-bro.diff
+&gt; ./autogen.sh</tt></pre>
+</div></div>
+</li>
+</ol>
+</div>
+<div id="footer">
+<div id="footer-text">
+Last modified at 2009-12-03 12:58:36 PDT - Robin Sommer
+</div>
+</div>
+</body>
+</html>
diff --git a/aux/broctl/README.options b/aux/broctl/README.options
new file mode 100644
index 0000000000..7b0baf233e
--- /dev/null
+++ b/aux/broctl/README.options
@@ -0,0 +1,150 @@
+// Automatically generated. Do not edit.
+
+User Options
+~~~~~~~~~~~~
+[[opt_AuxPostProcessors]] *AuxPostProcessors* (string, default _empty_)::
+Additional log postprocessors, with paths separated by spaces.
+[[opt_AuxScriptsManager]] *AuxScriptsManager* (string, default _empty_)::
+Additional Bro scripts loaded on the manager, separated by spaces.
+[[opt_AuxScriptsStandalone]] *AuxScriptsStandalone* (string, default _empty_)::
+Additional Bro scripts loaded on a standalone Brothe manage, separated by spaces.
+[[opt_AuxScriptsWorker]] *AuxScriptsWorker* (string, default _empty_)::
+Additional Bro scripts loaded on the workers, separated by spaces.
+[[opt_BroArgs]] *BroArgs* (string, default _empty_)::
+Additional arguments to pass to Bro on the command-line.
+[[opt_CFlowAddr]] *CFlowAddr* (string, default _empty_)::
+If a cFlow load-balander is used, the address of the device (format: <ip>:<port>).
+[[opt_CFlowPassword]] *CFlowPassword* (string, default _empty_)::
+If a cFlow load-balander is used, the password for accessing its configuration interface.
+[[opt_CFlowUser]] *CFlowUser* (string, default _empty_)::
+If a cFlow load-balander is used, the user name for accessing its configuration interface.
+[[opt_CronCmd]] *CronCmd* (string, default _empty_)::
+A custom command to run everytime the cron command has finished.
+[[opt_CustomInstallBin]] *CustomInstallBin* (string, default _empty_)::
+Additional executables to be installed into $\{BinDir}, including full path and separated by spaces.
+[[opt_Debug]] *Debug* (bool, default 0)::
+Enable extensive debugging output in spool/debug.log.
+[[opt_DevMode]] *DevMode* (bool, default 0)::
+Enable development mode, which changes how things are installed by the _install_ command.
+[[opt_HaveNFS]] *HaveNFS* (bool, default 0)::
+True if shared files are mounted across all nodes via NFS (see FAQ).
+[[opt_LogDir]] *LogDir* (string, default "$\{BroBase}/logs")::
+Directory for archived log files.
+[[opt_LogExpireInterval]] *LogExpireInterval* (int, default 30)::
+Number of days log files are kept.
+[[opt_MailAlarmPrefix]] *MailAlarmPrefix* (string, default "ALERT:")::
+Subject prefix for individual alerts triggered by NOTICE_EMAIL.
+[[opt_MailAlarms]] *MailAlarms* (bool, default 1)::
+True if Bro should send mails for NOTICE_EMAIL alerts.
+[[opt_MailAlarmsTo]] *MailAlarmsTo* (string, default "$\{MailTo}")::
+Destination address for broctl-generated alarm mails.
+[[opt_MailFrom]] *MailFrom* (string, default "Big Brother <bro@localhost>")::
+Originator address for broctl-generated mails.
+[[opt_MailReplyTo]] *MailReplyTo* (string, default _empty_)::
+Reply-to address for broctl-generated mails.
+[[opt_MailSubjectPrefix]] *MailSubjectPrefix* (string, default "[Bro]")::
+General Subject prefix for broctl-generated mails.
+[[opt_MailTo]] *MailTo* (string, default "<user>")::
+Destination address for broctl-generated non-alarm mails. Default is to use the same address as +MailTo+.
+[[opt_MemLimit]] *MemLimit* (string, default "unlimited")::
+Maximum amount of memory for Bro processes to use (in KB, or the string 'unlimited').
+[[opt_MinDiskSpace]] *MinDiskSpace* (int, default 5)::
+Percentage of minimum disk space available before warning is mailed.
+[[opt_Prefixes]] *Prefixes* (string, default "local")::
+Additional script prefixes for Bro, separated by colons. Use this instead of @prefix.
+[[opt_SaveTraces]] *SaveTraces* (bool, default 0)::
+True to let backends capture short-term traces via '-w'. These are not archived but might be helpful for debugging.
+[[opt_SendMail]] *SendMail* (bool, default 1)::
+True if shell may send mails.
+[[opt_SitePolicyManager]] *SitePolicyManager* (string, default "local-manager.bro")::
+Local policy file for manager.
+[[opt_SitePolicyPath]] *SitePolicyPath* (string, default "$\{PolicyDir}/site")::
+Directories to search for local policy files, separated by colons.
+[[opt_SitePolicyStandalone]] *SitePolicyStandalone* (string, default "local.bro")::
+Local policy file for standalone Bro.
+[[opt_SitePolicyWorker]] *SitePolicyWorker* (string, default "local-worker.bro")::
+Local policy file for workers.
+[[opt_TimeFmt]] *TimeFmt* (string, default "%d %b %H:%M:%S")::
+Format string to print data/time specifications (see 'man strftime').
+[[opt_TimeMachineHost]] *TimeMachineHost* (string, default _empty_)::
+If the manager should connect to a Time Machine, the address of the host it is running on.
+[[opt_TimeMachinePort]] *TimeMachinePort* (string, default "47757/tcp")::
+If the manager should connect to a Time Machine, the port it is running on (in Bro syntax, e.g., +47757/tcp+.
+
+Internal Options
+~~~~~~~~~~~~~~~~
+
+[[opt_AnalysisCfg]] *AnalysisCfg* (string, default "$\{CfgDir}/analysis.dat")::
+Configuration file defining types of analysis which can be toggled on-the-fly.
+[[opt_BinDir]] *BinDir* (string, default "$\{BroBase}/bin")::
+Directory for executable files.
+[[opt_BroBase]] *BroBase* (string, default _empty_)::
+Base path of broctl installation on all nodes.
+[[opt_Capstats]] *Capstats* (string, default "$\{bindir}/capstats")::
+Path to capstats binary; empty if not available.
+[[opt_CfgDir]] *CfgDir* (string, default "$\{BroBase}/etc")::
+Directory for configuration files.
+[[opt_DebugLog]] *DebugLog* (string, default "$\{SpoolDir}/debug.log")::
+Log file for debugging information.
+[[opt_DistDir]] *DistDir* (string, default _empty_)::
+Path to Bro distribution directory.
+[[opt_HaveBroccoli]] *HaveBroccoli* (bool)::
+True if Broccoli interface is available.
+[[opt_HelperDir]] *HelperDir* (string, default "$\{BroBase}/share/broctl/scripts/helpers")::
+Directory for broctl helper scripts.
+[[opt_LibDir]] *LibDir* (string, default "$\{BroBase}/lib")::
+Directory for library files.
+[[opt_LibDirInternal]] *LibDirInternal* (string, default "$\{BroBase}/lib/broctl")::
+Directory for broctl-specific library files.
+[[opt_LocalNetsCfg]] *LocalNetsCfg* (string, default "$\{CfgDir}/networks.cfg")::
+File definining the local networks.
+[[opt_LockFile]] *LockFile* (string, default "$\{SpoolDir}/lock")::
+Lock file preventing concurrent shell operations.
+[[opt_NodeCfg]] *NodeCfg* (string, default "$\{CfgDir}/node.cfg")::
+Node configuration file.
+[[opt_OS]] *OS* (string, default _empty_)::
+Name of operation systems as reported by uname.
+[[opt_PolicyDir]] *PolicyDir* (string, default "$\{BroBase}/share/bro")::
+Directory for standard policy files.
+[[opt_PolicyDirBroCtl]] *PolicyDirBroCtl* (string, default "$\{PolicyDir}/broctl")::
+Directory where the shell copies the additional broctl policy scripts when installing.
+[[opt_PolicyDirSiteInstall]] *PolicyDirSiteInstall* (string, default "$\{PolicyDir}/.site")::
+Directory where the shell copies local policy scripts when installing.
+[[opt_PolicyDirSiteInstallAuto]] *PolicyDirSiteInstallAuto* (string, default "$\{PolicyDir}/.site/auto")::
+Directory where the shell copies auto-generated local policy scripts when installing.
+[[opt_PostProcDir]] *PostProcDir* (string, default "$\{BroBase}/share/broctl/scripts/postprocessors")::
+Directory for log postprocessors.
+[[opt_Scripts-Manager]] *Scripts-Manager* (string, default "cluster-manager")::
+Bro scripts loaded on the manager, separated by spaces.
+[[opt_Scripts-Proxy]] *Scripts-Proxy* (string, default "cluster-proxy")::
+Bro scripts loaded on the proxies, separated by spaces.
+[[opt_Scripts-Standalone]] *Scripts-Standalone* (string, default "standalone")::
+Bro scripts loaded on a standalone Bro, separated by spaces.
+[[opt_Scripts-Worker]] *Scripts-Worker* (string, default "cluster-worker")::
+Bro scripts loaded on the workers, separated by spaces.
+[[opt_ScriptsDir]] *ScriptsDir* (string, default "$\{BroBase}/share/broctl/scripts")::
+Directory for executable scripts shipping as part of broctl.
+[[opt_SpoolDir]] *SpoolDir* (string, default "$\{BroBase}/spool")::
+Directory for run-time data.
+[[opt_StandAlone]] *StandAlone* (bool, default 0)::
+True if running in stand-alone mode (see elsewhere).
+[[opt_StateFile]] *StateFile* (string, default "$\{SpoolDir}/broctl.dat")::
+File storing the current broctl state.
+[[opt_StaticDir]] *StaticDir* (string, default "$\{BroBase}/share/broctl")::
+Directory for static, arch-independent files.
+[[opt_StatsDir]] *StatsDir* (string, default "$\{LogDir}/stats")::
+Directory where statistics are kepts.
+[[opt_StatsLog]] *StatsLog* (string, default "$\{SpoolDir}/stats.log")::
+Log file for statistics.
+[[opt_TemplateDir]] *TemplateDir* (string, default "$\{BroBase}/share/broctl/templates")::
+Directory where the *.in templates are copied into.
+[[opt_Time]] *Time* (string, default _empty_)::
+Path to time binary.
+[[opt_TmpDir]] *TmpDir* (string, default "$\{SpoolDir}/tmp")::
+Directory for temporary data.
+[[opt_TmpExecDir]] *TmpExecDir* (string, default "$\{SpoolDir}/tmp")::
+Directory where binaries are copied before execution.
+[[opt_TraceSummary]] *TraceSummary* (string, default "$\{bindir}/trace-summary")::
+Path to trace-summary script; empty if not available.
+[[opt_Version]] *Version* (string, default _empty_)::
+Version of the broctl.
diff --git a/aux/broctl/TODO b/aux/broctl/TODO
new file mode 100644
index 0000000000..982bbdf5ee
--- /dev/null
+++ b/aux/broctl/TODO
@@ -0,0 +1,21 @@
+# $Id: TODO 6813 2009-07-07 18:54:12Z robin $
+
+Shell
+
+   - Unify argument handling for shell's commmands
+
+Bro config
+
+   - Make sessions IDs shorter
+
+Known bugs:
+
+   - We sometimes don't get the return events for
+   Broccoli-communication. Not sure where the problem is.
+
+   - Proxy reports wrong number of peer with "status" if multiple
+   worker sare running on the same box.
+
+   - bin/helpers/* should be more robust against unexpected output. 
+
+
diff --git a/aux/broctl/VERSION b/aux/broctl/VERSION
new file mode 100644
index 0000000000..be58634173
--- /dev/null
+++ b/aux/broctl/VERSION
@@ -0,0 +1 @@
+0.3
diff --git a/aux/broctl/aux/capstats/AUTHORS b/aux/broctl/aux/capstats/AUTHORS
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/aux/broctl/aux/capstats/COPYING b/aux/broctl/aux/capstats/COPYING
new file mode 100644
index 0000000000..03a48c452f
--- /dev/null
+++ b/aux/broctl/aux/capstats/COPYING
@@ -0,0 +1,35 @@
+
+Copyright (c) 2007-2009, Robin Sommer
+
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions
+are met:
+
+    * Redistributions of source code must retain the above copyright
+      notice, this list of conditions and the following disclaimer.
+      
+    * Redistributions in binary form must reproduce the above
+      copyright notice, this list of conditions and the following
+      disclaimer in the documentation and/or other materials provided
+      with the distribution.
+      
+    * Neither the name of the International Computer Science
+      Institute nor the names of its contributors may be used to
+      endorse or promote products derived from this software without
+      specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGE.
+
diff --git a/aux/broctl/aux/capstats/ChangeLog b/aux/broctl/aux/capstats/ChangeLog
new file mode 100644
index 0000000000..a195537d86
--- /dev/null
+++ b/aux/broctl/aux/capstats/ChangeLog
@@ -0,0 +1 @@
+See README.
diff --git a/aux/broctl/aux/capstats/INSTALL b/aux/broctl/aux/capstats/INSTALL
new file mode 100644
index 0000000000..b42a17ac46
--- /dev/null
+++ b/aux/broctl/aux/capstats/INSTALL
@@ -0,0 +1,182 @@
+Basic Installation
+==================
+
+   These are generic installation instructions.
+
+   The `configure' shell script attempts to guess correct values for
+various system-dependent variables used during compilation.  It uses
+those values to create a `Makefile' in each directory of the package.
+It may also create one or more `.h' files containing system-dependent
+definitions.  Finally, it creates a shell script `config.status' that
+you can run in the future to recreate the current configuration, a file
+`config.cache' that saves the results of its tests to speed up
+reconfiguring, and a file `config.log' containing compiler output
+(useful mainly for debugging `configure').
+
+   If you need to do unusual things to compile the package, please try
+to figure out how `configure' could check whether to do them, and mail
+diffs or instructions to the address given in the `README' so they can
+be considered for the next release.  If at some point `config.cache'
+contains results you don't want to keep, you may remove or edit it.
+
+   The file `configure.in' is used to create `configure' by a program
+called `autoconf'.  You only need `configure.in' if you want to change
+it or regenerate `configure' using a newer version of `autoconf'.
+
+The simplest way to compile this package is:
+
+  1. `cd' to the directory containing the package's source code and type
+     `./configure' to configure the package for your system.  If you're
+     using `csh' on an old version of System V, you might need to type
+     `sh ./configure' instead to prevent `csh' from trying to execute
+     `configure' itself.
+
+     Running `configure' takes awhile.  While running, it prints some
+     messages telling which features it is checking for.
+
+  2. Type `make' to compile the package.
+
+  3. Optionally, type `make check' to run any self-tests that come with
+     the package.
+
+  4. Type `make install' to install the programs and any data files and
+     documentation.
+
+  5. You can remove the program binaries and object files from the
+     source code directory by typing `make clean'.  To also remove the
+     files that `configure' created (so you can compile the package for
+     a different kind of computer), type `make distclean'.  There is
+     also a `make maintainer-clean' target, but that is intended mainly
+     for the package's developers.  If you use it, you may have to get
+     all sorts of other programs in order to regenerate files that came
+     with the distribution.
+
+Compilers and Options
+=====================
+
+   Some systems require unusual options for compilation or linking that
+the `configure' script does not know about.  You can give `configure'
+initial values for variables by setting them in the environment.  Using
+a Bourne-compatible shell, you can do that on the command line like
+this:
+     CC=c89 CFLAGS=-O2 LIBS=-lposix ./configure
+
+Or on systems that have the `env' program, you can do it like this:
+     env CPPFLAGS=-I/usr/local/include LDFLAGS=-s ./configure
+
+Compiling For Multiple Architectures
+====================================
+
+   You can compile the package for more than one kind of computer at the
+same time, by placing the object files for each architecture in their
+own directory.  To do this, you must use a version of `make' that
+supports the `VPATH' variable, such as GNU `make'.  `cd' to the
+directory where you want the object files and executables to go and run
+the `configure' script.  `configure' automatically checks for the
+source code in the directory that `configure' is in and in `..'.
+
+   If you have to use a `make' that does not supports the `VPATH'
+variable, you have to compile the package for one architecture at a time
+in the source code directory.  After you have installed the package for
+one architecture, use `make distclean' before reconfiguring for another
+architecture.
+
+Installation Names
+==================
+
+   By default, `make install' will install the package's files in
+`/usr/local/bin', `/usr/local/man', etc.  You can specify an
+installation prefix other than `/usr/local' by giving `configure' the
+option `--prefix=PATH'.
+
+   You can specify separate installation prefixes for
+architecture-specific files and architecture-independent files.  If you
+give `configure' the option `--exec-prefix=PATH', the package will use
+PATH as the prefix for installing programs and libraries.
+Documentation and other data files will still use the regular prefix.
+
+   In addition, if you use an unusual directory layout you can give
+options like `--bindir=PATH' to specify different values for particular
+kinds of files.  Run `configure --help' for a list of the directories
+you can set and what kinds of files go in them.
+
+   If the package supports it, you can cause programs to be installed
+with an extra prefix or suffix on their names by giving `configure' the
+option `--program-prefix=PREFIX' or `--program-suffix=SUFFIX'.
+
+Optional Features
+=================
+
+   Some packages pay attention to `--enable-FEATURE' options to
+`configure', where FEATURE indicates an optional part of the package.
+They may also pay attention to `--with-PACKAGE' options, where PACKAGE
+is something like `gnu-as' or `x' (for the X Window System).  The
+`README' should mention any `--enable-' and `--with-' options that the
+package recognizes.
+
+   For packages that use the X Window System, `configure' can usually
+find the X include and library files automatically, but if it doesn't,
+you can use the `configure' options `--x-includes=DIR' and
+`--x-libraries=DIR' to specify their locations.
+
+Specifying the System Type
+==========================
+
+   There may be some features `configure' can not figure out
+automatically, but needs to determine by the type of host the package
+will run on.  Usually `configure' can figure that out, but if it prints
+a message saying it can not guess the host type, give it the
+`--host=TYPE' option.  TYPE can either be a short name for the system
+type, such as `sun4', or a canonical name with three fields:
+     CPU-COMPANY-SYSTEM
+
+See the file `config.sub' for the possible values of each field.  If
+`config.sub' isn't included in this package, then this package doesn't
+need to know the host type.
+
+   If you are building compiler tools for cross-compiling, you can also
+use the `--target=TYPE' option to select the type of system they will
+produce code for and the `--build=TYPE' option to select the type of
+system on which you are compiling the package.
+
+Sharing Defaults
+================
+
+   If you want to set default values for `configure' scripts to share,
+you can create a site shell script called `config.site' that gives
+default values for variables like `CC', `cache_file', and `prefix'.
+`configure' looks for `PREFIX/share/config.site' if it exists, then
+`PREFIX/etc/config.site' if it exists.  Or, you can set the
+`CONFIG_SITE' environment variable to the location of the site script.
+A warning: not all `configure' scripts look for a site script.
+
+Operation Controls
+==================
+
+   `configure' recognizes the following options to control how it
+operates.
+
+`--cache-file=FILE'
+     Use and save the results of the tests in FILE instead of
+     `./config.cache'.  Set FILE to `/dev/null' to disable caching, for
+     debugging `configure'.
+
+`--help'
+     Print a summary of the options to `configure', and exit.
+
+`--quiet'
+`--silent'
+`-q'
+     Do not print messages saying which checks are being made.  To
+     suppress all normal output, redirect it to `/dev/null' (any error
+     messages will still be shown).
+
+`--srcdir=DIR'
+     Look for the package's source code in directory DIR.  Usually
+     `configure' can determine that directory automatically.
+
+`--version'
+     Print the version of Autoconf used to generate the `configure'
+     script, and exit.
+
+`configure' also accepts some other, not widely useful, options.
diff --git a/aux/broctl/aux/capstats/Makefile.am b/aux/broctl/aux/capstats/Makefile.am
new file mode 100644
index 0000000000..68359269fa
--- /dev/null
+++ b/aux/broctl/aux/capstats/Makefile.am
@@ -0,0 +1,17 @@
+
+EXTRA_DIST = autogen.sh VERSION README.html
+
+bin_PROGRAMS = capstats
+
+capstats_SOURCES = capstats.cc version.cc
+capstats_INCLUDES = -I/usr/local
+capstats_LDFLAGS = -L/usr/local
+capstats_LDADD = -lpcap 
+
+version.cc: VERSION
+	@rm -f $@
+	sed -e 's/.*/char Version[] = "&";/' VERSION > $@
+                        
+doc: 
+	-asciidoc --unsafe -a toc -b xhtml11-custom README
+    
diff --git a/aux/broctl/aux/capstats/NEWS b/aux/broctl/aux/capstats/NEWS
new file mode 100644
index 0000000000..a195537d86
--- /dev/null
+++ b/aux/broctl/aux/capstats/NEWS
@@ -0,0 +1 @@
+See README.
diff --git a/aux/broctl/aux/capstats/README b/aux/broctl/aux/capstats/README
new file mode 100644
index 0000000000..13857bd46a
--- /dev/null
+++ b/aux/broctl/aux/capstats/README
@@ -0,0 +1,69 @@
+//	-*- AsciiDoc -*-
+capstats - A quick hack to get some NIC statistics.
+===================================================
+
+Overview
+--------
+
++capstats+ is a quick hack to get some statistics about the current
+load on a network interface, using either
+http://www.tcpdump.org[libpcap] or the native interface for
+http:///www.endace.com[Endace's] DAG cards. It reports statistics
+per time interval and/or for the tool's total run-time.
+
+Here's an example output with output in one-second intervals until +CTRL-C+ is hit:
+
+    >capstats -i nve0 -I 1
+    1186620936.890567 pkts=12747 kpps=12.6 kbytes=10807 mbps=87.5 nic_pkts=12822 nic_drops=0 u=960 t=11705 i=58 o=24 nonip=0
+    1186620937.901490 pkts=13558 kpps=13.4 kbytes=11329 mbps=91.8 nic_pkts=13613 nic_drops=0 u=1795 t=24339 i=119 o=52 nonip=0
+    1186620938.912399 pkts=14771 kpps=14.6 kbytes=13659 mbps=110.7 nic_pkts=14781 nic_drops=0 u=2626 t=38154 i=185 o=111 nonip=0
+    1186620939.012446 pkts=1332 kpps=13.3 kbytes=1129 mbps=92.6 nic_pkts=1367 nic_drops=0 u=2715 t=39387 i=194 o=112 nonip=0
+    === Total 
+    1186620939.012483 pkts=42408 kpps=13.5 kbytes=36925 mbps=96.5 nic_pkts=1 nic_drops=0 u=2715 t=39387 i=194 o=112 nonip=0
+
+Each line starts with a timestamp and the other fields are:
+    
+    pkts:: Absolute number of packets seen by +capstats+ during interval.
+    kpps:: Number of packets per second.
+    kbytes:: Absolute number of KBytes during interval.
+    mbps:: Mbits/sec.
+    nic_pkts:: Number of packets as reported by +libpcap+'s +pcap_stats()+ (may not match _pkts_)
+    nic_drops:: Number of packet drops as reported by +libpcap+'s +pcap_stats()+.
+    u:: Number of UDP packets.
+    t:: Number of TCP packets.
+    i:: Number of ICMP packets.
+    nonip:: Number of non-IP packets.
+    
+A list of all options:
+
+    capstats [Options] -i interface
+    
+       -i| --interface <interface>    Listen on interface
+       -d| --dag                      Use native DAG API
+       -f| --filter <filter>          BPF filter
+       -I| --interval <secs>          Stats logging interval
+       -l| --syslog                   Use syslog rather than print to stderr
+       -n| --number <count>           Stop after outputting <number> intervals
+       -N| --select                   Use select() for live pcap (for testing only)
+       -S| --size <size>              Verify packets to have given <size>
+       -s| --snaplen <size>           Use pcap snaplen <size>
+       -v| --version                  Print version and exit
+       -w| --write <filename>         Write packets to file
+
+Download
+--------
+
+Download http://www.icir.org/robin/capstats/capstats-0.12.tar.gz[+capstats-0.12.tar.gz+]
+
+Installation
+------------
+
+   > ./configure
+   > make install
+   
++capstats+ has been tested on Linux and FreeBSD.    
+    
+    
+
+
+
diff --git a/aux/broctl/aux/capstats/README.html b/aux/broctl/aux/capstats/README.html
new file mode 100644
index 0000000000..8b5dd758a0
--- /dev/null
+++ b/aux/broctl/aux/capstats/README.html
@@ -0,0 +1,564 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
+    "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
+<meta name="generator" content="AsciiDoc 8.2.7" />
+<style type="text/css">
+/* Debug borders */
+p, li, dt, dd, div, pre, h1, h2, h3, h4, h5, h6 {
+/*
+  border: 1px solid red;
+
+  margin: 1.8em 10% 1.8em 10%;
+
+*/
+}
+
+body {
+  background:#ffffff;
+  padding: 20px 10px;
+  font-size: 90%;
+  font-family: sans-serif;
+  color: #505050;
+  margin: 2em 10% 2em 10%;
+  line-height: 1.4em;
+}
+
+a {
+  color: #005000;
+}
+
+a:visited {
+  color: #005000;
+}
+
+a:hover {
+  color: #002000;
+}
+
+em {
+  font-style: italic;
+}
+
+strong {
+  font-weight: bold;
+}
+
+tt {
+  color: #000000;
+}
+
+h1, h2, h3, h4, h5, h6, div#toctitle {
+  color: #227022;
+  font-family: sans-serif;
+  margin-top: 1.2em;
+  margin-bottom: 0.5em;
+  line-height: 1.3;
+  font-weight: normal;
+}
+
+h1, h2, h3, div#toctitle {
+  border-bottom: 1px solid;
+  border-color: #000000;
+}
+
+h1 {
+  font-size: 150%;
+  }
+
+h2, div#toctitle {
+  padding-top: 0.5em;
+  font-size: 120%;
+}
+h3 {
+  float: left;
+  font-size: 100%;
+}
+h3 + * {
+  clear: left;
+}
+
+div.sectionbody {
+  font-family: sans-serif;
+  margin-left: 0;
+}
+
+hr {
+  border: 1px solid;
+}
+
+p {
+  margin-top: 0.5em;
+  margin-bottom: 0.5em;
+}
+
+pre {
+  padding: 0;
+  margin: 0;
+}
+
+span#author {
+  color: #338033;
+  font-family: sans-serif;
+  font-size: 100%;
+}
+span#email {
+}
+span#revision {
+  font-family: sans-serif;
+}
+
+div#footer {
+  font-family: sans-serif;
+  font-size: 70%;
+  border-top: 1px solid;
+  padding-top: 0.5em;
+  margin-top: 4.0em;
+}
+div#footer-text {
+  float: left;
+  padding-bottom: 0.5em;
+}
+div#footer-badges {
+  float: right;
+  padding-bottom: 0.5em;
+}
+
+div#preamble,
+div.tableblock, div.imageblock, div.exampleblock, div.verseblock,
+div.quoteblock, div.literalblock, div.listingblock, div.sidebarblock,
+div.admonitionblock {
+  margin-top: 1.1em;
+  margin-left: 1em;
+  margin-bottom: 1.1em;
+/*  background: #eeffcc; */
+}
+div.admonitionblock {
+  margin-top: 2.5em;
+  margin-bottom: 2.5em;
+}
+
+div.content { /* Block element content. */
+  padding: 0;
+}
+
+/* Block element titles. */
+div.title, caption.title {
+  font-family: sans-serif;
+  text-align: left;
+  margin-top: 1.0em;
+  margin-bottom: 0.5em;
+}
+div.title + * {
+  margin-top: 0;
+}
+
+td div.title:first-child {
+  margin-top: 0.0em;
+}
+div.content div.title:first-child {
+  margin-top: 0.0em;
+}
+div.content + div.title {
+  margin-top: 0.0em;
+}
+
+div.sidebarblock > div.content {
+  background: #ffffee;
+  border: 1px solid;
+  padding: 0.5em;
+}
+
+div.listingblock {
+  margin-right: 0%;
+}
+div.listingblock > div.content {
+  border: 1px solid;
+  background: #f4f4f4;
+  padding: 0.5em;
+}
+
+div.quoteblock > div.content {
+  padding-left: 2.0em;
+}
+
+div.attribution {
+  text-align: right;
+}
+
+div.verseblock + div.attribution {
+  text-align: left;
+}
+
+div.admonitionblock .icon {
+  vertical-align: top;
+  font-size: 100%;
+  color: #338033;
+  padding-right: 0.5em;
+}
+div.admonitionblock td.content {
+  padding-left: 0.5em;
+  border-left: 2px solid;
+}
+
+div.exampleblock > div.content {
+  border-left: 2px solid;
+  padding: 0.5em;
+}
+
+div.verseblock div.content {
+  white-space: pre;
+}
+
+div.imageblock div.content { padding-left: 0; }
+div.imageblock img { border: 1px solid ; }
+span.image img { border-style: none; }
+
+dl {
+  margin-top: 0.8em;
+  margin-bottom: 0.8em;
+}
+dt {
+  margin-top: 0.5em;
+  margin-bottom: 0;
+  font-style: italic;
+}
+dd > *:first-child {
+  margin-top: 0;
+}
+
+ul, ol {
+    list-style-position: outside;
+}
+ol.olist2 {
+  list-style-type: lower-alpha;
+}
+
+div.tableblock > table {
+  border: 1px solid #527bbd;
+}
+
+div.addrblock > table {
+  border: 0px 0px 0px 0px;
+  border-style: none none none none;
+  padding: 0px;
+  margin: 10px;
+  color: #000000;
+}
+
+table.addrblockbg {
+  /*
+  border-top: 1px solid;
+  border-bottom: 1px solid;
+  */
+  background: #e0ffe0 ;
+  border-style: none;
+  outline-style: none;
+}
+
+thead {
+  font-family: sans-serif;
+  color: #000000;
+}
+tfoot {
+  font-weight: bold;
+  color: #000000;
+}
+
+div.hlist {
+  margin-top: 0.8em;
+  margin-bottom: 0.8em;
+}
+div.hlist td {
+  padding-bottom: 5px;
+}
+td.hlist1 {
+  vertical-align: top;
+  font-style: italic;
+  padding-right: 0.8em;
+}
+td.hlist2 {
+  vertical-align: top;
+}
+
+@media print {
+  div#footer-badges { display: none; }
+}
+
+div.toclevel1, div.toclevel2, div.toclevel3, div.toclevel4 {
+  margin-top: .5ex;
+  margin-bottom: 0;
+  margin-left: 2em;
+  line-height: 1.3;
+}
+div.toclevel1 {
+  margin-top: 1ex;
+}
+div.toclevel2 {
+  margin-left: 4em;
+}
+
+div.toclevel3 {
+  margin-left: 6em;
+}
+div.toclevel4 {
+  margin-left: 8em;
+}
+/* Workarounds for IE6's broken and incomplete CSS2. */
+
+div.sidebar-content {
+  background: #ffffee;
+  border: 1px solid silver;
+  padding: 0.5em;
+}
+div.sidebar-title, div.image-title {
+  font-family: sans-serif;
+  font-weight: bold;
+  margin-top: 0.0em;
+  margin-bottom: 0.5em;
+}
+
+div.listingblock div.content {
+  border: 1px solid silver;
+  background: #f4f4f4;
+  padding: 0.5em;
+}
+
+div.quoteblock-content {
+  padding-left: 2.0em;
+}
+
+div.exampleblock-content {
+  border-left: 2px solid silver;
+  padding-left: 0.5em;
+}
+
+/* IE6 sets dynamically generated links as visited. */
+div#toc a:visited { color: blue; }
+</style>
+<script type="text/javascript">
+/*<![CDATA[*/
+window.onload = function(){generateToc(2)}
+/* Author: Mihai Bazon, September 2002
+ * http://students.infoiasi.ro/~mishoo
+ *
+ * Table Of Content generator
+ * Version: 0.4
+ *
+ * Feel free to use this script under the terms of the GNU General Public
+ * License, as long as you do not remove or alter this notice.
+ */
+
+ /* modified by Troy D. Hanson, September 2006. License: GPL */
+ /* modified by Stuart Rackham, October 2006. License: GPL */
+
+function getText(el) {
+  var text = "";
+  for (var i = el.firstChild; i != null; i = i.nextSibling) {
+    if (i.nodeType == 3 /* Node.TEXT_NODE */) // IE doesn't speak constants.
+      text += i.data;
+    else if (i.firstChild != null)
+      text += getText(i);
+  }
+  return text;
+}
+
+function TocEntry(el, text, toclevel) {
+  this.element = el;
+  this.text = text;
+  this.toclevel = toclevel;
+}
+
+function tocEntries(el, toclevels) {
+  var result = new Array;
+  var re = new RegExp('[hH]([2-'+(toclevels+1)+'])');
+  // Function that scans the DOM tree for header elements (the DOM2
+  // nodeIterator API would be a better technique but not supported by all
+  // browsers).
+  var iterate = function (el) {
+    for (var i = el.firstChild; i != null; i = i.nextSibling) {
+      if (i.nodeType == 1 /* Node.ELEMENT_NODE */) {
+        var mo = re.exec(i.tagName)
+        if (mo)
+          result[result.length] = new TocEntry(i, getText(i), mo[1]-1);
+        iterate(i);
+      }
+    }
+  }
+  iterate(el);
+  return result;
+}
+
+// This function does the work. toclevels = 1..4.
+function generateToc(toclevels) {
+  var toc = document.getElementById("toc");
+  var entries = tocEntries(document.getElementsByTagName("body")[0], toclevels);
+  for (var i = 0; i < entries.length; ++i) {
+    var entry = entries[i];
+    if (entry.element.id == "")
+      entry.element.id = "toc" + i;
+    var a = document.createElement("a");
+    a.href = "#" + entry.element.id;
+    a.appendChild(document.createTextNode(entry.text));
+    var div = document.createElement("div");
+    div.appendChild(a);
+    div.className = "toclevel" + entry.toclevel;
+    toc.appendChild(div);
+  }
+  if (entries.length == 0)
+    document.getElementById("header").removeChild(toc);
+}
+/*]]>*/
+</script>
+<title>capstats - A quick hack to get some NIC statistics.</title>
+</head>
+<body>
+<div id="header">
+<h1>capstats - A quick hack to get some NIC statistics.</h1>
+<div id="toc">
+  <div id="toctitle">Table of Contents</div>
+  <noscript><p><b>JavaScript must be enabled in your browser to display the table of contents.</b></p></noscript>
+</div>
+</div>
+<h2><a id="_overview"></a>Overview</h2><p/>
+<div class="sectionbody">
+<p><tt>capstats</tt> is a quick hack to get some statistics about the current
+load on a network interface, using either
+<a href="http://www.tcpdump.org">libpcap</a> or the native interface for
+<a href="http:///www.endace.com">Endace's</a> DAG cards. It reports statistics
+per time interval and/or for the tool's total run-time.</p>
+<p>Here's an example output with output in one-second intervals until <tt>CTRL-C</tt> is hit:</p>
+<div class="literalblock">
+<div class="content">
+<pre><tt>&gt;capstats -i nve0 -I 1
+1186620936.890567 pkts=12747 kpps=12.6 kbytes=10807 mbps=87.5 nic_pkts=12822 nic_drops=0 u=960 t=11705 i=58 o=24 nonip=0
+1186620937.901490 pkts=13558 kpps=13.4 kbytes=11329 mbps=91.8 nic_pkts=13613 nic_drops=0 u=1795 t=24339 i=119 o=52 nonip=0
+1186620938.912399 pkts=14771 kpps=14.6 kbytes=13659 mbps=110.7 nic_pkts=14781 nic_drops=0 u=2626 t=38154 i=185 o=111 nonip=0
+1186620939.012446 pkts=1332 kpps=13.3 kbytes=1129 mbps=92.6 nic_pkts=1367 nic_drops=0 u=2715 t=39387 i=194 o=112 nonip=0
+=== Total
+1186620939.012483 pkts=42408 kpps=13.5 kbytes=36925 mbps=96.5 nic_pkts=1 nic_drops=0 u=2715 t=39387 i=194 o=112 nonip=0</tt></pre>
+</div></div>
+<p>Each line starts with a timestamp and the other fields are:</p>
+<div class="hlist"><table>
+<tr>
+<td class="hlist1">
+pkts
+</td>
+<td class="hlist2">
+Absolute number of packets seen by <tt>capstats</tt> during interval.
+</td>
+</tr>
+<tr>
+<td class="hlist1">
+kpps
+</td>
+<td class="hlist2">
+Number of packets per second.
+</td>
+</tr>
+<tr>
+<td class="hlist1">
+kbytes
+</td>
+<td class="hlist2">
+Absolute number of KBytes during interval.
+</td>
+</tr>
+<tr>
+<td class="hlist1">
+mbps
+</td>
+<td class="hlist2">
+Mbits/sec.
+</td>
+</tr>
+<tr>
+<td class="hlist1">
+nic_pkts
+</td>
+<td class="hlist2">
+Number of packets as reported by <tt>libpcap</tt>'s <tt>pcap_stats()</tt> (may not match <em>pkts</em>)
+</td>
+</tr>
+<tr>
+<td class="hlist1">
+nic_drops
+</td>
+<td class="hlist2">
+Number of packet drops as reported by <tt>libpcap</tt>'s <tt>pcap_stats()</tt>.
+</td>
+</tr>
+<tr>
+<td class="hlist1">
+u
+</td>
+<td class="hlist2">
+Number of UDP packets.
+</td>
+</tr>
+<tr>
+<td class="hlist1">
+t
+</td>
+<td class="hlist2">
+Number of TCP packets.
+</td>
+</tr>
+<tr>
+<td class="hlist1">
+i
+</td>
+<td class="hlist2">
+Number of ICMP packets.
+</td>
+</tr>
+<tr>
+<td class="hlist1">
+nonip
+</td>
+<td class="hlist2">
+Number of non-IP packets.
+</td>
+</tr>
+</table></div>
+<p>A list of all options:</p>
+<div class="literalblock">
+<div class="content">
+<pre><tt>capstats [Options] -i interface</tt></pre>
+</div></div>
+<div class="literalblock">
+<div class="content">
+<pre><tt>-i| --interface &lt;interface&gt;    Listen on interface
+-d| --dag                      Use native DAG API
+-f| --filter &lt;filter&gt;          BPF filter
+-I| --interval &lt;secs&gt;          Stats logging interval
+-l| --syslog                   Use syslog rather than print to stderr
+-n| --number &lt;count&gt;           Stop after outputting &lt;number&gt; intervals
+-N| --select                   Use select() for live pcap (for testing only)
+-S| --size &lt;size&gt;              Verify packets to have given &lt;size&gt;
+-s| --snaplen &lt;size&gt;           Use pcap snaplen &lt;size&gt;
+-v| --version                  Print version and exit
+-w| --write &lt;filename&gt;         Write packets to file</tt></pre>
+</div></div>
+</div>
+<h2><a id="_download"></a>Download</h2><p/>
+<div class="sectionbody">
+<p>Download <a href="http://www.icir.org/robin/capstats/capstats-0.12.tar.gz"><tt>capstats-0.12.tar.gz</tt></a></p>
+</div>
+<h2><a id="_installation"></a>Installation</h2><p/>
+<div class="sectionbody">
+<div class="literalblock">
+<div class="content">
+<pre><tt>&gt; ./configure
+&gt; make install</tt></pre>
+</div></div>
+<p><tt>capstats</tt> has been tested on Linux and FreeBSD.</p>
+</div>
+<div id="footer">
+<div id="footer-text">
+<a href="http://www.icir.org/robin">Back to Homepage</a><br />
+</div>
+</div>
+</body>
+</html>
diff --git a/aux/broctl/aux/capstats/VERSION b/aux/broctl/aux/capstats/VERSION
new file mode 100644
index 0000000000..fe5c3f69a3
--- /dev/null
+++ b/aux/broctl/aux/capstats/VERSION
@@ -0,0 +1 @@
+0.12pre
diff --git a/aux/broctl/aux/capstats/autogen.sh b/aux/broctl/aux/capstats/autogen.sh
new file mode 100755
index 0000000000..29891b7e38
--- /dev/null
+++ b/aux/broctl/aux/capstats/autogen.sh
@@ -0,0 +1,9 @@
+touch NEWS README AUTHORS ChangeLog
+
+rm -rf autom4te.cache aclocal.m4
+
+aclocal
+autoheader
+autoconf 
+automake -a
+
diff --git a/aux/broctl/aux/capstats/capstats.cc b/aux/broctl/aux/capstats/capstats.cc
new file mode 100644
index 0000000000..b38bf9a3f7
--- /dev/null
+++ b/aux/broctl/aux/capstats/capstats.cc
@@ -0,0 +1,610 @@
+// $Id: capstats.cc 6813 2009-07-07 18:54:12Z robin $
+// 
+// Counts captured packets. 
+// 
+// Robin Sommer <robin@icir.org>
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <stdarg.h>
+#include <getopt.h>
+#include <string.h>
+#include <pcap.h>
+#include <errno.h>
+#include <net/ethernet.h>
+#include <netinet/in.h>
+#include <netinet/in_systm.h>
+#include <netinet/ip.h>
+#include <signal.h>
+#include <unistd.h>
+#include <time.h>
+#include <iostream>
+#include <syslog.h>
+
+#include "config.h"
+
+extern char Version[];
+
+#ifdef USE_DAG
+# include <dagapi.h>
+// Length of ERF Header before Ethernet header.
+# define DAG_ETH_ERFLEN 18
+# define EXTRA_WINDOW_SIZE (4 * 1024 * 1024)
+#endif 
+
+bool CheckPayload = false;
+bool WritePackets = false;
+bool CheckSize = false;
+bool UseDag = false;
+bool UseSyslog = false;
+const char *Filter;
+const char *Interface = 0;
+const char *OutputFile = 0;
+int Interval = 0;
+int Payload = 0;
+int SnapLen = 8192;
+int NumberInts = 0;
+int UseSelect = false;
+unsigned int Size = 0;
+pcap_dumper_t *Dumper;
+
+bool GotBreak = false;
+bool GotAlarm = false;
+
+double current_time();
+
+struct Stats {
+    unsigned long packets;
+    unsigned long bytes;
+    unsigned long size_mismatches;
+    unsigned long payload_mismatches;
+    unsigned long dag_drops;
+    unsigned long dag_all;
+    unsigned long proto[256];
+    unsigned long non_ip;
+    double start;
+
+    Stats() { clear(); }
+
+    void clear() {
+        memset(proto, sizeof(proto), 0);
+        packets = bytes = size_mismatches = payload_mismatches = non_ip = 0;
+        dag_drops = dag_all = 0;
+        start = current_time();
+    }
+};
+
+Stats Total;
+Stats Current;
+
+unsigned long HdrSize = 14; // Ethernet
+
+pcap_t* Pcap = 0;
+struct bpf_program* Bpf = 0;
+int Dag = -1;
+
+const char* fmt_log(const char* prefix, const char* fmt, va_list ap)
+{
+    const int SIZE = 32768;
+    static char buffer[SIZE];
+    int n = 0;
+
+    n += snprintf(buffer + n, SIZE - n, "%s: ", prefix);
+	n += vsnprintf(buffer + n, SIZE - n, fmt, ap);
+
+    strcat(buffer + n, "\n");
+
+    return buffer;
+}
+
+void logMsg(const char* msg)
+{
+    if (UseSyslog) 
+        syslog(LOG_NOTICE, "%s", msg);
+    else 
+        fprintf(stderr, "%.6f %s\n", current_time(), msg);
+}
+
+void error(const char* fmt, ...)
+{
+    va_list ap;
+    va_start(ap, fmt);
+    const char* msg = fmt_log("error", fmt, ap);
+    va_end(ap);
+    fputs(msg, stdout);
+    exit(1);
+}
+
+double current_time()
+{
+    struct timeval tv;
+    if ( gettimeofday(&tv, 0) < 0 )
+        error("gettimeofday failed in current_time()");
+
+    return double(tv.tv_sec) + double(tv.tv_usec) / 1e6;
+}
+
+void setFilter()
+{
+    Bpf = new bpf_program;
+
+    if ( pcap_compile(Pcap, Bpf, (char*)Filter, 1, 0) < 0 )
+        error("can't compile %s: %s", Filter, pcap_geterr(Pcap));
+
+    if ( pcap_setfilter(Pcap, Bpf) < 0 ) 
+        error("can't set filter: %s", pcap_geterr(Pcap));
+}
+
+void pcapOpen()
+{
+    static char errbuf[PCAP_ERRBUF_SIZE];
+
+    Pcap = pcap_open_live((char *)Interface, SnapLen, 1, UseSelect ? 1 : 10, errbuf);
+
+    if ( ! Pcap )
+        error("%s", errbuf);
+
+#ifdef HAVE_LINUX
+    // Copied from Bro (we generally mimic how Bro is doing non-blocking i/o.)   
+    //    We use the smallest time-out possible to return almost immediately if
+    //    no packets are available. (We can't use set_nonblocking() as it's
+    //    broken on FreeBSD: even when select() indicates that we can read
+    //    something, we may get nothing if the store buffer hasn't filled up
+    //    yet.)
+	if ( pcap_setnonblock(Pcap, 1, errbuf) < 0 )
+        error("%s", errbuf);
+#endif
+
+	int dl = pcap_datalink(Pcap);
+    if ( dl != DLT_EN10MB )
+		error("unknown data link type 0x%x", dl);
+
+    if ( Filter )
+        setFilter();
+}
+
+bool pcapNext(const u_char **pkt, unsigned int *size)
+{
+    struct pcap_pkthdr* hdr;
+    const u_char* data;
+    int result;
+
+    if ( UseSelect ) {
+        int fd = pcap_fileno(Pcap);
+
+        struct timeval timeout;
+        timeout.tv_sec = 0;
+        timeout.tv_usec = 0;
+
+        fd_set fd_read;
+        FD_ZERO(&fd_read);
+        FD_SET(fd, &fd_read);
+
+        if ( select(fd + 1, &fd_read, 0, 0, &timeout) <= 0 ) {
+            // Wait a bit to allow packets to arrive for next time.
+            // This might look a bit odd (i.e., we could use a larger timeout 
+            // right away) but we try to mimic the way Bro operates.
+            struct timeval timeout;
+            timeout.tv_sec = 0;
+            timeout.tv_usec = 20;
+            select(0, 0, 0, 0, &timeout);
+            return false;
+        }
+    }
+
+    result = pcap_next_ex(Pcap, &hdr, &data);
+
+    if ( result < 0 )
+        error("no more input");
+
+    if ( result == 0 )
+        return false;
+
+    *pkt = data;
+    *size = hdr->caplen;
+
+    if ( WritePackets )
+        pcap_dump((u_char*) Dumper, hdr, data);
+
+    return true;
+}
+
+void pcapStats(unsigned int* pkts, unsigned int* drops)
+{
+    static pcap_stat stats;
+    if ( pcap_stats(Pcap, &stats) < 0 )
+        error("can't get pcap stats");
+
+#ifdef HAVE_LINUX
+	// Linux clears its counters each time.
+    if ( pkts )
+        *pkts = stats.ps_recv;
+
+    if ( drops )
+        *drops = stats.ps_drop;
+#else   
+    static pcap_stat *last_stats = 0;
+
+    if ( ! last_stats ) {
+        last_stats = new pcap_stat;
+        last_stats->ps_recv = 0;
+        last_stats->ps_drop = 0;
+    }
+
+    if ( pkts )
+        *pkts = stats.ps_recv - last_stats->ps_recv;
+
+    if ( drops )
+        *drops = stats.ps_drop - last_stats->ps_drop;
+
+    *last_stats = stats;
+#endif
+}
+
+void pcapClose()
+{
+    pcap_close(Pcap);
+}
+
+void dagOpen()
+{
+#ifdef USE_DAG
+	Dag = dag_open((char*)Interface);
+	if ( Dag < 0 )
+		error("can't open dag interface %s", Interface);
+
+	int dag_recordtype = dag_linktype(Dag);
+	if ( dag_recordtype < TYPE_MIN || dag_recordtype > TYPE_MAX )
+		error("dag_linktype");
+
+	if ( dag_recordtype != TYPE_ETH )
+		error("unsupported DAG link type 0x%x", dag_recordtype);
+
+	// long= is needed to prevent the DAG card from truncating jumbo frames.
+	const char* dag_configure_string = "slen=1500 varlen long=1500";
+
+	if ( dag_configure(Dag, (char*)dag_configure_string) < 0 )
+		error("dag_configure");
+
+	if ( dag_attach_stream(Dag, 0, 0, EXTRA_WINDOW_SIZE) < 0 )
+		error("dag_attach_stream");
+
+	if ( dag_start_stream(Dag, 0) < 0 )
+		error("dag_start_stream");
+
+    // We open a dummy pcap file to get access to pcap data structures.
+	Pcap = pcap_open_dead(DLT_EN10MB, 1500);
+	if ( ! Pcap )
+		error("pcap_open_dead");
+
+    if ( Filter )
+        setFilter();
+
+#endif    
+}
+
+bool dagNext(const u_char **pkt, unsigned int *size)
+{
+#ifdef USE_DAG
+    struct bpf_insn* fcode = 0;
+
+    if ( Filter ) {
+        fcode = Bpf->bf_insns;
+        if ( ! fcode )
+            error("filter code not valid when extracting DAG packet");
+    }
+
+    dag_record_t* r = (dag_record_t*) dag_rx_stream_next_record(Dag, 0);
+
+    if ( ! r ) {
+        if ( errno == EAGAIN )
+            // Dry.
+            return false;
+
+        error("dag_rx_stream_next_record: %s", strerror(errno));
+    }
+
+    *size = ntohs(r->rlen) - DAG_ETH_ERFLEN;
+    *pkt = (const u_char*) r->rec.eth.dst;
+    Current.dag_drops += ntohs(r->lctr);
+    Total.dag_drops += ntohs(r->lctr);
+
+    if ( fcode && ! bpf_filter(fcode, (u_char*) *pkt, *size, *size) )
+        return false;
+
+    return true;
+
+#else
+    return false;
+#endif    
+}
+
+void dagStats(unsigned int* pkts, unsigned int* drops, const Stats& s)
+{
+    *pkts = s.dag_all;
+    *drops = s.dag_drops;
+}
+
+void dagClose()
+{
+#ifdef USE_DAG
+    dag_stop_stream(Dag, 0);
+    dag_detach_stream(Dag, 0);
+    dag_close(Dag);
+#endif 
+}
+
+void reportStats(const Stats& s)
+{
+    unsigned int pkts = 0, drops = 0;
+    const int SIZE = 32768;
+    static char buffer[SIZE];
+    int n = 0;
+    int i;
+    unsigned long proto_other = 0;
+
+    if ( UseDag )
+        dagStats(&pkts, &drops, s);
+    else
+        pcapStats(&pkts, &drops);
+
+    double dt = current_time() - s.start;
+
+    double pps = s.packets / dt;
+    double mbps = s.bytes / dt * 8 / 1000 / 1000;
+
+    n += snprintf(buffer+n, SIZE-n, "pkts=%lu kpps=%.1f kbytes=%lu mbps=%.1f nic_pkts=%u nic_drops=%u",
+            s.packets, pps / 1000,
+            s.bytes / 1024, mbps,
+            pkts, drops);
+
+    for ( i=0; i<256; i++ )
+        if ( i != IPPROTO_UDP && i != IPPROTO_TCP && i != IPPROTO_ICMP )
+            proto_other += s.proto[i];
+
+    n += snprintf(buffer+n, SIZE-n, " u=%lu t=%lu i=%lu o=%lu nonip=%lu",
+                  s.proto[IPPROTO_UDP], s.proto[IPPROTO_TCP], s.proto[IPPROTO_ICMP], proto_other, s.non_ip);
+
+    if ( CheckSize )
+        n += snprintf(buffer+n, SIZE-n, " size_mism=%lu", s.size_mismatches);
+
+    if ( CheckPayload )
+        n += snprintf(buffer+n, SIZE-n, " payload_mism=%lu", s.size_mismatches);
+
+    logMsg(buffer);
+
+    Current.clear();
+}
+
+void alarmHandler(int signo)
+{
+    GotAlarm = true;
+}
+
+void scheduleAlarm()
+{
+    GotAlarm = false;
+    if ( Interval ) {
+        signal(SIGALRM, alarmHandler);
+        alarm(Interval);
+    }
+}
+
+void mainLoop()
+{
+    while ( ! GotBreak ) {        
+
+        if ( GotAlarm ) {
+            reportStats(Current);
+            scheduleAlarm();
+
+            if ( NumberInts == 1 )
+                exit(0);
+
+            if ( NumberInts )
+                NumberInts--;
+        }
+
+        bool result;
+        unsigned int size;
+        const u_char* pkt;
+        const struct ip *ip;
+        const struct ether_header *eh;
+
+        if ( UseDag )
+            result = dagNext(&pkt, &size);
+        else
+            result = pcapNext(&pkt, &size);
+
+        if ( ! result )
+            continue;
+
+        eh = (struct ether_header*)pkt;
+        if ( ntohs(eh->ether_type) == ETHERTYPE_IP ) {
+            ip = (struct ip*)(pkt + HdrSize);
+            ++Current.proto[ip->ip_p];
+            ++Total.proto[ip->ip_p];
+        }
+        else {
+            ++Current.non_ip;
+            ++Total.non_ip;
+        }
+
+        size -= HdrSize;
+        pkt += HdrSize;
+
+        ++Current.packets;
+        ++Total.packets;
+        Current.bytes += size;
+        Total.bytes += size;
+
+        if ( CheckSize )
+            if ( size != Size ) {
+                ++Current.size_mismatches;
+                ++Total.size_mismatches;
+            }
+
+        if ( CheckPayload )
+            for ( unsigned int i = 0; i < size; i++ ) {
+                if ( pkt[i] != Payload ) {
+                    ++Current.payload_mismatches;
+                    ++Total.payload_mismatches;
+                    break;
+                }
+            }
+
+    }
+}
+
+void breakHandler(int signo)
+{
+    GotBreak = true;
+}
+
+void usage()
+{
+    printf("capstats [Options] -i interface\n"
+           "\n"
+           "  -i| --interface <interface>    Listen on interface\n"
+           "  -d| --dag                      Use native DAG API\n"
+           "  -f| --filter <filter>          BPF filter\n"
+           "  -I| --interval <secs>          Stats logging interval\n"
+           "  -l| --syslog                   Use syslog rather than print to stderr\n"
+           "  -n| --number <count>           Stop after outputting <number> intervals\n"
+           "  -N| --select                   Use select() for live pcap (for testing only)\n"
+           "  -S| --size <size>              Verify packets to have given <size>\n"
+           "  -s| --snaplen <size>           Use pcap snaplen = <size>\n"
+           "  -v| --version                  Print version and exit\n"
+           "  -w| --write <filename>         Write packets to file\n"
+           "\n");
+
+    exit(1);
+}
+
+static struct option long_options[] = {
+    {"dag", no_argument, 0, 'd'},
+    {"filter", required_argument, 0, 'f'},
+    {"interface", required_argument, 0, 'i'},
+    {"interval", required_argument, 0, 'I'},
+    {"number", required_argument, 0, 'n'},
+    {"select", no_argument, 0, 'N'},
+    {"syslog", no_argument, 0, 'l'},
+    {"payload", required_argument, 0, 'p'},
+    {"size", required_argument, 0, 'S'},
+    {"snaplen", required_argument, 0, 's'},
+    {"version", no_argument, 0, 'v'},
+    {"write", required_argument, 0, 's'},
+    {0, 0, 0, 0}
+};
+
+int main(int argc, char **argv)
+{
+    while (1) {
+        char c = getopt_long (argc, argv, "df:i:I:n:Nps:lvw:S:", long_options, 0);
+
+        if ( c == -1 )
+            break;
+
+        switch ( c ) {
+          case 'd':
+            UseDag = true;
+            break;
+
+          case 'f':
+            Filter = optarg;
+            break;
+
+          case 'i':
+            Interface = optarg;
+            break;
+
+          case 'I':
+            Interval = atoi(optarg);
+            break;
+
+          case 'l':
+            UseSyslog = true;
+            break;
+
+          case 'n':
+            NumberInts = atoi(optarg);
+            break;
+
+          case 'N':
+            UseSelect = true;
+            break;
+
+          case 'p':
+            CheckPayload = true;
+            Payload = atoi(optarg);
+            break;
+
+          case 'S':
+            CheckSize = true;
+            Size = atoi(optarg);
+            break;
+
+          case 's':
+            SnapLen = atoi(optarg);
+            break;
+
+          case 'w':
+            OutputFile = optarg;
+            WritePackets = true;
+            break;
+
+          case 'v':
+            fprintf(stderr, "capstats %s\n", Version);
+            exit(0);
+            break;
+
+          default:
+            usage();
+        }
+    }
+
+    if ( optind != argc )
+        usage();
+
+    if ( ! Interface )
+        error("no interface given");
+
+    openlog("capstats", LOG_PID, LOG_NOTICE);
+    syslog(LOG_NOTICE, "starting if=%s interval=%d filter=%s", Interface, Interval, Filter);
+
+    if ( UseDag ) 
+        dagOpen();
+    else 
+        pcapOpen();
+
+    if ( WritePackets ) {
+        Dumper = pcap_dump_open(Pcap, OutputFile);
+        if (not Dumper) 
+            error("can't open pcap dump file: %s", pcap_geterr(Pcap));
+    }
+
+    signal(SIGINT, breakHandler);
+    signal(SIGTERM, breakHandler);
+    scheduleAlarm();
+
+    pcapStats(0, 0);
+    mainLoop();  
+
+    reportStats(Current);
+    logMsg("\n=== Total\n");
+    reportStats(Total);
+
+    if ( UseDag ) 
+        dagClose();
+    else 
+        pcapClose();
+
+    if ( Dumper ) 
+        pcap_dump_close(Dumper);
+
+    syslog(LOG_NOTICE, "exiting...");
+    return 0;
+    }
+
+
+
diff --git a/aux/broctl/aux/capstats/configure.ac b/aux/broctl/aux/capstats/configure.ac
new file mode 100644
index 0000000000..b87bd78ebc
--- /dev/null
+++ b/aux/broctl/aux/capstats/configure.ac
@@ -0,0 +1,78 @@
+#                                               -*- Autoconf -*-
+# Process this file with autoconf to produce a configure script.
+
+AC_PREREQ(2.59)
+AC_INIT(capstats, esyscmd([tr -d '\n' < VERSION]), robin@icir.org)
+AM_INIT_AUTOMAKE
+
+AC_CONFIG_SRCDIR([capstats.cc])
+AM_CONFIG_HEADER([config.h])
+
+# Checks for programs.
+AC_PROG_CXX
+AC_PROG_CC
+
+AC_ARG_WITH(dag,
+       [  --with-dag=PATH         path to the DAG library (for native support for Endace Tech.'s DAG monitoring cards)],
+        if test "$withval" != "no" -a "$withval" != "NO"; then
+                use_dag=yes
+                DAGPATH="$withval"
+                LDFLAGS="${LDFLAGS} -L${DAGPATH}/lib "
+                V_INCLS="${V_INCLS} -I${DAGPATH}/include"
+        else
+                use_dag=no
+        fi
+        )
+
+# Checks for libraries.
+AC_CHECK_LIB([pcap], [dag_open])
+
+# Checks for header files.
+AC_HEADER_STDC
+AC_CHECK_HEADERS([netinet/in.h stdlib.h string.h syslog.h unistd.h])
+
+# Checks for typedefs, structures, and compiler characteristics.
+AC_HEADER_STDBOOL
+AC_C_CONST
+AC_HEADER_TIME
+
+# Checks for library functions.
+AC_FUNC_ERROR_AT_LINE
+AC_TYPE_SIGNAL
+AC_CHECK_FUNCS([alarm gettimeofday memset strerror])
+
+# Check for OS.
+case "$target_os" in
+linux*)
+        AC_DEFINE(HAVE_LINUX,,[We are on a Linux system])
+        ;;
+esac
+
+dnl ################################################
+dnl # Endace DAG support
+dnl ################################################
+
+if test "$use_dag" != "no" -a "$use_dag" != "NO"; then
+        AC_CHECK_LIB(dag, dag_open, use_dag=yes, use_dag=no)
+        AC_CHECK_HEADER(pcap.h,,use_dag=no)
+
+        if test "$use_dag" = "yes"; then
+                  AC_DEFINE(USE_DAG,,[Include Endace DAG support])
+                  LIBS="${LIBS} -ldag"
+        fi
+else
+        use_dag=no
+fi
+dnl #################################################
+
+AC_CONFIG_FILES([Makefile])
+AC_OUTPUT
+
+echo  
+echo "           Capstats Configuration Summary"
+echo "=========================================================="
+echo
+echo Configuration Summary:
+echo "  - DAG support: "$use_dag
+echo
+
diff --git a/aux/broctl/aux/pysubnettree/LICENSE b/aux/broctl/aux/pysubnettree/LICENSE
new file mode 100644
index 0000000000..03a48c452f
--- /dev/null
+++ b/aux/broctl/aux/pysubnettree/LICENSE
@@ -0,0 +1,35 @@
+
+Copyright (c) 2007-2009, Robin Sommer
+
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions
+are met:
+
+    * Redistributions of source code must retain the above copyright
+      notice, this list of conditions and the following disclaimer.
+      
+    * Redistributions in binary form must reproduce the above
+      copyright notice, this list of conditions and the following
+      disclaimer in the documentation and/or other materials provided
+      with the distribution.
+      
+    * Neither the name of the International Computer Science
+      Institute nor the names of its contributors may be used to
+      endorse or promote products derived from this software without
+      specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGE.
+
diff --git a/aux/broctl/aux/pysubnettree/Makefile b/aux/broctl/aux/pysubnettree/Makefile
new file mode 100644
index 0000000000..e3db026b4b
--- /dev/null
+++ b/aux/broctl/aux/pysubnettree/Makefile
@@ -0,0 +1,34 @@
+# $Id: Makefile 6811 2009-07-06 20:41:10Z robin $
+#
+# Makefile not needed to build module. Use "python setup.py install" instead.
+#
+# This Makefile generates the SWIG wrappers and the documentation.
+
+VERSION=0.12
+
+DISTFILES=LICENSE Makefile README README.html SubnetTree.cc SubnetTree.h \
+	SubnetTree.i SubnetTree.py SubnetTree_wrap.cc patricia.c patricia.h setup.py test.py
+
+CLEAN=build SubnetTree_wrap.cc SubnetTree.py README.html *.pyc 
+
+TGZ=pysubnettree-$(VERSION)
+
+all: SubnetTree_wrap.cpp README.html
+
+SubnetTree_wrap.cpp SubnetTree.py: SubnetTree.i SubnetTree.h
+	swig -c++ -python -o SubnetTree_wrap.cc SubnetTree.i
+
+doc: README.html
+
+README.html : README
+	-asciidoc -a toc -b xhtml11-custom README
+
+clean:
+	rm -rf $(CLEAN)
+
+dist:
+	@rm -rf $(TGZ)
+	@mkdir $(TGZ)
+	@cp -rp $(DISTFILES) $(TGZ)
+	tar czvf $(TGZ).tar.gz $(TGZ)
+	@rm -rf $(TGZ)    
diff --git a/aux/broctl/aux/pysubnettree/README b/aux/broctl/aux/pysubnettree/README
new file mode 100644
index 0000000000..a6c0525730
--- /dev/null
+++ b/aux/broctl/aux/pysubnettree/README
@@ -0,0 +1,87 @@
+//	-*- AsciiDoc -*-
+PySubnetTree - A Python Module for CIDR Lookups.
+================================================
+
+Overview
+--------
+
+The PySubnetTree package provides a Python data structure
++SubnetTree+ which maps subnets given in
+http://tools.ietf.org/html/rfc4632[CIDR] notation to Python
+objects. Lookups are performed by longest-prefix matching. 
+
+Simple example which associates CIDR prefixes with strings:
+
+    >>> import SubnetTree
+    >>> t = SubnetTree.SubnetTree()
+    >>> t["10.1.0.0/16"] = "Network 1"
+    >>> t["10.1.42.0/24"] = "Network 1, Subnet 42"
+    >>> t["10.2.0.0/16"] = "Network 2"
+    >>> print t["10.1.42.1"]
+    Network 1, Subnet 42
+    >>> print t["10.1.43.1"]
+    Network 1
+    >>> print "10.1.42.1" in t
+    True
+    >>> print "10.1.43.1" in t
+    True
+    >>> print "10.20.1.1" in t
+    False
+    >>> print t["10.20.1.1"]
+    Traceback (most recent call last):
+      File "<stdin>", line 1, in <module>
+      File "SubnetTree.py", line 67, in __getitem__
+        def __getitem__(*args): return _SubnetTree.SubnetTree___getitem__(*args)
+    KeyError: '10.20.1.1'
+
+
+CIDR prefixes are given as strings. Single addresses can
+alternatively also be passed in as integers as, e.g., returned by
+http://docs.python.org/lib/module-socket.html#l2h-3657[+socket.inet_aton+].
+
+A SubnetTree also provides methods +insert(prefix,object=None)+ for insertion
+of prefixes (+object+ can be skipped to use the tree like a set), and
++remove(prefix)+ for removing entries (+remove+ performs an _exact_ match
+rather than longest-prefix). 
+
+Internally, the CIDR prefixes of a +SubnetTree+ are managed by a
+Patricia tree data structure and lookups are therefore efficient
+even for large number of prefixes.
+
+PySubnetTree comes with BSD license.
+
+Version History
+---------------
+
+*Version 0.12*:: Better error handling. In particular, using None as
+an index now raises an IndexError.
+
+*Version 0.11*:: License changed from GPL to BSD-style.
+
+*Version 0.1*:: Initial release.
+
+Download
+--------
+
+Download http://www.icir.org/robin/pysubnettree/pysubnettree-0.12.tar.gz[+pysubnettree-0.12.tar.gz+].
+
+Prerequisites
+-------------
+
+This packages requires Python 2.4 or newer.
+
+Installation
+------------
+
+Installation is pretty simple:
+
+   > python setup.py install
+   
+   
+   
+   
+    
+    
+
+
+
diff --git a/aux/broctl/aux/pysubnettree/README.html b/aux/broctl/aux/pysubnettree/README.html
new file mode 100644
index 0000000000..ebd85cd2e7
--- /dev/null
+++ b/aux/broctl/aux/pysubnettree/README.html
@@ -0,0 +1,514 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
+    "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
+<meta name="generator" content="AsciiDoc 8.2.3" />
+<style type="text/css">
+/* Debug borders */
+p, li, dt, dd, div, pre, h1, h2, h3, h4, h5, h6 {
+/*
+  border: 1px solid red;
+*/
+}
+
+body {
+  background:#ffffff;
+  margin:0;
+  padding:20px 10px;
+  font-size: small;
+  font-family: sans-serif;
+  color: #505050;
+  margin: 1em 10% 1em 10%;
+}
+
+a {
+  color: #005000;
+}
+
+a:visited {
+  color: #005000;
+}
+
+a:hover {
+  color: #002000;
+}
+
+em {
+  font-style: italic;
+}
+
+strong {
+  font-weight: bold;
+}
+
+tt {
+  color: #000000;
+}
+
+h1, h2, h3, h4, h5, h6, div#toctitle {
+  color: #227022;
+  font-family: sans-serif;
+  margin-top: 1.2em;
+  margin-bottom: 0.5em;
+  line-height: 1.3;
+  font-weight: normal;
+}
+
+h1, h2, h3, div#toctitle {
+  border-bottom: 1px solid;
+  border-color: #000000;
+}
+
+h1 {
+  font-size: x-large;
+  }
+
+h2, div#toctitle {
+  padding-top: 0.5em;
+  font-size: medium;
+}
+h3 {
+  float: left;
+  font-size: small;
+}
+h3 + * {
+  clear: left;
+}
+
+div.sectionbody {
+  font-family: sans-serif;
+  margin-left: 0;
+}
+
+hr {
+  border: 1px solid;
+}
+
+p {
+  margin-top: 0.5em;
+  margin-bottom: 0.5em;
+}
+
+pre {
+  padding: 0;
+  margin: 0;
+}
+
+span#author {
+  color: #338033;
+  font-family: sans-serif;
+  font-size: 1.1em;
+}
+span#email {
+}
+span#revision {
+  font-family: sans-serif;
+}
+
+div#footer {
+  font-family: sans-serif;
+  font-size: x-small;
+  border-top: 1px solid;
+  padding-top: 0.5em;
+  margin-top: 4.0em;
+}
+div#footer-text {
+  float: left;
+  padding-bottom: 0.5em;
+}
+div#footer-badges {
+  float: right;
+  padding-bottom: 0.5em;
+}
+
+div#preamble,
+div.tableblock, div.imageblock, div.exampleblock, div.verseblock,
+div.quoteblock, div.literalblock, div.listingblock, div.sidebarblock,
+div.admonitionblock {
+  margin-top: 1.5em;
+  margin-left: 1em;
+  margin-bottom: 1.5em;
+/*  background: #eeffcc; */
+}
+div.admonitionblock {
+  margin-top: 2.5em;
+  margin-bottom: 2.5em;
+}
+
+div.content { /* Block element content. */
+  padding: 0;
+}
+
+/* Block element titles. */
+div.title, caption.title {
+  font-family: sans-serif;
+  text-align: left;
+  margin-top: 1.0em;
+  margin-bottom: 0.5em;
+}
+div.title + * {
+  margin-top: 0;
+}
+
+td div.title:first-child {
+  margin-top: 0.0em;
+}
+div.content div.title:first-child {
+  margin-top: 0.0em;
+}
+div.content + div.title {
+  margin-top: 0.0em;
+}
+
+div.sidebarblock > div.content {
+  background: #ffffee;
+  border: 1px solid;
+  padding: 0.5em;
+}
+
+div.listingblock {
+  margin-right: 0%;
+}
+div.listingblock > div.content {
+  border: 1px solid;
+  background: #f4f4f4;
+  padding: 0.5em;
+}
+
+div.quoteblock > div.content {
+  padding-left: 2.0em;
+}
+
+div.attribution {
+  text-align: right;
+}
+
+div.verseblock + div.attribution {
+  text-align: left;
+}
+
+div.admonitionblock .icon {
+  vertical-align: top;
+  font-size: 1.1em;
+  color: #338033;
+  padding-right: 0.5em;
+}
+div.admonitionblock td.content {
+  padding-left: 0.5em;
+  border-left: 2px solid;
+}
+
+div.exampleblock > div.content {
+  border-left: 2px solid;
+  padding: 0.5em;
+}
+
+div.verseblock div.content {
+  white-space: pre;
+}
+
+div.imageblock div.content { padding-left: 0; }
+div.imageblock img { border: 1px solid ; }
+span.image img { border-style: none; }
+
+dl {
+  margin-top: 0.8em;
+  margin-bottom: 0.8em;
+}
+dt {
+  margin-top: 0.5em;
+  margin-bottom: 0;
+  font-style: italic;
+}
+dd > *:first-child {
+  margin-top: 0;
+}
+
+ul, ol {
+    list-style-position: outside;
+}
+div.olist2 ol {
+  list-style-type: lower-alpha;
+}
+
+div.tableblock > table {
+  border: 3px solid #527bbd;
+}
+
+div.addrblock > table {
+  border: 0px 0px 0px 0px;
+  border-style: none none none none;
+  padding: 0px;
+  margin: 10px;
+  color: #000000;
+}
+
+table.addrblockbg {
+  /*
+  border-top: 1px solid;
+  border-bottom: 1px solid;
+  */
+  background: #e0ffe0 ;
+  border-style: none;
+  outline-style: none;
+}
+
+thead {
+  font-family: sans-serif;
+  color: #000000;
+}
+tfoot {
+  font-weight: bold;
+  color: #000000;
+}
+
+div.hlist {
+  margin-top: 0.8em;
+  margin-bottom: 0.8em;
+}
+div.hlist td {
+  padding-bottom: 5px;
+}
+td.hlist1 {
+  vertical-align: top;
+  font-style: italic;
+  padding-right: 0.8em;
+}
+td.hlist2 {
+  vertical-align: top;
+}
+
+@media print {
+  div#footer-badges { display: none; }
+}
+
+div.toclevel1, div.toclevel2, div.toclevel3, div.toclevel4 {
+  margin-top: .5ex;
+  margin-bottom: 0;
+  margin-left: 2em;
+  line-height: 1.3;
+}
+div.toclevel1 {
+  margin-top: 1ex;
+}
+div.toclevel2 {
+  margin-left: 4em;
+}
+
+div.toclevel3 {
+  margin-left: 6em;
+}
+div.toclevel4 {
+  margin-left: 8em;
+}
+/* Workarounds for IE6's broken and incomplete CSS2. */
+
+div.sidebar-content {
+  background: #ffffee;
+  border: 1px solid silver;
+  padding: 0.5em;
+}
+div.sidebar-title, div.image-title {
+  font-family: sans-serif;
+  font-weight: bold;
+  margin-top: 0.0em;
+  margin-bottom: 0.5em;
+}
+
+div.listingblock div.content {
+  border: 1px solid silver;
+  background: #f4f4f4;
+  padding: 0.5em;
+}
+
+div.quoteblock-content {
+  padding-left: 2.0em;
+}
+
+div.exampleblock-content {
+  border-left: 2px solid silver;
+  padding-left: 0.5em;
+}
+
+/* IE6 sets dynamically generated links as visited. */
+div#toc a:visited { color: blue; }
+</style>
+<script type="text/javascript">
+/*<![CDATA[*/
+window.onload = function(){generateToc(2)}
+/* Author: Mihai Bazon, September 2002
+ * http://students.infoiasi.ro/~mishoo
+ *
+ * Table Of Content generator
+ * Version: 0.4
+ *
+ * Feel free to use this script under the terms of the GNU General Public
+ * License, as long as you do not remove or alter this notice.
+ */
+
+ /* modified by Troy D. Hanson, September 2006. License: GPL */
+ /* modified by Stuart Rackham, October 2006. License: GPL */
+
+function getText(el) {
+  var text = "";
+  for (var i = el.firstChild; i != null; i = i.nextSibling) {
+    if (i.nodeType == 3 /* Node.TEXT_NODE */) // IE doesn't speak constants.
+      text += i.data;
+    else if (i.firstChild != null)
+      text += getText(i);
+  }
+  return text;
+}
+
+function TocEntry(el, text, toclevel) {
+  this.element = el;
+  this.text = text;
+  this.toclevel = toclevel;
+}
+
+function tocEntries(el, toclevels) {
+  var result = new Array;
+  var re = new RegExp('[hH]([2-'+(toclevels+1)+'])');
+  // Function that scans the DOM tree for header elements (the DOM2
+  // nodeIterator API would be a better technique but not supported by all
+  // browsers).
+  var iterate = function (el) {
+    for (var i = el.firstChild; i != null; i = i.nextSibling) {
+      if (i.nodeType == 1 /* Node.ELEMENT_NODE */) {
+        var mo = re.exec(i.tagName)
+        if (mo)
+          result[result.length] = new TocEntry(i, getText(i), mo[1]-1);
+        iterate(i);
+      }
+    }
+  }
+  iterate(el);
+  return result;
+}
+
+// This function does the work. toclevels = 1..4.
+function generateToc(toclevels) {
+  var toc = document.getElementById("toc");
+  var entries = tocEntries(document.getElementsByTagName("body")[0], toclevels);
+  for (var i = 0; i < entries.length; ++i) {
+    var entry = entries[i];
+    if (entry.element.id == "")
+      entry.element.id = "toc" + i;
+    var a = document.createElement("a");
+    a.href = "#" + entry.element.id;
+    a.appendChild(document.createTextNode(entry.text));
+    var div = document.createElement("div");
+    div.appendChild(a);
+    div.className = "toclevel" + entry.toclevel;
+    toc.appendChild(div);
+  }
+}
+/*]]>*/
+</script>
+<title>PySubnetTree - A Python Module for CIDR Lookups.</title>
+</head>
+<body>
+<div id="header">
+<h1>PySubnetTree - A Python Module for CIDR Lookups.</h1>
+<div id="toc">
+  <div id="toctitle">Table of Contents</div>
+  <noscript><p><b>JavaScript must be enabled in your browser to display the table of contents.</b></p></noscript>
+</div>
+</div>
+<h2>Overview</h2><p/>
+<div class="sectionbody">
+<p>The PySubnetTree package provides a Python data structure
+<tt>SubnetTree</tt> which maps subnets given in
+<a href="http://tools.ietf.org/html/rfc4632">CIDR</a> notation to Python
+objects. Lookups are performed by longest-prefix matching.</p>
+<p>Simple example which associates CIDR prefixes with strings:</p>
+<div class="literalblock">
+<div class="content">
+<pre><tt>&gt;&gt;&gt; import SubnetTree
+&gt;&gt;&gt; t = SubnetTree.SubnetTree()
+&gt;&gt;&gt; t["10.1.0.0/16"] = "Network 1"
+&gt;&gt;&gt; t["10.1.42.0/24"] = "Network 1, Subnet 42"
+&gt;&gt;&gt; t["10.2.0.0/16"] = "Network 2"
+&gt;&gt;&gt; print t["10.1.42.1"]
+Network 1, Subnet 42
+&gt;&gt;&gt; print t["10.1.43.1"]
+Network 1
+&gt;&gt;&gt; print "10.1.42.1" in t
+True
+&gt;&gt;&gt; print "10.1.43.1" in t
+True
+&gt;&gt;&gt; print "10.20.1.1" in t
+False
+&gt;&gt;&gt; print t["10.20.1.1"]
+Traceback (most recent call last):
+  File "&lt;stdin&gt;", line 1, in &lt;module&gt;
+  File "SubnetTree.py", line 67, in __getitem__
+    def __getitem__(*args): return _SubnetTree.SubnetTree___getitem__(*args)
+KeyError: '10.20.1.1'</tt></pre>
+</div></div>
+<p>CIDR prefixes are given as strings. Single addresses can
+alternatively also be passed in as integers as, e.g., returned by
+<a href="http://docs.python.org/lib/module-socket.html#l2h-3657"><tt>socket.inet_aton</tt></a>.</p>
+<p>A SubnetTree also provides methods <tt>insert(prefix,object=None)</tt> for insertion
+of prefixes (<tt>object</tt> can be skipped to use the tree like a set), and
+<tt>remove(prefix)</tt> for removing entries (<tt>remove</tt> performs an <em>exact</em> match
+rather than longest-prefix).</p>
+<p>Internally, the CIDR prefixes of a <tt>SubnetTree</tt> are managed by a
+Patricia tree data structure and lookups are therefore efficient
+even for large number of prefixes.</p>
+<p>PySubnetTree comes with BSD license.</p>
+</div>
+<h2>Version History</h2><p/>
+<div class="sectionbody">
+<div class="hlist"><table>
+<tr>
+<td class="hlist1">
+<strong>Version 0.12</strong>
+</td>
+<td class="hlist2">
+Better error handling. In particular, using None as
+an index now raises an IndexError.
+</td>
+</tr>
+<tr>
+<td class="hlist1">
+<strong>Version 0.11</strong>
+</td>
+<td class="hlist2">
+License changed from GPL to BSD-style.
+</td>
+</tr>
+<tr>
+<td class="hlist1">
+<strong>Version 0.1</strong>
+</td>
+<td class="hlist2">
+Initial release.
+</td>
+</tr>
+</table></div>
+</div>
+<h2>Download</h2><p/>
+<div class="sectionbody">
+<p>Download <a href="http://www.icir.org/robin/pysubnettree/pysubnettree-0.12.tar.gz"><tt>pysubnettree-0.12.tar.gz</tt></a>.</p>
+</div>
+<h2>Prerequisites</h2><p/>
+<div class="sectionbody">
+<p>This packages requires Python 2.4 or newer.</p>
+</div>
+<h2>Installation</h2><p/>
+<div class="sectionbody">
+<p>Installation is pretty simple:</p>
+<div class="literalblock">
+<div class="content">
+<pre><tt>&gt; python setup.py install</tt></pre>
+</div></div>
+</div>
+<div id="footer">
+<div id="footer-text">
+<a href="http://www.icir.org/robin">Back to Homepage</a><br />
+</div>
+</div>
+</body>
+</html>
diff --git a/aux/broctl/aux/pysubnettree/SubnetTree.cc b/aux/broctl/aux/pysubnettree/SubnetTree.cc
new file mode 100644
index 0000000000..ae61ed3e76
--- /dev/null
+++ b/aux/broctl/aux/pysubnettree/SubnetTree.cc
@@ -0,0 +1,155 @@
+// $Id: SubnetTree.cc 6813 2009-07-07 18:54:12Z robin $
+
+#include <memory.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <arpa/inet.h>
+
+#include "SubnetTree.h"
+
+static PyObject* dummy = Py_BuildValue("s", "<dummy string>");
+
+inline static prefix_t* make_prefix(unsigned long addr, int width)
+	{
+	prefix_t* subnet = new prefix_t;
+
+	memcpy(&subnet->add.sin, &addr, sizeof(subnet->add.sin)) ;
+	subnet->family = AF_INET;
+	subnet->bitlen = width;
+	subnet->ref_count = 1;
+
+	return subnet;
+	}
+
+inline static bool parse_cidr(const char *cidr, unsigned long *subnet, unsigned short *mask)
+{
+    static char buffer[32];
+    struct in_addr addr;
+
+    if ( ! cidr )
+        return false;
+
+    const char *s = strchr(cidr, '/');
+    if ( s ) {
+        int len = s - cidr < 32 ? s - cidr : 31;
+        memcpy(buffer, cidr, len);
+        buffer[len] = '\0';
+        *mask = atoi(s+1);
+        s = buffer;
+    }
+    else {
+        s = cidr;
+        *mask = 32;
+    }
+
+    if ( ! inet_aton(const_cast<char *>(s), &addr) )
+        return false;
+
+    *subnet = addr.s_addr;
+
+    return true;
+
+}
+
+SubnetTree::SubnetTree()
+{
+    tree = New_Patricia(128);
+}
+
+SubnetTree::~SubnetTree()
+{
+    Destroy_Patricia(tree, 0);
+}
+
+bool SubnetTree::insert(const char *cidr, PyObject* data) 
+{
+    unsigned long subnet;
+    unsigned short mask;
+
+    if ( ! parse_cidr(cidr, &subnet, &mask) )
+        return false;
+
+    return insert(subnet, mask, data);
+}
+
+bool SubnetTree::insert(unsigned long subnet, unsigned short mask, PyObject* data)
+{
+	prefix_t* sn = make_prefix(subnet, mask);
+	patricia_node_t* node = patricia_lookup(tree, sn);
+	Deref_Prefix(sn);
+
+	if ( ! node ) {
+        fprintf(stderr, "Cannot create node in patricia tree");
+        return false;
+    }
+
+    if ( ! data )
+        data = dummy;
+
+    Py_INCREF(data);
+	node->data = data;
+
+	return true;
+}
+
+bool SubnetTree::remove(const char *cidr)
+{
+    unsigned long subnet;
+    unsigned short mask;
+
+    if ( ! parse_cidr(cidr, &subnet, &mask) )
+        return false;
+
+    return remove(subnet, mask);
+}
+
+bool SubnetTree::remove(unsigned long addr, unsigned short mask)
+{                                      /*  */
+	prefix_t* subnet = make_prefix(addr, mask);
+	patricia_node_t* node = patricia_search_exact(tree, subnet);
+	Deref_Prefix(subnet);
+
+	if ( ! node )
+		return false;
+
+    PyObject* data = (PyObject*)node->data;
+    Py_DECREF(data);
+
+	patricia_remove(tree, node);
+
+	return data != dummy;
+}
+
+PyObject* SubnetTree::lookup(const char *cidr, int size) const
+{
+    struct in_addr a;
+
+    if ( ! cidr )
+        return false;
+
+    // If it's a 4-byte string, it's probably a host address packed with
+    // socket.inet_aton().
+    if ( size == 4 )
+        return lookup(*((unsigned long *)cidr));
+
+    if ( ! inet_aton(cidr, &a) )
+        return false;
+
+    return lookup(a.s_addr);
+}
+
+PyObject* SubnetTree::lookup(unsigned long addr) const
+{
+	prefix_t* subnet = make_prefix(addr, 32);
+	patricia_node_t* node =	patricia_search_best(tree, subnet);
+	Deref_Prefix(subnet);
+
+    if ( ! node )
+        return 0;
+
+    PyObject* data = (PyObject*)node->data;
+
+    Py_INCREF(data);
+    return data;
+}
+
diff --git a/aux/broctl/aux/pysubnettree/SubnetTree.h b/aux/broctl/aux/pysubnettree/SubnetTree.h
new file mode 100644
index 0000000000..01e4e236be
--- /dev/null
+++ b/aux/broctl/aux/pysubnettree/SubnetTree.h
@@ -0,0 +1,109 @@
+// $Id: SubnetTree.h 6813 2009-07-07 18:54:12Z robin $
+
+extern "C" {
+#include "Python.h"
+#include "patricia.h"
+}
+
+#ifdef SWIG
+// If a function is supposed to accept 4-byte tuples as packet by
+// socket.inet_aton(), it needs to accept strings which contain 0s.
+// Therefore, we need a size parameter.
+%apply (char *STRING, int LENGTH) { (char *cidr, int size) };
+#endif
+
+class SubnetTree
+{
+public:
+   SubnetTree();
+   ~SubnetTree();
+
+   bool insert(const char *cidr, PyObject* data = 0);
+   bool insert(unsigned long subnet, unsigned short mask, PyObject* data = 0);
+
+   bool remove(const char *cidr);
+   bool remove(unsigned long subnet, unsigned short mask);
+
+   PyObject* lookup(const char *cidr, int size) const;
+   PyObject* lookup(unsigned long addr) const;
+
+#ifndef SWIG   
+   bool operator[](const char* addr) const { return lookup(addr, strlen(addr)); }
+   bool operator[](unsigned long addr) const { return lookup(addr); }
+#else
+   %extend {
+       PyObject* __contains__(char *cidr, int size) 
+       {
+           if ( ! cidr ) {
+               PyErr_SetString(PyExc_TypeError, "index must be string");
+               return 0;
+           }
+
+           PyObject* obj = self->lookup(cidr, size);
+           if ( obj )
+               Py_DECREF(obj);
+
+           if ( obj != 0 )
+               Py_RETURN_TRUE;
+           else
+               Py_RETURN_FALSE;
+       }
+
+       bool __contains__(unsigned long addr) 
+       {
+           return self->lookup(addr);
+       }
+
+       PyObject* __getitem__(char *cidr, int size) 
+       {
+           if ( ! cidr ) {
+               PyErr_SetString(PyExc_TypeError, "index must be string");
+               return 0;
+           }
+
+           PyObject* data = self->lookup(cidr, size);
+           if ( ! data ) {
+               PyErr_SetString(PyExc_KeyError, cidr ? cidr : "None");
+               return 0;
+           }
+
+           return data;
+       }
+
+       PyObject*  __setitem__(const char* cidr, PyObject* data) 
+       {
+           if ( ! cidr ) {
+               PyErr_SetString(PyExc_TypeError, "index must be string");
+               return 0; 
+           }
+
+           if ( ! self->insert(cidr, data) ) {
+               PyErr_SetString(PyExc_IndexError, "cannot insert network");
+               return 0;
+           }
+
+           return PyInt_FromLong(1);
+       }
+
+       PyObject* __delitem__(const char* cidr) 
+       {
+           if ( ! cidr ) {
+               PyErr_SetString(PyExc_TypeError, "index must be string");
+               return 0; 
+           }
+
+           if ( ! self->remove(cidr) ) {
+               PyErr_SetString(PyExc_IndexError, "cannot remove network");
+               return 0;
+           }
+
+           return PyInt_FromLong(1);
+       }
+
+   }
+#endif   
+
+private:
+   patricia_tree_t* tree;
+
+};
diff --git a/aux/broctl/aux/pysubnettree/SubnetTree.i b/aux/broctl/aux/pysubnettree/SubnetTree.i
new file mode 100644
index 0000000000..289a92fe2f
--- /dev/null
+++ b/aux/broctl/aux/pysubnettree/SubnetTree.i
@@ -0,0 +1,8 @@
+
+%module SubnetTree
+%{
+  #include "SubnetTree.h"
+%}
+      
+%include "SubnetTree.h"
+ 
diff --git a/aux/broctl/aux/pysubnettree/SubnetTree.py b/aux/broctl/aux/pysubnettree/SubnetTree.py
new file mode 100644
index 0000000000..307d1d61c0
--- /dev/null
+++ b/aux/broctl/aux/pysubnettree/SubnetTree.py
@@ -0,0 +1,74 @@
+# This file was automatically generated by SWIG (http://www.swig.org).
+# Version 1.3.31
+#
+# Don't modify this file, modify the SWIG interface instead.
+# This file is compatible with both classic and new-style classes.
+
+import _SubnetTree
+import new
+new_instancemethod = new.instancemethod
+try:
+    _swig_property = property
+except NameError:
+    pass # Python < 2.2 doesn't have 'property'.
+def _swig_setattr_nondynamic(self,class_type,name,value,static=1):
+    if (name == "thisown"): return self.this.own(value)
+    if (name == "this"):
+        if type(value).__name__ == 'PySwigObject':
+            self.__dict__[name] = value
+            return
+    method = class_type.__swig_setmethods__.get(name,None)
+    if method: return method(self,value)
+    if (not static) or hasattr(self,name):
+        self.__dict__[name] = value
+    else:
+        raise AttributeError("You cannot add attributes to %s" % self)
+
+def _swig_setattr(self,class_type,name,value):
+    return _swig_setattr_nondynamic(self,class_type,name,value,0)
+
+def _swig_getattr(self,class_type,name):
+    if (name == "thisown"): return self.this.own()
+    method = class_type.__swig_getmethods__.get(name,None)
+    if method: return method(self)
+    raise AttributeError,name
+
+def _swig_repr(self):
+    try: strthis = "proxy of " + self.this.__repr__()
+    except: strthis = ""
+    return "<%s.%s; %s >" % (self.__class__.__module__, self.__class__.__name__, strthis,)
+
+import types
+try:
+    _object = types.ObjectType
+    _newclass = 1
+except AttributeError:
+    class _object : pass
+    _newclass = 0
+del types
+
+
+class SubnetTree(_object):
+    __swig_setmethods__ = {}
+    __setattr__ = lambda self, name, value: _swig_setattr(self, SubnetTree, name, value)
+    __swig_getmethods__ = {}
+    __getattr__ = lambda self, name: _swig_getattr(self, SubnetTree, name)
+    __repr__ = _swig_repr
+    def __init__(self, *args): 
+        this = _SubnetTree.new_SubnetTree(*args)
+        try: self.this.append(this)
+        except: self.this = this
+    __swig_destroy__ = _SubnetTree.delete_SubnetTree
+    __del__ = lambda self : None;
+    def insert(*args): return _SubnetTree.SubnetTree_insert(*args)
+    def remove(*args): return _SubnetTree.SubnetTree_remove(*args)
+    def lookup(*args): return _SubnetTree.SubnetTree_lookup(*args)
+    def __contains__(*args): return _SubnetTree.SubnetTree___contains__(*args)
+    def __getitem__(*args): return _SubnetTree.SubnetTree___getitem__(*args)
+    def __setitem__(*args): return _SubnetTree.SubnetTree___setitem__(*args)
+    def __delitem__(*args): return _SubnetTree.SubnetTree___delitem__(*args)
+SubnetTree_swigregister = _SubnetTree.SubnetTree_swigregister
+SubnetTree_swigregister(SubnetTree)
+
+
+
diff --git a/aux/broctl/aux/pysubnettree/SubnetTree_wrap.cc b/aux/broctl/aux/pysubnettree/SubnetTree_wrap.cc
new file mode 100644
index 0000000000..489d50e52d
--- /dev/null
+++ b/aux/broctl/aux/pysubnettree/SubnetTree_wrap.cc
@@ -0,0 +1,4225 @@
+/* ----------------------------------------------------------------------------
+ * This file was automatically generated by SWIG (http://www.swig.org).
+ * Version 1.3.31
+ * 
+ * This file is not intended to be easily readable and contains a number of 
+ * coding conventions designed to improve portability and efficiency. Do not make
+ * changes to this file unless you know what you are doing--modify the SWIG 
+ * interface file instead. 
+ * ----------------------------------------------------------------------------- */
+
+#define SWIGPYTHON
+#define SWIG_PYTHON_DIRECTOR_NO_VTABLE
+
+#ifdef __cplusplus
+template<class T> class SwigValueWrapper {
+    T *tt;
+public:
+    SwigValueWrapper() : tt(0) { }
+    SwigValueWrapper(const SwigValueWrapper<T>& rhs) : tt(new T(*rhs.tt)) { }
+    SwigValueWrapper(const T& t) : tt(new T(t)) { }
+    ~SwigValueWrapper() { delete tt; } 
+    SwigValueWrapper& operator=(const T& t) { delete tt; tt = new T(t); return *this; }
+    operator T&() const { return *tt; }
+    T *operator&() { return tt; }
+private:
+    SwigValueWrapper& operator=(const SwigValueWrapper<T>& rhs);
+};
+#endif
+
+/* -----------------------------------------------------------------------------
+ *  This section contains generic SWIG labels for method/variable
+ *  declarations/attributes, and other compiler dependent labels.
+ * ----------------------------------------------------------------------------- */
+
+/* template workaround for compilers that cannot correctly implement the C++ standard */
+#ifndef SWIGTEMPLATEDISAMBIGUATOR
+# if defined(__SUNPRO_CC)
+#   if (__SUNPRO_CC <= 0x560)
+#     define SWIGTEMPLATEDISAMBIGUATOR template
+#   else
+#     define SWIGTEMPLATEDISAMBIGUATOR 
+#   endif
+# else
+#   define SWIGTEMPLATEDISAMBIGUATOR 
+# endif
+#endif
+
+/* inline attribute */
+#ifndef SWIGINLINE
+# if defined(__cplusplus) || (defined(__GNUC__) && !defined(__STRICT_ANSI__))
+#   define SWIGINLINE inline
+# else
+#   define SWIGINLINE
+# endif
+#endif
+
+/* attribute recognised by some compilers to avoid 'unused' warnings */
+#ifndef SWIGUNUSED
+# if defined(__GNUC__)
+#   if !(defined(__cplusplus)) || (__GNUC__ > 3 || (__GNUC__ == 3 && __GNUC_MINOR__ >= 4))
+#     define SWIGUNUSED __attribute__ ((__unused__)) 
+#   else
+#     define SWIGUNUSED
+#   endif
+# elif defined(__ICC)
+#   define SWIGUNUSED __attribute__ ((__unused__)) 
+# else
+#   define SWIGUNUSED 
+# endif
+#endif
+
+#ifndef SWIGUNUSEDPARM
+# ifdef __cplusplus
+#   define SWIGUNUSEDPARM(p)
+# else
+#   define SWIGUNUSEDPARM(p) p SWIGUNUSED 
+# endif
+#endif
+
+/* internal SWIG method */
+#ifndef SWIGINTERN
+# define SWIGINTERN static SWIGUNUSED
+#endif
+
+/* internal inline SWIG method */
+#ifndef SWIGINTERNINLINE
+# define SWIGINTERNINLINE SWIGINTERN SWIGINLINE
+#endif
+
+/* exporting methods */
+#if (__GNUC__ >= 4) || (__GNUC__ == 3 && __GNUC_MINOR__ >= 4)
+#  ifndef GCC_HASCLASSVISIBILITY
+#    define GCC_HASCLASSVISIBILITY
+#  endif
+#endif
+
+#ifndef SWIGEXPORT
+# if defined(_WIN32) || defined(__WIN32__) || defined(__CYGWIN__)
+#   if defined(STATIC_LINKED)
+#     define SWIGEXPORT
+#   else
+#     define SWIGEXPORT __declspec(dllexport)
+#   endif
+# else
+#   if defined(__GNUC__) && defined(GCC_HASCLASSVISIBILITY)
+#     define SWIGEXPORT __attribute__ ((visibility("default")))
+#   else
+#     define SWIGEXPORT
+#   endif
+# endif
+#endif
+
+/* calling conventions for Windows */
+#ifndef SWIGSTDCALL
+# if defined(_WIN32) || defined(__WIN32__) || defined(__CYGWIN__)
+#   define SWIGSTDCALL __stdcall
+# else
+#   define SWIGSTDCALL
+# endif 
+#endif
+
+/* Deal with Microsoft's attempt at deprecating C standard runtime functions */
+#if !defined(SWIG_NO_CRT_SECURE_NO_DEPRECATE) && defined(_MSC_VER) && !defined(_CRT_SECURE_NO_DEPRECATE)
+# define _CRT_SECURE_NO_DEPRECATE
+#endif
+
+
+/* Python.h has to appear first */
+#include <Python.h>
+
+/* -----------------------------------------------------------------------------
+ * swigrun.swg
+ *
+ * This file contains generic CAPI SWIG runtime support for pointer
+ * type checking.
+ * ----------------------------------------------------------------------------- */
+
+/* This should only be incremented when either the layout of swig_type_info changes,
+   or for whatever reason, the runtime changes incompatibly */
+#define SWIG_RUNTIME_VERSION "3"
+
+/* define SWIG_TYPE_TABLE_NAME as "SWIG_TYPE_TABLE" */
+#ifdef SWIG_TYPE_TABLE
+# define SWIG_QUOTE_STRING(x) #x
+# define SWIG_EXPAND_AND_QUOTE_STRING(x) SWIG_QUOTE_STRING(x)
+# define SWIG_TYPE_TABLE_NAME SWIG_EXPAND_AND_QUOTE_STRING(SWIG_TYPE_TABLE)
+#else
+# define SWIG_TYPE_TABLE_NAME
+#endif
+
+/*
+  You can use the SWIGRUNTIME and SWIGRUNTIMEINLINE macros for
+  creating a static or dynamic library from the swig runtime code.
+  In 99.9% of the cases, swig just needs to declare them as 'static'.
+  
+  But only do this if is strictly necessary, ie, if you have problems
+  with your compiler or so.
+*/
+
+#ifndef SWIGRUNTIME
+# define SWIGRUNTIME SWIGINTERN
+#endif
+
+#ifndef SWIGRUNTIMEINLINE
+# define SWIGRUNTIMEINLINE SWIGRUNTIME SWIGINLINE
+#endif
+
+/*  Generic buffer size */
+#ifndef SWIG_BUFFER_SIZE
+# define SWIG_BUFFER_SIZE 1024
+#endif
+
+/* Flags for pointer conversions */
+#define SWIG_POINTER_DISOWN        0x1
+
+/* Flags for new pointer objects */
+#define SWIG_POINTER_OWN           0x1
+
+
+/* 
+   Flags/methods for returning states.
+   
+   The swig conversion methods, as ConvertPtr, return and integer 
+   that tells if the conversion was successful or not. And if not,
+   an error code can be returned (see swigerrors.swg for the codes).
+   
+   Use the following macros/flags to set or process the returning
+   states.
+   
+   In old swig versions, you usually write code as:
+
+     if (SWIG_ConvertPtr(obj,vptr,ty.flags) != -1) {
+       // success code
+     } else {
+       //fail code
+     }
+
+   Now you can be more explicit as:
+
+    int res = SWIG_ConvertPtr(obj,vptr,ty.flags);
+    if (SWIG_IsOK(res)) {
+      // success code
+    } else {
+      // fail code
+    }
+
+   that seems to be the same, but now you can also do
+
+    Type *ptr;
+    int res = SWIG_ConvertPtr(obj,(void **)(&ptr),ty.flags);
+    if (SWIG_IsOK(res)) {
+      // success code
+      if (SWIG_IsNewObj(res) {
+        ...
+	delete *ptr;
+      } else {
+        ...
+      }
+    } else {
+      // fail code
+    }
+    
+   I.e., now SWIG_ConvertPtr can return new objects and you can
+   identify the case and take care of the deallocation. Of course that
+   requires also to SWIG_ConvertPtr to return new result values, as
+
+      int SWIG_ConvertPtr(obj, ptr,...) {         
+        if (<obj is ok>) {			       
+          if (<need new object>) {		       
+            *ptr = <ptr to new allocated object>; 
+            return SWIG_NEWOBJ;		       
+          } else {				       
+            *ptr = <ptr to old object>;	       
+            return SWIG_OLDOBJ;		       
+          } 				       
+        } else {				       
+          return SWIG_BADOBJ;		       
+        }					       
+      }
+
+   Of course, returning the plain '0(success)/-1(fail)' still works, but you can be
+   more explicit by returning SWIG_BADOBJ, SWIG_ERROR or any of the
+   swig errors code.
+
+   Finally, if the SWIG_CASTRANK_MODE is enabled, the result code
+   allows to return the 'cast rank', for example, if you have this
+
+       int food(double)
+       int fooi(int);
+
+   and you call
+ 
+      food(1)   // cast rank '1'  (1 -> 1.0)
+      fooi(1)   // cast rank '0'
+
+   just use the SWIG_AddCast()/SWIG_CheckState()
+
+
+ */
+#define SWIG_OK                    (0) 
+#define SWIG_ERROR                 (-1)
+#define SWIG_IsOK(r)               (r >= 0)
+#define SWIG_ArgError(r)           ((r != SWIG_ERROR) ? r : SWIG_TypeError)  
+
+/* The CastRankLimit says how many bits are used for the cast rank */
+#define SWIG_CASTRANKLIMIT         (1 << 8)
+/* The NewMask denotes the object was created (using new/malloc) */
+#define SWIG_NEWOBJMASK            (SWIG_CASTRANKLIMIT  << 1)
+/* The TmpMask is for in/out typemaps that use temporal objects */
+#define SWIG_TMPOBJMASK            (SWIG_NEWOBJMASK << 1)
+/* Simple returning values */
+#define SWIG_BADOBJ                (SWIG_ERROR)
+#define SWIG_OLDOBJ                (SWIG_OK)
+#define SWIG_NEWOBJ                (SWIG_OK | SWIG_NEWOBJMASK)
+#define SWIG_TMPOBJ                (SWIG_OK | SWIG_TMPOBJMASK)
+/* Check, add and del mask methods */
+#define SWIG_AddNewMask(r)         (SWIG_IsOK(r) ? (r | SWIG_NEWOBJMASK) : r)
+#define SWIG_DelNewMask(r)         (SWIG_IsOK(r) ? (r & ~SWIG_NEWOBJMASK) : r)
+#define SWIG_IsNewObj(r)           (SWIG_IsOK(r) && (r & SWIG_NEWOBJMASK))
+#define SWIG_AddTmpMask(r)         (SWIG_IsOK(r) ? (r | SWIG_TMPOBJMASK) : r)
+#define SWIG_DelTmpMask(r)         (SWIG_IsOK(r) ? (r & ~SWIG_TMPOBJMASK) : r)
+#define SWIG_IsTmpObj(r)           (SWIG_IsOK(r) && (r & SWIG_TMPOBJMASK))
+
+
+/* Cast-Rank Mode */
+#if defined(SWIG_CASTRANK_MODE)
+#  ifndef SWIG_TypeRank
+#    define SWIG_TypeRank             unsigned long
+#  endif
+#  ifndef SWIG_MAXCASTRANK            /* Default cast allowed */
+#    define SWIG_MAXCASTRANK          (2)
+#  endif
+#  define SWIG_CASTRANKMASK          ((SWIG_CASTRANKLIMIT) -1)
+#  define SWIG_CastRank(r)           (r & SWIG_CASTRANKMASK)
+SWIGINTERNINLINE int SWIG_AddCast(int r) { 
+  return SWIG_IsOK(r) ? ((SWIG_CastRank(r) < SWIG_MAXCASTRANK) ? (r + 1) : SWIG_ERROR) : r;
+}
+SWIGINTERNINLINE int SWIG_CheckState(int r) { 
+  return SWIG_IsOK(r) ? SWIG_CastRank(r) + 1 : 0; 
+}
+#else /* no cast-rank mode */
+#  define SWIG_AddCast
+#  define SWIG_CheckState(r) (SWIG_IsOK(r) ? 1 : 0)
+#endif
+
+
+
+
+#include <string.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+typedef void *(*swig_converter_func)(void *);
+typedef struct swig_type_info *(*swig_dycast_func)(void **);
+
+/* Structure to store inforomation on one type */
+typedef struct swig_type_info {
+  const char             *name;			/* mangled name of this type */
+  const char             *str;			/* human readable name of this type */
+  swig_dycast_func        dcast;		/* dynamic cast function down a hierarchy */
+  struct swig_cast_info  *cast;			/* linked list of types that can cast into this type */
+  void                   *clientdata;		/* language specific type data */
+  int                    owndata;		/* flag if the structure owns the clientdata */
+} swig_type_info;
+
+/* Structure to store a type and conversion function used for casting */
+typedef struct swig_cast_info {
+  swig_type_info         *type;			/* pointer to type that is equivalent to this type */
+  swig_converter_func     converter;		/* function to cast the void pointers */
+  struct swig_cast_info  *next;			/* pointer to next cast in linked list */
+  struct swig_cast_info  *prev;			/* pointer to the previous cast */
+} swig_cast_info;
+
+/* Structure used to store module information
+ * Each module generates one structure like this, and the runtime collects
+ * all of these structures and stores them in a circularly linked list.*/
+typedef struct swig_module_info {
+  swig_type_info         **types;		/* Array of pointers to swig_type_info structures that are in this module */
+  size_t                 size;		        /* Number of types in this module */
+  struct swig_module_info *next;		/* Pointer to next element in circularly linked list */
+  swig_type_info         **type_initial;	/* Array of initially generated type structures */
+  swig_cast_info         **cast_initial;	/* Array of initially generated casting structures */
+  void                    *clientdata;		/* Language specific module data */
+} swig_module_info;
+
+/* 
+  Compare two type names skipping the space characters, therefore
+  "char*" == "char *" and "Class<int>" == "Class<int >", etc.
+
+  Return 0 when the two name types are equivalent, as in
+  strncmp, but skipping ' '.
+*/
+SWIGRUNTIME int
+SWIG_TypeNameComp(const char *f1, const char *l1,
+		  const char *f2, const char *l2) {
+  for (;(f1 != l1) && (f2 != l2); ++f1, ++f2) {
+    while ((*f1 == ' ') && (f1 != l1)) ++f1;
+    while ((*f2 == ' ') && (f2 != l2)) ++f2;
+    if (*f1 != *f2) return (*f1 > *f2) ? 1 : -1;
+  }
+  return (l1 - f1) - (l2 - f2);
+}
+
+/*
+  Check type equivalence in a name list like <name1>|<name2>|...
+  Return 0 if not equal, 1 if equal
+*/
+SWIGRUNTIME int
+SWIG_TypeEquiv(const char *nb, const char *tb) {
+  int equiv = 0;
+  const char* te = tb + strlen(tb);
+  const char* ne = nb;
+  while (!equiv && *ne) {
+    for (nb = ne; *ne; ++ne) {
+      if (*ne == '|') break;
+    }
+    equiv = (SWIG_TypeNameComp(nb, ne, tb, te) == 0) ? 1 : 0;
+    if (*ne) ++ne;
+  }
+  return equiv;
+}
+
+/*
+  Check type equivalence in a name list like <name1>|<name2>|...
+  Return 0 if equal, -1 if nb < tb, 1 if nb > tb
+*/
+SWIGRUNTIME int
+SWIG_TypeCompare(const char *nb, const char *tb) {
+  int equiv = 0;
+  const char* te = tb + strlen(tb);
+  const char* ne = nb;
+  while (!equiv && *ne) {
+    for (nb = ne; *ne; ++ne) {
+      if (*ne == '|') break;
+    }
+    equiv = (SWIG_TypeNameComp(nb, ne, tb, te) == 0) ? 1 : 0;
+    if (*ne) ++ne;
+  }
+  return equiv;
+}
+
+
+/* think of this as a c++ template<> or a scheme macro */
+#define SWIG_TypeCheck_Template(comparison, ty)         \
+  if (ty) {                                             \
+    swig_cast_info *iter = ty->cast;                    \
+    while (iter) {                                      \
+      if (comparison) {                                 \
+        if (iter == ty->cast) return iter;              \
+        /* Move iter to the top of the linked list */   \
+        iter->prev->next = iter->next;                  \
+        if (iter->next)                                 \
+          iter->next->prev = iter->prev;                \
+        iter->next = ty->cast;                          \
+        iter->prev = 0;                                 \
+        if (ty->cast) ty->cast->prev = iter;            \
+        ty->cast = iter;                                \
+        return iter;                                    \
+      }                                                 \
+      iter = iter->next;                                \
+    }                                                   \
+  }                                                     \
+  return 0
+
+/*
+  Check the typename
+*/
+SWIGRUNTIME swig_cast_info *
+SWIG_TypeCheck(const char *c, swig_type_info *ty) {
+  SWIG_TypeCheck_Template(strcmp(iter->type->name, c) == 0, ty);
+}
+
+/* Same as previous function, except strcmp is replaced with a pointer comparison */
+SWIGRUNTIME swig_cast_info *
+SWIG_TypeCheckStruct(swig_type_info *from, swig_type_info *into) {
+  SWIG_TypeCheck_Template(iter->type == from, into);
+}
+
+/*
+  Cast a pointer up an inheritance hierarchy
+*/
+SWIGRUNTIMEINLINE void *
+SWIG_TypeCast(swig_cast_info *ty, void *ptr) {
+  return ((!ty) || (!ty->converter)) ? ptr : (*ty->converter)(ptr);
+}
+
+/* 
+   Dynamic pointer casting. Down an inheritance hierarchy
+*/
+SWIGRUNTIME swig_type_info *
+SWIG_TypeDynamicCast(swig_type_info *ty, void **ptr) {
+  swig_type_info *lastty = ty;
+  if (!ty || !ty->dcast) return ty;
+  while (ty && (ty->dcast)) {
+    ty = (*ty->dcast)(ptr);
+    if (ty) lastty = ty;
+  }
+  return lastty;
+}
+
+/*
+  Return the name associated with this type
+*/
+SWIGRUNTIMEINLINE const char *
+SWIG_TypeName(const swig_type_info *ty) {
+  return ty->name;
+}
+
+/*
+  Return the pretty name associated with this type,
+  that is an unmangled type name in a form presentable to the user.
+*/
+SWIGRUNTIME const char *
+SWIG_TypePrettyName(const swig_type_info *type) {
+  /* The "str" field contains the equivalent pretty names of the
+     type, separated by vertical-bar characters.  We choose
+     to print the last name, as it is often (?) the most
+     specific. */
+  if (!type) return NULL;
+  if (type->str != NULL) {
+    const char *last_name = type->str;
+    const char *s;
+    for (s = type->str; *s; s++)
+      if (*s == '|') last_name = s+1;
+    return last_name;
+  }
+  else
+    return type->name;
+}
+
+/* 
+   Set the clientdata field for a type
+*/
+SWIGRUNTIME void
+SWIG_TypeClientData(swig_type_info *ti, void *clientdata) {
+  swig_cast_info *cast = ti->cast;
+  /* if (ti->clientdata == clientdata) return; */
+  ti->clientdata = clientdata;
+  
+  while (cast) {
+    if (!cast->converter) {
+      swig_type_info *tc = cast->type;
+      if (!tc->clientdata) {
+	SWIG_TypeClientData(tc, clientdata);
+      }
+    }    
+    cast = cast->next;
+  }
+}
+SWIGRUNTIME void
+SWIG_TypeNewClientData(swig_type_info *ti, void *clientdata) {
+  SWIG_TypeClientData(ti, clientdata);
+  ti->owndata = 1;
+}
+  
+/*
+  Search for a swig_type_info structure only by mangled name
+  Search is a O(log #types)
+  
+  We start searching at module start, and finish searching when start == end.  
+  Note: if start == end at the beginning of the function, we go all the way around
+  the circular list.
+*/
+SWIGRUNTIME swig_type_info *
+SWIG_MangledTypeQueryModule(swig_module_info *start, 
+                            swig_module_info *end, 
+		            const char *name) {
+  swig_module_info *iter = start;
+  do {
+    if (iter->size) {
+      register size_t l = 0;
+      register size_t r = iter->size - 1;
+      do {
+	/* since l+r >= 0, we can (>> 1) instead (/ 2) */
+	register size_t i = (l + r) >> 1; 
+	const char *iname = iter->types[i]->name;
+	if (iname) {
+	  register int compare = strcmp(name, iname);
+	  if (compare == 0) {	    
+	    return iter->types[i];
+	  } else if (compare < 0) {
+	    if (i) {
+	      r = i - 1;
+	    } else {
+	      break;
+	    }
+	  } else if (compare > 0) {
+	    l = i + 1;
+	  }
+	} else {
+	  break; /* should never happen */
+	}
+      } while (l <= r);
+    }
+    iter = iter->next;
+  } while (iter != end);
+  return 0;
+}
+
+/*
+  Search for a swig_type_info structure for either a mangled name or a human readable name.
+  It first searches the mangled names of the types, which is a O(log #types)
+  If a type is not found it then searches the human readable names, which is O(#types).
+  
+  We start searching at module start, and finish searching when start == end.  
+  Note: if start == end at the beginning of the function, we go all the way around
+  the circular list.
+*/
+SWIGRUNTIME swig_type_info *
+SWIG_TypeQueryModule(swig_module_info *start, 
+                     swig_module_info *end, 
+		     const char *name) {
+  /* STEP 1: Search the name field using binary search */
+  swig_type_info *ret = SWIG_MangledTypeQueryModule(start, end, name);
+  if (ret) {
+    return ret;
+  } else {
+    /* STEP 2: If the type hasn't been found, do a complete search
+       of the str field (the human readable name) */
+    swig_module_info *iter = start;
+    do {
+      register size_t i = 0;
+      for (; i < iter->size; ++i) {
+	if (iter->types[i]->str && (SWIG_TypeEquiv(iter->types[i]->str, name)))
+	  return iter->types[i];
+      }
+      iter = iter->next;
+    } while (iter != end);
+  }
+  
+  /* neither found a match */
+  return 0;
+}
+
+/* 
+   Pack binary data into a string
+*/
+SWIGRUNTIME char *
+SWIG_PackData(char *c, void *ptr, size_t sz) {
+  static const char hex[17] = "0123456789abcdef";
+  register const unsigned char *u = (unsigned char *) ptr;
+  register const unsigned char *eu =  u + sz;
+  for (; u != eu; ++u) {
+    register unsigned char uu = *u;
+    *(c++) = hex[(uu & 0xf0) >> 4];
+    *(c++) = hex[uu & 0xf];
+  }
+  return c;
+}
+
+/* 
+   Unpack binary data from a string
+*/
+SWIGRUNTIME const char *
+SWIG_UnpackData(const char *c, void *ptr, size_t sz) {
+  register unsigned char *u = (unsigned char *) ptr;
+  register const unsigned char *eu = u + sz;
+  for (; u != eu; ++u) {
+    register char d = *(c++);
+    register unsigned char uu;
+    if ((d >= '0') && (d <= '9'))
+      uu = ((d - '0') << 4);
+    else if ((d >= 'a') && (d <= 'f'))
+      uu = ((d - ('a'-10)) << 4);
+    else 
+      return (char *) 0;
+    d = *(c++);
+    if ((d >= '0') && (d <= '9'))
+      uu |= (d - '0');
+    else if ((d >= 'a') && (d <= 'f'))
+      uu |= (d - ('a'-10));
+    else 
+      return (char *) 0;
+    *u = uu;
+  }
+  return c;
+}
+
+/* 
+   Pack 'void *' into a string buffer.
+*/
+SWIGRUNTIME char *
+SWIG_PackVoidPtr(char *buff, void *ptr, const char *name, size_t bsz) {
+  char *r = buff;
+  if ((2*sizeof(void *) + 2) > bsz) return 0;
+  *(r++) = '_';
+  r = SWIG_PackData(r,&ptr,sizeof(void *));
+  if (strlen(name) + 1 > (bsz - (r - buff))) return 0;
+  strcpy(r,name);
+  return buff;
+}
+
+SWIGRUNTIME const char *
+SWIG_UnpackVoidPtr(const char *c, void **ptr, const char *name) {
+  if (*c != '_') {
+    if (strcmp(c,"NULL") == 0) {
+      *ptr = (void *) 0;
+      return name;
+    } else {
+      return 0;
+    }
+  }
+  return SWIG_UnpackData(++c,ptr,sizeof(void *));
+}
+
+SWIGRUNTIME char *
+SWIG_PackDataName(char *buff, void *ptr, size_t sz, const char *name, size_t bsz) {
+  char *r = buff;
+  size_t lname = (name ? strlen(name) : 0);
+  if ((2*sz + 2 + lname) > bsz) return 0;
+  *(r++) = '_';
+  r = SWIG_PackData(r,ptr,sz);
+  if (lname) {
+    strncpy(r,name,lname+1);
+  } else {
+    *r = 0;
+  }
+  return buff;
+}
+
+SWIGRUNTIME const char *
+SWIG_UnpackDataName(const char *c, void *ptr, size_t sz, const char *name) {
+  if (*c != '_') {
+    if (strcmp(c,"NULL") == 0) {
+      memset(ptr,0,sz);
+      return name;
+    } else {
+      return 0;
+    }
+  }
+  return SWIG_UnpackData(++c,ptr,sz);
+}
+
+#ifdef __cplusplus
+}
+#endif
+
+/*  Errors in SWIG */
+#define  SWIG_UnknownError    	   -1 
+#define  SWIG_IOError        	   -2 
+#define  SWIG_RuntimeError   	   -3 
+#define  SWIG_IndexError     	   -4 
+#define  SWIG_TypeError      	   -5 
+#define  SWIG_DivisionByZero 	   -6 
+#define  SWIG_OverflowError  	   -7 
+#define  SWIG_SyntaxError    	   -8 
+#define  SWIG_ValueError     	   -9 
+#define  SWIG_SystemError    	   -10
+#define  SWIG_AttributeError 	   -11
+#define  SWIG_MemoryError    	   -12 
+#define  SWIG_NullReferenceError   -13
+
+
+
+
+/* Add PyOS_snprintf for old Pythons */
+#if PY_VERSION_HEX < 0x02020000
+# if defined(_MSC_VER) || defined(__BORLANDC__) || defined(_WATCOM)
+#  define PyOS_snprintf _snprintf
+# else
+#  define PyOS_snprintf snprintf
+# endif
+#endif
+
+/* A crude PyString_FromFormat implementation for old Pythons */
+#if PY_VERSION_HEX < 0x02020000
+
+#ifndef SWIG_PYBUFFER_SIZE
+# define SWIG_PYBUFFER_SIZE 1024
+#endif
+
+static PyObject *
+PyString_FromFormat(const char *fmt, ...) {
+  va_list ap;
+  char buf[SWIG_PYBUFFER_SIZE * 2];
+  int res;
+  va_start(ap, fmt);
+  res = vsnprintf(buf, sizeof(buf), fmt, ap);
+  va_end(ap);
+  return (res < 0 || res >= (int)sizeof(buf)) ? 0 : PyString_FromString(buf);
+}
+#endif
+
+/* Add PyObject_Del for old Pythons */
+#if PY_VERSION_HEX < 0x01060000
+# define PyObject_Del(op) PyMem_DEL((op))
+#endif
+#ifndef PyObject_DEL
+# define PyObject_DEL PyObject_Del
+#endif
+
+/* A crude PyExc_StopIteration exception for old Pythons */
+#if PY_VERSION_HEX < 0x02020000
+# ifndef PyExc_StopIteration
+#  define PyExc_StopIteration PyExc_RuntimeError
+# endif
+# ifndef PyObject_GenericGetAttr
+#  define PyObject_GenericGetAttr 0
+# endif
+#endif
+/* Py_NotImplemented is defined in 2.1 and up. */
+#if PY_VERSION_HEX < 0x02010000
+# ifndef Py_NotImplemented
+#  define Py_NotImplemented PyExc_RuntimeError
+# endif
+#endif
+
+
+/* A crude PyString_AsStringAndSize implementation for old Pythons */
+#if PY_VERSION_HEX < 0x02010000
+# ifndef PyString_AsStringAndSize
+#  define PyString_AsStringAndSize(obj, s, len) {*s = PyString_AsString(obj); *len = *s ? strlen(*s) : 0;}
+# endif
+#endif
+
+/* PySequence_Size for old Pythons */
+#if PY_VERSION_HEX < 0x02000000
+# ifndef PySequence_Size
+#  define PySequence_Size PySequence_Length
+# endif
+#endif
+
+
+/* PyBool_FromLong for old Pythons */
+#if PY_VERSION_HEX < 0x02030000
+static
+PyObject *PyBool_FromLong(long ok)
+{
+  PyObject *result = ok ? Py_True : Py_False;
+  Py_INCREF(result);
+  return result;
+}
+#endif
+
+/* Py_ssize_t for old Pythons */
+/* This code is as recommended by: */
+/* http://www.python.org/dev/peps/pep-0353/#conversion-guidelines */
+#if PY_VERSION_HEX < 0x02050000 && !defined(PY_SSIZE_T_MIN)
+typedef int Py_ssize_t;
+# define PY_SSIZE_T_MAX INT_MAX
+# define PY_SSIZE_T_MIN INT_MIN
+#endif
+
+/* -----------------------------------------------------------------------------
+ * error manipulation
+ * ----------------------------------------------------------------------------- */
+
+SWIGRUNTIME PyObject*
+SWIG_Python_ErrorType(int code) {
+  PyObject* type = 0;
+  switch(code) {
+  case SWIG_MemoryError:
+    type = PyExc_MemoryError;
+    break;
+  case SWIG_IOError:
+    type = PyExc_IOError;
+    break;
+  case SWIG_RuntimeError:
+    type = PyExc_RuntimeError;
+    break;
+  case SWIG_IndexError:
+    type = PyExc_IndexError;
+    break;
+  case SWIG_TypeError:
+    type = PyExc_TypeError;
+    break;
+  case SWIG_DivisionByZero:
+    type = PyExc_ZeroDivisionError;
+    break;
+  case SWIG_OverflowError:
+    type = PyExc_OverflowError;
+    break;
+  case SWIG_SyntaxError:
+    type = PyExc_SyntaxError;
+    break;
+  case SWIG_ValueError:
+    type = PyExc_ValueError;
+    break;
+  case SWIG_SystemError:
+    type = PyExc_SystemError;
+    break;
+  case SWIG_AttributeError:
+    type = PyExc_AttributeError;
+    break;
+  default:
+    type = PyExc_RuntimeError;
+  }
+  return type;
+}
+
+
+SWIGRUNTIME void
+SWIG_Python_AddErrorMsg(const char* mesg)
+{
+  PyObject *type = 0;
+  PyObject *value = 0;
+  PyObject *traceback = 0;
+
+  if (PyErr_Occurred()) PyErr_Fetch(&type, &value, &traceback);
+  if (value) {
+    PyObject *old_str = PyObject_Str(value);
+    PyErr_Clear();
+    Py_XINCREF(type);
+    PyErr_Format(type, "%s %s", PyString_AsString(old_str), mesg);
+    Py_DECREF(old_str);
+    Py_DECREF(value);
+  } else {
+    PyErr_Format(PyExc_RuntimeError, mesg);
+  }
+}
+
+
+
+#if defined(SWIG_PYTHON_NO_THREADS)
+#  if defined(SWIG_PYTHON_THREADS)
+#    undef SWIG_PYTHON_THREADS
+#  endif
+#endif
+#if defined(SWIG_PYTHON_THREADS) /* Threading support is enabled */
+#  if !defined(SWIG_PYTHON_USE_GIL) && !defined(SWIG_PYTHON_NO_USE_GIL)
+#    if (PY_VERSION_HEX >= 0x02030000) /* For 2.3 or later, use the PyGILState calls */
+#      define SWIG_PYTHON_USE_GIL
+#    endif
+#  endif
+#  if defined(SWIG_PYTHON_USE_GIL) /* Use PyGILState threads calls */
+#    ifndef SWIG_PYTHON_INITIALIZE_THREADS
+#     define SWIG_PYTHON_INITIALIZE_THREADS  PyEval_InitThreads() 
+#    endif
+#    ifdef __cplusplus /* C++ code */
+       class SWIG_Python_Thread_Block {
+         bool status;
+         PyGILState_STATE state;
+       public:
+         void end() { if (status) { PyGILState_Release(state); status = false;} }
+         SWIG_Python_Thread_Block() : status(true), state(PyGILState_Ensure()) {}
+         ~SWIG_Python_Thread_Block() { end(); }
+       };
+       class SWIG_Python_Thread_Allow {
+         bool status;
+         PyThreadState *save;
+       public:
+         void end() { if (status) { PyEval_RestoreThread(save); status = false; }}
+         SWIG_Python_Thread_Allow() : status(true), save(PyEval_SaveThread()) {}
+         ~SWIG_Python_Thread_Allow() { end(); }
+       };
+#      define SWIG_PYTHON_THREAD_BEGIN_BLOCK   SWIG_Python_Thread_Block _swig_thread_block
+#      define SWIG_PYTHON_THREAD_END_BLOCK     _swig_thread_block.end()
+#      define SWIG_PYTHON_THREAD_BEGIN_ALLOW   SWIG_Python_Thread_Allow _swig_thread_allow
+#      define SWIG_PYTHON_THREAD_END_ALLOW     _swig_thread_allow.end()
+#    else /* C code */
+#      define SWIG_PYTHON_THREAD_BEGIN_BLOCK   PyGILState_STATE _swig_thread_block = PyGILState_Ensure()
+#      define SWIG_PYTHON_THREAD_END_BLOCK     PyGILState_Release(_swig_thread_block)
+#      define SWIG_PYTHON_THREAD_BEGIN_ALLOW   PyThreadState *_swig_thread_allow = PyEval_SaveThread()
+#      define SWIG_PYTHON_THREAD_END_ALLOW     PyEval_RestoreThread(_swig_thread_allow)
+#    endif
+#  else /* Old thread way, not implemented, user must provide it */
+#    if !defined(SWIG_PYTHON_INITIALIZE_THREADS)
+#      define SWIG_PYTHON_INITIALIZE_THREADS
+#    endif
+#    if !defined(SWIG_PYTHON_THREAD_BEGIN_BLOCK)
+#      define SWIG_PYTHON_THREAD_BEGIN_BLOCK
+#    endif
+#    if !defined(SWIG_PYTHON_THREAD_END_BLOCK)
+#      define SWIG_PYTHON_THREAD_END_BLOCK
+#    endif
+#    if !defined(SWIG_PYTHON_THREAD_BEGIN_ALLOW)
+#      define SWIG_PYTHON_THREAD_BEGIN_ALLOW
+#    endif
+#    if !defined(SWIG_PYTHON_THREAD_END_ALLOW)
+#      define SWIG_PYTHON_THREAD_END_ALLOW
+#    endif
+#  endif
+#else /* No thread support */
+#  define SWIG_PYTHON_INITIALIZE_THREADS
+#  define SWIG_PYTHON_THREAD_BEGIN_BLOCK
+#  define SWIG_PYTHON_THREAD_END_BLOCK
+#  define SWIG_PYTHON_THREAD_BEGIN_ALLOW
+#  define SWIG_PYTHON_THREAD_END_ALLOW
+#endif
+
+/* -----------------------------------------------------------------------------
+ * Python API portion that goes into the runtime
+ * ----------------------------------------------------------------------------- */
+
+#ifdef __cplusplus
+extern "C" {
+#if 0
+} /* cc-mode */
+#endif
+#endif
+
+/* -----------------------------------------------------------------------------
+ * Constant declarations
+ * ----------------------------------------------------------------------------- */
+
+/* Constant Types */
+#define SWIG_PY_POINTER 4
+#define SWIG_PY_BINARY  5
+
+/* Constant information structure */
+typedef struct swig_const_info {
+  int type;
+  char *name;
+  long lvalue;
+  double dvalue;
+  void   *pvalue;
+  swig_type_info **ptype;
+} swig_const_info;
+
+#ifdef __cplusplus
+#if 0
+{ /* cc-mode */
+#endif
+}
+#endif
+
+
+/* -----------------------------------------------------------------------------
+ * See the LICENSE file for information on copyright, usage and redistribution
+ * of SWIG, and the README file for authors - http://www.swig.org/release.html.
+ *
+ * pyrun.swg
+ *
+ * This file contains the runtime support for Python modules
+ * and includes code for managing global variables and pointer
+ * type checking.
+ *
+ * ----------------------------------------------------------------------------- */
+
+/* Common SWIG API */
+
+/* for raw pointers */
+#define SWIG_Python_ConvertPtr(obj, pptr, type, flags)  SWIG_Python_ConvertPtrAndOwn(obj, pptr, type, flags, 0)
+#define SWIG_ConvertPtr(obj, pptr, type, flags)         SWIG_Python_ConvertPtr(obj, pptr, type, flags)
+#define SWIG_ConvertPtrAndOwn(obj,pptr,type,flags,own)  SWIG_Python_ConvertPtrAndOwn(obj, pptr, type, flags, own)
+#define SWIG_NewPointerObj(ptr, type, flags)            SWIG_Python_NewPointerObj(ptr, type, flags)
+#define SWIG_CheckImplicit(ty)                          SWIG_Python_CheckImplicit(ty) 
+#define SWIG_AcquirePtr(ptr, src)                       SWIG_Python_AcquirePtr(ptr, src)
+#define swig_owntype                                    int
+
+/* for raw packed data */
+#define SWIG_ConvertPacked(obj, ptr, sz, ty)            SWIG_Python_ConvertPacked(obj, ptr, sz, ty)
+#define SWIG_NewPackedObj(ptr, sz, type)                SWIG_Python_NewPackedObj(ptr, sz, type)
+
+/* for class or struct pointers */
+#define SWIG_ConvertInstance(obj, pptr, type, flags)    SWIG_ConvertPtr(obj, pptr, type, flags)
+#define SWIG_NewInstanceObj(ptr, type, flags)           SWIG_NewPointerObj(ptr, type, flags)
+
+/* for C or C++ function pointers */
+#define SWIG_ConvertFunctionPtr(obj, pptr, type)        SWIG_Python_ConvertFunctionPtr(obj, pptr, type)
+#define SWIG_NewFunctionPtrObj(ptr, type)               SWIG_Python_NewPointerObj(ptr, type, 0)
+
+/* for C++ member pointers, ie, member methods */
+#define SWIG_ConvertMember(obj, ptr, sz, ty)            SWIG_Python_ConvertPacked(obj, ptr, sz, ty)
+#define SWIG_NewMemberObj(ptr, sz, type)                SWIG_Python_NewPackedObj(ptr, sz, type)
+
+
+/* Runtime API */
+
+#define SWIG_GetModule(clientdata)                      SWIG_Python_GetModule()
+#define SWIG_SetModule(clientdata, pointer)             SWIG_Python_SetModule(pointer)
+#define SWIG_NewClientData(obj)                         PySwigClientData_New(obj)
+
+#define SWIG_SetErrorObj                                SWIG_Python_SetErrorObj                            
+#define SWIG_SetErrorMsg                        	SWIG_Python_SetErrorMsg				   
+#define SWIG_ErrorType(code)                    	SWIG_Python_ErrorType(code)                        
+#define SWIG_Error(code, msg)            		SWIG_Python_SetErrorMsg(SWIG_ErrorType(code), msg) 
+#define SWIG_fail                        		goto fail					   
+
+
+/* Runtime API implementation */
+
+/* Error manipulation */
+
+SWIGINTERN void 
+SWIG_Python_SetErrorObj(PyObject *errtype, PyObject *obj) {
+  SWIG_PYTHON_THREAD_BEGIN_BLOCK; 
+  PyErr_SetObject(errtype, obj);
+  Py_DECREF(obj);
+  SWIG_PYTHON_THREAD_END_BLOCK;
+}
+
+SWIGINTERN void 
+SWIG_Python_SetErrorMsg(PyObject *errtype, const char *msg) {
+  SWIG_PYTHON_THREAD_BEGIN_BLOCK;
+  PyErr_SetString(errtype, (char *) msg);
+  SWIG_PYTHON_THREAD_END_BLOCK;
+}
+
+#define SWIG_Python_Raise(obj, type, desc)  SWIG_Python_SetErrorObj(SWIG_Python_ExceptionType(desc), obj)
+
+/* Set a constant value */
+
+SWIGINTERN void
+SWIG_Python_SetConstant(PyObject *d, const char *name, PyObject *obj) {   
+  PyDict_SetItemString(d, (char*) name, obj);
+  Py_DECREF(obj);                            
+}
+
+/* Append a value to the result obj */
+
+SWIGINTERN PyObject*
+SWIG_Python_AppendOutput(PyObject* result, PyObject* obj) {
+#if !defined(SWIG_PYTHON_OUTPUT_TUPLE)
+  if (!result) {
+    result = obj;
+  } else if (result == Py_None) {
+    Py_DECREF(result);
+    result = obj;
+  } else {
+    if (!PyList_Check(result)) {
+      PyObject *o2 = result;
+      result = PyList_New(1);
+      PyList_SetItem(result, 0, o2);
+    }
+    PyList_Append(result,obj);
+    Py_DECREF(obj);
+  }
+  return result;
+#else
+  PyObject*   o2;
+  PyObject*   o3;
+  if (!result) {
+    result = obj;
+  } else if (result == Py_None) {
+    Py_DECREF(result);
+    result = obj;
+  } else {
+    if (!PyTuple_Check(result)) {
+      o2 = result;
+      result = PyTuple_New(1);
+      PyTuple_SET_ITEM(result, 0, o2);
+    }
+    o3 = PyTuple_New(1);
+    PyTuple_SET_ITEM(o3, 0, obj);
+    o2 = result;
+    result = PySequence_Concat(o2, o3);
+    Py_DECREF(o2);
+    Py_DECREF(o3);
+  }
+  return result;
+#endif
+}
+
+/* Unpack the argument tuple */
+
+SWIGINTERN int
+SWIG_Python_UnpackTuple(PyObject *args, const char *name, int min, int max, PyObject **objs)
+{
+  if (!args) {
+    if (!min && !max) {
+      return 1;
+    } else {
+      PyErr_Format(PyExc_TypeError, "%s expected %s%d arguments, got none", 
+		   name, (min == max ? "" : "at least "), min);
+      return 0;
+    }
+  }  
+  if (!PyTuple_Check(args)) {
+    PyErr_SetString(PyExc_SystemError, "UnpackTuple() argument list is not a tuple");
+    return 0;
+  } else {
+    register int l = PyTuple_GET_SIZE(args);
+    if (l < min) {
+      PyErr_Format(PyExc_TypeError, "%s expected %s%d arguments, got %d", 
+		   name, (min == max ? "" : "at least "), min, l);
+      return 0;
+    } else if (l > max) {
+      PyErr_Format(PyExc_TypeError, "%s expected %s%d arguments, got %d", 
+		   name, (min == max ? "" : "at most "), max, l);
+      return 0;
+    } else {
+      register int i;
+      for (i = 0; i < l; ++i) {
+	objs[i] = PyTuple_GET_ITEM(args, i);
+      }
+      for (; l < max; ++l) {
+	objs[l] = 0;
+      }
+      return i + 1;
+    }    
+  }
+}
+
+/* A functor is a function object with one single object argument */
+#if PY_VERSION_HEX >= 0x02020000
+#define SWIG_Python_CallFunctor(functor, obj)	        PyObject_CallFunctionObjArgs(functor, obj, NULL);
+#else
+#define SWIG_Python_CallFunctor(functor, obj)	        PyObject_CallFunction(functor, "O", obj);
+#endif
+
+/*
+  Helper for static pointer initialization for both C and C++ code, for example
+  static PyObject *SWIG_STATIC_POINTER(MyVar) = NewSomething(...);
+*/
+#ifdef __cplusplus
+#define SWIG_STATIC_POINTER(var)  var
+#else
+#define SWIG_STATIC_POINTER(var)  var = 0; if (!var) var
+#endif
+
+/* -----------------------------------------------------------------------------
+ * Pointer declarations
+ * ----------------------------------------------------------------------------- */
+
+/* Flags for new pointer objects */
+#define SWIG_POINTER_NOSHADOW       (SWIG_POINTER_OWN      << 1)
+#define SWIG_POINTER_NEW            (SWIG_POINTER_NOSHADOW | SWIG_POINTER_OWN)
+
+#define SWIG_POINTER_IMPLICIT_CONV  (SWIG_POINTER_DISOWN   << 1)
+
+#ifdef __cplusplus
+extern "C" {
+#if 0
+} /* cc-mode */
+#endif
+#endif
+
+/*  How to access Py_None */
+#if defined(_WIN32) || defined(__WIN32__) || defined(__CYGWIN__)
+#  ifndef SWIG_PYTHON_NO_BUILD_NONE
+#    ifndef SWIG_PYTHON_BUILD_NONE
+#      define SWIG_PYTHON_BUILD_NONE
+#    endif
+#  endif
+#endif
+
+#ifdef SWIG_PYTHON_BUILD_NONE
+#  ifdef Py_None
+#   undef Py_None
+#   define Py_None SWIG_Py_None()
+#  endif
+SWIGRUNTIMEINLINE PyObject * 
+_SWIG_Py_None(void)
+{
+  PyObject *none = Py_BuildValue((char*)"");
+  Py_DECREF(none);
+  return none;
+}
+SWIGRUNTIME PyObject * 
+SWIG_Py_None(void)
+{
+  static PyObject *SWIG_STATIC_POINTER(none) = _SWIG_Py_None();
+  return none;
+}
+#endif
+
+/* The python void return value */
+
+SWIGRUNTIMEINLINE PyObject * 
+SWIG_Py_Void(void)
+{
+  PyObject *none = Py_None;
+  Py_INCREF(none);
+  return none;
+}
+
+/* PySwigClientData */
+
+typedef struct {
+  PyObject *klass;
+  PyObject *newraw;
+  PyObject *newargs;
+  PyObject *destroy;
+  int delargs;
+  int implicitconv;
+} PySwigClientData;
+
+SWIGRUNTIMEINLINE int 
+SWIG_Python_CheckImplicit(swig_type_info *ty)
+{
+  PySwigClientData *data = (PySwigClientData *)ty->clientdata;
+  return data ? data->implicitconv : 0;
+}
+
+SWIGRUNTIMEINLINE PyObject *
+SWIG_Python_ExceptionType(swig_type_info *desc) {
+  PySwigClientData *data = desc ? (PySwigClientData *) desc->clientdata : 0;
+  PyObject *klass = data ? data->klass : 0;
+  return (klass ? klass : PyExc_RuntimeError);
+}
+
+
+SWIGRUNTIME PySwigClientData * 
+PySwigClientData_New(PyObject* obj)
+{
+  if (!obj) {
+    return 0;
+  } else {
+    PySwigClientData *data = (PySwigClientData *)malloc(sizeof(PySwigClientData));
+    /* the klass element */
+    data->klass = obj;
+    Py_INCREF(data->klass);
+    /* the newraw method and newargs arguments used to create a new raw instance */
+    if (PyClass_Check(obj)) {
+      data->newraw = 0;
+      data->newargs = obj;
+      Py_INCREF(obj);
+    } else {
+#if (PY_VERSION_HEX < 0x02020000)
+      data->newraw = 0;
+#else
+      data->newraw = PyObject_GetAttrString(data->klass, (char *)"__new__");
+#endif
+      if (data->newraw) {
+	Py_INCREF(data->newraw);
+	data->newargs = PyTuple_New(1);
+	PyTuple_SetItem(data->newargs, 0, obj);
+      } else {
+	data->newargs = obj;
+      }
+      Py_INCREF(data->newargs);
+    }
+    /* the destroy method, aka as the C++ delete method */
+    data->destroy = PyObject_GetAttrString(data->klass, (char *)"__swig_destroy__");
+    if (PyErr_Occurred()) {
+      PyErr_Clear();
+      data->destroy = 0;
+    }
+    if (data->destroy) {
+      int flags;
+      Py_INCREF(data->destroy);
+      flags = PyCFunction_GET_FLAGS(data->destroy);
+#ifdef METH_O
+      data->delargs = !(flags & (METH_O));
+#else
+      data->delargs = 0;
+#endif
+    } else {
+      data->delargs = 0;
+    }
+    data->implicitconv = 0;
+    return data;
+  }
+}
+
+SWIGRUNTIME void 
+PySwigClientData_Del(PySwigClientData* data)
+{
+  Py_XDECREF(data->newraw);
+  Py_XDECREF(data->newargs);
+  Py_XDECREF(data->destroy);
+}
+
+/* =============== PySwigObject =====================*/
+
+typedef struct {
+  PyObject_HEAD
+  void *ptr;
+  swig_type_info *ty;
+  int own;
+  PyObject *next;
+} PySwigObject;
+
+SWIGRUNTIME PyObject *
+PySwigObject_long(PySwigObject *v)
+{
+  return PyLong_FromVoidPtr(v->ptr);
+}
+
+SWIGRUNTIME PyObject *
+PySwigObject_format(const char* fmt, PySwigObject *v)
+{
+  PyObject *res = NULL;
+  PyObject *args = PyTuple_New(1);
+  if (args) {
+    if (PyTuple_SetItem(args, 0, PySwigObject_long(v)) == 0) {
+      PyObject *ofmt = PyString_FromString(fmt);
+      if (ofmt) {
+	res = PyString_Format(ofmt,args);
+	Py_DECREF(ofmt);
+      }
+      Py_DECREF(args);
+    }
+  }
+  return res;
+}
+
+SWIGRUNTIME PyObject *
+PySwigObject_oct(PySwigObject *v)
+{
+  return PySwigObject_format("%o",v);
+}
+
+SWIGRUNTIME PyObject *
+PySwigObject_hex(PySwigObject *v)
+{
+  return PySwigObject_format("%x",v);
+}
+
+SWIGRUNTIME PyObject *
+#ifdef METH_NOARGS
+PySwigObject_repr(PySwigObject *v)
+#else
+PySwigObject_repr(PySwigObject *v, PyObject *args)
+#endif
+{
+  const char *name = SWIG_TypePrettyName(v->ty);
+  PyObject *hex = PySwigObject_hex(v);    
+  PyObject *repr = PyString_FromFormat("<Swig Object of type '%s' at 0x%s>", name, PyString_AsString(hex));
+  Py_DECREF(hex);
+  if (v->next) {
+#ifdef METH_NOARGS
+    PyObject *nrep = PySwigObject_repr((PySwigObject *)v->next);
+#else
+    PyObject *nrep = PySwigObject_repr((PySwigObject *)v->next, args);
+#endif
+    PyString_ConcatAndDel(&repr,nrep);
+  }
+  return repr;  
+}
+
+SWIGRUNTIME int
+PySwigObject_print(PySwigObject *v, FILE *fp, int SWIGUNUSEDPARM(flags))
+{
+#ifdef METH_NOARGS
+  PyObject *repr = PySwigObject_repr(v);
+#else
+  PyObject *repr = PySwigObject_repr(v, NULL);
+#endif
+  if (repr) {
+    fputs(PyString_AsString(repr), fp);
+    Py_DECREF(repr);
+    return 0; 
+  } else {
+    return 1; 
+  }
+}
+
+SWIGRUNTIME PyObject *
+PySwigObject_str(PySwigObject *v)
+{
+  char result[SWIG_BUFFER_SIZE];
+  return SWIG_PackVoidPtr(result, v->ptr, v->ty->name, sizeof(result)) ?
+    PyString_FromString(result) : 0;
+}
+
+SWIGRUNTIME int
+PySwigObject_compare(PySwigObject *v, PySwigObject *w)
+{
+  void *i = v->ptr;
+  void *j = w->ptr;
+  return (i < j) ? -1 : ((i > j) ? 1 : 0);
+}
+
+SWIGRUNTIME PyTypeObject* _PySwigObject_type(void);
+
+SWIGRUNTIME PyTypeObject*
+PySwigObject_type(void) {
+  static PyTypeObject *SWIG_STATIC_POINTER(type) = _PySwigObject_type();
+  return type;
+}
+
+SWIGRUNTIMEINLINE int
+PySwigObject_Check(PyObject *op) {
+  return ((op)->ob_type == PySwigObject_type())
+    || (strcmp((op)->ob_type->tp_name,"PySwigObject") == 0);
+}
+
+SWIGRUNTIME PyObject *
+PySwigObject_New(void *ptr, swig_type_info *ty, int own);
+
+SWIGRUNTIME void
+PySwigObject_dealloc(PyObject *v)
+{
+  PySwigObject *sobj = (PySwigObject *) v;
+  PyObject *next = sobj->next;
+  if (sobj->own) {
+    swig_type_info *ty = sobj->ty;
+    PySwigClientData *data = ty ? (PySwigClientData *) ty->clientdata : 0;
+    PyObject *destroy = data ? data->destroy : 0;
+    if (destroy) {
+      /* destroy is always a VARARGS method */
+      PyObject *res;
+      if (data->delargs) {
+	/* we need to create a temporal object to carry the destroy operation */
+	PyObject *tmp = PySwigObject_New(sobj->ptr, ty, 0);
+	res = SWIG_Python_CallFunctor(destroy, tmp);
+	Py_DECREF(tmp);
+      } else {
+	PyCFunction meth = PyCFunction_GET_FUNCTION(destroy);
+	PyObject *mself = PyCFunction_GET_SELF(destroy);
+	res = ((*meth)(mself, v));
+      }
+      Py_XDECREF(res);
+    } else {
+      const char *name = SWIG_TypePrettyName(ty);
+#if !defined(SWIG_PYTHON_SILENT_MEMLEAK)
+      printf("swig/python detected a memory leak of type '%s', no destructor found.\n", name);
+#endif
+    }
+  } 
+  Py_XDECREF(next);
+  PyObject_DEL(v);
+}
+
+SWIGRUNTIME PyObject* 
+PySwigObject_append(PyObject* v, PyObject* next)
+{
+  PySwigObject *sobj = (PySwigObject *) v;
+#ifndef METH_O
+  PyObject *tmp = 0;
+  if (!PyArg_ParseTuple(next,(char *)"O:append", &tmp)) return NULL;
+  next = tmp;
+#endif
+  if (!PySwigObject_Check(next)) {
+    return NULL;
+  }
+  sobj->next = next;
+  Py_INCREF(next);
+  return SWIG_Py_Void();
+}
+
+SWIGRUNTIME PyObject* 
+#ifdef METH_NOARGS
+PySwigObject_next(PyObject* v)
+#else
+PySwigObject_next(PyObject* v, PyObject *SWIGUNUSEDPARM(args))
+#endif
+{
+  PySwigObject *sobj = (PySwigObject *) v;
+  if (sobj->next) {    
+    Py_INCREF(sobj->next);
+    return sobj->next;
+  } else {
+    return SWIG_Py_Void();
+  }
+}
+
+SWIGINTERN PyObject*
+#ifdef METH_NOARGS
+PySwigObject_disown(PyObject *v)
+#else
+PySwigObject_disown(PyObject* v, PyObject *SWIGUNUSEDPARM(args))
+#endif
+{
+  PySwigObject *sobj = (PySwigObject *)v;
+  sobj->own = 0;
+  return SWIG_Py_Void();
+}
+
+SWIGINTERN PyObject*
+#ifdef METH_NOARGS
+PySwigObject_acquire(PyObject *v)
+#else
+PySwigObject_acquire(PyObject* v, PyObject *SWIGUNUSEDPARM(args))
+#endif
+{
+  PySwigObject *sobj = (PySwigObject *)v;
+  sobj->own = SWIG_POINTER_OWN;
+  return SWIG_Py_Void();
+}
+
+SWIGINTERN PyObject*
+PySwigObject_own(PyObject *v, PyObject *args)
+{
+  PyObject *val = 0;
+#if (PY_VERSION_HEX < 0x02020000)
+  if (!PyArg_ParseTuple(args,(char *)"|O:own",&val))
+#else
+  if (!PyArg_UnpackTuple(args, (char *)"own", 0, 1, &val)) 
+#endif
+    {
+      return NULL;
+    } 
+  else
+    {
+      PySwigObject *sobj = (PySwigObject *)v;
+      PyObject *obj = PyBool_FromLong(sobj->own);
+      if (val) {
+#ifdef METH_NOARGS
+	if (PyObject_IsTrue(val)) {
+	  PySwigObject_acquire(v);
+	} else {
+	  PySwigObject_disown(v);
+	}
+#else
+	if (PyObject_IsTrue(val)) {
+	  PySwigObject_acquire(v,args);
+	} else {
+	  PySwigObject_disown(v,args);
+	}
+#endif
+      } 
+      return obj;
+    }
+}
+
+#ifdef METH_O
+static PyMethodDef
+swigobject_methods[] = {
+  {(char *)"disown",  (PyCFunction)PySwigObject_disown,  METH_NOARGS,  (char *)"releases ownership of the pointer"},
+  {(char *)"acquire", (PyCFunction)PySwigObject_acquire, METH_NOARGS,  (char *)"aquires ownership of the pointer"},
+  {(char *)"own",     (PyCFunction)PySwigObject_own,     METH_VARARGS, (char *)"returns/sets ownership of the pointer"},
+  {(char *)"append",  (PyCFunction)PySwigObject_append,  METH_O,       (char *)"appends another 'this' object"},
+  {(char *)"next",    (PyCFunction)PySwigObject_next,    METH_NOARGS,  (char *)"returns the next 'this' object"},
+  {(char *)"__repr__",(PyCFunction)PySwigObject_repr,    METH_NOARGS,  (char *)"returns object representation"},
+  {0, 0, 0, 0}  
+};
+#else
+static PyMethodDef
+swigobject_methods[] = {
+  {(char *)"disown",  (PyCFunction)PySwigObject_disown,  METH_VARARGS,  (char *)"releases ownership of the pointer"},
+  {(char *)"acquire", (PyCFunction)PySwigObject_acquire, METH_VARARGS,  (char *)"aquires ownership of the pointer"},
+  {(char *)"own",     (PyCFunction)PySwigObject_own,     METH_VARARGS,  (char *)"returns/sets ownership of the pointer"},
+  {(char *)"append",  (PyCFunction)PySwigObject_append,  METH_VARARGS,  (char *)"appends another 'this' object"},
+  {(char *)"next",    (PyCFunction)PySwigObject_next,    METH_VARARGS,  (char *)"returns the next 'this' object"},
+  {(char *)"__repr__",(PyCFunction)PySwigObject_repr,   METH_VARARGS,  (char *)"returns object representation"},
+  {0, 0, 0, 0}  
+};
+#endif
+
+#if PY_VERSION_HEX < 0x02020000
+SWIGINTERN PyObject *
+PySwigObject_getattr(PySwigObject *sobj,char *name)
+{
+  return Py_FindMethod(swigobject_methods, (PyObject *)sobj, name);
+}
+#endif
+
+SWIGRUNTIME PyTypeObject*
+_PySwigObject_type(void) {
+  static char swigobject_doc[] = "Swig object carries a C/C++ instance pointer";
+  
+  static PyNumberMethods PySwigObject_as_number = {
+    (binaryfunc)0, /*nb_add*/
+    (binaryfunc)0, /*nb_subtract*/
+    (binaryfunc)0, /*nb_multiply*/
+    (binaryfunc)0, /*nb_divide*/
+    (binaryfunc)0, /*nb_remainder*/
+    (binaryfunc)0, /*nb_divmod*/
+    (ternaryfunc)0,/*nb_power*/
+    (unaryfunc)0,  /*nb_negative*/
+    (unaryfunc)0,  /*nb_positive*/
+    (unaryfunc)0,  /*nb_absolute*/
+    (inquiry)0,    /*nb_nonzero*/
+    0,		   /*nb_invert*/
+    0,		   /*nb_lshift*/
+    0,		   /*nb_rshift*/
+    0,		   /*nb_and*/
+    0,		   /*nb_xor*/
+    0,		   /*nb_or*/
+    (coercion)0,   /*nb_coerce*/
+    (unaryfunc)PySwigObject_long, /*nb_int*/
+    (unaryfunc)PySwigObject_long, /*nb_long*/
+    (unaryfunc)0,                 /*nb_float*/
+    (unaryfunc)PySwigObject_oct,  /*nb_oct*/
+    (unaryfunc)PySwigObject_hex,  /*nb_hex*/
+#if PY_VERSION_HEX >= 0x02020000
+    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 /* nb_inplace_add -> nb_inplace_true_divide */ 
+#elif PY_VERSION_HEX >= 0x02000000
+    0,0,0,0,0,0,0,0,0,0,0 /* nb_inplace_add -> nb_inplace_or */
+#endif
+  };
+
+  static PyTypeObject pyswigobject_type;  
+  static int type_init = 0;
+  if (!type_init) {
+    const PyTypeObject tmp
+      = {
+	PyObject_HEAD_INIT(NULL)
+	0,				    /* ob_size */
+	(char *)"PySwigObject",		    /* tp_name */
+	sizeof(PySwigObject),		    /* tp_basicsize */
+	0,			            /* tp_itemsize */
+	(destructor)PySwigObject_dealloc,   /* tp_dealloc */
+	(printfunc)PySwigObject_print,	    /* tp_print */
+#if PY_VERSION_HEX < 0x02020000
+	(getattrfunc)PySwigObject_getattr,  /* tp_getattr */ 
+#else
+	(getattrfunc)0,			    /* tp_getattr */ 
+#endif
+	(setattrfunc)0,			    /* tp_setattr */ 
+	(cmpfunc)PySwigObject_compare,	    /* tp_compare */ 
+	(reprfunc)PySwigObject_repr,	    /* tp_repr */    
+	&PySwigObject_as_number,	    /* tp_as_number */
+	0,				    /* tp_as_sequence */
+	0,				    /* tp_as_mapping */
+	(hashfunc)0,			    /* tp_hash */
+	(ternaryfunc)0,			    /* tp_call */
+	(reprfunc)PySwigObject_str,	    /* tp_str */
+	PyObject_GenericGetAttr,            /* tp_getattro */
+	0,				    /* tp_setattro */
+	0,		                    /* tp_as_buffer */
+	Py_TPFLAGS_DEFAULT,	            /* tp_flags */
+	swigobject_doc, 	            /* tp_doc */        
+	0,                                  /* tp_traverse */
+	0,                                  /* tp_clear */
+	0,                                  /* tp_richcompare */
+	0,                                  /* tp_weaklistoffset */
+#if PY_VERSION_HEX >= 0x02020000
+	0,                                  /* tp_iter */
+	0,                                  /* tp_iternext */
+	swigobject_methods,		    /* tp_methods */ 
+	0,			            /* tp_members */
+	0,				    /* tp_getset */	    	
+	0,			            /* tp_base */	        
+	0,				    /* tp_dict */	    	
+	0,				    /* tp_descr_get */  	
+	0,				    /* tp_descr_set */  	
+	0,				    /* tp_dictoffset */ 	
+	0,				    /* tp_init */	    	
+	0,				    /* tp_alloc */	    	
+	0,			            /* tp_new */	    	
+	0,	                            /* tp_free */	   
+        0,                                  /* tp_is_gc */  
+	0,				    /* tp_bases */   
+	0,				    /* tp_mro */
+	0,				    /* tp_cache */   
+ 	0,				    /* tp_subclasses */
+	0,				    /* tp_weaklist */
+#endif
+#if PY_VERSION_HEX >= 0x02030000
+	0,                                  /* tp_del */
+#endif
+#ifdef COUNT_ALLOCS
+	0,0,0,0                             /* tp_alloc -> tp_next */
+#endif
+      };
+    pyswigobject_type = tmp;
+    pyswigobject_type.ob_type = &PyType_Type;
+    type_init = 1;
+  }
+  return &pyswigobject_type;
+}
+
+SWIGRUNTIME PyObject *
+PySwigObject_New(void *ptr, swig_type_info *ty, int own)
+{
+  PySwigObject *sobj = PyObject_NEW(PySwigObject, PySwigObject_type());
+  if (sobj) {
+    sobj->ptr  = ptr;
+    sobj->ty   = ty;
+    sobj->own  = own;
+    sobj->next = 0;
+  }
+  return (PyObject *)sobj;
+}
+
+/* -----------------------------------------------------------------------------
+ * Implements a simple Swig Packed type, and use it instead of string
+ * ----------------------------------------------------------------------------- */
+
+typedef struct {
+  PyObject_HEAD
+  void *pack;
+  swig_type_info *ty;
+  size_t size;
+} PySwigPacked;
+
+SWIGRUNTIME int
+PySwigPacked_print(PySwigPacked *v, FILE *fp, int SWIGUNUSEDPARM(flags))
+{
+  char result[SWIG_BUFFER_SIZE];
+  fputs("<Swig Packed ", fp); 
+  if (SWIG_PackDataName(result, v->pack, v->size, 0, sizeof(result))) {
+    fputs("at ", fp); 
+    fputs(result, fp); 
+  }
+  fputs(v->ty->name,fp); 
+  fputs(">", fp);
+  return 0; 
+}
+  
+SWIGRUNTIME PyObject *
+PySwigPacked_repr(PySwigPacked *v)
+{
+  char result[SWIG_BUFFER_SIZE];
+  if (SWIG_PackDataName(result, v->pack, v->size, 0, sizeof(result))) {
+    return PyString_FromFormat("<Swig Packed at %s%s>", result, v->ty->name);
+  } else {
+    return PyString_FromFormat("<Swig Packed %s>", v->ty->name);
+  }  
+}
+
+SWIGRUNTIME PyObject *
+PySwigPacked_str(PySwigPacked *v)
+{
+  char result[SWIG_BUFFER_SIZE];
+  if (SWIG_PackDataName(result, v->pack, v->size, 0, sizeof(result))){
+    return PyString_FromFormat("%s%s", result, v->ty->name);
+  } else {
+    return PyString_FromString(v->ty->name);
+  }  
+}
+
+SWIGRUNTIME int
+PySwigPacked_compare(PySwigPacked *v, PySwigPacked *w)
+{
+  size_t i = v->size;
+  size_t j = w->size;
+  int s = (i < j) ? -1 : ((i > j) ? 1 : 0);
+  return s ? s : strncmp((char *)v->pack, (char *)w->pack, 2*v->size);
+}
+
+SWIGRUNTIME PyTypeObject* _PySwigPacked_type(void);
+
+SWIGRUNTIME PyTypeObject*
+PySwigPacked_type(void) {
+  static PyTypeObject *SWIG_STATIC_POINTER(type) = _PySwigPacked_type();
+  return type;
+}
+
+SWIGRUNTIMEINLINE int
+PySwigPacked_Check(PyObject *op) {
+  return ((op)->ob_type == _PySwigPacked_type()) 
+    || (strcmp((op)->ob_type->tp_name,"PySwigPacked") == 0);
+}
+
+SWIGRUNTIME void
+PySwigPacked_dealloc(PyObject *v)
+{
+  if (PySwigPacked_Check(v)) {
+    PySwigPacked *sobj = (PySwigPacked *) v;
+    free(sobj->pack);
+  }
+  PyObject_DEL(v);
+}
+
+SWIGRUNTIME PyTypeObject*
+_PySwigPacked_type(void) {
+  static char swigpacked_doc[] = "Swig object carries a C/C++ instance pointer";
+  static PyTypeObject pyswigpacked_type;
+  static int type_init = 0;  
+  if (!type_init) {
+    const PyTypeObject tmp
+      = {
+	PyObject_HEAD_INIT(NULL)
+	0,				    /* ob_size */	
+	(char *)"PySwigPacked",		    /* tp_name */	
+	sizeof(PySwigPacked),		    /* tp_basicsize */	
+	0,				    /* tp_itemsize */	
+	(destructor)PySwigPacked_dealloc,   /* tp_dealloc */	
+	(printfunc)PySwigPacked_print,	    /* tp_print */   	
+	(getattrfunc)0,			    /* tp_getattr */ 	
+	(setattrfunc)0,			    /* tp_setattr */ 	
+	(cmpfunc)PySwigPacked_compare,	    /* tp_compare */ 	
+	(reprfunc)PySwigPacked_repr,	    /* tp_repr */    	
+	0,	                            /* tp_as_number */	
+	0,				    /* tp_as_sequence */
+	0,				    /* tp_as_mapping */	
+	(hashfunc)0,			    /* tp_hash */	
+	(ternaryfunc)0,			    /* tp_call */	
+	(reprfunc)PySwigPacked_str,	    /* tp_str */	
+	PyObject_GenericGetAttr,            /* tp_getattro */
+	0,				    /* tp_setattro */
+	0,		                    /* tp_as_buffer */
+	Py_TPFLAGS_DEFAULT,	            /* tp_flags */
+	swigpacked_doc, 	            /* tp_doc */
+	0,                                  /* tp_traverse */
+	0,                                  /* tp_clear */
+	0,                                  /* tp_richcompare */
+	0,                                  /* tp_weaklistoffset */
+#if PY_VERSION_HEX >= 0x02020000
+	0,                                  /* tp_iter */
+	0,                                  /* tp_iternext */
+	0,		                    /* tp_methods */ 
+	0,			            /* tp_members */
+	0,				    /* tp_getset */	    	
+	0,			            /* tp_base */	        
+	0,				    /* tp_dict */	    	
+	0,				    /* tp_descr_get */  	
+	0,				    /* tp_descr_set */  	
+	0,				    /* tp_dictoffset */ 	
+	0,				    /* tp_init */	    	
+	0,				    /* tp_alloc */	    	
+	0,			            /* tp_new */	    	
+	0, 	                            /* tp_free */	   
+        0,                                  /* tp_is_gc */  
+	0,				    /* tp_bases */   
+	0,				    /* tp_mro */
+	0,				    /* tp_cache */   
+ 	0,				    /* tp_subclasses */
+	0,				    /* tp_weaklist */
+#endif
+#if PY_VERSION_HEX >= 0x02030000
+	0,                                  /* tp_del */
+#endif
+#ifdef COUNT_ALLOCS
+	0,0,0,0                             /* tp_alloc -> tp_next */
+#endif
+      };
+    pyswigpacked_type = tmp;
+    pyswigpacked_type.ob_type = &PyType_Type;
+    type_init = 1;
+  }
+  return &pyswigpacked_type;
+}
+
+SWIGRUNTIME PyObject *
+PySwigPacked_New(void *ptr, size_t size, swig_type_info *ty)
+{
+  PySwigPacked *sobj = PyObject_NEW(PySwigPacked, PySwigPacked_type());
+  if (sobj) {
+    void *pack = malloc(size);
+    if (pack) {
+      memcpy(pack, ptr, size);
+      sobj->pack = pack;
+      sobj->ty   = ty;
+      sobj->size = size;
+    } else {
+      PyObject_DEL((PyObject *) sobj);
+      sobj = 0;
+    }
+  }
+  return (PyObject *) sobj;
+}
+
+SWIGRUNTIME swig_type_info *
+PySwigPacked_UnpackData(PyObject *obj, void *ptr, size_t size)
+{
+  if (PySwigPacked_Check(obj)) {
+    PySwigPacked *sobj = (PySwigPacked *)obj;
+    if (sobj->size != size) return 0;
+    memcpy(ptr, sobj->pack, size);
+    return sobj->ty;
+  } else {
+    return 0;
+  }
+}
+
+/* -----------------------------------------------------------------------------
+ * pointers/data manipulation
+ * ----------------------------------------------------------------------------- */
+
+SWIGRUNTIMEINLINE PyObject *
+_SWIG_This(void)
+{
+  return PyString_FromString("this");
+}
+
+SWIGRUNTIME PyObject *
+SWIG_This(void)
+{
+  static PyObject *SWIG_STATIC_POINTER(swig_this) = _SWIG_This();
+  return swig_this;
+}
+
+/* #define SWIG_PYTHON_SLOW_GETSET_THIS */
+
+SWIGRUNTIME PySwigObject *
+SWIG_Python_GetSwigThis(PyObject *pyobj) 
+{
+  if (PySwigObject_Check(pyobj)) {
+    return (PySwigObject *) pyobj;
+  } else {
+    PyObject *obj = 0;
+#if (!defined(SWIG_PYTHON_SLOW_GETSET_THIS) && (PY_VERSION_HEX >= 0x02030000))
+    if (PyInstance_Check(pyobj)) {
+      obj = _PyInstance_Lookup(pyobj, SWIG_This());      
+    } else {
+      PyObject **dictptr = _PyObject_GetDictPtr(pyobj);
+      if (dictptr != NULL) {
+	PyObject *dict = *dictptr;
+	obj = dict ? PyDict_GetItem(dict, SWIG_This()) : 0;
+      } else {
+#ifdef PyWeakref_CheckProxy
+	if (PyWeakref_CheckProxy(pyobj)) {
+	  PyObject *wobj = PyWeakref_GET_OBJECT(pyobj);
+	  return wobj ? SWIG_Python_GetSwigThis(wobj) : 0;
+	}
+#endif
+	obj = PyObject_GetAttr(pyobj,SWIG_This());
+	if (obj) {
+	  Py_DECREF(obj);
+	} else {
+	  if (PyErr_Occurred()) PyErr_Clear();
+	  return 0;
+	}
+      }
+    }
+#else
+    obj = PyObject_GetAttr(pyobj,SWIG_This());
+    if (obj) {
+      Py_DECREF(obj);
+    } else {
+      if (PyErr_Occurred()) PyErr_Clear();
+      return 0;
+    }
+#endif
+    if (obj && !PySwigObject_Check(obj)) {
+      /* a PyObject is called 'this', try to get the 'real this'
+	 PySwigObject from it */ 
+      return SWIG_Python_GetSwigThis(obj);
+    }
+    return (PySwigObject *)obj;
+  }
+}
+
+/* Acquire a pointer value */
+
+SWIGRUNTIME int
+SWIG_Python_AcquirePtr(PyObject *obj, int own) {
+  if (own) {
+    PySwigObject *sobj = SWIG_Python_GetSwigThis(obj);
+    if (sobj) {
+      int oldown = sobj->own;
+      sobj->own = own;
+      return oldown;
+    }
+  }
+  return 0;
+}
+
+/* Convert a pointer value */
+
+SWIGRUNTIME int
+SWIG_Python_ConvertPtrAndOwn(PyObject *obj, void **ptr, swig_type_info *ty, int flags, int *own) {
+  if (!obj) return SWIG_ERROR;
+  if (obj == Py_None) {
+    if (ptr) *ptr = 0;
+    return SWIG_OK;
+  } else {
+    PySwigObject *sobj = SWIG_Python_GetSwigThis(obj);
+    while (sobj) {
+      void *vptr = sobj->ptr;
+      if (ty) {
+	swig_type_info *to = sobj->ty;
+	if (to == ty) {
+	  /* no type cast needed */
+	  if (ptr) *ptr = vptr;
+	  break;
+	} else {
+	  swig_cast_info *tc = SWIG_TypeCheck(to->name,ty);
+	  if (!tc) {
+	    sobj = (PySwigObject *)sobj->next;
+	  } else {
+	    if (ptr) *ptr = SWIG_TypeCast(tc,vptr);
+	    break;
+	  }
+	}
+      } else {
+	if (ptr) *ptr = vptr;
+	break;
+      }
+    }
+    if (sobj) {
+      if (own) *own = sobj->own;
+      if (flags & SWIG_POINTER_DISOWN) {
+	sobj->own = 0;
+      }
+      return SWIG_OK;
+    } else {
+      int res = SWIG_ERROR;
+      if (flags & SWIG_POINTER_IMPLICIT_CONV) {
+	PySwigClientData *data = ty ? (PySwigClientData *) ty->clientdata : 0;
+	if (data && !data->implicitconv) {
+	  PyObject *klass = data->klass;
+	  if (klass) {
+	    PyObject *impconv;
+	    data->implicitconv = 1; /* avoid recursion and call 'explicit' constructors*/
+	    impconv = SWIG_Python_CallFunctor(klass, obj);
+	    data->implicitconv = 0;
+	    if (PyErr_Occurred()) {
+	      PyErr_Clear();
+	      impconv = 0;
+	    }
+	    if (impconv) {
+	      PySwigObject *iobj = SWIG_Python_GetSwigThis(impconv);
+	      if (iobj) {
+		void *vptr;
+		res = SWIG_Python_ConvertPtrAndOwn((PyObject*)iobj, &vptr, ty, 0, 0);
+		if (SWIG_IsOK(res)) {
+		  if (ptr) {
+		    *ptr = vptr;
+		    /* transfer the ownership to 'ptr' */
+		    iobj->own = 0;
+		    res = SWIG_AddCast(res);
+		    res = SWIG_AddNewMask(res);
+		  } else {
+		    res = SWIG_AddCast(res);		    
+		  }
+		}
+	      }
+	      Py_DECREF(impconv);
+	    }
+	  }
+	}
+      }
+      return res;
+    }
+  }
+}
+
+/* Convert a function ptr value */
+
+SWIGRUNTIME int
+SWIG_Python_ConvertFunctionPtr(PyObject *obj, void **ptr, swig_type_info *ty) {
+  if (!PyCFunction_Check(obj)) {
+    return SWIG_ConvertPtr(obj, ptr, ty, 0);
+  } else {
+    void *vptr = 0;
+    
+    /* here we get the method pointer for callbacks */
+    const char *doc = (((PyCFunctionObject *)obj) -> m_ml -> ml_doc);
+    const char *desc = doc ? strstr(doc, "swig_ptr: ") : 0;
+    if (desc) {
+      desc = ty ? SWIG_UnpackVoidPtr(desc + 10, &vptr, ty->name) : 0;
+      if (!desc) return SWIG_ERROR;
+    }
+    if (ty) {
+      swig_cast_info *tc = SWIG_TypeCheck(desc,ty);
+      if (!tc) return SWIG_ERROR;
+      *ptr = SWIG_TypeCast(tc,vptr);
+    } else {
+      *ptr = vptr;
+    }
+    return SWIG_OK;
+  }
+}
+
+/* Convert a packed value value */
+
+SWIGRUNTIME int
+SWIG_Python_ConvertPacked(PyObject *obj, void *ptr, size_t sz, swig_type_info *ty) {
+  swig_type_info *to = PySwigPacked_UnpackData(obj, ptr, sz);
+  if (!to) return SWIG_ERROR;
+  if (ty) {
+    if (to != ty) {
+      /* check type cast? */
+      swig_cast_info *tc = SWIG_TypeCheck(to->name,ty);
+      if (!tc) return SWIG_ERROR;
+    }
+  }
+  return SWIG_OK;
+}  
+
+/* -----------------------------------------------------------------------------
+ * Create a new pointer object
+ * ----------------------------------------------------------------------------- */
+
+/*
+  Create a new instance object, whitout calling __init__, and set the
+  'this' attribute.
+*/
+
+SWIGRUNTIME PyObject* 
+SWIG_Python_NewShadowInstance(PySwigClientData *data, PyObject *swig_this)
+{
+#if (PY_VERSION_HEX >= 0x02020000)
+  PyObject *inst = 0;
+  PyObject *newraw = data->newraw;
+  if (newraw) {
+    inst = PyObject_Call(newraw, data->newargs, NULL);
+    if (inst) {
+#if !defined(SWIG_PYTHON_SLOW_GETSET_THIS)
+      PyObject **dictptr = _PyObject_GetDictPtr(inst);
+      if (dictptr != NULL) {
+	PyObject *dict = *dictptr;
+	if (dict == NULL) {
+	  dict = PyDict_New();
+	  *dictptr = dict;
+	  PyDict_SetItem(dict, SWIG_This(), swig_this);
+	}
+      }
+#else
+      PyObject *key = SWIG_This();
+      PyObject_SetAttr(inst, key, swig_this);
+#endif
+    }
+  } else {
+    PyObject *dict = PyDict_New();
+    PyDict_SetItem(dict, SWIG_This(), swig_this);
+    inst = PyInstance_NewRaw(data->newargs, dict);
+    Py_DECREF(dict);
+  }
+  return inst;
+#else
+#if (PY_VERSION_HEX >= 0x02010000)
+  PyObject *inst;
+  PyObject *dict = PyDict_New();
+  PyDict_SetItem(dict, SWIG_This(), swig_this);
+  inst = PyInstance_NewRaw(data->newargs, dict);
+  Py_DECREF(dict);
+  return (PyObject *) inst;
+#else
+  PyInstanceObject *inst = PyObject_NEW(PyInstanceObject, &PyInstance_Type);
+  if (inst == NULL) {
+    return NULL;
+  }
+  inst->in_class = (PyClassObject *)data->newargs;
+  Py_INCREF(inst->in_class);
+  inst->in_dict = PyDict_New();
+  if (inst->in_dict == NULL) {
+    Py_DECREF(inst);
+    return NULL;
+  }
+#ifdef Py_TPFLAGS_HAVE_WEAKREFS
+  inst->in_weakreflist = NULL;
+#endif
+#ifdef Py_TPFLAGS_GC
+  PyObject_GC_Init(inst);
+#endif
+  PyDict_SetItem(inst->in_dict, SWIG_This(), swig_this);
+  return (PyObject *) inst;
+#endif
+#endif
+}
+
+SWIGRUNTIME void
+SWIG_Python_SetSwigThis(PyObject *inst, PyObject *swig_this)
+{
+ PyObject *dict;
+#if (PY_VERSION_HEX >= 0x02020000) && !defined(SWIG_PYTHON_SLOW_GETSET_THIS)
+ PyObject **dictptr = _PyObject_GetDictPtr(inst);
+ if (dictptr != NULL) {
+   dict = *dictptr;
+   if (dict == NULL) {
+     dict = PyDict_New();
+     *dictptr = dict;
+   }
+   PyDict_SetItem(dict, SWIG_This(), swig_this);
+   return;
+ }
+#endif
+ dict = PyObject_GetAttrString(inst, (char*)"__dict__");
+ PyDict_SetItem(dict, SWIG_This(), swig_this);
+ Py_DECREF(dict);
+} 
+
+
+SWIGINTERN PyObject *
+SWIG_Python_InitShadowInstance(PyObject *args) {
+  PyObject *obj[2];
+  if (!SWIG_Python_UnpackTuple(args,(char*)"swiginit", 2, 2, obj)) {
+    return NULL;
+  } else {
+    PySwigObject *sthis = SWIG_Python_GetSwigThis(obj[0]);
+    if (sthis) {
+      PySwigObject_append((PyObject*) sthis, obj[1]);
+    } else {
+      SWIG_Python_SetSwigThis(obj[0], obj[1]);
+    }
+    return SWIG_Py_Void();
+  }
+}
+
+/* Create a new pointer object */
+
+SWIGRUNTIME PyObject *
+SWIG_Python_NewPointerObj(void *ptr, swig_type_info *type, int flags) {
+  if (!ptr) {
+    return SWIG_Py_Void();
+  } else {
+    int own = (flags & SWIG_POINTER_OWN) ? SWIG_POINTER_OWN : 0;
+    PyObject *robj = PySwigObject_New(ptr, type, own);
+    PySwigClientData *clientdata = type ? (PySwigClientData *)(type->clientdata) : 0;
+    if (clientdata && !(flags & SWIG_POINTER_NOSHADOW)) {
+      PyObject *inst = SWIG_Python_NewShadowInstance(clientdata, robj);
+      if (inst) {
+	Py_DECREF(robj);
+	robj = inst;
+      }
+    }
+    return robj;
+  }
+}
+
+/* Create a new packed object */
+
+SWIGRUNTIMEINLINE PyObject *
+SWIG_Python_NewPackedObj(void *ptr, size_t sz, swig_type_info *type) {
+  return ptr ? PySwigPacked_New((void *) ptr, sz, type) : SWIG_Py_Void();
+}
+
+/* -----------------------------------------------------------------------------*
+ *  Get type list 
+ * -----------------------------------------------------------------------------*/
+
+#ifdef SWIG_LINK_RUNTIME
+void *SWIG_ReturnGlobalTypeList(void *);
+#endif
+
+SWIGRUNTIME swig_module_info *
+SWIG_Python_GetModule(void) {
+  static void *type_pointer = (void *)0;
+  /* first check if module already created */
+  if (!type_pointer) {
+#ifdef SWIG_LINK_RUNTIME
+    type_pointer = SWIG_ReturnGlobalTypeList((void *)0);
+#else
+    type_pointer = PyCObject_Import((char*)"swig_runtime_data" SWIG_RUNTIME_VERSION,
+				    (char*)"type_pointer" SWIG_TYPE_TABLE_NAME);
+    if (PyErr_Occurred()) {
+      PyErr_Clear();
+      type_pointer = (void *)0;
+    }
+#endif
+  }
+  return (swig_module_info *) type_pointer;
+}
+
+#if PY_MAJOR_VERSION < 2
+/* PyModule_AddObject function was introduced in Python 2.0.  The following function
+   is copied out of Python/modsupport.c in python version 2.3.4 */
+SWIGINTERN int
+PyModule_AddObject(PyObject *m, char *name, PyObject *o)
+{
+  PyObject *dict;
+  if (!PyModule_Check(m)) {
+    PyErr_SetString(PyExc_TypeError,
+		    "PyModule_AddObject() needs module as first arg");
+    return SWIG_ERROR;
+  }
+  if (!o) {
+    PyErr_SetString(PyExc_TypeError,
+		    "PyModule_AddObject() needs non-NULL value");
+    return SWIG_ERROR;
+  }
+  
+  dict = PyModule_GetDict(m);
+  if (dict == NULL) {
+    /* Internal error -- modules must have a dict! */
+    PyErr_Format(PyExc_SystemError, "module '%s' has no __dict__",
+		 PyModule_GetName(m));
+    return SWIG_ERROR;
+  }
+  if (PyDict_SetItemString(dict, name, o))
+    return SWIG_ERROR;
+  Py_DECREF(o);
+  return SWIG_OK;
+}
+#endif
+
+SWIGRUNTIME void
+SWIG_Python_DestroyModule(void *vptr)
+{
+  swig_module_info *swig_module = (swig_module_info *) vptr;
+  swig_type_info **types = swig_module->types;
+  size_t i;
+  for (i =0; i < swig_module->size; ++i) {
+    swig_type_info *ty = types[i];
+    if (ty->owndata) {
+      PySwigClientData *data = (PySwigClientData *) ty->clientdata;
+      if (data) PySwigClientData_Del(data);
+    }
+  }
+  Py_DECREF(SWIG_This());
+}
+
+SWIGRUNTIME void
+SWIG_Python_SetModule(swig_module_info *swig_module) {
+  static PyMethodDef swig_empty_runtime_method_table[] = { {NULL, NULL, 0, NULL} };/* Sentinel */
+
+  PyObject *module = Py_InitModule((char*)"swig_runtime_data" SWIG_RUNTIME_VERSION,
+				   swig_empty_runtime_method_table);
+  PyObject *pointer = PyCObject_FromVoidPtr((void *) swig_module, SWIG_Python_DestroyModule);
+  if (pointer && module) {
+    PyModule_AddObject(module, (char*)"type_pointer" SWIG_TYPE_TABLE_NAME, pointer);
+  } else {
+    Py_XDECREF(pointer);
+  }
+}
+
+/* The python cached type query */
+SWIGRUNTIME PyObject *
+SWIG_Python_TypeCache(void) {
+  static PyObject *SWIG_STATIC_POINTER(cache) = PyDict_New();
+  return cache;
+}
+
+SWIGRUNTIME swig_type_info *
+SWIG_Python_TypeQuery(const char *type)
+{
+  PyObject *cache = SWIG_Python_TypeCache();
+  PyObject *key = PyString_FromString(type); 
+  PyObject *obj = PyDict_GetItem(cache, key);
+  swig_type_info *descriptor;
+  if (obj) {
+    descriptor = (swig_type_info *) PyCObject_AsVoidPtr(obj);
+  } else {
+    swig_module_info *swig_module = SWIG_Python_GetModule();
+    descriptor = SWIG_TypeQueryModule(swig_module, swig_module, type);
+    if (descriptor) {
+      obj = PyCObject_FromVoidPtr(descriptor, NULL);
+      PyDict_SetItem(cache, key, obj);
+      Py_DECREF(obj);
+    }
+  }
+  Py_DECREF(key);
+  return descriptor;
+}
+
+/* 
+   For backward compatibility only
+*/
+#define SWIG_POINTER_EXCEPTION  0
+#define SWIG_arg_fail(arg)      SWIG_Python_ArgFail(arg)
+#define SWIG_MustGetPtr(p, type, argnum, flags)  SWIG_Python_MustGetPtr(p, type, argnum, flags)
+
+SWIGRUNTIME int
+SWIG_Python_AddErrMesg(const char* mesg, int infront)
+{
+  if (PyErr_Occurred()) {
+    PyObject *type = 0;
+    PyObject *value = 0;
+    PyObject *traceback = 0;
+    PyErr_Fetch(&type, &value, &traceback);
+    if (value) {
+      PyObject *old_str = PyObject_Str(value);
+      Py_XINCREF(type);
+      PyErr_Clear();
+      if (infront) {
+	PyErr_Format(type, "%s %s", mesg, PyString_AsString(old_str));
+      } else {
+	PyErr_Format(type, "%s %s", PyString_AsString(old_str), mesg);
+      }
+      Py_DECREF(old_str);
+    }
+    return 1;
+  } else {
+    return 0;
+  }
+}
+  
+SWIGRUNTIME int
+SWIG_Python_ArgFail(int argnum)
+{
+  if (PyErr_Occurred()) {
+    /* add information about failing argument */
+    char mesg[256];
+    PyOS_snprintf(mesg, sizeof(mesg), "argument number %d:", argnum);
+    return SWIG_Python_AddErrMesg(mesg, 1);
+  } else {
+    return 0;
+  }
+}
+
+SWIGRUNTIMEINLINE const char *
+PySwigObject_GetDesc(PyObject *self)
+{
+  PySwigObject *v = (PySwigObject *)self;
+  swig_type_info *ty = v ? v->ty : 0;
+  return ty ? ty->str : (char*)"";
+}
+
+SWIGRUNTIME void
+SWIG_Python_TypeError(const char *type, PyObject *obj)
+{
+  if (type) {
+#if defined(SWIG_COBJECT_TYPES)
+    if (obj && PySwigObject_Check(obj)) {
+      const char *otype = (const char *) PySwigObject_GetDesc(obj);
+      if (otype) {
+	PyErr_Format(PyExc_TypeError, "a '%s' is expected, 'PySwigObject(%s)' is received",
+		     type, otype);
+	return;
+      }
+    } else 
+#endif      
+    {
+      const char *otype = (obj ? obj->ob_type->tp_name : 0); 
+      if (otype) {
+	PyObject *str = PyObject_Str(obj);
+	const char *cstr = str ? PyString_AsString(str) : 0;
+	if (cstr) {
+	  PyErr_Format(PyExc_TypeError, "a '%s' is expected, '%s(%s)' is received",
+		       type, otype, cstr);
+	} else {
+	  PyErr_Format(PyExc_TypeError, "a '%s' is expected, '%s' is received",
+		       type, otype);
+	}
+	Py_XDECREF(str);
+	return;
+      }
+    }   
+    PyErr_Format(PyExc_TypeError, "a '%s' is expected", type);
+  } else {
+    PyErr_Format(PyExc_TypeError, "unexpected type is received");
+  }
+}
+
+
+/* Convert a pointer value, signal an exception on a type mismatch */
+SWIGRUNTIME void *
+SWIG_Python_MustGetPtr(PyObject *obj, swig_type_info *ty, int argnum, int flags) {
+  void *result;
+  if (SWIG_Python_ConvertPtr(obj, &result, ty, flags) == -1) {
+    PyErr_Clear();
+    if (flags & SWIG_POINTER_EXCEPTION) {
+      SWIG_Python_TypeError(SWIG_TypePrettyName(ty), obj);
+      SWIG_Python_ArgFail(argnum);
+    }
+  }
+  return result;
+}
+
+
+#ifdef __cplusplus
+#if 0
+{ /* cc-mode */
+#endif
+}
+#endif
+
+
+
+#define SWIG_exception_fail(code, msg) do { SWIG_Error(code, msg); SWIG_fail; } while(0) 
+
+#define SWIG_contract_assert(expr, msg) if (!(expr)) { SWIG_Error(SWIG_RuntimeError, msg); SWIG_fail; } else 
+
+
+
+/* -------- TYPES TABLE (BEGIN) -------- */
+
+#define SWIGTYPE_p_SubnetTree swig_types[0]
+#define SWIGTYPE_p_char swig_types[1]
+static swig_type_info *swig_types[3];
+static swig_module_info swig_module = {swig_types, 2, 0, 0, 0, 0};
+#define SWIG_TypeQuery(name) SWIG_TypeQueryModule(&swig_module, &swig_module, name)
+#define SWIG_MangledTypeQuery(name) SWIG_MangledTypeQueryModule(&swig_module, &swig_module, name)
+
+/* -------- TYPES TABLE (END) -------- */
+
+#if (PY_VERSION_HEX <= 0x02000000)
+# if !defined(SWIG_PYTHON_CLASSIC)
+#  error "This python version requires swig to be run with the '-classic' option"
+# endif
+#endif
+
+/*-----------------------------------------------
+              @(target):= _SubnetTree.so
+  ------------------------------------------------*/
+#define SWIG_init    init_SubnetTree
+
+#define SWIG_name    "_SubnetTree"
+
+#define SWIGVERSION 0x010331 
+#define SWIG_VERSION SWIGVERSION
+
+
+#define SWIG_as_voidptr(a) const_cast< void * >(static_cast< const void * >(a)) 
+#define SWIG_as_voidptrptr(a) ((void)SWIG_as_voidptr(*a),reinterpret_cast< void** >(a)) 
+
+
+#include <stdexcept>
+
+
+namespace swig {
+  class PyObject_ptr {
+  protected:
+    PyObject *_obj;
+
+  public:
+    PyObject_ptr() :_obj(0)
+    {
+    }
+
+    PyObject_ptr(const PyObject_ptr& item) : _obj(item._obj)
+    {
+      Py_XINCREF(_obj);      
+    }
+    
+    PyObject_ptr(PyObject *obj, bool initial_ref = true) :_obj(obj)
+    {
+      if (initial_ref) Py_XINCREF(_obj);
+    }
+    
+    PyObject_ptr & operator=(const PyObject_ptr& item) 
+    {
+      Py_XINCREF(item._obj);
+      Py_XDECREF(_obj);
+      _obj = item._obj;
+      return *this;      
+    }
+    
+    ~PyObject_ptr() 
+    {
+      Py_XDECREF(_obj);
+    }
+    
+    operator PyObject *() const
+    {
+      return _obj;
+    }
+
+    PyObject *operator->() const
+    {
+      return _obj;
+    }
+  };
+}
+
+
+namespace swig {
+  struct PyObject_var : PyObject_ptr {
+    PyObject_var(PyObject* obj = 0) : PyObject_ptr(obj, false) { }
+    
+    PyObject_var & operator = (PyObject* obj)
+    {
+      Py_XDECREF(_obj);
+      _obj = obj;
+      return *this;      
+    }
+  };
+}
+
+
+  #include "SubnetTree.h"
+
+
+SWIGINTERN swig_type_info*
+SWIG_pchar_descriptor(void)
+{
+  static int init = 0;
+  static swig_type_info* info = 0;
+  if (!init) {
+    info = SWIG_TypeQuery("_p_char");
+    init = 1;
+  }
+  return info;
+}
+
+
+SWIGINTERN int
+SWIG_AsCharPtrAndSize(PyObject *obj, char** cptr, size_t* psize, int *alloc)
+{
+  if (PyString_Check(obj)) {
+    char *cstr; Py_ssize_t len;
+    PyString_AsStringAndSize(obj, &cstr, &len);
+    if (cptr)  {
+      if (alloc) {
+	/* 
+	   In python the user should not be able to modify the inner
+	   string representation. To warranty that, if you define
+	   SWIG_PYTHON_SAFE_CSTRINGS, a new/copy of the python string
+	   buffer is always returned.
+
+	   The default behavior is just to return the pointer value,
+	   so, be careful.
+	*/ 
+#if defined(SWIG_PYTHON_SAFE_CSTRINGS)
+	if (*alloc != SWIG_OLDOBJ) 
+#else
+	if (*alloc == SWIG_NEWOBJ) 
+#endif
+	  {
+	    *cptr = reinterpret_cast< char* >(memcpy((new char[len + 1]), cstr, sizeof(char)*(len + 1)));
+	    *alloc = SWIG_NEWOBJ;
+	  }
+	else {
+	  *cptr = cstr;
+	  *alloc = SWIG_OLDOBJ;
+	}
+      } else {
+	*cptr = PyString_AsString(obj);
+      }
+    }
+    if (psize) *psize = len + 1;
+    return SWIG_OK;
+  } else {
+    swig_type_info* pchar_descriptor = SWIG_pchar_descriptor();
+    if (pchar_descriptor) {
+      void* vptr = 0;
+      if (SWIG_ConvertPtr(obj, &vptr, pchar_descriptor, 0) == SWIG_OK) {
+	if (cptr) *cptr = (char *) vptr;
+	if (psize) *psize = vptr ? (strlen((char *)vptr) + 1) : 0;
+	if (alloc) *alloc = SWIG_OLDOBJ;
+	return SWIG_OK;
+      }
+    }
+  }
+  return SWIG_TypeError;
+}
+
+
+
+
+
+SWIGINTERNINLINE PyObject*
+  SWIG_From_bool  (bool value)
+{
+  return PyBool_FromLong(value ? 1 : 0);
+}
+
+
+SWIGINTERN int
+SWIG_AsVal_double (PyObject *obj, double *val)
+{
+  int res = SWIG_TypeError;
+  if (PyFloat_Check(obj)) {
+    if (val) *val = PyFloat_AsDouble(obj);
+    return SWIG_OK;
+  } else if (PyInt_Check(obj)) {
+    if (val) *val = PyInt_AsLong(obj);
+    return SWIG_OK;
+  } else if (PyLong_Check(obj)) {
+    double v = PyLong_AsDouble(obj);
+    if (!PyErr_Occurred()) {
+      if (val) *val = v;
+      return SWIG_OK;
+    } else {
+      PyErr_Clear();
+    }
+  }
+#ifdef SWIG_PYTHON_CAST_MODE
+  {
+    int dispatch = 0;
+    double d = PyFloat_AsDouble(obj);
+    if (!PyErr_Occurred()) {
+      if (val) *val = d;
+      return SWIG_AddCast(SWIG_OK);
+    } else {
+      PyErr_Clear();
+    }
+    if (!dispatch) {
+      long v = PyLong_AsLong(obj);
+      if (!PyErr_Occurred()) {
+	if (val) *val = v;
+	return SWIG_AddCast(SWIG_AddCast(SWIG_OK));
+      } else {
+	PyErr_Clear();
+      }
+    }
+  }
+#endif
+  return res;
+}
+
+
+#include <float.h>
+
+
+#include <math.h>
+
+
+SWIGINTERNINLINE int
+SWIG_CanCastAsInteger(double *d, double min, double max) {
+  double x = *d;
+  if ((min <= x && x <= max)) {
+   double fx = floor(x);
+   double cx = ceil(x);
+   double rd =  ((x - fx) < 0.5) ? fx : cx; /* simple rint */
+   if ((errno == EDOM) || (errno == ERANGE)) {
+     errno = 0;
+   } else {
+     double summ, reps, diff;
+     if (rd < x) {
+       diff = x - rd;
+     } else if (rd > x) {
+       diff = rd - x;
+     } else {
+       return 1;
+     }
+     summ = rd + x;
+     reps = diff/summ;
+     if (reps < 8*DBL_EPSILON) {
+       *d = rd;
+       return 1;
+     }
+   }
+  }
+  return 0;
+}
+
+
+SWIGINTERN int
+SWIG_AsVal_unsigned_SS_long (PyObject *obj, unsigned long *val) 
+{
+  if (PyInt_Check(obj)) {
+    long v = PyInt_AsLong(obj);
+    if (v >= 0) {
+      if (val) *val = v;
+      return SWIG_OK;
+    } else {
+      return SWIG_OverflowError;
+    }
+  } else if (PyLong_Check(obj)) {
+    unsigned long v = PyLong_AsUnsignedLong(obj);
+    if (!PyErr_Occurred()) {
+      if (val) *val = v;
+      return SWIG_OK;
+    } else {
+      PyErr_Clear();
+    }
+  }
+#ifdef SWIG_PYTHON_CAST_MODE
+  {
+    int dispatch = 0;
+    unsigned long v = PyLong_AsUnsignedLong(obj);
+    if (!PyErr_Occurred()) {
+      if (val) *val = v;
+      return SWIG_AddCast(SWIG_OK);
+    } else {
+      PyErr_Clear();
+    }
+    if (!dispatch) {
+      double d;
+      int res = SWIG_AddCast(SWIG_AsVal_double (obj,&d));
+      if (SWIG_IsOK(res) && SWIG_CanCastAsInteger(&d, 0, ULONG_MAX)) {
+	if (val) *val = (unsigned long)(d);
+	return res;
+      }
+    }
+  }
+#endif
+  return SWIG_TypeError;
+}
+
+
+#include <limits.h>
+#ifndef LLONG_MIN
+# define LLONG_MIN	LONG_LONG_MIN
+#endif
+#ifndef LLONG_MAX
+# define LLONG_MAX	LONG_LONG_MAX
+#endif
+#ifndef ULLONG_MAX
+# define ULLONG_MAX	ULONG_LONG_MAX
+#endif
+
+
+SWIGINTERN int
+SWIG_AsVal_unsigned_SS_short (PyObject * obj, unsigned short *val)
+{
+  unsigned long v;
+  int res = SWIG_AsVal_unsigned_SS_long (obj, &v);
+  if (SWIG_IsOK(res)) {
+    if ((v > USHRT_MAX)) {
+      return SWIG_OverflowError;
+    } else {
+      if (val) *val = static_cast< unsigned short >(v);
+    }
+  }  
+  return res;
+}
+
+
+SWIGINTERN int
+SWIG_AsVal_long (PyObject *obj, long* val)
+{
+  if (PyInt_Check(obj)) {
+    if (val) *val = PyInt_AsLong(obj);
+    return SWIG_OK;
+  } else if (PyLong_Check(obj)) {
+    long v = PyLong_AsLong(obj);
+    if (!PyErr_Occurred()) {
+      if (val) *val = v;
+      return SWIG_OK;
+    } else {
+      PyErr_Clear();
+    }
+  }
+#ifdef SWIG_PYTHON_CAST_MODE
+  {
+    int dispatch = 0;
+    long v = PyInt_AsLong(obj);
+    if (!PyErr_Occurred()) {
+      if (val) *val = v;
+      return SWIG_AddCast(SWIG_OK);
+    } else {
+      PyErr_Clear();
+    }
+    if (!dispatch) {
+      double d;
+      int res = SWIG_AddCast(SWIG_AsVal_double (obj,&d));
+      if (SWIG_IsOK(res) && SWIG_CanCastAsInteger(&d, LONG_MIN, LONG_MAX)) {
+	if (val) *val = (long)(d);
+	return res;
+      }
+    }
+  }
+#endif
+  return SWIG_TypeError;
+}
+
+
+SWIGINTERN int
+SWIG_AsVal_int (PyObject * obj, int *val)
+{
+  long v;
+  int res = SWIG_AsVal_long (obj, &v);
+  if (SWIG_IsOK(res)) {
+    if ((v < INT_MIN || v > INT_MAX)) {
+      return SWIG_OverflowError;
+    } else {
+      if (val) *val = static_cast< int >(v);
+    }
+  }  
+  return res;
+}
+
+SWIGINTERN PyObject *SubnetTree___contains____SWIG_0(SubnetTree *self,char *cidr,int size){
+           if ( ! cidr ) {
+               PyErr_SetString(PyExc_TypeError, "index must be string");
+               return 0;
+           }
+               
+           PyObject* obj = self->lookup(cidr, size);
+           if ( obj )
+               Py_DECREF(obj);
+           
+           if ( obj != 0 )
+               Py_RETURN_TRUE;
+           else
+               Py_RETURN_FALSE;
+       }
+SWIGINTERN bool SubnetTree___contains____SWIG_1(SubnetTree *self,unsigned long addr){
+           return self->lookup(addr);
+       }
+SWIGINTERN PyObject *SubnetTree___getitem__(SubnetTree *self,char *cidr,int size){
+           if ( ! cidr ) {
+               PyErr_SetString(PyExc_TypeError, "index must be string");
+               return 0;
+           }
+           
+           PyObject* data = self->lookup(cidr, size);
+           if ( ! data ) {
+               PyErr_SetString(PyExc_KeyError, cidr ? cidr : "None");
+               return 0;
+           }
+           
+           return data;
+       }
+SWIGINTERN PyObject *SubnetTree___setitem__(SubnetTree *self,char const *cidr,PyObject *data){
+           if ( ! cidr ) {
+               PyErr_SetString(PyExc_TypeError, "index must be string");
+               return 0; 
+           }
+           
+           if ( ! self->insert(cidr, data) ) {
+               PyErr_SetString(PyExc_IndexError, "cannot insert network");
+               return 0;
+           }
+           
+           return PyInt_FromLong(1);
+       }
+SWIGINTERN PyObject *SubnetTree___delitem__(SubnetTree *self,char const *cidr){
+           if ( ! cidr ) {
+               PyErr_SetString(PyExc_TypeError, "index must be string");
+               return 0; 
+           }
+           
+           if ( ! self->remove(cidr) ) {
+               PyErr_SetString(PyExc_IndexError, "cannot remove network");
+               return 0;
+           }
+           
+           return PyInt_FromLong(1);
+       }
+#ifdef __cplusplus
+extern "C" {
+#endif
+SWIGINTERN PyObject *_wrap_new_SubnetTree(PyObject *SWIGUNUSEDPARM(self), PyObject *args) {
+  PyObject *resultobj = 0;
+  SubnetTree *result = 0 ;
+  
+  if (!PyArg_ParseTuple(args,(char *)":new_SubnetTree")) SWIG_fail;
+  result = (SubnetTree *)new SubnetTree();
+  resultobj = SWIG_NewPointerObj(SWIG_as_voidptr(result), SWIGTYPE_p_SubnetTree, SWIG_POINTER_NEW |  0 );
+  return resultobj;
+fail:
+  return NULL;
+}
+
+
+SWIGINTERN PyObject *_wrap_delete_SubnetTree(PyObject *SWIGUNUSEDPARM(self), PyObject *args) {
+  PyObject *resultobj = 0;
+  SubnetTree *arg1 = (SubnetTree *) 0 ;
+  void *argp1 = 0 ;
+  int res1 = 0 ;
+  PyObject * obj0 = 0 ;
+  
+  if (!PyArg_ParseTuple(args,(char *)"O:delete_SubnetTree",&obj0)) SWIG_fail;
+  res1 = SWIG_ConvertPtr(obj0, &argp1,SWIGTYPE_p_SubnetTree, SWIG_POINTER_DISOWN |  0 );
+  if (!SWIG_IsOK(res1)) {
+    SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "delete_SubnetTree" "', argument " "1"" of type '" "SubnetTree *""'"); 
+  }
+  arg1 = reinterpret_cast< SubnetTree * >(argp1);
+  delete arg1;
+  
+  resultobj = SWIG_Py_Void();
+  return resultobj;
+fail:
+  return NULL;
+}
+
+
+SWIGINTERN PyObject *_wrap_SubnetTree_insert__SWIG_0(PyObject *SWIGUNUSEDPARM(self), PyObject *args) {
+  PyObject *resultobj = 0;
+  SubnetTree *arg1 = (SubnetTree *) 0 ;
+  char *arg2 = (char *) 0 ;
+  PyObject *arg3 = (PyObject *) 0 ;
+  bool result;
+  void *argp1 = 0 ;
+  int res1 = 0 ;
+  int res2 ;
+  char *buf2 = 0 ;
+  int alloc2 = 0 ;
+  PyObject * obj0 = 0 ;
+  PyObject * obj1 = 0 ;
+  PyObject * obj2 = 0 ;
+  
+  if (!PyArg_ParseTuple(args,(char *)"OOO:SubnetTree_insert",&obj0,&obj1,&obj2)) SWIG_fail;
+  res1 = SWIG_ConvertPtr(obj0, &argp1,SWIGTYPE_p_SubnetTree, 0 |  0 );
+  if (!SWIG_IsOK(res1)) {
+    SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "SubnetTree_insert" "', argument " "1"" of type '" "SubnetTree *""'"); 
+  }
+  arg1 = reinterpret_cast< SubnetTree * >(argp1);
+  res2 = SWIG_AsCharPtrAndSize(obj1, &buf2, NULL, &alloc2);
+  if (!SWIG_IsOK(res2)) {
+    SWIG_exception_fail(SWIG_ArgError(res2), "in method '" "SubnetTree_insert" "', argument " "2"" of type '" "char const *""'");
+  }
+  arg2 = reinterpret_cast< char * >(buf2);
+  arg3 = obj2;
+  result = (bool)(arg1)->insert((char const *)arg2,arg3);
+  resultobj = SWIG_From_bool(static_cast< bool >(result));
+  if (alloc2 == SWIG_NEWOBJ) delete[] buf2;
+  return resultobj;
+fail:
+  if (alloc2 == SWIG_NEWOBJ) delete[] buf2;
+  return NULL;
+}
+
+
+SWIGINTERN PyObject *_wrap_SubnetTree_insert__SWIG_1(PyObject *SWIGUNUSEDPARM(self), PyObject *args) {
+  PyObject *resultobj = 0;
+  SubnetTree *arg1 = (SubnetTree *) 0 ;
+  char *arg2 = (char *) 0 ;
+  bool result;
+  void *argp1 = 0 ;
+  int res1 = 0 ;
+  int res2 ;
+  char *buf2 = 0 ;
+  int alloc2 = 0 ;
+  PyObject * obj0 = 0 ;
+  PyObject * obj1 = 0 ;
+  
+  if (!PyArg_ParseTuple(args,(char *)"OO:SubnetTree_insert",&obj0,&obj1)) SWIG_fail;
+  res1 = SWIG_ConvertPtr(obj0, &argp1,SWIGTYPE_p_SubnetTree, 0 |  0 );
+  if (!SWIG_IsOK(res1)) {
+    SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "SubnetTree_insert" "', argument " "1"" of type '" "SubnetTree *""'"); 
+  }
+  arg1 = reinterpret_cast< SubnetTree * >(argp1);
+  res2 = SWIG_AsCharPtrAndSize(obj1, &buf2, NULL, &alloc2);
+  if (!SWIG_IsOK(res2)) {
+    SWIG_exception_fail(SWIG_ArgError(res2), "in method '" "SubnetTree_insert" "', argument " "2"" of type '" "char const *""'");
+  }
+  arg2 = reinterpret_cast< char * >(buf2);
+  result = (bool)(arg1)->insert((char const *)arg2);
+  resultobj = SWIG_From_bool(static_cast< bool >(result));
+  if (alloc2 == SWIG_NEWOBJ) delete[] buf2;
+  return resultobj;
+fail:
+  if (alloc2 == SWIG_NEWOBJ) delete[] buf2;
+  return NULL;
+}
+
+
+SWIGINTERN PyObject *_wrap_SubnetTree_insert__SWIG_2(PyObject *SWIGUNUSEDPARM(self), PyObject *args) {
+  PyObject *resultobj = 0;
+  SubnetTree *arg1 = (SubnetTree *) 0 ;
+  unsigned long arg2 ;
+  unsigned short arg3 ;
+  PyObject *arg4 = (PyObject *) 0 ;
+  bool result;
+  void *argp1 = 0 ;
+  int res1 = 0 ;
+  unsigned long val2 ;
+  int ecode2 = 0 ;
+  unsigned short val3 ;
+  int ecode3 = 0 ;
+  PyObject * obj0 = 0 ;
+  PyObject * obj1 = 0 ;
+  PyObject * obj2 = 0 ;
+  PyObject * obj3 = 0 ;
+  
+  if (!PyArg_ParseTuple(args,(char *)"OOOO:SubnetTree_insert",&obj0,&obj1,&obj2,&obj3)) SWIG_fail;
+  res1 = SWIG_ConvertPtr(obj0, &argp1,SWIGTYPE_p_SubnetTree, 0 |  0 );
+  if (!SWIG_IsOK(res1)) {
+    SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "SubnetTree_insert" "', argument " "1"" of type '" "SubnetTree *""'"); 
+  }
+  arg1 = reinterpret_cast< SubnetTree * >(argp1);
+  ecode2 = SWIG_AsVal_unsigned_SS_long(obj1, &val2);
+  if (!SWIG_IsOK(ecode2)) {
+    SWIG_exception_fail(SWIG_ArgError(ecode2), "in method '" "SubnetTree_insert" "', argument " "2"" of type '" "unsigned long""'");
+  } 
+  arg2 = static_cast< unsigned long >(val2);
+  ecode3 = SWIG_AsVal_unsigned_SS_short(obj2, &val3);
+  if (!SWIG_IsOK(ecode3)) {
+    SWIG_exception_fail(SWIG_ArgError(ecode3), "in method '" "SubnetTree_insert" "', argument " "3"" of type '" "unsigned short""'");
+  } 
+  arg3 = static_cast< unsigned short >(val3);
+  arg4 = obj3;
+  result = (bool)(arg1)->insert(arg2,arg3,arg4);
+  resultobj = SWIG_From_bool(static_cast< bool >(result));
+  return resultobj;
+fail:
+  return NULL;
+}
+
+
+SWIGINTERN PyObject *_wrap_SubnetTree_insert__SWIG_3(PyObject *SWIGUNUSEDPARM(self), PyObject *args) {
+  PyObject *resultobj = 0;
+  SubnetTree *arg1 = (SubnetTree *) 0 ;
+  unsigned long arg2 ;
+  unsigned short arg3 ;
+  bool result;
+  void *argp1 = 0 ;
+  int res1 = 0 ;
+  unsigned long val2 ;
+  int ecode2 = 0 ;
+  unsigned short val3 ;
+  int ecode3 = 0 ;
+  PyObject * obj0 = 0 ;
+  PyObject * obj1 = 0 ;
+  PyObject * obj2 = 0 ;
+  
+  if (!PyArg_ParseTuple(args,(char *)"OOO:SubnetTree_insert",&obj0,&obj1,&obj2)) SWIG_fail;
+  res1 = SWIG_ConvertPtr(obj0, &argp1,SWIGTYPE_p_SubnetTree, 0 |  0 );
+  if (!SWIG_IsOK(res1)) {
+    SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "SubnetTree_insert" "', argument " "1"" of type '" "SubnetTree *""'"); 
+  }
+  arg1 = reinterpret_cast< SubnetTree * >(argp1);
+  ecode2 = SWIG_AsVal_unsigned_SS_long(obj1, &val2);
+  if (!SWIG_IsOK(ecode2)) {
+    SWIG_exception_fail(SWIG_ArgError(ecode2), "in method '" "SubnetTree_insert" "', argument " "2"" of type '" "unsigned long""'");
+  } 
+  arg2 = static_cast< unsigned long >(val2);
+  ecode3 = SWIG_AsVal_unsigned_SS_short(obj2, &val3);
+  if (!SWIG_IsOK(ecode3)) {
+    SWIG_exception_fail(SWIG_ArgError(ecode3), "in method '" "SubnetTree_insert" "', argument " "3"" of type '" "unsigned short""'");
+  } 
+  arg3 = static_cast< unsigned short >(val3);
+  result = (bool)(arg1)->insert(arg2,arg3);
+  resultobj = SWIG_From_bool(static_cast< bool >(result));
+  return resultobj;
+fail:
+  return NULL;
+}
+
+
+SWIGINTERN PyObject *_wrap_SubnetTree_insert(PyObject *self, PyObject *args) {
+  int argc;
+  PyObject *argv[5];
+  int ii;
+  
+  if (!PyTuple_Check(args)) SWIG_fail;
+  argc = PyObject_Length(args);
+  for (ii = 0; (ii < argc) && (ii < 4); ii++) {
+    argv[ii] = PyTuple_GET_ITEM(args,ii);
+  }
+  if (argc == 2) {
+    int _v;
+    void *vptr = 0;
+    int res = SWIG_ConvertPtr(argv[0], &vptr, SWIGTYPE_p_SubnetTree, 0);
+    _v = SWIG_CheckState(res);
+    if (_v) {
+      int res = SWIG_AsCharPtrAndSize(argv[1], 0, NULL, 0);
+      _v = SWIG_CheckState(res);
+      if (_v) {
+        return _wrap_SubnetTree_insert__SWIG_1(self, args);
+      }
+    }
+  }
+  if (argc == 3) {
+    int _v;
+    void *vptr = 0;
+    int res = SWIG_ConvertPtr(argv[0], &vptr, SWIGTYPE_p_SubnetTree, 0);
+    _v = SWIG_CheckState(res);
+    if (_v) {
+      {
+        int res = SWIG_AsVal_unsigned_SS_long(argv[1], NULL);
+        _v = SWIG_CheckState(res);
+      }
+      if (_v) {
+        {
+          int res = SWIG_AsVal_unsigned_SS_short(argv[2], NULL);
+          _v = SWIG_CheckState(res);
+        }
+        if (_v) {
+          return _wrap_SubnetTree_insert__SWIG_3(self, args);
+        }
+      }
+    }
+  }
+  if (argc == 3) {
+    int _v;
+    void *vptr = 0;
+    int res = SWIG_ConvertPtr(argv[0], &vptr, SWIGTYPE_p_SubnetTree, 0);
+    _v = SWIG_CheckState(res);
+    if (_v) {
+      int res = SWIG_AsCharPtrAndSize(argv[1], 0, NULL, 0);
+      _v = SWIG_CheckState(res);
+      if (_v) {
+        _v = (argv[2] != 0);
+        if (_v) {
+          return _wrap_SubnetTree_insert__SWIG_0(self, args);
+        }
+      }
+    }
+  }
+  if (argc == 4) {
+    int _v;
+    void *vptr = 0;
+    int res = SWIG_ConvertPtr(argv[0], &vptr, SWIGTYPE_p_SubnetTree, 0);
+    _v = SWIG_CheckState(res);
+    if (_v) {
+      {
+        int res = SWIG_AsVal_unsigned_SS_long(argv[1], NULL);
+        _v = SWIG_CheckState(res);
+      }
+      if (_v) {
+        {
+          int res = SWIG_AsVal_unsigned_SS_short(argv[2], NULL);
+          _v = SWIG_CheckState(res);
+        }
+        if (_v) {
+          _v = (argv[3] != 0);
+          if (_v) {
+            return _wrap_SubnetTree_insert__SWIG_2(self, args);
+          }
+        }
+      }
+    }
+  }
+  
+fail:
+  SWIG_SetErrorMsg(PyExc_NotImplementedError,"Wrong number of arguments for overloaded function 'SubnetTree_insert'.\n  Possible C/C++ prototypes are:\n    insert(char const *,PyObject *)\n    insert(char const *)\n    insert(unsigned long,unsigned short,PyObject *)\n    insert(unsigned long,unsigned short)\n");
+  return NULL;
+}
+
+
+SWIGINTERN PyObject *_wrap_SubnetTree_remove__SWIG_0(PyObject *SWIGUNUSEDPARM(self), PyObject *args) {
+  PyObject *resultobj = 0;
+  SubnetTree *arg1 = (SubnetTree *) 0 ;
+  char *arg2 = (char *) 0 ;
+  bool result;
+  void *argp1 = 0 ;
+  int res1 = 0 ;
+  int res2 ;
+  char *buf2 = 0 ;
+  int alloc2 = 0 ;
+  PyObject * obj0 = 0 ;
+  PyObject * obj1 = 0 ;
+  
+  if (!PyArg_ParseTuple(args,(char *)"OO:SubnetTree_remove",&obj0,&obj1)) SWIG_fail;
+  res1 = SWIG_ConvertPtr(obj0, &argp1,SWIGTYPE_p_SubnetTree, 0 |  0 );
+  if (!SWIG_IsOK(res1)) {
+    SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "SubnetTree_remove" "', argument " "1"" of type '" "SubnetTree *""'"); 
+  }
+  arg1 = reinterpret_cast< SubnetTree * >(argp1);
+  res2 = SWIG_AsCharPtrAndSize(obj1, &buf2, NULL, &alloc2);
+  if (!SWIG_IsOK(res2)) {
+    SWIG_exception_fail(SWIG_ArgError(res2), "in method '" "SubnetTree_remove" "', argument " "2"" of type '" "char const *""'");
+  }
+  arg2 = reinterpret_cast< char * >(buf2);
+  result = (bool)(arg1)->remove((char const *)arg2);
+  resultobj = SWIG_From_bool(static_cast< bool >(result));
+  if (alloc2 == SWIG_NEWOBJ) delete[] buf2;
+  return resultobj;
+fail:
+  if (alloc2 == SWIG_NEWOBJ) delete[] buf2;
+  return NULL;
+}
+
+
+SWIGINTERN PyObject *_wrap_SubnetTree_remove__SWIG_1(PyObject *SWIGUNUSEDPARM(self), PyObject *args) {
+  PyObject *resultobj = 0;
+  SubnetTree *arg1 = (SubnetTree *) 0 ;
+  unsigned long arg2 ;
+  unsigned short arg3 ;
+  bool result;
+  void *argp1 = 0 ;
+  int res1 = 0 ;
+  unsigned long val2 ;
+  int ecode2 = 0 ;
+  unsigned short val3 ;
+  int ecode3 = 0 ;
+  PyObject * obj0 = 0 ;
+  PyObject * obj1 = 0 ;
+  PyObject * obj2 = 0 ;
+  
+  if (!PyArg_ParseTuple(args,(char *)"OOO:SubnetTree_remove",&obj0,&obj1,&obj2)) SWIG_fail;
+  res1 = SWIG_ConvertPtr(obj0, &argp1,SWIGTYPE_p_SubnetTree, 0 |  0 );
+  if (!SWIG_IsOK(res1)) {
+    SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "SubnetTree_remove" "', argument " "1"" of type '" "SubnetTree *""'"); 
+  }
+  arg1 = reinterpret_cast< SubnetTree * >(argp1);
+  ecode2 = SWIG_AsVal_unsigned_SS_long(obj1, &val2);
+  if (!SWIG_IsOK(ecode2)) {
+    SWIG_exception_fail(SWIG_ArgError(ecode2), "in method '" "SubnetTree_remove" "', argument " "2"" of type '" "unsigned long""'");
+  } 
+  arg2 = static_cast< unsigned long >(val2);
+  ecode3 = SWIG_AsVal_unsigned_SS_short(obj2, &val3);
+  if (!SWIG_IsOK(ecode3)) {
+    SWIG_exception_fail(SWIG_ArgError(ecode3), "in method '" "SubnetTree_remove" "', argument " "3"" of type '" "unsigned short""'");
+  } 
+  arg3 = static_cast< unsigned short >(val3);
+  result = (bool)(arg1)->remove(arg2,arg3);
+  resultobj = SWIG_From_bool(static_cast< bool >(result));
+  return resultobj;
+fail:
+  return NULL;
+}
+
+
+SWIGINTERN PyObject *_wrap_SubnetTree_remove(PyObject *self, PyObject *args) {
+  int argc;
+  PyObject *argv[4];
+  int ii;
+  
+  if (!PyTuple_Check(args)) SWIG_fail;
+  argc = PyObject_Length(args);
+  for (ii = 0; (ii < argc) && (ii < 3); ii++) {
+    argv[ii] = PyTuple_GET_ITEM(args,ii);
+  }
+  if (argc == 2) {
+    int _v;
+    void *vptr = 0;
+    int res = SWIG_ConvertPtr(argv[0], &vptr, SWIGTYPE_p_SubnetTree, 0);
+    _v = SWIG_CheckState(res);
+    if (_v) {
+      int res = SWIG_AsCharPtrAndSize(argv[1], 0, NULL, 0);
+      _v = SWIG_CheckState(res);
+      if (_v) {
+        return _wrap_SubnetTree_remove__SWIG_0(self, args);
+      }
+    }
+  }
+  if (argc == 3) {
+    int _v;
+    void *vptr = 0;
+    int res = SWIG_ConvertPtr(argv[0], &vptr, SWIGTYPE_p_SubnetTree, 0);
+    _v = SWIG_CheckState(res);
+    if (_v) {
+      {
+        int res = SWIG_AsVal_unsigned_SS_long(argv[1], NULL);
+        _v = SWIG_CheckState(res);
+      }
+      if (_v) {
+        {
+          int res = SWIG_AsVal_unsigned_SS_short(argv[2], NULL);
+          _v = SWIG_CheckState(res);
+        }
+        if (_v) {
+          return _wrap_SubnetTree_remove__SWIG_1(self, args);
+        }
+      }
+    }
+  }
+  
+fail:
+  SWIG_SetErrorMsg(PyExc_NotImplementedError,"Wrong number of arguments for overloaded function 'SubnetTree_remove'.\n  Possible C/C++ prototypes are:\n    remove(char const *)\n    remove(unsigned long,unsigned short)\n");
+  return NULL;
+}
+
+
+SWIGINTERN PyObject *_wrap_SubnetTree_lookup__SWIG_0(PyObject *SWIGUNUSEDPARM(self), PyObject *args) {
+  PyObject *resultobj = 0;
+  SubnetTree *arg1 = (SubnetTree *) 0 ;
+  char *arg2 = (char *) 0 ;
+  int arg3 ;
+  PyObject *result = 0 ;
+  void *argp1 = 0 ;
+  int res1 = 0 ;
+  int res2 ;
+  char *buf2 = 0 ;
+  int alloc2 = 0 ;
+  int val3 ;
+  int ecode3 = 0 ;
+  PyObject * obj0 = 0 ;
+  PyObject * obj1 = 0 ;
+  PyObject * obj2 = 0 ;
+  
+  if (!PyArg_ParseTuple(args,(char *)"OOO:SubnetTree_lookup",&obj0,&obj1,&obj2)) SWIG_fail;
+  res1 = SWIG_ConvertPtr(obj0, &argp1,SWIGTYPE_p_SubnetTree, 0 |  0 );
+  if (!SWIG_IsOK(res1)) {
+    SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "SubnetTree_lookup" "', argument " "1"" of type '" "SubnetTree const *""'"); 
+  }
+  arg1 = reinterpret_cast< SubnetTree * >(argp1);
+  res2 = SWIG_AsCharPtrAndSize(obj1, &buf2, NULL, &alloc2);
+  if (!SWIG_IsOK(res2)) {
+    SWIG_exception_fail(SWIG_ArgError(res2), "in method '" "SubnetTree_lookup" "', argument " "2"" of type '" "char const *""'");
+  }
+  arg2 = reinterpret_cast< char * >(buf2);
+  ecode3 = SWIG_AsVal_int(obj2, &val3);
+  if (!SWIG_IsOK(ecode3)) {
+    SWIG_exception_fail(SWIG_ArgError(ecode3), "in method '" "SubnetTree_lookup" "', argument " "3"" of type '" "int""'");
+  } 
+  arg3 = static_cast< int >(val3);
+  result = (PyObject *)((SubnetTree const *)arg1)->lookup((char const *)arg2,arg3);
+  resultobj = result;
+  if (alloc2 == SWIG_NEWOBJ) delete[] buf2;
+  return resultobj;
+fail:
+  if (alloc2 == SWIG_NEWOBJ) delete[] buf2;
+  return NULL;
+}
+
+
+SWIGINTERN PyObject *_wrap_SubnetTree_lookup__SWIG_1(PyObject *SWIGUNUSEDPARM(self), PyObject *args) {
+  PyObject *resultobj = 0;
+  SubnetTree *arg1 = (SubnetTree *) 0 ;
+  unsigned long arg2 ;
+  PyObject *result = 0 ;
+  void *argp1 = 0 ;
+  int res1 = 0 ;
+  unsigned long val2 ;
+  int ecode2 = 0 ;
+  PyObject * obj0 = 0 ;
+  PyObject * obj1 = 0 ;
+  
+  if (!PyArg_ParseTuple(args,(char *)"OO:SubnetTree_lookup",&obj0,&obj1)) SWIG_fail;
+  res1 = SWIG_ConvertPtr(obj0, &argp1,SWIGTYPE_p_SubnetTree, 0 |  0 );
+  if (!SWIG_IsOK(res1)) {
+    SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "SubnetTree_lookup" "', argument " "1"" of type '" "SubnetTree const *""'"); 
+  }
+  arg1 = reinterpret_cast< SubnetTree * >(argp1);
+  ecode2 = SWIG_AsVal_unsigned_SS_long(obj1, &val2);
+  if (!SWIG_IsOK(ecode2)) {
+    SWIG_exception_fail(SWIG_ArgError(ecode2), "in method '" "SubnetTree_lookup" "', argument " "2"" of type '" "unsigned long""'");
+  } 
+  arg2 = static_cast< unsigned long >(val2);
+  result = (PyObject *)((SubnetTree const *)arg1)->lookup(arg2);
+  resultobj = result;
+  return resultobj;
+fail:
+  return NULL;
+}
+
+
+SWIGINTERN PyObject *_wrap_SubnetTree_lookup(PyObject *self, PyObject *args) {
+  int argc;
+  PyObject *argv[4];
+  int ii;
+  
+  if (!PyTuple_Check(args)) SWIG_fail;
+  argc = PyObject_Length(args);
+  for (ii = 0; (ii < argc) && (ii < 3); ii++) {
+    argv[ii] = PyTuple_GET_ITEM(args,ii);
+  }
+  if (argc == 2) {
+    int _v;
+    void *vptr = 0;
+    int res = SWIG_ConvertPtr(argv[0], &vptr, SWIGTYPE_p_SubnetTree, 0);
+    _v = SWIG_CheckState(res);
+    if (_v) {
+      {
+        int res = SWIG_AsVal_unsigned_SS_long(argv[1], NULL);
+        _v = SWIG_CheckState(res);
+      }
+      if (_v) {
+        return _wrap_SubnetTree_lookup__SWIG_1(self, args);
+      }
+    }
+  }
+  if (argc == 3) {
+    int _v;
+    void *vptr = 0;
+    int res = SWIG_ConvertPtr(argv[0], &vptr, SWIGTYPE_p_SubnetTree, 0);
+    _v = SWIG_CheckState(res);
+    if (_v) {
+      int res = SWIG_AsCharPtrAndSize(argv[1], 0, NULL, 0);
+      _v = SWIG_CheckState(res);
+      if (_v) {
+        {
+          int res = SWIG_AsVal_int(argv[2], NULL);
+          _v = SWIG_CheckState(res);
+        }
+        if (_v) {
+          return _wrap_SubnetTree_lookup__SWIG_0(self, args);
+        }
+      }
+    }
+  }
+  
+fail:
+  SWIG_SetErrorMsg(PyExc_NotImplementedError,"Wrong number of arguments for overloaded function 'SubnetTree_lookup'.\n  Possible C/C++ prototypes are:\n    lookup(char const *,int)\n    lookup(unsigned long)\n");
+  return NULL;
+}
+
+
+SWIGINTERN PyObject *_wrap_SubnetTree___contains____SWIG_0(PyObject *SWIGUNUSEDPARM(self), PyObject *args) {
+  PyObject *resultobj = 0;
+  SubnetTree *arg1 = (SubnetTree *) 0 ;
+  char *arg2 = (char *) 0 ;
+  int arg3 ;
+  PyObject *result = 0 ;
+  void *argp1 = 0 ;
+  int res1 = 0 ;
+  int res2 ;
+  char *buf2 = 0 ;
+  size_t size2 = 0 ;
+  int alloc2 = 0 ;
+  PyObject * obj0 = 0 ;
+  PyObject * obj1 = 0 ;
+  
+  if (!PyArg_ParseTuple(args,(char *)"OO:SubnetTree___contains__",&obj0,&obj1)) SWIG_fail;
+  res1 = SWIG_ConvertPtr(obj0, &argp1,SWIGTYPE_p_SubnetTree, 0 |  0 );
+  if (!SWIG_IsOK(res1)) {
+    SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "SubnetTree___contains__" "', argument " "1"" of type '" "SubnetTree *""'"); 
+  }
+  arg1 = reinterpret_cast< SubnetTree * >(argp1);
+  res2 = SWIG_AsCharPtrAndSize(obj1, &buf2, &size2, &alloc2);
+  if (!SWIG_IsOK(res2)) {
+    SWIG_exception_fail(SWIG_ArgError(res2), "in method '" "SubnetTree___contains__" "', argument " "2"" of type '" "char *""'");
+  }  
+  arg2 = reinterpret_cast< char * >(buf2);
+  arg3 = static_cast< int >(size2 - 1);
+  result = (PyObject *)SubnetTree___contains____SWIG_0(arg1,arg2,arg3);
+  resultobj = result;
+  if (alloc2 == SWIG_NEWOBJ) delete[] buf2;
+  return resultobj;
+fail:
+  if (alloc2 == SWIG_NEWOBJ) delete[] buf2;
+  return NULL;
+}
+
+
+SWIGINTERN PyObject *_wrap_SubnetTree___contains____SWIG_1(PyObject *SWIGUNUSEDPARM(self), PyObject *args) {
+  PyObject *resultobj = 0;
+  SubnetTree *arg1 = (SubnetTree *) 0 ;
+  unsigned long arg2 ;
+  bool result;
+  void *argp1 = 0 ;
+  int res1 = 0 ;
+  unsigned long val2 ;
+  int ecode2 = 0 ;
+  PyObject * obj0 = 0 ;
+  PyObject * obj1 = 0 ;
+  
+  if (!PyArg_ParseTuple(args,(char *)"OO:SubnetTree___contains__",&obj0,&obj1)) SWIG_fail;
+  res1 = SWIG_ConvertPtr(obj0, &argp1,SWIGTYPE_p_SubnetTree, 0 |  0 );
+  if (!SWIG_IsOK(res1)) {
+    SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "SubnetTree___contains__" "', argument " "1"" of type '" "SubnetTree *""'"); 
+  }
+  arg1 = reinterpret_cast< SubnetTree * >(argp1);
+  ecode2 = SWIG_AsVal_unsigned_SS_long(obj1, &val2);
+  if (!SWIG_IsOK(ecode2)) {
+    SWIG_exception_fail(SWIG_ArgError(ecode2), "in method '" "SubnetTree___contains__" "', argument " "2"" of type '" "unsigned long""'");
+  } 
+  arg2 = static_cast< unsigned long >(val2);
+  result = (bool)SubnetTree___contains____SWIG_1(arg1,arg2);
+  resultobj = SWIG_From_bool(static_cast< bool >(result));
+  return resultobj;
+fail:
+  return NULL;
+}
+
+
+SWIGINTERN PyObject *_wrap_SubnetTree___contains__(PyObject *self, PyObject *args) {
+  int argc;
+  PyObject *argv[3];
+  int ii;
+  
+  if (!PyTuple_Check(args)) SWIG_fail;
+  argc = PyObject_Length(args);
+  for (ii = 0; (ii < argc) && (ii < 2); ii++) {
+    argv[ii] = PyTuple_GET_ITEM(args,ii);
+  }
+  if (argc == 2) {
+    int _v;
+    void *vptr = 0;
+    int res = SWIG_ConvertPtr(argv[0], &vptr, SWIGTYPE_p_SubnetTree, 0);
+    _v = SWIG_CheckState(res);
+    if (_v) {
+      {
+        int res = SWIG_AsVal_unsigned_SS_long(argv[1], NULL);
+        _v = SWIG_CheckState(res);
+      }
+      if (_v) {
+        return _wrap_SubnetTree___contains____SWIG_1(self, args);
+      }
+    }
+  }
+  if (argc == 2) {
+    int _v;
+    void *vptr = 0;
+    int res = SWIG_ConvertPtr(argv[0], &vptr, SWIGTYPE_p_SubnetTree, 0);
+    _v = SWIG_CheckState(res);
+    if (_v) {
+      int res = SWIG_AsCharPtrAndSize(argv[1], 0, NULL, 0);
+      _v = SWIG_CheckState(res);
+      if (_v) {
+        if (argc <= 2) {
+          return _wrap_SubnetTree___contains____SWIG_0(self, args);
+        }
+        {
+          int res = SWIG_AsVal_int(argv[2], NULL);
+          _v = SWIG_CheckState(res);
+        }
+        if (_v) {
+          return _wrap_SubnetTree___contains____SWIG_0(self, args);
+        }
+      }
+    }
+  }
+  
+fail:
+  SWIG_SetErrorMsg(PyExc_NotImplementedError,"Wrong number of arguments for overloaded function 'SubnetTree___contains__'.\n  Possible C/C++ prototypes are:\n    __contains__(char *,int)\n    __contains__(unsigned long)\n");
+  return NULL;
+}
+
+
+SWIGINTERN PyObject *_wrap_SubnetTree___getitem__(PyObject *SWIGUNUSEDPARM(self), PyObject *args) {
+  PyObject *resultobj = 0;
+  SubnetTree *arg1 = (SubnetTree *) 0 ;
+  char *arg2 = (char *) 0 ;
+  int arg3 ;
+  PyObject *result = 0 ;
+  void *argp1 = 0 ;
+  int res1 = 0 ;
+  int res2 ;
+  char *buf2 = 0 ;
+  size_t size2 = 0 ;
+  int alloc2 = 0 ;
+  PyObject * obj0 = 0 ;
+  PyObject * obj1 = 0 ;
+  
+  if (!PyArg_ParseTuple(args,(char *)"OO:SubnetTree___getitem__",&obj0,&obj1)) SWIG_fail;
+  res1 = SWIG_ConvertPtr(obj0, &argp1,SWIGTYPE_p_SubnetTree, 0 |  0 );
+  if (!SWIG_IsOK(res1)) {
+    SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "SubnetTree___getitem__" "', argument " "1"" of type '" "SubnetTree *""'"); 
+  }
+  arg1 = reinterpret_cast< SubnetTree * >(argp1);
+  res2 = SWIG_AsCharPtrAndSize(obj1, &buf2, &size2, &alloc2);
+  if (!SWIG_IsOK(res2)) {
+    SWIG_exception_fail(SWIG_ArgError(res2), "in method '" "SubnetTree___getitem__" "', argument " "2"" of type '" "char *""'");
+  }  
+  arg2 = reinterpret_cast< char * >(buf2);
+  arg3 = static_cast< int >(size2 - 1);
+  result = (PyObject *)SubnetTree___getitem__(arg1,arg2,arg3);
+  resultobj = result;
+  if (alloc2 == SWIG_NEWOBJ) delete[] buf2;
+  return resultobj;
+fail:
+  if (alloc2 == SWIG_NEWOBJ) delete[] buf2;
+  return NULL;
+}
+
+
+SWIGINTERN PyObject *_wrap_SubnetTree___setitem__(PyObject *SWIGUNUSEDPARM(self), PyObject *args) {
+  PyObject *resultobj = 0;
+  SubnetTree *arg1 = (SubnetTree *) 0 ;
+  char *arg2 = (char *) 0 ;
+  PyObject *arg3 = (PyObject *) 0 ;
+  PyObject *result = 0 ;
+  void *argp1 = 0 ;
+  int res1 = 0 ;
+  int res2 ;
+  char *buf2 = 0 ;
+  int alloc2 = 0 ;
+  PyObject * obj0 = 0 ;
+  PyObject * obj1 = 0 ;
+  PyObject * obj2 = 0 ;
+  
+  if (!PyArg_ParseTuple(args,(char *)"OOO:SubnetTree___setitem__",&obj0,&obj1,&obj2)) SWIG_fail;
+  res1 = SWIG_ConvertPtr(obj0, &argp1,SWIGTYPE_p_SubnetTree, 0 |  0 );
+  if (!SWIG_IsOK(res1)) {
+    SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "SubnetTree___setitem__" "', argument " "1"" of type '" "SubnetTree *""'"); 
+  }
+  arg1 = reinterpret_cast< SubnetTree * >(argp1);
+  res2 = SWIG_AsCharPtrAndSize(obj1, &buf2, NULL, &alloc2);
+  if (!SWIG_IsOK(res2)) {
+    SWIG_exception_fail(SWIG_ArgError(res2), "in method '" "SubnetTree___setitem__" "', argument " "2"" of type '" "char const *""'");
+  }
+  arg2 = reinterpret_cast< char * >(buf2);
+  arg3 = obj2;
+  result = (PyObject *)SubnetTree___setitem__(arg1,(char const *)arg2,arg3);
+  resultobj = result;
+  if (alloc2 == SWIG_NEWOBJ) delete[] buf2;
+  return resultobj;
+fail:
+  if (alloc2 == SWIG_NEWOBJ) delete[] buf2;
+  return NULL;
+}
+
+
+SWIGINTERN PyObject *_wrap_SubnetTree___delitem__(PyObject *SWIGUNUSEDPARM(self), PyObject *args) {
+  PyObject *resultobj = 0;
+  SubnetTree *arg1 = (SubnetTree *) 0 ;
+  char *arg2 = (char *) 0 ;
+  PyObject *result = 0 ;
+  void *argp1 = 0 ;
+  int res1 = 0 ;
+  int res2 ;
+  char *buf2 = 0 ;
+  int alloc2 = 0 ;
+  PyObject * obj0 = 0 ;
+  PyObject * obj1 = 0 ;
+  
+  if (!PyArg_ParseTuple(args,(char *)"OO:SubnetTree___delitem__",&obj0,&obj1)) SWIG_fail;
+  res1 = SWIG_ConvertPtr(obj0, &argp1,SWIGTYPE_p_SubnetTree, 0 |  0 );
+  if (!SWIG_IsOK(res1)) {
+    SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "SubnetTree___delitem__" "', argument " "1"" of type '" "SubnetTree *""'"); 
+  }
+  arg1 = reinterpret_cast< SubnetTree * >(argp1);
+  res2 = SWIG_AsCharPtrAndSize(obj1, &buf2, NULL, &alloc2);
+  if (!SWIG_IsOK(res2)) {
+    SWIG_exception_fail(SWIG_ArgError(res2), "in method '" "SubnetTree___delitem__" "', argument " "2"" of type '" "char const *""'");
+  }
+  arg2 = reinterpret_cast< char * >(buf2);
+  result = (PyObject *)SubnetTree___delitem__(arg1,(char const *)arg2);
+  resultobj = result;
+  if (alloc2 == SWIG_NEWOBJ) delete[] buf2;
+  return resultobj;
+fail:
+  if (alloc2 == SWIG_NEWOBJ) delete[] buf2;
+  return NULL;
+}
+
+
+SWIGINTERN PyObject *SubnetTree_swigregister(PyObject *SWIGUNUSEDPARM(self), PyObject *args) {
+  PyObject *obj;
+  if (!PyArg_ParseTuple(args,(char*)"O|swigregister", &obj)) return NULL;
+  SWIG_TypeNewClientData(SWIGTYPE_p_SubnetTree, SWIG_NewClientData(obj));
+  return SWIG_Py_Void();
+}
+
+static PyMethodDef SwigMethods[] = {
+	 { (char *)"new_SubnetTree", _wrap_new_SubnetTree, METH_VARARGS, NULL},
+	 { (char *)"delete_SubnetTree", _wrap_delete_SubnetTree, METH_VARARGS, NULL},
+	 { (char *)"SubnetTree_insert", _wrap_SubnetTree_insert, METH_VARARGS, NULL},
+	 { (char *)"SubnetTree_remove", _wrap_SubnetTree_remove, METH_VARARGS, NULL},
+	 { (char *)"SubnetTree_lookup", _wrap_SubnetTree_lookup, METH_VARARGS, NULL},
+	 { (char *)"SubnetTree___contains__", _wrap_SubnetTree___contains__, METH_VARARGS, NULL},
+	 { (char *)"SubnetTree___getitem__", _wrap_SubnetTree___getitem__, METH_VARARGS, NULL},
+	 { (char *)"SubnetTree___setitem__", _wrap_SubnetTree___setitem__, METH_VARARGS, NULL},
+	 { (char *)"SubnetTree___delitem__", _wrap_SubnetTree___delitem__, METH_VARARGS, NULL},
+	 { (char *)"SubnetTree_swigregister", SubnetTree_swigregister, METH_VARARGS, NULL},
+	 { NULL, NULL, 0, NULL }
+};
+
+
+/* -------- TYPE CONVERSION AND EQUIVALENCE RULES (BEGIN) -------- */
+
+static swig_type_info _swigt__p_SubnetTree = {"_p_SubnetTree", "SubnetTree *", 0, 0, (void*)0, 0};
+static swig_type_info _swigt__p_char = {"_p_char", "char *", 0, 0, (void*)0, 0};
+
+static swig_type_info *swig_type_initial[] = {
+  &_swigt__p_SubnetTree,
+  &_swigt__p_char,
+};
+
+static swig_cast_info _swigc__p_SubnetTree[] = {  {&_swigt__p_SubnetTree, 0, 0, 0},{0, 0, 0, 0}};
+static swig_cast_info _swigc__p_char[] = {  {&_swigt__p_char, 0, 0, 0},{0, 0, 0, 0}};
+
+static swig_cast_info *swig_cast_initial[] = {
+  _swigc__p_SubnetTree,
+  _swigc__p_char,
+};
+
+
+/* -------- TYPE CONVERSION AND EQUIVALENCE RULES (END) -------- */
+
+static swig_const_info swig_const_table[] = {
+{0, 0, 0, 0.0, 0, 0}};
+
+#ifdef __cplusplus
+}
+#endif
+/* -----------------------------------------------------------------------------
+ * Type initialization:
+ * This problem is tough by the requirement that no dynamic 
+ * memory is used. Also, since swig_type_info structures store pointers to 
+ * swig_cast_info structures and swig_cast_info structures store pointers back
+ * to swig_type_info structures, we need some lookup code at initialization. 
+ * The idea is that swig generates all the structures that are needed. 
+ * The runtime then collects these partially filled structures. 
+ * The SWIG_InitializeModule function takes these initial arrays out of 
+ * swig_module, and does all the lookup, filling in the swig_module.types
+ * array with the correct data and linking the correct swig_cast_info
+ * structures together.
+ *
+ * The generated swig_type_info structures are assigned staticly to an initial 
+ * array. We just loop through that array, and handle each type individually.
+ * First we lookup if this type has been already loaded, and if so, use the
+ * loaded structure instead of the generated one. Then we have to fill in the
+ * cast linked list. The cast data is initially stored in something like a
+ * two-dimensional array. Each row corresponds to a type (there are the same
+ * number of rows as there are in the swig_type_initial array). Each entry in
+ * a column is one of the swig_cast_info structures for that type.
+ * The cast_initial array is actually an array of arrays, because each row has
+ * a variable number of columns. So to actually build the cast linked list,
+ * we find the array of casts associated with the type, and loop through it 
+ * adding the casts to the list. The one last trick we need to do is making
+ * sure the type pointer in the swig_cast_info struct is correct.
+ *
+ * First off, we lookup the cast->type name to see if it is already loaded. 
+ * There are three cases to handle:
+ *  1) If the cast->type has already been loaded AND the type we are adding
+ *     casting info to has not been loaded (it is in this module), THEN we
+ *     replace the cast->type pointer with the type pointer that has already
+ *     been loaded.
+ *  2) If BOTH types (the one we are adding casting info to, and the 
+ *     cast->type) are loaded, THEN the cast info has already been loaded by
+ *     the previous module so we just ignore it.
+ *  3) Finally, if cast->type has not already been loaded, then we add that
+ *     swig_cast_info to the linked list (because the cast->type) pointer will
+ *     be correct.
+ * ----------------------------------------------------------------------------- */
+
+#ifdef __cplusplus
+extern "C" {
+#if 0
+} /* c-mode */
+#endif
+#endif
+
+#if 0
+#define SWIGRUNTIME_DEBUG
+#endif
+
+
+SWIGRUNTIME void
+SWIG_InitializeModule(void *clientdata) {
+  size_t i;
+  swig_module_info *module_head, *iter;
+  int found;
+  
+  clientdata = clientdata;
+  
+  /* check to see if the circular list has been setup, if not, set it up */
+  if (swig_module.next==0) {
+    /* Initialize the swig_module */
+    swig_module.type_initial = swig_type_initial;
+    swig_module.cast_initial = swig_cast_initial;
+    swig_module.next = &swig_module;
+  }
+  
+  /* Try and load any already created modules */
+  module_head = SWIG_GetModule(clientdata);
+  if (!module_head) {
+    /* This is the first module loaded for this interpreter */
+    /* so set the swig module into the interpreter */
+    SWIG_SetModule(clientdata, &swig_module);
+    module_head = &swig_module;
+  } else {
+    /* the interpreter has loaded a SWIG module, but has it loaded this one? */
+    found=0;
+    iter=module_head;
+    do {
+      if (iter==&swig_module) {
+        found=1;
+        break;
+      }
+      iter=iter->next;
+    } while (iter!= module_head);
+    
+    /* if the is found in the list, then all is done and we may leave */
+    if (found) return;
+    /* otherwise we must add out module into the list */
+    swig_module.next = module_head->next;
+    module_head->next = &swig_module;
+  }
+  
+  /* Now work on filling in swig_module.types */
+#ifdef SWIGRUNTIME_DEBUG
+  printf("SWIG_InitializeModule: size %d\n", swig_module.size);
+#endif
+  for (i = 0; i < swig_module.size; ++i) {
+    swig_type_info *type = 0;
+    swig_type_info *ret;
+    swig_cast_info *cast;
+    
+#ifdef SWIGRUNTIME_DEBUG
+    printf("SWIG_InitializeModule: type %d %s\n", i, swig_module.type_initial[i]->name);
+#endif
+    
+    /* if there is another module already loaded */
+    if (swig_module.next != &swig_module) {
+      type = SWIG_MangledTypeQueryModule(swig_module.next, &swig_module, swig_module.type_initial[i]->name);
+    }
+    if (type) {
+      /* Overwrite clientdata field */
+#ifdef SWIGRUNTIME_DEBUG
+      printf("SWIG_InitializeModule: found type %s\n", type->name);
+#endif
+      if (swig_module.type_initial[i]->clientdata) {
+        type->clientdata = swig_module.type_initial[i]->clientdata;
+#ifdef SWIGRUNTIME_DEBUG
+        printf("SWIG_InitializeModule: found and overwrite type %s \n", type->name);
+#endif
+      }
+    } else {
+      type = swig_module.type_initial[i];
+    }
+    
+    /* Insert casting types */
+    cast = swig_module.cast_initial[i];
+    while (cast->type) {
+      /* Don't need to add information already in the list */
+      ret = 0;
+#ifdef SWIGRUNTIME_DEBUG
+      printf("SWIG_InitializeModule: look cast %s\n", cast->type->name);
+#endif
+      if (swig_module.next != &swig_module) {
+        ret = SWIG_MangledTypeQueryModule(swig_module.next, &swig_module, cast->type->name);
+#ifdef SWIGRUNTIME_DEBUG
+        if (ret) printf("SWIG_InitializeModule: found cast %s\n", ret->name);
+#endif
+      }
+      if (ret) {
+        if (type == swig_module.type_initial[i]) {
+#ifdef SWIGRUNTIME_DEBUG
+          printf("SWIG_InitializeModule: skip old type %s\n", ret->name);
+#endif
+          cast->type = ret;
+          ret = 0;
+        } else {
+          /* Check for casting already in the list */
+          swig_cast_info *ocast = SWIG_TypeCheck(ret->name, type);
+#ifdef SWIGRUNTIME_DEBUG
+          if (ocast) printf("SWIG_InitializeModule: skip old cast %s\n", ret->name);
+#endif
+          if (!ocast) ret = 0;
+        }
+      }
+      
+      if (!ret) {
+#ifdef SWIGRUNTIME_DEBUG
+        printf("SWIG_InitializeModule: adding cast %s\n", cast->type->name);
+#endif
+        if (type->cast) {
+          type->cast->prev = cast;
+          cast->next = type->cast;
+        }
+        type->cast = cast;
+      }
+      cast++;
+    }
+    /* Set entry in modules->types array equal to the type */
+    swig_module.types[i] = type;
+  }
+  swig_module.types[i] = 0;
+  
+#ifdef SWIGRUNTIME_DEBUG
+  printf("**** SWIG_InitializeModule: Cast List ******\n");
+  for (i = 0; i < swig_module.size; ++i) {
+    int j = 0;
+    swig_cast_info *cast = swig_module.cast_initial[i];
+    printf("SWIG_InitializeModule: type %d %s\n", i, swig_module.type_initial[i]->name);
+    while (cast->type) {
+      printf("SWIG_InitializeModule: cast type %s\n", cast->type->name);
+      cast++;
+      ++j;
+    }
+    printf("---- Total casts: %d\n",j);
+  }
+  printf("**** SWIG_InitializeModule: Cast List ******\n");
+#endif
+}
+
+/* This function will propagate the clientdata field of type to
+* any new swig_type_info structures that have been added into the list
+* of equivalent types.  It is like calling
+* SWIG_TypeClientData(type, clientdata) a second time.
+*/
+SWIGRUNTIME void
+SWIG_PropagateClientData(void) {
+  size_t i;
+  swig_cast_info *equiv;
+  static int init_run = 0;
+  
+  if (init_run) return;
+  init_run = 1;
+  
+  for (i = 0; i < swig_module.size; i++) {
+    if (swig_module.types[i]->clientdata) {
+      equiv = swig_module.types[i]->cast;
+      while (equiv) {
+        if (!equiv->converter) {
+          if (equiv->type && !equiv->type->clientdata)
+          SWIG_TypeClientData(equiv->type, swig_module.types[i]->clientdata);
+        }
+        equiv = equiv->next;
+      }
+    }
+  }
+}
+
+#ifdef __cplusplus
+#if 0
+{
+  /* c-mode */
+#endif
+}
+#endif
+
+
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+  
+  /* Python-specific SWIG API */
+#define SWIG_newvarlink()                             SWIG_Python_newvarlink()
+#define SWIG_addvarlink(p, name, get_attr, set_attr)  SWIG_Python_addvarlink(p, name, get_attr, set_attr)
+#define SWIG_InstallConstants(d, constants)           SWIG_Python_InstallConstants(d, constants)
+  
+  /* -----------------------------------------------------------------------------
+   * global variable support code.
+   * ----------------------------------------------------------------------------- */
+  
+  typedef struct swig_globalvar {
+    char       *name;                  /* Name of global variable */
+    PyObject *(*get_attr)(void);       /* Return the current value */
+    int       (*set_attr)(PyObject *); /* Set the value */
+    struct swig_globalvar *next;
+  } swig_globalvar;
+  
+  typedef struct swig_varlinkobject {
+    PyObject_HEAD
+    swig_globalvar *vars;
+  } swig_varlinkobject;
+  
+  SWIGINTERN PyObject *
+  swig_varlink_repr(swig_varlinkobject *SWIGUNUSEDPARM(v)) {
+    return PyString_FromString("<Swig global variables>");
+  }
+  
+  SWIGINTERN PyObject *
+  swig_varlink_str(swig_varlinkobject *v) {
+    PyObject *str = PyString_FromString("(");
+    swig_globalvar  *var;
+    for (var = v->vars; var; var=var->next) {
+      PyString_ConcatAndDel(&str,PyString_FromString(var->name));
+      if (var->next) PyString_ConcatAndDel(&str,PyString_FromString(", "));
+    }
+    PyString_ConcatAndDel(&str,PyString_FromString(")"));
+    return str;
+  }
+  
+  SWIGINTERN int
+  swig_varlink_print(swig_varlinkobject *v, FILE *fp, int SWIGUNUSEDPARM(flags)) {
+    PyObject *str = swig_varlink_str(v);
+    fprintf(fp,"Swig global variables ");
+    fprintf(fp,"%s\n", PyString_AsString(str));
+    Py_DECREF(str);
+    return 0;
+  }
+  
+  SWIGINTERN void
+  swig_varlink_dealloc(swig_varlinkobject *v) {
+    swig_globalvar *var = v->vars;
+    while (var) {
+      swig_globalvar *n = var->next;
+      free(var->name);
+      free(var);
+      var = n;
+    }
+  }
+  
+  SWIGINTERN PyObject *
+  swig_varlink_getattr(swig_varlinkobject *v, char *n) {
+    PyObject *res = NULL;
+    swig_globalvar *var = v->vars;
+    while (var) {
+      if (strcmp(var->name,n) == 0) {
+        res = (*var->get_attr)();
+        break;
+      }
+      var = var->next;
+    }
+    if (res == NULL && !PyErr_Occurred()) {
+      PyErr_SetString(PyExc_NameError,"Unknown C global variable");
+    }
+    return res;
+  }
+  
+  SWIGINTERN int
+  swig_varlink_setattr(swig_varlinkobject *v, char *n, PyObject *p) {
+    int res = 1;
+    swig_globalvar *var = v->vars;
+    while (var) {
+      if (strcmp(var->name,n) == 0) {
+        res = (*var->set_attr)(p);
+        break;
+      }
+      var = var->next;
+    }
+    if (res == 1 && !PyErr_Occurred()) {
+      PyErr_SetString(PyExc_NameError,"Unknown C global variable");
+    }
+    return res;
+  }
+  
+  SWIGINTERN PyTypeObject*
+  swig_varlink_type(void) {
+    static char varlink__doc__[] = "Swig var link object";
+    static PyTypeObject varlink_type;
+    static int type_init = 0;  
+    if (!type_init) {
+      const PyTypeObject tmp
+      = {
+        PyObject_HEAD_INIT(NULL)
+        0,                                  /* Number of items in variable part (ob_size) */
+        (char *)"swigvarlink",              /* Type name (tp_name) */
+        sizeof(swig_varlinkobject),         /* Basic size (tp_basicsize) */
+        0,                                  /* Itemsize (tp_itemsize) */
+        (destructor) swig_varlink_dealloc,   /* Deallocator (tp_dealloc) */ 
+        (printfunc) swig_varlink_print,     /* Print (tp_print) */
+        (getattrfunc) swig_varlink_getattr, /* get attr (tp_getattr) */
+        (setattrfunc) swig_varlink_setattr, /* Set attr (tp_setattr) */
+        0,                                  /* tp_compare */
+        (reprfunc) swig_varlink_repr,       /* tp_repr */
+        0,                                  /* tp_as_number */
+        0,                                  /* tp_as_sequence */
+        0,                                  /* tp_as_mapping */
+        0,                                  /* tp_hash */
+        0,                                  /* tp_call */
+        (reprfunc)swig_varlink_str,        /* tp_str */
+        0,                                  /* tp_getattro */
+        0,                                  /* tp_setattro */
+        0,                                  /* tp_as_buffer */
+        0,                                  /* tp_flags */
+        varlink__doc__,                     /* tp_doc */
+        0,                                  /* tp_traverse */
+        0,                                  /* tp_clear */
+        0,                                  /* tp_richcompare */
+        0,                                  /* tp_weaklistoffset */
+#if PY_VERSION_HEX >= 0x02020000
+        0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0, /* tp_iter -> tp_weaklist */
+#endif
+#if PY_VERSION_HEX >= 0x02030000
+        0,                                  /* tp_del */
+#endif
+#ifdef COUNT_ALLOCS
+        0,0,0,0                             /* tp_alloc -> tp_next */
+#endif
+      };
+      varlink_type = tmp;
+      varlink_type.ob_type = &PyType_Type;
+      type_init = 1;
+    }
+    return &varlink_type;
+  }
+  
+  /* Create a variable linking object for use later */
+  SWIGINTERN PyObject *
+  SWIG_Python_newvarlink(void) {
+    swig_varlinkobject *result = PyObject_NEW(swig_varlinkobject, swig_varlink_type());
+    if (result) {
+      result->vars = 0;
+    }
+    return ((PyObject*) result);
+  }
+  
+  SWIGINTERN void 
+  SWIG_Python_addvarlink(PyObject *p, char *name, PyObject *(*get_attr)(void), int (*set_attr)(PyObject *p)) {
+    swig_varlinkobject *v = (swig_varlinkobject *) p;
+    swig_globalvar *gv = (swig_globalvar *) malloc(sizeof(swig_globalvar));
+    if (gv) {
+      size_t size = strlen(name)+1;
+      gv->name = (char *)malloc(size);
+      if (gv->name) {
+        strncpy(gv->name,name,size);
+        gv->get_attr = get_attr;
+        gv->set_attr = set_attr;
+        gv->next = v->vars;
+      }
+    }
+    v->vars = gv;
+  }
+  
+  SWIGINTERN PyObject *
+  SWIG_globals(void) {
+    static PyObject *_SWIG_globals = 0; 
+    if (!_SWIG_globals) _SWIG_globals = SWIG_newvarlink();  
+    return _SWIG_globals;
+  }
+  
+  /* -----------------------------------------------------------------------------
+   * constants/methods manipulation
+   * ----------------------------------------------------------------------------- */
+  
+  /* Install Constants */
+  SWIGINTERN void
+  SWIG_Python_InstallConstants(PyObject *d, swig_const_info constants[]) {
+    PyObject *obj = 0;
+    size_t i;
+    for (i = 0; constants[i].type; ++i) {
+      switch(constants[i].type) {
+      case SWIG_PY_POINTER:
+        obj = SWIG_NewPointerObj(constants[i].pvalue, *(constants[i]).ptype,0);
+        break;
+      case SWIG_PY_BINARY:
+        obj = SWIG_NewPackedObj(constants[i].pvalue, constants[i].lvalue, *(constants[i].ptype));
+        break;
+      default:
+        obj = 0;
+        break;
+      }
+      if (obj) {
+        PyDict_SetItemString(d, constants[i].name, obj);
+        Py_DECREF(obj);
+      }
+    }
+  }
+  
+  /* -----------------------------------------------------------------------------*/
+  /* Fix SwigMethods to carry the callback ptrs when needed */
+  /* -----------------------------------------------------------------------------*/
+  
+  SWIGINTERN void
+  SWIG_Python_FixMethods(PyMethodDef *methods,
+    swig_const_info *const_table,
+    swig_type_info **types,
+    swig_type_info **types_initial) {
+    size_t i;
+    for (i = 0; methods[i].ml_name; ++i) {
+      const char *c = methods[i].ml_doc;
+      if (c && (c = strstr(c, "swig_ptr: "))) {
+        int j;
+        swig_const_info *ci = 0;
+        const char *name = c + 10;
+        for (j = 0; const_table[j].type; ++j) {
+          if (strncmp(const_table[j].name, name, 
+              strlen(const_table[j].name)) == 0) {
+            ci = &(const_table[j]);
+            break;
+          }
+        }
+        if (ci) {
+          size_t shift = (ci->ptype) - types;
+          swig_type_info *ty = types_initial[shift];
+          size_t ldoc = (c - methods[i].ml_doc);
+          size_t lptr = strlen(ty->name)+2*sizeof(void*)+2;
+          char *ndoc = (char*)malloc(ldoc + lptr + 10);
+          if (ndoc) {
+            char *buff = ndoc;
+            void *ptr = (ci->type == SWIG_PY_POINTER) ? ci->pvalue : 0;
+            if (ptr) {
+              strncpy(buff, methods[i].ml_doc, ldoc);
+              buff += ldoc;
+              strncpy(buff, "swig_ptr: ", 10);
+              buff += 10;
+              SWIG_PackVoidPtr(buff, ptr, ty->name, lptr);
+              methods[i].ml_doc = ndoc;
+            }
+          }
+        }
+      }
+    }
+  } 
+  
+#ifdef __cplusplus
+}
+#endif
+
+/* -----------------------------------------------------------------------------*
+ *  Partial Init method
+ * -----------------------------------------------------------------------------*/
+
+#ifdef __cplusplus
+extern "C"
+#endif
+SWIGEXPORT void SWIG_init(void) {
+  PyObject *m, *d;
+  
+  /* Fix SwigMethods to carry the callback ptrs when needed */
+  SWIG_Python_FixMethods(SwigMethods, swig_const_table, swig_types, swig_type_initial);
+  
+  m = Py_InitModule((char *) SWIG_name, SwigMethods);
+  d = PyModule_GetDict(m);
+  
+  SWIG_InitializeModule(0);
+  SWIG_InstallConstants(d,swig_const_table);
+  
+  
+}
+
diff --git a/aux/broctl/aux/pysubnettree/patricia.c b/aux/broctl/aux/pysubnettree/patricia.c
new file mode 100644
index 0000000000..6d7b272182
--- /dev/null
+++ b/aux/broctl/aux/pysubnettree/patricia.c
@@ -0,0 +1,1051 @@
+/*
+ * $Id: patricia.c 6811 2009-07-06 20:41:10Z robin $
+ * Dave Plonka <plonka@doit.wisc.edu>
+ *
+ * This product includes software developed by the University of Michigan,
+ * Merit Network, Inc., and their contributors. 
+ *
+ * This file had been called "radix.c" in the MRT sources.
+ *
+ * I renamed it to "patricia.c" since it's not an implementation of a general
+ * radix trie.  Also I pulled in various requirements from "prefix.c" and
+ * "demo.c" so that it could be used as a standalone API.
+ */
+
+/* From copyright.txt:
+ * 
+ * Copyright (c) 1997, 1998, 1999
+ * 
+ * 
+ * The Regents of the University of Michigan ("The Regents") and Merit Network,
+ * Inc.  All rights reserved.
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ * 1.  Redistributions of source code must retain the above 
+ *     copyright notice, this list of conditions and the 
+ *     following disclaimer.
+ * 2.  Redistributions in binary form must reproduce the above 
+ *     copyright notice, this list of conditions and the 
+ *     following disclaimer in the documentation and/or other 
+ *     materials provided with the distribution.
+ * 3.  All advertising materials mentioning features or use of 
+ *     this software must display the following acknowledgement:  
+ * This product includes software developed by the University of Michigan, Merit
+ * Network, Inc., and their contributors. 
+ * 4.  Neither the name of the University, Merit Network, nor the
+ *     names of their contributors may be used to endorse or 
+ *     promote products derived from this software without 
+ *     specific prior written permission.
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS "AS IS" AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY
+ * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.  
+ */
+
+static char copyright[] =
+"This product includes software developed by the University of Michigan, Merit"
+"Network, Inc., and their contributors.";
+
+#include <assert.h> /* assert */
+#include <ctype.h> /* isdigit */
+#include <errno.h> /* errno */
+#include <math.h> /* sin */
+#include <stddef.h> /* NULL */
+#include <stdio.h> /* sprintf, fprintf, stderr */
+#include <stdlib.h> /* free, atol, calloc */
+#include <string.h> /* memcpy, strchr, strlen */
+#include <arpa/inet.h> /* for inet_addr */
+#include <sys/types.h> /* for u_short, etc. */
+
+#include "patricia.h"
+
+#define Delete free
+
+/* { from prefix.c */
+
+/* prefix_tochar
+ * convert prefix information to bytes
+ */
+u_char *
+prefix_tochar (prefix_t * prefix)
+{
+    if (prefix == NULL)
+	return (NULL);
+
+    return ((u_char *) & prefix->add.sin);
+}
+
+int 
+comp_with_mask (void *addr, void *dest, u_int mask)
+{
+
+    if ( /* mask/8 == 0 || */ memcmp (addr, dest, mask / 8) == 0) {
+	int n = mask / 8;
+	int m = ((-1) << (8 - (mask % 8)));
+
+	if (mask % 8 == 0 || (((u_char *)addr)[n] & m) == (((u_char *)dest)[n] & m))
+	    return (1);
+    }
+    return (0);
+}
+
+/* inet_pton substitute implementation
+ * Uses inet_addr to convert an IP address in dotted decimal notation into 
+ * unsigned long and copies the result to dst.
+ * Only supports AF_INET.  Follows standard error return conventions of 
+ * inet_pton.
+ */
+int
+local_inet_pton (int af, const char *src, void *dst)
+{
+    u_long result;  
+
+    if (af == AF_INET) {
+	result = inet_addr(src);
+	if (result == -1)
+	    return 0;
+	else {
+			memcpy (dst, &result, 4);
+	    return 1;
+		}
+	}
+#ifdef NT
+#ifdef HAVE_IPV6
+	else if (af == AF_INET6) {
+		struct in6_addr Address;
+		return (inet6_addr(src, &Address));
+	}
+#endif /* HAVE_IPV6 */
+#endif /* NT */
+#ifndef NT
+    else {
+
+	errno = EAFNOSUPPORT;
+	return -1;
+    }
+#endif /* NT */
+}
+
+/* this allows imcomplete prefix */
+int
+my_inet_pton (int af, const char *src, void *dst)
+{
+    if (af == AF_INET) {
+        int i, c, val;
+        u_char xp[4] = {0, 0, 0, 0};
+
+        for (i = 0; ; i++) {
+	    c = *src++;
+	    if (!isdigit (c))
+		return (-1);
+	    val = 0;
+	    do {
+		val = val * 10 + c - '0';
+		if (val > 255)
+		    return (0);
+		c = *src++;
+	    } while (c && isdigit (c));
+            xp[i] = val;
+	    if (c == '\0')
+		break;
+            if (c != '.')
+                return (0);
+	    if (i >= 3)
+		return (0);
+        }
+	memcpy (dst, xp, 4);
+        return (1);
+#ifdef HAVE_IPV6
+    } else if (af == AF_INET6) {
+        return (local_inet_pton (af, src, dst));
+#endif /* HAVE_IPV6 */
+    } else {
+#ifndef NT
+	errno = EAFNOSUPPORT;
+#endif /* NT */
+	return -1;
+    }
+}
+
+/* 
+ * convert prefix information to ascii string with length
+ * thread safe and (almost) re-entrant implementation
+ */
+char *
+prefix_toa2x (prefix_t *prefix, char *buff, int with_len)
+{
+    if (prefix == NULL)
+	return ("(Null)");
+    assert (prefix->ref_count >= 0);
+    if (buff == NULL) {
+
+        struct buffer {
+            char buffs[16][48+5];
+            u_int i;
+        } *buffp;
+
+#    if 0
+	THREAD_SPECIFIC_DATA (struct buffer, buffp, 1);
+#    else
+        { /* for scope only */
+	   static struct buffer local_buff;
+           buffp = &local_buff;
+	}
+#    endif
+	if (buffp == NULL) {
+	    /* XXX should we report an error? */
+	    return (NULL);
+	}
+
+	buff = buffp->buffs[buffp->i++%16];
+    }
+    if (prefix->family == AF_INET) {
+	u_char *a;
+	assert (prefix->bitlen <= 32);
+	a = prefix_touchar (prefix);
+	if (with_len) {
+	    sprintf (buff, "%d.%d.%d.%d/%d", a[0], a[1], a[2], a[3],
+		     prefix->bitlen);
+	}
+	else {
+	    sprintf (buff, "%d.%d.%d.%d", a[0], a[1], a[2], a[3]);
+	}
+	return (buff);
+    }
+#ifdef HAVE_IPV6
+    else if (prefix->family == AF_INET6) {
+	char *r;
+	r = (char *) inet_ntop (AF_INET6, &prefix->add.sin6, buff, 48 /* a guess value */ );
+	if (r && with_len) {
+	    assert (prefix->bitlen <= 128);
+	    sprintf (buff + strlen (buff), "/%d", prefix->bitlen);
+	}
+	return (buff);
+    }
+#endif /* HAVE_IPV6 */
+    else
+	return (NULL);
+}
+
+/* prefix_toa2
+ * convert prefix information to ascii string
+ */
+char *
+prefix_toa2 (prefix_t *prefix, char *buff)
+{
+    return (prefix_toa2x (prefix, buff, 0));
+}
+
+/* prefix_toa
+ */
+char *
+prefix_toa (prefix_t * prefix)
+{
+    return (prefix_toa2 (prefix, (char *) NULL));
+}
+
+prefix_t *
+New_Prefix2 (int family, void *dest, int bitlen, prefix_t *prefix)
+{
+    int dynamic_allocated = 0;
+    int default_bitlen = 32;
+
+#ifdef HAVE_IPV6
+    if (family == AF_INET6) {
+        default_bitlen = 128;
+	if (prefix == NULL) {
+            prefix = calloc(1, sizeof (prefix6_t));
+	    dynamic_allocated++;
+	}
+	memcpy (&prefix->add.sin6, dest, 16);
+    }
+    else
+#endif /* HAVE_IPV6 */
+    if (family == AF_INET) {
+		if (prefix == NULL) {
+#ifndef NT
+            prefix = calloc(1, sizeof (prefix4_t));
+#else
+			//for some reason, compiler is getting
+			//prefix4_t size incorrect on NT
+			prefix = calloc(1, sizeof (prefix_t)); 
+#endif /* NT */
+		
+			dynamic_allocated++;
+		}
+		memcpy (&prefix->add.sin, dest, 4);
+    }
+    else {
+        return (NULL);
+    }
+
+    prefix->bitlen = (bitlen >= 0)? bitlen: default_bitlen;
+    prefix->family = family;
+    prefix->ref_count = 0;
+    if (dynamic_allocated) {
+        prefix->ref_count++;
+   }
+/* fprintf(stderr, "[C %s, %d]\n", prefix_toa (prefix), prefix->ref_count); */
+    return (prefix);
+}
+
+prefix_t *
+New_Prefix (int family, void *dest, int bitlen)
+{
+    return (New_Prefix2 (family, dest, bitlen, NULL));
+}
+
+/* ascii2prefix
+ */
+prefix_t *
+ascii2prefix (int family, char *string)
+{
+    u_long bitlen, maxbitlen = 0;
+    char *cp;
+    struct in_addr sin;
+#ifdef HAVE_IPV6
+    struct in6_addr sin6;
+#endif /* HAVE_IPV6 */
+    int result;
+    char save[MAXLINE];
+
+    if (string == NULL)
+		return (NULL);
+
+    /* easy way to handle both families */
+    if (family == 0) {
+       family = AF_INET;
+#ifdef HAVE_IPV6
+       if (strchr (string, ':')) family = AF_INET6;
+#endif /* HAVE_IPV6 */
+    }
+
+    if (family == AF_INET) {
+		maxbitlen = 32;
+    }
+#ifdef HAVE_IPV6
+    else if (family == AF_INET6) {
+		maxbitlen = 128;
+    }
+#endif /* HAVE_IPV6 */
+
+    if ((cp = strchr (string, '/')) != NULL) {
+		bitlen = atol (cp + 1);
+		/* *cp = '\0'; */
+		/* copy the string to save. Avoid destroying the string */
+		assert (cp - string < MAXLINE);
+		memcpy (save, string, cp - string);
+		save[cp - string] = '\0';
+		string = save;
+		if (bitlen < 0 || bitlen > maxbitlen)
+			bitlen = maxbitlen;
+		}
+		else {
+			bitlen = maxbitlen;
+		}
+
+		if (family == AF_INET) {
+			if ((result = my_inet_pton (AF_INET, string, &sin)) <= 0)
+				return (NULL);
+			return (New_Prefix (AF_INET, &sin, bitlen));
+		}
+
+#ifdef HAVE_IPV6
+		else if (family == AF_INET6) {
+// Get rid of this with next IPv6 upgrade
+#if defined(NT) && !defined(HAVE_INET_NTOP)
+			inet6_addr(string, &sin6);
+			return (New_Prefix (AF_INET6, &sin6, bitlen));
+#else
+			if ((result = local_inet_pton (AF_INET6, string, &sin6)) <= 0)
+				return (NULL);
+#endif /* NT */
+			return (New_Prefix (AF_INET6, &sin6, bitlen));
+		}
+#endif /* HAVE_IPV6 */
+		else
+			return (NULL);
+}
+
+prefix_t *
+Ref_Prefix (prefix_t * prefix)
+{
+    if (prefix == NULL)
+	return (NULL);
+    if (prefix->ref_count == 0) {
+	/* make a copy in case of a static prefix */
+        return (New_Prefix2 (prefix->family, &prefix->add, prefix->bitlen, NULL));
+    }
+    prefix->ref_count++;
+/* fprintf(stderr, "[A %s, %d]\n", prefix_toa (prefix), prefix->ref_count); */
+    return (prefix);
+}
+
+void 
+Deref_Prefix (prefix_t * prefix)
+{
+    if (prefix == NULL)
+	return;
+    /* for secure programming, raise an assert. no static prefix can call this */
+    assert (prefix->ref_count > 0);
+
+    prefix->ref_count--;
+    assert (prefix->ref_count >= 0);
+    if (prefix->ref_count <= 0) {
+	Delete (prefix);
+	return;
+    }
+}
+
+/* } */
+
+/* #define PATRICIA_DEBUG 1 */
+
+static int num_active_patricia = 0;
+
+/* these routines support continuous mask only */
+
+patricia_tree_t *
+New_Patricia (int maxbits)
+{
+    patricia_tree_t *patricia = calloc(1, sizeof *patricia);
+
+    patricia->maxbits = maxbits;
+    patricia->head = NULL;
+    patricia->num_active_node = 0;
+    assert (maxbits <= PATRICIA_MAXBITS); /* XXX */
+    num_active_patricia++;
+    return (patricia);
+}
+
+
+/*
+ * if func is supplied, it will be called as func(node->data)
+ * before deleting the node
+ */
+
+void
+Clear_Patricia (patricia_tree_t *patricia, void_fn_t func)
+{
+    assert (patricia);
+    if (patricia->head) {
+
+        patricia_node_t *Xstack[PATRICIA_MAXBITS+1];
+        patricia_node_t **Xsp = Xstack;
+        patricia_node_t *Xrn = patricia->head;
+
+        while (Xrn) {
+            patricia_node_t *l = Xrn->l;
+            patricia_node_t *r = Xrn->r;
+
+    	    if (Xrn->prefix) {
+		Deref_Prefix (Xrn->prefix);
+		if (Xrn->data && func)
+	    	    func (Xrn->data);
+    	    }
+    	    else {
+		assert (Xrn->data == NULL);
+    	    }
+    	    Delete (Xrn);
+	    patricia->num_active_node--;
+
+            if (l) {
+                if (r) {
+                    *Xsp++ = r;
+                }
+                Xrn = l;
+            } else if (r) {
+                Xrn = r;
+            } else if (Xsp != Xstack) {
+                Xrn = *(--Xsp);
+            } else {
+                Xrn = (patricia_node_t *) 0;
+            }
+        }
+    }
+    assert (patricia->num_active_node == 0);
+    /* Delete (patricia); */
+}
+
+
+void
+Destroy_Patricia (patricia_tree_t *patricia, void_fn_t func)
+{
+    Clear_Patricia (patricia, func);
+    Delete (patricia);
+    num_active_patricia--;
+}
+
+
+/*
+ * if func is supplied, it will be called as func(node->prefix, node->data)
+ */
+
+void
+patricia_process (patricia_tree_t *patricia, void_fn_t func)
+{
+    patricia_node_t *node;
+    assert (func);
+
+    PATRICIA_WALK (patricia->head, node) {
+	func (node->prefix, node->data);
+    } PATRICIA_WALK_END;
+}
+
+
+patricia_node_t *
+patricia_search_exact (patricia_tree_t *patricia, prefix_t *prefix)
+{
+    patricia_node_t *node;
+    u_char *addr;
+    u_int bitlen;
+
+    assert (patricia);
+    assert (prefix);
+    assert (prefix->bitlen <= patricia->maxbits);
+
+    if (patricia->head == NULL)
+	return (NULL);
+
+    node = patricia->head;
+    addr = prefix_touchar (prefix);
+    bitlen = prefix->bitlen;
+
+    while (node->bit < bitlen) {
+
+	if (BIT_TEST (addr[node->bit >> 3], 0x80 >> (node->bit & 0x07))) {
+#ifdef PATRICIA_DEBUG
+	    if (node->prefix)
+    	        fprintf (stderr, "patricia_search_exact: take right %s/%d\n", 
+	                 prefix_toa (node->prefix), node->prefix->bitlen);
+	    else
+    	        fprintf (stderr, "patricia_search_exact: take right at %d\n", 
+			 node->bit);
+#endif /* PATRICIA_DEBUG */
+	    node = node->r;
+	}
+	else {
+#ifdef PATRICIA_DEBUG
+	    if (node->prefix)
+    	        fprintf (stderr, "patricia_search_exact: take left %s/%d\n", 
+	                 prefix_toa (node->prefix), node->prefix->bitlen);
+	    else
+    	        fprintf (stderr, "patricia_search_exact: take left at %d\n", 
+			 node->bit);
+#endif /* PATRICIA_DEBUG */
+	    node = node->l;
+	}
+
+	if (node == NULL)
+	    return (NULL);
+    }
+
+#ifdef PATRICIA_DEBUG
+    if (node->prefix)
+        fprintf (stderr, "patricia_search_exact: stop at %s/%d\n", 
+	         prefix_toa (node->prefix), node->prefix->bitlen);
+    else
+        fprintf (stderr, "patricia_search_exact: stop at %d\n", node->bit);
+#endif /* PATRICIA_DEBUG */
+    if (node->bit > bitlen || node->prefix == NULL)
+	return (NULL);
+    assert (node->bit == bitlen);
+    assert (node->bit == node->prefix->bitlen);
+    if (comp_with_mask (prefix_tochar (node->prefix), prefix_tochar (prefix),
+			bitlen)) {
+#ifdef PATRICIA_DEBUG
+        fprintf (stderr, "patricia_search_exact: found %s/%d\n", 
+	         prefix_toa (node->prefix), node->prefix->bitlen);
+#endif /* PATRICIA_DEBUG */
+	return (node);
+    }
+    return (NULL);
+}
+
+
+/* if inclusive != 0, "best" may be the given prefix itself */
+patricia_node_t *
+patricia_search_best2 (patricia_tree_t *patricia, prefix_t *prefix, int inclusive)
+{
+    patricia_node_t *node;
+    patricia_node_t *stack[PATRICIA_MAXBITS + 1];
+    u_char *addr;
+    u_int bitlen;
+    int cnt = 0;
+
+    assert (patricia);
+    assert (prefix);
+    assert (prefix->bitlen <= patricia->maxbits);
+
+    if (patricia->head == NULL)
+	return (NULL);
+
+    node = patricia->head;
+    addr = prefix_touchar (prefix);
+    bitlen = prefix->bitlen;
+
+    while (node->bit < bitlen) {
+
+	if (node->prefix) {
+#ifdef PATRICIA_DEBUG
+            fprintf (stderr, "patricia_search_best: push %s/%d\n", 
+	             prefix_toa (node->prefix), node->prefix->bitlen);
+#endif /* PATRICIA_DEBUG */
+	    stack[cnt++] = node;
+	}
+
+	if (BIT_TEST (addr[node->bit >> 3], 0x80 >> (node->bit & 0x07))) {
+#ifdef PATRICIA_DEBUG
+	    if (node->prefix)
+    	        fprintf (stderr, "patricia_search_best: take right %s/%d\n", 
+	                 prefix_toa (node->prefix), node->prefix->bitlen);
+	    else
+    	        fprintf (stderr, "patricia_search_best: take right at %d\n", 
+			 node->bit);
+#endif /* PATRICIA_DEBUG */
+	    node = node->r;
+	}
+	else {
+#ifdef PATRICIA_DEBUG
+	    if (node->prefix)
+    	        fprintf (stderr, "patricia_search_best: take left %s/%d\n", 
+	                 prefix_toa (node->prefix), node->prefix->bitlen);
+	    else
+    	        fprintf (stderr, "patricia_search_best: take left at %d\n", 
+			 node->bit);
+#endif /* PATRICIA_DEBUG */
+	    node = node->l;
+	}
+
+	if (node == NULL)
+	    break;
+    }
+
+    if (inclusive && node && node->prefix)
+	stack[cnt++] = node;
+
+#ifdef PATRICIA_DEBUG
+    if (node == NULL)
+        fprintf (stderr, "patricia_search_best: stop at null\n");
+    else if (node->prefix)
+        fprintf (stderr, "patricia_search_best: stop at %s/%d\n", 
+	         prefix_toa (node->prefix), node->prefix->bitlen);
+    else
+        fprintf (stderr, "patricia_search_best: stop at %d\n", node->bit);
+#endif /* PATRICIA_DEBUG */
+
+    if (cnt <= 0)
+	return (NULL);
+
+    while (--cnt >= 0) {
+	node = stack[cnt];
+#ifdef PATRICIA_DEBUG
+        fprintf (stderr, "patricia_search_best: pop %s/%d\n", 
+	         prefix_toa (node->prefix), node->prefix->bitlen);
+#endif /* PATRICIA_DEBUG */
+	if (comp_with_mask (prefix_tochar (node->prefix), 
+			    prefix_tochar (prefix),
+			    node->prefix->bitlen)) {
+#ifdef PATRICIA_DEBUG
+            fprintf (stderr, "patricia_search_best: found %s/%d\n", 
+	             prefix_toa (node->prefix), node->prefix->bitlen);
+#endif /* PATRICIA_DEBUG */
+	    return (node);
+	}
+    }
+    return (NULL);
+}
+
+
+patricia_node_t *
+patricia_search_best (patricia_tree_t *patricia, prefix_t *prefix)
+{
+    return (patricia_search_best2 (patricia, prefix, 1));
+}
+
+
+patricia_node_t *
+patricia_lookup (patricia_tree_t *patricia, prefix_t *prefix)
+{
+    patricia_node_t *node, *new_node, *parent, *glue;
+    u_char *addr, *test_addr;
+    u_int bitlen, check_bit, differ_bit;
+    int i, j, r;
+
+    assert (patricia);
+    assert (prefix);
+    assert (prefix->bitlen <= patricia->maxbits);
+
+    if (patricia->head == NULL) {
+	node = calloc(1, sizeof *node);
+	node->bit = prefix->bitlen;
+	node->prefix = Ref_Prefix (prefix);
+	node->parent = NULL;
+	node->l = node->r = NULL;
+	node->data = NULL;
+	patricia->head = node;
+#ifdef PATRICIA_DEBUG
+	fprintf (stderr, "patricia_lookup: new_node #0 %s/%d (head)\n", 
+		 prefix_toa (prefix), prefix->bitlen);
+#endif /* PATRICIA_DEBUG */
+	patricia->num_active_node++;
+	return (node);
+    }
+
+    addr = prefix_touchar (prefix);
+    bitlen = prefix->bitlen;
+    node = patricia->head;
+
+    while (node->bit < bitlen || node->prefix == NULL) {
+
+	if (node->bit < patricia->maxbits &&
+	    BIT_TEST (addr[node->bit >> 3], 0x80 >> (node->bit & 0x07))) {
+	    if (node->r == NULL)
+		break;
+#ifdef PATRICIA_DEBUG
+	    if (node->prefix)
+    	        fprintf (stderr, "patricia_lookup: take right %s/%d\n", 
+	                 prefix_toa (node->prefix), node->prefix->bitlen);
+	    else
+    	        fprintf (stderr, "patricia_lookup: take right at %d\n", node->bit);
+#endif /* PATRICIA_DEBUG */
+	    node = node->r;
+	}
+	else {
+	    if (node->l == NULL)
+		break;
+#ifdef PATRICIA_DEBUG
+	    if (node->prefix)
+    	        fprintf (stderr, "patricia_lookup: take left %s/%d\n", 
+	             prefix_toa (node->prefix), node->prefix->bitlen);
+	    else
+    	        fprintf (stderr, "patricia_lookup: take left at %d\n", node->bit);
+#endif /* PATRICIA_DEBUG */
+	    node = node->l;
+	}
+
+	assert (node);
+    }
+
+    assert (node->prefix);
+#ifdef PATRICIA_DEBUG
+    fprintf (stderr, "patricia_lookup: stop at %s/%d\n", 
+	     prefix_toa (node->prefix), node->prefix->bitlen);
+#endif /* PATRICIA_DEBUG */
+
+    test_addr = prefix_touchar (node->prefix);
+    /* find the first bit different */
+    check_bit = (node->bit < bitlen)? node->bit: bitlen;
+    differ_bit = 0;
+    for (i = 0; i*8 < check_bit; i++) {
+	if ((r = (addr[i] ^ test_addr[i])) == 0) {
+	    differ_bit = (i + 1) * 8;
+	    continue;
+	}
+	/* I know the better way, but for now */
+	for (j = 0; j < 8; j++) {
+	    if (BIT_TEST (r, (0x80 >> j)))
+		break;
+	}
+	/* must be found */
+	assert (j < 8);
+	differ_bit = i * 8 + j;
+	break;
+    }
+    if (differ_bit > check_bit)
+	differ_bit = check_bit;
+#ifdef PATRICIA_DEBUG
+    fprintf (stderr, "patricia_lookup: differ_bit %d\n", differ_bit);
+#endif /* PATRICIA_DEBUG */
+
+    parent = node->parent;
+    while (parent && parent->bit >= differ_bit) {
+	node = parent;
+	parent = node->parent;
+#ifdef PATRICIA_DEBUG
+	if (node->prefix)
+            fprintf (stderr, "patricia_lookup: up to %s/%d\n", 
+	             prefix_toa (node->prefix), node->prefix->bitlen);
+	else
+            fprintf (stderr, "patricia_lookup: up to %d\n", node->bit);
+#endif /* PATRICIA_DEBUG */
+    }
+
+    if (differ_bit == bitlen && node->bit == bitlen) {
+	if (node->prefix) {
+#ifdef PATRICIA_DEBUG 
+    	    fprintf (stderr, "patricia_lookup: found %s/%d\n", 
+		     prefix_toa (node->prefix), node->prefix->bitlen);
+#endif /* PATRICIA_DEBUG */
+	    return (node);
+	}
+	node->prefix = Ref_Prefix (prefix);
+#ifdef PATRICIA_DEBUG
+	fprintf (stderr, "patricia_lookup: new node #1 %s/%d (glue mod)\n",
+		 prefix_toa (prefix), prefix->bitlen);
+#endif /* PATRICIA_DEBUG */
+	assert (node->data == NULL);
+	return (node);
+    }
+
+    new_node = calloc(1, sizeof *new_node);
+    new_node->bit = prefix->bitlen;
+    new_node->prefix = Ref_Prefix (prefix);
+    new_node->parent = NULL;
+    new_node->l = new_node->r = NULL;
+    new_node->data = NULL;
+    patricia->num_active_node++;
+
+    if (node->bit == differ_bit) {
+	new_node->parent = node;
+	if (node->bit < patricia->maxbits &&
+	    BIT_TEST (addr[node->bit >> 3], 0x80 >> (node->bit & 0x07))) {
+	    assert (node->r == NULL);
+	    node->r = new_node;
+	}
+	else {
+	    assert (node->l == NULL);
+	    node->l = new_node;
+	}
+#ifdef PATRICIA_DEBUG
+	fprintf (stderr, "patricia_lookup: new_node #2 %s/%d (child)\n", 
+		 prefix_toa (prefix), prefix->bitlen);
+#endif /* PATRICIA_DEBUG */
+	return (new_node);
+    }
+
+    if (bitlen == differ_bit) {
+	if (bitlen < patricia->maxbits &&
+	    BIT_TEST (test_addr[bitlen >> 3], 0x80 >> (bitlen & 0x07))) {
+	    new_node->r = node;
+	}
+	else {
+	    new_node->l = node;
+	}
+	new_node->parent = node->parent;
+	if (node->parent == NULL) {
+	    assert (patricia->head == node);
+	    patricia->head = new_node;
+	}
+	else if (node->parent->r == node) {
+	    node->parent->r = new_node;
+	}
+	else {
+	    node->parent->l = new_node;
+	}
+	node->parent = new_node;
+#ifdef PATRICIA_DEBUG
+	fprintf (stderr, "patricia_lookup: new_node #3 %s/%d (parent)\n", 
+		 prefix_toa (prefix), prefix->bitlen);
+#endif /* PATRICIA_DEBUG */
+    }
+    else {
+        glue = calloc(1, sizeof *glue);
+        glue->bit = differ_bit;
+        glue->prefix = NULL;
+        glue->parent = node->parent;
+        glue->data = NULL;
+        patricia->num_active_node++;
+	if (differ_bit < patricia->maxbits &&
+	    BIT_TEST (addr[differ_bit >> 3], 0x80 >> (differ_bit & 0x07))) {
+	    glue->r = new_node;
+	    glue->l = node;
+	}
+	else {
+	    glue->r = node;
+	    glue->l = new_node;
+	}
+	new_node->parent = glue;
+
+	if (node->parent == NULL) {
+	    assert (patricia->head == node);
+	    patricia->head = glue;
+	}
+	else if (node->parent->r == node) {
+	    node->parent->r = glue;
+	}
+	else {
+	    node->parent->l = glue;
+	}
+	node->parent = glue;
+#ifdef PATRICIA_DEBUG
+	fprintf (stderr, "patricia_lookup: new_node #4 %s/%d (glue+node)\n", 
+		 prefix_toa (prefix), prefix->bitlen);
+#endif /* PATRICIA_DEBUG */
+    }
+    return (new_node);
+}
+
+
+void
+patricia_remove (patricia_tree_t *patricia, patricia_node_t *node)
+{
+    patricia_node_t *parent, *child;
+
+    assert (patricia);
+    assert (node);
+
+    if (node->r && node->l) {
+#ifdef PATRICIA_DEBUG
+	fprintf (stderr, "patricia_remove: #0 %s/%d (r & l)\n", 
+		 prefix_toa (node->prefix), node->prefix->bitlen);
+#endif /* PATRICIA_DEBUG */
+	
+	/* this might be a placeholder node -- have to check and make sure
+	 * there is a prefix aossciated with it ! */
+	if (node->prefix != NULL) 
+	  Deref_Prefix (node->prefix);
+	node->prefix = NULL;
+	/* Also I needed to clear data pointer -- masaki */
+	node->data = NULL;
+	return;
+    }
+
+    if (node->r == NULL && node->l == NULL) {
+#ifdef PATRICIA_DEBUG
+	fprintf (stderr, "patricia_remove: #1 %s/%d (!r & !l)\n", 
+		 prefix_toa (node->prefix), node->prefix->bitlen);
+#endif /* PATRICIA_DEBUG */
+	parent = node->parent;
+	Deref_Prefix (node->prefix);
+	Delete (node);
+        patricia->num_active_node--;
+
+	if (parent == NULL) {
+	    assert (patricia->head == node);
+	    patricia->head = NULL;
+	    return;
+	}
+
+	if (parent->r == node) {
+	    parent->r = NULL;
+	    child = parent->l;
+	}
+	else {
+	    assert (parent->l == node);
+	    parent->l = NULL;
+	    child = parent->r;
+	}
+
+	if (parent->prefix)
+	    return;
+
+	/* we need to remove parent too */
+
+	if (parent->parent == NULL) {
+	    assert (patricia->head == parent);
+	    patricia->head = child;
+	}
+	else if (parent->parent->r == parent) {
+	    parent->parent->r = child;
+	}
+	else {
+	    assert (parent->parent->l == parent);
+	    parent->parent->l = child;
+	}
+	child->parent = parent->parent;
+	Delete (parent);
+        patricia->num_active_node--;
+	return;
+    }
+
+#ifdef PATRICIA_DEBUG
+    fprintf (stderr, "patricia_remove: #2 %s/%d (r ^ l)\n", 
+	     prefix_toa (node->prefix), node->prefix->bitlen);
+#endif /* PATRICIA_DEBUG */
+    if (node->r) {
+	child = node->r;
+    }
+    else {
+	assert (node->l);
+	child = node->l;
+    }
+    parent = node->parent;
+    child->parent = parent;
+
+    Deref_Prefix (node->prefix);
+    Delete (node);
+    patricia->num_active_node--;
+
+    if (parent == NULL) {
+	assert (patricia->head == node);
+	patricia->head = child;
+	return;
+    }
+
+    if (parent->r == node) {
+	parent->r = child;
+    }
+    else {
+        assert (parent->l == node);
+	parent->l = child;
+    }
+}
+
+/* { from demo.c */
+
+patricia_node_t *
+make_and_lookup (patricia_tree_t *tree, char *string)
+{
+    prefix_t *prefix;
+    patricia_node_t *node;
+
+    prefix = ascii2prefix (AF_INET, string);
+    printf ("make_and_lookup: %s/%d\n", prefix_toa (prefix), prefix->bitlen);
+    node = patricia_lookup (tree, prefix);
+    Deref_Prefix (prefix);
+    return (node);
+}
+
+patricia_node_t *
+try_search_exact (patricia_tree_t *tree, char *string)
+{
+    prefix_t *prefix;
+    patricia_node_t *node;
+
+    prefix = ascii2prefix (AF_INET, string);
+    printf ("try_search_exact: %s/%d\n", prefix_toa (prefix), prefix->bitlen);
+    if ((node = patricia_search_exact (tree, prefix)) == NULL) {
+        printf ("try_search_exact: not found\n");
+    }
+    else {
+        printf ("try_search_exact: %s/%d found\n", 
+	        prefix_toa (node->prefix), node->prefix->bitlen);
+    }
+    Deref_Prefix (prefix);
+    return (node);
+}
+
+void
+lookup_then_remove (patricia_tree_t *tree, char *string)
+{
+    patricia_node_t *node;
+
+    if ((node = try_search_exact (tree, string)))
+        patricia_remove (tree, node);
+}
+
+patricia_node_t *
+try_search_best (patricia_tree_t *tree, char *string)
+{
+    prefix_t *prefix;
+    patricia_node_t *node;
+
+    prefix = ascii2prefix (AF_INET, string);
+    printf ("try_search_best: %s/%d\n", prefix_toa (prefix), prefix->bitlen);
+    if ((node = patricia_search_best (tree, prefix)) == NULL)
+        printf ("try_search_best: not found\n");
+    else
+        printf ("try_search_best: %s/%d found\n", 
+	        prefix_toa (node->prefix), node->prefix->bitlen);
+    Deref_Prefix (prefix);
+    return 0; // [RS] What is supposed to be returned here?
+ }
+
+/* } */
diff --git a/aux/broctl/aux/pysubnettree/patricia.h b/aux/broctl/aux/pysubnettree/patricia.h
new file mode 100644
index 0000000000..ef7c5bf89f
--- /dev/null
+++ b/aux/broctl/aux/pysubnettree/patricia.h
@@ -0,0 +1,179 @@
+/*
+ * $Id: patricia.h 6811 2009-07-06 20:41:10Z robin $
+ * Dave Plonka <plonka@doit.wisc.edu>
+ *
+ * This product includes software developed by the University of Michigan,
+ * Merit Network, Inc., and their contributors. 
+ *
+ * This file had been called "radix.h" in the MRT sources.
+ *
+ * I renamed it to "patricia.h" since it's not an implementation of a general
+ * radix trie.  Also, pulled in various requirements from "mrt.h" and added
+ * some other things it could be used as a standalone API.
+ */
+
+/* From copyright.txt:
+ * 
+ * Copyright (c) 1997, 1998, 1999
+ * 
+ * 
+ * The Regents of the University of Michigan ("The Regents") and Merit Network,
+ * Inc.  All rights reserved.
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ * 1.  Redistributions of source code must retain the above 
+ *     copyright notice, this list of conditions and the 
+ *     following disclaimer.
+ * 2.  Redistributions in binary form must reproduce the above 
+ *     copyright notice, this list of conditions and the 
+ *     following disclaimer in the documentation and/or other 
+ *     materials provided with the distribution.
+ * 3.  All advertising materials mentioning features or use of 
+ *     this software must display the following acknowledgement:  
+ * This product includes software developed by the University of Michigan, Merit
+ * Network, Inc., and their contributors. 
+ * 4.  Neither the name of the University, Merit Network, nor the
+ *     names of their contributors may be used to endorse or 
+ *     promote products derived from this software without 
+ *     specific prior written permission.
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS "AS IS" AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY
+ * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.  
+ */
+
+#ifndef _PATRICIA_H
+#define _PATRICIA_H
+
+#include <sys/types.h>
+
+/* typedef unsigned int u_int; */
+typedef void (*void_fn_t)();
+/* { from defs.h */
+#define prefix_touchar(prefix) ((u_char *)&(prefix)->add.sin)
+#define MAXLINE 1024
+#define BIT_TEST(f, b)  ((f) & (b))
+/* } */
+
+#define addroute make_and_lookup
+
+#include <netinet/in.h> /* for struct in_addr */
+
+#include <sys/socket.h> /* for AF_INET */
+
+/* { from mrt.h */
+
+typedef struct _prefix4_t {
+    u_short family;		/* AF_INET | AF_INET6 */
+    u_short bitlen;		/* same as mask? */
+    int ref_count;		/* reference count */
+    struct in_addr sin;
+} prefix4_t;
+
+typedef struct _prefix_t {
+    u_short family;		/* AF_INET | AF_INET6 */
+    u_short bitlen;		/* same as mask? */
+    int ref_count;		/* reference count */
+    union {
+		struct in_addr sin;
+#ifdef HAVE_IPV6
+		struct in6_addr sin6;
+#endif /* IPV6 */
+    } add;
+} prefix_t;
+
+/* } */
+
+typedef struct _patricia_node_t {
+   u_int bit;			/* flag if this node used */
+   prefix_t *prefix;		/* who we are in patricia tree */
+   struct _patricia_node_t *l, *r;	/* left and right children */
+   struct _patricia_node_t *parent;/* may be used */
+   void *data;			/* pointer to data */
+   void	*user1;			/* pointer to usr data (ex. route flap info) */
+} patricia_node_t;
+
+typedef struct _patricia_tree_t {
+   patricia_node_t 	*head;
+   u_int		maxbits;	/* for IP, 32 bit addresses */
+   int num_active_node;		/* for debug purpose */
+} patricia_tree_t;
+
+
+patricia_node_t *patricia_search_exact (patricia_tree_t *patricia, prefix_t *prefix);
+patricia_node_t *patricia_search_best (patricia_tree_t *patricia, prefix_t *prefix);
+patricia_node_t * patricia_search_best2 (patricia_tree_t *patricia, prefix_t *prefix, 
+				   int inclusive);
+patricia_node_t *patricia_lookup (patricia_tree_t *patricia, prefix_t *prefix);
+void patricia_remove (patricia_tree_t *patricia, patricia_node_t *node);
+patricia_tree_t *New_Patricia (int maxbits);
+void Clear_Patricia (patricia_tree_t *patricia, void_fn_t func);
+void Destroy_Patricia (patricia_tree_t *patricia, void_fn_t func);
+void patricia_process (patricia_tree_t *patricia, void_fn_t func);
+
+void Deref_Prefix (prefix_t * prefix);
+
+/* { from demo.c */
+
+prefix_t *
+ascii2prefix (int family, char *string);
+
+patricia_node_t *
+make_and_lookup (patricia_tree_t *tree, char *string);
+
+/* } */
+
+#define PATRICIA_MAXBITS 128
+#define PATRICIA_NBIT(x)        (0x80 >> ((x) & 0x7f))
+#define PATRICIA_NBYTE(x)       ((x) >> 3)
+
+#define PATRICIA_DATA_GET(node, type) (type *)((node)->data)
+#define PATRICIA_DATA_SET(node, value) ((node)->data = (void *)(value))
+
+#define PATRICIA_WALK(Xhead, Xnode) \
+    do { \
+        patricia_node_t *Xstack[PATRICIA_MAXBITS+1]; \
+        patricia_node_t **Xsp = Xstack; \
+        patricia_node_t *Xrn = (Xhead); \
+        while ((Xnode = Xrn)) { \
+            if (Xnode->prefix)
+
+#define PATRICIA_WALK_ALL(Xhead, Xnode) \
+do { \
+        patricia_node_t *Xstack[PATRICIA_MAXBITS+1]; \
+        patricia_node_t **Xsp = Xstack; \
+        patricia_node_t *Xrn = (Xhead); \
+        while ((Xnode = Xrn)) { \
+	    if (1)
+
+#define PATRICIA_WALK_BREAK { \
+	    if (Xsp != Xstack) { \
+		Xrn = *(--Xsp); \
+	     } else { \
+		Xrn = (patricia_node_t *) 0; \
+	    } \
+	    continue; }
+
+#define PATRICIA_WALK_END \
+            if (Xrn->l) { \
+                if (Xrn->r) { \
+                    *Xsp++ = Xrn->r; \
+                } \
+                Xrn = Xrn->l; \
+            } else if (Xrn->r) { \
+                Xrn = Xrn->r; \
+            } else if (Xsp != Xstack) { \
+                Xrn = *(--Xsp); \
+            } else { \
+                Xrn = (patricia_node_t *) 0; \
+            } \
+        } \
+    } while (0)
+
+#endif /* _PATRICIA_H */
diff --git a/aux/broctl/aux/pysubnettree/setup.py b/aux/broctl/aux/pysubnettree/setup.py
new file mode 100644
index 0000000000..d0b697d490
--- /dev/null
+++ b/aux/broctl/aux/pysubnettree/setup.py
@@ -0,0 +1,18 @@
+#! /usr/bin/env python
+
+import sys
+
+from distutils.core import setup, Extension
+
+setup(name="pysubnettree", 
+    version="0.12",
+    author="Robin Sommer",
+    author_email="robin@icir.org",
+    license="BSD",
+    url="http://www.icir.org/robin/pysubnettree",
+    py_modules=['SubnetTree'],
+    ext_modules = [ 
+        Extension("_SubnetTree", ["SubnetTree.cc", "patricia.c", "SubnetTree_wrap.cc"]), 
+        ] 
+)
+
diff --git a/aux/broctl/aux/pysubnettree/test.py b/aux/broctl/aux/pysubnettree/test.py
new file mode 100644
index 0000000000..0642c755d1
--- /dev/null
+++ b/aux/broctl/aux/pysubnettree/test.py
@@ -0,0 +1,86 @@
+#! /usr/bin/env python
+
+import socket
+import SubnetTree
+
+t = SubnetTree.SubnetTree()
+
+t.insert("1.2.3.4/16")
+
+if "1.2.3.255" in t:
+    print "yes [correct]"
+else:
+    print "no [incorrect]"
+
+if socket.inet_aton("1.2.3.255") in t:
+    print "yes [correct]"
+else:
+    print "no [incorrect]"
+    
+if "1.3.3.255" in t:
+    print "yes [correct]"
+else:
+    print "no [correct]"
+
+if socket.inet_aton("1.3.3.255") in t:
+    print "yes [correct]"
+else:
+    print "no [correct]"
+    
+if socket.inet_aton("0.1.2.3") in t:
+    print "yes [incorrect]"
+else:
+    print "no [correct]"
+
+t["4.3.2.1/8"] = "indexing works [correct]"
+print t["4.3.255.255"]
+
+try:
+    print t["42.42.42.42"],
+    print "[incorect]"
+except KeyError:
+    print "catching lookup failure [correct]"
+
+del t["4.3.2.1/8"]
+
+try:
+    print t["4.3.2.1/8"],
+    print "[incorect]"
+except KeyError:
+    print "del works [correct]"
+
+try:
+    t["a.b.c.d/error"] = 5
+except IndexError:
+    print "catching parsing errors [correct]"
+
+try:
+    print None in t,
+    print "should not be printed [incorrect]"
+except TypeError:
+    print "catching None lookup [correct]"
+    
+try:    
+    t[None] = "should fail"   
+    print "should not be printed [incorrect]"
+except TypeError:
+    print "catching None assignment [correct]"
+    
+try: 
+    print t[None], 
+    print "should not be printed [incorrect]"
+except TypeError:
+    print "catching None access [correct]"
+
+try: 
+    del t[None],
+    print "should not be printed [incorrect]"
+except TypeError:
+    print "catching None delete [correct]"
+
+try: 
+    print t[42],
+    print "should not be printed [incorrect]"
+except TypeError:
+    print "catching integer lookup [correct]"
+
diff --git a/aux/broctl/aux/trace-summary/CHANGES b/aux/broctl/aux/trace-summary/CHANGES
new file mode 100644
index 0000000000..683fcec38e
--- /dev/null
+++ b/aux/broctl/aux/trace-summary/CHANGES
@@ -0,0 +1,4 @@
+
+0.6  -  License changed to BSD-style. 
+
+0.5  -  First release.
diff --git a/aux/broctl/aux/trace-summary/COPYING b/aux/broctl/aux/trace-summary/COPYING
new file mode 100644
index 0000000000..03a48c452f
--- /dev/null
+++ b/aux/broctl/aux/trace-summary/COPYING
@@ -0,0 +1,35 @@
+
+Copyright (c) 2007-2009, Robin Sommer
+
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions
+are met:
+
+    * Redistributions of source code must retain the above copyright
+      notice, this list of conditions and the following disclaimer.
+      
+    * Redistributions in binary form must reproduce the above
+      copyright notice, this list of conditions and the following
+      disclaimer in the documentation and/or other materials provided
+      with the distribution.
+      
+    * Neither the name of the International Computer Science
+      Institute nor the names of its contributors may be used to
+      endorse or promote products derived from this software without
+      specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGE.
+
diff --git a/aux/broctl/aux/trace-summary/Makefile b/aux/broctl/aux/trace-summary/Makefile
new file mode 100644
index 0000000000..2cca32cb62
--- /dev/null
+++ b/aux/broctl/aux/trace-summary/Makefile
@@ -0,0 +1,19 @@
+
+DISTFILES = README README.html COPYING CHANGES Makefile trace-summary 
+
+VERSION=$(shell grep ^Version trace-summary | awk 'BEGIN{IFS="[= ]}"}{print $$3}')
+DISTDIR=trace-summary-$(VERSION)
+
+doc: README.html
+
+README.html: README
+	asciidoc -a toc -b xhtml11-custom README
+    
+dist: doc
+	rm -rf $(DISTDIR)
+	mkdir $(DISTDIR)
+	cp $(DISTFILES) $(DISTDIR)
+	tar czvf $(DISTDIR).tgz $(DISTDIR)
+	rm -rf $(DISTDIR)
+	     
+
diff --git a/aux/broctl/aux/trace-summary/README b/aux/broctl/aux/trace-summary/README
new file mode 100644
index 0000000000..bcfa4e1672
--- /dev/null
+++ b/aux/broctl/aux/trace-summary/README
@@ -0,0 +1,129 @@
+//	-*- AsciiDoc -*-
+trace-summary - Generating network traffic summaries.
+=====================================================
+
+Overview
+--------
+
++trace-summary+ is a Python script which generates break-downs of
+network traffic, including lists of the top hosts, protocols, ports,
+etc. Optionally, it can generate output separately for incoming vs.
+outgoing traffic, per subnet, and per time-interval.
+
+The script reads both packet traces in
+http://www.tcpdump.org[+libpcap+] format and connection logs 
+produced by the http://www.bro-ids.org[Bro] network intrusion
+detection system. 
+
+Here are two example outputs in the most basic form (note that IP
+addresses are 'anonymized'). The first is from a packet trace and
+the second from a Bro connection log:
+
+
+ >== Total === 2005-01-06-14-23-33 - 2005-01-06-15-23-43
+   - Bytes 918.3m - Payload 846.3m - Pkts 1.8m - Frags   0.9% - MBit/s      1.9 - 
+     Ports        | Sources                   | Destinations              | Protocols |
+     80     33.8% | 131.243.89.214       8.5% | 131.243.89.214       7.7% | 6   76.0% | 
+     22     16.7% | 128.3.2.102          6.2% | 128.3.2.102          5.4% | 17  23.3% | 
+     11001  12.4% | 204.116.120.26       4.8% | 131.243.89.4         4.8% | 1    0.5% | 
+     2049   10.7% | 128.3.161.32         3.6% | 131.243.88.227       3.6% |           | 
+     1023   10.6% | 131.243.89.4         3.5% | 204.116.120.26       3.4% |           | 
+     993     8.2% | 128.3.164.194        2.7% | 131.243.89.64        3.1% |           | 
+     1049    8.1% | 128.3.164.15         2.4% | 128.3.164.229        2.9% |           | 
+     524     6.6% | 128.55.82.146        2.4% | 131.243.89.155       2.5% |           | 
+     33305   4.5% | 131.243.88.227       2.3% | 128.3.161.32         2.3% |           | 
+     1085    3.7% | 131.243.89.155       2.3% | 128.55.82.146        2.1% |           | 
+
+
+ >== Total === 2005-01-06-14-23-33 - 2005-01-06-15-23-42
+   - Connections 43.4k - Payload 398.4m - 
+     Ports        | Sources                   | Destinations              | Services           | Protocols | States        |
+     80     21.7% | 207.240.215.71       3.0% | 239.255.255.253      8.0% | other        51.0% | 17  55.8% | S0      46.2% | 
+     427    13.0% | 131.243.91.71        2.2% | 131.243.91.255       4.0% | http         21.7% | 6   36.4% | SF      30.1% | 
+     443     3.8% | 128.3.161.76         1.7% | 131.243.89.138       2.1% | i-echo        7.3% | 1    7.7% | OTH      7.8% | 
+     138     3.7% | 131.243.90.138       1.6% | 255.255.255.255      1.7% | https         3.8% |           | RSTO     5.8% | 
+     515     2.4% | 131.243.88.159       1.6% | 128.3.97.204         1.5% | nb-dgm        3.7% |           | SHR      4.4% | 
+     11001   2.3% | 131.243.88.202       1.4% | 131.243.88.107       1.1% | printer       2.4% |           | REJ      3.0% | 
+     53      1.9% | 131.243.89.250       1.4% | 117.72.94.10         1.1% | dns           1.9% |           | S1       1.0% | 
+     161     1.6% | 131.243.89.80        1.3% | 131.243.88.64        1.1% | snmp          1.6% |           | RSTR     0.9% | 
+     137     1.4% | 131.243.90.52        1.3% | 131.243.88.159       1.1% | nb-ns         1.4% |           | SH       0.3% | 
+     2222    1.1% | 128.3.161.252        1.2% | 131.243.91.92        1.1% | ntp           1.0% |           | RSTRH    0.2% | 
+
+
+Download
+--------
+
+Download http://www.icir.org/robin/trace-summary-0.5.tar.gz[+trace-summary-0.5.tar.gz+]
+
+Prerequisites
+-------------
+
+* This script requires Python 2.4 or newer.
+
+* It also requires the installation of
+  - the http://www.icir.org/robin/pysubnettree[+pysubnettree+] Python module, and
+  - Eddie Kohler's http://www.cs.ucla.edu/~kohler/ipsumdump[+ipsumdump+] 
+
+Installation
+------------
+
+Simply copy the script into some directory which is in your +PATH+.
+
+Usage
+-----
+
+The general usage is 
+
+   trace-summary [options] [input-file]
+
+Per default, it assumes the +input-file+ to be a +libpcap+ trace
+file. If it is a Bro connection log, use +-c+. If +input-file+ is
+not given, the script reads from stdin. It writes its output to
+stdout. 
+
+Options
+~~~~~~~
+
+There are a bunch of options. The most important ones summmarized
+below. Run +trace-summary \--help+ to see the full list including
+some more estoric ones. 
+
+*-c*::         Input is a Bro connection log instead of a +libpcap+ trace
+               file.
+
+*-b*::         Counts all percentages in bytes rather than number of
+               packets/connections.
+       
+*-E <file>*::  Gives a file which contains a list of networks to
+               ignore for the analysis. The file must contain one
+               network per line, where each network is of the CIDR
+               form +a.b.c.d/mask+. Empty lines and lines starting
+               with a "#" are ignored. 
+
+*-i <duration>*:: Creates totals for each time interval of the given
+                  length (default is seconds; add "+m+" for minutes
+                  and "+h+" for hours). Use +-v+ if you also want to
+                  see the breakdowns for each interval.
+
+*-l <file>*::  Generates separate summaries for incoming and outgoing
+               traffic. +<file>+ is a file which contains a list of
+               networks to be considered local. Format as for +-E+.
+               
+*-n <n>*:: Show top n entries in each break-down.
+               Default is 10.
+              
+*-r*::         Resolves hostnames in the output.       
+
+*-s <n>*::     Gives the sample factor if the input has been sampled.
+
+*-S <n>*::     Sample input with the given factor; less accurate but
+               faster and saves memory.
+
+*-m*::         Does skip memory-expensive statistics.
+
+*-v*::         Generates full break-downs for each time interval. 
+               Requires +-i+.
+    
+
+
+
diff --git a/aux/broctl/aux/trace-summary/README.html b/aux/broctl/aux/trace-summary/README.html
new file mode 100644
index 0000000000..8e6c6b59e3
--- /dev/null
+++ b/aux/broctl/aux/trace-summary/README.html
@@ -0,0 +1,592 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
+    "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
+<meta name="generator" content="AsciiDoc 8.2.2" />
+<style type="text/css">
+/* Debug borders */
+p, li, dt, dd, div, pre, h1, h2, h3, h4, h5, h6 {
+/*
+  border: 1px solid red;
+*/
+}
+
+body {
+  margin: 1em 5% 1em 5%;
+}
+
+a {
+  color: blue;
+  text-decoration: underline;
+}
+a:visited {
+  color: fuchsia;
+}
+
+em {
+  font-style: italic;
+}
+
+strong {
+  font-weight: bold;
+}
+
+tt {
+  color: navy;
+}
+
+h1, h2, h3, h4, h5, h6 {
+  color: #527bbd;
+  font-family: sans-serif;
+  margin-top: 1.2em;
+  margin-bottom: 0.5em;
+  line-height: 1.3;
+}
+
+h1 {
+  border-bottom: 2px solid silver;
+}
+h2 {
+  border-bottom: 2px solid silver;
+  padding-top: 0.5em;
+}
+
+div.sectionbody {
+  font-family: serif;
+  margin-left: 0;
+}
+
+hr {
+  border: 1px solid silver;
+}
+
+p {
+  margin-top: 0.5em;
+  margin-bottom: 0.5em;
+}
+
+pre {
+  padding: 0;
+  margin: 0;
+}
+
+span#author {
+  color: #527bbd;
+  font-family: sans-serif;
+  font-weight: bold;
+  font-size: 1.1em;
+}
+span#email {
+}
+span#revision {
+  font-family: sans-serif;
+}
+
+div#footer {
+  font-family: sans-serif;
+  font-size: small;
+  border-top: 2px solid silver;
+  padding-top: 0.5em;
+  margin-top: 4.0em;
+}
+div#footer-text {
+  line-height: 1.3;
+  float: left;
+  padding-bottom: 0.5em;
+}
+div#footer-badges {
+  float: right;
+  padding-bottom: 0.5em;
+}
+
+div#preamble,
+div.tableblock, div.imageblock, div.exampleblock, div.verseblock,
+div.quoteblock, div.literalblock, div.listingblock, div.sidebarblock,
+div.admonitionblock {
+  margin-right: 10%;
+  margin-top: 1.5em;
+  margin-bottom: 1.5em;
+}
+div.admonitionblock {
+  margin-top: 2.5em;
+  margin-bottom: 2.5em;
+}
+
+div.content { /* Block element content. */
+  padding: 0;
+}
+
+/* Block element titles. */
+div.title, caption.title {
+  font-family: sans-serif;
+  font-weight: bold;
+  text-align: left;
+  margin-top: 1.0em;
+  margin-bottom: 0.5em;
+}
+div.title + * {
+  margin-top: 0;
+}
+
+td div.title:first-child {
+  margin-top: 0.0em;
+}
+div.content div.title:first-child {
+  margin-top: 0.0em;
+}
+div.content + div.title {
+  margin-top: 0.0em;
+}
+
+div.sidebarblock > div.content {
+  background: #ffffee;
+  border: 1px solid silver;
+  padding: 0.5em;
+}
+
+div.listingblock {
+  margin-right: 0%;
+}
+div.listingblock > div.content {
+  border: 1px solid silver;
+  background: #f4f4f4;
+  padding: 0.5em;
+}
+
+div.quoteblock > div.content {
+  padding-left: 2.0em;
+}
+
+div.attribution {
+  text-align: right;
+}
+div.verseblock + div.attribution {
+  text-align: left;
+}
+
+div.admonitionblock .icon {
+  vertical-align: top;
+  font-size: 1.1em;
+  font-weight: bold;
+  text-decoration: underline;
+  color: #527bbd;
+  padding-right: 0.5em;
+}
+div.admonitionblock td.content {
+  padding-left: 0.5em;
+  border-left: 2px solid silver;
+}
+
+div.exampleblock > div.content {
+  border-left: 2px solid silver;
+  padding: 0.5em;
+}
+
+div.verseblock div.content {
+  white-space: pre;
+}
+
+div.imageblock div.content { padding-left: 0; }
+div.imageblock img { border: 1px solid silver; }
+span.image img { border-style: none; }
+
+dl {
+  margin-top: 0.8em;
+  margin-bottom: 0.8em;
+}
+dt {
+  margin-top: 0.5em;
+  margin-bottom: 0;
+  font-style: italic;
+}
+dd > *:first-child {
+  margin-top: 0;
+}
+
+ul, ol {
+    list-style-position: outside;
+}
+ol.olist2 {
+  list-style-type: lower-alpha;
+}
+
+div.tableblock > table {
+  border: 3px solid #527bbd;
+}
+thead {
+  font-family: sans-serif;
+  font-weight: bold;
+}
+tfoot {
+  font-weight: bold;
+}
+
+div.hlist {
+  margin-top: 0.8em;
+  margin-bottom: 0.8em;
+}
+div.hlist td {
+  padding-bottom: 5px;
+}
+td.hlist1 {
+  vertical-align: top;
+  font-style: italic;
+  padding-right: 0.8em;
+}
+td.hlist2 {
+  vertical-align: top;
+}
+
+@media print {
+  div#footer-badges { display: none; }
+}
+
+div#toctitle {
+  color: #527bbd;
+  font-family: sans-serif;
+  font-size: 1.1em;
+  font-weight: bold;
+  margin-top: 1.0em;
+  margin-bottom: 0.1em;
+}
+
+div.toclevel1, div.toclevel2, div.toclevel3, div.toclevel4 {
+  margin-top: 0;
+  margin-bottom: 0;
+}
+div.toclevel2 {
+  margin-left: 2em;
+  font-size: 0.9em;
+}
+div.toclevel3 {
+  margin-left: 4em;
+  font-size: 0.9em;
+}
+div.toclevel4 {
+  margin-left: 6em;
+  font-size: 0.9em;
+}
+/* Workarounds for IE6's broken and incomplete CSS2. */
+
+div.sidebar-content {
+  background: #ffffee;
+  border: 1px solid silver;
+  padding: 0.5em;
+}
+div.sidebar-title, div.image-title {
+  font-family: sans-serif;
+  font-weight: bold;
+  margin-top: 0.0em;
+  margin-bottom: 0.5em;
+}
+
+div.listingblock div.content {
+  border: 1px solid silver;
+  background: #f4f4f4;
+  padding: 0.5em;
+}
+
+div.quoteblock-content {
+  padding-left: 2.0em;
+}
+
+div.exampleblock-content {
+  border-left: 2px solid silver;
+  padding-left: 0.5em;
+}
+
+/* IE6 sets dynamically generated links as visited. */
+div#toc a:visited { color: blue; }
+</style>
+<script type="text/javascript">
+/*<![CDATA[*/
+window.onload = function(){generateToc(2)}
+/* Author: Mihai Bazon, September 2002
+ * http://students.infoiasi.ro/~mishoo
+ *
+ * Table Of Content generator
+ * Version: 0.4
+ *
+ * Feel free to use this script under the terms of the GNU General Public
+ * License, as long as you do not remove or alter this notice.
+ */
+
+ /* modified by Troy D. Hanson, September 2006. License: GPL */
+ /* modified by Stuart Rackham, October 2006. License: GPL */
+
+function getText(el) {
+  var text = "";
+  for (var i = el.firstChild; i != null; i = i.nextSibling) {
+    if (i.nodeType == 3 /* Node.TEXT_NODE */) // IE doesn't speak constants.
+      text += i.data;
+    else if (i.firstChild != null)
+      text += getText(i);
+  }
+  return text;
+}
+
+function TocEntry(el, text, toclevel) {
+  this.element = el;
+  this.text = text;
+  this.toclevel = toclevel;
+}
+
+function tocEntries(el, toclevels) {
+  var result = new Array;
+  var re = new RegExp('[hH]([2-'+(toclevels+1)+'])');
+  // Function that scans the DOM tree for header elements (the DOM2
+  // nodeIterator API would be a better technique but not supported by all
+  // browsers).
+  var iterate = function (el) {
+    for (var i = el.firstChild; i != null; i = i.nextSibling) {
+      if (i.nodeType == 1 /* Node.ELEMENT_NODE */) {
+        var mo = re.exec(i.tagName)
+        if (mo)
+          result[result.length] = new TocEntry(i, getText(i), mo[1]-1);
+        iterate(i);
+      }
+    }
+  }
+  iterate(el);
+  return result;
+}
+
+// This function does the work. toclevels = 1..4.
+function generateToc(toclevels) {
+  var toc = document.getElementById("toc");
+  var entries = tocEntries(document.getElementsByTagName("body")[0], toclevels);
+  for (var i = 0; i < entries.length; ++i) {
+    var entry = entries[i];
+    if (entry.element.id == "")
+      entry.element.id = "toc" + i;
+    var a = document.createElement("a");
+    a.href = "#" + entry.element.id;
+    a.appendChild(document.createTextNode(entry.text));
+    var div = document.createElement("div");
+    div.appendChild(a);
+    div.className = "toclevel" + entry.toclevel;
+    toc.appendChild(div);
+  }
+}
+/*]]>*/
+</script>
+<title>trace-summary - Generating network traffic summaries.</title>
+</head>
+<body>
+<div id="header">
+<h1>trace-summary - Generating network traffic summaries.</h1>
+<div id="toc">
+  <div id="toctitle">Table of Contents</div>
+  <noscript><p><b>JavaScript must be enabled in your browser to display the table of contents.</b></p></noscript>
+</div>
+</div>
+<h2>Overview</h2>
+<div class="sectionbody">
+<p><tt>trace-summary</tt> is a Python script which generates break-downs of
+network traffic, including lists of the top hosts, protocols, ports,
+etc. Optionally, it can generate output separately for incoming vs.
+outgoing traffic, per subnet, and per time-interval.</p>
+<p>The script reads both packet traces in
+<a href="http://www.tcpdump.org"><tt>libpcap</tt></a> format and connection logs
+produced by the <a href="http://www.bro-ids.org">Bro</a> network intrusion
+detection system.</p>
+<p>Here are two example outputs in the most basic form (note that IP
+addresses are <em>anonymized</em>). The first is from a packet trace and
+the second from a Bro connection log:</p>
+<div class="literalblock">
+<div class="content">
+<pre><tt>&gt;== Total === 2005-01-06-14-23-33 - 2005-01-06-15-23-43
+  - Bytes 918.3m - Payload 846.3m - Pkts 1.8m - Frags   0.9% - MBit/s      1.9 -
+    Ports        | Sources                   | Destinations              | Protocols |
+    80     33.8% | 131.243.89.214       8.5% | 131.243.89.214       7.7% | 6   76.0% |
+    22     16.7% | 128.3.2.102          6.2% | 128.3.2.102          5.4% | 17  23.3% |
+    11001  12.4% | 204.116.120.26       4.8% | 131.243.89.4         4.8% | 1    0.5% |
+    2049   10.7% | 128.3.161.32         3.6% | 131.243.88.227       3.6% |           |
+    1023   10.6% | 131.243.89.4         3.5% | 204.116.120.26       3.4% |           |
+    993     8.2% | 128.3.164.194        2.7% | 131.243.89.64        3.1% |           |
+    1049    8.1% | 128.3.164.15         2.4% | 128.3.164.229        2.9% |           |
+    524     6.6% | 128.55.82.146        2.4% | 131.243.89.155       2.5% |           |
+    33305   4.5% | 131.243.88.227       2.3% | 128.3.161.32         2.3% |           |
+    1085    3.7% | 131.243.89.155       2.3% | 128.55.82.146        2.1% |           |</tt></pre>
+</div></div>
+<div class="literalblock">
+<div class="content">
+<pre><tt>&gt;== Total === 2005-01-06-14-23-33 - 2005-01-06-15-23-42
+  - Connections 43.4k - Payload 398.4m -
+    Ports        | Sources                   | Destinations              | Services           | Protocols | States        |
+    80     21.7% | 207.240.215.71       3.0% | 239.255.255.253      8.0% | other        51.0% | 17  55.8% | S0      46.2% |
+    427    13.0% | 131.243.91.71        2.2% | 131.243.91.255       4.0% | http         21.7% | 6   36.4% | SF      30.1% |
+    443     3.8% | 128.3.161.76         1.7% | 131.243.89.138       2.1% | i-echo        7.3% | 1    7.7% | OTH      7.8% |
+    138     3.7% | 131.243.90.138       1.6% | 255.255.255.255      1.7% | https         3.8% |           | RSTO     5.8% |
+    515     2.4% | 131.243.88.159       1.6% | 128.3.97.204         1.5% | nb-dgm        3.7% |           | SHR      4.4% |
+    11001   2.3% | 131.243.88.202       1.4% | 131.243.88.107       1.1% | printer       2.4% |           | REJ      3.0% |
+    53      1.9% | 131.243.89.250       1.4% | 117.72.94.10         1.1% | dns           1.9% |           | S1       1.0% |
+    161     1.6% | 131.243.89.80        1.3% | 131.243.88.64        1.1% | snmp          1.6% |           | RSTR     0.9% |
+    137     1.4% | 131.243.90.52        1.3% | 131.243.88.159       1.1% | nb-ns         1.4% |           | SH       0.3% |
+    2222    1.1% | 128.3.161.252        1.2% | 131.243.91.92        1.1% | ntp           1.0% |           | RSTRH    0.2% |</tt></pre>
+</div></div>
+</div>
+<h2>Download</h2>
+<div class="sectionbody">
+<p>Download <a href="http://www.icir.org/robin/trace-summary-0.5.tar.gz"><tt>trace-summary-0.5.tar.gz</tt></a></p>
+</div>
+<h2>Prerequisites</h2>
+<div class="sectionbody">
+<ul>
+<li>
+<p>
+This script requires Python 2.4 or newer.
+</p>
+</li>
+<li>
+<p>
+It also requires the installation of
+</p>
+<ul>
+<li>
+<p>
+the <a href="http://www.icir.org/robin/pysubnettree"><tt>pysubnettree</tt></a> Python module, and
+</p>
+</li>
+<li>
+<p>
+Eddie Kohler's <a href="http://www.cs.ucla.edu/~kohler/ipsumdump"><tt>ipsumdump</tt></a>
+</p>
+</li>
+</ul>
+</li>
+</ul>
+</div>
+<h2>Installation</h2>
+<div class="sectionbody">
+<p>Simply copy the script into some directory which is in your <tt>PATH</tt>.</p>
+</div>
+<h2>Usage</h2>
+<div class="sectionbody">
+<p>The general usage is</p>
+<div class="literalblock">
+<div class="content">
+<pre><tt>trace-summary [options] [input-file]</tt></pre>
+</div></div>
+<p>Per default, it assumes the <tt>input-file</tt> to be a <tt>libpcap</tt> trace
+file. If it is a Bro connection log, use <tt>-c</tt>. If <tt>input-file</tt> is
+not given, the script reads from stdin. It writes its output to
+stdout.</p>
+<h3>Options</h3>
+<p>There are a bunch of options. The most important ones summmarized
+below. Run <tt>trace-summary --help</tt> to see the full list including
+some more estoric ones.</p>
+<div class="hlist"><table>
+<tr>
+<td class="hlist1">
+<strong>-c</strong>
+</td>
+<td class="hlist2">
+Input is a Bro connection log instead of a <tt>libpcap</tt> trace
+               file.
+</td>
+</tr>
+<tr>
+<td class="hlist1">
+<strong>-b</strong>
+</td>
+<td class="hlist2">
+Counts all percentages in bytes rather than number of
+               packets/connections.
+</td>
+</tr>
+<tr>
+<td class="hlist1">
+<strong>-E &lt;file&gt;</strong>
+</td>
+<td class="hlist2">
+Gives a file which contains a list of networks to
+               ignore for the analysis. The file must contain one
+               network per line, where each network is of the CIDR
+               form <tt>a.b.c.d/mask</tt>. Empty lines and lines starting
+               with a "#" are ignored.
+</td>
+</tr>
+<tr>
+<td class="hlist1">
+<strong>-i &lt;duration&gt;</strong>
+</td>
+<td class="hlist2">
+Creates totals for each time interval of the given
+                  length (default is seconds; add "<tt>m</tt>" for minutes
+                  and "<tt>h</tt>" for hours). Use <tt>-v</tt> if you also want to
+                  see the breakdowns for each interval.
+</td>
+</tr>
+<tr>
+<td class="hlist1">
+<strong>-l &lt;file&gt;</strong>
+</td>
+<td class="hlist2">
+Generates separate summaries for incoming and outgoing
+               traffic. <tt>&lt;file&gt;</tt> is a file which contains a list of
+               networks to be considered local. Format as for <tt>-E</tt>.
+</td>
+</tr>
+<tr>
+<td class="hlist1">
+<strong>-n &lt;n&gt;</strong>
+</td>
+<td class="hlist2">
+Show top n entries in each break-down.
+               Default is 10.
+</td>
+</tr>
+<tr>
+<td class="hlist1">
+<strong>-r</strong>
+</td>
+<td class="hlist2">
+Resolves hostnames in the output.
+</td>
+</tr>
+<tr>
+<td class="hlist1">
+<strong>-s &lt;n&gt;</strong>
+</td>
+<td class="hlist2">
+Gives the sample factor if the input has been sampled.
+</td>
+</tr>
+<tr>
+<td class="hlist1">
+<strong>-S &lt;n&gt;</strong>
+</td>
+<td class="hlist2">
+Sample input with the given factor; less accurate but
+               faster and saves memory.
+</td>
+</tr>
+<tr>
+<td class="hlist1">
+<strong>-m</strong>
+</td>
+<td class="hlist2">
+Does skip memory-expensive statistics.
+</td>
+</tr>
+<tr>
+<td class="hlist1">
+<strong>-v</strong>
+</td>
+<td class="hlist2">
+Generates full break-downs for each time interval.
+               Requires <tt>-i</tt>.
+</td>
+</tr>
+</table></div>
+</div>
+<div id="footer">
+<div id="footer-text">
+<a href="http://www.icir.org/robin">Back to Homepage</a><br />
+12-Nov-2007 15:23:04 PDT - Robin Sommer
+</div>
+</div>
+</body>
+</html>
diff --git a/aux/broctl/aux/trace-summary/trace-summary b/aux/broctl/aux/trace-summary/trace-summary
new file mode 100755
index 0000000000..12ac9bf167
--- /dev/null
+++ b/aux/broctl/aux/trace-summary/trace-summary
@@ -0,0 +1,884 @@
+#! /usr/bin/env python
+
+import os
+import time
+import sys
+import socket
+import signal
+import posix
+import errno
+import resource
+import optparse
+import random
+
+Version = 0.6
+
+random.seed()
+
+import SubnetTree
+
+class IntervalUpdate:
+    pass
+
+class IntervalList:
+    def __init__(self):
+        self.ints = []
+        self.start = -1
+
+    def finish(self):
+        for i in self.ints:
+            if i:
+                i.start += self.start
+                i.end += self.start
+                i.applySampleFactor()
+            
+    def writeR(self, file, top_ports):
+        file = open(file, "w")
+        Interval.makeRHeader(file, top_ports)
+        next_start = self.start
+        
+        for i in self.ints:
+            if i:
+                i.formatForR(file, top_ports)
+                next_start = i.end
+            else:
+                empty = Interval()
+                empty.start = next_start
+                empty.end = next_start + Options.ilen
+                empty.formatForR(file, top_ports)
+                next_start = empty.end
+            
+class Interval:
+    def __init__(self):
+        self.start = 1e20
+        self.end = 0
+        self.bytes = 0
+        self.payload = 0
+        self.pkts = 0
+        self.frags = 0
+        self.updates = 0
+        self.ports = {}
+        self.prots = {}
+        self.servs = {}
+        self.srcs = {}
+        self.dsts = {}
+        self.states = {}
+
+    def update(self, iupdate, adjusttime=True):
+
+        self.updates += 1
+        self.pkts += iupdate.pkts
+        self.bytes += iupdate.bytes
+        self.payload += iupdate.payload
+        self.frags += iupdate.frags
+
+        if Options.bytes:
+            incr = iupdate.bytes
+        else:
+            incr = 1
+
+        # For packets, we need to look at the source port, too.
+        if not Options.conns:
+            if ( iupdate.src_port < 1024 ) or \
+                ( not Ports and not Options.save_mem ) or \
+                ( Ports and iupdate.src_port in Ports ) or \
+                Options.storeports:
+                try:
+                    self.ports[iupdate.src_port] += incr
+                except KeyError:
+                    self.ports[iupdate.src_port] = incr
+
+        if ( iupdate.dst_port < 1024 ) or \
+            ( not Ports and not Options.save_mem ) or \
+            ( Ports and iupdate.dst_port in Ports ) or \
+            Options.storeports:
+            try:
+                self.ports[iupdate.dst_port] += incr
+            except KeyError:
+                self.ports[iupdate.dst_port] = incr
+            
+        try:
+            self.prots[iupdate.prot] += incr
+        except KeyError:
+            self.prots[iupdate.prot] = incr
+
+        try:
+            self.servs[iupdate.service] += incr
+        except KeyError:
+            self.servs[iupdate.service] = incr
+            
+        try:
+            self.states[iupdate.state] += incr
+        except KeyError:
+            self.states[iupdate.state] = incr
+
+        if adjusttime:
+            if iupdate.start < self.start:
+                self.start = iupdate.start
+
+            if iupdate.end > self.end:
+                self.end = iupdate.end
+            
+        if not Options.save_mem and not Options.R:
+            try:
+                self.srcs[iupdate.src_ip] += incr
+            except KeyError:
+                self.srcs[iupdate.src_ip] = incr
+            
+            try:
+                self.dsts[iupdate.dst_ip] += incr
+            except KeyError:
+                self.dsts[iupdate.dst_ip] = incr
+
+    def applySampleFactor(self):
+        if Options.factor == 1:
+            return
+
+        self.bytes *= Options.factor
+        self.payload *= Options.factor
+        self.pkts *= Options.factor
+        self.frags *= Options.factor
+        self.updates *= Options.factor
+        
+        for i in self.ports.keys():
+             self.ports[i] *= Options.factor
+        for i in self.prots.keys():
+             self.prots[i] *= Options.factor
+        for i in self.servs.keys():
+             self.servs[i] *= Options.factor
+        for i in self.srcs.keys():
+             self.srcs[i] *= Options.factor
+        for i in self.dsts.keys():
+             self.dsts[i] *= Options.factor
+        for i in self.states.keys():
+             self.states[i] *= Options.factor
+                
+    def format(self, conns=False, title=""):
+        def fmt(tag, count, total=-1, sep=" - "):
+            if total >= 0:
+                try:
+                    return "%s %5.1f%%%s" % (tag, (float(count) / total) * 100, sep)
+                except ZeroDivisionError:
+                    return "%s (??%%)%s" % (tag, sep)
+                        
+            return "%s %s%s" % (tag, formatVal(count), sep)
+
+        s = "\n>== %s === %s - %s\n   - " % (title, isoTime(self.start), isoTime(self.end))
+
+        if not conns:
+            # Information for packet traces.
+            s += fmt("Bytes", self.bytes) + \
+                 fmt("Payload", self.payload) + \
+                 fmt("Pkts", self.pkts) + \
+                 fmt("Frags", self.frags, self.pkts)
+                 
+            try:
+                mbit = self.bytes * 8 / 1024.0 / 1024.0 / (self.end - self.start)
+            except ZeroDivisionError:
+                mbit = 0
+            
+            s += "MBit/s %8.1f - " % mbit
+                 
+        else:
+            # Information for connection summaries.
+            s += fmt("Connections", self.pkts) + \
+                 fmt("Payload", self.payload)
+        
+        if Options.verbose:    
+            ports = topx(self.ports)
+            srcs = topx(self.srcs)
+            dsts = topx(self.dsts)
+            prots = topx(self.prots)
+            servs = topx(self.servs)
+
+            servs = map(lambda (count, svc): (count, svc.replace("icmp-", "i-").replace("netbios", "nb")), servs)
+            
+            s += "\n     %-5s        | %-18s        | %-18s        | %-18s | %1s |" \
+                % ("Ports", "Sources", "Destinations", "Services", "Protocols") 
+
+            if conns:
+                s += " States        |"
+                states = (topx(self.states),6)
+            else:
+                states = ({},0)
+
+            s += "\n"
+                
+            addrs = []
+            
+            for i in range(Options.topx):
+                
+                s += "     "
+                
+                for (dict, length) in ((ports, 5), (srcs, 18), (dsts, 18), (servs,11), (prots,2), states): 
+                    try:
+                        item = None
+                        if dict == srcs or dict == dsts:
+                            item = socket.inet_ntoa(dict[i][1])
+                            if Options.resolve:
+                                addrs += [dict[i][1]]
+                                item += "#%d" % len(addrs)
+                        else:
+                            item = str(dict[i][1])
+                        
+                        s += fmt("%-*s" % (length, item), dict[i][0], (Options.bytes and self.bytes or self.pkts), sep=" | ") 
+                    except:
+                        s += " " * length + "        | "
+
+                s += "\n"
+                
+            if Options.resolve:
+                s += "\n        "
+                for i in range(1, len(addrs)+1):
+                    s +=  "#%d=%s  " % (i, gethostbyaddr(socket.inet_ntoa(addrs[i-1])))
+                    if i % 3 == 0:
+                        s += "\n        "
+                        
+            s += "\n"
+
+                
+        return s
+
+    def makeRHeader(f, top_ports):
+        print >>f, "start end count bytes payload frags srcs dsts prot.tcp prot.udp prot.icmp",
+        print >>f, " ".join(["state.%s" % s.lower() for s in States]),
+        print >>f, " ".join(["top.port.%d" % (i+1) for i in range(0,Options.topx)]),
+        print >>f, " ".join(["port.%d" % i for i in range(0,1024)]),
+        if not Options.save_mem:
+            print >>f, " ".join(["port.%d" % p[1] for p in top_ports if p[1] >= 1024]),
+        print >>f
+        
+    makeRHeader = staticmethod(makeRHeader)     
+    
+    def formatForR(self, f, top_ports):
+        print >>f, self.start, self.end, self.pkts, self.bytes, self.payload, self.frags,
+        print >>f, len(self.srcs), len(self.dsts),
+        print >>f, self.prots.get(6, 0), self.prots.get(17, 0), self.prots.get(1, 0),
+        print >>f, " ".join([str(self.states.get(i, 0)) for i in States]),
+        print >>f, " ".join([str(p[1]) for p in topx(self.ports, True)]),
+        print >>f, " ".join([str(self.ports.get(i, 0)) for i in range(0,1024)]),
+        if not Options.save_mem:
+            print >>f, " ".join([str(self.ports.get(p[1], 0)) for p in top_ports if p[1] >= 1024]),
+        print >>f
+            
+        
+    def __str__(self):
+        return self.format(True)
+
+def topx(dict, fill_if_empty=False):
+    top = map(lambda (val, count): (count, val), dict.items())
+    top.sort()
+    top.reverse()
+
+     # Filter out zero vals.
+    top = [(val, count) for (val, count) in top if count != 0]
+    
+    if fill_if_empty and len(top) < Options.topx:
+        top += [(0,0)] * Options.topx
+
+    return top[:Options.topx]
+    
+def findInterval(time, intervals):
+    
+    if intervals.start < 0:
+        intervals.start = int(time / Options.ilen) * Options.ilen
+   
+    i = (time - intervals.start) / Options.ilen
+    idx = int(i)
+
+    # Interval may be earlier than current start
+    if i < 0:
+        
+        if float(idx) != i:
+            # minus 1 since we will multiply by -1
+            idx = idx - 1
+            
+        idx *= -1
+        
+        for j in intervals.ints:
+            if j:
+                j.start += Options.ilen * idx
+                j.end += Options.ilen * idx
+        
+        intervals.ints = ([None] * idx) + intervals.ints
+        intervals.start = int(time / Options.ilen) * Options.ilen
+        first = time
+        idx = 0
+            
+    # Interval may be later than current end
+    while idx >= len(intervals.ints):
+        intervals.ints += [None]
+        
+    if not intervals.ints[idx]:
+        interv = Interval()
+        interv.start = float(idx * Options.ilen)
+        interv.end =  float((idx+1) * Options.ilen)
+        intervals.ints[idx] = interv
+        return interv
+
+    return intervals.ints[idx]
+
+def isoTime(t):
+    if t == 1e20 or t == 0:
+        return "N/A"
+    return time.strftime("%Y-%m-%d-%H-%M-%S", time.localtime(t))    
+
+def readPcap(file):
+    global Total
+    global Incoming
+    global Outgoing
+    
+    for line in os.popen("ipsumdump -r %s --timestamp --src --dst --sport --dport --length --protocol --fragment --payload-length -Q" % file):
+
+        if line.startswith("!"):
+            continue
+
+        if Options.sample > 0 and random.random() > Options.sample:
+            return
+        
+        f = line.split()
+        time = float(f[0])
+
+        if time < Options.mintime or time > Options.maxtime:
+            continue
+        
+        if Options.chema:
+            if f[6] != "T" or f[9] == "0":
+                continue
+        
+        if Options.tcp and f[6] != "T":
+            continue
+
+        if Options.udp and f[6] != "U":
+            continue
+        
+        iupdate = IntervalUpdate()
+        iupdate.pkts = 1
+        iupdate.bytes = int(f[5])
+        iupdate.payload = int(f[8])       
+        iupdate.service = ""
+        
+        try:
+            iupdate.src_ip = socket.inet_aton(f[1])
+        except socket.error:
+            iupdate.src_ip = socket.inet_aton("0.0.0.0")
+            
+        if iupdate.src_ip in ExcludeNets:
+            continue
+        
+        try:
+            iupdate.src_port = int(f[3])
+        except:
+            iupdate.src_port = 0
+            
+        try:
+            iupdate.dst_ip = socket.inet_aton(f[2])
+        except socket.error:
+            iupdate.dst_ip = socket.inet_aton("0.0.0.0")
+            
+        if iupdate.dst_ip in ExcludeNets:
+            continue
+        
+        try:
+            iupdate.dst_port = int(f[4])
+        except:
+            iupdate.dst_port = 0
+            
+        try:
+            iupdate.prot = Protocols[f[6]]
+        except KeyError:
+            iupdate.prot = 0
+        iupdate.state = 0
+        iupdate.start = time
+        iupdate.end = time
+
+        if f[7] != ".":
+            iupdate.frags = 1
+        else:
+            iupdate.frags = 0
+
+        if Options.external:
+            if iupdate.src_ip in LocalNetsIntervals and iupdate.dst_ip in LocalNetsIntervals:
+                continue
+            
+        Total.update(iupdate)
+
+        if Options.ilen > 0:
+            interval = findInterval(time, TotalIntervals)
+            interval.update(iupdate, adjusttime=False)
+        
+        if Options.localnets:
+            try:
+                LocalNetsIntervals[iupdate.src_ip].update(iupdate)
+                Outgoing.update(iupdate)
+                if Options.ilen > 0:
+                    interval = findInterval(time, OutgoingIntervals)
+                    interval.update(iupdate, adjusttime=False)
+            except KeyError:
+                try:
+                    LocalNetsIntervals[iupdate.dst_ip].update(iupdate)
+                    Incoming.update(iupdate)
+                    if Options.ilen > 0:
+                        interval = findInterval(time, IncomingIntervals)
+                        interval.update(iupdate, adjusttime=False)
+                except KeyError:
+                    global NonLocalCount
+                    NonLocalCount += 1
+                    if NonLocalCount < Options.topx:
+                        NonLocalConns[(iupdate.src_ip, iupdate.dst_ip)] = 1
+        
+Protocols = { "T": 6, "tcp": 6, "U": 17, "udp": 17, "I": 1, "icmp": 1 }
+States = ["OTH", "REJ", "RSTO", "RSTOS0", "RSTR", "RSTRH", "S0", "S1", "S2", "S3", "SF", "SH", "SHR"]    
+
+def readConnSummaries(file):
+    while True:
+        try:
+            for line in open(file):
+                parseConnLine(line)
+        except IOError, e:
+            if e.errno == errno.EINTR or e.errno == errno.EAGAIN:
+                continue
+            
+            print >>sys.stderr, e 
+            
+        return
+    
+    
+def parseConnLine(line):
+    global Total
+    global Incoming
+    global Outgoing
+    
+    global LastOutputTime, BaseTime
+    
+    if Options.sample > 0 and random.random() > Options.sample:
+        return
+    
+    f = line.split()
+
+    if len(f) < 11: # 11 is ok for icmp
+        print >>sys.stderr, "Ignoring corrupt line: '%s'" % line.strip()
+        return
+    
+    try:
+        time = float(f[0])
+    except ValueError:
+        print >>sys.stderr, "Invalid starting time %s" % f[0]
+        return
+
+    if f[1] != "?":
+        try:
+            duration = float(f[1])
+        except:
+            print >>sys.stderr, "Invalid starting time %s" % f[0]
+            return
+    else:
+        duration = 0;
+        
+    if time < Options.mintime or (time + duration) > Options.maxtime:
+        return
+    
+    if Options.tcp and f[7] != "tcp":
+        return
+
+    if Options.udp and f[7] != "udp":
+        return
+    
+    if not BaseTime:
+        BaseTime = time
+        LastOutputTime = time
+    
+    if time - LastOutputTime > 3600:
+        # print >>sys.stderr, "%d hours processed" % int((time - BaseTime) / 3600)
+        LastOutputTime = time
+    
+    try:
+        iupdate = IntervalUpdate()
+        iupdate.pkts = 1 # no. connections
+        
+        try:
+            bytes_orig = int(f[8])
+        except:
+            bytes_orig = 0
+            
+        try:
+            bytes_resp = int(f[9])
+        except:
+            bytes_resp = 0
+            
+        iupdate.bytes = bytes_orig + bytes_resp;
+        iupdate.src_ip = socket.inet_aton(f[2])
+        if iupdate.src_ip in ExcludeNets:
+            return
+        iupdate.src_port = int(f[5])
+        iupdate.dst_ip = socket.inet_aton(f[3])
+        if iupdate.dst_ip in ExcludeNets:
+            return
+        iupdate.dst_port = int(f[6])
+        iupdate.prot = Protocols[f[7]]
+
+        iupdate.service = f[4]
+        if iupdate.service[-1] == "?":
+            iupdate.service = iupdate.service[:-1]
+        iupdate.frags = 0
+        iupdate.state = f[10]
+        iupdate.start = time
+        
+    except LookupError:
+        print >>sys.stderr, "Ignoring corrupt line: '%s'" % line.strip()
+        return
+        
+    try:
+        iupdate.end = time + float(f[1])
+    except ValueError:
+        iupdate.end = time
+
+    try:
+        payload_orig = int(f[8])
+        
+        if duration and payload_orig * 8 / (1024 * 1024 * duration) > 700:
+            # Bandwith exceed due to Bro bug.
+            print >>sys.stderr, "%.6f originator exceeds bandwith" % time
+            payload_orig = 0
+            
+    except ValueError:
+        payload_orig = 0
+
+    try:
+        payload_resp = int(f[9])
+        
+        if duration and  payload_resp * 8 / (1024 * 1024 * duration) > 700:
+            # Bandwith exceed due to Bro bug.
+            print >>sys.stderr, "%.6f responder exceeds bandwith" % time
+            payload_resp = 0
+            
+    except ValueError:
+        payload_resp = 0
+        
+    iupdate.payload = payload_orig + payload_resp
+    
+    if Options.external:
+        if iupdate.src_ip in LocalNetsIntervals and iupdate.dst_ip in LocalNetsIntervals:
+            return
+    
+    Total.update(iupdate)
+
+    if Options.ilen > 0:
+        interval = findInterval(time, TotalIntervals)
+        interval.update(iupdate, adjusttime=False)
+    
+    if Options.localnets:
+        
+        try:
+            LocalNetsIntervals[iupdate.src_ip].update(iupdate)
+            Outgoing.update(iupdate)
+            if Options.ilen > 0:
+                interval = findInterval(time, OutgoingIntervals)
+                interval.update(iupdate, adjusttime=False)
+        except KeyError:
+            try:
+                LocalNetsIntervals[iupdate.dst_ip].update(iupdate)
+                Incoming.update(iupdate)
+                if Options.ilen > 0:
+                    interval = findInterval(time, IncomingIntervals)
+                    interval.update(iupdate, adjusttime=False)
+            except KeyError:
+                global NonLocalCount
+                NonLocalCount += 1
+                if NonLocalCount < Options.topx:
+                    NonLocalConns[(iupdate.src_ip, iupdate.dst_ip)] = 1
+
+Cache = {}
+
+def gethostbyaddr( ip, timeout = 5, default = "<???>" ):
+
+    try:
+        return Cache[ip]
+    except LookupError:
+        pass
+    
+    host = default
+    ( pin, pout ) = os.pipe()
+
+    pid = os.fork()
+    
+    if not pid:
+        # Child
+        os.close( pin )
+        try:
+            host = socket.gethostbyaddr( ip )[0]
+        except socket.herror:
+            pass
+        os.write( pout, host )
+        posix._exit(127)
+        
+    #Parent 
+    os.close( pout )
+    
+    signal.signal( signal.SIGALRM, lambda sig, frame: os.kill( pid, signal.SIGKILL ) )
+    signal.alarm( timeout )
+
+    try:
+        os.waitpid( pid, 0 )
+        host = os.read( pin, 8192 )
+    except OSError:
+        pass
+
+    signal.alarm( 0 )
+    
+    os.close( pin )
+    
+    Cache[ip] = host;
+    
+    return host
+
+def formatVal(val):
+    for (prefix, unit, factor) in (("", "g", 1e9), ("", "m", 1e6), ("", "k", 1e3), (" ", "", 1e0)):
+        if val >= factor:
+            return "%s%3.1f%s" % (prefix, val / factor, unit)
+    return val # Should not happen
+
+def readNetworks(file):
+    
+    nets = []
+    
+    for line in open(file):
+        line = line.strip()
+        if not line or line.startswith("#"):
+            continue
+        
+        fields = line.split()
+        nets += [(fields[0], " ".join(fields[1:]))]
+
+    return nets
+
+####### Main
+
+Total = Interval()
+Incoming = Interval()
+Outgoing = Interval()
+
+TotalIntervals = IntervalList()
+IncomingIntervals = IntervalList()
+OutgoingIntervals = IntervalList()
+
+BaseTime = None
+LastOutputTime = None
+
+LocalNets = {}
+LocalNetsIntervals = SubnetTree.SubnetTree()
+NonLocalConns = {}
+NonLocalCount = 0
+
+Ports = None
+
+ExcludeNets = SubnetTree.SubnetTree()
+
+optparser = optparse.OptionParser(usage="%prog [options] <pcap-file>|<conn-summaries>", version=Version)
+optparser.add_option("-b", "--bytes", action="store_true", dest="bytes", default=False,
+                     help="count fractions in terms of bytes rather than packets/connections")
+optparser.add_option("-c", "--conn-summaries", action="store_true", dest="conns", default=False, 
+                     help="input file contains Bro connection summaries")
+optparser.add_option("-C", "--chema", action="store_true", dest="chema", default=False,
+                     help="for packets: include only TCP, ignore when seq==0")
+optparser.add_option("-e", "--external", action="store_true", dest="external", default=False, 
+                     help="ignore strictly internal traffic")
+optparser.add_option("-E", "--exclude-nets", action="store", type="string", dest="excludenets", default=None, 
+                     help="excludes CIDRs in file from analysis")
+optparser.add_option("-i", "--intervals", action="store", type="string", dest="ilen", default="0", 
+                     help="create summaries for time intervals of given length")
+optparser.add_option("-l", "--local-nets", action="store", type="string", dest="localnets", default=None, 
+                     help="differentiate in/out based on CIDRs in file")
+optparser.add_option("-n", "--topn", action="store", type="int", dest="topx", default=10, 
+                     help="show top <n>")
+optparser.add_option("-p", "--ports", action="store", type="string", dest="ports", default=None, 
+                     help="include only ports listed in file")
+optparser.add_option("-P", "--write-ports", action="store", type="string", dest="storeports", default=None, 
+                     help="write top total/incoming/outgoing ports into files ")
+optparser.add_option("-r", "--resolve-host-names", action="store_true", dest="resolve", default=False, 
+                     help="resolve host names")
+optparser.add_option("-R", "--R", action="store", type="string", dest="R", default=None, metavar="tag",
+                     help="write output suitable for R into files <tag.*>")
+optparser.add_option("-s", "--sample-factor", action="store", type="int", dest="factor", default=1,
+                     help="sample factor of input")
+optparser.add_option("-S", "--do-sample", action="store", type="float", dest="sample", default=-1.0,
+                     help="sample input with probability (0.0 < prob < 1.0)")
+optparser.add_option("-m", "--save-mem", action="store_true", dest="save_mem", default=False, 
+                     help="do not make memory-expensive statistics")
+optparser.add_option("-t", "--tcp", action="store_true", dest="tcp", default=False, 
+                     help="include only TCP")
+optparser.add_option("-u", "--udp", action="store_true", dest="udp", default=False, 
+                     help="include only UDP")
+optparser.add_option("-U", "--min-time", action="store", type="string", dest="mintime", default=None,
+                     help="minimum time in ISO format (e.g. 2005-12-31-23-59-00)")
+optparser.add_option("-v", "--verbose", action="store_true", dest="verbose", default=False, 
+                     help="show top-n for every interval")
+optparser.add_option("-V", "--max-time", action="store", type="string", dest="maxtime", default=None,
+                     help="maximum time in ISO format")
+                     
+(Options, args) = optparser.parse_args()
+
+if len(args) > 2:
+    optparser.error("Wrong number of arguments")
+
+file = "-"
+    
+if len(args) > 0:
+    file = args[0]
+
+if Options.external and not Options.localnets:
+    print >>sys.stderr, "Need -l for -e."
+    sys.exit(1)
+    
+# Make per-interval summaries.    
+if Options.ilen:
+    if Options.ilen.endswith("m"):
+        Options.ilen = int(Options.ilen[:-1]) * 60
+    elif Options.ilen.endswith("h"):
+        Options.ilen = int(Options.ilen[:-1]) * 60 * 60
+    else:
+        Options.ilen = int(Options.ilen)
+
+# Read local networks.
+if Options.localnets:
+    
+    for (net, txt) in readNetworks(Options.localnets): 
+        try:
+            i = Interval()
+            LocalNetsIntervals[net] = i
+            LocalNets[net] = (txt, i)
+        except KeyError:
+            print >>sys.stderr, "Can't parse local network '%s'" % net
+
+# Read networks to exclude.
+if Options.excludenets:
+    for (net, txt) in readNetworks(Options.excludenets): 
+        try:
+            ExcludeNets[net] = txt
+        except KeyError:
+            print >>sys.stderr, "Can't parse exclude network '%s'" % net
+
+# Read ports file.
+if Options.ports:
+    Ports = {}
+    for line in open(Options.ports):
+        Ports[int(line.strip())] = 1
+            
+# Parse time-range if given.
+if Options.mintime:
+    Options.mintime = time.mktime(time.strptime(Options.mintime, "%Y-%m-%d-%H-%M-%S"))
+else:
+    Options.mintime = 0
+
+if Options.maxtime:
+    Options.maxtime = time.mktime(time.strptime(Options.maxtime, "%Y-%m-%d-%H-%M-%S"))
+else:
+    Options.maxtime = 1e20
+
+if Options.sample > 0:
+    Options.factor = 1.0 / Options.sample
+    
+if file == "-":
+    file = "/dev/stdin"
+    
+try:    
+    if Options.conns:
+        readConnSummaries(file)
+    else:
+        readPcap(file)
+except KeyboardInterrupt:
+    pass
+
+TotalIntervals.finish()
+IncomingIntervals.finish()
+OutgoingIntervals.finish()
+
+Total.applySampleFactor()
+Incoming.applySampleFactor()
+Outgoing.applySampleFactor()
+
+unique = {}
+for (count, port) in topx(Total.ports) + topx(Incoming.ports) + topx(Outgoing.ports):
+    unique[port] = (count, port)
+    
+top_ports = unique.values()
+
+if Options.storeports:
+    f = open(Options.storeports, "w")
+    for p in top_ports:
+        print >>f, p[1]
+
+if Options.R:
+    file = open(Options.R + ".dat", "w")
+
+    print >>file, "tag", 
+    Interval.makeRHeader(file, top_ports)
+    print >>file, "total",
+    Total.formatForR(file, top_ports)
+
+    print >>file, "incoming",
+    Incoming.formatForR(file, top_ports)
+    print >>file, "outgoing",
+    Outgoing.formatForR(file, top_ports)
+
+    for (net, data) in LocalNets.items():    
+        
+        (txt, i) = data
+        
+        if i.updates:
+            print >>file, net.replace(" ", "_"),
+            i.start += TotalIntervals.start
+            i.end += TotalIntervals.start
+            i.applySampleFactor()
+            i.formatForR(file, top_ports)
+    
+    TotalIntervals.writeR(Options.R + ".total.dat", top_ports)
+    IncomingIntervals.writeR(Options.R + ".incoming.dat", top_ports)
+    OutgoingIntervals.writeR(Options.R + ".outgoing.dat", top_ports)
+                
+    sys.exit(0)
+
+for i in TotalIntervals.ints:
+    if i:
+        print i.format(conns=Options.conns)
+    
+Options.verbose = True
+        
+print Total.format(conns=Options.conns, title="Total")
+
+locals = LocalNets.keys()    
+
+if locals:
+
+    type = "packets"
+    if Options.conns:
+        type = "connections"
+
+    locals.sort(lambda x,y: LocalNets[y][1].pkts - LocalNets[x][1].pkts)    
+
+    print "\n>== Top %d local networks by number of %s\n" % (Options.topx, type)
+        
+    for i in range(min(len(locals), Options.topx)):
+        print "    %2d %5s  %-16s %s " % (i+1, formatVal(LocalNets[locals[i]][1].pkts), locals[i], LocalNets[locals[i]][0])
+    print 
+
+    if len(NonLocalConns):
+        print "\n>== %d %s did not have any local address. Here are the first %d:\n" % (NonLocalCount, type, Options.topx)
+    
+        for (src,dst) in NonLocalConns.keys():
+            print "    %s <-> %s" % (socket.inet_ntoa(src), socket.inet_ntoa(dst))
+    
+if Options.localnets:
+    print Incoming.format(conns=Options.conns, title="Incoming")
+    print Outgoing.format(conns=Options.conns, title="Outgoing")
+        
+for net in locals:        
+    (txt, i) = LocalNets[net]
+
+    if i.updates:
+#        i.start += TotalIntervals.start
+#        i.end += TotalIntervals.start
+        i.applySampleFactor()
+        print i.format(conns=Options.conns, title=net + " " + txt)
+
+print "First: %16s (%.6f) Last: %s %.6f" % (isoTime(Total.start), Total.start, isoTime(Total.end), Total.end)
diff --git a/aux/broctl/bin/archive-log.in b/aux/broctl/bin/archive-log.in
new file mode 100755
index 0000000000..6647617da6
--- /dev/null
+++ b/aux/broctl/bin/archive-log.in
@@ -0,0 +1,59 @@
+#! /usr/bin/env bash
+#
+# $Id: archive-log.in 6860 2009-08-14 19:01:47Z robin $
+#
+# Bro postprocessor script to archive log files. 
+# 
+# archive-log <rotated-file-name> <base-name> <timestamp-when-opened> <timestamp-when-closed> [<tag>]
+
+base=${logdir}
+
+delete=1
+if [ "$1" == "-c" ]; then
+    delete=0
+    shift
+fi
+
+# Record time of last rotation.
+date +%y-%m-%d_%H.%M.%S >.rotate # Bro default format when rotating files.
+
+# We do not keep the logs for workers/proxies.
+if [ -e .worker -o -e .proxy ]; then
+    test $delete = 0 || rm -rf $1
+    exit 0
+fi
+
+# Build archive name
+day=`echo $3 | sed 's/_.*$//'`
+from=`echo $3 | sed 's/^.*_//' | sed 's/\./:/g'`
+to=`echo $4 | sed 's/^.*._//' | sed 's/\./:/g'`
+century=`date +%Y | sed 's/..$//g'`
+day="$century$day"
+
+if [ ! -d "$base/$day" ]; then
+    mkdir "$base/$day" 2>/dev/null
+fi    
+
+#if [ $# == 5 ]; then
+#    dest="$base/$day/$5.$2.$from-$to.gz"
+#else
+    dest="$base/$day/$2.$from-$to.gz"
+#fi
+
+# Run other postprocessors. 
+for pp in ${postprocdir}/*; do
+    nice $pp $@ 
+done
+
+if [ -e $1 ]; then
+   nice gzip -9 <$1 >$dest 2>/dev/null 
+fi   
+
+if [ "$?" == "0" ]; then
+    if [ "$delete" == "1" ]; then 
+        rm -rf $1
+    else
+        # Only delete if too large (>100MB).
+        find $1 -size +104857600c -delete
+    fi
+fi
diff --git a/aux/broctl/bin/broctl.in b/aux/broctl/bin/broctl.in
new file mode 100755
index 0000000000..792f6aea33
--- /dev/null
+++ b/aux/broctl/bin/broctl.in
@@ -0,0 +1,731 @@
+#! /usr/bin/env python
+#
+# $Id: broctl.in 6948 2009-12-03 20:59:41Z robin $
+#
+# The Bro Control interactive shell.
+
+import os
+import sys
+import cmd
+import readline
+import time
+import signal
+import platform
+
+# Base directory of broctl installation.
+# $PREFIX is replaced by 'configure'.
+try:
+    BroBase = os.path.abspath(os.getenv("BROBASE"))
+except AttributeError:
+    BroBase = "$PREFIX"
+
+# Base directory of Bro distribution.              
+# $BRODIST is replaced by 'configure'.
+try:
+    BroDist = os.path.abspath(os.getenv("BRODIST"))
+except AttributeError:
+    BroDist = "$BRODIST"
+
+# Version of the broctl distribution.
+# $VERSION is replaced by 'configure'.
+Version = "$VERSION"
+
+# True if we do a stand-alone install. 
+# $STANDALONE is replaced by 'configure'.
+StandAlone = $STANDALONE
+
+# Adjust the PYTHONPATH. (If we're installing the make-wrapper will have already
+# set it correctly.)
+if not "BROCTL_INSTALL" in os.environ:
+    sys.path = [os.path.join(BroBase, "lib/broctl")] + sys.path
+
+# We need to add the directory of the Broccoli library files
+# to the linker's runtime search path. This is hack which 
+# restarts the script with the new environment. 
+ldpath = "LD_LIBRARY_PATH"
+if platform.system() == "Darwin":
+    ldpath = "DYLD_LIBRARY_PATH"
+
+old = os.environ.get(ldpath)
+dir = os.path.join(BroBase, "lib")
+if not old or not dir in old:
+    if old:
+        path = "%s:%s" % (dir, old)
+    else:
+        path = dir
+    os.environ[ldpath] = path
+    os.execv(sys.argv[0], sys.argv)
+
+## End of library hack.
+
+# Turns nodes arguments into a list of node names. 
+def nodeArgs(args, expand_all=True):
+    if not args:
+        args = "all"
+
+    nodes = []
+
+    for arg in args.split():
+        h = Config.nodes(arg, expand_all)
+        if not h and arg != "all":
+            util.output("unknown node '%s'" % arg)
+            return (False, [])
+
+        nodes += h
+
+    return (True, nodes)
+
+# Main command loop.
+class BroCtlCmdLoop(cmd.Cmd):
+
+    def __init__(self):
+        cmd.Cmd.__init__(self)
+        self.prompt = "[BroControl] > "
+
+    def output(self, text):
+        self.stdout.write(text)
+        self.stdout.write("\n")
+
+    def error(self, str):
+        self.output("Error: %s" % str)
+
+    def syntax(self, args):
+        self.output("Syntax error: %s" % args)
+
+    def lock(self):
+        if not util.lock():
+            sys.exit(1)
+
+        self._locked = True
+        Config.readState()
+        config.Config.config["sigint"] = "0" 
+
+    def precmd(self, line):
+        util.debug(1, "%-10s %s" % ("[command]", line))
+        self._locked = False
+        return line
+
+    def postcmd(self, stop, line):  
+        Config.writeState()
+        if self._locked:
+            util.unlock()
+            self._locked = False
+
+        util.debug(1, "%-10s %s" % ("[command]", "done"))
+        return stop
+
+    def do_EOF(self, args):
+        return True
+
+    def do_exit(self, args):
+        """Terminates the shell."""
+        return True
+
+    def do_quit(self, args):
+        """Terminates the shell."""
+        return True
+
+    def do_nodes(self, args):
+        """Prints a list of all configured nodes."""
+        if args:
+            self.syntax(args)
+            return
+
+        self.lock()
+        for n in Config.nodes():
+            print n
+
+    def do_config(self, args):
+        """Prints all configuration options with their current values."""
+        if args:
+            self.syntax(args)
+            return
+
+        for (key, val) in sorted(Config.options()):
+            print "%s = %s" % (key, val)
+
+    def do_install(self, args): 
+        """
+
+        Reinstalls the given nodes, including all configuration files and
+        local policy scripts.  This command must be executed after _all_
+        changes to any part of the broctl configuration, otherwise the
+        modifications will not take effect. Usually all nodes should be
+        reinstalled at the same time, as any inconsistencies between them will
+        lead to strange effects. Before executing +install+, it is recommended
+        to verify the configuration with xref:cmd_check[+check+]."""
+
+        local = False
+        make = False
+
+        for arg in args.split():
+            if arg == "--local":
+                local = True
+            elif arg == "--make":
+                make = True
+            else:
+                self.syntax(args)
+                return
+
+        self.lock()
+        install.install(local, make)
+
+    def do_start(self, args):
+        """- [<nodes>]
+
+        Starts the given nodes, or all nodes if none are specified. Nodes
+        already running are left untouched.
+        """ 
+
+        self.lock()
+        (success, nodes) = nodeArgs(args, expand_all=False) 
+        if success: 
+            control.start(nodes)
+
+    def do_stop(self, args):
+        """- [<nodes>]
+
+        Stops the given nodes, or all nodes if none are specified. Nodes not
+        running are left untouched.
+        """ 
+        self.lock()
+        (success, nodes) = nodeArgs(args, expand_all=False)
+        if success:
+            control.stop(nodes)
+
+    def do_restart(self, args):
+        """- [--clean] [<nodes>]
+
+        Restarts the given nodes, or all nodes if none are specified. The
+        effect is the same as first executing xref:cmd_stop[+stop+] followed
+        by a xref:cmd_start[+start+], giving the same nodes in both cases.
+        This command is most useful to activate any changes made to Bro policy
+        scripts (after running xref:cmd_install[+install+] first). Note that a
+        subset of policy changes can also be installed on the fly via the
+        xref:cmd_updatel[+update+], without requiring a restart.
+
+        If +--clean+ is given, the installation is reset into a clean state
+        before restarting. More precisely, a +restart --clean+ turns into the
+        command sequence xref:cmd_stop[+stop+], xref:cmd_cleanup[+cleanup
+        --all+], xref:cmd_check[+check+], xref:cmd_install[+install+], and
+        xref:cmd_start[+start+].
+        """
+
+        clean = False
+        try:
+            if args.startswith("--clean"):
+                args = args[7:]
+                clean = True
+        except IndexError:
+            pass
+
+        self.lock()
+        (success, nodes) = nodeArgs(args, expand_all=False)
+        if success:
+            control.restart(nodes, clean)
+
+    def do_status(self, args):
+        """- [<nodes>]
+
+        Prints the current status of the given nodes."""
+
+        self.lock()
+        (success, nodes) = nodeArgs(args)
+        if success:
+            control.status(nodes)
+
+    def _do_top_once(self, args):
+        if util.lock():
+            Config.readState() # May have changed by cron in the meantime.
+            (success, nodes) = nodeArgs(args)
+            if success:
+                control.top(nodes)
+            util.unlock()
+
+    def do_top(self, args):
+        """- [<nodes>]
+
+        For each of the nodes, prints the status of the two Bro
+        processes (parent process and child process) in a _top_-like
+        format, including CPU usage and memory consumption. If
+        executed interactively, the display is updated frequently
+        until key +q+ is pressed. If invoked non-interactively, the
+        status is printed only once.""" 
+
+        self.lock()
+
+        if not Interactive:
+            self._do_top_once(args)
+            return
+
+        util.unlock()
+
+        util.enterCurses()
+        util.clearScreen()
+
+        count = 0
+
+        while config.Config.sigint != "1" and util.getCh() != "q":
+            if count % 10 == 0:
+                util.bufferOutput()
+                self._do_top_once(args)
+                lines = util.getBufferedOutput()
+                util.clearScreen()
+                util.printLines(lines)
+            time.sleep(.1)
+            count += 1
+
+        util.leaveCurses()
+
+        if not util.lock():
+            sys.exit(1)
+
+    def do_diag(self, args):
+        """- [<nodes>]
+
+        If a node has terminated unexpectedly, this command prints a (somewhat
+        cryptic) summary of its final state including excerpts of any
+        stdout/stderr output, resource usage, and also a stack backtrace if a
+        core dump is found. The same information is sent out via mail when a
+        node is found to have crashed (the "crash report"). While the
+        information is mainly intended for debugging, it can also help to find
+        misconfigurations (which are usually, but not always, caught by the
+        xref:cmd_check[+check+] command).""" 
+
+        self.lock()
+        (success, nodes) = nodeArgs(args)
+        if not success:
+            return 
+
+        for h in nodes:
+            control.crashDiag(h)
+
+    def do_attachgdb(self, args):
+        """- [<nodes>]
+
+        Primarily for debugging, the command attaches a _gdb_ to the main Bro
+        process on the given nodes. """ 
+
+        self.lock()
+        (success, nodes) = nodeArgs(args)
+        if success:
+            control.attachGdb(nodes)
+
+    def do_cron(self, args):
+        """- [<nodes>]
+
+        As the name implies, this command should be executed regularly via
+        _cron_, as described xref:Installation[above]. It performs a set of
+        maintainance tasks, including the logging of various statistical
+        information, expiring old log files, checking for dead hosts, and
+        restarting nodes which terminated unexpectedly.  While not intended
+        for interactive use, no harm will be caused by executing the command 
+        manually: all the maintainance tasks will then just be performed one
+        more time."""
+
+        self.lock()
+
+        if len(args) > 0:
+            if args == "enable":
+                config.Config._setState("cronenabled", "1")
+                util.output("cron enabled")
+            elif args == "disable":
+                config.Config._setState("cronenabled", "0")
+                util.output("cron disabled")
+            elif args == "?":
+                util.output("cron " + (config.Config.cronenabled == "1"  and "enabled" or "disabled"))
+            else:
+                util.output("wrong cron argument")
+            return
+
+        cron.doCron()
+
+    def do_check(self, args):
+        """- [<nodes>]
+
+        Verifies a modified configuration in terms of syntactical correctness
+        (most importantly correct syntax in policy scripts). This command
+        should be executed for each configuration change _before_
+        xref:cmd_install[+install+] is used to put the change into place. Note
+        that +check+ is the only command which operates correctly without a
+        former xref:cmd_install[+install+] command; +check+ uses the policy
+        files as found in xref:opt_SitePolicyPath[+SitePolicyPath+] to make
+        sure they compile correctly. If they do, xref:cmd_install[+install+]
+        will then copy them over to an internal place from where the nodes
+        will read them at the next xref:cmd_start[+start+]. This approach
+        ensures that new errors in a policy scripts will not affect currently
+        running nodes, even when one or more of them needs to be restarted."""
+
+        self.lock()
+        (success, nodes) = nodeArgs(args)
+        if success:
+            control.checkConfigs(nodes)
+
+    def do_cleanup(self, args):
+        """- [--all] [<nodes>]
+
+        Clears the nodes' spool directories (if they are not running
+        currently). This implies that their persistent state is flushed. Nodes
+        that were crashed are reset into _stopped_ state. If +--all+ is
+        specified, this command also removes the content of the node's
+        xref:opt_TmpDir[+TmpDir+], in particular deleteing any data
+        potentially saved there for reference from previous crashes.
+        Generally, if you want to reset the installation back into a clean
+        state, you can first xref:cmd_stop[+stop+] all nodes, then execute
+        +cleanup --all+, and finally xref:cmd_start[+start+] all nodes
+        again.""" 
+
+        cleantmp = False
+        try:
+            if args.startswith("--all"):
+                args = args[5:]
+                cleantmp = True
+        except IndexError:
+            pass
+
+        self.lock()
+        (success, nodes) = nodeArgs(args)
+        if not success:
+            return 
+
+        control.cleanup(nodes, cleantmp)
+
+    def do_capstats(self, args):
+        """- [<interval>] [<nodes>]
+
+        Determines the current load on the network interfaces monitored by
+        each of the given worker nodes. The load is measured over the
+        specified interval (in seconds), or by default over 10 seconds. This
+        command uses the http://www.icir.org/robin/capstats[capstats] tool,
+        which is installed along with +broctl+.
+
+        (Note: When using a CFlow and the CFlow command line utility is
+        installed as well, the +capstats+ command can also query the device
+        for port statistics. _TODO_: document how to set this up.)"""
+
+        interval = 10
+        args = args.split()
+
+        try:
+            interval = max(1, int(args[-1]))
+            args = args[0:-1]
+        except ValueError:
+            pass
+        except IndexError:
+            pass
+
+        args = " ".join(args)
+
+        self.lock()
+        (success, nodes) = nodeArgs(args)
+        if success:
+            control.capstats(nodes, interval)
+
+    def do_update(self, args):
+        """- [<nodes>]
+
+        After a change to Bro policy scripts, this command updates the Bro
+        processes on the given nodes _while they are running_ (i.e., without
+        requiring a xref:cmd_restart[+restart+]). However, such dynamic
+        updates work only for a _subset_ of Bro's full configuration. The
+        following changes can be applied on the fly: (1) The value of all
+        script variables defined as +&redef+ can be changed; and (2) all
+        configuration changes performed via the xref:cmd_analysis[+analysis+]
+        command can be put into effect. More extensive script changes are not
+        possible during runtime and always require a restart; if you change
+        more than just the values of +&redef+ variables and still issue
+        +update+, the results are undefined and can lead to crashes. Also note
+        that before running +update+, you still need to do an
+        xref:cmd_install[+install+] (preferably after
+        xref:cmd_install[+check+]), as otherwise +update+ will not see the
+        changes and resend the old configuration.  """
+
+        self.lock()
+        (success, nodes) = nodeArgs(args)
+        if success:
+            control.update(nodes)
+
+    def do_analysis(self, args):
+        """- enable|disable <type>
+
+        This command enables or disables certain kinds of analysis without the
+        need for doing any changes to Bro scripts. Currently, the analyses
+        shown in the table below can be controlled (in parentheses the
+        corresponding Bro scripts; the effect of enabling/disabling is similar
+        to loading or not loading these scripts, respectively). The list might
+        be extended in the future. Any changes performed via this command are
+        applied by xref:cmd_update[+update+] and therefore do not require a
+        restart of the nodes. 
+        +
+        [format="dsv",frame="none",grid="all",border="0",separator="|"]
+        .10`20~
+        Type          | Description
+        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+        dns           | DNS analysis (+dns.bro+)
+        ftp           | FTP analysis (+ftp.bro+)
+        http-body     | HTTP body analysis (+http-body.bro+). 
+        http-request  | Client-side HTTP analysis only (+http-request.bro+)
+        http-reply    | Client- and server-side HTTP analysis (+http-request.bro+/+http-reply.bro+)
+        http-header   | HTTP header analysis (+http-headers.bro+)
+        scan          | Scan detection (+scan.bro+)
+        smtp          | SMTP analysis (+smtp.bro+)
+        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+        """
+
+        self.lock()
+        args = args.split()
+
+        if len(args) > 1:
+            if args[0].lower() == "enable":
+                control.toggleAnalysis(args[1:], True)
+
+            elif args[0].lower() == "disable":
+                control.toggleAnalysis(args[1:], False)
+
+            else:
+                self.syntax("'enable' or 'disable' expected")
+                return
+
+        control.showAnalysis()
+
+    def do_df(self, args):
+        """- [<nodes>]
+
+        Reports the amount of disk space available on the nodes. Shows only
+        paths relevant to the broctl installation."""
+
+        self.lock()
+        (success, nodes) = nodeArgs(args)
+        if success:
+            control.df(nodes)
+
+    def do_print(self, args):
+        """- <id> [<nodes>]
+
+        Reports the _current_ live value of the given Bro script ID on all of
+        the specified nodes (which obviously must be running). This can for
+        example be useful to (1) check that policy scripts are working as
+        expected, or (2) confirm that configuration changes have in fact been
+        applied.  Note that IDs defined inside a Bro namespace must be
+        prefixed with +<namespace>::+ (e.g., +print SSH::did_ssh_version+ to
+        print the corresponding table from +ssh.bro+.)"""
+
+        self.lock()
+        args = args.split()
+        try:
+            id = args[0]
+
+            (success, nodes) = nodeArgs(" ".join(args[1:]))
+            if success:
+                control.printID(nodes, id)
+        except IndexError:
+            self.syntax("no id to print given")
+
+    def do_peerstatus(self, args):
+        """- [<nodes>]
+		
+		Primarily for debugging, +peerstatus+ reports statistics about the
+        network connections cluster nodes are using to communicate with other
+        nodes."""
+
+        self.lock()
+        (success, nodes) = nodeArgs(args)
+        if success:
+            control.peerStatus(nodes)
+
+    def do_netstats(self, args):
+        """- [<nodes>]
+		
+		Queries each of the nodes for their current counts of captured and
+        dropped packets."""
+		
+        if not args:
+            if config.Config.standalone:
+                args = "standalone"
+            else:
+                args = "workers"
+
+        self.lock()
+        (success, nodes) = nodeArgs(args)
+        if success:
+            control.netStats(nodes)
+
+    def do_exec(self, args):
+        """- <command line>
+		
+		Executes the given Unix shell command line on all nodes configured to
+        run at least one Bro instance. This is handy to quickly perform an
+        action across all systems."""
+		
+        self.lock()
+        control.executeCmd(Config.nodes(), args)
+
+    def do_scripts(self, args):
+        """- [-p|-c] [<nodes>]
+		
+		Primarily for debugging Bro configurations, the +script+ command lists
+        all the Bro scripts loaded by each of the nodes in the order as they
+        will be parsed by the node at startup. If +-p+ is given, all scripts
+        are listed with their full paths. If +-c+ is given, the command
+        operates as xref:cmd_check::[+check+] does: it reads the policy files
+        from their _original_ location, not the copies installed by
+        xref:cmd_install[+install+]. The latter option is useful to check a
+        not yet installed configuration."""
+		
+        paths = False
+        check = False
+
+        args = args.split()
+
+        try:
+            while args[0].startswith("-"):
+
+                opt = args[0]
+
+                if opt == "-p":
+                    # Show full paths.
+                    paths = True
+                elif opt == "-c":
+                    # Check non-installed policies.
+                    check = True
+                else:
+                    self.syntax("unknown option %s" % args[0])
+                    return
+
+                args = args[1:]
+
+        except IndexError:
+            pass
+
+        args = " ".join(args)
+
+        self.lock()
+        (success, nodes) = nodeArgs(args)
+        if success:
+            control.listScripts(nodes, paths, check)
+
+    def completedefault(self, text, line, begidx, endidx):
+        # Commands taken a "<nodes>" argument.
+        nodes_cmds = ["check", "cleanup", "df", "diag", "restart", "start", "status", "stop", "top", "update", "attachgdb", "peerstatus", "list-scripts"], 
+
+        args = line.split()
+
+        if not args or not args[0] in nodes_cmds:
+            return []
+
+        nodes = ["manager", "workers", "proxies", "all"] + [n.tag for n in Config.nodes()]
+
+        return [n for n in nodes if n.startswith(text)]
+
+    # Prints the command's docstring in a form suitable for direct inclusion
+    # into the documentation.
+    def printReference(self):
+        print "// Automatically generated. Do not edit."
+        print 
+
+        cmds = []
+
+        for i in self.__class__.__dict__:
+            doc = self.__class__.__dict__[i].__doc__
+            if i.startswith("do_") and doc:
+                cmds += [(i[3:], doc)]
+
+        cmds.sort()
+
+        for (cmd, doc) in cmds:
+            if doc.startswith("- "):
+                # First line are arguments.
+                doc = doc.split("\n")
+                args = doc[0][2:]
+                doc = "\n".join(doc[1:])
+            else:
+                args = ""
+
+            if args:
+                args = ("_%s_" % args)
+            else:
+                args = ""
+
+            output = ""
+            for line in doc.split("\n"):
+                line = line.strip()
+                output += line + "\n"
+
+            print 
+            print "[[cmd_%s]] *%s %s*::" % (cmd, cmd, args)
+            print output
+
+    def do_help(self, args):
+        """Prints a brief summary of all commands understood by the shell."""
+        self.output(
+"""
+BroControl Version %s
+
+   analysis [enable/disable ...] - print or enable/disable types of analysis 
+   capstats <nodes> [secs]       - report interface statistics (needs capstats)
+   check <nodes>                 - check configuration before installing it
+   cleanup [--all] <nodes>       - delete working dirs on nodes (flushes state)
+   config                        - print broctl configuration
+   cron                          - perform jobs intended to run from cron
+   cron enable|disable|?         - enable/disable \"cron\" jobs
+   df                            - print nodes' current disk usage 
+   diag <nodes>                  - output diagnostics for nodes
+   exec <shell cmd>              - execute shell command on all nodes
+   exit                          - exit shell
+   install                       - update broctl installation/configuration
+   netstats                      - print nodes' current packet counters
+   nodes                         - print node configuration
+   print <id> <nodes>            - print current values of script variable at nodes
+   peerstatus <nodes>            - print current status of nodes' remote connections
+   quit                          - exit shell
+   restart [--clean] <nodes>     - stop and then restart processing
+   scripts [-p|-c] <nodes>       - Lists the Bro scripts the nodes will be loading
+   start <nodes>                 - start processing 
+   status <nodes>                - summarize node status              
+   stop <nodes>                  - stop processing 
+   update <nodes>                - update configuration of nodes on the fly
+   top <nodes>                   - show Bro processes ala top
+
+See Bro Control's Wiki page for more information:
+
+    http://www.bro-ids.org/wiki/index.php/BroControl
+
+Send questions to the Bro mailing list at bro@bro-ids.org.
+   """ % Version)
+
+# Hidden command to print the command documentation.   
+if len(sys.argv) == 2 and sys.argv[1] == "--print-doc":
+    loop = BroCtlCmdLoop()
+    loop.printReference()
+    sys.exit(0)
+
+# Here so that we don't need the PYTHONPATH to be setup for --print-doc.    
+from BroControl import util
+from BroControl import config
+from BroControl import execute
+from BroControl import install
+from BroControl import control
+from BroControl import cron
+from BroControl.config import Config
+
+Config = config.Configuration("etc/broctl.cfg", BroBase, BroDist, Version, StandAlone)
+
+util.enableSignals()
+
+loop = BroCtlCmdLoop()
+
+try:
+    os.chdir(Config.brobase)
+except:
+    pass
+
+if len(sys.argv) > 1:
+    Interactive = False
+    line = " ".join(sys.argv[1:])
+    loop.precmd(line)
+    loop.onecmd(line)
+    loop.postcmd(False, line)
+else:
+    Interactive = True
+    loop.cmdloop("\nWelcome to BroControl %s\n\nType \"help\" for help.\n" % Version)
+
diff --git a/aux/broctl/bin/cflow-stats.in b/aux/broctl/bin/cflow-stats.in
new file mode 100755
index 0000000000..1b9c07f95b
--- /dev/null
+++ b/aux/broctl/bin/cflow-stats.in
@@ -0,0 +1,23 @@
+#! /usr/bin/env bash
+#
+# $Id: cflow-stats.in 6811 2009-07-06 20:41:10Z robin $
+#
+# Print cpacket stats in format:
+#
+# port pkts/sec bits/sec cum-pkts cum-bytes (-1 where not available)
+
+cflowcmd=`which cFlowCmd`
+
+if [ "$cflowcmd" == "" ]; then
+   exit 1
+fi   
+
+host=${cflowaddress}
+user=${cflowuser}
+pw=${cflowpassword}
+
+cFlowCmd $host $user:$pw list -m -p --format="rb rp cb cp" \
+         | awk '/^mac_/   {print substr($1, 0, length($1) - 1), $3, -1, $4, -1} 
+                /defmac/  {print "Fall-back", $3, -1, $4, -1;} 
+                /Receive/ {print "In", $4, $3, $6, $5}
+                /Transmit/{print "Out", $4, $3, $6, $5}'
diff --git a/aux/broctl/bin/check-config.in b/aux/broctl/bin/check-config.in
new file mode 100755
index 0000000000..c4eed8456f
--- /dev/null
+++ b/aux/broctl/bin/check-config.in
@@ -0,0 +1,39 @@
+#! /usr/bin/env bash
+#
+# $Id: check-config.in 6860 2009-08-14 19:01:47Z robin $
+#
+# Just check Bro's configuration for errors.
+#
+# check_config <installed_policies_flag> <dir-to-set-as-cwd> <Bro parameters>
+
+if [ "$1" == "1" ]; then
+   policies=${policydir}
+   export BROPATH=${policydirsiteinstallauto}:${policydirsiteinstall}:$policies:$policies/sigs:$policies/time-machine:$policies/broctl:$policies/xquery
+elif [ "${devmode}" == "0" ]; then
+   policies=${policydir}
+   export BROPATH=${policydirsiteinstallauto}:${sitepolicypath}:$policies:$policies/sigs:$policies/time-machine:$policies/broctl:$policies/xquery
+else
+   policies=${distdir}/policy
+   export BROPATH=${policydirsiteinstallauto}:${sitepolicypath}:$policies:$policies/sigs:$policies/time-machine:${distdir}/aux/broctl/policy:$policies/xquery
+fi
+
+shift 
+
+cd $1
+shift
+
+export PATH=${bindir}:${scriptsdir}:$PATH
+
+echo $@ >.cmdline
+
+if [ "${devmode}" == "0" ]; then
+    ${bro} $@
+else
+    ${distdir}/src/bro $@ 
+fi
+
+exit $?
+
+
+
+
diff --git a/aux/broctl/bin/crash-diag.in b/aux/broctl/bin/crash-diag.in
new file mode 100755
index 0000000000..d944747e99
--- /dev/null
+++ b/aux/broctl/bin/crash-diag.in
@@ -0,0 +1,56 @@
+#! /usr/bin/env bash
+#
+# $Id: crash-diag.in 6811 2009-07-06 20:41:10Z robin $
+#
+# crash-diag <cwd>
+
+(
+
+cd $1
+
+if [ -e stderr.log ]; then
+   echo ==== stderr.log 
+   tail -30 stderr.log 
+else
+   echo ==== No stderr.log.
+fi
+
+if [ -e stdout.log ]; then
+   echo ==== stdout.log 
+   tail -30 stdout.log 
+else
+   echo ==== No stdout.log.
+fi
+
+echo
+
+if [ -e .status ]; then
+   echo ==== .status
+   tail -30 .status
+else
+   echo ==== No .status.
+fi
+
+echo
+
+if [ -e prof.log ]; then
+   echo ==== prof.log 
+   tail -30 prof.log 
+else
+   echo ==== No prof.log.
+fi
+
+echo
+
+core=`ls -t *core* 2>&1`
+
+for c in $core; do 
+   if [ -e $c ]; then
+      echo $c
+      echo "bt" | gdb --batch -x /dev/stdin ${bro} $c
+   fi
+done
+
+) >.crash-diag.log
+
+cat .crash-diag.log
diff --git a/aux/broctl/bin/delete-log b/aux/broctl/bin/delete-log
new file mode 100755
index 0000000000..109c9cf450
--- /dev/null
+++ b/aux/broctl/bin/delete-log
@@ -0,0 +1,10 @@
+#! /usr/bin/env bash
+#
+# $Id: delete-log 6811 2009-07-06 20:41:10Z robin $
+#
+# Bro postprocessor script to archive log files. 
+# 
+# archive-log <rotated-file-name> <base-name> <timestamp-when-opened> <timestamp-when-closed> [<tag>]
+
+rm -rf $1
+
diff --git a/aux/broctl/bin/expire-logs.in b/aux/broctl/bin/expire-logs.in
new file mode 100755
index 0000000000..08e145cb8f
--- /dev/null
+++ b/aux/broctl/bin/expire-logs.in
@@ -0,0 +1,26 @@
+#! /usr/bin/env bash
+#
+# $Id: expire-logs.in 6860 2009-08-14 19:01:47Z robin $
+#
+# Delete logs older than ${log_expire_interval} days.
+
+base=${logdir}/
+
+file_pattern='.*/[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]/.*$'
+dir_pattern='.*/[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]$'
+
+exclude=""
+if [ "${keeplogs}" != "" ]; then
+   for name in ${keeplogs}; do
+      exclude="$exclude -not -name $name"
+   done
+fi   
+
+# Remove old files.
+find $base -type f -regex $file_pattern -mtime +${logexpireinterval} $exclude -delete 2>/dev/null
+rc=$?
+
+# Remove now empty directories (will fail for non-empty dirs).
+find $base -type d -regex $dir_pattern -exec rmdir '{}' ';' 2>/dev/null 
+
+exit $rc
diff --git a/aux/broctl/bin/extract-strictly-local-conns b/aux/broctl/bin/extract-strictly-local-conns
new file mode 100755
index 0000000000..4f3b5e0af1
--- /dev/null
+++ b/aux/broctl/bin/extract-strictly-local-conns
@@ -0,0 +1,40 @@
+#! /usr/bin/env python
+#
+# $Id: extract-strictly-local-conns 6813 2009-07-07 18:54:12Z robin $
+#
+
+import sys
+
+import SubnetTree
+
+def readNetworks(file):
+
+    nets = SubnetTree.SubnetTree()
+
+    for line in open(file):
+        line = line.strip()
+        if not line or line.startswith("#"):
+            continue
+
+        fields = line.split()
+        cidr = fields[0]
+        descr = " ".join(fields[1:])
+
+        try:
+            nets[cidr] = descr
+        except KeyError:
+            print >>sys.stderr, "cannot parse network specification '%s'" % cidr
+
+
+    return nets
+
+if len(sys.argv) != 2:
+    print >>sys.stderr, "usage: %s networks.cfg <conn.log" % sys.argv[0]
+    sys.exit(1)
+
+nets = readNetworks(sys.argv[1])
+
+for line in sys.stdin:
+    m = line.split()
+    if m[2] in nets and m[3] in nets:
+        print line,
diff --git a/aux/broctl/bin/get-prof-log.in b/aux/broctl/bin/get-prof-log.in
new file mode 100755
index 0000000000..7576813118
--- /dev/null
+++ b/aux/broctl/bin/get-prof-log.in
@@ -0,0 +1,26 @@
+#! /usr/bin/env bash
+#
+# $Id: get-prof-log.in 6811 2009-07-06 20:41:10Z robin $
+#
+# Copies $3/prof.log from the node $1, running on host $2, to the manager 
+
+tag=$1
+host=$2
+path=$3
+
+dstbase=${statsdir}/prof.$tag
+tmp=$dstbase.$$.log.tmp
+
+# Ignore errors.
+scp $host:$path $tmp >/dev/null 2>&1
+
+if [ -e $tmp ]; then
+   # Rename the file to use the first non-zero timestamp in the filename. 
+   ts=`awk '$1 > 0 {print $1; exit(0); }' <$tmp`
+   if [ "$ts" != "" ]; then
+       mv $tmp $dstbase.$ts.log
+   fi
+fi
+
+
+
diff --git a/aux/broctl/bin/helpers/cat-file b/aux/broctl/bin/helpers/cat-file
new file mode 100755
index 0000000000..2aab375fb7
--- /dev/null
+++ b/aux/broctl/bin/helpers/cat-file
@@ -0,0 +1,14 @@
+#! /usr/bin/env bash
+#
+# $Id: cat-file 6811 2009-07-06 20:41:10Z robin $
+#
+# cat-file <file>
+
+if [ -f $1 ]; then
+   echo 0
+   cat $1
+else
+   echo 1
+fi   
+
+echo ~~~
diff --git a/aux/broctl/bin/helpers/check-pid b/aux/broctl/bin/helpers/check-pid
new file mode 100755
index 0000000000..1991c503ca
--- /dev/null
+++ b/aux/broctl/bin/helpers/check-pid
@@ -0,0 +1,19 @@
+#! /usr/bin/env bash
+#
+# $Id: check-pid 6811 2009-07-06 20:41:10Z robin $
+#
+#  check-pid <pid> 
+
+( ps aux | awk '{print $2}' | grep -v check-pid | grep -v grep | grep -q "^$1$" )  2>/dev/null
+
+if [ $? = 0 ]; then
+   echo 0
+else
+   echo 1
+fi
+
+echo ~~~
+
+
+
+
diff --git a/aux/broctl/bin/helpers/df.in b/aux/broctl/bin/helpers/df.in
new file mode 100755
index 0000000000..553ae39ca1
--- /dev/null
+++ b/aux/broctl/bin/helpers/df.in
@@ -0,0 +1,11 @@
+#! /usr/bin/env bash
+#
+# $Id: df.in 6811 2009-07-06 20:41:10Z robin $
+#
+# df <path>
+#
+# Returns:  <fs> <fs-size> <fs-used> <fs-avail>
+
+echo 0
+df -h $1 | awk '{print $1, $2, $3, $4}' | tail -1 | awk -f ${helperdir}/to-bytes.awk
+echo ~~~
diff --git a/aux/broctl/bin/helpers/exists b/aux/broctl/bin/helpers/exists
new file mode 100755
index 0000000000..9f60841e69
--- /dev/null
+++ b/aux/broctl/bin/helpers/exists
@@ -0,0 +1,13 @@
+#! /usr/bin/env bash
+#
+# $Id: exists 6811 2009-07-06 20:41:10Z robin $
+#
+# exists <path>
+
+if [ -e $1 ]; then
+   echo 0
+else
+   echo 1
+fi   
+
+echo ~~~
diff --git a/aux/broctl/bin/helpers/gdb-attach.in b/aux/broctl/bin/helpers/gdb-attach.in
new file mode 100755
index 0000000000..f1c4a6e35a
--- /dev/null
+++ b/aux/broctl/bin/helpers/gdb-attach.in
@@ -0,0 +1,17 @@
+#! /usr/bin/env bash
+#
+# $Id: gdb-attach.in 6811 2009-07-06 20:41:10Z robin $
+#
+# gdb-attach <screen-session-name> <binary> <pid>
+
+session=$1
+binary=$2
+pid=$3
+
+cmds=${tmpdir}/gdb.cmd
+echo "continue" >$cmds
+
+echo 0
+screen -s $session -X quit >/dev/null 2>&1 
+screen -dmS $session gdb -x $cmds $binary $pid
+echo ~~~
diff --git a/aux/broctl/bin/helpers/get-childs b/aux/broctl/bin/helpers/get-childs
new file mode 100755
index 0000000000..be4b38774c
--- /dev/null
+++ b/aux/broctl/bin/helpers/get-childs
@@ -0,0 +1,12 @@
+#! /usr/bin/env bash
+#
+# $Id: get-childs 6811 2009-07-06 20:41:10Z robin $
+#
+#  get-childs <pid> 
+
+echo 0
+ps ax -o pid,ppid | awk -v pid=$1 '$2==pid {print $1}'
+echo ~~~
+
+
+
diff --git a/aux/broctl/bin/helpers/is-alive b/aux/broctl/bin/helpers/is-alive
new file mode 100755
index 0000000000..e69de29bb2
diff --git a/aux/broctl/bin/helpers/is-dir b/aux/broctl/bin/helpers/is-dir
new file mode 100755
index 0000000000..0d8d1a9349
--- /dev/null
+++ b/aux/broctl/bin/helpers/is-dir
@@ -0,0 +1,13 @@
+#! /usr/bin/env bash
+#
+# $Id: is-dir 6811 2009-07-06 20:41:10Z robin $
+#
+# is-dir <path>
+
+if [ -d $1 ]; then
+   echo 0
+else
+   echo 1
+fi   
+
+echo ~~~
diff --git a/aux/broctl/bin/helpers/rmdir b/aux/broctl/bin/helpers/rmdir
new file mode 100755
index 0000000000..0ca542fe19
--- /dev/null
+++ b/aux/broctl/bin/helpers/rmdir
@@ -0,0 +1,14 @@
+#! /usr/bin/env bash
+#
+# $Id: rmdir 6811 2009-07-06 20:41:10Z robin $
+#
+# rmdir <dir>
+
+if [ -d $1 ]; then
+   rm -rf $1 
+   echo $?
+else
+   echo 0
+fi   
+
+echo ~~~
diff --git a/aux/broctl/bin/helpers/run-cmd b/aux/broctl/bin/helpers/run-cmd
new file mode 100755
index 0000000000..c70b1e38e3
--- /dev/null
+++ b/aux/broctl/bin/helpers/run-cmd
@@ -0,0 +1,9 @@
+#! /usr/bin/env bash
+#
+# $Id: run-cmd 6811 2009-07-06 20:41:10Z robin $
+#
+#  run-cmd <cmd> 
+
+echo 0     # Fix me. Should be real return code.
+eval $@ 2>&1
+echo ~~~
diff --git a/aux/broctl/bin/helpers/run-cmd.in b/aux/broctl/bin/helpers/run-cmd.in
new file mode 100755
index 0000000000..f4571a08a2
--- /dev/null
+++ b/aux/broctl/bin/helpers/run-cmd.in
@@ -0,0 +1,35 @@
+#! /usr/bin/env bash
+#
+# $Id: run-cmd.in 6811 2009-07-06 20:41:10Z robin $
+#
+#  run-cmd [options] <cmd> 
+#
+#  -t 	time command
+#  -b   run in background
+
+time=""
+background=0
+
+while [ "$#" -gt "0" ]; do
+      case $1 in
+            -t) 
+                time=${time}
+                ;;
+            -b) background=1
+                ;;
+            *)
+              	break
+                ;;
+      esac
+      shift
+done                                                                                                                                                                              esac
+
+echo time, $time
+echo bg, $background
+echo rest, $@
+
+exit
+
+echo 0     # Fix me. Should be real return code.
+eval $@ 2>&1
+echo ~~~
diff --git a/aux/broctl/bin/helpers/start.in b/aux/broctl/bin/helpers/start.in
new file mode 100755
index 0000000000..be2cc9c431
--- /dev/null
+++ b/aux/broctl/bin/helpers/start.in
@@ -0,0 +1,23 @@
+#! /usr/bin/env bash
+#
+# $Id: start.in 6811 2009-07-06 20:41:10Z robin $
+#
+#  start <cwd> <Bro args>
+
+cd $1 2>/dev/null
+shift 
+
+rm -f .pid
+
+nohup ${scriptsdir}/run-bro $@ >stdout.log 2>stderr.log &
+
+while [ ! -e .pid ]; do
+   sleep 1
+done
+
+echo 0
+cat .pid
+echo ~~~
+
+
+
diff --git a/aux/broctl/bin/helpers/stop b/aux/broctl/bin/helpers/stop
new file mode 100755
index 0000000000..8ca9143946
--- /dev/null
+++ b/aux/broctl/bin/helpers/stop
@@ -0,0 +1,13 @@
+#! /usr/bin/env bash
+#
+# $Id: stop 6811 2009-07-06 20:41:10Z robin $
+#
+#  stop <pid> <signal>
+
+kill -$2 $1 >/dev/null 2>&1 
+echo 0
+echo ~~~
+
+
+
+
diff --git a/aux/broctl/bin/helpers/to-bytes.awk b/aux/broctl/bin/helpers/to-bytes.awk
new file mode 100644
index 0000000000..4b22539d65
--- /dev/null
+++ b/aux/broctl/bin/helpers/to-bytes.awk
@@ -0,0 +1,16 @@
+# $Id: to-bytes.awk 6811 2009-07-06 20:41:10Z robin $
+
+# Converts strings such as 12K, 42M, etc. into bytes.
+
+{
+    for ( i = 1; i <= NF; i++) {
+	    if ( match($i, "^(-?[0-9.]+)By?$") ){ $i = substr($i, RSTART, RLENGTH-1); }
+ 	    else if ( match($i, "^(-?[0-9.]+)Ki?$") ){ $i = substr($i, RSTART, RLENGTH-1) * 1024; }
+	    else if ( match($i, "^(-?[0-9.]+)Mi?$") ){ $i = substr($i, RSTART, RLENGTH-1) * 1024 * 1024; }
+	    else if ( match($i, "^(-?[0-9.]+)Gi?$") ){ $i = substr($i, RSTART, RLENGTH-1) * 1024 * 1024 * 1024; }
+	    else if ( match($i, "^(-?[0-9.]+)Te?$") ){ $i = substr($i, RSTART, RLENGTH-1) * 1024 * 1024 * 1024 * 1024; }
+	    printf("%s ", $i);
+	}
+
+    print ""; 
+}
diff --git a/aux/broctl/bin/helpers/top.in b/aux/broctl/bin/helpers/top.in
new file mode 100755
index 0000000000..ee05932011
--- /dev/null
+++ b/aux/broctl/bin/helpers/top.in
@@ -0,0 +1,29 @@
+#! /usr/bin/env bash
+#
+# $Id: top.in 6811 2009-07-06 20:41:10Z robin $
+#
+#  top 
+#
+#  Outputs one line per active process as follows:
+# 
+#           <pid> <vsize bytes> <rss in bytes> <%cpu> <cmdline>
+
+cmd_linux='top -b -n 1 | awk "/^ *[0-9]+ /{printf(\"%d %dK %dK %d %s\\n\", \$1, \$5, \$6, \$9, \$12)}"'
+cmd_freebsd='top -u -b all | awk "/^ *[0-9]+ /{printf(\"%d %s %s %d %s\\n\", \$1, \$6, \$7, \$11, \$12)}"'
+cmd_freebsd_nonsmp='top -u -b all | awk "/^ *[0-9]+ /{printf(\"%d %s %s %d %s\\n\", \$1, \$6, \$7, \$10, \$11)}"'
+cmd_darwin='top -l 1 | awk "/^ *[0-9]+ /{printf(\"%d %dK %dK %d %s\\n\", \$1, \$11, \$10, \$3, \$2)}"'
+cmd_netbsd='top -b -u  | awk "/^ *[0-9]+ /{printf(\"%d %s %s %d %s\\n\", \$1, \$5, \$6, \$10, \$11)}"'
+
+cmd="$cmd_${os}"
+
+if [ "${os}" == "freebsd" ]; then
+   # Top's output looks different on non-SMP FreeBSD machines.
+   top -u -b all | grep -q "STATE  C   TIME" || cmd="$cmd_freebsd_nonsmp"
+fi
+
+unset LINES
+unset COLUMNS
+
+echo 0
+eval $cmd | awk -f ${helperdir}/to-bytes.awk
+echo ~~~
diff --git a/aux/broctl/bin/is-alive b/aux/broctl/bin/is-alive
new file mode 100755
index 0000000000..e69de29bb2
diff --git a/aux/broctl/bin/is-alive.in b/aux/broctl/bin/is-alive.in
new file mode 100755
index 0000000000..ef2bb705da
--- /dev/null
+++ b/aux/broctl/bin/is-alive.in
@@ -0,0 +1,16 @@
+#! /usr/bin/env bash
+#
+# $Id: is-alive.in 6811 2009-07-06 20:41:10Z robin $
+#
+# is-alive <host>
+
+cmd_linux='ping -c 1 -W 1'
+cmd_bsd='ping -q -t 1 -o'
+
+if [ "${os}" == "linux" ]; then
+   cmd=$cmd_linux
+else
+   cmd=$cmd_bsd
+fi
+
+$cmd $1 >/dev/null 2>&1
diff --git a/aux/broctl/bin/local-interfaces b/aux/broctl/bin/local-interfaces
new file mode 100755
index 0000000000..a3e6d66607
--- /dev/null
+++ b/aux/broctl/bin/local-interfaces
@@ -0,0 +1,9 @@
+#! /usr/bin/env bash
+#
+# $Id: local-interfaces 6811 2009-07-06 20:41:10Z robin $
+#
+# Returns a list of the IP addresses associated with local interfaces.
+
+# Tested with Linux, FreeBSD and MacOS.
+# TODO: Not sure if this is sufficient for IPv6 addresses.
+ifconfig -a | sed -n 's/.*inet6\{0,1\} \(addr: *\)\{0,1\}\([^ ]*\).*/\2/gp'
diff --git a/aux/broctl/bin/mail-alarm.in b/aux/broctl/bin/mail-alarm.in
new file mode 100755
index 0000000000..10f3d42440
--- /dev/null
+++ b/aux/broctl/bin/mail-alarm.in
@@ -0,0 +1,33 @@
+#! /usr/bin/env bash
+#
+# $Id: mail-alarm.in 6811 2009-07-06 20:41:10Z robin $
+#
+# Mails out individual Bro alerts. 
+# Intended to be used as a Bro mail_script (see notice.bro), which
+# means that we will be called as /bin/mail would, i.e., 
+#
+# 		-s "[Bro Alarm] <notice_type>" <mail_dest>
+#
+
+subject="<No subject>"
+
+while getopts s: opt; do
+    case "$opt" in
+	    s) subject="$OPTARG";;
+	esac
+done
+
+shift $(($OPTIND - 1))
+
+# Remove Bro's subject prefix and insert our own.
+subject=`echo $subject | sed 's/\[Bro Alarm\] */${mailalarmprefix} /g'`
+
+# If the the destination given by Bro is "_broctl_default_", we use our 
+# configured address.
+if [ "$1" = "_broctl_default_" ]; then 
+    ${scriptsdir}/send-mail "$subject" "${mailalarmsto}"
+else
+    ${scriptsdir}/send-mail "$subject" "$1"
+fi 
+
+
diff --git a/aux/broctl/bin/mail-contents.in b/aux/broctl/bin/mail-contents.in
new file mode 100755
index 0000000000..ba0fec226b
--- /dev/null
+++ b/aux/broctl/bin/mail-contents.in
@@ -0,0 +1,34 @@
+#! /usr/bin/env bash
+#
+# $Id: mail-contents.in 6811 2009-07-06 20:41:10Z robin $
+#
+# mail-proto-violations 
+#
+# Gets its arguments via the environment. 
+
+tmp=${tmpdir}/`basename $0`.$$.tmp
+maxlen=8192
+
+function printData
+{
+   addr="$1"
+   name="$2"
+   file="$3"
+
+   title="$addr ($name)" 
+   echo >>$tmp
+   echo "> ---- $title ----------------------------" >>$tmp
+   echo >>$tmp
+   hexdump -e '60/ "%_c" "\n"' -n $maxlen $file >>$tmp 
+   rm -f $file
+}
+
+echo $BRO_ARG_BODY | sed 's/@@/\
+/g' >$tmp
+
+printData "$BRO_ARG_ORIG_H" "$BRO_ARG_ORIG_NAME" "$BRO_ARG_CONTENTS_ORIG"
+printData "$BRO_ARG_RESP_H" "$BRO_ARG_RESP_NAME" "$BRO_ARG_CONTENTS_RESP"
+
+${scriptsdir}/send-mail "$BRO_ARG_SUBJECT" $BRO_ARG_MAIL_DEST <$tmp 
+
+rm -f $tmp
diff --git a/aux/broctl/bin/make-plots.r b/aux/broctl/bin/make-plots.r
new file mode 100644
index 0000000000..cabef158df
--- /dev/null
+++ b/aux/broctl/bin/make-plots.r
@@ -0,0 +1,232 @@
+
+# $Id: make-plots.r 6813 2009-07-07 18:54:12Z robin $
+
+# Text & pch scaling.
+scale.cex		<- 1.4 
+scale.cex.lab	<- 1.4
+scale.cex.legend <- 1.0
+
+# Parameters for nicer plotting
+sample <- 10
+num <- 50 
+shift <- 0
+
+plotLoad <- function(tag, host, key, style, factor=1)
+{                       
+    file <- paste(tag, ".", host, ".dat", sep="")
+    data <- read.table(file, header=TRUE)
+    print(file)
+
+    times <- data$time
+    vals  <- data[[key]] / factor
+
+	l <- xy.coords(times, vals)
+    l$x = l$x[seq(1, length(l$x), by=sample)]
+	l$y = l$y[seq(1, length(l$y), by=sample)]
+	p <- seq(1 + shift * length(l$x) / num, length(l$x), length=num)
+	lines(l$x, l$y, col=style)
+	points(l$x[p], l$y[p], col=style, pch=style)
+}
+
+plotSeries <- function(tag, hosts, type, factor=1)
+{
+   	style <- 1
+    labels <- c()
+    for ( i in seq(1, length(hosts)) ) {
+        plotLoad(tag, hosts[i], type, style, factor=factor)
+        style <- style + 1
+        labels <- c(labels, hosts[i])
+        }
+
+    lsize <- length(labels)
+    cornerLegend(legend=labels, col=c(1:lsize), lty=1, pch=c(1:lsize), corner=2, cex=scale.cex.legend, ncol=5)
+    dev.off()
+}
+
+
+plotScale <- function(file, tag, host, ymax, title, xlab, ylab)
+{
+ 	postscript(file, paper="special", width=11, height=6.5)    
+    par(cex=1.3)
+    file <- paste(tag, ".", host, ".dat", sep="")
+    data <- read.table(file, header=TRUE)
+
+    times <- data$time
+
+ 	timeplot(c(min(times), max(times)), c(0, ymax), type="n", xlab=xlab, ylab=ylab, timezone=7, main=title)
+}
+
+########## Stolen from Holger #######################
+
+weekdays<-c("Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat")
+weekdaysLong<-c("Sunday", "Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday")
+
+time2str<-function(unixt, timezone=1)
+{
+	t<-timestamp(unixt, timezone)
+	s<-weekdays[t[1]+1]
+	s<-paste(s, t[2], sep=" ")
+	s<-paste(s, sprintf("%02g", t[3]), sep=":")
+	s
+}
+
+timeticks <- function (start, end, tickdist=NULL, labeldist=NULL, offset=1, timezone=1)
+{
+	if(identical(tickdist,NULL)) 
+		tickdist<-timetickdist(start, end)
+	if(identical(labeldist, NULL)) 
+		labeldist<-tickdist
+	pos<-start-1
+	res=list(ticks=c(), labels=c())
+	while(pos < end)
+	{
+		pos<-nexttick(pos, tickdist, offset)
+		if(pos<=end)
+		{
+			res$ticks<-c(res$ticks, pos)
+			if (identical((pos+offset*3600)%%labeldist,0)) 
+				res$labels<-c(res$labels, time2str(pos, timezone=offset)) 
+			else 
+				res$labels<-c(res$labels, " ")
+
+		}
+	}
+	res
+}
+
+nexttick <- function (cur, dist, offset=1) 
+{
+	nextt <- cur
+	curTZ = cur+offset*3600
+	if (identical(curTZ%%dist,0)) 
+		nextt <- cur+dist 
+	else 
+		nextt <- cur+(dist-(curTZ%%dist))
+
+	nextt
+}
+
+timetickdist <- function (start, end)
+{
+  d <- end-start
+  tickdist <- 3600*24
+  if (d<=3600*24*7) tickdist<-3600*12
+  if (d<=3600*24*3) tickdist<-3600*6
+  if (d<=3600*24) tickdist<-3600*2
+  if (d<=3600*12) tickdist<-3600
+  if (d<=3600) tickdist<-15*60
+  tickdist
+}
+
+cet <- function (unixt)
+{
+	timestamp(unixt, 1)
+}
+
+timestamp<-function (unixt, offset)
+{
+	unixt<-floor(unixt)
+	secs<-unixt%%60
+	unixt<-unixt%/%60
+	mins<-unixt%%60
+	unixt<-(unixt%/%60) + offset
+	hrs<-unixt%%24
+	unixt<-unixt%/%24
+	days<-(unixt-3)%%7 
+	c(days,hrs,mins,secs)
+}
+
+timeaxis <- function(xrange, offset=1, labels=T, timezone=1)
+{
+	t <- timeticks(xrange[1], xrange[2], offset=offset, timezone=timezone)
+	if (labels) 
+		axis(1, at=t$ticks, labels=t$labels)
+	else 
+		axis(1, at=t$ticks, labels=F)
+}
+
+timeplot <- function(x, y, offset=1, labels=T, timezone=1, ...)
+{
+	plot(x, y, axes=F, ...)
+	box()
+	axis(2)
+	timeaxis(range(x), offset, labels, timezone=timezone)
+}
+
+cornerLegend<-function(corner = 1, xoffs=0, yoffs=0, ...) {
+	xalign = 0
+		yalign = 0
+		smoothf=c(1,1)
+		if (corner == 1){
+			corner<-c(par()$usr[1], par()$usr[3])
+				xalign = 0
+				yalign = 0
+		}else if (corner == 2){
+			corner<-c(par()$usr[1], par()$usr[4])
+				xalign = 0
+				yalign = 1
+				smoothf=c(1,-1)
+		}else if (corner == 3){
+			corner<-c(par()$usr[2], par()$usr[4])
+				xalign = 1
+				yalign = 1
+				smoothf= c(-1,-1)
+		}else{
+			corner<-c(par()$usr[2], par()$usr[3])
+				xalign = 1
+				yalign = 0
+				smoothf = c(-1,1)
+		}
+
+	cat(corner, "\n")
+
+		smooth<-c(0,0)
+		if(par("xlog")){
+			corner[1]<-10^corner[1]
+				smooth[1]<-0
+		}else{
+			smooth[1]<-(par("usr")[2]-par("usr")[1])/50
+		}
+	if(par("ylog")){
+		corner[2]<-10^corner[2]
+			smooth[2]<-(10^par("usr")[4]-10^par("usr")[3])/-50
+	}else{
+		smooth[2]<-(par("usr")[4]-par("usr")[3])/50
+	}
+	smooth<-smooth*smoothf
+		cat (smooth, "\n")
+		legend(x=corner[1]+smooth[1]+xoffs, y=corner[2]+smooth[2]+yoffs, xjust=xalign, yjust=yalign, ...)
+}
+
+########## End of Stolen from Holger #######################
+
+# Interface statistics
+
+hosts <- read.table("interface.hosts.dat", header=TRUE, as.is=TRUE)$name
+plotScale("bandwith.eps", "interface", hosts[1], 500, "Bandwidth", "Time", "Mbps")
+plotSeries("interface", hosts, "mbps")
+
+# CPU Load Child Process
+
+hosts <- read.table("child.hosts.dat", header=TRUE, as.is=TRUE)$name
+plotScale("cpu-child.eps", "child", hosts[1], 120, "CPU Load - Child Process", "Time", "Load")
+plotSeries("child", hosts, "cpu")
+
+# CPU Load Parent Process
+
+hosts <- read.table("parent.hosts.dat", header=TRUE, as.is=TRUE)$name
+plotScale("cpu-parent.eps", "parent", hosts[1], 120, "CPU Load - Parent Process", "Time", "Load")
+plotSeries("parent", hosts, "cpu")
+
+# Memory Parent Process
+
+hosts <- read.table("parent.hosts.dat", header=TRUE, as.is=TRUE)$name
+plotScale("mem-parent.eps", "parent", hosts[1], 2, "Memory - Parent Process", "Time", "GBytes")
+plotSeries("parent", hosts, "vsize", factor=1024*1024*1024)
+
+# Memory Child Process
+
+hosts <- read.table("child.hosts.dat", header=TRUE, as.is=TRUE)$name
+plotScale("mem-child.eps", "child", hosts[1], 2, "Memory - Child Process", "Time", "GBytes")
+plotSeries("child", hosts, "vsize", factor=1024*1024*1024)
+
diff --git a/aux/broctl/bin/make-wrapper.in b/aux/broctl/bin/make-wrapper.in
new file mode 100755
index 0000000000..e6f4003639
--- /dev/null
+++ b/aux/broctl/bin/make-wrapper.in
@@ -0,0 +1,14 @@
+#! /usr/bin/env bash
+#
+# $Id: make-wrapper.in 6811 2009-07-06 20:41:10Z robin $
+#
+# Wrapper to call the broctl script from the Makefile, settting
+# some environment variables first.
+
+export BROBASE=$PREFIX
+export BRODIST=$BRODIST
+
+export BROCTL_INSTALL=1
+export PYTHONPATH=$BRODIST/aux/broctl:$PYTHONPATH
+
+./bin/broctl $@
diff --git a/aux/broctl/bin/post-terminate.in b/aux/broctl/bin/post-terminate.in
new file mode 100755
index 0000000000..8040086700
--- /dev/null
+++ b/aux/broctl/bin/post-terminate.in
@@ -0,0 +1,77 @@
+#! /usr/bin/env bash 
+#
+# $Id: post-terminate.in 6813 2009-07-07 18:54:12Z robin $
+#
+# Cleans-up after termination.
+#
+# post-terminate <dir> [crash]
+#
+# If $2 is "crash", then the scripts assumes that Bro crashed and will return
+# information about the crash on stdout which is suitable for mailing to the user. 
+
+dir=$1
+
+crash=0
+if [ "$2" == "crash" ]; then
+   crash=1
+fi   
+
+if [ ! -d $dir ]; then
+   echo No $dir
+   exit
+fi
+
+date=`date +%Y-%m-%d-%H-%M-%S`
+tmp=${tmpdir}/post-terminate-$date-$$
+
+if [ "$crash" = "1" ]; then
+   cd $1
+   ${scriptsdir}/crash-diag $dir
+   tmp=$tmp-crash
+   archive_flags="-c" # Don't delete log files in work dir.
+fi    
+
+if [ ! -d ${tmpdir} ]; then 
+   mkdir ${tmpdir} 
+fi
+
+mv $dir $tmp 2>/dev/null
+
+mkdir $dir 2>/dev/null
+
+if [ -d $tmp/.state ]; then
+   mv $tmp/.state $dir 2>/dev/null
+fi   
+
+cd $tmp
+
+if [ "$crash" = "1" ]; then
+   tmpbro=${tmpexecdir}/`basename ${bro}`
+   cp $tmpbro .
+fi
+
+# Run post-processors manually. 
+
+if [ ! -f .startup ]; then
+   echo No .startup
+   exit
+fi
+
+end=`date +%y-%m-%d_%H.%M.%S`
+start=`cat .startup | tail -1`
+if [ "$crash" = "1" -a -e .rotate ]; then
+   start=`cat .rotate | tail -1`
+fi   
+
+#if [ -e .peer_description ]; then
+#   tag=`cat .peer_description | tail -1`
+#fi   
+
+( for i in *.log; do
+    if [ -s $i ]; then
+       ${scriptsdir}/archive-log $archive_flags $i $i $start $end $tag >/dev/null &
+    fi
+  done && wait && if [ "$crash" = "0" ]; then rm -rf $tmp; fi ) &
+
+
+
diff --git a/aux/broctl/bin/postprocessors/mail-log.in b/aux/broctl/bin/postprocessors/mail-log.in
new file mode 100755
index 0000000000..5865cdcede
--- /dev/null
+++ b/aux/broctl/bin/postprocessors/mail-log.in
@@ -0,0 +1,35 @@
+#! /usr/bin/env bash
+#
+# $Id: mail-log.in 6811 2009-07-06 20:41:10Z robin $
+#
+# Formats Bro's mail.log, archives, encrypts and mails it (if requested).
+#
+# It's called as a Bro postprocessor so its arguments are:
+# 	   mail-log <logfile> <basename> <timestamp-when-opened> <timestamp-when-closed> [<tag>]
+
+if [ "$2" != "mail.log" ]; then
+   exit 0
+fi
+
+log=$1
+base=$2
+open=$3
+close=$4
+tag=$5
+
+# Do nothing if log is empty
+if [ ! -s $log ]; then
+    rm -f $log
+    exit 0;
+fi
+
+# Build subject 
+start=`echo $open | sed 's/^..-..-.._//' | sed 's/\./:/g'`
+end=`echo $close | sed 's/^..-..-.._//' | sed 's/\./:/g'`
+subject="Log from $start-$end"
+
+# Mail it.
+if [ "${mailalarms}" == "1" ]; then
+   ${scriptsdir}/send-mail "$subject" "${mailalarmsto}" <$log
+fi
+
diff --git a/aux/broctl/bin/postprocessors/summarize-connections.in b/aux/broctl/bin/postprocessors/summarize-connections.in
new file mode 100755
index 0000000000..0aef658dc2
--- /dev/null
+++ b/aux/broctl/bin/postprocessors/summarize-connections.in
@@ -0,0 +1,54 @@
+#! /usr/bin/env bash
+#
+# $Id: summarize-connections.in 6813 2009-07-07 18:54:12Z robin $
+#
+# Bro postprocessor script to summarize connection summaries. 
+#
+# Needs trace-summary script.
+#
+# summarize-conns <rotated-file-name> <base-name> <timestamp-when-opened> <timestamp-when-closed> [<tag>]
+
+if [ "$2" != "conn.log" ]; then
+   exit 0
+fi
+
+summary_options="-c -r"
+
+# If we're a cluster installation, we assume we have lots of traffic and activate sampling.
+if [ "${standalone}" != "0" ]; then
+   summary_options="$summary_options -S 0.01" 
+fi    
+
+if [ -e ${localnetscfg} ]; then
+   summary_options="$summary_options -l ${localnetscfg}"
+fi
+
+input=$1
+open=$3
+close=$4
+
+output=conn-summary.log
+
+# GNU's time can do memory as well.
+export TIME="%E real, %U user, %S sys, %KK total memory"
+
+if [ "${tracesummary}" != "" ]; then
+   # Build subject 
+   start=`echo $open | sed 's/^..-..-.._//' | sed 's/\./:/g'`
+   end=`echo $close | sed 's/^..-..-.._//' | sed 's/\./:/g'`
+   subject="Connection summary from $start-$end"
+
+   LIMIT=${memlimit:1572864}
+   ulimit -m $LIMIT
+   ulimit -v $LIMIT
+
+   export PYTHONPATH=${libdirinternal}:$PYTHONPATH
+   nice ${time} ${tracesummary} $summary_options $input 2>&1 | grep -v "exceeds bandwith" >$output
+
+   ${scriptsdir}/send-mail "$subject" <$output
+   ${scriptsdir}/archive-log $output $output $3 $4 $5
+fi   
+
+
+
+
diff --git a/aux/broctl/bin/reformat-stats b/aux/broctl/bin/reformat-stats
new file mode 100755
index 0000000000..04dba1cf12
--- /dev/null
+++ b/aux/broctl/bin/reformat-stats
@@ -0,0 +1,128 @@
+#! /usr/bin/env python
+#
+# $Id: reformat-stats 6813 2009-07-07 18:54:12Z robin $
+#
+# Turns spool/stats.log into a format more something suitable for R.
+#
+# reformat-stats <stats.log> <dst-dir>
+#
+# Existing data in dst-dir will be deleted.
+
+import sys
+import math
+import os
+
+def filterOutput(tag, host):
+    os.system("cat %s/%s.dat | egrep '%s|^ *time' >%s/%s.%s.dat" % (Dest, tag, host, Dest, tag, host))
+
+def makeOutput(file, tag):
+
+    out = open("%s/%s.dat" % (Dest, tag), "w")
+
+    hosts = {}
+    data = {}
+    keys = {}
+
+    for line in open(file):
+
+        f = line.split()
+        if f[3] == "error": 
+            continue
+
+        try:
+            (time, host, t, key, val)  = f
+        except ValueError:
+            try:
+                (time, host, t, key)  = f
+                val = "-"
+            except ValueError:
+                print >>sys.stderr, "cannot parse '%s'" % line
+                continue
+
+        if t != tag:
+            continue
+
+        hosts[host] = 1
+
+        time = math.floor(float(time))
+        val = val
+
+        if not time in data:
+            data[time] = {}
+
+        interval = data[time]
+
+        if not host in interval:
+            interval[host] = {}
+
+        vals = interval[host]
+        vals[key] = val
+        keys[key] = 1
+
+    intervals = data.keys()
+    intervals.sort()
+
+    keys = keys.keys()
+
+    print >>out, "%10s %10s" % ("time", "node"),
+    for k in keys:
+        print >>out, "%10s" % k,
+    print >>out
+
+    for t in intervals:
+
+        itv = data[t]
+
+        idxs = itv.keys()
+        idxs.sort()
+
+        for idx in idxs:
+
+            vals = itv[idx]
+
+            print >>out, "%10.0f %10s" % (t, idx),
+
+            for k in keys:
+                if k in vals:
+                    print >>out, "%10s" % vals[k],
+                else:
+                    print >>out, "%10s" % "-",
+
+            print >>out
+
+    out.close()
+
+    hosts = hosts.keys()
+    hosts.sort()
+    for host in hosts:
+        filterOutput(tag, host)
+
+    hostlist = open("%s/%s.hosts.dat" % (Dest, tag), "w")
+    print >>hostlist, "name";
+    for host in hosts:
+        print >>hostlist, host;
+
+
+if len(sys.argv) != 3:
+    print "Usage: reformat-stats <stats.log> <dst-dir>"
+    print "Existing data in <dst-dir> will be deleted!"
+    sys.exit(1)
+
+Dest = sys.argv[2]
+
+os.system("rm -rf %s" % Dest)
+os.mkdir(Dest)
+
+for tag in ["parent", "child", "interface"]:
+    makeOutput(sys.argv[1], tag)
+
+
+
+
+
+
+
+
+
+
+
diff --git a/aux/broctl/bin/remove-log b/aux/broctl/bin/remove-log
new file mode 100755
index 0000000000..3bb17a9a45
--- /dev/null
+++ b/aux/broctl/bin/remove-log
@@ -0,0 +1,9 @@
+#! /usr/bin/env bash
+#
+# $Id: remove-log 6811 2009-07-06 20:41:10Z robin $
+#
+# This script can be used as a Bro log postprocessor to simply *delete* 
+# the files after rotation.
+
+rm $1
+
diff --git a/aux/broctl/bin/run-bro.in b/aux/broctl/bin/run-bro.in
new file mode 100755
index 0000000000..d95a8dadf6
--- /dev/null
+++ b/aux/broctl/bin/run-bro.in
@@ -0,0 +1,75 @@
+#! /usr/bin/env bash
+#
+# $Id: run-bro.in 6860 2009-08-14 19:01:47Z robin $
+#
+# Wrapper script around the actual Bro invocation. 
+#
+# run-bro is automatically generated from run-bro.in. Edit only the latter!
+
+export PATH=${bindir}:${scriptsdir}:$PATH
+
+policies=${policydir}
+export BROPATH=${policydirsiteinstallauto}:${policydirsiteinstall}:$policies:$policies/sigs:$policies/time-machine:$policies/broctl:$policies/xquery
+
+if test `uname` == "FreeBSD" && uname -r | grep -q "^[456]"; then
+   export MALLOC_OPTIONS="HR" # Helps performance on FreeBSD < 7
+fi
+
+child=""
+
+trap sig_handler 0
+
+function sig_handler
+{
+    if [ "$child" != "" ]; then
+        kill -15 $child 2>/dev/null
+        echo KILLED 1>&2
+    fi;
+
+    if [ ! -e .pid ]; then
+       echo -1 >.pid
+    fi
+}
+
+LIMIT=${memlimit:1572864}
+ulimit -m $LIMIT
+ulimit -d $LIMIT
+ulimit -v $LIMIT
+ulimit -c unlimited
+
+echo $@ >.cmdline
+
+date +%s >.startup
+date >>.startup
+date +%y-%m-%d_%H.%M.%S >>.startup # Bro default format when rotating files. 
+
+if [ "$BRO_WORKER" != "" ]; then
+   touch .worker
+elif [ "$BRO_PROXY" != "" ]; then
+   touch .proxy
+elif [ "$BRO_MANAGER" != "" ]; then
+   touch .manager
+elif [ "$BRO_STANDALONE" != "" ]; then
+   touch .standalone
+else
+   echo "None of the environment variables BRO_{MANAGER,PROXY,WORKER,STANDALONE} set." 1>&2
+   echo -1 >.pid
+   exit 1
+fi
+
+# ulimit -a
+# echo 
+
+tmpbro=${tmpexecdir}/`basename ${bro}`
+
+rm -f $tmpbro
+cp -p ${bro} $tmpbro
+sleep 1
+nohup $tmpbro $@ &
+
+child=$!
+
+echo $child >.pid
+wait $child
+child=""
+
diff --git a/aux/broctl/bin/send-mail.in b/aux/broctl/bin/send-mail.in
new file mode 100755
index 0000000000..6f857859af
--- /dev/null
+++ b/aux/broctl/bin/send-mail.in
@@ -0,0 +1,53 @@
+#! /usr/bin/env bash
+#
+# $Id: send-mail.in 6811 2009-07-06 20:41:10Z robin $
+#
+# Usage: send-mail subject [destination] <txt
+#
+# Sends stdin per mail to recipients, adding some common headers/footers
+
+if [ "${sendmail}" != "1" ]; then
+   exit 0
+fi
+
+if [ $# -lt 1 -o $# -gt 2 ]; then
+   echo Wrong usage.
+   exit 1
+fi
+
+from="${mailfrom}"
+replyto="${replyto}"
+subject="${mailsubjectprefix} $1"
+
+if [ $# = 2 ]; then
+   to=$2
+else
+   to="${mailto}"
+fi
+
+tmp=${tmpdir}/mail.$$.tmp
+
+rm -f $tmp
+touch $tmp
+
+echo From: $from >>$tmp
+echo Subject: $subject >>$tmp
+echo To: $to >>$tmp
+echo User-Agent: Bro Control ${version} >>$tmp
+
+if [ "$replyto" != "" ]; then
+   echo Reply-To: $replyto >>$tmp
+fi
+
+echo >>$tmp
+
+cat >>$tmp
+
+cat >>$tmp <<EOF
+
+-- 
+[Automatically generated.]
+
+EOF
+
+sendmail -t -oi <$tmp && rm -f $tmp
diff --git a/aux/broctl/bin/update.in b/aux/broctl/bin/update.in
new file mode 100755
index 0000000000..eaaef3d5a0
--- /dev/null
+++ b/aux/broctl/bin/update.in
@@ -0,0 +1,29 @@
+#! /usr/bin/env bash
+#
+# $Id: update.in 6860 2009-08-14 19:01:47Z robin $
+#
+# update <destination> <Bro args>
+
+dst=$1
+shift
+args=$@
+
+# Creating temporary working directory.
+dir=${tmpdir}/update-$1-$$
+rm -rf $dir
+mkdir $dir
+cd $dir
+
+export PATH=${bindir}:${scriptsdir}:$PATH
+
+policies=${policydir}
+export BROPATH=${policydirsiteinstallauto}:${policydirsiteinstall}:$policies:$policies/sigs:$policies/time-machine:$policies/broctl:$policies/xquery
+
+${bro} "SendConfig::dst=$dst-update" $args send-config >out.log 2>&1
+rc=$?
+
+cat out.log | egrep -v "warning: no such host|received termination signal"
+rm -rf $dir
+
+exit $rc
+
diff --git a/aux/broctl/configure b/aux/broctl/configure
new file mode 100755
index 0000000000..2391b0b36b
--- /dev/null
+++ b/aux/broctl/configure
@@ -0,0 +1,157 @@
+#! /usr/bin/env python
+#
+# $Id: configure 6952 2009-12-05 00:23:47Z robin $
+
+import os
+import os.path
+import sys
+import stat
+import subprocess
+
+Prefix = "/usr/local/bro"  # match Bro's default.
+BroDist = os.path.abspath("../..")
+BroCtlSrc = os.path.join(BroDist, "aux/broctl")
+BroBuild = BroDist
+BroCtlBuild = os.path.join(BroDist, "aux/broctl")
+StandAlone = False
+
+def usage():
+    print """
+Usage: ./configure [--prefix=<dir>] [--brodist=<dir>] [--standalone]
+
+     --prefix=<dir>    Base directory for cluster installation [Default: %s]
+     --brodist=<dir>   Base directory of Bro distribution      [Default: %s]
+
+     --standalone      Do a non-cluster, one-Bro-only installation
+""" % (Prefix, BroDist)
+    sys.exit(1)
+
+args = {}
+for arg in sys.argv[1:]:
+    try:
+        m = arg.find("=")
+        if m >= 0: 
+            opt = arg[0:m].strip()
+	    val = arg[m+1:].strip()
+        else:
+            opt = arg.strip()
+            val = None
+
+        if opt == "--prefix" and val:
+            if val != "NONE":
+                Prefix = os.path.abspath(val)
+                
+        elif opt == "--brodist" and val:
+            BroDist = os.path.abspath(val)
+            BroCtlSrc = os.path.join(BroDist, "aux/broctl")
+            
+        elif opt == "--builddir" and val:
+            BroCtlBuild = os.path.abspath(val)
+            BroBuild = os.path.abspath(os.path.join(BroCtlBuild, "../.."))
+                    
+        elif opt == "--standalone":
+            StandAlone = True
+        else:
+            usage()
+
+        args[opt] = val
+
+    except ValueError:
+        usage()
+
+Version = open(os.path.join(BroDist, "aux/broctl/VERSION")).readline().strip()
+
+try:
+    p = subprocess.Popen("svnversion", stdin=subprocess.PIPE, stdout=subprocess.PIPE, close_fds=True)
+    (stdin, stdout) = (p.stdin, p.stdout)
+    stdin.close()
+    svnversion = stdout.readline().split()[0]
+    if svnversion != "exported":
+        Version += " [r%s]" % svnversion
+except:
+    pass
+        
+bin = os.path.join(BroCtlBuild, "bin")        
+if not os.path.exists(bin):
+    os.mkdir(bin)
+        
+# Create Makefile, bin/broctl and bin/make-env by replacing configuration variables.
+for file in ("Makefile", "bin/broctl", "bin/make-wrapper"):
+
+    src = os.path.join(BroDist, "aux/broctl/%s.in" % file)
+    dst = os.path.join(BroCtlBuild, file)
+
+    try:
+        os.unlink(dst)
+    except OSError:
+        pass
+
+    out = open(dst, "w")
+    
+    for line in open(src):
+        line = line.replace("$PREFIX", Prefix)
+        line = line.replace("$BRODIST", BroDist)
+        line = line.replace("$BROBUILD", BroBuild)
+        line = line.replace("$BROCTLBUILD", BroCtlBuild)
+        line = line.replace("$BROCTLSRC", BroCtlSrc)
+        line = line.replace("$STANDALONE", StandAlone and "True" or "False")
+        line = line.replace("$VERSION", Version)
+        print >>out, line, 
+
+    # Copy the mode of the source file but remove write permission 
+    # to prevent accidental modifications.
+    mode = os.stat(src).st_mode
+    os.chmod(dst, mode &~ 0222)
+
+    print "Created %s." % file
+
+# Create config.status.
+status = os.path.join(BroCtlBuild, "config.status")
+out = open(status, "w")
+print >>out, """#! /bin/sh
+# Generated by configure.
+# Run this file to recreate the current configuration.
+echo Recreating configuration.
+echo
+
+if [ -e ./BroControl ]; then
+    configure=./configure
+    args["--brodist"] = "../../"
+else
+    configure=%s/configure
+fi
+
+$configure %s && exit
+""" % (BroCtlSrc, " ".join(["%s=%s" % (k, v) for (k, v) in args.items()]))
+
+os.chmod(status, 0750)
+
+# Done.
+
+print """
+            Bro Control Configuration Summary
+==========================================================
+
+   Installation directory:      %s
+   Bro distribution:            %s
+   Bro build directory:         %s
+   Bro Control distribution:    %s
+   Bro Control build directory: %s
+   
+   Standalone installation:     %s
+
+""" % (Prefix, BroDist, BroBuild, BroCtlSrc, BroCtlBuild, (StandAlone and "yes" or "no"))
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/aux/broctl/etc/analysis.dat b/aux/broctl/etc/analysis.dat
new file mode 100644
index 0000000000..03911b7371
--- /dev/null
+++ b/aux/broctl/etc/analysis.dat
@@ -0,0 +1,28 @@
+# $Id: analysis.dat 6811 2009-07-06 20:41:10Z robin $
+#
+# Types of analysis which we can enable/disable via the cluster shell. 
+#
+# Format: <tag>  <mechanism>   <descr>
+#
+#   tag: 	   The name used to reference the type within the shell.
+#   mechanism: How we can enable/disable the analysis. Currently defined:
+#
+#                  bool:<global>         <global> is a Bro script-level boolean
+#                                        which enables the analysis if true.
+#                 
+#                  bool-inv:<global>     <global> is a Bro script-level boolean
+#                                        which enables the analysis if *false*.
+#                  events:<tag>          <tag> is the name of a Bro event group 
+#                                        which corresponds to the analysis.
+#                  disable:<tag>		 If disabled, also disable analysis <tag>
+
+dns                events:dns            DNS analysis
+ftp                events:ftp            FTP analysis
+smtp               events:smtp           SMTP analysis
+
+http-request       events:http-request,disable:http-reply,disable:http-header,disable:http-body   Client-side HTTP analysis
+http-reply         events:http-reply,bool:HTTP::process_HTTP_replies                              Server-side HTTP analysis 
+http-body          events:http-body,bool:HTTP::process_HTTP_data                                  Analysis of HTTP bodies
+http-header        events:http-header                                                             Analysis of HTTP headers         
+
+scan               bool-inv:Scan::suppress_scan_checks                                            Scan detection
diff --git a/aux/broctl/etc/broctl.cfg.cluster.in b/aux/broctl/etc/broctl.cfg.cluster.in
new file mode 100644
index 0000000000..dd19c8e57d
--- /dev/null
+++ b/aux/broctl/etc/broctl.cfg.cluster.in
@@ -0,0 +1,27 @@
+# $Id: broctl.cfg.cluster.in 6811 2009-07-06 20:41:10Z robin $
+#
+# Global cluster configuration file. 
+#
+
+# Directories with local policies which are to be installed in addition
+# to the distribution's scripts. ':' separates multiple directories.
+#
+SitePolicyPath = ${policydir}/site
+
+# Top-level script file for local manager policy.
+#
+SitePolicyManager = local-manager
+
+# Top-level script file for local worker policy.
+#
+SitePolicyWorker = local-worker
+
+# Local script prefixes (use this instead of the @prefix statement.)
+# Multiple prefixes are separated by a colon.
+Prefixes = local
+
+# Sends all mails to this address.
+MailTo = root@localhost
+
+# Logs debug information into spool/debug.log
+Debug = 1
diff --git a/aux/broctl/etc/broctl.cfg.standalone.in b/aux/broctl/etc/broctl.cfg.standalone.in
new file mode 100644
index 0000000000..a255c05e84
--- /dev/null
+++ b/aux/broctl/etc/broctl.cfg.standalone.in
@@ -0,0 +1,22 @@
+# $Id: broctl.cfg.standalone.in 6811 2009-07-06 20:41:10Z robin $
+#
+# Global configuration file for a non-cluster, single-instance setup.
+#
+
+# Directories with local policies which are to be installed in addition
+# to the distribution's scripts. ':' separates multiple directories.
+#
+SitePolicyPath = ${policydir}/site
+
+# Top-level script file for local policy.
+SitePolicyStandalone = local
+
+# Local script prefixes (use this instead of the @prefix statement.)
+# Multiple prefixes are separated by a colon.
+Prefixes = local
+
+# Sends all mails to this address.
+MailTo = root@localhost
+
+# Logs debug information into spool/debug.log
+Debug = 1
diff --git a/aux/broctl/etc/networks.cfg.in b/aux/broctl/etc/networks.cfg.in
new file mode 100644
index 0000000000..aeeb1337fb
--- /dev/null
+++ b/aux/broctl/etc/networks.cfg.in
@@ -0,0 +1,7 @@
+# $Id: networks.cfg.in 6811 2009-07-06 20:41:10Z robin $
+#
+# List of local networks in CIDR notation, optionally followed by a descriptive tag.
+# 
+
+10.0.0.0/8          Private IP space 
+192.168.0.0/16      Private IP space
diff --git a/aux/broctl/etc/node.cfg.cluster.in b/aux/broctl/etc/node.cfg.cluster.in
new file mode 100644
index 0000000000..82c28a3c74
--- /dev/null
+++ b/aux/broctl/etc/node.cfg.cluster.in
@@ -0,0 +1,27 @@
+# $Id: node.cfg.cluster.in 6811 2009-07-06 20:41:10Z robin $
+#
+# Node configuration
+#
+
+[manager]
+type=manager
+host=host1
+
+[proxy-1]
+type=proxy
+host=host1
+
+[worker-1]
+type=worker
+host=host2
+interface=em0
+
+[worker-2]
+type=worker
+host=host3
+interface=em0
+
+[worker-3]
+type=worker
+host=host4
+interface=em0
diff --git a/aux/broctl/etc/node.cfg.standalone.in b/aux/broctl/etc/node.cfg.standalone.in
new file mode 100644
index 0000000000..2d62dbb462
--- /dev/null
+++ b/aux/broctl/etc/node.cfg.standalone.in
@@ -0,0 +1,9 @@
+# $Id: node.cfg.standalone.in 6811 2009-07-06 20:41:10Z robin $
+#
+# Node configuration for a non-cluster, single-instance setup.
+#
+
+[bro]
+type=standalone
+host=localhost
+interface=em0
diff --git a/aux/broctl/policy/analysis-groups.bro b/aux/broctl/policy/analysis-groups.bro
new file mode 100644
index 0000000000..3ec6ea01d1
--- /dev/null
+++ b/aux/broctl/policy/analysis-groups.bro
@@ -0,0 +1,46 @@
+# $Id: analysis-groups.bro 6813 2009-07-07 18:54:12Z robin $
+#
+# This script allows to selectively enable/disable event groups. No events will be
+# raised for all memmbers of a disabled event group.
+
+module AnalysisGroups;
+
+export 
+	{
+	# By default, all event groups are enabled. We disable all groups in this table.
+	const disabled_groups: set[string] &redef; # = { "ftp" }
+
+	# When the table above gets modified during run-time, calling this function
+	# will put the changes into effect.
+	global update: function();
+	}
+
+# Set to remember all groups which were disabled by the last update().
+global currently_disabled: set[string];
+
+function update()
+	{
+	# Reenable those which are not to be disabled anymore.
+	for ( g in currently_disabled )
+		if ( g !in disabled_groups )
+			enable_event_group(g);
+	
+	# Disable those which are not already.
+	for ( g in disabled_groups )
+		if ( g !in currently_disabled )
+			disable_event_group(g);
+	
+	currently_disabled = copy(disabled_groups);
+	}
+
+event bro_init()
+	{
+	update();
+	}
+
+
+
+
+
+
+
diff --git a/aux/broctl/policy/broctl-check.bro b/aux/broctl/policy/broctl-check.bro
new file mode 100644
index 0000000000..c064a8b59a
--- /dev/null
+++ b/aux/broctl/policy/broctl-check.bro
@@ -0,0 +1,10 @@
+# $Id: broctl-check.bro 6811 2009-07-06 20:41:10Z robin $
+#
+# Only loaded when checking configuration, not when running live.
+
+@load rotate-logs
+
+redef RotateLogs::rotate_on_shutdown=F;
+
+	
+		
diff --git a/aux/broctl/policy/broctl-events.bro b/aux/broctl/policy/broctl-events.bro
new file mode 100644
index 0000000000..d75efe848e
--- /dev/null
+++ b/aux/broctl/policy/broctl-events.bro
@@ -0,0 +1,79 @@
+# $Id: broctl-events.bro 6903 2009-09-04 23:34:56Z robin $
+#
+# Events which are sent by broctl.
+
+module BroCtl;
+
+global sh_log = open_log_file("broctl") &disable_print_hook;
+
+event bro_init()
+	{
+	set_buf(sh_log, F);
+	}
+
+# Request the value of an ID. 
+# (This is copied from remote-print-id-reply.bro for completeness here.)
+event request_id_response(id: string, val: string)
+	{
+	print sh_log, fmt("%.6f raised event request_id_response(%s, %s)", network_time(), id, val);
+	}
+
+event request_id(id: string)
+	{
+	print sh_log, fmt("%.6f got event request_id(%s)", network_time(), id);
+
+	local val = lookup_ID(id);
+	event request_id_response(id, fmt("%s", val));
+	}
+
+@load remote
+
+# Returns the current communication status (one line per connected peer).
+event get_peer_status_response(s: string)
+	{
+	print sh_log, fmt("%.6f raised event get_peer_status(%s)", network_time(), s);
+	}
+
+event get_peer_status()
+	{
+	print sh_log, fmt("%.6f got event get_peer_status()", network_time());
+	
+	local status = "";
+	
+	for ( p in Remote::destinations )
+		{
+		local peer = Remote::destinations[p];
+		if ( ! peer$connected )
+			next;
+		
+		status += fmt("peer=%s host=%s events_in=? events_out=? ops_in=? ops_out=? bytes_in=? bytes_out=?\n",
+					  peer$peer$descr, peer$host);
+		}
+	
+	event get_peer_status_response(status);
+	}
+
+# Returns net_stats.
+
+global last_cstat: net_stats;
+global last_cstat_time: time;
+
+event net_stats_update(t: time, ns: net_stats)
+	{
+	last_cstat = ns;
+	last_cstat_time = t;
+	}
+
+event get_net_stats_response(s: string)
+	{
+	print sh_log, fmt("%.6f raised event get_net_stats_response(%s)", network_time(), s);
+	}
+
+event get_net_stats()
+	{
+	local reply = fmt("%.6f recvd=%d dropped=%d link=%d\n", last_cstat_time, 
+				  last_cstat$pkts_recvd, last_cstat$pkts_dropped, last_cstat$pkts_link);
+	event get_net_stats_response(reply);
+	}
+
+
diff --git a/aux/broctl/policy/broctl-live.bro b/aux/broctl/policy/broctl-live.bro
new file mode 100644
index 0000000000..be34c6d46f
--- /dev/null
+++ b/aux/broctl/policy/broctl-live.bro
@@ -0,0 +1,6 @@
+# $Id: broctl-live.bro 6811 2009-07-06 20:41:10Z robin $
+#
+# Only loaded when running live, not when just checking configuration.
+
+	
+		
diff --git a/aux/broctl/policy/broctl.bro b/aux/broctl/policy/broctl.bro
new file mode 100644
index 0000000000..7539cd6c4f
--- /dev/null
+++ b/aux/broctl/policy/broctl.bro
@@ -0,0 +1,96 @@
+# $Id: broctl.bro 6811 2009-07-06 20:41:10Z robin $
+#
+# Data structures to define the three types of nodes (workers, proxies, and manager).
+
+const BROCTL = T;
+
+const WORKER = to_count(getenv("BRO_WORKER")) &redef;
+const PROXY = to_count(getenv("BRO_PROXY")) &redef;
+const MANAGER = to_count(getenv("BRO_MANAGER")) &redef;
+const STANDALONE = to_count(getenv("BRO_STANDALONE")) &redef;
+
+const env_var_missing = (WORKER == 0 && PROXY == 0 && MANAGER == 0 && STANDALONE == 0);
+
+# Make sure we have some reasonable values because these are actually
+# used before we get a chance to abort.
+redef WORKER = WORKER > 0 ? WORKER : 1;
+redef PROXY = PROXY > 0 ? PROXY : 1;
+redef MANAGER = MANAGER > 0 ? MANAGER : 1;
+
+@load cluster-by-addrs
+@load remote-update
+@load checkpoint 
+
+# FIXME: Load them here to work around a namespace bug.
+@load conn
+@load port-name
+	
+module BroCtl;
+
+export {
+	# Events which are sent by the broctl when dynamically connecting to a
+	# running instance. 
+	const update_events = /.*(configuration_update|request_id|get_peer_status|get_net_stats).*/;
+
+    # The following options are configured from broctl-layout.bro.
+
+	# Directory where broctl is archiving logs. 
+	const log_dir = "/not/set" &redef;
+
+	# Host where TM is running or 0.0.0.0 if none. 
+	const tm_host = 0.0.0.0 &redef;
+
+	# Host where TM is running or 0.0.0.0 if none. 
+	const tm_port = 47757/tcp &redef;
+
+}
+
+# PROXY record.
+type pnode: record {
+	ip: addr;                       
+	p: port;                        
+	tag: string;
+};
+
+# WORKER record.
+type snode: record {
+    ip: addr;                       
+	p: port;                        
+	interface: string &optional;    
+	proxy: pnode;                   # proxy ip this worker uses
+	tag: string;
+};
+
+# MANAGER record.
+type mnode: record {
+    ip: addr;                       
+	p: port;                        
+	tag: string;
+};
+
+export {
+	global manager: mnode &redef;
+    global proxies: table[count] of pnode &redef;
+    global workers: table[count] of snode &redef;
+}
+
+@load broctl-layout
+	
+event bro_init()
+	{
+	if ( env_var_missing )
+		{
+		print "None of the broctl environment variables BRO_{MANAGER,WORKER,PROXY} set, aborting.";
+		terminate();
+		}
+	
+	local descr = open(".peer_description");
+	print descr, peer_description;
+	}
+
+@load broctl-events
+
+# Change some defaults.
+	
+redef enable_syslog = F;
+redef check_for_unused_event_handlers = F;
diff --git a/aux/broctl/policy/broctl.checkpoint.bro b/aux/broctl/policy/broctl.checkpoint.bro
new file mode 100644
index 0000000000..be10f52ce7
--- /dev/null
+++ b/aux/broctl/policy/broctl.checkpoint.bro
@@ -0,0 +1,3 @@
+# $Id: broctl.checkpoint.bro 6811 2009-07-06 20:41:10Z robin $
+
+redef state_checkpoint_interval = 0 min;
diff --git a/aux/broctl/policy/broctl.conn.bro b/aux/broctl/policy/broctl.conn.bro
new file mode 100644
index 0000000000..4465282d61
--- /dev/null
+++ b/aux/broctl/policy/broctl.conn.bro
@@ -0,0 +1,3 @@
+# $Id: broctl.conn.bro 6811 2009-07-06 20:41:10Z robin $
+
+redef dpd_conn_logs = T;
diff --git a/aux/broctl/policy/broctl.remote.bro b/aux/broctl/policy/broctl.remote.bro
new file mode 100644
index 0000000000..b2d8e8d8eb
--- /dev/null
+++ b/aux/broctl/policy/broctl.remote.bro
@@ -0,0 +1,11 @@
+# $Id: broctl.remote.bro 6811 2009-07-06 20:41:10Z robin $
+
+@load broctl
+
+# Configure Time Machine.
+event bro_init()
+	{
+	if ( BroCtl::tm_host != 0.0.0.0 )
+		Remote::destinations["time-machine"] = [$host=BroCtl::tm_host, $p=BroCtl::tm_port, $connect=T, $retry=1min];
+	}
+
diff --git a/aux/broctl/policy/broctl.site.bro b/aux/broctl/policy/broctl.site.bro
new file mode 100644
index 0000000000..7f60cd6da1
--- /dev/null
+++ b/aux/broctl/policy/broctl.site.bro
@@ -0,0 +1,3 @@
+# $Id: broctl.site.bro 6811 2009-07-06 20:41:10Z robin $
+
+@load local-networks
diff --git a/aux/broctl/policy/broctl.tm-contents.bro b/aux/broctl/policy/broctl.tm-contents.bro
new file mode 100644
index 0000000000..1307043663
--- /dev/null
+++ b/aux/broctl/policy/broctl.tm-contents.bro
@@ -0,0 +1,5 @@
+# $Id: broctl.tm-contents.bro 6811 2009-07-06 20:41:10Z robin $
+
+@load broctl
+
+redef TimeMachine::contents_dir = BroCtl::log_dir + "/tm-contents";
diff --git a/aux/broctl/policy/capture-unknown-protocols.bro b/aux/broctl/policy/capture-unknown-protocols.bro
new file mode 100644
index 0000000000..b824382223
--- /dev/null
+++ b/aux/broctl/policy/capture-unknown-protocols.bro
@@ -0,0 +1,95 @@
+# $Id: capture-unknown-protocols.bro 6811 2009-07-06 20:41:10Z robin $
+#
+# Capture the content of connections running a "foreign" protocol 
+# on a well-known port.
+
+module CaptureProtocolViolations;
+	
+@load site
+@load tm-mail-contents
+	
+export {
+	# We capture contents only for this subset of analyzers.
+	const analyzers: set[AnalyzerTag] = 
+		{ ANALYZER_SSH, ANALYZER_FTP, ANALYZER_SMTP, ANALYZER_POP3 } &redef;
+
+	# If true, capture only outgoing connections.
+	const outbound_only = F &redef;	
+
+	global mail_proto_violation: function(c: connection, atype: count, reason: string, destination: string);
+}
+
+global reported: set[addr,addr,count] &read_expire = 24hr &persistent;
+
+type violation_info: record {
+	atype: count;
+	reason: string;
+	start: time;
+	service: string;
+	destination: string;
+};
+
+# We postpone the mail until the connection is done so that we
+# can determine the real service.
+global conn_expire_func: function(t: table[conn_id] of violation_info, id: conn_id): interval;
+global mail_when_done: table[conn_id] of violation_info &create_expire=5mins &expire_func=conn_expire_func;
+
+function end_of_connection(id: conn_id)
+	{
+	local info = mail_when_done[id];
+	delete mail_when_done[id];
+	
+	local aname = analyzer_name(info$atype);
+
+	local service = info$service;
+	
+	if ( service != "other" )
+		service = to_upper(service);
+
+	local subject = fmt("%s -> %s: %s protocol on %s port %s",
+						id$orig_h, id$resp_h, service, aname, id$resp_p);
+	
+	local body = fmt("> %D %s@@@@Not %s: %s", info$start, id_string(id), aname, info$reason);
+	
+	TimeMachine::mail_contents(id, info$start, fmt("proto-violation.%s", aname), subject, body, info$destination);
+	}
+
+function conn_expire_func(t: table[conn_id] of violation_info, id: conn_id): interval
+	{
+	end_of_connection(id);
+	print "conn_expire_func", id;
+	return 0secs;
+	}
+
+event connection_state_remove(c: connection)
+	{
+	local id=c$id;
+	
+	if ( id !in mail_when_done )
+		return;
+	
+	mail_when_done[id]$service = determine_service(c);
+	
+	end_of_connection(c$id);
+	}
+
+function mail_proto_violation(c: connection, atype: count, reason: string, destination: string)
+	{
+	if ( [c$id$orig_h, c$id$resp_h, atype] in reported )
+		return;
+	
+	# Interesting analyzer?
+	if ( atype !in analyzers )
+		return;
+
+	# Outbound connection?
+	if ( outbound_only && is_local_addr(c$id$resp_h) )
+		return;
+	
+	# Well-known port?
+	if ( atype !in dpd_config || c$id$resp_p !in dpd_config[atype]$ports )
+		return;
+
+	mail_when_done[c$id] = [$atype=atype, $reason=reason, $destination=destination, $service=determine_service(c), $start=c$start_time];
+	add reported[c$id$orig_h, c$id$resp_h, atype];
+	}
diff --git a/aux/broctl/policy/cluster-addrs.anon.bro b/aux/broctl/policy/cluster-addrs.anon.bro
new file mode 100644
index 0000000000..f091669b7c
--- /dev/null
+++ b/aux/broctl/policy/cluster-addrs.anon.bro
@@ -0,0 +1,3 @@
+# $Id: cluster-addrs.anon.bro 6811 2009-07-06 20:41:10Z robin $
+
+redef ip_anon_mapping &synchronized;
diff --git a/aux/broctl/policy/cluster-addrs.blaster.bro b/aux/broctl/policy/cluster-addrs.blaster.bro
new file mode 100644
index 0000000000..c08c4569af
--- /dev/null
+++ b/aux/broctl/policy/cluster-addrs.blaster.bro
@@ -0,0 +1,4 @@
+# $Id: cluster-addrs.blaster.bro 6811 2009-07-06 20:41:10Z robin $
+
+redef w32b_scanned &persistent &synchronized;
+redef w32b_reported &persistent &synchronized &read_expire = 7 days;
diff --git a/aux/broctl/policy/cluster-addrs.bro b/aux/broctl/policy/cluster-addrs.bro
new file mode 100644
index 0000000000..42fde63a27
--- /dev/null
+++ b/aux/broctl/policy/cluster-addrs.bro
@@ -0,0 +1,5 @@
+# $Id: cluster-addrs.bro 6811 2009-07-06 20:41:10Z robin $
+#
+# Cluster config for load-distribution based on a (src,dst) hash.
+
+@prefixes += cluster-addrs
diff --git a/aux/broctl/policy/cluster-addrs.conn.bro b/aux/broctl/policy/cluster-addrs.conn.bro
new file mode 100644
index 0000000000..d12d1c60ac
--- /dev/null
+++ b/aux/broctl/policy/cluster-addrs.conn.bro
@@ -0,0 +1,3 @@
+# $Id: cluster-addrs.conn.bro 6811 2009-07-06 20:41:10Z robin $
+
+redef RPC_server_map &persistent &synchronized &read_expire = 7 days;
diff --git a/aux/broctl/policy/cluster-addrs.ftp-cmd-arg.bro b/aux/broctl/policy/cluster-addrs.ftp-cmd-arg.bro
new file mode 100644
index 0000000000..b6901f049f
--- /dev/null
+++ b/aux/broctl/policy/cluster-addrs.ftp-cmd-arg.bro
@@ -0,0 +1,3 @@
+# $Id: cluster-addrs.ftp-cmd-arg.bro 6811 2009-07-06 20:41:10Z robin $
+
+redef ftp_unexpected_cmd_reply &persistent &synchronized &read_expire = 1 day;
diff --git a/aux/broctl/policy/cluster-addrs.ftp.bro b/aux/broctl/policy/cluster-addrs.ftp.bro
new file mode 100644
index 0000000000..3b6afc1da3
--- /dev/null
+++ b/aux/broctl/policy/cluster-addrs.ftp.bro
@@ -0,0 +1,4 @@
+# $Id: cluster-addrs.ftp.bro 6811 2009-07-06 20:41:10Z robin $
+
+redef ftp_first_seen_cmds &persistent &synchronized;
+redef ftp_unlisted_cmds &persistent &synchronized;
diff --git a/aux/broctl/policy/cluster-addrs.hot.bro b/aux/broctl/policy/cluster-addrs.hot.bro
new file mode 100644
index 0000000000..4a050f6a20
--- /dev/null
+++ b/aux/broctl/policy/cluster-addrs.hot.bro
@@ -0,0 +1,3 @@
+# $Id: cluster-addrs.hot.bro 6811 2009-07-06 20:41:10Z robin $
+
+redef ssh_notice_hosts &persistent &synchronized &create_expire = 7 days;
diff --git a/aux/broctl/policy/cluster-addrs.icmp.bro b/aux/broctl/policy/cluster-addrs.icmp.bro
new file mode 100644
index 0000000000..b7b20851f5
--- /dev/null
+++ b/aux/broctl/policy/cluster-addrs.icmp.bro
@@ -0,0 +1,4 @@
+# $Id: cluster-addrs.icmp.bro 6811 2009-07-06 20:41:10Z robin $
+
+redef conn_pair &persistent &synchronized;
+
diff --git a/aux/broctl/policy/cluster-addrs.irc.bro b/aux/broctl/policy/cluster-addrs.irc.bro
new file mode 100644
index 0000000000..47cab169e8
--- /dev/null
+++ b/aux/broctl/policy/cluster-addrs.irc.bro
@@ -0,0 +1,4 @@
+# $Id: cluster-addrs.irc.bro 6811 2009-07-06 20:41:10Z robin $
+
+redef active_users &persistent &synchronized;
+redef active_channels &persistent &synchronized;
diff --git a/aux/broctl/policy/cluster-addrs.pop3.bro b/aux/broctl/policy/cluster-addrs.pop3.bro
new file mode 100644
index 0000000000..e61fdf498e
--- /dev/null
+++ b/aux/broctl/policy/cluster-addrs.pop3.bro
@@ -0,0 +1,3 @@
+# $Id: cluster-addrs.pop3.bro 6811 2009-07-06 20:41:10Z robin $
+
+redef pop_connection_weirds &persistent &synchronized;
diff --git a/aux/broctl/policy/cluster-addrs.portmapper.bro b/aux/broctl/policy/cluster-addrs.portmapper.bro
new file mode 100644
index 0000000000..667f140417
--- /dev/null
+++ b/aux/broctl/policy/cluster-addrs.portmapper.bro
@@ -0,0 +1,4 @@
+# $Id: cluster-addrs.portmapper.bro 6811 2009-07-06 20:41:10Z robin $
+
+redef suppress_pm_log &persistent &synchronized &read_expire = 1 day
+	&synchronized;
diff --git a/aux/broctl/policy/cluster-addrs.proxy.bro b/aux/broctl/policy/cluster-addrs.proxy.bro
new file mode 100644
index 0000000000..a50fa6c00a
--- /dev/null
+++ b/aux/broctl/policy/cluster-addrs.proxy.bro
@@ -0,0 +1,4 @@
+# $Id: cluster-addrs.proxy.bro 6811 2009-07-06 20:41:10Z robin $
+
+redef found_proxies &synchronized &persistent;
+redef requests &synchronized;
diff --git a/aux/broctl/policy/cluster-addrs.scan.bro b/aux/broctl/policy/cluster-addrs.scan.bro
new file mode 100644
index 0000000000..765c2c0e72
--- /dev/null
+++ b/aux/broctl/policy/cluster-addrs.scan.bro
@@ -0,0 +1,20 @@
+# $Id: cluster-addrs.scan.bro 6811 2009-07-06 20:41:10Z robin $
+
+# Backscatter.
+redef distinct_backscatter_peers &persistent &synchronized;
+
+# Address scans
+redef distinct_peers &persistent &synchronized;
+
+# Logins.
+redef accounts_tried &persistent &synchronized;
+
+## These tables are used to keep track of whether a threshold has been reached.
+redef shut_down_thresh_reached  &persistent &synchronized;
+redef rb_idx  &persistent &synchronized;
+redef rps_idx  &persistent &synchronized;
+redef rops_idx  &persistent &synchronized;
+redef rpts_idx  &persistent &synchronized;
+redef rat_idx  &persistent &synchronized;
+redef rrat_idx  &persistent &synchronized;
+
diff --git a/aux/broctl/policy/cluster-addrs.smtp-relay.bro b/aux/broctl/policy/cluster-addrs.smtp-relay.bro
new file mode 100644
index 0000000000..908515a010
--- /dev/null
+++ b/aux/broctl/policy/cluster-addrs.smtp-relay.bro
@@ -0,0 +1,6 @@
+# $Id: cluster-addrs.smtp-relay.bro 6811 2009-07-06 20:41:10Z robin $
+
+redef smtp_relay_table &persistent &synchronized;
+redef smtp_session_by_recipient &persistent &synchronized;
+redef smtp_session_by_message_id &persistent &synchronized;
+redef smtp_session_by_content_hash &persistent &synchronized;
diff --git a/aux/broctl/policy/cluster-addrs.ssh.bro b/aux/broctl/policy/cluster-addrs.ssh.bro
new file mode 100644
index 0000000000..36174087e7
--- /dev/null
+++ b/aux/broctl/policy/cluster-addrs.ssh.bro
@@ -0,0 +1,3 @@
+# $Id: cluster-addrs.ssh.bro 6811 2009-07-06 20:41:10Z robin $
+
+redef did_ssh_version &persistent &synchronized;
diff --git a/aux/broctl/policy/cluster-addrs.tftp.bro b/aux/broctl/policy/cluster-addrs.tftp.bro
new file mode 100644
index 0000000000..52363b0aa2
--- /dev/null
+++ b/aux/broctl/policy/cluster-addrs.tftp.bro
@@ -0,0 +1,3 @@
+# $Id: cluster-addrs.tftp.bro 6811 2009-07-06 20:41:10Z robin $
+
+redef tftp_notice_count &persistent &synchronized;
diff --git a/aux/broctl/policy/cluster-addrs.weird.bro b/aux/broctl/policy/cluster-addrs.weird.bro
new file mode 100644
index 0000000000..66819d4298
--- /dev/null
+++ b/aux/broctl/policy/cluster-addrs.weird.bro
@@ -0,0 +1,7 @@
+# $Id: cluster-addrs.weird.bro 6811 2009-07-06 20:41:10Z robin $
+
+# Synchronizing the weird stuff is not really worth the trouble.
+# It can be a lot, and it's only there to suppress duplicate messages.
+# As we will put some infrastructure in place for filtering duplicates
+# on the master anyway, we can live without that.
+
diff --git a/aux/broctl/policy/cluster-addrs.worm.bro b/aux/broctl/policy/cluster-addrs.worm.bro
new file mode 100644
index 0000000000..db98715874
--- /dev/null
+++ b/aux/broctl/policy/cluster-addrs.worm.bro
@@ -0,0 +1,4 @@
+# $Id: cluster-addrs.worm.bro 6811 2009-07-06 20:41:10Z robin $
+
+redef worm_list &persistent &synchronized;
+redef worm_type_list &persistent &synchronized;
diff --git a/aux/broctl/policy/cluster-by-addrs.bro b/aux/broctl/policy/cluster-by-addrs.bro
new file mode 100644
index 0000000000..9080da49cf
--- /dev/null
+++ b/aux/broctl/policy/cluster-by-addrs.bro
@@ -0,0 +1,5 @@
+# $Id: cluster-by-addrs.bro 6811 2009-07-06 20:41:10Z robin $
+#
+# Cluster config for load-distribution based on a (src,dst) hash.
+
+@prefixes += cluster-addrs
diff --git a/aux/broctl/policy/cluster-by-conns.bro b/aux/broctl/policy/cluster-by-conns.bro
new file mode 100644
index 0000000000..61b813b780
--- /dev/null
+++ b/aux/broctl/policy/cluster-by-conns.bro
@@ -0,0 +1,7 @@
+# $Id: cluster-by-conns.bro 6811 2009-07-06 20:41:10Z robin $
+
+redef distinct_ports &persistent &synchronized;
+redef distinct_low_ports &persistent &synchronized;
+redef possible_scan_sources &persistent &synchronized;
+redef scan_triples &persistent &synchronized;
+
diff --git a/aux/broctl/policy/cluster-conns.ftp.bro b/aux/broctl/policy/cluster-conns.ftp.bro
new file mode 100644
index 0000000000..b6046f2a6a
--- /dev/null
+++ b/aux/broctl/policy/cluster-conns.ftp.bro
@@ -0,0 +1,3 @@
+# $Id: cluster-conns.ftp.bro 6811 2009-07-06 20:41:10Z robin $
+
+redef ftp_data_expected &persistent &synchronized;
diff --git a/aux/broctl/policy/cluster-conns.portmapper.bro b/aux/broctl/policy/cluster-conns.portmapper.bro
new file mode 100644
index 0000000000..5d754b9bcb
--- /dev/null
+++ b/aux/broctl/policy/cluster-conns.portmapper.bro
@@ -0,0 +1,3 @@
+# $Id: cluster-conns.portmapper.bro 6811 2009-07-06 20:41:10Z robin $
+
+redef did_pm_log &persistent &synchronized &read_expire = 1 day &synchronized;
diff --git a/aux/broctl/policy/cluster-conns.scan.bro b/aux/broctl/policy/cluster-conns.scan.bro
new file mode 100644
index 0000000000..389393d7fe
--- /dev/null
+++ b/aux/broctl/policy/cluster-conns.scan.bro
@@ -0,0 +1,7 @@
+# $Id: cluster-conns.scan.bro 6811 2009-07-06 20:41:10Z robin $
+
+# Port scans
+redef distinct_ports &persistent &synchronized;
+redef distinct_low_ports &persistent &synchronized;
+redef possible_scan_sources &persistent &synchronized;
+redef scan_triples &persistent &synchronized;
diff --git a/aux/broctl/policy/cluster-manager.bro b/aux/broctl/policy/cluster-manager.bro
new file mode 100644
index 0000000000..6b93dc6d3a
--- /dev/null
+++ b/aux/broctl/policy/cluster-manager.bro
@@ -0,0 +1,44 @@
+# $Id: cluster-manager.bro 6860 2009-08-14 19:01:47Z robin $
+#
+# Cluster manager configuration.
+
+@prefixes += cluster-manager
+
+@load broctl
+@load filter-duplicates
+@load notice
+@load remote
+@load rotate-logs
+@load mail-alarms
+	
+# Since we don't capture, don't bother with this.
+@unload print-filter
+
+# Remote-print policy hooks into print() fucntion on remote hosts,
+# and gets a copy to print to local files.
+@load remote-print
+
+# This grabs the remote peers (workers) and saves some status info
+# to a local peer_status.log.
+@load save-peer-status
+	
+# We have to listen of course... 
+@load listen-clear
+redef listen_port_clear = BroCtl::manager$p;
+
+# The cluster manager does not capture.
+redef interfaces = "";
+
+# Give us a name. 
+redef peer_description = BroCtl::manager$tag;
+
+# Reraise remote notices locally.
+event notice_action(n: notice_info, action: NoticeAction)
+	{
+	if ( is_remote_event() && FilterDuplicates::is_new(n) )
+		NOTICE(n);
+	}
+
+redef FilterDuplicates::filters += {
+	[Drop::AddressSeenAgain] = FilterDuplicates::match_src,
+};
diff --git a/aux/broctl/policy/cluster-manager.detect-protocols.bro b/aux/broctl/policy/cluster-manager.detect-protocols.bro
new file mode 100644
index 0000000000..2e09fe8866
--- /dev/null
+++ b/aux/broctl/policy/cluster-manager.detect-protocols.bro
@@ -0,0 +1,6 @@
+# $Id: cluster-manager.detect-protocols.bro 6811 2009-07-06 20:41:10Z robin $
+
+redef FilterDuplicates::filters += {
+    [ServerFound] = FilterDuplicates::match_src_port
+};
+
diff --git a/aux/broctl/policy/cluster-manager.drop.bro b/aux/broctl/policy/cluster-manager.drop.bro
new file mode 100644
index 0000000000..e058abe5e5
--- /dev/null
+++ b/aux/broctl/policy/cluster-manager.drop.bro
@@ -0,0 +1,42 @@
+# $Id$
+
+# These will be generated by the workers.
+event Drop::address_seen_again(a: addr)
+	{
+	if ( ! use_catch_release )
+		return;
+	
+	if ( a !in drop_info )
+		# Never dropped.
+		return;
+	
+	local di = drop_info[a];
+	if ( is_dropped(a) )
+		# Still dropped.
+		return;
+	
+	NOTICE([$note=AddressSeenAgain, $src=a,
+			$msg=fmt("%s seen again after release", a)]);
+	}
+
+# $Id$
+
+# These will be generated by the workers.
+event Drop::address_seen_again(a: addr)
+	{
+	if ( ! use_catch_release )
+		return;
+	
+	if ( a !in drop_info )
+		# Never dropped.
+		return;
+	
+	local di = drop_info[a];
+	if ( is_dropped(a) )
+		# Still dropped.
+		return;
+	
+	NOTICE([$note=AddressSeenAgain, $src=a,
+			$msg=fmt("%s seen again after release", a)]);
+	}
+
diff --git a/aux/broctl/policy/cluster-manager.icmp.bro b/aux/broctl/policy/cluster-manager.icmp.bro
new file mode 100644
index 0000000000..a5ed72e8a1
--- /dev/null
+++ b/aux/broctl/policy/cluster-manager.icmp.bro
@@ -0,0 +1,12 @@
+# $Id: cluster-manager.scan.bro 6740 2009-06-12 17:59:44Z robin $
+
+redef FilterDuplicates::filters += {
+    [ICMPAddressScan] = FilterDuplicates::match_src_num
+};
+	
+# $Id: cluster-manager.scan.bro 6740 2009-06-12 17:59:44Z robin $
+
+redef FilterDuplicates::filters += {
+    [ICMPAddressScan] = FilterDuplicates::match_src_num
+};
+	
diff --git a/aux/broctl/policy/cluster-manager.mail-alarms.bro b/aux/broctl/policy/cluster-manager.mail-alarms.bro
new file mode 100644
index 0000000000..6c02a61ef2
--- /dev/null
+++ b/aux/broctl/policy/cluster-manager.mail-alarms.bro
@@ -0,0 +1,5 @@
+# $Id: cluster-manager.mail-alarms.bro 6811 2009-07-06 20:41:10Z robin $
+
+@load rotate-logs
+
+redef MailAlarms::output &rotate_interval = 12hrs;
diff --git a/aux/broctl/policy/cluster-manager.notice.bro b/aux/broctl/policy/cluster-manager.notice.bro
new file mode 100644
index 0000000000..000a2bf846
--- /dev/null
+++ b/aux/broctl/policy/cluster-manager.notice.bro
@@ -0,0 +1,8 @@
+# $Id: cluster-manager.notice.bro 6811 2009-07-06 20:41:10Z robin $
+
+redef mail_script = "mail-alarm";
+redef mail_dest = "_broctl_default_"; # Will be replace by mail script.  
+
+# These don't get cleared because we're not seeing the actual connections. 	
+redef notice_tags &read_expire = 2hrs;
+
diff --git a/aux/broctl/policy/cluster-manager.remote.bro b/aux/broctl/policy/cluster-manager.remote.bro
new file mode 100644
index 0000000000..b665fb6536
--- /dev/null
+++ b/aux/broctl/policy/cluster-manager.remote.bro
@@ -0,0 +1,34 @@
+# $Id: cluster-manager.remote.bro 6860 2009-08-14 19:01:47Z robin $
+#
+# This is the MANAGER remote configuration.
+#
+# The manager is passive (the workers connect to us), and once connected
+# the manager registers for the events on the workers that are needed
+# to get the desired data from the workers.
+
+@load broctl
+
+const cluster_events = /.*(print_hook|notice_action|TimeMachine::command|Drop::).*/;
+
+event bro_init() 
+{
+	# Set up remote dests for WORKERS based on central cluster config.
+	for ( n in BroCtl::workers ) 
+		Remote::destinations[fmt("w%d", n)]
+			= [$host=BroCtl::workers[n]$ip, $connect=F, $sync=F, $class=BroCtl::workers[n]$tag, $events=cluster_events];
+
+	# Set up remote dests for PROXIES, just to get ResourceStats.
+	for ( n in BroCtl::proxies ) 
+		Remote::destinations[fmt("p%d", n)]
+			= [$host=BroCtl::proxies[n]$ip, $connect=F, $sync=F, $class=BroCtl::proxies[n]$tag, $events=/.*(notice_action).*/ ];
+
+	# Connections from the manager for configuration updates.
+	Remote::destinations["update"] 
+		=  [$host = BroCtl::manager$ip, $p=BroCtl::manager$p, $sync=F, $events=BroCtl::update_events, $class="update"];
+
+	# Configure Time Machine.
+	if ( BroCtl::tm_host != 0.0.0.0 )
+		Remote::destinations["time-machine"] = [$host=BroCtl::tm_host, $p=BroCtl::tm_port, $connect=T, $retry=1min];
+}
+
+
diff --git a/aux/broctl/policy/cluster-manager.rotate-logs.bro b/aux/broctl/policy/cluster-manager.rotate-logs.bro
new file mode 100644
index 0000000000..807c4a46fe
--- /dev/null
+++ b/aux/broctl/policy/cluster-manager.rotate-logs.bro
@@ -0,0 +1,7 @@
+# $Id: cluster-manager.rotate-logs.bro 6811 2009-07-06 20:41:10Z robin $
+
+redef log_rotate_interval = 24hrs;
+redef log_rotate_base_time = "0:00";
+redef RotateLogs::default_postprocessor = "archive-log";
+
+redef conn_file &rotate_interval = 12hrs;
diff --git a/aux/broctl/policy/cluster-manager.scan.bro b/aux/broctl/policy/cluster-manager.scan.bro
new file mode 100644
index 0000000000..d469228742
--- /dev/null
+++ b/aux/broctl/policy/cluster-manager.scan.bro
@@ -0,0 +1,16 @@
+# $Id: cluster-manager.scan.bro 6811 2009-07-06 20:41:10Z robin $
+
+redef FilterDuplicates::filters += {
+    [AddressScan] = FilterDuplicates::match_src_num,
+    [PortScan] = FilterDuplicates::match_src_num,
+    [PasswordGuessing] = FilterDuplicates::match_src_num,
+	
+    [ScanSummary] = FilterDuplicates::match_src,
+    [PortScanSummary] = FilterDuplicates::match_src,
+    [LowPortScanSummary] = FilterDuplicates::match_src,
+    [BackscatterSeen] = FilterDuplicates::match_src,
+    [Landmine] = FilterDuplicates::match_src,
+    [ShutdownThresh] = FilterDuplicates::match_src,
+    [LowPortTrolling] = FilterDuplicates::match_src
+};
+
diff --git a/aux/broctl/policy/cluster-manager.time-machine.bro b/aux/broctl/policy/cluster-manager.time-machine.bro
new file mode 100644
index 0000000000..418919e58f
--- /dev/null
+++ b/aux/broctl/policy/cluster-manager.time-machine.bro
@@ -0,0 +1,13 @@
+# $Id: cluster-manager.time-machine.bro 6811 2009-07-06 20:41:10Z robin $
+#
+# Relays TM commands received from the workers  to a TM connected to the 
+# manager. Note that potential responses from the TM will go to the manager 
+# and are *not* be propapated back to the workers.
+
+event TimeMachine::command(cmd: string)
+       {
+       if ( is_remote_event() )
+               event TimeMachine::command(cmd);
+       }
+
+
diff --git a/aux/broctl/policy/cluster-proxy.bro b/aux/broctl/policy/cluster-proxy.bro
new file mode 100644
index 0000000000..5680a34fa9
--- /dev/null
+++ b/aux/broctl/policy/cluster-proxy.bro
@@ -0,0 +1,28 @@
+# $Id: cluster-proxy.bro 6811 2009-07-06 20:41:10Z robin $
+#
+# Common PROXY config.
+
+@prefixes += cluster-proxy
+
+@load broctl
+@load remote
+@load rotate-logs
+	
+# Since we don't capture, don't bother with this.
+@unload print-filter
+	
+# Communications. 
+@load listen-clear
+redef listen_port_clear = BroCtl::proxies[PROXY]$p;
+
+# No packet capture on proxy.
+redef interfaces = "";
+
+# The proxy only syncs state; does not forward events.
+redef forward_remote_events = F;
+redef forward_remote_state_changes = T;
+
+# Set our name.
+redef peer_description = BroCtl::proxies[PROXY]$tag;
+
+
diff --git a/aux/broctl/policy/cluster-proxy.notice.bro b/aux/broctl/policy/cluster-proxy.notice.bro
new file mode 100644
index 0000000000..fc90e207b6
--- /dev/null
+++ b/aux/broctl/policy/cluster-proxy.notice.bro
@@ -0,0 +1,4 @@
+# $Id: cluster-proxy.notice.bro 6811 2009-07-06 20:41:10Z robin $
+
+# Expire these.
+redef notice_tags &read_expire = 30 mins;
diff --git a/aux/broctl/policy/cluster-proxy.remote.bro b/aux/broctl/policy/cluster-proxy.remote.bro
new file mode 100644
index 0000000000..5d0bc378a5
--- /dev/null
+++ b/aux/broctl/policy/cluster-proxy.remote.bro
@@ -0,0 +1,33 @@
+# $Id: cluster-proxy.remote.bro 6811 2009-07-06 20:41:10Z robin $
+
+event bro_init() 
+	{
+	# Set up worker connections.
+	for ( n in BroCtl::workers ) 
+		# We set up Bro to accept connection from all nodes, even those which 
+		# won't connect to us. It's easier this way. :-)
+		Remote::destinations[fmt("w%d", n)]
+ 			= [$host=BroCtl::workers[n]$ip, $connect=F, $sync=T, $auth=T, $class="proxy"];
+
+	# Set up proxy connections. Each proxy connects to the next in line, and 
+	# accepts connections from the previous one. 
+	# (This is not ideal for setups with many proxies but we will quite 
+	# unlikely have those.)
+	# FIXME: Once we're using multiple proxies, we should also figure out some $class scheme ...
+
+	if ( PROXY > 1 )
+		Remote::destinations[fmt("p%d", PROXY-1)]
+			= [$host=BroCtl::proxies[PROXY-1]$ip, $p=BroCtl::proxies[PROXY-1]$p, $connect=F, $auth=T, $sync=T];
+
+	if ( PROXY < |BroCtl::proxies| )
+		Remote::destinations[fmt("p%d", PROXY+1)]
+			= [$host=BroCtl::proxies[PROXY+1]$ip, $p=BroCtl::proxies[PROXY+1]$p, $connect=T, $auth=F, $sync=T, $retry=1mins];
+
+	# Finally the manager, to send it status updates.
+	Remote::destinations["manager"] = 
+		[$host=BroCtl::manager$ip, $p=BroCtl::manager$p, $connect=T, $sync=F, $retry=1mins, $class=BroCtl::proxies[PROXY]$tag];
+
+	# Connections from the manager for configuration updates.
+	Remote::destinations["update"] 
+		=  [$host = BroCtl::manager$ip, $p=BroCtl::manager$p, $sync=F, $events=BroCtl::update_events, $class="update"];
+	}
diff --git a/aux/broctl/policy/cluster-proxy.rotate-logs.bro b/aux/broctl/policy/cluster-proxy.rotate-logs.bro
new file mode 100644
index 0000000000..796127c3e9
--- /dev/null
+++ b/aux/broctl/policy/cluster-proxy.rotate-logs.bro
@@ -0,0 +1,5 @@
+# $Id: cluster-proxy.rotate-logs.bro 6811 2009-07-06 20:41:10Z robin $
+
+redef log_rotate_interval = 24 hrs;
+redef log_rotate_base_time = "0:00";
+redef RotateLogs::default_postprocessor = "delete-log";
diff --git a/aux/broctl/policy/cluster-proxy.scan.bro b/aux/broctl/policy/cluster-proxy.scan.bro
new file mode 100644
index 0000000000..b75c8bfcb2
--- /dev/null
+++ b/aux/broctl/policy/cluster-proxy.scan.bro
@@ -0,0 +1,10 @@
+# $Id: cluster-proxy.scan.bro 6811 2009-07-06 20:41:10Z robin $
+
+# If scan is loaded, don't locally record ScanSummary events.
+# this is special in the way that it is implemented, in that these
+# events would be generated on a proxy.
+
+redef notice_action_filters += {
+        [ScanSummary] = ignore_notice,
+};
+
diff --git a/aux/broctl/policy/cluster-worker.alarm.bro b/aux/broctl/policy/cluster-worker.alarm.bro
new file mode 100644
index 0000000000..546a3b97b9
--- /dev/null
+++ b/aux/broctl/policy/cluster-worker.alarm.bro
@@ -0,0 +1,8 @@
+# $Id: cluster-worker.alarm.bro 6811 2009-07-06 20:41:10Z robin $
+#
+# In the cluster worker node, we forward the NOTICE events to the manager, and all 
+# reasonable alarms are NOTICES these days, so there is no need to replicate
+# the local node's alarm file to the manager node.  Ergo, we disable remote
+# printing on the alarm file.
+
+redef bro_alarm_file &disable_print_hook;
diff --git a/aux/broctl/policy/cluster-worker.bro b/aux/broctl/policy/cluster-worker.bro
new file mode 100644
index 0000000000..bee08bb971
--- /dev/null
+++ b/aux/broctl/policy/cluster-worker.bro
@@ -0,0 +1,28 @@
+# $Id: cluster-worker.bro 6811 2009-07-06 20:41:10Z robin $
+#
+# This is the cluster WORKER top-level policy for configuration settings that are 
+# common to all worker node (as everything currently is except setting WORKER id).
+
+@prefixes += cluster-worker
+
+@load broctl
+@load remote
+@load rotate-logs
+
+@load trim-trace-file	
+
+@load analysis-groups
+	
+# Set up communications for updating workers.
+@load listen-clear
+
+redef listen_port_clear = BroCtl::workers[WORKER]$p;
+
+# Give us a name.
+redef peer_description = BroCtl::workers[WORKER]$tag;
+
+# Don't do any local logging.
+redef suppress_local_output = T;
+
+# Record all packets into trace file.
+redef record_all_packets = T;
diff --git a/aux/broctl/policy/cluster-worker.checkpoint.bro b/aux/broctl/policy/cluster-worker.checkpoint.bro
new file mode 100644
index 0000000000..606cff289f
--- /dev/null
+++ b/aux/broctl/policy/cluster-worker.checkpoint.bro
@@ -0,0 +1,3 @@
+# $Id: cluster-worker.checkpoint.bro 6811 2009-07-06 20:41:10Z robin $
+
+# redef state_checkpoint_interval = 15 min &redef;
diff --git a/aux/broctl/policy/cluster-worker.cluster-live.bro b/aux/broctl/policy/cluster-worker.cluster-live.bro
new file mode 100644
index 0000000000..015201ee60
--- /dev/null
+++ b/aux/broctl/policy/cluster-worker.cluster-live.bro
@@ -0,0 +1,8 @@
+# $Id: cluster-worker.cluster-live.bro 6811 2009-07-06 20:41:10Z robin $
+#
+# Only loaded when running live, not when just checking configuration.
+
+@load print-filter
+	
+redef PrintFilter::terminate_bro = F; 
+redef PrintFilter::to_file = T; 
diff --git a/aux/broctl/policy/cluster-worker.drop.bro b/aux/broctl/policy/cluster-worker.drop.bro
new file mode 100644
index 0000000000..a2645511ee
--- /dev/null
+++ b/aux/broctl/policy/cluster-worker.drop.bro
@@ -0,0 +1,36 @@
+# $Id$
+
+# The cluster manager will inform us with these events if he's interested in
+# further connection attempts from that source.
+
+global watch_addr_table: set[addr] &read_expire=7days &persistent;
+
+global address_seen_again: event(a: addr);
+
+event address_restored(a: addr)
+	{
+	add watch_addr_table[a];
+	}
+
+event address_dropped(a: addr)
+	{
+	delete watch_addr_table[a];
+	}
+
+event address_cleared(a: addr)
+	{
+	delete watch_addr_table[a];
+	}
+
+# We need to forward the new connection attempt.
+event new_connection(c: connection)
+	{
+	local a = c$id$orig_h;
+	if ( a in watch_addr_table )
+		{
+		event Drop::address_seen_again(a);
+		delete watch_addr_table[a];
+		}
+	}
+
+
diff --git a/aux/broctl/policy/cluster-worker.irc-bot.bro b/aux/broctl/policy/cluster-worker.irc-bot.bro
new file mode 100644
index 0000000000..5a295d545f
--- /dev/null
+++ b/aux/broctl/policy/cluster-worker.irc-bot.bro
@@ -0,0 +1,3 @@
+# $Id: cluster-worker.irc-bot.bro 6811 2009-07-06 20:41:10Z robin $
+
+redef IrcBot::summary_interval = 0 min;
diff --git a/aux/broctl/policy/cluster-worker.notice.bro b/aux/broctl/policy/cluster-worker.notice.bro
new file mode 100644
index 0000000000..9de6554253
--- /dev/null
+++ b/aux/broctl/policy/cluster-worker.notice.bro
@@ -0,0 +1,5 @@
+# $Id: cluster-worker.notice.bro 6811 2009-07-06 20:41:10Z robin $
+
+# We forward the notice events, so don't (also) remote print them.
+redef notice_file &disable_print_hook;
+
diff --git a/aux/broctl/policy/cluster-worker.remote.bro b/aux/broctl/policy/cluster-worker.remote.bro
new file mode 100644
index 0000000000..b7d6a440d0
--- /dev/null
+++ b/aux/broctl/policy/cluster-worker.remote.bro
@@ -0,0 +1,21 @@
+# $Id: cluster-worker.remote.bro 6860 2009-08-14 19:01:47Z robin $
+#
+# Remote config for cluster analysis WORKERS.
+
+# Do not copy the worker's remote.log to the manager
+redef Remote::rm_log &disable_print_hook;
+
+const manager_events = /.*(Drop::).*/;
+
+# The worker initiates connection to manager and proxy, but need no events from them.
+# (the manager and the proxy register for events from us workers)
+redef Remote::destinations += {
+	["manager"] = [$host=BroCtl::manager$ip, $p=BroCtl::manager$p, $events=manager_events,
+			$connect=T, $sync=F, $retry=1mins, $class=BroCtl::workers[WORKER]$tag],
+	["proxy"] = [$host=BroCtl::workers[WORKER]$proxy$ip, 
+			$p=BroCtl::workers[WORKER]$proxy$p, $connect=T, 
+				 $sync=T, $retry=1mins, $class="proxy"],
+
+	["update"] = [$host=BroCtl::manager$ip, $sync=F, $events=BroCtl::update_events, $class="update"]
+	};
+
diff --git a/aux/broctl/policy/cluster-worker.rotate-logs.bro b/aux/broctl/policy/cluster-worker.rotate-logs.bro
new file mode 100644
index 0000000000..9e69f1c097
--- /dev/null
+++ b/aux/broctl/policy/cluster-worker.rotate-logs.bro
@@ -0,0 +1,5 @@
+# $Id: cluster-worker.rotate-logs.bro 6811 2009-07-06 20:41:10Z robin $
+
+redef log_rotate_interval = 24 hrs;
+redef log_rotate_base_time = "0:00";
+redef RotateLogs::default_postprocessor = "delete-log";
diff --git a/aux/broctl/policy/cluster-worker.time-machine.bro b/aux/broctl/policy/cluster-worker.time-machine.bro
new file mode 100644
index 0000000000..cb5fd10dff
--- /dev/null
+++ b/aux/broctl/policy/cluster-worker.time-machine.bro
@@ -0,0 +1,6 @@
+# $Id: cluster-worker.time-machine.bro 6811 2009-07-06 20:41:10Z robin $
+#
+# We connect the TM to the manager which relays (and logs) commands so we
+# do not propagate the worker's TM logs.
+
+redef TimeMachine::logfile &disable_print_hook;
diff --git a/aux/broctl/policy/cluster-worker.weird.bro b/aux/broctl/policy/cluster-worker.weird.bro
new file mode 100644
index 0000000000..bebb41e60f
--- /dev/null
+++ b/aux/broctl/policy/cluster-worker.weird.bro
@@ -0,0 +1,17 @@
+# $Id: cluster-worker.weird.bro 6811 2009-07-06 20:41:10Z robin $
+#
+# Important weird events are forwarded via NOTICE mechanism,
+# so we are not remote printing the worker weird.log.
+# (If one is never going to look at the worker weird log, it could be
+# suppressed with a local notice policy).
+
+redef Weird::weird_file &disable_print_hook;
+
+redef notice_action_filters += 
+	{
+	# Not worth forwarding as they can generate a lot of load
+	# if the machines gets really busy.
+	[Weird::ContentGap] = ignore_notice,
+	[Weird::AckAboveHole] = ignore_notice
+	};
+
diff --git a/aux/broctl/policy/cluster.detect-protocols.bro b/aux/broctl/policy/cluster.detect-protocols.bro
new file mode 100644
index 0000000000..2cb71efc91
--- /dev/null
+++ b/aux/broctl/policy/cluster.detect-protocols.bro
@@ -0,0 +1,4 @@
+# $Id: cluster.detect-protocols.bro 6811 2009-07-06 20:41:10Z robin $
+
+# There are so many HTTP servers out there that this consumes too much memory.
+redef ProtocolDetector::suppress_servers = { ANALYZER_HTTP };
diff --git a/aux/broctl/policy/cluster.dns.bro b/aux/broctl/policy/cluster.dns.bro
new file mode 100644
index 0000000000..f30770466e
--- /dev/null
+++ b/aux/broctl/policy/cluster.dns.bro
@@ -0,0 +1,5 @@
+# $Id: cluster.dns.bro 6811 2009-07-06 20:41:10Z robin $
+
+redef DNS::dns_sessions  &read_expire = 5 mins;
+redef DNS::hostile_domain_list = {};
+redef DNS::logging = F;
diff --git a/aux/broctl/policy/cluster.icmp.bro b/aux/broctl/policy/cluster.icmp.bro
new file mode 100644
index 0000000000..4d6fbba816
--- /dev/null
+++ b/aux/broctl/policy/cluster.icmp.bro
@@ -0,0 +1,5 @@
+# $Id: cluster.icmp.bro 6811 2009-07-06 20:41:10Z robin $
+
+redef ICMP::detect_scans = F; ###
+redef ICMP::log_details = F;
+
diff --git a/aux/broctl/policy/cluster.irc.bro b/aux/broctl/policy/cluster.irc.bro
new file mode 100644
index 0000000000..9e96bfc6a9
--- /dev/null
+++ b/aux/broctl/policy/cluster.irc.bro
@@ -0,0 +1,3 @@
+# $Id: cluster.irc.bro 6811 2009-07-06 20:41:10Z robin $
+
+redef active_users &read_expire= 1hr;
diff --git a/aux/broctl/policy/cluster.notice.bro b/aux/broctl/policy/cluster.notice.bro
new file mode 100644
index 0000000000..5f1a1a59ab
--- /dev/null
+++ b/aux/broctl/policy/cluster.notice.bro
@@ -0,0 +1,3 @@
+# $Id: cluster.notice.bro 6811 2009-07-06 20:41:10Z robin $
+
+redef use_tagging = T;	
diff --git a/aux/broctl/policy/cluster.rotate-logs.bro b/aux/broctl/policy/cluster.rotate-logs.bro
new file mode 100644
index 0000000000..3fed946a22
--- /dev/null
+++ b/aux/broctl/policy/cluster.rotate-logs.bro
@@ -0,0 +1,3 @@
+# $Id: cluster.rotate-logs.bro 6811 2009-07-06 20:41:10Z robin $
+
+redef RotateLogs::tag = peer_description;
diff --git a/aux/broctl/policy/cluster.scan.bro b/aux/broctl/policy/cluster.scan.bro
new file mode 100644
index 0000000000..75a310681d
--- /dev/null
+++ b/aux/broctl/policy/cluster.scan.bro
@@ -0,0 +1,13 @@
+# $Id: cluster.scan.bro 6860 2009-08-14 19:01:47Z robin $
+
+redef addr_scan_trigger = 3;  
+redef ignore_scanners_threshold = 500; 
+
+redef pre_distinct_peers &read_expire = 12hrs;
+
+redef distinct_backscatter_peers &read_expire = 30mins;
+redef distinct_peers &read_expire = 30mins;
+redef distinct_ports &read_expire = 30mins;
+redef distinct_low_ports &read_expire = 30mins;
+redef possible_scan_sources &read_expire = 30mins;
+
diff --git a/aux/broctl/policy/cluster.trw.bro b/aux/broctl/policy/cluster.trw.bro
new file mode 100644
index 0000000000..e8c41262c2
--- /dev/null
+++ b/aux/broctl/policy/cluster.trw.bro
@@ -0,0 +1,7 @@
+# $Id: cluster.trw.bro 6811 2009-07-06 20:41:10Z robin $
+
+redef TRW::target_false_positive_prob = 0.000001;
+redef TRW::failed_locals &write_expire = 15 mins;
+redef TRW::successful_locals &write_expire = 15 mins;
+redef TRW::num_scanned_locals &write_expire = 15 mins;
+redef TRW::lambda &write_expire = 15 mins;
diff --git a/aux/broctl/policy/filter-duplicates.bro b/aux/broctl/policy/filter-duplicates.bro
new file mode 100644
index 0000000000..44eb188a1d
--- /dev/null
+++ b/aux/broctl/policy/filter-duplicates.bro
@@ -0,0 +1,86 @@
+# $Id: filter-duplicates.bro 6868 2009-08-17 04:18:02Z robin $
+#
+# Script to filter out duplicate alarms reported by multiple backends. 
+
+module FilterDuplicates;
+
+@load notice
+
+export {
+	const log_duplicates = T &redef;
+
+	# Returns false if this notice is a duplicate of another notice 
+	# we have seen before; if log_duplicates is true, it also logs
+	# it into "notice.duplicates.log". Return true if we have not 
+	# seen it before.
+	global is_new: function(n: notice_info) : bool;
+
+	# Per default, a Notice is assumed to be unique. The following table
+	# defines functions finding duplicates on a per-notice bases. These 
+	# functions will be called with two instances of their notice type, and 
+	# must return T if they consider the two to be equal.
+	global filters: table[Notice] of function(n: notice_info): string &redef;
+
+	# Some predefined functions that can be used with the filters table.
+    
+		# Filters by matching source addresses.    
+	global match_src: function(n: notice_info) : string;
+		# Filters by matching source addresses and the number attributes.
+	global match_src_num: function(n: notice_info) : string;
+		# Filters by matching source addresses and the port attributes.
+	global match_src_port: function(n: notice_info) : string;
+}
+
+function match_src(n: notice_info) : string
+	{
+	local src = n?$src ? fmt("%s", n$src) : "";
+	return fmt("%s#%s", n$note, src);
+	}
+
+function match_src_num(n: notice_info) : string
+	{
+	local src = n?$src ? fmt("%s", n$src) : "";
+	local num = n?$src ? fmt("%d", n$n) : "";
+	return fmt("%s#%s#%s", n$note, src, num);
+	}
+
+function match_src_port(n: notice_info) : string
+	{
+	local src = n?$src ? fmt("%s", n$src) : "";
+	local p = n?$p ? fmt("%d", n$p) : "";
+	return fmt("%s#%s#%s", n$note, src, p);
+	}
+
+global dupl_log: file;
+
+event bro_init()
+	{
+	if ( log_duplicates )
+		dupl_log = open_log_file( "notice-duplicates" );
+	}
+
+global notices: set[string] &read_expire = 2mins;
+
+function is_new(n: notice_info) : bool
+	{
+	local idx = n$note;
+	
+	if ( idx !in filters )
+		# No filtering for this notice type.
+		return T;
+	
+	local key = filters[idx](n);
+	
+	if ( key in notices ) 
+		{
+		# A duplicate.
+		if ( log_duplicates )
+			print dupl_log, build_notice_info_string_tagged(n);
+	
+		return F;
+		}
+
+	# New one.
+	add notices[key];
+	return T;
+	}
diff --git a/aux/broctl/policy/local/cluster.local-manager.bro-template b/aux/broctl/policy/local/cluster.local-manager.bro-template
new file mode 100644
index 0000000000..1a0fbf0fae
--- /dev/null
+++ b/aux/broctl/policy/local/cluster.local-manager.bro-template
@@ -0,0 +1,49 @@
+# $Id: cluster.local-manager.bro-template 6811 2009-07-06 20:41:10Z robin $
+#
+# Local site policy loaded only by the manager. 
+# 
+# This template comes with a sample notice policy which you will
+# almost certainly want to adapt to your environment. 
+
+@load local 
+	
+redef notice_action_filters +=
+    {
+	# These are all very common.
+	[Weird::ContentGap] = tally_notice_type_and_ignore,
+	[Weird::AckAboveHole] = tally_notice_type_and_ignore,
+	[Weird::RetransmissionInconsistency] = tally_notice_type_and_ignore,
+	[Drop::AddressDropIgnored] = ignore_notice,
+	[Drop::AddressDropped] = ignore_notice,
+	[Weird::WeirdActivity] = file_local_bro_notices,
+	[DroppedPackets] = file_notice,
+	[TerminateConnection::TerminatingConnectionIgnored] = notice_alarm_per_orig,
+	[ProtocolDetector::ProtocolFound] = file_notice,
+	[ProtocolDetector::ServerFound] = file_if_remote,
+	[DynDisable::ProtocolViolation] = file_notice,
+	};
+
+redef Weird::weird_action += {
+	["window_recision"] = Weird::WEIRD_FILE,
+	["RST_with_data"] = Weird::WEIRD_FILE,
+	["line_terminated_with_single_CR"] = Weird::WEIRD_FILE,
+	["line_terminated_with_single_LF"] = Weird::WEIRD_FILE,
+	["spontaneous_RST"] = Weird::WEIRD_FILE,
+	["spontaneous_FIN"] = Weird::WEIRD_FILE,
+	["data_before_established"] = Weird::WEIRD_FILE,
+	["unsolicited_SYN_response"] = Weird::WEIRD_FILE,
+	["inappropriate_FIN"] = Weird::WEIRD_FILE,
+	["possible_split_routing"] = Weird::WEIRD_FILE,
+	["connection_originator_SYN_ack"] = Weird::WEIRD_FILE,
+	["fragment_inconsistency"] = Weird::WEIRD_NOTICE_PER_ORIG,
+	["fragment_size_inconsistency"] = Weird::WEIRD_NOTICE_PER_ORIG,
+	["fragment_overlap"] = Weird::WEIRD_NOTICE_PER_ORIG,
+	["ICMP-unreachable for wrong state"] = Weird::WEIRD_NOTICE_PER_ORIG,
+	["corrupt_tcp_options"] = Weird::WEIRD_NOTICE_PER_ORIG,
+};
+	
+
+
+
+
+	
diff --git a/aux/broctl/policy/local/cluster.local-worker.bro-template b/aux/broctl/policy/local/cluster.local-worker.bro-template
new file mode 100644
index 0000000000..d9cf66a007
--- /dev/null
+++ b/aux/broctl/policy/local/cluster.local-worker.bro-template
@@ -0,0 +1,6 @@
+# $Id: cluster.local-worker.bro-template 6811 2009-07-06 20:41:10Z robin $
+#
+# Local site policy loaded only by the workers (and the proxy).
+
+@load local
+
diff --git a/aux/broctl/policy/local/cluster.local.bro-template b/aux/broctl/policy/local/cluster.local.bro-template
new file mode 100644
index 0000000000..6cf6ddde57
--- /dev/null
+++ b/aux/broctl/policy/local/cluster.local.bro-template
@@ -0,0 +1,52 @@
+# $Id: cluster.local.bro-template 6813 2009-07-07 18:54:12Z robin $
+#
+# Template for local site policy loaded manager and workers.
+# Customize as appropiate. 
+#
+# This file contains the main site policy. If in doubt, put any customizations
+# here or into a file loaded by this script. (The main exception to this rule
+# is all notice-filtering; see site-manager.bro). 
+#
+# Also note that enabling a particular kind of analysis via the cluster's 
+# "analysis command" only has an effect if the corresponding scripts are
+# loaded by this site policy. 
+
+@load alarm
+@load notice
+@load weird
+
+@load dpd
+@load detect-protocols
+@load detect-protocols-http
+@load dyn-disable
+@load inactivity        
+
+@load dns
+@load dns-lookup
+@load finger
+@load frag
+@load ftp
+@load icmp
+@load hot
+@load http-request
+@load http-reply
+@load ident
+@load irc   
+@load irc-bot
+@load login
+@load ntp
+@load pop3
+@load portmapper  
+@load scan
+@load smtp
+@load ssh
+@load ssl  
+@load synflood
+@load tcp
+@load tftp
+@load udp
+@load worm
+
+# Uncomment for profiling resource usage.
+# @load profiling 
+# redef expensive_profiling_multiple = 20;
diff --git a/aux/broctl/policy/local/standalone.local.bro-template b/aux/broctl/policy/local/standalone.local.bro-template
new file mode 100644
index 0000000000..777e669d1e
--- /dev/null
+++ b/aux/broctl/policy/local/standalone.local.bro-template
@@ -0,0 +1,93 @@
+# $Id: standalone.local.bro-template 6811 2009-07-06 20:41:10Z robin $
+#
+# Template for local site policy. Customize as appropiate. 
+#
+# (Note that enabling a particular kind of analysis via the cluster's 
+# "analysis command" only has an effect if the corresponding scripts are
+# loaded by this site policy.)
+
+@load alarm
+@load notice
+@load weird
+
+@load dpd
+@load detect-protocols
+@load detect-protocols-http
+@load dyn-disable
+@load inactivity        
+
+# Uncomment for profiling resource usage.
+# @load profiling 
+# redef expensive_profiling_multiple = 20;
+	
+@load dns
+@load dns-lookup
+@load finger
+@load frag
+@load ftp
+@load icmp
+@load hot
+@load http-request
+@load http-reply
+@load ident
+@load irc   
+@load irc-bot
+@load login
+@load ntp
+@load pop3
+@load portmapper  
+@load scan
+@load smtp
+@load ssh
+@load ssl  # Buggy?
+@load synflood
+@load tcp
+@load tftp
+@load udp
+@load worm
+
+# If you want to monitor locally generated traffic and your system
+# offloads checksum computation to the NIC (like Mac OS tends do),
+# you might want to disable Bro's checksum checking. 
+#
+# redef ignore_checksums = T;
+
+# Sample notice policy which you will almost certainly want 
+# to adapt to your environment. 
+	
+redef notice_action_filters +=
+    {
+	# These are all very common.
+	[Weird::ContentGap] = tally_notice_type_and_ignore,
+	[Weird::AckAboveHole] = tally_notice_type_and_ignore,
+	[Weird::RetransmissionInconsistency] = tally_notice_type_and_ignore,
+	[Drop::AddressDropIgnored] = ignore_notice,
+	[Drop::AddressDropped] = ignore_notice,
+	[Weird::WeirdActivity] = file_local_bro_notices,
+	[DroppedPackets] = file_notice,
+	[TerminateConnection::TerminatingConnectionIgnored] = notice_alarm_per_orig,
+	[ProtocolDetector::ProtocolFound] = file_notice,
+	[ProtocolDetector::ServerFound] = file_if_remote,
+	[DynDisable::ProtocolViolation] = file_notice,
+	};
+
+redef Weird::weird_action += {
+	["window_recision"] = Weird::WEIRD_FILE,
+	["RST_with_data"] = Weird::WEIRD_FILE,
+	["line_terminated_with_single_CR"] = Weird::WEIRD_FILE,
+	["line_terminated_with_single_LF"] = Weird::WEIRD_FILE,
+	["spontaneous_RST"] = Weird::WEIRD_FILE,
+	["spontaneous_FIN"] = Weird::WEIRD_FILE,
+	["data_before_established"] = Weird::WEIRD_FILE,
+	["unsolicited_SYN_response"] = Weird::WEIRD_FILE,
+	["inappropriate_FIN"] = Weird::WEIRD_FILE,
+	["possible_split_routing"] = Weird::WEIRD_FILE,
+	["connection_originator_SYN_ack"] = Weird::WEIRD_FILE,
+	["fragment_inconsistency"] = Weird::WEIRD_NOTICE_PER_ORIG,
+	["fragment_size_inconsistency"] = Weird::WEIRD_NOTICE_PER_ORIG,
+	["fragment_overlap"] = Weird::WEIRD_NOTICE_PER_ORIG,
+	["ICMP-unreachable for wrong state"] = Weird::WEIRD_NOTICE_PER_ORIG,
+	["corrupt_tcp_options"] = Weird::WEIRD_NOTICE_PER_ORIG,
+};
+	
+	
diff --git a/aux/broctl/policy/mail-alarms.bro b/aux/broctl/policy/mail-alarms.bro
new file mode 100644
index 0000000000..645bea4f3d
--- /dev/null
+++ b/aux/broctl/policy/mail-alarms.bro
@@ -0,0 +1,117 @@
+# $Id: mail-alarms.bro 6811 2009-07-06 20:41:10Z robin $
+#
+# Script to prettify alarms into a form suitable for mailing out.
+# Output is written to mail.log which can be mailed out via post-processor.
+
+@load site
+@load notice
+
+module MailAlarms;
+
+export 	{
+	# If non-empty, we include only the given Notices into mail.
+	global include_only: set[Notice] &redef;
+
+	# If one of these networks is involved, we mark the entry with a quote 
+	# symbol (i.e., ">"). Many mailers flag such lines in some fashion.
+	global flag_nets: set[subnet] &redef;
+
+	# Skip the notice types for the mails.
+	global ignore: set[Notice] &redef;
+
+	global output = open_log_file( "mail" );
+	}
+
+function do_msg(line1: string, line2: string, line3: string, host: addr, name: string)
+	{
+	if ( host != 0.0.0.0 )
+		name = fmt("%s = %s", host, name);
+	
+	print output, cat(line1, name);
+	print output, line2;
+	if ( line3 != "" )
+		print output, line3;
+	}
+
+function message(msg: string, flag: bool, host: addr, n: notice_info)
+	{
+	if ( length(include_only) > 0 && n$note !in include_only )
+		return;
+	
+	local location = "";
+
+	if ( host != 0.0.0.0 )
+		location =  is_local_addr(host) ? "(L)" : "(R)";
+	
+	local line1 = fmt(">%s %D %s %s ", (flag ? ">" : " "), network_time(), n$note, location);
+	local line2 = fmt("   %s", msg);   
+	local line3 = "";
+
+	if ( n?$captured )
+		line3 = fmt("   [TM: %s]", n$captured);
+
+	if ( host == 0.0.0.0 )
+		{
+		do_msg(line1, line2, line3, 0.0.0.0, "");
+		return;
+		}
+	
+	when ( local name = lookup_addr(host) )
+		{
+		do_msg(line1, line2, line3, host, name);
+		}
+	timeout 5secs
+		{
+		do_msg(line1, line2, line3, host, "(dns timeout)");
+		}
+	}
+
+event bro_init()
+    {
+    set_buf( output, F );
+    }
+
+event notice_alarm(n: notice_info, action: NoticeAction) &priority = -10
+	{
+	if ( is_remote_event() )
+		return;
+
+	if ( n$note in ignore )
+		return;
+	
+	local pdescr = "local";
+	
+	if ( n?$src_peer )
+		pdescr = n$src_peer?$descr ? n$src_peer$descr : fmt("%s", n$src_peer$host);
+
+	local msg = fmt( "<%s> %s%s", pdescr, n$msg, n?$sub ? cat( " ", n$sub ) : "" );
+
+	local orig = 0.0.0.0;
+	local resp = 0.0.0.0;
+	local host = 0.0.0.0;
+
+	if ( n?$src )
+		orig = host = n$src;
+
+	if ( n?$conn )
+		{
+		orig = n$conn$id$orig_h;
+		resp = n$conn$id$resp_h;
+		}
+
+	else if ( n?$id )
+		{
+		orig = n$id$orig_h;
+		resp = n$id$resp_h;
+		}
+
+	if ( host == 0.0.0.0 )
+		host = orig; 
+
+	local flag = F;
+	if ( orig in flag_nets || resp in flag_nets )
+		flag = T;
+
+	message(msg, flag, host, n);
+	}
+
diff --git a/aux/broctl/policy/remote-update.bro b/aux/broctl/policy/remote-update.bro
new file mode 100644
index 0000000000..9a76050bf4
--- /dev/null
+++ b/aux/broctl/policy/remote-update.bro
@@ -0,0 +1,16 @@
+# $Id: remote-update.bro 6811 2009-07-06 20:41:10Z robin $
+#
+# Code to be executed when we're dynamically updated on the fly. 
+
+@load analysis-groups
+
+module RemoteUpdate;
+
+event configuration_update()
+	{
+	if ( ! is_remote_event() )
+		return;
+	
+	AnalysisGroups::update();
+	event remote_log(REMOTE_LOG_INFO, REMOTE_SRC_SCRIPT, "configuration updated");
+	}
diff --git a/aux/broctl/policy/send-config.bro b/aux/broctl/policy/send-config.bro
new file mode 100644
index 0000000000..9b51cc3d0c
--- /dev/null
+++ b/aux/broctl/policy/send-config.bro
@@ -0,0 +1,94 @@
+# $Id: send-config.bro 6813 2009-07-07 18:54:12Z robin $
+#
+# Sends the current values of all &redef'able globals to a remote Bro
+# and then terminates processing.
+#
+# Intended to be used from the command line as in:
+#
+# bro SendConfig::dst=<dst> <scripts> send-config
+
+module SendConfig;
+
+@load remote
+
+export {
+    const dst = "<no-destination-given>" &redef;
+}
+
+const ignore_ids = { "Remote::destinations", "SendConfig::dst" };
+
+event terminate_event()
+	{
+	terminate_communication();
+	}
+
+event remote_connection_handshake_done(p: event_peer)
+	{
+	local peer = Remote::destinations[dst];
+
+	if ( peer$host != p$host )
+		return;
+
+	# Send all &redef'able globals to peer.
+	local globals = global_ids();
+    local cnt = 0;
+	for ( id in globals )
+		{
+        if ( id in ignore_ids )
+			next;
+
+		local t = globals[id];
+		
+		if ( ! t$redefinable )
+			next;
+
+		send_id(p, id);
+		++cnt;
+		}
+
+	print fmt("sent %d IDs", cnt);
+
+	# Signal configuration update to peer.
+	event configuration_update();
+	
+	# We can't terminate the communication right away here since the 
+	# event configuration_update is only queued but not send at this
+	# point. Therefore we raise another events which will trigger 
+	# termination only after the previous has been raised.
+	event terminate_event();
+	}
+
+function make_dest(tag: string, ip: addr, p: port)
+	{
+	Remote::destinations[fmt("%s-update", tag)] 
+		= [$host=ip, $p=p, $sync=F, $class="update"];
+	}
+
+# This handler is executed after the other bro_inits() so that we can
+# actually delete all previous destinations and fill the table ourselves.
+event bro_init() &priority=-1
+	{
+	clear_table(Remote::destinations);
+
+	for ( n in BroCtl::workers ) 
+		make_dest(BroCtl::workers[n]$tag, BroCtl::workers[n]$ip, BroCtl::workers[n]$p);
+
+	for ( n in BroCtl::proxies ) 
+		make_dest(BroCtl::proxies[n]$tag, BroCtl::proxies[n]$ip, BroCtl::proxies[n]$p);
+
+	make_dest(BroCtl::manager$tag, BroCtl::manager$ip, BroCtl::manager$p);
+	}
+
+event bro_init() &priority=-2
+	{
+	if ( dst !in Remote::destinations )
+		{
+		print fmt("unknown destination %s", dst);
+		terminate();
+		return;
+		}
+
+	Remote::connect_peer(dst);
+	}
+
+
diff --git a/aux/broctl/policy/standalone.bro b/aux/broctl/policy/standalone.bro
new file mode 100644
index 0000000000..d3eaf73305
--- /dev/null
+++ b/aux/broctl/policy/standalone.bro
@@ -0,0 +1,32 @@
+# $Id: standalone.bro 6860 2009-08-14 19:01:47Z robin $
+#
+# Configuration for a standalone system.
+
+@load site
+
+@unload cluster-by-addrs
+@unload cluster-by-conns
+
+@load broctl
+@load notice
+@load remote
+@load rotate-logs
+@load mail-alarms
+	
+@load trim-trace-file	
+@load analysis-groups
+	
+# Even a stand-alone system has to listen so that we can do remote updates.
+@load listen-clear
+redef listen_port_clear = BroCtl::manager$p;
+
+# Give us a name. 
+redef peer_description = "bro";
+
+# Record all packets into trace file.
+redef record_all_packets = T;
+
+@load notice
+
+
+
diff --git a/aux/broctl/policy/standalone.checkpoint.bro b/aux/broctl/policy/standalone.checkpoint.bro
new file mode 100644
index 0000000000..618cb87e6b
--- /dev/null
+++ b/aux/broctl/policy/standalone.checkpoint.bro
@@ -0,0 +1,3 @@
+# $Id: standalone.checkpoint.bro 6811 2009-07-06 20:41:10Z robin $
+
+redef state_checkpoint_interval = 15 min &redef;
diff --git a/aux/broctl/policy/standalone.irc-bot.bro b/aux/broctl/policy/standalone.irc-bot.bro
new file mode 100644
index 0000000000..5eabe8601e
--- /dev/null
+++ b/aux/broctl/policy/standalone.irc-bot.bro
@@ -0,0 +1,3 @@
+# $Id: standalone.irc-bot.bro 6811 2009-07-06 20:41:10Z robin $
+
+redef IrcBot::summary_interval = 0 min;
diff --git a/aux/broctl/policy/standalone.mail-alarms.bro b/aux/broctl/policy/standalone.mail-alarms.bro
new file mode 100644
index 0000000000..27e7833b9a
--- /dev/null
+++ b/aux/broctl/policy/standalone.mail-alarms.bro
@@ -0,0 +1,5 @@
+# $Id: standalone.mail-alarms.bro 6811 2009-07-06 20:41:10Z robin $
+
+@load rotate-logs
+
+redef MailAlarms::output &rotate_interval = 12hrs;
diff --git a/aux/broctl/policy/standalone.notice.bro b/aux/broctl/policy/standalone.notice.bro
new file mode 100644
index 0000000000..939be5bf10
--- /dev/null
+++ b/aux/broctl/policy/standalone.notice.bro
@@ -0,0 +1,7 @@
+# $Id: standalone.notice.bro 6811 2009-07-06 20:41:10Z robin $
+
+redef mail_script = "mail-alarm";
+redef mail_dest = "_broctl_default_"; # Will be replaced by mail script.  
+
+redef use_tagging = T;	
+
diff --git a/aux/broctl/policy/standalone.remote.bro b/aux/broctl/policy/standalone.remote.bro
new file mode 100644
index 0000000000..c43aeee9c3
--- /dev/null
+++ b/aux/broctl/policy/standalone.remote.bro
@@ -0,0 +1,19 @@
+# $Id: standalone.remote.bro 6860 2009-08-14 19:01:47Z robin $
+#
+# We only need to accept update connections from the shell.
+# 
+
+@load broctl
+
+event bro_init() 
+{
+	# Connections from the manager for configuration updates.
+	Remote::destinations["update"] 
+		=  [$host = BroCtl::manager$ip, $p=BroCtl::manager$p, $sync=F, $events=BroCtl::update_events, $class="update"];
+
+	# Configure Time Machine.
+	if ( BroCtl::tm_host != 0.0.0.0 )
+		Remote::destinations["time-machine"] = [$host=BroCtl::tm_host, $p=BroCtl::tm_port, $connect=T, $retry=1min];
+}
+
+
diff --git a/aux/broctl/policy/standalone.rotate-logs.bro b/aux/broctl/policy/standalone.rotate-logs.bro
new file mode 100644
index 0000000000..c4ff279775
--- /dev/null
+++ b/aux/broctl/policy/standalone.rotate-logs.bro
@@ -0,0 +1,9 @@
+# $Id: standalone.rotate-logs.bro 6811 2009-07-06 20:41:10Z robin $
+
+@load mail-alarms
+
+redef log_rotate_interval = 24hrs;
+redef log_rotate_base_time = "0:00";
+redef RotateLogs::default_postprocessor = "archive-log";
+
+redef conn_file &rotate_interval = 12hrs;
diff --git a/aux/broctl/policy/terminate.bro b/aux/broctl/policy/terminate.bro
new file mode 100644
index 0000000000..b6cf0e2d98
--- /dev/null
+++ b/aux/broctl/policy/terminate.bro
@@ -0,0 +1,11 @@
+# $Id: terminate.bro 6811 2009-07-06 20:41:10Z robin $
+#
+# Just terminate Bro after it parsed its configuration.
+
+event bro_init() &priority = -10
+{
+	terminate();
+}
+
+
+
diff --git a/aux/broctl/policy/tm-mail-contents.bro b/aux/broctl/policy/tm-mail-contents.bro
new file mode 100644
index 0000000000..56554be586
--- /dev/null
+++ b/aux/broctl/policy/tm-mail-contents.bro
@@ -0,0 +1,69 @@
+# $Id: tm-mail-contents.bro 6811 2009-07-06 20:41:10Z robin $
+
+@load tm-contents
+
+module TimeMachine;
+
+export {
+
+	# Extracts the contents of the connection from the time-machine
+	# and mails it out with the specified subject and body prefix. 
+	# Also asks the TM to store a copy of the connection's packets
+	# under with given filename prefix. If the mail address is empty,
+	# the default is taken.
+	
+	global mail_contents:
+		function(id: conn_id, start: time, filename_prefix: string, 
+				 subject: string, body_prefix: string, email: string);
+}
+
+type mail_info: record {
+	subject: string;
+	body: string;
+	email: string;
+	};
+
+global conns: table[conn_id] of mail_info;
+
+function mail_contents(id: conn_id, start: time, filename_prefix: string, subject: string, body_prefix: string, email: string)
+	{
+	TimeMachine::save_contents_id(filename_prefix, id, start, F, "mail-contents-save");
+		
+	local idstr = fmt("%s.%d-%s.%d", id$orig_h, id$orig_p, id$resp_h, id$resp_p);
+	local fname = fmt("%s.%s", filename_prefix, idstr);
+	TimeMachine::capture_connection_id(fname, id, start, F, "mail-contents-capture");
+
+	body_prefix += fmt("@@@@Time Machine trace: %s@@", fname);
+	
+	conns[id] = [$subject=subject, $body=body_prefix, $email=email];
+	}
+
+
+event TimeMachine::contents_saved(c: connection, orig_file: string, resp_file: string)
+	{
+	if ( c$id !in conns )
+		return;
+
+	local ci = conns[c$id];
+	delete conns[c$id];
+	
+	when ( (local orig = lookup_addr(c$id$orig_h)) && 
+		   (local resp = lookup_addr(c$id$resp_h)) )
+		{
+		# Set arguments for script.
+		local args: table[string] of string;
+		args["contents_orig"] = orig_file;
+		args["contents_resp"] = resp_file;
+		args["orig_h"] = fmt("%s", c$id$orig_h);
+		args["resp_h"] = fmt("%s", c$id$resp_h);
+		args["orig_name"] = orig;
+		args["resp_name"] = resp;
+		args["subject"] = ci$subject;
+		args["body"] = ci$body;
+		args["mail_dest"] = ci$email;
+		
+		system_env("mail-contents", args);
+		}
+	}
+
+	
diff --git a/aux/broctl/policy/trim-trace-file.bro b/aux/broctl/policy/trim-trace-file.bro
new file mode 100644
index 0000000000..716ef63c1a
--- /dev/null
+++ b/aux/broctl/policy/trim-trace-file.bro
@@ -0,0 +1,39 @@
+# $Id: trim-trace-file.bro 6811 2009-07-06 20:41:10Z robin $
+#
+# Deletes the -w tracefile at regular intervals and starts from scratch. Separate 
+# from rotate-logs.bro because we might want to have a shorter rotation interval 
+# for this one due to its size.
+#
+# FIXME: Still, we eventually want to merge this with rotate-logs.bro by
+# allowing per-file intervals for aux files. 
+
+module TrimTraceFile;
+
+export {
+	const trim_interval = 10 mins &redef;
+	}
+
+global first_trim = T;
+
+event trim_tracefile()
+	{
+	if ( bro_is_terminating() || trace_output_file == "" )
+		return;
+
+	if ( ! first_trim )
+		{
+		local info = rotate_file_by_name(trace_output_file);
+		if ( info$old_name != "" )
+			system(fmt("/bin/rm %s", info$new_name));
+		}
+
+	first_trim = F;
+	schedule trim_interval { trim_tracefile() };
+	}
+
+event bro_init()
+	{
+	if ( trim_interval != 0 secs )
+		schedule trim_interval { trim_tracefile() };
+	}
+
diff --git a/aux/cf/Makefile.am b/aux/cf/Makefile.am
new file mode 100644
index 0000000000..9f77c90020
--- /dev/null
+++ b/aux/cf/Makefile.am
@@ -0,0 +1,5 @@
+## Process this file with automake to produce Makefile.in
+
+noinst_PROGRAMS = cf
+cf_CFLAGS = -I$(top_srcdir)/src -I../src/ -I../../src
+cf_SOURCES = cf.c version.c 
diff --git a/aux/cf/cf.1 b/aux/cf/cf.1
new file mode 100755
index 0000000000..1f4808cfd5
--- /dev/null
+++ b/aux/cf/cf.1
@@ -0,0 +1,133 @@
+.\"	@(#) $Id: cf.1 2410 2005-12-27 00:58:20Z vern $ (LBL)
+.\"
+.\" Copyright (c) 2004
+.\"     The Regents of the University of California.  All rights reserved.
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that: (1) source code distributions
+.\" retain the above copyright notice and this paragraph in its entirety, (2)
+.\" distributions including binary code include the above copyright notice and
+.\" this paragraph in its entirety in the documentation or other materials
+.\" provided with the distribution, and (3) all advertising materials mentioning
+.\" features or use of this software display the following acknowledgement:
+.\" ``This product includes software developed by the University of California,
+.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
+.\" the University nor the names of its contributors may be used to endorse
+.\" or promote products derived from this software without specific prior
+.\" written permission.
+.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
+.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
+.TH CF 1 "December 20, 2005"
+.UC 4
+.SH NAME
+cf -  unix time to formated time and date filter
+.SH SYNOPSIS
+.B cf
+[
+.B -f fmt
+] [
+.B -lpsu
+] [
+.I file ...
+]
+.SH DESCRIPTION
+This filter reads the named files (or from stdin if there are none)
+and replaces numeric timestamps found at the beginning of each line
+with a formated time and date time and date. For example:
+.LP
+.RS
+.na
+.nh
+\% echo '1074558944 default format' | cf
+.br  
+Jan 19 16:35:44 default format
+.ad
+.hy
+.RE
+
+The default format is '%b\ %e\ %H:%M:%S'. The
+.B \-l
+flag appends the year ('%Y') to the default format. There are two
+ways to specify a custom format; one is with the
+.B \-f
+flag. The other is to set the
+.B CFTIMEFMT
+environment variable. Finally, using an empty format with the
+.B \-f
+flag causes
+.B cf
+to revert to its default format.
+Note that the
+.B \-f
+and
+.B \-l
+flags override the
+.B CFTIMEFMT
+environment variable.
+.SH OPTIONS
+.LP
+.TP
+.B \-f fmt
+Specify a strftime(1) format string. For example:
+.LP
+.RS
+.RS
+.na
+.nh
+% echo '1074558944 custom format' | \\
+    cf -f '%Y-%m-%d\ %H:%M:%S'
+.br  
+2004-01-19 16:35:44 custom format
+.ad
+.hy
+.RE
+.LP
+.RE
+.TP
+.B \-l
+Use the long format (which includes the year). For example:
+.LP
+.RS
+.RS
+.na
+.nh
+% echo '1074558944 long format' | cf -l
+.br  
+Jan 19 16:35:44 2004 long format
+.ad
+.hy
+.RE
+.RE
+.TP
+.B \-p
+Preserve sub-second timestamp info. For example:
+.LP
+.RS
+.RS
+.na
+.nh
+% echo '1100980501.867105 preserve format' | cf -p
+.br  
+Nov 20 11:55:01.867105 preserve format
+.ad
+.hy
+.RE
+.RE
+.TP
+.B \-s
+Do strict checking of the timestamp. The number is only considered
+to be a valid timestamp and converted if it 9 or more characters
+long and contains one or less dots.
+.TP
+.B \-u
+Format using UTC (Coordinated Universal) instead of local time.
+.LP
+.SH "SEE ALSO"
+.na
+.nh
+hf(1), strftime(3)
+.ad
+.hy
+.\" .SH BUGS
diff --git a/aux/cf/cf.c b/aux/cf/cf.c
new file mode 100755
index 0000000000..00e46f4b41
--- /dev/null
+++ b/aux/cf/cf.c
@@ -0,0 +1,189 @@
+/*
+ * Copyright (c) 1991, 1994, 1995, 1996, 1998, 1999, 2001, 2004
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that: (1) source code distributions
+ * retain the above copyright notice and this paragraph in its entirety, (2)
+ * distributions including binary code include the above copyright notice and
+ * this paragraph in its entirety in the documentation or other materials
+ * provided with the distribution, and (3) all advertising materials mentioning
+ * features or use of this software display the following acknowledgement:
+ * ``This product includes software developed by the University of California,
+ * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
+ * the University nor the names of its contributors may be used to endorse
+ * or promote products derived from this software without specific prior
+ * written permission.
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
+ * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
+ */
+
+#ifndef lint
+static const char copyright[] =
+    "@(#) Copyright (c) 1991, 1994, 1995, 1996, 1998, 1999, 2001, 2004\n\
+The Regents of the University of California.  All rights reserved.\n";
+static const char rcsid[] =
+    "@(#) $Id: cf.c 5857 2008-06-26 23:00:03Z vern $ (LBL)";
+#endif
+
+#include <sys/types.h>
+
+#include <ctype.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+#include <unistd.h>
+
+static char *argv0;
+
+extern char *optarg;
+extern int optind, opterr;
+
+int preserve = 0;
+int strict = 0;
+int utc = 0;
+char *sfmt = "%b %e %H:%M:%S";
+char *lfmt = "%b %e %H:%M:%S %Y";
+char *fmt;
+
+/* Forwards */
+int main(int, char **);
+void doone(FILE *, FILE *);
+void usage(void);
+
+int
+main(argc, argv)
+	int argc;
+	char **argv;
+{
+	register char *cp;
+	register int status, didany, op;
+	FILE *f;
+	int targc;
+	char **targv;
+
+	if ((cp = strrchr(argv[0], '/')) != NULL)
+		argv0 = cp + 1;
+	else
+		argv0 = argv[0];
+
+	/* Set default format */
+	if ((fmt = getenv("CFTIMEFMT")) == NULL)
+		fmt = sfmt;
+
+	opterr = 0;
+	while ((op = getopt(argc, argv, "f:lpsu")) != EOF)
+		switch (op) {
+
+		case 'f':
+			if (*optarg == '\0')
+				fmt = sfmt;
+			else
+				fmt = optarg;
+			break;
+
+		case 'l':
+			fmt = lfmt;
+			break;
+
+		case 'p':
+			++preserve;
+			break;
+
+		case 's':
+			++strict;
+			break;
+
+		case 'u':
+			++utc;
+			break;
+
+		default:
+			usage();
+			/* NOTREACHED */
+		}
+	targc = argc - optind;
+	targv = &argv[optind];
+
+	status = 0;
+	didany = 0;
+	while (targc > 0) {
+		f = fopen(*targv, "r");
+		if (f) {
+			doone(f, stdout);
+			(void) fclose(f);
+		} else {
+			(void) fprintf(stderr, "%s: fopen: ", argv0);
+			perror(*targv);
+			status |= 1;
+		}
+		--targc;
+		++targv;
+		++didany;
+	}
+	if (!didany)
+		doone(stdin, stdout);
+	exit(status);
+}
+
+void
+doone(fin, fout)
+	FILE *fin, *fout;
+{
+	time_t ts;
+	register char *bp, *dotbp;
+	register struct tm *tp;
+	register int dot_count;
+	char buf[1024];
+	char tstr[128] = "";
+	static time_t lastts = 0;
+
+	while (fgets(buf, sizeof(buf), fin)) {
+		bp = buf;
+		dotbp = NULL;
+		if (isdigit(*bp)) {
+			ts = atol(bp);
+			++bp;
+			dot_count = 0;
+			while (isdigit(*bp) || *bp == '.') {
+				if (*bp == '.') {
+					dotbp = bp;
+					++dot_count;
+				}
+				++bp;
+			}
+			if (strict && (bp - buf < 9 || dot_count > 1 ||
+			    (bp - buf > 10 && dot_count != 1))) {
+				/* Doesn't look like a genuine timestamp -
+				 * skip it.
+				 */
+				fputs(buf, fout);
+				continue;
+			}
+			if (lastts != ts) {
+				if (!utc)
+					tp = localtime(&ts);
+				else
+					tp = gmtime(&ts);
+				(void)strftime(tstr, sizeof(tstr), fmt, tp);
+				lastts = ts;
+			}
+			fputs(tstr, fout);
+			if (preserve && dotbp != NULL)
+				bp = dotbp;
+		}
+		fputs(bp, fout);
+	}
+}
+
+void
+usage()
+{
+	extern char version[];
+
+	(void)fprintf(stderr, "%s version %s\n", argv0, version);
+	(void)fprintf(stderr, "usage: %s [-f fmt] [-lpsu] [file ...]\n", argv0);
+	exit(1);
+}
diff --git a/aux/cf/gnuc.h b/aux/cf/gnuc.h
new file mode 100755
index 0000000000..deba3e6fef
--- /dev/null
+++ b/aux/cf/gnuc.h
@@ -0,0 +1,43 @@
+/* @(#) $Header$ (LBL) */
+
+/* Define __P() macro, if necessary */
+#ifndef __P
+#if __STDC__
+#define __P(protos) protos
+#else
+#define __P(protos) ()
+#endif
+#endif
+
+/* inline foo */
+#ifdef __GNUC__
+#define inline __inline
+#else
+#define inline
+#endif
+
+/*
+ * Handle new and old "dead" routine prototypes
+ *
+ * For example:
+ *
+ *	__dead void foo(void) __attribute__((volatile));
+ *
+ */
+#ifdef __GNUC__
+#ifndef __dead
+#define __dead volatile
+#endif
+#if __GNUC__ < 2  || (__GNUC__ == 2 && __GNUC_MINOR__ < 5)
+#ifndef __attribute__
+#define __attribute__(args)
+#endif
+#endif
+#else
+#ifndef __dead
+#define __dead
+#endif
+#ifndef __attribute__
+#define __attribute__(args)
+#endif
+#endif
diff --git a/aux/cf/version.c b/aux/cf/version.c
new file mode 100644
index 0000000000..076ba4f713
--- /dev/null
+++ b/aux/cf/version.c
@@ -0,0 +1 @@
+char version[] = "1.2";
diff --git a/aux/contrib/README b/aux/contrib/README
new file mode 100644
index 0000000000..fbba44b3b2
--- /dev/null
+++ b/aux/contrib/README
@@ -0,0 +1,8 @@
+This directory contains unsupported contributions to Bro.  If you have
+something to contribute to this directory please send it to us.
+
+policy/
+	miscellaneous .bro policy file you might find useful
+
+scripts/
+	miscellaneous support scripts, alternate report formats, etc.
diff --git a/aux/contrib/policy/README b/aux/contrib/policy/README
new file mode 100644
index 0000000000..5c63fd5017
--- /dev/null
+++ b/aux/contrib/policy/README
@@ -0,0 +1,8 @@
+Contents of this directory:
+
+syslog.bro: Bro analyzer for broccoli-based syslog data
+
+user-check.bro: Bro analyzer for syslog-based user data (bad usernames, etc.)
+
+client-heartbeat.bro: Generate heartbeat events and send to other Bro's
+server-heartbeat.bro: Generate alarm if don't receive a heartbeat event
diff --git a/aux/contrib/policy/client-heartbeat.bro b/aux/contrib/policy/client-heartbeat.bro
new file mode 100644
index 0000000000..36b1f81540
--- /dev/null
+++ b/aux/contrib/policy/client-heartbeat.bro
@@ -0,0 +1,55 @@
+# client-heartbeat.bro
+# Send heartbeat events to a remote server
+# $Id: client-heartbeat.bro,v 1.3 2007/02/26 07:03:20 jason Exp $
+
+# load remote communications
+@load remote
+
+global bro_heartbeat_interval = 15 min &redef;
+
+# heartbeat server (ip address)
+global bro_heartbeat_server: addr = 127.0.0.1 &redef;
+
+# name of this host (optional, its not used)
+global myhostname = "foo.example.com" &redef; 
+global myip = 127.0.0.1 &redef; 
+
+######################################################################
+# Shouldn't need to modifiy anything below this
+# (Unless your not using SSL, then you will)
+######################################################################
+
+# who to 'heartbeat' to (i.e. the heartbeat server)
+# usually hostname-service (i.e. host.lbl.gov-syslog)
+redef Remote::destinations += { 
+ 	["server-heartbeat"] = [$host=bro_heartbeat_server, 
+ 		$retry=60 sec, $connect=T, $ssl=F],
+ };
+
+# do nothing in the client
+event heartbeat_event( ts: double, myip: addr, hostname: string )
+    {
+    # intentionally left empty
+    }
+
+
+# call heartbeat_event and schedule ourselves to run again
+event send_heartbeat_event()
+	{
+	local hb_host = fmt ("%s", get_event_peer());
+    # NOT USED
+    local foo: double = 0.0;
+	event heartbeat_event( foo, myip, myhostname );
+	schedule bro_heartbeat_interval  { send_heartbeat_event() };
+	}
+
+# stick us in the queue to run
+event bro_init()
+	{
+# waiting till gethostname is put into production bro.bif
+#	if myhostname == "")
+#	{
+#		myhostname = gethostname();
+#	}
+	schedule bro_heartbeat_interval { send_heartbeat_event() };
+	}
diff --git a/aux/contrib/policy/server-heartbeat.bro b/aux/contrib/policy/server-heartbeat.bro
new file mode 100644
index 0000000000..852f270fb1
--- /dev/null
+++ b/aux/contrib/policy/server-heartbeat.bro
@@ -0,0 +1,92 @@
+# heartbeat-server.bro
+# Listen for remote heartbeat events
+# $Id: server-heartbeat.bro,v 1.6 2007/02/26 07:03:20 jason Exp $
+
+# To use this analyzer, be sure to redef Remote::destinations 
+# and probably mail_dest too.
+
+# start listening for remote hosts
+@load listen-clear
+
+# how long till 'lost' messages are genterated
+global max_timeout = 30 min &redef;
+
+# how often to bug about missing servers (60minutes)
+global report_nag_time = 1 hr &redef;
+
+# how many times to do this for? (0 forever)
+global report_nag_times: count = 0 &redef;
+
+#################################################
+# shouldn't need to modifiy anything below here #
+#################################################
+# setup our Notice type
+redef enum Notice += { LostHeartBeat } ;
+
+global report_missing_heartbeat: 
+    function(t: table[string] of count, idx: string) : interval;
+
+global reported_address_heartbeat: table[string] of count &default=0 
+    &create_expire = report_nag_time &expire_func = report_missing_heartbeat;
+
+# function called when a monitored stream times-out
+global lost_heartbeat:
+        function(t: table[string] of event_peer, idx: string) : interval;
+
+# table holding who we are monitoring (cache peer for use in notice)
+global heartbeats : table[string] of event_peer &write_expire = max_timeout &expire_func = lost_heartbeat;
+
+# send email if we expire an entry in the table
+function lost_heartbeat(t: table[string] of event_peer, idx: string): interval
+{
+    NOTICE([$note=LostHeartBeat, $src_peer=heartbeats[idx], 
+    	$msg=fmt("Lost heartbeat from %s", idx) ]);
+
+    # pop him into the report table
+    reported_address_heartbeat[idx]= report_nag_times;
+
+    return 0 sec;
+}
+
+# send email if this server is *still* down
+function report_missing_heartbeat(t: table[string] of count, idx: string): interval
+{
+    # if he is back, just let this entry expire
+    if (idx in heartbeats)
+    {
+    	return 0 secs;
+    }
+
+    NOTICE([$note=LostHeartBeat, 
+        $msg=fmt("Still missing heartbeat from %s", idx) ]);
+
+    # pop him back into the report table
+    local times: count;
+    times = reported_address_heartbeat[idx];
+
+    # if he has time left put him back
+    if ( times > 1 ) 
+        reported_address_heartbeat[idx] = times - 1;
+    # if he is set to 0, keep him forever
+    else if  (times == 0 )
+        reported_address_heartbeat[idx] = 0;
+
+    # not exactly sure why, but ....
+    return 60 sec;
+}
+
+
+# update table that we recieved a msg
+event heartbeat_event( ts:double, orig_h:addr, info:string )
+    {
+    local hb_peer = get_event_peer();
+    local hb_host = fmt("%s", hb_peer$host);
+
+    print fmt("got heartbeat from %s", orig_h) ;
+
+    # use this one if you want to be notified if the service
+    # went down and came back up on a differnt port
+    #local hb_host = fmt("%s:%s", hb_peer$host, hb_peer$p);
+    heartbeats[hb_host] = hb_peer;
+
+    }
diff --git a/aux/contrib/policy/syslog.bro b/aux/contrib/policy/syslog.bro
new file mode 100644
index 0000000000..3f479812eb
--- /dev/null
+++ b/aux/contrib/policy/syslog.bro
@@ -0,0 +1,418 @@
+# general syslog analyzer 0.3
+#
+# NOTES:
+# - for now, all IP addresses need to be expressed in IPv4 notation here or it will end up 
+#   looking like 255.255.255.255
+
+@load listen-clear
+@load listen-ssl
+@load user-check
+
+# put something like this in hostname.bro file
+#redef Remote::destinations += {
+#        ["syslog"] = [$host = 10.0.0.1, $events = /.*/, $connect=F, $retry = 60 secs, $ssl=T],
+#};
+
+
+# list of notices
+redef enum Notice += {
+	LoginFail, 		# too many failed attempt to a given dest
+	LoginFailSrc, 		# num failed logins from source IP exceeds thresh
+	LoginFailPair,		# num failed logins from IP pair exceeds thresh
+	LoginFailAccount,	# num failed accounts from IP->IP exceeds thresh
+	LoginFailAccountPair,	# num failed accounts from IP->account@IP exceeds thresh
+	LoginFailDict,		# num failed authentications for IP->account@IP exceeds thresh
+	LoginAfterFail,		# succ login after a series of bad from source IP
+};
+
+global syslog = open_log_file("syslog") &redef;
+
+
+# overall design is as follows:
+#
+# SIP --->table[DIPs] of login_record for each SIP<->DIP
+#     --->count of total failed logins for SIP
+#     --->count of total failed accounts for SIP
+#     access cluster data fia the cluster.bro script since it can
+#     deal better with the general notion.  
+#
+# data will be stored in two tables, one holding global data for the source IP,
+# the other holding origIP<->respIP information.  There is likely as better
+# way to go about this.
+
+# list of ssh auth_strings to ignore; 
+#  gssapi-with-mic: ssh sometimes tries, this, fails, and they
+#     uses pass phrase to log in. Dont count this type of failure for now
+#     (may need to revisit this later if every see attack using this)
+const skip_auth_strings =     {"gssapi-with-mic", } &redef;
+
+### config data ###
+const dest_num_fail_logins =     25;	# to a single dest
+const source_num_fail_logins =   20;	# across all hosts, from a single source
+const source_num_fail_accounts = 20;	# 
+const pair_num_fail_logins =     25;	# applies to single IP<->IP sets
+const pair_num_fail_accounts =   20;	#
+
+const single_account_fail =      25;	# threshold for a single IP -> account@IP fail
+					# works also as dictionary threshold on a single account
+
+### end config data ###
+
+### data structs ###
+	# IP<->IP record
+	type pair_record: record {
+		total_logins: count &default=0;		# failed login count in total
+		total_accounts: count &default=0;	# total count of accounts seen
+		accounts: table[string] of count;	# running count per unique account
+		#peer: set[count];			# event_peer$id for distributed analysis
+	};
+
+	# source record
+	type source_record: record {
+		stotal_logins: count &default=0;
+		stotal_accounts: count &default=0;
+	};
+
+# table for source data
+global source_list: table[addr] of source_record &write_expire  = 24 hr;
+
+# table for pair data
+global pair_list: table[addr,addr] of pair_record &write_expire  = 24 hr;
+
+global dests : table[addr] of count &write_expire = 1 hr; 
+
+### end data structs, config and control
+
+### begin functions and events ###
+
+# for the following events, the existance test takes place since
+# there is a chance that the postponed_ssh_login has removed the account
+# as a problem.  See that event for more information and complaining...
+
+event login_fail_src(ts:double, orig_h:addr)
+	{
+	# Here we look for the total number of failed accounts assosciated with
+	# a source IP.
+
+	# make sure the problem still exists for the host
+	if ( orig_h in source_list )
+		{
+		local srec: source_record = source_list[orig_h];
+
+		if ( srec$stotal_logins >= source_num_fail_logins )
+			NOTICE([$note=LoginFailSrc, $src=orig_h,
+				$msg=fmt("%s Exceeded %d failed logins to multiple hosts",
+					orig_h, source_num_fail_logins)]);
+		}
+	}
+
+event login_fail_account(ts:double, orig_h:addr, account:string)
+	{
+	# Here we look at the total number of unique failed accounts assosciated
+	# with a given source IP.
+
+	# make sure the problem still exists for the host
+	if ( orig_h in source_list )
+		{
+		local srec: source_record = source_list[orig_h];
+
+		if ( srec$stotal_accounts >= source_num_fail_accounts )
+			NOTICE([$note=LoginFailAccount, $src=orig_h,
+				$msg=fmt("%s has %s different account attempts to multiple hosts ",
+					orig_h, source_num_fail_accounts)]);
+		}
+	}
+
+event login_fail_pair(ts:double, orig_h:addr, resp_h:addr, account:string)
+	{
+	# Here we look at the number of failed logins for a pair of IP addresses.
+
+	# make sure the problem still exists for the host
+	if ( [orig_h, resp_h] in pair_list )
+		{
+		local prec: pair_record = pair_list[orig_h, resp_h];
+
+		if ( prec$total_logins >= pair_num_fail_logins )
+			NOTICE([$note=LoginFailPair, $src=orig_h, $dst=resp_h,
+				 $msg=fmt("%s -> %s Exceeded %s failed logins for %s",
+				orig_h, resp_h, prec$total_logins, account)]);
+
+		}
+	}
+
+event login_fail_account_pair(ts:double, orig_h:addr, resp_h:addr, account:string)
+	{
+	# Here we look at the number of failed accounts per IP pair.
+
+	if ( [orig_h, resp_h] in pair_list )
+		{
+		local prec: pair_record = pair_list[orig_h, resp_h];
+
+		if ( prec$total_logins >= pair_num_fail_accounts )
+			NOTICE([$note=LoginFailAccountPair, $src=orig_h, $dst=resp_h,
+				$msg=fmt("%s -> %s Exceeded %s failed accounts",
+				orig_h, resp_h, prec$total_accounts)]);
+		}
+	}
+
+event login_fail_dict(ts:double, orig_h:addr, resp_h:addr, account:string)
+	{
+	# Here we look at the number of times an account has failed for a given IP
+	# pair.  This is looking in particular for dictionary attacks
+
+	if ( [orig_h, resp_h] in pair_list )
+		{
+		local prec: pair_record = pair_list[orig_h, resp_h];
+		
+		# make sure that the account is still there
+		if ( account in prec$accounts )
+			{
+			if ( prec$accounts[account] >= single_account_fail )
+				# *finally* we are able to send the notice.  seems
+				# like a lot of work...
+				NOTICE([$note=LoginFailDict, $src=orig_h, $dst=resp_h,
+					$msg=fmt("%s -> %s@%s Exceeded %s failed tries",
+						orig_h, account, resp_h, prec$accounts[account])]);
+			}
+		} # end pair check
+	}
+
+
+event ssh_login(ts:double, orig_h:addr, resp_h:addr, account:string, auth_type:string)
+	{
+        print syslog, fmt("%.1f ssh_login %s -> %s@%s  %s", ts, orig_h, account, resp_h, auth_type);
+
+	local prec: pair_record;
+
+	# run a basic check on the user
+	check_user(ts, orig_h, resp_h, account, auth_type);
+
+	if ( [orig_h,resp_h] in pair_list )
+		{
+		# we have seen the pair, have we seen the account?
+		prec = pair_list[orig_h, resp_h];
+		
+		if ( account in prec$accounts )
+			{
+			# there is a history of failure, check threshold.  Also skip the
+			# informational accounts since there is a great deal of noise with them
+			if ( (prec$accounts[account] == single_account_fail) && (!informational_user(account)) )
+				{
+				NOTICE([$note=LoginAfterFail, $src=orig_h, $dst=resp_h,
+					$msg=fmt("%s -> %s@%s user login after %s failed logins ",
+						orig_h, account, resp_h, single_account_fail)]);
+				}
+			}
+		}	
+	else
+		{
+		# add new pair list
+		local tmp_accounts: table[string] of count;
+		tmp_accounts[account] = 1;
+		
+		prec$total_logins = 1;
+		prec$total_accounts = 1;
+		prec$accounts = tmp_accounts;
+
+		pair_list[orig_h, resp_h] = prec;
+		}
+
+	} # end ssh_ok_login
+
+event ssh_fail_login(ts:double, orig_h:addr, resp_h:addr, account:string, auth_type:string)
+	{
+	local prec: pair_record;
+	local srec: source_record;
+
+	print syslog, fmt("%.1f ssh_fail_login %s -> %s@%s  %s", ts, orig_h, account, resp_h, auth_type);
+
+        if (auth_type in skip_auth_strings )
+        {
+	        print syslog, fmt("ignoring ssh_fail: %s", auth_type);
+		return;
+        }
+
+	# run a basic check on the user
+	check_user(ts, orig_h, resp_h, account, "ssh_fail");
+
+	# there are a number of accounts that are infrastructural in nature
+	# and used internally.  We skip them for now even though this is 
+	# probably not such a good idea
+
+	# include local addrs too and see what happens
+	#if ( (!is_local_addr(orig_h)) && (!informational_user(account)) )
+
+	if ( (!informational_user(account)) )
+		{
+		# look at dest 
+		if ( resp_h !in dests )
+		    dests[resp_h] = 0;
+	        ++dests[resp_h];
+
+		if (dests[resp_h] == dest_num_fail_logins)
+			NOTICE([$note=LoginFail, $src=orig_h, $dst=resp_h,
+				$msg=fmt("Exceeded %d failed logins from %s to %s",
+					dest_num_fail_logins, orig_h, resp_h)]);
+
+		if ( orig_h !in source_list )
+			{ # add a new record
+			srec$stotal_logins = 1;
+			srec$stotal_accounts = 1;
+
+			source_list[orig_h] = srec;
+			}
+		else
+			{	
+			srec = source_list[orig_h];
+
+			# schedule an event to trigger the notice to provide an opportunity
+			# to correct for pam running thorough 'false negatives'
+			if ( ++srec$stotal_logins == source_num_fail_logins )
+				schedule 10 sec { login_fail_src(ts, orig_h) };
+
+			# for the time being this is being commented out ...
+			#if ( ++srec$stotal_accounts == source_num_fail_accounts ) 
+			#	schedule 10 sec { login_fail_account(ts, orig_h, account) };
+			}
+
+		# look at pair
+		if ( [orig_h, resp_h] !in pair_list )
+			{
+			local tmp_accounts: table[string] of count; 
+			tmp_accounts[account] = 1;
+
+			prec$total_logins = 1;
+			prec$total_accounts = 1;
+			prec$accounts = tmp_accounts;
+
+			}
+		else
+			{
+			prec = pair_list[orig_h, resp_h];
+
+			# this is a gross evaluation of the total login failures between two hosts
+			# which is really the sum of all failures - accounts single or multiple
+			if ( ++prec$total_logins == pair_num_fail_logins )
+				schedule 10 sec 
+					{ 
+					login_fail_pair(ts, orig_h, resp_h, account) 
+					};
+		
+			# have we seen the account before?
+			if ( account !in prec$accounts )
+				{
+				prec$accounts[account] = 1;
+
+				# look for multiple failures for many accounts: increment since this is new
+				if ( ++prec$total_accounts == pair_num_fail_accounts )
+					schedule 10 sec 
+						{ 
+						login_fail_account_pair(ts, orig_h, resp_h, account) 
+						};
+				}
+			else
+				{
+				# look for multiple failures for a single account
+				if ( ++prec$accounts[account] == single_account_fail )
+					schedule 10 sec 
+						{ 
+						login_fail_dict(ts, orig_h, resp_h, account) 
+						}; 
+				}
+			}
+
+			# update data
+		        #print "syslog: ssh_fail, updating source_list and pair_list ", srec, prec;
+			source_list[orig_h] = srec;
+			pair_list[orig_h, resp_h] = prec;
+
+		} # end initial internal/user filter
+			
+	}
+
+event postponed_ssh_login(ts:double, orig_h:addr, resp_h:addr, account:string, auth_type:string)
+	{
+	# This abomination is a result of a login passing through pam and ssh sending
+	# sperious 'failed' messages with the final successful login message.
+	# Here we intercept the data before the scheduled NOTICE event and change it back. 
+	# This is a prime example of how to introduce race conditions into code, but for the time 
+	# being I have nothing better.
+
+	print syslog, fmt("%.1f postponed_ssh_login %s -> %s@%s  %s", ts, orig_h, account, resp_h, auth_type);
+
+	# this code is almost the same as above except that we are removing values (which introduces 
+	# more testing).
+	local prec: pair_record;
+	local srec: source_record;
+	local delta: count = 2; # ammount to decrement 
+
+	# look at source, skip if record does not exist
+	if ( orig_h in source_list )
+		{	
+		srec = source_list[orig_h];
+
+		if ( (srec$stotal_logins - delta) >= 0 ) 
+			srec$stotal_logins = srec$stotal_logins - delta;
+
+		if ( (srec$stotal_accounts - delta) >= 0 )
+			srec$stotal_accounts = srec$stotal_logins - delta;
+		}
+
+	# look at pair, again skipping unknown sessions (throw weird?)
+	if ( [orig_h, resp_h] in pair_list )
+		{
+		prec = pair_list[orig_h, resp_h];
+
+		if ( (prec$total_logins - delta) >= 0 ) 
+			prec$total_logins = prec$total_logins - delta;
+		
+		if ( (prec$total_accounts - delta) >= 0 )
+			prec$total_accounts = prec$total_logins - delta;
+
+		if ( account in prec$accounts )
+			{
+			if ( (prec$accounts[account] - delta) >= 0 )  
+				prec$accounts[account] = prec$accounts[account] - delta;
+			}
+		} # end pair check
+
+		source_list[orig_h] = srec;
+		pair_list[orig_h, resp_h] = prec;
+
+
+	} # end of postpend
+
+# really want both users, waiting for fix..
+#event failed_su(ts:double, orig_h:addr, user:string, user2:string)
+event failed_su(ts:double, orig_h:addr, user:string)
+{
+        #print syslog, fmt("%.1f failed_su %s %s", ts, orig_h, user, user2 );
+        print syslog, fmt("%.1f failed_su %s %s", ts, orig_h, user);
+	# should generate a notice if too many of these
+}
+
+event successful_su (ts:double, orig_h:addr, logname: string, user:string  )
+{
+        print syslog, fmt("%.1f sucussful_su %s %s to %s", ts, orig_h, logname, user );
+}
+
+event failed_sudo (ts:double, orig_h:addr, user:string )
+{
+        print syslog, fmt("%.1f failed_sudo %s@%s", ts, user, orig_h );
+	# should generate a notice if too many of these
+}
+
+event successful_sudo (ts:double, orig_h:addr, user:string, command:string)
+{
+        print syslog, fmt("%.1f sucussful_sudo %s@%s %s", ts, user, orig_h, command );
+}
+
+#other syslog events: Grid stuff
+#"gateInit double=$time addr=$runhost addr=$reqhost count=$p \n";
+#"gateUser addr=$runhost count=$p2 string=$IDFields[9]\n";
+#"gateService addr=$runhost count=$p2 string=$srvFields[8]\n";
+#"gateLocalUser addr=$runhost count=$p2 string=$LUFields [10] string=$LUFields[6]\n";
+#"gateLocalUID addr=$runhost count=$p2 count=$LUFields[10] string=$LUFields[6]\n";
+#print "gateLocalGID addr=$runhost count=$p2 count=$GUFields[9]\n";
+
+
diff --git a/aux/contrib/policy/user-check.bro b/aux/contrib/policy/user-check.bro
new file mode 100644
index 0000000000..c3d929ba89
--- /dev/null
+++ b/aux/contrib/policy/user-check.bro
@@ -0,0 +1,82 @@
+# version 0.1
+# script to make detailed decisions about user logins
+#
+# there are three levels of interest - 
+# 	informational : general interest (say root) for account use
+# 	suspicious : specific accounts that you do not
+# 	   expect to see and should know (such as 'lp')
+#	dead_man_walkin : accounts that may represent former employies 
+#	   or known bad entities.
+#
+# the choice to differentiate between the second and third may be gratuitious...
+#
+#
+
+redef enum Notice += {
+	SuspiciousUser,		# a user is seen that should not normally be there
+	ForbiddenUser,	        # known bad user account, more dangerous than suspicous
+	SensitiveRemoteLogin,        # root ssh connection from remote host
+};
+
+global check_dead_man_walkin = T &redef; 
+global check_user_list = T &redef;
+global check_remote_access_accounts = T &redef;
+
+# this one not finished: might want to flag these someday
+const information_accounts = { "operator", } &redef;
+
+const suspicious_accounts = { "lp", "toor", "admin", "test", "r00t", "bash", } &redef;
+
+const forbidden_accounts = { "", } &redef;
+
+# this is for accounts that you do not want logging in remotely 
+const no_remote_accounts = { "root", "system", "operator", } &redef; 
+
+function informational_user(user: string) : bool
+	{
+	if ( user in information_accounts )
+		return T;
+
+	return F;
+	}
+
+function check_user(ts:double, orig_h:addr, resp_h:addr, account:string, auth_type:string) : bool
+	{
+
+	# compare provided user with a list of potential bad accounts
+	# see note above about hot-ids: this provides a little better 
+	# flexability for general checking
+	#
+
+        #print "checking user: ", account;
+
+	if ( check_dead_man_walkin && account in forbidden_accounts )
+		{
+		NOTICE([$note=ForbiddenUser,
+			$msg=fmt("%s -> %s@%s forbidden user login",
+				 orig_h, account, resp_h)]);
+
+		return T;
+		}
+
+	if ( check_user_list && account in suspicious_accounts )
+		{
+		NOTICE([$note=SuspiciousUser,
+			$msg=fmt("%s -> %s@%s suspicious user login",
+				orig_h, account, resp_h)]);
+		return T;
+		}
+
+	if ( check_remote_access_accounts && account in no_remote_accounts 
+			&& !is_local_addr(orig_h) && auth_type != "ssh_fail" )
+		{
+		NOTICE([$note=SensitiveRemoteLogin,
+			$msg=fmt("%s -> %s@%s successful sensitive remote login",
+				orig_h, account, resp_h)]);
+		return T;
+		}
+
+	return F;
+		
+	}
+
diff --git a/aux/contrib/scripts/README b/aux/contrib/scripts/README
new file mode 100644
index 0000000000..1b3c47ea7a
--- /dev/null
+++ b/aux/contrib/scripts/README
@@ -0,0 +1,5 @@
+Contents of this directory:
+
+syslog2broccoli.py: converts syslog data to Broccoli events
+
+bro_report.py: alternate report script
diff --git a/aux/contrib/scripts/bro_report.py b/aux/contrib/scripts/bro_report.py
new file mode 100644
index 0000000000..f56f760dc0
--- /dev/null
+++ b/aux/contrib/scripts/bro_report.py
@@ -0,0 +1,553 @@
+#!/usr/bin/env python
+#
+# Alternate script to generate a report using the alarm and 
+#    conn files for a given day. 
+# Notes: My experience is that everyone has their own ideas on what
+#   Bro reports should look like, so rather than try to please 
+#   everyone, we'd like to include several sample report scripts, and
+#   encourage people to generate their own script based on the 
+#   sample scripts. This is one such example. If you have your
+#   own script to contribute, please email to the Bro team.
+#
+# Brian Tierney, LBL
+#
+# input: date of report, bro.cfg file, and bro/site/local.site.bro file
+# output: a report emailed address specified
+#
+
+__doc__="""
+   Usage: bro_report.py [-s start_time -e end_time] [-x] -m email_address 
+	default start/end time = 24 period ending now
+	date format = YYYY-MM-DD-HH-mm
+	[-y] put connection logs at the end of the report 
+"""
+
+# TO DO:
+#  add ability to use report_alarms instead of ignore_alarms
+#  add non-html option (for Vern :-) )
+#  add css for more formatting options
+#
+
+import os, time, sys, datetime, socket, getopt, glob, re 
+
+# initialize globals
+
+# set this for your preferences
+ignore_alarms = ["AddressScan", "PortScan", "ScanSummary", "AddressDropped"]
+# not yet implemented
+report_alarms = []
+
+brohome = os.getenv("BROHOME")
+if brohome == None:
+    brohome = "/usr/local/bro" # try using this
+
+path = "%s/logs" % brohome
+cf = "%s/bin/cf" % brohome 
+hf = "%s/bin/hf -l" % brohome 
+# this program uses mutt to send email with attachment
+# Note: probably want to add something like this to your .muttrc file
+#    set from="bro@brohost.mysite.org"
+# There is probably a more standard way to make this work...
+
+mutt = "/usr/local/bin/mutt"
+bro_local_nets = "%s/site/local.site.bro" % brohome
+
+use_mtime = 1  # if set, use file modification time to find alarm files,
+#conn_reports_at_end = 0  # set if want all connection info at end of the report 
+########################################################
+#		otherwise use file name
+
+
+
+def get_file_names(start_time, end_time):
+    """
+     using stat, get a list of all files modified on a given date
+    """
+
+    global alarm_file_list
+    global conn_file_list
+
+    print "looking for alarms between %s and %s " % (time.ctime(start_time), time.ctime(end_time))
+    alarm_file_list = []
+    if use_mtime:
+        globstring = "%s/alarm*" % (path)
+        alarm_files = glob.glob(globstring)
+        cnt = 0
+        for afile in alarm_files:
+            st = os.stat(afile)
+            ctime = st[8]
+            mtime = st[9]
+            if (mtime >= start_time or ctime >= start_time) and (mtime <= end_time or ctime >= end_time):
+                alarm_file_list.append(afile)
+                cnt += 1
+    else:
+        rdate = time.strftime("%y-%m-%d", time.localtime(start_time))
+        globstring = "%s/alarm*%s*" % (path,rdate)
+        alarm_files = glob.glob(globstring)
+        cnt = 0
+        for afile in alarm_files:
+            alarm_file_list.append(afile)
+            cnt += 1
+
+    #print "Using this list of alarm files: ", alarm_file_list
+
+    conn_file_list = []
+    globstring = "%s/conn*" % (path)
+    conn_files = glob.glob(globstring)
+    for cfile in conn_files:
+        st = os.stat(cfile)
+        ctime = st[8]
+        mtime = st[9]
+        #if mtime >= start_time and mtime <= end_time:
+        if (mtime >= start_time or ctime >= start_time) and (mtime <= end_time or ctime >= end_time):
+            conn_file_list.append(cfile)
+
+    #print "Using this list of conn files: ", conn_file_list
+    return cnt
+
+########################################################
+
+def get_time(sdate):
+    """
+	take command line arg and generate time
+     """
+
+    if len(sdate.split("-")) == 3:
+        yr,mn,dy  = sdate.split("-")
+        stime = (int(yr), int(mn), int(dy), 0, 0, 0, 0, 0, -1)
+    elif len(sdate.split("-")) == 4:
+        yr,mn,dy,hr  = sdate.split("-")
+        stime = (int(yr), int(mn), int(dy), int(hr), 0, 0, 0, 0, -1)
+    elif len(sdate.split("-")) == 5:
+        try:
+            yr,mn,dy,hr,min  = sdate.split("-")
+        except:
+            print "Error parsing date: ", sdate
+            usage()
+        stime = (int(yr), int(mn), int(dy), int(hr), int(min), 0, 0, 0, -1)
+    else:
+        print "Invalid data format"
+        usage()
+    rtime = time.mktime(stime)
+
+    return rtime
+
+########################################################
+
+def get_site_name(broConfig):
+
+    f = open(broConfig)
+    lines = f.readlines()
+    site_name = "Default"
+    for line in lines:
+        if line.startswith("BRO_SITE_NAME"):
+            site_name = line.split("=")[1]
+            site_name = site_name.replace('"','')
+    # no way to pass this directly to mutt, need to put in .muttrc instead
+    #if line.startswith("BRO_EMAIL_FROM"):
+    #    mail_from = line.split("=")[1]
+    #    mail_from = site_name.replace('"','')
+
+    return site_name
+
+########################################################
+def get_local_nets(localnets):
+    """
+    reads Bro local.site.bro file to get a list of local networks
+    """
+
+    # this ugly thing will match IP addresses
+    regexp = re.compile("([01]?\d\d?|2[0-4]\d|25[0-5])\.([01]?\d\d?|2[0-4]\d|25[0-5])\.([01]?\d\d?|2[0-4]\d|25[0 -5])\.([01]?\d\d?|2[0-4]\d|25[0-5])")
+
+    f = open(localnets)
+    lines = f.readlines()
+
+    local_nets = []
+    if len(lines) > 0: 
+        for line in lines:
+            fields = line.split()
+            if len(fields) > 0 and not fields[0].startswith("#"):  # skip comment lines
+                #print fields
+                for f in fields:
+                    match = regexp.match(f)
+                    if match:
+                        t = f.split("/")
+                        local_nets.append(t[0])
+    else:
+        print "Bro local nets not found. Exiting. "
+        sys.exit(-1)
+
+    return local_nets
+
+########################################################
+
+def get_local_host(ip1,ip2,sh,dh,local_nets):
+    """
+	based on contents of bro site file, determine which host is local
+    """
+    local_host = ""
+    if ip2 != "none":
+        #print "debug:", ip1, ip2, sh, dh, local_nets
+        # HACK Alert: this will only work for /16 and /24 networks
+        for net in local_nets:
+            if net.split(".")[2] == "0":  # assume class B
+                ipa = "%s.%s.0.0" % (ip1.split(".")[0] , ip1.split(".")[1] ) 
+                ipb = "%s.%s.0.0" % (ip2.split(".")[0] , ip2.split(".")[1] ) 
+            else: # assume class C
+                ipa = "%s.%s.%s.0" % (ip1.split(".")[0] , ip1.split(".")[1], ip1.split(".")[2] ) 
+                ipb = "%s.%s.%s.0" % (ip2.split(".")[0] , ip2.split(".")[1], ip2.split(".")[2] ) 
+
+            if ipa == net: 
+                local_host = sh
+                break
+            if ipb == net: 
+                local_host = dh
+                break
+    else:
+        local_host = sh
+    #print "   found local host: ", local_host
+
+    if local_host == "":  # sometimes see packets not on either net!
+        local_host = "host from unknown subnet!"
+    return local_host
+
+########################################################
+
+def create_alarm_info(aline, start_time, end_time):
+    """
+	create log info record from alarm message
+    """
+
+    # assume tagged alarm file; trick to parse correctly
+    if aline[:2] != "t=":   # if line does not start with "t=", continue
+        print "Warning: not a tagged alarm: ", aline
+	return []
+    reformated_alarm = [t.replace('~',' ') for t in aline.replace('\\ ','~').split()]
+    ip1 = ip2 = sp = dp =  "none"
+    alarm = msg = tm = tag = ""
+    for s in reformated_alarm:
+        field = s.split("=")
+        if field[0] == "sa":
+            ip1 = field[1]
+        if field[0] == "sp":
+            sp = field[1]
+        if field[0] == "da":
+            ip2 = field[1]
+        if field[0] == "dp":
+            dp = field[1]
+        if field[0] == "t":
+            try:
+                utime = float(field[1]) # unix-style time in seconds
+            except:
+                print "Error, unknown alarm format ", reformated_alarm
+                return []
+            if utime < start_time or utime > end_time:
+                return []
+            tm = time.ctime(float(field[1]))
+        if field[0] == "no":
+            alarm = field[1]
+        if field[0] == "tag":
+            tag = field[1]
+        if field[0] == "msg":
+            msg = field[1]
+            msg = msg.replace('\\ ', ' ')
+    # end for
+
+    if alarm in ignore_alarms:  # skip if wrong type of alarm
+        return []
+
+    if tag == "": 
+        tag = "missing tag"
+        print "Warning: Alarm tag not found: ", reformated_alarm
+    #return [] # only continue for tagged alarms
+
+    # look up src/dst addresses
+    sh = [""]
+    dh = [""]
+    try:
+        sh = socket.gethostbyaddr(ip1);
+    except:
+        sh[0] = ip1
+    try:
+        dh = socket.gethostbyaddr(ip2);
+    except:
+        dh[0] = ip2
+    #print "hostnames: %s = %s; %s = %s" % (ip1, sh[0], ip2, dh[0])
+
+    # save all useful info from this alarm
+    alarm_info = [alarm, tm, ip1, sp, sh[0], ip2, dp, dh[0], msg, tag, 0]
+
+    #print "alarm info: ", alarm_info
+    return alarm_info
+
+########################################################
+
+def load_alarms(start_time, end_time):
+    """
+	load alarms from alarm log files into alarm_list 
+    """
+
+    # fills in alarm_list and host_list data structure
+
+    global alarm_list 
+    global host_list 
+
+    alarm_list = []
+    host_list = []
+
+    report_date = time.strftime("%y-%m-%d", time.localtime(end_time))
+    yr, mn, dy = report_date.split("-")
+
+    cnt = 0
+    for afile in alarm_file_list:
+        print "opening file:", afile
+        fd = open(afile)
+
+        # first read through entire alarm file and create list of hosts involved.
+        done = 0
+        while not done:
+            try:
+                tl = fd.readline()
+            except Exception, E:
+                print E
+                done = 1
+                continue
+            #print "read line: ",tl
+
+            if len(tl) == 0:
+                done = 1
+                #print "end of file"
+                continue
+
+            alarm_info = create_alarm_info(tl,start_time, end_time)
+            if alarm_info != []:
+                cnt += 1
+                #only add if this alarm for this host pair has not been seen before
+                alarm_exists = 0
+                for curr_alarm_info in alarm_list:
+                    alarm,tm,ip1,sp,shost,ip2,dp,dhost,msg,tag,a_cnt = curr_alarm_info
+                    if alarm  == alarm_info[0] and ip1 == alarm_info[2] and ip2 == alarm_info[5]:
+                        curr_alarm_info[10] += 1   # increment count
+                        alarm_exists = 1
+                if not alarm_exists:
+                    alarm_list.append(alarm_info)
+
+                # figure out which host is local and add to host_list[]
+                local_host = get_local_host(alarm_info[2], alarm_info[5], alarm_info[4], alarm_info[7], local_nets)
+                if local_host not in host_list:
+                    print "Adding to host list: ", local_host
+                    host_list.append(local_host)
+
+    #print host_list
+    #print alarm_list
+    print "Found %d alarms in this time period " % cnt
+    return cnt
+
+######################################################################
+def print_alarm(alarminfo,out):
+    """ Formats and outputs the alarms
+    """
+
+    alarm,tm,ip1,sp,sh,ip2,dp,dh,msg,tag,a_cnt = alarminfo
+
+    out.write ('<table border="0" cellspacing="2" cellpadding="2"> \n <tr> \n')
+    out.write ('<td><div align="right"><strong> ')
+    # reformat alarm and write to file in a more readable format
+    alarm_string =  '<strong>%s</strong>: <td> %s </td> </tr> \n <tr align="left"> <td align="right"> source: </td> <td align="left"> %s </td> <td> %s </td> <td> port = %s </td> </tr> \n <tr align="left"> <td align="right"> dest: </td> <td align="left"> %s </td> <td> %s </td> <td> port = %s </td> </tr> \n <tr> <td align="right"> alarm message: </td> <td colspan= 3 align="left"> %s %s </td> </tr> </table> \n' % (alarm, tm, ip1, sh, sp, ip2, dh, dp, msg, tag) 
+    out.write(alarm_string)
+    if a_cnt > 1:
+        out.write("<ul>%d instances of this alarm for this host pair </ul>" % a_cnt)
+
+    out.write ("<p> \n")
+
+######################################################################
+def print_connections(connfiles,ip,tag,out):
+    """ Formats and outputs the connection logs
+     """
+
+    # there must be a clever way to do this with the pipes module, but this will work for now
+    # only include connections that have state SF or S1 (should also include RSTO)
+
+    cmd = "grep -h ' %s ' %s | grep -e 'SF' -e 'S1' -e 'RSTO' | grep -A 10 -B 5 '%s$' | %s | %s > %s" % (ip, connfiles, tag, cf, hf, "/tmp/bro-report.tmp")
+    print "running program: ", cmd
+    os.system(cmd)       
+    f = open("/tmp/bro-report.tmp")
+    lines = f.readlines()  # read entire file
+
+    if len(lines) > 0:
+        out.write ('\n <table border="0" cellspacing="2" cellpadding="2"> \n')
+        out.write('<tr align="right"><td colspan= 3> Time </td> <td> Duration </td><td> Src host </td><td> Dst host </td> <td> Service </td> <td> Src port </td> <td> Dst port </td> <td> Prot </td> <td> Bytes sent </td><td> Bytes rcv </td> <td> State </td><td> Flag </td><td> Tag </td> </tr>')
+
+        for line in lines:
+            fields = line.split()
+            out.write('<tr align="right">')
+            for f in fields:
+                out.write("<td> %s </td>" % f)
+            out.write("</tr>")
+        out.write("</table> \n ")
+
+    else:
+        out.write ("<ul> No suscessful connections found. </ul> \n")
+
+    out.write ("<hr>\n")
+
+
+######################################################################
+def usage(m=None):
+    """This just prints the doc string for the whole program.
+    """
+    if m: print "Error: %s" % m
+    print __doc__
+    sys.exit()
+
+########################################################
+
+def main():
+    """
+	parse opts, collect alarms, generate report
+    """
+
+    global local_nets 
+    global report_date
+    global conn_reports_at_end 
+    conn_reports_at_end = 0
+
+    try:    
+        options,prog_args = getopt.getopt(sys.argv[1:],'hxys:e:m:')
+    except getopt.GetoptError, E:       
+        usage(E)
+
+    do_today = 0
+    report_date = sdate = edate = dest = ""
+    for opt,val in options:
+        if opt == '-s':
+            sdate = val
+        elif opt == '-e':
+            edate = val
+        elif opt == '-m':
+            dest = val
+        elif opt == '-y':
+            conn_reports_at_end = 1 
+        else:
+            usage()
+
+    if dest == "":
+        print "Missing email address for report"
+        usage()
+
+    if sdate == "":
+        # set defauts
+        end_time = time.time()
+        start_time = end_time - (24 * 60 * 60)  # number of seconds in 1 day
+    else:
+        # if start/stop times given at the command line, convert them to Unix time
+        if sdate != "":
+            start_time = get_time(sdate)
+            if edate == "":  # if not specified, add 24 hrs
+                end_time = start_time + (24 * 60 * 60) 
+        if edate != "":
+            end_time = get_time(edate)
+            if sdate == "":  # if not specified, subtract 24 hrs
+                start_time = end_time + (24 * 60 * 60) 
+        else:
+            end_time = start_time + (24 * 60 * 60)  # number of seconds in 1 day
+
+    #print "start time: %f, %s " % (start_time, time.ctime(start_time))
+    #print "end time: %f, %s " % (end_time, time.ctime(end_time))
+
+    outfile = "%s/reports/bro.report.%d.html" % (brohome, os.getpid())
+    out = open(outfile, 'w') 
+
+    if conn_reports_at_end:   # open file to save all conn information, then cat to report at the end
+        outfile_conn = "%s/reports/bro.report.%d.tmp" % (brohome, os.getpid())
+        out_conn = open(outfile_conn, 'w') 
+
+    rstart = time.strftime("%y-%m-%d %H:%M", time.localtime(start_time))
+    rend = time.strftime("%y-%m-%d %H:%M", time.localtime(end_time))
+
+    if get_file_names(start_time, end_time) <= 0:
+        print "No alarms found for time specified"
+        out.write ("<HTML><HEAD><TITLE> Bro Report %s to %s </TITLE></HEAD>\n" % (rstart, rend ) )
+        out.write ("<BODY><p> Bro Report %s-%s <p> \n"  % (rstart, rend ) )
+        out.write ("<BODY><p><p> No alarms found for time specified \n </BODY></HTML>"  )
+        sys.exit(0)
+
+    connfiles = ""
+    for connfile in conn_file_list:  # build single string with all names in it
+        connfiles += "%s " % connfile
+    #print "connfiles ", connfiles
+
+    site_name = get_site_name("%s/etc/bro.cfg" % brohome)
+    local_nets = get_local_nets(bro_local_nets)
+    cnt = load_alarms(start_time, end_time)
+
+    out.write ("<HTML><HEAD><TITLE> Bro Report %s-%s </TITLE></HEAD>\n" % (rstart, rend ) )
+    out.write ("<BODY>")
+    out.write ("<p> Bro Report: %s-%s \n" % (rstart, rend ) )
+    out.write ("<p> Total Number of Alarms: %d \n " % cnt)
+    if cnt > 0:
+        out.write ("<br> List of %s hosts with Alarms in this report: \n <ul> " % site_name)
+
+        # now loop through alarm_list and generate report
+        for host in host_list:
+            out.write ("  <p> <strong> %s </strong>" % (host))
+        out.write ("</ul> <p> <hr> \n")
+    else:
+        print "No Alarms found"
+
+    for alarm in alarm_list:
+        #print alarm
+        print_alarm(alarm,out)
+        tag = alarm[9]
+
+        if conn_reports_at_end:   
+            taglink = "#alarm%s" % (tag)
+            out.write ('\n <ul> <a href="%s"> Successful Connections</a> just before and after this alarm </ul> <p>\n' % taglink)
+        else:
+            out.write ("Successful Connections just before and after this alarm: \n\n <p> \n" )
+
+        print "searching conn files '%s' for tag %s " % ( connfiles, tag)
+
+        if conn_reports_at_end:   
+            out_conn.write('<P><A name="%s"></A>\n' % taglink.strip("#"))
+
+        if len(connfiles) > 0:
+            if conn_reports_at_end:   
+                out_conn.write ('\n <p> \n Successful Connections just before and after alarm %s  <p>\n' % tag)
+                print_connections(connfiles, alarm[2], tag, out_conn )
+            else:
+                print_connections(connfiles, alarm[2], tag, out )
+
+    if conn_reports_at_end and cnt > 0:   
+        out.write ("<hr> \n")
+        out.write ("<p> Connection Summary Information \n" )
+        out_conn.close()
+        out.close()
+        cmd = "cat %s >> %s " % (outfile_conn, outfile)
+        print "Running command: ", cmd
+        os.system(cmd)       
+        # next reopen the file
+        out = open(outfile, 'a')  
+
+    out.write ("</body></html> \n")
+    out.close()
+
+    # done building report, now send it
+
+    #cmd = "/usr/bin/Mail -s 'Bro Report: %s' %s < %s" % (tm, dest, outfile)
+    # mail does not handle HTML attachments, so use mutt instead
+    cmd = "%s -s 'Bro Report from %s: %s to %s ' -a %s %s < /dev/null" % (mutt, socket.gethostname(), rstart, rend, outfile, dest)
+    print "running program: ", cmd
+    os.system(cmd)       
+
+    try:
+        os.remove("/tmp/bro-report.tmp")
+    #os.remove(outfile)
+    except:
+        pass
+
+    sys.exit(0)
+
+######################################################################
+if __name__ == '__main__': main()
+
diff --git a/aux/contrib/scripts/syslog2broccoli.py b/aux/contrib/scripts/syslog2broccoli.py
new file mode 100644
index 0000000000..294486cb9f
--- /dev/null
+++ b/aux/contrib/scripts/syslog2broccoli.py
@@ -0,0 +1,600 @@
+#! /usr/bin/env python
+#
+# this script finds the end of the syslog file, and then watches
+#  for new events to send to Bro.  Actually they are reformatted
+#  as Broccoli events, and written to stdout. Then some other
+#  process can send them to Bro.
+#
+# started as a perl script from unknon source
+# modified for syslog parsing by Scott Campbell
+# more options added by Brian Tierney
+#
+# CHANGELOG: started 07/07/05
+# fixed IPv6 support in sshd login analysis
+# 07/12/05 change logic in ssh deny parsing to only look at what
+#          we want rather than reverse.
+#
+"""
+script that looks at interesting entries in a syslog file
+and print out information in a format that broccoli understands
+"""
+import optparse, logging, re, time
+import select, socket, sys, threading
+
+RE_SSH = re.compile(r"[\w,\s,\W]*sshd") 
+RE_SSH_ACCEPT = re.compile(r"[\w,\s,\W]*Accept")
+# all Failures; leads to false possitives
+# RE_SSH_FAIL = re.compile(r"[\w,\s,\W]*Failed")
+# just failed passwords
+RE_SSH_FAIL = re.compile(r"[\w,\s,\W]*Failed[\s]*password")
+RE_SSH_FAIL_ILLEGAL_USER = re.compile(r"[\w,\s,\W]*illegal[\s]*user|[\w,\s,\W]*invalid[\s]*user")
+RE_SSH_EXCLUDE = re.compile(r"[\w,\s,\W]*com\.apple\.SecurityServer")
+
+# only do failures for now
+
+RE_SUDO = re.compile(r"[\w,\s,\W]*sudo[\w,\s,\W]+failure|[\w,\s,\W]*sudo[\w,\s,\W]+incorrect password attempts")
+RE_SUDO_FORMAT1 = re.compile(r"[\w,\s,\W]*sudo[\w,\s,\W]+failure")
+RE_SUDO_FORMAT2 = re.compile(r"[\w,\s,\W]*sudo[\w,\s,\W]+incorrect password attempts") 
+
+RE_SU_SUCCESS = re.compile(r"[\w,\s\W]*su: \(|[\w,\s,\W]*su: SU |[\w,\s,\W]*su[\w,s,\W]+session opened") 
+RE_SU_FORMAT1 = re.compile(r"[\w,\s,\W]*session opened for user [\w,\W]+ by [\w,\W]+")        
+RE_SU_FORMAT2 = re.compile(r"[\w,\s,\W]*su:[\s]*\(to [\w]+\) [\w]+")        
+RE_SU_FORMAT3 = re.compile(r"[\w,\s,\W]*su: SU")        
+
+
+RE_SU_FAIL = re.compile(r"[\w,\s\W]* BAD SU |[\w,\s,\W]* FAILED SU |[\w,\s,\W]*su[\w,\s,\W]*authentication failure") 
+RE_SU_FAIL_FORMAT1 = re.compile(r"[\w,\s,\W]*authentication failure")
+RE_SU_FAIL_FORMAT2 = re.compile(r"[\w,\s,\W]*FAILED SU")
+RE_SU_FAIL_FORMAT3 = re.compile(r"[\w,\s,\W]*BAD SU")
+
+RE_GRID = re.compile(r"[\w,\s\W]* GRAM")
+RE_GRID_AUTHORIZE_LOCALUSER = re.compile(r"[\w,\s,\W]* Authorized as local user")
+RE_GRID_AUTHORIZE_LOCALUID = re.compile(r"[\w,\s,\W]* Authorized as local uid:")
+RE_GRID_AUTHORIZE_LOCALGID = re.compile(r"[\w,\s,\W]* and local gid:")
+RE_GRID_AUTHENTICATE = re.compile(r"[\w,\s,\W]* Authenticated globus user:")
+RE_GRID_CONNECT = re.compile(r"[\w,\s,\W]* Got connection ")
+RE_GRID_SERVICE = re.compile(r"[\w,\s,\W]* Requested service: ")
+RE_GRID_INFO = re.compile(r"[\w,\s,W]*gridinfo")
+
+# not done: generate Bro event for these too
+RE_NEWUSER = re.compile(r"[\w,\s,\W]*new user:[\w,\s,\W]+useradd")
+
+# not done: generate Bro event for user root sending mail to yahoo, gmail, hotmail, aol, etc.
+#	(maybe even any .com ?)
+RE_ROOT_EMAIL = re.compile(r"[\w,\s,\W]*sendmail[\w,\s,\W]+root[\w,\s,\W]+to `[\w,\s,\W]+\.com")
+
+
+class HeartBeatThread(threading.Thread):
+    """
+    HeartBeat class that inherits from Python Thread class 
+    """
+    def __init__(self, sleep_seconds): 
+        threading.Thread.__init__(self)
+        self._sleeptime = sleep_seconds 
+
+    def run(self):
+        """
+        Sends out a heartbeat event, then goes to sleep for 15 minutes
+        """
+        addr = socket.gethostbyname(socket.gethostname())
+        heartbeat_string = "Syslog_daemon_heartbeat"
+        while True: 
+            time_double = time.time()
+            print "heartbeat_event double=%d addr=%s string=%s" % (time_double, addr, heartbeat_string)
+            time.sleep(self._sleeptime) 
+
+def time_conversion(month, date, clocktime):
+    """
+    Convert time string to double, need to handle the
+    year field
+    """ 
+    year = time.asctime().split()[-1:][0] 
+    time_str = " ".join((month, date, clocktime, year)) 
+    try:
+        time_tuple = time.strptime(time_str, "%b %d %H:%M:%S %Y")
+    except:
+        log.error( "time.strptime error converting %s" % time_str )
+        return 0.0
+    time_double = time.mktime(time_tuple) 
+    return time_double
+    
+def check_ip(ip):
+    """
+	Covert hostname to IP if necessary, and check if valid IP
+    """
+
+    try:
+        ip = socket.gethostbyname(ip)
+    except:
+        log.error( "Error converting %s to an IP " % ip )
+        return ""
+
+    # if passed in something that looked like an IP, gethostbyname might not return an error, so best to check
+    try:
+        ips = ip.split('.')
+    except:
+        log.error("Error spliting IP into components: %s" % ip)
+        return ""
+
+    if len(ips) == 4:
+        if int(ips[0]) < 256 and int(ips[1]) < 256 and int(ips[2]) < 256 and int(ips[3]) < 256:
+            return ip
+        else:
+            return ""
+    else:
+        return ""
+
+def find_user(fields):
+    """
+    Find the user in a list of fields where user is the name in user=name
+    """
+    user = "unknown"
+    for f in fields: 
+        try:
+            user1, user2 = f.split('=')
+            if user1 == 'user' or user1 == 'ruser':
+                if user2 != "": 
+                    return user2
+        except: 
+            pass 
+    return user 
+
+def parse_ssh(line, line_cnt): 
+    """
+    print out the ssh fields into the broccoli format
+
+    Note: still needs to handle odd syslog formats, such as (double set of timestamps):
+      Jan  1 00:03:44 127.0.0.1 2005-12-31 21:51:10.163447500 isthiswhatyouwant.jay.lbl.gov sshd[] PAM: Authentication failure for ldoolitt from astound-69-42-20-231.ca.astound.net
+
+    There are many different formats, but the following seem fairly consistant:
+        for username
+        from hostname
+     so look for works "for" and "from", and then take the fields after that
+
+    """ 
+    
+    fields = line.split() 
+    time_double = time_conversion(fields[0], fields[1], fields[2]) 
+    # look for 'from' hostname
+    n = 0
+    from_ip = ""
+    for f in fields:
+        if f == "from":
+            from_ip = fields[n+1]
+            break
+        n += 1
+
+    # check for valid IP (some look like this: "::ffff:128.3.60.86")
+    ipf = from_ip.split(':')
+    if len(ipf) > 1:
+        ip = ipf[len(ipf) - 1]
+    else:
+        ip = ipf[0]
+
+    # verify that this is a valid IP address
+    ip = check_ip(ip)
+    lh_ip = check_ip(fields[3])
+
+    success = False
+    failed = False
+    auth_type = "unknown"
+    username = "unknown"
+
+    if RE_SSH_ACCEPT.match(line):
+        success = True
+        try:
+            auth_index = fields.index('Accepted')
+            username_index = fields.index('for')
+        except ValueError:
+            log.error( "Error: sshd line with unknown format: line %d,%s" % (line_cnt, line))
+            return 
+            
+        auth_type = fields[auth_index +1] 
+        username = fields[username_index +1]
+
+    if RE_SSH_FAIL.match(line) and not RE_SSH_EXCLUDE.match(line): 
+        failed = True 
+        try:
+            auth_index = fields.index('Failed')
+            username_index = fields.index('for') 
+        except ValueError:
+            log.error( "Error: sshd line with unknown format: line %d,%s" % (line_cnt, line))
+            return 
+        
+        auth_type = fields[auth_index + 1] 
+        if RE_SSH_FAIL_ILLEGAL_USER.match(line):
+            username = fields[username_index +3] 
+        else:
+            username = fields[username_index +1]
+    
+    if ip and lh_ip:
+        if success: 
+            print "ssh_login double=%d addr=%s addr=%s string=%s string=%s" % (time_double, ip, lh_ip, username, auth_type)
+           
+        if failed:
+            print "ssh_fail_login double=%d addr=%s addr=%s string=%s string=%s" % (time_double, ip, lh_ip, username, auth_type)
+           
+    else:
+        log.error( "Error: sshd line with unknown format: line %d" % (line_cnt))
+ 
+  
+def parse_sudo(line):
+    """
+    print out the sudo fields in the broccoli format 
+    Supports these formats
+        1. host sudo(pam_unix)[5835]: authentication failure; logname=user uid=0 euid=0 tty=pts/4 ruser= rhost=  user=user
+        2. host sudo:    user: 3 incorrect password attempts ;
+        TTY=pts/11 ; PWD=directory COMMAND=/bin/ls
+
+    """ 
+    
+    fields = line.split()
+    time_double = time_conversion(fields[0], fields[1], fields[2]) 
+
+    # look for user
+    user = "unknown" 
+    if RE_SUDO_FORMAT1.match(line): 
+        user = find_user(fields)        
+        
+    if RE_SUDO_FORMAT2.match(line): 
+        user = fields[5] 
+
+    if user == "":
+        user = "unknown" 
+
+    # check if need to convert to IP addr
+    lh_ip = check_ip(fields[3])
+
+    if user == "unknown":
+        log.debug("unhandled user in next line" )
+        log.debug(line)
+    
+    print "failed_sudo double=%d addr=%s string=%s " % (time_double, lh_ip, user )
+
+def parse_su_success(line, line_cnt):
+    """
+    print out the su fields in the broccoli format
+
+    This one is hard because there are MANY formats used for this, including: 
+        This function handles these 3 formats
+        1. session opened for user by user
+        2. (to root) user
+        3. su: SU 
+        
+        user to root
+        'su root' succeeded for user 
+
+        Not quite done: does not always correctly find logname or username
+    """
+    fields = line.split()
+    time_double = time_conversion(fields[0], fields[1], fields[2]) 
+    logname = "unknown"
+    user = "unknown" 
+     
+    if RE_SU_FORMAT1.match(line): 
+        try:
+            index = fields.index('user')
+        except ValueError:
+            log.error( "Error: su line with unknown format: line %d,%s" % (line_cnt, line))
+            return 
+            
+        logname = fields[index +1] 
+        user = fields[index +3] 
+    
+    if RE_SU_FORMAT2.match(line): 
+        logname = fields[6].rstrip(')')
+        user = fields[7]
+    
+    if RE_SU_FORMAT3.match(line): 
+        try:
+            index = fields.index('SU')
+        except ValueError:
+            log.error( "Error: su line with unknown format: line %d,%s" % (line_cnt, line))
+            return 
+        
+        user = fields[index +1] 
+
+    if user == "unknown": 
+        log.debug("unhandled case on line: %d " % line_cnt)
+        log.debug(line)
+    lh_ip = check_ip(fields[3])
+    print "successful_su double=%d addr=%s string=%s string=%s" % (time_double, lh_ip, logname, user) 
+     
+
+def parse_su_fail(line, line_cnt):
+    """
+    print out the su fields in the broccoli format
+    This one is hard because there are MANY formats used for this, including:
+        authentication failure; 
+        logname=user uid=uid euid=0 tty= ruser=jason rhost=  user=root
+        
+        We match this case only
+        1. BAD SU user to root
+        These cases are not handled
+        FAILED SU (to root) user
+        'su root' failed for user 
+    """
+    fields = line.split() 
+    time_double = time_conversion(fields[0], fields[1], fields[2]) 
+    user = "unknown"
+    
+    if RE_SU_FAIL_FORMAT1.match(line):
+        user = find_user(fields) 
+    
+    if RE_SU_FAIL_FORMAT2.match(line): 
+        fail_test1 = False
+        fail_test2 = False
+        try:
+            index = fields.index('to') 
+        except:
+            fail_test1 = True
+        try:
+            index = fields.index('(to') 
+        except:    
+            fail_test2 = True 
+        
+        if fail_test1 and fail_test2:
+            log.error("su fail: -to- not found: line %d" % line_cnt)
+        else: 
+            user = fields[index +1]
+    
+    if RE_SU_FAIL_FORMAT3.match(line): 
+        try:
+            index = fields.index('to') 
+            user = fields[index - 1]
+        except:
+            log.error("su fail: -to- not found: line %d " % line_cnt)
+        
+    if user == "":
+        user = "unknown" 
+
+    if user == "unknown":
+        log.debug("unhandled case on line %d" % line_cnt)
+        log.debug(line)
+
+    lh_ip = check_ip(fields[3])
+
+    print "failed_su double=%d addr=%s string=%s" % (time_double, lh_ip, user) 
+
+def parse_gate(line, line_cnt):
+    """
+    print out the globus fields in the broccoli format
+
+    Not finished
+    """
+    fields = line.split() 
+    time_double = time_conversion(fields[0], fields[1], fields[2]) 
+    
+    if RE_GRID_AUTHORIZE_LOCALUSER.match(line): 
+        gate_ip = check_ip(fields[3])
+        pid = fields[5].strip("gatekeeper[]:") 
+        user = fields[10]
+        print "gatekeeper_local_user addr=%s count=%s string=%s string=Authorized" % (gate_ip, pid, user) 
+        
+    elif RE_GRID_AUTHORIZE_LOCALUID.match(line):
+        gate_ip = check_ip(fields[3])
+        pid = fields[5].strip("gatekeeper[]:")
+        uid = fields[10]
+        print "gatekeeper_local_uid addr=%s count=%s string=%s string=Authorized" % (gate_ip, pid, uid)
+    elif RE_GRID_AUTHORIZE_LOCALGID.match(line):
+        gate_ip = check_ip(fields[3])
+        pid = fields[5].strip("gatekeeper[]:")
+        gid = fields[9]
+        print "gatekeeper_local_uid addr=%s count=%s string=%s string=Authorized" % (gate_ip, pid, gid)
+    elif RE_GRID_AUTHENTICATE.match(line):
+        print "authenticate"
+        gate_ip = check_ip(fields[3])
+        pid = fields[5].strip("gatekeeper[]:")
+        dn = " ".join(fields[9:])
+        print "gatekeeper_auth_user addr=%s count=%s string=%s string=Authorized" % (gate_ip, pid, dn) 
+    elif RE_GRID_CONNECT.match(line): 
+        gate_ip = check_ip(fields[3])
+        src_ip = check_ip(fields[8])
+        pid = fields[5].strip("gatekeeper[]:")
+        print "gateekeeper_connect double=%d addr=%s addr=%s count=%s" % (time_double, gate_ip, src_ip, pid) 
+    elif RE_GRID_SERVICE.match(line): 
+        gate_ip = check_ip(fields[3]) 
+        pid = fields[5].strip("gatekeeper[]:")
+        service = fields[8]
+        print "gatekeeper_service double=%d addr=%s count=%s string=%s" % (time_double, gate_ip, pid, service) 
+  
+    else:
+        log.debug("unhandled case on line %d" % line_cnt)
+        log.debug(line)
+    
+    
+    
+
+    
+
+    
+
+def parse_newuser(line):
+    """
+    print out the newuser fields in the broccoli format
+
+    Not finished
+    """
+    fields = line.split() 
+    time_double = time_conversion(fields[0], fields[1], fields[2]) 
+    lh_ip = check_ip(fields[3])
+
+    #print "new_user double=%d addr=%s string=%s" % (time_double, lh_ip, user) 
+
+def parse_root_email(line):
+    """
+    print out the root email fields in the broccoli format
+
+    Not finished
+    """
+    fields = line.split() 
+    time_double = time_conversion(fields[0], fields[1], fields[2]) 
+    lh_ip = check_ip(fields[3])
+
+    #print "root_email double=%d addr=%s addr=%s" % (time_double, lh_ip, ip) 
+
+
+
+def log_parse(syslog_file, opts):
+    """
+    Continually parse the log file, and print information to stdout
+    """
+
+    line_cnt = 0
+    done = 0
+    if opts.begin_tail or opts.begin:
+        tail = 0
+    else:
+        tail = 1
+
+    day = int(time.strftime("%d")) # day that program is started
+    today = time.strftime("%Y-%m-%d") 
+
+    while not done:
+        try:  
+            line = syslog_file.readline()
+        except Exception, E:
+            log.error ("Error reading file. Possibly log file was rotated, so try to reopen " )
+            syslog_file.close() 
+            fname = "%s/all-%s" % (opts.path, today)
+            try:
+                syslog_file = open(fname) 
+            except:
+                log.error( "Error opening syslog file %s " % (fname))
+                sys.exit(-1)
+
+        if len(line) == 0 and opts.begin: # if not tailing the file
+            done = 1
+            log.debug ("End of file. Num lines = %d. Exiting" % line_cnt)
+            sys.exit(1);
+ 
+        if len(line) == 0 and opts.begin_tail and tail == 0:
+            tail = 1   # start tailing the file
+            log.debug ("Reached End of file, now tailing the file") 
+
+        line_cnt += 1
+        if not (line_cnt % 50000):
+            log.debug ("Processed %d lines" % line_cnt)
+
+
+	try:
+           if RE_SSH.match(line) and ( RE_SSH_ACCEPT.match(line) or RE_SSH_FAIL.match(line) ):
+               parse_ssh(line, line_cnt) 
+             
+           elif RE_SUDO.match(line):
+               parse_sudo(line) 
+             
+           elif RE_SU_SUCCESS.match(line):
+               parse_su_success(line, line_cnt)
+ 
+           elif RE_SU_FAIL.match(line):
+               parse_su_fail(line, line_cnt)
+
+           elif RE_GRID.match(line):
+               parse_gate(line, line_cnt) 
+
+           elif RE_NEWUSER.match(line):
+               parse_newuser(line.split()) 
+
+           elif RE_ROOT_EMAIL.match(line):
+               parse_root_email(line.split()) 
+
+           else:
+               #This outputs too much information, this should be turned
+               #on if we set verbose to the next level
+               #log.debug("Not matching line: %s" % line)
+               pass 
+
+        except:
+            log.error ("Error parsing log file. Corrupt log entry: %s" % line )
+	    continue
+
+        sys.stdout.flush()
+
+        if tail: # go slow if tailing the file
+            select.select([], [], [], .01) 
+            # if tailing the file and path is set, 
+            #need to roll over to a new file at midnight
+            if opts.path:
+                check_day = int(time.strftime("%d"))
+                if day != check_day:
+                    # new day, so open new file
+                    syslog_file.close() 
+                    today = time.strftime("%Y-%m-%d") 
+                    fname = "%s/all-%s" % (opts.path, today)
+                    log.debug( "New Day, so opening new syslog file: %s " % (fname))
+                    try:
+                        syslog_file = open(fname) 
+                    except:
+                        log.error( "Error opening syslog file %s " % (fname))
+                        sys.exit(-1)
+                    day = check_day 
+                    line_cnt = 0
+
+ 
+def log_open(opts):
+    """
+    open the logfile at the beginning or end
+    depending on the command line arguments
+    """
+    global log
+    logging.basicConfig()
+    log = logging.getLogger("sys2broccoli")
+
+    if opts.verbose:
+        log.setLevel(logging.DEBUG)
+    else:
+        log.setLevel(logging.NOTSET) 
+    
+    if opts.path and opts.start_date: 
+        fname = "%s/all-%s" % (opts.path, opts.start_date)
+    else:
+        fname = opts.syslog_file
+    
+    try:
+        syslog_file = open(fname) 
+    except:
+        log.error( "Error opening syslog file %s " % (fname))
+        sys.exit(-1)
+
+    if opts.begin or opts.begin_tail:
+        log.debug("Will start at the beginning of the file.")    
+    else:
+        syslog_file.seek(0, 2)
+
+    log_parse(syslog_file, opts)        
+            
+         
+
+def main():
+    """
+    Read in the command line arguments, then open the log
+    """
+    parser = optparse.OptionParser()
+    begin_help = """Start at the begining of the syslog file,
+                    and exit when get to the end""" 
+    parser.add_option("-b", action="store_true", dest="begin", 
+                      help=begin_help, default=False)
+    begin_tail_help = """Start at the begining of the syslog file, 
+                         and tail the file when get to the end""" 
+    parser.add_option("-B", action="store_true", dest="begin_tail", 
+                     help=begin_tail_help, default=False)
+    parser.add_option("-v", "--verbose", action="store_true", dest="verbose", 
+                      help="be more verbose", default=False)
+    parser.add_option("-f", "--file", action="store", dest="syslog_file", 
+                      help="Location of the syslog file.", 
+                      default="/var/log/syslog")
+    # these are for use on syslog.lbl.gov
+    parser.add_option("-d", "--dir", action="store", dest="path", 
+                      help="Directory of the archived syslog files.")
+    parser.add_option("-t", "--date", action="store", dest="start_date", 
+                      help="Date of file to process.", default=False)
+    opts, args = parser.parse_args()
+    heartbeat = HeartBeatThread(900)
+    heartbeat.setDaemon(True)
+    heartbeat.start() 
+    log_open(opts) 
+    
+
+
+if __name__ == "__main__": main()
diff --git a/aux/hf/Makefile.am b/aux/hf/Makefile.am
new file mode 100755
index 0000000000..2e127f5084
--- /dev/null
+++ b/aux/hf/Makefile.am
@@ -0,0 +1,16 @@
+DISTCLEANFILES = hf.c nf.c pf.c
+
+noinst_PROGRAMS = hf nf pf
+
+#LEX = @V_LEX@
+
+#.l.c:
+#	$(LEX) $(srcdir)/$*.l ; rm -f $@ ; mv lex.yy.c $@
+
+if USE_NBDNS
+dns_srcs = nb_dns.c
+endif
+
+hf_SOURCES = hf.l setsignal.c version.c nb_dns.h setsignal.h gnuc.h $(dns_srcs) 
+nf_SOURCES = nf.l setsignal.c 
+pf_SOURCES = pf.l setsignal.c 
diff --git a/aux/hf/VERSION b/aux/hf/VERSION
new file mode 100755
index 0000000000..f71668fbd8
--- /dev/null
+++ b/aux/hf/VERSION
@@ -0,0 +1 @@
+1.0a10
diff --git a/aux/hf/gnuc.h b/aux/hf/gnuc.h
new file mode 100755
index 0000000000..deba3e6fef
--- /dev/null
+++ b/aux/hf/gnuc.h
@@ -0,0 +1,43 @@
+/* @(#) $Header$ (LBL) */
+
+/* Define __P() macro, if necessary */
+#ifndef __P
+#if __STDC__
+#define __P(protos) protos
+#else
+#define __P(protos) ()
+#endif
+#endif
+
+/* inline foo */
+#ifdef __GNUC__
+#define inline __inline
+#else
+#define inline
+#endif
+
+/*
+ * Handle new and old "dead" routine prototypes
+ *
+ * For example:
+ *
+ *	__dead void foo(void) __attribute__((volatile));
+ *
+ */
+#ifdef __GNUC__
+#ifndef __dead
+#define __dead volatile
+#endif
+#if __GNUC__ < 2  || (__GNUC__ == 2 && __GNUC_MINOR__ < 5)
+#ifndef __attribute__
+#define __attribute__(args)
+#endif
+#endif
+#else
+#ifndef __dead
+#define __dead
+#endif
+#ifndef __attribute__
+#define __attribute__(args)
+#endif
+#endif
diff --git a/aux/hf/hf.l b/aux/hf/hf.l
new file mode 100755
index 0000000000..d5ef9198c4
--- /dev/null
+++ b/aux/hf/hf.l
@@ -0,0 +1,950 @@
+N              [0-9]
+O              ({N}{1,3})
+
+C              [0-9A-Fa-f]
+H              ({C}{1,4})
+
+    #include "config.h"
+    #include <sys/types.h>
+    #include <sys/socket.h>
+    #include <sys/time.h>
+    #include <sys/stat.h>
+
+    #include <netinet/in.h>
+
+    #include <arpa/inet.h>
+
+    #ifdef NEED_NAMESER_COMPAT_H
+        #include <arpa/nameser_compat.h>
+    #else
+        #include <arpa/nameser.h>
+    #endif
+
+    #ifndef NS_MAXDNAME
+	    #define NS_MAXDNAME 1025
+    #endif
+    #ifndef NS_INADDRSZ
+	    #define NS_INADDRSZ 4
+    #endif
+    #ifndef NS_IN6ADDRSZ
+	    #define NS_IN6ADDRSZ 16
+    #endif
+
+    #include <ctype.h>
+    #include <errno.h>
+    #ifdef HAVE_MEMORY_H
+    #include <memory.h>
+    #endif
+    #include <netdb.h>
+    #include <resolv.h>
+    #include <setjmp.h>
+    #include <signal.h>
+    #include <stdio.h>
+    #include <string.h>
+    #include <unistd.h>
+
+    #include "gnuc.h"
+    #ifdef HAVE_OS_PROTO_H
+    #include "os-proto.h"
+    #endif
+
+    #include "setsignal.h"
+    #include "nb_dns.h"
+
+    #undef yywrap
+    #ifdef FLEX_SCANNER
+    #define YY_NO_UNPUT
+    #endif
+    int yywrap(void);
+    int yylex(void);
+    void convert(const char *, int);
+
+    #ifdef HAVE_ASYNC_DNS
+    #define ECHO \
+	if (!lookup_pass) { (void) fwrite( yytext, yyleng, 1, yyout ); }
+    int lookup_pass;		/* true if lookup only */
+    #endif
+    int linemode;		/* convert at most one entry per line */
+    int triedone;
+
+%%
+
+
+::{O}(\.{O}){3}		convert(yytext, 1);
+{O}(\.{O}){3}		convert(yytext, 0);
+
+{H}(:{H}){7}		convert(yytext, 1);
+{H}:(:{H}){1,6}		convert(yytext, 1);
+({H}:){2}(:{H}){1,5}	convert(yytext, 1);
+({H}:){3}(:{H}){1,4}	convert(yytext, 1);
+({H}:){4}(:{H}){1,3}	convert(yytext, 1);
+({H}:){5}(:{H}){1,2}	convert(yytext, 1);
+({H}:){6}:{H}		convert(yytext, 1);
+
+({O}\.){1,3}		ECHO;		/* anti-backtrack */
+{O}((\.{O}){1,2})	ECHO;		/* anti-backtrack */
+
+{N}+			ECHO;
+[^0-9\n]+		ECHO;
+[^0-9\n]+\n		{
+			ECHO;
+			triedone = 0;
+			}
+
+\n			{
+			ECHO;
+			triedone = 0;
+			}
+
+%%
+
+/*
+ * Copyright (c) 1989, 1990, 1991, 1992, 1993, 1994, 1996, 1998, 1999, 2000, 2001, 2002, 2004
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that: (1) source code distributions
+ * retain the above copyright notice and this paragraph in its entirety, (2)
+ * distributions including binary code include the above copyright notice and
+ * this paragraph in its entirety in the documentation or other materials
+ * provided with the distribution, and (3) all advertising materials mentioning
+ * features or use of this software display the following acknowledgement:
+ * ``This product includes software developed by the University of California,
+ * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
+ * the University nor the names of its contributors may be used to endorse
+ * or promote products derived from this software without specific prior
+ * written permission.
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
+ * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
+ */
+
+#ifndef lint
+static const char copyright[] =
+    "@(#) Copyright (c) 1989, 1990, 1991, 1992, 1993, 1994, 1996, 1998, 1999, 2000, 2001, 2002, 2004\n\
+The Regents of the University of California.  All rights reserved.\n";
+static const char rcsid[] =
+    "@(#) $Id: hf.l 1420 2005-09-29 22:25:14Z vern $ (LBL)";
+#endif
+
+
+#define HSIZE 8192		/* must be a power of two */
+
+struct htable {
+	char addr[NS_IN6ADDRSZ];
+	int af;			/* address family */
+	int alen;
+	int state;
+	char *name;		/* overloaded variable */
+	struct htable *next;
+} htable[HSIZE];
+
+#define STATE_FREE	0	/* not in use */
+#define STATE_RAW	1	/* couldn't translate */
+#define STATE_SENTPTR	2
+#define STATE_HAVEPTR	3
+#define STATE_SENTA	4
+#define STATE_HAVEA	5
+
+int strip = 1;			/* strip local domain when possible */
+int lcase = 1;			/* force lowercase */
+int shortdomain;		/* strip entire domain */
+int printboth;			/* print both addr & name */
+#ifdef HAVE_ASYNC_DNS
+int asyncdns;			/* 2 pass async dns hack */
+int numasync;			/* number of outstanding async requests */
+int asyncfd;
+#endif
+int networknumber;		/* convert to network numbers */
+int check;			/* check PTR's against A records */
+#ifdef DEBUG
+int debug = 0;
+#endif
+
+int tmo;			/* seconds to wait for a answer from the dns */
+int doingdns;			/* true if we're waiting for the nameserver */
+jmp_buf alrmenv;		/* longjmp() buffer */
+
+char *prog;
+
+char domain[64];		/* current domain name (including '.') */
+int domainlen;			/* length of domain name */
+
+char azero[NS_IN6ADDRSZ];
+
+#ifdef HAVE_ASYNC_DNS
+struct nb_dns_info *nd;
+#endif
+
+int targc;
+char **targv;
+
+extern char *optarg;
+extern int optind, opterr;
+
+/* ANSI C defines this */
+#ifndef __STDC__
+extern char *malloc();
+#endif
+
+/* Forwards */
+char *a2h(const char *, int, int);
+char *addr2host(const char *, int, int);
+#ifdef HAVE_ASYNC_DNS
+void asyncreap(int);
+#endif
+struct htable *cacheaddr(const char *, int, int, int, const char *);
+#ifdef DEBUG
+void dump(void);
+#endif
+int getdomain(void);
+struct htable *hash(const char *, int, int);
+#ifdef HAVE_ASYNC_DNS
+int ispipe(FILE *);
+#endif
+struct htable *lookupaddr(const char *, int, int);
+int main(int, char **);
+void massagename(char *);
+RETSIGTYPE timeout(int);
+void usage(void);
+
+int
+main(argc, argv)
+	int argc;
+	char **argv;
+{
+	register char *cp;
+	register int op;
+#ifdef HAVE_ASYNC_DNS
+	char errstr[NB_DNS_ERRSIZE];
+#endif
+
+	if ((cp = strrchr(argv[0], '/')) != NULL)
+		prog = cp + 1;
+	else
+		prog = argv[0];
+
+	opterr = 0;
+	while ((op = getopt(argc, argv, "1abcdilnNt:")) != EOF)
+		switch (op) {
+
+		case '1':
+			++linemode;
+			break;
+
+		case 'a':
+#ifdef HAVE_ASYNC_DNS
+			++asyncdns;
+#else
+			fprintf(stderr,
+			    "%s: warning: -a not supported; ignored\n", prog);
+#endif
+			break;
+
+		case 'b':
+			++printboth;
+			break;
+
+		case 'c':
+			++check;
+			break;
+
+#ifdef DEBUG
+		case 'd':
+			++debug;
+			break;
+#endif
+
+		case 'i':
+			lcase = 0;
+			break;
+
+		case 'l':
+			strip = 0;
+			break;
+
+		case 'n':
+#ifdef notdef
+			++networknumber;
+#else
+			fprintf(stderr, "%s: -n not currently impemented\n",
+			    prog);
+			exit(1);
+#endif
+			break;
+
+		case 'N':
+			++shortdomain;
+			break;
+
+		case 't':
+			tmo = atoi(optarg);
+			if (tmo <= 0)
+				usage();
+			break;
+
+		default:
+			usage();
+		}
+
+#ifdef HAVE_ASYNC_DNS
+	if (asyncdns) {
+		nd = nb_dns_init(errstr);
+		if (nd == NULL) {
+			fprintf(stderr, "%s: nb_dns_init: %s\n", prog, errstr);
+			exit(1);
+		}
+		asyncfd = nb_dns_fd(nd);
+		/* If no explicit timeout, use resolver retransmit */
+		if (tmo == 0)
+			tmo = _res.retrans;
+	}
+#endif
+
+	/* Figure out our domain, if necessary */
+	if (!strip || shortdomain || !getdomain())
+		domain[0] = '\0';
+
+	/* Up number of retries, we really want answers */
+	_res.retry = 20;
+
+	/* Don't search, we'll use only FQDNs */
+	_res.options &= ~RES_DNSRCH;
+
+	/* Setup alarm catcher if -t */
+#ifdef HAVE_ASYNC_DNS
+	if (!asyncdns)
+#endif
+		if (tmo > 0)
+			(void)setsignal(SIGALRM, timeout);
+
+	/* Let yywrap() figure out if there are any arguments to open */
+	targc = argc - optind;
+	targv = &argv[optind];
+	yyin = NULL;
+	(void)yywrap();
+
+	/* Process file opened by yywrap() or stdin if no arguments */
+	if (yyin) {
+#ifdef HAVE_ASYNC_DNS
+		/* XXX depends on the type of stdin */
+		/* XXX can we do a test rewind? */
+#ifdef notdef
+		if (asyncdns && yyin == stdin)
+			fprintf(stderr,
+			    "%s: warning: can't use -a on stdin\n", prog);
+#endif
+#endif
+		yylex();
+	}
+
+#ifdef DEBUG
+	if (debug) {
+		fflush(stdout);
+		dump();
+	}
+#endif
+	exit(0);
+}
+
+int
+yywrap()
+{
+	register char *file;
+	static int didany = 0;
+
+	/* Close file, if necessary */
+	if (yyin) {
+#ifdef HAVE_ASYNC_DNS
+		if (asyncdns) {
+			if (lookup_pass) {
+				if (fseek(yyin, 0L, SEEK_SET) < 0) {
+					fprintf(stderr,
+					    "%s: fseek/rewind: %s\n",
+					    prog, strerror(errno));
+					exit(1);
+				}
+				yyrestart(yyin);
+				lookup_pass = 0;
+				asyncreap(1);
+				return (0);
+			}
+			numasync = 0;
+		}
+#endif
+		if (yyin != stdin)
+			(void)fclose(yyin);
+		yyin = NULL;
+	}
+
+	/* Spin through arguments until we run out or successfully open one */
+	while (targc > 0) {
+		file = targv[0];
+		--targc;
+		++targv;
+		++didany;
+		if ((yyin = fopen(file, "r")) != NULL) {
+#ifdef HAVE_ASYNC_DNS
+			if (asyncdns)
+				lookup_pass = 1;
+#endif
+			return (0);
+		}
+		perror(file);
+	}
+	if (!didany) {
+		yyin = stdin;
+#ifdef HAVE_ASYNC_DNS
+		if (asyncdns) {
+			if (ispipe(yyin)) {
+				fprintf(stderr,
+				    "%s: warning: can't use -a on a pipe\n",
+				    prog);
+				asyncdns = 0;
+			} else
+				lookup_pass = 1;
+		}
+#endif
+	}
+	return (1);
+}
+
+int
+getdomain()
+{
+	register char *cp;
+	register struct hostent *hp;
+	char host[128];
+
+	if (gethostname(host, sizeof(host) - 1) < 0)
+		return (0);
+	if ((cp = strchr(host, '.')) == NULL) {
+		/* Not already canonical */
+		if (tmo > 0)
+			alarm(tmo);
+		doingdns = 1;
+		if (setjmp(alrmenv))
+			return (0);
+		hp = gethostbyname(host);
+		doingdns = 0;
+		if (hp == NULL)
+			return (0);
+		if ((cp = strchr(hp->h_name, '.')) == NULL)
+			return (0);
+	}
+	(void)strncpy(domain, cp, sizeof(domain));
+	domain[sizeof(domain) - 1] = '\0';
+	if (lcase)
+		for (cp = domain; *cp; ++cp)
+			if (isupper((int)*cp))
+				*cp = tolower(*cp);
+	domainlen = strlen(domain);
+	return (1);
+}
+
+RETSIGTYPE
+timeout(int signo)
+{
+
+	if (doingdns) {
+		doingdns = 0;
+		longjmp(alrmenv, 1);
+	}
+	return RETSIGVAL;
+}
+
+/* Convert address to hostname via the dns */
+char *
+a2h(register const char *ap, register int alen, register int af)
+{
+	register char **pp;
+	register size_t len;
+	static struct hostent *hp;
+	static char *host = NULL;
+	static size_t hostlen = 0;
+
+	/* Look up the PTR */
+	if (tmo > 0)
+		alarm(tmo);
+	doingdns = 1;
+	if (setjmp(alrmenv))
+		return (NULL);
+	hp = gethostbyaddr(ap, alen, af);
+	doingdns = 0;
+	if (hp == NULL)
+		return (NULL);
+
+	len = strlen(hp->h_name) + 1;
+	if (hostlen < len) {
+		if (len < 132)
+			len = 132;
+		if (host == NULL)
+			host = malloc(len);
+		else
+			host = realloc(host, len);
+		if (host == NULL) {
+			hostlen = 0;
+			return (NULL);
+		}
+		hostlen = len;
+	}
+	(void)strcpy(host, hp->h_name);
+
+	/* Done if we aren't checking */
+	if (!check)
+		return (host);
+
+#ifndef HAVE_GETHOSTBYNAME2
+	if (af != AF_INET)
+		return (NULL);
+#endif
+
+	/* Check PTR against the A record */
+	if (tmo > 0)
+		alarm(tmo);
+	doingdns = 1;
+	if (setjmp(alrmenv))
+		return (NULL);
+#ifdef HAVE_GETHOSTBYNAME2
+	hp = gethostbyname2(host, af);
+#else
+	hp = gethostbyname(host);
+#endif
+	doingdns = 0;
+	if (hp == NULL)
+		return (NULL);
+	if (af != hp->h_addrtype)
+		return (NULL);
+
+	/* Spin through ip addresses looking for a match */
+	for (pp = hp->h_addr_list; *pp != NULL; ++pp)
+		if (memcmp(ap, *pp, alen) == 0)
+			return (host);
+
+	return (NULL);
+}
+
+/* Convert address to hostname via the cache and/or dns */
+char *
+addr2host(register const char *ap, register int alen, register int af)
+{
+	register int state;
+	register char *host;
+	register struct htable *p;
+
+	/* First look in hash table */
+	p = lookupaddr(ap, alen, af);
+	if (p != NULL)
+		return (p->name);
+
+	/* Lookup this host */
+	host = a2h(ap, alen, af);
+	state = STATE_RAW;
+	if (host != NULL) {
+		if (check)
+			state = STATE_HAVEA;
+		else
+			state = STATE_HAVEPTR;
+		massagename(host);
+	}
+
+	p = cacheaddr(ap, state, alen, af, host);
+	if (p != NULL)
+		return (p->name);
+
+	return (host);
+}
+
+/* Look hash table entry for address */
+struct htable *
+lookupaddr(register const char *ap, register int alen, register int af)
+{
+	register struct htable *p;
+
+	for (p = hash(ap, alen, af); p != NULL; p = p->next)
+		if (p->af == af && memcmp(p->addr, ap, alen) == 0)
+			return (p);
+	return (NULL);
+}
+
+void
+massagename(register char *name)
+{
+	register char *cp;
+
+	if (shortdomain) {
+		/* Throw away entire domain */
+		cp = strchr(name, '.');
+		if (cp)
+			*cp = '\0';
+	} else if (strip && *domain != '\0') {
+		/* Strip the local domain */
+		cp = name + strlen(name) - domainlen;
+		if (cp > name && strcasecmp(cp, domain) == 0)
+			*cp = '\0';
+	}
+	if (lcase)
+		for (cp = name; *cp; ++cp)
+			if (isupper((int)*cp))
+				*cp = tolower(*cp);
+}
+
+struct htable *
+cacheaddr(register const char *ap, register int state, register int alen,
+    register int af, register const char *host)
+{
+	register struct htable *p, *p2;
+
+	/* Don't cache zero */
+	if (memcmp(ap, azero, alen) == 0)
+		return (NULL);
+
+	/* Look for existing slot in hash table */
+	for (p = hash(ap, alen, af); p != NULL; p = p->next)
+		if (p->state != STATE_FREE &&
+		    p->af == af &&
+		    memcmp(p->addr, ap, alen) == 0)
+			break;
+
+	/* Allocate a new slot */
+	if (p == NULL) {
+		p = hash(ap, alen, af);
+		if (p->state != STATE_FREE) {
+			/* Handle the collision */
+			p2 = (struct htable *)malloc(sizeof(struct htable));
+			/* Lose, lose */
+			if (p2 == NULL)
+				return (NULL);
+			memset((char *)p2, 0, sizeof(struct htable));
+			p2->next = p->next;
+			p->next = p2;
+			p = p2;
+		}
+	}
+
+	/* Install new host */
+	memmove(p->addr, ap, alen);
+	p->alen = alen;
+	p->af = af;
+	if (host != NULL)
+		p->name = strdup(host);
+	if (state != 0)
+		p->state = state;
+	if (p->state == STATE_FREE)
+		abort();
+
+	/* Return answer entry */
+	return (p);
+}
+
+#ifdef DEBUG
+void
+dump()
+{
+	register char *cp;
+	register int i, j, n, d;
+	register struct htable *p, *p2;
+	char buf[132];
+
+	d = n = 0;
+	for (p = htable, i = 0; i < HSIZE; ++p, ++i)
+		if (p->name) {
+			++n;
+			j = 0;
+			for (p2 = p; p2; p2 = p2->next) {
+				if ((cp = p2->name) == NULL)
+					cp = "<nil>";
+				else if (cp == (char *)1)
+					cp = "<raw>";
+				(void)fprintf(stderr, "%4d:%d ", i, j);
+				if (inet_ntop(p2->af, p2->addr,
+				    buf, sizeof(buf)) == NULL)
+					(void)fprintf(stderr, "?");
+				else
+					(void)fprintf(stderr, "%s", buf);
+				switch (p2->state) {
+
+				case STATE_HAVEA:
+					(void)fprintf(stderr, " HAVEA");
+					break;
+
+				case STATE_HAVEPTR:
+					(void)fprintf(stderr, " HAVEPTR");
+					break;
+
+				case STATE_SENTPTR:
+					(void)fprintf(stderr, " SENTPTR");
+					break;
+
+				case STATE_RAW:
+					(void)fprintf(stderr, " RAW");
+					break;
+
+				default:
+					(void)fprintf(stderr, " #%d",
+					    p2->state);
+					break;
+				}
+				(void)fprintf(stderr, " \"%s\"\n", cp);
+				++d;
+				++j;
+			}
+		}
+	d -= n;
+	(void)fprintf(stderr, "%d entries (%d dynamically linked)\n", n, d);
+}
+#endif
+
+#ifdef HAVE_ASYNC_DNS
+void
+asyncreap(register int ateof)
+{
+	register char *host;
+	register int n;
+	register char **pp;
+	register struct htable *p;
+	register struct nb_dns_result *nr;
+	register struct hostent *hp;
+	fd_set fds;
+	struct timeval to;
+	char errstr[NB_DNS_ERRSIZE];
+	struct nb_dns_result xxxnr;
+
+	nr = &xxxnr;
+	memset(nr, 0, sizeof(*nr));
+	while (numasync > 0) {
+		FD_ZERO(&fds);
+		FD_SET(asyncfd, &fds);
+		/* If we're not at EOF, just poll */
+		if (!ateof) {
+			to.tv_sec = 0;
+			to.tv_usec = 0;
+		} else {
+			to.tv_sec = tmo;
+			to.tv_usec = 0;
+		}
+		n = select(asyncfd + 1, &fds, NULL, NULL, &to);
+		if (n < 0) {
+			fprintf(stderr, "%s: select: %s\n",
+			    prog, strerror(errno));
+			exit(1);
+		}
+
+		/* Done if timed out */
+		if (n == 0)
+			break;
+
+		n = nb_dns_activity(nd, nr, errstr);
+		if (n < 0) {
+			fprintf(stderr, "%s: nb_dns_activity: %s\n",
+			    prog, errstr);
+			exit(1);
+		}
+
+		/* Bail if reply doesn't match any current queries */
+		if (n == 0)
+			continue;
+
+		/* Decrement outstanding request counter */
+		--numasync;
+
+		/* Bail if not a good answer */
+		if (nr->host_errno != NETDB_SUCCESS)
+			continue;
+
+		/* Bail if no hostname (probably shouldn't happen) */
+		hp = nr->hostent;
+		host = hp->h_name;
+		if (host == NULL)
+			continue;
+
+		/* Recover hash table pointer */
+		p = (struct htable *)nr->cookie;
+
+		switch (p->state) {
+
+		case STATE_SENTPTR:
+			/* Are we done? */
+			if (!check) {
+				p->state = STATE_HAVEPTR;
+				break;
+			}
+
+			/* Now look up the A record */
+			if (nb_dns_host_request2(nd, host, p->af,
+			    (void *)p, errstr) < 0) {
+				fprintf(stderr, "%s: nb_dns_host_request: %s\n",
+				    prog, errstr);
+				p->state = STATE_RAW;
+				free(p->name);
+				p->name = NULL;
+				break;
+			}
+
+			/* Cache the fact that we're looking */
+			++numasync;
+			p->state = STATE_SENTA;
+			break;
+
+		case STATE_SENTA:
+			/* Check A against our address */
+			if (p->af != hp->h_addrtype) {
+				p->state = STATE_RAW;
+				free(p->name);
+				p->name = NULL;
+				break;
+			}
+
+			/* Spin through ip addresses looking for a match */
+			for (pp = hp->h_addr_list; *pp != NULL; ++pp)
+				if (memcmp(p->addr, *pp, p->alen) == 0)
+					break;
+
+			if (pp == NULL) {
+				p->state = STATE_RAW;
+				free(p->name);
+				p->name = NULL;
+				break;
+			}
+			p->state = STATE_HAVEA;
+			break;
+
+		default:
+			abort();
+		}
+		massagename(host);
+		if (p->name != NULL)
+			abort();
+		if (host != NULL)
+			p->name = strdup(host);
+	}
+}
+#endif
+
+void
+convert(register const char *str, register int isv6)
+{
+	register char *host;
+	register int alen;
+	register int af;
+#ifdef HAVE_ASYNC_DNS
+	register struct htable *p;
+	char errstr[NB_DNS_ERRSIZE];
+	static int num = 0;
+#endif
+	char addr[NS_IN6ADDRSZ];
+
+	if (isv6) {
+#ifdef AF_INET6
+		af = AF_INET6;
+		alen = NS_IN6ADDRSZ;
+#else
+#ifdef HAVE_ASYNC_DNS
+		if (!asyncdns || !lookup_pass)
+#endif
+			fputs(str, stdout);
+		return;
+#endif
+	} else {
+		af = AF_INET;
+		alen = NS_INADDRSZ;
+	}
+
+#ifdef HAVE_ASYNC_DNS
+	if (asyncdns && lookup_pass) {
+		if (inet_pton(af, str, addr) != 1)
+			return;
+
+		/* Done if already in hash table */
+		if (lookupaddr(addr, alen, af) != NULL)
+			return;
+
+		p = cacheaddr(addr, STATE_SENTPTR, alen, af, NULL);
+		if (p == NULL)
+			return;
+
+		if (nb_dns_addr_request2(nd, addr, af,
+		    (void *)p, errstr) >= 0) {
+			/* Cache the fact that we're looking */
+			++numasync;
+			++num;
+		} else
+			fprintf(stderr, "%s: nb_dns_host_request: %s\n",
+			    prog, errstr);
+		/* reap replies after we send a number of queries */
+		if (num > 10) {
+			asyncreap(0);
+			num = 0;
+		}
+		return;
+	}
+#endif
+
+	if (linemode && triedone) {
+		fputs(str, stdout);
+		return;
+	}
+	++triedone;
+
+	if (inet_pton(af, str, addr) == 1) {
+		host = addr2host(addr, alen, af);
+		if (host != NULL) {
+			fputs(host, stdout);
+			if (printboth) {
+				putchar('(');
+				fputs(str, stdout);
+				putchar(')');
+			}
+			return;
+		}
+	}
+	fputs(str, stdout);
+}
+
+struct htable *
+hash(register const char *ap, register int alen, register int af)
+{
+	u_int32_t h;
+
+	switch (alen) {
+
+	case NS_INADDRSZ:
+		memmove(&h, ap, sizeof(h));
+		break;
+
+	case NS_IN6ADDRSZ:
+		memmove(&h, ap + NS_IN6ADDRSZ - sizeof(h), sizeof(h));
+		break;
+
+	default:
+		abort();
+	}
+	return (&htable[h & (HSIZE - 1)]);
+}
+
+#ifdef HAVE_ASYNC_DNS
+int
+ispipe(FILE *f)
+{
+	struct stat sbuf;
+
+	if (fstat(fileno(f), &sbuf) < 0) {
+		fprintf(stderr, "%s: fstat: %s\n", prog, strerror(errno));
+		exit(1);
+	}
+	if ((sbuf.st_mode & S_IFMT) != S_IFREG)
+		return (1);
+	return (0);
+}
+#endif
+
+void
+usage()
+{
+	extern char version[];
+
+	(void)fprintf(stderr, "Version %s\n", version);
+	(void)fprintf(stderr, "usage: %s [-1abcdilN] [-t secs] [file ...]\n",
+	    prog);
+	exit(1);
+}
diff --git a/aux/hf/nb_dns.c b/aux/hf/nb_dns.c
new file mode 100755
index 0000000000..283bcde1a3
--- /dev/null
+++ b/aux/hf/nb_dns.c
@@ -0,0 +1,612 @@
+/*
+ * See the file "COPYING" in the main distribution directory for copyright.
+ */
+#ifndef lint
+static const char rcsid[] =
+    "@(#) $Id: nb_dns.c 7074 2010-09-13 01:52:50Z vern $ (LBL)";
+#endif
+/*
+ * nb_dns - non-blocking dns routines
+ *
+ * This version works with BIND 9
+ *
+ * Note: The code here is way more complicated than it should be but
+ * although the interface to send requests is public, the routine to
+ * crack reply buffers is private.
+ */
+
+#include "config.h"			/* must appear before first ifdef */
+
+#include <sys/types.h>
+#include <sys/socket.h>
+
+#include <netinet/in.h>
+
+#include <arpa/inet.h>
+#include <arpa/nameser.h>
+#ifdef NEED_NAMESER_COMPAT_H
+#include <arpa/nameser_compat.h>
+#endif
+
+#include <errno.h>
+#ifdef HAVE_MEMORY_H
+#include <memory.h>
+#endif
+#include <netdb.h>
+#include <resolv.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#ifdef notdef
+#include "gnuc.h"
+#ifdef HAVE_OS_PROTO_H
+#include "os-proto.h"
+#endif
+#endif
+
+#include "nb_dns.h"
+
+#if PACKETSZ > 1024
+#define MAXPACKET	PACKETSZ
+#else
+#define MAXPACKET	1024
+#endif
+
+#ifdef DO_SOCK_DECL
+extern int socket(int, int, int);
+extern int connect(int, const struct sockaddr *, int);
+extern int send(int, const void *, int, int);
+extern int recvfrom(int, void *, int, int, struct sockaddr *, int *);
+#endif
+
+/* Private data */
+struct nb_dns_entry {
+	struct nb_dns_entry *next;
+	char name[NS_MAXDNAME + 1];
+	int qtype;			/* query type */
+	int atype;			/* address family */
+	int asize;			/* address size */
+	u_short id;
+	void *cookie;
+};
+
+#ifndef MAXALIASES
+#define MAXALIASES	35
+#endif
+#ifndef MAXADDRS
+#define MAXADDRS	35
+#endif
+
+struct nb_dns_hostent {
+	struct hostent hostent;
+	int numaliases;
+	int numaddrs;
+	char *host_aliases[MAXALIASES + 1];
+	char *h_addr_ptrs[MAXADDRS + 1];
+	char hostbuf[8 * 1024];
+};
+
+struct nb_dns_info {
+	int s;				/* Resolver file descriptor */
+	struct sockaddr_in server;	/* server address to bind to */
+	struct nb_dns_entry *list;	/* outstanding requests */
+	struct nb_dns_hostent dns_hostent;
+};
+
+/* Forwards */
+static int _nb_dns_mkquery(struct nb_dns_info *, const char *, int, int,
+    void *, char *);
+static int _nb_dns_cmpsockaddr(struct sockaddr *, struct sockaddr *, char *);
+
+static char *
+my_strerror(int errnum)
+{
+#if HAVE_STRERROR
+	extern char *strerror(int);
+	return strerror(errnum);
+#else
+	static char errnum_buf[32];
+	snprintf(errnum_buf, sizeof(errnum_buf), "errno %d", errnum);
+	return errnum_buf;
+#endif
+}
+
+struct nb_dns_info *
+nb_dns_init(char *errstr)
+{
+	register struct nb_dns_info *nd;
+
+	nd = (struct nb_dns_info *)malloc(sizeof(*nd));
+	if (nd == NULL) {
+		snprintf(errstr, NB_DNS_ERRSIZE, "nb_dns_init: malloc(): %s",
+		    my_strerror(errno));
+		return (NULL);
+	}
+	memset(nd, 0, sizeof(*nd));
+	nd->s = -1;
+
+	/* XXX should be able to init static hostent struct some other way */
+	(void)gethostbyname("localhost.");
+
+	if ((_res.options & RES_INIT) == 0 && res_init() == -1) {
+		snprintf(errstr, NB_DNS_ERRSIZE, "res_init() failed");
+		free(nd);
+		return (NULL);
+	}
+	nd->s = socket(PF_INET, SOCK_DGRAM, 0);
+	if (nd->s < 0) {
+		snprintf(errstr, NB_DNS_ERRSIZE, "socket(): %s",
+		    my_strerror(errno));
+		free(nd);
+		return (NULL);
+	}
+
+	/* XXX should use resolver config */
+	nd->server = _res.nsaddr_list[0];
+
+	if (connect(nd->s, (struct sockaddr *)&nd->server,
+	    sizeof(struct sockaddr)) < 0) {
+		snprintf(errstr, NB_DNS_ERRSIZE, "connect(%s): %s",
+		    inet_ntoa(nd->server.sin_addr), my_strerror(errno));
+		close(nd->s);
+		free(nd);
+		return (NULL);
+	}
+
+	return (nd);
+}
+
+void
+nb_dns_finish(struct nb_dns_info *nd)
+{
+	register struct nb_dns_entry *ne, *ne2;
+
+	ne = nd->list;
+	while (ne != NULL) {
+		ne2 = ne;
+		ne = ne->next;
+		free(ne2);
+	}
+	close(nd->s);
+	free(nd);
+}
+
+int
+nb_dns_fd(struct nb_dns_info *nd)
+{
+
+	return (nd->s);
+}
+
+static int
+_nb_dns_cmpsockaddr(register struct sockaddr *sa1,
+    register struct sockaddr *sa2, register char *errstr)
+{
+	register struct sockaddr_in *sin1, *sin2;
+#ifdef AF_INET6
+	register struct sockaddr_in6 *sin6a, *sin6b;
+#endif
+	static const char serr[] = "answer from wrong nameserver (%d)";
+
+	if (sa1->sa_family != sa1->sa_family) {
+		snprintf(errstr, NB_DNS_ERRSIZE, serr, 1);
+		return (-1);
+	}
+	switch (sa1->sa_family) {
+
+	case AF_INET:
+		sin1 = (struct sockaddr_in *)sa1;
+		sin2 = (struct sockaddr_in *)sa2;
+		if (sin1->sin_port != sin2->sin_port) {
+			snprintf(errstr, NB_DNS_ERRSIZE, serr, 2);
+			return (-1);
+		}
+		if (sin1->sin_addr.s_addr != sin2->sin_addr.s_addr) {
+			snprintf(errstr, NB_DNS_ERRSIZE, serr, 3);
+			return (-1);
+		}
+		break;
+
+#ifdef AF_INET6
+	case AF_INET6:
+		sin6a = (struct sockaddr_in6 *)sa1;
+		sin6b = (struct sockaddr_in6 *)sa2;
+		if (sin6a->sin6_port != sin6b->sin6_port) {
+			snprintf(errstr, NB_DNS_ERRSIZE, serr, 2);
+			return (-1);
+		}
+		if (memcmp(&sin6a->sin6_addr, &sin6b->sin6_addr,
+		    sizeof(sin6a->sin6_addr)) != 0) {
+			snprintf(errstr, NB_DNS_ERRSIZE, serr, 3);
+			return (-1);
+		}
+		break;
+#endif
+
+	default:
+		snprintf(errstr, NB_DNS_ERRSIZE, serr, 4);
+		return (-1);
+	}
+	return (0);
+}
+
+static int
+_nb_dns_mkquery(register struct nb_dns_info *nd, register const char *name,
+    register int atype, register int qtype, register void * cookie,
+    register char *errstr)
+{
+	register struct nb_dns_entry *ne;
+	register HEADER *hp;
+	register int n;
+	u_long msg[MAXPACKET / sizeof(u_long)];
+
+	/* Allocate an entry */
+	ne = (struct nb_dns_entry *)malloc(sizeof(*ne));
+	if (ne == NULL) {
+		snprintf(errstr, NB_DNS_ERRSIZE, "malloc(): %s",
+		    my_strerror(errno));
+		return (-1);
+	}
+	memset(ne, 0, sizeof(*ne));
+	strncpy(ne->name, name, sizeof(ne->name));
+	ne->name[sizeof(ne->name) - 1] = '\0';
+	ne->qtype = qtype;
+	ne->atype = atype;
+	switch (atype) {
+
+	case AF_INET:
+		ne->asize = NS_INADDRSZ;
+		break;
+
+#ifdef AF_INET6
+	case AF_INET6:
+		ne->asize = NS_IN6ADDRSZ;
+		break;
+#endif
+
+	default:
+		snprintf(errstr, NB_DNS_ERRSIZE,
+		    "_nb_dns_mkquery: bad family %d", atype);
+		return (-1);
+	}
+
+	/* Build the request */
+	n = res_mkquery(
+	    ns_o_query,			/* op code (query) */
+	    name,			/* domain name */
+	    ns_c_in,			/* query class (internet) */
+	    qtype,			/* query type */
+	    NULL,			/* data */
+	    0,				/* length of data */
+	    NULL,			/* new rr */
+	    (u_char *)msg,		/* buffer */
+	    sizeof(msg));		/* size of buffer */
+	if (n < 0) {
+		snprintf(errstr, NB_DNS_ERRSIZE, "res_mkquery() failed");
+		free(ne);
+		return (-1);
+	}
+
+	hp = (HEADER *)msg;
+	ne->id = htons(hp->id);
+
+	if (send(nd->s, (char *)msg, n, 0) != n) {
+		snprintf(errstr, NB_DNS_ERRSIZE, "send(): %s",
+		    my_strerror(errno));
+		free(ne);
+		return (-1);
+	}
+
+	ne->next = nd->list;
+	ne->cookie = cookie;
+	nd->list = ne;
+
+	return(0);
+}
+
+int
+nb_dns_host_request(register struct nb_dns_info *nd, register const char *name,
+    register void *cookie, register char *errstr)
+{
+
+	return (nb_dns_host_request2(nd, name, AF_INET, cookie, errstr));
+}
+
+int
+nb_dns_host_request2(register struct nb_dns_info *nd, register const char *name,
+    register int af, register void *cookie, register char *errstr)
+{
+	register int qtype;
+
+	switch (af) {
+
+	case AF_INET:
+		qtype = T_A;
+		break;
+
+#ifdef AF_INET6
+	case AF_INET6:
+		qtype = T_AAAA;
+		break;
+#endif
+
+	default:
+		snprintf(errstr, NB_DNS_ERRSIZE,
+		    "nb_dns_host_request2(): uknown address family %d", af);
+		return (-1);
+	}
+	return (_nb_dns_mkquery(nd, name, af, qtype, cookie, errstr));
+}
+
+int
+nb_dns_addr_request(register struct nb_dns_info *nd, nb_uint32_t addr,
+    register void *cookie, register char *errstr)
+{
+
+	return (nb_dns_addr_request2(nd, (char *)&addr, AF_INET,
+	    cookie, errstr));
+}
+
+int
+nb_dns_addr_request2(register struct nb_dns_info *nd, char *addrp,
+    register int af, register void *cookie, register char *errstr)
+{
+#ifdef AF_INET6
+	register char *cp;
+	register int n, i;
+	register size_t size;
+#endif
+	register u_char *uaddr;
+	char name[NS_MAXDNAME + 1];
+
+	switch (af) {
+
+	case AF_INET:
+		uaddr = (u_char *)addrp;
+		snprintf(name, sizeof(name), "%u.%u.%u.%u.in-addr.arpa",
+		    (uaddr[3] & 0xff),
+		    (uaddr[2] & 0xff),
+		    (uaddr[1] & 0xff),
+		    (uaddr[0] & 0xff));
+		break;
+
+#ifdef AF_INET6
+	case AF_INET6:
+		uaddr = (u_char *)addrp;
+		cp = name;
+		size = sizeof(name);
+		for (n = NS_IN6ADDRSZ - 1; n >= 0; --n) {
+			snprintf(cp, size, "%x.%x.",
+			    (uaddr[n] & 0xf),
+			    (uaddr[n] >> 4) & 0xf);
+			i = strlen(cp);
+			size -= i;
+			cp += i;
+		}
+		snprintf(cp, size, "ip6.int");
+		break;
+#endif
+
+	default:
+		snprintf(errstr, NB_DNS_ERRSIZE,
+		    "nb_dns_addr_request2(): uknown address family %d", af);
+		return (-1);
+	}
+
+	return (_nb_dns_mkquery(nd, name, af, T_PTR, cookie, errstr));
+}
+
+int
+nb_dns_abort_request(struct nb_dns_info *nd, void *cookie)
+{
+	register struct nb_dns_entry *ne, *lastne;
+
+	/* Try to find this request on the outstanding request list */
+	lastne = NULL;
+	for (ne = nd->list; ne != NULL; ne = ne->next) {
+		if (ne->cookie == cookie)
+			break;
+		lastne = ne;
+	}
+
+	/* Not a currently pending request */
+	if (ne == NULL)
+		return (-1);
+
+	/* Unlink this entry */
+	if (lastne == NULL)
+		nd->list = ne->next;
+	else
+		lastne->next = ne->next;
+	ne->next = NULL;
+
+	return (0);
+}
+
+/* Returns 1 with an answer, 0 when reply was old, -1 on fatal errors */
+int
+nb_dns_activity(struct nb_dns_info *nd, struct nb_dns_result *nr, char *errstr)
+{
+	register int msglen, qtype, atype, n, i;
+	register struct nb_dns_entry *ne, *lastne;
+	socklen_t fromlen;
+	struct sockaddr from;
+	u_long msg[MAXPACKET / sizeof(u_long)];
+	register char *bp, *ep;
+	register char **ap, **hap;
+	register u_int16_t id;
+	register const u_char *rdata;
+	register struct hostent *he;
+	register size_t rdlen;
+	ns_msg handle;
+	ns_rr rr;
+
+	/* This comes from the second half of do_query() */
+	fromlen = sizeof(from);
+	msglen = recvfrom(nd->s, (char *)msg, sizeof(msg), 0, &from, &fromlen);
+	if (msglen <= 0) {
+		snprintf(errstr, NB_DNS_ERRSIZE, "recvfrom(): %s",
+		    my_strerror(errno));
+		return (-1);
+	}
+	if (msglen < HFIXEDSZ) {
+		snprintf(errstr, NB_DNS_ERRSIZE, "recvfrom(): undersized: %d",
+		    msglen);
+		return (-1);
+	}
+	if (ns_initparse((u_char *)msg, msglen, &handle) < 0) {
+		snprintf(errstr, NB_DNS_ERRSIZE, "ns_initparse(): %s",
+		    my_strerror(errno));
+		nr->host_errno = NO_RECOVERY;
+		return (-1);
+	}
+
+	/* RES_INSECURE1 style check */
+	if (_nb_dns_cmpsockaddr((struct sockaddr *)&nd->server, &from,
+	    errstr) < 0) {
+		nr->host_errno = NO_RECOVERY;
+		return (-1);
+	}
+
+	/* Search for this request */
+	lastne = NULL;
+	id = ns_msg_id(handle);
+	for (ne = nd->list; ne != NULL; ne = ne->next) {
+		if (ne->id == id)
+			break;
+		lastne = ne;
+	}
+
+	/* Not an answer to a question we care about anymore */
+	if (ne == NULL)
+		return (0);
+
+	/* Unlink this entry */
+	if (lastne == NULL)
+		nd->list = ne->next;
+	else
+		lastne->next = ne->next;
+	ne->next = NULL;
+
+	/* RES_INSECURE2 style check */
+	/* XXX not implemented */
+
+	/* Initialize result struct */
+	memset(nr, 0, sizeof(*nr));
+	nr->cookie = ne->cookie;
+	qtype = ne->qtype;
+
+	/* Deal with various errors */
+	switch (ns_msg_getflag(handle, ns_f_rcode)) {
+
+	case ns_r_nxdomain:
+		nr->host_errno = HOST_NOT_FOUND;
+		free(ne);
+		return (1);
+
+	case ns_r_servfail:
+		nr->host_errno = TRY_AGAIN;
+		free(ne);
+		return (1);
+
+	case ns_r_noerror:
+		break;
+
+	case ns_r_formerr:
+	case ns_r_notimpl:
+	case ns_r_refused:
+	default:
+		nr->host_errno = NO_RECOVERY;
+		free(ne);
+		return (1);
+	}
+
+	/* Loop through records in packet */
+	memset(&rr, 0, sizeof(rr));
+	memset(&nd->dns_hostent, 0, sizeof(nd->dns_hostent));
+	he = &nd->dns_hostent.hostent;
+	/* XXX no support for aliases */
+	he->h_aliases = nd->dns_hostent.host_aliases;
+	he->h_addr_list = nd->dns_hostent.h_addr_ptrs;
+	he->h_addrtype = ne->atype;
+	he->h_length = ne->asize;
+	free(ne);
+
+	bp = nd->dns_hostent.hostbuf;
+	ep = bp + sizeof(nd->dns_hostent.hostbuf);
+	hap = he->h_addr_list;
+	ap = he->h_aliases;
+
+	for (i = 0; i < ns_msg_count(handle, ns_s_an); i++) {
+		/* Parse next record */
+		if (ns_parserr(&handle, ns_s_an, i, &rr) < 0) {
+			if (errno != ENODEV) {
+				nr->host_errno = NO_RECOVERY;
+				return (1);
+			}
+			/* All done */
+			break;
+		}
+
+		/* Ignore records that don't answer our query (e.g. CNAMEs) */
+		atype = ns_rr_type(rr);
+		if (atype != qtype)
+			continue;
+
+		rdata = ns_rr_rdata(rr);
+		rdlen = ns_rr_rdlen(rr);
+		switch (atype) {
+
+		case T_A:
+		case T_AAAA:
+			if (rdlen != (unsigned int) he->h_length) {
+				snprintf(errstr, NB_DNS_ERRSIZE,
+				    "nb_dns_activity(): bad rdlen %d",
+				    (int) rdlen);
+				nr->host_errno = NO_RECOVERY;
+				return (-1);
+			}
+
+			if (bp + rdlen >= ep) {
+				snprintf(errstr, NB_DNS_ERRSIZE,
+				    "nb_dns_activity(): overflow 1");
+				nr->host_errno = NO_RECOVERY;
+				return (-1);
+			}
+			if (nd->dns_hostent.numaddrs + 1 >= MAXADDRS) {
+				snprintf(errstr, NB_DNS_ERRSIZE,
+				    "nb_dns_activity(): overflow 2");
+				nr->host_errno = NO_RECOVERY;
+				return (-1);
+			}
+			memcpy(bp, rdata, rdlen);
+			*hap++ = bp;
+			bp += rdlen;
+			++nd->dns_hostent.numaddrs;
+
+			/* Keep looking for more A records */
+			break;
+
+		case T_PTR:
+			n = dn_expand((const u_char *)msg,
+			    (const u_char *)msg + msglen, rdata, bp, ep - bp);
+			if (n < 0) {
+				/* XXX return -1 here ??? */
+				nr->host_errno = NO_RECOVERY;
+				return (1);
+			}
+			he->h_name = bp;
+			/* XXX check for overflow */
+			bp += n;		/* returned len includes EOS */
+
+			/* "Find first satisfactory answer" */
+			nr->hostent = he;
+			return (1);
+		}
+	}
+
+	nr->hostent = he;
+	return (1);
+}
diff --git a/aux/hf/nb_dns.h b/aux/hf/nb_dns.h
new file mode 100755
index 0000000000..8a5a140c07
--- /dev/null
+++ b/aux/hf/nb_dns.h
@@ -0,0 +1,52 @@
+/* @(#) $Id: nb_dns.h 909 2004-12-09 04:27:10Z jason $ (LBL)
+ *
+ * Copyright (c) 2000, 2002
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that: (1) source code distributions
+ * retain the above copyright notice and this paragraph in its entirety, (2)
+ * distributions including binary code include the above copyright notice and
+ * this paragraph in its entirety in the documentation or other materials
+ * provided with the distribution, and (3) all advertising materials mentioning
+ * features or use of this software display the following acknowledgement:
+ * ``This product includes software developed by the University of California,
+ * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
+ * the University nor the names of its contributors may be used to endorse
+ * or promote products derived from this software without specific prior
+ * written permission.
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
+ * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
+ */
+
+/* Private data */
+struct nb_dns_info;
+
+/* Public data */
+struct nb_dns_result {
+	void *cookie;
+	int host_errno;
+	struct hostent *hostent;
+};
+
+typedef unsigned int nb_uint32_t;
+
+/* Public routines */
+struct nb_dns_info *nb_dns_init(char *);
+void nb_dns_finish(struct nb_dns_info *);
+
+int nb_dns_fd(struct nb_dns_info *);
+
+int nb_dns_host_request(struct nb_dns_info *, const char *, void *, char *);
+int nb_dns_host_request2(struct nb_dns_info *, const char *, int,
+    void *, char *);
+
+int nb_dns_addr_request(struct nb_dns_info *, nb_uint32_t, void *, char *);
+int nb_dns_addr_request2(struct nb_dns_info *, char *, int, void *, char *);
+
+int nb_dns_abort_request(struct nb_dns_info *, void *);
+
+int nb_dns_activity(struct nb_dns_info *, struct nb_dns_result *, char *);
+
+#define NB_DNS_ERRSIZE 256
diff --git a/aux/hf/nf.l b/aux/hf/nf.l
new file mode 100755
index 0000000000..485c6160d2
--- /dev/null
+++ b/aux/hf/nf.l
@@ -0,0 +1,312 @@
+N              [0-9]
+O              ({N}{1,3})
+
+    #include <sys/types.h>
+    #include <sys/socket.h>
+
+    #include <netinet/in.h>
+
+    #include <arpa/inet.h>
+    #include <arpa/nameser.h>
+
+    #include <ctype.h>
+    #ifdef HAVE_MEMORY_H
+    #include <memory.h>
+    #endif
+    #include <netdb.h>
+    #include <resolv.h>
+    #include <stdio.h>
+    #include <string.h>
+    #include <unistd.h>
+
+    #include "gnuc.h"
+    #ifdef HAVE_OS_PROTO_H
+    #include "os-proto.h"
+    #endif
+
+    #undef yywrap
+    #ifdef FLEX_SCANNER
+    #define YY_NO_UNPUT
+    #endif
+    int yywrap(void);
+    int yylex(void);
+    char *addr2host(char *);
+    void convert(char *);
+    int pad;
+
+%%
+
+{O}\.{O}\.{O}\.{O}	convert(yytext);
+{O}\.{O}\.{O}		if (pad) {
+				char buf[256];
+				strcpy(buf, yytext);
+				strcat(buf, ".0");
+				convert(buf);
+			} else {
+				ECHO;
+			}
+{O}\.{O}		if (pad) {
+				char buf[256];
+				strcpy(buf, yytext);
+				strcat(buf, ".0.0");
+				convert(buf);
+			} else {
+				ECHO;
+			}
+{O}			if (pad) {
+				char buf[256];
+				strcpy(buf, yytext);
+				strcat(buf, ".0.0.0");
+				convert(buf);
+			} else {
+				ECHO;
+			}
+
+{N}+			ECHO;
+[^0-9\n]+		ECHO;
+[^0-9\n]+\n		ECHO;
+
+%%
+
+/*
+ * Copyright (c) 1990, 1991, 1996, 1999, 2000, 2004
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that: (1) source code distributions
+ * retain the above copyright notice and this paragraph in its entirety, (2)
+ * distributions including binary code include the above copyright notice and
+ * this paragraph in its entirety in the documentation or other materials
+ * provided with the distribution, and (3) all advertising materials mentioning
+ * features or use of this software display the following acknowledgement:
+ * ``This product includes software developed by the University of California,
+ * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
+ * the University nor the names of its contributors may be used to endorse
+ * or promote products derived from this software without specific prior
+ * written permission.
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
+ * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
+ */
+
+#ifndef lint
+static const char copyright[] =
+    "@(#) Copyright (c) 1990, 1991, 1996, 1999, 2000, 2004\n\
+The Regents of the University of California.  All rights reserved.\n";
+static const char rcsid[] =
+    "@(#) $Id: nf.l 909 2004-12-09 04:27:10Z jason $ (LBL)";
+#endif
+
+#define HSIZE 2048		/* must be a power of two */
+
+struct htable {
+	u_int addr;
+	char *name;
+	struct htable *next;
+} htable[HSIZE];
+
+int lcase = 1;			/* force lowercase */
+int printboth = 0;
+#ifdef DEBUG
+int debug = 0;
+#endif
+
+int targc;
+char **targv;
+
+extern char *optarg;
+extern int optind, opterr;
+
+/* Forwards */
+int main(int, char **);
+#ifdef DEBUG
+void dump(void);
+#endif
+
+int
+main(argc, argv)
+	int argc;
+	char **argv;
+{
+	register char *cp;
+	register int op;
+	char *argv0;
+
+	if ((cp = strrchr(argv[0], '/')) != NULL)
+		argv0 = cp + 1;
+	else
+		argv0 = argv[0];
+
+	opterr = 0;
+	while ((op = getopt(argc, argv, "dibp")) != EOF)
+		switch (op) {
+
+#ifdef DEBUG
+		case 'd':
+			++debug;
+			break;
+#endif
+
+		case 'i':
+			lcase = 0;
+			break;
+
+		case 'p':
+			pad = 1;
+			break;
+
+		case 'b':
+			printboth = 1;
+			break;
+
+		default:
+			(void)fprintf(stderr, "usage: %s [-dibp] [file ...]\n",
+			    argv0);
+			exit(1);
+			/* NOTREACHED */
+		}
+
+	setnetent(1);
+
+	/* Let yywrap() figure out if there are any arguments to open */
+	targc = argc - optind;
+	targv = &argv[optind];
+	yyin = 0;
+	(void)yywrap();
+
+	/* Process file opened by yywrap() or stdin if no arguments */
+	if (yyin)
+		yylex();
+
+#ifdef DEBUG
+	if (debug) {
+		fflush(stdout);
+		dump();
+	}
+#endif
+	exit(0);
+}
+
+int
+yywrap()
+{
+	register char *file;
+	static int didany = 0;
+
+	/* Close file, if necessary */
+	if (yyin && yyin != stdin) {
+		(void)fclose(yyin);
+		yyin = 0;
+	}
+
+	/* Spin through arguments until we run out or successfully open one */
+	while (targc > 0) {
+		file = targv[0];
+		--targc;
+		++targv;
+		++didany;
+		if ((yyin = fopen(file, "r")) != NULL)
+			return(0);
+		else
+			perror(file);
+	}
+	if (!didany)
+		yyin = stdin;
+	return(1);
+}
+
+void
+convert(str)
+	char *str;
+{
+	fputs(addr2host(str), stdout);
+	if (printboth) {
+		putchar('(');
+		fputs(str, stdout);
+		putchar(')');
+	}
+}
+
+char *
+addr2host(str)
+	char *str;
+{
+	register u_long addr, net;
+	register char *cp, *host;
+	register struct netent *hp;
+	register struct htable *p, *p2;
+	struct in_addr ia;
+
+	addr = inet_addr(str);
+
+	/* First check if we already know about it */
+	for (p = &htable[addr & (HSIZE - 1)]; p; p = p->next)
+		if (p->addr == addr && p->name)
+			return(p->name);
+
+	/* Try to lookup this net */
+	ia.s_addr = addr;
+	net = inet_netof(ia);
+	if ((hp = getnetbyaddr(net, AF_INET)) != NULL)
+		host = hp->n_name;
+	else
+		host = inet_ntoa(ia);
+
+	if (lcase)
+		for (cp = host; *cp; ++cp)
+			if (isupper(*cp))
+				*cp = tolower(*cp);
+
+	/* Malloc space for new hostname */
+	cp = malloc((u_int) strlen(host) + 1);
+	if (cp == 0)
+		return(host);
+
+	/* Find slot in hash table */
+	p = &htable[addr & (HSIZE - 1)];
+	if (p->name) {
+		/* Handle the collision */
+		p2 = (struct htable *)malloc(sizeof(struct htable));
+		if (p2 == 0) {
+			/* Lose, lose */
+			free(cp);
+			return(host);
+		}
+		memset((char *)p2, 0, sizeof(struct htable));
+		p2->next = p->next;
+		p->next = p2;
+		p = p2;
+	}
+
+	/* Install new host */
+	p->addr = addr;
+	p->name = strcpy(cp, host);
+
+	/* Return answer */
+	return(p->name);
+}
+
+#ifdef DEBUG
+void
+dump()
+{
+	register int i, j, n, d;
+	register struct htable *p, *p2;
+
+	d = n = 0;
+	for (p = htable, i = 0; i < HSIZE; ++p, ++i)
+		if (p->name) {
+			++n;
+			j = 0;
+			for (p2 = p; p2; p2 = p2->next) {
+				(void)fprintf(stderr,
+				    "%4d:%d 0x%08x \"%s\"\n", i, j,
+				    p2->addr, p2->name ? p2->name : "<nil>");
+				++d;
+				++j;
+			}
+		}
+	d -= n;
+	(void)fprintf(stderr, "%d entries (%d dynamically linked)\n", n, d);
+}
+#endif
diff --git a/aux/hf/pf.l b/aux/hf/pf.l
new file mode 100755
index 0000000000..734e43a7ec
--- /dev/null
+++ b/aux/hf/pf.l
@@ -0,0 +1,196 @@
+N              [0-9]
+
+    #include <sys/types.h>
+
+    #include <netdb.h>
+    #include <string.h>
+    #include <unistd.h>
+
+    #include "gnuc.h"
+    #ifdef HAVE_OS_PROTO_H
+    #include "os-proto.h"
+    #endif
+
+    #undef yywrap
+    #ifdef FLEX_SCANNER
+    #define YY_NO_UNPUT
+    #endif
+    int yywrap(void);
+    int yylex(void);
+    void convert(char *);
+
+%%
+
+"["{N}+"]"		convert(yytext);
+[^0-9[\]\n]+\n?		ECHO;
+.|\n			ECHO;
+
+%%
+
+/*
+ * Copyright (c) 1990, 1991, 1996, 1999, 2000, 2004
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that: (1) source code distributions
+ * retain the above copyright notice and this paragraph in its entirety, (2)
+ * distributions including binary code include the above copyright notice and
+ * this paragraph in its entirety in the documentation or other materials
+ * provided with the distribution, and (3) all advertising materials mentioning
+ * features or use of this software display the following acknowledgement:
+ * ``This product includes software developed by the University of California,
+ * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
+ * the University nor the names of its contributors may be used to endorse
+ * or promote products derived from this software without specific prior
+ * written permission.
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
+ * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
+ */
+
+#ifndef lint
+static const char copyright[] =
+    "@(#) Copyright (c) 1990, 1991, 1996, 1999, 2000, 2004\n\
+The Regents of the University of California.  All rights reserved.\n";
+static const char rcsid[] =
+    "@(#) $Id: pf.l 909 2004-12-09 04:27:10Z jason $ (LBL)";
+#endif
+
+#ifdef DEBUG
+int debug = 0;
+#endif
+
+#define MAX_PORT_NUM 65535
+char *port_to_name[MAX_PORT_NUM+1];
+
+int targc;
+char **targv;
+
+extern char *optarg;
+extern int optind, opterr;
+
+/* Forwards */
+int main(int, char **);
+char *dup_string(char *);
+void portinit(void);
+
+int
+main(argc, argv)
+	int argc;
+	char **argv;
+{
+	register char *cp;
+	register int op;
+	char *argv0;
+
+	if ((cp = strrchr(argv[0], '/')) != NULL)
+		argv0 = cp + 1;
+	else
+		argv0 = argv[0];
+
+	opterr = 0;
+	while ((op = getopt(argc, argv, "d")) != EOF)
+		switch (op) {
+
+#ifdef DEBUG
+		case 'd':
+			++debug;
+			break;
+#endif
+
+		default:
+			(void)fprintf(stderr, "usage: %s [-d] [file ...]\n",
+			    argv0);
+			exit(1);
+			/* NOTREACHED */
+		}
+
+	/* Let yywrap() figure out if there are any arguments to open */
+	targc = argc - optind;
+	targv = &argv[optind];
+	yyin = 0;
+	(void)yywrap();
+
+	portinit();
+
+	/* Process file opened by yywrap() or stdin if no arguments */
+	if (yyin)
+		yylex();
+
+#ifdef DEBUG
+	if (debug) {
+		register int i;
+		for (i=0; i <= MAX_PORT_NUM; ++i)
+			if (port_to_name[i])
+				fprintf(stderr, "[%d]\t%s\n", i,
+				    port_to_name[i]);
+	}
+#endif	/* DEBUG */
+	exit(0);
+}
+
+int
+yywrap()
+{
+	register char *file;
+	static int didany = 0;
+
+	/* Close file, if necessary */
+	if (yyin && yyin != stdin) {
+		(void)fclose(yyin);
+		yyin = 0;
+	}
+
+	/* Spin through arguments until we run out or successfully open one */
+	while (targc > 0) {
+		file = targv[0];
+		--targc;
+		++targv;
+		++didany;
+		if ((yyin = fopen(file, "r")) != NULL)
+			return(0);
+		else
+			perror(file);
+	}
+	if (!didany)
+		yyin = stdin;
+	return(1);
+}
+
+char *
+dup_string(src)
+	char *src;
+{
+	char *dst;
+
+	dst = malloc(strlen(src)+1);
+	if (dst)
+		strcpy(dst, src);
+	return dst;
+}
+
+void
+convert(str)
+	char *str;
+{
+	register int port;
+
+	port = atoi(str+1);
+	if (port >= 0 && port <= MAX_PORT_NUM && port_to_name[port] != 0)
+		str = port_to_name[port];
+	fputs(str, stdout);
+}
+
+void
+portinit()
+{
+	struct servent *sp;
+
+	while ((sp = getservent()) != 0) {
+		if (port_to_name[sp->s_port] == 0 ||
+		    sp->s_proto[0] == 't')
+			port_to_name[sp->s_port] = dup_string(sp->s_name);
+	}
+	endservent();
+
+}
diff --git a/aux/hf/setsignal.c b/aux/hf/setsignal.c
new file mode 100755
index 0000000000..9711ebef49
--- /dev/null
+++ b/aux/hf/setsignal.c
@@ -0,0 +1,82 @@
+/*
+ * Copyright (c) 1997
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that: (1) source code distributions
+ * retain the above copyright notice and this paragraph in its entirety, (2)
+ * distributions including binary code include the above copyright notice and
+ * this paragraph in its entirety in the documentation or other materials
+ * provided with the distribution, and (3) all advertising materials mentioning
+ * features or use of this software display the following acknowledgement:
+ * ``This product includes software developed by the University of California,
+ * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
+ * the University nor the names of its contributors may be used to endorse
+ * or promote products derived from this software without specific prior
+ * written permission.
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
+ * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
+ */
+
+#ifndef lint
+static const char rcsid[] =
+    "@(#) $Header$ (LBL)";
+#endif
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#include <sys/types.h>
+
+#ifdef HAVE_MEMORY_H
+#include <memory.h>
+#endif
+#include <signal.h>
+#ifdef HAVE_SIGACTION
+#include <string.h>
+#endif
+
+#include "gnuc.h"
+#ifdef HAVE_OS_PROTO_H
+#include "os-proto.h"
+#endif
+
+#include "setsignal.h"
+
+/*
+ * An os independent signal() with BSD semantics, e.g. the signal
+ * catcher is restored following service of the signal.
+ *
+ * When sigset() is available, signal() has SYSV semantics and sigset()
+ * has BSD semantics and call interface. Unfortunately, Linux does not
+ * have sigset() so we use the more complicated sigaction() interface
+ * there.
+ *
+ * Did I mention that signals suck?
+ */
+RETSIGTYPE
+(*setsignal (int sig, RETSIGTYPE (*func)(int)))(int)
+{
+#ifdef HAVE_SIGACTION
+	struct sigaction old, new;
+
+	memset(&new, 0, sizeof(new));
+	new.sa_handler = func;
+#ifdef SA_RESTART
+	new.sa_flags |= SA_RESTART;
+#endif
+	if (sigaction(sig, &new, &old) < 0)
+		return (SIG_ERR);
+	return (old.sa_handler);
+
+#else
+#ifdef HAVE_SIGSET
+	return (sigset(sig, func));
+#else
+	return (signal(sig, func));
+#endif
+#endif
+}
+
diff --git a/aux/hf/setsignal.h b/aux/hf/setsignal.h
new file mode 100755
index 0000000000..6df239f2d3
--- /dev/null
+++ b/aux/hf/setsignal.h
@@ -0,0 +1,27 @@
+/*
+ * Copyright (c) 1997
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that: (1) source code distributions
+ * retain the above copyright notice and this paragraph in its entirety, (2)
+ * distributions including binary code include the above copyright notice and
+ * this paragraph in its entirety in the documentation or other materials
+ * provided with the distribution, and (3) all advertising materials mentioning
+ * features or use of this software display the following acknowledgement:
+ * ``This product includes software developed by the University of California,
+ * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
+ * the University nor the names of its contributors may be used to endorse
+ * or promote products derived from this software without specific prior
+ * written permission.
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
+ * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
+ *
+ * @(#) $Header$ (LBL)
+ */
+#ifndef setsignal_h
+#define setsignal_h
+
+RETSIGTYPE (*setsignal(int, RETSIGTYPE (*)(int)))(int);
+#endif
diff --git a/aux/hf/strerror.c b/aux/hf/strerror.c
new file mode 100755
index 0000000000..d330a6523e
--- /dev/null
+++ b/aux/hf/strerror.c
@@ -0,0 +1,75 @@
+/*
+ * Copyright (c) 1988, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#if defined(LIBC_SCCS) && !defined(lint)
+static const char sccsid[] = "@(#)strerror.c	8.1 (Berkeley) 6/4/93";
+#endif /* LIBC_SCCS and not lint */
+
+#include <sys/types.h>
+
+#include <string.h>
+
+#include "gnuc.h"
+#ifdef HAVE_OS_PROTO_H
+#include "os-proto.h"
+#endif
+
+char *
+strerror(num)
+	int num;
+{
+	extern int sys_nerr;
+	extern char *sys_errlist[];
+#define	UPREFIX	"Unknown error: "
+	static char ebuf[40] = UPREFIX;		/* 64-bit number + slop */
+	register unsigned int errnum;
+	register char *p, *t;
+	char tmp[40];
+
+	errnum = num;				/* convert to unsigned */
+	if (errnum < sys_nerr)
+		return(sys_errlist[errnum]);
+
+	/* Do this by hand, so we don't include stdio(3). */
+	t = tmp;
+	do {
+		*t++ = "0123456789"[errnum % 10];
+	} while (errnum /= 10);
+	for (p = ebuf + sizeof(UPREFIX) - 1;;) {
+		*p++ = *--t;
+		if (t <= tmp)
+			break;
+	}
+	*p = '\0';
+	return(ebuf);
+}
diff --git a/aux/hf/version.c b/aux/hf/version.c
new file mode 100644
index 0000000000..1b09c66cdd
--- /dev/null
+++ b/aux/hf/version.c
@@ -0,0 +1 @@
+char version[] = "1.0a10";
diff --git a/aux/libpcap-0.7.2.tar.gz b/aux/libpcap-0.7.2.tar.gz
new file mode 100644
index 0000000000..435880ccf7
Binary files /dev/null and b/aux/libpcap-0.7.2.tar.gz differ
diff --git a/aux/libpcap-0.8.3.tar.gz b/aux/libpcap-0.8.3.tar.gz
new file mode 100644
index 0000000000..54ef183f4b
Binary files /dev/null and b/aux/libpcap-0.8.3.tar.gz differ
diff --git a/aux/libpcap-0.9.8.tar.gz b/aux/libpcap-0.9.8.tar.gz
new file mode 100644
index 0000000000..14344a44dd
Binary files /dev/null and b/aux/libpcap-0.9.8.tar.gz differ
diff --git a/aux/nftools/Makefile.am b/aux/nftools/Makefile.am
new file mode 100644
index 0000000000..4b2ace77d7
--- /dev/null
+++ b/aux/nftools/Makefile.am
@@ -0,0 +1,5 @@
+
+noinst_PROGRAMS = ftwire2bro nfcollector
+
+ftwire2bro_SOURCES = ftwire2bro.c nfcommon.h
+nfcollector_SOURCES = nfcollector.c nfcommon.h
diff --git a/aux/nftools/ftwire2bro.c b/aux/nftools/ftwire2bro.c
new file mode 100644
index 0000000000..c277e23096
--- /dev/null
+++ b/aux/nftools/ftwire2bro.c
@@ -0,0 +1,94 @@
+/* $Id:$ */
+/* Written by Bernhard Ager (2007). */
+/* Works only with NFv5. */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+
+#include "nfcommon.h"
+
+void leave (int errlvl, const char *msg) {
+  fprintf (stderr, "%s", msg);
+  exit (errlvl);
+}
+
+void usage () {
+  puts ("Converts NetFlow v5 files in 'wire' format to bro format.\n"
+	"A flow-tools file can be converted to 'wire' format with\n"
+	"        flow-export -f 4\n"
+	"Note this is a hack: The network time is calculated from the\n"
+        "export time and an optional offset; the exporter is set statically.\n"
+	"Usage: ftwire2bro [-e <exporter_ip> [-t <offset>]\n"
+	"       <exporter_ip> defaults to 0.0.0.0, <offset> defaults to 0.0\n"
+	"       data is read from stdin and written to stdout");
+}
+
+size_t pdusize(NFv5Header hdr) {
+  return sizeof(hdr)+ntohs(hdr.count)*V5_RECORD_SIZE;
+}
+
+int main (int argc, char** argv) {
+  int opt;
+  struct in_addr exporter = {0};
+  double offset = 0.0;
+  FlowFileSrcPDUHeader ffphdr;
+  NFv5PDU v5pdu;
+  unsigned short count;
+
+  while ((opt = getopt (argc, argv, "e:t:h")) >= 0) {
+    switch (opt) {
+    case 'e':
+      if (! inet_aton (optarg, &exporter)) {
+	fprintf (stderr, "could not convert exporter_ip: '%s'\n", optarg);
+	exit (1);
+      }
+      break;
+    case 't':
+      offset = atof(optarg);
+      break;
+    case 'h':
+      usage();
+      exit (0);
+    default:
+/*       fprintf (stderr, "Unknown option: %c\n", optopt); */
+      exit(1);
+    }
+  }
+
+  while (1) {
+    if (fread (&(v5pdu.header), sizeof (NFv5Header), 1, stdin) == 0) {
+      if (feof(stdin))
+	break;
+      leave (1, "Could not read header\n");
+    }
+
+    count = ntohs (v5pdu.header.count);
+    if (ntohs(v5pdu.header.version) != 5)
+      leave (1, "Header indicates flow not in version 5 format\n");
+    if (count > V5_RECORD_MAXCOUNT) {
+      fprintf (stderr, "header indicates too many records: %d\n", 
+	       count);
+      exit (1);
+    }
+    
+    if (fread (v5pdu.records, sizeof(NFv5Record), count, stdin) < count)
+      leave (1, "Could not read enough records from stdin\n");
+
+    ffphdr.network_time = ntohl(v5pdu.header.unix_secs) + 
+                          ntohl(v5pdu.header.unix_nsecs)/1e9 + offset;
+    ffphdr.pdu_length = pdusize(v5pdu.header);
+    ffphdr.ipaddr = exporter.s_addr;
+
+    if (fwrite (&ffphdr, sizeof(ffphdr), 1, stdout) == 0)
+      leave (1, "Could not write ffpheader\n");
+    if (fwrite (&v5pdu, ffphdr.pdu_length, 1, stdout) == 0)
+      leave (1, "Could not write netflow PDU\n");
+  }
+
+  return 0;
+}
diff --git a/aux/nftools/nfcollector.c b/aux/nftools/nfcollector.c
new file mode 100644
index 0000000000..0b80983f8c
--- /dev/null
+++ b/aux/nftools/nfcollector.c
@@ -0,0 +1,83 @@
+/* $Id;$ */
+/* Written by Bernhard Ager (2007). */
+
+#include <unistd.h>
+#include <stdio.h>
+#include <string.h>
+#include <unistd.h>
+#include <sys/socket.h>
+#include <stdlib.h>
+#include <fcntl.h>
+#include <sys/time.h>
+#include <netinet/in.h>
+
+#include "nfcommon.h"
+
+void pleave (int errlvl, const char *msg) {
+  perror (msg);
+  exit (errlvl);
+}
+
+void usage () {
+  puts ("collects NetFlow data and writes it to a file (or stdout)\n"
+	"       such that Bro can read the NetFlow dump file.\n"
+	"  Usage: nfcollector [-p <port>] [-o <outputfile>]\n"
+	"       port defaults to 1234, outputfile defaults to stdout");
+}
+
+int main (int argc, char** argv) {
+  int opt;
+  int s = -1;
+  char *outfile = NULL;
+  int outfd = 1; // default to stdout
+  struct timeval tv;
+  struct sockaddr_in sa = { .sin_family = AF_INET, 
+			    .sin_port = htons(1234),
+			    .sin_addr = {0} };
+  struct sockaddr_in from;
+  socklen_t fromlen;
+  FlowFilePDU ffp;
+
+  while ((opt = getopt (argc, argv, "p:o:h")) >= 0) {
+    switch (opt) {
+    case 'o':
+      outfile = malloc (strlen(optarg) + 1);
+      strcpy (outfile, optarg);
+      break;
+    case 'p':
+      sa.sin_port = htons(atoi(optarg));
+      break;
+    case 'h':
+      usage();
+      exit (0);
+    default:
+      fprintf (stderr, "Unknown option: %c\n", optopt);
+    }
+  }
+
+  if ((s = socket (PF_INET, SOCK_DGRAM, 0)) < 0)
+    pleave(1, "opening socket");
+
+  if (bind (s, (struct sockaddr*) &sa, sizeof (sa)) < 0)
+    pleave (1, "bind");
+
+  if (outfile && (outfd = open (outfile, O_TRUNC|O_WRONLY|O_CREAT, 0666)) < 0)
+    pleave (1, "open");
+
+  while (1) {
+    fromlen = sizeof (from);
+    if ((ffp.header.pdu_length = recvfrom(s, ffp.data, MAX_PKT_SIZE, 0, (struct sockaddr*)&from, &fromlen)) < 0)
+      pleave (1, "recvfrom");
+    if (gettimeofday(&tv, NULL) == 0)
+      ffp.header.network_time = tv.tv_sec + tv.tv_usec / 1000000.;
+    else {
+      ffp.header.network_time = -1.;
+      perror ("gettimeofday");
+    }
+
+    ffp.header.ipaddr = from.sin_addr.s_addr;
+    write (outfd, &ffp, ffp.header.pdu_length + sizeof (FlowFileSrcPDUHeader));
+  }
+
+  return 0;
+}
diff --git a/aux/nftools/nfcommon.h b/aux/nftools/nfcommon.h
new file mode 100644
index 0000000000..fd91d1341c
--- /dev/null
+++ b/aux/nftools/nfcommon.h
@@ -0,0 +1,45 @@
+/* $Id:$ */
+/* Written by Bernhard Ager (2007). */
+/* For now this only works with IPv4. */
+
+#include "../../config.h"
+
+/* Enough for NFv5 - how about the others? */
+#define MAX_PKT_SIZE 8192
+
+/* from FlowSrc.h */
+typedef struct {
+  double network_time;
+  int pdu_length;
+  u_int32_t ipaddr;
+} FlowFileSrcPDUHeader;
+
+typedef struct {
+  u_int16_t version;
+  u_int16_t count;
+  u_int32_t sysuptime;
+  u_int32_t unix_secs;
+  u_int32_t unix_nsecs;
+  u_int32_t flow_seq;
+  u_int8_t  eng_type;
+  u_int8_t  eng_id;
+  u_int16_t sample_int;
+} NFv5Header;
+
+#define V5_RECORD_SIZE 48
+#define V5_RECORD_MAXCOUNT 30
+
+typedef struct {
+  char data[V5_RECORD_SIZE];
+} NFv5Record;
+
+typedef struct {
+  NFv5Header header;
+  NFv5Record records[V5_RECORD_MAXCOUNT];
+} NFv5PDU;
+
+/* TODO: replace char data[] by NFv5PDU pdu*/
+typedef struct {
+  FlowFileSrcPDUHeader header;
+  char data [MAX_PKT_SIZE];
+} FlowFilePDU;
diff --git a/aux/rst/Makefile.am b/aux/rst/Makefile.am
new file mode 100644
index 0000000000..b56859335f
--- /dev/null
+++ b/aux/rst/Makefile.am
@@ -0,0 +1,4 @@
+## Process this file with automake to produce Makefile.in
+
+noinst_PROGRAMS = rst
+rst_SOURCES = rst.c
diff --git a/aux/rst/rst.c b/aux/rst/rst.c
new file mode 100644
index 0000000000..8dca07bb7f
--- /dev/null
+++ b/aux/rst/rst.c
@@ -0,0 +1,380 @@
+/* $Id: rst.c 7073 2010-09-13 00:45:02Z vern $ */
+
+/* Derived from traceroute, which has the following copyright:
+ *
+ * Copyright (c) 1999, 2002
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that: (1) source code distributions
+ * retain the above copyright notice and this paragraph in its entirety, (2)
+ * distributions including binary code include the above copyright notice and
+ * this paragraph in its entirety in the documentation or other materials
+ * provided with the distribution, and (3) all advertising materials mentioning
+ * features or use of this software display the following acknowledgement:
+ * ``This product includes software developed by the University of California,
+ * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
+ * the University nor the names of its contributors may be used to endorse
+ * or promote products derived from this software without specific prior
+ * written permission.
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
+ * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
+ */
+#ifndef lint
+static const char copyright[] =
+    "@(#) Copyright (c) 1999, 2002\nThe Regents of the University of California.  All rights reserved.\n";
+static const char rcsid[] =
+    "@(#) $Id: rst.c 7073 2010-09-13 00:45:02Z vern $ (LBL)";
+#endif
+
+/* need this due to linux's funny idea of a tcphdr */
+#if defined(__linux__)
+#define _BSD_SOURCE
+#endif
+
+#include <sys/types.h>
+#include <sys/socket.h>
+
+#include <netinet/in_systm.h>
+#include <netinet/in.h>
+#include <netinet/ip.h>
+#include <netinet/tcp.h>
+
+#include <arpa/inet.h>
+
+#include <errno.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#include "../../config.h"
+
+/* Forwards */
+void gripe(const char *, const char *);
+void pgripe(const char *);
+u_short in_cksum(register u_short *, register int);
+int ones_complement_checksum(const void *, int, u_int32_t);
+int tcp_checksum(const struct ip *, const struct tcphdr *, int);
+void send_pkt(int, struct in_addr, int, u_int32_t, struct in_addr,
+    int, u_int32_t, int, int, int, int, const char *);
+void terminate(int, const char *, int, u_int32_t, const char *,
+    int, u_int32_t, int, int, int, int, const char *);
+void usage(void);
+int main(int, char **);
+
+const char *prog_name;
+
+void gripe(const char *fmt, const char *arg)
+{
+	fprintf(stderr, "%s: ", prog_name);
+	fprintf(stderr, fmt, arg);
+	fprintf(stderr, "\n");
+}
+
+void pgripe(const char *msg)
+{
+	fprintf(stderr, "%s: %s (%s)\n", prog_name, msg, strerror(errno));
+	exit(1);
+}
+
+/*
+ * Checksum routine for Internet Protocol family headers (C Version)
+ */
+u_short
+in_cksum(register u_short *addr, register int len)
+{
+	register int nleft = len;
+	register u_short *w = addr;
+	register u_short answer;
+	register int sum = 0;
+
+	/*
+	 *  Our algorithm is simple, using a 32 bit accumulator (sum),
+	 *  we add sequential 16 bit words to it, and at the end, fold
+	 *  back all the carry bits from the top 16 bits into the lower
+	 *  16 bits.
+	 */
+	while (nleft > 1)  {
+		sum += *w++;
+		nleft -= 2;
+	}
+
+	/* mop up an odd byte, if necessary */
+	if (nleft == 1)
+		sum += *(u_char *)w;
+
+	/*
+	 * add back carry outs from top 16 bits to low 16 bits
+	 */
+	sum = (sum >> 16) + (sum & 0xffff);	/* add hi 16 to low 16 */
+	sum += (sum >> 16);			/* add carry */
+	answer = ~sum;				/* truncate to 16 bits */
+	return (answer);
+}
+
+// - adapted from tcpdump
+// Returns the ones-complement checksum of a chunk of b short-aligned bytes.
+int ones_complement_checksum(const void *p, int b, u_int32_t sum)
+{
+	const u_short *sp = (u_short *) p;	// better be aligned!
+
+	b /= 2;	// convert to count of short's
+
+	/* No need for endian conversions. */
+	while ( --b >= 0 )
+		sum += *sp++;
+
+	while ( sum > 0xffff )
+		sum = (sum & 0xffff) + (sum >> 16);
+
+	return sum;
+}
+
+int tcp_checksum(const struct ip *ip, const struct tcphdr *tp, int len)
+{
+	int tcp_len = tp->th_off * 4 + len;
+	u_int32_t sum, addl_pseudo;
+
+	if ( len % 2 == 1 )
+		// Add in pad byte.
+		sum = htons(((const u_char*) tp)[tcp_len - 1] << 8);
+	else
+		sum = 0;
+
+	sum = ones_complement_checksum((void*) &ip->ip_src.s_addr, 4, sum);
+	sum = ones_complement_checksum((void*) &ip->ip_dst.s_addr, 4, sum);
+
+	addl_pseudo = (htons(IPPROTO_TCP) << 16) | htons((unsigned short) tcp_len);
+
+	sum = ones_complement_checksum((void*) &addl_pseudo, 4, sum);
+	sum = ones_complement_checksum((void*) tp, tcp_len, sum);
+
+	return sum;
+}
+
+void send_pkt(int s, struct in_addr from, int from_port, u_int32_t from_seq,
+		struct in_addr to, int to_port, u_int32_t to_seq,
+		int size, int redundancy, int delay, int flags,
+		const char *inject)
+{
+	int cc;
+	int pktlen = 40 + size;
+	const int max_injection_size = 4096;
+	char *pkt = malloc(pktlen + max_injection_size + 1024 /* slop */);
+	struct ip *ip = (struct ip *) pkt;
+	struct tcphdr *tcp = (struct tcphdr *) &pkt[20];
+
+	if ( ! pkt )
+		pgripe("couldn't malloc memory");
+
+	if ( inject && *inject ) {
+		size = strlen(inject);
+
+		if ( size > max_injection_size )
+			gripe("injection text too large%s", "");
+
+		pktlen = 40 + size;
+	}
+
+	memset(pkt, 0, pktlen);
+
+	ip->ip_v = IPVERSION;
+	ip->ip_len = pktlen;	/* on FreeBSD, don't use htons(); YMMV */
+	ip->ip_off = 0;
+	ip->ip_src = from;
+	ip->ip_dst = to;
+	ip->ip_hl = 5;
+	ip->ip_p = IPPROTO_TCP;
+	ip->ip_ttl = 255;
+	ip->ip_id = 0;
+
+	ip->ip_sum = in_cksum((u_short *) ip, sizeof(*ip));
+
+	if (ip->ip_sum == 0)
+		ip->ip_sum = 0xffff;
+
+	tcp->th_sport = htons(from_port);
+	tcp->th_dport = htons(to_port);
+	tcp->th_seq = htonl(from_seq);
+	tcp->th_ack = htonl(to_seq);
+	tcp->th_off = 5;
+	tcp->th_flags = flags;
+	tcp->th_win = 0;
+	tcp->th_urp = 0;
+	tcp->th_sum = 0;
+
+	if ( inject && *inject ) {
+		char *payload = &pkt[40];
+		strcpy(payload, inject);
+
+	} else if ( size > 0 )
+		{
+		const char *fill_string =
+			(inject && *inject) ? inject : "BRO-RST\n";
+		char *payload = &pkt[40];
+		int n = strlen(fill_string);
+		int i;
+		for ( i = size; i > n + 1; i -= n )
+			{
+			strcpy(payload, fill_string);
+			payload += n;
+			}
+
+		for ( ; i > 0; --i )
+			*(payload++) = '\n';
+		}
+
+	tcp->th_sum = ~tcp_checksum(ip, tcp, size);
+
+	while ( redundancy-- > 0 )
+		{
+		cc = send(s, (char *) ip, pktlen, 0);
+		if (cc < 0 || cc != pktlen)
+			pgripe("problem in sendto()");
+		usleep(delay * 1000);
+		}
+
+	free(pkt);
+}
+
+void terminate(int s, const char *from_addr, int from_port, u_int32_t from_seq,
+		const char *to_addr, int to_port, u_int32_t to_seq,
+		int num, int redundancy, int stride, int delay,
+		const char *inject)
+{
+	struct sockaddr where_from, where_to;
+	struct sockaddr_in *from = (struct sockaddr_in *) &where_from;
+	struct sockaddr_in *to = (struct sockaddr_in *) &where_to;
+
+	memset(from, 0, sizeof(*from));
+	memset(to, 0, sizeof(*to));
+#ifdef SIN_LEN
+	from->sin_len = to->sin_len = sizeof(*to);
+#endif /* SIN_LEN */
+	from->sin_family = to->sin_family = AF_INET;
+
+	if ( inet_aton(from_addr, (struct in_addr *) &from->sin_addr) == 0 )
+		gripe("bad from address %s", from_addr);
+	if ( inet_aton(to_addr, (struct in_addr *) &to->sin_addr) == 0 )
+		gripe("bad to address %s", to_addr);
+
+	if ( connect(s, &where_to, sizeof(where_to)) < 0 )
+		pgripe("can't connect");
+
+	while ( num-- > 0 )
+		{
+		send_pkt(s, from->sin_addr, from_port, from_seq,
+			to->sin_addr, to_port, to_seq, 0, redundancy, delay,
+			(*inject ? 0 : TH_RST) | TH_ACK, inject);
+
+		if ( num > 0 && stride > 1 )
+			send_pkt(s, from->sin_addr, from_port, from_seq,
+				to->sin_addr, to_port, to_seq, stride,
+				redundancy, delay, TH_ACK, inject);
+
+		from_seq += stride;
+		}
+}
+
+void usage()
+{
+	fprintf(stderr, "%s [-R] [-I text-to-inject] [-d delay-msec] [-n num] [-r redundancy] [-s stride] from_addr from_port from_seq to_addr to_port to_seq\n", prog_name);
+	exit(0);
+}
+
+int main(int argc, char **argv)
+{
+	extern char* optarg;
+	extern int optind, opterr;
+	const char *from_addr, *to_addr;
+	char inject[8192];
+	int from_port, to_port;
+	u_int32_t from_seq, to_seq;
+	int delay = 0.0;
+	int redundancy = 1;
+	int num = 1;
+	int stride = 1;
+	int reverse = 0;
+	int s;
+	int on = 1;
+	int op;
+
+	prog_name = argv[0];
+
+	opterr = 0;
+
+	inject[0] = 0;
+
+	while ( (op = getopt(argc, argv, "RI:d:n:r:s:")) != EOF )
+		switch ( op ) {
+		case 'R':
+			reverse = 1;
+			break;
+
+		case 'I':
+			{
+			char *ap = optarg;
+			char *ip;
+			for ( ip = inject; *ap; ++ip, ++ap ) {
+				if ( ap[0] == '\\' && ap[1] == 'n' )
+					*ip = '\n', ++ap;
+				else
+					*ip = *ap;
+			}
+			}
+			break;
+
+		case 'd':
+			delay = atoi(optarg);
+			break;
+
+		case 'n':
+			num = atoi(optarg);
+			break;
+
+		case 'r':
+			redundancy = atoi(optarg);
+			break;
+
+		case 's':
+			stride = atoi(optarg);
+			break;
+
+		default:
+			usage();
+			break;
+		}
+
+	if ( argc - optind != 6 )
+		usage();
+
+	s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
+	if ( s < 0 )
+		pgripe("couldn't create raw socket");
+
+	setuid(getuid());
+
+	if (setsockopt(s, 0, IP_HDRINCL, (char *) &on, sizeof(on)) < 0)
+		pgripe("can't turn on IP_HDRINCL");
+
+	from_addr = argv[optind++];
+	from_port = atoi(argv[optind++]);
+	from_seq = strtoul(argv[optind++], 0, 10);
+
+	to_addr = argv[optind++];
+	to_port = atoi(argv[optind++]);
+	to_seq = strtoul(argv[optind++], 0, 10);
+
+	if ( reverse )
+		terminate(s, to_addr, to_port, to_seq,
+			from_addr, from_port, from_seq,
+			num, redundancy, stride, delay, inject);
+	else
+		terminate(s, from_addr, from_port, from_seq,
+			to_addr, to_port, to_seq,
+			num, redundancy, stride, delay, inject);
+
+	return 0;
+}
diff --git a/aux/scripts/Makefile.am b/aux/scripts/Makefile.am
new file mode 100644
index 0000000000..c0a7ebb1b1
--- /dev/null
+++ b/aux/scripts/Makefile.am
@@ -0,0 +1,3 @@
+## Process this file with automake to produce Makefile.in
+
+EXTRA_DIST = hot-report mon-report ip-grep ca-create ca-issue bro-logchk.pl host-to-addrs mvlog host-grep lock_file
diff --git a/aux/scripts/bro-logchk.pl b/aux/scripts/bro-logchk.pl
new file mode 100755
index 0000000000..f711feab29
--- /dev/null
+++ b/aux/scripts/bro-logchk.pl
@@ -0,0 +1,197 @@
+#!/usr/bin/perl
+
+# Written by:
+#     James J. Barlow <jbarlow@ncsa.uiuc.edu>
+#     June 2002
+#
+# Orders and scans through bro http and ftp logs.
+
+use Getopt::Std;
+use Socket;
+
+# Get the options on the command line
+getopts('DFHdshra:f:x:');
+
+# Check for invalid options or help option
+if ($opt_h || ($opt_a && $opt_x) || (($opt_s || $opt_d) && !$opt_a) ||
+   ($opt_F && $opt_H) || !($opt_F || $opt_H)) {
+    &Usage;
+}
+
+# Read file
+if ($opt_f) {
+    open(INFILE, "$opt_f") || die "Can't open $opt_f: $!\n";
+} else {
+    &Usage;
+}
+
+$max = 0;
+
+while (<INFILE>) {
+
+    # is it the start of a connection
+    if (check_start_conn()) {
+
+        # Set to resolve IP address if $opt_r.
+        $resolve = 1;
+
+        # Do we want a specific IP address
+        if ($opt_a) {
+            if ((($source EQ $opt_a) && !$opt_d) || (($dest EQ $opt_a) && !$opt_s)) {
+                # Yes, push connection number on list
+                push @ipconlist, $conn;
+            } else {
+                $resolve = 0; # don't try to resolve IP address
+            }
+        }
+
+        # Do we want to exclude an IP address
+        if ($opt_x) {
+            # Check if ipaddr is not excluded address
+            if (($source NE $opt_x) && ($dest NE $opt_x)) {
+                # if not push connection number on list
+                push @ipconlist, $conn;
+            } else {
+                $resolve = 0; # don't try to resolve IP address
+            }
+        }
+
+        # set max connection number
+        $max = $conn if ($max < $conn);
+
+        # Do we want to try and resolve IP addresses
+        if ($opt_r && $resolve) {
+            # get source and dest hostnames from IP addresses
+            $sname = gethostbyaddr(inet_aton($source), AF_INET);
+            # set source name to IP address if not resolvable
+            if (!$sname) {
+                $sname = $source;
+            }
+            $dname = gethostbyaddr(inet_aton($dest), AF_INET);
+            # set destination name to IP address if not resolvable
+            if (!$dname) {
+                $dname = $dest;
+            }
+        } else {
+            $sname = $source;
+            $dname = $dest;
+        }
+
+        # Get timestamp
+        $time = localtime($secs);
+
+        # push connection 
+        push @{$connlist[$conn]}, "$time - $conn  ${sname}${source_port} > $dname";
+        print "$time - $conn  ${sname}${source_port} > $dname\n" if $opt_D;
+        next;
+    }
+
+    # is it a request
+    if (check_request()) {
+
+        # set max connection number
+        $max = $conn if ($max < $conn);
+
+        push @{$connlist[$conn]}, "${time}${conn}  $request";
+        print "${time}${conn}  $request\n" if $opt_D;
+        next;
+    }
+
+    print "Unrecognized line: $_";
+}
+
+for ($i=1;$i<=$max;$i++) {
+    # skip connections not on list if we want specific addrs
+    # or are excluding addresses
+    if ($opt_a || $opt_x) {
+        next if !(grep /^$i$/, @ipconlist);
+    }
+    # print connections
+    foreach $entry (@{$connlist[$i]}) {
+        print "$entry\n";
+    }
+}
+
+close(INFILE);
+
+
+sub check_start_conn {
+
+    $valid_conn = 0;
+
+    # http connection?
+    if ($opt_H) {
+        if ((m/^(\d+)\s+%(\d+)\s+start\s+(\S+)\s+>\s+(\S+)/) ||
+            (m/^(\d+)\.\d+\s+%(\d+)\s+start\s+(\S+)\s+>\s+(\S+)/)) {
+            $secs = $1;
+            $conn = $2;
+            $source = $3;
+            $dest = $4;
+            chomp($dest);
+            $source_port = "";
+            $valid_conn = 1;
+        }
+    # ftp connection?
+    } elsif ($opt_F) {
+        if ((m/^(\d+)\s+#(\d+)\s+(\S+)\/(\d+)\s+>\s+(\S+)\/ftp start/) ||
+            (m/^(\d+)\.\d+\s+#(\d+)\s+(\S+)\/(\d+)\s+>\s+(\S+)\/ftp start/)) {
+            $secs = $1;
+            $conn = $2;
+            $source = $3;
+            $source_port = "/$4";
+            $dest = $5;
+            $valid_conn = 1;
+        }
+    }
+
+    return $valid_conn;
+}
+
+sub check_request {
+
+    $valid_request = 0;
+
+    if ($opt_H) {
+        if (m/^%(\d+)\s+\S+\s+(.*)/) {
+            $conn = $1;
+            $request = "GET $2";
+            chomp($request);
+            $time = "";
+            $valid_conn = 1;
+        }
+    } elsif ($opt_F) {
+        if (m/^(\d+)\.\d+ #(\d+) (.*)/) {
+            $time = localtime($1)." - ";
+            $conn = $2;
+            $request = $3;
+            chomp($request);
+            $valid_conn = 1;
+        }
+    }
+
+    return $valid_conn;
+}
+
+
+#
+# Usage
+#
+# Prints out usage for script.
+             
+sub Usage {
+    print "Usage:\n";
+    print "   bro-logchk.pl -[hrDFHds] -f filename -a ipaddr -x ipaddr\n";
+    print "       -h          print this usage information\n";
+    print "       -F          using ftp log\n";
+    print "       -H          using http log\n";
+    print "       -r          try to resolve IP addresses to hostnames\n";
+    print "       -f file     log file to parse\n";
+    print "       -a ipaddr   only output connections from this address\n";
+    print "       -s          only want matching source address (used with -a option)\n";
+    print "       -d          only want matching destination address (used with -a option)\n";
+    print "       -D          debug option\n";
+    print "       -x ipaddr   exclude connections from this address\n";
+    print "\n";
+    exit;
+}
+
diff --git a/aux/scripts/ca-create b/aux/scripts/ca-create
new file mode 100755
index 0000000000..f9cb5e13e8
--- /dev/null
+++ b/aux/scripts/ca-create
@@ -0,0 +1,148 @@
+#! /bin/sh
+
+######################################################################
+# prompt for input for a variable
+# $1 name of var
+# $2 defualt value
+# $3 prompt string (if empty get from config file )
+bro_config_input()
+{
+    if [ -z $1 ] ; then
+        name=""
+    else
+        name=$1
+    fi
+    
+    if [ -z $2 ] ; then
+        default=""
+    else
+        default=$2
+    fi
+
+    if [ -z "$3" ] ; then 
+        prompt=""
+    else
+        prompt=$3
+    fi
+
+    #empty it out
+    RESP=
+    desc=$prompt
+    
+    while [ -z "$RESP" ]; do
+        echo -n "$desc [$default]: " >&0
+        read RESP
+
+        case "$RESP" in 
+            [Yy]|[Yy][Ee][Ss]) ret="YES"; RESP="YES";;
+            [Nn]|[Nn][Oo] ) ret="NO"; RESP="NO" ;;
+            "") ret=$default ; RESP="$default" ;;
+            *) ret=$RESP;;
+        esac
+    done
+
+    # set back the value
+    eval $1=\$ret
+    eval $name=\$ret
+    return 1
+}
+
+
+echo "Creating SSL certificate authority"
+echo "----------------------------------"
+echo
+
+dir=$HOME
+
+if [ "x$BRO_CA_DIR" != "x" ]; then
+    dir=$BRO_CA_DIR
+fi
+
+bro_config_input "dir" $dir "Directory for CA setup"
+
+mkdir -p $dir
+if [ $? -ne 0 ]; then
+	echo "Couldn't create directory $dir."
+	exit 1
+fi
+
+mkdir -p $dir/certs $dir/private
+chmod g-rwx,o-rwx $dir/private
+echo '01' > $dir/serial
+touch $dir/issued.txt
+
+echo "- Directory structure created in directory $dir"
+
+cat - > $dir/openssl.cfg << _EOF
+# OpenSSL config file for Root CA
+#
+
+# Global variable so it can be used everywhere:
+dir                = $dir
+
+[ ca ]
+default_ca = bro_ca
+
+[ bro_ca ]
+certificate        = \$dir/ca_cert.pem
+database           = \$dir/issued.txt
+new_certs_dir      = \$dir/certs
+private_key        = \$dir/private/ca_key.pem
+serial             = \$dir/serial
+
+# Number of days before CRLs are published
+default_crl_days   = 7
+
+# Number of days a certificate will be valud
+default_days       = 365
+
+# Digest used to sign issued certificates
+default_md         = sha1
+
+# Policy for distinguished name in certificate requests
+policy             = bro_policy
+x509_extensions    = cert_exts
+
+
+[ bro_policy ]
+commonName         = supplied
+emailAddress       = optional
+
+[ cert_exts ]
+# Certificates we hand out must not be used as CA certificates
+basicConstraints     = CA:false
+
+[ req ]
+default_bits       = 2048 # Private key length
+
+default_keyfile    = \$dir/private/ca_key.pem
+default_md         = sha1
+
+# Don't ask for distinguished name, use what's given below:
+prompt             = no
+distinguished_name = root_ca_dist_name
+
+x509_extensions    = root_ca_exts
+
+[ root_ca_dist_name ]
+commonName         = Bro Root Certification Authority
+
+[ root_ca_exts ]
+basicConstraints   = CA:true
+
+_EOF
+
+echo "- OpenSSL config file created at $dir/openssl.cfg"
+echo
+echo "I will now generate the CA's certificate. You will be asked to"
+echo "enter the password for the CA's private key."
+echo
+openssl req -config $dir/openssl.cfg -x509 -new -out $dir/ca_cert.pem -outform PEM
+
+if [ $? -ne 0 ]; then
+	echo "Couldn't create root certificate."
+	exit 1
+fi
+
+echo "- Root certificate created successfully"
+echo "- Done."
diff --git a/aux/scripts/ca-issue b/aux/scripts/ca-issue
new file mode 100755
index 0000000000..6bac0bd1eb
--- /dev/null
+++ b/aux/scripts/ca-issue
@@ -0,0 +1,112 @@
+#! /bin/sh
+
+######################################################################
+# prompt for input for a variable
+# $1 name of var
+# $2 defualt value
+# $3 prompt string (if empty get from config file )
+bro_config_input()
+{
+    if [ -z $1 ] ; then
+        name=""
+    else
+        name=$1
+    fi
+    
+    if [ -z $2 ] ; then
+        default=""
+    else
+        default=$2
+    fi
+
+    if [ -z "$3" ] ; then 
+        prompt=""
+    else
+        prompt=$3
+    fi
+
+    #empty it out
+    RESP=
+    desc=$prompt
+    
+    while [ -z "$RESP" ]; do
+        echo -n "$desc [$default]: " >&0
+        read RESP
+
+        case "$RESP" in 
+            [Yy]|[Yy][Ee][Ss]) ret="YES"; RESP="YES";;
+            [Nn]|[Nn][Oo] ) ret="NO"; RESP="NO" ;;
+            "") ret=$default ; RESP="$default" ;;
+            *) ret=$RESP;;
+        esac
+    done
+
+    # set back the value
+    eval $1=\$ret
+    eval $name=\$ret
+    return 1
+}
+
+
+echo "Issuing SSL certificate"
+echo "-----------------------"
+echo
+
+dir=$HOME
+
+if [ "x$BRO_CA_DIR" != "x" ]; then
+    dir=$BRO_CA_DIR
+fi
+
+bro_config_input "dir" $dir "CA installation directory"
+
+
+if [ ! -r $dir/openssl.cfg ]; then
+    echo "Could not find config file for root CA in $BRO_CA_DIR/openssl.cfg"
+    exit 1
+fi
+
+prefix=bro
+bro_config_input "prefix" $prefix "Prefix for the generated certificate request and private key"
+
+if [ "x$OPENSSL_CONF" = "x$BRO_CA_DIR/openssl.cfg" ]; then
+    OPENSSL_CONF=
+    echo "*Not* using $BRO_CA_DIR/openssl.cfg as configuration file"
+fi
+
+echo
+echo "I will now generate a certificate request. You will be asked"
+echo "for a passphrase with which the private key will be encrypted."
+echo "You will also be asked for a challenge phrase stored in the"
+echo "certificate request, which is ignored by OpenSSL."
+echo
+openssl req -newkey rsa:1024 -days 730 -nodes -keyout ${prefix}_key.pem -keyform PEM -out ${prefix}_req.pem
+
+if [ $? -ne 0 ]; then
+	echo "Couldn't create certificate request."
+	exit 1
+fi
+
+echo "- Certificate request created in ${prefix}_req.pem, with private key in ${prefix}_key.pem"
+echo
+echo "Issuing certificate using ${prefix}_req.pem"
+openssl ca -config $BRO_CA_DIR/openssl.cfg -days 730 -in ${prefix}_req.pem -notext -out ${prefix}_cert.pem
+
+if [ $? -ne 0 ]; then
+	echo "Couldn't create certificate. Make sure the parameters"
+	echo "of the certificate request are unique."
+	exit 1
+fi
+
+echo
+echo "- Certificate created in ${prefix}_cert.pem"
+
+cat ${prefix}_key.pem ${prefix}_cert.pem > ${prefix}.pem
+rm ${prefix}_key.pem ${prefix}_cert.pem ${prefix}_req.pem
+echo "- Created host certificate and key configuration in $prefix.pem"
+echo
+echo "Now configure your Bro agent to use"
+echo " * CA certificate $dir/ca_cert.pem"
+echo " * Host certificate $prefix.pem"
+echo
+echo "- Done."
diff --git a/aux/scripts/host-grep b/aux/scripts/host-grep
new file mode 100755
index 0000000000..1aa62ad279
--- /dev/null
+++ b/aux/scripts/host-grep
@@ -0,0 +1,29 @@
+#! /bin/csh -f
+#
+# Greps a Bro connection summary file on stdin for the given hosts.  Usage:
+#
+#	host-grep [-a] host ...
+#
+# If -a is specified then we only want lines with *all* of the listed hosts.
+
+if ( "$1" == "-a" ) then
+	shift
+	if ( "$2" != "" ) then
+		# More than one host, recurse.
+		set h1 = $1
+		shift
+		host-grep $h1 | host-grep -a $*
+		exit
+	else
+		# Just one host, fall through.
+	endif
+endif
+
+# Thank you csh, for your totally busted sense of command composition
+# and error propagation.
+set sheesh=`ip-grep $*`
+if ( $status != 0 ) then
+	exit 1
+endif
+
+grep -E " $sheesh "
diff --git a/aux/scripts/host-to-addrs b/aux/scripts/host-to-addrs
new file mode 100755
index 0000000000..ed0b615c01
--- /dev/null
+++ b/aux/scripts/host-to-addrs
@@ -0,0 +1,47 @@
+#! /bin/sh -e
+#
+# Returns a list of IP addresses associated with hostname $1.
+
+sheesh=`dig +noauthor +noaddit $1 a |
+
+awk '
+BEGIN	{
+	name = "'$1'"
+
+	if ( name ~ /^[0-9][0-9]*\.[0-9][0-9]*/ )
+		# An address, not a name.
+		print name
+
+	name = name "."
+	}
+
+/^;; ANSWER/	{
+	getline
+
+	# First reduce CNAMEs.
+	while ( $4 == "CNAME" )
+		{
+		name = $5
+		getline
+		}
+
+	# Now pick off the addresses.
+	while ( $1 == name )
+		{
+		print $5
+		getline
+		}
+
+	++num_answers
+	}
+
+END	{
+	if ( num_answers == 0 )
+		{
+		print "no DNS answers to query for", name	>"/dev/stderr"
+		exit 1;
+		}
+	}
+'`
+
+echo "$sheesh" | sort -u
diff --git a/aux/scripts/hot-report b/aux/scripts/hot-report
new file mode 100755
index 0000000000..2e8b5b7ab6
--- /dev/null
+++ b/aux/scripts/hot-report
@@ -0,0 +1,160 @@
+#! /bin/sh
+#
+# Generate readable output from a Bro connection summary file.  If the
+# -n flag is given, then the input is not run through hf to convert addresses
+# to hostnames, otherwise it is.  If -x is given, then exact sizes and times
+# are reported, otherwise approximate.
+#
+# Requires the hf and cf utilities.  See doc/conn-logs for a summary of
+# the mnemonics used to indicate different connection states.
+
+if [ "$1" = "-n" ]
+then
+	shift
+	HF="cat" export HF
+	exec $0 "$@"
+fi
+
+if [ "$1" = "-x" ]
+then
+	shift
+	EXACT=1 export EXACT
+	exec $0 "$@"
+fi
+
+usage="usage: hot-report [-n -x] [file ...]"
+
+if [ ! "$HF" ]
+then
+	HF="hf -cl -t 15"
+fi
+
+if [ ! "$EXACT" ]
+then
+	EXACT=0
+fi
+
+$HF $* | cf |
+mawk '
+BEGIN	{
+	interactive["telnet"] = interactive["login"] = interative["klogin"] = 1
+	version_probe["smtp"] = 1
+
+	no_flag["www"] = no_flag["gopher"] = no_flag["smtp"] = 1
+	no_flag["www?"] = no_flag["www??"] = no_flag["gopher?"] = 1
+	no_flag["http"] = no_flag["http?"] = no_flag["http??"] = 1
+	no_flag["https"] = 1
+
+	no_rej["finger"] = no_rej["time"] = no_rej["daytime"] = 1
+	no_rej["nntp"] = no_rej["auth"] = 1
+	}
+
+	{
+	state = $10
+	if ( state == "REJ" )
+		marker = "["
+	else if ( state ~ /S0/ )
+		marker = "}"
+	else if ( state ~ /RSTR/ )
+		marker = state ~ /H/ ? "<[" : ">["
+	else if ( state ~ /RSTO/ )
+		marker = ">]"
+	else if ( state ~ /SHR/ )
+		marker = "<h"
+	else
+		marker = ">"
+
+	osize = size($6, state)
+	rsize = size($7, state)
+	dur = duration($4, state)
+
+	proto = $5
+
+	time = $1 " " ($2 "") " " $3
+
+	if ( $11 ~ /L/ )
+		{
+		ohost = $8
+		rhost = $9
+		}
+	else
+		{
+		ohost = $9
+		rhost = $8
+		}
+
+	status = ""
+	if ( NF > 11 )
+		{ # Collect additional status
+		for ( i = 12; i <= NF; ++i )
+			status = status " " $i
+		}
+
+	flag_it = flag(proto, $4+0, $6+0, $7+0, state)
+
+	printf("%-15s %s%s%s %s %s/%s%s%s%s\n", time, flag_it ? "*" : " ",
+		ohost, osize, marker, rhost, proto, rsize, dur, status)
+	}
+
+# Returns true if a connection should be flagged (represents successful
+# and sensitive activity), false otherwise
+function flag(proto, dur, osize, rsize, state)
+	{
+	if ( proto in interactive )
+		return osize > 200 || rsize > 1000 || dur > 300
+
+	if ( proto in version_probe && (osize == 0 || osize == 6) )
+		return 1
+
+	if ( proto in no_rej && (state == "REJ" || state == "S0") )
+		return 0
+
+	if ( proto ~ /^ftpdata-/ || proto ~ /^ftp-data/ )
+		return 0
+
+	return ! (proto in no_flag)
+	}
+
+function size(bytes, state)
+	{
+	if ( state == "S0" )
+		return ""
+
+	if ( state == "REJ" )
+		return ""
+
+	if ( bytes == "?" )
+		s = "?"
+
+	else if ( '$EXACT' )
+		s = sprintf("%db", bytes)
+
+	else if ( bytes < 1000 )
+		s = sprintf("%.1fkb", bytes / 1000)
+
+	else
+		s = sprintf("%.0fkb", bytes / 1000)
+
+	return " " s
+	}
+
+function duration(t, state)
+	{
+	if ( t == "?" )
+		return " " t
+
+	if ( state == "S0" || state == "S1" || state == "REJ" )
+		return ""
+
+	if ( '$EXACT' )
+		s = sprintf("%.1fs", t)
+
+	else if ( t < 60 )
+		s = sprintf("%.1fm", t / 60)
+
+	else
+		s = sprintf("%.0fm", t / 60)
+
+	return " " s
+	}
+'
diff --git a/aux/scripts/ip-grep b/aux/scripts/ip-grep
new file mode 100755
index 0000000000..8f34d6040f
--- /dev/null
+++ b/aux/scripts/ip-grep
@@ -0,0 +1,9 @@
+#! /bin/sh
+#
+# Returns a grep pattern for matching the IP addresses of the given hosts.
+# Note that generally when using the pattern you should surround it with
+# some form of anchoring, such as blanks, to avoid false hits.
+
+sheesh=`(for i do host-to-addrs $i; done)`
+if [ "$sheesh" = "" ]; then exit 1; fi;
+echo "$sheesh" | xargs | sed 's/\./\\./g;s/ /|/g;s/.*/(&)/'
diff --git a/aux/scripts/lock_file b/aux/scripts/lock_file
new file mode 100755
index 0000000000..718b6c04c6
--- /dev/null
+++ b/aux/scripts/lock_file
@@ -0,0 +1,70 @@
+#! /bin/sh
+# Inspired by http://members.toast.net/art.ross/rute/node24.html
+
+TAG=default
+CMD=
+
+help() {
+    echo "USAGE: lock_file (lock|unlock) [<tag>]"
+    echo
+    echo "lock_file locks or unlocks a lock file, for synchronization"
+    echo "across multiple processes. The lock command will block until"
+    echo "the lock can be obtained, upon which it exits with code 0."
+    echo "The exit code will be 1 on failures, and 2 on input error."
+    echo "You can use different tags for different locks."
+}
+
+while test "x$1" != "x"; do
+    case "$1" in 
+	"-h"|"--help"|"-help"|"-?"|"help")
+	    help
+	    exit 0
+	    ;;
+	"lock")
+	    CMD=lock
+	    shift 1
+	    ;;
+	"unlock")
+	    CMD=unlock
+	    shift 1
+	    ;;
+	*)
+	    TAG="$1"
+	    shift 1
+	    ;;
+    esac
+done
+
+TEMPFILE="/tmp/lock_${TAG}.$$"
+LOCKFILE="/tmp/lock_${TAG}.lock"
+
+if test "${CMD}" = "lock"; then
+
+    { echo $$ > $TEMPFILE; } >/dev/null 2>&1 || {
+	echo "You don't have permission to access `dirname $TEMPFILE`"
+	exit 1
+    }
+
+    while true; do
+	ln $TEMPFILE $LOCKFILE >/dev/null 2>&1 && {
+	    rm -f $TEMPFILE
+	    exit 0;
+	}
+
+	if test -e "$LOCKFILE"; then
+	    kill -0 `cat $LOCKFILE` >/dev/null 2>&1 || {
+		echo "Removing stale lock file"
+		rm -f $LOCKFILE
+	    }
+	fi
+	
+	sleep 1
+    done
+fi
+
+if test "${CMD}" = "unlock"; then
+    rm -f $LOCKFILE && exit 0
+    exit 1
+fi
+
+exit 2
diff --git a/aux/scripts/mon-report b/aux/scripts/mon-report
new file mode 100755
index 0000000000..0b39819362
--- /dev/null
+++ b/aux/scripts/mon-report
@@ -0,0 +1,79 @@
+#! /bin/csh -f
+#
+# Given Bro connection summary files, reports on the activities of
+# particular host(s) or net(s).
+#
+# mon-report [-n] [-t] [-x] h1 [-a h2] file ...
+#
+# reports on all connections involving host "h1", or "h1" and "h2" if -a
+# specified.  -n means that h1 and h2 should be interpreted as IP addresses
+# (either host or network) instead of hostnames.  -t means to write to stdout
+# the raw trace file instead of the hot report.  -x is passed along to
+# hot-report to specify exact byte counts and durations (unless -t is given).
+
+set usage = "mon-report [-n] [-t] [-x] h1 [-a h2] file ..."
+set GREP = "grep -E"
+
+if ( "$1" == "-n" ) then
+	setenv REPORT_NET
+	shift
+	mon-report $*
+	exit
+endif
+
+if ( "$1" == "-t" ) then
+	setenv REPORT_TO_STDOUT
+	shift
+	mon-report $*
+	exit
+endif
+
+if ( "$1" == "-x" ) then
+	setenv EXACT
+	shift
+	mon-report $*
+	exit
+endif
+
+if ( "$1" == "" ) then
+	echo "$usage"
+	exit
+endif
+
+set h1=$1
+shift
+
+set h2
+if ( "$1" == "-a" ) then
+	shift
+	if ( "$1" == "" ) then
+		echo "$usage"
+		exit
+	endif
+	setenv H2
+	set h2=$1
+	shift
+endif
+
+if ( $?REPORT_TO_STDOUT ) then
+	set out="cat"
+else
+	if ( $?EXACT ) then
+		set out="hot-report -x"
+	else
+		set out="hot-report"
+	endif
+endif
+
+if ( $?REPORT_NET ) then
+	if ( $?H2 ) then
+		cat $* | $GREP " `echo $h1 | sed 's/\./\\./g;s/ /|/g'`[. ]" | \
+			 $GREP " `echo $h2 | sed 's/\./\\./g;s/ /|/g'`[. ]" | \
+			 sort -n | $out
+	else
+		cat $* | $GREP " `echo $h1 | sed 's/\./\\./g;s/ /|/g'`[. ]" | \
+			 sort -n | $out
+	endif
+else
+	cat $* | host-grep -a $h1 $h2 | sort -n | $out
+endif
diff --git a/aux/scripts/mvlog b/aux/scripts/mvlog
new file mode 100755
index 0000000000..6136744dec
--- /dev/null
+++ b/aux/scripts/mvlog
@@ -0,0 +1,58 @@
+#! /usr/bin/env bash
+#
+# This script may be used as a postprocessor for Bro's log files to
+# automatically compress and archive them.
+# 
+# Example use: 
+#
+#     1. Add two lines to your Bro configuration:
+#
+#              redef log_rotate_interval = 6 hrs &redef;
+#              redef log_postprocessor = "mvlog";
+#
+#     2. Put the script into your PATH.
+#
+#     3. Define an environment variable BROBASE giving 
+#        a base directory to store the archived logs in.
+#
+#     Now Bro rotates log files every six hours, gzips them
+#     and moves them into directories $BROBASE/logs/<date>/
+#
+# General usage (this is how Bro calls all postprocessors):
+#
+#     mvlog <rotated-file-name> <base-name> <timestamp-when-opened> <timestamp-when-closed>
+#
+# Example of how Bro may call the script: 
+#
+#     mvlog alert.log.28799.1069381104 alert.log 03-11-21_03.18.18 03-11-21_04.0.24
+
+if [ "$BROBASE" == "" ]; then
+   echo BROBASE not set.
+   exit 1
+fi   
+
+# Base of archive.
+BASE="$BROBASE/logs"
+
+# Build archive name
+DAY=`echo $3 | sed 's/_.*$//'`
+FROM=`echo $3 | sed 's/^.*_//' | sed 's/\./:/g'`
+TO=`echo $4 | sed 's/^.*._//' | sed 's/\./:/g'`
+
+CENTURY=`date +%Y | sed 's/..$//g'`
+DAY="$CENTURY$DAY"
+
+DEST="$BASE/$DAY/$2.$FROM-$TO"
+
+# Create archive sub-dir if not existent.
+
+if [ ! -d "$BASE" ]; then
+    mkdir "$BASE"
+fi    
+
+if [ ! -d "$BASE/$DAY" ]; then
+    mkdir "$BASE/$DAY"
+fi    
+
+# Zip it and move into archive.
+nice gzip -6 <$1 >$DEST.gz && rm $1
diff --git a/compile b/compile
new file mode 100755
index 0000000000..a81e000ae1
--- /dev/null
+++ b/compile
@@ -0,0 +1,136 @@
+#! /bin/sh
+# Wrapper for compilers which do not understand `-c -o'.
+
+scriptversion=2003-11-09.00
+
+# Copyright (C) 1999, 2000, 2003 Free Software Foundation, Inc.
+# Written by Tom Tromey <tromey@cygnus.com>.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2, or (at your option)
+# any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+
+# As a special exception to the GNU General Public License, if you
+# distribute this file as part of a program that contains a
+# configuration script generated by Autoconf, you may include it under
+# the same distribution terms that you use for the rest of that program.
+
+# This file is maintained in Automake, please report
+# bugs to <bug-automake@gnu.org> or send patches to
+# <automake-patches@gnu.org>.
+
+case $1 in
+  '')
+     echo "$0: No command.  Try \`$0 --help' for more information." 1>&2
+     exit 1;
+     ;;
+  -h | --h*)
+    cat <<\EOF
+Usage: compile [--help] [--version] PROGRAM [ARGS]
+
+Wrapper for compilers which do not understand `-c -o'.
+Remove `-o dest.o' from ARGS, run PROGRAM with the remaining
+arguments, and rename the output as expected.
+
+If you are trying to build a whole package this is not the
+right script to run: please start by reading the file `INSTALL'.
+
+Report bugs to <bug-automake@gnu.org>.
+EOF
+    exit 0
+    ;;
+  -v | --v*)
+    echo "compile $scriptversion"
+    exit 0
+    ;;
+esac
+
+
+prog=$1
+shift
+
+ofile=
+cfile=
+args=
+while test $# -gt 0; do
+  case "$1" in
+    -o)
+      # configure might choose to run compile as `compile cc -o foo foo.c'.
+      # So we do something ugly here.
+      ofile=$2
+      shift
+      case "$ofile" in
+	*.o | *.obj)
+	  ;;
+	*)
+	  args="$args -o $ofile"
+	  ofile=
+	  ;;
+      esac
+       ;;
+    *.c)
+      cfile=$1
+      args="$args $1"
+      ;;
+    *)
+      args="$args $1"
+      ;;
+  esac
+  shift
+done
+
+if test -z "$ofile" || test -z "$cfile"; then
+  # If no `-o' option was seen then we might have been invoked from a
+  # pattern rule where we don't need one.  That is ok -- this is a
+  # normal compilation that the losing compiler can handle.  If no
+  # `.c' file was seen then we are probably linking.  That is also
+  # ok.
+  exec "$prog" $args
+fi
+
+# Name of file we expect compiler to create.
+cofile=`echo $cfile | sed -e 's|^.*/||' -e 's/\.c$/.o/'`
+
+# Create the lock directory.
+# Note: use `[/.-]' here to ensure that we don't use the same name
+# that we are using for the .o file.  Also, base the name on the expected
+# object file name, since that is what matters with a parallel build.
+lockdir=`echo $cofile | sed -e 's|[/.-]|_|g'`.d
+while true; do
+  if mkdir $lockdir > /dev/null 2>&1; then
+    break
+  fi
+  sleep 1
+done
+# FIXME: race condition here if user kills between mkdir and trap.
+trap "rmdir $lockdir; exit 1" 1 2 15
+
+# Run the compile.
+"$prog" $args
+status=$?
+
+if test -f "$cofile"; then
+  mv "$cofile" "$ofile"
+fi
+
+rmdir $lockdir
+exit $status
+
+# Local Variables:
+# mode: shell-script
+# sh-indentation: 2
+# eval: (add-hook 'write-file-hooks 'time-stamp)
+# time-stamp-start: "scriptversion="
+# time-stamp-format: "%:y-%02m-%02d.%02H"
+# time-stamp-end: "$"
+# End:
diff --git a/config.guess b/config.guess
new file mode 100755
index 0000000000..6bdac8d7b6
--- /dev/null
+++ b/config.guess
@@ -0,0 +1,1388 @@
+#! /bin/sh
+# Attempt to guess a canonical system name.
+#   Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999,
+#   2000, 2001, 2002, 2003 Free Software Foundation, Inc.
+
+timestamp='2003-05-09'
+
+# This file is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+#
+# As a special exception to the GNU General Public License, if you
+# distribute this file as part of a program that contains a
+# configuration script generated by Autoconf, you may include it under
+# the same distribution terms that you use for the rest of that program.
+
+# Originally written by Per Bothner <per@bothner.com>.
+# Please send patches to <config-patches@gnu.org>.  Submit a context
+# diff and a properly formatted ChangeLog entry.
+#
+# This script attempts to guess a canonical system name similar to
+# config.sub.  If it succeeds, it prints the system name on stdout, and
+# exits with 0.  Otherwise, it exits with 1.
+#
+# The plan is that this can be called by configure scripts if you
+# don't specify an explicit build system type.
+
+me=`echo "$0" | sed -e 's,.*/,,'`
+
+usage="\
+Usage: $0 [OPTION]
+
+Output the configuration name of the system \`$me' is run on.
+
+Operation modes:
+  -h, --help         print this help, then exit
+  -t, --time-stamp   print date of last modification, then exit
+  -v, --version      print version number, then exit
+
+Report bugs and patches to <config-patches@gnu.org>."
+
+version="\
+GNU config.guess ($timestamp)
+
+Originally written by Per Bothner.
+Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001
+Free Software Foundation, Inc.
+
+This is free software; see the source for copying conditions.  There is NO
+warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
+
+help="
+Try \`$me --help' for more information."
+
+# Parse command line
+while test $# -gt 0 ; do
+  case $1 in
+    --time-stamp | --time* | -t )
+       echo "$timestamp" ; exit 0 ;;
+    --version | -v )
+       echo "$version" ; exit 0 ;;
+    --help | --h* | -h )
+       echo "$usage"; exit 0 ;;
+    -- )     # Stop option processing
+       shift; break ;;
+    - )	# Use stdin as input.
+       break ;;
+    -* )
+       echo "$me: invalid option $1$help" >&2
+       exit 1 ;;
+    * )
+       break ;;
+  esac
+done
+
+if test $# != 0; then
+  echo "$me: too many arguments$help" >&2
+  exit 1
+fi
+
+trap 'exit 1' 1 2 15
+
+# CC_FOR_BUILD -- compiler used by this script. Note that the use of a
+# compiler to aid in system detection is discouraged as it requires
+# temporary files to be created and, as you can see below, it is a
+# headache to deal with in a portable fashion.
+
+# Historically, `CC_FOR_BUILD' used to be named `HOST_CC'. We still
+# use `HOST_CC' if defined, but it is deprecated.
+
+# Portable tmp directory creation inspired by the Autoconf team.
+
+set_cc_for_build='
+trap "exitcode=\$?; (rm -f \$tmpfiles 2>/dev/null; rmdir \$tmp 2>/dev/null) && exit \$exitcode" 0 ;
+trap "rm -f \$tmpfiles 2>/dev/null; rmdir \$tmp 2>/dev/null; exit 1" 1 2 13 15 ;
+: ${TMPDIR=/tmp} ;
+ { tmp=`(umask 077 && mktemp -d -q "$TMPDIR/cgXXXXXX") 2>/dev/null` && test -n "$tmp" && test -d "$tmp" ; } ||
+ { test -n "$RANDOM" && tmp=$TMPDIR/cg$$-$RANDOM && (umask 077 && mkdir $tmp) ; } ||
+ { echo "$me: cannot create a temporary directory in $TMPDIR" >&2 ; exit 1 ; } ;
+dummy=$tmp/dummy ;
+tmpfiles="$dummy.c $dummy.o $dummy.rel $dummy" ;
+case $CC_FOR_BUILD,$HOST_CC,$CC in
+ ,,)    echo "int x;" > $dummy.c ;
+	for c in cc gcc c89 c99 ; do
+	  if ($c -c -o $dummy.o $dummy.c) >/dev/null 2>&1 ; then
+	     CC_FOR_BUILD="$c"; break ;
+	  fi ;
+	done ;
+	if test x"$CC_FOR_BUILD" = x ; then
+	  CC_FOR_BUILD=no_compiler_found ;
+	fi
+	;;
+ ,,*)   CC_FOR_BUILD=$CC ;;
+ ,*,*)  CC_FOR_BUILD=$HOST_CC ;;
+esac ;'
+
+# This is needed to find uname on a Pyramid OSx when run in the BSD universe.
+# (ghazi@noc.rutgers.edu 1994-08-24)
+if (test -f /.attbin/uname) >/dev/null 2>&1 ; then
+	PATH=$PATH:/.attbin ; export PATH
+fi
+
+UNAME_MACHINE=`(uname -m) 2>/dev/null` || UNAME_MACHINE=unknown
+UNAME_RELEASE=`(uname -r) 2>/dev/null` || UNAME_RELEASE=unknown
+UNAME_SYSTEM=`(uname -s) 2>/dev/null`  || UNAME_SYSTEM=unknown
+UNAME_VERSION=`(uname -v) 2>/dev/null` || UNAME_VERSION=unknown
+
+# Note: order is significant - the case branches are not exclusive.
+
+case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
+    *:NetBSD:*:*)
+	# NetBSD (nbsd) targets should (where applicable) match one or
+	# more of the tupples: *-*-netbsdelf*, *-*-netbsdaout*,
+	# *-*-netbsdecoff* and *-*-netbsd*.  For targets that recently
+	# switched to ELF, *-*-netbsd* would select the old
+	# object file format.  This provides both forward
+	# compatibility and a consistent mechanism for selecting the
+	# object file format.
+	#
+	# Note: NetBSD doesn't particularly care about the vendor
+	# portion of the name.  We always set it to "unknown".
+	sysctl="sysctl -n hw.machine_arch"
+	UNAME_MACHINE_ARCH=`(/sbin/$sysctl 2>/dev/null || \
+	    /usr/sbin/$sysctl 2>/dev/null || echo unknown)`
+	case "${UNAME_MACHINE_ARCH}" in
+	    armeb) machine=armeb-unknown ;;
+	    arm*) machine=arm-unknown ;;
+	    sh3el) machine=shl-unknown ;;
+	    sh3eb) machine=sh-unknown ;;
+	    *) machine=${UNAME_MACHINE_ARCH}-unknown ;;
+	esac
+	# The Operating System including object format, if it has switched
+	# to ELF recently, or will in the future.
+	case "${UNAME_MACHINE_ARCH}" in
+	    arm*|i386|m68k|ns32k|sh3*|sparc|vax)
+		eval $set_cc_for_build
+		if echo __ELF__ | $CC_FOR_BUILD -E - 2>/dev/null \
+			| grep __ELF__ >/dev/null
+		then
+		    # Once all utilities can be ECOFF (netbsdecoff) or a.out (netbsdaout).
+		    # Return netbsd for either.  FIX?
+		    os=netbsd
+		else
+		    os=netbsdelf
+		fi
+		;;
+	    *)
+	        os=netbsd
+		;;
+	esac
+	# The OS release
+	# Debian GNU/NetBSD machines have a different userland, and
+	# thus, need a distinct triplet. However, they do not need
+	# kernel version information, so it can be replaced with a
+	# suitable tag, in the style of linux-gnu.
+	case "${UNAME_VERSION}" in
+	    Debian*)
+		release='-gnu'
+		;;
+	    *)
+		release=`echo ${UNAME_RELEASE}|sed -e 's/[-_].*/\./'`
+		;;
+	esac
+	# Since CPU_TYPE-MANUFACTURER-KERNEL-OPERATING_SYSTEM:
+	# contains redundant information, the shorter form:
+	# CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM is used.
+	echo "${machine}-${os}${release}"
+	exit 0 ;;
+    amiga:OpenBSD:*:*)
+	echo m68k-unknown-openbsd${UNAME_RELEASE}
+	exit 0 ;;
+    arc:OpenBSD:*:*)
+	echo mipsel-unknown-openbsd${UNAME_RELEASE}
+	exit 0 ;;
+    hp300:OpenBSD:*:*)
+	echo m68k-unknown-openbsd${UNAME_RELEASE}
+	exit 0 ;;
+    mac68k:OpenBSD:*:*)
+	echo m68k-unknown-openbsd${UNAME_RELEASE}
+	exit 0 ;;
+    macppc:OpenBSD:*:*)
+	echo powerpc-unknown-openbsd${UNAME_RELEASE}
+	exit 0 ;;
+    mvme68k:OpenBSD:*:*)
+	echo m68k-unknown-openbsd${UNAME_RELEASE}
+	exit 0 ;;
+    mvme88k:OpenBSD:*:*)
+	echo m88k-unknown-openbsd${UNAME_RELEASE}
+	exit 0 ;;
+    mvmeppc:OpenBSD:*:*)
+	echo powerpc-unknown-openbsd${UNAME_RELEASE}
+	exit 0 ;;
+    pmax:OpenBSD:*:*)
+	echo mipsel-unknown-openbsd${UNAME_RELEASE}
+	exit 0 ;;
+    sgi:OpenBSD:*:*)
+	echo mipseb-unknown-openbsd${UNAME_RELEASE}
+	exit 0 ;;
+    sun3:OpenBSD:*:*)
+	echo m68k-unknown-openbsd${UNAME_RELEASE}
+	exit 0 ;;
+    wgrisc:OpenBSD:*:*)
+	echo mipsel-unknown-openbsd${UNAME_RELEASE}
+	exit 0 ;;
+    *:OpenBSD:*:*)
+	echo ${UNAME_MACHINE}-unknown-openbsd${UNAME_RELEASE}
+	exit 0 ;;
+    alpha:OSF1:*:*)
+	if test $UNAME_RELEASE = "V4.0"; then
+		UNAME_RELEASE=`/usr/sbin/sizer -v | awk '{print $3}'`
+	fi
+	# According to Compaq, /usr/sbin/psrinfo has been available on
+	# OSF/1 and Tru64 systems produced since 1995.  I hope that
+	# covers most systems running today.  This code pipes the CPU
+	# types through head -n 1, so we only detect the type of CPU 0.
+	ALPHA_CPU_TYPE=`/usr/sbin/psrinfo -v | sed -n -e 's/^  The alpha \(.*\) processor.*$/\1/p' | head -n 1`
+	case "$ALPHA_CPU_TYPE" in
+	    "EV4 (21064)")
+		UNAME_MACHINE="alpha" ;;
+	    "EV4.5 (21064)")
+		UNAME_MACHINE="alpha" ;;
+	    "LCA4 (21066/21068)")
+		UNAME_MACHINE="alpha" ;;
+	    "EV5 (21164)")
+		UNAME_MACHINE="alphaev5" ;;
+	    "EV5.6 (21164A)")
+		UNAME_MACHINE="alphaev56" ;;
+	    "EV5.6 (21164PC)")
+		UNAME_MACHINE="alphapca56" ;;
+	    "EV5.7 (21164PC)")
+		UNAME_MACHINE="alphapca57" ;;
+	    "EV6 (21264)")
+		UNAME_MACHINE="alphaev6" ;;
+	    "EV6.7 (21264A)")
+		UNAME_MACHINE="alphaev67" ;;
+	    "EV6.8CB (21264C)")
+		UNAME_MACHINE="alphaev68" ;;
+	    "EV6.8AL (21264B)")
+		UNAME_MACHINE="alphaev68" ;;
+	    "EV6.8CX (21264D)")
+		UNAME_MACHINE="alphaev68" ;;
+	    "EV6.9A (21264/EV69A)")
+		UNAME_MACHINE="alphaev69" ;;
+	    "EV7 (21364)")
+		UNAME_MACHINE="alphaev7" ;;
+	    "EV7.9 (21364A)")
+		UNAME_MACHINE="alphaev79" ;;
+	esac
+	# A Vn.n version is a released version.
+	# A Tn.n version is a released field test version.
+	# A Xn.n version is an unreleased experimental baselevel.
+	# 1.2 uses "1.2" for uname -r.
+	echo ${UNAME_MACHINE}-dec-osf`echo ${UNAME_RELEASE} | sed -e 's/^[VTX]//' | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'`
+	exit 0 ;;
+    Alpha\ *:Windows_NT*:*)
+	# How do we know it's Interix rather than the generic POSIX subsystem?
+	# Should we change UNAME_MACHINE based on the output of uname instead
+	# of the specific Alpha model?
+	echo alpha-pc-interix
+	exit 0 ;;
+    21064:Windows_NT:50:3)
+	echo alpha-dec-winnt3.5
+	exit 0 ;;
+    Amiga*:UNIX_System_V:4.0:*)
+	echo m68k-unknown-sysv4
+	exit 0;;
+    *:[Aa]miga[Oo][Ss]:*:*)
+	echo ${UNAME_MACHINE}-unknown-amigaos
+	exit 0 ;;
+    *:[Mm]orph[Oo][Ss]:*:*)
+	echo ${UNAME_MACHINE}-unknown-morphos
+	exit 0 ;;
+    *:OS/390:*:*)
+	echo i370-ibm-openedition
+	exit 0 ;;
+    arm:RISC*:1.[012]*:*|arm:riscix:1.[012]*:*)
+	echo arm-acorn-riscix${UNAME_RELEASE}
+	exit 0;;
+    SR2?01:HI-UX/MPP:*:* | SR8000:HI-UX/MPP:*:*)
+	echo hppa1.1-hitachi-hiuxmpp
+	exit 0;;
+    Pyramid*:OSx*:*:* | MIS*:OSx*:*:* | MIS*:SMP_DC-OSx*:*:*)
+	# akee@wpdis03.wpafb.af.mil (Earle F. Ake) contributed MIS and NILE.
+	if test "`(/bin/universe) 2>/dev/null`" = att ; then
+		echo pyramid-pyramid-sysv3
+	else
+		echo pyramid-pyramid-bsd
+	fi
+	exit 0 ;;
+    NILE*:*:*:dcosx)
+	echo pyramid-pyramid-svr4
+	exit 0 ;;
+    DRS?6000:UNIX_SV:4.2*:7*)
+	case `/usr/bin/uname -p` in
+	    sparc) echo sparc-icl-nx7 && exit 0 ;;
+	esac ;;
+    sun4H:SunOS:5.*:*)
+	echo sparc-hal-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
+	exit 0 ;;
+    sun4*:SunOS:5.*:* | tadpole*:SunOS:5.*:*)
+	echo sparc-sun-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
+	exit 0 ;;
+    i86pc:SunOS:5.*:*)
+	echo i386-pc-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
+	exit 0 ;;
+    sun4*:SunOS:6*:*)
+	# According to config.sub, this is the proper way to canonicalize
+	# SunOS6.  Hard to guess exactly what SunOS6 will be like, but
+	# it's likely to be more like Solaris than SunOS4.
+	echo sparc-sun-solaris3`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
+	exit 0 ;;
+    sun4*:SunOS:*:*)
+	case "`/usr/bin/arch -k`" in
+	    Series*|S4*)
+		UNAME_RELEASE=`uname -v`
+		;;
+	esac
+	# Japanese Language versions have a version number like `4.1.3-JL'.
+	echo sparc-sun-sunos`echo ${UNAME_RELEASE}|sed -e 's/-/_/'`
+	exit 0 ;;
+    sun3*:SunOS:*:*)
+	echo m68k-sun-sunos${UNAME_RELEASE}
+	exit 0 ;;
+    sun*:*:4.2BSD:*)
+	UNAME_RELEASE=`(sed 1q /etc/motd | awk '{print substr($5,1,3)}') 2>/dev/null`
+	test "x${UNAME_RELEASE}" = "x" && UNAME_RELEASE=3
+	case "`/bin/arch`" in
+	    sun3)
+		echo m68k-sun-sunos${UNAME_RELEASE}
+		;;
+	    sun4)
+		echo sparc-sun-sunos${UNAME_RELEASE}
+		;;
+	esac
+	exit 0 ;;
+    aushp:SunOS:*:*)
+	echo sparc-auspex-sunos${UNAME_RELEASE}
+	exit 0 ;;
+    # The situation for MiNT is a little confusing.  The machine name
+    # can be virtually everything (everything which is not
+    # "atarist" or "atariste" at least should have a processor
+    # > m68000).  The system name ranges from "MiNT" over "FreeMiNT"
+    # to the lowercase version "mint" (or "freemint").  Finally
+    # the system name "TOS" denotes a system which is actually not
+    # MiNT.  But MiNT is downward compatible to TOS, so this should
+    # be no problem.
+    atarist[e]:*MiNT:*:* | atarist[e]:*mint:*:* | atarist[e]:*TOS:*:*)
+        echo m68k-atari-mint${UNAME_RELEASE}
+	exit 0 ;;
+    atari*:*MiNT:*:* | atari*:*mint:*:* | atarist[e]:*TOS:*:*)
+	echo m68k-atari-mint${UNAME_RELEASE}
+        exit 0 ;;
+    *falcon*:*MiNT:*:* | *falcon*:*mint:*:* | *falcon*:*TOS:*:*)
+        echo m68k-atari-mint${UNAME_RELEASE}
+	exit 0 ;;
+    milan*:*MiNT:*:* | milan*:*mint:*:* | *milan*:*TOS:*:*)
+        echo m68k-milan-mint${UNAME_RELEASE}
+        exit 0 ;;
+    hades*:*MiNT:*:* | hades*:*mint:*:* | *hades*:*TOS:*:*)
+        echo m68k-hades-mint${UNAME_RELEASE}
+        exit 0 ;;
+    *:*MiNT:*:* | *:*mint:*:* | *:*TOS:*:*)
+        echo m68k-unknown-mint${UNAME_RELEASE}
+        exit 0 ;;
+    powerpc:machten:*:*)
+	echo powerpc-apple-machten${UNAME_RELEASE}
+	exit 0 ;;
+    RISC*:Mach:*:*)
+	echo mips-dec-mach_bsd4.3
+	exit 0 ;;
+    RISC*:ULTRIX:*:*)
+	echo mips-dec-ultrix${UNAME_RELEASE}
+	exit 0 ;;
+    VAX*:ULTRIX*:*:*)
+	echo vax-dec-ultrix${UNAME_RELEASE}
+	exit 0 ;;
+    2020:CLIX:*:* | 2430:CLIX:*:*)
+	echo clipper-intergraph-clix${UNAME_RELEASE}
+	exit 0 ;;
+    mips:*:*:UMIPS | mips:*:*:RISCos)
+	eval $set_cc_for_build
+	sed 's/^	//' << EOF >$dummy.c
+#ifdef __cplusplus
+#include <stdio.h>  /* for printf() prototype */
+	int main (int argc, char *argv[]) {
+#else
+	int main (argc, argv) int argc; char *argv[]; {
+#endif
+	#if defined (host_mips) && defined (MIPSEB)
+	#if defined (SYSTYPE_SYSV)
+	  printf ("mips-mips-riscos%ssysv\n", argv[1]); exit (0);
+	#endif
+	#if defined (SYSTYPE_SVR4)
+	  printf ("mips-mips-riscos%ssvr4\n", argv[1]); exit (0);
+	#endif
+	#if defined (SYSTYPE_BSD43) || defined(SYSTYPE_BSD)
+	  printf ("mips-mips-riscos%sbsd\n", argv[1]); exit (0);
+	#endif
+	#endif
+	  exit (-1);
+	}
+EOF
+	$CC_FOR_BUILD -o $dummy $dummy.c \
+	  && $dummy `echo "${UNAME_RELEASE}" | sed -n 's/\([0-9]*\).*/\1/p'` \
+	  && exit 0
+	echo mips-mips-riscos${UNAME_RELEASE}
+	exit 0 ;;
+    Motorola:PowerMAX_OS:*:*)
+	echo powerpc-motorola-powermax
+	exit 0 ;;
+    Motorola:*:4.3:PL8-*)
+	echo powerpc-harris-powermax
+	exit 0 ;;
+    Night_Hawk:*:*:PowerMAX_OS | Synergy:PowerMAX_OS:*:*)
+	echo powerpc-harris-powermax
+	exit 0 ;;
+    Night_Hawk:Power_UNIX:*:*)
+	echo powerpc-harris-powerunix
+	exit 0 ;;
+    m88k:CX/UX:7*:*)
+	echo m88k-harris-cxux7
+	exit 0 ;;
+    m88k:*:4*:R4*)
+	echo m88k-motorola-sysv4
+	exit 0 ;;
+    m88k:*:3*:R3*)
+	echo m88k-motorola-sysv3
+	exit 0 ;;
+    AViiON:dgux:*:*)
+        # DG/UX returns AViiON for all architectures
+        UNAME_PROCESSOR=`/usr/bin/uname -p`
+	if [ $UNAME_PROCESSOR = mc88100 ] || [ $UNAME_PROCESSOR = mc88110 ]
+	then
+	    if [ ${TARGET_BINARY_INTERFACE}x = m88kdguxelfx ] || \
+	       [ ${TARGET_BINARY_INTERFACE}x = x ]
+	    then
+		echo m88k-dg-dgux${UNAME_RELEASE}
+	    else
+		echo m88k-dg-dguxbcs${UNAME_RELEASE}
+	    fi
+	else
+	    echo i586-dg-dgux${UNAME_RELEASE}
+	fi
+ 	exit 0 ;;
+    M88*:DolphinOS:*:*)	# DolphinOS (SVR3)
+	echo m88k-dolphin-sysv3
+	exit 0 ;;
+    M88*:*:R3*:*)
+	# Delta 88k system running SVR3
+	echo m88k-motorola-sysv3
+	exit 0 ;;
+    XD88*:*:*:*) # Tektronix XD88 system running UTekV (SVR3)
+	echo m88k-tektronix-sysv3
+	exit 0 ;;
+    Tek43[0-9][0-9]:UTek:*:*) # Tektronix 4300 system running UTek (BSD)
+	echo m68k-tektronix-bsd
+	exit 0 ;;
+    *:IRIX*:*:*)
+	echo mips-sgi-irix`echo ${UNAME_RELEASE}|sed -e 's/-/_/g'`
+	exit 0 ;;
+    ????????:AIX?:[12].1:2)   # AIX 2.2.1 or AIX 2.1.1 is RT/PC AIX.
+	echo romp-ibm-aix      # uname -m gives an 8 hex-code CPU id
+	exit 0 ;;              # Note that: echo "'`uname -s`'" gives 'AIX '
+    i*86:AIX:*:*)
+	echo i386-ibm-aix
+	exit 0 ;;
+    ia64:AIX:*:*)
+	if [ -x /usr/bin/oslevel ] ; then
+		IBM_REV=`/usr/bin/oslevel`
+	else
+		IBM_REV=${UNAME_VERSION}.${UNAME_RELEASE}
+	fi
+	echo ${UNAME_MACHINE}-ibm-aix${IBM_REV}
+	exit 0 ;;
+    *:AIX:2:3)
+	if grep bos325 /usr/include/stdio.h >/dev/null 2>&1; then
+		eval $set_cc_for_build
+		sed 's/^		//' << EOF >$dummy.c
+		#include <sys/systemcfg.h>
+
+		main()
+			{
+			if (!__power_pc())
+				exit(1);
+			puts("powerpc-ibm-aix3.2.5");
+			exit(0);
+			}
+EOF
+		$CC_FOR_BUILD -o $dummy $dummy.c && $dummy && exit 0
+		echo rs6000-ibm-aix3.2.5
+	elif grep bos324 /usr/include/stdio.h >/dev/null 2>&1; then
+		echo rs6000-ibm-aix3.2.4
+	else
+		echo rs6000-ibm-aix3.2
+	fi
+	exit 0 ;;
+    *:AIX:*:[45])
+	IBM_CPU_ID=`/usr/sbin/lsdev -C -c processor -S available | sed 1q | awk '{ print $1 }'`
+	if /usr/sbin/lsattr -El ${IBM_CPU_ID} | grep ' POWER' >/dev/null 2>&1; then
+		IBM_ARCH=rs6000
+	else
+		IBM_ARCH=powerpc
+	fi
+	if [ -x /usr/bin/oslevel ] ; then
+		IBM_REV=`/usr/bin/oslevel`
+	else
+		IBM_REV=${UNAME_VERSION}.${UNAME_RELEASE}
+	fi
+	echo ${IBM_ARCH}-ibm-aix${IBM_REV}
+	exit 0 ;;
+    *:AIX:*:*)
+	echo rs6000-ibm-aix
+	exit 0 ;;
+    ibmrt:4.4BSD:*|romp-ibm:BSD:*)
+	echo romp-ibm-bsd4.4
+	exit 0 ;;
+    ibmrt:*BSD:*|romp-ibm:BSD:*)            # covers RT/PC BSD and
+	echo romp-ibm-bsd${UNAME_RELEASE}   # 4.3 with uname added to
+	exit 0 ;;                           # report: romp-ibm BSD 4.3
+    *:BOSX:*:*)
+	echo rs6000-bull-bosx
+	exit 0 ;;
+    DPX/2?00:B.O.S.:*:*)
+	echo m68k-bull-sysv3
+	exit 0 ;;
+    9000/[34]??:4.3bsd:1.*:*)
+	echo m68k-hp-bsd
+	exit 0 ;;
+    hp300:4.4BSD:*:* | 9000/[34]??:4.3bsd:2.*:*)
+	echo m68k-hp-bsd4.4
+	exit 0 ;;
+    9000/[34678]??:HP-UX:*:*)
+	HPUX_REV=`echo ${UNAME_RELEASE}|sed -e 's/[^.]*.[0B]*//'`
+	case "${UNAME_MACHINE}" in
+	    9000/31? )            HP_ARCH=m68000 ;;
+	    9000/[34]?? )         HP_ARCH=m68k ;;
+	    9000/[678][0-9][0-9])
+		if [ -x /usr/bin/getconf ]; then
+		    sc_cpu_version=`/usr/bin/getconf SC_CPU_VERSION 2>/dev/null`
+                    sc_kernel_bits=`/usr/bin/getconf SC_KERNEL_BITS 2>/dev/null`
+                    case "${sc_cpu_version}" in
+                      523) HP_ARCH="hppa1.0" ;; # CPU_PA_RISC1_0
+                      528) HP_ARCH="hppa1.1" ;; # CPU_PA_RISC1_1
+                      532)                      # CPU_PA_RISC2_0
+                        case "${sc_kernel_bits}" in
+                          32) HP_ARCH="hppa2.0n" ;;
+                          64) HP_ARCH="hppa2.0w" ;;
+			  '') HP_ARCH="hppa2.0" ;;   # HP-UX 10.20
+                        esac ;;
+                    esac
+		fi
+		if [ "${HP_ARCH}" = "" ]; then
+		    eval $set_cc_for_build
+		    sed 's/^              //' << EOF >$dummy.c
+
+              #define _HPUX_SOURCE
+              #include <stdlib.h>
+              #include <unistd.h>
+
+              int main ()
+              {
+              #if defined(_SC_KERNEL_BITS)
+                  long bits = sysconf(_SC_KERNEL_BITS);
+              #endif
+                  long cpu  = sysconf (_SC_CPU_VERSION);
+
+                  switch (cpu)
+              	{
+              	case CPU_PA_RISC1_0: puts ("hppa1.0"); break;
+              	case CPU_PA_RISC1_1: puts ("hppa1.1"); break;
+              	case CPU_PA_RISC2_0:
+              #if defined(_SC_KERNEL_BITS)
+              	    switch (bits)
+              		{
+              		case 64: puts ("hppa2.0w"); break;
+              		case 32: puts ("hppa2.0n"); break;
+              		default: puts ("hppa2.0"); break;
+              		} break;
+              #else  /* !defined(_SC_KERNEL_BITS) */
+              	    puts ("hppa2.0"); break;
+              #endif
+              	default: puts ("hppa1.0"); break;
+              	}
+                  exit (0);
+              }
+EOF
+		    (CCOPTS= $CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null) && HP_ARCH=`$dummy`
+		    test -z "$HP_ARCH" && HP_ARCH=hppa
+		fi ;;
+	esac
+	if [ ${HP_ARCH} = "hppa2.0w" ]
+	then
+	    # avoid double evaluation of $set_cc_for_build
+	    test -n "$CC_FOR_BUILD" || eval $set_cc_for_build
+	    if echo __LP64__ | (CCOPTS= $CC_FOR_BUILD -E -) | grep __LP64__ >/dev/null
+	    then
+		HP_ARCH="hppa2.0w"
+	    else
+		HP_ARCH="hppa64"
+	    fi
+	fi
+	echo ${HP_ARCH}-hp-hpux${HPUX_REV}
+	exit 0 ;;
+    ia64:HP-UX:*:*)
+	HPUX_REV=`echo ${UNAME_RELEASE}|sed -e 's/[^.]*.[0B]*//'`
+	echo ia64-hp-hpux${HPUX_REV}
+	exit 0 ;;
+    3050*:HI-UX:*:*)
+	eval $set_cc_for_build
+	sed 's/^	//' << EOF >$dummy.c
+	#include <unistd.h>
+	int
+	main ()
+	{
+	  long cpu = sysconf (_SC_CPU_VERSION);
+	  /* The order matters, because CPU_IS_HP_MC68K erroneously returns
+	     true for CPU_PA_RISC1_0.  CPU_IS_PA_RISC returns correct
+	     results, however.  */
+	  if (CPU_IS_PA_RISC (cpu))
+	    {
+	      switch (cpu)
+		{
+		  case CPU_PA_RISC1_0: puts ("hppa1.0-hitachi-hiuxwe2"); break;
+		  case CPU_PA_RISC1_1: puts ("hppa1.1-hitachi-hiuxwe2"); break;
+		  case CPU_PA_RISC2_0: puts ("hppa2.0-hitachi-hiuxwe2"); break;
+		  default: puts ("hppa-hitachi-hiuxwe2"); break;
+		}
+	    }
+	  else if (CPU_IS_HP_MC68K (cpu))
+	    puts ("m68k-hitachi-hiuxwe2");
+	  else puts ("unknown-hitachi-hiuxwe2");
+	  exit (0);
+	}
+EOF
+	$CC_FOR_BUILD -o $dummy $dummy.c && $dummy && exit 0
+	echo unknown-hitachi-hiuxwe2
+	exit 0 ;;
+    9000/7??:4.3bsd:*:* | 9000/8?[79]:4.3bsd:*:* )
+	echo hppa1.1-hp-bsd
+	exit 0 ;;
+    9000/8??:4.3bsd:*:*)
+	echo hppa1.0-hp-bsd
+	exit 0 ;;
+    *9??*:MPE/iX:*:* | *3000*:MPE/iX:*:*)
+	echo hppa1.0-hp-mpeix
+	exit 0 ;;
+    hp7??:OSF1:*:* | hp8?[79]:OSF1:*:* )
+	echo hppa1.1-hp-osf
+	exit 0 ;;
+    hp8??:OSF1:*:*)
+	echo hppa1.0-hp-osf
+	exit 0 ;;
+    i*86:OSF1:*:*)
+	if [ -x /usr/sbin/sysversion ] ; then
+	    echo ${UNAME_MACHINE}-unknown-osf1mk
+	else
+	    echo ${UNAME_MACHINE}-unknown-osf1
+	fi
+	exit 0 ;;
+    parisc*:Lites*:*:*)
+	echo hppa1.1-hp-lites
+	exit 0 ;;
+    C1*:ConvexOS:*:* | convex:ConvexOS:C1*:*)
+	echo c1-convex-bsd
+        exit 0 ;;
+    C2*:ConvexOS:*:* | convex:ConvexOS:C2*:*)
+	if getsysinfo -f scalar_acc
+	then echo c32-convex-bsd
+	else echo c2-convex-bsd
+	fi
+        exit 0 ;;
+    C34*:ConvexOS:*:* | convex:ConvexOS:C34*:*)
+	echo c34-convex-bsd
+        exit 0 ;;
+    C38*:ConvexOS:*:* | convex:ConvexOS:C38*:*)
+	echo c38-convex-bsd
+        exit 0 ;;
+    C4*:ConvexOS:*:* | convex:ConvexOS:C4*:*)
+	echo c4-convex-bsd
+        exit 0 ;;
+    CRAY*Y-MP:*:*:*)
+	echo ymp-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
+	exit 0 ;;
+    CRAY*[A-Z]90:*:*:*)
+	echo ${UNAME_MACHINE}-cray-unicos${UNAME_RELEASE} \
+	| sed -e 's/CRAY.*\([A-Z]90\)/\1/' \
+	      -e y/ABCDEFGHIJKLMNOPQRSTUVWXYZ/abcdefghijklmnopqrstuvwxyz/ \
+	      -e 's/\.[^.]*$/.X/'
+	exit 0 ;;
+    CRAY*TS:*:*:*)
+	echo t90-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
+	exit 0 ;;
+    CRAY*T3E:*:*:*)
+	echo alphaev5-cray-unicosmk${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
+	exit 0 ;;
+    CRAY*SV1:*:*:*)
+	echo sv1-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
+	exit 0 ;;
+    *:UNICOS/mp:*:*)
+	echo nv1-cray-unicosmp${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/' 
+	exit 0 ;;
+    F30[01]:UNIX_System_V:*:* | F700:UNIX_System_V:*:*)
+	FUJITSU_PROC=`uname -m | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'`
+        FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'`
+        FUJITSU_REL=`echo ${UNAME_RELEASE} | sed -e 's/ /_/'`
+        echo "${FUJITSU_PROC}-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}"
+        exit 0 ;;
+    i*86:BSD/386:*:* | i*86:BSD/OS:*:* | *:Ascend\ Embedded/OS:*:*)
+	echo ${UNAME_MACHINE}-pc-bsdi${UNAME_RELEASE}
+	exit 0 ;;
+    sparc*:BSD/OS:*:*)
+	echo sparc-unknown-bsdi${UNAME_RELEASE}
+	exit 0 ;;
+    *:BSD/OS:*:*)
+	echo ${UNAME_MACHINE}-unknown-bsdi${UNAME_RELEASE}
+	exit 0 ;;
+    *:FreeBSD:*:*|*:GNU/FreeBSD:*:*)
+	# Determine whether the default compiler uses glibc.
+	eval $set_cc_for_build
+	sed 's/^	//' << EOF >$dummy.c
+	#include <features.h>
+	#if __GLIBC__ >= 2
+	LIBC=gnu
+	#else
+	LIBC=
+	#endif
+EOF
+	eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep ^LIBC=`
+	echo ${UNAME_MACHINE}-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`${LIBC:+-$LIBC}
+	exit 0 ;;
+    i*:CYGWIN*:*)
+	echo ${UNAME_MACHINE}-pc-cygwin
+	exit 0 ;;
+    i*:MINGW*:*)
+	echo ${UNAME_MACHINE}-pc-mingw32
+	exit 0 ;;
+    i*:PW*:*)
+	echo ${UNAME_MACHINE}-pc-pw32
+	exit 0 ;;
+    x86:Interix*:3*)
+	echo i586-pc-interix3
+	exit 0 ;;
+    [345]86:Windows_95:* | [345]86:Windows_98:* | [345]86:Windows_NT:*)
+	echo i${UNAME_MACHINE}-pc-mks
+	exit 0 ;;
+    i*:Windows_NT*:* | Pentium*:Windows_NT*:*)
+	# How do we know it's Interix rather than the generic POSIX subsystem?
+	# It also conflicts with pre-2.0 versions of AT&T UWIN. Should we
+	# UNAME_MACHINE based on the output of uname instead of i386?
+	echo i586-pc-interix
+	exit 0 ;;
+    i*:UWIN*:*)
+	echo ${UNAME_MACHINE}-pc-uwin
+	exit 0 ;;
+    p*:CYGWIN*:*)
+	echo powerpcle-unknown-cygwin
+	exit 0 ;;
+    prep*:SunOS:5.*:*)
+	echo powerpcle-unknown-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
+	exit 0 ;;
+    *:GNU:*:*)
+	echo `echo ${UNAME_MACHINE}|sed -e 's,[-/].*$,,'`-unknown-gnu`echo ${UNAME_RELEASE}|sed -e 's,/.*$,,'`
+	exit 0 ;;
+    i*86:Minix:*:*)
+	echo ${UNAME_MACHINE}-pc-minix
+	exit 0 ;;
+    arm*:Linux:*:*)
+	echo ${UNAME_MACHINE}-unknown-linux-gnu
+	exit 0 ;;
+    ia64:Linux:*:*)
+	echo ${UNAME_MACHINE}-unknown-linux-gnu
+	exit 0 ;;
+    m68*:Linux:*:*)
+	echo ${UNAME_MACHINE}-unknown-linux-gnu
+	exit 0 ;;
+    mips:Linux:*:*)
+	eval $set_cc_for_build
+	sed 's/^	//' << EOF >$dummy.c
+	#undef CPU
+	#undef mips
+	#undef mipsel
+	#if defined(__MIPSEL__) || defined(__MIPSEL) || defined(_MIPSEL) || defined(MIPSEL)
+	CPU=mipsel
+	#else
+	#if defined(__MIPSEB__) || defined(__MIPSEB) || defined(_MIPSEB) || defined(MIPSEB)
+	CPU=mips
+	#else
+	CPU=
+	#endif
+	#endif
+EOF
+	eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep ^CPU=`
+	test x"${CPU}" != x && echo "${CPU}-unknown-linux-gnu" && exit 0
+	;;
+    mips64:Linux:*:*)
+	eval $set_cc_for_build
+	sed 's/^	//' << EOF >$dummy.c
+	#undef CPU
+	#undef mips64
+	#undef mips64el
+	#if defined(__MIPSEL__) || defined(__MIPSEL) || defined(_MIPSEL) || defined(MIPSEL)
+	CPU=mips64el
+	#else
+	#if defined(__MIPSEB__) || defined(__MIPSEB) || defined(_MIPSEB) || defined(MIPSEB)
+	CPU=mips64
+	#else
+	CPU=
+	#endif
+	#endif
+EOF
+	eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep ^CPU=`
+	test x"${CPU}" != x && echo "${CPU}-unknown-linux-gnu" && exit 0
+	;;
+    ppc:Linux:*:*)
+	echo powerpc-unknown-linux-gnu
+	exit 0 ;;
+    ppc64:Linux:*:*)
+	echo powerpc64-unknown-linux-gnu
+	exit 0 ;;
+    alpha:Linux:*:*)
+	case `sed -n '/^cpu model/s/^.*: \(.*\)/\1/p' < /proc/cpuinfo` in
+	  EV5)   UNAME_MACHINE=alphaev5 ;;
+	  EV56)  UNAME_MACHINE=alphaev56 ;;
+	  PCA56) UNAME_MACHINE=alphapca56 ;;
+	  PCA57) UNAME_MACHINE=alphapca56 ;;
+	  EV6)   UNAME_MACHINE=alphaev6 ;;
+	  EV67)  UNAME_MACHINE=alphaev67 ;;
+	  EV68*) UNAME_MACHINE=alphaev68 ;;
+        esac
+	objdump --private-headers /bin/sh | grep ld.so.1 >/dev/null
+	if test "$?" = 0 ; then LIBC="libc1" ; else LIBC="" ; fi
+	echo ${UNAME_MACHINE}-unknown-linux-gnu${LIBC}
+	exit 0 ;;
+    parisc:Linux:*:* | hppa:Linux:*:*)
+	# Look for CPU level
+	case `grep '^cpu[^a-z]*:' /proc/cpuinfo 2>/dev/null | cut -d' ' -f2` in
+	  PA7*) echo hppa1.1-unknown-linux-gnu ;;
+	  PA8*) echo hppa2.0-unknown-linux-gnu ;;
+	  *)    echo hppa-unknown-linux-gnu ;;
+	esac
+	exit 0 ;;
+    parisc64:Linux:*:* | hppa64:Linux:*:*)
+	echo hppa64-unknown-linux-gnu
+	exit 0 ;;
+    s390:Linux:*:* | s390x:Linux:*:*)
+	echo ${UNAME_MACHINE}-ibm-linux
+	exit 0 ;;
+    sh*:Linux:*:*)
+	echo ${UNAME_MACHINE}-unknown-linux-gnu
+	exit 0 ;;
+    sparc:Linux:*:* | sparc64:Linux:*:*)
+	echo ${UNAME_MACHINE}-unknown-linux-gnu
+	exit 0 ;;
+    x86_64:Linux:*:*)
+	echo x86_64-unknown-linux-gnu
+	exit 0 ;;
+    i*86:Linux:*:*)
+	# The BFD linker knows what the default object file format is, so
+	# first see if it will tell us. cd to the root directory to prevent
+	# problems with other programs or directories called `ld' in the path.
+	# Set LC_ALL=C to ensure ld outputs messages in English.
+	ld_supported_targets=`cd /; LC_ALL=C ld --help 2>&1 \
+			 | sed -ne '/supported targets:/!d
+				    s/[ 	][ 	]*/ /g
+				    s/.*supported targets: *//
+				    s/ .*//
+				    p'`
+        case "$ld_supported_targets" in
+	  elf32-i386)
+		TENTATIVE="${UNAME_MACHINE}-pc-linux-gnu"
+		;;
+	  a.out-i386-linux)
+		echo "${UNAME_MACHINE}-pc-linux-gnuaout"
+		exit 0 ;;
+	  coff-i386)
+		echo "${UNAME_MACHINE}-pc-linux-gnucoff"
+		exit 0 ;;
+	  "")
+		# Either a pre-BFD a.out linker (linux-gnuoldld) or
+		# one that does not give us useful --help.
+		echo "${UNAME_MACHINE}-pc-linux-gnuoldld"
+		exit 0 ;;
+	esac
+	# Determine whether the default compiler is a.out or elf
+	eval $set_cc_for_build
+	sed 's/^	//' << EOF >$dummy.c
+	#include <features.h>
+	#ifdef __ELF__
+	# ifdef __GLIBC__
+	#  if __GLIBC__ >= 2
+	LIBC=gnu
+	#  else
+	LIBC=gnulibc1
+	#  endif
+	# else
+	LIBC=gnulibc1
+	# endif
+	#else
+	#ifdef __INTEL_COMPILER
+	LIBC=gnu
+	#else
+	LIBC=gnuaout
+	#endif
+	#endif
+EOF
+	eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep ^LIBC=`
+	test x"${LIBC}" != x && echo "${UNAME_MACHINE}-pc-linux-${LIBC}" && exit 0
+	test x"${TENTATIVE}" != x && echo "${TENTATIVE}" && exit 0
+	;;
+    i*86:DYNIX/ptx:4*:*)
+	# ptx 4.0 does uname -s correctly, with DYNIX/ptx in there.
+	# earlier versions are messed up and put the nodename in both
+	# sysname and nodename.
+	echo i386-sequent-sysv4
+	exit 0 ;;
+    i*86:UNIX_SV:4.2MP:2.*)
+        # Unixware is an offshoot of SVR4, but it has its own version
+        # number series starting with 2...
+        # I am not positive that other SVR4 systems won't match this,
+	# I just have to hope.  -- rms.
+        # Use sysv4.2uw... so that sysv4* matches it.
+	echo ${UNAME_MACHINE}-pc-sysv4.2uw${UNAME_VERSION}
+	exit 0 ;;
+    i*86:OS/2:*:*)
+	# If we were able to find `uname', then EMX Unix compatibility
+	# is probably installed.
+	echo ${UNAME_MACHINE}-pc-os2-emx
+	exit 0 ;;
+    i*86:XTS-300:*:STOP)
+	echo ${UNAME_MACHINE}-unknown-stop
+	exit 0 ;;
+    i*86:atheos:*:*)
+	echo ${UNAME_MACHINE}-unknown-atheos
+	exit 0 ;;
+    i*86:LynxOS:2.*:* | i*86:LynxOS:3.[01]*:* | i*86:LynxOS:4.0*:*)
+	echo i386-unknown-lynxos${UNAME_RELEASE}
+	exit 0 ;;
+    i*86:*DOS:*:*)
+	echo ${UNAME_MACHINE}-pc-msdosdjgpp
+	exit 0 ;;
+    i*86:*:4.*:* | i*86:SYSTEM_V:4.*:*)
+	UNAME_REL=`echo ${UNAME_RELEASE} | sed 's/\/MP$//'`
+	if grep Novell /usr/include/link.h >/dev/null 2>/dev/null; then
+		echo ${UNAME_MACHINE}-univel-sysv${UNAME_REL}
+	else
+		echo ${UNAME_MACHINE}-pc-sysv${UNAME_REL}
+	fi
+	exit 0 ;;
+    i*86:*:5:[78]*)
+	case `/bin/uname -X | grep "^Machine"` in
+	    *486*)	     UNAME_MACHINE=i486 ;;
+	    *Pentium)	     UNAME_MACHINE=i586 ;;
+	    *Pent*|*Celeron) UNAME_MACHINE=i686 ;;
+	esac
+	echo ${UNAME_MACHINE}-unknown-sysv${UNAME_RELEASE}${UNAME_SYSTEM}${UNAME_VERSION}
+	exit 0 ;;
+    i*86:*:3.2:*)
+	if test -f /usr/options/cb.name; then
+		UNAME_REL=`sed -n 's/.*Version //p' </usr/options/cb.name`
+		echo ${UNAME_MACHINE}-pc-isc$UNAME_REL
+	elif /bin/uname -X 2>/dev/null >/dev/null ; then
+		UNAME_REL=`(/bin/uname -X|grep Release|sed -e 's/.*= //')`
+		(/bin/uname -X|grep i80486 >/dev/null) && UNAME_MACHINE=i486
+		(/bin/uname -X|grep '^Machine.*Pentium' >/dev/null) \
+			&& UNAME_MACHINE=i586
+		(/bin/uname -X|grep '^Machine.*Pent *II' >/dev/null) \
+			&& UNAME_MACHINE=i686
+		(/bin/uname -X|grep '^Machine.*Pentium Pro' >/dev/null) \
+			&& UNAME_MACHINE=i686
+		echo ${UNAME_MACHINE}-pc-sco$UNAME_REL
+	else
+		echo ${UNAME_MACHINE}-pc-sysv32
+	fi
+	exit 0 ;;
+    pc:*:*:*)
+	# Left here for compatibility:
+        # uname -m prints for DJGPP always 'pc', but it prints nothing about
+        # the processor, so we play safe by assuming i386.
+	echo i386-pc-msdosdjgpp
+        exit 0 ;;
+    Intel:Mach:3*:*)
+	echo i386-pc-mach3
+	exit 0 ;;
+    paragon:*:*:*)
+	echo i860-intel-osf1
+	exit 0 ;;
+    i860:*:4.*:*) # i860-SVR4
+	if grep Stardent /usr/include/sys/uadmin.h >/dev/null 2>&1 ; then
+	  echo i860-stardent-sysv${UNAME_RELEASE} # Stardent Vistra i860-SVR4
+	else # Add other i860-SVR4 vendors below as they are discovered.
+	  echo i860-unknown-sysv${UNAME_RELEASE}  # Unknown i860-SVR4
+	fi
+	exit 0 ;;
+    mini*:CTIX:SYS*5:*)
+	# "miniframe"
+	echo m68010-convergent-sysv
+	exit 0 ;;
+    mc68k:UNIX:SYSTEM5:3.51m)
+	echo m68k-convergent-sysv
+	exit 0 ;;
+    M680?0:D-NIX:5.3:*)
+	echo m68k-diab-dnix
+	exit 0 ;;
+    M68*:*:R3V[567]*:*)
+	test -r /sysV68 && echo 'm68k-motorola-sysv' && exit 0 ;;
+    3[34]??:*:4.0:3.0 | 3[34]??A:*:4.0:3.0 | 3[34]??,*:*:4.0:3.0 | 3[34]??/*:*:4.0:3.0 | 4400:*:4.0:3.0 | 4850:*:4.0:3.0 | SKA40:*:4.0:3.0 | SDS2:*:4.0:3.0 | SHG2:*:4.0:3.0)
+	OS_REL=''
+	test -r /etc/.relid \
+	&& OS_REL=.`sed -n 's/[^ ]* [^ ]* \([0-9][0-9]\).*/\1/p' < /etc/.relid`
+	/bin/uname -p 2>/dev/null | grep 86 >/dev/null \
+	  && echo i486-ncr-sysv4.3${OS_REL} && exit 0
+	/bin/uname -p 2>/dev/null | /bin/grep entium >/dev/null \
+	  && echo i586-ncr-sysv4.3${OS_REL} && exit 0 ;;
+    3[34]??:*:4.0:* | 3[34]??,*:*:4.0:*)
+        /bin/uname -p 2>/dev/null | grep 86 >/dev/null \
+          && echo i486-ncr-sysv4 && exit 0 ;;
+    m68*:LynxOS:2.*:* | m68*:LynxOS:3.0*:*)
+	echo m68k-unknown-lynxos${UNAME_RELEASE}
+	exit 0 ;;
+    mc68030:UNIX_System_V:4.*:*)
+	echo m68k-atari-sysv4
+	exit 0 ;;
+    TSUNAMI:LynxOS:2.*:*)
+	echo sparc-unknown-lynxos${UNAME_RELEASE}
+	exit 0 ;;
+    rs6000:LynxOS:2.*:*)
+	echo rs6000-unknown-lynxos${UNAME_RELEASE}
+	exit 0 ;;
+    PowerPC:LynxOS:2.*:* | PowerPC:LynxOS:3.[01]*:* | PowerPC:LynxOS:4.0*:*)
+	echo powerpc-unknown-lynxos${UNAME_RELEASE}
+	exit 0 ;;
+    SM[BE]S:UNIX_SV:*:*)
+	echo mips-dde-sysv${UNAME_RELEASE}
+	exit 0 ;;
+    RM*:ReliantUNIX-*:*:*)
+	echo mips-sni-sysv4
+	exit 0 ;;
+    RM*:SINIX-*:*:*)
+	echo mips-sni-sysv4
+	exit 0 ;;
+    *:SINIX-*:*:*)
+	if uname -p 2>/dev/null >/dev/null ; then
+		UNAME_MACHINE=`(uname -p) 2>/dev/null`
+		echo ${UNAME_MACHINE}-sni-sysv4
+	else
+		echo ns32k-sni-sysv
+	fi
+	exit 0 ;;
+    PENTIUM:*:4.0*:*) # Unisys `ClearPath HMP IX 4000' SVR4/MP effort
+                      # says <Richard.M.Bartel@ccMail.Census.GOV>
+        echo i586-unisys-sysv4
+        exit 0 ;;
+    *:UNIX_System_V:4*:FTX*)
+	# From Gerald Hewes <hewes@openmarket.com>.
+	# How about differentiating between stratus architectures? -djm
+	echo hppa1.1-stratus-sysv4
+	exit 0 ;;
+    *:*:*:FTX*)
+	# From seanf@swdc.stratus.com.
+	echo i860-stratus-sysv4
+	exit 0 ;;
+    *:VOS:*:*)
+	# From Paul.Green@stratus.com.
+	echo hppa1.1-stratus-vos
+	exit 0 ;;
+    mc68*:A/UX:*:*)
+	echo m68k-apple-aux${UNAME_RELEASE}
+	exit 0 ;;
+    news*:NEWS-OS:6*:*)
+	echo mips-sony-newsos6
+	exit 0 ;;
+    R[34]000:*System_V*:*:* | R4000:UNIX_SYSV:*:* | R*000:UNIX_SV:*:*)
+	if [ -d /usr/nec ]; then
+	        echo mips-nec-sysv${UNAME_RELEASE}
+	else
+	        echo mips-unknown-sysv${UNAME_RELEASE}
+	fi
+        exit 0 ;;
+    BeBox:BeOS:*:*)	# BeOS running on hardware made by Be, PPC only.
+	echo powerpc-be-beos
+	exit 0 ;;
+    BeMac:BeOS:*:*)	# BeOS running on Mac or Mac clone, PPC only.
+	echo powerpc-apple-beos
+	exit 0 ;;
+    BePC:BeOS:*:*)	# BeOS running on Intel PC compatible.
+	echo i586-pc-beos
+	exit 0 ;;
+    SX-4:SUPER-UX:*:*)
+	echo sx4-nec-superux${UNAME_RELEASE}
+	exit 0 ;;
+    SX-5:SUPER-UX:*:*)
+	echo sx5-nec-superux${UNAME_RELEASE}
+	exit 0 ;;
+    SX-6:SUPER-UX:*:*)
+	echo sx6-nec-superux${UNAME_RELEASE}
+	exit 0 ;;
+    Power*:Rhapsody:*:*)
+	echo powerpc-apple-rhapsody${UNAME_RELEASE}
+	exit 0 ;;
+    *:Rhapsody:*:*)
+	echo ${UNAME_MACHINE}-apple-rhapsody${UNAME_RELEASE}
+	exit 0 ;;
+    *:Darwin:*:*)
+	case `uname -p` in
+	    *86) UNAME_PROCESSOR=i686 ;;
+	    powerpc) UNAME_PROCESSOR=powerpc ;;
+	esac
+	echo ${UNAME_PROCESSOR}-apple-darwin${UNAME_RELEASE}
+	exit 0 ;;
+    *:procnto*:*:* | *:QNX:[0123456789]*:*)
+	UNAME_PROCESSOR=`uname -p`
+	if test "$UNAME_PROCESSOR" = "x86"; then
+		UNAME_PROCESSOR=i386
+		UNAME_MACHINE=pc
+	fi
+	echo ${UNAME_PROCESSOR}-${UNAME_MACHINE}-nto-qnx${UNAME_RELEASE}
+	exit 0 ;;
+    *:QNX:*:4*)
+	echo i386-pc-qnx
+	exit 0 ;;
+    NSR-[DGKLNPTVW]:NONSTOP_KERNEL:*:*)
+	echo nsr-tandem-nsk${UNAME_RELEASE}
+	exit 0 ;;
+    *:NonStop-UX:*:*)
+	echo mips-compaq-nonstopux
+	exit 0 ;;
+    BS2000:POSIX*:*:*)
+	echo bs2000-siemens-sysv
+	exit 0 ;;
+    DS/*:UNIX_System_V:*:*)
+	echo ${UNAME_MACHINE}-${UNAME_SYSTEM}-${UNAME_RELEASE}
+	exit 0 ;;
+    *:Plan9:*:*)
+	# "uname -m" is not consistent, so use $cputype instead. 386
+	# is converted to i386 for consistency with other x86
+	# operating systems.
+	if test "$cputype" = "386"; then
+	    UNAME_MACHINE=i386
+	else
+	    UNAME_MACHINE="$cputype"
+	fi
+	echo ${UNAME_MACHINE}-unknown-plan9
+	exit 0 ;;
+    *:TOPS-10:*:*)
+	echo pdp10-unknown-tops10
+	exit 0 ;;
+    *:TENEX:*:*)
+	echo pdp10-unknown-tenex
+	exit 0 ;;
+    KS10:TOPS-20:*:* | KL10:TOPS-20:*:* | TYPE4:TOPS-20:*:*)
+	echo pdp10-dec-tops20
+	exit 0 ;;
+    XKL-1:TOPS-20:*:* | TYPE5:TOPS-20:*:*)
+	echo pdp10-xkl-tops20
+	exit 0 ;;
+    *:TOPS-20:*:*)
+	echo pdp10-unknown-tops20
+	exit 0 ;;
+    *:ITS:*:*)
+	echo pdp10-unknown-its
+	exit 0 ;;
+esac
+
+#echo '(No uname command or uname output not recognized.)' 1>&2
+#echo "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" 1>&2
+
+eval $set_cc_for_build
+cat >$dummy.c <<EOF
+#ifdef _SEQUENT_
+# include <sys/types.h>
+# include <sys/utsname.h>
+#endif
+main ()
+{
+#if defined (sony)
+#if defined (MIPSEB)
+  /* BFD wants "bsd" instead of "newsos".  Perhaps BFD should be changed,
+     I don't know....  */
+  printf ("mips-sony-bsd\n"); exit (0);
+#else
+#include <sys/param.h>
+  printf ("m68k-sony-newsos%s\n",
+#ifdef NEWSOS4
+          "4"
+#else
+	  ""
+#endif
+         ); exit (0);
+#endif
+#endif
+
+#if defined (__arm) && defined (__acorn) && defined (__unix)
+  printf ("arm-acorn-riscix"); exit (0);
+#endif
+
+#if defined (hp300) && !defined (hpux)
+  printf ("m68k-hp-bsd\n"); exit (0);
+#endif
+
+#if defined (NeXT)
+#if !defined (__ARCHITECTURE__)
+#define __ARCHITECTURE__ "m68k"
+#endif
+  int version;
+  version=`(hostinfo | sed -n 's/.*NeXT Mach \([0-9]*\).*/\1/p') 2>/dev/null`;
+  if (version < 4)
+    printf ("%s-next-nextstep%d\n", __ARCHITECTURE__, version);
+  else
+    printf ("%s-next-openstep%d\n", __ARCHITECTURE__, version);
+  exit (0);
+#endif
+
+#if defined (MULTIMAX) || defined (n16)
+#if defined (UMAXV)
+  printf ("ns32k-encore-sysv\n"); exit (0);
+#else
+#if defined (CMU)
+  printf ("ns32k-encore-mach\n"); exit (0);
+#else
+  printf ("ns32k-encore-bsd\n"); exit (0);
+#endif
+#endif
+#endif
+
+#if defined (__386BSD__)
+  printf ("i386-pc-bsd\n"); exit (0);
+#endif
+
+#if defined (sequent)
+#if defined (i386)
+  printf ("i386-sequent-dynix\n"); exit (0);
+#endif
+#if defined (ns32000)
+  printf ("ns32k-sequent-dynix\n"); exit (0);
+#endif
+#endif
+
+#if defined (_SEQUENT_)
+    struct utsname un;
+
+    uname(&un);
+
+    if (strncmp(un.version, "V2", 2) == 0) {
+	printf ("i386-sequent-ptx2\n"); exit (0);
+    }
+    if (strncmp(un.version, "V1", 2) == 0) { /* XXX is V1 correct? */
+	printf ("i386-sequent-ptx1\n"); exit (0);
+    }
+    printf ("i386-sequent-ptx\n"); exit (0);
+
+#endif
+
+#if defined (vax)
+# if !defined (ultrix)
+#  include <sys/param.h>
+#  if defined (BSD)
+#   if BSD == 43
+      printf ("vax-dec-bsd4.3\n"); exit (0);
+#   else
+#    if BSD == 199006
+      printf ("vax-dec-bsd4.3reno\n"); exit (0);
+#    else
+      printf ("vax-dec-bsd\n"); exit (0);
+#    endif
+#   endif
+#  else
+    printf ("vax-dec-bsd\n"); exit (0);
+#  endif
+# else
+    printf ("vax-dec-ultrix\n"); exit (0);
+# endif
+#endif
+
+#if defined (alliant) && defined (i860)
+  printf ("i860-alliant-bsd\n"); exit (0);
+#endif
+
+  exit (1);
+}
+EOF
+
+$CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null && $dummy && exit 0
+
+# Apollos put the system type in the environment.
+
+test -d /usr/apollo && { echo ${ISP}-apollo-${SYSTYPE}; exit 0; }
+
+# Convex versions that predate uname can use getsysinfo(1)
+
+if [ -x /usr/convex/getsysinfo ]
+then
+    case `getsysinfo -f cpu_type` in
+    c1*)
+	echo c1-convex-bsd
+	exit 0 ;;
+    c2*)
+	if getsysinfo -f scalar_acc
+	then echo c32-convex-bsd
+	else echo c2-convex-bsd
+	fi
+	exit 0 ;;
+    c34*)
+	echo c34-convex-bsd
+	exit 0 ;;
+    c38*)
+	echo c38-convex-bsd
+	exit 0 ;;
+    c4*)
+	echo c4-convex-bsd
+	exit 0 ;;
+    esac
+fi
+
+cat >&2 <<EOF
+$0: unable to guess system type
+
+This script, last modified $timestamp, has failed to recognize
+the operating system you are using. It is advised that you
+download the most up to date version of the config scripts from
+
+    ftp://ftp.gnu.org/pub/gnu/config/
+
+If the version you run ($0) is already up to date, please
+send the following data and any information you think might be
+pertinent to <config-patches@gnu.org> in order to provide the needed
+information to handle your system.
+
+config.guess timestamp = $timestamp
+
+uname -m = `(uname -m) 2>/dev/null || echo unknown`
+uname -r = `(uname -r) 2>/dev/null || echo unknown`
+uname -s = `(uname -s) 2>/dev/null || echo unknown`
+uname -v = `(uname -v) 2>/dev/null || echo unknown`
+
+/usr/bin/uname -p = `(/usr/bin/uname -p) 2>/dev/null`
+/bin/uname -X     = `(/bin/uname -X) 2>/dev/null`
+
+hostinfo               = `(hostinfo) 2>/dev/null`
+/bin/universe          = `(/bin/universe) 2>/dev/null`
+/usr/bin/arch -k       = `(/usr/bin/arch -k) 2>/dev/null`
+/bin/arch              = `(/bin/arch) 2>/dev/null`
+/usr/bin/oslevel       = `(/usr/bin/oslevel) 2>/dev/null`
+/usr/convex/getsysinfo = `(/usr/convex/getsysinfo) 2>/dev/null`
+
+UNAME_MACHINE = ${UNAME_MACHINE}
+UNAME_RELEASE = ${UNAME_RELEASE}
+UNAME_SYSTEM  = ${UNAME_SYSTEM}
+UNAME_VERSION = ${UNAME_VERSION}
+EOF
+
+exit 1
+
+# Local variables:
+# eval: (add-hook 'write-file-hooks 'time-stamp)
+# time-stamp-start: "timestamp='"
+# time-stamp-format: "%:y-%02m-%02d"
+# time-stamp-end: "'"
+# End:
diff --git a/config.sub b/config.sub
new file mode 100755
index 0000000000..fe4f1edf3c
--- /dev/null
+++ b/config.sub
@@ -0,0 +1,1492 @@
+#! /bin/sh
+# Configuration validation subroutine script.
+#   Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999,
+#   2000, 2001, 2002, 2003 Free Software Foundation, Inc.
+
+timestamp='2003-05-09'
+
+# This file is (in principle) common to ALL GNU software.
+# The presence of a machine in this file suggests that SOME GNU software
+# can handle that machine.  It does not imply ALL GNU software can.
+#
+# This file is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330,
+# Boston, MA 02111-1307, USA.
+
+# As a special exception to the GNU General Public License, if you
+# distribute this file as part of a program that contains a
+# configuration script generated by Autoconf, you may include it under
+# the same distribution terms that you use for the rest of that program.
+
+# Please send patches to <config-patches@gnu.org>.  Submit a context
+# diff and a properly formatted ChangeLog entry.
+#
+# Configuration subroutine to validate and canonicalize a configuration type.
+# Supply the specified configuration type as an argument.
+# If it is invalid, we print an error message on stderr and exit with code 1.
+# Otherwise, we print the canonical config type on stdout and succeed.
+
+# This file is supposed to be the same for all GNU packages
+# and recognize all the CPU types, system types and aliases
+# that are meaningful with *any* GNU software.
+# Each package is responsible for reporting which valid configurations
+# it does not support.  The user should be able to distinguish
+# a failure to support a valid configuration from a meaningless
+# configuration.
+
+# The goal of this file is to map all the various variations of a given
+# machine specification into a single specification in the form:
+#	CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM
+# or in some cases, the newer four-part form:
+#	CPU_TYPE-MANUFACTURER-KERNEL-OPERATING_SYSTEM
+# It is wrong to echo any other type of specification.
+
+me=`echo "$0" | sed -e 's,.*/,,'`
+
+usage="\
+Usage: $0 [OPTION] CPU-MFR-OPSYS
+       $0 [OPTION] ALIAS
+
+Canonicalize a configuration name.
+
+Operation modes:
+  -h, --help         print this help, then exit
+  -t, --time-stamp   print date of last modification, then exit
+  -v, --version      print version number, then exit
+
+Report bugs and patches to <config-patches@gnu.org>."
+
+version="\
+GNU config.sub ($timestamp)
+
+Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001
+Free Software Foundation, Inc.
+
+This is free software; see the source for copying conditions.  There is NO
+warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
+
+help="
+Try \`$me --help' for more information."
+
+# Parse command line
+while test $# -gt 0 ; do
+  case $1 in
+    --time-stamp | --time* | -t )
+       echo "$timestamp" ; exit 0 ;;
+    --version | -v )
+       echo "$version" ; exit 0 ;;
+    --help | --h* | -h )
+       echo "$usage"; exit 0 ;;
+    -- )     # Stop option processing
+       shift; break ;;
+    - )	# Use stdin as input.
+       break ;;
+    -* )
+       echo "$me: invalid option $1$help"
+       exit 1 ;;
+
+    *local*)
+       # First pass through any local machine types.
+       echo $1
+       exit 0;;
+
+    * )
+       break ;;
+  esac
+done
+
+case $# in
+ 0) echo "$me: missing argument$help" >&2
+    exit 1;;
+ 1) ;;
+ *) echo "$me: too many arguments$help" >&2
+    exit 1;;
+esac
+
+# Separate what the user gave into CPU-COMPANY and OS or KERNEL-OS (if any).
+# Here we must recognize all the valid KERNEL-OS combinations.
+maybe_os=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\2/'`
+case $maybe_os in
+  nto-qnx* | linux-gnu* | freebsd*-gnu* | netbsd*-gnu* | storm-chaos* | os2-emx* | rtmk-nova*)
+    os=-$maybe_os
+    basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'`
+    ;;
+  *)
+    basic_machine=`echo $1 | sed 's/-[^-]*$//'`
+    if [ $basic_machine != $1 ]
+    then os=`echo $1 | sed 's/.*-/-/'`
+    else os=; fi
+    ;;
+esac
+
+### Let's recognize common machines as not being operating systems so
+### that things like config.sub decstation-3100 work.  We also
+### recognize some manufacturers as not being operating systems, so we
+### can provide default operating systems below.
+case $os in
+	-sun*os*)
+		# Prevent following clause from handling this invalid input.
+		;;
+	-dec* | -mips* | -sequent* | -encore* | -pc532* | -sgi* | -sony* | \
+	-att* | -7300* | -3300* | -delta* | -motorola* | -sun[234]* | \
+	-unicom* | -ibm* | -next | -hp | -isi* | -apollo | -altos* | \
+	-convergent* | -ncr* | -news | -32* | -3600* | -3100* | -hitachi* |\
+	-c[123]* | -convex* | -sun | -crds | -omron* | -dg | -ultra | -tti* | \
+	-harris | -dolphin | -highlevel | -gould | -cbm | -ns | -masscomp | \
+	-apple | -axis)
+		os=
+		basic_machine=$1
+		;;
+	-sim | -cisco | -oki | -wec | -winbond)
+		os=
+		basic_machine=$1
+		;;
+	-scout)
+		;;
+	-wrs)
+		os=-vxworks
+		basic_machine=$1
+		;;
+	-chorusos*)
+		os=-chorusos
+		basic_machine=$1
+		;;
+ 	-chorusrdb)
+ 		os=-chorusrdb
+		basic_machine=$1
+ 		;;
+	-hiux*)
+		os=-hiuxwe2
+		;;
+	-sco5)
+		os=-sco3.2v5
+		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+		;;
+	-sco4)
+		os=-sco3.2v4
+		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+		;;
+	-sco3.2.[4-9]*)
+		os=`echo $os | sed -e 's/sco3.2./sco3.2v/'`
+		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+		;;
+	-sco3.2v[4-9]*)
+		# Don't forget version if it is 3.2v4 or newer.
+		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+		;;
+	-sco*)
+		os=-sco3.2v2
+		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+		;;
+	-udk*)
+		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+		;;
+	-isc)
+		os=-isc2.2
+		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+		;;
+	-clix*)
+		basic_machine=clipper-intergraph
+		;;
+	-isc*)
+		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+		;;
+	-lynx*)
+		os=-lynxos
+		;;
+	-ptx*)
+		basic_machine=`echo $1 | sed -e 's/86-.*/86-sequent/'`
+		;;
+	-windowsnt*)
+		os=`echo $os | sed -e 's/windowsnt/winnt/'`
+		;;
+	-psos*)
+		os=-psos
+		;;
+	-mint | -mint[0-9]*)
+		basic_machine=m68k-atari
+		os=-mint
+		;;
+esac
+
+# Decode aliases for certain CPU-COMPANY combinations.
+case $basic_machine in
+	# Recognize the basic CPU types without company name.
+	# Some are omitted here because they have special meanings below.
+	1750a | 580 \
+	| a29k \
+	| alpha | alphaev[4-8] | alphaev56 | alphaev6[78] | alphapca5[67] \
+	| alpha64 | alpha64ev[4-8] | alpha64ev56 | alpha64ev6[78] | alpha64pca5[67] \
+	| arc | arm | arm[bl]e | arme[lb] | armv[2345] | armv[345][lb] | avr \
+	| clipper \
+	| d10v | d30v | dlx | dsp16xx \
+	| fr30 | frv \
+	| h8300 | h8500 | hppa | hppa1.[01] | hppa2.0 | hppa2.0[nw] | hppa64 \
+	| i370 | i860 | i960 | ia64 \
+	| ip2k \
+	| m32r | m68000 | m68k | m88k | mcore \
+	| mips | mipsbe | mipseb | mipsel | mipsle \
+	| mips16 \
+	| mips64 | mips64el \
+	| mips64vr | mips64vrel \
+	| mips64orion | mips64orionel \
+	| mips64vr4100 | mips64vr4100el \
+	| mips64vr4300 | mips64vr4300el \
+	| mips64vr5000 | mips64vr5000el \
+	| mipsisa32 | mipsisa32el \
+	| mipsisa32r2 | mipsisa32r2el \
+	| mipsisa64 | mipsisa64el \
+	| mipsisa64sb1 | mipsisa64sb1el \
+	| mipsisa64sr71k | mipsisa64sr71kel \
+	| mipstx39 | mipstx39el \
+	| mn10200 | mn10300 \
+	| msp430 \
+	| ns16k | ns32k \
+	| openrisc | or32 \
+	| pdp10 | pdp11 | pj | pjl \
+	| powerpc | powerpc64 | powerpc64le | powerpcle | ppcbe \
+	| pyramid \
+	| sh | sh[1234] | sh[23]e | sh[34]eb | shbe | shle | sh[1234]le | sh3ele \
+	| sh64 | sh64le \
+	| sparc | sparc64 | sparc86x | sparclet | sparclite | sparcv9 | sparcv9b \
+	| strongarm \
+	| tahoe | thumb | tic80 | tron \
+	| v850 | v850e \
+	| we32k \
+	| x86 | xscale | xstormy16 | xtensa \
+	| z8k)
+		basic_machine=$basic_machine-unknown
+		;;
+	m6811 | m68hc11 | m6812 | m68hc12)
+		# Motorola 68HC11/12.
+		basic_machine=$basic_machine-unknown
+		os=-none
+		;;
+	m88110 | m680[12346]0 | m683?2 | m68360 | m5200 | v70 | w65 | z8k)
+		;;
+
+	# We use `pc' rather than `unknown'
+	# because (1) that's what they normally are, and
+	# (2) the word "unknown" tends to confuse beginning users.
+	i*86 | x86_64)
+	  basic_machine=$basic_machine-pc
+	  ;;
+	# Object if more than one company name word.
+	*-*-*)
+		echo Invalid configuration \`$1\': machine \`$basic_machine\' not recognized 1>&2
+		exit 1
+		;;
+	# Recognize the basic CPU types with company name.
+	580-* \
+	| a29k-* \
+	| alpha-* | alphaev[4-8]-* | alphaev56-* | alphaev6[78]-* \
+	| alpha64-* | alpha64ev[4-8]-* | alpha64ev56-* | alpha64ev6[78]-* \
+	| alphapca5[67]-* | alpha64pca5[67]-* | arc-* \
+	| arm-*  | armbe-* | armle-* | armeb-* | armv*-* \
+	| avr-* \
+	| bs2000-* \
+	| c[123]* | c30-* | [cjt]90-* | c4x-* | c54x-* | c55x-* | c6x-* \
+	| clipper-* | cydra-* \
+	| d10v-* | d30v-* | dlx-* \
+	| elxsi-* \
+	| f30[01]-* | f700-* | fr30-* | frv-* | fx80-* \
+	| h8300-* | h8500-* \
+	| hppa-* | hppa1.[01]-* | hppa2.0-* | hppa2.0[nw]-* | hppa64-* \
+	| i*86-* | i860-* | i960-* | ia64-* \
+	| ip2k-* \
+	| m32r-* \
+	| m68000-* | m680[012346]0-* | m68360-* | m683?2-* | m68k-* \
+	| m88110-* | m88k-* | mcore-* \
+	| mips-* | mipsbe-* | mipseb-* | mipsel-* | mipsle-* \
+	| mips16-* \
+	| mips64-* | mips64el-* \
+	| mips64vr-* | mips64vrel-* \
+	| mips64orion-* | mips64orionel-* \
+	| mips64vr4100-* | mips64vr4100el-* \
+	| mips64vr4300-* | mips64vr4300el-* \
+	| mips64vr5000-* | mips64vr5000el-* \
+	| mipsisa32-* | mipsisa32el-* \
+	| mipsisa32r2-* | mipsisa32r2el-* \
+	| mipsisa64-* | mipsisa64el-* \
+	| mipsisa64sb1-* | mipsisa64sb1el-* \
+	| mipsisa64sr71k-* | mipsisa64sr71kel-* \
+	| mipstx39-* | mipstx39el-* \
+	| msp430-* \
+	| none-* | np1-* | nv1-* | ns16k-* | ns32k-* \
+	| orion-* \
+	| pdp10-* | pdp11-* | pj-* | pjl-* | pn-* | power-* \
+	| powerpc-* | powerpc64-* | powerpc64le-* | powerpcle-* | ppcbe-* \
+	| pyramid-* \
+	| romp-* | rs6000-* \
+	| sh-* | sh[1234]-* | sh[23]e-* | sh[34]eb-* | shbe-* \
+	| shle-* | sh[1234]le-* | sh3ele-* | sh64-* | sh64le-* \
+	| sparc-* | sparc64-* | sparc86x-* | sparclet-* | sparclite-* \
+	| sparcv9-* | sparcv9b-* | strongarm-* | sv1-* | sx?-* \
+	| tahoe-* | thumb-* \
+	| tic30-* | tic4x-* | tic54x-* | tic55x-* | tic6x-* | tic80-* \
+	| tron-* \
+	| v850-* | v850e-* | vax-* \
+	| we32k-* \
+	| x86-* | x86_64-* | xps100-* | xscale-* | xstormy16-* \
+	| xtensa-* \
+	| ymp-* \
+	| z8k-*)
+		;;
+	# Recognize the various machine names and aliases which stand
+	# for a CPU type and a company and sometimes even an OS.
+	386bsd)
+		basic_machine=i386-unknown
+		os=-bsd
+		;;
+	3b1 | 7300 | 7300-att | att-7300 | pc7300 | safari | unixpc)
+		basic_machine=m68000-att
+		;;
+	3b*)
+		basic_machine=we32k-att
+		;;
+	a29khif)
+		basic_machine=a29k-amd
+		os=-udi
+		;;
+	adobe68k)
+		basic_machine=m68010-adobe
+		os=-scout
+		;;
+	alliant | fx80)
+		basic_machine=fx80-alliant
+		;;
+	altos | altos3068)
+		basic_machine=m68k-altos
+		;;
+	am29k)
+		basic_machine=a29k-none
+		os=-bsd
+		;;
+	amd64)
+		basic_machine=x86_64-pc
+		;;
+	amdahl)
+		basic_machine=580-amdahl
+		os=-sysv
+		;;
+	amiga | amiga-*)
+		basic_machine=m68k-unknown
+		;;
+	amigaos | amigados)
+		basic_machine=m68k-unknown
+		os=-amigaos
+		;;
+	amigaunix | amix)
+		basic_machine=m68k-unknown
+		os=-sysv4
+		;;
+	apollo68)
+		basic_machine=m68k-apollo
+		os=-sysv
+		;;
+	apollo68bsd)
+		basic_machine=m68k-apollo
+		os=-bsd
+		;;
+	aux)
+		basic_machine=m68k-apple
+		os=-aux
+		;;
+	balance)
+		basic_machine=ns32k-sequent
+		os=-dynix
+		;;
+	c90)
+		basic_machine=c90-cray
+		os=-unicos
+		;;
+	convex-c1)
+		basic_machine=c1-convex
+		os=-bsd
+		;;
+	convex-c2)
+		basic_machine=c2-convex
+		os=-bsd
+		;;
+	convex-c32)
+		basic_machine=c32-convex
+		os=-bsd
+		;;
+	convex-c34)
+		basic_machine=c34-convex
+		os=-bsd
+		;;
+	convex-c38)
+		basic_machine=c38-convex
+		os=-bsd
+		;;
+	cray | j90)
+		basic_machine=j90-cray
+		os=-unicos
+		;;
+	crds | unos)
+		basic_machine=m68k-crds
+		;;
+	cris | cris-* | etrax*)
+		basic_machine=cris-axis
+		;;
+	da30 | da30-*)
+		basic_machine=m68k-da30
+		;;
+	decstation | decstation-3100 | pmax | pmax-* | pmin | dec3100 | decstatn)
+		basic_machine=mips-dec
+		;;
+	decsystem10* | dec10*)
+		basic_machine=pdp10-dec
+		os=-tops10
+		;;
+	decsystem20* | dec20*)
+		basic_machine=pdp10-dec
+		os=-tops20
+		;;
+	delta | 3300 | motorola-3300 | motorola-delta \
+	      | 3300-motorola | delta-motorola)
+		basic_machine=m68k-motorola
+		;;
+	delta88)
+		basic_machine=m88k-motorola
+		os=-sysv3
+		;;
+	dpx20 | dpx20-*)
+		basic_machine=rs6000-bull
+		os=-bosx
+		;;
+	dpx2* | dpx2*-bull)
+		basic_machine=m68k-bull
+		os=-sysv3
+		;;
+	ebmon29k)
+		basic_machine=a29k-amd
+		os=-ebmon
+		;;
+	elxsi)
+		basic_machine=elxsi-elxsi
+		os=-bsd
+		;;
+	encore | umax | mmax)
+		basic_machine=ns32k-encore
+		;;
+	es1800 | OSE68k | ose68k | ose | OSE)
+		basic_machine=m68k-ericsson
+		os=-ose
+		;;
+	fx2800)
+		basic_machine=i860-alliant
+		;;
+	genix)
+		basic_machine=ns32k-ns
+		;;
+	gmicro)
+		basic_machine=tron-gmicro
+		os=-sysv
+		;;
+	go32)
+		basic_machine=i386-pc
+		os=-go32
+		;;
+	h3050r* | hiux*)
+		basic_machine=hppa1.1-hitachi
+		os=-hiuxwe2
+		;;
+	h8300hms)
+		basic_machine=h8300-hitachi
+		os=-hms
+		;;
+	h8300xray)
+		basic_machine=h8300-hitachi
+		os=-xray
+		;;
+	h8500hms)
+		basic_machine=h8500-hitachi
+		os=-hms
+		;;
+	harris)
+		basic_machine=m88k-harris
+		os=-sysv3
+		;;
+	hp300-*)
+		basic_machine=m68k-hp
+		;;
+	hp300bsd)
+		basic_machine=m68k-hp
+		os=-bsd
+		;;
+	hp300hpux)
+		basic_machine=m68k-hp
+		os=-hpux
+		;;
+	hp3k9[0-9][0-9] | hp9[0-9][0-9])
+		basic_machine=hppa1.0-hp
+		;;
+	hp9k2[0-9][0-9] | hp9k31[0-9])
+		basic_machine=m68000-hp
+		;;
+	hp9k3[2-9][0-9])
+		basic_machine=m68k-hp
+		;;
+	hp9k6[0-9][0-9] | hp6[0-9][0-9])
+		basic_machine=hppa1.0-hp
+		;;
+	hp9k7[0-79][0-9] | hp7[0-79][0-9])
+		basic_machine=hppa1.1-hp
+		;;
+	hp9k78[0-9] | hp78[0-9])
+		# FIXME: really hppa2.0-hp
+		basic_machine=hppa1.1-hp
+		;;
+	hp9k8[67]1 | hp8[67]1 | hp9k80[24] | hp80[24] | hp9k8[78]9 | hp8[78]9 | hp9k893 | hp893)
+		# FIXME: really hppa2.0-hp
+		basic_machine=hppa1.1-hp
+		;;
+	hp9k8[0-9][13679] | hp8[0-9][13679])
+		basic_machine=hppa1.1-hp
+		;;
+	hp9k8[0-9][0-9] | hp8[0-9][0-9])
+		basic_machine=hppa1.0-hp
+		;;
+	hppa-next)
+		os=-nextstep3
+		;;
+	hppaosf)
+		basic_machine=hppa1.1-hp
+		os=-osf
+		;;
+	hppro)
+		basic_machine=hppa1.1-hp
+		os=-proelf
+		;;
+	i370-ibm* | ibm*)
+		basic_machine=i370-ibm
+		;;
+# I'm not sure what "Sysv32" means.  Should this be sysv3.2?
+	i*86v32)
+		basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'`
+		os=-sysv32
+		;;
+	i*86v4*)
+		basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'`
+		os=-sysv4
+		;;
+	i*86v)
+		basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'`
+		os=-sysv
+		;;
+	i*86sol2)
+		basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'`
+		os=-solaris2
+		;;
+	i386mach)
+		basic_machine=i386-mach
+		os=-mach
+		;;
+	i386-vsta | vsta)
+		basic_machine=i386-unknown
+		os=-vsta
+		;;
+	iris | iris4d)
+		basic_machine=mips-sgi
+		case $os in
+		    -irix*)
+			;;
+		    *)
+			os=-irix4
+			;;
+		esac
+		;;
+	isi68 | isi)
+		basic_machine=m68k-isi
+		os=-sysv
+		;;
+	m88k-omron*)
+		basic_machine=m88k-omron
+		;;
+	magnum | m3230)
+		basic_machine=mips-mips
+		os=-sysv
+		;;
+	merlin)
+		basic_machine=ns32k-utek
+		os=-sysv
+		;;
+	mingw32)
+		basic_machine=i386-pc
+		os=-mingw32
+		;;
+	miniframe)
+		basic_machine=m68000-convergent
+		;;
+	*mint | -mint[0-9]* | *MiNT | *MiNT[0-9]*)
+		basic_machine=m68k-atari
+		os=-mint
+		;;
+	mips3*-*)
+		basic_machine=`echo $basic_machine | sed -e 's/mips3/mips64/'`
+		;;
+	mips3*)
+		basic_machine=`echo $basic_machine | sed -e 's/mips3/mips64/'`-unknown
+		;;
+	mmix*)
+		basic_machine=mmix-knuth
+		os=-mmixware
+		;;
+	monitor)
+		basic_machine=m68k-rom68k
+		os=-coff
+		;;
+	morphos)
+		basic_machine=powerpc-unknown
+		os=-morphos
+		;;
+	msdos)
+		basic_machine=i386-pc
+		os=-msdos
+		;;
+	mvs)
+		basic_machine=i370-ibm
+		os=-mvs
+		;;
+	ncr3000)
+		basic_machine=i486-ncr
+		os=-sysv4
+		;;
+	netbsd386)
+		basic_machine=i386-unknown
+		os=-netbsd
+		;;
+	netwinder)
+		basic_machine=armv4l-rebel
+		os=-linux
+		;;
+	news | news700 | news800 | news900)
+		basic_machine=m68k-sony
+		os=-newsos
+		;;
+	news1000)
+		basic_machine=m68030-sony
+		os=-newsos
+		;;
+	news-3600 | risc-news)
+		basic_machine=mips-sony
+		os=-newsos
+		;;
+	necv70)
+		basic_machine=v70-nec
+		os=-sysv
+		;;
+	next | m*-next )
+		basic_machine=m68k-next
+		case $os in
+		    -nextstep* )
+			;;
+		    -ns2*)
+		      os=-nextstep2
+			;;
+		    *)
+		      os=-nextstep3
+			;;
+		esac
+		;;
+	nh3000)
+		basic_machine=m68k-harris
+		os=-cxux
+		;;
+	nh[45]000)
+		basic_machine=m88k-harris
+		os=-cxux
+		;;
+	nindy960)
+		basic_machine=i960-intel
+		os=-nindy
+		;;
+	mon960)
+		basic_machine=i960-intel
+		os=-mon960
+		;;
+	nonstopux)
+		basic_machine=mips-compaq
+		os=-nonstopux
+		;;
+	np1)
+		basic_machine=np1-gould
+		;;
+	nv1)
+		basic_machine=nv1-cray
+		os=-unicosmp
+		;;
+	nsr-tandem)
+		basic_machine=nsr-tandem
+		;;
+	op50n-* | op60c-*)
+		basic_machine=hppa1.1-oki
+		os=-proelf
+		;;
+	or32 | or32-*)
+		basic_machine=or32-unknown
+		os=-coff
+		;;
+	OSE68000 | ose68000)
+		basic_machine=m68000-ericsson
+		os=-ose
+		;;
+	os68k)
+		basic_machine=m68k-none
+		os=-os68k
+		;;
+	pa-hitachi)
+		basic_machine=hppa1.1-hitachi
+		os=-hiuxwe2
+		;;
+	paragon)
+		basic_machine=i860-intel
+		os=-osf
+		;;
+	pbd)
+		basic_machine=sparc-tti
+		;;
+	pbb)
+		basic_machine=m68k-tti
+		;;
+	pc532 | pc532-*)
+		basic_machine=ns32k-pc532
+		;;
+	pentium | p5 | k5 | k6 | nexgen | viac3)
+		basic_machine=i586-pc
+		;;
+	pentiumpro | p6 | 6x86 | athlon | athlon_*)
+		basic_machine=i686-pc
+		;;
+	pentiumii | pentium2)
+		basic_machine=i686-pc
+		;;
+	pentium-* | p5-* | k5-* | k6-* | nexgen-* | viac3-*)
+		basic_machine=i586-`echo $basic_machine | sed 's/^[^-]*-//'`
+		;;
+	pentiumpro-* | p6-* | 6x86-* | athlon-*)
+		basic_machine=i686-`echo $basic_machine | sed 's/^[^-]*-//'`
+		;;
+	pentiumii-* | pentium2-*)
+		basic_machine=i686-`echo $basic_machine | sed 's/^[^-]*-//'`
+		;;
+	pn)
+		basic_machine=pn-gould
+		;;
+	power)	basic_machine=power-ibm
+		;;
+	ppc)	basic_machine=powerpc-unknown
+		;;
+	ppc-*)	basic_machine=powerpc-`echo $basic_machine | sed 's/^[^-]*-//'`
+		;;
+	ppcle | powerpclittle | ppc-le | powerpc-little)
+		basic_machine=powerpcle-unknown
+		;;
+	ppcle-* | powerpclittle-*)
+		basic_machine=powerpcle-`echo $basic_machine | sed 's/^[^-]*-//'`
+		;;
+	ppc64)	basic_machine=powerpc64-unknown
+		;;
+	ppc64-*) basic_machine=powerpc64-`echo $basic_machine | sed 's/^[^-]*-//'`
+		;;
+	ppc64le | powerpc64little | ppc64-le | powerpc64-little)
+		basic_machine=powerpc64le-unknown
+		;;
+	ppc64le-* | powerpc64little-*)
+		basic_machine=powerpc64le-`echo $basic_machine | sed 's/^[^-]*-//'`
+		;;
+	ps2)
+		basic_machine=i386-ibm
+		;;
+	pw32)
+		basic_machine=i586-unknown
+		os=-pw32
+		;;
+	rom68k)
+		basic_machine=m68k-rom68k
+		os=-coff
+		;;
+	rm[46]00)
+		basic_machine=mips-siemens
+		;;
+	rtpc | rtpc-*)
+		basic_machine=romp-ibm
+		;;
+	s390 | s390-*)
+		basic_machine=s390-ibm
+		;;
+	s390x | s390x-*)
+		basic_machine=s390x-ibm
+		;;
+	sa29200)
+		basic_machine=a29k-amd
+		os=-udi
+		;;
+	sb1)
+		basic_machine=mipsisa64sb1-unknown
+		;;
+	sb1el)
+		basic_machine=mipsisa64sb1el-unknown
+		;;
+	sequent)
+		basic_machine=i386-sequent
+		;;
+	sh)
+		basic_machine=sh-hitachi
+		os=-hms
+		;;
+	sparclite-wrs | simso-wrs)
+		basic_machine=sparclite-wrs
+		os=-vxworks
+		;;
+	sps7)
+		basic_machine=m68k-bull
+		os=-sysv2
+		;;
+	spur)
+		basic_machine=spur-unknown
+		;;
+	st2000)
+		basic_machine=m68k-tandem
+		;;
+	stratus)
+		basic_machine=i860-stratus
+		os=-sysv4
+		;;
+	sun2)
+		basic_machine=m68000-sun
+		;;
+	sun2os3)
+		basic_machine=m68000-sun
+		os=-sunos3
+		;;
+	sun2os4)
+		basic_machine=m68000-sun
+		os=-sunos4
+		;;
+	sun3os3)
+		basic_machine=m68k-sun
+		os=-sunos3
+		;;
+	sun3os4)
+		basic_machine=m68k-sun
+		os=-sunos4
+		;;
+	sun4os3)
+		basic_machine=sparc-sun
+		os=-sunos3
+		;;
+	sun4os4)
+		basic_machine=sparc-sun
+		os=-sunos4
+		;;
+	sun4sol2)
+		basic_machine=sparc-sun
+		os=-solaris2
+		;;
+	sun3 | sun3-*)
+		basic_machine=m68k-sun
+		;;
+	sun4)
+		basic_machine=sparc-sun
+		;;
+	sun386 | sun386i | roadrunner)
+		basic_machine=i386-sun
+		;;
+	sv1)
+		basic_machine=sv1-cray
+		os=-unicos
+		;;
+	symmetry)
+		basic_machine=i386-sequent
+		os=-dynix
+		;;
+	t3e)
+		basic_machine=alphaev5-cray
+		os=-unicos
+		;;
+	t90)
+		basic_machine=t90-cray
+		os=-unicos
+		;;
+        tic4x | c4x*)
+		basic_machine=tic4x-unknown
+		os=-coff
+		;;
+	tic54x | c54x*)
+		basic_machine=tic54x-unknown
+		os=-coff
+		;;
+	tic55x | c55x*)
+		basic_machine=tic55x-unknown
+		os=-coff
+		;;
+	tic6x | c6x*)
+		basic_machine=tic6x-unknown
+		os=-coff
+		;;
+	tx39)
+		basic_machine=mipstx39-unknown
+		;;
+	tx39el)
+		basic_machine=mipstx39el-unknown
+		;;
+	toad1)
+		basic_machine=pdp10-xkl
+		os=-tops20
+		;;
+	tower | tower-32)
+		basic_machine=m68k-ncr
+		;;
+	udi29k)
+		basic_machine=a29k-amd
+		os=-udi
+		;;
+	ultra3)
+		basic_machine=a29k-nyu
+		os=-sym1
+		;;
+	v810 | necv810)
+		basic_machine=v810-nec
+		os=-none
+		;;
+	vaxv)
+		basic_machine=vax-dec
+		os=-sysv
+		;;
+	vms)
+		basic_machine=vax-dec
+		os=-vms
+		;;
+	vpp*|vx|vx-*)
+		basic_machine=f301-fujitsu
+		;;
+	vxworks960)
+		basic_machine=i960-wrs
+		os=-vxworks
+		;;
+	vxworks68)
+		basic_machine=m68k-wrs
+		os=-vxworks
+		;;
+	vxworks29k)
+		basic_machine=a29k-wrs
+		os=-vxworks
+		;;
+	w65*)
+		basic_machine=w65-wdc
+		os=-none
+		;;
+	w89k-*)
+		basic_machine=hppa1.1-winbond
+		os=-proelf
+		;;
+	xps | xps100)
+		basic_machine=xps100-honeywell
+		;;
+	ymp)
+		basic_machine=ymp-cray
+		os=-unicos
+		;;
+	z8k-*-coff)
+		basic_machine=z8k-unknown
+		os=-sim
+		;;
+	none)
+		basic_machine=none-none
+		os=-none
+		;;
+
+# Here we handle the default manufacturer of certain CPU types.  It is in
+# some cases the only manufacturer, in others, it is the most popular.
+	w89k)
+		basic_machine=hppa1.1-winbond
+		;;
+	op50n)
+		basic_machine=hppa1.1-oki
+		;;
+	op60c)
+		basic_machine=hppa1.1-oki
+		;;
+	romp)
+		basic_machine=romp-ibm
+		;;
+	rs6000)
+		basic_machine=rs6000-ibm
+		;;
+	vax)
+		basic_machine=vax-dec
+		;;
+	pdp10)
+		# there are many clones, so DEC is not a safe bet
+		basic_machine=pdp10-unknown
+		;;
+	pdp11)
+		basic_machine=pdp11-dec
+		;;
+	we32k)
+		basic_machine=we32k-att
+		;;
+	sh3 | sh4 | sh[34]eb | sh[1234]le | sh[23]ele)
+		basic_machine=sh-unknown
+		;;
+	sh64)
+		basic_machine=sh64-unknown
+		;;
+	sparc | sparcv9 | sparcv9b)
+		basic_machine=sparc-sun
+		;;
+	cydra)
+		basic_machine=cydra-cydrome
+		;;
+	orion)
+		basic_machine=orion-highlevel
+		;;
+	orion105)
+		basic_machine=clipper-highlevel
+		;;
+	mac | mpw | mac-mpw)
+		basic_machine=m68k-apple
+		;;
+	pmac | pmac-mpw)
+		basic_machine=powerpc-apple
+		;;
+	*-unknown)
+		# Make sure to match an already-canonicalized machine name.
+		;;
+	*)
+		echo Invalid configuration \`$1\': machine \`$basic_machine\' not recognized 1>&2
+		exit 1
+		;;
+esac
+
+# Here we canonicalize certain aliases for manufacturers.
+case $basic_machine in
+	*-digital*)
+		basic_machine=`echo $basic_machine | sed 's/digital.*/dec/'`
+		;;
+	*-commodore*)
+		basic_machine=`echo $basic_machine | sed 's/commodore.*/cbm/'`
+		;;
+	*)
+		;;
+esac
+
+# Decode manufacturer-specific aliases for certain operating systems.
+
+if [ x"$os" != x"" ]
+then
+case $os in
+        # First match some system type aliases
+        # that might get confused with valid system types.
+	# -solaris* is a basic system type, with this one exception.
+	-solaris1 | -solaris1.*)
+		os=`echo $os | sed -e 's|solaris1|sunos4|'`
+		;;
+	-solaris)
+		os=-solaris2
+		;;
+	-svr4*)
+		os=-sysv4
+		;;
+	-unixware*)
+		os=-sysv4.2uw
+		;;
+	-gnu/linux*)
+		os=`echo $os | sed -e 's|gnu/linux|linux-gnu|'`
+		;;
+	# First accept the basic system types.
+	# The portable systems comes first.
+	# Each alternative MUST END IN A *, to match a version number.
+	# -sysv* is not here because it comes later, after sysvr4.
+	-gnu* | -bsd* | -mach* | -minix* | -genix* | -ultrix* | -irix* \
+	      | -*vms* | -sco* | -esix* | -isc* | -aix* | -sunos | -sunos[34]*\
+	      | -hpux* | -unos* | -osf* | -luna* | -dgux* | -solaris* | -sym* \
+	      | -amigaos* | -amigados* | -msdos* | -newsos* | -unicos* | -aof* \
+	      | -aos* \
+	      | -nindy* | -vxsim* | -vxworks* | -ebmon* | -hms* | -mvs* \
+	      | -clix* | -riscos* | -uniplus* | -iris* | -rtu* | -xenix* \
+	      | -hiux* | -386bsd* | -netbsd* | -openbsd* | -freebsd* | -riscix* \
+	      | -lynxos* | -bosx* | -nextstep* | -cxux* | -aout* | -elf* | -oabi* \
+	      | -ptx* | -coff* | -ecoff* | -winnt* | -domain* | -vsta* \
+	      | -udi* | -eabi* | -lites* | -ieee* | -go32* | -aux* \
+	      | -chorusos* | -chorusrdb* \
+	      | -cygwin* | -pe* | -psos* | -moss* | -proelf* | -rtems* \
+	      | -mingw32* | -linux-gnu* | -uxpv* | -beos* | -mpeix* | -udk* \
+	      | -interix* | -uwin* | -mks* | -rhapsody* | -darwin* | -opened* \
+	      | -openstep* | -oskit* | -conix* | -pw32* | -nonstopux* \
+	      | -storm-chaos* | -tops10* | -tenex* | -tops20* | -its* \
+	      | -os2* | -vos* | -palmos* | -uclinux* | -nucleus* \
+	      | -morphos* | -superux* | -rtmk* | -rtmk-nova* | -windiss* \
+	      | -powermax* | -dnix*)
+	# Remember, each alternative MUST END IN *, to match a version number.
+		;;
+	-qnx*)
+		case $basic_machine in
+		    x86-* | i*86-*)
+			;;
+		    *)
+			os=-nto$os
+			;;
+		esac
+		;;
+	-nto-qnx*)
+		;;
+	-nto*)
+		os=`echo $os | sed -e 's|nto|nto-qnx|'`
+		;;
+	-sim | -es1800* | -hms* | -xray | -os68k* | -none* | -v88r* \
+	      | -windows* | -osx | -abug | -netware* | -os9* | -beos* \
+	      | -macos* | -mpw* | -magic* | -mmixware* | -mon960* | -lnews*)
+		;;
+	-mac*)
+		os=`echo $os | sed -e 's|mac|macos|'`
+		;;
+	-linux*)
+		os=`echo $os | sed -e 's|linux|linux-gnu|'`
+		;;
+	-sunos5*)
+		os=`echo $os | sed -e 's|sunos5|solaris2|'`
+		;;
+	-sunos6*)
+		os=`echo $os | sed -e 's|sunos6|solaris3|'`
+		;;
+	-opened*)
+		os=-openedition
+		;;
+	-wince*)
+		os=-wince
+		;;
+	-osfrose*)
+		os=-osfrose
+		;;
+	-osf*)
+		os=-osf
+		;;
+	-utek*)
+		os=-bsd
+		;;
+	-dynix*)
+		os=-bsd
+		;;
+	-acis*)
+		os=-aos
+		;;
+	-atheos*)
+		os=-atheos
+		;;
+	-386bsd)
+		os=-bsd
+		;;
+	-ctix* | -uts*)
+		os=-sysv
+		;;
+	-nova*)
+		os=-rtmk-nova
+		;;
+	-ns2 )
+		os=-nextstep2
+		;;
+	-nsk*)
+		os=-nsk
+		;;
+	# Preserve the version number of sinix5.
+	-sinix5.*)
+		os=`echo $os | sed -e 's|sinix|sysv|'`
+		;;
+	-sinix*)
+		os=-sysv4
+		;;
+	-triton*)
+		os=-sysv3
+		;;
+	-oss*)
+		os=-sysv3
+		;;
+	-svr4)
+		os=-sysv4
+		;;
+	-svr3)
+		os=-sysv3
+		;;
+	-sysvr4)
+		os=-sysv4
+		;;
+	# This must come after -sysvr4.
+	-sysv*)
+		;;
+	-ose*)
+		os=-ose
+		;;
+	-es1800*)
+		os=-ose
+		;;
+	-xenix)
+		os=-xenix
+		;;
+	-*mint | -mint[0-9]* | -*MiNT | -MiNT[0-9]*)
+		os=-mint
+		;;
+	-aros*)
+		os=-aros
+		;;
+	-kaos*)
+		os=-kaos
+		;;
+	-none)
+		;;
+	*)
+		# Get rid of the `-' at the beginning of $os.
+		os=`echo $os | sed 's/[^-]*-//'`
+		echo Invalid configuration \`$1\': system \`$os\' not recognized 1>&2
+		exit 1
+		;;
+esac
+else
+
+# Here we handle the default operating systems that come with various machines.
+# The value should be what the vendor currently ships out the door with their
+# machine or put another way, the most popular os provided with the machine.
+
+# Note that if you're going to try to match "-MANUFACTURER" here (say,
+# "-sun"), then you have to tell the case statement up towards the top
+# that MANUFACTURER isn't an operating system.  Otherwise, code above
+# will signal an error saying that MANUFACTURER isn't an operating
+# system, and we'll never get to this point.
+
+case $basic_machine in
+	*-acorn)
+		os=-riscix1.2
+		;;
+	arm*-rebel)
+		os=-linux
+		;;
+	arm*-semi)
+		os=-aout
+		;;
+	# This must come before the *-dec entry.
+	pdp10-*)
+		os=-tops20
+		;;
+	pdp11-*)
+		os=-none
+		;;
+	*-dec | vax-*)
+		os=-ultrix4.2
+		;;
+	m68*-apollo)
+		os=-domain
+		;;
+	i386-sun)
+		os=-sunos4.0.2
+		;;
+	m68000-sun)
+		os=-sunos3
+		# This also exists in the configure program, but was not the
+		# default.
+		# os=-sunos4
+		;;
+	m68*-cisco)
+		os=-aout
+		;;
+	mips*-cisco)
+		os=-elf
+		;;
+	mips*-*)
+		os=-elf
+		;;
+	or32-*)
+		os=-coff
+		;;
+	*-tti)	# must be before sparc entry or we get the wrong os.
+		os=-sysv3
+		;;
+	sparc-* | *-sun)
+		os=-sunos4.1.1
+		;;
+	*-be)
+		os=-beos
+		;;
+	*-ibm)
+		os=-aix
+		;;
+	*-wec)
+		os=-proelf
+		;;
+	*-winbond)
+		os=-proelf
+		;;
+	*-oki)
+		os=-proelf
+		;;
+	*-hp)
+		os=-hpux
+		;;
+	*-hitachi)
+		os=-hiux
+		;;
+	i860-* | *-att | *-ncr | *-altos | *-motorola | *-convergent)
+		os=-sysv
+		;;
+	*-cbm)
+		os=-amigaos
+		;;
+	*-dg)
+		os=-dgux
+		;;
+	*-dolphin)
+		os=-sysv3
+		;;
+	m68k-ccur)
+		os=-rtu
+		;;
+	m88k-omron*)
+		os=-luna
+		;;
+	*-next )
+		os=-nextstep
+		;;
+	*-sequent)
+		os=-ptx
+		;;
+	*-crds)
+		os=-unos
+		;;
+	*-ns)
+		os=-genix
+		;;
+	i370-*)
+		os=-mvs
+		;;
+	*-next)
+		os=-nextstep3
+		;;
+	*-gould)
+		os=-sysv
+		;;
+	*-highlevel)
+		os=-bsd
+		;;
+	*-encore)
+		os=-bsd
+		;;
+	*-sgi)
+		os=-irix
+		;;
+	*-siemens)
+		os=-sysv4
+		;;
+	*-masscomp)
+		os=-rtu
+		;;
+	f30[01]-fujitsu | f700-fujitsu)
+		os=-uxpv
+		;;
+	*-rom68k)
+		os=-coff
+		;;
+	*-*bug)
+		os=-coff
+		;;
+	*-apple)
+		os=-macos
+		;;
+	*-atari*)
+		os=-mint
+		;;
+	*)
+		os=-none
+		;;
+esac
+fi
+
+# Here we handle the case where we know the os, and the CPU type, but not the
+# manufacturer.  We pick the logical manufacturer.
+vendor=unknown
+case $basic_machine in
+	*-unknown)
+		case $os in
+			-riscix*)
+				vendor=acorn
+				;;
+			-sunos*)
+				vendor=sun
+				;;
+			-aix*)
+				vendor=ibm
+				;;
+			-beos*)
+				vendor=be
+				;;
+			-hpux*)
+				vendor=hp
+				;;
+			-mpeix*)
+				vendor=hp
+				;;
+			-hiux*)
+				vendor=hitachi
+				;;
+			-unos*)
+				vendor=crds
+				;;
+			-dgux*)
+				vendor=dg
+				;;
+			-luna*)
+				vendor=omron
+				;;
+			-genix*)
+				vendor=ns
+				;;
+			-mvs* | -opened*)
+				vendor=ibm
+				;;
+			-ptx*)
+				vendor=sequent
+				;;
+			-vxsim* | -vxworks* | -windiss*)
+				vendor=wrs
+				;;
+			-aux*)
+				vendor=apple
+				;;
+			-hms*)
+				vendor=hitachi
+				;;
+			-mpw* | -macos*)
+				vendor=apple
+				;;
+			-*mint | -mint[0-9]* | -*MiNT | -MiNT[0-9]*)
+				vendor=atari
+				;;
+			-vos*)
+				vendor=stratus
+				;;
+		esac
+		basic_machine=`echo $basic_machine | sed "s/unknown/$vendor/"`
+		;;
+esac
+
+echo $basic_machine$os
+exit 0
+
+# Local variables:
+# eval: (add-hook 'write-file-hooks 'time-stamp)
+# time-stamp-start: "timestamp='"
+# time-stamp-format: "%:y-%02m-%02d"
+# time-stamp-end: "'"
+# End:
diff --git a/configure.in b/configure.in
new file mode 100644
index 0000000000..16c1113a3a
--- /dev/null
+++ b/configure.in
@@ -0,0 +1,964 @@
+dnl @(#) $Id: configure.in 6960 2009-12-19 06:22:16Z vern $ (LBL)
+dnl
+dnl Copyright (c) 1997, 1998, 2001, 2002
+dnl	The Regents of the University of California.  All rights reserved.
+dnl
+dnl Process this file with autoconf to produce a configure script.
+dnl
+
+## broken versioning stuff
+##m4_include([version.m4])
+##AC_INIT([bro], VERSION_NUMBER)
+
+## NOTICE: this sets the version at the autoconf time, not
+## at configure time, so it may be out of date!
+
+## start of changes for different versions of automake/conf
+
+# this will work with automake 1.8.5
+dnl AC_INIT(bro, esyscmd([tr -d '\n' < VERSION]))
+dnl AC_CONFIG_SRCDIR(src/Active.cc)
+dnl AC_CANONICAL_SYSTEM
+dnl AM_INIT_AUTOMAKE
+dnl AC_CONFIG_HEADER(config.h)
+dnl AC_LBL_C_INIT(V_CCOPT, V_INCLS)
+dnl AC_PROG_LEX
+
+## This should work with automake 1.6
+AC_INIT(src/Active.cc)
+AC_CANONICAL_SYSTEM
+#AM_INIT_AUTOMAKE(bro, 0.1.0)
+AM_INIT_AUTOMAKE(bro,  esyscmd([tr -d '\n' < VERSION]))
+AM_CONFIG_HEADER(config.h)
+AC_LBL_C_INIT(V_CCOPT, V_INCLS)
+AM_PROG_LEX
+
+## end of changes for versions of automake/conf
+
+dnl Commands for funkier shell output:
+BLD_ON=`./shtool echo -n -e %B`
+BLD_OFF=`./shtool echo -n -e %b`
+
+# We should install everything in /usr/local/bro{bin,lib,policy,etc}
+AC_PREFIX_DEFAULT(/usr/local/bro)
+
+dnl ################################################
+dnl # Checks for programs
+dnl ################################################
+AC_PROG_YACC
+AC_PROG_CXX
+AC_PROG_INSTALL
+AC_PROG_MAKE_SET
+AC_PROG_RANLIB
+AC_CHECK_PROGS(COMPRESS, gzip, compress)
+
+AM_CONDITIONAL(USEV6, false)
+
+AC_ARG_ENABLE(brov6,
+    [  --enable-brov6          enable IPV6 processing],
+    AC_DEFINE(BROv6,,[enable IPV6 processing])
+    AM_CONDITIONAL(USEV6,true))
+AC_ARG_ENABLE(int64,
+    [  --enable-int64          enable use of int64 (long long) for integers],
+    AC_DEFINE(USE_INT64,1,[enable use of 64-bit integers]))
+AC_ARG_ENABLE(activemapping,
+    [  --enable-activemapping  enable active mapping processing],
+    AC_DEFINE(ACTIVE_MAPPING,,[Enable active mapping processing]))
+AC_ARG_ENABLE(expire-dfa-states,
+    [  --enable-expire-dfa-states enable DFA state expiration],
+    AC_DEFINE(EXPIRE_DFA_STATES,,[Enable DFA state expiration]))
+
+AC_ARG_ENABLE(debug,
+    [  --enable-debug          no compiler optimizations],
+    debug="yes"
+    V_CCOPT="-g -DDEBUG"
+    CFLAGS="-DDEBUG `echo $CFLAGS | sed -e 's/-O2//'`"
+    CPPFLAGS="-DDEBUG `echo $CPPFLAGS | sed -e 's/-O2//'`"
+    CXXFLAGS="-DDEBUG `echo $CXXFLAGS | sed -e 's/-O2//'`",
+    debug="no")
+
+AC_ARG_ENABLE(select-loop,
+    [  --disable-select-loop   disable select-based main loop],
+    check_select_loop=no,
+    check_select_loop=yes)
+
+AC_ARG_ENABLE(perftools,
+    [  --enable-perftools      use Google's perftools],
+    use_perftools=yes,
+    use_perftools=no)
+
+AC_ARG_WITH(openssl,
+    [  --with-openssl=PATH     path to OpenSSL (needed for SSL analyzer and secure communication)],
+	if test "$withval" != "no" -a "$withval" != "NO"; then
+		use_openssl=yes
+		OPENSSL="$withval"
+		LDFLAGS="${LDFLAGS} -L${OPENSSL}/lib "
+		V_INCLS="${V_INCLS} -I${OPENSSL}/include"
+		CXXFLAGS="${CXXFLAGS} -I${OPENSSL}/include"
+	else
+		use_openssl=no
+	fi
+	)
+
+AC_ARG_ENABLE(shippedpcap, 
+              [  --enable-shippedpcap  use the shipped version of libpcap ],
+              [ if test "$enableval" = yes; then 
+                    use_shippedpcap=yes
+               else
+                   use_shippedpcap=no 
+               fi ],
+               [ use_shippedpcap=no ])
+
+AC_ARG_WITH(perl,     [  --with-perl=PATH        path/name of the Perl interpreter],
+            PERL=$withval, PERL=${PERL:-})
+
+AC_ARG_WITH(dag,
+	[  --with-dag=PATH         path to the DAG library (for native support for Endace Tech.'s DAG monitoring cards)],
+	if test "$withval" != "no" -a "$withval" != "NO"; then
+		use_dag=yes
+		DAGPATH="$withval"
+		LDFLAGS="${LDFLAGS} -L${DAGPATH}/lib "
+		V_INCLS="${V_INCLS} -I${DAGPATH}/include"
+	else
+		use_dag=no
+	fi
+	)
+
+AC_ARG_WITH(binpac,
+	[  --with-binpac=PATH	   path to a binpac executable for compiling analyzer code],
+	BINPAC="$withval")
+
+AC_ARG_ENABLE(nbdns,
+              AC_HELP_STRING([--disable-nbdns], [Disable non-blocking DNS support]),
+              nbdns="no", nbdns="yes")
+
+AC_LBL_ENABLE_CHECK([activemapping binpac broccoli brov6 debug \
+	expire-dfa-states gtk-doc int64 openssl perftools perl \
+	select-loop shippedpcap broctl cluster nbdns])
+
+dnl ################################################
+dnl # OpenSSL
+dnl ################################################
+
+if test "$use_openssl" != "no" -a "$use_openssl" != "NO"; then
+    saved_libs="${LIBS}"
+   	AC_CHECK_LIB(crypto, OPENSSL_add_all_algorithms_conf,
+   	   	LIBS="${LDFLAGS} -lcrypto"
+   	   	AC_CHECK_LIB(ssl, SSL_new,, AC_MSG_ERROR([Can't find SSL library]))
+   	   	LIBS="${LDFLAGS} -lssl"
+       	use_openssl=yes,
+        use_openssl=no
+        )
+    LIBS="${saved_libs}"
+else
+	use_openssl=no
+fi
+
+if test "$use_openssl" != "no"; then
+   saved_cflags="${CFLAGS}"
+   CFLAGS="${CFLAGS} -I${OPENSSL}/include"
+   AC_CHECK_DECL(OPENSSL_add_all_algorithms_conf,, 
+      use_openssl=no,
+      [#include <openssl/evp.h>])
+   CFLAGS="${saved_cflags}"
+fi
+
+if test "$use_openssl" = "yes"; then
+   # On Red Hat we may need to include Kerberos header.
+   # (CHECK_HEADER doesn't work here)
+   saved_cflags="${CFLAGS}"
+   CFLAGS="${CFLAGS} -I${OPENSSL}/include"
+   AC_COMPILE_IFELSE([#include <openssl/ssl.h>],,
+      CFLAGS="${CFLAGS} -I/usr/kerberos/include"
+      AC_CHECK_HEADER(krb5.h, 
+         V_INCLS="${V_INCLS} -I/usr/kerberos/include"
+         AC_DEFINE(NEED_KRB5_H,,[Include krb5.h]),
+         use_openssl=no
+         AC_MSG_WARN([Can't compile OpenSSL test; disabling OpenSSL.]);
+         ,
+         [#include <krb5.h>
+         #include <openssl/ssl.h>]
+         )   
+   CFLAGS="${saved_cflags}"
+   )
+fi
+
+# Check for version >= 0.9.7
+if test "$use_openssl" = "yes"; then
+   saved_libs="${LIBS}"
+   LIBS="${LIBS} -lssl -lcrypto"
+   AC_MSG_CHECKING([for OpenSSL >= 0.9.7])
+   AC_LINK_IFELSE(AC_LANG_PROGRAM([[#include <openssl/evp.h>]], [[OPENSSL_add_all_algorithms_conf();]]),
+      AC_MSG_RESULT(yes)
+      use_openssl=yes,
+      AC_MSG_RESULT(no)
+      use_openssl=no)
+   LIBS="${saved_libs}"
+fi
+
+AM_CONDITIONAL(USE_OPENSSL, false)
+if test "$use_openssl" = "yes"; then
+      AM_CONDITIONAL(USE_OPENSSL, true)
+      AC_DEFINE(USE_OPENSSL,,[Use OpenSSL])
+      LIBS="${LIBS} -lssl -lcrypto"
+fi
+
+# A test to see whether d2i_X509() uses const for the u_char**
+# argument. Since one cannot just cast a u_char** to a const one
+# (http://parashift.com/c++-faq-lite/const-correctness.html#faq-18.17)
+# we test and then force a u_char** cast only when needed.
+#
+if test "$use_openssl" = "yes"; then
+  AC_MSG_CHECKING([whether d2i_X509() uses a const unsigned char**])
+  AC_LANG_PUSH([C++])
+  AC_COMPILE_IFELSE(
+    AC_LANG_PROGRAM([[#include <openssl/x509.h>]],
+                    [[const unsigned char** cpp = 0;
+		      X509** x = 0; d2i_X509(x, cpp, 0);]]),
+    AC_DEFINE(OPENSSL_D2I_X509_USES_CONST_CHAR,,[d2i_x509 uses const char**])
+    AC_MSG_RESULT(yes),
+    AC_MSG_RESULT(no))
+  AC_LANG_POP([C++])
+fi
+
+# do we use ssl?
+AM_CONDITIONAL(USE_SSL, test "$use_openssl" = "yes")
+
+
+dnl ################################################
+dnl # Check for Perl executable
+dnl ################################################
+if test -n "$PERL"; then
+  if echo "$PERL" | grep '^/' >/dev/null; then
+    AC_MSG_CHECKING(for $PERL)
+    if test -s "$PERL"; then
+      AC_MSG_RESULT(yes)
+    else
+      AC_MSG_RESULT(no)
+      PERL='none'
+    fi
+  else
+    find_perl="$PERL"
+    PERL=''
+  fi
+fi
+
+dnl if there is no perl, go find one!
+if test -z "$PERL"; then
+  AC_PATH_PROGS(PERL,perl5 perl,,/usr/local/bin:/opt/local/bin:/usr/bin::.)
+fi
+
+dnl if we still can't find it, warn them
+if test -z "$PERL"; then
+   AC_MSG_WARN([Cannot find perl; please use --with-perl=/path/to/perl option.])
+else
+   dnl this seems backwards to me .....? but works
+   if ${PERL} -e 'exit ($] >= 5.006001)' > /dev/null 2>&1; then
+     AC_MSG_WARN([Bad perl version, need perl 5.6.1 or higher.; please use --with-perl=/path/to/perl option.])
+   fi
+fi
+
+AC_SUBST(PERL)
+
+dnl ################################################
+dnl # Check for chown binary
+dnl ################################################
+AC_PATH_PROG(CHOWN, chown, ,
+             [/usr/sbin:/bin:/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin])
+AC_SUBST(CHOWN)
+
+dnl ################################################
+dnl # OS-specific hacks and tweaks
+dnl ################################################
+
+AC_LBL_DEVEL(V_CCOPT)
+AM_CONDITIONAL(USE_NMALLOC, false)
+
+dnl Our resolver tests below include an absolute libray location.
+dnl This is its default, it may be changed for some OSs.
+bro_absolute_libresolv="/usr/lib/libresolv.a"
+
+case "$target_os" in
+
+freebsd*)
+	# alternate malloc is faster for FreeBSD, but needs more testing
+	# need to add way to set this from the command line
+	AM_CONDITIONAL(USE_NMALLOC, true)
+	;;
+
+darwin*)
+	AC_MSG_CHECKING([if we need to include arpa/nameser_compat.h])
+	AC_COMPILE_IFELSE(AC_LANG_PROGRAM([[#include <arpa/nameser.h>]], [[HEADER *hdr; int d = NS_IN6ADDRSZ;]]), bro_ns_header_defined=yes, bro_ns_header_defined=no)
+	# if the header is found, we don't need compatibility
+	if test "x$bro_ns_header_defined" = xyes; then
+	   AC_MSG_RESULT(no)
+	else
+	   AC_DEFINE(NEED_NAMESER_COMPAT_H,,[Compatibility for Darwin])
+	   AC_MSG_RESULT(yes)
+	fi
+	# Support for MacPorts and Fink package-management.
+	test -d /opt/local/lib && LDFLAGS="${LDFLAGS} -L/opt/local/lib"
+	test -d /sw/lib && LDFLAGS="${LDFLAGS} -L/sw/lib"
+	V_INCLS="${V_INCLS} -I/opt/local/include -I/sw/include"
+	CXXFLAGS="${CXXFLAGS} -I/opt/local/include -I/sw/include"
+	;;
+
+openbsd*)
+	AM_CONDITIONAL(USE_NMALLOC, true)
+	AC_DEFINE(HAVE_OPENBSD,,[We are on a OpenBSD system])
+	LDFLAGS="${LDFLAGS} -L/usr/local/lib"
+	V_INCLS="${V_INCLS} -I/usr/local/include"
+	CXXFLAGS="${CXXFLAGS} -I/usr/local/include"
+	;;
+
+linux*)
+	V_INCLS="$V_INCLS -I\${top_srcdir}/linux-include"
+	AC_DEFINE(HAVE_LINUX,,[We are on a Linux system])
+	AC_MSG_CHECKING(Linux kernel version)
+	AC_CACHE_VAL(ac_cv_linux_vers,
+	    ac_cv_linux_vers=`uname -r 2>&1 | \
+		sed -n -e '$s/.* //' -e '$s/\..*//p'`)
+	AC_MSG_RESULT($ac_cv_linux_vers)
+	if test $ac_cv_linux_vers -lt 2 ; then
+            AC_MSG_ERROR(version 2 or higher required; see the INSTALL doc for more info)
+	fi
+        if test "a$build_cpu" = "ax86_64"; then
+           bro_absolute_libresolv="/usr/lib64/libresolv.a"
+        fi
+	;;
+
+solaris*)
+	LIBS="${LIBS} -lnsl -lsocket"
+	;;
+
+osf*)
+	dnl Workaround around ip_hl vs. ip_vhl problem in netinet/ip.h
+	V_CCOPT="$V_CCOPT -D__STDC__=2"
+esac
+
+dnl ################################################
+dnl # Enable large file support for all platforms.
+dnl # Can be disabled with --disable-largefile
+dnl ################################################
+AC_SYS_LARGEFILE
+
+dnl ################################################
+dnl # Checks for types and header files.
+dnl ################################################
+AC_HEADER_STDC
+AC_LBL_TYPE_SIGNAL
+AC_LBL_CHECK_TYPE(int32_t, int)
+AC_LBL_CHECK_TYPE(u_int32_t, u_int)
+AC_LBL_CHECK_TYPE(u_int16_t, u_short)
+AC_LBL_CHECK_TYPE(u_int8_t, u_char)
+AC_HEADER_TIME
+
+AC_CHECK_HEADERS(memory.h netinet/in.h socket.h getopt.h)
+AC_CHECK_HEADERS(net/ethernet.h netinet/ether.h netinet/if_ether.h sys/ethernet.h,,,
+    [#include <sys/types.h>
+    #include <sys/socket.h>
+    #include <netinet/in.h>
+    #include <net/if.h>])
+
+AC_CHECK_HEADERS(netinet/ip6.h,,,
+    [#include <sys/types.h>
+    #include <sys/socket.h>
+    #include <netinet/in.h>
+    #include <net/if.h>])
+
+AC_DEFUN([AC_C_SOCKLEN_T],
+[AC_CACHE_CHECK(for socklen_t, ac_cv_c_socklen_t,
+[
+  AC_TRY_COMPILE([
+    #include <sys/types.h>
+    #include <sys/socket.h>
+  ],[
+    socklen_t foo;
+  ],[
+    ac_cv_c_socklen_t=yes
+  ],[
+    ac_cv_c_socklen_t=no
+  ])
+])
+if test $ac_cv_c_socklen_t = no; then
+  AC_DEFINE(socklen_t, int, [define to int if socklen_t not available])
+fi
+])
+
+AC_C_SOCKLEN_T
+
+AC_BRO_SYSLOG_INT
+AC_BRO_SOCK_DECL
+
+dnl ################################################
+dnl # PCAP stuff.
+dnl ################################################
+
+# ensure we are either YES or NO
+if test "$use_shippedpcap" = "no" ; then
+    pcap_local="NO"
+    pcapmsg="system-provided"
+    AM_CONDITIONAL(USE_LOCALPCAP, false)
+else
+    pcap_local="YES"
+    pcapmsg="shipped with Bro"
+    AM_CONDITIONAL(USE_LOCALPCAP, true)
+fi
+
+# if not using local version, find one on the system
+if test "$pcap_local" = "NO"; then
+    AC_LBL_LIBPCAP(V_PCAPDEP, V_INCLS)
+    CPPFLAGS="$CPPFLAGS $V_INCLS"
+    AC_CHECK_HEADERS(pcap-int.h)
+    AC_CHECK_FUNCS(bpf_set_bufsize)
+    dnl ################################################
+    dnl # Check whether pcap provides pcap_version
+    dnl ################################################
+    AC_MSG_CHECKING([for pcap_version in libpcap])
+    AC_LINK_IFELSE(
+     AC_LANG_PROGRAM([extern char pcap_version[];], [puts(pcap_version);]),
+      AC_MSG_RESULT(yes)
+      AC_DEFINE(PCAP_VERSION_STRING,,[Have a version string in libpcap]),
+      AC_MSG_RESULT(no))
+    dnl ################################################
+    dnl # Check whether linking to pcap works 
+    dnl ################################################
+    AC_CHECK_LIB(pcap, main, , AC_MSG_ERROR([Bro requires pcap - install from aux/ if necessary.]))
+else
+    # we have to define the abilites of the local pcap
+    # as it hasn't been unpacked/configured/installed
+    # yet and we can't query it.
+    AC_DEFINE(HAVE_PCAP_INT_H, 1, [Define to 1 if you have the <pcap-int.h> header file.])
+    AC_DEFINE(HAVE_BPF_SET_BUFSIZE, 0, [Define to 1 if you have the bpf_set_bufsize function.])
+    AC_DEFINE(PCAP_VERSION_STRING, 1, [Have a version string in libpcap])
+    AC_DEFINE(HAVE_LIBPCAP, 1, [Define to 1 if you have the pcap library (-lpcap).])
+fi
+
+dnl AC_CHECK_HEADERS(pcap-int.h)
+dnl AC_CHECK_FUNCS(bpf_set_bufsize)
+
+dnl ################################################
+dnl # STL compatibility tests.
+dnl ################################################
+
+dnl # Whether basic_string<> requires additional
+dnl # definitions for char_traits. In that case, we
+dnl # fall back to vector.
+dnl #
+AC_MSG_CHECKING([if char_traits defines all methods])
+AC_LANG_PUSH([C++])
+AC_LINK_IFELSE(
+  AC_LANG_PROGRAM([[
+#include <string>
+using namespace std;
+class Foo { };
+]], [[
+char_traits<Foo*> foo;
+Foo f;
+Foo *fp;
+foo.assign(&fp, 10, &f);]]),
+  AC_MSG_RESULT([yes])
+  basic_string_works=yes,
+  AC_MSG_RESULT([no])
+  basic_string_works=no
+  AC_DEFINE(BASIC_STRING_BROKEN,,[basic_string not usable with non-char template arg]))
+AC_LANG_POP([C++])
+
+dnl ################################################
+dnl # Include the Broccoli tree in aux/broccoli in
+dnl # the setup, unless specifically disabled.
+dnl ################################################
+AC_ARG_ENABLE(broccoli,
+	      AC_HELP_STRING([--disable-broccoli], [Do not build/package Broccoli]),
+	      broccoli="no", broccoli="yes")
+
+AM_CONDITIONAL(USE_BROCCOLI, test "x$broccoli" = xyes)
+if test "x$broccoli" = xyes; then
+   AC_CONFIG_SUBDIRS(aux/broccoli)
+fi
+
+dnl ################################################
+dnl # Include the broctl tree in aux/broctl into
+dnl # the setup, unless specifically disabled. 
+dnl # Per default, we configure it in standalone mode;
+dnl # if --enable-cluster is given, we switch to 
+dnl # cluster mode.
+dnl ################################################
+AC_ARG_ENABLE(broctl,
+	      AC_HELP_STRING([--disable-broctl], [Do not build/package broctl framework]),
+	      broctl=$enableval, broctl="yes")
+
+AC_ARG_ENABLE(cluster,
+	      AC_HELP_STRING([--enable-cluster], [Configure broctl for cluster usage]),
+	      cluster=$enableval, cluster="no")
+
+dnl ################################################
+dnl # Include the Binpac tree in aux/binpac in the
+dnl # build, unless the user selected another binpac
+dnl # via --with-binpac=.
+dnl ################################################
+if test "$BINPAC" = ""; then
+   AC_CONFIG_SUBDIRS(aux/binpac)
+   BINPAC="\${top_builddir}/aux/binpac/src/binpac"
+   binpacmsg="shipped with Bro"
+else # Check (somewhat) whether the binpac given is valid
+   AC_MSG_CHECKING([whether given binpac is executable])
+   if test -x "$BINPAC"; then
+      AC_MSG_RESULT(yes)
+   else
+      AC_MSG_RESULT(no)
+      echo "Please check whether $BINPAC is correct."
+      exit 1
+   fi
+   binpacmsg="$BINPAC"
+fi
+
+AC_SUBST(BINPAC)
+
+dnl ################################################
+dnl # DNS resolver checks.
+dnl ################################################
+dnl
+dnl Check whether our arpa/nameser.h provides type ns_msg.
+dnl If not, we disable nonblocking DNS lookups.
+dnl We assume worst case first and improve on it below.
+AM_CONDITIONAL(USE_NBDNS, false)
+
+dnl Add potential header locations to path
+if test -d /usr/local/include/bind; then
+   CFLAGS="$CFLAGS -I/usr/local/include/bind"
+fi
+
+AC_CHECK_TYPE(ns_msg, bro_check_nb_dns=yes, bro_check_nb_dns=no, [#include <arpa/nameser.h>])
+
+if test $bro_check_nb_dns = no; then
+   AC_MSG_NOTICE([Nonblocking DNS disabled.])
+   use_nb_dns=no
+else
+   dnl We will check for ns_initparse and res_mkquery using a number
+   dnl of resolver library variations, a list of which we build up now.
+   bro_resolver_options="none -lresolv ${bro_absolute_libresolv} -lbind"
+
+   save_cflags="$CFLAGS"
+   save_ldflags="$LDFLAGS"
+   save_libs="$LIBS"
+
+   dnl Okay now try to link both symbols with each of the resolver
+   dnl location variants.  As soon as one works, we're happy.
+   for res in $bro_resolver_options; do
+
+      AC_MSG_CHECKING([for ns_inittab/res_mkquery with resolver '$res'])
+
+      dnl "none" just means "try without any additional flags".
+      if test "$res" = "none"; then
+	 res=""
+      fi
+
+      CFLAGS="${save_cflags}"
+      LDFLAGS="${save_ldflags}"
+      LIBS="${save_libs} $res"
+
+      dnl In the generic -lbind case, we check for the existence
+      dnl of a number of directories and add them to the relevant
+      dnl paths.
+      dnl
+      if test "$res" = "-lbind"; then
+	 if test -d /usr/local/bind/lib; then
+	    LDFLAGS="$LDFLAGS -L/usr/local/bind/lib"
+	 fi
+
+	 if test -d /usr/local/lib; then
+	    LDFLAGS="$LDFLAGS -L/usr/local/lib"
+	 fi
+      fi
+
+      bro_ns_initparse_works=no
+      bro_res_mkquery_works=no
+
+      AC_LINK_IFELSE(AC_LANG_PROGRAM([[#include <arpa/nameser.h>]],
+				      [[ns_initparse(0,0,0);]]),
+		     bro_ns_initparse_works=yes)
+
+      AC_LINK_IFELSE(AC_LANG_PROGRAM([[
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/nameser.h>
+#include <resolv.h>]],
+[[int (*p)() = res_mkquery]]), bro_res_mkquery_works=yes)
+
+      if test $bro_ns_initparse_works = yes && test $bro_res_mkquery_works = yes && test $nbdns = yes; then
+         AC_MSG_RESULT(yes)
+	 AC_MSG_NOTICE([Nonblocking DNS enabled.])
+
+	 dnl Make sure that nb_dns.o is linked in.
+	 NBDNS="nb_dns.o"
+	 AC_SUBST(NBDNS)
+
+	 AM_CONDITIONAL(USE_NBDNS, true)
+	 AC_DEFINE(HAVE_NB_DNS,,[async dns support])
+	 use_nb_dns=yes
+	 break
+      else
+         AC_MSG_RESULT(no)
+      fi
+   done
+
+   if test "x$NBDNS" != "xnb_dns.o"; then
+      AC_MSG_NOTICE([Nonblocking DNS disabled.])
+      use_nb_dns=no
+      CFLAGS="${save_cflags}"
+      LDFLAGS="${save_ldflags}"
+      LIBS="${save_libs}"
+   fi
+fi
+
+dnl ################################################
+dnl # Checks for library functions.
+dnl ################################################
+
+AC_FUNC_MEMCMP
+AC_FUNC_STRFTIME
+AC_CHECK_FUNCS(strerror strsep strcasestr mallinfo getopt_long)
+AC_SEARCH_LIBS(inet_aton, resolv)
+
+# We use deflatePrime() to make sure that zlib is recent enough.
+AC_CHECK_LIB(z, deflatePrime)
+
+# Libmagic
+have_libmagic=yes
+AC_CHECK_HEADERS([magic.h],,have_libmagic=no)
+AC_CHECK_LIB(magic,magic_open,,have_libmagic=no)
+
+# Libclamav
+# have_libclamav=yes
+# AC_CHECK_HEADERS([clamav.h],,have_libclamav=no)
+# AC_CHECK_LIB(clamav,cl_retdbdir,,have_libclamav=no)
+
+# Libclamav is broken because of changed API.
+have_libclamav=no
+
+if test "$have_libclamav" = "yes"; then
+   AC_DEFINE(USE_LIBCLAMAV,,[Use libclamav])
+fi
+
+# LibGeoIP
+have_libgeoip=yes
+AC_CHECK_HEADERS([GeoIPCity.h],,have_libgeoip=no)
+if test "$have_libgeoip" = "yes"; then
+  AC_CHECK_LIB(GeoIP,GeoIP_open_type,,have_libgeoip=no)
+fi
+if test "$have_libgeoip" = "yes"; then
+  AC_DEFINE(USE_GEOIP,,[GeoIP geographic lookup functionality])
+fi
+
+dnl ################################################
+dnl # Terminal library support
+dnl ################################################
+
+bro_have_termlibrary=no
+
+dnl 1) Check if termcap is available
+AC_CHECK_LIB(termcap, tgetnum, 
+    [AC_CHECK_HEADERS([termcap.h term.h], 
+        LIBS="${LIBS} -ltermcap"
+        bro_have_termlibrary=yes)])
+
+dnl 2) Check if curses is available instaed
+if test "$bro_have_termlibrary" = no; then
+    AC_CHECK_LIB(curses, tgetnum, 
+        [AC_CHECK_HEADERS([curses.h term.h], 
+            LIBS="${LIBS} -lcurses"
+            bro_have_termlibrary=yes)])
+fi
+
+dnl 3) Check for ncurses as a final resort
+if test "$bro_have_termlibrary" = no; then
+    AC_CHECK_LIB(ncurses, tgetnum, 
+        [AC_CHECK_HEADERS([ncurses.h curses.h term.h], 
+            LIBS="${LIBS} -lncurses"
+            bro_have_termlibrary=yes)])
+fi
+
+if test "$bro_have_termlibrary" != yes; then
+    AC_MSG_RESULT(no)
+    AC_MSG_ERROR([No terminal emulation library found! Consider installing termcap, curses, or ncurses.])
+else
+    AC_MSG_RESULT(yes)
+fi
+
+dnl Check whether we have readline and history libraries
+AC_CHECK_HEADER([readline/readline.h], bro_readline=yes)
+AC_CHECK_HEADER([readline/history.h], bro_history=yes)
+AC_CHECK_LIB(readline, using_history,, bro_libreadline=no)
+
+if test "$bro_history" = yes; then
+   AC_CHECK_MEMBER([HISTORY_STATE.entries],
+                   [bro_history_entries=yes], [],
+                   [#include <stdio.h>
+                    #include <readline/history.h>])
+fi
+
+if test "$bro_readline" = yes -a \
+   "$bro_history" = yes -a \
+   "$bro_libreadline" != no -a \
+   "$bro_history_entries" = yes; then
+   AC_DEFINE(HAVE_READLINE,1,[line editing & history powers])
+fi 
+
+AC_C_BIGENDIAN(
+	AC_DEFINE(WORDS_BIGENDIAN,1,[whether words are stored with the most significant byte first])
+	dnl This is intentionally named differently so as to not collide with WORDS_BIGENDIAN
+	HOST_BIGENDIAN="#define HOST_BIGENDIAN 1"
+	AC_SUBST(HOST_BIGENDIAN))
+
+AC_CHECK_TYPES([union semun, struct sembuf],[],[],
+[#include <sys/types.h>
+#include <sys/sem.h>
+])
+
+# see if we have sin_len 
+AC_CHECK_MEMBER(struct sockaddr_in.sin_len,
+  [AC_DEFINE(SIN_LEN,,[have sin_len field in sockaddr_in])],,
+  [ 
+#if HAVE_SYS_TYPES_H
+# include <sys/types.h>
+#endif
+#if HAVE_SYS_SOCKET_H
+# include <sys/socket.h>
+#endif
+#if HAVE_NETINET_IN_H
+# include <netinet/in.h>
+#endif
+])
+
+AC_CHECK_SIZEOF(long long)
+AC_CHECK_SIZEOF(long int)
+AC_CHECK_SIZEOF(void *)
+
+# Per default we do not use the select-based main loop. We activate it only if
+#  (i) the user requests it
+# (ii) we know the OS to support selectable pcap fds
+use_select_loop=no
+
+if test $check_select_loop = yes; then
+	case "$target_os" in
+
+	linux*)
+		# Linux should support selectable at least since 2.2 (not sure
+		# about earlier versions)
+		AC_MSG_CHECKING(Linux kernel version support selectable fds)
+		AC_CACHE_VAL(ac_cv_linux_major_vers,
+		    ac_cv_linux_major_vers=`uname -r 2>&1 | \
+			sed 's/-.*$//g' | awk -v FS='.' '{print $1}'`)
+		AC_CACHE_VAL(ac_cv_linux_minor_vers,
+		    ac_cv_linux_minor_vers=`uname -r 2>&1 | \
+			sed 's/-.*$//g' | awk -v FS='.' '{print $2}'`)
+
+	    linux_version=`expr $ac_cv_linux_major_vers '*' 10 '+' $ac_cv_linux_minor_vers`
+		if test $linux_version -gt 21; then
+			use_select_loop=yes
+	        AC_MSG_RESULT($ac_cv_linux_major_vers.$ac_cv_linux_minor_vers is ok)
+		else
+	        AC_MSG_RESULT($ac_cv_linux_major_vers.$ac_cv_linux_minor_vers is too old)
+	    fi
+		;;
+
+	freebsd*)
+		# FreeBSD supports selectable fds correctly since 4.6.
+		AC_MSG_CHECKING(FreeBSD kernel version support selectable fds)
+		AC_CACHE_VAL(ac_cv_freebsd_major_vers,
+		    ac_cv_freebsd_major_vers=`uname -r 2>&1 | \
+			sed 's/-.*$//g' | awk -v FS='.' '{print $1}'`)
+		AC_CACHE_VAL(ac_cv_freebsd_minor_vers,
+		    ac_cv_freebsd_minor_vers=`uname -r 2>&1 | \
+			sed 's/-.*$//g' | awk -v FS='.' '{print $2}'`)
+
+	    freebsd_version=`expr $ac_cv_freebsd_major_vers '*' 10 '+' $ac_cv_freebsd_minor_vers`
+		if test $freebsd_version -gt 45; then
+			use_select_loop=yes
+	        AC_MSG_RESULT($ac_cv_freebsd_major_vers.$ac_cv_freebsd_minor_vers is ok)
+		else
+	        AC_MSG_RESULT($ac_cv_freebsd_major_vers X $ac_cv_freebsd_minor_vers is too old)
+		fi
+		;;
+
+	esac
+fi
+
+if test "$use_select_loop" = "yes"; then
+	AC_DEFINE(USE_SELECT_LOOP,,[Use select-based main loop])
+fi
+
+dnl ################################################
+dnl # Endace DAG support
+dnl ################################################
+
+if test "$use_dag" != "no" -a "$use_dag" != "NO"; then
+	AC_CHECK_LIB(dag, dag_open, use_dag=yes, use_dag=no)
+	AC_CHECK_HEADER(pcap.h,,use_dag=no)
+
+	if test "$use_dag" = "yes"; then
+		  AC_DEFINE(USE_DAG,,[Include Endace DAG support])
+		  LIBS="${LIBS} -ldag"
+		  AC_SUBST(WANT_DAG_OBJ, "\$(DAG_OBJ)")
+	else
+		  AC_SUBST(WANT_DAG_OBJ, "")
+	fi
+else
+	use_dag=no
+fi
+
+dnl ################################################
+dnl # If configured with --enable-perftools, look for
+dnl # Google's perftools to do heap checking.
+dnl ################################################
+
+if test "$use_perftools" != "no" -a "$use_perftools" != "NO"; then
+	AC_LANG_PUSH(C++)
+	saved_libs="${LIBS}"
+	LIBS="${LIBS} -ltcmalloc -lpthread"
+	AC_TRY_LINK([#include <google/heap-checker.h>],
+		[HeapLeakChecker heap_checker("test");],
+		[use_perftools="yes"],[use_perftools="no"])
+	LIBS="${saved_libs}"
+	AC_LANG_POP([C++])
+
+	if test "$use_perftools" = "yes"; then
+		AC_DEFINE(USE_PERFTOOLS,,[Use Google's perftools])
+		LIBS="${LIBS} -ltcmalloc -lpthread"
+	fi
+fi
+
+###############################
+# Configure broctl. 
+###############################
+
+# Need Python >= 2.4.
+have_python=no
+AC_PATH_TOOL(pybin, python, "")
+if test "x$pybin" != x -a "x$broctl" = xyes; then
+	AC_MSG_CHECKING([for Python >= 2.4])
+	AC_CACHE_VAL(ac_cv_python_major_vers,
+		ac_cv_python_major_vers=`python -V 2>&1 | \
+			sed 's/^Python //g' | awk -v FS='.' '{print $1}'`)
+	AC_CACHE_VAL(ac_cv_python_minor_vers,
+		ac_cv_python_minor_vers=`python -V 2>&1 | \
+			sed 's/^Python //g' | awk -v FS='.' '{print $2}'`)
+
+	pyversion=`expr $ac_cv_python_major_vers '*' 10 '+' $ac_cv_python_minor_vers`
+	if test $pyversion -ge 24; then
+		AC_MSG_RESULT([yes])
+		have_python=yes
+    fi
+    
+    AC_CHECK_PROG(have_python, python-config, $have_python, no)
+
+    if test "x$have_python" != xyes; then
+        AC_MSG_RESULT([no, disabling broctl])
+    fi
+fi    
+
+if test "x$have_python" != xyes; then
+    broctl=no
+fi
+
+AM_CONDITIONAL(USE_BROCTL, test "x$broctl" = xyes)
+
+if test "x$broctl" = xyes; then
+   if test "x$cluster" = xno; then
+       standalone="--standalone"
+   fi
+   echo "=== configuring in aux/broctl"
+
+   test -d aux || mkdir aux
+   test -d aux/broctl || mkdir aux/broctl
+   
+   ${srcdir}/aux/broctl/configure --prefix=${prefix} --builddir=`pwd`/aux/broctl --brodist=${srcdir} ${standalone}
+   
+   AC_CONFIG_SUBDIRS([aux/broctl/aux/capstats])
+fi   
+
+if test "$use_xqilla" = "yes"; then
+	LIBS="${LIBS} -lxqilla"
+fi
+
+# grab the hostname
+BROHOST=`hostname 2>/dev/null` || `uname -n 2>/dev/null`
+AC_SUBST(BROHOST)
+
+dnl Setup pcap path just before creating files, this way tests won't fail
+dnl with 'can't find libpcap' when we use the local pcap which hasn't 
+dnl been unpacked yet
+
+if test "$pcap_local" = "YES"; then
+    LIBS="-L\${top_srcdir}/aux/libpcap-0.9.8 -lpcap $LIBS"
+    V_INCLS="$V_INCLS -I\${top_builddir}/aux/libpcap-0.9.8"
+fi
+
+AC_SUBST(V_CCOPT)
+AC_SUBST(V_INCLS)
+AC_SUBST(LDFLAGS)
+
+
+dnl AC_SUBST(V_PCAPDEP) dnl (libpcap dependancies -- not used)
+AC_OUTPUT([Makefile 
+           src/Makefile 
+           doc/Makefile 
+           doc/ref-manual/Makefile 
+           doc/quick-start/Makefile
+           doc/user-manual/Makefile 
+           aux/adtrace/Makefile
+           aux/cf/Makefile
+           aux/hf/Makefile
+           aux/nftools/Makefile
+           aux/scripts/Makefile
+           aux/bdcat/Makefile
+           aux/rst/Makefile
+           aux/Makefile
+           policy/Makefile
+           policy/sigs/Makefile
+           policy/time-machine/Makefile
+           scripts/Makefile
+           scripts/bro_config
+           scripts/bro.rc
+           scripts/localnetMAC.pl
+           scripts/s2b/Makefile
+           scripts/s2b/bro-include/Makefile
+           scripts/s2b/example_bro_files/Makefile
+           scripts/s2b/etc/Makefile
+           scripts/s2b/bin/Makefile
+           scripts/s2b/pm/Makefile
+           scripts/s2b/snort_rules2.2/Makefile
+           ],
+           [chmod +x scripts/bro_config
+           chmod +x scripts/localnetMAC.pl]
+           )
+
+if test "$use_openssl" != "yes"; then
+    OPENSSL=""
+#else
+#   AC_OUTPUT(aux/bdcat/Makefile)
+fi
+
+echo
+echo "                  "${BLD_ON}"Bro Configuration Summary"${BLD_OFF}
+echo "=========================================================="
+echo
+echo "  - Debugging enabled:      "${BLD_ON}$debug${BLD_OFF}
+echo "  - OpenSSL support:        "${BLD_ON}$use_openssl $OPENSSL${BLD_OFF}
+echo "  - Non-blocking main loop: "${BLD_ON}$use_select_loop${BLD_OFF}
+echo "  - Non-blocking resolver:  "${BLD_ON}$use_nb_dns${BLD_OFF}
+echo "  - Installation prefix:    "${BLD_ON}$prefix${BLD_OFF}
+echo "  - Perl interpreter:       "${BLD_ON}$PERL${BLD_OFF}
+echo "  - Using basic_string:     "${BLD_ON}$basic_string_works${BLD_OFF}
+echo "  - Using libmagic:         "${BLD_ON}$have_libmagic${BLD_OFF}
+# echo "  - Using libclamav:        "${BLD_ON}$have_libclamav${BLD_OFF}
+echo "  - Using perftools:        "${BLD_ON}$use_perftools${BLD_OFF}
+echo "  - Binpac used:            "${BLD_ON}$binpacmsg${BLD_OFF}
+echo "  - Using libGeoIP:         "${BLD_ON}$have_libgeoip${BLD_OFF}
+echo "  - Enabled broctl:         "${BLD_ON}$broctl${BLD_OFF}
+echo "  - Enabled cluster:        "${BLD_ON}$cluster${BLD_OFF}
+echo "  - Pcap used:              "${BLD_ON}$pcapmsg${BLD_OFF}
+echo
+exit 0
diff --git a/depcomp b/depcomp
new file mode 100755
index 0000000000..25bdb18892
--- /dev/null
+++ b/depcomp
@@ -0,0 +1,526 @@
+#! /bin/sh
+# depcomp - compile a program generating dependencies as side-effects
+
+scriptversion=2004-04-25.13
+
+# Copyright (C) 1999, 2000, 2003, 2004 Free Software Foundation, Inc.
+
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2, or (at your option)
+# any later version.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+# 02111-1307, USA.
+
+# As a special exception to the GNU General Public License, if you
+# distribute this file as part of a program that contains a
+# configuration script generated by Autoconf, you may include it under
+# the same distribution terms that you use for the rest of that program.
+
+# Originally written by Alexandre Oliva <oliva@dcc.unicamp.br>.
+
+case $1 in
+  '')
+     echo "$0: No command.  Try \`$0 --help' for more information." 1>&2
+     exit 1;
+     ;;
+  -h | --h*)
+    cat <<\EOF
+Usage: depcomp [--help] [--version] PROGRAM [ARGS]
+
+Run PROGRAMS ARGS to compile a file, generating dependencies
+as side-effects.
+
+Environment variables:
+  depmode     Dependency tracking mode.
+  source      Source file read by `PROGRAMS ARGS'.
+  object      Object file output by `PROGRAMS ARGS'.
+  depfile     Dependency file to output.
+  tmpdepfile  Temporary file to use when outputing dependencies.
+  libtool     Whether libtool is used (yes/no).
+
+Report bugs to <bug-automake@gnu.org>.
+EOF
+    exit 0
+    ;;
+  -v | --v*)
+    echo "depcomp $scriptversion"
+    exit 0
+    ;;
+esac
+
+if test -z "$depmode" || test -z "$source" || test -z "$object"; then
+  echo "depcomp: Variables source, object and depmode must be set" 1>&2
+  exit 1
+fi
+# `libtool' can also be set to `yes' or `no'.
+
+if test -z "$depfile"; then
+   base=`echo "$object" | sed -e 's,^.*/,,' -e 's,\.\([^.]*\)$,.P\1,'`
+   dir=`echo "$object" | sed 's,/.*$,/,'`
+   if test "$dir" = "$object"; then
+      dir=
+   fi
+   # FIXME: should be _deps on DOS.
+   depfile="$dir.deps/$base"
+fi
+
+tmpdepfile=${tmpdepfile-`echo "$depfile" | sed 's/\.\([^.]*\)$/.T\1/'`}
+
+rm -f "$tmpdepfile"
+
+# Some modes work just like other modes, but use different flags.  We
+# parameterize here, but still list the modes in the big case below,
+# to make depend.m4 easier to write.  Note that we *cannot* use a case
+# here, because this file can only contain one case statement.
+if test "$depmode" = hp; then
+  # HP compiler uses -M and no extra arg.
+  gccflag=-M
+  depmode=gcc
+fi
+
+if test "$depmode" = dashXmstdout; then
+   # This is just like dashmstdout with a different argument.
+   dashmflag=-xM
+   depmode=dashmstdout
+fi
+
+case "$depmode" in
+gcc3)
+## gcc 3 implements dependency tracking that does exactly what
+## we want.  Yay!  Note: for some reason libtool 1.4 doesn't like
+## it if -MD -MP comes after the -MF stuff.  Hmm.
+  "$@" -MT "$object" -MD -MP -MF "$tmpdepfile"
+  stat=$?
+  if test $stat -eq 0; then :
+  else
+    rm -f "$tmpdepfile"
+    exit $stat
+  fi
+  mv "$tmpdepfile" "$depfile"
+  ;;
+
+gcc)
+## There are various ways to get dependency output from gcc.  Here's
+## why we pick this rather obscure method:
+## - Don't want to use -MD because we'd like the dependencies to end
+##   up in a subdir.  Having to rename by hand is ugly.
+##   (We might end up doing this anyway to support other compilers.)
+## - The DEPENDENCIES_OUTPUT environment variable makes gcc act like
+##   -MM, not -M (despite what the docs say).
+## - Using -M directly means running the compiler twice (even worse
+##   than renaming).
+  if test -z "$gccflag"; then
+    gccflag=-MD,
+  fi
+  "$@" -Wp,"$gccflag$tmpdepfile"
+  stat=$?
+  if test $stat -eq 0; then :
+  else
+    rm -f "$tmpdepfile"
+    exit $stat
+  fi
+  rm -f "$depfile"
+  echo "$object : \\" > "$depfile"
+  alpha=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
+## The second -e expression handles DOS-style file names with drive letters.
+  sed -e 's/^[^:]*: / /' \
+      -e 's/^['$alpha']:\/[^:]*: / /' < "$tmpdepfile" >> "$depfile"
+## This next piece of magic avoids the `deleted header file' problem.
+## The problem is that when a header file which appears in a .P file
+## is deleted, the dependency causes make to die (because there is
+## typically no way to rebuild the header).  We avoid this by adding
+## dummy dependencies for each header file.  Too bad gcc doesn't do
+## this for us directly.
+  tr ' ' '
+' < "$tmpdepfile" |
+## Some versions of gcc put a space before the `:'.  On the theory
+## that the space means something, we add a space to the output as
+## well.
+## Some versions of the HPUX 10.20 sed can't process this invocation
+## correctly.  Breaking it into two sed invocations is a workaround.
+    sed -e 's/^\\$//' -e '/^$/d' -e '/:$/d' | sed -e 's/$/ :/' >> "$depfile"
+  rm -f "$tmpdepfile"
+  ;;
+
+hp)
+  # This case exists only to let depend.m4 do its work.  It works by
+  # looking at the text of this script.  This case will never be run,
+  # since it is checked for above.
+  exit 1
+  ;;
+
+sgi)
+  if test "$libtool" = yes; then
+    "$@" "-Wp,-MDupdate,$tmpdepfile"
+  else
+    "$@" -MDupdate "$tmpdepfile"
+  fi
+  stat=$?
+  if test $stat -eq 0; then :
+  else
+    rm -f "$tmpdepfile"
+    exit $stat
+  fi
+  rm -f "$depfile"
+
+  if test -f "$tmpdepfile"; then  # yes, the sourcefile depend on other files
+    echo "$object : \\" > "$depfile"
+
+    # Clip off the initial element (the dependent).  Don't try to be
+    # clever and replace this with sed code, as IRIX sed won't handle
+    # lines with more than a fixed number of characters (4096 in
+    # IRIX 6.2 sed, 8192 in IRIX 6.5).  We also remove comment lines;
+    # the IRIX cc adds comments like `#:fec' to the end of the
+    # dependency line.
+    tr ' ' '
+' < "$tmpdepfile" \
+    | sed -e 's/^.*\.o://' -e 's/#.*$//' -e '/^$/ d' | \
+    tr '
+' ' ' >> $depfile
+    echo >> $depfile
+
+    # The second pass generates a dummy entry for each header file.
+    tr ' ' '
+' < "$tmpdepfile" \
+   | sed -e 's/^.*\.o://' -e 's/#.*$//' -e '/^$/ d' -e 's/$/:/' \
+   >> $depfile
+  else
+    # The sourcefile does not contain any dependencies, so just
+    # store a dummy comment line, to avoid errors with the Makefile
+    # "include basename.Plo" scheme.
+    echo "#dummy" > "$depfile"
+  fi
+  rm -f "$tmpdepfile"
+  ;;
+
+aix)
+  # The C for AIX Compiler uses -M and outputs the dependencies
+  # in a .u file.  In older versions, this file always lives in the
+  # current directory.  Also, the AIX compiler puts `$object:' at the
+  # start of each line; $object doesn't have directory information.
+  # Version 6 uses the directory in both cases.
+  stripped=`echo "$object" | sed 's/\(.*\)\..*$/\1/'`
+  tmpdepfile="$stripped.u"
+  if test "$libtool" = yes; then
+    "$@" -Wc,-M
+  else
+    "$@" -M
+  fi
+  stat=$?
+
+  if test -f "$tmpdepfile"; then :
+  else
+    stripped=`echo "$stripped" | sed 's,^.*/,,'`
+    tmpdepfile="$stripped.u"
+  fi
+
+  if test $stat -eq 0; then :
+  else
+    rm -f "$tmpdepfile"
+    exit $stat
+  fi
+
+  if test -f "$tmpdepfile"; then
+    outname="$stripped.o"
+    # Each line is of the form `foo.o: dependent.h'.
+    # Do two passes, one to just change these to
+    # `$object: dependent.h' and one to simply `dependent.h:'.
+    sed -e "s,^$outname:,$object :," < "$tmpdepfile" > "$depfile"
+    sed -e "s,^$outname: \(.*\)$,\1:," < "$tmpdepfile" >> "$depfile"
+  else
+    # The sourcefile does not contain any dependencies, so just
+    # store a dummy comment line, to avoid errors with the Makefile
+    # "include basename.Plo" scheme.
+    echo "#dummy" > "$depfile"
+  fi
+  rm -f "$tmpdepfile"
+  ;;
+
+icc)
+  # Intel's C compiler understands `-MD -MF file'.  However on
+  #    icc -MD -MF foo.d -c -o sub/foo.o sub/foo.c
+  # ICC 7.0 will fill foo.d with something like
+  #    foo.o: sub/foo.c
+  #    foo.o: sub/foo.h
+  # which is wrong.  We want:
+  #    sub/foo.o: sub/foo.c
+  #    sub/foo.o: sub/foo.h
+  #    sub/foo.c:
+  #    sub/foo.h:
+  # ICC 7.1 will output
+  #    foo.o: sub/foo.c sub/foo.h
+  # and will wrap long lines using \ :
+  #    foo.o: sub/foo.c ... \
+  #     sub/foo.h ... \
+  #     ...
+
+  "$@" -MD -MF "$tmpdepfile"
+  stat=$?
+  if test $stat -eq 0; then :
+  else
+    rm -f "$tmpdepfile"
+    exit $stat
+  fi
+  rm -f "$depfile"
+  # Each line is of the form `foo.o: dependent.h',
+  # or `foo.o: dep1.h dep2.h \', or ` dep3.h dep4.h \'.
+  # Do two passes, one to just change these to
+  # `$object: dependent.h' and one to simply `dependent.h:'.
+  sed "s,^[^:]*:,$object :," < "$tmpdepfile" > "$depfile"
+  # Some versions of the HPUX 10.20 sed can't process this invocation
+  # correctly.  Breaking it into two sed invocations is a workaround.
+  sed 's,^[^:]*: \(.*\)$,\1,;s/^\\$//;/^$/d;/:$/d' < "$tmpdepfile" |
+    sed -e 's/$/ :/' >> "$depfile"
+  rm -f "$tmpdepfile"
+  ;;
+
+tru64)
+   # The Tru64 compiler uses -MD to generate dependencies as a side
+   # effect.  `cc -MD -o foo.o ...' puts the dependencies into `foo.o.d'.
+   # At least on Alpha/Redhat 6.1, Compaq CCC V6.2-504 seems to put
+   # dependencies in `foo.d' instead, so we check for that too.
+   # Subdirectories are respected.
+   dir=`echo "$object" | sed -e 's|/[^/]*$|/|'`
+   test "x$dir" = "x$object" && dir=
+   base=`echo "$object" | sed -e 's|^.*/||' -e 's/\.o$//' -e 's/\.lo$//'`
+
+   if test "$libtool" = yes; then
+      # Dependencies are output in .lo.d with libtool 1.4.
+      # They are output in .o.d with libtool 1.5.
+      tmpdepfile1="$dir.libs/$base.lo.d"
+      tmpdepfile2="$dir.libs/$base.o.d"
+      tmpdepfile3="$dir.libs/$base.d"
+      "$@" -Wc,-MD
+   else
+      tmpdepfile1="$dir$base.o.d"
+      tmpdepfile2="$dir$base.d"
+      tmpdepfile3="$dir$base.d"
+      "$@" -MD
+   fi
+
+   stat=$?
+   if test $stat -eq 0; then :
+   else
+      rm -f "$tmpdepfile1" "$tmpdepfile2" "$tmpdepfile3"
+      exit $stat
+   fi
+
+   if test -f "$tmpdepfile1"; then
+      tmpdepfile="$tmpdepfile1"
+   elif test -f "$tmpdepfile2"; then
+      tmpdepfile="$tmpdepfile2"
+   else
+      tmpdepfile="$tmpdepfile3"
+   fi
+   if test -f "$tmpdepfile"; then
+      sed -e "s,^.*\.[a-z]*:,$object:," < "$tmpdepfile" > "$depfile"
+      # That's a tab and a space in the [].
+      sed -e 's,^.*\.[a-z]*:[	 ]*,,' -e 's,$,:,' < "$tmpdepfile" >> "$depfile"
+   else
+      echo "#dummy" > "$depfile"
+   fi
+   rm -f "$tmpdepfile"
+   ;;
+
+#nosideeffect)
+  # This comment above is used by automake to tell side-effect
+  # dependency tracking mechanisms from slower ones.
+
+dashmstdout)
+  # Important note: in order to support this mode, a compiler *must*
+  # always write the preprocessed file to stdout, regardless of -o.
+  "$@" || exit $?
+
+  # Remove the call to Libtool.
+  if test "$libtool" = yes; then
+    while test $1 != '--mode=compile'; do
+      shift
+    done
+    shift
+  fi
+
+  # Remove `-o $object'.
+  IFS=" "
+  for arg
+  do
+    case $arg in
+    -o)
+      shift
+      ;;
+    $object)
+      shift
+      ;;
+    *)
+      set fnord "$@" "$arg"
+      shift # fnord
+      shift # $arg
+      ;;
+    esac
+  done
+
+  test -z "$dashmflag" && dashmflag=-M
+  # Require at least two characters before searching for `:'
+  # in the target name.  This is to cope with DOS-style filenames:
+  # a dependency such as `c:/foo/bar' could be seen as target `c' otherwise.
+  "$@" $dashmflag |
+    sed 's:^[  ]*[^: ][^:][^:]*\:[    ]*:'"$object"'\: :' > "$tmpdepfile"
+  rm -f "$depfile"
+  cat < "$tmpdepfile" > "$depfile"
+  tr ' ' '
+' < "$tmpdepfile" | \
+## Some versions of the HPUX 10.20 sed can't process this invocation
+## correctly.  Breaking it into two sed invocations is a workaround.
+    sed -e 's/^\\$//' -e '/^$/d' -e '/:$/d' | sed -e 's/$/ :/' >> "$depfile"
+  rm -f "$tmpdepfile"
+  ;;
+
+dashXmstdout)
+  # This case only exists to satisfy depend.m4.  It is never actually
+  # run, as this mode is specially recognized in the preamble.
+  exit 1
+  ;;
+
+makedepend)
+  "$@" || exit $?
+  # Remove any Libtool call
+  if test "$libtool" = yes; then
+    while test $1 != '--mode=compile'; do
+      shift
+    done
+    shift
+  fi
+  # X makedepend
+  shift
+  cleared=no
+  for arg in "$@"; do
+    case $cleared in
+    no)
+      set ""; shift
+      cleared=yes ;;
+    esac
+    case "$arg" in
+    -D*|-I*)
+      set fnord "$@" "$arg"; shift ;;
+    # Strip any option that makedepend may not understand.  Remove
+    # the object too, otherwise makedepend will parse it as a source file.
+    -*|$object)
+      ;;
+    *)
+      set fnord "$@" "$arg"; shift ;;
+    esac
+  done
+  obj_suffix="`echo $object | sed 's/^.*\././'`"
+  touch "$tmpdepfile"
+  ${MAKEDEPEND-makedepend} -o"$obj_suffix" -f"$tmpdepfile" "$@"
+  rm -f "$depfile"
+  cat < "$tmpdepfile" > "$depfile"
+  sed '1,2d' "$tmpdepfile" | tr ' ' '
+' | \
+## Some versions of the HPUX 10.20 sed can't process this invocation
+## correctly.  Breaking it into two sed invocations is a workaround.
+    sed -e 's/^\\$//' -e '/^$/d' -e '/:$/d' | sed -e 's/$/ :/' >> "$depfile"
+  rm -f "$tmpdepfile" "$tmpdepfile".bak
+  ;;
+
+cpp)
+  # Important note: in order to support this mode, a compiler *must*
+  # always write the preprocessed file to stdout.
+  "$@" || exit $?
+
+  # Remove the call to Libtool.
+  if test "$libtool" = yes; then
+    while test $1 != '--mode=compile'; do
+      shift
+    done
+    shift
+  fi
+
+  # Remove `-o $object'.
+  IFS=" "
+  for arg
+  do
+    case $arg in
+    -o)
+      shift
+      ;;
+    $object)
+      shift
+      ;;
+    *)
+      set fnord "$@" "$arg"
+      shift # fnord
+      shift # $arg
+      ;;
+    esac
+  done
+
+  "$@" -E |
+    sed -n '/^# [0-9][0-9]* "\([^"]*\)".*/ s:: \1 \\:p' |
+    sed '$ s: \\$::' > "$tmpdepfile"
+  rm -f "$depfile"
+  echo "$object : \\" > "$depfile"
+  cat < "$tmpdepfile" >> "$depfile"
+  sed < "$tmpdepfile" '/^$/d;s/^ //;s/ \\$//;s/$/ :/' >> "$depfile"
+  rm -f "$tmpdepfile"
+  ;;
+
+msvisualcpp)
+  # Important note: in order to support this mode, a compiler *must*
+  # always write the preprocessed file to stdout, regardless of -o,
+  # because we must use -o when running libtool.
+  "$@" || exit $?
+  IFS=" "
+  for arg
+  do
+    case "$arg" in
+    "-Gm"|"/Gm"|"-Gi"|"/Gi"|"-ZI"|"/ZI")
+	set fnord "$@"
+	shift
+	shift
+	;;
+    *)
+	set fnord "$@" "$arg"
+	shift
+	shift
+	;;
+    esac
+  done
+  "$@" -E |
+  sed -n '/^#line [0-9][0-9]* "\([^"]*\)"/ s::echo "`cygpath -u \\"\1\\"`":p' | sort | uniq > "$tmpdepfile"
+  rm -f "$depfile"
+  echo "$object : \\" > "$depfile"
+  . "$tmpdepfile" | sed 's% %\\ %g' | sed -n '/^\(.*\)$/ s::	\1 \\:p' >> "$depfile"
+  echo "	" >> "$depfile"
+  . "$tmpdepfile" | sed 's% %\\ %g' | sed -n '/^\(.*\)$/ s::\1\::p' >> "$depfile"
+  rm -f "$tmpdepfile"
+  ;;
+
+none)
+  exec "$@"
+  ;;
+
+*)
+  echo "Unknown depmode $depmode" 1>&2
+  exit 1
+  ;;
+esac
+
+exit 0
+
+# Local Variables:
+# mode: shell-script
+# sh-indentation: 2
+# eval: (add-hook 'write-file-hooks 'time-stamp)
+# time-stamp-start: "scriptversion="
+# time-stamp-format: "%:y-%02m-%02d.%02H"
+# time-stamp-end: "$"
+# End:
diff --git a/doc/Makefile.am b/doc/Makefile.am
new file mode 100644
index 0000000000..2842129441
--- /dev/null
+++ b/doc/Makefile.am
@@ -0,0 +1,9 @@
+EXTRA_DIST = README.txt
+SUBDIRS = ref-manual quick-start user-manual
+
+doc:
+	@echo "Build Bro Documentation (html and pdf)"
+	for d in $(SUBDIRS); do \
+		( cd $$d && $(MAKE) $@ ); \
+	done
+
diff --git a/doc/README.txt b/doc/README.txt
new file mode 100644
index 0000000000..6b0a6b70c7
--- /dev/null
+++ b/doc/README.txt
@@ -0,0 +1,14 @@
+
+The current documentation is in the following directories:
+
+quick-start/ 
+user-manual/ 
+ref-manual/  
+
+To build html and pdf version of the documents, 'makeinfo' and 'texi2dvi', part
+of the GNU texinfo package, version 4.7 or higher is required.
+
+Pre-built (and probably more current) versions of the documentation 
+are available at:
+	http://www.bro-ids.org/manuals.html
+ 
diff --git a/doc/misc/conn-logs b/doc/misc/conn-logs
new file mode 100644
index 0000000000..88c156e261
--- /dev/null
+++ b/doc/misc/conn-logs
@@ -0,0 +1,82 @@
+TCP connection logs are generated by tcp.bro.  The summaries are written
+to stdout, one line per connection:
+
+	start-time duration protocol orig-bytes resp-bytes \
+	local-addr remote-addr state flags additional
+
+	start-time: timestamp of when the connection's first packet was
+		observed
+
+	duration: time until connection finished, in seconds, or '?' if
+		not determined
+
+	protocol: TCP protocol, if well-known port; or portmapper request
+
+	orig-bytes: total bytes sent by originator.  Computed from difference
+		between starting and ending sequence numbers, so sometimes
+		wrong (if wrong, the values tend to be erroneously large)
+
+	resp-bytes: same for bytes sent by connection responder
+
+	local-addr: IP address of local end of connection
+	remote-addr: IP address of remote end of connection
+		Note that these would make more sense as originator/responder,
+		but for historical reasons they're defined in terms of
+		"local" and "remote", where "local" is specified by the
+		"local_nets" set in hot.bro.  To pull out the originator
+		and responder addresses requires looking at the "flags"
+		field to see whether the connection originated locally.
+
+	state: final connection state (see below)
+
+	flags: some characteristics of the connection.  The most important is
+		the 'L' flag, which if present indicates that the connection
+		was initiated by the local address (see above); otherwise
+		it was initiated by the remote address.
+
+	additional: protocol-specific additional information, such as the FTP
+		session identifier, telnet user name, finger request, or
+		portmapper results.
+
+The scripts "hot-report" and "mon-report" (in the aux/scripts/ directory) 
+generate readable versions of these connection summaries.  They include
+a mnemonic indicating the connection's state.  Here is the list of
+abbreviations used:
+
+	Symbol	Name	Meaning
+	------	-------	-------------------
+	}	S0	Initial SYN seen, no reply seen ("unanswered")
+	>	S1	Initial SYN handshake seen ("established")
+
+	>	SF	Established and normal FIN handshake seen
+			for termination.  Note that this is the same
+			symbol as for state S1.  You can tell the two
+			apart because for S1 there will not be any
+			byte counts, while for SF there will be.
+
+	[	REJ	Initial SYN elicited RST in reply ("rejected")
+
+	}2	S2	Established and FIN from originator only seen
+	}3	S3	Established and FIN from responder only seen
+
+	>]	RSTO	Established, originator sent a RST to terminate
+	>[	RSTR	Established, responder sent a RST to terminate
+
+	}]	RSTOS0	Originator sent a SYN followed by a RST,
+			we never saw a SYN ack from the responder
+	<[	RSTRH	Responder sent a SYN ack followed by a RST,
+			we never saw a SYN from the originator
+
+	>h	SH	Originator sent a SYN followed by a FIN,
+			we never saw a SYN ack from the responder
+			(so "half" open)
+	<h	SHR	Responder sent a SYN ack followed by a FIN,
+			we never saw a SYN from the originator
+
+	?>?	OTH	No SYN seen, just midstream traffic
+
+The sundry weird states can arise from broken TCPs, but also from split
+routing in which Bro just sees one side of a connection.
+
+For UDP, if we see a request but no reply, that's state S0 ("}"); a request
+followed by a reply is SF (">"); and a reply but no request is SHR ("<h").
diff --git a/doc/misc/ssl.txt b/doc/misc/ssl.txt
new file mode 100644
index 0000000000..dd8e1c11c9
--- /dev/null
+++ b/doc/misc/ssl.txt
@@ -0,0 +1,49 @@
+
+How to create certificates to authorize Bro's SSL connections
+=============================================================
+
+- Create a global CA key/certificate once:
+
+  * Create some directory to store the CA stuff, and create
+  	a few things there:
+
+	    mkdir <ca-dir>
+		cd <ca-dir>
+  		mkdir private newcerts cert crl
+		chmod 700 private
+		touch index.txt
+		echo 01 >serial
+		cp bro/openssl.conf .
+
+  * Create a private CA key:
+   	    openssl genrsa -des3 -out private/ca_key.pem
+
+  * Self-sign it:
+  		openssl req -new -x509 -key private/ca_key.pem -out ca_cert.pem -days 1095
+
+- For each Bro:
+
+  * Create a private key (w/o password):
+  		openssl genrsa -out bro_key.pem
+
+  * Create a certification request:
+  		openssl req -new -key bro_key.pem -out bro.csr
+
+  * Create a certificate using the CA key:
+  		openssl ca -config openssl.cnf -in bro.csr -out bro_cert.pem
+
+  * Verify that the certicate is ok:
+  		openssl verify  -CAfile ca_cert.pem bro_cert.pem
+
+  * Concat Bro key and certificate:
+  		cat bro_key.pem bro_cert.pem >bro.pem
+
+  * Copy this and the CA certificate to the IDS machine:
+  		 scp bro.pem ca_cert.pem ids:...
+
+  * Redef Bro's variables to point to the files:
+  		 redef ssl_ca_certificate = "...../ca_cert.pem";
+  		 redef ssl_private_key = "...../bro.pem";
+
+  * Remove the unnecessary stuff:
+  		 rm bro_key.pem bro.csr bro_cert.pem bro.pem
diff --git a/doc/old/manual-src.tar.gz b/doc/old/manual-src.tar.gz
new file mode 100644
index 0000000000..0e959c40a9
Binary files /dev/null and b/doc/old/manual-src.tar.gz differ
diff --git a/doc/old/manual.pdf b/doc/old/manual.pdf
new file mode 100644
index 0000000000..b2e945acd5
Binary files /dev/null and b/doc/old/manual.pdf differ
diff --git a/doc/old/manual/WARNINGS b/doc/old/manual/WARNINGS
new file mode 100644
index 0000000000..41ac2abf00
--- /dev/null
+++ b/doc/old/manual/WARNINGS
@@ -0,0 +1,60 @@
+
+The manual.aux file was not found, so sections will not be numbered 
+and cross-references will be shown as icons.
+
+There is no author for this document.
+
+? brace missing for \emph
+
+? brace missing for \index
+couldn't convert character bb into available encodings
+
+ ...set $ACCENT_IMAGES  to get an image 
+couldn't convert character cring into available encodings
+couldn't convert character tt into available encodings
+
+No number for "Differenttypesofdirectionsfor<TT>set_contents_file</TT>"
+
+No number for "<TT>print-filter</TT>printsoutthe<TT>tcpdump</TT>filteryourBroscriptwoulduseandthenexits."
+
+No number for "Definitionofthe<TT>net_stats</TT>record."
+
+No number for "Definitionof<TT>conn_id</TT>and<TT>connection</TT>records."
+
+No number for "TCPandUDPconnectionstates,asstoredinan<TT>endpoint</TT>record."
+
+No number for "Summariesofconnectionstates,asreportedin<TT>red</TT>files."
+
+No number for "Differentconnectionstatestousewhencalling<TT>check_hot</TT>."
+
+No number for "Sampledefinitionof<TT>log_hook</TT>"
+
+No number for "Definitionofthe<TT>dns_mapping</TT>record."
+
+No number for "Definitionofthe<TT>ftp_session_info</TT>record"
+
+No number for "ExampleofFTPlogfileentriesforasingleFTPsession."
+
+No number for "ExampleofHTTPlogfileentriesforasingleHTTPsession."
+
+No number for "Differenttypesofconfusionthat<TT>login</TT>analyzercanreport."
+
+No number for "TypesofcallstotheRPCportmapperservice."
+
+No number for "TypesofRPCstatuscodes."
+
+No number for "<TT>endpoint_stats</TT>fieldsforsummarizingconnectionendpointstatistics,alloftype<TT>count</TT>."
+
+No number for "Possibleactionstotakeforsignaturesmatches.<I>signatures-log</I>defaultsto<TT>open_log_file(;SPMquot;signatures;SPMquot;)</TT>."
+
+No number for "Definitionofthe<TT>x509</TT>record"
+
+No number for "Definitionofthe<TT>ssl_connection_info</TT>record"
+
+No number for "ExampleofSSLlogfilewithasingleSSLsession."
+
+No number for "Differenttypesofpossibleactionstotakefor``weird''events."
+
+No number for "Definitionofthe<TT>signature_state</TT>record."
+
+Failed to convert image /tmp/l2h6233/image052.ps
diff --git a/doc/old/manual/images.aux b/doc/old/manual/images.aux
new file mode 100644
index 0000000000..f23e54680b
--- /dev/null
+++ b/doc/old/manual/images.aux
@@ -0,0 +1 @@
+\relax 
diff --git a/doc/old/manual/images.idx b/doc/old/manual/images.idx
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/doc/old/manual/images.log b/doc/old/manual/images.log
new file mode 100644
index 0000000000..b1ffb1e95c
--- /dev/null
+++ b/doc/old/manual/images.log
@@ -0,0 +1,607 @@
+This is TeX, Version 3.14159 (Web2C 7.3.1) (format=latex 2001.8.15)  21 MAR 2004 07:20
+**./images.tex
+(./images.tex
+LaTeX2e <1999/12/01> patch level 1
+Babel <v3.6Z> and hyphenation patterns for american, french, german, ngerman, n
+ohyphenation, loaded.
+
+(/usr/local/share/texmf/tex/latex/base/report.cls
+Document Class: report 1999/09/10 v1.4a Standard LaTeX document class
+(/usr/local/share/texmf/tex/latex/base/size10.clo
+File: size10.clo 1999/09/10 v1.4a Standard LaTeX file (size option)
+)
+\c@part=\count79
+\c@chapter=\count80
+\c@section=\count81
+\c@subsection=\count82
+\c@subsubsection=\count83
+\c@paragraph=\count84
+\c@subparagraph=\count85
+\c@figure=\count86
+\c@table=\count87
+\abovecaptionskip=\skip41
+\belowcaptionskip=\skip42
+\bibindent=\dimen102
+) (/usr/local/share/texmf/tex/latex/base/ifthen.sty
+Package: ifthen 1999/09/10 v1.1b Standard LaTeX ifthen package (DPC)
+) (/usr/local/share/texmf/tex/latex/base/makeidx.sty
+Package: makeidx 1999/09/17 v1.0l Standard LaTeX package
+) (/usr/local/share/texmf/tex/latex/psnfss/times.sty
+Package: times 1999/03/29 PSNFSS v.7.2 Times font as default roman : S Rahtz
+) (/usr/local/share/texmf/tex/generic/misc/psfig.sty
+\@unused=\write3
+\ps@stream=\read1
+\p@intvaluex=\dimen103
+\p@intvaluey=\dimen104
+psfig/tex 1.10-dvips
+) (/home/jaguar/u0/vern/latex2html/texinputs/html.sty
+Package: html 1999/07/19 v1.38 hypertext commands for latex2html (nd, hws, rrm)
+
+\c@lpart=\count88
+\c@lchapter=\count89
+\c@lsection=\count90
+\c@lsubsection=\count91
+\c@lsubsubsection=\count92
+\c@lparagraph=\count93
+\c@lsubparagraph=\count94
+\c@lsubsubparagraph=\count95
+\ptrfile=\write4
+)
+\@indexfile=\write5
+\openout5 = `images.idx'.
+
+Writing index file images.idx
+(/usr/local/share/texmf/tex/latex/graphics/color.sty
+Package: color 1999/02/16 v1.0i Standard LaTeX Color (DPC)
+(/usr/local/share/texmf/tex/latex/config/color.cfg)
+Package color Info: Driver file: dvips.def on input line 125.
+(/usr/local/share/texmf/tex/latex/graphics/dvips.def
+File: dvips.def 1999/02/16 v3.0i Driver-dependant file (DPC,SPQR)
+) (/usr/local/share/texmf/tex/latex/graphics/dvipsnam.def
+File: dvipsnam.def 1999/02/16 v3.0i Driver-dependant file (DPC,SPQR)
+)) (/usr/local/share/texmf/tex/latex/base/inputenc.sty
+Package: inputenc 1999/09/17 v0.992 Input encoding file 
+(/usr/local/share/texmf/tex/latex/base/latin1.def
+File: latin1.def 1999/09/17 v0.992 Input encoding file 
+))
+\sizebox=\box26
+\lthtmlwrite=\write6
+No file images.aux.
+\openout1 = `images.aux'.
+
+LaTeX Font Info:    Checking defaults for OML/cmm/m/it on input line 334.
+LaTeX Font Info:    ... okay on input line 334.
+LaTeX Font Info:    Checking defaults for T1/cmr/m/n on input line 334.
+LaTeX Font Info:    ... okay on input line 334.
+LaTeX Font Info:    Checking defaults for OT1/cmr/m/n on input line 334.
+LaTeX Font Info:    ... okay on input line 334.
+LaTeX Font Info:    Checking defaults for OMS/cmsy/m/n on input line 334.
+LaTeX Font Info:    ... okay on input line 334.
+LaTeX Font Info:    Checking defaults for OMX/cmex/m/n on input line 334.
+LaTeX Font Info:    ... okay on input line 334.
+LaTeX Font Info:    Checking defaults for U/cmr/m/n on input line 334.
+LaTeX Font Info:    ... okay on input line 334.
+LaTeX Font Info:    Try loading font information for OT1+ptm on input line 334.
+
+(/usr/local/share/texmf/tex/latex/psnfss/ot1ptm.fd
+File: ot1ptm.fd 1998/07/06 Fontinst v1.800 font definitions for OT1/ptm.
+)
+
+latex2htmlLength hsize=349.0pt
+
+latex2htmlLength vsize=633.0pt
+
+latex2htmlLength hoffset=0.0pt
+
+latex2htmlLength voffset=0.0pt
+
+latex2htmlLength topmargin=0.0pt
+
+latex2htmlLength topskip=0.00003pt
+
+latex2htmlLength headheight=0.0pt
+
+latex2htmlLength headsep=0.0pt
+
+latex2htmlLength parskip=0.0pt plus 1.0pt
+
+latex2htmlLength oddsidemargin=-10.84006pt
+
+latex2htmlLength evensidemargin=-10.84006pt
+
+LaTeX Font Info:    External font `cmex10' loaded for size
+(Font)              <7> on input line 399.
+LaTeX Font Info:    External font `cmex10' loaded for size
+(Font)              <5> on input line 399.
+l2hSize :tex2html_wrap_inline5436:6.74997pt::0.0pt::13.00003pt.
+[1
+
+
+
+]
+l2hSize :tex2html_wrap_inline5438:6.74997pt::0.0pt::8.00003pt.
+[2
+
+
+]
+l2hSize :tex2html_wrap_inline5440:6.83331pt::0.0pt::73.23354pt.
+[3
+
+
+]
+l2hSize :tex2html_wrap_inline5442:6.83331pt::0.0pt::15.04518pt.
+[4
+
+
+]
+l2hSize :tex2html_wrap_inline5444:8.14003pt::0.0pt::13.9723pt.
+[5
+
+
+]
+l2hSize :tex2html_wrap_inline5446:8.14003pt::0.0pt::13.9723pt.
+[6
+
+
+]
+l2hSize :tex2html_wrap_inline5448:8.14003pt::0.0pt::9.98618pt.
+[7
+
+
+]
+l2hSize :tex2html_wrap_inline5450:6.83331pt::0.0pt::41.50558pt.
+[8
+
+
+]
+l2hSize :tex2html_wrap_inline5452:6.83331pt::0.0pt::59.23058pt.
+[9
+
+
+]
+l2hSize :tex2html_wrap_inline5454:6.83331pt::0.0pt::16.67014pt.
+[10
+
+
+]
+l2hSize :tex2html_wrap_inline5456:7.96227pt::0.0pt::7.13895pt.
+[11
+
+
+]
+l2hSize :tex2html_wrap_inline5458:6.88586pt::0.0pt::5.09726pt.
+[12
+
+
+]
+l2hSize :tex2html_wrap_inline8536:7.24997pt::7.24997pt::4.98616pt.
+[13
+
+
+]
+l2hSize :tex2html_wrap_inline8540:7.24997pt::7.24997pt::4.98616pt.
+[14
+
+
+]
+l2hSize :tex2html_wrap_inline8614:7.24997pt::7.24997pt::4.98616pt.
+[15
+
+
+]
+l2hSize :tex2html_wrap_inline16373:7.24997pt::7.24997pt::21.05557pt.
+[16
+
+
+]
+l2hSize :tex2html_wrap_inline16375:6.74997pt::0.0pt::9.28017pt.
+[17
+
+
+]
+l2hSize :tex2html_wrap_inline16379:6.74997pt::0.0pt::6.50238pt.
+[18
+
+
+]
+l2hSize :tex2html_wrap_inline16393:6.94444pt::0.0pt::6.26161pt.
+[19
+
+
+]
+LaTeX Font Info:    Try loading font information for OT1+pcr on input line 614.
+
+(/usr/local/share/texmf/tex/latex/psnfss/ot1pcr.fd
+File: ot1pcr.fd 1998/07/06 Fontinst v1.800 font definitions for OT1/pcr.
+)
+Overfull \hbox (59.0pt too wide) in paragraph at lines 631--631
+[]        \OT1/pcr/m/n/10 print fmt("(%s) and (%s)", capture_filter, restrict_f
+ilter);[] 
+ []
+
+l2hSize :figure22361:203.09998pt::0.0pt::349.0pt.
+[20
+
+
+]
+Overfull \hbox (41.0pt too wide) in paragraph at lines 647--647
+[]    \OT1/pcr/m/n/10 pkts_recvd: count;       # Number of packets received so 
+far.[] 
+ []
+
+
+Overfull \hbox (59.0pt too wide) in paragraph at lines 647--647
+[]    \OT1/pcr/m/n/10 pkts_dropped: count;     # Number of packets *reported* d
+ropped.[] 
+ []
+
+
+Overfull \hbox (83.0pt too wide) in paragraph at lines 647--647
+[]    \OT1/pcr/m/n/10 interface_drops: count;  # Number of drops reported by in
+terface(s).[] 
+ []
+
+l2hSize :figure22485:83.09998pt::0.0pt::349.0pt.
+[21
+
+
+]
+Overfull \hbox (29.0pt too wide) in paragraph at lines 680--680
+[]    \OT1/pcr/m/n/10 id: conn_id;        # Originator/responder addresses/port
+s.[] 
+ []
+
+
+Overfull \hbox (71.0pt too wide) in paragraph at lines 680--680
+[]    \OT1/pcr/m/n/10 duration: interval; # How long it was active (or has been
+ so far).[] 
+ []
+
+
+Overfull \hbox (95.0pt too wide) in paragraph at lines 680--680
+[]    \OT1/pcr/m/n/10 service: string;    # The service we associate with it (e
+.g., "http").[] 
+ []
+
+
+Overfull \hbox (59.0pt too wide) in paragraph at lines 680--680
+[]    \OT1/pcr/m/n/10 addl: string;       # Additional information associated w
+ith it.[] 
+ []
+
+
+Overfull \hbox (71.0pt too wide) in paragraph at lines 680--680
+[]    \OT1/pcr/m/n/10 hot: count;         # How many times we've marked it as s
+ensitive.[] 
+ []
+
+l2hSize :figure22528:275.09998pt::0.0pt::349.0pt.
+[22
+
+
+]
+l2hSize :tex2html_wrap_inline31877:6.83331pt::0.0pt::8.00005pt.
+[23
+
+
+]
+l2hSize :tex2html_wrap_inline31879:6.83331pt::0.0pt::8.58684pt.
+[24
+
+
+]
+l2hSize :tex2html_wrap_inline31899:7.33331pt::7.33331pt::12.53233pt.
+[25
+
+
+]
+l2hSize :tex2html_wrap_inline31901:7.33331pt::7.33331pt::12.51337pt.
+[26
+
+
+]
+l2hSize :tex2html_wrap_inline31903:7.33331pt::7.33331pt::11.0695pt.
+[27
+
+
+]
+l2hSize :tex2html_wrap_inline31905:7.33331pt::7.33331pt::12.4283pt.
+[28
+
+
+]
+l2hSize :tex2html_wrap_inline31927:7.33331pt::7.33331pt::12.44727pt.
+[29
+
+
+]
+l2hSize :tex2html_wrap_inline31937:7.33331pt::7.33331pt::11.0792pt.
+[30
+
+
+]
+l2hSize :tex2html_wrap_inline31941:7.33331pt::7.33331pt::11.06023pt.
+[31
+
+
+]
+l2hSize :tex2html_wrap_inline31943:6.83331pt::0.0pt::9.05698pt.
+[32
+
+
+]
+l2hSize :tex2html_wrap_inline31957:7.33331pt::7.33331pt::11.36739pt.
+[33
+
+
+]
+l2hSize :tex2html_wrap_inline31961:7.33331pt::7.33331pt::11.34842pt.
+[34
+
+
+]
+l2hSize :tex2html_wrap_inline31971:7.24997pt::7.24997pt::5.53128pt.
+[35
+
+
+]
+l2hSize :figure23775:263.09998pt::0.0pt::349.0pt.
+[36
+
+
+]
+Overfull \hbox (35.0pt too wide) in paragraph at lines 830--830
+[]    \OT1/pcr/m/n/10 req_host: string;     # The hostname in the request, if a
+ny.[] 
+ []
+
+
+Overfull \hbox (29.0pt too wide) in paragraph at lines 830--830
+[]    \OT1/pcr/m/n/10 req_addr: addr;       # The address in the request, if an
+y.[] 
+ []
+
+
+Overfull \hbox (59.0pt too wide) in paragraph at lines 830--830
+[]    \OT1/pcr/m/n/10 hostname: string;     # The hostname in the answer, or "<
+none>".[] 
+ []
+
+
+Overfull \hbox (35.0pt too wide) in paragraph at lines 830--830
+[]    \OT1/pcr/m/n/10 addrs: set[addr];     # The addresses in the answer, if a
+ny.[] 
+ []
+
+l2hSize :figure23860:131.09998pt::0.0pt::349.0pt.
+[37
+
+
+]
+Overfull \hbox (41.0pt too wide) in paragraph at lines 858--858
+[]    \OT1/pcr/m/n/10 id: count;              # unique number associated w/ ses
+sion[] 
+ []
+
+
+Overfull \hbox (71.0pt too wide) in paragraph at lines 858--858
+[]    \OT1/pcr/m/n/10 log_if_not_denied: bool;        # unless code 530 on repl
+y, log it[] 
+ []
+
+
+Overfull \hbox (71.0pt too wide) in paragraph at lines 858--858
+[]    \OT1/pcr/m/n/10 log_if_not_unavail: bool;       # unless code 550 on repl
+y, log it[] 
+ []
+
+l2hSize :figure24088:131.09998pt::0.0pt::349.0pt.
+[38
+
+
+]
+Overfull \hbox (35.0pt too wide) in paragraph at lines 877--877
+[]\OT1/pcr/m/n/10 972499885.784104 #26 131.243.70.68/1899 > 64.55.26.206/ftp st
+art[] 
+ []
+
+
+Overfull \hbox (5.0pt too wide) in paragraph at lines 877--877
+[]\OT1/pcr/m/n/10 972499886.685046 #26 response (220 tuvok.ooc.com FTP server[]
+ 
+ []
+
+
+Overfull \hbox (23.0pt too wide) in paragraph at lines 877--877
+[]    \OT1/pcr/m/n/10 (Version wu-2.6.0(1) Fri Jun 23 09:17:44 EDT 2000) ready.
+)[] 
+ []
+
+
+Overfull \hbox (41.0pt too wide) in paragraph at lines 877--877
+[]\OT1/pcr/m/n/10 972499889.493020 #26 SIZE /pub/OB/4.0/JOB-4.0.3.zip (213 1675
+597)[] 
+ []
+
+
+Overfull \hbox (65.0pt too wide) in paragraph at lines 877--877
+[]\OT1/pcr/m/n/10 972499890.135706 #26 *RETR /pub/OB/4.0/JOB-4.0.3.zip, ABOR (c
+omplete)[] 
+ []
+
+
+Overfull \hbox (11.0pt too wide) in paragraph at lines 877--877
+[]\OT1/pcr/m/n/10 972500055.491045 #26 response (225 ABOR command successful.)[
+] 
+ []
+
+l2hSize :figure24192:119.53992pt::0.0pt::349.0pt.
+[39
+
+
+]
+l2hSize :figure24357:83.53992pt::0.0pt::349.0pt.
+[40
+
+
+]
+l2hSize :tex2html_wrap_inline31983:7.24997pt::7.24997pt::16.05556pt.
+[41
+
+
+]
+l2hSize :tex2html_wrap_inline31987:7.24997pt::7.24997pt::26.05559pt.
+[42
+
+
+]
+l2hSize :tex2html_wrap_inline31989:7.24997pt::7.24997pt::31.0556pt.
+[43
+
+
+]
+l2hSize :tex2html_wrap_inline31991:7.24997pt::7.24997pt::8.27783pt.
+[44
+
+
+]
+l2hSize :figure25695:59.09998pt::0.0pt::349.0pt.
+[45
+
+
+]
+Overfull \hbox (29.0pt too wide) in paragraph at lines 970--970
+[]    \OT1/pcr/m/n/10 id: count;                      # the log identifier numb
+er[] 
+ []
+
+
+Overfull \hbox (29.0pt too wide) in paragraph at lines 970--970
+[]    \OT1/pcr/m/n/10 connection_id: conn_id;         # IP connection informati
+on[] 
+ []
+
+
+Overfull \hbox (83.0pt too wide) in paragraph at lines 970--970
+[]    \OT1/pcr/m/n/10 version: count;                 # version associated with
+ connection[] 
+ []
+
+
+Overfull \hbox (59.0pt too wide) in paragraph at lines 970--970
+[]    \OT1/pcr/m/n/10 id_index: string;               # index for associated se
+ssionID[] 
+ []
+
+
+Overfull \hbox (131.0pt too wide) in paragraph at lines 970--970
+[]    \OT1/pcr/m/n/10 handshake_cipher: count;        # cipher suite client and
+ server agreed upon[] 
+ []
+
+l2hSize :figure25707:119.09998pt::0.0pt::349.0pt.
+[46
+
+
+]
+Overfull \hbox (59.0pt too wide) in paragraph at lines 992--992
+[]\OT1/pcr/m/n/10 1046778101.534846 #1 192.168.0.98/32988 > 213.61.126.124/http
+s start[] 
+ []
+
+
+Overfull \hbox (2135.0pt too wide) in paragraph at lines 992--992
+[]\OT1/pcr/m/n/10 1046778101.534846 #1 cipher suites: SSLv3x_RSA_WITH_RC4_128_M
+D5 (0x4), SSLv3x_RSA_FIPS_WITH_3DES_EDE_CBC_SHA (0xFEFF), SSLv3x_RSA_WITH_3DES_
+EDE_CBC_SHA (0xA), SSLv3x_RSA_FIPS_WITH_DES_CBC_SHA (0xFEFE), SSLv3x_RSA_WITH_D
+ES_CBC_SHA(0x9), SSLv3x_RSA_EXPORT1024_WITH_RC4_56_SHA (0x64), SSLv3x_RSA_EXPOR
+T1024_WITH_DES_CBC_SHA (0x62), SSLv3x_RSA_EXPORT_WITH_RC4_40_MD5 (0x3), SSLv3x_
+RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0x6),[] 
+ []
+
+
+Overfull \hbox (65.0pt too wide) in paragraph at lines 992--992
+[]\OT1/pcr/m/n/10 1046778101.753356 #1 cipher suite: SSLv3x_RSA_WITH_RC4_128_MD
+5 (0x4),[] 
+ []
+
+
+Overfull \hbox (749.0pt too wide) in paragraph at lines 992--992
+[]\OT1/pcr/m/n/10 1046778101.762601 #1 X.509 server issuer: /C=DE/ST=Hamburg/L=
+Hamburg/O=TC TrustCenter for Security in Data Networks GmbH/OU=TC TrustCenter C
+lass 3 CA/Email=certificate@trustcenter.de,[] 
+ []
+
+
+Overfull \hbox (521.0pt too wide) in paragraph at lines 992--992
+[]\OT1/pcr/m/n/10 1046778101.762601 #1 X.509 server subject: /C=DE/ST=Berlin/O=
+Lehmanns Fachbuchhandlung GmbH/OU=Zentrale EDV/CN=www.jfl.de/Email=admin@lehman
+ns.de[] 
+ []
+
+
+Overfull \hbox (257.0pt too wide) in paragraph at lines 992--992
+[]\OT1/pcr/m/n/10 1046778101.894567 #1 handshake finished, version 3.1, cipher 
+suite: SSLv3x_RSA_WITH_RC4_128_MD5 (0x4)[] 
+ []
+
+l2hSize :figure25794:155.25494pt::0.0pt::349.0pt.
+[47
+
+
+]
+l2hSize :tex2html_wrap_inline31993:7.31989pt::7.31989pt::51.61522pt.
+[48
+
+
+]
+Overfull \hbox (41.0pt too wide) in paragraph at lines 1037--1037
+[]    \OT1/pcr/m/n/10 is_orig: bool;       # True if current endpoint is origin
+ator[] 
+ []
+
+
+Overfull \hbox (95.0pt too wide) in paragraph at lines 1037--1037
+[]    \OT1/pcr/m/n/10 payload_size: count; # Payload size of the first pkt of c
+urr. endpoint[] 
+ []
+
+l2hSize :figure39539:83.09998pt::0.0pt::349.0pt.
+[49
+
+
+]
+l2hSize :tex2html_wrap_inline39988:6.83331pt::0.0pt::9.625pt.
+[50
+
+
+]
+l2hSize :tex2html_wrap_inline39992:7.33331pt::7.33331pt::17.4028pt.
+[51
+
+
+] (/home/jaguar/u0/vern/bro/bro-doc/index.tex (/home/jaguar/u0/vern/bro/bro-doc
+/doc.ind
+LaTeX Font Info:    Font shape `OT1/ptm/bx/n' in size <24.88> not available
+(Font)              Font shape `OT1/ptm/b/n' tried instead on input line 1.
+LaTeX Font Info:    Font shape `OT1/pcr/m/it' in size <10> not available
+(Font)              Font shape `OT1/pcr/m/sl' tried instead on input line 1539.
+
+! TeX capacity exceeded, sorry [main memory size=263001].
+\par ...@m \@noitemerr {\@@par }\fi \else {\@@par 
+                                                  }\fi 
+l.2843     \subitem
+                    reading, 17
+If you really absolutely need more capacity,
+you can ask a wizard to enlarge me.
+
+ 
+Here is how much of TeX's memory you used:
+ 1313 strings out of 10901
+ 15527 string characters out of 72380
+ 263001 words of memory out of 263001
+ 4278 multiletter control sequences out of 10000+0
+ 6696 words of font info for 23 fonts, out of 400000 for 1000
+ 14 hyphenation exceptions out of 1000
+ 23i,5n,19p,429b,425s stack positions out of 300i,100n,500p,50000b,4000s
+Output written on images.dvi (51 pages, 17976 bytes).
diff --git a/doc/old/manual/images.pl b/doc/old/manual/images.pl
new file mode 100644
index 0000000000..d419b8ea7a
--- /dev/null
+++ b/doc/old/manual/images.pl
@@ -0,0 +1,332 @@
+# LaTeX2HTML 2002-2 (1.70)
+# Associate images original text with physical files.
+
+
+$key = q/B;MSF=1.6;AAT/;
+$cached_env_img{$key} = q|<IMG
+ WIDTH="19" HEIGHT="18" ALIGN="BOTTOM" BORDER="0"
+ SRC="|."$dir".q|img24.gif"
+ ALT="$B$">|; 
+
+$key = q/A_i;MSF=1.6;AAT/;
+$cached_env_img{$key} = q|<IMG
+ WIDTH="29" HEIGHT="18" ALIGN="BOTTOM" BORDER="0"
+ SRC="|."$dir".q|img4.gif"
+ ALT="$A\_i$">|; 
+
+$key = q/ge1024;MSF=1.6;AAT/;
+$cached_env_img{$key} = q|<IMG
+ WIDTH="55" HEIGHT="32" ALIGN="MIDDLE" BORDER="0"
+ SRC="|."$dir".q|img43.gif"
+ ALT="$\ge 1024$">|; 
+
+$key = q/2^{24};MSF=1.6;AAT/;
+$cached_env_img{$key} = q|<IMG
+ WIDTH="27" HEIGHT="20" ALIGN="BOTTOM" BORDER="0"
+ SRC="|."$dir".q|img5.gif"
+ ALT="$2^{24}$">|; 
+
+$key = q/S_{o};MSF=1.6;AAT/;
+$cached_env_img{$key} = q|<IMG
+ WIDTH="23" HEIGHT="32" ALIGN="MIDDLE" BORDER="0"
+ SRC="|."$dir".q|img30.gif"
+ ALT="$S_{o}$">|; 
+
+$key = q/ge256;MSF=1.6;AAT/;
+$cached_env_img{$key} = q|<IMG
+ WIDTH="47" HEIGHT="32" ALIGN="MIDDLE" BORDER="0"
+ SRC="|."$dir".q|img42.gif"
+ ALT="$\ge 256$">|; 
+
+$key = q/pmN;MSF=1.6;AAT/;
+$cached_env_img{$key} = q|<IMG
+ WIDTH="33" HEIGHT="32" ALIGN="MIDDLE" BORDER="0"
+ SRC="|."$dir".q|img51.gif"
+ ALT="$\pm N$">|; 
+
+$key = q/{figure}preform{<verbatim_mark>verbatim312#preform{{{{figure};FSF=1.6;AAT/;
+$cached_env_img{$key} = q|<IMG
+ WIDTH="645" HEIGHT="185" BORDER="0"
+ SRC="|."$dir".q|img37.gif"
+ ALT="\begin{figure}\begin{verbatim}type dns_mapping: record {
+creation_time: time;...
+... set[addr];  ...">|; 
+
+$key = q/_{2};MSF=1.6;AAT/;
+$cached_env_img{$key} = q|<IMG
+ WIDTH="13" HEIGHT="32" ALIGN="MIDDLE" BORDER="0"
+ SRC="|."$dir".q|img13.gif"
+ ALT="$_{2}$">|; 
+
+$key = q/N_1{{tt{.}N_2{{tt{.};MSF=1.6;AAT/;
+$cached_env_img{$key} = q|<IMG
+ WIDTH="71" HEIGHT="18" ALIGN="BOTTOM" BORDER="0"
+ SRC="|."$dir".q|img8.gif"
+ ALT="$N\_1 {\tt .} N\_2 {\tt .}$">|; 
+
+$key = q/{figure}preform{<verbatim_mark>verbatim338#preform{{{{figure};FSF=1.6;AAT/;
+$cached_env_img{$key} = q|<IMG
+ WIDTH="763" HEIGHT="166" BORDER="0"
+ SRC="|."$dir".q|img46.gif"
+ ALT="\begin{figure}\begin{verbatim}type ssl_connection_info: record {
+id: count;  ...">|; 
+
+$key = q/A_{l};MSF=1.6;AAT/;
+$cached_env_img{$key} = q|<IMG
+ WIDTH="23" HEIGHT="32" ALIGN="MIDDLE" BORDER="0"
+ SRC="|."$dir".q|img27.gif"
+ ALT="$A_{l}$">|; 
+
+$key = q/{figure}preform{<verbatim_mark>verbatim345#preform{{{{figure};FSF=1.6;AAT/;
+$cached_env_img{$key} = q|<IMG
+ WIDTH="705" HEIGHT="109" BORDER="0"
+ SRC="|."$dir".q|img49.gif"
+ ALT="\begin{figure}\begin{verbatim}type signature_state: record {
+id: string;  ...">|; 
+
+$key = q/ge;MSF=1.6;AAT/;
+$cached_env_img{$key} = q|<IMG
+ WIDTH="18" HEIGHT="32" ALIGN="MIDDLE" BORDER="0"
+ SRC="|."$dir".q|img44.gif"
+ ALT="$\ge$">|; 
+
+$key = q/{figure}preform{<verbatim_mark>verbatim298#preform{{{{figure};FSF=1.6;AAT/;
+$cached_env_img{$key} = q|<IMG
+ WIDTH="644" HEIGHT="299" BORDER="0"
+ SRC="|."$dir".q|img20.gif"
+ ALT="\begin{figure}\begin{verbatim}event bro_init()
+{
+if ( restrict_filter == '''...
+...%s)'', capture_filter, restrict_filter);exit();
+}\end{verbatim}
+\end{figure}">|; 
+
+$key = q/S_{r};MSF=1.6;AAT/;
+$cached_env_img{$key} = q|<IMG
+ WIDTH="23" HEIGHT="32" ALIGN="MIDDLE" BORDER="0"
+ SRC="|."$dir".q|img31.gif"
+ ALT="$S_{r}$">|; 
+
+$key = q/P_{o};MSF=1.6;AAT/;
+$cached_env_img{$key} = q|<IMG
+ WIDTH="23" HEIGHT="32" ALIGN="MIDDLE" BORDER="0"
+ SRC="|."$dir".q|img33.gif"
+ ALT="$P_{o}$">|; 
+
+$key = q/2^8;MSF=1.6;AAT/;
+$cached_env_img{$key} = q|<IMG
+ WIDTH="21" HEIGHT="20" ALIGN="BOTTOM" BORDER="0"
+ SRC="|."$dir".q|img7.gif"
+ ALT="$2^8$">|; 
+
+$key = q/A_{o};MSF=1.6;AAT/;
+$cached_env_img{$key} = q|<IMG
+ WIDTH="25" HEIGHT="32" ALIGN="MIDDLE" BORDER="0"
+ SRC="|."$dir".q|img29.gif"
+ ALT="$A_{o}$">|; 
+
+$key = q/p;MSF=1.6;AAT/;
+$cached_env_img{$key} = q|<IMG
+ WIDTH="14" HEIGHT="32" ALIGN="MIDDLE" BORDER="0"
+ SRC="|."$dir".q|img35.gif"
+ ALT="$p$">|; 
+
+$key = q/D;MSF=1.6;AAT/;
+$cached_env_img{$key} = q|<IMG
+ WIDTH="20" HEIGHT="18" ALIGN="BOTTOM" BORDER="0"
+ SRC="|."$dir".q|img32.gif"
+ ALT="$D$">|; 
+
+$key = q/_{1};MSF=1.6;AAT/;
+$cached_env_img{$key} = q|<IMG
+ WIDTH="13" HEIGHT="32" ALIGN="MIDDLE" BORDER="0"
+ SRC="|."$dir".q|img14.gif"
+ ALT="$_{1}$">|; 
+
+$key = q/N;MSF=1.6;AAT/;
+$cached_env_img{$key} = q|<IMG
+ WIDTH="21" HEIGHT="18" ALIGN="BOTTOM" BORDER="0"
+ SRC="|."$dir".q|img50.gif"
+ ALT="$N$">|; 
+
+$key = q/~tilde{~}~~~;MSF=1.6;AAT/;
+$cached_env_img{$key} = q|<IMG
+ WIDTH="26" HEIGHT="18" ALIGN="BOTTOM" BORDER="0"
+ SRC="|."$dir".q|img1.gif"
+ ALT="$&nbsp;\tilde{&nbsp;}&nbsp;&nbsp;&nbsp;$">|; 
+
+$key = q/P_{r};MSF=1.6;AAT/;
+$cached_env_img{$key} = q|<IMG
+ WIDTH="23" HEIGHT="32" ALIGN="MIDDLE" BORDER="0"
+ SRC="|."$dir".q|img34.gif"
+ ALT="$P_{r}$">|; 
+
+$key = q/A_{r};MSF=1.6;AAT/;
+$cached_env_img{$key} = q|<IMG
+ WIDTH="25" HEIGHT="32" ALIGN="MIDDLE" BORDER="0"
+ SRC="|."$dir".q|img28.gif"
+ ALT="$A_{r}$">|; 
+
+$key = q/N_i;MSF=1.6;AAT/;
+$cached_env_img{$key} = q|<IMG
+ WIDTH="32" HEIGHT="18" ALIGN="BOTTOM" BORDER="0"
+ SRC="|."$dir".q|img10.gif"
+ ALT="$N\_i$">|; 
+
+$key = q/B_{o};MSF=1.6;AAT/;
+$cached_env_img{$key} = q|<IMG
+ WIDTH="25" HEIGHT="32" ALIGN="MIDDLE" BORDER="0"
+ SRC="|."$dir".q|img25.gif"
+ ALT="$B_{o}$">|; 
+
+$key = q/2cdotmbox{MSL}=4;MSF=1.6;AAT/;
+$cached_env_img{$key} = q|<IMG
+ WIDTH="87" HEIGHT="32" ALIGN="MIDDLE" BORDER="0"
+ SRC="|."$dir".q|img48.gif"
+ ALT="$2 \cdot \mbox{MSL} = 4$">|; 
+
+$key = q/{figure}preform{<verbatim_mark>verbatim300#preform{{{{figure};FSF=1.6;AAT/;
+$cached_env_img{$key} = q|<IMG
+ WIDTH="703" HEIGHT="414" BORDER="0"
+ SRC="|."$dir".q|img22.gif"
+ ALT="\begin{figure}\begin{verbatim}type conn_id: record {
+orig_h: addr;  ...">|; 
+
+$key = q/{figure}preform{<verbatim_mark>verbatim319#preform{{{{figure};FSF=1.6;AAT/;
+$cached_env_img{$key} = q|<IMG
+ WIDTH="551" HEIGHT="109" BORDER="0"
+ SRC="|."$dir".q|img40.gif"
+ ALT="\begin{figure}\begin{verbatim}972482763.371224 %1596 start 200.241.229.80 &gt; 13...
+...g/movies/off.gif
+%1596 GET /vfrog/new.frog.small.gif
+\end{verbatim}
+\end{figure}">|; 
+
+$key = q/{figure}preform{<verbatim_mark>verbatim317#preform{{{{figure};FSF=1.6;AAT/;
+$cached_env_img{$key} = q|<IMG
+ WIDTH="652" HEIGHT="167" BORDER="0"
+ SRC="|."$dir".q|img39.gif"
+ ALT="\begin{figure}\begin{verbatim}972499885.784104  ...">|; 
+
+$key = q/{figure}preform{<verbatim_mark>verbatim315#preform{{{{figure};FSF=1.6;AAT/;
+$cached_env_img{$key} = q|<IMG
+ WIDTH="667" HEIGHT="185" BORDER="0"
+ SRC="|."$dir".q|img38.gif"
+ ALT="\begin{figure}\begin{verbatim}type ftp_session_info: record {
+id: count;  ...">|; 
+
+$key = q/{figure}preform{<verbatim_mark>verbatim311#preform{{{{figure};FSF=1.6;AAT/;
+$cached_env_img{$key} = q|<IMG
+ WIDTH="514" HEIGHT="394" BORDER="0"
+ SRC="|."$dir".q|img36.gif"
+ ALT="\begin{figure}\begin{verbatim}global msg_count: table[string] of count &amp;defaul...
+... schedule +5 min { log_summary(msg) };return F;
+}\end{verbatim}
+\end{figure}">|; 
+
+$key = q/{figure}preform{<verbatim_mark>verbatim339#preform{{{{figure};FSF=1.6;AAT/;
+$cached_env_img{$key} = q|<IMG
+ WIDTH="3949" HEIGHT="223" BORDER="0"
+ SRC="|."$dir".q|img47.gif"
+ ALT="\begin{figure}\begin{verbatim}1046778101.534846  ...">|; 
+
+$key = q/{figure}preform{<verbatim_mark>verbatim337#preform{{{{figure};FSF=1.6;AAT/;
+$cached_env_img{$key} = q|<IMG
+ WIDTH="515" HEIGHT="70" BORDER="0"
+ SRC="|."$dir".q|img45.gif"
+ ALT="\begin{figure}\begin{verbatim}type x509: record {
+issuer: string;  ...">|; 
+
+$key = q/^*;MSF=1.6;AAT/;
+$cached_env_img{$key} = q|<IMG
+ WIDTH="13" HEIGHT="18" ALIGN="BOTTOM" BORDER="0"
+ SRC="|."$dir".q|img12.gif"
+ ALT="$^*$">|; 
+
+$key = q/{figure}preform{<verbatim_mark>verbatim299#preform{{{{figure};FSF=1.6;AAT/;
+$cached_env_img{$key} = q|<IMG
+ WIDTH="684" HEIGHT="109" BORDER="0"
+ SRC="|."$dir".q|img21.gif"
+ ALT="\begin{figure}\begin{verbatim}type net_stats: record {
+...">|; 
+
+$key = q/h;MSF=1.6;AAT/;
+$cached_env_img{$key} = q|<IMG
+ WIDTH="15" HEIGHT="18" ALIGN="BOTTOM" BORDER="0"
+ SRC="|."$dir".q|img19.gif"
+ ALT="$h$">|; 
+
+$key = q/B_{r};MSF=1.6;AAT/;
+$cached_env_img{$key} = q|<IMG
+ WIDTH="25" HEIGHT="32" ALIGN="MIDDLE" BORDER="0"
+ SRC="|."$dir".q|img26.gif"
+ ALT="$B_{r}$">|; 
+
+$key = q/m;MSF=1.6;AAT/;
+$cached_env_img{$key} = q|<IMG
+ WIDTH="20" HEIGHT="18" ALIGN="BOTTOM" BORDER="0"
+ SRC="|."$dir".q|img17.gif"
+ ALT="$m$">|; 
+
+$key = q/le2;MSF=1.6;AAT/;
+$cached_env_img{$key} = q|<IMG
+ WIDTH="31" HEIGHT="32" ALIGN="MIDDLE" BORDER="0"
+ SRC="|."$dir".q|img41.gif"
+ ALT="$\le 2$">|; 
+
+$key = q/2^{16};MSF=1.6;AAT/;
+$cached_env_img{$key} = q|<IMG
+ WIDTH="27" HEIGHT="20" ALIGN="BOTTOM" BORDER="0"
+ SRC="|."$dir".q|img6.gif"
+ ALT="$2^{16}$">|; 
+
+$key = q/le26;MSF=1.6;AAT/;
+$cached_env_img{$key} = q|<IMG
+ WIDTH="39" HEIGHT="32" ALIGN="MIDDLE" BORDER="0"
+ SRC="|."$dir".q|img16.gif"
+ ALT="$\le 26$">|; 
+
+$key = q/A;MSF=1.6;AAT/;
+$cached_env_img{$key} = q|<IMG
+ WIDTH="18" HEIGHT="18" ALIGN="BOTTOM" BORDER="0"
+ SRC="|."$dir".q|img23.gif"
+ ALT="$A$">|; 
+
+$key = q/A_1{{tt{.}A_2{{tt{.}A_3{{tt{.}A_4;MSF=1.6;AAT/;
+$cached_env_img{$key} = q|<IMG
+ WIDTH="122" HEIGHT="18" ALIGN="BOTTOM" BORDER="0"
+ SRC="|."$dir".q|img3.gif"
+ ALT="$A\_1 {\tt .} A\_2 {\tt .} A\_3 {\tt .} A\_4$">|; 
+
+$key = q/_{3};MSF=1.6;AAT/;
+$cached_env_img{$key} = q|<IMG
+ WIDTH="13" HEIGHT="32" ALIGN="MIDDLE" BORDER="0"
+ SRC="|."$dir".q|img15.gif"
+ ALT="$_{3}$">|; 
+
+$key = q/^+;MSF=1.6;AAT/;
+$cached_env_img{$key} = q|<IMG
+ WIDTH="17" HEIGHT="20" ALIGN="BOTTOM" BORDER="0"
+ SRC="|."$dir".q|img11.gif"
+ ALT="$^+$">|; 
+
+$key = q/N_1{{tt{.}N_2{{tt{.}N_3;MSF=1.6;AAT/;
+$cached_env_img{$key} = q|<IMG
+ WIDTH="99" HEIGHT="18" ALIGN="BOTTOM" BORDER="0"
+ SRC="|."$dir".q|img9.gif"
+ ALT="$N\_1 {\tt .} N\_2 {\tt .} N\_3 $">|; 
+
+$key = q/tilde{~}~~;MSF=1.6;AAT/;
+$cached_env_img{$key} = q|<IMG
+ WIDTH="18" HEIGHT="18" ALIGN="BOTTOM" BORDER="0"
+ SRC="|."$dir".q|img2.gif"
+ ALT="$\tilde{&nbsp;}&nbsp;&nbsp;$">|; 
+
+$key = q/n;MSF=1.6;AAT/;
+$cached_env_img{$key} = q|<IMG
+ WIDTH="16" HEIGHT="18" ALIGN="BOTTOM" BORDER="0"
+ SRC="|."$dir".q|img18.gif"
+ ALT="$n$">|; 
+
+1;
+
diff --git a/doc/old/manual/images.tex b/doc/old/manual/images.tex
new file mode 100644
index 0000000000..ea01ededfa
--- /dev/null
+++ b/doc/old/manual/images.tex
@@ -0,0 +1,1104 @@
+\batchmode
+
+
+\documentclass[twoside]{report}
+\RequirePackage{ifthen}
+
+
+
+
+\frenchspacing
+
+
+\sloppy
+
+
+\usepackage{makeidx}
+\usepackage{times}
+\usepackage{psfig}
+\usepackage{html}
+
+
+\textwidth=6.5in
+\oddsidemargin=-0.15in
+\evensidemargin=-0.15in
+
+
+\title{
+	The {\em Bro} 0.8 User Manual
+}
+
+%
+\providecommand{\note}[1]{\emph{Note: #1}}%
+\providecommand{\privatenote}[1]{}%
+\providecommand{\updateme}[1]{#1}%
+\providecommand{\unlikeC}[1]{\emph{Unlike with C,} #1}%
+\providecommand{\deficiency}[1]{\emph{Deficiency: #1}}%
+\providecommand{\fixme}[1]{\emph{Fix me: #1}} 
+
+%
+\providecommand{\xref}[1]{\hyperref{\S~\ref{#1}}{}{}{#1}}%
+\providecommand{\pxref}[1]{(\hyperref{\S~\ref{#1}}{}{}{#1})}%
+\providecommand{\cxref}[1]{\hyperref{Chapter~\ref{#1}}{}{}{#1}}%
+\providecommand{\link}[2]{\hyperref{#1}{}{}{#2}}%
+\providecommand{\lab}[2]{\label{#1}{#2}}%
+\providecommand{\labsectchapter}[2]{\chapter{#2 #1}}%
+\providecommand{\labsectsection}[2]{\section{#2 #1}}%
+\providecommand{\labsectsubsection}[2]{\subsection{#2 #1}}%
+\providecommand{\labsectsubsubsection}[2]{\subsubsection{#2 #1}}%
+\providecommand{\itemwithextra}[3]{\item[{\tt #1#3}]}%
+\providecommand{\optsyntax}[1]{{\emph{[} \texttt{#1} \emph{]}}}%
+\providecommand{\nl}{} 
+
+%
+\providecommand{\itemwithtype}[2]{\item[{\tt #1 : #2}]} 
+
+%
+\providecommand{\f}[1]{Figure~\ref{#1}}%
+\providecommand{\tbl}[1]{Table~\ref{#1}}%
+\providecommand{\percent}{{{\tt \%}}}%
+\providecommand{\hash}{{{\tt \#}}}%
+\providecommand{\caret}{{{\tt \^}}}%
+\providecommand{\load}{{{\tt @load}{ }}}%
+\providecommand{\loadx}{{{\tt @load}}}%
+\providecommand{\prefix}{{{\tt @prefix}{ }}}%
+\providecommand{\prefixx}{{{\tt @prefix}}}%
+\providecommand{\void}{void} 
+
+%
+\providecommand{\kludge}{{\tt \mbox{\hspace{0.01in}}~}} 
+
+%
+\providecommand{\indplain}[2]{\index{#1 #2}\index{#2s!#1}{#1}}%
+\providecommand{\indtt}[2]{\index{#1 #2@{\protect\tt #1} #2}\index{#2s}\index{#2s!#1@{\tt #1}}{{\tt #1}}}%
+\providecommand{\indttbang}[2]{\index{#1@{\tt #1}}\index{#1!#2@#2}{{\tt #1}}}%
+\providecommand{\indttparen}[2]{\index{#1 #2@{\protect\tt (#1)} #2}\index{#2s}\index{#2s!#1@{\tt (#1)}}{{\tt (#1)}}}%
+\providecommand{\indttnotext}[2]{\index{#1 #2@{\protect\tt #1} #2}\index{#2s}\index{#2s!#1@{\tt #1}}}%
+\providecommand{\indttnotexttwo}[3]{\index{#1 #2 #3@{\protect\tt #1 #2} #3}\index{#2 #3@{\tt #2} #3}\index{#2 #3!#1@{\tt #1}}}%
+\providecommand{\indttzero}[1]{\index{#1@{\protect\tt #1}}{{\tt #1}}}%
+\providecommand{\indtttwo}[3]{\index{#2@{\protect\tt #1} #3}\index{#3s}\index{#3s!#2@{\tt #1}}}%
+\providecommand{\itemindtt}[2]{\index{#1 #2@{\protect\tt #1} #2}\index{#2s}\index{#2s!#1@{\tt #1}}\item[{\tt #1}]}%
+\providecommand{\indttbegin}[2]{\index{#1 #2@{\protect\tt #1} #2|(}\index{#2s}\index{#2s!#1@{\tt #1}|(}{\tt #1}}%
+\providecommand{\indttend}[2]{\index{#1 #2@{\protect\tt #1} #2|)}\index{#2s}\index{#2s!#1@{\tt #1}|)}{\tt #1}} 
+
+%
+\providecommand{\opind}[1]{\index{#1 operator@{\protect\tt #1} operator}\index{operators!{\protect\tt #1}}}%
+\providecommand{\indopone}[2]{\index{#1 #2@{\protect\tt #1} #2}\index{operators!{\protect\tt #1}}}%
+\providecommand{\indoponekey}[3]{\index{#3@{\protect\tt #1} #2}\index{operators!{\protect\tt #1}}}%
+\providecommand{\indoptwo}[2]{\index{#1 #2@{\protect\tt #1\protect\ } #2}\index{operators!{\protect\tt #1}}} 
+
+%
+\providecommand{\keyind}[1]{\index{#1 keyword@{\protect\tt #1} keyword}\index{keywords!{\protect\tt #1}}} 
+
+%
+\providecommand{\indevent}[2]{\index{#1 event@{\protect\tt #1} event}\index{events!{\protect\tt #1}}\label{#2-event}{{\tt #1}}}%
+\providecommand{\itemindevent}[2]{\index{#1 event@{\protect\tt #1} event}\index{events!{\protect\tt #1}}\label{#2-event}{\item[{\tt #1}]}}%
+\providecommand{\indeventnolabel}[1]{\index{#1 event@{\protect\tt #1} event}\index{events!{\protect\tt #1}}}%
+\providecommand{\indeventtype}[3]{\index{#1 event@{\protect\tt #1} event}\index{events!{\protect\tt #1}}\label{#2-event}{\item[{\tt \tt #1 (#3)}]}}%
+\providecommand{\indeventtypenolabel}[2]{\index{#1 event@{\protect\tt #1} event}\index{events!{\protect\tt #1}}\item[{\tt \tt #1 (#2)}]}%
+\providecommand{\xrefevent}[2]{\hyperref{\tt #1}{}{}{#2-event}}%
+\providecommand{\xrefindevent}[2]{\index{#1 event@{\protect\tt #1} event}\index{events!{\protect\tt #1}}\hyperref{\tt #1}{}{}{#2-event}} 
+
+%
+\providecommand{\indenvnotext}[1]{\index{#1 environment variable@{\protect\tt \$#1} environment variable}\index{environment variables!#1@{\tt \$#1}}}%
+\providecommand{\indenv}[2]{\index{#1 environment variable@{\protect\tt \$#1} environment variable}\index{environment variables!#1@{\tt \$#1}}\label{#2-env}{{\tt \$#1}}}%
+\providecommand{\itemindenv}[2]{\index{#1 environment variable@{\protect\tt \$#1} environment variable}\index{environment variables!#1@{\tt \$#1}}\label{#2-env}{\item[{\tt \$#1}]} }%
+\providecommand{\xrefenv}[2]{\hyperref{\tt \$#1}{}{}{#2-env}} 
+
+%
+\providecommand{\analyzer}[1]{{\tt #1}}%
+\providecommand{\indanalyzer}[2]{\index{#1 analyzer@{\protect\tt #1} analyzer}\index{analyzers!{\protect \tt #1}}\label{#2-analyzer-module}{{\tt #1}}}%
+\providecommand{\indanalyzernolabel}[1]{{\index{#1 analyzer@{\protect\tt #1} analyzer}\index{analyzers!{\protect \tt #1}}{\tt #1}}}%
+\providecommand{\xrefanalyzer}[2]{\hyperref{\tt #1}{}{}{#2-analyzer-module}} 
+
+%
+\providecommand{\module}[1]{{\tt #1}}%
+\providecommand{\indmodule}[2]{\index{#1 module@{\protect\tt #1} module}\index{modules!{\protect \tt #1}}\label{#2-analyzer-module}{{\tt #1}}}%
+\providecommand{\xrefmodule}[2]{\hyperref{\tt #1}{}{}{#2-analyzer-module}} 
+
+%
+\providecommand{\indfunc}[2]{\index{#1 function@{\protect\tt #1} function}\index{functions!{\protect \tt #1}}\label{#2-func}{{\tt #1}}}%
+\providecommand{\itemindfunc}[3]{\index{#1 function@{\protect\tt #1} function}\index{functions!{\protect \tt #1}}\label{#2-func}{\item[{\tt \tt #1\tt #3 }]}}%
+\providecommand{\indfuncnolabel}[2]{\index{#1 function@{\protect\tt #1} function}\index{functions!{\protect \tt #1}}{\tt #1}}%
+\providecommand{\xreffunc}[2]{\hyperref{\tt #1}{}{}{#2-func}}%
+\providecommand{\xrefindfunc}[2]{\index{#1 function@{\protect\tt #1} function}\index{functions!{\protect \tt #1}}\hyperref{\tt #1}{}{}{#2-func}}%
+\providecommand{\xreffuncnott}[2]{\hyperref{\S~\ref{#2-func}}{}{}{#2-func}} 
+
+%
+\providecommand{\xreflog}[1]{\hyperref{\tt #1}{}{}{#1-log}} 
+
+%
+\providecommand{\itemindstmtemph}[1]{\index{#1 statement@{\protect\emph{#1}} statement}\index{statements!{\protect\emph{#1}}}\label{#1-stmt}{\item[{\emph{#1}}]}}%
+\providecommand{\itemindstmttt}[1]{\index{#1 statement@{\protect\tt #1} statement}\index{statements!{\protect\tt #1}}\label{#1-stmt}{\item[{\tt #1}]}}%
+\providecommand{\itemindstmttttwo}[2]{\index{#1 statement@{\protect\tt #1} statement}\index{#2 statement@{\protect\tt #2} statement}\index{statements!{\protect\tt #1}}\index{statements!{\protect\tt #2}}\label{#1-stmt}\label{#2-stmt}{\item[{\tt #1}, {\tt #2}]}}%
+\providecommand{\xrefstmt}[2]{\hyperref{\tt #1}{}{}{#2-stmt}} 
+
+%
+\providecommand{\itemindexpremph}[1]{\index{#1 expression@{\protect\emph{#1}} expression}\index{expressions!{\protect\emph{#1}}}\label{#1-expr}{\item[{\emph{#1}}]}}%
+\providecommand{\itemindexprtt}[1]{\index{#1 expression@{\protect\tt #1} expression}\index{expressions!{\protect\tt #1}}\label{#1-expr}{\item[{\tt #1}]}}%
+\providecommand{\itemindexprtttwo}[2]{\index{#1 expressions@{\protect\tt #1} expressions}\index{#2 expressions@{\protect\tt #2} expressions}\index{expressions!{\protect\tt #1}}\index{expressions!{\protect\tt #2}}\label{#1-expr}\label{#2-expr}{\item[{\tt #1}, {\tt #2}]}}%
+\providecommand{\itemindexpremphtwo}[2]{\index{#1 expressions@{\protect\em #1} expressions}\index{#2 expressions@{\protect\em #2} expressions}\index{expressions!{\protect\em #1}}\index{expressions!{\protect\em #2}}\label{#1-expr}\label{#2-expr}{\item[{\em #1}, {\em #2}]}}%
+\providecommand{\itemindexprtttwonott}[2]{\index{#1 expressions@{#1} expressions}\index{#2 expressions@{#2} expressions}\index{expressions!{#1}}\index{expressions!{#2}}\label{#1-expr}\label{#2-expr}{\item[{#1}, {#2}]}}%
+\providecommand{\xrefexpr}[2]{\hyperref{\tt #1}{}{}{#2-expr}} 
+
+%
+\providecommand{\indfield}[4]{\index{#1@{\tt #1}}\index{#1!#3@{\tt #3} field}\index{#3 record@{\tt #3} record}\label{#4-#2-field}{\item[{\tt #1}]}}%
+\providecommand{\xreffield}[3]{\hyperref{\tt #1}{}{}{#3-#2-field}}%
+\providecommand{\xrefscript}[2]{\hyperref{\tt #1}{}{}{#2-script}} 
+
+%
+\providecommand{\indvar}[1]{\index{#1 variable@{\protect\tt #1} variable}\index{variables!{\protect \tt #1}}{\tt #1}}%
+\providecommand{\indvartype}[3]{\index{#1 variable@{\protect\tt #1} variable}\index{variables!{\protect \tt #1}}\label{#2-var}{\item[{\tt \tt #1 : #3}]}}%
+\providecommand{\indvarbegin}[1]{\index{#1 variable@{\tt #1} variable|(}\index{variables!{\protect \tt #1}|(}}%
+\providecommand{\indvarend}[1]{\index{#1 variable@{\tt #1} variable|)}\index{variables!{\protect \tt #1}|)}}%
+\providecommand{\xrefvar}[2]{\hyperref{\tt #1}{}{}{#2-var}}%
+\providecommand{\xrefvarnott}[2]{\hyperref{\S~\ref{#2-var}}{}{}{#2-var}}%
+\providecommand{\pxrefvarnott}[2]{(\hyperref{\S~\ref{#2-var}}{}{}{#2-var})} 
+
+%
+\providecommand{\xreftype}[2]{\hyperref{\tt #1}{}{}{#2-type}} 
+
+%
+\providecommand{\indattr}[2]{\index{#1 attribute@{\protect\tt \&#1} attribute}\index{attributes!#1@{\tt \&#1}}\label{#2-attr}{{\tt \&#1}}}%
+\providecommand{\indattrnotext}[1]{\index{#1 attribute@{\protect\tt \&#1} attribute}\index{attributes!#1@{\tt \&#1}}}%
+\providecommand{\itemindattr}[2]{\index{#1 attribute@{\protect\tt \&#1} attribute}\index{attributes!#1@{\tt \&#1}}\label{#2-attr}{\item[{\tt \&#1}]} }%
+\providecommand{\xrefattr}[2]{\hyperref{\tt \&#1}{}{}{#2-attr}} 
+
+%
+\providecommand{\indintvar}[1]{\index{#1 internal variable@{\protect\tt #1} internal variable}\index{internal variables!{\protect \tt #1}}{\tt #1}} 
+
+%
+\providecommand{\indformat}[1]{\index{#1 format@{\protect\tt #1} format}\index{format!#1@{\tt #1}}\item[#1]}%
+\providecommand{\indformatnoitem}[1]{\index{#1 format@{\protect\tt #1} format}\index{format!#1@{\tt #1}}} 
+
+%
+\providecommand{\indweird}[2]{\index{#1 (``weird'' event)@{\protect\tt #1} (``weird'' event)}\index{weird event@``weird'' event}\index{weird event!#1@{\protect \tt #1}}\label{#2-weird}{\item[{\tt #1}]}} 
+
+%
+\providecommand{\indextext}[2]{\index{#1 (#2)@{\protect\tt "#1"} (#2)}\index{#2s}\index{#2s!#1@{\tt "#1"}}{\tt "#1"}}%
+\providecommand{\indexmsg}[1]{\index{#1@{\protect\tt "#1"}}\index{message!{\protect \tt "#1"}}} 
+
+%
+\providecommand{\indfatal}[1]{\index{#1!fatal run-time error}\index{fatal run-time error!#1}\index{run-time error!#1}}%
+\providecommand{\indruntime}[1]{\index{#1!run-time error}\index{run-time error!#1}} 
+
+%
+\providecommand{\indglobalnotext}[1]{{\index{#1 global variable@{\protect\tt #1} global variable}}{\index{global variables!{\protect\tt #1}}}}%
+\providecommand{\indglobal}[1]{{\index{#1 global variable@{\protect\tt #1} global variable}}{\index{global variables!{\protect\tt #1}}}{\tt #1}} 
+
+%
+\providecommand{\indpredefvar}[3]{\index{#1 variable@{\protect\tt #1} variable}\index{predefined variables!{\protect \tt #1}}\index{variables!{\protect \tt #1}}\label{#2-global}{\item[{\tt \tt #1 : #3}]}} 
+
+%
+\providecommand{\xrefglobal}[2]{\hyperref{\tt #1}{}{}{#2-global}}%
+\providecommand{\xrefglobalind}[2]{\hyperref{\tt #1}{}{}{#2-global}{\index{#1 global variable@{\protect\tt #1} global variable}}{\index{global variables!{\protect\tt #1}}}} 
+
+%
+\providecommand{\indlibrary}[2]{{\index{#1 library@{\protect\em #1} library}}{\index{libraries!{\protect\em #1}}}{\index{libraries!{\protect\em #1}}}\label{#2-library}{{\em #1}}}%
+\providecommand{\xreflibrary}[2]{\hyperref{\emph{#1}}{}{}{#2-library}} 
+
+%
+\providecommand{\indutility}[2]{{\index{#1 utility program@{\protect\em #1} utility program}}{\index{programs!{\protect\em #1}}}{\index{utility programs!{\protect\em #1}}}\label{#2-utility}{{\em #1}}}%
+\providecommand{\xrefutility}[2]{\hyperref{\emph{#1}}{}{}{#2-utility}} 
+
+%
+\providecommand{\mkflagind}[1]{\index{#1 flag@{\protect\tt -#1} flag}\index{flags!{\protect \tt -#1}}\index{Bro!flags!{\protect \tt -#1}}}%
+\providecommand{\indflag}[1]{\index{#1 flag@{\protect\tt -#1} flag}\index{flags!{\protect \tt -#1}}\index{Bro!flags!{\protect \tt -#1}}\label{flag-#1}{\item[{\tt -#1}]}}%
+\providecommand{\indflagnoitem}[1]{\index{#1 flag@{\protect\tt -#1} flag}\index{flags!{\protect \tt -#1}}\index{Bro!flags!{\protect \tt -#1}}{\tt -#1}}%
+\providecommand{\indflagtwo}[2]{\index{#1 flag@{\protect\tt -#1} flag}\index{flags!{\protect \tt -#1}}\index{Bro!flags!{\protect \tt -#1}}\label{flag-#1}{\item[{\tt \tt -#1 \emph{#2}}] \\}}%
+\providecommand{\xrefflag}[1]{\hyperref{\tt #1}{}{}{flag#1}} 
+
+%
+\providecommand{\indpredeffunc}[3]{\index{#1 function@{\tt #1} function}\index{predefined functions!{\protect \tt #1}}\index{functions!{\protect \tt #1}}\label{#2-func}{\item[{\tt \tt #1 #3}]}}%
+\providecommand{\indpredeffuncnolab}[2]{\index{#1 predefined function@{\tt #1} predefined function}\index{predefined functions!{\protect \tt #1}}\index{functions!{\protect \tt #1}}\item[{\tt \tt #1 #2}]} 
+
+%
+\providecommand{\indtype}[1]{\index{#1@{\protect\tt #1}|see{types, {\protect\tt #1}}}} 
+
+%
+\providecommand{\indconfig}[2]{\index{#1 configuration option@{\tt {--}#1} configuration option}\index{configuration options!{\tt {--}#1}}\label{#2-config}{{\tt {--}#1}}}%
+\providecommand{\xrefconfig}[2]{\hyperref{\tt {--}#1}{}{}{#2-config}} 
+
+%
+\providecommand{\addindextocentry}{\addcontentsline{toc}{chapter}{\protect\numberline{Index}{}}} 
+
+%
+\providecommand{\indsigattr}[1]{\item[\tt #1]} 
+
+
+\makeindex
+
+
+
+
+\usepackage[dvips]{color}
+
+
+\pagecolor[gray]{.7}
+
+\usepackage[latin1]{inputenc}
+
+
+
+\makeatletter
+
+\makeatletter
+\count@=\the\catcode`\_ \catcode`\_=8 
+\newenvironment{tex2html_wrap}{}{}%
+\catcode`\<=12\catcode`\_=\count@
+\newcommand{\providedcommand}[1]{\expandafter\providecommand\csname #1\endcsname}%
+\newcommand{\renewedcommand}[1]{\expandafter\providecommand\csname #1\endcsname{}%
+  \expandafter\renewcommand\csname #1\endcsname}%
+\newcommand{\newedenvironment}[1]{\newenvironment{#1}{}{}\renewenvironment{#1}}%
+\let\newedcommand\renewedcommand
+\let\renewedenvironment\newedenvironment
+\makeatother
+\let\mathon=$
+\let\mathoff=$
+\ifx\AtBeginDocument\undefined \newcommand{\AtBeginDocument}[1]{}\fi
+\newbox\sizebox
+\setlength{\hoffset}{0pt}\setlength{\voffset}{0pt}
+\addtolength{\textheight}{\footskip}\setlength{\footskip}{0pt}
+\addtolength{\textheight}{\topmargin}\setlength{\topmargin}{0pt}
+\addtolength{\textheight}{\headheight}\setlength{\headheight}{0pt}
+\addtolength{\textheight}{\headsep}\setlength{\headsep}{0pt}
+\setlength{\textwidth}{349pt}
+\newwrite\lthtmlwrite
+\makeatletter
+\let\realnormalsize=\normalsize
+\global\topskip=2sp
+\def\preveqno{}\let\real@float=\@float \let\realend@float=\end@float
+\def\@float{\let\@savefreelist\@freelist\real@float}
+\def\liih@math{\ifmmode$\else\bad@math\fi}
+\def\end@float{\realend@float\global\let\@freelist\@savefreelist}
+\let\real@dbflt=\@dbflt \let\end@dblfloat=\end@float
+\let\@largefloatcheck=\relax
+\let\if@boxedmulticols=\iftrue
+\def\@dbflt{\let\@savefreelist\@freelist\real@dbflt}
+\def\adjustnormalsize{\def\normalsize{\mathsurround=0pt \realnormalsize
+ \parindent=0pt\abovedisplayskip=0pt\belowdisplayskip=0pt}%
+ \def\phantompar{\csname par\endcsname}\normalsize}%
+\def\lthtmltypeout#1{{\let\protect\string \immediate\write\lthtmlwrite{#1}}}%
+\newcommand\lthtmlhboxmathA{\adjustnormalsize\setbox\sizebox=\hbox\bgroup\kern.05em }%
+\newcommand\lthtmlhboxmathB{\adjustnormalsize\setbox\sizebox=\hbox to\hsize\bgroup\hfill }%
+\newcommand\lthtmlvboxmathA{\adjustnormalsize\setbox\sizebox=\vbox\bgroup %
+ \let\ifinner=\iffalse \let\)\liih@math }%
+\newcommand\lthtmlboxmathZ{\@next\next\@currlist{}{\def\next{\voidb@x}}%
+ \expandafter\box\next\egroup}%
+\newcommand\lthtmlmathtype[1]{\gdef\lthtmlmathenv{#1}}%
+\newcommand\lthtmllogmath{\lthtmltypeout{l2hSize %
+:\lthtmlmathenv:\the\ht\sizebox::\the\dp\sizebox::\the\wd\sizebox.\preveqno}}%
+\newcommand\lthtmlfigureA[1]{\let\@savefreelist\@freelist
+       \lthtmlmathtype{#1}\lthtmlvboxmathA}%
+\newcommand\lthtmlpictureA{\bgroup\catcode`\_=8 \lthtmlpictureB}%
+\newcommand\lthtmlpictureB[1]{\lthtmlmathtype{#1}\egroup
+       \let\@savefreelist\@freelist \lthtmlhboxmathB}%
+\newcommand\lthtmlpictureZ[1]{\hfill\lthtmlfigureZ}%
+\newcommand\lthtmlfigureZ{\lthtmlboxmathZ\lthtmllogmath\copy\sizebox
+       \global\let\@freelist\@savefreelist}%
+\newcommand\lthtmldisplayA{\bgroup\catcode`\_=8 \lthtmldisplayAi}%
+\newcommand\lthtmldisplayAi[1]{\lthtmlmathtype{#1}\egroup\lthtmlvboxmathA}%
+\newcommand\lthtmldisplayB[1]{\edef\preveqno{(\theequation)}%
+  \lthtmldisplayA{#1}\let\@eqnnum\relax}%
+\newcommand\lthtmldisplayZ{\lthtmlboxmathZ\lthtmllogmath\lthtmlsetmath}%
+\newcommand\lthtmlinlinemathA{\bgroup\catcode`\_=8 \lthtmlinlinemathB}
+\newcommand\lthtmlinlinemathB[1]{\lthtmlmathtype{#1}\egroup\lthtmlhboxmathA
+  \vrule height1.5ex width0pt }%
+\newcommand\lthtmlinlineA{\bgroup\catcode`\_=8 \lthtmlinlineB}%
+\newcommand\lthtmlinlineB[1]{\lthtmlmathtype{#1}\egroup\lthtmlhboxmathA}%
+\newcommand\lthtmlinlineZ{\egroup\expandafter\ifdim\dp\sizebox>0pt %
+  \expandafter\centerinlinemath\fi\lthtmllogmath\lthtmlsetinline}
+\newcommand\lthtmlinlinemathZ{\egroup\expandafter\ifdim\dp\sizebox>0pt %
+  \expandafter\centerinlinemath\fi\lthtmllogmath\lthtmlsetmath}
+\newcommand\lthtmlindisplaymathZ{\egroup %
+  \centerinlinemath\lthtmllogmath\lthtmlsetmath}
+\def\lthtmlsetinline{\hbox{\vrule width.1em \vtop{\vbox{%
+  \kern.1em\copy\sizebox}\ifdim\dp\sizebox>0pt\kern.1em\else\kern.3pt\fi
+  \ifdim\hsize>\wd\sizebox \hrule depth1pt\fi}}}
+\def\lthtmlsetmath{\hbox{\vrule width.1em\kern-.05em\vtop{\vbox{%
+  \kern.1em\kern0.8 pt\hbox{\hglue.17em\copy\sizebox\hglue0.8 pt}}\kern.3pt%
+  \ifdim\dp\sizebox>0pt\kern.1em\fi \kern0.8 pt%
+  \ifdim\hsize>\wd\sizebox \hrule depth1pt\fi}}}
+\def\centerinlinemath{%
+  \dimen1=\ifdim\ht\sizebox<\dp\sizebox \dp\sizebox\else\ht\sizebox\fi
+  \advance\dimen1by.5pt \vrule width0pt height\dimen1 depth\dimen1 
+ \dp\sizebox=\dimen1\ht\sizebox=\dimen1\relax}
+
+\def\lthtmlcheckvsize{\ifdim\ht\sizebox<\vsize 
+  \ifdim\wd\sizebox<\hsize\expandafter\hfill\fi \expandafter\vfill
+  \else\expandafter\vss\fi}%
+\providecommand{\selectlanguage}[1]{}%
+\makeatletter \tracingstats = 1 
+
+
+\begin{document}
+\pagestyle{empty}\thispagestyle{empty}\lthtmltypeout{}%
+\lthtmltypeout{latex2htmlLength hsize=\the\hsize}\lthtmltypeout{}%
+\lthtmltypeout{latex2htmlLength vsize=\the\vsize}\lthtmltypeout{}%
+\lthtmltypeout{latex2htmlLength hoffset=\the\hoffset}\lthtmltypeout{}%
+\lthtmltypeout{latex2htmlLength voffset=\the\voffset}\lthtmltypeout{}%
+\lthtmltypeout{latex2htmlLength topmargin=\the\topmargin}\lthtmltypeout{}%
+\lthtmltypeout{latex2htmlLength topskip=\the\topskip}\lthtmltypeout{}%
+\lthtmltypeout{latex2htmlLength headheight=\the\headheight}\lthtmltypeout{}%
+\lthtmltypeout{latex2htmlLength headsep=\the\headsep}\lthtmltypeout{}%
+\lthtmltypeout{latex2htmlLength parskip=\the\parskip}\lthtmltypeout{}%
+\lthtmltypeout{latex2htmlLength oddsidemargin=\the\oddsidemargin}\lthtmltypeout{}%
+\makeatletter
+\if@twoside\lthtmltypeout{latex2htmlLength evensidemargin=\the\evensidemargin}%
+\else\lthtmltypeout{latex2htmlLength evensidemargin=\the\oddsidemargin}\fi%
+\lthtmltypeout{}%
+\makeatother
+\setcounter{page}{1}
+\onecolumn
+
+% !!! IMAGES START HERE !!!
+
+\stepcounter{chapter}
+\stepcounter{chapter}
+\stepcounter{section}
+\stepcounter{subsection}
+\stepcounter{subsubsection}
+\stepcounter{subsubsection}
+\stepcounter{subsubsection}
+\stepcounter{subsubsection}
+\stepcounter{subsection}
+\stepcounter{subsection}
+\stepcounter{subsection}
+\stepcounter{subsubsection}
+\stepcounter{subsubsection}
+\stepcounter{subsection}
+\stepcounter{subsection}
+\stepcounter{subsubsection}
+\stepcounter{subsubsection}
+\stepcounter{section}
+\stepcounter{subsection}
+\stepcounter{subsection}
+\stepcounter{subsection}
+\stepcounter{chapter}
+\stepcounter{section}
+\stepcounter{subsection}
+\stepcounter{subsection}
+\stepcounter{section}
+\stepcounter{subsection}
+\stepcounter{subsection}
+\stepcounter{section}
+\stepcounter{subsection}
+\stepcounter{subsection}
+\stepcounter{subsection}
+\stepcounter{subsection}
+\stepcounter{section}
+\stepcounter{section}
+\stepcounter{subsection}
+\stepcounter{subsection}
+\stepcounter{section}
+\stepcounter{subsection}
+\stepcounter{subsection}
+\stepcounter{subsubsection}
+{\newpage\clearpage
+\lthtmlinlinemathA{tex2html_wrap_inline5436}%
+$~\tilde{~}~~~$%
+\lthtmlinlinemathZ
+\lthtmlcheckvsize\clearpage}
+
+{\newpage\clearpage
+\lthtmlinlinemathA{tex2html_wrap_inline5438}%
+$\tilde{~}~~$%
+\lthtmlinlinemathZ
+\lthtmlcheckvsize\clearpage}
+
+\stepcounter{subsubsection}
+\stepcounter{section}
+\stepcounter{subsection}
+\stepcounter{subsection}
+\stepcounter{subsubsection}
+\stepcounter{subsubsection}
+\stepcounter{subsubsection}
+\stepcounter{subsubsection}
+\stepcounter{subsubsection}
+\stepcounter{subsubsection}
+\stepcounter{section}
+\stepcounter{subsection}
+\stepcounter{subsection}
+\stepcounter{section}
+\stepcounter{subsection}
+{\newpage\clearpage
+\lthtmlinlinemathA{tex2html_wrap_inline5440}%
+$A\_1 {\tt .} A\_2 {\tt .} A\_3 {\tt .} A\_4$%
+\lthtmlinlinemathZ
+\lthtmlcheckvsize\clearpage}
+
+{\newpage\clearpage
+\lthtmlinlinemathA{tex2html_wrap_inline5442}%
+$A\_i$%
+\lthtmlinlinemathZ
+\lthtmlcheckvsize\clearpage}
+
+\stepcounter{subsection}
+\stepcounter{section}
+{\newpage\clearpage
+\lthtmlinlinemathA{tex2html_wrap_inline5444}%
+$2^{24}$%
+\lthtmlinlinemathZ
+\lthtmlcheckvsize\clearpage}
+
+{\newpage\clearpage
+\lthtmlinlinemathA{tex2html_wrap_inline5446}%
+$2^{16}$%
+\lthtmlinlinemathZ
+\lthtmlcheckvsize\clearpage}
+
+{\newpage\clearpage
+\lthtmlinlinemathA{tex2html_wrap_inline5448}%
+$2^8$%
+\lthtmlinlinemathZ
+\lthtmlcheckvsize\clearpage}
+
+\stepcounter{subsection}
+{\newpage\clearpage
+\lthtmlinlinemathA{tex2html_wrap_inline5450}%
+$N\_1 {\tt .} N\_2 {\tt .}$%
+\lthtmlinlinemathZ
+\lthtmlcheckvsize\clearpage}
+
+{\newpage\clearpage
+\lthtmlinlinemathA{tex2html_wrap_inline5452}%
+$N\_1 {\tt .} N\_2 {\tt .} N\_3 $%
+\lthtmlinlinemathZ
+\lthtmlcheckvsize\clearpage}
+
+{\newpage\clearpage
+\lthtmlinlinemathA{tex2html_wrap_inline5454}%
+$N\_i$%
+\lthtmlinlinemathZ
+\lthtmlcheckvsize\clearpage}
+
+\stepcounter{subsection}
+\stepcounter{section}
+\stepcounter{subsection}
+{\newpage\clearpage
+\lthtmlinlinemathA{tex2html_wrap_inline5456}%
+$^+$%
+\lthtmlinlinemathZ
+\lthtmlcheckvsize\clearpage}
+
+{\newpage\clearpage
+\lthtmlinlinemathA{tex2html_wrap_inline5458}%
+$^*$%
+\lthtmlinlinemathZ
+\lthtmlcheckvsize\clearpage}
+
+\stepcounter{subsection}
+\stepcounter{subsection}
+\stepcounter{subsection}
+\stepcounter{section}
+\stepcounter{subsection}
+\stepcounter{subsection}
+\stepcounter{subsection}
+\stepcounter{subsection}
+\stepcounter{subsection}
+\stepcounter{subsection}
+\stepcounter{section}
+\stepcounter{section}
+\stepcounter{section}
+\stepcounter{section}
+\stepcounter{section}
+\stepcounter{chapter}
+\stepcounter{section}
+{\newpage\clearpage
+\lthtmlinlinemathA{tex2html_wrap_inline8536}%
+$_{2}$%
+\lthtmlinlinemathZ
+\lthtmlcheckvsize\clearpage}
+
+{\newpage\clearpage
+\lthtmlinlinemathA{tex2html_wrap_inline8540}%
+$_{1}$%
+\lthtmlinlinemathZ
+\lthtmlcheckvsize\clearpage}
+
+\stepcounter{section}
+{\newpage\clearpage
+\lthtmlinlinemathA{tex2html_wrap_inline8614}%
+$_{3}$%
+\lthtmlinlinemathZ
+\lthtmlcheckvsize\clearpage}
+
+\stepcounter{chapter}
+\stepcounter{section}
+\stepcounter{subsection}
+\stepcounter{subsection}
+\stepcounter{subsection}
+\stepcounter{subsection}
+\stepcounter{subsection}
+\stepcounter{subsection}
+
+%
+\providecommand{\constmsg}{\\NOTE: This variable is {\tt const}, 
+so may only be changed via {\tt redef}.}%
+
+\stepcounter{chapter}
+\stepcounter{section}
+\stepcounter{subsection}
+\stepcounter{subsection}
+\stepcounter{subsection}
+\stepcounter{subsection}
+\stepcounter{subsection}
+\stepcounter{subsection}
+\stepcounter{subsection}
+\stepcounter{subsection}
+\stepcounter{subsection}
+\stepcounter{subsection}
+\stepcounter{subsection}
+\stepcounter{subsection}
+\stepcounter{subsection}
+\stepcounter{subsection}
+\stepcounter{subsection}
+\stepcounter{subsection}
+\stepcounter{subsection}
+\stepcounter{subsection}
+\stepcounter{subsection}
+\stepcounter{subsection}
+\stepcounter{subsection}
+\stepcounter{subsection}
+\stepcounter{subsection}
+\stepcounter{subsection}
+\stepcounter{subsection}
+\stepcounter{subsection}
+\stepcounter{subsection}
+\stepcounter{subsection}
+\stepcounter{subsection}
+\stepcounter{subsection}
+\stepcounter{subsection}
+\stepcounter{subsection}
+\stepcounter{subsection}
+\stepcounter{subsection}
+\stepcounter{subsection}
+\stepcounter{subsection}
+\stepcounter{subsection}
+\stepcounter{subsection}
+\stepcounter{section}
+{\newpage\clearpage
+\lthtmlinlinemathA{tex2html_wrap_inline16373}%
+$\le 26$%
+\lthtmlinlinemathZ
+\lthtmlcheckvsize\clearpage}
+
+{\newpage\clearpage
+\lthtmlinlinemathA{tex2html_wrap_inline16375}%
+$m$%
+\lthtmlinlinemathZ
+\lthtmlcheckvsize\clearpage}
+
+{\newpage\clearpage
+\lthtmlinlinemathA{tex2html_wrap_inline16379}%
+$n$%
+\lthtmlinlinemathZ
+\lthtmlcheckvsize\clearpage}
+
+{\newpage\clearpage
+\lthtmlinlinemathA{tex2html_wrap_inline16393}%
+$h$%
+\lthtmlinlinemathZ
+\lthtmlcheckvsize\clearpage}
+
+\stepcounter{subsection}
+\stepcounter{subsection}
+\stepcounter{subsection}
+\stepcounter{subsection}
+\stepcounter{chapter}
+\stepcounter{section}
+\stepcounter{subsection}
+\stepcounter{subsection}
+{\newpage\clearpage
+\lthtmlfigureA{figure22361}%
+\begin{figure}\begin{verbatim}
+
+event bro_init()
+    {
+    if ( restrict_filter == "" && capture_filter == "" )
+        print "tcp or not tcp";  # Capture everything.
+
+    else if ( restrict_filter == "" )
+        print capture_filter;
+
+    else if ( capture_filter == "" )
+        print restrict_filter;
+
+    else
+        print fmt("(%s) and (%s)", capture_filter, restrict_filter);
+
+    exit();
+    }\end{verbatim}
+
+\end{figure}%
+\lthtmlfigureZ
+\lthtmlcheckvsize\clearpage}
+
+\stepcounter{section}
+{\newpage\clearpage
+\lthtmlfigureA{figure22485}%
+\begin{figure}\begin{verbatim}
+
+type net_stats: record {
+    # All counts are cumulative.
+    pkts_recvd: count;       # Number of packets received so far.
+    pkts_dropped: count;     # Number of packets *reported* dropped.
+    interface_drops: count;  # Number of drops reported by interface(s).
+};\end{verbatim}
+
+\end{figure}%
+\lthtmlfigureZ
+\lthtmlcheckvsize\clearpage}
+
+\stepcounter{section}
+\stepcounter{subsection}
+{\newpage\clearpage
+\lthtmlfigureA{figure22528}%
+\begin{figure}\begin{verbatim}
+
+type conn_id: record {
+    orig_h: addr;  # Address of originating host.
+    orig_p: port;  # Port used by originator.
+    resp_h: addr;  # Address of responding host.
+    resp_p: port;  # Port used by responder.
+};
+
+type endpoint: record {
+    size: count;  # Bytes sent by this endpoint so far.
+    state: count; # The endpoint's current state.
+};
+
+type connection: record {
+    id: conn_id;        # Originator/responder addresses/ports.
+    orig: endpoint;     # Endpoint info for originator.
+    resp: endpoint;     # Endpoint info for responder.
+    start_time: time;   # When the connection began.
+    duration: interval; # How long it was active (or has been so far).
+    service: string;    # The service we associate with it (e.g., "http").
+    addl: string;       # Additional information associated with it.
+    hot: count;         # How many times we've marked it as sensitive.
+};\end{verbatim}
+
+\end{figure}%
+\lthtmlfigureZ
+\lthtmlcheckvsize\clearpage}
+
+\stepcounter{subsection}
+{\newpage\clearpage
+\lthtmlinlinemathA{tex2html_wrap_inline31877}%
+$A$%
+\lthtmlinlinemathZ
+\lthtmlcheckvsize\clearpage}
+
+{\newpage\clearpage
+\lthtmlinlinemathA{tex2html_wrap_inline31879}%
+$B$%
+\lthtmlinlinemathZ
+\lthtmlcheckvsize\clearpage}
+
+\stepcounter{subsection}
+\stepcounter{subsection}
+\stepcounter{subsection}
+\stepcounter{subsection}
+{\newpage\clearpage
+\lthtmlinlinemathA{tex2html_wrap_inline31899}%
+$B_{o}$%
+\lthtmlinlinemathZ
+\lthtmlcheckvsize\clearpage}
+
+{\newpage\clearpage
+\lthtmlinlinemathA{tex2html_wrap_inline31901}%
+$B_{r}$%
+\lthtmlinlinemathZ
+\lthtmlcheckvsize\clearpage}
+
+{\newpage\clearpage
+\lthtmlinlinemathA{tex2html_wrap_inline31903}%
+$A_{l}$%
+\lthtmlinlinemathZ
+\lthtmlcheckvsize\clearpage}
+
+{\newpage\clearpage
+\lthtmlinlinemathA{tex2html_wrap_inline31905}%
+$A_{r}$%
+\lthtmlinlinemathZ
+\lthtmlcheckvsize\clearpage}
+
+\stepcounter{subsection}
+{\newpage\clearpage
+\lthtmlinlinemathA{tex2html_wrap_inline31927}%
+$A_{o}$%
+\lthtmlinlinemathZ
+\lthtmlcheckvsize\clearpage}
+
+{\newpage\clearpage
+\lthtmlinlinemathA{tex2html_wrap_inline31937}%
+$S_{o}$%
+\lthtmlinlinemathZ
+\lthtmlcheckvsize\clearpage}
+
+{\newpage\clearpage
+\lthtmlinlinemathA{tex2html_wrap_inline31941}%
+$S_{r}$%
+\lthtmlinlinemathZ
+\lthtmlcheckvsize\clearpage}
+
+{\newpage\clearpage
+\lthtmlinlinemathA{tex2html_wrap_inline31943}%
+$D$%
+\lthtmlinlinemathZ
+\lthtmlcheckvsize\clearpage}
+
+{\newpage\clearpage
+\lthtmlinlinemathA{tex2html_wrap_inline31957}%
+$P_{o}$%
+\lthtmlinlinemathZ
+\lthtmlcheckvsize\clearpage}
+
+{\newpage\clearpage
+\lthtmlinlinemathA{tex2html_wrap_inline31961}%
+$P_{r}$%
+\lthtmlinlinemathZ
+\lthtmlcheckvsize\clearpage}
+
+{\newpage\clearpage
+\lthtmlinlinemathA{tex2html_wrap_inline31971}%
+$p$%
+\lthtmlinlinemathZ
+\lthtmlcheckvsize\clearpage}
+
+\stepcounter{section}
+\stepcounter{subsection}
+\stepcounter{subsection}
+\stepcounter{section}
+\stepcounter{subsection}
+\stepcounter{subsection}
+\stepcounter{section}
+\stepcounter{subsection}
+\stepcounter{subsection}
+\stepcounter{subsection}
+\stepcounter{section}
+\stepcounter{section}
+\stepcounter{section}
+{\newpage\clearpage
+\lthtmlfigureA{figure23775}%
+\begin{figure}\begin{verbatim}
+
+global msg_count: table[string] of count &default = 0;
+
+event log_summary(msg: string)
+    {
+    log fmt("(%s) %d times", msg, msg_count[msg]);
+    }
+
+function log_hook(msg: string): bool
+    {
+    if ( ++msg_count[msg] == 1 )
+        # First time we've seen this message - log it.
+        return T;
+
+    if ( msg_count[msg] == 5 )
+        # We've seen it five times, enough to be worth
+        # summarizing.  Do so five minutes from now,
+        # for whatever total we've seen by then.
+        schedule +5 min { log_summary(msg) };
+
+    return F;
+    }\end{verbatim}
+
+\end{figure}%
+\lthtmlfigureZ
+\lthtmlcheckvsize\clearpage}
+
+\stepcounter{section}
+\stepcounter{section}
+\stepcounter{section}
+\stepcounter{subsection}
+{\newpage\clearpage
+\lthtmlfigureA{figure23860}%
+\begin{figure}\begin{verbatim}
+
+type dns_mapping: record {
+    creation_time: time;  # When the mapping was created.
+
+    req_host: string;     # The hostname in the request, if any.
+    req_addr: addr;       # The address in the request, if any.
+
+    valid: bool;          # Whether we received an answer.
+    hostname: string;     # The hostname in the answer, or "<none>".
+    addrs: set[addr];     # The addresses in the answer, if any.
+};\end{verbatim}
+
+\end{figure}%
+\lthtmlfigureZ
+\lthtmlcheckvsize\clearpage}
+
+\stepcounter{subsection}
+\stepcounter{subsection}
+\stepcounter{section}
+\stepcounter{subsection}
+\stepcounter{subsection}
+\stepcounter{section}
+\stepcounter{section}
+\stepcounter{section}
+\stepcounter{subsection}
+{\newpage\clearpage
+\lthtmlfigureA{figure24088}%
+\begin{figure}\begin{verbatim}
+
+type ftp_session_info: record {
+    id: count;              # unique number associated w/ session
+    user: string;           # username, if determined
+    request: string;        # pending request or requests
+    num_requests: count;    # count of pending requests
+    request_t: time;        # time of request
+    log_if_not_denied: bool;        # unless code 530 on reply, log it
+    log_if_not_unavail: bool;       # unless code 550 on reply, log it
+    log_it: bool;           # if true, log the request(s)
+};\end{verbatim}
+
+\end{figure}%
+\lthtmlfigureZ
+\lthtmlcheckvsize\clearpage}
+
+\stepcounter{subsection}
+{\newpage\clearpage
+\lthtmlfigureA{figure24192}%
+\begin{figure}\begin{verbatim}
+
+972499885.784104 #26 131.243.70.68/1899 > 64.55.26.206/ftp start
+972499886.685046 #26 response (220 tuvok.ooc.com FTP server
+    (Version wu-2.6.0(1) Fri Jun 23 09:17:44 EDT 2000) ready.)
+972499886.686025 #26 USER anonymous/IEUser@ (logged in)
+972499887.850621 #26 TYPE I (ok)
+972499888.421741 #26 PASV (227 64.55.26.206/2427)
+972499889.493020 #26 SIZE /pub/OB/4.0/JOB-4.0.3.zip (213 1675597)
+972499890.135706 #26 *RETR /pub/OB/4.0/JOB-4.0.3.zip, ABOR (complete)
+972500055.491045 #26 response (225 ABOR command successful.)\end{verbatim}
+
+\end{figure}%
+\lthtmlfigureZ
+\lthtmlcheckvsize\clearpage}
+
+\stepcounter{subsection}
+\stepcounter{subsection}
+\stepcounter{section}
+\stepcounter{subsection}
+{\newpage\clearpage
+\lthtmlfigureA{figure24357}%
+\begin{figure}\begin{verbatim}
+
+972482763.371224 %1596 start 200.241.229.80 > 131.243.2.12
+%1596 GET /ITG.hm.pg.docs/dissect/portuguese/dissect.html
+%1596 GET /vfrog/bottom.icon.gif
+%1596 GET /vfrog/top.icon.gif
+%1596 GET /vfrog/movies/off.gif
+%1596 GET /vfrog/new.frog.small.gif
+\end{verbatim}
+
+\end{figure}%
+\lthtmlfigureZ
+\lthtmlcheckvsize\clearpage}
+
+\stepcounter{subsection}
+\stepcounter{section}
+\stepcounter{subsection}
+\stepcounter{subsection}
+\stepcounter{section}
+\stepcounter{subsection}
+\stepcounter{subsection}
+\stepcounter{subsection}
+\stepcounter{subsection}
+{\newpage\clearpage
+\lthtmlinlinemathA{tex2html_wrap_inline31983}%
+$\le 2$%
+\lthtmlinlinemathZ
+\lthtmlcheckvsize\clearpage}
+
+{\newpage\clearpage
+\lthtmlinlinemathA{tex2html_wrap_inline31987}%
+$\ge 256$%
+\lthtmlinlinemathZ
+\lthtmlcheckvsize\clearpage}
+
+{\newpage\clearpage
+\lthtmlinlinemathA{tex2html_wrap_inline31989}%
+$\ge 1024$%
+\lthtmlinlinemathZ
+\lthtmlcheckvsize\clearpage}
+
+\stepcounter{section}
+\stepcounter{subsection}
+\stepcounter{subsection}
+\stepcounter{subsection}
+{\newpage\clearpage
+\lthtmlinlinemathA{tex2html_wrap_inline31991}%
+$\ge$%
+\lthtmlinlinemathZ
+\lthtmlcheckvsize\clearpage}
+
+\stepcounter{section}
+\stepcounter{section}
+\stepcounter{section}
+\stepcounter{subsection}
+{\newpage\clearpage
+\lthtmlfigureA{figure25695}%
+\begin{figure}\begin{verbatim}
+
+type x509: record {
+    issuer:  string; # issuer name of the certificate
+    subject: string; # subject name of the certificate
+};\end{verbatim}
+
+\end{figure}%
+\lthtmlfigureZ
+\lthtmlcheckvsize\clearpage}
+
+\stepcounter{subsection}
+{\newpage\clearpage
+\lthtmlfigureA{figure25707}%
+\begin{figure}\begin{verbatim}
+
+type ssl_connection_info: record {
+    id: count;                      # the log identifier number
+    connection_id: conn_id;         # IP connection information
+    version: count;                 # version associated with connection
+    client_cert: x509;
+    server_cert: x509;
+    id_index: string;               # index for associated sessionID
+    handshake_cipher: count;        # cipher suite client and server agreed upon
+};\end{verbatim}
+
+\end{figure}%
+\lthtmlfigureZ
+\lthtmlcheckvsize\clearpage}
+
+\stepcounter{subsection}
+{\newpage\clearpage
+\lthtmlfigureA{figure25794}%
+\begin{figure}\begin{verbatim}
+
+1046778101.534846 #1 192.168.0.98/32988 > 213.61.126.124/https start
+1046778101.534846 #1 connection attempt version: 3.1
+1046778101.534846 #1 cipher suites: SSLv3x_RSA_WITH_RC4_128_MD5 (0x4), SSLv3x_RSA_FIPS_WITH_3DES_EDE_CBC_SHA (0xFEFF), SSLv3x_RSA_WITH_3DES_EDE_CBC_SHA (0xA), SSLv3x_RSA_FIPS_WITH_DES_CBC_SHA (0xFEFE), SSLv3x_RSA_WITH_DES_CBC_SHA(0x9), SSLv3x_RSA_EXPORT1024_WITH_RC4_56_SHA (0x64), SSLv3x_RSA_EXPORT1024_WITH_DES_CBC_SHA (0x62), SSLv3x_RSA_EXPORT_WITH_RC4_40_MD5 (0x3), SSLv3x_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0x6),
+1046778101.753356 #1 server reply, version: 3.1
+1046778101.753356 #1 cipher suite: SSLv3x_RSA_WITH_RC4_128_MD5 (0x4),
+1046778101.762601 #1 X.509 server issuer: /C=DE/ST=Hamburg/L=Hamburg/O=TC TrustCenter for Security in Data Networks GmbH/OU=TC TrustCenter Class 3 CA/Email=certificate@trustcenter.de,
+1046778101.762601 #1 X.509 server subject: /C=DE/ST=Berlin/O=Lehmanns Fachbuchhandlung GmbH/OU=Zentrale EDV/CN=www.jfl.de/Email=admin@lehmanns.de
+1046778101.894567 #1 handshake finished, version 3.1, cipher suite: SSLv3x_RSA_WITH_RC4_128_MD5 (0x4)
+1046778104.877207 #1 finish
+---
+Used cipher-suites statistics:
+SSLv3x_RSA_WITH_RC4_128_MD5 (0x4): 1\end{verbatim}
+
+\end{figure}%
+\lthtmlfigureZ
+\lthtmlcheckvsize\clearpage}
+
+\stepcounter{subsection}
+\stepcounter{section}
+\stepcounter{subsection}
+\stepcounter{subsection}
+\stepcounter{subsection}
+\stepcounter{subsection}
+{\newpage\clearpage
+\lthtmlinlinemathA{tex2html_wrap_inline31993}%
+$2 \cdot \mbox{MSL} = 4$%
+\lthtmlinlinemathZ
+\lthtmlcheckvsize\clearpage}
+
+\stepcounter{subsection}
+\stepcounter{subsection}
+\stepcounter{subsection}
+\stepcounter{subsection}
+\stepcounter{subsection}
+\stepcounter{section}
+\stepcounter{section}
+\stepcounter{section}
+\stepcounter{section}
+\stepcounter{section}
+\stepcounter{chapter}
+\stepcounter{section}
+\stepcounter{section}
+\stepcounter{subsection}
+\stepcounter{subsubsection}
+\stepcounter{subsubsection}
+\stepcounter{subsubsection}
+\stepcounter{subsubsection}
+{\newpage\clearpage
+\lthtmlfigureA{figure39539}%
+\begin{figure}            \begin{verbatim}
+
+type signature_state: record {
+    id: string;          # ID of the signature
+    conn: connection;    # Current connection
+    is_orig: bool;       # True if current endpoint is originator
+    payload_size: count; # Payload size of the first pkt of curr. endpoint
+    };\end{verbatim}
+
+            
+        \end{figure}%
+\lthtmlfigureZ
+\lthtmlcheckvsize\clearpage}
+
+\stepcounter{subsection}
+\stepcounter{section}
+\stepcounter{chapter}
+\stepcounter{section}
+\stepcounter{section}
+\stepcounter{section}
+\stepcounter{section}
+\stepcounter{section}
+{\newpage\clearpage
+\lthtmlinlinemathA{tex2html_wrap_inline39988}%
+$N$%
+\lthtmlinlinemathZ
+\lthtmlcheckvsize\clearpage}
+
+{\newpage\clearpage
+\lthtmlinlinemathA{tex2html_wrap_inline39992}%
+$\pm N$%
+\lthtmlinlinemathZ
+\lthtmlcheckvsize\clearpage}
+
+\stepcounter{chapter}
+\stepcounter{section}
+\stepcounter{section}
+\stepcounter{section}
+\stepcounter{section}
+\stepcounter{section}
+\stepcounter{section}
+\stepcounter{section}
+\stepcounter{section}
+\stepcounter{section}
+\stepcounter{section}
+\stepcounter{section}
+\stepcounter{section}
+\stepcounter{section}
+\stepcounter{section}
+\stepcounter{section}
+\stepcounter{section}
+\stepcounter{section}
+\stepcounter{section}
+\stepcounter{section}
+\stepcounter{section}
+\stepcounter{section}
+\stepcounter{section}
+\stepcounter{section}
+\stepcounter{section}
+\stepcounter{section}
+\stepcounter{section}
+\stepcounter{section}
+\stepcounter{section}
+\stepcounter{section}
+\stepcounter{section}
+\stepcounter{section}
+{\newpage\clearpage
+\lthtmlfigureA{center42103}%
+\begin{center}\vbox{\input{index.tex}
+}\end{center}%
+\lthtmlfigureZ
+\lthtmlcheckvsize\clearpage}
+
+
+\end{document}
diff --git a/doc/old/manual/img1.gif b/doc/old/manual/img1.gif
new file mode 100644
index 0000000000..0223c17338
Binary files /dev/null and b/doc/old/manual/img1.gif differ
diff --git a/doc/old/manual/img10.gif b/doc/old/manual/img10.gif
new file mode 100644
index 0000000000..427749b200
Binary files /dev/null and b/doc/old/manual/img10.gif differ
diff --git a/doc/old/manual/img11.gif b/doc/old/manual/img11.gif
new file mode 100644
index 0000000000..8c06e38f4f
Binary files /dev/null and b/doc/old/manual/img11.gif differ
diff --git a/doc/old/manual/img12.gif b/doc/old/manual/img12.gif
new file mode 100644
index 0000000000..7555544ec5
Binary files /dev/null and b/doc/old/manual/img12.gif differ
diff --git a/doc/old/manual/img13.gif b/doc/old/manual/img13.gif
new file mode 100644
index 0000000000..e96a66a481
Binary files /dev/null and b/doc/old/manual/img13.gif differ
diff --git a/doc/old/manual/img14.gif b/doc/old/manual/img14.gif
new file mode 100644
index 0000000000..5a93808349
Binary files /dev/null and b/doc/old/manual/img14.gif differ
diff --git a/doc/old/manual/img15.gif b/doc/old/manual/img15.gif
new file mode 100644
index 0000000000..7a9ad3b96c
Binary files /dev/null and b/doc/old/manual/img15.gif differ
diff --git a/doc/old/manual/img16.gif b/doc/old/manual/img16.gif
new file mode 100644
index 0000000000..b52710213a
Binary files /dev/null and b/doc/old/manual/img16.gif differ
diff --git a/doc/old/manual/img17.gif b/doc/old/manual/img17.gif
new file mode 100644
index 0000000000..c827cd1997
Binary files /dev/null and b/doc/old/manual/img17.gif differ
diff --git a/doc/old/manual/img18.gif b/doc/old/manual/img18.gif
new file mode 100644
index 0000000000..94fc1b7cbf
Binary files /dev/null and b/doc/old/manual/img18.gif differ
diff --git a/doc/old/manual/img19.gif b/doc/old/manual/img19.gif
new file mode 100644
index 0000000000..bfce4a140d
Binary files /dev/null and b/doc/old/manual/img19.gif differ
diff --git a/doc/old/manual/img2.gif b/doc/old/manual/img2.gif
new file mode 100644
index 0000000000..a1c67ed462
Binary files /dev/null and b/doc/old/manual/img2.gif differ
diff --git a/doc/old/manual/img20.gif b/doc/old/manual/img20.gif
new file mode 100644
index 0000000000..8f14da3376
Binary files /dev/null and b/doc/old/manual/img20.gif differ
diff --git a/doc/old/manual/img21.gif b/doc/old/manual/img21.gif
new file mode 100644
index 0000000000..0351618325
Binary files /dev/null and b/doc/old/manual/img21.gif differ
diff --git a/doc/old/manual/img22.gif b/doc/old/manual/img22.gif
new file mode 100644
index 0000000000..bbd0b4f8a8
Binary files /dev/null and b/doc/old/manual/img22.gif differ
diff --git a/doc/old/manual/img23.gif b/doc/old/manual/img23.gif
new file mode 100644
index 0000000000..280d924c1c
Binary files /dev/null and b/doc/old/manual/img23.gif differ
diff --git a/doc/old/manual/img24.gif b/doc/old/manual/img24.gif
new file mode 100644
index 0000000000..7f4e0e7f12
Binary files /dev/null and b/doc/old/manual/img24.gif differ
diff --git a/doc/old/manual/img25.gif b/doc/old/manual/img25.gif
new file mode 100644
index 0000000000..8aa47363f5
Binary files /dev/null and b/doc/old/manual/img25.gif differ
diff --git a/doc/old/manual/img26.gif b/doc/old/manual/img26.gif
new file mode 100644
index 0000000000..f1941a65d2
Binary files /dev/null and b/doc/old/manual/img26.gif differ
diff --git a/doc/old/manual/img27.gif b/doc/old/manual/img27.gif
new file mode 100644
index 0000000000..b419999213
Binary files /dev/null and b/doc/old/manual/img27.gif differ
diff --git a/doc/old/manual/img28.gif b/doc/old/manual/img28.gif
new file mode 100644
index 0000000000..3212cf87f0
Binary files /dev/null and b/doc/old/manual/img28.gif differ
diff --git a/doc/old/manual/img29.gif b/doc/old/manual/img29.gif
new file mode 100644
index 0000000000..48c80016d5
Binary files /dev/null and b/doc/old/manual/img29.gif differ
diff --git a/doc/old/manual/img3.gif b/doc/old/manual/img3.gif
new file mode 100644
index 0000000000..e620bb6822
Binary files /dev/null and b/doc/old/manual/img3.gif differ
diff --git a/doc/old/manual/img30.gif b/doc/old/manual/img30.gif
new file mode 100644
index 0000000000..33713b6a16
Binary files /dev/null and b/doc/old/manual/img30.gif differ
diff --git a/doc/old/manual/img31.gif b/doc/old/manual/img31.gif
new file mode 100644
index 0000000000..943f8a10bc
Binary files /dev/null and b/doc/old/manual/img31.gif differ
diff --git a/doc/old/manual/img32.gif b/doc/old/manual/img32.gif
new file mode 100644
index 0000000000..3b2228a5b3
Binary files /dev/null and b/doc/old/manual/img32.gif differ
diff --git a/doc/old/manual/img33.gif b/doc/old/manual/img33.gif
new file mode 100644
index 0000000000..a6d458dd59
Binary files /dev/null and b/doc/old/manual/img33.gif differ
diff --git a/doc/old/manual/img34.gif b/doc/old/manual/img34.gif
new file mode 100644
index 0000000000..8d1959f6f7
Binary files /dev/null and b/doc/old/manual/img34.gif differ
diff --git a/doc/old/manual/img35.gif b/doc/old/manual/img35.gif
new file mode 100644
index 0000000000..ab7db612f9
Binary files /dev/null and b/doc/old/manual/img35.gif differ
diff --git a/doc/old/manual/img36.gif b/doc/old/manual/img36.gif
new file mode 100644
index 0000000000..a44fb49895
Binary files /dev/null and b/doc/old/manual/img36.gif differ
diff --git a/doc/old/manual/img37.gif b/doc/old/manual/img37.gif
new file mode 100644
index 0000000000..bb04e6c790
Binary files /dev/null and b/doc/old/manual/img37.gif differ
diff --git a/doc/old/manual/img38.gif b/doc/old/manual/img38.gif
new file mode 100644
index 0000000000..802eb22a71
Binary files /dev/null and b/doc/old/manual/img38.gif differ
diff --git a/doc/old/manual/img39.gif b/doc/old/manual/img39.gif
new file mode 100644
index 0000000000..490e8c748c
Binary files /dev/null and b/doc/old/manual/img39.gif differ
diff --git a/doc/old/manual/img4.gif b/doc/old/manual/img4.gif
new file mode 100644
index 0000000000..dfd4c3db1f
Binary files /dev/null and b/doc/old/manual/img4.gif differ
diff --git a/doc/old/manual/img40.gif b/doc/old/manual/img40.gif
new file mode 100644
index 0000000000..b077d4b603
Binary files /dev/null and b/doc/old/manual/img40.gif differ
diff --git a/doc/old/manual/img41.gif b/doc/old/manual/img41.gif
new file mode 100644
index 0000000000..5e8e4cd56a
Binary files /dev/null and b/doc/old/manual/img41.gif differ
diff --git a/doc/old/manual/img42.gif b/doc/old/manual/img42.gif
new file mode 100644
index 0000000000..2460bbcbc6
Binary files /dev/null and b/doc/old/manual/img42.gif differ
diff --git a/doc/old/manual/img43.gif b/doc/old/manual/img43.gif
new file mode 100644
index 0000000000..9600430261
Binary files /dev/null and b/doc/old/manual/img43.gif differ
diff --git a/doc/old/manual/img44.gif b/doc/old/manual/img44.gif
new file mode 100644
index 0000000000..5a976f9f3f
Binary files /dev/null and b/doc/old/manual/img44.gif differ
diff --git a/doc/old/manual/img45.gif b/doc/old/manual/img45.gif
new file mode 100644
index 0000000000..1473999c89
Binary files /dev/null and b/doc/old/manual/img45.gif differ
diff --git a/doc/old/manual/img46.gif b/doc/old/manual/img46.gif
new file mode 100644
index 0000000000..11d39cbe0c
Binary files /dev/null and b/doc/old/manual/img46.gif differ
diff --git a/doc/old/manual/img47.gif b/doc/old/manual/img47.gif
new file mode 100644
index 0000000000..689f2bfe53
Binary files /dev/null and b/doc/old/manual/img47.gif differ
diff --git a/doc/old/manual/img48.gif b/doc/old/manual/img48.gif
new file mode 100644
index 0000000000..15317ea977
Binary files /dev/null and b/doc/old/manual/img48.gif differ
diff --git a/doc/old/manual/img49.gif b/doc/old/manual/img49.gif
new file mode 100644
index 0000000000..5b41f026ae
Binary files /dev/null and b/doc/old/manual/img49.gif differ
diff --git a/doc/old/manual/img5.gif b/doc/old/manual/img5.gif
new file mode 100644
index 0000000000..d6e4587a50
Binary files /dev/null and b/doc/old/manual/img5.gif differ
diff --git a/doc/old/manual/img50.gif b/doc/old/manual/img50.gif
new file mode 100644
index 0000000000..61b654af90
Binary files /dev/null and b/doc/old/manual/img50.gif differ
diff --git a/doc/old/manual/img51.gif b/doc/old/manual/img51.gif
new file mode 100644
index 0000000000..16e570fe0c
Binary files /dev/null and b/doc/old/manual/img51.gif differ
diff --git a/doc/old/manual/img6.gif b/doc/old/manual/img6.gif
new file mode 100644
index 0000000000..e92fc18acd
Binary files /dev/null and b/doc/old/manual/img6.gif differ
diff --git a/doc/old/manual/img7.gif b/doc/old/manual/img7.gif
new file mode 100644
index 0000000000..424994a0c6
Binary files /dev/null and b/doc/old/manual/img7.gif differ
diff --git a/doc/old/manual/img8.gif b/doc/old/manual/img8.gif
new file mode 100644
index 0000000000..95e3b29fc0
Binary files /dev/null and b/doc/old/manual/img8.gif differ
diff --git a/doc/old/manual/img9.gif b/doc/old/manual/img9.gif
new file mode 100644
index 0000000000..b5af385015
Binary files /dev/null and b/doc/old/manual/img9.gif differ
diff --git a/doc/old/manual/internals.pl b/doc/old/manual/internals.pl
new file mode 100644
index 0000000000..1e5e6add77
--- /dev/null
+++ b/doc/old/manual/internals.pl
@@ -0,0 +1,3978 @@
+# LaTeX2HTML 2002-2 (1.70)
+# Associate internals original text with physical files.
+
+
+$key = q/process-HTTP-data-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ssl-connection-info-version-field/;
+$ref_files{$key} = "$dir".q|node57.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/network-interfaces/;
+$ref_files{$key} = "$dir".q|node6.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/signal-handling/;
+$ref_files{$key} = "$dir".q|node36.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/stp-ratio-thresh-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/stp-idle-min-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/sigs-deps/;
+$ref_files{$key} = "$dir".q|node66.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/http-request-event/;
+$ref_files{$key} = "$dir".q|node51.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/pm-attempt-set-event/;
+$ref_files{$key} = "$dir".q|node54.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/allow-spoof-services-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ftp-hot-cmds-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/interconn-log-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/spontaneous-FIN-weird/;
+$ref_files{$key} = "$dir".q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/USER-env/;
+$ref_files{$key} = "$dir".q|node53.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/skip-authentication-var/;
+$ref_files{$key} = "$dir".q|node53.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/allow-services-pairs-var/;
+$ref_files{$key} = "$dir".q|node39.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/RPC-okay-nets-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/mask-addr-func/;
+$ref_files{$key} = "$dir".q|node33.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/connection-record-func/;
+$ref_files{$key} = "$dir".q|node33.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/fig:signature-state/;
+$ref_files{$key} = "$dir".q|node66.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/for-stmt/;
+$ref_files{$key} = "$dir".q|node27.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/fragment-size-inconsistency-weird/;
+$ref_files{$key} = "$dir".q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/site-analyzer-module/;
+$ref_files{$key} = "$dir".q|node38.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/exit-func/;
+$ref_files{$key} = "$dir".q|node33.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/forbidden-id-patterns-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/bad-SYN-ack-weird/;
+$ref_files{$key} = "$dir".q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/Land-attack-weird/;
+$ref_files{$key} = "$dir".q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/skip-scan-nets-16-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/active-connection-reuse-weird/;
+$ref_files{$key} = "$dir".q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/smtp-legal-cmds-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/local-stmt/;
+$ref_files{$key} = "$dir".q|node27.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ftp-data-expected-session-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/set-record-packets-func/;
+$ref_files{$key} = "$dir".q|node33.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/forbidden-ids-var/;
+$ref_files{$key} = "$dir".q|node49.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/hot-login-func/;
+$ref_files{$key} = "$dir".q|node53.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/var-redef/;
+$ref_files{$key} = "$dir".q|node30.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/endpoint-state-field/;
+$ref_files{$key} = "$dir".q|node37.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/logical-operators/;
+$ref_files{$key} = "$dir".q|node10.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/allow-PTR-scans-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/UDP-datagram-length-mismatch-weird/;
+$ref_files{$key} = "$dir".q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/always-hot-login-ids-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/record-index/;
+$ref_files{$key} = "$dir".q|node20.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/address-type/;
+$ref_files{$key} = "$dir".q|node17.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/connection-attempt-event/;
+$ref_files{$key} = "$dir".q|node37.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/RST-storm-weird/;
+$ref_files{$key} = "$dir".q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/NULs-allowed-in-strings/;
+$ref_files{$key} = "$dir".q|node13.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/cross-product-init/;
+$ref_files{$key} = "$dir".q|node20.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/analyzer-portmapper/;
+$ref_files{$key} = "$dir".q|node54.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/tcp-SYN-ack-ok-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/remote-code-red-response-pgm-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/interconn-max-keystroke-pkt-size-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/interconn-standard-ports-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/pm-request-func/;
+$ref_files{$key} = "$dir".q|node54.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/login-analyzer-module/;
+$ref_files{$key} = "$dir".q|node53.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/relay-log-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/connection-partial-close-event/;
+$ref_files{$key} = "$dir".q|node37.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/skip-remote-sensitive-URIs-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/fig:ssl-log/;
+$ref_files{$key} = "$dir".q|node57.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/debugger-overview/;
+$ref_files{$key} = "$dir".q|node69.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/RPC-do-not-complain-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/print-filter-analyzer-module/;
+$ref_files{$key} = "$dir".q|node35.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/debugger/;
+$ref_files{$key} = "$dir".q|node68.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/debugger-example/;
+$ref_files{$key} = "$dir".q|node70.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/get-resp-seq-func/;
+$ref_files{$key} = "$dir".q|node33.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/return-stmt/;
+$ref_files{$key} = "$dir".q|node27.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/num-distinct-ports-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/add-interface-func/;
+$ref_files{$key} = "$dir".q|node33.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/scan-analyzer-module/;
+$ref_files{$key} = "$dir".q|node40.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/module-hot-ids/;
+$ref_files{$key} = "$dir".q|node49.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/bad-TCP-checksum-weird/;
+$ref_files{$key} = "$dir".q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/partial-finger-request-weird/;
+$ref_files{$key} = "$dir".q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/temporal-types/;
+$ref_files{$key} = "$dir".q|node15.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/active-conn-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ignore-checksums-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/dns-mapping-addrs-field/;
+$ref_files{$key} = "$dir".q|node46.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/allow-service-pairs-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/udp-did-summary-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/neighbor-nets-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ack-above-hole-event/;
+$ref_files{$key} = "$dir".q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/determine-service-func/;
+$ref_files{$key} = "$dir".q|node37.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/did-sigconns-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/record-decl/;
+$ref_files{$key} = "$dir".q|node19.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/bad-RPC-program-weird/;
+$ref_files{$key} = "$dir".q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/relational-expr/;
+$ref_files{$key} = "$dir".q|node28.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/connection-finished-event/;
+$ref_files{$key} = "$dir".q|node37.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/max-count-func/;
+$ref_files{$key} = "$dir".q|node33.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/dns-analyzer-module/;
+$ref_files{$key} = "$dir".q|node46.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ftp-guest-ids-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/connection-type/;
+$ref_files{$key} = "$dir".q|node37.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/module-frag/;
+$ref_files{$key} = "$dir".q|node48.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/have-skip-remote-sensitive-URIs-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/SYN-after-partial-weird/;
+$ref_files{$key} = "$dir".q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/num-distinct-peers-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/backdoor-min-normal-line-ratio-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/log-stmt/;
+$ref_files{$key} = "$dir".q|node27.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/backdoor-stat-backoff-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ftp-log/;
+$ref_files{$key} = "$dir".q|node50.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/full-input-trouble-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/hot-telnet-orig-ports-var/;
+$ref_files{$key} = "$dir".q|node53.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ftp-hot-guest-files-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/check-relay-4-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/debugger-reference/;
+$ref_files{$key} = "$dir".q|node73.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/rlogin-conns-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/bad-ident-request-weird/;
+$ref_files{$key} = "$dir".q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/sigs-content/;
+$ref_files{$key} = "$dir".q|node66.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/to-lower-func/;
+$ref_files{$key} = "$dir".q|node33.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/finger-request-event/;
+$ref_files{$key} = "$dir".q|node47.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/partial-ident-request-weird/;
+$ref_files{$key} = "$dir".q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/RPC-okay-var/;
+$ref_files{$key} = "$dir".q|node54.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/mixing-numerics/;
+$ref_files{$key} = "$dir".q|node11.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/net-weird-event/;
+$ref_files{$key} = "$dir".q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/analyzers/;
+$ref_files{$key} = "$dir".q|node34.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/weird-do-not-ignore-repeats-var/;
+$ref_files{$key} = "$dir".q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/rule-file-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/interfaces-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/connection-established-event/;
+$ref_files{$key} = "$dir".q|node37.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/blank-in-HTTP-request-weird/;
+$ref_files{$key} = "$dir".q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/tcp-session-timer-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/cite_tls-56/;
+$ref_files{$key} = "$dir".q|node106.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/_-library/;
+$ref_files{$key} = "$dir".q|node6.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/open-for-append-func/;
+$ref_files{$key} = "$dir".q|node33.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/skip-scan-nets-24-var/;
+$ref_files{$key} = "$dir".q|node40.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/attrs/;
+$ref_files{$key} = "$dir".q|node30.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/code-red-log-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/partial-connection/;
+$ref_files{$key} = "$dir".q|node86.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/input-trouble-var/;
+$ref_files{$key} = "$dir".q|node53.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/backdoor-analyzer-module/;
+$ref_files{$key} = "$dir".q|node62.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/horiz-scan-thresholds-var/;
+$ref_files{$key} = "$dir".q|node56.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/logical-negation/;
+$ref_files{$key} = "$dir".q|node10.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/dns-interesting-changes-var/;
+$ref_files{$key} = "$dir".q|node46.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/constant-expr/;
+$ref_files{$key} = "$dir".q|node28.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/hot-terminal-types-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/red-log/;
+$ref_files{$key} = "$dir".q|node37.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/router-prompts-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/NFS-world-servers-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/sigs-snort2bro/;
+$ref_files{$key} = "$dir".q|node67.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/module-mt/;
+$ref_files{$key} = "$dir".q|node42.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/cite_RFC-NFS2/;
+$ref_files{$key} = "$dir".q|node106.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/cite_RFC-NFS3/;
+$ref_files{$key} = "$dir".q|node106.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/RPC-dump-okay-var/;
+$ref_files{$key} = "$dir".q|node54.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/bad-UDP-checksum-weird/;
+$ref_files{$key} = "$dir".q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/equality-expr/;
+$ref_files{$key} = "$dir".q|node28.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/net-constants/;
+$ref_files{$key} = "$dir".q|node18.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/SYN-seq-jump-weird/;
+$ref_files{$key} = "$dir".q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/partial-connection-ok-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/non-backdoor-prompts-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/weird-analyzer-module/;
+$ref_files{$key} = "$dir".q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/interconn-min-bytes-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/backdoor-log-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/rewrite-finger-trace-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/null-stmt/;
+$ref_files{$key} = "$dir".q|node27.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/restrict-filter-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/scan-dropping/;
+$ref_files{$key} = "$dir".q|node84.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/is-forbidden-id-func/;
+$ref_files{$key} = "$dir".q|node53.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/skip-further-processing-func/;
+$ref_files{$key} = "$dir".q|node33.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/max-request-length-var/;
+$ref_files{$key} = "$dir".q|node47.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/pm-bad-port-event/;
+$ref_files{$key} = "$dir".q|node54.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ssl-connection-info-id-field/;
+$ref_files{$key} = "$dir".q|node57.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/dns-mapping-name-changed-event/;
+$ref_files{$key} = "$dir".q|node46.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/net-type/;
+$ref_files{$key} = "$dir".q|node18.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/num-dns-sessions-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/arithmetic-expr/;
+$ref_files{$key} = "$dir".q|node28.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ssl-conn-alert-event/;
+$ref_files{$key} = "$dir".q|node57.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/field-test-op/;
+$ref_files{$key} = "$dir".q|node28.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/gtld-servers-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/sensitive-URIs-var/;
+$ref_files{$key} = "$dir".q|node51.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/pm-request-getport-event/;
+$ref_files{$key} = "$dir".q|node54.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/sigs-overview/;
+$ref_files{$key} = "$dir".q|node65.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/address-constants/;
+$ref_files{$key} = "$dir".q|node17.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/hot-ssh-orig-ports-var/;
+$ref_files{$key} = "$dir".q|node53.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/hot-conns-reported-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/packet-drops/;
+$ref_files{$key} = "$dir".q|node87.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/connection-half-finished-event/;
+$ref_files{$key} = "$dir".q|node37.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/http-log-file/;
+$ref_files{$key} = "$dir".q|node51.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/flag-successful-service-var/;
+$ref_files{$key} = "$dir".q|node39.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/flag-successful-inbound-service-var/;
+$ref_files{$key} = "$dir".q|node39.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/temporal-constants/;
+$ref_files{$key} = "$dir".q|node15.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/heartbeat-interval-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/distinct-answered-PTR-requests-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/restrict-filter/;
+$ref_files{$key} = "$dir".q|node35.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/last-stat-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/login-confused/;
+$ref_files{$key} = "$dir".q|node53.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/internally-truncated-header-weird/;
+$ref_files{$key} = "$dir".q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/interconn-stat-backoff-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/byte-len-func/;
+$ref_files{$key} = "$dir".q|node33.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/conn-stats-event/;
+$ref_files{$key} = "$dir".q|node55.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/cite_ssl-aes/;
+$ref_files{$key} = "$dir".q|node106.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/skip-scan-sources-var/;
+$ref_files{$key} = "$dir".q|node40.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/bad-ICMP-checksum-weird/;
+$ref_files{$key} = "$dir".q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/baroque-SYN-weird/;
+$ref_files{$key} = "$dir".q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/tcp-connection-linger-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ftp-request-event/;
+$ref_files{$key} = "$dir".q|node50.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/unsolicited-SYN-response-weird/;
+$ref_files{$key} = "$dir".q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/set-login-state-func/;
+$ref_files{$key} = "$dir".q|node33.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/rewriting-http-trace-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/pm-request-dump-event/;
+$ref_files{$key} = "$dir".q|node54.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/event-handlers/;
+$ref_files{$key} = "$dir".q|node24.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/authentication-accepted-event/;
+$ref_files{$key} = "$dir".q|node53.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/frag-analyzer-module/;
+$ref_files{$key} = "$dir".q|node48.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/http-log/;
+$ref_files{$key} = "$dir".q|node51.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/edited-input-trouble-var/;
+$ref_files{$key} = "$dir".q|node53.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/inappropriate-FIN-weird/;
+$ref_files{$key} = "$dir".q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/string-constants/;
+$ref_files{$key} = "$dir".q|node13.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/sub-bytes-func/;
+$ref_files{$key} = "$dir".q|node33.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/non-ASCII-hosts-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ssl-connection-info-handshake-cipher-field/;
+$ref_files{$key} = "$dir".q|node57.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/tbl:portmapper/;
+$ref_files{$key} = "$dir".q|node54.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/report-accounts-tried-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/hot-login-ids-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/root-servers-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/udp-req-count-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/patterns/;
+$ref_files{$key} = "$dir".q|node14.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/distinct-ports-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/FIN-storm-weird/;
+$ref_files{$key} = "$dir".q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/analyzer-icmp/;
+$ref_files{$key} = "$dir".q|node59.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/NFS-world-servers-var/;
+$ref_files{$key} = "$dir".q|node54.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/table-del/;
+$ref_files{$key} = "$dir".q|node20.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/reading-live-traffic-func/;
+$ref_files{$key} = "$dir".q|node33.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/set-contents-file-func/;
+$ref_files{$key} = "$dir".q|node33.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/check-relay-3-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/id-string-func/;
+$ref_files{$key} = "$dir".q|node37.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/fig:net-stats/;
+$ref_files{$key} = "$dir".q|node36.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/weird-action-var/;
+$ref_files{$key} = "$dir".q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/clean-func/;
+$ref_files{$key} = "$dir".q|node33.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/conn-weird-event/;
+$ref_files{$key} = "$dir".q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/neighbor-marker/;
+$ref_files{$key} = "$dir".q|node37.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/T-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/possible-port-scan-thresh-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/backdoor-prompts-var/;
+$ref_files{$key} = "$dir".q|node53.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/cite_rfc-pop3/;
+$ref_files{$key} = "$dir".q|node106.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/login-sessions-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/module-port-name/;
+$ref_files{$key} = "$dir".q|node41.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/write-expire-attr/;
+$ref_files{$key} = "$dir".q|node20.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/always-hot-ids-var/;
+$ref_files{$key} = "$dir".q|node49.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/hot-dst-24nets-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/login-prompts-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/dns-mapping-altered-event/;
+$ref_files{$key} = "$dir".q|node46.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/RPC-rexmit-inconsistency-weird/;
+$ref_files{$key} = "$dir".q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/timer-management/;
+$ref_files{$key} = "$dir".q|node81.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/var-init/;
+$ref_files{$key} = "$dir".q|node30.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/event-stmt/;
+$ref_files{$key} = "$dir".q|node27.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/dns-cache/;
+$ref_files{$key} = "$dir".q|node46.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/distinct-rejected-PTR-requests-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/active-conn-var/;
+$ref_files{$key} = "$dir".q|node44.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/kazaa-sig-disabled-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/distinct-peers-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/anonymous_function-expr/;
+$ref_files{$key} = "$dir".q|node28.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/analyzer-filters/;
+$ref_files{$key} = "$dir".q|node35.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/possible-port-scan-thresh-var/;
+$ref_files{$key} = "$dir".q|node40.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/demux-analyzer-module/;
+$ref_files{$key} = "$dir".q|node45.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/module-log/;
+$ref_files{$key} = "$dir".q|node43.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/truncated-header-weird/;
+$ref_files{$key} = "$dir".q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/code-red-list2-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/conn-id/;
+$ref_files{$key} = "$dir".q|node19.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/interconn-min-normal-line-ratio-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/capture-filter-var/;
+$ref_files{$key} = "$dir".q|node35.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/module-ssh-stepping/;
+$ref_files{$key} = "$dir".q|node61.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ssl-conn-established-event/;
+$ref_files{$key} = "$dir".q|node57.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/check-spoof-func/;
+$ref_files{$key} = "$dir".q|node39.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/active-file-func/;
+$ref_files{$key} = "$dir".q|node33.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/hot-ids-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/record_constructor-expr/;
+$ref_files{$key} = "$dir".q|node28.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ssl-conn-attempt-event/;
+$ref_files{$key} = "$dir".q|node57.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/module-active/;
+$ref_files{$key} = "$dir".q|node44.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/possible-scan-sources-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/interconn-max-interarrival-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ssl-verify-certificates-var/;
+$ref_files{$key} = "$dir".q|node57.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/router-prompts-var/;
+$ref_files{$key} = "$dir".q|node53.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/addl-web-var/;
+$ref_files{$key} = "$dir".q|node40.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/account-tried-event/;
+$ref_files{$key} = "$dir".q|node40.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/portmapper-analyzer-module/;
+$ref_files{$key} = "$dir".q|node54.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/hot-ids-var/;
+$ref_files{$key} = "$dir".q|node49.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/port-names-var/;
+$ref_files{$key} = "$dir".q|node41.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/bro-log-file-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/report-weird-orig-func/;
+$ref_files{$key} = "$dir".q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/stp-demux-disabled-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/fmt-func/;
+$ref_files{$key} = "$dir".q|node33.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/dns-sessions-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/predefineds-string/;
+$ref_files{$key} = "$dir".q|node33.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/interconn-min-gamma-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/login-failure-msgs-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/skip-clear-ssh-reports-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/SYN-with-data-weird/;
+$ref_files{$key} = "$dir".q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/same-local-net-is-spoof-var/;
+$ref_files{$key} = "$dir".q|node39.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/check-scan-func/;
+$ref_files{$key} = "$dir".q|node40.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/login-failure-event/;
+$ref_files{$key} = "$dir".q|node53.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/inconsistent-option-event/;
+$ref_files{$key} = "$dir".q|node53.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/fragment-inconsistency-weird/;
+$ref_files{$key} = "$dir".q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/rlogin-sig-disabled-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/data-before-established-weird/;
+$ref_files{$key} = "$dir".q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/inserting-tables-into-tables/;
+$ref_files{$key} = "$dir".q|node90.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/interconn-stat-period-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/variable-expr/;
+$ref_files{$key} = "$dir".q|node28.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/fig:http-log-eg/;
+$ref_files{$key} = "$dir".q|node51.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/dns-mapping-unverified-event/;
+$ref_files{$key} = "$dir".q|node46.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/detected-stones-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/cite_RFC1122/;
+$ref_files{$key} = "$dir".q|node106.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/if-stmt/;
+$ref_files{$key} = "$dir".q|node27.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/tag-to-conn-map-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/refinement/;
+$ref_files{$key} = "$dir".q|node79.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/gnutella-sig-disabled-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/napster-sig-disabled-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/tcp-analyzer-module/;
+$ref_files{$key} = "$dir".q|node37.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ssl-compare-cipherspecs-var/;
+$ref_files{$key} = "$dir".q|node57.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/functions/;
+$ref_files{$key} = "$dir".q|node23.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/conn-functions/;
+$ref_files{$key} = "$dir".q|node37.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/cite_tlsv1/;
+$ref_files{$key} = "$dir".q|node106.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/backdoor-demux-skip-tags-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/cite_rfc-ident/;
+$ref_files{$key} = "$dir".q|node106.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/connection-rejected-event/;
+$ref_files{$key} = "$dir".q|node37.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/bad-rlogin-prolog-weird/;
+$ref_files{$key} = "$dir".q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/discarder-check-ip-func/;
+$ref_files{$key} = "$dir".q|node33.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/pm-attempt-null-event/;
+$ref_files{$key} = "$dir".q|node54.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ssl-store-certificates-var/;
+$ref_files{$key} = "$dir".q|node57.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/cite_pcap/;
+$ref_files{$key} = "$dir".q|node106.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ftp-log-file/;
+$ref_files{$key} = "$dir".q|node50.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/non-backdoor-prompts-var/;
+$ref_files{$key} = "$dir".q|node53.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/backdoor-ignore-src-addrs-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ssl-store-cert-path-var/;
+$ref_files{$key} = "$dir".q|node57.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/repeated-SYN-with-ack-weird/;
+$ref_files{$key} = "$dir".q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/tbl:conn-file-states/;
+$ref_files{$key} = "$dir".q|node37.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/mt-analyzer-module/;
+$ref_files{$key} = "$dir".q|node42.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/dns-mapping-valid-field/;
+$ref_files{$key} = "$dir".q|node46.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/login-confused-text-event/;
+$ref_files{$key} = "$dir".q|node53.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/variables/;
+$ref_files{$key} = "$dir".q|node29.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/net-done-event/;
+$ref_files{$key} = "$dir".q|node36.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/type-conversion/;
+$ref_files{$key} = "$dir".q|node9.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/login-non-failure-msgs-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/check-hot-func/;
+$ref_files{$key} = "$dir".q|node39.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/dns-mapping-new-name-event/;
+$ref_files{$key} = "$dir".q|node46.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ftp-sig-disabled-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/dns-mapping-lost-name-event/;
+$ref_files{$key} = "$dir".q|node46.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/tcp-match-undelivered-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/num-backscatter-peers-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/software-table-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/cf-utility/;
+$ref_files{$key} = "$dir".q|node7.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/simultaneous-open-weird/;
+$ref_files{$key} = "$dir".q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/discarder-check-tcp-func/;
+$ref_files{$key} = "$dir".q|node33.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/demuxed-conn-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/skip-accounts-tried-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/excessive-line-event/;
+$ref_files{$key} = "$dir".q|node53.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/interconn-min-interarrival-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/smtp-sensitive-cmds-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/backdoor-min-7bit-ascii-ratio-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/udp-rep-count-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/flush-all-func/;
+$ref_files{$key} = "$dir".q|node33.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/fig:log-hook/;
+$ref_files{$key} = "$dir".q|node43.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/tcp-storm-thresh-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/split-routing/;
+$ref_files{$key} = "$dir".q|node83.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/flag-successful-inbound-service-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/analyzer-stepping/;
+$ref_files{$key} = "$dir".q|node60.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/table-attr/;
+$ref_files{$key} = "$dir".q|node20.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/interconn-ssh-len-disabled-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/analyzer-activation/;
+$ref_files{$key} = "$dir".q|node35.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/expression-stmt/;
+$ref_files{$key} = "$dir".q|node27.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/SYN-after-close-weird/;
+$ref_files{$key} = "$dir".q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/code-red-list1-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/local-24-nets-var/;
+$ref_files{$key} = "$dir".q|node38.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/edit-func/;
+$ref_files{$key} = "$dir".q|node33.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/in-operator/;
+$ref_files{$key} = "$dir".q|node28.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/smtp-relay-table-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/pm-request-callit-event/;
+$ref_files{$key} = "$dir".q|node54.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/output-trouble-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/contains-string-func/;
+$ref_files{$key} = "$dir".q|node33.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/multiple-RPCs-weird/;
+$ref_files{$key} = "$dir".q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/membership-expr/;
+$ref_files{$key} = "$dir".q|node28.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/http-abstract-max-length-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/suppress-scan-checks-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/fragment-protocol-inconsistency-weird/;
+$ref_files{$key} = "$dir".q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/todo/;
+$ref_files{$key} = "$dir".q|node74.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/allow-services-to-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/non-ASCII-hosts-var/;
+$ref_files{$key} = "$dir".q|node53.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ssh-len-conns-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/done-with-network-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ftp-session-info-num-requests-field/;
+$ref_files{$key} = "$dir".q|node50.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/arith-operators/;
+$ref_files{$key} = "$dir".q|node11.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/num-scan-triples-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/last-stat-time-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/NFS-services-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/record-connection-func/;
+$ref_files{$key} = "$dir".q|node37.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/backdoor-prompts-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/trace-log/;
+$ref_files{$key} = "$dir".q|node76.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/has-signature-matched-func/;
+$ref_files{$key} = "$dir".q|node56.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/service-name-func/;
+$ref_files{$key} = "$dir".q|node37.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/skip-scan-nets-24-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/var-scope/;
+$ref_files{$key} = "$dir".q|node30.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/fig:ftp-log-eg/;
+$ref_files{$key} = "$dir".q|node50.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/distinct-PTR-requests-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/http-log-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/signature-analyzer-module/;
+$ref_files{$key} = "$dir".q|node56.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/okay-to-lookup-sensitive-hosts-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/weird-log-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/sensitive-lookup-hosts-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/getting-started/;
+$ref_files{$key} = "$dir".q|node5.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/weird-action-filters-var/;
+$ref_files{$key} = "$dir".q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/statements/;
+$ref_files{$key} = "$dir".q|node26.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/record-constructors/;
+$ref_files{$key} = "$dir".q|node28.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/BRO-ID-env/;
+$ref_files{$key} = "$dir".q|node43.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/always-hot-ids-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/weird-do-not-ignore-repeats-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/icmp-flows-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/max-interval-func/;
+$ref_files{$key} = "$dir".q|node33.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/conn-events/;
+$ref_files{$key} = "$dir".q|node37.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/http-analyzer-module/;
+$ref_files{$key} = "$dir".q|node51.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/check-info-expanded-line-field/;
+$ref_files{$key} = "$dir".q|node53.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/analyzer-analy/;
+$ref_files{$key} = "$dir".q|node55.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/have-stats-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/var-mod/;
+$ref_files{$key} = "$dir".q|node30.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/suppress-pm-log-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/last-type/;
+$ref_files{$key} = "$dir".q|node25.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/weird-log/;
+$ref_files{$key} = "$dir".q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/hf-utility/;
+$ref_files{$key} = "$dir".q|node7.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/is-hot-id-func/;
+$ref_files{$key} = "$dir".q|node53.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/dns-log-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/edit-and-check-line-func/;
+$ref_files{$key} = "$dir".q|node53.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/data-after-reset-weird/;
+$ref_files{$key} = "$dir".q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/spontaneous-RST-weird/;
+$ref_files{$key} = "$dir".q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/sensitive-post-URIs-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/worm-log-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/policy-script-events/;
+$ref_files{$key} = "$dir".q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/connection-service-field/;
+$ref_files{$key} = "$dir".q|node37.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/RPC-okay-services-var/;
+$ref_files{$key} = "$dir".q|node54.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/interconn-min-alpha-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/repeated-SYN-reply-wo-ack-weird/;
+$ref_files{$key} = "$dir".q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/hot-dsts-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/skip-scan-sources-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/sigs-context/;
+$ref_files{$key} = "$dir".q|node66.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/hot-src-24nets-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/pm-request-unset-event/;
+$ref_files{$key} = "$dir".q|node54.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/software-ident-by-major-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/bro-log-file-var/;
+$ref_files{$key} = "$dir".q|node43.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/udp-reply-event/;
+$ref_files{$key} = "$dir".q|node37.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/x509-trusted-cert-path-var/;
+$ref_files{$key} = "$dir".q|node57.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/never-shut-down-var/;
+$ref_files{$key} = "$dir".q|node40.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ident-request-event/;
+$ref_files{$key} = "$dir".q|node52.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/BROPATH-env/;
+$ref_files{$key} = "$dir".q|node6.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/full-id-string-func/;
+$ref_files{$key} = "$dir".q|node37.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/neighbor-16-nets-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/port-name-analyzer-module/;
+$ref_files{$key} = "$dir".q|node41.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/module-dns/;
+$ref_files{$key} = "$dir".q|node46.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/hot-dsts-var/;
+$ref_files{$key} = "$dir".q|node39.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/bad-pm-port-weird/;
+$ref_files{$key} = "$dir".q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/shut-down-all-scans-var/;
+$ref_files{$key} = "$dir".q|node40.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/sigs-language/;
+$ref_files{$key} = "$dir".q|node66.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/bibliography/;
+$ref_files{$key} = "$dir".q|node105.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/neighbor-addresses/;
+$ref_files{$key} = "$dir".q|node38.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/NFS-services-var/;
+$ref_files{$key} = "$dir".q|node54.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/local-mail-addr-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/udp-analyzer-module/;
+$ref_files{$key} = "$dir".q|node37.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/http-proxy-sig-disabled-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/bad-HTTP-reply-weird/;
+$ref_files{$key} = "$dir".q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/debugger-notes/;
+$ref_files{$key} = "$dir".q|node72.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/have-FTP-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/first-type/;
+$ref_files{$key} = "$dir".q|node10.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/delete-func-attr/;
+$ref_files{$key} = "$dir".q|node30.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/did-ssh-version-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/interconn-min-num-lines-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/worm-list-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/local-16-nets-var/;
+$ref_files{$key} = "$dir".q|node38.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/tcp-storm-interarrival-thresh-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/shallow-copy/;
+$ref_files{$key} = "$dir".q|node19.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/skip-logins-to-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/site-info/;
+$ref_files{$key} = "$dir".q|node38.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/any-RPC-okay-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/parse-ftp-port-func/;
+$ref_files{$key} = "$dir".q|node33.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/positivation-expr/;
+$ref_files{$key} = "$dir".q|node28.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/cite_rfc-ftp/;
+$ref_files{$key} = "$dir".q|node106.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/mime-log-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/stp-scale-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/report-weird-func/;
+$ref_files{$key} = "$dir".q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/hostnames-vs-addresses/;
+$ref_files{$key} = "$dir".q|node93.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/pattern-matching-ops/;
+$ref_files{$key} = "$dir".q|node14.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/SYN-inside-connection-weird/;
+$ref_files{$key} = "$dir".q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/anonymize-ip-addr-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/conn-weird-addl-event/;
+$ref_files{$key} = "$dir".q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/forbidden-ids-if-no-password-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/pm-check-getport-func/;
+$ref_files{$key} = "$dir".q|node54.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/TCP-christmas-weird/;
+$ref_files{$key} = "$dir".q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/tcp-attempt-delayv-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/analyzer-ident/;
+$ref_files{$key} = "$dir".q|node52.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/conn-analyzer-module/;
+$ref_files{$key} = "$dir".q|node37.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/bad-option-event/;
+$ref_files{$key} = "$dir".q|node53.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/cite_rfc-rpc/;
+$ref_files{$key} = "$dir".q|node106.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/scan-triples-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/analy-conn/;
+$ref_files{$key} = "$dir".q|node37.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/demux-conn-func/;
+$ref_files{$key} = "$dir".q|node45.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/udp-conn/;
+$ref_files{$key} = "$dir".q|node37.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/non-analyzed-lifetime-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/always-hot-login-ids-var/;
+$ref_files{$key} = "$dir".q|node53.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/cite_bro-usenix-98/;
+$ref_files{$key} = "$dir".q|node106.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/suppress-pm-log-var/;
+$ref_files{$key} = "$dir".q|node54.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ssh-sig-disabled-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/intro/;
+$ref_files{$key} = "$dir".q|node4.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/pm-request-set-event/;
+$ref_files{$key} = "$dir".q|node54.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/tbl:login-confusion/;
+$ref_files{$key} = "$dir".q|node53.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/display-pairs-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/cite_sslv30/;
+$ref_files{$key} = "$dir".q|node106.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ssh-min-ssh-pkts-ratio-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/SYN-after-reset-weird/;
+$ref_files{$key} = "$dir".q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/skip-unexpected-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/cite_bro-comp-networks-99/;
+$ref_files{$key} = "$dir".q|node106.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ftp-session-info-log-if-not-unavail-field/;
+$ref_files{$key} = "$dir".q|node50.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ftp-session-info-request-field/;
+$ref_files{$key} = "$dir".q|node50.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/open-log-file-func/;
+$ref_files{$key} = "$dir".q|node33.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/fragment-with-DF-weird/;
+$ref_files{$key} = "$dir".q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/report-peer-scan-var/;
+$ref_files{$key} = "$dir".q|node40.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/bro-done-event/;
+$ref_files{$key} = "$dir".q|node36.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/backdoor-min-num-lines-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/connection-originator-SYN-ack-weird/;
+$ref_files{$key} = "$dir".q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/login-success-event/;
+$ref_files{$key} = "$dir".q|node53.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/login-terminal-event/;
+$ref_files{$key} = "$dir".q|node53.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/tables/;
+$ref_files{$key} = "$dir".q|node20.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ftp-session-info-id-field/;
+$ref_files{$key} = "$dir".q|node50.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/allow-services-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/signatures/;
+$ref_files{$key} = "$dir".q|node64.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/telnet-sig-3byte-conns-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/default-attr/;
+$ref_files{$key} = "$dir".q|node20.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/always-hot-ids/;
+$ref_files{$key} = "$dir".q|node49.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/is-tcp-port-func/;
+$ref_files{$key} = "$dir".q|node33.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/process-HTTP-replies-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/sigs-conditions/;
+$ref_files{$key} = "$dir".q|node66.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/analyzer-load/;
+$ref_files{$key} = "$dir".q|node35.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/bad-RPC-weird/;
+$ref_files{$key} = "$dir".q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ftp-excessive-filename-trunc-len-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/log-hot-conn-func/;
+$ref_files{$key} = "$dir".q|node37.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ftp-guest-ids-var/;
+$ref_files{$key} = "$dir".q|node50.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/analyzer-backdoor/;
+$ref_files{$key} = "$dir".q|node62.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ftp-hot-files-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/root-backdoor-sig-disabled-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/flow-weird-event/;
+$ref_files{$key} = "$dir".q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/max-double-func/;
+$ref_files{$key} = "$dir".q|node33.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/alert-file-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/allow-16-net-pairs-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/terminate-connection-func/;
+$ref_files{$key} = "$dir".q|node37.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/capture-filter/;
+$ref_files{$key} = "$dir".q|node35.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/hot-dst-24nets-var/;
+$ref_files{$key} = "$dir".q|node39.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/skip-unexpected-net-var/;
+$ref_files{$key} = "$dir".q|node50.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/NULs-run-time/;
+$ref_files{$key} = "$dir".q|node33.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/reference/;
+$ref_files{$key} = "$dir".q|node73.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/RPC-server-map-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/interconn-min-ssh-pkts-ratio-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ftp-skip-hot-var/;
+$ref_files{$key} = "$dir".q|node50.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/is-login-conn-func/;
+$ref_files{$key} = "$dir".q|node53.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/local-24-nets-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/analyzer-ftp/;
+$ref_files{$key} = "$dir".q|node50.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/tbl:sigs-modactions/;
+$ref_files{$key} = "$dir".q|node56.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/forbidden-id-patterns-var/;
+$ref_files{$key} = "$dir".q|node49.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/backdoor-min-bytes-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ssl-store-key-material-var/;
+$ref_files{$key} = "$dir".q|node57.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/break-stmt/;
+$ref_files{$key} = "$dir".q|node27.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/parenthesized-expr/;
+$ref_files{$key} = "$dir".q|node28.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/alert-action-filters-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ssl-conn-server-reply-event/;
+$ref_files{$key} = "$dir".q|node57.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/global-stmts/;
+$ref_files{$key} = "$dir".q|node89.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/conn-id-orig-h-field/;
+$ref_files{$key} = "$dir".q|node37.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/network-time-func/;
+$ref_files{$key} = "$dir".q|node33.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/dns-session-timeout-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/mkdir-func/;
+$ref_files{$key} = "$dir".q|node33.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/analyzer-login/;
+$ref_files{$key} = "$dir".q|node53.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/bad-option-termination-event/;
+$ref_files{$key} = "$dir".q|node53.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/decrement-expr/;
+$ref_files{$key} = "$dir".q|node28.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/weird-ignore-host-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ssl-connection-info-connection-id-field/;
+$ref_files{$key} = "$dir".q|node57.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ssl-max-cipherspec-size-var/;
+$ref_files{$key} = "$dir".q|node57.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/min-interval-func/;
+$ref_files{$key} = "$dir".q|node33.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/set-type/;
+$ref_files{$key} = "$dir".q|node21.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/cite_ssl-fips/;
+$ref_files{$key} = "$dir".q|node106.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/preserved-net-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/backdoor-demux-disabled-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/dns-mapping-valid-event/;
+$ref_files{$key} = "$dir".q|node46.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/sensitive-post-URIs-var/;
+$ref_files{$key} = "$dir".q|node51.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/login-prompts-var/;
+$ref_files{$key} = "$dir".q|node53.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/read-expire-attr/;
+$ref_files{$key} = "$dir".q|node20.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/skip-unexpected-var/;
+$ref_files{$key} = "$dir".q|node50.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/interconn-min-num-pkts-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/differences/;
+$ref_files{$key} = "$dir".q|node100.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/cite_rfc-telnet/;
+$ref_files{$key} = "$dir".q|node106.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/analyzer-hot/;
+$ref_files{$key} = "$dir".q|node39.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/smtp-sessions-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/rlogin-sig-1byte-disabled-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/log-analyzer-module/;
+$ref_files{$key} = "$dir".q|node43.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/port-constants/;
+$ref_files{$key} = "$dir".q|node16.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/output-trouble-var/;
+$ref_files{$key} = "$dir".q|node53.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/RPC-okay-nets-var/;
+$ref_files{$key} = "$dir".q|node54.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/keystroke-editing/;
+$ref_files{$key} = "$dir".q|node53.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/hot-names-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/neighbor-nets-var/;
+$ref_files{$key} = "$dir".q|node38.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/rpc-programs-var/;
+$ref_files{$key} = "$dir".q|node54.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/rpc-prog-func/;
+$ref_files{$key} = "$dir".q|node54.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/local-16-nets-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/max-timer-expires-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/http-sessions-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/tbl:endpoint-stats/;
+$ref_files{$key} = "$dir".q|node55.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/pattern-constants/;
+$ref_files{$key} = "$dir".q|node14.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/allow-16-net-pairs-var/;
+$ref_files{$key} = "$dir".q|node39.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/login-output-line-event/;
+$ref_files{$key} = "$dir".q|node53.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/vert-scan-thresholds-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/port-ops/;
+$ref_files{$key} = "$dir".q|node16.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/hot-analyzer-module/;
+$ref_files{$key} = "$dir".q|node39.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/numeric-constants/;
+$ref_files{$key} = "$dir".q|node11.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/endpoint-size-field/;
+$ref_files{$key} = "$dir".q|node37.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/active-analyzer-module/;
+$ref_files{$key} = "$dir".q|node44.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/excessively-large-fragment-weird/;
+$ref_files{$key} = "$dir".q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/local-nets-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/assignment-expr/;
+$ref_files{$key} = "$dir".q|node28.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/pm-attempt-unset-event/;
+$ref_files{$key} = "$dir".q|node54.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/bad-IP-checksum-weird/;
+$ref_files{$key} = "$dir".q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/smtp-hot-cmds-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/multiple-HTTP-request-elements-weird/;
+$ref_files{$key} = "$dir".q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/worm-URIs-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/telnet-sig-conns-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ftp-log-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/dns-mapping-creation-time-field/;
+$ref_files{$key} = "$dir".q|node46.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/icmp-analyzer-module/;
+$ref_files{$key} = "$dir".q|node59.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/negation-expr/;
+$ref_files{$key} = "$dir".q|node28.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/FIN-after-reset-weird/;
+$ref_files{$key} = "$dir".q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/report-backscatter-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/var-type/;
+$ref_files{$key} = "$dir".q|node30.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/backdoor-annotate-standard-ports-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/cite_ptacek98/;
+$ref_files{$key} = "$dir".q|node106.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/system-func/;
+$ref_files{$key} = "$dir".q|node33.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/length-func/;
+$ref_files{$key} = "$dir".q|node33.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/inactivity-timeout-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/fig:ftp-session-info/;
+$ref_files{$key} = "$dir".q|node50.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/demux/;
+$ref_files{$key} = "$dir".q|node91.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/weird-action-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/icmp-conn/;
+$ref_files{$key} = "$dir".q|node59.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/include-HTTP-abstract-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/cite_bpf/;
+$ref_files{$key} = "$dir".q|node106.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/bro-proc-events/;
+$ref_files{$key} = "$dir".q|node36.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/sig-actions-var/;
+$ref_files{$key} = "$dir".q|node56.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/hot-ident-ids-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/get-orig-seq-func/;
+$ref_files{$key} = "$dir".q|node33.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/telnet-sig-3byte-disabled-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/RPC-okay-services-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/module-demux/;
+$ref_files{$key} = "$dir".q|node45.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/horiz-scan-thresholds-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/flag-rejected-service-var/;
+$ref_files{$key} = "$dir".q|node39.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ftp-hot-guest-files-var/;
+$ref_files{$key} = "$dir".q|node50.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/address-ops/;
+$ref_files{$key} = "$dir".q|node17.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ident-analyzer-module/;
+$ref_files{$key} = "$dir".q|node52.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ident-reply-event/;
+$ref_files{$key} = "$dir".q|node52.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/num-accounts-tried-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/var-attr/;
+$ref_files{$key} = "$dir".q|node30.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/flag-successful-service-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/report-weird-conn-func/;
+$ref_files{$key} = "$dir".q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/cite_sslv2/;
+$ref_files{$key} = "$dir".q|node106.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/tftp-alert-count-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/pm-activity-func/;
+$ref_files{$key} = "$dir".q|node54.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/bad-TCP-header-len-weird/;
+$ref_files{$key} = "$dir".q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/skip-services-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/redef/;
+$ref_files{$key} = "$dir".q|node79.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/smtp-log-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/port-type/;
+$ref_files{$key} = "$dir".q|node16.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/pattern_matching-expr/;
+$ref_files{$key} = "$dir".q|node28.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/forbidden-ids-if-no-password-var/;
+$ref_files{$key} = "$dir".q|node49.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/redef-attr/;
+$ref_files{$key} = "$dir".q|node30.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/edit-and-check-user-func/;
+$ref_files{$key} = "$dir".q|node53.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/cat-func/;
+$ref_files{$key} = "$dir".q|node33.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/local-nets-var/;
+$ref_files{$key} = "$dir".q|node38.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/log-file-name-func/;
+$ref_files{$key} = "$dir".q|node33.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/tcp-reset-delay-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/partial-connection-event/;
+$ref_files{$key} = "$dir".q|node37.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/debugger-usage/;
+$ref_files{$key} = "$dir".q|node71.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/create-expire-attr/;
+$ref_files{$key} = "$dir".q|node20.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/add-stmt/;
+$ref_files{$key} = "$dir".q|node27.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ssl-certificate-event/;
+$ref_files{$key} = "$dir".q|node57.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/conn-id-resp-h-field/;
+$ref_files{$key} = "$dir".q|node37.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/rule-actions-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/records/;
+$ref_files{$key} = "$dir".q|node19.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/hot-report-script/;
+$ref_files{$key} = "$dir".q|node94.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/stp-common-host-thresh-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/hot-ident-exceptions-var/;
+$ref_files{$key} = "$dir".q|node52.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/partial-ftp-request-weird/;
+$ref_files{$key} = "$dir".q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/excessive-ntp-request-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/skip-accounts-tried-var/;
+$ref_files{$key} = "$dir".q|node40.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/can-drop-connectivity-var/;
+$ref_files{$key} = "$dir".q|node40.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/connection-addl-field/;
+$ref_files{$key} = "$dir".q|node37.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/index-expr/;
+$ref_files{$key} = "$dir".q|node28.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/getenv-func/;
+$ref_files{$key} = "$dir".q|node33.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/dns-mapping-req-host-field/;
+$ref_files{$key} = "$dir".q|node46.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/activating-encryption-event/;
+$ref_files{$key} = "$dir".q|node53.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/pm-attempt-dump-event/;
+$ref_files{$key} = "$dir".q|node54.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/truncated-IP-weird/;
+$ref_files{$key} = "$dir".q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/add-func-attr/;
+$ref_files{$key} = "$dir".q|node30.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/BRO-PREFIXES-env/;
+$ref_files{$key} = "$dir".q|node6.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/cite_rfc-xdr/;
+$ref_files{$key} = "$dir".q|node106.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/hot-srcs-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ftp-session-info-user-field/;
+$ref_files{$key} = "$dir".q|node50.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/cite_rfc-ssh/;
+$ref_files{$key} = "$dir".q|node106.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/shut-down-thresh-var/;
+$ref_files{$key} = "$dir".q|node40.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/unpaired-RPC-response-weird/;
+$ref_files{$key} = "$dir".q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/active-connection-func/;
+$ref_files{$key} = "$dir".q|node33.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/rewrite-ident-trace-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/hot-src-24nets-var/;
+$ref_files{$key} = "$dir".q|node39.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/demux-dir-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/tbl:conn-record-states/;
+$ref_files{$key} = "$dir".q|node37.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/port-names-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/backdoor-ignore-dst-addrs-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/hot-ident-exceptions-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/conditional-expr/;
+$ref_files{$key} = "$dir".q|node28.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/backdoor-stat-period-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/delete-stmt/;
+$ref_files{$key} = "$dir".q|node27.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/HTTP-version-mismatch-weird/;
+$ref_files{$key} = "$dir".q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/get-login-state-func/;
+$ref_files{$key} = "$dir".q|node33.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/vert-scan-thresholds-var/;
+$ref_files{$key} = "$dir".q|node56.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/tbl:contents-dir/;
+$ref_files{$key} = "$dir".q|node33.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/preserved-subnet-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/cite_x509/;
+$ref_files{$key} = "$dir".q|node106.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/precedence/;
+$ref_files{$key} = "$dir".q|node85.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/close-func/;
+$ref_files{$key} = "$dir".q|node33.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ssl-connection-info-server-cert-field/;
+$ref_files{$key} = "$dir".q|node57.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/allow-services-var/;
+$ref_files{$key} = "$dir".q|node39.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/backscatter-ports-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/tbl:portmapper-status/;
+$ref_files{$key} = "$dir".q|node54.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/fig:conn-record/;
+$ref_files{$key} = "$dir".q|node37.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/bro-signal-event/;
+$ref_files{$key} = "$dir".q|node36.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/omit-rewrite-place-holder-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/report-remote-accounts-tried-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/max-finger-request-len-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/interconn-demux-disabled-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/RST-with-data-weird/;
+$ref_files{$key} = "$dir".q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ssh-log-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ftp-reply-event/;
+$ref_files{$key} = "$dir".q|node50.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/finger-analyzer-module/;
+$ref_files{$key} = "$dir".q|node47.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/parse-ftp-pasv-func/;
+$ref_files{$key} = "$dir".q|node33.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/public-ident-user-ids-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/analyzer-scan/;
+$ref_files{$key} = "$dir".q|node40.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/fig:x509/;
+$ref_files{$key} = "$dir".q|node57.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/hostnames/;
+$ref_files{$key} = "$dir".q|node17.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/const-stmt/;
+$ref_files{$key} = "$dir".q|node27.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/hot-login-ids-var/;
+$ref_files{$key} = "$dir".q|node53.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/distinct-backscatter-peers-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/temporal-ops/;
+$ref_files{$key} = "$dir".q|node15.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/table-access/;
+$ref_files{$key} = "$dir".q|node20.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/dns-mapping-req-addr-field/;
+$ref_files{$key} = "$dir".q|node46.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/scope_of_local_variables/;
+$ref_files{$key} = "$dir".q|node27.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/account-tried/;
+$ref_files{$key} = "$dir".q|node40.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/RPC-okay-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/allow-pairs-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/report-rejected-PTR-factor-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/bad-HTTP-version-weird/;
+$ref_files{$key} = "$dir".q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/interconn-min-duration-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/compound-stmt/;
+$ref_files{$key} = "$dir".q|node27.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/conn-state-func/;
+$ref_files{$key} = "$dir".q|node37.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/rlogin-id-okay-if-no-password-exposed-var/;
+$ref_files{$key} = "$dir".q|node53.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ftp-skip-hot-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/tbl:weird-action/;
+$ref_files{$key} = "$dir".q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/field-attrs/;
+$ref_files{$key} = "$dir".q|node19.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/pm-attempt-getport-event/;
+$ref_files{$key} = "$dir".q|node54.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/public-ident-systems-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/capture-filter-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/finger-reply-event/;
+$ref_files{$key} = "$dir".q|node47.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/login-failure-msgs-var/;
+$ref_files{$key} = "$dir".q|node53.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/timer-expiration/;
+$ref_files{$key} = "$dir".q|node28.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/bad-ident-reply-weird/;
+$ref_files{$key} = "$dir".q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/record-dollar/;
+$ref_files{$key} = "$dir".q|node19.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/excessively-small-fragment-weird/;
+$ref_files{$key} = "$dir".q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/tcp-close-delay-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/possible-split-routing-weird/;
+$ref_files{$key} = "$dir".q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/stepping-analyzer-module/;
+$ref_files{$key} = "$dir".q|node60.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/log-HTTP-data-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/rewriting-smtp-trace-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ftp-not-actually-hot-files-var/;
+$ref_files{$key} = "$dir".q|node50.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ssl-connection-info-client-cert-field/;
+$ref_files{$key} = "$dir".q|node57.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/smtp-session-by-message-id-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/terminate-successful-inbound-service-var/;
+$ref_files{$key} = "$dir".q|node39.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/current-time-func/;
+$ref_files{$key} = "$dir".q|node33.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/did-stone-summary-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/RPC-dump-okay-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/function_call-expr/;
+$ref_files{$key} = "$dir".q|node28.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/incompletely-captured-fragment-weird/;
+$ref_files{$key} = "$dir".q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/analyzer-ssl/;
+$ref_files{$key} = "$dir".q|node57.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/next-stmt/;
+$ref_files{$key} = "$dir".q|node27.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/local-addresses/;
+$ref_files{$key} = "$dir".q|node38.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/analyzer-interconn/;
+$ref_files{$key} = "$dir".q|node63.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/http-sig-disabled-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/actually-rejected-PTR-anno-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/anon-log-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/authentication-rejected-event/;
+$ref_files{$key} = "$dir".q|node53.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/rel-operators/;
+$ref_files{$key} = "$dir".q|node11.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/full-output-trouble-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/backdoor-ignore-ports-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/flag-F/;
+$ref_files{$key} = "$dir".q|node6.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/rlogin-text-after-rejected-weird/;
+$ref_files{$key} = "$dir".q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/bro-init-file/;
+$ref_files{$key} = "$dir".q|node92.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/local-code-red-response-pgm-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/accounts-tried-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/shut-down-scans-var/;
+$ref_files{$key} = "$dir".q|node40.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/open-func/;
+$ref_files{$key} = "$dir".q|node33.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/process-smtp-relay-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/flag-O/;
+$ref_files{$key} = "$dir".q|node6.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/flag-P/;
+$ref_files{$key} = "$dir".q|node6.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/login-success-msgs-var/;
+$ref_files{$key} = "$dir".q|node53.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/to-upper-func/;
+$ref_files{$key} = "$dir".q|node33.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/NUL-in-line-weird/;
+$ref_files{$key} = "$dir".q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/stp-random-pair-thresh-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/sensitive-URIs-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/pending-data-when-closed-weird/;
+$ref_files{$key} = "$dir".q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/add-tcpdump-filter-func/;
+$ref_files{$key} = "$dir".q|node33.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/report-peer-scan-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/flag-W/;
+$ref_files{$key} = "$dir".q|node6.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/conn-size-func/;
+$ref_files{$key} = "$dir".q|node37.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ftp-analyzer-module/;
+$ref_files{$key} = "$dir".q|node50.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/worm-type-list-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/print-stmt/;
+$ref_files{$key} = "$dir".q|node27.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/net-stats-update-event/;
+$ref_files{$key} = "$dir".q|node36.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/report-port-scan-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/interconn-default-pkt-size-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/filtering/;
+$ref_files{$key} = "$dir".q|node35.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/conn-record/;
+$ref_files{$key} = "$dir".q|node37.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/pm-request-null-event/;
+$ref_files{$key} = "$dir".q|node54.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ssl-analyze-certificates-var/;
+$ref_files{$key} = "$dir".q|node57.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/cite_rfc-http-1-0/;
+$ref_files{$key} = "$dir".q|node106.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/flag-f/;
+$ref_files{$key} = "$dir".q|node6.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/cite_RFC791/;
+$ref_files{$key} = "$dir".q|node106.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/cite_rfc-http-1-1/;
+$ref_files{$key} = "$dir".q|node106.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ftp-session-info-log-it-field/;
+$ref_files{$key} = "$dir".q|node50.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/flag-h/;
+$ref_files{$key} = "$dir".q|node6.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/cite_RFC793/;
+$ref_files{$key} = "$dir".q|node106.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/flag-i/;
+$ref_files{$key} = "$dir".q|node6.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/skip-authentication-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/tbl:check-hot-states/;
+$ref_files{$key} = "$dir".q|node39.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/flag-p/;
+$ref_files{$key} = "$dir".q|node6.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/terminate-successful-inbound-service-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/weird-ignore-host-var/;
+$ref_files{$key} = "$dir".q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ntp-session-timeout-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/flag-r/;
+$ref_files{$key} = "$dir".q|node6.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/neighbor-24-nets-var/;
+$ref_files{$key} = "$dir".q|node38.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/flag-s/;
+$ref_files{$key} = "$dir".q|node6.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/analy-analyzer-module/;
+$ref_files{$key} = "$dir".q|node55.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ident-request-addendum-weird/;
+$ref_files{$key} = "$dir".q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/flag-v/;
+$ref_files{$key} = "$dir".q|node6.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/flag-w/;
+$ref_files{$key} = "$dir".q|node6.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/originator-RPC-reply-weird/;
+$ref_files{$key} = "$dir".q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ident-error-event/;
+$ref_files{$key} = "$dir".q|node52.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/fig:print-filter/;
+$ref_files{$key} = "$dir".q|node35.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/report-outbound-peer-scan-var/;
+$ref_files{$key} = "$dir".q|node40.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/flag-rejected-service-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/sigs-actions/;
+$ref_files{$key} = "$dir".q|node66.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/cite_RFC2373/;
+$ref_files{$key} = "$dir".q|node106.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/cite_RFC1644/;
+$ref_files{$key} = "$dir".q|node106.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/rpc-programs-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/have-SMTP-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/tcp-reassembler-ports-orig-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/values-types-constants/;
+$ref_files{$key} = "$dir".q|node8.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/to-net-func/;
+$ref_files{$key} = "$dir".q|node33.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/hot-names-var/;
+$ref_files{$key} = "$dir".q|node47.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/record-assign/;
+$ref_files{$key} = "$dir".q|node19.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/table-assign/;
+$ref_files{$key} = "$dir".q|node20.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/notes/;
+$ref_files{$key} = "$dir".q|node72.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/enable-brov6-config/;
+$ref_files{$key} = "$dir".q|node6.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/partial-RPC-weird/;
+$ref_files{$key} = "$dir".q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/rexmit-inconsistency-event/;
+$ref_files{$key} = "$dir".q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/software-file-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/hot-terminal-types-var/;
+$ref_files{$key} = "$dir".q|node53.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/predefineds-time/;
+$ref_files{$key} = "$dir".q|node33.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ftp-excessive-filename-len-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ftp-ignore-invalid-PORT-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/connection-reset-event/;
+$ref_files{$key} = "$dir".q|node37.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/is-ftp-data-conn-func/;
+$ref_files{$key} = "$dir".q|node50.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/sigs-header/;
+$ref_files{$key} = "$dir".q|node66.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/report-remote-accounts-tried-var/;
+$ref_files{$key} = "$dir".q|node40.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/conn-id-orig-p-field/;
+$ref_files{$key} = "$dir".q|node37.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/mime-sessions-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/hot-ids-analyzer-module/;
+$ref_files{$key} = "$dir".q|node49.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/event_scheduling-expr/;
+$ref_files{$key} = "$dir".q|node28.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/allow-excessive-ntp-requests-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/discarders/;
+$ref_files{$key} = "$dir".q|node99.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ssl-connection-info-id-index-field/;
+$ref_files{$key} = "$dir".q|node57.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/tcp-partial-close-delay-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ftp-session-info-request-t-field/;
+$ref_files{$key} = "$dir".q|node50.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/connection-hot-field/;
+$ref_files{$key} = "$dir".q|node37.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/rpc-timeout-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/login-input-line-event/;
+$ref_files{$key} = "$dir".q|node53.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/authentication-skipped-event/;
+$ref_files{$key} = "$dir".q|node53.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/load-directive/;
+$ref_files{$key} = "$dir".q|node88.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/cite_rfc-rlogin/;
+$ref_files{$key} = "$dir".q|node106.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/table-expire-interval-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/discarder-maxlen-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/smtp-session-by-recipient-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/endpoint-id-func/;
+$ref_files{$key} = "$dir".q|node41.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ssl-log-file/;
+$ref_files{$key} = "$dir".q|node57.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/net-ops/;
+$ref_files{$key} = "$dir".q|node18.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/connection-start-time-field/;
+$ref_files{$key} = "$dir".q|node37.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/discarder-check-udp-func/;
+$ref_files{$key} = "$dir".q|node33.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/record_field_access-expr/;
+$ref_files{$key} = "$dir".q|node28.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/login-timeouts-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/input-wait-for-output-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/skip-outbound-services-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/skip-outbound-services-var/;
+$ref_files{$key} = "$dir".q|node40.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ftp-ignore-privileged-PASVs-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/login-success-msgs-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/analyzer-http/;
+$ref_files{$key} = "$dir".q|node51.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/HTTP-unknown-method-weird/;
+$ref_files{$key} = "$dir".q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/excess-RPC-weird/;
+$ref_files{$key} = "$dir".q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/min-double-func/;
+$ref_files{$key} = "$dir".q|node33.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/pm-attempt-callit-event/;
+$ref_files{$key} = "$dir".q|node54.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/set-buf-func/;
+$ref_files{$key} = "$dir".q|node33.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/step-log-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/forbidden-ids-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/login-non-failure-msgs-var/;
+$ref_files{$key} = "$dir".q|node53.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/discarder-check-icmp-func/;
+$ref_files{$key} = "$dir".q|node33.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/edited-input-trouble-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/interconn-min-7bit-ascii-ratio-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/backdoor-standard-ports-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/excessive-RPC-len-weird/;
+$ref_files{$key} = "$dir".q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/smtp-session-by-content-hash-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/pm-attempt-func/;
+$ref_files{$key} = "$dir".q|node54.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/fig:ssl-connection-info/;
+$ref_files{$key} = "$dir".q|node57.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/increment-expr/;
+$ref_files{$key} = "$dir".q|node28.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/table-decl/;
+$ref_files{$key} = "$dir".q|node20.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/direct-login-prompts-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/play-back/;
+$ref_files{$key} = "$dir".q|node98.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/signature-match-event/;
+$ref_files{$key} = "$dir".q|node56.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/cite_rfc-finger/;
+$ref_files{$key} = "$dir".q|node106.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/tcp-reassembler-ports-resp-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/log-hook-func/;
+$ref_files{$key} = "$dir".q|node43.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/analyzer-signature/;
+$ref_files{$key} = "$dir".q|node56.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/predefineds/;
+$ref_files{$key} = "$dir".q|node31.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/interconn-ignore-standard-ports-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/conn-tag-info-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ftp-data-expected-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/weird-action-filters-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ftp-hot-files-var/;
+$ref_files{$key} = "$dir".q|node50.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/FIN-advanced-last-seq-weird/;
+$ref_files{$key} = "$dir".q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/cite_rfc-x11/;
+$ref_files{$key} = "$dir".q|node106.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ssh-min-num-pkts-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/addl-web-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/login-confused-event/;
+$ref_files{$key} = "$dir".q|node53.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/expire-func-attr/;
+$ref_files{$key} = "$dir".q|node20.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/dns-mapping-hostname-field/;
+$ref_files{$key} = "$dir".q|node46.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/conn-summaries/;
+$ref_files{$key} = "$dir".q|node37.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/neighbor-16-nets-var/;
+$ref_files{$key} = "$dir".q|node38.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/allow-pairs-var/;
+$ref_files{$key} = "$dir".q|node39.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/stp-delta-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/udp-request-event/;
+$ref_files{$key} = "$dir".q|node37.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/any-RPC-okay-var/;
+$ref_files{$key} = "$dir".q|node54.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/responder-RPC-call-weird/;
+$ref_files{$key} = "$dir".q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/cite_rfc-telnet-options/;
+$ref_files{$key} = "$dir".q|node106.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/record-constants/;
+$ref_files{$key} = "$dir".q|node19.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/table-init/;
+$ref_files{$key} = "$dir".q|node20.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/telnet-sig-disabled-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/skip-unexpected-net-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ssl-conn-weak-event/;
+$ref_files{$key} = "$dir".q|node57.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/logical-expr/;
+$ref_files{$key} = "$dir".q|node28.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/new-connection-event/;
+$ref_files{$key} = "$dir".q|node37.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/allow-spoof-services-var/;
+$ref_files{$key} = "$dir".q|node39.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/direct-login-prompts-var/;
+$ref_files{$key} = "$dir".q|node53.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ssl-conn-reused-event/;
+$ref_files{$key} = "$dir".q|node57.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/min-count-func/;
+$ref_files{$key} = "$dir".q|node33.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/type-inference/;
+$ref_files{$key} = "$dir".q|node30.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/syn-fin-filtering/;
+$ref_files{$key} = "$dir".q|node82.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/allow-services-to-var/;
+$ref_files{$key} = "$dir".q|node39.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/fig:dns-mapping/;
+$ref_files{$key} = "$dir".q|node46.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/skip-logins-to-var/;
+$ref_files{$key} = "$dir".q|node53.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/hot-srcs-var/;
+$ref_files{$key} = "$dir".q|node39.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/report-accounts-tried-var/;
+$ref_files{$key} = "$dir".q|node40.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/SSL-analyzer-module/;
+$ref_files{$key} = "$dir".q|node57.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/root-backdoor-sig-conns-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/partial-portmapper-request-weird/;
+$ref_files{$key} = "$dir".q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/connection-pending-event/;
+$ref_files{$key} = "$dir".q|node37.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/did-PTR-scan-event-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/report-outbound-peer-scan-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/prefixes/;
+$ref_files{$key} = "$dir".q|node75.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/record_field_test-expr/;
+$ref_files{$key} = "$dir".q|node28.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/function-call-expr/;
+$ref_files{$key} = "$dir".q|node28.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/report-rejected-PTR-thresh-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/premature-connection-reuse-weird/;
+$ref_files{$key} = "$dir".q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/interconn-conns-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/login-timeouts-var/;
+$ref_files{$key} = "$dir".q|node53.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/conn-id-resp-p-field/;
+$ref_files{$key} = "$dir".q|node37.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ftp-session-info-log-if-not-denied-field/;
+$ref_files{$key} = "$dir".q|node50.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ssl-log/;
+$ref_files{$key} = "$dir".q|node57.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/analyzer-finger/;
+$ref_files{$key} = "$dir".q|node47.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ssl-certificate-seen-event/;
+$ref_files{$key} = "$dir".q|node57.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/watchdog-interval-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/write-file/;
+$ref_files{$key} = "$dir".q|node76.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/hot-telnet-orig-ports-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/edit-and-check-password-func/;
+$ref_files{$key} = "$dir".q|node53.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/boolean-constants/;
+$ref_files{$key} = "$dir".q|node10.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/fragment-overlap-weird/;
+$ref_files{$key} = "$dir".q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/is-local-addr-func/;
+$ref_files{$key} = "$dir".q|node38.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/hot-ident-ids-var/;
+$ref_files{$key} = "$dir".q|node52.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/maintain-http-sessions-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ftp-sessions-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/tcp-SYN-timeout-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/connection-duration-field/;
+$ref_files{$key} = "$dir".q|node37.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/rlogin-id-okay-if-no-password-exposed-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/same-local-net-is-spoof-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/input-trouble-global/;
+$ref_files{$key} = "$dir".q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/drop-address-func/;
+$ref_files{$key} = "$dir".q|node40.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/bro-init-event/;
+$ref_files{$key} = "$dir".q|node36.html|; 
+$noresave{$key} = "$nosave";
+
+1;
+
diff --git a/doc/old/manual/labels.pl b/doc/old/manual/labels.pl
new file mode 100644
index 0000000000..866938d0e3
--- /dev/null
+++ b/doc/old/manual/labels.pl
@@ -0,0 +1,3985 @@
+# LaTeX2HTML 2002-2 (1.70)
+# Associate labels original text with physical files.
+
+
+$key = q/process-HTTP-data-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ssl-connection-info-version-field/;
+$external_labels{$key} = "$URL/" . q|node57.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/network-interfaces/;
+$external_labels{$key} = "$URL/" . q|node6.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/signal-handling/;
+$external_labels{$key} = "$URL/" . q|node36.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/stp-ratio-thresh-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/stp-idle-min-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/sigs-deps/;
+$external_labels{$key} = "$URL/" . q|node66.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/http-request-event/;
+$external_labels{$key} = "$URL/" . q|node51.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/pm-attempt-set-event/;
+$external_labels{$key} = "$URL/" . q|node54.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/allow-spoof-services-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ftp-hot-cmds-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/interconn-log-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/spontaneous-FIN-weird/;
+$external_labels{$key} = "$URL/" . q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/USER-env/;
+$external_labels{$key} = "$URL/" . q|node53.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/skip-authentication-var/;
+$external_labels{$key} = "$URL/" . q|node53.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/allow-services-pairs-var/;
+$external_labels{$key} = "$URL/" . q|node39.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/RPC-okay-nets-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/mask-addr-func/;
+$external_labels{$key} = "$URL/" . q|node33.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/connection-record-func/;
+$external_labels{$key} = "$URL/" . q|node33.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/fig:signature-state/;
+$external_labels{$key} = "$URL/" . q|node66.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/for-stmt/;
+$external_labels{$key} = "$URL/" . q|node27.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/fragment-size-inconsistency-weird/;
+$external_labels{$key} = "$URL/" . q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/site-analyzer-module/;
+$external_labels{$key} = "$URL/" . q|node38.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/exit-func/;
+$external_labels{$key} = "$URL/" . q|node33.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/forbidden-id-patterns-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/bad-SYN-ack-weird/;
+$external_labels{$key} = "$URL/" . q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/Land-attack-weird/;
+$external_labels{$key} = "$URL/" . q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/skip-scan-nets-16-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/active-connection-reuse-weird/;
+$external_labels{$key} = "$URL/" . q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/smtp-legal-cmds-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/local-stmt/;
+$external_labels{$key} = "$URL/" . q|node27.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ftp-data-expected-session-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/set-record-packets-func/;
+$external_labels{$key} = "$URL/" . q|node33.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/forbidden-ids-var/;
+$external_labels{$key} = "$URL/" . q|node49.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/hot-login-func/;
+$external_labels{$key} = "$URL/" . q|node53.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/var-redef/;
+$external_labels{$key} = "$URL/" . q|node30.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/endpoint-state-field/;
+$external_labels{$key} = "$URL/" . q|node37.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/logical-operators/;
+$external_labels{$key} = "$URL/" . q|node10.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/allow-PTR-scans-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/UDP-datagram-length-mismatch-weird/;
+$external_labels{$key} = "$URL/" . q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/always-hot-login-ids-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/record-index/;
+$external_labels{$key} = "$URL/" . q|node20.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/address-type/;
+$external_labels{$key} = "$URL/" . q|node17.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/connection-attempt-event/;
+$external_labels{$key} = "$URL/" . q|node37.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/RST-storm-weird/;
+$external_labels{$key} = "$URL/" . q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/NULs-allowed-in-strings/;
+$external_labels{$key} = "$URL/" . q|node13.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/cross-product-init/;
+$external_labels{$key} = "$URL/" . q|node20.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/analyzer-portmapper/;
+$external_labels{$key} = "$URL/" . q|node54.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/tcp-SYN-ack-ok-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/remote-code-red-response-pgm-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/interconn-max-keystroke-pkt-size-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/interconn-standard-ports-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/pm-request-func/;
+$external_labels{$key} = "$URL/" . q|node54.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/login-analyzer-module/;
+$external_labels{$key} = "$URL/" . q|node53.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/relay-log-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/connection-partial-close-event/;
+$external_labels{$key} = "$URL/" . q|node37.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/skip-remote-sensitive-URIs-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/fig:ssl-log/;
+$external_labels{$key} = "$URL/" . q|node57.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/debugger-overview/;
+$external_labels{$key} = "$URL/" . q|node69.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/RPC-do-not-complain-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/print-filter-analyzer-module/;
+$external_labels{$key} = "$URL/" . q|node35.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/debugger/;
+$external_labels{$key} = "$URL/" . q|node68.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/debugger-example/;
+$external_labels{$key} = "$URL/" . q|node70.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/get-resp-seq-func/;
+$external_labels{$key} = "$URL/" . q|node33.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/return-stmt/;
+$external_labels{$key} = "$URL/" . q|node27.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/num-distinct-ports-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/add-interface-func/;
+$external_labels{$key} = "$URL/" . q|node33.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/scan-analyzer-module/;
+$external_labels{$key} = "$URL/" . q|node40.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/module-hot-ids/;
+$external_labels{$key} = "$URL/" . q|node49.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/bad-TCP-checksum-weird/;
+$external_labels{$key} = "$URL/" . q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/partial-finger-request-weird/;
+$external_labels{$key} = "$URL/" . q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/temporal-types/;
+$external_labels{$key} = "$URL/" . q|node15.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/active-conn-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ignore-checksums-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/dns-mapping-addrs-field/;
+$external_labels{$key} = "$URL/" . q|node46.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/allow-service-pairs-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/udp-did-summary-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/neighbor-nets-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ack-above-hole-event/;
+$external_labels{$key} = "$URL/" . q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/determine-service-func/;
+$external_labels{$key} = "$URL/" . q|node37.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/did-sigconns-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/record-decl/;
+$external_labels{$key} = "$URL/" . q|node19.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/bad-RPC-program-weird/;
+$external_labels{$key} = "$URL/" . q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/relational-expr/;
+$external_labels{$key} = "$URL/" . q|node28.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/connection-finished-event/;
+$external_labels{$key} = "$URL/" . q|node37.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/max-count-func/;
+$external_labels{$key} = "$URL/" . q|node33.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/dns-analyzer-module/;
+$external_labels{$key} = "$URL/" . q|node46.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ftp-guest-ids-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/connection-type/;
+$external_labels{$key} = "$URL/" . q|node37.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/module-frag/;
+$external_labels{$key} = "$URL/" . q|node48.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/have-skip-remote-sensitive-URIs-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/SYN-after-partial-weird/;
+$external_labels{$key} = "$URL/" . q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/num-distinct-peers-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/backdoor-min-normal-line-ratio-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/log-stmt/;
+$external_labels{$key} = "$URL/" . q|node27.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/backdoor-stat-backoff-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ftp-log/;
+$external_labels{$key} = "$URL/" . q|node50.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/full-input-trouble-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/hot-telnet-orig-ports-var/;
+$external_labels{$key} = "$URL/" . q|node53.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ftp-hot-guest-files-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/check-relay-4-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/debugger-reference/;
+$external_labels{$key} = "$URL/" . q|node73.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/rlogin-conns-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/bad-ident-request-weird/;
+$external_labels{$key} = "$URL/" . q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/sigs-content/;
+$external_labels{$key} = "$URL/" . q|node66.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/to-lower-func/;
+$external_labels{$key} = "$URL/" . q|node33.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/finger-request-event/;
+$external_labels{$key} = "$URL/" . q|node47.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/partial-ident-request-weird/;
+$external_labels{$key} = "$URL/" . q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/RPC-okay-var/;
+$external_labels{$key} = "$URL/" . q|node54.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/mixing-numerics/;
+$external_labels{$key} = "$URL/" . q|node11.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/net-weird-event/;
+$external_labels{$key} = "$URL/" . q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/analyzers/;
+$external_labels{$key} = "$URL/" . q|node34.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/weird-do-not-ignore-repeats-var/;
+$external_labels{$key} = "$URL/" . q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/rule-file-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/interfaces-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/connection-established-event/;
+$external_labels{$key} = "$URL/" . q|node37.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/blank-in-HTTP-request-weird/;
+$external_labels{$key} = "$URL/" . q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/tcp-session-timer-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/cite_tls-56/;
+$external_labels{$key} = "$URL/" . q|node106.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/_-library/;
+$external_labels{$key} = "$URL/" . q|node6.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/open-for-append-func/;
+$external_labels{$key} = "$URL/" . q|node33.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/skip-scan-nets-24-var/;
+$external_labels{$key} = "$URL/" . q|node40.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/attrs/;
+$external_labels{$key} = "$URL/" . q|node30.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/code-red-log-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/partial-connection/;
+$external_labels{$key} = "$URL/" . q|node86.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/input-trouble-var/;
+$external_labels{$key} = "$URL/" . q|node53.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/backdoor-analyzer-module/;
+$external_labels{$key} = "$URL/" . q|node62.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/horiz-scan-thresholds-var/;
+$external_labels{$key} = "$URL/" . q|node56.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/logical-negation/;
+$external_labels{$key} = "$URL/" . q|node10.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/dns-interesting-changes-var/;
+$external_labels{$key} = "$URL/" . q|node46.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/constant-expr/;
+$external_labels{$key} = "$URL/" . q|node28.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/hot-terminal-types-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/red-log/;
+$external_labels{$key} = "$URL/" . q|node37.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/router-prompts-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/NFS-world-servers-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/sigs-snort2bro/;
+$external_labels{$key} = "$URL/" . q|node67.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/module-mt/;
+$external_labels{$key} = "$URL/" . q|node42.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/cite_RFC-NFS2/;
+$external_labels{$key} = "$URL/" . q|node106.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/cite_RFC-NFS3/;
+$external_labels{$key} = "$URL/" . q|node106.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/RPC-dump-okay-var/;
+$external_labels{$key} = "$URL/" . q|node54.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/bad-UDP-checksum-weird/;
+$external_labels{$key} = "$URL/" . q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/equality-expr/;
+$external_labels{$key} = "$URL/" . q|node28.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/net-constants/;
+$external_labels{$key} = "$URL/" . q|node18.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/SYN-seq-jump-weird/;
+$external_labels{$key} = "$URL/" . q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/partial-connection-ok-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/non-backdoor-prompts-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/weird-analyzer-module/;
+$external_labels{$key} = "$URL/" . q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/interconn-min-bytes-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/backdoor-log-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/rewrite-finger-trace-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/null-stmt/;
+$external_labels{$key} = "$URL/" . q|node27.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/restrict-filter-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/scan-dropping/;
+$external_labels{$key} = "$URL/" . q|node84.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/is-forbidden-id-func/;
+$external_labels{$key} = "$URL/" . q|node53.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/skip-further-processing-func/;
+$external_labels{$key} = "$URL/" . q|node33.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/max-request-length-var/;
+$external_labels{$key} = "$URL/" . q|node47.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/pm-bad-port-event/;
+$external_labels{$key} = "$URL/" . q|node54.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ssl-connection-info-id-field/;
+$external_labels{$key} = "$URL/" . q|node57.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/dns-mapping-name-changed-event/;
+$external_labels{$key} = "$URL/" . q|node46.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/net-type/;
+$external_labels{$key} = "$URL/" . q|node18.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/num-dns-sessions-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/arithmetic-expr/;
+$external_labels{$key} = "$URL/" . q|node28.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ssl-conn-alert-event/;
+$external_labels{$key} = "$URL/" . q|node57.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/field-test-op/;
+$external_labels{$key} = "$URL/" . q|node28.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/gtld-servers-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/sensitive-URIs-var/;
+$external_labels{$key} = "$URL/" . q|node51.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/pm-request-getport-event/;
+$external_labels{$key} = "$URL/" . q|node54.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/sigs-overview/;
+$external_labels{$key} = "$URL/" . q|node65.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/address-constants/;
+$external_labels{$key} = "$URL/" . q|node17.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/hot-ssh-orig-ports-var/;
+$external_labels{$key} = "$URL/" . q|node53.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/hot-conns-reported-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/packet-drops/;
+$external_labels{$key} = "$URL/" . q|node87.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/connection-half-finished-event/;
+$external_labels{$key} = "$URL/" . q|node37.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/http-log-file/;
+$external_labels{$key} = "$URL/" . q|node51.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/flag-successful-service-var/;
+$external_labels{$key} = "$URL/" . q|node39.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/flag-successful-inbound-service-var/;
+$external_labels{$key} = "$URL/" . q|node39.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/temporal-constants/;
+$external_labels{$key} = "$URL/" . q|node15.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/heartbeat-interval-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/distinct-answered-PTR-requests-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/restrict-filter/;
+$external_labels{$key} = "$URL/" . q|node35.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/last-stat-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/login-confused/;
+$external_labels{$key} = "$URL/" . q|node53.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/internally-truncated-header-weird/;
+$external_labels{$key} = "$URL/" . q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/interconn-stat-backoff-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/byte-len-func/;
+$external_labels{$key} = "$URL/" . q|node33.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/conn-stats-event/;
+$external_labels{$key} = "$URL/" . q|node55.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/cite_ssl-aes/;
+$external_labels{$key} = "$URL/" . q|node106.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/skip-scan-sources-var/;
+$external_labels{$key} = "$URL/" . q|node40.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/bad-ICMP-checksum-weird/;
+$external_labels{$key} = "$URL/" . q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/baroque-SYN-weird/;
+$external_labels{$key} = "$URL/" . q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/tcp-connection-linger-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ftp-request-event/;
+$external_labels{$key} = "$URL/" . q|node50.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/unsolicited-SYN-response-weird/;
+$external_labels{$key} = "$URL/" . q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/set-login-state-func/;
+$external_labels{$key} = "$URL/" . q|node33.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/rewriting-http-trace-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/pm-request-dump-event/;
+$external_labels{$key} = "$URL/" . q|node54.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/event-handlers/;
+$external_labels{$key} = "$URL/" . q|node24.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/authentication-accepted-event/;
+$external_labels{$key} = "$URL/" . q|node53.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/frag-analyzer-module/;
+$external_labels{$key} = "$URL/" . q|node48.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/http-log/;
+$external_labels{$key} = "$URL/" . q|node51.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/edited-input-trouble-var/;
+$external_labels{$key} = "$URL/" . q|node53.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/inappropriate-FIN-weird/;
+$external_labels{$key} = "$URL/" . q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/string-constants/;
+$external_labels{$key} = "$URL/" . q|node13.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/sub-bytes-func/;
+$external_labels{$key} = "$URL/" . q|node33.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/non-ASCII-hosts-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ssl-connection-info-handshake-cipher-field/;
+$external_labels{$key} = "$URL/" . q|node57.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/tbl:portmapper/;
+$external_labels{$key} = "$URL/" . q|node54.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/report-accounts-tried-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/hot-login-ids-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/root-servers-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/udp-req-count-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/patterns/;
+$external_labels{$key} = "$URL/" . q|node14.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/distinct-ports-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/FIN-storm-weird/;
+$external_labels{$key} = "$URL/" . q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/analyzer-icmp/;
+$external_labels{$key} = "$URL/" . q|node59.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/NFS-world-servers-var/;
+$external_labels{$key} = "$URL/" . q|node54.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/table-del/;
+$external_labels{$key} = "$URL/" . q|node20.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/reading-live-traffic-func/;
+$external_labels{$key} = "$URL/" . q|node33.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/set-contents-file-func/;
+$external_labels{$key} = "$URL/" . q|node33.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/check-relay-3-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/id-string-func/;
+$external_labels{$key} = "$URL/" . q|node37.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/fig:net-stats/;
+$external_labels{$key} = "$URL/" . q|node36.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/weird-action-var/;
+$external_labels{$key} = "$URL/" . q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/clean-func/;
+$external_labels{$key} = "$URL/" . q|node33.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/conn-weird-event/;
+$external_labels{$key} = "$URL/" . q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/neighbor-marker/;
+$external_labels{$key} = "$URL/" . q|node37.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/T-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/possible-port-scan-thresh-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/backdoor-prompts-var/;
+$external_labels{$key} = "$URL/" . q|node53.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/cite_rfc-pop3/;
+$external_labels{$key} = "$URL/" . q|node106.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/login-sessions-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/module-port-name/;
+$external_labels{$key} = "$URL/" . q|node41.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/write-expire-attr/;
+$external_labels{$key} = "$URL/" . q|node20.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/always-hot-ids-var/;
+$external_labels{$key} = "$URL/" . q|node49.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/hot-dst-24nets-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/login-prompts-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/dns-mapping-altered-event/;
+$external_labels{$key} = "$URL/" . q|node46.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/RPC-rexmit-inconsistency-weird/;
+$external_labels{$key} = "$URL/" . q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/timer-management/;
+$external_labels{$key} = "$URL/" . q|node81.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/var-init/;
+$external_labels{$key} = "$URL/" . q|node30.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/event-stmt/;
+$external_labels{$key} = "$URL/" . q|node27.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/dns-cache/;
+$external_labels{$key} = "$URL/" . q|node46.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/distinct-rejected-PTR-requests-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/active-conn-var/;
+$external_labels{$key} = "$URL/" . q|node44.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/kazaa-sig-disabled-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/distinct-peers-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/anonymous_function-expr/;
+$external_labels{$key} = "$URL/" . q|node28.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/analyzer-filters/;
+$external_labels{$key} = "$URL/" . q|node35.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/possible-port-scan-thresh-var/;
+$external_labels{$key} = "$URL/" . q|node40.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/demux-analyzer-module/;
+$external_labels{$key} = "$URL/" . q|node45.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/module-log/;
+$external_labels{$key} = "$URL/" . q|node43.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/truncated-header-weird/;
+$external_labels{$key} = "$URL/" . q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/code-red-list2-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/conn-id/;
+$external_labels{$key} = "$URL/" . q|node19.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/interconn-min-normal-line-ratio-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/capture-filter-var/;
+$external_labels{$key} = "$URL/" . q|node35.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/module-ssh-stepping/;
+$external_labels{$key} = "$URL/" . q|node61.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ssl-conn-established-event/;
+$external_labels{$key} = "$URL/" . q|node57.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/check-spoof-func/;
+$external_labels{$key} = "$URL/" . q|node39.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/active-file-func/;
+$external_labels{$key} = "$URL/" . q|node33.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/hot-ids-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/record_constructor-expr/;
+$external_labels{$key} = "$URL/" . q|node28.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ssl-conn-attempt-event/;
+$external_labels{$key} = "$URL/" . q|node57.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/module-active/;
+$external_labels{$key} = "$URL/" . q|node44.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/possible-scan-sources-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/interconn-max-interarrival-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ssl-verify-certificates-var/;
+$external_labels{$key} = "$URL/" . q|node57.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/router-prompts-var/;
+$external_labels{$key} = "$URL/" . q|node53.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/addl-web-var/;
+$external_labels{$key} = "$URL/" . q|node40.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/account-tried-event/;
+$external_labels{$key} = "$URL/" . q|node40.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/portmapper-analyzer-module/;
+$external_labels{$key} = "$URL/" . q|node54.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/hot-ids-var/;
+$external_labels{$key} = "$URL/" . q|node49.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/port-names-var/;
+$external_labels{$key} = "$URL/" . q|node41.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/bro-log-file-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/report-weird-orig-func/;
+$external_labels{$key} = "$URL/" . q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/stp-demux-disabled-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/fmt-func/;
+$external_labels{$key} = "$URL/" . q|node33.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/dns-sessions-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/predefineds-string/;
+$external_labels{$key} = "$URL/" . q|node33.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/interconn-min-gamma-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/login-failure-msgs-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/skip-clear-ssh-reports-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/SYN-with-data-weird/;
+$external_labels{$key} = "$URL/" . q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/same-local-net-is-spoof-var/;
+$external_labels{$key} = "$URL/" . q|node39.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/check-scan-func/;
+$external_labels{$key} = "$URL/" . q|node40.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/login-failure-event/;
+$external_labels{$key} = "$URL/" . q|node53.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/inconsistent-option-event/;
+$external_labels{$key} = "$URL/" . q|node53.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/fragment-inconsistency-weird/;
+$external_labels{$key} = "$URL/" . q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/rlogin-sig-disabled-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/data-before-established-weird/;
+$external_labels{$key} = "$URL/" . q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/inserting-tables-into-tables/;
+$external_labels{$key} = "$URL/" . q|node90.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/interconn-stat-period-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/variable-expr/;
+$external_labels{$key} = "$URL/" . q|node28.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/fig:http-log-eg/;
+$external_labels{$key} = "$URL/" . q|node51.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/dns-mapping-unverified-event/;
+$external_labels{$key} = "$URL/" . q|node46.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/detected-stones-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/cite_RFC1122/;
+$external_labels{$key} = "$URL/" . q|node106.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/if-stmt/;
+$external_labels{$key} = "$URL/" . q|node27.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/tag-to-conn-map-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/refinement/;
+$external_labels{$key} = "$URL/" . q|node79.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/gnutella-sig-disabled-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/napster-sig-disabled-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/tcp-analyzer-module/;
+$external_labels{$key} = "$URL/" . q|node37.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ssl-compare-cipherspecs-var/;
+$external_labels{$key} = "$URL/" . q|node57.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/functions/;
+$external_labels{$key} = "$URL/" . q|node23.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/conn-functions/;
+$external_labels{$key} = "$URL/" . q|node37.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/cite_tlsv1/;
+$external_labels{$key} = "$URL/" . q|node106.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/backdoor-demux-skip-tags-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/cite_rfc-ident/;
+$external_labels{$key} = "$URL/" . q|node106.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/connection-rejected-event/;
+$external_labels{$key} = "$URL/" . q|node37.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/bad-rlogin-prolog-weird/;
+$external_labels{$key} = "$URL/" . q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/discarder-check-ip-func/;
+$external_labels{$key} = "$URL/" . q|node33.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/pm-attempt-null-event/;
+$external_labels{$key} = "$URL/" . q|node54.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ssl-store-certificates-var/;
+$external_labels{$key} = "$URL/" . q|node57.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/cite_pcap/;
+$external_labels{$key} = "$URL/" . q|node106.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ftp-log-file/;
+$external_labels{$key} = "$URL/" . q|node50.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/non-backdoor-prompts-var/;
+$external_labels{$key} = "$URL/" . q|node53.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/backdoor-ignore-src-addrs-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ssl-store-cert-path-var/;
+$external_labels{$key} = "$URL/" . q|node57.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/repeated-SYN-with-ack-weird/;
+$external_labels{$key} = "$URL/" . q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/tbl:conn-file-states/;
+$external_labels{$key} = "$URL/" . q|node37.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/mt-analyzer-module/;
+$external_labels{$key} = "$URL/" . q|node42.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/dns-mapping-valid-field/;
+$external_labels{$key} = "$URL/" . q|node46.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/login-confused-text-event/;
+$external_labels{$key} = "$URL/" . q|node53.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/variables/;
+$external_labels{$key} = "$URL/" . q|node29.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/net-done-event/;
+$external_labels{$key} = "$URL/" . q|node36.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/type-conversion/;
+$external_labels{$key} = "$URL/" . q|node9.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/login-non-failure-msgs-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/check-hot-func/;
+$external_labels{$key} = "$URL/" . q|node39.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/dns-mapping-new-name-event/;
+$external_labels{$key} = "$URL/" . q|node46.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ftp-sig-disabled-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/dns-mapping-lost-name-event/;
+$external_labels{$key} = "$URL/" . q|node46.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/tcp-match-undelivered-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/num-backscatter-peers-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/software-table-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/cf-utility/;
+$external_labels{$key} = "$URL/" . q|node7.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/simultaneous-open-weird/;
+$external_labels{$key} = "$URL/" . q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/discarder-check-tcp-func/;
+$external_labels{$key} = "$URL/" . q|node33.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/demuxed-conn-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/skip-accounts-tried-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/excessive-line-event/;
+$external_labels{$key} = "$URL/" . q|node53.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/interconn-min-interarrival-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/smtp-sensitive-cmds-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/backdoor-min-7bit-ascii-ratio-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/udp-rep-count-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/flush-all-func/;
+$external_labels{$key} = "$URL/" . q|node33.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/fig:log-hook/;
+$external_labels{$key} = "$URL/" . q|node43.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/tcp-storm-thresh-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/split-routing/;
+$external_labels{$key} = "$URL/" . q|node83.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/flag-successful-inbound-service-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/analyzer-stepping/;
+$external_labels{$key} = "$URL/" . q|node60.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/table-attr/;
+$external_labels{$key} = "$URL/" . q|node20.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/interconn-ssh-len-disabled-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/analyzer-activation/;
+$external_labels{$key} = "$URL/" . q|node35.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/expression-stmt/;
+$external_labels{$key} = "$URL/" . q|node27.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/SYN-after-close-weird/;
+$external_labels{$key} = "$URL/" . q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/code-red-list1-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/local-24-nets-var/;
+$external_labels{$key} = "$URL/" . q|node38.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/edit-func/;
+$external_labels{$key} = "$URL/" . q|node33.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/in-operator/;
+$external_labels{$key} = "$URL/" . q|node28.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/smtp-relay-table-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/pm-request-callit-event/;
+$external_labels{$key} = "$URL/" . q|node54.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/output-trouble-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/contains-string-func/;
+$external_labels{$key} = "$URL/" . q|node33.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/multiple-RPCs-weird/;
+$external_labels{$key} = "$URL/" . q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/membership-expr/;
+$external_labels{$key} = "$URL/" . q|node28.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/http-abstract-max-length-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/suppress-scan-checks-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/fragment-protocol-inconsistency-weird/;
+$external_labels{$key} = "$URL/" . q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/todo/;
+$external_labels{$key} = "$URL/" . q|node74.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/allow-services-to-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/non-ASCII-hosts-var/;
+$external_labels{$key} = "$URL/" . q|node53.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ssh-len-conns-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/done-with-network-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ftp-session-info-num-requests-field/;
+$external_labels{$key} = "$URL/" . q|node50.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/arith-operators/;
+$external_labels{$key} = "$URL/" . q|node11.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/num-scan-triples-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/last-stat-time-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/NFS-services-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/record-connection-func/;
+$external_labels{$key} = "$URL/" . q|node37.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/backdoor-prompts-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/trace-log/;
+$external_labels{$key} = "$URL/" . q|node76.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/has-signature-matched-func/;
+$external_labels{$key} = "$URL/" . q|node56.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/service-name-func/;
+$external_labels{$key} = "$URL/" . q|node37.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/skip-scan-nets-24-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/var-scope/;
+$external_labels{$key} = "$URL/" . q|node30.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/fig:ftp-log-eg/;
+$external_labels{$key} = "$URL/" . q|node50.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/distinct-PTR-requests-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/http-log-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/signature-analyzer-module/;
+$external_labels{$key} = "$URL/" . q|node56.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/okay-to-lookup-sensitive-hosts-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/weird-log-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/sensitive-lookup-hosts-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/getting-started/;
+$external_labels{$key} = "$URL/" . q|node5.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/weird-action-filters-var/;
+$external_labels{$key} = "$URL/" . q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/statements/;
+$external_labels{$key} = "$URL/" . q|node26.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/record-constructors/;
+$external_labels{$key} = "$URL/" . q|node28.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/BRO-ID-env/;
+$external_labels{$key} = "$URL/" . q|node43.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/always-hot-ids-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/weird-do-not-ignore-repeats-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/icmp-flows-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/max-interval-func/;
+$external_labels{$key} = "$URL/" . q|node33.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/conn-events/;
+$external_labels{$key} = "$URL/" . q|node37.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/http-analyzer-module/;
+$external_labels{$key} = "$URL/" . q|node51.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/check-info-expanded-line-field/;
+$external_labels{$key} = "$URL/" . q|node53.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/analyzer-analy/;
+$external_labels{$key} = "$URL/" . q|node55.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/have-stats-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/var-mod/;
+$external_labels{$key} = "$URL/" . q|node30.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/suppress-pm-log-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/last-type/;
+$external_labels{$key} = "$URL/" . q|node25.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/weird-log/;
+$external_labels{$key} = "$URL/" . q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/hf-utility/;
+$external_labels{$key} = "$URL/" . q|node7.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/is-hot-id-func/;
+$external_labels{$key} = "$URL/" . q|node53.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/dns-log-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/edit-and-check-line-func/;
+$external_labels{$key} = "$URL/" . q|node53.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/data-after-reset-weird/;
+$external_labels{$key} = "$URL/" . q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/spontaneous-RST-weird/;
+$external_labels{$key} = "$URL/" . q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/sensitive-post-URIs-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/worm-log-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/policy-script-events/;
+$external_labels{$key} = "$URL/" . q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/connection-service-field/;
+$external_labels{$key} = "$URL/" . q|node37.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/RPC-okay-services-var/;
+$external_labels{$key} = "$URL/" . q|node54.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/interconn-min-alpha-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/repeated-SYN-reply-wo-ack-weird/;
+$external_labels{$key} = "$URL/" . q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/hot-dsts-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/skip-scan-sources-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/sigs-context/;
+$external_labels{$key} = "$URL/" . q|node66.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/hot-src-24nets-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/pm-request-unset-event/;
+$external_labels{$key} = "$URL/" . q|node54.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/software-ident-by-major-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/bro-log-file-var/;
+$external_labels{$key} = "$URL/" . q|node43.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/udp-reply-event/;
+$external_labels{$key} = "$URL/" . q|node37.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/x509-trusted-cert-path-var/;
+$external_labels{$key} = "$URL/" . q|node57.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/never-shut-down-var/;
+$external_labels{$key} = "$URL/" . q|node40.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ident-request-event/;
+$external_labels{$key} = "$URL/" . q|node52.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/BROPATH-env/;
+$external_labels{$key} = "$URL/" . q|node6.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/full-id-string-func/;
+$external_labels{$key} = "$URL/" . q|node37.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/neighbor-16-nets-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/port-name-analyzer-module/;
+$external_labels{$key} = "$URL/" . q|node41.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/module-dns/;
+$external_labels{$key} = "$URL/" . q|node46.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/hot-dsts-var/;
+$external_labels{$key} = "$URL/" . q|node39.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/bad-pm-port-weird/;
+$external_labels{$key} = "$URL/" . q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/shut-down-all-scans-var/;
+$external_labels{$key} = "$URL/" . q|node40.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/sigs-language/;
+$external_labels{$key} = "$URL/" . q|node66.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/bibliography/;
+$external_labels{$key} = "$URL/" . q|node105.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/neighbor-addresses/;
+$external_labels{$key} = "$URL/" . q|node38.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/NFS-services-var/;
+$external_labels{$key} = "$URL/" . q|node54.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/local-mail-addr-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/udp-analyzer-module/;
+$external_labels{$key} = "$URL/" . q|node37.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/http-proxy-sig-disabled-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/bad-HTTP-reply-weird/;
+$external_labels{$key} = "$URL/" . q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/debugger-notes/;
+$external_labels{$key} = "$URL/" . q|node72.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/have-FTP-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/first-type/;
+$external_labels{$key} = "$URL/" . q|node10.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/delete-func-attr/;
+$external_labels{$key} = "$URL/" . q|node30.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/did-ssh-version-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/interconn-min-num-lines-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/worm-list-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/local-16-nets-var/;
+$external_labels{$key} = "$URL/" . q|node38.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/tcp-storm-interarrival-thresh-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/shallow-copy/;
+$external_labels{$key} = "$URL/" . q|node19.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/skip-logins-to-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/site-info/;
+$external_labels{$key} = "$URL/" . q|node38.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/any-RPC-okay-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/parse-ftp-port-func/;
+$external_labels{$key} = "$URL/" . q|node33.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/positivation-expr/;
+$external_labels{$key} = "$URL/" . q|node28.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/cite_rfc-ftp/;
+$external_labels{$key} = "$URL/" . q|node106.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/mime-log-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/stp-scale-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/report-weird-func/;
+$external_labels{$key} = "$URL/" . q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/hostnames-vs-addresses/;
+$external_labels{$key} = "$URL/" . q|node93.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/pattern-matching-ops/;
+$external_labels{$key} = "$URL/" . q|node14.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/SYN-inside-connection-weird/;
+$external_labels{$key} = "$URL/" . q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/anonymize-ip-addr-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/conn-weird-addl-event/;
+$external_labels{$key} = "$URL/" . q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/forbidden-ids-if-no-password-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/pm-check-getport-func/;
+$external_labels{$key} = "$URL/" . q|node54.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/TCP-christmas-weird/;
+$external_labels{$key} = "$URL/" . q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/tcp-attempt-delayv-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/analyzer-ident/;
+$external_labels{$key} = "$URL/" . q|node52.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/conn-analyzer-module/;
+$external_labels{$key} = "$URL/" . q|node37.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/bad-option-event/;
+$external_labels{$key} = "$URL/" . q|node53.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/cite_rfc-rpc/;
+$external_labels{$key} = "$URL/" . q|node106.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/scan-triples-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/analy-conn/;
+$external_labels{$key} = "$URL/" . q|node37.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/demux-conn-func/;
+$external_labels{$key} = "$URL/" . q|node45.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/udp-conn/;
+$external_labels{$key} = "$URL/" . q|node37.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/non-analyzed-lifetime-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/always-hot-login-ids-var/;
+$external_labels{$key} = "$URL/" . q|node53.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/cite_bro-usenix-98/;
+$external_labels{$key} = "$URL/" . q|node106.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/suppress-pm-log-var/;
+$external_labels{$key} = "$URL/" . q|node54.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ssh-sig-disabled-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/intro/;
+$external_labels{$key} = "$URL/" . q|node4.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/pm-request-set-event/;
+$external_labels{$key} = "$URL/" . q|node54.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/tbl:login-confusion/;
+$external_labels{$key} = "$URL/" . q|node53.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/display-pairs-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/cite_sslv30/;
+$external_labels{$key} = "$URL/" . q|node106.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ssh-min-ssh-pkts-ratio-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/SYN-after-reset-weird/;
+$external_labels{$key} = "$URL/" . q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/skip-unexpected-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/cite_bro-comp-networks-99/;
+$external_labels{$key} = "$URL/" . q|node106.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ftp-session-info-log-if-not-unavail-field/;
+$external_labels{$key} = "$URL/" . q|node50.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ftp-session-info-request-field/;
+$external_labels{$key} = "$URL/" . q|node50.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/open-log-file-func/;
+$external_labels{$key} = "$URL/" . q|node33.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/fragment-with-DF-weird/;
+$external_labels{$key} = "$URL/" . q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/report-peer-scan-var/;
+$external_labels{$key} = "$URL/" . q|node40.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/bro-done-event/;
+$external_labels{$key} = "$URL/" . q|node36.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/backdoor-min-num-lines-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/connection-originator-SYN-ack-weird/;
+$external_labels{$key} = "$URL/" . q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/login-success-event/;
+$external_labels{$key} = "$URL/" . q|node53.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/login-terminal-event/;
+$external_labels{$key} = "$URL/" . q|node53.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/tables/;
+$external_labels{$key} = "$URL/" . q|node20.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ftp-session-info-id-field/;
+$external_labels{$key} = "$URL/" . q|node50.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/allow-services-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/signatures/;
+$external_labels{$key} = "$URL/" . q|node64.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/telnet-sig-3byte-conns-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/default-attr/;
+$external_labels{$key} = "$URL/" . q|node20.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/always-hot-ids/;
+$external_labels{$key} = "$URL/" . q|node49.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/is-tcp-port-func/;
+$external_labels{$key} = "$URL/" . q|node33.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/process-HTTP-replies-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/sigs-conditions/;
+$external_labels{$key} = "$URL/" . q|node66.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/analyzer-load/;
+$external_labels{$key} = "$URL/" . q|node35.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/bad-RPC-weird/;
+$external_labels{$key} = "$URL/" . q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ftp-excessive-filename-trunc-len-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/log-hot-conn-func/;
+$external_labels{$key} = "$URL/" . q|node37.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ftp-guest-ids-var/;
+$external_labels{$key} = "$URL/" . q|node50.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/analyzer-backdoor/;
+$external_labels{$key} = "$URL/" . q|node62.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ftp-hot-files-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/root-backdoor-sig-disabled-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/flow-weird-event/;
+$external_labels{$key} = "$URL/" . q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/max-double-func/;
+$external_labels{$key} = "$URL/" . q|node33.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/alert-file-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/allow-16-net-pairs-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/terminate-connection-func/;
+$external_labels{$key} = "$URL/" . q|node37.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/capture-filter/;
+$external_labels{$key} = "$URL/" . q|node35.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/hot-dst-24nets-var/;
+$external_labels{$key} = "$URL/" . q|node39.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/skip-unexpected-net-var/;
+$external_labels{$key} = "$URL/" . q|node50.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/NULs-run-time/;
+$external_labels{$key} = "$URL/" . q|node33.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/reference/;
+$external_labels{$key} = "$URL/" . q|node73.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/RPC-server-map-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/interconn-min-ssh-pkts-ratio-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ftp-skip-hot-var/;
+$external_labels{$key} = "$URL/" . q|node50.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/is-login-conn-func/;
+$external_labels{$key} = "$URL/" . q|node53.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/local-24-nets-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/analyzer-ftp/;
+$external_labels{$key} = "$URL/" . q|node50.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/tbl:sigs-modactions/;
+$external_labels{$key} = "$URL/" . q|node56.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/forbidden-id-patterns-var/;
+$external_labels{$key} = "$URL/" . q|node49.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/backdoor-min-bytes-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ssl-store-key-material-var/;
+$external_labels{$key} = "$URL/" . q|node57.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/break-stmt/;
+$external_labels{$key} = "$URL/" . q|node27.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/parenthesized-expr/;
+$external_labels{$key} = "$URL/" . q|node28.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/alert-action-filters-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ssl-conn-server-reply-event/;
+$external_labels{$key} = "$URL/" . q|node57.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/global-stmts/;
+$external_labels{$key} = "$URL/" . q|node89.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/conn-id-orig-h-field/;
+$external_labels{$key} = "$URL/" . q|node37.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/network-time-func/;
+$external_labels{$key} = "$URL/" . q|node33.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/dns-session-timeout-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/mkdir-func/;
+$external_labels{$key} = "$URL/" . q|node33.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/analyzer-login/;
+$external_labels{$key} = "$URL/" . q|node53.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/bad-option-termination-event/;
+$external_labels{$key} = "$URL/" . q|node53.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/decrement-expr/;
+$external_labels{$key} = "$URL/" . q|node28.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/weird-ignore-host-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ssl-connection-info-connection-id-field/;
+$external_labels{$key} = "$URL/" . q|node57.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ssl-max-cipherspec-size-var/;
+$external_labels{$key} = "$URL/" . q|node57.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/min-interval-func/;
+$external_labels{$key} = "$URL/" . q|node33.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/set-type/;
+$external_labels{$key} = "$URL/" . q|node21.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/cite_ssl-fips/;
+$external_labels{$key} = "$URL/" . q|node106.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/preserved-net-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/backdoor-demux-disabled-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/dns-mapping-valid-event/;
+$external_labels{$key} = "$URL/" . q|node46.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/sensitive-post-URIs-var/;
+$external_labels{$key} = "$URL/" . q|node51.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/login-prompts-var/;
+$external_labels{$key} = "$URL/" . q|node53.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/read-expire-attr/;
+$external_labels{$key} = "$URL/" . q|node20.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/skip-unexpected-var/;
+$external_labels{$key} = "$URL/" . q|node50.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/interconn-min-num-pkts-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/differences/;
+$external_labels{$key} = "$URL/" . q|node100.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/cite_rfc-telnet/;
+$external_labels{$key} = "$URL/" . q|node106.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/analyzer-hot/;
+$external_labels{$key} = "$URL/" . q|node39.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/smtp-sessions-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/rlogin-sig-1byte-disabled-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/log-analyzer-module/;
+$external_labels{$key} = "$URL/" . q|node43.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/port-constants/;
+$external_labels{$key} = "$URL/" . q|node16.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/output-trouble-var/;
+$external_labels{$key} = "$URL/" . q|node53.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/RPC-okay-nets-var/;
+$external_labels{$key} = "$URL/" . q|node54.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/keystroke-editing/;
+$external_labels{$key} = "$URL/" . q|node53.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/hot-names-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/neighbor-nets-var/;
+$external_labels{$key} = "$URL/" . q|node38.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/rpc-programs-var/;
+$external_labels{$key} = "$URL/" . q|node54.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/rpc-prog-func/;
+$external_labels{$key} = "$URL/" . q|node54.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/local-16-nets-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/max-timer-expires-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/http-sessions-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/tbl:endpoint-stats/;
+$external_labels{$key} = "$URL/" . q|node55.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/pattern-constants/;
+$external_labels{$key} = "$URL/" . q|node14.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/allow-16-net-pairs-var/;
+$external_labels{$key} = "$URL/" . q|node39.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/login-output-line-event/;
+$external_labels{$key} = "$URL/" . q|node53.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/vert-scan-thresholds-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/port-ops/;
+$external_labels{$key} = "$URL/" . q|node16.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/hot-analyzer-module/;
+$external_labels{$key} = "$URL/" . q|node39.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/numeric-constants/;
+$external_labels{$key} = "$URL/" . q|node11.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/endpoint-size-field/;
+$external_labels{$key} = "$URL/" . q|node37.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/active-analyzer-module/;
+$external_labels{$key} = "$URL/" . q|node44.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/excessively-large-fragment-weird/;
+$external_labels{$key} = "$URL/" . q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/local-nets-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/assignment-expr/;
+$external_labels{$key} = "$URL/" . q|node28.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/pm-attempt-unset-event/;
+$external_labels{$key} = "$URL/" . q|node54.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/bad-IP-checksum-weird/;
+$external_labels{$key} = "$URL/" . q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/smtp-hot-cmds-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/multiple-HTTP-request-elements-weird/;
+$external_labels{$key} = "$URL/" . q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/worm-URIs-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/telnet-sig-conns-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ftp-log-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/dns-mapping-creation-time-field/;
+$external_labels{$key} = "$URL/" . q|node46.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/icmp-analyzer-module/;
+$external_labels{$key} = "$URL/" . q|node59.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/negation-expr/;
+$external_labels{$key} = "$URL/" . q|node28.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/FIN-after-reset-weird/;
+$external_labels{$key} = "$URL/" . q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/report-backscatter-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/var-type/;
+$external_labels{$key} = "$URL/" . q|node30.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/backdoor-annotate-standard-ports-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/cite_ptacek98/;
+$external_labels{$key} = "$URL/" . q|node106.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/system-func/;
+$external_labels{$key} = "$URL/" . q|node33.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/length-func/;
+$external_labels{$key} = "$URL/" . q|node33.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/inactivity-timeout-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/fig:ftp-session-info/;
+$external_labels{$key} = "$URL/" . q|node50.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/demux/;
+$external_labels{$key} = "$URL/" . q|node91.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/weird-action-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/icmp-conn/;
+$external_labels{$key} = "$URL/" . q|node59.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/include-HTTP-abstract-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/cite_bpf/;
+$external_labels{$key} = "$URL/" . q|node106.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/bro-proc-events/;
+$external_labels{$key} = "$URL/" . q|node36.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/sig-actions-var/;
+$external_labels{$key} = "$URL/" . q|node56.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/hot-ident-ids-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/get-orig-seq-func/;
+$external_labels{$key} = "$URL/" . q|node33.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/telnet-sig-3byte-disabled-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/RPC-okay-services-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/module-demux/;
+$external_labels{$key} = "$URL/" . q|node45.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/horiz-scan-thresholds-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/flag-rejected-service-var/;
+$external_labels{$key} = "$URL/" . q|node39.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ftp-hot-guest-files-var/;
+$external_labels{$key} = "$URL/" . q|node50.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/address-ops/;
+$external_labels{$key} = "$URL/" . q|node17.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ident-analyzer-module/;
+$external_labels{$key} = "$URL/" . q|node52.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ident-reply-event/;
+$external_labels{$key} = "$URL/" . q|node52.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/num-accounts-tried-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/var-attr/;
+$external_labels{$key} = "$URL/" . q|node30.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/flag-successful-service-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/report-weird-conn-func/;
+$external_labels{$key} = "$URL/" . q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/cite_sslv2/;
+$external_labels{$key} = "$URL/" . q|node106.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/tftp-alert-count-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/pm-activity-func/;
+$external_labels{$key} = "$URL/" . q|node54.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/bad-TCP-header-len-weird/;
+$external_labels{$key} = "$URL/" . q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/skip-services-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/redef/;
+$external_labels{$key} = "$URL/" . q|node79.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/smtp-log-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/port-type/;
+$external_labels{$key} = "$URL/" . q|node16.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/pattern_matching-expr/;
+$external_labels{$key} = "$URL/" . q|node28.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/forbidden-ids-if-no-password-var/;
+$external_labels{$key} = "$URL/" . q|node49.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/redef-attr/;
+$external_labels{$key} = "$URL/" . q|node30.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/edit-and-check-user-func/;
+$external_labels{$key} = "$URL/" . q|node53.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/cat-func/;
+$external_labels{$key} = "$URL/" . q|node33.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/local-nets-var/;
+$external_labels{$key} = "$URL/" . q|node38.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/log-file-name-func/;
+$external_labels{$key} = "$URL/" . q|node33.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/tcp-reset-delay-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/partial-connection-event/;
+$external_labels{$key} = "$URL/" . q|node37.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/debugger-usage/;
+$external_labels{$key} = "$URL/" . q|node71.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/create-expire-attr/;
+$external_labels{$key} = "$URL/" . q|node20.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/add-stmt/;
+$external_labels{$key} = "$URL/" . q|node27.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ssl-certificate-event/;
+$external_labels{$key} = "$URL/" . q|node57.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/conn-id-resp-h-field/;
+$external_labels{$key} = "$URL/" . q|node37.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/rule-actions-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/records/;
+$external_labels{$key} = "$URL/" . q|node19.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/hot-report-script/;
+$external_labels{$key} = "$URL/" . q|node94.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/stp-common-host-thresh-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/hot-ident-exceptions-var/;
+$external_labels{$key} = "$URL/" . q|node52.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/partial-ftp-request-weird/;
+$external_labels{$key} = "$URL/" . q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/excessive-ntp-request-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/skip-accounts-tried-var/;
+$external_labels{$key} = "$URL/" . q|node40.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/can-drop-connectivity-var/;
+$external_labels{$key} = "$URL/" . q|node40.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/connection-addl-field/;
+$external_labels{$key} = "$URL/" . q|node37.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/index-expr/;
+$external_labels{$key} = "$URL/" . q|node28.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/getenv-func/;
+$external_labels{$key} = "$URL/" . q|node33.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/dns-mapping-req-host-field/;
+$external_labels{$key} = "$URL/" . q|node46.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/activating-encryption-event/;
+$external_labels{$key} = "$URL/" . q|node53.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/pm-attempt-dump-event/;
+$external_labels{$key} = "$URL/" . q|node54.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/truncated-IP-weird/;
+$external_labels{$key} = "$URL/" . q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/add-func-attr/;
+$external_labels{$key} = "$URL/" . q|node30.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/BRO-PREFIXES-env/;
+$external_labels{$key} = "$URL/" . q|node6.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/cite_rfc-xdr/;
+$external_labels{$key} = "$URL/" . q|node106.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/hot-srcs-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ftp-session-info-user-field/;
+$external_labels{$key} = "$URL/" . q|node50.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/cite_rfc-ssh/;
+$external_labels{$key} = "$URL/" . q|node106.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/shut-down-thresh-var/;
+$external_labels{$key} = "$URL/" . q|node40.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/unpaired-RPC-response-weird/;
+$external_labels{$key} = "$URL/" . q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/active-connection-func/;
+$external_labels{$key} = "$URL/" . q|node33.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/rewrite-ident-trace-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/hot-src-24nets-var/;
+$external_labels{$key} = "$URL/" . q|node39.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/demux-dir-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/tbl:conn-record-states/;
+$external_labels{$key} = "$URL/" . q|node37.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/port-names-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/backdoor-ignore-dst-addrs-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/hot-ident-exceptions-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/conditional-expr/;
+$external_labels{$key} = "$URL/" . q|node28.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/backdoor-stat-period-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/delete-stmt/;
+$external_labels{$key} = "$URL/" . q|node27.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/HTTP-version-mismatch-weird/;
+$external_labels{$key} = "$URL/" . q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/get-login-state-func/;
+$external_labels{$key} = "$URL/" . q|node33.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/vert-scan-thresholds-var/;
+$external_labels{$key} = "$URL/" . q|node56.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/tbl:contents-dir/;
+$external_labels{$key} = "$URL/" . q|node33.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/preserved-subnet-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/cite_x509/;
+$external_labels{$key} = "$URL/" . q|node106.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/precedence/;
+$external_labels{$key} = "$URL/" . q|node85.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/close-func/;
+$external_labels{$key} = "$URL/" . q|node33.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ssl-connection-info-server-cert-field/;
+$external_labels{$key} = "$URL/" . q|node57.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/allow-services-var/;
+$external_labels{$key} = "$URL/" . q|node39.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/backscatter-ports-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/tbl:portmapper-status/;
+$external_labels{$key} = "$URL/" . q|node54.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/fig:conn-record/;
+$external_labels{$key} = "$URL/" . q|node37.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/bro-signal-event/;
+$external_labels{$key} = "$URL/" . q|node36.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/omit-rewrite-place-holder-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/report-remote-accounts-tried-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/max-finger-request-len-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/interconn-demux-disabled-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/RST-with-data-weird/;
+$external_labels{$key} = "$URL/" . q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ssh-log-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ftp-reply-event/;
+$external_labels{$key} = "$URL/" . q|node50.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/finger-analyzer-module/;
+$external_labels{$key} = "$URL/" . q|node47.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/parse-ftp-pasv-func/;
+$external_labels{$key} = "$URL/" . q|node33.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/public-ident-user-ids-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/analyzer-scan/;
+$external_labels{$key} = "$URL/" . q|node40.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/fig:x509/;
+$external_labels{$key} = "$URL/" . q|node57.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/hostnames/;
+$external_labels{$key} = "$URL/" . q|node17.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/const-stmt/;
+$external_labels{$key} = "$URL/" . q|node27.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/hot-login-ids-var/;
+$external_labels{$key} = "$URL/" . q|node53.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/distinct-backscatter-peers-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/temporal-ops/;
+$external_labels{$key} = "$URL/" . q|node15.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/table-access/;
+$external_labels{$key} = "$URL/" . q|node20.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/dns-mapping-req-addr-field/;
+$external_labels{$key} = "$URL/" . q|node46.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/scope_of_local_variables/;
+$external_labels{$key} = "$URL/" . q|node27.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/account-tried/;
+$external_labels{$key} = "$URL/" . q|node40.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/RPC-okay-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/allow-pairs-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/report-rejected-PTR-factor-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/bad-HTTP-version-weird/;
+$external_labels{$key} = "$URL/" . q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/interconn-min-duration-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/compound-stmt/;
+$external_labels{$key} = "$URL/" . q|node27.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/conn-state-func/;
+$external_labels{$key} = "$URL/" . q|node37.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/rlogin-id-okay-if-no-password-exposed-var/;
+$external_labels{$key} = "$URL/" . q|node53.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ftp-skip-hot-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/tbl:weird-action/;
+$external_labels{$key} = "$URL/" . q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/field-attrs/;
+$external_labels{$key} = "$URL/" . q|node19.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/pm-attempt-getport-event/;
+$external_labels{$key} = "$URL/" . q|node54.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/public-ident-systems-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/capture-filter-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/finger-reply-event/;
+$external_labels{$key} = "$URL/" . q|node47.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/login-failure-msgs-var/;
+$external_labels{$key} = "$URL/" . q|node53.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/timer-expiration/;
+$external_labels{$key} = "$URL/" . q|node28.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/bad-ident-reply-weird/;
+$external_labels{$key} = "$URL/" . q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/record-dollar/;
+$external_labels{$key} = "$URL/" . q|node19.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/excessively-small-fragment-weird/;
+$external_labels{$key} = "$URL/" . q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/tcp-close-delay-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/possible-split-routing-weird/;
+$external_labels{$key} = "$URL/" . q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/stepping-analyzer-module/;
+$external_labels{$key} = "$URL/" . q|node60.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/log-HTTP-data-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/rewriting-smtp-trace-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ftp-not-actually-hot-files-var/;
+$external_labels{$key} = "$URL/" . q|node50.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ssl-connection-info-client-cert-field/;
+$external_labels{$key} = "$URL/" . q|node57.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/smtp-session-by-message-id-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/terminate-successful-inbound-service-var/;
+$external_labels{$key} = "$URL/" . q|node39.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/current-time-func/;
+$external_labels{$key} = "$URL/" . q|node33.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/did-stone-summary-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/RPC-dump-okay-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/function_call-expr/;
+$external_labels{$key} = "$URL/" . q|node28.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/incompletely-captured-fragment-weird/;
+$external_labels{$key} = "$URL/" . q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/analyzer-ssl/;
+$external_labels{$key} = "$URL/" . q|node57.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/next-stmt/;
+$external_labels{$key} = "$URL/" . q|node27.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/local-addresses/;
+$external_labels{$key} = "$URL/" . q|node38.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/analyzer-interconn/;
+$external_labels{$key} = "$URL/" . q|node63.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/http-sig-disabled-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/actually-rejected-PTR-anno-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/anon-log-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/authentication-rejected-event/;
+$external_labels{$key} = "$URL/" . q|node53.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/rel-operators/;
+$external_labels{$key} = "$URL/" . q|node11.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/full-output-trouble-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/backdoor-ignore-ports-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/flag-F/;
+$external_labels{$key} = "$URL/" . q|node6.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/rlogin-text-after-rejected-weird/;
+$external_labels{$key} = "$URL/" . q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/bro-init-file/;
+$external_labels{$key} = "$URL/" . q|node92.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/local-code-red-response-pgm-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/accounts-tried-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/shut-down-scans-var/;
+$external_labels{$key} = "$URL/" . q|node40.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/open-func/;
+$external_labels{$key} = "$URL/" . q|node33.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/process-smtp-relay-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/flag-O/;
+$external_labels{$key} = "$URL/" . q|node6.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/flag-P/;
+$external_labels{$key} = "$URL/" . q|node6.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/login-success-msgs-var/;
+$external_labels{$key} = "$URL/" . q|node53.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/to-upper-func/;
+$external_labels{$key} = "$URL/" . q|node33.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/NUL-in-line-weird/;
+$external_labels{$key} = "$URL/" . q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/stp-random-pair-thresh-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/sensitive-URIs-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/pending-data-when-closed-weird/;
+$external_labels{$key} = "$URL/" . q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/add-tcpdump-filter-func/;
+$external_labels{$key} = "$URL/" . q|node33.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/report-peer-scan-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/flag-W/;
+$external_labels{$key} = "$URL/" . q|node6.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/conn-size-func/;
+$external_labels{$key} = "$URL/" . q|node37.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ftp-analyzer-module/;
+$external_labels{$key} = "$URL/" . q|node50.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/worm-type-list-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/print-stmt/;
+$external_labels{$key} = "$URL/" . q|node27.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/net-stats-update-event/;
+$external_labels{$key} = "$URL/" . q|node36.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/report-port-scan-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/interconn-default-pkt-size-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/filtering/;
+$external_labels{$key} = "$URL/" . q|node35.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/conn-record/;
+$external_labels{$key} = "$URL/" . q|node37.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/pm-request-null-event/;
+$external_labels{$key} = "$URL/" . q|node54.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ssl-analyze-certificates-var/;
+$external_labels{$key} = "$URL/" . q|node57.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/cite_rfc-http-1-0/;
+$external_labels{$key} = "$URL/" . q|node106.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/flag-f/;
+$external_labels{$key} = "$URL/" . q|node6.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/cite_RFC791/;
+$external_labels{$key} = "$URL/" . q|node106.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/cite_rfc-http-1-1/;
+$external_labels{$key} = "$URL/" . q|node106.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ftp-session-info-log-it-field/;
+$external_labels{$key} = "$URL/" . q|node50.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/flag-h/;
+$external_labels{$key} = "$URL/" . q|node6.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/cite_RFC793/;
+$external_labels{$key} = "$URL/" . q|node106.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/flag-i/;
+$external_labels{$key} = "$URL/" . q|node6.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/skip-authentication-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/tbl:check-hot-states/;
+$external_labels{$key} = "$URL/" . q|node39.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/flag-p/;
+$external_labels{$key} = "$URL/" . q|node6.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/terminate-successful-inbound-service-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/weird-ignore-host-var/;
+$external_labels{$key} = "$URL/" . q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ntp-session-timeout-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/flag-r/;
+$external_labels{$key} = "$URL/" . q|node6.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/neighbor-24-nets-var/;
+$external_labels{$key} = "$URL/" . q|node38.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/flag-s/;
+$external_labels{$key} = "$URL/" . q|node6.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/analy-analyzer-module/;
+$external_labels{$key} = "$URL/" . q|node55.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ident-request-addendum-weird/;
+$external_labels{$key} = "$URL/" . q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/flag-v/;
+$external_labels{$key} = "$URL/" . q|node6.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/flag-w/;
+$external_labels{$key} = "$URL/" . q|node6.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/originator-RPC-reply-weird/;
+$external_labels{$key} = "$URL/" . q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ident-error-event/;
+$external_labels{$key} = "$URL/" . q|node52.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/fig:print-filter/;
+$external_labels{$key} = "$URL/" . q|node35.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/report-outbound-peer-scan-var/;
+$external_labels{$key} = "$URL/" . q|node40.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/flag-rejected-service-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/sigs-actions/;
+$external_labels{$key} = "$URL/" . q|node66.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/cite_RFC2373/;
+$external_labels{$key} = "$URL/" . q|node106.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/cite_RFC1644/;
+$external_labels{$key} = "$URL/" . q|node106.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/rpc-programs-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/have-SMTP-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/tcp-reassembler-ports-orig-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/values-types-constants/;
+$external_labels{$key} = "$URL/" . q|node8.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/to-net-func/;
+$external_labels{$key} = "$URL/" . q|node33.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/hot-names-var/;
+$external_labels{$key} = "$URL/" . q|node47.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/record-assign/;
+$external_labels{$key} = "$URL/" . q|node19.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/table-assign/;
+$external_labels{$key} = "$URL/" . q|node20.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/notes/;
+$external_labels{$key} = "$URL/" . q|node72.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/enable-brov6-config/;
+$external_labels{$key} = "$URL/" . q|node6.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/partial-RPC-weird/;
+$external_labels{$key} = "$URL/" . q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/rexmit-inconsistency-event/;
+$external_labels{$key} = "$URL/" . q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/software-file-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/hot-terminal-types-var/;
+$external_labels{$key} = "$URL/" . q|node53.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/predefineds-time/;
+$external_labels{$key} = "$URL/" . q|node33.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ftp-excessive-filename-len-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ftp-ignore-invalid-PORT-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/connection-reset-event/;
+$external_labels{$key} = "$URL/" . q|node37.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/is-ftp-data-conn-func/;
+$external_labels{$key} = "$URL/" . q|node50.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/sigs-header/;
+$external_labels{$key} = "$URL/" . q|node66.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/report-remote-accounts-tried-var/;
+$external_labels{$key} = "$URL/" . q|node40.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/conn-id-orig-p-field/;
+$external_labels{$key} = "$URL/" . q|node37.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/mime-sessions-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/hot-ids-analyzer-module/;
+$external_labels{$key} = "$URL/" . q|node49.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/event_scheduling-expr/;
+$external_labels{$key} = "$URL/" . q|node28.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/allow-excessive-ntp-requests-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/discarders/;
+$external_labels{$key} = "$URL/" . q|node99.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ssl-connection-info-id-index-field/;
+$external_labels{$key} = "$URL/" . q|node57.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/tcp-partial-close-delay-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ftp-session-info-request-t-field/;
+$external_labels{$key} = "$URL/" . q|node50.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/connection-hot-field/;
+$external_labels{$key} = "$URL/" . q|node37.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/rpc-timeout-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/login-input-line-event/;
+$external_labels{$key} = "$URL/" . q|node53.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/authentication-skipped-event/;
+$external_labels{$key} = "$URL/" . q|node53.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/load-directive/;
+$external_labels{$key} = "$URL/" . q|node88.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/cite_rfc-rlogin/;
+$external_labels{$key} = "$URL/" . q|node106.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/table-expire-interval-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/discarder-maxlen-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/smtp-session-by-recipient-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/endpoint-id-func/;
+$external_labels{$key} = "$URL/" . q|node41.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ssl-log-file/;
+$external_labels{$key} = "$URL/" . q|node57.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/net-ops/;
+$external_labels{$key} = "$URL/" . q|node18.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/connection-start-time-field/;
+$external_labels{$key} = "$URL/" . q|node37.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/discarder-check-udp-func/;
+$external_labels{$key} = "$URL/" . q|node33.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/record_field_access-expr/;
+$external_labels{$key} = "$URL/" . q|node28.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/login-timeouts-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/input-wait-for-output-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/skip-outbound-services-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/skip-outbound-services-var/;
+$external_labels{$key} = "$URL/" . q|node40.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ftp-ignore-privileged-PASVs-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/login-success-msgs-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/analyzer-http/;
+$external_labels{$key} = "$URL/" . q|node51.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/HTTP-unknown-method-weird/;
+$external_labels{$key} = "$URL/" . q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/excess-RPC-weird/;
+$external_labels{$key} = "$URL/" . q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/min-double-func/;
+$external_labels{$key} = "$URL/" . q|node33.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/pm-attempt-callit-event/;
+$external_labels{$key} = "$URL/" . q|node54.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/set-buf-func/;
+$external_labels{$key} = "$URL/" . q|node33.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/step-log-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/forbidden-ids-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/login-non-failure-msgs-var/;
+$external_labels{$key} = "$URL/" . q|node53.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/discarder-check-icmp-func/;
+$external_labels{$key} = "$URL/" . q|node33.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/edited-input-trouble-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/interconn-min-7bit-ascii-ratio-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/backdoor-standard-ports-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/excessive-RPC-len-weird/;
+$external_labels{$key} = "$URL/" . q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/smtp-session-by-content-hash-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/pm-attempt-func/;
+$external_labels{$key} = "$URL/" . q|node54.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/fig:ssl-connection-info/;
+$external_labels{$key} = "$URL/" . q|node57.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/increment-expr/;
+$external_labels{$key} = "$URL/" . q|node28.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/table-decl/;
+$external_labels{$key} = "$URL/" . q|node20.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/direct-login-prompts-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/play-back/;
+$external_labels{$key} = "$URL/" . q|node98.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/signature-match-event/;
+$external_labels{$key} = "$URL/" . q|node56.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/cite_rfc-finger/;
+$external_labels{$key} = "$URL/" . q|node106.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/tcp-reassembler-ports-resp-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/log-hook-func/;
+$external_labels{$key} = "$URL/" . q|node43.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/analyzer-signature/;
+$external_labels{$key} = "$URL/" . q|node56.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/predefineds/;
+$external_labels{$key} = "$URL/" . q|node31.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/interconn-ignore-standard-ports-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/conn-tag-info-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ftp-data-expected-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/weird-action-filters-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ftp-hot-files-var/;
+$external_labels{$key} = "$URL/" . q|node50.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/FIN-advanced-last-seq-weird/;
+$external_labels{$key} = "$URL/" . q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/cite_rfc-x11/;
+$external_labels{$key} = "$URL/" . q|node106.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ssh-min-num-pkts-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/addl-web-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/login-confused-event/;
+$external_labels{$key} = "$URL/" . q|node53.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/expire-func-attr/;
+$external_labels{$key} = "$URL/" . q|node20.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/dns-mapping-hostname-field/;
+$external_labels{$key} = "$URL/" . q|node46.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/conn-summaries/;
+$external_labels{$key} = "$URL/" . q|node37.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/neighbor-16-nets-var/;
+$external_labels{$key} = "$URL/" . q|node38.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/allow-pairs-var/;
+$external_labels{$key} = "$URL/" . q|node39.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/stp-delta-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/udp-request-event/;
+$external_labels{$key} = "$URL/" . q|node37.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/any-RPC-okay-var/;
+$external_labels{$key} = "$URL/" . q|node54.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/responder-RPC-call-weird/;
+$external_labels{$key} = "$URL/" . q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/cite_rfc-telnet-options/;
+$external_labels{$key} = "$URL/" . q|node106.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/record-constants/;
+$external_labels{$key} = "$URL/" . q|node19.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/table-init/;
+$external_labels{$key} = "$URL/" . q|node20.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/telnet-sig-disabled-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/skip-unexpected-net-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ssl-conn-weak-event/;
+$external_labels{$key} = "$URL/" . q|node57.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/logical-expr/;
+$external_labels{$key} = "$URL/" . q|node28.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/new-connection-event/;
+$external_labels{$key} = "$URL/" . q|node37.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/allow-spoof-services-var/;
+$external_labels{$key} = "$URL/" . q|node39.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/direct-login-prompts-var/;
+$external_labels{$key} = "$URL/" . q|node53.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ssl-conn-reused-event/;
+$external_labels{$key} = "$URL/" . q|node57.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/min-count-func/;
+$external_labels{$key} = "$URL/" . q|node33.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/type-inference/;
+$external_labels{$key} = "$URL/" . q|node30.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/syn-fin-filtering/;
+$external_labels{$key} = "$URL/" . q|node82.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/allow-services-to-var/;
+$external_labels{$key} = "$URL/" . q|node39.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/fig:dns-mapping/;
+$external_labels{$key} = "$URL/" . q|node46.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/skip-logins-to-var/;
+$external_labels{$key} = "$URL/" . q|node53.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/hot-srcs-var/;
+$external_labels{$key} = "$URL/" . q|node39.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/report-accounts-tried-var/;
+$external_labels{$key} = "$URL/" . q|node40.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/SSL-analyzer-module/;
+$external_labels{$key} = "$URL/" . q|node57.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/root-backdoor-sig-conns-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/partial-portmapper-request-weird/;
+$external_labels{$key} = "$URL/" . q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/connection-pending-event/;
+$external_labels{$key} = "$URL/" . q|node37.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/did-PTR-scan-event-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/report-outbound-peer-scan-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/prefixes/;
+$external_labels{$key} = "$URL/" . q|node75.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/record_field_test-expr/;
+$external_labels{$key} = "$URL/" . q|node28.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/function-call-expr/;
+$external_labels{$key} = "$URL/" . q|node28.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/report-rejected-PTR-thresh-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/premature-connection-reuse-weird/;
+$external_labels{$key} = "$URL/" . q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/interconn-conns-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/login-timeouts-var/;
+$external_labels{$key} = "$URL/" . q|node53.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/conn-id-resp-p-field/;
+$external_labels{$key} = "$URL/" . q|node37.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ftp-session-info-log-if-not-denied-field/;
+$external_labels{$key} = "$URL/" . q|node50.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ssl-log/;
+$external_labels{$key} = "$URL/" . q|node57.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/analyzer-finger/;
+$external_labels{$key} = "$URL/" . q|node47.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ssl-certificate-seen-event/;
+$external_labels{$key} = "$URL/" . q|node57.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/watchdog-interval-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/write-file/;
+$external_labels{$key} = "$URL/" . q|node76.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/hot-telnet-orig-ports-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/edit-and-check-password-func/;
+$external_labels{$key} = "$URL/" . q|node53.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/boolean-constants/;
+$external_labels{$key} = "$URL/" . q|node10.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/fragment-overlap-weird/;
+$external_labels{$key} = "$URL/" . q|node58.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/is-local-addr-func/;
+$external_labels{$key} = "$URL/" . q|node38.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/hot-ident-ids-var/;
+$external_labels{$key} = "$URL/" . q|node52.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/maintain-http-sessions-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/ftp-sessions-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/tcp-SYN-timeout-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/connection-duration-field/;
+$external_labels{$key} = "$URL/" . q|node37.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/rlogin-id-okay-if-no-password-exposed-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/same-local-net-is-spoof-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/input-trouble-global/;
+$external_labels{$key} = "$URL/" . q|node32.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/drop-address-func/;
+$external_labels{$key} = "$URL/" . q|node40.html|; 
+$noresave{$key} = "$nosave";
+
+$key = q/bro-init-event/;
+$external_labels{$key} = "$URL/" . q|node36.html|; 
+$noresave{$key} = "$nosave";
+
+1;
+
+
+# LaTeX2HTML 2002-2 (1.70)
+# labels from external_latex_labels array.
+
+
+1;
+
diff --git a/doc/old/manual/manual.css b/doc/old/manual/manual.css
new file mode 100644
index 0000000000..d1824aff42
--- /dev/null
+++ b/doc/old/manual/manual.css
@@ -0,0 +1,30 @@
+/* Century Schoolbook font is very similar to Computer Modern Math: cmmi */
+.MATH    { font-family: "Century Schoolbook", serif; }
+.MATH I  { font-family: "Century Schoolbook", serif; font-style: italic }
+.BOLDMATH { font-family: "Century Schoolbook", serif; font-weight: bold }
+
+/* implement both fixed-size and relative sizes */
+SMALL.XTINY		{ font-size : xx-small }
+SMALL.TINY		{ font-size : x-small  }
+SMALL.SCRIPTSIZE	{ font-size : smaller  }
+SMALL.FOOTNOTESIZE	{ font-size : small    }
+SMALL.SMALL		{  }
+BIG.LARGE		{  }
+BIG.XLARGE		{ font-size : large    }
+BIG.XXLARGE		{ font-size : x-large  }
+BIG.HUGE		{ font-size : larger   }
+BIG.XHUGE		{ font-size : xx-large }
+
+/* heading styles */
+H1		{  }
+H2		{  }
+H3		{  }
+H4		{  }
+H5		{  }
+
+/* mathematics styles */
+DIV.displaymath		{ }	/* math displays */
+TD.eqno			{ }	/* equation-number cells */
+
+
+/* document-specific styles come next */
diff --git a/doc/pubs/bro-CN99.ps b/doc/pubs/bro-CN99.ps
new file mode 100644
index 0000000000..8ae2db3b4b
--- /dev/null
+++ b/doc/pubs/bro-CN99.ps
@@ -0,0 +1,5025 @@
+%!PS-Adobe-2.0
+%%Creator: dvipsk 5.58f Copyright 1986, 1994 Radical Eye Software
+%%Title: bro.dvi
+%%Pages: 22
+%%PageOrder: Ascend
+%%BoundingBox: 0 0 612 792
+%%DocumentFonts: Times-Roman Times-Bold Times-Italic Courier
+%%+ Courier-Oblique
+%%EndComments
+%DVIPSCommandLine: dvips bro.dvi
+%DVIPSParameters: dpi=600, compressed, comments removed
+%DVIPSSource:  TeX output 2000.02.22:0012
+%%BeginProcSet: texc.pro
+/TeXDict 250 dict def TeXDict begin /N{def}def /B{bind def}N /S{exch}N
+/X{S N}B /TR{translate}N /isls false N /vsize 11 72 mul N /hsize 8.5 72
+mul N /landplus90{false}def /@rigin{isls{[0 landplus90{1 -1}{-1 1}
+ifelse 0 0 0]concat}if 72 Resolution div 72 VResolution div neg scale
+isls{landplus90{VResolution 72 div vsize mul 0 exch}{Resolution -72 div
+hsize mul 0}ifelse TR}if Resolution VResolution vsize -72 div 1 add mul
+TR[matrix currentmatrix{dup dup round sub abs 0.00001 lt{round}if}
+forall round exch round exch]setmatrix}N /@landscape{/isls true N}B
+/@manualfeed{statusdict /manualfeed true put}B /@copies{/#copies X}B
+/FMat[1 0 0 -1 0 0]N /FBB[0 0 0 0]N /nn 0 N /IE 0 N /ctr 0 N /df-tail{
+/nn 8 dict N nn begin /FontType 3 N /FontMatrix fntrx N /FontBBox FBB N
+string /base X array /BitMaps X /BuildChar{CharBuilder}N /Encoding IE N
+end dup{/foo setfont}2 array copy cvx N load 0 nn put /ctr 0 N[}B /df{
+/sf 1 N /fntrx FMat N df-tail}B /dfs{div /sf X /fntrx[sf 0 0 sf neg 0 0]
+N df-tail}B /E{pop nn dup definefont setfont}B /ch-width{ch-data dup
+length 5 sub get}B /ch-height{ch-data dup length 4 sub get}B /ch-xoff{
+128 ch-data dup length 3 sub get sub}B /ch-yoff{ch-data dup length 2 sub
+get 127 sub}B /ch-dx{ch-data dup length 1 sub get}B /ch-image{ch-data
+dup type /stringtype ne{ctr get /ctr ctr 1 add N}if}B /id 0 N /rw 0 N
+/rc 0 N /gp 0 N /cp 0 N /G 0 N /sf 0 N /CharBuilder{save 3 1 roll S dup
+/base get 2 index get S /BitMaps get S get /ch-data X pop /ctr 0 N ch-dx
+0 ch-xoff ch-yoff ch-height sub ch-xoff ch-width add ch-yoff
+setcachedevice ch-width ch-height true[1 0 0 -1 -.1 ch-xoff sub ch-yoff
+.1 sub]/id ch-image N /rw ch-width 7 add 8 idiv string N /rc 0 N /gp 0 N
+/cp 0 N{rc 0 ne{rc 1 sub /rc X rw}{G}ifelse}imagemask restore}B /G{{id
+gp get /gp gp 1 add N dup 18 mod S 18 idiv pl S get exec}loop}B /adv{cp
+add /cp X}B /chg{rw cp id gp 4 index getinterval putinterval dup gp add
+/gp X adv}B /nd{/cp 0 N rw exit}B /lsh{rw cp 2 copy get dup 0 eq{pop 1}{
+dup 255 eq{pop 254}{dup dup add 255 and S 1 and or}ifelse}ifelse put 1
+adv}B /rsh{rw cp 2 copy get dup 0 eq{pop 128}{dup 255 eq{pop 127}{dup 2
+idiv S 128 and or}ifelse}ifelse put 1 adv}B /clr{rw cp 2 index string
+putinterval adv}B /set{rw cp fillstr 0 4 index getinterval putinterval
+adv}B /fillstr 18 string 0 1 17{2 copy 255 put pop}for N /pl[{adv 1 chg}
+{adv 1 chg nd}{1 add chg}{1 add chg nd}{adv lsh}{adv lsh nd}{adv rsh}{
+adv rsh nd}{1 add adv}{/rc X nd}{1 add set}{1 add clr}{adv 2 chg}{adv 2
+chg nd}{pop nd}]dup{bind pop}forall N /D{/cc X dup type /stringtype ne{]
+}if nn /base get cc ctr put nn /BitMaps get S ctr S sf 1 ne{dup dup
+length 1 sub dup 2 index S get sf div put}if put /ctr ctr 1 add N}B /I{
+cc 1 add D}B /bop{userdict /bop-hook known{bop-hook}if /SI save N @rigin
+0 0 moveto /V matrix currentmatrix dup 1 get dup mul exch 0 get dup mul
+add .99 lt{/QV}{/RV}ifelse load def pop pop}N /eop{SI restore userdict
+/eop-hook known{eop-hook}if showpage}N /@start{userdict /start-hook
+known{start-hook}if pop /VResolution X /Resolution X 1000 div /DVImag X
+/IE 256 array N 0 1 255{IE S 1 string dup 0 3 index put cvn put}for
+65781.76 div /vsize X 65781.76 div /hsize X}N /p{show}N /RMat[1 0 0 -1 0
+0]N /BDot 260 string N /rulex 0 N /ruley 0 N /v{/ruley X /rulex X V}B /V
+{}B /RV statusdict begin /product where{pop product dup length 7 ge{0 7
+getinterval dup(Display)eq exch 0 4 getinterval(NeXT)eq or}{pop false}
+ifelse}{false}ifelse end{{gsave TR -.1 .1 TR 1 1 scale rulex ruley false
+RMat{BDot}imagemask grestore}}{{gsave TR -.1 .1 TR rulex ruley scale 1 1
+false RMat{BDot}imagemask grestore}}ifelse B /QV{gsave newpath transform
+round exch round exch itransform moveto rulex 0 rlineto 0 ruley neg
+rlineto rulex neg 0 rlineto fill grestore}B /a{moveto}B /delta 0 N /tail
+{dup /delta X 0 rmoveto}B /M{S p delta add tail}B /b{S p tail}B /c{-4 M}
+B /d{-3 M}B /e{-2 M}B /f{-1 M}B /g{0 M}B /h{1 M}B /i{2 M}B /j{3 M}B /k{
+4 M}B /w{0 rmoveto}B /l{p -4 w}B /m{p -3 w}B /n{p -2 w}B /o{p -1 w}B /q{
+p 1 w}B /r{p 2 w}B /s{p 3 w}B /t{p 4 w}B /x{0 S rmoveto}B /y{3 2 roll p
+a}B /bos{/SS save N}B /eos{SS restore}B end
+%%EndProcSet
+%%BeginFont: Times-Roman
+% @psencodingfile{
+%   author = "P. MacKay, Alan Jeffrey, S. Rahtz, K. Berry, B. Horn",
+%   version = "0.2",
+%   date = "7 September 94",
+%   filename = "8r.enc",
+%   email = "kb@cs.umb.edu",
+%   address = "135 Center Hill Rd. // Plymouth, MA 02360",
+%   codetable = "ISO/ASCII",
+%   checksum = "xx",
+%   docstring = "Encoding for TrueType or Type 1 fonts to be used with TeX."
+% }
+% 
+% Idea is to have all the characters normally included in Type 1 fonts
+% available for typesetting. This is effectively the characters in Adobe
+% Standard Encoding + ISO Latin 1 + extra characters from Lucida.
+% 
+% Character code assignments were made as follows:
+% 
+% (1) the Windows ANSI characters are in their Windows ANSI positions,
+% because Windows users cannot easily reencode the fonts, and it makes
+% no difference on other systems. The only Windows ANSI characters not
+% available are those that make no sense for typesetting -- rubout
+% (127 decimal), nobreakspace (160), softhyphen (173).
+% 
+% (2) The caron and dotlessi characters are in the positions used by
+% Y&Y for their modified ATM encoding.
+% 
+% (3) Remaining characters are assigned arbitrarily to the first few
+% positions.
+% 
+% (4) (Y&Y) Lucida Bright includes some extra text characters; in the
+% hopes that other PostScript fonts, perhaps created for public
+% consumption, will include them, they are included starting at 0x10.
+% 
+% (5) Remaining positions left undefined are for use in (hopefully)
+% upward-compatible revisions, if someday more characters are generally
+% available in the Type 1 fonts.
+% 
+% Ligatures are omitted, since this encoding is intended for use at the
+% driver end. Including ligatures and kerns would make the TFM files
+% much larger, to no particular purpose. If someone actually wants to
+% typeset in this encoding, they can pick a different name, and regenerate
+% the fonts.
+ 
+/TeXBase1Encoding [
+% 0x00 (encoded characters from Adobe Standard not in Windows 3.1)
+  /breve /dotaccent /fi /fl
+  /fraction /hungarumlaut /Lslash /lslash
+  /ogonek /ring /tilde /minus
+  % These are the only two remaining unencoded characters, so may as
+  % well include them.
+  /Zcaron /zcaron /.notdef /.notdef
+% 0x10 (TeX characters from, e.g., Lucida Bright)
+ /dotlessj /ff /ffi /ffl /.notdef /.notdef /.notdef /.notdef
+ /.notdef /.notdef /.notdef /.notdef /.notdef /.notdef /.notdef /.notdef
+% 0x20 (ASCII begins)
+ /space /exclam /quotedbl /numbersign
+ /dollar /percent /ampersand /quotesingle
+ /parenleft /parenright /asterisk /plus /comma /hyphen /period /slash
+% 0x30
+ /zero /one /two /three /four /five /six /seven
+ /eight /nine /colon /semicolon /less /equal /greater /question
+% 0x40
+ /at /A /B /C /D /E /F /G /H /I /J /K /L /M /N /O
+% 0x50
+ /P /Q /R /S /T /U /V /W
+ /X /Y /Z /bracketleft /backslash /bracketright /asciicircum /underscore
+% 0x60
+ /grave /a /b /c /d /e /f /g /h /i /j /k /l /m /n /o
+% 0x70
+ /p /q /r /s /t /u /v /w
+ /x /y /z /braceleft /bar /braceright /asciitilde
+ /.notdef % rubout; ASCII ends
+% 0x80
+ /.notdef /.notdef /quotesinglbase /florin
+ /quotedblbase /ellipsis /dagger /daggerdbl
+ /circumflex /perthousand /Scaron /guilsinglleft
+ /OE
+ /caron % Y&Y
+ /.notdef
+ /.notdef
+% 0x90
+ /.notdef /quoteleft /quoteright /quotedblleft
+ /quotedblright /bullet /endash /emdash
+ /tildeaccent /trademark /scaron /guilsinglright
+ /oe
+ /dotlessi % Y&Y
+ /.notdef
+ /Ydieresis
+% 0xA0
+ /.notdef % nobreakspace
+ /exclamdown /cent /sterling
+ /currency /yen /brokenbar /section
+ /dieresis /copyright /ordfeminine /guillemotleft
+ /logicalnot
+ /hyphen % Y&Y (also at 45); Windows' softhyphen
+ /registered
+ /macron
+% 0xD0
+ /degree /plusminus /twosuperior /threesuperior
+ /acute /mu /paragraph /periodcentered
+ /cedilla /onesuperior /ordmasculine /guillemotright
+ /onequarter /onehalf /threequarters /questiondown
+% 0xC0
+ /Agrave /Aacute /Acircumflex /Atilde /Adieresis /Aring /AE /Ccedilla
+ /Egrave /Eacute /Ecircumflex /Edieresis
+ /Igrave /Iacute /Icircumflex /Idieresis
+% 0xD0
+ /Eth /Ntilde /Ograve /Oacute
+ /Ocircumflex /Otilde /Odieresis /multiply
+ /Oslash /Ugrave /Uacute /Ucircumflex
+ /Udieresis /Yacute /Thorn /germandbls
+% 0xE0
+ /agrave /aacute /acircumflex /atilde
+ /adieresis /aring /ae /ccedilla
+ /egrave /eacute /ecircumflex /edieresis
+ /igrave /iacute /icircumflex /idieresis
+% 0xF0
+ /eth /ntilde /ograve /oacute
+ /ocircumflex /otilde /odieresis /divide
+ /oslash /ugrave /uacute /ucircumflex
+ /udieresis /yacute /thorn /ydieresis
+] def
+%%EndFont
+%%BeginProcSet: texps.pro
+TeXDict begin /rf{findfont dup length 1 add dict begin{1 index /FID ne 2
+index /UniqueID ne and{def}{pop pop}ifelse}forall[1 index 0 6 -1 roll
+exec 0 exch 5 -1 roll VResolution Resolution div mul neg 0 0]/Metrics
+exch def dict begin Encoding{exch dup type /integertype ne{pop pop 1 sub
+dup 0 le{pop}{[}ifelse}{FontMatrix 0 get div Metrics 0 get div def}
+ifelse}forall Metrics /Metrics currentdict end def[2 index currentdict
+end definefont 3 -1 roll makefont /setfont load]cvx def}def
+/ObliqueSlant{dup sin S cos div neg}B /SlantFont{4 index mul add}def
+/ExtendFont{3 -1 roll mul exch}def /ReEncodeFont{/Encoding exch def}def
+end
+%%EndProcSet
+%%BeginProcSet: special.pro
+TeXDict begin /SDict 200 dict N SDict begin /@SpecialDefaults{/hs 612 N
+/vs 792 N /ho 0 N /vo 0 N /hsc 1 N /vsc 1 N /ang 0 N /CLIP 0 N /rwiSeen
+false N /rhiSeen false N /letter{}N /note{}N /a4{}N /legal{}N}B
+/@scaleunit 100 N /@hscale{@scaleunit div /hsc X}B /@vscale{@scaleunit
+div /vsc X}B /@hsize{/hs X /CLIP 1 N}B /@vsize{/vs X /CLIP 1 N}B /@clip{
+/CLIP 2 N}B /@hoffset{/ho X}B /@voffset{/vo X}B /@angle{/ang X}B /@rwi{
+10 div /rwi X /rwiSeen true N}B /@rhi{10 div /rhi X /rhiSeen true N}B
+/@llx{/llx X}B /@lly{/lly X}B /@urx{/urx X}B /@ury{/ury X}B /magscale
+true def end /@MacSetUp{userdict /md known{userdict /md get type
+/dicttype eq{userdict begin md length 10 add md maxlength ge{/md md dup
+length 20 add dict copy def}if end md begin /letter{}N /note{}N /legal{}
+N /od{txpose 1 0 mtx defaultmatrix dtransform S atan/pa X newpath
+clippath mark{transform{itransform moveto}}{transform{itransform lineto}
+}{6 -2 roll transform 6 -2 roll transform 6 -2 roll transform{
+itransform 6 2 roll itransform 6 2 roll itransform 6 2 roll curveto}}{{
+closepath}}pathforall newpath counttomark array astore /gc xdf pop ct 39
+0 put 10 fz 0 fs 2 F/|______Courier fnt invertflag{PaintBlack}if}N
+/txpose{pxs pys scale ppr aload pop por{noflips{pop S neg S TR pop 1 -1
+scale}if xflip yflip and{pop S neg S TR 180 rotate 1 -1 scale ppr 3 get
+ppr 1 get neg sub neg ppr 2 get ppr 0 get neg sub neg TR}if xflip yflip
+not and{pop S neg S TR pop 180 rotate ppr 3 get ppr 1 get neg sub neg 0
+TR}if yflip xflip not and{ppr 1 get neg ppr 0 get neg TR}if}{noflips{TR
+pop pop 270 rotate 1 -1 scale}if xflip yflip and{TR pop pop 90 rotate 1
+-1 scale ppr 3 get ppr 1 get neg sub neg ppr 2 get ppr 0 get neg sub neg
+TR}if xflip yflip not and{TR pop pop 90 rotate ppr 3 get ppr 1 get neg
+sub neg 0 TR}if yflip xflip not and{TR pop pop 270 rotate ppr 2 get ppr
+0 get neg sub neg 0 S TR}if}ifelse scaleby96{ppr aload pop 4 -1 roll add
+2 div 3 1 roll add 2 div 2 copy TR .96 dup scale neg S neg S TR}if}N /cp
+{pop pop showpage pm restore}N end}if}if}N /normalscale{Resolution 72
+div VResolution 72 div neg scale magscale{DVImag dup scale}if 0 setgray}
+N /psfts{S 65781.76 div N}N /startTexFig{/psf$SavedState save N userdict
+maxlength dict begin /magscale true def normalscale currentpoint TR
+/psf$ury psfts /psf$urx psfts /psf$lly psfts /psf$llx psfts /psf$y psfts
+/psf$x psfts currentpoint /psf$cy X /psf$cx X /psf$sx psf$x psf$urx
+psf$llx sub div N /psf$sy psf$y psf$ury psf$lly sub div N psf$sx psf$sy
+scale psf$cx psf$sx div psf$llx sub psf$cy psf$sy div psf$ury sub TR
+/showpage{}N /erasepage{}N /copypage{}N /p 3 def @MacSetUp}N /doclip{
+psf$llx psf$lly psf$urx psf$ury currentpoint 6 2 roll newpath 4 copy 4 2
+roll moveto 6 -1 roll S lineto S lineto S lineto closepath clip newpath
+moveto}N /endTexFig{end psf$SavedState restore}N /@beginspecial{SDict
+begin /SpecialSave save N gsave normalscale currentpoint TR
+@SpecialDefaults count /ocount X /dcount countdictstack N}N /@setspecial
+{CLIP 1 eq{newpath 0 0 moveto hs 0 rlineto 0 vs rlineto hs neg 0 rlineto
+closepath clip}if ho vo TR hsc vsc scale ang rotate rwiSeen{rwi urx llx
+sub div rhiSeen{rhi ury lly sub div}{dup}ifelse scale llx neg lly neg TR
+}{rhiSeen{rhi ury lly sub div dup scale llx neg lly neg TR}if}ifelse
+CLIP 2 eq{newpath llx lly moveto urx lly lineto urx ury lineto llx ury
+lineto closepath clip}if /showpage{}N /erasepage{}N /copypage{}N newpath
+}N /@endspecial{count ocount sub{pop}repeat countdictstack dcount sub{
+end}repeat grestore SpecialSave restore end}N /@defspecial{SDict begin}
+N /@fedspecial{end}B /li{lineto}B /rl{rlineto}B /rc{rcurveto}B /np{
+/SaveX currentpoint /SaveY X N 1 setlinecap newpath}N /st{stroke SaveX
+SaveY moveto}N /fil{fill SaveX SaveY moveto}N /ellipse{/endangle X
+/startangle X /yrad X /xrad X /savematrix matrix currentmatrix N TR xrad
+yrad scale 0 0 1 startangle endangle arc savematrix setmatrix}N end
+%%EndProcSet
+TeXDict begin 40258431 52099146 1000 600 600 (bro.dvi)
+@start /Fa 171[36 6[52 77[{TeXBase1Encoding ReEncodeFont}2
+58.333336 /Times-Roman rf /Fb 172[50 6[50 6[50 50 1[50
+66[{TeXBase1Encoding ReEncodeFont}5 83.333336 /Courier-Oblique
+rf /Fc 6 112 df<146014E0EB01C0EB0380EB0700130E131E5B5BA25B485AA2485AA212
+075B120F90C7FCA25A121EA2123EA35AA65AB2127CA67EA3121EA2121F7EA27F12077F12
+03A26C7EA26C7E1378A27F7F130E7FEB0380EB01C0EB00E01460135278BD20>40
+D<12C07E12707E7E7E120F6C7E6C7EA26C7E6C7EA21378A2137C133C133E131EA2131F7F
+A21480A3EB07C0A6EB03E0B2EB07C0A6EB0F80A31400A25B131EA2133E133C137C1378A2
+5BA2485A485AA2485A48C7FC120E5A5A5A5A5A13527CBD20>I<EB01C013031307131F13
+FFB5FCA2131F1200B3B3A8497E007FB512F0A31C3879B72A>49 D<ED03F090390FF00FF8
+90393FFC3C3C9039F81F707C3901F00FE03903E007C03A07C003E010000FECF000A24848
+6C7EA86C6C485AA200075C6C6C485A6D485A6D48C7FC38073FFC38060FF0000EC9FCA412
+0FA213C06CB512C015F86C14FE6CECFF804815C03A0F80007FE048C7EA0FF0003E140348
+140116F8481400A56C1401007C15F06CEC03E0003F1407D80F80EB0F80D807E0EB3F0039
+01FC01FC39007FFFF0010790C7FC26387EA52A>103 D<EA03F012FFA3120F1203B3B3AD
+487EB512C0A3123A7EB917>108 D<EB03FE90380FFF8090383E03E09038F800F8484813
+7C48487F48487F4848EB0F80001F15C090C712074815E0A2007EEC03F0A400FE15F8A900
+7E15F0A2007F14076C15E0A26C6CEB0FC0000F15806D131F6C6CEB3F006C6C137EC66C13
+F890387E03F090381FFFC0D903FEC7FC25277EA52A>111 D E /Fd
+141[72 2[72 44[72 66[{TeXBase1Encoding ReEncodeFont}3
+119.999947 /Courier rf /Fe 2 67 df<4B7E1503150782150F151FA2153FA2156F15
+CF82EC0187140315071406140E140C02187FA2EC30031460A214C013011480D903007F91
+B5FC5B90380C0001A25B13380130805B01E013005B12011203000F4A7ED8FFF890381FFF
+E0A22B2A7DA932>65 D<013FB512F816FF903A01FC001FC04AEB07E0EE03F001031401A2
+4A14F8A2130717F04A130317E0010F1407EE0FC04AEB1F80EE7E00011F495A91B512F0A2
+91388001FC013FEB007E8291C7EA1F80160F4915C0A2137EA213FEEE1F805BEE3F000001
+153E16FE49EB01F84B5A0003EC1FC0B7C7FC15F82D287DA732>I
+E /Ff 130[40 40 40 40 40 40 40 40 40 40 40 40 40 40 40
+40 40 40 40 1[40 40 40 40 40 40 40 40 40 1[40 1[40 40
+40 1[40 1[40 40 40 40 40 40 40 40 40 40 1[40 2[40 40
+1[40 40 40 40 40 40 1[40 40 40 1[40 40 40 40 40 40 40
+40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40
+40 40 33[{TeXBase1Encoding ReEncodeFont}82 66.666664
+/Courier rf /Fg 143[60 3[60 2[60 5[60 60 60 97[{
+TeXBase1Encoding ReEncodeFont}6 100.000000 /Courier rf
+/Fh 134[50 2[50 55 33 39 44 1[55 50 55 83 28 55 1[28
+55 50 33 44 55 44 55 50 6[66 3[72 1[66 55 72 1[61 78
+1[94 3[39 2[61 66 72 72 11[50 50 50 50 50 50 50 2[25
+46[{TeXBase1Encoding ReEncodeFont}42 100.000000 /Times-Bold
+rf /Fi 4 121 df<EB0FE0EB7FFC497E0003EBFF804814C04814E04814F04814F8A24814
+FCA3B612FEA86C14FCA36C14F8A26C14F06C14E06C14C06C1480C6EBFE006D5AEB0FE01F
+207BA42A>15 D<EC01F8140FEC3F80ECFC00495A495A495AA2130F5CB3A7131F5C133F49
+C7FC13FEEA03F8EA7FE048C8FCEA7FE0EA03F8EA00FE137F6D7E131F80130FB3A7801307
+A26D7E6D7E6D7EEC3F80EC0FF814011D537ABD2A>102 D<12FCEAFFC0EA07F0EA01FCEA
+007E7F80131F80130FB3A7801307806D7E6D7EEB007EEC1FF0EC07F8EC1FF0EC7E00495A
+495A495A5C130F5CB3A7131F5C133F91C7FC137E485AEA07F0EAFFC000FCC8FC1D537ABD
+2A>I<137E3801FFC03807C1E0380F0070001E1338003E131C48130C141E147E5AA3143C
+1400A3127CA37E121E7E6C7E6C7EEA00F013FCEA03FF380F8780381F01E0003E13F0EB00
+F848137CA200FC133E5A141FA6127C143F6C133EA26C137CEA0F80000713F83801E1F038
+00FFC0EB3F00130FEB03C0EB01E0EB00F01478147C143EA3141FA3123C127EA3143E1278
+12300038137C6C13786C13F0380783E03803FF8038007E00184C7ABA25>120
+D E /Fj 9 113 df<121C127FEAFF80A5EA7F00121C0909798817>58
+D<1760177017F01601A21603A21607160FA24C7EA216331673166316C3A2ED0183A2ED03
+03150683150C160115181530A21560A215C014011580DA03007FA202061300140E140C5C
+021FB5FC5CA20260C7FC5C83495A8349C8FC1306A25BA25B13385B01F01680487E000716
+FFB56C013F13FF5EA2383C7DBB3E>65 D<0103B77E4916F018FC903B0007F80003FE4BEB
+00FFF07F80020FED3FC0181F4B15E0A2141FA25DA2143F19C04B143F1980027F157F1900
+92C812FE4D5A4A4A5AEF0FF04AEC1FC005FFC7FC49B612FC5F02FCC7B4FCEF3FC00103ED
+0FE0717E5C717E1307844A1401A2130F17035CA2131F4D5A5C4D5A133F4D5A4A4A5A4D5A
+017F4BC7FC4C5A91C7EA07FC49EC3FF0B812C094C8FC16F83B397DB83F>I<902603FFF8
+91381FFFF8496D5CA2D90007030113006FEC007C02061678DA0EFF157081020C6D1460A2
+DA1C3F15E0705CEC181F82023815016F6C5C1430150702706D1303030392C7FC02607FA2
+DAE0015C701306ECC0008201016E130EEF800C5C163F0103EDC01C041F131891C713E016
+0F49EDF03818300106140717F8010E02031370EFFC60130CEE01FE011C16E004005B0118
+15FF177F1338600130153FA20170151F95C8FC01F081EA07FCB512E01706A245397DB843
+>78 D<4BB4FC031F13F09238FE01FC913903F0007EDA07C0EB1F80DA1F80EB0FC0023EC7
+EA07E002FCEC03F0495A4948EC01F8495A4948EC00FC495A49C912FE49167E13FE49167F
+1201485AA2485AA2120F5B001F17FFA2485AA34848ED01FEA400FFEE03FC90C9FCA2EF07
+F8A2EF0FF0A218E0171F18C0EF3F806C167F180017FE4C5A6C6C5D1603001F4B5A6D4A5A
+000FED1F806C6C4AC7FC6D147E0003EC01F8D801FC495AD8007EEB0FC090263F807FC8FC
+903807FFF801001380383D7CBA3F>I<0003B812FEA25A903AF8003FC00101C091388000
+7E4848163C90C7007F141C121E001C92C7FCA2485CA200305C007017180060130112E048
+5CA21403C716005DA21407A25DA2140FA25DA2141FA25DA2143FA25DA2147FA292C9FCA2
+5CA25CA21301A25CA21303A25CEB0FFC003FB6FC5AA237397EB831>84
+D<EB03F0EA01FFA3EA00075CA3130F5CA3131F5CA3133F91C8FCA35B017EEB07C0ED1FF0
+ED783801FEEBE0F89039FC01C1FCEC0383EC07070001130ED9F81C13F891383803F09138
+7001E0000349C7FCEBF1C0EBF38001F7C8FCEA07FEA2EBFFE0EBE7F8380FE0FEEBC07F6E
+7E141F001F80D9800F1330A21670003F011F136001001380A216E04815C0007E1481020F
+1380158300FE903807870048EB03FE0038EB00F8263B7CB92B>107
+D<D803E0137F3A07F801FFE03A0E3C0781F03A1C3E1E00F826383F387F00305B4A137C00
+705B00605BA200E090C712FC485A137EA20000140101FE5C5BA2150300015D5B15075E12
+0349010F133016C0031F13700007ED80605B17E0EE00C0000F15014915801603EE070000
+1FEC0F0E49EB07FC0007C7EA01F02C267EA432>110 D<90390F8003F090391FE00FFC90
+3939F03C1F903A70F8700F80903AE0FDE007C09038C0FF80030013E00001491303018015
+F05CEA038113015CA2D800031407A25CA20107140FA24A14E0A2010F141F17C05CEE3F80
+131FEE7F004A137E16FE013F5C6E485A4B5A6E485A90397F700F80DA383FC7FC90387E1F
+FCEC07E001FEC9FCA25BA21201A25BA21203A25B1207B512C0A32C3583A42A>112
+D E /Fk 5 54 df<13E01201120712FF12F91201B3A7487EB512C0A212217AA01E>49
+D<EA01FC3807FF80381C0FC0383003E0386001F0EB00F812F86C13FCA2147C1278003013
+FCC7FC14F8A2EB01F0EB03E014C0EB0780EB0F00131E13385B5B3801C00CEA0380380600
+185A5A383FFFF85AB512F0A216217CA01E>I<13FF000313C0380F03E0381C00F014F800
+3E13FC147CA2001E13FC120CC712F8A2EB01F0EB03E0EB0FC03801FF00A2380003E0EB00
+F01478147C143E143F1230127812FCA2143E48137E0060137C003813F8381E03F0380FFF
+C00001130018227DA01E>I<14E01301A213031307A2130D131D13391331136113E113C1
+EA01811203EA07011206120C121C12181230127012E0B6FCA2380001E0A6EB03F0EB3FFF
+A218227DA11E>I<00101330381E01F0381FFFE014C01480EBFE00EA1BF00018C7FCA513
+FE381BFF80381F03C0381C01E0381800F014F8C71278A2147CA21230127812F8A2147848
+13F8006013F0387001E01238381E07803807FF00EA01F816227CA01E>I
+E /Fl 133[37 42 42 60 42 46 28 32 37 1[46 42 46 69 23
+46 1[23 46 42 28 37 46 37 46 42 11[60 55 46 60 1[51 65
+60 78 1[65 1[32 65 2[55 60 60 1[60 18[21 28 21 47 40[46
+2[{TeXBase1Encoding ReEncodeFont}44 83.333336 /Times-Bold
+rf /Fm 131[50 1[50 50 50 50 50 50 50 50 50 50 50 50 50
+50 50 50 50 50 50 50 50 50 50 50 50 50 3[50 50 50 3[50
+50 50 50 50 50 1[50 50 50 1[50 1[50 50 50 1[50 50 50
+50 50 50 1[50 50 50 50 1[50 1[50 50 50 50 1[50 50 50
+50 50 50 50 50 50 50 50 50 1[50 50 50 2[50 33[{
+TeXBase1Encoding ReEncodeFont}74 83.333336 /Courier rf
+/Fn 5 54 df<13381378EA01F8121F12FE12E01200B3AB487EB512F8A215267BA521>49
+D<13FF000313E0380E03F0381800F848137C48137E00787F12FC6CEB1F80A4127CC7FC15
+005C143E147E147C5C495A495A5C495A010EC7FC5B5B903870018013E0EA018039030003
+0012065A001FB5FC5A485BB5FCA219267DA521>I<13FF000313E0380F01F8381C007C00
+30137E003C133E007E133FA4123CC7123E147E147C5C495AEB07E03801FF8091C7FC3800
+01E06D7E147C80143F801580A21238127C12FEA21500485B0078133E00705B6C5B381F01
+F03807FFC0C690C7FC19277DA521>I<1438A2147814F81301A2130313071306130C131C
+131813301370136013C012011380EA03005A120E120C121C5A12305A12E0B612E0A2C7EA
+F800A7497E90383FFFE0A21B277EA621>I<0018130C001F137CEBFFF85C5C1480D819FC
+C7FC0018C8FCA7137F3819FFE0381F81F0381E0078001C7F0018133EC7FC80A21580A212
+30127C12FCA3150012F00060133E127000305B001C5B380F03E03803FFC0C648C7FC1927
+7DA521>I E /Fo 136[44 1[33 18 26 26 1[33 33 1[48 1[29
+5[29 22[44 10[44 67[{TeXBase1Encoding ReEncodeFont}12
+66.666664 /Times-Italic rf /Fp 104[66 33 1[29 29 25[33
+33 48 33 33 18 26 22 33 33 33 33 52 18 33 1[18 33 33
+22 29 33 29 33 29 3[22 1[22 41 1[48 63 1[48 41 37 44
+1[37 48 48 59 41 1[26 22 48 1[37 41 48 44 44 48 6[18
+33 33 33 33 33 33 33 33 33 33 1[17 22 17 2[22 22 22 35[37
+37 2[{TeXBase1Encoding ReEncodeFont}70 66.666664 /Times-Roman
+rf /Fq 1 4 df<136013701360A20040132000E0137038F861F0387E67E0381FFF803807
+FE00EA00F0EA07FE381FFF80387E67E038F861F038E060700040132000001300A2137013
+6014157B9620>3 D E /Fr 134[37 37 55 37 42 23 32 32 42
+42 42 42 60 23 37 1[23 42 42 23 37 42 37 42 42 8[51 69
+1[60 46 42 51 1[51 60 55 69 46 2[28 60 60 51 51 1[55
+1[51 6[28 42 1[42 3[42 1[42 1[23 21 28 3[28 28 28 35[42
+3[{TeXBase1Encoding ReEncodeFont}54 83.333336 /Times-Italic
+rf /Fs 104[83 42 1[37 37 24[37 42 42 60 42 42 23 32 28
+42 42 42 42 65 23 42 23 23 42 42 28 37 42 37 42 37 3[28
+1[28 51 60 60 78 60 60 51 46 55 60 46 60 60 74 51 60
+32 28 60 60 46 51 60 55 55 60 5[23 23 42 42 42 42 42
+42 42 42 42 42 23 21 28 21 47 1[28 28 28 1[69 3[28 29[46
+46 2[{TeXBase1Encoding ReEncodeFont}82 83.333336 /Times-Roman
+rf /Ft 134[60 60 86 1[66 40 47 53 1[66 60 66 100 33 66
+1[33 66 60 40 53 66 53 66 60 12[80 66 86 8[47 2[73 80
+3[86 6[40 60 60 60 60 60 60 60 60 60 3[40 42[66 2[{
+TeXBase1Encoding ReEncodeFont}41 119.999947 /Times-Bold
+rf /Fu 1 4 df<130C131EA50060EB01800078130739FC0C0FC0007FEB3F80393F8C7F00
+3807CCF83801FFE038007F80011EC7FCEB7F803801FFE03807CCF8383F8C7F397F0C3F80
+00FCEB0FC039781E078000601301000090C7FCA5130C1A1D7C9E23>3
+D E /Fv 134[50 50 72 50 1[28 39 33 2[50 50 1[28 50 1[28
+50 50 33 44 50 44 50 44 10[72 1[61 55 66 1[55 1[72 1[61
+2[33 5[66 66 72 92 17[25 1[25 5[78 38[{TeXBase1Encoding ReEncodeFont}35
+100.000000 /Times-Roman rf /Fw 134[72 1[104 1[72 40 56
+48 2[72 72 112 40 72 1[40 1[72 48 64 72 64 1[64 12[88
+80 96 3[104 4[48 4[104 1[96 104 6[40 12[48 45[{
+TeXBase1Encoding ReEncodeFont}28 144.000000 /Times-Roman
+rf end
+%%EndProlog
+%%BeginSetup
+%%Feature: *Resolution 600dpi
+TeXDict begin
+
+%%EndSetup
+%%Page: 1 1
+1 0 bop 180 161 a Fw(Bro:)43 b(A)36 b(System)e(for)h(Detecting)f(Netw)o
+(ork)f(Intruders)h(in)i(Real-T)-5 b(ime)1700 402 y Fv(V)-11
+b(ern)25 b(P)o(axson)854 634 y(La)o(wrence)h(Berk)o(ele)o(y)f(National)
+f(Laboratory)-6 b(,)24 b(Berk)o(ele)o(y)-6 b(,)24 b(CA)3045
+598 y Fu(\003)1878 751 y Fv(and)792 867 y(A)-11 b(T&T)24
+b(Center)i(for)f(Internet)g(Research)h(at)f(ICSI,)h(Berk)o(ele)o(y)-6
+b(,)24 b(CA)1650 983 y(v)o(ern@aciri.or)n(g)-150 1309
+y Ft(Abstract)-150 1498 y Fs(W)-7 b(e)36 b(describe)f(Bro,)k(a)c
+(stand-alone)f(system)h(for)g(detecting)f(net-)-150 1598
+y(w)o(ork)c(intruders)f(in)i(real-time)e(by)h(passi)n(v)o(ely)g
+(monitoring)e(a)j(net-)-150 1698 y(w)o(ork)23 b(link)g(o)o(v)o(er)g
+(which)g(the)g(intruder')-5 b(s)23 b(traf)n(\002c)g(transits.)36
+b(W)-7 b(e)24 b(gi)n(v)o(e)-150 1797 y(an)c(o)o(v)o(ervie)n(w)e(of)h
+(the)h(system')-5 b(s)20 b(design,)f(which)h(emphasizes)f(high-)-150
+1897 y(speed)30 b(\(FDDI-rate\))f(monitoring,)i(real-time)f
+(noti\002cation,)i(clear)-150 1996 y(separation)18 b(between)g
+(mechanism)g(and)h(polic)o(y)-5 b(,)18 b(and)g(e)o(xtensibility)-5
+b(.)-150 2096 y(T)e(o)21 b(achie)n(v)o(e)f(these)h(ends,)g(Bro)g(is)h
+(di)n(vided)d(into)i(an)g(\223e)n(v)o(ent)f(engine\224)-150
+2196 y(that)e(reduces)f(a)h(k)o(ernel-\002ltered)e(netw)o(ork)g(traf)n
+(\002c)i(stream)f(into)h(a)g(se-)-150 2295 y(ries)27
+b(of)f(higher)n(-le)n(v)o(el)f(e)n(v)o(ents,)i(and)f(a)h(\223polic)o(y)
+f(script)g(interpreter\224)-150 2395 y(that)33 b(interprets)g(e)n(v)o
+(ent)f(handlers)g(written)h(in)h(a)f(specialized)g(lan-)-150
+2495 y(guage)17 b(used)g(to)h(e)o(xpress)g(a)g(site')-5
+b(s)19 b(security)e(polic)o(y)-5 b(.)23 b(Ev)o(ent)17
+b(handlers)-150 2594 y(can)24 b(update)f(state)i(information,)e
+(synthesize)h(ne)n(w)g(e)n(v)o(ents,)g(record)-150 2694
+y(information)e(to)i(disk,)g(and)g(generate)e(real-time)i
+(noti\002cations)f(via)-150 2793 y Fr(syslo)o(g)p Fs(.)62
+b(W)-7 b(e)34 b(also)f(discuss)g(a)g(number)d(of)j(attacks)f(that)h
+(attempt)-150 2893 y(to)25 b(sub)o(v)o(ert)f(passi)n(v)o(e)h
+(monitoring)e(systems)j(and)f(defenses)f(against)-150
+2993 y(these,)k(and)f(gi)n(v)o(e)f(particulars)f(of)i(ho)n(w)f(Bro)h
+(analyzes)f(the)h(six)g(ap-)-150 3092 y(plications)22
+b(inte)o(grated)e(into)i(it)h(so)g(f)o(ar:)29 b(Finger)m(,)22
+b(FTP)-9 b(,)22 b(Portmapper)m(,)-150 3192 y(Ident,)d(T)-6
+b(elnet)20 b(and)f(Rlogin.)24 b(The)c(system)g(is)h(publicly)d(a)n(v)n
+(ailable)h(in)-150 3292 y(source)g(code)h(form.)-150
+3584 y Ft(1)119 b(Intr)n(oduction)-150 3774 y Fs(W)m(ith)31
+b(gro)n(wing)f(Internet)g(connecti)n(vity)f(comes)i(gro)n(wing)e(oppor)
+n(-)-150 3873 y(tunities)j(for)e(attack)o(ers)i(to)f(illicitly)h
+(access)h(computers)c(o)o(v)o(er)i(the)-150 3973 y(netw)o(ork.)51
+b(The)29 b(problem)e(of)i(detecting)f(such)h(attacks)g(is)h(termed)-150
+4073 y Fr(network)19 b(intrusion)f(detection)p Fs(,)g(a)h(relati)n(v)o
+(ely)f(ne)n(w)g(area)h(of)f(security)-150 4172 y(research)29
+b([MHL94)n(].)53 b(W)-7 b(e)31 b(can)e(di)n(vide)g(these)h(systems)g
+(into)f(tw)o(o)-150 4272 y(types,)h(those)f(that)g(rely)f(on)g(audit)g
+(information)f(gathered)f(by)j(the)-150 4372 y(hosts)19
+b(in)h(the)f(netw)o(ork)e(the)o(y)i(are)g(trying)f(to)h(protect,)f(and)
+h(those)f(that)-150 4471 y(operate)24 b(\223stand-alone\224)f(by)h
+(observing)f(netw)o(ork)h(traf)n(\002c)h(directly)-5
+b(,)-150 4571 y(and)23 b(passi)n(v)o(ely)-5 b(,)23 b(using)g(a)h(pack)o
+(et)f(\002lter)-5 b(.)36 b(There)23 b(is)i(also)f(increasing)-150
+4670 y(interest)29 b(in)f(b)n(uilding)f(hybrid)g(systems)i(that)g
+(combine)e(these)h(tw)o(o)-150 4770 y(approaches)18 b([Ax99)n(].)p
+-150 4850 801 4 v -66 4903 a Fq(\003)-30 4927 y Fp(This)f(paper)h
+(appears)h(in)f Fo(Computer)g(Networks)p Fp(,)h(31\(23\22624\),)f(pp.)g
+(2435\2262463,)-150 5006 y(14)i(Dec.)h(1999.)31 b(This)20
+b(w)o(ork)g(w)o(as)h(supported)h(by)e(the)h(Director)m(,)i(Of)n(\002ce)
+e(of)f(Ener)o(gy)-150 5085 y(Research,)k(Of)n(\002ce)e(of)f
+(Computational)k(and)d(T)-5 b(echnology)23 b(Research,)h(Mathemati-)
+-150 5163 y(cal,)17 b(Information,)i(and)e(Computational)j(Sciences)f
+(Di)n(vision)f(of)f(the)g(United)h(States)-150 5242 y(Department)k(of)f
+(Ener)o(gy)f(under)h(Contract)i(No.)c(DE-A)m(C03-76SF00098.)32
+b(An)20 b(ear)o(-)-150 5321 y(lier)j(v)o(ersion)g(of)f(this)g(paper)h
+(appeared)h(in)e(the)h(Proceedings)h(of)e(the)g(7th)h(USENIX)-150
+5400 y(Security)c(Symposium,)e(San)g(Antonio,)h(TX,)d(January)k(1998.)
+2132 1309 y Fs(In)25 b(this)h(paper)e(we)i(focus)f(on)g(the)g(problem)f
+(of)h(b)n(uilding)f(stand-)2049 1408 y(alone)15 b(systems,)i(which)e
+(we)h(will)h(term)e(\223monitors.)-6 b(\224)22 b(Though)14
+b(mon-)2049 1508 y(itors)28 b(necessarily)g(f)o(ace)g(the)g(dif)n
+(\002culties)g(of)g(more)g(limited)g(infor)n(-)2049 1607
+y(mation)35 b(than)g(systems)h(with)f(access)h(to)g(audit)f(trails,)40
+b(monitors)2049 1707 y(also)26 b(gain)f(the)g(major)g(bene\002t)h(that)
+f(the)o(y)g(can)h(be)f(added)g(to)h(a)g(net-)2049 1807
+y(w)o(ork)k(without)g(requiring)e(an)o(y)i(changes)f(to)i(the)f(hosts.)
+56 b(F)o(or)30 b(our)2049 1906 y(purposes\227monitoring)22
+b(a)k(collection)f(of)h(se)n(v)o(eral)g(thousand)e(het-)2049
+2006 y(erogeneous,)17 b(di)n(v)o(ersely-administered)f(hosts\227this)k
+(adv)n(antage)e(is)2049 2106 y(immense.)2132 2211 y(Our)34
+b(monitoring)e(system)j(is)h(called)e(Bro)h(\(an)f(Orwellian)g(re-)2049
+2311 y(minder)f(that)h(monitoring)e(comes)i(hand)f(in)i(hand)e(with)h
+(the)g(po-)2049 2410 y(tential)48 b(for)f(pri)n(v)n(ac)o(y)e
+(violations\).)106 b(A)48 b(number)e(of)h(commer)n(-)2049
+2510 y(cial)35 b(products)d(e)o(xist)j(that)f(do)g(what)g(Bro)g(does,)k
+(generally)32 b(with)2049 2609 y(much)f(more)g(sophisticated)g(interf)o
+(aces)g(and)g(management)f(soft-)2049 2709 y(w)o(are)f([In99)n(,)h(T)-7
+b(o99)n(,)30 b(Ci99],)2900 2679 y Fn(1)2968 2709 y Fs(and)f(lar)o(ger)f
+(\223attack)h(signature\224)f(li-)2049 2809 y(braries.)51
+b(T)-7 b(o)29 b(our)f(kno)n(wledge,)h(ho)n(we)n(v)o(er)m(,)g(there)g
+(are)g(no)f(detailed)2049 2908 y(accounts)c(in)h(the)h(netw)o(ork)d
+(security)i(literature)f(of)h(ho)n(w)g(monitors)2049
+3008 y(can)f(be)h(b)n(uilt.)38 b(Furthermore,)23 b(monitors)g(can)i(be)
+f(susceptible)g(to)h(a)2049 3108 y(number)j(of)h(attacks)h(aimed)f(at)h
+(sub)o(v)o(erting)d(the)j(monitoring;)i(we)2049 3207
+y(belie)n(v)o(e)19 b(the)i(attacks)f(we)h(discuss)f(here)g(ha)n(v)o(e)g
+(not)g(been)g(pre)n(viously)2049 3307 y(described)g(in)i(the)g
+(literature.)29 b(Thus,)21 b(the)h(contrib)n(ution)d(of)j(this)g(pa-)
+2049 3406 y(per)h(is)i(not)e(at)h(heart)f(a)h(no)o(v)o(el)e(idea)h
+(\(though)f(we)i(belie)n(v)o(ed)e(it)i(no)o(v)o(el)2049
+3506 y(when)30 b(we)h(undertook)c(the)k(project,)h(in)e(1995\),)h(b)n
+(ut)g(rather)e(a)i(de-)2049 3606 y(tailed)i(o)o(v)o(ervie)n(w)d(of)i
+(some)h(e)o(xperiences)e(with)h(b)n(uilding)g(such)g(a)2049
+3705 y(system.)2132 3811 y(Prior)16 b(to)g(de)n(v)o(eloping)e(Bro,)j
+(we)f(had)g(signi\002cant)g(operational)e(e)o(x-)2049
+3910 y(perience)20 b(with)i(a)g(simpler)g(system)f(based)h(on)f(of)n
+(f-line)f(analysis)i(of)2049 4010 y Fm(tcpdump)29 b Fs([JLM89)o(])h
+(trace)f(\002les.)55 b(Out)30 b(of)g(this)g(e)o(xperience)e(we)2049
+4110 y(formulated)18 b(a)j(number)d(of)i(design)f(goals)i(and)e
+(requirements:)2049 4315 y Fl(High-speed,)h(lar)o(ge)g(v)o(olume)g
+(monitoring)40 b Fs(F)o(or)69 b(our)f(en)m(viron-)2215
+4415 y(ment,)20 b(we)h(vie)n(w)f(the)h(greatest)f(source)g(of)g
+(threats)h(as)g(e)o(xternal)2215 4515 y(hosts)28 b(connecting)d(to)j
+(our)f(hosts)g(o)o(v)o(er)f(the)i(Internet.)46 b(Since)2215
+4614 y(the)28 b(netw)o(ork)f(we)i(w)o(ant)f(to)g(protect)g(has)g(a)h
+(single)f(link)f(con-)2215 4714 y(necting)e(it)i(to)g(the)f(remainder)f
+(of)h(the)g(Internet)f(\(a)h(\223DMZ\224\),)2215 4814
+y(we)42 b(can)f(economically)f(monitor)g(our)h(greatest)g(potential)
+2215 4913 y(source)23 b(of)g(attacks)g(by)g(passi)n(v)o(ely)f(w)o
+(atching)h(the)g(DMZ)g(link.)p 2049 5007 V 2134 5061
+a Fk(1)2169 5085 y Fp(Or)18 b(at)h(least)h(appear)m(,)h(according)g(to)
+e(their)h(product)g(literature,)i(to)d(do)g(the)h(same)2049
+5163 y(things\227we)f(do)e(not)g(ha)o(v)o(e)h(direct)h(e)o(xperience)h
+(with)e(an)o(y)f(of)g(these)h(products.)2115 5242 y(A)h(some)n(what)i
+(dif)n(ferent)h(sort)d(of)g(product,)i(the)f(\223Netw)o(ork)h(Flight)g
+(Recorder)m(,)-5 b(\224)23 b(is)2049 5321 y(described)d(in)e([RLSSL)-5
+b(W97)o(],)17 b(though)i(it)f(is)g(no)n(w)f(increasingly)k(used)d(for)g
+(intrusion)2049 5400 y(detection)i([Ne99)q(].)1929 5649
+y Fs(1)p eop
+%%Page: 2 2
+2 1 bop 16 -104 a Fs(Ho)n(we)n(v)o(er)m(,)22 b(the)i(link)f(is)h(an)g
+(FDDI)g(ring,)f(so)h(to)g(monitor)e(it)i(re-)16 -5 y(quires)g(a)h
+(system)g(that)f(can)h(capture)e(traf)n(\002c)h(at)h(speeds)g(of)f(up)
+16 95 y(to)c(100)g(Mbps.)-150 266 y Fl(No)g(pack)o(et)g(\002lter)h(dr)o
+(ops)41 b Fs(If)25 b(an)h(application)e(using)h(a)h(pack)o(et)f(\002l-)
+16 366 y(ter)20 b(cannot)e(consume)g(pack)o(ets)h(as)i(quickly)d(as)i
+(the)o(y)f(arri)n(v)o(e)f(on)16 466 y(the)25 b(monitored)d(link,)j
+(then)f(the)h(\002lter)g(will)g(b)n(uf)n(fer)e(the)i(pack-)16
+565 y(ets)g(for)g(later)f(consumption.)36 b(Ho)n(we)n(v)o(er)m(,)24
+b(e)n(v)o(entually)e(the)j(\002l-)16 665 y(ter)30 b(will)g(run)e(out)h
+(of)h(b)n(uf)n(fer)m(,)f(at)h(which)f(point)g(it)h Fr(dr)l(ops)f
+Fs(an)o(y)16 765 y(further)i(pack)o(ets)g(that)h(arri)n(v)o(e.)60
+b(From)31 b(a)i(security)e(monitor)n(-)16 864 y(ing)25
+b(perspecti)n(v)o(e,)h(drops)e(can)i(completely)e(defeat)h(the)h(mon-)
+16 964 y(itoring,)41 b(since)c(the)h(missing)g(pack)o(ets)f(might)g
+(contain)f(e)o(x-)16 1063 y(actly)24 b(the)g(interesting)f(traf)n
+(\002c)h(that)g(identi\002es)g(a)g(netw)o(ork)f(in-)16
+1163 y(truder)-5 b(.)27 b(Gi)n(v)o(en)21 b(our)f(\002rst)i(design)f
+(requirement\227high-speed)16 1263 y(monitoring\227then)c(a)n(v)n
+(oiding)i(pack)o(et)h(\002lter)h(drops)f(becomes)16 1362
+y(another)f(strong)g(requirement.)16 1498 y(It)25 b(is)h(sometimes)f
+(tempting)f(to)h(dismiss)g(a)h(problem)d(such)i(as)16
+1598 y(pack)o(et)h(\002lter)h(drops)e(with)i(an)f(ar)o(gument)e(that)i
+(it)h(is)h(unlik)o(ely)16 1697 y(a)e(traf)n(\002c)g(spik)o(e)f(will)i
+(occur)d(at)i(the)g(same)g(time)g(as)g(an)g(attack)16
+1797 y(happens)j(to)h(be)g(underw)o(ay)-5 b(.)52 b(This)31
+b(ar)o(gument,)f(ho)n(we)n(v)o(er)m(,)g(is)16 1896 y(completely)e
+(undermined)f(if)j(we)h(assume)e(that)h(an)g(attack)o(er)16
+1996 y(might,)35 b(in)e(parallel)f(with)h(a)h(break-in)d(attempt,)k
+Fr(attac)n(k)e(the)16 2096 y(monitor)20 b(itself)33 b
+Fs(\(see)20 b(belo)n(w\).)-150 2267 y Fl(Real-time)g(noti\002cation)39
+b Fs(One)50 b(of)f(our)g(main)g(dissatisf)o(actions)16
+2367 y(with)31 b(our)e(initial)i(of)n(f-line)e(system)h(w)o(as)h(the)g
+(lengthy)d(delay)16 2467 y(incurred)33 b(before)h(detecting)g(an)h
+(attack.)69 b(If)35 b(an)g(attack,)j(or)16 2566 y(an)25
+b(attempted)f(attack,)h(is)h(detected)e(quickly)-5 b(,)24
+b(then)g(it)i(can)f(be)16 2666 y(much)c(easier)h(to)g(trace)g(back)f
+(the)h(attack)o(er)f(\(for)g(e)o(xample,)g(by)16 2765
+y(telephoning)d(the)i(site)h(from)d(which)i(the)o(y)f(are)h(coming\),)e
+(min-)16 2865 y(imize)35 b(damage,)i(pre)n(v)o(ent)c(further)g
+(break-ins,)k(and)d(initiate)16 2965 y(full)28 b(recording)d(of)j(all)h
+(of)e(the)h(attack)o(er')-5 b(s)28 b(netw)o(ork)f(acti)n(vity)-5
+b(.)16 3064 y(Therefore,)24 b(one)h(of)g(our)f(requirements)g(for)g
+(Bro)h(w)o(as)i(that)e(it)16 3164 y(detect)i(attacks)g(in)g(real-time.)
+44 b(This)27 b(is)g(not)g(to)g(discount)f(the)16 3264
+y(enormous)e(utility)i(of)f(k)o(eeping)f(e)o(xtensi)n(v)o(e,)i
+(permanent)e(logs)16 3363 y(of)g(netw)o(ork)e(acti)n(vity)i(for)f
+(later)h(analysis.)36 b(In)m(v)n(ariably)-5 b(,)21 b(when)16
+3463 y(we)28 b(ha)n(v)o(e)e(suf)n(fered)g(a)h(break-in,)g(we)h(turn)e
+(to)i(these)f(logs)g(for)16 3562 y(retrospecti)n(v)o(e)20
+b(damage)g(assessment,)i(sometimes)f(searching)16 3662
+y(back)f(a)g(number)f(of)g(months.)-150 3834 y Fl(Mechanism)i(separate)
+f(fr)o(om)f(policy)41 b Fs(Sound)h(softw)o(are)g(design)16
+3933 y(often)29 b(stresses)j(constructing)c(a)i(clear)g(separation)f
+(between)16 4033 y(mechanism)g(and)i(polic)o(y;)k(done)29
+b(properly)-5 b(,)31 b(this)g(b)n(uys)f(both)16 4133
+y(simplicity)f(and)g(\003e)o(xibility)-5 b(.)53 b(The)29
+b(problems)f(f)o(aced)h(by)g(our)16 4232 y(system)19
+b(particularly)d(bene\002t)i(from)g(separating)f(the)h(tw)o(o:)25
+b(be-)16 4332 y(cause)32 b(we)f(ha)n(v)o(e)g(a)h(f)o(airly)f(high)g(v)n
+(olume)g(of)g(traf)n(\002c)g(to)h(deal)16 4431 y(with,)i(we)d(need)f
+(to)h(be)g(able)f(to)h(easily)h(trade-of)n(f)c(at)k(dif)n(fer)n(-)16
+4531 y(ent)19 b(times)g(ho)n(w)g(we)g(\002lter)m(,)g(inspect)g(and)f
+(respond)f(to)i(dif)n(ferent)16 4631 y(types)d(of)h(traf)n(\002c.)23
+b(If)16 b(we)h(hardwired)e(these)h(responses)g(into)h(the)16
+4730 y(system,)j(then)g(these)g(changes)g(w)o(ould)f(be)h(cumbersome)e
+(\(and)16 4830 y(error)n(-prone\))f(to)j(mak)o(e.)-150
+5001 y Fl(Extensible)42 b Fs(Because)27 b(there)h(are)f(an)h(enormous)e
+(number)g(of)h(dif-)16 5101 y(ferent)39 b(netw)o(ork)g(attacks,)45
+b(with)40 b(who)g(kno)n(ws)f(ho)n(w)h(man)o(y)16 5201
+y(w)o(aiting)32 b(to)h(be)g(disco)o(v)o(ered,)g(the)f(system)h(clearly)
+f(must)h(be)16 5300 y(designed)17 b(in)h(order)f(to)h(mak)o(e)g(it)h
+(easy)f(to)g(add)g(to)g(it)h(kno)n(wledge)16 5400 y(of)25
+b(ne)n(w)g(types)f(of)h(attacks.)40 b(In)24 b(addition,)h(while)g(our)f
+(system)2215 -104 y(is)e(a)f(research)f(project,)g(it)i(is)g(at)g(the)f
+(same)g(time)g(a)g(production)2215 -5 y(system)30 b(that)h(plays)f(a)g
+(signi\002cant)g(role)f(in)i(our)e(daily)h(secu-)2215
+95 y(rity)h(operations.)56 b(Consequently)-5 b(,)31 b(we)g(need)f(to)i
+(be)f(able)f(to)2215 194 y(upgrade)18 b(it)j(in)f(small,)h(easily)f
+(deb)n(ugged)e(increments.)2049 394 y Fl(A)-8 b(v)o(oid)20
+b(simple)h(mistak)o(es)42 b Fs(Of)19 b(course,)g(we)g(al)o(w)o(ays)h(w)
+o(ant)f(to)h(a)n(v)n(oid)2215 493 y(mistak)o(es.)36 b(Ho)n(we)n(v)o(er)
+m(,)23 b(here)g(we)i(mean)e(that)h(we)g(particularly)2215
+593 y(desire)k(that)g(the)g(w)o(ay)g(that)g(a)h(site)g(de\002nes)f(its)
+h(security)e(pol-)2215 693 y(ic)o(y)22 b(be)g(both)f(clear)h(and)f(as)i
+(error)n(-free)c(as)k(possible.)30 b(\(F)o(or)21 b(e)o(x-)2215
+792 y(ample,)j(we)g(w)o(ould)f(not)g(consider)f(e)o(xpressing)g(the)i
+(polic)o(y)e(in)2215 892 y(C)f(code)f(as)h(meeting)e(these)h(goals.\))
+2049 1091 y Fl(The)h(monitor)f(will)h(be)g(attack)o(ed)40
+b Fs(W)-7 b(e)18 b(must)f(assume)h(that)f(attack-)2215
+1191 y(ers)30 b(will)h(\(e)n(v)o(entually\))c(ha)n(v)o(e)i(full)h(kno)n
+(wledge)e(of)h(the)h(tech-)2215 1290 y(niques)j(used)g(by)g(the)h
+(monitor)m(,)g(and)f(access)h(to)g(its)g(source)2215
+1390 y(code,)29 b(and)f(will)h(use)g(this)g(kno)n(wledge)d(in)i
+(attempts)h(to)f(sub-)2215 1490 y(v)o(ert)c(or)h(o)o(v)o(erwhelm)d(the)
+j(monitor)e(so)i(that)g(it)g(f)o(ails)h(to)f(detect)2215
+1589 y(the)18 b(attack)o(er')-5 b(s)17 b(break-in)f(acti)n(vity)-5
+b(.)23 b(This)18 b(assumption)f(signi\002-)2215 1689
+y(cantly)f(complicates)g(the)h(design)f(of)h(the)g(monitor;)f(b)n(ut)h
+(f)o(ailing)2215 1788 y(to)j(address)g(it)h(is)g(to)g(b)n(uild)e(a)i
+(house)e(of)h(cards.)2215 1938 y(W)-7 b(e)22 b(do,)f(ho)n(we)n(v)o(er)m
+(,)e(allo)n(w)i(one)g(further)f(assumption,)g(namely)2215
+2038 y(that)34 b Fr(the)f(monitor)h(will)g(only)f(be)h(attac)n(k)o(ed)f
+(fr)l(om)h(one)f(end)p Fs(.)2215 2137 y(That)c(is,)k(gi)n(v)o(en)28
+b(a)i(netw)o(ork)f(connection)e(between)i(hosts)h Fj(A)2215
+2237 y Fs(and)21 b Fj(B)t Fs(,)h(we)g(assume)f(that)g(at)h(most)g(one)e
+(of)h Fj(A)i Fs(or)e Fj(B)26 b Fs(has)21 b(been)2215
+2336 y(compromised)k(and)i(might)g(try)h(to)g(attack)f(the)h(monitor)m
+(,)g(b)n(ut)2215 2436 y(not)c(both.)37 b(This)25 b(assumption)e
+(greatly)h(aids)g(in)h(dealing)e(with)2215 2536 y(the)29
+b(problem)d(of)i(attacks)h(on)f(the)h(monitor)m(,)f(since)h(it)g(means)
+2215 2635 y(that)g Fr(we)i(can)d(trust)j(one)d(of)i(the)f(endpoints)f
+Fs(\(though)f(we)j(do)2215 2735 y(not)20 b(kno)n(w)f(which\).)2215
+2884 y(In)26 b(addition,)g(we)g(note)f(that)i(this)f(second)f
+(assumption)g(costs)2215 2984 y(us)17 b(virtually)e(nothing.)22
+b(If,)17 b(indeed,)f(both)g Fj(A)h Fs(and)f Fj(B)21 b
+Fs(ha)n(v)o(e)16 b(been)2215 3084 y(compromised,)28 b(then)g(the)h
+(attack)o(er)g(can)f(establish)h(intricate)2215 3183
+y(co)o(v)o(ert)19 b(channels)g(between)h(the)g(tw)o(o.)25
+b(These)20 b(can)g(be)g(immea-)2215 3283 y(surably)27
+b(hard)g(to)i(detect,)h(depending)25 b(on)j(ho)n(w)g(de)n(vious)f(the)
+2215 3383 y(channel)18 b(is;)i(that)f(our)e(system)i(f)o(ails)h(to)f
+(do)f(so)h(only)f(means)g(we)2215 3482 y(gi)n(v)o(e)h(up)h(on)g
+(something)f(e)o(xtremely)f(dif)n(\002cult)i(an)o(yw)o(ay)-5
+b(.)2132 3698 y(A)28 b(\002nal)g(important)f(point)g(concerns)f(the)i
+(broader)e(conte)o(xt)g(for)2049 3798 y(our)20 b(monitoring)e(system.)
+27 b(Our)21 b(site)g(is)h(engaged)c(in)j(basic,)g(unclas-)2049
+3897 y(si\002ed)k(research.)37 b(The)24 b(consequences)f(of)h(a)h
+(break-in)e(are)h(usually)2049 3997 y(limited)31 b(to)g(\(potentially)f
+(signi\002cant\))g(e)o(xpenditure)e(in)k(lost)f(time)2049
+4097 y(and)d(re-securing)e(the)j(compromised)d(machines,)j(and)f
+(perhaps)f(a)2049 4196 y(tarnished)20 b(public)g(image)h(depending)d
+(on)j(the)g(subsequent)f(actions)2049 4296 y(of)g(the)g(attack)o(ers.)
+25 b(Thus,)20 b(while)g(we)h(v)o(ery)e(much)h(aim)g(to)g(minimize)2049
+4395 y(break-in)d(acti)n(vity)-5 b(,)19 b(we)g(do)g(not)f(try)h(to)h
+(achie)n(v)o(e)e(\223airtight\224)g(security)-5 b(.)2049
+4495 y(W)e(e)18 b(instead)f(emphasize)f(monitoring)f(o)o(v)o(er)h
+(blocking)f(when)i(possi-)2049 4595 y(ble.)31 b(Ob)o(viously)-5
+b(,)20 b(other)h(sites)j(may)d(ha)n(v)o(e)h(quite)g(dif)n(ferent)e
+(security)2049 4694 y(priorities,)f(which)h(we)h(do)e(not)h(claim)g(to)
+h(address.)2132 4802 y(In)i(the)h(remainder)e(of)h(this)h(paper)f(we)h
+(discuss)g(ho)n(w)f(the)g(design)2049 4902 y(of)d(Bro)h(attempts)f(to)h
+(meet)f(these)h(goals)f(and)g(constraints.)25 b(First,)c(in)2049
+5001 y Fi(x)d Fs(2)g(we)g(gi)n(v)o(e)e(an)i(o)o(v)o(ervie)n(w)d(of)j
+(the)f(structure)g(of)g(the)h(whole)f(system.)2049 5101
+y Fi(x)23 b Fs(3)f(presents)g(the)h(specialized)f Fm(Bro)g
+Fs(language)f(used)h(to)g(e)o(xpress)g(a)2049 5201 y(site')-5
+b(s)21 b(security)e(polic)o(y)-5 b(.)23 b(W)-7 b(e)20
+b(turn)f(in)h Fi(x)g Fs(4)f(to)h(the)g(details)f(of)h(ho)n(w)f(the)2049
+5300 y(system)29 b(is)h(currently)e(implemented.)49 b
+Fi(x)30 b Fs(5)f(discusses)h(attacks)f(on)2049 5400 y(the)23
+b(monitoring)e(system.)33 b Fi(x)24 b Fs(6)f(looks)f(at)i(the)f
+(specialized)g(analysis)1929 5649 y(2)p eop
+%%Page: 3 3
+3 2 bop 175 -187 a
+ 10656645 18968821 0 0 33285570 59269365 startTexFig
+ 175 -187 a
+%%BeginDocument: structure.eps
+%Magnification: 1.00
+/$F2psDict 200 dict def
+$F2psDict begin
+$F2psDict /mtrx matrix put
+/col-1 {0 setgray} bind def
+/col0 {0.000 0.000 0.000 srgb} bind def
+/col1 {0.000 0.000 1.000 srgb} bind def
+/col2 {0.000 1.000 0.000 srgb} bind def
+/col3 {0.000 1.000 1.000 srgb} bind def
+/col4 {1.000 0.000 0.000 srgb} bind def
+/col5 {1.000 0.000 1.000 srgb} bind def
+/col6 {1.000 1.000 0.000 srgb} bind def
+/col7 {1.000 1.000 1.000 srgb} bind def
+/col8 {0.000 0.000 0.560 srgb} bind def
+/col9 {0.000 0.000 0.690 srgb} bind def
+/col10 {0.000 0.000 0.820 srgb} bind def
+/col11 {0.530 0.810 1.000 srgb} bind def
+/col12 {0.000 0.560 0.000 srgb} bind def
+/col13 {0.000 0.690 0.000 srgb} bind def
+/col14 {0.000 0.820 0.000 srgb} bind def
+/col15 {0.000 0.560 0.560 srgb} bind def
+/col16 {0.000 0.690 0.690 srgb} bind def
+/col17 {0.000 0.820 0.820 srgb} bind def
+/col18 {0.560 0.000 0.000 srgb} bind def
+/col19 {0.690 0.000 0.000 srgb} bind def
+/col20 {0.820 0.000 0.000 srgb} bind def
+/col21 {0.560 0.000 0.560 srgb} bind def
+/col22 {0.690 0.000 0.690 srgb} bind def
+/col23 {0.820 0.000 0.820 srgb} bind def
+/col24 {0.500 0.190 0.000 srgb} bind def
+/col25 {0.630 0.250 0.000 srgb} bind def
+/col26 {0.750 0.380 0.000 srgb} bind def
+/col27 {1.000 0.500 0.500 srgb} bind def
+/col28 {1.000 0.630 0.630 srgb} bind def
+/col29 {1.000 0.750 0.750 srgb} bind def
+/col30 {1.000 0.880 0.880 srgb} bind def
+/col31 {1.000 0.840 0.000 srgb} bind def
+
+end
+save
+-142.0 971.0 translate
+1 -1 scale
+
+/cp {closepath} bind def
+/ef {eofill} bind def
+/gr {grestore} bind def
+/gs {gsave} bind def
+/sa {save} bind def
+/rs {restore} bind def
+/l {lineto} bind def
+/m {moveto} bind def
+/rm {rmoveto} bind def
+/n {newpath} bind def
+/s {stroke} bind def
+/sh {show} bind def
+/slc {setlinecap} bind def
+/slj {setlinejoin} bind def
+/slw {setlinewidth} bind def
+/srgb {setrgbcolor} bind def
+/rot {rotate} bind def
+/sc {scale} bind def
+/sd {setdash} bind def
+/ff {findfont} bind def
+/sf {setfont} bind def
+/scf {scalefont} bind def
+/sw {stringwidth} bind def
+/tr {translate} bind def
+/tnt {dup dup currentrgbcolor
+  4 -2 roll dup 1 exch sub 3 -1 roll mul add
+  4 -2 roll dup 1 exch sub 3 -1 roll mul add
+  4 -2 roll dup 1 exch sub 3 -1 roll mul add srgb}
+  bind def
+/shd {dup dup currentrgbcolor 4 -2 roll mul 4 -2 roll mul
+  4 -2 roll mul srgb} bind def
+/$F2psBegin {$F2psDict begin /$F2psEnteredState save def} def
+/$F2psEnd {$F2psEnteredState restore end} def
+
+$F2psBegin
+10 setmiterlimit
+n 0 79200 m 0 0 l 61200 0 l 61200 79200 l cp clip
+ 0.06000 0.06000 sc
+7.500 slw
+% Polyline
+n 2385 5385 m 10785 5385 l 10785 3585 l 2385 3585 l cp gs col-1 s gr 
+% Polyline
+n 2385 8940 m 10785 8940 l 10785 7140 l 2385 7140 l cp gs col-1 s gr 
+60.000 slw
+% Polyline
+gs  clippath
+6435 13410 m 6585 12690 l 6735 13410 l 6735 12480 l 6435 12480 l  cp clip
+n 6585 14355 m 6585 12555 l gs col7 0.95 shd ef gr gs col-1 s gr gr
+
+% arrowhead
+n 6435 13410 m 6585 12690 l 6735 13410 l 6585 13290 l 6435 13410 l  cp gs 0.00 setgray ef gr  col-1 s
+7.500 slw
+% Polyline
+n 2385 12555 m 10785 12555 l 10785 10755 l 2385 10755 l cp gs col-1 s gr 
+45.000 slw
+% Polyline
+gs  clippath
+6465 9624 m 6585 9048 l 6705 9624 l 6705 8880 l 6465 8880 l  cp clip
+n 6585 10740 m 6585 8940 l gs col7 0.95 shd ef gr gs col-1 s gr gr
+
+% arrowhead
+n 6465 9624 m 6585 9048 l 6705 9624 l 6585 9528 l 6465 9624 l  cp gs 0.00 setgray ef gr  col-1 s
+30.000 slw
+% Polyline
+gs  clippath
+6495 5898 m 6585 5466 l 6675 5898 l 6675 5340 l 6495 5340 l  cp clip
+n 6585 7185 m 6585 5385 l gs col7 0.95 shd ef gr gs col-1 s gr gr
+
+% arrowhead
+n 6495 5898 m 6585 5466 l 6675 5898 l 6585 5826 l 6495 5898 l  cp gs 0.00 setgray ef gr  col-1 s
+15.000 slw
+% Polyline
+gs  clippath
+6540 1542 m 6600 1254 l 6660 1542 l 6660 1170 l 6540 1170 l  cp clip
+n 6600 3600 m 6600 1200 l gs col7 0.95 shd ef gr gs col-1 s gr gr
+
+% arrowhead
+n 6540 1542 m 6600 1254 l 6660 1542 l 6600 1494 l 6540 1542 l  cp gs 0.00 setgray ef gr  col-1 s
+% Polyline
+ [100.0] 0 sd
+gs  clippath
+3060 10506 m 3000 10746 l 2940 10506 l 2940 10830 l 3060 10830 l  cp clip
+n 3000 9000 m 3000 10800 l gs col7 0.95 shd ef gr gs col-1 s gr gr
+ [] 0 sd
+% arrowhead
+n 3060 10506 m 3000 10746 l 2940 10506 l 3000 10506 l 3060 10506 l  cp gs col7 1.00 shd ef gr  col-1 s
+% Polyline
+ [100.0] 0 sd
+gs  clippath
+3060 6906 m 3000 7146 l 2940 6906 l 2940 7230 l 3060 7230 l  cp clip
+n 3000 5400 m 3000 7200 l gs col7 0.95 shd ef gr gs col-1 s gr gr
+ [] 0 sd
+% arrowhead
+n 3060 6906 m 3000 7146 l 2940 6906 l 3000 6906 l 3060 6906 l  cp gs col7 1.00 shd ef gr  col-1 s
+% Polyline
+ [100.0] 0 sd
+gs  clippath
+3060 3306 m 3000 3546 l 2940 3306 l 2940 3630 l 3060 3630 l  cp clip
+n 3000 1200 m 3000 3600 l gs col7 0.95 shd ef gr gs col-1 s gr gr
+ [] 0 sd
+% arrowhead
+n 3060 3306 m 3000 3546 l 2940 3306 l 3000 3306 l 3060 3306 l  cp gs col7 1.00 shd ef gr  col-1 s
+7.500 slw
+% Polyline
+n 2385 14355 m 10785 14355 l 10785 16155 l 2385 16155 l cp gs col7 0.50 shd ef gr gs col-1 s gr 
+/Helvetica-Bold ff 540.00 scf sf
+5520 15442 m
+gs 1 -1 sc (Network) col-1 sh gr
+/Helvetica ff 360.00 scf sf
+6885 6405 m
+gs 1 -1 sc (Event stream) col-1 sh gr
+/Helvetica ff 360.00 scf sf
+6855 2835 m
+gs 1 -1 sc (Record to disk) col-1 sh gr
+/Helvetica ff 360.00 scf sf
+6825 2265 m
+gs 1 -1 sc (Real-time notification) col-1 sh gr
+/Helvetica ff 360.00 scf sf
+6885 9960 m
+gs 1 -1 sc (Filtered packet stream) col-1 sh gr
+/Times-Bold ff 540.00 scf sf
+6615 8220 m
+gs 1 -1 sc (Event Engine) dup sw pop 2 div neg 0 rm  col-1 sh gr
+/Helvetica ff 360.00 scf sf
+3210 2505 m
+gs 1 -1 sc (Policy script) col-1 sh gr
+/Helvetica ff 360.00 scf sf
+3210 6405 m
+gs 1 -1 sc (Event control) col-1 sh gr
+/Helvetica ff 360.00 scf sf
+3210 10005 m
+gs 1 -1 sc (Tcpdump filter) col-1 sh gr
+/Helvetica ff 360.00 scf sf
+6885 13575 m
+gs 1 -1 sc (Packet stream) col-1 sh gr
+/Times-Bold ff 540.00 scf sf
+6615 4665 m
+gs 1 -1 sc (Policy Script Interpreter) dup sw pop 2 div neg 0 rm  col-1 sh gr
+/Courier-Bold ff 540.00 scf sf
+6615 11835 m
+gs 1 -1 sc (libpcap) dup sw pop 2 div neg 0 rm  col-1 sh gr
+$F2psEnd
+rs
+%%EndDocument
+
+ endTexFig
+ 220 2398 a Fs(Figure)19 b(1:)25 b(Structure)20 b(of)f(the)i(Bro)f
+(system)-150 2675 y(Bro)d(does)h(for)e(six)i(Internet)e(applications:)
+23 b(FTP)-9 b(,)17 b(Finger)m(,)g(Portmap-)-150 2775
+y(per)m(,)22 b(Ident,)g(T)-6 b(elnet)22 b(and)g(Rlogin.)31
+b Fi(x)23 b Fs(7)g(gi)n(v)o(es)f(the)g(status)h(of)f(the)h(im-)-150
+2874 y(plementation)i(and)i(our)g(e)o(xperiences)e(with)j(it,)h
+(including)d(a)h(brief)-150 2974 y(assessment)d(of)g(its)g
+(performance.)33 b Fi(x)24 b Fs(8)g(of)n(fers)e(some)i(thoughts)e(on)
+-150 3074 y(future)28 b(directions.)51 b(Finally)-5 b(,)30
+b(an)f(Appendix)e(illustrates)j(ho)n(w)f(the)-150 3173
+y(dif)n(ferent)21 b(elements)h(of)g(the)g(system)h(come)e(together)g
+(for)h(monitor)n(-)-150 3273 y(ing)e(Finger)f(traf)n(\002c.)-150
+3580 y Ft(2)119 b(Structur)n(e)31 b(of)f(the)g(system)-150
+3775 y Fs(Bro)e(is)g(conceptually)e(di)n(vided)g(into)h(an)h(\223e)n(v)
+o(ent)f(engine\224)f(that)i(re-)-150 3874 y(duces)15
+b(a)g(stream)h(of)f(\(\002ltered\))f(pack)o(ets)h(to)g(a)h(stream)f(of)
+g(higher)n(-le)n(v)o(el)-150 3974 y(netw)o(ork)i(e)n(v)o(ents,)i(and)f
+(an)g(interpreter)f(for)h(a)h(specialized)f(language)-150
+4074 y(that)25 b(is)i(used)e(to)g(e)o(xpress)g(a)h(site')-5
+b(s)26 b(security)f(polic)o(y)-5 b(.)39 b(More)25 b(gener)n(-)-150
+4173 y(ally)-5 b(,)20 b(the)g(system)h(is)g(structured)e(in)i(layers,)f
+(as)h(sho)n(wn)e(in)i(Figure)f(1.)-150 4273 y(The)26
+b(lo)n(wer)n(-most)f(layers)h(process)g(the)h(greatest)f(v)n(olume)f
+(of)h(data,)-150 4373 y(and)20 b(hence)f(must)i(limit)g(the)f(w)o(ork)g
+(performed)d(to)k(a)g(minimum.)j(As)-150 4472 y(we)i(go)g(higher)e(up)h
+(through)f(the)i(layers,)g(the)g(data)g(stream)g(dimin-)-150
+4572 y(ishes,)g(allo)n(wing)d(for)g(more)h(processing)f(per)g(data)h
+(item.)38 b(This)24 b(ba-)-150 4671 y(sic)h(design)f(re\003ects)h(the)g
+(need)f(to)h(conserv)o(e)e(processing)g(as)j(much)-150
+4771 y(as)i(possible,)h(in)f(order)e(to)i(meet)f(the)h(goals)f(of)h
+(monitoring)d(high-)-150 4871 y(speed,)20 b(lar)o(ge)f(v)n(olume)g
+(traf)n(\002c)h(\003o)n(ws)g(without)g(dropping)d(pack)o(ets.)-150
+5135 y Fh(2.1)99 b Fg(libpcap)-150 5300 y Fs(From)18
+b(the)h(perspecti)n(v)o(e)f(of)g(the)h(rest)h(of)f(the)g(system,)g
+(just)g(abo)o(v)o(e)f(the)-150 5400 y(netw)o(ork)24 b(itself)i(is)g
+Fm(libpcap)e Fs([MLJ94)n(],)j(the)e(pack)o(et-capture)d(li-)2049
+-104 y(brary)j(used)h(by)g Fm(tcpdump)f Fs([JLM89)o(].)43
+b(Using)26 b Fm(libpcap)f Fs(gains)2049 -5 y(signi\002cant)34
+b(adv)n(antages:)51 b(it)35 b(isolates)g(Bro)f(from)f(details)i(of)f
+(the)2049 95 y(netw)o(ork)k(link)g(technology)f(\(Ethernet,)42
+b(FDDI,)d(SLIP)-9 b(,)39 b(etc.\);)48 b(it)2049 194 y(greatly)21
+b(aids)h(in)g(porting)f(Bro)g(to)i(dif)n(ferent)d(Unix)h(v)n(ariants)g
+(\(which)2049 294 y(also)28 b(mak)o(es)f(it)h(easier)f(to)h(upgrade)d
+(to)j(f)o(aster)f(hardw)o(are)f(as)i(it)g(be-)2049 394
+y(comes)34 b(a)n(v)n(ailable\);)41 b(and)34 b(it)h(means)f(that)g(Bro)h
+(can)f(also)h(operate)2049 493 y(on)c Fm(tcpdump)f Fs(sa)n(v)o(e)h
+(\002les,)k(making)29 b(of)n(f-line)h(de)n(v)o(elopment)e(and)2049
+593 y(analysis)20 b(easy)-5 b(.)2132 693 y(Another)24
+b(major)g(adv)n(antage)f(of)h Fm(libpcap)h Fs(is)g(that)g(if)h(the)f
+(host)2049 792 y(operating)41 b(system)i(pro)o(vides)e(a)i(suf)n
+(\002ciently)e(po)n(werful)g(k)o(ernel)2049 892 y(pack)o(et)32
+b(\002lter)m(,)k(such)d(as)h(BPF)g([MJ93)o(],)i(then)d
+Fm(libpcap)f Fs(do)n(wn-)2049 992 y(loads)18 b(the)f(\002lter)h(used)g
+(to)g(reduce)e(the)i(traf)n(\002c)f(into)h(the)g(k)o(ernel.)23
+b(Con-)2049 1091 y(sequently)-5 b(,)17 b(rather)g(than)h(ha)n(ving)g
+(to)g(haul)g(e)n(v)o(ery)f(pack)o(et)h(up)g(to)h(user)n(-)2049
+1191 y(le)n(v)o(el)30 b(merely)f(so)i(the)f(majority)f(can)h(be)g
+(discarded)f(\(if)h(the)g(\002lter)2049 1291 y(accepts)e(only)g(a)h
+(small)f(proportion)e(of)i(the)g(traf)n(\002c\),)i(the)e(rejected)2049
+1390 y(pack)o(ets)d(can)f(instead)h(be)g(discarded)e(in)i(the)g(k)o
+(ernel,)g(without)f(suf-)2049 1490 y(fering)i(a)i(conte)o(xt)e(switch)h
+(or)g(data)h(cop)o(ying.)44 b(W)m(inno)n(wing)26 b(do)n(wn)2049
+1589 y(the)c(pack)o(et)g(stream)g(as)h(soon)f(as)g(possible)g(greatly)g
+(abets)g(monitor)n(-)2049 1689 y(ing)e(at)h(high)e(speeds)h(without)f
+(losing)h(pack)o(ets.)2132 1789 y(The)26 b(k)o(e)o(y)g(to)h(pack)o(et)f
+(\002ltering)g(is,)j(of)d(course,)h(judicious)e(selec-)2049
+1889 y(tion)e(of)f(which)g(pack)o(ets)h(to)g(k)o(eep)f(and)h(which)f
+(to)h(discard.)32 b(F)o(or)23 b(the)2049 1988 y(application)17
+b(protocols)f(that)j(Bro)f(kno)n(ws)f(about,)h(it)h(captures)e(e)n(v)o
+(ery)2049 2088 y(pack)o(et,)25 b(so)g(it)g(can)f(analyze)g(ho)n(w)g
+(the)g(application)f(is)j(being)d(used.)2049 2187 y(In)d
+Fm(tcpdump)p Fs(')-5 b(s)20 b(\002ltering)f(language,)g(this)h(looks)g
+(lik)o(e:)2208 2351 y Ff(port)40 b(finger)f(or)g(port)g(ftp)h(or)f(tcp)
+h(port)f(113)g(or)2208 2430 y(port)h(telnet)f(or)g(port)g(login)h(or)f
+(port)g(111)2049 2613 y Fs(That)34 b(is,)k(the)c(\002lter)h(accepts)f
+(an)o(y)f(TCP)i(pack)o(ets)f(with)g(a)g(source)2049 2713
+y(or)g(destination)f(port)g(of)h(79)g(\(Finger\),)i(21)d(\(FTP\),)h
+(113)f(\(Ident\),)2049 2813 y(23)18 b(\(T)-6 b(elnet\),)17
+b(513)g(\(Rlogin\),)g(and)h(an)o(y)f(TCP)i(or)f(UDP)h(pack)o(ets)e
+(with)2049 2912 y(a)g(source)f(or)g(destination)f(port)h(of)g(111)g
+(\(Portmapper\).)21 b(In)16 b(addition,)2049 3012 y(Bro)k(uses:)2208
+3175 y Ff(tcp[13])39 b(&)h(7)g(!=)f(0)2049 3359 y Fs(to)19
+b(capture)f(an)o(y)g(TCP)i(pack)o(ets)e(with)h(the)g(SYN,)g(FIN,)g(or)g
+(RST)g(con-)2049 3458 y(trol)i(bits)g(set.)27 b(These)21
+b(pack)o(ets)f(delimit)h(the)f(be)o(ginning)f(\(SYN\))h(and)2049
+3558 y(end)f(\(FIN)g(or)h(RST\))g(of)f(each)g(TCP)i(connection.)h
+(Because)e(TCP/IP)2049 3658 y(pack)o(et)i(headers)g(contain)f
+(considerable)g(information)f(about)i(each)2049 3757
+y(TCP)36 b(connection,)i(from)c(just)i(these)g(control)e(pack)o(ets)i
+(one)f(can)2049 3857 y(e)o(xtract)30 b(connection)e(start)j(time,)j
+(duration,)d(participating)e(hosts,)2049 3957 y(ports)15
+b(\(and)g(hence,)g(generally)-5 b(,)15 b(the)g(application)f
+(protocol\),)h(and)g(the)2049 4056 y(number)24 b(of)h(bytes)h(sent)g
+(in)f(each)h(direction.)40 b(Thus,)26 b(by)f(capturing)2049
+4156 y(on)f(the)g(order)f(of)i(only)e(4)h(pack)o(ets)h(\(the)f(tw)o(o)g
+(initial)h(SYN)g(pack)o(ets)2049 4255 y(e)o(xchanged,)30
+b(and)g(the)g(\002nal)h(tw)o(o)g(FIN)f(pack)o(ets)g(e)o(xchanged\),)g
+(we)2049 4355 y(can)c(determine)f(a)i(great)f(deal)g(about)g(a)h
+(connection)d(e)n(v)o(en)h(though)2049 4455 y(we)c(\002lter)f(out)g
+(all)h(of)f(its)h(data)f(pack)o(ets.)2132 4555 y(The)g(\002nal)g
+(\002lter)h(we)f(use)h(is:)2208 4718 y Ff(ip[6:2])39
+b(&)h(0x3fff)f(!=)g(0)2049 4902 y Fs(which)f(captures)g(IP)i
+(fragments,)i(necessary)c(for)g(sound)g(traf)n(\002c)2049
+5001 y(analysis,)21 b(and)g(also)g(to)h(protect)e(against)h(particular)
+e(attacks)j(on)f(the)2049 5101 y(monitoring)d(system)i
+Fi(x)h Fs(5.3.)2132 5201 y(When)j(using)f(a)i(pack)o(et)e(\002lter)m(,)
+i(one)e(must)h(also)g(choose)f(a)i Fr(snap-)2049 5300
+y(shot)37 b(length)p Fs(,)j(which)c(determines)g(ho)n(w)h(much)f(of)g
+(each)h(pack)o(et)2049 5400 y(should)20 b(be)g(captured.)25
+b(F)o(or)20 b(e)o(xample,)f(by)h(def)o(ault)g Fm(tcpdump)g
+Fs(uses)1929 5649 y(3)p eop
+%%Page: 4 4
+4 3 bop -150 -104 a Fs(a)20 b(snapshot)e(length)g(of)h(68)g(bytes,)g
+(which)f(suf)n(\002ces)i(to)f(capture)f(link-)-150 -5
+y(layer)g(and)g(TCP/IP)i(headers,)e(b)n(ut)h(generally)e(discards)h
+(most)h(of)g(the)-150 95 y(data)j(in)h(the)f(pack)o(et.)32
+b(The)22 b(smaller)g(the)h(snapshot)e(length,)h(the)g(less)-150
+194 y(data)e(per)f(accepted)g(pack)o(et)g(needs)h(to)g(copied)e(up)i
+(to)g(the)g(user)n(-le)n(v)o(el)-150 294 y(by)29 b(the)g(pack)o(et)g
+(\002lter)m(,)i(which)d(aids)i(in)f(accelerating)f(pack)o(et)h(pro-)
+-150 394 y(cessing)j(and)g(a)n(v)n(oiding)f(loss.)61
+b(On)32 b(the)g(other)f(hand,)j(to)e(analyze)-150 493
+y(connections)14 b(at)i(the)g(application)e(le)n(v)o(el,)i(Bro)g
+(requires)f(the)h(full)g(data)-150 593 y(contents)25
+b(of)h(each)g(pack)o(et.)42 b(Consequently)-5 b(,)25
+b(it)i(sets)g(the)f(snapshot)-150 693 y(length)19 b(to)i(capture)e
+(entire)h(pack)o(ets.)-150 945 y Fh(2.2)99 b(Ev)o(ent)26
+b(engine)-150 1105 y Fs(The)21 b(resulting)g(\002ltered)g(pack)o(et)g
+(stream)h(is)g(then)g(handed)e(up)h(to)h(the)-150 1205
+y(ne)o(xt)g(layer)m(,)g(the)h(Bro)g(\223e)n(v)o(ent)f(engine.)-6
+b(\224)32 b(This)22 b(layer)h(\002rst)g(performs)-150
+1305 y(se)n(v)o(eral)d(inte)o(grity)g(checks)h(to)g(assure)g(that)g
+(the)g(pack)o(et)f(headers)h(are)-150 1404 y(well-formed,)d(including)g
+(v)o(erifying)f(the)j(IP)h(header)d(checksum.)24 b(If)-150
+1504 y(these)e(checks)g(f)o(ail,)h(then)e(Bro)h(generates)g(an)g(e)n(v)
+o(ent)f(indicating)g(the)-150 1604 y(problem)h(and)h(discards)h(the)f
+(pack)o(et.)35 b(It)24 b(is)h(also)f(at)g(this)g(point)f(that)-150
+1703 y(Bro)29 b(reassembles)g(IP)h(fragments)d(so)j(it)g(can)f(then)f
+(analyze)g(com-)-150 1803 y(plete)20 b(IP)h(datagrams.)-67
+1905 y(If)37 b(the)h(checks)f(succeed,)k(then)c(the)g(e)n(v)o(ent)g
+(engine)f(looks)h(up)-150 2005 y(the)f(connection)f(state)i(associated)
+f(with)g(the)h(tuple)f(of)g(the)g(tw)o(o)-150 2104 y(IP)30
+b(addresses)g(and)f(the)h(tw)o(o)g(TCP)h(or)f(UDP)g(port)f(numbers,)i
+(cre-)-150 2204 y(ating)22 b(ne)n(w)g(state)i(if)f(none)e(already)g(e)o
+(xists.)33 b(It)23 b(then)f(dispatches)g(the)-150 2304
+y(pack)o(et)32 b(to)g(a)h(handler)e(for)h(the)g(corresponding)d
+(connection)h(\(de-)-150 2403 y(scribed)24 b(shortly\).)35
+b(Bro)25 b(maintains)e(a)i Fm(tcpdump)e Fs(trace)i(\002le)f(asso-)-150
+2503 y(ciated)i(with)g(the)f(traf)n(\002c)h(it)g(sees.)43
+b(The)25 b(connection)f(handler)g(indi-)-150 2603 y(cates)17
+b(upon)f(return)f(whether)h(the)h(engine)f(should)g(record)f(the)i
+(entire)-150 2702 y(pack)o(et)j(to)h(the)f(trace)h(\002le,)g(just)g
+(its)h(header)m(,)c(or)j(nothing)e(at)i(all.)26 b(This)-150
+2802 y(triage)f(trades)g(of)n(f)f(the)h(completeness)f(of)h(the)g(traf)
+n(\002c)g(trace)g(v)o(ersus)-150 2901 y(its)h(size)g(and)f(time)h
+(spent)f(generating)e(the)i(trace.)41 b(Generally)-5
+b(,)24 b(Bro)-150 3001 y(records)f(full)h(pack)o(ets)g(if)h(it)g
+(analyzed)e(the)h(entire)g(pack)o(et;)i(just)f(the)-150
+3101 y(header)16 b(if)h(it)h(only)e(analyzed)f(the)i(pack)o(et)f(for)h
+(SYN/FIN/RST)g(com-)-150 3200 y(putations;)j(and)h(skips)g(recording)e
+(the)h(pack)o(et)h(if)g(it)h(did)e(not)h(do)f(an)o(y)-150
+3300 y(processing)f(on)h(it.)-67 3402 y(W)-7 b(e)25 b(no)n(w)e(gi)n(v)o
+(e)g(an)h(o)o(v)o(ervie)n(w)e(of)h(general)g(processing)f(done)h(for)
+-150 3502 y(TCP)28 b(and)f(UDP)h(pack)o(ets.)46 b(In)27
+b(both)g(cases,)i(the)f(processing)e(ends)-150 3601 y(with)j(in)m(v)n
+(oking)d(a)j(handler)e(to)i(process)f(the)g(data)g(payload)f(of)i(the)
+-150 3701 y(pack)o(et.)24 b(F)o(or)c(applications)e(kno)n(wn)g(to)i
+(Bro,)g(this)g(results)g(in)g(further)-150 3801 y(analysis,)g(as)g
+(discussed)f(in)h Fi(x)g Fs(6.)25 b(F)o(or)19 b(other)g(applications,)g
+(analysis)-150 3900 y(ends)h(at)h(this)f(point.)-67 4003
+y Fl(TCP)41 b(pr)o(ocessing)o(.)87 b Fs(F)o(or)40 b(each)h(TCP)g(pack)o
+(et,)k(the)c(connec-)-150 4102 y(tion)25 b(handler)e(\(a)i(C++)h
+(virtual)e(function\))f(v)o(eri\002es)i(that)g(the)g(entire)-150
+4202 y(TCP)c(header)e(is)j(present)d(and)h(v)n(alidates)g(the)h(TCP)g
+(checksum)e(o)o(v)o(er)-150 4301 y(the)30 b(pack)o(et)g(header)f(and)h
+(payload.)53 b(If)30 b(successful,)j(it)e(then)e(tests)-150
+4401 y(whether)23 b(the)g(TCP)i(header)e(includes)g(an)o(y)g(of)g(the)h
+(SYN/FIN/RST)-150 4501 y(control)35 b(\003ags,)41 b(and)36
+b(if)h(so)g(adjusts)g(the)f(connection')-5 b(s)35 b(state)j(ac-)-150
+4600 y(cordingly)-5 b(.)46 b(Finally)-5 b(,)29 b(it)f(processes)g(an)o
+(y)f(data)h(ackno)n(wledgement)-150 4700 y(present)23
+b(in)h(the)f(header)m(,)g(and)g(then)g(in)m(v)n(ok)o(es)f(a)i(handler)e
+(to)i(process)-150 4800 y(the)c(payload)f(data,)h(if)g(an)o(y)-5
+b(.)-67 4902 y(Dif)n(ferent)28 b(changes)g(in)i(the)f(connection')-5
+b(s)28 b(state)i(generate)e(dif-)-150 5001 y(ferent)42
+b(e)n(v)o(ents.)93 b(When)43 b(the)g(initial)h(SYN)g(pack)o(et)e
+(requesting)-150 5101 y(a)37 b(connection)e(is)j(seen,)j(the)c(e)n(v)o
+(ent)f(engine)g(schedules)g(a)i(timer)-150 5201 y(for)i
+Fj(T)52 b Fs(seconds)40 b(in)g(the)h(future)e(\(presently)-5
+b(,)43 b(\002)n(v)o(e)e(minutes\);)49 b(if)-150 5300
+y(the)h(timer)g(e)o(xpires)g(and)f(the)i(connection)d(has)i(not)g
+(changed)-150 5400 y(state,)23 b(then)e(the)h(engine)f(generates)g(a)h
+Fm(connection)p 1479 5400 25 4 v 28 w(attempt)2049 -104
+y Fs(e)n(v)o(ent.)125 b(If)54 b(before)f(that)h(time,)62
+b(ho)n(we)n(v)o(er)m(,)e(the)54 b(other)f(con-)2049 -5
+y(nection)g(endpoint)f(replies)h(with)h(a)g(correct)f(SYN)h(ackno)n(w-)
+2049 95 y(ledgement)35 b(pack)o(et,)k(then)d(the)g(engine)f
+(immediately)g(generates)2049 194 y(a)44 b Fm(connection)p
+2635 194 V 28 w(established)e Fs(e)n(v)o(ent,)48 b(and)42
+b(cancels)i(the)2049 294 y(connection)49 b(attempt)i(timer)-5
+b(.)118 b(On)51 b(the)g(other)g(hand,)57 b(if)52 b(the)2049
+394 y(endpoint)c(replies)h(with)h(a)g(RST)g(pack)o(et,)57
+b(then)49 b(the)g(connec-)2049 493 y(tion)38 b(attempt)g(has)h(been)e
+(rejected,)42 b(and)c(the)g(engine)g(generates)2049 593
+y Fm(connection)p 2554 593 V 28 w(rejected)p Fs(.)47
+b(Similarly)-5 b(,)28 b(if)h(a)f(connection)d(ter)n(-)2049
+693 y(minates)31 b(via)g(a)h(normal)e(FIN)i(e)o(xchange,)f(then)g(the)g
+(engine)f(gen-)2049 792 y(erates)23 b Fm(connection)p
+2771 792 V 28 w(finished)p Fs(.)34 b(It)23 b(also)h(generates)e(se)n(v)
+o(eral)2049 892 y(other)f(e)n(v)o(ents)g(re\003ecting)g(more)g(unusual)
+g(w)o(ays)h(in)g(which)f(connec-)2049 991 y(tions)f(can)g(terminate.)
+2132 1099 y Fl(UDP)j(pr)o(ocessing)o(.)34 b Fs(UDP)24
+b(processing)e(is)i(similar)f(b)n(ut)h(simpler)m(,)2049
+1199 y(since)k(there)f(is)h(no)f(connection)f(state,)k(e)o(xcept)c(in)i
+(one)f(re)o(gard.)45 b(If)2049 1299 y(host)16 b Fj(A)g
+Fs(sends)g(a)g(UDP)g(pack)o(et)f(to)h(host)g Fj(B)k Fs(with)c(a)g
+(source)f(port)g(of)g Fj(p)3996 1311 y Fe(A)2049 1398
+y Fs(and)k(a)h(destination)e(port)h(of)g Fj(p)2915 1410
+y Fe(B)2972 1398 y Fs(,)h(then)f(Bro)h(considers)e Fj(A)i
+Fs(as)h(ha)n(ving)2049 1498 y(initiated)16 b(a)h(\223request\224)e(to)i
+Fj(B)t Fs(,)g(and)f(establishes)h(pseudo-connection)2049
+1597 y(state)27 b(associated)g(with)f(that)h(request.)43
+b(If)27 b Fj(B)k Fs(subsequently)25 b(sends)2049 1697
+y(a)31 b(UDP)g(pack)o(et)e(to)i Fj(A)g Fs(with)f(a)h(source)e(port)h
+(of)g Fj(p)3549 1709 y Fe(B)3636 1697 y Fs(and)g(destina-)2049
+1797 y(tion)d Fj(p)2248 1809 y Fe(A)2302 1797 y Fs(,)j(then)e(Bro)f
+(considers)g(this)i(pack)o(et)e(to)h(re\003ect)f(a)i(\223reply\224)2049
+1896 y(to)23 b(the)f(request.)32 b(The)22 b(handlers)g(\(virtual)f
+(functions\))g(for)h(the)h(UDP)2049 1996 y(payload)j(data)i(can)f(then)
+g(readily)g(distinguish)g(between)g(requests)2049 2096
+y(and)22 b(replies)g(for)g(the)g(usual)h(case)g(when)e(UDP)i(traf)n
+(\002c)f(follo)n(ws)g(that)2049 2195 y(pattern.)43 b(The)26
+b(def)o(ault)g(handlers)f(for)h(UDP)h(requests)f(and)g(replies)2049
+2295 y(simply)20 b(generate)f Fm(udp)p 2753 2295 V 29
+w(request)h Fs(and)f Fm(udp)p 3442 2295 V 30 w(reply)g
+Fs(e)n(v)o(ents.)2049 2578 y Fh(2.3)124 b(P)n(olicy)24
+b(script)h(inter)o(pr)n(eter)2049 2749 y Fs(After)30
+b(the)g(e)n(v)o(ent)f(engine)g(has)h(\002nished)g(processing)f(a)h
+(pack)o(et,)i(it)2049 2849 y(then)h(checks)g(whether)f(the)h
+(processing)f(generated)g(an)o(y)g(e)n(v)o(ents.)2049
+2948 y(\(These)26 b(are)h(k)o(ept)f(on)g(a)h(FIFO)g(queue.\))43
+b(If)27 b(so,)h(it)g(processes)e(each)2049 3048 y(e)n(v)o(ent)h(until)h
+(the)f(queue)g(is)i(empty)-5 b(,)28 b(as)h(described)d(belo)n(w)-5
+b(.)47 b(It)28 b(also)2049 3148 y(checks)19 b(whether)f(an)o(y)h(timer)
+g(e)n(v)o(ents)g(ha)n(v)o(e)g(e)o(xpired,)e(and)i(if)h(so)g(pro-)2049
+3247 y(cesses)h(them,)f(too)g(\(see)g Fi(x)h Fs(4)f(for)g(more)f(on)h
+(timer)g(e)o(xpiration\).)3882 3217 y Fn(2)2132 3355
+y Fs(A)d(k)o(e)o(y)e(f)o(acet)i(of)f(Bro')-5 b(s)17 b(design)e(is)i
+(the)g(clear)f(distinction)f(between)2049 3455 y(the)33
+b(generation)d(of)j(e)n(v)o(ents)e(v)o(ersus)i(what)f(to)h(do)f(in)h
+(response)e(to)2049 3554 y(the)26 b(e)n(v)o(ents.)40
+b(These)26 b(are)g(sho)n(wn)f(as)h(separate)f(box)o(es)g(in)h(Figure)f
+(1,)2049 3654 y(and)18 b(this)h(structure)f(re\003ects)g(the)h
+(separation)e(between)h(mechanism)2049 3754 y(and)25
+b(polic)o(y)g(discussed)g(in)h Fi(x)h Fs(1.)42 b(The)25
+b(\223polic)o(y)g(script)g(interpreter\224)2049 3853
+y(e)o(x)o(ecutes)17 b(scripts)h(written)g(in)g(the)g(specialized)f
+Fm(Bro)h Fs(language)e(\(de-)2049 3953 y(tailed)h(in)h
+Fi(x)g Fs(3\).)24 b(These)17 b(scripts)h(specify)f(e)n(v)o(ent)f
+(handlers,)h(which)g(are)2049 4052 y(essentially)26 b(identical)f(to)h
+(Bro)g(functions)e(e)o(xcept)h(that)h(the)o(y)f(don')o(t)2049
+4152 y(return)19 b(a)i(v)n(alue.)k(F)o(or)20 b(each)g(e)n(v)o(ent)f
+(passed)i(to)f(the)h(interpreter)m(,)d(it)j(re-)2049
+4252 y(trie)n(v)o(es)g(the)h(\(semi-\)compiled)d(code)i(for)g(the)g
+(corresponding)d(han-)2049 4351 y(dler)m(,)28 b(binds)e(the)h(v)n
+(alues)f(of)h(the)f(e)n(v)o(ents)h(to)f(the)h(ar)o(guments)e(of)i(the)p
+2049 4455 801 4 v 2134 4509 a Fk(2)2169 4532 y Fp(There)e(is)f(a)h
+(subtle)h(design)g(decision)g(in)m(v)o(olv)o(ed)h(with)e(processing)i
+(all)e(of)g(the)2049 4611 y(generated)g(e)n(v)o(ents)f(before)g
+(proceeding)h(to)e(read)g(the)g(ne)o(xt)g(pack)o(et.)39
+b(W)-5 b(e)22 b(might)h(be)2049 4690 y(tempted)f(to)e(defer)h(e)n(v)o
+(ent)h(processing)g(until)g(a)e(period)h(of)g(relati)n(v)o(ely)j(light)
+d(acti)n(vity)l(,)2049 4769 y(to)g(aid)g(the)g(engine)h(with)f(k)o
+(eeping)i(up)d(during)h(periods)h(of)e(hea)o(vy)h(load.)32
+b(Ho)n(we)n(v)o(er)m(,)2049 4848 y(doing)24 b(so)f(can)h(lead)h(to)f
+(races:)35 b(the)24 b(\223e)n(v)o(ent)h(control\224)h(arro)n(w)e(in)g
+(Figure)g(1)f(re\003ects)2049 4927 y(the)e(f)o(act)h(that)g(the)f
+(polic)o(y)h(script)g(can,)f(to)g(a)g(limited)h(de)o(gree,)h
+(manipulate)g(the)e(con-)2049 5006 y(nection)h(state)f(maintained)i
+(inside)e(the)f(engine.)31 b(If)19 b(e)n(v)o(ent)j(processing)f(is)f
+(deferred,)2049 5085 y(then)k(such)f(control)h(may)f(happen)h(after)g
+(the)f(connection)j(state)e(has)f(already)i(been)2049
+5163 y(changed)20 b(due)f(to)f(more)g(recently-recei)n(v)o(ed)24
+b(traf)n(\002c.)h(So,)18 b(to)g(ensure)h(that)g(e)n(v)o(ent)h(pro-)2049
+5242 y(cessing)e(al)o(w)o(ays)i(re\003ects)e(fresh)g(data,)g(and)g
+(does)g(not)g(inadv)o(ertently)j(lead)e(to)e(incon-)2049
+5321 y(sistent)k(connection)i(state,)e(we)f(process)h(e)n(v)o(ents)g
+(immediately)l(,)h(before)f(mo)o(ving)g(on)2049 5400
+y(to)c(ne)n(wly-arri)n(v)o(ed)k(netw)o(ork)e(traf)n(\002c.)1929
+5649 y Fs(4)p eop
+%%Page: 5 5
+5 4 bop -150 -104 a Fs(handler)m(,)23 b(and)h(interprets)g(the)g(code.)
+37 b(This)25 b(code)e(in)i(turn)e(can)i(e)o(x)o(e-)-150
+-5 y(cute)19 b(arbitrary)e(Bro)i(scripting)f(commands,)f(including)h
+(generating)-150 95 y(ne)n(w)27 b(e)n(v)o(ents,)h(logging)e(real-time)g
+(noti\002cations)g(\(using)h(the)g(Unix)-150 194 y Fr(syslo)o(g)d
+Fs(function\),)e(recording)g(data)h(to)h(disk,)g(or)g(modifying)d
+(inter)n(-)-150 294 y(nal)k(state)g(for)f(access)i(by)e(subsequently)f
+(in)m(v)n(ok)o(ed)g(e)n(v)o(ent)h(handlers)-150 394 y(\(or)c(by)f(the)i
+(e)n(v)o(ent)e(engine)g(itself\).)-67 497 y(Finally)-5
+b(,)41 b(along)c(with)g(separating)g(mechanism)f(from)g(polic)o(y)-5
+b(,)-150 597 y(Bro')g(s)23 b(emphasis)g(on)f(asynchronous)e(e)n(v)o
+(ents)i(as)i(the)f(link)f(between)-150 696 y(the)c(e)n(v)o(ent)f
+(engine)g(and)h(the)g(polic)o(y)e(script)i(interpreter)f(b)n(uys)h(a)g
+(great)-150 796 y(deal)28 b(in)f(terms)h(of)f(e)o(xtensibility)-5
+b(.)46 b(Adding)26 b(ne)n(w)i(functionality)d(to)-150
+896 y(Bro)e(generally)f(consists)i(of)f(adding)e(a)j(ne)n(w)f(protocol)
+e(analyzer)h(to)-150 995 y(the)e(e)n(v)o(ent)f(engine)g(and)h(then)g
+(writing)f(ne)n(w)h(e)n(v)o(ent)f(handlers)g(for)h(the)-150
+1095 y(e)n(v)o(ents)27 b(generated)f(by)h(the)h(analyzer)-5
+b(.)46 b(Neither)27 b(the)h(analyzer)e(nor)-150 1194
+y(the)g(e)n(v)o(ent)f(handlers)g(tend)h(to)g(ha)n(v)o(e)g(much)f(o)o(v)
+o(erlap)f(with)i(e)o(xisting)-150 1294 y(functionality)-5
+b(,)16 b(so)k(for)e(the)h(most)f(part)h(we)g(can)g(a)n(v)n(oid)f(the)h
+(subtle)g(in-)-150 1394 y(teractions)25 b(between)g(loosely)g(coupled)f
+(modules)h(that)h(can)f(easily)-150 1493 y(lead)20 b(to)g(maintenance)f
+(headaches)g(and)g(b)n(uggy)g(programs.)-150 1794 y Ft(3)119
+b(The)31 b Fd(Bro)e Ft(language)-150 1987 y Fs(As)21
+b(discussed)g(abo)o(v)o(e,)d(we)j(e)o(xpress)f(security)g(policies)h
+(in)f(terms)h(of)-150 2086 y(scripts)i(written)g(in)g(the)g
+(specialized)f Fm(Bro)h Fs(language.)31 b(In)23 b(this)g(sec-)-150
+2186 y(tion)18 b(we)g(gi)n(v)o(e)f(an)g(o)o(v)o(ervie)n(w)f(of)h(the)h
+(language')-5 b(s)17 b(features.)23 b(The)17 b(aim)-150
+2285 y(is)25 b(to)g(con)m(v)o(e)o(y)d(the)i(\003a)n(v)n(or)h(of)f(the)g
+(language,)g(rather)f(than)h(describe)-150 2385 y(it)d(precisely)-5
+b(.)-67 2488 y(Our)23 b(goal)f(of)h(\223a)n(v)n(oid)g(simple)g(mistak)o
+(es\224)g(\()p Fi(x)g Fs(1\),)h(while)f(perhaps)-150
+2588 y(sounding)28 b(trite,)k(in)e(f)o(act)g(hea)n(vily)g(in\003uenced)
+e(the)i(design)f(of)h(the)-150 2688 y Fm(Bro)24 b Fs(language.)35
+b(Because)24 b(intrusion)f(detection)g(can)h(form)f(a)h(cor)n(-)-150
+2787 y(nerstone)18 b(of)i(the)f(security)g(measures)g(a)n(v)n(ailable)g
+(to)h(a)g(site,)g(we)g(v)o(ery)-150 2887 y(much)26 b(w)o(ant)g(our)g
+(polic)o(y)f(scripts)i(to)g(beha)n(v)o(e)e(as)j(e)o(xpected.)42
+b(From)-150 2987 y(our)20 b(o)n(wn)h(e)o(xperience,)e(a)j(big)f(step)g
+(to)n(w)o(ards)g(a)n(v)n(oiding)f(surprises)h(is)-150
+3086 y(to)d(use)g(a)g(strongly)f(typed)g(language)f(that)i(detects)g
+(typing)e(inconsis-)-150 3186 y(tencies)21 b(at)h(compile-time,)e(and)g
+(that)i(guarantees)e(that)h(all)h(v)n(ariable)-150 3285
+y(references)h(at)i(run-time)d(will)j(be)f(to)h(v)n(alid)f(v)n(alues.)
+36 b(Furthermore,)-150 3385 y(we)26 b(ha)n(v)o(e)e(come)h(to)g
+(appreciate)f(the)h(bene\002ts)g(of)g(domain-speci\002c)-150
+3485 y(languages,)32 b(that)f(is,)j(languages)29 b(tailored)h(for)g(a)h
+(particular)e(task.)-150 3584 y(Ha)n(ving)c(cobbled)f(together)g(our)h
+(\002rst)h(monitoring)d(system)j(out)f(of)-150 3684 y
+Fm(tcpdump)p Fs(,)30 b Fm(awk)p Fs(,)h(and)d(shell)h(scripts,)i(we)e
+(thirsted)f(for)g(w)o(ays)h(to)-150 3784 y(deal)j(directly)g(with)h
+(hostnames,)h(IP)f(addresses,)i(port)c(numbers,)-150
+3883 y(and)20 b(the)g(lik)o(e,)g(rather)f(than)h(de)n(vising)f(ASCII)h
+(pseudo-equi)n(v)n(alents.)-150 3983 y(By)c(making)e(these)h(sorts)g
+(of)g(entities)h(\002rst-class)g(v)n(alues)f(in)g Fm(Bro)p
+Fs(,)h(we)-150 4082 y(both)k(increase)g(the)h(ease)g(of)g(e)o
+(xpression)e(of)n(fered)g(by)h(the)h(language)-150 4182
+y(and,)h(due)f(to)h(strong)f(typing,)g(catch)h(errors)f(\(such)g(as)i
+(comparing)c(a)-150 4282 y(port)h(to)g(an)g(IP)h(address\))e(that)h
+(might)g(otherwise)f(slip)i(by)-5 b(.)-150 4540 y Fh(3.1)99
+b(Data)25 b(types)g(and)h(constants)-150 4703 y Fl(Atomic)d(types.)35
+b Fm(Bro)23 b Fs(supports)f(se)n(v)o(eral)h(types)g(f)o(amiliar)g(to)g
+(users)-150 4802 y(of)32 b(traditional)g(languages:)48
+b Fm(bool)32 b Fs(for)g(booleans,)i Fm(int)f Fs(for)f(in-)-150
+4902 y(te)o(gers,)25 b Fm(count)f Fs(for)g(non-ne)o(gati)n(v)o(e)d
+(inte)o(gers)j(\(\223unsigned\224)e(in)j(C\),)-150 5001
+y Fm(double)k Fs(for)g(double-precision)d(\003oating)j(point,)i(and)e
+Fm(string)-150 5101 y Fs(for)18 b(a)h(series)g(of)f(bytes.)24
+b(The)19 b(\002rst)g(four)e(of)h(these)h(\(all)g(b)n(ut)f
+Fm(string)p Fs(\))-150 5201 y(are)h(termed)g Fr(arithmetic)g
+Fs(types,)g(and)g(mixing)f(them)h(in)h(e)o(xpressions)-150
+5300 y(promotes)35 b Fm(bool)h Fs(to)h Fm(count)p Fs(,)i
+Fm(count)d Fs(to)h Fm(int)p Fs(,)j(and)c Fm(int)g Fs(to)-150
+5400 y Fm(double)p Fs(.)2132 -104 y Fm(Bro)e Fs(pro)o(vides)d
+Fm(T)j Fs(and)f Fm(F)h Fs(as)g Fm(bool)g Fs(constants)f(for)g(true)g
+(and)2049 -5 y(f)o(alse;)38 b(a)33 b(series)f(of)g(digits)g(for)g
+Fm(count)f Fs(constants;)38 b(and)31 b(C-style)2049 95
+y(constants)20 b(for)f Fm(double)h Fs(and)g Fm(string)p
+Fs(.)2132 194 y(Unlik)o(e)27 b(in)g(C,)g(ho)n(we)n(v)o(er)m(,)f
+Fm(Bro)h Fs(strings)g(are)g(represented)e(inter)n(-)2049
+294 y(nally)j(as)g(a)h(count)e(and)g(a)i(v)o(ector)d(of)i(bytes,)i
+(rather)d(than)g(a)i(NUL-)2049 394 y(terminated)24 b(series)j(of)e
+(bytes.)41 b(This)26 b(dif)n(ference)d(is)k(important)d(be-)2049
+493 y(cause)34 b(NULs)g(can)g(easily)g(be)g(introduced)d(into)j
+(strings)f(deri)n(v)o(ed)2049 593 y(from)22 b(netw)o(ork)f(traf)n
+(\002c,)i(either)f(by)h(the)f(nature)g(of)h(the)f(application,)2049
+693 y(inadv)o(ertently)-5 b(,)35 b(or)f(maliciously)g(by)g(an)g(attack)
+o(er)g(attempting)f(to)2049 792 y(sub)o(v)o(ert)21 b(the)i(monitor)-5
+b(.)30 b(An)23 b(e)o(xample)e(of)h(the)h(latter)g(is)g(sending)f(the)
+2049 892 y(follo)n(wing)d(to)h(an)g(FTP)h(serv)o(er:)2208
+1043 y Ff(USER)40 b(nice\\0USER)e(root)2049 1216 y Fs(where)20
+b(\223)p Fm(\\0)p Fs(\224)g(represents)f(a)i(NUL.)f(Depending)f(on)h
+(ho)n(w)f(it)i(is)h(writ-)2049 1315 y(ten,)33 b(the)e(FTP)h
+(application)d(recei)n(ving)h(this)h(te)o(xt)g(might)f(well)i(in-)2049
+1415 y(terpret)i(it)h(as)h(tw)o(o)f(separate)f(commands,)j(\223)p
+Fm(USER)49 b(nice)p Fs(\224)34 b(fol-)2049 1515 y(lo)n(wed)d(by)g(\223)
+p Fm(USER)49 b(root)p Fs(\224.)58 b(But)32 b(if)g(the)g(monitoring)d
+(program)2049 1614 y(uses)18 b(NUL-terminated)c(strings,)k(then)e(it)i
+(will)g(ef)n(fecti)n(v)o(ely)d(see)i(only)2049 1714 y(\223)p
+Fm(USER)49 b(nice)p Fs(\224)27 b(and)h(ha)n(v)o(e)f(no)h(opportunity)c
+(to)k(detect)g(the)g(sub-)2049 1813 y(v)o(ersi)n(v)o(e)19
+b(action.)2132 1913 y(Similarly)-5 b(,)22 b(it)h(is)h(important)c(that)
+j(when)f(Bro)g(logs)h(such)f(strings,)2049 2013 y(or)33
+b(prints)g(them)f(as)i(te)o(xt)f(to)g(a)h(\002le,)i(that)e(it)f(e)o
+(xpands)f(embedded)2049 2112 y(NULs)19 b(into)g(visible)f(escape)h
+(sequences)f(to)h(\003ag)f(their)h(appearance.)2132 2212
+y Fm(Bro)44 b Fs(also)f(includes)g(a)h(number)e(of)h(non-traditional)e
+(types,)2049 2312 y(geared)35 b(to)n(w)o(ards)h(its)i(speci\002c)f
+(problem)d(domain.)73 b(A)37 b(v)n(alue)f(of)2049 2411
+y(type)23 b Fm(time)h Fs(re\003ects)g(an)g(absolute)f(time,)i(and)e
+Fm(interval)g Fs(a)h(dif-)2049 2511 y(ference)35 b(in)h(time.)74
+b(Subtracting)34 b(tw)o(o)j Fm(time)f Fs(v)n(alues)g(yields)g(an)2049
+2610 y Fm(interval)p Fs(;)17 b(adding)e(or)h(subtracting)f(an)i
+Fm(interval)e Fs(to)i(a)g Fm(time)2049 2710 y Fs(yields)25
+b(a)h Fm(time)p Fs(;)j(adding)24 b(tw)o(o)i Fm(time)f
+Fs(v)n(alues)g(is)i(an)e(error)-5 b(.)40 b(There)2049
+2810 y(are)24 b(presently)e(no)i Fm(time)f Fs(constants,)h(b)n(ut)g
+Fm(interval)f Fs(constants)2049 2909 y(can)33 b(be)h(speci\002ed)f
+(using)g(a)h(numeric)f(\(possibly)f(\003oating-point\))2049
+3009 y(v)n(alue)i(follo)n(wed)f(by)h(a)g(unit)h(of)f(time,)j(such)e(as)
+g(\223)p Fm(30)49 b(min)p Fs(\224)34 b(for)2049 3109
+y(thirty)20 b(minutes.)2132 3208 y(The)k Fm(port)g Fs(type)g
+(corresponds)e(to)i(a)h(TCP)g(or)e(UDP)i(port)f(num-)2049
+3308 y(ber)-5 b(.)24 b(TCP)18 b(and)e(UDP)h(ports)g(are)g(distinct.)23
+b(Thus,)17 b(a)h(v)n(ariable)d(of)i(type)2049 3407 y
+Fm(port)j Fs(can)g(hold)f(either)h(a)h(TCP)g(or)f(a)g(UDP)h(port,)f(b)n
+(ut)g(at)g(an)o(y)g(gi)n(v)o(en)2049 3507 y(time)g(it)h(is)g(holding)e
+(e)o(xactly)g(one)h(of)g(these.)2132 3607 y(There)29
+b(are)h(tw)o(o)h(forms)e(of)h Fm(port)g Fs(constants.)55
+b(The)30 b(\002rst)g(con-)2049 3706 y(sists)h(of)f(an)g(unsigned)e
+(inte)o(ger)h(follo)n(wed)f(by)i(either)f(\223)p Fm(/tcp)p
+Fs(\224)h(or)2049 3806 y(\223)p Fm(/udp)p Fs(.)-6 b(\224)46
+b(So,)28 b(for)f(e)o(xample,)g(\223)p Fm(80/tcp)p Fs(\224)g
+(corresponds)d(to)k(TCP)2049 3906 y(port)c(80)h(\(the)f(HTTP)h
+(protocol)e(used)i(by)f(the)h(W)-7 b(orld)25 b(W)m(ide)f(W)-7
+b(eb\).)2049 4005 y(The)39 b(second)e(form)h(of)h(constant)f(is)i
+(speci\002ed)e(using)h(a)g(prede-)2049 4105 y(\002ned)28
+b(identi\002er)m(,)i(such)e(as)i(\223)p Fm(http)p Fs(\224,)g(equi)n(v)n
+(alent)d(to)h(\223)p Fm(80/tcp)p Fs(.)-6 b(\224)2049
+4204 y(Originally)h(,)15 b(we)h(w)o(ould)g(look)f(up)g
+(otherwise-unde\002ned)e(identi\002ers)2049 4304 y(using)33
+b(the)h Fr(g)o(etservbyname)e Fs(library)g(routine.)64
+b(Ho)n(we)n(v)o(er)m(,)35 b(doing)2049 4404 y(so)e(not)f(only)f(runs)h
+(into)h(dif)n(\002culties)f(when)f(a)i(single)g(name)e(lik)o(e)2049
+4503 y(\223)p Fm(domain)p Fs(\224)g(has)h(both)f(TCP)i(and)e(UDP)h
+(de\002nitions,)i(b)n(ut,)g(more)2049 4603 y(fundamentally)-5
+b(,)27 b(erodes)h(portability)e(because)i(a)h Fr(g)o(etservbyname)2049
+4703 y Fs(service)e(name)h(kno)n(wn)e(on)h(one)h(system)f(might)h(well)
+g(be)g(missing)2049 4802 y(from)17 b(another)g(system,)h(rendering)e
+(in)m(v)n(alid)h(an)o(y)g Fm(Bro)h Fs(scripts)h(writ-)2049
+4902 y(ten)h(using)g(the)g(service)g(name.)2132 5001
+y(V)-9 b(alues)20 b(of)g(type)g Fm(port)g Fs(may)g(be)g(compared)e(for)
+i(equality)f(or)h(or)n(-)2049 5101 y(dering)31 b(\(for)g(e)o(xample,)j
+(\223)p Fm(20/tcp)48 b(<)i(telnet)p Fs(\224)31 b(yields)i(true\),)2049
+5201 y(b)n(ut)20 b(otherwise)g(cannot)f(be)h(operated)f(on.)2132
+5300 y(Another)j(netw)o(orking)f(type)i(pro)o(vided)e(by)i
+Fm(Bro)g Fs(is)h Fm(addr)p Fs(,)g(cor)n(-)2049 5400 y(responding)29
+b(to)j(an)f(IP)h(address.)59 b(These)31 b(are)h(represented)e(inter)n
+(-)1929 5649 y(5)p eop
+%%Page: 6 6
+6 5 bop -150 -104 a Fs(nally)17 b(as)h(unsigned,)e(32-bit)g(inte)o
+(gers,)h(b)n(ut)g(in)h Fm(Bro)f Fs(scripts)h(the)f(only)-150
+-5 y(operations)26 b(that)h(can)g(be)g(performed)d(on)j(them)f(are)h
+(comparisons)-150 95 y(for)e(equality)g(or)h(inequality)e(\(also,)j(a)f
+(b)n(uilt-in)f(function)f(pro)o(vides)-150 194 y(masking,)19
+b(as)h(discussed)g(belo)n(w\).)k(Constants)c(of)g(type)f
+Fm(addr)h Fs(ha)n(v)o(e)-150 294 y(the)g(f)o(amiliar)g(\223dotted)f
+(quad\224)g(format,)g Fj(A)1064 306 y Fn(1)1102 294 y
+Fj(:A)1187 306 y Fn(2)1224 294 y Fj(:A)1309 306 y Fn(3)1347
+294 y Fj(:A)1432 306 y Fn(4)1469 294 y Fs(.)-67 394 y(More)37
+b(interesting)g(are)g Fr(hostname)f Fs(constants.)77
+b(There)37 b(is)h(no)-150 493 y Fm(Bro)45 b Fs(type)f(corresponding)d
+(to)j(Internet)g(hostnames,)49 b(because)-150 593 y(hostnames)26
+b(can)g(correspond)e(to)j(multiple)f(IP)h(addresses,)g(so)g(one)-150
+693 y(quickly)34 b(runs)g(into)h(ambiguities)f(if)h(comparing)d(one)j
+(hostname)-150 792 y(with)h(another)-5 b(.)71 b Fm(Bro)36
+b Fs(does,)j(ho)n(we)n(v)o(er)m(,)e(support)e(hostnames)g(as)-150
+892 y(constants.)81 b(An)o(y)38 b(series)i(of)e(tw)o(o)i(or)e(more)h
+(identi\002ers)f(delim-)-150 991 y(ited)c(by)f(dots)h(forms)f(a)i
+(hostname)d(constant,)37 b(so,)g(for)c(e)o(xample,)-150
+1091 y(\223)p Fm(lbl.gov)p Fs(\224)23 b(and)h(\223)p
+Fm(www.microsoft.com)p Fs(\224)d(are)j(both)f(host-)-150
+1191 y(name)f(constants)g(\(the)h(latter)m(,)g(as)g(of)f(this)i
+(writing,)e(corresponds)e(to)-150 1290 y(6)27 b(distinct)g(IP)h
+(addresses\).)44 b(The)27 b(v)n(alue)f(of)h(a)g(hostname)f(constant)
+-150 1390 y(is)21 b(a)g Fm(list)g Fs(of)f Fm(addr)g Fs(containing)f
+(one)h(or)g(more)g(elements.)26 b(These)-150 1490 y(lists)21
+b(cannot)e(be)g(used)h(in)g Fm(Bro)f Fs(e)o(xpressions;)g(b)n(ut)h(the)
+o(y)f(play)g(a)h(cen-)-150 1589 y(tral)27 b(role)f(in)h(initializing)f
+Fm(Bro)h(table)p Fs(')-5 b(s)26 b(and)g Fm(set)p Fs(')-5
+b(s,)29 b(discussed)-150 1689 y(in)20 b Fi(x)h Fs(3.3)f(belo)n(w)-5
+b(.)-67 1788 y Fl(Aggr)o(egate)22 b(types.)38 b Fm(Bro)24
+b Fs(also)h(supports)e(a)i(number)e(of)h(aggre-)-150
+1888 y(gate)j(types.)46 b(A)28 b Fm(record)f Fs(is)h(a)g(collection)e
+(of)h(elements)g(of)g(arbi-)-150 1988 y(trary)19 b(type.)25
+b(F)o(or)19 b(e)o(xample,)f(the)i(prede\002ned)e Fm(conn)p
+1370 1988 25 4 v 29 w(id)j Fs(type,)e(used)-150 2087
+y(to)f(hold)g(connection)e(identi\002ers,)i(is)i(de\002ned)d(in)h(the)h
+Fm(Bro)f Fs(run-time)-150 2187 y(initialization)i(\002le)g(as:)9
+2339 y Ff(type)40 b(conn_id:)e(record)h({)169 2418 y(orig_h:)g(addr;)
+169 2497 y(orig_p:)g(port;)169 2576 y(resp_h:)g(addr;)169
+2655 y(resp_p:)g(port;)9 2734 y(};)-150 2907 y Fs(The)27
+b Fm(orig)p 212 2907 V 29 w(h)h Fs(and)f Fm(resp)p 667
+2907 V 29 w(h)h Fs(elements)f(\(or)g(\223\002elds\224\))g(ha)n(v)o(e)g
+(type)-150 3006 y Fm(addr)e Fs(and)g(hold)g(the)h(connection)d
+(originator')-5 b(s)24 b(and)h(responder')-5 b(s)-150
+3106 y(IP)21 b(addresses.)26 b(Similarly)-5 b(,)20 b
+Fm(orig)p 862 3106 V 29 w(p)h Fs(and)f Fm(resp)p 1303
+3106 V 29 w(p)h Fs(hold)f(the)h(orig-)-150 3205 y(inator)g(and)f
+(responder)f(ports.)28 b(Record)21 b(\002elds)h(are)f(accessed)g(using)
+-150 3305 y(the)f(\223)p Fm($)p Fs(\224)g(operator)-5
+b(.)-67 3405 y(F)o(or)20 b(specifying)e(security)i(policies,)f(a)i
+(particularly)d(useful)i Fm(Bro)-150 3504 y Fs(type)26
+b(is)i Fm(table)p Fs(.)44 b Fm(Bro)26 b Fs(tables)h(ha)n(v)o(e)f(tw)o
+(o)h(components,)f(a)h(set)h(of)-150 3604 y Fr(indices)c
+Fs(and)g(a)h Fr(yield)g(type)p Fs(.)37 b(The)24 b(indices)h(may)f(be)g
+(of)g(an)o(y)g(atomic)-150 3704 y(\(non-aggre)o(gate\))c(type,)25
+b(and/or)e(an)o(y)h Fm(record)g Fs(types)h(that,)g(when)-150
+3803 y(\(recursi)n(v)o(ely\))i(e)o(xpanded)g(into)i(all)h(of)f(their)g
+(elements,)i(are)e(com-)-150 3903 y(prised)h(of)h(only)f(atomic)h
+(types.)57 b(\(Thus,)32 b Fm(Bro)f Fs(tables)g(pro)o(vide)e(a)-150
+4002 y(form)19 b(of)h(associati)n(v)o(e)g(array)-5 b(.\))23
+b(So,)d(for)g(e)o(xample,)9 4155 y Ff(table[port])39
+b(of)g(string)-150 4307 y Fs(can)20 b(be)g(inde)o(x)o(ed)e(by)i(a)h
+Fm(port)f Fs(v)n(alue,)f(yielding)g(a)h Fm(string)p Fs(,)g(and:)9
+4445 y Ff(table[conn_id])38 b(of)i(ftp_session_info)-150
+4603 y Fs(is)34 b(inde)o(x)o(ed)c(by)i(a)h Fm(conn)p
+623 4603 V 30 w(id)f Fs(record\227or)m(,)h(equi)n(v)n(alently)-5
+b(,)33 b(by)g(an)-150 4703 y Fm(addr)p Fs(,)42 b(a)d
+Fm(port)p Fs(,)j(another)36 b Fm(addr)p Fs(,)43 b(and)37
+b(another)g Fm(port)p Fs(\227and)-150 4802 y(yields)20
+b(an)g Fm(ftp)p 323 4802 V 30 w(session)p 703 4802 V
+28 w(info)g Fs(record)f(as)i(a)f(result.)-67 4902 y(Closely)i(related)e
+(to)i Fm(table)e Fs(types)h(are)h Fm(set)f Fs(types.)28
+b(These)21 b(are)-150 5001 y(simply)d Fm(table)f Fs(types)h(that)h(do)e
+(not)h(yield)g(a)g(v)n(alue.)24 b(Their)17 b(purpose)-150
+5101 y(is)j(to)f(maintain)f(collections)h(of)g(tuples,)g(e)o(xpressed)e
+(in)j(terms)f(of)g(the)-150 5201 y(set')-5 b(s)18 b(indices.)23
+b(The)16 b(e)o(xamples)f(in)i Fi(x)g Fs(3.3)f(clarify)f(ho)n(w)h(this)h
+(is)g(useful.)-67 5300 y(Another)27 b(aggre)o(gate)e(type)i(supported)f
+(is)j Fm(file)p Fs(.)48 b(Support)26 b(for)-150 5400
+y(\002les)d(is)g(presently)d(crude:)28 b(a)22 b(script)g(can)g(open)f
+(\002les)h(for)g(writing)f(or)2049 -104 y(appending,)j(and)g(can)h
+(pass)h(the)g(resulting)e Fm(file)h Fs(v)n(ariable)f(to)i(the)2049
+-5 y Fm(print)e Fs(command)f(to)i(specify)f(where)g(it)i(should)e
+(write,)i(b)n(ut)e(that)2049 95 y(is)j(all.)42 b(Also,)27
+b(these)f(\002les)h(are)f(simple)f(ASCII.)h(In)g(the)f(future,)h(we)
+2049 194 y(plan)g(to)h(e)o(xtend)f(\002les)i(to)f(support)e(reading,)i
+(ASCII)g(parsing,)g(and)2049 294 y(binary)19 b(\(typed\))f(reading)h
+(and)h(writing.)2132 394 y(Finally)-5 b(,)24 b(abo)o(v)o(e)d(we)j
+(alluded)f(to)h(the)f Fm(list)g Fs(type,)h(which)f(holds)2049
+493 y(zero)e(or)g(more)g(instances)h(of)f(a)h(v)n(alue.)28
+b(Currently)-5 b(,)20 b(this)i(type)f(is)i(not)2049 593
+y(directly)c(a)n(v)n(ailable)g(to)h(the)g Fm(Bro)f Fs(script)h(writer)m
+(,)f(other)g(than)g(implic-)2049 693 y(itly)k(when)e(using)h
+Fr(hostname)f Fs(constants.)30 b(Since)22 b(its)i(present)d(use)i(is)
+2049 792 y(primarily)g(internal)h(to)g(the)h(script)f(interpreter)f
+(\(when)g(initializing)2049 892 y(v)n(ariables,)c(per)h
+Fi(x)h Fs(3.3\),)e(we)h(do)g(not)g(describe)f(it)i(further)-5
+b(.)2132 991 y Fl(Regular)44 b(expr)o(essions.)99 b Fs(The)45
+b(last)g(b)n(uilt-in)f Fm(Bro)h Fs(type)g(is)2049 1091
+y Fm(pattern)p Fs(.)51 b(P)o(atterns)29 b(are)g(Unix-style)f(re)o
+(gular)g(e)o(xpressions;)k(in)2049 1191 y(particular)m(,)22
+b(the)h(syntax)f(used)h(by)g(the)g Fr(\003e)n(x)g Fs(utility)g([P)o
+(a96)n(].)34 b(P)o(attern)2049 1290 y(constants)20 b(are)g(enclosed)f
+(by)h Fm(/)g Fs(delimiters.)25 b(F)o(or)20 b(e)o(xample:)2208
+1435 y Ff(/sync|lp|uucp|operator|ezsetup|4dgifts/)2049
+1600 y Fs(is)k(a)f(pattern)f(that)i(matches)e(a)i(number)d(of)i(common)
+e(def)o(ault)h(Unix)2049 1700 y(accounts.)2132 1800 y(Presently)-5
+b(,)20 b(only)h(tw)o(o)g(operations)f(are)h(allo)n(wed)f(on)h(pattern)f
+(v)n(al-)2049 1899 y(ues:)25 b(assignment,)18 b(and)h(testing)g(to)h
+(see)f(whether)g(the)g(pattern)f(v)n(alue)2049 1999 y(matches)i(a)g(gi)
+n(v)o(en)f(string)h(\(discussed)g(belo)n(w\).)2049 2233
+y Fh(3.2)99 b(Operators)2049 2389 y Fm(Bro)27 b Fs(pro)o(vides)e(a)j
+(number)d(of)i(C-lik)o(e)g(operators)f(\()p Fm(+)p Fs(,)j
+Fm(-)p Fs(,)g Fm(*)p Fs(,)f Fm(/)p Fs(,)h Fm(\045)p Fs(,)2049
+2489 y Fm(!)p Fs(,)g Fm(&&)p Fs(,)f Fm(||)p Fs(,)h Fm(?:)p
+Fs(,)f(relationals)e(lik)o(e)h Fm(<=)p Fs(\))g(with)g(which)f(we)i
+(assume)2049 2588 y(the)e(reader)f(is)i(f)o(amiliar)m(,)f(and)g(will)h
+(not)e(detail)h(here.)42 b(Assignment)2049 2688 y(is)28
+b(done)e(using)h Fm(=)p Fs(,)i(table)e(and)f(set)i(inde)o(xing)d(with)i
+Fm([])p Fs(,)i(and)e(func-)2049 2787 y(tion)19 b(in)m(v)n(ocation)f
+(and)h(e)n(v)o(ent)g(generation)e(with)j Fm(\(\))p Fs(.)25
+b(Numeric)18 b(v)n(ari-)2049 2887 y(ables)35 b(can)g(be)f(incremented)f
+(and)h(decremented)f(using)h Fm(++)h Fs(and)2049 2987
+y Fm(--)p Fs(.)i(Record)23 b(\002elds)i(are)f(accessed)g(using)g
+Fm($)p Fs(,)h(to)f(a)n(v)n(oid)g(ambiguity)2049 3086
+y(with)30 b Fr(hostname)f Fs(constants.)54 b(Assignment)30
+b(of)f(aggre)o(gate)f(v)n(alues)2049 3186 y(is)h Fr(shallow)p
+Fs(\227the)e(ne)n(wly-assigned)e(v)n(ariable)i(refers)g(to)h(the)f
+(same)2049 3286 y(aggre)o(gate)20 b(v)n(alue)h(as)i(the)f(right-hand)d
+(side)j(of)g(the)g(assignment)f(e)o(x-)2049 3385 y(pression.)52
+b(This)30 b(choice)f(w)o(as)h(made)f(to)h(f)o(acilitate)f(performance;)
+2049 3485 y(we)e(ha)n(v)o(e)f(not)g(yet)h(been)f(bitten)g(by)h(the)f
+(semantics)h(\(which)f(dif)n(fer)2049 3585 y(from)21
+b(C\).)i(W)-7 b(e)24 b(may)d(in)i(the)f(future)g(add)f(a)i
+Fm(copy)f Fs(operator)f(to)h(con-)2049 3684 y(struct)e(\223deep\224)f
+(copies.)2132 3784 y(From)30 b(the)g(perspecti)n(v)o(e)e(of)i(C,)g(the)
+g(only)g(no)o(v)o(el)e(operators)h(are)2049 3883 y Fm(in)f
+Fs(and)e Fm(!in)p Fs(.)47 b(These)27 b(in\002x)g(operators)f(yield)h
+Fm(bool)g Fs(v)n(alues)g(de-)2049 3983 y(pending)16 b(on)h(whether)g
+(or)g(not)h(a)g(gi)n(v)o(en)e(inde)o(x)h(is)h(in)g(a)g(gi)n(v)o(en)f
+Fm(table)2049 4083 y Fs(or)k Fm(set)p Fs(.)26 b(F)o(or)21
+b(e)o(xample,)e(if)i Fm(sensitive)p 3322 4083 V 29 w(services)f
+Fs(is)h(a)h Fm(set)2049 4182 y Fs(inde)o(x)o(ed)c(by)i(a)h(single)f
+Fm(port)p Fs(,)f(then)2208 4327 y Ff(23/tcp)39 b(in)h
+(sensitive_services)2049 4492 y Fs(returns)20 b(true)g(if)h(the)g(set)h
+(has)f(an)g(element)f(corresponding)d(to)k(an)g(in-)2049
+4592 y(de)o(x)c(of)h(TCP)h(port)f(23,)g(f)o(alse)g(if)h(it)g(does)f
+(not)g(ha)n(v)o(e)f(such)h(an)g(element.)2049 4692 y(Similarly)-5
+b(,)25 b(if)f Fm(RPC)p 2630 4692 V 30 w(okay)g Fs(is)i(a)e
+Fm(set)h Fs(\(or)f Fm(table)p Fs(\))g(inde)o(x)o(ed)e(by)i(a)2049
+4791 y(source)30 b(address,)i(a)f(destination)e(address,)k(and)d(an)g
+(RPC)i(service)2049 4891 y(number)18 b(\(a)j Fm(count)p
+Fs(\),)e(then)2129 5035 y Ff([src_addr,)38 b(dst_addr,)h(serv])g(in)g
+(RPC_okay)2049 5201 y Fs(yields)34 b(true)f(if)h(the)g(gi)n(v)o(en)e
+(ordered)g(triple)h(is)i(present)e(as)h(an)g(in-)2049
+5300 y(de)o(x)26 b(into)h Fm(RPC)p 2507 5300 V 30 w(okay)p
+Fs(.)45 b(The)27 b Fm(!in)g Fs(operator)f(simply)g(returns)h(the)2049
+5400 y(boolean)19 b(ne)o(gation)f(of)i(the)g Fm(in)g
+Fs(operator)-5 b(.)1929 5649 y(6)p eop
+%%Page: 7 7
+7 6 bop -67 -104 a Fs(Presently)-5 b(,)17 b(inde)o(xing)e(a)j(table)g
+(or)f(set)h(with)g(a)g(v)n(alue)f(that)h(does)f(not)-150
+-5 y(correspond)24 b(to)i(one)g(of)g(its)h(elements)f(leads)g(to)h(a)g
+(run-time)d(error)m(,)-150 95 y(so)d(such)g(operations)e(need)h(to)h
+(be)g(preceded)e(by)h Fm(in)h Fs(tests.)28 b(W)-7 b(e)22
+b(\002nd)-150 194 y(this)g(not)f(entirely)f(satisfying,)h(and)g(plan)f
+(to)i(add)f(a)g(mechanism)f(for)-150 294 y(optionally)28
+b(specifying)g(the)h(action)g(to)h(tak)o(e)f(in)h(such)f(cases)h(on)f
+(a)-150 394 y(per)n(-table)19 b(basis.)-67 498 y(Another)26
+b(use)h(of)f(the)h Fm(in)g Fs(and)g Fm(!in)g Fs(operators)e(is)j(for)e
+(re)o(gular)n(-)-150 598 y(e)o(xpression)19 b(pattern)g(matching.)k(F)o
+(or)d(e)o(xample,)-70 785 y Ff(filename)38 b(in)i(/rootkit-1\\.[5-8]/)
+-150 987 y Fs(yields)20 b(true)h(if)g(the)f(v)n(alue)g(of)g(the)h(e)o
+(xpression)e Fm(filename)g Fs(\(which)-150 1087 y(must)26
+b(ha)n(v)o(e)g(type)g Fm(string)p Fs(\))f(matches)h(an)o(y)f(of)h
+Fm(rootkit-1.5)p Fs(,)-150 1187 y Fm(rootkit-1.6)p Fs(,)18
+b Fm(rootkit-1.7)p Fs(,)h(or)h Fm(rootkit-1.8)p Fs(.)-67
+1291 y(Finally)-5 b(,)33 b Fm(Bro)d Fs(includes)h(a)g(number)e(of)h
+(prede\002ned)f(functions)-150 1391 y(to)46 b(perform)e(operations)g
+(not)i(directly)f(a)n(v)n(ailable)h(in)g(the)g(lan-)-150
+1490 y(guage.)27 b(Some)21 b(of)g(the)g(more)f(interesting:)27
+b Fm(fmt)21 b Fs(pro)o(vides)e Fr(sprintf)12 b Fs(-)-150
+1590 y(style)26 b(formatting)d(for)i(use)g(in)h(printing)d(or)i
+(manipulating)f(strings;)-150 1690 y Fm(edit)j Fs(returns)f(a)i(cop)o
+(y)e(of)h(a)g(string)g(that)g(has)g(been)g(edited)f(using)-150
+1789 y(the)i(gi)n(v)o(en)f(editing)h(characters)f(\(currently)f(it)j
+(only)f(kno)n(ws)g(about)-150 1889 y(single-character)44
+b(deletions\);)57 b Fm(mask)p 1041 1889 25 4 v 29 w(addr)46
+b Fs(tak)o(es)g(an)g Fm(addr)-150 1989 y Fs(and)31 b(returns)f(another)
+g Fm(addr)g Fs(corresponding)e(to)j(its)i(top)d Fj(n)i
+Fs(bits;)-150 2088 y Fm(open)43 b Fs(and)g Fm(close)g
+Fs(manipulate)f Fm(file)p Fs(s;)55 b Fm(network)p 1628
+2088 V 29 w(time)-150 2188 y Fs(returns)62 b(the)h(timestamp)g(of)g
+(the)g(most)g(recently)f(recei)n(v)o(ed)-150 2287 y(pack)o(et;)29
+b Fm(getenv)d Fs(pro)o(vides)e(access)j(to)g(en)m(vironment)c(v)n
+(ariables;)-150 2387 y Fm(skip)p 55 2387 V 29 w(further)p
+434 2387 V 29 w(processing)e Fs(marks)h(a)h(connection)e(as)i(not)-150
+2487 y(requiring)d(an)o(y)h(further)f(analysis;)j Fm(set)p
+1035 2487 V 29 w(record)p 1364 2487 V 29 w(packets)e
+Fs(in-)-150 2586 y(structs)38 b(the)f(e)n(v)o(ent)f(engine)g(whether)g
+(or)h(not)g(to)h(record)d(an)o(y)i(of)-150 2686 y(a)j(connection')-5
+b(s)38 b(future)g(pack)o(ets)h(\(though)e(SYN/FIN/RST)k(are)-150
+2786 y(al)o(w)o(ays)c(recorded\);)43 b Fm(set)p 658 2786
+V 29 w(contents)p 1087 2786 V 29 w(file)36 b Fs(speci\002es)i(a)f
+(\002le)-150 2885 y(to)k(which)f(Bro)h(records)f(the)h(connection')-5
+b(s)39 b(reassembled)h(byte)-150 2985 y(stream;)46 b
+Fm(system)36 b Fs(e)o(x)o(ecutes)h(a)g(string)g(as)h(a)g(Unix)f(shell)g
+(com-)-150 3084 y(mand;)25 b(and)e Fm(parse)p 483 3084
+V 29 w(ftp)p 662 3084 V 30 w(port)g Fs(tak)o(es)i(an)e(FTP)i(\223POR)-5
+b(T\224)24 b(com-)-150 3184 y(mand)g(and)h(returns)g(a)g
+Fm(record)g Fs(with)h(the)f(corresponding)d Fm(addr)-150
+3284 y Fs(and)e Fm(port)p Fs(.)-150 3549 y Fh(3.3)99
+b(V)-9 b(ariables)-150 3714 y Fm(Bro)28 b Fs(supports)f(tw)o(o)h(le)n
+(v)o(els)g(of)f(scoping:)40 b(local)27 b(to)h(a)h(function)d(or)-150
+3813 y(e)n(v)o(ent)31 b(handler)m(,)i(and)e(global)g(to)h(the)g(entire)
+f Fm(Bro)h Fs(script.)60 b(Expe-)-150 3913 y(rience)28
+b(has)h(already)f(sho)n(wn)g(that)i(we)f(w)o(ould)f(bene\002t)g(by)h
+(adding)-150 4013 y(a)37 b(third,)i(intermediate)c(le)n(v)o(el)h(of)g
+(scoping,)j(perhaps)c(as)i(part)f(of)-150 4112 y(a)f(\223module\224)d
+(or)j(\223object\224)e(f)o(acility)-5 b(,)37 b(or)d(e)n(v)o(en)g(as)h
+(simple)f(as)h(C')-5 b(s)-150 4212 y Fm(static)33 b Fs(scoping.)65
+b(Local)33 b(v)n(ariables)g(are)h(declared)e(using)i(the)-150
+4312 y(k)o(e)o(yw)o(ord)20 b Fm(local)p Fs(,)i(and)f(the)h
+(declarations)f(must)g(come)h(inside)g(the)-150 4411
+y(body)c(of)i(a)g(function)e(or)h(e)n(v)o(ent)g(handler)-5
+b(.)24 b(There)19 b(is)i(no)e(requirement)-150 4511 y(to)31
+b(declare)f(v)n(ariables)g(at)i(the)f(be)o(ginning)d(of)j(the)g
+(function.)55 b(The)-150 4610 y(scope)21 b(of)h(the)g(v)n(ariable)e
+(ranges)h(from)g(the)h(point)f(of)g(declaration)f(to)-150
+4710 y(the)j(end)e(of)i(the)f(body)-5 b(.)30 b(Global)22
+b(v)n(ariables)g(are)g(declared)g(using)g(the)-150 4810
+y(k)o(e)o(yw)o(ord)28 b Fm(global)h Fs(and)g(the)g(declarations)g(must)
+g(come)g(outside)-150 4909 y(of)g(an)o(y)f(function)g(bodies.)51
+b(F)o(or)29 b(either)f(type)h(of)g(declaration,)h(the)-150
+5009 y(k)o(e)o(yw)o(ord)17 b(can)h(be)g(replaced)f(instead)i(by)f
+Fm(const)p Fs(,)g(which)g(indicates)-150 5109 y(that)i(the)g(v)n
+(ariable')-5 b(s)20 b(v)n(alue)f(is)j(constant)d(and)h(cannot)f(be)h
+(changed.)-67 5213 y(Syntactically)-5 b(,)19 b(a)h(v)n(ariable)f
+(declaration)g(looks)h(lik)o(e:)-150 5400 y Ff({class})39
+b({identifier})f([':')h({type}])g(['=')g({init}])2049
+-104 y Fs(That)29 b(is,)j(a)d(class)h(\()p Fm(local)e
+Fs(or)h Fm(global)g Fs(scope,)h(or)f(the)g Fm(const)2049
+-5 y Fs(quali\002er\),)21 b(the)h(name)f(of)h(the)f(v)n(ariable,)g(an)h
+(optional)f(type,)g(and)h(an)2049 95 y(optional)k(initialization)g(v)n
+(alue.)45 b(One)27 b(of)g(the)g(latter)g(tw)o(o)h(must)f(be)2049
+194 y(speci\002ed.)43 b(If)26 b(both)f(are,)i(then)f(naturally)f(the)h
+(type)g(of)f(the)i(initial-)2049 294 y(ization)22 b(much)g(agree)g
+(with)h(the)f(speci\002ed)g(type.)32 b(If)23 b(only)e(a)i(type)g(is)
+2049 394 y(gi)n(v)o(en,)e(then)g(the)h(v)n(ariable)f(is)i(mark)o(ed)d
+(as)j(not)e(ha)n(ving)g(a)h(v)n(alue)f(yet;)2049 493
+y(attempting)f(to)i(access)h(its)f(v)n(alue)f(before)g(\002rst)h
+(setting)g(it)g(results)g(in)2049 593 y(a)f(run-time)d(error)-5
+b(.)2132 694 y(If)23 b(only)f(an)g(initializer)h(is)h(speci\002ed,)f
+(then)f(Bro)h(infers)f(the)h(v)n(ari-)2049 793 y(able')-5
+b(s)19 b(type)g(from)f(the)h(form)f(of)h(the)g(initializer)-5
+b(.)25 b(This)19 b(pro)o(v)o(es)f(quite)2049 893 y(con)m(v)o(enient,)i
+(as)j(does)f(the)g(ease)h(with)f(which)g(comple)o(x)f(tables)h(and)2049
+993 y(sets)f(can)f(be)g(initialized.)25 b(F)o(or)20 b(e)o(xample,)2049
+1160 y Ff(const)39 b(IRC)h(=)f({)h(6666/tcp,)e(6667/tcp,)h(6668/tcp)g
+(};)2049 1348 y Fs(infers)20 b(a)g(type)g(of)g Fm(set[port])f
+Fs(for)h Fm(IRC)p Fs(,)g(while:)2049 1515 y Ff(const)39
+b(ftp_serv)g(=)g({)h(ftp.lbl.gov,)e(www.lbl.gov)g(};)2049
+1703 y Fs(infers)33 b(a)h(type)g(of)f Fm(set[addr])f
+Fs(for)i Fm(ftp)p 3393 1703 V 29 w(serv)p Fs(,)i(and)e(initial-)2049
+1802 y(izes)i(it)g(to)g(consist)f(of)g(the)h(IP)f(addresses)g(for)g
+Fm(ftp.lbl.gov)2049 1902 y Fs(and)30 b Fm(www.lbl.gov)p
+Fs(,)i(which,)g(as)g(noted)d(abo)o(v)o(e,)j(may)e(encom-)2049
+2001 y(pass)22 b(more)e(than)h(tw)o(o)h(addresses.)28
+b(Bro)21 b(infers)g(compound)e(indices)2049 2101 y(by)h(use)g(of)g
+Fm([])g Fs(notation:)2049 2269 y Ff(const)39 b(allowed_services)f(=)h
+({)2169 2348 y([ftp.lbl.gov,)e(ftp],)j([ftp.lbl.gov,)d(smtp],)2169
+2427 y([ftp.lbl.gov,)g(ident],)i([ftp.lbl.gov,)f(20/tcp],)2169
+2505 y([www.lbl.gov,)f(ftp],)j([www.lbl.gov,)d(smtp],)2169
+2584 y([www.lbl.gov,)g(ident],)i([www.lbl.gov,)f(20/tcp],)2169
+2663 y([nntp.lbl.gov,)f(nntp])2049 2742 y(};)2049 2929
+y Fs(results)25 b(in)g Fm(allowed)p 2736 2929 V 29 w(services)f
+Fs(ha)n(ving)f(type)i Fm(set[addr,)2049 3029 y(port])p
+Fs(.)47 b(Here)28 b(again,)g(the)g Fr(hostname)f Fs(constants)g(may)h
+(result)f(in)2049 3129 y(more)20 b(than)f(one)h(IP)h(address.)k(An)o(y)
+19 b(time)i(Bro)f(encounters)f(a)i Fm(list)2049 3228
+y Fs(of)33 b(v)n(alues)g(in)h(an)g(initialization,)h(it)g(replicates)e
+(the)g(correspond-)2049 3328 y(ing)22 b(inde)o(x.)31
+b(Furthermore,)21 b(one)h(can)g(e)o(xplicitly)g(introduce)e(lists)k(in)
+2049 3427 y(initializers)h(by)f(enclosing)f(a)i(series)g(of)f(v)n
+(alues)g(\(with)g(compatible)2049 3527 y(types\))c(in)g
+Fm([])p Fs(')-5 b(s,)21 b(so)f(the)g(abo)o(v)o(e)f(could)g(be)h
+(written:)2049 3695 y Ff(const)39 b(allowed_services:)e(set[addr,)i
+(port])g(=)h({)2169 3774 y([ftp.lbl.gov,)d([ftp,)j(smtp,)f(ident,)g
+(20/tcp]],)2169 3852 y([www.lbl.gov,)e([ftp,)j(smtp,)f(ident,)g
+(20/tcp]],)2169 3931 y([nntp.lbl.gov,)e(nntp])2049 4010
+y(};)2049 4198 y Fs(The)18 b(only)f(cost)i(of)f(such)g(an)g
+(initialization)g(is)h(that)f(Bro')-5 b(s)19 b(algorithm)2049
+4297 y(for)k(inferring)e(the)i(v)n(ariable')-5 b(s)23
+b(type)g(from)f(its)i(initializer)f(currently)2049 4397
+y(gets)17 b(confused)d(by)i(these)h(embedded)d(lists,)k(so)f(the)f
+(type)g(no)n(w)g(needs)2049 4496 y(to)k(be)g(e)o(xplicitly)g(supplied,)
+f(as)h(sho)n(wn.)2132 4597 y(In)h(addition,)e(an)o(y)h(pre)n
+(viously-de\002ned)d(global)j(v)n(ariable)g(can)h(be)2049
+4697 y(used)j(in)h(the)f(initialization)g(of)g(a)h(subsequent)e(global)
+h(v)n(ariable.)37 b(If)2049 4796 y(the)19 b(v)n(ariable)f(used)g(in)h
+(this)h(f)o(ashion)e(is)i(a)f Fm(set)p Fs(,)g(then)f(its)i(indices)f
+(are)2049 4896 y(e)o(xpanded)e(as)j(if)f(enclosed)g(in)g(their)g(o)n
+(wn)g(list.)26 b(So)20 b(the)f(abo)o(v)o(e)f(could)2049
+4996 y(be)i(further)f(simpli\002ed)h(to:)2049 5163 y
+Ff(const)39 b(allowed_services:)e(set[addr,)i(port])g(=)h({)2169
+5242 y([ftp_serv,)e([ftp,)h(smtp,)g(ident,)g(20/tcp]],)2169
+5321 y([nntp.lbl.gov,)e(nntp])2049 5400 y(};)1929 5649
+y Fs(7)p eop
+%%Page: 8 8
+8 7 bop -150 -104 a Fs(Initializing)17 b Fm(table)g Fs(v)n(alues)g
+(looks)g(v)o(ery)g(similar)m(,)g(with)h(the)g(dif)n(fer)n(-)-150
+-5 y(ence)h(that)g(a)h Fm(table)f Fs(initializer)g(includes)f(a)i
+Fr(yield)h Fs(v)n(alue,)e(too.)24 b(F)o(or)-150 95 y(e)o(xample:)-150
+257 y Ff(global)39 b(port_names)f(=)i({)-30 336 y([7/tcp])e(=)i
+("echo",)-30 415 y([9/tcp])e(=)i("discard",)-30 493 y([11/tcp])e(=)i
+("systat",)-30 572 y(...)-150 651 y(};)-150 834 y Fs(which)20
+b(infers)f(a)i(type)f(of)g Fm(table[port])47 b(of)j(string)p
+Fs(.)-67 934 y(W)-7 b(e)35 b(\002nd)e(that)h(these)g(forms)f(of)g
+(initialization)g(shorthand)f(are)-150 1033 y(much)k(more)g(than)g
+(syntactic)h(sugar)-5 b(.)74 b(Because)37 b(the)o(y)f(allo)n(w)h(us)
+-150 1133 y(to)29 b(de\002ne)g(lar)o(ge)f(tables)i(in)f(a)g(succinct)g
+(f)o(ashion,)i(by)d(referring)f(to)-150 1232 y(pre)n(viously-de\002ned)
+16 b(objects)j(and)g(by)h(concisely)e(capturing)g(forms)-150
+1332 y(of)i(replication)e(in)j(the)f(table,)g(we)g(can)g(specify)f
+(intricate)h(polic)o(y)f(re-)-150 1432 y(lationships)31
+b(in)g(a)h(f)o(ashion)e(that')-5 b(s)32 b(both)e(easy)i(to)f(write)h
+(and)e(easy)-150 1531 y(to)d(v)o(erify)-5 b(.)41 b(Certainly)-5
+b(,)27 b(we)g(w)o(ould)f(prefer)f(the)h(\002nal)h(de\002nition)e(of)
+-150 1631 y Fm(allowed)p 205 1631 25 4 v 29 w(services)g
+Fs(abo)o(v)o(e)f(to)i(an)o(y)g(of)f(its)i(predecessors,)f(in)-150
+1731 y(terms)20 b(of)g(kno)n(wing)e(e)o(xactly)i(what)g(the)g(set)h
+(consists)g(of.)-67 1830 y(Along)39 b(with)h(clarity)f(and)g
+(conciseness,)44 b(another)38 b(important)-150 1930 y(adv)n(antage)31
+b(of)h Fm(Bro)p Fs(')-5 b(s)33 b(emphasis)f(on)g(tables)g(and)g(sets)i
+(is)f(speed.)-150 2030 y(Consider)c(the)h(common)d(problem)h(of)i
+(attempting)e(to)i(determine)-150 2129 y(whether)18 b(access)h(is)h
+(allo)n(wed)e(to)h(service)g Fm(S)g Fs(of)g(host)f Fm(H)p
+Fs(.)h(Rather)g(than)-150 2229 y(using)h(\(conceptually\):)-150
+2391 y Ff(if)40 b(\()f(H)h(==)g(ftp.lbl.gov)e(||)h(H)h(==)g
+(www.lbl.gov)e(\))9 2470 y(if)i(\()g(S)f(==)h(ftp)f(||)h(S)g(==)f(smtp)
+g(||)h(...)f(\))-150 2549 y(else)g(if)h(\()g(H)f(==)h(nntp.lbl.gov)e
+(\))9 2627 y(if)i(\()g(S)f(==)h(nntp)f(\))-150 2706 y(...)-150
+2889 y Fs(we)21 b(can)f(simply)f(use:)-150 3051 y Ff(if)40
+b(\()f([S,)h(H])f(in)h(allowed_services)d(\))49 3130
+y(...)j(it's)f(okay)g(...)-150 3313 y Fs(The)23 b Fm(in)h
+Fs(operation)d(translates)j(into)f(a)h(single)f(hash)g(table)h(lookup,)
+-150 3412 y(a)n(v)n(oiding)17 b(the)i(cascaded)f Fm(if)p
+Fs(')-5 b(s)19 b(and)f(clearly)g(sho)n(wing)g(the)h(intent)f(of)-150
+3512 y(the)i(test.)-150 3750 y Fh(3.4)99 b(Statements)-150
+3906 y Fm(Bro)26 b Fs(currently)e(supports)h(only)g(a)i(modest)e(group)
+f(of)i(statements,)-150 4005 y(which)g(we)i(ha)n(v)o(e)e(so)h(f)o(ar)g
+(found)e(suf)n(\002cient.)45 b(Along)26 b(with)h(C-style)-150
+4105 y Fm(if)17 b Fs(and)g Fm(return)g Fs(and)g(e)o(xpression)e(e)n(v)n
+(aluation,)h(other)g(statements)-150 4204 y(are:)38 b
+Fm(print)27 b Fs(a)g(list)h(of)e(e)o(xpressions)g(to)g(a)i
+Fm(file)e Fs(\()p Fr(stdout)i Fs(by)e(de-)-150 4304 y(f)o(ault\);)f
+Fm(log)e Fs(a)h(list)h(of)e(e)o(xpressions;)h Fm(add)g
+Fs(an)f(element)g(to)h(a)f Fm(set)p Fs(;)-150 4404 y
+Fm(delete)g Fs(an)h(element)f(from)g(a)h Fm(set)g Fs(or)f(a)i
+Fm(table)p Fs(;)g(and)e Fm(event)p Fs(,)-150 4503 y(which)d(generates)f
+(a)i(ne)n(w)f(e)n(v)o(ent.)-67 4603 y(In)h(particular)m(,)e(the)h
+(language)g(does)g(not)h(support)e(looping)g(using)-150
+4703 y(a)27 b Fm(for)p Fs(-style)g(construct.)43 b(W)-7
+b(e)28 b(are)f(w)o(ary)g(of)f(loops)h(in)g(e)n(v)o(ent)e(han-)-150
+4802 y(dlers)33 b(because)f(the)o(y)f(can)i(lead)f(to)h(arbitrarily)e
+(lar)o(ge)h(processing)-150 4902 y(delays,)c(which)e(in)h(turn)f(could)
+g(lead)g(to)h(pack)o(et)g(\002lter)g(drops.)43 b(W)-7
+b(e)-150 5001 y(w)o(anted)23 b(to)g(see)h(whether)e(we)i(could)e(still)
+i(adequately)e(e)o(xpress)g(se-)-150 5101 y(curity)g(policies)g(in)g
+Fm(Bro)g Fs(without)g(resorting)f(to)i(loops;)f(if)h(so,)g(then)-150
+5201 y(we)17 b(ha)n(v)o(e)e(some)h(con\002dence)f(that)h(e)n(v)o(ery)f
+(e)n(v)o(ent)g(is)i(handled)e(quickly)-5 b(.)-150 5300
+y(So)23 b(f)o(ar)m(,)g(this)g(e)o(xperiment)e(has)i(been)f(successful.)
+33 b(Looping)21 b(is)i(still)-150 5400 y(possible)29
+b(via)g(recursion)f(\(either)g(functions)g(calling)h(themselv)o(es,)
+2049 -104 y(or)23 b(e)n(v)o(ent)g(handlers)f(generating)g(their)h(o)n
+(wn)g(e)n(v)o(ents\),)h(b)n(ut)f(we)h(ha)n(v)o(e)2049
+-5 y(not)c(found)e(a)j(need)e(to)i(resort)f(to)g(it.)2132
+96 y(Lik)o(e)i(in)h(C,)g(we)g(can)f(group)f(sets)j(of)e(statements)g
+(into)g Fr(bloc)n(ks)h Fs(by)2049 196 y(enclosing)c(them)h(within)g
+Fi(fg)p Fs(')-5 b(s.)25 b(Function)19 b(de\002nitions)g(look)g(lik)o
+(e:)2049 367 y Ff(function)39 b(endpoint_id\(h:)e(addr,)j(p:)f(port\):)
+g(string)2169 445 y({)2169 524 y(if)g(\()h(p)g(in)f(port_names)f(\))
+2288 603 y(return)h(fmt\("\045s/\045s",)f(h,)i(port_names[p]\);)2169
+682 y(else)2288 761 y(return)f(fmt\("\045s/\045d",)f(h,)i(p\);)2169
+840 y(})2049 1029 y Fs(Ev)o(ent)63 b(handler)f(de\002nitions)h(look)f
+(the)i(same)g(e)o(xcept)e(that)2049 1129 y Fm(function)18
+b Fs(is)i(replaced)d(by)i Fm(event)f Fs(and)g(the)o(y)g(cannot)g
+(specify)g(a)2049 1229 y(return)h(type.)24 b(See)d(Appendix)d(A)j(for)f
+(an)g(e)o(xample.)2132 1330 y(Functions)f(are)i(in)m(v)n(ok)o(ed)d(the)
+j(usual)f(w)o(ay)-5 b(,)20 b(as)h(e)o(xpressions)e(spec-)2049
+1430 y(i\002ed)28 b(by)f(the)g(function')-5 b(s)26 b(name)h(follo)n
+(wed)f(by)h(its)i(ar)o(guments)c(en-)2049 1529 y(closed)d(within)f
+(parentheses.)29 b(Ev)o(ents)21 b(are)h(generated)e(in)i(a)g(similar)
+2049 1629 y(f)o(ashion,)31 b(e)o(xcept)d(using)h(the)g(k)o(e)o(yw)o
+(ord)f Fm(event)h Fs(before)f(the)h(han-)2049 1728 y(dler')-5
+b(s)30 b(name)g(and)f(ar)o(gument)f(list.)56 b(Since)31
+b(e)n(v)o(ents)e(do)h(not)g(return)2049 1828 y(v)n(alues)17
+b(\(the)o(y)f(can')o(t,)h(since)g(the)o(y)g(are)g(processed)f
+(asynchronously\),)2049 1928 y(e)n(v)o(ent)g(generation)e(is)k(a)e
+(statement)h(in)f Fm(Bro)h Fs(and)f(not)g(an)g(e)o(xpression.)2132
+2029 y Fm(Bro)22 b Fs(also)f(allo)n(ws)h(\223global\224)f(statements)g
+(that)h(are)f(not)h(part)f(of)g(a)2049 2129 y(function)15
+b(or)i(e)n(v)o(ent)f(handler)f(de\002nition.)23 b(These)16
+b(are)h(e)o(x)o(ecuted)e(after)2049 2228 y(parsing)30
+b(the)g(full)h(script,)i(and)d(can)h(of)g(course)f(in)m(v)n(ok)o(e)f
+(functions)2049 2328 y(or)e(generate)e(e)n(v)o(ents.)45
+b(The)26 b(e)n(v)o(ent)g(engine)g(also)h(generates)f(e)n(v)o(ents)2049
+2427 y(during)21 b(dif)n(ferent)f(phases)j(of)f(its)h(operation:)28
+b Fm(bro)p 3555 2427 V 29 w(init)22 b Fs(when)g(it)2049
+2527 y(is)27 b(about)f(to)g(be)o(gin)f(operation,)h Fm(bro)p
+3162 2527 V 29 w(done)g Fs(when)g(it)h(is)g(about)e(to)2049
+2627 y(terminate,)18 b(and)f Fm(bro)p 2696 2627 V 30
+w(signal)h Fs(when)f(it)j(recei)n(v)o(es)d(a)i(Unix)f(signal.)2132
+2728 y(One)32 b(dif)n(ference)e(between)h(de\002ning)g(functions)f(and)
+i(de\002ning)2049 2828 y(e)n(v)o(ent)24 b(handlers)f(is)i(that)g
+Fm(Bro)f Fs(allo)n(ws)h(multiple,)f(dif)n(ferent)f(de\002ni-)2049
+2927 y(tions)j(for)g(a)h(gi)n(v)o(en)e(e)n(v)o(ent)h(handler)-5
+b(.)42 b(Whene)n(v)o(er)25 b(an)i(e)n(v)o(ent)e(is)i(gen-)2049
+3027 y(erated,)f(each)f(instance)h(of)f(a)h(handler)e(is)j(in)m(v)n(ok)
+o(ed)c(in)j(turn)f(\(in)h(the)2049 3127 y(order)g(the)o(y)h(appear)f
+(in)h(the)h(script\).)46 b(So,)29 b(for)e(e)o(xample,)g(dif)n(ferent)
+2049 3226 y(\(conceptual\))f(modules)i(can)g(each)g(de\002ne)g
+Fm(bro)p 3516 3226 V 29 w(init)h Fs(handlers)2049 3326
+y(to)23 b(tak)o(e)f(care)g(of)h(their)f(initialization.)31
+b(W)-7 b(e)24 b(\002nd)e(this)h(considerably)2049 3425
+y(simpli\002es)17 b(the)g(task)h(of)e(creating)g(modular)f(sets)j(of)f
+(e)n(v)o(ent)f(handlers,)2049 3525 y(b)n(ut)21 b(we)h(anticipate)f
+(requiring)e(greater)i(control)f(in)h(the)h(future)e(o)o(v)o(er)2049
+3625 y(the)g(e)o(xact)g(order)f(in)h(which)g Fm(Bro)g
+Fs(in)m(v)n(ok)o(es)f(multiple)h(handlers.)2049 3914
+y Ft(4)119 b(Implementation)30 b(issues)2049 4103 y Fs(W)-7
+b(e)24 b(implemented)c(the)j(Bro)g(e)n(v)o(ent)e(engine)h(and)g(script)
+g(interpreter)2049 4203 y(in)35 b(C++,)k(currently)33
+b(about)g(27,000)g(lines.)69 b(In)34 b(this)i(section)e(we)2049
+4302 y(discuss)40 b(some)f(of)g(the)g(signi\002cant)g(implementation)e
+(decisions)2049 4402 y(and)29 b(tradeof)n(fs.)53 b(W)-7
+b(e)31 b(defer)e(to)h Fi(x)g Fs(5)g(discussion)f(of)h(ho)n(w)f(Bro)h
+(de-)2049 4502 y(fends)i(against)f(attacks)h(on)g(the)g(monitoring)e
+(system,)35 b(and)d(post-)2049 4601 y(pone)23 b(application-speci\002c)
+f(issues)k(until)e Fi(x)g Fs(6,)i(as)f(that)f(discussion)2049
+4701 y(bene\002ts)c(from)f(notions)g(de)n(v)o(eloped)f(in)i
+Fi(x)h Fs(5.)2132 4802 y Fl(Use)26 b(of)f(C++.)41 b Fs(Our)25
+b(use)g(of)g(C++)h(w)o(as)g(moti)n(v)n(ated)d(by)i(our)g(suc-)2049
+4902 y(cessful)33 b(e)o(xperience)d(with)j(using)f(it)h(for)f
+(implementing)e(another)2049 5001 y(e)n(v)o(ent-oriented)j(script)j
+(interpreter)m(,)i(the)e(Glish)g(\223softw)o(are)f(b)n(us\224)2049
+5101 y([PS93)o(].)29 b(F)o(or)21 b(Bro,)h(this)g(has)f(been)g(a)h
+(clear)f(success.)29 b(Class)23 b(hierar)n(-)2049 5201
+y(chies)g(map)f(well)i(to)e(protocol)f(layers,)i(which)g(then)f
+(simpli\002es)h(e)o(x-)2049 5300 y(tending)e(the)i(e)n(v)o(ent)e
+(engine)h(and)g(script)g(interpreter)-5 b(.)31 b(W)-7
+b(e)24 b(ha)n(v)o(e)e(not)2049 5400 y(percei)n(v)o(ed)17
+b(an)o(y)h(performance)e(problems)i(related)g(to)i(the)f(choice)f(of)
+1929 5649 y(8)p eop
+%%Page: 9 9
+9 8 bop -150 -104 a Fs(C++;)19 b(the)e(choice)g(of)g(interpreting)e(v)o
+(ersus)i(compiling)f(\(see)i(belo)n(w\))-150 -5 y(is)j(clearly)f(a)g
+(more)g(dominant)e(ef)n(fect.)-67 99 y Fl(Single-thr)o(eaded)k(design.)
+37 b Fs(Since)23 b(e)n(v)o(ent)g(handling)f(lies)i(at)h(the)-150
+199 y(heart)20 b(of)g(the)g(system,)h(it)g(is)g(natural)f(to)g
+(consider)f(a)i(multi-threaded)-150 298 y(design,)e(with)h(one)f
+(thread)g(per)h(acti)n(v)o(e)f(e)n(v)o(ent)g(handler)-5
+b(.)24 b(W)-7 b(e)21 b(ha)n(v)o(e)e(so)-150 398 y(f)o(ar)25
+b(resisted)g(this)g(approach,)e(because)h(of)h(concerns)e(that)i(it)h
+(could)-150 498 y(lead)20 b(to)g(subtle)h(race)e(conditions)g(in)i
+Fm(Bro)f Fs(scripts.)-67 602 y(An)25 b(important)f(consequence)e(of)j
+(a)h(single-threaded)c(design)j(is)-150 701 y(that)j(the)g(system)g
+(must)g(be)g(careful)f(before)g(initiating)g(an)o(y)g(acti)n(v-)-150
+801 y(ity)h(that)g(may)f(potentially)f(block)h(w)o(aiting)h(for)f(a)h
+(resource,)g(lead-)-150 900 y(ing)d(to)h(pack)o(et)f(\002lter)h(drops)e
+(as)j(the)e(engine)g(f)o(ails)h(to)g(consume)e(in-)-150
+1000 y(coming)g(traf)n(\002c.)41 b(A)26 b(particular)e(concern)g(is)i
+(performing)d(Domain)-150 1100 y(Name)18 b(System)h(\(DNS\))f(lookups,)
+f(which)h(can)g(tak)o(e)g(man)o(y)f(seconds)-150 1199
+y(to)24 b(complete)e(or)i(time)g(out.)35 b(Currently)-5
+b(,)22 b(Bro)i(only)f(performs)f(such)-150 1299 y(lookups)k(when)h
+(parsing)g(its)i(input)e(\002le,)j(b)n(ut)e(we)g(w)o(ant)g(in)f(the)h
+(fu-)-150 1399 y(ture)19 b(to)g(be)f(able)h(to)g(mak)o(e)f(address)h
+(and)f(hostname)g(translations)g(on)-150 1498 y(the)23
+b(\003y)-5 b(,)22 b(both)g(to)h(generate)e(clearer)h(messages,)h(and)f
+(to)h(detect)g(cer)n(-)-150 1598 y(tain)17 b(types)f(of)h(attacks.)24
+b(Consequently)-5 b(,)15 b(Bro)i(includes)f(customized)-150
+1697 y(non-blocking)d(DNS)18 b(routines)e(that)i(perform)d(DNS)j
+(lookups)d(asyn-)-150 1797 y(chronously)-5 b(.)-67 1901
+y(W)e(e)22 b(may)e(yet)h(adopt)f(a)h(multi-threaded)d(design.)26
+b(A)c(more)e(lik)o(ely)-150 2001 y(possibility)42 b(is)h(e)n(v)n
+(olving)e(Bro)h(to)n(w)o(ards)g(a)h(distrib)n(uted)e(design,)-150
+2100 y(in)28 b(which)f(loosely-coupled,)f(multiple)h(Bro')-5
+b(s)29 b(on)e(separate)g(hosts)-150 2200 y(monitor)17
+b(the)h(same)g(netw)o(ork)f(link.)24 b(Each)18 b(Bro)g(w)o(ould)f(w)o
+(atch)i(a)f(dif-)-150 2299 y(ferent)k(type)f(of)i(traf)n(\002c)f
+(\(e.g.,)f(HTTP)i(or)f(NFS\))h(and)f(communicate)-150
+2399 y(only)c(at)h(a)g(high)e(le)n(v)o(el,)i(to)f(con)m(v)o(e)o(y)e
+(current)i(threat)g(information.)1732 2369 y Fn(3)1791
+2399 y Fs(A)-150 2499 y(further)i(e)o(xtension)f(of)i(this)h(notion)e
+(is)i(a)g(more)e(general)g(distrib)n(uted)-150 2598 y(design,)25
+b(in)f(which)g(multiple)g(Bro')-5 b(s)25 b(w)o(atch)g(multiple)f
+(links,)h(parti-)-150 2698 y(tioning)i(the)h(monitoring)d(w)o(orkload;)
+30 b(and)e(also)g(interacting)e(with)-150 2798 y(host-based)18
+b(agents.)24 b(Others)19 b(ha)n(v)o(e)g(recently)f(also)i(be)o(gun)d
+(pursuing)-150 2897 y(distrib)n(uted)i(architectures)g([Ci99)o(,)i
+(In99)n(].)-67 3001 y Fl(Managing)27 b(timers.)49 b Fs(Bro)28
+b(uses)g(numerous)e(timers)i(internally)-150 3101 y(for)18
+b(operations)g(such)g(as)i(timing)f(out)f(a)i(connection)c
+(establishment)-150 3200 y(attempt.)57 b(It)31 b(sometimes)g(has)g
+(thousands)e(of)i(timers)g(pending)e(at)-150 3300 y(a)g(gi)n(v)o(en)f
+(moment.)50 b(Consequently)-5 b(,)29 b(it)h(is)g(important)d(that)i
+(timers)-150 3400 y(be)j(v)o(ery)g(lightweight:)49 b(quick)31
+b(to)i(set)g(and)f(to)h(e)o(xpire.)60 b(Our)33 b(ini-)-150
+3499 y(tial)f(implementation)e(used)h(a)h(single)f(priority)g(heap,)i
+(which)e(we)-150 3599 y(found)d(attracti)n(v)o(e)h(since)h(insert)g
+(and)f(delete)h(operations)e(both)h(re-)-150 3699 y(quire)19
+b(only)f Fj(O)r Fc(\(log)q(\()p Fj(N)9 b Fc(\)\))21 b
+Fs(time)f(if)f(the)h(heap)f(contains)f Fj(N)29 b Fs(elements.)-150
+3798 y(Ho)n(we)n(v)o(er)m(,)22 b(we)i(found)e(that)h(when)g(the)h(heap)
+f(gro)n(ws)f(quite)i(lar)o(ge\227)-150 3898 y(such)29
+b(as)g(during)f(a)h(hostile)g(port)f(scan)h(that)g(creates)g(hundreds)e
+(of)-150 3997 y(ne)n(w)d(connections)e(each)i(second\227then)e(this)i
+(o)o(v)o(erhead)e(becomes)-150 4097 y(signi\002cant.)43
+b(Consequently)-5 b(,)25 b(we)i(percei)n(v)o(ed)d(a)j(need)e(to)i
+(redesign)-150 4197 y(timers)21 b(to)g(bring)e(the)i(o)o(v)o(erhead)d
+(closer)i(to)h Fj(O)r Fc(\(1\))p Fs(.)28 b(T)-7 b(o)21
+b(achie)n(v)o(e)e(this,)-150 4296 y(Bro)h(no)n(w)g(uses)h(\223calendar)
+d(queues\224)i(instead)g([Br88)n(].)-67 4400 y(A)36 b(related)e(issue)i
+(with)f(managing)e(timers)j(concerns)d(e)o(xactly)-150
+4500 y(when)15 b(to)i(e)o(xpire)e(timers.)23 b(Bro)16
+b(deri)n(v)o(es)g(its)h(notion)d(of)i(time)h(from)e(the)-150
+4599 y(timestamps)28 b(pro)o(vided)d(by)j Fm(libpcap)g
+Fs(with)g(each)g(pack)o(et)f(it)i(de-)-150 4699 y(li)n(v)o(ers.)d
+(Whene)n(v)o(er)19 b(this)i(clock)f(adv)n(ances)g(to)h(a)g(time)g
+(later)f(than)h(the)-150 4799 y(\002rst)e(element)e(on)g(the)h(timer)g
+(queue,)e(Bro)i(be)o(gins)f(remo)o(ving)e(timers)-150
+4898 y(from)27 b(the)h(queue)f(and)g(processing)g(their)g(e)o
+(xpiration,)h(continuing)-150 4998 y(until)22 b(the)h(queue)e(is)i
+(empty)f(or)g(its)i(\002rst)f(element)f(has)g(a)h(timestamp)p
+-150 5086 801 4 v -65 5140 a Fk(3)-30 5163 y Fp(Some)c(systems,)g(such)
+g(as)g(DIDS)g(and)h(CSM,)e(orchestrate)23 b(multiple)e(monitors)-150
+5242 y(w)o(atching)g(multiple)f(netw)o(ork)h(links,)e(in)g(order)g(to)g
+(track)h(users)e(as)h(the)o(y)g(mo)o(v)o(e)g(from)-150
+5321 y(machine)d(to)e(machine)i([MHL94,)d(WFP96].)19
+b(These)c(dif)n(fer)g(from)f(what)g(we)h(en)m(vision)-150
+5400 y(for)i(Bro)g(in)h(that)g(the)o(y)g(require)g(each)h(host)e(in)g
+(the)h(netw)o(ork)h(to)e(run)g(a)g(monitor)l(.)2049 -104
+y Fs(later)29 b(than)f(the)h(current)f(time.)51 b(This)29
+b(approach)d(is)k(\003a)o(wed,)g(ho)n(w-)2049 -5 y(e)n(v)o(er)m(,)i
+(because)e(in)g(some)h(situations\227such)e(as)j(port)e(scans\227the)
+2049 95 y(e)n(v)o(ent)23 b(engine)g(may)g(\002nd)h(it)g(needs)g(to)g(e)
+o(xpire)e(hundreds)g(of)h(timers)2049 194 y(that)29 b(ha)n(v)o(e)e
+(suddenly)g(become)g(due,)j(because)e(the)g(clock)g(has)h(ad-)2049
+294 y(v)n(anced)d(by)h(a)h(lar)o(ge)e(amount)g(due)h(to)g(a)h(lull)g
+(in)f(incoming)f(traf)n(\002c.)2049 394 y(W)-7 b(e)23
+b(a)n(v)n(oid)f(incurring)f(a)h(lar)o(ge)g(processing)f(spik)o(e)h(in)g
+(this)h(situation)2049 493 y(by)e(placing)f(an)h(upper)f(limit)i
+Fj(k)j Fs(on)c(the)g(number)f(of)h(timers)g(e)o(xpired)2049
+593 y(for)16 b(an)o(y)g(single)g(adv)n(ance)f(of)i(the)f(clock.)24
+b(Doing)15 b(so)i(trades)g(of)n(f)f(timer)2049 693 y(e)o(xactness)j
+(for)h(spreading)e(out)h(load.)25 b(Since)20 b(we)g(do)f(not)h(percei)n
+(v)o(e)e(a)2049 792 y(requirement)e(for)i(precise)h(timers,)g(this)g
+(is)h(an)e(acceptable)g(compro-)2049 892 y(mise.)2132
+996 y Fl(Implementing)28 b(r)o(egular)f(expr)o(essions.)47
+b Fs(Bro)28 b(uses)g(a)g(custom)2049 1095 y(re)o(gular)n(-e)o
+(xpression)e(matching)i(library)-5 b(,)30 b(rather)e(than)h(reusing)g
+(an)2049 1195 y(e)o(xisting)d(one,)i(for)f(tw)o(o)g(reasons.)46
+b(First,)29 b(we)e(were)g(unable)f(to)i(lo-)2049 1294
+y(cate)33 b(a)h(high)e(performance)f(re)o(gular)g(e)o(xpression)h
+(library)g(with)h(a)2049 1394 y(redistrib)n(ution)25
+b(license)h(we)h(found)e(acceptable.)43 b(In)26 b(addition,)h(in-)2049
+1494 y(trusion)20 b(detection)f(pattern-matching)e(dif)n(fers)j(from)f
+(more)h(typical)2049 1593 y(te)o(xt)g(matching)f(in)h(tw)o(o)h(w)o
+(ays.)2132 1697 y(First,)26 b(we)g(w)o(ant)e(the)h(ability)g(to)g
+(match)f(te)o(xt)g(piecemeal,)h(so)g(we)2049 1797 y(can)19
+b(feed)f(the)h(matcher)e(ne)n(w)i(chunks)e(of)i(te)o(xt)g(as)g(the)o(y)
+f(arri)n(v)o(e,)g(with-)2049 1896 y(out)23 b(ha)n(ving)g(to)h
+(construct)f(a)h(cop)o(y)f(of)g(the)h(entire)f(string)g(to)h(match.)
+2049 1996 y(Second,)31 b(we)e(anticipate)g(matching)f(sets)j(of)e
+(patterns)g(and)g(w)o(ant-)2049 2096 y(ing)g(to)h(kno)n(w)f(which)g
+(subset)h(were)f(matched)g(by)g(a)h(gi)n(v)o(en)e(set)j(of)2049
+2195 y(te)o(xt,)26 b(and)f(for)g(performance)e(reasons)i(we)h(w)o(ant)g
+(to)f(do)h(the)f(match)2049 2295 y(with)20 b(a)f(single)h(\002nite)f
+(automaton)f(rather)g(than)h(trying)f(each)h(pattern)2049
+2395 y(sequentially)-5 b(.)2132 2498 y(Since)22 b(we)h(had)f(e)o
+(xperience)e(writing)h(a)i(high)e(performance)f(re)o(g-)2049
+2598 y(ular)28 b(e)o(xpression)e(compiler)h([P)o(a96)n(],)j(and)e(one)f
+(that)h(already)f(sup-)2049 2698 y(ported)22 b(the)i(second)e(of)h(the)
+h(abo)o(v)o(e)d(requirements,)h(we)i(decided)e(to)2049
+2797 y(tak)o(e)f(that)g(compiler)f(and)g(reimplement)f(it)j(in)f(C++)g
+(to)g(\002t)h(into)f(Bro.)2049 2897 y(Doing)k(so)h(w)o(as)g(actually)f
+(considerably)e(easier)j(than)f(anticipated,)2049 2996
+y(and)30 b(the)g(only)g(remaining)f(piece)h(for)g(supporting)e(the)i
+(abo)o(v)o(e)f(re-)2049 3096 y(quirements)19 b(no)n(w)g(is)i(the)f
+(corresponding)d(Bro)j(interpreter)f(modi\002-)2049 3196
+y(cations.)2132 3300 y(One)24 b(\002nal)h(f)o(acet)f(of)g(implementing)
+e(re)o(gular)h(e)o(xpressions)f(con-)2049 3399 y(cerns)36
+b(caching:)55 b(we)36 b(emplo)o(y)f(a)h(lar)o(ge)f(number)f(of)h
+(patterns)g(in)2049 3499 y(our)29 b(analysis)g(\(particularly)f(for)h
+(scanning)f(interacti)n(v)o(e)g(sessions,)2049 3598 y(as)33
+b(discussed)f(in)g Fi(x)h Fs(6.5\).)60 b(These)32 b(can)g(tak)o(e)g(a)h
+(lar)o(ge)e(amount)g(of)2049 3698 y(CPU)24 b(time)e(\(minutes\))g(to)h
+(compile,)f(which)g(is)h(problematic)e(when)2049 3798
+y(we)j(w)o(ant)f(to)h(start)g(up)f(the)g(monitor)f(quickly)-5
+b(.)33 b(Consequently)-5 b(,)21 b(Bro)2049 3897 y(maintains)36
+b(a)g(cache)g(of)g(pre)n(viously-compiled)c(re)o(gular)j(e)o(xpres-)
+2049 3997 y(sions,)d(and)d(if)h(called)f(upon)f(to)i(compile)f(one)g
+(that)g(is)i(already)d(in)2049 4097 y(the)j(cache,)j(simply)d(loads)g
+(the)g(compiled)f(v)o(ersion,)i(taking)f(v)o(ery)2049
+4196 y(little)21 b(time.)2132 4300 y Fl(Inter)o(pr)o(eting)g(vs.)31
+b(compiling)o(.)g Fs(Presently)-5 b(,)21 b(Bro)h(interprets)g(the)2049
+4400 y(polic)o(y)j(script:)38 b(that)27 b(is,)i(it)e(parses)g(the)f
+(script)h(into)f(a)h(tree)g(of)f(C++)2049 4499 y(objects)i(that)h
+(re\003ect)f(an)g(abstract)g(syntax)g(tree)g(\(AST\),)g(and)g(then)2049
+4599 y(e)o(x)o(ecutes)i(portions)g(of)h(the)g(tree)g(as)h(needed)e(by)h
+(in)m(v)n(oking)e(a)j(vir)n(-)2049 4698 y(tual)27 b(e)n(v)n(aluation)f
+(method)f(at)j(the)f(root)f(of)h(a)h(gi)n(v)o(en)d(subtree.)45
+b(This)2049 4798 y(method)17 b(in)h(turn)g(recursi)n(v)o(ely)e(in)m(v)n
+(ok)o(es)i(e)n(v)n(aluation)e(methods)i(on)g(its)2049
+4898 y(children.)2132 5001 y(Such)32 b(a)g(design)g(has)g(the)g
+(virtues)g(of)g(simplicity)g(and)f(ease)i(of)2049 5101
+y(deb)n(ugging,)24 b(b)n(ut)h(comes)g(at)h(the)f(cost)h(of)f
+(considerable)e(o)o(v)o(erhead.)2049 5201 y(From)h(its)h(inception,)f
+(we)h(intended)e Fm(Bro)h Fs(to)h(readily)e(admit)h(com-)2049
+5300 y(pilation)29 b(to)h(a)f(lo)n(w-le)n(v)o(el)g(virtual)g(machine.)
+51 b(Ex)o(ecution)28 b(pro\002les)2049 5400 y(of)h(the)f(current)g
+(implementation)f(indicate)h(that)h(the)g(interpreti)n(v)o(e)1929
+5649 y(9)p eop
+%%Page: 10 10
+10 9 bop -150 -104 a Fs(o)o(v)o(erhead)17 b(is)j(indeed)e
+(signi\002cant,)h(so)h(we)g(anticipate)f(de)n(v)o(eloping)d(a)-150
+-5 y(compiler)23 b(and)h(optimizer)-5 b(.)36 b(\(The)23
+b(current)g(interpreter)g(does)h(some)-150 95 y(simple)40
+b(constant)f(folding)g(and)g(peephole)g(optimization)f(when)-150
+194 y(b)n(uilding)19 b(the)h(AST)-6 b(,)20 b(b)n(ut)g(no)g(more.\))-67
+298 y(Using)25 b(an)f(interpreter)f(also)i(inadv)o(ertently)d
+(introduced)g(an)j(im-)-150 398 y(plementation)k(problem.)55
+b(By)31 b(structuring)e(the)i(interpreter)e(such)-150
+497 y(that)23 b(it)h(recursi)n(v)o(ely)d(in)m(v)n(ok)o(es)h(virtual)g
+(e)n(v)n(aluation)f(methods)h(on)h(the)-150 597 y(AST)-6
+b(,)23 b(we)h(wind)e(up)h(intricately)f(tying)h(the)g
+Fm(Bro)g Fs(e)n(v)n(aluation)e(stack)-150 697 y(with)i(the)h(C++)f
+(run-time)f(stack.)34 b(Consequently)-5 b(,)22 b(we)h(cannot)f(eas-)
+-150 796 y(ily)f(b)n(undle)e(up)h(a)h Fm(Bro)f Fs(function')-5
+b(s)19 b(e)o(x)o(ecution)f(state)j(into)f(a)h(closure)-150
+896 y(to)i(e)o(x)o(ecute)f(at)i(some)f(later)g(point)f(in)i(time.)34
+b(Y)-8 b(et)23 b(we)h(w)o(ould)e(lik)o(e)h(to)-150 996
+y(ha)n(v)o(e)g(this)g(functionality)-5 b(,)21 b(so)j
+Fm(Bro)f Fs(scripts)g(ha)n(v)o(e)g(timers)g(a)n(v)n(ailable)-150
+1095 y(to)e(them;)f(the)h(semantics)f(of)h(these)f(timers)h(are)g(to)f
+(e)o(x)o(ecute)g(a)h(block)-150 1195 y(of)k(statements)h(when)f(a)i
+(timer)e(e)o(xpires,)h(including)e(access)j(to)f(the)-150
+1294 y(local)j(v)n(ariables)g(of)g(the)h(function)e(or)h(e)n(v)o(ent)f
+(handler)g(scheduling)-150 1394 y(the)23 b(timer)-5 b(.)35
+b(Therefore,)22 b(adding)g(timers)h(to)h Fm(Bro)f Fs(will)h(require)e
+(at)i(a)-150 1494 y(minimum)g(implementing)g(an)i(e)o(x)o(ecution)d
+(stack)j(for)f Fm(Bro)h Fs(scripts)-150 1593 y(separate)20
+b(from)f(that)h(of)g(the)g(interpreter)-5 b(.)-67 1697
+y Fl(Checkpointing)o(.)30 b Fs(W)-7 b(e)23 b(run)e(Bro)h(continuously)e
+(to)i(monitor)e(our)-150 1797 y(DMZ)d(netw)o(ork.)22
+b(Ho)n(we)n(v)o(er)m(,)16 b(we)h(need)f(to)h(periodically)e(checkpoint)
+-150 1896 y(its)24 b(operation,)e(both)h(to)g(reclaim)g(memory)f(tied)h
+(up)g(in)g(remember)n(-)-150 1996 y(ing)16 b(state)h(for)f
+(long-dormant)d(connections)h(\(because)h(we)i(don')o(t)e(yet)-150
+2096 y(ha)n(v)o(e)j(timers)i(in)f(the)g(scripting)f(language;)g(see)h
+(abo)o(v)o(e\),)e(and)i(to)g(col-)-150 2195 y(lect)i(a)f(snapshot)f
+(for)h(archi)n(ving)e(and)h(of)n(f-line)g(analysis)h(\(discussed)-150
+2295 y(belo)n(w\).)-67 2399 y(Checkpointing)15 b(is)j(currently)e(a)i
+(three-stage)e(process.)24 b(First,)18 b(we)-150 2498
+y(run)27 b(a)g(ne)n(w)h(instance)f(of)g(Bro)g(that)h(parses)f(the)g
+(polic)o(y)g(script)g(and)-150 2598 y(resolv)o(es)d(all)h(of)f(the)g
+(DNS)h(names)f(in)h(it.)38 b(Because)24 b(we)h(ha)n(v)o(e)f(non-)-150
+2698 y(blocking)e(DNS)j(routines,)f(Bro)h(can)f(perform)e(a)j(lar)o(ge)
+e(number)g(of)-150 2797 y(lookups)30 b(in)h(parallel,)i(as)f(well)f(as)
+h(timing)f(out)f(lookup)g(attempts)-150 2897 y(whene)n(v)o(er)c(it)i
+(chooses.)47 b(F)o(or)27 b(each)h(lookup,)f(it)i(compares)d(the)i(re-)
+-150 2996 y(sults)e(with)e(an)o(y)g(it)i(may)e(ha)n(v)o(e)g(pre)n
+(viously)f(cached)g(and)i(generates)-150 3096 y(corresponding)19
+b(e)n(v)o(ents)k(\(mapping)d(v)n(alid,)j(mapping)e(un)m(v)o(eri\002ed)f
+(if)-150 3196 y(it)25 b(had)e(to)i(time)f(out)g(the)g(lookup,)f(or)h
+(mapping)e(changed\).)35 b(It)24 b(then)-150 3295 y(updates)19
+b(the)i(DNS)f(cache)g(\002le)h(and)f(e)o(xits.)-67 3399
+y(In)25 b(the)h(second)e(stage,)j(we)f(run)e(another)g(instance)h(of)g
+(Bro,)i(this)-150 3499 y(time)j(specifying)e(that)i(it)g(should)e(only)
+h(consult)g(the)h(DNS)g(cache)-150 3598 y(and)15 b(not)g(perform)f
+(lookups.)21 b(Because)16 b(it)g(w)o(orks)f(directly)g(out)g(of)h(the)
+-150 3698 y(cache,)27 b(it)g(starts)g(v)o(ery)e(quickly)-5
+b(.)42 b(After)26 b(w)o(aiting)g(a)h(short)f(interv)n(al,)-150
+3798 y(we)k(then)e(send)h(a)h(signal)f(to)g(the)g(long-running)c(Bro)30
+b(telling)f(it)g(to)-150 3897 y(terminate.)24 b(When)c(it)h(e)o(xits,)f
+(the)g(checkpointing)d(is)22 b(complete.)-67 4001 y(W)-7
+b(e)31 b(\002nd)f(the)g(checkpointing)d(de\002cient)j(in)g(tw)o(o)h(w)o
+(ays.)55 b(First,)-150 4101 y(it)26 b(w)o(ould)f(be)h(simpler)f(to)h
+(coordinate)e(a)i(checkpoint)d(if)j(a)g(ne)n(w)g(in-)-150
+4200 y(stance)33 b(of)g(Bro)g(could)f(directly)g(signal)h(an)g(old)g
+(instance)g(to)g(an-)-150 4300 y(nounce)20 b(that)h(it)i(is)f(ready)f
+(to)g(tak)o(e)h(o)o(v)o(er)e(monitoring.)27 b(Second,)20
+b(and)-150 4400 y(more)25 b(important,)g(currently)f(no)h(state)i
+(survi)n(v)o(es)d(the)i(checkpoint-)-150 4499 y(ing.)43
+b(In)26 b(particular)m(,)h(if)f(the)h(older)e(Bro)i(has)f(identi\002ed)
+g(some)g(sus-)-150 4599 y(pect)f(acti)n(vity)g(and)g(is)i(w)o(atching)e
+(it)h(particularly)e(closely)h(\(say)-5 b(,)26 b(by)-150
+4698 y(recording)16 b(all)i(of)g(its)h(pack)o(ets\),)f(this)h
+(information)c(is)k(lost)g(when)f(the)-150 4798 y(ne)n(w)i(Bro)g(tak)o
+(es)h(o)o(v)o(er)-5 b(.)24 b(Clearly)-5 b(,)19 b(we)i(need)e(to)i
+(\002x)f(this.)-67 4902 y Fl(Off-line)30 b(analysis.)56
+b Fs(As)31 b(mentioned)e(abo)o(v)o(e,)i(one)f(reason)g(for)-150
+5001 y(checkpointing)j(the)i(system)h(is)h(to)f(f)o(acilitate)g(of)n
+(f-line)e(analysis.)-150 5101 y(The)24 b(\002rst)i(step)f(of)f(this)h
+(analysis)g(is)g(to)g(cop)o(y)f(the)g Fm(libpcap)g Fs(sa)n(v)o(e)-150
+5201 y(\002le)k(and)g(an)o(y)e(\002les)j(generated)d(by)h(the)h(polic)o
+(y)f(script)h(to)f(an)h(anal-)-150 5300 y(ysis)h(machine.)46
+b(Our)28 b(polic)o(y)f(script)h(generates)f(six)h(such)g(\002les:)41
+b(a)-150 5400 y(summary)24 b(of)h(all)h(connection)d(acti)n(vity)-5
+b(,)25 b(including)f(starting)h(time,)2049 -104 y(duration,)c(size)i
+(in)f(each)g(direction,)f(protocol,)g(IP)h(addresses,)g(con-)2049
+-5 y(nection)i(state,)j(and)e(an)o(y)f(additional)g(information)f
+(\(such)i(as)h(user)n(-)2049 95 y(name,)21 b(when)g(identi\002ed\);)h
+(a)g(summary)e(of)h(the)h(netw)o(ork)e(interf)o(ace)2049
+194 y(and)30 b(pack)o(et)g(\002lter)i(statistics;)37
+b(a)31 b(list)h(of)f(all)g(generated)e(log)i(mes-)2049
+294 y(sages;)f(summaries)c(of)g(Finger)f(and)h(FTP)h(commands;)h(and)e
+(a)g(list)2049 394 y(of)20 b(all)h(unusual)e(netw)o(orking)f(e)n(v)o
+(ents.)2132 498 y(Re)o(garding)k(this)j(last,)h(the)e(e)n(v)o(ent)g
+(engine)f(identi\002es)i(more)e(than)2049 598 y(70)17
+b(dif)n(ferent)f(types)h(of)g(unusual)f(beha)n(vior)m(,)f(such)j(as)g
+(incorrect)d(con-)2049 697 y(nection)h(initiations)h(and)f
+(terminations,)g(checksum)g(errors,)g(pack)o(et)2049
+797 y(length)h(mismatches,)h(and)f(protocol)f(violations.)24
+b(F)o(or)17 b(each,)h(it)g(gen-)2049 896 y(erates)g(a)h
+Fm(conn)p 2522 896 25 4 v 29 w(weird)f Fs(or)g Fm(net)p
+3057 896 V 29 w(weird)g Fs(e)n(v)o(ent,)f(identifying)g(the)2049
+996 y(beha)n(vior)25 b(with)j(a)f(prede\002ned)e(string.)46
+b(Our)26 b(polic)o(y)g(script)i(uses)f(a)2049 1096 y
+Fm(table[string])47 b(of)j(count)19 b Fs(to)h(map)f(these)h(strings)f
+(to)h(one)2049 1195 y(of)j(\223ignore,)-6 b(\224)22 b(\223\002le,)-6
+b(\224)24 b(\223log)e(al)o(w)o(ays,)-6 b(\224)24 b(\223log)f(once)f
+(per)h(connection,)-6 b(\224)2049 1295 y(and)26 b(\223log)f(once)h(per)
+g(originating)e(source)h(address,)-6 b(\224)27 b(meaning)e(ig-)2049
+1395 y(nore)e(the)i(beha)n(vior)e(entirely)-5 b(,)23
+b(record)g(it)i(to)g(the)f(anomaly)f(\002le,)j(log)2049
+1494 y(it)f(\(real-time)f(noti\002cation\))f(and)h(record)f(it)j(to)f
+(the)f(\002le,)i(and)f(log)f(it)2049 1594 y(b)n(ut)i(only)g(the)g
+(\002rst)h(time)f(it)h(occurs)f(for)f(the)i(gi)n(v)o(en)e(connection)f
+(or)2049 1693 y(the)16 b(gi)n(v)o(en)e(source)i(address.)23
+b(Some)15 b(anomalies)g(pro)o(v)o(e)f(surprisingly)2049
+1793 y(common,)j(and)i(on)g(a)g(typical)g(day)g(the)g(anomaly)e(\002le)
+j(contains)f(se)n(v-)2049 1893 y(eral)k(thousand)e(entries,)j(e)n(v)o
+(en)e(though)f(our)i(script)g(suppresses)f(du-)2049 1992
+y(plicate)h(messages.)32 b(\(See)23 b Fi(x)g Fs(7.3)f(belo)n(w)g(for)g
+(further)f(discussion)h(of)2049 2092 y(anomalies.\))2132
+2196 y(All)i(of)e(the)h(copied)f(\002les)h(thus)g(form)f(an)h(archi)n
+(v)n(al)f(record)f(of)i(the)2049 2296 y(day')-5 b(s)17
+b(traf)n(\002c.)23 b(W)-7 b(e)18 b(k)o(eep)e(these)h(\002les)h
+(inde\002nitely)-5 b(.)22 b(The)o(y)16 b(can)g(pro)o(v)o(e)2049
+2395 y(in)m(v)n(aluable)28 b(when)i(we)h(disco)o(v)o(er)e(a)h(break-in)
+f(that)h(\002rst)i(occurred)2049 2495 y(weeks)19 b(or)f(months)g(in)h
+(the)g(past.)25 b(In)18 b(addition,)g(once)g(we)h(ha)n(v)o(e)f(iden-)
+2049 2595 y(ti\002ed)25 b(an)f(attacking)g(site,)i(we)f(can)f(run)g(it)
+h(through)e(the)h(archi)n(v)o(e)f(to)2049 2694 y(\002nd)c(an)o(y)f
+(other)h(hosts)g(it)h(may)f(ha)n(v)o(e)g(attack)o(ed)f(that)i(the)f
+(monitoring)2049 2794 y(f)o(ailed)j(to)g(detect)g(\(for)f(e)o(xample,)g
+(the)h(attack)o(er)f(has)i(obtained)d(a)i(list)2049 2894
+y(of)e(passw)o(ords)g(using)f(a)i(passw)o(ord-snif)n(fer\).)2132
+2998 y(Finally)-5 b(,)28 b(the)f(of)n(f-line)f(analysis)h(generates)f
+(a)i(traf)n(\002c)f(summary)2049 3097 y(highlighting)14
+b(the)i(b)n(usiest)h(hosts)f(and)g(gi)n(ving)e(the)j(v)n(olume)e
+(\(number)2049 3197 y(of)23 b(connections)e(and)i(bytes)g
+(transferred\))e(due)i(to)h(dif)n(ferent)d(appli-)2049
+3297 y(cations.)27 b(As)22 b(of)f(this)g(writing,)g(on)f(a)i(typical)e
+(day)h(our)f(site)i(engages)2049 3396 y(in)k(about)e(1,200,000)f
+(connections)g(transferring)h(40)h(GB)i(of)e(data.)2049
+3496 y(The)e(great)g(majority)g(\(75\22680\045\))e(of)i(the)h
+(connections)e(are)h(HTTP;)2049 3596 y(the)28 b(highest)f(byte)g(v)n
+(olume)f(comes)h(from)g(HTTP)-9 b(,)27 b(FTP)h(data,)h(and)2049
+3695 y(sometimes)20 b(the)g(NFS)h(netw)o(ork)e(\002le)i(system.)2049
+4001 y Ft(5)119 b(Attacks)30 b(on)g(the)g(monitor)2049
+4195 y Fs(In)21 b(this)i(section)e(we)h(discuss)g(the)g(dif)n(\002cult)
+f(problem)f(of)h(defending)2049 4295 y(the)h(monitor)f(against)h
+(attacks)h(upon)e(itself.)32 b(W)-7 b(e)24 b(defer)d(discussion)2049
+4394 y(of)26 b(Bro')-5 b(s)27 b(application-speci\002c)d(processing)h
+(until)h(after)g(this)h(sec-)2049 4494 y(tion,)c(because)g(elements)g
+(of)g(that)g(processing)f(re\003ect)h(attempts)g(to)2049
+4594 y(defeat)d(the)g(types)g(of)g(attacks)g(we)h(describe)e(here.)2132
+4698 y(As)28 b(discussed)f(in)g Fi(x)g Fs(1,)i(we)e(assume)g(that)h
+(such)e(attack)o(ers)h(ha)n(v)o(e)2049 4798 y(full)c(access)g(to)h(the)
+f(monitor')-5 b(s)21 b(algorithms)h(and)h(source)f(code;)i(b)n(ut)2049
+4897 y(also)e(that)f(the)o(y)g(ha)n(v)o(e)g(control)f(o)o(v)o(er)g
+(only)h(one)g(of)g(the)h(tw)o(o)f(connec-)2049 4997 y(tion)g
+(endpoints.)26 b(In)21 b(addition,)f(we)i(assume)f(that)g(the)h(crack)o
+(er)e(does)2049 5096 y Fr(not)f Fs(ha)n(v)o(e)e(access)h(to)g(the)g
+Fm(Bro)f Fs(polic)o(y)g(script,)h(which)f(each)g(site)i(will)2049
+5196 y(ha)n(v)o(e)h(customized,)e(and)i(should)f(k)o(eep)h(well)g
+(protected.)2132 5300 y(While)c(pre)n(vious)f(w)o(ork)g(has)h
+(addressed)f(the)h(general)f(problem)f(of)2049 5400 y(testing)29
+b(intrusion)g(detection)f(systems)i([PZCMO96)o(],)h(this)f(w)o(ork)1908
+5649 y(10)p eop
+%%Page: 11 11
+11 10 bop -150 -104 a Fs(has)19 b(focused)e(on)h(correctness)f(of)h
+(the)g(system)h(in)f(terms)h(of)f(whether)-150 -5 y(it)23
+b(does)f(indeed)f(recognize)f(the)j(attacks)f(claimed.)30
+b(T)-7 b(o)22 b(our)g(kno)n(wl-)-150 95 y(edge,)i(the)h(\002rst)g
+(discussion)f(in)g(the)g(literature)g(speci\002cally)g(aimed)-150
+194 y(at)16 b(the)f(problem)e(of)i(attack)o(ers)g(sub)o(v)o(erting)e(a)
+j(netw)o(ork)e(intrusion)g(de-)-150 294 y(tection)24
+b(system)h(w)o(as)h(the)f(concurrent)d(publication)h(of)i(the)g
+(earlier)-150 394 y(v)o(ersion)16 b(of)h(this)h(paper)e([P)o(a98)o(])i
+(and)e(that)i(of)f(Ptacek)g(and)g(Ne)n(wsham)-150 493
+y([PN98)o(].)-67 595 y(The)34 b(second)f(of)h(these)g(is)h(the)f(more)g
+(thorough,)g(being)f(com-)-150 695 y(pletely)17 b(de)n(v)n(oted)f(to)h
+(the)g(topic.)24 b(The)17 b(authors)f(consider)g(three)h(types)-150
+794 y(of)i(attacks,)g(\223insertion,)-6 b(\224)18 b(in)h(which)g(the)g
+(attack)o(er)f(attempts)h(to)g(mis-)-150 894 y(lead)32
+b(the)h(monitor)e(into)h(accepting)f(traf)n(\002c)i(that)f(the)h
+(destination)-150 994 y(end-system)24 b(rejects;)j(\223e)n(v)n(asion,)
+-6 b(\224)25 b(in)g(which)f(the)h(monitor)e(f)o(ails)i(to)-150
+1093 y(accept)31 b(traf)n(\002c)g(that)h(the)f(end-system)f(does)h(in)h
+(f)o(act)f(accept;)37 b(and)-150 1193 y(denial-of-service,)28
+b(in)i(which)f(the)g(attack)o(er)g(attempts)g(to)h(e)o(xploit)-150
+1293 y(a)21 b(monitor')-5 b(s)20 b(proacti)n(v)o(e)f(mechanisms)h
+(\(such)h(as)g(terminating)e(con-)-150 1392 y(nections)i(belonging)f
+(to)i(an)g(apparent)e(attack\))i(in)g(order)e(to)i(disrupt)-150
+1492 y(le)o(gitimate)e(uses)g(of)g(the)g(netw)o(ork.)-67
+1594 y(F)o(or)k(our)f(purposes,)h(ho)n(we)n(v)o(er)m(,)e(we)j(use)f(a)h
+(dif)n(ferent)d(attack)i(tax-)-150 1693 y(onomy)-5 b(,)34
+b(because)f(we)h(focus)e(on)h(designing)f(monitors)g(to)i(resist)-150
+1793 y(these)18 b(attacks.)25 b(W)-7 b(e)19 b(classify)g(netw)o(ork)e
+(monitor)g(attacks)h(into)g(three)-150 1893 y(cate)o(gories:)31
+b Fr(o)o(verload)p Fs(,)23 b Fr(cr)o(ash)p Fs(,)h(and)f
+Fr(subterfug)o(e)p Fs(.)35 b(The)23 b(remainder)-150
+1992 y(of)17 b(this)g(section)g(de\002nes)g(each)f(cate)o(gory)f(and)i
+(brie\003y)f(discusses)i(the)-150 2092 y(de)o(gree)h(to)h(which)g(Bro)g
+(meets)g(that)h(class)g(of)f(threat.)-150 2342 y Fh(5.1)99
+b(Ov)o(erload)25 b(attacks)-150 2502 y Fs(W)-7 b(e)24
+b(term)e(an)g(attack)h(as)g(an)f Fr(o)o(verload)i Fs(if)f(the)f(goal)g
+(of)h(the)f(attack)h(is)-150 2601 y(to)f(o)o(v)o(erb)n(urden)d(the)j
+(monitor)f(to)h(the)g(point)g(where)f(it)i(f)o(ails)g(to)f(k)o(eep)-150
+2701 y(up)h(with)g(the)g(data)g(stream)g(it)g(must)h(process.)32
+b(The)23 b(attack)g(has)g(tw)o(o)-150 2801 y(phases,)k(the)g(\002rst)f
+(in)h(which)e(the)i(attack)o(er)e(dri)n(v)o(es)h(the)g(monitor)e(to)
+-150 2900 y(the)i(point)f(of)h(o)o(v)o(erload,)f(and)h(the)g(second)f
+(in)h(which)g(the)g(attack)o(er)-150 3000 y(attempts)c(a)h(netw)o(ork)e
+(intrusion.)30 b(The)22 b(monitor)f(w)o(ould)h(ordinarily)-150
+3100 y(detect)i(this)g(second)f(phase,)h(b)n(ut)f(f)o(ails)i(to)f(do)f
+(so\227or)g(at)h(least)h(f)o(ails)-150 3199 y(to)20 b(do)f(so)h(with)g
+(some)g(non-ne)o(gligible)c(probability\227because)g(it)21
+b(is)-150 3299 y(no)27 b(longer)e(tracking)h(all)h(of)g(the)g(data)g
+(necessary)f(to)h(detect)g(e)n(v)o(ery)-150 3398 y(current)19
+b(threat.)-67 3500 y(It)40 b(is)g(this)g(last)h(consideration,)h(that)e
+(the)f(attack)g(might)g(still)-150 3600 y(be)30 b(detected)e(because)h
+(the)h(monitor)e(w)o(as)j(not)e(suf)n(\002ciently)g(o)o(v)o(er)n(-)-150
+3700 y(whelmed,)18 b(that)g(complicates)g(the)g(use)h(of)f(o)o(v)o
+(erload)e(attacks;)j(so,)g(in)-150 3799 y(turn,)d(this)i(pro)o(vides)d
+(a)i(defensi)n(v)o(e)e(strate)o(gy)-5 b(,)16 b(namely)f(to)i(lea)n(v)o
+(e)g(some)-150 3899 y(doubt)i(as)i(to)f(the)g(e)o(xact)g(po)n(wer)f
+(and)h(typical)g(load)f(of)h(the)g(monitor)-5 b(.)-67
+4001 y(Another)19 b(defensi)n(v)o(e)g(strate)o(gy)g(is)j(for)d(the)i
+(monitor)e(to)h Fr(shed)g(load)-150 4100 y Fs(when)26
+b(it)h(becomes)f(unduly)f(stressed)i(\(see)f([CT94)o(])h(for)f(a)h
+(discus-)-150 4200 y(sion)f(of)g(shedding)f(load)h(in)g(a)h(dif)n
+(ferent)e(conte)o(xt\).)41 b(F)o(or)26 b(e)o(xample,)-150
+4300 y(the)21 b(monitor)f(might)h(decide)f(to)i(cease)f(to)h(capture)e
+(HTTP)h(pack)o(ets,)-150 4399 y(as)26 b(these)g(form)e(a)i(high)e
+(proportion)f(of)i(the)g(traf)n(\002c.)40 b(Of)26 b(course,)f(if)-150
+4499 y(the)31 b(attack)o(er)f(kno)n(ws)h(the)g(form)f(of)g
+(load-shedding)e(used)j(by)g(the)-150 4598 y(monitor)m(,)24
+b(then)h(the)o(y)f(can)h(e)o(xploit)f(its)i(consequent)d(blindness)h
+(and)-150 4698 y(launch)19 b(a)i(no)n(w-undetected)c(attack.)-67
+4800 y(F)o(or)29 b(Bro)g(in)h(particular)m(,)f(to)h(de)n(v)o(elop)d(an)
+i(o)o(v)o(erload)e(attack)i(one)-150 4900 y(might)16
+b(be)o(gin)g(by)g(inspecting)g(Figure)g(1)h(to)g(see)h(ho)n(w)e(to)h
+(increase)g(the)-150 4999 y(data)22 b(\003o)n(w)-5 b(.)32
+b(One)23 b(step)g(is)g(to)g(send)f(pack)o(ets)h(that)f(match)h(the)f
+(pack)o(et)-150 5099 y(\002lter;)35 b(another)m(,)30
+b(pack)o(et)f(streams)h(that)g(in)g(turn)f(generate)f(e)n(v)o(ents;)
+-150 5198 y(and)20 b(a)g(third,)g(e)n(v)o(ents)f(that)h(lead)h(to)f
+(logging)e(or)i(recording)e(to)i(disk.)-67 5300 y(The)55
+b(\002rst)h(of)f(these)g(is)h(particularly)e(easy)-5
+b(,)63 b(because)55 b(the)-150 5400 y Fm(libpcap)26 b
+Fs(\002lter)i(used)f(by)g(Bro)g(is)h(\002x)o(ed.)45 b(One)27
+b(defense)f(against)2049 -104 y(it)32 b(is)g(to)f(use)g(a)g(hardw)o
+(are)f(platform)f(with)i(suf)n(\002cient)g(processing)2049
+-5 y(po)n(wer)23 b(to)h(k)o(eep)g(up)f(with)h(a)h(high)e(v)n(olume)g
+(of)h(\002ltered)g(traf)n(\002c,)g(and)2049 95 y(it)c(w)o(as)h(this)f
+(consideration)e(that)i(lead)g(to)f(our)g(elaborating)f(the)i(goal)2049
+194 y(of)f(\223no)h(pack)o(et)f(\002lter)h(drops\224)e(in)i
+Fi(x)g Fs(1.)25 b(The)19 b(second)g(le)n(v)o(el)h(of)f(attack,)2049
+294 y(causing)h(the)i(engine)e(to)h(generate)f(a)h(lar)o(ge)g(v)n
+(olume)f(of)h(e)n(v)o(ents,)f(is)i(a)2049 394 y(bit)d(more)f(dif)n
+(\002cult)g(to)h(achie)n(v)o(e)f(because)g(Bro)h(e)n(v)o(ents)f(are)h
+(designed)2049 493 y(to)30 b(be)g(lightweight.)53 b(It)30
+b(is)h(only)e(the)h(e)n(v)o(ents)g(for)f(which)g(the)h(pol-)2049
+593 y(ic)o(y)24 b(speci\002es)g(quite)g(a)g(bit)h(of)f(w)o(ork)f(that)h
+(pro)o(vide)e(much)h(le)n(v)o(erage)2049 693 y(for)31
+b(an)h(attack)f(at)i(this)f(le)n(v)o(el,)i(and)d(we)i(do)e
+Fr(not)i Fs(assume)f(that)g(the)2049 792 y(attack)o(er)24
+b(has)i(access)f(to)g(the)g(polic)o(y)f(scripts.)39 b(This)25
+b(same)h(consid-)2049 892 y(eration)20 b(mak)o(es)i(an)f(attack)g(at)h
+(the)f(\002nal)h(le)n(v)o(el\227ele)n(v)n(ating)d(the)i(log-)2049
+991 y(ging)27 b(or)g(recording)e(rate\227dif)n(\002cult,)j(because)f
+(the)h(attack)o(er)f(does)2049 1091 y(not)20 b(necessarily)f(kno)n(w)h
+(which)f(e)n(v)o(ents)h(lead)g(to)g(logging.)2132 1193
+y(Finally)-5 b(,)55 b(to)49 b(help)f(defend)f(against)h(o)o(v)o(erload)
+e(attacks,)56 b(the)2049 1293 y(e)n(v)o(ent)18 b(engine)g(periodically)
+g(generates)g(a)i Fm(net)p 3448 1293 25 4 v 29 w(stats)p
+3727 1293 V 29 w(update)2049 1393 y Fs(e)n(v)o(ent.)59
+b(The)31 b(v)n(alue)g(of)g(this)i(e)n(v)o(ent)d(gi)n(v)o(es)i(the)f
+(number)f(of)i(pack-)2049 1492 y(ets)24 b(recei)n(v)o(ed,)f(the)g
+(number)f(dropped)f(by)i(the)h(pack)o(et)f(\002lter)g(due)g(to)2049
+1592 y(insuf)n(\002cient)h(b)n(uf)n(fer)m(,)g(and)g(the)h(number)e
+(reported)h(dropped)e(by)j(the)2049 1691 y(netw)o(ork)18
+b(interf)o(ace)g(because)g(the)h(k)o(ernel)f(f)o(ailed)g(to)h(consume)f
+(them)2049 1791 y(quickly)27 b(enough.)48 b(Thus,)30
+b Fm(Bro)f Fs(scripts)g(at)g(least)h(ha)n(v)o(e)e(some)g(ba-)2049
+1891 y(sic)g(information)d(a)n(v)n(ailable)i(to)h(them)f(to)h
+(determine)e(whether)h(the)2049 1990 y(monitor)19 b(is)i(becoming)d(o)o
+(v)o(erloaded.)2049 2243 y Fh(5.2)99 b(Crash)25 b(attacks)2049
+2403 y Fr(Cr)o(ash)30 b Fs(attacks)f(aim)g(to)h(knock)d(the)j(monitor)d
+(completely)h(out)h(of)2049 2503 y(action)17 b(by)h(causing)f(it)i(to)f
+(either)f(f)o(ault)h(or)g(run)f(out)h(of)g(resources.)23
+b(As)2049 2603 y(with)e(an)g(o)o(v)o(erload)d(attack,)j(the)g(crash)g
+(attack)f(has)i(tw)o(o)f(phases,)g(the)2049 2702 y(\002rst)27
+b(during)d(which)i(the)g(attack)o(er)f(crashes)h(the)h(monitor)m(,)e
+(and)h(the)2049 2802 y(second)19 b(during)g(which)g(the)o(y)h(then)g
+(proceed)e(with)j(an)f(intrusion.)2132 2904 y(Crash)25
+b(attacks)g(can)g(be)f(much)g(more)g(subtle)h(than)f(o)o(v)o(erload)e
+(at-)2049 3004 y(tacks,)32 b(though.)52 b(By)30 b(careful)f(source)g
+(code)g(analysis,)j(it)e(may)g(be)2049 3103 y(possible)g(to)g(\002nd)g
+(a)h(series)f(of)g(pack)o(ets,)i(or)e(e)n(v)o(en)f(just)i(one,)h(that,)
+2049 3203 y(when)18 b(recei)n(v)o(ed)f(by)h(the)h(monitor)m(,)e(causes)
+i(it)g(to)g(f)o(ault)g(due)f(to)g(a)h(cod-)2049 3303
+y(ing)h(error)-5 b(.)24 b(The)c(ef)n(fect)g(can)g(be)g(immediate)f(and)
+h(violent.)2132 3405 y(W)-7 b(e)29 b(can)e(perhaps)f(defend)g(against)g
+(this)i(form)f(of)g(crash)g(attack)2049 3504 y(by)22
+b(careful)g(coding)g(and)g(testing.)33 b(Another)21 b(type)i(of)f
+(crash)h(attack,)2049 3604 y(harder)15 b(to)j(defend)d(against,)i(is)g
+(one)g(that)g(causes)g(the)g(monitor)e(to)i(e)o(x-)2049
+3704 y(haust)f(its)h(a)n(v)n(ailable)e(resources:)23
+b(dynamic)14 b(memory)g(or)i(disk)g(space.)2049 3803
+y(Ev)o(en)28 b(if)i(the)f(monitor)f(has)h(no)g(memory)f(leaks,)j(it)f
+(still)h(needs)d(to)2049 3903 y(maintain)21 b(state)h(for)g(an)o(y)e
+(acti)n(v)o(e)i(traf)n(\002c.)29 b(Therefore,)20 b(one)h(attack)h(is)
+2049 4003 y(to)d(create)f(traf)n(\002c)h(that)g(consumes)f(a)h(lar)o
+(ge)f(amount)f(of)i(state.)25 b(When)2049 4102 y Fm(Bro)k
+Fs(supports)f(timers)h(for)g(polic)o(y)e(scripts,)32
+b(this)d(attack)g(will)h(be-)2049 4202 y(come)23 b(more)g(dif)n
+(\002cult,)h(because)f(it)h(will)h(be)e(harder)g(to)h(predict)f(the)
+2049 4301 y(necessary)k(le)n(v)o(el)g(of)h(bogus)f(traf)n(\002c.)47
+b(Attacks)28 b(on)f(disk)h(space)g(are)2049 4401 y(lik)o(e)n(wise)33
+b(dif)n(\002cult,)h(unless)f(one)f(kno)n(ws)f(the)h(a)n(v)n(ailable)g
+(disk)h(ca-)2049 4501 y(pacity)-5 b(.)39 b(In)25 b(addition,)g(the)g
+(monitor)f(might)g(continue)g(to)h(run)g(e)n(v)o(en)2049
+4600 y(with)j(no)g(disk)g(space)g(a)n(v)n(ailable,)h(sacri\002cing)f
+(an)g(archi)n(v)n(al)f(record)2049 4700 y(b)n(ut)20 b(still)h
+(producing)c(real-time)i(noti\002cations,)g(so)h(a)g(disk)g(space)f
+(at-)2049 4800 y(tack)h(might)g(f)o(ail)g(to)h(mask)f(a)g(follo)n(w-on)
+e(attack.)2132 4902 y(Bro)30 b(pro)o(vides)e(tw)o(o)i(features)f(to)g
+(aid)h(with)g(defending)d(against)2049 5001 y(crash)k(attacks.)57
+b(First,)34 b(the)d(e)n(v)o(ent)f(engine)f(maintains)i(a)g(\223w)o
+(atch-)2049 5101 y(dog\224)23 b(timer)i(that)f(e)o(xpires)g(e)n(v)o
+(ery)f Fj(T)36 b Fs(seconds.)i(\(This)24 b(timer)g(is)i(not)2049
+5201 y(a)c(Bro)g(internal)f(timer)m(,)h(b)n(ut)g(rather)f(a)h(Unix)g
+(\223alarm.)-6 b(\224\))29 b(Upon)21 b(e)o(xpi-)2049
+5300 y(ration,)d(the)g(w)o(atchdog)g(handler)f(checks)h(to)g(see)h
+(whether)f(the)g(e)n(v)o(ent)2049 5400 y(engine)28 b(has)i(f)o(ailed)f
+(to)g(\002nish)h(processing)e(the)h(pack)o(et)g(\(and)f(sub-)1908
+5649 y(11)p eop
+%%Page: 12 12
+12 11 bop -150 -104 a Fs(sequent)24 b(e)n(v)o(ents\))h(it)g(w)o(as)h(w)
+o(orking)e(on)h Fj(T)36 b Fs(seconds)25 b(before.)38
+b(If)25 b(so,)-150 -5 y(then)16 b(the)g(w)o(atchdog)f(presumes)g(that)h
+(the)h(engine)e(is)i(in)f(some)h(sort)f(of)-150 95 y(processing)24
+b(jam)h(\(perhaps)e(due)i(to)g(a)g(coding)f(error)m(,)g(perhaps)g(due)
+-150 194 y(to)i(e)o(xcessi)n(v)o(e)f(time)h(spent)g(managing)d(o)o(v)o
+(erb)n(urdened)f(resources\),)-150 294 y(and)d(terminates)f(the)h
+(monitor)f(process)h(\(\002rst)g(logging)f(this)i(f)o(act,)f(of)-150
+394 y(course,)g(and)h(generating)e(a)j(core)e(image)h(for)f(later)i
+(analysis\).)-67 496 y(This)d(feature)g(might)f(not)h(seem)h
+(particularly)d(useful,)i(e)o(xcept)f(for)-150 596 y(the)28
+b(f)o(act)h(that)g(it)g(is)g(coupled)e(with)i(a)g(second)e(feature:)41
+b(the)29 b(script)-150 695 y(that)d(runs)f(Bro)g(also)h(detects)g(if)f
+(it)i(e)n(v)o(er)d(unduly)g(e)o(xits,)j(and,)f(if)f(so,)-150
+795 y(logs)e(this)g(f)o(act)f(and)h(e)o(x)o(ecutes)e(a)i(cop)o(y)f(of)g
+Fm(tcpdump)g Fs(that)h(records)-150 894 y(the)d(same)g(traf)n(\002c)g
+(that)g(the)g(monitor)e(w)o(ould)i(ha)n(v)o(e)f(captured.)k(Thus,)-150
+994 y(crash)k(attacks)h(are)g(\(1\))f(logged,)h(and)f(\(2\))g(do)h(not)
+f(allo)n(w)h(a)g(subse-)-150 1094 y(quent)18 b(intrusion)g(attempt)h
+(to)g(go)f(unrecorded,)e(only)j(to)g(e)n(v)n(ade)f(real-)-150
+1193 y(time)26 b(detection.)42 b(Ho)n(we)n(v)o(er)m(,)25
+b(there)h(is)h(a)g(windo)n(w)e(of)h(opportunity)-150
+1293 y(between)i(the)g(time)h(when)f(the)h(Bro)g(monitor)e(crashes)h
+(and)g(when)-150 1393 y Fm(tcpdump)21 b Fs(runs.)29 b(If)22
+b(an)f(attack)o(er)h(can)f(predict)g(e)o(xactly)g(when)g(this)-150
+1492 y(windo)n(w)i(occurs,)h(then)f(the)o(y)g(can)h(still)h(e)n(v)n
+(ade)e(detection.)35 b(But)24 b(de-)-150 1592 y(termining)g(the)h
+(windo)n(w)g(is)h(dif)n(\002cult)f(without)g(kno)n(wledge)e(of)j(the)
+-150 1691 y(e)o(xact)h(con\002guration)f(of)h(the)h(monitoring)e
+(system.)48 b(One)28 b(w)o(ay)g(of)-150 1791 y(closing)21
+b(this)g(windo)n(w)f(is)j(to)e(emplo)o(y)f(a)h(second,)g(\223shado)n
+(w\224)f(moni-)-150 1891 y(toring)d(machine)g(that)h(simply)g(records)f
+(to)h(disk)g(the)g(same)g(traf)n(\002c)g(as)-150 1990
+y(the)i(Bro)g(monitor)f(inspects.)-150 2243 y Fh(5.3)99
+b(Subterfuge)27 b(attacks)-150 2403 y Fs(In)j(a)h Fr(subterfug)o(e)e
+Fs(attack,)k(an)d(attack)o(er)g(attempts)g(to)g(mislead)h(the)-150
+2503 y(monitor)26 b(as)i(to)g(the)f(meaning)f(of)h(the)g(traf)n(\002c)h
+(it)g(analyzes.)46 b(These)-150 2603 y(attacks)30 b(are)g(particularly)
+e(dif)n(\002cult)i(to)g(defend)f(against,)i(because)-150
+2702 y(\(1\))26 b(unlik)o(e)g(o)o(v)o(erload)e(and)i(crash)h(attacks,)h
+(if)f(successful)f(the)o(y)g(do)-150 2802 y(not)e(lea)n(v)o(e)g(an)o(y)
+f(traces)i(that)f(the)o(y)f(ha)n(v)o(e)h(occurred,)f(and)h(\(2\))f(the)
+h(at-)-150 2901 y(tacks)32 b(can)f(be)g(quite)g(subtle.)59
+b(Access)32 b(to)g(the)f(monitor')-5 b(s)30 b(source)-150
+3001 y(code)20 b(particularly)e(aids)i(with)h(de)n(vising)e(subterfuge)
+f(attacks.)-67 3103 y(W)-7 b(e)33 b(brie\003y)f(discussed)g(an)g(e)o
+(xample)e(of)i(a)h(subterfuge)d(attack)-150 3203 y(in)24
+b Fi(x)g Fs(3.1,)g(in)g(which)f(the)h(attack)o(er)g(sends)f(te)o(xt)h
+(with)g(an)g(embedded)-150 3303 y(NUL)d(in)g(the)f(hope)g(that)h(the)f
+(monitor)f(will)j(miss)f(the)g(te)o(xt)f(after)h(the)-150
+3402 y(NUL.)c(Another)g(form)f(of)h(subterfuge)f(attack)h(is)i(using)e
+(fragmented)-150 3502 y(IP)24 b(datagrams)e(in)h(an)h(attempt)f(to)g
+(elude)g(monitors)f(that)i(f)o(ail)f(to)h(re-)-150 3601
+y(assemble)d(IP)h(fragments)e(\(an)h(attack)g(well-kno)n(wn)e(to)j(the)
+f(\002re)n(w)o(all)-150 3701 y(community)-5 b(,)14 b(and)h(one)g(we)i
+(ha)n(v)o(e)e(increasingly)f(detected)h(in)h(our)f(on-)-150
+3801 y(going)k(operation)f(of)i(Bro\).)k(The)c(k)o(e)o(y)g(principle)e
+(is)j(to)g(\002nd)e(a)i(traf)n(\002c)-150 3900 y(pattern)f(interpreted)
+f(by)h(the)h(monitor)e(in)i(a)g(dif)n(ferent)e(f)o(ashion)h(than)-150
+4000 y(by)25 b(the)h(recei)n(ving)f(endpoint,)g(and)g(then)g(to)h(le)n
+(v)o(erage)f(this)h(into)g(an)-150 4100 y(insertion)19
+b(or)h(e)n(v)n(asion)f(attack,)h(as)h(discussed)f(abo)o(v)o(e.)-67
+4202 y(T)-7 b(o)23 b(thw)o(art)f(subterfuge)e(attacks,)j(as)g(we)f(de)n
+(v)o(eloped)e(Bro)j(we)f(at-)-150 4301 y(tempted)d(at)i(each)f(stage)h
+(to)f(analyze)f(the)i(e)o(xplicit)e(and)h(implicit)g(as-)-150
+4401 y(sumptions)h(made)g(by)h(the)f(system,)i(and)e(ho)n(w)-5
+b(,)21 b(by)h(violating)e(them,)-150 4501 y(an)31 b(attack)g(might)f
+(successfully)g(elude)h(detection.)56 b(This)31 b(can)g(be)-150
+4600 y(a)26 b(dif)n(\002cult)g(process,)h(though,)e(and)g(we)i(mak)o(e)
+e(no)h(claims)g(to)g(ha)n(v)o(e)-150 4700 y(found)17
+b(them)h(all!)25 b(In)19 b(the)g(remainder)d(of)j(this)g(section,)g(we)
+g(focus)f(on)-150 4800 y(subterfuge)k(attacks)i(on)g(the)g(inte)o
+(grity)f(of)h(the)g(byte)g(stream)g(moni-)-150 4899 y(tored)e(for)h(a)g
+(TCP)h(connection.)31 b(Then,)23 b(in)g Fi(x)g Fs(6.5,)g(we)g(look)g
+(at)g(sub-)-150 4999 y(terfuge)c(attacks)h(aimed)g(at)h(hiding)d(k)o(e)
+o(yw)o(ords)h(in)h(interacti)n(v)o(e)f(te)o(xt.)-67 5101
+y(T)-7 b(o)27 b(analyze)f(a)h(TCP)g(connection)e(at)i(the)f
+(application)g(le)n(v)o(el)g(re-)-150 5201 y(quires)17
+b(e)o(xtracting)f(the)i(payload)e(data)h(from)f(each)i(TCP)g(pack)o(et)
+f(and)-150 5300 y(reassembling)j(it)h(into)g(its)h(proper)d(sequence.)
+26 b(W)-7 b(e)22 b(no)n(w)e(consider)g(a)-150 5400 y(spectrum)k(of)i
+(approaches)d(to)j(this)g(problem,)e(ranging)g(from)g(sim-)2049
+-104 y(plest)d(and)e(easiest)i(to)g(defeat,)e(to)h(increasingly)f
+(resilient.)2132 -1 y(Scanning)28 b(the)h(data)h(in)f(indi)n(vidual)f
+(pack)o(ets)h(without)g(remem-)2049 99 y(bering)20 b(an)o(y)h
+(connection)f(state,)i(while)g(easiest,)h(ob)o(viously)c(suf)n(fers)
+2049 199 y(from)24 b(major)g(problems:)33 b(an)o(y)24
+b(time)g(the)h(te)o(xt)g(of)f(interest)h(happens)2049
+298 y(to)e(straddle)g(the)g(boundary)d(between)i(the)h(end)f(of)h(one)g
+(pack)o(et)f(and)2049 398 y(the)g(be)o(ginning)d(of)i(the)h(ne)o(xt,)f
+(the)g(te)o(xt)h(will)g(go)g(unobserv)o(ed.)k(Such)2049
+497 y(a)e(split)f(can)g(happen)e(simply)i(by)g(accident,)g(and)f
+(certainly)g(by)h(ma-)2049 597 y(licious)d(intent.)2132
+701 y(Some)48 b(systems)h(address)f(this)h(problem)e(by)h(remembering)
+2049 801 y(pre)n(viously-seen)16 b(te)o(xt)j(up)f(to)h(a)h(certain)e
+(de)o(gree)f(\(perhaps)h(from)g(the)2049 900 y(be)o(ginning)25
+b(of)i(the)g(current)g(line\).)46 b(This)28 b(approach)d(f)o(ails)j(as)
+g(soon)2049 1000 y(as)g(a)g(sequence)e(\223hole\224)h(appears:)39
+b(that)28 b(is,)i(an)o(y)c(time)i(a)g(pack)o(et)f(is)2049
+1099 y(missing\227due)d(to)i(loss)g(or)g(out-of-order)21
+b(deli)n(v)o(ery\227then)i(the)j(re-)2049 1199 y(sulting)g
+(discontinuity)f(in)i(the)f(data)h(stream)f(again)g(can)g(mask)h(the)
+2049 1299 y(presence)19 b(of)h(k)o(e)o(y)g(te)o(xt)g(that)g(is)h(only)e
+(partially)h(present.)2132 1402 y(The)i(ne)o(xt)h(step)g(is)g(to)g
+(fully)g(reassemble)f(the)h(TCP)g(data)g(stream,)2049
+1502 y(based)c(on)g(the)g(sequence)g(numbers)f(associated)h(with)g
+(each)g(pack)o(et.)2049 1602 y(Doing)42 b(so)h(requires)e(maintaining)g
+(a)i(list)h(of)e(contiguous)f(data)2049 1701 y(blocks)27
+b(recei)n(v)o(ed)f(so)i(f)o(ar)m(,)h(and)e(\002tting)g(the)h(data)g
+(from)e(ne)n(w)i(pack-)2049 1801 y(ets)23 b(into)e(the)h(blocks,)g(mer)
+o(ging)e(no)n(w-adjacent)f(blocks)j(when)f(pos-)2049
+1901 y(sible.)26 b(At)21 b(an)o(y)e(gi)n(v)o(en)h(moment,)f(one)g(can)i
+(then)e(scan)i(the)f(te)o(xt)h(from)2049 2000 y(the)28
+b(be)o(ginning)e(of)i(the)h(connection)d(to)i(the)h(highest)e
+(in-sequence)2049 2100 y(byte)20 b(recei)n(v)o(ed.)2132
+2204 y(Unless)54 b(we)g(are)f(careful,)60 b(e)n(v)o(en)53
+b(k)o(eeping)f(track)h(of)g(non-)2049 2303 y(contiguous)31
+b(data)i(blocks)g(does)g(not)g(suf)n(\002ce)g(to)h(pre)n(v)o(ent)d(a)j
+(TCP)2049 2403 y(subterfuge)29 b(attack.)57 b(The)31
+b(k)o(e)o(y)f(observ)n(ation)f(is)j(that)f(an)g(attack)o(er)2049
+2502 y(can)20 b(manipulate)e(the)i(pack)o(ets)f(their)h(TCP)g(sends)g
+(so)g(that)g(the)g(mon-)2049 2602 y(itor)i(sees)i(a)f(particular)e
+(pack)o(et,)i(b)n(ut)f(the)h(endpoint)e(does)h(not.)32
+b(One)2049 2702 y(w)o(ay)h(of)g(doing)f(so)h(is)h(to)g(transmit)f(the)g
+(pack)o(et)f(with)i(an)f(in)m(v)n(alid)2049 2801 y(TCP)23
+b(checksum.)31 b(\(This)23 b(particular)e(attack)i(can)f(be)h(dealt)f
+(with)h(by)2049 2901 y(checksumming)g(e)n(v)o(ery)g(pack)o(et,)j(and)f
+(discarding)f(those)h(that)g(f)o(ail;)2049 3001 y(a)e(monitor)d(needs)i
+(to)h(do)e(this)i(an)o(yw)o(ay)e(so)i(that)f(it)h(correctly)e(tracks)
+2049 3100 y(the)30 b(endpoint')-5 b(s)29 b(state)i(in)f(the)g(presence)
+f(of)h(honest)g(data)g(corrup-)2049 3200 y(tion)18 b(errors,)g(which)g
+(are)g(not)g(particularly)f(rare)g([P)o(a97a)o(].\))24
+b(Another)2049 3300 y(w)o(ay)18 b(is)g(to)g(launch)e(the)i(pack)o(et)f
+(with)g(an)h(IP)g(\223T)m(ime)f(T)-7 b(o)18 b(Li)n(v)o(e\224)f(\(TTL\))
+2049 3399 y(\002eld)22 b(suf)n(\002cient)f(to)g(carry)g(the)g(pack)o
+(et)g(past)h(the)f(monitoring)f(point,)2049 3499 y(b)n(ut)30
+b(insuf)n(\002cient)f(to)h(carry)g(it)g(all)h(the)f(w)o(ay)g(to)g(the)g
+(endpoint.)53 b(\(If)2049 3598 y(the)28 b(site)h(has)f(a)g(comple)o(x)e
+(topology)-5 b(,)27 b(it)i(may)e(be)h(dif)n(\002cult)f(for)h(the)2049
+3698 y(monitor)19 b(to)h(detect)g(this)h(attack.\))j(A)d(third)e(w)o
+(ay)i(becomes)e(possible)2049 3798 y(if)27 b(the)f(\002nal)h(path)f(to)
+h(the)g(attack)o(ed)f(endpoint)e(happens)h(to)i(ha)n(v)o(e)f(a)2049
+3897 y(smaller)21 b(Maximum)f(T)m(ransmission)g(Unit)h(\(MTU\))g(than)f
+(the)h(Inter)n(-)2049 3997 y(net)c(path)f(from)g(the)h(attack)o(er')-5
+b(s)17 b(host)g(to)g(the)g(monitoring)e(point.)23 b(The)2049
+4097 y(attack)o(er)c(then)h(sends)g(a)g(pack)o(et)g(with)g(a)g(size)h
+(e)o(xceeding)d(this)j(MTU)2049 4196 y(and)c(with)h(the)g(IP)g
+(\223Don')o(t)e(Fragment\224)g(header)h(bit)g(set.)25
+b(This)18 b(pack)o(et)2049 4296 y(will)25 b(then)f(transit)g(past)h
+(the)f(monitoring)e(point,)i(b)n(ut)h(be)f(discarded)2049
+4395 y(by)c(the)g(router)f(at)i(the)f(point)f(where)h(the)g(MTU)g
+(narro)n(ws.)2132 4499 y(By)28 b(manipulating)e(pack)o(ets)i(in)g(this)
+h(f)o(ashion,)f(an)g(attack)o(er)g(can)2049 4599 y(send)38
+b(innocuous)f(te)o(xt)h(for)g(the)h(bene\002t)f(of)g(the)h(monitor)m(,)
+i(such)2049 4698 y(as)27 b(\223)p Fm(USER)49 b(nice)p
+Fs(\224,)26 b(and)g(then)f(retransmit)g(\(using)g(the)h(same)g(se-)2049
+4798 y(quence)d(numbers\))g(attack)i(te)o(xt)f(\(\223)p
+Fm(USER)49 b(root)p Fs(\224\),)24 b(this)i(time)e(al-)2049
+4898 y(lo)n(wing)k(the)i(pack)o(ets)f(to)g(tra)n(v)o(erse)g(all)h(the)f
+(w)o(ay)h(to)f(the)h(endpoint.)2049 4997 y(If)19 b(the)h(monitor)e
+(simply)h(discards)g(retransmitted)g(data)g(without)g(in-)2049
+5097 y(specting)k(it,)j(then)d(it)i(will)g(mistak)o(enly)e(belie)n(v)o
+(e)g(that)h(the)g(endpoint)2049 5197 y(recei)n(v)o(ed)19
+b(the)h(innocuous)e(te)o(xt,)i(and)f(f)o(ail)i(to)f(detect)g(the)g
+(attack.)2132 5300 y(Figure)29 b(2)h(illustrates)g(this)g(attack.)53
+b(Here,)32 b(the)d(attack)o(er)h(sends)2049 5400 y(the)19
+b(te)o(xt)g(\223)p Fm(USER)p Fs(\224)g(with)g(an)g(initial)h(TTL)e(of)h
+(20)g(hops,)g(co)o(v)o(ering)d(se-)1908 5649 y(12)p eop
+%%Page: 13 13
+13 12 bop -125 -187 a
+ 15392931 10313261 5788794 18945146 34930114 38613893 startTexFig
+ -125 -187 a
+%%BeginDocument: evasion.idraw
+
+/arrowhead {
+0 begin
+transform originalCTM itransform
+/taily exch def
+/tailx exch def
+transform originalCTM itransform
+/tipy exch def
+/tipx exch def
+/dy tipy taily sub def
+/dx tipx tailx sub def
+/angle dx 0 ne dy 0 ne or { dy dx atan } { 90 } ifelse def
+gsave
+originalCTM setmatrix
+tipx tipy translate
+angle rotate
+newpath
+arrowHeight neg arrowWidth 2 div moveto
+0 0 lineto
+arrowHeight neg arrowWidth 2 div neg lineto
+patternNone not {
+originalCTM setmatrix
+/padtip arrowHeight 2 exp 0.25 arrowWidth 2 exp mul add sqrt brushWidth mul
+arrowWidth div def
+/padtail brushWidth 2 div def
+tipx tipy translate
+angle rotate
+padtip 0 translate
+arrowHeight padtip add padtail add arrowHeight div dup scale
+arrowheadpath
+ifill
+} if
+brushNone not {
+originalCTM setmatrix
+tipx tipy translate
+angle rotate
+arrowheadpath
+istroke
+} if
+grestore
+end
+} dup 0 9 dict put def
+
+/arrowheadpath {
+newpath
+arrowHeight neg arrowWidth 2 div moveto
+0 0 lineto
+arrowHeight neg arrowWidth 2 div neg lineto
+} def
+
+/leftarrow {
+0 begin
+y exch get /taily exch def
+x exch get /tailx exch def
+y exch get /tipy exch def
+x exch get /tipx exch def
+brushLeftArrow { tipx tipy tailx taily arrowhead } if
+end
+} dup 0 4 dict put def
+
+/rightarrow {
+0 begin
+y exch get /tipy exch def
+x exch get /tipx exch def
+y exch get /taily exch def
+x exch get /tailx exch def
+brushRightArrow { tipx tipy tailx taily arrowhead } if
+end
+} dup 0 4 dict put def
+
+
+/arrowHeight 8 def
+/arrowWidth 4 def
+
+/IdrawDict 54 dict def
+IdrawDict begin
+
+/reencodeISO {
+dup dup findfont dup length dict begin
+{ 1 index /FID ne { def }{ pop pop } ifelse } forall
+/Encoding ISOLatin1Encoding def
+currentdict end definefont
+} def
+
+/ISOLatin1Encoding [
+/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef
+/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef
+/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef
+/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef
+/space/exclam/quotedbl/numbersign/dollar/percent/ampersand/quoteright
+/parenleft/parenright/asterisk/plus/comma/minus/period/slash
+/zero/one/two/three/four/five/six/seven/eight/nine/colon/semicolon
+/less/equal/greater/question/at/A/B/C/D/E/F/G/H/I/J/K/L/M/N
+/O/P/Q/R/S/T/U/V/W/X/Y/Z/bracketleft/backslash/bracketright
+/asciicircum/underscore/quoteleft/a/b/c/d/e/f/g/h/i/j/k/l/m
+/n/o/p/q/r/s/t/u/v/w/x/y/z/braceleft/bar/braceright/asciitilde
+/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef
+/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef
+/.notdef/dotlessi/grave/acute/circumflex/tilde/macron/breve
+/dotaccent/dieresis/.notdef/ring/cedilla/.notdef/hungarumlaut
+/ogonek/caron/space/exclamdown/cent/sterling/currency/yen/brokenbar
+/section/dieresis/copyright/ordfeminine/guillemotleft/logicalnot
+/hyphen/registered/macron/degree/plusminus/twosuperior/threesuperior
+/acute/mu/paragraph/periodcentered/cedilla/onesuperior/ordmasculine
+/guillemotright/onequarter/onehalf/threequarters/questiondown
+/Agrave/Aacute/Acircumflex/Atilde/Adieresis/Aring/AE/Ccedilla
+/Egrave/Eacute/Ecircumflex/Edieresis/Igrave/Iacute/Icircumflex
+/Idieresis/Eth/Ntilde/Ograve/Oacute/Ocircumflex/Otilde/Odieresis
+/multiply/Oslash/Ugrave/Uacute/Ucircumflex/Udieresis/Yacute
+/Thorn/germandbls/agrave/aacute/acircumflex/atilde/adieresis
+/aring/ae/ccedilla/egrave/eacute/ecircumflex/edieresis/igrave
+/iacute/icircumflex/idieresis/eth/ntilde/ograve/oacute/ocircumflex
+/otilde/odieresis/divide/oslash/ugrave/uacute/ucircumflex/udieresis
+/yacute/thorn/ydieresis
+] def
+/Helvetica-Bold reencodeISO def
+/Times-Roman reencodeISO def
+/Courier-Bold reencodeISO def
+/Helvetica-Oblique reencodeISO def
+
+/none null def
+/numGraphicParameters 17 def
+/stringLimit 65535 def
+
+/Begin {
+save
+numGraphicParameters dict begin
+} def
+
+/End {
+end
+restore
+} def
+
+/SetB {
+dup type /nulltype eq {
+pop
+false /brushRightArrow idef
+false /brushLeftArrow idef
+true /brushNone idef
+} {
+/brushDashOffset idef
+/brushDashArray idef
+0 ne /brushRightArrow idef
+0 ne /brushLeftArrow idef
+/brushWidth idef
+false /brushNone idef
+} ifelse
+} def
+
+/SetCFg {
+/fgblue idef
+/fggreen idef
+/fgred idef
+} def
+
+/SetCBg {
+/bgblue idef
+/bggreen idef
+/bgred idef
+} def
+
+/SetF {
+/printSize idef
+/printFont idef
+} def
+
+/SetP {
+dup type /nulltype eq {
+pop true /patternNone idef
+} {
+dup -1 eq {
+/patternGrayLevel idef
+/patternString idef
+} {
+/patternGrayLevel idef
+} ifelse
+false /patternNone idef
+} ifelse
+} def
+
+/BSpl {
+0 begin
+storexyn
+newpath
+n 1 gt {
+0 0 0 0 0 0 1 1 true subspline
+n 2 gt {
+0 0 0 0 1 1 2 2 false subspline
+1 1 n 3 sub {
+/i exch def
+i 1 sub dup i dup i 1 add dup i 2 add dup false subspline
+} for
+n 3 sub dup n 2 sub dup n 1 sub dup 2 copy false subspline
+} if
+n 2 sub dup n 1 sub dup 2 copy 2 copy false subspline
+patternNone not brushLeftArrow not brushRightArrow not and and { ifill } if
+brushNone not { istroke } if
+0 0 1 1 leftarrow
+n 2 sub dup n 1 sub dup rightarrow
+} if
+end
+} dup 0 4 dict put def
+
+/Circ {
+newpath
+0 360 arc
+patternNone not { ifill } if
+brushNone not { istroke } if
+} def
+
+/CBSpl {
+0 begin
+dup 2 gt {
+storexyn
+newpath
+n 1 sub dup 0 0 1 1 2 2 true subspline
+1 1 n 3 sub {
+/i exch def
+i 1 sub dup i dup i 1 add dup i 2 add dup false subspline
+} for
+n 3 sub dup n 2 sub dup n 1 sub dup 0 0 false subspline
+n 2 sub dup n 1 sub dup 0 0 1 1 false subspline
+patternNone not { ifill } if
+brushNone not { istroke } if
+} {
+Poly
+} ifelse
+end
+} dup 0 4 dict put def
+
+/Elli {
+0 begin
+newpath
+4 2 roll
+translate
+scale
+0 0 1 0 360 arc
+patternNone not { ifill } if
+brushNone not { istroke } if
+end
+} dup 0 1 dict put def
+
+/Line {
+0 begin
+2 storexyn
+newpath
+x 0 get y 0 get moveto
+x 1 get y 1 get lineto
+brushNone not { istroke } if
+0 0 1 1 leftarrow
+0 0 1 1 rightarrow
+end
+} dup 0 4 dict put def
+
+/MLine {
+0 begin
+storexyn
+newpath
+n 1 gt {
+x 0 get y 0 get moveto
+1 1 n 1 sub {
+/i exch def
+x i get y i get lineto
+} for
+patternNone not brushLeftArrow not brushRightArrow not and and { ifill } if
+brushNone not { istroke } if
+0 0 1 1 leftarrow
+n 2 sub dup n 1 sub dup rightarrow
+} if
+end
+} dup 0 4 dict put def
+
+/Poly {
+3 1 roll
+newpath
+moveto
+-1 add
+{ lineto } repeat
+closepath
+patternNone not { ifill } if
+brushNone not { istroke } if
+} def
+
+/Rect {
+0 begin
+/t exch def
+/r exch def
+/b exch def
+/l exch def
+newpath
+l b moveto
+l t lineto
+r t lineto
+r b lineto
+closepath
+patternNone not { ifill } if
+brushNone not { istroke } if
+end
+} dup 0 4 dict put def
+
+/Text {
+ishow
+} def
+
+/idef {
+dup where { pop pop pop } { exch def } ifelse
+} def
+
+/ifill {
+0 begin
+gsave
+patternGrayLevel -1 ne {
+fgred bgred fgred sub patternGrayLevel mul add
+fggreen bggreen fggreen sub patternGrayLevel mul add
+fgblue bgblue fgblue sub patternGrayLevel mul add setrgbcolor
+eofill
+} {
+eoclip
+originalCTM setmatrix
+pathbbox /t exch def /r exch def /b exch def /l exch def
+/w r l sub ceiling cvi def
+/h t b sub ceiling cvi def
+/imageByteWidth w 8 div ceiling cvi def
+/imageHeight h def
+bgred bggreen bgblue setrgbcolor
+eofill
+fgred fggreen fgblue setrgbcolor
+w 0 gt h 0 gt and {
+l w add b translate w neg h scale
+w h true [w 0 0 h neg 0 h] { patternproc } imagemask
+} if
+} ifelse
+grestore
+end
+} dup 0 8 dict put def
+
+/istroke {
+gsave
+brushDashOffset -1 eq {
+[] 0 setdash
+1 setgray
+} {
+brushDashArray brushDashOffset setdash
+fgred fggreen fgblue setrgbcolor
+} ifelse
+brushWidth setlinewidth
+originalCTM setmatrix
+stroke
+grestore
+} def
+
+/ishow {
+0 begin
+gsave
+fgred fggreen fgblue setrgbcolor
+/fontDict printFont printSize scalefont dup setfont def
+/descender fontDict begin 0 [FontBBox] 1 get FontMatrix end
+transform exch pop def
+/vertoffset 1 printSize sub descender sub def {
+0 vertoffset moveto show
+/vertoffset vertoffset printSize sub def
+} forall
+grestore
+end
+} dup 0 3 dict put def
+/patternproc {
+0 begin
+/patternByteLength patternString length def
+/patternHeight patternByteLength 8 mul sqrt cvi def
+/patternWidth patternHeight def
+/patternByteWidth patternWidth 8 idiv def
+/imageByteMaxLength imageByteWidth imageHeight mul
+stringLimit patternByteWidth sub min def
+/imageMaxHeight imageByteMaxLength imageByteWidth idiv patternHeight idiv
+patternHeight mul patternHeight max def
+/imageHeight imageHeight imageMaxHeight sub store
+/imageString imageByteWidth imageMaxHeight mul patternByteWidth add string def
+0 1 imageMaxHeight 1 sub {
+/y exch def
+/patternRow y patternByteWidth mul patternByteLength mod def
+/patternRowString patternString patternRow patternByteWidth getinterval def
+/imageRow y imageByteWidth mul def
+0 patternByteWidth imageByteWidth 1 sub {
+/x exch def
+imageString imageRow x add patternRowString putinterval
+} for
+} for
+imageString
+end
+} dup 0 12 dict put def
+
+/min {
+dup 3 2 roll dup 4 3 roll lt { exch } if pop
+} def
+
+/max {
+dup 3 2 roll dup 4 3 roll gt { exch } if pop
+} def
+
+/midpoint {
+0 begin
+/y1 exch def
+/x1 exch def
+/y0 exch def
+/x0 exch def
+x0 x1 add 2 div
+y0 y1 add 2 div
+end
+} dup 0 4 dict put def
+
+/thirdpoint {
+0 begin
+/y1 exch def
+/x1 exch def
+/y0 exch def
+/x0 exch def
+x0 2 mul x1 add 3 div
+y0 2 mul y1 add 3 div
+end
+} dup 0 4 dict put def
+
+/subspline {
+0 begin
+/movetoNeeded exch def
+y exch get /y3 exch def
+x exch get /x3 exch def
+y exch get /y2 exch def
+x exch get /x2 exch def
+y exch get /y1 exch def
+x exch get /x1 exch def
+y exch get /y0 exch def
+x exch get /x0 exch def
+x1 y1 x2 y2 thirdpoint
+/p1y exch def
+/p1x exch def
+x2 y2 x1 y1 thirdpoint
+/p2y exch def
+/p2x exch def
+x1 y1 x0 y0 thirdpoint
+p1x p1y midpoint
+/p0y exch def
+/p0x exch def
+x2 y2 x3 y3 thirdpoint
+p2x p2y midpoint
+/p3y exch def
+/p3x exch def
+movetoNeeded { p0x p0y moveto } if
+p1x p1y p2x p2y p3x p3y curveto
+end
+} dup 0 17 dict put def
+
+/storexyn {
+/n exch def
+/y n array def
+/x n array def
+n 1 sub -1 0 {
+/i exch def
+y i 3 2 roll put
+x i 3 2 roll put
+} for
+} def
+
+/SSten {
+fgred fggreen fgblue setrgbcolor
+dup true exch 1 0 0 -1 0 6 -1 roll matrix astore
+} def
+
+/FSten {
+dup 3 -1 roll dup 4 1 roll exch
+newpath
+0 0 moveto
+dup 0 exch lineto
+exch dup 3 1 roll exch lineto
+0 lineto
+closepath
+bgred bggreen bgblue setrgbcolor
+eofill
+SSten
+} def
+
+/Rast {
+exch dup 3 1 roll 1 0 0 -1 0 6 -1 roll matrix astore
+} def
+
+
+%I Idraw 10 Grid 3 3 
+
+
+Begin
+%I b u
+%I cfg u
+%I cbg u
+%I f u
+%I p u
+%I t
+[ 0.955325 0 0 0.955325 0 0 ] concat
+/originalCTM matrix currentmatrix def
+
+Begin %I Line
+%I b 65520
+0 0 0 [12 4] 0 SetB
+%I cfg Black
+0 0 0 SetCFg
+%I cbg White
+1 1 1 SetCBg
+none SetP %I p n
+%I t
+[ 1 -0 -0 1 117 149 ] concat
+%I
+228 226 228 451 Line
+%I 1
+End
+
+Begin %I Line
+%I b 65535
+0 0 0 [] 0 SetB
+%I cfg Black
+0 0 0 SetCFg
+%I cbg White
+1 1 1 SetCBg
+none SetP %I p n
+%I t
+[ 1 -0 -0 1 117 149 ] concat
+%I
+213 211 228 181 Line
+%I 1
+End
+
+Begin %I Line
+%I b 65535
+0 0 0 [] 0 SetB
+%I cfg Black
+0 0 0 SetCFg
+%I cbg White
+1 1 1 SetCBg
+%I p
+0 SetP
+%I t
+[ 1 -0 -0 1 117 149 ] concat
+%I
+228 181 243 211 Line
+%I 1
+End
+
+Begin %I Text
+%I cfg Black
+0 0 0 SetCFg
+%I f -*-helvetica-bold-r-normal-*-14-*-*-*-*-*-*-*
+Helvetica-Bold 14 SetF
+%I t
+[ 1 0 0 1 322 317 ] concat
+%I
+[
+(Monitor)
+] Text
+End
+
+Begin %I Text
+%I cfg Black
+0 0 0 SetCFg
+%I f -*-times-medium-r-normal-*-12-*-*-*-*-*-*-*
+Times-Roman 12 SetF
+%I t
+[ 0.92 0 0 0.92 355.92 609.68 ] concat
+%I
+[
+(\(10 hops\))
+] Text
+End
+
+Begin %I Text
+%I cfg Black
+0 0 0 SetCFg
+%I f -*-times-medium-r-normal-*-12-*-*-*-*-*-*-*
+Times-Roman 12 SetF
+%I t
+[ 1 0 0 1 473 580 ] concat
+%I
+[
+(\(18 hops\))
+] Text
+End
+
+Begin %I Rect
+%I b 65535
+1 0 0 [] 0 SetB
+%I cfg Black
+0 0 0 SetCFg
+%I cbg White
+1 1 1 SetCBg
+none SetP %I p n
+%I t
+[ 1 0 0 1 58.25 112.5 ] concat
+%I
+105 437 146 462 Rect
+End
+
+Begin %I Text
+%I cfg Black
+0 0 0 SetCFg
+%I f -*-courier-bold-r-normal-*-12-*-*-*-*-*-*-*
+Courier-Bold 12 SetF
+%I t
+[ 1 0 0 1 170.25 566.5 ] concat
+%I
+[
+(USER)
+] Text
+End
+
+Begin %I Text
+%I cfg Black
+0 0 0 SetCFg
+%I f -*-times-medium-r-normal-*-12-*-*-*-*-*-*-*
+Times-Roman 12 SetF
+%I t
+[ 1 0 0 1 145 590 ] concat
+%I
+[
+(seq= 6 ... 9)
+] Text
+End
+
+Begin %I Text
+%I cfg Black
+0 0 0 SetCFg
+%I f -*-times-medium-r-normal-*-12-*-*-*-*-*-*-*
+Times-Roman 12 SetF
+%I t
+[ 1 0 0 1 129.25 566.5 ] concat
+%I
+[
+(ttl=20)
+] Text
+End
+
+Begin %I Rect
+%I b 65535
+1 0 0 [] 0 SetB
+%I cfg Black
+0 0 0 SetCFg
+%I cbg White
+1 1 1 SetCBg
+none SetP %I p n
+%I t
+[ 1 0 0 1 103.25 67.5 ] concat
+%I
+105 437 146 462 Rect
+End
+
+Begin %I Text
+%I cfg Black
+0 0 0 SetCFg
+%I f -*-times-medium-r-normal-*-12-*-*-*-*-*-*-*
+Times-Roman 12 SetF
+%I t
+[ 1 0 0 1 173.25 522 ] concat
+%I
+[
+(ttl=12)
+] Text
+End
+
+Begin %I Text
+%I cfg Black
+0 0 0 SetCFg
+%I f -*-times-medium-r-normal-*-12-*-*-*-*-*-*-*
+Times-Roman 12 SetF
+%I t
+[ 1 0 0 1 211 545 ] concat
+%I
+[
+(10 .. 13)
+] Text
+End
+
+Begin %I Text
+%I cfg Black
+0 0 0 SetCFg
+%I f -*-courier-bold-r-normal-*-12-*-*-*-*-*-*-*
+Courier-Bold 12 SetF
+%I t
+[ 1 0 0 1 215.25 521.5 ] concat
+%I
+[
+(nice)
+] Text
+End
+
+Begin %I Rect
+%I b 65535
+1 0 0 [] 0 SetB
+%I cfg Black
+0 0 0 SetCFg
+%I cbg White
+1 1 1 SetCBg
+none SetP %I p n
+%I t
+[ 1 0 0 1 103.25 8.50003 ] concat
+%I
+105 437 146 462 Rect
+End
+
+Begin %I Text
+%I cfg Black
+0 0 0 SetCFg
+%I f -*-times-medium-r-normal-*-12-*-*-*-*-*-*-*
+Times-Roman 12 SetF
+%I t
+[ 1 0 0 1 211 486 ] concat
+%I
+[
+(10 .. 13)
+] Text
+End
+
+Begin %I Text
+%I cfg Black
+0 0 0 SetCFg
+%I f -*-times-medium-r-normal-*-12-*-*-*-*-*-*-*
+Times-Roman 12 SetF
+%I t
+[ 1 0 0 1 173.25 463 ] concat
+%I
+[
+(ttl=20)
+] Text
+End
+
+Begin %I Text
+%I cfg Black
+0 0 0 SetCFg
+%I f -*-courier-bold-r-normal-*-12-*-*-*-*-*-*-*
+Courier-Bold 12 SetF
+%I t
+[ 1 0 0 1 215.25 463 ] concat
+%I
+[
+(root)
+] Text
+End
+
+Begin %I Line
+%I b 65535
+2 0 1 [] 0 SetB
+%I cfg Black
+0 0 0 SetCFg
+%I cbg White
+1 1 1 SetCBg
+none SetP %I p n
+%I t
+[ 1 -0 -0 1 172.25 248.5 ] concat
+%I
+88 211 308 212 Line
+%I 1
+End
+
+Begin %I Line
+%I b 65535
+2 0 1 [] 0 SetB
+%I cfg Black
+0 0 0 SetCFg
+%I cbg White
+1 1 1 SetCBg
+none SetP %I p n
+%I t
+[ 1 -0 -0 1 169.25 246.5 ] concat
+%I
+93 271 206 272 Line
+%I 1
+End
+
+Begin %I Pict
+%I b u
+%I cfg u
+%I cbg u
+%I f u
+%I p u
+%I t
+[ 1 0 0 1 5 0.5 ] concat
+
+Begin %I Pict
+%I b u
+%I cfg u
+%I cbg u
+%I f -*-times-medium-r-normal-*-12-*-*-*-*-*-*-*
+Times-Roman 12 SetF
+%I p u
+%I t
+[ 0.214567 0 0 0.214567 300.249 408.973 ] concat
+
+Begin %I Line
+%I b 65535
+0 0 0 [] 0 SetB
+%I cfg Black
+0 0 0 SetCFg
+%I cbg White
+1 1 1 SetCBg
+none SetP %I p n
+%I t
+[ 0.125 -0 -0 0.125 346 477.5 ] concat
+%I
+329 115 40 403 Line
+%I 8
+End
+
+Begin %I Line
+%I b 65535
+0 0 0 [] 0 SetB
+%I cfg Black
+0 0 0 SetCFg
+%I cbg White
+1 1 1 SetCBg
+none SetP %I p n
+%I t
+[ 0.125 -0 -0 0.125 346 477.5 ] concat
+%I
+41 115 329 403 Line
+%I 8
+End
+
+End %I eop
+
+Begin %I Text
+%I cfg Black
+0 0 0 SetCFg
+%I f -*-times-medium-r-normal-*-12-*-*-*-*-*-*-*
+Times-Roman 12 SetF
+%I t
+[ 1 0 0 1 374.75 510.25 ] concat
+%I
+[
+(ttl expires)
+] Text
+End
+
+End %I eop
+
+Begin %I Rect
+%I b 65535
+0 0 0 [] 0 SetB
+%I cfg Black
+0 0 0 SetCFg
+%I cbg White
+1 1 1 SetCBg
+none SetP %I p n
+%I t
+[ 1.7938 0 0 0.865636 184.784 -12.9233 ] concat
+%I
+105 437 146 462 Rect
+End
+
+Begin %I Text
+%I cfg Black
+0 0 0 SetCFg
+%I f -*-courier-bold-r-normal-*-12-*-*-*-*-*-*-*
+Courier-Bold 12 SetF
+%I t
+[ 1 0 0 1 378.906 380.68 ] concat
+%I
+[
+(USER nice)
+] Text
+End
+
+Begin %I Line
+%I b 65535
+0 0 0 [] 0 SetB
+%I cfg Black
+0 0 0 SetCFg
+%I cbg White
+1 1 1 SetCBg
+none SetP %I p n
+%I t
+[ 1 -0 -0 1 118.906 247.18 ] concat
+%I
+291 118 291 140 Line
+%I 1
+End
+
+Begin %I Rect
+%I b 65535
+0 0 0 [] 0 SetB
+%I cfg Black
+0 0 0 SetCFg
+%I cbg White
+1 1 1 SetCBg
+none SetP %I p n
+%I t
+[ 1.7938 0 0 0.865636 184.784 -38.4233 ] concat
+%I
+105 437 146 462 Rect
+End
+
+Begin %I Line
+%I b 65535
+0 0 0 [] 0 SetB
+%I cfg Black
+0 0 0 SetCFg
+%I cbg White
+1 1 1 SetCBg
+none SetP %I p n
+%I t
+[ 1 0 0 1 118.906 221.68 ] concat
+%I
+291 118 291 140 Line
+%I 1
+End
+
+Begin %I Text
+%I cfg Black
+0 0 0 SetCFg
+%I f -*-courier-bold-r-normal-*-12-*-*-*-*-*-*-*
+Courier-Bold 12 SetF
+%I t
+[ 1 0 0 1 378.906 355.18 ] concat
+%I
+[
+(USER root)
+] Text
+End
+
+Begin %I Text
+%I cfg Black
+0 0 0 SetCFg
+%I f -*-helvetica-medium-o-normal-*-14-*-*-*-*-*-*-*
+Helvetica-Oblique 14 SetF
+%I t
+[ 1 0 0 1 453 382 ] concat
+%I
+[
+(?)
+] Text
+End
+
+Begin %I Text
+%I cfg Black
+0 0 0 SetCFg
+%I f -*-helvetica-medium-o-normal-*-14-*-*-*-*-*-*-*
+Helvetica-Oblique 14 SetF
+%I t
+[ 1 0 0 1 453 357 ] concat
+%I
+[
+(?)
+] Text
+End
+
+Begin %I Rect
+%I b 65535
+0 0 0 [] 0 SetB
+%I cfg Black
+0 0 0 SetCFg
+%I cbg White
+1 1 1 SetCBg
+none SetP %I p n
+%I t
+[ 1.7938 0 0 0.865636 292.284 104.577 ] concat
+%I
+105 437 146 462 Rect
+End
+
+Begin %I Line
+%I b 65535
+0 0 0 [] 0 SetB
+%I cfg Black
+0 0 0 SetCFg
+%I cbg White
+1 1 1 SetCBg
+none SetP %I p n
+%I t
+[ 1 0 0 1 226.406 364.68 ] concat
+%I
+291 118 291 140 Line
+%I 1
+End
+
+Begin %I Text
+%I cfg Black
+0 0 0 SetCFg
+%I f -*-courier-bold-r-normal-*-12-*-*-*-*-*-*-*
+Courier-Bold 12 SetF
+%I t
+[ 1 0 0 1 486.406 498.18 ] concat
+%I
+[
+(USER root)
+] Text
+End
+
+Begin %I Line
+%I b 65535
+2 0 1 [] 0 SetB
+%I cfg Black
+0 0 0 SetCFg
+%I cbg White
+1 1 1 SetCBg
+none SetP %I p n
+%I t
+[ 0.5 -0 -0 0.5 338.25 314.5 ] concat
+%I
+-246 496 287 494 Line
+%I 2
+End
+
+Begin %I Pict
+%I b u
+%I cfg u
+%I cbg u
+%I f u
+%I p u
+%I t
+[ 1 0 0 1 6 32 ] concat
+
+Begin %I Text
+%I cfg Black
+0 0 0 SetCFg
+%I f -*-helvetica-bold-r-normal-*-14-*-*-*-*-*-*-*
+Helvetica-Bold 14 SetF
+%I t
+[ 1 0 0 1 477 493 ] concat
+%I
+[
+(Victim)
+] Text
+End
+
+Begin %I Text
+%I cfg Black
+0 0 0 SetCFg
+%I f -*-helvetica-bold-r-normal-*-14-*-*-*-*-*-*-*
+Helvetica-Bold 14 SetF
+%I t
+[ 1 0 0 1 89 494 ] concat
+%I
+[
+(Attacker)
+] Text
+End
+
+End %I eop
+
+Begin %I BSpl
+%I b 65535
+0 0 0 [] 0 SetB
+%I cfg Black
+0 0 0 SetCFg
+%I cbg White
+1 1 1 SetCBg
+none SetP %I p n
+%I t
+[ 0.25 -0 -0 0.25 313.75 281.5 ] concat
+%I 3
+89 266
+126 302
+160 267
+3 BSpl
+%I 4
+End
+
+Begin %I BSpl
+%I b 65535
+0 0 0 [] 0 SetB
+%I cfg Black
+0 0 0 SetCFg
+%I cbg White
+1 1 1 SetCBg
+%I p
+0 SetP
+%I t
+[ 0.25 -0 -0 0.25 313.75 281.5 ] concat
+%I 3
+106 279
+125 269
+145 282
+3 BSpl
+%I 4
+End
+
+Begin %I BSpl
+%I b 65535
+0 0 0 [] 0 SetB
+%I cfg Black
+0 0 0 SetCFg
+%I cbg White
+1 1 1 SetCBg
+%I p
+0 SetP
+%I t
+[ 0.25 -0 -0 0.25 313.75 281.5 ] concat
+%I 3
+145 281
+125 291
+106 281
+3 BSpl
+%I 4
+End
+
+End %I eop
+
+showpage
+
+
+end
+%%EndDocument
+
+ endTexFig
+ -150 1302 a Fs(Figure)19 b(2:)24 b(A)c(TTL-based)e(e)n(v)n(asion)g
+(attack)h(on)g(an)g(intrusion)f(detec-)-150 1401 y(tion)i(system)-150
+1691 y(quence)27 b(numbers)f(6)i(through)e(9)i(in)g(the)g(TCP)h(data)e
+(stream.)48 b(It)29 b(is)-150 1791 y(18)f(hops)h(to)g(the)g(victim)f
+(and)h(10)f(hops)g(to)h(the)g(monitor)m(,)g(so)g(both)-150
+1890 y(see)g(this)g(te)o(xt)g(and)f(accept)g(it.)51 b(The)29
+b(attack)o(er)f(ne)o(xt)g(transmits)h(the)-150 1990 y(te)o(xt)g(\223)p
+Fm(nice)p Fs(\224)f(co)o(v)o(ering)f(the)i(ne)o(xt)f(consecuti)n(v)o(e)
+f(span)i(of)f(the)h(se-)-150 2090 y(quence)34 b(space,)40
+b(10)35 b(through)e(13,)39 b(b)n(ut)d(with)g(an)f(initial)h(TTL)g(of)
+-150 2189 y(only)19 b(12,)f(which)h(suf)n(\002ces)h(for)f(the)g(pack)o
+(et)g(to)g(tra)n(v)o(el)h(past)f(the)h(mon-)-150 2289
+y(itor)m(,)35 b(b)n(ut)e(not)g(all)g(the)g(w)o(ay)g(to)g(the)g(victim.)
+62 b(Hence,)36 b(the)d(moni-)-150 2388 y(tor)28 b(sees)h(this)g(te)o
+(xt)f(b)n(ut)g(the)g(victim)g(does)g(not.)49 b(The)28
+b(attack)o(er)g(the)-150 2488 y(sends)e(the)g(te)o(xt)g(\223)p
+Fm(root)p Fs(\224)g(with)g(the)g(same)g(sequence)f(numbers)g(as)-150
+2588 y(\223)p Fm(nice)p Fs(\224,)20 b(b)n(ut)h(this)g(time)g(with)g
+(enough)d(TTL)j(to)f(reach)g(the)h(victim.)-150 2687
+y(The)26 b(victim)f(will)i(thus)f(only)f(see)h(the)g(te)o(xt)g(\223)p
+Fm(USER)p Fs(\224)f(follo)n(wed)g(by)-150 2787 y(\223)p
+Fm(root)p Fs(\224,)d(while)h(the)f(monitor)f(will)i(see)g(tw)o(o)g(v)o
+(ersions)e(of)h(the)h(te)o(xt)-150 2887 y(for)17 b(sequence)g(numbers)f
+(10)i(through)d(13,)j(and)f(will)i(ha)n(v)o(e)e(to)h(decide)-150
+2986 y(which)i(to)h(assume)f(w)o(as)i(also)f(recei)n(v)o(ed)e(by)h(the)
+g(victim)h(\(if,)f(indeed,)-150 3086 y(it)e(e)n(v)o(en)f(detects)h
+(that)g(the)f(data)h(stream)f(includes)g(an)h(inconsistenc)o(y)-5
+b(,)-150 3185 y(which)25 b(requires)f(e)o(xtra)h(w)o(ork)f(on)h(the)h
+(monitor')-5 b(s)24 b(part\).)40 b(While)25 b(in)-150
+3285 y(this)c(case)g(by)f(inspecting)f(the)h(TTLs)h(it)g
+Fr(may)f Fs(be)g(able)g(to)h(determine)-150 3385 y(which)c(of)g(the)g
+(tw)o(o)g(v)o(ersions)g(the)g(victim)g(will)h(ha)n(v)o(e)e(seen,)i
+(there)f(are)-150 3484 y(man)o(y)28 b(other)g(w)o(ays)h(\(windo)n(w)e
+(checks,)j(the)f(MTU)g(attack)f(abo)o(v)o(e,)-150 3584
+y(checksums,)e(ackno)n(wledgement)c(sequence)j(number)f(checks\))h(of)
+-150 3684 y(subtly)31 b(af)n(fecting)g(header)g(\002elds)h(such)g(that)
+g(the)g(victim)f(will)i(re-)-150 3783 y(ject)21 b(one)f(or)g(the)g
+(other)g(of)g(the)g(tw)o(o)h(v)o(ersions.)j(Fundamentally)-5
+b(,)18 b(the)-150 3883 y(monitor)j(cannot)h(con\002dently)f(kno)n(w)h
+(which)h(of)f(the)h(tw)o(o)h(v)o(ersions)-150 3982 y(to)c(accept.)-67
+4093 y(A)27 b(partial)g(defense)e(against)h(this)h(attack)g(is)h(that)e
+(when)g(we)h(ob-)-150 4193 y(serv)o(e)j(a)h(retransmitted)e(pack)o(et)h
+(\(one)f(with)i(data)f(that)g(wholly)g(or)-150 4293 y(partially)21
+b(o)o(v)o(erlaps)g(pre)n(viously-seen)e(data\),)j(we)g(compare)f(it)h
+(with)-150 4392 y(an)o(y)f(data)g(it)i(o)o(v)o(erlaps,)d(and)h(sound)g
+(an)g(alarm)h(\(or)m(,)f(for)g(Bro,)h(gener)n(-)-150
+4492 y(ate)k(an)g(e)n(v)o(ent\))f(if)h(the)o(y)f(disagree.)41
+b(A)27 b(properly-functioning)20 b(TCP)-150 4592 y(will)31
+b(al)o(w)o(ays)f(retransmit)f(the)h(same)g(data)f(as)i(originally)d
+(sent,)k(so)-150 4691 y(an)o(y)23 b(disagreement)f(is)j(either)f(due)f
+(to)h(a)h(brok)o(en)d(TCP)-9 b(,)24 b(undetected)-150
+4791 y(data)19 b(corruption)d(\(i.e.,)j(corruption)e(the)i(checksum)e
+(f)o(ails)j(to)f(catch\),)-150 4890 y(or)h(an)g(attack.)-67
+5001 y(W)-7 b(e)28 b(ha)n(v)o(e)e(ar)o(gued)f(that)i(the)g(monitor)e
+(must)i(retain)f(a)h(record)f(of)-150 5101 y(pre)n(viously)34
+b(transmitted)i(data,)k(both)35 b(in-sequence)g(and)g(out-of-)-150
+5201 y(sequence.)30 b(The)22 b(question)f(no)n(w)g(arises)i(as)g(to)f
+(ho)n(w)g(long)g(the)g(mon-)-150 5300 y(itor)f(must)g(k)o(eep)g(this)g
+(data)g(around.)26 b(If)21 b(it)h(k)o(eeps)e(it)i(for)f(the)g(lifetime)
+-150 5400 y(of)d(the)h(connection,)d(then)i(it)i(may)e(require)f
+(prodigious)f(amounts)i(of)2049 -104 y(memory)25 b(an)o(y)g(time)i(it)g
+(happens)e(upon)g(a)h(particularly)f(lar)o(ge)g(con-)2049
+-5 y(nection;)i(these)e(are)g(not)g(infrequent)e([P)o(a94)n(].)40
+b(W)-7 b(e)26 b(instead)f(w)o(ould)2049 95 y(lik)o(e)31
+b(to)g(discard)f(data)h(blocks)f(as)h(soon)g(as)g(possible,)i(to)e
+(reclaim)2049 194 y(the)g(associated)g(memory)-5 b(.)55
+b(Clearly)-5 b(,)33 b(we)f(cannot)d(safely)i(discard)2049
+294 y(blocks)17 b(abo)o(v)o(e)f(a)j(sequencing)c(hole,)j(as)h(we)f
+(then)f(lose)h(the)g(opportu-)2049 394 y(nity)i(to)h(scan)f(the)h(te)o
+(xt)f(that)h(crosses)g(from)e(the)i(sequence)e(hole)h(into)2049
+493 y(the)h(block.)28 b(But)22 b(we)g(w)o(ould)e(lik)o(e)i(to)g
+(determine)e(when)g(it)i(is)h(safe)e(to)2049 593 y(discard)f
+(in-sequence)e(data.)2132 698 y(Here)i(we)h(can)f(mak)o(e)g(use)h(of)f
+(our)f(assumption)g(that)i(the)f(attack)o(er)2049 798
+y(controls)j(only)f(one)h(of)h(the)f(connection)f(endpoints.)33
+b(Suppose)23 b(the)2049 897 y(stream)30 b(of)g(interest)g(\003o)n(ws)g
+(from)f(host)h Fj(A)h Fs(to)f(host)g Fj(B)t Fs(.)55 b(If)29
+b(the)h(at-)2049 997 y(tack)o(er)i(controls)g Fj(B)t
+Fs(,)k(then)c(the)o(y)g(are)g(unable)g(to)g(manipulate)g(the)2049
+1097 y(data)21 b(pack)o(ets)g(in)h(a)g(subterfuge)d(attack,)i(so)h(we)g
+(can)f(safely)g(discard)2049 1196 y(the)h(data)h(once)e(it)i(is)g
+(in-sequence)e(and)h(we)g(ha)n(v)o(e)g(had)g(an)g(opportu-)2049
+1296 y(nity)e(to)h(analyze)e(it.)26 b(On)21 b(the)f(other)g(hand,)f(if)
+h(the)o(y)g(control)f Fj(A)p Fs(,)i(then,)2049 1395 y(from)i(our)f
+(assumption,)h(an)o(y)g(traf)n(\002c)h(we)g(see)g(from)e
+Fj(B)29 b Fs(re\003ects)24 b(the)2049 1495 y(correct)16
+b(functioning)f(of)i(its)i(TCP)f(\(this)f(assumes)h(that)f(we)h(use)g
+(anti-)2049 1595 y(spoo\002ng)f(\002lters)j(so)f(that)g(the)g(attack)o
+(er)f(cannot)g(for)o(ge)f(bogus)h(traf)n(\002c)2049 1694
+y(purportedly)g(coming)h(from)h Fj(B)t Fs(\).)27 b(In)21
+b(particular)m(,)e(we)i(can)f(trust)h(that)2049 1794
+y(if)f(we)g(see)h(an)f(ackno)n(wledgement)c(from)j Fj(B)24
+b Fs(for)c(sequence)e(number)2049 1894 y Fj(n)p Fs(,)26
+b(then)e(indeed)f Fj(B)29 b Fs(has)c(recei)n(v)o(ed)e(all)i(data)g(in)f
+(sequence)g(up)g(to)g Fj(n)p Fs(.)2049 1993 y(At)d(this)f(point,)g
+Fj(B)t Fs(')-5 b(s)21 b(TCP)g(will)g(deli)n(v)o(er)m(,)d(or)i(has)h
+(already)e(deli)n(v)o(ered,)2049 2093 y(this)24 b(data)f(to)h(the)f
+(application)f(running)f(on)i Fj(B)t Fs(.)35 b(In)23
+b(particular)m(,)f Fj(B)t Fs(')-5 b(s)2049 2192 y(TCP)31
+b(cannot)e(accept)h(an)o(y)f(retransmitted)g(data)h(belo)n(w)g
+(sequence)2049 2292 y Fj(n)p Fs(,)24 b(as)g(it)f(has)h(already)e
+(indicated)g(it)h(has)h(no)e(more)h(interest)g(in)g(such)2049
+2392 y(data.)h(Therefore,)15 b(when)h(the)i(monitor)d(sees)j(an)f
+(ackno)n(wledgement)2049 2491 y(for)k Fj(n)p Fs(,)h(it)g(can)f(safely)h
+(release)f(an)o(y)g(memory)f(associated)h(with)h(data)2049
+2591 y(up)e(to)g(sequence)f Fj(n)p Fs(.)2132 2696 y(While)d(this)g
+(defense)e(w)o(orks)h(for)g(detecting)f(this)i(general)f(class)h(of)
+2049 2796 y(insertion)k(attacks,)h(it)h(suf)n(fers)e(from)g(f)o(alse)h
+(positi)n(v)o(es,)f(as)i(discussed)2049 2895 y(in)e Fi(x)h
+Fs(7.3)f(belo)n(w)-5 b(.)2132 3000 y(Finally)g(,)33 b(we)f(note)e(a)i
+(general)e(defense)h(against)f(certain)h(types)2049 3100
+y(of)22 b(subterfuge)e(attacks,)i(which)f(we)h(term)g(\223bifurcating)e
+(analysis.)-6 b(\224)2049 3200 y(The)23 b(idea)g(is)h(that)f(when)g
+(the)g(monitor)e(cannot)h(determine)g(ho)n(w)h(an)2049
+3299 y(endpoint)15 b(will)j(interpret)e(some)h(netw)o(ork)f(traf)n
+(\002c)g(\(such)h(as)h(whether)2049 3399 y(it)25 b(will)h(accept)e
+Fm(USER)49 b(nice)25 b Fs(or)f Fm(USER)49 b(root)p Fs(\),)25
+b(it)g(forms)f(mul-)2049 3499 y(tiple)c(threads)g(of)g(analysis,)g(e)o
+(xamining)e(each)i(of)g(the)g(possibilities.)2049 3598
+y(W)-7 b(e)25 b(note)d(one)h(e)o(xample)f(of)h(doing)g(so)g(in)h
+Fi(x)g Fs(6.5)e(belo)n(w)h(in)h(our)e(dis-)2049 3698
+y(cussion)e(of)g(analyzing)e(T)-6 b(elnet)20 b(and)g(Rlogin)g(traf)n
+(\002c.)2049 4008 y Ft(6)119 b(A)m(pplication-speci\002c)33
+b(pr)n(ocessing)2049 4204 y Fs(W)-7 b(e)21 b(\002nish)g(our)e(o)o(v)o
+(ervie)n(w)f(of)i(Bro)g(with)g(a)h(discussion)e(of)h(the)g(addi-)2049
+4304 y(tional)j(processing)f(it)i(does)g(for)e(the)i(six)g
+(applications)e(it)i(currently)2049 4404 y(kno)n(ws)33
+b(about:)51 b(Finger)m(,)36 b(FTP)-9 b(,)33 b(Portmapper)m(,)i(Ident,)h
+(T)-6 b(elnet)33 b(and)2049 4503 y(Rlogin.)e(Admittedly)21
+b(these)h(are)g(just)h(a)g(small)f(portion)f(of)h(the)g(dif-)2049
+4603 y(ferent)g(Internet)g(applications)g(used)g(in)h(attacks,)h(and)e
+(Bro')-5 b(s)24 b(ef)n(fec-)2049 4703 y(ti)n(v)o(eness)e(will)h
+(bene\002t)g(greatly)e(as)i(more)f(are)g(added.)31 b(F)o(ortunately)-5
+b(,)2049 4802 y(we)34 b(ha)n(v)o(e)f(in)h(general)f(found)f(that)i(the)
+g(system)g(meets)g(our)f(goal)2049 4902 y(of)f(e)o(xtensibility)e(\()p
+Fi(x)j Fs(1\),)h(and)d(adding)g(ne)n(w)h(applications)e(to)i(Bro)2049
+5001 y(is\227other)j(than)f(the)i(sometimes)f(major)f(headache)g(of)h
+(rob)n(ustly)2049 5101 y(interpreting)d(the)j(application)e(protocol)f
+(itself\227quite)i(straight-)2049 5201 y(forw)o(ard,)d(a)f(matter)g(of)
+g(deri)n(ving)e(a)i(C++)h(class)g(to)f(analyze)f(each)2049
+5300 y(connection')-5 b(s)18 b(traf)n(\002c,)h(and)g(de)n(vising)g(a)h
+(set)g(of)f(e)n(v)o(ents)g(correspond-)2049 5400 y(ing)h(to)g
+(signi\002cant)g(elements)g(of)g(the)g(application.)1908
+5649 y(13)p eop
+%%Page: 14 14
+14 13 bop -150 -104 a Fh(6.1)99 b(Finger)-150 51 y Fs(The)33
+b(\002rst)i(of)e(the)h(applications)f(is)h(the)g(Finger)f(\223User)h
+(Informa-)-150 151 y(tion\224)22 b(service)f([Zi91)o(].)30
+b(Structurally)-5 b(,)20 b(Finger)h(is)i(v)o(ery)e(simple:)29
+b(the)-150 250 y(connection)i(originator)f(sends)j(a)g(single)g(line,)i
+(terminated)d(by)g(a)-150 350 y(carriage-return)20 b(line-feed,)i
+(specifying)f(the)i(user)g(for)f(which)g(the)o(y)-150
+450 y(request)28 b(information.)50 b(An)29 b(optional)f(\003ag)h
+(requests)g(\223full\224)g(\(v)o(er)n(-)-150 549 y(bose\))g(output.)54
+b(The)29 b(responder)f(returns)h(whate)n(v)o(er)g(information)-150
+649 y(it)c(deems)f(appropriate)f(in)h(multiple)g(lines)h(of)f(te)o(xt,)
+i(after)e(which)g(it)-150 749 y(closes)d(the)f(connection.)-67
+848 y(Bro)37 b(generates)f(a)h Fm(finger)p 825 848 25
+4 v 28 w(request)f Fs(e)n(v)o(ent)g(whene)n(v)o(er)f(it)-150
+948 y(monitors)18 b(a)i(complete)e(Finger)h(request.)24
+b(A)c(handler)e(for)h(this)g(e)n(v)o(ent)-150 1047 y(looks)h(lik)o(e:)
+-150 1191 y Ff(event)39 b(finger_request\(c:)e(connection,)687
+1270 y(user:)i(string,)g(full:)g(bool\))-150 1435 y Fs(Our)18
+b(site')-5 b(s)20 b(polic)o(y)d(for)h(Finger)g(requests)g(includes)g
+(testing)g(for)g(pos-)-150 1534 y(sible)j(b)n(uf)n(fer)n(-o)o(v)o
+(er\003o)n(w)16 b(attacks)21 b(and)e(checking)g(the)h(user)g(against)g
+(a)-150 1634 y(list)27 b(of)e(sensiti)n(v)o(e)h(user)g(ID')-5
+b(s,)27 b(such)f(as)g(pri)n(vile)o(ged)e(accounts.)41
+b(See)-150 1734 y(Appendix)26 b(A)i(for)f(a)h(discussion)f(of)h(ho)n(w)
+f(the)h(Finger)f(analysis)h(is)-150 1833 y(inte)o(grated)19
+b(into)g(Bro.)-67 1933 y(Bro)h(generates)g(an)g(analogous)e
+Fm(finger)p 1174 1933 V 29 w(reply)i Fs(e)n(v)o(ent:)-150
+2077 y Ff(event)39 b(finger_reply\(c:)f(connection,)607
+2155 y(reply_line:)g(string\))-150 2320 y Fs(for)20 b(each)f(line)i(of)
+f(the)g(reply)f(from)g(the)i(Finger)e(serv)o(er)-5 b(.)-67
+2420 y(A)19 b(\002nal)g(note:)24 b(if)19 b(the)f(e)n(v)o(ent)g(engine)f
+(\002nds)i(that)g(the)f(polic)o(y)g(script)-150 2519
+y(does)29 b(not)g(de\002ne)f(a)i Fm(finger)p 772 2519
+V 29 w(request)e Fs(or)h Fm(finger)p 1578 2519 V 29 w(reply)-150
+2619 y Fs(handler)m(,)19 b(then)h(it)h(does)f(not)g(bother)f(creating)h
+(Finger)n(-speci\002c)f(ana-)-150 2719 y(lyzers)j(for)g(ne)n(w)g
+(Finger)g(connections.)30 b(In)22 b(general,)g(the)g(e)n(v)o(ent)g(en-)
+-150 2818 y(gine)g(tries)i(to)f(determine)e(as)j(early)f(as)g(possible)
+g(whether)f(the)h(user)-150 2918 y(has)c(de\002ned)f(a)h(particular)e
+(handler)m(,)g(and,)i(if)g(not,)f(a)n(v)n(oids)h(undertak-)-150
+3017 y(ing)29 b(the)g(w)o(ork)f(associated)h(with)h(generating)d(the)i
+(corresponding)-150 3117 y(e)n(v)o(ent.)-150 3351 y Fh(6.2)99
+b(FTP)-150 3507 y Fs(The)30 b(File)h(T)m(ransfer)f(Protocol)f([PR85)o
+(])i(is)g(much)f(more)f(comple)o(x)-150 3607 y(than)h(the)g(Finger)f
+(protocol;)k(it)e(also,)h(ho)n(we)n(v)o(er)m(,)e(is)h(highly)e(struc-)
+-150 3706 y(tured)34 b(and)g(easy)h(to)g(parse,)j(so)d(interpreting)e
+(an)h(FTP)i(dialog)e(is)-150 3806 y(straight-forw)o(ard.)-67
+3906 y(F)o(or)28 b(FTP)h(requests,)i(Bro)d(parses)h(each)f(line)h(sent)
+g(by)f(the)g(con-)-150 4005 y(nection)22 b(originator)e(into)j(a)g
+(command)e(\(\002rst)i(w)o(ord\))f(and)g(an)g(ar)o(gu-)-150
+4105 y(ment)28 b(\(the)g(remainder\),)f(splitting)h(the)h(tw)o(o)f(at)h
+(the)f(\002rst)h(instance)-150 4204 y(of)f(whitespace)f(it)i(\002nds,)h
+(and)e(con)m(v)o(erting)d(the)j(command)e(to)i(up-)-150
+4304 y(percase)20 b(\(to)g(circumv)o(ent)e(problems)g(such)i(as)h(a)g
+(polic)o(y)e(script)h(test-)-150 4404 y(ing)i(for)g(\223store)g
+(\002le\224)h(commands)e(as)i Fm(STOR)f Fs(or)h Fm(stor)p
+Fs(,)f(and)g(an)g(at-)-150 4503 y(tack)o(er)j(instead)g(sending)f
+Fm(stOR)p Fs(,)g(which)h(the)g(remote)g(FTP)g(serv)o(er)-150
+4603 y(will)32 b(happily)e(accept\).)57 b(It)31 b(then)g(generates)f
+(an)h Fm(ftp)p 1478 4603 V 29 w(request)-150 4703 y Fs(e)n(v)o(ent)24
+b(with)h(these)g(and)f(the)h(corresponding)c(connection)i(as)i(ar)o
+(gu-)-150 4802 y(ments.)-67 4902 y(FTP)20 b(replies)f(be)o(gin)g(with)g
+(a)h(status)g(code)f(\(a)h(number\),)d(follo)n(wed)-150
+5001 y(by)f(an)o(y)g(accompan)o(ying)d(te)o(xt.)23 b(Replies)18
+b(also)e(can)h(indicate)f(whether)-150 5101 y(the)o(y)24
+b(continue)f(to)i(another)e(line.)38 b(Accordingly)-5
+b(,)23 b(for)h(each)g(line)h(of)-150 5201 y(reply)31
+b(the)i(e)n(v)o(ent)e(engine)g(generates)g(an)h Fm(ftp)p
+1263 5201 V 29 w(reply)g Fs(with)h(the)-150 5300 y(code,)25
+b(the)f(te)o(xt,)h(a)g(\003ag)g(indicating)e(continuation,)g(and)h(the)
+h(corre-)-150 5400 y(sponding)18 b(connection)g(as)j(ar)o(guments.)2132
+-104 y(As)35 b(f)o(ar)f(as)h(the)f(e)n(v)o(ent)f(engine)g(is)i
+(concerned,)g(that')-5 b(s)34 b(it\227100)2049 -5 y(lines)18
+b(of)g(straight-forw)o(ard)d(C++.)24 b(What)19 b(is)f(interesting)f
+(about)g(FTP)2049 95 y(is)32 b(that)f(all)h(the)f(remaining)f(w)o(ork)g
+(can)h(be)g(done)f(in)i Fm(Bro)f Fs(\(about)2049 194
+y(400)d(lines)g(for)g(our)g(site\).)50 b(The)29 b Fm(ftp)p
+3182 194 V 29 w(request)f Fs(handler)f(k)o(eeps)2049
+294 y(track)k(of)f(distinct)i(FTP)f(sessions,)k(pulls)c(out)f
+(usernames)g(to)i(test)2049 394 y(against)26 b(a)h(list)g(of)g(sensiti)
+n(v)o(e)f(ID')-5 b(s)27 b(\(and)f(to)g(annotate)g(the)g(connec-)2049
+493 y(tion')-5 b(s)24 b(general)f(summary\),)g(and,)h(for)f(an)o(y)g
+(FTP)i(request)e(that)h(ma-)2049 593 y(nipulates)29 b(a)i(\002le,)i
+(checks)c(for)h(access)g(to)h(sensiti)n(v)o(e)e(\002les.)56
+b(Some)2049 693 y(of)23 b(these)g(checks)g(depend)e(on)i(conte)o(xt;)h
+(for)e(e)o(xample,)h(a)g(guest)g(\(or)2049 792 y(\223anon)o
+(ymous\224\))i(user)k(should)f(not)g(attempt)g(to)h(manipulate)f(user)n
+(-)2049 892 y(con\002guration)18 b(\002les,)i(while)h(for)e(other)h
+(users)g(doing)f(so)h(is)h(\002ne.)2132 998 y(One)f(subtlety)h(in)f
+(the)h(FTP)g(analysis)g(is)g(being)f(careful)g(to)g(main-)2049
+1097 y(tain)32 b(a)h(notion)d(of)i(\223current)f(requests)g(a)o(w)o
+(aiting)h(replies,)-6 b(\224)34 b(rather)2049 1197 y(than)f(just)h
+(\223the)f(most)g(recently)g(seen)g(request.)-6 b(\224)64
+b(Doing)33 b(so)g(cir)n(-)2049 1297 y(cumv)o(ents)23
+b(an)h(attack)h(in)f(which)g(the)h(attack)o(er)e(pipelines)h(multiple)
+2049 1396 y(requests\227rather)g(than)h(issuing)g(a)h(single)g(request)
+e(at)i(a)g(time)g(and)2049 1496 y(a)o(w)o(aiting)18 b(its)i
+(response\227and)c(confuses)i(the)h(monitor)e(as)i(to)g(which)2049
+1595 y(replies)h(go)g(with)g(which)g(requests.)2132 1701
+y(A)g(\002nal)g(analysis)f(step)h(for)f Fm(ftp)p 3093
+1701 V 29 w(request)g Fs(e)n(v)o(ents)g(is)h(to)g(parse)2049
+1801 y(an)o(y)i Fm(PORT)g Fs(request)g(to)h(e)o(xtract)f(the)g
+(hostname)g(and)g(TCP)h(port)f(as-)2049 1901 y(sociated)f(with)g(an)h
+(upcoming)c(transfer)-5 b(.)28 b(\(The)21 b(FTP)h(protocol)d(uses)2049
+2000 y(multiple)28 b(TCP)i(connections,)f(one)g(for)f(the)h(control)f
+(information)2049 2100 y(such)g(as)h(user)f(requests,)i(and)e(others,)h
+(dynamically)e(created,)i(for)2049 2199 y(each)34 b(data)f(transfer)-5
+b(.\))65 b(This)34 b(is)h(an)f(important)e(step,)38 b(because)33
+b(it)2049 2299 y(enables)27 b(the)g(script)g(to)g(tell)h(which)e
+(subsequent)g(connections)f(be-)2049 2399 y(long)h(to)g(this)i(FTP)f
+(session)g(and)f(which)g(do)g(not.)44 b(A)27 b(site')-5
+b(s)28 b(polic)o(y)2049 2498 y(might)d(allo)n(w)h(FTP)g(access)h(to)f
+(particular)e(serv)o(ers,)j(b)n(ut)e(an)o(y)g(other)2049
+2598 y(access)f(to)f(those)g(serv)o(ers)f(merits)i(an)f(alarm;)h(b)n
+(ut)f(without)g(parsing)2049 2698 y(the)c Fm(PORT)h Fs(request,)e(it)j
+(can)e(be)g(impossible)g(to)h(distinguish)e(a)i(le)o(git-)2049
+2797 y(imate)j(FTP)g(data)f(transfer)g(connection)f(from)g(an)i
+(illicit,)h(non-FTP)2049 2897 y(connection.)54 b(Consequently)-5
+b(,)30 b(the)h(script)f(k)o(eeps)h(track)f(of)g(pend-)2049
+2996 y(ing)23 b(data)h(transfer)e(connections,)g(and)h(when)g(it)h
+(encounters)e(them,)2049 3096 y(marks)g(them)g(as)h Fm(ftp-data)f
+Fs(applications,)f(e)n(v)o(en)g(if)i(the)o(y)f(do)g(not)2049
+3196 y(use)j(the)g(well-kno)n(wn)e(port)i(associated)g(with)g(such)f
+(transfers)h(\(the)2049 3295 y(standard)19 b(does)h(not)g(require)f
+(them)g(to)i(do)f(so\).)2132 3401 y(W)-7 b(e)18 b(also)f(note)f(that,)h
+(in)g(addition)f(to)g(correctly)g(identifying)e(FTP-)2049
+3501 y(related)30 b(traf)n(\002c,)i(parsing)d Fm(PORT)h
+Fs(requests)g(mak)o(es)g(it)h(possible)e(to)2049 3600
+y(detect)e(\223FTP)h(bounce\224)d(attacks.)47 b(In)27
+b(these)g(attacks,)i(a)f(malicious)2049 3700 y(FTP)j(client)g
+(instructs)g(an)g(FTP)g(serv)o(er)g(to)g(open)e(a)j(data)e(transfer)
+2049 3800 y(connection)f(not)i(back)f(to)i(it,)i(b)n(ut)d(to)h(a)f
+(third,)i(victim)e(site.)59 b(The)2049 3899 y(client)25
+b(can)f(thus)h(manipulate)e(the)h(serv)o(er)g(into)h(uploading)d(data)i
+(to)2049 3999 y(an)e(arbitrary)e(service)h(on)h(the)g(victim)f(site,)i
+(or)f(to)g(ef)n(fecti)n(v)o(ely)e(port-)2049 4099 y(scan)h(the)g
+(victim)g(site)h(\(which)e(the)h(client)g(does)g(by)g(using)f(multiple)
+2049 4198 y(bogus)30 b Fm(PORT)g Fs(requests)h(and)f(observing)f(the)i
+(completion)e(status)2049 4298 y(of)20 b(subsequent)f(data-transfer)g
+(requests\).)25 b(Our)20 b(script)h(\003ags)g Fm(PORT)2049
+4397 y Fs(requests)d(that)g(attempt)f(an)o(y)h(redirection)e(of)h(the)h
+(data)g(transfer)f(con-)2049 4497 y(nection.)23 b(Interestingly)-5
+b(,)16 b(we)j(added)e(this)i(check)e(mostly)h(because)g(it)2049
+4597 y(w)o(as)e(easy)g(to)g(do)f(so;)j(months)d(later)m(,)h(we)g
+(monitored)d(the)j(\002rst)g(of)g(se)n(v-)2049 4696 y(eral)22
+b(subsequent)e(FTP)i(bounce)e(attacks.)30 b(This)22 b(form)f(of)g
+(serendip-)2049 4796 y(itous)h(disco)o(v)o(ery)e(of)h(an)h
+(unanticipated)e(type)h(of)h(attack)g(ar)o(gues)e(for)2049
+4896 y(emplo)o(ying)c(a)j(general)f(principle)f(of)h(\223sanity)h
+(checking\224)d(the)j(mon-)2049 4995 y(itored)25 b(traf)n(\002c)g(as)h
+(much)e(as)i(possible.)40 b(F)o(or)25 b(a)h(dif)n(\002culty)e(with)i
+(this)2049 5095 y(principle,)19 b(ho)n(we)n(v)o(er)m(,)e(see)k
+Fi(x)g Fs(7.3.)2132 5201 y(F)o(or)26 b Fm(ftp)p 2428
+5201 V 29 w(reply)f Fs(e)n(v)o(ents,)i(most)f(of)g(the)g(w)o(ork)f(is)i
+(simply)e(for)n(-)2049 5300 y(matting)h(a)i(succinct)e(one-line)g
+(summary)g(of)h(the)g(request)f(and)h(its)2049 5400 y(result)f(for)f
+(recording)e(in)i(the)h(FTP)g(acti)n(vity)f(log.)41 b(In)25
+b(addition,)h(an)1908 5649 y(14)p eop
+%%Page: 15 15
+15 14 bop -150 -104 a Fs(FTP)19 b Fm(PASV)f Fs(request)g(has)g(a)h
+(structure)f(similar)g(to)h(a)f Fm(PORT)g Fs(request,)-150
+-5 y(e)o(xcept)c(that)i(the)f(FTP)h(serv)o(er)f(instead)g(of)g(the)g
+(client)g(determines)g(the)-150 95 y(speci\002cs)22 b(of)g(the)f
+(subsequent)f(data)i(transfer)f(connection.)27 b(Conse-)-150
+194 y(quently)h(our)g(script)h(subjects)g Fm(PASV)g Fs(replies)g(to)g
+(the)g(same)g(anal-)-150 294 y(ysis)f(as)h Fm(PORT)e
+Fs(requests.)47 b(Finally)-5 b(,)28 b(there)f(is)i(nothing)d(to)h(pre)n
+(v)o(ent)-150 394 y(a)f Fr(dif)o(fer)m(ent)g Fs(remote)e(host)i(from)e
+(connecting)f(to)j(the)f(data)g(transfer)-150 493 y(port)c(of)n(fered)f
+(by)i(a)g(serv)o(er)f(via)h(a)g Fm(PASV)g Fs(reply)-5
+b(.)29 b(It)22 b(may)g(be)f(hard)g(to)-150 593 y(see)i(why)e(this)i
+(might)f(actually)f(occur)m(,)h(b)n(ut)g(putting)f(in)h(a)h(test)g(for)
+f(it)-150 693 y(is)k(simple)f(\(unfortunately)-5 b(,)21
+b(there)k(are)g(some)f(f)o(alse)h(alarms)g(due)f(to)-150
+792 y(multi-homed)17 b(clients;)j(we)f(use)h(heuristics)f(to)g(reduce)f
+(these\);)h(and,)-150 892 y(indeed,)32 b(se)n(v)o(eral)d(months)h
+(after)g(adding)f(it,)k(it)f(triggered,)f(due)e(to)-150
+991 y(an)18 b(attack)o(er)g(using)g(3-w)o(ay)f(FTP)i(as)g(\(e)n
+(vidently\))d(a)j(w)o(ay)f(to)h(disguise)-150 1091 y(their)d(trail,)i
+(another)d(serendipitous)g(result)i(of)g(the)f(sanity-checking)-150
+1191 y(principle.)-150 1587 y Fh(6.3)99 b(P)n(ortmapper)-150
+1798 y Fs(Man)o(y)26 b(services)h(based)g(on)g(Remote)g(Procedure)e
+(Call)k(\(RPC;)f(de-)-150 1897 y(\002ned)16 b(in)g([Sr95a)o(]\))g(do)f
+(not)h(listen)h(for)e(requests)h(on)g(a)h(\223well-kno)n(wn\224)-150
+1997 y(port,)k(b)n(ut)g(rather)g(pick)g(an)g(arbitrary)f(port)h(when)f
+(initialized.)29 b(The)o(y)-150 2096 y(then)22 b(re)o(gister)g(this)h
+(port)f(with)h(a)g(Portmapper)d(service)j(running)d(on)-150
+2196 y(the)32 b(same)h(machine.)60 b(Only)32 b(the)g(Portmapper)e
+(needs)i(to)g(run)g(on)-150 2296 y(a)24 b(well-kno)n(wn)e(port;)j(when)
+f(clients)g(w)o(ant)g(access)g(to)g(the)g(service,)-150
+2395 y(the)o(y)16 b(\002rst)i(contact)f(the)g(Portmapper)m(,)e(and)h
+(it)i(tells)g(them)f(which)f(port)-150 2495 y(the)o(y)24
+b(should)g(then)g(contact)g(in)h(order)e(to)i(reach)f(the)g(service.)38
+b(This)-150 2595 y(second)25 b(port)g(may)g(be)h(for)f(TCP)h(or)g(UDP)g
+(access)g(\(depending)d(on)-150 2694 y(which)d(of)g(these)g(the)g
+(client)g(requests)g(from)f(the)i(Portmapper\).)-67 2823
+y(Thus,)c(by)h(monitoring)d(Portmapper)g(traf)n(\002c,)j(we)g(can)f
+(detect)g(an)o(y)-150 2922 y(attempted)e(access)i(to)g(a)f(number)f(of)
+h(sensiti)n(v)o(e)g(RPC)i(services,)f(such)-150 3022
+y(as)j(NFS)h(and)e(YP)-9 b(,)19 b(e)o(xcept)g(in)g(cases)i(where)e(the)
+g(attack)o(er)g(learns)h(the)-150 3122 y(port)g(for)f(those)h(services)
+g(some)g(other)g(w)o(ay)g(\(e.g.,)f(port-scanning\).)-67
+3250 y(The)39 b(Portmapper)e(service)i(is)h(itself)g(b)n(uilt)g(on)e
+(top)h(of)g(RPC,)-150 3350 y(which)29 b(in)i(turn)e(uses)h(the)g(XDR)h
+(External)e(Data)h(Representation)-150 3449 y(Standard)23
+b([Sr95b)n(].)36 b(Furthermore,)23 b(one)g(can)h(use)g(RPC)i(on)d(top)h
+(of)-150 3549 y(either)f(TCP)i(or)e(UDP)-9 b(,)24 b(and)f(typically)g
+(the)h(Portmapper)e(listens)i(on)-150 3649 y(both)30
+b(a)i(well-kno)n(wn)d(TCP)j(port)e(and)h(a)g(well-kno)n(wn)f(UDP)h
+(port)-150 3748 y(\(both)21 b(are)h(port)f(111\).)29
+b(Consequently)-5 b(,)20 b(adding)g(Portmapper)g(anal-)-150
+3848 y(ysis)29 b(to)g(Bro)f(required)f(adding)g(a)i(generic)e(RPC)j
+(analyzer)m(,)f(TCP-)-150 3947 y(and)22 b(UDP-speci\002c)h(analyzers)f
+(to)h(unwrap)e(the)i(dif)n(ferent)e(w)o(ays)i(in)-150
+4047 y(which)34 b(RPCs)i(are)e(embedded)e(in)i(TCP)h(and)f(UDP)g(pack)o
+(ets,)k(an)-150 4147 y(XDR)21 b(analyzer)m(,)d(and)i(a)h(Portmapper)n
+(-speci\002c)c(analyzer)-5 b(.)-67 4275 y(This)32 b(last)g(generates)f
+(six)h(pairs)f(of)g(e)n(v)o(ents,)j(one)d(for)g(each)g(re-)-150
+4375 y(quest)23 b(and)f(reply)g(for)h(the)g(six)g(actions)g(the)g
+(Portmapper)e(supports:)-150 4474 y(a)27 b(null)f(call;)j(add)d(a)h
+(binding)d(between)h(a)i(service)f(and)g(a)g(port;)j(re-)-150
+4574 y(mo)o(v)o(e)21 b(a)h(binding;)f(look)h(up)f(a)i(binding;)e(dump)g
+(the)h(entire)g(table)g(of)-150 4674 y(bindings;)c(and)f(both)h(look)f
+(up)h(a)g(service)g(and)g(call)g(it)h(directly)f(with-)-150
+4773 y(out)h(requiring)f(a)i(second)e(connection.)23
+b(\(This)c(last)i(is)f(a)g(monitoring)-150 4873 y(headache)i(because)g
+(it)i(means)f(an)o(y)f(RPC)j(service)e(can)g(potentially)-150
+4973 y(be)d(accessed)g(directly)g(through)e(a)i(Portmapper)e
+(connection.\))-67 5101 y(Our)37 b(polic)o(y)f(script)i(for)f
+(Portmapper)e(traf)n(\002c)i(again)g(is)h(f)o(airly)-150
+5201 y(lar)o(ge,)i(more)d(than)g(300)f(lines.)76 b(Most)38
+b(of)f(this)h(concerns)e(what)-150 5300 y(Portmapper)17
+b(requests)j(we)g(allo)n(w)f(between)g(which)g(pairs)g(of)h(hosts,)-150
+5400 y(particularly)e(for)i(NFS)h(access.)2049 -104 y
+Fh(6.4)99 b(Ident)2049 63 y Fs(The)27 b(Identi\002cation)e(Protocol)h
+(\(\223ident\224\))g(is)i(used)e(to)i(query)d(hosts)2049
+162 y(for)34 b(the)h(user)g(identity)f(associated)h(with)g(an)g(acti)n
+(v)o(e)g(connection)2049 262 y([S-J93)o(].)52 b(The)29
+b(request)f(is)i(of)f(the)g(form)f(\223)p Fr(r)m(emote-port)i
+Fm(:)43 b Fr(local-)2049 361 y(port)q Fs(\224.)c(If)24
+b(host)h Fj(A)h Fs(sends)e(such)h(a)g(request)f(to)h(the)g(ident)f
+(serv)o(er)g(on)2049 461 y(host)19 b Fj(B)t Fs(,)g(then)f(the)h
+(request)f(is)h(asking)f(for)g(the)h(identi\002cation)e(of)i(the)2049
+561 y(user)i(on)g(host)h Fj(B)k Fs(who)21 b(has)g(a)h(connection)e
+(from)g(host)h Fj(B)t Fs(')-5 b(s)23 b Fr(r)m(emote-)2049
+660 y(port)c Fs(to)e(host)h Fj(A)p Fs(')-5 b(s)18 b Fr(local-port)p
+Fs(.)23 b(The)17 b(reply)g(identi\002es)g(the)g(operating)2049
+760 y(system,)25 b(perhaps)d(a)i(language)f(encoding,)f(and)h(a)h
+(username)f(\(or)g(a)2049 860 y(\223cookie\224)h(that)h(does)g(not)f
+(directly)h(re)n(v)o(eal)f(the)h(username)f(b)n(ut)h(can)2049
+959 y(be)d(used)f(subsequently)f(by)h(an)h(administrator)e(of)h(host)h
+Fj(B)27 b Fs(to)21 b(iden-)2049 1059 y(tify)f(the)g(user\).)2132
+1164 y(Bro)44 b(generates)f(three)g(e)n(v)o(ents,)49
+b Fm(ident)p 3404 1164 25 4 v 28 w(request)p Fs(,)g(which)2049
+1264 y(identi\002es)54 b(the)h Fr(r)m(emote-port)g Fs(and)f
+Fr(local-port)g Fs(in)h(a)f(request,)2049 1364 y Fm(ident)p
+2304 1364 V 29 w(reply)p Fs(,)33 b(which)d(includes)g(the)g(username)g
+(and)g(the)g(op-)2049 1463 y(erating)i(system,)k(and)d
+Fm(ident)p 3010 1463 V 29 w(error)p Fs(,)j(for)c(when)g(the)h(remote)
+2049 1563 y(serv)o(er)22 b(declares)g(that)h(the)g(ident)g(request)f(w)
+o(as)i(in)m(v)n(alid.)32 b(Our)22 b(site')-5 b(s)2049
+1663 y(polic)o(y)24 b(scripts)i(check)f(the)h(username)e(against)h(a)h
+(list)g(of)g(sensiti)n(v)o(e)2049 1762 y(user)16 b(ID')-5
+b(s)17 b(\(such)f(as)i(\223)p Fm(rewt)p Fs(\224,)e(a)h(name)f(commonly)
+e(used)j(for)f(back-)2049 1862 y(door)j(\223root\224)g(accounts\),)g
+(and)g(annotates)h(the)g(corresponding)c(con-)2049 1961
+y(nection)j(record)g(with)h(the)h(username.)2049 2232
+y Fh(6.5)99 b(T)-9 b(elnet)26 b(and)g(Rlogin)2049 2399
+y Fs(The)38 b(\002nal)h(applications)e(currently)f(b)n(uilt)j(into)f
+(Bro)g(are)h(T)-6 b(elnet)2049 2499 y(and)29 b(Rlogin,)h(services)g
+(for)e(remote)h(interacti)n(v)o(e)e(access)j([PR83a)o(,)2049
+2598 y(Ka91)o(].)42 b(There)25 b(are)h(se)n(v)o(eral)f(signi\002cant)g
+(dif)n(\002culties)h(with)g(moni-)2049 2698 y(toring)21
+b(interacti)n(v)o(e)g(traf)n(\002c.)30 b(The)21 b(\002rst)i(is)g(that,)
+f(unlik)o(e)g(FTP)-9 b(,)22 b(T)-6 b(elnet)2049 2798
+y(and)17 b(Rlogin)g(traf)n(\002c)h(is)g(virtually)f(unstructured.)k
+(There)c(are)h(no)f(nice)2049 2897 y(\223)p Fm(USER)49
+b(xyz)p Fs(\224)29 b(directi)n(v)o(es)f(that)i(mak)o(e)f(it)h(tri)n
+(vial)f(to)g(identify)g(the)2049 2997 y(account)c(associated)g(with)h
+(the)g(acti)n(vity;)j(instead,)e(one)e(must)h(em-)2049
+3097 y(plo)o(y)f(a)g(series)h(of)f(heuristics.)40 b(\(The)24
+b(Rlogin)h(protocol)f(includes)g(a)2049 3196 y(mechanism)g(for)g
+(specifying)g(an)h(initial)g(username,)g(b)n(ut)g(does)g(not)2049
+3296 y(include)15 b(a)h(mechanism)f(for)g(indicating)g(that)h(the)g
+(username)e(w)o(as)j(re-)2049 3395 y(jected,)j(so)g(the)g(situation)g
+(is)h(virtually)e(identical)g(to)h(that)g(for)g(T)-6
+b(elnet)2049 3495 y(in)17 b(which)g(the)g(initial)g(name)g(is)h
+(presumably)d(the)i(\002rst)h(te)o(xt)f(typed)f(by)2049
+3595 y(the)21 b(user)-5 b(.\))27 b(This)21 b(problem)e(mak)o(es)h
+(interacti)n(v)o(e)g(traf)n(\002c)g(particularly)2049
+3694 y(susceptible)g(to)h(subterfuge)e(attacks,)i(since)g(if)g(the)g
+(heuristics)f(ha)n(v)o(e)2049 3794 y(holes,)g(an)g(attack)o(er)g(can)g
+(slip)g(through)e(them)i(undetected.)2132 3900 y(There)35
+b(are)i(tw)o(o)f(parts)g(to)h(the)f(analysis:)58 b(determining)34
+b(user)n(-)2049 3999 y(names)22 b(in)g(a)h(rob)n(ust)f(f)o(ashion,)f
+(and)h(scanning)f(interacti)n(v)o(e)g(sessions)2049 4099
+y(for)j(strings)g(re\003ecting)f(questionable)g(acti)n(vity)-5
+b(.)36 b(W)-7 b(e)25 b(discuss)g(each)2049 4198 y(in)31
+b(turn.)55 b(Because)30 b(of)h(the)f(close)h(similarities)g(between)f
+(analyz-)2049 4298 y(ing)f(T)-6 b(elnet)30 b(and)f(Rlogin)g(sessions,)k
+(Bro)d(combines)e(them)i(into)f(a)2049 4398 y(generic)21
+b(\223Login\224)f(analyzer)m(,)g(which)h(is)i(the)e(term)h(we)g(use)f
+(for)g(both)2049 4497 y(in)f(the)h(remainder)d(of)i(the)g(section.)2132
+4603 y Fl(Recognizing)29 b(the)h(authentication)e(dialog)o(.)53
+b Fs(The)30 b(\002rst)h(f)o(acet)2049 4703 y(of)26 b(analyzing)f(Login)
+g(acti)n(vity)h(is)h(to)f(accurately)f(track)h(the)g(initial)2049
+4802 y(authentication)f(dialog)i(and)f(e)o(xtract)h(from)f(it)i(the)f
+(usernames)f(as-)2049 4902 y(sociated)c(with)h(both)f(login)g(f)o
+(ailures)h(and)f(successes.)33 b(Initially)22 b(we)2049
+5001 y(attempted)e(to)h(b)n(uild)g(a)g(state)h(machine)e(that)h(w)o
+(ould)g(track)f(the)h(v)n(ari-)2049 5101 y(ous)e(authentication)f
+(steps:)25 b(w)o(aiting)20 b(for)e(the)i(username,)e(scanning)2049
+5201 y(the)29 b(login)f(prompt)f(\(this)h(comes)h(after)f(the)h
+(username,)g(since)g(the)2049 5300 y(processing)22 b(is)i
+(line-oriented,)e(and)h(the)g(full,)h(ne)n(wline-terminated)2049
+5400 y(prompt)34 b(line)h(does)g(not)g(appear)f(until)h(after)g(the)g
+(username)f(has)1908 5649 y(15)p eop
+%%Page: 16 16
+16 15 bop -150 -104 a Fs(been)24 b(entered\),)g(w)o(aiting)h(for)f(the)
+g(passw)o(ord,)h(scanning)f(the)g(pass-)-150 -5 y(w)o(ord)34
+b(prompt,)i(and)f(then)f(looking)f(for)h(an)g(indication)g(that)h(the)
+-150 95 y(passw)o(ord)29 b(w)o(as)j(rejected)d(\(in)h(which)g(case)g
+(the)h(process)e(repeats\))-150 194 y(or)f(accepted.)48
+b(This)29 b(approach,)e(though,)i(founders)d(on)i(the)g(great)-150
+294 y(v)n(ariety)21 b(of)i(authentication)d(dialogs)i(used)g(by)g(dif)n
+(ferent)e(operating)-150 394 y(systems,)25 b(some)e(of)g(which)h
+(sometimes)f(do)g(not)g(prompt)f(for)h(pass-)-150 493
+y(w)o(ords,)k(or)f(re-prompt)e(for)h(passw)o(ords)h(rather)g(than)f
+(login)h(names)-150 593 y(after)34 b(a)g(passw)o(ord)f(f)o(ailure,)k
+(or)d(utilize)g(tw)o(o)g(steps)h(of)e(passw)o(ord)-150
+693 y(authentication,)20 b(or)h(e)o(xtract)g(usernames)f(from)h(en)m
+(vironment)d(v)n(ari-)-150 792 y(ables,)25 b(and)e(so)h(on.)35
+b(W)-7 b(e)25 b(instead)f(use)g(a)g(simpler)g(approach,)e(based)-150
+892 y(on)h(associating)f(particular)g(strings)h(\(such)f(as)i(\223P)o
+(assw)o(ord:\224\))29 b(with)-150 991 y(particular)g(information,)i
+(and)f(not)g(attempting)f(to)h(track)g(the)h(au-)-150
+1091 y(thentication)16 b(states)j(e)o(xplicitly)-5 b(.)22
+b(It)c(w)o(orks)f(well,)h(although)e(not)h(per)n(-)-150
+1191 y(fectly)-5 b(,)19 b(and)h(its)h(w)o(orkings)e(are)h(certainly)f
+(easier)i(to)f(follo)n(w)-5 b(.)-67 1297 y(The)40 b(Login)e(analyzer)h
+(generates)g Fm(login)p 1272 1297 25 4 v 29 w(success)g
+Fs(upon)-150 1396 y(determining)51 b(that)h(a)i(user)e(has)h
+(successfully)g(authenticated,)-150 1496 y Fm(login)p
+105 1496 V 29 w(failure)40 b Fs(when)g(a)h(user')-5 b(s)41
+b(attempt)g(to)g(authenticate)-150 1595 y(f)o(ails,)18
+b Fm(authentication)p 736 1595 V 27 w(skipped)e Fs(if)g(it)i
+(recognizes)d(the)h(au-)-150 1695 y(thentication)28 b(dialog)h(as)i
+(one)e(speci\002ed)g(by)h(the)f(polic)o(y)g(script)h(as)-150
+1795 y(not)17 b(requiring)f(further)g(analysis,)h(and)g
+Fm(login)p 1240 1795 V 29 w(confused)g Fs(if)h(the)-150
+1894 y(analyzer)f(becomes)g(confused)f(re)o(garding)g(the)i
+(authentication)e(dia-)-150 1994 y(log.)24 b(\(This)19
+b(last)g(could,)f(for)g(e)o(xample,)g(trigger)f(full-pack)o(et)g
+(record-)-150 2094 y(ing)j(of)g(the)g(subsequent)f(session,)h(for)g
+(later)g(manual)f(analysis.\))-67 2199 y Fl(T)-6 b(ype-ahead.)28
+b Fs(A)22 b(basic)g(dif)n(\002culty)e(that)i(complicates)f(the)g(anal-)
+-150 2299 y(ysis)j(is)g(type-ahead.)32 b(W)-7 b(e)24
+b(cannot)f(rely)g(on)f(the)i(most-recently)d(en-)-150
+2399 y(tered)h(string)g(as)i(corresponding)19 b(to)k(the)f(current)g
+(prompt)f(line.)32 b(In-)-150 2498 y(stead,)24 b(we)f(k)o(eep)f(track)h
+(of)g(user)f(input)h(lines)g(separately)-5 b(,)22 b(and)g(con-)-150
+2598 y(sume)27 b(them)h(as)g(we)g(observ)o(e)e(dif)n(ferent)g(prompts.)
+46 b(F)o(or)27 b(e)o(xample,)-150 2698 y(if)20 b(the)g(analyzer)f
+(scans)h(\223P)o(assw)o(ord:\224,)f(then)g(it)i(associates)g(with)f
+(the)-150 2797 y(prompt)15 b(the)i(\002rst)h(unread)d(line)i(in)g(the)g
+(user)g(type-ahead)d(b)n(uf)n(fer)m(,)i(and)-150 2897
+y(consumes)21 b(that)i(line.)31 b(The)22 b(hazard)f(of)h(this)h
+(approach)d(is)j(if)f(the)h(lo-)-150 2996 y(gin)h(serv)o(er)f(e)n(v)o
+(er)h(\003ushes)g(the)g(type-ahead)e(b)n(uf)n(fer)h(\(due)h(to)g(part)g
+(of)-150 3096 y(its)f(authentication)c(dialog,)j(or)f(upon)f(an)i(e)o
+(xplicit)f(signal)h(from)f(the)-150 3196 y(user\),)h(then)g(if)g(the)h
+(monitor)d(misses)k(this)e(f)o(act)h(it)g(will)g(become)e(out)-150
+3295 y(of)29 b(sync.)50 b(This)29 b(opens)f(the)h(monitor)e(to)i(a)g
+(subterfuge)e(attack,)j(in)-150 3395 y(which)c(an)h(attack)o(er)f
+(passes)h(of)n(f)f(an)h(innocuous)d(string)i(as)i(a)f(user)n(-)-150
+3495 y(name,)20 b(and)g(the)h(polic)o(y)f(script)g(in)h(turn)f(f)o
+(ails)i(to)f(recognize)e(that)i(the)-150 3594 y(attack)o(er)16
+b(in)h(f)o(act)f(has)h(authenticated)e(as)i(a)g(pri)n(vile)o(ged)d
+(user)-5 b(.)24 b(One)16 b(\002x)-150 3694 y(to)21 b(this)h
+(problem\227re\003ecting)c(a)j(strate)o(gy)f(we)i(adopt)e(for)g(the)h
+(more)-150 3793 y(general)g(\223k)o(e)o(ystrok)o(e)f(editing\224)g
+(problem)g(discussed)i(belo)n(w\227is)f(to)-150 3893
+y(test)29 b Fr(both)f Fs(usernames)f(and)h(passw)o(ords)g(against)g(an)
+o(y)f(list)j(of)e(sen-)-150 3993 y(siti)n(v)o(e)d(usernames,)h(an)f(e)o
+(xample)f(of)h(the)g(\223bifurcation\224)e(approach)-150
+4092 y(discussed)d(in)g Fi(x)h Fs(5.3)f(abo)o(v)o(e.)-67
+4198 y(Unless)37 b(we)f(are)g(careful,)j(type-ahead)34
+b(also)i(opens)g(the)g(door)-150 4298 y(to)28 b(another)e(subterfuge)g
+(attack.)47 b(F)o(or)27 b(e)o(xample,)h(an)g(attack)o(er)f(can)-150
+4397 y(type-ahead)41 b(the)i(string)g(\223P)o(assw)o(ord:\224,)48
+b(which,)g(when)43 b(echoed)-150 4497 y(by)49 b(the)g(login)f(serv)o
+(er)m(,)55 b(w)o(ould)49 b(be)g(interpreted)e(by)i(the)g(ana-)-150
+4597 y(lyzer)26 b(as)i(corresponding)23 b(to)k(a)g(passw)o(ord)g
+(prompt,)f(when)g(in)h(f)o(act)-150 4696 y(the)40 b(dialog)f(is)i(in)f
+(a)h(dif)n(ferent)d(state.)85 b(The)40 b(analyzer)f(defends)-150
+4796 y(against)32 b(these)i(attacks)f(by)f(checking)g(each)h
+(typed-ahead)d(string)-150 4896 y(against)16 b(the)g(dif)n(ferent)f
+(dialog)g(strings)h(it)h(kno)n(ws)f(about,)g(generating)-150
+4995 y Fm(possible)p 255 4995 V 28 w(login)p 533 4995
+V 29 w(ploy)k Fs(upon)f(a)i(match.)-67 5101 y Fl(K)n(eystr)o(ok)o(e)14
+b(editing)o(.)23 b Fs(Usernames)15 b(can)g(also)h(become)e(disguised)
+-150 5201 y(due)21 b(to)g(use)g(of)g(k)o(e)o(ystrok)o(e)e(editing.)27
+b(F)o(or)21 b(e)o(xample,)e(we)j(w)o(ould)e(lik)o(e)-150
+5300 y(to)29 b(recognize)d(that)j(\223)p Fm(rb<)p Fb(DEL)q
+Fm(>oot)p Fs(\224)e(does)h(indeed)f(correspond)-150 5400
+y(to)22 b(a)g(username)e(of)h Fm(root)p Fs(,)h(assuming)f(that)g
+Fm(<)p Fb(DEL)q Fm(>)g Fs(is)h(the)g(single-)2049 -104
+y(character)k(deletion)f(operator)-5 b(.)44 b(W)-7 b(e)28
+b(\002nd)e(this)h(assumption,)g(ho)n(w-)2049 -5 y(e)n(v)o(er)m(,)d
+(problematic,)g(since)h(some)f(systems)h(use)g Fm(<)p
+Fb(DEL)q Fm(>)f Fs(and)g(oth-)2049 95 y(ers)30 b(use)g
+Fm(<)p Fb(BS)t Fm(>)p Fs(.)52 b(W)-7 b(e)31 b(address)e(this)h(problem)
+e(by)h(applying)e(both)2049 194 y(forms)h(of)h(editing)f(to)g
+(usernames,)i(yielding)e(possibly)g(three)g(dif-)2049
+294 y(ferent)21 b(strings,)g(each)g(of)h(which)f(the)g(script)h(then)f
+(assesses)i(in)e(turn.)2049 394 y(So,)29 b(for)d(e)o(xample,)i(the)f
+(string)g(\223)p Fm(rob<)p Fb(DEL)q Fm(><)p Fb(BS)t Fm(><)p
+Fb(BS)t Fm(>ot)p Fs(\224)d(is)2049 493 y(tested)19 b(both)g(directly)-5
+b(,)18 b(as)h(\223)p Fm(ro<)p Fb(BS)t Fm(><)p Fb(BS)t
+Fm(>ot)p Fs(\224,)f(and)g(as)i(\223)p Fm(root)p Fs(\224.)2049
+593 y(This)f(is)h(another)e(e)o(xample)f(of)i(using)f(bifurcation)f(to)
+i(address)g(anal-)2049 693 y(ysis)i(ambiguities.)2132
+898 y(Editing)35 b(is)h(not)f(limited)h(to)f(deleting)g(indi)n(vidual)f
+(characters,)2049 998 y(ho)n(we)n(v)o(er)-5 b(.)65 b(Some)34
+b(systems)g(support)f(deleting)g(entire)h(w)o(ords)g(or)2049
+1097 y(lines;)24 b(others)d(allo)n(w)i(access)g(to)f(pre)n
+(viously-typed)c(lines)23 b(using)f(an)2049 1197 y(escape)f(sequence.)
+26 b(W)-7 b(ord)21 b(and)g(line)g(deletion)f(do)h(not)f(allo)n(w)h(an)g
+(at-)2049 1297 y(tack)o(er)d(to)g(hide)f(their)h(username,)f(if)h
+(tests)h(for)f(sensiti)n(v)o(e)g(usernames)2049 1396
+y(check)k(for)g(an)o(y)g(embedded)e(occurrence)g(of)j(the)f(username)g
+(within)2049 1496 y(the)35 b(input)f(te)o(xt.)68 b(\223History\224)35
+b(access)g(to)g(pre)n(vious)e(te)o(xt)i(is)g(more)2049
+1595 y(problematic;)28 b(presently)-5 b(,)27 b(the)g(analyzer)e
+(recognizes)h(one)g(operat-)2049 1695 y(ing)18 b(system)g(that)g
+(supports)f(this)h(\(VMS\))g(and,)f(for)h(it)g(only)-5
+b(,)17 b(e)o(xpands)2049 1795 y(the)j(escape)g(sequence)f(into)h(the)g
+(te)o(xt)g(of)g(the)h(pre)n(vious)d(line.)2132 2000 y
+Fl(T)-8 b(elnet)42 b(options.)88 b Fs(The)41 b(T)-6 b(elnet)42
+b(protocol)d(supports)h(a)i(rich,)2049 2100 y(comple)o(x)37
+b(mechanism)h(for)g(e)o(xchanging)e(options)i(between)h(the)2049
+2199 y(client)d(and)g(serv)o(er)g([PR83b)o(])g(\(there)g(are)g(more)g
+(than)g(50)g(RFCs)2049 2299 y(discussing)27 b(dif)n(ferent)e(T)-6
+b(elnet)28 b(options\).)45 b(Unhappily)-5 b(,)26 b(we)i(cannot)2049
+2399 y(ignore)j(the)i(possible)g(presence)e(of)i(these)f(options)g(in)h
+(our)f(anal-)2049 2498 y(ysis,)j(because)c(an)h(attack)o(er)f(can)h
+(embed)e(one)h(in)h(the)g(middle)f(of)2049 2598 y(te)o(xt)d(the)o(y)g
+(transmit)g(in)h(order)e(to)i(disguise)f(their)g(intent\227for)f(e)o
+(x-)2049 2698 y(ample,)33 b(\223)p Fm(ro<)p Fr(option)p
+Fm(>ot)p Fs(\224.)55 b(The)31 b(T)-6 b(elnet)31 b(serv)o(er)f(will)i
+(dutifully)2049 2797 y(strip)25 b(out)f(the)h(option)e(before)g
+(passing)i(along)e(the)i(remaining)e(te)o(xt)2049 2897
+y(to)h(the)f(authentication)f(system.)35 b(W)-7 b(e)25
+b(must)e(do)g(the)h(same.)35 b(On)24 b(the)2049 2996
+y(other)30 b(hand,)j(parsing)e(options)f(also)i(yields)f(some)g
+(bene\002ts:)47 b(we)2049 3096 y(can)20 b(detect)g(connections)e(that)i
+(successfully)f(ne)o(gotiate)g(to)h(encrypt)2049 3196
+y(the)29 b(data)h(session,)h(and)e(skip)h(subsequent)d(analysis)j
+(\(rather)e(than)2049 3295 y(generating)16 b Fm(login)p
+2673 3295 V 29 w(confused)h Fs(e)n(v)o(ents\),)g(as)i(well)f(as)h
+(analyzing)2049 3395 y(options)j(used)g(for)g(authentication)e(\(for)i
+(e)o(xample,)f(K)n(erberos\))g(and)2049 3495 y(to)27
+b(transmit)f(the)g(user')-5 b(s)27 b(en)m(vironment)c(v)n(ariables)j
+(\(some)g(systems)2049 3594 y(use)j Fm($USER)e Fs(as)j(the)e(def)o
+(ault)f(username)g(during)g(subsequent)g(au-)2049 3694
+y(thentication\).)2132 3899 y Fl(Scanning)h(the)g(session)h(contents.)
+47 b Fs(The)27 b(last)i(form)d(of)i(Login)2049 3999 y(analysis,)c(and)g
+(in)f(our)g(e)o(xperience)f(f)o(ar)h(and)h(a)o(w)o(ay)f(the)h(most)f
+(po)n(w-)2049 4099 y(erful)18 b(for)h(detecting)f(break-ins,)f(is)j
+(looking)d(at)j(the)f(contents)f(of)h(the)2049 4198 y(lines)h(sent)g
+(by)g(the)g(user)g(\()p Fm(login)p 3048 4198 V 28 w(input)p
+3326 4198 V 29 w(line)g Fs(e)n(v)o(ents\))f(and)g(by)2049
+4298 y(the)h(remote)g(serv)o(er)f(\()p Fm(login)p 2928
+4298 V 28 w(output)p 3256 4298 V 29 w(line)p Fs(\).)2132
+4503 y(F)o(or)33 b(input)f(lines,)37 b(some)c(of)f(the)h(patterns)g(we)
+g(search)g(for)g(are)2049 4603 y(the)39 b(string)g(\223)p
+Fm(eggdrop)p Fs(\224)g(\(an)g(Internet)f(Relay)i(Chat)f(tool)g(that)
+2049 4703 y(man)o(y)34 b(attack)o(ers)i(install)g(upon)e(a)i
+(break-in\),)h(\223)p Fm(loadmodule)p Fs(\224)2049 4802
+y(and)24 b(\223)p Fm(/bin/eject)p Fs(\224)f(\(used)h(in)g(b)n(uf)n(fer)
+f(o)o(v)o(er\003o)n(w)g(attacks\),)i(and)2049 4902 y(access)34
+b(to)g(hidden)f(directories)f(with)i(names)g(lik)o(e)g(\223)p
+Fm(...)p Fs(\224.)65 b(F)o(or)2049 5001 y(output)29 b(lines,)j(we)e
+(look)f(for)g(\223)p Fm(ls)p Fs(\224)h(output)f(sho)n(wing)f
+(setuid-root)2049 5101 y(v)o(ersions)f(of)h(command-line)d
+(interpreters)i(lik)o(e)h Fr(csh)p Fs(,)i(and)e(strings)2049
+5201 y(lik)o(e)67 b(\223)p Fm(Jumping)48 b(to)i(address)p
+Fs(\224)66 b(and)g(\223)p Fm(Log)49 b(started)2049 5300
+y(at)p Fs(\224)24 b(which)f(correspond)d(to)k(popular)e(b)n(uf)n(fer)n
+(-o)o(v)o(er\003o)n(w)d(and)k(pass-)2049 5400 y(w)o(ord)d(snif)n(fer)f
+(tools,)h(respecti)n(v)o(ely)-5 b(.)1908 5649 y(16)p
+eop
+%%Page: 17 17
+17 16 bop -150 -104 a Fh(6.6)124 b(Scan)26 b(detection)-150
+70 y Fs(W)-7 b(e)34 b(\002nish)f(with)g(a)h(discussion)e(of)h
+(detecting)e(port)i(and)f(address)-150 170 y(scanning.)22
+b(While)17 b(not,)g(strictly)f(speaking,)g(a)h(form)e(of)h
+(application-)-150 269 y(speci\002c)29 b(processing,)g(we)f(ha)n(v)o(e)
+g(deferred)f(discussion)h(until)g(no)n(w)-150 369 y(so)21
+b(we)h(can)f(refer)f(to)h(the)g(pre)n(viously-de)n(v)o(eloped)16
+b(concepts)k(of)g(Bro)-150 469 y(language)e(mechanisms)i(and)f(attacks)
+i(on)e(the)i(monitor)-5 b(.)-67 578 y(Scan)18 b(detection)e(is)j(all)f
+(done)e(at)i(the)g(polic)o(y)e(script)i(le)n(v)o(el,)f(so)h(sites)-150
+678 y(may)j(of)g(course)g(tailor)g(the)g(detection)f(ho)n(we)n(v)o(er)g
+(the)o(y)g(wish.)29 b(Ho)n(w-)-150 777 y(e)n(v)o(er)m(,)h(the)g(basic)f
+(approach)e(we)j(use)g(is)g(to)f(maintain)g(pairs)g(of)g(ta-)-150
+877 y(bles.)38 b(F)o(or)24 b(detecting)f(address)h(scanning,)g(the)g
+(\002rst)h(of)f(the)h(pair)f(of)-150 977 y(tables,)39
+b Fm(distinct)p 509 977 25 4 v 28 w(peers)p Fs(,)f(is)e(a)f
+Fm(table[addr,)48 b(addr])-150 1076 y(of)h(bool)p Fs(.)67
+b(W)-7 b(e)36 b(inde)o(x)d(it)i(using)e(the)h(source)g(and)g
+(destination)-150 1176 y(address)26 b(of)g(each)h(ne)n(wly-attempted)d
+(connection.)42 b(If)26 b(the)h(pair)f(of)-150 1276 y(addresses)32
+b(is)h(not)e(in)i(the)f(table,)i(then)e(we)g(add)g(them)f(to)h(the)g
+(ta-)-150 1375 y(ble,)23 b(and)f(increment)f Fm(num)p
+649 1375 V 29 w(distinct)p 1078 1375 V 28 w(peers)p Fs(,)i(a)f
+(correspond-)-150 1475 y(ing)k Fm(table[addr])48 b(of)h(count)p
+Fs(.)42 b(This)27 b(second)e(table)h(k)o(eeps)-150 1574
+y(track)j(for)f(each)h(source)f(address)h(the)g(number)e(of)i(distinct)
+h(desti-)-150 1674 y(nation)e(addresses)h(to)g(which)f(it)i(has)f
+(attempted)f(to)h(connect.)50 b(As)-150 1774 y(that)19
+b(number)e(crosses)j(dif)n(ferent)d(thresholds,)h(the)h(script)h
+(generates)-150 1873 y(a)26 b(series)h(of)e(real-time)h
+(noti\002cations)f(indicating)f(that)i(an)g(address)-150
+1973 y(scan)31 b(is)h(underw)o(ay)-5 b(.)55 b(It)32 b(can)e(of)h
+(course)g(tak)o(e)g(additional)e(action,)-150 2073 y(too,)e(such)e(as)h
+(in)m(v)n(oking)e(via)i Fm(system\(\))e Fs(a)j(script)e(that)h(remo)o
+(v)o(es)-150 2172 y(the)20 b(attacking)f(site')-5 b(s)22
+b(connecti)n(vity)c(to)i(the)g(local)h(site)g(\()p Fi(x)f
+Fs(8\).)-67 2282 y(W)-7 b(e)60 b(detect)f(port)f(scanning)f(in)i(a)g
+(similar)g(f)o(ashion,)68 b(us-)-150 2381 y(ing)51 b
+Fm(distinct)p 413 2381 V 28 w(ports)p Fs(,)59 b(a)52
+b Fm(table[addr,)47 b(port])i(of)-150 2481 y(bool)24
+b Fs(inde)o(x)o(ed)e(by)i(source)g(address)g(and)g(destination)f(port)h
+(num-)-150 2581 y(ber)m(,)32 b(and)f(a)g(companion)d(table)j
+Fm(num)p 975 2581 V 29 w(distinct)p 1404 2581 V 28 w(ports)p
+Fs(,)i(and)-150 2680 y(again)28 b(generate)f(noti\002cations)h(as)h
+(the)g(distinct)f(port)g(count)g(for)g(a)-150 2780 y(gi)n(v)o(en)19
+b(address)h(crosses)g(dif)n(ferent)f(thresholds.)-67
+2889 y(Note)24 b(that)h(this)g(approach)d(does)i(not)h(ha)n(v)o(e)e(an)
+o(y)h(restrictions)g(on)-150 2989 y(the)j Fr(or)m(der)i
+Fs(in)e(which)f(addresses)h(or)f(ports)h(are)g(scanned,)g(nor)f(an)o(y)
+-150 3089 y(particular)14 b(requirements)f(for)i(ho)n(w)f(quickly)g
+(the)o(y)h(are)g(scanned.)22 b(By)-150 3188 y(remo)o(ving)h(these)i
+(sorts)h(of)f(restrictions,)h(we)f(can)g(detect)g(not)g(only)-150
+3288 y(simple)30 b(brute-force)c(scans,)33 b(b)n(ut)c(also)h(some)f
+(forms)g(of)h(\223stealth\224)-150 3388 y(scanning,)19
+b(in)h(which)f(the)i(scan)f(is)h(done)e(slo)n(wly)h(across)g(a)h
+(random-)-150 3487 y(ized)f(list)h(of)f(addresses.)-67
+3597 y(There)c(are)h(tw)o(o)g(problems)e(with)i(the)g(approach,)e(ho)n
+(we)n(v)o(er)-5 b(.)22 b(First,)-150 3696 y(while)29
+b(the)g(abo)o(v)o(e)f(steps)h(do)g(indeed)f(detect)h(scanning)f(acti)n
+(vities,)-150 3796 y(the)o(y)17 b(also)h(generate)f(f)o(alse)h(hits,)g
+(because)g(some)f(services)h(naturally)-150 3896 y(result)25
+b(in)h(a)g(single)f(source)f(contacting)g(multiple)h(destination)f(ad-)
+-150 3995 y(dresses)32 b(\(for)e(e)o(xample,)j(a)f(single)f(client)g
+(sur\002ng)g(multiple)g(W)-7 b(eb)-150 4095 y(serv)o(ers\),)36
+b(or)d(contacting)f(multiple)g(ports)h(on)g(the)h(same)f(remote)-150
+4195 y(host)24 b(\(an)g(FTP)g(serv)o(er)g(running)e(on)h(a)i
+(non-standard)c(port,)j(so)g(Bro)-150 4294 y(does)k(not)f(kno)n(w)g(to)
+i(track)e(its)i(POR)-5 b(T/P)d(ASV)30 b(directi)n(v)o(es)d(in)h(order)
+-150 4394 y(to)j(associate)h(connections)d(on)h(ephemeral)g(ports)h
+(with)g(the)g(FTP)-150 4493 y(session\).)c(W)-7 b(e)22
+b(can)f(generally)f(deal)g(with)h(this)h(problem,)d(ho)n(we)n(v)o(er)m
+(,)-150 4593 y(by)e(introducing)e(some)j(additional)e(polic)o(y)h
+(elements)g(in)h(our)f(script,)-150 4693 y(such)25 b(as)g(a)h(list)g
+(of)f(services)g(which)f(we)h(should)f(ignore)g(when)g(up-)-150
+4792 y(dating)19 b(the)i(tables)f(to)g(re\003ect)h(ne)n(wly)e
+(attempted)g(connections.)-67 4902 y(The)28 b(second)f(dif)n(\002culty)
+f(concerns)h(consumption)e(of)j(memory)-5 b(.)-150 5001
+y(Depending)37 b(on)i(a)h(site')-5 b(s)41 b(traf)n(\002c)e(patterns,)44
+b(the)39 b(scan-detection)-150 5101 y(tables)j(can)g(gro)n(w)f(quite)g
+(lar)o(ge.)89 b(The)o(y)40 b(can)i(especially)f(gro)n(w)-150
+5201 y(lar)o(ge)34 b(if)i(an)f(attack)o(er)g(deliberately)f(tar)o(gets)
+h(them)g(as)h(a)g(w)o(ay)f(to)-150 5300 y(attempt)44
+b(to)g(compromise)e(the)i(monitor)f(via)h(an)g(o)o(v)o(erload)d(at-)
+-150 5400 y(tack.)64 b(One)33 b(solution)g(for)g(addressing)f(this)h
+(problem)f(w)o(ould)h(be)2049 -104 y(to)c(introduce)e(the)j(notion)d
+(of)i(associating)g(timers)g(with)g(table)g(el-)2049
+-5 y(ements.)60 b(W)m(ith)32 b(such)g(a)g(mechanism,)i(we)e(could,)i
+(for)d(e)o(xample,)2049 95 y(o)o(v)o(er)i(time)h(remo)o(v)o(e)e
+(elements)i(from)f Fm(distinct)p 3623 95 V 28 w(peers)h
+Fs(and)2049 194 y Fm(num)p 2204 194 V 29 w(distinct)p
+2633 194 V 29 w(peers)p Fs(.)73 b(Doing)36 b(so,)k(ho)n(we)n(v)o(er)m
+(,)e(trades)e(of)n(f)2049 294 y(reco)o(v)o(ering)22 b(resources)i
+(\(and)g(thus)h(impairing)e(an)i(attack)o(er')-5 b(s)25
+b(abil-)2049 394 y(ity)g(to)g(launch)f(an)h(o)o(v)o(erload)d(attack\))i
+(with)h(f)o(ailing)g(to)g(detect)f(slo)n(w)2049 493 y(stealth)d(scans.)
+2132 595 y(See)k Fi(x)g Fs(7.1)f(belo)n(w)f(for)h(a)h(brief)f
+(discussion)g(of)g(our)f(e)o(xperiences)2049 695 y(with)d
+(scan-detection.)2049 990 y Ft(7)119 b(Status)30 b(and)h(Experiences)
+2049 1180 y Fs(Bro)26 b(has)g(operated)f(continuously)e(since)k(April)e
+(1996)g(as)i(an)f(inte-)2049 1280 y(gral)i(part)g(of)h(our)e(site')-5
+b(s)30 b(security)e(system.)50 b(It)29 b(initially)f(included)2049
+1379 y(only)d(general)g(TCP/IP)i(analysis;)j(as)d(time)f(permitted,)g
+(we)h(added)2049 1479 y(the)c(additional)f(modules)g(discussed)g(in)i
+Fi(x)f Fs(6,)h(and)e(we)h(plan)g(to)g(add)2049 1579 y(man)o(y)h(more.)
+39 b(In)25 b(this)g(section)g(we)g(sk)o(etch)g(its)i(current)c(status)j
+(and)2049 1678 y(our)19 b(e)o(xperiences)g(with)h(operating)e(it.)2049
+1930 y Fh(7.1)99 b(Implementation)26 b(status)2049 2091
+y Fs(Presently)-5 b(,)26 b(the)g(implementation)d(is)j(about)f(27,000)f
+(lines)i(of)f(C++)2049 2190 y(and)e(another)f(3,200)g(lines)i(of)g
+Fm(Bro)f Fs(\(about)g(2,700)f(lines)i(of)f(which)2049
+2290 y(are)38 b(\223boilerplate\224)f(not)g(speci\002c)i(to)f(our)f
+(site\).)80 b(It)38 b(runs)g(under)2049 2389 y(Digital)33
+b(Unix,)h(FreeBSD,)f(Linux,)h(and)e(Solaris)h(operating)d(sys-)2049
+2489 y(tems.)57 b(W)-7 b(e)32 b(use)f(the)g Fr(autoconf)41
+b Fs(auto-con\002guration)27 b(tool)k(as)g(our)2049 2589
+y(main)20 b(mechanism)f(for)g(abetting)h(portability)-5
+b(.)2132 2691 y(Bro)58 b(is)h(publicly)d(a)n(v)n(ailable)i(in)g
+(source-code)d(form)i(\(see)2049 2791 y Fr(http://www-nr)m(g)o(.ee)o
+(.lbl.go)o(v/br)l(o-info.html)19 b Fs(for)k(release)i(informa-)2049
+2890 y(tion\),)34 b(though)d(the)h(current)f(release)h(is)h(of)f
+(\223alpha\224)f(quality)g(and)2049 2990 y(includes)19
+b(only)h(v)o(ery)f(limited)h(documentation.)2132 3092
+y(W)-7 b(e)32 b(hope)d(that)i(it)g(will)g(both)f(bene\002t)g(the)g
+(community)e(and)i(in)2049 3192 y(turn)22 b(bene\002t)h(from)e
+(community)g(ef)n(forts)h(to)h(enhance)e(it.)34 b(W)-7
+b(e)24 b(ha)n(v)o(e)2049 3291 y(set)c(up)f(a)g(mailing)g(list)h(for)f
+(discussion\227see)g(the)g(abo)o(v)o(e)e(W)-7 b(eb)20
+b(page)2049 3391 y(for)g(subscription)e(information.)2132
+3493 y(In)29 b(our)f(on-going)e(operations,)j(Bro)g(generates)f(about)f
+(85)i(MB)2049 3593 y(of)22 b(connection)f(summaries)h(each)h(day)-5
+b(,)22 b(and)g(around)f(40)h(real-time)2049 3692 y(noti\002cations,)28
+b(though)e(this)i(\002gure)f(v)n(aries)h(greatly)-5 b(.)45
+b(While)29 b(most)2049 3792 y(of)e(the)h(noti\002cations)e(are)i
+(innocuous)d(\(and)i(if)h(we)g(were)f(not)g(also)2049
+3892 y(de)n(v)o(elopers)21 b(of)h(the)h(system,)g(we)g(w)o(ould)g
+(suppress)f(these\),)h(we)g(not)2049 3991 y(infrequently)k(also)j
+(detect)f(break-in)f(attempts,)j(and)e(we)h(a)n(v)o(erage)2049
+4091 y(4\2265)15 b(address)h(and)f(port)g(scans)i(each)e(day)-5
+b(.)23 b(Operation)15 b(of)g(the)h(system)2049 4191 y(has)33
+b(resulted)f(so)g(f)o(ar)h(in)f(4,000)f(email)i(messages,)i(150)d
+(incident)2049 4290 y(reports)f(\002led)g(with)h(CIA)m(C)g(and)f(CER)-5
+b(T)f(,)32 b(a)g(number)d(of)j(accounts)2049 4390 y(deacti)n(v)n(ated)
+24 b(by)i(other)f(sites,)k(and)c(a)h(couple)f(incidents)h(in)m(v)n
+(olving)2049 4489 y(la)o(w)20 b(enforcement.)2049 4741
+y Fh(7.2)124 b(P)n(erf)n(ormance)2049 4902 y Fs(The)22
+b(system)h(generally)f(operates)g(without)g(incurring)e(an)o(y)i(pack)o
+(et)2049 5001 y(drops.)50 b(The)29 b(FDDI)g(ring)f(it)i(runs)f(on)f(is)
+i(f)o(airly)f(hea)n(vily)f(utilized:)2049 5101 y(a)e(January)-5
+b(,)26 b(1999)f(trace)h(of)f(a)i(14:30-15:30)22 b(b)n(usy)k(hour)f
+(re\003ects)h(a)2049 5201 y(traf)n(\002c)j(le)n(v)o(el)g(of)g(11,900)e
+(pack)o(ets/sec)i(\(34)g(Mbps\))f(sustained)h(for)2049
+5300 y(the)17 b(full)f(hour)m(,)g(with)h(peaks)f(of)h(18,000)e(pack)o
+(ets/sec.)23 b(Ho)n(we)n(v)o(er)m(,)16 b(the)2049 5400
+y(pack)o(et)i(\002lter)h(discards)f(a)h(great)f(deal)g(of)h(this,)g
+(both)e(due)h(to)h(\002ltering)1908 5649 y(17)p eop
+%%Page: 18 18
+18 17 bop -150 -104 a Fs(primarily)30 b(on)g(SYN,)i(FIN,)f(or)g(RST)h
+(control)e(bits,)k(and)c(because)-150 -5 y(only)f(about)g(20\045)g(of)g
+(the)h(traf)n(\002c)f(belongs)g(to)h(netw)o(orks)e(that)i(we)-150
+95 y(routinely)d(monitor)g(\(the)i(link)f(is)i(shared)e(with)h(a)g(lar)
+o(ge)f(neighbor)-150 194 y(institution\).)-67 296 y(T)-7
+b(o)24 b(test)h(the)f(system)g(under)e(stress,)k(we)e(ran)g(it)g(for)g
+(a)g(40)f(minute)-150 396 y(period)g(without)h(the)g(\223interesting)g
+(netw)o(orks\224)f(\002lter)m(,)j(resulting)d(in)-150
+495 y(a)j(much)e(higher)f(fraction)h(of)h(traf)n(\002c)g(accepted)f(by)
+h(the)g(pack)o(et)f(\002l-)-150 595 y(ter)-5 b(.)31 b(During)20
+b(this)j(period,)d(the)i(\002lter)h(accepted)d(an)i(a)n(v)o(erage)f(of)
+g(730)-150 694 y(pack)o(ets/sec,)36 b(with)d(peaks)g(o)o(v)o(er)e
+(1,200)h(pack)o(ets/sec,)j(and)e(with-)-150 794 y(out)20
+b(dropping)e(an)o(y)i(pack)o(ets.)25 b(The)c(monitor)e(system)h(uses)i
+(stripped)-150 894 y(disks)d(and)f(lar)o(ge)f(BPF)j(pack)o(et)e(b)n(uf)
+n(fers)f([RLSSL)-6 b(W97)o(])19 b(to)g(impro)o(v)o(e)-150
+993 y(performance.)-150 1242 y Fh(7.3)124 b(Crud)26 b(seen)f(on)h(a)e
+(DMZ)-150 1401 y Fs(An)k(important)e(and)h(sobering)g(aspect)g(of)h
+(our)f(operational)f(e)o(xpe-)-150 1501 y(rience)21 b(with)h(Bro)f(w)o
+(as)i(the)e(realization)g(of)g(ho)n(w)g(frequently)-5
+b(,)19 b(when)-150 1600 y(monitoring)c(a)j(lar)o(ge)f(v)n(olume)f(of)h
+(netw)o(ork)g(traf)n(\002c,)g(le)o(gitimate)g(\(i.e.,)-150
+1700 y(non-attacking\))23 b(traf)n(\002c)j(e)o(xhibits)f(abnormal)g
+(beha)n(vior)-5 b(.)42 b(W)-7 b(e)27 b(ha)n(v)o(e)-150
+1800 y(observ)o(ed)18 b(all)j(of)f(the)g(follo)n(wing:)-67
+1972 y Fi(\017)41 b Fs(\223Storms\224)23 b(of)g(10,000)f(FIN)h(or)h
+(RST)g(pack)o(ets,)g(in)f(which)g(due)16 2071 y(to)h(a)f(protocol)f
+(implementation)f(error)h(tw)o(o)i(hosts)g(e)o(xchange)16
+2171 y(FIN)d(or)e(RST)i(pack)o(ets)f(e)o(xtremely)f(rapidly)-5
+b(.)-67 2345 y Fi(\017)41 b Fs(Storms)20 b(due)g(to)g(foggy)f(days.)887
+2315 y Fn(4)-67 2519 y Fi(\017)41 b Fs(\223Pri)n(v)n(ate\224)19
+b(Internet)g(addresses)g([Re96)o(])h(leaking)f(out)g(into)h(the)16
+2618 y(public)39 b(Internet.)81 b(These)39 b(addresses)g(are)h
+(inherently)d(un-)16 2718 y(routable,)21 b(and)g(should)g(ne)n(v)o(er)g
+(be)h(used)g(by)f(a)i(public)e(Internet)16 2817 y(connection.)-67
+2991 y Fi(\017)41 b Fs(SYN)22 b(pack)o(ets)f(with)g(the)h(\223Ur)o
+(gent\224)d(bit)j(set.)29 b(F)o(or)21 b(SYN)h(pack-)16
+3091 y(ets,)f(setting)f(\223ur)o(gent\224)e(does)i(not)g(mak)o(e)g(an)o
+(y)g(sense,)g(since)h(the)16 3191 y(connection)c(is)k(not)e(yet)h
+(established)f(and)g(hence)g(cannot)f(pos-)16 3290 y(sibly)24
+b(ha)n(v)o(e)g(ur)o(gent)f(data)h(to)h(send.)37 b(Such)24
+b(pack)o(ets)g(are)g(prob-)16 3390 y(lematic,)e(ho)n(we)n(v)o(er)m(,)e
+(because)h(some)h(\002re)n(w)o(alls)g(and)g(monitors)16
+3489 y(that)29 b(are)g(not)f(carefully)f(coded)h(look)g(for)g(the)h(be)
+o(ginning)d(of)16 3589 y(connections)17 b(to)h(be)g(indicated)g(by)f
+(the)i(TCP)g(\223\003ags\224)f(\002eld)h(be-)16 3689
+y(ing)e(equal)h(to)f(the)h(SYN)g(\003ag,)g(rather)f(than)h(simply)f(ha)
+n(ving)g(the)16 3788 y(SYN)k(\003ag)g(set.)27 b(When)20
+b(the)h(Ur)o(gent)e(bit)i(is)g(set,)g(the)g(\002eld)f(is)i(no)16
+3888 y(longer)d Fr(equal)g Fs(to)i(the)f(SYN)h(\003ag.)-67
+4062 y Fi(\017)41 b Fs(TCPs)28 b(that)f(when)f(retransmitting)f(data)h
+(can)h(send)f(dif)n(ferent)16 4161 y(data)32 b(for)f(the)h(same)g
+(sequence)e(numbers)h(as)h(the)o(y)f(sent)i(the)16 4261
+y(\002rst)21 b(time.)-67 4435 y Fi(\017)41 b Fs(TCPs)18
+b(that)f(sometimes)f(ackno)n(wledge)e(receipt)i(of)g(data)h(ne)n(v)o
+(er)16 4535 y(sent.)-67 4708 y Fi(\017)41 b Fs(IP)20
+b(fragments)f(in)h(which)g(the)g(initial)g(fragment)e(is)j(v)o(ery)e
+(small)16 4808 y(and)24 b(the)g(\002nal)g(fragment)e(is)j(lar)o(ge.)36
+b(Such)23 b(fragments)g(can)h(be)16 4908 y(used)33 b(to)g(attempt)f(to)
+h(circumv)o(ent)e(\002re)n(w)o(alls)i(and)g(monitors)16
+5007 y(that)20 b(do)g(not)g(do)g(fragment)e(reassembly)-5
+b(.)p -150 5086 801 4 v -65 5140 a Fk(4)-30 5163 y Fp(One)20
+b(of)g(the)g(routers)h(on)f(our)g(DMZ)f(has)h(a)g(micro)n(w)o(a)o(v)o
+(e)i(link)f(to)f(a)g(peer)h(on)f(the)-150 5242 y(other)15
+b(side)g(of)f(San)g(Francisco)i(Bay)l(.)k(On)14 b(foggy)g(days,)h(this)
+g(link)g(sometimes)g(\223\003aps,)-5 b(\224)-150 5321
+y(leading)20 b(to)f(routing)g(loops)g(on)f(the)h(DMZ)e(in)i(which)g
+(sets)f(of)g(pack)o(ets)j(enter)e(routing)-150 5400 y(loops)f(and)f
+(cross)g(the)h(DMZ)e(10')l(s)h(or)g(100')l(s)h(of)f(times,)g(until)h
+(their)h(TTLs)c(e)o(xpire.)2132 -104 y Fi(\017)41 b Fs(Fragments)30
+b(with)h(the)g(\223Don')o(t)f(Fragment\224)g(bit)h(set.)58
+b(While)2215 -5 y(allo)n(wed)26 b(by)g(the)g(IP)h(standard,)g(it)g(is)h
+(dif)n(\002cult)d(to)i(en)m(vision)e(a)2215 95 y(situation)k(in)g
+(which)g(such)g(fragments)e(can)i(be)h(le)o(gitimately)2215
+194 y(constructed,)e(yet)f(we)h(do)f(indeed)g(see)h(them)f(on)h
+(clearly)f(in-)2215 294 y(nocuous)19 b(traf)n(\002c.)2132
+467 y Fi(\017)41 b Fs(Ov)o(erlapping)31 b(fragments,)36
+b(in)e(which)g(the)g(end)f(of)h(the)g(\002rst)2215 567
+y(fragment)21 b(is)j(common)d(with)i(the)g(be)o(ginning)d(of)j(the)g
+(second.)2215 666 y(Such)h(fragments)f(are)i(also)f(used)g(for)g
+(\223teardrop\224)f(denial-of-)2215 766 y(service)d(attacks.)2132
+939 y Fi(\017)41 b Fs(Ov)o(erlapping)36 b(fragments)g(for)i(which)f
+(the)i(tw)o(o)f(fragments)2215 1039 y(disagree)19 b(on)h(the)g
+(contents)g(of)g(the)g(o)o(v)o(erlapped)d(re)o(gion.)2049
+1210 y(W)-7 b(e)22 b(recount)d(these)i(pathologies)e(not)h(simply)g
+(because)g(it)i(is)f(some-)2049 1310 y(what)27 b(f)o(ascinating)g(to)g
+(see)h(what)f(a)h(broad)e(range)g(of)h(beha)n(vior)f(we)2049
+1410 y(can)i(observ)o(e)e(in)i(real)g(netw)o(ork)f(traf)n(\002c;)k(b)n
+(ut)d(also)g(for)g(the)g(impor)n(-)2049 1509 y(tant)33
+b(reason)g(that)g Fr(many)g(of)g(these)h(patholo)o(gies)d(look)i(very)h
+(sim-)2049 1609 y(ilar)i(to)f(g)o(enuine)f(attac)n(ks)p
+Fs(.)70 b(Thus,)38 b(the)d(di)n(v)o(ersity)f(of)h(le)o(gitimate)2049
+1708 y(netw)o(ork)28 b(traf)n(\002c,)j(including)c(the)i
+(implementation)e(errors)h(some-)2049 1808 y(times)22
+b(re\003ected)g(within)f(it,)i(leads)f(to)g(a)h(v)o(ery)d(real)i
+(problem)e(for)i(in-)2049 1908 y(trusion)h(detection,)g(namely)f
+(discerning)g(in)h(some)h(circumstances)2049 2007 y(between)k(a)i(true)
+f(attack)g(v)o(ersus)g(an)g(innocuous)e(implementation)2049
+2107 y(error)-5 b(.)46 b(F)o(or)27 b(e)o(xample,)g(it)i(can)e(be)g(e)o
+(xtremely)f(dif)n(\002cult)h(to)g(discern)2049 2207 y(between)18
+b(the)h(\223)p Fm(USER)49 b(nice)p Fs(\224)19 b(/)h(\223)p
+Fm(USER)49 b(root)p Fs(\224)18 b(subterfuge)f(at-)2049
+2306 y(tack)28 b(discussed)g(in)g Fi(x)g Fs(5.3,)h(and)e(a)i(brok)o(en)
+d(TCP)j(implementation)2049 2406 y(that)k(sometimes)f(retransmits)h
+(dif)n(ferent)e(te)o(xt)h(than)h(it)g(originally)2049
+2505 y(sent.)58 b(More)30 b(generally)-5 b(,)32 b(we)g(cannot)e(rely)g
+(on)h(\223clearly\224)f(brok)o(en)2049 2605 y(protocol)22
+b(beha)n(vior)g(as)i(de\002nitely)f(indicating)f(an)h(attack\227it)h(v)
+o(ery)2049 2705 y(well)f(may)f(simply)g(re\003ect)h(the)f(operation)f
+(of)h(an)g(incorrect)f(imple-)2049 2804 y(mentation)e(of)h(that)g
+(protocol.)2132 2906 y(W)-7 b(e)17 b(\002nish)g(our)e(discussion)h(by)f
+(noting)g(a)i(situation)f(that)g(does)g(not)2049 3005
+y(re\003ect)j(a)g(protocol)e(implementation)f(error)m(,)i(b)n(ut)g
+(rather)g(a)h(common)2049 3105 y(real-w)o(orld)14 b(problem,)g(one)h
+(that)h(greatly)f(complicates)f(monitoring.)2132 3206
+y(If)27 b(e)n(v)o(er)f(a)h(site')-5 b(s)29 b(netw)o(ork)c(topology)g
+(includes)h(multiple)h(paths)2049 3306 y(from)19 b(the)h(site)h(to)g
+(the)f(remainder)e(of)i(the)g(Internet,)f(then)g(the)i(moni-)2049
+3406 y(tor)g(may)f(observ)o(e)f(only)h(one)g(direction)g(of)g(a)i
+(connection,)c(because)2049 3505 y(the)27 b(traf)n(\002c)f(for)g(the)g
+(other)g(direction)f(transits)i(an)g(alternate)f(route.)2049
+3605 y(W)-7 b(e)35 b(term)f(this)h(situation)f(\223split)h(routing.)-6
+b(\224)65 b(\(In)34 b(the)g(Internet)f(at)2049 3705 y(lar)o(ge,)20
+b(asymmetric)g(routing)f(is)j(quite)f(common,)e(and)i(so)g(there)g(are)
+2049 3804 y(numerous)32 b(monitoring)f(points)j(that)g(suf)n(fer)f
+(from)g(split)h(routing)2049 3904 y([P)o(a97b)n(].)53
+b(Indi)n(vidual)27 b(sites,)33 b(ho)n(we)n(v)o(er)m(,)c(often)g(ha)n(v)
+o(e)f(full)i(control)2049 4003 y(o)o(v)o(er)19 b(whether)g(the)o(y)h
+(ha)n(v)o(e)g(multiple)f(Internet)g(connections.)24 b(Some)2049
+4103 y(pursue)e(multiple)g(connections)f(in)i(order)e(to)i(pro)o(vide)e
+(redundanc)o(y)2049 4203 y(in)f(their)g(connecti)n(vity)e(to)j(protect)
+e(against)h(occasional)f(outages.\))2132 4304 y(Split)28
+b(routing)d(can,)k(of)e(course,)g(lead)h(to)f(the)g(monitor)f(missing)
+2049 4404 y(attacks)e(entirely)f(because)g(it)h(ne)n(v)o(er)f(sees)h
+(the)g(traf)n(\002c)f(correspond-)2049 4503 y(ing)h(to)g(the)f(attack.)
+36 b(Ev)o(en)23 b(if)h(a)g(site)h(runs)f(multiple)f(monitors,)g(one)
+2049 4603 y(per)e(Internet)f(link,)i(a)f(subtle)h(problem)d(remains:)28
+b(the)21 b(split)h(routing)2049 4703 y(can)16 b(defeat)f(precautions)g
+(tak)o(en)g(by)h(the)g(monitor)f(because)g(it)i(can)f(no)2049
+4802 y(longer)f(assume)g(that)h(it)h(sees)g(traf)n(\002c)e(from)g(at)i
+(least)f(one)f(trustw)o(orthy)2049 4902 y(endpoint)22
+b(for)h(each)g(connection.)33 b(So,)24 b(for)f(e)o(xample,)g(the)g
+(monitor)2049 5001 y(loses)i(the)g(ability)g(to)g(determine)e(when)h
+(it)i(can)e(safely)h(discard)f(in-)2049 5101 y(sequence)i(data.)45
+b(Consequently)-5 b(,)26 b(unless)h(the)g(multiple)f(monitors)2049
+5201 y(communicate)19 b(with)j(one)e(another)g(concerning)f(connection)
+g(state,)2049 5300 y(an)g(attack)o(er)f(who)g(disco)o(v)o(ers)g(a)h
+(split-route)e(can)i(e)o(xploit)f(it)h(to)g(elude)2049
+5400 y(the)h(monitor)-5 b(.)1908 5649 y(18)p eop
+%%Page: 19 19
+19 18 bop -67 -104 a Fs(F)o(ortunately)-5 b(,)37 b(split)f(routing)e
+(is)j(at)f(least)g(easy)g(to)g(detect,)j(be-)-150 -5
+y(cause)32 b(the)g(monitor)e(observ)o(es)h(a)h(connection)e
+(transmitting)g(uni-)-150 95 y(directional)d(traf)n(\002c)h(without)f
+(ha)n(ving)g(\002rst)i(completed)e(the)h(initial)-150
+194 y(three-w)o(ay)17 b(SYN)h(handshak)o(e.)23 b(Whene)n(v)o(er)16
+b(Bro)i(detects)g(split)h(rout-)-150 294 y(ing,)h(it)h(generates)e(an)h
+(e)n(v)o(ent)f(announcing)e(the)j(problem.)-150 569 y
+Ft(8)119 b(Futur)n(e)31 b(dir)n(ections)-150 755 y Fs(In)16
+b(addition)g(to)g(de)n(v)o(eloping)e(more)i(application)f(analysis)i
+(modules,)-150 854 y(we)42 b(see)h(a)f(number)e(of)h(a)n(v)o(enues)g
+(for)g(future)g(w)o(ork.)89 b(As)42 b(dis-)-150 954 y(cussed)36
+b(abo)o(v)o(e,)h(compiling)e Fm(Bro)g Fs(scripts)h(and,)j(especially)-5
+b(,)39 b(de-)-150 1054 y(vising)f(mechanisms)f(to)h(distrib)n(ute)f
+(monitoring)f(across)i(multi-)-150 1153 y(ple)e(hosts)f(of)n(fer)g(the)
+g(promise)g(of)g(increasing)g(monitoring)e(per)n(-)-150
+1253 y(formance.)39 b(W)-7 b(e)27 b(are)e(also)h(v)o(ery)f(interested)g
+(in)g(e)o(xtending)f(BPF)i(to)-150 1353 y(better)c(support)e
+(monitoring,)g(such)i(as)h(adding)e(lookup)f(tables)i(and)-150
+1452 y(v)n(ariable-length)17 b(snapshots.)-67 1552 y(Another)f
+(interesting)g(direction)g(is)i(adding)e(\223teeth\224)h(to)g(the)h
+(mon-)-150 1651 y(itoring)i(in)h(the)f(form)g(of)h(acti)n(v)o(ely)e
+(terminating)h(misbeha)n(ving)e(con-)-150 1751 y(nections)h(by)g
+(sending)g(RST)h(pack)o(ets)g(to)g(their)f(endpoints,)f(or)h(com-)-150
+1851 y(municating)c(with)h(intermediary)f(routers,)h(as)h(some)f
+(commercially)-150 1950 y(a)n(v)n(ailable)27 b(monitors)g(already)f
+(do.)48 b(W)-7 b(e)28 b(ha)n(v)o(e)g(implemented)d(both)-150
+2050 y(of)20 b(these)g(for)g(Bro)g(and)g(are)g(no)n(w)g(e)o
+(xperimenting)d(with)k(their)f(ef)n(fec-)-150 2150 y(ti)n(v)o(eness.)31
+b(The)22 b(ability)g(to)h(ask)f(a)h(router)e(to)i(drop)e(traf)n(\002c)h
+(in)m(v)n(olving)-150 2249 y(a)i(particular)d(address)i(has)g(already)g
+(pro)o(v)o(en)d(e)o(xtremely)i(useful,)h(as)-150 2349
+y(it)h(greatly)f(limits)h(the)g(information)d(that)j(attack)o(ers)f
+(can)h(gather)e(by)-150 2449 y(scanning)29 b(our)h(site;)37
+b(once)30 b(Bro)g(recognizes)f(a)i(scan,)i(it)f(instructs)-150
+2548 y(the)i(border)f(router)g(to)h(drop)f(an)o(y)g(further)g(traf)n
+(\002c)h(in)m(v)n(olving)e(the)-150 2648 y(gi)n(v)o(en)24
+b(site.)39 b(Some)25 b(open)e(issues)j(with)f(this)h(form)d(of)i
+(reaction)f(are)-150 2747 y(the)e(impact)g(on)h(router)e(performance)e
+(as)24 b(the)e(number)f(of)h(such)g(\002l-)-150 2847
+y(ters)e(increases,)g(and)f(attack)o(ers)h(for)o(ging)d(traf)n(\002c)j
+(from)e(remote)h(sites)-150 2947 y(to)27 b(mislead)f(Bro)h(into)f
+(dropping)f(them,)i(as)h(a)f(form)e(of)i(denial-of-)-150
+3046 y(service)20 b(attack.)-67 3146 y(More)34 b(generally)-5
+b(,)36 b(ho)n(we)n(v)o(er)m(,)g(we)f(ha)n(v)o(e)f(found)f(our)h(f)o
+(airly)h(in-)-150 3246 y(depth)29 b(consideration)f(of)h(the)h(problem)
+f(of)g(attacks)h(on)g(monitors)-150 3345 y(\()p Fi(x)i
+Fs(5\))g(sobering.)59 b(Some)31 b(forms)h(of)f(subterfuge)f(attacks)i
+(are)g(e)o(x-)-150 3445 y(tremely)41 b(dif)n(\002cult)g(to)h(defend)e
+(against,)46 b(and)41 b(we)h(belie)n(v)o(e)f(it)i(is)-150
+3544 y(ine)n(vitable)33 b(that)h(attack)o(ers)g(will)h(de)n(vise)e(and)
+h(share)f(toolkits)h(for)-150 3644 y(launching)16 b(such)h(attacks.)25
+b(This)18 b(in)g(turn)f(suggests)h(three)f(important)-150
+3744 y(areas)i(for)g(research)f(into)h(intrusion)f(detection:)24
+b Fr(\(i\))19 b Fs(further)f(e)o(xplor)n(-)-150 3843
+y(ing)28 b(the)g(notion)f(of)h(\223bifurcating)f(analysis\224)h
+(discussed)g(in)g Fi(x)h Fs(5.3;)-150 3943 y Fr(\(ii\))24
+b Fs(studying)f(the)h(notion)f(of)h(traf)n(\002c)g(\223normalizers\224)
+e(that)j(remo)o(v)o(e)-150 4043 y(ambiguities)g(from)f(traf)n(\002c)h
+(streams)h(\(one)f(such)g(normalizer)f(is)j(an)-150 4142
+y(\223in-the-loop\224)16 b(monitor)m(,)i(one)g(that)h(must)g(appro)o(v)
+o(e)e(the)i(forw)o(arding)-150 4242 y(of)d(an)o(y)f(pack)o(et)h(it)g
+(recei)n(v)o(es\);)h(and)e Fr(\(iii\))h Fs(inte)o(grating)e(into)i(the)
+g(system)-150 4341 y(monitor)27 b(\223sensors\224)g(that)i(run)e(on)g
+(the)i(end)e(hosts.)49 b(Such)28 b(sensors)-150 4441
+y(can)16 b(analyze)f(netw)o(ork)g(traf)n(\002c)h(at)g(a)h(suf)n
+(\002ciently)e(high)g(layer)h(in)g(their)-150 4541 y(host')-5
+b(s)19 b(netw)o(ork)e(stack)i(where)e(ambiguities)h(about)f(ho)n(w)h
+(the)h(traf)n(\002c)-150 4640 y(will)32 b(be)f(interpreted)e(ha)n(v)o
+(e)i(already)f(been)g(resolv)o(ed.)56 b(Our)31 b(near)n(-)-150
+4740 y(term)22 b(research)f(is)j(focussing)d(on)h(the)g(second)f(of)h
+(these,)h(e)o(xploring)-150 4840 y(the)d(issues)h(associated)f(with)h
+(b)n(uilding)e(traf)n(\002c)g(normalizers.)-150 5115
+y Ft(9)119 b(Ackno)o(wledgements)-150 5300 y Fs(W)-7
+b(e)17 b(gratefully)d(ackno)n(wledge)g(Digital)i(Equipment)d
+(Corporation')-5 b(s)-150 5400 y(W)e(estern)17 b(Research)f(Laboratory)
+e(for)i(contrib)n(uting)e(the)i(Alpha)g(sys-)2049 -104
+y(tem)24 b(that)g(made)f(de)n(v)o(eloping)e(and)i(operating)f(Bro)i(at)
+h(high)e(speeds)2049 -5 y(possible.)30 b(I)22 b(w)o(ould)f
+(particularly)f(lik)o(e)i(to)g(thank)f(Jef)n(f)h(Mogul,)f(who)2049
+95 y(w)o(as)26 b(instrumental)f(in)g(arranging)f(this)i(through)d(WRL)
+-8 b(')j(s)28 b(External)2049 194 y(Research)20 b(Program.)2132
+294 y(Man)o(y)49 b(thanks,)57 b(too,)h(to)50 b(Craig)g(Leres.)116
+b(Bro)50 b(has)h(bene-)2049 394 y(\002ted)32 b(greatly)e(from)h(man)o
+(y)f(discussions)h(with)h(him.)59 b(Craig)31 b(also)2049
+493 y(wrote)i(the)g(calendar)e(queue)h(and)h(non-blocking)c(DNS)34
+b(routines)2049 593 y(discussed)e(in)g Fi(x)h Fs(4.)61
+b(Along)31 b(with)h(Craig)h(Leres,)i(I')l(d)c(lik)o(e)h(to)h(ac-)2049
+693 y(kno)n(wledge)19 b(the)j(on-going)c(feedback)i(I)i(recei)n(v)o(e)e
+(from)g(Craig)i(Lant)2049 792 y(and)f(P)o(artha)h(Banerjee)f(on)h(the)f
+(daily)h(operation)e(of)h(Bro,)i(and)e(their)2049 892
+y(ef)n(forts)e(at)i(analyzing)e(security)g(incidents)h(detected)f(by)h
+(Bro.)2132 991 y(My)29 b(appreciation)e(to)i(Scott)g(Denton,)h(John)f
+(Antonishek,)g(and)2049 1091 y(man)o(y)20 b(others)h(for)g
+(alpha-testing)f(Bro)i(and)f(contrib)n(uting)e(portabil-)2049
+1191 y(ity)h(\002x)o(es)h(and)e(other)h(enhancements.)2132
+1290 y(Finally)-5 b(,)41 b(this)d(w)o(ork)e(w)o(ould)h(not)g(ha)n(v)o
+(e)f(been)h(possible)g(with-)2049 1390 y(out)f(the)g(support)f(and)h
+(enthusiasm)f(of)h(Mark)g(Rosenber)o(g,)i(V)-9 b(an)2049
+1490 y(Jacobson,)39 b(Jim)h(Rothfuss,)k(Stu)c(Lok)o(en)f(and)g(Da)n(v)o
+(e)h(Ste)n(v)o(ens\227)2049 1589 y(much)19 b(appreciated!)2049
+1869 y Ft(A)120 b(Example:)36 b(tracking)31 b(Finger)g(traf\002c)2049
+2055 y Fs(In)d(this)i(appendix)c(we)k(gi)n(v)o(e)d(an)i(o)o(v)o(ervie)n
+(w)e(of)h(ho)n(w)g(the)h(dif)n(ferent)2049 2155 y(elements)19
+b(of)g(Bro)h(come)f(together)f(for)h(monitoring)e(Finger)i(traf)n
+(\002c.)2049 2254 y(F)o(or)27 b(the)g(e)n(v)o(ent)f(engine,)h(we)h(ha)n
+(v)o(e)e(a)i(C++)f(class)h Fm(FingerConn)p Fs(,)2049
+2354 y(deri)n(v)o(ed)17 b(from)h(the)h(general-purpose)d
+Fm(TCP)p 3326 2354 25 4 v 29 w(Connection)i Fs(class.)2049
+2453 y(When)f(Bro)h(encounters)d(a)j(ne)n(w)f(connection)e(with)j
+(service)f(port)f(79,)2049 2553 y(it)j(instantiates)f(a)h
+(corresponding)14 b Fm(FingerConn)j Fs(object,)h(instead)2049
+2653 y(of)24 b(a)g Fm(TCP)p 2359 2653 V 30 w(Connection)f
+Fs(object)g(as)i(it)g(w)o(ould)e(for)h(an)g(unrecog-)2049
+2752 y(nized)c(port.)2132 2852 y Fm(FingerConn)129 b
+Fs(rede\002nes)h(the)h(virtual)f(function)2049 2952 y
+Fm(BuildEndpoints)p Fs(,)29 b(which)g(is)i(in)m(v)n(ok)o(ed)c(when)i(a)
+h(connection)2049 3051 y(object)20 b(is)h(\002rst)g(created:)2049
+3213 y Ff(void)39 b(FingerConn::BuildEndpoints\(\))2169
+3292 y({)2169 3371 y(resp)g(=)h(new)f(TCP_EndpointLine\(this,)d(1,)k
+(0,)g(1\);)2169 3449 y(orig)f(=)h(new)f(TCP_EndpointLine\(this,)d(0,)k
+(0,)g(1\);)2169 3528 y(})2049 3711 y Fs(Here,)70 b Fm(resp)p
+Fs(,)g(corresponding)57 b(to)k(the)f(responder)f(\(Finger)2049
+3810 y(serv)o(er\))28 b(side)i(of)f(the)g(connection,)g(is)h
+(initialized)f(to)h(an)f(ordinary)2049 3910 y Fm(TCP)p
+2204 3910 V 29 w(Endpoint)i Fs(object,)i(because)e(Bro)g(does)g(not)g
+(\(presently\))2049 4010 y(look)20 b(inside)h(Finger)f(replies.)27
+b(But)21 b Fm(orig)p Fs(,)g(the)f(Finger)h(client)f(side,)2049
+4109 y(and)g Fm(resp)p Fs(,)h(the)f(responder)f(\(Finger)h(serv)o(er\))
+f(side)i(of)g(the)f(connec-)2049 4209 y(tion)31 b(are)h(both)f
+(initialized)g(to)h Fm(TCP)p 3140 4209 V 29 w(EndpointLine)e
+Fs(objects,)2049 4308 y(which)23 b(means)g(Bro)g(will)h(track)f(the)g
+(contents)g(of)g(each)g(side)h(of)f(the)2049 4408 y(connection,)g(and,)
+h(furthermore,)d(deli)n(v)o(er)i(the)h(contents)f(in)h(a)h(line-)2049
+4508 y(oriented)19 b(f)o(ashion)h(to)h Fm(FingerConn)p
+Fs(')-5 b(s)19 b(virtual)h Fm(NewLine)g Fs(func-)2049
+4607 y(tion:)2049 4769 y Ff(int)39 b
+(FingerConn::NewLine\(TCP_Endpoint*)c(/*)40 b(s)g(*/,)2806
+4848 y(double)f(/*)h(t)f(*/,)h(char*)f(line\))2169 4927
+y({)2169 5006 y(line)g(=)h(skip_whitespace\(line\);)2169
+5163 y(//)f(Check)g(for)h(/W.)2169 5242 y(int)f(is_long)g(=)g
+(\(line[0])g(==)h('/')f(&&)2766 5321 y(toupper\(line[1]\))f(==)h
+('W'\);)2169 5400 y(if)g(\()h(is_long)f(\))1908 5649
+y Fs(19)p eop
+%%Page: 20 20
+20 19 bop 89 -104 a Ff(line)39 b(=)h(skip_whitespace\(line+2\);)-30
+53 y(val_list*)e(vl)i(=)f(new)h(val_list;)-30 132 y
+(vl->append\(BuildConnVal\(\)\);)-30 211 y(vl->append\(new)d
+(StringVal\(line\)\);)-30 290 y(vl->append\(new)g(Val\(is_long,)h
+(TYPE_BOOL\)\);)-30 448 y(mgr.QueueEvent\(finger_request,)d(vl\);)-30
+526 y(return)k(0;)-30 605 y(})-150 773 y Fs(\(F)o(or)89
+b(bre)n(vity)-5 b(,)104 b(we)90 b(sho)n(w)f Fm(NewLine)f
+Fs(only)h(for)g(the)-150 872 y Fm(finger)p 155 872 25
+4 v 29 w(request)66 b Fs(case.\))165 b Fm(NewLine)66
+b Fs(skips)i(whites-)-150 972 y(pace)29 b(in)g(the)g(request,)i(scans)e
+(it)h(for)e(the)i(\223)p Fm(/W)p Fs(\224)f(indicator)e(\(which)-150
+1072 y(requests)18 b(v)o(erbose)f(Finger)g(output\),)g(and)h(mo)o(v)o
+(es)f(past)h(it)h(if)f(present.)-150 1171 y(It)34 b(then)f(creates)h(a)
+h Fm(val)p 604 1171 V 29 w(list)f Fs(object,)i(which)d(holds)h(a)g
+(list)h(of)-150 1271 y(generic)i(Bro)h Fm(Val)g Fs(objects.)78
+b(The)38 b(\002rst)g(of)g(these)g(is)h(assigned)-150
+1371 y(to)i(a)g(generic)f(connection-identi\002er)d(v)n(alue)j(\(see)g
+(belo)n(w\);)51 b(the)-150 1470 y(second,)39 b(to)d(a)g(Bro)g
+Fm(string)f Fs(containing)f(the)i(Finger)f(request,)-150
+1570 y(and)41 b(the)h(third)f(to)h(a)h Fm(bool)e Fs(indicating)g
+(whether)f(the)i(request)-150 1669 y(w)o(as)37 b(v)o(erbose)e(or)h
+(not.)74 b(The)36 b(penultimate)f(line)h(queues)g(a)h(ne)n(w)-150
+1769 y Fm(finger)p 155 1769 V 29 w(request)k Fs(e)n(v)o(ent)f(with)i
+(the)f(corresponding)d(list)43 b(of)-150 1869 y(v)n(alues)28
+b(as)h(ar)o(guments;)h(\002nally)-5 b(,)29 b Fm(return)49
+b(0)28 b Fs(indicates)g(that)h(the)-150 1968 y Fm(FingerConn)22
+b Fs(is)i(all)f(done)f(with)h(the)g(memory)f(associated)g(with)-150
+2068 y Fm(line)34 b Fs(\(since)h Fm(new)49 b(StringVal\(line\))32
+b Fs(made)i(a)h(cop)o(y)f(of)-150 2168 y(it\),)20 b(so)h(that)f(memory)
+f(can)h(be)g(reclaimed)f(by)h(the)g(caller)-5 b(.)-67
+2267 y(The)34 b(connection)f(identi\002er)h(discussed)g(abo)o(v)o(e)f
+(is)j(de\002ned)d(in)-150 2367 y(Bro)20 b(as)h(a)g(\223)p
+Fm(connection)p Fs(\224)d(record:)-150 2514 y Ff(type)39
+b(endpoint:)g(record)g({)-30 2592 y(size:)g(count;)g(state:)g(count;)
+-150 2671 y(};)-150 2750 y(type)g(connection:)f(record)h({)-30
+2829 y(id:)g(conn_id;)-30 2908 y(orig:)g(endpoint;)f(resp:)h(endpoint;)
+-30 2987 y(start_time:)f(time;)-30 3066 y(duration:)g(interval;)-30
+3145 y(service:)g(string;)89 3223 y(#)i(if)f(empty,)g(service)g(not)h
+(yet)f(determined)-30 3302 y(addl:)g(string;)-30 3381
+y(hot:)g(count;)89 3460 y(#)h(how)f(hot;)g(0)h(=)g(don't)f(know)g(or)h
+(not)f(hot)-150 3539 y(};)-150 3706 y Fs(The)19 b Fm(id)h
+Fs(\002eld)g(is)g(a)g Fm(conn)p 624 3706 V 30 w(id)f
+Fs(record,)f(discussed)i(in)g Fi(x)g Fs(3.1.)k Fm(orig)-150
+3806 y Fs(and)29 b Fm(resp)h Fs(correspond)d(to)j(the)g(connection)e
+(originator)g(and)h(re-)-150 3906 y(sponder)m(,)22 b(each)h(a)h(Bro)f
+Fm(endpoint)f Fs(record)g(consisting)h(of)g Fm(size)-150
+4005 y Fs(\(the)c(number)f(of)i(bytes)g(transferred)d(by)j(that)g
+(endpoint)e(so)i(f)o(ar\))f(and)-150 4105 y Fm(state)p
+Fs(,)38 b(the)c(endpoint')-5 b(s)33 b(TCP)j(state)f(\(e.g.,)i(SYN)e
+(sent,)k(estab-)-150 4204 y(lished,)26 b(closed\).)40
+b(This)25 b(latter)h(w)o(ould)e(be)h(better)g(e)o(xpressed)f(using)-150
+4304 y(an)j(enumerated)e(type)i(\(rather)f(than)g(a)i
+Fm(count)p Fs(\),)g(which)f(we)g(may)-150 4404 y(add)20
+b(to)g(Bro)g(in)h(the)f(future.)-67 4503 y(The)36 b Fm(start)p
+354 4503 V 29 w(time)g Fs(\002eld)h(re\003ects)g(when)f(the)g
+(connection')-5 b(s)-150 4603 y(\002rst)21 b(pack)o(et)f(w)o(as)h
+(seen,)f(and)g Fm(duration)g Fs(ho)n(w)f(long)h(the)g(connec-)-150
+4703 y(tion)k(has)h(e)o(xisted.)38 b Fm(service)24 b
+Fs(corresponds)e(to)j(the)f(name)g(of)h(the)-150 4802
+y(service,)h(or)f(an)g(empty)f(string)h(if)g(it)h(has)g(not)f(been)f
+(identi\002ed.)39 b(By)-150 4902 y(con)m(v)o(ention,)33
+b Fm(addl)g Fs(holds)f(additional)g(information)f(associated)-150
+5001 y(with)e(the)g(connection;)i(better)d(than)h(a)g
+Fm(string)f Fs(here)h(w)o(ould)f(be)-150 5101 y(some)16
+b(sort)g(of)g(union)f(or)h(generic)f(type,)i(if)f(Bro)h(supported)d
+(such.)23 b(Fi-)-150 5201 y(nally)-5 b(,)18 b(by)h(con)m(v)o(ention)d
+(the)k(polic)o(y)e(script)h(increments)f Fm(hot)i Fs(when-)-150
+5300 y(e)n(v)o(er)g(it)i(\002nds)f(something)f(potentially)g
+(suspicious)g(about)g(the)h(con-)-150 5400 y(nection.)2132
+-104 y(Here)f(is)h(the)f(corresponding)d(polic)o(y)i(script:)2049
+33 y Ff(global)39 b(hot_names)f(=)i({)g("root",)f("lp",)g("uucp")g(};)
+2049 111 y(global)g(finger_log)f(=)2169 190 y(open\(getenv\("BRO_ID"\))
+e(==)k("")f(?)2368 269 y("finger.log")f(:)2368 348 y
+(fmt\("finger.\045s",)f(getenv\("BRO_ID"\)\)\);)2049
+506 y(event)i(finger_request\(c:connection,)2886 585
+y(request:)g(string,)2886 664 y(full:)g(bool\))2169 742
+y({)2169 821 y(if)g(\()h(byte_len\(request\))d(>)j(80)f(\))h({)2288
+900 y(request)f(=)h(fmt\("\045s...",)2846 979 y(sub_bytes\(request,)d
+(1,)j(80\)\);)2288 1058 y(++c$hot;)2169 1137 y(})2169
+1216 y(if)f(\()h(request)f(in)g(hot_names)g(\))2288 1295
+y(++c$hot;)2169 1452 y(local)g(req)g(=)h(request)f(==)g("")h(?)2288
+1531 y("ANY")f(:)h(fmt\("\\"\045s\\"",)e(request\);)2169
+1610 y(if)h(\()h(c$addl)f(!=)g("")h(\))2288 1689 y(#)g(This)f(is)h(an)f
+(additional)g(request.)2288 1768 y(req)h(=)f(fmt\("\(\045s\)",)f
+(req\);)2169 1847 y(if)h(\()h(full)f(\))2288 1925 y(req)h(=)f
+(fmt\("\045s)g(\(/W\)",)g(req\);)2169 2083 y(local)g(msg)g(=)h
+(fmt\("\045s)f(>)g(\045s)h(\045s",)2806 2162 y(c$id$orig_h,)2806
+2241 y(c$id$resp_h,)2806 2320 y(req\);)2169 2399 y(if)f(\()h(c$hot)f(>)
+h(0)f(\))2288 2478 y(log)h(fmt\("finger:)e(\045s",)h(msg\);)2169
+2556 y(print)g(finger_log,)2408 2635 y(fmt\("\045.6f)f(\045s",)h
+(c$start_time,)f(msg\);)2169 2793 y(c$addl)h(=)g(c$addl)g(==)h("")f(?)
+2527 2872 y(req)h(:)f(fmt\("*\045s,)g(\045s",)g(c$addl,)g(req\);)2169
+2951 y(})2049 3109 y Fs(The)28 b(global)f Fm(hot)p 2598
+3109 V 30 w(names)h Fs(is)h(a)g(Bro)f Fm(set)h Fs(of)f
+Fm(string)p Fs(.)48 b(In)29 b(the)2049 3208 y(ne)o(xt)22
+b(line,)i Fm(finger)p 2689 3208 V 29 w(log)f Fs(is)g(initialized)g(to)g
+(a)h(Bro)f Fm(file)p Fs(,)g(either)2049 3308 y(named)f(\223\002nger)-5
+b(.log\224,)23 b(or)m(,)g(if)h(the)f Fm(BRO)p 3196 3308
+V 30 w(ID)g Fs(en)m(vironment)e(v)n(ariable)2049 3407
+y(is)g(set,)g(to)f(a)h(name)f(deri)n(v)o(ed)e(from)h(it)i(using)f(the)g
+(b)n(uilt-in)g Fm(fmt)g Fs(func-)2049 3507 y(tion.)2132
+3607 y(The)28 b Fm(finger)p 2595 3607 V 29 w(request)g
+Fs(e)n(v)o(ent)g(handler)f(follo)n(ws.)50 b(It)29 b(tak)o(es)2049
+3706 y(three)h(ar)o(guments,)i(corresponding)27 b(to)k(the)g(v)n(alues)
+g(added)e(to)j(the)2049 3806 y Fm(val)p 2204 3806 V 29
+w(list)24 b Fs(abo)o(v)o(e.)34 b(It)24 b(\002rst)h(checks)e(whether)g
+(the)g(request)h(is)g(e)o(x-)2049 3906 y(cessi)n(v)o(ely)15
+b(long,)h(and,)f(if)h(so,)h(truncates)e(it)h(and)f(increments)g(the)h
+Fm(hot)2049 4005 y Fs(\002eld)21 b(of)g(the)g(connection')-5
+b(s)19 b(information)g(record.)25 b(\(The)c(Bro)g(b)n(uilt-)2049
+4105 y(in)j(functions)f(used)h(here)g(are)g(named)g(in)g(terms)g(of)h
+(\223bytes\224)e(rather)2049 4204 y(than)16 b(\223string\224)g(because)
+f(the)o(y)h(mak)o(e)g(no)g(assumptions)f(about)h(NUL-)2049
+4304 y(termination)k(of)i(their)g(ar)o(guments;)e(in)i(particular)m(,)f
+Fm(byte)p 3762 4304 V 29 w(len)h Fs(re-)2049 4404 y(turns)g(the)h
+(length)f(of)h(its)h(ar)o(gument)c(including)h(a)i(\002nal)g(NUL)g
+(byte,)2049 4503 y(if)d(present.\))2132 4603 y(Ne)o(xt,)32
+b(the)e(script)g(checks)f(whether)g(the)h(request)f(corresponds)2049
+4703 y(to)e(an)o(y)e(of)h(the)h(entries)f(in)h(the)f
+Fm(hot)p 3134 4703 V 30 w(names)g Fs(set.)44 b(If)26
+b(so,)i(it)g(again)2049 4802 y(marks)20 b(the)g(connection)e(as)j
+(\223hot.)-6 b(\224)2132 4902 y(W)f(e)25 b(then)e(initialize)g(the)h
+(local)f(v)n(ariable)f Fm(req)i Fs(to)f(a)h(quoted)e(v)o(er)n(-)2049
+5001 y(sion)17 b(of)h(the)f(request;)h(or)m(,)f(if)h(the)g(request)e(w)
+o(as)j(empty)d(\(which)h(in)h(the)2049 5101 y(Finger)25
+b(protocol)g(indicates)g(a)i(request)e(type)h(of)f(\223)-7
+b(ANY\224\),)26 b(then)g(it)2049 5201 y(is)21 b(changed)e(to)h(\223)-7
+b(ANY\224.)2132 5300 y(The)19 b(e)n(v)o(ent)g(handler)g(stores)h(the)f
+(Finger)g(request)h(in)f(the)h(connec-)2049 5400 y(tion)g(record')-5
+b(s)19 b Fm(addl)h Fs(\002eld)g(\(see)h(belo)n(w\),)e(so)h(the)g(ne)o
+(xt)g(line)g(checks)1908 5649 y(20)p eop
+%%Page: 21 21
+21 20 bop -150 -104 a Fs(to)30 b(see)g(whether)f(this)h(\002eld)g
+(already)f(contains)g(a)h(request.)53 b(If)29 b(so,)-150
+-5 y(then)19 b(we)h(are)g(seeing)f(multiple)g(requests)h(for)f(a)h
+(single)f(Finger)g(con-)-150 95 y(nection.)30 b(This)23
+b(is)g(not)f(allo)n(wed)g(by)f(the)i(Finger)e(protocol,)g(b)n(ut)h
+(that)-150 194 y(doesn')o(t)28 b(mean)h(we)g(w)o(on')o(t)g(see)h(them!)
+52 b(In)29 b(particular)m(,)g(we)h(might)-150 294 y(imagine)23
+b(a)i(subterfuge)d(attack)i(in)g(which)g(an)g(attack)o(er)f(queries)h
+(an)-150 394 y(innocuous)h(name)h(in)h(their)g(\002rst)h(request,)g
+(and)e(a)h(sensiti)n(v)o(e)g(name)-150 493 y(in)i(their)f(second,)h
+(and)f(depending)d(on)j(ho)n(w)g(the)h(\002nger)e(serv)o(er)h(is)-150
+593 y(written,)g(it)g(may)e(well)h(respond)f(to)h(both.)1102
+563 y Fn(5)1183 593 y Fs(This)g(script)g(will)g(still)-150
+693 y(catch)g(such)g(use,)i(since)f(it)g(fully)f(processes)g(each)g
+(request;)j(b)n(ut)e(it)-150 792 y(needs)21 b(to)g(be)g(careful)f(to)i
+(k)o(eep)e(the)i(global)e(state)i(corresponding)17 b(to)-150
+892 y(the)30 b(connection)e(\(in)i(the)g Fm(addl)f Fs(\002eld\))h
+(complete.)54 b(T)-7 b(o)30 b(do)f(so,)k(it)-150 991
+y(marks)21 b(additional)f(requests)h(by)g(enclosing)f(them)h(in)h
+(parentheses,)-150 1091 y(and)31 b(also)g(prepends)e(an)i(asterisk)h
+(to)f(the)g(entire)g Fm(addl)g Fs(\002eld)g(for)-150
+1191 y(each)25 b(additional)g(request,)h(so)g(that)f(in)h(later)g
+(visual)f(inspection)g(of)-150 1290 y(the)20 b(Finger)g(logs)g(these)g
+(requests)g(immediately)f(stand)h(out.)-67 1390 y(The)k
+Fm(msg)g Fs(local)g(v)n(ariable)f(holds)g(the)h(basic)g(description)f
+(of)h(the)-150 1490 y(Finger)29 b(request.)51 b(The)29
+b Fm(fmt)h Fs(function)d(kno)n(ws)i(to)h(format)e(the)h(IP)-150
+1589 y(addresses)38 b Fm(c$id$orig)p 662 1589 25 4 v
+28 w(h)h Fs(and)e Fm(c$id$resp)p 1387 1589 V 28 w(h)i
+Fs(as)g(\223dotted)-150 1689 y(quads.)-6 b(\224)-67 1788
+y(Ne)o(xt,)27 b(if)f(the)g(connection)e(has)i(been)f(mark)o(ed)f(as)j
+(\223hot\224)e(\(either)-150 1888 y(just)30 b(pre)n(viously)-5
+b(,)29 b(or)g(perhaps)f(by)g(a)i(completely)e(dif)n(ferent)f(e)n(v)o
+(ent)-150 1988 y(handler\),)17 b(then)g(the)h(script)h(generates)e(a)h
+(real-time)g(noti\002cation.)23 b(In)-150 2087 y(an)o(y)17
+b(case,)h(it)g(also)g(records)f(the)g(request)g(to)h(the)g
+Fm(finger)p 1533 2087 V 29 w(log)f Fs(\002le.)-150 2187
+y(Finally)-5 b(,)24 b(it)g(updates)e(the)i Fm(addl)f
+Fs(\002eld)h(to)g(re\003ect)f(the)h(request)e(\(and)-150
+2287 y(to)e(\003ag)h(multiple)e(requests,)h(as)h(discussed)f(abo)o(v)o
+(e\).)-67 2386 y(Entries)g(in)g(the)h(log)e(\002le)i(look)f(lik)o(e:)
+-150 2530 y Ff(880988813.752829)37 b(171.64.15.68)i(>)527
+2609 y(128.3.253.104)f("feng")-150 2688 y(880991121.364126)f
+(131.243.168.28)h(>)527 2766 y(130.132.143.23)g("anlin")-150
+2845 y(880997120.932007)f(192.84.144.6)i(>)527 2924 y(128.3.32.16)g
+(ALL)-150 3003 y(881000846.603872)e(128.3.9.45)i(>)527
+3082 y(146.165.7.14)g(ALL)g(\(/W\))-150 3161 y(881001601.958411)e
+(152.66.83.11)i(>)527 3240 y(128.3.13.76)g("davfor")-150
+3404 y Fs(\(though)18 b(without)i(the)g(lines)g(split)h(after)f(the)g
+(\223)p Fm(>)p Fs(\224\).)-67 3504 y(The)37 b(real-time)f
+(noti\002cations)g(look)h(quite)f(similar)m(,)41 b(with)d(the)-150
+3603 y(k)o(e)o(yw)o(ord)24 b(\223)p Fm(finger:)p Fs(\224)34
+b(added)24 b(to)i(a)n(v)n(oid)f(ambiguity)f(with)h(other)-150
+3703 y(types)20 b(of)g(real-time)f(noti\002cation.)-150
+3980 y Ft(Refer)n(ences)-150 4165 y Fs([Ax99])95 b(AXENT)141
+b(T)-6 b(echnologies,)170 b Fr(Intruder)141 b(Alert)p
+Fs(,)187 4265 y(http://www)-5 b(.ax)o(ent.com/produ)o(ct/smsb)n(u/IT)c
+(A/,)187 4365 y(1999.)-150 4523 y([Br88])114 b(R.)32
+b(Bro)n(wn,)h(\223Calendar)d(Queues:)47 b(A)32 b(F)o(ast)g
+Fj(O)r Fc(\(1\))g Fs(Pri-)187 4623 y(ority)39 b(Queue)g(Implementation)
+e(for)j(the)g(Simulation)187 4723 y(Ev)o(ent)16 b(Set)j(Problem,)-6
+b(\224)17 b Fr(Communications)f(of)i(the)f(A)n(CM)p Fs(,)187
+4822 y(31\(10\),)g(pp.)j(1220-1227,)c(Oct.)21 b(1988.)-150
+4981 y([Ci99])119 b(Cisco)357 b(Systems,)440 b Fr(NetRang)o(er)p
+Fs(,)187 5081 y(http://www)-5 b(.cisco.com/w)o(arp/public/cc/cisco/m)o
+(kt/)187 5180 y(security/nranger/inde)o(x.htm)o(l,)15
+b(1999.)p -150 5244 801 4 v -65 5298 a Fk(5)-30 5321
+y Fp(W)-5 b(e)22 b(do)i(indeed)h(see)e(occasional)k(multiple)e
+(requests.)41 b(So)23 b(f)o(ar)m(,)i(the)o(y)g(ha)o(v)o(e)f(all)-150
+5400 y(appeared)19 b(fully)f(innocuous.)2049 -104 y Fs([CT94])91
+b(C.)44 b(Compton)f(and)h(D.)g(T)-6 b(ennenhouse,)47
+b(\223Collabora-)2386 -5 y(ti)n(v)o(e)e(Load)f(Shedding)f(for)i
+(Media-Based)g(Applica-)2386 95 y(tions,)-6 b(\224)45
+b Fr(Pr)l(oc.)c(International)d(Confer)m(ence)i(on)g(Mul-)2386
+194 y(timedia)i(Computing)f(and)h(Systems)p Fs(,)49 b(Boston,)e(MA,)
+2386 294 y(May)-5 b(.)19 b(1994.)2049 459 y([In99])127
+b(Internet)44 b(Security)h(Systems,)52 b(Inc.,)f Fr(RealSecur)m(e)3940
+429 y Fa(TM)4029 459 y Fs(,)2386 559 y(http://www)-5
+b(.iss.net/prod/rs.php3,)15 b(1999.)2049 725 y([JLM89])40
+b(V)-11 b(.)72 b(Jacobson,)83 b(C.)72 b(Leres,)84 b(and)71
+b(S.)g(McCanne,)2386 824 y Fm(tcpdump)p Fs(,)80 b(a)n(v)n(ailable)68
+b(via)h(anon)o(ymous)d(ftp)i(to)2386 924 y(ftp.ee.lbl.go)o(v)-5
+b(,)16 b(Jun.)k(1989.)2049 1089 y([Ka91])100 b(B.)36
+b(Kantor)m(,)j(\223BSD)d(Rlogin,)-6 b(\224)40 b(RFC)d(1282,)h(Netw)o
+(ork)2386 1189 y(Information)51 b(Center)m(,)63 b(SRI)55
+b(International,)61 b(Menlo)2386 1289 y(P)o(ark,)19 b(CA,)i(Dec.)f
+(1991.)2049 1454 y([MJ93])91 b(S.)30 b(McCanne)e(and)h(V)-11
+b(.)31 b(Jacobson,)f(\223The)f(BSD)i(P)o(ack)o(et)2386
+1554 y(Filter:)38 b(A)27 b(Ne)n(w)g(Architecture)f(for)g(User)n(-le)n
+(v)o(el)g(P)o(ack)o(et)2386 1653 y(Capture,)-6 b(\224)18
+b Fr(Pr)l(oc.)h(1993)e(W)-5 b(inter)20 b(USENIX)f(Confer)m(ence)p
+Fs(,)2386 1753 y(San)h(Die)o(go,)f(CA.)2049 1918 y([MLJ94])40
+b(S.)77 b(McCanne,)90 b(C.)78 b(Leres)e(and)h(V)-11 b(.)77
+b(Jacobson,)2386 2018 y Fm(libpcap)p Fs(,)j(a)n(v)n(ailable)68
+b(via)h(anon)o(ymous)d(ftp)i(to)2386 2118 y(ftp.ee.lbl.go)o(v)-5
+b(,)16 b(1994.)2049 2283 y([MHL94])39 b(B.)23 b(Mukherjee,)d(L.)i
+(Heberlein,)f(and)h(K.)g(Le)n(vitt,)g(\223Net-)2386 2383
+y(w)o(ork)33 b(Intrusion)f(Detection,)-6 b(\224)37 b
+Fr(IEEE)c(Network)p Fs(,)38 b(8\(3\),)2386 2482 y(pp.)19
+b(26-41,)f(May/Jun.)h(1994.)2049 2648 y([Ne99])100 b(Netw)o(ork)41
+b(Flight)g(Recorder)m(,)46 b(Inc.,)g Fr(Network)d(Flight)2386
+2747 y(Recor)m(der)p Fs(,)19 b(http://www)-5 b(.nfr)g(.com,)17
+b(1999.)2049 2913 y([PS93])105 b(V)-11 b(.)18 b(P)o(axson)g(and)g(C.)h
+(Saltmarsh,)f(\223Glish:)25 b(A)19 b(User)n(-Le)n(v)o(el)2386
+3012 y(Softw)o(are)46 b(Bus)i(for)f(Loosely-Coupled)d(Distrib)n(uted)
+2386 3112 y(Systems,)-6 b(\224)17 b Fr(Pr)l(oc.)f(1993)e(W)-5
+b(inter)17 b(USENIX)f(Confer)m(ence)p Fs(,)2386 3212
+y(San)k(Die)o(go,)f(CA.)2049 3377 y([P)o(a94])115 b(V)-11
+b(.)35 b(P)o(axson,)i(\223Empirically-Deri)n(v)o(ed)30
+b(Analytic)35 b(Mod-)2386 3477 y(els)28 b(of)f(W)m(ide-Area)g(TCP)h
+(Connections,)-6 b(\224)28 b Fr(IEEE/A)n(CM)2386 3576
+y(T)-5 b(r)o(ansactions)34 b(on)g(Networking)p Fs(,)39
+b(2\(4\),)e(pp.)e(316-336,)2386 3676 y(Aug.)19 b(1994.)2049
+3842 y([P)o(a96])115 b(V)-11 b(.)25 b(P)o(axson,)g Fm(flex)p
+Fs(,)g(a)n(v)n(ailable)f(via)h(anon)o(ymous)d(ftp)i(to)2386
+3941 y(ftp.ee.lbl.go)o(v)-5 b(,)16 b(Sep.)k(1996.)2049
+4107 y([P)o(a97a])78 b(V)-11 b(.)31 b(P)o(axson,)i(\223End-to-End)28
+b(Internet)i(P)o(ack)o(et)h(Dynam-)2386 4206 y(ics,)-6
+b(\224)67 b Fr(Pr)l(oc.)57 b(SIGCOMM)g('97)p Fs(,)65
+b(Cannes,)h(France,)2386 4306 y(Sep.)20 b(1997.)2049
+4471 y([P)o(a97b])73 b(V)-11 b(.)28 b(P)o(axson,)h(\223End-to-End)c
+(Routing)j(Beha)n(vior)f(in)i(the)2386 4571 y(Internet,)-6
+b(\224)41 b Fr(IEEE/A)n(CM)c(T)-5 b(r)o(ansactions)37
+b(on)h(Network-)2386 4671 y(ing)p Fs(,)19 b(5\(5\),)g(pp.)h(601-615,)d
+(Oct.)j(1997.)2049 4836 y([P)o(a98])115 b(V)-11 b(.)18
+b(P)o(axson,)g(\223Bro:)24 b(A)18 b(System)g(for)g(Detecting)f(Netw)o
+(ork)2386 4936 y(Intruders)h(in)i(Real-T)m(ime,)-6 b(\224)20
+b(Proc.)f(7th)h(USENIX)g(Secu-)2386 5035 y(rity)g(Symposium,)e(Jan.)i
+(1998.)2049 5201 y([PR83a])59 b(J.)26 b(Postel)h(and)f(J.)h(Re)o
+(ynolds,)f(\223T)-6 b(elnet)26 b(Protocol)f(Spec-)2386
+5300 y(i\002cation,)-6 b(\224)21 b(RFC)j(854,)d(Netw)o(ork)g
+(Information)e(Center)m(,)2386 5400 y(SRI)i(International,)c(Menlo)j(P)
+o(ark,)f(CA,)i(May)f(1983.)1908 5649 y(21)p eop
+%%Page: 22 22
+22 21 bop -150 -104 a Fs([PR83b])54 b(J.)24 b(Postel)g(and)f(J.)h(Re)o
+(ynolds,)g(\223T)-6 b(elnet)23 b(Option)g(Speci\002-)187
+-5 y(cations,)-6 b(\224)30 b(RFC)g(855,)g(Netw)o(ork)d(Information)f
+(Center)m(,)187 95 y(SRI)21 b(International,)c(Menlo)j(P)o(ark,)f(CA,)i
+(May)f(1983.)-150 261 y([PR85])96 b(J.)25 b(Postel)g(and)f(J.)h(Re)o
+(ynolds,)f(\223File)h(T)m(ransfer)f(Protocol)187 360
+y(\(FTP\),)-6 b(\224)35 b(RFC)j(959,)h(Netw)o(ork)c(Information)e
+(Center)m(,)187 460 y(SRI)21 b(International,)c(Menlo)j(P)o(ark,)f(CA,)
+i(Oct.)f(1985.)-150 626 y([PN98])91 b(T)-6 b(.)52 b(Ptacek)g(and)g(T)-6
+b(.)53 b(Ne)n(wsham,)59 b(\223Insertion,)g(Ev)n(a-)187
+726 y(sion,)68 b(and)59 b(Denial)g(of)g(Service:)103
+b(Eluding)57 b(Net-)187 825 y(w)o(ork)i(Intrusion)f(Detection,)-6
+b(\224)69 b(Secure)59 b(Netw)o(orks,)187 925 y(Inc.,)45
+b(http://www)-5 b(.aciri.or)o(g/v)o(ern/Ptacek-)o(Ne)n(wsham)o(-)187
+1025 y(Ev)n(asion-98.ps,)17 b(Jan.)j(1998.)-150 1191
+y([PZCMO96])40 b(N.)22 b(Puk)o(etza,)f(K.)h(Zhang,)e(M.)i(Chung,)f(B.)h
+(Mukher)n(-)187 1290 y(jee)34 b(and)f(R.)h(Olsson,)j(\223)-7
+b(A)34 b(Methodology)d(for)i(T)-6 b(esting)187 1390 y(Intrusion)23
+b(Detection)i(Systems,)-6 b(\224)27 b Fr(IEEE)e(T)-5
+b(r)o(ansactions)187 1490 y(on)40 b(Softwar)m(e)g(Engineering)p
+Fs(,)j(22\(10\),)g(pp.)d(719-729,)187 1589 y(Oct.)20
+b(1996.)-150 1755 y([RLSSL)-6 b(W97])40 b(M.)25 b(Ranum,)g(K.)g
+(Land\002eld,)g(M.)f(Stolarchuk,)g(M.)187 1855 y(Sienkie)n(wicz,)41
+b(A.)d(Lambeth)e(and)i(E.)g(W)-7 b(all,)43 b(\223Imple-)187
+1954 y(menting)29 b(a)i(generalized)e(tool)h(for)g(netw)o(ork)f
+(monitor)n(-)187 2054 y(ing,)-6 b(\224)24 b Fr(Pr)l(oc.)g(LISA)f('97)p
+Fs(,)h(USENIX)g(11th)f(Systems)h(Ad-)187 2154 y(ministration)19
+b(Conference,)f(San)i(Die)o(go,)f(Oct.)i(1997.)-150 2320
+y([Re96])105 b(Y)-11 b(.)19 b(Rekhter)m(,)f(B.)i(Mosk)o(o)n(witz,)e(D.)
+h(Karrenber)o(g,)d(G.)j(J.)h(de)187 2419 y(Groot,)30
+b(and)f(E.)h(Lear)m(,)h(\223)-7 b(Address)29 b(Allocation)g(for)f(Pri-)
+187 2519 y(v)n(ate)20 b(Internets,)-6 b(\224)19 b(RFC)i(1918,)e(Feb)m
+(.)h(1996.)-150 2685 y([Sr95a])86 b(R.)21 b(Srini)n(v)n(asan,)f
+(\223RPC:)i(Remote)e(Procedure)f(Call)j(Pro-)187 2785
+y(tocol)30 b(Speci\002cation)g(V)-9 b(ersion)30 b(2,)-6
+b(\224)34 b(RFC)e(1831,)g(DDN)187 2884 y(Netw)o(ork)19
+b(Information)e(Center)m(,)j(Aug.)f(1995.)-150 3050 y([Sr95b])81
+b(R.)30 b(Srini)n(v)n(asan,)g(\223XDR:)g(External)e(Data)h(Representa-)
+187 3150 y(tion)g(Standard,)-6 b(\224)30 b(RFC)g(1832,)g(DDN)g(Netw)o
+(ork)e(Infor)n(-)187 3250 y(mation)19 b(Center)m(,)g(Aug.)h(1995.)-150
+3416 y([S-J93])91 b(M.)18 b(St.)h(Johns,)f(\223Identi\002cation)e
+(Protocol,)-6 b(\224)18 b(RFC)h(1413,)187 3515 y(Netw)o(ork)38
+b(Information)f(Center)m(,)44 b(SRI)c(International,)187
+3615 y(Menlo)19 b(P)o(ark,)h(CA,)g(Feb)m(.)g(1993.)-150
+3781 y([T)-7 b(o99])111 b(T)-7 b(ouch)65 b(T)-6 b(echnologies,)75
+b(Inc.,)i Fr(INT)o(OUCH)67 b(INSA)p Fs(,)187 3881 y(http://www)-5
+b(.ttisms.com/tti/nsa)p 1176 3881 25 4 v 27 w(www)g(.html,)19
+b(1999.)-150 4047 y([WFP96])41 b(G.)30 b(White,)i(E.)e(Fisch)h(and)e
+(U.)h(Pooch,)i(\223Cooperating)187 4146 y(Security)e(Managers:)47
+b(A)32 b(Peer)n(-Based)g(Intrusion)e(De-)187 4246 y(tection)22
+b(System,)-6 b(\224)23 b Fr(IEEE)f(Network)p Fs(,)i(10\(1\),)e(pp.)g
+(20-23,)187 4346 y(Jan./Feb)m(.)d(1994.)-150 4512 y([Zi91])123
+b(D.)41 b(Zimmerman,)k(\223The)c(Finger)g(User)h(Information)187
+4611 y(Protocol,)-6 b(\224)27 b(RFC)h(1288,)f(Netw)o(ork)f(Information)
+e(Cen-)187 4711 y(ter)m(,)16 b(SRI)g(International,)e(Menlo)h(P)o(ark,)
+g(CA,)h(Dec.)k(1991.)1908 5649 y(22)p eop
+%%Trailer
+end
+userdict /end-hook known{end-hook}if
+%%EOF
diff --git a/doc/quick-start/Bro-installation.texi b/doc/quick-start/Bro-installation.texi
new file mode 100644
index 0000000000..fcaddfe0f0
--- /dev/null
+++ b/doc/quick-start/Bro-installation.texi
@@ -0,0 +1,229 @@
+
+@menu
+* Download ::
+* Install ::
+* Configuration ::
+* Encrypted Reports ::
+@end menu
+
+@node Download
+@section Download
+@cindex download
+
+Download Bro from: @uref{http://www.bro-ids.org/}
+
+You can unpack the distribution anywhere except into the directory
+you plan to install into. To untar the file, type:
+
+@example
+tar xvzf bro-0.9a6.6.tar.gz
+@end example
+
+@node Install
+@section Install
+
+You'll need to collect the following information before beginning the installation.
+
+@itemize
+@item localnets: a list of local subnets for your network. Bro needs to know which networks are "internal" and which are "external".
+
+@item interface names: the names of the capture interfaces in your host (e.g. sk0 or en1). Use @code{ifconfig -a} to get the list of all network interfaces on your Bro host.
+@end itemize
+
+If you want to use Bro's periodic email report feature, you'll also need:
+@itemize
+@item email list: a list of email addresses to send the reports to.
+
+@item pgp keys: if you want to encrypt all email reports, the location of the 
+@uref{http://www.gnupg.org/,GPG keyring} of all recipients.
+@end itemize
+
+Bro is very easy to install. Just log in as @code{root}, and type:
+@example
+./configure
+@end example
+or to install Bro in a location other than @file{/usr/local/bro}, use:
+@example
+./configure --prefix=/path/to/bro
+@end example
+and then type:
+@example
+make
+make install
+@end example
+
+To update an existing Bro installation with new binaries and standard policy file, instead
+of @code{'make install'} do a @code{'make update'}. This will preserve all your local customizations.
+
+@node Configuration
+@section Configuration
+@cindex bro_config
+@cindex bro.cfg
+
+The @emph{Bro-Lite} configuration script can be used to automatically configure Bro for you. It
+checks your system's BPF settings, creates a 'bro' user account, installs
+a script to start bro at boot time, and installs a number of @code{cron} jobs 
+to checkpoint bro every night, run perioidic reports, and manage log files.
+
+To run this configuration script type:
+@example
+make install-brolite 
+@end example
+
+
+This will run the script @code{bro_config}, which creates the file @file{$BROHOME/etc/bro.cfg}.
+@code{bro_config} will ask a number of simple questions.
+
+Sample output of @code{bro_config}, along with explanation, is shown below:
+
+@quotation
+
+@verbatim
+Running Bro Configuration Utility
+Checking interfaces ....  Done.
+Reading /usr/local/bro/etc/bro.cfg.example for defaults.
+@end verbatim
+@quotation 
+@quotation 
+The @code{bro_config} script looks first at ./bro.cfg, then /usr/local/bro/etc,  
+for default values to use below.
+@end quotation
+@end quotation
+
+@verbatim
+Bro Log archive location [/usr/local/bro/archive] 
+@end verbatim
+@quotation
+@quotation
+This is the directory where log file archives are kept. 
+If you expect the log files to be very large, it is recommended to put these in a separate disk partition.
+@end quotation
+@end quotation
+
+@verbatim
+User id to install and run Bro under [bro] 
+@end verbatim
+@quotation
+@quotation
+@code{bro_config} will create a new user account with this username if the user does not exist. 
+@end quotation
+@end quotation
+
+@verbatim
+Interface names to listen on. [en1,en2] 
+@end verbatim
+@quotation
+@quotation
+@code{bro_config} looks for all network interfaces and does a short test to determine which interfaces see the most traffic, and selects these interfaces as the default. 
+@end quotation
+@end quotation
+
+@verbatim
+Site name for reports (i.e. LBNL, FOO.COM, BAZ.ORG) [] 
+Starting Report Time [0600]
+Report interval (in hours) [24]
+Email addresses for internal reports [bro@localhost] 
+Do you want to send external reports to a incident 
+		reporting org (e.g.: CERT, CIAC, etc) (Y/N)
+Y
+Email addresses for external reports [] 
+@end verbatim
+
+@quotation
+@quotation
+Daily reports will be created.  
+Enter the site name you want to appear at the top and in the subject of all email reports.
+The 'start time' and 'interval' define the window of 
+network activity that the daily report will cover, starting at 'Starting Report Time' and 
+lasting through 'Report interval'. The start time should be entered using 24hr clock notation. 
+For example: 12:30am = 0030,  2pm = 1400
+
+Two types of reports will be generated,
+"internal" and "external". Internal reports contain the same basic information as
+the external reports, along with traffic statistics and more detailed information on 
+incidents. Both internal and external reports will be sent to the "internal" email address list.
+External reports are only sent if you answer "Y" and enter an external email address. 
+(Note: currently only internal reports are generated)
+@end quotation
+@end quotation
+
+
+@verbatim
+Do you want to encrypt the email reports (Y/N) [N]
+Y
+@end verbatim
+@quotation
+@quotation 
+If you want the email reports encrypted, you will need to set up GPG (@uref{http://www.gnupg.org})
+and create a GPG keyring containing the public keys of all email recipients. Instructions 
+for this are in @ref{Encrypted Reports}.
+
+@end quotation
+@end quotation
+
+@verbatim
+Running script to determine your local subnets ... 
+Your Local subnets [198.129.224.1/32] 
+@end verbatim
+@quotation
+@quotation
+Bro needs to know a list of your local subnets. @code{bro_config} runs a tool 
+that attempts to discover this automatically. 
+You should always verify the results of this tool. The format is a list of subnet/significant 
+bits of address. 
+For example: 131.243.0.0/16, 198.128.0.0/18, 198.129.224.1/32
+@end quotation
+This information will be stored in the file @code{$BROHOME/site/local.site.bro}
+@end quotation
+
+@verbatim
+Saving settings to file: /usr/local/bro/etc/bro.cfg
+Bro configuration finished. 
+To change these values, you can rerun bro_config at any time.
+@end verbatim
+@quotation
+@quotation
+Indicates that the script finished successfully.
+@end quotation
+@end quotation
+
+@end quotation
+
+For site monitoring very high traffic rates on Gigabit ethernet, there is some
+additional system tuning that should be done. See the @uref{http://www.bro-ids.org/, Bro User Guide} for more details.
+
+
+To reconfigure Bro, just type:
+@example
+bro_config
+@end example
+
+This will update your @file{/usr/local/bro/etc/bro.cfg} file. You can also edit this file using your favorite editor if you prefer.
+
+For other site customizations, you can edit the file $BROHOME/site/local.site.bro.
+For example, to tell bro to not look at traffic for host 198.162.44.66, add:
+@verbatim
+     redef restrict_filters += { ["ignore host 198.162.44.66 "] = "not (host 198.162.44.66)" };
+@end verbatim
+
+Or to disable alarms for "WeirdActivity", you can add this:
+@verbatim
+     redef notice_action_filters += { [[WeirdActivity]] = ignore_notice, };
+@end verbatim
+
+Any changes you make in $BROHOME/site will not be touched during an upgrade
+or reinstall of Bro. You should avoid editing files in $BROHOME/policy,
+as these will be overwritten.
+
+More details are available in the Bro user guide. 
+
+@node Encrypted Reports 
+@section Encrypted Reports 
+@cindex GPG
+
+Bro can use GPG (@uref{http://www.gnupg.org/}) to encrypt
+the reports that it sends. To have Bro encrypt your
+reports you must have said 'yes' to the bro_config question to
+encrypt your reports. For information on configuring
+GPG for Bro reports, see the @uref{http://www.bro-ids.org/, Bro User Manual}.
+
diff --git a/doc/quick-start/Bro-overview.texi b/doc/quick-start/Bro-overview.texi
new file mode 100644
index 0000000000..de02ec482c
--- /dev/null
+++ b/doc/quick-start/Bro-overview.texi
@@ -0,0 +1,143 @@
+
+@menu
+* What is Bro? ::
+* Bro features and benefits ::
+* Getting more Information ::
+@end menu
+
+@node What is Bro?
+@section What is Bro?
+@cindex Network Intrusion Detection System
+
+Bro is a Unix-based Network Intrusion Detection System (IDS).  Bro monitors network traffic and detects intrusion attempts based on the traffic 
+characteristics and content.  Bro detects intrusions by comparing network traffic against rules describing events that are deemed troublesome.  These rules 
+might describe activities (e.g., certain hosts connecting to certain services), what activities are worth alerting (e.g., attempts to a given number of different hosts constitutes 
+a "scan"), or signatures describing known attacks or access to known vulnerabilities.  If Bro detects something of interest, it can be instructed to either issue a log entry or initiate the execution of an operating system command.
+
+Bro targets high-speed (Gbit/second), high-volume intrusion detection. By judiciously leveraging packet filtering techniques, 
+Bro is able to achieve the performance necessary to do so while running on commercially 
+available PC hardware, and thus can serve as a cost effective means of monitoring a site's Internet connection.
+
+
+@node Bro features and benefits
+@section Bro features and benefits
+
+@itemize
+@item @strong{Network Based}
+@quotation
+Bro is a network-based IDS.  It collects, filters, and analyzes traffic that passes through a specific
+network location.  A single Bro monitor, strategically placed at a key network junction, can be
+used to monitor all incoming and outgoing traffic for the entire site.  Bro does not use or
+require installation of client software on each individual, networked computer.
+@end quotation
+
+@item @strong{Custom Scripting Language}
+@quotation
+Bro policy scripts are programs written in the Bro language.  They contain the "rules" that
+describe what sorts of activities are deemed troublesome.  They analyze the network activity and
+initiate actions based on the analysis.  Although the Bro language takes some time and effort to
+learn, once mastered, the Bro user can write or modify Bro policies to detect and alert on virtually
+any type of network activity.
+@end quotation
+
+@item @strong{Pre-written Policy Scripts}
+@quotation
+Bro comes with a rich set of policy scripts designed to detect the most common Internet attacks
+while limiting the number of false positives, i.e., alerts that confuse uninteresting activity with the
+important attack activity.  These supplied policy scripts will run "out of the box" and do not
+require knowledge of the Bro language or policy script mechanics.
+@end quotation
+
+@item @strong{Powerful Signature Matching Facility}
+@quotation
+Bro policies incorporate a signature matching facility that looks for specific traffic content.  For
+Bro, these signatures are expressed as regular expressions, rather than fixed strings.  Bro adds a
+great deal of power to its signature-matching capability because of its rich language.  This allows
+Bro to not only examine the network content, but to understand the context of the signature,
+greatly reducing the number of false positives.  Bro comes with a set of high value signatures
+policies, selected for their high detection and low false positive characteristics.
+@end quotation
+
+@item @strong{Network Traffic Analysis}
+@quotation
+Bro not only looks for signatures, but can also analyze network protocols, connections,
+transactions, data amounts, and many other network characteristics.  It has powerful facilities for
+storing information about past activity and incorporating it into analyses of new activity.
+@end quotation
+
+@item @strong{Detection Followed by Action}
+@quotation
+Bro policy scripts can generate output files recording the activity seen on the network (including
+normal, non-attack activity).  They can also send alarms to event logs, including the
+operating system syslog facility.  In addition, scripts can execute programs, which can, in turn,
+send e-mail messages, page the on-call staff, automatically terminate existing connections, or, with
+appropriate additional software, insert access control blocks into a router's access control list.
+With Bro's ability to execute programs at the operating system level, the actions that Bro can
+initiate are only limited by the computer and network capabilities that support Bro.
+@end quotation
+
+@item @strong{@uref{http://www.snort.org/,Snort} Compatibility Support}
+@cindex Snort
+@quotation
+The Bro distribution includes a tool, snort2bro, which converts Snort signatures into Bro
+signatures.  Along with translating the format of the signatures, snort2bro also incorporates a large
+number of enhancements to the standard set of Snort signatures to take advantage of Bro's
+additional contextual power and reduce false positives.
+@end quotation
+
+
+@end itemize
+
+@node Getting more Information 
+@section Getting more Information 
+
+@itemize
+@item @strong{Reference manual}
+@quotation
+An extensive @uref{http://www.bro-ids.org/manuals.html,reference manual} is provided detailing the Bro Policy Language
+@end quotation
+
+@item @strong{FAQ}
+@cindex FAQ
+@quotation
+Several Frequently Asked Questions are outlined in the @uref{http://www.bro-ids.org/FAQ.html,Bro FAQ}.  
+Do you have a question that's not
+in the FAQ, send it to us and we'll add it.
+@end quotation
+
+@item @strong{E-mail list}
+@cindex Email list
+@quotation
+Send questions on any Bro subject to Bro@@bro-ids.org
+The list is frequented by all of the Bro developers, including the primary author of Bro, Dr. Vern
+Paxson.
+
+You can subscribe by going to the website: 
+@* @uref{http://mailman.icsi.berkeley.edu/mailman/listinfo/bro},
+@*
+or by placing the following command in either the subject or the body of a message addressed to
+Bro-request@@ICSI.Berkeley.EDU.
+
+@example
+subscribe [password] [digest-option] [address=<address>]
+@end example
+
+A password must be given to
+unsubscribe or change your options.  Once subscribed to the
+list, you'll be reminded of your password periodically.
+The 'digest-option' may be either: 'nodigest' or 'digest' (no
+quotes!)  If you wish to subscribe an address other than the
+address you use to send this request from, you may specify
+"address=<email address>" (no brackets around the email
+address, no quotes!)
+
+@end quotation
+
+@item @strong{Website}
+@quotation
+The official Bro website is located at:
+@uref{http://www.bro-ids.org}.
+It contains all of the above documentation and more.
+@end quotation
+
+@end itemize
diff --git a/doc/quick-start/Bro-quick-start.pdf b/doc/quick-start/Bro-quick-start.pdf
new file mode 100644
index 0000000000..75f0a484c5
Binary files /dev/null and b/doc/quick-start/Bro-quick-start.pdf differ
diff --git a/doc/quick-start/Bro-quick-start.texi b/doc/quick-start/Bro-quick-start.texi
new file mode 100644
index 0000000000..166d1293f3
--- /dev/null
+++ b/doc/quick-start/Bro-quick-start.texi
@@ -0,0 +1,99 @@
+\input texinfo   @c -*-texinfo-*-
+@comment $Id: Bro-quick-start.texi 958 2004-12-21 16:51:44Z tierney $
+@comment %**start of header
+@setfilename Bro-quick-start.info
+@settitle Bro Quick Start Guide 
+@setcontentsaftertitlepage 
+@comment %**end of header
+
+
+@set VERSION 0.9
+@set UPDATED 11-15-2004
+
+@copying
+This the Quick Start Guide for Bro
+version @value{VERSION}.
+
+This software is copyright @copyright{} 
+1995-2004, The Regents of the University of California
+and the International Computer Science Institute.  All rights reserved.
+
+For further information about this notice, contact:
+
+Vern Paxson
+email: @email{vern@@icir.org}
+
+@end copying
+
+@dircategory Bro
+@direntry
+* Bro: Network Intrusion Detection System
+@end direntry
+
+@ifnottex
+@node Top
+@top Bro Quick Start Guide
+@copyright{} Lawrence Berkeley National Laboratory
+@end ifnottex
+
+@titlepage
+@title Bro Quick Start Guide 
+@subtitle version @value{VERSION}, @value{UPDATED}, @strong{DRAFT}
+@author Vern Paxson, Jim Rothfuss, Brian Tierney
+@author Contact: @email{vern@@icir.org}
+@author @uref{http://www.bro-ids.org/}
+@page
+@insertcopying
+@vskip 0pt plus 1filll
+@end titlepage
+
+@contents
+
+@ifnottex
+@strong{Bro Quick Start Guide}: 
+This manual contains info on installing, configuring, and running
+Bro. For more details, see the @uref{http://www.bro-ids.org/Bro-user-manual/,
+Bro User Manual}
+@end ifnottex
+
+@menu
+* Overview of Bro::
+* Requirements ::
+* Installation and Configuration::
+* Running Bro ::
+* Index::  
+@end menu
+
+@comment ********************************************
+
+@node Overview of Bro
+@chapter Overview of Bro
+@include Bro-overview.texi
+
+@comment ********************************************
+@node Requirements 
+@chapter Requirements 
+@cindex Software requirements
+@cindex Hardware requirements
+
+@include Bro-requirements.texi
+
+@comment ********************************************
+@node Installation and Configuration 
+@chapter Installation and Configuration 
+@cindex Installation instructions 
+@include Bro-installation.texi
+@cindex Configuration instructions 
+
+@comment ********************************************
+@node Running Bro
+@chapter Running Bro
+@include Bro-running.texi
+
+@comment ********************************************
+@node Index
+@unnumbered Index 
+
+@printindex cp
+
+@bye
diff --git a/doc/quick-start/Bro-requirements.texi b/doc/quick-start/Bro-requirements.texi
new file mode 100644
index 0000000000..d3fa73b48e
--- /dev/null
+++ b/doc/quick-start/Bro-requirements.texi
@@ -0,0 +1,79 @@
+
+
+@menu
+* Network Tap ::
+* Hardware and Software Requirements ::
+@end menu
+
+
+@node Network Tap
+@section Network Tap
+@cindex network tap
+
+A network tap must be installed to provide Bro with access to live network traffic. 
+For Bro to be most effective, access to the network must be full-bandwidth (no bandwidth limitations) and full-duplex. A passive tap is recommended to ensure minimal impact on network operations.
+
+Normally the network tap for Bro should be placed behind an external firewall and on the DMZ 
+(the portion of the network under the control of the organization but outside of the internal firewall), 
+as shown in the figure below. Some organizations might prefer to install the network tap before 
+the firewall in order to detect all scans or attacks.  Placing Bro before the firewall will allow
+the organization to better understand attacks, but will produce a much high number of alarms and alerts. Another option is to place Bro inside the internal firewall, allowing it to detect internal hosts with viruses or worms.
+In addition to the connection to the network tap, a separate network connection is required 
+for management of Bro and access to log files.
+
+For more information on taps and tap placement see the Netoptics White paper titled @emph{Deploying Network Taps with Intrusion Detection Systems} (@uref{http://www.netoptics.com/products/pdf/Taps-and-IDSs.pdf}).
+
+@float Figure, tap location
+@image{bro-deployment,6.3in}
+@caption{Typical location for network tap and Bro system}
+@end float
+
+@node Hardware and Software Requirements
+@section Hardware and Software Requirements
+
+Bro requires no custom hardware, and runs on low-cost commodity PC-style system.
+However, the Bro monitoring host must examine every packet into and out of 
+your site, so depending on your sites network traffic, you may need a fairly high-end machine.
+If you are trying to monitor a link with a large number of connections, we recommend using
+a second system for report generation, and run only Bro on the capture host.
+
+@quotation
+@multitable  @columnfractions .25 .75
+@comment only work with texiinfo 4.7 or higher: @headitem Item @tab Requirements
+@item @strong{Item} @tab @strong{Requirements}
+
+@item @strong{Processor}
+@tab 1 GHz CPU (for 100 BT Ethernet with average packet rate <= 5,000 packets/second)
+@* 2 GHz CPU (for 1000 BT Ethernet with average packet rate <= 10,000 packets/second)
+@* 3 GHz CPU (for 1000 BT Ethernet with average packet rate <= 20,000 packets/second)
+@* 4 GHz CPU (for 1000 BT Ethernet with average packet rate <= 50,000 packets/second)
+@* (Note: these are @strong{very} rough estimates, and much depends on the types of
+traffic on your network (e.g.: http, ftp, mail, etc.). See the Performance chapter of the Bro User Guide for more information)
+
+@item @strong{Operating System}
+@tab FreeBSD 4.10 (@uref{http://www.freebsd.org/})  Bro works with Linux 
+and Solaris as well, 
+but the performance is best under FreeBSD. In particular there are some performance issues with 
+packet capture under Linux. See the User Guide chapter on Bro and Linux for more information. FreeBSD 5.x should work, but may have performance issues. For sites with very high traffic loads, contact us for information on a FreeBSD 4.x patch to do @emph{bpf bonding}
+
+@item @strong{Memory}
+@tab 1 GB RAM is the minimum needed, but 2-3 GB is recommended
+
+@item @strong{Hard disk}
+@tab 10 GByte minimum, 50 GByte or more for log files recommended
+
+@item @strong{User privileges}
+@tab @emph{superuser} to install Bro, then Bro runs as user @emph{bro}
+
+@item @strong{Network Interfaces}
+@tab 3 interfaces are required: 2 for packet capture (1 for each direction), and 1 for host management. Capture interfaces should be identical.
+
+@item @strong{Other Software}
+@* - Perl version 5.6 or higher (@uref{http://www.perl.org})
+@* - libpcap version 0.8 or higher (@uref{http://www.tcpdump.org})
+@* - tcpdump version 3.8 or higher (@uref{http://www.tcpdump.org})
+@* Note: FreeBSD 4.x comes with older versions perl, libpcap, and tcpdump. Bro
+requires newer versions of these tools.
+
+@end multitable
+@end quotation
diff --git a/doc/quick-start/Bro-running.texi b/doc/quick-start/Bro-running.texi
new file mode 100644
index 0000000000..6fd2d95d0a
--- /dev/null
+++ b/doc/quick-start/Bro-running.texi
@@ -0,0 +1,316 @@
+
+@menu
+* Starting Bro ::
+* Bro Scripts ::
+* Sending (E-mail) Bro Reports ::
+* Reading a Bro Report ::
+@end menu
+
+@node Starting Bro 
+@section Starting Bro 
+@cindex starting Bro
+@cindex bro.rc
+
+Bro is automatically started at boot time via the @command{bro.rc} 
+script,
+( located in /usr/local/bro/etc and /usr/local/etc/rc.d on FreeBSD or 
+/usr/init.d on Linux )
+
+To run this script by hand, type:
+@example
+bro.rc start
+@end example
+or
+@example
+bro.rc checkpoint
+@end example
+or 
+@example
+bro.rc stop
+@end example
+
+Use @code{checkpoint} to restart Bro, loading a new policy file.
+
+To get feel for what Bro logs will look like on your traffic, do the following:
+
+Generate some "offline" data to play with:
+
+@example
+ # tcpdump -s 0 -w trace.out 
+@end example
+
+Kill off the tcpdump after capturing traffic for a few minutes (use ctrl-C),
+then to run Bro against this captured trace file:
+
+@example
+ # setenv BROHOME /usr/local/bro
+ # setenv BROPATH $BROHOME/site:$BROHOME/policy
+ # bro -r trace.out hostname.bro 
+@end example
+
+
+@node Bro Scripts
+@section Bro Scripts
+@cindex bro_generate_report
+@cindex bro_log_compress
+@cindex check_disk
+@cindex managing disk space
+
+Installing Bro automatically creates the following @command{cron} jobs, 
+which are
+automatically run on a specified interval.
+
+@itemize
+@item @command{site-report.pl}: generates an email report of all alarms 
+and alerts
+@item @command{mail_reports.sh}: send email reports 
+@end itemize
+
+These scripts can also all be run by hand at any time.
+
+Bro log files can get quick large, and it is important to make sure that 
+the Bro disk
+does not fill up. Bro includes some simple scripts to help manage disk 
+space. Most
+sites will want to customize these for their own requirements, and 
+integrate them into their
+backup system to make sure files are not removed before they are 
+archived.
+
+@itemize
+@item @command{check_disk.sh}: check for low disk space, and send email 
+@item @command{bro_log_compress.sh}: removes/compresses old log files 
+@end itemize
+
+These scripts can be customized by editing their settings in 
+@code{$BROHOME/etc/bro.cfg}.
+The settings are as follows:
+@itemize
+@item @command{check_disk.sh}: 
+@itemize
+@item @command{diskspace_pct}: when disk is >= this percent full, send 
+email
+@item @command{diskspace_watcher}: list of email addresses to send mail 
+to
+@end itemize
+@end itemize
+
+@itemize
+@item @command{bro_log_compress.sh}: 
+@itemize
+@item @command{Days2deletion}: remove files more than this many days old 
+(default = 60)
+@item @command{Days2compression}: compress files more than this many days 
+old (default = 30)
+@end itemize
+@end itemize
+
+
+
+@node Sending (E-mail) Bro Reports
+@section Sending (E-mail) Bro Reports
+@cindex e-mail reports
+@cindex internal report
+@cindex external report
+
+A daily 'internal' report is created that covers three sets of 
+information:
+
+@itemize
+@item Incident information
+@item Operational status of Bro
+@item General network traffic information
+@end itemize
+
+If the local organization is asked to report incidents to another 
+incident analysis organization (i.e. CERT, CIAC, FedCIRC, etc.) an 
+auxiliary 'external' report can be created that only contains the 
+incident information.  These reports are stored in $BRODIR/reports.
+
+The two reports will be mailed to the e-mail addresses specified during 
+Bro installation.  These e-mail addresses can be changed by re-running 
+the bro_config script or by editing $BROHOME/etc/bro.cfg  directly.  Each 
+report has it's own set of e-mail addresses.  If it is desired to send 
+the auxiliary report directly to the external incident analysis 
+organization without inspection, enter their e-mail address directly.  
+Otherwise, have the external e-mail sent to someone who can inspect and 
+forward it appropriately.
+
+@node Reading a Bro Report
+@section Reading a Bro Report
+@cindex incident
+@cindex incident type
+@cindex report period
+@cindex alarm
+@cindex connection, successful
+@cindex connection, unsuccessful
+@cindex connection, history
+@cindex scans
+@cindex system statistics
+@cindex traffic statistics
+
+The report is divided into three parts, the summary, incidents, and 
+scans.  The summary includes a rollup of incident information, Bro 
+operational statistics, and network information.  The incidents section 
+has details for each Bro alarm.  The scans section gives details about 
+scans that Bro detected.
+
+@subsection Parts of a Report
+
+@subsubheading Summary
+@quotation
+@strong{Report Period:} The beginning and ending date/times that define 
+the window of network data used to produce the report.  
+@*@*
+@strong{Incident Count:} The number of each type of incident that are 
+detailed in the report period
+@*@*
+@strong{System Statistics:} Operating system statistics that give some 
+idea of the 'health' of Bro's operation.
+@*@*
+@strong{Traffic Statistics:} Statistics gathered by Bro that may or may 
+not have significant value in evaluating intrusions, but are useful in 
+understanding the network environment.
+@end quotation
+
+@subsubheading Incidents
+@quotation
+@strong{Incident:} Each incident generated by the Bro installation is 
+assigned a unique identification number.  This number is unique for all 
+incidents, not just to the daily report.
+@*@*
+@strong{Incident Type:} Bro can detect attacks, but cannot make a 
+definitive judgment if an attack is successful without further 
+investigation and/or knowledge of the unique network environment.  Bro 
+uses an expert knowledge algorithm to make a determination if an incident 
+is 'Likely Successful', 'Unknown' (not enough information to make a 
+guess), or 'Likely Unsuccessful'.
+@*@*
+@strong{Local Host:} The local computer involved in the incident; usually 
+the victim.
+@*@*
+@strong{Remote Host:} The remote computer involved in the incident; 
+usually the attacker.
+@*@*
+@strong{Alarm(s}:) The network event(s) that Bro detected and identified 
+as probable attacks.
+@*@*
+@strong{Successful Connections:} Connections where one host initiates a 
+network request and the other host participates in the subsequent 
+requested transactions.
+@*@*
+@strong{Unsuccessful Connections:} Connections where one host initiates a 
+network request and the other host refuses the request.
+@*@*
+@strong{Unknown Connections:} Connections where one host initiated a 
+network request, but it is unclear if the other host participated in a 
+successful transaction.
+@*@*
+@strong{Connections History:} A summary tabulation of successful and 
+unsuccessful connections made in specific time periods.  The tabulations 
+are accumulative.  That is, the connections counted under 3 days will 
+also be counted in each subsequent column.
+@end quotation
+
+@subsubheading Scans
+Scans are repetitive (similar) probes, searching several victim hosts for 
+vulnerabilities.  The scan section gives the attack host instigating the 
+scan, the date/time of the scan, and the ports that were probed. 
+
+@subsection Example Report:
+
+@example
+@verbatim
+Bro Report                                              Organization Name 
+=========================================================================
+Summary                        July 28, 2004 17:01 to July 29, 2004 17:00
+=========================================================================
+ Incident       Likely Successful          1	
+ Summary        Unknown                    0			
+                Likely Unsuccessful        0
+                Scans                     10
+
+ System         Bro disk space:   <% at time of report generation>
+ Statistics     Bro Process cpu:  <time>
+                Bro restarts:     <date/time>
+                System reboots:   <date/time>
+
+ Traffic        Number of packets:       <count>
+ Statistics     Number of valid packets: <count>  <% of total>
+                Protocol summary
+                Http: <count>   <% of total>
+                SSH : <count>   <% of total>
+                SMTP: <count>   <% of total>
+                Etc.
+                Average bandwidth:
+                Peak bandwidth:
+=========================================================================
+Incident Details
+                       legend for connection type
+                > connection initiated by remote host
+                < connection initiated by local host
+                # number corresponds to alarm triggered by the connection
+                * successful connection, otherwise unsuccessful
+=========================================================================
+Incident     ORGCODE-000002                             LIKELY SUCCESSFUL
+---------------------
+Remote Host: 84.136.138.21   p54877614.dip.hacker.net
+ Local Host: 124.333.183.162 pooroljoe.dhcp.org.com
+
+Alarm(s) 1 MS-SQL xp_cmdshell - program execution
+           Jul 29 12:43 84.135.118.20 -> 128.3.183.62
+         2 TFTP Get Runtime.exe
+           Jul 29 12:43 128.3.183.62 -> 84.135.118.20
+
+Connections (only first 25 after alarm are listed)
+-----------
+                 time      byte   remote       local    byte
+ date   time   duration  transfer  port  type   port  transfer  protocol
+----- -------- -------- --------- -----  ---- ------ --------- ----------
+07/29 12:43:31        ?     566 b  4634  1  >  1433      467 b  tcp/MSSQL
+07/29 12:43:31        0         ?  2318  2 <     69       20 b  udp/tftp
+07/29 12:43:32    265.7       4 b  4638  * <   2318      3.0kb  udp
+07/29 12:48:56        ?         ?  4640     >  2362          ?  tcp
+07/29 12:50:05        ?    11.4kb  4639  * <   3333      8.6kb  tcp
+07/29 12:53:00        0         ?  4684  *  >  2362          ?  tcp
+07/29 12:53:07        ?         ?  4685  *  >  2362          ?  tcp
+07/29 12:53:59        ?         ?  4689  *  >  2362          ?  tcp
+07/29 12:54:14      6.1         0  4693  * <   2380     94.2kb  tcp
+07/29 12:54:21       .5      50 b  4694     >  2381          0  tcp
+07/29 12:54:23       .7         ?  4695    <   2382          0  tcp
+07/29 12:54:25       .5      51 b  4696  *  >  2383          0  tcp
+07/29 12:54:27       .5      61 b  4697  *  >  2384          0  tcp
+07/29 12:54:28       .7      39 b  4698     >  2385          0  tcp
+07/29 12:54:31       .5      41 b  4699  *  >  2386          0  tcp
+07/29 12:54:33      1.2    4.9 kb  4700     >  2387          0  tcp
+07/29 12:54:35     12.8  195.0 kb  4701  * <   2388          0  tcp
+07/29 12:54:53       .2         ?  4703    <   2390          0  tcp
+07/29 12:54:54       .5      37 b  4704     >  2391          0  tcp
+07/29 12:54:56      3.4      23 b  4705  *  >  2392          0  tcp
+07/29 12:55:04     21.4  308.7 kb  4706     >  2393          0  tcp
+07/29 12:55:27     50.7         ?  4707     >  2394          ?  tcp
+07/29 12:59:23        ?         ?  4775     >  1433          ?  tcp
+07/29 12:59:25        ?         ?  4774  *  >  3333          ?  tcp
+
+Remote Host Connection History (all successful/unsuccessful to site)
+      24 hrs     |      3 days      |      7 days     |      30 days
+-------------------------------------------------------------------------
+       14/10     |        0/0       |        0/0      |        0/0
+-------------------------------------------------------------------------
+  Total since remote host first seen on 07/29/04: 14/10
+
+=========================================================================
+Scans
+=======================================================================
+==
+Date Dropped		Host			             Port Scanned
+-------------------------------------------------------------------------
+Jul 29 13:14 n219077002119.netvigator.com                     (3128/tcp)
+Jul 29 13:23 node1.lbnl.nodes.planet-lab.org                  (49702/tcp)
+Jul 29 13:30 213-145-189-50.dd.nextgentel.com                 (4899/tcp)
+Jul 29 13:32 211.55.52.67                                     (1034/tcp)
+Jul 29 13:52 user-69-1-11-116.knology.net                     (3128/tcp)
+
+*************************************************************************
+@end verbatim
+@end example
diff --git a/doc/quick-start/Makefile.am b/doc/quick-start/Makefile.am
new file mode 100644
index 0000000000..5670736a60
--- /dev/null
+++ b/doc/quick-start/Makefile.am
@@ -0,0 +1,29 @@
+prefix = @prefix@
+bro_dir         = ${prefix}/bro
+
+EXTRA_DIST = README.txt bro.css bro-deployment.pdf \
+	bro-deployment.png Bro-installation.texi \
+	Bro-overview.texi Bro-quick-start.pdf \
+	Bro-quick-start.texi Bro-requirements.texi \
+	Bro-running.texi Bro-quick-start
+
+clean-local: doc-clean
+
+doc: html pdf
+
+pdf: 
+	texi2dvi -s --clean --pdf Bro-quick-start.texi
+
+html:
+	@rm -rf Bro-quick-start
+	makeinfo --css-include=bro.css  --html Bro-quick-start.texi
+	@cp *.png Bro-quick-start
+
+doc-clean:
+	@echo "cleaning Quick Start Guide"
+	@rm -f *.log Bro-quick-start/*
+
+doc-distclean: clean
+	@rm Makefile
+
+
diff --git a/doc/quick-start/README.txt b/doc/quick-start/README.txt
new file mode 100644
index 0000000000..bf5d55c0b7
--- /dev/null
+++ b/doc/quick-start/README.txt
@@ -0,0 +1,8 @@
+
+to generate html:
+  makeinfo --css-include=bro.css --html Bro-quick-start.texi
+
+to generate PDF:
+
+ texi2dvi --clean --pdf Bro-quick-start.texi
+
diff --git a/doc/quick-start/bro-deployment.pdf b/doc/quick-start/bro-deployment.pdf
new file mode 100644
index 0000000000..20b4432d09
Binary files /dev/null and b/doc/quick-start/bro-deployment.pdf differ
diff --git a/doc/quick-start/bro-deployment.png b/doc/quick-start/bro-deployment.png
new file mode 100644
index 0000000000..6c4568c042
Binary files /dev/null and b/doc/quick-start/bro-deployment.png differ
diff --git a/doc/quick-start/bro.css b/doc/quick-start/bro.css
new file mode 100644
index 0000000000..0bebab8e63
--- /dev/null
+++ b/doc/quick-start/bro.css
@@ -0,0 +1,43 @@
+/* 
+ * Custom nllite stylesheet
+ */
+body {  
+  font-family: Verdana, Arial, serif;
+}
+H1 {  
+  color: #339933;
+}
+A:link, A:active, A:visited, A:hover { 
+  color: #3333ff;
+  text-decoration: none; 
+}
+A:hover {
+  border-bottom: 1px dotted red;
+  color: red;
+  text-decoration: none;
+}
+ul.menu { 
+  list-style-type: circle;
+  list-style-position: inside;
+  padding: 5px;
+  background-color: #ccffcc;
+  border: 1px dashed #333333;
+}
+hr { 
+  display: none;
+}
+div.node { 
+  font-size: 12px;
+  font-weight: bold;
+  background-color: #ccffcc;
+/*
+  line-height: 0;
+*/
+  padding: 0.5em;
+}
+table.cartouche { 
+  background-color: white;
+}
+table { 
+  border: none;
+}
diff --git a/doc/ref-manual/Bro-Ref-Manual.pdf b/doc/ref-manual/Bro-Ref-Manual.pdf
new file mode 100644
index 0000000000..bac11c462e
Binary files /dev/null and b/doc/ref-manual/Bro-Ref-Manual.pdf differ
diff --git a/doc/ref-manual/Bro-Ref-Manual.texi b/doc/ref-manual/Bro-Ref-Manual.texi
new file mode 100644
index 0000000000..d0c1067d3a
--- /dev/null
+++ b/doc/ref-manual/Bro-Ref-Manual.texi
@@ -0,0 +1,96 @@
+\input texinfo   @c -*-texinfo-*-
+@comment $Id: Bro-Ref-Manual.texi 958 2004-12-21 16:51:44Z tierney $
+@comment %**start of header
+@setfilename Bro-reference-manual.info
+@settitle Bro Reference Guide 
+@setcontentsaftertitlepage 
+@comment %**end of header
+
+
+@set VERSION 0.8-alpha
+@set UPDATED 6-1-2004
+
+@copying
+This the Installation and User Manual is for Bro-Lite
+(version @value{VERSION}, @value{UPDATED}).
+
+This software is copyright @copyright{} 
+1995-2004, The Regents of the University of California
+and the International Computer Science Institute.  All rights reserved.
+
+For further information about this notice, contact:
+
+Vern Paxson
+email: @email{vern@@icir.org}
+
+@end copying
+
+@dircategory Bro
+@direntry
+* Bro: Network Intrution Detection System
+@end direntry
+
+@ifnottex
+@node Top
+@top Bro Reference Manual
+@copyright{} Lawrence Berkeley National Laboratory
+@end ifnottex
+
+@titlepage
+@title Bro Reference Manual
+@subtitle for version @value{VERSION}, @value{UPDATED}
+@author Vern Paxson, Brian Tierney
+@author Contact: @email{vern@@icir.org})
+@author @uref{http://www.bro-ids.org/}
+@page
+@insertcopying
+@vskip 0pt plus 1filll
+@end titlepage
+
+@contents
+
+@ifnothtml
+@unnumbered Figures and Tables
+@listoffloats Figure
+@*
+@listoffloats Table
+@end ifnothtml
+
+@menu
+* Introduction::
+* Getting Started::
+* Values::
+* Statements and Expressions::  
+* Global and Local Variables::  
+* Predefined Variables and Functions::
+* Analyzers and Events::        
+* Signatures::        
+* Interactive Debugger::        
+* Missing Documentation::
+* References::
+* Index::
+@end menu
+
+@include intro.texi
+@include started.texi
+@include values.texi
+@include stmts.texi
+@include vars.texi
+@include predefined.texi
+@include analysis.texi
+@include signatures.texi
+@include debugger.texi
+@include todo.texi
+@include references.texi
+
+@node Index
+@unnumbered Index
+@printindex cp
+Variable Index
+@printindex vr
+Function Index
+@printindex fn
+
+@contents
+@bye
+
diff --git a/doc/ref-manual/Makefile.am b/doc/ref-manual/Makefile.am
new file mode 100644
index 0000000000..31c7e87751
--- /dev/null
+++ b/doc/ref-manual/Makefile.am
@@ -0,0 +1,27 @@
+
+prefix = @prefix@
+bro_dir         = ${prefix}/bro
+
+EXTRA_DIST = README.txt bro.css Bro-Ref-Manual.texi \
+	analysis.texi debugger.texi intro.texi \
+	predefined.texi references.texi signatures.texi \
+	started.texi stmts.texi todo.texi values.texi \
+	vars.texi Bro-reference-manual
+
+clean-local: doc-clean
+
+doc: html pdf
+pdf: 
+	texi2dvi -s --clean --pdf Bro-Ref-Manual.texi
+
+html:
+	@rm -rf $(prefix)/Bro-reference-manual
+	makeinfo --css-include=bro.css --html Bro-Ref-Manual.texi
+
+doc-clean:
+	@echo "cleaning  Reference Manual"
+	@rm -f *.log Bro-reference-manual/*
+
+doc-distclean: clean
+	@rm Makefile
+
diff --git a/doc/ref-manual/README.txt b/doc/ref-manual/README.txt
new file mode 100644
index 0000000000..8dfeda876c
--- /dev/null
+++ b/doc/ref-manual/README.txt
@@ -0,0 +1,8 @@
+
+to generate html:
+  makeinfo --css-include=bro.css  --html Bro-Ref-Manual.texi
+
+to generate PDF:
+
+ texi2dvi --clean --pdf Bro-Ref-Manual.texi
+
diff --git a/doc/ref-manual/analysis.texi b/doc/ref-manual/analysis.texi
new file mode 100644
index 0000000000..af3f837588
--- /dev/null
+++ b/doc/ref-manual/analysis.texi
@@ -0,0 +1,6110 @@
+
+@node Analyzers and Events
+@chapter Analyzers and Events
+
+@cindex analyzers
+@cindex scripts, standard
+@cindex standard scripts
+In this chapter we detail the different analyzers that Bro provides.
+Some analyzers look at traffic in fairly generic terms, such as at
+the level of TCP or UDP connections.  Others delve into the specifics
+of a particular application that is carried on top of TCP or UDP.
+
+As we use the term here, @emph{analyzer} primarily refers to Bro's event
+engine.  We use the term @emph{script} to refer to a set of event handlers
+(and related functions and variables) written in the Bro language;
+@emph{module} to refer to a script that serves primarily to provide utility
+(helper) functions and variables, rather than event handlers; and
+@emph{handler} to denote an event handler written in the Bro language.
+Furthermore, the @emph{standard script} is the
+script that comes with the Bro distribution for handling the events
+generated by a particular analyzer.
+
+Note: However, we also sometimes use @emph{analyzer} to refer to the event
+handler that processes events generated by the event engine. 
+
+We characterize the analyzers in terms of @emph{what} events they
+generate, but don't here go into the details of @emph{how} they
+generate the events (i.e., the nitty gritty C++ implementations of
+the analyzers).
+
+@menu
+* Activating an Analyzer::	
+* Module Facility::	
+* General Processing Events::	
+* Generic Connection Analysis::	 
+* Site-specific information::	
+* hot Analyzer::		
+* scan Analyzer::		
+* port-name Analysis Script::		
+* brolite Analysis Script::			
+* alarm Analysis Script::			
+* active Analysis Script::		
+* demux Analysis Script::		
+* dns Analysis Script::			
+* finger Analyzer::		
+* frag Analysis Script::			
+* hot-ids Analysis Script::		
+* ftp Analyzer::		
+* http Analyzer::		
+* ident Analyzer::		
+* irc Analyzer::
+* login Analyzer::		
+* pop3 Analyzer::		
+* portmapper Analyzer::		
+* analy Analyzer::		
+* signature Analysis Script::		
+* SSL Analyzer::		
+* weird Analysis Script::		
+* icmp Analyzer::		
+* stepping Analyzer::		
+* ssh-stepping Analysis Script::		
+* backdoor Analyzer::		
+* interconn Analyzer::		
+@end menu
+
+@node Activating an Analyzer,
+@section Activating an Analyzer
+
+@cindex analyzers, activating
+@cindex analyzers, instantiating
+@cindex performance, analysis tradeoffs
+In general, Bro will only do the work associated with a particular
+analyzer if your policy script defines one or more event handlers
+associated with the analyzer.  For example, Bro will
+instantiate an FTP analyzer only if your script defines an
+@code{ftp_request} or @code{ftp_reply} handler.  If it doesn't, then
+when a new FTP connection begins, Bro will only instantiate a
+generic TCP analyzer for it.  This is an important point, because
+some analyzers can require Bro to capture a large volume of
+traffic (See @ref{Filtering}) and perform a lot of computation;
+therefore, you need to have a way to trade off between the type
+of analysis you do and the performance requirements it entails,
+so you can strike the best balance for your particular monitoring needs.
+
+@emph{Deficiency: While Bro attempts to instantiate an analyzer if you define a handler for any of the events the analyzer generates, its method for doing so is incomplete: if you only define an analyzer's less mainstream handlers, Bro may fail to instantiate the analyzer.}
+
+@menu
+* Loading Analyzers::		
+* Filtering::			
+@end menu
+
+@node Loading Analyzers,
+@subsection Loading Analyzers
+
+@cindex analyzers,loading
+The simplest way to use an analyzer is to @code{@@load} the standard script
+associated with the analyzer.  (See @ref{load directive} for a discussion
+of @code{@@load}).  However, there's nothing magic about these scripts; you can
+freely modify or write your own.  The only caveat is that some scripts
+@code{@@load} other scripts, so the original version may wind up being loaded
+even though you've also written your own version.
+@emph{Deficiency: It would be useful to have a mechanism to fully override one script with another.}
+
+In this chapter we discuss each of the standard scripts
+as we discuss their associated analyzers.
+
+@node Filtering,
+@subsection Filtering
+
+@cindex filters
+@cindex analyzers, filtering
+@cindex performance, filtering
+Most analyzers require Bro to capture a particular type of network traffic.
+These traffic flows can vary immensely in volume, so different analyzers
+can cost greatly differing amounts in terms of performance.
+Bro declares two redefinable tables in @code{pcap.bro}
+that have special interpretations with regard to filtering:
+
+@example
+    global capture_filters: table[string] of string &redef;
+    global restrict_filters: table[string] of string &redef;
+@end example
+
+The key strings serve as a user-definable identifier for the filter
+strings they are associated with.  The entries of the @code{capture_filters}
+table define what traffic Bro @emph{should} capture, while @code{restrict_filters}'
+entries @emph{limit} what traffic Bro captures. Bro builds the following @code{tcpdump}
+filter from both tables:
+@quotation
+(@emph{OR of capture_filters' entries}) and (@emph{AND of restrict_filters' entries})
+@end quotation
+
+@cindex restricting traffic
+@cindex traffic, restricting
+@cindex excluding hosts
+@cindex hosts, excluding
+Thus, repeated @ref{Refinement}s of @code{capture_filters} using the @code{+=} initializer
+are combined using logical ``OR''s, whereas for @code{restrict_filters} ``AND''s are
+used.  This follows from the tables' respective purposes---@code{capture_filters}
+permits @emph{any} of its components, while @code{restrict_filters} rejects
+everything that does not comply with @emph{all} of its components.
+
+@cindex filtering, default
+@cindex default, filtering
+If you do not define @code{capture_filters}, then its value
+is set to ``@code{tcp or udp}'';
+if you do not define @code{restrict_filters}, then no restriction is
+in effect.
+
+Here is an example. If you specify:
+@example
+    redef capture_filters = @{ ["HTTP"] = "port http" @};
+    redef restrict_filter = @{ ["mynet"] = "net 128.3" @};
+@end example
+
+then the corresponding @code{tcpdump} filter will be:
+@example
+    (port http) and (net 128.3)
+@end example
+
+which will capture only the TCP port 80 traffic that has either a source
+or destination address belonging to the @code{128.3} network (i.e.,
+@code{128.3/16}). A more complex example:
+
+@example
+    redef capture_filters += @{ ["DNS"] = "udp port 53" @};
+    redef capture_filters += @{ ["FTP"] = "port ftp" @};
+
+    redef restrict_filters += @{ ["foonet"] = "net 128.3" @};
+    redef restrict_filters += @{ ["noflood"] = "not host syn-flood.magnet.com" @};
+@end example
+
+yields this @code{tcpdump} filter:
+
+@example
+    ((udp port 53) or (port ftp)) and ((net 128.3) and (not host syn-flood.magnet.com))
+@end example
+
+@cindex filters, displaying
+As you add analyzers, the final @code{tcpdump} filter can become quite
+complicated.  You can load the predefined @code{print-filter} script
+to print out the resulting filter.
+This script handles the @code{bro_init} event and exits Bro after printing
+the filter.  Its intended use is that you can add it to the Bro command
+line (``@code{bro @emph{my-own-script} print-filter}'') when you want to
+see what filter the script @emph{my-own-script} winds up using.
+
+@cindex debugging,filtering problems
+@cindex filters,errors
+@cindex tcpdump,bugs
+@cindex bugs,tcpdump
+
+There are two particular uses for @code{print-filter}.  The first is to debug
+filtering problems.  Unfortunately, Bro sometimes
+uses sufficiently complicated expressions that they tickle bugs in
+@code{tcpdump}'s optimizer.  You can take the filter printed out for
+your script and try running it through @code{tcpdump} by hand, and
+then also try using @code{tcpdump}'s
+@code{-O} option to see if turning
+off the optimizer fixes the problem.
+@cindex shadowing
+The second use is to provide a @emph{shadow} backup to Bro: that is,
+a version of @code{tcpdump}
+running either on the same machine or a
+separate machine that uses the same network filter as Bro.  While
+@code{tcpdump} can't perform any analysis of the traffic, the shadow
+guards against the possibility of Bro crashing, because if it does,
+you will still have a record of the subsequent network traffic which
+you can run through Bro for post-analysis.
+
+@cindex filters
+@cindex analyzers, filtering
+
+@node Module Facility
+@section Module Facility
+
+The module facility implements namespaces. Everything is in some namespace
+or other. The default namespace is called "GLOBAL" and is searched by
+default when doing name resolution. The scoping operator is "::" as in
+C++. You can only access things in the current namespace, things in the
+GLOBAL namespace, or things that have been explicitly exported from a
+different namespace. Exported variables and functions still require
+fully-qualified names. The syntax is as follows:
+
+@verbatim
+module foo;  # Sets the current namespace to "foo"
+  export {
+    int i;
+    int j;
+  }
+  int k;
+
+module bar;
+  int i;
+
+  foo::i = 1;
+  bar::i = 2;
+  print i;    # bar::i (since we're currently in module bar)
+  j = 3;      # ERROR: j is exported, but the fully qualified name
+              #        foo::j is required
+  foo::k = 4; # ERROR: k is not exported
+
+@end verbatim
+
+The same goes for calling functions.
+
+One restriction currently in place is that variables not in the "GLOBAL"
+namespace can't shadow those in GLOBAL, so you can't have:
+
+@example
+    module GLOBAL;
+    global i: int;
+
+    module other_module;
+    global i: int;
+@end example
+
+It is a little confusing that the "global" declaration really only means
+that the variable i is global to the current module, not that it is truly
+global and thus visible everywhere (that would require that it be in
+GLOBAL, or if using the full name is okay, that it be exported).  Perhaps
+there will be a change to the syntax in the future to address this.
+
+The "module" statement cuts across @@load commands, so that if you say:
+
+@example
+    module foo;
+    @@load other_script;
+@end example
+
+then other_script will be in module foo. Likewise if other_script changes
+to module bar, then the current module will be module bar even after
+other_script is done.  However, this functionality may change in the future
+if it proves problematic.
+
+The policy scripts in the Bro distribution have not yet been updated to
+use it, but there is a backward-compatibility feature so that existing
+scripts should work without modification. In particular, everything is
+put in GLOBAL by default.
+
+
+@node General Processing Events,
+@section General Processing Events
+
+@cindex general Bro processing events
+@cindex events, general Bro processing
+Bro provides the following events relating to its overall processing:
+
+@table @samp
+@cindex initialization event
+@cindex startup, event
+@cindex events, initialization
+@cindex events, startup
+@item @code{bro_init ()} 
+is generated when Bro first starts up.  In particular, after Bro has initialized
+the network (or initialized to read from a save file) and executed any
+initializations and global statements, and just before
+Bro begins to read packets from the network input source(s).
+
+@cindex termination event
+@cindex finish event
+@cindex network cleanup event
+@cindex events, termination
+@cindex events, finish
+
+@item @code{net_done (t: time)}
+generated when Bro has finished reading from the network,
+due to either having exhausted reading the save file(s), or having
+received a terminating signal (See @ref{General Processing Events}).  @emph{Deficiency: This event is generated on a terminating signal even if Bro is not reading network traffic. }  @code{t} gives the time at which network processing
+finished.
+
+This event is generated @emph{before} @code{bro_done}.  Note: If Bro
+terminates due to an invocation of @code{exit}, then this event is
+@emph{not} generated. 
+
+@cindex termination event
+@cindex finish event
+@cindex cleanup event
+@cindex events, termination
+@cindex events, finish
+
+@item @code{bro_done ()}
+generated when Bro is about to terminate, either due to having exhausted
+reading the save file(s), receiving a terminating signal
+(See @ref{General Processing Events}), or because Bro was run without the network input
+source and has finished executing any global statements .
+
+This event is generated @emph{after} @code{net_done}.  If you have cleanup
+that only needs to be done when processing network traffic, it likely is
+better done using @code{net_done}.  Note: If Bro terminates due to an
+invocation of @code{exit}, then this event is @emph{not} generated.  
+
+@cindex signal handling
+@cindex handling signals
+@cindex SIGTERM
+ 
+@cindex TERM
+@cindex SIGINT
+ 
+@cindex SIGHUP
+ 
+@item @code{bro_signal (signal: count)}
+generated when Bro receives a signal.  Currently, the signals Bro
+handles are @emph{SIGTERM}, @emph{SIGINT}, and @emph{SIGHUP}.
+
+Receiving either of the first two terminates Bro, though if Bro is in the
+middle of processing a set of events, it first finishes with them before
+shutting down.  The shutdown leads to invocations of @code{net_done}
+and @code{bro_done}, in that order.  @emph{Deficiency: In this case, Bro fails to invoke @code{bro_signal}, clearly a bug. }
+
+Upon receiving @emph{SIGHUP}, Bro invokes @code{flush_all}  (in addition
+to your handler, if any).
+
+@cindex network statistics
+@cindex packets, drops
+@item @code{net_stats_update (t: time, ns: net_stats)}
+This event includes two arguments, @code{t}, the @code{time} at which
+the event was generated, and @code{ns}, a @code{net_stats} record,
+as defined in the example below.
+Regarding this second parameter,
+the @code{pkts_recvd} field gives the total number of packets accepted
+by the packet filter so far during this execution of Bro; @code{pkts_dropped}
+gives the total number of packets reported @emph{dropped} by the kernel;
+and @code{interface_drops} gives the total number of packets reported
+by the kernel as having been dropped by the network interface.
+
+Note: An important consideration is that, as shown by experience, the
+kernel's reporting of these statistics is not always accurate.
+In particular, the @code{$pkts_dropped}
+statistic is sometimes missing actual packet drops, and some operating
+systems do not support the @code{interface_drops} statistic at all.
+See the @code{ack_above_hole} event for an alternate
+way to detect if packets are being dropped.
+
+@end table
+
+@example
+type net_stats: record @{
+    # All counts are cumulative.
+    pkts_recvd: count;       # Number of packets received so far.
+    pkts_dropped: count;     # Number of packets *reported* dropped.
+    interface_drops: count;  # Number of drops reported by interface(s).
+@};
+@end example
+
+@node Generic Connection Analysis,
+@section Generic Connection Analysis
+
+@cindex analyzers, generic
+@cindex connection, analysis
+@cindex connection, generic analysis
+@cindex generic connection analysis
+The @code{conn} analyzer performs generic connection analysis:
+connection start time, duration, sizes, hosts, and the like.  You don't
+in general load @code{analyzer} directly, but instead do so implicitly
+by loading the  @code{tcp}, @code{udp}, or @code{icmp} 
+analyzers.
+Consequently, @code{analyzer} doesn't configure @code{capture_filters}
+by itself, but instead uses whatever is set up by these more specific
+analyzers.
+
+@code{conn} analyzes a number of events related to connections beginning
+or ending.  We first describe the @code{connection} record data type that
+keeps track of the state associated with each connection (See @ref{connection record}),
+and then we detail the events in @ref{Generic TCP connection events}.  The main output of its
+analysis are one-line connection summaries, which we describe in
+@ref{Connection summaries}, and in @ref{Connection functions} we give an overview
+of the different callable functions provided by @code{conn}.
+
+@code{conn} also loads three other Bro modules: the @code{hot}
+and @code{scan} analyzers, and the @code{port_name} utility
+module.
+
+@menu
+* connection record::		
+* Definitions of connections::	
+* Generic TCP connection events::  
+* tcp analyzer::		
+* udp analyzer::		
+* Connection summaries::	
+* Connection functions::	
+@end menu
+
+@node connection record,
+@subsection The @code{connection} record
+
+@cindex record, connection
+@cindex connection record
+
+@example
+type conn_id: record @{
+    orig_h: addr;  # Address of originating host.
+    orig_p: port;  # Port used by originator.
+    resp_h: addr;  # Address of responding host.
+    resp_p: port;  # Port used by responder.
+@};
+
+type endpoint: record @{
+    size: count;  # Bytes sent by this endpoint so far.
+    state: count; # The endpoint's current state.
+@};
+
+type connection: record @{
+    id: conn_id;        # Originator/responder addresses/ports.
+    orig: endpoint;     # Endpoint info for originator.
+    resp: endpoint;     # Endpoint info for responder.
+    start_time: time;   # When the connection began.
+    duration: interval; # How long it was active (or has been so far).
+    service: string;    # The service we associate with it (e.g., "http").
+    addl: string;       # Additional information associated with it.
+    hot: count;         # How many times we've marked it as sensitive.
+@};
+@end example
+
+@cindex connection, addresses
+@cindex connection, initiator
+@cindex connection, originator
+A connection record record holds the state associated with a connection,
+as shown in the example above.
+Its first field, @emph{id}, is
+defined in terms of the conn_id record, which has the
+following fields:
+
+@table @samp
+
+@item @code{orig_h}
+The IP address of the host that originated (initiated) the connection.
+In ``client/server'' terminology, this is the ``client.''
+
+@cindex connection, ports
+@item @code{orig_p}
+The TCP or UDP port used by the connection originator (client).  For
+ICMP ``connections'', it is set to 0 @ref{icmp Analyzer}.
+
+@cindex connection, addresses
+@cindex connection, initiator
+@cindex connection, originator
+@item @code{resp_h}
+The IP address of the host that responded (received) the connection.
+In ``client/server'' terminology, this is the ``server.''
+
+@cindex connection, ports
+@item @code{resp_p}
+The TCP or UDP port used by the connection responder (server).  For
+ICMP ``connections'', it is set to 0 @ref{icmp Analyzer}.
+
+@end table
+
+The @code{orig} and @code{resp} fields of a @code{connection}
+record both hold @code{endpoint} record values, which consist
+of the following fields:
+
+@table @samp
+@cindex connection, bytes
+@cindex connection, size
+@item @code{size}
+How many bytes the given endpoint has transmitted so far.  Note that
+for some types of filtering, the size will be zero until the connection
+terminates, because the nature of the filtering is to discard the
+connection's intermediary packets and only capture its start/stop packets.
+
+@cindex connection, state
+@item @code{state}
+The current state the endpoint is in with respect to the connection.
+The table below defines the different possible states
+for TCP and UDP connections.
+@emph{Deficiency:The states are currently defined as @code{count}, but should instead be an enumerated type; but Bro does not yet support enumerated types.}
+
+Note: UDP ``connections'' do not have a well-defined structure, so
+the states for them are quite simplistic.  See @ref{Definitions of connections} for
+further discussion. 
+
+@end table
+
+The remaining fields in a @code{connection}
+record are:
+
+@table @samp
+@cindex connection, start time
+@cindex beginning time of a connection
+@cindex start time of a connection
+@item @code{start_time}
+The time at which the first packet associated with this connection was seen.
+
+@cindex connection, duration
+@cindex duration of a connection
+@item @code{duration }
+How long the connection lasted, or, if it is still active, how long since
+it began.
+
+@cindex connection, service
+@cindex service associated with a connection
+
+@item @code{service}
+The name of the service associated with the connection.  For example,
+if @code{$id$resp_p} is @code{tcp/80}, then the service will be
+@code{"http"}.  Usually, this mapping is provided by the global variable, perhaps via the @code{endpoint_id} function; but
+the service does not always directly correspond to
+@code{$id$resp_p}, which is why it's a separate field.  In particular,
+an FTP data connection can have a @code{service} of @code{"ftp-data"}
+even though its @code{$id$resp_p} is something other than @code{tcp/20}
+(which is not consistently used by FTP servers).
+
+If the name of the service has not yet been determined, then this field
+is set to an empty string.
+
+@cindex connection, additional information
+@cindex information associated with a connection
+@cindex additional information associated with a connection
+
+@item @code{addl}
+Additional information associated with the connection.  For example,
+for a @emph{login} connection, this is the username associated with
+the login.
+
+@emph{Deficiency: A significant deficiency associated with the @code{addl} field is that it is simply a @code{string} without any further structure. In practice, this has proven too restrictive.  For example, we may well want to associate an unambiguous username with a login session, and also keep track of the names associated with failed login attempts.  (See the @code{login} analyzer for an example of how this is implemented presently.)  What's needed is a notion of @code{union} types which can then take on a variety of values in a type-safe manner. }
+
+If no additional information is yet associated with this connection,
+then this field is set to an empty string.
+
+@cindex connection, hot
+@cindex connection, sensitivity
+@cindex sensitivity associated with a connection
+
+@item @code{hot}
+How many times this connection has been marked as potentially sensitive
+or reflecting a break-in.  The default value of 0 means that so far the
+connection has not been regarded as ``hot''.
+
+Note: Bro does not presently make fine-grained use of this field; the
+standard scripts alarm on connections with a non-zero @code{hot} field,
+and do not in general alarm on those that do not, though there are exceptions.
+In particular, the @code{hot} field is @emph{not} rigorously maintained
+as an indicator of trouble; it instead is used loosely as an indicator
+of particular types of trouble (access to sensitive hosts or usernames).
+
+@end table
+
+@node Definitions of connections,
+@subsection Definitions of connections
+
+@cindex connection, definitions
+
+@cindex TCP, connections
+@cindex connection, TCP
+@cindex tcp_inactivity_timeout
+Connections
+for TCP are well-defined, because establishing and terminating a connection
+plays a central part of the TCP protocol. Beyond those, Bro enforces a hard
+connection timeout after the period of time specified through the
+@code{tcp_inactivity_timeout} variable, defined in bro.init.
+
+@cindex UDP, connections``connections''
+
+@cindex connection, UDP
+@cindex UDP, timeout
+@cindex udp_inactivity_timeout
+For UDP, a connection begins when host @emph{A} sends
+a packet to host @emph{B} for the first time, @emph{B} never having sent anything
+to @emph{A}.  This transmission is termed a @emph{request}, even if in fact
+the application protocol being used is not based on requests and replies.
+If @emph{B} sends a packet back, then that packet is termed a @emph{reply}.
+Each packet @emph{A} or @emph{B} sends is another request or reply.
+UDP connection timeouts are specified through the @code{udp_inactivity_timeout}
+variable, defined in bro.init.
+
+@cindex ICMP, connections
+@cindex connection, ICMP
+@cindex ICMP, timeout
+@cindex icmp_inactivity_timeout
+For ICMP, Bro likewise creates a connection the first time it sees
+an ICMP packet from @emph{A} to @emph{B}, even if @emph{B} previously sent a packet
+to @emph{A}, because that earlier packet would have been for a different
+@emph{transport} connection than the ICMP itself---the ICMP will likely
+@emph{refer} to that connection, but it itself is not part of
+the connection.  For simplicity, this holds even for ICMP ECHOs and
+ECHO_REPLYs; if you want to pair them up, you need to do so explicitly
+in the policy script.
+ICMP connection timeouts are specified through the @code{icmp_inactivity_timeout}
+variable, defined in bro.init.
+
+@node Generic TCP connection events,
+@subsection Generic TCP connection events
+
+@cindex events, generic TCP connection
+@cindex connection, events
+
+@cindex TCP, events
+@cindex TCP-specific connection events
+@cindex connection events, TCP-specific
+There are a number of generic events associated with TCP connections,
+all of which have a single @code{connection} record as their argument:
+
+@table @samp
+@cindex connection, new
+@cindex new connection
+@item @code{new_connection}
+Generated whenever state for a new (TCP) connection is instantiated.
+
+Note: Handling this event is potentially expensive.  For example,
+during a SYN flooding attack, every spoofed SYN packet will lead to
+a new @code{new_connection} event.
+
+@cindex connection, establishment
+@cindex established connections
+@item @code{connection_established}
+Generated when a connection has become established, i.e., both participating
+endpoints have agreed to open the connection.
+
+@cindex connection, attempt
+@cindex attempted connections
+@item @code{connection_attempt}
+Generated when the originator (client) has unsuccessfully attempted to
+establish a connection.  ``Unsuccessful'' is defined as at least
+@code{ATTEMPT_INTERVAL} seconds having elapsed since the client first
+sent a connection establishment packet to the responder (server),
+where @code{ATTEMPT_INTERVAL} is an internal Bro variable which is
+presently set to 300 seconds.
+@emph{Deficiency:This variable should be user-settable.}  If you want to
+@emph{immediately} detect that a client is attempting to connect to
+a server, regardless of whether it may soon succeed, then you want
+to handle the @code{new_connection} event instead.
+
+Note: Handling this event is potentially expensive.  For example,
+during a SYN flooding attack, every spoofed SYN packet will lead to
+a new @code{connection_attempt} event, albeit delayed by
+@code{ATTEMPT_INTERVAL.} 
+
+@cindex crud
+@cindex scanning, stealth
+@cindex stealth scans
+@cindex connection, partial
+@cindex partial connections
+
+@item @code{partial_connection}
+Generated when both connection endpoints enter the @code{TCP_PARTIAL} state
+This means that we have seen traffic generated by each endpoint, but
+the activity did not begin with the usual connection establishment.
+@emph{Deficiency:For completeness, Bro's event engine should generate another form of @code{partial_connection} event when a single endpoint becomes active (see @code{new_connection} below).  This hasn't been implemented because our experience is network traffic often contains a great deal of ``crud'', which would lead to a large number of these really-partial events.  However, by not providing the event handler, we miss an opportunity to detect certain forms of stealth scans until they begin to elicit some form of reply.}
+
+
+@float Table, Connection States
+@multitable  @columnfractions .25 .6
+@item @strong{State} @tab @strong{Meaning}
+@item @code{TCP_INACTIVE}
+@tab The endpoint has not sent any traffic.
+@item @code{TCP_SYN_SENT}
+@tab It has sent a SYN to initiated a connection.
+@item @code{TCP_SYN_ACK_SENT}
+@tab  It has sent a SYN ACK to respond to a connection request.
+@item @code{TCP_PARTIAL}
+@tab The endpoint has been active, but we did not see the beginning of the connection.
+@item @code{TCP_ESTABLISHED}
+@tab The two endpoints have established a connection.
+@item @code{TCP_CLOSED}
+@tab The endpoint has sent a FIN in order to close its end of the connection.
+@item @code{TCP_RESET}
+@tab The endpoint has sent a RST to abruptly terminate the connection.
+@item @code{UDP_INACTIVE}
+@tab The endpoint has not sent any traffic.
+@item @code{UDP_ACTIVE}
+@tab The endpoint has sent some traffic.
+@end multitable
+@caption{TCP and UDP connection states, as stored in an @code{endpoint} record}
+@end float
+
+@*
+
+
+@cindex connection, finished
+@cindex completed connections
+
+@item @code{connection_finished}
+Generated when a connection has gracefully closed.
+
+@cindex connection, rejected
+@cindex rejected connections
+
+@item @code{connection_rejected}
+Generated when a server rejects a connection attempt by a client.
+
+@cindex TCP Wrappers, reset vs. rejected connections
+Note: This event is only generated as the client attempts to establish
+a connection.  If the server instead accepts the connection and then
+later aborts it, a @code{connection_reset} event is generated (see below).
+This can happen, for example, due to use of TCP Wrappers.
+
+Note: Per the discussion above, a client attempting to connect to a server
+will result in @emph{one} of @code{connection_attempt},
+@code{connection_established}, or @code{connection_rejected}; they are
+mutually exclusive.
+
+@cindex connection, completion
+@cindex connection, half finished
+@cindex half-finished connections
+@item @code{connection_half_finished }
+Generated when Bro sees one endpoint of a connection attempt to gracefully
+close the connection, but the other endpoint is in the @code{TCP_INACTIVE}
+state.  This can happen due to @emph{split routing},
+in which Bro only sees one side of a connection.
+
+@cindex connection, reset
+@cindex reset connections
+@item @code{connection_reset}
+Generated when one endpoint of an established
+connection terminates the connection
+abruptly by sending a TCP RST packet.
+
+@cindex connection, partial close
+@cindex partially closed connections
+@item @code{connection_partial_close }
+Generated when a previously inactive endpoint attempts to close a connection
+via a normal FIN handshake or an abort RST sequence.  When it sends one
+of these packets, Bro waits @code{PARTIAL_CLOSE_INTERVAL} (an
+internal Bro variable set to 10 seconds) prior to generating the event,
+to give the other endpoint a chance to close the connection normally.
+
+@cindex connection, pending
+@cindex pending connections
+@item @code{connection_pending}
+Generated for each still-open connection when Bro terminates.
+
+@end table
+
+@node tcp analyzer,
+@subsection The @code{tcp} analyzer
+
+@cindex TCP, analysis
+@cindex SYN control packet
+@cindex FIN control packet
+@cindex RST control packet
+@cindex TCP control packets (SYN/FIN/RST)
+@cindex control packets (SYN/FIN/RST)
+@cindex packets, control (SYN/FIN/RST)
+The general @code{tcp} analyzer lets you specify that you're interested in
+generic connection analysis for TCP.  It
+simply @code{@@load}'s @code{conn} and adds the following
+to :
+@example
+    tcp[13] & 0x7 != 0
+@end example
+
+which instructs Bro to capture all TCP SYN, FIN and RST packets;
+that is, the control packets that delineate the beginning (SYN)
+and end (FIN) or abnormal termination (RST) of a connection.
+
+@node udp analyzer,
+@subsection The @code{udp} analyzer
+
+@cindex UDP, analysis
+The general @code{udp} analyzer lets you specify that you're interested in
+generic connection analysis for UDP.  It
+@code{@@load}'s both @code{hot} and @code{conn}, and defines two event handlers:
+
+@table @samp
+@item @code{udp_request (u: connection)}
+Invoked whenever a UDP packet is seen on the forward (request) direction of
+a UDP connection.  See @ref{Definitions of connections} for a discussion of how Bro
+defines UDP connections.
+
+The analyzer invokes @code{check_hot} with a mode of @code{CONN_ATTEMPTED}
+and then @code{record_connections} to generate a connection summary
+(necessary because Bro does not time out UDP connections, and hence
+cannot generate a connection-attempt-failed event).
+
+@item @code{udp_reply (u: connection)}
+Invoked whenever a UDP packet is seen on the reverse (reply) direction of
+a UDP connection.  See @ref{Definitions of connections} for a discussion of how Bro
+defines UDP connections.
+
+The analyzer invokes @code{check_hot} with a mode of @code{CONN_ESTABLISHED}
+and then again with a mode of @code{CONN_FINISHED} to cover the general
+case that the reply reflects that the connection was both established and
+is now complete.  Finally, it invokes  to
+generate a connection summary.
+
+@end table
+
+Note: The standard script does @emph{not} update @code{capture_filters}
+to capture UDP traffic.  Unlike for TCP, where there is a natural generic
+filter that captures only a subset of the traffic, the only natural UDP
+filter would be simply to capture all UDP traffic, and that can often be
+a huge load. 
+
+@node Connection summaries,
+@subsection Connection summaries
+@cindex connection, summaries
+
+The main output of @code{conn} is a one-line ASCII summary
+of each connection.  By tradition, these summaries are written to
+a file with the name @code{conn.tag.log}, where @emph{tag} uniquely
+identifies the Bro session generating the logs.  
+
+The summaries are produced by the @code{record_connection} function,
+and have the following format:
+
+@quotation
+@code{ <@emph{start}> <@emph{duration}> <@emph{local IP}> <@emph{remote IP}> 
+<@emph{service}> <@emph{local port}> <@emph{remote port}> 
+<@emph{protocol}> <@emph{org bytes sent}>, <@emph{res bytes sent}> 
+<@emph{state}> <@emph{flags}> <@emph{tag}>}
+@end quotation
+
+@cindex connection, start time
+@cindex beginning time of a connection
+@cindex start time of a connection
+@table @samp
+@item @emph{start}
+corresponds to the connection's start time, as defined by @code{start_time}.  
+@cindex connection, duration
+@cindex duration of a connection 
+@item @emph{duration}
+gives the connection's duration, as defined by @code{duration}.
+@cindex connection, hosts
+@cindex hosts, in a connection
+@cindex connection, addresses
+@cindex addresses, in a connection
+@item @emph{local IP}, @emph{remote IP}
+correspond to the @emph{local} and @emph{remote} addresses
+that participated in the connection, respectively.  The notion of which
+addresses are local is controlled by the 
+global variable @code{local_nets}, which has a default value of empty.  If
+@code{local_nets} has @emph{not} been redefined, then @emph{local IP} is the
+connection @emph{responder} and @emph{remote IP} is the connection @emph{originator}.
+@cindex service associated with a connection
+@item @emph{service}
+is the connection's service, as defined by @code{service}.
+@cindex ports associated with a connection
+@item @emph{local port}, @emph{remote port} 
+are the ports used by the connection.
+@cindex connection, size
+@cindex connection, bytes
+@cindex size of connection
+@cindex bytes in connection
+@item @emph{org bytes sent} @emph{res bytes sent}
+give the number of bytes sent by the @emph{originator}
+and @emph{responder}, respectively.  These correspond to the @code{size}
+fields of the corresponding @code{endpoint} records.
+@cindex connection, state
+@cindex state of connection
+@item @emph{state}
+reflects the state of the connection at the time
+the summary was written (which is usually either when the connection
+terminated, or when Bro terminated).  The different states are summarized
+in the table below.
+@quotation
+@float Table, Connection State Summaries
+@multitable  @columnfractions .15 .6
+@item @strong{Name} @tab @strong{Meaning}
+@item @code{S0}
+@tab Connection attempt seen, no reply.
+@item @code{S1}
+@tab Connection established, not terminated.
+@item @code{SF}
+@tab Normal establishment and termination. Note that this is the
+same symbol as for state S1. You can tell the two apart because
+for S1 there will not be any byte counts in the summary, while
+for SF there will be.
+@item @code{REJ}
+@tab Connection attempt rejected.
+@item @code{S2} 
+@tab Connection established and close attempt by originator seen
+(but no reply from responder).
+@item @code{S3} 
+@tab Connection established and close attempt by responder seen
+(but no reply from originator).
+@item @code{RSTO}
+@tab Connection established, originator aborted (sent a RST).
+@item @code{RSTR}
+@tab Established, responder aborted.
+@item @code{RSTOS0} 
+@tab Originator sent a SYN followed by a RST, we never saw a SYN
+ACK from the responder.
+@item @code{RSTRH}
+@tab Responder sent a SYN ACK followed by a RST, we never saw
+a SYN from the (purported) originator.
+@item @code{SH}
+@tab Originator sent a SYN followed by a FIN, we never saw a
+SYN ACK from the responder (hence the connection was "half" open).
+@item @code{SHR} 
+@tab Responder sent a SYN ACK followed by a FIN, we never saw
+a SYN from the originator.
+@item @code{OTH}
+@tab No SYN seen, just midstream traffic (a "partial connection" that
+was not later closed).
+@end multitable
+@caption{Summaries of connection states, as reported in @code{conn.log} files}
+@end float
+@end quotation
+
+The ASCII @code{Name} given in the Table is
+what appears in the @code{conn.tag.log} log file; it is returned by the @code{conn_state}
+function.  The @code{Symbol} is used when generating human-readable versions
+of the file---see @ref{hot-report script}.
+
+For UDP connections, the analyzer reports connections for which both
+endpoints have been active as @code{SF}; those for which just the originator
+was active as @code{S0}; those for which just the responder was active
+as @code{SHR}; and those for which neither was active as @code{OTH} (this
+latter shouldn't happen!).
+@cindex connection, flags
+@cindex flags of connection
+@item @emph{flags}
+reports a set of additional binary state associated with the connection:
+@table @samp
+@item @code{L}
+indicates that the connection was initiated @emph{locally},
+i.e., the host corresponding to @emph{@math{A_l}} initiated the connection.  If @code{L}
+is missing, then the host corresponding to @emph{@math{A_r}} initiated the connection.
+@item @code{U}
+indicates the connection involved one of the networks
+listed in the @code{neighbor_nets} variable.  The use
+of ``@code{U}'' for this indication (rather than ``@code{N}'', say) is
+historical, as for the most part is the whole notion of ``neighbor network.''
+Note that connection can have both @code{L} and @code{U} set (see next item).
+@item @code{X}
+is used to indicate that @emph{neither} the ``@code{L}''
+or ``@code{U}'' flags is associated with this connection.  
+@end table
+@cindex connection, additional information
+@cindex information associated with a connection
+@cindex additional information associated with a connection
+@item @emph{tag}
+Reference tag to log lines containing additional information associated with the
+connection in other log files, (e.g.: http.log).
+
+@end table
+
+@*
+Putting all of this together, here is an example of a @code{conn.log} connection
+summary:
+@example
+931803523.006848 54.3776 http 7320 38891 206.132.179.35 
+	128.32.162.134 RSTO X %103
+@end example
+
+The connection began at timestamp 931803523.006848 (18:18:43 hours GMT
+on July 12, 1999; see the @code{cf} utility for how to determine this)
+and lasted 54.3776 seconds.  The service was HTTP (presumably; this conclusion
+is based just on the responder's use of port @code{80/tcp}).
+The originator sent 7,320 bytes, and the responder sent 38,891 bytes.
+Because the ``@code{L}'' flag is absent, the connection was initiated by
+host 128.32.162.134, and the responding host was 206.132.179.35.  When
+the summary was written, the connection was in the ``@code{RSTO}'' state,
+i.e., after establishing the connection and transferring data, the originator 
+had terminated it with a RST (this is unfortunately common for Web clients).  The connection had neither
+the @code{L} or @code{U} flags associated with it, and there was additional
+information, summarized by the string ``@code{%103}'' (see the
+@code{http} analyzer for an explanation of this information).
+
+
+@node Connection functions,
+@subsection Connection functions
+@cindex connection, functions
+@cindex connection, functions
+We finish our discussion of generic connection analysis with a brief
+summary of the different Bro functions provided by the @code{conn} analyzer:
+
+@table @samp
+@cindex connection, size
+@cindex connection, bytes
+@cindex size of connection
+@cindex bytes in connection
+
+@item @code{conn_size e: endpoint, is_tcp: bool): string}
+returns a string giving either the number of bytes the endpoint sent
+during the given connection, or @code{"?"} if from the connection state
+this can't be determined.  The @code{is_tcp} parameter is needed
+so that the function can inspect the endpoint's state to determine
+whether the connection was closed.
+
+@cindex connection, state
+@cindex state of connection
+@item @code{conn_state (c: connection, is_tcp: bool): string}
+returns the name associated with the connection's state, as
+given in the above table.
+
+@cindex connection, service
+@cindex service associated with a connection
+@item @code{determine_service c: connection): bool}
+sets the @code{service} field of the given connection,
+using @code{port_names}.
+If you are using the @code{ftp} analyzer, then it knows about FTP
+data connections and maps them to @code{port_names[20/tcp]}, i.e.,
+@code{"ftp-data"}.
+
+@cindex connection ID
+@cindex ID of connection
+
+@item @code{full_id_string (c: connection): string}
+returns a string identifying the connection in one of the two
+following forms.  If the connection is in state @code{S0}, @code{S1},
+or @code{REJ}, then no data has been transferred,
+and the format is:
+@quotation
+@emph{@math{A_o} <state> @math{A_r}/<service> <addl>}
+@end quotation
+
+where @emph{@math{A_o}} is the IP address of the originator (@code{$id$orig_h}),
+@emph{state} is as
+given in the @strong{Symbol} column of the above table.
+@emph{@math{A_r}} is the
+IP address of the responder (@code{$id$resp_h}), @emph{service} gives
+the application service (@code{$service}) as set by @code{determine_service},
+and @emph{addl} is the contents of the @code{$addl} field (which may be
+an empty string).
+
+@cindex port, ephemeral
+@cindex ephemeral port
+Note that the ephemeral port used
+by the originator is not reported.  If you want to display it, use
+@code{id_string}.
+
+So, for example:
+@example
+    128.3.6.55 > 131.243.88.10/telnet "luser"
+@end example
+
+identifies a connection originated by @code{128.3.6.55} to @code{131.243.88.10}'s
+Telnet server, for which the additional associated information is @code{"luser"},
+the username successfully used during the authentication dialog as determined
+by the  analyzer.  From the table above we see that
+the connection must be in state @code{S1}, as that's the only state of
+@code{S0}, @code{S1}, or @code{REJ} that has a @code{>} symbol.  (We can tell
+it's @emph{not} in state @code{SF} because the format used for that state
+differs---see below.)
+
+For connections in other states, Bro has size and duration information
+available, and the format returned by @code{full_id_string} is:
+@quotation
+@emph{@math{A_o} @math{S_o}b <state> @math{A_r}/<service> @math{S_r}b @math{D_s} <addl>}
+@end quotation
+
+where @emph{@math{A_o}}, @emph{@math{A_r}}, @emph{state}, @emph{service}, and @emph{addl} are
+as before, @emph{@math{S_o}} and @emph{@math{S_r}} give the number of bytes transmitted so far
+by the originator to the responder and vice versa, and @emph{D} gives the
+duration of the connection in seconds (reported with one decimal place)
+so far.
+
+An example of this second format is:
+@example
+    128.3.6.55 63b > 131.243.88.10/telnet 391b 39.1s "luser"
+@end example
+
+which reflects the same connection as before, but now @code{128.3.6.55} has
+transmitted 63 bytes to @code{131.243.88.10}, which has transmitted 391 bytes
+in response, and the connection has been active for 39.1 seconds.  The
+``@code{>}'' indicates that the connection is in state @code{SF}.
+
+@cindex connection, ID
+@cindex ID of connection
+@item @code{id_string (id: conn_id): string}
+returns a string identifying the connection by its address/port quadruple.
+Regardless of the connection's state, the format is:
+@quotation
+@emph{@math{A_o}@code{/}@math{P_o} @code{>} @math{A_r}@code{/}@math{P_r}}
+@end quotation
+where @emph{@math{A_o}} and @emph{@math{A_r}} are the originator and responder addresses,
+respectively, and @emph{@math{P_o}} and @emph{@math{P_r}} are representations of the originator
+and responder ports as returned by the @code{port-name} module,
+i.e., either
+or a string like ``@code{http}'' for a well-known port such as @code{80/tcp}.
+
+An example:
+@example
+    128.3.6.55/2244 > 131.243.88.10/telnet
+@end example
+
+Note, @code{id_string} is implemented using a pair of calls to @code{endpoint_id}.
+
+@emph{Deficiency:It would be convenient to have a form of @code{id_string} that can incorporate a notion of directionality, for example @code{128.3.6.55/2244 < 131.243.88.10/telnet} to indicate the same connection as before, but referring specifically to the flow from responder to originator in that connection (indicated by using ``@code{<}'' instead of ``@code{>}'').}
+
+@cindex connection, hot
+@cindex connection, logging
+@cindex logging, connection
+@item @code{log_hot_conn (c: connection)}
+logs a real-time SensitiveConnection alarm of the form:
+@quotation
+hot: @code{<}@emph{connection-id}@code{>}
+@end quotation
+where @emph{connection-id} is the format returned by @code{full_id_string}.
+@code{log_hot_conn} keeps track of which connections it has logged and
+will not log the same connection more than once.
+
+@cindex log file, connection summary (red)
+@cindex connection, recording
+@cindex recording connections
+
+@item @code{record_connection (c: connection, disposition: string)}
+Generates a connection summary to the @file{conn} file
+in the format described in @ref{Connection summaries}.
+If the connection's @code{hot} field is positive, then also logs
+the connection using @code{log_hot_conn}.  The @code{disposition} is a text
+description of the connection's state, such as @code{"attempt"} or
+@code{"half_finished"}; it is not presently used.
+
+@cindex connection, service
+@cindex service associated with a connection
+
+@item  @code{service_name (c: connection): string}
+returns a string describing the service associated with the connection,
+computed as follows.  If the responder port (@code{$id$resp_p}), @emph{p}, is
+well-known, that is, in the @code{port_names} table,
+then @emph{p}'s entry in the table is returned (such as @code{"http"} for TCP
+port 80).  Otherwise, for TCP connections, if the responder port
+is less than 1024, then @code{priv-@emph{p}} is returned, otherwise
+@code{other-@emph{p}}.  For UDP connections, the corresponding service
+names are @code{upriv-@emph{p}} and @code{uother-@emph{p}}.
+
+@cindex connection, terminating with extreme prejudice
+@cindex terminating connections forcibly
+
+@item @code{terminate_connection (c: connection)}
+Attempts to terminate the given connection using the @code{rst} utility
+in the current directory.  It does not check to see whether the utility
+is actually present, so an unaesthetic shell error will appear if the utility
+is not available.
+
+@code{rst} terminates connections by forging RST packets.  It is not
+presently distributed with Bro, due to its potential for disruptive use.
+
+@cindex analysis, on-line
+@cindex on-line analysis
+@cindex analysis, off-line
+@cindex off-line analysis
+If Bro is reading a trace file rather than live network traffic,
+then @code{terminate_connection} logs the @code{rst} invocation
+but does not actually invoke the utility.  In either case, it finishes
+by logging that the connection is being terminated.
+
+@end table
+
+@cindex analyzers, generic
+
+@node Site-specific information,
+@section Site-specific information
+
+@cindex analyzers, site-specific information
+@cindex site-specific, information
+The @code{site} analyzer is not actually an analyzer but
+simply a set of global variables (and @emph{Updateme: one function}) used
+to define a site's basic topological information.
+
+@menu
+* Site variables::		
+* Site-specific functions::	
+@end menu
+
+@node Site variables,
+@subsection Site variables
+
+@cindex site-specific, variables
+
+The @code{site} module defines the following variables, all redefinable:
+
+@cindex addresses, local
+@cindex local addresses
+@cindex subnets
+@cindex prefixes, network
+@cindex network prefixes
+@table @samp
+@item @code{local_nets set[net]}
+Defines which @code{net}'s Bro should consider as reflecting a local address.
+
+Default: empty.
+
+@cindex CIDR
+@cindex addresses, local
+@cindex local addresses
+@cindex subnets
+@cindex prefixes, network
+@cindex network prefixes
+@item @code{local_16_nets set[net]}
+Defines which /16 prefixes Bro should consider as reflecting a local address.
+@emph{Deficiency:Bro currently is inconsistent regarding when it consults @code{local_nets} versus @code{local_16_nets}, so you should ensure that this variable and the previous one are always consistent.}
+
+Default: empty.
+
+@cindex addresses, local
+@cindex local addresses
+@item @code{local_24_nets set[net]}
+The same, but for /24 addresses.
+
+Default: empty.
+
+@cindex addresses, neighbor
+@cindex neighbor addresses
+@item @code{neighbor_nets set[net]}
+Defines which @code{net}'s Bro should consider as reflecting a ``neighbor.''
+Neighbors networks can be treated specially in some policies, distinct
+from other non-local addresses.  In particular, 
+will not drop connectivity to an address belonging to a neighbor.
+
+The notion is somewhat historical, as
+is the use of ``@code{U}'' to mark neighbors in connection summaries
+(See @ref{Connection summaries}).
+
+Default: empty.
+
+@cindex addresses, neighbor
+@cindex neighbor addresses
+@item @code{neighbor_16_nets set[addr]}
+Defines which /16 addresses Bro should consider as reflecting a neighbor;
+the only use of this variable in the standard scripts is that a scan
+originating from an address with one of these prefixes will not be dropped
+.  @emph{Deficiency:The name is poorly chosen and should be changed to better reflect this use.}  @emph{Deficiency:In addition, this variable should be kept consistent with @code{neighbor_nets}, until the fine day when the processing is rectified to only use one variable.}
+
+Default: empty.
+
+@cindex addresses, neighbor
+@cindex neighbor addresses
+@item @code{neighbor_24_nets set[net]}
+The same, but for /24 addresses.
+
+Default: empty.
+
+@end table
+
+@cindex site-specific, variables
+
+@node Site-specific functions,
+@subsection Site-specific functions
+
+@cindex functions, site-specific
+@cindex site-specific, functions
+
+Currently, the @code{site} module only defines one function:
+
+@table @samp
+@cindex addresses, local
+@cindex local addresses
+@cindex site addresses
+@item @code{is_local_addr (a: addr): bool}
+returns true if the given address belongs to one of the ``local'' networks,
+false otherwise.  @emph{Updateme: Currently, the test is made by masking the address to /16 and /24 and comparing it to @code{local_16_nets} and @code{local_24_nets}.}
+
+@end table
+
+@cindex site-specific, functions
+
+@cindex analyzers, site-specific information
+
+@node hot Analyzer,
+@section The @code{hot} Analyzer
+
+@cindex connection, analysis
+@cindex connection, hot analysis
+@cindex hot connection, analysis
+
+The standard @code{hot} script defines policy relating to fairly
+generic notions of allowed and prohibited connections.  It defines
+a number of variables that you will need to refine to customize your
+site's policies.  It also provides two functions for checking
+connections against the policies, which can be used by other of the standard
+scripts.
+
+@menu
+* hot variables::		
+* hot functions::		
+@end menu
+
+@node hot variables,
+@subsection @code{hot} variables
+
+@cindex analyzers, hot, variables
+
+The standard @code{hot} script defines the following variables, all redefinable:
+
+@table @samp
+@cindex spoofing, detection
+@cindex local addresses, spoofing
+@item @code{same_local_net_is_spoof : bool}
+If true, then a connection with a local originator address and a local
+responder address is considered by 
+to have been spoofed.  @emph{Deficiency:The name is poorly chosen (and may be changed in the future) to something more accurate like @code{both_local_nets_is_spoof}.}
+
+@cindex DMZ, spoof detection
+@cindex internal networks, spoof detection
+In general, you want to use true for a Bro that is monitoring Internet access
+links (DMZs) and false for internal monitors.
+
+Default: @code{F}.
+
+@cindex spoofing, allowable services
+@cindex local addresses, spoofing
+@item @code{allow_spoof_services : set[port]}
+Defines a set of services (responder ports) for which Bro should not
+generate notices if it sees apparent spoofed traffic.
+
+Default: @code{110/tcp} (POP version 3; RFC-1939).
+This default was chosen because
+in our experience one common form of benign spoof is an off-site laptop
+attempting to read mail while still configured to use its on-site address.
+
+@cindex access, allowable address pairs
+@cindex allowable address pairs
+@item @code{allow_pairs : set[addr, addr]}
+Defines pairs of source and destination addresses for which the
+source is allowed to connect to the destination.  The intent with
+this variable is that the source or destination address will be a sensitive
+host (such as defined with @code{host_src} or
+@code{host_dsts}), for which this particular access should
+be allowed.
+
+Default: empty.
+
+@cindex access, allowable /16 network pairs
+@cindex allowable /16 network pairs
+@item @code{allow_16_net_pairs : set[addr, addr]}
+Defines pairs of source and destination /16 networks for which the
+source is allowed to connect to the destination, similar to @code{allow_pairs}.
+@emph{Note: The set is defined in terms of @code{addr}'s and not @code{net}'s.
+So, for example, rather than specifying @code{128.32.}, which is a @code{net}
+constant, you'd use @code{128.32.0.0} (an @code{addr} constant).  }
+
+Default: empty.
+
+@cindex access, sensitive source addresses
+@cindex sensitive source addresses
+@cindex hot source addresses
+@cindex addresses, hot sources
+@item @code{hot_srcs : table[addr] of string}
+Defines source addresses that should be considered ``hot''.
+A successfully established connection from such a source address
+generates an alarm, unless one of the access exception variables such as
+@code{allow_pairs} also matches the connection.  The value of the
+table gives an explanatory message as to why the source is
+hot; for example, @code{"known attacker site"}.  
+Note: This value
+is not currently used, though it aids in documenting the policy script.
+
+Default: empty.
+
+Example: redefining @code{hot_srcs} using
+@example
+redef hot_srcs: table[addr] of string = @{
+    [ph33r.the.eleet.com] = "script kideez",
+@};
+@end example
+
+would result in Bro noticing any traffic coming @code{ph33r.the.eleet.com}.
+@cindex kiddies, script
+@cindex script kiddies
+
+@cindex access, sensitive destination addresses
+@cindex sensitive destination addresses
+@cindex hot destination addresses
+@cindex addresses, hot destinations
+@item @code{hot_dsts : table[addr] of string}
+Same as @code{hot_srcs}, except for destination addresses.
+
+Default: empty.
+
+@cindex access, sensitive /24 source networks
+@cindex sensitive /24 source networks
+@cindex hot /24 source networks
+@cindex networks, hot sources
+@item @code{hot_src_24nets : table[addr] of string}
+Defines /24 source networks should be considered ``hot,''
+similar to @code{hot_srcs}.  @emph{Deficiency:Other network masks, particularly /16, should be provided.}
+
+Default: empty.
+
+@cindex CIA detection
+@cindex Central Intelligence Agency, detection
+Example: redefining @code{hot_src_24nets} using
+@example
+redef hot_src_24nets: table[addr] of string = @{
+    [198.81.129.0] = "CIA incoming!",
+@};
+@end example
+
+would result in Bro noticing any traffic coming from the @code{198.81.129/24}
+network.
+
+@cindex access, sensitive /24 destination networks
+@cindex sensitive /24 destination networks
+@cindex hot /24 destination networks
+@cindex networks, hot destinations
+@item @code{hot_dst_24nets : table[addr] of string}
+same as @code{hot_src_24nets}, except for destination networks.
+
+Default: empty.
+
+@cindex access, allowable services
+@cindex services, allowable
+@item @code{allow_services : set[port]}
+Defines a set of services that are always allowed, regardless of
+whether the source or destination address is ``hot.''
+
+Default: @code{ssh}, @code{http}, @code{gopher} @code{ident}, @code{smtp},
+@code{20/tcp} (FTP data).
+
+Note: The defaults are a bit unusual.  They are intended for a quite open
+site with many services. 
+
+@cindex access, service allowed to a particular host
+@cindex services, allowed to a particular host
+@item @code{allow_services_to : set[addr, port]}
+Defines a set of services that are always allowed if the server is the
+given host, regardless of whether the source or destination address is
+``hot.''
+
+Default: empty.
+
+Example: redefining @code{allow_services_to} using
+@example
+redef allow_services_to: set[addr, port] += @{
+    [ns.mydomain.com, [domain, 123/tcp]],
+@} &redef;
+@end example
+
+would result in Bro not noticing any TCP DNS or NTP traffic heading
+to @code{ns.mydomain.com}.  You might add this if @code{ns.mydomain.com}
+is also in @code{hot_dsts}, because in general you want to consider
+any access (other than DNS or NTP) as sensitive.
+
+@cindex access, service allowed to particular host pairs
+@cindex services, allowed to particular host pairs
+@item @code{allow_services_pairs : set[addr, addr, port]}
+Defines a set of services that are always allowed if the connection
+originator is the first address and the responder (server) the second
+address.
+
+Default: empty.
+
+Example: redefining @code{allow_services_pairs} using
+@example
+redef allow_services_pairs: set[addr, addr, port] += @{
+    [ns2.mydomain.com, ns.mydomain.com, [domain, 123/tcp]],
+@} &redef;
+@end example
+
+would result in Bro not noticing any TCP DNS or NTP traffic initiated
+from @code{ns2.mydomain.com} to @code{ns.mydomain.com}.
+
+@cindex access, forbidden services
+@cindex services, forbidden
+@item @code{flag_successful_service : table[port] of string}
+The opposite of @code{allow_services}.
+Defines a set of services that should always be flagged as sensitive,
+even if neither the source nor the destination address is ``hot.''
+The @code{string} value in the table gives the reason for why
+the service is considered hot.
+Note: Bro currently does not use these explanatory messages.
+
+Default: @code{31337/tcp} (a popular backdoor because in stylized lettering
+it spells @code{ELEET}) and @code{2766/tcp} (the Solaris @code{listen} service,
+in our experience rarely used legitimately in wide-area traffic).
+
+@cindex ephemeral ports, confused with sensitive services
+@cindex sensitive services, confused with ephemeral ports
+@cindex FTP, ephemeral ports confused with sensitive services
+
+@emph{Note: Bro can flag these services erroneously when a server happens to
+run a different service on the same port.  For example, if you're not
+running the FTP analyzer, then Bro won't know that FTP data connections
+using ephemeral ports in fact belong to legitimate FTP traffic, and will
+flag any that coincide with these services.  A related problem arises 
+when a user has configured their SSH access to tunnel FTP control channels
+through the FTP connection, but not the corresponding data connections (so
+they don't pay the expense of encrypting the data transfers), so again
+Bro can't recognize that the ephemeral ports used for the data connections
+does not reflect the presumed sensitive service.}
+
+Example: redefining @code{flag_successful_service} using
+@example
+redef flag_successful_service: table[port] of string += @{
+        [1524/tcp] = "popular backdoor",
+@};
+@end example
+
+would result in Bro also noticing any successful connection to
+a server running on TCP port 1524.
+
+@cindex access, forbidden inbound services
+@cindex services, forbidden if inbound
+@cindex inbound services, forbidden
+
+@item @code{flag_successful_inbound_service : table[port] of string}
+The same as @code{flag_successful_service}, except only applies to
+connections with a remote initiator and a local responder (determined
+by finding the responder address in @code{local_nets}).
+
+@cindex etc/inetd.conf/etc/inetd.conf
+@cindex inetd.conf.conf
+Default: @code{1524/tcp} (@code{ingreslock}, a popular backdoor because an
+attacker can place an entry for the backdoor in @emph{/etc/inetd.conf} using
+a service name rather than a raw port number, and hence more likely to
+appear legitimate to casual inspection).  Note: There's no compelling 
+reason why @code{ingreslock} is in this table rather than the more
+general @code{flag_successful_service}, though it does tend to result
+in a few more false hits than the others, presumably because it's a lower
+port number, and hence more likely on some systems to be chosen for
+an ephemeral port.
+
+Note: Symmetry would call for @code{flag_successful_outbound_service}.
+This hasn't been implemented in Bro yet simply because the
+Bro development site has a threat model structured primarily around
+external threats.
+
+@cindex access, fatal inbound services
+@cindex services, fatal if inbound
+@cindex inbound services, fatal
+@item @code{terminate_successful_inbound_service : table[port] of string}
+The same as @code{flag_successful_inbound_service}, except invokes
+ in an attempt to terminate the connection.
+
+Default: empty.
+
+Note: As for @code{flag_successful_inbound_service}, it would be symmetric
+to have @code{terminate_successful_outbound_service}, and also to have
+a more general @code{terminate_successful_service}.
+
+@cindex access, forbidden attempted services
+@cindex services, forbidden if attempted
+@cindex attempted services, forbidden
+@code{flag_rejected_service table[port] of string}
+Similar to @code{flag_successful_service}, except applies to connections
+that a server rejects.  For example, you could detect a particular, failed
+Linux @emph{mountd} attack by adding @code{10752/tcp} to this table, since
+that happens to be the port used by the commonly
+available version of the exploit
+for its backdoor if the attack succeeds.  Note: You would of course
+likely also want to put @code{10752/tcp} in @code{flag_successful_service};
+or put the entire @code{flag_rejected_service} table 
+into @code{flag_successful_service}, as discussed in @ref{Inserting tables into tables}.
+
+Default: none.
+
+@emph{Deficiency:It might make sense to have @code{flag_attempted_service}, which doesn't require that a server actively reject the connection, but Bro doesn't currently have this.}
+
+@end table
+
+@cindex analyzers, hot, variables
+
+@node hot functions,
+@subsection @code{hot} functions
+
+@cindex analyzers, hot, functions
+
+The @code{hot} module defines two functions for external use:
+
+@table @samp
+@cindex spoofing, detection
+@cindex local addresses, spoofing
+@item @code{check_spoof (c: connection): bool}
+checks the originator and responder addresses of the given connection to
+determine if they are both local (and the connection is not explicitly
+allowed in @code{allow_spoof_services}).  If so, and if @code{same_local_net_is_spoof} is true, then marks the connection as ``hot''.
+
+@cindex Land attack
+@cindex attack, Land
+The function also checks for a specific denial of service attack, the
+``Land'' attack, in which the addresses are the same and so are the ports.
+If so, then it generates a  event with a name of 
+@code{"Land_attack"}.  It makes this check even if is false.
+
+Returns: true if the connection is now hot (or was upon entry), false
+otherwise.
+
+@cindex hot detection
+@cindex detecting sensitive connections
+@cindex connection, detecting sensitive
+@item @code{check_hot (c: connection, state: count): bool}
+checks the given connection against the various policy variables discussed
+above, and bumps the connection's @code{hot} field if it matches
+the policies for being sensitive, and does not match the various exceptions.
+It also uses @code{check_spoof} to see if the connection reflects a possible
+spoofing attack; and terminates the connection if
+@code{terminate_successful_service} indicates so.
+
+The caller indicates the connection's state in the second parameter to the
+function, using one of the values given in the Table below.
+As noted in the Table, the processing differs depending on the state.
+
+
+@float Table, Hot connection states
+@multitable  @columnfractions .2 .4 .3
+@item @strong{State} @tab @strong{Meaning} @tab @strong{Tests}
+@item @code{CONN_ATTEMPTED}
+@tab Connection attempted, no reply seen.  Note that you should also use this value
+for scans with undetermined state, such as possible stealth scans. For example,
+connection @code{half_finished} does this.
+@tab @code{check_spoof}
+@item @code{CONN_ESTABLISHED}
+@tab Connection established. Also used for connections apparently established, per @code{partial_connection}.
+@tab @code{check_spoof, flag_successful_service,
+flag_successful_inbound service, allow_services_to,
+terminate_successful inbound_service}
+@item @code{APPL_ESTABLISHED}
+@tab The connection has reached application-layer establishment. For
+example, for Telnet or Rlogin, this is after the user has authenticated.
+@tab @code{allow_services_to, allow_service_pairs,
+allow_pairs, allow_16_net_pairs, hot_srcs,
+hot_dsts, hot_src_24nets, hot_dst_24nets}
+@item @code{CONN_FINISHED}
+@tab The connection has finished, either cleanly or abnormally (for example, @code{connection_reset}.
+@tab Same as @code{APPL_ESTABLISHED}, if the connection exchanged non-zero
+amounts of data in both directions, and if the service wasn’t one of the ones that
+generates @code{APPL_ESTABLISHED}
+@item @code{CONN_REJECTED}
+@tab The connection attempt was rejected by the server.  
+@tab @code{check_spoof, flag_rejected_service}
+@end multitable
+@caption{Different connection states to use when calling check @code{hot}}
+@end float
+@*
+
+
+In general, the pattern is to make one call when the connection is first
+seen, either @code{CONN_ATTEMPTED}, @code{CONN_ESTABLISHED},
+or @code{CONN_REJECTED}.  If the application is one for which connections
+should only be considered ``established'' after a successful pre-exchange
+between originator and responder, then a subsequent call is made
+with a state of @code{APPL_ESTABLISHED}.   The idea here is to provide a
+way to filter out what are in fact not really successful connections
+so that they are not analyzed in terms of successful service.
+Finally, for services that don't use @code{APPL_ESTABLISHED}, a
+call is made instead when the connection finishes for some reason,
+using state @code{CONN_FINISHED}.  Note: This approach delays
+noticing until the connection is over, which might be later than
+you want, in which case you may need to edit @code{check_hot} to 
+provide the desired functionality.
+
+Returns: true if the connection is now hot (or was upon entry), false
+otherwise.
+
+@end table
+
+@cindex analyzers, hot, functions
+
+@node scan Analyzer,
+@section The @code{scan} Analyzer
+
+@cindex scan detection
+@cindex detecting scans
+@cindex scanning, address
+@cindex scanning, port
+@cindex address scanning
+@cindex port scanning
+@cindex passwords, guessing
+The @code{scan} analyzer detects connection attempts to numerous machines
+(address scanning), connection attempts to many different services
+on the same machine (port scanning), and attempts to access many different
+accounts (password guessing).  The basic methodology is to use tables to
+keep track of the distinct addresses and ports to which a given host
+attempts to connect, and to trigger notices when either of these reaches
+a specified size.  @emph{Deficiency:As currently written, the analyzer will not detect distributed scans, i.e., when many sites are used to probe individually just a few, but together a large number, of ports or addresses.}
+
+A powerful technique that Bro potentially provides is dropping
+border connectivity with remote scanning sites, though you must
+supply the magic script to talk with your router and effect the
+block.  See @code{drop_address} below for a discussion of the
+interface provided.  Note: Naturally, providing this capability means
+you might become vulnerable to denial-of-service attacks in which spoofed
+packets are used in an attempt to trigger a block of a site to which
+you want to have access.
+
+@menu
+* scan variables::		
+* scan functions::		
+* scan event handlers::		
+@end menu
+
+@node scan variables,
+@subsection @code{scan} variables
+
+@cindex analyzers, scan, variables
+
+In addition to internal variables for its bookkeeping, the analyzer
+provides the following redefinable variables:
+
+@table @samp
+@code{report_peer_scan : set[count]}
+Generate an alarm whenever a remote host (as determined by
+@code{is_local_address}) has attempted to connect to the given
+number of distinct hosts.
+
+Default: @code{@{ 100, 1000, 10000, @}}.  So, for example, if
+a remote host attempts to connect to 3,500 different local hosts,
+a report will be generated when it makes the 100th attempt, and
+another when it makes the 1,000th attempt.
+
+@item @code{report_outbound_peer_scan : set[count]}
+The same as @code{report_peer_scan}, except for connections
+initiated locally.
+
+Default: @code{@{ 1000, 10000, @}}.
+
+@item @code{possible_port_scan_thresh : count}
+Initially, port scan detection is done based on how many different
+ports a given host connects to, regardless of on which hosts.  Once
+this threshold is reached, however, then the analyzer begins tracking
+ports accessed per-server, which is important for reducing false
+positives.  Note: The reason this variable exists  is because it
+is very expensive to track per-server ports accessed for every
+active host; this variable limits such tracking to only active hosts
+contacting a significant number of different ports.
+
+Default: @code{25}.
+
+@item @code{report_accounts_tried : set[count]}
+Whenever a remote host has attempted to access a number of local
+accounts present in this set, generate an alarm.  Each distinct
+username/password pair is considered a different access.
+
+Default: @code{@{ 25, 100, 500, @}}.
+
+@item @code{report_remote_accounts_tried : set[count]}
+The same, except for access to remote accounts rather than local ones.
+
+Default: @code{@{ 100, 500, @}}.
+
+@item @code{skip_accounts_tried : set[addr]}
+Do not do bookkeeping for account attempts for the given hosts.
+
+Default: empty.
+
+@item @code{skip_outbound_services : set[port]}
+Do not do outbound-scanning bookkeeping for connections involving
+the given services.
+
+Default: @code{allow_services}, @code{ftp}, @code{addl_web} (see next item).
+
+@item @code{addl_web : set[port]}
+Additional ports that should be considered as Web traffic (and hence skipped
+for outbound-scan bookkeeping).
+
+Default: @code{@{ 81/tcp, 443/tcp, 8000/tcp, 8001/tcp, 8080/tcp, @}}.
+
+@item @code{skip_scan_sources : set[addr]}
+Hosts that are allowed to address-scan without complaint.
+
+Default: @code{scooter.pa-x.dec.com}, @code{scooter2.av.pa-x.dec.com}
+(AltaVista crawlers; you get the idea.)
+
+@item @code{skip_scan_nets_24 : set[addr, port]}
+/24 networks that are allowed to address scan for the given port
+without complaint.
+
+Default: empty.
+
+@cindex connectivity, dropping
+@cindex dropping connectivity
+@cindex firewall, reactive
+@cindex reactive firewall
+@item @code{can_drop_connectivity : bool}
+True if the Bro has the capability of dropping connectivity,
+per @code{drop_address}.
+
+Default: false.
+
+@cindex scanning, shutting down
+@cindex shutting down scans
+@item @code{shut_down_scans : set[port]}
+Scans of these ports trigger connectivity-dropping (if the Bro
+is capable of dropping connectivity), unless @code{shut_down_all_scans}
+is defined (next item).
+
+Default: empty.
+
+@item @code{shut_down_all_scans : bool}
+Ignore @code{shut_down_scans} and simply drop all scans regardless of
+service.
+
+Default: false.
+
+@item @code{shut_down_thresh : count}
+Shut down connectivity after a host has scanned this many addresses.`
+
+Default: @code{100}.
+
+@item @code{never_shut_down : set[addr]}
+Purported scans from these addresses are never shut down.
+
+Default: the root name servers (@code{a.root-servers.net} through
+@code{m.root-servers.net}).
+
+@end table
+
+@cindex analyzers, scan, variables
+
+@node scan functions,
+@subsection @code{scan} functions
+
+@cindex analyzers, scan, functions
+The standard @code{scan} script provides the following functions:
+
+@table @samp
+@cindex connectivity, dropping
+@cindex dropping connectivity
+@cindex firewall, reactive
+@cindex reactive firewall
+@cindex scanning, shutting down
+@cindex shutting down scans
+@item @code{drop_address (a: addr, msg: string)}
+Drops external connectivity to the given address and generates a notification
+using the given message.
+
+@cindex drop-connectivity shell script-connectivity shell script
+@cindex shell scripts, drop-connectivity-connectivity
+Dropping connectivity requires all of the following to be true:
+@itemize @bullet
+@item  @code{can_drop_connectivity} is true.
+
+@item 
+The address is neither local
+nor a neighbor (See @ref{Site variables}).
+
+@item 
+The address is not in @code{never_shut_down}.
+@end itemize
+
+If these checks succeed, then the script simply attempts to invoke
+a shell script @emph{drop-connectivity} with a single argument, the IP
+address to block.  It is up to you to provide the script, using whatever
+interface to your router/firewall you have available.
+
+The function does not return a value.
+
+@cindex scanning, stealth
+@cindex stealth scans
+@item @code{check_scan (c: connection, established: bool, reverse: bool): bool}
+Updates the analyzer's internal bookkeeping on the basis of the
+new connection @code{c}.  If @code{established} is true, then the connection
+was successfully established, otherwise not.  If @code{reverse} is true,
+then the function should consider the originator/responder fields in
+the connection's record as reversed.  Note: This last is needed
+for some unusual new connections that may reflect stealth scanning.
+For example, when the event engine sees a SYN-ack without a corresponding
+SYN, it instantiates a new connection with an assumption that the SYN-ack
+came from the responder (and it missed the initial SYN either due to
+split routing (See @ref{Split routing}), a packet drop (See @ref{Packet drops}),
+or Bro having started running after the initial SYN was sent).
+
+If the originating host's activity matches the policy defined by the
+variables above, then the analyzer logs this fact, and possibly
+attempts to drop connectivity to the originating host.  The function
+also schedules an event for 24 hours in the future (or when Bro terminates)
+to generate a summary of the scanning activity (so if the host continues
+scanning, you get a report on how many hosts it wound up scanning).
+@emph{Deficiency:This time interval should be selectable.}
+
+Note: Purported scans of the FTP data port (@code{20/tcp}) or the @code{ident}
+service (@code{113/tcp}) are never reported or dropped, as experience
+has shown they yield too many false hits.
+
+The function does not return a value.
+
+@end table
+
+@cindex analyzers, scan, functions
+
+@node scan event handlers,
+@subsection @code{scan} event handlers
+
+@cindex analyzers, scan, event handlers
+
+The standard @code{scan} script defines one event handler:
+
+@table @samp
+@item @code{account_tried (c: connection, user: string, passwd: string)}
+The given connection made an attempt to access the given username and
+password.  Each distinct username/password pair is considered a new access.
+The event handler generates an alarm if the access matches the logging
+policy outlined above.
+
+Note: @code{account_tried} events are generated by  @code{login}
+and @code{ftp} analyzers.
+
+@end table
+
+@cindex analyzers, scan, event handlers
+
+@cindex scan detection
+
+@node port-name Analysis Script,
+@section The @code{port-name} Analysis Script
+
+The @code{port-name} utility module provides one redefinable variable
+and one callable function:
+
+@table @samp
+@item @code{port_names : table[port] of string}
+Maps TCP/UDP ports to names for the services associated with those ports.
+For example, @code{80/tcp} maps to @code{"http"}.  These names are used by
+the @code{conn} analyzer when generating connection logs
+(See @ref{Generic Connection Analysis}).
+
+@item @code{endpoint_id (h: addr, p: port): string }
+Returns a printable form of the given address/port connection
+endpoint.  The format is either 
+@code{<}@emph{address}@code{>/<}@emph{service-name}@code{>}
+or
+@code{<}@emph{address}@code{>/<}@emph{port-number}@code{>}
+depending on whether the port appears in @code{port_names}.
+@end table
+
+@node brolite Analysis Script,
+@section The @code{brolite} Analysis Script
+
+The @code{brolite} module is intended to provide a convenient way
+to run (almost) all of the analyzers.  It @code{@@load}'s the following
+other modules and analyzers:
+@code{alarm, dns, hot, port-name, frag, tcp, scan, weird, finger, ident, ftp,
+login} and @code{portmapper}.
+So you can run Bro using @emph{bro -i in0 brolite} to have it analyze
+traffic on interface @emph{in0} using the above analyzers
+; or you can @code{@@load brolite} to load in the above
+analyzers.
+
+Note: The @code{brolite} analyzer doesn't load @code{http}  (because
+it can prove a very high load for many sites)
+nor experimental analyzers such as  @code{stepping}
+or @code{backdoor}. 
+
+@node alarm Analysis Script,
+@section The @code{alarm} Analysis Script
+
+The @code{alarm} utility module redefines a single variable:
+
+@table @samp
+@cindex alarm file
+@item @code{bro_alarm_file : file}
+A special Bro variable used internally to specify a file where Bro should
+record messages logged by @code{alarm} statements (as well
+as generating real-time notifications via @emph{syslog}).
+
+Default: if the @code{$BRO_LOG_SUFFIX} environment variable is defined,
+then @code{alarm.@code{<}@emph{$BRO_LOG_SUFFIX}@code{>}}, otherwise @code{alarm.log}.
+
+See @code{bro_alarm_file} for further discussion.
+
+@end table
+
+If you do not include this module, then Bro records alarm messages
+to @emph{stderr}.
+@cindex stderr
+
+Here is a sample definition of @code{alarm_hook}:
+@example
+global msg_count: table[string] of count &default = 0;
+
+event alarm_summary(msg: string)
+    @{
+    alarm fmt("(%s) %d times", msg, msg_count[msg]);
+    @}
+
+function alarm_hook(msg: string): bool
+    @{
+    if ( ++msg_count[msg] == 1 )
+        # First time we've seen this message - log it.
+        return T;
+
+    if ( msg_count[msg] == 5 )
+        # We've seen it five times, enough to be worth
+        # summarizing.  Do so five minutes from now,
+        # for whatever total we've seen by then.
+        schedule +5 min @{ alarm_summary(msg) @};
+
+    return F;
+    @}
+
+@end example
+
+You can also control Bro's alarm processing by defining the
+special function @emph{alarm-hook}.  It takes a single
+argument, @code{msg: string}, the message in a just-executed
+@code{alarm} statement, and returns a boolean value: true if Bro
+should indeed log the message, false if not.  The above example
+shows a definition of @code{alarm_hook} that
+checks each alarm message to see whether the same text has
+been logged before.  It only logs the first instance of a message.
+If a message appears at least five times, then it schedules a
+future @code{alarm_summary} event for 5 minutes in the future;
+the purpose of this event is to summarize the total number of
+times the message has appeared at that point in time.
+
+@node active Analysis Script,
+@section The @code{active} Analysis Script
+
+The @emph{active} utility module provides a single, non-redefinable
+variable that holds information about active connections: 
+
+@table @samp
+@item @code{active_conn : table[conn_id] of connection}
+Indexed by a @code{conn_id} giving the
+originator/responder addresses/ports, returns the connection's
+@code{connection} record.  As usual, accessing
+the table with a non-existing index results in a run-time error,
+so you should first test for the presence of the index using
+the @code{in} operator.
+
+Default: empty.
+@end table
+
+This functionality is quite similar to that of the @code{active_connection}
+function, and @emph{Deficiency:arguably this module should be removed in favor of the function}.  It does, however, provide a useful example of maintaining
+bookkeeping by defining additional handlers for events that already have
+handlers elsewhere.
+
+@node demux Analysis Script,
+@section The @code{demux} Analysis Script
+
+The @emph{demux} utility module provides a single function:
+
+@table @samp
+@item @code{demux_conn (id: conn_id, tag: string, otag: string, rtag: string): bool }
+Instructs Bro to write (``demultiplex'') the contents of the connection
+with the given @code{id} to a pair of files whose names are constructed
+out of @code{tag}, @code{otag}, and @code{rtag}, as follows.
+
+The originator-to-responder direction of the connection goes into a file named:
+@quotation
+@code{<}@emph{otag}@code{>.<}@emph{tag}@code{>.<}@emph{orig-addr}@code{>.<}@emph{orig-port}@code{>-<}@emph{resp-addr}@code{>.<}@emph{resp-port}@code{>}
+@end quotation
+and the other direction in:
+@quotation
+@code{<}@emph{rtag}@code{>.<}@emph{tag}@code{>.<}@emph{resp-addr}@code{>.<}@emph{resp-port}@code{>-<}@emph{orig-addr}@code{>.<}@emph{orig-port}@code{>}
+@end quotation
+Accordingly, @emph{tag} can be used to associate a unique label with
+the pair of files, while @emph{otag} and @emph{rtag} provide distinct
+labels for the two directions.
+
+If Bro is already demuxing the connection, or if the connection is
+not active, then nothing happens, and the function returns false.
+Otherwise, it returns true.
+
+@end table
+
+Bro places demuxed streams in a directory defined by the redefinable
+global @code{demux_dir}, which defaults in the usual fashion to
+@code{open_log_file("xscript")}.
+
+@emph{Deficiency:Experience has shown that it would be highly convenient if Bro would demultiplex the @emph{entire} connection contents into the files, instead of just the part of the connection seen subsequently after the call to @code{demux_conn}.  One way to do this would be for @code{demux_conn} to offset the contents in the file by the current stream position, and then to invoke a utility tool that goes through the Bro output trace file  and copies the contents up to the current stream position to the front of the file.  This utility tool might even be another instance of Bro running with suitable arguments.}
+
+@node dns Analysis Script,
+@section The @code{dns} Analysis Script
+
+The @code{dns} module deals with Bro's internal mapping of hostnames
+to/from IP addresses.
+@emph{Deficiency: There is no DNS protocol analyzer available at present.}
+Furthermore, @emph{Deficiency: the lookup mechanisms discussed here are not available to the Bro script writer, other than implicitly by using hostnames in lieu of addresses in variable initializations (see @ref{Hostnames vs addresses}).}
+
+@cindex bro-dns-cache.bro-dns-cache
+@cindex DNS, Bro's private cache
+
+The module's function is to handle different events that can
+occur when Bro resolves hostnames upon startup.  Bro maintains its
+own cache of DNS information which persists across invocations of Bro
+on the same machine and by the same user.
+The role of the cache is to allow Bro to resolve
+hostnames even in the face of DNS outages; the philosophy is that it's
+better to use old addresses than none at all, and this helps harden Bro
+against attacks in which the attacker causes DNS outages in order to
+prevent Bro from resolving particular sensitive hostnames (e.g., @code{hot_srcs}
+).  The cache is stored in the file ``@code{.bro-dns-cache}''
+in the user's home directory.  You can delete this file whenever you want,
+for example to purge out old entries no longer needed, and Bro will recreate
+it next time it's invoked using @code{-P}.
+
+Currently, all of the event handlers are invoked upon @emph{comparing}
+the results of a new attempt to look up a name or an address versus the
+results obtained the @emph{last time} Bro did the lookup.  When Bro looks
+up a name for the first time, no events are generated.
+
+Also, Bro currently only looks up hostnames to map them to addresses.
+It does not perform inverse lookups.
+
+@menu
+* dns_mapping record::		
+* dns variables::
+* dns event handlers::      
+@end menu
+
+@node dns_mapping record,
+@subsection The @code{dns_mapping} record
+
+@cindex DNS, mappings
+
+All of the events handled by the module include at least one
+record of DNS mapping information, defined by the @code{dns_mapping}
+type shown in the example below.
+The corresponding fields are:
+
+@table @samp
+@item @code{creation_time}
+When the mapping was created.
+
+@item @code{req_host}
+The hostname looked up, or an empty string if this was not a hostname
+lookup.
+
+@item @code{req_addr}
+The address looked up (reverse lookup), or @code{0.0.0.0} if this was not
+an address lookup.
+
+@item @code{valid}
+True if an answer was received for a lookup (even if the answer was that
+the request name or address does not exist in the DNS).
+
+@item @code{hostname}
+The hostname answer in response to an address lookup, or the
+string @code{"@code{<}none@code{>"}} if an answer was received but
+it indicated there was no PTR record for the given address.
+
+@item @code{addrs}
+A set of addresses in response to a hostname lookup.  Empty
+if an answer was received but it indicated that there was no A record
+for the given hostname.
+
+@end table
+
+@example
+type dns_mapping: record @{
+    creation_time: time;  # When the mapping was created.
+
+    req_host: string;     # The hostname in the request, if any.
+    req_addr: addr;       # The address in the request, if any.
+
+    valid: bool;          # Whether we received an answer.
+    hostname: string;     # The hostname in the answer, or "<none>".
+    addrs: set[addr];     # The addresses in the answer, if any.
+@};
+@end example
+
+@node dns variables,
+@subsection @code{dns} variables
+
+@cindex modules, dns, variables
+
+The modules provides one redefinable variable:
+
+@table @samp
+@item @code{dns_interesting_changes : set[string]}
+The different DNS events have names associated with them.  If the
+name is present in this set, then the event will generate a notice, otherwise
+not.
+
+One exception to this list is that DNS changes involving the
+loopback address @code{127.0.0.1} are always considered notice-worthy,
+since they may reflect DNS corruption.
+
+Default: @code{@{ "unverified", "old name", "new name", "mapping", @}}.
+
+@end table
+
+@cindex modules, dns, variables
+
+@node dns event handlers,
+@subsection @code{dns} event handlers
+
+@cindex modules, dns, event handlers
+
+The DNS module supplies the following event handlers:
+
+@table @samp
+@item @code{dns_mapping_valid (dm: dns_mapping)}
+The given request was looked up and it was identical to its previous
+mapping.
+
+@item @code{dns_mapping_unverified (dm: dns_mapping)}
+The given request was looked up but no answer came back.
+
+@item @code{dns_mapping_new_name (dm: dns_mapping)}
+In the past, the given address did not resolve to a hostname;
+this time, it did.
+
+@item @code{dns_mapping_lost_name (dm: dns_mapping)}
+In the past, the given address resolved to a hostname; now,
+that name has gone away.  (An answer was received, but it stated
+that there is no hostname corresponding to the given address.)
+
+@item @code{dns_mapping_name_changed (old_dm: dns_mapping, new_dm: dns_mapping)}
+The name returned this time for the given address differs from the
+name returned in the past.
+
+@item @code{dns_mapping_altered (dm: dns_mapping, old_addrs: set[addr], new_addrs: set[addr])}
+The addresses associated with the given hostname have changed.  Those
+in @code{old_addrs} used to be part of the set returned for the name, but
+aren't any more; while those in @code{new_addrs} didn't used to be, but
+now are.  There may also be some unchanged addresses, which are those in
+@code{dm$addrs} but not in @code{new_addrs}.
+
+@end table
+
+@cindex modules, dns, event handlers
+
+@node finger Analyzer,
+@section The @code{finger} Analyzer
+
+@cindex analyzers, application-specific
+@cindex Finger, analysis
+The @code{finger} analyzer processes traffic associated with
+the Finger service RFC-1288.  Bro instantiates a @code{finger}
+analyzer for any connection with service port @code{79/tcp} (if you
+@code{@@load} the finger analyzer in your script, or define your own
+@code{finger_request} or @code{finger_reply} handlers, of course).
+
+The analyzer uses a capture filter of ``@code{port finger}''
+(See: @ref{Filtering}).
+
+In the past, attackers often used Finger requests to obtain information
+about a site's users, and sometimes to launch attacks of various forms
+(buffer overflows, in particular).  In our experience, exploitation
+of the service has
+greatly diminished over the past years (no doubt in part to the service
+being increasingly turned off, or prohibited by firewalls).  Now it is only
+rarely associated with an attack.
+
+@menu
+* finger variables::		
+* finger event handlers::	
+@end menu
+
+@node finger variables,
+@subsection @code{finger} variables
+
+@cindex analyzers, finger, variables
+
+The standard script defines two redefinable variables:
+
+@table @samp
+@item @code{hot_names : set[string]}
+A list of usernames that should be considered sensitive (notice-worthy)
+if included in a Finger request.
+
+Default: @code{@{ "root", "lp", "uucp", "nuucp", "demos", "operator", "sync", "guest", "visitor", @}}.
+
+@item @code{max_request_length : count}
+The largest reasonable request size (used to flag possible buffer
+overflow attacks).  Bro marks a connection as ``hot'' if its request
+exceeds this length, and truncates its logging of the request to
+this many bytes, followed by @code{"..."}.
+
+Default: @code{80}.
+
+@end table
+
+@cindex analyzers, finger, variables
+
+@node finger event handlers,
+@subsection @code{finger} event handlers
+
+@cindex analyzers, finger, event handlers
+
+The standard script defines one event handler:
+
+@table @samp
+@item @code{finger_request (c: connection, request: string, full: bool)}
+Invoked upon connection @code{c} having made the request @code{request}.
+The @code{full} flag is true if the request included the ``long format''
+option (which the event engine will have removed from the request).
+
+The standard script flags long requests and truncates them as noted above,
+and then checks whether the request is for a name in @code{hot_names}.
+It then formats the request either by placing double quotation marks
+around it, or, if the request was empty---indicating a request for
+information on all users---the request is changed to the string @code{ALL}
+with no quotes around it.
+
+If the originator already made a request, then this additional request
+is placed in parentheses (though multiple requests violate the Finger
+protocol).  If the request was for the @code{full} format, then the
+text ``@code{(/W)}'' is appended to the request.  Finally, the request
+is appended to the connection's  field.
+
+@end table
+
+The event engine generates an additional event that the predefined
+@code{finger} script does not handle:
+
+@table @samp
+@item @code{finger_reply (c: connection, reply_line: string)}
+Generated for each line of text sent in response to the originator's
+request.
+
+@end table
+
+@cindex analyzers, finger
+
+@node frag Analysis Script,
+@section The @code{frag} Analysis Script
+
+The @code{frag} utility module simply refines the capture filter
+(See: @ref{Filtering}) so that Bro will capture and reassemble IP fragments.
+Bro reassembles any fragments it receives; but normally it doesn't receive
+any, except the beginnings of TCP fragments (see the @code{tcp} 
+module), and UDP port 111 (per the @code{portmapper} module).
+
+@cindex fragment reassembly
+@cindex fragments, TCP vs. UDP
+@cindex TCP, fragments
+@cindex UDP, fragments
+So, to make Bro do fragment reassembly, you simply use ``@code{load} @code{frag}''.
+It effects this by adding:
+@example
+    (ip[6:2] & 0x3fff != 0) and tcp
+@end example
+
+to the filter.  The first part of this expression matches all IP fragments,
+while the second restricts those matched to TCP traffic.  We would @emph{like}
+to use:
+@example
+    (ip[6:2] & 0x3fff != 0) and (tcp or udp port 111)
+@end example
+
+to also include portmapper fragments, but that won't work---the port
+numbers will only be present in the first fragment, so the packet filter
+won't recognize the subsequent fragments as belonging to a UDP port 111
+packet, and will fail to capture them.
+
+@cindex NFS traffic, high volume fragments
+@emph{Note: Alternatively, we might be tempted to use ``@code{(tcp or udp)}''
+and so capture @emph{all} UDP fragments, including port 111.  This would
+work in principle, but in practice can capture very high volumes of
+traffic due to NFS traffic, which can send all of its file data in
+UDP fragments.}
+
+@node hot-ids Analysis Script,
+@section The @code{hot-ids} Analysis Script
+
+@cindex usernames, sensitive
+@cindex sensitive usernames
+@cindex hot usernames
+
+The @code{hot-ids} module defines a number of redefinable variables
+that specify usernames Bro should consider sensitive:
+
+@table @samp
+@item @code{forbidden_ids set[string]}
+lists usernames that should never be used.  If Bro detects use of one,
+it will attempt to terminate the corresponding connection.
+
+Default: @code{@{ "uucp", "daemon", "rewt", "nuucp", "EZsetup", "OutOfBox", "4Dgifts", "ezsetup", "outofbox", "4dgifts", "sgiweb", @}}.  
+All of these
+correspond to accounts that some systems have enabled by default
+(with well-known passwords), except for @code{"rewt"}, which corresponds
+to a username often used by (weenie) attackers.
+@cindex attackers, weenie
+
+@emph{Deficiency: The repeated definitions such as @code{"EZsetup"} and @code{"ezsetup"} reflect that this variable is a @code{set} and not a @code{pattern}.  Consequently, the exact username must appear in it (with a pattern, we could use character classes to match both upper and lower case).  }
+
+@item @code{forbidden_ids_if_no_password : set[string]}
+Same as @code{forbidden_ids} except only considered forbidden if
+the login succeeded with an empty password.
+
+Default: @code{"lp"}, a default passwordless IRIX account.
+
+@item @code{forbidden_id_patterns : pattern}
+A pattern giving user ids that should be considered forbidden.
+@emph{Deficiency: This pattern is currently only used to check Telnet/Rlogin user ids, not ids seen in other contexts, such as FTP sessions.}
+
+Default: @code{/(y[o0]u)(r|ar[e3])([o0]wn.*)/}, a particularly
+egregious style of username of which we've observed variants
+in different break-ins.
+
+@item @code{always_hot_ids : set[string]}
+A list of usernames that should always be considered sensitive,
+though not necessarily so sensitive that they should be terminated
+whenever used.
+
+Default: @code{@{ "lp", "warez", "demos", forbidden_ids, @}}.  The
+@code{"lp"} and @code{"demos"} accounts are specified here rather
+than @code{forbidden_ids} because it's possible that they might be
+used for legitimate accounts.  @code{"warez"} (for ``wares'', i.e.,
+bootlegged software) is listed because its use likely constitutes
+a policy violation, not a security violation.
+
+Note: @code{forbidden_ids} is incorporated into @code{always_hot_ids}
+to avoid replicating the list of particularly sensitive ids by listing
+it twice and risking inconsistencies.
+
+@item @code{hot_ids set[string]}
+User ids that generate notices if the user logs in successfully.
+
+Default: @code{@{ "root", "system", always_hot_ids, @}}.  The
+ones included in addition to @code{always_hot_ids} are only considered
+sensitive if the user logs in successfully.
+
+@end table
+
+@node ftp Analyzer,
+@section The @code{ftp} Analyzer
+
+@cindex FTP, analysis
+The @code{ftp} analyzer processes traffic associated with
+the FTP file transfer service RFC-959.  Bro instantiates an
+@code{ftp} analyzer for any connection with service port @code{21/tcp},
+providing you have loaded the @code{ftp} analyzer, or defined a handler
+for @code{ftp_request} or @code{ftp_reply}.
+
+The analyzer uses a capture filter of ``@code{port ftp}'' (See: @ref{Filtering}).
+It generates summaries of FTP sessions;
+looks for sensitive usernames, access to sensitive files, and possible
+FTP ``bounce'' attacks, in which the host specified in a ``@code{PORT}'' or
+``@code{PASV}'' directive does not correspond to the host sending
+the directive; or in which a different host than the server (client) connects
+to the endpoint specified in a @code{PORT} (@code{PASV}) directive.
+
+@menu
+* ftp_session_info record::	
+* ftp variables::		
+* ftp functions::		
+* ftp event handlers::		
+* ftp notices::		
+@end menu
+
+@node ftp_session_info record,
+@subsection The @code{ftp_session_info} record
+
+@cindex FTP, session information
+
+The main data structure managed by the @code{ftp} analyzer is
+a collection of @code{ftp_session_info} records, where the
+record type is shown below:
+
+@example
+type ftp_session_info: record @{
+    id: count;              # unique number associated w/ session
+    user: string;           # username, if determined
+    request: string;        # pending request or requests
+    num_requests: count;    # count of pending requests
+    request_t: time;        # time of request
+    log_if_not_denied: bool;        # unless code 530 on reply, log it
+    log_if_not_unavail: bool;       # unless code 550 on reply, log it
+    log_it: bool;           # if true, log the request(s)
+@};
+@end example
+
+The corresponding fields are:
+
+@table @samp
+@item @code{id}
+The unique session identifier assigned to this session.  Sessions
+are numbered starting at @code{1} and incrementing with each new session.
+
+@item @code{user}
+The username associated with this session (from the initial FTP
+authentication dialog), or an empty string if not yet determined.
+
+@item @code{request}
+The pending request, if the client has issued any.  Ordinarily there
+would be at most one pending request, but a client can in fact send
+multiple requests to the server all at once,
+and an attacker could do so attempting
+to confuse the analyzer into mismatching responses with requests,
+or simply forgetting about previous requests.
+
+@item @code{num_requests}
+A count of how many requests are currently pending.
+
+@item @code{request_t}
+The time at which the pending request was issued.
+
+@item @code{log_if_not_denied}
+If true, then when the reply to the current request comes in,
+Bro should log it, unless the reply code is @code{530} (``@code{denied}'').
+
+@item @code{log_if_not_unavail}
+If true, then when the reply to the current request comes in,
+Bro should log it, unless the reply code is @code{550} (``@code{unavail}'').
+
+@item @code{log_it}
+If true, then when the reply to the current request comes in,
+Bro should log it.
+
+@end table
+
+@node ftp variables,
+@subsection @code{ftp} variables
+
+@cindex analyzers, ftp, variables
+
+The standard script defines the following redefinable variables:
+
+@table @samp
+@item @code{ftp_guest_ids : set[string]}
+A set of usernames associated with publicly accessible ``guest''
+services.  Bro interprets guest usernames as indicating Bro should
+use the authentication @emph{password} as the effective username.
+
+Default: @code{@{ "anonymous", "ftp", "guest", @}}.
+
+@item @code{ftp_skip_hot : set[addr, addr, string]}
+Entries indicate that a connection from the first given address to the
+second given address, using the given string username, should not
+be treated as hot even if the username is sensitive.
+
+Default: empty.
+
+Example: redefining @code{ftp_skip_hot} using
+@example
+redef ftp_skip_hot: set[addr, addr, string] += @{
+    [[bob1.dsl.home.net, bob2.dsl.home.net], 
+      bob.work.com, "root"], @};
+@end example
+
+would result in Bro not noticing FTP connections as user @code{"root"}
+from either @code{bob1.dsl.home.net} or @code{bob2.dsl.home.net} to the
+server running on @code{bob.work.com}.
+
+@item @code{ftp_hot_files : pattern}
+Bro matches the argument given in each FTP file manipulation
+request (RETR, STOR, etc.)
+against this pattern to see if the file is sensitive. If so,
+and if the request succeeds, then the access is logged.
+
+@cindex eggdrop
+@cindex filenames, sensitive
+Default: @code{aggdrop} a pattern that matches various flavors of password files, plus
+any string with @code{eggdrop} in it.  @emph{Note: Eggdrop is an IRC management
+tool often installed by certain attackers upon a successful break-in.}
+
+@item @code{ftp_not_actually_hot_files : pattern}
+A pattern giving exceptions to @code{ftp_hot_files}.  It turns out
+that a pattern like @code{/passwd/} generates a lot of false hits,
+such as from @code{passwd.c} (source for the @emph{passwd} utility;
+this can turn up in FTP sessions that fetch entire sets of utility sources
+using @code{MGET}) or @code{passwd.html} (a Web page explaining how to enter
+a password for accessing a particular page).
+
+Default: @code{/(passwd|shadow).*@code{.}(c|gif|htm|pl|rpm|tar|zip)/} .
+
+@item @code{ftp_hot_guest_files pattern}
+Files that guests should not attempt to access.
+
+@cindex rhosts
+@cindex forward
+Default: @code{.rhosts} and @code{.forward} .
+
+@item @code{skip_unexpected : set[addr]}
+If a new host (address) unexpectedly connects to the endpoint specified in a
+@code{PORT} or @code{PASV} directive, then if either the original host
+or the new host is in this set, no message is
+generated.  The idea is that you can specify multi-homed hosts that
+frequently show up in your FTP traffic, as these can generate innocuous
+warnings about connections from unexpected hosts.
+
+Default: some @code{hp.com} hosts, as an example.  Most are specified
+as raw IP addresses rather than hostnames, since the hostnames
+don't always consistently resolve.
+
+@item @code{skip_unexpected_net : set[addr]}
+The same as @code{skip_unexpected}, except addresses are masked to /24 and
+/16 before looked up in this set.
+
+Default: empty.
+
+@end table
+
+@cindex FTP, log file
+@cindex log file, FTP
+@cindex ftp session summary file
+In addition, @code{ftp_log} holds the name of the FTP log file to
+which Bro writes FTP session summaries.  It defaults to
+@code{open_log_file("ftp")}.
+
+Here is an example of what entries in this file look like:
+
+@example
+972499885.784104 #26 131.243.70.68/1899 > 64.55.26.206/ftp start
+972499886.685046 #26 response (220 tuvok.ooc.com FTP server
+    (Version wu-2.6.0(1) Fri Jun 23 09:17:44 EDT 2000) ready.)
+972499886.686025 #26 USER anonymous/IEUser@@ (logged in)
+972499887.850621 #26 TYPE I (ok)
+972499888.421741 #26 PASV (227 64.55.26.206/2427)
+972499889.493020 #26 SIZE /pub/OB/4.0/JOB-4.0.3.zip (213 1675597)
+972499890.135706 #26 *RETR /pub/OB/4.0/JOB-4.0.3.zip, ABOR (complete)
+972500055.491045 #26 response (225 ABOR command successful.)
+@end example
+
+Here we see a transcript of
+the 26th FTP session seen since Bro started running.  The first line
+gives its start time and the participating hosts and ports.  The
+next line (split across two lines above for clarity) gives the server's
+welcome banner.  The client then logged in as user ``@code{anonymous}'',
+and because this is one of the guest usernames, Bro recorded their
+password too, which in this case was ``@code{IEUser@@}'' (a useless
+string supplied by their Web browser).  The server accepted this
+authentication, so the status on the line is ``@code{(logged in)}''.
+
+The client then issues a request for the Image file type, to which the
+server agreed.  Next they issued a @code{PASV} directive, and received a
+response instructing them to connect to the server on port @code{2427/tcp}
+for the next transfer.  At this point, after issuing a @code{SIZE} directive
+(to which the server returned 1,675,597 bytes), they send @code{RETR} to
+fetch the file @emph{/pub/OB/4.0/JOB-4.0.3.zip}.  However, before the
+transfer completed, they issued @code{ABOR}, but the transfer finished
+before the server processed the abort, so the log shows a status of @code{completed}.  Furthermore, because the client issued two commands without
+waiting for an intervening response, these are shown together in the log
+file, and the line marked with a ``@code{*}'' so it draws the eye.  Finally,
+because Bro paired up the @code{(completed)} with the multi-request line, it
+then treats the response to the @code{ABOR} command as a reply by itself,
+showing in the last line that the server reported it successfully carried
+out the abort.
+
+The corresponding lines in the @file{conn} file look like:
+@example
+    972499885.784104 565.836 ftp 118 427 131.243.70.68 64.55.26.206
+        RSTO L #26 anonymous/IEUser@@
+    972499888.984116 165.098 ftp-data ? 1675597 131.243.70.68 
+	64.55.26.206 RSTO L
+@end example
+
+The first line summarizes the FTP control session (over which the client
+sends its requests and receives the server's responses).  It includes
+an @code{addl} annotation of ``@code{#26 anonymous/IEUser@@}'',
+summarizing the session number (so you can find the corresponding records
+in the @code{ftp} log file) and the authentication information.
+
+@cindex connection size, undetermined for RST termination
+@cindex RST termination, causing undetermined connection size
+The second line summarizes the single FTP data transfer, of 1,675,597 bytes.
+The amount of data sent by the client for this connection is shown as
+unknown because the client aborted the connection with a RST (hence
+the state @code{RSTO}).   For connections that Bro does not look inside
+(such as FTP data transfers), it learns the amount of data transferred from
+the sequence numbers of the SYN and FIN connection control packets, and
+can't (reliably) learn them for the sender of a RST.  (It can for the
+receiver of the RST.)
+
+They also aborted the control session (again, state @code{RSTO}), but
+in this case, Bro captured all of the packets of the session, so it
+could still assign sizes to both directions.
+
+@cindex analyzers, ftp, variables
+
+@node ftp functions,
+@subsection @code{ftp} functions
+
+@cindex analyzers, ftp, functions
+
+The standard @code{ftp} script provides one function for external use:
+
+@table @samp
+@item @code{is_ftp_data_conn (c: connection): bool }
+Returns true if the given connection matches one we're expecting
+as the data connection half of an FTP session.  @emph{Note: This function is
+not idempotent: if the connection matches an expected one, then
+Bro updates its state such that that connection is no longer expected.
+It also logs a discrepancy if the connection appears to be usurping
+another one that generated either a ``@code{PORT}'' or a ``@code{PASV}''
+directive.}
+
+Also returns true if the source port is @code{20/tcp} and there's currently
+an FTP session active between the originator and responder, in case for
+some reason Bro's bookkeeping is inconsistent.
+
+@end table
+
+@cindex analyzers, ftp, functions
+
+@node ftp event handlers,
+@subsection @code{ftp} event handlers
+@cindex analyzers, ftp, event handlers
+
+The standard script handles the following events:
+
+@table @samp
+@item @code{ftp_request (c: connection, command: string, arg: string)}
+Invoked upon the client side of connection @code{c} having made the request
+@code{command} with the argument @code{arg}.
+
+The processing depends on the particular command:
+@table @samp
+
+@item @code{USER}
+Specifies the username that the client wishes to
+use for authentication. If it is sensitive---in @code{hot_ids} (which
+the @code{ftp} analyzer accesses via a @code{@@load} of @code{hot-ids})---then
+the analyzer flags the FTP session as notice-worthy.  In addition, if
+the username is in @code{forbidden_ids}, then the analyzer terminates
+the session.
+
+The analyzer also updates the connection's @code{addl} field
+with the username.
+
+@item @code{PASS}
+Specifies the password to use for authentication.
+
+If the password is empty and the username appears in
+@code{forbidden_ids_if_no_password} (also from the @code{hot-ids} analyzer),
+then the analyzer terminates the connection.
+
+If the username corresponds to a guest account (@code{ftp_guest_ids}),
+then the analyzer updates the connection's @code{addl}  field
+with the password as additional account information.  Otherwise,
+it generates an @code{account_tried} event to
+facilitate detection of password guessing.
+
+@item @code{PORT}
+Instructs the FTP server to connect to the given
+IP address and port for delivery of the next FTP data item.  The analyzer
+first checks the address/port specifier for validity.  If valid, it
+will generate a notice if either the address specified in the directive
+does not match that of the client, or if the port corresponds to a
+``privileged'' port, i.e., one in the range 0--1023.  Finally, it
+establishes state so that @code{is_ftp_data_conn} can identify a
+subsequent connection corresponding to this directive as belonging to
+this FTP session.
+
+@item @code{ACCT}
+Specifies additional accounting information associated with a session,
+which the analyzer simply adds to the connection's 
+field.
+
+@item @code{APPE}, @code{CWD}, @code{DELE}, @code{MKD}, @code{RETR}, @code{RMD}, @code{RNFR}, @code{RNTO}, @code{STOR}, @code{STOU}
+All of these manipulate files (and directories).  The analyzer checks
+the filename against the policies to see if it is sensitive in the
+context of the given username (i.e., guest or non-guest), and, if so,
+marks the connection to generate a notice unless the operation fails.
+The analyzer also checks for an excessively long filename, currently
+by checking its length against a @emph{Deficiency:hardwired maximum of 250 bytes}.
+@end table
+
+@item @code{ftp_reply (c: connection, code: count, msg: string, cont_resp: bool)}
+Invoked upon the server side of connection @code{c} having replied to
+a request using the given status code and text message.  @code{cont_resp}
+is true if the reply line is tagged as being continued to the next line.
+The analyzer only processes requests when the last line of a continued
+reply is received.
+
+The analyzer checks the reply against any expected for the connection
+(for example, ``@code{log_if_not_denied}'') and generates notices accordingly.
+If the reply corresponds to a @code{PASV} directive, then it parses the
+address/port specification in the reply and generates notices in an analogous
+fashion as done by the @code{ftp_request} handler for @code{PORT} directives.
+
+Finally, if the reply is not one that the analyzer is hardwired to skip
+(code @code{150}, used at the beginning of a data transfer, and code
+@code{331}, used to prompt for a password),
+then it writes a summary of the request and reply to the FTP log file
+(See: @ref{ftp variables}).  Also, if the reply is an ``orphan'' (there was
+no corresponding request, perhaps because Bro started up after the
+request was made), then the reply is summarized in the log file by
+itself.
+
+@end table
+
+The standard @code{ftp} script defines one other handler, an instance of
+ used to flush FTP session information
+in case the session terminates abnormally and no reply is seen to
+the pending request(s).
+
+@cindex analyzers, ftp, event handlers
+
+@node ftp notices,
+@subsection ftp notices
+@cindex ftp, notices
+
+The FTP analyzer can generate the following Notices:
+
+@itemize
+@item FTP::FTP_BadPort	 - Bad format in PORT/PASV
+@item FTP::FTP_ExcessiveFilename	- Very long filename seen 
+@item FTP::FTP_PrivPort	- Privileged port used in PORT/PASV 
+@item FTP::FTP_Sensitive -Sensitive connection (as defined in hot) 
+@item FTP::FTP_UnexpectedConn	- Data transfer from unexpected src.
+Suppose there's an FTP session between client A and server B, and either
+A issues a PORT or B issues a PASV.  Then what's expected is that A will
+rendezvous with B using the port specified in the PORT/PASV.  If instead
+a new IP address C connects to (or accepts from) the negotiated port, that
+generated FTP_UnexpectedConn.
+@end itemize
+
+
+@node http Analyzer,
+@section The @code{http} Analyzer
+
+@cindex HTTP, analysis
+
+The @code{http} analyzer processes traffic associated with
+the Hyper Text Transfer Protocol (HTTP) [RFC-1945],
+the main protocol used by the Web.  Bro instantiates an
+@code{http} analyzer for any connection with service port @code{80/tcp},
+providing you have loaded the @code{http} analyzer, or defined a handler
+for @code{http_request}.  It also instantiates an analyzer for
+service ports @code{8080/tcp} and @code{8000/tcp}, as these are
+often also used for Web servers.
+
+The analyzer uses a capture filter of ``@code{tcp dst port 80 or tcp dst port 8080 or tcp dst port 8000}'' (See: @ref{Filtering}).  Note: This filter excludes
+traffic sent by an HTTP server (that would be matched by @code{tcp src port 80},
+etc.), because @emph{Deficiency: Bro doesn't yet have an analyzer for HTTP replies.  It generates summaries of HTTP sessions (connections between the same client and server) and looks for access to sensitive URIs (effectively, URLs).}
+
+@menu
+* http variables::		
+* http event handlers::		
+@end menu
+
+@node http variables,
+@subsection @code{http} variables
+
+@cindex analyzers, http, variables
+
+@table @samp
+@cindex HTTP methods
+@item @code{sensitive_URIs : pattern}
+Any HTTP method (e.g., @code{GET}, @code{HEAD},
+@code{POST}) specifying
+a URI that matches this pattern is flagged as sensitive.
+
+@cindex etc/passwd
+@cindex etc/shadow
+@cindex Cold Fusion exploits
+Default: URIs with @code{/etc/passwd} or @code{/etc/shadow} embedded
+in them, or @code{/cfdocs/expeval} (used in some Cold Fusion exploits).
+Note: This latter generates some false hits; it's mainly included
+just to convey the notion of looking for direct attacks rather than
+attacks used to exploit sensitive files like the first ones. 
+
+@emph{Deficiency: It would be very handy to have variables providing hooks for more context when considering whether a particular access is sensitive, such as whether the request was inbound or outbound. }
+
+@item @code{sensitive_post_URIs : pattern}
+Any @code{POST} method specifying a URI that matches this pattern is flagged as
+sensitive.
+
+Default: URIs with @code{wwwroot} embedded in them.
+
+@end table
+
+@cindex frogs, dissecting
+@cindex http session summary file
+
+@cindex HTTP, log file
+@cindex log file, HTTP
+In addition, @code{http_log} holds the name of the HTTP log file to
+which Bro writes HTTP session summaries.  It defaults to
+@code{open_log_file("http")}.
+
+Here we show an example of what entries in this file look like:  
+
+@example
+972482763.371224 %1596 start 200.241.229.80 > 131.243.2.12
+%1596 GET /ITG.hm.pg.docs/dissect/portuguese/dissect.html
+%1596 GET /vfrog/bottom.icon.gif
+%1596 GET /vfrog/top.icon.gif
+%1596 GET /vfrog/movies/off.gif
+%1596 GET /vfrog/new.frog.small.gif
+@end example
+
+Here we see a transcript of
+the 1596th HTTP session seen since Bro started running.  The first line
+gives its start time and the participating hosts.  The
+next five lines all correspond to @code{GET} methods retrieving different
+items from the Web server.  @emph{Deficiency: Bro can't log whether the retrievals succeeded or failed because it doesn't yet have an HTTP reply analyzer. }
+
+The corresponding lines in the @code{conn} file look like:
+@example
+    972482762.872695 481.551 http 441 5040 131.243.2.12 200.241.229.80
+        S3 X %10596
+    972482764.686470 18.7611 http 596 7712 131.243.2.12 200.241.229.80
+        S3 X %10596
+    972482764.685047 ? http 603 2959 131.243.2.12 200.241.229.80
+        S1 X %10596
+@end example
+
+That there are three rather than five reflects @emph{(i)} that the client
+used persistent HTTP, and so didn't need one connection per item, but
+also @emph{(ii)} the client used three parallel connections (the maximum
+the standard allows is only two) to fetch the items more quickly.  As with FTP
+sessions, the @code{%10596} @code{addl} annotation lets you 
+correlate the @code{conn} entries with the log entries.
+
+@emph{Note: All three of the connections wound up in unusual states.  The first
+two are in state @code{S3}, which, as indicated by Table 7.3,
+means that the responder (in this case, the Web server) attempted to close
+the connection, but their was no reply from the originator.  The last is
+in state @code{S1}, indicating that neither side attempted to close the
+connection (which is why no duration is listed for the connection).}
+
+@cindex analyzers, http, variables
+
+@node http event handlers,
+@subsection @code{http} event handlers
+
+@cindex analyzers, http, event handlers
+
+The standard HTTP script defines one event handler:
+
+@table @samp
+@item @code{http_request c: connection, request: string, URI: string}
+Invoked whenever the client side of the given connection generates an
+HTTP request.  @code{request} gives the HTTP method and @code{URI} the
+associated resource.  The analyzer matches the URI against the ones
+defined as sensitive, as given above.
+@end table
+
+@emph{Deficiency: As mentioned above, the event engine does not currently generate an @code{http_reply} event.  This is for two reasons: first, the HTTP request stream is much lower volume than the HTTP reply stream, and I was interested in the degree to which Bro could get away without analyzing the higher volume stream.  (Of course, this argument is shallow, since one could control whether or not Bro should analyze HTTP replies by deciding whether or not to define an @code{http_reply} handler.)  Second, matching HTTP replies in their full generality involves a lot of work, because the HTTP standard allows replies to be delimited in a number of ways.  That said, most of the work for implementing @code{http_reply} is already done in the event engine, but it is missing testing and debugging.}
+
+@cindex analyzers, http, event handlers
+
+@node ident Analyzer,
+@section The @code{ident} Analyzer
+
+@cindex IDENT, analysis
+
+The @code{ident} analyzer processes traffic associated with
+the Identification Protocol [RFC-1413], which provides a simple
+service whereby clients can query Ident servers to discover user information
+associated with an existing connection between the server's host and
+the client's host.  Bro instantiates an @code{ident} analyzer for
+any connection with service port @code{113/tcp}, providing you have loaded
+the @code{ident} analyzer, or defined a handler for @code{ident_request},
+@code{ident_reply}, or @code{ident_error}.
+
+The analyzer uses a capture filter of ``@code{tcp port 113}''
+(See: @ref{Filtering}).
+The @code{ident_reply} handler annotates the @code{addl}
+field of the connection for which the Ident client made its query with the
+user information returned in the reply.  It also checks the user information
+against sensitive usernames, because a match indicates that the connection
+in the Ident query was initiated by a possibly-compromised account.
+
+@menu
+* ident variables::		
+* ident event handlers::	
+@end menu
+
+@node ident variables,
+@subsection @code{ident} variables
+
+@cindex analyzers, ident, variables
+
+The standard script defines the following pair of redefinable variables:
+
+@table @samp
+@item @code{hot_ident_ids : set[string]}
+usernames to flag as sensitive if they appear in an Ident reply.
+
+Default: @code{always_hot_ids} (See: @ref{hot-ids Analysis Script}).
+
+@item @code{hot_ident_exceptions : set[string]}
+usernames not to consider sensitive even if they appear in
+@code{hot_ident_ids}.
+
+@cindex daemons, as innocuous user names
+Default: @code{@{ "uucp", "nuucp", "daemon", @}}.  These usernames
+are exceptions because daemons sometimes run with the given user ids
+and their use is often innocuous.
+
+@end table
+
+@cindex analyzers, ident, variables
+
+@node ident event handlers,
+@subsection @code{ident} event handlers
+
+@cindex analyzers, ident, event handlers
+
+The standard script handles the following events:
+
+@table @samp
+@item @code{ident_request (c: connection, lport: port, rport: port)}
+Invoked when a client request arrives on connection @code{c}, querying
+about the connection from local port @code{lport} to remote port
+@code{rport}, where local and remote are relative to the client.
+
+@item @code{ident_reply (c: connection, lport: port, rport: port, user_id: string, system: string)}
+Invoked when a server replies to an Ident request.  @code{lport} and
+@code{rport} are again the local and remote ports (relative to the
+client) of the connection being asked about.  @code{user_id} is the
+user information returned in the Ident server's reply, and @code{system}
+is information regarding the operating system (the Ident specification
+does not further standardize this information).
+
+The handler annotates the queried connection with the user information,
+which it also checks against @code{hot_ident_ids} and @code{hot_ident_exceptions}
+as discussed above.  At present, it does nothing with the @code{system}
+information.
+
+@item @code{ident_error (c: connection, lport: port, rport: port, line: string)}
+Invoked when the given request yielded an error reply from the Ident
+server.  The handler annotates the connection with
+@code{ident/}@code{<}@emph{error}@code{>},
+where @emph{error} is the text given in @code{line}.
+
+@end table
+
+@cindex analyzers, ident, event handlers
+
+@node irc Analyzer,
+@section The @code{irc} Analyzer
+
+@cindex IRC, analysis
+
+The @code{IRC} analyzer processes traffic from chat sessions that
+use the IRC (Internet Relay Chat) protocol.
+It can analyze client-server connections and server-server connections.
+
+Bro instantiates an @code{IRC} analyzer for any connection with service
+ports @code{6666/tcp} or @code{6667/tcp},
+providing you have loaded the @code{IRC} analyzer, or defined a handler
+for one of the IRC events.
+It it also possible to analyze server connections, but to do so you need
+to recompile Bro to include the necessary ports if they are not the
+usual ones.
+
+Bro can analyze compressed connections if it sees the beginning of the
+connection.
+
+@menu
+* irc records::
+* irc variables::
+* irc event handlers::
+@end menu
+
+@node irc records,
+@subsection @code{irc} records
+
+@cindex analyzers, irc, records
+
+The standard script defines a record for users and one for channels.
+This is the user record:
+@example
+type irc_user: record @{
+	u_nick: string;			# nick name
+	u_real: string;			# real name
+	u_host: string;			# client host
+	u_channels: set[string];	# channels user is a member of
+	u_is_operator: bool;		# user is server operator
+	u_conn: connection;
+@}
+@end example
+
+This record represents a user inside the IRC network.
+The corresponding fields are:
+
+@table @samp
+
+@item @code{u_nick}
+The nick name of the user.
+
+@item @code{u_real}
+The real name of the user.
+
+@item @code{u_host}
+This is the client's host name.
+
+@item @code{u_channels}
+A list of channels the user has joined.
+
+@item @code{u_isOp}
+If the user got operator status in the IRC network this will be set to true.
+
+@item @code{u_conn}
+The TCP connection which this IRC connection is based on.
+
+@end table
+
+This is the channel record:
+@example
+type irc_channel: record @{
+	c_name: string;		# channel name
+	c_users: set[string];	# users in channel
+	c_ops: set[string];	# channel operators
+	c_type: string;		# channel type
+	c_modes: string;	# channel modes
+@}
+@end example
+
+This record represents a channel inside the IRC network.
+The corresponding fields are:
+
+@table @samp
+
+@item @code{c_name}
+The name of the channel.
+
+@item @code{c_users}
+A list of nick names of users in this channel.
+
+@item @code{c_ops}
+A list of nick names of users with operator status in this channel.
+
+@item @code{c_type}
+The channel type.
+
+@item @code{c_modes}
+The channel modes.
+@end table
+
+@cindex analyzers, irc, records
+
+@node irc variables,
+@subsection @code{irc} variables
+
+@cindex analyzers, irc, variables
+
+The standard script defines the following set of redefinable variables:
+
+@table @samp
+
+@item @code{IRC::hot_words}
+list of regular expressions which will generate notice messages.  The
+analyzer searches for these patterns in user messages, notices and all
+unknown IRC commands.
+
+@item @code{IRC::ignore_in_other_msgs: set[string]}
+list of IRC commands which are ignored in the events for unknown commands.
+
+@item @code{IRC::ignore_in_other_responses: set[count]}
+list of IRC return codes which are ignored in the event for unknown return
+codes.
+
+@end table
+
+These variables contain information about users and channels which were identified by Bro.
+
+@table @samp
+
+@item @code{IRC::users: table[string]}
+contains all identified IRC users as @code{irc_user} objects.
+
+@item @code{IRC::channels: table[string]}
+contains all identified IRC channels as @code{irc_channel} objects.
+
+@end table
+
+@cindex analyzers, irc, variables
+
+@node irc event handlers,
+@subsection @code{irc} event handlers
+
+@cindex analyzers, irc, event handlers
+
+The standard script handles the following events:
+
+@table @samp
+
+@item @code{irc_privmsg_message (c: connection, source: string, target: string, message: string)}
+A user sent a message to another user or channel.
+
+@code{IRC} command: PRIVMSG
+
+The source is the user who sent the message to the target user/channel.
+Message contains the data sent to the target.
+
+@item @code{irc_notice_message (c: connection, source: string, target: string, message: string)}
+This is very similar to the irc_privmsg_message. It is typically used by
+services or client scripts to send status messages.
+
+@code{IRC} command: NOTICE
+
+The source is the user who sent the message to the target user/channel.
+Message contains the data sent to the target.
+
+@item @code{irc_squery_message (c: connection, source: string, target: string, message: string)}
+This event is activated if somebody sends a message to an IRC service.
+
+@code{IRC} command: SQUERY
+
+The source is the user who sent the message to the target service.
+Message contains the data sent to the target.
+
+@item @code{irc_enter_message (c: connection, nick: string, realname: string)}
+Every time a user enters the IRC network this event occurs.
+
+@code{IRC} command: USER
+
+Nick contains the selected nick name of the user and realname the user's
+name in real life.
+
+@item @code{irc_quit_message (c: connection, nick: string, message: string)}
+
+Every time a user quits the IRC network this event occurs.
+
+@code{IRC} command: QUIT
+
+Nick contains the nick name of the sender. An optional quit message is included in message.
+
+@item @code{irc_join_message (c: connection, infoList: irc_join_list)}
+
+If a user joins one or more IRC channels this event occurs.
+
+@code{IRC} command: JOIN
+
+The infoList contains a list of joined channel names and - if provided by
+user - the passwords for them.
+
+@item @code{irc_part_message (c: connection, nick: string, channels: string_set, message: string)}
+
+If a user exits one or more IRC channels this event occurs.
+
+@code{IRC} command: PART
+
+Nick contains the nick name of the user.
+Channels is a set of channel names.
+If the user supplies a quit message it is included in message.
+
+@item @code{irc_nick_message (c: connection, who: string, newnick: string)}
+
+This event occurs when users change their nick names.
+
+@code{IRC} command: NICK
+
+Who contains the IRC message prefix which includes the user nick and host.
+Newnick is the new nick name of this user.
+
+@item @code{irc_invalid_nick (c: connection)}
+
+This event occurs when users change their nick names and the name was invalid.
+
+@code{IRC} response to: NICK
+
+@item @code{irc_network_info (c: connection, users: count, services: count, servers: count)}
+
+This a summary of the status of the whole IRC network.
+
+@code{IRC} response to: LUSERS
+
+Users, services and servers are the total number of users, services and IRC servers connected to the IRC network.
+
+@item @code{irc_server_info (c: connection, users: count, services: count, servers: count)}
+
+This a summary of an IRC server status.
+
+@code{IRC} response to: LUSERS
+
+Users, services and servers are the total number of users, services and IRC servers connected with this IRC server.
+
+@item @code{irc_channel_info (c: connection, channels: count)}
+
+Displays the total number of channels.
+
+@code{IRC} response to: LUSERS
+
+Channels is the number of IRC channels formed on this server (local + global).
+
+@item @code{irc_who_message (c: connection, mask: string, oper: bool)}
+
+The event occurs if an IRC user sent the WHO command to get information about an IRC user or channel.
+
+@code{IRC} command: WHO
+
+Mask is the target of the search. This can be a channel or user name,
+wildcards are allowed.  If oper is true then the user asks only for operator
+user results.
+
+@item @code{irc_who_line (c: connection, target_nick: string, channel:
+string, user: string, host: string, server: string, nick: string, params:
+string, hops: count, realname: string)}
+
+This includes several information about an IRC user.
+
+@code{IRC} response to: WHO
+
+@code{Target_nick} is the nick name of the IRC user who sent the WHO request.
+The username of the returned IRC user is included in @code{user}, his nick
+name in @code{nick} and real name in @code{realname}.  The client DNS/IP
+address is @code{host}. @code{Params} includes the channel parameters for
+this user (e.g. "@@" for channel operators).  The user is connected to IRC
+server @code{server} and the number of servers between him and the requester
+is @code{hops}.  @code{Channel} includes the channel name which was target
+for the request.
+
+@item @code{irc_whois_message (c: connection, server: string, users: string)}
+
+The event occurs if an IRC user sent the WHOIS command to get information
+about one or more IRC users.
+
+@code{IRC} command: WHOIS
+
+If server is given then the user wants this specific server to answer.
+Users is comma separated list of nick names for which information is
+requested.
+
+@item @code{irc_whois_user_line (c: connection, nick: string, user: string, host: string, realName: string)}
+
+This includes several information about an IRC user.
+
+@code{IRC} response to: WHOIS
+
+The user with nick name nick has the user name user and his real name is realname. The IRC client runs on host.
+
+@item @code{irc_whois_operator_line (c: connection, nick: string)}
+
+This response to an WHOIS command gives information if an IRC user is operator.
+
+@code{IRC} response to: WHOIS
+
+The IRC user with nick name nick has operator status.
+
+@item @code{irc_whois_channel_line (c: connection, nick: string, channels: string_set)}
+
+This response to an WHOIS command gives information on the channels of an
+IRC user.
+
+@code{IRC} response to: WHOIS
+
+The IRC user with nick name nick is member in all IRC channels of the
+variable channels.
+
+@item @code{irc_oper_message (c: connection, user: string, password: string)}
+
+This means that an IRC user requested operator status.
+
+@code{IRC} command: OPER
+
+The user and password parameters are used to authenticate the possible
+operator. They must fit to the IRCD server settings.
+
+@item @code{irc_oper_response (c: connection, got_oper: bool)}
+
+This is the answer to an operator request.
+
+@code{IRC} response to: OPER
+
+If the IRC user got operator status the got_oper variable is true.
+
+@item @code{irc_kick_message (c: connection, prefix: string, channels: string, users: string, comment: string)}
+
+An user requested to remove somebody from a channel.
+
+@code{IRC} command: KICK
+
+Prefix includes the requesters nick name and host. The user requested to
+remove the users (comma separated list) from the channels (comma separated
+list).  If the requester provided an optional kick message it is included
+in comment.
+
+@item @code{irc_error_message (c: connection, prefix: string, message: string)}
+
+An IRC server sent an error message to one or more clients.
+
+@code{IRC} command: ERROR
+
+Prefix includes the server name and message contains the error message.
+
+@item @code{irc_invite_message (c: connection, prefix: string, nickname: string, channel: string)}
+
+An IRC user sent an invitation for a closed channel to another user.
+
+@code{IRC} command: INVITE
+
+Prefix includes the senders nick and host. The IRC user with the nick name
+nickname is invited to the channel with name channel.
+
+@item @code{irc_mode_message (c: connection, prefix: string, params: string)}
+
+An IRC user sent an user or channel mode message.
+
+@code{IRC} command: MODE
+
+@item @code{irc_squit_message (c: connection, prefix: string, server: string, message: string)}
+
+This means that the disconnection of a server link was requested. This
+command is only available to operators.
+
+@code{IRC} command: SQUIT
+
+Prefix includes the requesters nick and host. Server is the host name of
+the server to disconnect and message contains an optional comment.
+
+@item @code{irc_names_info (c: connection, c_type: string, channel: string, users: string_set)}
+
+This reply to a NAMES command gives information what users are on what
+channels.
+
+@code{IRC} response to: NAMES
+
+C_type is "@@" for secret, "*" for private and "=" for public channels.
+Channel contains the channel name.  Users is a list of nick names that are
+member of this channel.
+
+@item @code{irc_dcc_message (c: connection, prefix: string, target: string, dcc_type: string,
+argument: string, address: addr, dest_port: count, size: count)}
+
+An user sent a DCC request to another user to setup a direct connection
+between these users.
+
+@code{IRC} command: PRIVMSG DCC
+
+Prefix contains the requesters nick and host. Target contains the target
+user's nick name.  Dcc_type can be "CHAT" for chat connections or "SEND"
+for file transfers.  Argument contains the file name for file transfers
+or "chat" for chat connections.  Address and dest_port specify where the
+target user should connect.  Size is only given for file transfers and
+contains the file size in bytes.
+
+@item @code{irc_request (c: connection, prefix: string, command: string, arguments: string)}
+
+All client messages that do not fit to the other events are handled here.
+
+Prefix is usually formated like this: <nickname>!<user>@@<hostname>.
+Command contains the command string which was sent and arguments the
+corresponding argument values.
+
+@item @code{irc_message (c: connection, prefix: string, command: string, message: string)}
+
+All server messages that do not fit to the other events are handled here.
+
+Prefix is usually the server name.  Command contains the command string
+which was sent and message contains additional parameters.
+
+@item @code{irc_response (c: connection, prefix: string, code: count, params: string)}
+
+All server response messages that do not fit to the other events are handled
+here.
+
+Prefix is usually the server name.  Code is the numeric reply code and
+params contains any additional parameters.
+
+@end table
+
+@node login Analyzer,
+@section The @code{login} Analyzer
+@cindex login session
+@cindex Rlogin, sessions
+@cindex Telnet, sessions
+@cindex Unix analysis
+@cindex keystrokes, analysis
+@cindex input, analysis
+@cindex user keystrokes, analysis
+The @code{login} analyzer inspects interactive login sessions
+to extract username and password information, and monitors user
+keystrokes and the text returned by the login server.  It is one of
+the most powerful Bro modules for detecting break-ins to Unix
+systems because of the ability to look for particular commands that
+attackers often execute once they have penetrated a Unix machine.
+
+The analyzer is generic in the sense that it applies to more
+than one protocol.  Currently, Bro instantiates a @code{login}
+analyzer for both Telnet [RFC-854] and Rlogin [RFC-1282]
+traffic.  In principle, it could do the same for other protocols such as
+SSH [RFC-XXX] or perhaps X11 [RFC-1013], if one could write
+the corresponding elements of the event engine to decrypt the
+SSH session (naturally, this would require access to the encryption keys)
+or extract authentication information and keystrokes from the
+X11 event stream.  @emph{Note: The analyzer does an exceedingly limited
+form of SSH analysis; see @code{hot_ssh_orig_ports} }. 
+
+@cindex authentication dialog
+@cindex usernames, extracting
+@cindex sniffing
+@cindex passwords, sniffing
+@cindex heuristics, extracting username information
+@cindex Telnet, options
+@cindex options, Telnet
+For Telnet, the event engine knows how to remove in-band Telnet option
+sequences [RFC-855]
+from the text stream, and does not deliver these to
+the event handlers, except for a few options
+that the engine
+analyzes in detail (such as attempts to negotiate authentication).
+Unfortunately, the Telnet protocol does not include any explicit
+marking of username or password information (unlike the FTP protocol,
+as discussed in @ref{ftp Analyzer}).  Consequently, Bro employs a series
+of heuristics that attempt to extract the username and password from the
+authentication dialog the session is presumed to begin with.  The
+analysis becomes quite complicated due to the possible use of
+type-ahead and editing sequences by the user, plus the possibility
+@cindex evasion, authentication dialog
+that the user may be an attacker who attempts to mislead the heuristics
+in order to disguise the username they are accessing.
+
+@cindex rhosts
+Analyzing Rlogin is nominally easier than analyzing Telnet because Rlogin
+has a simpler in-band option scheme, and because the Rlogin protocol
+explicitly indicates the username in the initial connection dialog.
+However, this last is not actually a help to the analyzer, because
+for most Rlogin servers, if the initial username fails authentication
+(for example, is not present in the @code{.rhosts} file local to
+the server), then the server falls back on the same authentication
+dialog as with Telnet
+(prompting for username and then password, or perhaps just
+for a password to go with the transmitted username).
+Consequently, the event engine employs the same set of heuristics
+as for Telnet.
+
+Each connection processed by the analyzer is in a distinct state:
+user attempting to authenticate, user has successfully authenticated,
+analyzer is skipping any further processing, or the analyzer is
+confused (See: @ref{login analyzer confusion}).  You can find out the state of
+a given connection using @code{get_login_state}.
+
+The analyzer uses a capture filter of ``@code{tcp port 23 or tcp port 513}''
+@code{@ref{Filtering}}.  It annotates each connection
+with the username(s) present in the authentication dialog.  If
+the username was authenticated successfully, then it encloses
+the annotation in quotes. If the authentication failed, then
+the name is marked as @code{failed/}@code{<}@emph{username}@code{>}.
+So, for example, if user ``smith'' successfully authenticates,
+then the connection's @code{addl} field will have
+@code{"smith"} appended to it:
+@example
+931803523.006848 254.377 telnet 324 8891 1.2.3.4 5.6.7.8 SF L "smith"
+@end example
+
+while if ``smith'' failed to authenticate, the report will look like:
+@example
+931803523.006848 254.377 telnet 324 8891 1.2.3.4 5.6.7.8 SF L fail/smith
+@end example
+
+and if they first tried as ``smith'' and failed, and then succeeded
+as ``jones'', the record would look like:
+@example
+931803523.006848 254.377 telnet 324 8891 1.2.3.4 5.6.7.8 SF L 
+	fail/smith "jones"
+@end example
+
+@cindex passwords, inadvertently exposed
+@cindex sensitive information, inadvertently exposed
+@emph{Note: The event engine's heuristics can sometimes get out of synch
+such that it interprets a password as a username; in addition, users
+sometimes type their password when they should instead enter
+their username.  Consequently, the connection logs sometimes include
+passwords in the annotations, and so should be treated as very sensitive
+information (e.g., not readable by any user other than the one running
+Bro). }
+
+@menu
+* login analyzer confusion::	
+* login variables::		
+* login functions::		
+* login event handlers::	
+@end menu
+
+@node login analyzer confusion,
+@subsection @code{login} analyzer confusion
+@cindex login analysis, confusion
+@cindex confused login analysis
+@cindex heuristics, confusion
+@cindex confusion of heuristics
+@cindex failure of heuristics
+@cindex authentication dialog
+@cindex usernames, extracting
+@cindex heuristics, extracting username information
+@cindex rhosts
+Because there is no well-defined protocol for Telnet authentication
+(or Rlogin, if the initial
+@code{.rhosts} authentication fails), the @code{login} analyzer employs a set
+of heuristics to detect the username, password, and whether the authentication
+attempt succeeded.  All in all, these heuristics work quite well, but
+it is possible for them to become confused and reach incorrect conclusions.
+
+Bro attempts to detect such confusion.  If it does, then it generates a
+ event, after which the event engine will no
+longer attempt to follow the authentication dialog.  In particular, it will
+@emph{not} generate subsequent @code{login_failure} or
+@code{login_sucess} events.  The @code{login_confused} event includes
+a string describing the type of confusion, using one of the values
+given in the table below.
+
+
+@float Table, Login analyzer confusion
+@multitable  @columnfractions .35 .55
+@item @strong{Type of confusion} @tab @strong{Meaning}
+@item "excessive typeahead" 
+@tab The user has typed ahead 12 or more lines. Deficiency: The upper bound
+should be adjustable.
+@item "extra repeat text" 
+@tab The user has entered more than one VMS repeat sequence (an escape
+followed by "[A") on the same line. Note: Bro determines
+that a login session involves a VMS server if the server prompts with
+"@code{Username:}". It then interprets VMS repeat sequences as indicating
+it should replace the current line with the previous line.
+@item "multiple USERs" 
+@tab The user has specified more than one username using the $USER environment
+variable.
+@item "multiple login prompts" 
+@tab The analyzer has seen several login prompts on the same line, and has
+not seen a corresponding number of lines typed ahead previously by the
+user.
+@item "no login prompt" 
+@tab The analyzer has seen 50 lines sent by the server without any of them
+matching login prompts. Deficiency: The value of 50 should be adjustable.
+@item "no username" 
+@tab The analyzer is generating an event after having already seen a login
+failure, but the user's input has not provided another username to include
+with the event. Note: If the analyzer's heuristics indicate it's okay that
+no new username has been given, such as when the event is generated
+due to one connection endpoint closing the connection, then it instead
+uses the username @code{<none>}.
+@item "no username2" 
+@tab The analyzer saw an additional password prompt without seeing an intervening
+username, and it has no previous username to reuse.
+@item "non empty multi login" 
+@tab The analyzer saw multiple adjacent login prompts, with an apparently
+ignored intervening username typed-ahead between them.
+@item "possible login ploy" 
+@tab The client sent text that matches one of the patterns reflecting text usually
+sent by the server. This form of confusion can reflect an attacker attempting
+to evade the monitor. For example, the client may have sent the text
+"@code{login:} as a username so that when echoed back by the server, the
+analyzer would misinterpret it as reflecting another login prompt from
+the server.
+@item "repeat without username" 
+@tab The user entered a VMS repeat sequence but there is no username to
+repeat. (See extra repeat text for a discussion of the analyzer's
+heuristics for dealing with VMS servers.)
+@item "responder environment" 
+@tab The responder (login server) has signaled a set of environment variables
+to the originator (login client). This is in the opposite direction as to what
+makes sense.
+@item "username with embedded repeat" 
+@tab The line repeated by a VMS server in response to a repeat sequence itself
+contains a repeat sequence.
+@end multitable
+@caption{Different types of confusion that login analyzer can report}
+@end float
+
+@node login variables,
+@subsection @code{login} variables
+
+@cindex analyzers, login, variables
+
+The standard script defines a large number of variables for refining the
+analysis policy:
+
+@table @samp
+@item @code{input_trouble : pattern} 
+lists patterns that the analyzer
+should flag if they appear in the user's input (keystroke) stream.
+
+@cindex user keystrokes, editing
+@cindex keystrokes, editing
+@cindex input, editing
+The analyzer searches for these patterns both in the raw text typed
+by the user and the same lines after applying @emph{editing}
+using the @code{edit} function twice: once with interpreting
+@emph{BS} (ctrl-H) as delete-one-character, and once with @emph{DEL}
+as the edit character.  If any of these matches, then the analyzer
+considers the pattern to have matched.
+
+@code{eggdrop}
+@cindex root, backdoors
+@cindex Internet Relay Chat (IRC), attacker subpopulation
+@cindex exploits, Unix
+Default: a pattern matching occurrences of the strings
+``@code{rewt}'',
+``@code{eggdrop}'',
+``@code{loadmodule}'', or
+``@code{/bin/eject}''.  The first of these is a popular username attackers
+use for root backdoor accounts.  The second reflects that one prevalent
+class of attackers are devotees of Internet Relay Chat (IRC), who
+frequently upon breaking into an account install the IRC @code{eggdrop}
+utility.
+
+@item @code{edited_input_trouble : pattern} 
+is the same as @code{input_trouble} except the analyzer only checks the edited
+user input against the pattern, not the raw input (see above).
+
+This variable is provided so you can specify patterns that can
+occur innocuously as typos; whenever the user corrects the typo before
+terminating the line, the pattern won't match, because it won't be present
+in the edited version of the line.  In addition, for matches to
+these patterns, the analyzer @emph{delays} reporting the match until
+it sees the next line of output from the server.  It then includes
+both the line that triggered the match and the corresponding response
+from the server, which makes it easy for a human inspecting the logs
+to tell if the occurrence of the pattern was in fact innocuous.
+
+@cindex filenames, sensitive
+@cindex directory names, sensitive
+@cindex sensitive filenames
+Here's an example of an innocuous report:
+@example
+936723303.760483 1.2.3.4/21550 > 5.6.7.8/telnet
+    input "cd ..." yielded output "ksh: ...:  not found."
+@end example
+
+It was flagged because the user's input included
+``@code{...}'', a name commonly used by attackers to surreptitiously
+hide a directory containing their tools and the like.  However, we
+see from the Telnet server's response that this was not actual access
+to such a directory, but merely a typing mistake.
+
+On the other hand:
+@example
+937528764.579039 1.2.3.4/3834 > 5.6.7.8/telnet
+    input "cd ..." yielded output "maroon# ftp 
+	sunspot.sunspot.noao.edu "
+@end example
+
+shows a problem---the lines returned by the server was a root
+prompt (``@code{maroon@code{#}}''), to which the user issued a command to
+access a remote FTP server.
+
+@emph{Deficiency: The analyzer should decouple the notion of waiting to receive the server's reply from the notion of matching only the edited form of the line; there might be raw inputs for which it is useful to see the server's response, and edited inputs for which the server's response is unimportant in terms of knowing that the input spells trouble. }
+
+Default: the pattern
+@example
+    /[ \t]*cd[ \t]+((['"]?\.\.\.)|(["'](\.[^"']*)[ \t]))/
+@end example
+
+which looks for a ``@code{cd}'' command to either a directory beginning
+with ``@code{...}'' (optionally quoted by the user) or a directory
+name beginning with ``@code{.}'' that is quoted and includes an
+embedded blank or tab.
+
+@item @code{output_trouble : pattern} 
+lists patterns that
+the analyzer should flag if they occur in the output sent by the
+login server back to the user.
+
+@cindex buffer overflow tools
+@cindex exploits, buffer overflow
+@cindex sniffer logs
+@cindex trojaning
+@cindex Linux, super exploit
+@cindex smurf attacks
+@cindex attacks, smurf
+@cindex log file, altering
+@cindex altering log files
+@code{PATH_UTMP sensitive pattern}
+@code{smashdu.c exploit tool}
+@cindex root, setuid
+@cindex setuid root
+@cindex command shell, setuid root
+@cindex ls
+@cindex utilities, ls
+@cindex lynx utility
+@cindex utilities, lynx
+@cindex fetch utility
+@cindex utilities, fetch
+@cindex anticode.com
+@cindex TFreak
+Default: the pattern
+@example
+      /^-r.s.*root.*\/bin\/(sh|csh|tcsh)/
+    | /Jumping to address/
+    | /smashdu\.c/
+    | /PATH_UTMP/
+    | /Log started at =/    
+    | /www\.anticode\.com/
+    | /smurf\.c by TFreak/
+    | /Trojaning in progress/ 
+    | /Super Linux Xploit/
+@end example
+
+The first of these triggers any time the user inspects with the
+@emph{ls} utility an executable whose pathname ends in @code{/bin/} followed
+by one of the popular command shells, and the @emph{ls} output shows
+that the command shell has been altered to be setuid to root.
+The remainder match either the output generated by some popular
+exploit tools (for example, ``@code{Jumping to address}'', present
+in many buffer overflow exploit tools), exploit tool names (``@code{smashdu.c}''),
+text found within the tool source code (``@code{smurf.c by TFreak}''),
+or URLs accessed (say via the @emph{lynx} or @emph{fetch} utilities)
+to retrieve attack software (``@code{www.anticode.com}'').
+
+@cindex backdoor, prompts
+@item @code{backdoor_prompts : pattern} 
+lists patterns that
+the analyzer should flag if they are seen as the first line sent by the
+server to the user, because they often correspond with
+backdoors that offer a remote user immediate command shell access
+without having to first authenticate.
+
+Default: the pattern ``@code{/^[!-~]*( ?)[#%$] /}'', which matches
+a line that begins with a series of printable, non-blank characters and
+ends with a likely prompt character, with a blank just after
+the prompt character and perhaps before it.
+
+@cindex backdoor, avoiding false positives
+@item @code{non_backdoor_prompts : pattern} 
+lists patterns
+that if a possible backdoor prompt also matches, then the analyzer
+should not consider the server output as indicating a backdoor prompt.
+Used to limit false positives for @code{backdoor_prompts}.
+
+Default: the pattern ``@code{/^ *#.*#/}'', which catches lines with
+more than one occurrence of a @code{#}.  Some servers generate such
+lines as part of their welcome banner.
+
+@cindex backdoor, triggered by terminal type
+@cindex magic terminal types
+@item @code{hot_terminal_types : pattern} 
+lists ``magic''
+terminal types sometimes used by attackers to access backdoors.
+Both Telnet and Rlogin have mechanisms for negotiating a terminal
+type (name; e.g., ``@code{xterm}''); these backdoors trigger and skip
+authentication if the name has a particular value.
+
+@code{VT666}
+Default: the name ``@code{VT666}'', one of the trigger terminal types
+we've observed in practice.
+
+@cindex backdoor, triggered by ephemeral port
+@cindex ephemeral port, triggering a backdoor
+@cindex client port, triggering a backdoor
+
+@item @code{hot_telnet_orig_ports : set[port]} 
+Some Telnet backdoors trigger if the ephemeral port used by the client side of the connection
+happens to be a particular value.  This variable is used to list the
+port values whose use should be considered as possibly indicating
+a backdoor.  @emph{Note: Clearly, this mechanism can generate false
+positives when the client by chance happens to choose one of the
+listed ports.}
+
+Default: @code{53982/tcp}, one of the trigger ports we have observed
+in practice.
+
+@emph{Deficiency: There should be a corresponding variable for Rlogin backdoors triggered by a similar mechanism. }
+
+@item @code{hot_ssh_orig_ports : set[port]} 
+Similar to @code{hot_telnet_orig_ports}, only for SSH.
+
+Default: @code{31337/tcp}, a trigger port that we've observed in practice.
+
+@item @code{skip_authentication : set[string]} 
+A set of strings
+that, if present in the server's initial output (i.e., its welcome banner),
+indicates the analyzer should not attempt to analyze the session for an
+authentication dialog.  This is used for servers that provide public
+access and don't bother authenticating the user.
+
+Default: the string @code{"WELCOME TO THE BERKELEY PUBLIC LIBRARY"},
+which corresponds to a frequently accessed public server in the
+Berkeley area.  (Obviously, we include this default as an example,
+and not because it will be appropriate for most Bro users!  But it
+does little harm to include it.)
+
+@emph{Deficiency: It would be more natural if this variable and a number of others listed below were of type @code{pattern} rather than @code{set[string]}.  They are actually converted internally by the event engine into regular expressions. }
+
+@item @code{direct_login_prompts : set[string]} 
+A set of strings
+that if seen during the authentication dialog mean that the user will
+be logged in as soon as they answer the prompt.
+
+Default: @code{"TERMINAL?"}, a prompt used by some terminal servers.
+
+@code{login_prompts : set[string]} 
+A set of strings corresponding to login username prompts during an authentication
+dialog.
+
+Default: the strings
+@example
+    Login:
+    login:
+    Name:
+    Username:
+    User:
+    Member Name
+@end example
+
+and the default contents of @code{direct_login_prompts}.
+
+@item @code{login_failure_msgs : set[string]} 
+A set of strings
+that if seen in text sent by the server during the authentication dialog
+correspond to a failed login attempt.
+
+Default: the strings
+@example
+    invalid
+    Invalid
+    incorrect
+    Incorrect
+    failure
+    Failure,
+    User authorization failure,
+    Login failed,
+    INVALID
+    Sorry,
+    Sorry.
+@end example
+
+@item @code{login_non_failure_msgs : set[string]} 
+A set of strings
+similar to @code{login_failure_msgs} that if present mean that the
+server text does not actually correspond to an authentication failure
+(i.e., if @code{login_failure_msgs} also matches, it's a false
+positive).
+
+Default: the strings
+@example
+    Failures
+    failures
+    failure since last successful login
+    failures since last successful login
+@end example
+
+@item @code{router_prompts : set[string]} 
+A set of strings
+corresponding to prompts returned by the local routers when a
+user successfully authenticates to the router.
+For the purpose of this variable, see the next variable.
+
+Default: empty.
+
+@item @code{login_success_msgs : set[string]} 
+A set of strings
+that if seen in text sent by the server during the authentication dialog
+correspond to a successful authentication attempt.
+
+Default: the strings
+@example
+    Last login
+    Last successful login
+    Last   successful login
+    checking for disk quotas
+    unsuccessful login attempts
+    failure since last successful login
+    failures since last successful login
+@end example
+
+and the default contents of the @code{router_prompts} variable.
+
+@emph{Deficiency: Since by default @code{router_prompts} is empty, this last inclusion does nothing.  In particular, if you redefine @code{router_prompts} then @code{login_success_msgs} will @emph{not}  pick up the change; you will need to redefine it to (again) include @code{router_prompts}, using: @w{redef login_success_msgs += router_prompts}. This is clearly a misfeature of Bro and will be fixed one fine day. }
+
+@item @code{login_timeouts : set[string]} 
+A set of strings that if seen in text sent by the server during the authentication dialog
+correspond to the server having timed out the authentication attempt.
+
+Default: the strings
+@example
+    timeout
+    timed out
+    Timeout
+    Timed out
+    Error reading command input
+@end example
+
+(This last is returned by the VMS operating system.)
+
+@item @code{non_ASCII_hosts : set[addr]} 
+A set of addresses corresponding to hosts whose login servers do not (primarily) use
+7-bit ASCII.  The analyzer will not attempt to analyze authentication
+dialogs to such hosts, and will not complain about huge lines
+generated by either the sender or receiver (per @code{excessive_line}).
+
+Default: empty.
+
+@item @code{skip_logins_to : set[addr]} 
+A set of addresses corresponding to hosts for which the analyzer should not attempt
+to analyze authentication dialogs.
+
+Default: the (empty) contents of @code{non_ASCII_hosts}.
+
+@item @code{always_hot_login_ids : set[string]} A set of usernames
+that the analyzer should always flag as sensitive, even if they're seen in
+a session for which the analyzer is @emph{confused} @ref{login analyzer confusion}.
+
+Default: the value of @code{always_hot_ids} defined by the
+@code{hot} analyzer.
+
+@item @code{hot_login_ids : set[string]} 
+A set of usernames that the analyzer should flag as sensitive, unless it sees them
+in a session for which the analyzer is @emph{confused} 
+(See: @ref{login analyzer confusion}).
+
+Default: the value of @code{hot_ids} defined by the
+@code{hot-ids} analyzer.
+
+@cindex rhosts
+@item @code{rlogin_id_okay_if_no_password_exposed : set[string]}
+A set of username exceptions to @code{hot_login_ids} which the
+analyzer should not flag as sensitive if the user authenticated without
+exposing a password (so, for example, via @code{.rhosts}).
+
+Default: the username @code{"root"}.
+
+@end table
+
+@cindex analyzers, login, variables
+
+@node login functions,
+@subsection @code{login} functions
+
+@cindex analyzers, login, functions
+
+The standard @code{login} script provides the following functions for external use:
+
+@table @samp
+@item @code{is_login_conn (c: connection): bool }
+Returns true if the given connection is one analyzed by @code{login}
+(currently, Telnet or Rlogin), false otherwise.
+
+@item @code{hot_login (c: connection, msg: string, tag: string) }
+Marks the given connection as hot, logs the given message, and
+demultiplexes @code{demux} the subsequent server-side contents of the
+connection to a filename based on @code{tag} and the client-side
+to a filename based on the name @code{"keys"}.  No return value.
+
+@item @code{is_hot_id (id: string, successful: bool, confused: bool): bool}
+Returns true if the username id should be considered sensitive,
+given that the user either did or did not successfully authenticate,
+and that the analyze was or was not in a @emph{confused} state
+(See: @ref{login analyzer confusion}).
+
+@item @code{is_forbidden_id (id: string): bool }
+Returns true if the username id is present in 
+@code{forbidden_ids} or @code{forbidden_id_patterns}.
+
+@item @code{edit_and_check_line (c: connection, line: string, successful: bool): check_info}
+Tests whether the given line of text seen on connection @code{c} includes
+a sensitive username, after first applying @emph{BS} and @emph{DEL}
+keystroke editing (see: @ref{login variables}).  @code{successful} should
+be true if the user has successfully authenticated, false otherwise.
+
+The return value is a @code{check_info} record, which contains four
+@code{check_info}
+fields:
+@table @samp
+@item @code{expanded_line}
+All of the different editing interpretations of the line, separated
+by commas.  For example, if the original line is
+@quotation
+@code{"@code{rob<}@emph{DEL}@code{><}@emph{BS}@code{><}@emph{BS}@code{>ot}"}
+@end quotation
+then the different editing interpretations are
+@code{"@code{ro<}@emph{BS}@code{><}@emph{BS}@code{>ot}"}
+and @code{"root"}, so the return value will be:
+@quotation
+@code{"@code{rob<}@emph{DEL}@code{><}@emph{BS}@code{><}@emph{BS}@code{>ot},@code{ro<}@emph{BS}@code{><}@emph{BS}@code{>ot},root"}
+@end quotation
+
+@emph{Deficiency: Ideally, these values would be returned in a list of some form, so that they can be accessed separately and unambiguously. The current form is really suitable only for display to a person, and even that can be quite confusing if @code{line} happens to contain commas already.  @emph{Or}, perhaps an algorithm of ``simply pick the shortest'' would find the correct editing every time anyway.}
+
+@item @code{hot: bool}
+True if any editing sequence resulted in a match against a sensitive username.
+
+@item @code{hot_id: string}
+The version of the input line (with or without editing) that was considered
+hot, or an empty string if none.
+
+@item @code{forbidden: bool}
+True if any editing sequence resulted in a match against a username considered
+``forbidden'', per @code{is_forbidden_id}.
+
+@end table
+
+@item @code{edit_and_check_user (c: connection, user: string, successful: bool, fmt_s: string): bool}
+Tests whether the given username used for authentication on connection @code{c}
+is sensitive, after first applying @emph{BS} and @emph{DEL}
+keystroke editing (See: @ref{login variables}).  @code{successful} should be
+true if the user has successfully authenticated, false otherwise.
+
+@code{fmt_s} is a @code{fmt} format specifying how the username
+information should be included in the connection's 
+@code{addl} field.  It takes two @code{string} parameters, the current value of the
+field and the expanded version of the username as described in @code{expanded_line}.
+
+If @code{edit_and_check_line} indicates that the username is sensitive,
+then @code{edit_and_check_user} records the connection into its own
+demultiplexing files .  If the username is @emph{forbidden},
+then unless the analyzer is confused, we attempt to terminate the
+connection using @code{terminate_connection}.
+
+@cindex connection, hot
+@cindex hot connections
+Returns true if the connection is now considered ``hot,'' either
+due to having a sensitive username, or because it was hot upon
+entry to the function.
+
+@cindex connection, hot
+@cindex hot connections
+@item @code{edit_and_check_password(c: connection, password: string): bool}
+Checks the given password to see whether it contains a sensitive username.
+If so, then marks the connection as hot and logs the sensitive password.
+No return value.
+
+@emph{Note: The purpose of this function is to catch instances in which the
+event engine becomes out of synch with the authentication dialog and mistakes
+what is, in fact, a username being entered, for a password being entered.
+Such confusion can come about either due to a failure of the event
+engine's heuristics, or due to deliberate manipulation of the event
+engine by an attacker. }
+
+@end table
+
+@cindex analyzers, login, functions
+
+@node login event handlers,
+@subsection @code{login} event handlers
+
+@cindex analyzers, login, event handlers
+
+The standard @code{login} script handles the following events:
+
+@cindex rhosts
+@table @samp
+@item @code{login_failure (c: connection, user: string, client_user: string, password: string, line: string)}
+Invoked when the event engine has seen a failed attempt to authenticate
+as @code{user} with @code{password} on the given connection @code{c}.
+@code{client_user} is the user's username on the client side of the
+connection.  For Telnet connections, this is an empty string, but
+for Rlogin connections, it is the client name passed in the initial
+authentication information (to check against
+@code{.rhosts}).  @code{line} is the
+line of text that led the analyzer to conclude that the authentication
+had failed.
+
+The analyzer first generates an @code{account_tried}
+event to facilitate detection of password guessing, and then checks for
+a sensitive username or password.  If the username was not sensitive
+and the password is empty, then no further analysis is applied, since
+clearly the attempt was half-hearted and aborted.  Otherwise, the
+analyzer annotates the connection's @code{addl}
+field with @code{fail/@code{<}@emph{username}@code{>}} to mark the
+authentication failure, and also checks the @code{client_user} to
+see if it is sensitive.  If we then find that the connection is
+hot, the analyzer logs a message to that effect.
+
+@item @code{login_success (c: connection, user: string, client_user: string, password: string, line: string)}
+Invoked when the event engine has seen a successful attempt to authenticate.
+The parameters are the same as for @code{login_failure}.
+
+The analyzer invokes @code{check_hot} with mode @code{APPL_ESTABLISHED}
+since the application session has now been established.  It generates
+an @code{account_tried}
+event to facilitate detection of password guessing, and then checks for
+a sensitive username or password.  The event engine uses the special
+password @code{"@code{<}none@code{>}"} to indicate that no password
+was exposed, and this mitigates the sensitivity of logins using particular
+usernames per @code{rlogin_id_okay_if_no_password_exposed}.
+
+The analyzer annotates the connection's @code{addl}
+field with @code{"@code{<}@emph{username}@code{>}"} to mark the
+successful authentication.  Finally, if we then find that the connection
+is hot, the analyzer logs a message to that effect.
+
+@item @code{login_input_line (c: connection, line: string)}
+Invoked for every line of text sent by the client side of the login
+session to the server side.  The analyzer matches the text against
+@code{input_trouble} and @code{edited_input_trouble} and invokes
+@code{hot_login} with a tag of @code{"trb"} if it sees a match,
+which will log a notice concerning the connection.  However, this
+invocation is only done while the connection's @code{hot}
+field count is <= 2, to avoid cascaded notices when an attacker gets
+really busy and steps on a lot of sensitive patterns.
+
+@item @code{login_output_line (c: connection, line: string)}
+Invoked for every line of text sent by the server side of the login
+session to the client side.  The analyzer checks @code{backdoor_prompts}
+ and any pending input notices that
+were waiting on the server output, per @code{edited_input_trouble}.
+These last are then logged unless the output matched the pattern:
+@example
+    /No such file or directory/
+@end example
+
+@emph{Deficiency: Clearly, this pattern should not be hardwired but instead specified by a redefinable variable. }
+
+Finally, if the line is not too long and the text matches @code{output_trouble}
+and the connection's @code{hot}
+field count is <= 2 (to avoid cascaded notices), the analyzer
+invokes @code{hot_login}  with a tag of @code{"trb"}.
+@emph{Deficiency: ``Too long'' is hardwired to be a length $\ge 256$ bytes. It, too, should be specifiable via a redefinable variable. } 
+Note: We might
+wonder if not checking overly long lines presents an evasion threat: the
+attacker can bury their access to a sensitive string in an excessive line
+and thus avoid detection.  While this is true, it doesn't appear to cost
+much.  First, some of the sensitive patterns are generated in server output
+that will be hard to manipulate into being overly long.  Second, if the
+attacker is trying to avoid detection, there are easier ways, such as
+passing their output through a filter that alters it a good deal. 
+
+@item @code{login_confused (c: connection, msg: string, line: string)}
+Invoked when the event engine's heuristics have concluded that they
+have become confused and can no longer correctly track the authentication
+dialog (See: @ref{login analyzer confusion}).
+@code{msg} gives the particular problem the heuristics detected
+(for example, @code{multiple_login_prompts} means that the engine saw
+several login prompts in a row, without the type-ahead from the client side
+presumed necessary to cause them) and @code{line} the line of text that
+caused the heuristics to conclude they were confused.
+
+Once declaring that it's confused, the event engine will no longer attempt
+to follow the authentication dialog.  In particular, it will @emph{not}
+generate subsequent @code{login_failure} or @code{login_success} events.
+
+Upon this event, the standard
+@code{login} script invokes @code{check_hot} with
+mode @code{APPL_ESTABLISHED} since it could well be that the application
+session is now established (it can't know for sure, of course, because
+the event engine has given up).  It annotates the connection's
+ @code{addl} field with
+@code{confused}@code{<}@emph{line}@code{>} to mark the confused state,
+and then logs to the @file{weird} file the particulars of the
+connection and the type of confusion (@code{msg}).  @emph{Deficiency: This should be done by generating a @emph{weird}-related event instead. }
+
+Finally, the analyzer invokes @code{set_record_packets} to specify
+that all of the packets associated with this connection should be recorded
+to the @file{trace} file.
+@emph{Note: For the current @code{login} analyzer, this call is not needed---it
+records every packet of every login session anyway, because the generally
+philosophy is that Bro should record whatever it analyzes, so that the
+analysis may be repeated or examined in detail.  Since the current analyzer
+looks at every input and output line via @code{login_input} and @code{login_output}, it records all of the packets of every such analyzed session.
+There is commented-out text in @code{login_success} to be used if
+@code{login_input} and @code{login_output} are not being used; it turns
+off recording of a session's packets after the user has successfully logged
+in (assuming the connection is not considered hot).} 
+
+@item @code{login_confused_text (c: connection, line: string)}
+Invoked for every line the user types after the event engine has 
+entered the @emph{confused} state.  If the connection is not already
+considered hot, then the analyzer checks for the presence of sensitive
+usernames in the line using @code{edit_and_check_line}, and, if
+present, annotates the connection's @code{addl} field
+with 
+@code{confused}@code{<}@emph{line}@code{>}, logs that the connection
+has become hot, and invokes @code{set_record_packets} to record
+to the @file{trace} file all of the packets associated with the connection.
+
+@item @code{login_terminal (c: connection, terminal: string)}
+Invoked when the client transmits a terminal type to the server.
+The mechanism by which the client transmits the type depends on the
+underlying protocol (Rlogin or Telnet).
+
+The handler checks the terminal type against @code{hot_terminal_types}
+and if it finds a match invokes @code{hot_login} with a tag of
+@code{"trb"}.
+
+@cindex tunneling
+@cindex evasion, using tunneling
+@cindex Napster, tunneled over Telnet or Rlogin
+@cindex excessively long lines
+@item @code{excessive_line (c: connection)}
+Invoked when the event engine observes a very long line sent by either
+the client or the server.  Such long lines are seen as potential attempts
+by an attacker to evade the @code{login} analyzer; or, possibly, as
+a Login session carrying an unusual application.  @emph{Note: One example
+we have observed occurs when a high-bandwidth binary payload protocol such
+as Napster is sent over the Telnet or Rlogin well-known port in an
+attempt to either evade detection or tunnel through a firewall.}
+
+@cindex Network Virtual Terminal (NVT)
+@cindex NVT (Network Virtual Terminal)
+This event is actually generic to any TCP connection carrying
+an application that uses the ``Network Virtual Terminal'' (NVT) abstraction,
+which presently comprises Telnet and FTP.  But the only handler defined
+in the demonstration Bro policy is for Telnet, hence we discuss it here.
+For this reason, the handler first invokes @code{is_login_conn}
+to check whether the connection is in fact a login session.  If so, then
+if the connection is not hot, and if the analyzer finds the server
+listed in @code{non_ACSII_HOSTS}, then it presumes the long line
+is due to use of a non-ASCII character set; the analyzer invokes
+@code{set_login_state} and @code{set_record_packets} to avoid
+further analysis or recording of the connection.
+
+Otherwise, if the connection is still in the authentication dialog, then
+the handler generates a  event with a
+confusion-type of @code{"excessive_line"}, and changes the connection's
+state to @emph{confused}.
+
+@emph{Deficiency: The event engine is currently hardwired to consider a line of >= 1024 bytes as ``excessive''; clearly this should be user-redefinable. }
+
+@cindex NVT options, inconsistent
+@cindex Telnet, options, inconsistent
+@item @code{inconsistent_option (c: connection)}
+NVT options are specified by the client and server stating which options
+they are willing to support vs. which they are not, 
+and then instructing one another
+which in fact they should or should not use for the current connection.
+If the event engine sees a peer violate either what the other peer has
+instructed it to do, or what it itself offered in terms of options in 
+the past, then the engine generates an @code{inconsistent_option} event.
+
+The handler for this event simply records an entry about it to the
+ file.  @emph{Deficiency: The event handler invocation does not include enough information to determine what option was inconsistently specified; in addition, it would be convenient to integrate the handling of problems like this within the general ``weird'' framework. }
+
+Note: As for @code{excessive_line} above, this event is actually a
+generic one applicable to any NVT-based protocol.  It is handled here
+because the problem most often crops up for Telnet sessions. 
+Note: Also, the handler does not check to see whether the connection
+is a login session (as it does for @code{excessive_line}); it serves
+as the handler for any NVT session with an excessive line. 
+
+Note: Finally, note that this event can be generated if the session
+contains a stream of binary data.  One way this can occur is when
+the session is encrypted but Bro fails to recognize this fact. 
+@cindex encryption, leading to ``excessive lines''
+
+@cindex NVT options, bad
+@cindex Telnet, options, bad
+@item @code{bad_option (c: connection)}
+If an NVT option is either ill-formed (e.g., a bad length field) or
+unrecognized, then the analyzer generates this event.
+
+The processing of this event (recording information to the 
+file) and the various notes and deficiencies associated with it are
+the same as those for @code{inconsistent_option} above.
+
+@cindex NVT options, bad termination
+@cindex Telnet, options, bad termination
+@item @code{bad_option_termination (c: connection)}
+If an NVT option fails to be terminated correctly (for example,
+a character is seen within the option that is disallowed for use
+in the option), then the analyzer generates this event.
+
+The processing of this event (recording information to the 
+file) and the various notes and deficiencies associated with it are
+the same as those for @code{inconsistent_option} above.
+
+@cindex NVT options, authentication
+@cindex Telnet, options, authentication
+@cindex authentication, accepted
+@item @code{authentication_accepted (name: string, c: connection)}
+The NVT framework includes options for negotiating authentication.
+When such an option is sent from client to server and the server
+replies that it accepts the authentication, then the event engine
+generates this event.
+
+The handler annotates the connection's @code{addl} field
+with 
+@code{auth}@code{<}@emph{name}@code{>}, 
+unless that annotation is already present.
+
+@cindex NVT options, authentication
+@cindex Telnet, options, authentication
+@cindex authentication, rejected
+@item @code{authentication_rejected (name: string, c: connection)}
+The same as @code{authentication_accepted}, except invoked when the
+server replies that it rejects the attempted authentication.
+
+The handler annotates the connection's @code{addl} field
+with @code{auth-failed}@code{<}@emph{name}@code{>}.
+
+@cindex authentication, skipped
+@item @code{authentication_skipped (c: connection)}
+Invoked when the event engine sees a line in the authentication dialog
+that matches .
+
+The handler annotates the connection's @code{addl} field
+with `` @code{skipped}''
+to mark that authentication was skipped,
+and then invokes @code{skip_further_processing} and (unless the
+connection is hot) @code{set_record_packets} to skip any further
+analysis of the connection, and to stop recording its packets to
+the @file{trace} file.
+
+@item @code{connection_established (c: connection)}
+@code{connection_established} is a generic
+event generated for all TCP connections; however, the @code{login} analyzer
+defines an additional handler for it.
+
+The handler first checks (via @code{is_login_conn}) whether this is a Telnet
+or Rlogin connection.  If so, it generates an @code{authentication_skipped}
+ event if the server's address occurs
+in @code{skip_logins_to}, and also (for Telnet) checks whether the
+client's port occurs in @code{hot_telnet_orig_ports}, invoking @code{hot_login}
+ with the tag @code{"orig"} if it does.
+
+For SSH connections, it likewise checks the client's port, but
+in @code{hot_ssh_orig_ports}, marking the connection as hot and
+logging a real-time notice if it is.
+
+@item @code{partial_connection (c: connection)}
+As noted earlier, @code{partial_connection} is a generic
+event generated for all TCP connections.  The @code{login} analyzer
+also defines a handler for it, one which (if it's a Telnet/Rlogin
+connection) sets the connection's state to @emph{confused} and
+checks for @code{hot_telnet_orig_ports}.
+
+@cindex NVT options, encryption
+@cindex Telnet, options, encryption
+@cindex encrypted login sessions
+@item @code{activating_encryption (c: connection)}
+The NVT framework includes options for negotiating encryption.  When such
+a series of options is successfully negotiated, the event engine generates
+this event.  @emph{Note: The negotiation sequence is complex and can fail at a number of points.  The event engine does not attempt to generate events for each possible failure, but instead only looks for the option sent after a successful negotiation sequence. }
+
+The handler annotates the connection's @code{addl} field
+with ``@code{(encrypted)}'' to mark that authentication was encrypted.
+@emph{Note: The event engine itself marks the connection as requiring no further processing.  This is done by the event engine rather than the handler because the event engine cannot do its job (regardless of the policy the handler might desire) in the face of encryption. }
+
+@end table
+
+@cindex analyzers, login, event handlers
+
+@node pop3 Analyzer,
+@section The @code{pop3} Analyzer
+The @code{pop3} analyzer does a protocol analysis of the Post Office
+Protocol - Version 3.
+
+When Bro runs with the pop3 Analyzer, it processes all packets with
+destination port 110/tcp, generating a log file @code{pop3.log}. Each line
+contains a timestamp, a connection ID, the originator and responder IP
+addresses, and the message sent. The message consists of the command and
+arguments on client side, and the status on server side.
+
+@menu
+* pop3 pop3_session_info record::	
+* pop3 variables::		
+* pop3 event handlers::	
+@end menu
+
+@node pop3 pop3_session_info record,
+@subsection The @code{pop3_session_info} record
+
+@cindex pop3, session information
+
+The @code{pop3} analyzer maintains a @code{pop3_session_info} record per
+@code{pop3} connection:
+
+@example
+type pop3_session_info: record @{
+    id: count;              # Unique session ID.
+    quit_sent: bool;        # Client issued a QUIT.
+    last_command: string;   # Last command of client.
+@};
+@end example
+
+The corresponding fields are:
+
+@table @samp
+@item @code{id}
+The unique session identifier assigned to this session.  Sessions
+are numbered starting at @code{1} and incremented with each new session.
+
+@item @code{quit_sent}
+True if the client has sent a QUIT command.
+
+@item @code{last_command}
+Last command issued by the client.
+
+@end table
+
+@node pop3 variables,
+@subsection @code{pop3} variables 
+@table @samp
+@item @code{pop_connections: table[conn_id] of pop3_session_info}
+This table contains all active POP3-sessions indexed by their Connection IDs.
+As soon as the TCP Connection terminates or expires, they are deleted.
+@item @code{pop_connection_weirds: table[addr] of count &default=0 &create_expire = 5 mins}
+This table contains all the POP3-session originators for which unexpected behavior was recorded.
+@item @code{error_threshold: count = 3}
+This variable contains a threshold for the maximum number of negative status
+indicators per originator received from a server. It is used for recognizing
+potential abuses, e.g., trial and error password guessing attacks.
+@item @code{ignore_commands: set[string] }
+Set of commands to ignore while generating the log file. 
+@end table
+
+@node pop3 event handlers,
+@subsection @code{pop3} event handlers 
+@table @samp
+@item @code{pop3_request(c: connection, is_orig: bool, command: string, arg: string)}
+Generated for each valid command sent from the client
+to the server.
+@item @code{pop3_reply(c: connection, is_orig: bool, cmd: string, msg: string) }
+Generated for each server reply containing a valid status indicator.
+@item @code{pop3_data(c: connection, is_orig: bool, data: string) }
+Generated for every data line sent by the server as a reply to the client,
+including commands that yield multi-line answers.
+@item @code{pop3_unexpected(c: connection, is_orig: bool, msg: string, detail: string) }
+Generated when something semantically unexpected has happened.	
+@item @code{pop3_login_success(c: connection, is_orig: bool, user: string, password: string)}
+Generated when a user authenticates successfully.
+The password may be empty if it has not been observed.
+@item @code{pop3_login_failure(c: connection, is_orig: bool, user: string, password: string)}
+Generated when a user fails to authenticate correctly. 
+@end table
+
+@node portmapper Analyzer,
+@section The @code{portmapper} Analyzer
+@cindex remote procedure call (RPC)
+@cindex RPC (Remote Procedure Call)
+The @code{portmapper} analyzer monitors one particularly
+important form of remote procedure call (RPC) [RFC-1831, RFC-1832] 
+traffic: the portmapper service, used to map between RPC program (and
+version) numbers and the TCP or UDP port on which the service runs for a
+particular host.  For example, @emph{rstatd} is an RPC service that provides
+``remote host status monitoring'' so that a set of hosts can be informed
+when any of them reboots.  @emph{rstatd} has been assigned a standard
+RPC program number of 100002.  To find out the corresponding TCP or UDP
+port on a given host, a remote host would usually first contact the
+portmapper RPC service running on the host and request the port
+corresponding to program 100002.
+
+@float Table, Calls to RPC portmapper service
+@multitable  @columnfractions .15 .55
+@item @strong{Call} @tab @strong{Meaning}
+@item NULL 
+@tab A do-nothing call typically provided by all RPC services.
+@item GETPORT 
+@tab Look up the port associated with a given RPC program.
+@item SET 
+@tab Add a new port mapping (or replace an existing mapping) for an RPC program.
+@item UNSET 
+@tab Remove a port mapping.
+@item DUMP 
+@tab Retrieve all of the RPC program mappings.
+@item CALLIT 
+@tab Both look up a program and then directly call it.
+@end multitable
+@caption{Types of calls to the RPC portmapper service}
+@end float
+
+All in all, clients can make six different types of calls to the portmapper,
+as summarized in the above table.
+Attackers often use
+GETPORT and DUMP to see whether a host may be running an RPC service
+vulnerable to a known exploit.
+
+The analyzer uses a capture filter of ``@code{port 111}'' (See: @ref{Filtering}),
+equivalent to ``@code{tcp port 111 or udp port 111}'' (since the portmapper
+service ordinarily accepts calls using either TCP or UDP, both on port 111).
+It checks the different types of portmapper calls against policies
+expressed using a number of different variables.
+
+@emph{Note:  An important point not to overlook is that an attacker does @emph{not} have to first call the portmapper service in order to call an RPC program.  They might instead happen to know the port on which the service runs @emph{a priori}, since for example it may generally run on the same port for a particular operating system; or they might scan the host's different TCP or UDP ports directly looking for a reply from the service.  Thus, while portmapper monitoring proves very useful in detecting attacks, it does @emph{not} provide comprehensive monitoring of attempts to exploit RPC services. }
+
+@menu
+* portmapper variables::	
+* portmapper functions::	
+* portmapper event handlers::	
+@end menu
+
+@node portmapper variables,
+@subsection @code{portmapper} variables
+
+@cindex analyzers, portmapper, variables
+
+The standard script provides the following redefinable variables:
+
+@table @samp
+@item @code{rpc_programs : table[count] of string}
+Maps RPC program numbers to a string used to name the service.
+For example, the @code{[100002]} entry is mapped to @code{"rstatd"}.
+
+Default: a large list of RPC services.
+
+@cindex NFS (Network File System)
+@cindex Network File System (NFS)
+@item @code{NFS_services : set of string}
+Lists the names of those RPC services that correspond to
+Network File System (NFS) [RFC-1094, RFC-1813] services.  This
+variable is provided because it is convenient to express policies
+specific to accessing NFS file systems.
+
+Default: the services @emph{mountd}, @emph{nfs}, @emph{pcnfsd},
+@emph{nlockmgr}, @emph{rquotad}, @emph{status}.
+
+@emph{Deficiency: Bro's notion of NFS is currently confined to just knowledge of the existence of these services.  It does not analyze the particulars of different NFS operations. }
+
+@item @code{RPC_okay : set[addr, addr, string]}
+Indexed by the host providing a given service and then by the host
+accessing the service.  If an entry is present, it means that the 
+given access is allowed.  For example, an entry of:
+@example
+    [1.2.3.4, 5.6.7.8, "rstatd"]
+@end example
+
+means that host @code{5.6.7.8} is allowed to access the @emph{rstatd}
+service on host @code{1.2.3.4}.
+
+Default: empty.
+
+@item @code{RPC_okay_nets : set[net]}
+A set of networks allowed to make GETPORT requests without complaint.
+The notion behind providing this variable is that the listed
+networks are trusted.  However, the trust doesn't extend beyond
+GETPORT to other portmapper requests, because GETPORT is the only
+portmapper operation used routinely by a set of hosts trusted by
+another set of hosts (but that don't belong to the same group, and hence
+are not issuing SET and UNSET calls).
+
+Default: empty.
+
+@cindex walld
+@item @code{RPC_okay_services : set[string]}
+A set of services for which GETPORT requests should not generate
+complaints.  These might be services that are widely invoked and
+believed exploit-free, such as @emph{walld}, though care should
+be taken with blithely assuming that a given service is indeed
+exploit-free.
+
+Note that, like for @code{RPC_okay_nets}, the trust does not
+extend beyond GETPORT, because it should be the only portmapper
+operation routinely invoked.
+
+Default: empty.
+
+@item @code{NFS_world_servers : set[addr]}
+A set of hosts that provide public access to an NFS file system,
+and thus should not have any of their NFS traffic flagged as
+possibly sensitive.  (The presumption here is that such public
+servers have been carefully secured against any remote NFS operations.)
+An example of such a server might be one providing read-only
+access to a public database.
+
+Default: empty.
+
+@item @code{RPC_dump_okay : set[addr, addr]}
+Indexed first by the host requesting a portmapper dump, and second
+by the host from which it's requesting the dump.  If an entry is
+present, then the dump operation is not flagged.
+
+Default: empty.
+
+@item @code{any_RPC_okay : set[addr, string]}
+Pairs of hosts and services for which any GETPORT access to the given
+service is allowed.
+
+@cindex ypserv
+@item @code{sun-rpc.mcast.net}
+@cindex RPC (Remote Procedure Call), reserved multicast address
+Default:
+@example
+    [NFS_world_servers, NFS_services],
+    [sun-rpc.mcast.net, "ypserv"]
+@end example
+
+The first of these allows access to any NFS service of any of the
+@code{NFS_world_servers}, using Bro's cross-product initialization
+feature (See @ref{Initializing Tables}).  The second allows @emph{ypserv}
+requests to the multicast address reserved for RPC multicasts.@footnote{ I don't know how much this type of access is actually used in practice, but experience shows that requests for @emph{ypserv} directed to that address pop up not infrequently. }
+
+@cindex walld
+@item @code{suppress_pm_log : table[addr, string] of bool}
+Do not generate real-time notices for access by the given address
+for the given service.  Note that unlike most Bro policy variables,
+this one is not @code{const} but is modified at run-time to add
+to it any host that invokes the @emph{walld} RPC service, so that
+such access is only reported once for each host.
+
+Default: empty, but dynamic as discussed above.
+
+@end table
+
+@cindex analyzers, portmapper, variables
+
+@node portmapper functions,
+@subsection @code{portmapper} functions
+
+@cindex analyzers, portmapper, functions
+
+The standard script provides the following externally accessible functions:
+
+@table @samp
+@item @code{rpc_prog (p: count): string }
+Returns the name of the RPC program with the given number,
+if it's present in ; otherwise returns
+the text @code{"unknown-@code{<}@emph{p}@code{>}"}.
+
+@item @code{pm_check_getport (r: connection, prog: string): bool }
+Checks a GETPORT request for the given program against the policy expressed
+by @code{RPC_okay_services}, @code{any_RPC_okay}, 
+@code{RPC_okay}, and @code{RPC_okay_nets},
+returning true if the request violates policy, false if it's allowed.
+
+@item @code{pm_activity (r: connection, log_it: bool) }
+A bookkeeping function invoked when there's been portmapper activity 
+on the given connection.
+
+The function records the connection via ,
+unless it is a TCP connection (which will instead be recorded by
+@code{connection_finished}).  If @code{log_it} is true then the
+function generates a real-time notice of the form:
+@quotation
+rpc:
+@code{<}@emph{connection-id}@code{>}
+@code{<}@emph{RPC-service}@code{>}
+@code{<}@emph{r$addl}@code{>}
+@end quotation
+For example:
+@example
+    972616255.679799 rpc: 65.174.102.21/832 > 
+	182.7.9.47/portmapper pm_getport: nfs -> 2049/udp
+@end example
+
+However, it does not generate the notice if either the client host and
+service are present in @code{suppress_pm_log}, or if it already generated
+a notice in the past for the same client, server and service (to prevent
+notice cascades).
+
+@item @code{pm_request (r: connection, proc: string, addl: string, log_it: bool) }
+Invoked when the given connection has made a portmapper request of some
+sort for the given RPC procedure @code{proc}.  @code{addl} gives an
+annotation to add to the connection's @code{addl} field.
+If @code{log_it} is true, then connection should be logged; it will also
+be logged if the function determines that it is hot.
+
+The function first invokes @code{check_scan} and @code{scan_hot}
+(with a mode of @code{CONN_ESTABLISHED}),
+unless @code{r} is a TCP connection, in which case these checks have already
+been made by @code{connection_established}.  The function then adds
+@code{addl} to the connection's @code{addl} field, though if the field's
+length already exceeds 80 bytes, then it just tacks on @code{"..."}
+(unless already present).  This last is necessary because Bro will sometimes
+see zillions of successive portmapper requests that all use the same
+connection ID, and these will each add to @code{addl} until it
+becomes unwieldy in size.  @emph{Deficiency: Clearly, the byte limit of 80 should be adjustable. }
+
+Finally, the function invokes @code{check_hot} with a mode
+of @code{CONN_FINISHED}, and @code{pm_activity} to finish up
+bookkeeping for the connection.
+
+No return value.
+
+@item @code{pm_attempt (r: connection, proc: string, status: count, addl: string, log_it: bool) }
+Invoked when the given connection attempted to make a portmapper request
+of some sort, but the request failed or went unanswered.  The arguments
+are the same as for @code{pm_request}, with the addition of
+@code{status}, which gives the RPC status code corresponding to why the
+attempt failed (see below).
+
+The function first invokes @code{check_scan} and @code{check_hot}
+(with a mode of @code{CONN_ATTEMPTED}),
+unless @code{r} is a TCP connection, in which case these checks have already
+been made by @code{connection_attempt}.
+
+The function then adds
+@code{addl} to the connection's @code{addl} field, along with
+a text description of the RPC status code, as given in
+the Table below.
+
+No return value.
+
+@float Table, RPC status codes
+@multitable  @columnfractions .2 .7
+@item @strong{Status description} @tab @strong{Meaning}
+@item "ok" 
+@tab The call succeeded.
+@item "prog unavail" 
+@tab The call was for an RPC program that has not registered with the portmapper.
+@item "mismatch" 
+@tab The call was for a version of the RPC program that has not registered with the portmapper.
+@item "garbage args" 
+@tab The parameters in the call did not decode correctly.
+@item "system err" 
+@tab A system error (such as out-of-memory) occurred when processing the call.
+@item "timeout" 
+@tab No reply was received within 24 seconds of the request.
+@item "auth error" 
+@tab The caller failed to authenticate to the server, or was not authorized to make the call.
+@item "unknown" 
+@tab An unknown error occurred.
+@end multitable 
+@caption{Types of RPC status codes}
+@end float 
+
+@end table
+
+@cindex analyzers, portmapper, functions
+
+@node portmapper event handlers,
+@subsection @code{portmapper} event handlers
+
+@cindex analyzers, portmapper, event handlers
+
+The standard script handles the following events:
+
+@table @samp
+@item @code{pm_request_null (r: connection)}
+Invoked upon a successful portmapper request for the ``null'' procedure.
+The script invokes @code{pm_request} with @code{log_it=F}.
+
+@item @code{pm_request_set (r: connection, m: pm_mapping, success: bool)}
+Invoked upon a nominally successful portmapper request to set the portmapper
+binding @code{m}.  The script invokes @code{pm_request} with @code{log_it=T}.
+@code{success} is true if the server honored the request, false otherwise;
+the script turns this into an annotation of @code{"ok"} or @code{"failed"}.
+
+The @code{pm_mapping} type (for @code{m}) has three fields,
+@code{program: count}, @code{version: count} and @code{p: port}, the
+port for the mapping of the given program and version.
+@code{pm_mapping}
+
+@item @code{pm_request_unset (r: connection, m: pm_mapping, success: bool)}
+Invoked upon a nominally successful portmapper request to remove a portmapper
+binding.  The script invokes @code{pm_request} with @code{log_it=T}.
+@code{success} is true if the server honored the request, false otherwise;
+the script turns this into an annotation of @code{"ok"} or @code{"failed"}.
+
+@item @code{pm_request_getport (r: connection, pr: pm_port_request, p: port)}
+Invoked upon a successful portmapper request to look up a portmapper
+binding.  @code{pr}, of type
+@code{pm_port_request}, has three fields:
+@code{program: count}, @code{version: count}, and @code{is_tcp: bool},
+this last indicating whether the caller is request the TCP or UDP
+port, if the given program/version has mappings for both.
+The script invokes @code{pm_request} with @code{log_it} set
+according to the return value of 
+and an annotation of the mapping.
+
+@item @code{pm_request_dump (r: connection, m: pm_mappings)}
+Invoked upon a successful portmapper request to dump the portmapper
+bindings.  The script invokes @code{pm_request} with @code{log_it=T}
+unless  indicates that the dump call is allowed.
+The script ignores @code{m}, which gives the mappings as a
+@code{table[count] of pm_mapping}, where the table index simply reflects
+the order in which the mappings were returned, starting with an index
+of 1.  @emph{Deficiency: What the script @emph{should} do, instead, is keep track of the mappings so that Bro can identify the service associated with connections for otherwise unknown ports. }
+
+@cindex walld
+@item @code{pm_request_callit (r: connection, pm_callit_request, p: port)}
+Invoked upon a successful portmapper request to look up and call
+an RPC procedure.  The script invokes @code{pm_request} with @code{log_it=T}
+unless the combination of the caller and the
+program are in @code{suppress_pm_log}.  Finally, if the program
+called is @emph{walld}, then the script adds the caller to @code{suppress_pm_log}.
+
+The @code{pm_callit_request} type has four fields:
+@code{pm_callit_request}
+@code{program: count}, @code{version: count}, @code{proc: count}, and
+@code{arg_size: count}.  These reflect the procedure being looked up and
+called, and the size of the arguments being passed to it, respectively.
+@emph{Deficiency: Currently, the event engine does not do any analysis or refinement of the arguments passed to the procedure (such as making them available to the event handler) or the return value.}  @code{p} is
+the port value returned by the call.
+
+@item @code{pm_attempt_null (r: connection, status: count)}
+Invoked upon a failed portmapper request for the ``null'' procedure.
+@code{status} gives the reason for the failure.
+The script invokes @code{pm_attempt} with @code{log_it=T}.
+
+@item @code{pm_attempt_set (r: connection, status: count, m: pm_mapping)}
+Invoked upon a failed portmapper request to set the portmapper
+binding @code{m}.  The script invokes @code{pm_attempt} with @code{log_it=T}.
+
+@item @code{pm_attempt_unset (r: connection, status: count, m: pm_mapping)}
+Invoked upon a failed portmapper request to remove a portmapper
+binding.  The script invokes @code{pm_attempt} with @code{log_it=T}.
+
+@item @code{pm_attempt_getport (r: connection, status: count, pr: pm_port_request)}
+Invoked upon a failed portmapper request to look up a portmapper
+binding.  @code{pr}, of type @code{pm_port_request}, has three fields:
+@code{program: count}, @code{version: count}, and @code{is_tcp: bool},
+this last indicating whether the caller requested the TCP or UDP port.
+The script invokes @code{pm_attempt} with @code{log_it} set
+according to the return value of @code{pm_check_get_port}.
+
+@item @code{pm_attempt_dump (r: connection, status: count)}
+Invoked upon a failed portmapper request to dump the portmapper
+bindings.  The script invokes @code{pm_attempt} with @code{log_it=T}
+unless @code{RPC_dump_okay} indicates that the dump call is allowed.
+
+@cindex walld
+@item @code{pm_attempt_callit (r: connection, status: count, pm_callit_request)}
+Invoked upon a failed portmapper request to look up and call
+an RPC procedure.  The script invokes @code{pm_attempt} with @code{log_it=T}
+unless the combination of the caller and the
+program are in @code{suppress_pm_log}.  Finally, if the program
+called is @emph{walld}, then the script adds the caller to
+@code{suppress_pm_log}.
+
+@item @code{pm_bad_port (r: connection, bad_p: count)}
+Invoked when a portmapper request or response includes an invalid
+port number.  Since ports are represented by unsigned 4-byte integers,
+they can stray outside the allowed range of 0--65535 by being >= 65536.
+The script invokes @code{conn_weird_log} with a @emph{weird tag}
+of @code{"bad_pm_port"}.
+
+@end table
+
+@cindex analyzers, portmapper, event handlers
+
+@cindex analyzers, application-specific
+
+@node analy Analyzer,
+@section The @code{analy} Analyzer
+@cindex statistical analysis
+@cindex connection, analysis
+The @code{analy} analyzer provides a limited mechanism to
+use Bro to do statistical analysis on TCP connections.  Its primary
+purpose is to demonstrate that Bro has applications to network
+traffic analysis beyond intrusion detection.  It defines one
+event handler:
+
+@table @samp
+@item @code{conn_stats c: connection, os: endpoint_stats, rs: endpoint_stats}
+Invoked for each connection when it terminates (for whatever reason).
+@code{os} and @code{rs} are the statistics for the originator endpoint and
+the responder endpoint, respectively; the table below 
+gives the different record fields.
+
+@end table
+
+@code{endpoint_stats} fields for summarizing connection endpoint statistics, 
+all of type @code{count}.
+
+@float Table, endpoint_stats fields 
+@multitable  @columnfractions .2 .75
+@item @strong{Field} @tab @strong{Meaning}
+@item num_pkts 
+@tab The number of packets sent by the endpoint, as seen by the monitor. The endpoint may
+have sent others that the network dropped upstream from the monitor.
+@item num_rxmit 
+@tab The number of packets retransmitted by the endpoint, as seen by the monitor.
+@item num_rxmit_bytes 
+@tab The number of bytes retransmitted by the endpoint.
+@item num_in_order 
+@tab The number of packets sent by the endpoint that arrived at the monitor in order, where "in
+order" means in the same order as sent by the endpoint, rather than in sequence number.
+(Thus, a retransmission can arrive in order, by this definition.) Bro determines if the packet
+arrived in order by applying heuristics to the IP identification (ID) field, which in general
+will increase by a small amount between successive packets transmitted by an endpoint.
+@item num_OO 
+@tab The number of packets sent by the endpoint that arrived at the monitor out of order. See the
+previous entry for the definition of "in order", and hence "out of order".
+@item num_repl 
+@tab The number of extra copies of packets sent by the endpoint that arrived at the monitor. Bro
+considers a packet replicated if its IP ID field is the same as for the previous packet it saw
+from the endpoint. Using this definition, a replication is most likely caused by a network
+mechanism such as duplication of a packet by a router, rather than a transport mechanism
+such as retransmission, though some TCPs fully reuse packets when retransmitting them,
+including their IP ID field.
+@item endian_type 
+@tab Whether the advance of the IP ID field as seen by the monitor was consistent with bigendian
+(network order) addition, little-endian, or undetermined. The three values are represented
+by the Bro constants ENDIAN_BIG, ENDIAN_LITTLE, and ENDIAN_UNKNOWN.
+In addition, the value can be ENDIAN_CONFUSED, meaning that the monitor saw conflicting
+evidence for little- and big-endian.
+@end multitable
+@caption{@code{endpoint_stats} fields for summarizing connection endpoint statistics, all of type @code{count}}
+@end float
+
+
+@node signature Analysis Script,
+@section The @code{signature} Analysis Script
+
+@cindex signature analysis
+@cindex exploit scans
+@cindex scans, exploit
+@cindex horizontal exploit scans
+@cindex vertical exploit scans
+The @code{signature} module analyzes @emph{signature matches} 
+(see @ref{Signatures}).
+For each signature, you can specify one of the actions
+defined in Table 7.2.
+In addition, the module identifies two types of @emph{exploit scans}:
+@emph{horizontal} (a host triggers a signature for multiple destinations) and
+@emph{vertical} (a host triggers multiple signature for the same destination).
+
+@cindex signatures, log file
+@cindex log file, signatures
+
+The module handles one event:
+
+@table @samp
+@item @code{signature_match (state: signature_state, msg: string, data: string)}
+Invoked upon a match of a signature which contains an @code{event} action (See @ref{Actions}).
+@end table
+
+It provides the following redefinable variables:
+
+@table @samp
+@item @code{sig_actions : table[string] of count}
+Maps signature IDs to actions as defined in the table below.
+
+@float Table, signature actions
+@multitable  @columnfractions .2 .6
+@item @strong{Action} @tab @strong{Meaning}
+@item SIG_IGNORE @tab Ignore the signature completely.
+@item SIG_QUIET @tab Process for scan detection but don't report individually.
+@item SIG_FILE @tab Write matches to signatures-log
+@item SIG_FILE_BUT_NOT_SCAN @tab Same, but ignore for scan processing
+@item SIG_ALARM @tab Alarm and write to signatures, notice, and alarm files
+@item SIG_ALARM_ONCE @tab Same, but only for the first instance
+@item SIG_ALARM_PER_ORIG @tab Same, but once per originator
+@item SIG_ALARM_NO_WORM @tab Same, but ignore if generated by known worm-source
+@item SIG_COUNT_PER_RESP @tab Count per destination and alarm if threshold reached
+@item SIG_SUMMARY @tab Don't alarm, but generate per-originator summary
+@end multitable
+@caption{Possible actions to take for signatures matches}
+@end float
+
+Default: @code{SIG_FILE}.
+
+@item @code{horiz_scan_thresholds : set[count]} 
+Generate a notice whenever a remote host triggers a signature for
+the given number of hosts.
+
+Default: @code{@{ 5, 10, 50, 100, 500, 1000@} }
+
+@item @code{vert_scan_thresholds : set[count]} 
+Generate a notice whenever a remote host triggers the
+given number of signatures for the same destination.
+
+Default: @code{@{ 5, 10, 50, 100, 500, 1000@} }
+
+@end table
+
+The module defines one function for external use:
+
+@table @samp
+@item @code{has_signature_matched (id: string, orig: addr, resp: addr): bool}
+Returns true if the given signature has already matched for the 
+(originator,responder) pair.
+@end table
+
+@node SSL Analyzer,
+@section The @code{SSL} Analyzer
+
+@cindex SSL, analysis
+The @code{SSL} analyzer processes traffic associated with the SSL
+(Secure Socket Layer) protocol versions 2.0, 3.0 
+and 3.1.  SSL version 3.1 is also known as TLS (Transport
+Layer Security) version 1.0 since from that version onward the IETF has taken
+responsibility for further development of SSL.
+
+Bro instantiates an @code{SSL} analyzer for any connection with service
+ports @code{443/tcp (https), 563/tcp (nntps), 585/tcp (imap4-ssl), 614/tcp (sshell), 636/tcp (ldaps), 989/tcp (ftps-data), 990/tcp (ftps), 992/tcp (telnets), 993/tcp (imaps), 994/tcp (ircs), 995/tcp (pop3s)}, providing
+you have loaded the @code{SSL} analyzer, or defined a handler for one of
+the SSL events.
+
+By default, the analyzer uses the above set of ports as a capture filter
+(See: @ref{Filtering}).  It currently checks the SSL handshake process for
+consistency, tries to verify seen certificates, generates several events,
+does connection logging, tries to detect security weaknesses, and produces
+simple statistics.  It is also able to store seen certificates on disk.
+However, it does no decryption, so analysis is limited to clear text SSL
+records. This means that analysis stops in the middle of the handshaking
+phase for SSLv2 and at the end of it for SSLv3.0/SSLv3.1 (TLS).  For this
+reason we have not implemented the SSL session caching mechanism (yet).
+
+The analyzer consists of the four files: @code{ssl.bro}, @code{ssl-ciphers.bro},
+@code{ssl-errors.bro},
+and @code{ssl-alerts.bro}, which are accessed by  @code{@@load} @code{ssl}.
+The analyzer writes to the @code{weird} and @code{ssl} log files.
+The first receives all non-conformant and ``weird'' activity, while
+the latter tracks the SSL handshaking phase.
+
+@menu
+* x509 record::			
+* ssl_connection_info record::	
+* SSL variables::		
+* SSL event handlers::		
+@end menu
+
+@node x509 record,
+@subsection The @code{x509} record
+
+@cindex SSL, x509
+
+This record is a very simplified structure for storing X.509 
+certificate information. It currently supports only the issuer and
+subject names.
+
+@example
+type x509: record @{
+    issuer:  string; # issuer name of the certificate
+    subject: string; # subject name of the certificate
+@};
+@end example
+
+@node ssl_connection_info record,
+@subsection The @code{ssl_connection_info} record
+
+@cindex SSL, connection information
+
+
+The main data structure managed by the @code{SSL} analyzer is
+a collection of @code{ssl_connection_info} records, where the
+record type is shown below.
+
+@example
+type ssl_connection_info: record @{
+id: count;                      # the log identifier number
+connection_id: conn_id;         # IP connection information
+version: count;                 # version associated with connection
+client_cert: x509;
+server_cert: x509;
+id_index: string;               # index for associated sessionID
+handshake_cipher: count;        # cipher suite client and server agreed upon
+@};
+@end example
+
+The corresponding fields are @emph{Fixme: the description here is out of date}:
+
+@table @samp
+@item @code{id}
+The unique connection identifier assigned to this connection.  Connections
+are numbered starting at @code{1} and incrementing with each new connection.
+
+@item @code{connection_id}
+The TCP connection which this SSL connection is based on.
+
+@item @code{version }
+The SSL version number for this connection. Possible values are
+@code{SSLv20}, for SSL version 2.0, @code{SSLv30} for version 3.0, and
+@code{SSLv31} for version 3.1.
+
+@item @code{client_cert }
+The information from the client certificate, if available.
+
+@item @code{server_cert }
+The information from the server certificate, if available.
+
+@item @code{id_index }
+Index into associated @code{SSL_sessionID_record} table.
+
+@item @code{handshake_cipher }
+The cipher suite client and server agreed upon.
+@emph{Note: For SSLv2 cached sessions, this is a placeholder (@code{0xABCD})}.
+
+@end table
+
+@node SSL variables,
+@subsection @code{SSL} variables
+
+@cindex analyzers, SSL, variables
+
+The standard script defines the following redefinable variables:
+
+@table @samp
+@item @code{ssl_compare_cipherspecs : bool}
+If true, remember the client and server cipher specs and perform additional
+tests.  This costs an extra amount of memory (normally only for a short
+time) but enables detection of non-intersecting cipher sets, for example.
+
+Default: @code{T}.
+
+@item @code{ssl_analyze_certificates : bool}
+If true, analyze certificates seen in SSL connections, which
+includes the following steps:
+@itemize @bullet
+@item 
+Generating a hash of the certificate and checking if we already
+saw it earlier from the current host. If so, we won't
+verify it, because we already did and verifying is a
+computational expensive process. If the certificate has
+changed for the current host, generate a weird event.
+
+@item 
+Verify the certificate.
+
+@item 
+Store of the certificate on disk in DER format.
+@end itemize
+
+Default: @code{T}.
+
+@item @code{ssl_store_certificates : bool}
+If certificates are analyzed, this variable determines they should be stored
+on disk.
+
+Default: @code{T}.
+
+@item @code{ssl_store_cert_path : string}
+Path where certificates are stored.
+If empty, use the current directory.
+@emph{Note: The path must not end with a slash!}
+
+Default: @code{"../certs"}.
+
+@item @code{ssl_verify_certificates : bool}
+If certificates are analyzed, whether to verify them.
+
+Default: @code{T}.
+
+@item @code{x509_trusted_cert_path : string}
+Path where OpenSSL looks for trusted certificates.
+If empty, use the default OpenSSL path.
+
+Default: @code{""}.
+
+@item @code{ssl_max_cipherspec_size : count}
+Maximum size in bytes for an SSL cipherspec.  If we see attempted use of
+larger cipherspecs, warn and skip comparing it.
+
+Default: @code{45}.
+
+@item @code{ssl_store_key_material : bool}
+If true, stores key material exchanged in the handshaking phase.
+@emph{Note: This is mainly for decryption purposes and currently useless.}
+
+Default: @code{T}.
+
+@float Figure, SSL example
+@example
+1046778101.534846 #1 192.168.0.98/32988 > 
+		213.61.126.124/https start
+1046778101.534846 #1 connection attempt version: 3.1
+1046778101.534846 #1 cipher suites: SSLv3x_RSA_WITH_RC4_128_MD5 (0x4), 
+	SSLv3x_RSA_FIPS_WITH_3DES_EDE_CBC_SHA (0xFEFF), 
+	SSLv3x_RSA_WITH_3DES_EDE_CBC_SHA (0xA), 
+	SSLv3x_RSA_FIPS_WITH_DES_CBC_SHA (0xFEFE), 
+	SSLv3x_RSA_WITH_DES_CBC_SHA(0x9), SSLv3x_RSA_EXPORT1024_WITH_RC4_56_SHA (0x64), 
+	SSLv3x_RSA_EXPORT1024_WITH_DES_CBC_SHA (0x62), 
+	SSLv3x_RSA_EXPORT_WITH_RC4_40_MD5 (0x3), 
+	SSLv3x_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0x6),
+1046778101.753356 #1 server reply, version: 3.1
+1046778101.753356 #1 cipher suite: SSLv3x_RSA_WITH_RC4_128_MD5 (0x4),
+1046778101.762601 #1 X.509 server issuer: /C=DE/ST=Hamburg/L=Hamburg/O=TC 
+	TrustCenter for Security in Data Networks GmbH/OU=TC 
+	TrustCenter Class 3 CA/Email=certificate@@trustcenter.de,
+1046778101.762601 #1 X.509 server subject: /C=DE/ST=Berlin/O=Lehmanns 
+	Fachbuchhandlung GmbH/OU=Zentrale EDV/CN=www.jfl.de/Email=admin@@lehmanns.de
+1046778101.894567 #1 handshake finished, version 3.1, cipher suite: 
+	SSLv3x_RSA_WITH_RC4_128_MD5 (0x4)
+1046778104.877207 #1 finish
+---
+
+Used cipher-suites statistics:
+SSLv3x_RSA_WITH_RC4_128_MD5 (0x4): 1
+
+@end example
+@caption{Example of SSL log file with a single SSL session.}
+@end float 
+
+@cindex SSL, log file
+@cindex log file, SSL
+@cindex SSL session summary file
+In addition, @code{ssl_log} holds the name of the SSL log file to
+which Bro writes SSL connection summaries.  It defaults to
+@code{open_log_file("ssl")}.
+@end table
+
+The above figure shows an example of how entries in the SSL log file look like.
+We see a transcript of the first SSL connection seen since Bro started
+running.  The first line gives its start and the participating hosts and
+ports.  Next, we see a client trying to attempt a SSL (Version 3.1)
+connection and the cipher suites offered.  The server replies with a SSL
+3.1 @code{SERVER-REPLY} and the desired cipher suite.
+@emph{Note: In SSL v3.0/v3.1 this determines which cipher suite will be used for the connection}.  
+Following this is the certificate the server sends,
+including the issuer and subject.  Finally, we see that the handshaking
+phase for this SSL connection is finished now, and that client and server
+agreed on the cipher suite: @code{RSA_WITH_RC4_128_MD5}.  Due to encryption,
+the SSL analyzer skips all further data.  We only see the end of the
+connection.  When Bro finishes, we get some statistics about
+the cipher suites used in all monitored SSL connections. 
+
+@cindex analyzers, SSL, variables
+
+@node SSL event handlers,
+@subsection @code{SSL} event handlers
+
+@cindex analyzers, SSL, event handlers
+
+The standard script handles the following events:
+
+@table @samp
+@item @code{ssl_conn_attempt (c: connection, version: count, cipherSuites: cipher_suites_list)}
+
+Invoked upon the client side of connection @code{c} when the analyzer sees a @code{CLIENT-HELLO}
+of SSL version @code{version} including the cipher suites the client offers @code{cipherSuites}.
+
+The version can be @code{0x0002}, @code{0x0300} or @code{0x0301}.
+A new entry is generated inside the SSL connection table and the cipher suites
+are listed. Ciphers, that are known as weak (according to a corresponding table of
+weak ciphers) are logged inside the @code{weak.log} file. This also happens to
+cipher suites that we do not know yet. 
+@emph{Note: See the file @code{ssl-ciphers.bro} for a list of known cipher suites.}
+
+@item @code{ssl_conn_server_reply (c: connection, version: count, cipherSuites: cipher_suites_list)}
+
+This event is invoked upon the analyzer receiving a @code{SERVER-HELLO} of the SSL server.
+It contains the SSL version the server wishes to use (@emph{Note: This finally determines, which SSL version will be used further}) and the cipher suite he offers. If it is SSL version 3.0 or 3.1, the server determines
+within this @code{SERVER-HELLO} the cipher suite for the following connection (so it will only be one).
+But if it's a SSL version 2.0 connection, the server only announces the cipher suites he supports and
+it's up to the client to decide which one to use.
+
+Again, the cipher suites are listed and weak and unknown cipher suites are reported inside
+@code{weak.log}.
+
+@item @code{ssl_certificate_seen (c: connection, isServer: int)}
+
+Invoked whenever we see a certificate from client or server but before
+verification of the certificate takes place.
+This may be useful, if you want to do something before certificate verification
+(e.g. do not verify certificates of some given servers).
+
+@item @code{ssl_certificate (c: connection, cert: x509, isServer: bool)}
+
+Invoked after the certificate from server or client (@code{isServer}) has been verified. 
+@emph{Note: We only verify certificates once. If we see them again, we only check if they have changed!}
+@code{cert} holds the issuer and subject of the certificate, which gets stored
+inside this SSL connection's information record inside the SSL connection table and
+are written to @code{ssl.log}.
+
+@item @code{ssl_conn_reused (c: connection, session_id: string)}
+
+Invoked whenever a former SSL session is reused. @code{session_id} holds
+the session ID as string of the reused session and is written to @code{ssl.log}.
+Currently we don't do session tracking, because SSL version 2.0 doesn't
+send the session ID in clear text when it's generated.
+
+@item @code{ssl_conn_established (c: connection, version: count, cipher_suite: count)}
+
+Invoked when the handshaking phase of an SSL connection is finished.  We
+see the used SSL version and the cipher suite that will be used for
+cryptography (written to @code{ssl.log}) if we have SSL version 3.0 or 3.1.
+In case of SSL version 2.0 we can only determine the used cipher suite for
+new sessions, not for reused ones.  (@emph{Note: In SSL version 3.0 and 3.1 the 
+cipher suite to be used is already announced in the @code{SERVER-HELLO}.})
+
+@item @code{ssl_conn_alert (c: connection, version: count, level: count, description: count)}
+
+Invoked when the analyzer receives an SSL alert.  The @code{level} of the
+alert (warning or fatal) and the @code{description} are written into
+@code{ssl.log}. (@emph{Note: See @code{ssl-alerts.bro}}).
+
+@item @code{ssl_conn_weak (name: string, c: connection)}
+
+This event is called when the analyzer sees:
+@itemize @bullet
+@item weak ciphers (See: @code{ssl_conn_attempt}, @code{ssl_server_reply}, @code{ssl_conn_established}),
+@item unknown ciphers (See: @code{ssl_conn_attempt}, @code{ssl_server_reply}, @code{ssl_conn_established})
+@item or certificate verification failed.
+@end itemize
+
+See @code{weak.bro}.
+
+@end table
+
+@cindex analyzers, SSL, event handlers
+
+@node weird Analysis Script,
+@section The @code{weird} Analysis Script
+
+@cindex weird events
+@cindex events, exceptional
+@cindex exceptional events
+@cindex unusual events
+
+The @code{weird} module processes unusual or exceptional
+events.  A number of these ``shouldn't'' or even ``can't'' happen,
+yet they do.  The general design philosophy of Bro is to check
+for such events whenever possible, because they can reflect incorrect
+assumptions (either Bro's or the user's), attempts by attackers to
+confuse the monitor and evade detection, broken hardware, misconfigured
+networks, and so on.
+
+Weird events are divided into three categories, namely those pertaining
+to: connections; flows (a pair of hosts, but for which a specific connection
+cannot be identified); and network behavior (cannot be associated with a
+pair of hosts).  These categories have a total of four event handlers:
+@code{conn_weird}, @code{conn_weird_addl}, @code{flow_weird}, and @code{net_weird},
+and in the corresponding sections below we
+catalog the events handled by each.  In addition, we separately catalog
+the events generated by the standard scripts themselves
+(See: @ref{Events generated by the standard scripts}).  Finally, two more weird events have their
+own handlers, in order to associate detailed information with the event:
+@code{rexmit_inconsistency} and @code{ack_above_hole}.
+
+@cindex weird event summary file
+@cindex log file, weird events
+@code{weird_file} is the logging file  that
+the module uses to record exceptional
+events.  It defaults to @code{open_log_file("weird")}.
+
+@cindex crud
+@cindex unusual events, prevalence in actual network traffic
+@cindex weird events, prevalence in actual network traffic
+@cindex buggy implementations, causing ``weird'' events
+@cindex diverse network use, causing ``weird'' events
+@cindex Bro bugs/limitations, causing ``weird'' events
+@cindex bugs, causing ``weird'' events
+
+@emph{Note:  While these events ``shouldn't'' happen, in reality they often
+do.  For example, of the 73 listed below, a search of 10 months' worth of
+logs at LBNL shows that 42 were seen operationally.  While some of the
+instances reflect attacks, the great majority are simply due to i) buggy
+implementations, ii) diverse use of the network, or iii) Bro bugs or
+limitations.  Accordingly, you may initially be inclined to log each
+instance, but don't be surprised to find that you soon decide to only
+record many of them in the @code{weird} file, or not record them at all.
+(For further discussion, see the section on ``crud'' in [Pa99].) }
+
+@menu
+* Actions for weird events::	
+* weird variables::		
+* weird functions::		
+* Events handled by conn_weird::  
+* Events handled by conn_weird_addl::  
+* Events handled by flow_weird::  
+* Events handled by net_weird::	 
+* Events generated by the standard scripts::  
+* Additional handlers for weird events::  
+@end menu
+
+@node Actions for weird events,
+@subsection Actions for ``weird'' events
+
+@cindex weird events, actions
+
+The general approach taken by the module is to categorize for each event
+the action to take when the event engine generates the event.
+Table XX summarizes the different possible actions.
+
+@float Table, Weird Event Actions
+@multitable  @columnfractions .2 .75
+@item @strong{Action} @tab @strong{Meaning}
+@item WEIRD_UNSPECIFIED 
+@tab No action specified.
+@item WEIRD_IGNORE 
+@tab Ignore the event.
+@item WEIRD_FILE 
+@tab Record the event to weird file, if it has not been seen for these hosts before. (But see
+weird do not ignore repeats.)
+@item WEIRD_NOTICE_ALWAYS 
+@tab Record the event to weird file and generate a notice each time the event occurs.
+@item WEIRD_NOTICE_ONCE 
+@tab Record the event to weird file; generate a notice the first time the event occurs.
+@item WEIRD_NOTICE_PER_CONN 
+@tab Record the event to weird file; generate a notice the first time it occurs for a
+given connection.
+@item WEIRD_NOTICE_PER_ORIG 
+@tab Record the event to weird file; generate a notice the first time it occurs for a
+given originating host.
+@end multitable
+@caption{Different types of possible actions to take for "weird" events}
+@end float
+
+@node weird variables,
+@subsection @code{weird} variables
+
+The standard @code{weird} script provides the following redefinable variables:
+
+@table @samp
+@item @code{weird_action : table[string] of count}
+Maps different weird events to actions as given in Table in @ref{Actions for weird events} above.
+
+Default: as specified in @code{conn_weird}, @code{conn_weird_addl}, @code{flow_weird}, @code{net_weird},
+and @ref{Events generated by the standard scripts}.  As usual, you can change particular
+values using refinement.  For example:
+@example
+redef weird_action: table[string] of count += @{
+    [["bad_TCP_checksum", "bad_UDP_checksum"]] = WEIRD_IGNORE,
+    ["fragment_overlap"] = WEIRD_NOTICE_PER_CONN,
+@};
+@end example
+
+would specify to ignore TCP and UDP checksum errors (rather than the default
+of @code{WEIRD_FILE}), and to notice fragment overlaps once per connection
+in which they occur, rather than the default of @code{WEIRD_NOTICE_ALWAYS}.
+
+@item @code{weird_action_filters : table[string] of function(c: connection): count}
+Indexed by the name of a weird event, yields a function that when called
+for a given connection exhibiting the event, returns an action from
+the table in section @ref{Actions for weird events}.
+A return value of @code{WEIRD_UNSPECIFIED} 
+means ``no special action, use the action you normally would.''
+This variable thus allows arbitrary
+customization of the handling of particular events.
+
+Default: empty, for the @code{weird} analyzer itself.  The
+ analyzer redefines this variable as follows:
+@example
+    redef weird_action_filters += @{
+        [["bad_RPC", "excess_RPC", "multiple_RPCs", 
+		"partial_RPC"]] = RPC_weird_action_filter,
+@};
+@end example
+
+where @code{RPC_weird_action_filter} is a function internal to the
+analyzer that returns @code{WEIRD_FILE} if the originating host
+is in , and @code{WEIRD_UNSPECIFIED} otherwise.
+
+@item @code{weird_ignore_host : set[addr, string]}
+Specifies that the analyzer should ignore the given weird event (named by
+the second index) if it involves the given address (as either originator
+or responder host).
+
+Default: empty.
+
+@item @code{weird_do_not_ignore_repeats : set[string]}
+Gives a set of weird events that, if their action is @code{WEIRD_FILE},
+should still be recorded to the @code{weird_file} each time they occur.
+
+Default: the events relating to checksum errors, i.e.,
+@code{"bad_IP_checksum"},
+@code{"bad_TCP_checksum"},
+@code{"bad_UDP_checksum"}, and
+@code{"bad_ICMP_checksum"}.
+These are recorded multiple times because it can prove handy to
+be able to track clusters of checksum errors.
+
+@end table
+
+@node weird functions,
+@subsection @code{weird} functions
+
+The @code{weird} analyzer includes the following functions:
+
+@table @samp
+@item @code{report_weird (t: time, name: string, id: string, action: WeirdAction, no_log: bool)}
+Processes an occurrence of the weird event @code{name} associated with
+the connection described by the string @code{id} (which may be empty
+if no connection is associated with the event).  @code{action} is the
+action associated with the event.  For @code{report_weird}, the only
+distinctions made between the different actions are that @code{WEIRD_IGNORE}
+causes the function to do nothing; any of @code{WEIRD_NOTICE_xxx}
+cause the function to generate a notice, unless @code{no_log} is true; and @code{WEIRD_UNSPECIFIED} 
+causes the function to look up the action in @code{weird_action}.
+If the function does @emph{not} find an action
+for the event, then it uses @code{WEIRD_NOTICE_ALWAYS} and prepends the log
+message with a pair of asterisks (``@code{**}'') to flag that this event
+does not have a specified action.
+
+For @code{WEIRD_FILE}, @code{report_weird} only
+records the event once to the file, unless the given event is present
+in @code{weird_do_not_ignore_repeats}.  Events with notice-able actions
+are always recorded to @code{weird_file}.
+
+@item @code{report_weird_conn (t: time, name: string, id: string, c: connection)}
+Processes an occurrence of the weird event @code{name} associated with
+the connection @code{c}, which is described by the string @code{id}.
+
+If @code{report_weird_conn} finds one of the hosts and the given event name
+in @code{weird_ignore_host}, then it does nothing.  Then, if the event
+is in @code{weird_action}, then it looks up the event in
+@code{weird_action_filters} and invokes the corresponding function
+if present, otherwise taking the action from @code{weird_action}.
+It then implements the various flavors of @code{WEIRD_NOTICE_xxx}
+by not generating notices more than once per connection, originator host,
+etc., though the events are still written to @code{weird_file}.
+Finally, the function invokes  to do the
+actual recording and/or writing to @code{weird_file}.
+
+@item @code{report_weird_orig (t: time, name: string, id: string, orig: addr)}
+Processes an occurrence of the weird event @code{name} associated with
+the source address @code{orig}.  @code{id} textually describes the flow from
+@code{orig} to the destination, for example using @code{endpoint_id}.
+
+The function looks up the event name in @code{weird_action} and
+passes it along to @code{report_weird}.
+
+@end table
+
+@node Events handled by conn_weird,
+@subsection Events handled by @code{conn_weird}
+
+@cindex weird events, handled by conn_weird
+@cindex event handling, weird
+
+@table @samp
+@item @code{conn_weird (name: string, c: connection)}
+Invoked for most ``weird'' events.
+@code{name} is the name of the weird event, and @code{c} is the
+connection with which it's associated.
+
+@end table
+
+@noindent @code{conn_weird} handles the following events, all of which have
+a default action of @code{WEIRD_FILE}:
+
+@table @samp
+@item @code{active_connection_reuse}
+A new connection attempt (initial SYN)
+was seen for an already-established connection that has not
+yet terminated.
+@cindex HTTP, weird events
+@item @code{bad_HTTP_reply}
+The first line of a reply from an HTTP
+server did not include @code{HTTP/}@emph{version}.
+@item @code{bad_HTTP_version}
+The first line of a request from an HTTP
+client did not include @code{HTTP/}@emph{version}.
+@cindex ICMP, weird events
+@cindex packets, corrupted
+@cindex corrupted packets
+@cindex checksum error, ICMP
+@cindex ICMP, checksum error
+@item @code{bad_ICMP_checksum}
+The checksum field in an
+ICMP packet was invalid.
+@cindex Rlogin, weird events
+@item @code{bad_rlogin_prolog}
+The beginning of an Rlogin connection had
+a syntactical error.
+@cindex RPC (Remote Procedure Call), weird events
+@item @code{bad_RPC}
+A Remote Procedure Call was ill-formed.
+@item @code{bad_RPC_program}
+A portmapper RPC call did not include the
+correct portmapper program number.
+@item @code{bad_SYN_ack}
+A TCP SYN acknowledgment (SYN-ack) did not acknowledge
+the sequence number sent in the initial SYN.
+@cindex TCP, weird events
+@cindex checksum error, TCP
+@cindex TCP, checksum error
+@item @code{bad_TCP_checksum}
+A TCP packet had a bad checksum.
+@cindex UDP, weird events
+@cindex checksum error, UDP
+@cindex UDP, checksum error
+@item @code{bad_UDP_checksum}
+A UDP packet had a bad checksum.
+@item @code{baroque_SYN}
+A TCP SYN was seen with an unlikely
+combination of other flags (the URGent pointer).
+@item @code{blank_in_HTTP_request}
+The URL in an HTTP request includes
+an embedded blank.
+@item @code{connection_originator_SYN_ack}
+A TCP endpoint that originated
+a connection by sending a SYN followed this up by sending a SYN-ack.
+@item @code{data_after_reset}
+After a TCP endpoint sent a RST to terminate
+a connection, it sent some data.
+@item @code{data_before_established}
+Before the connection was fully
+established, a TCP endpoint sent some data.
+@item @code{excessive_RPC_len}
+An RPC record sent over a TCP connection
+exceeded 8 KB.
+@item @code{excess_RPC}
+The sender of an RPC request or reply included
+leftover data beyond what the RPC parameters or result value
+themselves consumed.
+@item @code{FIN_advanced_last_seq}
+A TCP endpoint retransmitted a FIN with
+a higher sequence number than previously.
+@item @code{FIN_after_reset}
+A TCP endpoint sent a FIN after sending a RST.
+@cindex packets, storms
+@cindex storms
+@item @code{FIN_storm}
+The monitor saw a flurry of FIN packets all sent on
+the same connection.  A ``flurry'' is defined as 1,000 packets that
+arrived with less than 1 sec between successive FINs.
+@emph{Deficiency: Clearly, this numbers should be user-controllable. }
+@item @code{HTTP_unknown_method}
+The method in an HTTP request was
+not GET, POST or HEAD.
+@item @code{HTTP_version_mismatch}
+A persistent HTTP connection sent a
+different version number for a subsequent item than it
+did initially.
+@item @code{inappropriate_FIN}
+A TCP endpoint sent a FIN before the
+connection was fully established.
+@item @code{multiple_HTTP_request_elements}
+An HTTP request included multiple
+methods.
+@item @code{multiple_RPCs}
+A TCP RPC stream included more than one
+remote procedure call.
+@cindex NULs
+@item @code{NUL_in_line}
+A NUL (ASCII 0) was seen in a text stream
+that is expected to be free of NULs.  @emph{Updateme:  Currently, the only such stream is that associated with an FTP control connection. }
+@item @code{originator_RPC_reply}
+The originator (and hence presumed client)
+of an RPC connection sent an RPC reply (either instead of a request,
+or in addition to a request).
+@cindex Finger, weird events
+@item @code{partial_finger_request}
+When a Finger connection terminated, it
+included a final line of unanalyzed text because the text was
+not newline-terminated.
+@cindex FTP, weird events
+@item @code{partial_ftp_request}
+When an FTP connection terminated, it
+included a final line of unanalyzed text because the text was
+not newline-terminated.
+@item @code{partial_ident_request}
+When an IDENT connection terminated, it
+included a final line of unanalyzed text because the text was
+not newline-terminated.
+@item @code{partial_portmapper_request}
+A portmapper connection terminated with
+an unanalyzed request because the data stream was incomplete.
+@item @code{partial_RPC}
+An RPC was missing some required header information
+due to truncation.
+@cindex data, unanalyzed
+@cindex unanalyzed data
+@item @code{pending_data_when_closed}
+A TCP connection closed even though
+not all of the data in it was analyzed due to a sequence hole.
+@cindex split routing
+@cindex routing, split
+@cindex vantage point
+@cindex bidirectional vs. unidirectional analysis
+@cindex analysis, bidirectional vs. unidirectional
+@cindex undirectional analysis
+@cindex scanning, stealth
+@cindex stealth scans
+@item @code{possible_split_routing}
+Bro appears to be seeing only one
+direction of some bi-directional connections .
+This can also occur due to certain forms of stealth-scanning.
+@cindex connection, reuse
+@cindex Maximum Segment Lifetime (MSL)
+@cindex MSL (Maximum Segment Lifetime)
+@item @code{premature_connection_reuse}
+A TCP connection tuple is being
+reused less than 30 sec after its previous use.  (The standard
+requires waiting 2 * @w{MSL} = 4 minutes [p. 27] [RFC-793].)
+@item @code{repeated_SYN_reply_wo_ack}
+A TCP responder that replied to an
+initial SYN with a SYN-ack has subsequently sent a SYN @emph{without}
+an acknowledgment.
+@item @code{repeated_SYN_with_ack}
+A TCP originator that sent an
+initial SYN has subsequently sent a SYN-ack.
+@item @code{responder_RPC_call}
+The responder (and hence presumed server)
+of an RPC connection sent an RPC request (either instead of a reply,
+or in addition to a reply).
+@item @code{rlogin_text_after_rejected}
+An Rlogin client sent additional text
+to an Rlogin server after the server already presumably rejected
+the client's service request.
+@cindex retransmission, inconsistent
+@cindex inconsistent retransmission
+@cindex evasion, inconsistent RPC retransmission
+@item @code{RPC_rexmit_inconsistency}
+An RPC call was retransmitted, and
+the retransmitted call differed from the original call.  This
+could reflect an attempt by an attacker to evade the monitor.
+@emph{Note:  This type of inconsistency checking is not available for RPC replies because the transmission of the reply in general marks the end of the RPC connection, and the monitor deletes the connection state shortly afterward. }
+@item @code{RST_storm}
+The monitor saw a flurry of RST packets all sent on
+the same connection.  See @code{FIN_storm} for the definition of
+``flurry.''
+@item @code{RST_with_data}
+A TCP RST packet included data.  This actually
+is allowed by the specification [4.2.2.12] RFC-1122.
+@emph{Deficiency: This event should include the data. }
+@cindex simultaneous open
+@cindex connection, simultaneous open
+@item @code{simultaneous_open}
+The monitor saw a TCP simultaneous open,
+i.e., both endpoints sent initial SYNs to one another at the same time.
+While the specification allows this [p. 30] RFC-793, none of the
+protocols analyzed by Bro should be using it.
+@cindex transients, startup
+@cindex startup, transients
+@cindex scanning, stealth
+@cindex stealth scans
+@item @code{spontaneous_FIN}
+A TCP endpoint sent a FIN packet without
+sending any previous packets.  This event can reflect stealth-scanning,
+but can also occur when Bro has recently
+started up and has not seen other traffic on a connection and hence does
+not know that the connection already exists.
+@item @code{spontaneous_RST}
+A TCP endpoint sent a RST packet without
+sending any previous packets.  As with @code{spontaneous_FIN}, this
+event can reflect either stealth scanning or a Bro start-up
+transient.
+@item @code{SYN_after_close}
+A TCP endpoint sent a SYN (connection
+initiation) after sending a FIN (connection termination),
+but before the connection fully closed.
+@item @code{SYN_after_partial}
+A TCP endpoint in a ``partial'' connection
+ sent a SYN.
+@item @code{SYN_after_reset}
+A TCP endpoint sent a SYN after sending a
+RST (reset connection).
+@item @code{SYN_inside_connection}
+A TCP endpoint sent a SYN during a
+connection (or partial connection) on which it had already
+sent data.
+@item @code{SYN_seq_jump}
+A TCP endpoint retransmitted a SYN or a
+SYN-ack, but with a different sequence number.
+@cindex T/TCP
+@cindex TCP, transaction
+@cindex transaction TCP
+@item @code{SYN_with_data}
+A TCP endpoint included data in a SYN packet
+it sent.  Note, this can legitimately occur for T/TCP connections
+[RFC-1644].
+@cindex TCP, Christmas packet
+@cindex Christmas packet
+@item @code{TCP_christmas}
+A TCP endpoint sent a SYN packet that
+included the RST flag (a nonsensical combination).  The
+term ``Christmas packet'' has been used in this context
+(particularly if other flags are set, too) because the
+packet's flags are ``lit up like a Christmas tree.''
+@cindex length mismatch, UDP
+@cindex UDP, length mismatch
+@cindex evasion, length mismatch
+@item @code{UDP_datagram_length_mismatch}
+The length field in a UDP header
+did not match the length field in the IP header.  This could
+reflect an attempt by an attacker to evade the monitor.
+@item @code{unpaired_RPC_response}
+An RPC reply was seen for which no
+request was seen.  This event could reflect a Bro start-up
+transient (it started running after the request was sent).
+@item @code{unsolicited_SYN_response}
+A TCP endpoint sent a SYN-ack without
+first receiving an initial SYN.  This event could reflect a
+Bro start-up transient.
+
+@end table
+
+@node Events handled by conn_weird_addl,
+@subsection Events handled by @code{conn_weird_addl}
+
+@cindex weird events, handled by conn_weird_addl
+
+@cindex polymorphic functions, need for
+@table @samp
+@item @code{conn_weird_addl (name: string, c: connection, addl: string)}
+Invoked for a few ``weird'' events that require an extra (string)
+argument to help clarify the event. @emph{Deficiency: It would likely be very handy if the general ``weird'' event handling was more flexible, with the ability to have various parameters associated with the events.  Doing so will likely have to wait on general Bro mechanism for dealing with default parameters and/or polymorphic functions and event handlers. }
+
+@end table
+
+@code{conn_weird_addl} handles the following events, all of which
+have a default action of @code{WEIRD_FILE}:
+
+@table @samp
+@cindex IDENT, weird events
+@item @code{bad_ident_reply}
+A reply from an IDENT server was
+syntactically invalid.
+@item @code{bad_ident_request}
+A request to an IDENT server was
+syntactically invalid.
+@item @code{ident_request_addendum}
+An IDENT request included additional
+text beyond that forming the request itself.
+@end table
+
+@node Events handled by flow_weird,
+@subsection Events handled by @code{flow_weird}
+
+@cindex weird events, handled by flow_weird
+
+@table @samp
+@item @code{flow_weird (name: string, src: addr, dst: addr)}
+is invoked for ``weird'' events that cannot be associated with a
+particular connection, but only with a pair of hosts, corresponding
+to a flow of packets from @code{src} to @code{dst}. Presently, all of
+these events deal with fragments.
+
+@end table
+
+@code{flow_weird} handles the following events:
+
+@table @samp
+@cindex IP, fragments
+@cindex fragments, excessively large
+@cindex denial of service, excessively large fragments
+@item @code{excessively_large_fragment}
+A set of IP fragments reassembled
+to a maximum size exceeding 64,000 bytes.  @emph{Note:  Sizes between 64,000 and 65,535 bytes are allowed, strictly speaking, but are highly unlikely in legitimate traffic.  Sizes above 65,535 bytes generally represent attempted denial-of-service attacks, due to IP implementations that crash upon receiving such impossibly-large fragment sets. }
+
+Default: @code{WEIRD_NOTICE_ALWAYS}.
+
+@cindex fragments, excessively small
+@cindex evasion, excessively small fragments
+@item @code{excessively_small_fragment}
+A fragment other than the
+last fragment in a set was less than 64 bytes in size.
+@emph{Note:  The standard allows such small fragments, but their presence may reflect an attacker attempting to evade the monitor by splitting header information across multiple fragments. }
+
+Default: @code{WEIRD_NOTICE_ALWAYS}.
+
+@cindex fragments, inconsistent
+@cindex evasion, inconsistent fragments
+@item @code{fragment_inconsistency}
+A fragment overlaps with a previously
+sent fragment, and the two disagree on data they share in common.
+This event could reflect an attacker attempting to evade the
+monitor; it can also occur because Bro keeps previous fragments
+indefinitely (@emph{Deficiency: it needs to provide a means for flushing old fragments, otherwise it becomes vulnerable to a state-holding attack}), and occasionally a fragment will
+overlap with one sent much earlier and long-since forgotten
+by the endpoints.
+
+Default: @code{WEIRD_NOTICE_ALWAYS}.
+
+@cindex fragments, overlapping
+@item @code{fragment_overlap}
+A fragment overlaps with a previously
+sent fragment.  As for @code{fragment_inconsistency}, this
+event can occur due to Bro keeping previous fragments
+indefinitely.  This event does not in general reflect a
+possible attempt at evasion.
+
+Default: @code{WEIRD_NOTICE_ALWAYS}.
+
+@cindex fragments, inconsistent protocols
+@item @code{fragment_protocol_inconsistency}
+Two fragments were seen
+for the same flow and IP ID which differed in their transport protocol
+(e.g., UDP, TCP).  According to the specification, this is allowed
+[p. 24] RFC-791, but its use appears highly unlikely.
+
+Default: @code{WEIRD_FILE}, because it is difficult to see how
+an attacker can exploit this anomaly.
+
+@cindex fragments, inconsistent sizes
+@cindex evasion, inconsistent fragment size
+@item @code{fragment_size_inconsistency}
+A ``last fragment'' was
+seen twice, and the two disagree on how large the reassembled datagram
+should be.  This event could reflect an attacker attempting to evade
+the monitor.
+
+Default: @code{WEIRD_FILE}, since it is more likely that this
+occurs due to a high volume flow of fragments wrapping the
+IP ID space than due to an actual attack.
+
+@item @code{fragment_with_DF}
+A fragment was seen with the ``Don't Fragment''
+bit set in its header.  While strictly speaking this is not illegal,
+and not impossible (a router could have fragmented a packet and then
+decided that the fragments should not be further fragmented), its
+presence is highly unusual.
+
+Default: @code{WEIRD_FILE}, because it's difficult to see how
+this could reflect malicious activity.
+
+@item @code{incompletely_captured_fragment}
+A fragment was seen whose
+length field is larger than the fragment datagram appearing on the
+monitored link.
+
+Default: @code{WEIRD_NOTICE_ALWAYS}.
+
+@end table
+
+@node Events handled by net_weird,
+@subsection Events handled by @code{net_weird}
+
+@cindex weird events, handled by net_weird
+
+@table @samp
+@item @code{net_weird (name: string)}
+is invoked for ``weird'' events that cannot be associated with
+a particular connection or set of hosts.  Except as noted, the
+default action for all such events is @code{WEIRD_FILE}.
+
+@end table
+
+@code{net_weird} handles the following events:
+
+@cindex packets, corrupted
+@cindex corrupted packets
+@cindex IP, weird events
+@cindex IP, checksum error
+@cindex checksum error, IP
+@table @samp
+@item @code{bad_IP_checksum}
+A packet had a bad IP header checksum.
+
+@cindex TCP, corrupted header
+@item @code{bad_TCP_header_len}
+The length of the TCP header (which is
+itself specified in the header) was smaller than the minimum
+allowed size.
+
+@cindex headers, truncated
+@cindex truncated headers
+@item @code{internally_truncated_header}
+A captured packet with a valid
+IP length field was smaller as actually recorded, such that the
+captured version of the packet was illegally small.  This event
+may reflect an error in Bro's packet capture hardware or software.
+
+Default: @code{WEIRD_NOTICE_ALWAYS}, because this event can indicate
+a basic problem with Bro's packet capture.
+
+@item @code{truncated_IP}
+A captured packet either was too small to
+include a minimal IP header, or the full length as recorded by
+the packet capture library was smaller than the length as indicated
+by the IP header.
+
+@item @code{truncated_header}
+An IP datagram's header indicates a length
+smaller than that required for the indicated transport type (TCP,
+UDP, ICMP).
+
+@end table
+
+@node Events generated by the standard scripts,
+@subsection Events generated by the standard scripts
+
+@cindex weird events, generated by standard scripts
+
+The following events are generated by the standard scripts themselves:
+
+@table @samp
+@item @code{bad_pm_port}
+See @code{pm_bad_port}.  Handled by  @code{conn_weird_addl},
+where the extra parameter is the text
+@code{"port <}@emph{bad-port}@code{>"}.
+
+@cindex denial of service, Land attack
+@cindex Land attack
+@code{Land_attack}
+A TCP connection attempt was seen with identical
+initiator and responder addresses and ports.  This event likely
+reflects an attempted denial-of-service attack known as a
+``Land'' attack.  See @code{check_spoof}.  Handled by @code{conn_weird}.
+
+@end table
+
+@node Additional handlers for weird events,
+@subsection Additional handlers for ``weird'' events
+
+@cindex weird events, additional handlers
+
+In addition to the above, generalized events, Bro includes two specific
+events that are defined by themselves so they can include additional
+parameterization:
+
+@cindex evasion, inconsistent TCP retransmission
+@cindex retransmission, inconsistent
+@cindex inconsistent retransmission
+@table @samp
+@item @code{rexmit_inconsistency (c: connection, t1: string, t2: string)}
+Invoked when a retransmission associated with connection @code{c} differed
+in its data from the contents transmitted previously.  @code{t1} gives
+the original data and @code{t2} the different retransmitted data.
+
+@cindex bugs, appalling
+This event may reflect an attacker attempting to evade the monitor.
+Unfortunately, however, experience has shown that
+@emph{(i)} inconsistent retransmissions do in fact
+happen due to (appalling) TCP implementation bugs, and
+@emph{(ii)} once they occur, they tend to cascade, because often
+the source of the bug is that the two endpoints have become
+desynchronized.
+
+The handler logs the message in the format
+@code{"}@emph{id}@code{ rexmit inconsistency (<t1>) (<t2>)"} .  However,
+the handler only logs the first instance of an inconsistency, due to
+the cascade problem mentioned above.
+
+@emph{Deficiency: The handler is not told which of the two connection endpoints was the faulty transmitter. }
+
+@cindex packets, drops
+@cindex acknowledgment holes
+@cindex inconsistent acknowledgment
+@cindex bugs, appalling
+@item @code{ack_above_hole (c: connection, t1: string, t2: string)}
+Invoked when Bro sees a TCP receiver acknowledge data above
+a sequence hole.  In principle, this should never occur.  Its
+presence generally means one of two things: @emph{(i)} a TCP
+implementation with an appalling bug (these definitely exist),
+or @emph{(ii)} a packet drop by Bro's packet capture facility,
+such that it never saw the data now being acknowledged.
+
+Because of the seriousness of this latter possibility, the
+handler logs a message 
+@code{ack above a hole}.  
+@emph{Note:  You can often distinguish between a truly broken TCP acknowledgment and Bro dropping packets by the fact that in the latter case you generally see a cluster of ack-above-a-hole messages among otherwise unrelated connections. }
+
+@emph{Deficiency: The handler is not told which of the two connection endpoints sent the acknowledgment. }
+
+@end table
+
+@cindex event handling, weird
+
+@cindex unusual events
+@cindex exceptional events
+@cindex events, exceptional
+@cindex weird events
+
+@node icmp Analyzer,
+@section The @code{icmp} Analyzer
+
+not done.
+
+@node stepping Analyzer,
+@section The @code{stepping} Analyzer
+
+not done.
+
+@node ssh-stepping Analysis Script,
+@section The @code{ssh-stepping} Analysis Script
+
+not done.
+
+@node backdoor Analyzer,
+@section The @code{backdoor} Analyzer
+
+not done.
+
+@node interconn Analyzer,
+@section The @code{interconn} Analyzer
+
+not done.
+
+@cindex standard scripts
+@cindex scripts, standard
+@cindex analyzers
+
+
diff --git a/doc/ref-manual/bro.css b/doc/ref-manual/bro.css
new file mode 100644
index 0000000000..0bebab8e63
--- /dev/null
+++ b/doc/ref-manual/bro.css
@@ -0,0 +1,43 @@
+/* 
+ * Custom nllite stylesheet
+ */
+body {  
+  font-family: Verdana, Arial, serif;
+}
+H1 {  
+  color: #339933;
+}
+A:link, A:active, A:visited, A:hover { 
+  color: #3333ff;
+  text-decoration: none; 
+}
+A:hover {
+  border-bottom: 1px dotted red;
+  color: red;
+  text-decoration: none;
+}
+ul.menu { 
+  list-style-type: circle;
+  list-style-position: inside;
+  padding: 5px;
+  background-color: #ccffcc;
+  border: 1px dashed #333333;
+}
+hr { 
+  display: none;
+}
+div.node { 
+  font-size: 12px;
+  font-weight: bold;
+  background-color: #ccffcc;
+/*
+  line-height: 0;
+*/
+  padding: 0.5em;
+}
+table.cartouche { 
+  background-color: white;
+}
+table { 
+  border: none;
+}
diff --git a/doc/ref-manual/debugger.texi b/doc/ref-manual/debugger.texi
new file mode 100644
index 0000000000..cb542edd89
--- /dev/null
+++ b/doc/ref-manual/debugger.texi
@@ -0,0 +1,389 @@
+
+@node Interactive Debugger
+@chapter Interactive Debugger
+
+@menu
+* Debugger Overview::			
+* A Sample Session::		
+* Usage::			
+* Notes and Limitations::	
+* Reference::			
+@end menu
+
+@node Debugger Overview,
+@section Debugger Overview
+
+Bro's interactive debugger is intended to aid in the development,
+testing, and maintenance of policy scripts. The debugger's interface
+has been modeled after the popular @code{gdb} debugger; the
+command syntax is virtually identical. While at present the Bro
+debugger supports only a small subset of @code{gdb}'s features,
+these were chosen to be the most commonly used commands. Additional
+features beyond those of @code{gdb}, such as wildcarding, have
+been added to specifically address needs created by Bro policy scripts.
+
+@node A Sample Session,
+@section A Sample Session
+
+The transcript below should look very familiar to those familiar with
+@code{gdb}. The debugger's command prompt accepts debugger commands;
+before each prompt, the line of policy code that is next to be
+executed is displayed.
+
+First we activate the debugger with the @code{-d} command-line switch.
+@example
+bobcat:~/bro/bro$ ./bro -d -r slice.trace brolite
+Policy file debugging ON.
+In bro_init() at policy/ftp.bro:437
+437             have_FTP = T;
+@end example
+ Next, we set a breakpoint in the @code{connection_finished}
+event handler [reference this somehow]. A breakpoint causes the
+script's execution to stop when it reaches the specified function. In
+this case, there are many event handlers for the
+@code{connection_finished} event, so we are given a choice.
+@example
+(Bro [0]) break connection_finished
+Setting breakpoint on connection_finished:
+
+There are multiple definitions of that event handler.
+Please choose one of the following options:
+[1] policy/conn.bro:268
+[2] policy/active.bro:14
+[3] policy/ftp.bro:413
+[4] policy/demux.bro:40
+[5] policy/login.bro:496
+[a] All of the above
+[n] None of the above
+Enter your choice: 1
+Breakpoint 1 set at connection_finished at policy/conn.bro:268
+@end example
+ Now we resume execution; when the breakpoint is reached, execution
+stops and the debugger prompt returns.
+@example
+(Bro [1]) continue
+Continuing.
+Breakpoint 1, connection_finished(c = '[id=[orig_h=1.0.0.163,
+orig_p=2048/tcp, resp_h=1.0.0.6, resp_p=23/tcp], orig=[size=0,
+state=5], resp=[size=46, state=5], start_time=929729696.316166,
+duration=0.0773319005966187, service=, addl=, hot=0]') at
+policy/conn.bro:268
+In connection_finished(c = '[id=[orig_h=1.0.0.163, orig_p=2048/tcp,
+resp_h=1.0.0.6, resp_p=23/tcp], orig=[size=0, state=5], resp=[size=46,
+state=5], start_time=929729696.316166, duration=0.0773319005966187,
+service=, addl=, hot=0]') at policy/conn.bro:268
+268             if ( c$orig$size == 0 || c$resp$size == 0 )
+@end example
+ We now step through a few lines of code and into the
+@code{record_connection} call.
+@example
+(Bro [2]) step
+274             record_connection(c, "finished");
+(Bro [3]) step
+In record_connection(c = '[id=[orig_h=1.0.0.163, orig_p=2048/tcp,
+resp_h=1.0.0.6, resp_p=23/tcp], orig=[size=0, state=5], resp=[size=46,
+state=5], start_time=929729696.316166, duration=0.0773319005966187,
+service=, addl=, hot=0]', disposition = 'finished') at
+policy/conn.bro:162
+162             local id = c$id;
+(Bro [4]) step
+163             local local_init = to_net(id$orig_h) in local_nets;
+@end example
+
+We now print the value of the @code{id} variable, which was set in
+the previously executed statement @code{local id = c$id;}. We follow
+that with a backtrace (@code{bt}) call, which prints a trace of the
+currently-executing functions and event handlers (along with their
+actual arguments). We then remove the breakpoint and continue
+execution to its end (the remaining output has been trimmed off). 
+@example
+(Bro [5]) print id
+[orig_h=1.0.0.163, orig_p=2048/tcp, resp_h=1.0.0.6, resp_p=23/tcp]
+(Bro [6]) bt
+#0 In record_connection(c = '[id=[orig_h=1.0.0.163, orig_p=2048/tcp,
+ resp_h=1.0.0.6, resp_p=23/tcp], orig=[size=0, state=5],
+ resp=[size=46, state=5], start_time=929729696.316166,
+ duration=0.0773319005966187, service=, addl=, hot=0]', disposition =
+ 'finished') at policy/conn.bro:163
+#1 In connection_finished(c = '[id=[orig_h=1.0.0.163, orig_p=2048/tcp,
+ resp_h=1.0.0.6, resp_p=23/tcp], orig=[size=0, state=5],
+ resp=[size=46, state=5], start_time=929729696.316166,
+ duration=0.0773319005966187, service=, addl=, hot=0]') at
+ policy/conn.bro:274
+(Bro [7]) delete
+Breakpoint 1 deleted
+(Bro [8]) continue
+Continuing.
+...
+@end example
+ 
+
+@node Usage,
+@section Usage
+
+The Bro debugger is invoked with the @code{-d} command-line
+switch. It is strongly recommended that the debugger be used with a
+tcpdump capture file as input (the @code{-r} switch) rather than in
+``live'' mode, so that results are repeatable.
+
+Execution tracing is a feature which generates a complete record of
+which code statements are executed during a given run. It is enabled
+with the @code{-t} switch, whose argument specifies a file which
+will contain the trace. 
+
+Debugger commands all are a single word, though many of them take
+additional arguments. Commands may be abbreviated with a prefix
+(e.g., @code{fin} for @code{finish}); if the same prefix matches
+multiple commands, the debugger will list all that match. Certain
+very frequently-used commands, such as @code{next}, have been
+given specific one-character shortcuts (in this case,
+@code{n}). For more details on all the debugger commands, see the
+Reference in section @ref{Reference}, below.
+
+The debugger's prompt can be activated in three ways. First, when
+the @code{-d} switch is supplied, Bro stops in the
+@code{bro_init} initialization function (more precisely, after
+global-scope code has been executed; see section @ref{Notes and Limitations}). It is
+also activated when a breakpoint is hit. Breakpoints are set with
+the @code{break} command (see the Reference). The final way to
+invoke the debugger's prompt is to interrupt execution by pressing
+Ctrl-C (sending an Interrupt signal to the process). Execution will
+be suspended after the currently-executing line is completed.
+
+@node Notes and Limitations,
+@section Notes and Limitations
+
+@itemize @bullet
+@item 
+Statements at global scope, i.e., those executed before the
+@code{bro_init} function, may not be debugged at present. This is
+because those statements load declarations for other functions
+needed for the debugger to function properly.
+@end itemize
+
+@node Reference,
+@section Reference
+
+@strong{large Summary of Commands}
+Note: all commands may be abbreviated with a unique prefix. Shortcuts
+below are special exceptions to this rule.
+
+@float Table, Debugger commands
+@multitable  @columnfractions .15  .15  .6
+@item @strong{Command} @tab @strong{Shortcut} @tab @strong{Description} 
+@item help @tab @tab Get help with debugger commands 
+@item quit @tab @tab Exit Bro 
+@item next @tab n @tab Step to the following statement, skipping function calls 
+@item step @tab s @tab Step to following statements, stepping in to function calls 
+@item continue @tab c @tab Resume execution of the policy script 
+@item finish @tab @tab Run until the currently-executing function completes 
+@item break @tab b @tab Set a breakpoint 
+@item condition @tab @tab Set a condition on an existing breakpoint 
+@item delete @tab d @tab Delete the specified breakpoints; delete all if no arguments 
+@item disable @tab @tab Turn off the specified breakpoint; do not delete
+permanently 
+@item enable @tab @tab Undo a prior `disable' command 
+@item info @tab @tab Get information about the debugging environment  
+@item print @tab p @tab Evaluate an expression and print the result 
+@item set @tab @tab Alias for `print' 
+@item backtrace @tab bt @tab Print a stack trace  
+@item frame @tab @tab Select frame number N 
+@item up @tab @tab Select the stack frame one level up from the current one 
+@item down @tab @tab Select the stack frame one level down from the current one 
+@item list @tab l @tab Print source lines surrounding specified context 
+@item trace @tab @tab Turn on or off execution tracing 
+@end multitable
+@caption{Debugger Commands}
+@end float
+
+@*
+
+@strong{Getting Help}
+@table @samp
+
+@item help
+Help for each command may be invoked with the @code{help}
+command. Calling the command with no arguments displays a one-line
+summary of each command. 
+@end table
+
+@strong{Command-Line Options}
+@table @samp
+
+@item @code{-d} switch
+The @code{-d} switch enables the Bro
+script debugger.
+
+@item @code{-t} switch
+The @code{-t} enables execution
+tracing. There is an argument to the switch, which indicates a file
+that will contain the result of the trace. Trace output consists of
+the source code lines executed, indented for each nested function invocation.
+
+@strong{Example.} The following command invokes Bro, using @code{tcpdump_file} for
+the input packets and outputting the result of the trace to
+@code{execution_trace}.
+@example
+  ./bro -t execution_trace -r tcpdump_file policy_script.bro
+  @end example
+
+@strong{Example.} If the argument to @code{-t} is a single dash
+character (``@code{-}''), then the trace output is sent to
+@code{stderr}.
+@example
+  ./bro -t - -r tcpdump_file policy_script.bro
+  @end example
+
+@strong{Example.} Lastly, execution tracing may be combined with the
+debugger. Here we send output to @code{stderr}, so it will be
+intermingled with the debugger's output. Tracing may be turned off
+and on in the debugger using the @code{trace} command.
+@example
+  ./bro -d -t - -r tcpdump_file policy_script.bro
+  @end example
+
+@end table
+
+@strong{Running the Script}
+@table @samp
+
+@item quit
+Exit Bro, aborting execution of the currently executing script.
+
+@item restart (r)
+@emph{(Currently Unimplemented)} Restart the execution
+of the script, rewinding to the beginning of the input file(s), if
+appropriate. Breakpoints and other debugger state are preserved.
+
+@item continue (c)
+Resume execution of the script file. The script will
+continue running until interrupted by a breakpoint or a signal.
+
+@item next (n)
+Execute one statement, without entering any subroutines
+called in that statement. 
+
+@item step (s)
+Execute one statement, but stop on entry to any called subroutine.
+
+@item finish
+Run until the currently executing function returns.
+@end table
+
+@strong{Breakpoints}
+@table @samp
+
+@item break (b)
+Set a breakpoint. A breakpoint suspend execution when
+execution reaches a particular location and returns control to the
+debugger. Breakpoint locations may be specified in a number of ways:
+
+@multitable  @columnfractions .3  .6
+@item @code{break} @tab With no argument, the current line is used. 
+@item @code{break} @emph{[FILE:]LINE} @tab The specified line in the specified file; if
+no policy file is specified, the current file is implied. 
+@item @code{break} @emph{FUNCTION} @tab The first line of the specified function or
+event handler. If more than one event handler matches the name, a choice
+will be presented. 
+@item @code{break} @emph{WILDCARD} @tab Similar to @emph{FUNCTION}, but a
+POSIX-compliant regular expression (see the @code{regex(3)} man
+page )is supplied, which is matched against all functions and event
+handlers. One exception to the the POSIX syntax is that, as in the
+shell, the @code{*} character may be used to match zero or more
+of any character without a preceding period character (@code{.}).
+@end multitable
+
+@item condition @emph{N expression}
+The numeric argument
+$N$ indicates which breakpoint to add a condition to, and the
+expression is the conditional expression. A breakpoint with a
+condition will only stop execution when the supplied condition is
+true. The condition will be evaluated in the context of the
+breakpoint's location when it is reached.
+
+@item enable
+With no arguments, enable all breakpoints
+previously disabled with the @code{disable} command. If numeric
+arguments separated by spaces are provided, the breakpoints with those
+numbers will be enabled.
+
+@item disable
+With no arguments, disable all breakpoints. Disabled
+breakpoints will not stop execution, but will be retained to be
+enabled later. If numeric arguments separated by spaces are provided,
+the breakpoints with those numbers will be disabled.
+
+@item delete (d)
+With no arguments, permanently delete all
+breakpoints. If numeric arguments separated by spaces are provided,
+the breakpoints with those numbers will be deleted.
+@end table
+
+@strong{Debugger State}
+@table @samp
+
+@item @strong{info}
+Give information about the
+current script and debugging environment. A subcommand should follow
+the @code{info} command to indicate which information is
+desired. At present, the following subcommands are available: 
+
+@multitable  @columnfractions .2  .6
+@item @code{info break} @tab List all breakpoints and their status
+@end multitable
+
+@end table
+
+@strong{Inspecting Program State}
+@table @samp
+
+@item print (p) / set
+The @code{print} command and its alias,
+@code{set}, are used to evaluate any expression in the policy
+script language. The result of the evaluation is printed
+out. Results of the evaluation affect the current execution
+environment; expressions may include things like assignment. The
+expression is evaluated in the context of the currently selected
+stack frame. The @code{frame}, @code{up}, and @code{down}
+commands (below) are used to change the currently selected frame,
+which defaults to the innermost one.
+
+@item backtrace (bt)
+Print a description of all the stack frames (function
+invocations) of the currently executing script.\ With no arguments,
+prints out the currently selected stack frame.\ With a numeric
+argument @emph{+/- N}, prints the innermost @emph{N} frames if the argument is
+positive, or the outermost $N$ frames if the argument is negative.
+
+@item frame
+With no arguments, prints the currently selected
+frame. \ With a numeric argument $N$, selects frame $N$. Frame
+numbers are numbered inside-out from 0; the 
+
+@item up
+Select the stack frame that called the currently selected
+one. If a numeric argument $N$ is supplied, go up that many frames.
+
+@item down
+Select the stack frame called by the currently selected
+one. If a numeric argument $N$ is supplied, go down that many frames.
+
+@item list (l)
+With no argument, print the ten lines of script source
+code following the previous listing. If there was no previous
+listing, print ten lines surrounding the next statement to be
+executed. If an argument is supplied, ten lines are printed around
+the location it describes. The argument may take one of the
+following forms:
+
+@emph{[FILE:]LINE} 
+The specified line in the specified file; if
+no policy file is specified, the current file is implied. \
+@emph{FUNCTION} The first line of the specified function or
+event handler. If more than one event handler matches the name, a choice
+will be presented. \
+$\pm N$ With a numeric argument preceded by a plus or minus
+sign, the line at the supplied offset from the previously selected line.
+
+@end table
+
diff --git a/doc/ref-manual/intro.texi b/doc/ref-manual/intro.texi
new file mode 100644
index 0000000000..9b96709f55
--- /dev/null
+++ b/doc/ref-manual/intro.texi
@@ -0,0 +1,170 @@
+
+@node Introduction
+@chapter Introduction
+
+Bro is an intrusion detection system that works by passively watching
+traffic seen on a network link.  It is built around an @emph{event engine}
+that pieces network packets into events that reflect different types of
+activity.  Some events are quite low-level, such as the monitor seeing
+a connection attempt; some are specific to a particular network protocol,
+such as an FTP request or reply; and some reflect fairly high-level notions,
+such as a user having successfully authenticated during a login session.
+
+Bro runs the events produced by the event engine through a @emph{policy script}, which you (the Bro administrator) supply, though in general you will
+do so by using large portions of the scripts
+(``@emph{analyzers}''; see below) that come with the Bro distribution.
+
+You write policy scripts in ``Bro'', a specialized language geared towards
+network analysis in general and security analysis in particular.  Bro scripts
+are made up of @emph{event handlers} that specify what to do whenever a
+given event occurs.  Event handlers can maintain and update global state
+information, write arbitrary information to disk files, generate new
+events, call functions (either user-defined or predefined), generate
+@emph{alarms} that produce @emph{syslog} messages, and invoke arbitrary
+shell commands.  These latter might terminate a running connection or talk
+to your border router to install an ACL prohibiting traffic from a particular
+host, for example.
+
+The Bro language is strongly typed and includes a bunch of types designed
+to aid analyzing network traffic.  It also supports @emph{implicit typing},
+meaning that often you don't need to explicitly indicate a variable's type
+because Bro can figure it out from context.  This feature makes the strong typing
+a bit less of a pain, while retaining its bug-finding benefits.
+
+For high performance, Bro relies on use of an efficient @emph{packet filter}
+to capture only a (hopefully small) subset of the traffic that transits
+the link it monitors.  Related to this, Bro comes with a set of
+@emph{analyzers}, that is, scripts for analyzing different protocols and
+different types of activity.  In general you can pick and choose among
+these for which types of analysis you want to enable, and Bro will only
+capture traffic relating to the analyzers you choose.  Thus, you can
+control how much work Bro has to do by the analyzers you designate, a
+potentially major consideration if the monitored link has a high volume
+of traffic.
+
+Experience has shown that the policy scripts often require tailoring
+to each environment in which they're used; but if the tailoring is done
+by editing the analyzers supplied with the Bro distribution, you wind
+up with multiple copies of the analyzers, all slightly different, such
+that when you want to make a general change to all of them, it takes
+careful (and tedious) editing to correctly apply the change to all of
+the copies.
+
+Consequently, Bro emphasizes the use of tables and sets of values as ways
+to codify policy particulars such as which hosts should generate alarms
+if seen engaged in various types of connections, which usernames are sensitive
+and should trigger alarms when used, and so on.  The various analyzers
+are written such that you can (often) customize them by simply changing
+variables associated with the analyzer.  Furthermore, Bro
+supports a notion of @emph{refining} the initialization of a variable, so
+that, in a @emph{separate} file from the one defining an analyzer, you
+can either @emph{(i)} @emph{redefine} the variable's initial value,
+@emph{(ii)} @emph{add} new elements to a given table, set or pattern, or
+@emph{(iii)} @emph{remove} elements from a given table or set.
+In a nutshell, refinement allows you to specify particular policies
+in terms of their @emph{differences} from existing policies, rather
+than in their entirety.
+
+@cindex Bro!references
+You can find an overview of Bro in the paper
+``Bro: A System for Detecting Network Intruders in Real-Time,''
+Proceedings of the 1998 USENIX Security Symposium
+@uref{insert URL,Pa98}
+and a revised version
+in @emph{Computer Networks} 
+@uref{insert URL,Pa99}
+A copy of the latter is included in the Bro distribution.
+
+@strong{Using this manual:}
+
+This manual is intended to provide full documentation for users
+of Bro, both those who wish to write Bro scripts to use Bro's existing
+analyzers, and those who wish to implement event engine support for new Bro
+analyzers.  The current version of the manual is @emph{incomplete};
+in particular, it does not discuss the internals of the event engines,
+and a number of other topics have only placeholders.
+
+The manual is organized @emph{not} as a tutorial, but rather closer to a
+reference manual.  In particular, the intent is for the @emph{index} to
+be highly comprehensive, and to serve as one of the main tools to help
+you navigate through Bro's numerous features and capabilities.  Accordingly,
+the index contains many ``redundant'' entries, that is, the same
+information indexed in multiple ways, to try to make it particularly easy
+to look up information.  For example, you'll find a list of all of
+the predefined functions under ``predefined functions'', and also
+under ``functions''.  There are similar entries for ``events'' and
+``variables''.
+
+The manual also includes @emph{Note:}'s and @emph{Deficiency:}'s that
+emphasize points that may be subtle or counter-intuitive, or that
+reflect bugs of some form.  The general delineation between the two
+is that @emph{Note:}'s discuss facets of Bro not likely to change,
+while @emph{Deficiency:}'s will (should) eventually get fixed.
+
+I'm very interested in feedback on whether the manual in general and the
+index in particular is effective, what should be added or removed from it
+to improve it, any errors found in the index or (of course) elsewhere in
+the manual, and what topics you would give the highest priority for the
+next revision of the manual.  In addition, @emph{any contributions to the manual} will be highly welcome!  You'll find the source for the manual
+in @emph{doc/manual-src/}.
+
+The current version of the manual is organized as follows.
+We begin with an overview of how to get started using Bro: building
+and installing it, running it interactively and on live and prerecorded
+network traffic, and the helper utilities (scripts and programs) included
+in the distribution (Chapter N).
+
+Chapter N then discusses the different
+types, values, and constants that Bro supports.  The intent is to provide
+you with some of the flavor of the language.  In addition, later chapters
+use these concepts to explain things like the types associated with the
+arguments passed to different event handlers.
+
+Chapter N lists the different variables and functions
+that Bro predefines.  The variables generally reflect particular values
+that control the behavior of the event engine or reflect its status,
+and the functions are for the most part utilities to aid in the writing
+of Bro scripts.
+
+Chapter N discusses the different analyzers that
+Bro provides.  It is far and away the longest chapter, since there
+are a good number of analyzers, and some of them are quite rich
+in their analysis.
+
+Chapter N describes how to use Bro's @emph{signature engine}.
+The signature engine provides a general mechanism for searching for 
+regular expressions in packet payloads or reassembled TCP byte streams.
+Successful matches can then be fed as events into your policy script
+for further analysis, including the opportunity to assess the match
+in terms of surrounding context, which can greatly reduce the problem
+of ``false positives'' from which signature-matching can suffer.
+The chapter also discusses how to incorporate signatures from the popular
+@emph{Snort} intrusion detection system.
+
+Chapter N gives an overview of Bro's @emph{interactive debugger}.
+The debugger allows you to breakpoint your policy script and inspect and
+change the values of script variables.  The chapter also describes the
+generation of @emph{traces} of all of the events generated during execution.
+
+Finally, Chapter N briefly lists different aspects of Bro
+that have not yet been documented (in addition to the event engine
+and the Bro language itself).
+
+@noindent @emph{Acknowledgments:}
+
+Major components of Bro's functionality were contributed by Ruoming Pang,
+Umesh Shankar, Robin Sommer, and Chema Gonzalez.  Robin also wrote
+Chapter N of this manual; Umesh wrote Chapter N;
+and Michael Kuhn and Benedikt Ostermaier contributed the SSL analyzer
+(with additional development by Scott Campbell) and the associated
+documentation.
+
+Many thanks, too, to Craig Leres, Craig Lant, Jim Mellander, Anne Hutton,
+David Johnston, Mark Handley, and Partha Banerjee for their contributions
+and operational feedback.
+
+Finally, a number of people were instrumental to supporting Bro's development:
+Jim Rothfuss, Mark Rosenberg, Stu Loken, Van Jacobson, Dave Stevens, and
+Jeff Mogul.  Again, many thanks!
+
+
diff --git a/doc/ref-manual/predefined.texi b/doc/ref-manual/predefined.texi
new file mode 100644
index 0000000000..639fe09de8
--- /dev/null
+++ b/doc/ref-manual/predefined.texi
@@ -0,0 +1,3108 @@
+
+@node Predefined Variables and Functions
+@chapter Predefined Variables and Functions
+
+@menu
+* Predefined Variables::	
+* Predefined Functions::	
+@end menu
+
+@node Predefined Variables,
+@section Predefined Variables
+
+@cindex predefined variables
+
+Bro predefines and responds to the following variables, organized by
+the policy file in which they are contained. Note that you will only
+be able to access the variables in a policy file if you @code{load} it or
+a policy file which loads it.
+
+@menu
+* activebro::			
+* anonbro::			
+* backdoorbro::			
+* broinit::			
+* code-redbro::			
+* connbro::			
+* demuxbro::			
+* dnsbro::			
+* dns-mappingbro::		
+* fingerbro::			
+* ftpbro::			
+* hotbro::			
+* hot-idsbro::			
+* httpbro::			
+* http-abstractbro::		
+* http-requestbro::		
+* icmpbro::			
+* identbro::			
+* interconnbro::		
+* ircbro::
+* loginbro::			
+* mimebro::			
+* noticebro::			
+* ntpbro::			
+* pop3bro::			
+* port-namesbro::		
+* portmapperbro::		
+* scanbro::			
+* signaturesbro::			
+* sitebro::			
+* smtpbro::			
+* smtp-relaybro::		
+* softwarebro::			
+* sshbro::			
+* steppingbro::			
+* tftpbro::			
+* udpbro::			
+* weirdbro::			
+* wormbro::			
+* Uncategorized::		
+@end menu
+
+@node activebro,
+@subsection active.bro
+
+@table @samp
+
+@code{active_conn : table[conn_id] of connection}
+@vindex active_conn 
+@quotation
+A table of @code{connection} records corresponding to all active
+connections.
+@end quotation
+
+@end table
+
+@node anonbro,
+@subsection anon.bro
+
+@table @samp
+@code{anon_log : file}
+@vindex anon_log 
+@quotation
+The file into which anonymization @emph{Fixme: Add a reference to doc on anonymization when it is available.} IP address mappings are written.
+@end quotation
+
+@code{preserved_subnet : set[subnet]}
+@vindex preserved_subnet
+@quotation
+Addresses in these subnet are preserved when anonymization is being
+performed. See also @code{preserved_net}.  NOTE: The variable @code{const}. so may only be changed via @code{redef}
+@end quotation
+
+@code{preserved_net : set[net]}
+@vindex preserved_net 
+@quotation
+These Class A/B/C nets are preserved when anonymization is being
+performed. See also @code{preserved_subnet}.
+@end quotation
+
+@end table
+
+@node backdoorbro,
+@subsection backdoor.bro
+
+@table @samp
+@code{backdoor_log : file}
+@vindex backdoor_log 
+@quotation
+The file into which logs for backdoor servers
+() are written.
+@end quotation
+
+@code{backdoor_min_num_lines : count}
+@vindex backdoor_min_num_lines 
+@quotation
+The number of lines of @emph{Fixme: must be telnet?} input and output must be more than this amount to
+trigger backdoor checking.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{backdoor_min_normal_line_ratio : double}
+@vindex backdoor_min_normal_line_ratio 
+@quotation
+If the fraction of ``normal'' (less than a certain length) lines is
+below this value, then backdoor checking is not performed.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{backdoor_min_bytes : count}
+@vindex backdoor_min_bytes 
+@quotation
+The total number of bytes transferred on the connection must be at
+least this large in order for backdoor checking to be performed.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{backdoor_min_7bit_ascii_ratio : double}
+@vindex backdoor_min_7bit_ascii_ratio 
+@quotation
+The fraction of 7-bit ASCII characters out of all bytes transferred
+must be at least this large in order for backdoor checking to be performed.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{backdoor_demux_disabled : bool}
+@vindex backdoor_demux_disabled 
+@quotation
+If T (the default), then suspected backdoor connections are not
+demuxed into sender and receiver streams.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{backdoor_demux_skip_tags : set[string]}
+@vindex backdoor_demux_skip_tags 
+@quotation
+If the type of backdoor (the tag) is in this set, the connection will
+not be demuxed.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{backdoor_ignore_src_addrs : table[string, addr] of bool}
+@vindex backdoor_ignore_src_addrs 
+@quotation
+If the suspected backdoor name (``*'' for any) and source address (or
+its /16 or /24) subnet are in this table as a pair, then the backdoor
+will not be logged.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{backdoor_ignore_dst_addrs : table[string, addr] of bool}
+@vindex backdoor_ignore_dst_addrs 
+@quotation
+If the suspected backdoor name (``*'' for any) and destination address (or
+its /16 or /24) subnet are in this table as a pair, then the backdoor
+will not be logged.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{backdoor_ignore_ports : table[string, port] of bool}
+@quotation
+The following (signature, well-known port) pairs should not generated
+a backdoor notice.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{backdoor_standard_ports : set[port]}
+@quotation
+See @code{backdoor_annotate_standard_ports}.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{backdoor_stat_period : interval}
+@quotation
+A report on backdoor stats is generated at this interval.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{backdoor_stat_backoff : interval}
+@quotation
+@emph{Fixme: Not sure about the exact definition here} The backdoor report
+interval (@code{backdoor_stat_period}) is increased by this factor each time it is generated,
+except if the timers are artificially expired.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{backdoor_annotate_standard_ports : bool}
+@quotation
+If T (the default), backdoor notices for those on @code{backdoor_standard_ports}
+should be annotated with the backdoor tag name.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{ssh_sig_disabled : bool}
+@quotation
+If T (default = F), then matches against the SSH signature are ignored.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{telnet_sig_disabled : bool}
+@quotation
+If T (default = F), then matches against the telnet signature are ignored.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{telnet_sig_3byte_disabled : bool}
+@quotation
+If T (default = F), then matches against the 3-byte telnet signature are ignored.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{rlogin_sig_disabled : bool}
+@quotation
+If T (default = F), then matches against the rlogin signature are ignored.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{rlogin_sig_1byte_disabled : bool}
+@quotation
+If T (default = F), then matches against the 1-byte rlogin signature are ignored.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{root_backdoor_sig_disabled : bool}
+@quotation
+If T (default = F), then matches against the root backdoor signature are ignored.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{ftp_sig_disabled : bool}
+@quotation
+If T (default = F), then matches against the FTP signature are ignored.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{napster_sig_disabled : bool}
+@quotation
+If T (default = F), then matches against the Napster signature are ignored.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{gnutella_sig_disabled : bool}
+@quotation
+If T (default = F), then matches against the Gnutella signature are ignored.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{kazaa_sig_disabled : bool}
+@quotation
+If T (default = F), then matches against the KaZaA signature are ignored.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{http_sig_disabled : bool}
+@quotation
+If T (default = F), then matches against the HTTP signature are ignored.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{http_proxy_sig_disabled : bool}
+@quotation
+If T (default = F), then matches against the HTTP proxy signature are ignored.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{did_sigconns : table[conn_id] of set[string]}
+@quotation
+A table which indicates, for each connection, which backdoor server
+signatures were found in the connection's traffic, e.g., ``ftp-sig''
+or ``napster-sig''.
+@end quotation
+
+@code{rlogin_conns : table[conn_id] of rlogin_conn_info}
+@quotation
+A table that holds relevant state variables (an @code{rlogin_conn_info}
+ record) for @code{rsh} connections.
+@end quotation
+
+@code{root_backdoor_sig_conns : set[conn_id]}
+@quotation
+The set of connections for which a root backdoor signature
+(``root-bd-sig'') has been detected.
+@end quotation
+
+@code{ssh_len_conns : set[conn_id]}
+@quotation
+The set of connections that are predicted to contain SSH traffic,
+based on the proportion of packets that meet the expected packet size
+distribution. Relevant parameters are @code{ssh_min_num_pkts} and 
+@code{ssh_min_ssh_pkts_ratio}, which are local to @code{backdoor}.
+@end quotation
+
+@code{ssh_min_num_pkts : count}
+@quotation
+The minimum number of packets that look like SSH packets that allow a
+stream to be classified as such.
+@end quotation
+
+@code{ssh_min_ssh_pkts_ratio : double}
+@quotation
+The minimum fraction of packets in a stream that look like SSH packets that allow a
+stream to be classified as such.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{telnet_sig_conns : table[conn_id] of count}
+@quotation
+The set of connections that are predicted to be Telnet connections,
+based on observation of the Telnet signature, the IAC byte (0xff).
+@end quotation
+
+@code{telnet_sig_3byte_conns : table[conn_id] of count}
+@quotation
+Similar to @code{telnet_sig_conns}, but the signature matched is a
+whole 3-byte Telnet command sequence.
+@end quotation
+
+@end table
+
+@node broinit,
+@subsection bro.init
+
+@table @samp
+
+@code{ignore_checksums : bool}
+@quotation
+If T (default = F), packet checksums are not verified.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{partial_connection_ok : bool}
+@quotation
+If T (the default), instantiate connection state when a partial connection
+(one missing its initial establishment negotiation) is seen.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{tcp_SYN_ack_ok : bool}
+@quotation
+If T (the default), instantiate connection state when a SYN ack is seen
+but not the initial SYN (even if partial_connection_ok is false).
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{tcp_match_undelivered : bool}
+@quotation
+If a connection state is removed there may still be some undelivered
+data waiting in the reassembler. If T (the default), pass this to the signature
+engine before flushing the state.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{tcp_SYN_timeout : interval}
+@quotation
+Check up on the result of an initial SYN after this much
+time. @emph{Fixme: What exactly does this mean? Check that the connection is active?}
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{tcp_session_timer : interval}
+@quotation
+After a connection has closed, wait this long for further activity
+before checking whether to time out its state.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{tcp_connection_linger : interval}
+@quotation
+When checking a closed connection for further activity, consider it
+inactive if there hasn't been any for this long.  Complain if the
+connection is reused before this much time has elapsed.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{tcp_attempt_delayv : interval}
+@quotation
+Wait this long upon seeing an initial SYN before timing out the
+connection attempt.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{tcp_close_delay : interval}
+@quotation
+Upon seeing a normal connection close, flush state after this much time.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{tcp_reset_delay : interval}
+@quotation
+Upon seeing a RST, flush state after this much time.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{tcp_partial_close_delay : interval}
+@quotation
+Generate a connection_partial_close event this much time after one half
+of a partial connection closes, assuming there has been no subsequent
+activity.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{non_analyzed_lifetime : interval}
+@quotation
+If a connection belongs to an application that we don't analyze,
+time it out after this interval.  If 0 secs, then don't time it out.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{inactivity_timeout : interval}
+@quotation
+If a connection is inactive, time it out after this interval.
+If 0 secs, then don't time it out.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{tcp_storm_thresh : count}
+@quotation
+This many FINs/RSTs in a row constitutes a "storm". See also @code{tcp_storm_interarrival_thresh}.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{tcp_storm_interarrival_thresh : interval}
+@quotation
+The FINs/RSTs must come with this much time or less between them to be
+considered a storm. See also @code{tcp_storm_thresh}.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{tcp_reassembler_ports_orig : set[port]}
+@quotation
+For services without a handler, these sets define which
+side of a connection is to be reassembled. @emph{Fixme: What is the point of this exactly? What are you analyzing?}
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{tcp_reassembler_ports_resp : set[port]}
+@quotation
+For services without a handler, these sets define which
+side of a connection is to be reassembled. @emph{Fixme: What is the point of this exactly? What are you analyzing?}
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{table_expire_interval : interval}
+@quotation
+Check for expired table entries after this amount of time @emph{Fixme: Which tables?}
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{dns_session_timeout : interval}
+@quotation
+Time to wait before timing out a DNS request.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{ntp_session_timeout : interval}
+@quotation
+Time to wait before timing out an NTP request.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{rpc_timeout : interval}
+@quotation
+Time to wait before timing out an RPC request.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{watchdog_interval : interval}
+@quotation
+A SIGALRM is set for this interval to make sure that Bro does not get
+caught up doing something for too long. @emph{Fixme: True?} If this happens,
+Bro is termination after doing a dump of all remaining packets.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{heartbeat_interval : interval}
+@quotation
+After each interval of this length, update the 
+variable.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{anonymize_ip_addr : bool}
+@quotation
+If true (default = false), then IP addresses are anonymized in notice
+and log generation.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{omit_rewrite_place_holder : bool}
+@quotation
+If true, omit place holder packets when rewriting. @emph{Fixme: Should this go somewhere else?}
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{rewriting_http_trace : bool}
+@quotation
+If true (default = F), HTTP traces are rewritten.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{rewriting_smtp_trace : bool}
+@quotation
+If true (default = F), SMTP traces are rewritten.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@end table
+
+@node code-redbro,
+@subsection code-red.bro
+
+@table @samp
+
+@code{code_red_log file}
+@quotation
+The file into which Code Red-related logs are written.
+@end quotation
+
+@code{code_red_list1 : table[addr] of count}
+@quotation
+A table which contains, for each IP address, how many Code Red I attacks
+were observed (based on a signature) by the machine at that address.
+@end quotation
+
+@code{code_red_list2 : table[addr] of count}
+@quotation
+A table which contains, for each IP address, how many Code Red II attacks
+were observed (based on a signature) by the machine at that address.
+@end quotation
+
+@code{local_code_red_response_pgm : string}
+@quotation
+By default, an empty string; if @code{&redef}ed, the specified program
+will be invoked with the attack source IP as the argument the first
+time an attack from that IP is observed.
+@end quotation
+
+@code{remote_code_red_response_pgm : string}
+@quotation
+By default, an empty string; if @code{&redef}ed, the specified program
+will be invoked with the attack destination IP as the argument the first
+time an attack on that IP is observed.
+@end quotation
+
+@end table
+
+@node connbro,
+@subsection conn.bro
+
+@table @samp
+
+@code{have_FTP : bool}
+@quotation
+If true, @code{ftp.bro} has been loaded.
+@end quotation
+
+@code{have_SMTP : bool}
+@quotation
+If true, @code{smtp.bro} has been loaded.
+@end quotation
+
+@code{have_stats : bool}
+@quotation
+True if  was ever updated with packet capture statistics.
+@end quotation
+
+@code{hot_conns_reported : set[string]}
+@quotation
+The set of connections (indexed by the entire 'hot' message) that have
+previously been flagged as @code{hot}.
+@end quotation
+
+@code{last_stat : net_stats}
+@quotation
+The last recorded snapshot of packet capture statistics, in a  record.
+@end quotation
+
+@code{last_stat_time : time}
+@quotation
+The last time that network statistics were read into .
+@end quotation
+
+@code{RPC_server_map : table[addr, port] of string}
+@quotation
+Maps a given port on a given server's address to an RPC service.
+If we haven't loaded @code{portmapper.bro}, then it will be empty; see
+@code{portmapper.bro} and the @code{portmapper} module documentation 
+for more information.
+@end quotation
+
+@end table
+
+@node demuxbro,
+@subsection demux.bro
+
+For more information on demultiplexing of connections, see the
+@ref{demux Analysis Script,demux Analysis Script}.
+
+@table @samp
+
+@code{demux_dir : string}
+@quotation
+The name of the directory which will contain the files with
+demultiplexed connection data.
+@end quotation
+
+@code{demuxed_conn : set[conn_id]}
+@quotation
+The set of connections that are currently being demultiplexed.
+@end quotation
+
+@end table
+
+@node dnsbro,
+@subsection dns.bro
+
+@table @samp
+
+@code{actually_rejected_PTR_anno : set[string]}
+@quotation
+Annotations that if returned for a PTR lookup actually indicate
+a rejected query; for example, "illegal-address.lbl.gov".
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{sensitive_lookup_hosts : set[addr]}
+@quotation
+Hosts in this set generate a notice when they are
+returned in PTR queries, unless the originating host is in @code{sensitive_lookup_hosts}. 
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{okay_to_lookup_sensitive_hosts : set[addr]}
+@quotation
+If the DNS request originator is in this set, then it is allowed to
+look up ``sensitive'' hosts (see also @code{sensitive_lookup_hosts})
+without causing a notice.
+@end quotation
+
+@code{dns_log : file}
+@quotation
+The file into which DNS-related logs are written.
+@end quotation
+
+@code{dns_sessions : table[addr, addr] of dns_session_info}
+@quotation
+A table of outstanding DNS sessions indexed by [client IP, server IP].
+@emph{Fixme:  Need to illustrate dns_sessions_info. }
+@end quotation
+
+@code{num_dns_sessions : count}
+@quotation
+The total number of entries that have ever been in the  table.
+@end quotation
+
+@code{distinct_PTR_requests : table[addr, string] of count}
+@quotation
+The number of DNS PTR requests observed with the given source address
+and request string.
+@end quotation
+
+@code{distinct_rejected_PTR_requests : table[addr] of count}
+@quotation
+How many DNS PTR requests from the given source address were
+rejected.  A report is generated if this number crosses a threshold,
+namely, @code{report_rejected_PTR_thresh}.
+@end quotation
+
+@code{distinct_answered_PTR_requests : table[addr] of count}
+@quotation
+How many DNS PTR requests from the given source address were rejected.
+@end quotation
+
+@code{report_rejected_PTR_thresh : count}
+@quotation
+If this many DNS requests from a host are rejected, generate a
+possible PTR scan event.
+@end quotation
+
+@code{report_rejected_PTR_factor : double}
+@quotation
+If DNS requests from a host are rejected more than accepted by this
+factor, generate a  event.
+@end quotation
+
+@code{allow_PTR_scans set[addr]}
+@quotation
+The set of hosts for which a @code{PTR_scan} event does not generate a report
+(that is, the scan is allowed).
+@end quotation
+
+@code{did_PTR_scan_event table[addr] of count}
+@quotation
+A table of hosts for which a  event has been generated.
+@end quotation
+
+@end table
+
+@node dns-mappingbro,
+@subsection dns-mapping.bro
+
+@table @samp
+
+@code{dns_interesting_changes}
+@quotation
+The set of DNS mapping changes (according to lookups by Bro itself)
+that is interesting enough to notice.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@end table
+
+@node fingerbro,
+@subsection finger.bro
+
+@table @samp
+
+@code{hot_names : set[string]}
+@quotation
+If a finger request for any of the names in this set is observed, the
+associated connection is marked ``hot''.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{max_finger_request_len : count}
+@quotation
+If a finger request is longer than this length, then it is marked as ``hot''.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{rewrite_finger_trace : bool}
+@quotation
+Indicates whether or not finger requests are rewritten for anonymity.
+@end quotation
+
+@end table
+
+@node ftpbro,
+@subsection ftp.bro
+
+@table @samp
+
+@code{ftp_log : file}
+@quotation
+The file into which FTP-related logs are written.
+@end quotation
+
+@code{ftp_sessions : table[conn_id] of ftp_session_info}
+
+@code{ftp_guest_ids : set[string]}
+@quotation
+The set of login IDs which are guest logins, e.g., ``anonymous'' and
+``ftp''.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{ftp_skip_hot : set[addr, addr, string]}
+@quotation
+Indexed by source and destination addresses and the id, these
+connections are not marked as ``hot'' even if its data would to cause
+it to be otherwise.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{ftp_hot_files : pattern}
+@quotation
+If a filename matching this pattern is requested, the @code{ftp_sensitive_files}
+ event is generated. The default behavior is to alarm the connection.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{ftp_hot_guest_files : pattern}
+@quotation
+If a user is logged in under a guest ID and attempts to retrieve a
+file matching this pattern,  the
+@code{ftp_sensitive} event is generated. The default
+behavior is to alarm the connection.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{ftp_hot_cmds : table[string] of pattern}
+@quotation
+If an FTP command matches an index into the table and its argument
+matches the associated pattern, the connection is alarmed.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{skip_unexpected : set[addr]}
+@quotation
+Pairs of IP addresses for which we shouldn't bother logging if one
+of them is used in lieu of the other in a PORT or PASV directive.
+@end quotation
+
+@code{skip_unexpected_net : set[addr]}
+@quotation
+Similar to @code{skip_unexpected}, but matches a /24 subnet.
+@end quotation
+
+@code{ftp_data_expected : table[addr, port] of addr}
+@quotation
+Indexed by the server's responder pair, yields the address expected to make an
+FTP data connection to it.
+@end quotation
+
+@code{ftp_data_expected_session : table[addr, port] of ftp_session_info}
+@quotation
+Indexed by the server's responder pair, yields the associated
+@code{ftp_session_info} record for the expected incoming FTP data
+connection.
+@end quotation
+
+@code{ftp_excessive_filename_len : count}
+@quotation
+If an FTP request filename meets or exceeds this length, an
+@code{FTP_ExcessiveFilename} notice is generated.
+@end quotation
+
+@code{ftp_excessive_filename_trunc_len : count}
+@quotation
+How much of the excessively long filename is printed in the notice message.
+@end quotation
+
+@code{ftp_ignore_invalid_PORT : pattern} 
+@quotation
+Invalid PORT/PASV directives that exactly match this pattern don't
+generate notices.
+@end quotation
+
+@code{ftp_ignore_privileged_PASVs : set[port]}
+@quotation
+If an FTP PASV port is specified to be a privileged port (< 1024/tcp)
+then an @code{FTP_PrivPort} event is generated, EXCEPT if the port is
+in this set.
+@end quotation
+
+@end table
+
+@node hotbro,
+@subsection hot.bro
+
+@table @samp
+
+@code{same_local_net_is_spoof : bool}
+@quotation
+If true (default = F), it should be considered a spoofing attack if a connection has
+the same local net for source and destination.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{allow_spoof_services : set[port]}
+@quotation
+The services in this set are not counted as spoofed even if they pass
+the test from @code{same_local_net_is_spoof}.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{allow_pairs : set[addr, addr]}
+@quotation
+Connections between these (source address, destination address) pairs
+are never marked as ``hot''.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{allow_16_net_pairs : set[addr, addr]}
+@quotation
+Connections between these (/16 network, /32 destination host) pairs
+are never marked as ``hot''.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{hot_srcs : table[addr] of string}
+@quotation
+Connections from any of these sources are automatically marked ``hot''
+with the associated message in the table.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{hot_dsts : table[addr] of string}
+@quotation
+Connections to any of these destinations are automatically marked ``hot''
+with the associated message in the table.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{hot_src_24nets : table[addr] of string}
+@quotation
+Connections from any of these source /24 nets are automatically marked ``hot''
+with the associated message in the table.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{hot_dst_24nets : table[addr] of string}
+@quotation
+Connections to any of these destination /24 nets are automatically marked ``hot''
+with the associated message in the table.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{allow_services : set[port]}
+@quotation
+Connections to this set of services are never marked ``hot'' (based on port
+number).
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{allow_services_to : set[addr, port]}
+@quotation
+Connections to the specified host and port are never marked ``hot''.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{allow_service_pairs : set[addr, addr, port]}
+@quotation
+Connections from the first address to the second on the specified
+destination port are never marked ``hot''.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{flag_successful_service : table[port] of string}
+@quotation
+Successful connections to any of the specified ports are flagged with
+the accompanying message. Examples are popular backdoor ports.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{flag_successful_inbound_service : table[port] of string}
+@quotation
+Incoming connections to the specified ports are flagged with the
+accompanying message. This is similar to
+, but may be used when the port gives
+to many false positives for outgoing connections.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{terminate_successful_inbound_service : table[port] of string}
+@quotation
+Connections to this port, if previously flagged by @code{flag_successful_service}
+ or @code{flag_incoming_service} are terminated.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{flag_rejected_service : table[port] of string}
+@quotation
+Failed connection attempts to the specified ports are marked as ``hot''.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@end table
+
+@node hot-idsbro,
+@subsection hot-ids.bro
+
+@table @samp
+
+@code{forbidden_ids : set[string]}
+@quotation
+If any of these usernames/login IDs are used, the corresponding
+connection is terminated.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{forbidden_ids_if_no_password : set[string]}
+@quotation
+If any of these usernames/login IDs are used with no password, the corresponding
+connection is terminated.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{forbidden_id_patterns : pattern}
+@quotation
+If a username/login ID matches this pattern, the corresponding
+connection is terminated.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{always_hot_ids : set[string]}
+@quotation
+Connections that attempt to login with these IDs are always marked
+``hot'', whether or not they succeed. See also @code{hot_ids}.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{hot_ids : set[string]}
+@quotation
+Similar to , except that only successful connections are marked ``hot''.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@end table
+
+@node httpbro,
+@subsection http.bro
+
+@table @samp
+
+@code{http_log : file}
+@quotation
+The file into which HTTP-related logs are written.
+@end quotation
+
+@code{http_sessions : table[addr, addr] of http_session_info}
+@quotation
+A [source, destination] indexed table of @code{http_session_info} records.
+@end quotation
+
+@code{include_HTTP_abstract : bool}
+@quotation
+Currently used to indicate whether or not an abstract of the HTTP
+request data will be included in a rewritten connection.
+@end quotation
+
+@code{log_HTTP_data : bool}
+@quotation
+If true, an abstract of the HTTP request data is included in a log message.
+@end quotation
+
+@code{maintain_http_sessions : bool}
+@quotation
+If true, HTTP sessions are maintained across multiple connections,
+otherwise we not (which saves some memory).
+@end quotation
+
+@code{process_HTTP_replies : bool}
+@quotation
+If true, HTTP replies (not just requests) are processed.
+@end quotation
+
+@code{process_HTTP_data : bool}
+@quotation
+If true, HTTP data is examined as needed (e.g., for making HTTP abstracts,
+as discussed below).
+@end quotation
+
+@end table
+
+@node http-abstractbro,
+@subsection http-abstract.bro
+
+@table @samp
+
+@code{http_abstract_max_length : count}
+@quotation
+The maximum number of bytes used to store an abstract for an HTTP connection.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@end table
+
+@node http-requestbro,
+@subsection http-request.bro
+
+@table @samp
+
+@code{skip_remote_sensitive_URIs : pattern}
+@quotation
+URIs matching this pattern should not be considered sensitive if accessed 
+remotely, i.e., by a local client.
+@end quotation
+
+@code{have_skip_remote_sensitive_URIs : bool}
+@quotation
+Due to a quirk in Bro, this must be redef'ed to T if you want to use
+@code{skip_remote_sensitive_URIs}.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{sensitive_URIs : pattern}
+@quotation
+URIs matching this pattern, but not matching @code{worm_URIs}, are
+noticed. See also @code{skip_remote_sensitive_URIs} and @code{sensitive_post_URIs}.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{worm_URIs : pattern}
+@quotation
+URIs matching this pattern are not noticed even if they match
+@code{sensitive_URIs}, since worms are so common they would clutter
+the logs.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{sensitive_post_URIs : pattern}
+@quotation
+URIs matching this pattern are noticed if they are used with the HTTP
+``POST'' method (rather than ``GET''). 
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@end table
+
+@node icmpbro,
+@subsection icmp.bro
+
+@table @samp
+
+@code{icmp_flows : table[icmp_flow_id] of icmp_flow_info}
+@quotation
+A table tracking all ICMP ``flows'' by @code{icmp_flow_info}.
+``Flows'', which are simply inferred related
+sequences of packets between two machines, based on ICMP ID, are timed
+out after (currently) 30 seconds of inactivity.
+@end quotation
+
+@end table
+
+@node identbro,
+@subsection ident.bro
+
+@table @samp
+
+@code{hot_ident_ids : set[string]}
+@quotation
+If any of the User IDs in this set are returned in an @code{ident}
+response, an @emph{IdentSensitiveID} notice is generated.
+@end quotation
+
+@code{hot_ident_exceptions : set[string]}
+@quotation
+Exceptions to the @code{hot_ident_ids} set.
+@end quotation
+
+@code{public_ident_user_ids : set[string]}
+@quotation
+User IDs in this set are described as ``public'' in a rewritten  @code{ident}
+trace.
+@end quotation
+
+@code{public_ident_systems : set[string]}
+@quotation
+Operating system names in this set (e.g., ``UNIX'') are reported
+directly in a rewritten @code{ident} trace; other OSes will be reported
+as ``OTHER''.
+@end quotation
+
+@code{rewrite_ident_trace : bool}
+@quotation
+If true, traces will be rewritten (partially anonymized).
+@end quotation
+
+@end table
+
+@node interconnbro,
+@subsection interconn.bro
+
+@table @samp
+
+@code{interconn_conns : table [conn_id] of conn_info}
+@quotation
+A @code{conn_id}-indexed table of all currently-tracked interactive
+connections. The table entries are  records
+containing some very basic information about the connection.
+@end quotation
+
+@code{interconn_log : file}
+@quotation
+The file into which generic interactive-connection-related logs are written.
+@end quotation
+
+@code{interconn_min_interarrival : interval}
+@quotation
+Used in computing the ``alpha'' parameter, which is used to determine
+which connections are interactive, based on the distribution of
+interarrival times. See also @code{interconn_max_interarrival}.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{interconn_max_interarrival : interval}
+@quotation
+Used in computing the ``alpha'' parameter, which is used to determine
+which connections are interactive, based on the distribution of
+interarrival times. See also @code{interconn_max_interarrival}.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{interconn_max_keystroke_pkt_size : count}
+@quotation
+The maximum packet size used to classify keystroke-containing packets.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{interconn_default_pkt_size : count}
+@quotation
+The estimated packet size used to calculate the number of packets
+missed when we see an ack above a hole. @emph{Fixme: Please verify.}
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{interconn_stat_period : interval}
+@quotation
+How often to generate a report of interconn stats.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{interconn_stat_backoff : double}
+@quotation
+@emph{Fixme: I don't fully understand is_expire in timers.} The stat report
+generation interval (@code{interconn_stat_period}) is increased by this factor each time the report
+is generated [unless the report is generated because all timers are
+artificially expired].
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{interconn_min_num_pkts : count}
+@quotation
+A connection must have this number of packets transferred before it
+may be classified as interactive.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{interconn_min_duration : interval}
+@quotation
+A connection must last least this long before it may be classified as interactive.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{interconn_ssh_len_disabled : bool} 
+@quotation
+If false (default = T), and at least one side of the connection has
+partial state (the initial negotiation was missed), then packets are
+examined to see if they fit the size distribution associated with
+interactive SSH connections.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{interconn_min_ssh_pkts_ratio : double}
+@quotation
+Analogous to @code{ssh_min_ssh_pkts_ratio}, except used in the
+context described in @code{interconn_ssh_len_disabled}.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{interconn_min_bytes : count}
+@quotation
+The number of bytes transferred on a connection must be at least this high before the
+connection may be classified as interactive.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{interconn_min_7bit_ascii_ratio : double}
+@quotation
+The ratio of 7-bit ASCII characters to total bytes must be at least
+this high before the connection may be classified as interactive.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{interconn_min_num_lines : count}
+@quotation
+The number of lines transferred on a connection must be at least
+this high before the connection may be classified as interactive.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{interconn_min_normal_line_ratio : double}
+@quotation
+The ratio of ``normal'' lines to total lines must be at least
+this high before the connection may be classified as interactive. A
+normal line, roughly speaking, is one whose length is within a certain
+bound. @emph{Fixme: Please verify this.}
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{interconn_min_alpha : double}
+@quotation
+The ``alpha'' parameter computed on connection must be at least
+this high before the connection may be classified as interactive. This
+parameter measures certain properties of packet interarrival
+times. See @code{interconn}.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{interconn_min_gamma : double}
+@quotation
+The ``gamma'' parameter computed on connection must be at least
+this high before the connection may be classified as interactive. 
+@end quotation
+
+@code{interconn_standard_ports : set[port]}
+@quotation
+Connections to or from these ports are marked as interactive
+automatically, unless @code{interconn_standard_ports} is set
+to true.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{interconn_ignore_standard_ports : bool}
+@quotation
+If true (default = F), then all connections are analyzed for
+interactive patterns, regardless of port. See @code{interconn_standard_ports}.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{interconn_demux_disabled : bool}
+@quotation
+If false (default = T), then interactive connections are demuxed
+when being logged.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@end table
+
+@node ircbro,
+@subsection irc.bro
+
+@table @samp
+
+@code{IRC::log_file: file}
+@quotation
+Where to log IRC sessions.
+@end quotation
+
+@code{hot_words}
+@quotation
+List of regular expressions that generate notices if found in session dialog.
+@end quotation
+
+@code{ignore_in_other_msgs: set[string]}
+@quotation
+Commands to ignore in generating events for unknown commands.
+@end quotation
+
+@code{ignore_in_other_responses: set[string]}
+@quotation
+Return codes to ignore in generating events for unknown return codes.
+@end quotation
+
+@end table
+
+These variables contain information about the users and channels
+identified by Bro:
+
+@table @samp
+
+@code{irc_users: table[string] of irc_user}
+@quotation
+All identified IRC users, indexed by IRC nick.
+@end quotation
+
+@code{irc_channels: table[string] of irc_channel}
+@quotation
+All identified IRC channels, indexed by IRC channel name.
+@end quotation
+
+@end table
+
+@node loginbro,
+@subsection login.bro
+
+@table @samp
+
+@code{input_trouble : pattern}
+@quotation
+If a user's keystroke input matches this pattern, then a notice is generated.
+@end quotation
+
+@code{edited_input_trouble : pattern}
+@quotation
+If a user's keystroke input matches this pattern, taking into account
+backspace and delete characters, then a notice is generated.
+@end quotation
+
+@code{full_input_trouble : pattern}
+@quotation
+If this pattern is matched in a full line of input, a notice is generated.
+@end quotation
+
+@code{input_wait_for_output : pattern}
+@quotation
+The same as @code{edited_input_trouble}, except that the notice is
+delayed until the corresponding output is seen, so that both may be
+logged together.
+@end quotation
+
+@code{output_trouble : pattern}
+@quotation
+If the login output matches this pattern, a notice is generated.
+@end quotation
+
+@code{full_output_trouble : pattern}
+@quotation
+Similar to @code{output_trouble}, but the pattern must match the
+entire output.
+@end quotation
+
+@code{backdoor_prompts : pattern} 
+@quotation
+If the login output matches this text, but not
+@code{non_backdoor_prompts}, generate a possible-backdoor notice.
+@end quotation
+
+@code{non_backdoor_prompts : pattern}
+@quotation
+See @code{backdoor_prompts}.
+@end quotation
+
+@code{hot_terminal_types : pattern} 
+@quotation
+If the terminal type used matches this pattern, generate a notice.
+@end quotation
+
+@code{hot_telnet_orig_ports : set[port]}
+@quotation
+If the source port of a telnet connection is in this set, generate a notice.
+@end quotation
+
+@code{skip_authentication : set[string] }
+@quotation
+If a string in this set appears where an authentication prompt would
+normally, skip processing of authentication (typically for an
+unauthenticated system). @emph{Fixme: Please verify.}
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{login_prompts : set[string]}
+@quotation
+The set of strings that are recognized as login prompts anywhere on a line, e.g.,
+``Login:''.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{login_failure_msgs : set[string]}
+@quotation
+If any of these strings appear on a line following an authentication
+attempt, the attempt is considered to have failed, unless a string
+from @code{login_non_failure_msgs} also appears on the line. This
+set has higher precedence than @code{login_success_msgs}, and the
+same precedence as @code{login_timeouts}.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{login_non_failure_msgs : set[string]}
+@quotation
+If any of these strings appear on a line following an authentication
+attempt, the connection is not considered to have failed even if
+@code{login_failure_msgs} indicates otherwise.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{login_success_msgs : set[string]}
+@quotation
+If any of these messages is seen, the connection attempt is assumed to
+have succeeded. This set has lower precedence than @code{login_failure_msgs}
+and @code{login_timeouts} .
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{login_timeouts : set[string]}
+@quotation
+If any of these messages is seen during the login phase, the
+connection attempt is assumed to have timed out. This
+set has higher precedence than @code{login_success_msgs}, and the
+same precedence as @code{login_failure_msgs}.
+@end quotation
+
+@code{router_prompts : pattern}
+@quotation
+@emph{Fixme: Don't know what this is}
+@end quotation
+
+@code{non_ASCII_hosts : set[addr]} 
+@quotation
+The set of hosts that do not use ASCII (and to whom logins are thus
+not processed).
+@end quotation
+
+@code{skip_logins_to : set[addr]}
+@quotation
+Do not process logins to this set of hosts.
+@end quotation
+
+@code{always_hot_login_ids : pattern}
+@quotation
+Login names which generate a notice even if the login is not successful.
+@end quotation
+
+@code{hot_login_ids : pattern}
+@quotation
+Login names which generate a notice, if the login is successful.
+@end quotation
+
+@code{rlogin_id_okay_if_no_password_exposed : set[string]}
+@quotation
+Login names in this set are those which are normally considered
+sensitive, but are allowed if the associated password is not exposed.
+@end quotation
+
+@code{login_sessions : table[conn_id] of login_session_info}
+@quotation
+A table, indexed by connection ID, of @code{login_session_info}
+records, characterizing each login session.
+@end quotation
+
+@end table
+
+@node mimebro,
+@subsection mime.bro
+
+@table @samp
+
+@code{mime_log : file}
+@quotation
+MIME message-related logs are written to this file.
+@end quotation
+
+@code{mime_sessions : table[conn_id] of mime_session_info}
+@quotation
+A table, indexed by connection ID, of @code{mime_session_info}
+records, characterizing each MIME session.
+@end quotation
+
+@code{check_relay_3 function(session: mime_session_info, msg_id: string): bool}
+@quotation
+@emph{Fixme: Don't know about this}
+@end quotation
+
+@code{check_relay_4 function(session: mime_session_info, content_hash: string): bool}
+@quotation
+@emph{Fixme: Don't know about this}
+@end quotation
+
+@end table
+
+@node noticebro,
+@subsection notice.bro
+
+@table @samp
+@code{notice_action_filters : table[Notice] of function(n: notice_info: NoticeAction}
+@vindex notice_action_filters
+@quotation
+A table that maps each @code{notice} into a function that should be
+called to determine the action.
+@end quotation
+
+@code{notice_file : file}
+@vindex notice_file 
+@quotation
+The file into which notices are written.
+@end quotation
+
+@end table
+
+@node ntpbro,
+@subsection ntp.bro
+
+@table @samp
+
+@code{excessive_ntp_request : count}
+@quotation
+NTP requests over this length are considered ``excessive'' and will be
+flagged (marked ``hot'').
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{allow_excessive_ntp_requests : set[addr]}
+@quotation
+NTP requests from an address in this set are never considered
+excessively long (see @code{excessive_ntp_request}).
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@end table
+
+@node pop3bro,
+@subsection pop3.bro
+@table @samp
+@item @code{pop_connections: table[conn_id] of pop3_session_info}
+This table contains all active POP3-sessions indexed by their Connection IDs.
+Deleted as soon as the TCP Connection terminates or expires.
+@item @code{pop_connection_weirds: table[addr] of count &default=0 &create_expire = 5 mins}
+This table contains all the POP3-session originators for which unexpected
+behavior was recorded.
+@item @code{error_threshold: count = 3}
+A threshold for the maximum of negative status indicators per originator
+received by a server.
+@item @code{ignore_commands: set[string] }
+Set of commands that will be ignored while generating the log file. 
+@end table
+
+@node port-namesbro,
+@subsection port-names.bro
+
+@table @samp
+
+@code{port_names : table[port] of string}
+@quotation
+A mapping of well-known port numbers to the associated service names.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@end table
+
+@node portmapperbro,
+@subsection portmapper.bro
+
+@table @samp
+
+@code{rpc_programs : table[count] of string}
+@quotation
+A table correlating numeric RPC service IDs to string names of
+the services, e.g., @code{[1000000] = ``portmapper''}.
+@end quotation
+
+@code{NFS_services : set[string]}
+@quotation
+A set of string names of NFS-related RPC services.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{RPC_okay : set[addr, addr, string]}
+@quotation
+Indexed by the host providing the service, the host requesting it,
+and the service; do not notice Sun portmapper requests from the specified
+requester to the specified provider for the specified service.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{RPC_okay_nets : set[net]}
+@quotation
+Hosts in any of the networks in this set may make portmapper requests without
+being flagged.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{RPC_okay_services : set[string]}
+@quotation
+Requests for services in this set will not be flagged.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{NFS_world_servers : set[addr]}
+@quotation
+Any host may request NFS services from any of the machines in this set
+without being flagged..
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{any_RPC_okay : set[addr, string]}
+@quotation
+Indexed by the service provider and the service (in string form); any
+host may access these services without being flagged.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{RPC_dump_okay : set[addr, addr]}
+@quotation
+Indexed by requesting host and providing host, respectively; dumps of
+RPC portmaps are allowed between these pairs.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{RPC_do_not_complain : set[string, bool]} 
+@quotation
+Indexed by the portmapper request and a boolean that's T if the
+request was answered, F it was attempted but not answered.  If there's
+an entry in the set matching the current request/attempt, then the
+access won't be noticed (unless the connection is hot for some other
+reason).
+@end quotation
+
+@code{suppress_pm_log : set[addr, string]}
+@quotation
+Indexed by source and portmapper service.  If set, we already noticed
+and shouldn't do so again. @emph{Fixme: Presumably this can be preloaded 
+with stuff, or we wouldn't need to document it.}
+@end quotation
+
+@end table
+
+@node scanbro,
+@subsection scan.bro
+
+@table @samp
+
+@code{suppress_scan_checks : bool}
+@quotation
+If true, we suppress scan checking (we still do account-tried accounting).
+This is provided because scan checking can consume a lot of memory.
+@end quotation
+
+@code{report_peer_scan : set[count]}
+@quotation
+When the number of distinct machines connected to by a given external host reaches
+each of the levels in the set, a notice is generated.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{report_outbound_peer_scan : set[count]}
+@quotation
+When the number of distinct machines connected to by a given internal host reaches
+each of the levels in the set, a notice is generated.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{num_distinct_peers : table[addr] of count}
+@quotation
+A table indexed by a host's address which indicates how many distinct
+machines that host has connected to.
+@end quotation
+
+@code{distinct_peers : set[addr,addr]}
+@quotation
+A table indexed by source host and target machine that tracks which
+machines have been scanned by each host.
+@end quotation
+
+@code{num_distinct_ports : table[addr] of count}
+@quotation
+A table indexed by a host's address which indicates how many distinct
+ports that host has connected to.
+@end quotation
+
+@code{distinct_ports : set[addr, port]}
+@quotation
+A table indexed by source host and target port that tracks which
+ports have been scanned by each host.
+@end quotation
+
+@code{report_port_scan : set[count]}
+@quotation
+When the number of distinct ports connected to by a given external host reaches
+each of the levels in the set, a notice is generated.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{possible_port_scan_thresh : count}
+@quotation
+If a host tries to connect to more than this number of ports, it is
+considered a possible scanner.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{possible_scan_sources : set[addr]}
+@quotation
+Hosts are put in this set once they have scanned more than ports.
+@end quotation
+
+@code{num_scan_triples : table[addr, addr] of count}
+@quotation
+Indexed by source address and destination address, the number of
+services scanned for on the latter by the former. This is only tracked
+for @code{possible_scan_sources}.
+@end quotation
+
+@code{scan_triples : set[addr, addr, port]}
+@quotation
+For @code{possible_scan_sources} as a source address, the triples
+of (source address, destination address, and service/port) scanned.
+@end quotation
+
+@code{accounts_tried : set[addr, string, string]}
+@quotation
+Which account names were tried, indexed by source address, user name
+tried, password tried.
+@end quotation
+
+@code{num_accounts_tried : table[addr] of count}
+@quotation
+How many accounts, as defined by a (user name, password) pair, were
+tried by the host with the given address.
+@end quotation
+
+@code{report_accounts_tried : set[count]}
+@quotation
+When the number of distinct accounts (username, password) tried by a
+given external host reaches each of the levels in the set, a notice is
+generated.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{report_remote_accounts_tried : set[count]}
+@quotation
+When the number of distinct remote accounts (username, password) tried by a
+given internal host reaches each of the levels in the set, a notice is
+generated.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{skip_accounts_tried : set[addr]}
+@quotation
+Hosts in this set are not subject to notices based on
+@code{report_accounts_tried} and @code{report_remote_accounts_tried}.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{addl_web : set[port]}
+@quotation
+Ports in this set are treated as HTTP services.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{skip_services : set[port]}
+@quotation
+Connections to ports in this set are ignored for the purposes of scan detection.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{skip_outbound_services : set[port]}
+@quotation
+Connections to external machines on ports in this set are ignored for
+the purposes of scan detection.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{skip_scan_sources : set[addr]}
+@quotation
+Hosts in this set are ignored as possible sources of scans.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{skip_scan_nets_16 : set[addr,port]}
+@quotation
+Connections matching the specified (source host /16 subnet, port) pairs
+are ignored for the purpose of scan detection.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{skip_scan_nets_24 : set[addr,port]}
+@quotation
+Connections matching the specified (source host /24 subnet, port) pairs
+are ignored for the purpose of scan detection.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{backscatter_ports : set[port]}
+@quotation
+Reverse (SYN-ack) scans seen from these ports are considered to reflect
+possible SYN flooding backscatter and not true (stealth) scans.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{num_backscatter_peers : table[addr] of count}
+@quotation
+Indexed by a host, how many other hosts it connected to with a possible backscatter
+signature.
+@end quotation
+
+@code{distinct_backscatter_peers :  table[addr, addr] of count}
+@quotation
+A table of [source, destination] observed backscatter activity; the
+table entry is a count of backscatter packets from the source to the destination.
+@end quotation
+
+@code{report_backscatter : set[count]}
+@quotation
+When the number of machines that a host has sent backscatter packets
+to reaches each of the levels in the set, a notice is generated.
+
+@emph{Fixme: Need to document connection-dropping related variables.}
+@example
+global can_drop_connectivity = F &redef;
+global drop_connectivity_script = "drop-connectivity" &redef;
+global connectivity_dropped set[addr];
+const shut_down_scans: set[port] &redef;
+const shut_down_all_scans = F &redef;
+const shut_down_thresh = 100 &redef;
+never_shut_down set[addr]
+never_drop_nets set[net]
+never_drop_16_nets set[net]
+did_drop_address table[addr] of count
+@end example
+@end quotation
+
+@code{root_servers : set[host]}
+@findex root_servers 
+@quotation
+The set of root DNS servers.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{gtld_servers : set[host]}
+@quotation
+The set of Generic Top-Level Domain servers (.com, .net, .org, etc.).
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@end table
+
+@node signaturesbro,
+@subsection signatures.bro
+
+@table @samp
+
+@code{horiz_scan_thresholds : set[count]}
+@quotation
+Notice if for a pair (orig, signature) the number of different responders has
+reached one of the thresholds in this set.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{vert_scan_thresholds : set[count]}
+@quotation
+Notice if for a pair (orig, resp) the number of different signature matches has
+reached one of the thresholds in this set.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@end table
+
+@node sitebro,
+@subsection site.bro
+
+@table @samp
+
+@code{local_nets : set[net]}
+@quotation
+Class A/B/C networks that are considered ``local''.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{local_16_nets : set[addr]}
+@quotation
+/16 address blocks that are considered ``local''. These are derived
+directly from @code{local_nets} . @emph{Fixme: Please verify this}.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{local_24_nets : set[addr]}
+@quotation
+/24 address blocks that are considered ``local''. These are derived
+directly from  @code{local_nets}. @emph{Fixme: Please verify this}.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{neighbor_nets : set[net]}
+@quotation
+Class A/B/C networks that are considered ``neighbors''. Note that
+unlike for local_nets, @code{local_16_nets} is @emph{not}
+merely a /16 addr version of neighbor_nets, but instead is consulted
+@emph{in addition} to neighbor_nets.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{neighbor_16_nets : set[addr]}
+@quotation
+/16 address blocks that are considered ``neighbors''. Note that
+unlike for local_nets, neighbor_16_nets is @emph{not}
+merely a /16 addr version of @code{neighbor_nets}, but instead is consulted
+@emph{in addition} to @code{neighbor_nets}.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@end table
+
+@node smtpbro,
+@subsection smtp.bro
+
+@table @samp
+
+@code{local_mail_addr : pattern}
+@quotation
+Email addresses matching this pattern are considered to be local. This
+is used to detect relaying.
+@end quotation
+
+@code{smtp_log : file}
+@quotation
+The file into which SMTP-related notices are written.
+@end quotation
+
+@code{smtp_sessions : table[conn_id] of smtp_session_info}
+@quotation
+A table of @code{smtp_session_info} records tracking SMTP-related
+state for a given connection.
+@end quotation
+
+@code{process_smtp_relay : bool}
+@quotation
+If true (default = F), processing is done to check for mail relaying.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+
+@example
+type smtp_session_info: record @{
+	id: count;
+	connection_id: conn_id;
+	external_orig: bool;
+	in_data: bool;
+	num_cmds: count;
+	num_replies: count;
+	cmds: smtp_cmd_info_list;
+	in_header: bool;
+	keep_current_header: bool;	# a hack till MIME rewriter is ready
+	recipients: string;
+	subject: string;
+	content_hash: string;
+	num_lines_in_body: count;	# lines in RFC 822 body before MIME decoding
+	num_bytes_in_body: count;	# bytes in entity bodies after MIME decoding
+	content_gap: bool;		# whether there is content gap in conversation
+
+	relay_1_rcpt: string;	# external recipients
+	relay_2_from: count; 	# session id of same recipient
+	relay_2_to: count;
+	relay_3_from: count; 	# session id of same msg id
+	relay_3_to: count;
+	relay_4_from: count; 	# session id of same content hash
+	relay_4_to: count;
+@};
+@end example
+@end quotation
+
+@code{smtp_legal_cmds : set[string]}
+@quotation
+The set of allowed SMTP commands (not currently used). @emph{Fixme: Is it used somewhere?}
+@end quotation
+
+@code{smtp_hot_cmds : table[string] of pattern}
+@quotation
+If an SMTP command matching an index into the table has an argument
+matching the associated pattern, then the request and its reply are logged.
+@end quotation
+
+@code{smtp_sensitive_cmds : set[string]}
+@quotation
+If an SMTP command is in this set, the request and its reply are logged.
+@end quotation
+
+@end table
+
+@node smtp-relaybro,
+@subsection smtp-relay.bro
+
+@table @samp
+
+@code{relay_log : file}
+@quotation
+Logs related to email relaying go in this file.
+@end quotation
+
+@code{smtp_relay_table : table[count] of smtp_session_info}
+@quotation
+A table indexed by SMTP session ID (session$id) that keeps track of
+each session in an  record.
+@end quotation
+
+@code{smtp_session_by_recipient : table[string] of smtp_session_info}
+@quotation
+A table indexed by the recipient that holds the corresponding
+@code{smtp_session_info} record.
+@end quotation
+
+@code{smtp_session_by_message_id : table[string] of smtp_session_info}
+@quotation
+A table indexed by the email message ID that holds the corresponding
+@code{smtp_session_info} record.
+@end quotation
+
+@code{smtp_session_by_content_hash : table[string] of smtp_session_info}
+@quotation
+A table indexed by the MD5 hash of the message that holds the corresponding
+ record. @emph{Fixme: Currently unimplemented?}
+@end quotation
+
+@end table
+
+@node softwarebro,
+@subsection software.bro
+
+@table @samp
+
+@code{software_file : file}
+@quotation
+Logs related to host software detection go in this file.
+@end quotation
+
+@code{software_table : table[addr] of software_set}
+@quotation
+A table of the software running on each host. A
+@code{software_set} is itself a table, indexed by the name of the
+software, of @code{software} records.
+@end quotation
+
+@code{software_ident_by_major : set[string]}
+@quotation
+Software names in this set could be installed twice on the same
+machine with different major version numbers. Such software is
+identified as ``Software-N'' where N is the major version number, to
+disambiguate the two.
+@end quotation
+
+@end table
+
+@node sshbro,
+@subsection ssh.bro
+
+@table @samp
+
+@code{ssh_log : file}
+@quotation
+Logs related to ssh connections go in this file.
+@end quotation
+
+@code{did_ssh_version : table[addr, bool] of count}
+@quotation
+Indexed by host IP and (T for client, F for server), the table tracks
+if we have recorded the SSH version. Values of one and greater are
+essentially equivalent.
+@end quotation
+
+@end table
+
+@node steppingbro,
+@subsection stepping.bro
+
+@table @samp
+
+@code{step_log : file}
+@quotation
+Logs related to stepping-stone detection go in this file.
+@end quotation
+
+@code{display_pairs : table[addr, string] of connection}
+@quotation
+If <conn> was a login to <dst> propagating a $DISPLAY of <display>,
+then we make an entry of [<dst>, <display>] = <conn>.
+@end quotation
+
+@code{tag_to_conn_map : table[string] of connection}
+@quotation
+Maps login tags like "Last login ..." to connections.
+@end quotation
+
+@code{conn_tag_info : table[conn_id] of tag_info}
+@quotation
+A table, indexed by connection ID, of the @code{tag_info} related
+to it. Roughly, ``tag info'' consists of login strings like ``Last
+login'' and @code{$DISPLAY} variables. Since this information can stay
+constant across stepping stones, it is used to detect them.
+@end quotation
+
+@code{detected_stones : table[addr, port, addr, port, addr, port, addr, port] of count}
+@quotation
+Indexed by two pairs of connections: (addr,port)->(addr,port) and
+(addr,port)->(addr,port) that have been detected to be multiple links
+in a stepping stone chain. The table value is the ``score'' of the
+pair of connections; the higher the score, the more likely it is to be
+a real stepping stone pair. More points are assigned for a
+timing-based correlation than, say, a @code{$DISPLAY}-based correlation.
+@end quotation
+
+@code{did_stone_summary : table[addr, port, addr, port, addr, port, addr, port] of count}
+@quotation
+Basically tracks which suspected stepping stone connection pairs have had notices
+generated for them. See @code{detected_stones}  for the indexing scheme.
+@end quotation
+
+@code{stp_delta : interval}
+@quotation
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{stp_idle_min : interval}
+@quotation
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{stp_ratio_thresh : double}
+@quotation
+For timing correlations, the proportion of idle times that must match
+up for the correlation to be considered significant.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{stp_scale : double}
+@quotation
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{stp_common_host_thresh : count}
+@quotation
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{stp_random_pair_thresh : count}
+@quotation
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{stp_demux_disabled : count}
+@quotation
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{skip_clear_ssh_reports : set[addr, string]}
+@quotation
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@end table
+
+@node tftpbro,
+@subsection tftp.bro
+
+@table @samp
+
+@code{tftp_notice_count : table[addr] of count}
+@quotation
+Keeps track of the number of observed outbound TFTP connections from
+each host.
+@end quotation
+
+@end table
+
+@node udpbro,
+@subsection udp.bro
+
+@table @samp
+
+@code{udp_req_count : table[conn_id] of count}
+@quotation
+Keeps track of the number of UDP requests sent over each connection.
+@end quotation
+
+@code{udp_rep_count : table[conn_id] of count}
+@quotation
+@emph{Fixme: not really sure}
+@end quotation
+
+@code{udp_did_summary : table[conn_id] of count}
+@quotation
+Keeps track of which connections have been summarized/recorded
+@emph{Fixme: what is it really? do people use this?}
+@end quotation
+
+@end table
+
+@node weirdbro,
+@subsection weird.bro
+
+@table @samp
+
+@code{weird_log : file}
+@quotation
+Logs related to @code{weird}  (unexpected or inconsistent)
+traffic go in this file.
+@end quotation
+
+@code{weird_action : table[string] of WeirdAction}
+@quotation
+A table of what to do (a @code{WeirdAction} ) when faced with a
+particular ``weird'' scenario (the index). Example include logging to
+the special ``weird'' file or ignoring the condition.
+@end quotation
+
+@code{weird_action_filters : table[string] of function(c: connection): WeirdAction}
+@quotation
+If an entry exists in this table for a given weird situation, then the
+corresponding entry is used to determine what action to
+take; the default is to look in @code{weird_action}.
+@end quotation
+
+@code{weird_ignore_host : set[addr, string]}
+@quotation
+(host, weird condition) pairs in this set are ignored for the purposes
+of reporting.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@code{weird_do_not_ignore_repeats : set[string]}
+@quotation
+The included conditions are reported even if they are repeated.
+@* Note: This variable is @code{const}, so may only be changed via @code{redef}.
+@end quotation
+
+@end table
+
+@node wormbro,
+@subsection worm.bro
+
+@table @samp
+
+@code{worm_log : file}
+@quotation
+The file into which worm-detection-related logs are written.
+@end quotation
+
+@code{worm_list : table[addr] of count}
+@quotation
+A table of infected hosts, indexed by the infected hosts'
+addresses. The value is how many times the instance has been seen
+sending packets.
+@end quotation
+
+@code{worm_type_list : table[addr, string] of count}
+@quotation
+A table of infected hosts, indexed by host address and type of
+worm. The value is how many times that particular worm has been seen
+on the host.
+@end quotation
+
+@end table
+
+@node Uncategorized,
+@subsection Uncategorized
+
+@emph{Fixme:  These need categorization. }
+
+@table @samp
+
+@code{bro_alarm_file : file}
+@quotation
+Used to record the messages logged by @code{alarm} statements.
+
+@cindex stderr
+@cindex alarm file
+Default: @emph{stderr}, unless you @code{@@load} the @code{alarm} analyzer;
+see @code{bro_alarm_file}  for further discussion.
+@end quotation
+
+@code{capture_filters : table[string] of string}
+@quotation
+Specifies what packets Bro's filter should record.
+@end quotation
+
+@code{direct_login_prompts : set[string]}
+@quotation
+Strings that when seen in a login dialog indicate that
+the user will be directly logged in after entering their username,
+without requiring a password. 
+@end quotation
+
+@code{discarder_maxlen : int}
+@quotation
+The maximum amount of data that Bro should pass to a TCP or UDP
+@emph{discarder}.
+@*Default: 128 bytes.
+@end quotation
+
+@code{done_with_network : bool}
+@quotation
+Set to true when Bro is done reading from the network (or from
+the save files being played back, per @ref{Playing back traces,play-back}).  The variable is set by a
+handler for @code{net_done}.
+@*Default: initially set to false.
+@end quotation
+
+@cindex network interfaces
+@cindex analysis, on-line
+@cindex on-line analysis
+
+@code{interfaces : string}
+@quotation
+A blank-separated list of network interfaces from which Bro should
+read network traffic.  Bro merges packets from the interfaces according
+to their timestamps.  @emph{Deficiency: All interfaces @emph{must} have the same link layer type. }
+
+If empty, then Bro does not read any network traffic, unless one
+or more interfaces are specified using the -i flag.
+
+@emph{Note:}  @code{interfaces} has an @code{&add_func} that allows you to add interfaces 
+to the list simply using a @code{+=} initialization refinement.
+
+@*Default: empty.
+@end quotation
+
+@cindex timer expiration
+@cindex expiration, timer
+
+@code{max_timer_expires : count}
+@quotation
+Sets an upper limit on how many pending timers Bro will expire per newly arriving packet.  If set to 0, then Bro expires all
+pending timers whose time has come or past.  This variable trades off
+timer accuracy and memory requirements (because a number of Bro's internal
+timers relate to expiring state) with potentially bursty load spikes due
+to a lot of timers expiring at the same time, which can trigger the
+watchdog, if active.
+@end quotation
+
+@code{restrict_filter : string}
+@quotation
+Restricts what packets Bro's filter should record.
+@end quotation
+
+@end table
+
+@cindex predefined variables
+
+@node Predefined Functions,
+@section Predefined Functions
+
+Bro provides a number of built-in functions:
+
+@cindex predefined functions
+
+@table @samp
+@cindex connection: testing for existence
+
+@code{active_connection (id: conn_id) : bool}
+@findex active_connection 
+@quotation
+Returns true if the given connection identifier (originator/responder
+addresses and ports) corresponds to a currently-active connection.
+@end quotation
+
+@code{active_file (f: file): bool}
+@quotation
+Returns true if the given @code{file} is open.
+@end quotation
+
+@code{add_interface (iold: string, inew: string): string}
+@quotation
+Used to refine the initialization of @code{interfaces}.  Meant
+for internal use, and as an example of refinement.
+@end quotation
+
+@code{add_tcpdump_filter (fold: string, fnew: string): string}
+@quotation
+Used to refine the initializations of  @code{capture_filters}
+and  @code{restrict_filters}.  Meant for internal use, and as an
+example of refinement.
+@end quotation
+
+@cindex alarms, control of
+@cindex logging, control of
+@code{alarm_hook (msg: string): bool}
+@quotation
+If you define this function, then Bro will call it with each string
+it is about to log in an alarm.  The function should return true if Bro should
+go ahead with the alarm, false otherwise.  See 
+for further discussion and an example.
+@end quotation
+
+@cindex strings, length
+@cindex length, of strings
+@code{byte_len (s: string): count}
+@quotation
+Returns the number of bytes in the given string.  This includes
+any embedded NULs, and also a trailing NUL, if any (which is why the
+function isn't called @emph{strlen}; to remind the user that Bro strings
+can include NULs).
+@end quotation
+
+@cindex strings, concatenation
+@cindex concatenation of strings
+@code{cat (args: any): string}
+@quotation
+Returns the concatenation of the string representation of its arguments,
+which can be of any type.  For example, @code{cat("foo", 3, T)} returns
+@code{"foo3T"}.
+@end quotation
+
+@cindex strings, cleaned up
+
+@code{clean (s: string): string}
+@quotation
+Returns a cleaned up version of @code{s}, meaning that:
+@cindex NUL
+@cindex DEL
+@cindex delete character
+@quotation
+@itemize @bullet
+@item 
+embedded NULs become the text ``@code{\0}''
+
+@item 
+embedded DELs (delete characters) become the text ``@code{^?}''
+
+@item 
+ASCII ``control'' characters with code <= 26 become the
+text ``@code{^}@emph{Letter}'', where @emph{Letter} is
+the corresponding (upper case) control character; for example,
+ASCII 2 becomes ``@code{^B}''
+
+@item 
+ASCII ``control'' characters with codes between 26 and 32 (non-inclusive)
+become the text ``@code{\x}@emph{hex-code}''; for example,
+ASCII 31 becomes ``@code{\x1f}''
+
+@item 
+if the string does not yet have a trailing NUL, one is added.
+@end itemize
+@end quotation
+@end quotation
+
+@code{close (f: file): bool}
+@quotation
+Flushes any buffered output for the given file and closes it.
+Returns true if the file was open, false if already closed or
+never opened.
+@end quotation
+
+@code{connection_record (id: conn_id): connection}
+@quotation
+Returns the @code{connection} record corresponding to the non-existing connection id if not a known connection.
+@emph{Note: If the connection does not exist, then exits with a fatal run-time error. }
+
+@emph{Deficiency: If Bro had an exception mechanism, then we could avoid the fatal run-time error, and likewise could get rid of @code{active_connection} . }
+@end quotation
+
+@code{contains_string (big: string, little: string): bool}
+@quotation
+Returns true if the string @code{little} occurs somewhere within
+@code{big}, false otherwise.
+@end quotation
+
+@cindex time, clock
+@cindex clock time
+@code{current_time (): time}
+@quotation
+Returns the current clock time.  You will usually instead want to
+use @code{network_time}.
+@end quotation
+
+@code{discarder_check_icmp (i: ip_hdr, ih: icmp_hdr): bool}
+@quotation
+Not documented.
+@end quotation
+
+@code{discarder_check_ip (i: ip_hdr): bool}
+@quotation
+Not documented.
+@end quotation
+
+@code{discarder_check_tcp (i: ip_hdr, t: tcp_hdr, d: string): bool}
+@quotation
+Not documented.
+@end quotation
+
+@code{discarder_check_udp (i: ip_hdr, u: udp_hdr, d: string): bool}
+@quotation
+Not documented.
+@end quotation
+
+@cindex line editing
+@cindex editing
+@cindex backspace character
+@cindex DEL
+@cindex BS
+@code{edit (s: string, edit_char: string): string}
+@quotation
+Returns a version of @code{s} assuming that @code{edit_char} is the ``backspace''
+character (usually @code{"\x08"} for backspace or @code{"\x7f"} for DEL).
+For example, @code{edit("hello there", "e")} returns @code{"llo t"}.
+
+@code{edit_char} must be a string of exactly one character, or Bro generates
+a run-time error and uses the first character in the string.
+
+@emph{Deficiency: To do a proper job, edit should also know about delete-word and delete-line editing; and it would be very convenient if it could do multiple types of edits all in one shot, rather than requiring separate invocations. }
+@end quotation
+
+@code{exit (): int}
+@quotation
+Exits Bro with a status of 0.
+
+@emph{Deficiency: This function should probably allow you to specify the exit status. }
+
+@emph{Note: If you invoke this function, then the usual cleanup functions  
+@code{net_done} and @code{bro_done} are NOT invoked. 
+There probably should be an additional ``@code{shutdown}'' function that provides for cleaner termination.  }
+@end quotation
+
+@code{flush_all (): bool}
+@quotation
+Flushes all open files to disk.
+@end quotation
+
+@cindex formatting text
+@cindex text, formatting
+@cindex string, formatting
+@cindex width, of formatted strings
+@cindex precision, of formatted strings
+@cindex format, width
+@cindex format, precision
+
+@code{fmt (args: any): string}
+@quotation
+Performs @emph{sprintf}-style formatting.  The first argument gives
+the format specifier to which the remaining arguments are formatted,
+left-to-right.  As with @emph{sprintf}, the format for each argument
+is introduced using ``%'', and
+formats beginning with a positive integer @emph{m} specify
+that the given field should have a width of @emph{m} characters.  Fields
+with fewer characters are right-padded with blanks up to this width.
+
+A format specifier of ``@code{.$n}'' (coming after @code{m}, if present)
+instructs @code{fmt} to use a precision of @emph{n} digits.  You can
+only specify a precision for the @code{e}, @code{f} or @code{g}
+formats.
+(@code{fmt} generates a run-time error if either @emph{m} or @emph{n} exceeds 127.)
+
+The different format specifiers are:
+
+@table @samp
+
+@item %
+A literal percent-sign character.
+
+@item @code{D} 
+Format as a date.  Valid only for values of type @code{time}.
+
+The exact format is
+@emph{yy}--@emph{mm}--@emph{dd}--@emph{hh}:@emph{mm}:@emph{ss}
+for the local time zone, per @emph{strftime}.
+
+@cindex little endian
+@cindex big endian
+@cindex endian issues
+@cindex host order (vs. network order)
+@cindex network order (vs. host order)
+@cindex integers, network vs. host order
+
+@item @code{d} 
+Format as an integer.  Valid for types @code{bool},
+@code{count}, @code{int}, @code{ port}, @code{addr}, and @code{net},
+with the latter three being converted from network order to
+host order prior to formatting.  @code{bool} values of true format
+as the number 1, and false as 0.
+
+@item @code{e, f, g}
+Format as a floating point value.
+Valid for types @code{double}, @code{time}, and @code{interval}.
+The formatting is the same as for @emph{printf}, including
+the field width @emph{m} and precision @emph{n}.
+
+@end table
+
+Given no arguments, @code{fmt} returns an empty string.
+
+Given a non-string first argument, @code{fmt} returns the concatenation of
+all its arguments, per @code{cat}.
+
+Finally, given the wrong number of additional arguments for the given
+format specifier, @code{fmt} generates a run-time error.
+@end quotation
+
+@cindex authentication dialog
+@cindex state, of a Telnet/Rlogin session
+@cindex Telnet, session state
+@cindex Rlogin, session state
+@cindex login session, state
+
+@code{get_login_state (c: conn_id): count}
+@quotation
+Returns the state of the given login (Telnet or Rlogin) connection,
+one of:
+
+@table @samp
+
+@item @code{LOGIN_STATE_AUTHENTICATE}
+The connection is in its initial authentication dialog.
+
+@item @code{LOGIN_STATE_LOGGED_IN}
+The analyzer believes the user has successfully authenticated.
+
+@item @code{LOGIN_STATE_SKIP}
+The analyzer has skipped any further processing of the connection.
+
+@item @code{LOGIN_STATE_CONFUSED}
+The analyzer has concluded that it does not correctly know the
+state of the connection, and/or the username associated with it.
+
+@end table
+@end quotation
+
+@code{connection_id} is not a known login connection
+or a run-time error and a value of @code{LOGIN_STATE_AUTHENTICATE}
+if the connection is not a login connection.
+
+@cindex sequence numbers, connection originator
+@cindex connection, sequence numbers
+@code{get_orig_seq (c: conn_id): count}
+@quotation
+Returns the highest sequence number sent by a connection's originator,
+or 0 if there's no such TCP connection.  Sequence numbers are absolute
+(i.e., they reflect the values seen directly in packet headers; they are
+not relative to the beginning of the connection).
+@end quotation
+
+@cindex sequence numbers, connection responder
+@cindex connection, sequence numbers
+@code{get_resp_seq (c: conn_id): count}
+@quotation
+Returns the highest sequence number sent by a connection's responder,
+or 0 if there's no such TCP connection.
+@end quotation
+
+@cindex environment, accessing
+@code{getenv (var: string): string}
+@quotation
+Looks up the given environment variable and returns its value,
+or an empty string if it is not defined.
+@end quotation
+
+@cindex ports, TCP vs. UDP
+@cindex TCP vs. UDP ports
+@code{is_tcp_port (p: port): bool}
+@quotation
+Returns true if the given @code{port} value corresponds to a TCP port,
+false otherwise (i.e., it belongs to a UDP port).
+@end quotation
+
+@cindex length, of table or set
+@cindex size, of table or set
+@cindex number of elements, in table or set
+@cindex table size
+@cindex set size
+@code{length (args: any): count}
+@quotation
+Returns the number of elements in its argument, which must be of
+type @code{table} or @code{set}.  If not exactly one argument is
+specified, or if the argument is not a table or a set, then generates
+a run-time message and returns 0.
+
+@cindex union type, need for
+@cindex any type, replacing with union type
+
+@emph{Deficiency: If Bro had a union type, then we could get rid of the magic ``@code{args: any}'' specification and catch parameter 
+mismatches at compile-time instead of run-time. }
+@end quotation
+
+@cindex log file
+@cindex name, of log file
+@code{log_file_name (tag: string): string}
+@quotation
+Returns a name for a log file (such as @code{weird} or @code{conn} )
+in a standard form.  The form depends on whether $BRO_LOG_SUFFIX is set.
+If so, then the format is ``@code{<}@emph{tag}@code{>.<\$BRO_LOG_SUFFIX>}''.  Otherwise,
+it is simply @code{tag}.
+@end quotation
+
+@cindex masking
+@cindex address masking
+@cindex CIDR
+@cindex subnets
+@code{mask_addr (a: addr, top_bits_to_keep: count): addr}
+@quotation
+Returns the address @code{a} masked down to the number of upper bits
+indicated by @code{top_bits_to_keep}, which must be greater than 0 and
+less than 33.  For example, @code{mask_addr(1.2.3.4, 18)} returns
+@code{1.2.0.0}, and @code{mask_addr(1.2.255.4, 18)} returns
+@code{1.2.192.0}.
+
+Compare with @code{to_net}.
+@end quotation
+
+@cindex maximum
+@code{max_count (a: count, b: count): count}
+@quotation
+Returns the larger of @code{a} or @code{b}.
+@end quotation
+
+@code{max_double (a: double, b: double): double}
+@quotation
+Returns the larger of @code{a} or @code{b}.
+@end quotation
+
+@code{max_interval (a: interval, b: interval): interval}
+@quotation
+Returns the larger of @code{a} or @code{b}.
+
+@cindex polymorphic functions, need for
+@emph{Deficiency: If Bro supported polymorphic functions, then this function could be merged with its predecessors, gaining simplicity and clarity. }
+@end quotation
+
+@cindex minimum
+@code{min_count (a: count, b: count): count}
+@quotation
+Returns the smaller of @code{a} or @code{b}.
+@end quotation
+
+@code{min_double (a: double, b: double): double}
+@quotation
+Returns the smaller of @code{a} or @code{b}.
+@end quotation
+
+
+@code{min_interval (a: interval, b: interval): interval}
+@quotation
+Returns the smaller of @code{a} or @code{b}.
+
+@cindex polymorphic functions, need for
+@emph{Deficiency: If Bro supported polymorphic functions, then this function could be merged with its predecessors, gaining simplicity and clarity. }
+@end quotation
+
+@cindex directories, creating
+@cindex creating directories
+@code{mkdir (f: string): bool}
+@quotation
+Creates a directory with the given name, if it does not already exist.
+Returns true upon success, false (with a run-time message) if
+unsuccessful.
+@end quotation
+
+@cindex time, clock
+@cindex time, packet
+@cindex clock time
+@cindex packets, time
+@cindex scripting, general
+@cindex general scripting
+@code{network_time (): time}
+@quotation
+Returns the timestamp of the most recently read packet, whether read
+from a live network interface or from a save file.
+Compare against @code{current_time}.  In general, you should use
+@code{network_time} unless you're using Bro for non-networking uses
+(such as general scripting;
+not particularly recommended), because otherwise your script may
+behave very differently on live traffic versus played-back traffic
+from a save file.
+@end quotation
+
+@cindex files, opening
+@cindex opening a file
+@code{open (f: string): file}
+@quotation
+Opens the given filename for write access.  Creates the file if it
+does not already exist.  Generates a run-time error if the file
+cannot be opened/created.
+@end quotation
+
+@cindex files, appending
+@cindex files, opening
+@cindex appending to a file
+@cindex opening a file
+@code{open_for_append (f: string): file}
+@quotation
+Opens the given filename for append access.  Creates the file if it
+does not already exist.  Generates a run-time error if the file
+cannot be opened/created.
+@end quotation
+
+@code{open_log_file (tag: string): file}
+@quotation
+Opens a log file associated with the given tag, using a filename
+format as returned by .
+@end quotation
+
+@cindex record, ftp_port
+@code{parse_ftp_pasv (s: string): ftp_port}
+@quotation
+Parses the server's reply to an FTP @code{PASV} command to extract the
+IP address and port number indicated by the server.  The values
+are returned in an @code{ftp_port} record, which has three
+fields: @code{h}, the address (@emph{h} is mnemonic for @emph{host});
+@code{p}, the (TCP) port; and @code{valid}, a boolean that is true
+if the server's reply was in the required format, false if not,
+or if any of the individual values (or the indicated port number)
+are out of range.
+@end quotation
+
+@cindex record, ftp_port
+@code{parse_ftp_port (s: string): ftp_port}
+@quotation
+Parses the argument included in a client's FTP @code{PORT} request to
+extract the IP address and port number indicated by the server.  The values
+are returned in an @code{ftp_port}, which has three fields, as
+indicated in the discussion of @code{parse_ftp_pasv}.
+@end quotation
+
+
+@cindex live traffic
+@cindex recorded traffic
+@cindex traffic, live vs. recorded
+@cindex analysis, on-line
+@cindex on-line analysis
+@cindex analysis, off-line
+@cindex off-line analysis
+
+@code{reading_live_traffic (): bool}
+@quotation
+Returns true if Bro was invoked to read live network traffic (from
+one or more network interfaces, per ), false
+if it's reading from save files being played back .
+
+@emph{Note: This function returns true even after Bro has stopped reading network traffic, for example due to receiving a termination signal. }
+
+@end quotation
+
+@code{set_buf (f: file, buffered: bool)}
+@quotation
+Specifies that writing to the given file should either be fully
+buffered (if @code{buffered} is true), or line-buffered (if false).
+Does not return a value.
+@end quotation
+
+@code{set_contents_file (c: conn_id, direction: count, f: file): bool}
+@quotation
+Specifies that the traffic stream of the given connection in the given
+direction should be recorded to the given file.  @code{direction} is one of
+the values given in the table below.
+
+@float Table, Directions
+@multitable  @columnfractions .25 .6 
+@item @strong{Direction} @tab @strong{Meaning}
+@item @code{CONTENTS_NONE}
+@tab Stop recording the connection's content
+@item @code{CONTENTS_ORIG}
+@tab Record the data sent by the connection originator (often the client).
+@item @code{CONTENTS_RESP}
+@tab Record the data sent by the connection responder (often the server).
+@item @code{CONTENTS_BOTH}
+@tab Record the data sent in both directions.
+@end multitable
+@caption{Different types of directions for @code{set_contents} file}
+@end float
+@*
+
+
+@emph{Note: CONTENTS_BOTH results in the two directions being intermixed in the file, in the order the data was seen by Bro. }
+
+@emph{Note: The data recorded to the file reflects the byte stream, not the contents of individual packets.  Reordering and duplicates are removed.  If any data is missing, the recording stops at the missing data; see @code{ack_above_hole} for how this can happen. }
+
+@emph{Deficiency: Bro begins recording the traffic stream starting with new traffic it sees.  Experience has shown it would be highly handy if Bro could record the entire connection to the file, including previously seen traffic.  In principle, this is possible if Bro is recording the traffic to a 
+save file , which a separate utility program could then read to extract the stream. }
+
+Returns true upon success, false upon an error.
+@end quotation
+
+@cindex authentication dialog
+@cindex state, of a Telnet/Rlogin session
+@cindex Telnet, session state
+@cindex Rlogin, session state
+@cindex login session, state
+
+@code{set_login_state (c: conn_id, new_state: count): bool}
+@quotation
+Manually sets the state of the given login (Telnet or Rlogin) connection
+to @code{new_state}, which should be one of the values described
+in .
+
+Generates a run-time error and returns false
+if the connection is not a login connection.  Otherwise, returns true.
+@end quotation
+
+@cindex packets, recording
+@cindex recording packets
+@cindex save file, control over what's recorded
+@cindex write file, control over what's recorded
+@cindex trace file, control over what's recorded
+
+@code{set_record_packets (c: conn_id, do_record: bool): bool}
+@quotation
+Controls whether Bro should or should not record the packets corresponding
+to the given connection to the save file , if any.
+
+Returns true upon success, false upon an error.
+@end quotation
+
+@cindex avoiding processing
+@cindex processing, avoiding
+@cindex shedding load
+@cindex load, shedding
+
+@code{skip_further_processing (c: conn_id): bool}
+@quotation
+Informs bro that it should skip any further processing of the contents
+of the given connection.  In particular, Bro will refrain from reassembling
+the TCP byte stream and from generating events relating to any analyzers
+that have been processing the connection.  Bro will still generate
+connection-oriented events such as @code{connection_finished} .
+
+This function provides a way to shed some load in order to reduce
+the computational burden placed on the monitor.
+
+Returns true upon success, false upon an error.
+@end quotation
+
+@cindex string, extraction
+@cindex substrings
+
+@code{sub_bytes (s: string, start: count, n: count): string}
+@quotation
+Returns a copy of @code{n} bytes from the given string, starting at position
+@code{start}.  The beginning of a string corresponds to position 1.
+
+If @code{start} is 0 or exceeds the length of the string, returns
+an empty string.
+
+If the string does not have @code{n} characters from @code{start} to
+its end, then returns the characters from @code{start} to the end.
+@end quotation
+
+@cindex command shell
+@cindex Bourne shell
+@cindex shell escape
+@cindex scripts, running
+@cindex executables, running
+@cindex running outside scripts or executables
+
+@code{system (s: string): int}
+@quotation
+Runs the given string as a @emph{sh} command (via C's @emph{system} call).
+
+@emph{Note: The command is run in the background with stdout redirected to stderr. }
+
+Returns the return value from the @emph{system} call.  @emph{Note: This corresponds to the status of backgrounding the given command, NOT to the exit status of the command itself. }  
+A value of 127 corresponds
+to a failure to execute @emph{sh}, and -1 to an internal system failure.
+@end quotation
+
+@code{to_lower (s: string): string}
+@quotation
+Returns a copy of the given string with the uppercase letters
+(as indicated by @emph{isascii} and @emph{isupper})
+folded to lowercase (via @emph{tolower}).
+@end quotation
+
+@cindex masking
+@cindex address masking
+@cindex CIDR
+@cindex subnets
+@cindex prefixes, network
+@cindex network prefixes
+
+@code{to_net (a: addr): net}
+@quotation
+Returns the network prefix historically associated with the given
+address.  That is, if @code{a}'s leading octet is less than 128,
+then returns
+@code{<}@emph{a}@code{>}@emph{/8};
+if between 128 and 191, inclusive, then
+@code{<}@emph{a}@code{>}@emph{/16};
+if between 192 and 223, then
+@code{<}@emph{a}@code{>}@emph{/24};
+and, otherwise,
+@code{<}@emph{a}@code{>}@emph{/32}.
+See the discussion of the  type for more about network prefixes.
+
+Generates a run-time error and returns @code{0.0.0.0} 
+if the address is IPv6.
+
+@emph{Note: Such network prefixes have become obsolete with the advent of CIDR; still, for some sites they prove useful because they correspond to existing address allocations. }
+
+Compare with @code{mask_addr}.
+@end quotation
+
+@code{to_upper s: string): string}
+@quotation
+Returns a copy of the given string with the lowercase letters
+(as indicated by @emph{isascii} and @emph{islower})
+folded to uppercase (via @emph{toupper}).
+@end quotation
+
+@end table
+
+@menu
+* Run-time errors for non-existing connections::  
+* Run-time errors for strings with NULs::  
+* Functions for manipulating strings::	
+* Functions for manipulating time::  
+@end menu
+
+@node Run-time errors for non-existing connections,
+@subsection Run-time errors for non-existing connections
+
+@cindex connection, non-existing
+
+Note that for all functions that take a @code{conn_id} argument
+except @code{active-connection}, Bro generates a run-time
+error and returns false if the given connection does not exist.
+
+@cindex NULs, disallowed in certain function calls
+@cindex NULs, termination
+@cindex strings, termination with NULs
+@cindex NULs, allowed in strings
+
+@node Run-time errors for strings with NULs,
+@subsection Run-time errors for strings with NULs
+
+While Bro allows NULs embedded within strings,
+for many of the predefined functions, their presence spells trouble,
+particularly when the string is being passed to a C run-time function.
+The same holds for strings that are @emph{not} NUL-terminated.  Because
+Bro string constants and values returned by Bro functions that construct
+strings such as @code{fmt} and @code{cat} are all NUL-terminated, such strings
+will not ordinarily arise; but their presence could indicate an attacker
+attempting to manipulate either a TCP endpoint, or the monitor itself,
+into misinterpreting a string they're sending.
+
+In general, any of the functions above that are passed a string argument
+will check for the presence of an embedded NUL or the lack of a terminating
+NUL.  If either occurs, they generate a run-time message, and the
+string is transformed into the value
+@code{"<string-with-NUL>"}.
+
+There are three exceptions: @code{clean}, @code{byte_len}, and
+@code{sub_bytes}.  These functions do not complain about embedded
+NULs or lack of trailing NULs.
+
+@node Functions for manipulating strings,
+@subsection Functions for manipulating strings
+
+@emph{Fixme: Missing}
+
+@node Functions for manipulating time,
+@subsection Functions for manipulating time
+
+@emph{Fixme: Missing}
+
+@cindex predefined functions
+
diff --git a/doc/ref-manual/references.texi b/doc/ref-manual/references.texi
new file mode 100644
index 0000000000..760f8368f4
--- /dev/null
+++ b/doc/ref-manual/references.texi
@@ -0,0 +1,122 @@
+@node References
+@chapter References
+
+
+@itemize
+@item [RFC2373] R. Hinden and S. Deering, IP Version 6 Addressing Architecture,
+RFC-2373, Jul. 1998.
+
+@item [MJ93] S. McCanne and V. Jacobson,
+The BSD Packet Filter:  A New Architecture for User-level Packet Capture,
+Proc.1993 Winter USENIX Conference, San Diego, CA.
+
+@item [MLJ94] S. McCanne, C. Leres and V. Jacobson,
+libpcap, available via anonymous ftp from @uref{http://www.tcpdump.org}, 1994.
+
+@item [Pa98] V. Paxson,
+Bro: A System for Detecting Network Intruders in Real-Time,
+Proc. 7th USENIX Security Symposium, Jan. 1998.
+
+@item [Pa99]
+V. Paxson, Bro: A System for Detecting Network Intruders
+in Real-Time, Computer Networks: special issue on intrusion detection,
+31(23--24), pp. 2435-2463, Dec. 1999.
+
+@item [PN98] T. Ptacek and T. Newsham,
+Insertion, Evasion, and Denial of Service: Eluding Network
+Intrusion Detection, Secure Networks, Inc.,
+@uref{http://www.aciri.org/vern/Ptacek-Newsham-Evasion-98.ps},
+Jan. 1998.
+
+@item [RFC791] J. Postel, Internet Protocol, RFC-791, Sep. 1981.
+
+@item [RFC793] J. Postel, Transmission Control Protocol,
+RFC-793, Sep. 1981.
+
+@item [RFC854] J. Postel and J. Reynolds,
+Telnet Protocol Specification, May 1983.
+
+@item [RFC855] J. Postel and J. Reynolds,
+Telnet Option Specifications, RFC-855, May 1983.
+
+@item [RFC959] J. Postel and J. Reynolds, File Transfer Protocol (FTP),
+RFC-959, Oct. 1985.
+
+@item [RFC1013] R. Scheifler,
+X Window System Protocol, version 11: Alpha update,
+RFC-1013, Apr. 1987.
+
+@item [RFC1094] Sun Microsystems,
+NFS: Network File System Protocol specification,
+RFC-1094, Mar. 1989.
+
+@item [RFC1122] B. Braden,
+Requirements for Internet hosts - communication layers,
+RFC-1122, Oct. 1989.
+
+@item [RFC1282] B. Kantor, BSD Rlogin, RFC-1282, Dec. 1991.
+
+@item [RFC1288] D. Zimmerman,
+The Finger User Information Protocol, RFC-1288, Dec. 1991.
+
+@item [RFC1413] M. St. Johns, Identification Protocol, RFC-1413, Jan. 1993.
+
+@item [RFC1644] B. Braden,
+T/TCP -- TCP Extensions for Transactions Functional Specification,
+RFC-1644, Jul. 1994.
+
+@item [RFC1813] B. Callaghan, B. Pawlowski, P. Staubach,
+NFS Version 3 Protocol Specification,
+RFC-1813, June 1995.
+
+@item [RFC1831] R. Srinivasan, 
+RPC: Remote Procedure Call Protocol Specification Version 2,
+RFC-1831, Aug. 1995.
+
+@item [RFC1832] R. Srinivasan, XDR: External Data Representation Standard,
+RFC-1832, Aug. 1995.
+
+@item [RFC1939] J. Myers and M. Rose, Post Office Protocol - Version 3,
+RFC-1939, May 1996.
+
+@item [RFC1945] T. Berners-Lee, R. Fielding and H. Frystyk,
+Hypertext Transfer Protocol -- HTTP/1.0,
+RFC-1945, May 1996.
+
+@item [RFC2616] J. Mogul, H. Frystyk, L. Masinter, P. Leach, T. Berners-Lee,
+Hypertext Transfer Protocol -- HTTP/1.1,
+RFC-2626, Jun. 1999.
+
+@item [YKSRL00] T. Ylonen, T. Kivinen, M. Saarinen, T. Rinne and S. Lehtinen,
+SSH Connection Protocol, Internet Draft
+draft-ietf-secsh-connect-07.txt, May 2000.
+
+@item [SSLv2] Kipp E.B. Hickman, 
+The SSL Protocol, Netscape Communications Corp.
+@emph{http://wp.netscape.com/eng/security/SSL_2.html}, February 1995.
+
+@item [SSLv30] Alan O. Freier, Philip Karlton, Paul C. Kocher,
+The SSL Protocol Version 3.0, Internet Draft
+@emph{draft-freier-ssl-version3-02.txt}, November 1996.
+
+@item [TLSv1] T. Dierks, C. Allen,
+`` The TLS Protocol Version 1.0,'' RFC-2246, January 1999.
+
+@item [SSL-FIPS] Nelson Bolyard, Wan-Teh Chang,
+FIPS SSL CipherSuites,
+@uref{http://www.mozilla.org/projects/security/pki/nss/ssl/fips-ssl-ciphersuites.html}, June 2001.
+
+@item [SSL-AES] P. Chown, 
+Advanced Encryption Standard (AES) Ciphersuites for Transport 
+Layer Security (TLS), RFC-3268, June 2002.
+
+@item [TLS-56] John Banes, Richard Harrington,
+56-bit Export Cipher Suites For TLS, Internet Draft
+@emph{draft-ietf-tls-56-bit-ciphersuites-00.txt}, April 1999.
+
+@item [X509] R. Housley, W. Polk, W. Ford, D. Solo,
+Internet X.509 Public Key Infrastructure Certificate and 
+Certificate Revocation List (CRL) Profile,
+RFC-3280, June 2002.
+
+@end itemize
diff --git a/doc/ref-manual/signatures.texi b/doc/ref-manual/signatures.texi
new file mode 100644
index 0000000000..50ee0d3b08
--- /dev/null
+++ b/doc/ref-manual/signatures.texi
@@ -0,0 +1,295 @@
+
+@node Signatures
+@chapter Signatures
+
+@menu
+* Overview::			
+* Signature language::		
+* snort2bro::			
+@end menu
+
+@node Overview,
+@section Overview
+
+In addition to the policy language, Bro provides another language which is
+specifically designed to define @emph{signatures}. Signatures precisely describe
+how network traffic looks for certain, well-known attacks. As soon as a attack
+described by a signature is recognized, Bro may generate an event for this
+@emph{signature match} which can then be analyzed by a policy script.
+To define signatures, Bro's language provides several powerful constructs like
+regular expressions @ and dependencies between multiple
+signatures.
+
+Signatures are independent of Bro's policy scripts and, therefore, are put
+into their own file(s). There two ways to specify which files contain
+signatures: By using the @code{-s} flag when you invoke Bro, or by extending
+the Bro variable @code{signatures_files} using the @code{+=} operator.
+If a signature file is given without a path, it is searched along
+. The default extension of the file name is @code{.sig} 
+which Bro appends automatically.
+
+@node Signature language,
+@section Signature language
+
+Each individual signature has the format 
+
+@quotation
+@code{signature @emph{id} @{ @emph{attribute-set} @} }
+@end quotation
+
+@code{id} is an unique label for the signature. There are two types of
+attributes: @emph{conditions} and @emph{actions}. The conditions define
+@emph{when} the signature matches, while the actions declare @emph{what to do} in the case of a match. Conditions can be further divided into
+four types: @emph{header}, @emph{content}, @emph{dependency}, and 
+@emph{context}. We will discuss these in more detail in the following
+subsections.
+
+This is an example of a signature:
+
+@example
+signature formmail-cve-1999-0172 @{
+  ip-proto == tcp
+  dst-ip == 1.2.0.0/16
+  dst-port = 80
+  http /.*formmail.*\?.*recipient=[^&]*[;|]/
+  event "formmail shell command"
+  @}
+@end example
+
+@menu
+* Conditions::			
+* Actions::			
+@end menu
+
+@node Conditions,
+@subsection Conditions
+
+@menu
+* Header conditions::		
+* Content conditions::		
+* Dependency conditions::	
+* Context conditions::		
+@end menu
+
+@node Header conditions,
+@subsubsection Header conditions
+
+Header conditions limit the applicability of the signature to a subset of
+traffic that contains matching packet headers. For TCP, this match is
+performed only for the first packet of a connection. For other protocols, it
+is done on each individual packet. There are pre-defined header conditions for
+some of the most used header fields:
+
+@table @samp
+
+@item @emph{address-list}
+Destination address of IP packet (may include CIDR masks for specifying networks)
+
+@item @emph{integer-list} 
+Destination port of TCP or UDP packet
+
+@item @emph{protocol-list}
+IP protocol; @emph{protocol} may be @code{tcp}, @code{udp}, or @code{icmp}.
+
+@item @emph{address-list} 
+Source address of IP packet (may include CIDR masks for specifying networks)
+
+@item @emph{integer-list} 
+Source port of TCP or UDP packet
+@end table
+
+@emph{comp} is one of @code{==}, @code{!=}, @code{<},
+@code{<=}, @code{>}, @code{>=}. All lists are comma-separated values of
+the given type which are sequentially compared against the corresponding
+header field. If at least one of the comparisons evaluates to true, the whole
+header condition matches (exception: if @emph{comp} is @code{!=}, the header
+condition only matches if @emph{all} values differ). @emph{address} is an
+dotted IP address optionally followed by a CIDR/mask to define a subnet
+instead of an individual address. @emph{protocol} is either one of @code{ip},
+@code{tcp}, @code{udp} and @code{icmp}, or an integer.
+
+In addition to this pre-defined short-cuts, a general header condition can be
+defined either as
+
+@quotation
+@code{header @emph{proto}[@emph{offset}:@emph{size}] @emph{comp} @emph{value-list}}
+@end quotation
+
+or as
+
+@quotation
+@code{header @emph{proto}[@emph{offset}:@emph{size}] & @emph{integer} @emph{comp} @emph{value-list}}
+@end quotation
+
+This compares the value found at the given position of the packet header with
+a list of values. @emph{offset} defines the position of the value within
+the header of the protocol defined by @emph{proto} (which can @code{ip}, @code{tcp},
+@code{udp} or@code{icmp}. @emph{size} is either 1, 2, or 4 and specifies the
+value to have a size of this many bytes. If the optimal
+@code{& @emph{integer}} is given, the packet's value is first masked
+with the @emph{integer} before it is compared to the value-list. @emph{comp}
+is one of @code{==}, @code{!=}, @code{<},
+@code{<=}, @code{>}, @code{>=}. @emph{value-list} is a list of
+comma-separated integers similar to those described above. The integers within
+the list may be followed by an additional @code{/@emph{mask}} where
+@emph{mask} is a value from 0 to 32. This corresponds to the CIDR notation
+for netmasks and is translated into a corresponding bitmask which is applied
+to the packet's value prior to the comparison (similar to the optional
+@code{& @emph{integer}}).
+
+Putting all together, this is an example which is equivalent to
+@code{dst-ip == 1.2.3.4/16, 5.6.7.8/24}:
+
+@quotation
+@code{header ip[16:4] == 1.2.3.4/16, 5.6.7.8/24}
+@end quotation 
+
+@node Content conditions,
+@subsubsection Content conditions
+
+Content conditions are defined by regular expressions. We differentiate two
+kinds of content conditions: first, the expression may be declared with the
+@code{payload} statement, in which case it is matched against the raw
+payload of a connection (for reassembled TCP streams) or of a each packet.
+Alternatively, it may be prefixed with an analyzer-specific label, in which
+case the expression is matched against the data as extracted by the
+corresponding analyzer.
+
+A @code{payload} condition has the form
+
+@quotation
+@code{payload /@emph{regular expression}/}
+@end quotation 
+
+Currently, the following analyzer-specific content conditions are defined (note that
+the corresponding analyzer has to be activated by loading its policy script):
+
+@table @samp
+
+@item @code{http-request @emph{/regular expression/}}
+The regular expression is matched against decoded URIs of the HTTP requests.
+
+@item @code{http-request-header @emph{/regular expression/} }
+The regular expression is matched against client-side HTTP headers.
+
+@item  @code{http-reply-header @emph{/regular expression/} }
+The regular expression is matched against server-side HTTP headers.
+
+@item @code{ftp @emph{/regular expression/} }   
+The regular expression is matched against the command line input of 
+FTP sessions.
+
+@item @code{finger @emph{/regular expression/}}
+The regular expression is matched against the finger requests.
+@end table
+
+For example, @code{http /(etc/(passwd|shadow)/} matches any URI
+containing either @code{etc/passwd} or @code{etc/shadow}.
+
+@node Dependency conditions,
+@subsubsection Dependency conditions
+
+To define dependencies between different signatures, there are two conditions:
+
+@table @samp
+
+@item requires-signature [! @emph{id}]
+Defines the current signature to match only if the signature given by @emph{id}
+matches for the same connection. Using `@code{!}' negates the
+condition: The current signature only matches if @emph{id} does not
+match for the same connection (this decision is necessarily deferred until
+the connection terminates).
+
+@item  requires-reverse-signature [! @emph{id}]
+Similar to @code{requires-signature}, but @emph{id} has to match for the
+other direction of the same connections than the current signature.
+This allows to model the notion of requests and replies.
+@end table
+
+@node Context conditions,
+@subsubsection Context conditions
+
+Context conditions pass the match decision on to various other components of
+Bro. They are only evaluated if all other conditions have already matched. The
+following context conditions are defined:
+
+@table @samp
+
+@item @code{eval @emph{policy function}}
+The given policy function is called and has to return a boolean
+indicating the match result. The function has to be of the type
+@code{function cond(state: signature_state): bool}. See
+\f@{fig:signature-state@} for the definition of @code{signature_state}.
+
+@float Figure, signature-state
+@example
+type signature_state: record @{
+    id: string;          # ID of the signature
+    conn: connection;    # Current connection
+    is_orig: bool;       # True if current endpoint is originator
+    payload_size: count; # Payload size of the first pkt of curr. endpoint
+    @};
+@end example
+@caption{Definition of the @code{signature_state} record}
+@end float
+
+@item @code{ip-options}
+Not implemented currently.
+
+@item @code{payload-size @emph{comp_integer}}
+Compares the integer to the size of the payload of a packet. For
+reassembled TCP streams, the integer is compared to the size of
+the first in-order payload chunk. Note that the latter is not well defined.
+
+@item @code{same-ip }
+Evaluates to true if the source address of the IP packets equals its
+destination address.
+
+@item @code{tcp-state @emph{state-list}}
+Poses restrictions on the current TCP state of the connection.
+@emph{state-list} is a comma-separated list of @code{established}
+(the three-way handshake has already been performed),
+@code{originator} (the current data is send by the originator of the
+connection), and @code{responder} (the current data is send by the
+responder of the connection).
+
+@end table
+
+@node Actions,
+@subsection Actions
+
+Actions define what to do if a signature matches. Currently, there is only one 
+action defined: @code{event @emph{string}} raises a @code{signature_match}
+event. The event handler has the following type: 
+
+@quotation
+@code{event signature_match(state: signature_state, msg: string, data: string)}
+@end quotation
+
+See \f@{fig:signature-state@} for a description of @code{signature_state}. The given string
+is passed as @code{msg}, and data is the current part of the payload that
+has eventually lead to the signature match (this may be empty for signatures without
+content conditions).
+
+@node snort2bro,
+@section snort2bro
+
+The open-source IDS Snort provides an extensive library of signatures.
+The Python script @{snort2bro@} converts Snort's signature into Bro signatures.
+Due to different internal architectures  of Bro and Snort, it is not always
+possible to keep the exact semantics of Snort's signatures, but most of the
+time it works very well.
+
+To convert Snort signatures into Bro's format, @code{snort2bro} needs a
+workable Snort configuration file (@code{snort.cfg}) which, in particular,
+defines the variables used in the Snort signatures (usually things like
+@code{$EXTERNAL_NET} or @code{$HTTP_SERVERS}). The conversion is
+performed by calling @code{snort2bro [-I @emph{dir}] snort.cfg} where the
+directory optionally given by @code{-I} contains the files imported by
+Snort's @code{include} statement. The converted signature set is written to
+standard output and may be redirected to a file. This file can then be
+evaluated by Bro using the @code{-s} flag or the @code{signatures_files}
+variable.
+
+@emph{Deficiency:@code{snort2bro} does not know about some of the newer Snort signature options and ignores them (but it gives a warning).}
+
diff --git a/doc/ref-manual/started.texi b/doc/ref-manual/started.texi
new file mode 100644
index 0000000000..2f3d996e70
--- /dev/null
+++ b/doc/ref-manual/started.texi
@@ -0,0 +1,868 @@
+
+@node Getting Started
+@chapter Getting Started
+
+
+This chapter gives an overview of how to get started with operating Bro:
+@emph{(i)} compiling it, @emph{(ii)} running it interactively, on live
+network traffic, and on recorded traces, @emph{(iii)} how Bro locates the
+policy files it should evaluate and how to modify them, @emph{(iv)} the
+arguments you can give it to control its operation, and @emph{(v)} some
+helper utilities also distributed with Bro that you'll often find handy.
+
+@menu
+* Running Bro::			
+* Helper utilities::		
+@end menu
+
+@node Running Bro,
+@section Running Bro
+
+@cindex running Bro
+@cindex Bro, running
+
+This section discusses how to build and install Bro, running it interactively
+(mostly useful for building up familiarity with the policy language, not
+for traffic analysis), running it on live and recorded network traffic,
+modifying Bro policy scripts, and the different run-time flags.
+
+@menu
+* Building and installing Bro::	 
+* Using Bro interactively::	
+* Specifying policy scripts::	
+* Running Bro on network traffic::  
+* Modifying Bro policy::	
+* Bro flags and run-time environment::	
+@end menu
+
+@node Building and installing Bro,
+@subsection Building and installing Bro
+
+@cindex Bro, installing
+@cindex building Bro
+@cindex compiling Bro
+
+@menu
+* Supported platforms::		
+* Bro source code distribution::  
+* Installing Bro::		
+* Tuning BPF::			
+@end menu
+
+@node  Supported platforms,
+@subsubsection  Supported platforms 
+
+@cindex Unix support
+@cindex Windows, not supported
+@cindex NT, not supported
+
+Bro builds on a number of types of Unix: @emph{ FreeBSD, Solaris, Linux}, though not all versions.  It does @emph{not}
+build under non-Unix operating systems such as Windows NT.
+
+@node  Bro source code distribution,
+@subsubsection  The Bro source code distribution 
+
+@cindex source code, for Bro
+@cindex Bro, source code
+@cindex Bro, web page
+
+You can get the latest public release of Bro from the Bro web page,
+@url{http://www.bro-ids.org/}.
+Bro is distributed as a @emph{gzip}'d Unix @emph{tar} archive, which
+you can unpack using:
+@quotation
+@code{gzcat +@emph{tar-file} | tar xf -}
+@end quotation
+or, on some Unix systems:
+@quotation
+@code{+tar zxf +@emph{tar-file}}
+@end quotation
+This creates a subdirectory
+@code{+bro-+@emph{XXX}+-+@emph{version}},
+where @emph{XXX} is a tag such as pub for public releases and
+priv for private releases, and @emph{version} reflects a version
+and possibly a subversion, such as @code{0.8a20} for version
+@emph{0.8} and subversion @emph{a20}.
+
+To build Bro, change to the Bro directory and enter:
+@quotation
+@noindent ./configure @* make 
+@end quotation
+
+Bro configuration is described in the 
+@uref{http://www.bro-ids.org/User-Manual, User Manual}
+
+@node  Installing Bro,
+@subsubsection  Installing Bro 
+
+@cindex installing Bro
+
+You install Bro by issuing:
+@quotation
+@noindent @code{make install}
+@end quotation
+
+@node  Tuning BPF,
+@subsubsection  Tuning BPF 
+
+@cindex Bro, system configuration
+@cindex system configuration
+@cindex optimizing your system for Bro
+@cindex BPF (Berkeley Packet Filter), tuning
+
+Bro is written using @command{libpcap}, the portable packet-capture
+library available from
+@code{ftp://ftp.ee.lbl.gov/libpcap.tar.Z}.  While
+@emph{libpcap} knows how to use a wide range of Unix packet filters, it
+far and away performs most efficiently used in conjunction with the Berkeley
+Packet Filter (BPF) and with BPF descendants (such as the Digital Unix
+packet filter).  Although BPF is available from
+@code{ftp://ftp.ee.lbl.gov/bpf.tar.Z}, installing
+it involves modifying your kernel, and perhaps requires significant porting
+work.  However, it comes as part of several operating systems, such as
+FreeBSD, NetBSD, and OpenBSD.
+
+For BPF systems, you should be aware of the following tuning and
+configuration issues:
+@table @samp
+
+@item BPF kernel support
+You need to make sure that kernel support for BPF is enabled.  In addition,
+some systems default to configuring kernel support for only one BPF device.
+This often proves to be a headache because it means you cannot run more
+than one Bro at a time, nor can you run it at the same time as
+
+@item /dev/bpf devices
+@cindex dev/bpf
+  
+Related to the
+previous item, on BPF systems access to the packet filter is via special
+@emph{/dev/bpf} devices, such as @emph{/dev/bpf0}.  Just as you need to
+make sure that the kernel's configuration supports multiple BPF devices,
+so to must you make sure that an equal number of device files reside in
+@emph{/dev/}.
+
+@item packet filter permissions
+@cindex packet filter, permissions
+@cindex packet filter, access
+@cindex root, Bro not running as
+@cindex Bro, not running as root
+On systems for which access to the packet filter is via the file system,
+you should consider whether you want to only allow root access, or instead
+create a Unix @emph{group} for which you enable read access to
+the device file(s).  The latter allows you to run Bro as a user other
+than root, which is @emph{strongly recommended}!
+
+@item large BPF buffers
+@cindex BPF buffers, ensuring they are large
+@cindex large BPF buffers
+@cindex buffers, large for BPF
+While running with BPF is often necessary for high performance, it's not
+necessarily sufficient.  By default, BPF programs use very modest kernel
+buffers for storing packets, which leads to high context switch overhead
+as the kernel very often has to deliver packets to the user-level Bro
+process.  Minimizing the overhead requires increasing the buffer sizes.
+This can make a @emph{large} difference!
+
+Under FreeBSD, the configuration variable to increase is
+@code{debug.bpf_bufsize}, which you can set via @emph{sysctl}.  We
+recommend creating a script run at boot-up time that increases it
+from its small default value to something on the order of 100 KB--2 MB,
+depending on how fast (heavily loaded) is the link being monitored,
+and how much physical memory the monitor machine has at its disposal.
+
+@cindex libpcap buffer size patch
+@emph{libpcap buffer size patch}:
+@emph{Important note}:  some versions of  have
+internal code that limits the maximum buffer size to 32 KB.  For
+these systems, you should apply the patch included in the Bro distribution
+in the file @code{libpcap.patch}.
+
+Finally, once you have increased the buffer sizes, you should @emph{check}
+that running Bro does indeed consume the amount of kernel memory you
+expect.  You can do this under FreeBSD using @emph{vmstat -m} and
+searching in the output for the summary of BPF memory.  You should find
+that the @emph{MemUse} statistic goes up by twice the buffer size for
+every concurrent Bro or @command{tcpdump} you run.@footnote{Providing
+that these programs have been recompiled with the corrected @emph{libpcap}
+noted above.}  The reason the increase is by twice the buffer size is
+because Bro uses double-buffering to avoid dropping packets when the
+buffer fills up.
+@end table
+
+@node Using Bro interactively,
+@subsection Using Bro interactively
+
+@cindex Bro, interactive use
+
+Once you've built Bro, you can run it interactively to try out simple
+facets of the policy language.  Note that in this mode, Bro is @emph{not}
+reading network traffic, so you cannot do any traffic analysis; this mode
+is simply to try out Bro language features.
+
+You run Bro interactively by simply executing ``bro'' without
+any arguments.  It then reads from @emph{stdin} and writes to @emph{stdout}.
+
+Try typing the following to it:
+@quotation
+@noindent @code{print "hello, world";}  @*
+@noindent @code{^D} @emph{(i.e., end of file)}
+@end quotation
+(The end-of-file is critical to remember.  It's also a bit annoying for
+interactive evaluation, but reflects the fact that Bro is not actually
+meant for interactive use, it simply works as a side-effect of Bro's
+structure.)
+
+Bro will respond by printing:
+@quotation
+@noindent hello, world
+@end quotation
+to @emph{stdout} and exiting.
+
+You can further declare variables and print expressions, for example:
+@example
+    global a = telnet;
+    print a, a > ftp;
+    print www.microsoft.com;
+@end example
+
+will print
+@example
+    23/tcp, T
+    207.46.230.229, 207.46.230.219, 207.46.230.218
+@end example
+(FIXME: this example needs to be updated. Format has changed.)
+
+where 23/tcp reflects the fact that telnet is a predefined
+variable whose value is TCP port 23, which is larger than TCP port 21
+(i.e., ftp); and the DNS name @emph{www.microsoft.com} currently
+returns the above three addresses.
+
+You can also define functions:
+@example
+    function top18bits(a: addr): addr
+        @{
+        return mask_addr(a, 18);
+        @}
+
+    print top18bits(128.3.211.7);
+@end example
+
+prints
+@example
+    128.3.192.0
+@end example
+
+and even event handlers:
+@example
+    event bro_done()
+        @{
+        print "all done!";
+        @}
+@end example
+
+which prints ``all done!'' when Bro exits.
+
+@node Specifying policy scripts,
+@subsection Specifying policy scripts
+
+Usually, rather than running Bro interactively you want it to execute
+a policy script or a set of policy scripts.  You do so by specifying
+the names of the scripts as command-line arguments, such as:
+@example
+    bro ~/my-policy.bro ~/my-additional-policy.bro
+@end example
+
+Bro provides several mechanisms for simplifying how you specify which
+policies to run.
+
+First, if a policy file doesn't exist then it will
+try again using .bro as a suffix, so the above could be specified as:
+@example
+    bro ~/my-policy ~/my-additional-policy
+@end example
+
+Second, Bro consults the colon-separated search path 
+to locate policy scripts.  If your home directory was listed in $BROPATH,
+then you could have invoked it above using:
+@example
+    bro my-policy my-additional-policy
+@end example
+
+@emph{Note:}  If you define $BROPATH, you @emph{must} include @emph{bro-dir}/policy, where @emph{bro-dir} is where you have built or installed Bro, because it has to be able to locate @emph{bro-dir}/policy/bro.init to initialize itself at run-time. 
+
+Third, the @code{@@load} directive can be used in a policy script to indicate the
+Bro should at that point process another policy script (like C's include
+directive; see ).  So you could have in @emph{my-policy}:
+@example
+    @@load my-additional-policy
+@end example
+
+and then just invoke Bro using:
+@example
+    bro my-policy
+@end example
+
+providing you @emph{always} want to load @emph{my-additional-policy}
+whenever you load @emph{my-policy}.
+
+Note that the predefined Bro module @code{brolite} loads almost
+all of the other standard Bro analyzers, so you can pull them in
+with simply:
+@example
+    @@load brolite
+@end example
+
+or by invoking Bro using ``@command{bro brolite @emph{my-policy}}''.
+
+@node Running Bro on network traffic,
+@subsection Running Bro on network traffic
+
+There are two ways to run Bro on network traffic: on traffic captured
+live by the network interface(s), and on traffic previously recorded
+using the @code{-w} flag of @code{tcpdump} or Bro itself.
+
+@menu
+* Live traffic::		
+* Traffic traces::		
+@end menu
+
+@node Live traffic,
+@subsubsection Live traffic
+@cindex network interfaces
+@cindex analysis, on-line
+@cindex on-line analysis
+
+Bro reads live traffic from the local network interface whenever you
+specify the @code{-i}  flag.  As mentioned below, you can specify
+multiple instances to read from multiple interfaces simultaneously,
+however the interfaces must all be of the same link type (e.g., you
+can't mix reading from a Fast Ethernet with reading from an FDDI link,
+though you can mix a 10 Mbps Ethernet interface with a 100 Mbps Ethernet).
+
+In addition, Bro will read live traffic from the interface(s) listed in
+the @code{interfaces} variable, @emph{unless} you specify
+the @code{-r} flag (and do not specify @code{-i}).  So, for
+example, if your policy script contains:
+@example
+    const interfaces += "sk0";
+    const interfaces += "sk1";
+@end example
+
+then Bro will read from the @emph{sk0} and @emph{sk1} interfaces,
+and you don't need to specify @code{-i}.
+
+@node Traffic traces,
+@subsubsection Traffic traces
+
+@cindex analysis, off-line
+@cindex off-line analysis
+
+To run on recorded traffic, you use the @code{-r} flag to indicate
+the trace file Bro should read.  As with @code{-i}, you can use the
+flag multiple times to read from multiple files; Bro will merge the packets
+from the files into a single packet stream based on their timestamps.
+
+The Bro distribution includes an example trace that you can try out,
+@emph{example.ftp-attack.trace}.  If you invoke Bro using:
+@example
+    bro -r example.ftp-attack.trace brolite
+@end example
+
+you'll see that it generates a connection summary to @emph{stdout},
+a summary of the FTP sessions to ftp.example, a copy of what
+would have been real-time alarms had Bro been running on live traffic
+to @code{alarm.example}, and a summary of unusual traffic anomalies (none in
+this trace) to @code{weird.example}.
+
+@node Modifying Bro policy,
+@subsection Modifying Bro policy
+
+One way to alter the policy Bro executes is of course to directly
+edit the scripts.  When this can be avoided, however, that is preferred,
+and Bro provides a pair of related mechanisms to help you specify
+@emph{refinements} to existing policies in separate files.
+
+The first such mechanism is that you can define @emph{multiple}
+handlers for a given event.  So, for example, even though the standard
+@command{ftp} analyzer (@code{@emph{bro-dir}/policy/ftp.bro})
+defines a handler for @code{ftp.request}, you can define another handler
+if you wish in your own policy script, even if that policy script loads
+(perhaps indirectly, via the @code{brolite} module) the @code{ftp} analyzer.
+When the event engine generates an ftp_request event, @emph{both}
+handlers will be invoked.  
+
+@emph{Deficiency: Presently, you do not have control over the order in which they are invoked; you also cannot completely override one handler with another, preventing the first from being invoked. }
+
+Second, the standard policy scripts are often written in terms of
+@emph{redefinable} variables.  For example, @code{ftp.bro} contains
+a variable @code{ftp_guest_ids} that defines a list of usernames
+the analyzer will consider to reflect guest accounts:
+@example
+    const ftp_guest_ids = @{ "anonymous", "ftp", "guest", @} &redef;
+@end example
+
+While ``@code{const}'' marks this variables as constant at run-time,
+the attribute ``@code{&redef}'' specifies that its value can be
+redefined.
+
+For example, in your own script you could have:
+@example
+    redef ftp_guest_ids = @{ "anonymous", "guest", "visitor", "student" @};
+@end example
+
+instead.  (Note the use of ``redef'' rather than ``const'',
+to indicate that you realize you are redefining an existing variable.)
+
+In addition, for most types of variables you can specify @emph{incremental}
+changes to the variable, either new elements to add or old ones to
+subtract.  For example, you could instead express the above as:
+@example
+    redef ftp_guest_ids += @{ "visitor", "student" @};
+    redef ftp_guest_ids -= "ftp";
+@end example
+
+The potential advantage of incremental refinements such as these are that
+if any @emph{other} changes are made to ftp.bro's original definition,
+your script will automatically inherit them, rather than replacing them
+if you used the first definition above (which explicitly lists all four
+names to include in the variable).  Sometimes, however, you don't want this
+form of inheriting later changes; you need to decide on a case-by-case
+basis, though our experience is that generally the incremental approach
+works best.
+
+Finally, the use of @emph{prefixes} provides a way
+to specify a whole set of policy scripts to load in a particular context.
+For example, if you set @code{$BRO_PREFIXES} to ``dialup'',
+then a load of @code{ftp.bro} will @emph{also} load dialup.ftp.bro
+automatically (if it exists).  See @ref{Run-time environment} for further discussion.
+
+@node Bro flags and run-time environment,
+@subsection Bro flags and run-time environment
+
+@menu
+* Flags::			
+* Run-time environment::	
+@end menu
+
+@node Flags,
+@subsubsection Flags
+
+@cindex command line options
+
+When invoking Bro, you can control its behavior using a large number of
+flags and arguments. Most options can be specified using either a more
+readable long version (starting with two dashes), or a more compact but
+sometimes less intuitive short version (single dash followed by a single
+letter).  Arguments can be provided after whitespace (i.e., ``@command{-r file.pcap}''
+or ``@command{--readfile file.pcap}'') and also using an equation mark
+when the long version is used (i.e., ``@command{--readfile=file.pcap}'').
+Single-letter flags without arguments can be combined into a single option
+element (i.e., ``-dWF'' is the same as ``-d -W -F'').
+
+@table @samp
+@c
+@c Note: the @*s are to provide consistent spacing between the items in HTML
+@c       output. Better solutions welcome. --cpk
+@c
+@item @code{-d|--debug-policy}
+Activates policy file debugging. See @ref{Interactive Debugger} for details.
+@cindex debugging, policy scripts
+@*
+
+@item @code{-e|--exec <Bro statements>}
+Adds the given Bro policy statements to the loaded policy.  Use for
+manual @ref{Refinement, refinement}, or for verifying the resulting value of a
+given variable.  Note that you can omit trailing semi-colons.
+@*
+
+@item @code{-f|--filter filter}
+Use @emph{filter} as the @command{tcpdump} filter for
+capturing packets, rather than the combination of 
+and @code{restrict_filter}, or the default of ``tcp or udp'' .
+@*
+
+@item @code{-h|--help|-?}
+Generate a help message summarizing Bro's options and environment variables,
+and exit.
+@cindex help message
+@cindex Bro, usage
+@cindex usage message
+@*
+
+@item @code{-g|--dump-config}
+Writes out the current configuration into the persistent state directory
+configured through the @code{state_dir} variable, defined in
+@ref{Bro init file, bro.init} and subject to @ref{Refinement, refinement}.
+@cindex persistent state
+@cindex configuration, dumping to directory
+@*
+
+@item @code{-i|--iface <interface>}
+Add @emph{interface} to the list of interfaces from which Bro should
+read @ref{Live traffic, network traffic}.  You can use this flag
+multiple times to direct Bro to read from multiple interfaces.
+You can also, or in addition, use refinements of the 
+variable to specify interfaces.
+
+Note that if no interfaces are specified, then Bro will not read
+any network traffic.  It does @emph{not} have a notion of a ``default''
+interface from which to read.
+@cindex network interfaces
+@cindex analysis, on-line
+@cindex on-line analysis
+@*
+
+@item @code{-p|--prefix <prefix>}
+Add @emph{prefix} to the list of prefixes searched by Bro when loading
+a script.  You can also, or in addition, use @emph{prefix} to specify search
+prefixes.  See @ref{use of prefixes, prefixes} for discussion.
+@cindex prefixes
+@*
+
+@item @code{-r|--readfile <readfile>}
+Add @emph{readfile} to the list of @command{tcpdump}
+save files that Bro should read.  You can use this flag multiple times to
+direct Bro to read from multiple save files; it will merge the packets
+read from the different files based on their timestamps.  Note that if
+the save files contain only packet headers and not contents, then of
+course Bro's analysis of them will be limited.
+
+Note that use of @code{-r} is @emph{mutually exclusive} with use of @code{-i}.
+However, you can use @code{-r} when running scripts that refine
+@code{interfaces}, in which case the -r option takes precedence
+and Bro performs off-line analysis.
+@cindex trace file, reading
+@cindex save file, reading
+@cindex analysis, off-line
+@cindex off-line analysis
+@cindex reading tcpdump files 
+@*
+
+@item @code{-s|--rulefile <signaturefile>}
+Add @emph{signaturefile} to the list of files containing signatures to match
+against the network traffic. See @ref{Signatures} for more information.
+@*
+
+@item @code{-t|--tracefile <tracefile>}
+Enables tracing of Bro script execution. See @ref{Execution tracing}.
+@cindex tracing
+@cindex execution tracing
+@*
+
+@item @code{-w|--writefile <writefile>}
+Write a @command{tcpdump} save file to the file
+@emph{writefile}.  Bro will record all of the packets it captures,
+including their contents, except as controlled by calls to @command{set_record_packets}.
+@cindex trace file, writing
+@cindex save file, writing
+@cindex writing tcpdump files 
+@cindex HTTP packets, contents not being recorded
+@cindex SYN control packet
+@cindex FIN control packet
+@cindex RST control packet
+@cindex TCP control packets (SYN/FIN/RST)
+@cindex control packets (SYN/FIN/RST)
+@cindex packets, control (SYN/FIN/RST)
+@emph{Note:}  One exception is that unless you are analyzing HTTP events (for example, by loading the @ ref@code{http} analyzer), 
+Bro does @emph{not} record the @emph{contents} of HTTP SYN/FIN/RST packets to the trace file.  
+The reason for this is that HTTP FIN packets often contain a large amount of data, which is not of any interest if you are not using HTTP analysis, 
+and due to the very high volume of HTTP traffic at many sites, removing this data can significantly reduce the size of the save file. @emph{Deficiency: Clearly, this should not be hardwired into Bro but under user control. }
+
+Save files written using @code{-w} are of course readable using @code{-r}.
+Accordingly, you will generally want to use @code{-w} when running Bro on
+live network traffic so you can rerun it off-line later to understand
+any problems that arise, and also to experiment with the effects of changes
+to the policy scripts.
+
+You can also combine @code{-r} with @code{-w} to both read a save file(s) and
+write another.  This is of interest when using multiple instances of
+@code{-r}, as it provides a way to merge @command{tcpdump}
+save files.
+@*
+
+@item @code{-v|--version}
+@cindex version message
+@cindex Bro, version
+Print the version of Bro and exit.
+@*
+
+@item @code{-x|--print-state <Bro state file>}
+Reads the contents of the specified Bro state file, prints them to the
+console, and exits.
+@*
+
+@item @code{-z|--analyze <analysis>}
+Runs the specified analyzer over the configured policy. See @ref{Policy analyzers}.
+@cindex policy analysis
+@*
+
+@item @code{-A|--transfile <writefile>}
+Write transformed trace to the @command{tcpdump} file given. See @ref{Trace rewriting}.
+@*
+
+@item @code{-C|--no-checksums}
+Incorrect IP, TCP, or UDP checksums normally trigger different variants of
+@code{net_weird} and @code{conn_weird} events (see also @ref{Events handled by net_weird},
+@ref{Events handled by conn_weird}, and @ref{weird variables}). This flag causes
+Bro to ignore incorrect checksums.
+@cindex checksums, disabling checks
+@*
+
+@item @code{-D|--dfa-size <size>}
+Sets the cache size of deterministic finite automata (used extensively for
+@ref{Signatures, signatures}) to the given number of entries. The default is
+10,000.
+@*
+
+@item @code{-F|--force-dns}
+@cindex DNS!Bro's private cache, forcing access to
+@cindex forcing access to Bro's private DNS cache
+@cindex Bro, private caches
+Instructs Bro that it @emph{must} resolve all hostnames out of its
+private DNS cache.  If the script refers to a hostname
+not in the cache, then Bro @emph{exits} with a fatal error.
+
+@cindex checkpointing Bro
+@cindex Bro, checkpointing
+The point behind this option is to ensure that Bro starts quickly, rather
+than possibly stalling for an undetermined amount of time resolving a
+hostname.  Fast startup simplifies checkpointing a running Bro---you can
+start up a new Bro and then killing off the old one shortly after.
+You'd like this to occur in a manner such that there's no period during
+which neither Bro is watching the network (the older because you killed
+it off too early, the newer because it's stuck resolving hostnames).
+@*
+
+@item @code{-I|--print-id <name>}
+Looks up the variable identified by ``name'' in the global scope
+(see @ref{Scope}) and prints it to the console.
+@*
+
+@item @code{-K|--md5-hashkey <hashkey>}
+Allows you to specify a fixed seed for MD5 initialization. MD5 is used
+by default for hashing elements in the Bro core, and by default some
+randomness is gathered at Bro startup before PRNG initialization.
+@*
+
+@emph{Note:  This means that by default repeated runs of Bro on identical
+inputs do @strong{not} necessarily yield identical output. If you want
+to ensure determinism, use the @code{--save-seeds} and @code{--load-seeds}
+options.}
+@cindex determinism
+@cindex indeterminism
+@cindex hashing, keys
+@*
+
+@item @code{-L|--rule-benchmark}
+See @ref{Rule benchmarking}.
+@*
+
+@item @code{-O|--optimize}
+@cindex optimizer for policy script interpreter
+@cindex policy script interpreter, optimizer
+@cindex Bro, optimizer
+Turns on Bro's optimizer for improving its internal representation
+of the policy script.  @emph{Note:}  Currently, the amount of improvement is modest, and there's (as always) a risk of an optimizer bug introducing errors into the execution of the script, so the optimizer is not enabled by default. 
+@*
+
+@item @code{-P|--prime-dns}
+@cindex caches, Bro's private ones
+@cindex Bro, private caches
+@cindex priming Bro's private DNS cache
+Instructs Bro to @emph{prime} its private DNS cache.
+It does so by parsing the policy scripts, but not executing them.
+Bro looks up each hostname's address(es) and records them in the private
+cache.  The idea is that once @command{bro -P} finishes, you can then use
+@command{bro -F} to start up Bro quickly because it will read all the
+information it needs from the cache.
+@*
+
+@c EventPlayer's class definition in Serializer.h says it's not currently
+@c usable, so -R is left out for now. --cpk
+@c 
+@c @item @code{-R|--replay <events file>}
+
+@item @code{-S|--debug-rules}
+Prints debugging output for the rules used in signature matching. See also
+@ref{Signatures}.
+@cindex signature debugging
+@*
+
+@item @code{-T|--re-level <level>}
+Sets the level in the tree of rules at which regular expressions are
+built. Default is 4.
+@*
+
+@item @code{-W|--watchdog}
+@cindex Bro, wedging
+@cindex watchdog
+@cindex Bro, watchdog
+@cindex Bro, execution aborted
+@cindex aborted execution
+Instructs Bro to activate its internal @emph{watchdog}.  The watchdog
+provides self-monitoring to enable Bro to detect if its processing is
+wedged.
+
+Bro only activates the watchdog if it is reading live network traffic.
+The watchdog consists of a periodic timer that fires every
+@code{WATCHDOG_INTERVAL} seconds.  (@emph{Deficiency:clearly this should be a user-definable value.})  At that point, the watchdog checks
+to see whether Bro is still working on the same packet as it was the last
+time the watchdog expired.  If so, then the watchdog logs this fact along
+with some information regarding when Bro began processing the current
+packet and how many events it processed after handling the packet.  Finally,
+it prints the packet drop information for the different interfaces Bro
+was reading from, and aborts execution.
+@*
+
+@item @code{--save-seeds <file>}
+Writes the seeds used for initializing the PRNGs in Bro to the given
+file. This can be combined with @code{-K|--md5-hashkey}, and is intended
+to be used with @code{--load-seeds} in future Bro runs.
+@cindex determinism
+@cindex indeterminism
+@cindex seeding Bro
+@*
+
+@item @code{--save-seeds <file>}
+Seeds the PRNGs in Bro using a file produced by @code{--save-seeds}
+in an earlier Bro invocation.
+@cindex determinism
+@cindex indeterminism
+@cindex seeding Bro
+@*
+
+@end table
+
+@node Run-time environment,
+@subsubsection Run-time environment
+
+Bro is also sensitive to the following environment variables:
+@table @samp
+
+@item $BROPATH
+@cindex search path
+@cindex Bro, search path
+@cindex policy directories
+@cindex usr/local/lib/bro/usr/local/lib/bro/ policy directory
+@cindex policy/ policy directory
+@cindex policy/local/local/ policy directory
+A colon-separated list of directories that Bro searches whenever
+you load a policy file.  It loads the first instance it finds (though
+see $BRO_PREFIXES for how a single load can lead to Bro loading
+multiple files).
+
+Default: if you don't set this variable, then Bro uses the path
+@example
+    .:policy:policy/local:/usr/local/lib/bro
+@end example
+
+That is, the current directory, any @emph{policy/} and @emph{policy/local/}
+subdirectories, and @emph{/usr/local/lib/bro/}.
+
+@item $BRO_PREFIXES
+@cindex prefixes
+@cindex bro suffix.bro suffix
+A colon-separate lists of @emph{prefixes} that Bro should apply to
+each name in a @code{@@load} directive.  For a given prefix and load-name, Bro
+constructs the filename:
+@quotation
+@emph{prefix}.@emph{load-name}.bro
+@end quotation
+(where it doesn't add .bro if @emph{load-name} already ends in
+.bro).  It then searches for the filename using $BROPATH
+and loads it if its found.  Furthermore, it @emph{repeats} this process
+for all of the other prefixes (left-to-right), and loads @emph{each}
+file it finds for the different prefixes.  @emph{Note:}  Bro @emph{also} first attempts to load the filename without any prefix at all. If this load fails, then Bro exits with an error complaining that it can't open the given @code{@@load} file.
+
+For example, if you set $BRO_PREFIXES to:
+@example
+    mysite:mysite.wan
+@end example
+
+and then issue ``@command{@@load ftp}'', Bro will attempt to load each of the
+following scripts in the following order:
+@example
+    ftp.bro
+    mysite.ftp.bro
+    mysite.wan.ftp.bro
+@end example
+
+Default: if you don't specify a value for $BRO_PREFIXES, it defaults
+to empty, and for the example above Bro would only attempt to @command{@@load ftp.bro}.
+
+@end table
+
+@node Helper utilities,
+@section Helper utilities
+
+@menu
+* Scripts::			
+* hf utility::	
+* cf utility::	
+@end menu
+
+@node Scripts,
+@subsection Scripts
+
+Documentation missing.
+
+@node hf utility,
+@subsection The @code{hf} utility
+
+@cindex hostnames, mapping addresses to
+@cindex addresses, mapping to hostnames
+@cindex dotted quads
+The @emph{hf} utility reads text on @emph{stdin} and attempts to convert any
+``dotted quads'' it sees to hostnames.  It is very convenient for running
+on Bro log files to generate human-readable forms.  See the manual page
+included with the distribution for details.
+
+@node cf utility,
+@subsection The @code{cf} utility
+
+@cindex timestamps, mapping to readable form
+@cindex Unix timestamps
+The @emph{cf} utility reads Unix timestamps at the beginning of lines on
+@emph{stdin} and converts them to human-readable form.  For example,
+for the input line:
+@example
+972499885.784104 #26 131.243.70.68/1899 > 64.55.26.206/ftp start
+@end example
+
+it will generate:
+@example
+Oct 25 11:51:25 #26 131.243.70.68/1899 > 64.55.26.206/ftp start
+@end example
+
+It takes two flags:
+@table @samp
+
+@item -l
+specifies the @emph{long} human-readable form, which includes the year.
+For example, on the above input, the output would instead be:
+@example
+Oct 25 11:51:25 2000 #26 131.243.70.68/1899 > 64.55.26.206/ftp start
+@end example
+
+@item -s
+specifies @emph{strict} checking to ensure that the number at the beginning
+of a line is a plausible timestamp: it must have at least 9 digits, at most
+one decimal, and must have a decimal if there are 10 or more digits.
+
+Without -s, an input like:
+@example
+131.243.70.68 > 64.55.26.206
+@end example
+
+generates the output:
+@example
+Dec 31 16:02:11 > 64.55.26.206
+@end example
+
+which, needless to say, is not very helpful.  
+
+@emph{Deficiency: It seems clear that -s should be the default behavior. }
+
+@end table
+
diff --git a/doc/ref-manual/stmts.texi b/doc/ref-manual/stmts.texi
new file mode 100644
index 0000000000..c09e9a8b16
--- /dev/null
+++ b/doc/ref-manual/stmts.texi
@@ -0,0 +1,773 @@
+
+@node Statements and Expressions
+@chapter Statements and Expressions
+
+You express Bro's analysis of network traffic using @emph{event handlers},
+which, as discussed in XX,
+are essentially subroutines written in Bro's policy scripting
+language.  In this chapter we discuss the different types of statements
+and expressions available for expressing event handlers and the auxiliary
+functions they use.
+
+@menu
+* Statements::			
+* Expressions::			
+@end menu
+
+@node Statements,
+@section Statements
+
+@cindex statements
+Bro functions and event handlers are written in an imperative style, and
+the statements available for doing so are similar to those provided in C.
+@cindex statements, semi-colon termination
+@cindex semi-colon statement termination
+@cindex statements, multi-line
+@cindex whitespace, in statements
+As in C, statements are terminated with a semi-colon.  There are no
+restrictions on how many lines a statement can span.  Whitespace can appear
+between any of the syntactic components in a statement, and its presence
+always serves as a separator (that is, a single syntactic component cannot
+in general contain embedded whitespace, unless it is escaped in some form,
+such as appearing inside a string literal).
+
+Bro provides the following types of statements:
+
+@command{expression}
+@cindex expression
+@quotation
+Syntax:
+@quotation
+@emph{expr} ;
+@end quotation
+As in C, an expression by itself can also be used as a statement.
+For example, assignments, calling functions, and scheduling
+timers are all expressions; they also are often used as statements.
+@end quotation
+
+@command{print}
+@cindex print statement
+@quotation
+Syntax:
+@quotation
+print @emph{file} @emph{expr-list} ;
+@end quotation
+The expressions are converted to a list of strings, which are then
+printed as a comma-separated list.  If the first expression is of
+type , then the other expressions are printed to
+the corresponding file; otherwise they're written to
+@cindex stdout
+@emph{stdout}.
+
+For control over how the strings are formatted, see the @code{fmt}
+function.
+@end quotation
+
+@command{alarm}
+@cindex alarm statement
+@quotation
+Syntax:
+@quotation
+alarm @emph{expr-list} ;
+@end quotation
+The expressions are converted to a list of strings, which are then
+logged as a comma-separated list.  ``Logging'' means recording the
+values to @file{bro-alarm-file}.  In addition, if Bro is reading
+@cindex live traffic
+@cindex traffic, live vs. recorded
+@emph{live} network traffic (as opposed to from a trace file), then
+the messages are also reported via
+@cindex syslog
+@emph{syslog(3)} at level
+@emph{LOG_NOTICE}.  If the message does not already
+include a timestamp, one is added.
+
+See the @code{alarm}  module for a discussion of controlling logging
+behavior from your policy script.  In particular, an important feature of
+the @code{alarm} statement is that prior to logging the giving string(s),
+Bro first invokes @command{alarm-hook} to determine whether to suppress
+the logging.
+@end quotation
+
+@command{event}
+@cindex event statement
+@quotation
+Syntax:
+@quotation
+event @emph{expr} ( @emph{expr-list*} ) ;
+@end quotation
+Evaluates @emph{expr} to obtain an event handler and queues an event
+for it with the value corresponding to the optional comma-separated
+list of values given by @emph{expr-list}.
+
+@emph{Note:}  @code{event} statements look syntactically just like function calls, other than the 
+keyword ``@code{event}''.  However, @command{function-call-expr}, while queueing an event is not, since it does not return a value. 
+@end quotation
+
+@command{if}
+@cindex if statement
+@quotation
+Syntax:
+@quotation
+if ( @emph{expr} ) @emph{stmt}  @*
+if ( @emph{expr} ) @emph{stmt} else @emph{stmt2}
+@end quotation
+Evaluates @emph{expr}, which must yield a @command{bool} value.  If true,
+executes @emph{stmt}.  For the second form, if false, executes @emph{stmt2}.
+@end quotation
+
+@command{for}
+@cindex for statement
+@quotation
+Syntax:
+@quotation
+for ( @emph{var} in @emph{expr} ) @emph{stmt} 
+@end quotation
+Iterates over the indices of @emph{expr}, which must evaluate to either
+a @code{set} or a @code{table}.  For each iteration, @emph{var} is
+set to one of the indices and @emph{stmt} is executed.  @emph{var} needn't
+have been previously declared (in which case its type is implicitly inferred
+from that of the indices of @emph{expr}), and must not be a global variable.
+
+If @emph{expr} is a @code{set}, then the indices correspond to the
+members of the set.  If @emph{expr} is a @code{table}, then they correspond
+to the indices of the table.
+
+@emph{Deficiency: You can only use @code{for} statements to iterate over sets and tables with a single, non-compound index type.  You can't iterate over multi-dimensional or compound indices. }
+
+@emph{Deficiency: Bro lacks ways of controlling the order in which it iterates over the indices. }
+@end quotation
+
+@command{next}
+@cindex next statement
+@quotation
+Syntax:
+@quotation
+next ;  
+@end quotation
+Only valid within a @code{for} statement.  When executed, causes the
+loop to proceed to the next iteration value (i.e., the next index value).
+@end quotation
+
+@command{break}
+@cindex break statement
+@quotation
+Syntax:
+@quotation
+break ;  
+@end quotation
+Only valid within a @code{for} statement.  When executed, causes the
+loop to immediately exit.
+@end quotation
+
+@command{return}
+@cindex return statement
+@quotation
+Syntax:
+@quotation
+return @emph{expr} ;  
+@end quotation
+Immediately exits the current function or event handler.  For a function,
+returns the value @emph{expr} (which is omitted if the function does
+not return a value, or for event handlers).
+@end quotation
+
+@command{add}
+@cindex add statement
+@quotation
+Syntax:
+@quotation
+add @emph{expr1} @emph{expr2} ; 
+@end quotation
+Adds the element specified by @emph{expr2} to the
+set given by @emph{expr1}.  For example,
+@example
+    global active_hosts: set[addr, port];
+    ...
+    add active_hosts[1.44.33.7, 80/tcp];
+@end example
+
+adds an element corresponding to the pair
+1.44.33.7 and 80/tcp to the set active_hosts.
+@end quotation
+
+@command{delete}
+@cindex delete statement
+@quotation
+Syntax:
+@quotation
+delete @emph{expr1} [@emph{expr2}] ; 
+@end quotation
+Deletes the corresponding value, where @emph{expr1} corresponds
+to a set or table, and @emph{expr2} an element/index of the
+set/table.  If the element is not in the set/table, does nothing.
+@end quotation
+
+@command{compound}
+@cindex compound statement
+@quotation
+Compound statements are formed from a list of (zero or more)
+statements enclosed in
+@code{@{@}}'s:
+@quotation
+@{ @emph{statement*} @} 
+@end quotation
+@end quotation
+
+@command{null}
+@cindex null statement
+@quotation
+A lone:
+@quotation
+; 
+@end quotation
+denotes an empty, do-nothing statement.
+@end quotation
+
+@cindex variables, local
+@cindex local variables
+@cindex variables, constant
+@cindex constant variables
+
+@command{local,const}
+@cindex local 
+@quotation
+Syntax:
+@quotation
+local @emph{var} : @emph{type} = @emph{initialization} @emph{attributes} ; @*
+const @emph{var} : @emph{type} = @emph{initialization} @emph{attributes} ; 
+@end quotation
+Declares a local variable with the given type, initialization, and
+attributes, all of which are optional.  The syntax of these fields is the
+same as for @command{global-vars}.  The
+second form likewise declares a local variable, but one which is
+@emph{constant}: trying to assign a new value to it results in an error.
+@emph{Deficiency:Currently, this @code{const} restriction isn't detected/enforced. }
+
+@cindex variables, scope
+
+@emph{Unlike with C} the scope of a local variable is from the point of declaration to the end of the encompassing function or event handler.
+@end quotation
+
+@cindex statements
+
+@node Expressions,
+@section Expressions
+
+@cindex expressions|(
+Expressions in Bro are very similar to those in C, with similar precedence:
+
+@cindex left parenthesis operator( operator
+@cindex operator, left parenthesis( parenthesis
+@cindex right parenthesis operator) operator
+@cindex operator, right parenthesis) parenthesis
+@cindex parentheses operators()
+
+@command{parenthesized}
+@quotation
+Syntax:
+@quotation
+( @emph{expr} ) 
+@end quotation
+Parentheses are used as usual to override precedence.
+@end quotation
+
+@command{constant}
+@cindex constant 
+@quotation
+Any constant value  is an expression.
+@end quotation
+
+@command{variable}
+@cindex variable 
+@quotation
+The name of a @emph{variable} is an expression.
+@end quotation
+
+@command{clone}
+@cindex clone operator
+@quotation
+Syntax:
+@quotation
+copy( @emph{expr} )
+@end quotation
+Produces a clone, or deep copy, of the value produced by the expression
+it is applied to.
+@end quotation
+
+@command{increment,decrement}
+@cindex increment 
+@cindex decrement 
+@quotation
+Syntax:
+@quotation
+++ @emph{expr}  
+@*
+-- @emph{expr} 
+@end quotation
+Increments or decrements the given expression, which must correspond
+to an assignable value (variable, table element, or record element)
+and of a number type.
+
+Yields the value of the expression after the increment.
+
+@emph{Unlike with C, these operators only are defined for ``pre''-increment/decrement; there is no post-increment/decrement.}
+@end quotation
+
+@command{negation}
+@cindex negation 
+@quotation
+Syntax:
+@quotation
+! @emph{expr}  @*
+- @emph{expr} 
+@end quotation
+Yields the boolean 
+or arithmetic negation for values of boolean
+or @emph{numeric} (or @emph{interval}) types, respectively.
+@end quotation
+
+@command{positivation}
+@quotation
+Syntax:
+@quotation
++ @emph{expr} 
+@end quotation
+Yields the value of @emph{expr}, which must be of type @emph{numeric}
+or @emph{interval}.
+
+The point of this operator is to explicitly convert a value of type count
+to int.  For example, suppose you want to declare a local variable
+code to be of type int, but initialized to the value 2.
+If you used:
+@example
+    local code = 2;
+@end example
+
+then Bro's implicit typing would make it of type count, because
+that's the type of a
+@command{numeric-constants}.
+You could instead use:
+@example
+    local code = +2;
+@end example
+
+to direct the type inferencing to instead assign a type of int
+to code.  Or, of course, you could specify the type explicitly:
+@example
+    local code:int = 2;
+@end example
+@end quotation
+
+@command{arithmetic}
+@quotation
+Syntax:
+@quotation
+@emph{expr1} + @emph{expr2} @* 
+@emph{expr1} - @emph{expr2} @* 
+@emph{expr1} * @emph{expr2} @* 
+@emph{expr1} / @emph{expr2} @* 
+@emph{expr1} % @emph{expr2} 
+@end quotation
+The usual C arithmetic operators, 
+defined for numeric types, except
+modulus (@code{%}) is only defined for integral types.
+@end quotation
+
+@cindex & short-circuit&&@  short-circuit ``and''
+@cindex short-circuit1-circuit && ``and'' operator
+@cindex and operator&& ``and'' operator
+@cindex operator, and&& ``and''
+@cindex & or short-circuit"|"|@  short-circuit ``or''
+@cindex short-circuit2-circuit "|"| ``or'' operator
+@cindex or operator"|"| ``or'' operator
+@cindex operator, or"|"| ``or''
+
+@command{logical}
+@quotation
+Syntax:
+@quotation
+@emph{expr1} @code{&&} @emph{expr2} @*
+@emph{expr1} @code{||} @emph{expr2} 
+@end quotation
+The usual C logical operators, defined for boolean types.
+@end quotation
+
+@cindex == equality operator==@  equality operator
+@cindex == inequality operator", =@  inequality operator
+
+@command{equality}
+@quotation
+Syntax:
+@quotation
+@emph{expr1} @code{==} @emph{expr2}  \
+@emph{expr1} @code{"!=} @emph{expr2} 
+@end quotation
+@command{rel-operators},
+Compares two values for equality or inequality, yielding a @code{bool} value.  Defined for all non-compound types except pattern.
+@end quotation
+
+@cindex == less-than operator<@ @  less-than operator
+@cindex == less-than-or-equal operator<=@  less-or-equal operator
+@cindex == z operator>@ @  greater-than operator
+@cindex == zz operator>=@  greater-or-equal operator
+
+@command{relational}
+@quotation
+Syntax:
+@quotation
+@emph{expr1} @code{<} @emph{expr2}  \
+@emph{expr1} @code{<=} @emph{expr2}  \
+@emph{expr1} @code{>} @emph{expr2}  \
+@emph{expr1} @code{>=} @emph{expr2} 
+@end quotation
+Compares two values for magnitude ordering,
+yielding a bool value.  Defined for values of type @emph{numeric},
+time, interval, port, or addr.
+
+@emph{Note:} TCP port values are considered less than UDP port values.
+
+@emph{Note:} IPv4 addr values less than IPv6 addr values.
+
+@emph{Deficiency: Should also be defined at for @command{string} values. }
+@end quotation
+
+@command{conditional}
+@quotation
+Syntax:
+@quotation
+@emph{expr1} ? @emph{expr2} : @emph{expr3} 
+@end quotation
+Evaluates @emph{expr1} and, if true, evaluates and yields
+@emph{expr2}, otherwise evaluates and yields
+@emph{expr3}. 
+@emph{expr2} and @emph{expr3} must have compatible
+types.
+@end quotation
+
+@command{assignment}
+@quotation
+Syntax:
+@quotation
+@emph{expr1} = @emph{expr2} 
+@end quotation
+Assigns the value of @emph{expr2} to the storage defined
+by 
+@emph{expr1}, which must be an assignable value
+(variable, table element, or record element).  Yields the assigned value.
+@end quotation
+
+@cindex left parenthesis operator( operator
+@cindex operator, left parenthesis( parenthesis
+@cindex right parenthesis operator) operator
+@cindex operator, right parenthesis) parenthesis
+@cindex parentheses operators()
+
+@cindex invocation, function
+@cindex function invocation
+
+@command{function call}
+@quotation
+Syntax:
+@quotation
+@emph{expr1} ( @emph{expr-list2} ) 
+@end quotation
+Evaluates @emph{expr1} to obtain a value of type @code{function},
+which is then invoked with its arguments bound left-to-right to the values
+obtained from the comma-separated list of expressions
+@emph{expr-list2}.  Each element of @emph{expr-list2}
+must be assignment-compatible with the corresponding formal argument 
+in the type of @emph{expr1}.  The list may (and must) be empty if the
+function does not take any parameters.
+@end quotation
+
+@cindex functions, anonymous
+
+@command{anonymous function}
+@quotation
+Syntax:
+@quotation
+function ( @emph{parameters} ) @emph{body} 
+@end quotation
+Defines an @emph{anonymous function}, which, in abstract terms, is how
+you specify a constant of type @code{function}.  @emph{parameters} has
+the syntax of parameter declarations for
+@command{functions}, as does @emph{body},
+which is just a list of statements enclosed in braces.
+
+Anonymous functions can be used anywhere you'd usually instead use a
+function declared in the usual direct fashion.  For example, consider the
+function:
+@example
+    function demo(msg: string): bool
+        @{
+        if ( msg == "do the demo" )
+            @{
+            print "got it";  
+            return T;
+            @}
+        else
+            return F;
+        @}
+@end example
+
+You could instead declare demo as a global variable of type @code{function}:
+@example
+global demo: function(msg: string): bool;
+@end example
+
+and then later assign to it an anonymous function:
+@example
+    demo = function (msg: string): bool
+        @{
+        if ( msg == "do the demo" )
+            @{
+            print "got it";
+            return T;
+            @}
+        else
+            return F;
+        @};
+@end example
+
+You can even call the anonymous function directly:
+@example
+    (function (msg: string): bool
+        @{
+        if ( msg == "do the demo" )
+            @{
+            print "got it";
+            return T;
+            @}
+        else
+            return F;
+        @})("do the demo")
+@end example
+
+though to do so you need to enclose the function in parentheses to
+avoid confusing Bro's parser.
+
+One particularly handy form of anonymous function is that used
+for @command{&default}.
+@end quotation
+
+@cindex timers
+@cindex events, scheduling
+@cindex scheduling events
+
+@command{event scheduling}
+@quotation
+Syntax:
+@quotation
+schedule @emph{expr1} @code{@{} @emph{expr2} ( @emph{expr-list3} ) @code{@}} 
+@end quotation
+Evaluates @emph{expr1} to obtain a value of type @command{interval},
+and schedules the event given by @emph{expr2} with parameters
+@emph{expr-list3} for that time.  Note that the expressions are
+all evaluated and bound at the time of execution of the schedule
+expression; evaluation is @emph{not} deferred until the future execution
+of the event handler.
+
+For example, we could define the following event handler:
+@example
+    event once_in_a_blue_moon(moon_phase: interval)
+        @{
+        print fmt("wow, a blue moon - phase %s", moon_phase);
+        @}
+@end example
+
+and then we could schedule delivery of the event for 6 hours from
+the present, with a moon_phase of 12 days, using:
+@example
+    schedule +6 hr @{ once_in_a_blue_moon(12 days) @};
+@end example
+
+@emph{Note:  The syntax is admittedly a bit clunky.  In particular, it's easy to @emph{(i)} forget to include the braces (which are needed to avoid confusing Bro's parser), @emph{(ii)} forget the final semi-colon if the schedule expression is being used as an expression-statement, or @emph{(iii)} erroneously place a semi-colon after the event specification but before the closing brace.}
+
+@cindex timer expiration
+@cindex expiration, timer
+
+Timer invocation is inexact.  In general, Bro uses arriving packets to
+serve as its clock (when reading a trace file off-line, this is still the
+case---the timestamp of the latest packet read from the trace is used as
+the notion of ``now'').  Once this clock reaches or passes the time
+associated with a queued event, Bro will invoke the event handler,
+which is termed ``expiring'' the timer.  (However, Bro will only
+invoke @command{max-timer-expires} timers per packet, and these
+include its own internal timers for managing connection state, so this can
+also delay invocation.)
+
+It will also expire all pending timers (whose time has not yet arrived)
+when Bro terminates; if you don't want those event handlers to activate
+in this instance, you need to test @command{done-with-network}.
+
+You would think that @code{schedule} should just be a statement like
+@command{event-invocation} is,
+rather than an expression.  But it actually does return a value, of the
+undocumented type timer.  
+@cindex possible future changes,  type
+ In the future, Bro may provide mechanisms for manipulating such
+timers; for example, to cancel them if you no longer want them to expire.
+@end quotation
+
+@command{index}
+@quotation
+Syntax:
+@quotation
+@emph{expr1} [ @emph{expr-list2} ] 
+@end quotation
+Returns the sub-value of @emph{expr1} indexed by
+the value of @emph{expr-list2}, which must be compatible with the index
+type of @emph{expr1}.
+
+@emph{expr-list2} is a comma-separated list of expressions
+(with at least one expression listed) whose values
+are matched left-to-right against the index types of @emph{expr1}.
+
+The only type of value that can be indexed
+in this fashion is a table.  @emph{Note:} set's cannot be indexed because they do not yield any value.  Use @code{in} to test for set membership.
+@end quotation
+
+@command{membership}
+@quotation
+Syntax:
+@quotation
+@emph{expr1} in @emph{expr2}  @*
+@emph{expr1} !in @emph{expr2} 
+@end quotation
+Yields true (false, respectively)
+if the index @emph{expr1} is present in
+the @code{table} or @code{set} @emph{expr2}.
+
+For example, if notice_level is a table index by an address
+and yielding a count:
+@example
+    global notice_level: table[addr] of count;
+@end example
+
+then we could test whether the address 127.0.0.1 is present using:
+@example
+    127.0.0.1 in notice_level
+@end example
+
+For table's and set's indexed by multiple dimensions,
+you enclose @emph{expr1} in brackets.  For example,
+if we have:
+@example
+    global connection_seen: set[addr, addr];
+@end example
+
+then we could test for the presence of the element indexed by
+8.1.14.2 and 129.186.0.77 using:
+@example
+    [8.1.14.2, 129.186.0.77] in connection_seen
+@end example
+
+We can also instead use a corresponding record type.
+If we had
+@example
+    local t = [$x = 8.1.14.2, $y = 129.186.0.77]
+@end example
+
+then we could test:
+@example
+    t in connection_seen
+@end example
+@end quotation
+
+@cindex == equality operator==@  equality operator
+@cindex == inequality operator", =@  inequality operator
+
+@command{pattern matching}
+@quotation
+Syntax:
+@quotation
+@emph{expr1} == @emph{expr2}  @*
+@emph{expr1} "!= @emph{expr2}  @*
+@emph{expr1} in @emph{expr2}  @*
+@emph{expr1} "!in @emph{expr2} 
+@end quotation
+As discussed for @command{pattern values}. 
+the first two forms yield true (false) if 
+the @code{pattern} @emph{expr1} exactly matches the string
+@emph{expr2}.  (You can also list the @code{string} value 
+on the left-hand side of the operator and the @code{pattern} on the right.)
+
+The second two forms yield true (false) if
+the pattern @emph{expr1} is present within the string
+@emph{expr2}.  (For these, you @emph{must} list the pattern
+as the left-hand operand.)
+@end quotation
+
+@cindex $$@  record field access operator
+
+@command{record field access}
+@quotation
+Syntax:
+@quotation
+@emph{expr} $ @emph{field-name} 
+@end quotation
+Returns the given field @emph{field-name} of the record
+@emph{expr}.  If the record does not contain the
+given field, a compile-time error results.
+@end quotation
+
+@cindex $$@  record constructor operator
+
+@command{record constructor}
+@quotation
+Syntax:
+@quotation
+[ @emph{field-constructor-list} ] 
+@end quotation
+
+Constructs a @code{record} value.  The @emph{field-constructor-list} is
+a comma-separated list of individual field constructors, which have the syntax:
+@quotation
+$ @emph{field-name} = @emph{expr} 
+@end quotation
+
+For example,
+@example
+    [$foo = 3, $bar = 23/tcp]
+@end example
+
+yields a @code{record} with two fields, @code{foo} of type @code{count} and
+@code{bar} of type @code{port}.  The values used in the constructor needn't
+be constants, however; they can be any expression of an assignable type.
+@end quotation
+
+@cindex ?$?$@  record field test
+
+@command{record field test}
+@quotation
+Syntax:
+@quotation
+@emph{expr} @code{?$} @emph{field-name} 
+@end quotation
+Returns true if the given field has been set in the record yielded by
+@emph{expr}.  Note that @emph{field-name} @emph{must} correspond to
+one of the fields in the record type of @emph{expr} (otherwise, the
+expression would always be false).  The point of this operator is
+to test whether an @emph{&optional} field of a record has been
+assigned to.
+
+For example, suppose we have:
+@example
+    type rap_sheet: record @{
+        num_scans: count &optional;
+        first_activity: time;
+    @};
+    global the_goods: table[addr] of rap_sheet;
+@end example
+
+and we want to test whether the address held in the variable perp
+exists in the_goods and, if so, whether num_scans has been
+assigned to, then we could use:
+@example
+    perp in the_goods && the_goods[perp]?$num_scans
+@end example
+@end quotation
+
+@cindex expressions
+
diff --git a/doc/ref-manual/todo.texi b/doc/ref-manual/todo.texi
new file mode 100644
index 0000000000..9722d08c62
--- /dev/null
+++ b/doc/ref-manual/todo.texi
@@ -0,0 +1,174 @@
+
+@node Missing Documentation
+@chapter Missing Documentation
+
+This chapter holds stubs for subjects that have yet to be documented.
+Some of these are actually already somewhat covered elsewhere in the
+manual.  In addition, a major missing piece for the manual is the
+Bro language itself; below we mention some Bro language topics that
+come up elsewhere in the current version of the manual.
+
+@menu
+* use of prefixes::		
+* tcpdump save file that Bro writes::  
+* init initialization file::	
+* Assignment operators such as +=::  
+* notion of redefinition/refinement::  
+* Notice/Alarm model::		
+* Timer management::		
+* SYN-FIN filtering::		
+* Split routing::		
+* Scan dropping::		
+* Operator precedence::		
+* Partial connections::		
+* Packet drops::		
+* load directive::		
+* Global statements::		
+* Inserting tables into tables::  
+* Demultiplexing::		
+* Bro init file::		
+* Hostnames vs addresses::	
+* hot-report script::		
+* Use of libpcap/BPF::		
+* problem of evasion::		
+* Backscatter::			
+* Playing back traces::		
+* Discarders::			
+* Differences between this release and the previous one::  
+* Notice cascade::		
+* need for subtyping::		
+* need for CIDR masks::		
+* wish list::			
+* Known bugs::			
+* Execution tracing::
+* Policy analyzers::
+* Trace rewriting::
+* Rule benchmarking::
+* Connection state history recording::
+@end menu
+
+@node use of prefixes,
+@section The use of @emph{prefixes}
+
+
+@node  tcpdump save file that Bro writes,
+@section  The tcpdump save file that Bro writes 
+
+
+@node  init initialization file,
+@section  The bro.init initialization file 
+
+@node  Assignment operators such as +=,
+@section  Assignment operators such as += 
+
+@node  notion of redefinition/refinement,
+@section  The notion of redefinition/refinement 
+
+ 
+@node  Notice/Alarm model,
+@section  The notice/alarm model 
+
+@node  Timer management,
+@section  Timer management 
+
+@node  SYN-FIN filtering,
+@section  SYN-FIN filtering 
+
+@node  Split routing,
+@section  Split routing 
+
+@node  Scan dropping,
+@section  Scan dropping 
+
+@node  Operator precedence,
+@section  Operator precedence 
+
+@node  Partial connections,
+@section  Partial connections 
+
+@node  Packet drops,
+@section  Packet drops 
+
+@node  load directive,
+@section  The load directive 
+
+@node  Global statements,
+@section  Global statements 
+
+@node  Inserting tables into tables,
+@section  Inserting tables into tables 
+
+@node  Demultiplexing,
+@section  Demultiplexing 
+
+@node  Bro init file,
+@section  Bro init file 
+
+
+@node  Hostnames vs addresses,
+@section  Hostnames vs. addresses 
+
+
+@node  hot-report script,
+@section  The hot-report script 
+
+
+@node  Use of libpcap/BPF,
+@section  Use of libpcap/BPF 
+
+See: bpf,pcap refs XXX
+
+@node  problem of evasion,
+@section  The problem of evasion 
+
+See: ptacek98 paper XXX
+
+@node  Backscatter,
+@section  Backscatter 
+
+
+@node Playing back traces,
+@section Playing back traces 
+
+
+@node  Discarders,
+@section  Discarders 
+
+@node  Differences between this release and the previous one,
+@section  Differences between this release and the previous one 
+
+
+@node  Notice cascade,
+@section  Notice cascade 
+
+
+@node  need for subtyping,
+@section  The need for subtyping 
+
+E.g., src addr vs. dst addr, perhaps
+using attributes.
+
+@node  need for CIDR masks,
+@section  The need for CIDR masks 
+
+
+@node  wish list,
+@section  The wish list 
+
+@node  Known bugs,
+@section  Known bugs 
+
+@node  Execution tracing,
+@section  Execution tracing
+
+@node  Policy analyzers,
+@section  Policy analyzers
+
+@node  Trace rewriting,
+@section  Trace rewriting
+
+@node  Rule benchmarking,
+@section  Rule benchmarking
+
+@node  Connection state history recording,
+@section  Connection state history recording
diff --git a/doc/ref-manual/values.texi b/doc/ref-manual/values.texi
new file mode 100644
index 0000000000..811c87e89f
--- /dev/null
+++ b/doc/ref-manual/values.texi
@@ -0,0 +1,1945 @@
+
+@node Values
+@chapter Values, Types, and Constants
+
+@menu
+* Values Overview::			
+* Booleans::			
+* Numeric Types::		
+* Enumerations::		
+* Strings::			
+* Patterns::			
+* Temporal Types::		
+* Port Type::			
+* Address Type::		
+* Net Type::			
+* Records::			
+* Tables::			
+* Sets::			
+* Files::			
+* Functions::			
+* Event handlers::		
+* any type::			
+@end menu
+
+@node Values Overview,
+@section Values Overview
+
+@cindex values, overview
+We begin with an overview of the types of values supported by
+Bro, giving a brief description of each type and
+introducing the notions of type conversion and type inference.
+We discuss each type in detail in 
+
+@menu
+* Bro Types::			
+* Type Conversions::		
+@end menu
+
+@node Bro Types
+@subsection Bro Types
+
+There are 18 (XXX check this) types of values in the Bro type
+system:
+@cindex types, overview
+
+@itemize @bullet
+@cindex types, bool
+
+@item 
+@code{bool} for Booleans;
+
+@cindex types, numeric
+@cindex types, count
+@cindex types, int
+@cindex types, double
+@cindex numeric types, count
+@cindex numeric types, int
+@cindex numeric types, double
+
+@item 
+@code{count}, @code{int}, and @code{double} types, collectively 
+called @emph{numeric}, for arithmetic and logical operations, and comparisons;
+
+@cindex types, enumeration
+@cindex types, enum
+
+@item 
+@code{enum} for enumerated types similar to those in C;
+
+@cindex types, string
+
+@item 
+@code{string}, character strings that can be used
+for comparisons and to index tables and sets;
+
+@cindex types, pattern
+
+@item 
+@code{pattern}, regular expressions that can be used for pattern
+matching;
+
+@cindex types, temporal
+@cindex types, time
+@cindex types, interval
+
+@item 
+@code{time} and @code{interval}, for absolute and relative times,
+collectively termed @emph{temporal};
+
+@cindex types, port
+
+@item 
+@code{port}, a TCP or UDP port number;
+
+@cindex types, addr
+
+@item 
+@code{addr}, an IP address;
+
+@cindex types, net
+
+@item 
+@code{net}, a network prefix;
+
+@cindex types, record
+
+@item 
+@code{record}, a collection of values (of possibly different types),
+each of which has a name;
+
+@cindex types, table
+
+@item 
+@code{table}, an associative array, indexed by tuples of
+scalars and yielding values of a particular type;
+
+@cindex types, set
+
+@item 
+@code{set}, a collection of tuples-of-scalars, for which a
+particular tuple's membership can be tested;
+
+@cindex types, file
+
+@item 
+@code{file}, a disk file to write or append to;
+
+@cindex types, function
+
+@item 
+@code{function}, a function that when called with a list of
+values (arguments) returns a value;
+
+@cindex types, event
+
+@item 
+@code{event}, an event handler that is invoked with a list of
+values (arguments) any time an event occurs.
+
+@end itemize
+
+Every value in a Bro script has one of these types.
+For most types there are ways of specifying @emph{constants} representing
+values of the type.  For example, @code{2.71828} is a constant
+of type @code{double}, and @code{80/tcp} is a constant of type
+@code{port}.  The discussion of types below includes a description
+of how to specify constants for the types.
+
+@cindex typing, static
+@cindex static typing
+Finally, even though Bro variables have @emph{static} types,
+meaning that their type is fixed,
+often their type is @emph{inferred} from the value to which
+they are initially assigned when the variable is declared.
+For example,
+@example
+    local a = "hi there";
+@end example
+
+fixes @code{a}'s type as @code{string}, and
+@example
+    local b = 6;
+@end example
+
+sets @code{b}'s type to @code{count}.  See 
+for further discussion.
+
+@node Type Conversions,
+@subsection Type Conversions
+
+@cindex types, conversion
+Some types will be automatically converted to other types as
+needed.
+@cindex types, conversion, automatic
+For example, a @code{count} value can always be used where a @code{double}
+value is expected.  The following:
+@example
+    local a = 5;
+    local b = a * .2;
+@end example
+
+creates a local variable @code{a} of type @code{count} and
+assigns the @code{double} value @code{1.0} to @code{b}, which will
+also be of type @code{double}.
+Automatic conversions are limited to converting between @emph{numeric} types.
+The rules for how types are converted are given below.
+@cindex types, conversion
+
+@node Booleans,
+@section Booleans
+
+@cindex booleans
+The @code{bool} type reflects a value with one of two possible
+meanings: @emph{true} or @emph{false}.
+
+@menu
+* Boolean Constants::		
+* Logical Operators::		
+@end menu
+
+@node Boolean Constants,
+@subsection Boolean Constants
+
+@cindex constants, boolean
+@cindex T
+@cindex F
+There are two @code{bool} constants:
+@code{T} and @code{F}.  They
+represent the values of ``true" and ``false", respectively.
+
+@node Logical Operators,
+@subsection Logical Operators
+
+@cindex types, bool
+
+@cindex operators, logical
+Bro supports three logical operators:
+@code{&&},
+@cindex & short-circuit&&@  short-circuit ``and''
+@cindex short-circuit1-circuit && ``and'' operator
+@cindex and operator&& ``and'' operator
+@cindex operator, and&& ``and''
+@code{||},
+@cindex & or short-circuit"|"|@  short-circuit ``or''
+@cindex short-circuit2-circuit "|"| ``or'' operator
+@cindex or operator"|"| ``or'' operator
+@cindex operator, or"|"| ``or''
+and @code{!}
+@cindex & z not", @ @  ``not'' operator
+@cindex not operator",  ``not'' operator
+@cindex operator, not",  ``not''
+are Boolean ``and,'' ``or,'' and ``not,'' respectively.
+@code{&&} and @code{||} are ``short circuit'' operators, as in C:
+they evaluate their right-hand operand
+only if needed.
+
+The @code{&&} operator returns @code{F} if its
+first operand evaluates to @emph{false}, otherwise it evaluates its second
+operand and returns @code{T} if it evaluates to @emph{true}.
+The @code{||} operator evaluates its first operand and returns @code{T} if
+the operand evaluates to @emph{true}.  Otherwise it evaluates its second
+operand, and returns @code{T} if it is @emph{true}, @code{F} if @emph{false}.
+
+@cindex logical negation
+@cindex negation, logical
+The unary @code{!}
+operator returns the boolean negation of its argument.
+So, @code{!@ T} yields @code{F}, and @code{!@ F} yields @code{T}.
+
+@cindex operators, logical, associativity
+@cindex operators, logical, precedence
+The logical operators are left-associative.
+The @code{!}
+operator has very high precedence, the same as unary @code{+} and @code{-};
+see 
+The @code{||} operator has
+precedence just below @code{&&}, which in turn is just below that of
+the comparison operators (see @ref{Comparison Operators}).
+@cindex operators, logical
+@cindex booleans
+
+@node Numeric Types,
+@section Numeric Types
+
+@cindex types, count
+@cindex types, int
+@cindex types, double
+
+@cindex types, numeric
+@code{int}, @code{count}, and @code{double} types
+should be familiar to most programmers as integer, unsigned integer, and
+double-precision floating-point types.
+
+These types are referred to collectively as @emph{numeric}.  @emph{Numeric}
+types can be used in arithmetic operations (see 
+below) as well as in comparisons (@ref{Comparison Operators}).
+
+@menu
+* Numeric Constants::		
+* Mixing Numeric Types::	
+* Arithmetic Operators::	
+* Comparison Operators::	
+@end menu
+
+@node Numeric Constants,
+@subsection Numeric Constants
+
+@cindex constants, count
+@code{count} constants are just strings of digits: @code{1234} and @code{0}
+are examples.
+
+@cindex constants, integer
+@code{integer} constants are strings of digits preceded
+by a @code{+} or @code{-} sign: @code{-42} and @code{+5} for example.
+Because digit strings without a sign are of type @code{count}, occasionally
+you need to take care when defining a variable if it really needs to
+be of type @code{int} rather than @code{count}.  Because of type inferencing
+, a definition like:
+@example
+    local size_difference = 0;
+@end example
+
+will result in @code{size_difference} having type @code{count} when
+@code{int} is what's instead needed (because, say, the size difference can be
+negative).  This can be resolved either by using an @code{int} constant
+in the  initialization:
+@example
+    local size_difference = +0;
+@end example
+
+or explicitly indicating the type:
+@example
+    local size_difference: int = 0;
+@end example
+
+@cindex constants, floating-point
+You write floating-point constants in the usual ways, a string of digits
+with perhaps a decimal point and perhaps a scale-factor written in scientific
+notation.  Optional @code{+} or @code{-} signs may be given before the digits
+or before the scientific notation exponent.
+Examples are @code{-1234.}, @code{-1234e0}, @code{3.14159}, and @code{.003e-23}.
+All floating-point constants are of type @code{double}.
+
+@node Mixing Numeric Types,
+@subsection Mixing Numeric Types
+
+@cindex types, numeric, intermixing
+@cindex types, numeric, bool not numeric
+You can freely intermix @emph{numeric} types in expressions.  When intermixed,
+values are promoted to the ``highest" type in the expression.
+In general, this promotion follows a simple hierarchy: @code{double} is
+highest, @code{int} comes next, and @code{count} is lowest.  (Note that
+@code{bool} is not a numeric type.)
+
+@node Arithmetic Operators,
+@subsection Arithmetic Operators
+
+@cindex operators, arithmetic
+@cindex addition, numeric
+@cindex subtraction, numeric
+@cindex multiplication, numeric
+@cindex division, numeric
+@cindex operators, arithmetic, operand conversion
+For doing arithmetic, Bro supports
+@code{+}
+@code{-}
+@code{*}
+@code{/}
+and
+@code{%}
+@cindex percent modulus operator
+.
+In general, binary operators evaluate their operands after converting them
+to the higher type of the two and return a result of that type.
+However, subtraction of two @code{count} values yields an @code{int} value.
+Division is integral if its operands are @code{count} and/or @code{int}.
+
+@code{+}
+and @code{-}
+can also be used as unary operators.  If applied to a @code{count} type,
+they yield an @code{int} type.
+
+@code{%} computes a @emph{modulus}, defined in the same way as in
+the C language.  It can only be applied to @code{count} or @code{int}
+types, and yields @code{count} if both operands are @code{count} types,
+otherwise @code{int}.
+
+@cindex operators, arithmetic, precedence
+Binary @code{+} and @code{-}
+have the lowest precedence, @code{*}, @code{/}, and @code{%} have equal
+and next highest precedence.  The unary
+@code{+} and @code{-} operators have the same precedence as the @code{!}
+operator @ref{Logical Operators}.
+See , for a table of the precedence of all Bro
+operators.
+
+@cindex operators, arithmetic, associativity
+All arithmetic operators associate from left-to-right.
+@cindex operators, arithmetic
+
+@node Comparison Operators,
+@subsection Comparison Operators
+
+@cindex operators, comparison
+@cindex relationals, numeric
+@cindex operators, comparison, operand conversion
+Bro provides the usual comparison operators:
+@code{==}
+@cindex == equality operator==@  equality operator
+,
+@code{!=}
+@cindex == inequality operator", =@  inequality operator
+,
+@code{<}
+@cindex == less-than operator<@ @  less-than operator
+,
+@code{<=}
+@cindex == less-than-or-equal operator<=@  less-or-equal operator
+,
+@code{>}
+@cindex == z operator>@ @  greater-than operator
+,
+and
+@code{>=}
+@cindex == zz operator>=@  greater-or-equal operator
+.
+They each take two operands, which
+they convert to the higher of the two types (see @ref{Mixing Numeric Types}).
+They return a @code{bool} corresponding to the comparison of the operands.
+For example,
+@example
+    3 < 3.000001
+@end example
+
+yields true.
+
+@cindex operators, comparison, associativity
+@cindex operators, comparison, precedence
+The comparison operators are all non-associative and have equal precedence,
+just below that of the 
+just above that of the 
+See ,
+for a general discussion of precedence.
+@cindex operators, comparison
+@cindex types, numeric
+
+@node Enumerations,
+@section Enumerations
+
+@cindex enumerations
+@cindex types, enum
+Enumerations allow you to specify a set of related values that have
+no further structure, similar to @code{enum} types in C.  For example:
+@example
+    type color: enum @{ Red, White, Blue, @};
+@end example
+
+defines the values @code{Red}, @code{White}, and @code{Blue}.  A variable
+of type @code{color} holds one of these values.  Note that @code{Red} et al
+@cindex global scope, of enumerations
+have @emph{global scope}.  You @emph{cannot} define a variable or type
+with those names.  (Also note that, as usual, the comma after @code{Blue}
+is optional.)
+
+The only operations allowed on enumerations are comparisons for
+equality.  Unlike C enumerations, they do not have values or an
+ordering associated with them.
+
+You can extend the set of values in an enumeration using
+@code{redef enum @emph{identifier} += @{ @emph{name-list} @}}:
+@example
+    redef enum color += @{ Black, Yellow @};
+@end example
+
+@cindex enumerations
+
+@node Strings,
+@section Strings
+
+@cindex strings
+@cindex types, string
+The @code{string} type holds character-string values, used to represent
+and manipulate text.
+
+@menu
+* String Constants::		
+* String Operators::		
+@end menu
+
+@node String Constants,
+@subsection String Constants
+
+@cindex constants, string
+@cindex escape sequences
+@cindex possible future changes, breaking string constants across multiple lines
+You create string constants by enclosing text within double (@code{"}) quotes.
+A backslash character (@code{\}) 
+introduces an @emph{escape sequence}.  The following ANSI C escape
+sequences are recognized:
+FIXME
+the 8-bit ASCII character with code @emph{hex-digits}.
+Bro string constants currently @emph{cannot} be continued across
+multiple lines by escaping newlines in the input.  This may change
+in the future.
+Any other character following a @code{\} is passed along literally.
+
+@cindex NULs, allowed in strings
+
+@cindex evasion, inserting NULs
+
+Unlike in C, strings are represented internally as a count and a
+vector of bytes, rather than a NUL-terminated series of bytes.  This
+difference is important because NULs can easily be introduced into strings
+derived from network traffic, either by the nature of the application,
+inadvertently, or maliciously by an attacker attempting to subvert the
+monitor.  An example of the latter is sending the following to an FTP server:
+@example
+    USER nice\0USER root
+@end example
+
+where ``@code{\0}'' represents a NUL.  Depending on how it is written,
+the FTP application receiving this text might well interpret it as
+two separate commands, ``@code{USER nice}'' followed by ``@code{USER root}''.
+But if the monitoring program uses NUL-terminated strings, then it
+will effectively see only ``@code{USER nice}'' and have no opportunity
+to detect the subversive action.
+
+@cindex NULs, terminating string constants
+@cindex string constants, NUL terminated
+Note that Bro string constants are automatically NUL-terminated.
+
+Note: While Bro itself allows NULs in strings, their presence
+in arguments to many Bro functions results in a run-time error, as
+often their presence (or, conversely, lack of a NUL terminator)
+indicates some sort of problem (particularly
+for arguments that will be passed to C functions).  See 
+section @ref{Run-time errors for strings with NULs} for discussion. 
+
+@cindex constants, string
+
+@node String Operators,
+@subsection String Operators
+
+@cindex operators, string
+@cindex relationals, string
+@cindex ASCII, as usual character set
+@cindex character set, ASCII
+Currently the only string operators provided are the comparison
+operators discussed in @ref{Comparison Operators} and pattern-matching
+as discussed in @ref{Pattern Operators}.  These operators
+perform character by character comparisons based on the native
+character set, usually ASCII.
+
+Some functions for manipulating strings are also available.  See
+.
+@cindex strings
+
+@cindex strings
+
+@node Patterns,
+@section Patterns
+
+@cindex types, pattern
+@cindex searching for strings
+@cindex pattern matching
+
+@cindex patterns
+The @code{pattern} type holds regular-expression patterns, which can
+be used for fast text searching operations.
+
+@menu
+* Pattern Constants::		
+* Pattern Operators::		
+@end menu
+
+@node Pattern Constants,
+@subsection Pattern Constants
+
+@cindex constants, pattern
+@cindex flex utility
+@cindex lex utility
+@cindex utilities, flex
+@cindex utilities, lex
+You create pattern constants by enclosing text within forward slashes (@code{/}).
+The syntax is the same as for the @emph{flex} version of the @emph{lex}
+utility.
+For example,
+@example
+    /foo|bar/
+@end example
+
+specifies a pattern that matches either the text ``foo'' or the
+text ``bar'';
+@example
+    /[a-zA-Z0-9]+/
+@end example
+
+matches one or more letters or digits, as will
+@example
+    /[[:alpha:][:digit:]]+/
+@end example
+
+or
+@example
+    /[[:alnum:]]+/
+@end example
+
+and the pattern
+@example
+    /^rewt.*login/
+@end example
+
+matches any string with the text ``rewt'' at the beginning of
+a line followed somewhere later in the line by the text ``login''.
+
+You can create disjunctions (patterns the match any of a number of
+alternatives) both using the ``@{@code{|}@}'' regular expression
+operator directly, as in the first example above, or by using it
+to join multiple patterns.  So the first example above
+could instead be written:
+@example
+    /foo/ | /bar/
+@end example
+
+This form is convenient when constructing large disjunctions because
+it's easier to see what's going on.
+
+Note that the speed of the regular expression matching does @emph{not}
+depend on the complexity or size of the patterns, so you should feel
+free to make full use of the expressive power they afford.
+
+You can assign @code{pattern} values to variables, hold them in tables,
+and so on.  So for example you could have:
+@example
+    global address_filters: table[addr] of pattern = @{
+        [128.3.4.4] = /failed login/ | /access denied/,
+        [128.3.5.1] = /access timeout/
+    @};
+@end example
+
+and then could test, for example:
+@example
+    if ( address_filters[c$id$orig_h] in msg )
+        skip_the_activity();
+@end example
+
+Note though that you cannot use create patterns dynamically.
+this form (or any other) to create dynamic
+
+@cindex constants, pattern
+
+@node Pattern Operators,
+@subsection Pattern Operators
+
+@cindex operators, pattern
+
+There are two types of pattern-matching operators: @emph{exact}
+matching and @emph{embedded} matching.
+
+@menu
+* Exact Pattern Matching::	
+* Embedded Pattern Matching::	
+@end menu
+
+@node Exact Pattern Matching,
+@subsubsection Exact Pattern Matching
+
+@cindex pattern matching, exact
+Exact matching tests for a
+string entirely matching a given
+pattern.  You specify exact matching by using the
+@code{==} equality relational with one @code{pattern} operand and one
+@code{string} operand (order irrelevant).  For example,
+@example
+    "foo" == /foo|bar/
+@end example
+
+yields true, while
+@example
+    /foo|bar/ == "foobar"
+@end example
+
+yields false.  The @code{!=} operator is the negation of the @code{==}
+operator, just as when comparing strings or numerics.
+
+Note that for exact matching, the @code{^} (anchor to beginning-of-line)
+and @code{$} (anchor to end-of-line) regular expression operators are
+redundant: since the match is @emph{exact}, every pattern is implicitly
+anchored to the beginning and end of the line.
+
+@node Embedded Pattern Matching,
+@subsubsection Embedded Pattern Matching
+
+@cindex pattern matching, embedded
+
+@cindex in operator operator
+Embedded matching tests whether a given pattern appears anywhere
+within a given string.
+You specify embedded pattern matching
+using the @code{in} operator.  It takes two operands, the first
+(which must appear on the left-hand side) of type @code{pattern},
+the second of type @code{string}.
+For example,
+@example
+    /foo|bar/ in "foobar"
+@end example
+
+yields true, as does
+@example
+    /oob/ in "foobar"
+@end example
+
+but
+@example
+    /^oob/ in "foobar"
+@end example
+
+does not, since the text ``oob'' does not appear the beginning
+of the string ``foobar''.
+Note, though, that the @code{$} regular expression operator (anchor
+to end-of-line) is not currently supported, so:
+@example
+    /oob$/ in "foobar"
+@end example
+
+currently yields true.  This is likely to change in the future.
+@cindex bugs, $ pattern operator not supported
+
+@cindex in2 operator", in negation of  operator
+@cindex not in operator", in negation of  operator
+Finally, the @code{!in} operator yields the negation of the @code{in} operator.
+
+@cindex patterns
+
+@node Temporal Types,
+@section Temporal Types
+
+@cindex time
+@cindex absolute time
+@cindex relative time
+@cindex temporal, types
+@cindex types, time
+@cindex types, interval
+
+Bro supports types representing @emph{absolute} and @emph{relative}
+times with the @code{time} and @code{interval} types, respectively.
+
+@menu
+* Temporal Constants::		
+* Temporal Operators::		
+@end menu
+
+@node Temporal Constants,
+@subsection Temporal Constants
+
+@cindex constants, temporal
+@cindex temporal, constants
+@cindex constants, time
+@cindex constants, interval
+@cindex possible future changes, constants for absolute times
+There is currently no way to specify an absolute time as a constant
+(though see the @code{current_time} and @code{network_time} functions
+in @ref{Functions for manipulating time}).  You can specify @code{interval} constants,
+however, by appending a @emph{time unit} after a numeric constant.
+For example,
+@example
+    3.5 min
+@end example
+
+denotes 210 seconds.
+The different time units are @code{usec}, @code{sec},
+@code{min}, @code{hr}, and @code{day}, representing microseconds, seconds,
+minutes, hours, and days, respectively.  The whitespace between 
+the numeric constant and the unit is optional, and the letter ``s''
+may be added to pluralize the unit (this has no semantic effect).
+So the above
+example could also be written:
+@cindex usec (microseconds) interval unit
+@cindex sec (seconds) interval unit
+@cindex min (minutes) interval unit
+@cindex hr (hours) interval unit
+@cindex day interval unit
+@cindex interval units, usec
+@cindex interval units, sec
+@cindex interval units, min
+@cindex interval units, hr
+@cindex interval units, day
+@example
+    3.5mins
+@end example
+
+or
+@example
+    150 secs
+@end example
+
+@cindex constants, interval
+@cindex constants, time
+
+@node Temporal Operators,
+@subsection Temporal Operators
+
+@cindex operators, temporal
+
+You can apply arithmetic and relational operators to temporal
+values, as follows.
+
+@menu
+* Temporal Negation::		
+* Temporal Addition::		
+* Temporal Subtraction::	
+* Temporal Multiplication::	
+* Temporal Division::		
+* Temporal Relationals::	
+@end menu
+
+@node Temporal Negation,
+@subsubsection Temporal Negation
+
+@cindex temporal, negation
+@cindex negation, temporal
+
+The unary @code{-}
+operator can be applied to an @code{interval} value to yield another
+@code{interval} value.  For example,
+@example
+    - 12 hr
+@end example
+
+represents ``twelve hours in the past.''
+
+@node Temporal Addition,
+@subsubsection Temporal Addition
+
+@cindex temporal, addition
+@cindex addition, temporal
+
+Adding two @code{interval} values yields another @code{interval} value.
+For example,
+@example
+    5 sec + 2 min
+@end example
+
+yields 125 seconds.
+Adding a @code{time} value to an @code{interval} yields
+another @code{time} value.
+
+@node Temporal Subtraction,
+@subsubsection Temporal Subtraction
+
+@cindex temporal, subtraction
+@cindex subtraction, temporal
+
+Subtracting a @code{time} value from another @code{time} value
+yields an @code{interval} value, as does subtracting an @code{interval}
+value from another @code{interval}, while subtracting an @code{interval}
+from a @code{time} yields a @code{time}.
+
+@node Temporal Multiplication,
+@subsubsection Temporal Multiplication
+
+@cindex temporal, multiplication
+@cindex multiplication, temporal
+
+You can multiply an @code{interval} value by a @emph{numeric} value
+to yield another @code{interval} value.  For example,
+@example
+   5 min * 6.5
+@end example
+
+yields 1,950 seconds.  @code{time} values cannot be scaled by
+multiplication or division.
+
+@node Temporal Division,
+@subsubsection Temporal Division
+
+@cindex temporal, division
+@cindex division, temporal
+
+You can also divide an @code{interval} value by a @emph{numeric} value
+to yield another @code{interval} value.  For example,
+@example
+   5 min / 2
+@end example
+
+yields 150 seconds.  Furthermore, you can divide one @code{interval}
+value by another to yield a @code{double}. For example,
+@example
+   5 min / 30 sec
+@end example
+
+yields 10.
+
+@node Temporal Relationals,
+@subsubsection Temporal Relationals
+
+@cindex temporal, relationals
+@cindex relationals, temporal
+
+You may compare two @code{time} values or two @code{interval} values
+for equality, and also for ordering, where times or intervals
+further in the future are considered larger than times or intervals
+nearer in the future, or in the past.
+
+@cindex time
+
+@node Port Type,
+@section Port Type
+
+@cindex port type
+@cindex ports, UDP
+@cindex ports, TCP
+@cindex ports, ICMP
+@cindex ports, unknown
+
+The @code{port} type corresponds to transport-level port numbers.
+Besides TCP or UDP ports, these can also be ICMP ``ports'', where the
+source port is the ICMP message type and the destination port the ICMP
+message code.  Furthermore, the transport-level protocol of a port can
+remain unspecified.  In any case, a value of type @code{port}
+represents exactly one of those four transport protocol choices.
+
+@menu
+* Port Constants::		
+* Port Operators::		
+* Port Functions::		
+@end menu
+
+@node Port Constants,
+@subsection Port Constants
+
+@cindex constants, port
+@cindex ports, constants
+There are two forms of @code{port}
+constants.  The first consists of an unsigned integer followed by one of
+``@code{/tcp}'', ``@code{/udp}'', ``@code{/icmp}'', or ``@code{/unknown}''.
+So, for example, ``@code{80/tcp}'' corresponds to TCP port 80 (typically
+used for the HTTP protocol). The second form of constant is specified
+using a predefined identifier, such as ``@code{http}'', equivalent to
+``@code{80/tcp}.''  These predefined identifiers are simply @code{const}
+variables defined in the Bro initialization file, such as:
+@example
+    const http = 80/tcp;
+@end example
+
+@node Port Operators,
+@subsection Port Operators
+
+@cindex ports, operators
+@cindex operators, ports
+
+The only operations that can be applied to @code{port} values are
+relationals.  You may compare them for equality, and also for ordering.
+For example,
+@example
+     20/tcp < telnet
+@end example
+
+yields true because @code{telnet} is a predefined constant set to
+@code{23/tcp}.  
+
+When comparing ports across transport-level protocols, the following
+holds: unknown < TCP < UDP < ICMP. For example, ``@code{65535/tcp}'' is
+smaller than ``@code{0/udp}''.
+
+@cindex port type
+
+@node Port Functions,
+@subsection Port Functions
+
+@cindex ports, functions
+
+You can obtain the transport-level protocol type of a port as an
+@code{enum} constant of type @code{transport_proto} (defined in
+@code{bro.init}), using the built-in function (see @ref{Predefined Functions})
+@code{get_port_transport_proto(p: port): transport_proto}.
+
+@node Address Type,
+@section Address Type
+
+@cindex address type
+
+@cindex relationals, address
+Another networking type provided by Bro is @code{addr}, corresponding to an
+IP address.  The only operations that can be performed on them are
+comparisons for equality or inequality (also, a built-in function provides
+masking, as discussed below).
+
+When configuring the Bro distribution, if you specify @code{--enable-brov6}
+
+then Bro will be built to support both IPv4 and IPv6 addresses,
+and an @code{addr} can hold either.  Otherwise, addresses are
+restricted to IPv4.
+@cindex IPv6 support
+
+@menu
+* Address Constants::		
+* Address Operators::		
+@end menu
+
+@node Address Constants,
+@subsection Address Constants
+
+@cindex constants, address
+@cindex address type, constants
+@cindex IPv4/IPv6 address constants
+
+Constants of type @code{addr} have the familiar ``dotted quad'' format,
+@code{A_1.A_2.A_3.A_4}, where the A_i all lie
+between 0 and 255.  If you have configured for IPv6 support as discussed
+above, then you can also use the colon-separated hexadecimal form
+described in RFC2373.
+
+@cindex hostnames
+@cindex constants, hostname
+
+Often more useful are @emph{hostname} constants.  There is no Bro
+type corresponding to Internet hostnames. Because hostnames can correspond
+to multiple IP addresses, you quickly run into ambiguities if comparing
+one hostname with another.  Bro does, however, support hostnames as
+constants.  Any series of two or more identifiers delimited by dots
+forms a hostname constant, so, for example, ``@code{lbl.gov}'' and
+``@code{www.microsoft.com}'' are both hostname constants (the latter,
+as of this writing, corresponds to 5 distinct IP addresses).  The value of
+a hostname constant is a @code{list} of @code{addr} containing one
+or more elements.  These lists (as with the lists associated with
+certain @code{port} constants, discussed above) cannot be used in
+Bro expressions; but they play a central role in initializing Bro 
+@command{tables} and @command{sets}.
+
+@node Address Operators,
+@subsection Address Operators
+@cindex address type, operators
+@cindex operators, address
+
+The only operations that can be applied to @code{addr} values are
+comparisons for equality or inequality, using @code{==} and @code{!=}.
+However, you can also operate on @code{addr} values using
+ to mask off lower address bits, and 
+to convert an @code{addr} to a @code{net} (see below).
+
+@cindex address type
+
+@node Net Type,
+@section Net Type
+@cindex net type
+
+@cindex address masking
+@cindex CIDR
+@cindex subnets
+@cindex prefixes, network
+@cindex network prefixes
+Related to the @code{addr} type is @code{net}.  @code{net} values hold address
+prefixes.  Historically, the IP address space was divided into different
+@emph{classes} of addresses, based on the uppermost components of a given
+address: class A spanned the range 0.0.0.0 to 127.255.255.255; class B from
+128.0.0.0 to 191.255.255.255; class C from 192.0.0.0 to 223.255.255.255;
+class D from 224.0.0.0 to 239.255.255.255; and class E from 240.0.0.0 to
+255.255.255.255.  Addresses were allocated to different networks out of
+either class A, B, or C, in blocks of @math{2^{24}}, @math{2^{16}}, and @math{2^8}
+addresses, respectively.
+
+Accordingly, @code{net} values hold either an 8-bit class A prefix,
+a 16-bit class B prefix, a 24-bit class C prefix, or a 32-bit class D
+``prefix'' (an entire address).  Values for class E prefixes are not
+defined (because no such addresses are currently allocated, and so shouldn't
+appear in other than clearly-bogus packets).
+
+Today, address allocations come not from class A, B or C, but instead
+from @emph{CIDR} blocks (CIDR = Classless Inter-Domain Routing), which
+are prefixes between 1 and 32 bits long in the range 0.0.0.0 to
+223.255.255.255.  @emph{Deficiency: Bro @emph{should} deal just with CIDR prefixes, rather than old-style network prefixes.  However, these are more difficult to implement efficiently for table searching and the like; hence currently Bro only supports the easier-to-implement old-style prefixes.  Since these don't match current allocation policies, often they don't really fit an address range you'll want to describe.  But for sites with older allocations, they do, which gives them some basic utility.}
+
+@cindex IPv6 and lack of CIDR prefixes
+In addition, @emph{Deficiency: IPv6 has no notion of old-style network prefixes, only CIDR prefixes, so the lack of support of CIDR prefixes impairs use of Bro to analyze IPv6 traffic. }
+
+@menu
+* Net Constants::		
+* Net Operators::		
+@end menu
+
+@node Net Constants,
+@subsection Net Constants
+
+@cindex constants, net
+@cindex net, constants
+You express constants of type @code{net} in one of two forms, either:
+@quotation
+@code{N_1.N_2.}
+@end quotation
+or
+@quotation
+@code{N_1.N_2.N_3}
+@end quotation
+where the N_i all lie between 0 and 255.  The first of these corresponds
+to class B prefixes (note the trailing ``@code{.}'' that's required to
+distinguish the constant from a floating-point number), and the second to
+class C prefixes.  @emph{Deficiency: There's currently no way to specify a class A prefix. }
+
+@node Net Operators,
+@subsection Net Operators
+@cindex net, operators
+@cindex operators, net
+
+@cindex relationals, net
+The only operations that can be applied to @code{net} values are
+comparisons for equality or inequality, using @code{==} and @code{!=}.
+
+@cindex net type
+
+@node Records,
+@section Records
+
+@cindex records
+@cindex records, fields
+A @code{record} is a collection of values.  Each value has a name,
+referred to as one of the record's @emph{fields},
+and a type.  The values do
+not need to have the same type, and there is no restriction on the
+allowed types (i.e., each field can be @emph{any} type).
+
+@menu
+* Defining records::		
+* Record Constants::		
+* Accessing Fields Using $::	
+* Record Assignment::		
+@end menu
+
+@node Defining records,
+@subsection Defining records
+
+A definition of a record type has the following syntax:
+@example
+record @{ @math{field^+} @}
+@end example
+
+(that is, the keyword @code{record} followed by one-or-more @emph{field}'s
+enclosed in braces), where a @emph{field} has the syntax:
+@example
+identifier : type @math{field-attributes^*}  ; identifier : type @math{field-attributes^*}  ,
+@end example
+
+Each field has a name given by the identifier (which can be the same
+as the identifier of an existing variable or a field in another record).
+@cindex records, fields, legal names
+@cindex names, case-sensitive
+Field names must follow the same syntax as that for Bro variable names (see @ref{Variables Overview, 
+Variables}),
+namely they must begin with a letter or
+an underscore (``@code{_}'') followed by zero or more letters, underscores,
+or digits.  Bro reserved words such as @code{if} or @code{event} cannot
+be used for field names.  Field names are
+case-sensitive.
+
+Each field holds a value of the given type.
+We discuss the optional 
+Finally, you can use either a semicolon or a comma to terminate the
+definition of a record field.
+
+For example, the following record type:
+@example
+    type conn_id: record @{
+        orig_h: addr;  # Address of originating host.
+        orig_p: port;  # Port used by originator.
+        resp_h: addr;  # Address of responding host.
+        resp_p: port;  # Port used by responder.
+    @};
+@end example
+
+is used throughout Bro scripts to denote a connection identifier
+by specifying the connections originating and responding addresses
+and ports.  It has four fields: @code{orig_h} and @code{resp_h} of type
+@code{addr}, and @code{orig_p} of @code{resp_p} of type @code{port}.
+
+@node Record Constants,
+@subsection Record Constants
+@cindex constants, record
+
+You can initialize values of type
+@code{record} using either assignment from another, already existing
+@code{record} value; or element-by-element; or using a 
+
+In a Bro function or event handler, we could declare a local
+variable the @code{conn_id} type given above:
+@example
+    local id: conn_id;
+@end example
+
+and then explicitly assign each of its fields:
+@example
+    id$orig_h = 207.46.138.11;
+    id$orig_p = 31337/tcp;
+    id$resp_h = 207.110.0.15;
+    id$resp_p = 22/tcp;
+@end example
+
+@emph{Deficiency: One danger with this initialization method is that if you forget to initialize a field, and then later access it, you will @emph{crash} Bro. }
+
+Or we could use:
+@example
+    id = [$orig_h = 207.46.138.11, $orig_p = 31337/tcp,
+          $resp_h = 207.110.0.15, $resp_p = 22/tcp];
+@end example
+
+This second form is no different from assigning a @code{record} value 
+computed in some other fashion, such as the value of another variable,
+a table element, or the value returned by a function call.  Such assignments
+must specify @emph{all} of the fields in the target (i.e., in @code{id} in
+this example), unless the missing field has the  @code{&optional} or @code{&default} attribute.
+
+@cindex constants, record
+
+@node Accessing Fields Using $,
+@subsection Accessing Fields Using ``@code{$}''
+
+@cindex records, fields, accessing
+You access and assign record fields using the ``@code{$}'' (dollar-sign)
+operator.  As indicated in the example above, for the record @code{id} we can
+access its @code{orig_h} field using:
+@example
+    id$orig_h
+@end example
+
+which will yield the @code{addr} value @code{207.46.138.11}.
+
+@node Record Assignment,
+@subsection Record Assignment
+@cindex records, assignment
+@cindex assigning records
+You can assign one record value to another using simple assignment:
+@example
+    local a: conn_id;
+    ...
+    local b: conn_id;
+    ...
+    b = a;
+@end example
+
+@cindex copy, shallow vs. deep
+@cindex shallow copy
+@cindex deep copy
+
+Doing so produces a @emph{shallow} copy.  That is, after the assignment,
+@code{b} refers to the same record as does @code{a}, and an assignment
+to one of @code{b}'s fields will alter the field in @code{a}'s value
+(and vice versa for an assignment to one of @code{a}'s fields).
+However, assigning again to @code{b} itself, or assigning to @code{a} itself,
+will break the connection.
+
+In order to produce a @emph{deep} copy, use the clone operator ``copy()''.
+For more details, see @ref{Expressions}.
+
+You can also assign to a record another record that has fields with
+the same names and types, even if they come in a different order.
+For example, if you have:
+@example
+    local b: conn_id;
+    local c: record @{
+        resp_h: addr, orig_h: addr;
+        resp_p: port, orig_p: port;
+    @};
+@end example
+
+then you can assign either @code{b} to @code{c} or vice versa.
+
+You could @emph{not}, however, make the assignment (in either
+direction) if you had:
+@example
+    local b: conn_id;
+    local c: record @{
+        resp_h: addr, orig_h: addr;
+        resp_p: port, orig_p: port;
+        num_notices: count;
+    @};
+@end example
+
+because the field @code{num_notices} would either be missing or excess.
+
+However, when declaring a record you can associate attributes with the fields. The relevant ones are 
+@code{&optional},
+which indicates that when assigning to the record you can omit the field, and 
+@code{&default = expr}, which indicates
+that if the field is missing, then a reference to it returns the value of the expression @emph{expr}. So if instead you had:
+
+@example
+    local b: conn_id;
+    local c: record @{
+        resp_h: addr, orig_h: addr;
+        resp_p: port, orig_p: port;
+        num_notices: count &optional;
+    @};
+@end example
+
+then you could execute @code{c = b} even though @code{num_notices} is missing from b. 
+You still could not execute @code{b = c},
+though, since in that direction, @code{num_notices} is an extra field (regardless of whether it has 
+been assigned to or not --- the error is a type-checking error, not a run-time error).
+
+The same holds for:
+
+@example
+    local b: conn_id;
+    local c: record @{
+        resp_h: addr, orig_h: addr;
+        resp_p: port, orig_p: port;
+        num_notices: count &default = 0;
+    @};
+@end example
+
+I.e., you could execute @code{c = b} but not @code{b = c}. The only difference between this example and the previous one is that
+for the previous one, access to @code{c$num_notices} without having first assigned to it 
+results in a run-time error, while in the second, it yields 0.
+
+You can test for whether a record field exists using the @code{?$} operator.
+
+Finally, all of the rules for assigning records also apply when passing a record value as an argument in a function
+call or an event handler invocation.
+
+@node Tables,
+@section Tables
+
+@cindex tables
+@cindex array, associative
+@cindex associative array
+@cindex index, of a table
+@cindex yield, of a table
+@code{table}'s provide @emph{associative arrays}: mappings from one set of
+values to another.  The values being mapped are termed the @emph{index}
+(or @emph{indices}, if they come in groups of more than one)
+and the results of the mapping the @emph{yield}.
+
+Tables are quite powerful, and indexing them is very efficient,
+boiling down to a single hash table lookup.  So you should take advantage
+of them whenever appropriate.
+
+@menu
+* Declaring Tables::		
+* Initializing Tables::		
+* Table Attributes::		
+* Accessing Tables::		
+* Table Assignment::		
+* Deleting Table Elements::	
+@end menu
+
+@node Declaring Tables,
+@subsection Declaring Tables
+You declare tables using the following syntax:
+@quotation
+@code{table [} @emph{@math{type^+}} @code{] of} @emph{type}
+@end quotation
+@cindex scalars
+where @emph{@math{type^+}} is one or more types, separated by commas.
+
+The indices can be of the following @emph{scalar} types: @emph{numeric},
+@emph{temporal}, @emph{enumerations},
+@emph{string}, @emph{port}, @emph{addr}, or @emph{net}.
+The yield can be of any type.  So, for example:
+@example
+    global a: table[count] of string;
+@end example
+
+declares @code{a} to be a table indexed by a @code{count} value and
+yielding a @code{string} value, similar to a regular array in a
+language like C.  The yield type can also be more complex:
+@example
+    global a: table[count] of table[addr, port] of conn_id;
+@end example
+
+declares @code{a} to be a table indexed by @code{count} and
+yielding another table, which itself is indexed by an @code{addr}
+and a @code{port} to yield a  @code{conn_id} record.
+
+@cindex array, multi-dimensional
+@cindex multi-dimensional table
+This second example illustrates a @emph{multi-dimensional} table,
+one indexed not by a single value but by a @emph{tuple} of values.
+
+@node Initializing Tables,
+@subsection Initializing Tables
+You initialize tables by enclosing a set of initializers within braces.
+Each initializer looks like:
+@quotation
+@code{[} @emph{expr-list} @code{] =} @emph{expr}
+@end quotation
+where @emph{expr-list} is a comma-separated list of expressions
+corresponding to an index of the table (so, for a table indexed
+by @code{count}, for example, this would be a single expression
+of type @code{count}) and @emph{expr} is the yield value to 
+assign to that index.
+
+For example,
+@example
+    global a: table[count] of string = @{
+        [11] = "eleven",
+        [5] = "five",
+    @};
+@end example
+
+initializes the table @code{a} to have two elements, one indexed
+by @code{11} and yielding the string @code{"eleven"} and the other
+indexed by @code{5} and yielding the string @code{"five"}.
+(Note the comma after the last list element; it is optional,
+similar to how C allows final commas in declarations.)
+
+You can also group together a set of indices together to initialize
+them to the same value:
+@example
+    type HostType: enum @{ DeskTop, Server, Router @};
+    global a: table[addr] of HostType = @{
+        [[155.26.27.2, 155.26.27.8, 155.26.27.44]] = Server,
+    @};
+@end example
+
+is equivalent to:
+@example
+    type HostType: enum @{ DeskTop, Server, Router @};
+    global a: table[addr] of HostType = @{
+        [155.26.27.2] = Server,
+        [155.26.27.8] = Server,
+        [155.26.27.44] = Server,
+    @};
+@end example
+
+This mechanism also applies to 
+which can be used in table initializations for any indices of
+type @code{addr}.  For example, if @code{www.my-server.com} corresponded
+to the addresses 155.26.27.2 and 155.26.27.44, then the above
+could be written:
+@example
+    global a: table[addr] of HostType = @{
+        [[www.my-server.com, 155.26.27.8]] = Server,
+    @};
+@end example
+
+and if it corresponded to all there, then:
+@example
+    global a: table[addr] of HostType = @{
+        [www.my-server.com] = Server,
+    @};
+@end example
+
+You can also use multiple index groupings across different indices:
+@example
+    global access_allowed: table[addr, port] of bool = @{
+        [www.my-server.com, [21/tcp, 80/tcp]] = T,
+    @};
+@end example
+
+is equivalent to:
+@example
+    global access_allowed: table[addr, port] of bool = @{
+        [155.26.27.2, 21/tcp] = T,
+        [155.26.27.2, 80/tcp] = T,
+        [155.26.27.8, 21/tcp] = T,
+        [155.26.27.8, 80/tcp] = T,
+        [155.26.27.44, 21/tcp] = T,
+        [155.26.27.44, 80/tcp] = T,
+    @};
+@end example
+
+@emph{Fixme: add example of cross-product initialization of sets}
+
+@node Table Attributes,
+@subsection Table Attributes
+
+When declaring a table, you can specify a number of attributes
+that affect its operation:
+
+@table @samp
+
+@cindex default values
+
+@item @code{&default}
+Specifies a value to yield when an index does not appear in the table.
+Syntax:
+@quotation
+@code{&default = @emph{expr}}
+@end quotation
+@emph{expr} can have one of two forms.  If it's type is the same as
+the table's yield type, then @emph{expr} is evaluated and returned.
+@cindex dynamic defaults
+If it's type is a @code{function} with arguments whose types correspond
+left-to-right with the index types of the table, and which returns
+a type the same as the yield type, then that function is called with
+the indices that yielded the missing value to compute the default value.
+
+For example:
+@example
+    global a: table[count] of string &default = "nothing special";
+@end example
+
+will return the string @code{"nothing special"} anytime @code{a} is
+indexed with a @code{count} value that does not appear in @code{a}.
+
+A more dynamic example:
+@example
+    function nothing_special(): string
+        @{
+        if ( panic_mode )
+            return "look out!";
+        else
+            return "nothing special";
+        @}
+
+    global a: table[count] of string &default = nothing_special;
+@end example
+
+An example of using a function that computes using the index:
+@example
+    function make_pretty(c: count): string
+        @{
+        return fmt("**%d**", c);
+        @}
+
+    global a: table[count] of string &default = make_pretty;
+@end example
+
+@cindex memory management
+@cindex state management
+@cindex management, of state
+
+@item @code{&create_expire}
+Specifies that elements in the table should be @emph{automatically deleted} after a given amount of time has elapsed since they were
+first entered into the table.
+Syntax:
+@quotation
+@code{&create_expire = @emph{expr}}
+@end quotation
+where @emph{expr} is of type @code{interval}.
+
+@item @code{&read_expire}
+The same as @code{create_expire} except the element is deleted
+when the given amount of time has lapsed since the last time the
+element was accessed from the table.
+
+@item @code{&write_expire}
+The same as @code{&create_expire}  except the element is deleted
+when the given amount of time has lapsed since the last time the
+element was entered or modified in the table.
+
+@item @code{&expire_func}
+Specifies a function to call when an element is due for expression
+because of @command{&create_expire}, @command{&read_expire}, or @command{&write_expire}.
+Syntax:
+@quotation
+@code{&expire_func = @emph{expr}}
+@end quotation
+@emph{expr} must be a function that takes two arguments:
+the first one is a table with the same index and yield types as the
+associated table.  The second one is of type @code{any} and
+corresponds to the index(es) of the element being expired.
+The function must return an
+@code{interval} value.
+The @code{interval} indicates for how much longer the element should
+remain in the table; returning @code{0 secs} or a negative value instructs
+Bro to go ahead and delete the element.
+
+@emph{Deficiency: The use of an @code{any} type here is @emph{temporary} and will be changing in the future to a general @emph{tuple} notion. }
+
+@end table
+
+You specify multiple attributes by listing one after the other,
+@emph{without} commas between them:
+@example
+    global a: table[count] of string &default="foo" &write_expire=5sec;
+@end example
+
+Note that you can specify each type of attribute only once.  You can,
+however, specify more than one of 
+@command{&create_expire}, @command{&read_expire}, or @command{&write_expire}.
+In that case, whenever any of the corresponding timers expires, the element will
+be deleted.
+
+@node Accessing Tables,
+@subsection Accessing Tables
+As usual, you access the values in tables by indexing them with 
+a value (for a single index) or list of values (multiple indices)
+enclosed in @code{[]}'s.
+@cindex sub-tables, lack of
+@emph{Deficiency: Presently, when indexing a multi-dimensional table you must provide @emph{all} of the relevant indices; you can't leave one out in order to extract a sub-table. }
+
+You can also index arrays using @code{record}'s, providing the
+record is comprised of values whose types match that of the table's
+indices.  (Any record fields whose types are themselves records
+are recursively unpacked to effect this matching.)  For example,
+if we have:
+@example
+    local b: table[addr, port] of conn_id;
+    local c = 131.243.1.10;
+    local d = 80/tcp;
+@end example
+
+then we could index @code{b} using @code{b[c, d]}, but if we had:
+@example
+    local e = [$field1 = c, $field2 = d];
+@end example
+
+we could also index it using @code{a[d]}
+
+You can test whether a table holds a given index using
+the @code{in} operator:
+@example
+    [131.243.1.10, 80/tcp] in b
+@end example
+
+or
+@example
+    e in b
+@end example
+
+per the examples above.  In addition, if the table has only
+a single index (not multi-dimensional), then you can omit
+the @code{[]}'s:
+@example
+    local active_connections: table[addr] of conn_id;
+    ...
+    if ( 131.243.1.10 in active_connections )
+        ...
+@end example
+
+@node Table Assignment,
+@subsection Table Assignment
+An indexed table can be the target of an assignment:
+@example
+    b[131.243.1.10, 80/tcp] = c$id;
+@end example
+
+You can also assign to an entire table.  For example, suppose we
+have the global:
+@example
+    global active_conn_count: table[addr, port] of count;
+@end example
+
+@cindex tables, clearing entries
+then we could later clear the contents of the table using:
+@example
+    local empty_table: table[addr, port] of count;
+    active_conn_count = empty_table;
+@end example
+
+Here the first statement declares a local variable @code{empty_table}
+with the same type as @code{active_conn_count}.  Since we don't
+initialize the table, it starts out empty.  Assigning it to
+@code{active_conn_count} then replaces the value of @code{active_conn_count}
+with an empty table.
+@cindex copy, shallow vs. deep
+@cindex shallow copy
+@cindex deep copy
+Note: As with @code{record}'s, assigning @code{table} values results
+in a @emph{shallow copy}. For @emph{deep copies}, use the clone operator ``copy()''
+explained in @ref{Expressions}.
+
+In addition to directly accessing an element of a table by specifying
+its index, you can also loop over all of the indices in a table
+using the  statement.
+
+@node Deleting Table Elements,
+@subsection Deleting Table Elements
+You can remove an individual element from a table using the
+ statement:
+@example
+    delete active_host[c$id];
+@end example
+
+will remove the element in @code{active_host} corresponding to
+the connection identifier @code{c$id} (which is a @command{&conn_id} record).
+If the element isn't present, nothing happens.
+
+@cindex tables
+
+@node Sets,
+@section Sets
+
+@cindex set type
+Sets are very similar to tables.  The principle difference is that they are
+simply a collection of indices; they don't yield any values.
+You declare tables using the following syntax:
+@quotation
+@code{set [} @emph{@math{type^+}} @code{]}
+@end quotation
+where, as with @code{table}s,
+@emph{@math{type^+}} is one or more scalar types (or records), separated by commas.
+
+You initialize sets listing their elements in braces:
+@example
+    global a = @{ 21/tcp, 23/tcp, 80/tcp, 443/tcp @};
+@end example
+
+which implicitly types @code{a} as a @code{set[port]} and then
+initializes it to contain the given 4 @code{port} values.
+
+For multiple indices, you enclose each set of indices in brackets:
+@example
+    global b = @{ [21/tcp, "ftp"], [23/tcp, "telnet"], @};
+@end example
+
+which implicitly @code{b} as @code{set[port, string]} and then
+initializes it to contain the given two elements.  (As with tables,
+the comma after the last element is optional.)
+
+As with tables, you can group together sets of indices:
+@example
+    global c = @{ [21/tcp, "ftp"], [[80/tcp, 8000/tcp, 8080/tcp], "http"], @};
+@end example
+
+initializes @code{c} to contain 4 elements.
+
+Also as with tables, you can use the
+@command{&create_expire}, @command{&read_expire}, and @command{&write_expire}
+attributes to control the automatic expiration of elements in a set.
+@emph{Deficiency: However, the  attribute is not currently supported. }
+
+You can test for whether a particular member is in a set using
+the add elements using the @code{add} statement:
+@example
+    add c[443/tcp, "https"];
+@end example
+
+and can remove them using the @code{delete} statement:
+@example
+    delete c[21/tcp, "ftp"];
+@end example
+
+Also, as with tables, you can assign to the entire set, which assigns
+a 
+
+Finally, as with tables, you can loop over all of the indices in a set
+using the  statement.
+
+@cindex set type
+
+@node Files,
+@section Files
+
+@cindex file type
+@emph{Deficiency: Bro currently supports only a very simple notion of files. You can only write to files, you can't read from them: and files are essentially untyped---the only values you can write to them are @code{string}'s or values that can be converted to @code{string}.}
+
+You declare @code{file} variables simply as type @code{file}:
+@example
+    global f: file;
+@end example
+
+You can create values of type @code{file} by using the 
+function:
+@example
+    f = open("suspicious_info.log");
+@end example
+
+will create (or recreate, if it already exists) the file
+@emph{suspicious_info.log} and open it for writing.  You can also use
+ to append to an existing file (or create
+a new one, if it doesn't exist).
+
+You write to files using the @code{print} statement:
+@example
+    print f, 5 * 6;
+@end example
+
+will print the text @code{30} to the file corresponding to the value of @code{f}.
+
+There is no restriction regarding how many files you can have open at a
+given time.  In particular, even if your system has a limit imposed by
+RLIMIT_NOFILE as set by the system call  @code{setrlimit}.
+If, however, you want to to close a file, you can do so using @code{close},
+and you can test whether a file is open using @code{active-file}.
+
+Finally, you can control whether a file is buffered using @code{set-buf},
+and can flush the buffers of all open files using @code{flush-all}.
+
+@cindex file type
+
+@node Functions,
+@section Functions
+
+@cindex functions
+@cindex function type
+You declare a Bro @code{function} type using:
+@quotation
+@code{function(} @emph{argument*} @code{)} @code{:} @emph{type}
+@end quotation
+where @emph{argument} is a (possibly empty)
+comma-separated list of arguments, and the final
+``@code{:} @emph{type}'' declares the return type of the function.
+It is optional; if missing, then the function does not return a value.
+
+Each argument is declared using:
+@quotation
+@emph{param-name} @code{:} @emph{type}
+@end quotation
+
+So, for example:
+@example
+    function(a: addr, p: port): string
+@end example
+
+corresponds to a function that takes two parameters, @code{a} of type
+@code{addr} and @code{p} of type @code{port}, and returns a value of
+type @code{string}.
+
+You could furthermore declare:
+@example
+    global generate_id: function(a: addr, p: port): string;
+@end example
+
+to define @code{generate_id} as a variable of this type.  Note that
+the declaration does @emph{not} define the body of the function,
+and, indeed, @code{generate_id} could have different function bodies
+at different times, by assigning different function values to it.
+
+When defining a function including its body, the syntax is slightly different:
+
+@example
+function @emph{func-name} ( @emph{argument*} ) [ : type ] @{ @emph{statement*} @}
+@end example
+
+That is, you introduce @emph{func-name}, the name of the function, between
+the keyword @code{function} and the opening parenthesis of the argument
+list, and you list the statements of the function within braces at the end.
+
+For the previous example, we could define its body using:
+@example
+    function generate_id(a: addr, p: port): string
+        @{
+        if ( a in local_servers )
+            # Ignore port, they're always the same.
+            return fmt("server %s", a);
+
+        if ( p < 1024/tcp )
+            # Privileged port, flag it.
+            return fmt("%s/priv-%s", a, p);
+
+        # Nothing special - default formatting.
+        return fmt("%s/%s", a, p);
+        @}
+@end example
+
+We also could have omitted the first definition; a function definition
+like the one immediately above automatically defines @code{generate_id}
+as a function of type @code{function(a: addr, p: port): string}.  Note
+@cindex redefining functions
+@cindex functions, redefining
+though that if @emph{func-name} was indeed already declared, then the
+argument list much match @emph{exactly} that of the previous definition.
+This includes the names of the arguments; @emph{Unlike in C}, you cannot change
+the argument names between their first (forward) definition and the
+full definition of the function.
+
+You can also define functions without using any name.  These are
+referred to as are a type of expression.
+
+You can only do two things with functions: 
+or assign them.  As an example of the latter, suppose we have:
+@example
+    local id_funcs: table[conn_id] of function(p: port, a: addr): string;
+@end example
+
+would declare a local variable indexed by a
+
+same type as in the previous example.  You could then execute:
+@example
+    id_funcs[c$id] = generate_id
+@end example
+
+or call whatever function is associated with a given @code{conn_id}:
+@example
+    print fmt("id is: %s", id_funcs[c$id](80/tcp, 1.2.3.4));
+@end example
+
+@cindex function type
+@cindex functions
+
+@node Event handlers,
+@section Event handlers
+
+@cindex event type
+
+Event handlers are nearly identical in both syntax and semantics
+to functions, with the two differences being that event handlers
+have no return type since they never return a value, and you cannot
+call an event handler.  You declare an event handler using:
+@quotation
+@code{event (} @emph{argument*} @code{)}
+@end quotation
+So, for example,
+@example
+    local eh: event(attack_source: addr, severity: count)
+@end example
+
+declares the local variable @code{eh} to have a type corresponding
+to an event handler that takes two arguments, @code{attack_source} of
+type @code{addr}, and @code{severity} of type @code{count}.
+
+To declare an event handler along with its body, the syntax is:
+@quotation
+@code{event} @emph{handler} @code{(} @emph{argument} @code{)} @code{@{} @emph{statement} @code{@}}
+@end quotation
+
+As with functions, you can assign event handlers to variables of the
+same type.  Instead of calling event handlers like functions, though,
+@cindex event handler, invocation
+@cindex invoking event handlers
+instead they are @emph{invoked}.  This can happen in one of three ways:
+@table @samp
+@cindex event engine
+
+@item From the event engine
+When the event engine detects an event for which you have defined a
+corresponding event handler, it queues an event for that handler.  The
+handler is invoked as soon as the event engine finishes processing the
+current packet (and invoking any other event handlers that were queued
+first).  The various event handlers known to the event engine are discussed
+in Chapter N .
+
+@item Via the @code{event} statement
+The @code{event} statement queues an event for the given event handler
+for immediate processing.  For example:
+@example
+    event password_exposed(c, user, password);
+@end example
+
+queues an invocation of the event handler @code{password_exposed} with
+the arguments @code{c}, @code{user}, and @code{password}.  Note that
+@code{password_exposed} must have been previously declared as an event
+handler with a compatible set of arguments.
+
+Or, if we had a local variable @code{eh} as defined above, we could execute:
+@example
+    event eh(src, how_severe);
+@end example
+
+if @code{src} is of type @code{addr} and @code{how_severe} of type @code{count}.
+
+@item Via the @code{schedule} expression
+The  expression queues an event for future invocation.
+For example:
+@example
+    schedule 5 secs @{ password_exposed(c, user, password) @};
+@end example
+
+would cause @code{password_exposed} to be invoked 5 seconds in the future.
+
+@end table
+
+@cindex event type
+@cindex event handlers
+
+@node any type,
+@section The @code{any} type
+
+@cindex any type``any'' type
+The @code{any} type is a type used internally by Bro to bypass strong
+typing.  For example, the  function takes arguments
+of type @code{any}, because its arguments can be of different types,
+and of variable length.  However, the @code{any} type is not supported
+@cindex casting, not provided in Bro
+@cindex type casting, not provided in Bro
+for use by the user; while Bro lets you declare variables of type @code{any},
+it does not allow assignment to them.
+@cindex possible future changes, use of any type for bypassing strong typing
+This may change in the future.  Note, though, that you can achieve
+some of the same effect using @code{record} values with @code{&optional}
+fields.
+
+@cindex any type``any'' type
+
diff --git a/doc/ref-manual/vars.texi b/doc/ref-manual/vars.texi
new file mode 100644
index 0000000000..c7ed8223ec
--- /dev/null
+++ b/doc/ref-manual/vars.texi
@@ -0,0 +1,294 @@
+
+@node Global and Local Variables
+@chapter Global and Local Variables
+
+@menu
+* Variables Overview::			
+@end menu
+
+@node Variables Overview,
+@section Variables Overview
+
+@cindex variables, overview
+
+Bro variables can be complicated to understand because they have
+a number of possibilities and features.  They can be
+global or local in scope;
+modifiable or constant (unchangeable);
+explicitly or implicitly typed;
+optionally initialized;
+defined to have additional 
+@emph{attributes};
+and, for global variables,
+@emph{redefined} to have a different
+initialization or different attributes from their first declaration.
+
+Rather than giving the full syntax for variable declarations, which
+is messy, in the following sections we discuss each of these facets
+of variables in turn, illustrating them with the minimal necessary
+syntax.  However, keep in mind that the features can be combined
+as needed in a variable declaration.
+
+@menu
+* Scope::			
+* Assignment & call semantics::
+* Modifiability::		
+* Typing::			
+* Initialization::		
+* Attributes::			
+* Refinement::			
+@end menu
+
+@node Scope,
+@subsection Scope
+
+@cindex variables, scoping
+@cindex scoping of variables
+@cindex global variables
+@cindex local variables
+@emph{Global} variables are available throughout your policy script (once
+declared), while the scope of @emph{local} variables is confined to the
+function or event handler in which they're declared.  You indicate the
+variable's type using a corresponding keyword:
+@quotation
+@code{global} @emph{name} @code{:} @emph{type} @code{;}
+@end quotation
+or
+@quotation
+@code{local} @emph{name} @code{:} @emph{type} @code{;}
+@end quotation
+which declares @emph{name} to have the given type and the corresponding
+scope.
+
+You can intermix function/event handler definitions with declarations
+of global variables, and, indeed, they're in fact the same thing (that
+is, a function or event handler definition is equivalent to defining
+a global variable of type @code{function} or @code{event} and associating
+its initial value with that of the function or event handler).  So
+the following is fine:
+@example
+    global a: count;
+
+    function b(p: port): string
+        @{
+        if ( p < 1024/tcp )
+            return "privileged";
+        else
+            return "ephemeral";
+        @}
+
+    global c: addr;
+@end example
+
+However, you cannot mix declarations of global variables with
+global statements; the following is not allowed:
+@example
+    print "hello, world";
+    global a: count;
+@end example
+
+Local variables, on the other hand, can @emph{only} be declared within a
+function or event handler.  (Unlike for global statements, these declarations
+@emph{can} come after statements.)  Their scope persists to the end of
+the function.  For example:
+@example
+    function b(p: port): string
+        @{
+        if ( p < 1024/tcp )
+            local port_type = "privileged";
+        else
+            port_type = "ephemeral";
+
+        return port_type;
+        @}
+@end example
+
+@node Assignment & call semantics,
+@subsection Assignment & call semantics
+
+@cindex call semantics
+@cindex call by reference
+@cindex call by value
+@cindex assignment semantics
+@cindex aggregated types
+
+Assignments of aggregate types (such as records, tables, or vectors) are
+always @emph{shallow}, that is, they are performed @emph{by reference}.
+So when you assign a record or table value to another variable, any modifications
+you make to members become visible in both variables (see also
+@ref{Record Assignment}, @ref{Table Assignment}).
+
+The same holds for function calls: an aggregate value passed into a function
+is passed by reference, thus any modifications made to the value inside the
+function remain effective after the function returns.
+ 
+@cindex reference counting
+@cindex shallow copy
+@cindex deep copy
+It is important to be aware of the fact that events triggered using the
+@code{event} statement remain on the event queue until they are processed,
+and that any aggregate values passed as arguments to @code{event} can be modified
+at any time before the event handlers are executed. If this is not desirable,
+you have to copy the values before passing them to @code{event}. The model that applies
+here is one of @emph{reference counting}, not local scope or deep copying.
+If deep copies are desirable, use the clone operator ``copy()'' explained in
+@ref{Expressions}.
+
+Therefore, if an event handler triggering a new event modifies the arguments
+after the @code{event} statement, these changes will be visible inside the event
+handlers running later. This also affects the lifetime of a value. If an aggregate
+is for example stored in a table and referenced nowhere else, then retrieved and
+passed to an @code{event} statement, and removed from the table before the
+event handlers execute, it does remain in existence until the event handlers
+are executed.
+
+Furthermore, if multiple event handlers exist for a single event type, any changes
+to the arguments made by an event handler will be visible in other
+event handlers still to follow.
+
+@node Modifiability,
+@subsection Modifiability
+
+@cindex variables, modifiability
+@cindex modifiability of variables
+For both global and local variables, you can declare that the
+variable @emph{cannot be modified} by declaring it using the const
+keyword rather than global or local:
+@example
+    const response_script = "./scripts/nuke-em";
+@end example
+
+Note that @code{const} variables @emph{must} be initialized (otherwise,
+of course, there's no way for them to ever hold a useful value).
+
+The utility of marking a variable as unmodifiable is for clarity
+in expressing your script---making it explicit that a particular value
+will never change---and also allows Bro to possibly optimize accesses
+to the variable (though it does little of this currently).
+
+Note that const variables @emph{can} be redefined via
+redef.
+
+@node Typing,
+@subsection Typing
+
+@cindex variables, typing
+@cindex typing of variables
+@cindex implicit typing
+@cindex explicit typing
+When you define a variable, you can @emph{explicitly} type it by
+specifying its type after a colon.  For example,
+@example
+    global a: count;
+@end example
+
+directly indicates that a's type is @code{count}.
+
+However, Bro can also @emph{implicitly} type the variable by looking
+at the type of the expression you use to initialize the variable:
+@example
+    global a = 5;
+@end example
+
+also declares a's type to be @code{count}, since that's
+the type of the initialization expression (the constant 5).
+There is no difference between this declaration and:
+@example
+    global a: count = 5;
+@end example
+
+except that it is more concise both to write and to read.  In particular,
+Bro remains @emph{strongly} typed, even though it also supports @emph{implicit}
+typing; the key is that once the type is implicitly inferred, it is thereafter
+strongly enforced.
+
+@cindex type inference
+@cindex inferring types
+Bro's @emph{type inference} is fairly powerful: it can generally figure
+out the type whatever initialization expression you use.  For example,
+it correctly infers that:
+@example
+    global c = @{ [21/tcp, "ftp"], [[80/tcp, 8000/tcp, 8080/tcp], "http"], @};
+@end example
+
+specifies that c's type is set[port, string].  But for still
+more complicated expressions, it is not always able to infer the correct
+type.  When this occurs, you need to explicitly specify the type.
+
+@node Initialization,
+@subsection Initialization
+
+@cindex variables, initialization
+@cindex initialization of variables
+When defining a variable, you can optionally specify an initial
+value for the variable:
+@example
+    global a = 5;
+@end example
+
+indicates that the initial value of @code{a} is the value @code{5}
+(and also implicitly types a as type count, per @ref{Typing}).
+
+The syntax of an initialization is ``= @emph{expression}'', where
+the given expression must be assignment-compatible with the variable's
+type (if explicitly given).  Tables and sets also have special initializer
+forms, which are discussed in @ref{Initializing Tables} and @ref{Sets}.
+
+@node Attributes,
+@subsection Attributes
+
+@cindex variables, attributes
+@cindex attributes
+
+When defining a variable, you can optionally specify a set of
+@emph{attributes} associated with the variable, which specify
+additional properties associated with it.  Attributes have two forms:
+@quotation
+@code{&} @emph{attr}
+@end quotation
+for attributes that are specified simply using their name, and
+@quotation
+@code{&} @emph{attr} @code{=} @emph{expr}
+@end quotation
+for attributes that have a value associated with them.
+
+The attributes
+@code{&redef}
+@code{&add_func}
+and
+@code{&delete_func},
+pertain to redefining variables; they are discussed in @ref{Refinement}.
+
+The attributes
+@code{&default},
+@code{&create_expire},
+@code{&read_expire},
+@code{&write_expire}, and
+@code{&expire_func}
+are for use with table's and set's.
+See @ref{Table Attributes} for discussion.
+
+The attribute
+@code{&optional}
+specifies that a @code{record} field is optional.  See 
+for discussion.
+
+Finally, to specify multiple attributes, you do @emph{not} separate them
+with commas (doing so would actually make Bro's grammar ambiguous), but
+just list them one after another.  For example:
+@example
+    global a: table[port] of string &redef &default="missing";
+@end example
+
+@node Refinement,
+@subsection Refinement
+
+@cindex variables, redefining
+@cindex variables, refinement
+@cindex refinement
+@cindex redefining variables
+
+To do:
+&redef @*
+&add func @*
+&delete func 
diff --git a/doc/user-manual/Bro-Linux.texi b/doc/user-manual/Bro-Linux.texi
new file mode 100644
index 0000000000..0dc44f29a5
--- /dev/null
+++ b/doc/user-manual/Bro-Linux.texi
@@ -0,0 +1,11 @@
+
+The section not done!
+
+There are a number of patches needed to make Bro work well with Linux.
+
+These include:
+
+Luca Deri's patch to fix libpcap issues.
+
+
+
diff --git a/doc/user-manual/Bro-analysis.texi b/doc/user-manual/Bro-analysis.texi
new file mode 100644
index 0000000000..ad0f65f05e
--- /dev/null
+++ b/doc/user-manual/Bro-analysis.texi
@@ -0,0 +1,322 @@
+
+@subheading Rule one: There are no rules @enddots{}
+
+This section describes a specific procedure that can be followed with each "incident" that  Bro uncovers, but one must keep in mind that intrusion detection is not a static problem.  The perpetrators of intrusions and malicious network activity are constantly changing their techniques with the express purpose of evading detection.  Unexpected activities are often found by investigation of seemingly innocuous network oddities or serendipitous inspection of logs.  While Bro is an exceptionally useful tool for collecting, sorting, analyzing and flagging suspect network data, it cannot be expected to flag all new, cleverly disguised attacks.  Nor can it be expected to differentiate with 100% accuracy between aberrant, but legitimate, user behavior and a malicious attack.  Sometimes a strong curiosity is an analyst's best friend and Bro is the vehicle for allowing him or her to follow that curiosity.
+
+@menu
+* Two Types of Triggers ::
+* General Process Steps ::
+* Understand What Triggered the Alarm(s) ::
+* Understand the Intent of the Alarm(s) ::
+* Examine HTTP FTP or SMTP Sessions ::
+* Examine the Connection and Weird Logs ::
+* Examine the Bulk Trace if Available  ::
+* Contact and Question Appropriate People ::
+@end menu
+
+@node Two Types of Triggers
+@section Two Types of Triggers
+
+There are two ways that alarms can be triggered.  One is when network traffic matches a @emph{signatures} that has been converted to work with Bro.  The other way is by matching Bro @emph{rules} that are embedded in the Bro analyzers.
+
+@subsection Converted Signatures
+In the Bro report, converted signatures are identified by the alarm type: @code{SensitiveSignature} and the existence of a @code{bro} identification number.  Each signature is distinct, targeting one specific set of network events for each alarm.  Currently the majority of converted @emph{signatures} are developed from Snort@copyright{} signatures using the @file{snort2bro} utility.  In addition, enhancing have been made by utilizing features in the Bro policy language that are absent in Snort@copyright{}.  Most Bro signatures are found in the @file{$BROHOME/site/signatures.sig}, however, they can exist in other @file{.sig} files.
+
+@subsection Embedded Bro Rule
+Bro rules are typically embedded in the Bro @emph{analyzers} or other @file{.bro} policy files.
+@comment ***** XXX: Need ref to analyzer section of ref manual
+Several trigger conditions are usually lumped into a grouping of Bro rules within a @file{.bro} file, making it difficult to separate the exact condition that triggered the alarm.  Hence, alarms triggered by an embedded Bro rule will not have a specific @code{bro} identification number, nor will the @emph{signature code} block appear in the report.
+
+@quotation Possible types of embedded bro rule alarms
+@multitable {SensitiveUsernameInPassword} {ICMPConnectionPair} {FTP_ExcessiveFilename}
+@item AddressDropped
+@tab AddressScan
+@tab BackscatterSeen
+@item ClearToEncrypted_SS
+@tab CountSignature
+@tab DNS::DNS_MappingChanged
+@item DNS::DNS_PTR_Scan
+@tab FTP::FTP_BadPort
+@tab FTP::FTP_ExcessiveFilename
+@item FTP::FTP_PrivPort
+@tab FTP::FTP_Sensitive
+@tab FTP::FTP_UnexpectedConn
+@item HTTP::HTTP_SensitiveURI
+@tab HotEmailRecipient
+@tab ICMP::ICMPAsymPayload
+@item ICMP::ICMPUnpairedEchoReply
+@tab ICMP::ICMPConnectionPair
+@tab IdentSensitiveID
+@item LoginForbiddenButConfused
+@tab LocalWorm
+@tab MultipleSigResponders
+@item MultipleSignatures
+@tab OutboundTFTP
+@tab PasswordGuessing
+@item PortScan
+@tab RemoteWorm
+@tab ResolverInconsistency
+@item SSH_Overflow
+@tab SSL_SessConIncon
+@tab SSL_X509Violation
+@item ScanSummary
+@tab SensitiveConnection
+@tab SensitiveDNS_Lookup
+@item SensitivePortmapperAccess
+@tab SensitiveLogin
+@tab SensitiveSignature
+@item SensitiveUsernameInPassword
+@tab SignatureSummary
+@tab SynFloodEnd
+@item SynFloodStart
+@tab SynFloodStatus
+@tab TRW::TRWAddressScan
+@item TerminatingConnection
+@tab W32B_SourceLocal
+@tab W32B_SourceRemote
+@item ZoneTransfer
+@end multitable
+@end quotation
+
+@node General Process Steps
+@section General Process Steps
+
+The following steps will both aid the Bro user with uncovering network 
+activity of interest, and also help acquaint the user with the anomalies that Bro detects, together building up an understanding of what constitutes "normal" network traffic for the local site.  The analyst might follow each successive step with each incident until a firm determination is made if the incident is malicious or a "false positive".
+
+@itemize
+@item Understand What Triggered the Alarm(s)
+@item Understand the Intent of the Alarm(s)
+@item Examine the Session(s) from the HTTP, FTP, or SMTP Logs
+@item Examine the Connection Logs for Breakin Indicators
+@item Examine for Connections to Other Computers
+@item Examine Other Bro Logs for Odd Activity
+@item Examine the Bulk Trace if Available 
+@item Contact and Question Appropriate People
+@end itemize 
+
+@node Understand What Triggered the Alarm(s)
+@section Understand What Triggered the Alarm(s)
+
+To understand what triggered the alarm, compare the signature or rule code with @emph{payload}.  The network traffic that matches the signature, rule, or policy is known as the payload.  The payload that triggers the alarm is usually included in the Bro's incident report.
+Often it is obvious that the payload is not malicious.
+
+@quotation Example
+The signature may trigger on the word @emph{shadow}, notifying that someone may be attempting to download the shadow password file.  However, the payload may reveal that the actual download is something like @emph{theshadow.jpg}, which is obliviously innocuous.
+@end quotation
+
+The two kinds of alarms, converted signatures and embedded rules trigger alarms differently, so they must be treated separately.  The following sections describe how to investigate the signature or rule code and payload of each.
+
+@subsection Converted Snort Signatures
+These signatures are recognizable by the inclusion of a @code{bro} number and the identification @code{SensitiveSignature}.  A @emph{signature code} and @emph{payload} block should be present in the incident report.  To understand what triggered the alarm, compare the payload to the signature code and find the defined signature within the payload.  Since some payload lines can get extremely long, the payload lines in the report and notice and alarm logs has been truncated to 250 characters.  Sometimes the actual trigger payload is beyond the 250 character cut off.  In this case, the protocol sessions log file must be examined.  @xref{Examine HTTP FTP or SMTP Sessions}.
+
+@subsection Embedded Bro Rule
+For alarms triggered by an embedded Bro rule the @emph{signature code} block will not appear, and in many cases, neither will the payload.  There is currently no direct way to find the specific Bro rule that triggered the alarm other than to search the Bro policy files.  Following is a process for conducting that search.  The example of the @code{HTTP_SensitiveURL} is used.  In actual practice, this rule appears quite often in the reports.
+
+@quotation Read about the specific analyzer
+In the Bro Technical Reference Manual there are sections for each type of analyzer.  In the case of our example the HTTP analyzer is the obvious choice.  In the section on the HTTP analyzer, it is noted that the variables @var{sensitive_URIs} and @var{sensitive_post_URIs} are responsible for flagging sensitive URIs.
+@end quotation
+
+@quotation Find the policy file that defines these variables
+Using egrep to search for @var{sensitive_URIs} and/or @var{sensitive_post_URIs} yields the following:
+
+@example
+> egrep "sensitive_URIs | sensitive_post_URIs" http*
+http-request.bro:   const sensitive_URIs =
+http-request.bro:  # URIs that match sensitive_URIs but can be generated by worms
+http-request.bro:   const skip_remote_sensitive_URIs = /\/cgi-bin\/(phf|php\.cgi|test-cgi)/ &redef;
+http-request.bro:   const sensitive_post_URIs = /wwwroot|WWWROOT/ &redef;
+http-request.bro:   if ( (sensitive_URIs in URI && URI != worm_URIs) ||
+http-request.bro:   (method == "POST" && sensitive_post_URIs in URI) )
+http-request.bro:   skip_remote_sensitive_URIs in URI )
+@end example
+
+Clearly @file{http-request.bro} is the file of interest.  If, in the case of other types of analyzers, more than one file appears, look for the place where the @code{const} statement is used to declare the variable(s).
+@end quotation
+
+@quotation Look into the policy file
+Search in the section of Bro policy code that describes the rule(s) for the specific notification.  In the file @file{http-request.bro}, is found:
+
+@verbatim
+export{
+   const sensitive_URIs =
+      /etc.*\/.*(passwd|shadow|netconfig)/
+      | /IFS[ \t]*=/
+      | /nph-test-cgi\?/
+      | /(%0a|\.\.)\/(bin|etc|usr|tmp)/
+      | /\/Admin_files\/order\.log/
+      | /\/carbo\.dll/
+      | /\/cgi-bin\/(phf|php\.cgi|test-cgi)/
+      | /\/cgi-dos\/args\.bat/
+      | /\/cgi-win\/uploader\.exe/
+      | /\/search97\.vts/
+      | /tk\.tgz/
+      | /ownz/        # somewhat prone to false positives
+     &redef;
+
+     # URIs that match sensitive_URIs but can be generated by worms,
+     # and hence should not be flagged (because they're so common).
+     const worm_URIs =
+          /.*\/c\+dir/
+          | /.*cool.dll.*/
+          | /.*Admin.dll.*Admin.dll.*/
+     &redef;
+}
+
+redef capture_filters +=  {
+        ["http-request"] = "tcp dst port 80 or tcp dst port 8080
+                            or tcp dst port 8000"
+};
+
+# URIs that should not be considered sensitive if accessed remotely,
+# i.e. by a local client.
+const skip_remote_sensitive_URIs = /\/cgi-bin\/(phf|php\.cgi|test-cgi)/
+ &redef;
+
+const sensitive_post_URIs = /wwwroot|WWWROOT/ &redef;
+@end verbatim
+
+Unfortunately, there isn't any way of knowing exactly which one of these rules triggered the @code{HTTP_SensitiveURL} alarm.  As will be seen in the next section, the triggering payload must be compared against this entire section.
+@end quotation
+
+@node Understand the Intent of the Alarm(s)
+@section Understand the Intent of the Alarm(s)
+
+While understanding the technical signature or policy "code" that "triggered" the alarm, it is also useful to understand the reason the trigger was built.
+@itemize
+@item What attack or malicious behavior is the alarm trying to illuminate?
+@item What is the normal method of attack ... manual? automated?  expert? novice?
+@item How long has the particular attack existed?
+@item How often is it seen?  How often is it actually used by attackers?
+@end itemize
+All of these things, and any other information that can be gathered, will 
+help in differentiating attacks from legitimate behavior.  Although this process may seem tedious and time consuming in the beginning, the Bro analyst will quickly build up a substantial knowledge of known attacks.  Even if the incident in question turns out to be benign, the effort to learn about the attack almost always proves useful in future investigations.
+
+@subsection Converted Snort@copyright{} Signatures
+Since Snort@copyright{} signatures are usually fairly well documented, one way to discover the intent of the signature is to search the web for the title of the signature using any of the common search engines (Yahoo, Google, Teoma, AltaVista, or one of the may others).  For instance, a search on the @emph{MS SQL xp_cmdshell} vulnerability yields ~7000 hits.  One of those hits is:
+
+@example
+Zone-H.org * Advisories
+... Successful exploitation of this vulnerability can enable an attacker to 
+execute commands in the system (via MS SQL xp_cmdshell function). ...
+www.zone-h.org/advisories/read/id=4243 - 17k - Cached - Similar pages
+@end example
+
+This web site give a fairly detailed description of the exploit and verifies that it can be used to root compromise a computer and hence,  is a vulnerability of significant interest.  Several other sites also give details about the signature, the attack, and other useful information.
+
+@subsection Embedded Bro Rule
+Unfortunately, most of the embedded Bro rules have not been documented.  
+The analyst must rely on his/her own understand of network attacks to 
+guess what the intent of the rule is.  Sometimes useful comments are 
+written into the Bro policy source.
+
+@node Examine HTTP FTP or SMTP Sessions
+@section Examine HTTP FTP or SMTP Sessions
+
+These three files record session activity on ports 80(http), 21(ftp), and 25(smtp) respectively.  If the alarm involves any of these ports, these files may reveal the details of the sessions.  The general format of all three files is:
+date/time@key{SP}%sessionnumber@key{SP}Message
+
+where:
+@quotation date/time
+is the time in UNIX epoch time.  The @code{cf} utility can be used to convert this time to @cite{readable} time. Reference Tech Manual
+@comment ####################### need reference to Tech Manaual.
+@end quotation
+@quotation sessionnumber
+is the number assigned to session.  All subsequent records in the file that are part of the session will retain this same session number.  Session numbers are prefixed with the @samp{%} sign.
+@end quotation
+@quotation message
+is the message that Bro policy has formed to describe the session event.  Typically the message will be:
+@itemize
+@item the start of the session, including the two ip addresses involved
+@item an anomolous event
+@item the full protocol command line that was sent
+@item short statistics concerning the transaction (e.g. bytes sent)
+@end itemize
+@end quotation
+
+In an alarm where the session number is given (typically in a SensitiveSignature alarm), a search on the session number in the appropriate file(s) will show the full sessons.  @xref{The bro/logs Directory}.
+@*@*
+@strong{Example:}
+@*Consider the following alarm:
+
+@verbatim
+Alarm: HTTP_SensitiveURI
+       11/22_12.52.42                128.333.48.179 -> 80.143.378.186
+                                           3091/tcp -> 80/tcp
+       session: %73280
+       payload: GET\/NR/rdonlyres/eirownz4tqwlseoggqm2ahj5cqsdbedlaxyye
+                7kvdz7rnh6u4o2v2gpvmoggqjlekzdtulryyatiinj3xwimmiavgfb/
+                smallshoulders.gif\ (200\ "OK"\ [1134])
+@end verbatim
+
+From the payload shown, it is unclear what triggered the alarm.  To investigate further, the entire session can be viewed:
+
+Example:
+@verbatim
+> grep %73280 http.hostname.04-11-22_12.52.42 | cf
+Nov 22 15:18:30 %73280 start 128.333.48.179 > 80.143.378.186
+Nov 22 15:18:30 %73280 GET /fitness/default.htm (200 "OK" [10473])
+Nov 22 15:18:30 %73280 GET /javascripts/cms_common.js (304 "Not Modified"[0])
+Nov 22 15:19:47 %73280 GET /food_nutrition/default.htm (200 "OK"[13177])
+Nov 22 15:19:47 %73280 GET/NR/rdonlyres/eirwwu3xtlr22dkat5cim4ziupouzxb6kz4xb
+zbr4zs255ca57cvv5mhcjcrmrfg6kpcrevyndo2za3yoi5esheiolf/News111904Dairy NotFor
+Diet.jpg (200 "OK" [6572])
+Nov 22 15:19:51 %73280 GET /NR/rdonlyres/0D25692F-D59A-4B90-AB53-8BBC9E75A286.
+gif (200 "OK" [189])
+Nov 22 15:19:51 %73280 GET /NR/rdonlyres/eqpbdbex34wpqpagp2fcbxh35omcjtq45feyf7
+zgtjff6fhrybfbsvtszeu4rc2clayghhslfimaafkoocae6cv6wof/doctor.jpg (200 "OK" [161
+5])/NR/rdonlyres/enhskrfoodzuquvmbli2hasjspusrgsvyhbd3nlue5msoli2ueagrwdxw56gqa
+aa7sosee3yn2hwywcg6kgv4wcv6jc/bigback.gif (200 "OK" [8192 (interrupted)])/NR/rd
+onlyres/ej2cpd275ghrefp23ezou43haqe6fmj3oyeqxkvopf4bv4zhwbqimfrrbndqpotx55pogc7
+xiqvdcovaxo66afyqfof/smallleg.jpg (200 "OK" [1010])
+Nov 22 15:22:12 %73280 GET /NR/rdonlyres/eirownz4tqwlseoggqm2ahj5cqsdbedlaxyye7
+kvdz7rnh6u4o2v2gpvmoggqjlekzdtulryyatiinj3xwimmiavgfb/smallshoulders.gif (200 "
+OK" [1134])
+Nov 22 15:22:13 %73280 GET /NR/rdonlyres/49D86A33-AF6C-4873-AD11-F26DDBF222B1.g
+if (200 "OK" [167])
+@end verbatim
+By examining this session it can clearly be seen that the session is simply a web visit to a fitness website.  There is no need to investigate further.
+
+@node Examine the Connection and Weird Logs
+@section Examine the Connection and Weird Logs
+
+The connection logs are a record of every connection Bro detects.  Although they don't contain content, being able to track the network @emph{movement} of an attacking host is often very useful.
+
+@subsection Breakin Indicators
+
+If it is still not clear if a suspect host is an attacker, the connection surrounding the suspicious connection can be examined.  Here are some questions that might be answered by the @file{conn} logs.
+itemize
+item How many more successful connection the attacker make to the target host?
+item How much data was transfered? A lot of data means something more than an unsuccessful probe.
+item Did the target host connect back to the attacker?  This is a fairly sure sign of a successful attack.  The attacker has gained control of the target and is connecting back to his own host.
+item What was the time duration?  If several attacks occur in a very short time and then slow down to @emph{human} speed, it could indicate the attacker used an automated attack to gain control and then switched to a manual mode to "work on" the compromised target host.
+
+@subsection Connections to Other Computers
+If a host has been successfully identified as an attacker, it is useful to know what and how many other hosts the attacker has touched.  This can be found by grepping through the @file{conn} logs for instances of connections by the suspect host.
+@example
+example here
+@end example
+If the attack used a specific, little used, port; another investigation would be to search for other similar connection using that port.  Often the attacker might change attack hosts, but will continue to use the same attack method.
+@example
+example here
+@end example
+@quotation NOTES
+@i{You may want to go back several days, weeks, months, or even years to see if the attacker has visited (and perhaps compromised) you site earlier without being detected.
+@*However, be forwarned that the @file{conn} logs tend to get very large and doing extensive searches can take a very long time.}
+@end quotation
+
+@subsection Odd Activity
+Despite attempts to have the network community adhere to network standards, non-compliant traffic occurs all the time.  The @file{weird} logs are a record of instances of network traffic that simply should not happen.
+@*@*
+While these logs are usually of interest to the most hard-core of network engineers, if a unique attack is detected, it is sometimes valuable to search the weird logs for other unusual activities by the attacking host.  Hackers are not bound by standard protocol and sometimes find ways to circumvent security via @emph{weird} methods.
+
+@node Examine the Bulk Trace if Available 
+@section Examine the Bulk Trace if Available 
+
+For information on using the Bulk trace files for analysis, see 
+@ref{Bulk Traces and Off-line Analysis}.
+
+@node Contact and Question Appropriate People
+@section Contact and Question Appropriate People
+The final and usually the most definitive investigation is to call the owners of the hosts involved.  Often a call to the owner of the local host can reveal that the activity was not normal, but appropriate or a mistake.
+
diff --git a/doc/user-manual/Bro-blocking.texi b/doc/user-manual/Bro-blocking.texi
new file mode 100644
index 0000000000..5cc3ed063e
--- /dev/null
+++ b/doc/user-manual/Bro-blocking.texi
@@ -0,0 +1,37 @@
+
+
+@menu
+* To block or not to block -- That is the question::
+* Adjusting criteria for automatic blocking::
+* Manually blocking/unblocking hosts::
+* Sample Blocking Code::
+@end menu
+
+@comment ********************************************
+@node To block or not to block -- That is the question
+@section To block or not to block -- That is the question
+
+insert text here 
+
+@comment ********************************************
+@node Adjusting criteria for automatic blocking
+@section Adjusting criteria for automatic blocking
+
+insert text here 
+
+@comment ********************************************
+@node Manually blocking/unblocking hosts
+@section Manually blocking/unblocking hosts
+
+insert text here 
+
+@comment ********************************************
+@node Sample Blocking Code
+@section Sample Blocking Code
+
+At LBL we use a program called @uref{http://www-nrg.ee.lbl.gov/leres/acl2.html, acld}
+to update the ACLs in our boarder routers on the fly.
+This code is available at:  ftp://ftp.ee.lbl.gov/acld.tar.gz
+
+
+
diff --git a/doc/user-manual/Bro-customizing.texi b/doc/user-manual/Bro-customizing.texi
new file mode 100644
index 0000000000..22c123053d
--- /dev/null
+++ b/doc/user-manual/Bro-customizing.texi
@@ -0,0 +1,508 @@
+
+Bro is very customizable, and there are several ways to modify Bro to suit
+your environment. You can write your own policy analyzers using the Bro language.  
+Most sites will likely just want to do minor customizations, such as changing the level
+of an alert from "notice" to "alarm", or turning on or off particular analyzers.
+The chapter describes how to do these types of customizations.
+Information on how to write your own analyzers can be found in
+the @uref{http://www.bro-ids.org/Bro-reference-manual/, Bro Reference Manual}.
+
+The default policy scripts for Bro are all in $BROHOME/policy. These files should @strong{never} be 
+edited, as your edits will be lost when you upgrade Bro. To customize Bro for your site, you
+should make all your changes in $BROHOME/site. Many simple changes just require you
+to @emph{redefine} (using the @uref{
+http://www.bro-ids.org/Bro-reference-manual/Variables-Overview.html,
+@code{redef}} operator, 
+a Bro constant from a standard policy script with your own custom value. You can
+also write your own custom script to do whatever you want.
+
+For example, to add "guest" to the list of 
+@uref{http://www.bro-ids.org/Bro-reference-manual/hot_002dids-Module.html, forbidden_ids}
+(user names that generate a login alarm), you
+do this:
+
+@verbatim
+    redef forbidden_ids += { "guest", };
+@end verbatim
+
+In this chapter we give an overview of all the standard Bro policy scripts, what notices
+they generate, and how to customize the most commonly changed items, and how to write new policy 
+modules.
+
+@menu
+* Builtin Policy Files ::
+* Notices ::
+* Notice Actions ::
+* Customizing Builtin Policy::
+* Writing New Policy::
+* Signatures ::
+* Tuning Scan Detection ::
+* Other Customizations ::
+@end menu
+
+@node Builtin Policy Files
+@section Builtin Policy Files
+@cindex Policy Files
+
+
+Bro @emph{policy} script is the basic analyzer used by Bro to determine what network events are alarm worthy. 
+A policy can also specify what actions to take and how to report activities, as well as determine what activities to scrutinize.  
+Bro uses policies to determine what activities to classify as @emph{hot}, or questionable in intent. 
+These hot network sessions can then be flagged, watched, or responded to via other policies or applications determined to be necessary, such as calling @code{rst} to reset a connection on the local side, or to add an IP address block to a main router's ACL (Access Control List). 
+The policy files use the Bro scripting language, which is discussed in great detail in @uref{http://www.bro-ids.org/Bro-reference-manual/index.html, The Bro Reference Manual}.
+
+Policy files are loaded using an @code{@@load} command. The semantics of @code{@@load} are "load in this script if it hasn't already been loaded", so there is no harm in loading something in multiple policy scripts.
+The following policy scripts are included with Bro. The first set are all on by default, and the second group can be added by adding them to your @file{site/brohost.bro} policy file.
+
+Bro Analyzers are described in detail in the 
+@uref{http://www.bro-ids.org/Bro-reference-manual/Analyzers-and-Events.html, 
+Reference Manual}.
+These policy files are loaded by default:
+
+@quotation
+@multitable  @columnfractions .2 .7
+@item @code{site} @tab  defines local and neighbor networks from static config
+@item @code{alarm} @tab    open logging file for alarm events
+@item @code{tcp} @tab   initialize BPF filter for SYN/FIN/RST TCP packets
+@item @code{login} @tab  rlogin/telnet analyzer (or to ensure they are disabled)
+@item @code{weird} @tab  initialize generic mechanism for detecting unusual events
+@item @code{conn} @tab  access and record connection events
+@item @code{hot} @tab  defines certain forms of sensitive access
+@item @code{frag} @tab  process TCP fragments
+@item @code{print-resources} @tab  on exit, print resource usage information, useful for tuning
+@item @code{signatures} @tab   the signature policy engine
+@item @code{scan} @tab  generic scan detection mechanism
+@item @code{trw} @tab  additional, more sensitive scan detection  
+@item @code{http} @tab general http analyzer, low level of detail
+@item @code{http-request} @tab  detailed analysis of http requests
+@item @code{http-reply} @tab    detailed analysis of http replys 
+@item @code{ftp} @tab   FTP analysis
+@item @code{portmapper} @tab  record and analyze RPC portmapper requests
+@item @code{smtp} @tab  record and analyze email traffic
+@item @code{tftp} @tab  identify and log TFTP sessions
+@item @code{worm} @tab flag HTTP-based worm sources such as Code Red
+@item @code{software} @tab  track software versions; required for some signature matching
+@item @code{blaster} @tab looks for blaster worm 
+@item @code{synflood} @tab looks for synflood attacks
+@item @code{stepping} @tab used to detect when someone logs into 
+your site from an external net, and then soon logs into another site
+@item @code{reduce-memory} @tab sets shorter timeouts for saving state, 
+thus saving memory. If your Bro is using < 50% of you RAM, try not loading this
+@end multitable
+@end quotation
+
+These are @strong{not} loaded by default:
+
+@quotation
+@multitable  @columnfractions .14 .4 .03 .4
+@item @strong{Policy} @tab @strong{Description} @tab @tab @strong{Why off by default} 
+@item @code{drop} @tab    Include if site has ability to drop hostile remotes @tab @tab Turn on if needed
+@item @code{icmp} @tab    icmp analysis @tab @tab CPU intensive and low payoff 
+@item @code{dns} @tab   DNS analysis @tab @tab CPU intensive and low payoff
+@item @code{ident} @tab ident program analyzer @tab @tab historical, no longer interesting
+@item @code{gnutella} @tab looks for hosts running Gnutella @tab @tab Turn this on if you want
+to know about this 
+@item @code{ssl} @tab  ssl analyzer @tab @tab still experimental
+@item @code{ssh-stepping} @tab Detects stepping stones where both incoming and outgoing connections are ssh
+@tab @tab Possibly too CPU intensive (needs more testing)
+@item @code{analy} @tab Performs statistical analysis @tab @tab only used in off-line alalysis
+@item @code{backdoor} @tab Looks for backdoors @tab @tab only effective when also capturing bulk traffic
+@item @code{passwords} @tab Looks for clear text passwords @tab @tab may want to turn on if your site does not allow clear text passwords 
+@item @code{file-flush} @tab Causes all log files to be flushed every N seconds @tab @tab may want to turn on if you are doing "real time" analysis
+@end multitable
+@end quotation
+
+To modify which analyzers are loaded, edit or create a file in @file{$BROHOME/site}. 
+If you write your own new custom analyzer, it goes in this directory too. To disable an analyzer,
+add "@code{@@unload policy.bro}" to the beginning of the file 
+@file{$BROHOME/site/brohost.bro}, before
+the line "@code{@@load brolite.bro}". To add additional analyzers, add them @@load them 
+in @file{$BROHOME/site/brohost.bro}.
+
+
+@node Notices
+@section Notices
+@cindex Predefined Bro Notices
+
+The primary output facility in Bro is called a @emph{Notice}. 
+The Bro distribution includes a number of standard of Notices, listed below. The table 
+contains the name of the Notice, what Bro policy file generates it, and a short description
+of what the Notice is about.
+
+@quotation
+@multitable  @columnfractions .24 .15 .5 
+@item @strong{Notice} @tab @strong{Policy} @tab @strong{Description} 
+
+@item @code{AckAboveHole} @tab weird @tab Could mean packet drop; could also be a faulty TCP implementation 
+@item @code{AddressDropIgnored} @tab scan @tab A request to drop connectivity has been ignored ; (scan detected, but one of these flags is true:  !can_drop_connectivity, or never_shut_down, or never_drop_nets )
+@item @code{AddressDropped } @tab scan @tab Connectivity w/ given address has been dropped
+@item @code{AddressScan} @tab scan @tab The source has scanned a number of addrs
+@item @code{BackscatterSeen} @tab scan @tab Apparent flooding backscatter seen from source
+@item @code{ClearToEncrypted_SS} @tab stepping @tab  A stepping stone was seen in which the first part of the chain is a clear-text connection but the second part is encrypted. This often means that a password or passphrase has been exposed in the clear, and may also mean that the user has an incomplete notion that their connection is protected from eavesdropping.
+@item @code{ContentGap} @tab weird @tab Data has sequence hole; perhaps due to filtering
+@item @code{CountSignature}  @tab signatures @tab Signature has triggered multiple times for a destination
+@item @code{DNS::DNS_MappingChanged} @tab DNS @tab Some sort of change WRT previous Bro lookup
+@item @code{DNS::DNS_PTR_Scan} @tab dns @tab Summary of a set of PTR lookups (automatically generated once/day when dns policy is loaded)
+@item @code{DroppedPackets} @tab netstats @tab Number of packets dropped as reported by the packet filter
+@item @code{FTP::FTP_BadPort} @tab ftp @tab Bad format in PORT/PASV;
+@item @code{FTP::FTP_ExcessiveFilename} @tab ftp @tab  Very long filename seen
+@item @code{FTP::FTP_PrivPort} @tab ftp @tab Privileged port used in PORT/PASV
+@item @code{FTP::FTP_Sensitive} @tab ftp @tab Sensitive connection (as defined in @emph{hot})
+@item @code{FTP::FTP_UnexpectedConn} @tab ftp @tab FTP data transfer from unexpected src
+@item @code{HTTP::HTTP_SensitiveURI} @tab http @tab Sensitive URI in GET/POST/HEAD (default sensitive URIs defined http-request.bro; e.g.:  /etc.*\/.*(passwd|shadow|netconfig)
+@item @code{HotEmailRecipient} @tab smtp @tab XXX Need Example, default = NULL
+@item @code{ICMP::ICMPAsymPayload} @tab icmp @tab  Payload in echo req-resp not the same
+@item @code{ICMP::ICMPConnectionPair} @tab icmp @tab Too many ICMPs between hosts (default = 200)
+@item @code{IdentSensitiveID} @tab ident @tab Sensitive username in Ident lookup
+@item @code{LocalWorm} @tab worm @tab Worm seen in local host (searches for code red 1, code red 2, nimda, slammer) 
+@comment for PDF, need to break up long names 
+@ifnothtml
+@item @code{LoginForbidden ButConfused} @tab login  @tab Interactive login seen using forbidden username, but the analyzer was confused in following the login dialog, so may be in error.
+@end ifnothtml
+@ifnottex
+@item @code{LoginForbiddenButConfused} @tab login  @tab Interactive login seen using forbidden username, but the analyzer was confused in following the login dialog, so may be in error.
+@end ifnottex
+@ifnothtml
+@item @code{Multiple SigResponders} @tab signatures @tab  host has triggered the same signature on multiple responders
+@end ifnothtml
+@ifnottex
+@item @code{MultipleSigResponders} @tab signatures @tab  host has triggered the same signature on multiple responders
+@end ifnottex
+@item @code{MultipleSignatures} @tab signatures @tab host has triggered many signatures
+@item @code{Multiple SigResponders} @tab signatures @tab  host has triggered the same signature on multiple responders
+@item @code{OutboundTFTP} @tab tftp  @tab outbound TFTP seen
+@item @code{PasswordGuessing} @tab scan @tab source tried too many user/password combinations (default = 25)
+@item @code{PortScan} @tab scan  @tab the source has scanned a number of ports
+@item @code{RemoteWorm} @tab worm @tab worm seen in remote host
+@ifnothtml
+@item @code{Resolver Inconsistency} @tab  dns @tab  the answer returned by a DNS server differs from one previously returned
+@end ifnothtml
+@ifnottex
+@item @code{ResolverInconsistency} @tab  dns @tab  the answer returned by a DNS server differs from one previously returned
+@end ifnottex
+@item @code{ResourceSummary} @tab print-resources @tab prints Bro resource usage
+@ifnothtml
+@item @code{Retransmission Inconsistency} @tab weird @tab possible evasion; usually just bad TCP implementation
+@end ifnothtml
+@ifnottex
+@item @code{RetransmissionInconsistency} @tab weird @tab possible evasion; usually just bad TCP implementation
+@end ifnottex
+@item @code{SSL_SessConIncon} @tab ssl @tab session data not consistent with connection
+@item @code{SSL_X509Violation} @tab ssl @tab blanket X509 error
+@item @code{ScanSummary} @tab scan @tab a summary of scanning activity, output once / day
+@item @code{SensitiveConnection} @tab conn @tab connection marked "hot", See: @uref{http://www.bro-ids.org/Bro-reference-manual/hot_002dids-Module.html, Reference Manual section on hot ids} for more information. 
+@item @code{SensitiveDNS_Lookup} @tab dns @tab DNS lookup of sensitive hostname/addr; default list of sensitive hosts = NULL 
+@item @code{SensitiveLogin} @tab login @tab interactive login using sensitive username (defined in 'hot')
+@ifnothtml
+@item @code{Sensitive PortmapperAccess} @tab portmapper @tab the given combination of the service looked up via the pormapper, the host requesting the lookup, and the host from which it's requiesting it is deemed sensitive
+@end ifnothtml
+@ifnottex
+@item @code{SensitivePortmapperAccess} @tab portmapper @tab the given combination of the service looked up via the pormapper, the host requesting the lookup, and the host from which it's requiesting it is deemed sensitive
+@end ifnottex
+@item @code{SensitiveSignature} @tab signatures @tab  generic for alarm-worthy
+@ifnothtml
+@item @code{SensitiveUsername InPassword} @tab login @tab During a login dialog, a sensitive username (e.g., "rewt") was seen in the user's password.  This is reported as a notice because it could be that the login analyzer didn't track the authentication dialog correctly, and in fact what it thinks is the user's password is instead the user's username.
+@end ifnothtml
+@ifnottex
+@item @code{SensitiveUsernameInPassword} @tab login @tab During a login dialog, a sensitive username (e.g., "rewt") was seen in the user's password.  This is reported as a notice because it could be that the login analyzer didn't track the authentication dialog correctly, and in fact what it thinks is the user's password is instead the user's username.
+@end ifnottex
+@item @code{SignatureSummary} @tab signatures @tab summarize number of times a host triggered a signature (default = 1/day)
+@item @code{SynFloodEnd} @tab synflood @tab end of syn-flood against a certain victim. 
+A syn-flood is defined to be more than SYNFLOOD_THRESHOLD (default = 15000) new connections
+have been reported within the last SYNFLOOD_INTERVAL (default = 60 seconds) for a certain IP.
+@item @code{SynFloodStart} @tab synflood @tab start of syn-flood against a certain victim
+@item @code{SynFloodStatus} @tab synflood @tab report of ongoing syn-flood
+@item @code{TRWAddressScan} @tab trw @tab source flagged as scanner by TRW algorithm
+@item @code{TRWScanSummary} @tab trw @tab summary of scanning activities reported by TRW
+@ifnothtml
+@item @code{Terminating Connection} @tab conn @tab "rst" command sent to connection origin, connection terminated, triggered in the following policies: ftp and login: forbidden user id, hot (connection from host with spoofed IP address)
+@end ifnothtml
+@ifnottex
+@item @code{TerminatingConnection} @tab conn @tab "rst" command sent to connection origin, connection terminated, triggered in the following policies: ftp and login: forbidden user id, hot (connection from host with spoofed IP address?)
+@end ifnottex
+@item @code{W32B_SourceLocal} @tab blaster @tab report a local W32.Blaster-infected host
+@item @code{W32B_SourceRemote} @tab blaster @tab report a remote W32.Blaster-infected host
+@item @code{WeirdActivity} @tab Weird @tab generic unusual, alarm-worthy activity
+@end multitable
+@end quotation
+
+Note that some of the Notice names start with "ModuleName::" (e.g.: FTP::FTP_BadPort)
+and some do not. This is becuase not all of the Bro Analyzers
+have been converted to use the @uref{http://www.bro-ids.org/Bro-reference-manual/Module-Facility.html,
+Modules facility} yet.  Eventually all notices will start with "ModuleName::".
+
+To get a list of all Notices that your particular Bro configuration might generate,
+you can type:
+@example
+  sh . $BROHOME/etc/bro.cfg; bro -z notice $BRO_HOSTNAME.bro
+@end example
+
+@node Notice Actions
+@section Notice Actions
+@cindex Customizing Notice Actions
+
+Notices that are deemed particularly important
+are called @emph{Alarms}. Alarms are sent to the alarm log file, and to 
+optionally to @emph{syslog}. 
+
+The standard Bro distribution supports a number of types of @emph{notice actions}, these are:
+
+@quotation
+@multitable  @columnfractions .3 .5
+@item @code{NOTICE_IGNORE} @tab   do nothing
+@item @code{NOTICE_FILE} @tab  send to 'notice' file
+@item @code{NOTICE_ALARM_ALWAYS} @tab   send to alarm file and @emph{syslog}
+@item @code{NOTICE_ALARM_PER_CONN} @tab  send to alarm file once per connection
+@item @code{NOTICE_EMAIL} @tab  send to alarm file and send email
+@item @code{NOTICE_PAGE} @tab  send to alarm file and send to pager
+@end multitable
+@end quotation
+
+It is also possible to define your own custom notice actions.
+
+By default, all notices are set to NOTICE_ALARM_ALWAYS except for the following:
+@example
+ContentGap, AckAboveHole, AddressDropIgnored, PacketsDropped, 
+RetransmissionInconsistency
+@end example
+
+By default all Alarms are also sent to @emph{syslog}. To disable this, add:
+
+@verbatim
+   redef enable_syslog = F;
+@end verbatim
+
+To change the default notice action for a given notice, add something like this to your @file{site/brohost.bro} file:
+
+@verbatim
+   redef notice_action_filters += {
+        [[WeirdActivity, ContentGap]] = ignore_notice,
+   };
+@end verbatim
+
+This will cause the Notices @code{WeirdActivity} and @code{ContentGap} to no longer get logged anywhere.
+To send these Notices to the Notice log file only, and not to the Alarm log, add this:
+
+@verbatim
+   redef notice_action_filters += {
+        [[WeirdActivity, ContentGap]] = file_notice,
+   };
+@end verbatim
+
+For NOTICE_EMAIL and NOTICE_PAGE, 
+email is sent using the script specified by the mail_script variable
+(default: "mail_notice.sh"), which must be in $PATH. 
+To activate this, $mail_dest must be set. 
+Email is only sent if Bro is reading live traffic.
+
+For example, to send email on TerminatingConnection and FTP_Sensitive notices, add
+something like this:
+
+@verbatim
+redef mail_dest = "youremail@yoursite.edu";
+
+redef notice_action_filters += {
+    [[TerminatingConnection, FTP::FTP_Sensitive]] = send_email_notice,
+};
+
+@end verbatim
+
+
+@comment  XXX what if someone wanted to define their own new notice action. What would they do?
+
+@node Customizing Builtin Policy 
+@section Customizing Builtin Policy 
+@cindex Customizing Builtin Policy 
+
+The default policy scripts for Bro are all in $BROHOME/policy. Remember that 
+these files should @strong{never} be 
+edited, as your edits will be lost when you upgrade Bro. To customize Bro for your site, you
+should make all your changes in $BROHOME/site. Many simple changes just require you
+to @emph{redefine} (using the @uref{
+http://www.bro-ids.org/Bro-reference-manual/Variables-Overview.html,
+@code{redef}} operator, 
+a Bro constant from a standard policy script with your own custom value. You can
+also write your own custom script to do whatever you want.
+
+Here are some example of the types of things you may want to customize.
+
+To add "guest" to the list of 
+@uref{http://www.bro-ids.org/Bro-reference-manual/hot_002dids-Module.html, forbidden_ids}
+(user names that generate a login alarm), you
+do this:
+
+@verbatim
+    redef forbidden_ids += { "guest", };
+@end verbatim
+
+To add a new rootkit string to HTTP
+@uref{http://www.bro-ids.org/Bro-reference-manual/http_002drequestbro.html, sensitive_URIs}:
+@verbatim
+   redef HTTP::sensitive_URIs += /^.*rootdown.pl.*$/;
+@end verbatim
+
+
+@node Writing New Policy
+@section Writing New Policy 
+@cindex  Writing New Policy
+
+For example, if your site only allows external http and mail to a small, 
+controlled lists of hosts, you could write a new .bro file containing this:
+
+@verbatim
+const web_servers = { www.lbl.gov, www.bro-ids.org, };
+const mail_servers = { smtp.lbl.gov, smtp2.lbl.gov, };
+
+const allow_my_services: set[addr, port] = {
+        [mail_servers, smtp],
+        [web_servers, http],
+};
+@end verbatim
+
+Bro can then generate an Alarm or even terminate the connection for policy violations.
+For example:
+
+@verbatim
+
+event connection_established(c: connection)
+{
+   local id = c$id;
+   local service = id$resp_p;
+   local inbound = is_local_addr(id$resp_h);
+
+   if ( inbound && [id$resp_h, service] !in allow_my_services )
+      NOTICE ([$note=SensitiveConnection, $conn=c,
+		$msg=fmt("hot: %s", full_id_string(c)) ]);
+    if ( inbound && service in terminate_successful_inbound_service )
+            terminate_connection(c);
+}
+@end verbatim
+
+To test this you might do the following. First,
+generate some "offline" data to play with:
+
+@example
+ # tcpdump -s 0 -w trace.out port smtp or port http 
+@end example
+
+Kill off the tcpdump after capturing traffic for a few minutes (use ctrl-C).
+Then add the above Bro code to your hostname.bro file, and 
+run Bro against this captured trace file: 
+ 
+@example
+ # setenv BROHOME /usr/local/bro
+ # setenv BROPATH $BROHOME/site:$BROHOME/policy
+ # bro -r trace.out hostname.bro       
+@end example
+
+
+
+
+@node Signatures
+@section Signatures
+@cindex Signatures
+
+@include Bro-signatures.texi
+
+@node Tuning Scan Detection
+@section Tuning Scan Detection 
+@cindex Tuning Scan Detection
+
+There are a large number of tunable parameters in the scan analyzer, all of which
+are described in @uref{http://www.bro-ids.org/Bro-reference-manual/scan-Analyzer.html,
+the reference manual}. Most of these parameters should be fine for all sites. The only settings
+that you may want to tune are:
+
+@itemize
+@item report_peer_scan: Generate a log message whenever a remote host has attempted to connect to the given number of distinct hosts. Default = @{ 100, 1000, 10000, @}.
+@item report_outbound_peer_scan: Generate a log message whenever a local host has attempted to connect to the given number of remost hosts. Default = @{ 100, 1000, @}.
+
+@item skip_services: list of ports to ignore scans on, because they often gets scanned
+by legitimate (or at least common) services. The default list can be found
+in the brolite.bro file.
+@end itemize
+
+If you want enable ICMP scan detection, set these:
+
+@example
+redef ICMP::detect_scans = T;
+redef ICMP::scan_threshold = 100;
+@end example
+
+@node Other Customizations
+@section Other Customizations
+@cindex Scan Thresholds
+
+There are a number of things you may wish to customize.
+
+@strong{hot_ids}
+
+The policy file @uref{http://www.bro-ids.org/Bro-reference-manual/hot_002dids-Module.html,
+@file{hot-ids.bro}} contains a number of constants that you
+might want to customize by "redef"ing them in your brohost.bro policy file.
+These are all used to generate FTP and login alarms (SensitiveConnection Notice) 
+for suspicious users.
+The user ID's that are in @code{hot_ids} and not in @code{always_hot_ids}
+are only hot upon successful login. For details see the
+@uref{http://www.bro-ids.org/Bro-reference-manual/hot_002dids-Module.html,
+Bro Reference Manual}.
+
+@quotation
+@multitable  @columnfractions .25  .6
+@item @strong{constant} @tab @strong{Defaults} 
+@item forbidden_ids @tab "uucp", "daemon", "rewt", "nuucp",
+        "EZsetup", "OutOfBox", "4Dgifts",
+        "ezsetup", "outofbox", "4dgifts", "sgiweb"
+	"r00t", "ruut", "bomb", "backdoor",
+	"bionic", "warhead", "check_mate", "checkmate", "check_made",
+	"themage", "darkmage", "y0uar3ownd", "netfrack", "netphrack"
+@item always_hot_ids @tab "lp", "demos", 
+ 	"retro", "milk", "moof", "own", "gdm", "anacnd",
+	+ forbidden_ids 
+@item hot_ids @tab "root", "system", "smtp", "sysadm", "diag", "sysdiag", "sundiag",
+	"sync", "tutor", "tour",
+ 	"operator", "sys", "toor", "issadmin", "msql", "sysop", "sysoper",
+         + always_hot_ids
+
+@end multitable
+@end quotation
+
+@strong{Input/Output Strings}
+
+The policy files login.bro and ftp.bro both contain a list of input and output strings
+that indicate suspicious activity. In you wish to add anything to this list, you
+may want to @code{redef} one of these. 
+@example
+login.bro: see @uref{http://www.bro-ids.org/Bro-reference-manual/login-variables.html,
+input_trouble and output_trouble}
+ftp.bro: see @uref{http://www.bro-ids.org/Bro-reference-manual/ftp-variables.html,
+ftp_hot_files}
+@end example
+
+@strong{Sensitive URIs}
+
+The policy file http-request.bro contain a list of http URI's 
+that indicate suspicious activity. In you wish to add anything to this list, you
+may want to @code{redef} one of these. 
+
+@comment XXX need to explain how this relates to signatures, and when to use each.
+
+@example
+sensitive_URIs 
+sensitive_post_URIs 
+@end example
+
+@strong{Log Files}
+
+@code{redef} this to rotate the log files every N seconds
+@example
+log_rotate_interval (default = 0 sec, don't rotate) 
+@end example
+
+@code{redef} this to rotate the log files when they get this big
+@example
+log_max_size (default = 250e6, rotate when any file exceeds 250 MB)
+@end example
+
+@comment XXX: what else should we document here?
+
diff --git a/doc/user-manual/Bro-dir-files.texi b/doc/user-manual/Bro-dir-files.texi
new file mode 100644
index 0000000000..9258f517d9
--- /dev/null
+++ b/doc/user-manual/Bro-dir-files.texi
@@ -0,0 +1,647 @@
+@float Figure, The Bro Directory Structure
+@image{BroDir}
+@caption{The Bro Directory Structure}
+@end float
+
+@menu
+* The bro/bin Directory ::
+* The bro/etc Directory ::
+* The bro/var Directory ::
+* The bro/scripts Directory ::
+* The bro/policy Directory ::
+@c * The bro/sigs Directory ::
+* The bro/site Directory ::
+* The bro/logs Directory ::
+* The bro/archive Directory ::
+* Other Files ::
+@end menu
+@cindex directory structure
+
+@node The bro/bin Directory
+@appendixsec The bro/bin Directory
+@cindex bro/bin Directory
+@cindex adtrace executible
+@c @cindex bdcat executible
+@c @cindex bifcl executible
+@cindex bro executible
+@cindex cf executible
+@cindex rst executible
+
+The bin directory is the storage area for executable binary 
+files used by Bro.
+
+@subsubheading adtrace
+adtrace retrieves MAC and IP address information from 
+tcpdump trace files
+@quotation
+   usage:
+@example
+         adtrace <trace-file>
+@end example
+@end quotation
+
+@ignore
+>>>>>>>>>>>>>>>>>>>>>>>>
+@subsubheading bdcat
+In the Bro policy language, the files Bro access can be encrypted (see 
+the &encrypt attribute in the technical manual). bdcat is used to 
+decrypt the files.
+@comment add URL link to &encrypt attribute in the technical manual
+
+@subsubheading bifcl
+Built-in functions (.bif files) are implemented in C++ and 
+can be called by Bro policy scripts. The bif compiler, 
+bifcl, takes a .bif file and generates the corresponding 
+C++ segments and Bro language declarations, so that each 
+function only needs be written once in a .bif file and the 
+actual C++/Bro code will be automatically generated.
+<<<<<<<<<<<<<<<<<<<<<<<<
+@end ignore
+
+@subsubheading bro
+This program is the primary Bro executable.  
+Full use of the bro command is documented in the technical 
+manual.
+@comment add URL link to Bro command in technical manual
+
+@subsubheading cf
+A program that converts UNIX epoch time into a conventional 
+date.  Most of the raw Bro logs record UNIX epoch time as 
+the timestamp for their records.  Piping the file through 
+cf will convert the time.  Full use of cf is documented in 
+the technical manual.
+@comment add URL link to cf in technical manual
+
+@subsubheading rst
+A program that Bro calls to form and send a reset packet 
+which will tear down a tcp connection.  The use of rst is 
+documented in the Technical Manual and in chapter ### of 
+the User Manual.
+@comment add URL link to rst in Technical Manual
+@comment fix ### with correct chapter
+
+@node The bro/etc Directory
+@appendixsec The bro/etc Directory
+@cindex alert_scores
+@cindex bro/etc Directory
+@cindex bro.cfg file
+@cindex bro.cfg.example file
+@cindex bro.rc file
+@cindex bro.rc-hooks.sh file
+@cindex signature_scores
+@cindex VERSION file
+
+Configuration and other ancillary files are stored in the 
+etc directory.  These files are usually changed by 
+supplimentary configuration tools supplied with the Bro 
+distribution. Direct editing of these files is discouraged.  
+If direct edits are made, the changes may be reversed or 
+deleted during subsequent Bro updates.
+
+@subsubheading alert_scores
+This file contains ranking numbers for alarms (the use of the term "alert" is
+vestigial and will be changed in the future).  The ranking numbers are used as part of the ranking system for determining the success likelihood of an incident triggering a specific alarm.
+
+@subsubheading bro.cfg
+This file contains configuration criteria for operational 
+parameters.  Most of the parameters are set during the 
+installation process and can be changed using the bro-
+config script.
+@comment add URL link to bro-config script
+
+@subsubheading bro.cfg.example
+A annotated, generic bro.cfg file.  This file is not used 
+by Bro.  It is supplied for documentation purposes.
+
+@subsubheading bro.rc
+This is the script for controlled starting and stopping of 
+Bro.  See section ### for its use.
+@comment fix ### with correct chapter
+@comment add URL link to start/stop section
+
+@subsubheading bro.rc-hooks.sh
+This script is called by bro.rc at various points during 
+the starting and stopping of Bro.  It is presented as an 
+interface for customizations into the start and stop 
+process. 
+@comment need instruction on how to add hooks
+
+@subsubheading signature_scores
+This file contains ranking numbers for signatures.  The ranking numbers are used as part of the ranking system for determining the success likelyhood of an incident triggering a specific signature.
+
+@subsubheading VERSION
+A file containing the Bro version number for the installed 
+distribution.
+
+@node The bro/var Directory
+@section The bro/var Directory
+@cindex bro/var Directory
+@cindex autorestart file
+@cindex pid file
+@cindex start_time file
+
+Temporary information about the current Bro instance is 
+stored in the var directory.
+
+@subsubheading autorestart
+Contains the word "ON" if Bro is configured to autorestart.
+
+@subsubheading pid
+Contains the process ID number for the current instance of 
+Bro.
+
+@subsubheading start_time
+Contains the date and time when the current instance of Bro 
+was started.
+
+@node The bro/scripts Directory
+@appendixsec The bro/scripts Directory
+@cindex bro-config script
+@cindex bro/scripts Directory
+@cindex bro-logchk.pl script
+@cindex bro_log_compress.sh script
+@cindex host-grep script
+@cindex host-to-addrs script
+@c @cindex hot-report script
+@cindex ip-grep script
+@c @cindex mon-report script
+@c @cindex mvlog script
+@cindex site-report.pl script
+@cindex bro/scripts/pm Directory
+@cindex bro/pm Directory
+
+This directory contains a number of auxiliary scripts used 
+to suppliment Bro's operation.
+
+@subsubheading bro-config
+A utility script for changing the Bro operational 
+parameters in the bro.cfg file.
+@comment add URL link to installation instructions
+
+@subsubheading bro-logchk.pl
+@comment needs to be fixed or removed
+@emph{Currently, this file does not work}@*
+A utility program for searching ftp and http log files for 
+activity by specific ip addresses.
+@quotation
+Usage:
+@verbatim
+   bro-logchk.pl -[hrDFHds] -f filename -a ipaddr -x ipaddr
+       -h          print this usage information
+       -F          using ftp log
+       -H          using http log
+       -r          try to resolve IP addresses to hostnames
+       -f file     log file to parse
+       -a ipaddr   only output connections from this address
+       -s          only want matching source address (used with -a )
+       -d          only want matching dest address (used with -a )
+       -D          debug option
+       -x ipaddr   exclude connections from this address
+@end verbatim
+@end quotation
+ 
+@subsubheading bro_log_compress.sh
+A very simple script written to manage log and coredump files.  By 
+default it compresses log files older than 30 days and sends them to 
+the archive directory; it deletes log files older than 60 days; and it 
+deletes coredump files older than 4 days.
+@quotation
+Restrictions:
+@itemize
+   @item Must be run from a user account that has read/write/execute access to files in the $BROHOME directory.
+@end itemize
+@end quotation
+
+@subsubheading host-grep
+Greps a Bro connection summary log on stdin for two given hostnames.
+@quotation
+Usage:
+@example
+      host-grep [-a] hostname hostname < connection_log
+      If -a is specified then we only want lines with *all* of the listed hosts.
+@end example
+Restrictions:
+@itemize
+   @item Must have $BROHOME/scripts included in the PATH environment variable.
+   @item Will only work with hostnames.  ip addresses are not accepted
+   @item Uses host-to-addrs and ip-grep scripts
+@end itemize
+@end quotation
+
+@subsubheading host-to-addrs
+Finds all ip addresses associated with a given hostname.
+@quotation
+Usage:
+@example
+      host-to-addrs hostname
+@end example
+Restrictions:
+@itemize
+   @item Must have $BROHOME/scripts included in the PATH environment variable.
+   @item Will only work with hostnames.  IP addresses are not accepted
+@end itemize
+@end quotation
+
+@ignore
+>>>>>>>>>>>>>>>>>>>>>>>>>>
+@subsubheading hot-report
+@comment needs to be fixed or removed
+@emph{Currently, this file does not work}@*
+Obsolete report generator
+<<<<<<<<<<<<<<<<<<<<<<<<<<
+@end ignore
+
+@subsubheading ip-grep
+Returns an exact grep pattern for matching the IP addresses of the 
+given hosts
+@quotation
+Usage:
+@example
+ip-grep hostname hostname ...
+@end example
+Restrictions:
+@itemize
+   @item Must have $BROHOME/scripts included in the PATH environment variable.
+   @item Will only work with hostnames.  ip addresses are not accepted
+   @item Uses host-to-addrs script
+@end itemize
+@end quotation
+
+@ignore
+>>>>>>>>>>>>>>>>>>>>>>>>>>
+subsubheading mon-report
+@comment needs to be fixed or removed
+@emph{Currently, this file does not work}@*
+Obsolete report generator
+
+@subsubheading mvlog
+@comment needs to be fixed or removed
+@emph{Currently, this file does not work}@*
+Rotates log files every six hours by gzipping them and moving them into directories $BROHOME/logs/<date>/.  The six hour interval is adjustable.  See the file header for more info.
+<<<<<<<<<<<<<<<<<<<<<<<<<<
+@end ignore
+
+@subsubheading site-report.pl
+This script produces the daily consolidated site report.  By default, it is run daily via the cron job submitted by the bro user via files in /var/cron/tabs.
+
+@subsubheading The bro/scripts/pm Directory
+This directory contains perl modules to support the perl scripts in the scripts directory.
+
+@node The bro/policy Directory
+@appendixsec The bro/policy Directory
+@cindex bro/policy Directory
+This directory contains all standard Bro policy files.  For more information about the policy files see section ###, Policy
+@comment need section number and name of section
+@comment add URL link to Policy section 
+
+Signature support files:
+
+@subsubheading sig-addendum.sig
+This file contains small support utilities that are used in the implementation of Bro signatures.
+
+@subsubheading sig-functions.bro
+@emph{To be completed}
+@comment need to add definition
+
+@subsubheading sig-action.bro
+@emph{To be completed}
+@comment need to add definition
+
+
+Policy files:
+@itemize
+@item active.bro
+@item alarm.bro
+@item analy.bro
+@item anon.bro
+@item backdoor.bro
+@item blaster.bro
+@item bro.bif.bro
+@item bro.init
+@item brolite.bro
+@item capture-events.bro
+@item checkpoint.bro
+@item common-rw.bif.bro
+@item conn-id.bro
+@item conn.bro
+@item const.bif.bro
+@item contents.bro
+@item cpu-adapt.bro
+@item demux.bro
+@item dns-info.bro
+@item dns-lookup.bro
+@item dns.bro
+@item drop-adapt.bro
+@item event.bif.bro
+@item finger-rw.bif.bro
+@item finger.bro
+@item flag-irc.bro
+@item flag-warez.bro
+@item frag.bro
+@item ftp-anonymizer.bro
+@item ftp-cmd-arg.bro
+@item ftp-reply-pattern.bro
+@item ftp-rw.bif.bro
+@item ftp-safe-words.bro
+@item ftp.bro
+@item gnutella.bro
+@item hand-over.bro
+@item hot-ids.bro
+@item hot.bro
+@item http-abstract.bro
+@item http-body.bro
+@item http-entity.bro
+@item http-event.bro
+@item http-header.bro
+@item http-reply.bro
+@item http-request.bro
+@item http-rewriter.bro
+@item http-rw.bif.bro
+@item http.bro
+@item icmp.bro
+@item ident-rewriter.bro
+@item ident-rw.bif.bro
+@item ident.bro
+@item inactivity.bro
+@item interconn.bro
+@item listen-clear.bro
+@item listen-ssl.bro
+@item load-level.bro
+@item login.bro
+@item mime.bro
+@item mt.bro
+@item netstats.bro
+@item notice.bro
+@item notice.bro.old
+@item ntp.bro
+@item pcap.bro
+@item pkt-profile.bro
+@item port-name.bro
+@item portmapper.bro
+@item print-filter.bro
+@item print-globals.bro
+@item print-resources.bro
+@item print-sig-states.bro
+@item profiling.bro
+@item reduce-memory.bro
+@item remote-pcap.bro
+@item remote-print.bro
+@item remote.bro
+@item scan.bro
+@item secondary-filter.bro
+@item signatures.bro
+@item signatures.bro.old
+@item site.bro
+@item smtp-relay.bro
+@item smtp-rewriter.bro
+@item smtp-rw.bif.bro
+@item smtp.bro
+@item snort.bro
+@item software.bro
+@item ssh-stepping.bro
+@item ssh.bro
+@item ssl-alerts.bro
+@item ssl-ciphers.bro
+@item ssl-errors.bro
+@item ssl-worm.bro
+@item ssl.bro
+@item stats.bro
+@item stepping.bro
+@item synflood.bro
+@item tcp.bro
+@item tftp.bro
+@item trw.bro
+@item udp.bro
+@item vlan.bro
+@item weird.bro
+@item worm.bro
+@end itemize
+
+@ignore
+>>>>>>>>>>>>>>>>>>>>>>>>
+@node The bro/sigs Directory
+@appendixsec The bro/sigs Directory
+@cindex bro/sigs Directory
+@cindex ex.web-rules.sig
+@cindex snort-default.sig
+@cindex ssl-worm.sig
+@cindex worm.sig
+
+@subsubheading ex.web-rules.sig
+@*This file contains a subset of Snort's signatures pertaining to http activity that have been converted into Bro signature language.
+
+@subsubheading snort-default.sig
+@*This file contains a subset of Snort's signatures that have been converted into Bro signature language.
+
+@subsubheading ssl-worm.sig
+@*This file contains Bro signatures to detect the Apache/SSL worm.
+
+@subsubheading worm.sig
+@*This file contains Bro signatures to detect several different worms.
+<<<<<<<<<<<<<<<<<<<<<<<<<
+@end ignore
+
+@node The bro/site Directory
+@appendixsec The bro/site Directory
+@cindex bro/site Directory
+@cindex s2b-addendum-sigs.sig
+@cindex s2b-functions.bro
+@cindex s2b-sigaction.bro
+@cindex s2b.sig
+
+@subsubheading signatures.sig
+@emph{To be completed}
+@comment need to add definition
+
+@node The bro/logs Directory
+@appendixsec The bro/logs Directory
+@cindex bro/logs Directory
+@cindex alarm log
+@cindex conn log
+@cindex ftp log
+@cindex http log
+@cindex info log
+@cindex notice log
+@cindex signatures log
+@cindex smtp log
+@cindex software log
+@cindex weird log
+@cindex worm log
+@cindex .state
+@cindex active_log
+
+
+All logs take the form@*
+@example
+@emph{type.hostname.start_date/time-end_date/time}
+@end example
+The date/time stamps for 
+each record in the files are always in UNIX (ticks since 
+epoch) format.
+@*@*
+@emph{type} is one of the following:
+
+@subsubheading alarm
+Network occurrences that are determined to be of high 
+importance will be written into the alarm file.  The 
+determination is made by the Bro policy scripts.  Local 
+site modifications can override default Bro alarms or 
+create new ones that are site specific.
+Each entry contains the date/time, the alarm type, and a 
+description of the alarm.
+This file is usually the "starting point" for 
+investigation.  Each alarm should be evaluated for further 
+follow-up action.
+
+@subsubheading conn
+All network connections detected by Bro are recorded in 
+this file.  A connection is defined by an initial packet 
+that attempts to set up a session and all subsequent 
+packets that take part in the session.  Initial packets 
+that fail to set up a session are also recorded as 
+connections and are tagged with a failure state that 
+designates the reason for failure.
+Each entry contains the following data describing the 
+connection: date/time, the duration of the connection, the 
+local and remote ip addresses and ports, bytes transferred 
+in each direction, the transport protocol (udp, tcp), the 
+final state of the connection, and other information 
+describing the connection.
+This file is often used in forensic analysis to determine 
+network activity by a suspect host beyond the immediate 
+alarm.
+@comment add URL link to conn file description in tech manual
+
+@subsubheading ftp
+All transactions involving the well known ftp control port 
+(21) are recorded into this file.  Each entry is marked by 
+an arbitrary session number, allowing full ftp control 
+sessions to be reconstructed.
+Each entry contains the date/time, a session number, and 
+ftp connection information or the specific ftp commands 
+transferred.
+This file is often used to examine details of  suspect ftp 
+sessions.
+
+@subsubheading http
+All transaction involving the well known http ports (80, 
+8000, 8080) are recorded into this file.  Each entry is 
+marked by an arbitrary session number, allowing the full 
+http session to reconstructed
+Each entry contains the date/time, a session number, and 
+http connection information or the specific http commands 
+transferred.
+This file is often used to examine details of  suspect web 
+sessions.
+
+@subsubheading info
+This file contains information concerning the operation of 
+Bro during the time interval covered by the file.  The 
+entries will consist of the Bro version number, startup 
+information, and Bro runtime warnings and errors.
+This file is helpful in troubleshooting Bro operational 
+difficulties. 
+
+@subsubheading notice
+Network occurrences that are determined to be of nominal 
+importance will be written into the notice file.  The 
+determination is made by the Bro policy scripts.  Local 
+site modifications can override default Bro alarms or 
+create new ones that are site specific.  The notice files 
+are similar to the alarm files, but of lesser importance.
+Each entry contains the date/time, a notice type, a notice 
+action, the local and remote ip addresses and ports.  
+Optionally, depending on the type of notice, an entry might 
+contain information about user, filename, method, URL, and 
+other messages.
+This file alerts to occurrences that are worth noting, but 
+do not warrant an alarm.
+
+@subsubheading signatures
+This file contains information associated with specific 
+signature matches.  These matches do not necessarily 
+correspond to all alarms or notices, only to those that are 
+triggered by a signature.
+Each entry contains the date/time, a description of the 
+signature,  the local and remote ip addresses and ports,  
+the signature id number (if available),  a description of 
+the signature trigger, a portion of the offending payload 
+data, a count of that particular signature, and a count of 
+the number of involved hosts.
+This file gives details that are helpful in evaluating if 
+an event triggered by a signature match is a false-
+positive.
+
+@subsubheading smtp
+All transactions involving the well known smtp port (25) 
+are recorded into this file.  Each entry is marked by an 
+arbitrary session number, allowing full smtp sessions to be 
+reconstructed.
+Each entry contains the date/time, a session number, and 
+smtp connection information or the specific smtp commands 
+transferred.
+This file is often used to examine details of suspect mail 
+sessions.
+
+@subsubheading software
+This file is a record of all unique host/software pairs 
+detected by Bro during the time interval covered by the 
+file.
+Each entry in the file contains the date/time, the ip 
+address of the host, and information about the software 
+detected.
+This file can be useful for cataloging network software.  
+However, population of this file on a busy network often 
+results in a huge number of entries.  Since the relative 
+daily usefulness of the file usually does not warrant the 
+disk space it consumes, the software file is turned off by 
+default.  It can be turned on by <<<instructions>>>
+@comment needs instructions on how to turn on software file
+
+@subsubheading weird
+Network events that are unusual or exceptional are recorded 
+in this file.  A number of these events "shouldn't" or even 
+"can't" happen according to accepted protocol definitions, 
+yet they do.
+Each entry in the file contains the date/time, the local 
+and remote ip addresses and ports, and a short description 
+of the weird activity.
+This file is useful for detecting odd behavior that might 
+normally "fly under the radar" and also for getting a 
+general sense of the amount of "garbage" that is on the 
+network.
+
+@subsubheading worm
+Bro's worm.bro policy detects patterns generated by 
+specific worms and records the instance in this file.  
+Currently, the worms detected are code red1, code red2, 
+nimda, and slammer. 
+Each entry in the file contains the date/time, the worm 
+detected, and the source ip address of the worm.
+This file is useful for spotting hosts that have been 
+infected with worms.
+
+@*@*Other files in the /logs directory are:
+
+@subsubheading .state
+@emph{To be completed}
+@comment need to add definition
+
+@subsubheading active_log
+@emph{To be completed}
+@comment need to add definition
+
+@node The bro/archive Directory
+@appendixsec The bro/archive Directory
+@cindex bro/archive Directory
+
+The archive directory is initially empty.  The script 
+bro/script/bro_log_compress.sh populates the archive directory 
+with compressed log files.
+@comment add URL link to bro_log_compress.sh
+
+@node Other Files
+@appendixsec Other Files
+@comment need to add other files outside of the Bro directory tree
+
+
diff --git a/doc/user-manual/Bro-hardware.texi b/doc/user-manual/Bro-hardware.texi
new file mode 100644
index 0000000000..4a76c7bcbb
--- /dev/null
+++ b/doc/user-manual/Bro-hardware.texi
@@ -0,0 +1,94 @@
+
+@menu
+* Number and Type of Machines Needed::
+* Hard Drive and Controller Considerations::
+* NICs::
+* Taps::
+* ACL Mechanisms::
+@end menu
+@comment ********************************************
+
+@node Number and Type of Machines Needed
+@section Number and Type of Machines Needed
+@cindex Host issues
+
+
+Bro won't run well unless you use suitable hardware.  This section of the Bro User Manual
+describes the many hardware-related issues with which you'll need to deal if Bro is to run
+optimally.
+
+
+The better the equipment, the better Bro will run, so getting the best equipment you can afford is
+a good idea. In particular the speed of the CPU and motherboard will affect Bro's performance in
+filtering, analyzing, reacting and storing the network data that it encounters. Ideally the CPU
+should have a processing speed of around 1GHz or higher and the motherboard should be at least
+500MHz. The CPU and motherboard should be reliable and durable, and if possible obtain
+machines that support dual CPUs. RAM is also extremely important in dealing with the large
+amounts of network throughput without packet drops; a minimum of 1 GB of RAM is thus
+recommended, other than for small networks, with 2 GB approaching the optimal. The amount of motherboard BIOS memory
+can also make a big difference for Bro performance, and having more than one network port is
+also a very good idea, as explained shortly.
+
+The number of machines you will need depends on the scope of your Bro deployment (e.g., how
+many protocols you want to analyze, how much traffic Bro will need to process, whether you
+want to store packet capture data, and so on). No matter how small a deployment you have, you
+will probably at a minimum want two machines, one for bulk recording/data capture and one for
+analyzing live Bro data.  With large deployments Bro is likely to work best with a number of
+machines (perhaps up to five), each dedicated to a specific task. In this latter case it may be best
+to have one machine can perform data capture, another to process and store connection
+summaries, still another to run policy scripts, and a few redundant machines for the sake of
+operational continuity.
+
+
+@comment ********************************************
+
+@node Hard Drive and Controller Considerations
+@section Hard Drive and Controller Considerations
+@cindex Disk Issues
+@cindex Controller Issues
+
+Every Bro machine needs to have at least one large capacity hard drive, a minimum of 60 to 80
+GB of storage (and more in the case of the bulb trace host), and possible a second hard drive, too.
+Bro output files can fill a small capacity hard drive quickly, and the packet capture output can be
+voluminous if Bro is engaging in a considerable amount of analysis because the network
+throughput rate is high or a large amount of anomalous packets are traversing the network where
+Bro is placed.
+
+What type of hard drive is best? Although SCSI (Small Computer System Interface), SATA
+(Serial ATA) or IDE (Integrated Drive Electronics) disks may all potentially prove satisfactory
+from a performance standpoint, many people who run Bro choose IDE if they run Bro on
+FreeBSD. Why -- IDE has been tested in connection with FreeBSD more extensively than the
+other types of disk hardware. Obtaining a high-end disk controller card is also advantageous to
+performance.
+
+
+
+@comment ********************************************
+
+@node  NICs
+@section   NICs
+@cindex  NICs
+
+Bro deployments require at least two NICs, one for capturing network data and the other for
+interfacing with the network so that Bro can be remotely administered. Three NICs can also be
+used, with two of them for acquiring network data (to minimize data loss resulting from packet or
+frame errors) and one for remote administration. High-end NICs are recommended in that they
+generally result in far fewer packet drops or losses than do inexpensive ones. A NIC speed of
+about 1 Gb per second is usually more than sufficient. No more than two NICs for capturing
+network data is necessary.
+
+If two network data acquisition NICs are used, each needs to be suited for the type of network to
+which it will be attached. 
+SysKonnect SK-9844 Gigabit Ethernet cards are recommended because they have been tested extensively with Bro. 
+Having identical NICs is desirable from a management standpoint.
+
+@comment ********************************************
+@node Taps
+@section  Taps
+@cindex Taps
+
+@comment ********************************************
+@node ACL Mechanisms 
+@section  ACL Mechanisms 
+@cindex ACL Mechanisms 
+
diff --git a/doc/user-manual/Bro-installation.texi b/doc/user-manual/Bro-installation.texi
new file mode 100644
index 0000000000..0e403b80f0
--- /dev/null
+++ b/doc/user-manual/Bro-installation.texi
@@ -0,0 +1,432 @@
+
+@menu
+* Download ::
+* Install ::
+* Bro Configuration ::
+* OS Configuration ::
+* Encrypted Reports ::
+* Generating Reports on a Separate Host ::
+@end menu
+
+@node Download
+@section Download
+@cindex download
+
+Download Bro from: @uref{http://www.bro-ids.org/}
+
+You can unpack the distribution anywhere except into the directory
+you plan to install into. To untar the file, type:
+
+@example
+tar xzf bro-pub-0.9-current.tar.gz
+@end example
+
+@node Install
+@section Install
+@cindex BROHOME
+
+You'll need to collect the following information before beginning the installation.
+
+@itemize
+@item localnets: a list of local subnets for your network. Bro needs to know which networks are "internal" and which are "external".
+
+@item interface names: the names of the capture interfaces in your host (e.g. sk0 or en1). Use @code{ifconfig -a} to get the list of all network interfaces on your Bro host.
+@end itemize
+
+If you want to use Bro's periodic email report feature, you'll also need:
+@itemize
+@item email list: a list of email addresses to send the reports to.
+
+@item PGP keys: if you want to encrypt all email reports, the location of the 
+@uref{http://www.gnupg.org/,GPG keyring} of all recipients.
+@end itemize
+
+Bro is easy to install. Log in as @code{root}, and type:
+@example
+./configure
+@end example
+By default Bro is installed in @code{/usr/local/bro}. 
+This location
+is referred to in the rest of the manual as @code{$BROHOME}.
+To install Bro in a location other than @file{/usr/local/bro}, use:
+@example
+./configure --prefix=/path/to/bro
+@end example
+By default Bro uses the version of libpcap that is installed on
+the system. If your system version older than version 0.7.2, you can run configure
+Bro with --enable-shippedpcap to use the version of libpcap that comes packaged
+with Bro. For example:
+@example
+./configure --enable-shippedpcap
+@end example
+
+Then type:
+@example
+make
+make install
+@end example
+or
+@example
+make install-brolite
+@end example
+
+Use @emph{make install} to install all the Bro binaries and policy script files. Use
+@emph{make install-brolite} to also run the configuration script (described in the next section) and install all the configuration files and @code{cron} jobs. @emph{make install} can be run as any user, but @emph{make install-brolite} requires
+you to be root.
+
+To update an existing Bro installation with new binaries and standard policy files, instead
+of @code{"make install"} do a @code{"make update"}. This will preserve all your local customizations.
+
+Then add @code{$BROHOME/bin} and @code{$BROHOME/scripts} to your $PATH to use
+Bro's utilities and scripts.
+
+Also note that this documentation is installed in @code{$BROHOME/docs} as both HTML and PDF versions.
+
+@node Bro Configuration
+@section Bro Configuration
+@cindex bro_config
+@cindex bro.cfg
+
+The @emph{Bro-Lite} configuration script can be used to automatically configure (or reconfigure) Bro for you. It
+checks your system's BPF settings, creates a "bro" user account, installs
+a script to start Bro at boot time, installs the report generation package,
+and installs a number of @code{cron} jobs 
+to checkpoint Bro every night, run periodic reports, and manage log files.
+
+To run this configuration script type:
+@example
+bro_config
+@end example
+
+
+This script creates the file @file{$BROHOME/etc/bro.cfg}.
+@code{bro_config} will ask a number of simple questions. Note
+that the full functionality of this script is only supported
+under FreeBSD. Some additional configuration may need to be
+done by hand under Linux.
+
+Sample output of @code{bro_config}, along with explanation, is shown below:
+
+@quotation
+
+@verbatim
+Running Bro Configuration Utility
+Checking interfaces ....  Done.
+Reading /usr/local/bro/etc/bro.cfg.example for defaults.
+@end verbatim
+@quotation 
+@quotation 
+The @code{bro_config} script looks first at ./bro.cfg, then /usr/local/bro/etc,  
+for default values to use below.
+@end quotation
+@end quotation
+
+@verbatim
+Bro Log archive location [/usr/local/bro/archive] 
+@end verbatim
+@quotation
+@quotation
+This is the directory where log file archives are kept. 
+If you expect the log files to be very large, it is recommended to put these in a separate disk partition.
+@end quotation
+@end quotation
+
+@verbatim
+User id to install and run Bro under [bro] 
+@end verbatim
+@quotation
+@quotation
+@code{bro_config} will create a new user account with this username if the user does not exist. 
+@end quotation
+@end quotation
+
+@verbatim
+Interface names to listen on. [en1,en2] 
+@end verbatim
+@quotation
+@quotation
+@code{bro_config} looks for all network interfaces and does a short test to determine which interfaces see the most traffic, and selects these interfaces as the default. 
+@end quotation
+@end quotation
+
+@verbatim
+Site name for reports (i.e. LBNL, FOO.COM, BAZ.ORG) [] 
+Starting Report Time [0600]
+Report interval (in hours) [24]
+Email addresses for reports [bro@localhost] 
+@end verbatim
+
+@quotation
+@quotation
+Daily reports will be created.  
+Enter the site name you want to appear at the top and in the subject of all email reports.
+The "start time" and "interval" define the window of 
+network activity that the daily report will cover, starting at "Starting Report Time" and 
+lasting through "Report interval". The start time should be entered using 24hr clock notation. 
+For example: 12:30AM = 0030,  2PM = 1400
+@end quotation
+@end quotation
+
+
+@verbatim
+Do you want to encrypt the email reports (Y/N) [N]
+Y
+@end verbatim
+@quotation
+@quotation 
+If you want the email reports encrypted, you will need to set up GPG (@uref{http://www.gnupg.org})
+and create a GPG keyring containing the public keys of all email recipients. Instructions 
+for this are in @ref{Encrypted Reports}.
+@emph{Note: PGP keys are compatible with GPG, but the Bro supplied scripts 
+require GPG, not PGP}.
+
+@end quotation
+@end quotation
+
+@verbatim
+Running script to determine your local subnets ... 
+Your Local subnets [198.129.224.1/32] 
+@end verbatim
+
+@quotation
+Bro needs to know a list of your local subnets. @code{bro_config} runs a tool 
+that attempts to discover this automatically. 
+You should always verify the results of this tool. The format is a list of subnet/significant 
+bits of address. 
+For example: 131.243.0.0/16, 198.128.0.0/18, 198.129.224.1/32
+This information will be stored in the file @code{$BROHOME/site/local.site.bro}
+@end quotation
+
+@verbatim
+Saving settings to file: /usr/local/bro/etc/bro.cfg
+Bro configuration finished. 
+To change these values, you can rerun bro_config at any time.
+@end verbatim
+@quotation
+Indicates that the script finished successfully.
+@end quotation
+
+@end quotation
+
+For site monitoring very high traffic rates on Gigabit Ethernet, there is some
+additional system tuning that should be done. See the @ref{Performance Tuning} 
+section for more details.
+
+To reconfigure Bro, run:
+@example
+BRHOME/scripts/bro_config
+@end example
+
+This will update your @file{/usr/local/bro/etc/bro.cfg} file. You can also edit this file using your favorite editor if you prefer.
+
+For other site customizations, you can edit the file $BROHOME/site/brohost.bro.
+For example, to tell bro to not look at traffic for host 198.162.44.66, add:
+@verbatim
+     redef restrict_filters += {
+       ["ignore host 198.162.44.66 "] =
+	 "not host 198.162.44.66"
+     };
+@end verbatim
+
+More details are available in the section on @ref{Customizing Bro}.
+
+@node OS Configuration
+@section OS Configuration
+
+This section contains information on critical OS tuning items. More detailed
+tuning information can be found in the section on @ref{Performance Tuning}.
+
+@strong{FreeBSD Configuration}
+
+The standard FreeBSD kernel imposes a per-process limit of 512 MB of memory.
+This is not enough for most Bro installations. 
+
+To check your current limit type:
+
+@smallexample
+limits -H
+@end smallexample
+
+Unfortunately the only way to increase this limit in FreeBSD 4.x
+is to reconfigure and rebuild the kernel.
+In FreeBSD 5.x it is much easier. Just increase
+@code{kern.maxdsiz} in @file{/boot/defaults/loader.conf} and reboot.
+For example:
+@smallexample
+kern.maxdsiz="2G"
+@end smallexample
+
+
+and look at the @code{datasize} setting, which should be the same
+as your amount of RAM. If this is not true, see section @ref{Hardware and OS Tuning}
+for information on fixing this.
+
+For FreeBSD 5.3+, BPF devices are no longer created using MAKEDEV, but rather are
+created on demand. This is configured automatically by running '@code{make install-brolite}',
+or you can figure it by hand by adding the following to @code{/etc/rc.local}
+
+@verbatim
+devfs ruleset 15
+devfs rule add 15 path 'bpf*' mode 660 user bro
+@end verbatim
+ 
+
+@strong{Linux Configuration}
+
+You may want increase these for a high traffic environment.
+
+@emph{not done: need to get recommended values for these}:
+
+@verbatim
+/proc/sys/net/core/rmem_default (IP-Stack socket receive queue)
+/proc/sys/net/core/rmem_max     (similar to rmem_default)
+/proc/sys/net/core/netdev_max_backlog (queue between driver and socket)
+@end verbatim
+
+
+@node Encrypted Reports 
+@section Encrypted Reports 
+@cindex GPG
+
+Bro can use GPG (@uref{http://www.gnupg.org/}) to encrypt
+the reports that it sends. To have Bro encrypt your
+reports you must have said "yes" to the bro_config question to
+encrypt your reports. 
+Then each email recipient much generate a public/private key pair, and their public key 
+must be installed on the Bro machine in the home directory of the user running
+the Bro process.
+
+To create a key-pair:
+
+@example
+gpg --gen-key
+@end example
+
+To export the public key:
+
+@example
+gpg --armor --output mykey.gpg --export myemail@@address.com
+@end example
+
+Then login to the machine running Bro and import the list of public keys:
+
+@example
+gpg --import mykey.gpg
+@end example
+
+
+Then you must to make the list of keys "trusted" so that they can be used
+to encrypt the email reports. To do this, you must 
+edit the key to add "ultimate" trust to the key.
+
+@example
+gpg --edit-key myemail@@address.com
+
+pub  1024D/4A872E40  created: 2001-02-05 expires: never      trust: -/f
+sub  3072g/B72DD7FE  created: 2001-02-05 expires: never     
+(1). Some R. User <myemaill@@address.com>
+
+Command> trust
+pub  1024D/4A872E40  created: 2001-02-05 expires: never      trust: -/f
+sub  3072g/B72DD7FE  created: 2001-02-05 expires: never     
+(1). Some R. User <myemail@@address.com>
+
+Please decide how far you trust this user to correctly
+verify other users' keys (by looking at passports,
+checking fingerprints from different sources...)?
+
+ 1 = Don't know
+ 2 = I do NOT trust
+ 3 = I trust marginally
+ 4 = I trust fully
+ 5 = I trust ultimately
+ m = back to the main menu
+
+Your decision? 5
+Do you really want to set this key to ultimate trust? yes
+
+pub  1024D/4A872E40  created: 2001-02-05 expires: never      trust: u/u
+sub  3072g/B72DD7FE  created: 2001-02-05 expires: never     
+(1). Some R. User <myemail@@address.com>
+
+Command> quit
+
+@end example
+
+For more information on GPG see @uref{http://www.gnupg.org/}
+
+@node Generating Reports on a Separate Host 
+@section Generating Reports on a Separate Host 
+@cindex report generate, separate host
+@cindex GPG
+
+@emph{Warning: this section assumes a reasonably high level of Unix system administration skills!}
+
+If your site has lots of traffic, lots of connections, or if Bro is using on average more than around 40% of your CPU,
+you'll want to use a second host for generating reports.
+
+To do this, on the Bro host, run bro_config, and say "N" to all report generation questions.
+Then install Bro on the second host using the following:
+
+@example
+./configure
+make
+make install-reports
+@end example
+
+Then follow the instructions in @ref{Bro Configuration} for setting up report generation.
+
+You'll also need to set up a method to copy files from the Bro host to the report generation
+host. One way to do this is using @code{rsync}, and the Bro script @code{push_logs.sh} 
+does this for you. For example, you can set up a cron job
+like this on the Bro host:
+
+@example
+1 1 * * * (push_logs.sh /usr/local/bro/etc/bro.cfg host:/home/bro) >> /tmp/bro-push.log
+@end example
+
+To make sure your @code{rsync} command has time to transfer
+all log files before your report generation
+script is run, the @code{push_logs.sh} script is designed to be used with the scripts
+@code{frontend-site-report.sh} and @code{frontend-mail-report.sh} on the frontend host. 
+These @code{frontend} scripts wait for a file with a particular name to exist before running.
+It is also important to use the @code{nice} 
+command to help ensure the network copy does not unduly divert processing away from Bro.
+
+You may want to @code{rsync} the log files over a secure ssh connection. To do this,
+you need to first generate a ssh key pair on the Bro capture host with no passphrase:
+@example
+ssh-keygen -t rsa -C "batch key" -f ./batch.key
+@end example
+
+Put this in user @code{bro}'s .ssh/config file, also on the Bro capture host
+@example
+Host recvhost brohost.foo.com
+IdentityFile ~/.ssh/batch.key
+@end example
+
+On the frontend host where the log files will be processed, add batch.pub 
+to the authorized_keys file
+@example
+cat batch.key.pub >> authorized_keys
+@end example
+
+Then create a cron entry on the Bro capture host 
+@example
+1 1 * * * nice -n 20 rsync -e 'ssh' -azv \
+  /usr/local/bro/logs host:/home/bro
+@end example
+
+@comment @node Web GUI Installation / Configuration 
+@comment @section Web GUI Installation / Configuration 
+
+@comment The Bro Web Logfile viewing GUI is not yet packaged in an easy to install format.
+@comment However if you want to give try installing it, there are
+@comment instructions at:
+@comment @uref{http://www.icir.org/twiki/bin/view/Bro/BrooeryGUI/}
+@comment 
+@comment This web GUI can run on a lightly loaded Bro host, but it is recommended to run this on a separate host. Use the @code{rsync} method described in 
+@comment @ref{Generating Reports on a Separate Host} to
+@comment copy files to the web host. Note: this web server should NOT be publicly accessible
+@comment to the Internet. Information in the log files is generally very sensitive.
+@comment 
diff --git a/doc/user-manual/Bro-intrusion-prevention.texi b/doc/user-manual/Bro-intrusion-prevention.texi
new file mode 100644
index 0000000000..99ce165120
--- /dev/null
+++ b/doc/user-manual/Bro-intrusion-prevention.texi
@@ -0,0 +1,91 @@
+
+Bro includes two important @emph{active response} capabilities that allow sites to use Bro
+for intrusion prevention, and not just intrusion detection. These include the ability to
+terminate a connection known to be an intrusion, and the ability to update a
+blocking router's access control list (ACL) to block attacking hosts.
+
+@menu
+* Terminating a Connection ::
+* Updating Router ACL ::
+@end menu
+
+@node Terminating a Connection
+@section Terminating a Connection
+@cindex Terminating a Connection
+
+The Bro distribution includes a program called @code{rst} that will terminate
+a active connection by sending a TCP "reset" packet to the sender. 
+The @code{ftp} and @code{login} analyzers look for connections that should be terminated.
+All connections from a @uref{http://www.bro-ids.org/Bro-reference-manual/hot_002dids-Module.html, 
+@code{forbidden_id}} get flagged for termination, as well as any service
+defined in @code{terminate_successful_inbound_service}. 
+
+Connection termination is off by default. To enable it, redefine the following
+flag in your @file{site/site.local.bro} file:
+
+@example
+  redef activate_terminate_connection = T ;
+@end example
+
+Connections are terminated using the @code{rst} program, which is installed
+in $BROHOME/bin. To use this program change the file permission to be setuid root.
+Whenever a connection is terminated you will see a @code{TerminatingConnection} alarm.
+If Bro detects a connection that Bro thinks is a candidate for termination, but
+@code{activate_terminate_connection = F}, then you will see the alarm: 
+@code{IgnoreTerminatingConnection}.
+
+You may want to add a number of services to the list of forbidden services. 
+For example, to terminate all successful attempts
+to access the RPC portmapper via TCP from an external network, you would add this:
+
+@verbatim
+    redef terminate_successful_inbound_service += {
+        [111/tcp] = "disallow external portmapper"
+    }; 
+@end verbatim
+
+This will prevent NFS connections from external hosts. P2P services such as KaZaa can 
+also be terminated in this manner. You can make exceptions to 
+@code{terminate_successful_inbound_service}
+by redefing @code{allow_services_to}. See @code{hot.bro} for details.
+
+@comment {Note: This functionality may no longer work. should include a more complex example here.}
+
+@comment : XXX For example, show a config for:
+@comment :   deny all NFS except to subnet XXX
+@comment :   deny all netbios except to subnet XXX
+@comment :   deny all Kazaa
+@comment :   deny all FTP except to host Y, Z
+@comment :     further restrict anonymous FTP to only host P
+@comment :   deny all DHCP servers except  a,b,c
+@comment :   deny all DNS except a,b,c
+@comment :   deny all SMTP except a,b,c
+@comment :   deny all pop, imap  to hosts a.b.c
+@comment :      only allow encrypted imap
+
+@node  Updating Router ACL
+@section  Updating Router ACL
+@cindex  Updating Router ACL
+
+Bro can be used to send the IPs of scanning or attacking hosts to your router, so
+that the router can drop these hosts.
+
+Since every router does this differently, you will need to write a script that works for your
+router. 
+
+To active your custom drop script, add this to your hostname.bro file:
+
+@verbatim
+ @load scan
+ redef can_drop_connectivity  = T;
+ redef drop_connectivity_script = "my_drop_script";
+@end verbatim
+
+
+At LBL we use a program called @uref{http://www-nrg.ee.lbl.gov/leres/acl2.html, acld}
+to update the ACLs in our boarder routers on the fly.
+This code is available at:  ftp://ftp.ee.lbl.gov/acld.tar.gz
+
+
+
+
diff --git a/doc/user-manual/Bro-log-files.texi b/doc/user-manual/Bro-log-files.texi
new file mode 100644
index 0000000000..2891ede950
--- /dev/null
+++ b/doc/user-manual/Bro-log-files.texi
@@ -0,0 +1,3 @@
+
+
+coming soon
diff --git a/doc/user-manual/Bro-offline-analysis.texi b/doc/user-manual/Bro-offline-analysis.texi
new file mode 100644
index 0000000000..17c22a725a
--- /dev/null
+++ b/doc/user-manual/Bro-offline-analysis.texi
@@ -0,0 +1,102 @@
+
+@strong{NOTE: This chapter still a very rough draft and incomplete}
+
+Bro is most effective when used in conjunction with bulk traces
+from your site. Capturing bulk traces just involves using @code{tcpdump}
+to capture all traffic entering and leaving your site.
+
+Bulk traces can be very valuable for forensic analysis of all traffic
+in and out of a compromised host. It is also needed to run some
+particularly CPU intensive policy analyzers that can not be done
+in real time (as described in the Off-line Analysis section below).
+
+Depending on your traffic load, you might be able to bulk capture on
+the Bro host directly, but in general we recommend using a separate
+packet capture host for this. Unless you want to buy a huge amount
+of disk, you'll probably only be able to save a few days worth
+of traffic.
+
+@menu
+* Bulk Traces ::
+* Off-line Analysis ::
+@end menu
+
+@node Bulk Traces
+@section Bulk Traces 
+@cindex Bulk Traces
+
+The Bro distribution includes a couple scripts to make bulk capture
+easier. These are:
+
+@code{spot-trace}: called by @code{start-capture-all} script
+
+@code{start-capture-all}: captures all packets. This script looks
+for an existing instance of the @code{spot-trace} program, and if it finds one
+creates a new capture file name with an incremented filename, 
+and continues capturing data. Bulk
+capture files can get very large, so typically you run this as
+a cron job every 1-2 hours.
+
+@code{bro_bulk_compress.sh}: compress and/or delete old bulk trace files. Run as a cron job. 
+
+@comment XXX: need more details here: eg: edit bro.cfg settings, etc.
+
+Since the bulk trace files can be huge, you often will want 
+to run tcpdump on the raw trace with a filter to extract the packets 
+of interest. For example:
+
+@smallexample
+tcpdump -r bulkXXX.trace -w goodstuff.trace 'host w.x.y.z'
+@end smallexample
+
+If you know that that packets you want are bounded by a time interval, say
+it occurred 1:17PM-1:18PM, then you can speed this up a great deal
+using @uref{ftp://ftp.ee.lbl.gov/tcpslice.tar.Z, tcpslice}.
+For example:
+
+@smallexample
+tcpslice 13h15m +5m bulkXXX.trace | tcpdump -r - -w goodstuff.trace 'host w.x.y.z'
+@end smallexample
+
+It is recommend to use a somewhat broader time interval for tcpslice
+(such as in the above example) than when
+Bro reported the activity occurred, so you can catch additional related
+packets cheaply.
+
+
+@node Off-line Analysis
+@section Off-line Analysis
+@cindex Off-line Analysis
+
+There are some policy modules that are meant to be run as off-line
+analysis on bulk trace files. These include:
+
+@code{backdoor.bro}:  looks for standard services running on non-standard ports.
+These services include ssh, http, ftp, telnet, and rlogin.
+
+To run Bro on a tcpdump file, do something like this:
+
+@comment ### XXX we really need a version of this that works with tcsh, grrrr ...
+@smallexample
+# set up the Bro environment (sh or bash)
+. /usr/local/bro/etc/bro.cfg
+/usr/local/bro/bin/bro -r dumpfile backdoor.bro 
+@end smallexample
+
+To use Bro to extract the contents of a trace file, do:
+@smallexample
+    bro -r tracefile contents
+@end smallexample
+
+which will load policy/contents.bro.  It stores the contents of each
+connection in two files, contents.H1.P1.H2.P2 and contents.H2.P2.H1.P1,
+where H1/P1 is the host/port of the originator and H2/P2 the same for the
+responder. 
+
+You can extract just the connections of interest using, for example:
+@smallexample
+    bro -f "host 1.2.3.4" -r tracefile contents
+@end smallexample
+
+
+
diff --git a/doc/user-manual/Bro-output.texi b/doc/user-manual/Bro-output.texi
new file mode 100644
index 0000000000..ffce7a17ad
--- /dev/null
+++ b/doc/user-manual/Bro-output.texi
@@ -0,0 +1,806 @@
+
+This section explains the contents of the various output files and reports
+that Bro creates.
+
+@menu
+* Alarm File::
+* Connection Summary File::
+* Analyzer-specific Files::
+* Tracefiles::
+* Bro Summary Reports::
+@comment add someday? * Creating your own Custom Output::
+@end menu
+
+@section Rotating Log Files
+
+There are a number of ways to control the rotation of Bro's log files.
+Here are some examples:
+
+@verbatim
+
+# if using one log, must open append (default = truncate )
+@load log-append
+
+@load rotate-logs
+
+# rotate at midnight
+redef log_rotate_base_time = "0:00";
+
+# do not rotate on shutdown  (default = T)
+redef RotateLogs::rotate_on_shutdown = F;
+
+# rotate frequency
+redef log_rotate_interval = 24 hr;
+
+@end verbatim
+
+
+@comment ********************************************
+
+@node Alarm File
+@section Alarm File
+
+@subsection Alarm File Format
+
+The alarm.log is 
+a 'tagged' format that is fairly self descriptive. This is
+an example from the alarm.log file:
+
+@verbatim
+   t=1000057981.940712 no=AddressScan na=NOTICE_ALARM_ALWAYS sa=10.1.1.1 sp=2222/tcp da=10.2.2.2 dp=3333/tcp msg=10.1.1.1\ has\ scanned\ 2000\ hosts\ (3333/tcp
+) tag=@42
+@end verbatim
+
+Where the tags indicate the following:
+@itemize
+@item t: time
+@item no: notice
+@item na: notice action
+@item sa: source address
+@item sp: source port
+@item da: destination address
+@item dp: destination port
+@item msg: message (in this case a host has scanned 20 hosts)
+@item tag: identifier to match this to lines in notice.log and conn.log:
+@end itemize
+
+The alarm file format is designed to be easy to parse and interpret by programs, not humans.
+
+@subsection Sample Alarm File Contents
+
+@emph{NOTE: the examples in this section still use the old log format. This needs to be updated}
+
+@c XXX fix these
+
+Bro generates a number of types of alarms, such as suspicious connection attempts directed 
+at your systems (address scanning), port scans, and attempts to gain access to user accounts. 
+We describe some of these in more detail here.
+
+@strong{Vulnerability scans directed against systems}
+
+The first category of suspicious connection attempts that Bro identifies and reports is vulnerability scans directed against systems. 
+Instead of burdening you with every vulnerability scan (no matter how tiny) against systems that occurs, 
+it reports only scans that occur at or above its threshold in terms of a specified size, such as the number of vulnerability scan attempts per second. 
+The following entry indicates that IP address 66.243.211.244 has scanned 10000 of your systems on tcp port 445, the port used by newer Windows systems such as Windows 2000, XP and Server 2003 for share access: 
+
+@smallexample
+Nov 16 06:30:49 AddressScan 66.243.211.244 has scanned 10000 hosts (445/tcp)
+@end smallexample
+
+Important note: If the source of a scan is an IP address within your own network, the probability that this system is infected or has been taken over by an attacker is very high.  
+
+At the bottom portion of each Bro report summaries of scan activity also will appear for your convenience (see the bottom part of Figure 1). Scan summaries look like the following:  
+
+@smallexample
+Nov 16  8 01:30:11 ScanSummary 194.201.88.100 scanned a total of 145 hosts
+@end smallexample
+
+@strong{Port scanning }
+
+Port scanning means that a system has targeted one system, connecting to one port, then another, until it has scanned a whole range of ports.  In the following example a system with an IP address of 218.204.91.85 has scanned 50 ports of a system named diblys.dhcp within an internal network:  
+
+@smallexample
+Nov 16 06:30:50 PortScan 218.204.91.85 has scanned 50 ports of siblys.dhcp
+@end smallexample
+
+An address dropped entry is likely to appear shortly after a port scan is reported. In the following entry, the system with an IP address of 218.204.91.85 was systematically probing low ports, that is, ports in the range from 0 to 1023, on sibyls.dhcp:
+
+@smallexample
+Nov 16 06:30:52 AddressDropped low port trolling 218.204.91.85 403/tcp
+@end smallexample
+
+
+@strong{Connection attempts}
+
+Bro finds attacks against user accounts, such as password guessing attempts. When it does, it reports them as follows:   
+
+(Need example here)
+
+@strong{Weird events}
+
+Bro labels unusual or exceptional events as @emph{weird} Weird events include a wide range of events, including malformed connections, 
+attacker's attempts to confuse or evade being detected, malfunctioning hardware, or misconfigured systems or network devices such as routers. 
+Some weird events could be the result of an attack; others are just anomalies. 
+The better you know your own systems and networks, the more likely you will be to correctly determine whether or not weird events compromise an attack. 
+Weird events are divided into three categories: 
+
+@enumerate
+1. Weird connections that are not formed in accordance with protocol conventions such as the way the tcp protocol should work
+
+1. Weird flows in which data is being sent between two systems, but no specific connection between them can be identified, and 
+
+1. Weird network behavior that cannot be associated with any particular system. 
+@end enumerate
+
+The following entry shows a weird connection in which packets are being sent between systems in what 
+appears to be an ongoing ftp session, but Bro has not identified any initial connection attempt (i.e., there is an @emph{ack above a hole}): 
+
+@smallexample
+Nov 16 06:30:58 WeirdActivity window/50406 > klecker.debian.org/ftp ack above a hole
+@end smallexample
+
+The next entry (below) shows another weird traffic pattern in which eqvaadvip1.doubleclick.net has sent a flood of FIN packets, packets that tell the other system in a connection to terminate the connection, to bcig-8 within the network that Bro protects.  
+
+@smallexample
+Nov 16 06:32:09 WeirdActivity bcig-8/2044 > eqvaadvip1.doubleclick.net/http: FIN_storm
+@end smallexample
+
+Here's another one --- in this case a system with an IP address of 222.64.93.208 has sent a flood of packets that have both the SYN and the ACK flags set, something that should normally happen only once in a TCP session. @command{nsx} is the destination system.  
+
+@smallexample
+Nov 16 06:30:58 WeirdActivity 222.64.93.208/1115 > nsx/dns: repeated_SYN_with_ack
+@end smallexample
+
+Packets sent over networks are often broken up (or @emph{fragmented}) for various reasons. 
+Fragmented packets are not necessarily a sign of an attack, but large fragments can 
+indicate suspicious activity such as attempts to cause denial of service. 
+In the following example Bro has identified a very large packet fragment sent by p508c7fc5.dip.t-dialin.net to an internal system with an IP  address of 131.243.3.162:  
+
+@smallexample
+Nov 16 06:30:50 WeirdActivity p508c7fc5.dip.t-dialin.net -> 131.243.3.162: excessively_large_fragment
+@end smallexample
+
+Sometimes attackers attempt to evade being detected by sending malformed packets to the system they are attacking. 
+The receiving system cannot process them, so it informs the sending (attacking system) accordingly, asking it to resend them. 
+The sending system may now send packets that constitute an attack. Some intrusion detection systems (but not Bro) ignore what is resent because in theory it is unnecessary to reanalyze what has already been sent. 
+Bro detects this kind of retransmission inconsistency (@emph{rexmit inconsistency}) and reports it. 
+The following example shows that there has been retransmission inconsistency in packets 
+sent by a system at IP address 131.243.223.212 to origin2.microsoft.com:  
+
+@smallexample
+Nov 16 06:30:59 RetransmissionInconsistency 131.243.223.212/2270 > origin2.microsoft.com/http @/ rexmit inconsistency (HTTP/1.1 200 OK^M^JDate: Tue, 16 Nov 2004
+@end smallexample
+
+
+@comment ********************************************
+@node Connection Summary File
+@section Connection Summary File
+
+See the 
+@uref{http://www.bro-ids.org/Bro-reference-manual/Connection-summaries.html, Connection Summary} 
+section in the reference manual for a description of the @code{conn.log} files.
+
+@comment ********************************************
+
+@node Analyzer-specific Files
+@section Analyzer-specific Files
+
+A number of analyzers such as HTTP and FTP generate their own log files. These files are
+fairly self explanatory.
+
+coming soon: sample http.log, ftp.log, etc
+
+@comment ********************************************
+
+@node Tracefiles
+@section Tracefiles
+
+Bro can be configured to output captured packets that look to be part of suspicious sessions.
+These files are in @code{tcpdump} format.
+
+@comment ********************************************
+
+
+@node Bro Summary Reports
+@section Bro Summary Reports
+
+@cindex e-mail reports
+
+@emph{NOTE: The Bro report facility is still under development. This section
+may be out of date. }
+
+Bro reports are generated using the @command{site-report.pl} script, which is
+typically run as a nightly @command{cron} job.
+
+A daily report is created that covers three sets of
+information:
+
+@itemize
+@item Incident information
+@item Operational status of Bro
+@item General network traffic information
+@end itemize
+
+The reports will be mailed to the email addresses specified during
+Bro installation.  These email addresses can be changed by re-running
+the @code{bro_config} script or by editing @code{$BROHOME/etc/bro.cfg} directly.
+
+@cindex incident
+@cindex incident type
+@cindex report period
+@cindex alarm
+@cindex connection, successful
+@cindex connection, unsuccessful
+@cindex connection, history
+@cindex scans
+@cindex scan, definition
+@cindex scans, successful
+@cindex system statistics
+@cindex traffic statistics
+
+The report is divided into three parts, the summary, incidents, and
+scans.  The summary includes a rollup of incident information, Bro
+operational statistics, and network information.  The incidents section
+has details for each Bro alarm.  The scans section gives details about
+scans that Bro detected.
+
+@subsection Parts of a Report
+
+@subsubheading Header
+The header gives some basic information about the report.
+@quotation
+@strong{Site name} is determined by the "Site name for reports" that was
+given during the installation and configuration process.
+@*@*
+@strong{Start time and interval} of the report are also entered during
+the configuration process.
+@end quotation
+@xref{Bro Configuration}.
+
+@subsubheading Summary
+This section give a numeric summary of the events that have happened in
+the reporting period.
+@quotation
+@strong{Incidents} shows the number of incidents that are recorded in
+the report period.  An incident is any occurrence that is deemed worth
+investigating.  An incident is formed by the triggering of one or more
+alarms.
+@*@*
+@strong{Scanning Hosts} are the number of specific IP addresses that
+have been detected scanning either into or out from the site.@*
+@quotation
+ @strong{A scan can be a:}
+ @itemize
+ @item @strong{port scan:} scanning several ports of a single host.
+ @item @strong{network scan:} scanning several hosts for open
+       ports.
+ @item @strong{signature scan:} attacking multiple hosts with a
+       specific vulnerability attack (signature).
+ @item @strong{targeted attack:} launching multiple signatures against
+       a single host.
+ @item @strong{password scan:} attempts to guess passwords on telnet
+terminals.
+ @end itemize
+
+@*
+ @strong{A successful scan is when:}
+ @itemize
+ @item the bytes sent by a single probe of a scan against a host or
+several hosts are more than three deviations away from the standard
+deviation of the rest of scan.  In essence, where the bytes transferred
+on one connection is different than the rest of the scan other
+connections involved in the scan.
+ @item a separate connection back to the attacker host is detected from
+the local network.
+ @item the number of bytes sent back from the targeted victim host to
+the offender during a scan connection exceeds 20480.
+ @end itemize
+@end quotation
+
+@comment ### it occurs to me that summarizing signatures here, but not alarms in general, probably overemphasizes the importance of signatures vs. other types of analysis.
+@strong{Signature Summary} shows the total number of alarms triggered by
+signatures during the report period and the number of those that are
+unique. These numbers do not include alarms triggered by embedded Bro
+rules. @xref{Understand What Triggered the Alarm(s)}.
+@end quotation
+
+@subsubheading Signature Distributions
+This is a list of all signatures that were triggered during the report
+period.
+@*
+NOTE:  This section does not include alarms triggered by embedded Bro
+rules. @xref{Understand What Triggered the Alarm(s)}.
+
+@quotation
+@strong{Count} is the number of times the signature was seen.
+@*@*
+@strong{Unique Sources} is the number of unique ip addresses that used
+the specific signature as an attack.
+@*@*
+@strong{Unique Dests} is the number of unique ip addresses that were
+attacked by the particular signature.
+@*@*
+@strong{Unique Pairs} are the number of unique source/dest ip address
+pairs where the source used the signature to attack the destination.
+@end quotation
+
+@subsubheading Incidents
+@quotation Legend
+This is the legend for reading the @i{connections} portions of the each
+incident.  It is shown once on each report at the top of the
+@i{Incidents} section.
+@end quotation
+@quotation Incident number
+Each incident listed in the Bro report is assigned a unique, sequential,
+identification number prefixed with the organization identifier.  This
+number is unique for all incidents, not just to the daily reports.
+@end quotation
+@quotation Remote and Local hosts
+The Remote and Local hosts are identified by both ip address and
+hostname.  The local hosts are those that are in local subnets as
+determined during Bro configuration.  It is important to note that
+@i{remote host} does not infer @i{attack host}.  Attacks can come from
+local hosts (indicating an inside hacker or a compromised host).
+@end quotation
+@quotation Alarms
+The network event(s) that Bro detects and identifies as possible
+attacks.  There are two general types of alarms, those triggered by
+signatures and those triggered by Bro rules.
+@xref{Understand What Triggered the Alarm(s)}, for more information about the differences.
+All alarms will include the date/time of the attack, the direction of
+the attack, and the ports involved.  A @code{SensitiveSignature} will
+include the signature code and payload to help evaluate what triggered
+the alarm.  Embedded Bro rules will include the payload and a session
+number which can be used for further investigation in the logs.
+@xref{Examine HTTP FTP or SMTP Sessions}.
+@end quotation
+@quotation Connections
+A list of the first 25 connections after the first alarm is triggered
+that are attempted between the attacking and victim host.  This
+tabulation of connections can be used to see if connections were
+accepted by the victim host, the amount of bytes transferred in both
+directions, the timing between the connections, and the ports involved.
+@end quotation
+
+@subsubheading Scans 
+This is a summary of the ip addresses involved in successful scans, the
+type of scans, and the attacks used by the scanners.
+
+@subsubheading Connection Log Summary
+This section gives a overview of the most prominent connections that 
+have occurred during the report period, as shown by way of five tables.
+
+@quotation Site-wide connection statistics
+The number of successful and unsuccessful connections and the ratio
+between the two.
+@end quotation 
+@quotation Top 20 Sources 
+Hosts that have initiated the most connections.
+@end quotation 
+@quotation Top 20 Destinations
+Hosts that have accepted connections.
+@end quotation 
+@quotation Top 20 Local E-mail Servers
+The most active E-mail servers.
+@end quotation 
+@quotation Top 20 Services
+The services, as determined by port number, that have been involved in
+connections.
+@end quotation
+
+@subsubheading Byte Transfer Pairs
+This section gives a summary of the ip address address pairs that have
+transferred the most bytes during the report period.
+
+@subsection Annotated Example Report:
+
+@verbatim
+Site Report for ORG_NAME 
+from 2004/11/03 00:00:00 to 2004/11/04 00:00:00
+generated on Sat Nov 13 12:02:48 2004
+@end verbatim
+
+@quotation annotation
+@i{ORG_NAME will normally be replaced with "Site name for reports" that
+was given during the installation and configuration process.}
+@end quotation
+
+@verbatim
+========================================================================
+Summary
+========================================================================
+@end verbatim
+
+@quotation annotation
+@i{Since this report is simple and only includes two incidents, the
+summary is rather uninteresting.  A glance at this summary would reveal
+a rather "slow" day (for which you should be thankful).}
+@end quotation
+
+@verbatim
+  Incidents               2
+  Scanning Hosts
+    Successful            8
+    Unsuccessful          15
+  Signature Summary
+    Total signatures          2
+    Unique signatures         2
+    Unique sources            2
+    Unique destinations       2
+    Unique source/dest pairs  1
+@end verbatim
+
+@quotation annotation
+@i{Since the same to ip addresses were involved in both signature
+attacks, there is only one unique source/dest pair.}
+@end quotation
+
+@verbatim
+========================================================================
+Signature Distributions
+========================================================================
+                                       Unique      Unique    Unique
+  Signature ID               Count     Sources     Dests      Pairs
+  ------------------------  --------  ---------  ---------  --------
+  bro-687-5                 1          1          1          1
+  bro-144-3                 1          1          1          1
+========================================================================
+Incident Details
+========================================================================
+@end verbatim
+
+@quotation annotation
+@i{The following legend appears once in every report at the top of the
+"Incidents" section}
+@end quotation
+
+@verbatim
+     # legend for connection type #
+                  ------------------------------
+         C Connection Status
+           # number corresponds to alarm triggered by the connection
+           * successful connection, otherwise unsuccessful.
+         I Initiatator of Connection
+           > connection initiated by remote host
+           < connection initiated by local host
+------------------------------------------------------------------------
+Incident      ORG_NAME-000004524
+--------------------------------
+@end verbatim
+
+@quotation annotation
+@i{The host domain name "org_name.org" will normally be replaced by the
+local domain name.  The IP addresses in this example have been
+synthesized from an imaginary range outside of the octal range.  (We
+realize these ip addresses cannot exist).  In this example the ip ranges
+124.333.0.0/24 and 132.257.0.0/24 are considered the local subnets.}
+@end quotation
+
+@verbatim
+Remote Host: 84.136.338.21   p54877614.dip.hacker.net
+ Local Host: 124.333.183.162 pooroljoe.dhcp.org_name.org
+@end verbatim
+
+@quotation annotation
+@i{This attacker was successful in using an SQL attack and then
+downloaded a "tool" using TFTP.  Both of these were detected and created
+the following alarms.}
+@end quotation
+
+@verbatim
+Alarm: SensitiveSignature
+  1    bro-687-5: MS-SQL xp_cmdshell - program execution
+       7/29 12:43:31                  84.136.338.21 -> 124.333.183.62
+                                            566/tcp -> 1433/tcp
+       signature code:
+       signature bro-687-5 {
+         ip-proto == tcp
+         dst-port == 1433
+         event "MS-SQL xp_cmdshell - program execution"
+         tcp-state established,originator
+         payload /.*[xX]\x00[pP]\x00_\x00[cC]\x00[mM]\x00[dD]\x00[sS]
+         \x00[hH]\x00[eE]\x00[lL]\x00[lL]\x00/
+       }
+       payload: xp_cmdshell 'echo.> c:\\temp\\bcp.cmd'
+
+Alarm: SensitiveSignature
+  2    bro-1444-3: TFTP Get
+       7/29 12:43:31                  84.136.338.21 -> 124.333.183.62
+                                           2318/upd -> 69/udp
+       signature code:
+       signature bro-1444-3 {
+           ip-proto == udp
+           dst-port == 69
+           event "TFTP Get"
+           payload /\x00\x01/
+           }
+       payload: Runtime.exe
+@end verbatim
+
+@quotation annotation
+@i{Looking at the "C" column below, the alarms are signified by "1" and
+"2", both occuring at 12:43:31.  Since the attacks take place within one
+second, this is probably an automated attack.  The remote host continues
+to connect to the victim host, using a different port each time to avoid
+detection.  The large transfers from the local host to the remote host,
+subsequent to the alarmed attacks, signifies that the attack is probably
+successful.}
+@end quotation
+
+@verbatim
+Connections (only first 25 after first alarm are listed)
+-----------
+                 time     byte   remote        local   byte
+ date   time   duration transfer  port  C   I   port transfer  protocol
+----- -------- -------- -------- ------ ------ ----- -------- ----------
+07/29 12:43:31        ?     566 b  4634 1   >  1433      467 b tcp/MSSQL
+07/29 12:43:31        0         ?  2318 2  <     69       20 b udp/tftp
+07/29 12:43:32    265.7       4 b  4638 *  <   2318      3.0kb udp
+07/29 12:48:56        ?         ?  4640     >  2362          ? tcp
+07/29 12:50:05        ?    11.4kb  4639 *  <   3333      8.6kb tcp
+07/29 12:53:00        0         ?  4684 *   >  2362          ? tcp
+07/29 12:53:07        ?         ?  4685 *   >  2362          ? tcp
+07/29 12:53:59        ?         ?  4689 *   >  2362          ? tcp
+07/29 12:54:14      6.1         0  4693 *  <   2380     94.2kb tcp
+07/29 12:54:21       .5      50 b  4694     >  2381          0 tcp
+07/29 12:54:23       .7         ?  4695    <   2382          0 tcp
+07/29 12:54:25       .5      51 b  4696 *   >  2383          0 tcp
+07/29 12:54:27       .5      61 b  4697 *   >  2384          0 tcp
+07/29 12:54:28       .7      39 b  4698     >  2385          0 tcp
+07/29 12:54:31       .5      41 b  4699 *   >  2386          0 tcp
+07/29 12:54:33      1.2    4.9 kb  4700     >  2387          0 tcp
+07/29 12:54:35     12.8  195.0 kb  4701 *  <   2388          0 tcp
+07/29 12:54:53       .2         ?  4703    <   2390          0 tcp
+07/29 12:54:54       .5      37 b  4704     >  2391          0 tcp
+07/29 12:54:56      3.4      23 b  4705 *   >  2392          0 tcp
+07/29 12:55:04     21.4  308.7 kb  4706     >  2393          0 tcp
+07/29 12:55:27     50.7         ?  4707     >  2394          ? tcp
+07/29 12:59:23        ?         ?  4775     >  1433          ? tcp
+07/29 12:59:25        ?         ?  4774 *   >  3333          ? tcp
+@end verbatim
+
+@quotation annotation
+@i{The next Incident demonstrates alarms triggered by embedded rules,
+rather than signatures.}
+@end quotation
+
+@verbatim
+------------------------------------------------------------------------
+Incident      ORG_NAME-000004525
+--------------------------------
+Remote Host:  80.143.378.186     p508FB2BA.dip.t-dialin.net
+ Local Host:  128.333.181.191      lemonade.lbl.gov
+@end verbatim
+
+@quotation annotation
+@i{Since these alarms are triggered in the HTTP protocol, the actual
+trigger rules are found in the file} @file{bro/policy/http.bro}.
+@end quotation
+
+@verbatim
+Alarm: HTTP_SensitiveURI
+       11/13 11:36:05                80.143.378.186 -> 128.333.181.191
+                                           1560/tcp -> 80/tcp
+       session: %4672
+       payload: GET http://cn.edit.vip.cnb.yahoo.com/config/login?.redir
+                _from=PROFILES
+
+Alarm: HTTP_SensitiveURI
+       11/13 11:53:54                80.143.378.186 -> 128.333.181.191
+                                           2434/tcp -> 80/tcp
+       session:%7386
+       payload: GET http://l10.login.scd.yahoo.com/config/login?.redir_f
+                rom=PROFILES?&
+@end verbatim
+
+@quotation annotation
+@i{In the connections shown below, all connections are from the remote
+host to the local host, with no successful connections back.  Also the
+payload above is seeking yahoo.com.  Hence the likelihood is that this
+is not an attack.}
+@end quotation
+
+@verbatim
+Connections (only first 25 after alarm are listed)
+-----------
+                 time     byte   remote        local   byte
+ date   time   duration transfer  port  C   I   port transfer  protocol
+----- -------- -------- -------- ------ ------ ----- -------- ----------
+11/13 11:36:05 1.109227      297   1560 *    >    80     1531       http
+11/13 11:36:06        ?        ?   1560      >    80        ?       http
+11/13 11:41:51 0.843209      301   3175 *    >    80     1533       http
+11/13 11:41:52        ?        ?   3175      >    80        ?       http
+11/13 11:47:37 2.562365      281   4701 *    >    80     1382       http
+11/13 11:47:39        ?        ?   4701      >    80        ?       http
+11/13 11:53:53 0.694131      293   2434 *    >    80     1529       http
+11/13 11:53:54        ?        ?   2434      >    80        ?       http
+11/13 11:59:23 0.685181      301   3975 *    >    80     1529       http
+11/13 11:59:23        ?        ?   3975      >    80        ?       http
+11/13 12:04:53 1.054925      289   1700 *    >    80     1527       http
+11/13 12:04:54        ?        ?   1700      >    80        ?       http
+11/13 12:11:56 2.579652      283   3442 *    >    80     1523       http
+11/13 12:11:59        ?        ?   3442      >    80        ?       http
+11/13 12:18:08 1.046188      289   1083 *    >    80     1531       http
+11/13 13:14:42        ?        ?   3282      >    80        ?       http
+11/13 13:16:46        ?        ?   4802      >    80        ?       http
+11/13 13:19:04 1.731771        0   2764 *    >    80        0       http
+11/13 13:19:07        ?        ?   2764      >    80        ?       http
+11/13 13:20:42 0.994114      289   4142 *    >    80     1527       http
+11/13 13:20:43        ?        ?   4142      >    80        ?       http
+11/13 13:22:37 1.122448      292   1732 *    >    80     1523       http
+11/13 13:22:38        ?        ?   1732      >    80        ?       http
+11/13 13:24:40 1.042112      289   3179 *    >    80     1531       http
+11/13 13:24:41        ?        ?   3179      >    80        ?       http
+
+
+========================================================================
+Scans (only first 100 shown)
+========================================================================
+@end verbatim
+
+@quotation annotation
+@i{The scans show below are considered "successful".  Four interesting
+scans shown below are the ones originating from the 124.333 and 132.257
+domains, since they are local domains.  These should be investigated.
+The attack against 132.257.85.96 might also be investigated further.
+With each report, a review of the attacks will give an understanding of
+what types of scans are becoming "popular".}
+@end quotation
+
+@verbatim
+Scanning IP      Victim IP       Attack
+132.257.70.234   multiple        bro-1344-5
+132.257.52.64    multiple        bro-1367-5
+63.251.3.51      multiple        bro-2570-6
+124.333.181.191  multiple        bro-1599-7
+210.313.36.53    132.257.85.96   >1000 port scan
+211.300.24.151   132.257.85.96   >1000 port scan
+124.333.95.0     62.214.34.30    >250 port scan
+172.278.206.135  multiple       (3128/tcp)
+
+========================================================================
+Connection Log Summary
+========================================================================
+@end verbatim
+
+@quotation annotation
+@i{The connection log summary gives a general idea of what hosts are
+most active.  The analyst may want to become familiar with any new hosts
+that appear on the next three lists and services that appear or
+radically change position on the fourth list}
+@end quotation
+
+@verbatim
+Site-wide connection statistics
+    Successful:   4498748
+    Unsuccessful: 35941140
+    Ratio: 1:7.989
+
+Top 20 Sources
+                Host                      IP         Bytes   Conn. Count
+  --------------------------------  ---------------  ------  -----------
+                  ns1.org_name.org  124.333.34.186    3.7 G       683948
+                  ns2.org_name.org  132.257.64.2      165 M       231245
+             lemonade.org_name.org  124.333.181.191    88 M       217781
+                  nsx.org_name.org  132.257.64.3      371 M       200935
+               cinnamon.mining.com  207.5.380.138     4.5 M       103011
+       node2.lbnl.nodes.planet.org  198.328.56.12     106 M        75725
+       node1.lbnl.nodes.planet.org  198.328.56.11      85 M        73719
+      microscope.dhcp.org_name.org  132.257.19.79      61 M        54024
+                                    169.299.224.1     2.3 M        40348
+                uhuru.org_name.org  132.257.10.97     423 M        39847
+                                    132.257.77.246     13 M        29496
+            googledev.org_name.org  124.333.41.57      13 M        24930
+                                    64.46.248.43       60 M        19785
+  ...16-141.sfo4.dsl.contactor.net  66.292.16.141     6.2 M        19048
+                      rock.es.net  198.128.2.83      2.8 G        18459
+             perry.Geo.college.EDU  124.32.349.11     1.7 M        17326
+               google.org_name.org  124.333.41.70     8.5 M        15508
+             egspd42212.search.com  65.264.38.212     3.1 M        15138
+       hmb-330-042.MSE.college.EDU  124.32.349.20     222 M        14865
+          1rodan.dhcp.org_name.org  132.257.19.170    7.7 M        11873
+
+Top 20 Destinations
+                Host                      IP         Bytes   Conn. Count
+  --------------------------------  ---------------  ------  -----------
+                  nsx.org_name.org  132.257.64.3       14 G      1571638
+                  ns1.org_name.org  124.333.34.186    1.6 G       264976
+                  ns2.org_name.org  132.257.64.2       80 M       218740
+             lemonade.org_name.org  124.333.181.191   2.6 G       176788
+                 CS.university.EDU  128.312.136.10     10 M        81622
+                 g.old-servers.net  192.42.293.30      11 G        71407
+          engram.CS.university.EDU  128.312.136.12    7.5 M        61309
+               aulvs.realthing.com  207.288.24.156    792 M        50493
+                   ns1.college.EDU  124.32.349.9      995 M        39977
+                  rohan.superc.gov  128.550.6.34      4.7 G        32883
+            sportsmed.starship.com  199.281.132.79     17 M        32152
+                      ns2.yoho.com  66.263.169.170    2.1 G        24361
+                uhuru.org_name.org  132.257.10.97      58 M        19785
+                      g3.NSDDD.COM  192.342.93.32     488 M        19734
+                   w4.org_name.org  124.333.7.51      447 M        19334
+                 E.TOP-SERVERS.NET  192.303.230.10    195 M        19066
+               mantis.org_name.org  124.333.7.39      395 M        18811
+              postala.org_name.org  124.333.41.61     8.0 M        17283
+                vista.org_name.org  132.257.48.146    488 M        15961
+               calmail.college.EDU  128.32.349.103     73 M        15154
+
+Top 20 Local Email Senders
+                  Hostname                        IP          Conn.
+Count
+  ----------------------------------------  ---------------  -----------
+                         mta1.org_name.org  124.333.41.24           3869
+                      postala.org_name.org  124.333.41.61           2850
+                           ci.org_name.org  132.257.192.220          868
+                      postal2.org_name.org  132.257.248.26           376
+                           ee.org_name.org  132.257.1.10             173
+                         math.org_name.org  124.333.7.22             131
+                         rod2.org_name.org  132.257.112.183          121
+                         gigo.org_name.org  124.333.2.54             110
+                          mh1.org_name.org  124.333.7.48              82
+                          stm.org_name.org  132.257.16.51             81
+
+Top 20 Services
+  Service        Conn. Count  % of Total   Bytes In  Bytes Out
+  ------------  ------------  ----------  ---------  ---------
+  dns                3378522       75.10       30 G       11 G
+  http                902573       20.06       18 G       11 G
+  other                92913        2.07       14 G      249 G
+  smtp                 35942        0.80      458 M      196 M
+  https                33848        0.75      2.3 G      179 M
+  ssh                  25515        0.57      977 M      1.0 G
+  netbios-ssn          11004        0.24       65 M      9.5 M
+  pop-3                 5494        0.12       58 M      3.6 M
+  ftp-data              4495        0.10       37 G       34 G
+  ldap                  3549        0.08      740 K      2.0 M
+  ftp                   1061        0.02      1.3 M      873 K
+  ident                  970        0.02      29602       9039
+  printer                834        0.02        837       9176
+  time                   645        0.01       2416        166
+  imap4                  636        0.01       28 M       47 M
+  nntp                   308        0.01      355 M      1.5 M
+  pm_getport             238        0.01      13328       6664
+  telnet                 164        0.00      469 K       7850
+  ntp                     26        0.00       1344       1392
+  X11                      6        0.00      652 K      64280
+========================================================================
+Byte Transfer Pairs
+========================================================================
+@end verbatim
+
+@quotation annotation
+@i{Once again, this summary gives a general idea of what hosts are most
+active.  Radical changes to this list may indicate malicious activity.}
+@end quotation
+
+@verbatim
+Hot Report - Top 20
+                                    Local      Remote     Conn.
+  Local Host       Remote Host      Bytes      Bytes      Count
+---------------  ---------------  ---------  ---------  ---------
+124.333.28.60    128.265.128.131      123 G     5327 K  3930
+124.333.28.60    128.265.128.132      123 G     5159 K  3927
+132.257.64.3     198.328.2.83        2855 M     11.9 G  15097
+124.333.34.186   192.342.93.30       2958 M     10.7 G  40033
+132.257.64.3     61.283.32.172       7469 M      10393  11
+124.333.41.57    128.256.6.34        12.0 M     4490 M  22360
+124.333.181.191  81.257.197.163      1350 M     4430 M  3341
+132.257.64.3     130.262.101.6        276 M     2200 M  13064
+124.333.34.186   66.263.169.170       389 M     2095 M  17919
+132.257.195.68   140.267.28.48       91.3 M     2029 M  6275
+132.257.212.232  151.293.199.65       39155     1994 M  24
+124.333.41.61    206.290.82.18         3401     1853 M  22
+132.257.64.3     61.278.72.30        1798 M          7  1
+124.333.181.191  61.263.209.246      16.8 M     1676 M  113
+132.257.64.3     261.232.163.3       1544 M      24069  9
+132.257.64.3     61.273.210.110      1517 M       4140  7
+124.333.34.186   128.342.121.70      1351 M      222 M  14861
+132.257.64.3     258.14.200.58       1350 M      24075  14
+132.257.64.3     222.330.100.28      1219 M       4077  7
+132.257.64.3     210.261.41.131      1162 M         25  3
+@end verbatim
+
+
+@comment ********************************************
+@comment node Creating your own Custom Output
+@comment section Creating your own Custom Output
+
diff --git a/doc/user-manual/Bro-overview.texi b/doc/user-manual/Bro-overview.texi
new file mode 100644
index 0000000000..e3353b1a58
--- /dev/null
+++ b/doc/user-manual/Bro-overview.texi
@@ -0,0 +1,143 @@
+
+@menu
+* What is Bro? ::
+* Bro features and benefits ::
+* Getting more Information ::
+@end menu
+
+@node What is Bro?
+@section What is Bro?
+@cindex Network Intrusion Detection System
+
+Bro is a Unix-based Network Intrusion Detection System (IDS).  Bro monitors network traffic and detects intrusion attempts based on the traffic 
+characteristics and content.  Bro detects intrusions by passing network traffic through rules describing events that are deemed troublesome.  These rules 
+might describe activities (e.g., certain hosts connecting to certain services), what activities are worth alarming (e.g., attempts to a given number of different hosts constitutes 
+a "scan"), or signatures describing known attacks or access to known vulnerabilities.  If Bro detects something of interest, it can be instructed to either issue a log entry or initiate the execution of an operating system command (such as sending email, or creating a router entry to block an address).
+
+Bro targets high-speed (Gbit/second), high-volume intrusion detection. By judiciously leveraging packet filtering techniques, 
+Bro is able to achieve the performance necessary to do so while running on commercially 
+available PC hardware, and thus can serve as a cost effective means of monitoring a site's Internet connection.
+
+
+@node Bro features and benefits
+@section Bro features and benefits
+
+@itemize
+@item @strong{Network Based}
+@quotation
+Bro is a network-based IDS.  It collects, filters, and analyzes traffic that passes through a specific
+network location.  A single Bro monitor, strategically placed at a key network junction, can be
+used to monitor all incoming and outgoing traffic for the entire site.  Bro does not use or
+require installation of client software on each individual, networked computer.
+@end quotation
+
+@item @strong{Custom Scripting Language}
+@quotation
+Bro policy scripts are programs written in the Bro language.  They contain the "rules" that
+describe what sorts of activities are deemed troublesome.  They analyze the network activity and
+initiate actions based on the analysis.  Although the Bro language takes some time and effort to
+learn, once mastered, the Bro user can write or modify Bro policies to detect and notify or alarm on virtually
+any type of network activity.
+@end quotation
+
+@item @strong{Pre-written Policy Scripts}
+@quotation
+Bro comes with a rich set of policy scripts designed to detect the most common Internet attacks
+while limiting the number of false positives, i.e., alarms that confuse uninteresting activity with the
+important attack activity.  These supplied policy scripts will run "out of the box" and do not
+require knowledge of the Bro language or policy script mechanics.
+@end quotation
+
+@item @strong{Powerful Signature Matching Facility}
+@quotation
+Bro policies incorporate a signature matching facility that looks for specific traffic content.  For
+Bro, these signatures are expressed as regular expressions, rather than fixed strings.  Bro adds a
+great deal of power to its signature-matching capability because of its rich language.  This allows
+Bro to not only examine the network content, but to understand the context of the signature,
+greatly reducing the number of false positives.  Bro comes with a set of high-value signatures,
+selected for their high detection and low false positive characteristics,
+as well as policy scripts that perform more detailed analysis.
+@end quotation
+
+@item @strong{Network Traffic Analysis}
+@quotation
+Bro not only looks for signatures, but also analyzes network protocols, connections,
+transactions, data volumes, and many other network characteristics.  It has powerful facilities for
+storing information about past activity and incorporating it into analyses of new activity.
+@end quotation
+
+@item @strong{Detection Followed by Action}
+@quotation
+Bro policy scripts can generate output files recording the activity seen on the network (including
+normal, non-attack activity).  They can also send alarms to event logs, including the
+operating system @emph{syslog} facility.  In addition, scripts can execute programs, which can, in turn,
+send e-mail messages, page the on-call staff, automatically terminate existing connections, or, with
+appropriate additional software, insert access control blocks into a router's access control list.
+With Bro's ability to execute programs at the operating system level, the actions that Bro can
+initiate are only limited by the computer and network capabilities that support Bro.
+@end quotation
+
+@item @strong{@uref{http://www.snort.org/,Snort} Compatibility Support}
+@cindex Snort
+@quotation
+The Bro distribution includes a tool, snort2bro, which converts Snort signatures into Bro
+signatures.  Along with translating the format of the signatures, snort2bro also incorporates a large
+number of enhancements to the standard set of Snort signatures to take advantage of Bro's
+additional contextual power and reduce false positives.
+@end quotation
+
+
+@end itemize
+
+@node Getting more Information 
+@section Getting more Information 
+
+@itemize
+@item @strong{Reference manual}
+@quotation
+An extensive @uref{http://www.bro-ids.org/manuals.html,reference manual} is provided detailing the Bro Policy Language
+@end quotation
+
+@item @strong{FAQ}
+@cindex FAQ
+@quotation
+Several Frequently Asked Questions are outlined in the @uref{http://www.bro-ids.org/FAQ.html,Bro FAQ}.  
+If you have a question not already covered
+in the FAQ, send it to us and we'll add it.
+@end quotation
+
+@item @strong{E-mail list}
+@cindex Email list
+@quotation
+Send questions on any Bro subject to bro@@bro-ids.org
+The list is frequented by all of the Bro developers.
+
+You can subscribe by going to the website: 
+@* @uref{http://mailman.icsi.berkeley.edu/mailman/listinfo/bro},
+@*
+or by placing the following command in either the subject or the body of a message addressed to
+bro-request@@icsi.berkeley.edu.
+
+@example
+subscribe [password] [digest-option] [address=<address>]
+@end example
+
+A password must be given to
+unsubscribe or change your options.  Once subscribed to the
+list, you'll be reminded of your password periodically.
+The "digest-option" may be either: "nodigest" or "digest" (no
+quotes!).  If you wish to subscribe an address other than the
+address you use to send this request from, you may specify
+"address=<email address>" (no brackets around the email
+address, no quotes!)
+
+@end quotation
+
+@item @strong{Website}
+@quotation
+The official Bro website is located at:
+@uref{http://www.bro-ids.org}.
+It contains all of the above documentation and more.
+@end quotation
+
+@end itemize
diff --git a/doc/user-manual/Bro-production.texi b/doc/user-manual/Bro-production.texi
new file mode 100644
index 0000000000..87e154abcc
--- /dev/null
+++ b/doc/user-manual/Bro-production.texi
@@ -0,0 +1,26 @@
+
+@menu
+* Compiling Bro::
+* Starting Bro::
+* Disk space considerations::
+* Router/firewall ACL space considerations::
+* Other maintenance considerations::
+@end menu
+
+@node Compiling Bro
+@section Compiling Bro
+
+@node Running Bro
+@section Running Bro
+
+@node Disk space considerations
+@section Disk space considerations
+
+@node Router/firewall ACL space considerations
+@section Router/firewall ACL space considerations
+
+@node Other maintenance considerations
+@section Other maintenance considerations
+
+
+
diff --git a/doc/user-manual/Bro-requirements.texi b/doc/user-manual/Bro-requirements.texi
new file mode 100644
index 0000000000..2f205c4269
--- /dev/null
+++ b/doc/user-manual/Bro-requirements.texi
@@ -0,0 +1,93 @@
+
+
+@menu
+* Network Tap ::
+* Hardware and Software Requirements ::
+@end menu
+
+
+@node Network Tap
+@section Network Tap
+@cindex network tap
+
+Bro requires
+a network tap to give it access to live network traffic. 
+The tap needs to be full-speed for the link being monitored and must provide
+copies of both directions of the link, or you need to two taps, one in
+each direction.
+
+Normally the network tap for Bro should be placed behind an external firewall and on the DMZ 
+(the portion of the network under the control of the organization but outside of the internal firewall), 
+as shown in the figure below. Some organizations might prefer to install the network tap outside 
+the firewall in order to detect all scans or attacks.  Placing Bro outside the firewall will allow
+the organization to better understand attacks, but will produce a more notifications and alarms. Another option is to place Bro inside the internal firewall, allowing it to detect internal hosts with viruses or worms.
+In addition to the connection to the network tap, a separate network connection is recommended 
+for management of Bro and access to log files.
+
+For more information on taps and tap placement see the Netoptics White paper titled @emph{Deploying Network Taps with Intrusion Detection Systems} (@uref{http://www.netoptics.com/products/pdf/Taps-and-IDSs.pdf}).
+
+@float Figure, tap location
+@image{bro-deployment,6.3in}
+@caption{Typical location for network tap and Bro system}
+@end float
+
+@node Hardware and Software Requirements
+@section Hardware and Software Requirements
+
+Bro requires no custom hardware, and runs on low-cost commodity PC-style systems.
+However, the Bro monitoring host must examine every packet into and out of 
+your site, so depending on your site's network traffic, you may need a fairly high-end machine.
+If you are trying to monitor a link with a large number of connections, we recommend using
+a second system for report generation, and run only Bro on the packet-capture host.
+
+@quotation
+@multitable  @columnfractions .25 .75
+@comment only work with texiinfo 4.7 or higher: @headitem Item @tab Requirements
+@item @strong{Item} @tab @strong{Requirements}
+
+@item @strong{Processor}
+@tab Note: these are @strong{rough} estimates. Much depends on the
+number of connections/second, the types of
+traffic on your network (e.g., HTTP, FTP, email, etc.), and you can trade
+off depth of analysis (especially, which protocols are analyzed) for processing
+load.  (See the Performance chapter of the Bro User Guide for more information.)
+@* 1 GHz CPU for 100 Mbps monitoring with average packet rate <= 5,000 packets/second
+@* 2 GHz CPU for 1 Gbps monitoring with <= 10,000 packets/second
+@* 3 GHz CPU for 1 Gbps monitoring with <= 20,000 packets/second
+@* 4 GHz CPU for 1 Gbps monitoring with <= 50,000 packets/second
+
+@item @strong{Operating System}
+@tab Recommended: FreeBSD (@uref{http://www.freebsd.org/}).  Bro works with
+many Unix systems, including Linux and Solaris, but has been primarily tuned
+for FreeBSD. We currently recommend using FreeBSD version 4.10 for Bro.
+If your site has a large number of packets or connections per second you should
+look at the section on @ref{Hardware and OS Tuning}.
+FreeBSD 5.x should work, but is not quite as fast as 4.10. 
+For sites with very high traffic loads and capturing traffic on 
+ two interfaces, contact us for a FreeBSD 4.x kernel patch 
+to do @emph{BPF bonding}, which allows merging the two directions of a
+network link into a single interface as seen by Bro.  While Bro can instead
+merge the two interfaces at user-level, this costs some performance.
+
+@item @strong{Memory}
+@tab 512 MB suffices for small networks (say 200 hosts connected via a
+100 Mbps link).  For larger networks, 1 GB RAM will be required, with
+2-3 GB is recommended.
+
+@item @strong{Hard disk}
+@tab 10 GB minimum, 50 GB or more for log files recommended.
+
+@item @strong{User privileges}
+@tab @emph{superuser} to install Bro, with Bro then running as user @emph{bro}.
+
+@item @strong{Network Interfaces}
+@tab 3 interfaces are recommended: 2 for packet capture (1 for each direction), and 1 for host management. Capture interfaces should be identical.  For some network taps, both directions of the link are captured using the same interface, and the separate host management interface, while prudent, is not required.
+
+@item @strong{Other Software}
+@tab - Perl version 5.6 or higher (@uref{http://www.perl.org}) (for report generation)
+@* - libpcap version 0.7.2 or higher (@uref{http://www.tcpdump.org}) 
+@*      Note: Some version of FreeBSD come with older versions of libpcap. Bro
+recommends newer versions of these tools for performance reasons.
+
+@end multitable
+@end quotation
diff --git a/doc/user-manual/Bro-running.texi b/doc/user-manual/Bro-running.texi
new file mode 100644
index 0000000000..10e08762c9
--- /dev/null
+++ b/doc/user-manual/Bro-running.texi
@@ -0,0 +1,147 @@
+
+@menu
+* Starting Bro Daemon::
+* Running Bro from the command line::
+* Bro Cron Scripts ::
+@end menu
+
+@c *********************************************************************
+@node Starting Bro Daemon
+@section Starting Bro Daemon
+@cindex starting Bro daemon
+@cindex bro.rc
+
+Bro is automatically started at boot time via the @command{bro.rc} 
+script (located in @file{$BROHOME/etc} and @file{/usr/local/etc/rc.d} on 
+FreeBSD, or @file{/etc/init.d} on Linux).
+
+To run this script by hand, type:
+@example
+bro.rc start
+@end example
+or
+@example
+bro.rc checkpoint
+@end example
+or 
+@example
+bro.rc stop
+@end example
+
+Use @code{checkpoint} to restart a running Bro, loading a new policy file.
+
+
+Note that under Linux, Bro must be run as the 'root' user. 
+Linux must have root privilages to capture packets.
+
+@c *********************************************************************
+
+@node Running Bro from the command line
+@section  Running Bro from the command line
+@cindex  Running Bro from the command line
+
+If you use @code{bash} for your shell, you do something like this
+to start Bro by hand:
+
+@example
+cd /usr/local/bro
+. etc/bro.cfg
+./bro -i eth1 -i eth2 myhost.mysite.org.bro
+@end example
+
+The '. etc/bro.cfg' should set your $BROHOME and $BROPATH
+correctly to find all of the needed the files.
+
+Files are loaded is the following order: Bro is invoked with a start
+file (in the above myhost.mysite.org.bro). In that file (which is
+in $BROHOME/site)  there should be a couple of lines like this at
+the top:
+
+@verbatim
+---------------- myhost.mysite.org.bro ----------------------------
+@prefixes = local
+@load site      # file generated by the network script for dynamic config
+                   # of the local network subnets.
+
+# Make any changes to policy starting here
+....
+-------------- end  --------------------------------------
+@end verbatim
+
+The '@@load site' will load the local.site.bro file from $BROHOME/site.
+If you are making changes, you should make them in 'myhost.mysite.bro'
+file.
+
+Bro can also be run on @code{tcpdump -w} files instead of on live traffic.
+To do this, you must set a @code{BROPATH} enviroment variable to point
+at your set of policy scripts. For example (in csh):
+
+@example
+setenv BROHOME /usr/local/bro
+setenv BROPATH $BROHOME/site:$BROHOME/policy
+bro -r dumpfile brohost
+@end example
+
+More information on Bro run-time flags and environment variables
+is available in the 
+@uref{http://www.bro-ids.org/Bro-reference-manual/Bro-flags-and-run_002dtime-environment.html,
+Reference Manual}.
+
+@c *********************************************************************
+@node Bro Cron Scripts
+@section Bro Cron Scripts
+@cindex bro_generate_report
+@cindex bro_log_compress
+@cindex check_disk
+@cindex managing disk space
+
+Installing @emph{brolite} automatically creates the 
+following @command{cron} jobs, 
+which are run on at the specified intervals.
+
+@itemize
+@item @command{site-report.pl}: generates a text report of all alarms 
+and notifications
+@item @command{mail_reports.sh}:emails the reports generated 
+by @command{site-report.pl}
+to the list of addresses specified in the file @code{$BROHOME/etc/bro.cfg}
+@end itemize
+
+These scripts can also all be run by hand at any time. Be sure your
+$BROHOME environment variable is set first.
+
+As Bro log files can get large quickly, it is important to ensure that 
+the Bro disk does not fill up. Bro includes some simple scripts to help 
+manage disk  space. Most sites will want to customize these for their 
+own requirements, and integrate them into their backup system to make 
+sure files are not removed before they are archived.
+
+@itemize
+@item @command{check_disk.sh}: send email if disk space is too low
+@item @command{bro_log_compress.sh}: remove/compress old log files 
+@end itemize
+
+These scripts can be customized by editing their settings in 
+@code{$BROHOME/etc/bro.cfg}.
+The settings are as follows:
+@itemize
+@item @command{check_disk.sh}: 
+@itemize
+@item @command{diskspace_pct}: when disk is >= this percent full, send 
+email (default = 85%)
+@item @command{diskspace_watcher}: list of email addresses to send mail 
+to
+@end itemize
+@end itemize
+
+@itemize
+@item @command{bro_log_compress.sh}: 
+@itemize
+@item @command{Days2deletion}: remove files more than this many days old 
+(default = 60)
+@item @command{Days2compression}: compress files more than this many 
+days 
+old (default = 30)
+@end itemize
+@end itemize
+
diff --git a/doc/user-manual/Bro-setup.texi b/doc/user-manual/Bro-setup.texi
new file mode 100644
index 0000000000..a8816fec61
--- /dev/null
+++ b/doc/user-manual/Bro-setup.texi
@@ -0,0 +1,40 @@
+@menu
+* Bro Environment Variables::
+* Required files/directories::
+* System Configuration and Security of Bro Boxes::
+* Configuring syslog::
+* Placing Bro Boxes on the Network::
+* Filtering Traffic::
+* Selecting Analyzers::
+* Tuning Bro Policy Scripts/event Handlers::
+* Setting up Reports and Special Notifications::
+@end menu
+
+@node Bro Environment Variables
+@section Bro Environment Variables
+
+@node Required files/directories
+@section Required files/directories
+
+@node System Configuration and Security of Bro Boxes
+@section System Configuration and Security of Bro Boxes
+
+@node Configuring syslog
+@section Configuring @emph{syslog}
+
+@node Placing Bro Boxes on the Network
+@section Placing Bro Boxes on the Network
+
+@node Filtering Traffic
+@section Filtering Traffic
+
+@node Selecting Analyzers
+@section Selecting Analyzers
+
+@node Tuning Bro Policy Scripts/event Handlers
+@section Tuning Bro Policy Scripts/event Handlers
+
+@node Setting up Reports and Special Notifications
+@section Setting up Reports and Special Notifications
+
+
diff --git a/doc/user-manual/Bro-signatures.texi b/doc/user-manual/Bro-signatures.texi
new file mode 100644
index 0000000000..085aa39eda
--- /dev/null
+++ b/doc/user-manual/Bro-signatures.texi
@@ -0,0 +1,143 @@
+
+@emph{NOTE: Bro Signatures mechanism is still under development}
+
+Signatures in Bro are quite different than standard packet matching signatures such as those used in
+@uref{http://www.snort.org', Snort}. A Bro signature, or @emph{Rule}, is a @emph{contextual signature}
+that can include connection-level information. Hence Bro signatures generate @strong{far} fewer
+false positives.
+
+However, Bro's contextual signatures are fairly CPU and memory intensive,
+and still generate more false positives than we'd like,
+so for now they are turned off by default. See the next section for information on how to turn them on.
+
+For example, an packet-level signature of a HTTP attack only looks at the attack packet, where
+the Bro contextual signature also looks for the HTTP reply, and only generates an alarm if the attack was 
+successful.
+
+In this section we explain how to customize signatures for your site,
+and how to import new signatures from Snort and bro-ids.org. More
+information on the details of Bro signatures are in
+@uref{http://www.bro-ids.org/Bro-reference-manual/Signature-language.html, the
+signature section of the reference manual}.
+
+The following files are used to control and customize Bro signatures.
+
+@itemize
+@item @code{$BROHOME/site/signatures.sig}: Bro version of snort signatures
+@item @code{$BROHOME/policy/sig-addendum.sig}: Bro supplied signatures
+@item @code{$BROHOME/policy/sig-action.bro}: policy file to control signature notification type
+@end itemize
+
+Files in @code{$BROHOME/policy} contain the default Bro signatures, and should not be edited.
+Files in @code{$BROHOME/site} contain files you will use to customize signatures for your site.
+New signatures that you write go here too. All files ending in @code{.sig} in this directory
+will be loaded into the signature engine. In fact, all .sig files in any
+directory in @code{$BROPATH} (set in @code{$BROHOME/etc/bro.cfg}) will be loaded.
+
+@menu
+* Turning Signatures ON/OFF ::
+* Add a New Signature ::
+* Editing Existing Signatures ::
+* Importing Snort Signatures ::
+* Checking for new Signatures from bro-ids.org ::
+@end menu
+
+
+@node Turning Signatures ON/OFF 
+@subsection Turning Signatures ON/OFF
+@cindex Turning Signatures ON/OFF
+
+Signature matching is off by default. To use a small set of
+known, high quality signatures, add the following to your site policy file:
+@smallexample
+@@load brolite-sigs
+@end smallexample
+
+To use the full set of converted snort signatures,
+add both of these lines:
+@smallexample
+@@load brolite-sigs
+redef signature_files += "signatures";
+@end smallexample
+
+If signatures are turned on, then you can control the 
+signature "action" levels through the file 
+@code{$BROHOME/site/sigaction.bro}.
+You can set the signature action to the one of the following:
+
+@verbatim
+    SIG_IGNORE          # ignore this sig. completely 
+    SIG_FILE            # write to signatures and notice files
+    SIG_ALARM           # alarm and write to notice and alarm files
+    SIG_ALARM_PER_ORIG  # alarm once per originator
+    SIG_ALARM_ONCE      # alarm once and then never again
+@end verbatim
+
+All signatures default to action = @code{SIG_ALARM}. To lower the alarm level of the signature,
+add an entry to the file @code{$BROHOME/site/sigaction.bro}.  The Bro distribution
+contains a default sigaction.bro file that lowers the level of a number of signatures from ALARM
+to FILE (notice) .
+
+To permanently remove a signature you can delete it from the @code{.sig} file.
+
+
+@node  Add a New Signature
+@subsection  Add a New Signature
+@cindex  Add a New Signature
+
+To add a new signature to a running Bro, add the signature to the file
+@code{$BROHOME/site/site.sig} (or create a new @code{.sig} file in @code{$BROHOME/site}), 
+and then restart Bro using "@code{$BROHOME/etc/bro.rc checkpoint}".
+
+A sample signature looks like this:
+
+@verbatim
+signature formmail-cve-1999-0172 {
+       ip-proto == tcp
+       dst-ip == 1.2.0.0/16
+       dst-port = 80
+       http /.*formmail.*\?.*recipient=[^&]*[;|]/
+       event "formmail shell command"
+       }
+@end verbatim
+
+For more details, see the
+@uref{http://www.bro-ids.org/Bro-reference-manual/Signature-language.html, 
+reference manual}.
+
+@node   Editing Existing Signatures
+@subsection   Editing Existing Signatures
+@cindex   Editing Existing Signatures
+
+Bro supplied signatures are in $BROHOME/sigs. You should not edit these, as they will
+get overwritten when you update Bro. Instead, make your modifications in $BROHOME/site.
+If you use the same signature ID as an existing signature, the site sig will take precedence.
+
+@node Importing Snort Signatures
+@subsection Importing Snort Signatures
+@cindex Importing Snort Signatures
+
+New snort signatures come out almost every week. To add these to Bro, do the following:
+
+(XXX section not done!)
+
+Add instructions for incorporating new sigs from Snort.
+
+@node Checking for new Signatures from bro-ids.org
+@subsection Checking for new Signatures from bro-ids.org
+@cindex download new Signatures 
+
+note: this functionality is currently under development, and does
+not yet exist
+
+The Bro team will be constantly updating our set of default signatures and posting
+them on the Bro web site. To download the latest signatures and incorporate
+them into your Bro setup, run the script:
+@example
+$BROHOME/scripts/update-sigs
+@end example
+This script uses the @code{wget} command to download the latest signatures 
+and puts them into
+the required Bro files, and then restarts Bro to load the new signatures..
+
+
diff --git a/doc/user-manual/Bro-software.texi b/doc/user-manual/Bro-software.texi
new file mode 100644
index 0000000000..d15a57b30a
--- /dev/null
+++ b/doc/user-manual/Bro-software.texi
@@ -0,0 +1,71 @@
+
+@menu
+* OS platform(s) to use::
+* Required software::
+* Optional software::
+@end menu
+
+@node OS platform(s) to use
+@section OS platform(s) to use
+@cindex OS issues
+
+Bro will run on a variety of UNIX flavors such as FreeBSD, NetBSD, and Solaris, and will also
+run on Linux. Although Bro has been ported or can readily be ported to many flavors of Unix,
+Bro currently runs best on FreeBSD for the following reasons:
+
+@itemize
+@item Most current development and system integration efforts are taking place on FreeBSD.
+@item Compiling Bro on FreeBSD is more straightforward than on any other OS.
+@item Bro performance on this platform has been extensively tested.
+@item Policy scripts have been tested more on Free BSD than on any other OS.
+@item Bro documentation (such as this User Manual) is oriented more towards FreeBSD than
+any other flavor of Unix. Discussion of startup scripts, for example, focuses on files and
+directories found in FreeBSD systems.
+@end itemize
+
+An important consideration in your choice of operating system on which Bro will run is whether
+@command{BPF}  runs in the kernel. Bro uses @command{BPF} to ignore packets that Bro does not need to inspect, thereby
+greatly increasing Bro's efficiency. The fact that @command{BPF} is not available in Solaris is a problem,
+although Solaris at least has a @command{BPF} compatibility mode that to some degree solves the problem.
+@command{BPF} is also not available in most flavors of Linux, although certain flavors of Linux such as
+RedHat run libpcap, making it possible to filter packets that are captured in a manner that will
+make Bro run efficiently.
+
+
+@node Required software
+@section Required software
+
+Additional software is necessary to support certain Bro functions. Each package or tool must be
+in the Bro user's PATH (as explained more fully in Section 4):
+
+@itemize
+@item tcpdump: This enables you to use certain rules ("filters") to determine the packets that are
+and are not captured on a network. You can obtain tcpdump from ftp://ftp.ee.lbl.gov
+
+@item libpcap: Available from ftp.ee.lbl.gov. This is the packet capture library, developed at
+LBNL.
+
+@item tcpslice: Available from ftp.ee.lbl.gov. This allows for the editing and extraction of
+heuristic-based TCP/IP traffic captured via tcpdump.
+
+@item Perl: Available from ftp.perl.org.  Perl version XX or higher is necessary for some of the scripts to run.
+
+@item BIND 8 or 9: Available from ftp.isc.org.
+It is necessary to run a caching DNS server on the Bro machine so that when Bro is
+run to prep the entries in the policies that a more consistent resolver is used. (not clear??) This can cause
+policies to not be interpreted correctly, so this is an important factor in setting up a Bro box. 
+The local DNS server is really present further for the DNS entries to persist throughout Bro's
+operation and rotation of its logs (which requires that Bro's process be checkpointed).
+
+@end itemize
+
+@node Optional software
+@section Optional software
+
+The utility called @command{ipw} is also very useful. There is a package available for FreeBSD
+from ftp.freebsd.org. This allows one to simply specify an IP address and it will
+determine who is responsible for that IP range and provide contact information for that
+person or persons. 
+
+
+
diff --git a/doc/user-manual/Bro-tuning.texi b/doc/user-manual/Bro-tuning.texi
new file mode 100644
index 0000000000..538c5fb0c3
--- /dev/null
+++ b/doc/user-manual/Bro-tuning.texi
@@ -0,0 +1,144 @@
+
+@strong{NOTE: This chapter still a rough draft and incomplete}
+
+If the link you are monitoring with Bro has
+too many connections per second, or if you have too many policy
+modules loaded, it is possible that Bro will not be able to keep
+up, and that the Bro host will drop too many packets to be able to
+perform accurate analysis.
+
+A "rule of thumb" for Bro is that if CPU usage is < 50% and memory
+use is < 70% of physical memory, than you should not have any worries.
+
+Otherwise you might want to explore the tuning options below.
+
+For sites with an extremely high load you might consider using multiple
+Bro boxes, each configured to capture and analyze different types of traffic.
+
+Note that the amount of CPU required by Bro is a function of both the number
+of connections/second and the number of packets/second. So it's possible
+that a large site (e.g., 2,000 hosts) on a slow link (e.g., 100 Mbps) would
+still have performance issues because it has a very large 
+number of connections / second. 
+
+@menu
+* Hardware and OS Tuning ::
+* Bro Policy Tuning ::
+@end menu
+
+@node Hardware  and OS Tuning
+@section Hardware  and OS Tuning
+@cindex Hardware Tuning
+@cindex OS Tuning
+
+If your CPU load > 50% or your memory footprint is > 70% of physical 
+memory, an obvious solution is to buy a faster CPU or more memory.
+
+If this is not possible, here are some other things to try.
+
+@strong{FreeBSD}
+
+First, check that your BPF buffer size is big enough. The Bro installation
+script should set this correctly for you, but to test this, do:
+@smallexample
+sysctl debug.bpf_bufsize
+sysctl debug.bpf_maxbufsize
+@end smallexample
+
+They should both be at least 4 MB.
+
+Next, if your Bro host is capturing packets on 2 interfaces and you are
+running FreeBSD, we provide a patched kernel that bonds both interfaces
+into a single interface at the BPF level. This reduces CPU load considerably.
+This patched kernel also increases the default per-process memory limits.
+
+This kernel source is available for download at:
+@smallexample
+@uref{http://www.bro-ids.org/download/FreeBSD.4.10.bro.tgz}.
+@end smallexample
+
+To install this kernel and the BPF bonding utilites, type:
+
+@smallexample
+tar xfz fbsd.4.10.bond.tgz
+cd FreeBSD-4-10-RELEASE/sys/i386/conf
+/usr/sbin/config BRO
+cd ../../compile/BRO
+make depend
+make
+make install
+
+cd FreeBSD-4-10-RELEASE/local/sbin/bpfbond/
+make
+make install
+
+reboot
+@end smallexample
+
+For more instructions on rebuilding the kernel, see:
+@uref{http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/kernelconfig.html}.
+
+
+@strong{Linux}
+
+Check that the net.core.rmem_max buffer is big enough. The Bro installation
+script should set this correctly for you, but to test this, do:
+@smallexample
+sysctl net.core.rmem_max 
+@end smallexample
+
+It should be at least 4 MB.
+
+For heavy traffic load, the Linux version of libpcap has a hard time keeping up.
+There are a couple a options available to improve Linux pcap performance.
+These include:
+
+Phil Wood's libpcap replacement: (see http://public.lanl.gov/cpw/)
+Luca Deri's patch to fix libpcap issues. (see http://luca.ntop.org/Ring.pdf)
+
+(Note that Phil Wood's version of libpcap seems to be buggy in non-blocking 
+mode. Build Bro using the --disable-selectloop option to disable non-blocking
+mode if using this version of libpcap.)
+
+
+@node  Bro Policy Tuning
+@section  Bro Policy Tuning
+@cindex  Bro Policy Tuning
+
+If the hardware and OS tuning solutions fail to bring your 
+CPU load or memory consumption under control, next you will
+have to start turning off analyzers. Signatures are particularly CPU 
+and memory intensive,
+so try turning it off or greatly reduce the number of signatures it
+is processing. The HTTP analyzers are also CPU intensive. For example,
+to turn off the HTTP reply analyzer, add the following lines at the beginning
+of the file @code{$BROHOME/site/brohost.bro}, before any @@load commands.
+
+@smallexample
+@@unload http-reply        
+@end smallexample
+
+Another solution is to modify libpcap filter for Bro. This is done
+by adding @code{restrict_filters}. For example, to only capture SYN/FIN
+packets from a large web proxy, you can do this:
+
+@verbatim
+redef restrict_filters += { ["not proxy outbound Web replies"] = 
+     "not (host bigproxy.mysite.net and
+           src port 80 and (tcp[13] & 7 == 0))" };
+@end verbatim
+
+This filter will allow you to record the number and size of the HTTP replies,
+but will not do further HTTP analysis.
+ 
+Another way to reduce the CPU load of Bro analysis is to split the work
+across two Bro hosts. An easy way to do this is to take the sum of the
+source and destination IPs, and monitor even combinations
+on one host and odd combinations on a second host.
+
+For example:
+
+@verbatim
+redef restrict_filters += { ["capture even src/dest pairs only"] = "(ip[12:4] + ip[16:4]) & 1 == 0" };
+@end verbatim
+
diff --git a/doc/user-manual/Bro-user-manual.pdf b/doc/user-manual/Bro-user-manual.pdf
new file mode 100644
index 0000000000..9e6f15a144
Binary files /dev/null and b/doc/user-manual/Bro-user-manual.pdf differ
diff --git a/doc/user-manual/Bro-user-manual.texi b/doc/user-manual/Bro-user-manual.texi
new file mode 100644
index 0000000000..6e6a8abfba
--- /dev/null
+++ b/doc/user-manual/Bro-user-manual.texi
@@ -0,0 +1,135 @@
+\input texinfo   @c -*-texinfo-*-
+@comment $Id: Bro-user-manual.texi 1224 2005-07-23 03:58:34Z tierney $
+@comment %**start of header
+@setfilename Bro-user-manual.info
+@settitle Bro User Manual
+@setcontentsaftertitlepage 
+@comment %**end of header
+
+
+@set VERSION 0.9
+@set UPDATED 12-1-2004
+
+@copying
+This the User Manual for Bro
+version @value{VERSION}.
+
+This software is copyright @copyright{} 
+1995-2004, The Regents of the University of California
+and the International Computer Science Institute.  All rights reserved.
+
+For further information about this notice, contact:
+
+Vern Paxson
+email: @email{vern@@icir.org}
+
+@end copying
+
+@dircategory Bro
+@direntry
+* Bro: Network Intrusion Detection System
+@end direntry
+
+@ifnottex
+@node Top
+@top Bro User Manual 
+@copyright{} Lawrence Berkeley National Laboratory
+@end ifnottex
+
+@titlepage
+@title Bro User Manual
+@subtitle version @value{VERSION}, @value{UPDATED}, @strong{DRAFT}
+@author Vern Paxson, Jim Rothfuss, Brian Tierney
+@author Contact: @email{vern@@icir.org}
+@author @uref{http://www.bro-ids.org/}
+@page
+@insertcopying
+@vskip 0pt plus 1filll
+@end titlepage
+
+@contents
+
+@strong{Bro User Manual}
+@menu
+* Overview of Bro::
+* Requirements ::
+* Installation and Configuration::
+* Running Bro ::
+* Bro Output::
+* Analysis of Incidents and Alarms ::
+* Customizing Bro ::
+* Intrusion Prevention Using Bro ::
+* Performance Tuning ::
+* Bulk Traces and Off-line Analysis ::
+* Bro Directory and Files ::
+* Index::   Index
+@end menu
+
+@comment ********************************************
+
+@node Overview of Bro
+@chapter Overview of Bro
+@include Bro-overview.texi
+
+@comment ********************************************
+@node Requirements 
+@chapter Requirements 
+@cindex Software requirements
+@cindex Hardware requirements
+
+@include Bro-requirements.texi
+
+@comment ********************************************
+@node Installation and Configuration 
+@chapter Installation and Configuration 
+@cindex Installation instructions 
+@include Bro-installation.texi
+@cindex Configuration instructions 
+
+@comment ********************************************
+@node Running Bro
+@chapter Running Bro
+@include Bro-running.texi
+
+@comment ********************************************
+@node Bro Output
+@chapter Bro Output
+@include Bro-output.texi
+
+@comment ********************************************
+@node Analysis of Incidents and Alarms
+@chapter Analysis of Incidents and Alarms
+@include Bro-analysis.texi
+
+@comment ********************************************
+@node Customizing Bro
+@chapter Customizing Bro
+@include Bro-customizing.texi
+
+@comment ********************************************
+@node Intrusion Prevention Using Bro
+@chapter Intrusion Prevention Using Bro
+@include Bro-intrusion-prevention.texi
+
+@comment ********************************************
+@node Performance Tuning
+@chapter Performance Tuning
+@include Bro-tuning.texi
+
+@comment ********************************************
+@node Bulk Traces and Off-line Analysis 
+@chapter Bulk Traces and Off-line Analysis 
+@include Bro-offline-analysis.texi
+
+@comment ********************************************
+@node Bro Directory and Files
+@appendix Bro Directory and Files
+@include Bro-dir-files.texi
+
+@comment ********************************************
+@node Index
+@unnumbered Index 
+
+@printindex cp
+
+@bye
diff --git a/doc/user-manual/BroDir.pdf b/doc/user-manual/BroDir.pdf
new file mode 100644
index 0000000000..7392093a78
Binary files /dev/null and b/doc/user-manual/BroDir.pdf differ
diff --git a/doc/user-manual/BroDir.png b/doc/user-manual/BroDir.png
new file mode 100644
index 0000000000..cd28c5a0f1
Binary files /dev/null and b/doc/user-manual/BroDir.png differ
diff --git a/doc/user-manual/Makefile.am b/doc/user-manual/Makefile.am
new file mode 100644
index 0000000000..3a889a2db9
--- /dev/null
+++ b/doc/user-manual/Makefile.am
@@ -0,0 +1,32 @@
+
+prefix = @prefix@
+bro_dir         = ${prefix}/bro
+
+EXTRA_DIST = README.txt bro.css Bro-user-manual.pdf bro-deployment.pdf \
+	BroDir.pdf BroDir.png \
+	bro-deployment.png Bro-analysis.texi Bro-blocking.texi \
+	Bro-customizing.texi Bro-dir-files.texi Bro-hardware.texi \
+	Bro-installation.texi Bro-intrusion-prevention.texi \
+	Bro-Linux.texi Bro-log-files.texi Bro-offline-analysis.texi \
+	Bro-output.texi Bro-overview.texi Bro-production.texi \
+	Bro-requirements.texi Bro-running.texi Bro-setup.texi \
+	Bro-signatures.texi Bro-software.texi Bro-tuning.texi \
+	Bro-user-manual.texi Bro-user-manual
+
+clean-local: doc-clean
+
+doc: html pdf
+
+pdf: 
+	texi2dvi -s --clean --pdf Bro-user-manual.texi
+
+html:
+	@rm -rf Bro-user-manual
+	makeinfo --css-include=bro.css  --html Bro-user-manual.texi
+
+doc-clean:
+	@echo "cleaning  User Manual"
+	@rm -f *.log Bro-user-manual/*
+
+doc-distclean:	clean
+	@rm Makefile
diff --git a/doc/user-manual/README.txt b/doc/user-manual/README.txt
new file mode 100644
index 0000000000..5e2a8250b1
--- /dev/null
+++ b/doc/user-manual/README.txt
@@ -0,0 +1,8 @@
+
+to generate html:
+  makeinfo --css-include=bro.css --html Bro-user-manual.texi
+
+to generate PDF:
+
+ texi2dvi --clean --pdf Bro-user-manual.texi
+
diff --git a/doc/user-manual/bro-deployment.pdf b/doc/user-manual/bro-deployment.pdf
new file mode 100644
index 0000000000..43984adbe0
Binary files /dev/null and b/doc/user-manual/bro-deployment.pdf differ
diff --git a/doc/user-manual/bro-deployment.png b/doc/user-manual/bro-deployment.png
new file mode 100644
index 0000000000..6c4568c042
Binary files /dev/null and b/doc/user-manual/bro-deployment.png differ
diff --git a/doc/user-manual/bro.css b/doc/user-manual/bro.css
new file mode 100644
index 0000000000..0bebab8e63
--- /dev/null
+++ b/doc/user-manual/bro.css
@@ -0,0 +1,43 @@
+/* 
+ * Custom nllite stylesheet
+ */
+body {  
+  font-family: Verdana, Arial, serif;
+}
+H1 {  
+  color: #339933;
+}
+A:link, A:active, A:visited, A:hover { 
+  color: #3333ff;
+  text-decoration: none; 
+}
+A:hover {
+  border-bottom: 1px dotted red;
+  color: red;
+  text-decoration: none;
+}
+ul.menu { 
+  list-style-type: circle;
+  list-style-position: inside;
+  padding: 5px;
+  background-color: #ccffcc;
+  border: 1px dashed #333333;
+}
+hr { 
+  display: none;
+}
+div.node { 
+  font-size: 12px;
+  font-weight: bold;
+  background-color: #ccffcc;
+/*
+  line-height: 0;
+*/
+  padding: 0.5em;
+}
+table.cartouche { 
+  background-color: white;
+}
+table { 
+  border: none;
+}
diff --git a/example-attacks/ftp-site-exec.trace b/example-attacks/ftp-site-exec.trace
new file mode 100644
index 0000000000..2562eb7098
Binary files /dev/null and b/example-attacks/ftp-site-exec.trace differ
diff --git a/example-attacks/ntp-attack.trace b/example-attacks/ntp-attack.trace
new file mode 100644
index 0000000000..b082e180c9
Binary files /dev/null and b/example-attacks/ntp-attack.trace differ
diff --git a/install-sh b/install-sh
new file mode 100755
index 0000000000..ebc66913e9
--- /dev/null
+++ b/install-sh
@@ -0,0 +1,250 @@
+#! /bin/sh
+#
+# install - install a program, script, or datafile
+# This comes from X11R5 (mit/util/scripts/install.sh).
+#
+# Copyright 1991 by the Massachusetts Institute of Technology
+#
+# Permission to use, copy, modify, distribute, and sell this software and its
+# documentation for any purpose is hereby granted without fee, provided that
+# the above copyright notice appear in all copies and that both that
+# copyright notice and this permission notice appear in supporting
+# documentation, and that the name of M.I.T. not be used in advertising or
+# publicity pertaining to distribution of the software without specific,
+# written prior permission.  M.I.T. makes no representations about the
+# suitability of this software for any purpose.  It is provided "as is"
+# without express or implied warranty.
+#
+# Calling this script install-sh is preferred over install.sh, to prevent
+# `make' implicit rules from creating a file called install from it
+# when there is no Makefile.
+#
+# This script is compatible with the BSD install script, but was written
+# from scratch.  It can only install one file at a time, a restriction
+# shared with many OS's install programs.
+
+
+# set DOITPROG to echo to test this script
+
+# Don't use :- since 4.3BSD and earlier shells don't like it.
+doit="${DOITPROG-}"
+
+
+# put in absolute paths if you don't have them in your path; or use env. vars.
+
+mvprog="${MVPROG-mv}"
+cpprog="${CPPROG-cp}"
+chmodprog="${CHMODPROG-chmod}"
+chownprog="${CHOWNPROG-chown}"
+chgrpprog="${CHGRPPROG-chgrp}"
+stripprog="${STRIPPROG-strip}"
+rmprog="${RMPROG-rm}"
+mkdirprog="${MKDIRPROG-mkdir}"
+
+transformbasename=""
+transform_arg=""
+instcmd="$mvprog"
+chmodcmd="$chmodprog 0755"
+chowncmd=""
+chgrpcmd=""
+stripcmd=""
+rmcmd="$rmprog -f"
+mvcmd="$mvprog"
+src=""
+dst=""
+dir_arg=""
+
+while [ x"$1" != x ]; do
+    case $1 in
+	-c) instcmd="$cpprog"
+	    shift
+	    continue;;
+
+	-d) dir_arg=true
+	    shift
+	    continue;;
+
+	-m) chmodcmd="$chmodprog $2"
+	    shift
+	    shift
+	    continue;;
+
+	-o) chowncmd="$chownprog $2"
+	    shift
+	    shift
+	    continue;;
+
+	-g) chgrpcmd="$chgrpprog $2"
+	    shift
+	    shift
+	    continue;;
+
+	-s) stripcmd="$stripprog"
+	    shift
+	    continue;;
+
+	-t=*) transformarg=`echo $1 | sed 's/-t=//'`
+	    shift
+	    continue;;
+
+	-b=*) transformbasename=`echo $1 | sed 's/-b=//'`
+	    shift
+	    continue;;
+
+	*)  if [ x"$src" = x ]
+	    then
+		src=$1
+	    else
+		# this colon is to work around a 386BSD /bin/sh bug
+		:
+		dst=$1
+	    fi
+	    shift
+	    continue;;
+    esac
+done
+
+if [ x"$src" = x ]
+then
+	echo "install:	no input file specified"
+	exit 1
+else
+	true
+fi
+
+if [ x"$dir_arg" != x ]; then
+	dst=$src
+	src=""
+	
+	if [ -d $dst ]; then
+		instcmd=:
+	else
+		instcmd=mkdir
+	fi
+else
+
+# Waiting for this to be detected by the "$instcmd $src $dsttmp" command
+# might cause directories to be created, which would be especially bad 
+# if $src (and thus $dsttmp) contains '*'.
+
+	if [ -f $src -o -d $src ]
+	then
+		true
+	else
+		echo "install:  $src does not exist"
+		exit 1
+	fi
+	
+	if [ x"$dst" = x ]
+	then
+		echo "install:	no destination specified"
+		exit 1
+	else
+		true
+	fi
+
+# If destination is a directory, append the input filename; if your system
+# does not like double slashes in filenames, you may need to add some logic
+
+	if [ -d $dst ]
+	then
+		dst="$dst"/`basename $src`
+	else
+		true
+	fi
+fi
+
+## this sed command emulates the dirname command
+dstdir=`echo $dst | sed -e 's,[^/]*$,,;s,/$,,;s,^$,.,'`
+
+# Make sure that the destination directory exists.
+#  this part is taken from Noah Friedman's mkinstalldirs script
+
+# Skip lots of stat calls in the usual case.
+if [ ! -d "$dstdir" ]; then
+defaultIFS='	
+'
+IFS="${IFS-${defaultIFS}}"
+
+oIFS="${IFS}"
+# Some sh's can't handle IFS=/ for some reason.
+IFS='%'
+set - `echo ${dstdir} | sed -e 's@/@%@g' -e 's@^%@/@'`
+IFS="${oIFS}"
+
+pathcomp=''
+
+while [ $# -ne 0 ] ; do
+	pathcomp="${pathcomp}${1}"
+	shift
+
+	if [ ! -d "${pathcomp}" ] ;
+        then
+		$mkdirprog "${pathcomp}"
+	else
+		true
+	fi
+
+	pathcomp="${pathcomp}/"
+done
+fi
+
+if [ x"$dir_arg" != x ]
+then
+	$doit $instcmd $dst &&
+
+	if [ x"$chowncmd" != x ]; then $doit $chowncmd $dst; else true ; fi &&
+	if [ x"$chgrpcmd" != x ]; then $doit $chgrpcmd $dst; else true ; fi &&
+	if [ x"$stripcmd" != x ]; then $doit $stripcmd $dst; else true ; fi &&
+	if [ x"$chmodcmd" != x ]; then $doit $chmodcmd $dst; else true ; fi
+else
+
+# If we're going to rename the final executable, determine the name now.
+
+	if [ x"$transformarg" = x ] 
+	then
+		dstfile=`basename $dst`
+	else
+		dstfile=`basename $dst $transformbasename | 
+			sed $transformarg`$transformbasename
+	fi
+
+# don't allow the sed command to completely eliminate the filename
+
+	if [ x"$dstfile" = x ] 
+	then
+		dstfile=`basename $dst`
+	else
+		true
+	fi
+
+# Make a temp file name in the proper directory.
+
+	dsttmp=$dstdir/#inst.$$#
+
+# Move or copy the file name to the temp name
+
+	$doit $instcmd $src $dsttmp &&
+
+	trap "rm -f ${dsttmp}" 0 &&
+
+# and set any options; do chmod last to preserve setuid bits
+
+# If any of these fail, we abort the whole thing.  If we want to
+# ignore errors from any of these, just make sure not to ignore
+# errors from the above "$doit $instcmd $src $dsttmp" command.
+
+	if [ x"$chowncmd" != x ]; then $doit $chowncmd $dsttmp; else true;fi &&
+	if [ x"$chgrpcmd" != x ]; then $doit $chgrpcmd $dsttmp; else true;fi &&
+	if [ x"$stripcmd" != x ]; then $doit $stripcmd $dsttmp; else true;fi &&
+	if [ x"$chmodcmd" != x ]; then $doit $chmodcmd $dsttmp; else true;fi &&
+
+# Now rename the file to the real destination.
+
+	$doit $rmcmd -f $dstdir/$dstfile &&
+	$doit $mvcmd $dsttmp $dstdir/$dstfile 
+
+fi &&
+
+
+exit 0
diff --git a/libpcap.bufsize.patch b/libpcap.bufsize.patch
new file mode 100644
index 0000000000..ac5293db5b
--- /dev/null
+++ b/libpcap.bufsize.patch
@@ -0,0 +1,56 @@
+*** pcap-bpf.c	1998/02/15 23:35:23	1.30
+--- pcap-bpf.c	2000/01/26 23:20:35	1.32
+***************
+*** 159,165 ****
+  	int fd;
+  	struct ifreq ifr;
+  	struct bpf_version bv;
+! 	u_int v;
+  	pcap_t *p;
+  
+  	p = (pcap_t *)malloc(sizeof(*p));
+--- 166,172 ----
+  	int fd;
+  	struct ifreq ifr;
+  	struct bpf_version bv;
+! 	u_int v, n;
+  	pcap_t *p;
+  
+  	p = (pcap_t *)malloc(sizeof(*p));
+***************
+*** 184,196 ****
+  		sprintf(ebuf, "kernel bpf filter out of date");
+  		goto bad;
+  	}
+! 	v = 32768;	/* XXX this should be a user-accessible hook */
+! 	/* Ignore the return value - this is because the call fails on
+! 	 * BPF systems that don't have kernel malloc.  And if the call
+! 	 * fails, it's no big deal, we just continue to use the standard
+! 	 * buffer size.
+  	 */
+! 	(void) ioctl(fd, BIOCSBLEN, (caddr_t)&v);
+  
+  	(void)strncpy(ifr.ifr_name, device, sizeof(ifr.ifr_name));
+  	if (ioctl(fd, BIOCSETIF, (caddr_t)&ifr) < 0) {
+--- 191,211 ----
+  		sprintf(ebuf, "kernel bpf filter out of date");
+  		goto bad;
+  	}
+! 
+! 	/*
+! 	 * The bpf buffer length typically defaults to 4k. Check to see
+! 	 * what it is and if it's not larger than 32k, try to raise it.
+  	 */
+! 	n = 32768;	/* XXX this should be a user-accessible hook */
+! 	if (ioctl(fd, BIOCGBLEN, (caddr_t)&v) >= 0 && v < n) {
+! 		/*
+! 		 * Ignore the return value - this is because the call
+! 		 * fails on BPF systems that don't have kernel malloc.
+! 		 * And if the call fails, it's no big deal, we just
+! 		 * continue to use the standard buffer size.
+! 		 */
+! 		(void) ioctl(fd, BIOCSBLEN, (caddr_t)&n);
+! 	}
+  
+  	(void)strncpy(ifr.ifr_name, device, sizeof(ifr.ifr_name));
+  	if (ioctl(fd, BIOCSETIF, (caddr_t)&ifr) < 0) {
diff --git a/linux-include/README b/linux-include/README
new file mode 100644
index 0000000000..d7f328aef0
--- /dev/null
+++ b/linux-include/README
@@ -0,0 +1,2 @@
+This is the linux compatibility include tree from the tcpdump
+distribution.
diff --git a/linux-include/net/slcompress.h b/linux-include/net/slcompress.h
new file mode 100644
index 0000000000..8075486120
--- /dev/null
+++ b/linux-include/net/slcompress.h
@@ -0,0 +1,148 @@
+/*
+ * Definitions for tcp compression routines.
+ *
+ * @(#) $Header$ (LBL)
+ *
+ * Copyright (c) 1989, 1990, 1992, 1993 Regents of the University of
+ * California. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms are permitted
+ * provided that the above copyright notice and this paragraph are
+ * duplicated in all such forms and that any documentation,
+ * advertising materials, and other materials related to such
+ * distribution and use acknowledge that the software was developed
+ * by the University of California, Berkeley.  The name of the
+ * University may not be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
+ * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
+ *
+ *	Van Jacobson (van@ee.lbl.gov), Dec 31, 1989:
+ *	- Initial distribution.
+ */
+
+#define MAX_STATES 16		/* must be > 2 and < 256 */
+#define MAX_HDR MLEN		/* XXX 4bsd-ism: should really be 128 */
+
+/*
+ * Compressed packet format:
+ *
+ * The first octet contains the packet type (top 3 bits), TCP
+ * 'push' bit, and flags that indicate which of the 4 TCP sequence
+ * numbers have changed (bottom 5 bits).  The next octet is a
+ * conversation number that associates a saved IP/TCP header with
+ * the compressed packet.  The next two octets are the TCP checksum
+ * from the original datagram.  The next 0 to 15 octets are
+ * sequence number changes, one change per bit set in the header
+ * (there may be no changes and there are two special cases where
+ * the receiver implicitly knows what changed -- see below).
+ *
+ * There are 5 numbers which can change (they are always inserted
+ * in the following order): TCP urgent pointer, window,
+ * acknowlegement, sequence number and IP ID.  (The urgent pointer
+ * is different from the others in that its value is sent, not the
+ * change in value.)  Since typical use of SLIP links is biased
+ * toward small packets (see comments on MTU/MSS below), changes
+ * use a variable length coding with one octet for numbers in the
+ * range 1 - 255 and 3 octets (0, MSB, LSB) for numbers in the
+ * range 256 - 65535 or 0.  (If the change in sequence number or
+ * ack is more than 65535, an uncompressed packet is sent.)
+ */
+
+/*
+ * Packet types (must not conflict with IP protocol version)
+ *
+ * The top nibble of the first octet is the packet type.  There are
+ * three possible types: IP (not proto TCP or tcp with one of the
+ * control flags set); uncompressed TCP (a normal IP/TCP packet but
+ * with the 8-bit protocol field replaced by an 8-bit connection id --
+ * this type of packet syncs the sender & receiver); and compressed
+ * TCP (described above).
+ *
+ * LSB of 4-bit field is TCP "PUSH" bit (a worthless anachronism) and
+ * is logically part of the 4-bit "changes" field that follows.  Top
+ * three bits are actual packet type.  For backward compatibility
+ * and in the interest of conserving bits, numbers are chosen so the
+ * IP protocol version number (4) which normally appears in this nibble
+ * means "IP packet".
+ */
+
+/* packet types */
+#define TYPE_IP 0x40
+#define TYPE_UNCOMPRESSED_TCP 0x70
+#define TYPE_COMPRESSED_TCP 0x80
+#define TYPE_ERROR 0x00
+
+/* Bits in first octet of compressed packet */
+#define NEW_C	0x40	/* flag bits for what changed in a packet */
+#define NEW_I	0x20
+#define NEW_S	0x08
+#define NEW_A	0x04
+#define NEW_W	0x02
+#define NEW_U	0x01
+
+/* reserved, special-case values of above */
+#define SPECIAL_I (NEW_S|NEW_W|NEW_U)		/* echoed interactive traffic */
+#define SPECIAL_D (NEW_S|NEW_A|NEW_W|NEW_U)	/* unidirectional data */
+#define SPECIALS_MASK (NEW_S|NEW_A|NEW_W|NEW_U)
+
+#define TCP_PUSH_BIT 0x10
+
+
+/*
+ * "state" data for each active tcp conversation on the wire.  This is
+ * basically a copy of the entire IP/TCP header from the last packet
+ * we saw from the conversation together with a small identifier
+ * the transmit & receive ends of the line use to locate saved header.
+ */
+struct cstate {
+	struct cstate *cs_next;	/* next most recently used cstate (xmit only) */
+	u_short cs_hlen;	/* size of hdr (receive only) */
+	u_char cs_id;		/* connection # associated with this state */
+	u_char cs_filler;
+	union {
+		char csu_hdr[MAX_HDR];
+		struct ip csu_ip;	/* ip/tcp hdr from most recent packet */
+	} slcs_u;
+};
+#define cs_ip slcs_u.csu_ip
+#define cs_hdr slcs_u.csu_hdr
+
+/*
+ * all the state data for one serial line (we need one of these
+ * per line).
+ */
+struct slcompress {
+	struct cstate *last_cs;	/* most recently used tstate */
+	u_char last_recv;	/* last rcvd conn. id */
+	u_char last_xmit;	/* last sent conn. id */
+	u_short flags;
+#ifndef SL_NO_STATS
+	u_int sls_packets;	/* outbound packets */
+	u_int sls_compressed;	/* outbound compressed packets */
+	u_int sls_searches;	/* searches for connection state */
+	u_int sls_misses;	/* times couldn't find conn. state */
+	u_int sls_uncompressedin;/* inbound uncompressed packets */
+	u_int sls_compressedin;	/* inbound compressed packets */
+	u_int sls_errorin;	/* inbound unknown type packets */
+	u_int sls_tossed;	/* inbound packets tossed because of error */
+#endif
+	struct cstate tstate[MAX_STATES];	/* xmit connection states */
+	struct cstate rstate[MAX_STATES];	/* receive connection states */
+};
+/* flag values */
+#define SLF_TOSS 1		/* tossing rcvd frames because of input err */
+
+#ifdef KERNEL
+#ifdef __STDC__
+extern	void sl_compress_init(struct slcompress *);
+extern	u_char sl_compress_tcp(struct mbuf *, struct ip *, struct slcompress *);
+extern	int sl_uncompress_tcp(struct mbuf *, int, u_int, struct slcompress *);
+#else
+extern	void sl_compress_init();
+extern	u_char sl_compress_tcp();
+extern	int sl_uncompress_tcp();
+#endif
+#endif
+
diff --git a/linux-include/net/slip.h b/linux-include/net/slip.h
new file mode 100644
index 0000000000..8d62fa3336
--- /dev/null
+++ b/linux-include/net/slip.h
@@ -0,0 +1,45 @@
+/*
+ * Definitions that user level programs might need to know to interact
+ * with serial line IP (slip) lines.
+
+ * @(#) $Header$ (LBL)
+ *
+ * Copyright (c) 1990 Regents of the University of California.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms are permitted
+ * provided that the above copyright notice and this paragraph are
+ * duplicated in all such forms and that any documentation,
+ * advertising materials, and other materials related to such
+ * distribution and use acknowledge that the software was developed
+ * by the University of California, Berkeley.  The name of the
+ * University may not be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
+ * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
+ */
+
+/*
+ * ioctl to get slip interface unit number (e.g., sl0, sl1, etc.)
+ * assigned to some terminal line with a slip module pushed on it.
+ */
+#ifdef __STDC__
+#define SLIOGUNIT _IOR('B', 1, int)
+#else
+#define SLIOGUNIT _IOR(B, 1, int)
+#endif
+
+/*
+ * definitions of the pseudo- link-level header attached to slip
+ * packets grabbed by the packet filter (bpf) traffic monitor.
+ */
+#define SLIP_HDRLEN 16
+
+#define SLX_DIR 0
+#define SLX_CHDR 1
+#define CHDR_LEN 15
+
+#define SLIPDIR_IN 0
+#define SLIPDIR_OUT 1
+
diff --git a/linux-include/netinet/if_ether.h b/linux-include/netinet/if_ether.h
new file mode 100644
index 0000000000..4148ab83ea
--- /dev/null
+++ b/linux-include/netinet/if_ether.h
@@ -0,0 +1,88 @@
+/*
+ * Copyright (c) 1982, 1986, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)if_ether.h	8.3 (Berkeley) 5/2/95
+ */
+
+#include <net/if_arp.h>
+
+/*
+ * Ethernet address - 6 octets
+ */
+struct ether_addr {
+	u_char	ether_addr_octet[6];
+};
+
+/*
+ * Structure of a 10Mb/s Ethernet header.
+ */
+struct	ether_header {
+	u_char	ether_dhost[6];
+	u_char	ether_shost[6];
+	u_short	ether_type;
+};
+
+#define	ETHERTYPE_PUP		0x0200	/* PUP protocol */
+#define	ETHERTYPE_IP		0x0800	/* IP protocol */
+#define ETHERTYPE_ARP		0x0806	/* Addr. resolution protocol */
+#define ETHERTYPE_REVARP	0x8035	/* reverse Addr. resolution protocol */
+
+/*
+ * The ETHERTYPE_NTRAILER packet types starting at ETHERTYPE_TRAIL have
+ * (type-ETHERTYPE_TRAIL)*512 bytes of data followed
+ * by an ETHER type (as given above) and then the (variable-length) header.
+ */
+#define	ETHERTYPE_TRAIL		0x1000		/* Trailer packet */
+#define	ETHERTYPE_NTRAILER	16
+
+#define	ETHERMTU	1500
+#define	ETHERMIN	(60-14)
+
+/*
+ * Ethernet Address Resolution Protocol.
+ *
+ * See RFC 826 for protocol description.  Structure below is adapted
+ * to resolving internet addresses.  Field names used correspond to 
+ * RFC 826.
+ */
+struct	ether_arp {
+	struct	arphdr ea_hdr;	/* fixed-size header */
+	u_char	arp_sha[6];	/* sender hardware address */
+	u_char	arp_spa[4];	/* sender protocol address */
+	u_char	arp_tha[6];	/* target hardware address */
+	u_char	arp_tpa[4];	/* target protocol address */
+};
+#define	arp_hrd	ea_hdr.ar_hrd
+#define	arp_pro	ea_hdr.ar_pro
+#define	arp_hln	ea_hdr.ar_hln
+#define	arp_pln	ea_hdr.ar_pln
+#define	arp_op	ea_hdr.ar_op
diff --git a/linux-include/netinet/in_systm.h b/linux-include/netinet/in_systm.h
new file mode 100644
index 0000000000..d9a7c3e233
--- /dev/null
+++ b/linux-include/netinet/in_systm.h
@@ -0,0 +1,56 @@
+/*
+ * Copyright (c) 1982, 1986, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)in_systm.h	8.1 (Berkeley) 6/10/93
+ */
+
+/*
+ * Miscellaneous internetwork
+ * definitions for kernel.
+ */
+
+/*
+ * Network types.
+ *
+ * Internally the system keeps counters in the headers with the bytes
+ * swapped so that VAX instructions will work on them.  It reverses
+ * the bytes before transmission at each protocol level.  The n_ types
+ * represent the types with the bytes in ``high-ender'' order.
+ */
+typedef u_short n_short;		/* short as received from the net */
+typedef u_int	n_long;			/* long as received from the net */
+
+typedef	u_int	n_time;			/* ms since 00:00 GMT, byte rev */
+
+#ifdef KERNEL
+n_time	 iptime __P((void));
+#endif
diff --git a/linux-include/netinet/ip.h b/linux-include/netinet/ip.h
new file mode 100644
index 0000000000..93f98cdbc9
--- /dev/null
+++ b/linux-include/netinet/ip.h
@@ -0,0 +1,170 @@
+/*
+ * Copyright (c) 1982, 1986, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)ip.h	8.2 (Berkeley) 6/1/94
+ */
+
+#include <endian.h>
+
+/*
+ * Definitions for internet protocol version 4.
+ * Per RFC 791, September 1981.
+ */
+#define	IPVERSION	4
+
+/*
+ * Structure of an internet header, naked of options.
+ *
+ * We declare ip_len and ip_off to be short, rather than u_short
+ * pragmatically since otherwise unsigned comparisons can result
+ * against negative integers quite easily, and fail in subtle ways.
+ */
+struct ip {
+#if BYTE_ORDER == LITTLE_ENDIAN 
+	u_char	ip_hl:4,		/* header length */
+		ip_v:4;			/* version */
+#endif
+#if BYTE_ORDER == BIG_ENDIAN 
+	u_char	ip_v:4,			/* version */
+		ip_hl:4;		/* header length */
+#endif
+	u_char	ip_tos;			/* type of service */
+	short	ip_len;			/* total length */
+	u_short	ip_id;			/* identification */
+	short	ip_off;			/* fragment offset field */
+#define	IP_DF 0x4000			/* dont fragment flag */
+#define	IP_MF 0x2000			/* more fragments flag */
+#define	IP_OFFMASK 0x1fff		/* mask for fragmenting bits */
+	u_char	ip_ttl;			/* time to live */
+	u_char	ip_p;			/* protocol */
+	u_short	ip_sum;			/* checksum */
+	struct	in_addr ip_src,ip_dst;	/* source and dest address */
+};
+
+#define	IP_MAXPACKET	65535		/* maximum packet size */
+
+/*
+ * Definitions for IP type of service (ip_tos)
+ */
+#define	IPTOS_LOWDELAY		0x10
+#define	IPTOS_THROUGHPUT	0x08
+#define	IPTOS_RELIABILITY	0x04
+
+/*
+ * Definitions for IP precedence (also in ip_tos) (hopefully unused)
+ */
+#define	IPTOS_PREC_NETCONTROL		0xe0
+#define	IPTOS_PREC_INTERNETCONTROL	0xc0
+#define	IPTOS_PREC_CRITIC_ECP		0xa0
+#define	IPTOS_PREC_FLASHOVERRIDE	0x80
+#define	IPTOS_PREC_FLASH		0x60
+#define	IPTOS_PREC_IMMEDIATE		0x40
+#define	IPTOS_PREC_PRIORITY		0x20
+#define	IPTOS_PREC_ROUTINE		0x00
+
+/*
+ * Definitions for options.
+ */
+#define	IPOPT_COPIED(o)		((o)&0x80)
+#define	IPOPT_CLASS(o)		((o)&0x60)
+#define	IPOPT_NUMBER(o)		((o)&0x1f)
+
+#define	IPOPT_CONTROL		0x00
+#define	IPOPT_RESERVED1		0x20
+#define	IPOPT_DEBMEAS		0x40
+#define	IPOPT_RESERVED2		0x60
+
+#define	IPOPT_EOL		0		/* end of option list */
+#define	IPOPT_NOP		1		/* no operation */
+
+#define	IPOPT_RR		7		/* record packet route */
+#define	IPOPT_TS		68		/* timestamp */
+#define	IPOPT_SECURITY		130		/* provide s,c,h,tcc */
+#define	IPOPT_LSRR		131		/* loose source route */
+#define	IPOPT_SATID		136		/* satnet id */
+#define	IPOPT_SSRR		137		/* strict source route */
+
+/*
+ * Offsets to fields in options other than EOL and NOP.
+ */
+#define	IPOPT_OPTVAL		0		/* option ID */
+#define	IPOPT_OLEN		1		/* option length */
+#define IPOPT_OFFSET		2		/* offset within option */
+#define	IPOPT_MINOFF		4		/* min value of above */
+
+/*
+ * Time stamp option structure.
+ */
+struct	ip_timestamp {
+	u_char	ipt_code;		/* IPOPT_TS */
+	u_char	ipt_len;		/* size of structure (variable) */
+	u_char	ipt_ptr;		/* index of current entry */
+#if BYTE_ORDER == LITTLE_ENDIAN 
+	u_char	ipt_flg:4,		/* flags, see below */
+		ipt_oflw:4;		/* overflow counter */
+#endif
+#if BYTE_ORDER == BIG_ENDIAN 
+	u_char	ipt_oflw:4,		/* overflow counter */
+		ipt_flg:4;		/* flags, see below */
+#endif
+	union ipt_timestamp {
+		n_long	ipt_time[1];
+		struct	ipt_ta {
+			struct in_addr ipt_addr;
+			n_long ipt_time;
+		} ipt_ta[1];
+	} ipt_timestamp;
+};
+
+/* flag bits for ipt_flg */
+#define	IPOPT_TS_TSONLY		0		/* timestamps only */
+#define	IPOPT_TS_TSANDADDR	1		/* timestamps and addresses */
+#define	IPOPT_TS_PRESPEC	3		/* specified modules only */
+
+/* bits for security (not byte swapped) */
+#define	IPOPT_SECUR_UNCLASS	0x0000
+#define	IPOPT_SECUR_CONFID	0xf135
+#define	IPOPT_SECUR_EFTO	0x789a
+#define	IPOPT_SECUR_MMMM	0xbc4d
+#define	IPOPT_SECUR_RESTR	0xaf13
+#define	IPOPT_SECUR_SECRET	0xd788
+#define	IPOPT_SECUR_TOPSECRET	0x6bc5
+
+/*
+ * Internet implementation parameters.
+ */
+#define	MAXTTL		255		/* maximum time to live (seconds) */
+#define	IPDEFTTL	64		/* default ttl, from RFC 1340 */
+#define	IPFRAGTTL	60		/* time to live for frags, slowhz */
+#define	IPTTLDEC	1		/* subtracted when forwarding */
+
+#define	IP_MSS		576		/* default maximum segment size */
diff --git a/linux-include/netinet/ip_icmp.h b/linux-include/netinet/ip_icmp.h
new file mode 100644
index 0000000000..c3fdc45390
--- /dev/null
+++ b/linux-include/netinet/ip_icmp.h
@@ -0,0 +1,160 @@
+/*
+ * Copyright (c) 1982, 1986, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)ip_icmp.h	8.1 (Berkeley) 6/10/93
+ */
+
+/*
+ * Interface Control Message Protocol Definitions.
+ * Per RFC 792, September 1981.
+ */
+
+/*
+ * Structure of an icmp header.
+ */
+struct icmp {
+	u_char	icmp_type;		/* type of message, see below */
+	u_char	icmp_code;		/* type sub code */
+	u_short	icmp_cksum;		/* ones complement cksum of struct */
+	union {
+		u_char ih_pptr;			/* ICMP_PARAMPROB */
+		struct in_addr ih_gwaddr;	/* ICMP_REDIRECT */
+		struct ih_idseq {
+			n_short	icd_id;
+			n_short	icd_seq;
+		} ih_idseq;
+		int ih_void;
+
+		/* ICMP_UNREACH_NEEDFRAG -- Path MTU Discovery (RFC1191) */
+		struct ih_pmtu {
+			n_short ipm_void;    
+			n_short ipm_nextmtu;
+		} ih_pmtu;
+	} icmp_hun;
+#define	icmp_pptr	icmp_hun.ih_pptr
+#define	icmp_gwaddr	icmp_hun.ih_gwaddr
+#define	icmp_id		icmp_hun.ih_idseq.icd_id
+#define	icmp_seq	icmp_hun.ih_idseq.icd_seq
+#define	icmp_void	icmp_hun.ih_void
+#define	icmp_pmvoid	icmp_hun.ih_pmtu.ipm_void
+#define	icmp_nextmtu	icmp_hun.ih_pmtu.ipm_nextmtu
+	union {
+		struct id_ts {
+			n_time its_otime;
+			n_time its_rtime;
+			n_time its_ttime;
+		} id_ts;
+		struct id_ip  {
+			struct ip idi_ip;
+			/* options and then 64 bits of data */
+		} id_ip;
+		u_int	id_mask;
+		char	id_data[1];
+	} icmp_dun;
+#define	icmp_otime	icmp_dun.id_ts.its_otime
+#define	icmp_rtime	icmp_dun.id_ts.its_rtime
+#define	icmp_ttime	icmp_dun.id_ts.its_ttime
+#define	icmp_ip		icmp_dun.id_ip.idi_ip
+#define	icmp_mask	icmp_dun.id_mask
+#define	icmp_data	icmp_dun.id_data
+};
+
+/*
+ * Lower bounds on packet lengths for various types.
+ * For the error advice packets must first insure that the
+ * packet is large enought to contain the returned ip header.
+ * Only then can we do the check to see if 64 bits of packet
+ * data have been returned, since we need to check the returned
+ * ip header length.
+ */
+#define	ICMP_MINLEN	8				/* abs minimum */
+#define	ICMP_TSLEN	(8 + 3 * sizeof (n_time))	/* timestamp */
+#define	ICMP_MASKLEN	12				/* address mask */
+#define	ICMP_ADVLENMIN	(8 + sizeof (struct ip) + 8)	/* min */
+#define	ICMP_ADVLEN(p)	(8 + ((p)->icmp_ip.ip_hl << 2) + 8)
+	/* N.B.: must separately check that ip_hl >= 5 */
+
+/*
+ * Definition of type and code field values.
+ */
+#define	ICMP_ECHOREPLY		0		/* echo reply */
+#define	ICMP_UNREACH		3		/* dest unreachable, codes: */
+#define		ICMP_UNREACH_NET	0		/* bad net */
+#define		ICMP_UNREACH_HOST	1		/* bad host */
+#define		ICMP_UNREACH_PROTOCOL	2		/* bad protocol */
+#define		ICMP_UNREACH_PORT	3		/* bad port */
+#define		ICMP_UNREACH_NEEDFRAG	4		/* IP_DF caused drop */
+#define		ICMP_UNREACH_SRCFAIL	5		/* src route failed */
+#define		ICMP_UNREACH_NET_UNKNOWN 6		/* unknown net */
+#define		ICMP_UNREACH_HOST_UNKNOWN 7		/* unknown host */
+#define		ICMP_UNREACH_ISOLATED	8		/* src host isolated */
+#define		ICMP_UNREACH_NET_PROHIB	9		/* prohibited access */
+#define		ICMP_UNREACH_HOST_PROHIB 10		/* ditto */
+#define		ICMP_UNREACH_TOSNET	11		/* bad tos for net */
+#define		ICMP_UNREACH_TOSHOST	12		/* bad tos for host */
+#define	ICMP_SOURCEQUENCH	4		/* packet lost, slow down */
+#define	ICMP_REDIRECT		5		/* shorter route, codes: */
+#define		ICMP_REDIRECT_NET	0		/* for network */
+#define		ICMP_REDIRECT_HOST	1		/* for host */
+#define		ICMP_REDIRECT_TOSNET	2		/* for tos and net */
+#define		ICMP_REDIRECT_TOSHOST	3		/* for tos and host */
+#define	ICMP_ECHO		8		/* echo service */
+#define	ICMP_ROUTERADVERT	9		/* router advertisement */
+#define	ICMP_ROUTERSOLICIT	10		/* router solicitation */
+#define	ICMP_TIMXCEED		11		/* time exceeded, code: */
+#define		ICMP_TIMXCEED_INTRANS	0		/* ttl==0 in transit */
+#define		ICMP_TIMXCEED_REASS	1		/* ttl==0 in reass */
+#define	ICMP_PARAMPROB		12		/* ip header bad */
+#define		ICMP_PARAMPROB_OPTABSENT 1		/* req. opt. absent */
+#define	ICMP_TSTAMP		13		/* timestamp request */
+#define	ICMP_TSTAMPREPLY	14		/* timestamp reply */
+#define	ICMP_IREQ		15		/* information request */
+#define	ICMP_IREQREPLY		16		/* information reply */
+#define	ICMP_MASKREQ		17		/* address mask request */
+#define	ICMP_MASKREPLY		18		/* address mask reply */
+
+#define	ICMP_MAXTYPE		18
+
+#define	ICMP_INFOTYPE(type) \
+	((type) == ICMP_ECHOREPLY || (type) == ICMP_ECHO || \
+	(type) == ICMP_ROUTERADVERT || (type) == ICMP_ROUTERSOLICIT || \
+	(type) == ICMP_TSTAMP || (type) == ICMP_TSTAMPREPLY || \
+	(type) == ICMP_IREQ || (type) == ICMP_IREQREPLY || \
+	(type) == ICMP_MASKREQ || (type) == ICMP_MASKREPLY)
+
+#ifdef KERNEL
+void	icmp_error __P((struct mbuf *, int, int, n_int, struct ifnet *));
+void	icmp_input __P((struct mbuf *, int));
+void	icmp_reflect __P((struct mbuf *));
+void	icmp_send __P((struct mbuf *, struct mbuf *));
+int	icmp_sysctl __P((int *, u_int, void *, size_t *, void *, size_t));
+#endif
diff --git a/linux-include/netinet/ip_var.h b/linux-include/netinet/ip_var.h
new file mode 100644
index 0000000000..c528b62fa9
--- /dev/null
+++ b/linux-include/netinet/ip_var.h
@@ -0,0 +1,178 @@
+/*
+ * Copyright (c) 1982, 1986, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)ip_var.h	8.2 (Berkeley) 1/9/95
+ */
+
+#include <endian.h>
+
+/*
+ * Overlay for ip header used by other protocols (tcp, udp).
+ */
+struct ipovly {
+	caddr_t	ih_next, ih_prev;	/* for protocol sequence q's */
+	u_char	ih_x1;			/* (unused) */
+	u_char	ih_pr;			/* protocol */
+	short	ih_len;			/* protocol length */
+	struct	in_addr ih_src;		/* source internet address */
+	struct	in_addr ih_dst;		/* destination internet address */
+};
+
+/*
+ * Ip reassembly queue structure.  Each fragment
+ * being reassembled is attached to one of these structures.
+ * They are timed out after ipq_ttl drops to 0, and may also
+ * be reclaimed if memory becomes tight.
+ */
+struct ipq {
+	struct	ipq *next,*prev;	/* to other reass headers */
+	u_char	ipq_ttl;		/* time for reass q to live */
+	u_char	ipq_p;			/* protocol of this fragment */
+	u_short	ipq_id;			/* sequence id for reassembly */
+	struct	ipasfrag *ipq_next,*ipq_prev;
+					/* to ip headers of fragments */
+	struct	in_addr ipq_src,ipq_dst;
+};
+
+/*
+ * Ip header, when holding a fragment.
+ *
+ * Note: ipf_next must be at same offset as ipq_next above
+ */
+struct	ipasfrag {
+#if BYTE_ORDER == LITTLE_ENDIAN 
+	u_char	ip_hl:4,
+		ip_v:4;
+#endif
+#if BYTE_ORDER == BIG_ENDIAN 
+	u_char	ip_v:4,
+		ip_hl:4;
+#endif
+	u_char	ipf_mff;		/* XXX overlays ip_tos: use low bit
+					 * to avoid destroying tos;
+					 * copied from (ip_off&IP_MF) */
+	short	ip_len;
+	u_short	ip_id;
+	short	ip_off;
+	u_char	ip_ttl;
+	u_char	ip_p;
+	u_short	ip_sum;
+	struct	ipasfrag *ipf_next;	/* next fragment */
+	struct	ipasfrag *ipf_prev;	/* previous fragment */
+};
+
+/*
+ * Structure stored in mbuf in inpcb.ip_options
+ * and passed to ip_output when ip options are in use.
+ * The actual length of the options (including ipopt_dst)
+ * is in m_len.
+ */
+#define MAX_IPOPTLEN	40
+
+struct ipoption {
+	struct	in_addr ipopt_dst;	/* first-hop dst if source routed */
+	char	ipopt_list[MAX_IPOPTLEN];	/* options proper */
+};
+
+struct	ipstat {
+	n_long	ips_total;		/* total packets received */
+	n_long	ips_badsum;		/* checksum bad */
+	n_long	ips_tooshort;		/* packet too short */
+	n_long	ips_toosmall;		/* not enough data */
+	n_long	ips_badhlen;		/* ip header length < data size */
+	n_long	ips_badlen;		/* ip length < ip header length */
+	n_long	ips_fragments;		/* fragments received */
+	n_long	ips_fragdropped;	/* frags dropped (dups, out of space) */
+	n_long	ips_fragtimeout;	/* fragments timed out */
+	n_long	ips_forward;		/* packets forwarded */
+	n_long	ips_cantforward;	/* packets rcvd for unreachable dest */
+	n_long	ips_redirectsent;	/* packets forwarded on same net */
+	n_long	ips_noproto;		/* unknown or unsupported protocol */
+	n_long	ips_delivered;		/* datagrams delivered to upper level*/
+	n_long	ips_localout;		/* total ip packets generated here */
+	n_long	ips_odropped;		/* lost packets due to nobufs, etc. */
+	n_long	ips_reassembled;	/* total packets reassembled ok */
+	n_long	ips_fragmented;		/* datagrams sucessfully fragmented */
+	n_long	ips_ofragments;		/* output fragments created */
+	n_long	ips_cantfrag;		/* don't fragment flag was set, etc. */
+	n_long	ips_badoptions;		/* error in option processing */
+	n_long	ips_noroute;		/* packets discarded due to no route */
+	n_long	ips_badvers;		/* ip version != 4 */
+	n_long	ips_rawout;		/* total raw ip packets generated */
+};
+
+#ifdef KERNEL
+/* flags passed to ip_output as last parameter */
+#define	IP_FORWARDING		0x1		/* most of ip header exists */
+#define	IP_RAWOUTPUT		0x2		/* raw ip header exists */
+#define	IP_ROUTETOIF		SO_DONTROUTE	/* bypass routing tables */
+#define	IP_ALLOWBROADCAST	SO_BROADCAST	/* can send broadcast packets */
+
+struct	ipstat	ipstat;
+struct	ipq	ipq;			/* ip reass. queue */
+u_short	ip_id;				/* ip packet ctr, for ids */
+int	ip_defttl;			/* default IP ttl */
+
+int	 in_control __P((struct socket *, n_long, caddr_t, struct ifnet *));
+int	 ip_ctloutput __P((int, struct socket *, int, int, struct mbuf **));
+void	 ip_deq __P((struct ipasfrag *));
+int	 ip_dooptions __P((struct mbuf *));
+void	 ip_drain __P((void));
+void	 ip_enq __P((struct ipasfrag *, struct ipasfrag *));
+void	 ip_forward __P((struct mbuf *, int));
+void	 ip_freef __P((struct ipq *));
+void	 ip_freemoptions __P((struct ip_moptions *));
+int	 ip_getmoptions __P((int, struct ip_moptions *, struct mbuf **));
+void	 ip_init __P((void));
+int	 ip_mforward __P((struct mbuf *, struct ifnet *));
+int	 ip_optcopy __P((struct ip *, struct ip *));
+int	 ip_output __P((struct mbuf *,
+	    struct mbuf *, struct route *, int, struct ip_moptions *));
+int	 ip_pcbopts __P((struct mbuf **, struct mbuf *));
+struct ip *
+	 ip_reass __P((struct ipasfrag *, struct ipq *));
+struct in_ifaddr *
+	 ip_rtaddr __P((struct in_addr));
+int	 ip_setmoptions __P((int, struct ip_moptions **, struct mbuf *));
+void	 ip_slowtimo __P((void));
+struct mbuf *
+	 ip_srcroute __P((void));
+void	 ip_stripoptions __P((struct mbuf *, struct mbuf *));
+int	 ip_sysctl __P((int *, n_long, void *, size_t *, void *, size_t));
+void	 ipintr __P((void));
+int	 rip_ctloutput __P((int, struct socket *, int, int, struct mbuf **));
+void	 rip_init __P((void));
+void	 rip_input __P((struct mbuf *));
+int	 rip_output __P((struct mbuf *, struct socket *, n_long));
+int	 rip_usrreq __P((struct socket *,
+	    int, struct mbuf *, struct mbuf *, struct mbuf *));
+#endif
diff --git a/linux-include/netinet/tcp.h b/linux-include/netinet/tcp.h
new file mode 100644
index 0000000000..92654c6fb0
--- /dev/null
+++ b/linux-include/netinet/tcp.h
@@ -0,0 +1,102 @@
+/*
+ * Copyright (c) 1982, 1986, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)tcp.h	8.1 (Berkeley) 6/10/93
+ */
+
+typedef	u_int	tcp_seq;
+/*
+ * TCP header.
+ * Per RFC 793, September, 1981.
+ */
+struct tcphdr {
+	u_short	th_sport;		/* source port */
+	u_short	th_dport;		/* destination port */
+	tcp_seq	th_seq;			/* sequence number */
+	tcp_seq	th_ack;			/* acknowledgement number */
+#if BYTE_ORDER == LITTLE_ENDIAN 
+	u_char	th_x2:4,		/* (unused) */
+		th_off:4;		/* data offset */
+#endif
+#if BYTE_ORDER == BIG_ENDIAN 
+	u_char	th_off:4,		/* data offset */
+		th_x2:4;		/* (unused) */
+#endif
+	u_char	th_flags;
+#define	TH_FIN	0x01
+#define	TH_SYN	0x02
+#define	TH_RST	0x04
+#define	TH_PUSH	0x08
+#define	TH_ACK	0x10
+#define	TH_URG	0x20
+	u_short	th_win;			/* window */
+	u_short	th_sum;			/* checksum */
+	u_short	th_urp;			/* urgent pointer */
+};
+
+#define	TCPOPT_EOL		0
+#define	TCPOPT_NOP		1
+#define	TCPOPT_MAXSEG		2
+#define    TCPOLEN_MAXSEG		4
+#define TCPOPT_WINDOW		3
+#define    TCPOLEN_WINDOW		3
+#define TCPOPT_SACK_PERMITTED	4		/* Experimental */
+#define    TCPOLEN_SACK_PERMITTED	2
+#define TCPOPT_SACK		5		/* Experimental */
+#define TCPOPT_TIMESTAMP	8
+#define    TCPOLEN_TIMESTAMP		10
+#define    TCPOLEN_TSTAMP_APPA		(TCPOLEN_TIMESTAMP+2) /* appendix A */
+
+#define TCPOPT_TSTAMP_HDR	\
+    (TCPOPT_NOP<<24|TCPOPT_NOP<<16|TCPOPT_TIMESTAMP<<8|TCPOLEN_TIMESTAMP)
+
+/*
+ * Default maximum segment size for TCP.
+ * With an IP MSS of 576, this is 536,
+ * but 512 is probably more convenient.
+ * This should be defined as MIN(512, IP_MSS - sizeof (struct tcpiphdr)).
+ */
+#define	TCP_MSS	512
+
+#define	TCP_MAXWIN	65535	/* largest value for (unscaled) window */
+
+#define TCP_MAX_WINSHIFT	14	/* maximum window shift */
+
+/*
+ * User-settable options (used with setsockopt).
+ */
+#ifndef TCP_NODELAY
+#define	TCP_NODELAY	0x01	/* don't delay send to coalesce packets */
+#endif
+#ifndef TCP_MAXSEG
+#define	TCP_MAXSEG	0x02	/* set maximum segment size */
+#endif
diff --git a/linux-include/netinet/tcp_var.h b/linux-include/netinet/tcp_var.h
new file mode 100644
index 0000000000..e94ccd65e0
--- /dev/null
+++ b/linux-include/netinet/tcp_var.h
@@ -0,0 +1,280 @@
+/*
+ * Copyright (c) 1982, 1986, 1993, 1994, 1995
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)tcp_var.h	8.4 (Berkeley) 5/24/95
+ */
+
+/*
+ * Kernel variables for tcp.
+ */
+
+/*
+ * Tcp control block, one per tcp; fields:
+ */
+struct tcpcb {
+	struct	tcpiphdr *seg_next;	/* sequencing queue */
+	struct	tcpiphdr *seg_prev;
+	short	t_state;		/* state of this connection */
+	short	t_timer[TCPT_NTIMERS];	/* tcp timers */
+	short	t_rxtshift;		/* log(2) of rexmt exp. backoff */
+	short	t_rxtcur;		/* current retransmit value */
+	short	t_dupacks;		/* consecutive dup acks recd */
+	u_short	t_maxseg;		/* maximum segment size */
+	char	t_force;		/* 1 if forcing out a byte */
+	u_short	t_flags;
+#define	TF_ACKNOW	0x0001		/* ack peer immediately */
+#define	TF_DELACK	0x0002		/* ack, but try to delay it */
+#define	TF_NODELAY	0x0004		/* don't delay packets to coalesce */
+#define	TF_NOOPT	0x0008		/* don't use tcp options */
+#define	TF_SENTFIN	0x0010		/* have sent FIN */
+#define	TF_REQ_SCALE	0x0020		/* have/will request window scaling */
+#define	TF_RCVD_SCALE	0x0040		/* other side has requested scaling */
+#define	TF_REQ_TSTMP	0x0080		/* have/will request timestamps */
+#define	TF_RCVD_TSTMP	0x0100		/* a timestamp was received in SYN */
+#define	TF_SACK_PERMIT	0x0200		/* other side said I could SACK */
+
+	struct	tcpiphdr *t_template;	/* skeletal packet for transmit */
+	struct	inpcb *t_inpcb;		/* back pointer to internet pcb */
+/*
+ * The following fields are used as in the protocol specification.
+ * See RFC783, Dec. 1981, page 21.
+ */
+/* send sequence variables */
+	tcp_seq	snd_una;		/* send unacknowledged */
+	tcp_seq	snd_nxt;		/* send next */
+	tcp_seq	snd_up;			/* send urgent pointer */
+	tcp_seq	snd_wl1;		/* window update seg seq number */
+	tcp_seq	snd_wl2;		/* window update seg ack number */
+	tcp_seq	iss;			/* initial send sequence number */
+	n_long	snd_wnd;		/* send window */
+/* receive sequence variables */
+	n_long	rcv_wnd;		/* receive window */
+	tcp_seq	rcv_nxt;		/* receive next */
+	tcp_seq	rcv_up;			/* receive urgent pointer */
+	tcp_seq	irs;			/* initial receive sequence number */
+/*
+ * Additional variables for this implementation.
+ */
+/* receive variables */
+	tcp_seq	rcv_adv;		/* advertised window */
+/* retransmit variables */
+	tcp_seq	snd_max;		/* highest sequence number sent;
+					 * used to recognize retransmits
+					 */
+/* congestion control (for slow start, source quench, retransmit after loss) */
+	n_long	snd_cwnd;		/* congestion-controlled window */
+	n_long	snd_ssthresh;		/* snd_cwnd size threshhold for
+					 * for slow start exponential to
+					 * linear switch
+					 */
+/*
+ * transmit timing stuff.  See below for scale of srtt and rttvar.
+ * "Variance" is actually smoothed difference.
+ */
+	u_short	t_idle;			/* inactivity time */
+	short	t_rtt;			/* round trip time */
+	tcp_seq	t_rtseq;		/* sequence number being timed */
+	short	t_srtt;			/* smoothed round-trip time */
+	short	t_rttvar;		/* variance in round-trip time */
+	u_short	t_rttmin;		/* minimum rtt allowed */
+	n_long	max_sndwnd;		/* largest window peer has offered */
+
+/* out-of-band data */
+	char	t_oobflags;		/* have some */
+	char	t_iobc;			/* input character */
+#define	TCPOOB_HAVEDATA	0x01
+#define	TCPOOB_HADDATA	0x02
+	short	t_softerror;		/* possible error not yet reported */
+
+/* RFC 1323 variables */
+	u_char	snd_scale;		/* window scaling for send window */
+	u_char	rcv_scale;		/* window scaling for recv window */
+	u_char	request_r_scale;	/* pending window scaling */
+	u_char	requested_s_scale;
+	n_long	ts_recent;		/* timestamp echo data */
+	n_long	ts_recent_age;		/* when last updated */
+	tcp_seq	last_ack_sent;
+
+/* TUBA stuff */
+	caddr_t	t_tuba_pcb;		/* next level down pcb for TCP over z */
+};
+
+#define	intotcpcb(ip)	((struct tcpcb *)(ip)->inp_ppcb)
+#define	sototcpcb(so)	(intotcpcb(sotoinpcb(so)))
+
+/*
+ * The smoothed round-trip time and estimated variance
+ * are stored as fixed point numbers scaled by the values below.
+ * For convenience, these scales are also used in smoothing the average
+ * (smoothed = (1/scale)sample + ((scale-1)/scale)smoothed).
+ * With these scales, srtt has 3 bits to the right of the binary point,
+ * and thus an "ALPHA" of 0.875.  rttvar has 2 bits to the right of the
+ * binary point, and is smoothed with an ALPHA of 0.75.
+ */
+#define	TCP_RTT_SCALE		8	/* multiplier for srtt; 3 bits frac. */
+#define	TCP_RTT_SHIFT		3	/* shift for srtt; 3 bits frac. */
+#define	TCP_RTTVAR_SCALE	4	/* multiplier for rttvar; 2 bits */
+#define	TCP_RTTVAR_SHIFT	2	/* multiplier for rttvar; 2 bits */
+
+/*
+ * The initial retransmission should happen at rtt + 4 * rttvar.
+ * Because of the way we do the smoothing, srtt and rttvar
+ * will each average +1/2 tick of bias.  When we compute
+ * the retransmit timer, we want 1/2 tick of rounding and
+ * 1 extra tick because of +-1/2 tick uncertainty in the
+ * firing of the timer.  The bias will give us exactly the
+ * 1.5 tick we need.  But, because the bias is
+ * statistical, we have to test that we don't drop below
+ * the minimum feasible timer (which is 2 ticks).
+ * This macro assumes that the value of TCP_RTTVAR_SCALE
+ * is the same as the multiplier for rttvar.
+ */
+#define	TCP_REXMTVAL(tp) \
+	(((tp)->t_srtt >> TCP_RTT_SHIFT) + (tp)->t_rttvar)
+
+/* XXX
+ * We want to avoid doing m_pullup on incoming packets but that
+ * means avoiding dtom on the tcp reassembly code.  That in turn means
+ * keeping an mbuf pointer in the reassembly queue (since we might
+ * have a cluster).  As a quick hack, the source & destination
+ * port numbers (which are no longer needed once we've located the
+ * tcpcb) are overlayed with an mbuf pointer.
+ */
+#define REASS_MBUF(ti) (*(struct mbuf **)&((ti)->ti_t))
+
+/*
+ * TCP statistics.
+ * Many of these should be kept per connection,
+ * but that's inconvenient at the moment.
+ */
+struct	tcpstat {
+	n_long	tcps_connattempt;	/* connections initiated */
+	n_long	tcps_accepts;		/* connections accepted */
+	n_long	tcps_connects;		/* connections established */
+	n_long	tcps_drops;		/* connections dropped */
+	n_long	tcps_conndrops;		/* embryonic connections dropped */
+	n_long	tcps_closed;		/* conn. closed (includes drops) */
+	n_long	tcps_segstimed;		/* segs where we tried to get rtt */
+	n_long	tcps_rttupdated;	/* times we succeeded */
+	n_long	tcps_delack;		/* delayed acks sent */
+	n_long	tcps_timeoutdrop;	/* conn. dropped in rxmt timeout */
+	n_long	tcps_rexmttimeo;	/* retransmit timeouts */
+	n_long	tcps_persisttimeo;	/* persist timeouts */
+	n_long	tcps_keeptimeo;		/* keepalive timeouts */
+	n_long	tcps_keepprobe;		/* keepalive probes sent */
+	n_long	tcps_keepdrops;		/* connections dropped in keepalive */
+
+	n_long	tcps_sndtotal;		/* total packets sent */
+	n_long	tcps_sndpack;		/* data packets sent */
+	n_long	tcps_sndbyte;		/* data bytes sent */
+	n_long	tcps_sndrexmitpack;	/* data packets retransmitted */
+	n_long	tcps_sndrexmitbyte;	/* data bytes retransmitted */
+	n_long	tcps_sndacks;		/* ack-only packets sent */
+	n_long	tcps_sndprobe;		/* window probes sent */
+	n_long	tcps_sndurg;		/* packets sent with URG only */
+	n_long	tcps_sndwinup;		/* window update-only packets sent */
+	n_long	tcps_sndctrl;		/* control (SYN|FIN|RST) packets sent */
+
+	n_long	tcps_rcvtotal;		/* total packets received */
+	n_long	tcps_rcvpack;		/* packets received in sequence */
+	n_long	tcps_rcvbyte;		/* bytes received in sequence */
+	n_long	tcps_rcvbadsum;		/* packets received with ccksum errs */
+	n_long	tcps_rcvbadoff;		/* packets received with bad offset */
+	n_long	tcps_rcvshort;		/* packets received too short */
+	n_long	tcps_rcvduppack;	/* duplicate-only packets received */
+	n_long	tcps_rcvdupbyte;	/* duplicate-only bytes received */
+	n_long	tcps_rcvpartduppack;	/* packets with some duplicate data */
+	n_long	tcps_rcvpartdupbyte;	/* dup. bytes in part-dup. packets */
+	n_long	tcps_rcvoopack;		/* out-of-order packets received */
+	n_long	tcps_rcvoobyte;		/* out-of-order bytes received */
+	n_long	tcps_rcvpackafterwin;	/* packets with data after window */
+	n_long	tcps_rcvbyteafterwin;	/* bytes rcvd after window */
+	n_long	tcps_rcvafterclose;	/* packets rcvd after "close" */
+	n_long	tcps_rcvwinprobe;	/* rcvd window probe packets */
+	n_long	tcps_rcvdupack;		/* rcvd duplicate acks */
+	n_long	tcps_rcvacktoomuch;	/* rcvd acks for unsent data */
+	n_long	tcps_rcvackpack;	/* rcvd ack packets */
+	n_long	tcps_rcvackbyte;	/* bytes acked by rcvd acks */
+	n_long	tcps_rcvwinupd;		/* rcvd window update packets */
+	n_long	tcps_pawsdrop;		/* segments dropped due to PAWS */
+	n_long	tcps_predack;		/* times hdr predict ok for acks */
+	n_long	tcps_preddat;		/* times hdr predict ok for data pkts */
+	n_long	tcps_pcbcachemiss;
+	n_long	tcps_persistdrop;	/* timeout in persist state */
+	n_long	tcps_badsyn;		/* bogus SYN, e.g. premature ACK */
+};
+
+#ifdef KERNEL
+struct	inpcb tcb;		/* head of queue of active tcpcb's */
+struct	tcpstat tcpstat;	/* tcp statistics */
+n_long	tcp_now;		/* for RFC 1323 timestamps */
+
+int	 tcp_attach __P((struct socket *));
+void	 tcp_canceltimers __P((struct tcpcb *));
+struct tcpcb *
+	 tcp_close __P((struct tcpcb *));
+void	 tcp_ctlinput __P((int, struct sockaddr *, struct ip *));
+int	 tcp_ctloutput __P((int, struct socket *, int, int, struct mbuf **));
+struct tcpcb *
+	 tcp_disconnect __P((struct tcpcb *));
+struct tcpcb *
+	 tcp_drop __P((struct tcpcb *, int));
+void	 tcp_dooptions __P((struct tcpcb *,
+	    u_char *, int, struct tcpiphdr *, int *, n_long *, n_long *));
+void	 tcp_drain __P((void));
+void	 tcp_fasttimo __P((void));
+void	 tcp_init __P((void));
+void	 tcp_input __P((struct mbuf *, int));
+int	 tcp_mss __P((struct tcpcb *, u_int));
+struct tcpcb *
+	 tcp_newtcpcb __P((struct inpcb *));
+void	 tcp_notify __P((struct inpcb *, int));
+int	 tcp_output __P((struct tcpcb *));
+void	 tcp_pulloutofband __P((struct socket *,
+	    struct tcpiphdr *, struct mbuf *));
+void	 tcp_quench __P((struct inpcb *, int));
+int	 tcp_reass __P((struct tcpcb *, struct tcpiphdr *, struct mbuf *));
+void	 tcp_respond __P((struct tcpcb *,
+	    struct tcpiphdr *, struct mbuf *, n_long, n_long, int));
+void	 tcp_setpersist __P((struct tcpcb *));
+void	 tcp_slowtimo __P((void));
+struct tcpiphdr *
+	 tcp_template __P((struct tcpcb *));
+struct tcpcb *
+	 tcp_timers __P((struct tcpcb *, int));
+void	 tcp_trace __P((int, int, struct tcpcb *, struct tcpiphdr *, int));
+struct tcpcb *
+	 tcp_usrclosed __P((struct tcpcb *));
+int	 tcp_usrreq __P((struct socket *,
+	    int, struct mbuf *, struct mbuf *, struct mbuf *));
+void	 tcp_xmit_timer __P((struct tcpcb *, int));
+#endif
diff --git a/linux-include/netinet/tcpip.h b/linux-include/netinet/tcpip.h
new file mode 100644
index 0000000000..5000ae303c
--- /dev/null
+++ b/linux-include/netinet/tcpip.h
@@ -0,0 +1,59 @@
+/*
+ * Copyright (c) 1982, 1986, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)tcpip.h	8.1 (Berkeley) 6/10/93
+ */
+
+/*
+ * Tcp+ip header, after ip options removed.
+ */
+struct tcpiphdr {
+	struct 	ipovly ti_i;		/* overlaid ip structure */
+	struct	tcphdr ti_t;		/* tcp header */
+};
+#define	ti_next		ti_i.ih_next
+#define	ti_prev		ti_i.ih_prev
+#define	ti_x1		ti_i.ih_x1
+#define	ti_pr		ti_i.ih_pr
+#define	ti_len		ti_i.ih_len
+#define	ti_src		ti_i.ih_src
+#define	ti_dst		ti_i.ih_dst
+#define	ti_sport	ti_t.th_sport
+#define	ti_dport	ti_t.th_dport
+#define	ti_seq		ti_t.th_seq
+#define	ti_ack		ti_t.th_ack
+#define	ti_x2		ti_t.th_x2
+#define	ti_off		ti_t.th_off
+#define	ti_flags	ti_t.th_flags
+#define	ti_win		ti_t.th_win
+#define	ti_sum		ti_t.th_sum
+#define	ti_urp		ti_t.th_urp
diff --git a/linux-include/netinet/udp.h b/linux-include/netinet/udp.h
new file mode 100644
index 0000000000..354a213cbc
--- /dev/null
+++ b/linux-include/netinet/udp.h
@@ -0,0 +1,45 @@
+/*
+ * Copyright (c) 1982, 1986, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)udp.h	8.1 (Berkeley) 6/10/93
+ */
+
+/*
+ * Udp protocol header.
+ * Per RFC 768, September, 1981.
+ */
+struct udphdr {
+	u_short	uh_sport;		/* source port */
+	u_short	uh_dport;		/* destination port */
+	short	uh_ulen;		/* udp length */
+	u_short	uh_sum;			/* udp checksum */
+};
diff --git a/linux-include/netinet/udp_var.h b/linux-include/netinet/udp_var.h
new file mode 100644
index 0000000000..f36d832bae
--- /dev/null
+++ b/linux-include/netinet/udp_var.h
@@ -0,0 +1,92 @@
+/*
+ * Copyright (c) 1982, 1986, 1989, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)udp_var.h	8.1 (Berkeley) 6/10/93
+ */
+
+/*
+ * UDP kernel structures and variables.
+ */
+struct	udpiphdr {
+	struct 	ipovly ui_i;		/* overlaid ip structure */
+	struct	udphdr ui_u;		/* udp header */
+};
+#define	ui_next		ui_i.ih_next
+#define	ui_prev		ui_i.ih_prev
+#define	ui_x1		ui_i.ih_x1
+#define	ui_pr		ui_i.ih_pr
+#define	ui_len		ui_i.ih_len
+#define	ui_src		ui_i.ih_src
+#define	ui_dst		ui_i.ih_dst
+#define	ui_sport	ui_u.uh_sport
+#define	ui_dport	ui_u.uh_dport
+#define	ui_ulen		ui_u.uh_ulen
+#define	ui_sum		ui_u.uh_sum
+
+struct	udpstat {
+				/* input statistics: */
+	n_long	udps_ipackets;		/* total input packets */
+	n_long	udps_hdrops;		/* packet shorter than header */
+	n_long	udps_badsum;		/* checksum error */
+	n_long	udps_badlen;		/* data length larger than packet */
+	n_long	udps_noport;		/* no socket on port */
+	n_long	udps_noportbcast;	/* of above, arrived as broadcast */
+	n_long	udps_fullsock;		/* not delivered, input socket full */
+	n_long	udpps_pcbcachemiss;	/* input packets missing pcb cache */
+				/* output statistics: */
+	n_long	udps_opackets;		/* total output packets */
+};
+
+/*
+ * Names for UDP sysctl objects
+ */
+#define	UDPCTL_CHECKSUM		1	/* checksum UDP packets */
+#define UDPCTL_MAXID		2
+
+#define UDPCTL_NAMES { \
+	{ 0, 0 }, \
+	{ "checksum", CTLTYPE_INT }, \
+}
+
+#ifdef KERNEL
+struct	inpcb udb;
+struct	udpstat udpstat;
+
+void	 udp_ctlinput __P((int, struct sockaddr *, struct ip *));
+void	 udp_init __P((void));
+void	 udp_input __P((struct mbuf *, int));
+int	 udp_output __P((struct inpcb *,
+	    struct mbuf *, struct mbuf *, struct mbuf *));
+int	 udp_sysctl __P((int *, u_int, void *, size_t *, void *, size_t));
+int	 udp_usrreq __P((struct socket *,
+	    int, struct mbuf *, struct mbuf *, struct mbuf *));
+#endif
diff --git a/linux-include/sys/mbuf.h b/linux-include/sys/mbuf.h
new file mode 100644
index 0000000000..b5df3899aa
--- /dev/null
+++ b/linux-include/sys/mbuf.h
@@ -0,0 +1,5 @@
+/* @(#) $Header$ (LBL) */
+
+#ifndef MLEN
+#define MLEN 128			/* needed for slcompress.h */
+#endif
diff --git a/missing b/missing
new file mode 100755
index 0000000000..e7ef83a1c2
--- /dev/null
+++ b/missing
@@ -0,0 +1,360 @@
+#! /bin/sh
+# Common stub for a few missing GNU programs while installing.
+
+scriptversion=2003-09-02.23
+
+# Copyright (C) 1996, 1997, 1999, 2000, 2002, 2003 
+#   Free Software Foundation, Inc.
+# Originally by Fran,cois Pinard <pinard@iro.umontreal.ca>, 1996.
+
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2, or (at your option)
+# any later version.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+# 02111-1307, USA.
+
+# As a special exception to the GNU General Public License, if you
+# distribute this file as part of a program that contains a
+# configuration script generated by Autoconf, you may include it under
+# the same distribution terms that you use for the rest of that program.
+
+if test $# -eq 0; then
+  echo 1>&2 "Try \`$0 --help' for more information"
+  exit 1
+fi
+
+run=:
+
+# In the cases where this matters, `missing' is being run in the
+# srcdir already.
+if test -f configure.ac; then
+  configure_ac=configure.ac
+else
+  configure_ac=configure.in
+fi
+
+msg="missing on your system"
+
+case "$1" in
+--run)
+  # Try to run requested program, and just exit if it succeeds.
+  run=
+  shift
+  "$@" && exit 0
+  # Exit code 63 means version mismatch.  This often happens
+  # when the user try to use an ancient version of a tool on
+  # a file that requires a minimum version.  In this case we
+  # we should proceed has if the program had been absent, or
+  # if --run hadn't been passed.
+  if test $? = 63; then
+    run=:
+    msg="probably too old"
+  fi
+  ;;
+esac
+
+# If it does not exist, or fails to run (possibly an outdated version),
+# try to emulate it.
+case "$1" in
+
+  -h|--h|--he|--hel|--help)
+    echo "\
+$0 [OPTION]... PROGRAM [ARGUMENT]...
+
+Handle \`PROGRAM [ARGUMENT]...' for when PROGRAM is missing, or return an
+error status if there is no known handling for PROGRAM.
+
+Options:
+  -h, --help      display this help and exit
+  -v, --version   output version information and exit
+  --run           try to run the given command, and emulate it if it fails
+
+Supported PROGRAM values:
+  aclocal      touch file \`aclocal.m4'
+  autoconf     touch file \`configure'
+  autoheader   touch file \`config.h.in'
+  automake     touch all \`Makefile.in' files
+  bison        create \`y.tab.[ch]', if possible, from existing .[ch]
+  flex         create \`lex.yy.c', if possible, from existing .c
+  help2man     touch the output file
+  lex          create \`lex.yy.c', if possible, from existing .c
+  makeinfo     touch the output file
+  tar          try tar, gnutar, gtar, then tar without non-portable flags
+  yacc         create \`y.tab.[ch]', if possible, from existing .[ch]
+
+Send bug reports to <bug-automake@gnu.org>."
+    ;;
+
+  -v|--v|--ve|--ver|--vers|--versi|--versio|--version)
+    echo "missing $scriptversion (GNU Automake)"
+    ;;
+
+  -*)
+    echo 1>&2 "$0: Unknown \`$1' option"
+    echo 1>&2 "Try \`$0 --help' for more information"
+    exit 1
+    ;;
+
+  aclocal*)
+    if test -z "$run" && ($1 --version) > /dev/null 2>&1; then
+       # We have it, but it failed.
+       exit 1
+    fi
+
+    echo 1>&2 "\
+WARNING: \`$1' is $msg.  You should only need it if
+         you modified \`acinclude.m4' or \`${configure_ac}'.  You might want
+         to install the \`Automake' and \`Perl' packages.  Grab them from
+         any GNU archive site."
+    touch aclocal.m4
+    ;;
+
+  autoconf)
+    if test -z "$run" && ($1 --version) > /dev/null 2>&1; then
+       # We have it, but it failed.
+       exit 1
+    fi
+
+    echo 1>&2 "\
+WARNING: \`$1' is $msg.  You should only need it if
+         you modified \`${configure_ac}'.  You might want to install the
+         \`Autoconf' and \`GNU m4' packages.  Grab them from any GNU
+         archive site."
+    touch configure
+    ;;
+
+  autoheader)
+    if test -z "$run" && ($1 --version) > /dev/null 2>&1; then
+       # We have it, but it failed.
+       exit 1
+    fi
+
+    echo 1>&2 "\
+WARNING: \`$1' is $msg.  You should only need it if
+         you modified \`acconfig.h' or \`${configure_ac}'.  You might want
+         to install the \`Autoconf' and \`GNU m4' packages.  Grab them
+         from any GNU archive site."
+    files=`sed -n 's/^[ ]*A[CM]_CONFIG_HEADER(\([^)]*\)).*/\1/p' ${configure_ac}`
+    test -z "$files" && files="config.h"
+    touch_files=
+    for f in $files; do
+      case "$f" in
+      *:*) touch_files="$touch_files "`echo "$f" |
+				       sed -e 's/^[^:]*://' -e 's/:.*//'`;;
+      *) touch_files="$touch_files $f.in";;
+      esac
+    done
+    touch $touch_files
+    ;;
+
+  automake*)
+    if test -z "$run" && ($1 --version) > /dev/null 2>&1; then
+       # We have it, but it failed.
+       exit 1
+    fi
+
+    echo 1>&2 "\
+WARNING: \`$1' is $msg.  You should only need it if
+         you modified \`Makefile.am', \`acinclude.m4' or \`${configure_ac}'.
+         You might want to install the \`Automake' and \`Perl' packages.
+         Grab them from any GNU archive site."
+    find . -type f -name Makefile.am -print |
+	   sed 's/\.am$/.in/' |
+	   while read f; do touch "$f"; done
+    ;;
+
+  autom4te)
+    if test -z "$run" && ($1 --version) > /dev/null 2>&1; then
+       # We have it, but it failed.
+       exit 1
+    fi
+
+    echo 1>&2 "\
+WARNING: \`$1' is needed, but is $msg.
+         You might have modified some files without having the
+         proper tools for further handling them.
+         You can get \`$1' as part of \`Autoconf' from any GNU
+         archive site."
+
+    file=`echo "$*" | sed -n 's/.*--output[ =]*\([^ ]*\).*/\1/p'`
+    test -z "$file" && file=`echo "$*" | sed -n 's/.*-o[ ]*\([^ ]*\).*/\1/p'`
+    if test -f "$file"; then
+	touch $file
+    else
+	test -z "$file" || exec >$file
+	echo "#! /bin/sh"
+	echo "# Created by GNU Automake missing as a replacement of"
+	echo "#  $ $@"
+	echo "exit 0"
+	chmod +x $file
+	exit 1
+    fi
+    ;;
+
+  bison|yacc)
+    echo 1>&2 "\
+WARNING: \`$1' $msg.  You should only need it if
+         you modified a \`.y' file.  You may need the \`Bison' package
+         in order for those modifications to take effect.  You can get
+         \`Bison' from any GNU archive site."
+    rm -f y.tab.c y.tab.h
+    if [ $# -ne 1 ]; then
+        eval LASTARG="\${$#}"
+	case "$LASTARG" in
+	*.y)
+	    SRCFILE=`echo "$LASTARG" | sed 's/y$/c/'`
+	    if [ -f "$SRCFILE" ]; then
+	         cp "$SRCFILE" y.tab.c
+	    fi
+	    SRCFILE=`echo "$LASTARG" | sed 's/y$/h/'`
+	    if [ -f "$SRCFILE" ]; then
+	         cp "$SRCFILE" y.tab.h
+	    fi
+	  ;;
+	esac
+    fi
+    if [ ! -f y.tab.h ]; then
+	echo >y.tab.h
+    fi
+    if [ ! -f y.tab.c ]; then
+	echo 'main() { return 0; }' >y.tab.c
+    fi
+    ;;
+
+  lex|flex)
+    echo 1>&2 "\
+WARNING: \`$1' is $msg.  You should only need it if
+         you modified a \`.l' file.  You may need the \`Flex' package
+         in order for those modifications to take effect.  You can get
+         \`Flex' from any GNU archive site."
+    rm -f lex.yy.c
+    if [ $# -ne 1 ]; then
+        eval LASTARG="\${$#}"
+	case "$LASTARG" in
+	*.l)
+	    SRCFILE=`echo "$LASTARG" | sed 's/l$/c/'`
+	    if [ -f "$SRCFILE" ]; then
+	         cp "$SRCFILE" lex.yy.c
+	    fi
+	  ;;
+	esac
+    fi
+    if [ ! -f lex.yy.c ]; then
+	echo 'main() { return 0; }' >lex.yy.c
+    fi
+    ;;
+
+  help2man)
+    if test -z "$run" && ($1 --version) > /dev/null 2>&1; then
+       # We have it, but it failed.
+       exit 1
+    fi
+
+    echo 1>&2 "\
+WARNING: \`$1' is $msg.  You should only need it if
+	 you modified a dependency of a manual page.  You may need the
+	 \`Help2man' package in order for those modifications to take
+	 effect.  You can get \`Help2man' from any GNU archive site."
+
+    file=`echo "$*" | sed -n 's/.*-o \([^ ]*\).*/\1/p'`
+    if test -z "$file"; then
+	file=`echo "$*" | sed -n 's/.*--output=\([^ ]*\).*/\1/p'`
+    fi
+    if [ -f "$file" ]; then
+	touch $file
+    else
+	test -z "$file" || exec >$file
+	echo ".ab help2man is required to generate this page"
+	exit 1
+    fi
+    ;;
+
+  makeinfo)
+    if test -z "$run" && (makeinfo --version) > /dev/null 2>&1; then
+       # We have makeinfo, but it failed.
+       exit 1
+    fi
+
+    echo 1>&2 "\
+WARNING: \`$1' is $msg.  You should only need it if
+         you modified a \`.texi' or \`.texinfo' file, or any other file
+         indirectly affecting the aspect of the manual.  The spurious
+         call might also be the consequence of using a buggy \`make' (AIX,
+         DU, IRIX).  You might want to install the \`Texinfo' package or
+         the \`GNU make' package.  Grab either from any GNU archive site."
+    file=`echo "$*" | sed -n 's/.*-o \([^ ]*\).*/\1/p'`
+    if test -z "$file"; then
+      file=`echo "$*" | sed 's/.* \([^ ]*\) *$/\1/'`
+      file=`sed -n '/^@setfilename/ { s/.* \([^ ]*\) *$/\1/; p; q; }' $file`
+    fi
+    touch $file
+    ;;
+
+  tar)
+    shift
+    if test -n "$run"; then
+      echo 1>&2 "ERROR: \`tar' requires --run"
+      exit 1
+    fi
+
+    # We have already tried tar in the generic part.
+    # Look for gnutar/gtar before invocation to avoid ugly error
+    # messages.
+    if (gnutar --version > /dev/null 2>&1); then
+       gnutar "$@" && exit 0
+    fi
+    if (gtar --version > /dev/null 2>&1); then
+       gtar "$@" && exit 0
+    fi
+    firstarg="$1"
+    if shift; then
+	case "$firstarg" in
+	*o*)
+	    firstarg=`echo "$firstarg" | sed s/o//`
+	    tar "$firstarg" "$@" && exit 0
+	    ;;
+	esac
+	case "$firstarg" in
+	*h*)
+	    firstarg=`echo "$firstarg" | sed s/h//`
+	    tar "$firstarg" "$@" && exit 0
+	    ;;
+	esac
+    fi
+
+    echo 1>&2 "\
+WARNING: I can't seem to be able to run \`tar' with the given arguments.
+         You may want to install GNU tar or Free paxutils, or check the
+         command line arguments."
+    exit 1
+    ;;
+
+  *)
+    echo 1>&2 "\
+WARNING: \`$1' is needed, and is $msg.
+         You might have modified some files without having the
+         proper tools for further handling them.  Check the \`README' file,
+         it often tells you about the needed prerequisites for installing
+         this package.  You may also peek at any GNU archive site, in case
+         some other package would contain this missing \`$1' program."
+    exit 1
+    ;;
+esac
+
+exit 0
+
+# Local variables:
+# eval: (add-hook 'write-file-hooks 'time-stamp)
+# time-stamp-start: "scriptversion="
+# time-stamp-format: "%:y-%02m-%02d.%02H"
+# time-stamp-end: "$"
+# End:
diff --git a/policy/Makefile.am b/policy/Makefile.am
new file mode 100644
index 0000000000..3e401db66c
--- /dev/null
+++ b/policy/Makefile.am
@@ -0,0 +1,71 @@
+## Process this file with automake to produce Makefile.in
+
+SUBDIRS = sigs time-machine
+
+# These files are created and moved here by the src Makefile
+BIF_BRO_FILES = \
+	bro.bif.bro common-rw.bif.bro const.bif.bro \
+	dns-rw.bif.bro event.bif.bro finger-rw.bif.bro \
+	ftp-rw.bif.bro http-rw.bif.bro ident-rw.bif.bro \
+	smb-rw.bif.bro smtp-rw.bif.bro strings.bif.bro
+
+MOSTLYCLEANFILES = $(BIF_BRO_FILES)
+
+# doesn't end in a sig
+bropolicydir=$(datadir)/bro
+bropolicysitedir=$(datadir)/bro/site
+
+dist_bropolicy_DATA = bro.init adu.bro alarm.bro analy.bro \
+	anon.bro arp.bro backdoor.bro bittorrent.bro \
+	blaster.bro bt-tracker.bro brolite.bro \
+	brolite-backdoor.bro brolite-sigs.bro \
+	capture-events.bro capture-loss.bro capture-state-updates.bro \
+	checkpoint.bro clear-passwords.bro conn-flood.bro conn-id.bro \
+	conn.bro contents.bro cpu-adapt.bro dce.bro demux.bro \
+	detect-protocols.bro detect-protocols-http.bro \
+	dhcp.bro dns-anonymizer.bro dns-info.bro \
+	dns-lookup.bro dns.bro dpd.bro drop.bro \
+	drop-adapt.bro dyn-disable.bro \
+	file-flush.bro finger.bro firewall.bro \
+	flag-irc.bro flag-warez.bro frag.bro \
+	ftp-anonymizer.bro ftp-cmd-arg.bro ftp-reply-pattern.bro \
+	ftp-safe-words.bro ftp.bro gnutella.bro hand-over.bro \
+	heavy-analysis.bro heavy.http.bro heavy.irc.bro \
+	heavy.scan.bro heavy.software.bro heavy.trw.bro \
+	hot-ids.bro hot.bro \
+	http-abstract.bro http-anon-server.bro http-anon-useragent.bro \
+	http-anon-utils.bro http-anonymizer.bro http-body.bro \
+	http-detect-passwd.bro http-entity.bro \
+	http-event.bro http-extract-items.bro http-header.bro \
+	http-identified-files.bro http-reply.bro \
+	http-request.bro http-rewriter.bro http.bro \
+	icmp.bro ident-rewriter.bro ident.bro inactivity.bro \
+	interconn.bro irc.bro irc-bot.bro large-conns.bro listen-clear.bro \
+	listen-ssl.bro load-level.bro load-sample.bro log-append.bro \
+	login.bro mime.bro mime-pop.bro mt.bro \
+	ncp.bro netflow.bro netstats.bro nfs.bro \
+	notice.bro notice-policy.bro notice-action-filters.bro ntp.bro \
+	OS-fingerprint.bro pcap.bro peer-status.bro \
+	pkt-profile.bro pop3.bro port-name.bro portmapper.bro print-filter.bro \
+	print-globals.bro print-resources.bro print-sig-states.bro \
+	profiling.bro proxy.bro passwords.bro \
+	remote-pcap.bro remote-ping.bro \
+	remote-print-id-reply.bro remote-print-id.bro remote-print.bro \
+	remote-report-notices.bro remote-send-id.bro remote.bro \
+	rotate-logs.bro rsh.bro \
+	save-peer-status.bro scan.bro secondary-filter.bro sensor-sshd.bro \
+	server-ports.bro service-probe.bro signatures.bro site.bro \
+	smb.bro smtp-relay.bro smtp-rewriter.bro smtp.bro snort.bro \
+	software.bro ssh-stepping.bro ssh.bro ssl-alerts.bro \
+	ssl-ciphers.bro ssl-errors.bro ssl-worm.bro ssl.bro stats.bro \
+	stepping.bro synflood.bro targeted-scan.bro tcp.bro \
+	terminate-connection.bro tftp.bro trw.bro trw-impl.bro \
+	udp.bro udp-common.bro vlan.bro weird.bro worm.bro \
+	$(BIF_BRO_FILES)
+
+
+install-data-hook:
+	test -d $(DESTDIR)$(bropolicysitedir) || mkdir $(DESTDIR)$(bropolicysitedir)
+
+uninstall-local:
+	-rmdir $(DESTDIR)$(bropolicysitedir)
diff --git a/policy/OS-fingerprint.bro b/policy/OS-fingerprint.bro
new file mode 100644
index 0000000000..8f00fe93fd
--- /dev/null
+++ b/policy/OS-fingerprint.bro
@@ -0,0 +1,18 @@
+# $Id: OS-fingerprint.bro 1071 2005-03-08 14:09:31Z vern $
+#
+# Tracks operating system versioning using the "software" framework.
+
+@load software
+
+event OS_version_found(c: connection, host: addr, OS: OS_version)
+	{
+	local version: software_version;
+	version$major = version$minor = version$minor2 = -1;
+	version$addl = OS$detail;
+
+	local sw: software;
+	sw$name = OS$genre;
+	sw$version = version;
+
+	event software_version_found(c, host, sw, "OS");
+	}
diff --git a/policy/adu.bro b/policy/adu.bro
new file mode 100644
index 0000000000..3c2168784a
--- /dev/null
+++ b/policy/adu.bro
@@ -0,0 +1,278 @@
+# $Id: adu.bro 5152 2007-12-04 21:48:56Z vern $
+
+@load conn-id
+
+module adu;
+
+# This script parses application-layer data (ADU) units, or "messages",
+# out of the packet streams.  Since the analysis is generic, we define
+# an ADU simply as all application-layer data in a 5-tuple flow going
+# in one direction without any data going the other way.  Once we see
+# data in the other direction, we finish the current ADU and start
+# a new one (going the other way).  While this approach is only
+# approximate, it can work well for both UDP and TCP.
+#
+# The script reports ADUs as strings, up to a configurable maximum size, and
+# up to a configurable depth into the flow.
+#
+# Generated events:
+#
+# - adu_tx(c: connection, a: adu_state) reports an ADU seen from
+#   c's originator to its responder.
+#
+# - adu_rx(c: connection, a: adu_state) reports an ADU seen from
+#   c's responder to the originator.
+#
+# - adu_done(c: connection) indicates that no more ADUs will be seen
+#   on connection c. This is useful to know in case your statekeeping
+#   relies on event connection_state_remove(), which is also used by
+#   adu.bro.
+#
+
+# --- Input configuration -- which ports to look at --------------------
+
+# Right now: everything!
+#
+redef tcp_content_deliver_all_orig = T;
+redef tcp_content_deliver_all_resp = T;
+redef udp_content_deliver_all_orig = T;
+redef udp_content_deliver_all_resp = T;
+
+# --- Debugging -- should really be a separate policy ------------------
+
+# Comment out to disable debugging output:
+#global adu_debug = T;
+
+# Uncomment to enable tests:
+#global adu_test = T;
+
+@ifdef (adu_debug)
+function DBG(msg: string) { print fmt("DBG[adu.bro]: %s", msg); }
+@else
+function DBG(msg: string) { }
+@endif
+
+export {
+
+# --- Constants --------------------------------------------------------
+
+	# The maximum depth in bytes up to which we follow a flow.
+	# This is counting bytes seen in both directions.
+	const adu_conn_max_depth    = 100000 &redef;
+
+	# The maximum message depth that we report.
+	const adu_max_depth         = 3 &redef;
+
+	# The maximum message size in bytes that we report.
+	const adu_max_size          = 1000 &redef;
+
+	# Whether ADUs are reported beyond content gaps.
+	const adu_gaps_ok           = F &redef;
+
+# --- Types ------------------------------------------------------------
+
+	# adu_state records contain the latest ADU and aditional flags to help
+	# the user identify the direction of the message, its depth in the flow,
+	# etc.
+	type adu_state: record {
+		adu: string     &default = "";	# the current ADU
+
+		# Message counter (>= 1), orig->resp and resp->orig.
+		depth_tx: count &default = 1;
+		depth_rx: count &default = 1;
+
+		# TCP: seqno tracking to recognize gaps.
+		seen_tx: count  &default = 0;
+		seen_rx: count  &default = 0;
+
+		size: count     &default = 0;	# total connection size in bytes
+		is_orig: bool   &default = F;	# whether ADU is orig->resp
+		ignore: bool	&default = F;	# ignore future activity on conn
+	};
+
+	# Tell the ADU policy that you do not wish to receive further
+	# adu_tx/adu_rx events for a given connection. Other policies
+	# may continue to process the connection.
+	#
+	global adu_skip_further_processing: function(cid: conn_id);
+}
+
+
+# --- Globals ----------------------------------------------------------
+
+# A global table that tracks each flow's messages.
+global adu_conns: table[conn_id] of adu_state;
+
+# Testing invokes the following events.
+global adu_tx: event(c: connection, astate: adu_state);
+global adu_rx: event(c: connection, astate: adu_state);
+global adu_done: event(c: connection);
+
+# --- Functions --------------------------------------------------------
+
+function adu_skip_further_processing(cid: conn_id)
+	{
+	if ( cid !in adu_conns )
+		return;
+
+	adu_conns[cid]$ignore = T;
+	}
+
+function flow_contents(c: connection, is_orig: bool, seq: count, contents: string)
+	{
+	local astate: adu_state;
+
+	DBG(fmt("contents %s, %s: %s", id_string(c$id), is_orig, contents));
+
+	# Ensure we track the given connection.
+	if ( c$id !in adu_conns )
+		adu_conns[c$id] = astate;
+	else
+		astate = adu_conns[c$id];
+
+	# Forget it if we've been asked to ignore.
+	#
+	if ( astate$ignore == T )
+		return;
+
+	# Don't report if flow is too big.
+	#
+	if ( astate$size >= adu_conn_max_depth )
+		return;
+
+	# If we have an assembled message, we may now have something
+	# to report.
+	if ( |astate$adu| > 0 )
+		{
+		# If application-layer data flow is switching
+		# from resp->orig to orig->resp, report the assembled
+		# message as a received ADU.
+		if ( is_orig && ! astate$is_orig )
+			{
+			event adu_rx(c, copy(astate));
+			astate$adu = "";
+
+			if ( ++astate$depth_rx > adu_max_depth )
+				adu_skip_further_processing(c$id);
+			}
+
+		# If application-layer data flow is switching
+		# from orig->resp to resp->orig, report the assembled
+		# message as a transmitted ADU.
+		#
+		if ( !is_orig && astate$is_orig )
+			{
+			event adu_tx(c, copy(astate));
+			astate$adu = "";
+
+			if ( ++astate$depth_tx > adu_max_depth )
+				adu_skip_further_processing(c$id);
+			}
+		}
+
+	# Check for content gaps. If we identify one, only continue
+	# if user allowed it.
+	#
+	if ( !adu_gaps_ok && seq > 0 )
+		{
+		if ( is_orig )
+			{
+			if ( seq > astate$seen_tx + 1 )
+				return;
+			else
+				astate$seen_tx += |contents|;
+			}
+		else
+			{
+			if ( seq > astate$seen_rx + 1 )
+				return;
+			else
+				astate$seen_rx += |contents|;
+			}
+		}
+
+	# Append the contents to the end of the currently
+	# assembled message, if the message hasn't already
+	# reached the maximum size.
+	#
+	if ( |astate$adu| < adu_max_size )
+		{
+		astate$adu += contents;
+
+		# As a precaution, clip the string to the maximum
+		# size. A long content string with astate$adu just
+		# below its maximum allowed size could exceed that
+		# limit by a lot.
+		### str_clip(astate$adu, adu_max_size);
+		}
+
+
+	# Note that this counter is bumped up even if we have
+	# exceeded the maximum size of an individual message.
+	#
+	astate$size += |contents|;
+
+	astate$is_orig = is_orig;
+	}
+
+# --- Event Handlers ---------------------------------------------------
+
+event tcp_contents(c: connection, is_orig: bool, seq: count, contents: string)
+	{
+	flow_contents(c, is_orig, seq, contents);
+	}
+
+event udp_contents(u: connection, is_orig: bool, contents: string)
+	{
+	flow_contents(u, is_orig, 0, contents);
+	}
+
+event connection_state_remove(c: connection)
+	{
+	if ( c$id !in adu_conns )
+		return;
+
+	local astate = adu_conns[c$id];
+
+	# Forget it if we've been asked to ignore.
+	#
+	if ( astate$ignore == T )
+		return;
+
+	# Report the remaining data now, if any.
+	#
+	if ( |astate$adu| > 0 ) {
+		if ( astate$is_orig )
+			{
+			if ( astate$depth_tx <= adu_max_depth )
+				event adu_tx(c, copy(astate));
+			}
+		else
+			{
+			if ( astate$depth_rx <= adu_max_depth )
+				event adu_rx(c, copy(astate));
+			}
+	}
+
+	delete adu_conns[c$id];
+	event adu_done(c);
+}
+
+
+# --- Tests ------------------------------------------------------------
+
+@ifdef (adu_test)
+
+event adu_tx(c: connection, astate: adu_state)
+	{
+	print fmt("%s ---- %s, %d -> ----", network_time(), id_string(c$id), astate$depth_tx);
+#	print astate$adu;
+	}
+
+event adu_rx(c: connection, astate: adu_state)
+	{
+	print fmt("%s ---- %s, %d <- ----", network_time(), id_string(c$id), astate$depth_rx);
+#	print astate$adu;
+	}
+
+@endif
diff --git a/policy/alarm.bro b/policy/alarm.bro
new file mode 100644
index 0000000000..4c4943c948
--- /dev/null
+++ b/policy/alarm.bro
@@ -0,0 +1,3 @@
+# $Id: alarm.bro 340 2004-09-09 06:38:27Z vern $
+
+redef bro_alarm_file = open_log_file("alarm");
diff --git a/policy/all.bro b/policy/all.bro
new file mode 100644
index 0000000000..4bbe3e8afe
--- /dev/null
+++ b/policy/all.bro
@@ -0,0 +1,141 @@
+@load heavy-analysis
+@load OS-fingerprint
+@load adu
+@load alarm
+@load analy
+@load anon
+@load arp
+@load backdoor
+@load bittorrent
+@load blaster
+@load bt-tracker
+@load brolite-backdoor
+@load capture-events
+@load capture-loss
+@load capture-state-updates
+@load checkpoint
+@load clear-passwords
+@load conn-flood
+@load conn-id
+@load conn
+@load contents
+@load cpu-adapt
+@load dce
+@load demux
+@load detect-protocols-http
+@load detect-protocols
+@load dhcp
+@load dns-info
+@load dns-lookup
+@load dns
+@load dpd
+@load drop-adapt
+@load dyn-disable
+@load file-flush
+@load finger
+@load firewall
+@load flag-irc
+@load flag-warez
+@load frag
+@load ftp
+@load gnutella
+@load hot-ids
+@load hot
+@load http-abstract
+@load http-anon-server
+@load http-anon-useragent
+@load http-anon-utils
+@load http-body
+@load http-detect-passwd
+@load http-entity
+@load http-event
+@load http-header
+@load http-identified-files.bro
+@load http-reply
+@load http-request
+@load http-rewriter
+@load http
+@load icmp
+@load ident-rewriter
+@load ident
+@load inactivity
+@load interconn
+@load irc-bot-syslog
+@load irc-bot
+@load irc
+@load large-conns
+@load listen-clear
+@load listen-ssl
+@load load-level
+@load load-sample
+@load log-append
+@load login
+@load mime-pop
+@load mime
+@load mt
+@load ncp
+@load netflow
+@load netstats
+@load nfs
+@load notice-action-filters
+@load notice
+@load ntp
+@load passwords
+@load pcap
+@load pkt-profile
+@load pop3
+@load port-name
+@load portmapper
+@load print-filter
+@load print-globals
+@load print-resources
+@load print-sig-states
+@load profiling
+@load proxy
+@load remote-pcap
+@load remote-ping
+@load remote-print-id-reply
+@load remote-print-id
+@load remote-print
+@load remote-report-notices
+@load remote-send-id
+@load remote
+@load rotate-logs
+@load rsh
+@load scan
+@load secondary-filter
+@load sensor-sshd
+@load server-ports
+@load service-probe
+@load signatures
+@load site
+@load smb
+@load smtp-relay
+@load smtp-rewriter
+@load smtp
+@load snort
+@load software
+@load ssh
+@load ssh-stepping
+@load ssl-alerts
+@load ssl-ciphers
+@load ssl-errors
+@load ssl-worm
+@load ssl
+@load stats
+@load stepping
+@load synflood
+@load targeted-scan
+@load tcp
+@load tftp
+@load trw-impl
+@load trw
+@load udp-common
+@load udp
+@load vlan
+@load weird
+@load worm
+@load notice-policy
+
+# The following keeps us running after the bro_init event.
+redef PrintFilter::terminate_bro = F;
diff --git a/policy/analy.bro b/policy/analy.bro
new file mode 100644
index 0000000000..714c1deb41
--- /dev/null
+++ b/policy/analy.bro
@@ -0,0 +1,16 @@
+# Statistical analysis of TCP connection in terms of the packet streams
+# in each direction.
+
+@load dns-lookup
+@load udp
+
+
+event conn_stats(c: connection, os: endpoint_stats, rs: endpoint_stats)
+	{
+	local id = c$id;
+
+	print fmt("%.6f %s %s %s %s %s %s %s %s %s",
+		c$start_time, c$duration, id$orig_p, id$resp_p,
+		conn_size(c$orig, tcp), conn_size(c$resp, tcp),
+		id$orig_h, id$resp_h, os, rs);
+	}
diff --git a/policy/anon.bro b/policy/anon.bro
new file mode 100644
index 0000000000..f2532cb38e
--- /dev/null
+++ b/policy/anon.bro
@@ -0,0 +1,193 @@
+# $Id: anon.bro 6889 2009-08-21 16:45:17Z vern $
+
+redef anonymize_ip_addr = T;
+
+const orig_addr_anonymization = RANDOM_MD5 &redef;
+const resp_addr_anonymization = RANDOM_MD5 &redef;
+const other_addr_anonymization = SEQUENTIALLY_NUMBERED &redef;
+
+const preserve_orig_addr: set[addr] = {} &redef;
+const preserve_resp_addr: set[addr] = {} &redef;
+const preserve_other_addr: set[addr] = {
+	0.0.0.0,
+} &redef;
+
+const preserved_subnet: set[subnet] = {
+#	192.150.186/23,
+} &redef;
+
+const preserved_net: set[net] = {
+#	192.150.186, 192.150.187,
+} &redef;
+
+global anon_log = open_log_file("anon") &redef;
+
+global anonymized_args: table[string] of string;
+
+global ip_anon_mapping: set[addr, addr];
+
+event bro_init()
+	{
+	for ( n in preserved_net )
+		preserve_net(n);
+	}
+
+function anonymize_address(a: addr, id: conn_id): addr
+	{
+	if ( a == id$orig_h )
+		return anonymize_addr(a, ORIG_ADDR);
+	else if ( a == id$resp_h )
+		return anonymize_addr(a, RESP_ADDR);
+	else
+		return anonymize_addr(a, OTHER_ADDR);
+	}
+
+event anonymization_mapping(orig: addr, mapped: addr)
+	{
+	if ( [orig, mapped] !in ip_anon_mapping )
+		{
+		add ip_anon_mapping[orig, mapped];
+		print anon_log, fmt("%s -> %s", orig, mapped);
+		}
+	}
+
+function string_anonymized(from: string, to: string, seed: count)
+	{
+	print anon_log, fmt("\"%s\" %d=> \"%s\"", from, seed, to);
+	}
+
+global num_string_id: count = 0 &redef;
+global anonymized_strings: table[string] of record {
+	s: string;
+	c: count;
+} &redef;
+
+# Hopefully, the total number of strings to anonymize is much less than
+# 36^unique_string_length.
+const unique_string_length = 8 &redef;
+# const anonymized_string_pattern = /U[0-9a-f]+U/;
+global unique_string_set: set[string];
+
+event bro_init()
+	{
+	for ( s in anonymized_strings )
+		add unique_string_set[anonymized_strings[s]$s];
+	}
+
+function unique_string(s: string, seed: count): string
+	{
+	local t = cat("U", sub_bytes(md5_hmac(seed, s),
+					1, unique_string_length), "U");
+	if ( t in unique_string_set )
+		return unique_string(s, seed+1);
+
+	anonymized_strings[s] = [$s = t, $c = 1];
+	add unique_string_set[t];
+	string_anonymized(s, t, seed);
+
+	return t;
+	}
+
+function anonymize_string(from: string): string
+	{
+	if ( from in anonymized_strings )
+		{
+		++anonymized_strings[from]$c;
+		return anonymized_strings[from]$s;
+		}
+
+	local t = unique_string(from, 0);
+	return t;
+	}
+
+function anonymize_arg(typ: string, arg: string): string
+	{
+	if ( arg == "" )
+		return "";	# an empty argument is safe
+
+	local arg_seed = string_cat(typ, arg);
+
+	if ( arg_seed in anonymized_args )
+		return anonymized_args[arg_seed];
+
+	local a = anonymize_string(arg_seed);
+	anonymized_args[arg_seed] = a;
+
+	print anon_log, fmt("anonymize_arg: (%s) {%s} -> %s ",
+			typ, to_string_literal(arg), to_string_literal(a));
+	return a;
+	}
+
+
+# Does not contain ? and ends with an allowed suffix.
+const path_to_file_pat = 
+	/\/[^?]+\.(html|ico|icon|pdf|ps|doc|ppt|htm|js|crl|swf|shtml|h|old|c|cc|java|class|src|cfm|gif|jpg|php|rdf|rss|asp|bmp|owl|phtml|jpeg|jsp|cgi|png|txt|xml|css|avi|tex|dvi)/
+	;
+
+# Acceptable domain names.
+const kosher_dom_pat =
+	/ar|au|biz|br|ca|cc|cl|cn|co|com|cx|cz|de|ec|es|edu|fi|fm|fr|gov|hn|il|is|it|jp|lv|mx|net|no|nz|org|pe|pl|ru|sk|tv|tw|uk|us|arpa/
+	;
+
+# Simple filename pattern.
+const simple_filename = 
+	/[0-9\-A-Za-z]+\.(html|ico|icon|pdf|ps|doc|ppt|htm|js|crl|swf|shtml|h|old|c|cc|java|class|src|cfm|gif|jpg|php|rdf|rss|asp|bmp|owl|phtml|jpeg|jsp|cgi|png|txt|xml|css|avi|tex|dvi)/
+	;
+
+function anonymize_path(path: string): string
+	{
+	local hashed_path = "";
+
+	if ( to_lower(path) != path_to_file_pat )
+		{
+		hashed_path = anonymize_arg("path", path);
+		return hashed_path;
+		}
+
+	local file_parts = split(path, /\./);
+
+	local i = 1;
+	for ( part in file_parts )
+		{
+		# This looks broken to me - VP.
+		hashed_path = fmt("%s.%s", hashed_path, file_parts[i]);
+		if ( ++i == length(file_parts) )
+			break;
+		}
+
+	return fmt("%s.%s", anonymize_arg("path", hashed_path), file_parts[i]);
+	}
+
+function anonymize_host(host: string): string
+	{
+	local hashed_host = "";
+	local host_parts = split(host, /\./);
+
+	local i = 1;
+	for ( hosty in host_parts )
+		{
+		if ( i == length(host_parts) )
+			break;
+
+		# Check against "kosher" tld list.
+		hashed_host = fmt("%s%s.", hashed_host,
+					anonymize_arg("host", host_parts[i]));
+
+		++i;
+		} 
+
+	if ( host_parts[i] == kosher_dom_pat )
+		return string_cat(hashed_host, host_parts[i]);
+
+	print anon_log, fmt("anonymize_host: non-kosher domain %s", host); 
+	return string_cat(hashed_host, anonymize_arg("host", host_parts[i]));
+	}
+
+event bro_done()
+	{
+	for ( s in anonymized_strings )
+		{
+		print anon_log, fmt("appearance: %d: \"%s\" => \"%s\"",
+			anonymized_strings[s]$c, s, anonymized_strings[s]$s);
+		}
+	}
diff --git a/policy/arp.bro b/policy/arp.bro
new file mode 100644
index 0000000000..dfae133b38
--- /dev/null
+++ b/policy/arp.bro
@@ -0,0 +1,160 @@
+# $Id: arp.bro 4909 2007-09-24 02:26:36Z vern $
+
+@load notice
+
+module ARP;
+
+export {
+	redef enum Notice += {
+		ARPSourceMAC_Mismatch,	# source MAC doesn't match mappings
+		ARPAddlMAC_Mapping,	# another MAC->addr seen beyond just one
+		ARPUnsolicitedReply,	# could be poisoning; or just gratuitous
+		# ARPRequestProvidesTargetAddr,	# request includes non-triv addr
+
+		# MAC/addr pair seen in request/reply different from
+		# that in the cache.
+		ARPCacheInconsistency,
+
+		# ARP reply gives different value than previously seen.
+		ARPMappingChanged,
+	};
+
+	const arp_log = open_log_file("arp") &redef;
+}
+
+redef capture_filters += { ["arp"] = "arp" };
+
+# Abbreviations taken from RFC 826:
+#
+# SHA: source hardware address
+# SPA: source protocol address (i.e., IP address)
+# THA: target hardware address
+# TPA: target protocol address
+
+# ARP requests indexed on SHA/SPA/TPA (no THA, as it's what it's being
+# queried).
+global arp_requests: set[string, addr, addr] &create_expire = 1 min;
+
+# ARP responses we've seen: indexed by IP address, yielding MAC address.
+global ARP_cache: table[addr] of string;
+
+
+# Bad ARPs can occur when:
+#	- type/size pairs are not OK for HW and L3 addresses (Ethernet=6, IP=4)
+#	- opcode is neither request (1) nor reply (2)
+#	- MAC src address != ARP sender MAC address
+event bad_arp(SPA: addr, SHA: string, TPA: addr, THA: string,
+		explanation: string)
+	{
+	print arp_log, fmt("%.06f bad-arp %s(%s) ? %s(%s): %s",
+			network_time(), SPA, SHA, TPA, THA, explanation);
+	}
+
+
+# The first of these maps a MAC address to the last protocol address seen
+# for it.  The second tracks every protocol address seen.
+global mac_addr_map: table[string] of addr;
+global mac_addr_associations: table[string] of set[addr];
+
+# A somewhat general notion of broadcast MAC/IP addresses.
+const broadcast_mac_addrs = { "00:00:00:00:00:00", "ff:ff:ff:ff:ff:ff", };
+const broadcast_addrs = { 0.0.0.0, 255.255.255.255, };
+
+
+# Called to note that we've seen an association between a MAC address
+# and an IP address.  Note that this is *not* an association advertised
+# in an ARP reply (those are tracked in ARP_cache), but instead the
+# pairing of hardware address + protocol address as expressed in
+# an ARP request or reply header.
+function mac_addr_association(mac_addr: string, a: addr)
+	{
+	# Ignore placeholders.
+	if ( mac_addr in broadcast_mac_addrs || a in broadcast_addrs )
+		return;
+
+	local is_addl = F;
+	if ( mac_addr in mac_addr_associations )
+		is_addl = a !in mac_addr_associations[mac_addr];
+	else
+		mac_addr_associations[mac_addr] = set();
+
+	print arp_log, fmt("%.06f association %s -> %s%s", network_time(),
+				mac_addr, a, is_addl ? " <addl>" : "");
+
+	mac_addr_map[mac_addr] = a;
+	add mac_addr_associations[mac_addr][a];
+
+	if ( a in ARP_cache && ARP_cache[a] != mac_addr )
+		NOTICE([$note=ARPCacheInconsistency, $src=a,
+			$msg=fmt("mapping for %s to %s doesn't match cache of %s",
+				mac_addr, a, ARP_cache[a])]);
+	}
+
+# Returns the IP address associated with a MAC address, if we've seen one.
+# Otherwise just returns the MAC address.
+function addr_from_mac(mac_addr: string): string
+	{
+	return mac_addr in mac_addr_map ?
+		fmt("%s", mac_addr_map[mac_addr]) : mac_addr;
+	}
+
+event arp_request(mac_src: string, mac_dst: string, SPA: addr, SHA: string,
+			TPA: addr, THA: string)
+	{
+	mac_addr_association(SHA, SPA);
+
+	local msg = fmt("%s -> %s who-has %s",
+			addr_from_mac(mac_src), addr_from_mac(mac_dst), TPA);
+
+	local mismatch = SHA != mac_src;
+	if ( mismatch )
+		NOTICE([$note=ARPSourceMAC_Mismatch, $src=SPA, $msg=msg]);
+
+	# It turns out that some hosts fill in the THA field even though
+	# that doesn't make sense.  (The RFC specifically allows this,
+	# however.)  Perhaps there's an attack that can be launched
+	# doing so, but it's hard to see what it might be, so for now
+	# we don't bother notice'ing these.
+	# if ( THA !in broadcast_addrs )
+	# 	NOTICE([$note=ARPRequestProvidesTargetAddr, $src=SPA,
+	# 		$msg=fmt("%s: %s", msg, THA)]);
+
+	print arp_log, fmt("%.06f %s%s", network_time(), msg,
+				mismatch ? " <source-mismatch>" : "");
+
+	add arp_requests[SHA, SPA, TPA];
+	}
+
+event arp_reply(mac_src: string, mac_dst: string, SPA: addr, SHA: string,
+		TPA: addr, THA: string)
+	{
+	mac_addr_association(SHA, SPA);
+	mac_addr_association(THA, TPA);
+
+	local msg = fmt("%s -> %s: %s is-at %s",
+			addr_from_mac(mac_src), addr_from_mac(mac_dst),
+			SPA, SHA);
+
+	local unsolicited = [THA, TPA, SPA] !in arp_requests;
+	delete arp_requests[THA, TPA, SPA];
+	if ( unsolicited )
+		NOTICE([$note=ARPUnsolicitedReply, $src=SPA,
+			$msg=fmt("%s: request[%s, %s, %s]", msg, THA, TPA, SPA)]);
+
+	local mismatch = SHA != mac_src;
+	if ( mismatch )
+		NOTICE([$note=ARPSourceMAC_Mismatch, $src=SPA, $msg=msg]);
+
+	local mapping_changed = SPA in ARP_cache && ARP_cache[SPA] != SHA;
+	if ( mapping_changed )
+		NOTICE([$note=ARPMappingChanged, $src=SPA,
+			$msg=fmt("%s: was %s", msg, ARP_cache[SPA])]);
+
+	print arp_log, fmt("%.06f %s%s%s%s", network_time(), msg,
+				unsolicited ? " <unsolicited>" : "",
+				mismatch ? " <source-mismatch>" : "",
+				mapping_changed ?
+					fmt(" <changed from %s>", ARP_cache[SPA]) : "");
+
+	ARP_cache[SPA] = SHA;
+	}
diff --git a/policy/backdoor.bro b/policy/backdoor.bro
new file mode 100644
index 0000000000..f611d424fa
--- /dev/null
+++ b/policy/backdoor.bro
@@ -0,0 +1,559 @@
+# $Id: backdoor.bro 4909 2007-09-24 02:26:36Z vern $
+
+# Looks for a variety of applications running on ports other than
+# their usual ports.
+#
+# Note that this script by itself does *not* change capture_filters
+# to add in the extra ports to look at.  You need to specify that
+# separately.
+
+
+# Some tcpdump filters can be used to replace or work together with
+# some detection algorithms.  They could be used with the "secondary
+# filter" for more efficient (but in some cases potentially less reliable)
+# matching:
+#
+# - looking for "SSH-1." or "SSH-2." at the beginning of the packet;
+#   somewhat weaker than ssh-sig in that ssh-sig only looks for such
+#   pattern in the first packet of a connection:
+#
+#	tcp[(tcp[12]>>2):4] = 0x5353482D and
+#	(tcp[((tcp[12]>>2)+4):2] = 0x312e or tcp[((tcp[12]>>2)+4):2] = 0x322e)
+#
+# - looking for pkts with 8k+4 (<=128) bytes of data (combined with ssh-len);
+#   only effective for ssh 1.x:
+#
+#	(ip[2:2] - ((ip[0]&0x0f)<<2) - (tcp[12]>>2)) & 0xFF87 = 4
+#
+# - looking for packets with <= 512 bytes of data that ends with a NUL
+#   (can be potentially combined with rlogin-sig or rlogin-sig-1byte):
+#
+#	(tcp[(ip[2:2] - ((ip[0]&0x0f)<<2))-1] == 0) and
+#	((ip[2:2] - ((ip[0]&0x0f)<<2) - (tcp[12]>>2)) != 0) and
+#	((ip[2:2] - ((ip[0]&0x0f)<<2) - (tcp[12]>>2)) <= 512)
+#
+# - looking for telnet negotiation (can be combined with telnet-sig(-3byte)):
+#
+#	(tcp[(tcp[12]>>2):2] > 0xfffa) and
+#	(tcp[(tcp[12]>>2):2] < 0xffff) and
+#	((ip[2:2] - ((ip[0]&0x0f)<<2) - (tcp[12] >> 2)) >= 3)
+#
+# - looking for packets with <= 20 bytes of data (combined with small-pkt):
+#
+#	(ip[2:2] - ((ip[0]&0x0f)<<2) - (tcp[12]>>2)) <= 20
+#
+# - looking for FTP servers by the initial "220-" or "220 " sent by the server:
+#
+#	tcp[(tcp[12]>>2):4] = 0x3232302d or tcp[(tcp[12]>>2):4] = 0x32323020
+#
+# - looking for root backdoors by seeing a server payload of exactly "# ":
+#
+#	tcp[(tcp[12]>>2):2] = 0x2320 and
+#	(ip[2:2] - ((ip[0]&0x0f)<<2) - (tcp[12]>>2)) == 2
+#
+# - looking for Napster by the initial "GET" or "SEND" sent by the originator:
+#
+#	((ip[2:2]-((ip[0]&0x0f)<<2)-(tcp[12]>>2))=4 and
+#	tcp[(tcp[12]>>2):4]=0x53454e44) or
+#	((ip[2:2]-((ip[0]&0x0f)<<2)-(tcp[12]>>2))=3 and
+#	tcp[(tcp[12]>>2):2]=0x4745 and tcp[(tcp[12]>>2)+2]=0x54)
+#
+# - looking for Gnutella handshaking "GNUTELLA "
+#
+#	tcp[(tcp[12]>>2):4] = 0x474e5554 and
+#	tcp[(4+(tcp[12]>>2)):4] = 0x454c4c41 and
+#	tcp[8+(tcp[12]>>2)] = 0x20
+#
+# - looking for KaZaA via "GIVE " (not present in all connections)
+#
+#	tcp[(tcp[12]>>2):4] = 0x47495645 and
+#	tcp[(4+(tcp[12]>>2)):1] = 0x20
+#
+
+@load site
+@load port-name
+@load demux
+@load notice
+
+redef enum Notice += { BackdoorFound, };
+
+# Set to dump the packets that trigger the backdoor detector to a file.
+const dump_backdoor_packets = F &redef;
+
+redef backdoor_stat_period = 60 sec;
+redef backdoor_stat_backoff = 2.0;
+
+const ssh_min_num_pkts = 8 &redef;
+const ssh_min_ssh_pkts_ratio = 0.6 &redef;
+
+const backdoor_min_num_lines = 2 &redef;
+const backdoor_min_normal_line_ratio = 0.5 &redef;
+
+const backdoor_min_bytes = 10 &redef;
+const backdoor_min_7bit_ascii_ratio = 0.75 &redef;
+
+type rlogin_conn_info : record {
+	o_num_null: count;
+	o_len: count;
+	r_num_null: count;
+	r_len: count;
+};
+
+const backdoor_demux_disabled = T &redef;
+const backdoor_demux_skip_tags: set[string] &redef;
+
+const ftp_backdoor_sigs = "ftp-sig";
+const ssh_backdoor_sigs = { "ssh-sig", "ssh-len-v1.x", "ssh-len-v2.x" };
+const rlogin_backdoor_sigs = { "rlogin-sig", "rlogin-sig-1byte" };
+const root_backdoor_sigs = "root-bd-sig";
+const telnet_backdoor_sigs = { "telnet-sig", "telnet-sig-3byte" };
+const napster_backdoor_sigs = "napster-sig";
+const gnutella_backdoor_sigs = "gnutella-sig";
+const kazaa_backdoor_sigs = "kazaa-sig";
+const http_backdoor_sigs = "http-sig";
+const http_proxy_backdoor_sigs = "http-proxy-sig";
+const smtp_backdoor_sigs = "smtp-sig";
+const irc_backdoor_sigs = "irc-sig";
+const gaobot_backdoor_sigs = "gaobot-sig";
+
+# List of backdoors, so you can use it when defining sets and tables
+# with values over all of them.
+const backdoor_sigs = {
+	ftp_backdoor_sigs, ssh_backdoor_sigs, rlogin_backdoor_sigs,
+	root_backdoor_sigs, telnet_backdoor_sigs,
+	napster_backdoor_sigs, gnutella_backdoor_sigs, kazaa_backdoor_sigs,
+	http_backdoor_sigs, http_proxy_backdoor_sigs,
+	smtp_backdoor_sigs, irc_backdoor_sigs, gaobot_backdoor_sigs,
+};
+
+# List of address-port pairs that if present in a backdoor are ignored.
+# Note that these can be either the client and its source port (unusual)
+# or the server and its service port (the common case).
+const backdoor_ignore_host_port_pairs: set[addr, port] &redef;
+
+const backdoor_ignore_ports: table[string, port] of bool = {
+	# The following ignore backdoors that are detected on their
+	# usual ports.  The definitions for ftp-sig, telnet-sig and
+	# telnet-sig-3byte are somehwat broad since those backdoors
+	# are also frequently triggered for other similar protocols.
+
+	[ftp_backdoor_sigs, [ftp, smtp, 587/tcp ]] = T,
+	[ssh_backdoor_sigs, ssh] = T,
+	[rlogin_backdoor_sigs , [512/tcp, rlogin, 514/tcp]] = T,
+	[root_backdoor_sigs, [telnet, 512/tcp, rlogin, 514/tcp]] = T,
+	[telnet_backdoor_sigs, [telnet, ftp, smtp, 143/tcp, 110/tcp]] = T,
+
+	# The following don't have well-known ports (well, Napster does
+	# somewhat, as shown below), hence the definitions are F rather
+	# than T.
+	[napster_backdoor_sigs, [6688/tcp, 6699/tcp]] = F,
+	[gnutella_backdoor_sigs, 6346/tcp] = F,
+
+	[kazaa_backdoor_sigs, 1214/tcp] = F,
+
+	[http_backdoor_sigs, [http, 8000/tcp, 8080/tcp]] = T,
+
+	[smtp_backdoor_sigs, [smtp, 587/tcp]] = T,
+
+	# Skip FTP, as "USER foo" generates false positives.  There's
+	# also a lot of IRC on 7000/tcp.
+	[irc_backdoor_sigs, [ftp, 6666/tcp, 6667/tcp, 7000/tcp]] = T,
+
+	# The following are examples of wildcards, and since they're defined
+	# to be F, they don't affect the policy unless redefined.
+	["*", http] = F,	# entry for "any backdoor, service http"
+	["ssh-sig", 0/tcp] = F,	# entry for "ssh-sig, any port"
+
+} &redef &default = F;
+
+# Indexed by the backdoor, indicates which backdoors residing on
+# a local (remote) host should be ignored.
+const backdoor_ignore_local: set[string] &redef;
+const backdoor_ignore_remote: set[string] &redef;
+
+# Indexed by the source (destination) address and the backdoor.
+# Also indexed by the /24 and /16 versions of the source address.
+# backdoor "*" means "all backdoors".
+const backdoor_ignore_src_addrs: table[string, addr] of bool &redef &default=F;
+const backdoor_ignore_dst_addrs: table[string, addr] of bool &redef &default=F;
+
+const backdoor_standard_ports = {
+	telnet, rlogin, 512/tcp, 514/tcp, ftp, ssh, smtp, 143/tcp,
+	110/tcp, 6667/tcp,
+} &redef;
+const backdoor_annotate_standard_ports = T &redef;
+
+const backdoor_ignore_hosts: set[addr] &redef;
+const backdoor_ignore_src_nets: set[subnet] &redef;
+const backdoor_ignore_dst_nets: set[subnet] &redef;
+
+# Most backdoors are enabled by default, but a few are disabled by
+# default (T below) because they generated too many false positives
+# (or, for HTTP, too many uninteresting true positives).
+const ftp_sig_disabled			= F &redef;
+const gaobot_sig_disabled		= F &redef;
+const gnutella_sig_disabled		= F &redef;
+const http_proxy_sig_disabled		= T &redef;
+const http_sig_disabled			= T &redef;
+const irc_sig_disabled			= F &redef;
+const kazaa_sig_disabled		= F &redef;
+const napster_sig_disabled		= F &redef;
+const rlogin_sig_1byte_disabled		= T &redef;
+const rlogin_sig_disabled		= T &redef;
+const root_backdoor_sig_disabled	= T &redef;
+const smtp_sig_disabled			= F &redef;
+	# Note, for the following there's a corresponding variable
+	# interconn_ssh_len_disabled in interconn.bro.
+const ssh_len_disabled			= T &redef;
+const ssh_sig_disabled			= F &redef;
+const telnet_sig_3byte_disabled		= T &redef;
+const telnet_sig_disabled		= T &redef;
+
+global ssh_len_conns: set[conn_id];
+global rlogin_conns: table[conn_id] of rlogin_conn_info;
+global root_backdoor_sig_conns: set[conn_id];
+
+global did_sig_conns: table[conn_id] of set[string];
+
+const BACKDOOR_UNKNOWN = 0;
+const BACKDOOR_YES = 1;
+const BACKDOOR_NO = 2;
+const BACKDOOR_SIG_FOUND = 3;
+
+global telnet_sig_conns: table[conn_id] of count;
+global telnet_sig_3byte_conns: table[conn_id] of count;
+
+global smtp_sig_conns: table[conn_id] of count;
+global irc_sig_conns: table[conn_id] of count;
+global gaobot_sig_conns: table[conn_id] of count;
+
+const backdoor_log = open_log_file("backdoor") &redef;
+
+function ignore_backdoor_conn(c: connection, bd: string): bool
+	{
+	local oa = c$id$orig_h;
+	local ra = c$id$resp_h;
+	local op = c$id$orig_p;
+	local rp = c$id$resp_p;
+
+	if ( backdoor_ignore_ports[bd, op] ||
+	     backdoor_ignore_ports[bd, rp] ||
+
+	     # Check port wildcards.
+	     backdoor_ignore_ports[bd, 0/tcp] ||
+
+	     (ra in local_nets && bd in backdoor_ignore_local) ||
+	     (ra !in local_nets && bd in backdoor_ignore_remote) ||
+
+	     backdoor_ignore_src_addrs[bd, oa] ||
+	     backdoor_ignore_src_addrs[bd, mask_addr(oa, 16)] ||
+	     backdoor_ignore_src_addrs[bd, mask_addr(oa, 24)] ||
+
+	     backdoor_ignore_dst_addrs[bd, ra] ||
+	     backdoor_ignore_dst_addrs[bd, mask_addr(ra, 16)] ||
+	     backdoor_ignore_dst_addrs[bd, mask_addr(ra, 24)] )
+		return T;
+
+	if ( [oa, op] in backdoor_ignore_host_port_pairs ||
+	     [ra, rp] in backdoor_ignore_host_port_pairs )
+		return T;
+
+	if ( bd != "*" )
+		# Evaluate again, but for wildcarding the backdoor.
+		return ignore_backdoor_conn(c, "*");
+	else
+		return F;
+	}
+
+function log_backdoor(c: connection, tag: string): bool
+	{
+	if ( ignore_backdoor_conn(c, tag) )
+		return F;
+
+	local id = c$id;
+
+	if ( backdoor_annotate_standard_ports &&
+	     (id$orig_p in backdoor_standard_ports ||
+	      id$resp_p in backdoor_standard_ports) )
+		append_addl(c, fmt("[%s]", tag));
+
+	else if ( id$orig_h in backdoor_ignore_hosts ||
+		  id$resp_h in backdoor_ignore_hosts ||
+		  id$orig_h in backdoor_ignore_src_nets ||
+		  id$resp_h in backdoor_ignore_dst_nets )
+		return F;
+
+	else
+		{
+		print backdoor_log, fmt("%.6f %s > %s %s",
+			c$start_time,
+			endpoint_id(id$orig_h, id$orig_p),
+			endpoint_id(id$resp_h, id$resp_p),
+			tag);
+
+		NOTICE([$note=BackdoorFound, $msg=tag, $conn=c]);
+
+		if ( dump_backdoor_packets )
+			{
+			mkdir("backdoor-packets");
+			local fname = fmt("backdoor-packets/%s:%.2f",
+						tag, current_time());
+			dump_current_packet(fname);
+			}
+
+		if ( backdoor_demux_disabled ||
+		     tag in backdoor_demux_skip_tags )
+			{
+			if ( active_connection(c$id) )
+				skip_further_processing(c$id);
+			}
+		else
+			demux_conn(id, tag, "orig", "resp");
+		}
+
+	return T;
+	}
+
+event new_connection(c: connection)
+	{
+	local id = c$id;
+
+	if ( ! rlogin_sig_disabled || ! rlogin_sig_1byte_disabled )
+		{
+		local i: rlogin_conn_info;
+		i$o_num_null = i$o_len = i$r_num_null = i$r_len = 0;
+
+		rlogin_conns[id] = i;
+		}
+	}
+
+event backdoor_remove_conn(c: connection)
+	{
+	local id = c$id;
+
+	delete ssh_len_conns[id];
+	delete telnet_sig_conns[id];
+	delete telnet_sig_3byte_conns[id];
+	delete rlogin_conns[id];
+	delete root_backdoor_sig_conns[id];
+	delete smtp_sig_conns[id];
+	delete irc_sig_conns[id];
+	delete gaobot_sig_conns[id];
+
+	delete did_sig_conns[id];
+	}
+
+event root_backdoor_signature_found(c: connection)
+	{
+	if ( root_backdoor_sig_disabled ||
+	     ignore_backdoor_conn(c, "root-bd-sig") )
+		return;
+
+	local id = c$id;
+
+	# For root backdoors, don't ignore standard ports.  This is because
+	# we shouldn't see such a backdoor even 23/tcp or 513/tcp!
+
+	if ( id !in root_backdoor_sig_conns )
+		{
+		add root_backdoor_sig_conns[id];
+		log_backdoor(c, "root-bd-sig");
+		}
+	}
+
+function signature_found(c: connection, sig_disabled: bool, sig_name: string)
+	{
+	if ( sig_disabled )
+		return;
+
+	if ( ignore_backdoor_conn(c, sig_name) )
+		return;
+
+	if ( c$id !in did_sig_conns )
+		did_sig_conns[c$id] = set();
+
+	if ( sig_name !in did_sig_conns[c$id] )
+		{
+		add did_sig_conns[c$id][sig_name];
+		log_backdoor(c, sig_name);
+		}
+	}
+
+event ftp_signature_found(c: connection)
+	{
+	signature_found(c, ftp_sig_disabled, "ftp-sig");
+	}
+
+event napster_signature_found(c: connection)
+	{
+	signature_found(c, napster_sig_disabled, "napster-sig");
+	}
+
+event gnutella_signature_found(c: connection)
+	{
+	signature_found(c, gnutella_sig_disabled, "gnutella-sig");
+	}
+
+event kazaa_signature_found(c: connection)
+	{
+	signature_found(c, kazaa_sig_disabled, "kazaa-sig");
+	}
+
+event http_signature_found(c: connection)
+	{
+	signature_found(c, http_sig_disabled, "http-sig");
+	}
+
+event http_proxy_signature_found(c: connection)
+	{
+	signature_found(c, http_proxy_sig_disabled, "http-proxy-sig");
+	}
+
+event ssh_signature_found(c: connection, is_orig: bool)
+	{
+	signature_found(c, ssh_sig_disabled, "ssh-sig");
+	}
+
+event smtp_signature_found(c: connection)
+	{
+	signature_found(c, smtp_sig_disabled, "smtp-sig");
+	}
+
+event irc_signature_found(c: connection)
+	{
+	signature_found(c, irc_sig_disabled, "irc-sig");
+	}
+
+event gaobot_signature_found(c: connection)
+	{
+	signature_found(c, gaobot_sig_disabled, "gaobot-sig");
+	}
+
+event telnet_signature_found(c: connection, is_orig: bool, len: count)
+	{
+	local id = c$id;
+
+	if ( ignore_backdoor_conn(c, "telnet-sig") )
+		return;
+
+	if ( ! telnet_sig_disabled && id !in telnet_sig_conns )
+		telnet_sig_conns[id] = BACKDOOR_SIG_FOUND;
+
+	if ( ! telnet_sig_3byte_disabled && len == 3 &&
+	     id !in telnet_sig_3byte_conns )
+		telnet_sig_3byte_conns[id] = BACKDOOR_SIG_FOUND;
+	}
+
+event rlogin_signature_found(c: connection, is_orig: bool,
+			     num_null: count, len: count)
+	{
+	local id = c$id;
+
+	if ( (rlogin_sig_disabled && rlogin_sig_1byte_disabled) ||
+	     ignore_backdoor_conn(c, "rlogin-sig") )
+		return;
+
+	local ri = rlogin_conns[id];
+	if ( is_orig && ri$o_num_null == 0 )
+		ri$o_num_null = num_null;
+
+	else if ( ! is_orig && ri$r_num_null == 0 )
+		{
+		ri$r_num_null = num_null;
+		ri$r_len = len;
+		}
+	else
+		return;
+
+	if ( ri$o_num_null == 0 || ri$r_num_null == 0 )
+		return;
+
+	if ( ! rlogin_sig_1byte_disabled && ri$r_len == 1 )
+		log_backdoor(c, "rlogin-sig-1byte");
+
+	if ( ! rlogin_sig_disabled )
+		log_backdoor(c, "rlogin-sig");
+	}
+
+
+function ssh_len_stats(c: connection, os: backdoor_endp_stats,
+		       rs: backdoor_endp_stats) : bool
+	{
+	if ( ssh_len_disabled || c$id in ssh_len_conns )
+		return F;
+
+	if ( os$num_pkts == 0 || rs$num_pkts == 0 )
+		return F;
+
+	# xxx: only use ssh-len for partial connection
+
+	local is_partial = os$is_partial || rs$is_partial;
+	if ( ! is_partial )
+		return F;
+
+	local num_pkts = os$num_pkts + rs$num_pkts;
+
+	if ( num_pkts < ssh_min_num_pkts )
+		return F;
+
+	local num_8k0_pkts = os$num_8k0_pkts + rs$num_8k0_pkts;
+	local num_8k4_pkts = os$num_8k4_pkts + rs$num_8k4_pkts;
+
+	local id = c$id;
+	if ( num_8k0_pkts >= num_pkts * ssh_min_ssh_pkts_ratio )
+		{
+		add ssh_len_conns[id];
+		log_backdoor(c, "ssh-len-v2.x");
+		}
+
+	else if ( num_8k4_pkts >= num_pkts * ssh_min_ssh_pkts_ratio )
+		{
+		add ssh_len_conns[id];
+		log_backdoor(c, "ssh-len-v1.x");
+		}
+
+	return T;
+	}
+
+function telnet_stats(c: connection, os: backdoor_endp_stats,
+		      rs: backdoor_endp_stats) : bool
+	{
+	local num_lines = os$num_lines + rs$num_lines;
+	local num_normal_lines = os$num_normal_lines + rs$num_normal_lines;
+
+	if ( num_lines < backdoor_min_num_lines ||
+	     num_normal_lines < num_lines * backdoor_min_normal_line_ratio )
+		return F;
+
+	local num_bytes = os$num_bytes + rs$num_bytes;
+	local num_7bit_ascii = os$num_7bit_ascii + rs$num_7bit_ascii;
+
+	if ( num_bytes < backdoor_min_bytes ||
+	     num_7bit_ascii < num_bytes * backdoor_min_7bit_ascii_ratio )
+		return F;
+
+	local id = c$id;
+
+	if ( id in telnet_sig_conns &&
+	     telnet_sig_conns[id] != BACKDOOR_YES )
+		{
+		telnet_sig_conns[id] = BACKDOOR_YES;
+		log_backdoor(c, "telnet-sig");
+		}
+
+	if ( id in telnet_sig_3byte_conns &&
+	     telnet_sig_3byte_conns[id] != BACKDOOR_YES )
+		{
+		telnet_sig_3byte_conns[id] = BACKDOOR_YES;
+		log_backdoor(c, "telnet-sig-3byte");
+		}
+
+	return T;
+	}
+
+event backdoor_stats(c: connection,
+			os: backdoor_endp_stats, rs: backdoor_endp_stats)
+	{
+	telnet_stats(c, os, rs);
+	ssh_len_stats(c, os, rs);
+	}
diff --git a/policy/bittorrent.bro b/policy/bittorrent.bro
new file mode 100644
index 0000000000..7a1576abf5
--- /dev/null
+++ b/policy/bittorrent.bro
@@ -0,0 +1,277 @@
+# $Id:$
+#
+# bittorrent.bro - policy script for analyzing BitTorrent traffic
+# ---------------------------------------------------------------
+# This code contributed by Nadi Sarrar.
+
+@load dpd
+@load weird
+
+module BitTorrent;
+
+export {
+	# Whether to log the length of PDUs.
+	global log_pdu_length = T &redef;
+}
+
+redef capture_filters += { ["bittorrent"] = "tcp" };
+
+type bt_peer_state: enum {
+	choked,	# peer won't receive any responses to requests (initial state)
+	unchoked	# peer may do requests
+};
+
+type bt_peer_info: record {
+	# Total of pure peer wire protocol overhead data (w/o pieces).
+	protocol_total: count &default = 0;
+
+	# State of the peer - choked or unchoked.
+	state: bt_peer_state &default = choked;
+
+	# Total number of seconds the peer was unchoked.
+	unchoked: interval &default = 0 secs;
+
+	# Time of the last received unchoke message.
+	time_last_unchoked: time;
+};
+
+type bt_peer_conn: record {
+	id: count;
+	orig: bt_peer_info;
+	resp: bt_peer_info;
+	weird: bool &default = F;
+};
+
+global bittorrent_log = open_log_file("bittorrent") &redef;
+global bt_peer_conns : table[conn_id] of bt_peer_conn;
+global peer_conn_count = 0;
+
+function record_peer_protocol_traffic(c: connection, is_orig: bool,
+					protocol_len: count): count
+	{
+	if ( c$id in bt_peer_conns )
+		{
+		local pc = bt_peer_conns[c$id];
+
+		if ( is_orig )
+			pc$orig$protocol_total += protocol_len;
+		else
+			pc$resp$protocol_total += protocol_len;
+
+		return pc$id;
+		}
+
+	return 0;
+	}
+
+function record_choke(pi: bt_peer_info, now: time)
+	{
+	if ( pi$state == unchoked )
+		{
+		pi$state = choked;
+		pi$unchoked += now - pi$time_last_unchoked;
+		}
+	}
+
+function record_unchoke(pi: bt_peer_info, now: time)
+	{
+	if ( pi$state == choked )
+		{
+		pi$state = unchoked;
+		pi$time_last_unchoked = now;
+		}
+	}
+
+function lookup_bt_peer(id: conn_id): bt_peer_conn
+	{
+	if ( id in bt_peer_conns )
+		return bt_peer_conns[id];
+
+	local orig: bt_peer_info;
+	local resp: bt_peer_info;
+	local pc: bt_peer_conn;
+	pc$orig = orig;
+	pc$resp = resp;
+	pc$id = ++peer_conn_count;
+	bt_peer_conns[id] = pc;
+
+	return pc;
+	}
+
+function bt_log_id(id: conn_id, cid: count, tag: string, is_orig: bool): string
+	{
+	return fmt("%.6f P%d %s %s:%d %s %s:%d",
+			network_time(), cid, tag, id$orig_h, id$orig_p,
+			is_orig ? ">" : "<", id$resp_h, id$resp_p);
+	}
+
+function pdu_log_len(len: count): string
+	{
+	return log_pdu_length ? fmt("[PDU-len:%d]", len) : "";
+	}
+
+function log_pdu(c: connection, is_orig: bool, tag: string, len: count): count
+	{
+	local cid = record_peer_protocol_traffic(c, is_orig, len);
+	print bittorrent_log,
+		fmt("%s %s", bt_log_id(c$id, cid, tag, is_orig),
+				pdu_log_len(len));
+
+	return cid;
+	}
+
+function log_pdu_str(c: connection, is_orig: bool, tag: string, len: count,
+			str: string)
+	{
+	local cid = record_peer_protocol_traffic(c, is_orig, len);
+	print bittorrent_log,
+		fmt("%s %s %s", bt_log_id(c$id, cid, tag, is_orig),
+				pdu_log_len(len), str);
+	}
+
+function log_pdu_str_n(c: connection, is_orig: bool, tag: string, len: count,
+			n: count, str: string)
+	{
+	local cid = record_peer_protocol_traffic(c, is_orig, len);
+	print bittorrent_log,
+		fmt("%s %s %s", bt_log_id(c$id, cid, tag, is_orig),
+			pdu_log_len(n), str);
+	}
+
+event bittorrent_peer_handshake(c: connection, is_orig: bool, reserved: string,
+				info_hash: string, peer_id: string)
+	{
+	local pc = lookup_bt_peer(c$id);
+	log_pdu_str(c, is_orig, "handshake", 68,
+		fmt("[peer_id:%s info_hash:%s reserved:%s]",
+			bytestring_to_hexstr(peer_id),
+			bytestring_to_hexstr(info_hash),
+			bytestring_to_hexstr(reserved)));
+	}
+
+event bittorrent_peer_keep_alive(c: connection, is_orig: bool)
+	{
+	log_pdu(c, is_orig, "keep-alive", 4);
+	}
+
+event bittorrent_peer_choke(c: connection, is_orig: bool)
+	{
+	local cid = log_pdu(c, is_orig, "choke", 5);
+	if ( cid > 0 )
+		{
+		local pc = bt_peer_conns[c$id];
+		record_choke(is_orig ? pc$resp : pc$orig, network_time());
+		}
+	}
+
+event bittorrent_peer_unchoke(c: connection, is_orig: bool)
+	{
+	local cid = log_pdu(c, is_orig, "unchoke", 5);
+	if ( cid > 0 )
+		{
+		local pc = bt_peer_conns[c$id];
+		record_unchoke(is_orig ? pc$resp : pc$orig, network_time());
+		}
+	}
+
+event bittorrent_peer_interested(c: connection, is_orig: bool)
+	{
+	log_pdu(c, is_orig, "interested", 5);
+	}
+
+event bittorrent_peer_not_interested(c: connection, is_orig: bool)
+	{
+	log_pdu(c, is_orig, "not-interested", 5);
+	}
+
+event bittorrent_peer_have(c: connection, is_orig: bool, piece_index: count)
+	{
+	log_pdu(c, is_orig, "have", 9);
+	}
+
+event bittorrent_peer_bitfield(c: connection, is_orig: bool, bitfield: string)
+	{
+	log_pdu_str(c, is_orig, "bitfield", 5 + byte_len(bitfield), 
+			fmt("[bitfield:%s]",
+				bytestring_to_hexstr(bitfield)));
+	}
+
+event bittorrent_peer_request(c: connection, is_orig: bool, index: count,
+				begin: count, length: count)
+	{
+	log_pdu_str(c, is_orig, "request", 17,
+		fmt("[index:%d begin:%d length:%d]", index, begin, length));
+	}
+
+event bittorrent_peer_piece(c: connection, is_orig: bool, index: count,
+				begin: count, piece_length: count)
+	{
+	log_pdu_str_n(c, is_orig, "piece", 13, 13 + piece_length,
+		fmt("[index:%d begin:%d piece_length:%d]",
+			index, begin, piece_length));
+	}
+
+event bittorrent_peer_cancel(c: connection, is_orig: bool, index: count,
+				begin: count, length: count)
+	{
+	log_pdu_str(c, is_orig, "cancel", 7,
+		fmt("[index:%d begin:%d length:%d]",
+			index, begin, length));
+	}
+
+event bittorrent_peer_port(c: connection, is_orig: bool, listen_port: port)
+	{
+	log_pdu_str(c, is_orig, "port", 5,
+			fmt("[listen_port:%s]", listen_port));
+	}
+
+event bittorrent_peer_unknown(c: connection, is_orig: bool, message_id: count,
+				data: string)
+	{
+	log_pdu_str(c, is_orig, "<unknown>", 5 + byte_len(data),
+			fmt("[message_id:%d]", message_id));
+	}
+
+event bittorrent_peer_weird(c: connection, is_orig: bool, msg: string)
+	{
+	local pc = lookup_bt_peer(c$id);
+	pc$weird = T;
+
+	print bittorrent_log,
+		fmt("%s [%s]", bt_log_id(c$id, pc$id, "<weird>", is_orig), msg);
+
+	event conn_weird(msg, c);
+	}
+
+function log_close(c: connection, pc: bt_peer_conn, is_orig: bool)
+	{
+	local endp = is_orig ? c$orig : c$resp;
+	local peer_i = is_orig ? pc$orig : pc$resp;
+
+	local status =
+		pc$weird ?
+			fmt("size:%d", endp$size) :
+			fmt("unchoked:%.06f size_protocol:%d size_pieces:%d",
+				peer_i$unchoked, peer_i$protocol_total,
+				endp$size - peer_i$protocol_total);
+
+	print bittorrent_log,
+		fmt("%s [duration:%.06f %s]",
+			bt_log_id(c$id, pc$id, "<closed>", is_orig),
+			c$duration, status);
+	}
+
+event connection_state_remove(c: connection)
+	{
+	if ( c$id !in bt_peer_conns )
+		return;
+
+	local pc = bt_peer_conns[c$id];
+	delete bt_peer_conns[c$id];
+
+	record_choke(pc$orig, c$start_time + c$duration);
+	record_choke(pc$resp, c$start_time + c$duration);
+
+	log_close(c, pc, T);
+	log_close(c, pc, F);
+	}
diff --git a/policy/blaster.bro b/policy/blaster.bro
new file mode 100644
index 0000000000..07cc542199
--- /dev/null
+++ b/policy/blaster.bro
@@ -0,0 +1,52 @@
+# $Id: blaster.bro 5952 2008-07-13 19:45:15Z vern $
+#
+# Identifies W32.Blaster-infected hosts by observing their scanning
+# activity.
+
+@load notice
+@load site
+
+# Which hosts have scanned which addresses via 135/tcp.
+global w32b_scanned: table[addr] of set[addr] &write_expire = 5min;
+global w32b_reported: set[addr] &persistent;
+
+const W32B_port = 135/tcp;
+const W32B_MIN_ATTEMPTS = 50 &redef;
+
+redef enum Notice += {
+	W32B_SourceLocal,
+	W32B_SourceRemote,
+};
+
+event connection_attempt(c: connection)
+	{
+	if ( c$id$resp_p != W32B_port )
+		return;
+
+	local ip = c$id$orig_h;
+
+	if ( ip in w32b_reported )
+		return;
+
+	if ( ip in w32b_scanned )
+		{
+		add (w32b_scanned[ip])[c$id$resp_h];
+
+		if ( length(w32b_scanned[ip]) >= W32B_MIN_ATTEMPTS )
+			{
+			if ( is_local_addr(ip) )
+				NOTICE([$note=W32B_SourceLocal, $conn=c,
+					$msg=fmt("W32.Blaster local source: %s",
+							ip)]);
+			else
+				NOTICE([$note=W32B_SourceRemote, $conn=c,
+					$msg=fmt("W32.Blaster remote source: %s",
+							ip)]);
+
+			add w32b_reported[ip];
+			}
+		}
+
+	else
+		w32b_scanned[ip] = set(ip) &mergeable;
+	}
diff --git a/policy/bro.init b/policy/bro.init
new file mode 100644
index 0000000000..1ba8f59b4d
--- /dev/null
+++ b/policy/bro.init
@@ -0,0 +1,1383 @@
+# $Id: bro.init 6887 2009-08-20 05:17:33Z vern $
+
+@load const.bif.bro
+
+global bro_signal: event(signal: count);
+
+# Called (one day) if there's no handler for an internal event.
+global no_handler: event(name: string, val: any);
+
+# Type declarations
+type string_array: table[count] of string;
+type string_set: set[string];
+type index_vec: vector of count;
+type string_vec: vector of string;
+
+type transport_proto: enum { unknown_transport, tcp, udp, icmp };
+
+type conn_id: record {
+	orig_h: addr;
+	orig_p: port;
+	resp_h: addr;
+	resp_p: port;
+};
+
+type icmp_conn: record {
+	orig_h: addr;
+	resp_h: addr;
+	itype: count;
+	icode: count;
+	len: count;
+};
+
+type icmp_hdr: record {
+	icmp_type: count;	# type of message
+};
+
+type icmp_context: record {
+	id: conn_id;
+	len: count;
+	proto: count;
+	frag_offset: count;
+	bad_hdr_len: bool;
+	bad_checksum: bool;
+	MF: bool;
+	DF: bool;
+};
+
+type addr_set: set[addr];
+
+type dns_mapping: record {
+	creation_time: time;
+
+	req_host: string;
+	req_addr: addr;
+
+	valid: bool;
+	hostname: string;
+	addrs: addr_set;
+};
+
+type ftp_port: record {
+	h: addr;
+	p: port;
+	valid: bool;	# true if format was right
+};
+
+type endpoint: record {
+	size: count;
+	state: count;
+};
+
+type endpoint_stats: record {
+	num_pkts: count;
+	num_rxmit: count;
+	num_rxmit_bytes: count;
+	num_in_order: count;
+	num_OO: count;
+	num_repl: count;
+	endian_type: count;
+};
+
+type AnalyzerID: count;
+
+type connection: record {
+	id: conn_id;
+	orig: endpoint;
+	resp: endpoint;
+	start_time: time;
+	duration: interval;
+	service: string_set;	# if empty, service hasn't been determined
+	addl: string;
+	hot: count;		# how hot; 0 = don't know or not hot
+	history: string;
+};
+
+type SYN_packet: record {
+	is_orig: bool;
+	DF: bool;
+	ttl: count;
+	size: count;
+	win_size: count;
+	win_scale: int;
+	MSS: count;
+	SACK_OK: bool;
+};
+
+type bro_resources: record {
+	version: string;        # Bro version string
+	debug: bool;            # true if compiled with --enable-debug
+	start_time: time;	# start time of process
+	real_time: interval;	# elapsed real time since Bro started running
+	user_time: interval;	# user CPU seconds
+	system_time: interval;	# system CPU seconds
+	mem: count;		# maximum memory consumed, in KB
+	minor_faults: count;	# page faults not requiring actual I/O
+	major_faults: count;	# page faults requiring actual I/O
+	num_swap: count;	# times swapped out
+	blocking_input: count;	# blocking input operations
+	blocking_output: count;	# blocking output operations
+	num_context: count;	# number of involuntary context switches
+
+	num_TCP_conns: count;	# current number of TCP connections
+	num_UDP_conns: count;
+	num_ICMP_conns: count;
+	num_fragments: count;	# current number of fragments pending reassembly
+	num_packets: count;	# total number packets processed to date
+	num_timers: count;	# current number of pending timers
+	num_events_queued: count;	# total number of events queued so far
+	num_events_dispatched: count;	# same for events dispatched
+
+	max_TCP_conns: count;	# maximum number of TCP connections, etc.
+	max_UDP_conns: count;
+	max_ICMP_conns: count;
+	max_fragments: count;
+	max_timers: count;
+};
+
+
+# Summary statistics of all DFA_State_Caches.
+type matcher_stats: record {
+	matchers: count;	# number of distinct RE matchers
+	dfa_states: count;	# number of DFA states across all matchers
+	computed: count;	# number of computed DFA state transitions
+	mem: count;		# number of bytes used by DFA states
+	hits: count;		# number of cache hits
+	misses: count;		# number of cache misses
+	avg_nfa_states: count;	# average # NFA states across all matchers
+};
+
+# Info provided to gap_report, and also available by get_gap_summary().
+type gap_info: record {
+	ack_events: count;	# how many ack events *could* have had gaps
+	ack_bytes: count;	# how many bytes those covered
+	gap_events: count;	# how many *did* have gaps
+	gap_bytes: count;	# how many bytes were missing in the gaps:
+};
+
+# This record should be read-only.
+type packet: record {
+	conn: connection;
+	is_orig: bool;
+	seq: count;	# seq=k => it is the kth *packet* of the connection
+	timestamp: time;
+};
+
+type var_sizes: table[string] of count;	# indexed by var's name, returns size
+
+type script_id: record {
+	type_name: string;
+	exported: bool;
+	constant: bool;
+	enum_constant: bool;
+	redefinable: bool;
+	value: any &optional;
+};
+
+type id_table: table[string] of script_id;
+
+# {precompile,install}_pcap_filter identify the filter by IDs
+type PcapFilterID: enum { None };
+
+type IPAddrAnonymization: enum {
+	KEEP_ORIG_ADDR,
+	SEQUENTIALLY_NUMBERED,
+	RANDOM_MD5,
+	PREFIX_PRESERVING_A50,
+	PREFIX_PRESERVING_MD5,
+};
+
+type IPAddrAnonymizationClass: enum {
+	ORIG_ADDR,	# client address
+	RESP_ADDR,	# server address
+	OTHER_ADDR,
+};
+
+
+# Events are generated by event_peer's (which may be either ourselves, or
+# some remote process).
+type peer_id: count;
+
+type event_peer: record {
+	id: peer_id;	# locally unique ID of peer (returned by connect())
+	host: addr;
+	p: port;
+	is_local: bool;	# true if this peer describes the current process.
+	descr: string;	# source's external_source_description
+	class: string &optional;	# self-assigned class of the peer
+};
+
+type rotate_info: record {
+	old_name: string;  # original filename
+	new_name: string;  # file name after rotation
+	open: time;        # time when opened
+	close: time;       # time when closed
+};
+
+
+### The following aren't presently used, though they should be.
+# # Structures needed for subsequence computations (str_smith_waterman):
+# #
+# type sw_variant: enum {
+#	SW_SINGLE,
+#	SW_MULTIPLE,
+# };
+
+type sw_params: record {
+	# Minimum size of a substring, minimum "granularity".
+	min_strlen: count &default = 3;
+
+	# Smith-Waterman flavor to use.
+	sw_variant: count &default = 0;
+};
+
+type sw_align: record {
+	str: string;	# string a substring is part of
+	index: count;	# at which offset
+};
+
+type sw_align_vec: vector of sw_align;
+
+type sw_substring: record {
+	str: string;	# a substring
+	aligns: sw_align_vec;	# all strings of which it's a substring
+	new: bool;	# true if start of new alignment
+};
+
+type sw_substring_vec: vector of sw_substring;
+
+# Policy-level handling of pcap packets.
+type pcap_packet: record {
+	ts_sec: count;
+	ts_usec: count;
+	caplen: count;
+	len: count;
+	data: string;
+};
+
+# GeoIP support.
+type geo_location: record {
+	country_code: string;
+	region: string;
+	city: string;
+	latitude: double;
+	longitude: double;
+};
+
+# Prototypes of Bro built-in functions.
+@load strings.bif.bro
+@load bro.bif.bro
+
+global bro_alarm_file: file &redef;
+global alarm_hook: function(msg: string): bool &redef;
+global log_file_name: function(tag: string): string &redef;
+global open_log_file: function(tag: string): file &redef;
+
+# Where to store the persistent state.
+const state_dir = ".state" &redef;
+
+# Length of the delays added when storing state incrementally.
+const state_write_delay = 0.01 secs &redef;
+
+global done_with_network = F;
+event net_done(t: time) { done_with_network = T; }
+
+const SIGHUP = 1;
+event bro_signal(signal: count)
+	{
+	if ( signal == SIGHUP )
+		{
+		flush_all();
+		checkpoint_state();
+		}
+	}
+
+function log_file_name(tag: string): string
+	{
+	local suffix = getenv("BRO_LOG_SUFFIX") == "" ? "log" : getenv("BRO_LOG_SUFFIX");
+	return fmt("%s.%s", tag, suffix);
+	}
+
+function open_log_file(tag: string): file
+	{
+	return open(log_file_name(tag));
+	}
+
+function add_interface(iold: string, inew: string): string
+	{
+	if ( iold == "" )
+		return inew;
+	else
+		return fmt("%s %s", iold, inew);
+	}
+
+global interfaces = "" &add_func = add_interface;
+
+function add_signature_file(sold: string, snew: string): string
+	{
+	if ( sold == "" )
+		return snew;
+	else
+		return cat(sold, " ", snew);
+	}
+
+global signature_files = "" &add_func = add_signature_file;
+
+const passive_fingerprint_file = "sigs/p0fsyn" &redef;
+
+const ftp = 21/tcp;
+const ssh = 22/tcp;
+const telnet = 23/tcp;
+const smtp = 25/tcp;
+const domain = 53/tcp;	# note, doesn't include UDP version
+const gopher = 70/tcp;
+const finger = 79/tcp;
+const http = 80/tcp;
+const ident = 113/tcp;
+const bgp = 179/tcp;
+const rlogin = 513/tcp;
+
+const TCP_INACTIVE = 0;
+const TCP_SYN_SENT = 1;
+const TCP_SYN_ACK_SENT = 2;
+const TCP_PARTIAL = 3;
+const TCP_ESTABLISHED = 4;
+const TCP_CLOSED = 5;
+const TCP_RESET = 6;
+
+# If true, don't verify checksums.  Useful for running on altered trace
+# files, and for saving a few cycles, but of course dangerous, too ...
+# Note that the -C command-line option overrides the setting of this
+# variable.
+const ignore_checksums = F &redef;
+
+# If true, instantiate connection state when a partial connection
+# (one missing its initial establishment negotiation) is seen.
+const partial_connection_ok = T &redef;
+
+# If true, instantiate connection state when a SYN ack is seen
+# but not the initial SYN (even if partial_connection_ok is false).
+const tcp_SYN_ack_ok = T &redef;
+
+# If a connection state is removed there may still be some undelivered
+# data waiting in the reassembler. If true, pass this to the signature
+# engine before flushing the state.
+const tcp_match_undelivered = T &redef;
+
+# Check up on the result of an initial SYN after this much time.
+const tcp_SYN_timeout = 5 secs &redef;
+
+# After a connection has closed, wait this long for further activity
+# before checking whether to time out its state.
+const tcp_session_timer = 6 secs &redef;
+
+# When checking a closed connection for further activity, consider it
+# inactive if there hasn't been any for this long.  Complain if the
+# connection is reused before this much time has elapsed.
+const tcp_connection_linger = 5 secs &redef;
+
+# Wait this long upon seeing an initial SYN before timing out the
+# connection attempt.
+const tcp_attempt_delay = 5 secs &redef;
+
+# Upon seeing a normal connection close, flush state after this much time.
+const tcp_close_delay = 5 secs &redef;
+
+# Upon seeing a RST, flush state after this much time.
+const tcp_reset_delay = 5 secs &redef;
+
+# Generate a connection_partial_close event this much time after one half
+# of a partial connection closes, assuming there has been no subsequent
+# activity.
+const tcp_partial_close_delay = 3 secs &redef;
+
+# If a connection belongs to an application that we don't analyze,
+# time it out after this interval.  If 0 secs, then don't time it out.
+const non_analyzed_lifetime = 0 secs &redef;
+
+# If a connection is inactive, time it out after this interval.
+# If 0 secs, then don't time it out.
+const tcp_inactivity_timeout = 5 min &redef;
+const udp_inactivity_timeout = 1 min &redef;
+const icmp_inactivity_timeout = 1 min &redef;
+
+# This many FINs/RSTs in a row constitutes a "storm".
+const tcp_storm_thresh = 1000 &redef;
+
+# The FINs/RSTs must come with this much time or less between them.
+const tcp_storm_interarrival_thresh = 1 sec &redef;
+
+# Maximum amount of data that might plausibly be sent in an initial
+# flight (prior to receiving any acks).  Used to determine whether we
+# must not be seeing our peer's acks.  Set to zero to turn off this
+# determination.
+const tcp_max_initial_window = 4096;
+
+# If we're not seeing our peer's acks, the maximum volume of data above
+# a sequence hole that we'll tolerate before assuming that there's
+# been a packet drop and we should give up on tracking a connection.
+# If set to zero, then we don't ever give up.
+const tcp_max_above_hole_without_any_acks = 4096;
+
+# If we've seen this much data without any of it being acked, we give up
+# on that connection to avoid memory exhaustion due to buffering all that
+# stuff.  If set to zero, then we don't ever give up.  Ideally, Bro would
+# track the current window on a connection and use it to infer that data
+# has in fact gone too far, but for now we just make this quite beefy.
+const tcp_excessive_data_without_further_acks = 10 * 1024 * 1024;
+
+# For services without a handler, these sets define which
+# side of a connection is to be reassembled.
+const tcp_reassembler_ports_orig: set[port] = {} &redef;
+const tcp_reassembler_ports_resp: set[port] = {} &redef;
+
+# These sets define destination ports for which the contents
+# of the originator (responder, respectively) stream should
+# be delivered via tcp_contents.
+const tcp_content_delivery_ports_orig: table[port] of bool = {} &redef;
+const tcp_content_delivery_ports_resp: table[port] of bool = {} &redef;
+
+# To have all TCP orig->resp/resp->orig traffic reported via tcp_contents,
+# redef these to T.
+const tcp_content_deliver_all_orig = F &redef;
+const tcp_content_deliver_all_resp = F &redef;
+
+# These sets define destination ports for which the contents
+# of the originator (responder, respectively) stream should
+# be delivered via udp_contents.
+const udp_content_delivery_ports_orig: table[port] of bool = {} &redef;
+const udp_content_delivery_ports_resp: table[port] of bool = {} &redef;
+
+# To have all UDP orig->resp/resp->orig traffic reported via udp_contents,
+# redef these to T.
+const udp_content_deliver_all_orig = F &redef;
+const udp_content_deliver_all_resp = F &redef;
+
+# Check for expired table entries after this amount of time
+const table_expire_interval = 10 secs &redef;
+
+# When expiring/serializing, don't work on more than this many table
+# entries at a time.
+const table_incremental_step = 5000 &redef;
+
+# When expiring, wait this amount of time before checking the next chunk
+# of entries.
+const table_expire_delay = 0.01 secs &redef;
+
+# Time to wait before timing out a DNS/NTP/RPC request.
+const dns_session_timeout = 10 sec &redef;
+const ntp_session_timeout = 300 sec &redef;
+const rpc_timeout = 24 sec &redef;
+
+# Time window for reordering packets (to deal with timestamp
+# discrepency between multiple packet sources).
+const packet_sort_window = 0 usecs &redef;
+
+# How long to hold onto fragments for possible reassembly.  A value
+# of 0.0 means "forever", which resists evasion, but can lead to
+# state accrual.
+const frag_timeout = 0.0 sec &redef;
+
+# If positive, indicates the encapsulation header size that should
+# be skipped over for each captured packet ....
+const encap_hdr_size = 0 &redef;
+# ... or just for the following UDP port.
+const tunnel_port = 0/udp &redef;
+
+const UDP_INACTIVE = 0;
+const UDP_ACTIVE = 1;	# means we've seen something from this endpoint
+
+const ENDIAN_UNKNOWN = 0;
+const ENDIAN_LITTLE = 1;
+const ENDIAN_BIG = 2;
+const ENDIAN_CONFUSED = 3;
+
+function append_addl(c: connection, addl: string)
+	{
+	if ( c$addl == "" )
+		c$addl= addl;
+
+	else if ( addl !in c$addl )
+		c$addl = fmt("%s %s", c$addl, addl);
+	}
+
+function append_addl_marker(c: connection, addl: string, marker: string)
+	{
+	if ( c$addl == "" )
+		c$addl= addl;
+
+	else if ( addl !in c$addl )
+		c$addl = fmt("%s%s%s", c$addl, marker, addl);
+	}
+
+
+# Values for set_contents_file's "direction" argument.
+const CONTENTS_NONE = 0;	# turn off recording of contents
+const CONTENTS_ORIG = 1;	# record originator contents
+const CONTENTS_RESP = 2;	# record responder contents
+const CONTENTS_BOTH = 3;	# record both originator and responder contents
+
+const ICMP_UNREACH_NET = 0;
+const ICMP_UNREACH_HOST = 1;
+const ICMP_UNREACH_PROTOCOL = 2;
+const ICMP_UNREACH_PORT = 3;
+const ICMP_UNREACH_NEEDFRAG = 4;
+const ICMP_UNREACH_ADMIN_PROHIB = 13;
+# The above list isn't exhaustive ...
+
+
+# Definitions for access to packet headers.  Currently only used for
+# discarders.
+const IPPROTO_IP = 0;			# dummy for IP
+const IPPROTO_ICMP = 1;			# control message protocol
+const IPPROTO_IGMP = 2;			# group mgmt protocol
+const IPPROTO_IPIP = 4;			# IP encapsulation in IP
+const IPPROTO_TCP = 6;			# TCP
+const IPPROTO_UDP = 17;			# user datagram protocol
+const IPPROTO_RAW = 255;		# raw IP packet
+
+type ip_hdr: record {
+	hl: count;		# header length (in bytes)
+	tos: count;		# type of service
+	len: count;		# total length
+	id: count;		# identification
+	ttl: count;		# time to live
+	p: count;		# protocol
+	src: addr;		# source address
+	dst: addr;		# dest address
+};
+
+# TCP flags.
+const TH_FIN = 1;
+const TH_SYN = 2;
+const TH_RST = 4;
+const TH_PUSH = 8;
+const TH_ACK = 16;
+const TH_URG = 32;
+const TH_FLAGS = 63;		# (TH_FIN|TH_SYN|TH_RST|TH_ACK|TH_URG)
+
+type tcp_hdr: record {
+	sport: port;		# source port
+	dport: port;		# destination port
+	seq: count;		# sequence number
+	ack: count;		# acknowledgement number
+	hl: count;		# header length (in bytes)
+	dl: count;		# data length (xxx: not in original tcphdr!)
+	flags: count;		# flags
+	win: count;		# window
+};
+
+type udp_hdr: record {
+	sport: port;		# source port
+	dport: port;		# destination port
+	ulen: count;		# udp length
+};
+
+
+# Holds an ip_hdr and one of tcp_hdr, udp_hdr, or icmp_hdr.
+type pkt_hdr: record {
+	ip: ip_hdr;
+	tcp: tcp_hdr &optional;
+	udp: udp_hdr &optional;
+	icmp: icmp_hdr &optional;
+};
+
+
+# If you add elements here, then for a given BPF filter as index, when
+# a packet matching that filter is captured, the corresponding event handler
+# will be invoked.
+global secondary_filters: table[string] of event(filter: string, pkt: pkt_hdr)
+	&redef;
+
+global discarder_maxlen = 128 &redef;	# maximum amount of data passed to fnc
+
+global discarder_check_ip: function(i: ip_hdr): bool;
+global discarder_check_tcp: function(i: ip_hdr, t: tcp_hdr, d: string): bool;
+global discarder_check_udp: function(i: ip_hdr, u: udp_hdr, d: string): bool;
+global discarder_check_icmp: function(i: ip_hdr, ih: icmp_hdr): bool;
+# End of definition of access to packet headers, discarders.
+
+
+type net_stats: record {
+	# All counts are cumulative.
+	pkts_recvd: count;	# pkts received by Bro
+	pkts_dropped: count;	# pkts dropped
+	pkts_link: count;	# pkts seen on link (not always available)
+};
+
+
+const watchdog_interval = 10 sec &redef;
+const heartbeat_interval = 10 sec &redef;
+
+# The maximum number of timers to expire after processing each new
+# packet.  The value trades off spreading out the timer expiration load
+# with possibly having to hold state longer.  A value of 0 means
+# "process all expired timers with each new packet".
+const max_timer_expires = 300 &redef;
+
+# With a similar trade-off, this gives the number of remote events
+# to process in a batch before interleaving other activity.
+const max_remote_events_processed = 10 &redef;
+
+# These need to match the definitions in Login.h.
+const LOGIN_STATE_AUTHENTICATE = 0;	# trying to authenticate
+const LOGIN_STATE_LOGGED_IN = 1;	# successful authentication
+const LOGIN_STATE_SKIP = 2;	# skip any further processing
+const LOGIN_STATE_CONFUSED = 3;	# we're confused
+
+# It would be nice to replace these function definitions with some
+# form of parameterized types.
+function min_double(a: double, b: double): double { return a < b ? a : b; }
+function max_double(a: double, b: double): double { return a > b ? a : b; }
+function min_interval(a: interval, b: interval): interval { return a < b ? a : b; }
+function max_interval(a: interval, b: interval): interval { return a > b ? a : b; }
+function min_count(a: count, b: count): count { return a < b ? a : b; }
+function max_count(a: count, b: count): count { return a > b ? a : b; }
+
+global skip_authentication: set[string] &redef;
+global direct_login_prompts: set[string] &redef;
+global login_prompts: set[string] &redef;
+global login_non_failure_msgs: set[string] &redef;
+global login_failure_msgs: set[string] &redef;
+global login_success_msgs: set[string] &redef;
+global login_timeouts: set[string] &redef;
+
+type mime_header_rec: record {
+	name: string;
+	value: string;
+};
+type mime_header_list: table[count] of mime_header_rec;
+global mime_segment_length = 1024 &redef;
+global mime_segment_overlap_length = 0 &redef;
+
+type pm_mapping: record {
+	program: count;
+	version: count;
+	p: port;
+};
+
+type pm_mappings: table[count] of pm_mapping;
+
+type pm_port_request: record {
+	program: count;
+	version: count;
+	is_tcp: bool;
+};
+
+type pm_callit_request: record {
+	program: count;
+	version: count;
+	proc: count;
+	arg_size: count;
+};
+
+# See const.bif
+# const RPC_SUCCESS = 0;
+# const RPC_PROG_UNAVAIL = 1;
+# const RPC_PROG_MISMATCH = 2;
+# const RPC_PROC_UNAVAIL = 3;
+# const RPC_GARBAGE_ARGS = 4;
+# const RPC_SYSTEM_ERR = 5;
+# const RPC_TIMEOUT = 6;
+# const RPC_AUTH_ERROR = 7;
+# const RPC_UNKNOWN_ERROR = 8;
+
+const RPC_status = {
+	[RPC_SUCCESS] = "ok",
+	[RPC_PROG_UNAVAIL] = "prog unavail",
+	[RPC_PROG_MISMATCH] = "mismatch",
+	[RPC_PROC_UNAVAIL] = "proc unavail",
+	[RPC_GARBAGE_ARGS] = "garbage args",
+	[RPC_SYSTEM_ERR] = "system err",
+	[RPC_TIMEOUT] = "timeout",
+	[RPC_AUTH_ERROR] = "auth error",
+	[RPC_UNKNOWN_ERROR] = "unknown"
+};
+
+
+type nfs3_file_type: enum {
+	NFS3_REG, NFS3_DIR, NFS3_BLK, NFS3_CHR, NFS3_LNK, NFS3_SOCK, NFS3_FIFO,
+};
+
+type nfs3_attrs: record {
+	ftype: nfs3_file_type;
+	mode: count;
+	nlink: count;
+	uid: count;
+	gid: count;
+	size: double;
+	used: double;
+	rdev1: count;
+	rdev2: count;
+	fsid: double;
+	fileid: double;
+	atime: time;
+	mtime: time;
+	ctime: time;
+};
+
+type nfs3_opt_attrs: record {
+	attrs: nfs3_attrs &optional;
+};
+
+type nfs3_lookup_args: record {
+	fh: string;	# file handle of directory in which to search
+	name: string;	# name of file to look for in directory
+};
+
+type nfs3_lookup_reply: record {
+	fh: string;	# file handle of object looked up
+	file_attr: nfs3_opt_attrs;	# optional attributes associated w/ file
+	dir_attr: nfs3_opt_attrs;	# optional attributes associated w/ dir.
+};
+
+type nfs3_fsstat: record {
+	attrs: nfs3_opt_attrs;
+	tbytes: double;
+	fbytes: double;
+	abytes: double;
+	tfiles: double;
+	ffiles: double;
+	afiles: double;
+	invarsec: interval;
+};
+
+
+type ntp_msg: record {
+	id: count;
+	code: count;
+	stratum: count;
+	poll: count;
+	precision: int;
+	distance: interval;
+	dispersion: interval;
+	ref_t: time;
+	originate_t: time;
+	receive_t: time;
+	xmit_t: time;
+};
+
+
+# Maps Samba command numbers to descriptive names.
+global samba_cmds: table[count] of string &redef
+			&default = function(c: count): string
+				{ return fmt("samba-unknown-%d", c); };
+
+type smb_hdr : record {
+	command: count;
+	status: count;
+	flags: count;
+	flags2: count;
+	tid: count;
+	pid: count;
+	uid: count;
+	mid: count;
+};
+
+type smb_trans : record {
+	word_count: count;
+	total_param_count: count;
+	total_data_count: count;
+	max_param_count: count;
+	max_data_count: count;
+	max_setup_count: count;
+#	flags: count;
+#	timeout: count;
+	param_count: count;
+	param_offset: count;
+	data_count: count;
+	data_offset: count;
+	setup_count: count;
+	setup0: count;
+	setup1: count;
+	setup2: count;
+	setup3: count;
+	byte_count: count;
+	parameters: string;
+};
+
+type smb_trans_data : record {
+	data : string;
+};
+
+type smb_tree_connect : record {
+	flags: count;
+	password: string;
+	path: string;
+	service: string;
+};
+
+type smb_negotiate : table[count] of string;
+
+# A list of router addresses offered by the server.
+type dhcp_router_list: table[count] of addr;
+
+type dhcp_msg: record {
+	op: count;	# message OP code. 1 = BOOTREQUEST, 2 = BOOTREPLY
+	m_type: count;	# the type of DHCP message
+	xid: count;	# transaction ID of a DHCP session
+	h_addr: string;	# hardware address of the client
+	ciaddr: addr;	# original IP address of the client
+	yiaddr: addr;	# IP address assigned to the client
+};
+
+type dns_msg: record {
+	id: count;
+
+	opcode: count;
+	rcode: count;
+
+	QR: bool;
+	AA: bool;
+	TC: bool;
+	RD: bool;
+	RA: bool;
+	Z: count;
+
+	num_queries: count;
+	num_answers: count;
+	num_auth: count;
+	num_addl: count;
+};
+
+type dns_soa: record {
+	mname: string;	# primary source of data for zone
+	rname: string;	# mailbox for responsible person
+	serial: count;	# version number of zone
+	refresh: interval;	# seconds before refreshing
+	retry: interval;	# how long before retrying failed refresh
+	expire: interval;	# when zone no longer authoritative
+	minimum: interval;	# minimum TTL to use when exporting
+};
+
+type dns_edns_additional: record {
+	query: string;
+	qtype: count;
+	t: count;
+	payload_size: count;
+	extended_rcode: count;
+	version: count;
+	z_field: count;
+	TTL: interval;
+	is_query: count;
+};
+
+type dns_tsig_additional: record {
+	query: string;
+	qtype: count;
+	alg_name: string;
+	sig: string;
+	time_signed: time;
+	fudge: time;
+	orig_id: count;
+	rr_error: count;
+	is_query: count;
+};
+
+# Different values for "answer_type" in the following.  DNS_QUERY
+# shouldn't occur, it's just for completeness.
+const DNS_QUERY = 0;
+const DNS_ANS = 1;
+const DNS_AUTH = 2;
+const DNS_ADDL = 3;
+
+type dns_answer: record {
+	answer_type: count;
+	query: string;
+	qtype: count;
+	qclass: count;
+	TTL: interval;
+};
+
+# For servers in these sets, omit processing the AUTH or ADDL records
+# they include in their replies.
+global dns_skip_auth: set[addr] &redef;
+global dns_skip_addl: set[addr] &redef;
+
+# If the following are true, then all AUTH or ADDL records are skipped.
+global dns_skip_all_auth = T &redef;
+global dns_skip_all_addl = T &redef;
+
+# If a DNS request includes more than this many queries, assume it's
+# non-DNS traffic and do not process it.  Set to 0 to turn off this
+# functionality.
+global dns_max_queries = 5;
+
+# The maxiumum size in bytes for an SSL cipherspec.  If we see a packet that
+# has bigger cipherspecs, we warn and won't do a comparisons of cipherspecs.
+const ssl_max_cipherspec_size = 45 &redef;
+
+# SSL and X.509 types.
+type cipher_suites_list: set[count];
+type SSL_sessionID: table[count] of count;
+type X509_extension: table[count] of string;
+type X509: record {
+	issuer: string;
+	subject: string;
+	orig_addr: addr;
+};
+
+type http_stats_rec: record {
+	num_requests: count;
+	num_replies: count;
+	request_version: double;
+	reply_version: double;
+};
+
+type http_message_stat: record {
+	start: time;		# when the request/reply line was complete
+	interrupted: bool;	# whether the message is interrupted
+	finish_msg: string;	# reason phrase if interrupted
+	body_length: count;	# length of body processed
+				#  (before finished/interrupted)
+	content_gap_length: count;	# total len of gaps within body_length
+	header_length: count;	# length of headers
+				#  (including the req/reply line,
+				#   but not CR/LF's)
+};
+
+global http_entity_data_delivery_size = 1500 &redef;
+
+# Truncate URIs longer than this to prevent over-long URIs (usually sent
+# by worms) from slowing down event processing.  A value of -1 means "do
+# not truncate".
+const truncate_http_URI = -1 &redef;
+
+# IRC-related globals to which the event engine is sensitive.
+type irc_join_info: record {
+	nick: string;
+	channel: string;
+	password: string;
+	usermode: string;
+};
+type irc_join_list: set[irc_join_info];
+global irc_servers : set[addr] &redef;
+
+# Stepping-stone globals.
+const stp_delta: interval &redef;
+const stp_idle_min: interval &redef;
+
+# Don't do analysis on these sources.  Used to avoid overload from scanners.
+global stp_skip_src: set[addr] &redef;
+
+const interconn_min_interarrival: interval &redef;
+const interconn_max_interarrival: interval &redef;
+const interconn_max_keystroke_pkt_size: count &redef;
+const interconn_default_pkt_size: count &redef;
+const interconn_stat_period: interval &redef;
+const interconn_stat_backoff: double &redef;
+
+type interconn_endp_stats: record {
+	num_pkts: count;
+	num_keystrokes_two_in_row: count;
+	num_normal_interarrivals: count;
+	num_8k0_pkts: count;
+	num_8k4_pkts: count;
+	is_partial: bool;
+	num_bytes: count;
+	num_7bit_ascii: count;
+	num_lines: count;
+	num_normal_lines: count;
+};
+
+const backdoor_stat_period: interval &redef;
+const backdoor_stat_backoff: double &redef;
+
+type backdoor_endp_stats: record {
+	is_partial: bool;
+	num_pkts: count;
+	num_8k0_pkts: count;
+	num_8k4_pkts: count;
+	num_lines: count;
+	num_normal_lines: count;
+	num_bytes: count;
+	num_7bit_ascii: count;
+};
+
+type signature_state: record {
+	id: string;          # ID of the signature
+	conn: connection;    # Current connection
+	is_orig: bool;       # True if current endpoint is originator
+	payload_size: count; # Payload size of the first pkt of curr. endpoint
+
+};
+
+type software_version: record {
+	major: int;	# Major version number
+	minor: int;	# Minor version number
+	minor2: int;	# Minor subversion number
+	addl: string;	# Additional version string (e.g. "beta42")
+};
+
+type software: record {
+	name: string;	# Unique name of a software, e.g., "OS"
+	version: software_version;
+};
+
+# The following describe the quality of signature matches used
+# for passive fingerprinting.
+type OS_version_inference: enum {
+	direct_inference, generic_inference, fuzzy_inference,
+};
+
+type OS_version: record {
+	genre: string;	# Linux, Windows, AIX, ...
+	detail: string;	# kernel version or such
+	dist: count;	# how far is the host away from the sensor (TTL)?
+	match_type: OS_version_inference;
+};
+
+# Defines for which subnets we should do passive fingerprinting.
+global generate_OS_version_event: set[subnet] &redef;
+
+# Type used to report load samples via load_sample().  For now,
+# it's a set of names (event names, source file names, and perhaps
+# <source file, line number>'s, which were seen during the sample.
+type load_sample_info: set[string];
+
+# NetFlow-related data structures.
+
+# The following provides a mean to sort together flow headers and flow
+# records at the script level.  rcvr_id equals the name of the file
+# (e.g., netflow.dat) or the socket address (e.g., 127.0.0.1:5555),
+# or an explicit name if specified to -y or -Y; pdu_id is just a serial
+# number, ignoring any overflows.
+type nfheader_id: record {
+	rcvr_id: string;
+	pdu_id: count;
+};
+
+type nf_v5_header: record {
+	h_id: nfheader_id;	# ID for sorting, per the above
+	cnt: count;
+	sysuptime: interval;	# router's uptime
+	exporttime: time;	# when the data was exported
+	flow_seq: count;
+	eng_type: count;
+	eng_id: count;
+	sample_int: count;
+	exporter: addr;
+};
+
+type nf_v5_record: record {
+	h_id: nfheader_id;
+	id: conn_id;
+	nexthop: addr;
+	input: count;
+	output: count;
+	pkts: count;
+	octets: count;
+	first: time;
+	last: time;
+	tcpflag_fin: bool;	# Taken from tcpflags in NF V5; or directly.
+	tcpflag_syn: bool;
+	tcpflag_rst: bool;
+	tcpflag_psh: bool;
+	tcpflag_ack: bool;
+	tcpflag_urg: bool;
+	proto: count;
+	tos: count;
+	src_as: count;
+	dst_as: count;
+	src_mask: count;
+	dst_mask: count;
+};
+
+
+# The peer record and the corresponding set type used by the
+# BitTorrent analyzer.
+type bittorrent_peer: record {
+	h: addr;
+	p: port;
+};
+type bittorrent_peer_set: set[bittorrent_peer];
+
+# The benc value record and the corresponding table type used by the
+# BitTorrenttracker analyzer.  Note that "benc" = Bencode ("Bee-Encode"),
+# per http://en.wikipedia.org/wiki/Bencode.
+type bittorrent_benc_value: record {
+	i: int &optional;
+	s: string &optional;
+	d: string &optional;
+	l: string &optional;
+};
+type bittorrent_benc_dir: table[string] of bittorrent_benc_value;
+
+# The header table type used by the bittorrenttracker analyzer.
+type bt_tracker_headers: table[string] of string;
+
+@load event.bif.bro
+
+@load common-rw.bif.bro
+@load finger-rw.bif.bro
+@load ftp-rw.bif.bro
+@load ident-rw.bif.bro
+@load smtp-rw.bif.bro
+@load http-rw.bif.bro
+@load dns-rw.bif.bro
+
+function subst(s: string, from: pattern, to: string): string
+	{
+	local p = split_all(s, from);
+
+	for ( p_i in p )
+		if ( p_i % 2 == 0 )
+			p[p_i] = to;
+
+	return cat_string_array(p);
+	}
+
+
+type pattern_match_result: record {
+	matched: bool;
+	str: string;
+	off: count;
+};
+
+function match_pattern(s: string, p:pattern): pattern_match_result
+	{
+	local a = split_n(s, p, T, 1);
+
+	if ( length(a) == 1 )
+		# no match
+		return [$matched = F, $str = "", $off = 0];
+	else
+		return [$matched = T, $str = a[2], $off = byte_len(a[1]) + 1];
+	}
+
+function cut_tail(s: string, tail_len: count): string
+	{
+	local len = byte_len(s);
+
+	if ( tail_len > len )
+		tail_len = len;
+
+	return sub_bytes(s, 1, int_to_count(len - tail_len));
+	}
+
+# Given a string, returns an escaped version.  This means that
+# (1) any occurrences of any character in "chars" are escaped using '\', and
+# (2) any '\'s are likewise escaped.
+function string_escape(s: string, chars: string): string
+	{
+	s = subst_string(s, "\\", "\\\\");
+	for ( c in chars )
+		s = subst_string(s, c, cat("\\", c));
+	return s;
+	}
+
+@load pcap.bro
+
+# Rotate logs every x seconds.
+const log_rotate_interval = 0 sec &redef;
+
+# If set, rotate logs at given time + i * log_rotate_interval.
+# (string is time in 24h format, e.g., "18:00").
+const log_rotate_base_time = "" &redef;
+
+# Rotate logs when they reach this size (in bytes).  Note, the
+# parameter is a double rather than a count to enable easy expression
+# of large values such as 1e7 or exceeding 2^32.
+const log_max_size = 0.0 &redef;
+
+# Default public key for encrypting log files.
+const log_encryption_key = "<undefined>" &redef;
+
+# Write profiling info into this file.
+global profiling_file: file &redef;
+
+# Update interval for profiling (0 disables).
+const profiling_interval = 0 secs &redef;
+
+# Multiples of profiling_interval at which (expensive) memory
+# profiling is done (0 disables).
+const expensive_profiling_multiple = 0 &redef;
+
+# If true, then write segment profiling information (very high volume!)
+# in addition to statistics.
+const segment_profiling = F &redef;
+
+# Output packet profiling information every <freq> secs (mode 1),
+# every <freq> packets (mode 2), or every <freq> bytes (mode 3).
+# Mode 0 disables.
+type pkt_profile_modes: enum {
+	PKT_PROFILE_MODE_NONE,
+	PKT_PROFILE_MODE_SECS,
+	PKT_PROFILE_MODE_PKTS,
+	PKT_PROFILE_MODE_BYTES,
+};
+const pkt_profile_mode = PKT_PROFILE_MODE_NONE &redef;
+
+# Frequency associated with packet profiling.
+const pkt_profile_freq = 0.0 &redef;
+
+# File where packet profiles are logged.
+global pkt_profile_file: file &redef;
+
+# Rate at which to generate load_sample events, *if* you've also
+# defined a load_sample handler.  Units are inverse number of packets;
+# e.g., a value of 20 means "roughly one in every 20 packets".
+global load_sample_freq = 20 &redef;
+
+# Rate at which to generate gap_report events assessing to what
+# degree the measurement process appears to exhibit loss.
+const gap_report_freq = 1.0 sec &redef;
+
+# Globals associated with entire-run statistics on gaps (useful
+# for final summaries).
+
+# The CA certificate file to authorize remote Bros.
+const ssl_ca_certificate = "<undefined>" &redef;
+
+# File containing our private key and our certificate.
+const ssl_private_key = "<undefined>" &redef;
+
+# The passphrase for our private key. Keeping this undefined
+# causes Bro to prompt for the passphrase.
+const ssl_passphrase = "<undefined>" &redef;
+
+# Whether the Bro-level packet filter drops packets per default or not.
+const packet_filter_default = F &redef;
+
+# Maximum size of regular expression groups for signature matching.
+const sig_max_group_size = 50 &redef;
+
+# If true, send logger messages to syslog.
+const enable_syslog = T &redef;
+
+# This is transmitted to peers receiving our events.
+const peer_description = "" &redef;
+
+# If true, broadcast events/state received from one peer to other peers.
+# NOTE: These options are only temporary. They will disappear when we get a
+# more sophisticated script-level communication framework.
+const forward_remote_events = F &redef;
+const forward_remote_state_changes = F &redef;
+
+const PEER_ID_NONE = 0;
+
+# Whether to use the connection tracker.
+const use_connection_compressor = T &redef;
+
+# Whether compressor should handle refused connections itself.
+const cc_handle_resets = F &redef;
+
+# Whether compressor should only take care of initial SYNs.
+# (By default on, this is basically "connection compressor lite".)
+const cc_handle_only_syns = T &redef;
+
+# Whether compressor instantiates full state when originator sends a
+# non-control packet.
+const cc_instantiate_on_data = F &redef;
+
+# Signature payload pattern types
+const SIG_PATTERN_PAYLOAD = 0;
+const SIG_PATTERN_HTTP = 1;
+const SIG_PATTERN_FTP = 2;
+const SIG_PATTERN_FINGER = 3;
+
+# Log-levels for remote_log.
+# Eventually we should create a general logging framework and merge these in.
+const REMOTE_LOG_INFO = 1;
+const REMOTE_LOG_ERROR = 2;
+
+# Sources for remote_log.
+const REMOTE_SRC_CHILD = 1;
+const REMOTE_SRC_PARENT = 2;
+const REMOTE_SRC_SCRIPT = 3;
+
+# Synchronize trace processing at a regular basis in pseudo-realtime mode.
+const remote_trace_sync_interval = 0 secs &redef;
+
+# Number of peers across which to synchronize trace processing.
+const remote_trace_sync_peers = 0 &redef;
+
+# Whether for &synchronized state to send the old value as a consistency check.
+const remote_check_sync_consistency = F &redef;
+
+# Prepend the peer description, if set.
+function prefixed_id(id: count): string
+	{
+	if ( peer_description == "" )
+		return fmt("%s", id);
+	else
+		return cat(peer_description, "-", id);
+	}
+
+# Analyzer tags. The core automatically defines constants
+# ANALYZER_<analyzer-name>*, e.g., ANALYZER_HTTP.
+type AnalyzerTag: count;
+
+# DPM configuration.
+
+type dpd_protocol_config: record {
+	ports: set[port] &optional;
+};
+
+const dpd_config: table[AnalyzerTag] of dpd_protocol_config = {} &redef;
+
+# Reassemble the beginning of all TCP connections before doing
+# signature-matching for protocol detection.
+const dpd_reassemble_first_packets = T &redef;
+
+# Size of per-connection buffer in bytes. If the buffer is full, data is
+# deleted and lost to analyzers that are activated afterwards.
+const dpd_buffer_size = 1024 &redef;
+
+# If true, stops signature matching if dpd_buffer_size has been reached.
+const dpd_match_only_beginning = T &redef;
+
+# If true, don't consider any ports for deciding which analyzer to use.
+const dpd_ignore_ports = F &redef;
+
+# Ports which the core considers being likely used by servers.
+const likely_server_ports: set[port] &redef;
+
+# Set of all ports for which we know an analyzer.
+global dpd_analyzer_ports: table[port] of set[AnalyzerTag];
+
+event bro_init()
+	{
+	for ( a in dpd_config )
+		for ( p in dpd_config[a]$ports )
+			{
+			if ( p !in dpd_analyzer_ports )
+				{
+				local empty_set: set[AnalyzerTag];
+				dpd_analyzer_ports[p] = empty_set;
+				}
+
+			add dpd_analyzer_ports[p][a];
+			}
+	}
+
+@load server-ports
+
+# Per-incident timer managers are drained after this amount of inactivity.
+const timer_mgr_inactivity_timeout = 1 min &redef;
+
+# Time-out for expected connections.
+const expected_connection_timeout = 5 min &redef;
+
+# If true, output profiling for time-machine queries.
+const time_machine_profiling = F &redef;
+
+# If true, warns about unused event handlers at startup.
+const check_for_unused_event_handlers = F &redef;
+
+# If true, dumps all invoked event handlers at startup.
+const dump_used_event_handlers = F &redef;
+
+# If true, we suppress prints to local files if we have a receiver for
+# print_hook events.  Ignored for files with a &disable_print_hook attribute.
+const suppress_local_output = F &redef;
+
+# Holds the filename of the trace file given with -w (empty if none).
+const trace_output_file = "";
+  
+# If a trace file is given, dump *all* packets seen by Bro into it.
+# By default, Bro applies (very few) heuristics to reduce the volume.
+# A side effect of setting this to true is that we can write the
+# packets out before we actually process them, which can be helpful
+# for debugging in case the analysis triggers a crash.
+const record_all_packets = F &redef;
diff --git a/policy/brolite-backdoor.bro b/policy/brolite-backdoor.bro
new file mode 100644
index 0000000000..496ee4e075
--- /dev/null
+++ b/policy/brolite-backdoor.bro
@@ -0,0 +1,56 @@
+# $Id: brolite-backdoor.bro 2956 2006-05-14 01:08:34Z vern $
+
+# Sample file for running backdoor detector
+#
+# Note, this can consume significant processing resources when running
+# on live traffic.
+#
+# To run bro with this script using a Bro Lite setup:
+#
+#  rename this script to hostname.bro
+#  run: $BROHOME/etc/bro.rc start
+#  	or bro -i interface brolite-backdoor.bro
+
+@load site
+
+@load backdoor
+@load alarm
+@load weird
+
+# By default, do backdoor detection on everything except standard HTTP
+# and SMTP ports.
+redef capture_filters += [ ["tcp"] = "tcp" ];
+redef restrict_filters +=
+	[ ["not-http"] = "not (port 80 or port 8000 or port 8080)" ];
+redef restrict_filters += [ ["not-smtp"] = "not (port 25 or port 587)" ];
+
+redef use_tagging = T;
+
+# Set if you want to dump packets that trigger the detections.
+redef dump_backdoor_packets = T;
+
+# Disable (set to T) if you don't care about this traffic.
+# redef gnutella_sig_disabled = T;
+# redef kazaa_sig_disabled = T;
+
+redef napster_sig_disabled = T;	# too many false positives
+
+# Ignore outgoing, only report incoming backdoors.
+redef backdoor_ignore_remote += {
+	ftp_backdoor_sigs, ssh_backdoor_sigs, rlogin_backdoor_sigs,
+	http_backdoor_sigs, http_proxy_backdoor_sigs, smtp_backdoor_sigs,
+};
+
+# Set these to send mail on backdoor alarms.
+# redef mail_dest = "youremail@yourhost.dom";
+# redef notice_action_filters += {
+#	[BackdoorFound] = send_email_notice,
+#};
+
+# Tuning: use more aggressive timeouts to reduce CPU and memory, as these
+#	have little effect on backdoor analysis.
+redef tcp_SYN_timeout = 1 sec;
+redef tcp_attempt_delay = 1 sec;
+redef tcp_inactivity_timeout = 1 min;
+redef udp_inactivity_timeout = 5 secs;
+redef icmp_inactivity_timeout = 5 secs;
diff --git a/policy/brolite-sigs.bro b/policy/brolite-sigs.bro
new file mode 100644
index 0000000000..82cc3f63bc
--- /dev/null
+++ b/policy/brolite-sigs.bro
@@ -0,0 +1,83 @@
+# $Id: brolite-sigs.bro 3856 2006-12-02 00:18:57Z vern $
+
+# Bro Lite signature configuration file
+
+# General policy - these scripts are more infrastructural than service
+# oriented, so in general avoid changing anything here.
+@load alarm	# open logging file for alarm events
+
+# Set global constant.  This can be used in ifdef statements to determine 
+# if signatures are enabled.
+const use_signatures = T;
+
+@load snort		# basic definitions for signatures
+@load signatures	# the signature policy engine
+@load sig-functions	# addl. functions added for signature accuracy
+@load sig-action	# actions related to particular signatures
+
+# Flag HTTP worm sources such as Code Red.
+@load worm
+
+# Do worm processing
+redef notice_action_filters += { [RemoteWorm] = file_notice };
+
+# Ports that need to be captured for signatures to see a useful
+# cross section of traffic.
+redef capture_filters += {
+	["sig-http"] =
+		"tcp port 80 or tcp port 8080 or tcp port 8000 or tcp port 8001",
+	["sig-ftp"] = "port ftp",
+	["sig-telnet"] = "port telnet",
+	["sig-portmapper"] = "port 111",
+	["sig-smtp"] = "port smtp",
+	["sig-imap"] = "port 143",
+	["sig-snmp"] = "port 161 or port 162",
+	["sig-dns"] = "port 53",
+
+	# rsh/rlogin/rexec
+	["sig-rfoo"] = "port 512 or port 513 or port 515",
+
+	# Range of TCP ports for general RPC traffic.  This can also
+	# occur on other ports, but these should catch a lot without
+	# a major performance hit.  We skip ports assosciated with
+	# HTTP, SSH and M$.
+	["sig-rpc"] = "tcp[2:2] > 32770 and tcp[2:2] < 32901 and tcp[0:2] != 80 and tcp[0:2] != 22 and tcp[0:2] != 139",
+};
+
+### Why is this called "tcp3"?
+# Catch outbound M$ scanning.   Returns filter listing local addresses
+# along with the interesting ports.
+function create_tcp3_filter(): string
+	{
+	local local_addrs = "";
+	local firsttime = T;
+
+	for ( l in local_nets )
+		{
+		if ( firsttime )
+			{
+			local_addrs = fmt("src net %s", l);
+			firsttime = F;
+			}
+		else
+			local_addrs = fmt("%s or src net %s", local_addrs, l);
+		}
+
+	local MS_scan_ports =
+		"dst port 135 or dst port 137 or dst port 139 or dst port 445";
+
+	if ( local_addrs == "" )
+		return MS_scan_ports;
+	else
+		return fmt("(%s) and (%s)", local_addrs, MS_scan_ports);
+	}
+
+# Create and apply the filter.
+redef capture_filters += { ["tcp3"] = create_tcp3_filter()};
+
+# Turn on ICMP analysis.
+redef capture_filters += { ["icmp"] = "icmp"};
+
+# Load the addendum signatures.  These are utility signatures that do not
+# produce event messages.
+redef signature_files += "sig-addendum";
diff --git a/policy/brolite.bro b/policy/brolite.bro
new file mode 100644
index 0000000000..79492143c1
--- /dev/null
+++ b/policy/brolite.bro
@@ -0,0 +1,195 @@
+# Bro Lite base configuration file.
+
+# General policy - these scripts are more infrastructural than service
+# oriented, so in general avoid changing anything here.
+
+@load site	# defines local and neighbor networks from static config
+@load tcp	# initialize BPF filter for SYN/FIN/RST TCP packets
+@load weird	# initialize generic mechanism for unusual events
+@load conn	# access and record connection events
+@load hot	# defines certain forms of sensitive access
+@load frag	# process TCP fragments
+@load print-resources	# on exit, print resource usage information
+
+# Scan detection policy.
+@load scan	# generic scan detection mechanism
+@load trw	# additional, more sensitive scan detection
+#@load drop	# include if installation has ability to drop hostile remotes
+
+# Application level policy - these scripts operate on the specific service.
+@load http	# general http analyzer, low level of detail
+@load http-request	# detailed analysis of http requests
+@load http-reply	# detailed analysis of http reply's
+
+# Track software versions; required for some signature matching.  Also
+# can be used by http and ftp policies.
+@load software
+
+@load ftp	# FTP analysis
+@load portmapper	# record and analyze RPC portmapper requests
+@load tftp	# identify and log TFTP sessions
+@load login	# rlogin/telnet analyzer
+@load irc	# IRC analyzer
+@load blaster	# blaster worm detection
+@load stepping	# "stepping stone" detection
+@load synflood	# synflood attacks detection
+@load smtp	# record and analyze email traffic - somewhat expensive
+
+@load notice-policy	# tuning of notices to downgrade some alarms
+
+# off by default
+#@load icmp	# icmp analysis
+
+# Tuning of memory consumption.
+@load inactivity	# time out connections for certain services more quickly
+# @load print-globals	# on exit, print the size of global script variables
+
+# Record system statistics to the notice file
+@load stats
+
+# udp analysis - potentially expensive, depending on a site's traffic profile
+#@load udp.all
+#@load remove-multicast
+
+# Prints the pcap filter and immediately exits.  Not used during
+# normal operation.
+#@load print-filter
+
+## End policy script loading.
+
+## General configuration.
+
+@load rotate-logs
+redef log_rotate_base_time = "0:00";
+redef log_rotate_interval = 24 hr;
+
+
+# Set additional policy prefixes.
+@prefixes += lite
+
+## End basic configuration.
+
+
+## Scan configuration.
+@ifdef ( Scan::analyze_all_services )
+	redef Scan::analyze_all_services = T;
+
+	# The following turns off scan detection.
+	#redef Scan::suppress_scan_checks = T;
+
+	# Be a bit more aggressive than default (though the defaults
+	# themselves should be fixed).
+	redef Scan::report_outbound_peer_scan = { 100, 1000, };
+
+	# These services are skipped for scan detection due to excessive
+	# background noise.
+	redef Scan::skip_services += {
+		http,           # Avoid Code Red etc. overload
+		27374/tcp,      # Massive scanning in Jan 2002
+		1214/tcp,       # KaZaa scans
+		12345/tcp,      # Massive scanning in Apr 2002
+		445/tcp,        # Massive distributed scanning Oct 2002
+		135/tcp,        # These days, NetBIOS scanning is endemic
+		137/udp,	# NetBIOS
+		139/tcp,	# NetBIOS
+		1025/tcp,
+		6129/tcp,       # Dameware
+		3127/tcp,       # MyDoom worms worms worms!
+		2745/tcp,       # Bagel worm
+		1433/tcp,       # Distributed scanning, April 2004
+		5000/tcp,       # Distributed scanning, May 2004
+		5554/tcp,       # More worm food, May 2004
+		9898/tcp,       # Worms attacking worms. ugh - May 2004
+		3410/tcp,       # More worm food, June 2004
+		3140/tcp,       # Dyslexic worm food, June 2004
+		27347/tcp,      # Can't kids type anymore?
+		1023/tcp,       # Massive scanning, July 2004
+		17300/tcp,      # Massive scanning, July 2004
+	};
+
+@endif
+
+@ifdef ( ICMP::detect_scans )
+	# Whether to detect ICMP scans.
+	redef ICMP::detect_scans = F;
+	redef ICMP::scan_threshold = 100;
+@endif
+
+@ifdef ( TRW::TRWAddressScan )
+	# remove logging TRW scan events
+	redef notice_action_filters += {
+		[TRW::TRWAddressScan] = ignore_notice,
+	};
+@endif
+
+# Note: default scan configuration is conservative in terms of memory use and
+# might miss slow scans. Consider uncommenting these based on your sites scan
+# traffic.
+#redef distinct_peers &create_expire = 30 mins;
+#redef distinct_ports &create_expire = 30 mins;
+#redef distinct_low_ports &create_expire= 30 mins;
+
+
+## End scan configuration.
+
+## additional IRC checks
+redef IRC::hot_words += /.*exe/ ;
+
+
+## Dynamic Protocol Detection configuration
+#
+# This is off by default, as it requires a more powerful Bro host.
+# Uncomment next line to activate.
+# const use_dpd = T;
+
+@ifdef ( use_dpd )
+	@load dpd
+	@load irc-bot
+	@load dyn-disable
+	@load detect-protocols
+	@load detect-protocols-http
+	@load proxy
+	@load ssh
+
+	# By default, DPD looks at all traffic except port 80.
+	# For lightly loaded networks, comment out the restrict_filters line.
+	# For heavily loaded networks, try adding addition ports (e.g., 25) to
+	#   the restrict filters.
+	redef capture_filters += [ ["tcp"] = "tcp" ];
+	redef restrict_filters += [ ["not-http"] = "not (port 80)" ];
+@endif
+
+@ifdef ( ProtocolDetector::ServerFound )
+# Report servers on non-standard ports only for local addresses.
+redef notice_policy += {
+	[$pred(a: notice_info) =
+		{ return a$note == ProtocolDetector::ServerFound &&
+					! is_local_addr(a$src); },
+	 $result = NOTICE_FILE,
+	 $priority = 1],
+
+	# Report protocols on non-standard ports only for local addresses
+	# (unless it's IRC).
+	[$pred(a: notice_info) =
+		{ return a$note == ProtocolDetector::ProtocolFound &&
+					! is_local_addr(a$dst) &&
+					a$sub != "IRC"; },
+	 $result = NOTICE_FILE,
+	 $priority = 1],
+};
+@endif
+
+# The following is used to transfer state between Bro's when one
+# takes over from another.
+#
+# NOTE: not implemented in the production version, so ignored for now.
+@ifdef ( remote_peers_clear )
+	redef remote_peers_clear += {
+		[127.0.0.1, 55555/tcp] = [$hand_over = T],
+		[127.0.0.1, 0/tcp] = [$hand_over = T]
+	};
+@endif
+
+# Use tagged log files for alarms and notices.
+redef use_tagging = T;
+
diff --git a/policy/bt-tracker.bro b/policy/bt-tracker.bro
new file mode 100644
index 0000000000..dfc948a9e2
--- /dev/null
+++ b/policy/bt-tracker.bro
@@ -0,0 +1,190 @@
+# $Id:$
+#
+# bt-tracker.bro - analysis of BitTorrent tracker traffic
+# ------------------------------------------------------------------------------
+# This code contributed by Nadi Sarrar.
+
+@load dpd
+@load weird
+
+module BitTorrent;
+
+export {
+	# Whether to log tracker URIs.
+	global log_tracker_request_uri = F &redef;
+}
+
+redef capture_filters += { ["bittorrent"] = "tcp", };
+
+global bt_tracker_log = open_log_file("bt-tracker") &redef;
+
+global bt_tracker_conns: table[conn_id] of count;
+global tracker_conn_count: count = 0;
+
+
+function bt_log_tag(id: conn_id, cid: count, tag: string, is_orig: bool): string
+	{
+	return fmt("%.6f T%d %s %s:%d %s %s:%d",
+			 network_time(), cid, tag, id$orig_h, id$orig_p,
+			 is_orig ? ">" : "<", id$resp_h, id$resp_p);
+	}
+
+event bt_tracker_request(c: connection, uri: string,
+				headers: bt_tracker_headers)
+	{
+	# Parse and validate URI.
+	local pair = split1(uri, /\?/);
+	local keys = split(pair[2], /&/);
+
+	local info_hash = "";
+	local peer_ide = "";
+	local peer_port = 0/udp;
+	local uploaded = -1;
+	local downloaded = -1;
+	local left = -1;
+	local compact = T;
+	local peer_event = "empty";
+
+	for ( idx in keys )
+		{
+		local keyval = split1(keys[idx], /=/);
+		if ( length(keyval) != 2 )
+			next;
+
+		local key = to_lower(keyval[1]);
+		local val = keyval[2];
+
+		if ( key == "info_hash" )
+			info_hash = unescape_URI(val);
+		else if ( key == "peer_id" )
+			peer_ide = unescape_URI(val);
+		else if ( key == "port" )
+			peer_port = to_port(to_count(val), tcp);
+		else if ( key == "uploaded" )
+			uploaded = to_int(val);
+		else if ( key == "downloaded" )
+			downloaded = to_int(val);
+		else if ( key == "left" )
+			left = to_int(val);
+		else if ( key == "compact" )
+			compact = (to_int(val) == 1);
+
+		else if ( key == "event" )
+			{
+			val = to_lower(val);
+			if ( val == /started|stopped|completed/ )
+				peer_event = val;
+			}
+		}
+
+	if ( info_hash == "" || peer_ide == "" || peer_port == 0/udp )
+		{ # Does not look like BitTorrent.
+		disable_analyzer(c$id, current_analyzer());
+		delete bt_tracker_conns[c$id];
+		return;
+		}
+
+	if ( peer_port != 0/tcp )
+		expect_connection(to_addr("0.0.0.0"), c$id$orig_h,
+					peer_port, ANALYZER_BITTORRENT, 1 min);
+
+	local id: count;
+	if ( c$id in bt_tracker_conns )
+		id = bt_tracker_conns[c$id];
+	else
+		{
+		id = ++tracker_conn_count;
+		bt_tracker_conns[c$id] = id;
+		}
+
+	print bt_tracker_log,
+		fmt("%s [peer_id:%s info_hash:%s port:%s event:%s up:%d down:%d left:%d compact:%s]%s",
+			bt_log_tag(c$id, id, "request", T),
+			bytestring_to_hexstr(peer_ide),
+			bytestring_to_hexstr(info_hash),
+			peer_port, peer_event,
+			uploaded, downloaded, left,
+			compact ? "yes" : "no",
+			log_tracker_request_uri ? fmt(" GET %s", uri) : "");
+	}
+
+function benc_status(benc: bittorrent_benc_dir, tag: string): string
+	{
+	if ( tag !in benc || ! benc[tag]?$i )
+		return "";
+
+	local fmt_tag = sub(tag, / /, "_");
+	return fmt("%s:%d", fmt_tag, benc[tag]$i);
+	}
+
+event bt_tracker_response(c: connection, status: count,
+				headers: bt_tracker_headers,
+				peers: bittorrent_peer_set,
+				benc: bittorrent_benc_dir)
+	{
+	if ( c$id !in bt_tracker_conns )
+		return;
+
+	local id = bt_tracker_conns[c$id];
+
+	for ( peer in peers )
+		expect_connection(c$id$orig_h, peer$h, peer$p,
+					ANALYZER_BITTORRENT, 1 min);
+
+	if ( "failure reason" in benc )
+		{
+		print bt_tracker_log,
+			fmt("%s [failure_reason:\"%s\"]",
+				bt_log_tag(c$id, id, "response", F),
+				benc["failure reason"]?$s ?
+					benc["failure reason"]$s : "");
+		return;
+		}
+
+	print bt_tracker_log,
+		fmt("%s [%s%s%s%s%speers:%d]",
+			bt_log_tag(c$id, id, "response", F),
+			benc_status(benc, "warning message"),
+			benc_status(benc, "complete"),
+			benc_status(benc, "incomplete"),
+			benc_status(benc, "interval"),
+			benc_status(benc, "min interval"),
+			length(peers));
+	}
+
+event bt_tracker_response_not_ok(c: connection, status: count,
+					headers: bt_tracker_headers)
+	{
+	if ( c$id in bt_tracker_conns )
+		{
+		local id = bt_tracker_conns[c$id];
+		print bt_tracker_log,
+			fmt("%s [status:%d]",
+				bt_log_tag(c$id, id, "response", F), status);
+		}
+	}
+
+event bt_tracker_weird(c: connection, is_orig: bool, msg: string)
+	{
+	local id = (c$id in bt_tracker_conns) ? bt_tracker_conns[c$id] : 0;
+	print bt_tracker_log,
+		fmt("%s [%s]", bt_log_tag(c$id, id, "<weird>", is_orig), msg);
+
+	event conn_weird(msg, c);
+	}
+
+event connection_state_remove(c: connection)
+	{
+	if ( c$id !in bt_tracker_conns )
+		return;
+
+	local id = bt_tracker_conns[c$id];
+	delete bt_tracker_conns[c$id];
+
+	print bt_tracker_log,
+		fmt("%s [duration:%.06f total:%d]",
+			# Ideally the direction here wouldn't be T or F
+			# but both, displayed as "<>".
+			bt_log_tag(c$id, id, "<closed>", T), c$duration,
+			c$orig$size + c$resp$size);
+	}
diff --git a/policy/capture-events.bro b/policy/capture-events.bro
new file mode 100644
index 0000000000..2ba6eba7b7
--- /dev/null
+++ b/policy/capture-events.bro
@@ -0,0 +1,9 @@
+#! $Id: capture-events.bro 4674 2007-07-30 22:00:43Z vern $
+#
+# Captures all events to events.bst.
+#
+
+event bro_init()
+	{
+	capture_events("events.bst");
+	}
diff --git a/policy/capture-loss.bro b/policy/capture-loss.bro
new file mode 100644
index 0000000000..a641749bd4
--- /dev/null
+++ b/policy/capture-loss.bro
@@ -0,0 +1,74 @@
+# $Id:$
+
+# Logs evidence regarding the degree to which the packet capture process
+# suffers from measurment loss.
+#
+# By default, only reports loss computed in terms of number of "gap events"
+# (ACKs for a sequence number that's above a gap).  You can also get an
+# estimate in terms of number of bytes missing; this however is sometimes
+# heavily affected by miscomputations due to broken packets with incorrect
+# sequence numbers.  (These packets also affect the first estimator, but
+# only to a quite minor degree.)
+
+@load notice
+
+module CaptureLoss;
+
+export {
+	redef enum Notice += {
+		CaptureLossReport,	# interval report
+		CaptureLossSummary,	# end-of-run summary
+	};
+
+	# Whether to also report byte-weighted estimates.
+	global report_byte_based_estimates = F &redef;
+
+	# Whether to generate per-interval reports even if there
+	# was no evidence of loss.
+	global report_if_none = F &redef;
+
+	# Whether to generate a summary even if there was no
+	# evidence of loss.
+	global summary_if_none = F &redef;
+}
+
+
+# Redefine this to be non-zero to get per-interval reports.
+redef gap_report_freq = 0 sec;
+
+event gap_report(dt: interval, info: gap_info)
+	{
+	if ( info$gap_events > 0 || report_if_none )
+		{
+		local msg = report_byte_based_estimates ?
+			fmt("gap-dt=%.6f acks=%d bytes=%d gaps=%d gap-bytes=%d",
+				dt, info$ack_events, info$ack_bytes,
+				info$gap_events, info$gap_bytes) :
+			fmt("gap-dt=%.6f acks=%d gaps=%d",
+				dt, info$ack_events, info$gap_events);
+
+		NOTICE([$note=CaptureLossReport, $msg=msg]);
+		}
+	}
+ 
+event bro_done()
+	{
+	local g = get_gap_summary();
+
+	local gap_rate =
+		g$ack_events == 0 ? 0.0 :
+			(1.0 * g$gap_events) / (1.0 * g$ack_events);
+	local gap_bytes =
+		g$ack_bytes == 0 ? 0.0 :
+			(1.0 * g$gap_bytes) / (1.0 * g$ack_bytes);
+
+	if ( gap_rate == 0.0 && gap_bytes == 0.0 && ! summary_if_none )
+		return;
+
+	local msg = report_byte_based_estimates ?
+		fmt("estimated rate = %g / %g (events/bytes)",
+			gap_rate, gap_bytes) :
+		fmt("estimated rate = %g", gap_rate);
+
+	NOTICE([$note=CaptureLossSummary, $msg=msg]);
+	}
diff --git a/policy/capture-state-updates.bro b/policy/capture-state-updates.bro
new file mode 100644
index 0000000000..7630015365
--- /dev/null
+++ b/policy/capture-state-updates.bro
@@ -0,0 +1,9 @@
+#! $Id: capture-events.bro 6 2004-04-30 00:31:26Z jason $
+#
+# Captures all operations on &synchronized variables to state-updates.bst.
+#
+
+event bro_init()
+	{
+	capture_state_updates("state-updates.bst");
+	}
diff --git a/policy/checkpoint.bro b/policy/checkpoint.bro
new file mode 100644
index 0000000000..2222d69c0c
--- /dev/null
+++ b/policy/checkpoint.bro
@@ -0,0 +1,54 @@
+# $Id: checkpoint.bro 6724 2009-06-07 09:23:03Z vern $
+#
+# Checkpoints Bro's persistent state at regular intervals and scans
+# the state directory for external updates.
+
+const state_rescan_interval = 15 secs &redef;
+const state_checkpoint_interval = 15 min &redef;
+
+# Services for which the internal connection state is stored.
+const persistent_services = {
+	21/tcp, # ftp
+	22/tcp, # ssh
+	23/tcp, # telnet
+	513/tcp, # rlogin
+} &redef;
+
+# The first timer fires immediately. This flags lets us ignore it.
+global state_ignore_first = T;
+
+event state_checkpoint()
+	{
+	if ( state_ignore_first )
+		state_ignore_first = F;
+
+	else if ( ! bro_is_terminating() )
+		checkpoint_state();
+
+	if ( state_checkpoint_interval > 0 secs )
+		schedule state_checkpoint_interval { state_checkpoint() };
+	}
+
+event state_rescan()
+	{
+	rescan_state();
+
+	if ( state_rescan_interval > 0 secs )
+		schedule state_rescan_interval { state_rescan() };
+	}
+
+event bro_init()
+	{
+	if ( state_checkpoint_interval > 0 secs )
+		schedule state_checkpoint_interval { state_checkpoint() };
+
+	if ( state_rescan_interval > 0 secs )
+		schedule state_rescan_interval { state_rescan() };
+	}
+
+event connection_established(c: connection)
+	{
+	# Buggy?
+	# if ( c$id$resp_p in persistent_services )
+	#	make_connection_persistent(c);
+	}
diff --git a/policy/clear-passwords.bro b/policy/clear-passwords.bro
new file mode 100644
index 0000000000..7607738dcc
--- /dev/null
+++ b/policy/clear-passwords.bro
@@ -0,0 +1,36 @@
+# $Id: clear-passwords.bro 4758 2007-08-10 06:49:23Z vern $
+
+# Monitoring for use of cleartext passwords.
+
+@load ftp
+@load login
+@load pop3
+@load irc
+
+const passwd_file = open_log_file("passwords") &redef;
+
+# ftp, login and pop3 call login_{success,failure}, which in turn
+# calls account_tried(), so we can snarf all at once here:
+event account_tried(c: connection, user: string, passwd: string)
+	{
+	print passwd_file, fmt("%s account name '%s', password '%s': %s",
+				is_local_addr(c$id$orig_h) ? "local" : "remote",
+				user, passwd, id_string(c$id));
+	}
+
+# IRC raises a different event on login, so we hook into it here:
+event irc_join_message(c: connection, info_list: irc_join_list)
+	{
+	for ( l in info_list)
+		{
+		print passwd_file,  fmt("IRC JOIN name '%s', password '%s'",
+					l$nick, l$password);
+		}
+	}
+
+# Raised if IRC user tries to become operator:
+event irc_oper_message(c: connection, user: string, password: string)
+	{
+	print passwd_file, fmt("IRC OPER name '%s', password '%s'",
+				user, password);
+	}
diff --git a/policy/conn-flood.bro b/policy/conn-flood.bro
new file mode 100644
index 0000000000..7da1cccff4
--- /dev/null
+++ b/policy/conn-flood.bro
@@ -0,0 +1,71 @@
+# $Id$
+#
+# Script which alarms if the number of connections per time interval
+# exceeds a threshold.
+#
+# This script is mainly meant as a demonstration; it hasn't been hardened
+# with/for operational use.
+
+@load notice
+
+module ConnFlood;
+
+export {
+	redef enum Notice += {
+		ConnectionFloodStart, ConnectionFloodEnd,
+	};
+
+	# Thresholds to reports (conns/sec).
+	const thresholds: set[count] =
+		{ 1000, 2000, 4000, 6000, 8000, 10000, 20000, 50000 }
+	&redef;
+
+	# Average over this time interval.
+	const avg_interval = 10 sec &redef;
+}
+
+global conn_counter = 0;
+global last_thresh = 0;
+
+# Note: replace with connection_attempt if too expensive.
+event new_connection(c: connection)
+	{
+	++conn_counter;
+	}
+
+event check_flood()
+	{
+	local thresh = 0;
+	local rate = double_to_count(interval_to_double((conn_counter / avg_interval)));
+
+	# Find the largest threshold reached this interval.
+	for ( i in thresholds )
+		{
+		if ( rate >= i && rate > thresh )
+			thresh = i;
+		}
+
+	# Report if larger than last reported threshold.
+	if ( thresh > last_thresh )
+		{
+		NOTICE([$note=ConnectionFloodStart, $n=thresh,
+			   $msg=fmt("flood begins at rate %d conns/sec", rate)]);
+		last_thresh = thresh;
+		}
+
+	# If no threshold was reached, the flood is over.
+	else if ( thresh == 0 && last_thresh > 0 )
+		{
+		NOTICE([$note=ConnectionFloodEnd, $n=thresh,
+			   $msg=fmt("flood ends at rate %d conns/sec", rate)]);
+		last_thresh = 0;
+		}
+
+	conn_counter = 0;
+	schedule avg_interval { check_flood() };
+	}
+
+event bro_init()
+	{
+	schedule avg_interval { check_flood() };
+	}
diff --git a/policy/conn-id.bro b/policy/conn-id.bro
new file mode 100644
index 0000000000..9a81e307c9
--- /dev/null
+++ b/policy/conn-id.bro
@@ -0,0 +1,24 @@
+# $Id: conn-id.bro 45 2004-06-09 14:29:49Z vern $
+
+# Simple functions for generating ASCII connection identifiers.
+
+@load port-name
+
+function id_string(id: conn_id): string
+	{
+	return fmt("%s > %s",
+		endpoint_id(id$orig_h, id$orig_p),
+		endpoint_id(id$resp_h, id$resp_p));
+	}
+
+function reverse_id_string(id: conn_id): string
+	{
+	return fmt("%s < %s",
+		endpoint_id(id$orig_h, id$orig_p),
+		endpoint_id(id$resp_h, id$resp_p));
+	}
+
+function directed_id_string(id: conn_id, is_orig: bool): string
+	{
+	return is_orig ? id_string(id) : reverse_id_string(id);
+	}
diff --git a/policy/conn.bro b/policy/conn.bro
new file mode 100644
index 0000000000..134ac9db13
--- /dev/null
+++ b/policy/conn.bro
@@ -0,0 +1,442 @@
+# $Id: conn.bro 6782 2009-06-28 02:19:03Z vern $
+
+@load notice
+@load hot
+@load port-name
+@load netstats
+@load conn-id
+
+redef enum Notice += {
+	SensitiveConnection,	# connection marked "hot"
+};
+
+const conn_closed = { TCP_CLOSED, TCP_RESET };
+
+global have_FTP = F;	# if true, we've loaded ftp.bro
+global have_SMTP = F;	# if true, we've loaded smtp.bro
+global is_ftp_data_conn: function(c: connection): bool;
+
+# Whether to include connection state history in the logs generated
+# by record_connection.
+const record_state_history = F &redef;
+
+# Whether to translate the local address in SensitiveConnection notices
+# to a hostname.  Meant as a demonstration of the "when" construct.
+const xlate_hot_local_addr = F &redef;
+
+# Whether to use DPD for generating the service field in the summaries.
+# Default off, because it changes the format of conn.log in a way
+# potentially incompatible with existing scripts.
+const dpd_conn_logs = F &redef;
+
+# Maps a given port on a given server's address to an RPC service.
+# If we haven't loaded portmapper.bro, then it will be empty
+# (and, ideally, queries to it would be optimized away ...).
+global RPC_server_map: table[addr, port] of string;
+
+const conn_file = open_log_file("conn") &redef;
+
+function conn_state(c: connection, trans: transport_proto): string
+	{
+	local os = c$orig$state;
+	local rs = c$resp$state;
+
+	local o_inactive = os == TCP_INACTIVE || os == TCP_PARTIAL;
+	local r_inactive = rs == TCP_INACTIVE || rs == TCP_PARTIAL;
+
+	if ( trans == tcp )
+		{
+		if ( rs == TCP_RESET )
+			{
+			if ( os == TCP_SYN_SENT || os == TCP_SYN_ACK_SENT ||
+			     (os == TCP_RESET &&
+			      c$orig$size == 0 && c$resp$size == 0) )
+				return "REJ";
+			else if ( o_inactive )
+				return "RSTRH";
+			else
+				return "RSTR";
+			}
+		else if ( os == TCP_RESET )
+			return r_inactive ? "RSTOS0" : "RSTO";
+		else if ( rs == TCP_CLOSED && os == TCP_CLOSED )
+			return "SF";
+		else if ( os == TCP_CLOSED )
+			return r_inactive ? "SH" : "S2";
+		else if ( rs == TCP_CLOSED )
+			return o_inactive ? "SHR" : "S3";
+		else if ( os == TCP_SYN_SENT && rs == TCP_INACTIVE )
+			return "S0";
+		else if ( os == TCP_ESTABLISHED && rs == TCP_ESTABLISHED )
+			return "S1";
+		else
+			return "OTH";
+		}
+
+	else if ( trans == udp )
+		{
+		if ( os == UDP_ACTIVE )
+			return rs == UDP_ACTIVE ? "SF" : "S0";
+		else
+			return rs == UDP_ACTIVE ? "SHR" : "OTH";
+		}
+
+	else
+		return "OTH";
+	}
+
+function conn_size(e: endpoint, trans: transport_proto): string
+	{
+	if ( e$size > 0 || (trans == tcp && e$state == TCP_CLOSED) )
+		return fmt("%d", e$size);
+	else
+		### should return 0 for TCP_RESET that went through TCP_CLOSED
+		return "?";
+	}
+
+function service_name(c: connection): string
+	{
+	local p = c$id$resp_p;
+
+	if ( p in port_names )
+		return port_names[p];
+	else
+		return "other";
+	}
+
+const state_graphic = {
+	["OTH"] = "?>?", ["REJ"] = "[",
+	["RSTO"] = ">]", ["RSTOS0"] = "}]", ["RSTR"] = ">[", ["RSTRH"] = "<[",
+	["S0"] = "}", ["S1"] = ">", ["S2"] = "}2", ["S3"] = "}3",
+	["SF"] = ">", ["SH"] = ">h", ["SHR"] = "<h",
+};
+
+function full_id_string(c: connection): string
+	{
+	local id = c$id;
+	local trans = get_port_transport_proto(id$orig_p);
+	local state = conn_state(c, trans);
+	local state_gr = state_graphic[state];
+	local service = service_name(c);
+
+	if ( state == "S0" || state == "S1" || state == "REJ" )
+		return fmt("%s %s %s/%s %s", id$orig_h, state_gr,
+				id$resp_h, service, c$addl);
+
+	else
+		return fmt("%s %sb %s %s/%s %sb %.1fs %s",
+			id$orig_h, conn_size(c$orig, trans),
+			state_gr, id$resp_h, service,
+			conn_size(c$resp, trans), c$duration, c$addl);
+	}
+
+# The sets are indexed by the complete hot messages.
+global hot_conns_reported: table[conn_id] of set[string];
+
+# Low-level routine that generates the actual SensitiveConnection
+# notice associated with a "hot" connection.
+function do_hot_notice(c: connection, dir: string, host: string)
+	{
+	NOTICE([$note=SensitiveConnection, $conn=c,
+		$msg=fmt("hot: %s %s local host: %s",
+			full_id_string(c), dir, host)]);
+	}
+
+# Generate a SensitiveConnection notice with the local hostname
+# translated.  Mostly intended as a demonstration of using "when".
+function gen_hot_notice_with_hostnames(c: connection)
+	{
+	local id = c$id;
+	local inbound = is_local_addr(id$resp_h);
+	local dir = inbound ? "to" : "from";
+	local local_addr = inbound ? id$orig_h : id$resp_h;
+
+	add_notice_tag(c);
+
+	when ( local hostname = lookup_addr(local_addr) )
+		do_hot_notice(c, dir, hostname);
+	timeout 5 sec
+		{ do_hot_notice(c, dir, fmt("%s", local_addr)); }
+	}
+
+function log_hot_conn(c: connection)
+	{
+	if ( c$id !in hot_conns_reported )
+		hot_conns_reported[c$id] = set() &mergeable;
+
+	local msg = full_id_string(c);
+
+	if ( msg !in hot_conns_reported[c$id] )
+		{
+		if ( xlate_hot_local_addr )
+			gen_hot_notice_with_hostnames(c);
+		else
+			NOTICE([$note=SensitiveConnection, $conn=c,
+				$msg=fmt("hot: %s", full_id_string(c))]);
+
+		add hot_conns_reported[c$id][msg];
+		}
+	}
+
+function determine_service_non_DPD(c: connection) : string
+	{
+	if ( length(c$service) != 0 )
+		{
+		for ( i in c$service )
+			return i;	# return first;
+		}
+
+	else if ( have_FTP && is_ftp_data_conn(c) )
+		return port_names[20/tcp];
+
+	else if ( [c$id$resp_h, c$id$resp_p] in RPC_server_map )
+		# Alternatively, perhaps this should be stored in $addl
+		# rather than $service, so the port number remains
+		# visible .... ?
+		return RPC_server_map[c$id$resp_h, c$id$resp_p];
+
+	else if ( c$orig$state == TCP_INACTIVE )
+		{
+		# We're seeing a half-established connection.  Use the
+		# service of the originator if it's well-known and the
+		# responder isn't.
+		if ( c$id$resp_p !in port_names && c$id$orig_p in port_names )
+			return port_names[c$id$orig_p];
+		}
+
+	return service_name(c);
+	}
+
+function determine_service(c: connection) : string
+	{
+	if ( ! dpd_conn_logs )
+		return determine_service_non_DPD(c);
+
+	if ( [c$id$resp_h, c$id$resp_p] in RPC_server_map )
+		add c$service[RPC_server_map[c$id$resp_h, c$id$resp_p]];
+
+	if ( length(c$service) == 0  )
+		{
+		# Empty service set.  Use port as a hint.
+		if ( c$orig$state == TCP_INACTIVE )
+			{
+			# We're seeing a half-established connection.  Use the
+			# service of the originator if it's well-known and the
+			# responder isn't.
+			if ( c$id$resp_p !in port_names &&
+			     c$id$orig_p in port_names )
+				return fmt("%s?", port_names[c$id$orig_p]);
+			}
+
+		if ( c$id$resp_p in port_names )
+			return fmt("%s?", port_names[c$id$resp_p]);
+
+		return "other";
+		}
+
+	local service = "";
+	for ( s in c$service )
+		{
+		if ( sub_bytes(s, 0, 1) != "-" )
+			service = service == "" ? s : cat(service, ",", s);
+		}
+
+	return service != "" ? to_lower(service) : "other";
+	}
+
+function record_connection(f: file, c: connection)
+	{
+	local id = c$id;
+	local local_init = is_local_addr(id$orig_h);
+
+	local local_addr = local_init ? id$orig_h : id$resp_h;
+	local remote_addr = local_init ? id$resp_h : id$orig_h;
+
+	local flags = local_init ? "L" : "X";
+
+	local trans = get_port_transport_proto(id$orig_p);
+	local duration: string;
+
+	# Do this first so we see the tag in addl.
+	if ( c$hot > 0 )
+		log_hot_conn(c);
+
+	if ( trans == tcp )
+		{
+		if ( c$orig$state in conn_closed || c$resp$state in conn_closed )
+			duration = fmt("%.06f", c$duration);
+		else
+			duration = "?";
+		}
+	else
+		duration = fmt("%.06f", c$duration);
+
+	local addl = c$addl;
+
+@ifdef ( estimate_flow_size_and_remove )
+	# Annotate connection with separately-estimated size, if present.
+	local orig_est = estimate_flow_size_and_remove(id, T);
+	local resp_est = estimate_flow_size_and_remove(id, F);
+
+	if ( orig_est$have_est )
+		addl = fmt("%s olower=%.0fMB oupper=%.0fMB oincon=%s", addl,
+				orig_est$lower / 1e6, orig_est$upper / 1e6,
+				orig_est$num_inconsistent);
+
+	if ( resp_est$have_est )
+		addl = fmt("%s rlower=%.0fMB rupper=%.0fMB rincon=%s", addl,
+				resp_est$lower / 1e6, resp_est$upper / 1e6,
+				resp_est$num_inconsistent);
+@endif
+
+	local service = determine_service(c);
+
+	local log_msg =
+		fmt("%.6f %s %s %s %s %d %d %s %s %s %s %s",
+			c$start_time, duration, id$orig_h, id$resp_h, service,
+			id$orig_p, id$resp_p, trans,
+			conn_size(c$orig, trans), conn_size(c$resp, trans),
+			conn_state(c, trans), flags);
+
+	if ( record_state_history )
+		log_msg = fmt("%s %s", log_msg,
+				c$history == "" ? "X" : c$history);
+
+	if ( addl != "" )
+		log_msg = fmt("%s %s", log_msg, addl);
+
+	print f, log_msg;
+	}
+
+event protocol_confirmation(c: connection, atype: count, aid: count)
+	{
+	if ( ! dpd_conn_logs )
+		return;
+
+	delete c$service[fmt("-%s",analyzer_name(atype))];
+	add c$service[analyzer_name(atype)];
+	}
+
+event protocol_violation(c: connection, atype: count, aid: count,
+				reason: string) &priority = 10
+	{
+	if ( ! dpd_conn_logs )
+		return;
+
+	delete c$service[analyzer_name(atype)];
+	add c$service[fmt("-%s",analyzer_name(atype))];
+	}
+
+event connection_established(c: connection)
+	{
+	Hot::check_hot(c, Hot::CONN_ESTABLISHED);
+
+	if ( c$hot > 0 )
+		log_hot_conn(c);
+	}
+
+event partial_connection(c: connection)
+	{
+	if ( c$orig$state == TCP_PARTIAL && c$resp$state == TCP_INACTIVE )
+		# This appears to be a stealth scan.  Don't do hot-checking
+		# as there wasn't an established connection.
+		;
+	else
+		{
+		Hot::check_hot(c, Hot::CONN_ESTABLISHED);
+		Hot::check_hot(c, Hot::APPL_ESTABLISHED);	# assume it's been established
+		}
+
+	if ( c$hot > 0 )
+		log_hot_conn(c);
+	}
+
+event connection_attempt(c: connection)
+	{
+	Hot::check_spoof(c);
+	Hot::check_hot(c, Hot::CONN_ATTEMPTED);
+	}
+
+event connection_finished(c: connection)
+	{
+	if ( c$orig$size == 0 || c$resp$size == 0 )
+		# Hard to get excited about this - not worth logging again.
+		c$hot = 0;
+	else
+		Hot::check_hot(c, Hot::CONN_FINISHED);
+	}
+
+event connection_partial_close(c: connection)
+	{
+	if ( c$orig$size == 0 || c$resp$size == 0 )
+		# Hard to get excited about this - not worth logging again.
+		c$hot = 0;
+	else
+		Hot::check_hot(c, Hot::CONN_FINISHED);
+	}
+
+event connection_half_finished(c: connection)
+	{
+	Hot::check_hot(c, Hot::CONN_ATTEMPTED);
+	}
+
+event connection_rejected(c: connection)
+	{
+	Hot::check_hot(c, Hot::CONN_REJECTED);
+	}
+
+event connection_reset(c: connection)
+	{
+	Hot::check_hot(c, Hot::CONN_FINISHED);
+	}
+
+event connection_pending(c: connection)
+	{
+	if ( c$orig$state in conn_closed &&
+	     (c$resp$state == TCP_INACTIVE || c$resp$state == TCP_PARTIAL) )
+		# This is a stray FIN or RST - don't bother reporting.
+		return;
+
+	if ( c$orig$state == TCP_RESET || c$resp$state == TCP_RESET )
+		# We already reported this connection when the RST
+		# occurred.
+		return;
+
+	Hot::check_hot(c, Hot::CONN_FINISHED);
+	}
+
+function connection_gone(c: connection, gone_type: string)
+	{
+	if ( c$orig$size == 0 || c$resp$size == 0 )
+		{
+		if ( c$orig$state == TCP_RESET && c$resp$state == TCP_INACTIVE)
+			# A bare RST, no other context.  Ignore it.
+			return;
+
+		# Hard to get excited about this - not worth logging again,
+		# per connection_finished().
+		c$hot = 0;
+		}
+	else
+		Hot::check_hot(c, Hot::CONN_TIMEOUT);
+	}
+
+event connection_state_remove(c: connection) &priority = -10
+	{
+	local os = c$orig$state;
+	local rs = c$resp$state;
+
+	if ( os == TCP_ESTABLISHED && rs == TCP_ESTABLISHED )
+		# It was still active, no summary generated.
+		connection_gone(c, "remove");
+
+	else if ( (os == TCP_CLOSED || rs == TCP_CLOSED) &&
+		  (os == TCP_ESTABLISHED || rs == TCP_ESTABLISHED) )
+		# One side has closed, the other hasn't - it's in state S2
+		# or S3, hasn't been reported yet.
+		connection_gone(c, "remove");
+
+	record_connection(conn_file, c);
+
+	delete hot_conns_reported[c$id];
+	}
diff --git a/policy/contents.bro b/policy/contents.bro
new file mode 100644
index 0000000000..152b54ed3b
--- /dev/null
+++ b/policy/contents.bro
@@ -0,0 +1,40 @@
+# $Id: contents.bro 47 2004-06-11 07:26:32Z vern $
+
+redef capture_filters += { ["contents"] = "tcp" };
+
+# Keeps track of to which given contents files we've written.
+global contents_files: set[string];
+
+event new_connection_contents(c: connection)
+	{
+	local id = c$id;
+
+	local orig_file =
+		fmt("contents.%s.%d-%s.%d",
+			id$orig_h, id$orig_p, id$resp_h, id$resp_p);
+	local resp_file =
+		fmt("contents.%s.%d-%s.%d",
+			id$resp_h, id$resp_p, id$orig_h, id$orig_p);
+
+	local orig_f: file;
+	local resp_f: file;
+
+	if ( orig_file !in contents_files )
+		{
+		add contents_files[orig_file];
+		orig_f = open(orig_file);
+		}
+	else
+		orig_f = open_for_append(orig_file);
+
+	if ( resp_file !in contents_files )
+		{
+		add contents_files[resp_file];
+		resp_f = open(resp_file);
+		}
+	else
+		resp_f = open_for_append(resp_file);
+
+	set_contents_file(id, CONTENTS_ORIG, orig_f);
+	set_contents_file(id, CONTENTS_RESP, resp_f);
+	}
diff --git a/policy/cpu-adapt.bro b/policy/cpu-adapt.bro
new file mode 100644
index 0000000000..7376e0780a
--- /dev/null
+++ b/policy/cpu-adapt.bro
@@ -0,0 +1,62 @@
+# $Id: cpu-adapt.bro 1904 2005-12-14 03:27:15Z vern $
+#
+# Adjust load level based on cpu load.
+
+@load load-level
+
+# We increase the load-level if the average CPU load (percentage) is
+# above this limit.
+global cpu_upper_limit = 70.0 &redef;
+
+# We derease the load-level if the average CPU load is below this limit.
+global cpu_lower_limit = 30.0 &redef;
+
+# Time interval over which we average the CPU load.
+global cpu_interval = 1 min &redef;
+
+global cpu_last_proc_time = 0 secs;
+global cpu_last_wall_time: time = 0;
+
+event cpu_measure_load()
+	{
+	local res = resource_usage();
+	local proc_time = res$user_time + res$system_time;
+	local wall_time = current_time();
+
+	if ( cpu_last_proc_time > 0 secs )
+		{
+		local dproc = proc_time - cpu_last_proc_time;
+		local dwall = wall_time - cpu_last_wall_time;
+		local load = dproc / dwall * 100.0;
+
+		print ll_file, fmt("%.6f CPU load %.02f", network_time(), load);
+
+		# Second test is for whether we have any room to change
+		# things.  It shouldn't be hardwired to "xxx10" ....
+		if ( load > cpu_upper_limit &&
+		     current_load_level != LoadLevel10 )
+			{
+			print ll_file, fmt("%.6f CPU load above limit: %.02f",
+						network_time(), load);
+			increase_load_level();
+			}
+
+		else if ( load < cpu_lower_limit &&
+			  current_load_level != LoadLevel1 )
+			{
+			print ll_file, fmt("%.6f CPU load below limit: %.02f",
+						network_time(), load);
+			decrease_load_level();
+			}
+		}
+
+	cpu_last_proc_time = proc_time;
+	cpu_last_wall_time = wall_time;
+
+	schedule cpu_interval { cpu_measure_load() };
+	}
+
+event bro_init()
+	{
+	schedule cpu_interval { cpu_measure_load() };
+	}
diff --git a/policy/dce.bro b/policy/dce.bro
new file mode 100644
index 0000000000..51b82d3894
--- /dev/null
+++ b/policy/dce.bro
@@ -0,0 +1,8 @@
+# $Id:$
+
+redef capture_filters += { ["dce"] = "port 135" };
+
+global dce_ports = { 135/tcp } &redef;
+redef dpd_config += { [ANALYZER_DCE_RPC] = [$ports = dce_ports] };
+
+# No default implementation for events.
diff --git a/policy/demux.bro b/policy/demux.bro
new file mode 100644
index 0000000000..cfb70d6686
--- /dev/null
+++ b/policy/demux.bro
@@ -0,0 +1,41 @@
+# $Id: demux.bro 4758 2007-08-10 06:49:23Z vern $
+
+const demux_dir = log_file_name("xscript") &redef;
+global created_demux_dir = F;
+
+# Table of which connections we're demuxing.
+global demuxed_conn: set[conn_id];
+
+# tag: identifier to use for the reason for demuxing
+# otag: identifier to use for originator side of the connection
+# rtag: identifier to use for responder side of the connection
+function demux_conn(id: conn_id, tag: string, otag: string, rtag: string): bool
+	{
+	if ( id in demuxed_conn || ! active_connection(id) )
+		return F;
+
+	if ( ! created_demux_dir )
+		{
+		mkdir(demux_dir);
+		created_demux_dir = T;
+		}
+
+	local orig_file =
+		fmt("%s/%s.%s.%s.%d-%s.%d", demux_dir, otag, tag,
+			id$orig_h, id$orig_p, id$resp_h, id$resp_p);
+	local resp_file =
+		fmt("%s/%s.%s.%s.%d-%s.%d", demux_dir, rtag, tag,
+			id$resp_h, id$resp_p, id$orig_h, id$orig_p);
+
+	set_contents_file(id, CONTENTS_ORIG, open(orig_file));
+	set_contents_file(id, CONTENTS_RESP, open(resp_file));
+
+	add demuxed_conn[id];
+
+	return T;
+	}
+
+event connection_finished(c: connection)
+	{
+	delete demuxed_conn[c$id];
+	}
diff --git a/policy/detect-protocols-http.bro b/policy/detect-protocols-http.bro
new file mode 100644
index 0000000000..fb1fed33ac
--- /dev/null
+++ b/policy/detect-protocols-http.bro
@@ -0,0 +1,156 @@
+# $Id: detect-protocols-http.bro,v 1.1.4.2 2006/05/31 00:16:21 sommer Exp $
+#
+# Identifies protocols that use HTTP.
+
+@load detect-protocols
+
+module DetectProtocolHTTP;
+
+export {
+	# Defines characteristics of a protocol.  All attributes must match
+	# to trigger the detection. We match patterns against lower-case
+	# versions of the data.
+	type protocol : record {
+		url: pattern &optional;
+		client_header: pattern &optional;
+		client_header_content: pattern &optional;
+		server_header: pattern &optional;
+		server_header_content: pattern &optional;
+	};
+
+	const protocols: table[string] of protocol = {
+		["Kazaa"] = [$url=/^\/\.hash=.*/, $server_header=/^x-kazaa.*/],
+		["Gnutella"] = [$url=/^\/(uri-res|gnutella).*/,
+				$server_header=/^x-gnutella-.*/],
+		["Gnutella_"] = [$url=/^\/(uri-res|gnutella).*/,
+				$server_header=/^x-(content-urn|features).*/],
+		["Gnutella__"] = [$url=/^\/(uri-res|gnutella).*/,
+				$server_header=/^content-type/,
+				$server_header_content=/.*x-gnutella.*/],
+		["BitTorrent"] = [$url=/^.*\/(scrape|announce)\?.*info_hash.*/],
+		["SOAP"] = [$client_header=/^([:print:]+-)?(soapaction|methodname|messagetype).*/],
+		["Squid"] = [$server_header=/^x-squid.*/],
+	} &redef;
+}
+
+# Bit masks.
+const url_found = 1;
+const client_header_found = 2;
+const server_header_found = 2;
+
+type index : record {
+	id: conn_id;
+	pid: string;
+};
+
+# Maps to characteristics found so far.
+# FIXME: An integer would suffice for the bit-field
+# if we had bit-operations ...
+global conns: table[index] of set[count] &read_expire = 1hrs;
+
+function check_match(c: connection, pid: string, mask: set[count])
+	{
+	conns[[$id=c$id, $pid=pid]] = mask;
+
+	local p = protocols[pid];
+
+	if ( p?$url && url_found !in mask )
+		return;
+
+	if ( p?$client_header && client_header_found !in mask )
+		return;
+
+	if ( p?$server_header && server_header_found !in mask )
+		return;
+
+	# All found.
+
+	ProtocolDetector::found_protocol(c, ANALYZER_HTTP, pid);
+	}
+
+event http_request(c: connection, method: string, original_URI: string,
+			unescaped_URI: string, version: string)
+	{
+	for ( pid in protocols )
+		{
+		local p = protocols[pid];
+
+		if ( ! p?$url )
+			next;
+
+		local mask: set[count];
+		local idx = [$id=c$id, $pid=pid];
+		if ( idx in conns )
+			mask = conns[idx];
+
+		if ( url_found in mask )
+			# Already found a match.
+			next;
+
+		# FIXME: There are people putting NULs into the URLs
+		# (BitTorrent), which to_lower() does not like.  Not sure
+		# what the right fix is, though.
+		unescaped_URI = subst_string(unescaped_URI, "\x00", "");
+
+		if ( to_lower(unescaped_URI) == p$url )
+			{
+			add mask[url_found];
+			check_match(c, pid, mask);
+			}
+		}
+	}
+
+event http_header(c: connection, is_orig: bool, name: string, value: string)
+	{
+	if ( name == /[sS][eE][rR][vV][eE][rR]/ )
+		{
+		# Try to extract the server software.
+		local s = split1(strip(value), /[[:space:]\/]/);
+		if ( s[1] == /[-a-zA-Z0-9_]+/ )
+			ProtocolDetector::found_protocol(c, ANALYZER_HTTP, s[1]);
+		}
+
+	for ( pid in protocols )
+		{
+		local p = protocols[pid];
+
+		local mask: set[count];
+		local idx = [$id=c$id, $pid=pid];
+		if ( idx in conns )
+			mask = conns[idx];
+
+		if ( p?$client_header && is_orig )
+			{
+			if ( client_header_found in mask )
+				return;
+
+			if ( to_lower(name) == p$client_header )
+				{
+				if ( p?$client_header_content )
+					if ( to_lower(value) !=
+					     p$client_header_content )
+						return;
+
+				add mask[client_header_found];
+				check_match(c, pid, mask);
+				}
+			}
+
+		if ( p?$server_header && ! is_orig )
+			{
+			if ( server_header_found in mask )
+				return;
+
+			if ( to_lower(name) == p$server_header )
+				{
+				if ( p?$server_header_content )
+					if ( to_lower(value) !=
+					     p$server_header_content )
+						return;
+
+				add mask[server_header_found];
+				check_match(c, pid, mask);
+				}
+			}
+		}
+	}
diff --git a/policy/detect-protocols.bro b/policy/detect-protocols.bro
new file mode 100644
index 0000000000..49f02e60e9
--- /dev/null
+++ b/policy/detect-protocols.bro
@@ -0,0 +1,258 @@
+# $Id: detect-protocols.bro,v 1.1.4.4 2006/05/31 18:07:27 sommer Exp $
+#
+# Finds connections with protocols on non-standard ports using the DPM
+# framework.
+
+@load site
+
+@load conn-id
+@load notice
+
+module ProtocolDetector;
+
+export {
+	redef enum Notice += {
+		ProtocolFound,	# raised for each connection found
+		ServerFound,	# raised once per dst host/port/protocol tuple
+	};
+
+	# Table of (protocol, resp_h, resp_p) tuples known to be uninteresting
+	# in the given direction.  For all other protocols detected on
+	# non-standard ports, we raise a ProtocolFound notice.  (More specific
+	# filtering can then be done via notice_filters.)
+	#
+	# Use 0.0.0.0 for to wildcard-match any resp_h.
+
+	type dir: enum { NONE, INCOMING, OUTGOING, BOTH };
+
+	const valids: table[count, addr, port] of dir = {
+		# A couple of ports commonly used for benign HTTP servers.
+
+		# For now we want to see everything.
+
+		# [ANALYZER_HTTP, 0.0.0.0, 81/tcp] = OUTGOING,
+		# [ANALYZER_HTTP, 0.0.0.0, 82/tcp] = OUTGOING,
+		# [ANALYZER_HTTP, 0.0.0.0, 83/tcp] = OUTGOING,
+		# [ANALYZER_HTTP, 0.0.0.0, 88/tcp] = OUTGOING,
+		# [ANALYZER_HTTP, 0.0.0.0, 8001/tcp] = OUTGOING,
+		# [ANALYZER_HTTP, 0.0.0.0, 8090/tcp] = OUTGOING,
+		# [ANALYZER_HTTP, 0.0.0.0, 8081/tcp] = OUTGOING,
+		#
+		# [ANALYZER_HTTP, 0.0.0.0, 6346/tcp] = BOTH, # Gnutella
+		# [ANALYZER_HTTP, 0.0.0.0, 6347/tcp] = BOTH, # Gnutella
+		# [ANALYZER_HTTP, 0.0.0.0, 6348/tcp] = BOTH, # Gnutella
+	} &redef;
+
+	# Set of analyzers for which we suppress ServerFound notices
+	# (but not ProtocolFound).  Along with avoiding clutter in the
+	# log files, this also saves memory because for these we don't
+	# need to remember which servers we already have reported, which
+	# for some can be a lot.
+	const suppress_servers: set [count] = {
+		# ANALYZER_HTTP
+	} &redef;
+
+	# We consider a connection to use a protocol X if the analyzer for X
+	# is still active (i) after an interval of minimum_duration, or (ii)
+	# after a payload volume of minimum_volume, or (iii) at the end of the
+	# connection.
+	const minimum_duration = 30 secs &redef;
+	const minimum_volume = 4e3 &redef;	# bytes
+
+	# How often to check the size of the connection.
+	const check_interval = 5 secs;
+
+	# Entry point for other analyzers to report that they recognized
+	# a certain (sub-)protocol.
+	global found_protocol: function(c: connection, analyzer: count,
+					protocol: string);
+
+	# Table keeping reported (server, port, analyzer) tuples (and their
+	# reported sub-protocols).
+	global servers: table[addr, port, string] of set[string]
+				&read_expire = 14 days;
+}
+
+# Table that tracks currently active dynamic analyzers per connection.
+global conns: table[conn_id] of set[count];
+
+# Table of reports by other analyzers about the protocol used in a connection.
+global protocols: table[conn_id] of set[string];
+
+type protocol : record {
+	a: string;	# analyzer name
+	sub: string;	# "sub-protocols" reported by other sources
+};
+
+function get_protocol(c: connection, a: count) : protocol
+	{
+	local str = "";
+	if ( c$id in protocols )
+		{
+		for ( p in protocols[c$id] )
+			str = |str| > 0 ? fmt("%s/%s", str, p) : p;
+		}
+
+	return [$a=analyzer_name(a), $sub=str];
+	}
+
+function fmt_protocol(p: protocol) : string
+	{
+	return p$sub != "" ? fmt("%s (via %s)", p$sub, p$a) : p$a;
+	}
+
+function do_notice(c: connection, a: count, d: dir)
+	{
+	if ( d == BOTH )
+		return;
+
+	if ( d == INCOMING && is_local_addr(c$id$resp_h) )
+		return;
+
+	if ( d == OUTGOING && ! is_local_addr(c$id$resp_h) )
+		return;
+
+	local p = get_protocol(c, a);
+	local s = fmt_protocol(p);
+
+	NOTICE([$note=ProtocolFound,
+		$msg=fmt("%s %s on port %s", id_string(c$id), s, c$id$resp_p),
+		$sub=s, $conn=c, $n=a]);
+
+	# We report multiple ServerFound's per host if we find a new
+	# sub-protocol.
+	local known = [c$id$resp_h, c$id$resp_p, p$a] in servers;
+
+	local newsub = F;
+	if ( known )
+		newsub = (p$sub != "" &&
+			  p$sub !in servers[c$id$resp_h, c$id$resp_p, p$a]);
+
+	if ( (! known || newsub) && a !in suppress_servers )
+		{
+		NOTICE([$note=ServerFound,
+			$msg=fmt("%s: %s server on port %s%s", c$id$resp_h, s,
+				c$id$resp_p, (known ? " (update)" : "")),
+			$p=c$id$resp_p, $sub=s, $conn=c, $src=c$id$resp_h, $n=a]);
+
+		if ( ! known )
+			servers[c$id$resp_h, c$id$resp_p, p$a] = set();
+
+		add servers[c$id$resp_h, c$id$resp_p, p$a][p$sub];
+		}
+	}
+
+function report_protocols(c: connection)
+	{
+	# We only report the connection if both sides have transferred data.
+	if ( c$resp$size == 0 || c$orig$size == 0 )
+		{
+		delete conns[c$id];
+		delete protocols[c$id];
+		return;
+		}
+
+	local analyzers = conns[c$id];
+
+	for ( a in analyzers )
+		{
+		if ( [a, c$id$resp_h, c$id$resp_p] in valids )
+			do_notice(c, a, valids[a, c$id$resp_h, c$id$resp_p]);
+
+		else if ( [a, 0.0.0.0, c$id$resp_p] in valids )
+			do_notice(c, a, valids[a, 0.0.0.0, c$id$resp_p]);
+		else
+			do_notice(c, a, NONE);
+
+		append_addl(c, analyzer_name(a));
+		}
+
+	delete conns[c$id];
+	delete protocols[c$id];
+	}
+
+event ProtocolDetector::check_connection(c: connection)
+	{
+	if ( c$id !in conns )
+		return;
+
+	local duration = network_time() - c$start_time;
+	local size = c$resp$size + c$orig$size;
+
+	if ( duration >= minimum_duration || size >= minimum_volume )
+		report_protocols(c);
+	else
+		{
+		local delay = min_interval(minimum_duration - duration,
+					   check_interval);
+		schedule delay { ProtocolDetector::check_connection(c) };
+		}
+	}
+
+event connection_state_remove(c: connection)
+	{
+	if ( c$id !in conns )
+		{
+		delete protocols[c$id];
+		return;
+		}
+
+	# Reports all analyzers that have remained to the end.
+	report_protocols(c);
+	}
+
+event protocol_confirmation(c: connection, atype: count, aid: count)
+	{
+	# Don't report anything running on a well-known port.
+	if ( atype in dpd_config && c$id$resp_p in dpd_config[atype]$ports )
+		return;
+
+	if ( c$id in conns )
+		{
+		local analyzers = conns[c$id];
+		add analyzers[atype];
+		}
+	else
+		{
+		conns[c$id] = set(atype);
+
+		local delay = min_interval(minimum_duration, check_interval);
+		schedule delay { ProtocolDetector::check_connection(c) };
+		}
+	}
+
+# event connection_analyzer_disabled(c: connection, analyzer: count)
+# 	{
+# 	if ( c$id !in conns )
+# 		return;
+# 
+# 	delete conns[c$id][analyzer];
+# 	}
+
+function append_proto_addl(c: connection)
+	{
+	for ( a in conns[c$id] )
+		append_addl(c, fmt_protocol(get_protocol(c, a)));
+	}
+
+function found_protocol(c: connection, analyzer: count, protocol: string)
+	{
+	# Don't report anything running on a well-known port.
+	if ( analyzer in dpd_config &&
+	     c$id$resp_p in dpd_config[analyzer]$ports )
+		return;
+
+	if ( c$id !in protocols )
+		protocols[c$id] = set();
+
+	add protocols[c$id][protocol];
+	}
+
+event connection_state_remove(c: connection)
+	{
+	if ( c$id !in conns )
+		return;
+
+	append_proto_addl(c);
+	}
+
diff --git a/policy/dhcp.bro b/policy/dhcp.bro
new file mode 100644
index 0000000000..2c60f73fe4
--- /dev/null
+++ b/policy/dhcp.bro
@@ -0,0 +1,525 @@
+# $Id: dhcp.bro 4054 2007-08-14 21:45:58Z pclin $
+
+@load dpd
+@load weird
+
+module DHCP;
+
+export {
+	# Set to false to disable printing to dhcp.log.
+	const logging = T &redef;
+}
+
+# Type of states in DHCP client.  See Figure 5 in RFC 2131.
+# Each state name is prefixed with DHCP_ to avoid name conflicts.
+type dhcp_state: enum {
+
+	DHCP_INIT_REBOOT,
+	DHCP_INIT,
+	DHCP_SELECTING,
+	DHCP_REQUESTING,
+	DHCP_REBINDING,
+	DHCP_BOUND,
+	DHCP_RENEWING,
+	DHCP_REBOOTING,
+
+	# This state is not in Figure 5.  Client has been externally configured.
+	DHCP_INFORM,
+};
+
+global dhcp_log: file;
+
+# Source port 68: client -> server; source port 67: server -> client.
+global dhcp_ports: set[port] = { 67/udp, 68/udp } &redef;
+
+redef dpd_config += { [ANALYZER_DHCP_BINPAC] = [$ports = dhcp_ports] };
+
+# Default handling for peculiarities in DHCP analysis.
+redef Weird::weird_action += {
+	["DHCP_no_type_option"] = Weird::WEIRD_FILE,
+	["DHCP_wrong_op_type"] = Weird::WEIRD_FILE,
+	["DHCP_wrong_msg_type"] = Weird::WEIRD_FILE,
+};
+
+# Types of DHCP messages, identified from the 'options' field.  See RFC 1533.
+global dhcp_msgtype_name: table[count] of string = {
+	[1] = "DHCP_DISCOVER",
+	[2] = "DHCP_OFFER",
+	[3] = "DHCP_REQUEST",
+	[4] = "DHCP_DECLINE",
+	[5] = "DHCP_ACK",
+	[6] = "DHCP_NAK",
+	[7] = "DHCP_RELEASE",
+	[8] = "DHCP_INFORM",
+};
+
+# Type of DHCP client state, inferred from the messages.  See RFC 2131, fig 5.
+global dhcp_state_name: table[dhcp_state] of string = {
+	[DHCP_INIT_REBOOT] = "INIT-REBOOT",
+	[DHCP_INIT]	   = "INIT",
+	[DHCP_SELECTING]   = "SELECTING",
+	[DHCP_REQUESTING]  = "REQUESTING",
+	[DHCP_REBINDING]   = "REBINDING",
+	[DHCP_BOUND]	   = "BOUND",
+	[DHCP_RENEWING]    = "RENEWING",
+	[DHCP_REBOOTING]   = "REBOOTING",
+	[DHCP_INFORM]	   = "INFORM",
+};
+
+type dhcp_session_info: record {
+	state: dhcp_state;	# the state of a DHCP client
+	seq: count;		# sequence of session in the trace
+	lease: interval;	# lease time of an IP address
+	h_addr: string;		# hardware/MAC address of the client
+};
+
+# Track the DHCP session info of each client, indexed by the transaction ID.
+global dhcp_session: table[count] of dhcp_session_info
+	&default = record($state = DHCP_INIT_REBOOT, $seq = 0, $lease = 0 sec,
+				$h_addr = "")
+	&write_expire = 5 min
+;
+
+# We need the following table to track some DHCPINFORM messages since they
+# use xid = 0 (I do not know why), starting from the second pair of INFORM
+# and ACK.  Since the client address is ready before DHCPINFORM, we can use
+# it as the index to find its corresponding xid.
+global session_xid: table[addr] of count &read_expire = 30 sec;
+
+# Count how many DHCP sessions have been detected, for use in dhcp_session_seq.
+global pkt_cnt: count = 0;
+global session_cnt: count = 0;
+
+# Record the address of client that sends a DHCPINFORM message with xid = 0.
+global recent_client: addr;
+
+global BROADCAST_ADDR = 255.255.255.255;
+global NULL_ADDR = 0.0.0.0;
+
+# Used to detect if an ACK is duplicated.  They are used only in dhcp_ack().
+# We put them here since Bro scripts lacks the equivalent of "static" variables.
+global ack_from: addr;
+global duplicated_ack: bool;
+
+
+function warning_wrong_state(msg_type: count): string
+	{
+	return fmt("%s not sent in a correct state.",
+			dhcp_msgtype_name[msg_type]);
+	}
+
+function dhcp_message(c: connection, seq: count, show_conn: bool): string
+	{
+	local conn_info = fmt("%.06f #%d", network_time(), seq);
+	if ( show_conn )
+		return fmt("%s %s > %s", conn_info,
+				endpoint_id(c$id$orig_h, c$id$orig_p),
+				endpoint_id(c$id$resp_h, c$id$resp_p));
+
+	return conn_info;
+	}
+
+function new_dhcp_session(xid: count, state: dhcp_state, h_addr: string)
+: dhcp_session_info
+	{
+	local session: dhcp_session_info;
+	session$state = state;
+	session$seq = ++session_cnt;
+	session$lease = 0 sec;
+	session$h_addr = h_addr;
+
+	dhcp_session[xid] = session;
+
+	return session;
+	}
+
+
+event bro_init()
+	{
+	if ( logging )
+		dhcp_log = open_log_file("dhcp");
+	}
+
+event dhcp_discover(c: connection, msg: dhcp_msg, req_addr: addr)
+	{
+	local old_session = T;
+
+	if ( msg$xid !in dhcp_session )
+		{
+		local session =
+			new_dhcp_session(msg$xid, DHCP_SELECTING, msg$h_addr);
+		old_session = F;
+		}
+
+	if ( logging )
+		{
+		if ( old_session &&
+		     dhcp_session[msg$xid]$state == DHCP_SELECTING )
+			print dhcp_log, fmt("%s DISCOVER (duplicated)",
+				dhcp_message(c, dhcp_session[msg$xid]$seq, F));
+		else
+			print dhcp_log,
+				fmt("%s DISCOVER (xid = %x, client state = %s)",
+					dhcp_message(c, dhcp_session[msg$xid]$seq, T),
+					msg$xid, dhcp_state_name[dhcp_session[msg$xid]$state]);
+		}
+	}
+
+event dhcp_offer(c: connection, msg: dhcp_msg, mask: addr,
+		router: dhcp_router_list, lease: interval, serv_addr: addr)
+	{
+	local standalone = msg$xid !in dhcp_session;
+	local err_state =
+		standalone && dhcp_session[msg$xid]$state != DHCP_SELECTING;
+
+	if ( logging )
+		{
+		# Note that no OFFER messages are considered duplicated,
+		# since they may come from multiple DHCP servers in a session.
+		if ( standalone )
+			print dhcp_log, fmt("%s OFFER (standalone)",
+				dhcp_message(c, ++session_cnt, T));
+
+		else if ( err_state )
+			print dhcp_log, fmt("%s OFFER (in error state %s)",
+				dhcp_message(c, dhcp_session[msg$xid]$seq, T),
+				dhcp_state_name[dhcp_session[msg$xid]$state]);
+
+		else
+			print dhcp_log, fmt("%s OFFER (client state = %s)",
+				dhcp_message(c, dhcp_session[msg$xid]$seq, T),
+					dhcp_state_name[DHCP_SELECTING]);
+		}
+	}
+
+event dhcp_request(c: connection, msg: dhcp_msg,
+			req_addr: addr, serv_addr: addr)
+	{
+	local log_info: string;
+
+	if ( msg$xid in dhcp_session )
+		{
+		if ( ! logging )
+			return;
+
+		local state = dhcp_session[msg$xid]$state;
+
+		if ( state == DHCP_REBOOTING )
+			recent_client = req_addr;
+		else
+			recent_client = c$id$orig_h;
+
+		session_xid[recent_client] = msg$xid;
+
+		if ( state == DHCP_RENEWING || state == DHCP_REBINDING ||
+		     state == DHCP_REQUESTING || state == DHCP_REBOOTING )
+			print dhcp_log, fmt("%s REQUEST (duplicated)",
+				dhcp_message(c, dhcp_session[msg$xid]$seq, F));
+		else
+			{
+			log_info = dhcp_message(c, dhcp_session[msg$xid]$seq, T);
+			print dhcp_log, fmt("%s REQUEST (in error state %s)",
+						log_info,
+						dhcp_state_name[dhcp_session[msg$xid]$state]);
+			}
+		}
+	else
+		{
+		local d_state = DHCP_REBOOTING;
+
+		if ( c$id$resp_h != BROADCAST_ADDR )
+			d_state = DHCP_RENEWING;
+		else if ( msg$ciaddr != NULL_ADDR )
+			d_state = DHCP_REBINDING;
+		else if ( serv_addr != NULL_ADDR )
+			d_state = DHCP_REQUESTING;
+
+		local session = new_dhcp_session(msg$xid, d_state, msg$h_addr);
+
+		if ( session$state == DHCP_REBOOTING )
+			recent_client = req_addr;
+		else
+			recent_client = c$id$orig_h;
+
+		session_xid[recent_client] = msg$xid;
+
+		if ( logging )
+			{
+			log_info = dhcp_message(c, session$seq, T);
+			if ( req_addr != NULL_ADDR )
+				log_info = fmt("%s REQUEST %As",
+						log_info, req_addr);
+			else
+				log_info = fmt("%s REQUEST", log_info);
+
+			print dhcp_log, fmt("%s (xid = %x, client state = %s)",
+						log_info, msg$xid,
+						dhcp_state_name[session$state]);
+			}
+		}
+	}
+
+event dhcp_decline(c: connection, msg: dhcp_msg)
+	{
+	local old_session = msg$xid in dhcp_session;
+	local err_state = F;
+
+	if ( old_session )
+		{
+		if ( dhcp_session[msg$xid]$state == DHCP_REQUESTING )
+			dhcp_session[msg$xid]$state = DHCP_INIT;
+		else
+			err_state = T;
+		}
+	else
+		new_dhcp_session(msg$xid, DHCP_INIT, "");
+
+	if ( ! logging )
+		return;
+
+	if ( old_session )
+		{
+		if ( err_state )
+			print dhcp_log, fmt("%s DECLINE (in error state %s)",
+				dhcp_message(c, dhcp_session[msg$xid]$seq, T),
+				dhcp_state_name[dhcp_session[msg$xid]$state]);
+		else
+			print dhcp_log, fmt("%s DECLINE (duplicated)",
+				dhcp_message(c, dhcp_session[msg$xid]$seq, F));
+		}
+	else
+		print dhcp_log, fmt("%s DECLINE (xid = %x)",
+			dhcp_message(c, ++session_cnt, T), msg$xid);
+	}
+
+event dhcp_ack(c: connection, msg: dhcp_msg, mask: addr,
+		router: dhcp_router_list, lease: interval, serv_addr: addr)
+	{
+	local log_info: string;
+
+	if ( msg$xid == 0 )
+		{ # An ACK for a DHCPINFORM message with xid = 0.
+		local xid =
+			c$id$orig_h in session_xid ?
+				# An ACK to the client.
+				session_xid[c$id$orig_h]
+			:
+				# Assume ACK from a relay agent to the server.
+				session_xid[recent_client];
+
+		local seq: count;
+
+		if ( xid > 0 )
+			{
+			duplicated_ack = dhcp_session[xid]$state != DHCP_INFORM;
+			dhcp_session[xid]$state = DHCP_BOUND;
+			seq = dhcp_session[xid]$seq;
+			}
+		else
+			{
+			# This is a weird situation.  We arbitrarily set
+			# duplicated_ack to false to have more information
+			# shown.
+			duplicated_ack = F;
+			seq = session_cnt;
+			}
+
+		if ( ! logging )
+			return;
+
+		log_info = dhcp_message(c, seq, F);
+		if ( c$id$orig_h in session_xid )
+			{
+			if ( duplicated_ack )
+				print dhcp_log, fmt("%s ACK (duplicated)",
+							log_info);
+			else
+				print dhcp_log,
+					fmt("%s ACK (client state = %s)",
+						log_info,
+						dhcp_state_name[DHCP_BOUND]);
+			}
+		else
+			print dhcp_log,
+				fmt("%s ACK (relay agent at = %As)",
+					log_info, c$id$orig_h);
+		return;
+		}
+
+	if ( msg$xid in dhcp_session )
+		{
+		local last_state = dhcp_session[msg$xid]$state;
+		local from_reboot_state = last_state == DHCP_REBOOTING;
+
+		if ( last_state == DHCP_REQUESTING ||
+		     last_state == DHCP_REBOOTING ||
+		     last_state == DHCP_RENEWING ||
+		     last_state == DHCP_REBINDING ||
+		     last_state == DHCP_INFORM )
+			{
+			dhcp_session[msg$xid]$state = DHCP_BOUND;
+			dhcp_session[msg$xid]$lease = lease;
+			}
+
+		if ( ! logging )
+			return;
+
+		if ( last_state == DHCP_BOUND )
+			{
+			log_info = dhcp_message(c, dhcp_session[msg$xid]$seq, F);
+			if ( c$id$orig_h == ack_from )
+				log_info = fmt("%s ACK (duplicated)",
+						log_info);
+
+			else
+				# Not a duplicated ACK.
+				log_info = fmt("%s ACK (relay agent at = %As)",
+						log_info, c$id$orig_h);
+			}
+		else
+			{
+			ack_from = c$id$orig_h;
+
+			# If in a reboot state, we had better
+			# explicitly show the original address
+			# and the destination address of ACK,
+			# because the client initally has a
+			# zero address.
+			if ( from_reboot_state )
+				log_info = dhcp_message(c, dhcp_session[msg$xid]$seq, T);
+			else
+				log_info = dhcp_message(c, dhcp_session[msg$xid]$seq, F);
+
+			if ( last_state != DHCP_INFORM &&
+			     lease > 0 sec )
+				log_info = fmt("%s ACK (lease time = %s, ",
+						log_info, lease);
+			else
+				log_info = fmt("%s ACK (", log_info);
+
+			log_info = fmt("%sclient state = %s)",
+					log_info,
+					dhcp_state_name[dhcp_session[msg$xid]$state]);
+			}
+
+		print dhcp_log, log_info;
+		}
+
+	else if ( logging )
+		print dhcp_log, fmt("%s ACK (standalone)",
+					dhcp_message(c, ++session_cnt, T));
+	}
+
+event dhcp_nak(c: connection, msg: dhcp_msg)
+	{
+	if ( msg$xid in dhcp_session )
+		{
+		local last_state = dhcp_session[msg$xid]$state;
+
+		if ( last_state == DHCP_REQUESTING ||
+		     last_state == DHCP_REBOOTING ||
+		     last_state == DHCP_RENEWING ||
+		     last_state == DHCP_REBINDING )
+			dhcp_session[msg$xid]$state = DHCP_INIT;
+
+		if ( logging )
+			print dhcp_log, fmt("%s NAK (client state = %s)",
+				dhcp_message(c, dhcp_session[msg$xid]$seq, F),
+				dhcp_state_name[dhcp_session[msg$xid]$state]);
+		}
+
+	else if ( logging )
+		print dhcp_log, fmt("%s NAK (standalone)",
+			dhcp_message(c, ++session_cnt, T));
+	}
+
+event dhcp_release(c: connection, msg: dhcp_msg)
+	{
+	local old_session = msg$xid in dhcp_session;
+
+	if ( ! old_session )
+		# We assume the client goes back to DHCP_INIT
+		# because the RFC does not specify which state to go to.
+		new_dhcp_session(msg$xid, DHCP_INIT, "");
+
+	if ( ! logging )
+		return;
+
+	if ( old_session )
+		{
+		if ( dhcp_session[msg$xid]$state == DHCP_INIT )
+			print dhcp_log, fmt("%s RELEASE (duplicated)",
+				dhcp_message(c, dhcp_session[msg$xid]$seq, F));
+		else
+			print dhcp_log, fmt("%s RELEASE, (client state = %s)",
+				dhcp_message(c, dhcp_session[msg$xid]$seq, F),
+				dhcp_state_name[dhcp_session[msg$xid]$state]);
+		}
+	else
+		print dhcp_log, fmt("%s RELEASE (xid = %x, IP addr = %As)",
+			dhcp_message(c, session_cnt, T), msg$xid, c$id$orig_h);
+	}
+
+event dhcp_inform(c: connection, msg: dhcp_msg)
+	{
+	recent_client = c$id$orig_h;
+
+	if ( msg$xid == 0 )
+		{
+		# Oops! Try to associate message with transaction ID 0 with
+		# a previous session.
+		local xid: count;
+		local seq: count;
+
+		if ( c$id$orig_h in session_xid )
+			{
+			xid = session_xid[c$id$orig_h];
+			dhcp_session[xid]$state = DHCP_INFORM;
+			seq = dhcp_session[xid]$seq;
+			}
+		else
+			{
+			# Weird: xid = 0 and no previous INFORM-ACK dialog.
+			xid = 0;
+			seq = ++session_cnt;
+
+			# Just record that a INFORM message has appeared,
+			# although the xid is not useful.
+			session_xid[c$id$orig_h] = 0;
+			}
+
+		if ( logging )
+			print dhcp_log,
+				fmt("%s INFORM (xid = %x, client state = %s)",
+					dhcp_message(c, seq, T),
+					xid, dhcp_state_name[DHCP_INFORM]);
+		return;
+		}
+
+	if ( msg$xid in dhcp_session )
+		{
+		if ( logging )
+			if ( dhcp_session[msg$xid]$state == DHCP_INFORM )
+				print dhcp_log, fmt("%s INFORM (duplicated)",
+					dhcp_message(c, dhcp_session[msg$xid]$seq, F));
+			else	{
+				print dhcp_log,
+					fmt("%s INFORM (duplicated, client state = %s)",
+						dhcp_message(c, dhcp_session[msg$xid]$seq, F),
+						dhcp_state_name[dhcp_session[msg$xid]$state]);
+				}
+
+		return;
+		}
+
+	local session = new_dhcp_session(msg$xid, DHCP_INFORM, msg$h_addr);
+
+	# Associate this transaction ID with the host so we can identify
+	# subsequent pairs of INFORM/ACK if client uses xid=0.
+	session_xid[c$id$orig_h] = msg$xid;
+
+	if ( logging )
+		print dhcp_log, fmt("%s INFORM (xid = %x, client state = %s)",
+				dhcp_message(c, session$seq, T),
+				msg$xid, dhcp_state_name[session$state]);
+	}
diff --git a/policy/dns-anonymizer.bro b/policy/dns-anonymizer.bro
new file mode 100644
index 0000000000..d85f31a395
--- /dev/null
+++ b/policy/dns-anonymizer.bro
@@ -0,0 +1,107 @@
+# $Id:$
+
+@load dns
+@load anon
+
+module DNS;
+
+redef rewriting_dns_trace = T;
+
+event dns_message(c: connection, is_orig: bool, msg: dns_msg, len: count)
+	{
+	if ( get_conn_transport_proto(c$id) == udp )
+		rewrite_dns_message(c, is_orig, msg, len);
+	}
+
+event dns_request(c: connection, msg: dns_msg, query: string,
+			qtype: count, qclass: count)
+	{
+	if ( get_conn_transport_proto(c$id) == udp )
+		rewrite_dns_request(c, anonymize_host(query),
+					msg, qtype, qclass);
+	}
+
+event dns_end(c: connection, msg: dns_msg)
+	{
+	if ( get_conn_transport_proto(c$id) == udp )
+		rewrite_dns_end(c, T);
+	}
+
+event dns_query_reply(c: connection, msg: dns_msg, query: string,
+			qtype: count, qclass: count)
+	{
+	rewrite_dns_reply_question(c, msg, anonymize_host(query),
+					qtype, qclass);
+	}
+
+event dns_A_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr)
+	{
+	ans$query = anonymize_host(ans$query);
+	rewrite_dns_A_reply(c, msg, ans, anonymize_address(a, c$id));
+	}
+
+#### FIXME: ANONYMIZE!
+event dns_AAAA_reply(c: connection, msg: dns_msg, ans: dns_answer,
+			a: addr, astr: string)
+	{
+	ans$query = anonymize_host(ans$query);
+	astr = "::";
+	a = anonymize_address(a, c$id);
+	rewrite_dns_AAAA_reply(c, msg, ans, a, astr);
+	}
+
+event dns_NS_reply(c: connection, msg: dns_msg, ans: dns_answer, name: string)
+	{
+	ans$query = anonymize_host(ans$query);
+	rewrite_dns_NS_reply(c, msg, ans, anonymize_host(name));
+	}
+
+event dns_CNAME_reply(c: connection, msg: dns_msg, ans: dns_answer,
+			name: string)
+	{
+	ans$query = anonymize_host(ans$query);
+	rewrite_dns_CNAME_reply(c, msg, ans, anonymize_host(name));
+	}
+
+event dns_MX_reply(c: connection, msg: dns_msg, ans: dns_answer,
+			name: string, preference: count)
+	{
+	ans$query = anonymize_host(ans$query);
+	rewrite_dns_MX_reply(c, msg, ans, anonymize_host(name), preference);
+	}
+
+event dns_PTR_reply(c: connection, msg: dns_msg, ans: dns_answer, name: string)
+	{
+	ans$query = anonymize_host(ans$query);
+	rewrite_dns_PTR_reply(c, msg, ans, anonymize_host(name));
+	}
+
+event dns_SOA_reply(c: connection, msg: dns_msg, ans: dns_answer, soa: dns_soa)
+	{
+	soa$mname = anonymize_host(soa$mname);
+	soa$rname = anonymize_host(soa$rname);
+	ans$query = anonymize_host(ans$query);
+	rewrite_dns_SOA_reply(c, msg, ans, soa);
+	}
+
+event dns_TXT_reply(c: connection, msg: dns_msg, ans: dns_answer,
+			str: string)
+	{
+	str = anonymize_string(str);
+	ans$query = anonymize_host(ans$query);
+	rewrite_dns_TXT_reply(c, msg, ans, str);
+	}
+
+event dns_EDNS_addl (c: connection, msg: dns_msg, ans: dns_edns_additional)
+	{
+	rewrite_dns_EDNS_addl(c, msg, ans);
+	}
+
+event dns_rejected(c: connection, msg: dns_msg, query: string,
+			qtype: count, qclass: count)
+	{
+	#### Hmmm, this is probably not right - we are going to have to look
+	# at the question type to determine how to anonymize this.
+	rewrite_dns_reply_question(c, msg, anonymize_host(query),
+					qtype, qclass);
+	}
diff --git a/policy/dns-info.bro b/policy/dns-info.bro
new file mode 100644
index 0000000000..3ad36d461e
--- /dev/null
+++ b/policy/dns-info.bro
@@ -0,0 +1,81 @@
+# $Id: dns-info.bro 3919 2007-01-14 00:27:09Z vern $
+
+# Types, errors, and fields for analyzing DNS data.  A helper file
+# for dns.bro.
+
+const PTR = 12;
+const EDNS = 41;
+const ANY = 255;
+
+const query_types = {
+	[1] = "A", [2] = "NS", [3] = "MD", [4] = "MF",
+	[5] = "CNAME", [6] = "SOA", [7] = "MB", [8] = "MG",
+	[9] = "MR", [10] = "NULL", [11] = "WKS", [PTR] = "PTR",
+	[13] = "HINFO", [14] = "MINFO", [15] = "MX", [16] = "TXT",
+	[17] = "RP", [18] = "AFSDB", [19] = "X25", [20] = "ISDN",
+	[21] = "RT", [22] = "NSAP", [23] = "NSAP-PTR", [24] = "SIG",
+	[25] = "KEY", [26] = "PX" , [27] = "GPOS", [28] = "AAAA",
+	[29] = "LOC", [30] = "EID", [31] = "NIMLOC", [32] = "NB",
+	[33] = "SRV", [34] = "ATMA", [35] = "NAPTR", [36] = "KX",
+	[37] = "CERT", [38] = "A6", [39] = "DNAME", [40] = "SINK",
+ 	[EDNS] = "EDNS", [42] = "APL", [43] = "DS", [44] = "SINK",
+	[45] = "SSHFP", [46] = "RRSIG", [47] = "NSEC", [48] = "DNSKEY",
+	[49] = "DHCID", [99] = "SPF", [100] = "DINFO", [101] = "UID",
+	[102] = "GID", [103] = "UNSPEC", [249] = "TKEY", [250] = "TSIG",
+	[251] = "IXFR", [252] = "AXFR", [253] = "MAILB", [254] = "MAILA",
+	[32768] = "TA", [32769] = "DLV",
+	[ANY] = "*",
+} &default = function(n: count): string { return fmt("query-%d", n); };
+
+const DNS_code_types = {
+	[0] = "X0",
+	[1] = "Xfmt",
+	[2] = "Xsrv",
+	[3] = "Xnam",
+	[4] = "Ximp",
+	[5] = "X[",
+} &default = function(n: count): string { return "?"; };
+
+# Used for non-TSIG/EDNS types.
+const base_error = {
+	[0] = "NOERROR", 	# No Error
+	[1] = "FORMERR", 	# Format Error
+	[2] = "SERVFAIL",	# Server Failure
+	[3] = "NXDOMAIN",	# Non-Existent Domain
+	[4] = "NOTIMP",  	# Not Implemented
+	[5] = "REFUSED", 	# Query Refused
+	[6] = "YXDOMAIN",	# Name Exists when it should not
+	[7] = "YXRRSET", 	# RR Set Exists when it should not
+	[8] = "NXRRSet", 	# RR Set that should exist does not
+	[9] = "NOTAUTH", 	# Server Not Authoritative for zone
+	[10] = "NOTZONE",	# Name not contained in zone
+	[11] = "unassigned-11", # available for assignment
+	[12] = "unassigned-12", # available for assignment
+	[13] = "unassigned-13", # available for assignment
+	[14] = "unassigned-14", # available for assignment
+	[15] = "unassigned-15", # available for assignment
+	[16] = "BADVERS",	# for EDNS, collision w/ TSIG
+	[17] = "BADKEY",	# Key not recognized
+	[18] = "BADTIME",	# Signature out of time window
+	[19] = "BADMODE",	# Bad TKEY Mode
+	[20] = "BADNAME",	# Duplicate key name
+	[21] = "BADALG",	# Algorithm not supported
+	[22] = "BADTRUNC",	# draft-ietf-dnsext-tsig-sha-05.txt
+	[3842] = "BADSIG",	# 16 <= number collision with EDNS(16);
+				# this is a translation from TSIG(16)
+} &default = function(n: count): string { return "?"; };
+
+# This deciphers EDNS Z field values.
+const edns_zfield = {
+	[0] = "NOVALUE",	# regular entry
+	[32768] = "DNS_SEC_OK",	# accepts DNS Sec RRs
+} &default = function(n: count): string { return "?"; };
+
+const dns_class = {
+	[1] = "C_INTERNET",
+	[2] = "C_CSNET",
+	[3] = "C_CHAOS",
+	[4] = "C_HESOD",
+	[254] = "C_NONE",
+	[255] =	"C_ANY",
+} &default = function(n: count): string { return "?"; };
diff --git a/policy/dns-lookup.bro b/policy/dns-lookup.bro
new file mode 100644
index 0000000000..8ef1dd4f0a
--- /dev/null
+++ b/policy/dns-lookup.bro
@@ -0,0 +1,65 @@
+# $Id: dns-lookup.bro 340 2004-09-09 06:38:27Z vern $
+
+@load notice
+
+redef enum Notice += {
+	DNS_MappingChanged,	# some sort of change WRT previous Bro lookup
+};
+
+const dns_interesting_changes = {
+	"unverified", "old name", "new name", "mapping",
+} &redef;
+
+function dump_dns_mapping(msg: string, dm: dns_mapping): bool
+	{
+	if ( msg in dns_interesting_changes ||
+	     127.0.0.1 in dm$addrs )
+		{
+		local req = dm$req_host == "" ?
+				fmt("%As", dm$req_addr) : dm$req_host;
+		NOTICE([$note=DNS_MappingChanged,
+			$msg=fmt("DNS %s: %s/%s %s-> %As", msg, req,
+					dm$hostname, dm$valid ?
+						"" : "(invalid) ", dm$addrs),
+			$sub=msg]);
+
+		return T;
+		}
+	else
+		return F;
+	}
+
+event dns_mapping_valid(dm: dns_mapping)
+	{
+	dump_dns_mapping("valid", dm);
+	}
+
+event dns_mapping_unverified(dm: dns_mapping)
+	{
+	dump_dns_mapping("unverified", dm);
+	}
+
+event dns_mapping_new_name(dm: dns_mapping)
+	{
+	dump_dns_mapping("new name", dm);
+	}
+
+event dns_mapping_lost_name(dm: dns_mapping)
+	{
+	dump_dns_mapping("lost name", dm);
+	}
+
+event dns_mapping_name_changed(old_dm: dns_mapping, new_dm: dns_mapping)
+	{
+	if ( dump_dns_mapping("old name", old_dm) )
+		dump_dns_mapping("new name", new_dm);
+	}
+
+event dns_mapping_altered(dm: dns_mapping,
+				old_addrs: set[addr], new_addrs: set[addr])
+	{
+	if ( dump_dns_mapping("mapping", dm) )
+		NOTICE([$note=DNS_MappingChanged,
+			$msg=fmt("changed addresses: %As -> %As", old_addrs, new_addrs),
+			$sub="changed addresses"]);
+	}
diff --git a/policy/dns.bro b/policy/dns.bro
new file mode 100644
index 0000000000..812e7245cc
--- /dev/null
+++ b/policy/dns.bro
@@ -0,0 +1,675 @@
+# $Id: dns.bro 6724 2009-06-07 09:23:03Z vern $
+
+@load notice
+@load weird
+@load udp-common
+@load dns-info
+
+module DNS;
+
+export {
+	# Lookups of hosts in here are flagged ...
+	const sensitive_lookup_hosts: set[addr] &redef;
+
+	# ... unless the lookup comes from one of these hosts.
+	const okay_to_lookup_sensitive_hosts: set[addr] &redef;
+
+	# Start considering whether we're seeing PTR scanning if we've seen
+	# at least this many rejected PTR queries.
+	const report_rejected_PTR_thresh = 100 &redef;
+
+	# Generate a PTR_scan event if at any point (once we're above
+	# report_rejected_PTR_thresh) we see this many more distinct
+	# rejected PTR requests than distinct answered PTR requests.
+	const report_rejected_PTR_factor = 2.0 &redef;
+
+	# The following sources are allowed to do PTR scanning.
+	const allow_PTR_scans: set[addr] &redef;
+
+	# Annotations that if returned for a PTR lookup actually indicate
+	# a rejected query; for example, "illegal-address.lbl.gov".
+	const actually_rejected_PTR_anno: set[string] &redef;
+
+	# Hosts allowed to do zone transfers.
+	const zone_transfers_okay: set[addr] &redef;
+
+	# Set to false to disable printing to dns.log.
+	const logging = T &redef;
+
+	redef enum Notice += {
+		SensitiveDNS_Lookup,	# DNS lookup of sensitive hostname/addr
+		DNS_PTR_Scan,		# A set of PTR lookups
+		DNS_PTR_Scan_Summary,	# Summary of a set of PTR lookups
+		ResolverInconsistency,	# DNS answer changed
+		ZoneTransfer,		# a DNS zone transfer request was seen
+
+	};
+
+	# This is a list of domains that have a history of providing
+	# more RR's in response than they are supposed to.  There is
+	# some danger here in that record inconsistancies will not be 
+	# identified for these domains...
+	const bad_domain_resp: set[string] &redef;
+
+	# Same idea, except that it applies to a list of host names.
+	const bad_host_resp: set[string] &redef;
+
+	# Turn resolver consistancy checking on/off.
+	const resolver_consist_check = F &redef;
+
+	# Should queries be checked against 'bad' domains?
+	const check_domain_list = T;
+
+	# List of 'bad' domains.
+	const hostile_domain_list: set[string] &redef;
+
+	# Used for PTR scan detection.  Exported so their timeouts can be
+	# adjusted.
+	global distinct_PTR_requests:
+		table[addr, string] of count &default = 0 &write_expire = 5 min;
+	global distinct_rejected_PTR_requests:
+		table[addr] of count &default = 0 &write_expire = 5 min;
+	global distinct_answered_PTR_requests:
+		table[addr] of count &default = 0 &write_expire = 5 min;
+}
+
+redef capture_filters += { 
+	["dns"] = "port 53",
+	["netbios-ns"] = "udp port 137", 
+};
+
+# DPM configuration.
+global dns_ports = { 53/udp, 53/tcp, 137/udp } &redef;
+redef dpd_config += { [ANALYZER_DNS] = [$ports = dns_ports] };
+
+global dns_udp_ports = { 53/udp, 137/udp } &redef;
+global dns_tcp_ports = { 53/tcp } &redef;
+redef dpd_config += { [ANALYZER_DNS_UDP_BINPAC] = [$ports = dns_udp_ports] };
+redef dpd_config += { [ANALYZER_DNS_TCP_BINPAC] = [$ports = dns_tcp_ports] };
+
+# Default handling for peculiarities in DNS analysis.  You can redef these
+# again in your site-specific script if you want different behavior.
+redef Weird::weird_action += {
+	["DNS_AAAA_neg_length"]	= Weird::WEIRD_FILE,
+	["DNS_Conn_count_too_large"]	= Weird::WEIRD_FILE,
+	["DNS_NAME_too_long"]	= Weird::WEIRD_FILE,
+	["DNS_RR_bad_length"]	= Weird::WEIRD_FILE,
+	["DNS_RR_length_mismatch"]	= Weird::WEIRD_FILE,
+	["DNS_RR_unknown_type"]	= Weird::WEIRD_FILE,
+	["DNS_label_forward_compress_offset"]	= Weird::WEIRD_FILE,
+	["DNS_label_len_gt_name_len"]	= Weird::WEIRD_FILE,
+	["DNS_label_len_gt_pkt"]	= Weird::WEIRD_FILE,
+	["DNS_label_too_long"]	= Weird::WEIRD_FILE,
+	["DNS_name_too_long"]	= Weird::WEIRD_FILE,
+	["DNS_truncated_RR_rdlength_lt_len"]	= Weird::WEIRD_FILE,
+	["DNS_truncated_ans_too_short"]	= Weird::WEIRD_FILE,
+	["DNS_truncated_len_lt_hdr_len"]	= Weird::WEIRD_FILE,
+	["DNS_truncated_quest_too_short"]	= Weird::WEIRD_FILE,
+};
+
+type dns_session_info: record {
+	id: count;
+	is_zone_transfer: bool;
+	last_active: time;	# when we last saw activity
+
+	# Indexed by query id, returns string annotation corresponding to
+	# queries for which no answer seen yet.
+	pending_queries: table[count] of string;
+};
+
+# Indexed by client and server.
+global dns_sessions: table[addr, addr, count] of dns_session_info;
+global num_dns_sessions = 0;
+
+const PTR_pattern = /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\.in-addr\.arpa/;
+
+# Keeps track of for which addresses we processed a PTR_scan event.
+global did_PTR_scan_event: table[addr] of count &default = 0;
+
+# The following definitions relate to tracking when DNS records
+# change and whether they do so in a consistent fashion.
+type dns_response_record: record {
+	dns_name: string;	# domain name in question
+	dns_type: count;	# type of query
+	num_resp: count;	# number of responses
+	resp_count: count;	# how many responses have been registered
+	addrs: set[addr];	# addresses in response
+};
+
+global dns_history: table[string, count, count] of dns_response_record;
+
+global did_zone_transfer_notice: table[addr] of count &default = 0;
+
+# Sample known irregular domains.
+redef bad_domain_resp += { "instacontent.net", "mirror-image.net", };
+
+# Sample hostile domains.
+redef hostile_domain_list += { "undernet.org", "afraid.org", };
+
+global dns_log : file;
+
+event bro_init()
+	{
+	if ( logging )
+		dns_log = open_log_file("dns");
+	}
+
+event remove_name(name: string, qtype: count, id: count)
+	{
+	if ( [name, qtype, id] in dns_history )
+		{
+		# We need to remove the dns_history record and the assosciated
+		# dns_consistency_info records.
+
+		local drr = dns_history[name, qtype, id];
+		local a: addr;
+
+		for ( a in drr$addrs )
+			delete drr$addrs[a];
+
+		delete dns_history[name, qtype, id];
+		}
+	else if ( logging )
+		print dns_log, fmt("ERROR in history session removal: %s/%d doesn't exist", name, qtype);
+	}
+
+# Returns the second-level domain, so for example an argument of "a.b.c.d"
+# returns "c.d".
+function second_level_domain(name: string): string
+	{
+	local split_on_dots = split(name, /\./);
+	local num_dots = length(split_on_dots);
+
+	if ( num_dots <= 1 )
+		return name;
+
+	return fmt("%s.%s", split_on_dots[num_dots-1], split_on_dots[num_dots]);
+	}
+
+function insert_name(c: connection, msg: dns_msg, ans: dns_answer, a: addr)
+	{
+	local drr: dns_response_record;
+
+	if ( [ans$query, ans$qtype, msg$id] !in dns_history )
+		{ # add record
+		drr$dns_name = ans$query;
+		drr$dns_type = ans$qtype;
+
+		# Here we modified the expected number of addresses to allow
+		# for the number of answer RR's along with the provided
+		# additional RR's.
+		drr$num_resp = msg$num_answers+msg$num_addl;
+		drr$resp_count = 0;
+		add drr$addrs[a];
+
+		dns_history[ans$query, ans$qtype, msg$id] = drr;
+
+		if ( ans$TTL < 0 sec )
+			# Strangely enough, the spec allows this,
+			# though it's hard to see why!  But because
+			# of that, we don't generate a Weird, we
+			# just change the TTL to 0.
+			ans$TTL = 0 sec;
+
+		# Check the TTL, but allow a smidgen of skew to avoid
+		# possible race conditions.
+		schedule ans$TTL + 1 sec
+			{ remove_name(ans$query, ans$qtype, msg$id) };
+		}
+	else
+		{ # extract record and do some counting
+		drr = dns_history[ans$query, ans$qtype, msg$id];
+
+		# In some broken records, the number of reported records is 0.
+		# This makes the test below fail, to 'fix' set to 1 ...
+		if ( drr$num_resp == 0 )
+			drr$num_resp = 1;
+
+		# Check if we have filled in the expected number of responses
+		# already - it should be > current responder count to allow
+		# for resolver timeouts.  Addresses are only added if they
+		# are not already prsent.  This comes at a slight performance
+		# cost.
+		if ( a !in drr$addrs ) 
+			{
+			add drr$addrs[a];
+			++drr$resp_count;
+			dns_history[ans$query, ans$qtype, msg$id]=drr;
+			}
+
+		if ( drr$num_resp >= drr$resp_count )
+			return;
+
+		if ( second_level_domain(ans$query) in bad_domain_resp )
+			return;
+
+		if ( ans$query in bad_host_resp )
+			return;
+
+		# Too many responses to the request, or some other
+		# inconsistency has been introduced.
+
+		NOTICE([$note=ResolverInconsistency, $conn=c,
+			$msg=fmt("address inconsistency for %s, %s", ans$query, a),
+			$dst=a]);
+		}
+	}
+
+event expire_DNS_session(orig: addr, resp: addr, trans_id: count)
+	{
+	if ( [orig, resp, trans_id] in dns_sessions )
+		{
+		local session = dns_sessions[orig, resp, trans_id];
+		local last_active = session$last_active;
+		if ( network_time() > last_active + dns_session_timeout ||
+		     done_with_network )
+			{
+			# Flush out any pending requests.
+			if ( logging )
+				{
+				for ( query in session$pending_queries )
+					print dns_log, fmt("%0.6f #%d %s",
+							network_time(), session$id,
+							session$pending_queries[query]);
+
+				print dns_log, fmt("%.06f #%d finish",
+						network_time(), session$id);
+				}
+
+			delete dns_sessions[orig, resp, trans_id];
+			}
+
+		else
+			schedule dns_session_timeout {
+				expire_DNS_session(orig, resp, trans_id)
+			};
+		}
+	}
+
+function lookup_DNS_session(c: connection, trans_id: count): dns_session_info
+	{
+	local id = c$id;
+	local orig = id$orig_h;
+	local resp = id$resp_h;
+
+	if ( [orig, resp, trans_id] !in dns_sessions )
+		{
+		local session: dns_session_info;
+		session$id = ++num_dns_sessions;
+		session$last_active = network_time();
+		session$is_zone_transfer = F;
+
+		if ( logging )
+			print dns_log, fmt("%.06f #%d %s start",
+				c$start_time, session$id, id_string(id));
+
+		dns_sessions[orig, resp, trans_id] = session;
+
+		schedule 15 sec { expire_DNS_session(orig, resp, trans_id) };
+
+		append_addl(c, fmt("#%d", session$id));
+
+		return session;
+		}
+
+	else
+		return dns_sessions[orig, resp, trans_id];
+	}
+
+event sensitive_addr_lookup(c: connection, a: addr, is_query: bool)
+	{
+	local orig = c$id$orig_h;
+	local resp = c$id$resp_h;
+	local holding = 0;
+
+	if ( orig in okay_to_lookup_sensitive_hosts )
+		return;
+
+	local session_id: string;
+	if ( [orig, resp, holding] in dns_sessions )
+		session_id = fmt("#%d", dns_sessions[orig, resp, holding]$id);
+	else
+		session_id = "#?";
+
+	local id = fmt("%s > %s (%s)", orig, resp, session_id);
+
+	if ( is_query )
+		NOTICE([$note=SensitiveDNS_Lookup, $conn=c,
+			$msg=fmt("%s PTR lookup of %s", id, a),
+			$sub="PTR lookup"]);
+	else
+		NOTICE([$note=SensitiveDNS_Lookup, $conn=c,
+			$msg=fmt("%s name lookup of %s", id, a),
+			$sub="name lookup"]);
+	}
+
+function DNS_query_annotation(c: connection, msg: dns_msg, query: string,
+				qtype: count, is_zone_xfer: bool): string
+	{
+	local anno: string;
+
+	if ( (qtype == PTR || qtype == ANY) && query == PTR_pattern )
+		{
+		# convert PTR text to more readable form.
+		local a = ptr_name_to_addr(query);
+		if ( a in sensitive_lookup_hosts && ! is_zone_xfer )
+			event sensitive_addr_lookup(c, a, T);
+
+		anno = fmt("?%s %As", query_types[qtype], a);
+		}
+	else
+		anno = fmt("%s %s", query_types[qtype], query);
+
+	if ( ! is_zone_xfer &&
+	     (msg$num_answers > 0 || msg$num_auth > 0 || msg$num_addl > 0) )
+		anno = fmt("%s <query addl = %d/%d/%d>", anno,
+			msg$num_answers, msg$num_auth, msg$num_addl);
+
+	return anno;
+	}
+
+
+event dns_zone_transfer_request(c: connection, session: dns_session_info,
+				msg: dns_msg, query: string)
+	{
+	session$is_zone_transfer = T;
+
+	if ( ! is_tcp_port(c$id$orig_p) )
+		event conn_weird("UDP_zone_transfer", c);
+
+	local src = c$id$orig_h;
+	if ( src !in zone_transfers_okay &&
+	     ++did_zone_transfer_notice[src] == 1 )
+		{
+		NOTICE([$note=ZoneTransfer, $src=src, $conn=c,
+			$msg=fmt("transfer of %s requested by %s", query, src)]);
+		}
+	}
+
+event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count)
+	{
+	local id = c$id;
+	local orig = id$orig_h;
+	local resp = id$resp_h;
+	local session = lookup_DNS_session(c, msg$id);
+	local anno = DNS_query_annotation(c, msg, query, qtype, F);
+
+	local report = fmt("%.06f #%d %s", network_time(), session$id, c$id$orig_h);
+	local q: string;
+
+	if ( query_types[qtype] == "AXFR" )
+		{
+		event dns_zone_transfer_request(c, session, msg, query);
+
+		q = DNS_query_annotation(c, msg, query, qtype, T);
+		report = fmt("%s ?%s", report, q);
+		}
+	else
+		report = fmt("%s <query ?%s> %s Trunc:%s Recurs:%s",
+			report, query_types[qtype], query, msg$TC, msg$RD);
+
+	if ( logging )
+		print dns_log, fmt("%s", report);
+
+	# Check to see if this is a host or MX lookup for a designated
+	# hostile domain.
+	if ( check_domain_list &&
+	     (query_types[qtype] == "A" || query_types[qtype] == "MX") &&
+	     second_level_domain(query) in hostile_domain_list )
+		{
+		NOTICE([$note=SensitiveDNS_Lookup, $conn=c,
+			$msg=fmt("%s suspicious domain lookup: %s", id, query)]);
+		}
+
+	session$pending_queries[msg$id] = anno;
+	session$last_active = network_time();
+	}
+
+event dns_rejected(c: connection, msg: dns_msg,
+			query: string, qtype: count, qclass: count)
+	{
+	local session = lookup_DNS_session(c, msg$id);
+	local code = DNS_code_types[msg$rcode];
+	local id = msg$id;
+
+	if ( id in session$pending_queries )
+		{
+		if ( logging )
+			print dns_log, fmt("%.06f #%d %s %s", network_time(),
+						session$id,
+						session$pending_queries[id],
+						code);
+
+		delete session$pending_queries[id];
+		}
+
+	else if ( logging )
+		{
+		if ( c$start_time == network_time() )
+			print dns_log, fmt("%.06f #%d [?%s] %s", network_time(),
+						session$id, query, code);
+		else
+			print dns_log, fmt("%.06f #%d %s", network_time(),
+						session$id, code);
+		}
+	}
+
+event PTR_scan_summary(src: addr)
+	{
+	NOTICE([$note=DNS_PTR_Scan_Summary, $src=src,
+		$msg=fmt("%s totaled %d/%d un/successful PTR lookups", src,
+			distinct_rejected_PTR_requests[src],
+			distinct_answered_PTR_requests[src]),
+		$sub="final summary"]);
+	}
+
+event PTR_scan(src: addr)
+	{
+	++did_PTR_scan_event[src];
+
+	if ( src !in allow_PTR_scans && src !in okay_to_lookup_sensitive_hosts )
+		{
+		NOTICE([$note=DNS_PTR_Scan, $src=src,
+			$msg=fmt("%s has made %d/%d un/successful PTR lookups",
+				src, distinct_rejected_PTR_requests[src],
+				distinct_answered_PTR_requests[src]),
+			$sub="scan detected"]);
+
+		schedule 1 day { PTR_scan_summary(src) };
+		}
+	}
+
+function check_PTR_scan(src: addr)
+	{
+	if ( src !in did_PTR_scan_event &&
+	     distinct_rejected_PTR_requests[src] >=
+	     distinct_answered_PTR_requests[src] * report_rejected_PTR_factor )
+		event PTR_scan(src);
+	}
+
+function DNS_answer(c: connection, msg: dns_msg,
+			ans: dns_answer, annotation: string)
+	{
+	local is_answer = ans$answer_type == DNS_ANS;
+	local session = lookup_DNS_session(c, msg$id);
+	local report =
+		fmt("%.06f #%d %s", network_time(), session$id, c$id$orig_h);
+	local id = msg$id;
+	local query: string;
+
+	if ( id in session$pending_queries )
+		{
+		query = fmt("%s = <ans %s>", session$pending_queries[id],
+				query_types[ans$qtype]);
+		delete session$pending_queries[id];
+		report = fmt("%s %s", report, query);
+		}
+
+	else if ( session$is_zone_transfer )
+		{ # need to provide the query directly.
+		query = fmt("<ans %s>", query_types[ans$qtype]);
+		report = fmt("%s ?%s", report, query);
+		}
+
+	else
+		{
+		# No corresponding query.  This can happen if it's
+		# already been deleted because we've already processed
+		# an answer to it; or if the session itself was timed
+		# out prior to this answer being generated.  In the
+		# first case, we don't want to provide the query again;
+		# in the second, we do.  We can determine that we're
+		# likely in the second case if either (1) this session
+		# was just now created, or (2) we're now processing the
+		# sole answer to the original query.
+		#
+		# However, for now we punt.
+		#
+		#	if ( c$start_time == network_time() ||
+		#	     (is_answer && msg$num_answers == 1) )
+		#		{
+		#		query = DNS_query_annotation(c, msg, ans$query, ans$qtype, F);
+		#		report = fmt("%s [?%s]", report, query);
+		#		}
+		#	else
+		#		query = "";
+
+		query = fmt("<ans %s>", query_types[ans$qtype]);
+		report = fmt("%s %s", report, query);
+		}
+
+	# Append a bunch of additional annotation.
+	report = fmt("%s %s RCode:%s AA=%s TR=%s %s/%s/%s/%s",
+		report, annotation, base_error[msg$rcode], msg$AA, msg$TC,
+		msg$num_queries, msg$num_answers, msg$num_auth, msg$num_addl );
+
+	local src = c$id$orig_h;
+
+	if ( msg$rcode != 0 )
+		{
+		if ( /\?(PTR|\*.*in-addr).*/ in query )
+			##### should check for private address
+			{
+			if ( ++distinct_PTR_requests[src, query] == 1 &&
+			     ++distinct_rejected_PTR_requests[src] >=
+			       report_rejected_PTR_thresh )
+				check_PTR_scan(src);
+			}
+
+		report = fmt("%s %s", report, DNS_code_types[msg$rcode]);
+		}
+
+	else if ( is_answer )
+		{
+		if ( /\?(PTR|\*.*in-addr).*/ in query )
+			{
+			if ( annotation in actually_rejected_PTR_anno )
+				{
+				if ( ++distinct_PTR_requests[src, query] == 1 &&
+				     ++distinct_rejected_PTR_requests[src] >=
+				       report_rejected_PTR_thresh )
+					check_PTR_scan(src);
+				}
+			else
+				{
+				if ( ++distinct_PTR_requests[src, query] == 1 )
+					++distinct_answered_PTR_requests[src];
+				}
+			}
+		}
+
+	if ( logging )
+		print dns_log, fmt("%s TTL=%g", report, ans$TTL);
+
+	### Note, DNS_AUTH and DNS_ADDL not processed.
+
+	session$last_active = network_time();
+	}
+
+event dns_A_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr)
+	{
+	if ( a in sensitive_lookup_hosts )
+		event sensitive_addr_lookup(c, a, F);
+
+	DNS_answer(c, msg, ans, fmt("%As", a));
+
+	if ( resolver_consist_check )
+		insert_name(c, msg, ans, a );
+
+	}
+
+event dns_NS_reply(c: connection, msg: dns_msg, ans: dns_answer, name: string)
+	{
+	DNS_answer(c, msg, ans, fmt("%s", name));
+	}
+
+event dns_CNAME_reply(c: connection, msg: dns_msg, ans: dns_answer, name: string)
+	{
+	DNS_answer(c, msg, ans, fmt("%s %s", query_types[ans$qtype], name));
+	}
+
+event dns_PTR_reply(c: connection, msg: dns_msg, ans: dns_answer, name: string)
+	{
+	DNS_answer(c, msg, ans, fmt("%s", name));
+	}
+
+event dns_SOA_reply(c: connection, msg: dns_msg, ans: dns_answer, soa: dns_soa)
+	{
+	DNS_answer(c, msg, ans, fmt("%s", soa$mname));
+	}
+
+event dns_MX_reply(c: connection, msg: dns_msg, ans: dns_answer, name: string,
+			preference: count)
+	{
+	DNS_answer(c, msg, ans, fmt("%s/%d", name, preference));
+	}
+
+event dns_EDNS(c: connection, msg: dns_msg, ans: dns_answer)
+	{
+	DNS_answer(c, msg, ans, "<---?--->");
+	}
+
+
+# From here on down we need to modify the way that data is recorded.  The
+# standard resource record format is no longer universally applicable in
+# that we may see modified structs or some number of value pairs that may take
+# more flexability in reporting.
+
+event dns_EDNS_addl(c: connection, msg: dns_msg, ans: dns_edns_additional)
+	{
+	local session = lookup_DNS_session(c, msg$id);
+	local report =
+		fmt("%.06f #%d %s", network_time(), session$id, c$id$orig_h);
+
+	if ( ans$is_query == 1 )
+		report = fmt("%s <addl_edns ?>", report);
+	else
+		report = fmt("%s <addl_edns> ", report);
+
+	if ( logging )
+		print dns_log, fmt("%s pldsize:%s RCode:%s VER:%s Z:%s",
+				report, ans$payload_size,
+				base_error[ans$extended_rcode],
+				ans$version, edns_zfield[ans$z_field]);
+	}
+
+event dns_TSIG_addl(c: connection, msg: dns_msg, ans: dns_tsig_additional)
+	{
+	local session = lookup_DNS_session(c, msg$id);
+	local report =
+		fmt("%.06f #%d %s", network_time(), session$id, c$id$orig_h);
+
+	# Error handling with this is a little odd: number collision with EDNS.
+	# We set the collided value to the first private space number.  gross.
+	local trans_error_num = (ans$rr_error == 16) ?  3842 : ans$rr_error;
+
+	if ( ans$is_query == 1 )
+		report = fmt("%s <addl_tsig ?> ", report);
+	else
+		report = fmt("%s <addl_tsig> ", report);
+
+	if ( logging )
+		print dns_log, fmt("%s name:%s alg:%s origID:%s RCode:%s",
+				report, ans$query, ans$alg_name,
+				ans$orig_id, base_error[trans_error_num]);
+	}
diff --git a/policy/dpd.bro b/policy/dpd.bro
new file mode 100644
index 0000000000..5963e5e7a3
--- /dev/null
+++ b/policy/dpd.bro
@@ -0,0 +1,5 @@
+# $Id: dpd.bro,v 1.1.2.1 2006/05/10 02:10:26 sommer Exp $
+#
+# Activates port-independent protocol detection.
+
+redef signature_files += "dpd.sig";
diff --git a/policy/drop-adapt.bro b/policy/drop-adapt.bro
new file mode 100644
index 0000000000..b599770ded
--- /dev/null
+++ b/policy/drop-adapt.bro
@@ -0,0 +1,74 @@
+# $Id: drop-adapt.bro 6940 2009-11-14 00:38:53Z robin $
+#
+# Adjust load level based on packet drops.
+#
+
+@load load-level
+
+# Increase load-level if packet drops are successively 'count' times
+# above 'threshold' percent.
+const drop_increase_count = 5 &redef;
+const drop_increase_threshold = 5.0 &redef;
+
+# Same for decreasing load-level.
+const drop_decrease_count = 15 &redef;
+const drop_decrease_threshold = 0.0 &redef;
+
+# Minimum time to wait after a load-level increase before new decrease.
+const drop_decrease_wait = 20 mins &redef;
+
+global drop_last_stat: net_stats;
+global drop_have_stats = F;
+global drop_above = 0;
+global drop_below = 0;
+
+global drop_last_increase: time = 0;
+
+event net_stats_update(t: time, ns: net_stats)
+	{
+	if ( drop_have_stats )
+		{
+		local new_recvd = ns$pkts_recvd - drop_last_stat$pkts_recvd;
+		local new_dropped =
+			ns$pkts_dropped - drop_last_stat$pkts_dropped;
+
+		local p = new_dropped * 100.0 / new_recvd;
+
+		drop_last_stat = ns;
+
+		if ( p >= 0 )
+			{
+			if ( p >= drop_increase_threshold )
+				{
+				if ( ++drop_above >= drop_increase_count )
+					{
+					increase_load_level();
+					drop_above = 0;
+					drop_last_increase = t;
+					}
+				}
+			else
+				drop_above = 0;
+
+			if ( t - drop_last_increase < drop_decrease_wait )
+				return;
+
+			if ( p <= drop_decrease_threshold )
+				{
+				if ( ++drop_below >= drop_decrease_count )
+					{
+					decrease_load_level();
+					drop_below = 0;
+					}
+				}
+			else
+				drop_below = 0;
+
+			}
+		}
+	else
+		{
+		drop_have_stats = T;
+		drop_last_stat = ns;
+		}
+	}
diff --git a/policy/drop.bro b/policy/drop.bro
new file mode 100644
index 0000000000..b2e75fa269
--- /dev/null
+++ b/policy/drop.bro
@@ -0,0 +1,340 @@
+# $Id:$
+#
+# drop.bro implements a drop/restore policy termed "catch-and-release"
+# whereby the first time an address is dropped, it is restored a while after
+# the last connection attempt seen.  If a connection attempt is subsequently
+# seen, however, then the system is blocked again, and for a longer time.
+#
+# This policy has significant benefits when using Bro to update router
+# ACLs for which:
+#     - The router has a limited number of ACLs slots.
+#     - You care about possible reuse of IP addresses by now-benign hosts,
+#	so don't want blocks to last forever.
+#
+# Original code by Jim Mellander, LBNL.
+# Updated by Brian Tierney, LBNL and by Robin Sommer, ICSI.
+
+@load site
+
+module Drop;
+
+export {
+	redef enum Notice += {
+		# Connectivity with given address has been dropped.
+		AddressDropped,
+
+		# A request to drop connectivity has been ignored.
+		AddressDropIgnored,
+
+		# Connectivity with given address has been restored.
+		AddressRestored,
+
+		AddressAlreadyDropped,	# host is already dropped
+
+		# Previously dropped host connects again.
+		AddressSeenAgain,
+
+		# Previous offenders re-dropped or re-restored.
+		RepeatAddressDropped,
+		RepeatAddressRestored,
+	};
+
+	# True if we have the capability to drop hosts at all.
+	const can_drop_connectivity = F &redef;
+
+	# True if we never want to drop local addresses.
+	const dont_drop_locals = T &redef;
+
+	# True if we should use the catch-and-release scheme.  If not then
+	# we simply drop addresses via the drop_connectivity_script and
+	# never restore them (they must be restored out-of-band).
+	const use_catch_release = F &redef;
+
+	# Catch-and-release parameters.
+
+	# Interval to wait for release following inactivity after
+	# first offense.
+	global drop_time = 5 min &redef;
+
+	# For repeat offenders: if the total time a host has already been
+	# dropped reaches persistent_offender_time, we drop the host for
+	# long_drop_time.  Setting persistent_offender_time to zero disables
+	# this functionality.
+	const persistent_offender_time = 2 hr &redef;
+	global long_drop_time = 12 hr &redef;
+
+	# Scripts to perform the actual dropping/restore. They get the
+	# IP address as their first argument.
+	const drop_connectivity_script = "drop-connectivity" &redef;
+	const restore_connectivity_script = "restore-connectivity" &redef;
+
+	const root_servers = {
+		a.root-servers.net, b.root-servers.net, c.root-servers.net,
+		d.root-servers.net, e.root-servers.net, f.root-servers.net,
+		g.root-servers.net, h.root-servers.net, i.root-servers.net,
+		j.root-servers.net, k.root-servers.net, l.root-servers.net,
+		m.root-servers.net,
+	} &redef;
+
+	const gtld_servers = {
+		a.gtld-servers.net, b.gtld-servers.net, c.gtld-servers.net,
+		d.gtld-servers.net, e.gtld-servers.net, f.gtld-servers.net,
+		g.gtld-servers.net, h.gtld-servers.net, i.gtld-servers.net,
+		j.gtld-servers.net, k.gtld-servers.net, l.gtld-servers.net,
+		m.gtld-servers.net,
+	} &redef;
+
+	const never_shut_down = {
+		root_servers, gtld_servers,
+	} &redef;
+
+	const never_drop_nets: set[subnet] &redef;
+
+	# Drop the connectivity for the address. "msg" gives a reason.
+	# It returns a copy of the NOTICE generated for the drop, which
+	# gives more information about the kind of dropping performed.
+	# If the notice type is NoticeNone, the drop was not successful
+	# (e.g., because this Bro instance is not configured to do drops.)
+	global drop_address: function(a: addr, msg: string) : notice_info;
+
+	# The following events are used to communicate information about the
+	# drops, in particular for C&R in the cluster setting.
+
+	# Address has been dropped.
+	global address_dropped: event(a: addr);
+
+	# Raised when an IP is restored.
+	global address_restored: event(a: addr);
+
+	# Raised when an that was dropped in the past is no
+	# longer monitored specifically for new connections.
+	global address_cleared: event(a: addr);
+
+	const debugging = F &redef;
+	global debug_log: function(msg: string);
+}
+
+type drop_rec: record {
+	tot_drop_count: count &default=0;
+	tot_restore_count: count &default=0;
+	actual_restore_count: count &default=0;
+	tot_drop_time: interval &default=0secs;
+	last_timeout: interval &default=0secs;
+};
+
+global clear_host: function(t: table[addr] of drop_rec, a: addr): interval;
+
+global drop_info: table[addr] of drop_rec
+	&read_expire = 1 days &expire_func=clear_host &persistent;
+
+global last_notice: notice_info;
+
+function do_notice(n: notice_info)
+	{
+	last_notice = n;
+	NOTICE(n);
+	}
+
+function dont_drop(a: addr) : bool
+	{
+	return ! can_drop_connectivity || a in never_shut_down ||
+	       a in never_drop_nets || (dont_drop_locals && is_local_addr(a));
+	}
+
+function is_dropped(a: addr) : bool
+	{
+	if ( a !in drop_info )
+		return F;
+
+	local di = drop_info[a];
+
+	if ( di$tot_drop_count < di$tot_restore_count )
+		{ # This shouldn't happen.
+		# FIXME: We need an assert().
+		print "run-time error: more restores than drops!";
+		return F;
+		}
+
+	return di$tot_drop_count > di$tot_restore_count;
+	}
+
+global debug_log_file: file;
+
+function debug_log(msg: string)
+	{
+	if ( ! debugging )
+		return;
+
+	print debug_log_file,
+		fmt("%.6f [%s] %s", network_time(), peer_description, msg);
+	}
+
+event bro_init()
+	{
+	if ( debugging )
+		{
+		debug_log_file =
+			open_log_file(fmt("drop-debug.%s", peer_description));
+		set_buf(debug_log_file, F);
+		}
+	}
+
+function do_direct_drop(a: addr, msg: string)
+	{
+	if ( msg != "" )
+		msg = fmt(" (%s)", msg);
+
+	if ( a !in drop_info )
+		{
+		local tmp: drop_rec;
+		drop_info[a] = tmp;
+		}
+
+	local di = drop_info[a];
+
+	if ( is_dropped(a) )
+		# Already dropped. Nothing to do.
+		do_notice([$note=Drop::AddressAlreadyDropped, $src=a,
+				$msg=fmt("%s%s", a, msg)]);
+	else
+		{
+		system(fmt("%s %s", Drop::drop_connectivity_script, a));
+
+		debug_log(fmt("sending drop for %s", a));
+		event Drop::address_dropped(a);
+
+		if ( di$tot_drop_count == 0 )
+			do_notice([$note=Drop::AddressDropped, $src=a,
+					$msg=fmt("%s%s", a, msg)]);
+		else
+			{
+			local s = fmt("(%d times)", di$tot_drop_count + 1);
+			do_notice([$note=Drop::RepeatAddressDropped,
+				$src=a, $n=di$tot_drop_count+1,
+				$msg=fmt("%s%s %s", a, msg, s), $sub=s]);
+			}
+		}
+
+	++di$tot_drop_count;
+	debug_log(fmt("dropped %s: tot_drop_count=%d tot_restore_count=%d",
+			a, di$tot_drop_count, di$tot_restore_count));
+	}
+
+# Restore a previously dropped address.
+global do_restore: function(a: addr, force: bool);
+
+event restore_dropped_address(a: addr)
+	{
+	do_restore(a, F);
+	}
+
+function do_catch_release_drop(a: addr, msg: string)
+	{
+	do_direct_drop(a, msg);
+
+	local di = drop_info[a];
+
+	local t = (persistent_offender_time != 0 sec &&
+		   di$tot_drop_time >= persistent_offender_time) ?
+			long_drop_time : drop_time;
+
+	di$tot_drop_time += t;
+	di$last_timeout = t;
+
+	schedule t { restore_dropped_address(a) };
+	}
+
+function do_restore(a: addr, force: bool)
+	{
+	if ( a !in drop_info )
+		return;
+
+	local di = drop_info[a];
+	++drop_info[a]$tot_restore_count;
+	debug_log(fmt("restored %s: tot_drop_count=%d tot_restore_count=%d force=%s", a, drop_info[a]$tot_drop_count, drop_info[a]$tot_restore_count, force));
+
+	if ( di$tot_drop_count == di$tot_restore_count || force )
+		{
+		++di$actual_restore_count;
+		system(fmt("%s %s", Drop::restore_connectivity_script, a));
+
+		debug_log(fmt("sending restored for %s", a));
+		event Drop::address_restored(a);
+
+		local t = di$last_timeout;
+
+		if ( di$actual_restore_count == 1 )
+			{
+			local s1 = fmt("(timeout %.1f)", t);
+			do_notice([$note=Drop::AddressRestored, $src=a,
+				   $msg=fmt("%s %s", a, s1), $sub=s1]);
+			}
+
+		else
+			{
+			local s2 = fmt("(%d times, timeout %.1f)",
+					di$actual_restore_count, t);
+			do_notice([$note=Drop::RepeatAddressRestored, $src=a,
+				   $n=di$tot_restore_count,
+				   $msg=fmt("%s %s", a, s2), $sub=s2]);
+			}
+		}
+	}
+
+function clear_host(t: table[addr] of drop_rec, a: addr): interval
+	{
+	if ( is_dropped(a) )
+		# Restore address.
+		do_restore(a, T);
+
+	debug_log(fmt("sending cleared for %s", a));
+	event Drop::address_cleared(a);
+
+	return 0 secs;
+	}
+
+# Returns true if drop was successful (or IP was already dropped).
+function drop_address(a: addr, msg: string) : notice_info
+	{
+	debug_log(fmt("drop_address(%s, %s)", a, msg));
+
+	last_notice = [$note=NoticeNone];
+
+	if ( dont_drop(a) )
+		do_notice([$note=AddressDropIgnored, $src=a,
+			$msg=fmt("ignoring request to drop %s (%s)", a, msg)]);
+	else if ( use_catch_release )
+		do_catch_release_drop(a, msg);
+	else
+		do_direct_drop(a, msg);
+
+	if ( last_notice$note == NoticeNone )
+		print "run-time error: drop_address did not raise a NOTICE";
+
+	return last_notice;
+	}
+
+event new_connection(c: connection)
+	{
+	if ( ! can_drop_connectivity )
+		return;
+
+	# With Catch & Release, 1 connection from a previously dropped system
+	# triggers an immediate redrop.
+	if ( ! use_catch_release )
+		return;
+
+	local a = c$id$orig_h;
+
+	if ( a !in drop_info )
+		# Never dropped.
+		return;
+
+	local di = drop_info[a];
+	if ( is_dropped(a) )
+		# Still dropped.
+		return;
+
+	NOTICE([$note=AddressSeenAgain, $src=a,
+		$msg=fmt("%s seen again after release", a)]);
+	}
diff --git a/policy/dyn-disable.bro b/policy/dyn-disable.bro
new file mode 100644
index 0000000000..b1b5bd937e
--- /dev/null
+++ b/policy/dyn-disable.bro
@@ -0,0 +1,53 @@
+# $Id: dyn-disable.bro,v 1.1.4.3 2006/05/31 01:52:02 sommer Exp $
+#
+# When this script is loaded, analyzers that raise protocol_violation events
+# are disabled for the affected connection.
+
+# Note that this a first-shot solution. Eventually, we should make the
+# disable-decision more fine-grained/sophisticated.
+
+@load conn
+@load notice
+
+module DynDisable;
+
+export {
+	redef enum Notice += {
+		ProtocolViolation
+	};
+
+	# Ignore violations which go this many bytes into the connection.
+	const max_volume = 10 * 1024 &redef;
+}
+
+global conns: table[conn_id] of set[count];
+
+event protocol_violation(c: connection, atype: count, aid: count,
+				reason: string)
+	{
+	if ( c$id in conns && aid in conns[c$id] )
+		return;
+
+	local size = c$orig$size + c$resp$size;
+
+	if ( max_volume > 0 && size > max_volume )
+		return;
+
+	# Disable the analyzer that raised the last core-generated event.
+	disable_analyzer(c$id, aid);
+
+	NOTICE([$note=ProtocolViolation, $conn=c,
+		$msg=fmt("%s analyzer %s disabled due to protocol violation",
+				id_string(c$id), analyzer_name(atype)),
+		$sub=reason, $n=atype]);
+
+	if ( c$id !in conns )
+		conns[c$id] = set();
+
+	add conns[c$id][aid];
+	}
+
+event connection_state_remove(c: connection)
+	{
+	delete conns[$id=c$id];
+	}
diff --git a/policy/file-flush.bro b/policy/file-flush.bro
new file mode 100644
index 0000000000..481d078e59
--- /dev/null
+++ b/policy/file-flush.bro
@@ -0,0 +1,18 @@
+# $Id: file-flush.bro 786 2004-11-24 08:25:16Z vern $
+
+# Causes all files to be flushed every file_flush_interval seconds.
+# Useful if you want to poke through the log files in real time,
+# particularly if network traffic is light.
+
+global file_flush_interval = 10 sec &redef;
+
+event file_flush_event()
+	{
+	flush_all();
+	schedule file_flush_interval { file_flush_event() };
+	}
+
+event bro_init()
+	{
+	schedule file_flush_interval { file_flush_event() };
+	}
diff --git a/policy/finger.bro b/policy/finger.bro
new file mode 100644
index 0000000000..8cf1dbba65
--- /dev/null
+++ b/policy/finger.bro
@@ -0,0 +1,89 @@
+# $Id: finger.bro 4758 2007-08-10 06:49:23Z vern $
+
+module Finger;
+
+export {
+	const hot_names = {
+		"root", "lp", "uucp", "nuucp", "demos", "operator", "sync",
+		"r00t", "tutor", "tour", "admin", "system", "guest", "visitor",
+		"0", "1", "2", "3", "4", "5", "6", "7", "8", "9",
+	} &redef;
+
+	const max_finger_request_len = 80 &redef;
+}
+
+redef capture_filters += { ["finger"] = "port finger" };
+
+# DPM configuration.
+global finger_ports = { 79/tcp } &redef;
+redef dpd_config += { [ANALYZER_FINGER] = [$ports = finger_ports] };
+
+function public_user(user: string): bool
+	{
+	return T;
+	}
+
+function authorized_client(host: addr): bool
+	{
+	return T;
+	}
+
+event finger_request(c: connection, full: bool, username: string, hostname: string)
+	{
+	local id = c$id;
+	local request: string;
+
+	if ( hostname != "" )
+		request = cat(username, "@", hostname);
+	else
+		request = username;
+
+	if ( byte_len(request) > max_finger_request_len )
+		{
+		request = fmt("%s...", sub_bytes(request, 1, max_finger_request_len));
+		++c$hot;
+		}
+
+	if ( hostname != "" )
+		++c$hot;
+
+	if ( username in hot_names )
+		++c$hot;
+
+	local req = request == "" ? "ALL" : fmt("\"%s\"", request);
+
+	if ( full )
+		req = fmt("%s (/W)", req);
+
+	if ( c$addl != "" )
+		# This is an additional request.
+		req = fmt("(%s)", req);
+
+	append_addl_marker(c, req, " *");
+
+	if ( rewriting_finger_trace )
+		rewrite_finger_request(c, full,
+				public_user(username) ? username : "private user",
+				hostname);
+	}
+
+event finger_reply(c: connection, reply_line: string)
+	{
+	local id = c$id;
+	if ( rewriting_finger_trace )
+		rewrite_finger_reply(c,
+				authorized_client(id$orig_h) ? "finger reply ..." : reply_line);
+	}
+
+function is_finger_conn(c: connection): bool
+	{
+	return c$id$resp_p == finger;
+	}
+
+event connection_state_remove(c: connection)
+	{
+	if ( rewriting_finger_trace && requires_trace_commitment &&
+	     is_finger_conn(c) )
+		# Commit queued packets and all packets in future.
+		rewrite_commit_trace(c, T, T);
+	}
diff --git a/policy/firewall.bro b/policy/firewall.bro
new file mode 100644
index 0000000000..adbf7a450c
--- /dev/null
+++ b/policy/firewall.bro
@@ -0,0 +1,195 @@
+# $Id: firewall.bro 4758 2007-08-10 06:49:23Z vern $
+#
+# Firewall-like rules.
+
+@load notice
+@load conn
+@load ftp
+
+module Firewall;
+
+export {
+	type action: enum { ALLOW, DENY };
+	type cmp: enum { EQ, NE };
+
+	type rule: record {
+		label: string &default = "<no-label>";
+		orig: subnet &default = 0.0.0.0/0;
+		orig_set: set[addr] &optional;
+		orig_cmp: cmp &default = EQ;
+		orig_p: port &default = 0/tcp;
+		orig_p_cmp: cmp &default = EQ;
+		resp: subnet &default = 0.0.0.0/0;
+		resp_set: set[addr] &optional;
+		resp_cmp: cmp &default = EQ;
+		resp_p: port &default = 0/tcp;
+		resp_p_cmp: cmp &default = EQ;
+		prot: transport_proto &default = unknown_transport;
+		prot_cmp: cmp &default = EQ;
+		state: string &default = "";
+		state_cmp: cmp &default = EQ;
+		is_ftp: bool &default = F;
+
+		action: action &default = ALLOW;
+	};
+
+	redef enum Notice += {
+		DenyRuleMatched
+	};
+
+	global begin: function(c: connection);
+	global match_rule: function(c: connection, r: rule);
+}
+
+const log_file = open_log_file("firewall") &redef;
+
+global stop_matching = F;
+
+function do_match(c: connection, r: rule): bool
+	{
+	if ( r$orig_cmp == EQ )
+		{
+		if ( r?$orig_set )
+			{
+			if ( c$id$orig_h !in r$orig_set && c$id$orig_h !in r$orig )
+				return F;
+			}
+		else
+			{
+			if ( c$id$orig_h !in r$orig )
+				return F;
+			}
+		}
+	else
+		{
+		if ( r?$orig_set )
+			{
+			if ( c$id$orig_h in r$orig_set || c$id$orig_h in r$orig )
+				return F;
+			}
+		else
+			{
+			if ( c$id$orig_h in r$orig )
+				return F;
+			}
+		}
+
+	if ( r$resp_cmp == EQ )
+		{
+		if ( r?$resp_set )
+			{
+			if ( c$id$resp_h !in r$resp_set && c$id$resp_h !in r$resp )
+				return F;
+			}
+		else
+			{
+			if ( c$id$resp_h !in r$resp )
+				return F;
+			}
+		}
+	else
+		{
+		if ( r?$resp_set )
+			{
+			if ( c$id$resp_h in r$resp_set || c$id$resp_h in r$resp )
+				return F;
+			}
+		else
+			{
+			if ( c$id$resp_h in r$resp )
+				return F;
+			}
+		}
+
+	if ( r$orig_p != 0/tcp )
+		{
+		if ( r$orig_p_cmp == EQ )
+			{
+			if ( c$id$orig_p != r$orig_p )
+				return F;
+			}
+		else
+			if ( c$id$orig_p == r$orig_p )
+				return F;
+		}
+
+	if ( r$resp_p != 0/tcp )
+		{
+		if ( r$resp_p_cmp == EQ )
+			{
+			if ( c$id$resp_p != r$resp_p )
+				return F;
+			}
+		else
+			if ( c$id$resp_p == r$resp_p )
+				return F;
+		}
+
+	if ( r$state != "" )
+		{
+		local state = conn_state(c, get_port_transport_proto(c$id$orig_p));
+		if ( r$state_cmp == EQ )
+			{
+			if ( state != r$state )
+				return F;
+			}
+		else
+			if ( state == r$state )
+				return F;
+		}
+
+	if ( r$prot != unknown_transport )
+		{
+		local proto = get_port_transport_proto(c$id$orig_p);
+		if ( r$prot_cmp == EQ )
+			{
+			if ( proto != r$prot )
+				return F;
+			}
+		else
+			if ( proto == r$prot )
+				return F;
+		}
+
+	if ( r$is_ftp && ! is_ftp_data_conn(c) )
+		return F;
+
+	return T;
+	}
+
+
+function report_violation(c: connection, r:rule)
+	{
+	local trans = get_port_transport_proto(c$id$orig_p);
+	local state = conn_state(c, trans);
+
+	NOTICE([$note=DenyRuleMatched,
+			$msg=fmt("%s %s",
+		 	id_string(c$id), trans), $conn=c, $sub=r$label]);
+	append_addl(c, fmt("<%s>", r$label));
+	record_connection(log_file, c);
+	}
+
+function begin(c: connection)
+	{
+	stop_matching = F;
+	}
+
+function match_rule(c: connection, r: rule)
+	{
+	if ( stop_matching )
+		return;
+
+	if ( do_match(c, r) )
+		{
+		stop_matching = T;
+
+		if ( r$action == DENY )
+			report_violation(c, r);
+		}
+	}
+
+event bro_init()
+	{
+	set_buf(log_file, F);
+	}
diff --git a/policy/flag-irc.bro b/policy/flag-irc.bro
new file mode 100644
index 0000000000..60d687bff7
--- /dev/null
+++ b/policy/flag-irc.bro
@@ -0,0 +1,18 @@
+# $Id: flag-irc.bro 4758 2007-08-10 06:49:23Z vern $
+#
+# include this module to flag various forms of IRC access.
+
+@load ftp
+
+redef FTP::hot_files +=
+	  /.*eggdrop.*/
+	| /.*eggsun.*/
+	;
+
+redef Hot::flag_successful_inbound_service: table[port] of string += {
+	[[6666/tcp, 6667/tcp]] = "inbound IRC",
+};
+
+redef Hot::hot_dsts: table[addr] of string += {
+	[bitchx.com] = "IRC source sites",
+};
diff --git a/policy/flag-warez.bro b/policy/flag-warez.bro
new file mode 100644
index 0000000000..6781252338
--- /dev/null
+++ b/policy/flag-warez.bro
@@ -0,0 +1,11 @@
+# $Id: flag-warez.bro 416 2004-09-17 03:52:28Z vern $
+#
+# include this module to flag various forms of Warez access.
+
+@load hot-ids
+@load ftp
+
+redef FTP::hot_files += /.*[wW][aA][rR][eE][zZ].*/ ;
+
+redef always_hot_ids += { "warez", "hanzwarez", "zeraw", };
+redef hot_ids += { "warez", "hanzwarez", "zeraw", };
diff --git a/policy/frag.bro b/policy/frag.bro
new file mode 100644
index 0000000000..fcced8cd9a
--- /dev/null
+++ b/policy/frag.bro
@@ -0,0 +1,6 @@
+# Capture TCP fragments, but not UDP (or ICMP), since those are a lot more
+# common due to high-volume, fragmenting protocols such as NFS :-(.
+
+redef capture_filters += { ["frag"] = "(ip[6:2] & 0x3fff != 0) and tcp" };
+
+redef frag_timeout = 5 min;
diff --git a/policy/ftp-anonymizer.bro b/policy/ftp-anonymizer.bro
new file mode 100644
index 0000000000..560b85119b
--- /dev/null
+++ b/policy/ftp-anonymizer.bro
@@ -0,0 +1,846 @@
+# $Id: ftp-anonymizer.bro 47 2004-06-11 07:26:32Z vern $
+
+@load ftp
+@load anon
+
+# Definitions of constants.
+
+# Check if those commands carry any argument; anonymize non-empty
+# argument.
+const ftp_cmds_with_no_arg = {
+	"CDUP", "QUIT", "REIN", "PASV", "STOU",
+	"ABOR", "PWD", "SYST", "NOOP",
+
+	"FEAT",	"XPWD",
+};
+
+const ftp_cmds_with_file_arg = {
+	"APPE", "CWD", "DELE", "LIST", "MKD",
+	"NLST", "RMD", "RNFR", "RNTO", "RETR",
+	"STAT", "STOR", "SMNT",
+	# FTP extensions
+	"SIZE", "MDTM",
+	"MLSD", "MLST",
+	"XCWD",
+};
+
+# For following commands, we check if the argument conforms to the
+# specification -- if so, it is safe to be left in the clear.
+const ftp_cmds_with_safe_arg = {
+	"TYPE", "STRU", "MODE", "ALLO", "REST",
+	"HELP",
+
+	"MACB",	# MacBinary encoding
+};
+
+# ftp_other_cmds can be redefined in site/trace-specific ways.
+const ftp_other_cmds = {
+	"LPRT", "OPTS", "CLNT", "RETP",
+	"EPSV", "XPWD",
+	"SOCK",	# old FTP command (RFC 354)
+} &redef;
+
+# Below defines patterns of arguments of FTP commands
+
+# The following patterns are case-insensitive
+const ftp_safe_cmd_arg_pattern =
+	  /TYPE (([AE]( [NTC])?)|I|(L [0-9]+))/
+	| /STRU [FRP]/
+	| /MODE [SBC]/
+	| /ALLO [0-9]+([ \t]+R[ \t]+[0-9]+)?/
+	| /REST [!-~]+/
+	| /MACB (E|DISABLE|ENABLE)/
+	| /SITE TRUTH ON/
+	&redef;
+
+# The following list includes privacy-safe [cmd, arg] pairs and can be
+# customized for particular traces
+const ftp_safe_arg_list: set[string, string] = {
+} &redef;
+
+# ftp_special_cmd_args offers an even more flexible way of customizing
+# argument anonymization: for each [cmd, arg] pair in the table, the
+# corresponding value will be the anonymized argument.
+const ftp_special_cmd_args: table[string, string] of string = {
+} &redef;
+
+# The following words are safe to be left in the clear as the argument
+# of a HELP command.
+const ftp_help_words = {
+	"USER",	"PORT",	"STOR",	"MSAM",	"RNTO",	"NLST",	"MKD",	"CDUP",
+	"PASS",	"PASV",	"APPE",	"MRSQ",	"ABOR",	"SITE",	"XMKD",	"XCUP",
+	"ACCT",	"TYPE",	"MLFL",	"MRCP",	"DELE",	"SYST",	"RMD",	"STOU",
+	"SMNT",	"STRU",	"MAIL",	"ALLO",	"CWD",	"STAT",	"XRMD",	"SIZE",
+	"REIN",	"MODE",	"MSND",	"REST",	"XCWD",	"HELP",	"PWD",	"MDTM",
+	"QUIT",	"RETR",	"MSOM",	"RNFR",	"LIST",	"NOOP",	"XPWD",
+} &redef;
+
+const ftp_port_pat = /[0-9]+([[:blank:]]*,[[:blank:]]*[0-9]+){5}/;
+
+# Pattern for the argument of EPRT command.
+# TODO: the pattern works fot the common case but is not RFC2428-complete.
+const ftp_eprt_pat = /\|1\|[0-9]{1,3}(\.[0-9]{1,3}){3}\|[0-9]{1,5}\|/;
+
+# IP addresses.
+const ftp_ip_pat = /[0-9]{1,3}(\.[0-9]{1,3}){3}/;
+
+# Domain names (deficiency: domain suffices of countries).
+const ftp_domain_name_pat =
+	/([\-0-9a-zA-Z]+\.)+(com|edu|net|org|gov|mil|uk|fr|nl|es|jp|it)/;
+
+# File names (printable characters).
+const ftp_file_name_pat = /[[:print:]]+/;
+
+# File names that can be left in the clear.
+const ftp_public_files =
+	  /\// | /\.\./		# "/" and ".."
+	| /(\/etc\/|master\.)?(passwd|shadow|s?pwd\.db)/ # ftp_hot_files
+	| /\/(etc|usr\/bin|bin|sbin|kernel)(\/)?/
+	| /\.rhosts/ | /\.forward/			 # ftp_hot_guest_files
+&redef;
+
+const ftp_sensitive_files =
+	  /.*(etc\/|master\.)?(passwd|shadow|s?pwd\.db)/ # ftp_hot_files
+	| /\/(etc|usr\/bin|bin|sbin|kernel)\/.*/
+	| /.*\.rhosts/ | /.*\.forward/			 # ftp_hot_guest_files
+&redef;
+
+# Public servers.
+const ftp_public_servers: set[addr] = {} &redef;
+
+# Whether we keep all file names (valid or invalid) for public servers.
+const ftp_keep_all_files_for_public_servers = F &redef;
+
+# Public files.
+const ftp_known_public_files: set[addr, string] = {} &redef;
+
+# Hidden file/directory.
+const ftp_hidden_file = /.*\/\.[^.\/].*/;
+const ftp_public_hidden_file = /0/ &redef;
+
+# Options for file commands (LIST, NLST) that can be left in the clear.
+const ftp_known_option = /-[[:alpha:]]{1,5}[ ]*/;
+
+const ftp_known_site_cmd = {
+	"UMASK", "GROUP", "INDEX", "GROUPS",
+	"IDLE", "GPASS", "EXEC", "CHECKMETHOD",
+	"CHMOD", "NEWER", "ALIAS", "CHECKSUM",
+	"HELP", "MINFO", "CDPATH",
+
+	"TRUTH", "UTIME",
+} &redef;
+
+const ftp_sensitive_ids: set[string] = {
+	"backdoor", "bomb", "diag", "gdm", "issadmin", "msql", "netfrack",
+	"netphrack", "own", "r00t", "root", "ruut", "smtp", "sundiag", "sync",
+	"sys", "sysadm", "sysdiag", "sysop", "sysoper", "system", "toor", "tour",
+	"y0uar3ownd",
+};
+
+redef anonymize_ip_addr = T;
+redef rewriting_ftp_trace = T;
+
+global ftp_anon_log = open_log_file("ftp-anon") &redef;
+
+# Anonymized arguments, indexed by the anonymization seed.
+global anonymized_args: table[string] of string;
+
+# Arguments left in the clear, indexed by the argument and the context.
+global ftp_arg_left_in_the_clear: set[string, string];
+
+# Valid files on public servers.
+global ftp_valid_public_files: set[addr, string];
+
+type ftp_cmd_arg_anon_result: record {
+	anonymized: bool;
+	cmd: string;
+	arg: string;
+};
+
+
+# Whether anonymize_trace_specific_cmd_arg is defined:
+const trace_specific_cmd_arg_anonymization = F &redef;
+
+# This function is to be defined in a trace-specific script. By
+# default, use ftp-anonymizer-trace.bro.
+
+global anonymize_trace_specific_cmd_arg:
+	function(session: ftp_session_info, cmd: string, arg: string):
+		ftp_cmd_arg_anon_result;
+
+
+# Anonymize FTP replies by message patterns.
+const process_ftp_reply_by_message_pattern = F &redef;
+global anonymize_ftp_reply_by_msg_pattern:
+	function(code: count, act_msg: string,
+		cmd_arg: ftp_cmd_arg, session: ftp_session_info): string;
+
+
+# Anonymize an argument *completely* with a hash value of the string,
+# and log the anonymization.
+function anonymize_arg(typ: string, session: ftp_session_info, cmd: string, arg: string, seed: string): string
+	{
+	if ( arg == "" )
+		return ""; # an empty argument is safe
+
+	local arg_seed = string_cat(typ, seed, arg);
+
+	if ( arg_seed in anonymized_args )
+		return anonymized_args[arg_seed];
+
+	local a = anonymize_string(arg_seed);
+	anonymized_args[arg_seed] = a;
+
+	print ftp_anon_log,
+		fmt("anonymize_arg: (%s) {%s} %s \"%s\" to \"%s\" in [%s]",
+				typ, seed, cmd,
+				to_string_literal(arg), to_string_literal(a),
+				id_string(session$connection_id));
+	return a;
+	}
+
+# This function is called whenever an argument is to be left in the
+# clear. It logs the action if it hasn't occurred before.
+function leave_in_the_clear(msg: string, session: ftp_session_info,
+				arg: string, context: string): string
+	{
+	if ( [arg, context] !in ftp_arg_left_in_the_clear )
+		{
+		add ftp_arg_left_in_the_clear[arg, context];
+		print ftp_anon_log, fmt("leave_in_the_clear: (%s) \"%s\" [%s] in [%s]",
+				msg, to_string_literal(arg), context,
+				id_string(session$connection_id));
+		}
+	return arg;
+	}
+
+
+# Sometimes the argument of a file command contains an option string
+# before the file name, such as in 'LIST -l /xyz/', the following
+# function identifies such option strings and separate the argument
+# accordingly.
+
+type separate_option_str_result: record {
+	opt_str: string;
+	file_name: string;
+};
+
+function separate_option_str(file_name: string): separate_option_str_result
+	{
+	local ret: separate_option_str_result;
+	if ( file_name == /-[[:alpha:]]+( .*)?/ )
+		{
+		local parts = split_all(file_name, /-[[:alpha:]]+[ ]*/);
+		ret$opt_str = string_cat(parts[1], parts[2]);
+		parts[1] = ""; parts[2] = "";
+		ret$file_name = cat_string_array(parts);
+		return ret;
+		}
+	else
+		return [$opt_str = "", $file_name = file_name];
+	}
+
+
+# Anonymize a user id
+type login_status_type: enum {
+	LOGIN_PENDING,
+	LOGIN_SUCCESSFUL,
+	LOGIN_FAILED,
+	LOGIN_UNKNOWN,
+};
+
+function anonymize_user_id(session: ftp_session_info, id: string, login_status: login_status_type, msg: string): string
+	{
+	if ( id in ftp_guest_ids )
+		{
+		leave_in_the_clear("guest_id", session, id, msg);
+		return id;
+		}
+
+	else if ( id in ftp_sensitive_ids && login_status == LOGIN_FAILED )
+		{
+		leave_in_the_clear("sensitive_id", session, id, msg);
+		return id;
+		}
+
+	else
+		return anonymize_arg("user_name", session, "USER", id, cat(session$connection_id$resp_h, login_status));
+	}
+
+# Anonymize a file name argument.
+function anonymize_file_name_arg(session: ftp_session_info, cmd: string, arg: string, valid_file_name: bool): string
+	{
+	local file_name = arg;
+	local opt_str = "";
+	if ( cmd == /LIST|NLST/ )
+		{
+		# Separate the option from file name if there is one
+
+		local ret = separate_option_str(file_name);
+		if ( ret$opt_str != "" )
+			{
+			opt_str = ret$opt_str;
+
+			# Shall we anonymize the option string?
+			if ( opt_str != ftp_known_option )
+				{
+				# Anonymize the option conservatively
+				print ftp_anon_log, fmt("option_anonymized: \"%s\" from (%s %s)",
+					to_string_literal(opt_str), cmd, file_name);
+				opt_str = "-<option>";
+				}
+			else
+				# Leave in the clear
+				print ftp_anon_log, fmt("option_left_in_the_clear: \"%s\" from (%s %s)",
+					to_string_literal(opt_str), cmd, file_name);
+
+			file_name = ret$file_name;
+			}
+		}
+
+	if ( file_name == "" )
+		return opt_str;
+
+	if ( file_name != ftp_file_name_pat )
+		{
+		# Log special file names (e.g. those containing
+		# control characters) for manual inspection -- such
+		# file names are rare and may present problems in
+		# reply anonymization.
+
+		print ftp_anon_log, fmt("unrecognized_file_name: \"%s\" (%s) [%s]",
+			to_string_literal(file_name), cmd, id_string(session$connection_id));
+		}
+
+
+	if ( strstr(file_name, " ") > 0 )
+		{
+		# Log file names that contain spaces (for debugging only)
+
+		print ftp_anon_log, fmt("space_in_file_name: \"%s\" (%s) [%s]",
+			to_string_literal(file_name), cmd, id_string(session$connection_id));
+		}
+
+	# Compute the absolute and clean (without '..' and duplicate
+	# '/') path
+	local abs_path = absolute_path(session, file_name);
+	local resp_h = session$connection_id$resp_h;
+	local known_public_file =
+		[resp_h, abs_path] in ftp_known_public_files ||
+		[resp_h, abs_path] in ftp_valid_public_files;
+
+	if ( file_name == ftp_public_files || abs_path == ftp_public_files )
+		{
+		leave_in_the_clear("public_path_name", session,
+			arg, fmt("(%s %s) %s", cmd, file_name, abs_path));
+		}
+
+	else if ( resp_h in ftp_public_servers &&
+		  (abs_path != ftp_hidden_file ||
+		   abs_path == ftp_public_hidden_file) &&
+		  (ftp_keep_all_files_for_public_servers || valid_file_name ||
+		   known_public_file) )
+		{
+		if ( valid_file_name && ! known_public_file )
+			{
+			add ftp_valid_public_files[resp_h, abs_path];
+			print ftp_anon_log,
+				fmt("valid_public_file: [%s, \"%s\"]",
+					resp_h, to_string_literal(abs_path));
+			}
+
+		leave_in_the_clear("file_on_public_server", session, arg,
+			fmt("%s %s:%s", cmd, session$connection_id$resp_h, abs_path));
+		}
+	else
+		{
+		local anon_type: string;
+
+		if ( file_name == ftp_sensitive_files ||
+		     abs_path == ftp_sensitive_files )
+			anon_type = "sensitive_path_name";
+
+		else if ( abs_path == ftp_hidden_file )
+			anon_type = "hidden_path_name";
+
+		else if ( resp_h in ftp_public_servers )
+			anon_type = "invalid_public_file";
+
+		else
+			anon_type = "path_name";
+
+		file_name = anonymize_arg(anon_type, session, cmd, abs_path, cat("file:", session$connection_id$resp_h));
+		}
+
+	# concatenate the option string with the file_name
+	return string_cat(opt_str, file_name);
+	}
+
+
+# The argument is presumably privacy-safe, but we should not assume
+# that it is the case. Instead, we check if the argument is legal and
+# thus privacy-free.
+function check_safe_arg(session: ftp_session_info, cmd: string,
+			arg: string): string
+	{
+	if ( cmd == "HELP" )
+		return ( arg in ftp_help_words ) ?
+				leave_in_the_clear("known_help_word", session,
+					arg,
+					fmt("%s %s", cmd, arg))
+				: anonymize_arg("unknown_help_string", session, cmd, arg, cmd);
+
+	else
+		# Note that we have already checked the (cmd, arg)
+		# against ftp_safe_cmd_arg_pattern. So the argument
+		# here must have an unrecognized pattern and should be
+		# anonymized.
+		return anonymize_arg("illegal_argument", session, cmd, arg, cmd);
+	}
+
+function check_site_arg(session: ftp_session_info, cmd: string,
+			arg: string): string
+	{
+	local site_cmd_arg = split1(arg, /[ \t]*/);
+
+	local site_cmd = site_cmd_arg[1];
+	local site_cmd_upper = to_upper(site_cmd);
+
+	if ( site_cmd_upper in ftp_known_site_cmd )
+		{
+		if ( length(site_cmd_arg) > 1 )
+			{
+			# If the there is an argument after "SITE <cmd>"
+			local site_arg = site_cmd_arg[2];
+			site_arg =
+				anonymize_arg(fmt("arg_of_site_%s", site_cmd),
+						session, cmd, site_arg, cmd);
+			return string_cat(site_cmd, " ", site_arg);
+			}
+		else
+			{
+			return leave_in_the_clear("known_site_command", session,
+						site_cmd,
+						fmt("%s %s", cmd, arg));
+			}
+		}
+	else
+		return anonymize_arg("site_arg", session, cmd, arg, cmd);
+	}
+
+function anonymize_port_arg(session: ftp_session_info, cmd: string,
+				arg: string): string
+	{
+	local data = parse_ftp_port(arg);
+
+	if ( data$valid )
+		{
+		local a: addr;
+		# Anonymize the address part
+		a = anonymize_address(data$h, session$connection_id);
+		return fmt_ftp_port(a, data$p);
+		}
+	else
+		return anonymize_arg("unrecognized_ftp_port", session, cmd, arg, "");
+	}
+
+# EPRT is an extension to the PORT command
+function anonymize_eprt_arg(session: ftp_session_info, cmd: string,
+				arg: string): string
+	{
+	if ( arg != ftp_eprt_pat )
+		return anonymize_arg("unrecognized_EPRT_arg", session, cmd, arg, "");
+
+	local parts = split(arg, /\|/);
+	# Anonymize the address part
+	local a = parse_dotted_addr(parts[3]);
+	a = anonymize_address(a, session$connection_id);
+	return fmt("|%s|%s|%s|", parts[2], a, parts[4]);
+	}
+
+# Anonymize arguments of commands that we do not understand
+function anonymize_other_arg(session: ftp_session_info, cmd: string, arg: string): string
+	{
+	local anon: string;
+
+	# Try to guess what the arg is
+
+	local data = parse_ftp_port(arg);
+	if ( arg == ftp_port_pat && data$valid )
+		# Here we do not check whether data$h == session$connection_id$orig_h
+		# because sometimes it's not the case, but we will try to anonymize it anyway.
+		{
+		anon = anonymize_port_arg(session, cmd, arg);
+		print ftp_anon_log, fmt("anonymize_arg: (%s) {} %s \"%s\" to \"%s\" in [%s]",
+					"port arg of non-port command",
+					cmd, arg, anon, id_string(session$connection_id));
+		}
+
+	else if ( arg == ftp_ip_pat )
+		{
+		local a = parse_dotted_addr(arg);
+		a = anonymize_address(a, session$connection_id);
+		anon = cat(a);
+		}
+
+	else if ( arg == ftp_domain_name_pat )
+		{
+		anon = "<domain name>";
+		}
+
+	else if ( arg == "." )
+		{
+		anon = arg;
+		leave_in_the_clear(".", session, arg, fmt("%s %s", cmd, arg));
+		}
+
+	else
+		# Anonymize by default.
+		anon = anonymize_arg("cannot_understand_arg",
+					session, cmd, arg, cmd);
+
+	return anon;
+	}
+
+# Anonymize the command and argument, and put the results in
+# cmd_arg$anonymized_{cmd, arg}
+function anonymize_ftp_cmd_arg(session: ftp_session_info,
+				cmd_arg: ftp_cmd_arg)
+	{
+	local cmd = cmd_arg$cmd;
+	local arg = cmd_arg$arg;
+	local anon : string;
+
+	cmd_arg$anonymized_cmd = cmd;
+
+	local ret: ftp_cmd_arg_anon_result;
+
+	if ( trace_specific_cmd_arg_anonymization )
+		ret = anonymize_trace_specific_cmd_arg(session, cmd, arg);
+	else
+		ret$anonymized = F;
+
+	if ( ret$anonymized )
+		{
+		# If the trace-specific anonymization applies to the cmd_arg
+			print ftp_anon_log, fmt("anonymize_arg: (%s) \"%s %s\" to \"%s %s\" in [%s]",
+				"trace-specific",
+				cmd, to_string_literal(arg),
+				ret$cmd, to_string_literal(ret$arg),
+				id_string(session$connection_id));
+		cmd_arg$anonymized_cmd = ret$cmd;
+		anon = ret$arg;
+		}
+
+	else if ( [cmd, arg] in ftp_special_cmd_args )
+		{
+		anon = ftp_special_cmd_args[cmd, arg];
+		print ftp_anon_log, fmt("anonymize_arg: (%s) [%s] \"%s\" to \"%s\" in [%s]",
+					"special_arg_transformation",
+					cmd,
+					to_string_literal(arg),
+					to_string_literal(anon),
+					id_string(session$connection_id));
+		}
+
+	else if ( to_upper(string_cat(cmd, " ", arg)) == ftp_safe_cmd_arg_pattern ||
+		  [cmd, arg] in ftp_safe_arg_list )
+		{
+		leave_in_the_clear("safe_arg", session, arg, fmt("%s %s", cmd, arg));
+		anon = arg;
+		}
+
+	else if ( cmd == "USER" || cmd == "ACCT" )
+		anon = (arg in ftp_guest_ids) ?
+			arg : anonymize_user_id(session, arg, LOGIN_PENDING, "");
+
+	else if ( cmd == "PASS" )
+		anon = "<password>";
+
+	else if ( cmd in ftp_cmds_with_no_arg )
+		anon = (arg == "") ?
+			"" :
+			anonymize_arg("should_have_been_empty",
+					session, cmd, arg, cmd);
+
+	else if ( cmd in ftp_cmds_with_file_arg )
+		{
+		if ( session$user in ftp_guest_ids )
+			anon = ( arg == "" ) ? "" : anonymize_file_name_arg(session, cmd, arg, F);
+		else
+			anon = "<path>";
+		}
+
+	else if ( cmd in ftp_cmds_with_safe_arg )
+		anon = check_safe_arg(session, cmd, arg);
+
+	else if ( cmd == "SITE" )
+		anon = check_site_arg(session, cmd, arg);
+
+	else if ( cmd == "PORT" )
+		anon = anonymize_port_arg(session, cmd, arg);
+
+	else if ( cmd == "EPRT" )
+		anon = anonymize_eprt_arg(session, cmd, arg);
+
+	else if ( cmd == "AUTH" )
+		anon = anonymize_arg("rejected_auth_arg", session, cmd, arg, cmd);
+
+	else
+		{
+		if ( cmd == /<.*>/ )
+			cmd_arg$anonymized_cmd = "";
+
+		else if ( cmd !in ftp_other_cmds )
+			{
+			local a = anonymize_string(string_cat("cmd:", cmd));
+			print ftp_anon_log, fmt("anonymize_cmd: (%s) \"%s\" [%s] to \"%s\" in [%s]",
+				"unrecognized command", to_string_literal(cmd),
+				to_string_literal(arg), a,
+				id_string(session$connection_id));
+			cmd_arg$anonymized_cmd = a;
+			}
+
+		anon = anonymize_other_arg(session, cmd, arg);
+		}
+
+	if ( cmd == "USER" )
+		session$anonymized_user = anon;
+
+	cmd_arg$anonymized_arg = anon;
+	}
+
+
+# We delay anonymization of certain requests till we see the reply:
+# when the argument of a USER command is a sensitive user ID, we
+# anonymize the ID if the login is successful and leave the ID in the
+# clear otherwise.
+#
+# The function returns T if the decision should be delayed.
+
+function delay_rewriting_request(session: ftp_session_info, cmd: string,
+				 arg: string): bool
+	{
+	return (cmd == "USER" && arg !in ftp_guest_ids) ||
+		(cmd == "AUTH") ||
+		(cmd in ftp_cmds_with_file_arg &&
+		 session$connection_id$resp_h in ftp_public_servers);
+	}
+
+function ftp_request_rewrite(c: connection, session: ftp_session_info,
+				cmd_arg: ftp_cmd_arg): bool
+	{
+	local cmd = cmd_arg$cmd;
+	local arg = cmd_arg$arg;
+
+	if ( delay_rewriting_request(session, cmd, arg) )
+		{
+		cmd_arg$rewrite_slot = reserve_rewrite_slot(c);
+		session$delayed_request_rewrite[cmd_arg$seq] = cmd_arg;
+		return F;
+		}
+	else
+		{
+		anonymize_ftp_cmd_arg(session, cmd_arg);
+		rewrite_ftp_request(c, cmd_arg$anonymized_cmd,
+					cmd_arg$anonymized_arg);
+		return T;
+		}
+	}
+
+function do_rewrite_delayed_ftp_request(c: connection, delayed: ftp_cmd_arg)
+	{
+	seek_rewrite_slot(c, delayed$rewrite_slot);
+
+	rewrite_ftp_request(c, delayed$cmd == /<.*>/ ? "" : delayed$cmd,
+				delayed$anonymized_arg);
+	release_rewrite_slot(c, delayed$rewrite_slot);
+
+	delayed$rewrite_slot = 0;
+	}
+
+function delayed_ftp_request_rewrite(c: connection, session: ftp_session_info,
+					delayed: ftp_cmd_arg,
+					current: ftp_cmd_arg,
+					reply_code: count)
+	{
+	local cmd = delayed$cmd;
+	local arg = delayed$arg;
+
+	if ( cmd == "USER" )
+		{
+		delayed$anonymized_cmd = cmd;
+
+		local login_status: login_status_type;
+
+		if ( reply_code == 0 )
+			login_status = LOGIN_UNKNOWN;
+
+		else if ( delayed$seq == current$seq ||
+		     current$cmd == "PASS" ||
+		     current$cmd == "ACCT" )
+				{
+			if ( reply_code >= 330 && reply_code < 340 ) # need PASS/ACCT
+				login_status = LOGIN_PENDING; # wait to see outcome of PASS
+
+			else if ( reply_code >= 400 && reply_code < 600 )
+					login_status = LOGIN_FAILED;
+
+			else if ( reply_code >= 230 && reply_code < 240 )
+				login_status = LOGIN_SUCCESSFUL;
+
+			else
+				login_status = LOGIN_UNKNOWN;
+			}
+
+		else if ( current$cmd == "USER" ) # another login attempt
+			login_status = LOGIN_FAILED;
+
+		else if ( reply_code == 230 )
+			login_status = LOGIN_SUCCESSFUL;
+
+		else if ( reply_code == 530 )
+			login_status = LOGIN_FAILED;
+
+		else
+			login_status = LOGIN_UNKNOWN;
+
+		if ( login_status != LOGIN_PENDING )
+			{
+			delayed$anonymized_arg =
+				anonymize_user_id(session, arg, login_status,
+					fmt("(%s %s) %s %s -> %d", cmd, arg, current$cmd, current$arg, reply_code));
+			do_rewrite_delayed_ftp_request(c, delayed);
+			}
+		}
+
+	else if ( cmd == "AUTH" )
+		{
+		delayed$anonymized_cmd = cmd;
+
+		if ( reply_code >= 500 && reply_code < 600 )
+			# if AUTH fails
+			{
+			anonymize_ftp_cmd_arg(session, delayed);
+			do_rewrite_delayed_ftp_request(c, delayed);
+			}
+
+		else if ( reply_code >= 300 && reply_code < 400 )
+			;
+		else 	# otherwise always anonymize the argument
+			{
+			delayed$anonymized_arg = "<auth_mechanism>";
+			do_rewrite_delayed_ftp_request(c, delayed);
+			}
+		}
+
+	else if ( cmd in ftp_cmds_with_file_arg && session$connection_id$resp_h in ftp_public_servers )
+		{
+		delayed$anonymized_cmd = cmd;
+
+		# The argument represents a valid file name on a
+		# public server only if the operation is successful.
+		delayed$anonymized_arg =
+			anonymize_file_name_arg(session, cmd, arg,
+				(cmd != "LIST" && cmd != "NLST" &&
+				 reply_code >= 100 && reply_code < 300));
+		do_rewrite_delayed_ftp_request(c, delayed);
+		}
+
+	else
+		{
+		print ftp_anon_log, "ERROR! unrecognizable delayed ftp request rewrite";
+
+		anonymize_ftp_cmd_arg(session, delayed);
+		do_rewrite_delayed_ftp_request(c, delayed);
+		}
+	}
+
+function process_delayed_rewrites(c: connection, session: ftp_session_info, reply_code: count, cmd_arg: ftp_cmd_arg)
+	{
+	local written: table[count] of ftp_cmd_arg;
+
+	for ( s in session$delayed_request_rewrite )
+		{
+		local ca = session$delayed_request_rewrite[s];
+		delayed_ftp_request_rewrite(c, session, ca, cmd_arg,
+					reply_code);
+
+		if ( ca$rewrite_slot == 0 )
+			written[ca$seq] = ca;
+		}
+
+	for ( s in written )
+		delete session$delayed_request_rewrite[s];
+	}
+
+function ftp_reply_rewrite(c: connection, session: ftp_session_info,
+				code: count, msg: string, cont_resp: bool,
+				cmd_arg: ftp_cmd_arg)
+	{
+	local actual_code = session$reply_code;
+	local xyz = parse_ftp_reply_code(actual_code);
+
+	process_delayed_rewrites(c, session, actual_code, cmd_arg);
+
+	if ( process_ftp_reply_by_message_pattern )
+		{
+		# See *ftp-reply-pattern.bro* for reply anonymization
+		local anon_msg = anonymize_ftp_reply_by_msg_pattern(actual_code, msg,
+					cmd_arg, session);
+		rewrite_ftp_reply(c, code, anon_msg, cont_resp);
+		}
+	else
+		rewrite_ftp_reply(c, code, "<ftp reply message stripped out>", cont_resp);
+	}
+
+
+const eliminate_scans = F &redef;
+const port_scanners: set[addr] &redef;
+global eliminate_scan_for_host: table[addr] of bool;
+
+function eliminate_scan(id: conn_id): bool
+	{
+	local h = id$resp_h;
+
+	if ( h !in eliminate_scan_for_host )
+		{
+		# if the hash string starts with [0-7], i.e. with probability of 50%
+		eliminate_scan_for_host[h] = (/^[0-7]/ in md5_hmac(h));
+		if ( eliminate_scan_for_host[h] )
+			print ftp_anon_log, fmt("eliminate_scans_for_host %s", h);
+		}
+
+	return eliminate_scan_for_host[h];
+	}
+
+redef call_ftp_connection_remove = T;
+
+function ftp_connection_remove(c: connection)
+	{
+	if ( c$id in ftp_sessions )
+		{
+		local session = ftp_sessions[c$id];
+		process_delayed_rewrites(c, session, 0, find_ftp_pending_cmd(session$pending_requests, 0, ""));
+		}
+
+	if ( eliminate_scans && ! requires_trace_commitment )
+		print ftp_anon_log,
+			fmt("ERROR: requires_trace_commitment must be set to true in order to allow scan elimination");
+
+	if ( requires_trace_commitment )
+		{
+		local id = c$id;
+		local eliminate = F;
+
+		if ( eliminate_scans &&
+		     # To check if the connection is part of a port scan
+		     (id !in ftp_sessions ||
+		      ftp_sessions[id]$num_requests == 0 ||
+		      id$orig_h in port_scanners) &&
+		     eliminate_scan(id) )
+			rewrite_commit_trace(c, F, T);
+		else
+			rewrite_commit_trace(c, T, T);
+		}
+	}
diff --git a/policy/ftp-cmd-arg.bro b/policy/ftp-cmd-arg.bro
new file mode 100644
index 0000000000..5bb7d269c8
--- /dev/null
+++ b/policy/ftp-cmd-arg.bro
@@ -0,0 +1,188 @@
+# $Id: ftp-cmd-arg.bro 416 2004-09-17 03:52:28Z vern $
+
+# For debugging purpose only
+# global ftp_cmd_reply_log = open_log_file("ftp-cmd-arg") &redef;
+
+const ftp_cmd_reply_code: set[string, count] = {
+	# According to RFC 959
+	["<init>", [120, 220, 421]],
+	["USER", [230, 530, 500, 501, 421, 331, 332]],
+	["PASS", [230, 202, 530, 500, 501, 503, 421, 332]],
+	["ACCT", [230, 202, 530, 500, 501, 503, 421]],
+	["CWD", [250, 500, 501, 502, 421, 530, 550]],
+	["CDUP", [200, 500, 501, 502, 421, 530, 550]],
+	["SMNT", [202, 250, 500, 501, 502, 421, 530, 550]],
+	["REIN", [120, 220, 421, 500, 502]],
+	["QUIT", [221, 500]],
+	["PORT", [200, 500, 501, 421, 530]],
+	["PASV", [227, 500, 501, 502, 421, 530]],
+	["MODE", [200, 500, 501, 504, 421, 530]],
+	["TYPE", [200, 500, 501, 504, 421, 530]],
+	["STRU", [200, 500, 501, 504, 421, 530]],
+	["ALLO", [200, 202, 500, 501, 504, 421, 530]],
+	["REST", [500, 501, 502, 421, 530, 350]],
+	["STOR", [125, 150, 110, 226, 250, 425, 426, 451, 551, 552, 532, 450, 452, 553, 500, 501, 421, 530]],
+	["STOU", [125, 150, 110, 226, 250, 425, 426, 451, 551, 552, 532, 450, 452, 553, 500, 501, 421, 530]],
+	["RETR", [125, 150, 110, 226, 250, 425, 426, 451, 450, 550, 500, 501, 421, 530]],
+	["LIST", [125, 150, 226, 250, 425, 426, 451, 450, 500, 501, 502, 421, 530]],
+	["NLST", [125, 150, 226, 250, 425, 426, 451, 450, 500, 501, 502, 421, 530]],
+	["APPE", [125, 150, 226, 250, 425, 426, 451, 551, 552, 532, 450, 550, 452, 553, 500, 501, 502, 421, 530]],
+	["RNFR", [450, 550, 500, 501, 502, 421, 530, 350]],
+	["RNTO", [250, 532, 553, 500, 501, 502, 503, 421, 530]],
+	["DELE", [250, 450, 550, 500, 501, 502, 421, 530]],
+	["RMD", [250, 500, 501, 502, 421, 530, 550]],
+	["MKD", [257, 500, 501, 502, 421, 530, 550]],
+	["PWD", [257, 500, 501, 502, 421, 550]],
+	["ABOR", [225, 226, 500, 501, 502, 421]],
+	["SYST", [215, 500, 501, 502, 421]],
+	["STAT", [211, 212, 213, 450, 500, 501, 502, 421, 530]],
+	["HELP", [211, 214, 500, 501, 502, 421]],
+	["SITE", [200, 202, 500, 501, 530]],
+	["NOOP", [200, 500, 421]],
+
+	# Extensions
+
+#	["SIZE", [213, 550]],
+#	["SITE", 214],
+#	["MDTM", 213],
+#	["EPSV", 500],
+#	["FEAT", 500],
+#	["OPTS", 500],
+
+#	["CDUP", 250],
+#	["CLNT", 200],
+#	["CLNT", 500],
+#	["EPRT", 500],
+
+#	["FEAT", 211],
+#	["HELP", 200],
+#	["LIST", 550],
+#	["LPRT", 500],
+#	["MACB", 500],
+#	["MDTM", 212],
+#	["MDTM", 500],
+#	["MDTM", 501],
+#	["MDTM", 550],
+#	["MLST", 500],
+#	["MLST", 550],
+#	["MODE", 502],
+#	["NLST", 550],
+#	["OPTS", 501],
+#	["REST", 200],
+#	["SITE", 502],
+#	["SIZE", 500],
+#	["STOR", 550],
+#	["SYST", 530],
+
+	["<init>", 0], # unexpected command-reply pair
+	["<missing>", 0], # unexpected command-reply pair
+	["QUIT", 0], # unexpected command-reply pair
+} &redef;
+
+global ftp_unexpected_cmd_reply: set[string];
+
+type ftp_cmd_arg: record {
+	cmd: string;
+	arg: string;
+	anonymized_cmd: string;
+	anonymized_arg: string;	# anonymized arg
+	seq: count;		# seq number
+	rewrite_slot: count;
+};
+
+type ftp_pending_cmds: record {
+	seq: count;
+	cmds: table[count] of ftp_cmd_arg;
+};
+
+function init_ftp_pending_cmds(): ftp_pending_cmds
+	{
+	local cmds: table[count] of ftp_cmd_arg;
+	return [$seq = 1, $cmds = cmds];
+	}
+
+function ftp_cmd_pending(s: ftp_pending_cmds): bool
+	{
+	return length(s$cmds) > 0;
+	}
+
+function add_to_ftp_pending_cmds(s: ftp_pending_cmds, cmd: string, arg: string)
+	: ftp_cmd_arg
+	{
+	local ca = [$cmd = cmd, $arg = arg, $anonymized_cmd = "<TBD!>",
+			$anonymized_arg = "<TBD!>", $seq = s$seq,
+			$rewrite_slot = 0];
+
+	s$cmds[s$seq] = ca;
+	++s$seq;
+
+	return ca;
+	}
+
+function find_ftp_pending_cmd(s: ftp_pending_cmds, reply_code: count, reply_msg: string): ftp_cmd_arg
+	{
+	if ( length(s$cmds) == 0 )
+		{
+		return [$cmd = "<unknown>", $arg = "",
+			$anonymized_cmd = "<TBD!>", $anonymized_arg = "<TBD!>",
+			$seq = 0, $rewrite_slot = 0];
+		}
+
+	local best_match: ftp_cmd_arg;
+	local best_score: int = -1;
+
+	for ( seq in s$cmds )
+		{
+		local ca = s$cmds[seq];
+		local score: int = 0;
+		# if the command is compatible with the reply code
+		# code 500 (syntax error) is compatible with all commands
+		if ( reply_code == 500 || [ca$cmd, reply_code] in ftp_cmd_reply_code )
+			score = score + 100;
+		# if the command or the command arg appears in the reply message
+		if ( strstr(reply_msg, ca$cmd) > 0 )
+			score = score + 20;
+		if ( strstr(reply_msg, ca$cmd) > 0 )
+			score = score + 10;
+		if ( score > best_score ||
+		     ( score == best_score && ca$seq < best_match$seq ) ) # break tie with sequence number
+			{
+			best_score = score;
+			best_match = ca;
+			}
+		}
+
+	if ( [best_match$cmd, reply_code] !in ftp_cmd_reply_code )
+		{
+		local annotation = "";
+		if ( length(s$cmds) == 1 )
+			annotation = "for sure";
+		else
+			{
+			for ( i in s$cmds )
+				annotation = cat(annotation, " ", s$cmds[i]$cmd);
+			annotation = cat("candidates:", annotation);
+			}
+		# add ftp_unexpected_cmd_reply[fmt("[\"%s\", %d], # %s",
+		#	best_match$cmd, reply_code, annotation)];
+		}
+
+	return best_match;
+	}
+
+function pop_from_ftp_pending_cmd(s: ftp_pending_cmds, ca: ftp_cmd_arg): bool
+	{
+	if ( ca$seq in s$cmds )
+		{
+		delete s$cmds[ca$seq];
+		return T;
+		}
+	else
+		return F;
+	}
+
+event bro_done()
+	{
+	# for ( cmd_reply in ftp_unexpected_cmd_reply )
+	# 	print ftp_cmd_reply_log, fmt("        %s", cmd_reply);
+	}
diff --git a/policy/ftp-reply-pattern.bro b/policy/ftp-reply-pattern.bro
new file mode 100644
index 0000000000..59c507978e
--- /dev/null
+++ b/policy/ftp-reply-pattern.bro
@@ -0,0 +1,1317 @@
+# $Id: ftp-reply-pattern.bro 6 2004-04-30 00:31:26Z jason $
+
+@load ftp-anonymizer
+
+redef process_ftp_reply_by_message_pattern = T;
+
+
+# A line of reply message is split into fields with the following
+# regular expression.  The regular expression defines the pattern of
+# field separators. Basically a field separator is blank space
+# enclosed by optional punctuations.
+
+const ftp_msg_field_separator =
+	  /@@BOL@@ [[:space:][:punct:]]*( @@EOL@@)?/
+	| /[[:space:][:punct:]]+/
+	| /[[:space:][:punct:]]* @@EOL@@/
+	;
+
+# Type *msg_format_info* defines a message format extracted from
+# messages.
+
+type msg_format_info: record {
+	parts: string_array;
+	code: count;
+	msg: string;		# one of the original messages
+	hit: count;		# number of messages that match the pattern
+};
+
+type msg_format_group: table[string] of msg_format_info;
+global msg_format_groups: table[string] of msg_format_group;
+
+
+# A pattern string (derived from one or more message formats) contains
+# fields enclosed by '|': e.g.
+#
+#  "211 @@BOL@@ |connected| |to| |~ domain, ~ ip| @@EOL@@"
+#
+# Thus we the field separator can be defined by the following pattern:
+# everything up to the first '|', after the last '|', or between two
+# adjacent '|'s in the middle.
+
+const ftp_pattern_field_separator =
+	  /@@BOL@@ @@EOL@@/
+	| /@@BOL@@ [^|]*\|/
+	| /\|[^|]+\|/
+	| /\|[^|]* @@EOL@@/
+	;
+
+# A message pattern is very similar to a message format, except that
+# the former is for message pattern matching and thus is used in a
+# different phase than a message format, which is used in pattern
+# extraction.
+
+type msg_pattern_info: record {
+	code: count;
+	str: string;
+	num_parts: count;
+	parts: string_array;
+	sep: string_array;
+	tok: string_array;
+	hit: count;
+};
+
+type msg_pattern_group: table[string] of msg_pattern_info;
+global msg_pattern_groups: table[string] of msg_pattern_group;
+
+
+# Here starts patterns of individual fields (numbers, ip address, domain
+# name, etc.) in the reply message:
+
+# Numbers (including float numbers and negative numbers)
+const ftp_number_pat = /[\-]?[0-9]+(\.[0-9]+)?/;
+
+# English words (including 's and 't)
+# const ftp_word_pat =
+	/[[:alpha:]]*('m|'re|[[:alpha:]]'s|s'|n't|'d|'ve|'ll)|[[:alpha:]]+/
+	;
+
+# File modes in ls -l (seen in replies for STAT)
+const ftp_file_mode_pat = /[ld\-]([r-][w-][xs-]){3}/;
+
+# FTP server version string
+const ftp_server_version_pat = /[a-zA-Z0-9]+([\.\-_][a-zA-Z0-9]+)+/ &redef;
+
+# FTP path name
+#
+# As it is not clear how to define a pattern for path names, it is
+# defined in two aspects: first, we define a pattern for strings that
+# are path names *almost for sure*:
+
+const ftp_path_pat = /\/.+\/.*/
+	| /README/
+	| /.*\.(gz|tar|Z|ps|pdf)/ 	# TODO: add other extensions
+	| /[A-Z]:[\\\/].*/ 		# a path name almost for sure
+	;
+
+# Second, we define a pattern for strings that can possibly be a path name:
+# const ftp_file_name_pat = /[[:print:]]+/;
+#
+# Together, we assume that
+# Set(ftp_path_pat) <= Set(path names) <= Set(ftp_file_name_pat)
+
+# DOS file names
+const ftp_dos_path_pat = /[A-Z]:[\\\/].*/;
+
+
+# Finally, a table of message field patterns
+const ftp_msg_part_patterns = {
+	["~ num"] = ftp_number_pat,
+	["~ port"] = ftp_port_pat,
+	["~ ip"] = ftp_ip_pat,
+	["~ domain"] = ftp_domain_name_pat,
+	["~ file_mode"] = ftp_file_mode_pat,
+	["~ time"] = /[0-9]{2}:[0-9]{2}(:[0-9]{2})?(am|pm)?/,
+	["~ day"] = /Mon|Tue|Wed|Thu|Fri|Sat|Sun/,
+	["~ month"] = /Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec/,
+	["~ ip,port"] = /[0-9]{1,3}(\.[0-9]{1,3}){3},[0-9]+/,
+	["~ ip:port"] = /[0-9]{1,3}(\.[0-9]{1,3}){3}:[0-9]+/,
+	["~ email"] = /[[:alnum:]\-\._]+@([\-0-9a-zA-Z]+\.)*[\-0-9a-zA-Z]+/,
+	["~ path"] = ftp_path_pat,
+	["~ url"] = /http:\/\/.+/,
+} &redef;
+
+
+# One critical issue in understanding an FTP reply message is to
+# recognize the request arguments in messages. The argument of an FTP
+# request may appear in various forms in the reply message,
+# e.g. argument "/abc//def/" may appear as "/abc/def/" (eliminate
+# duplicat /), "/abc/def" (w/o last /), or even "def" (base file name
+# only).
+
+# Type *ftp_arg_variant* defines the set of variants of an argument,
+# and function *expand_ftp_arg_variants* expands an argument to
+# its variants.
+
+type ftp_arg_variants: record {
+	arg: string;		# the argument
+	path: string;		# after eliminating options
+	norm_path: string;	# normalized path, after eliminating dup slashes
+	abs_path: string;	# the absolute path
+	base_path: string;	# the base file name only, without the directory part
+};
+
+
+# Trace-specific anonymization of replies
+# 1. Whether function anonymize_trace_specific_reply is defined:
+const trace_specific_reply_anonymization = F &redef;
+
+# 2. Result of message anonymization
+type ftp_reply_anon_result: record {
+	anonymized: bool;
+	msg: string;
+};
+
+# 3. The trace-specific function (to be defined externally)
+global anonymize_trace_specific_reply:
+	function(session: ftp_session_info, code: count, msg: string,
+		cmd_arg: ftp_cmd_arg,
+		arg_var: ftp_arg_variants): ftp_reply_anon_result;
+
+
+# Other global states:
+
+# Reply messages that are entirely stripped out (e.g. server banner message)
+global msg_stripped_out: set[string];
+
+# Remember wildcard matches to suppress the number of outputs
+global all_wildcard_matches: set[string, string];
+
+
+# PART I. Message pattern extraction
+
+function init_msg_format_info(parts: string_array, code: count, msg: string, level: count): msg_format_info
+	{
+	return [$parts = parts,
+		$code = code,
+		$msg = msg,
+		$hit = 0];
+	}
+
+
+# Whether the pattern defined by *parts* is a sub-pattern of
+# *fmt_parts*.
+
+function match_msg_format(fmt_parts: string_array, parts: string_array): bool
+	{
+	if ( length(fmt_parts) != length(parts) )
+		return F;
+
+	for ( i in fmt_parts )
+		{
+		if ( i % 2 == 1 )
+			{
+			local t1 = fmt_parts[i];
+			local t2 = parts[i];
+
+			if ( t1 == t2 || t1 == "~ *" ||
+			     (t1 == "~ path" &&
+			      (t2 == ftp_file_name_pat || t2 == "~ num")) )
+				; # t2 matches t1
+			else
+				return F;
+			}
+		}
+
+	return T;
+	}
+
+
+# Abstract msg_parts[k]. The whole msg_parts is passed because the
+# function needs to look at the context to decide whether a pattern is
+# applicable (in the case of version pattern).
+
+function abstract_msg_part(msg_parts: string_array, k: count, other_pat: table[string] of string): string
+	{
+	local part = msg_parts[k];
+	local abs_part: string;
+
+	if ( part in other_pat )
+		abs_part = other_pat[part];
+	else if ( k > 2 &&
+		  msg_parts[int_to_count(k-2)] == /[Vv]er(sion)?|[Rr]elease|.*ftpd.*|Server|Process/ &&
+		  part == ftp_server_version_pat &&
+		  part != ftp_domain_name_pat )
+		abs_part = "~ version";
+	else if ( part == ftp_msg_part_patterns["~ path"] &&
+		  part == ftp_file_name_pat )
+		abs_part = "~ path";
+	else
+		{
+		local known_pattern = 0;
+
+		for ( pat_ty in ftp_msg_part_patterns )
+			if ( part == ftp_msg_part_patterns[pat_ty] )
+				{
+				++known_pattern;
+				abs_part = pat_ty;
+				}
+		if ( known_pattern > 1 )
+			print ftp_anon_log,
+			    fmt("ERROR: ambiguous ftp msg part pattern: %s", part);
+		if ( known_pattern != 1 )
+			abs_part = part;
+		}
+
+	return abs_part;
+	}
+
+
+# Transform a message format to a pattern string.
+
+function fmt_parts_to_string(parts: string_array): string
+	{
+	local p: string_array;
+	local num_parts = length(parts);
+	for ( i in parts )
+		{
+		local s = parts[i];
+
+		if ( i == 1 || i == num_parts )
+			p[i] = "";
+		else if ( i % 2 == 1 )
+			p[i] = string_cat("|", to_lower(s), "|");
+		else
+			p[i] = " ";
+		}
+	return string_cat("@@BOL@@", cat_string_array(p), "@@EOL@@");
+	}
+
+
+# Extract the format of a message, if it does not match any known
+# format. The message is already splitted into *msg_parts*, and the
+# *act_msg* is only used for logging and debugging. Parameter
+# *other_pat* defines an instance-specific mapping from strings to
+# field types (e.g. "~ cmd", "~ arg"). For example, when "/fileA" is
+# the argument of the corresponding FTP requests, other_pat["/fileA"]
+# = "~ arg".
+
+function extract_ftp_reply_pattern(code: count, act_msg: string, msg_parts: string_array,
+			other_pat: table[string] of string,
+			session: ftp_session_info): bool
+	{
+	local num_parts = length(msg_parts);
+
+	# Abstract each part of the message.
+	local abs_parts: string_array;
+	for ( i in msg_parts )
+		{
+		if ( i % 2 == 1 )
+			abs_parts[i] = abstract_msg_part(msg_parts, i, other_pat);
+		else
+			abs_parts[i] = msg_parts[i];
+		}
+
+	# Derive the abstract message format
+	local abs_msg = fmt_parts_to_string(abs_parts);
+
+	# Locate the corresponding format group
+	local ind = fmt("%3d %3d", code, num_parts);
+	local fmt_group: msg_format_group;
+
+	if ( ind in msg_format_groups )
+		fmt_group = msg_format_groups[ind];
+	else
+		msg_format_groups[ind] = fmt_group;
+
+	# Check existing message formats
+	if ( abs_msg in fmt_group )
+		{
+		++fmt_group[abs_msg]$hit;
+		return F;
+		}
+
+	local the_fmt = init_msg_format_info(abs_parts, code,
+				fmt("%s: %s", id_string(session$connection_id), act_msg), 1);
+	the_fmt$hit = 1;
+
+	# Check whether it is a sub-format of a known format, or vice versa
+
+	# Whether the_fmt is a sub-format of another format
+	local sub_format = F;
+
+	# Which other formats are sub-formats of the_fmt
+	local sub_format_set: set[string];
+
+	for ( fm2 in fmt_group )
+		{
+		local f2 = fmt_group[fm2];
+		if ( match_msg_format(f2$parts, abs_parts) )
+			{
+			sub_format = T;	# abs_parts is a sub-format of f2
+			++f2$hit;
+			}
+		else if ( match_msg_format(abs_parts, f2$parts) )
+			add sub_format_set[fm2];
+		else
+			; # do nothing
+		}
+
+	# Do not add the format if it is a sub-format of another one.
+	if ( ! sub_format )
+		{
+		fmt_group[abs_msg] = the_fmt;
+
+		# remove sub-formats of this message
+		for ( fm3 in sub_format_set )
+			{
+			the_fmt$hit = the_fmt$hit + fmt_group[fm3]$hit;
+			delete fmt_group[fm3];
+			}
+		}
+
+	return T;
+	}
+
+function print_msg_format(the_log: file, ind: string, m: string, f: msg_format_info)
+	{
+	local lm = to_string_literal(m);
+	if ( lm != m )
+		print the_log, fmt("special_character_in_pattern: \"%s\"", lm);
+	local fm = fmt("%d %s", f$code, lm);
+	local pat_ind = fmt("%3d %3d", f$code, length(f$parts));
+
+	print the_log, fmt("reply_pattern: $%s$ \"%s\",  # \"%s\"",
+		ind, fm, f$msg);
+
+	if ( pat_ind in msg_pattern_groups && fm in msg_pattern_groups[pat_ind] )
+		print the_log, fmt("ERROR: pattern_already_exists: \"%s\"", fm);
+	}
+
+event bro_done()
+	{
+	for ( ind in msg_format_groups )
+		{
+		local fmt_group = msg_format_groups[ind];
+		for ( m2 in fmt_group )
+			print_msg_format(ftp_anon_log, ind, m2, fmt_group[m2]);
+		}
+	}
+
+
+# PART II. Read and parse patterns
+
+type msg_pattern_result: record {
+	valid: bool,
+	msg_pat: msg_pattern_info,
+};
+
+
+# Parse message pattern string <fm> -- put the separators in <sep> and
+# tokens in <tok>.
+
+function parse_msg_format(fm: string): msg_pattern_result
+	{
+	local msg_pat: msg_pattern_info;
+	local ret = [$valid = F, $msg_pat = msg_pat];
+
+	# Separate the reply code from the rest of the pattern string
+	local code_fmt = split1(fm, / /);
+	local sep: string_array;
+	local tok: string_array;
+
+	msg_pat$code = to_count(code_fmt[1]);
+	msg_pat$str = fm;
+	# print ftp_anon_log, fmt("msg_format: %d \"%s\"", msg_pat$code, msg_pat$str);
+	msg_pat$sep = sep;
+	msg_pat$tok = tok;
+	msg_pat$hit = 0;
+
+	# Split the pattern string with the pattern field separator
+	local parts = split_all(code_fmt[2], ftp_pattern_field_separator);
+	local num_parts = length(parts);
+	msg_pat$parts = parts;
+	msg_pat$num_parts = num_parts;
+
+	for ( i in parts )
+		{
+		local s = parts[i];
+		local j: count;
+		if ( i % 2 == 0 )
+			{
+			j = int_to_count(i / 2);
+			sep[j] = s;
+			}
+		else if ( i > 1 && i < num_parts )
+			{
+			j = int_to_count((i - 1) / 2);
+			tok[j] = s;
+			}
+		else
+			; # do nothing
+		}
+
+	ret$valid = T;
+	return ret;
+	}
+
+
+# Parse the pattern string and insert the pattern into
+# msg_pattern_groups.
+
+function process_predefined_msg_format(f: string): bool
+	{
+	local r: msg_pattern_result;
+	r = parse_msg_format(f);
+	if ( ! r$valid )
+		return F;
+	local msg_pat = r$msg_pat;
+
+	local pat_ind = fmt("%3d %3d", msg_pat$code, msg_pat$num_parts);
+
+	local pat_group: msg_pattern_group;
+	if ( pat_ind !in msg_pattern_groups )
+		msg_pattern_groups[pat_ind] = pat_group;
+	else
+		pat_group = msg_pattern_groups[pat_ind];
+
+	if ( msg_pat$str in pat_group )
+		return F;	# there should not be duplicates
+	pat_group[msg_pat$str] = msg_pat;
+
+	return T;
+	}
+
+const ftp_msg_format_white_list: set[string] = {} &redef;
+
+event bro_init()
+	{
+	for ( f in ftp_msg_format_white_list )
+		process_predefined_msg_format(f);
+	}
+
+
+# PART III. Merge message patterns
+
+# moved to ftp-merge-pattern.bro
+
+# PART IV. Message pattern matching
+
+# Note that $parts is not redundant with $pat, because each field in
+# $pat may contain multiple patterns, as in
+#
+# "211 @@BOL@@ |connected| |to| |~ domain, ~ ip| @@EOL@@"
+#
+# $parts tells whether "~ domain" or "~ ip" is matched.
+
+type msg_pattern_match_result: record {
+	valid: bool;
+	pat: msg_pattern_info;	# the pattern matched
+	parts: string_array;	# the matched pattern of each part
+};
+
+
+# Return -1 if t1 is more specific than t2, 1 if vice versa, and 0 if
+# t1 equals to t2 or if t1 and t2 are incomparable.
+
+function cmp_pattern_part(t1: string, t2: string): int
+	{
+	if ( t1 == t2 ) return 0;
+
+	local ret: int = 0;
+
+	if ( t1 != /~ .*/ || t2 != /~ .*/ )
+		{
+		if ( t2	== /~ .*/ ) ret = -1; 	# t1 < t2
+		if ( t1 == /~ .*/ ) ret = 1; 	# t2 < t1
+		}
+	else if ( t1 == /~ (arg|cmd)/ || t2 == /~ (arg|cmd)/ )
+		{
+		if ( t2 != /~ (arg|cmd)/ ) ret = -1;	# t1 < t2
+		if ( t1 != /~ (arg|cmd)/ ) ret = 1; 	# t2 < t1
+		}
+	else if ( t1 == "~ ip" && t2 == "~ domain" )
+		ret = -1;
+	else if ( t1 == "~ domain" && t2 == "~ ip" )
+		ret =  1;
+	else if ( t1 == "~ *" || t2 == "~ *" )
+		{
+		if ( t1 != "~ *" ) ret = -1;
+		if ( t2 != "~ *" ) ret = 1;
+		}
+
+	# print ftp_anon_log,
+	#	fmt("compare pattern part: \"%s\" vs. \"%s\" = %d", t1, t2, ret);
+
+	if ( ret == 0 )
+		print ftp_anon_log,
+			fmt("ERROR: cannot compare pattern part: \"%s\" vs. \"%s\"", t1, t2);
+	return ret;
+	}
+
+
+# Which pattern is more specific, returns -1 if m1 < m2, ...
+
+function cmp_msg_pattern_match(m1: msg_pattern_match_result, m2: msg_pattern_match_result): int
+	{
+	local b1 = F;	# whether part of m1 is more specific
+	local b2 = F;	# whether part of m2 is more specific
+
+	for ( i in m1$parts )
+		{
+		local c = cmp_pattern_part(m1$parts[i], m2$parts[i]);
+		if ( c < 0 ) b1 = T;
+		if ( c > 0 ) b2 = T;
+		}
+	if ( b1 && ! b2 ) return -1;
+	if ( ! b1 && b2 ) return 1;
+
+	print ftp_anon_log,
+		fmt("ERROR: cannot compare pattern match: \"%s\" vs. \"%s\"", m1$pat$str, m2$pat$str);
+	return 0;
+	}
+
+
+# Whether data matches pat. Parameter aux_pat contains a set of (data,
+# pat) pairs in addition to the predefined patterns and usually
+# contains pairs such as "~ cmd : USER", "~ arg : anonymous".
+
+function do_match_pattern_part(pat: string, data: string, aux_pat: set[string]): bool
+	{
+	if ( pat == /~ .+[-+]/ ) 	# with a flag
+		pat = cut_tail(pat, 1); # ignore the flag
+
+	if ( string_cat(pat, " : ", data) in aux_pat )
+		return T;
+	else if ( pat != /~ .*/ ) # not an abstract pattern
+		{
+		return ( to_lower(data) == pat );
+		}
+	else if ( pat == "~ *" )
+		return T; 	# always match
+	else if ( pat == "~ path" )
+		{
+		return ( data == ftp_file_name_pat ||
+		         /\// in data || /\\ / in data );
+		}
+	else if ( pat == "~ domain" )
+		{
+		return ( data == /([\-0-9a-zA-Z]+\.)*[\-0-9a-zA-Z]+/ );
+		}
+	else if ( pat == "~ version" )
+		{
+		return ( data == /[A-Za-z0-9\-\.\_]+/ );
+		}
+	else if ( pat in ftp_msg_part_patterns )
+		{
+		return ( data == ftp_msg_part_patterns[pat] );
+		}
+	else
+		return F;
+	}
+
+
+# Return the most promising part of <pat> that matches <data>, where
+# <pat> = "<pat_1>, [<pat_2>, ...]".
+
+function match_pattern_part(pat: string, data: string, aux_pat: set[string]): string
+	{
+	# print ftp_anon_log, fmt("part_match: \"%s\" ~? \"%s\"", data, pat);
+
+	local best = "~ none";
+	local pp = split(pat, /, /);
+	for ( i in pp )
+		{
+		local p = pp[i];
+		if ( do_match_pattern_part(p, data, aux_pat) )
+			{
+			if ( best == "~ none" || cmp_pattern_part(best, p) > 0 )
+				best = p;
+			}
+		}
+
+	# if ( best != "~ none" )
+	#	print ftp_anon_log, fmt("part_match: \"%s\" ~ \"%s\"", data, best);
+
+	return best;
+	}
+
+
+# Return T if the message (act_msg) matches the pattern; otherwise
+# return F.
+
+function do_msg_pattern_match(act_msg: string, msg_parts: string_array,
+		msg_pat: msg_pattern_info, aux_pat: set[string]): msg_pattern_match_result
+	{
+	local ret: msg_pattern_match_result;
+	ret$valid = F;
+
+	local num_parts = length(msg_parts);
+	local pat = msg_pat$tok;
+
+	local data: string_array;
+	for ( i2 in msg_parts )
+		if ( i2 % 2 == 1 && i2 > 1 && i2 < num_parts )
+			data[int_to_count((i2-1)/2)] = msg_parts[i2];
+
+	if ( length(pat) != length(data) )
+		return ret;
+
+	local matched: string_array;
+
+	for ( i in pat )
+		{
+		local m = match_pattern_part(pat[i], data[i], aux_pat);
+		if ( m == "~ none" )
+			return ret;
+		matched[i] = m;
+		}
+
+	ret$valid = T;
+	ret$parts = matched;
+	ret$pat = msg_pat;
+	return ret;
+	}
+
+
+# Anonymize a data field according to its pattern type.
+
+function anonymize_msg_part(data: string, pat: string,
+		cmd_arg: ftp_cmd_arg, session: ftp_session_info): string
+	{
+	if ( pat == /~ .+[-+]/ )
+		{
+		local pat_len = byte_len(pat);
+		local annotation = sub_bytes(pat, pat_len, 1); # the last character
+		if ( annotation == "+" ) 	# to expose the data
+			return data;
+		else if ( annotation == "-" )	# to hide the data
+			return "<->";
+		pat = cut_tail(pat, 1);		# otherwise ignore the annotation
+		}
+
+	if ( pat == "~ cmd" )
+		return cmd_arg$anonymized_cmd;
+	else if ( pat == "~ arg" )
+		return cmd_arg$anonymized_arg;
+	else if ( pat == "~ num" )
+		return "<num>";			# hide the number by default
+	else if ( pat == "~ port" )
+		return anonymize_port_arg(session, "<port in reply>", data);
+	else if ( pat == "~ ip" )
+		{
+		local a = parse_dotted_addr(data);
+		return cat(anonymize_address(a, session$connection_id));
+		}
+	else if ( pat == "~ domain" )
+		return "<domain>";
+	else if ( pat == "~ file_mode" )
+		return "<file mode>";
+	else if ( pat == "~ time" || pat == "~ day" || pat == "~ month" )
+		return data;
+	else if ( pat == "~ email" )
+		return "<email>";
+	else if ( pat == "~ url" )
+		return "<url>";
+	else if ( pat == "~ ip,port" || pat == "~ ip:port" )
+		{
+		local b = split_all(data, /[:,]/);
+		b[1] = cat(anonymize_address(parse_dotted_addr(b[1]), session$connection_id));
+		return cat_string_array(b);
+		}
+	else if ( pat == "~ path" || pat == "~ dir" )
+		return anonymize_file_name_arg(session, "<ftp reply>", data,
+			(session$reply_code >= 100 && session$reply_code < 300));
+	else if ( pat == "~ version" )
+		return data; 	# keep version of the server
+	else if ( pat == "~ *" )
+		return "<*>";
+	else
+		{
+		return "<!>";
+		print ftp_anon_log, fmt("ERROR: do not know how to anonymize pattern: %s", pat);
+		}
+	}
+
+
+# Compute a unique id that does not appear in <context>.
+
+function get_unique_subst_id(context: string, seed: string): string
+	{
+	local id = string_cat("X", md5_hmac(seed), "X");
+	if ( strstr(context, id) > 0 )
+		return get_unique_subst_id(context, string_cat(seed, "."));
+	return id;
+	}
+
+
+# Substitute all occurances of <part> in <msg1> with a unique id, if
+# the occurrance of <part> is followed by <suffix> (context-sensitive
+# substitution), and add to <subst_map> the mapping <subst_id> ->
+# <part>. It returns the message after substitution.
+
+function subst_part(msg1: string, part: string, suffix: string, subst_map: table[string] of string): string
+	{
+	local ps = string_cat(part, suffix);
+	if ( strstr(msg1, ps) <= 0 ) return msg1;
+	local subst_id = get_unique_subst_id(msg1, part);
+	subst_map[subst_id] = part;
+	return subst_string(msg1, ps, string_cat(subst_id, suffix));
+	}
+
+
+# Expand argument variants (see comments of ftp_arg_variants).
+
+function expand_ftp_arg_variants(session: ftp_session_info, cmd_arg: ftp_cmd_arg): ftp_arg_variants
+	{
+	local var: ftp_arg_variants;
+
+	var$arg = cmd_arg$arg;
+	var$path = "~ none";
+	var$norm_path = "~ none";
+	var$abs_path = "~ none";
+	var$base_path = "~ none";
+
+	if ( cmd_arg$cmd in ftp_cmds_with_file_arg )
+		{
+		local opt_fn = separate_option_str(cmd_arg$arg);
+		var$path = opt_fn$file_name;
+
+		# eliminate duplicate slashes
+		local norm_path = subst(var$path, /\/+|\\+/, "/");
+		# eliminate '/./' (as '/')
+		norm_path = subst(norm_path, /\/(\.\/)+/, "/");
+		if ( norm_path == /.*\/\./ ) # end with '/.'
+			norm_path = cut_tail(norm_path, 1);
+
+		# compress ..
+		norm_path = compress_path(norm_path);
+
+		if ( var$path == ftp_dos_path_pat )
+			{
+			norm_path = subst(norm_path, /\//, "\\");
+			# cut the last '\' off if it is not "C:\"
+			if ( norm_path == /.*\\/ && norm_path != /[[:alpha:]]:\\/ )
+				norm_path = cut_tail(norm_path, 1);
+			}
+		else
+			{
+			if ( norm_path == /.*\// && norm_path != /\//)	# if it is not '/'
+				norm_path = cut_tail(norm_path, 1);
+			}
+
+		var$norm_path = norm_path;
+
+		var$abs_path = absolute_path(session, norm_path);
+
+		var$base_path = subst(norm_path, /.*(\/+|\\+)/, "");
+		# But ignore base path names that only contain whitespace and/or punctuations
+		# if ( var$base_path == ftp_msg_field_separator )
+		if ( var$base_path == "" )
+			var$base_path = "~ none";
+
+		# print ftp_anon_log, fmt("path=\"%s\", norm_path=\"%s\", abs_path = \"%s\", base_path=\"%s\"",
+		# 			var$path, var$norm_path, var$abs_path, var$base_path);
+		}
+
+	return var;
+	}
+
+
+function strstr_clean(big: string, little: string, clean_match: bool): count
+	{
+	local i = strstr(big, little);
+
+	if ( i == 0 ) return i;
+
+	if ( clean_match )
+		{
+		local prefix = sub_bytes(big, 1, i - 1);
+		local suffix = sub_bytes(big, i + byte_len(little), -1);
+
+		# print ftp_anon_log, fmt("prefix = \"%s\", suffix = \"%s\"", prefix, suffix);
+		# if little is not surrounded by blanks or punctuations
+		if ( prefix != /|.*[[:blank:][:punct:]]/ ||
+		     suffix != /|[[:blank:][:punct:]].*/ )
+			return 0;
+		}
+
+	return i;
+	}
+
+
+# Search s for an argument variant. Note that variants are searched in
+# the order of priorities -- the more specific the varient is, the
+# higher priority it gets.
+
+type arg_in_msg: record {
+	arg: string;
+	arg_ind: count;
+	arg_len: count;
+	prefix: string;
+	suffix: string;
+};
+
+function check_arg_variant(s: string, arg: string, v: arg_in_msg, clean_match: bool): bool
+	{
+	if ( arg == "" || arg == "~ none" )
+		return F;
+
+	local i =  strstr_clean(s, arg, clean_match);
+	if ( i <= 0 ) return F;
+
+	local len = byte_len(arg);
+	if ( len <= v$arg_len ) return F;
+
+	v$arg = arg;
+	v$arg_ind = i;
+	v$arg_len = len;
+	v$prefix = sub_bytes(s, 1, i - 1);
+	v$suffix = sub_bytes(s, i + len, -1);
+	return T;
+	}
+
+function expand_path_arg(v: arg_in_msg): bool
+	{
+	if ( v$prefix != /.*\// ) return F;
+
+	local parts = split_all(v$prefix, /([^[:blank:][:punct:]]*\/)+/);
+	local num_parts = length(parts);
+	if ( parts[num_parts] != "" ) return F;
+	local last_part = int_to_count(num_parts - 1);
+	local s = parts[last_part];
+	local s_len = byte_len(s);
+
+	print ftp_anon_log, fmt("expand_path_arg: \"%s\" + \"%s\"", s, v$arg);
+	v$arg_len = v$arg_len + s_len;
+	v$arg_ind = int_to_count(v$arg_ind - s_len);
+	v$arg = string_cat(s, v$arg);
+
+	parts[last_part] = "";
+	v$prefix = cat_string_array(parts);
+	return T;
+	}
+
+function search_arg_variant(s: string, var: ftp_arg_variants, clean_match: bool): string
+	{
+	local v = [$arg = "", $arg_ind = 0, $arg_len = 0, $prefix = "", $suffix = ""];
+
+	check_arg_variant(s, var$arg, v, clean_match);
+	check_arg_variant(s, var$path, v, clean_match);
+	check_arg_variant(s, var$norm_path, v, clean_match);
+	check_arg_variant(s, var$abs_path, v, clean_match);
+	check_arg_variant(s, var$base_path, v, clean_match);
+
+	if ( var$path != "~ none" )
+		expand_path_arg(v);
+
+	return ( v$arg != "" ) ? v$arg : "~ none";
+	}
+
+
+# Substitute <arg> with a unique id in <msg>, store the mapping from
+# the id to <arg> in <subst_map>, and update <other_pat> and <aux_pat>
+# about the argument.
+#
+# It returns the message after substituion.
+
+function process_arg_in_reply(arg_var: ftp_arg_variants, msg: string,
+		other_pat: table[string] of string, aux_pat: set[string],
+		subst_map: table[string] of string): string
+	{
+	add aux_pat[string_cat("~ arg", " : ", arg_var$arg)];
+	add aux_pat[string_cat("~ arg", " : ", arg_var$path)];
+	add aux_pat[string_cat("~ arg", " : ", arg_var$abs_path)];
+	add aux_pat[string_cat("~ arg", " : ", arg_var$norm_path)];
+	add aux_pat[string_cat("~ arg", " : ", arg_var$base_path)];
+
+	local arg = search_arg_variant(msg, arg_var, T);
+	if ( arg != "~ none" )
+		{
+		print ftp_anon_log, fmt("arg_variant_found: \"%s\" in \"%s\"", arg, msg);
+
+		if ( arg != "" )
+			{
+			other_pat[arg] = "~ arg";
+			if ( ftp_msg_field_separator in arg && arg != ftp_msg_field_separator )
+				msg = subst_part(msg, arg, "", subst_map);
+			}
+		}
+
+	return msg;
+	}
+
+
+# Record the message being stripped out
+
+function strip_out_message(session: ftp_session_info, code: count, msg: string): string
+	{
+	local ind = fmt("%d %s", code, msg);
+	if ( ind !in msg_stripped_out )
+		{
+		print ftp_anon_log,
+			fmt("message_stripped_out: %s", msg);
+		add msg_stripped_out[ind];
+		}
+	return "<message stripped out>";
+	}
+
+
+type msg_component: record {
+	msg: pattern;
+	part: pattern;
+	context: pattern;
+};
+
+global msg_components_not_to_split: table[string] of msg_component;
+
+event bro_init()
+{
+	# quoted string
+	msg_components_not_to_split["quoted"] =
+		[$msg = /.*/,
+		 $part = /([^"]|\"\")*/,
+		 $context = /@@BOL@@ *\"([^"]|\"\")*\"/];
+
+	# port numbers in reply to PASV
+	msg_components_not_to_split["port"] =
+		[$msg = /227 .*/,
+		 $part = /[0-9]+([[:blank:]]*,[[:blank:]]*[0-9]+){5}/,
+		 $context = /\([0-9]+([[:blank:]]*,[[:blank:]]*[0-9]+){5}\)/];
+
+	# dotted IP address
+	msg_components_not_to_split["ip"] =
+		[$msg = /.*/,	# any reply code
+		 $part = /[0-9]{1,3}(\.[0-9]{1,3}){3}/,
+		 $context = /[[:space:]\(\[][0-9]{1,3}(\.[0-9]{1,3}){3}[[:space:][:punct:]]/];
+
+	# email
+	msg_components_not_to_split["email"] =
+		[$msg = /.*/,	# any reply code
+		 $part = /[[:alnum:]\-\._]+@([\-0-9a-zA-Z]+\.)*[\-0-9a-zA-Z]+/,
+		 $context = /[[:space:]\(\[<][[:alnum:]\-\.\_]+@([\-[:alnum:]]+\.)*[\-[:alnum:]]+[[:space:][:punct:]]/];
+
+	# URL
+	msg_components_not_to_split["url"] =
+		[$msg = /.*/,	# any reply code
+		 $part = /(http|ftp):\/\/[[:alnum:][:punct:]]+/,
+		 $context = /(http|ftp):\/\/[[:alnum:][:punct:]]+/];
+
+	# domain name
+	msg_components_not_to_split["domain-version-filename"] =
+		[$msg = /.*/,	# any reply code
+		 $part = /([[:alnum:]]+[\-\.\_])+[[:alnum:]]+/,
+		 $context = /[^\@\.\-\_[:alnum:]]([[:alnum:]]+[\-\.\_])+[[:alnum:]]+[[:space:][:punct:]]/];	# not proceeded by '@' (as in email)
+
+	# UNIX file mode string
+	msg_components_not_to_split["file_mode"] =
+		[$msg = /(211|213) .*/,
+		 $part = /[ld\-]([r-][w-][xs-]){3}/,
+		 $context = /@@BOL@@ [[:blank:]]*[ld\-]([r\-][w\-][xs\-]){3}/];
+
+	# file name in `ls -l`
+	msg_components_not_to_split["ls_l_file_name"] =
+		[$msg = /(211|213) @@BOL@@ [[:blank:]]*[ld\-]([r\-][w\-][xs\-]){3} .*/,
+		 $part = /[^[:blank:]]+/,
+		 $context = /[[:blank:]][^[:blank:]]+ @@EOL@@/];
+
+	# symbolic links in `ls -l`
+	msg_components_not_to_split["ls_l_symbolic_link"] =
+		[$msg = /(211|213) @@BOL@@ [[:blank:]]*[ld\-]([r-][w-][xs-]){3} .*/,
+		 $part = /[^[:blank:]]+/,
+		 $context = /[[:blank:]][^[:blank:]]+ -> /];
+
+	# time
+	msg_components_not_to_split["time"] =
+		[$msg = /.*/,	# any reply code
+		 $part = /[0-9]{2}:[0-9]{2}(:[0-9]{2})?(am|pm)?/,
+		 $context = /[[:space:]\(\[][0-9]{2}:[0-9]{2}(:[0-9]{2})?(am|pm)?[[:space:][:punct:]]/];
+}
+
+function subst_in_context(msg: string, orig_msg: string, c: msg_component, subst_map: table[string] of string): string
+	{
+	# print ftp_anon_log, fmt("msg = \"%s\", context = %s", msg, c$context);
+
+	if ( orig_msg != c$msg || c$context !in msg )
+		return msg;
+
+	local parts = split_all(msg, c$context);
+	local msg0 = msg;
+
+	for ( i in parts )
+		{
+		# print ftp_anon_log, fmt("part[%d] = \"%s\"", i, parts[i]);
+		if ( i % 2 == 0 )
+			{
+			local s = parts[i];
+			local t = split_all(s, c$part);
+
+			if ( length(t) > 1 && /X[[:alnum:]]{32}X/ !in t[2] )
+				{
+				# print ftp_anon_log, fmt("\"%s\" -> \"%s\" + \"%s\" + \"%s\"",
+				#	to_string_literal(parts[i]), t[1], t[2], t[3]);
+				# print ftp_anon_log, fmt("subst_in_context: \"%s\" [%s].[%s]",
+				#	to_string_literal(s), c$part, c$context);
+
+				local id = get_unique_subst_id(msg0, msg0);
+				msg0 = string_cat(msg0, id);
+				subst_map[id] =	t[2];
+				t[2] = id;
+				parts[i] = cat_string_array(t);
+				# print ftp_anon_log, fmt("subst_in_context: \"%s\"->\"%s\" in \"%s\"",
+				#	subst_map[id], id, to_string_literal(parts[i]));
+				}
+			}
+		}
+
+	return cat_string_array(parts);
+	}
+
+
+# The main function for FTP reply anonymization.  cmd_arg is the
+# corresponding FTP request.
+
+function anonymize_ftp_reply_by_msg_pattern(code: count, act_msg: string,
+			cmd_arg: ftp_cmd_arg, session: ftp_session_info): string
+	{
+	local cmd = cmd_arg$cmd;
+	local arg = cmd_arg$arg;
+	local arg_var = expand_ftp_arg_variants(session, cmd_arg);
+
+	# First check if trace-specific anonymization applies to the message
+	if ( trace_specific_reply_anonymization )
+		{
+		local ret = anonymize_trace_specific_reply(session, code, act_msg, cmd_arg, arg_var);
+		if ( ret$anonymized )
+			{
+			print ftp_anon_log, fmt("trace_specific_reply: %d \"%s\" ->\"%s\"",
+				code, to_string_literal(act_msg), to_string_literal(ret$msg));
+			return ret$msg;
+			}
+		}
+
+	# Extract any prefix of form "<reply code>-"
+	local prefix = "";
+	local msg0 = act_msg;
+
+	if ( code > 0 )
+		{
+		prefix = fmt("%d-", code);
+		if ( strstr(msg0, prefix) == 1 ) # msg0 starts with prefix like '220-'
+			msg0 = sub_bytes(msg0, byte_len(prefix) + 1, -1);
+		else
+			prefix = "";
+		}
+
+
+	# Below we will split the message into fields. However, before
+	# the split we will first substitute certain substrings of the
+	# message with unique ID's and switch the ID's back to the
+	# corresponding strings after the split.
+
+	# This is necessary to keep some part of the message from
+	# being splitted, for instance, we'd like to split the
+	# message:
+	#
+	# "'CWD /My Document/music/' command successful."
+	#
+	# with "/My Document/music/" as a single field instead two
+	# fields: "/My" and "Document/music/".
+
+	# Mark the two ends of the message
+	msg0 = string_cat("@@BOL@@ ", msg0, " @@EOL@@");
+
+	# For pattern extraction -- used by extract_ftp_reply_pattern
+	local other_pat: table[string] of string;
+
+	# For pattern matching -- used by match_pattern_part
+	local aux_pat: set[string];
+
+	local subst_map: table[string] of string;
+
+	local orig_msg = fmt("%d %s", code, msg0);
+	local msg1 = msg0;
+
+	msg1 = subst_in_context(msg1, orig_msg, msg_components_not_to_split["file_mode"], subst_map);
+	msg1 = subst_in_context(msg1, orig_msg, msg_components_not_to_split["ls_l_file_name"], subst_map);
+	msg1 = subst_in_context(msg1, orig_msg, msg_components_not_to_split["ls_l_symbolic_link"], subst_map);
+
+	# Process command in the reply message
+	if ( cmd != "<missing>" )
+		{
+		other_pat[cmd] = "~ cmd";
+		add aux_pat[string_cat("~ cmd", " : ", cmd)];
+		add aux_pat[string_cat("~ cmd", " : ", to_lower(cmd))];
+		if ( ftp_msg_field_separator in cmd )
+			msg1 = subst_part(msg1, cmd, "", subst_map);
+		}
+
+	# Process arguments in reply. Note that the order is
+	# critical: the argument variants are processed starting from
+	# the most specific one.
+	msg1 = process_arg_in_reply(arg_var, msg1, other_pat, aux_pat, subst_map);
+
+	# Process directory in the reply
+	local dir = "~ none";	# any directory contained in the reply
+	if ( code == 257 || [cmd, code] in ftp_dir_operation )
+		{
+		dir = extract_dir_from_reply(session, msg1, dir);
+		if ( dir != "~ none" )
+			{
+			other_pat[dir] = "~ dir";
+			add aux_pat[string_cat("~ dir", " : ", dir)];
+			if ( ftp_msg_field_separator in dir )
+				msg1 = subst_part(msg1, dir, "", subst_map);
+			}
+		}
+
+	# msg1 = subst_in_context(msg1, orig_msg, msg_components_not_to_split["quoted"], subst_map);
+	msg1 = subst_in_context(msg1, orig_msg, msg_components_not_to_split["port"], subst_map);
+	msg1 = subst_in_context(msg1, orig_msg, msg_components_not_to_split["email"], subst_map);
+	msg1 = subst_in_context(msg1, orig_msg, msg_components_not_to_split["url"], subst_map);
+	msg1 = subst_in_context(msg1, orig_msg, msg_components_not_to_split["ip"], subst_map);
+	msg1 = subst_in_context(msg1, orig_msg, msg_components_not_to_split["domain-version-filename"], subst_map);
+	msg1 = subst_in_context(msg1, orig_msg, msg_components_not_to_split["time"], subst_map);
+
+	# Summarize all the substitution for debugging and verification
+	local subst_str = "";
+	if ( length(subst_map) > 0 )
+		{
+		for ( xx in subst_map )
+			{
+			if ( subst_str != "" )
+				subst_str = string_cat(subst_str, ", ");
+			subst_str = string_cat(subst_str, fmt("(\"%s\"->\"%s\")", to_string_literal(subst_map[xx]), xx));
+			}
+		print ftp_anon_log, fmt("substitute: \"%d %s\" with {%s}",
+			code, act_msg, subst_str);
+		}
+
+	# Split the message to parts
+	local msg_parts = split_all(msg1, ftp_msg_field_separator);
+	local num_parts = length(msg_parts);
+
+	# According to subst_map, change substitution ID's back to the
+	# corresponding parts. Note that here we only look at whole
+	# fields to look for substitution ID's.
+	for ( i in msg_parts )
+		{
+		local this_part = msg_parts[i];
+		if ( this_part in subst_map )
+			{
+			msg_parts[i] = subst_map[this_part];
+			# print ftp_anon_log, fmt("substitute_part: \"%s\"", to_string_literal(msg_parts[i]));
+			}
+		}
+
+	# Sanity check for string substitution
+	local msg2 = cat_string_array(msg_parts);
+	# msg2 != msg0 suggests that there is an improper substitution
+	if ( msg2 != msg0 )
+		{
+		print ftp_anon_log, fmt("ERROR: substitution: \"%s\" -> \"%s\" with {%s} in [%s]",
+			to_string_literal(msg0), to_string_literal(msg2),
+			subst_str, id_string(session$connection_id));
+		return strip_out_message(session, code, act_msg);
+		}
+
+	# So far the message is successfully splitted. Now we will try
+	# to find a matching pattern.
+
+	# Look it up in message patterns.
+	local ind = fmt("%3d %3d", code, num_parts);
+
+	if ( ind !in msg_pattern_groups )
+		{
+		print ftp_anon_log, fmt("pattern_not_found: \"%d %s\" in [%s]",
+			code, act_msg, id_string(session$connection_id));
+		extract_ftp_reply_pattern(code, act_msg, msg_parts, other_pat, session);
+		return strip_out_message(session, code, act_msg);
+		}
+
+	local pat_group = msg_pattern_groups[ind];
+
+	# There can be more than one matches ... record all of them
+	# and pick the most promising one.
+	local matches: table[string] of msg_pattern_match_result;
+	local the_pat: msg_pattern_match_result;	# the best match
+	the_pat$valid = F;
+
+	for ( pat_str in pat_group )
+		{
+		local msg_pat = pat_group[pat_str];
+		local tok: string_array;
+		local r = do_msg_pattern_match(act_msg, msg_parts, msg_pat, aux_pat);
+		if ( r$valid )
+			{
+			if ( length(matches) == 0 || cmp_msg_pattern_match(r, the_pat) < 0 )
+				the_pat = r;
+			matches[pat_str] = r;
+			}
+		}
+
+	if ( length(matches) == 0 )
+		{
+		print ftp_anon_log, fmt("pattern_not_found: \"%d %s\" in [%s]",
+			code, act_msg, id_string(session$connection_id));
+
+		extract_ftp_reply_pattern(code, act_msg, msg_parts, other_pat, session);
+
+		return strip_out_message(session, code, act_msg);
+		}
+
+	if ( length(matches) > 1 )
+		print ftp_anon_log, fmt("multiple_patterns: \"%d %s\"", code, act_msg);
+
+	print ftp_anon_log, fmt("message_matched: (%d) \"%d %s\" ~ \"%s\"",
+					length(matches), code, act_msg, the_pat$pat$str);
+
+	++the_pat$pat$hit;
+
+	# Now we anonymize the message according to the_pat. During
+	# the process we log two kinds of anonymization for manual
+	# inspection:
+	# 1) when a field matches the wild card pattern ('~ *'): this
+	# will help us find information that is over-conservatively
+	# anonymized;
+	# 2) when a field matches a pattern with a 'to expose' flag (a
+	# '+' at the end): this will help us to verify that the
+	# exposed data is privacy-safe.
+
+	local anon_parts: string_array;
+	local match_wildcard = "";
+	local match_exposure = "";
+
+	for ( i in msg_parts )
+		{
+		local data = msg_parts[i];
+		if ( i <= 2 || i >= num_parts - 1 )
+			anon_parts[i] = subst(data, /@@BOL@@ | @@EOL@@/, "");
+		else if ( i % 2 == 0 )
+			anon_parts[i] = data;
+		else
+			{
+			local p = the_pat$parts[int_to_count((i-1)/2)];
+			anon_parts[i] = ( p != /~ .*/ ) ? data :
+						anonymize_msg_part(data, p,
+							cmd_arg, session);
+
+			if ( p == /~ .+[+]/ )
+				{
+				if ( match_exposure != "" ) match_exposure = string_cat(match_exposure, "; ");
+				match_exposure = string_cat(match_exposure, data);
+				}
+
+			if ( p == "~ *" )
+				{
+				if ( match_wildcard != "" ) match_wildcard = string_cat(match_wildcard, "; ");
+				match_wildcard = string_cat(match_wildcard, data);
+				}
+			}
+		}
+
+	if ( match_wildcard != "" && [match_wildcard, the_pat$pat$str] !in all_wildcard_matches )
+		{
+		add all_wildcard_matches[match_wildcard, the_pat$pat$str];
+		print ftp_anon_log, fmt("wildcard_match: in pattern: \"%s\" data: [%s] in [%s]",
+			the_pat$pat$str,
+			match_wildcard,
+			id_string(session$connection_id));
+		}
+
+	if ( match_exposure != "" )
+		{
+		print ftp_anon_log, fmt("data_exposure: in pattern: \"%s\" data: [%s] in [%s]",
+			the_pat$pat$str,
+			match_exposure,
+			id_string(session$connection_id));
+		}
+
+	local result = cat_string_array(anon_parts);
+
+	# Stick the prefix back to the message.
+	if ( prefix != "" )
+		result = string_cat(prefix, result);
+
+	return result;
+	}
diff --git a/policy/ftp-safe-words.bro b/policy/ftp-safe-words.bro
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/policy/ftp.bro b/policy/ftp.bro
new file mode 100644
index 0000000000..4fc86df2c4
--- /dev/null
+++ b/policy/ftp.bro
@@ -0,0 +1,868 @@
+# $Id: ftp.bro 6726 2009-06-07 22:09:55Z vern $
+
+@load notice
+@load conn
+@load scan
+@load hot-ids
+@load terminate-connection
+
+@load ftp-cmd-arg
+
+module FTP;
+
+export {
+	# Indexed by source & destination addresses and the id.
+	const skip_hot: set[addr, addr, string] &redef;
+
+   # see: http://packetstormsecurity.org/UNIX/penetration/rootkits/index4.html
+   # for current list of rootkits to include here
+
+	const hot_files =
+		  /.*(etc\/|master\.)?(passwd|shadow|s?pwd\.db)/
+		| /.*snoop\.(tar|tgz).*/
+		| /.*bnc\.(tar|tgz).*/
+		| /.*datapipe.*/
+		| /.*ADMw0rm.*/
+		| /.*newnick.*/
+		| /.*sniffit.*/
+		| /.*neet\.(tar|tgz).*/
+		| /.*\.\.\..*/
+		| /.*ftpscan.txt.*/
+		| /.*jcc.pdf.*/
+		| /.*\.[Ff]rom.*/
+		| /.*sshd\.(tar|tgz).*/
+		| /.*\/rk7.*/
+		| /.*rk7\..*/
+		| /.*[aA][dD][oO][rR][eE][bB][sS][dD].*/
+		| /.*[tT][aA][gG][gG][eE][dD].*/
+		| /.*shv4\.(tar|tgz).*/
+		| /.*lrk\.(tar|tgz).*/
+		| /.*lyceum\.(tar|tgz).*/
+		| /.*maxty\.(tar|tgz).*/
+		| /.*rootII\.(tar|tgz).*/
+		| /.*invader\.(tar|tgz).*/
+	&redef;
+
+	const hot_guest_files =
+		  /.*\.rhosts/
+		| /.*\.forward/
+		&redef;
+
+	const hot_cmds: table[string] of pattern = {
+		["SITE"] = /[Ee][Xx][Ee][Cc].*/,
+	} &redef;
+
+	const excessive_filename_len = 250 &redef;
+	const excessive_filename_trunc_len = 32 &redef;
+
+	const guest_ids = { "anonymous", "ftp", "guest", } &redef;
+
+	# Invalid PORT/PASV directives that exactly match the following
+	# don't generate notice's.
+	const ignore_invalid_PORT =
+		/,0,0/	# these are common, dunno why
+	&redef;
+
+	# Some servers generate particular privileged PASV ports for benign
+	# reasons (presumably to tunnel through firewalls, sigh).
+	const ignore_privileged_PASVs = { ssh, } &redef;
+
+	# Pairs of IP addresses for which we shouldn't bother logging if one
+	# of them is used in lieu of the other in a PORT or PASV directive.
+
+	const skip_unexpected: set[addr] = {
+		15.253.0.10, 15.253.48.10, 15.254.56.2,		# hp.com
+		gvaona1.cns.hp.com,
+	} &redef;
+
+	const skip_unexpected_net: set[addr] &redef;
+
+	const log_file = open_log_file("ftp") &redef;
+
+	redef enum Notice += {
+		FTP_UnexpectedConn,	# FTP data transfer from unexpected src
+		FTP_ExcessiveFilename,	# very long filename seen
+		FTP_PrivPort,		# privileged port used in PORT/PASV;
+					#   $sub says which
+		FTP_BadPort,		# bad format in PORT/PASV;
+					#   $sub says which
+		FTP_Sensitive,		# sensitive connection -
+					#   not more specific
+		FTP_SiteExecAttack,	# specific "site exec" attack seen
+	};
+
+	type ftp_session_info: record {
+		id: count;
+		connection_id: conn_id;
+		user: string;
+		anonymized_user: string;
+		anonymous_login: bool;
+
+		request: string;	# pending request or requests
+		num_requests: count;	# count of pending requests
+		request_t: time;	# time of request
+		log_if_not_denied: bool;	# log unless code 530 on reply
+		log_if_not_unavail: bool;	# log unless code 550 on reply
+		log_it: bool;		# if true, log the request(s)
+
+		reply_code: count;	# the most recent reply code
+		cwd: string;		# current working directory
+
+		pending_requests: ftp_pending_cmds;	# pending requests
+		delayed_request_rewrite: table[count] of ftp_cmd_arg;
+
+		expected: set[addr, port]; # data connections we expect
+	};
+
+	type ftp_expected_conn: record {
+		host: addr;
+		session: ftp_session_info;
+	};
+
+	global ftp_sessions: table[conn_id] of ftp_session_info &persistent;
+}
+
+
+redef capture_filters += { ["ftp"] = "port ftp" };
+
+# DPM configuration.
+global ftp_ports = { 21/tcp } &redef; 
+redef dpd_config += { [ANALYZER_FTP] = [$ports = ftp_ports] };
+
+function is_ftp_conn(c: connection): bool
+	{
+	return c$id$resp_p == ftp;
+	}
+
+type ftp_reply_code: record {
+	x: count;	# high-order (3rd digit)
+	y: count;	# middle (2nd) digit
+	z: count;	# bottom digit
+};
+
+global ftp_session_id = 0;
+
+# Indexed by the responder pair, yielding the address expected to connect to it.
+global ftp_data_expected: table[addr, port] of ftp_expected_conn &persistent &create_expire = 1 min;
+
+const ftp_init_dir: table[addr, string] of string = {
+	[131.243.1.10, "anonymous"] = "/",
+} &default = "<unknown>/";
+
+const ftp_file_cmds = {
+	"APPE", "CWD", "DELE", "MKD", "RETR", "RMD", "RNFR", "RNTO",
+	"STOR", "STOU",
+};
+
+const ftp_absolute_path_pat = /(\/|[A-Za-z]:[\\\/]).*/;
+
+const ftp_dir_operation = {
+	["CWD", 250],
+	["CDUP", 200],	# typo in RFC?
+	["CDUP", 250],	# as found in traces
+	["PWD", 257],
+	["XPWD", 257],
+};
+
+const ftp_skip_replies = {
+	150,	# "status okay - about to open connection"
+	331	# "user name okay, need password"
+};
+
+const ftp_replies: table[count] of string = {
+	[150] = "ok",
+	[200] = "ok",
+	[220] = "ready for new user",
+	[221] = "closed",
+	[226] = "complete",
+	[230] = "logged in",
+	[250] = "ok",
+	[257] = "done",
+	[331] = "id ok",
+	[500] = "syntax error",
+	[530] = "denied",
+	[550] = "unavail",
+};
+
+const ftp_other_replies = { ftp_replies };
+
+const ftp_all_cmds: set[string] = {
+	"<init>", "<missing>",
+	"USER", "PASS", "ACCT",
+	"CWD", "CDUP", "SMNT",
+	"REIN", "QUIT",
+	"PORT", "PASV", "MODE", "TYPE", "STRU",
+	"ALLO", "REST", "STOR", "STOU", "RETR", "LIST", "NLST", "APPE",
+	"RNFR", "RNTO", "DELE", "RMD", "MKD", "PWD", "ABOR",
+	"SYST", "STAT", "HELP",
+	"SITE", "NOOP",
+
+	# FTP extensions
+	"SIZE", "MDTM", "MLST", "MLSD",
+	"EPRT", "EPSV",
+};
+
+const ftp_tested_cmds: set[string] = {};
+const ftp_untested_cmds: set[string] = { ftp_all_cmds };
+
+global ftp_first_seen_cmds: set[string];
+global ftp_unlisted_cmds: set[string];
+
+# const ftp_state_diagram: table[string] of count = {
+#	["ABOR", "ALLO", "DELE", "CWD", "CDUP",
+#	 "SMNT", "HELP", "MODE", "NOOP", "PASV",
+#	 "QUIT", "SITE", "PORT", "SYST", "STAT",
+#	 "RMD", "MKD", "PWD", "STRU", "TYPE"] = 1,
+#	["APPE", "LIST", "NLST", "RETR", "STOR", "STOU"] = 2,
+#	["REIN"] = 3,
+#	["RNFR", "RNTO"] = 4,
+# };
+
+
+function parse_ftp_reply_code(code: count): ftp_reply_code
+	{
+	local a: ftp_reply_code;
+
+	a$z = code % 10;
+
+	code = code / 10;
+	a$y = code % 10;
+
+	code = code / 10;
+	a$x = code % 10;
+
+	return a;
+	}
+
+event ftp_unexpected_conn_violation(id: conn_id, orig: addr, expected: addr)
+	{
+	NOTICE([$note=FTP_UnexpectedConn, $id=id,
+		$msg=fmt("%s > %s FTP connection from %s",
+			id$orig_h, id$resp_h, orig)]);
+	}
+
+event ftp_unexpected_conn(id: conn_id, orig: addr, expected: addr)
+	{
+	if ( orig in skip_unexpected || expected in skip_unexpected ||
+	     mask_addr(orig, 24) in skip_unexpected_net ||
+	     mask_addr(expected, 24) in skip_unexpected_net )
+		; # don't bother reporting
+
+	else if ( mask_addr(orig, 24) == mask_addr(expected, 24) )
+		; # close enough, probably multi-homed
+
+	else if ( mask_addr(orig, 16) == mask_addr(expected, 16) )
+		; # ditto
+
+	else
+		event ftp_unexpected_conn_violation(id, orig, expected);
+	}
+
+event ftp_connection_expected(c: connection, orig_h: addr, resp_h: addr,
+				resp_p: port, session: ftp_session_info)
+	{
+	}
+
+event expected_connection_seen(c: connection, a: count)
+	{
+	local id = c$id;
+	if ( [id$resp_h, id$resp_p] in ftp_data_expected )
+		add c$service["ftp-data"];
+	}
+
+# Deficiency: will miss data connections if the commands/replies
+# are encrypted.
+function is_ftp_data_conn(c: connection): bool
+	{
+	local id = c$id;
+	if ( [id$resp_h, id$resp_p] in ftp_data_expected )
+		{
+		local expected = ftp_data_expected[id$resp_h, id$resp_p];
+		if ( id$orig_h != expected$host )
+			event ftp_unexpected_conn(expected$session$connection_id,
+				id$orig_h, expected$host);
+
+		return T;
+		}
+
+	else if ( id$orig_p == 20/tcp &&
+	          [$orig_h = id$resp_h, $orig_p = id$resp_p,
+		   $resp_h = id$orig_h, $resp_p = 21/tcp] in ftp_sessions )
+		return T;
+	else
+		return F;
+	}
+
+
+function new_ftp_session(c: connection, add_init: bool)
+	{
+	local session = c$id;
+	local new_id = ++ftp_session_id;
+
+	local info: ftp_session_info;
+	info$id = new_id;
+	info$connection_id = session;
+	info$user = "<unknown>";
+	info$anonymized_user = "<TBD!>";
+	info$anonymous_login = T;
+	info$request = "";
+	info$num_requests = 0;
+	info$request_t = c$start_time;
+	info$log_if_not_unavail = F;
+	info$log_if_not_denied = F;
+	info$log_it = F;
+	info$reply_code = 0;
+	info$cwd = "<before_login>/";
+	info$pending_requests = init_ftp_pending_cmds();
+
+	if ( add_init )
+		add_to_ftp_pending_cmds(info$pending_requests, "<init>", "");
+
+	ftp_sessions[session] = info;
+	append_addl(c, fmt("#%s", prefixed_id(new_id)));
+
+	print log_file, fmt("%.6f #%s %s start", c$start_time, prefixed_id(new_id),
+				id_string(session));
+	}
+
+function ftp_message(id: conn_id, msg: string)
+	{
+	print log_file, fmt("%.6f #%s %s",
+			network_time(), prefixed_id(ftp_sessions[id]$id), msg);
+	}
+
+event ftp_sensitive_file(c: connection, session: ftp_session_info,
+				filename: string)
+	{
+	session$log_if_not_unavail = T;
+	}
+
+event ftp_excessive_filename(session: ftp_session_info,
+				command: string, arg: string)
+	{
+	NOTICE([$note=FTP_ExcessiveFilename, $id=session$connection_id,
+		$user=session$user, $filename=arg,
+		$msg=fmt("%s #%s excessive filename: %s",
+				id_string(session$connection_id),
+				prefixed_id(session$id), arg)]);
+	session$log_it = T;
+	}
+
+global ftp_request_rewrite: function(c: connection, session: ftp_session_info,
+					cmd_arg: ftp_cmd_arg);
+global ftp_reply_rewrite: function(c: connection, session: ftp_session_info,
+					code: count, msg: string,
+					cont_resp: bool, cmd_arg: ftp_cmd_arg);
+
+# Returns true if the given string is at least 25% composed of 8-bit
+# characters.
+function is_string_binary(s: string): bool
+	{
+	return byte_len(gsub(s, /[\x00-\x7f]/, "")) * 100 / byte_len(s) >= 25;
+	}
+
+event ftp_request(c: connection, command: string, arg: string)
+	{
+	# Command may contain garbage, e.g. if we're parsing something
+	# which isn't ftp. Ignore this.
+	if ( is_string_binary(command) )
+		return;
+
+	local id = c$id;
+
+	if ( id !in ftp_sessions )
+		new_ftp_session(c, F);
+
+	local session = ftp_sessions[id];
+
+	# Keep the original command and arg.
+	local cmd_arg =
+		add_to_ftp_pending_cmds(session$pending_requests, command, arg);
+
+	if ( command == "USER" )
+		{
+		if ( arg in hot_ids &&
+		     [id$orig_h, id$resp_h, arg] !in skip_hot )
+			{
+			if ( arg in always_hot_ids )
+				session$log_it = T;
+			else
+				session$log_if_not_denied = T;
+			}
+
+		append_addl(c, arg);
+		session$user = arg;
+
+		if ( arg in forbidden_ids )
+			TerminateConnection::terminate_connection(c);
+		}
+
+	else if ( command == "PASS" )
+		{
+		if ( session$user in forbidden_ids_if_no_password &&
+		     arg == "" )
+			TerminateConnection::terminate_connection(c);
+
+		if ( session$user in guest_ids )
+			append_addl_marker(c, arg, "/");
+		else
+			{
+			event account_tried(c, session$user, arg);
+			arg = "<suppressed>";
+			}
+		}
+
+	else if ( command == "PORT" || command == "EPRT" )
+		{
+		local data = (command == "PORT") ?
+				parse_ftp_port(arg) : parse_eftp_port(arg);
+
+		if ( data$valid )
+			{
+			if ( data$h != id$orig_h )
+				ftp_message(id, fmt("*> PORT host %s doesn't match originator host %s", data$h, id$orig_h));
+
+			if ( data$p < 1024/tcp && data$p in port_names )
+				NOTICE([$note=FTP_PrivPort, $id=id,
+					$user=session$user,
+					$msg=fmt("%s #%s privileged PORT %d: %s",
+						id_string(id),
+						prefixed_id(session$id),
+						data$p, arg),
+					$sub="PORT"]);
+
+			local expected = [$host=c$id$resp_h, $session=session];
+			ftp_data_expected[data$h, data$p] = expected;
+			add session$expected[data$h, data$p];
+
+			expect_connection(c$id$resp_h, data$h, data$p,
+						ANALYZER_FILE, 5 min);
+
+			event ftp_connection_expected(c, c$id$resp_h, data$h,
+							data$p, session);
+			}
+		else if ( arg != ignore_invalid_PORT )
+			NOTICE([$note=FTP_BadPort, $id=id,
+				$user=session$user,
+				$msg=fmt("%s #%s invalid ftp PORT directive: %s",
+						id_string(id),
+						prefixed_id(session$id), arg),
+				$sub="PORT"]);
+		}
+
+	else if ( command in ftp_file_cmds )
+		{
+		if ( arg == hot_files ||
+		     (session$user in guest_ids &&
+		      arg == hot_guest_files) )
+			event ftp_sensitive_file(c, session, arg);
+
+		if ( byte_len(arg) >= excessive_filename_len )
+			{
+			arg = fmt("%s..[%d]..",
+				sub_bytes(arg, 1, excessive_filename_trunc_len),
+				byte_len(arg));
+			event ftp_excessive_filename(session, command, arg);
+			}
+		}
+
+	else if ( command == "ACCT" )
+		append_addl(c, fmt("(account %s)", arg));
+
+	if ( command in hot_cmds && arg == hot_cmds[command] )
+		{
+		session$log_it = T;
+
+		# Special hack for "site exec" attacks.
+		### Obviously, this should be generic and not specialized
+		### like the following.
+		if ( command == "SITE" && /[Ee][Xx][Ee][Cc]/ in arg &&
+		     # We see legit use of "site exec cp / /", God knows why.
+		     byte_len(arg) > 32 )
+			{ # Terminate with extreme prejudice.
+			TerminateConnection::terminate_connection(c);
+			NOTICE([$note=FTP_SiteExecAttack, $conn=c, $conn=c, 
+					$msg=fmt("%s %s", command, arg)]);
+			}
+		}
+
+	local request = arg == "" ? command : cat(command, " ", arg);
+	if ( ++session$num_requests == 1 )
+		{
+		# First pending request
+		session$request = request;
+		session$request_t = network_time();
+		}
+	else
+		{
+		# Don't append PASS commands, unless they're for an
+		# anonymous user.
+
+		### Is it okay to include the args of an ACCT command?
+
+		if ( command == "PASS" )
+			{
+			if ( session$user in guest_ids )
+				{
+				session$request =
+					cat(session$request, "/", arg);
+				}
+
+			# Don't count this as a multiple request.
+			--session$num_requests;
+			}
+		else
+			{
+			if ( byte_len(session$request) < 256 )
+				session$request = cat(session$request, ", ", request);
+			}
+		}
+
+	if ( rewriting_ftp_trace )
+		ftp_request_rewrite(c, session, cmd_arg);
+
+	if ( command in ftp_all_cmds )
+		{
+		if ( command in ftp_untested_cmds )
+			{
+			delete ftp_untested_cmds[command];
+			add ftp_first_seen_cmds[command];
+			}
+		}
+	else
+		add ftp_unlisted_cmds[command];
+	}
+
+event ftp_binary_response(session: ftp_session_info, code: count, msg: string)
+	{
+	print log_file, fmt("%.6f #%s binary response",
+				network_time(), prefixed_id(session$id));
+	}
+
+function extract_dir_from_reply(session: ftp_session_info, msg: string,
+				hint: string): string
+	{
+	const dir_pattern = /\"([^\"]|\"\")*(\/|\\)([^\"]|\"\")*\"/;
+	local parts = split_all(msg, dir_pattern);
+
+	if ( length(parts) != 3 )
+		{ # not found or ambiguous
+#		print log_file, fmt("%.6f #%s cannot extract directory: \"%s\"",
+#			network_time(), prefixed_id(session$id), msg);
+		return hint;
+		}
+
+	local d = parts[2];
+	return sub_bytes(d, 2, int_to_count(byte_len(d) - 2));
+	}
+
+# Process ..'s and eliminate duplicate '/'s
+# Deficiency: gives wrong results when a symbolic link is followed by ".."
+function compress_path(dir: string): string
+	{
+	const cdup_sep = /((\/)+([^\/]|\\\/)+)?((\/)+\.\.(\/)+)/;
+
+	local parts = split_n(dir, cdup_sep, T, 1);
+	if ( length(parts) > 1 )
+		{
+		parts[2] = "/";
+		dir = cat_string_array(parts);
+		return compress_path(dir);
+		}
+
+	const multislash_sep = /(\/){2,}/;
+	parts = split_all(dir, multislash_sep);
+	for ( i in parts )
+		if ( i % 2 == 0 )
+			parts[i] = "/";
+	dir = cat_string_array(parts);
+
+	return dir;
+	}
+
+# Computes the absolute path with cwd (current working directory).
+function absolute_path(session: ftp_session_info, file_name: string): string
+	{
+	local abs_file_name: string;
+	if ( file_name == ftp_absolute_path_pat ) # start with '/' or 'A:\'
+		abs_file_name = file_name;
+	else
+		abs_file_name = string_cat(session$cwd, "/", file_name);
+	return  compress_path(abs_file_name);
+	}
+
+function do_ftp_reply(c: connection, session: ftp_session_info,
+			code: count, msg: string, cmd: string, arg: string)
+	{
+	local id = c$id;
+
+	if ( session$log_if_not_denied && code != 530 &&
+	     # skip password prompt, which we can get when the requests
+	     # are stacked up
+	     code != 331 )
+		session$log_it = T;
+
+	if ( session$log_if_not_unavail && code != 550 )
+		session$log_it = T;
+
+	if ( code == 227  || code == 229 )
+		{
+		local data = (code == 227) ?
+				parse_ftp_pasv(msg) : parse_ftp_epsv(msg);
+
+		if ( code == 229 && data$h == 0.0.0.0 )
+			data$h = id$resp_h;
+
+		if ( data$valid )
+			{
+			if ( data$h != id$resp_h )
+				ftp_message(id, fmt("*< PASV host %s doesn't match responder host %s", data$h, id$resp_h));
+
+			if ( data$p < 1024/tcp && data$p in port_names &&
+			     data$p !in ignore_privileged_PASVs )
+				NOTICE([$note=FTP_PrivPort, $id=id,
+					$user=session$user, $n=code,
+					$msg=fmt("%s #%s privileged PASV %d: %s",
+						id_string(id), prefixed_id(session$id),
+						data$p, msg),
+					$sub="PASV"]);
+
+			local expected = [$host=id$orig_h, $session=session];
+			ftp_data_expected[data$h, data$p] = expected;
+			add session$expected[data$h, data$p];
+			event ftp_connection_expected(c, c$id$orig_h, data$h,
+							data$p, session);
+
+			expect_connection(id$orig_h, data$h, data$p,
+						ANALYZER_FILE, 5 min);
+
+			msg = endpoint_id(data$h, data$p);
+			}
+
+		else if ( msg != ignore_invalid_PORT )
+			{
+			NOTICE([$note=FTP_BadPort, $id=id,
+				$user=session$user, $n=code,
+				$msg=fmt("%s #%s invalid ftp PASV directive: %s",
+						id_string(id),
+						prefixed_id(session$id), msg),
+				$sub="PASV"]);
+			msg = "invalid PASV";
+			}
+		}
+
+	if ( [cmd, code] in ftp_dir_operation )
+		{
+		local cwd: string;
+
+		if ( cmd == "CWD" )
+			{
+			if ( arg == ftp_absolute_path_pat ) # absolute dir
+				cwd = arg;
+			else
+				cwd = cat(session$cwd, "/", arg);
+			}
+
+		else if ( cmd == "CDUP" )
+			cwd = cat(session$cwd, "/..");
+
+		else if ( cmd == "PWD" || cmd == "XPWD" )
+			# Here we need to guess how to extract the
+			# directory from the reply.
+			cwd = extract_dir_from_reply(session, msg,
+							 session$cwd);
+
+		# cwd = cat(cwd, "/");
+
+		# Process "..", eliminate duplicate '/'s, and eliminate
+		# last '/' if cwd != "/"
+		# session$cwd = compress_path(cwd);
+
+		session$cwd = cwd;
+
+#		print log_file, fmt("*** DEBUG *** %.06f #%s (%s %s) CWD = \"%s\"",
+#				network_time(), prefixed_id(session$id),
+#				cmd, arg, session$cwd);
+		}
+
+	if ( session$num_requests > 0 )
+		{
+		if ( code in ftp_skip_replies )
+			;	# Don't flush request yet.
+
+		else
+			{
+			local reply = code in ftp_replies ? ftp_replies[code] :
+					fmt("%d %s", code, msg);
+
+			local session_msg = fmt("#%s %s%s (%s)",
+					prefixed_id(session$id),
+					session$num_requests > 1 ? "*" : "",
+					session$request, reply);
+
+			if ( session$log_it )
+				NOTICE([$note=FTP_Sensitive, $id=id,
+					$user=session$user, $n=code,
+					$msg=fmt("ftp: %s %s",
+						id_string(id), session_msg)]);
+
+			print log_file, fmt("%.6f %s", session$request_t,
+						session_msg);
+
+			session$request = "";
+			session$num_requests = 0;
+			session$log_if_not_unavail = F;
+			session$log_if_not_denied = F;
+			session$log_it = F;
+			}
+		}
+	else
+		{
+		# An unpaired response.  This can happen in particular
+		# when the session is encrypted, so we check for that here.
+		if ( /[\x80-\xff]{3}/ in msg )
+			# Three 8-bit characters in a row - good enough.
+			# Note, this should of course be customizable.
+			event ftp_binary_response(session, code, msg);
+
+		else
+			print log_file, fmt("%.6f #%s response (%d %s)",
+					network_time(), prefixed_id(session$id), code, msg);
+		}
+	}
+
+function do_ftp_login(c: connection, session: ftp_session_info)
+	{
+	session$cwd = ftp_init_dir[session$connection_id$resp_h, session$user];
+	event login_successful(c, session$user);
+	}
+
+event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool)
+	{
+	local id = c$id;
+	local response_xyz = parse_ftp_reply_code(code);
+
+	if ( id !in ftp_sessions )
+		new_ftp_session(c, T);
+
+	local session = ftp_sessions[id];
+
+	if ( code != 0 || ! cont_resp )
+		session$reply_code = code;
+
+	local cmd_arg = find_ftp_pending_cmd(session$pending_requests, session$reply_code, msg);
+
+	if ( ! cont_resp )
+		{
+		if ( response_xyz$x == 2 &&	# successful
+		     (cmd_arg$cmd == /USER|PASS|ACCT/) )
+			do_ftp_login(c, session);
+
+		do_ftp_reply(c, session, code, msg, cmd_arg$cmd, cmd_arg$arg);
+		}
+
+	if ( rewriting_ftp_trace )
+		{
+		ftp_reply_rewrite(c, session, code, msg, cont_resp, cmd_arg);
+		}
+
+	if ( ! cont_resp )
+		{
+		if ( ftp_cmd_pending(session$pending_requests) )
+			{
+			if ( response_xyz$x == 1 )
+				# nothing
+				;
+
+			else if ( response_xyz$x >= 2 && response_xyz$x <= 5 )
+				{
+				pop_from_ftp_pending_cmd(session$pending_requests, cmd_arg);
+				# print log_file, fmt("*** DEBUG *** %.06f #%d: [%s %s] [%d %s]",
+				#	network_time(), session$id, cmd_arg$cmd, cmd_arg$arg, code, msg);
+				}
+			}
+
+		else if ( code != 421 ) # closing connection
+			ftp_message(id, fmt("spontaneous response (%d %s)",
+					code, msg));
+		}
+	}
+
+const call_ftp_connection_remove = F &redef;
+global ftp_connection_remove: function(c: connection);
+
+# Use state remove event instead of finish to cover connections terminated by
+# RST.
+event connection_state_remove(c: connection)
+	{
+	local id = c$id;
+
+	if ( is_ftp_conn(c) && call_ftp_connection_remove )
+		ftp_connection_remove(c);
+
+	if ( id in ftp_sessions )
+		{
+		local session = ftp_sessions[id];
+
+		if ( session$num_requests > 0 )
+			{
+			local msg = fmt("#%s %s%s (no reply)",
+					prefixed_id(session$id),
+					session$num_requests > 1 ? "*" : "",
+					session$request);
+
+			if ( session$log_it )
+				NOTICE([$note=FTP_Sensitive, $id=id,
+					$user=session$user,
+					$msg=fmt("ftp: %s %s",
+						id_string(id), msg)]);
+
+			print log_file, fmt("%.6f %s", session$request_t, msg);
+			}
+
+		if ( ftp_cmd_pending(session$pending_requests) )
+			{
+			local ca = find_ftp_pending_cmd(session$pending_requests, 0, "<finish>");
+			# print log_file, fmt("*** DEBUG *** requests pending from %s %s", ca$cmd, ca$arg);
+			}
+
+		for ( [h, p] in session$expected )
+			delete ftp_data_expected[h, p];
+
+		ftp_message(id, "finish");
+
+		delete ftp_sessions[id];
+		}
+	}
+
+event file_transferred(c: connection, prefix: string, descr: string,
+			mime_type: string)
+	{
+	if ( [c$id$resp_h, c$id$resp_p] in ftp_data_expected )
+		{
+		local expected = ftp_data_expected[c$id$resp_h, c$id$resp_p];
+		print log_file, fmt("%.6f #%s ftp-data %s '%s'",
+					c$start_time,
+					prefixed_id(expected$session$id),
+					mime_type, descr);
+		append_addl(c, descr);
+		}
+	}
+
+event file_virus(c: connection, virname: string)
+	{
+	if ( [c$id$resp_h, c$id$resp_p] in ftp_data_expected )
+		{
+		local expected = ftp_data_expected[c$id$resp_h, c$id$resp_p];
+		# FIXME: Throw NOTICE.
+		print log_file, fmt("%.6f #%s VIRUS %s found", c$start_time,
+					prefixed_id(expected$session$id),
+					virname);
+		append_addl(c, fmt("Virus %s", virname));
+		}
+	}
+
+event bro_init()
+	{
+	have_FTP = T;
+	}
diff --git a/policy/gnutella.bro b/policy/gnutella.bro
new file mode 100644
index 0000000000..0fd4429f83
--- /dev/null
+++ b/policy/gnutella.bro
@@ -0,0 +1,61 @@
+# $Id: gnutella.bro 4017 2007-02-28 07:11:54Z vern $
+
+redef capture_filters += { ["gnutella"] = "port 6346 or port 8436" };
+
+global gnutella_ports = { 6346/tcp, 8436/tcp } &redef;
+redef dpd_config += { [ANALYZER_GNUTELLA] = [$ports = gnutella_ports] };
+
+event gnutella_text_msg(c: connection, orig: bool, headers: string)
+	{
+	if ( orig )
+		print fmt("gnu txt %s -> %s %s", c$id$orig_h, c$id$resp_h, headers);
+	else
+		print fmt("gnu txt %s -> %s %s", c$id$resp_h, c$id$orig_h, headers);
+	}
+
+
+event gnutella_binary_msg(c: connection, orig: bool, msg_type: count,
+				ttl: count, hops: count, msg_len: count,
+				payload: string, payload_len: count,
+				trunc: bool, complete: bool)
+	{
+	local s = "";
+
+	if ( orig )
+		s = fmt("gnu bin %s -> %s", c$id$orig_h, c$id$resp_h);
+	else
+		s = fmt("gnu bin %s -> %s", c$id$resp_h, c$id$orig_h);
+
+	print fmt("%s %d %d %d %d %d %d %d %s",
+			s, msg_type, ttl, hops, msg_len,
+			trunc, complete, payload_len, payload);
+	}
+
+
+event gnutella_partial_binary_msg(c: connection, orig: bool,
+					msg: string, len: count)
+	{
+	if ( orig )
+		print fmt("gnu pbin %s -> %s", c$id$orig_h, c$id$resp_h);
+	else
+		print fmt("gnu pbin %s -> %s", c$id$resp_h, c$id$orig_h);
+	}
+
+
+event gnutella_establish(c: connection)
+	{
+	print fmt("gnu est %s <-> %s", c$id$orig_h, c$id$resp_h);
+	}
+
+
+event gnutella_not_establish(c: connection)
+	{
+	print fmt("gnu !est %s <-> %s", c$id$orig_h, c$id$resp_h);
+	}
+
+
+event gnutella_http_notify(c: connection)
+	{
+	print fmt("gnu http %s/%s <-> %s/%s", c$id$orig_h, c$id$orig_p,
+			c$id$resp_h, c$id$resp_p);
+	}
diff --git a/policy/hand-over.bro b/policy/hand-over.bro
new file mode 100644
index 0000000000..0b3cf2f195
--- /dev/null
+++ b/policy/hand-over.bro
@@ -0,0 +1,144 @@
+# $Id: hand-over.bro 617 2004-11-02 00:54:31Z scottc $
+#
+# Hand-over between two instances of Bro.
+
+@load remote
+
+# The host from which we want to take over the state has to be
+# added to remote_peers_{clear,ssl}, setting hand_over to T.
+#
+# The host which we want to allow to perform a hand-over with us
+# has to be added to remote_peers with a port of 0/tcp and
+# hand_over = T.
+
+function is_it_us(host: addr, p: port): bool
+	{
+@ifdef ( listen_if_clear )
+	if ( is_local_interface(host) && p == listen_port_clear )
+		return T;
+@endif
+
+@ifdef ( listen_if_ssl )
+	if ( is_local_interface(host) && p == listen_port_ssl )
+	    return T;
+@endif
+	return F;
+	}
+
+function is_handover_peer(p: event_peer): bool
+	{
+	local peer: Remote::Destination;
+
+	if ( p$id in Remote::pending_peers )
+		peer = Remote::pending_peers[p$id];
+	else
+		return F;
+
+	return peer$hand_over;
+	}
+
+function handover_start_processing()
+	{
+	uninstall_src_net_filter(0.0.0.0/0);
+	}
+
+event bro_init()
+	{
+	# Disable packet processing.
+	install_src_net_filter(0.0.0.0/0, 0, 100);
+	alarm "waiting for hand-over - packet processing disabled.";
+	}
+
+event remote_connection_error(p: event_peer, reason: string)
+	{
+	if ( is_remote_event() || ! ( p$id in Remote::connected_peers) )
+		return;
+
+	# Seems that the other side in not running.
+	alarm "can't connect for hand-over - starting processing ...";
+	handover_start_processing();
+	}
+
+event remote_connection_established(p: event_peer)
+	{
+	if ( is_remote_event() )
+		return;
+
+	# If [p$id] is defined in Remote::connected_peers and p != 0, we have connected
+	# to the host.
+	if ( p$p != 0/tcp &&
+	     ([p$id] in Remote::connected_peers ) )
+		{
+		if ( ! is_handover_peer(p) )
+			return;
+
+		alarm fmt("requesting hand-over from %s:%d", p$host, p$p);
+
+		request_remote_events(p, /handover_.*|finished_send_state/);
+
+		# Give the remote side some time to register its handlers.
+		schedule 3 secs { handover_request(p$host, p$p) };
+		return;
+		}
+
+	# If the other side connected to us, we will allow the hand-over
+	# if the remote host is defined as a hand-over host in remote_peers.
+	if ( is_handover_peer(p) )
+		{
+		alarm fmt("allowing hand-over from %s:%d", p$host, p$p);
+		request_remote_events(p, /handover_.*|finished_send_state/);
+		}
+	}
+
+event handover_send_state(p: event_peer)
+	{
+	if ( is_remote_event() )
+		return;
+
+	# There may be a serialization in progress in which case
+	# we will have to try again.
+	if ( ! send_state(p) )
+		{
+		alarm "can't send state; serialization in progress";
+		schedule 5 secs { handover_send_state(p$host, p$p) };
+		}
+	}
+
+event handover_request(p: event_peer)
+	{
+	# Make sure the event is for us.
+	if ( ! (is_remote_event() && is_it_us(p$host, p$p)) )
+		return;
+
+	# Send state to other side.
+	schedule 1 sec { handover_send_state(p) };
+	}
+
+event finished_send_state(p: event_peer)
+	{
+	# We will get this event from the remote side.
+	# Make sure it's indeed for us.
+	if ( ! is_remote_event() )
+		 return;
+
+	if ( ! is_handover_peer(p) )
+		 return;
+
+	alarm fmt("full state received from %s:%d - starting processing ...",
+		p$host, p$p);
+
+	event handover_got_state(p);
+
+	# Start processing.
+	handover_start_processing();
+	}
+
+event handover_got_state(p: event_peer)
+	{
+	# Make sure the event is for us.
+	if ( ! (is_remote_event() && is_it_us(p$host, p$p)) )
+		return;
+
+	alarm fmt("%s:%d received our state - terminating", p$host, p$p);
+	terminate();
+	}
diff --git a/policy/heavy-analysis.bro b/policy/heavy-analysis.bro
new file mode 100644
index 0000000000..6d3bf29a0c
--- /dev/null
+++ b/policy/heavy-analysis.bro
@@ -0,0 +1,26 @@
+# $Id: heavy-analysis.bro 2771 2006-04-18 23:53:09Z vern $
+#
+# Loading this files enables somewhat more accurate, yet also significantly
+# more expensive, analysis (in terms of memory as well as CPU time).
+#
+# This script only sets core-level options.  Script-level timeouts are
+# adjusted in heavy.*.bro, loaded via Bro's prefix mechanism.  To make this
+# work, the prefix has to be set *before* reading other scripts, either by
+# loading this script first of all, or by manually putting a @prefix
+# at the start of Bro's configuration.
+
+@prefixes += heavy
+
+redef tcp_SYN_timeout = 120 secs;
+redef tcp_session_timer = 30 secs;
+redef tcp_connection_linger = 30 secs;
+redef tcp_attempt_delay = 300 secs;
+redef tcp_close_delay = 15 secs;
+redef tcp_reset_delay = 15 secs;
+redef tcp_partial_close_delay = 10 secs;
+
+redef max_timer_expires = 32;
+
+redef tcp_inactivity_timeout = 2 hrs;
+redef udp_inactivity_timeout = 1 hrs;
+redef icmp_inactivity_timeout = 1 hrs;
diff --git a/policy/heavy.http.bro b/policy/heavy.http.bro
new file mode 100644
index 0000000000..f3be0bf058
--- /dev/null
+++ b/policy/heavy.http.bro
@@ -0,0 +1,3 @@
+# $Id: heavy.http.bro 4723 2007-08-07 18:14:35Z vern $
+
+redef http_sessions &write_expire = 5 hrs;
diff --git a/policy/heavy.irc.bro b/policy/heavy.irc.bro
new file mode 100644
index 0000000000..0e2cdf0dbb
--- /dev/null
+++ b/policy/heavy.irc.bro
@@ -0,0 +1,4 @@
+# $Id: heavy.irc.bro 4723 2007-08-07 18:14:35Z vern $
+
+redef active_users &persistent &read_expire = 1 days;
+redef active_channels &persistent &read_expire = 1 days;
diff --git a/policy/heavy.scan.bro b/policy/heavy.scan.bro
new file mode 100644
index 0000000000..570e79bf6a
--- /dev/null
+++ b/policy/heavy.scan.bro
@@ -0,0 +1,6 @@
+# $Id: heavy.scan.bro 4758 2007-08-10 06:49:23Z vern $
+
+redef distinct_peers &create_expire = 10 hrs;
+redef distinct_ports &create_expire = 10 hrs;
+redef distinct_low_ports &create_expire = 10 hrs;
+redef possible_scan_sources &create_expire = 10 hrs;
diff --git a/policy/heavy.software.bro b/policy/heavy.software.bro
new file mode 100644
index 0000000000..f9e8d0b694
--- /dev/null
+++ b/policy/heavy.software.bro
@@ -0,0 +1,3 @@
+# $Id: heavy.software.bro 2771 2006-04-18 23:53:09Z vern $
+
+redef only_report_local = F;
diff --git a/policy/heavy.trw.bro b/policy/heavy.trw.bro
new file mode 100644
index 0000000000..1bfce8f6b4
--- /dev/null
+++ b/policy/heavy.trw.bro
@@ -0,0 +1,8 @@
+# $Id: heavy.trw.bro 4723 2007-08-07 18:14:35Z vern $
+
+redef TRW::scan_sources &write_expire = 1 day;
+redef TRW::benign_sources &write_expire = 1 day;
+redef TRW::failed_locals &write_expire = 12 hrs;
+redef TRW::successful_locals &write_expire = 12 hrs;
+redef TRW::lambda &write_expire = 12 hrs;
+redef TRW::num_scanned_locals &write_expire = 12 hrs;
diff --git a/policy/hot-ids.bro b/policy/hot-ids.bro
new file mode 100644
index 0000000000..64a6a7a71f
--- /dev/null
+++ b/policy/hot-ids.bro
@@ -0,0 +1,29 @@
+# @(#) $Id: hot-ids.bro 785 2004-11-24 05:56:06Z rwinslow $ (LBL)
+
+# If these ids are seen, the corresponding connection is terminated.
+const forbidden_ids = {
+	"uucp", "daemon", "rewt", "nuucp",
+	"EZsetup", "OutOfBox", "4Dgifts",
+	"ezsetup", "outofbox", "4dgifts", "sgiweb",
+	"r00t", "ruut", "bomb", "backdoor",
+	"bionic", "warhead", "check_mate", "checkmate", "check_made",
+	"themage", "darkmage", "y0uar3ownd", "netfrack", "netphrack",
+} &redef;
+
+const forbidden_ids_if_no_password = { "lp" } &redef;
+
+const forbidden_id_patterns = /(y[o0]u)(r|ar[e3])([o0]wn.*)/ &redef;
+
+const always_hot_ids = {
+	"sync", "tutor", "tour",
+	"retro", "milk", "moof", "own", "gdm", "anacnd",
+	"lp", "demos", forbidden_ids,
+} &redef;
+
+# The ones here that aren't in always_hot_ids are only hot upon
+# success.
+const hot_ids = {
+	"root", "system", "smtp", "sysadm", "diag", "sysdiag", "sundiag",
+	"operator", "sys", "toor", "issadmin", "msql", "sysop", "sysoper",
+	"wank", always_hot_ids,
+} &redef;
diff --git a/policy/hot.bro b/policy/hot.bro
new file mode 100644
index 0000000000..c3434e3a3b
--- /dev/null
+++ b/policy/hot.bro
@@ -0,0 +1,160 @@
+# $Id: hot.bro 7057 2010-07-19 23:22:19Z vern $
+
+@load site
+@load port-name
+@load notice
+@load terminate-connection
+
+module Hot;
+
+export {
+	# True if it should be considered a spoofing attack if a connection has
+	# the same local net for source and destination.
+	const same_local_net_is_spoof = F &redef;
+
+	const allow_spoof_services = {
+		110/tcp,	# pop-3
+		139/tcp,	# netbios-ssn
+	} &redef;
+
+	# Indexed by source address and destination address.
+	const allow_pairs: set[addr, addr] &redef;
+
+	const hot_srcs: table[addr] of string = {
+		#	[ph33r.the.eleet.com] = "kidz",
+	} &redef;
+
+	const hot_dsts: table[addr] of string = {
+		[206.101.197.226] = "ILOVEYOU worm destination",
+	} &redef;
+
+	const allow_services = {
+		ssh, http, gopher, ident, smtp, 20/tcp,
+		53/udp,		# DNS queries
+		123/udp,	# NTP
+	} &redef;
+
+	const allow_services_to: set[addr, port] &redef;
+	const allow_services_from: set[addr, port] &redef;
+	const allow_service_pairs: set[addr, addr, port] &redef;
+
+	const flag_successful_service: table[port] of string = {
+		[[31337/tcp]] = "popular backdoors",
+	} &redef;
+
+	const flag_successful_inbound_service: table[port] of string = {
+		[1524/tcp] = "popular backdoor, but with false hits outbound",
+	} &redef;
+
+	const terminate_successful_inbound_service: table[port] of string &redef;
+
+	const flag_rejected_service: table[port] of string &redef;
+
+	# Different values to hand to check_hot() at different stages in
+	# a connection's lifetime.
+	const CONN_ATTEMPTED = 1;
+	const CONN_ESTABLISHED = 2;
+	const APPL_ESTABLISHED = 3;
+	const CONN_FINISHED = 4;
+	const CONN_REJECTED = 5;
+	const CONN_TIMEOUT = 6;
+	const CONN_REUSED = 7;
+
+	global check_hot: function(c: connection, state: count): bool;
+	global check_spoof: function(c: connection): bool;
+}
+
+# An internal function used by check_hot.
+function do_hot_check(c: connection, a: addr, t: table[addr] of string)
+	{
+	if ( a in t )
+		{
+		++c$hot;
+		local hot_msg = fmt("<%s>", t[a]);
+		append_addl(c, hot_msg);
+		}
+	}
+
+function check_spoof(c: connection): bool
+	{
+	local orig = c$id$orig_h;
+	local resp = c$id$resp_h;
+	local service = c$id$resp_p;
+
+	if ( is_local_addr(orig) && is_local_addr(resp) &&
+	     service !in allow_spoof_services )
+		{
+		if ( c$id$orig_p == service && orig == resp )
+			event conn_weird("Land_attack", c);
+
+		if ( same_local_net_is_spoof )
+			++c$hot;
+		}
+
+	return c$hot != 0;
+	}
+
+function check_hot(c: connection, state: count): bool
+	{
+	local id = c$id;
+	local service = id$resp_p;
+
+	if ( service in allow_services || "ftp-data" in c$service )
+		return F;
+
+	if ( state == CONN_ATTEMPTED )
+		check_spoof(c);
+
+	else if ( state == CONN_REJECTED )
+		{
+		check_spoof(c);
+
+		if ( service in flag_rejected_service )
+			++c$hot;
+		}
+
+	else if ( state == CONN_ESTABLISHED )
+		{
+		check_spoof(c);
+
+		local inbound = is_local_addr(id$resp_h);
+
+		if ( (service in flag_successful_service ||
+		      (inbound &&
+		       service in flag_successful_inbound_service)) &&
+		     ([id$resp_h, id$resp_p] !in allow_services_to || 
+		      [id$orig_h, id$resp_p] !in allow_services_from) )
+			{
+			if ( inbound &&
+			     service in terminate_successful_inbound_service )
+				TerminateConnection::terminate_connection(c);
+
+			++c$hot;
+			if ( service in flag_successful_service )
+				append_addl(c, flag_successful_service[service]);
+			else
+				append_addl(c, flag_successful_inbound_service[service]);
+			}
+		}
+
+	else if ( state == APPL_ESTABLISHED ||
+		  ((state == CONN_FINISHED || state == CONN_TIMEOUT ||
+		    state == CONN_REUSED) &&
+		   service != telnet && c$orig$size > 0 && c$resp$size > 0) )
+		{
+		# Connection established and has a non-trivial size.
+		local orig = c$id$orig_h;
+		local resp = c$id$resp_h;
+
+		if ( [resp, service] in allow_services_to ||
+		     [orig, service] in allow_services_from ||
+		     [orig, resp, service] in allow_service_pairs ||
+		     [orig, resp] in allow_pairs )
+			return F;
+
+		do_hot_check(c, resp, hot_srcs);
+		do_hot_check(c, resp, hot_dsts);
+		}
+
+	return c$hot != 0;
+	}
diff --git a/policy/http-abstract.bro b/policy/http-abstract.bro
new file mode 100644
index 0000000000..3eaeb273f0
--- /dev/null
+++ b/policy/http-abstract.bro
@@ -0,0 +1,54 @@
+# $Id: http-abstract.bro 47 2004-06-11 07:26:32Z vern $
+
+@load http
+@load http-entity
+
+module HTTP;
+
+export {
+	const abstract_max_length = 512 &redef;
+}
+
+redef http_entity_data_delivery_size = 4096;
+redef include_HTTP_abstract = T;
+
+function skip_abstract(c: connection, is_orig: bool, msg: http_message)
+	{
+	msg$skip_abstract = T;
+	if ( ! process_HTTP_data )
+		skip_http_entity_data(c, is_orig);
+	}
+
+event http_content_type(c: connection, is_orig: bool, ty: string, subty: string)
+	{
+	local s = lookup_http_request_stream(c);
+	local msg = get_http_message(s, is_orig);
+
+	if ( msg$entity_level == 1 && ty == "TEXT" )
+		# Do not skip the body in this case.
+		return;
+
+	skip_abstract(c, is_orig, msg);
+	}
+
+event http_entity_data(c: connection, is_orig: bool, length: count, data: string)
+	{
+	local s = lookup_http_request_stream(c);
+	local msg = get_http_message(s, is_orig);
+
+	if ( msg$skip_abstract )
+		return;
+
+	local len = byte_len(data);
+	if ( len > abstract_max_length )
+		msg$abstract = sub_bytes(data, 1, abstract_max_length);
+	else
+		msg$abstract = data;
+
+	skip_abstract(c, is_orig, msg);
+
+	# print http_log, fmt("%.6f %s %s %d bytes: \"%s\"",
+	#			network_time(), s$id,
+	#			is_orig ? "=>" : "<=", byte_len(msg$abstract),
+	#			msg$abstract);
+	}
diff --git a/policy/http-anon-server.bro b/policy/http-anon-server.bro
new file mode 100644
index 0000000000..ecf755c39a
--- /dev/null
+++ b/policy/http-anon-server.bro
@@ -0,0 +1,209 @@
+# $Id:$
+
+# Anonymize values in Server: headers.
+#
+# TODO:
+#
+# - Zedo and IBM web servers can have Apache mods -- the parsing should
+#   be extended to support them
+#
+
+@load anon
+@load http-anon-utils
+
+# ---------------------------------------------------------------------
+#                      Apache (and friends)
+# - abandon all hope ye who enter here .....
+# ---------------------------------------------------------------------
+
+const apache_server =
+	/apache(-ish)?(\/([0-9]+\.)*[0-9]+)? *(\(?(red hat( linux)?|cobalt|suse\/linux|linux\/suse|darwin|gentoo\/linux|debian gnu\/linux|win32|fedora|freebsd|red-hat\/linux|unix)\)? *)*/;
+
+const apache_mod_pat =
+	  /mod_fastcgi\/(([0-9]+\.)*[0-9a-z]{1,4})/
+	| /openssl\/([0-9]+\.)*[0-9a-z]{1,4}(-beta[0-9]{0,2})?/
+	| /dav\/(([0-9]+\.)*[0-9a-z]{1,4})/
+	| /php-cgi\/(([0-9]+\.)*[0-9a-z]{1,4})/
+	| /ben-ssl\/(([0-9]+\.)*[0-9a-z]{1,4})/
+	| /embperl\/(([0-9]+\.)*[0-9a-z]{1,4})/
+	| /mod_ruby\/(([0-9]+\.)*[0-9a-z]{1,4})/
+	| /nexadesic\/(([0-9]+\.)*[0-9a-z]{1,4})/
+	| /postgresql\/(([0-9]+\.)*[0-9a-z]{1,4})/
+	| /mod_tsunami\/(([0-9]+\.)*[0-9a-z]{1,4})/
+	| /mod_auth_svn\/(([0-9]+\.)*[0-9a-z]{1,4})/
+	| /mod_auth_mda\/(([0-9]+\.)*[0-9a-z]{1,4})/
+	| /rus\/pl(([0-9]+\.)*[0-9]{1,4})/
+	| /authmysql\/(([0-9]+\.)*[0-9]{1,4})/
+	| /mod_auth_pgsql\/(([0-9]+\.)*[0-9]{1,4})/
+	| /mod_ssl\/(([0-9]+\.)*[0-9a-z]{1,4})/
+	| /php\/(([0-9]+\.)*[0-9a-z]{1,4})(-[0-9]+)?/
+	| /mod_perl\/(([0-9]+\.)*[0-9a-z]{1,4})(\_[0-9]+)?/
+	| /mod_macro\/(([0-9]+\.)*[0-9a-z]{1,4})/
+	| /mod_auth_pam\/(([0-9]+\.)*[0-9a-z]{1,4})/
+	| /mod_oas\/(([0-9]+\.)*[0-9a-z]{1,4})/
+	| /mod_cap\/(([0-9]+\.)*[0-9a-z]{1,4})/
+	| /powweb\/(([0-9]+\.)*[0-9a-z]{1,4})/
+	| /mod_gzip\/(([0-9]+\.)*[0-9a-z]{1,4})/
+	| /resin\/(([0-9]+\.)*[0-9a-z]{1,4})/
+	| /mod_jk\/(([0-9]+\.)*[0-9a-z]{1,4})/
+	| /python\/(([0-9]+\.)*[0-9a-z]{1,4})/
+	| /perl\/(v)?(([0-9]+\.)*[0-9a-z]{1,4})/
+	| /mod_python\/(([0-9]+\.)*[0-9a-z]{1,4})/
+	| /mod_log_bytes\/(([0-9]+\.)*[0-9a-z]{1,4})/
+	| /mod_auth_passthrough\/(([0-9]+\.)*[0-9a-z]{1,4})/
+	| /mod_bwlimited\/(([0-9]+\.)*[0-9a-z]{1,4})/
+	| /mod_throttle\/(([0-9]+\.)*[0-9a-z]{1,4})/
+	| /mod_webapp\/(([0-9]+\.)*[0-9a-z]{1,4})(-dev)?/
+	| /frontpage\/(([0-9]+\.)*[0-9a-z]{1,5})/
+	| /mod_pubcookie\/[0-9a-z]{2}\/[0-9]+\.[0-9]+\-[0-9]+/
+	| /(-)?coyote\/(([0-9]+\.)*[0-9a-z]{1,4})/
+	| /svn\/(([0-9]+\.)*[0-9a-z]{1,4})/
+	;
+
+# Various Apache variants (e.g., stronghold).
+const apache_misc =
+	/stronghold\/(([0-9]+\.)*[0-9]+) apache(\/([0-9]+\.)*[0-9]+)? (c2neteu\/[0-9])? *(\(?(red hat( linux)?|cobalt|suse\/linux|linux\/suse|darwin|gentoo\/linux|debian gnu\/linux|win32|fedora|freebsd|red-hat\/linux|unix)\)? *)*/;
+
+const apache_basic = /apache?(\/([0-9]+\.)*[0-9]+)?/;
+const apache_platforms =
+	/(\(?(red hat( linux)?|cobalt|suse\/linux|linux\/suse|darwin|gentoo\/linux|debian gnu\/linux|win32|fedora|freebsd|red-hat\/linux|unix)\)? *)*/;
+
+# ibm_http_server/1.3.26.2, apache/1.3.26 (unix).
+const IBM_server =
+	/ibm_http_server(\/[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)?( *apache\/[0-9]+\.[0-9]+\.[0-9]+ \(unix\))?/;
+
+
+# ---------------------------------------------------------------------
+#  Servers values for which we don't retain all values.
+# ---------------------------------------------------------------------
+
+const zope_server =
+	/zope\/\(zope ([0-9]+\.)*[0-9]+-[a-z0-9]{1,2}\, python ([0-9]+\.)*[0-9]+\, linux[0-9]\)/;
+
+const thttp_server = /thttpd\/[0-9]+\.[0-9]+(beta[0-9]+)?/;
+const weblogic_server = /weblogic server [0-9]+\.[0-9]+/;
+const zedo_server = /zedo 3g(\/([0-9]+\.)*[0-9]+)?/;
+const jetty_server = /jetty\/[0-9]+\.[0-9]+/;
+
+# ---------------------------------------------------------------------
+#                      Misc         Servers
+# ---------------------------------------------------------------------
+
+const misc_server =
+	  /dclk creative/
+	| /gws\/[0-9]+\.[0-9]+/
+	| /nfe\/[0-9]+\.[0-9]+/
+	| /gfe\/[0-9]+\.[0-9]+/
+	| /dclk-adsvr/
+	| /rsi/
+	| /swcd\/([0-9]+\.)*[0-9]+/
+	| /microsoft-iis\/[0-9]{1,2}\.[0-9]{1,2}/
+	| /cafe\/[0-9]+\.[0-9]+/
+	| /artblast\/([0-9]+\.)*[0-9]+/
+	| /aolserver\/([0-9]+\.)*[0-9]+/
+	| /resin\/([0-9]+\.)*s?[0-9]+/
+	| /netscape-enterprise\/([0-9]+\.)*[0-9a-z]{1,2}+ *(aol)?/
+	| /mapquest listener/
+	| /miixpc\/[0-9]+\.[0-9]+/
+	| /sun-one-web-server\/[0-9]+\.[0-9]+/
+	| /appledotmacserver/
+	| /cj\/[0-9]+\.[0-9]+/
+	| /jigsaw\/([0-9]+\.)*[0-9]+/
+	| /boa\/[0-9]+\.[0-9]+(\.[0-9]+(rc[0-9]+)?)?/
+	| /tux\/[0-9]+\.[0-9]+ *\(linux\)/
+	| /igfe/
+	| /trafficmarketplace-jforce\/([0-9]+\.)*[0-9]+/
+	| /lighttpd/
+	| /hitbox gateway ([0-9]+\.)*[0-9]+ [a-z][0-9]/
+	| /jbird\/[0-9]+\.[0-9a-z]{1,2}/
+	| /perlbal/
+	| /big-ip/
+	| /konichiwa\/[0-9]+\.[0-9]+/
+	| /footprint [0-9]+\.[0-9]+\/fpmc/
+	| /iii [0-9]+/
+	| /clickability web server\/([0-9]+\.)*[0-9]+ *\(unix\)/
+	| /accipiter-directserver\/([0-9]+\.)*[0-9]+ \(nt; pentium\)/
+	| /ibm-proxy-wte\/([0-9]+\.)*[0-9]+/
+	| /netscape-commerce\/[0-9]+\.[0-9]+/
+	| /nde/
+	;
+
+function do_apache_server(server: string): string
+	{
+	local apache_parts = split_all(server, apache_server);
+	if ( apache_parts[3] == "" )
+		return apache_parts[2];
+
+	local apache_return_string = apache_parts[2];
+	local mod_parts = split(apache_parts[3], / /);
+
+	for ( part in mod_parts )
+		{
+		if ( mod_parts[part] == apache_mod_pat )
+			{
+			apache_return_string =
+				string_cat(apache_return_string,
+					" ");
+			apache_return_string =
+				string_cat(apache_return_string,
+					mod_parts[part]);
+			}
+		else
+			print http_anon_log, fmt("** unknown Apache mod: %s:%s", mod_parts[part], server);
+		}
+
+	return apache_return_string;
+	}
+
+function check_server(server: string, server_pat: pattern): bool
+	{
+	return server_pat in server;
+	}
+
+function do_server(server: string, server_pat: pattern): string
+	{
+	return split_all(server, server_pat)[2];
+	}
+
+function filter_in_http_server(server: string): string
+	{
+	# Vanilla Apache is a hard one and a special case.  Let's get the
+	# nastiness over first.
+
+	if ( apache_server in server )
+		return do_apache_server(server);
+
+	if ( check_server(server, apache_misc) )
+		return do_server(server, apache_misc);
+	if ( check_server(server, IBM_server) )
+		return do_server(server, IBM_server);
+	if ( check_server(server, zedo_server) )
+		return do_server(server, zedo_server);
+	if ( check_server(server, zope_server) )
+		return do_server(server, zope_server);
+	if ( check_server(server, jetty_server) )
+		return do_server(server, jetty_server);
+	if ( check_server(server, thttp_server) )
+		return do_server(server, thttp_server);
+	if ( check_server(server, weblogic_server) )
+		return do_server(server, weblogic_server);
+
+	# Grab bag.
+	if ( misc_server in server )
+		return server;
+
+	# Best guess - unknown Apache variant of some sort.
+	if ( apache_basic in server )
+		{
+		print http_anon_log,
+			fmt("** unknown Apache variant: %s", server);
+
+		return fmt("(bro: unknown) %s %s",
+				split_all(server, apache_basic)[2],
+				split_all(server, apache_platforms)[2]);
+		}
+
+	print http_anon_log, fmt("** unknown server: %s", server);
+
+	return fmt("(bro: unknown) %s", anonymize_arg("server", server));
+	}
diff --git a/policy/http-anon-useragent.bro b/policy/http-anon-useragent.bro
new file mode 100644
index 0000000000..b8edd4a637
--- /dev/null
+++ b/policy/http-anon-useragent.bro
@@ -0,0 +1,111 @@
+# $Id:$
+
+# Filter-in known "USER-AGENT:" values.
+
+@load anon
+@load http-anon-utils
+
+# ---------------------------------------------------------------------
+#                      Mozilla (and friends)
+# ---------------------------------------------------------------------
+
+const mozilla_full_pat =
+	/mozilla\/[0-9]\.[0-9] \(( *|;|iebar| freebsd i[0-9]{1,4}|fr|-|windows|windows 98|sunos sun4u|compatible|msie [0-9]\.[0-9]|windows nt [0-9]\.[0-9]|google-tr-1|sv1|\.net clr ([0-9]\.)*[0-9]+|x11|en|ppc mac os x|macintosh|u|linux i[0-9]{1,4}|en-us|rv\:([0-9]+\.)*[0-9]+|aol [0-9]\.[0-9]|gnotify ([0-9]+\.)*[0-9]+)*\) *(gecko\/[0-9]+)? *(firefox\/([0-9]+.)*[0-9]+)?/;
+
+const mozilla_head_pat = /mozilla\/[0-9]\.[0-9]/;
+
+const misc_user_pat =
+	  /spiderman/
+	| /w3m\/([0-9]+\.)*[0-9]+/
+	| /java([0-9]+\.)*[0-9]+(_[0-9]+)?/
+	| /java\/([0-9]+\.)*[0-9]+(_[0-9]+)?/
+	| /freecorder/
+	| /industry update control/
+	| /microsoft-cryptoapi\/([0-9]+\.)*[0-9]+/
+	| /ruriko\/([0-9]+\.)*[0-9]+/
+	| /crawler[0-9]\.[0-9]/
+	| /w3search/
+	| /symantec liveupdate/
+	| /davkit\/[0-9]\.[0-9]/
+	| /windows-media-player\/([0-9]+\.)*[0-9]+/
+	| /winamp\/([0-9]+\.)*[0-9]+/
+	| /headdump/
+	;
+
+const misc_cmplx_user_pat =
+	  /lynx\/([0-9]+\.)*[0-9]+.*/
+	| /wget\/([0-9]+\.)*[0-9]+.*/
+	| /yahooseeker\/([0-9]+\.)*[0-9]+.*/
+	| /rma\/([0-9]+\.)*[0-9]+.*/
+	| /aim\/[0-9]+.*/
+	| /ichiro\/([0-9]+\.)*[0-9]+.*/
+	| /unchaos.*/
+	| /irlbot\/[0-9]\.[0-9]+.*/
+	| /msnbot\/([0-9]+\.)*[0-9]+.*/
+	| /opera\/([0-9]+\.)*[0-9]+.*/
+	| /netnewswire\/([0-9]+\.)*[0-9]+.*/
+	| /nsplayer\/([0-9]+\.)*[0-9]+.*/
+	| /aipbot\/([0-9]+\.)*[0-9]+.*/
+	| /mac os x; webservicescore\.framework.*/
+	| /fast-webcrawler\/([0-9]+\.)*[0-9]+.*/
+	| /skype.*/
+	| /googlebot\/([0-9]+\.)*[0-9]+.*/
+	;
+
+const misc_cmplx_user_start =
+	  /lynx\/([0-9]+\.)*[0-9]+/
+	| /wget\/([0-9]+\.)*[0-9]+/
+	| /yahooseeker\/([0-9]+\.)*[0-9]+/
+	| /rma\/([0-9]+\.)*[0-9]+/
+	| /aim\/[0-9]+/
+	| /ichiro\/([0-9]+\.)*[0-9]+/
+	| /unchaos/
+	| /irlbot\/[0-9]\.[0-9]+/
+	| /opera\/([0-9]+\.)*[0-9]+/
+	| /msnbot\/([0-9]+\.)*[0-9]+/
+	| /netnewswire\/([0-9]+\.)*[0-9]+/
+	| /nsplayer\/([0-9]+\.)*[0-9]+/
+	| /aipbot\/([0-9]+\.)*[0-9]+/
+	| /mac os x; webservicescore\.framework/
+	| /fast-webcrawler\/([0-9]+\.)*[0-9]+/
+	| /skype/
+	| /googlebot\/([0-9]+\.)*[0-9]+/
+	;
+
+function filter_in_http_useragent(user: string): string
+	{
+	# Check for an exact match for Mozilla.
+	if ( mozilla_full_pat in user )
+		return split_all(user, mozilla_full_pat)[2];
+
+	# Look for popular Mozilla-compatible crawlers.
+	if ( mozilla_head_pat in user )
+		{
+		local crawler = "(bro: unknown)";
+
+		if ( /.*yahoo\! slurp/ in user )
+			crawler = "(yahoo! slurp)";
+
+		else if ( /.*ask jeeves/ in user )
+			crawler = "(ask jeeves)";
+
+		else
+			print http_anon_log,
+				fmt("*** unknown Mozilla user-agent %s\n", user);
+
+		return fmt("%s %s", split_all(user, mozilla_head_pat)[2],
+				crawler);
+		}
+
+	# Some simple, common user names.
+	if ( misc_user_pat in user )
+		return user;
+
+	# Require some info removal.
+	if ( misc_cmplx_user_pat in user )
+		return split_all(user, misc_cmplx_user_pat)[2];
+
+	print http_anon_log,fmt("*** unknown user agent %s\n", user);
+
+	return fmt("(bro: unknown) %s", anonymize_arg("user-agent", user));
+	}
diff --git a/policy/http-anon-utils.bro b/policy/http-anon-utils.bro
new file mode 100644
index 0000000000..660452cc2f
--- /dev/null
+++ b/policy/http-anon-utils.bro
@@ -0,0 +1,164 @@
+# $Id:$
+
+@load anon
+
+global http_anon_log = open_log_file("http-anon") &redef;
+
+const URI_proto_pat = /^ *([a-zA-Z]+)\:\/\// ;
+const known_URI_proto_pat = /^ *(http|https|ftp|ssh)\:\/\// ;
+
+const host_pat = / *^([\-0-9a-zA-Z]+\.)+([\_\-0-9a-zA-Z])*/ ;
+const port_pat = /^ *(\:[0-9]+\.)/ ;
+
+const query_pat = /\?/ ;
+
+function anonymize_http_URI(URI: string): string
+	{
+	URI = to_lower(URI);
+
+	# Strip off protocol.
+	local proto = "";
+	if ( URI_proto_pat in URI )
+		{
+		local proto_part = split(URI, /\:\/\//);
+
+		# Check if we know the protocol.  If not, flag it so we
+		# can update our protocol database.
+
+		if ( known_URI_proto_pat !in URI )
+			{
+			print http_anon_log,
+				fmt("*** protocol %s unknown ", proto_part[1]);
+
+			proto_part[1] =
+				string_cat(" (bro: unknown) ",
+					anonymize_arg("proto", proto_part[1]));
+			}
+
+		proto = string_cat(proto_part[1],"://");
+		URI = proto_part[2];
+		}
+
+	# Strip off domain.
+	local host = "";
+	if ( host_pat in URI )
+		{
+		local base_parts =
+			split_all(URI, / *^([\-\_0-9a-z]+\.)+[\-\_0-9a-z]*/);
+
+		if ( |base_parts| < 2 )
+			{
+			print http_anon_log,
+				fmt (" XXXXXXXXXXXXXXXXXXXXXX BASE %s", URI);
+			return " XXXX processing error XXXX";
+			}
+
+		if ( |base_parts| == 2 )
+			URI =  "";
+
+		else if ( |base_parts| == 3)
+			URI = base_parts[3];
+
+		else if ( |base_parts| > 3)
+			{
+			local patch_me = "";
+			local hack = base_parts[2];
+
+			local i = 1;
+			for ( part in base_parts )
+				{
+				if ( i != 2 )
+					patch_me = string_cat(patch_me,
+								base_parts[i]);
+				i += 1;
+				}
+
+			URI  = patch_me;
+			}
+
+		if ( host == simple_filename )
+			host = anonymize_path(host);
+		else
+			host = anonymize_host(base_parts[2]);
+		}
+
+	# Strip off port (if it exists).
+	local pport = "";
+	if ( port_pat in URI )
+		{
+		print "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX ";
+		print "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX ";
+		print "XXXXX anon.bro doing nothing with port XXXXXXXXXXX ";
+		print "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX ";
+		print "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX ";
+		}
+
+	# Handle query (if exists).
+	local tail = "";
+	if ( URI == "/" )
+		{
+		# -- pass
+		}
+
+	else if ( query_pat in URI )
+		{
+		local query_part = split(URI, /\?/);
+
+		tail = fmt("%s?%s",
+				anonymize_path(query_part[1]),
+				anonymize_path(query_part[2]));
+		}
+
+	else
+		tail = anonymize_path(URI);
+
+	tail = string_cat("/", tail);
+
+	return fmt("%s%s%s%s", proto, host, pport, tail);
+	}
+
+
+const a_href_pat = /.*\< *a *href.*\>.*/ ;
+	#/.*\< *a *href *= *\"[[:print:]]+\" *\>.*/;
+
+# Doesn't get everything ... but works for most.
+const a_href_split =
+	/\< *a *href *= *(\\)?(\"|\')?([0-9a-z\/._!\[\]():*;~&|$\\=+\-?%@])+(\\)?(\"|\')?/ ;
+
+# Elegant ... yeah ... really .. :-/
+const file_split =
+	/(\"|\')([0-9a-z\/._!\[\]():*;~&|$\\=+\-?%@])+(\"|\')/ ;
+const file_strip_split = /([0-9a-z\/._!\[\]():*;~&|$\\=+\-?%@])+/ ;
+
+function http_doc_link_list(abstract: string): string
+	{
+	abstract = to_lower(abstract);
+
+	if ( abstract == "" )
+		return abstract;
+
+	local concat_key = "";
+	local href_parts = split_all(abstract, a_href_split);
+
+	for ( part in href_parts )
+		{
+		if ( href_parts[part] == a_href_split )
+			{
+			local file_parts =
+				split_all(href_parts[part], file_split);
+			for ( a_part in file_parts )
+				{
+				if ( file_parts[a_part] == file_split )
+					{
+					local file_strip_parts =
+						split_all(file_parts[a_part],
+							file_strip_split);
+					concat_key = fmt("%s %s", concat_key,
+							anonymize_http_URI(file_strip_parts[2]));
+					}
+				}
+			}
+		}
+
+	return concat_key;
+	}
diff --git a/policy/http-anonymizer.bro b/policy/http-anonymizer.bro
new file mode 100644
index 0000000000..21cf8a37a5
--- /dev/null
+++ b/policy/http-anonymizer.bro
@@ -0,0 +1,433 @@
+# $Id:$
+
+# We can't do HTTP rewriting unless we process everything in the connection.
+@load http-reply
+@load http-entity
+@load http-anon-server
+@load http-anon-useragent
+@load http-anon-utils
+@load http-abstract
+
+@load anon
+
+module HTTP;
+
+redef rewriting_http_trace = T;
+redef http_entity_data_delivery_size = 18874368;
+redef abstract_max_length = 18874368;
+
+const rewrite_header_in_position = F;
+
+const http_response_reasons = {
+	"no content", "ok", "moved permanently", "not modified",
+	"use local copy", "object not found", "forbidden", "okay",
+	"object moved", "found", "http", "redirecting to main server",
+	"internal server error", "not found", "unauthorized", "moved",
+	"redirected", "continue", "access forbidden", "partial content",
+	"redirect", "<empty>", "authorization required",
+	"request time-out", "moved temporarily", "",
+};
+
+const keep_alive_pat = /(([0-9]+|timeout=[0-9]+|max=[0-9]+),?)*/ ;
+
+const content_type =
+	  /video\/(x-flv)(;)?/ 	# video
+	| /audio\/(x-scpls)/
+	| /image\/(gif|bmp|jpeg|pjpeg|tiff|png|x-icon)(;)?(qs\=[0-9](\.[0-9])?)?,?/
+	| /application\/(octet-stream|x-www-form-urlencoded|x-javascript|rss\+xml|x-gzip|x-ns-proxy-autoconfig|pdf|pkix-crl|x-shockwave-flash|postscript|xml|rdf\+xml|excel|msword|x-wais-source)(;)?(charset=(iso-8859-1|iso8859-1|gb2312|windows-1251|windows-1252|utf-8))?/
+	| /text\/(plain|js|html|\*|css|xml|javascript);?(charset=(iso-8859-1|iso8859-1|gb2312|windows-1251|windows-1252|utf-8))?/
+	| /^unknown$/
+	;
+
+const accept_enc_pat =
+	/(((x-)?deflate|(x-)?compress|\*|identity|(x-)?gzip|bzip|bzip2)(\; *q\=[0-9](\.[0-9])?)?,?)*/ ;
+const accept_charset_pat =
+	/((windows-(1252|1251)|big5|iso-8859-(1|15)|\*|utf-(8|16))(\; *q\=[0-9](\.[0-9])?)?,?)*/ ;
+const connection_pat = /((close|keep\-alive|transfer\-encoding|te),?)*/ ;
+
+const http_methods =
+	/get|put|post|head|propfind|connect|options|proppatch|lock|unlock|move|delete|mkcol/ ;
+
+const http_version = /(1\.0|1\.1)/ ;
+
+const last_modified_pat =
+	  /(Sun|Mon|Tue|Wed|Thu|Fri|Sat), [0-9]+ (Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) [0-9][0-9][0-9][0-9] .*/
+	| /(-)?[0-9]+/
+	;
+
+const vary_pat =
+	/((\*| *|accept|accept\-charset|negotiate|host|user\-agent|accept\-language|accept\-encoding|cookie),?)*/ ;
+
+const accept_lang_pat =
+	/(( *|tw|cs|mx|tr|ru|sk|au|hn|sv|no|bg|en|ko|kr|ca|pl|nz|fr|ch|jo|gb|zh|hk|cn|lv|de|nl|dk|fi|nl|es|pe|it|pt|br|ve|cl|ja|jp|he|ha|ar|us|en-us|da)(\; *q\=[0-9](\.[0-9]+)?)?(,|-|\_)?)*/ ;
+
+const accept_pat =
+	/(( *|audio|application|\*|gif|xml|xhtml\+xml|x-rgb|x-xbm|video|x-gsarcade-launch|mpeg|sgml|tiff|x-rgb|x-xbm|postscript|text|html|x-xbitmap|pjpeg|vnd.ms-powerpoint|vnd.ms-excel|msword|salt\+html|xhtml|plain|jpeg|jpg|x-shockwave-flash|x-|css|image|png|\*)(\; *q\=[0-9]*(\.[0-9]+)?)?(,|\/|\+)?)*/ ;
+
+const tcn_pat = /list|choice|adhoc|re-choose|keep/;
+
+const date_pat =
+	  /(sun|mon|tue|wed|thu|fri|sat)\,*[0-9]+ *(jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec) *[0-9]+ ([0-9]+:)*[0-9]+ gmt/
+	| /(sun|mon|tue|wed|thu|fri|sat)*(jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec) *[0-9]+ *([0-9]+:)*[0-9]+(am|pm)?( *[0-9]+)?( *gmt)?/ ;
+
+const content_encoding_pat = /gzip|deflate|x-compress|x-gzip/;
+
+const hashed_headers =
+	  /COOKIE/
+	| /AUTHOR/
+	| /CACHE-CONTROL/
+	| /ETAG/
+	| /VIA/
+	| /X-VIA/
+	| /IISEXPORT/
+	| /SET-COOKIE/
+	| /X-JUNK/
+	| /PRAGMA/
+	| /AUTHORIZATION/
+	| /X-POWERED-BY/
+	| /X-CACHE/
+	| /X-FORWARDED-FOR/
+	| /X-PAD/
+	| /X-C/
+	| /XSERVER/
+	| /FROM/
+	| /CONTENT-DISPOSITION/
+	| /X-ASPNET-VERSION/
+	| /GUID/
+	| /REGIONDATA/
+	| /CLIENTID/
+	| /X-CACHE-HEADERS-SET-BY/
+	| /X-CACHE-LOOKUP/
+	| /WARNING/
+	| /MICROSOFTOFFICEWEBSERVER/
+	| /IF-NONE-MATCH/
+	| /X-AMZ-ID-[0-9]/
+	| /X-N/
+	| /X-TR/
+	| /X-RSN/
+	#| /X-POOKIE/	# these are weird ... next two are from slashdot
+	#| /X-FRY/
+	#| /X-BENDER/
+	| /RANGE/
+	| /IF-RANGE/
+	| /CONTENT-RANGE/
+	| /AD-REACH/
+	| /HMSERVER/
+	| /STATUS/
+	| /X-SERVED/
+	| /WWW-AUTHENTICATE/
+	| /X-RESPONDING-SERVER/
+	| /MAX-AGE/
+	| /POST-CHECK/
+	| /PRE-CHECK/
+	| /X-CONTENT-ENCODED-BY/
+	| /X-USER-IP/
+	| /X-ICAP-VERSION/
+	| /X-DELPHI/
+	| /AUTHENTICATION-INFO/
+	| /PPSERVER/
+	| /EDGE-CONTROL/
+	| /COMPRESSION-CONTROL/
+	| /CONTENT-MD5/
+	| /X-HOST/
+	| /P3P/
+	;
+
+event http_request(c: connection, method: string,
+		   original_URI: string, unescaped_URI: string, version: string)
+	{
+	if (! rewriting_trace() )
+		return;
+
+	print http_anon_log,
+		fmt(" > %s %s %s ", method, original_URI, version);
+
+	if ( to_lower(method) != http_methods )
+		{
+		print http_anon_log, fmt("*** Unknown method %s", method);
+		method = string_cat(" (anon-unknown) ", anonymize_string(method));
+		}
+
+	original_URI = anonymize_http_URI(original_URI);
+
+	if ( version != http_version )
+		{
+		print http_anon_log, fmt("*** Unknown version %s ", version);
+		version = string_cat(" (anon-unknown) ", anonymize_string(version));
+		}
+
+	print http_anon_log, fmt(" < %s %s %s ", method, original_URI, version);
+
+	rewrite_http_request(c, method, original_URI, version);
+	}
+
+event http_reply(c: connection, version: string, code: count, reason: string)
+	{
+	if ( rewriting_trace() )
+		{
+		reason = to_lower(strip(reason));
+		if ( reason !in http_response_reasons )
+			{
+			print http_anon_log,
+				fmt("*** Unknown reply reason %s ", reason);
+			rewrite_http_reply(c, version, code,
+				anonymize_string(reason));
+			}
+		else
+			rewrite_http_reply(c, version, code, reason);
+		}
+	}
+
+function check_pat(value: string, pat: pattern, name: string): string
+	{
+	if ( value == pat )
+		return value;
+
+	print http_anon_log, fmt("*** invalid %s: %s", name, value);
+	return "(anon-unknown): ";
+	}
+
+function check_pat2(value: string, pat: pattern, name: string): string
+	{
+	if ( value == pat )
+		return value;
+
+	print http_anon_log, fmt("*** invalid %s: %s", name, value);
+	return fmt("(anon-unknown): %s", anonymize_string(value));
+	}
+
+function check_pat3(value: string, pat: pattern): string
+	{
+	if ( value == pat )
+		return value;
+
+	return fmt("(anon-unknown): %s", anonymize_string(value));
+	}
+
+event http_header(c: connection, is_orig: bool, name: string, value: string)
+	{
+	if ( ! rewriting_trace() )
+		return;
+
+	# Only rewrite top-level headers.
+	local s = lookup_http_request_stream(c);
+	local msg = get_http_message(s, is_orig);
+
+	if ( msg$entity_level != 1 )
+		return;
+
+	value = strip(value);
+
+	if ( name == "CONTENT-LENGTH" )
+		{
+		# if ( rewrite_header_in_position )
+		# {
+		#     local p = current_packet(c);
+		#     if ( p$is_orig == is_orig )
+		#     {
+		#         # local s = lookup_http_request_stream(c);
+		#         # local msg = get_http_message(s, is_orig);
+		#         if ( msg$header_slot == 0 )
+		#             msg$header_slot = reserve_rewrite_slot(c);
+		#     }
+		#     else
+		#         print fmt("cannot reserve a slot at %.6f", network_time());
+		# }
+		print http_anon_log,
+			fmt("X-Original-Content-Length: %s --", value);
+		name = "X-Original-Content-Length";
+		}
+
+	else if ( name == "TRANSFER-ENCODING" || name == "TE" )
+		{
+		print http_anon_log, fmt("TRANSFER-ENCOODING: %s --", value);
+		name = "X-Original-Transfer-Encoding";
+		}
+
+	else if ( name == "HOST" )
+		{
+		local anon_host = "";
+
+		if ( value == simple_filename )
+			anon_host = anonymize_path(value);
+		else
+			anon_host = anonymize_host(value);
+
+		print http_anon_log, fmt("HOST: %s > %s", value, anon_host);
+		value = anon_host;
+		}
+
+	else if ( name == "REFERER" )
+		{
+		local anon_ref = anonymize_http_URI(value);
+		print http_anon_log, fmt("REFERER: %s > %s", value, anon_ref);
+		value = anon_ref;
+		}
+
+	else if ( name == "LOCATION" || name == "CONTENT-LOCATION" )
+		value = anonymize_http_URI(value);
+
+	else if ( name == "SERVER" )
+		value = filter_in_http_server(to_lower(value));
+
+	else if ( name == "USER-AGENT" )
+		value = filter_in_http_useragent(to_lower(value));
+
+	else if ( name == "KEEP-ALIVE" )
+		value = check_pat(value, keep_alive_pat, "keep-alive");
+
+	else if ( name == "DATE" || name == "IF-MODIFIED-SINCE" ||
+		  name == "UNLESS-MODIFIED-SINCE" )
+		value = check_pat2(to_lower(value), date_pat, "date");
+
+	else if ( name == "ACCEPT-CHARSET" )
+		value = check_pat(to_lower(value), accept_charset_pat,
+					"accept-charset");
+
+	else if ( name == "CONTENT-TYPE" )
+		{
+		value = check_pat2(to_lower(value), content_type, "content-type");
+		# local stream = lookup_http_request_stream(c);
+		# local the_http_msg = get_http_message(stream, is_orig);
+		# the_http_msg$content_type = value;
+		}
+
+	else if ( name == "ACCEPT-ENCODING" )
+		value = check_pat2(to_lower(value), accept_enc_pat,
+					"accept-encoding");
+
+	else if ( name == "PAGE-COMPLETION-STATUS" )
+		value = check_pat2(to_lower(value), /(ab)?normal/,
+					"page-completion-status");
+
+	else if ( name == "CONNECTION" || name == "PROXY-CONNECTION" )
+		value = check_pat2(to_lower(value), connection_pat,
+					"connection type");
+
+	else if ( name == "LAST-MODIFIED" || name == "EXPIRES" )
+		value = check_pat(value, last_modified_pat, name);
+
+	else if (name == "ACCEPT-LANGUAGE" || name == "LANGUAGE")
+		value = check_pat2(to_lower(value), accept_lang_pat,
+					"accept-language");
+
+	else if ( name == "ACCEPT" )
+		value = check_pat(to_lower(value), accept_pat, "accept");
+
+	else if ( name == "ACCEPT-RANGES" )
+		value = check_pat2(to_lower(value), /(bytes|none) */,
+					"accept-ranges");
+
+	else if ( name == "MIME-VERSION" )
+		value = check_pat3(value, /[0-9]\.[0-9]/);
+
+	else if ( name == "TCN" )
+		value = check_pat3(value, tcn_pat);
+
+	else if ( name == "CONTENT-ENCODING" )
+		value = check_pat2(value, content_encoding_pat,
+					"content-encoding");
+
+	else if ( name == "CONTENT-LANGUAGE" )
+		value = check_pat2(value, accept_lang_pat, "content-language");
+
+	else if ( name == "ALLOW" )
+		value = check_pat3(value, http_methods);
+
+	else if ( name == "AGE" || name == "BANDWIDTH" )
+		value = check_pat3(value, /[0-9]+/);
+
+	else if ( name == "VARY" )
+		value = check_pat2(value, vary_pat, "vary");
+
+	else if ( name == hashed_headers )
+		value = anonymize_string(value);
+
+	else
+		{
+		print http_anon_log, fmt("unknown header: %s : %s", name, value);
+		value = string_cat("(anon-unknown): ", anonymize_string(value));
+		}
+
+	rewrite_http_header(c, is_orig, name, value);
+	}
+
+event http_all_headers(c: connection, is_orig: bool, hlist: mime_header_list)
+	{
+	if ( ! rewriting_trace() )
+		return;
+
+	if ( rewrite_header_in_position )
+		{
+		local p = current_packet(c);
+		if ( p$is_orig == is_orig )
+			{
+			local s = lookup_http_request_stream(c);
+			local msg = get_http_message(s, is_orig);
+			if ( msg$header_slot == 0 )
+				msg$header_slot = reserve_rewrite_slot(c);
+			}
+		else
+			print fmt("cannot reserve a slot at %.6f", network_time());
+
+		# An empty line to mark the end of headers.
+		rewrite_http_data(c, is_orig, "\r\n");
+		}
+	}
+
+event http_message_done(c: connection, is_orig: bool, stat: http_message_stat)
+	{
+	if ( ! rewriting_trace() )
+		return;
+
+	if ( stat$interrupted )
+		{
+		print http_log,
+			fmt("%.6f %s message interrupted at length=%d \"%s\"",
+				network_time(), id_string(c$id),
+				stat$body_length, stat$finish_msg);
+		}
+
+	local s = lookup_http_request_stream(c);
+	local msg = get_http_message(s, is_orig);
+	if ( msg$header_slot > 0 )
+		seek_rewrite_slot(c, msg$header_slot);
+
+	local data_length = 0;
+	local data_hash = "";
+	local sanitized_abstract = "";
+
+	if ( ! is_orig || stat$body_length > 0 )
+		{
+		data_length = byte_len(msg$abstract);
+		data_hash = anonymize_string(msg$abstract);
+		sanitized_abstract = string_fill(data_length, data_hash);
+
+		data_length += stat$content_gap_length;
+
+		rewrite_http_header(c, is_orig, "Content-Length",
+					fmt(" %d", data_length));
+
+		rewrite_http_header(c, is_orig, "X-anon-content-hash",
+					fmt(" %s", data_hash));
+
+		rewrite_http_header(c, is_orig, "X-Actual-Data-Length",
+					fmt(" %d; gap=%d, content-length=%s",
+						stat$body_length,
+						stat$content_gap_length,
+						msg$content_length));
+		}
+
+	if ( msg$header_slot > 0 )
+		{
+		release_rewrite_slot(c, msg$header_slot);
+		msg$header_slot = 0;
+		}
+
+	if ( ! rewrite_header_in_position )
+		# An empty line to mark the end of headers.
+		rewrite_http_data(c, is_orig, "\r\n");
+
+	if ( data_length > 0 )
+		rewrite_http_data(c, is_orig, sanitized_abstract);
+	}
diff --git a/policy/http-body.bro b/policy/http-body.bro
new file mode 100644
index 0000000000..77c1c30680
--- /dev/null
+++ b/policy/http-body.bro
@@ -0,0 +1,60 @@
+# $Id: http-body.bro 5230 2008-01-14 01:38:18Z vern $
+
+# Counts length of data.
+#
+# If log_HTTP_data = T, it also outputs an abstract of data.
+
+@load http
+
+module HTTP;
+
+redef process_HTTP_data = T;
+redef log_HTTP_data = T;
+
+export {
+	# If the following is > 0, then when logging contents, they will be
+	# truncated beyond this many bytes.
+	global content_truncation_limit = 40 &redef;
+}
+
+event http_entity_data(c: connection, is_orig: bool, length: count, data: string)
+	{
+	local s = lookup_http_request_stream(c);
+	local msg = get_http_message(s, is_orig);
+	local len = byte_len(data);
+
+	msg$data_length = msg$data_length + length;
+
+	if ( log_HTTP_data )
+		{
+		local abstract: string;
+		if ( content_truncation_limit > 0 &&
+		     len > content_truncation_limit )
+			abstract = cat(sub_bytes(data, 1, content_truncation_limit), "...");
+		else
+			abstract = data;
+
+		print http_log, fmt("%.6f %s %s %d bytes: \"%s\"",
+					network_time(), s$id,
+					is_orig ? "=>" : "<=", length,
+					abstract);
+		}
+	}
+
+event http_message_done(c: connection, is_orig: bool, stat: http_message_stat)
+	{
+	local s = lookup_http_request_stream(c);
+	local msg = get_http_message(s, is_orig);
+
+	# This is for debugging purpose only
+	if ( msg$data_length > 0 &&
+	     stat$body_length != msg$data_length + stat$content_gap_length)
+		{
+		# This can happen for multipart messages with a
+		# 'content-length' header, which is not required for multipart
+		# messages.
+		alarm fmt("length mismatch: %s %d %d %d",
+			id_string(c$id), stat$body_length, msg$data_length,
+			stat$content_gap_length);
+		}
+	}
diff --git a/policy/http-detect-passwd.bro b/policy/http-detect-passwd.bro
new file mode 100644
index 0000000000..8ad71168c2
--- /dev/null
+++ b/policy/http-detect-passwd.bro
@@ -0,0 +1,45 @@
+@load http
+
+module HTTP;
+
+export {
+	redef enum Notice += {
+		PasswordFullFetch,	# they got back the whole thing
+		PasswordShadowFetch,	# they got back a shadowed version
+	};
+
+	# Pattern to search for in replies indicating that a full password
+	# file was returned.
+	const full_fetch =
+		/[[:alnum:]]+\:[[:alnum:]]+\:[[:digit:]]+\:[[:digit:]]+\:/
+	&redef;
+
+	# Same, but indicating a shadow password file was returned.
+	const shadow_fetch =
+		/[[:alnum:]]+\:\*\:[[:digit:]]+\:[[:digit:]]+\:/
+	&redef;
+}
+
+event http_entity_data(c: connection, is_orig: bool, length: count, data: string)
+	{
+	local s = lookup_http_request_stream(c);
+	local n = s$first_pending_request;
+	if ( n !in s$requests )
+		return;
+
+	local req = s$requests[n];
+	local passwd_request = req$passwd_req;
+	if ( ! passwd_request )
+		return;
+
+	if ( full_fetch in data )
+		NOTICE([$note=PasswordFullFetch,
+			$conn=c, $method=req$method, $URL=req$URI,
+			$msg=fmt("%s %s: %s %s", id_string(c$id), c$addl,
+					req$method, req$URI)]);
+	else if ( shadow_fetch in data )
+		NOTICE([$note=PasswordShadowFetch,
+			$conn=c, $method=req$method, $URL=req$URI,
+			$msg=fmt("%s %s: %s %s", id_string(c$id), c$addl,
+					req$method, req$URI)]);
+	}
diff --git a/policy/http-entity.bro b/policy/http-entity.bro
new file mode 100644
index 0000000000..9084b65661
--- /dev/null
+++ b/policy/http-entity.bro
@@ -0,0 +1,20 @@
+# $Id: http-entity.bro 6 2004-04-30 00:31:26Z jason $
+
+# Counts entity_level.
+
+module HTTP;
+
+event http_begin_entity(c: connection, is_orig: bool)
+	{
+	local s = lookup_http_request_stream(c);
+	local msg = get_http_message(s, is_orig);
+	++msg$entity_level;
+	}
+
+event http_end_entity(c: connection, is_orig: bool)
+	{
+	local s = lookup_http_request_stream(c);
+	local msg = get_http_message(s, is_orig);
+	if ( msg$entity_level > 0 )
+		--msg$entity_level;
+	}
diff --git a/policy/http-event.bro b/policy/http-event.bro
new file mode 100644
index 0000000000..450be5cf1d
--- /dev/null
+++ b/policy/http-event.bro
@@ -0,0 +1,12 @@
+# $Id: http-event.bro 6 2004-04-30 00:31:26Z jason $
+
+@load http
+
+module HTTP;
+
+event http_event(c: connection, event_type: string, detail: string)
+	{
+	print http_log, fmt("%.6f %s HTTP event: [%s] \"%s\"",
+				network_time(), id_string(c$id),
+				event_type, detail);
+	}
diff --git a/policy/http-extract-items.bro b/policy/http-extract-items.bro
new file mode 100644
index 0000000000..4c7b1a1c0d
--- /dev/null
+++ b/policy/http-extract-items.bro
@@ -0,0 +1,41 @@
+# $Id:$
+
+# Extracts the items from HTTP traffic, one per file.
+# Files are named:
+#
+#    <prefix>.<n>.<orig-addr>_<orig-port>.<resp-addr>_<resp-port>.<is-orig>
+#
+# where <prefix> is a redef'able prefix (default: "http-item"), <n> is
+# a number uniquely identifying the item, the next four are describe
+# the connection tuple, and <is-orig> is "orig" if the item was transferred
+# from the originator to the responder, "resp" otherwise.
+
+@load http-reply
+
+module HTTP_extract_items;
+
+global prefix = "http-item" &redef;
+global item_file: table[conn_id] of file;
+global nitems = 0;
+
+event http_entity_data(c: connection, is_orig: bool, length: count, data: string)
+	{
+	local id = c$id;
+	if ( id !in item_file )
+		{
+		# Create a new file for this one.
+		local fname = fmt("%s.%d.%s_%d.%s_%d.%s",
+					prefix, ++nitems,
+					id$orig_h, id$orig_p,
+					id$resp_h, id$resp_p,
+					is_orig ? "orig" : "resp");
+		item_file[id] = open(fname);
+		}
+
+	write_file(item_file[id], data);
+	}
+
+event http_message_done(c: connection, is_orig: bool, stat: http_message_stat)
+	{
+	delete item_file[c$id];
+	}
diff --git a/policy/http-header.bro b/policy/http-header.bro
new file mode 100644
index 0000000000..3d676488ff
--- /dev/null
+++ b/policy/http-header.bro
@@ -0,0 +1,34 @@
+# $Id: http-header.bro 7073 2010-09-13 00:45:02Z vern $
+
+# Prints out detailed HTTP headers.
+
+module HTTP;
+
+export {
+	# The following lets you specify headers that you don't want
+	# to print out.
+	global skip_header: set[string] &redef;
+
+	# If you add anything to the following table, *only* the headers
+	# included will be recorded.
+	global include_header: set[string] &redef;
+
+	# For example:
+	# 	redef skip_header += { "COOKIE", "SET-COOKIE" };
+	# will refrain from printing cookies.
+}
+
+event http_header(c: connection, is_orig: bool, name: string, value: string)
+	{
+	if ( name in skip_header )
+		return;
+
+	if ( |include_header| > 0 && name !in include_header )
+		return;
+
+	local s = lookup_http_request_stream(c);
+
+	print http_log, fmt("%.6f %s %s %s: %s",
+				network_time(), s$id,
+				is_orig ? ">" : "<", name, value);
+	}
diff --git a/policy/http-identified-files.bro b/policy/http-identified-files.bro
new file mode 100644
index 0000000000..a4ecd2cf7f
--- /dev/null
+++ b/policy/http-identified-files.bro
@@ -0,0 +1,115 @@
+# $Id:$
+#
+# Analyze HTTP entities for sensitive types (e.g., executables).
+#
+# Contributed by Seth Hall.
+
+@load http-reply
+
+module HTTP;
+
+const http_identified_log = open_log_file("http-id");
+
+export {
+	# Base the libmagic analysis on this many bytes.  Currently,
+	# we will in fact use fewer (basically, just what's in the
+	# first data packet).
+	const magic_content_limit = 1024 &redef;
+
+	# These MIME types are logged and generate a Notice.  The patterns
+	# need to match the entire description as returned by libMagic.
+	# For example, for plain text it can return
+	# "text/plain charset=us-ascii", so you might want to use
+	# /text\/plain.*/.
+	const watched_mime_types =
+		  /application\/x-dosexec/	# Windows and DOS executables
+		| /application\/x-executable/	# *NIX executable binary
+	&redef;
+
+	const watched_descriptions = /PHP script text/ &redef;
+
+	# URLs included here are not logged and notices are not generated.
+	# Take care when defining patterns to not be overly broad.
+	const ignored_urls =
+		/^http:\/\/www\.download\.windowsupdate\.com\// &redef;
+
+	redef enum Notice += {
+		# Generated when we see a MIME type we flagged for watching.
+		HTTP_WatchedMIMEType,
+
+		# Generated when the file extension doesn't match
+		# the file contents.
+		HTTP_IncorrectFileType,
+	};
+
+	# Create patterns that *should* be in the URLs for specific MIME types.
+	# Notices are generated if the pattern doesn't match.
+	const mime_types_extensions = {
+		["application/x-dosexec"] = /\.([eE][xX][eE]|[dD][lL][lL])/,
+	} &redef;
+}
+
+event http_entity_data(c: connection, is_orig: bool, length: count, data: string)
+	{
+	if ( is_orig )
+		# For now we only inspect server responses.
+		return;
+
+	local s = lookup_http_request_stream(c);
+	local msg = get_http_message(s, is_orig);
+
+@ifndef	( content_truncation_limit )
+	# This is only done if http-body.bro is not loaded.
+	msg$data_length = msg$data_length + length;
+@endif
+
+	# For the time being, we'll just use the data from the first packet.
+	# Don't continue until we have enough data.
+	# if ( msg$data_length < magic_content_limit )
+	#	return;
+
+	# Right now, only try this for the first chunk of data
+	if ( msg$data_length > length )
+		return;
+
+	local abstract = sub_bytes(data, 1, magic_content_limit);
+	local magic_mime = identify_data(abstract, T);
+	local magic_descr = identify_data(abstract, F);
+
+	if ( (magic_mime == watched_mime_types ||
+	      watched_descriptions in magic_descr) &&
+	     s$first_pending_request in s$requests )
+		{
+		local r = s$requests[s$first_pending_request];
+		local host = (s$next_request$host=="") ?
+			fmt("%s", c$id$resp_h) : s$next_request$host;
+
+		event file_transferred(c, abstract, magic_descr, magic_mime);
+
+		local url = fmt("http://%s%s", host, r$URI);
+		if ( ignored_urls in url )
+			return;
+
+		local file_type = "";
+		if ( magic_mime == watched_mime_types )
+			file_type = magic_mime;
+		else
+			file_type = magic_descr;
+
+		local message = fmt("%s %s %s %s",
+				id_string(c$id), file_type, r$method, url);
+
+		NOTICE([$note=HTTP_WatchedMIMEType, $msg=message, $conn=c,
+			$method=r$method, $URL=url]);
+
+		print http_identified_log, fmt("%.06f %s %s",
+			network_time(), s$id, message);
+
+		if ( (magic_mime in mime_types_extensions &&
+		      mime_types_extensions[magic_mime] !in url) ||
+		     (magic_descr in mime_types_extensions &&
+		      mime_types_extensions[magic_descr] !in url) )
+			NOTICE([$note=HTTP_IncorrectFileType, $msg=message,
+				$conn=c, $method=r$method, $URL=url]);
+		}
+	}
diff --git a/policy/http-reply.bro b/policy/http-reply.bro
new file mode 100644
index 0000000000..e410b1fc34
--- /dev/null
+++ b/policy/http-reply.bro
@@ -0,0 +1,117 @@
+# $Id: http-reply.bro 2694 2006-04-02 22:50:00Z vern $
+
+@load http-request
+
+module HTTP;
+
+redef capture_filters += {
+	["http-reply"] = "tcp src port 80 or tcp src port 8080 or tcp src port 8000"
+};
+
+redef process_HTTP_replies = T;
+
+event http_reply(c: connection, version: string, code: count, reason: string)
+	{
+	local s = lookup_http_request_stream(c);
+	local msg = s$next_reply;
+
+	init_http_message(msg);
+
+	msg$initiated = T;
+	msg$code = code;
+	msg$reason = reason;
+	}
+
+function http_request_done(c: connection, stat: http_message_stat)
+	{
+	local s = lookup_http_request_stream(c);
+	local msg = s$next_request;
+	msg$initiated = F;
+	}
+
+function http_reply_done(c: connection, stat: http_message_stat)
+	{
+	local s = lookup_http_request_stream(c);
+	local req_msg = s$next_request;
+	local msg = s$next_reply;
+	local req: string;
+	local have_request = F;
+	local log_it: bool;
+
+	if ( s$num_pending_requests == 0 )
+		{
+		# Weird - reply w/o request - perhaps due to cold start?
+		req = "<unknown request>";
+		log_it = F;
+		}
+	else
+		{
+		local r = s$requests[s$first_pending_request];
+		have_request = T;
+
+		# Remove pending request.
+		delete s$requests[s$first_pending_request];
+		--s$num_pending_requests;
+		++s$first_pending_request;
+
+		req = fmt("%s %s", r$method, r$URI);
+		log_it = r$log_it;
+		}
+
+	local req_rep =
+		fmt("%s (%d \"%s\" [%d%s]%s)",
+			req, msg$code, string_escape(msg$reason, "\""),
+			stat$body_length,
+			stat$interrupted ? " (interrupted)" : "",
+			have_request ? fmt(" %s", req_msg$host) : "");
+
+	# The following is a more verbose form:
+# 	local req_rep =
+# 		fmt("%s (%d \"%s\" [\"%s\", %d%s%s])",
+# 			req, msg$code, msg$reason,
+# 			msg$content_length, stat$body_length,
+# 			stat$interrupted ? " (interrupted)" : "",
+# 			stat$content_gap_length > 0 ?
+# 				fmt(" (gap = %d bytes)", stat$content_gap_length) : "");
+
+	if ( log_it )
+		NOTICE([$note=HTTP_SensitiveURI, $conn=c,
+			$method = r$method, $URL = r$URI,
+			$n = msg$code,
+			$msg = fmt("%s %s: %s",
+				id_string(c$id), c$addl, req_rep)]);
+
+	print http_log, fmt("%.6f %s %s", network_time(), s$id, req_rep);
+
+	msg$initiated = F;
+	}
+
+event http_message_done(c: connection, is_orig: bool, stat: http_message_stat)
+	{
+	if ( is_orig )
+		http_request_done(c, stat);
+	else
+		http_reply_done(c, stat);
+	}
+
+@load http-entity
+event http_header(c: connection, is_orig: bool, name: string, value: string)
+	{
+	# Only rewrite top-level headers.
+	local s = lookup_http_request_stream(c);
+	local msg = get_http_message(s, is_orig);
+
+	if ( msg$entity_level == 1 )
+		{
+		if ( name == "CONTENT-LENGTH" )
+			msg$content_length = value;
+
+		else if ( is_orig && name == "HOST" )
+			{ # suppress leading blank
+			if ( /^ / in value )
+				msg$host = sub_bytes(value, 2, -1);
+			else
+				msg$host = value;
+			}
+		}
+	}
diff --git a/policy/http-request.bro b/policy/http-request.bro
new file mode 100644
index 0000000000..d5d647c977
--- /dev/null
+++ b/policy/http-request.bro
@@ -0,0 +1,104 @@
+# $Id: http-request.bro 6726 2009-06-07 22:09:55Z vern $
+
+# Analysis of HTTP requests.
+
+@load http
+
+module HTTP;
+
+export {
+	const sensitive_URIs =
+		  /etc\/(passwd|shadow|netconfig)/
+		| /IFS[ \t]*=/
+		| /nph-test-cgi\?/
+		| /(%0a|\.\.)\/(bin|etc|usr|tmp)/
+		| /\/Admin_files\/order\.log/
+		| /\/carbo\.dll/
+		| /\/cgi-bin\/(phf|php\.cgi|test-cgi)/
+		| /\/cgi-dos\/args\.bat/
+		| /\/cgi-win\/uploader\.exe/
+		| /\/search97\.vts/
+		| /tk\.tgz/
+		| /ownz/	# somewhat prone to false positives
+		| /viewtopic\.php.*%.*\(.*\(/	# PHP attack, 26Nov04
+		# a bunch of possible rootkits
+		| /sshd\.(tar|tgz).*/
+		| /[aA][dD][oO][rR][eE][bB][sS][dD].*/
+		# | /[tT][aA][gG][gG][eE][dD].*/	# prone to FPs
+		| /shv4\.(tar|tgz).*/
+		| /lrk\.(tar|tgz).*/
+		| /lyceum\.(tar|tgz).*/
+		| /maxty\.(tar|tgz).*/
+		| /rootII\.(tar|tgz).*/
+		| /invader\.(tar|tgz).*/
+	&redef;
+
+	# Used to look for attempted password file fetches.
+	const passwd_URI = /passwd/ &redef;
+
+	# URIs that match sensitive_URIs but can be generated by worms,
+	# and hence should not be flagged (because they're so common).
+	const worm_URIs =
+		  /.*\/c\+dir/
+		| /.*cool.dll.*/
+		| /.*Admin.dll.*Admin.dll.*/
+	&redef;
+
+	# URIs that should not be considered sensitive if accessed by
+	# a local client.
+	const skip_remote_sensitive_URIs =
+		/\/cgi-bin\/(phf|php\.cgi|test-cgi)/
+	&redef;
+
+	const sensitive_post_URIs = /wwwroot|WWWROOT/ &redef;
+}
+
+redef capture_filters +=  {
+	["http-request"] = "tcp dst port 80 or tcp dst port 8080 or tcp dst port 8000"
+};
+
+event http_request(c: connection, method: string, original_URI: string,
+			unescaped_URI: string, version: string)
+	{
+	local log_it = F;
+	local URI = unescaped_URI;
+
+	if ( (sensitive_URIs in URI && URI != worm_URIs) ||
+	     (method == "POST" && sensitive_post_URIs in URI) )
+		{
+		if ( is_local_addr(c$id$orig_h) &&
+		     skip_remote_sensitive_URIs in URI )
+			; # don't flag it after all
+		else
+			log_it = T;
+		}
+
+	local s = lookup_http_request_stream(c);
+
+	if ( process_HTTP_replies )
+		{
+		# To process HTTP replies, we need to record the corresponding
+		# requests.
+		local n = s$first_pending_request + s$num_pending_requests;
+
+		s$requests[n] = [$method=method, $URI=URI, $log_it=log_it,
+					$passwd_req=passwd_URI in URI];
+		++s$num_pending_requests;
+
+		# if process_HTTP_messages
+		local msg = s$next_request;
+
+		init_http_message(msg);
+		msg$initiated = T;
+		}
+	else
+		{
+		if ( log_it )
+			NOTICE([$note=HTTP_SensitiveURI, $conn=c,
+				$method = method, $URL = URI,
+				$msg=fmt("%s %s: %s %s",
+					id_string(c$id), c$addl, method, URI)]);
+		print http_log,
+			fmt("%.6f %s %s %s", network_time(), s$id, method, URI);
+		}
+	}
diff --git a/policy/http-rewriter.bro b/policy/http-rewriter.bro
new file mode 100644
index 0000000000..3b8222c21a
--- /dev/null
+++ b/policy/http-rewriter.bro
@@ -0,0 +1,137 @@
+# $Id: http-rewriter.bro 416 2004-09-17 03:52:28Z vern $
+
+# We can't do HTTP rewriting unless we process everything in the connection.
+@load http-reply
+@load http-entity
+
+module HTTP;
+
+redef rewriting_http_trace = T;
+redef http_entity_data_delivery_size = 4096;
+
+const rewrite_header_in_position = F;
+
+event http_request(c: connection, method: string,
+		   original_URI: string, unescaped_URI: string, version: string)
+	{
+	if ( rewriting_trace() )
+		rewrite_http_request(c, method, original_URI, version);
+	}
+
+event http_reply(c: connection, version: string, code: count, reason: string)
+	{
+	if ( rewriting_trace() )
+		rewrite_http_reply(c, version, code, reason);
+	}
+
+event http_header(c: connection, is_orig: bool, name: string, value: string)
+	{
+	if ( ! rewriting_trace() )
+		return;
+
+	# Only rewrite top-level headers.
+	local s = lookup_http_request_stream(c);
+	local msg = get_http_message(s, is_orig);
+
+	if ( msg$entity_level == 1 )
+		{
+		if ( name == "CONTENT-LENGTH" )
+			{
+			if ( rewrite_header_in_position )
+				{
+				local p = current_packet(c);
+				if ( p$is_orig == is_orig )
+					{
+					# local s = lookup_http_request_stream(c);
+					# local msg = get_http_message(s, is_orig);
+					if ( msg$header_slot == 0 )
+						msg$header_slot = reserve_rewrite_slot(c);
+					}
+				else
+					print fmt("cannot reserve a slot at %.6f", network_time());
+				}
+			# rewrite_http_header(c, is_orig,
+			#		"X-Original-Content-Length", value);
+			}
+
+		else if ( name == "TRANSFER-ENCODING" )
+			rewrite_http_header(c, is_orig,
+					"X-Original-Transfer-Encoding", value);
+
+		else
+			rewrite_http_header(c, is_orig, name, value);
+		}
+	}
+
+event http_all_headers(c: connection, is_orig: bool, hlist: mime_header_list)
+	{
+	if ( ! rewriting_trace() )
+		return;
+
+	if ( rewrite_header_in_position )
+		{
+		local p = current_packet(c);
+		if ( p$is_orig == is_orig )
+			{
+			local s = lookup_http_request_stream(c);
+			local msg = get_http_message(s, is_orig);
+			if ( msg$header_slot == 0 )
+				msg$header_slot = reserve_rewrite_slot(c);
+			}
+		else
+			print fmt("cannot reserve a slot at %.6f", network_time());
+
+	      # An empty line to mark the end of headers.
+	      rewrite_http_data(c, is_orig, "\r\n");
+	      }
+	}
+
+event http_message_done(c: connection, is_orig: bool, stat: http_message_stat)
+	{
+	if ( ! rewriting_trace() )
+		return;
+
+	local s = lookup_http_request_stream(c);
+	local msg = get_http_message(s, is_orig);
+	local data_length = 0;
+
+	if ( stat$interrupted )
+		{
+		print http_log,
+			fmt("%.6f %s message interrupted at length=%d \"%s\"",
+				network_time(), id_string(c$id),
+				stat$body_length, stat$finish_msg);
+		}
+
+	if ( msg$header_slot > 0 )
+		seek_rewrite_slot(c, msg$header_slot);
+
+	if ( ! is_orig || stat$body_length > 0 )
+		{
+		if ( include_HTTP_abstract )
+			data_length = byte_len(msg$abstract);
+
+		data_length = data_length + stat$content_gap_length;
+
+		rewrite_http_header(c, is_orig, "Content-Length",
+					fmt(" %d", data_length));
+		}
+
+	rewrite_http_header(c, is_orig, "X-Actual-Data-Length",
+				fmt(" %d; gap=%d, content-length=%s",
+					stat$body_length,
+					stat$content_gap_length,
+					msg$content_length));
+	if ( msg$header_slot > 0 )
+		{
+		release_rewrite_slot(c, msg$header_slot);
+		msg$header_slot = 0;
+		}
+
+	if ( ! rewrite_header_in_position )
+		# An empty line to mark the end of headers.
+		rewrite_http_data(c, is_orig, "\r\n");
+
+	if ( data_length > 0 )
+		rewrite_http_data(c, is_orig, msg$abstract);
+	}
diff --git a/policy/http.bro b/policy/http.bro
new file mode 100644
index 0000000000..90b0aa2daa
--- /dev/null
+++ b/policy/http.bro
@@ -0,0 +1,236 @@
+# $Id: http.bro 6726 2009-06-07 22:09:55Z vern $
+
+@load notice
+@load site
+@load conn-id
+
+module HTTP;
+
+export {
+	redef enum Notice += {
+		HTTP_SensitiveURI,	# sensitive URI in GET/POST/HEAD
+	};
+}
+
+# DPM configuration.
+global http_ports = {
+	80/tcp, 81/tcp, 631/tcp, 1080/tcp, 3138/tcp,
+	8000/tcp, 8080/tcp, 8888/tcp,
+};
+redef dpd_config += { [ANALYZER_HTTP] = [$ports = http_ports] };
+redef dpd_config += { [ANALYZER_HTTP_BINPAC] = [$ports = http_ports] };
+
+# HTTP processing options.
+export {
+	const process_HTTP_replies = F &redef;
+	const process_HTTP_data = F &redef;
+	const include_HTTP_abstract = F &redef;
+	const log_HTTP_data = F &redef;
+}
+
+type http_pending_request: record {
+	method: string;
+	URI: string;
+	log_it: bool;
+
+	# Whether we determined it's an attempted passwd file fetch.
+	passwd_req: bool;
+};
+
+# Eventually we will combine http_pending_request and http_message.
+
+type http_message: record {
+	initiated: bool;
+	code: count;		# for HTTP reply message
+	reason: string;		# for HTTP reply message
+	entity_level: count;	# depth of enclosing MIME entities
+	data_length: count;	# actual length of data delivered
+	content_length: string;	# length specified in CONTENT-LENGTH header
+	header_slot: count;	# rewrite slot at the end of headers
+	abstract: string;	# data abstract
+	skip_abstract: bool;	# to skip abstract for certain content types
+	host: string;		# host indicated in Host header
+};
+
+type http_pending_request_stream: record {
+	# Number of first pending request.
+	first_pending_request: count &default = 0;
+
+	# Total number of pending requests.
+	num_pending_requests: count &default = 0;
+
+	# Indexed from [first_pending_request ..
+	#		(first_pending_request + num_pending_requests - 1)]
+	requests: table[count] of http_pending_request;
+
+	next_request: http_message; 	# the on-going request
+	next_reply: http_message;	# the on-going reply
+
+	# len_next_reply: count;	# 0 means unspecified
+	# len_next_request: count;
+
+	id: string;	# repeated from http_session_info, for convenience
+};
+
+type http_session_info: record {
+	id: string;
+ 	request_stream: http_pending_request_stream;
+};
+
+const http_log = open_log_file("http") &redef;
+
+# Called when an HTTP session times out.
+global expire_http_session:
+	function(t: table[conn_id] of http_session_info, id: conn_id)
+		: interval;
+
+export {
+	# Indexed by conn_id.
+	# (Exported so that we can define a timeout on it.)
+	global http_sessions: table[conn_id] of http_session_info
+			&expire_func = expire_http_session
+			&read_expire = 15 min;
+}
+
+global http_session_id = 0;
+
+function init_http_message(msg: http_message)
+	{
+	msg$initiated = F;
+	msg$code = 0;
+	msg$reason = "";
+	msg$entity_level = 0;
+	msg$data_length = 0;
+	msg$content_length = "";
+	msg$header_slot = 0;
+	msg$abstract = "";
+	msg$skip_abstract = F;
+	msg$host = "";
+	}
+
+function new_http_message(): http_message
+	{
+	local msg: http_message;
+	init_http_message(msg);
+	return msg;
+	}
+
+function new_http_session(c: connection): http_session_info
+	{
+	local session = c$id;
+	local new_id = ++http_session_id;
+
+	local info: http_session_info;
+	info$id = fmt("%%%s", prefixed_id(new_id));
+
+	local rs: http_pending_request_stream;
+
+	rs$first_pending_request = 1;
+	rs$num_pending_requests = 0;
+	rs$id = info$id;
+
+	rs$next_request = new_http_message();
+	rs$next_reply = new_http_message();
+	rs$requests = table();
+
+	info$request_stream = rs;
+
+	http_sessions[session] = info;
+
+	print http_log, fmt("%.6f %s start %s:%d > %s:%d", network_time(),
+				info$id, c$id$orig_h,
+				c$id$orig_p, c$id$resp_h, c$id$resp_p);
+
+	return info;
+	}
+
+function lookup_http_session(c: connection): http_session_info
+	{
+	local s: http_session_info;
+	local id = c$id;
+
+	s = id in http_sessions ? http_sessions[id] : new_http_session(c);
+
+	append_addl(c, s$id);
+
+	return s;
+	}
+
+function lookup_http_request_stream(c: connection): http_pending_request_stream
+	{
+	local s = lookup_http_session(c);
+
+	return s$request_stream;
+	}
+
+function get_http_message(s: http_pending_request_stream, is_orig: bool): http_message
+	{
+	return is_orig ? s$next_request : s$next_reply;
+	}
+
+function finish_stream(session: conn_id, id: string,
+			rs: http_pending_request_stream)
+	{
+	### We really want to do this in sequential order, not table order.
+	for ( i in rs$requests )
+		{
+		local req = rs$requests[i];
+
+		if ( req$log_it )
+			NOTICE([$note=HTTP_SensitiveURI,
+				$src=session$orig_h, $dst=session$resp_h,
+				$URL=req$URI,
+				$method=req$method,
+				$msg=fmt("%s:%d -> %s:%d %s: <no reply>",
+					session$orig_h, session$orig_p,
+					session$resp_h, session$resp_p, id)]);
+
+		local msg = fmt("%s %s <no reply>", req$method, req$URI);
+		print http_log, fmt("%.6f %s %s", network_time(), rs$id, msg);
+		}
+	}
+
+event connection_state_remove(c: connection)
+	{
+	local id = c$id;
+
+	if ( id !in http_sessions )
+		return;
+
+	local s = http_sessions[id];
+	finish_stream(id, s$id, s$request_stream);
+	delete http_sessions[c$id];
+	}
+
+function expire_http_session(t: table[conn_id] of http_session_info,
+				id: conn_id): interval
+	{
+	### FIXME: not really clear that we need this function at all ...
+	#
+	# One would think that connection_state_remove() already takes care
+	# of everything.  However, without this expire-handler, some requests
+	# don't show up with the test-suite (but haven't reproduced with
+	# smaller traces) - Robin.
+
+	local s = http_sessions[id];
+	finish_stream(id, s$id, s$request_stream);
+	return 0 sec;
+	}
+
+# event connection_timeout(c: connection)
+# 	{
+# 	if ( ! maintain_http_sessions )
+# 		{
+# 		local id = c$id;
+# 		if ( [id$orig_h, id$resp_h] in http_sessions )
+# 			delete http_sessions[id$orig_h, id$resp_h];
+# 		}
+# 	}
+
+# event http_stats(c: connection, stats: http_stats_rec)
+# 	{
+# 	if ( stats$num_requests == 0 && stats$num_replies == 0 )
+# 		return;
+#
+# 	c$addl = fmt("%s (%d v%.1f v%.1f)", c$addl, stats$num_requests, stats$request_version, stats$reply_version);
+# 	}
diff --git a/policy/icmp.bro b/policy/icmp.bro
new file mode 100644
index 0000000000..c6c3c87d44
--- /dev/null
+++ b/policy/icmp.bro
@@ -0,0 +1,306 @@
+# $Id: icmp.bro 6883 2009-08-19 21:08:09Z vern $
+
+@load hot
+@load weird
+@load conn
+@load scan
+
+global icmp_file = open_log_file("icmp");
+
+redef capture_filters += { ["icmp"] = "icmp" };
+
+module ICMP;
+
+export {
+
+	redef enum Notice += {
+		ICMPAsymPayload,	# payload in echo req-resp not the same
+		ICMPConnectionPair,	# too many ICMPs between hosts
+		ICMPAddressScan,
+
+		# The following isn't presently sufficiently useful due
+		# to cold start and packet drops.
+		# ICMPUnpairedEchoReply,	# no EchoRequest seen for EchoReply
+	};
+
+	# Whether to log detailed information icmp.log.
+	const log_details = T &redef;
+
+	# ICMP scan detection.
+	const detect_scans = T &redef;
+	const scan_threshold = 25 &redef;
+
+	# Analysis of connection pairs.
+	const detect_conn_pairs = F &redef;	# switch for connection pair
+	const detect_payload_asym = F &redef;	# switch for echo payload
+	const conn_pair_threshold = 200 &redef;
+}
+
+global conn_pair:table[addr] of set[addr] &create_expire = 1 day;
+global conn_pair_thresh_reached: table[addr] of bool &default=F;
+
+
+
+type flow_id: record {
+	orig_h: addr;
+	resp_h: addr;
+	id: count;
+};
+
+type flow_info: record {
+	start_time: time;
+	last_time: time;
+	orig_bytes: count;
+	resp_bytes: count;
+	payload: string;
+};
+
+const names: table[count] of string = {
+	[0] = "echo_reply",
+	[3] = "unreach",
+	[4] = "quench",
+	[5] = "redirect",
+	[8] = "echo_req",
+	[9] = "router_adv",
+	[10] = "router_sol",
+	[11] = "time_xcd",
+	[12] = "param_prob",
+	[13] = "tstamp_req",
+	[14] = "tstamp_reply",
+	[15] = "info_req",
+	[16] = "info_reply",
+	[17] = "mask_req",
+	[18] = "mask_reply",
+} &default = function(n: count): string { return fmt("icmp-%d", n); };
+
+
+# Map IP protocol number to the protocol's name.
+const IP_proto_name: table[count] of string = {
+	[1]  = "ICMP",
+	[2]  = "IGMP",
+	[6]  = "TCP",
+	[17] = "UDP",
+	[41] = "IPV6",
+} &default = function(n: count): string { return fmt("%s", n); }
+  &redef;
+
+# Print a report for the given ICMP flow.
+function generate_flow_summary(flow: flow_id, fi: flow_info)
+	{
+	local local_init = is_local_addr(flow$orig_h);
+	local local_addr = local_init ? flow$orig_h : flow$resp_h;
+	local remote_addr = local_init ? flow$resp_h : flow$orig_h;
+	local flags = local_init ? "L" : "";
+
+	local state: string;
+	if ( fi$orig_bytes > 0 )
+		{
+		if ( fi$resp_bytes > 0 )
+			state = "SF";
+		else
+			state = "SH";
+		}
+	else if ( fi$resp_bytes > 0 )
+		state = "SHR";
+	else
+		state = "OTH";
+
+	print icmp_file, fmt("%.6f %.6f %s %s %s %s %s %s %s",
+		fi$start_time, fi$last_time - fi$start_time,
+		flow$orig_h, flow$resp_h, "icmp_echo",
+		fi$orig_bytes, fi$resp_bytes, state, flags);
+	}
+
+# Called when a flow is expired in order to generate a report for it.
+function flush_flow(ft: table[flow_id] of flow_info, fi: flow_id): interval
+	{
+	generate_flow_summary(fi, ft[fi]);
+	return 0 sec;
+	}
+
+# Table to track each active flow.
+global flows: table[flow_id] of flow_info
+		&read_expire = 45 sec
+		&expire_func = flush_flow;
+
+event icmp_sent(c: connection, icmp: icmp_conn)
+	{
+	print icmp_file, fmt("%.6f %.6f %s %s %s %s %s %s %s %s %s",
+		network_time(), 0.0, icmp$orig_h, icmp$resp_h,
+		names[icmp$itype], icmp$itype, icmp$icode, "icmp",
+		icmp$len, "0", "SH");
+	}
+
+event flow_summary(flow: flow_id, last_time: time)
+	{
+	if ( flow !in flows )
+		return;
+
+	local fi = flows[flow];
+
+	if ( fi$last_time == last_time )
+		{
+		generate_flow_summary(flow, fi);
+		delete flows[flow];
+		}
+	}
+
+function update_flow(icmp: icmp_conn, id: count, is_orig: bool, payload: string)
+	{
+	local fid: flow_id;
+	fid$orig_h = is_orig ? icmp$orig_h : icmp$resp_h;
+	fid$resp_h = is_orig ? icmp$resp_h : icmp$orig_h;
+	fid$id = id;
+
+	if ( fid !in flows )
+		{
+		local info: flow_info;
+		info$start_time = network_time();
+		info$orig_bytes = info$resp_bytes = 0;
+		info$payload = payload;	# checked in icmp_echo_reply
+		flows[fid] = info;
+		}
+
+	local fi = flows[fid];
+
+	fi$last_time = network_time();
+
+	if ( is_orig )
+		fi$orig_bytes = fi$orig_bytes + byte_len(payload);
+	else
+		fi$resp_bytes = fi$resp_bytes + byte_len(payload);
+
+	schedule +30sec { flow_summary(fid, fi$last_time) };
+	}
+
+event icmp_echo_request(c: connection, icmp: icmp_conn, id: count, seq: count, payload: string)
+	{
+	update_flow(icmp, id, T, payload);
+
+	local orig = icmp$orig_h;
+	local resp = icmp$resp_h;
+
+	# Simple ping scan detector.
+	if ( detect_scans &&
+	     (orig !in Scan::distinct_peers ||
+	      resp !in Scan::distinct_peers[orig]) )
+		{
+		if ( orig !in Scan::distinct_peers )
+			{
+			local empty_peer_set: set[addr] &mergeable;
+			Scan::distinct_peers[orig] = empty_peer_set;
+			}
+
+		if ( resp !in Scan::distinct_peers[orig] )
+			add Scan::distinct_peers[orig][resp];
+
+		if ( ! Scan::shut_down_thresh_reached[orig] &&
+		     orig !in Scan::skip_scan_sources &&
+		     orig !in Scan::skip_scan_nets &&
+		     |Scan::distinct_peers[orig]| >= scan_threshold )
+			{
+			NOTICE([$note=ICMPAddressScan, $src=orig,
+				$n=scan_threshold,
+				$msg=fmt("%s has icmp echo scanned %s hosts",
+				orig, scan_threshold)]);
+
+			Scan::shut_down_thresh_reached[orig] = T;
+			}
+		}
+
+	if ( detect_conn_pairs )
+		{
+		if ( orig !in conn_pair )
+			{
+			local empty_peer_set2: set[addr] &mergeable;
+			conn_pair[orig] = empty_peer_set2;
+			}
+
+		if ( resp !in conn_pair[orig] )
+			add conn_pair[orig][resp];
+
+		if ( ! conn_pair_thresh_reached[orig] &&
+		     |conn_pair[orig]| >= conn_pair_threshold )
+			{
+			NOTICE([$note=ICMPConnectionPair,
+				$msg=fmt("ICMP connection threshold exceeded : %s -> %s",
+				orig, resp)]);
+			conn_pair_thresh_reached[orig] = T;
+			}
+		}
+	}
+
+event icmp_echo_reply(c: connection, icmp: icmp_conn, id: count,
+			seq: count, payload: string)
+	{
+	# Check payload with the associated flow.
+
+	local fid: flow_id;
+	fid$orig_h = icmp$resp_h;	# We know the expected results since
+	fid$resp_h = icmp$orig_h;	# it's an echo reply.
+	fid$id = id;
+
+	if ( fid !in flows )
+		{
+# 		NOTICE([$note=ICMPUnpairedEchoReply,
+# 			$msg=fmt("ICMP echo reply w/o request: %s -> %s",
+# 				icmp$orig_h, icmp$resp_h)]);
+		}
+	else
+		{
+		if ( detect_payload_asym )
+			{
+			local fi = flows[fid];
+			local pl = fi$payload;
+
+			if ( pl != payload )
+				{
+				NOTICE([$note=ICMPAsymPayload,
+					$msg=fmt("ICMP payload inconsistancy: %s(%s) -> %s(%s)",
+					icmp$orig_h, byte_len(fi$payload),
+					icmp$resp_h, byte_len(payload))]);
+				}
+			}
+		}
+
+	update_flow(icmp, id, F, payload);
+	}
+
+event icmp_unreachable(c: connection, icmp: icmp_conn, code: count,
+			context: icmp_context)
+	{
+	if ( active_connection(context$id) )
+		{
+		# This section allows Bro to act on ICMP-unreachable packets
+		# that happen in the context of an active connection.  It is
+		# not currently used.
+		local c2 = connection_record(context$id);
+		local os = c2$orig$state;
+		local rs = c2$resp$state;
+		local is_attempt =
+			is_tcp_port(c2$id$orig_p) ?
+				(os == TCP_SYN_SENT && rs == TCP_INACTIVE) :
+				(os == UDP_ACTIVE && rs == UDP_INACTIVE);
+
+		# Insert action here.
+		}
+
+	if ( log_details )
+		{
+		# ICMP unreachable packets are the only ones currently
+		# logged.  Due to the connection data contained *within*
+		# them, each log line will contain two connections' worth
+		# of data.  The initial ICMP connection info is the same
+		# as logged for connections.
+		print icmp_file, fmt("%.6f %.6f %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s",
+			network_time(), 0.0, icmp$orig_h, icmp$resp_h,
+			names[icmp$itype], icmp$itype, icmp$icode, "icmp",
+			icmp$len, "0", "EncapPkt:",
+				# This is the encapsulated packet:
+				context$id$orig_h, context$id$orig_p,
+				context$id$resp_h, context$id$resp_p,
+				context$len, IP_proto_name[context$proto],
+				context$len, context$bad_hdr_len,
+				context$bad_checksum);
+		}
+	}
diff --git a/policy/ident-rewriter.bro b/policy/ident-rewriter.bro
new file mode 100644
index 0000000000..2cf1d03720
--- /dev/null
+++ b/policy/ident-rewriter.bro
@@ -0,0 +1,115 @@
+# $Id: ident-rewriter.bro 47 2004-06-11 07:26:32Z vern $
+
+@load ident
+
+redef rewriting_ident_trace = T;
+
+global public_ident_user_ids = { "root", } &redef;
+global public_ident_systems = { "UNIX", } &redef;
+
+const delay_rewriting_request = T;
+
+function public_ident_user(id: string): bool
+	{
+	return id in public_ident_user_ids;
+	}
+
+function public_system(system: string): bool
+	{
+	return system in public_ident_systems;
+	}
+
+type ident_req: record {
+	lport: port;
+	rport: port;
+	rewrite_slot: count;
+};
+
+# Does not support pipelining ....
+global ident_req_slots: table[addr, port, addr, port] of ident_req;
+
+event ident_request(c: connection, lport: port, rport: port)
+	{
+	if ( ! rewriting_trace() )
+		return;
+
+	local id = c$id;
+	if ( delay_rewriting_request )
+		{
+		local slot = reserve_rewrite_slot(c);
+		ident_req_slots[id$orig_h, id$orig_p, id$resp_h, id$resp_p] =
+			[$lport = lport, $rport = rport, $rewrite_slot = slot];
+		}
+	else
+		rewrite_ident_request(c, lport, rport);
+	}
+
+event ident_reply(c: connection, lport: port, rport: port,
+		user_id: string, system: string)
+	{
+	if ( ! rewriting_trace() )
+		return;
+
+	local id = c$id;
+
+	if ( [id$orig_h, id$orig_p, id$resp_h, id$resp_p] in ident_req_slots )
+		{
+		local req = ident_req_slots[id$orig_h, id$orig_p,
+						id$resp_h, id$resp_p];
+
+		seek_rewrite_slot(c, req$rewrite_slot);
+		rewrite_ident_request(c, req$lport, req$rport);
+		release_rewrite_slot(c, req$rewrite_slot);
+
+		delete ident_req_slots[id$orig_h, id$orig_p,
+					id$resp_h, id$resp_p];
+		}
+
+	rewrite_ident_reply(c, lport, rport,
+			public_system(system) ? system : "OTHER",
+			public_ident_user(user_id) ? user_id : "private user");
+	}
+
+event ident_error(c: connection, lport: port, rport: port, line: string)
+	{
+	if ( ! rewriting_trace() )
+		return;
+
+	local id = c$id;
+
+	if ( [id$orig_h, id$orig_p, id$resp_h, id$resp_p] in ident_req_slots )
+		{
+		local req = ident_req_slots[id$orig_h, id$orig_p,
+						id$resp_h, id$resp_p];
+
+		seek_rewrite_slot(c, req$rewrite_slot);
+		rewrite_ident_request(c, req$lport, req$rport);
+		release_rewrite_slot(c, req$rewrite_slot);
+
+		delete ident_req_slots[id$orig_h, id$orig_p,
+					id$resp_h, id$resp_p];
+		}
+
+	rewrite_ident_error(c, lport, rport, line);
+	}
+
+event connection_state_remove(c: connection)
+	{
+	if ( ! rewriting_trace() )
+		return;
+
+	local id = c$id;
+
+	if ( [id$orig_h, id$orig_p, id$resp_h, id$resp_p] in ident_req_slots )
+		{
+		local req = ident_req_slots[id$orig_h, id$orig_p,
+						id$resp_h, id$resp_p];
+
+		seek_rewrite_slot(c, req$rewrite_slot);
+		rewrite_ident_request(c, req$lport, req$rport);
+		release_rewrite_slot(c, req$rewrite_slot);
+
+		delete ident_req_slots[id$orig_h, id$orig_p,
+					id$resp_h, id$resp_p];
+		}
+	}
diff --git a/policy/ident.bro b/policy/ident.bro
new file mode 100644
index 0000000000..d52265db65
--- /dev/null
+++ b/policy/ident.bro
@@ -0,0 +1,68 @@
+# $Id: ident.bro 5948 2008-07-11 22:29:49Z vern $
+
+@load notice
+@load hot-ids
+
+module Ident;
+
+export {
+	redef enum Notice += {
+		IdentSensitiveID,	# sensitive username in Ident lookup
+	};
+
+	const hot_ident_ids = { always_hot_ids, } &redef;
+	const hot_ident_exceptions = { "uucp", "nuucp", "daemon", } &redef;
+}
+
+redef capture_filters += { ["ident"] = "tcp port 113" };
+
+global ident_ports = { 113/tcp } &redef;
+redef dpd_config += { [ANALYZER_IDENT] = [$ports = ident_ports] };
+
+global pending_ident_requests: set[addr, port, addr, port, port, port];
+
+event ident_request(c: connection, lport: port, rport: port)
+	{
+	local id = c$id;
+	add pending_ident_requests[id$orig_h, id$orig_p, id$resp_h, id$resp_p, lport, rport];
+	}
+
+function add_ident_tag(c: connection, lport: port, rport: port, tag: string)
+: connection
+	{
+	local id = c$id;
+	if ( [id$orig_h, id$orig_p, id$resp_h, id$resp_p, lport, rport] in
+	     pending_ident_requests )
+		delete pending_ident_requests[id$orig_h, id$orig_p, id$resp_h, id$resp_p, lport, rport];
+	else
+		tag = fmt("orphan-%s", tag);
+
+	local c_orig_id = [$orig_h = id$resp_h, $orig_p = rport,
+				$resp_h = id$orig_h, $resp_p = lport];
+
+	local c_orig = active_connection(c_orig_id) ?
+			connection_record(c_orig_id) : c;
+
+	append_addl(c_orig, tag);
+
+	return c_orig;
+	}
+
+event ident_reply(c: connection, lport: port, rport: port,
+		user_id: string, system: string)
+	{
+	local c_orig = add_ident_tag(c, lport, rport, fmt("ident/%s", user_id));
+
+	if ( user_id in hot_ident_ids && user_id !in hot_ident_exceptions )
+		{
+		++c_orig$hot;
+		NOTICE([$note=IdentSensitiveID, $conn=c,
+			$msg=fmt("%s hot ident: %s",
+				$user=c_orig$addl, id_string(c_orig$id))]);
+		}
+	}
+
+event ident_error(c: connection, lport: port, rport: port, line: string)
+	{
+	add_ident_tag(c, lport, rport, fmt("iderr/%s", line));
+	}
diff --git a/policy/inactivity.bro b/policy/inactivity.bro
new file mode 100644
index 0000000000..ea984a2fc2
--- /dev/null
+++ b/policy/inactivity.bro
@@ -0,0 +1,31 @@
+# $Id: inactivity.bro 7073 2010-09-13 00:45:02Z vern $
+
+@load port-name
+
+const inactivity_timeouts: table[port] of interval = {
+	# For interactive services, allow longer periods of inactivity.
+	[[telnet, rlogin, ssh, ftp]] = 1 hrs,
+} &redef;
+
+function determine_inactivity_timeout(c: connection)
+	{
+	local service = c$id$resp_p;
+
+	# Determine service (adapted from hot.bro)
+	if ( c$orig$state == TCP_INACTIVE )
+		{
+		# We're seeing a half-established connection. Use the
+		# service of the originator if it's well-known and the
+		# responder isn't.
+		if ( service !in port_names && c$id$orig_p in port_names )
+			service = c$id$orig_p;
+		}
+
+	if ( service in inactivity_timeouts )
+		set_inactivity_timeout(c$id, inactivity_timeouts[service]);
+	}
+
+event connection_established(c: connection)
+	{
+	determine_inactivity_timeout(c);
+	}
diff --git a/policy/interconn.bro b/policy/interconn.bro
new file mode 100644
index 0000000000..ff545d4eef
--- /dev/null
+++ b/policy/interconn.bro
@@ -0,0 +1,318 @@
+# $Id: interconn.bro 3997 2007-02-23 00:31:19Z vern $
+#
+# interconn - generic detection of interactive connections.
+
+@load port-name
+@load demux
+
+# The following must be defined for the event engine to generate
+# interconn events.
+redef interconn_min_interarrival = 0.01 sec;
+redef interconn_max_interarrival = 2.0 sec;
+redef interconn_max_keystroke_pkt_size = 20;
+redef interconn_default_pkt_size = 512;
+redef interconn_stat_period = 15.0 sec;
+redef interconn_stat_backoff = 1.5;
+
+const interconn_min_num_pkts = 10 &redef; # min num of pkts sent
+const interconn_min_duration = 2.0 sec &redef; # min duration for the connection
+
+const interconn_ssh_len_disabled = T &redef;
+const interconn_min_ssh_pkts_ratio = 0.6 &redef;
+
+const interconn_min_bytes = 10 &redef;
+const interconn_min_7bit_ascii_ratio = 0.75 &redef;
+
+const interconn_min_num_lines = 2 &redef;
+const interconn_min_normal_line_ratio = 0.5 &redef;
+
+# alpha: portion of interarrival times within range
+#	[interconn_min_interarrival, interconn_max_interarrival]
+#
+#	alpha should be >= interconn_min_alpha
+#
+# gamma: num_keystrokes_two_in_row / num_pkts
+#	gamma indicates the portion of keystrokes in the overall traffic
+#
+#	gamma should be >= interconn_min_gamma
+
+const interconn_min_alpha = 0.2 &redef; # minimum required alpha
+const interconn_min_gamma = 0.2 &redef; # minimum required gamma
+
+const interconn_standard_ports = { telnet, rlogin, ftp, ssh, smtp, 143/tcp, 110/tcp  } &redef;
+const interconn_ignore_standard_ports = F &redef;
+
+const interconn_demux_disabled = T &redef;
+
+const INTERCONN_UNKNOWN = 0;	# direction/interactivity is unknown
+
+const INTERCONN_FORWARD = 1;	# forward: a conn's orig is true originator
+const INTERCONN_BACKWARD = 2;	# backward: a conn's resp is true originator
+
+const INTERCONN_INTERACTIVE = 1;	# a conn is interactive
+const INTERCONN_STANDARD_PORT = 2;	# conn involves a standard port to ignore
+
+type conn_info : record {
+	interactive: count; # interactivity: unknown/interactive/standard_port
+	dir: count; # direction: unknown/forward/backward
+};
+
+global interconn_conns: table [conn_id] of conn_info; # table for all connections
+
+# Table for resp_endp's of those established (non-partial) conn's.
+# If a partial conn connects to one of such resp's, we can infer
+# its direction.
+global interconn_resps: table [addr, port] of count &default = 0;
+
+global interconn_log = open_log_file("interconn") &redef;
+
+global num_interconns = 0;
+
+function interconn_conn_string(c: connection): string
+	{
+	return fmt("%.6f %s.%d > %s.%d",
+		c$start_time,
+		c$id$orig_h, c$id$orig_p,
+		c$id$resp_h, c$id$resp_p);
+	}
+
+function interconn_weird(c: connection, s: string)
+	{
+	print fmt("%s interconn_weird: %s %s", network_time(), interconn_conn_string(c), s);
+	}
+
+function get_direction(c: connection): count
+	{
+	local id = c$id;
+
+	if ( interconn_conns[id]$dir != INTERCONN_UNKNOWN )
+		return interconn_conns[id]$dir;
+
+	# The connection is not established yet, but one endpoint
+	# is a known resp_endp
+	if ( [id$resp_h, id$resp_p] in interconn_resps )
+		{
+		interconn_conns[id]$dir = INTERCONN_FORWARD;
+		++interconn_resps[id$resp_h, id$resp_p];
+
+		return INTERCONN_FORWARD;
+		}
+
+	else if ( [id$orig_h, id$orig_p] in interconn_resps )
+		{
+		interconn_conns[id]$dir = INTERCONN_BACKWARD;
+		++interconn_resps[id$orig_h, id$orig_p];
+
+		return INTERCONN_BACKWARD;
+		}
+
+	return INTERCONN_UNKNOWN;
+	}
+
+function comp_gamma(s: interconn_endp_stats): double
+	{
+	return s$num_pkts >= interconn_min_num_pkts ?
+		(1.0 * s$num_keystrokes_two_in_row) / s$num_pkts : 0.0;
+	}
+
+function comp_alpha(s: interconn_endp_stats) : double
+	{
+	return ( s$num_keystrokes_two_in_row > 0 ) ?
+		(1.0 * s$num_normal_interarrivals / s$num_keystrokes_two_in_row) : 0.0;
+	}
+
+function skip_further_interconn_processing(c: connection)
+	{
+	# This used to call skip_further_processing()
+	# (if active_connection(c$id) returned T).  But that's
+	# clearly wrong *if* we're also doing additional analysis
+	# on the connection.  So do nothing.
+	}
+
+function log_interconn(c: connection, tag: string)
+	{
+	print interconn_log, fmt("%s %s", interconn_conn_string(c), tag);
+
+	local id = c$id;
+
+	if ( interconn_demux_disabled )
+		skip_further_interconn_processing(c);
+	else
+		demux_conn(id, tag, "orig", "resp");
+	}
+
+function is_interactive_endp(s: interconn_endp_stats): bool
+	{
+	# Criteria 1: num_pkts >= interconn_min_num_pkts.
+	if ( s$num_pkts < interconn_min_num_pkts )
+		return F;
+
+	# Criteria 2: gamma >= interconn_min_gamma.
+	if ( comp_gamma(s) < interconn_min_gamma )
+		return F;
+
+	# Criteria 3: alpha >= interconn_min_alpha.
+	if ( comp_alpha(s) < interconn_min_alpha )
+		return F;
+
+	return T;
+	}
+
+event connection_established(c: connection)
+	{
+	local id = c$id;
+	local dir = interconn_conns[id]$dir;
+
+	if ( dir == INTERCONN_FORWARD )
+		return;
+
+	if ( dir == INTERCONN_BACKWARD )
+		{
+		interconn_weird(c, "inconsistent direction");
+		return;
+		}
+
+	interconn_conns[id]$dir = INTERCONN_FORWARD;
+	++interconn_resps[id$resp_h, id$resp_p];
+	}
+
+event new_connection(c: connection)
+	{
+	local id = c$id;
+
+	local info: conn_info;
+	info$dir = INTERCONN_UNKNOWN;
+
+	if ( interconn_ignore_standard_ports &&
+	     (id$orig_p in interconn_standard_ports ||
+	      id$resp_p in interconn_standard_ports) )
+		{
+		info$interactive = INTERCONN_STANDARD_PORT;
+		skip_further_interconn_processing(c);
+		}
+
+	else
+		info$interactive = INTERCONN_UNKNOWN;
+
+	interconn_conns[id] = info;
+	}
+
+event interconn_remove_conn(c: connection)
+	{
+	local id = c$id;
+
+	if ( id !in interconn_conns )
+		# This can happen for weird connections such as those
+		# with an initial SYN+FIN packet.
+		return;
+
+	local dir = interconn_conns[id]$dir;
+
+	delete interconn_conns[id];
+	delete demuxed_conn[c$id];
+
+	if ( dir == INTERCONN_FORWARD )
+		{
+		if ( --interconn_resps[id$resp_h, id$resp_p] == 0 )
+			delete interconn_resps[id$resp_h, id$resp_p];
+		}
+
+	else if ( dir == INTERCONN_BACKWARD )
+		{
+		if ( --interconn_resps[id$orig_h, id$orig_p] == 0 )
+			delete interconn_resps[id$orig_h, id$orig_p];
+		}
+	}
+
+event interconn_stats(c: connection,
+			os: interconn_endp_stats, rs: interconn_endp_stats)
+	{
+	local id = c$id;
+
+	if ( id !in interconn_conns )
+		return;
+
+	if ( interconn_conns[id]$interactive != INTERCONN_UNKNOWN )
+		return; # already classified
+
+	if ( c$duration < interconn_min_duration )
+		# forget about excessively short connections
+		return;
+
+	local dir = get_direction(c);
+
+	# Criteria:
+	#
+	#	if ( dir == FORWARD )
+	#		(os) is interactive
+	#	else if ( dir == BACKWARD )
+	#		(rs) is interactive
+	#	else
+	#		either (os) or (rs) is interactive
+	if ( dir == INTERCONN_FORWARD )
+		{
+		if ( ! is_interactive_endp(os) )
+			return;
+		}
+
+	else if ( dir == INTERCONN_BACKWARD )
+		{
+		if ( ! is_interactive_endp(rs) )
+			return;
+		}
+
+	else
+		{
+		if ( ! is_interactive_endp(os) && ! is_interactive_endp(rs) )
+			return;
+		}
+
+	local tag: string;
+
+	if ( ! interconn_ssh_len_disabled && (os$is_partial || rs$is_partial) )
+		{
+		local num_pkts = os$num_pkts + rs$num_pkts;
+		local num_8k0_pkts = os$num_8k0_pkts + rs$num_8k0_pkts;
+		local num_8k4_pkts = os$num_8k4_pkts + rs$num_8k4_pkts;
+
+		if ( num_8k0_pkts > num_pkts * interconn_min_ssh_pkts_ratio )
+			{
+			# c now considered as interactive.
+			interconn_conns[id]$interactive = INTERCONN_INTERACTIVE;
+			tag = fmt("interconn.%d.ssh2", ++num_interconns);
+			}
+		else if ( num_8k4_pkts > num_pkts * interconn_min_ssh_pkts_ratio )
+			{
+			# c now considered as interactive.
+			interconn_conns[id]$interactive = INTERCONN_INTERACTIVE;
+			tag = fmt("interconn.%d.ssh1", ++num_interconns);
+			}
+		}
+
+	# Criteria 4:	num_7bit_ascii / num_bytes is big enough; AND
+	#		enough number of normal lines
+	if ( interconn_conns[id]$interactive != INTERCONN_INTERACTIVE )
+		{
+		local num_bytes = os$num_bytes + rs$num_bytes;
+		local num_7bit_ascii = os$num_7bit_ascii + rs$num_7bit_ascii;
+
+		if ( num_bytes < interconn_min_bytes ||
+		     num_7bit_ascii < num_bytes * interconn_min_7bit_ascii_ratio )
+			return;
+
+		local num_lines = os$num_lines + rs$num_lines;
+		local num_normal_lines = os$num_normal_lines +
+					 rs$num_normal_lines;
+
+		if ( num_lines < interconn_min_num_lines ||
+		     num_normal_lines < num_lines * interconn_min_normal_line_ratio )
+			return;
+
+		# c now considered as interactive.
+		interconn_conns[id]$interactive = INTERCONN_INTERACTIVE;
+
+		tag = fmt("interconn.%d", ++num_interconns);
+		}
+
+	log_interconn(c, tag);
+	}
diff --git a/policy/irc-bot-syslog.bro b/policy/irc-bot-syslog.bro
new file mode 100644
index 0000000000..6ca1281db3
--- /dev/null
+++ b/policy/irc-bot-syslog.bro
@@ -0,0 +1,79 @@
+# $Id: irc-bot-syslog.bro,v 1.1.4.2 2006/05/31 00:16:21 sommer Exp $
+#
+# Passes current bot-state to syslog.
+#
+# - When a new server/client is found, we syslog it immediately.
+# - Every IrcBot::summary_interval we dump the current set.
+
+@load irc-bot
+
+module IrcBotSyslog;
+
+export {
+	# Prefix for all messages for easy grepping.
+	const prefix = "irc-bots" &redef;
+}
+
+# For debugging, everything which goes to syslog also goes here.
+global syslog_file = open_log_file("irc-bots.syslog");
+
+function fmt_time(t: time) : string
+	{
+	return strftime("%Y-%m-%d-%H-%M-%S", t);
+	}
+
+function log_server(ip: addr, new: bool)
+	{
+	local s = IrcBot::servers[ip];
+	local ports = IrcBot::portset_to_str(s$p);
+
+	local msg = fmt("%s ip=%s new=%d local=%d server=1 first_seen=%s last_seen=%s ports=%s",
+			prefix, ip, new, is_local_addr(ip),
+			fmt_time(s$first_seen), fmt_time(s$last_seen), ports);
+
+	syslog(msg);
+	print syslog_file, fmt("%.6f %s", network_time(), msg);
+	}
+
+function log_client(ip: addr, new: bool)
+	{
+	local c = IrcBot::clients[ip];
+	local servers = IrcBot::addrset_to_str(c$servers);
+
+	local msg = fmt("%s ip=%s new=%d local=%d server=0 first_seen=%s last_seen=%s user=%s nick=%s realname=%s servers=%s",
+			prefix, ip, new, is_local_addr(ip),
+			fmt_time(c$first_seen), fmt_time(c$last_seen),
+				  c$user, c$nick, c$realname, servers);
+
+	syslog(msg);
+	print syslog_file, fmt("%.6f %s", network_time(), msg);
+	}
+
+event print_bot_state()
+	{
+	for ( s in IrcBot::confirmed_bot_servers )
+		log_server(s, F);
+
+	for ( c in IrcBot::confirmed_bot_clients )
+		log_client(c, F);
+	}
+
+event bro_init()
+	{
+	set_buf(syslog_file, F);
+	}
+
+redef notice_policy += {
+	[$pred(a: notice_info) =
+		{
+		if ( a$note == IrcBot::IrcBotServerFound )
+			log_server(a$src, T);
+
+		if ( a$note == IrcBot::IrcBotClientFound )
+			log_client(a$src, T);
+
+		return F;
+		},
+	 $result = NOTICE_FILE,
+	 $priority = 1]
+};
diff --git a/policy/irc-bot.bro b/policy/irc-bot.bro
new file mode 100644
index 0000000000..8375aa91d6
--- /dev/null
+++ b/policy/irc-bot.bro
@@ -0,0 +1,566 @@
+# $Id:$
+
+@load conn
+@load notice
+@load weird
+
+module IrcBot;
+
+export {
+	global detailed_log = open_log_file("irc.detailed") &redef;
+	global bot_log = open_log_file("irc-bots") &redef;
+
+	global summary_interval = 1 min &redef;
+
+	global detailed_logging = T &redef;
+	global content_dir = "irc-bots" &redef;
+
+	global bot_nicks =
+		  /^\[([^\]]+\|)+[0-9]{2,}]/		# [DEU|XP|L|00]
+		| /^\[[^ ]+\]([^ ]+\|)+([0-9a-zA-Z-]+)/	# [0]CHN|3436036 [DEU][1]3G-QE
+		| /^DCOM[0-9]+$/			# DCOM7845
+		| /^\{[A-Z]+\}-[0-9]+/			# {XP}-5021040
+		| /^\[[0-9]+-[A-Z0-9]+\][a-z]+/		# [0058-X2]wpbnlgwf
+		| /^\[[a-zA-Z0-9]\]-[a-zA-Z0-9]+$/	# [SD]-743056826
+		| /^[a-z]+[A-Z]+-[0-9]{5,}$/
+		| /^[A-Z]{3}-[0-9]{4}/			# ITD-1119
+	;
+
+	global bot_cmds =
+		  /(^| *)[.?#!][^ ]{0,5}(scan|ndcass|download|cvar\.|execute|update|dcom|asc|scanall) /
+		| /(^| +\]\[ +)\* (ipscan|wormride)/
+		| /(^| *)asn1/
+	;
+
+	global skip_msgs =
+		  /.*AUTH .*/
+		| /.*\*\*\* Your host is .*/
+		| /.*\*\*\* If you are having problems connecting .*/
+	;
+
+	redef enum Notice += {
+		IrcBotServerFound,
+		IrcBotClientFound,
+	};
+
+	type channel: record {
+		name: string;
+		passwords: set[string];
+		topic: string &default="";
+		topic_history: vector of string;
+	};
+
+	type bot_client: record {
+		host: addr;
+		p: port;
+		nick: string &default="";
+		user: string &default="";
+		realname: string &default="";
+		channels: table[string] of channel;
+		servers: set[addr] &optional;
+		first_seen: time;
+		last_seen: time;
+	};
+
+	type bot_server: record {
+		host: addr;
+		p: set[port];
+		clients: table[addr] of bot_client;
+		global_users: string &default="";
+		passwords: set[string];
+		channels: table[string] of channel;
+		first_seen: time;
+		last_seen: time;
+	};
+
+	type bot_conn: record {
+		client: bot_client;
+		server: bot_server;
+		conn: connection;
+		fd: file;
+		ircx: bool &default=F;
+	};
+
+	# We keep three sets of clients/servers:
+	#  (1) tables containing all IRC clients/servers
+	#  (2) sets containing potential bot hosts
+	#  (3) sets containing confirmend bot hosts
+	#
+	# Hosts are confirmed when a connection is established between
+	# potential bot hosts.
+	#
+	# FIXME: (1) should really be moved into the general IRC script.
+
+	global expire_server:
+		function(t: table[addr] of bot_server, idx: addr): interval;
+	global expire_client:
+		function(t: table[addr] of bot_client, idx: addr): interval;
+
+	global servers: table[addr] of bot_server &write_expire=24 hrs
+			&expire_func=expire_server &persistent;
+	global clients: table[addr] of bot_client &write_expire=24 hrs
+			&expire_func=expire_client &persistent;
+
+	global potential_bot_clients: set[addr] &persistent;
+	global potential_bot_servers: set[addr] &persistent;
+	global confirmed_bot_clients: set[addr] &persistent;
+	global confirmed_bot_servers: set[addr] &persistent;
+
+	# All IRC connections.
+	global conns: table[conn_id] of bot_conn &persistent;
+
+	# Connections between confirmed hosts.
+	global bot_conns: set[conn_id] &persistent;
+
+	# Helper functions for readable output.
+	global strset_to_str: function(s: set[string]) : string;
+	global portset_to_str: function(s: set[port]) : string;
+	global addrset_to_str: function(s: set[addr]) : string;
+}
+
+function strset_to_str(s: set[string]) : string
+	{
+	if ( |s| == 0 )
+		return "<none>";
+
+	local r = "";
+	for ( i in s )
+		{
+		if ( r != "" )
+			r = cat(r, ",");
+		r = cat(r, fmt("\"%s\"", i));
+		}
+
+	return r;
+	}
+
+function portset_to_str(s: set[port]) : string
+	{
+	if ( |s| == 0 )
+		return "<none>";
+
+	local r = "";
+	for ( i in s )
+		{
+		if ( r != "" )
+			r = cat(r, ",");
+		r = cat(r, fmt("%d", i));
+		}
+
+	return r;
+	}
+
+function addrset_to_str(s: set[addr]) : string
+	{
+	if ( |s| == 0 )
+		return "<none>";
+
+	local r = "";
+	for ( i in s )
+		{
+		if ( r != "" )
+			r = cat(r, ",");
+		r = cat(r, fmt("%s", i));
+		}
+
+	return r;
+	}
+
+function fmt_time(t: time) : string
+	{
+	return strftime("%y-%m-%d-%H-%M-%S", t);
+	}
+
+event print_bot_state()
+	{
+	local bot_summary_log = open_log_file("irc-bots.summary");
+	disable_print_hook(bot_summary_log);
+
+	print bot_summary_log, "---------------------------";
+	print bot_summary_log, strftime("%y-%m-%d-%H-%M-%S", network_time());
+	print bot_summary_log, "---------------------------";
+	print bot_summary_log;
+	print bot_summary_log, "Known servers";
+
+	for ( h in confirmed_bot_servers )
+		{
+		local s = servers[h];
+
+		print bot_summary_log,
+			fmt("    %s %s - clients: %d ports %s password(s) %s last-seen %s first-seen %s global-users %s",
+				(is_local_addr(s$host) ? "L" : "R"),
+				s$host, length(s$clients), portset_to_str(s$p),
+				strset_to_str(s$passwords),
+				fmt_time(s$last_seen), fmt_time(s$first_seen),
+				s$global_users);
+
+		for ( name in s$channels )
+			{
+			local ch = s$channels[name];
+			print bot_summary_log,
+				fmt("        channel %s: topic \"%s\", password(s) %s",
+					ch$name, ch$topic,
+					strset_to_str(ch$passwords));
+			}
+		}
+
+	print bot_summary_log, "\nKnown clients";
+
+	for ( h in confirmed_bot_clients )
+		{
+		local c = clients[h];
+		print bot_summary_log,
+			fmt("    %s %s - server(s) %s user %s nick %s realname %s last-seen %s first-seen %s",
+				(is_local_addr(h) ? "L" : "R"), h,
+				addrset_to_str(c$servers),
+				c$user, c$nick, c$realname,
+				fmt_time(c$last_seen), fmt_time(c$first_seen));
+		}
+
+	close(bot_summary_log);
+
+	if ( summary_interval != 0 secs )
+		schedule summary_interval { print_bot_state() };
+	}
+
+event bro_init()
+	{
+	if ( summary_interval != 0 secs )
+		schedule summary_interval { print_bot_state() };
+	}
+
+function do_log_force(c: connection, msg: string)
+	{
+	local id = c$id;
+	print bot_log, fmt("%.6f %s:%d > %s:%d %s %s",
+				network_time(), id$orig_h, id$orig_p,
+				id$resp_h, id$resp_p, c$addl, msg);
+	}
+
+function do_log(c: connection, msg: string)
+	{
+	if ( c$id !in bot_conns )
+		return;
+
+	do_log_force(c, msg);
+	}
+
+function log_msg(c: connection, cmd: string, prefix: string, msg: string)
+	{
+	if ( skip_msgs in msg )
+		return;
+
+	do_log(c, fmt("MSG command=%s prefix=%s msg=\"%s\"", cmd, prefix, msg));
+	}
+
+function update_timestamps(c: connection) : bot_conn
+	{
+	local conn = conns[c$id];
+
+	conn$client$last_seen = network_time();
+	conn$server$last_seen = network_time();
+
+	# To prevent the set of entries from premature expiration,
+	# we need to make a write access (can't use read_expire as we
+	# iterate over the entries on a regular basis).
+	clients[c$id$orig_h] = conn$client;
+	servers[c$id$resp_h] = conn$server;
+
+	return conn;
+	}
+
+function add_server(c: connection) : bot_server
+	{
+	local s_h = c$id$resp_h;
+
+	if ( s_h in servers )
+		return servers[s_h];
+
+	local empty_table1: table[addr] of bot_client;
+	local empty_table2: table[string] of channel;
+	local empty_set: set[string];
+	local empty_set2: set[port];
+
+	local server = [$host=s_h, $p=empty_set2, $clients=empty_table1,
+			$channels=empty_table2, $passwords=empty_set,
+			$first_seen=network_time(), $last_seen=network_time()];
+	servers[s_h] = server;
+
+	return server;
+	}
+
+function add_client(c: connection) : bot_client
+	{
+	local c_h = c$id$orig_h;
+
+	if ( c_h in clients )
+		return clients[c_h];
+
+	local empty_table: table[string] of channel;
+	local empty_set: set[addr];
+	local client = [$host=c_h, $p=c$id$resp_p, $servers=empty_set,
+			$channels=empty_table, $first_seen=network_time(),
+			$last_seen=network_time()];
+	clients[c_h] = client;
+
+	return client;
+	}
+
+function check_bot_conn(c: connection)
+	{
+	if ( c$id in bot_conns )
+		return;
+
+	local client = c$id$orig_h;
+	local server = c$id$resp_h;
+
+	if ( client !in potential_bot_clients || server !in potential_bot_servers )
+		return;
+
+	# New confirmed bot_conn.
+
+	add bot_conns[c$id];
+
+	if ( server !in confirmed_bot_servers )
+		{
+		NOTICE([$note=IrcBotServerFound, $src=server, $p=c$id$resp_p, $conn=c,
+				$msg=fmt("ircbot server found: %s:%d", server, $p=c$id$resp_p)]);
+		add confirmed_bot_servers[server];
+		}
+
+	if ( client !in confirmed_bot_clients )
+		{
+		NOTICE([$note=IrcBotClientFound, $src=client, $p=c$id$orig_p, $conn=c,
+				$msg=fmt("ircbot client found: %s:%d", client, $p=c$id$orig_p)]);
+		add confirmed_bot_clients[client];
+		}
+	}
+
+function get_conn(c: connection) : bot_conn
+	{
+	local conn: bot_conn;
+
+	if ( c$id in conns )
+		{
+		check_bot_conn(c);
+		return update_timestamps(c);
+		}
+
+	local c_h = c$id$orig_h;
+	local s_h = c$id$resp_h;
+
+	local client : bot_client;
+	local server : bot_server;
+
+	if ( c_h in clients )
+		client = clients[c_h];
+	else
+		client = add_client(c);
+
+	if ( s_h in servers )
+		server = servers[s_h];
+	else
+		server = add_server(c);
+
+	server$clients[c_h] = client;
+	add server$p[c$id$resp_p];
+	add client$servers[s_h];
+
+	conn$server = server;
+	conn$client = client;
+	conn$conn = c;
+	conns[c$id] = conn;
+	update_timestamps(c);
+
+	return conn;
+	}
+
+function expire_server(t: table[addr] of bot_server, idx: addr): interval
+	{
+	local server = t[idx];
+	for ( c in server$clients )
+		{
+		local client = server$clients[c];
+		delete client$servers[idx];
+		}
+
+	delete potential_bot_servers[idx];
+	delete confirmed_bot_servers[idx];
+	return 0secs;
+	}
+
+function expire_client(t: table[addr] of bot_client, idx: addr): interval
+	{
+	local client = t[idx];
+	for ( s in client$servers )
+		if ( s in servers )
+			delete servers[s]$clients[idx];
+	delete potential_bot_clients[idx];
+	delete confirmed_bot_clients[idx];
+	return 0secs;
+	}
+
+function remove_connection(c: connection)
+	{
+	local conn = conns[c$id];
+	delete conns[c$id];
+	delete bot_conns[c$id];
+	}
+
+event connection_state_remove(c: connection)
+	{
+	if ( c$id !in conns )
+		return;
+
+	remove_connection(c);
+	}
+
+event bro_init()
+	{
+	set_buf(detailed_log, F);
+	set_buf(bot_log, F);
+	}
+
+event irc_client(c: connection, prefix: string, data: string)
+	{
+	if ( detailed_logging )
+		print detailed_log, fmt("%.6f %s > (%s) %s", network_time(), id_string(c$id), prefix, data);
+
+	local conn = get_conn(c);
+
+	if ( data == /^ *[iI][rR][cC][xX] *$/ )
+		conn$ircx = T;
+	}
+
+event irc_server(c: connection, prefix: string, data: string)
+	{
+	if ( detailed_logging )
+		print detailed_log, fmt("%.6f %s < (%s) %s", network_time(), id_string(c$id), prefix, data);
+
+	local conn = get_conn(c);
+	}
+
+event irc_user_message(c: connection, user: string, host: string, server: string, real_name: string)
+	{
+	local conn = get_conn(c);
+	conn$client$user = user;
+	conn$client$realname = real_name;
+
+	do_log(c, fmt("USER user=%s host=%s server=%s real_name=%s", user, host, server, real_name));
+	}
+
+function get_channel(conn: bot_conn, channel: string) : channel
+	{
+	if ( channel in conn$server$channels )
+		return conn$server$channels[channel];
+	else
+		{
+		local empty_set: set[string];
+		local empty_vec: vector of string;
+		local ch = [$name=channel, $passwords=empty_set, $topic_history=empty_vec];
+		conn$server$channels[ch$name] = ch;
+		return ch;
+		}
+	}
+
+event irc_join_message(c: connection, info_list: irc_join_list)
+	{
+	local conn = get_conn(c);
+
+	for ( i in info_list )
+		{
+		local ch = get_channel(conn, i$channel);
+
+		if ( i$password != "" )
+			add ch$passwords[i$password];
+
+		conn$client$channels[ch$name] = ch;
+
+		do_log(c, fmt("JOIN channel=%s password=%s", i$channel, i$password));
+		}
+	}
+
+global urls: set[string] &read_expire = 7 days &persistent;
+
+event http_request(c: connection, method: string, original_URI: string,
+			unescaped_URI: string, version: string)
+	{
+	if ( original_URI in urls )
+		do_log_force(c, fmt("Request for URL %s", original_URI));
+	}
+
+event irc_channel_topic(c: connection, channel: string, topic: string)
+	{
+	if ( bot_cmds in topic )
+		{
+		do_log_force(c, fmt("Matching TOPIC %s", topic));
+		add potential_bot_servers[c$id$resp_h];
+		}
+
+	local conn = get_conn(c);
+
+	local ch = get_channel(conn, channel);
+	ch$topic_history[|ch$topic_history| + 1] = ch$topic;
+	ch$topic = topic;
+
+	if ( c$id in bot_conns )
+		{
+		do_log(c, fmt("TOPIC channel=%s topic=\"%s\"", channel, topic));
+
+		local s = split(topic, / /);
+		for ( i in s )
+			{
+			local w = s[i];
+			if ( w == /[a-zA-Z]+:\/\/.*/ )
+				{
+				add urls[w];
+				do_log(c, fmt("URL channel=%s url=\"%s\"",
+						channel, w));
+				}
+			}
+		}
+	}
+
+event irc_nick_message(c: connection, who: string, newnick: string)
+	{
+	if ( bot_nicks in newnick )
+		{
+		do_log_force(c, fmt("Matching NICK %s", newnick));
+		add potential_bot_clients[c$id$orig_h];
+		}
+
+	local conn = get_conn(c);
+	conn$client$nick = newnick;
+
+	do_log(c, fmt("NICK who=%s nick=%s", who, newnick));
+	}
+
+event irc_password_message(c: connection, password: string)
+	{
+	local conn = get_conn(c);
+	add conn$server$passwords[password];
+
+	do_log(c, fmt("PASS password=%s", password));
+	}
+
+event irc_privmsg_message(c: connection, source: string, target: string,
+				message: string)
+	{
+	log_msg(c, "privmsg", source, fmt("->%s %s", target, message));
+	}
+
+event irc_notice_message(c: connection, source: string, target: string,
+				message: string)
+	{
+	log_msg(c, "notice", source, fmt("->%s %s", target, message));
+	}
+
+event irc_global_users(c: connection, prefix: string, msg: string)
+	{
+	local conn = get_conn(c);
+
+	# Better would be to parse the message to extract the counts.
+	conn$server$global_users = msg;
+
+	log_msg(c, "globalusers", prefix, msg);
+	}
diff --git a/policy/irc.bro b/policy/irc.bro
new file mode 100644
index 0000000000..27b905528a
--- /dev/null
+++ b/policy/irc.bro
@@ -0,0 +1,689 @@
+# $Id: irc.bro 4758 2007-08-10 06:49:23Z vern $
+
+@load conn-id
+@load notice
+@load weird
+
+@load signatures
+
+module IRC;
+
+export {
+	const log_file = open_log_file("irc") &redef;
+
+	type irc_user: record {
+		u_nick: string;		# nick name
+		u_real: string;		# real name
+		u_host: string;		# client host
+		u_channels: set[string];	# channels the user is member of
+		u_is_operator: bool;	# user is server operator
+		u_conn: connection;	# connection handle
+	};
+
+	type irc_channel: record {
+		c_name: string;		# channel name
+		c_users: set[string];	# users in channel
+		c_ops: set[string];	# channel operators
+		c_type: string;		# channel type
+		c_modes: string;	# channel modes
+		c_topic: string;	# channel topic
+	};
+
+	global expired_user:
+		function(t: table[string] of irc_user, idx: string): interval;
+	global expired_channel:
+		function(t: table[string] of irc_channel, idx: string): interval;
+
+	# Commands to ignore in irc_request/irc_message.
+	const ignore_in_other_msgs = { "PING", "PONG", "ISON" } &redef;
+
+	# Return codes to ignore in irc_response
+	const ignore_in_other_responses: set[count] = {
+		303 # RPL_ISON
+	} &redef;
+
+	# Active users, indexed by nick.
+	global active_users: table[string] of irc_user &read_expire = 6 hrs
+		&expire_func = expired_user &redef;
+
+	# Active channels, indexed by channel name.
+	global active_channels: table[string] of irc_channel
+					&read_expire = 6 hrs
+					&expire_func = expired_channel &redef;
+
+	# Strings that generate a notice if found in session dialog.
+	const hot_words =
+		  /.*etc\/shadow.*/
+		| /.*etc\/ldap.secret.*/
+		| /.*phatbot.*/
+		| /.*botnet.*/
+	&redef;
+
+	redef enum Notice += {
+		IRC_HotWord,
+	};
+}
+
+
+# IRC ports.  This could be widened to 6660-6669, say.
+redef capture_filters += { ["irc-6666"] = "port 6666" };
+redef capture_filters += { ["irc-6667"] = "port 6667" };
+
+# DPM configuration.
+global irc_ports = { 6666/tcp, 6667/tcp } &redef;
+redef dpd_config += { [ANALYZER_IRC] = [$ports = irc_ports] };
+
+redef Weird::weird_action += {
+	["irc_invalid_dcc_message_format"]	= Weird::WEIRD_FILE,
+	["irc_invalid_invite_message_format"]	= Weird::WEIRD_FILE,
+	["irc_invalid_kick_message_format"]	= Weird::WEIRD_FILE,
+	["irc_invalid_line"]	= Weird::WEIRD_FILE,
+	["irc_invalid_mode_message_format"]	= Weird::WEIRD_FILE,
+	["irc_invalid_names_line"]	= Weird::WEIRD_FILE,
+	["irc_invalid_njoin_line"]	= Weird::WEIRD_FILE,
+	["irc_invalid_notice_message_format"]	= Weird::WEIRD_FILE,
+	["irc_invalid_oper_message_format"]	= Weird::WEIRD_FILE,
+	["irc_invalid_privmsg_message_format"]	= Weird::WEIRD_FILE,
+	["irc_invalid_reply_number"]	= Weird::WEIRD_FILE,
+	["irc_invalid_squery_message_format"]	= Weird::WEIRD_FILE,
+	["irc_invalid_who_line"]	= Weird::WEIRD_FILE,
+	["irc_invalid_who_message_format"]	= Weird::WEIRD_FILE,
+	["irc_invalid_whois_channel_line"]	= Weird::WEIRD_FILE,
+	["irc_invalid_whois_message_format"]	= Weird::WEIRD_FILE,
+	["irc_invalid_whois_operator_line"]	= Weird::WEIRD_FILE,
+	["irc_invalid_whois_user_line"]	= Weird::WEIRD_FILE,
+	["irc_line_size_exceeded"]	= Weird::WEIRD_FILE,
+	["irc_line_too_short"]	= Weird::WEIRD_FILE,
+	["irc_partial_request"]	= Weird::WEIRD_FILE,
+	["irc_too_many_invalid"]	= Weird::WEIRD_FILE,
+};
+
+# # IRC servers to identify server-to-server connections.
+# redef irc_servers = {
+# 	# German IRCnet servers
+# 	irc.leo.org,
+# 	irc.fu-berlin.de,
+# 	irc.uni-erlangen.de,
+# 	irc.belwue.de,
+# 	irc.freenet.de,
+# 	irc.tu-ilmenau.de,
+# 	irc.rz.uni-karlsruhe.de,
+# };
+
+global conn_list: table[conn_id] of count;
+global conn_ID = 0;
+global check_connection: function(c: connection);
+
+function irc_check_hot(c: connection, s: string, context: string)
+	{
+	if ( s == hot_words )
+		NOTICE([$note=IRC_HotWord, $conn=c,
+			$msg=fmt("IRC hot word in: %s", context)]);
+	}
+
+function log_activity(c: connection, msg: string)
+	{
+	print log_file, fmt("%.6f #%s %s",
+				network_time(), conn_list[c$id], msg);
+	}
+
+event connection_state_remove(c: connection)
+	{
+	delete conn_list[c$id];
+	}
+
+event irc_request(c: connection, prefix: string,
+			command: string, arguments: string)
+	{
+	check_connection(c);
+
+	local context = fmt("%s %s", command, arguments);
+	irc_check_hot(c, command, context);
+	irc_check_hot(c, arguments, context);
+
+	if ( command !in ignore_in_other_msgs )
+		log_activity(c, fmt("other request%s%s: %s",
+					prefix == "" ? "" : " ",
+					prefix, context));
+	}
+
+event irc_reply(c: connection, prefix: string, code: count, params: string)
+	{
+	check_connection(c);
+
+	local context = fmt("%s %s", code, params);
+	irc_check_hot(c, params, context);
+
+	if ( code !in ignore_in_other_responses )
+		log_activity(c, fmt("other response from %s: %s",
+					prefix, context));
+	}
+
+event irc_message(c: connection, prefix: string,
+			command: string, message: string)
+	{
+	check_connection(c);
+
+	# Sanity checks whether this is indeed IRC.
+	#
+	# If we happen to parse an HTTP connection, the server "commands" will
+	# end with ":".
+	if ( command == /.*:$/ )
+		{
+		local aid = current_analyzer();
+		event protocol_violation(c, ANALYZER_IRC, aid, "broken server response");
+		return;
+		}
+
+	local context = fmt("%s %s", command, message);
+	irc_check_hot(c, command, context);
+	irc_check_hot(c, message, context);
+
+	if ( command !in ignore_in_other_msgs )
+		log_activity(c, fmt("other server message from %s: %s",
+					prefix, context));
+	}
+
+event irc_user_message(c: connection, user: string, host: string,
+			server: string, real_name: string)
+	{
+	check_connection(c);
+
+	log_activity(c, fmt("new user, user='%s', host='%s', server='%s', real = '%s'",
+				user, host, server, real_name));
+
+	if ( user in active_users )
+		active_users[user]$u_conn = c;
+	else
+		{
+		local u: irc_user;
+		u$u_nick = user;
+		u$u_real = real_name;
+		u$u_conn = c;
+		u$u_host = "";
+		u$u_is_operator = F;
+		active_users[user] = u;
+		}
+	}
+
+event irc_quit_message(c: connection, nick: string, message: string)
+	{
+	check_connection(c);
+
+	log_activity(c, fmt("user '%s' leaving%s", nick,
+				message == "" ? "" : fmt(", \"%s\"", message)));
+
+	# Remove from lists.
+	if ( nick in active_users )
+		{
+		delete active_users[nick];
+		for ( my_channel in active_channels )
+			delete active_channels[my_channel]$c_users[nick];
+		}
+	}
+
+function check_message(c: connection, source: string, target: string,
+			msg: string, msg_type: string)
+	{
+	check_connection(c);
+	irc_check_hot(c, msg, msg);
+	log_activity(c, fmt("%s%s to '%s': %s", msg_type,
+				source != "" ? fmt(" from '%s'", source) : "",
+				target, msg));
+	}
+
+event irc_privmsg_message(c: connection, source: string, target: string,
+				message: string)
+	{
+	check_message(c, source, target, message, "message");
+	}
+
+event irc_notice_message(c: connection, source: string, target: string,
+				message: string)
+	{
+	check_message(c, source, target, message, "notice");
+	}
+
+event irc_squery_message(c: connection, source: string, target: string,
+				message: string)
+	{
+	check_message(c, source, target, message, "squery");
+	}
+
+event irc_join_message(c: connection, info_list: irc_join_list)
+	{
+	check_connection(c);
+
+	for ( l in info_list )
+		{
+		log_activity(c, fmt("user '%s' joined '%s'%s",
+					l$nick, l$channel,
+					l$password != "" ?
+						fmt("with password '%s'",
+							l$password) : ""));
+
+		if ( l$nick == "" )
+			next;
+
+		if ( l$nick in active_users )
+			add (active_users[l$nick]$u_channels)[l$channel];
+		else
+			{
+			local user: irc_user;
+			user$u_nick = l$nick;
+			user$u_real = "";
+			user$u_conn = c;
+			user$u_host = "";
+			user$u_is_operator = F;
+			add user$u_channels[l$channel];
+
+			active_users[l$nick] = user;
+			}
+
+		# Add channel to lists.
+		if ( l$channel in active_channels )
+			add (active_channels[l$channel]$c_users)[l$nick];
+		else
+			{
+			local my_c: irc_channel;
+			my_c$c_name = l$channel;
+			add my_c$c_users[l$nick];
+
+			my_c$c_type = my_c$c_modes = "";
+
+			active_channels[l$channel] = my_c;
+			}
+		}
+	}
+
+event irc_part_message(c: connection, nick: string,
+			chans: string_set, message: string)
+	{
+	check_connection(c);
+
+	local channel_str = "";
+	for ( ch in chans )
+		channel_str = channel_str == "" ?
+			ch : fmt("%s, %s", channel_str, ch);
+
+	log_activity(c, fmt("%s channel '%s'%s",
+				nick == "" ? "leaving" :
+					fmt("user '%s' leaving", nick),
+				channel_str,
+				message == "" ?
+					"" : fmt("with message '%s'", message)));
+
+	# Remove user from channel.
+	if ( nick == "" )
+		return;
+
+	for ( ch in active_channels )
+		{
+		delete (active_channels[ch]$c_users)[nick];
+		delete (active_channels[ch]$c_ops)[nick];
+		if ( nick in active_users )
+			delete (active_users[nick]$u_channels)[ch];
+		}
+	}
+
+event irc_nick_message(c: connection, who: string, newnick: string)
+	{
+	check_connection(c);
+
+	log_activity(c, fmt("%s nick name to '%s'",
+				who == "" ?  "changing" :
+						fmt("user '%s' changing", who),
+				newnick));
+	}
+
+event irc_invalid_nick(c: connection)
+	{
+	check_connection(c);
+	log_activity(c, "changing nick name failed");
+	}
+
+event irc_network_info(c: connection, users: count, services: count,
+			servers: count)
+	{
+	check_connection(c);
+	log_activity(c, fmt("network includes %d users, %d services, %d servers",
+				users, services, servers));
+	}
+
+event irc_server_info(c: connection, users: count, services: count,
+			servers: count)
+	{
+	check_connection(c);
+	log_activity(c, fmt("server includes %d users, %d services, %d peers",
+				users, services, servers));
+	}
+
+event irc_channel_info(c: connection, chans: count)
+	{
+	check_connection(c);
+	log_activity(c, fmt("network includes %d channels", chans));
+	}
+
+event irc_who_line(c: connection, target_nick: string, channel: string,
+			user: string, host: string, server: string,
+			nick: string, params: string, hops: count,
+			real_name: string)
+	{
+	check_connection(c);
+
+	log_activity(c, fmt("channel '%s' includes '%s' on %s connected to %s with nick '%s', real name '%s', params %s",
+				channel, user, host, server,
+				nick, real_name, params));
+
+	if ( nick == "" || channel == "" )
+		return;
+
+	if ( nick in active_users )
+		active_users[nick]$u_conn = c;
+
+	else
+		{
+		local myuser: irc_user;
+		myuser$u_nick = nick;
+		myuser$u_real = real_name;
+		myuser$u_conn = c;
+		myuser$u_host = host;
+		myuser$u_is_operator = F;
+		add myuser$u_channels[channel];
+
+		active_users[nick] = myuser;
+
+		if ( channel in active_channels )
+			add (active_channels[channel]$c_users)[nick];
+		else
+			{
+			local my_c: irc_channel;
+			my_c$c_name = channel;
+			add my_c$c_users[nick];
+			my_c$c_type = "";
+			my_c$c_modes = "";
+
+			active_channels[channel] = my_c;
+			}
+		}
+	}
+
+event irc_who_message(c: connection, mask: string, oper: bool)
+	{
+	check_connection(c);
+
+	log_activity(c, fmt("WHO with mask %s%s", mask,
+				oper ? ", only operators" : ""));
+	}
+
+event irc_whois_message(c: connection, server: string, users: string)
+	{
+	check_connection(c);
+
+	log_activity(c, fmt("WHOIS%s for user(s) %s",
+				server == "" ?
+					server : fmt(" to server %s", server),
+				users));
+	}
+
+event irc_whois_user_line(c: connection, nick: string,
+				user: string, host: string, real_name: string)
+	{
+	check_connection(c);
+
+	log_activity(c, fmt("user '%s' with nick '%s' on host %s has real name '%s'",
+				user, nick, host, real_name));
+
+	if ( nick in active_users )
+		{
+		active_users[nick]$u_real = real_name;
+		active_users[nick]$u_host = host;
+		}
+	else
+		{
+		local u: irc_user;
+		u$u_nick = nick;
+		u$u_real = real_name;
+		u$u_conn = c;
+		u$u_host = host;
+		u$u_is_operator = F;
+
+		active_users[nick] = u;
+		}
+	}
+
+event irc_whois_operator_line(c: connection, nick: string)
+	{
+	check_connection(c);
+	log_activity(c, fmt("user '%s' is an IRC operator", nick));
+
+	if ( nick in active_users )
+		active_users[nick]$u_is_operator = T;
+	else
+		{
+		local u: irc_user;
+		u$u_nick = nick;
+		u$u_real = "";
+		u$u_conn = c;
+		u$u_host = "";
+		u$u_is_operator = T;
+
+		active_users[nick] = u;
+		}
+	}
+
+event irc_whois_channel_line(c: connection, nick: string, chans: string_set)
+	{
+	check_connection(c);
+
+	local message = fmt("user '%s' is on channels:", nick);
+	for ( channel in chans )
+		message = fmt("%s %s", message, channel);
+
+	log_activity(c, message);
+
+	if ( nick in active_users )
+		{
+		for ( ch in chans )
+			add active_users[nick]$u_channels[ch];
+		}
+	else
+		{
+		local u: irc_user;
+		u$u_nick = nick;
+		u$u_real = "";
+		u$u_conn = c;
+		u$u_host = "";
+		u$u_is_operator = F;
+		u$u_channels = chans;
+
+		active_users[nick] = u;
+		}
+
+	for ( ch in chans )
+		{
+		if ( ch in active_channels )
+			add (active_channels[ch]$c_users)[nick];
+		else
+			{
+			local my_c: irc_channel;
+			my_c$c_name = ch;
+			add my_c$c_users[nick];
+			my_c$c_type = "";
+			my_c$c_modes = "";
+
+			active_channels[ch] = my_c;
+			}
+		}
+	}
+
+event irc_oper_message(c: connection, user: string, password: string)
+	{
+	check_connection(c);
+	log_activity(c, fmt("user requests operator status with name '%s', password '%s'",
+				user, password));
+	}
+
+event irc_oper_response(c: connection, got_oper: bool)
+	{
+	check_connection(c);
+	log_activity(c, fmt("user %s operator status",
+				got_oper ? "received" : "did not receive"));
+	}
+
+event irc_kick_message(c: connection, prefix: string, chans: string,
+			users: string, comment: string)
+	{
+	check_connection(c);
+	log_activity(c, fmt("user '%s' requested to kick '%s' from channel(s) %s with comment %s",
+				prefix, users, chans, comment));
+	}
+
+event irc_error_message(c: connection, prefix: string, message: string)
+	{
+	check_connection(c);
+	log_activity(c, fmt("error message%s: %s",
+				prefix == "" ? "" : fmt("from '%s'", prefix),
+				message));
+	}
+
+event irc_invite_message(c: connection, prefix: string,
+				nickname: string, channel: string)
+	{
+	check_connection(c);
+	log_activity(c, fmt("'%s' invited to channel %s%s",
+				nickname, channel,
+				prefix == "" ? "" : fmt(" by %s", prefix)));
+	}
+
+event irc_mode_message(c: connection, prefix: string, params: string)
+	{
+	check_connection(c);
+	log_activity(c, fmt("mode command%s: %s",
+				prefix == "" ? "" : fmt(" from '%s'", prefix),
+				params));
+	}
+
+event irc_squit_message(c: connection, prefix: string,
+			server: string, message: string)
+	{
+	check_connection(c);
+
+	log_activity(c, fmt("server disconnect attempt%s for %s with comment %s",
+				prefix == "" ? "" : fmt(" from '%s'", prefix),
+				server, message));
+	}
+
+event irc_names_info(c: connection, c_type: string, channel: string,
+			users: string_set)
+	{
+	check_connection(c);
+
+	local chan_type =
+		c_type == "@" ? "secret" :
+			(c_type == "*" ? "private" : "public");
+
+	local message = fmt("channel '%s' (%s) contains users:",
+				channel, chan_type);
+
+	for ( user in users )
+		message = fmt("%s %s", message, user);
+
+	log_activity(c, message);
+
+	if ( channel in active_channels )
+		{
+		for ( u in users )
+			add (active_channels[channel]$c_users)[u];
+		}
+	else
+		{
+		local my_c: irc_channel;
+		my_c$c_name = channel;
+		my_c$c_users = users;
+		my_c$c_type = "";
+		my_c$c_modes = "";
+
+		active_channels[channel] = my_c;
+		}
+
+	for ( nick in users )
+		{
+		if ( nick in active_users )
+			add (active_users[nick]$u_channels)[channel];
+		else
+			{
+			local usr: irc_user;
+			usr$u_nick = nick;
+			usr$u_real = "";
+			usr$u_conn = c;
+			usr$u_host = "";
+			usr$u_is_operator = F;
+			add usr$u_channels[channel];
+
+			active_users[nick] = usr;
+			}
+		}
+	}
+
+event irc_dcc_message(c: connection, prefix: string, target: string,
+			dcc_type: string, argument: string,
+			address: addr, dest_port: count, size: count)
+	{
+	check_connection(c);
+
+	log_activity(c, fmt("DCC %s invitation for '%s' to host %s on port %s%s",
+				dcc_type, target, address, dest_port,
+				dcc_type == "SEND" ?
+					fmt(" (%s: %s bytes)", argument, size) :
+					""));
+	}
+
+event irc_channel_topic(c: connection, channel: string, topic: string)
+	{
+	check_connection(c);
+	log_activity(c, fmt("topic for %s is '%s'", channel, topic));
+	}
+
+event irc_password_message(c: connection, password: string)
+	{
+	check_connection(c);
+	log_activity(c, fmt("password %s", password));
+	}
+
+function expired_user(t: table[string] of irc_user, idx: string): interval
+	{
+	for ( my_c in active_users[idx]$u_channels )
+		{
+		suspend_state_updates();
+		delete active_channels[my_c]$c_users[idx];
+		delete active_channels[my_c]$c_ops[idx];
+		resume_state_updates();
+		}
+
+	return 0 secs;
+	}
+
+function expired_channel(t:table[string] of irc_channel, idx: string): interval
+	{
+	for ( my_u in active_channels[idx]$c_users )
+		if ( my_u in active_users )
+			delete active_users[my_u]$u_channels[idx];
+		# Else is there a possible state leak?  How could it not
+		# be in active_users?  Yet sometimes it isn't, which
+		# is why we needed to add the above test.
+
+	return 0 secs;
+	}
+
+function check_connection(c: connection)
+	{
+	if ( c$id !in conn_list )
+		{
+		++conn_ID;
+		append_addl(c, fmt("#%d", conn_ID));
+		conn_list[c$id] = conn_ID;
+
+		log_activity(c, fmt("new connection %s", id_string(c$id)));
+		}
+	}
diff --git a/policy/large-conns.bro b/policy/large-conns.bro
new file mode 100644
index 0000000000..7c55c8ff1c
--- /dev/null
+++ b/policy/large-conns.bro
@@ -0,0 +1,336 @@
+# $Id: large-conns.bro 1332 2005-09-07 17:39:17Z vern $
+
+# Written by Chema Gonzalez.
+
+
+# Estimates the size of large "flows" (i.e., each direction of a TCP
+# connection) by noting when their sequence numbers cross a set of regions
+# in the sequence space.  This can be done using a static packet filter,
+# so is very efficient.  It works for (TCP) traffic that Bro otherwise doesn't
+# see.
+
+# Usage
+#
+# 1) Set the appropriate number_of_regions and region_size:
+#
+#    Modify the number_of_regions and (perhaps) region_size global
+#    variables.  You do this *prior* to loading this script, so
+#    for example:
+#
+#	const number_of_regions = 32;
+#	@load large-conns
+#
+#    You do *not* redef them like you would with other script variables
+#    (this is because they need to be used directly in the initializations
+#    of other variables used by this script).
+#
+#    Note that number_of_regions affects the granularity
+#    and definition of the script (see below).
+#
+# 2) To get an estimate of the true size of a flow, call:
+#
+#	function estimate_flow_size_and_remove(cid: conn_id, orig: bool):
+#								flow_size_est
+#
+#    If orig=T, then an estimate of the size of the forward (originator)
+#    direction is returned.  If orig=F, then the reverse (responder)
+#    direction is returned.  In both cases, what's returned is a
+#    flow_size_est, which includes a flag indicating whether there was
+#    any estimate formed, and, if the flag is T, a lower bound, an upper bound,
+#    and an inconsistency-count (which, if > 0, means that the estimates
+#    came from sequence numbers that were inconsistent, and thus something
+#    is wrong - perhaps packet drops by the secondary filter).  Finally,
+#    calling this function causes the flow's record to be deleted.  Perhaps
+#    at some point we'll need to add a version that just retrieves the
+#    estimate.
+
+type flow_size_est: record {
+	have_est: bool;
+	lower: double &optional;
+	upper: double &optional;
+	num_inconsistent: count &optional;
+};
+
+global estimate_flow_size_and_remove:
+	function(cid: conn_id, orig: bool): flow_size_est;
+
+module LargeConn;
+
+
+# Rationale
+#
+# One of the mechanisms that Bro uses to detect large TCP flows is 
+# to calculate the difference in the sequence number (seq) field contents 
+# between the last packet (FIN or RST) and the first packet (SYN). This 
+# method may be wrong if a) the seq number is busted (which can happen
+# frequently with RST termination), or b) the seq number wraps around
+# the 4GB sequence number space (note that this is OK for TCP while
+# there is no ambiguity on what a packet's sequence number means,
+# due to its use of a window <= 2 GB in size).
+#
+# The purpose of this script is to resolve these ambiguities. In other 
+# words, help with differentiating truly large flows from flows with
+# a busted seq, and detecting very large flows that wrap around the
+# 4GB seq space. 
+#
+# To do so, large-flow listens to a small group of thin regions in
+# the sequence space, located at equal distances from each other. The idea 
+# is that a truly large flow will pass through the regions in 
+# an orderly fashion, maybe several times. This script keeps track of 
+# all packets that pass through any of the regions, counting the number 
+# of times a packet from a given flow passes through consecutive regions. 
+#
+# Note that the exact number of regions, and the size of each region, can 
+# be controlled by redefining the global variables number_of_regions 
+# and region_size, respectively.  Both should be powers of two (if not,
+# they are rounded to be such), and default to 4 and 16KB, respectively. 
+# The effect of varying these parameters is the following:
+#
+# - Increasing number_of_regions will increase the granularity of the 
+#   script, at the cost of elevating its cost in both processing (more 
+#   packets will be seen) and memory (more flows will be seen). 
+#   The granularity of the script is defined as the minimum variation 
+#   in size the script can see. Its value is: 
+#
+#     granularity = (4GB / number_of_regions)
+#
+#   For example, if we're using 4 regions, the minimum flow size difference
+#   that the script can see is 1GB.
+#
+#   number_of_regions also affects the script definition, defined as the 
+#   smallest size of a flow which ensures that the flow will be seen by
+#   the script. The script definition is:
+#
+#     definition = (2 * granularity)
+#
+#   The script sees no flow smaller than the granularity, some flows with
+#   size between granularity and definition, and all flows larger than
+#   definition. In our example, the script definition is 2GB (it will see
+#   for sure only flows bigger than 2GB). 
+#
+# - Increasing region_size will only increase the resilience of the script 
+#   to lost packets, at the cost of augmenting the cost in both processing 
+#   and memory (see above). The default value of 16 KB is chosen to work
+#   in the presence of largish packets without too much additional work.
+
+# Set up defaults, unless the user has already specified these.  Note that
+# these variables are *not* redef'able, since they are used in initializations
+# later in this script (so a redef wouldn't be "seen" in time).
+@ifndef ( number_of_regions )
+	const number_of_regions = 4;
+@endif
+@ifndef ( region_size )
+	const region_size = 16 * 1024;	# 16 KB
+@endif
+
+
+# Track the regions visited for each flow.
+type t_info: record {
+	last_region: count;	# last region visited
+	num_regions: count;	# number of regions visited
+	num_inconsistent: count;	# num. inconsistent region crossings
+};
+
+# The state expiration for this table needs to be generous, as it's
+# for tracking very large flows, which could be quite long-lived.
+global flow_region_info: table[conn_id] of t_info &write_expire = 6 hr;
+
+
+# Returns the integer logarithm in base b.
+function logarithm(base: count, x: count): count
+	{
+	if ( x < base )
+		return 0;
+	else
+		return 1 + logarithm(base, x / base);
+	}
+
+
+# Function used to get around Bro's lack of real ordered loop.
+function do_while(i: count, max: count, total: count,
+			f: function(i: count, total: count): count): count
+	{
+	if ( i >= max )
+		return total;
+	else
+		return do_while(++i, max, f(--i, total), f);
+	}
+
+function fn_mask_location(i: count, total: count): count
+	{
+	return total * 2 + 1;
+	}
+
+function fn_filter_location(i: count, total: count): count
+	{
+	# The location pattern is 1010101010...
+	return total * 2 + (i % 2 == 0 ? 1 : 0);
+	}
+
+function fn_common_region_size(i: count, total: count): count
+	{
+	return total * 2;
+	}
+
+
+function get_interregion_distance(number_of_regions: count,
+					region_size: count): count
+	{
+	local bits_number_of_regions = logarithm(2, number_of_regions);
+	local bits_other = int_to_count(32 - bits_number_of_regions);
+
+	return do_while(0, bits_other, 1, fn_common_region_size);
+	}
+
+
+global interregion_distance =
+	get_interregion_distance(number_of_regions, region_size);
+
+
+# Returns an estiamte of size of the flow (one direction of a TCP connection)
+# that this script has seen. This is based on the number of consecutive
+# regions a flow has visited, weighted with the distance between regions.  
+#
+# We know that the full sequence number space accounts for 4GB. This 
+# space comprises number_of_regions regions, separated from each other 
+# a (4GB / number_of_regions) distance. If a flow has been seen 
+# in X consecutive regions, it means that the size of the flow is 
+# greater than ((X - 1) * distance_between_regions) GB. 
+#
+# Note that seeing a flow in just one region is no different from 
+# not seeing it at all. 
+function estimate_flow_size_and_remove(cid: conn_id, orig: bool): flow_size_est
+	{
+	local id = orig ? cid :
+			  [$orig_h = cid$resp_h, $orig_p = cid$resp_p,
+			   $resp_h = cid$orig_h, $resp_p = cid$orig_p];
+
+	if ( id !in flow_region_info )
+		return [$have_est = F];
+
+	local regions_crossed =
+		int_to_count(flow_region_info[id]$num_regions - 1);
+
+	local lower = regions_crossed * interregion_distance * 1.0;
+	local upper = lower + interregion_distance * 2.0;
+	local num_inconsis = flow_region_info[id]$num_inconsistent;
+
+	delete flow_region_info[id];
+
+	return [$have_est = T, $lower = lower, $upper = upper,
+		$num_inconsistent = num_inconsis];
+	}
+
+
+# Returns a tcpdump filter corresponding to the number of regions and 
+# region size requested by the user.
+#
+# How to calculate the tcpdump filter used to hook packet_event to the 
+# secondary filter system?  We are interested only in TCP packets whose
+# seq number belongs to any of the test slices. Let's focus on the case
+# of 4 regions, 16KB per region.
+#
+# The mask should be: [ x x  L L L ... L L L  x x ... x ]
+#                      <---><---------------><--------->
+#                       |          |            |
+#                       |          |            +-> suffix: region size
+#                       |          +-> location: remaining bits
+#                       +-> prefix: number of equidistant regions
+#
+# The 32-bit seq number is masked as follows: 
+#
+#   - suffix: defines size of the regions (16KB implies log_2(16KB) = 14 bits)
+#
+#   - location: defines the exact location of the 4 regions. Note that, to 
+#     minimize the amount of data we keep, the location will be distinct from
+#     zero, so segments with seq == 0 are not in a valid region
+#
+#   - prefix: defines number of regions (4 implies log_2(4) = 2 bits)
+#
+# E.g., the mask will be seq_number & 0011...1100..00_2 = 00LL..LL00..00_2,
+# which, by setting the location to 1010101010101010, will finally be
+# seq_number & 0011...1100..00_2 = 00101010101010101000..00_2, i.e., 
+# seq_number & 0x3fffc000 = 0x2aaa8000. 
+#
+# For that particular parameterization, we'd like to wind up with a
+# packet event filter of "(tcp[4:4] & 0x3fffc000) == 0x2aaa8000".
+
+function get_event_filter(number_of_regions: count, region_size: count): string
+	{
+	local bits_number_of_regions = logarithm(2, number_of_regions);
+	local bits_region_size = logarithm(2, region_size);
+	local bits_remaining = 
+		int_to_count(32 - bits_number_of_regions - bits_region_size);
+
+	# Set the bits corresponding to the location:
+	#	i = 0;
+	#	while ( i < bits_remaining )
+	#		{
+	#		mask = (mask * 2) + 1;
+	#		filter = (filter * 2) + (((i % 2) == 0) ? 1 : 0);
+	#		++i;
+	#		}
+	local mask = do_while(0, bits_remaining, 0, fn_mask_location);
+	local filter = do_while(0, bits_remaining, 0, fn_filter_location);
+
+	# Set the bits corrsponding to the region size
+	#	i = 0;
+	#	while ( i < bits_region_size )
+	#		{
+	#		mask = mask * 2;
+	#		filter = filter * 2;
+	#		++i;
+	#		}
+	mask = do_while(0, bits_region_size, mask, fn_common_region_size);
+	filter = do_while(0, bits_region_size, filter, fn_common_region_size);
+
+	return fmt("(tcp[4:4] & 0x%x) == 0x%x", mask, filter);
+	}
+
+
+# packet_event --
+#
+# This event is raised once per (TCP) packet falling into any of the regions. 
+# It updates the flow_region_info table. 
+event packet_event(filter: string, pkt: pkt_hdr)
+	{
+	# Distill the region from the seq number.
+	local region = pkt$tcp$seq / interregion_distance;
+
+	# Get packet info and update global counters.
+	local cid = [$orig_h = pkt$ip$src, $orig_p = pkt$tcp$sport,
+			$resp_h = pkt$ip$dst, $resp_p = pkt$tcp$dport];
+
+	if ( cid !in flow_region_info )
+		{
+		flow_region_info[cid] =
+			[$last_region = region, $num_regions = 1,
+			 $num_inconsistent = 0];
+		return;
+		}
+
+	local info = flow_region_info[cid];
+	local next_region = (info$last_region + 1) % number_of_regions;
+
+	if ( region == next_region )
+		{ # flow seen in the next region
+		info$last_region = region;
+		++info$num_regions;
+		}
+
+	else if ( region == info$last_region )
+		{ # flow seen in the same region, ignore
+		}
+	else 
+		{
+		# Flow seen in another region (not the next one).
+		info$last_region = region;
+		info$num_regions = 1;	# restart accounting
+		++info$num_inconsistent;
+		}
+	}
+
+
+# Glue the filter into the secondary filter hookup.
+global packet_event_filter = get_event_filter(number_of_regions, region_size);
+redef secondary_filters += { [packet_event_filter] = packet_event };
diff --git a/policy/listen-clear.bro b/policy/listen-clear.bro
new file mode 100644
index 0000000000..0922bc053e
--- /dev/null
+++ b/policy/listen-clear.bro
@@ -0,0 +1,16 @@
+# $Id: listen-clear.bro 416 2004-09-17 03:52:28Z vern $
+#
+# Listen for other Bros (non-SSL).
+
+@load remote
+
+# On which port to listen.
+const listen_port_clear = Remote::default_port_clear &redef;
+
+# On which IP to bind (0.0.0.0 for any interface)
+const listen_if_clear = 0.0.0.0 &redef;
+
+event bro_init()
+	{
+	listen(listen_if_clear, listen_port_clear, F);
+	}
diff --git a/policy/listen-ssl.bro b/policy/listen-ssl.bro
new file mode 100644
index 0000000000..fdf22a8e30
--- /dev/null
+++ b/policy/listen-ssl.bro
@@ -0,0 +1,16 @@
+# $Id: listen-ssl.bro 1015 2005-01-31 13:46:50Z kreibich $
+#
+# Listen for other Bros (SSL).
+
+@load remote
+
+# On which port to listen.
+const listen_port_ssl = Remote::default_port_ssl &redef;
+
+# On which IP to bind (0.0.0.0 for any interface)
+const listen_if_ssl = 0.0.0.0 &redef;
+
+event bro_init()
+	{
+	listen(listen_if_ssl, listen_port_ssl, T);
+	}
diff --git a/policy/load-level.bro b/policy/load-level.bro
new file mode 100644
index 0000000000..b8f9730bde
--- /dev/null
+++ b/policy/load-level.bro
@@ -0,0 +1,194 @@
+# $Id: load-level.bro 1904 2005-12-14 03:27:15Z vern $
+#
+# Support for shedding/reinstating load.
+
+@load notice
+
+# If no load_level is given, a filter is always activated.
+#
+# If a level is given for a filter (using the same ID than in
+# {capture,restrict}_filter), then:
+#
+#     -  a capture_filter is activated if current load_level is <=
+#     -  a restrict_filter is activated if current load_level is >=
+
+global capture_load_levels: table[string] of PcapFilterID &redef;
+global restrict_load_levels: table[string] of PcapFilterID &redef;
+
+redef enum PcapFilterID += {
+	LoadLevel1, LoadLevel2, LoadLevel3, LoadLevel4, LoadLevel5,
+	LoadLevel6, LoadLevel7, LoadLevel8, LoadLevel9, LoadLevel10,
+};
+
+const Levels = {
+	LoadLevel1, LoadLevel2, LoadLevel3, LoadLevel4, LoadLevel5,
+	LoadLevel6, LoadLevel7, LoadLevel8, LoadLevel9, LoadLevel10
+};
+
+# The load-level cannot not leave this interval.
+const MinLoad = LoadLevel1;
+const MaxLoad = LoadLevel10;
+
+# The initial load-level.
+global default_load_level = LoadLevel10 &redef;
+
+# Set to 0 to turn off any changes of the filter.
+global can_adjust_filter = T &redef;
+
+global current_load_level = DefaultPcapFilter;
+
+global ll_file = open_log_file("load-level");
+
+# Interface functions for switching load levels.
+
+function set_load_level(level: PcapFilterID): bool
+	{
+	if ( level == current_load_level )
+		return T;
+
+	if ( ! can_adjust_filter )
+		{
+		print ll_file, fmt("%.6f can't set %s (load-levels are turned off)", network_time(), level);
+		return F;
+		}
+
+	if ( ! install_pcap_filter(level) )
+		{
+		print ll_file, fmt("%.6f can't set %s (install failed)", network_time(), level);
+
+		# Don't try again.
+		can_adjust_filter = F;
+		return F;
+		}
+
+	current_load_level = level;
+
+	print ll_file, fmt("%.6f switched to %s", network_time(), level);
+
+	return T;
+	}
+
+# Too bad that we can't use enums like integers...
+const IncreaseLoadLevelTab = {
+	[LoadLevel1] = LoadLevel2,
+	[LoadLevel2] = LoadLevel3,
+	[LoadLevel3] = LoadLevel4,
+	[LoadLevel4] = LoadLevel5,
+	[LoadLevel5] = LoadLevel6,
+	[LoadLevel6] = LoadLevel7,
+	[LoadLevel7] = LoadLevel8,
+	[LoadLevel8] = LoadLevel9,
+	[LoadLevel9] = LoadLevel10,
+	[LoadLevel10] = LoadLevel10,
+};
+
+const DecreaseLoadLevelTab = {
+	[LoadLevel1] = LoadLevel1,
+	[LoadLevel2] = LoadLevel1,
+	[LoadLevel3] = LoadLevel2,
+	[LoadLevel4] = LoadLevel3,
+	[LoadLevel5] = LoadLevel4,
+	[LoadLevel6] = LoadLevel5,
+	[LoadLevel7] = LoadLevel6,
+	[LoadLevel8] = LoadLevel7,
+	[LoadLevel9] = LoadLevel8,
+	[LoadLevel10] = LoadLevel9,
+};
+
+const LoadLevelToInt = {
+	[DefaultPcapFilter] = 0,
+	[LoadLevel1] = 1,
+	[LoadLevel2] = 2,
+	[LoadLevel3] = 3,
+	[LoadLevel4] = 4,
+	[LoadLevel5] = 5,
+	[LoadLevel6] = 6,
+	[LoadLevel7] = 7,
+	[LoadLevel8] = 8,
+	[LoadLevel9] = 9,
+	[LoadLevel10] = 10,
+};
+
+function increase_load_level()
+	{
+	set_load_level(IncreaseLoadLevelTab[current_load_level]);
+	}
+
+function decrease_load_level()
+	{
+	set_load_level(DecreaseLoadLevelTab[current_load_level]);
+	}
+
+
+# Internal functions.
+
+function load_level_error()
+	{
+	print ll_file, fmt("%.6f Error, switching back to DefaultPcapFilter",
+				network_time());
+
+	install_default_pcap_filter();
+
+	# Don't try changing the load level any more.
+	can_adjust_filter = F;
+	}
+
+function build_load_level_filter(level: PcapFilterID): string
+	{
+	# Build up capture_filter.
+	local cfilter = "";
+
+	for ( id in capture_filters )
+		{
+		if ( id !in capture_load_levels ||
+		     LoadLevelToInt[level] <= LoadLevelToInt[capture_load_levels[id]] )
+			cfilter = add_to_pcap_filter(cfilter, capture_filters[id], "or");
+		}
+
+	# Build up restrict_filter.
+	local rfilter = "";
+	for ( id in restrict_filters )
+		{
+		if ( id !in restrict_load_levels ||
+		     LoadLevelToInt[level] >= LoadLevelToInt[restrict_load_levels[id]] )
+			rfilter = add_to_pcap_filter(rfilter, restrict_filters[id], "and");
+		}
+
+	return join_filters(cfilter, rfilter);
+	}
+
+function precompile_load_level_filters(): bool
+	{
+	print ll_file, fmt("%.6f <<< Begin of precompilation", network_time() );
+
+	for ( i in Levels )
+		{
+		local filter = build_load_level_filter(i);
+
+		if ( ! precompile_pcap_filter(i, filter) )
+			{
+			print ll_file, fmt("%.6f Level %d: %s",
+				network_time(), LoadLevelToInt[i], pcap_error());
+			load_level_error();
+			return F;
+			}
+
+		print ll_file, fmt("%.6f  Level %2d: %s", network_time(), LoadLevelToInt[i], filter);
+		}
+
+	print ll_file, fmt("%.6f >>> End of precompilation", network_time() );
+
+	return T;
+	}
+
+
+event bro_init()
+	{
+	set_buf(ll_file, F);
+	precompile_load_level_filters();
+	set_load_level(default_load_level);
+
+	# Don't adjust the filter when reading a trace.
+	if ( ! reading_live_traffic() )
+		can_adjust_filter = F;
+	}
diff --git a/policy/load-sample.bro b/policy/load-sample.bro
new file mode 100644
index 0000000000..16b26580ab
--- /dev/null
+++ b/policy/load-sample.bro
@@ -0,0 +1,43 @@
+# $Id: load-sample.bro 1758 2005-11-22 00:58:10Z vern $
+
+# A simple form of profiling based on sampling the work done per-packet.
+# load_sample() is generated every load_sample_freq packets (roughly;
+# it's randomized).  For each sampled packet, "samples" contains a set
+# of the functions, event handlers, and their source files that were accessed
+# during the processing of that packet, along with an estimate of the
+# CPU cost of processing the packet and (currently broken) memory allocated/
+# freed.
+
+global sampled_count: table[string] of count &default = 0;
+global sampled_CPU: table[string] of interval &default = 0 sec;
+global sampled_mem: table[string] of int &default = +0;
+
+global num_samples = 0;
+global total_sampled_CPU = 0 sec;
+global total_sampled_mem = +0;
+
+event load_sample(samples: load_sample_info, CPU: interval, dmem: int)
+	{
+	++num_samples;
+	total_sampled_CPU += CPU;
+	total_sampled_mem += dmem;
+
+	if ( |samples| == 0 )
+		add samples["<nothing>"];
+
+	for ( i in samples )
+		{
+		++sampled_count[i];
+		sampled_CPU[i] += CPU;
+		sampled_mem[i] += dmem;
+		}
+	}
+
+event bro_done()
+	{
+	for ( i in sampled_CPU )
+		print fmt("%s: %d%% pkts, %.1f%% CPU",
+			i, sampled_count[i] * 100 / num_samples,
+			sampled_CPU[i] * 100 / total_sampled_CPU);
+			# sampled_mem[i] / total_sampled_mem;
+	}
diff --git a/policy/log-append.bro b/policy/log-append.bro
new file mode 100644
index 0000000000..440b78a894
--- /dev/null
+++ b/policy/log-append.bro
@@ -0,0 +1,10 @@
+# $Id: log-append.bro 2797 2006-04-23 05:56:24Z vern $
+
+# By default, logs are overwritten when opened, deleting the contents
+# of any existing log of the same name.  Loading this module changes the
+# behavior to appending.
+
+function open_log_file(tag: string): file
+	{
+	return open_for_append(log_file_name(tag));
+	}
diff --git a/policy/login.bro b/policy/login.bro
new file mode 100644
index 0000000000..26d32ca08c
--- /dev/null
+++ b/policy/login.bro
@@ -0,0 +1,680 @@
+# $Id: login.bro 6481 2008-12-15 00:47:57Z vern $
+
+@load notice
+@load weird
+@load hot-ids
+@load conn
+# scan.bro is needed for "account_tried" event.
+@load scan
+@load demux
+@load terminate-connection
+
+module Login;
+
+global telnet_ports = { 23/tcp } &redef;
+redef dpd_config += { [ANALYZER_TELNET] = [$ports = telnet_ports] };
+
+global rlogin_ports = { 513/tcp } &redef;
+redef dpd_config += { [ANALYZER_RLOGIN] = [$ports = rlogin_ports] };
+
+export {
+	redef enum Notice += {
+		SensitiveLogin,		# interactive login using sensitive username
+
+		# Interactive login seen using forbidden username, but the analyzer
+		# was confused in following the login dialog, so may be in error.
+		LoginForbiddenButConfused,
+
+		# During a login dialog, a sensitive username (e.g., "rewt") was
+		# seen in the user's *password*.  This is reported as a notice
+		# because it could be that the login analyzer didn't track the
+		# authentication dialog correctly, and in fact what it thinks is
+		# the user's password is instead the user's username.
+		SensitiveUsernameInPassword,
+	};
+
+	# If these patterns appear anywhere in the user's keystrokes, do a notice.
+	const input_trouble =
+		  /rewt/
+		| /eggdrop/
+		| /\/bin\/eject/
+		| /oir##t/
+		| /ereeto/
+		| /(shell|xploit)_?code/
+		| /execshell/
+		| /ff\.core/
+		| /unset[ \t]+(histfile|history|HISTFILE|HISTORY)/
+		| /neet\.tar/
+		| /r0kk0/
+		| /su[ \t]+(daemon|news|adm)/
+		| /\.\/clean/
+		| /rm[ \t]+-rf[ \t]+secure/
+		| /cd[ \t]+\/dev\/[a-zA-Z]{3}/
+		| /solsparc_lpset/
+		| /\.\/[a-z]+[ \t]+passwd/
+		| /\.\/bnc/
+		| /bnc\.conf/
+		| /\"\/bin\/ksh\"/
+		| /LAST STAGE OF DELIRIUM/
+		| /SNMPXDMID_PROG/
+		| /snmpXdmid for solaris/
+		| /\"\/bin\/uname/
+		| /gcc[ \t]+1\.c/
+		| />\/etc\/passwd/
+		| /lynx[ \t]+-source[ \t]+.*(packetstorm|shellcode|linux|sparc)/
+		| /gcc.*\/bin\/login/
+		| /#define NOP.*0x/
+		| /printf\(\"overflowing/
+		| /exec[a-z]*\(\"\/usr\/openwin/
+		| /perl[ \t]+.*x.*[0-9][0-9][0-9][0-9]/
+		| /ping.*-s.*%d/
+	&redef;
+
+	# If this pattern appears anywhere in the user's input after applying
+	# <backspace>/<delete> editing, do a notice ...
+	const edited_input_trouble =
+		/[ \t]*(cd|pushd|more|less|cat|vi|emacs|pine)[ \t]+((['"]?\.\.\.)|(["'](\.*)[ \t]))/
+	&redef;
+
+	# ... *unless* the corresponding output matches this:
+	const output_indicates_input_not_trouble = /No such file or directory/ &redef;
+
+	# NOTICE on these, but only after waiting for the corresponding output,
+	# so it can be displayed at the same time.
+	const input_wait_for_output = edited_input_trouble &redef;
+
+	# If the user's entire input matches this pattern, do a notice.  Putting
+	# "loadmodule" here rather than in input_trouble is just to illustrate
+	# the idea, it could go in either.
+	const full_input_trouble = /.*loadmodule.*/ &redef;
+
+	# If the following appears anywhere in the user's output, do a notice.
+	const output_trouble =
+		  /^-r.s.*root.*\/bin\/(sh|csh|tcsh)/
+		| /Jumping to address/
+		| /Jumping Address/
+		| /smashdu\.c/
+		| /PATH_UTMP/
+		| /Log started at =/
+		| /www\.anticode\.com/
+		| /www\.uberhax0r\.net/
+		| /smurf\.c by TFreak/
+		| /Super Linux Xploit/
+		| /^# \[root@/
+		| /^-r.s.*root.*\/bin\/(time|sh|csh|tcsh|bash|ksh)/
+		| /invisibleX/
+		| /PATH_(UTMP|WTMP|LASTLOG)/
+		| /[0-9]{5,} bytes from/
+		| /(PATH|STAT):\ .*=>/
+		| /----- \[(FIN|RST|DATA LIMIT|Timed Out)\]/
+		| /IDLE TIMEOUT/
+		| /DATA LIMIT/
+		| /-- TCP\/IP LOG --/
+		| /STAT: (FIN|TIMED_OUT) /
+		| /(shell|xploit)_code/
+		| /execshell/
+		| /x86_bsd_compaexec/
+		| /\\xbf\\xee\\xee\\xee\\x08\\xb8/	# from x.c worm
+		| /Coded by James Seter/
+		| /Irc Proxy v/
+		| /Daemon port\.\.\.\./
+		| /BOT_VERSION/
+		| /NICKCRYPT/
+		| /\/etc\/\.core/
+		| /exec.*\/bin\/newgrp/
+		| /deadcafe/
+		| /[ \/]snap\.sh/
+		| /Secure atime,ctime,mtime/
+		| /Can\'t fix checksum/
+		| /Promisc Dectection/
+		| /ADMsn0ofID/
+		| /(cd \/; uname -a; pwd; id)/
+		| /drw0rm/
+		| /[Rr][Ee3][Ww][Tt][Ee3][Dd]/
+		| /rpc\.sadmin/
+		| /AbraxaS/
+		| /\[target\]/
+		| /ID_SENDSYN/
+		| /ID_DISTROIT/
+		| /by Mixter/
+		| /rap(e?)ing.*using weapons/
+		| /spsiod/
+		| /[aA][dD][oO][rR][eE][bB][sS][dD]/	# rootkit
+	&redef;
+
+	# Same, but must match entire output.
+	const full_output_trouble = /.*Trojaning in progress.*/ &redef;
+
+	const backdoor_prompts =
+		  /^[!-~]*( ?)[#%$] /
+		| /.*no job control/
+		| /WinGate>/
+	&redef;
+
+	const non_backdoor_prompts = /^ *#.*#/ &redef;
+	const hot_terminal_types = /VT666|007/ &redef;
+	const hot_telnet_orig_ports = { 53982/tcp, } &redef;
+	const router_prompts: set[string] &redef;
+	const non_ASCII_hosts: set[addr] &redef;
+	const skip_logins_to = { non_ASCII_hosts, } &redef;
+	const always_hot_login_ids = { always_hot_ids } &redef;
+	const hot_login_ids = { hot_ids } &redef;
+	const rlogin_id_okay_if_no_password_exposed = { "root", } &redef;
+
+	const BS = "\x08";
+	const DEL = "\x7f";
+
+	global new_login_session:
+		function(c: connection, pid: peer_id, output_line: count);
+	global remove_login_session: function(c: connection, pid: peer_id);
+	global ext_set_login_state:
+		function(cid: conn_id, pid: peer_id, state: count);
+	global ext_get_login_state:
+		function(cid: conn_id, pid: peer_id): count;
+}
+
+redef capture_filters += { ["login"] = "port telnet or tcp port 513" };
+
+redef skip_authentication = {
+	"WELCOME TO THE BERKELEY PUBLIC LIBRARY",
+};
+
+redef direct_login_prompts = { "TERMINAL?", };
+
+redef login_prompts = {
+	"Login:", "login:", "Name:", "Username:", "User:", "Member Name",
+	"User Access Verification", "Cisco Systems Console",
+	direct_login_prompts
+};
+
+redef login_non_failure_msgs = {
+	"Failures", "failures",	# probably is "<n> failures since last login"
+	"failure since last successful login",
+	"failures since last successful login",
+};
+
+redef login_non_failure_msgs = {
+	"Failures", "failures",	# probably is "<n> failures since last login"
+	"failure since last successful login",
+	"failures since last successful login",
+} &redef;
+
+redef login_failure_msgs = {
+	"invalid", "Invalid", "incorrect", "Incorrect", "failure", "Failure",
+	# "Unable to authenticate", "unable to authenticate",
+	"User authorization failure",
+	"Login failed",
+	"INVALID", "Sorry.", "Sorry,",
+};
+
+redef login_success_msgs = {
+	"Last login",
+	"Last successful login", "Last   successful login",
+	"checking for disk quotas", "unsuccessful login attempts",
+	"failure since last successful login",
+	"failures since last successful login",
+	router_prompts,
+};
+
+redef login_timeouts = {
+	"timeout", "timed out", "Timeout", "Timed out",
+	"Error reading command input",	# VMS
+};
+
+
+type check_info: record {
+	expanded_line: string;	# line with all possible editing seqs
+	hot: bool;	# whether any editing sequence was a hot user id
+	hot_id: string;	# the ID considered hot
+	forbidden: bool;	# same, but forbidden user id
+};
+
+type login_session_info: record {
+	user: string;
+	output_line: count;	# number of lines seen
+
+	# input string for which we want to match the output.
+	waiting_for_output: string;
+	waiting_for_output_line: count;	# output line we want to match it to
+	state: count;	# valid for external connections only
+};
+
+global login_sessions: table[peer_id, conn_id] of login_session_info;
+
+
+# The next two functions are "external-to-the-event-engine",
+# hence the ext_ prefix.  They're used by the script to manage
+# login state so that they can work with login sessions unknown
+# to the event engine (such as those received from remote peers).
+
+function ext_get_login_state(cid: conn_id, pid: peer_id): count
+	{
+	if ( pid == PEER_ID_NONE )
+		return get_login_state(cid);
+
+	return login_sessions[pid, cid]$state;
+	}
+
+function ext_set_login_state(cid: conn_id, pid: peer_id, state: count)
+	{
+	if ( pid == PEER_ID_NONE )
+		set_login_state(cid, state);
+	else
+		login_sessions[pid, cid]$state = state;
+	}
+
+function new_login_session(c: connection, pid: peer_id, output_line: count)
+	{
+	local s: login_session_info;
+	s$waiting_for_output = s$user = "";
+	s$output_line = output_line;
+	s$state = LOGIN_STATE_AUTHENTICATE;
+
+	login_sessions[pid, c$id] = s;
+	}
+
+function remove_login_session(c: connection, pid: peer_id)
+	{
+	delete login_sessions[pid, c$id];
+	}
+
+function is_login_conn(c: connection): bool
+	{
+	return c$id$resp_p == telnet || c$id$resp_p == rlogin;
+	}
+
+function hot_login(c: connection, pid: peer_id, msg: string, tag: string)
+	{
+	if ( [pid, c$id] in login_sessions )
+		NOTICE([$note=SensitiveLogin, $conn=c,
+			$user=login_sessions[pid, c$id]$user, $msg=msg]);
+	else
+		NOTICE([$note=SensitiveLogin, $conn=c, $msg=msg]);
+
+	++c$hot;
+	demux_conn(c$id, tag, "keys", service_name(c));
+	}
+
+function is_hot_id(id: string, successful: bool, confused: bool): bool
+	{
+	return successful ? id in hot_login_ids :
+		(confused ? id in forbidden_ids :
+			id in always_hot_login_ids);
+	}
+
+function is_forbidden_id(id: string): bool
+	{
+	return id in forbidden_ids || id == forbidden_id_patterns;
+	}
+
+function edit_and_check_line(c: connection, pid: peer_id, line: string,
+				successful: bool): check_info
+	{
+	line = to_lower(line);
+
+	local ctrl_H_edit = edit(line, BS);
+	local del_edit = edit(line, DEL);
+
+	local confused =
+		(ext_get_login_state(c$id, pid) == LOGIN_STATE_CONFUSED);
+	local hot = is_hot_id(line, successful, confused);
+	local hot_id = hot ? line : "";
+	local forbidden = is_forbidden_id(line);
+
+	local eline = line;
+
+	if ( ctrl_H_edit != line )
+		{
+		eline = fmt("%s,%s", eline, ctrl_H_edit);
+		if ( ! hot && is_hot_id(ctrl_H_edit, successful, confused) )
+			{
+			hot = T;
+			hot_id = ctrl_H_edit;
+			}
+
+		forbidden = forbidden || is_forbidden_id(ctrl_H_edit);
+		}
+
+	if ( del_edit != line )
+		{
+		eline = fmt("%s,%s", eline, del_edit);
+		if ( ! hot && is_hot_id(del_edit, successful, confused) )
+			{
+			hot = T;
+			hot_id = del_edit;
+			}
+
+		forbidden = forbidden || is_forbidden_id(del_edit);
+		}
+
+	local results: check_info;
+	results$expanded_line = eline;
+	results$hot = hot;
+	results$hot_id = hot_id;
+	results$forbidden = forbidden;
+
+	return results;
+	}
+
+function edit_and_check_user(c: connection, pid: peer_id, user: string,
+				successful: bool, fmt_s: string): bool
+	{
+	local check = edit_and_check_line(c, pid, user, successful);
+
+	if ( [pid, c$id] !in login_sessions )
+		new_login_session(c, pid, 9999);
+
+	login_sessions[pid, c$id]$user = check$expanded_line;
+
+	c$addl = fmt(fmt_s, c$addl, check$expanded_line);
+
+	if ( check$hot )
+		{
+		++c$hot;
+		demux_conn(c$id, check$hot_id, "keys", service_name(c));
+		}
+
+	if ( check$forbidden )
+		{
+		if ( ext_get_login_state(c$id, pid) == LOGIN_STATE_CONFUSED )
+			NOTICE([$note=LoginForbiddenButConfused, $conn=c,
+				$user = user,
+				$msg=fmt("not terminating %s because confused about state", full_id_string(c))]);
+		else
+			TerminateConnection::terminate_connection(c);
+		}
+
+	return c$hot > 0;
+	}
+
+function edit_and_check_password(c: connection, pid: peer_id, password: string)
+	{
+	local check = edit_and_check_line(c, pid, password, T);
+	if ( check$hot )
+		{
+		++c$hot;
+		NOTICE([$note=SensitiveUsernameInPassword, $conn=c,
+			$user=password,
+			$msg=fmt("%s password: \"%s\"",
+				id_string(c$id), check$expanded_line)]);
+		}
+	}
+
+event login_failure(c: connection, user: string, client_user: string,
+			password: string, line: string)
+	{
+	local pid = get_event_peer()$id;
+
+	event account_tried(c, user, password);
+	edit_and_check_password(c, pid, password);
+
+	if ( c$hot == 0 && password == "" &&
+	     ! edit_and_check_line(c, pid, user, F)$hot )
+		# Don't both reporting it, this was clearly a half-hearted
+		# attempt and it's not a sensitive username.
+		return;
+
+	local user_hot = edit_and_check_user(c, pid, user, F, "%sfail/%s ");
+	if ( client_user != "" && client_user != user &&
+	     edit_and_check_user(c, pid, client_user, F, "%s(%s) ") )
+		user_hot = T;
+
+	if ( user_hot || c$hot > 0 )
+		NOTICE([$note=SensitiveLogin, $conn=c,
+			$user=user, $sub=client_user,
+			$msg=fmt("%s %s", id_string(c$id), c$addl)]);
+	}
+
+event login_success(c: connection, user: string, client_user: string,
+			password: string, line: string)
+	{
+	local pid = get_event_peer()$id;
+
+	Hot::check_hot(c, Hot::APPL_ESTABLISHED);
+	event account_tried(c, user, password);
+	edit_and_check_password(c, pid, password);
+
+	# Look for whether the user name is sensitive; but allow for
+	# some ids being okay if no password was exposed accessing them.
+	local user_hot = F;
+	if ( c$id$resp_p == rlogin && password == "<none>" &&
+	     user in rlogin_id_okay_if_no_password_exposed )
+		append_addl(c, fmt("\"%s\"", user));
+
+	else
+		user_hot = edit_and_check_user(c, pid, user, T, "%s\"%s\" ");
+
+	if ( c$id$resp_p == rlogin && client_user in always_hot_login_ids )
+		{
+		append_addl(c, fmt("(%s)", client_user));
+		demux_conn(c$id, client_user, "keys", service_name(c));
+		user_hot = T;
+		}
+
+	if ( user_hot || c$hot > 0 )
+		NOTICE([$note=SensitiveLogin, $conn=c,
+			$user=user, $sub=client_user,
+			$msg=fmt("%s %s", id_string(c$id), c$addl)]);
+
+	# else if ( password == "" )
+	# 	alarm fmt("%s %s <no password>", id_string(c$id), c$addl);
+
+### use the following if no login_input_line/login_output_line
+# 	else
+# 		{
+# 		set_record_packets(c$id, F);
+# 		skip_further_processing(c$id);
+# 		}
+	}
+
+event login_input_line(c: connection, line: string)
+	{
+	local pid = get_event_peer()$id;
+	local BS_line = edit(line, BS);
+	local DEL_line = edit(line, DEL);
+	if ( input_trouble in line ||
+	### need to merge input_trouble and edited_input_trouble here
+	### ideally, match on input_trouble would tell whether we need
+	### to invoke the edit functions, as an attribute of a .*(^H|DEL)
+	### rule.
+	     input_trouble in BS_line || input_trouble in DEL_line ||
+	     (edited_input_trouble in BS_line &&
+	      # If one is in but the other not, then the one that's not
+	      # is presumably the correct edit, and the one that is, isn't
+	      # in fact edited at all
+	      edited_input_trouble in DEL_line) ||
+	     line == full_input_trouble )
+		{
+		if ( [pid, c$id] !in login_sessions )
+			new_login_session(c, pid, 9999);
+
+		if ( edited_input_trouble in BS_line &&
+		     edited_input_trouble in DEL_line )
+			{
+			login_sessions[pid, c$id]$waiting_for_output = line;
+			login_sessions[pid, c$id]$waiting_for_output_line =
+				# We don't want the *next* line, that's just
+				# the echo of this input.
+				login_sessions[pid, c$id]$output_line + 2;
+			}
+
+		else if ( ++c$hot <= 2 )
+			hot_login(c, pid, fmt("%s input \"%s\"", id_string(c$id), line), "trb");
+		}
+	}
+
+event login_output_line(c: connection, line: string)
+	{
+	local pid = get_event_peer()$id;
+	if ( [pid, c$id] !in login_sessions )
+		new_login_session(c, pid, 9999);
+
+	local s = login_sessions[pid, c$id];
+
+	if ( line != "" && ++s$output_line == 1 )
+		{
+		if ( byte_len(line) < 40 &&
+		     backdoor_prompts in line && non_backdoor_prompts !in line )
+			hot_login(c, pid, fmt("%s possible backdoor \"%s\"", id_string(c$id), line), "trb");
+		}
+
+	if ( s$waiting_for_output != "" &&
+	     s$output_line >= s$waiting_for_output_line )
+		{
+		if ( output_indicates_input_not_trouble !in line )
+			hot_login(c, pid,
+				fmt("%s input \"%s\" yielded output \"%s\"",
+					id_string(c$id),
+					s$waiting_for_output,
+					line),
+				"trb");
+
+		s$waiting_for_output = "";
+		}
+
+	if ( byte_len(line) < 256 &&
+	     (output_trouble in line || line == full_output_trouble) &&
+	     ++c$hot <= 2 )
+		hot_login(c, pid, fmt("%s output \"%s\"", id_string(c$id), line), "trb");
+	}
+
+event login_confused(c: connection, msg: string, line: string)
+	{
+	Hot::check_hot(c, Hot::APPL_ESTABLISHED);
+
+	append_addl(c, "<confused>");
+
+	if ( line == "" )
+		print Weird::weird_file, fmt("%.6f %s %s", network_time(), id_string(c$id), msg);
+	else
+		print Weird::weird_file, fmt("%.6f %s %s (%s)", network_time(), id_string(c$id), msg, line);
+
+	set_record_packets(c$id, T);
+	}
+
+event login_confused_text(c: connection, line: string)
+	{
+	local pid = get_event_peer()$id;
+	if ( c$hot == 0 && edit_and_check_line(c, pid, line, F)$hot )
+		{
+		local ignore =
+			edit_and_check_user(c, pid, line, F, "%sconfused/%s ");
+		NOTICE([$note=SensitiveLogin, $conn=c,
+			$user=line,
+			$msg=fmt("%s %s", id_string(c$id), c$addl)]);
+		set_record_packets(c$id, T);
+		}
+	}
+
+event login_terminal(c: connection, terminal: string)
+	{
+	local pid = get_event_peer()$id;
+	if ( hot_terminal_types in terminal )
+		hot_login(c, pid,
+			fmt("%s term %s", id_string(c$id), terminal), "trb");
+	}
+
+event login_prompt(c: connection, prompt: string)
+	{
+	# Could check length >= 6, per Solaris exploit ...
+	local pid = get_event_peer()$id;
+	hot_login(c, pid,
+		fmt("%s $TTYPROMPT %s", id_string(c$id), prompt), "trb");
+	}
+
+event excessive_line(c: connection)
+	{
+	if ( is_login_conn(c) )
+		{
+		local pid = get_event_peer()$id;
+
+		if ( ! c$hot && c$id$resp_h in non_ASCII_hosts )
+			{
+			ext_set_login_state(c$id, pid, LOGIN_STATE_SKIP);
+			set_record_packets(c$id, F);
+			}
+		else if ( ext_get_login_state(c$id, pid) == LOGIN_STATE_AUTHENTICATE )
+			{
+			event login_confused(c, "excessive_line", "");
+			ext_set_login_state(c$id, pid, LOGIN_STATE_CONFUSED);
+			}
+		}
+	}
+
+event inconsistent_option(c: connection)
+	{
+	print Weird::weird_file, fmt("%.6f %s inconsistent option", network_time(), id_string(c$id));
+	}
+
+event bad_option(c: connection)
+	{
+	print Weird::weird_file, fmt("%.6f %s bad option", network_time(), id_string(c$id));
+	}
+
+event bad_option_termination(c: connection)
+	{
+	print Weird::weird_file, fmt("%.6f %s bad option termination", network_time(), id_string(c$id));
+	}
+
+event authentication_accepted(name: string, c: connection)
+	{
+	local addl_msg = fmt("auth/%s", name);
+	append_addl(c, addl_msg);
+	}
+
+event authentication_rejected(name: string, c: connection)
+	{
+	append_addl(c, fmt("auth-failed/%s", name));
+	}
+
+event authentication_skipped(c: connection)
+	{
+	append_addl(c, "(skipped)");
+	skip_further_processing(c$id);
+
+	if ( ! c$hot )
+		set_record_packets(c$id, F);
+	}
+
+event connection_established(c: connection)
+	{
+	if ( is_login_conn(c) )
+		{
+		local pid = get_event_peer()$id;
+
+		new_login_session(c, pid, 0);
+
+		if ( c$id$resp_h in skip_logins_to )
+			event authentication_skipped(c);
+
+		if ( c$id$resp_p == telnet &&
+		     c$id$orig_p in hot_telnet_orig_ports )
+			hot_login(c, pid, fmt("%s hot_orig_port", id_string(c$id)), "orig");
+		}
+	}
+
+event partial_connection(c: connection)
+	{
+	if ( is_login_conn(c) )
+		{
+		local pid = get_event_peer()$id;
+		new_login_session(c, pid, 9999);
+		ext_set_login_state(c$id, pid, LOGIN_STATE_CONFUSED);
+
+		if ( c$id$resp_p == telnet &&
+		     c$id$orig_p in hot_telnet_orig_ports )
+			hot_login(c, pid, fmt("%s hot_orig_port", id_string(c$id)), "orig");
+		}
+	}
+
+event connection_finished(c: connection)
+	{
+	local pid = get_event_peer()$id;
+	remove_login_session(c, pid);
+	}
+
+event activating_encryption(c: connection)
+	{
+	if ( is_login_conn(c) )
+		append_addl(c, "(encrypted)");
+	}
diff --git a/policy/mime-pop.bro b/policy/mime-pop.bro
new file mode 100644
index 0000000000..eed2565036
--- /dev/null
+++ b/policy/mime-pop.bro
@@ -0,0 +1,180 @@
+# $Id: mime-pop.bro 4758 2007-08-10 06:49:23Z vern $
+#
+# A stripped-down version of mime.bro adapted to work on POP3 events.
+#
+# FIXME: What's the best way to merge mime.bro and mime-pop3.bro?
+
+@load pop3
+
+module MIME_POP3;
+	
+const mime_log = open_log_file("mime-pop") &redef;
+
+type mime_session_info: record {
+	id: count;
+	connection_id: conn_id;
+	level: count;
+	data_offset: count;
+};
+
+global mime_session_id = 0;
+global mime_sessions: table[conn_id] of mime_session_info;
+
+function mime_session_string(session: mime_session_info): string
+	{
+	return fmt("#%s %s +%d", prefixed_id(session$id),
+			id_string(session$connection_id), session$level);
+	}
+
+function mime_log_warning(what: string)
+	{
+	print mime_log, fmt("%.6f warning: %s", network_time(), what);
+	}
+
+function mime_log_msg(session: mime_session_info, where: string, what: string)
+	{
+	print mime_log, fmt("%.6f %s: [%s] %s",
+				network_time(),
+				mime_session_string(session),
+				where,
+				what);
+	}
+
+function new_mime_session(c: connection)
+	{
+	local id = c$id;
+	local session_id = ++mime_session_id;
+	local info: mime_session_info;
+
+	info$id = session_id;
+	info$connection_id = id;
+	info$level = 0;
+	info$data_offset = 0;
+
+	mime_sessions[id] = info;
+	mime_log_msg(info, "start", "");
+	}
+
+function get_mime_session(c: connection, new_session_ok: bool): mime_session_info
+	{
+	local id = c$id;
+
+	if ( id !in mime_sessions )
+		{
+		if ( ! new_session_ok )
+			mime_log_warning(fmt("begin_entity missing for new MIME session %s", id_string(id)));
+
+		new_mime_session(c);
+		}
+
+	return mime_sessions[id];
+	}
+
+function end_mime_session(session: mime_session_info)
+	{
+	mime_log_msg(session, "finish", "");
+	delete mime_sessions[session$connection_id];
+	}
+
+event connection_state_remove(c: connection)
+	{
+	if ( c$id$resp_p != 110/tcp )
+		return;
+	
+	local id = c$id;
+
+	if ( id in mime_sessions )
+		{
+		mime_log_msg(mime_sessions[id], "state remove", "");
+		delete mime_sessions[id];
+		}
+	}
+
+function do_mime_begin_entity(c: connection)
+	{
+	local session = get_mime_session(c, T);
+
+	++session$level;
+	session$data_offset = 0;
+	mime_log_msg(session, "begin entity", "");
+	}
+
+event mime_begin_entity(c: connection)
+	{
+	if ( c$id$resp_p != 110/tcp )
+		return;
+	
+	do_mime_begin_entity(c);
+	}
+
+function do_mime_end_entity(c: connection)
+	{
+	local session = get_mime_session(c, T);
+
+	mime_log_msg(session, "end entity", "");
+
+	if ( session$level > 0 )
+		{
+		--session$level;
+		if ( session$level == 0 )
+			end_mime_session(session);
+		}
+	else
+		mime_log_warning(fmt("unmatched end_entity for MIME session %s",
+					mime_session_string(session)));
+	}
+
+event mime_end_entity(c: connection)
+	{
+	if ( c$id$resp_p != 110/tcp )
+		return;
+	
+	do_mime_end_entity(c);
+	}
+
+event mime_next_entity(c: connection)
+	{
+	if ( c$id$resp_p != 110/tcp )
+		return;
+	
+	do_mime_end_entity(c);
+	do_mime_begin_entity(c);
+	}
+
+event mime_all_headers(c: connection, hlist: mime_header_list)
+	{
+	if ( c$id$resp_p != 110/tcp )
+		return;
+	
+	local session = get_mime_session(c, T);
+	local i = 0;
+
+	for ( i in hlist )
+		{
+		local h = hlist[i];
+		mime_log_msg(session, "header",
+				fmt("%s: \"%s\"", h$name, h$value));
+		}
+	}
+
+event mime_segment_data(c: connection, length: count, data: string)
+ 	{
+	if ( c$id$resp_p != 110/tcp )
+		return;
+	
+	local session = get_mime_session(c, T);
+
+ 	if ( session$data_offset < 256 )
+ 		mime_log_msg(session, "data", fmt("%d: %s", length, data));
+
+ 	session$data_offset = session$data_offset + length;
+ 	}
+
+event mime_event(c: connection, event_type: string, detail: string)
+	{
+	if ( c$id$resp_p != 110/tcp )
+		return;
+	
+	local session = get_mime_session(c, T);
+	mime_log_msg(session, "event", fmt("%s: %s", event_type, detail));
+	}
diff --git a/policy/mime.bro b/policy/mime.bro
new file mode 100644
index 0000000000..7f923aac08
--- /dev/null
+++ b/policy/mime.bro
@@ -0,0 +1,259 @@
+# $Id: mime.bro 6724 2009-06-07 09:23:03Z vern $
+
+@load smtp
+
+module MIME;
+
+export {
+	const mime_log = open_log_file("mime") &redef;
+
+	type mime_session_info: record {
+		id: count;
+		connection_id: conn_id;
+		smtp_session: SMTP::smtp_session_info;
+		level: count;
+		data_offset: count;
+		content_hash: string;
+	};
+
+	global get_session:
+		function(c: connection, new_session_ok: bool): mime_session_info;
+}
+
+function mime_header_default_handler(session: mime_session_info,
+					name: string, arg: string)
+	{
+	}
+
+type mime_header_handler_func:
+	function(session: mime_session_info, name: string, arg: string);
+
+type mime_header_handler_table: table[string] of mime_header_handler_func;
+
+export {
+	global mime_header_handler: mime_header_handler_table &redef &default
+	= function(name: string): mime_header_handler_func
+		{
+		# This looks a little weird, but there is no other way
+		# to specify a function as the default *value*
+		return mime_header_default_handler;
+		};
+}
+
+global mime_session_id = 0;
+global mime_sessions: table[conn_id] of mime_session_info;
+
+function mime_session_string(session: mime_session_info): string
+	{
+	return fmt("#%s %s +%d", prefixed_id(session$id),
+			id_string(session$connection_id), session$level);
+	}
+
+function mime_log_warning(what: string)
+	{
+	print mime_log, fmt("%.6f warning: %s", network_time(), what);
+	}
+
+function mime_log_msg(session: mime_session_info, where: string, what: string)
+	{
+	print mime_log, fmt("%.6f %s: [%s] %s",
+				network_time(),
+				mime_session_string(session),
+				where,
+				what);
+	}
+
+function mime_header_subject(session: mime_session_info,
+				name: string, arg: string)
+	{
+	if ( session$level == 1 )
+		session$smtp_session$subject = arg;
+	}
+
+
+### This is a bit clunky.  These are functions we call out to, defined
+# elsewhere.  The way we really ought to do this is to have them passed
+# in during initialization.  But for now, we presume knowledge of their
+# names in global scope.
+module GLOBAL;
+global check_relay_3:
+	function(session: MIME::mime_session_info, msg_id: string);
+global check_relay_4:
+	function(session: MIME::mime_session_info, content_hash: string);
+module MIME;
+
+function mime_header_message_id(session: mime_session_info, name: string, arg: string)
+	{
+	local s = arg;
+
+	local t = split1(s, /</);
+	if ( length(t) != 2 )
+		{
+		mime_log_msg(session, "event",
+			fmt("message id does not contain '<': %s", arg));
+		return;
+		}
+
+	s = t[2];
+
+	t = split1(s, />/);
+	if ( length(t) != 2 )
+		{
+		mime_log_msg(session, "event",
+			fmt("message id does not contain '>': %s", arg));
+		return;
+		}
+
+	s = t[1];
+
+	if ( session$level == 1 && SMTP::process_smtp_relay )
+		check_relay_3(session, s);
+	}
+
+redef mime_header_handler = {
+	["SUBJECT"] = mime_header_subject,
+	["MESSAGE-ID"] = mime_header_message_id,
+};
+
+function new_mime_session(c: connection)
+	{
+	local id = c$id;
+	local session_id = ++mime_session_id;
+	local info: mime_session_info;
+
+	info$id = session_id;
+	info$connection_id = id;
+	info$level = 0;
+	info$data_offset = 0;
+	info$content_hash = "";
+
+	if ( id !in SMTP::smtp_sessions )
+		SMTP::new_smtp_session(c);
+
+	info$smtp_session = SMTP::smtp_sessions[id];
+
+	mime_sessions[id] = info;
+	mime_log_msg(info, "start", "");
+	}
+
+function get_session(c: connection, new_session_ok: bool): mime_session_info
+	{
+	local id = c$id;
+
+	if ( id !in mime_sessions )
+		{
+		if ( ! new_session_ok )
+			mime_log_warning(fmt("begin_entity missing for new MIME session %s", id_string(id)));
+
+		new_mime_session(c);
+		}
+
+	return mime_sessions[id];
+	}
+
+function end_mime_session(session: mime_session_info)
+	{
+	mime_log_msg(session, "finish", "");
+	delete mime_sessions[session$connection_id];
+	}
+
+event connection_state_remove(c: connection)
+	{
+	local id = c$id;
+
+	if ( id in mime_sessions )
+		{
+		mime_log_msg(mime_sessions[id], "state remove", "");
+		delete mime_sessions[id];
+		}
+	}
+
+function do_mime_begin_entity(c: connection)
+	{
+	local session = get_session(c, T);
+
+	++session$level;
+	session$data_offset = 0;
+	mime_log_msg(session, "begin entity", "");
+	}
+
+event mime_begin_entity(c: connection)
+	{
+	do_mime_begin_entity(c);
+	}
+
+function do_mime_end_entity(c: connection)
+	{
+	local session = get_session(c, T);
+
+	mime_log_msg(session, "end entity", "");
+
+	session$smtp_session$num_bytes_in_body =
+		session$smtp_session$num_bytes_in_body + session$data_offset;
+
+	if ( session$level > 0 )
+		{
+		--session$level;
+		if ( session$level == 0 )
+			end_mime_session(session);
+		}
+	else
+		mime_log_warning(fmt("unmatched end_entity for MIME session %s",
+					mime_session_string(session)));
+	}
+
+event mime_end_entity(c: connection)
+	{
+	do_mime_end_entity(c);
+	}
+
+event mime_next_entity(c: connection)
+	{
+	do_mime_end_entity(c);
+	do_mime_begin_entity(c);
+	}
+
+# event mime_one_header(c: connection, h: mime_header_rec)
+#	{
+#	local session = get_session(c, T);
+#	mime_log_msg(session, "header",
+#			fmt("%s: \"%s\"", h$name, h$value));
+#	mime_header_handler[h$name](session, h$name, h$value);
+#	}
+
+event mime_all_headers(c: connection, hlist: mime_header_list)
+	{
+	local session = get_session(c, T);
+	local i = 0;
+
+	for ( i in hlist )
+		{
+		local h = hlist[i];
+		mime_log_msg(session, "header",
+				fmt("%s: \"%s\"", h$name, h$value));
+		mime_header_handler[h$name](session, h$name, h$value);
+		}
+	}
+
+event mime_segment_data(c: connection, length: count, data: string)
+	{
+	local session = get_session(c, T);
+
+	if ( session$data_offset < 256 )
+		mime_log_msg(session, "data", fmt("%d: %s", length, data));
+
+	session$data_offset = session$data_offset + length;
+	}
+
+# event mime_entity_data(c: connection, length: count, data: string)
+# 	{
+#  	local session = get_session(c, T);
+#
+# 	mime_log_msg(session, "data", fmt("%d: %s", length, sub_bytes(data, 0, 256)));
+# 	}
+
+event mime_event(c: connection, event_type: string, detail: string)
+	{
+	local session = get_session(c, T);
+	mime_log_msg(session, "event", fmt("%s: %s", event_type, detail));
+	}
diff --git a/policy/mt.bro b/policy/mt.bro
new file mode 100644
index 0000000000..456708c4ea
--- /dev/null
+++ b/policy/mt.bro
@@ -0,0 +1,16 @@
+# $Id: mt.bro 340 2004-09-09 06:38:27Z vern $
+
+@load alarm
+@load dns-lookup
+@load hot
+@load frag
+@load tcp
+@load scan
+@load weird
+@load finger
+@load ident
+@load ftp
+@load login
+@load portmapper
+@load ntp
+@load tftp
diff --git a/policy/ncp.bro b/policy/ncp.bro
new file mode 100644
index 0000000000..53a798eec3
--- /dev/null
+++ b/policy/ncp.bro
@@ -0,0 +1,101 @@
+# $Id:$
+
+@load conn-id
+
+module NCP;
+
+global ncp_log = open_log_file("ncp") &redef;
+
+redef capture_filters += {["ncp"] = "tcp port 524"};
+
+export {
+
+const ncp_frame_type_name = {
+	[ 0x1111 ] = "NCP_ALLOC_SLOT",
+	[ 0x2222 ] = "NCP_REQUEST",
+	[ 0x3333 ] = "NCP_REPLY",
+	[ 0x5555 ] = "NCP_DEALLOC_SLOT",
+	[ 0x7777 ] = "NCP_BURST",
+	[ 0x9999 ] = "NCP_ACK",
+} &default = function(code: count): string
+	{
+	return fmt("NCP_UNKNOWN_FRAME_TYPE(%x)", code);
+	};
+
+const ncp_function_name = {
+	[ 0x01 ] = "NCP_FILE_SET_LOCK",
+	[ 0x02 ] = "NCP_FILE_RELEASE_LOCK",
+	[ 0x03 ] = "NCP_LOG_FILE",
+	[ 0x04 ] = "NCP_LOCK_FILE_SET",
+	[ 0x05 ] = "NCP_RELEASE_FILE",
+	[ 0x06 ] = "NCP_RELEASE_FILE_SET",
+	[ 0x07 ] = "NCP_CLEAR_FILE",
+	[ 0x08 ] = "NCP_CLEAR_FILE_SET",
+	[ 0x09 ] = "NCP_LOG_LOGICAL_RECORD",
+	[ 0x0a ] = "NCP_LOCK_LOGICAL_RECORD_SET",
+	[ 0x0b ] = "NCP_CLEAR_LOGICAL_RECORD",
+	[ 0x0c ] = "NCP_RELEASE_LOGICAL_RECORD",
+	[ 0x0d ] = "NCP_RELEASE_LOGICAL_RECORD_SET",
+	[ 0x0e ] = "NCP_CLEAR_LOGICAL_RECORD_SET",
+	[ 0x0f ] = "NCP_ALLOC_RESOURCE",
+	[ 0x10 ] = "NCP_DEALLOC_RESOURCE",
+	[ 0x11 ] = "NCP_PRINT",
+	[ 0x15 ] = "NCP_MESSAGE",
+	[ 0x16 ] = "NCP_DIRECTORY",
+	[ 0x17 ] = "NCP_BINDARY_AND_MISC",
+	[ 0x18 ] = "NCP_END_OF_JOB",
+	[ 0x19 ] = "NCP_LOGOUT",
+	[ 0x1a ] = "NCP_LOG_PHYSICAL_RECORD",
+	[ 0x1b ] = "NCP_LOCK_PHYSICAL_RECORD_SET",
+	[ 0x1c ] = "NCP_RELEASE_PHYSICAL_RECORD",
+	[ 0x1d ] = "NCP_RELEASE_PHYSICAL_RECORD_SET",
+	[ 0x1e ] = "NCP_CLEAR_PHYSICAL_RECORD",
+	[ 0x1f ] = "NCP_CLEAR_PHYSICAL_RECORD_SET",
+	[ 0x20 ] = "NCP_SEMAPHORE",
+	[ 0x22 ] = "NCP_TRANSACTION_TRACKING",
+	[ 0x23 ] = "NCP_AFP",
+	[ 0x42 ] = "NCP_CLOSE_FILE",
+	[ 0x47 ] = "NCP_GET_FILE_SIZE",
+	[ 0x48 ] = "NCP_READ_FILE",
+	[ 0x49 ] = "NCP_WRITE_FILE",
+	[ 0x56 ] = "NCP_EXT_ATTR",
+	[ 0x57 ] = "NCP_FILE_DIR",
+	[ 0x58 ] = "NCP_AUDITING",
+	[ 0x5a ] = "NCP_MIGRATION",
+	[ 0x60 ] = "NCP_PNW",
+	[ 0x61 ] = "NCP_GET_MAX_PACKET_SIZE",
+	[ 0x68 ] = "NCP_NDS",
+	[ 0x6f ] = "NCP_SEMAPHORE_NEW",
+	[ 0x7b ] = "NCP_7B",
+
+	[ 0x5701 ] = "NCP_CREATE_FILE_DIR",
+	[ 0x5702 ] = "NCP_INIT_SEARCH",
+	[ 0x5703 ] = "NCP_SEARCH_FILE_DIR",
+	[ 0x5704 ] = "NCP_RENAME_FILE_DIR",
+	[ 0x5706 ] = "NCP_OBTAIN_FILE_DIR_INFO",
+	[ 0x5707 ] = "NCP_MODIFY_FILE_DIR_DOS_INFO",
+	[ 0x5708 ] = "NCP_DELETE_FILE_DIR",
+	[ 0x5709 ] = "NCP_SET_SHORT_DIR_HANDLE",
+	[ 0x5714 ] = "NCP_SEARCH_FOR_FILE_DIR_SET",
+	[ 0x5718 ] = "NCP_GET_NAME_SPACE_LOADED_LIST",
+	[ 0x5742 ] = "NCP_GET_CURRENT_SIZE_OF_FILE",
+
+} &default = function(code: count): string
+	{
+	return fmt("NCP_UNKNOWN_FUNCTION(%x)", code);
+	};
+
+} # export
+
+event ncp_request(c: connection, frame_type: count, length: count, func: count)
+	{
+	print ncp_log, fmt("%.6f %s NCP request type=%s function=%s",
+		network_time(), id_string(c$id),
+		ncp_frame_type_name[frame_type],
+		ncp_function_name[func]);
+	}
+
+event ncp_reply(c: connection, frame_type: count, length: count,
+		req_frame: count, req_func: count, completion_code: count)
+	{
+	}
diff --git a/policy/netflow.bro b/policy/netflow.bro
new file mode 100644
index 0000000000..4fb1ac0fd0
--- /dev/null
+++ b/policy/netflow.bro
@@ -0,0 +1,106 @@
+# $Id:$
+#
+# Netflow data-dumper and proof-of-concept flow restitcher.
+# Written by Bernhard Ager (2007).
+
+module NetFlow;
+
+export {
+	# Perform flow restitching?
+	global netflow_restitch = T &redef;
+
+	# How long to wait for additional flow records after a RST or FIN,
+	# so we can compress multiple RST/FINs for the same flow rather than
+	# treating them as separate flows.  It's not clear what's the best
+	# setting for this timer, but for now we use something larger
+	# than the NetFlow inactivity timeout (5 minutes).
+	global netflow_finished_conn_expire = 310 sec &redef;
+}
+
+global netflow_log = open_log_file("netflow") &redef;
+
+# Should be larger than activity timeout.  Setting only affects table
+# declaration, therefore &redef useless.
+const netflow_table_expire = 31 min;
+
+type flow: record {
+	cnt: count;
+	pkts: count;
+	octets: count;
+	syn: bool;
+	fin: bool;
+	first: time;
+	last: time;
+};
+
+function new_flow(r: nf_v5_record): flow
+	{
+	return [ $cnt = 1,
+		 $pkts = r$pkts,
+		 $octets = r$octets,
+	         $syn = r$tcpflag_syn,
+		 $fin = r$tcpflag_fin,
+		 $first = r$first,
+		 $last = r$last ];
+	}
+
+function update_flow(f: flow, r: nf_v5_record)
+	{
+	f$pkts += r$pkts;
+	f$octets += r$octets;
+	++f$cnt;
+	f$syn = f$syn || r$tcpflag_syn;
+	f$fin = f$fin || r$tcpflag_fin;
+
+	if ( r$first < f$first )
+		f$first = r$first;
+	if ( r$last > f$last )
+		f$last = r$last;
+	}
+
+function print_flow(t: table[conn_id] of flow, idx: conn_id): interval
+	{
+	print netflow_log, fmt("%.6f flow %s: %s", network_time(), idx, t[idx]);
+	return -1 sec;
+	}
+
+event v5flow_finished(t: table[conn_id] of flow, idx: conn_id)
+	{
+        if ( idx in t )
+		{
+		print_flow(t, idx);
+		delete t[idx];
+		}
+	}
+
+global flows: table[conn_id] of flow &write_expire = netflow_table_expire
+				     &expire_func = print_flow;
+
+event netflow_v5_header(h: nf_v5_header)
+	{
+	print netflow_log, fmt("%.6f header %s", network_time(), h);
+	}
+
+event netflow_v5_record (r: nf_v5_record)
+	{
+	if ( netflow_restitch )
+		{
+		if ( r$id in flows )
+			update_flow (flows[r$id], r);
+		else
+			flows[r$id] = new_flow (r);
+
+		if ( r$tcpflag_fin || r$tcpflag_rst )
+			schedule netflow_finished_conn_expire {
+				v5flow_finished (flows, r$id)
+			};
+		}
+
+	print netflow_log, fmt("%.6f record %s", network_time(), r);
+	}
+
+event bro_done ()
+	{
+	for ( f_id in flows )
+		print_flow(flows, f_id);
+	}
diff --git a/policy/netstats.bro b/policy/netstats.bro
new file mode 100644
index 0000000000..eca27cc9b5
--- /dev/null
+++ b/policy/netstats.bro
@@ -0,0 +1,34 @@
+# $Id: netstats.bro 564 2004-10-23 02:27:57Z vern $
+
+@load notice
+
+redef enum Notice += {
+	DroppedPackets,	# Bro reported packets dropped by the packet filter
+};
+
+global last_stat: net_stats;
+global last_stat_time: time;
+global have_stats = F;
+
+event net_stats_update(t: time, ns: net_stats)
+	{
+	if ( have_stats )
+		{
+		local new_dropped = ns$pkts_dropped - last_stat$pkts_dropped;
+		if ( new_dropped > 0 )
+			{
+			local new_recvd = ns$pkts_recvd - last_stat$pkts_recvd;
+			local new_link = ns$pkts_link - last_stat$pkts_link;
+			NOTICE([$note=DroppedPackets,
+				$msg=fmt("%d packets dropped after filtering, %d received%s",
+					new_dropped, new_recvd + new_dropped,
+					new_link != 0 ?
+						fmt(", %d on link", new_link) : "")]);
+			}
+		}
+	else
+		have_stats = T;
+
+	last_stat = ns;
+	last_stat_time = t;
+	}
diff --git a/policy/nfs.bro b/policy/nfs.bro
new file mode 100644
index 0000000000..dec46d593e
--- /dev/null
+++ b/policy/nfs.bro
@@ -0,0 +1,100 @@
+# $Id: nfs.bro 4017 2007-02-28 07:11:54Z vern $
+
+@load udp
+
+module NFS;
+
+export {
+	global log_file = open_log_file("nfs") &redef;
+}
+
+redef capture_filters += { 
+	["nfs"] = "port 2049",
+	# NFS UDP packets are often fragmented.
+	["nfs-frag"] = "(ip[6:2] & 0x3fff != 0) and udp",
+};
+
+global nfs_ports = { 2049/tcp, 2049/udp } &redef;
+redef dpd_config += { [ANALYZER_NFS] = [$ports = nfs_ports] };
+
+# Maps opaque file handles to numbers for easier tracking.
+global num_fhs = 0;
+global fh_map: table[string] of count;
+
+function map_fh(fh: string): string
+	{
+	if ( fh !in fh_map )
+		fh_map[fh] = ++num_fhs;
+
+	return cat("FH", fh_map[fh]);
+	}
+
+
+function NFS_request(n: connection, req: string, addl: string)
+	{
+	print log_file, fmt("%.06f %s NFS %s: %s",
+				network_time(), id_string(n$id), req, addl);
+	}
+
+function NFS_attempt(n: connection, req: string, status: count, addl: string)
+	{
+	print log_file, fmt("%.06f %s NFS attempt %s (%d): %s",
+			network_time(), id_string(n$id), req, status, addl);
+	}
+
+
+event nfs_request_null(n: connection)
+	{
+	NFS_request(n, "null", "");
+	}
+
+event nfs_attempt_null(n: connection, status: count)
+	{
+	NFS_attempt(n, "null", status, "");
+	}
+
+
+event nfs_request_getattr(n: connection, fh: string, attrs: nfs3_attrs)
+	{
+	NFS_request(n, "getattr", fmt("%s -> %s", map_fh(fh), attrs));
+	}
+
+event nfs_attempt_getattr(n: connection, status: count, fh: string)
+	{
+	NFS_attempt(n, "getattr", status, map_fh(fh));
+	}
+
+
+function opt_attr_fmt(a: nfs3_opt_attrs): string
+	{
+	return a?$attrs ? fmt("%s", a$attrs) : "<missing>";
+	}
+
+event nfs_request_lookup(n: connection, req: nfs3_lookup_args, rep: nfs3_lookup_reply)
+	{
+	NFS_request(n, "lookup", fmt("%s -> %s (file-attr: %s, dir-attr: %s)",
+			req, rep$fh,
+			opt_attr_fmt(rep$file_attr),
+			opt_attr_fmt(rep$dir_attr)));
+	}
+
+event nfs_attempt_lookup(n: connection, status: count, req: nfs3_lookup_args)
+	{
+	NFS_attempt(n, "lookup", status, fmt("%s", req));
+	}
+
+
+event nfs_request_fsstat(n: connection, root_fh: string, stat: nfs3_fsstat)
+	{
+	NFS_request(n, "fsstat", fmt("%s -> attr: %s, tbytes: %s, fbytes: %s, abytes: %s, tfiles: %s, ffiles: %s, afiles: %s, invarsec: %s",
+		map_fh(root_fh),
+		opt_attr_fmt(stat$attrs),
+		stat$tbytes, stat$fbytes, stat$abytes,
+		stat$tfiles, stat$ffiles, stat$afiles,
+		stat$invarsec));
+	}
+
+event nfs_attempt_fsstat(n: connection, status: count, root_fh: string)
+	{
+	NFS_attempt(n, "fsstat", status, map_fh(root_fh));
+	}
diff --git a/policy/notice-action-filters.bro b/policy/notice-action-filters.bro
new file mode 100644
index 0000000000..0a6e83d1d3
--- /dev/null
+++ b/policy/notice-action-filters.bro
@@ -0,0 +1,121 @@
+# $Id:$
+#
+# A few predefined notice_action_filters (see notice.bro).
+
+@load notice
+@load site
+@load terminate-connection
+
+function ignore_notice(n: notice_info, a: NoticeAction): NoticeAction
+	{
+	return NOTICE_IGNORE;
+	}
+
+function file_notice(n: notice_info, a: NoticeAction): NoticeAction
+	{
+	return NOTICE_FILE;
+	}
+
+function send_email_notice(n: notice_info, a: NoticeAction): NoticeAction
+	{
+	return NOTICE_EMAIL;
+	}
+
+function send_page_notice(n: notice_info, a: NoticeAction): NoticeAction
+	{
+	return NOTICE_PAGE;
+	}
+
+global notice_tallies: table[string] of count &default = 0;
+
+function tally_notice(s: string)
+	{
+	++notice_tallies[s];
+	}
+
+function tally_notice_type(n: notice_info, a: NoticeAction): NoticeAction
+	{
+	tally_notice(fmt("%s", n$note));
+	return NOTICE_FILE;
+	}
+
+function tally_notice_type_and_ignore(n: notice_info, a: NoticeAction)
+		: NoticeAction
+	{
+	tally_notice(fmt("%s", n$note));
+	return NOTICE_IGNORE;
+	}
+
+function file_local_bro_notices(n: notice_info, a: NoticeAction): NoticeAction
+	{
+	if ( n$src_peer$is_local )
+		return NOTICE_FILE;
+
+	return a;
+	}
+
+function file_if_remote(n: notice_info, a: NoticeAction): NoticeAction
+	{
+	if ( n?$src && ! is_local_addr(n$src) )
+		return NOTICE_FILE;
+
+	return a;
+	}
+
+function drop_source(n: notice_info, a: NoticeAction): NoticeAction
+	{
+	return NOTICE_DROP;
+	}
+
+function drop_source_and_terminate(n: notice_info, a: NoticeAction): NoticeAction
+	{
+	if ( n?$conn )
+		TerminateConnection::terminate_connection(n$conn);
+
+	return NOTICE_DROP;
+	}
+
+event bro_done()
+	{
+	for ( s in notice_tallies )
+		{
+		local n = notice_tallies[s];
+		local msg = fmt("%s (%d time%s)", s, n, n > 1 ? "s" : "");
+		NOTICE([$note=NoticeTally, $msg=msg, $n=n]);
+		}
+	}
+
+# notice_alarm_per_orig.
+#
+# Reports a specific NoticeType the first time we see it for a source.  From
+# then on, we tally instances per source.
+
+global notice_once_per_orig: table[Notice, addr] of count
+	&default=0 &read_expire=5hrs;
+global notice_once_per_orig_tally_interval = 1 hr &redef;
+
+event notice_alarm_per_orig_tally(n: notice_info, host: addr)
+	{
+	local i = notice_once_per_orig[n$note, host];
+	if ( i > 1 )
+		{
+		local msg = fmt("%s seen %d time%s from %s",
+				n$note, i, i > 1 ? "s" : "", host);
+		NOTICE([$note=NoticeTally, $msg=msg, $src=host, $n=i]);
+		}
+	}
+
+function notice_alarm_per_orig(n: notice_info, a: NoticeAction): NoticeAction
+	{
+	local host = n$src;
+
+	++notice_once_per_orig[n$note, host];
+
+	if ( notice_once_per_orig[n$note, host] > 1 )
+		return NOTICE_FILE;
+
+	schedule notice_once_per_orig_tally_interval
+		{ notice_alarm_per_orig_tally(n, host) };
+
+	return NOTICE_ALARM_ALWAYS;
+	}
diff --git a/policy/notice-policy.bro b/policy/notice-policy.bro
new file mode 100644
index 0000000000..78d26c26ed
--- /dev/null
+++ b/policy/notice-policy.bro
@@ -0,0 +1,72 @@
+# $Id: notice-policy.bro 4758 2007-08-10 06:49:23Z vern $
+
+# Examples of using notice_policy and other mechanisms to filter out
+# alarms that are not interesting.
+
+# Note: this file is not self-contained, in that it refers to Notice
+# names that will only be defined if you've loaded other files (e.g.,
+# print-resources for the ResourceSummary notice).  The full list of
+# policy files it needs is:
+#
+#	blaster.bro
+#	conn.bro
+#	http-request.bro
+#	netstats.bro
+#	print-resources.bro
+#	trw.bro
+#	weird.bro
+
+
+# Remove these notices from logging since they can be too noisy.
+redef notice_action_filters += {
+        [[Weird::ContentGap, Weird::AckAboveHole]] = ignore_notice,
+};
+
+# Send these only to the notice log, not the alarm log.
+redef notice_action_filters += {
+        [[Drop::AddressDropIgnored, DroppedPackets,
+	  ResourceSummary, W32B_SourceRemote,
+	  TRW::TRWScanSummary, Scan::BackscatterSeen,
+	  Weird::WeirdActivity,
+	  Weird::RetransmissionInconsistency]] = file_notice,
+};
+
+# Other example use of notice_action_filters:
+#
+# To just get a summary Notice when Bro is shutdown/checkpointed, use
+# tally_notice_type, such as:
+#redef notice_action_filters += {
+# 	[[RetransmissionInconsistency, ContentGap, AckAboveHole]] =
+#	 	tally_notice_type,
+#};
+
+# To get a summary once every hour per originator, use notice_alarm_per_orig,
+# such as:
+#redef notice_action_filters += {
+# 	[[ BackscatterSeen, RetransmissionInconsistency]] =
+# 		notice_alarm_per_orig,
+#};
+
+
+# Fine-grained filtering of specific alarms.
+redef notice_policy += {
+
+	# Connections to 2766/tcp ("Solaris listen service") appear
+	# nearly always actually due to P2P apps.
+        [$pred(n: notice_info) =
+		{
+		return n$note == SensitiveConnection &&
+ 		       /Solaris listen service/ in n$msg;
+		},
+         $result = NOTICE_FILE,
+         $priority = 1],
+
+	# Ignore sensitive URLs that end in .gif, .jpg, .png
+	[$pred(n: notice_info) =
+		{
+		return n$note == HTTP::HTTP_SensitiveURI &&
+		       n$URL == /.*\.(gif|GIF|png|PNG|jpg|JPG)/; 
+		},
+	 $result = NOTICE_FILE,
+	 $priority = 1],
+};
diff --git a/policy/notice.bro b/policy/notice.bro
new file mode 100644
index 0000000000..b19a4fb860
--- /dev/null
+++ b/policy/notice.bro
@@ -0,0 +1,408 @@
+# $Id: notice.bro 6756 2009-06-14 21:31:19Z vern $
+
+const use_tagging = F &redef;
+
+type Notice: enum {
+	NoticeNone,	# placeholder
+	NoticeTally,	# notice reporting count of how often a notice occurred
+};
+
+type NoticeAction: enum {
+	# Similar to WeirdAction in weird.bro.
+	NOTICE_UNKNOWN,	# placeholder
+	NOTICE_IGNORE, NOTICE_FILE, NOTICE_ALARM_ALWAYS,
+	NOTICE_EMAIL, NOTICE_PAGE,
+	NOTICE_DROP,	# drops the address via Drop::drop_address, and alarms
+};
+
+
+type notice_info: record {
+	note: Notice;
+	msg: string &default="";
+	sub: string &optional;	# sub-message
+
+	conn: connection &optional;	# connection associated with notice
+	iconn: icmp_conn &optional;	# associated ICMP "connection"
+	id: conn_id &optional;	# connection-ID, if we don't have a connection handy
+	src: addr &optional;	# source address, if we don't have a connection
+	dst: addr &optional;	# destination address
+
+	p: port &optional;	# associated port, if we don't have a conn.
+
+	# The following are detailed attributes that are associated with some
+	# notices, but not all.
+
+	user: string &optional;
+
+	filename: string &optional;
+
+	method: string &optional;
+	URL: string &optional;
+
+	n: count &optional;	# associated count, or perhaps status code
+
+	aux: table[string] of string &optional;	# further NOTICE-specific data
+
+	# Automatically set attributes.
+	action: NoticeAction &default=NOTICE_UNKNOWN; # once action determined
+	src_peer: event_peer &optional;	# source that raised this notice
+	tag: string &optional;	# tag associated with this notice
+	dropped: bool &optional &default=F; # true if src successfully dropped
+
+	# If we asked the Time Machine to capture, the filename prefix.
+	captured: string &optional;
+
+	# If false, don't alarm independent of the determined notice action.
+	# If true, alarm dependening on notice action.
+	do_alarm: bool &default=T;
+
+};
+
+type notice_policy_item: record {
+	result: NoticeAction &default=NOTICE_FILE;
+	pred: function(n: notice_info): bool;
+	priority: count &default=1;
+};
+
+global notice_policy: set[notice_policy_item] = {
+	[$pred(n: notice_info) = { return T; },
+	 $result = NOTICE_ALARM_ALWAYS,
+	 $priority = 0],
+} &redef;
+
+global NOTICE: function(n: notice_info);
+
+# Variables the control email notification.
+const mail_script = "/bin/mail" &redef;	# local system mail program
+const mail_dest = "" &redef;	# email address to send mail to
+const mail_page_dest = "bro-page" &redef;	# email address of pager
+
+
+# Table that maps notices into a function that should be called
+# to determine the action.
+global notice_action_filters:
+	table[Notice] of
+		function(n: notice_info, a: NoticeAction): NoticeAction &redef;
+
+
+# Each notice has a unique ID associated with it.
+global notice_id = 0;
+
+# This should have a high probability of being unique without
+# generating overly long tags.  This is redef'able in case you need
+# determinism in tags (such as for regression testing).
+global notice_tag_prefix =
+		fmt("%x-%x-",
+			double_to_count(time_to_double(current_time())) % 255,
+			getpid())
+		&redef;
+
+# Likewise redef'able for regression testing.
+global new_notice_tag =
+	function(): string
+		{
+		return fmt("%s%x", notice_tag_prefix, ++notice_id);
+		}
+	&redef;
+
+# Function to add a unique NOTICE tag to a connection.  This is done
+# automatically whenever a NOTICE is raised, but sometimes one might need
+# to call this function in advance of that to ensure that the tag appears
+# in the connection summaries (i.e., when connection_state_remove() can be
+# raised before the NOTICE is generated.)
+global notice_tags: table[conn_id] of string;
+
+function add_notice_tag(c: connection): string
+	{
+	if ( c$id in notice_tags )
+		return notice_tags[c$id];
+
+	local tag_id = new_notice_tag();
+	append_addl(c, fmt("@%s", tag_id));
+	notice_tags[c$id] = tag_id;
+
+	return tag_id;
+	}
+
+event delete_notice_tags(c: connection)
+	{
+	delete notice_tags[c$id];
+	}
+
+event connection_state_remove(c: connection)
+	{
+	# We do not delete the tag right here because there may be other
+	# connection_state_remove handlers invoked after us which
+	# want to generate a notice.
+	schedule 1 secs { delete_notice_tags(c) };
+	}
+
+const notice_file = open_log_file("notice") &redef;
+
+# This handler is useful for processing notices after the notice filters
+# have been applied and yielded an NoticeAction.
+#
+# It's tempting to make the default handler do the logging and
+# printing to notice_file, rather than NOTICE.  I hesitate to do that,
+# though, because it perhaps could slow down notification, because
+# in the absence of event priorities, the event would have to wait
+# behind any other already-queued events.
+
+event notice_action(n: notice_info, action: NoticeAction)
+	{
+	}
+
+# Do not generate notice_action events for these NOTICE types.
+global suppress_notice_actions: set[Notice] &redef; 
+
+# Similar to notice_action but only generated if the notice also
+# triggers an alarm.
+event notice_alarm(n: notice_info, action: NoticeAction)
+	{
+	}
+
+# Hack to suppress duplicate notice_actions for remote notices.
+global suppress_notice_action = F;
+
+function notice_info_tags(n: notice_info) : table[string] of string
+	{
+	local tags: table[string] of string;
+
+	local t = is_remote_event() ? current_time() : network_time();
+	tags["t"] = fmt("%.06f", t);
+	tags["no"] = fmt("%s", n$note);
+	tags["na"] = fmt("%s", n$action);
+	tags["sa"] = n?$src ? fmt("%s", n$src) : "";
+	tags["sp"] = n?$id && n$id$orig_h == n$src ? fmt("%s", n$id$orig_p) : "";
+	tags["da"] = n?$dst ? fmt("%s", n$dst) : "";
+	tags["dp"] = n?$id && n$id$resp_h == n$dst ? fmt("%s", n$id$resp_p) : "";
+	tags["p"] = n?$p ? fmt("%s", n$p) : "";
+	tags["user"] = n?$user ? n$user : "";
+	tags["file"] = n?$filename ? n$filename : "";
+	tags["method"] =  n?$method ? n$method : "";
+	tags["url"] = n?$URL ? n$URL : "";
+	tags["num"] = n?$n ? fmt("%s", n$n) : "";
+	tags["msg"] = n?$msg ? n$msg : "";
+	tags["sub"] = n?$sub ? n$sub : "";
+	tags["captured"] = n?$captured ? n$captured : "";
+	tags["tag"] = fmt("@%s", n$tag);
+	tags["dropped"] = n$dropped ? "1" : "";
+
+	if ( n?$aux )
+		{
+		for ( a in n$aux )
+			tags[fmt("aux_%s", a)] = n$aux[a];
+		}
+
+	if ( is_remote_event() )
+		{
+		if ( n$src_peer$descr != "" )
+			tags["es"] = n$src_peer$descr;
+		else
+			tags["es"] = fmt("%s/%s", n$src_peer$host, n$src_peer$p);
+		}
+
+	else
+		tags["es"] = peer_description;
+
+	return tags;
+	}
+
+function build_notice_info_string_untagged(n: notice_info) : string
+	{
+	# We add the fields in this order. Fields not listed won't be added.
+	local fields = vector("t", "no", "na", "es", "sa", "sp", "da", "dp", 
+		"user", "file", "method", "url", "num", "msg", "sub", "tag");
+
+	local tags = notice_info_tags(n);
+	local cur_info = "";
+
+	for ( i in fields )
+		{
+		local val = tags[fields[i]];
+		val = string_escape(val, ":");
+
+		if ( cur_info == "" )
+			cur_info = val;
+		else
+			cur_info = fmt("%s:%s", cur_info, val);
+		}
+
+	return cur_info;
+	}
+
+function build_notice_info_string_tagged(n: notice_info) : string
+	{
+	# We add the fields in this order. Fields not listed won't be added
+	# (except aux_*).
+	local fields = vector("t", "no", "na", "dropped", "es", "sa", "sp",
+			"da", "dp", "p", "user", "file", "method", "url",
+			"num", "msg", "sub", "captured", "tag");
+
+	local tags = notice_info_tags(n);
+	local cur_info = "";
+
+	for ( i in fields )
+		{
+		local val = tags[fields[i]];
+		local f = fields[i];
+
+		if ( val == "" )
+			next;
+
+		val = string_escape(val, "= ");
+
+		if ( cur_info == "" )
+			cur_info = fmt("%s=%s", f, val);
+		else
+			cur_info = fmt("%s %s=%s", cur_info, f, val);
+		}
+
+	for ( t in tags )
+		{
+		if ( t == /aux_.*/ )
+			{
+			if ( cur_info == "" )
+				cur_info = fmt("%s=%s", t, tags[t]);
+			else
+				cur_info = fmt("%s %s=%s", cur_info, t, tags[t]);
+			}
+		}
+
+	return cur_info;
+	}
+
+function email_notice_to(n: notice_info, dest: string)
+	{
+	if ( reading_traces() || dest == "" )
+		return;
+
+	# The contortions here ensure that the arguments to the mail
+	# script will not be confused.  Re-evaluate if 'system' is reworked.
+	local mail_cmd =
+		fmt("echo \"%s\" | %s -s \"[Bro Alarm] %s\" %s",
+			str_shell_escape(n$msg), mail_script, n$note, dest);
+
+	system(mail_cmd);
+	}
+
+function email_notice(n: notice_info, action: NoticeAction)
+	{
+	# Choose destination address based on action type.
+	local destination =
+		(action == NOTICE_EMAIL) ?  mail_dest : mail_page_dest;
+
+	email_notice_to(n, destination);
+	}
+
+# Executes a script with all of the notice fields put into the
+# new process' environment as "BRO_ARG_<field>" variables.
+function execute_with_notice(cmd: string, n: notice_info)
+	{
+	local tags = notice_info_tags(n);
+	system_env(cmd, tags);
+	}
+
+# Can't load it at the beginning due to circular dependencies.
+@load drop
+
+function NOTICE(n: notice_info)
+	{
+	# Fill in some defaults.
+	if ( ! n?$id && n?$conn )
+		n$id = n$conn$id;
+
+	if ( ! n?$src && n?$id )
+		n$src = n$id$orig_h;
+	if ( ! n?$dst && n?$id )
+		n$dst = n$id$resp_h;
+
+	if ( ! n?$p && n?$id )
+		n$p = n$id$resp_p;
+
+	if ( ! n?$src && n?$iconn )
+		n$src = n$iconn$orig_h;
+	if ( ! n?$dst && n?$iconn )
+		n$dst = n$iconn$resp_h;
+
+	if ( ! n?$src_peer )
+		n$src_peer = get_event_peer();
+
+	if ( n?$conn )
+		n$tag = add_notice_tag(n$conn);
+
+	if ( ! n?$tag )
+		n$tag = new_notice_tag();
+
+	local action = match n using notice_policy;
+
+	local n_id = "";
+
+	if ( action != NOTICE_IGNORE && action != NOTICE_FILE &&
+		n$note in notice_action_filters )
+		action = notice_action_filters[n$note](n, action);
+
+	n$action = action;
+
+	if ( action == NOTICE_EMAIL || action == NOTICE_PAGE )
+		email_notice(n, action);
+
+	if ( action == NOTICE_DROP )
+		{
+		local drop = Drop::drop_address(n$src, "");
+		local addl = drop?$sub ? fmt(" %s", drop$sub) : "";
+		n$dropped = drop$note != Drop::AddressDropIgnored;
+		n$msg += fmt(" [%s%s]", drop$note, addl);
+		}
+
+	if ( action != NOTICE_IGNORE )
+		{
+		# Build the info here after we had a chance to set the
+		# $dropped field.
+		local info: string;
+		if ( use_tagging )
+			info = build_notice_info_string_tagged(n);
+		else
+			info = build_notice_info_string_untagged(n);
+
+		print notice_file, info;
+
+		if ( action != NOTICE_FILE && n$do_alarm )
+			{
+			if ( use_tagging )
+				{
+				alarm info;
+				event notice_alarm(n, action);
+				}
+			else
+				{
+				local descr = "";
+				if ( is_remote_event() )
+					{
+					if ( n$src_peer$descr != "" )
+						descr = fmt("<%s> ",
+							n$src_peer$descr);
+					else
+						descr = fmt("<%s:%s> ",
+							n$src_peer$host,
+							n$src_peer$p);
+					}
+
+				alarm fmt("%s %s%s", n$note, descr, n$msg);
+				event notice_alarm(n, action);
+				}
+			}
+		}
+
+@ifdef ( IDMEF_support )
+	if ( n?$id )
+		generate_idmef(n$id$orig_h, n$id$orig_p,
+			       n$id$resp_h, n$id$resp_p);
+@endif
+
+	if ( ! suppress_notice_action && n$note !in suppress_notice_actions )
+		event notice_action(n, action);
+	}
+
+
+@load notice-action-filters
diff --git a/policy/ntp.bro b/policy/ntp.bro
new file mode 100644
index 0000000000..eb746bc830
--- /dev/null
+++ b/policy/ntp.bro
@@ -0,0 +1,53 @@
+# $Id: ntp.bro 4758 2007-08-10 06:49:23Z vern $
+
+@load udp-common
+
+redef capture_filters += { ["ntp"] = "udp port 123" };
+
+module NTP;
+
+export {
+	const excessive_ntp_request = 48 &redef;
+	const allow_excessive_ntp_requests: set[addr] &redef;
+}
+
+# DPM configuration.
+global ntp_ports = { 123/udp } &redef;
+redef dpd_config += { [ANALYZER_NTP] = [$ports = ntp_ports] };
+
+const ntp_code: table[count] of string = {
+	[0] = "unspec",
+	[1] = "sym_act",
+	[2] = "sym_psv",
+	[3] = "client",
+	[4] = "server",
+	[5] = "bcast",
+	[6] = "rsv1",
+	[7] = "rsv2",
+};
+
+event ntp_message(u: connection, msg: ntp_msg, excess: string)
+	{
+	local id = u$id;
+
+	if ( id !in udp_rep_count && id !in udp_req_count )
+		{
+		Hot::check_hot(u, Hot::CONN_ATTEMPTED);
+		Scan::check_scan(u, F, F);
+		}
+
+	if ( msg$code == 4 )
+		# "server"
+		++udp_rep_count[id];
+	else
+		# anything else
+		++udp_req_count[id];
+
+	local n_excess = byte_len(excess);
+	if ( n_excess > excessive_ntp_request &&
+	     id$orig_h !in allow_excessive_ntp_requests )
+		{
+		append_addl_marker(u, fmt("%s", n_excess), ",");
+		++u$hot;
+		}
+	}
diff --git a/policy/passwords.bro b/policy/passwords.bro
new file mode 100644
index 0000000000..84e98ec3ff
--- /dev/null
+++ b/policy/passwords.bro
@@ -0,0 +1,29 @@
+# $Id: passwords.bro 688 2004-11-02 23:59:55Z vern $
+
+# Generates notices of exposed passwords.  Currently just works
+# on telnet/rlogin access.  Should be extended to do FTP, HTTP, etc.
+
+@load login
+
+redef enum Notice += {
+	PasswordExposed,
+};
+
+# Usernames which we ignore.
+global okay_usernames: set[string] &redef;
+
+# Passwords which we ignore.
+global okay_passwords = { "", "<none>" } &redef;
+
+event login_success(c:connection, user: string, client_user: string,
+			password: string, line: string)
+	{
+	if ( user in okay_usernames || password in okay_passwords )
+		return;
+
+	NOTICE([$note=PasswordExposed,
+		$conn=c,
+		$user=user,
+		$sub=password,
+		$msg="login exposed user's password"]);
+	}
diff --git a/policy/pcap.bro b/policy/pcap.bro
new file mode 100644
index 0000000000..091233dd52
--- /dev/null
+++ b/policy/pcap.bro
@@ -0,0 +1,100 @@
+# $Id: pcap.bro 261 2004-08-31 19:25:40Z vern $
+
+# The set of capture_filters indexed by some user-definable ID.
+global capture_filters: table[string] of string &redef;
+global restrict_filters: table[string] of string &redef;
+
+# Filter string which is unconditionally or'ed to every pcap filter.
+global unrestricted_filter = "" &redef;
+
+redef enum PcapFilterID += {
+	DefaultPcapFilter,
+};
+
+function add_to_pcap_filter(fold: string, fnew: string, op: string): string
+	{
+	if ( fold == "" )
+		return fnew;
+	else if ( fnew == "" )
+		return fold;
+	else
+		return fmt("(%s) %s (%s)", fold, op, fnew);
+	}
+
+function join_filters(capture_filter: string, restrict_filter: string): string
+	{
+	local filter: string;
+
+	if ( capture_filter != "" && restrict_filter != "" )
+		filter = fmt( "(%s) and (%s)", restrict_filter, capture_filter );
+	else if ( capture_filter != "" )
+		filter = capture_filter;
+
+	else if ( restrict_filter != "" )
+		filter = restrict_filter;
+
+	else
+		filter = "tcp or udp or icmp";
+
+	if ( unrestricted_filter != "" )
+		filter = fmt( "(%s) or (%s)", unrestricted_filter, filter );
+
+	return filter;
+	}
+
+function build_default_pcap_filter(): string
+	{
+	# Build capture_filter.
+	local cfilter = "";
+
+	for ( id in capture_filters )
+		cfilter = add_to_pcap_filter(cfilter, capture_filters[id], "or");
+
+	# Build restrict_filter.
+	local rfilter = "";
+	local saw_VLAN = F;
+	for ( id in restrict_filters )
+		{
+		if ( restrict_filters[id] == "vlan" )
+			# These are special - they need to come first.
+			saw_VLAN = T;
+		else
+			rfilter = add_to_pcap_filter(rfilter, restrict_filters[id], "and");
+		}
+
+	if ( saw_VLAN )
+		rfilter = add_to_pcap_filter("vlan", rfilter, "and");
+
+	return join_filters(cfilter, rfilter);
+	}
+
+function install_default_pcap_filter()
+	{
+	if ( ! install_pcap_filter(DefaultPcapFilter) )
+		 {
+		 ### This could be due to a true failure, or simply
+		 # because the user specified -f.  Since we currently
+		 # don't have an easy way to distinguish, we punt on
+		 # reporting it for now.
+		 }
+	}
+
+global default_pcap_filter = "<not set>";
+
+function update_default_pcap_filter()
+	{
+	default_pcap_filter = build_default_pcap_filter();
+
+	if ( ! precompile_pcap_filter(DefaultPcapFilter, default_pcap_filter) )
+		 {
+		 print fmt("can't compile filter %s", default_pcap_filter);
+		 exit();
+		 }
+
+	install_default_pcap_filter();
+	}
+
+event bro_init()
+	{
+	update_default_pcap_filter();
+	}
diff --git a/policy/peer-status.bro b/policy/peer-status.bro
new file mode 100644
index 0000000000..95189873fd
--- /dev/null
+++ b/policy/peer-status.bro
@@ -0,0 +1,84 @@
+# $Id: peer-status.bro 5954 2008-07-15 00:07:50Z vern $
+#
+# Emits process status "update" event periodically.
+
+module PeerStatus;
+
+export {
+	type peer_status: record {
+		res: bro_resources;
+		stats: net_stats;
+		current_time: time;
+		cpu: double;		# average CPU load since last update
+		default_filter: string;	# default capture filter
+	};
+
+	# Event sent periodically.
+	global update: event(status: peer_status);
+
+	# Update interval.
+	const update_interval = 1 min;
+
+	# This keeps track of all (local and remote) updates
+	# (indexed by peer ID).
+	global peers: table[peer_id] of peer_status;
+}
+
+global start_time = 0;
+global cpu_last_proc_time = 0 secs;
+global cpu_last_wall_time: time = 0;
+global stats: net_stats;
+global default_filter : string;
+
+event net_stats_update(t: time, ns: net_stats)
+	{
+	stats = ns;
+	}
+
+event emit_update()
+	{
+	# Get CPU load.
+	local res = resource_usage();
+	local proc_time = res$user_time + res$system_time;
+	local wall_time = current_time();
+	local dproc = proc_time - cpu_last_proc_time;
+	local dwall = wall_time - cpu_last_wall_time;
+	local load = dproc / dwall * 100.0;
+	cpu_last_proc_time = proc_time;
+	cpu_last_wall_time = wall_time;
+
+	local status: peer_status;
+	status$res = res;
+	status$stats = stats;
+	status$current_time = current_time();
+	status$cpu = load;
+	status$default_filter = default_filter;
+
+	event PeerStatus::update(status);
+
+	schedule update_interval { emit_update() };
+	}
+
+event bro_init()
+	{
+	default_filter = build_default_pcap_filter();
+
+	local res = resource_usage();
+	cpu_last_proc_time = res$user_time + res$system_time;
+	cpu_last_wall_time = current_time();
+	stats = [$pkts_recvd=0, $pkts_dropped=0, $pkts_link=0];
+
+	schedule update_interval { emit_update() };
+	}
+
+event update(status: peer_status)
+	{
+	local peer = get_event_peer();
+	peers[peer$id] = status;
+	}
+
+event remote_connection_closed(p: event_peer)
+	{
+	if ( p$id in peers )
+		delete peers[p$id];
+	}
diff --git a/policy/pkt-profile.bro b/policy/pkt-profile.bro
new file mode 100644
index 0000000000..a499ec2c6e
--- /dev/null
+++ b/policy/pkt-profile.bro
@@ -0,0 +1,5 @@
+# $Id: pkt-profile.bro 325 2004-09-03 01:33:15Z vern $
+
+redef pkt_profile_file = open_log_file("pkt-prof");
+redef pkt_profile_mode = PKT_PROFILE_MODE_SECS;
+redef pkt_profile_freq = 1.0;
diff --git a/policy/pop3.bro b/policy/pop3.bro
new file mode 100644
index 0000000000..40ae3920a9
--- /dev/null
+++ b/policy/pop3.bro
@@ -0,0 +1,155 @@
+# $Id: pop3.bro 4758 2007-08-10 06:49:23Z vern $
+#
+# Analyzer for Post Office Protocol, version 3.
+#
+# If you want to decode the mail itself, also load mime-pop.bro.
+
+@load login
+
+module POP3;
+
+export {
+	# Report if source triggers more ERR messages.
+	const error_threshold: count = 3 &redef;
+ 	# Don't log these commands.
+	const ignore_commands: set[string] = { "STAT" } &redef;
+}
+
+redef capture_filters += { ["pop3"] = "port 110" };
+
+global pop3_ports = { 110/tcp } &redef;
+redef dpd_config += { [ANALYZER_POP3] = [$ports = pop3_ports] };
+
+const log_file = open_log_file("pop3") &redef;
+
+type pop3_session_info: record {
+	id: count; 		# Unique session ID.
+	quit_sent: bool;	# Client issued a QUIT.
+	last_command: string;	# Last command of client.
+};
+
+
+global pop_log: function(conn: pop3_session_info,
+				command: string, message: string);
+global get_connection: function(id: conn_id): pop3_session_info;
+
+
+global pop_connections:
+	table[conn_id] of pop3_session_info &read_expire = 60 mins;
+global pop_connection_weirds:
+	table[addr] of count &default=0 &read_expire = 60 mins;
+global pop_session_id = 0;
+
+
+event pop3_request(c: connection, is_orig: bool, command: string, arg: string)
+	{
+	local conn = get_connection(c$id);
+
+	pop_log(conn, command, fmt("%.6f #%s > %s %s",
+		network_time(), prefixed_id(conn$id), command, arg));
+
+	conn$last_command = command;
+
+	if ( command == "QUIT" )
+		conn$quit_sent = T;
+	}
+
+event pop3_reply(c: connection, is_orig: bool, cmd: string, msg: string)
+	{
+	local conn = get_connection(c$id);
+
+	pop_log(conn, cmd,
+		fmt("%.6f #%s < %s %s", network_time(), prefixed_id(conn$id), cmd, msg));
+
+	if ( cmd == "OK" )
+		{
+		if ( conn$quit_sent )
+			delete pop_connections[c$id];
+		}
+
+	else if ( cmd == "ERR" )
+		{
+		++pop_connection_weirds[c$id$orig_h];
+		if ( pop_connection_weirds[c$id$orig_h] > error_threshold )
+			print log_file, fmt("%.6f #%s %s/%d > %s/%d WARNING: error count exceeds threshold",
+					network_time(), prefixed_id(conn$id),
+					c$id$orig_h, c$id$orig_p,
+					c$id$resp_h, c$id$resp_p);
+		}
+	}
+
+event pop3_login_success(c: connection, is_orig: bool,
+				user: string, password: string)
+	{
+	local conn = get_connection(c$id);
+
+	local pw = byte_len(password) != 0 ? password : "<not seen>";
+
+	print log_file, fmt("%.6f #%s > login successful: user %s password: %s",
+				network_time(), prefixed_id(conn$id), user, pw);
+
+	event login_success(c, user, "", password, "");
+	}
+
+event pop3_login_failure(c: connection, is_orig: bool,
+				user: string, password: string)
+	{
+	local conn = get_connection(c$id);
+
+	print log_file, fmt("%.6f #%s > login failed: user %s password: %s",
+			network_time(), prefixed_id(conn$id), user, password);
+
+	event login_failure(c, user, "", password, "");
+	}
+
+# event pop3_data(c: connection, is_orig: bool, data: string)
+# 	{
+# 	# We could instantiate partial connections here if we wished,
+# 	# but at considerable cost in terms of event counts.
+# 	local conn = get_connection(c$id);
+# 	}
+
+event pop3_unexpected(c: connection, is_orig: bool, msg: string, detail: string)
+	{
+	local conn = get_connection(c$id);
+	print log_file, fmt("%.6f #%s unexpected cmd: %s detail: %s",
+				network_time(), prefixed_id(conn$id),
+				msg, detail);
+	}
+
+event pop3_terminate(c: connection, is_orig: bool, msg: string)
+	{
+	delete pop_connections[c$id];
+	}
+
+
+function pop_log(conn: pop3_session_info, command: string, message: string)
+	{
+	if ( command !in ignore_commands )
+		{
+		if ( (command == "OK" || command == "ERR") &&
+		     conn$last_command in ignore_commands )
+			;
+		else
+			print log_file, message;
+		}
+	}
+
+function get_connection(id: conn_id): pop3_session_info
+	{
+	if ( id in pop_connections )
+		return pop_connections[id];
+
+	local conn: pop3_session_info;
+
+	conn$id = ++pop_session_id;
+	conn$quit_sent = F;
+	conn$last_command = "INIT";
+	pop_connections[id] = conn;
+
+	print log_file, fmt("%.6f #%s %s/%d > %s/%d: new connection",
+				network_time(), prefixed_id(conn$id),
+				id$orig_h, id$orig_p, id$resp_h, id$resp_p);
+
+	return conn;
+	}
diff --git a/policy/port-name.bro b/policy/port-name.bro
new file mode 100644
index 0000000000..c5b0f8c11f
--- /dev/null
+++ b/policy/port-name.bro
@@ -0,0 +1,63 @@
+const port_names: table[port] of string = {
+	[0/icmp] = "icmp-echo",
+	[3/icmp] = "icmp-unreach",
+	[8/icmp] = "icmp-echo",
+
+	[7/tcp] = "echo",
+	[9/tcp] = "discard",
+	[20/tcp] = "ftp-data",
+	[21/tcp] = "ftp",
+	[22/tcp] = "ssh",
+	[23/tcp] = "telnet",
+	[25/tcp] = "smtp",
+	[37/tcp] = "time",
+	[43/tcp] = "whois",
+	[53/tcp] = "dns",
+	[79/tcp] = "finger",
+	[80/tcp] = "http",
+	[109/tcp] = "pop-2",
+	[110/tcp] = "pop-3",
+	[111/tcp] = "portmap",
+	[113/tcp] = "ident",
+	[119/tcp] = "nntp",
+	[135/tcp] = "epmapper",
+	[139/tcp] = "netbios-ssn",
+	[143/tcp] = "imap4",
+	[179/tcp] = "bgp",
+	[389/tcp] = "ldap",
+	[443/tcp] = "https",
+	[445/tcp] = "smb",
+	[512/tcp] = "exec",
+	[513/tcp] = "rlogin",
+	[514/tcp] = "shell",
+	[515/tcp] = "printer",
+	[524/tcp] = "ncp",
+	[543/tcp] = "klogin",
+	[544/tcp] = "kshell",
+	[631/tcp] = "ipp",
+	[993/tcp] = "simap",
+	[995/tcp] = "spop",
+	[1521/tcp] = "oracle-sql",
+	[2049/tcp] = "nfs",
+	[6000/tcp] = "X11",
+	[6001/tcp] = "X11",
+	[6667/tcp] = "IRC",
+
+	[53/udp] = "dns",
+	[69/udp] = "tftp",
+	[111/udp] = "portmap",
+	[123/udp] = "ntp",
+	[137/udp] = "netbios-ns",
+	[138/udp] = "netbios-dgm",
+	[161/udp] = "snmp",
+	[2049/udp] = "nfs",
+
+} &redef;
+
+function endpoint_id(h: addr, p: port): string
+	{
+	if ( p in port_names )
+		return fmt("%s/%s", h, port_names[p]);
+	else
+		return fmt("%s/%d", h, p);
+	}
diff --git a/policy/portmapper.bro b/policy/portmapper.bro
new file mode 100644
index 0000000000..ecf952e9fc
--- /dev/null
+++ b/policy/portmapper.bro
@@ -0,0 +1,401 @@
+# $Id: portmapper.bro 4758 2007-08-10 06:49:23Z vern $
+
+@load notice
+@load hot
+@load conn
+@load weird
+
+module Portmapper;
+
+export {
+	redef enum Notice += {
+		# Some combination of the service looked up, the host doing the
+		# request, and the server contacted is considered sensitive.
+		SensitivePortmapperAccess,
+	};
+
+	# Kudos to Job de Haas for a lot of these entries.
+
+	const rpc_programs = {
+		[200] = "aarp",
+
+		[100000] = "portmapper", [100001] = "rstatd",
+		[100002] = "rusersd", [100003] = "nfs", [100004] = "ypserv",
+		[100005] = "mountd", [100007] = "ypbind", [100008] = "walld",
+		[100009] = "yppasswdd", [100010] = "etherstatd",
+		[100011] = "rquotad", [100012] = "sprayd",
+		[100013] = "3270_mapper", [100014] = "rje_mapper",
+		[100015] = "selection_svc", [100016] = "database_svc",
+		[100017] = "rexd", [100018] = "alis", [100019] = "sched",
+		[100020] = "llockmgr", [100021] = "nlockmgr",
+		[100022] = "x25.inr", [100023] = "statmon",
+		[100024] = "status", [100026] = "bootparam",
+		[100028] = "ypupdate", [100029] = "keyserv",
+		[100033] = "sunlink_mapper", [100036] = "pwdauth",
+		[100037] = "tfsd", [100038] = "nsed",
+		[100039] = "nsemntd", [100041] = "pnpd",
+		[100042] = "ipalloc", [100043] = "filehandle",
+		[100055] = "ioadmd", [100062] = "NETlicense",
+		[100065] = "sunisamd", [100066] = "debug_svc",
+		[100068] = "cms", [100069] = "ypxfrd",
+		[100071] = "bugtraqd", [100078] = "kerbd",
+		[100083] = "tooltalkdb", [100087] = "admind",
+		[100099] = "autofsd",
+
+		[100101] = "event", [100102] = "logger", [100104] = "sync",
+		[100105] = "diskinfo", [100106] = "iostat",
+		[100107] = "hostperf", [100109] = "activity",
+		[100111] = "lpstat", [100112] = "hostmem",
+		[100113] = "sample", [100114] = "x25", [100115] = "ping",
+		[100116] = "rpcnfs", [100117] = "hostif", [100118] = "etherif",
+		[100119] = "ippath", [100120] = "iproutes",
+		[100121] = "layers", [100122] = "snmp", [100123] = "traffic",
+		[100131] = "layers2", [100135] = "etherif2",
+		[100136] = "hostmem2", [100137] = "iostat2",
+		[100138] = "snmpv2", [100139] = "sender",
+
+		[100221] = "kcms", [100227] = "nfs_acl", [100229] = "metad",
+		[100230] = "metamhd", [100232] = "sadmind", [100233] = "ufsd",
+		[100235] = "cachefsd", [100249] = "snmpXdmid",
+
+		[100300] = "nisd", [100301] = "nis_cache",
+		[100302] = "nis_callback", [100303] = "nispasswd",
+
+		[120126] = "nf_snmd", [120127] = "nf_snmd",
+
+		[150001] = "pcnfsd",
+
+		[300004] = "frameuser", [300009] = "stdfm", [300019] = "amd",
+
+		[300433] = "bssd", [300434] = "drdd",
+
+		[300598] = "dmispd",
+
+		[390100] = "prestoctl_svc",
+
+		[390600] = "arserverd", [390601] = "ntserverd",
+		[390604] = "arservtcd",
+
+		[391000] = "SGI_snoopd", [391001] = "SGI_toolkitbus",
+		[391002] = "SGI_fam", [391003] = "SGI_notepad",
+		[391004] = "SGI_mountd", [391005] = "SGI_smtd",
+		[391006] = "SGI_pcsd", [391007] = "SGI_nfs",
+		[391008] = "SGI_rfind", [391009] = "SGI_pod",
+		[391010] = "SGI_iphone", [391011] = "SGI_videod",
+		[391012] = "SGI_testcd", [391013] = "SGI_ha_hb",
+		[391014] = "SGI_ha_nc", [391015] = "SGI_ha_appmon",
+		[391016] = "SGI_xfsmd", [391017] = "SGI_mediad",
+
+		# 391018 - 391063 = "SGI_reserved"
+
+		[545580417] = "bwnfsd",
+
+		[555555554] = "inetray.start", [555555555] = "inetray",
+		[555555556] = "inetray", [555555557] = "inetray",
+		[555555558] = "inetray", [555555559] = "inetray",
+		[555555560] = "inetray",
+
+		[600100069] = "fypxfrd",
+
+		[1342177279] = "Solaris/CDE",	# = 0x4fffffff
+
+		# Some services that choose numbers but start often at these values.
+		[805306368] = "dmispd",
+		[824395111] = "cfsd", [1092830567] = "cfsd",
+	} &redef;
+
+	const NFS_services = {
+		"mountd", "nfs", "pcnfsd", "nlockmgr", "rquotad", "status"
+	} &redef;
+
+	# Indexed by the host providing the service, the host requesting it,
+	# and the service.
+	const RPC_okay: set[addr, addr, string] &redef;
+	const RPC_okay_nets: set[subnet] &redef;
+	const RPC_okay_services: set[string] &redef;
+	const NFS_world_servers: set[addr] &redef;
+
+	# Indexed by the portmapper request and a boolean that's T if
+	# the request was answered, F it was attempted but not answered.
+	# If there's an entry in the set, then the access won't be logged
+	# (unless the connection is hot for some other reason).
+	const RPC_do_not_complain: set[string, bool] = {
+		["pm_null", [T, F]],
+	} &redef;
+
+	# Indexed by the host requesting the dump and the host from which it's
+	# requesting it.
+	const RPC_dump_okay: set[addr, addr] &redef;
+
+	# Indexed by the host providing the service - any host can request it.
+	const any_RPC_okay = {
+		[NFS_world_servers, NFS_services],
+		[sun-rpc.mcast.net, "ypserv"],	# sigh
+	} &redef;
+}
+
+redef capture_filters += { ["portmapper"] = "port 111" };
+
+const portmapper_ports = { 111/tcp } &redef;
+redef dpd_config += { [ANALYZER_PORTMAPPER] = [$ports = portmapper_ports] };
+
+const portmapper_binpac_ports = { 111/udp } &redef;
+redef dpd_config += { [ANALYZER_RPC_UDP_BINPAC] = [$ports = portmapper_binpac_ports] };
+
+# Indexed by source and destination addresses, plus the portmapper service.
+# If the tuple is in the set, then we already logged it and shouldn't do
+# so again.
+global did_pm_log: set[addr, addr, string];
+
+# Indexed by source and portmapper service.  If set, we already logged
+# and shouldn't do so again.
+global suppress_pm_log: set[addr, string];
+
+
+function RPC_weird_action_filter(c: connection): Weird::WeirdAction
+	{
+	if ( c$id$orig_h in RPC_okay_nets )
+		return Weird::WEIRD_FILE;
+	else
+		return Weird::WEIRD_UNSPECIFIED;
+	}
+
+redef Weird::weird_action_filters += {
+	[["bad_RPC", "excess_RPC", "multiple_RPCs", "partial_RPC"]] =
+		RPC_weird_action_filter,
+};
+
+function rpc_prog(p: count): string
+	{
+	if ( p in rpc_programs )
+		return rpc_programs[p];
+	else
+		return fmt("unknown-%d", p);
+	}
+
+function pm_check_getport(r: connection, prog: string): bool
+	{
+	if ( prog in RPC_okay_services ||
+	     [r$id$resp_h, prog] in any_RPC_okay ||
+	     [r$id$resp_h, r$id$orig_h, prog] in RPC_okay )
+		return F;
+
+	if ( r$id$orig_h in RPC_okay_nets )
+		return F;
+
+	return T;
+	}
+
+function pm_activity(r: connection, log_it: bool, proc: string)
+	{
+	local id = r$id;
+
+	if ( log_it &&
+	     [id$orig_h, id$resp_h, proc] !in did_pm_log &&
+	     [id$orig_h, proc] !in suppress_pm_log )
+		{
+		NOTICE([$note=SensitivePortmapperAccess, $conn=r,
+			$msg=fmt("rpc: %s %s: %s",
+				id_string(r$id), proc, r$addl)]);
+		add did_pm_log[id$orig_h, id$resp_h, proc];
+		}
+	}
+
+function pm_request(r: connection, proc: string, addl: string, log_it: bool)
+	{
+	if ( [proc, T] in RPC_do_not_complain )
+		log_it = F;
+
+	if ( ! is_tcp_port(r$id$orig_p) )
+		{
+		# It's UDP, so no connection_established event - check for
+		# scanning, hot access, here, instead.
+		Scan::check_scan(r, T, F);
+		Hot::check_hot(r, Hot::CONN_ESTABLISHED);
+		}
+
+	if ( r$addl == "" )
+		r$addl = addl;
+
+	else
+		{
+		if ( byte_len(r$addl) > 80 )
+			{
+			# r already has a lot of annotation.  We can sometimes
+			# get *zillions* of successive pm_request's with the
+			# same connection ID, depending on how the RPC client
+			# behaves.  For those, don't add any further, except
+			# add an ellipses if we don't already have one.
+			append_addl(r, "...");
+			}
+		else
+			append_addl_marker(r, addl, ", ");
+		}
+
+	add r$service[proc];
+	Hot::check_hot(r, Hot::CONN_FINISHED);
+	pm_activity(r, log_it || r$hot > 0, proc);
+	}
+
+
+event pm_request_null(r: connection)
+	{
+	pm_request(r, "pm_null", "", F);
+	}
+
+event pm_request_set(r: connection, m: pm_mapping, success: bool)
+	{
+	pm_request(r, "pm_set", fmt("%s %d (%s)",
+		rpc_prog(m$program), m$p, success ? "ok" : "failed"), T);
+	}
+
+event pm_request_unset(r: connection, m: pm_mapping, success: bool)
+	{
+	pm_request(r, "pm_unset", fmt("%s %d (%s)",
+		rpc_prog(m$program), m$p, success ? "ok" : "failed"), T);
+	}
+
+function update_RPC_server_map(server: addr, p: port, prog: string)
+	{
+	if ( [server, p] in RPC_server_map )
+		{
+		if ( prog !in RPC_server_map[server, p] )
+			{
+			RPC_server_map[server, p] =
+				fmt("%s/%s", RPC_server_map[server, p], prog);
+			}
+		}
+	else
+		RPC_server_map[server, p] = prog;
+	}
+
+event pm_request_getport(r: connection, pr: pm_port_request, p: port)
+	{
+	local prog = rpc_prog(pr$program);
+	local log_it = pm_check_getport(r, prog);
+
+	update_RPC_server_map(r$id$resp_h, p, prog);
+
+	pm_request(r, "pm_getport", fmt("%s -> %s", prog, p), log_it);
+	}
+
+function pm_mapping_to_text(server: addr, m: pm_mappings): string
+	{
+	# Used to suppress multiple entries for multiple versions.
+	local mapping_seen: set[count, port];
+	local addls: vector of string;
+	local num_addls = 0;
+
+	for ( mp in m )
+		{
+		local prog = m[mp]$program;
+		local p = m[mp]$p;
+
+		if ( [prog, p] !in mapping_seen )
+			{
+			add mapping_seen[prog, p];
+			addls[++num_addls] = fmt("%s -> %s", rpc_prog(prog), p);
+
+			update_RPC_server_map(server, p, rpc_prog(prog));
+			}
+		}
+
+	local addl_str = fmt("%s", sort(addls, strcmp));
+
+	# Lop off surrounding []'s for compatibility with previous
+	# format.
+	addl_str = sub(addl_str, /^\[/, "");
+	addl_str = sub(addl_str, /\]$/, "");
+
+	return addl_str;
+	}
+
+event pm_request_dump(r: connection, m: pm_mappings)
+	{
+	local log_it = [r$id$orig_h, r$id$resp_h] !in RPC_dump_okay;
+	pm_request(r, "pm_dump", length(m) == 0 ? "(nil)" : "(done)", log_it);
+	append_addl(r, cat("<", pm_mapping_to_text(r$id$resp_h, m), ">"));
+	}
+
+event pm_request_callit(r: connection, call: pm_callit_request, p: port)
+	{
+	local orig_h = r$id$orig_h;
+	local prog = rpc_prog(call$program);
+	local log_it = [orig_h, prog] !in suppress_pm_log;
+
+	pm_request(r, "pm_callit", fmt("%s/%d (%d bytes) -> %s",
+		prog, call$proc, call$arg_size, p), log_it);
+
+	if ( prog == "walld" )
+		add suppress_pm_log[orig_h, prog];
+	}
+
+
+function pm_attempt(r: connection, proc: string, status: rpc_status,
+			addl: string, log_it: bool)
+	{
+	if ( [proc, F] in RPC_do_not_complain )
+		log_it = F;
+
+	if ( ! is_tcp_port(r$id$orig_p) )
+		{
+		# It's UDP, so no connection_attempt event - check for
+		# scanning here, instead.
+		Scan::check_scan(r, F, F);
+		Hot::check_hot(r, Hot::CONN_ATTEMPTED);
+		}
+
+	add r$service[proc];
+	append_addl(r, fmt("(%s)", RPC_status[status]));
+
+	# Current policy is ignore any failed attempts.
+	pm_activity(r, F, proc);
+	}
+
+event pm_attempt_null(r: connection, status: rpc_status)
+	{
+	pm_attempt(r, "pm_null", status, "", T);
+	}
+
+event pm_attempt_set(r: connection, status: rpc_status, m: pm_mapping)
+	{
+	pm_attempt(r, "pm_set", status, fmt("%s %d", rpc_prog(m$program), m$p), T);
+	}
+
+event pm_attempt_unset(r: connection, status: rpc_status, m: pm_mapping)
+	{
+	pm_attempt(r, "pm_unset", status, fmt("%s %d", rpc_prog(m$program), m$p), T);
+	}
+
+event pm_attempt_getport(r: connection, status: rpc_status, pr: pm_port_request)
+	{
+	local prog = rpc_prog(pr$program);
+	local log_it = pm_check_getport(r, prog);
+	pm_attempt(r, "pm_getport", status, prog, log_it);
+	}
+
+event pm_attempt_dump(r: connection, status: rpc_status)
+	{
+	local log_it = [r$id$orig_h, r$id$resp_h] !in RPC_dump_okay;
+	pm_attempt(r, "pm_dump", status, "", log_it);
+	}
+
+event pm_attempt_callit(r: connection, status: rpc_status,
+			call: pm_callit_request)
+	{
+	local orig_h = r$id$orig_h;
+	local prog = rpc_prog(call$program);
+	local log_it = [orig_h, prog] !in suppress_pm_log;
+
+	pm_attempt(r, "pm_callit", status,
+		fmt("%s/%d (%d bytes)", prog, call$proc, call$arg_size),
+		log_it);
+
+	if ( prog == "walld" )
+		add suppress_pm_log[orig_h, prog];
+	}
+
+event pm_bad_port(r: connection, bad_p: count)
+	{
+	event conn_weird_addl("bad_pm_port", r, fmt("port %d", bad_p));
+	}
diff --git a/policy/print-filter.bro b/policy/print-filter.bro
new file mode 100644
index 0000000000..5d8d03b80a
--- /dev/null
+++ b/policy/print-filter.bro
@@ -0,0 +1,26 @@
+# $Id: print-filter.bro 4506 2007-06-27 14:40:34Z vern $
+
+module PrintFilter;
+
+export {
+	# If true, terminate Bro after printing the filter.
+	const terminate_bro = T &redef;
+
+	# If true, write to log file instead of stdout.
+	const to_file = F &redef;
+	}
+
+event bro_init()
+	{
+	if ( to_file )
+		{
+		local f = open_log_file("pcap_filter");
+		print f, build_default_pcap_filter();
+		close(f);
+		}
+	else
+		print build_default_pcap_filter();
+
+	if ( terminate_bro )
+		exit();
+	}
diff --git a/policy/print-globals.bro b/policy/print-globals.bro
new file mode 100644
index 0000000000..994ea17eba
--- /dev/null
+++ b/policy/print-globals.bro
@@ -0,0 +1,4 @@
+event bro_done()
+	{
+	print global_sizes();
+	}
diff --git a/policy/print-resources.bro b/policy/print-resources.bro
new file mode 100644
index 0000000000..7b069f9415
--- /dev/null
+++ b/policy/print-resources.bro
@@ -0,0 +1,21 @@
+# $Id: print-resources.bro 6703 2009-05-13 22:27:44Z vern $
+
+# Logs Bro resource usage information upon termination.
+
+@load notice
+
+redef enum Notice += {
+	ResourceSummary,	# Notice type for this event
+};
+ 
+event bro_done()
+	{
+	local res = resource_usage();
+	
+	NOTICE([$note=ResourceSummary,
+		$msg=fmt("elapsed time = %s, total CPU = %s, maximum memory = %d KB, peak connections = %d, peak timers = %d, peak fragments = %d",
+		res$real_time, res$user_time + res$system_time,
+		res$mem / 1024,
+		res$max_TCP_conns + res$max_UDP_conns + res$max_ICMP_conns,
+		res$max_timers, res$max_fragments)]);
+	}
diff --git a/policy/print-sig-states.bro b/policy/print-sig-states.bro
new file mode 100644
index 0000000000..c13677f6ca
--- /dev/null
+++ b/policy/print-sig-states.bro
@@ -0,0 +1,18 @@
+# $Id: print-sig-states.bro 491 2004-10-05 05:44:59Z vern $
+#
+# Simple profiling script for periodicaly dumping out signature-matching
+# statistics.
+
+global sig_state_stats_interval = 5 mins;
+global sig_state_file = open_log_file("sig-states");
+
+event dump_sig_state_stats()
+	{
+	dump_rule_stats(sig_state_file);
+	schedule sig_state_stats_interval { dump_sig_state_stats() };
+	}
+
+event bro_init()
+	{
+	schedule sig_state_stats_interval { dump_sig_state_stats() };
+	}
diff --git a/policy/profiling.bro b/policy/profiling.bro
new file mode 100644
index 0000000000..a8aef46440
--- /dev/null
+++ b/policy/profiling.bro
@@ -0,0 +1,17 @@
+# $Id: profiling.bro 1102 2005-03-17 09:17:46Z vern $
+#
+# Turns on profiling of Bro resource consumption.
+
+redef profiling_file = open_log_file("prof");
+
+# Cheap profiling every 15 seconds.
+redef profiling_interval = 15 secs &redef;
+
+# Expensive profiling every 5 minutes.
+redef expensive_profiling_multiple = 20;
+
+event bro_init()
+	{
+	set_buf(profiling_file, F);
+	}
+
diff --git a/policy/proxy.bro b/policy/proxy.bro
new file mode 100644
index 0000000000..1f43308f3a
--- /dev/null
+++ b/policy/proxy.bro
@@ -0,0 +1,99 @@
+# $Id: proxy.bro,v 1.1.4.2 2006/05/31 00:16:22 sommer Exp $
+#
+# Finds open proxies by matching incoming HTTP requests with outgoing ones.
+
+@load notice
+
+module Proxy;
+
+export {
+	const KnownProxies: set[addr] = { };
+
+	redef enum Notice += {
+		HTTPProxyFound,
+	};
+}
+
+
+type request: record {
+	p: port;
+	paths: set[string];
+};
+
+# Maps the address of the potential proxy to the paths that
+# have been requested from it.
+global requests: table[addr] of request;
+
+# A parsed URL.
+type url: record {
+	host: string;
+	path: string;
+};
+
+global found_proxies: set[addr] &create_expire = 24 hrs;
+
+function parse_url(u: string) : url
+	{
+	# The URL parsing is imperfect, but should work sufficiently well.
+	local a = split1(u, /:\/\//);
+	if ( |a| == 1 )
+		return [$host="", $path=a[1]];
+
+	local b = split1(a[2], /\//);
+	return [$host=b[1], $path=(|b| == 2 ? cat("/", b[2]) : "/")];
+	}
+
+event http_request(c: connection, method: string, original_URI: string,
+			unescaped_URI: string, version: string)
+	{
+	if ( method != "GET" && method != "CONNECT" )
+		return;
+
+	local client = c$id$orig_h;
+	local server = c$id$resp_h;
+
+	if ( server in KnownProxies )
+		return;
+
+	# FIXME: Which one? original_URI or unescaped_URI?
+	local u = parse_url(original_URI);
+
+	if ( client in requests )
+		{
+		# We have already seen requests to this host.  Let's see
+		# any matches the one we're very currently seeing.
+		local r = requests[client];
+		if ( u$path in r$paths )
+			{
+			if ( client !in found_proxies )
+				{
+				NOTICE([$note=HTTPProxyFound,
+						$conn=c, $src=client,
+						$p=r$p, $URL=original_URI,
+						$msg=fmt("HTTP proxy found %s:%d (%s)",
+						client, r$p, original_URI)]);
+				add found_proxies[client];
+				}
+
+			return;
+			}
+		}
+
+	if ( u$host == "" )
+		# A relative URL. That's fine.
+		return;
+
+	# An absolute URL.  Remember path for later.
+	#
+	# Note: using "when", could even lookup the destination
+	# host and remember that one, too!
+
+	if ( server !in requests )
+		{
+		local empty_set: set[string] &read_expire = 15 secs;
+		local req = [$p=c$id$resp_p, $paths=empty_set];
+		requests[server] = req;
+		}
+
+	add requests[server]$paths[u$path];
+	}
diff --git a/policy/remote-pcap.bro b/policy/remote-pcap.bro
new file mode 100644
index 0000000000..18b124707e
--- /dev/null
+++ b/policy/remote-pcap.bro
@@ -0,0 +1,52 @@
+# $Id: remote-pcap.bro 2704 2006-04-04 07:35:46Z vern $
+#
+# Allows remote peers to set our capture filter.
+
+@load remote
+
+# We install a filter which (hopefully) doesn't match anything to avoid Bro's
+# default "tcp or udp" when no other script/peers adds a filter.
+
+## FIXME: We need non-blocking pacp for this to work.
+##
+## ##redef capture_filters["match-nothing"] = "ether src 0:0:0:0:0:0";
+
+function build_capture_filter_index(p: event_peer): string
+	{
+	return fmt("remote-%d", p$id);
+	}
+
+event remote_capture_filter(p: event_peer, filter: string)
+	{
+	# If we send a capture filter to a peer and are subscribed to all
+	# of its events, we will get a remote_capture_filter event back.
+	if ( is_remote_event() )
+		return;
+
+	Remote::do_script_log(p, fmt("received capture filter: %s", filter));
+
+	capture_filters[build_capture_filter_index(p)] = filter;
+
+	# This will recompile the filter, which may take some time.
+	# Thus, setting a new capture_filter may cost us some packets :-(.
+	update_default_pcap_filter();
+
+	Remote::do_script_log(p, fmt("new default pcap filter: %s",
+					default_pcap_filter));
+	}
+
+event remote_connection_closed(p: event_peer)
+	{
+	local i = build_capture_filter_index(p);
+
+	if ( i in capture_filters )
+		{
+		Remote::do_script_log(p, fmt("removed capture filter: %s",
+					capture_filters[i]));
+		delete capture_filters[i];
+		update_default_pcap_filter();
+		}
+
+	Remote::do_script_log(p, fmt("new default pcap filter: %s",
+				default_pcap_filter));
+	}
diff --git a/policy/remote-ping.bro b/policy/remote-ping.bro
new file mode 100644
index 0000000000..c27c8884d2
--- /dev/null
+++ b/policy/remote-ping.bro
@@ -0,0 +1,49 @@
+# $Id: remote-ping.bro 2704 2006-04-04 07:35:46Z vern $
+#
+# Exchanges periodic pings between communicating Bro's to measure their
+# processing times.
+
+@load remote
+
+module RemotePing;
+
+export {
+	const ping_interval = 1 secs;
+}
+
+global pings: table[event_peer] of count;
+
+event remote_connection_established(p: event_peer)
+	{
+	pings[p] = 0;
+	}
+
+event remote_connection_closed(p: event_peer)
+	{
+	delete pings[p];
+	}
+
+event ping()
+	{
+	for ( p in pings )
+		send_ping(p, ++pings[p]);
+
+	schedule ping_interval { ping() };
+	}
+
+event remote_pong(p: event_peer, seq: count,
+			d1: interval, d2: interval, d3: interval)
+	{
+	# We log three times: "time=<t1> [<t2>/<t3>]"
+	#    t1: round-trip between the two parent processes.
+	#    t2: round-trip between the two child processes.
+	#    t3: sum of time spent in client<->parent communication on
+	#	 either side
+	Remote::do_script_log(p, fmt("ping seq=%d time=%.3fs [%.3fs/%.3fs]", seq,
+				d1, d2 - d3, d1 - d2 + d3));
+	}
+
+event bro_init()
+	{
+	schedule ping_interval { ping() };
+	}
diff --git a/policy/remote-print-id-reply.bro b/policy/remote-print-id-reply.bro
new file mode 100644
index 0000000000..81d0efe35e
--- /dev/null
+++ b/policy/remote-print-id-reply.bro
@@ -0,0 +1,17 @@
+# $Id:$
+#
+# Load this script to support remote printing of variables.  The remote
+# peer accesses these by loading remote-print-id.bro.
+
+module PrintID;
+
+global request_id_response: event(id: string, content: string);
+
+event request_id(id: string)
+	{
+	if ( ! is_remote_event() )
+		return;
+
+	local val = lookup_ID(id);
+	event request_id_response(id, fmt("%s", val));
+	}
diff --git a/policy/remote-print-id.bro b/policy/remote-print-id.bro
new file mode 100644
index 0000000000..550ff8b8b8
--- /dev/null
+++ b/policy/remote-print-id.bro
@@ -0,0 +1,53 @@
+# $Id:$
+#
+# Requests the current value of a variable (identifier) from a remote
+# peer, prints it, and then terminates. The other side must load
+# remote-print-id-reply.bro.
+#
+# Intended to be used from the command line as in:
+#
+# bro -e 'redef PrintID::dst="<dst>" PrintID::id="<name-of-id>"'
+#		<other scripts> remote-print-id
+#
+# The other scripts must set up the connection.  <dst> is an index into
+# Remote::destinations corresponding to the destination.
+
+module PrintID;
+
+@load remote
+@load remote-print-id-reply
+
+export {
+	const dst = "<no-destination-given>" &redef;
+	const id = "<no-id-given>" &redef;
+}
+
+event remote_connection_handshake_done(p: event_peer)
+	{
+	local peer = Remote::destinations[dst];
+
+	if ( peer$host == p$host )
+		{
+		print fmt("Requesting %s from %s at %s:%d",
+				id, dst, p$host, p$p);
+		event request_id(id);
+		}
+	}
+
+event request_id_response(id: string, content: string)
+	{
+	print fmt("%s = %s", id, content);
+	terminate_communication();
+	}
+
+event bro_init()
+	{
+	if ( dst !in Remote::destinations )
+		{
+		print fmt("Unknown destination %s", dst);
+		terminate();
+		return;
+		}
+
+	Remote::connect_peer(dst);
+	}
diff --git a/policy/remote-print.bro b/policy/remote-print.bro
new file mode 100644
index 0000000000..e0d29259c6
--- /dev/null
+++ b/policy/remote-print.bro
@@ -0,0 +1,9 @@
+# $Id: remote-print.bro 415 2004-09-17 03:25:12Z vern $
+#
+# Write remote print messages into local files.
+
+event print_hook(f: file, s: string)
+	{
+	if ( is_remote_event() )
+		print f, s;
+	}
diff --git a/policy/remote-report-notices.bro b/policy/remote-report-notices.bro
new file mode 100644
index 0000000000..9b43ad865f
--- /dev/null
+++ b/policy/remote-report-notices.bro
@@ -0,0 +1,14 @@
+# $Id:$
+#
+# Forward remote alarms to our local system.
+
+event notice_action(n: notice_info, action: NoticeAction)
+	{
+	if ( is_remote_event() )
+		{
+		# Don't raise this event recursively.
+		suppress_notice_action = T;
+		NOTICE(n);
+		suppress_notice_action = F;
+		}
+	}
diff --git a/policy/remote-send-id.bro b/policy/remote-send-id.bro
new file mode 100644
index 0000000000..15c1df5f75
--- /dev/null
+++ b/policy/remote-send-id.bro
@@ -0,0 +1,45 @@
+# $Id:$
+#
+# Sends the current value of an ID to a remote Bro and then terminates
+# processing.
+#
+# Intended to be used from the command line as in:
+#
+# bro -e "redef Send::dst="<dst>" Send::id="<name-of-id>"
+#		<other scripts> remote-send-id
+#
+# The other scripts must set up the connection.  <dst> is an index into
+# Remote::destinations corresponding to the destination.
+
+module Send;
+
+@load remote
+
+export {
+	const dst = "<no-destination-given>" &redef;
+	const id = "<no-id-given>" &redef;
+}
+
+event remote_connection_handshake_done(p: event_peer)
+	{
+	local peer = Remote::destinations[dst];
+
+	if ( peer$host == p$host )
+		{
+		print fmt("Sending %s to %s at %s:%d", id, dst, p$host, p$p);
+		send_id(p, id);
+		terminate_communication();
+		}
+	}
+
+event bro_init()
+	{
+	if ( dst !in Remote::destinations )
+		{
+		print fmt("Unknown destination %s", dst);
+		terminate();
+		return;
+		}
+
+	Remote::connect_peer(dst);
+	}
diff --git a/policy/remote.bro b/policy/remote.bro
new file mode 100644
index 0000000000..fad2beb900
--- /dev/null
+++ b/policy/remote.bro
@@ -0,0 +1,263 @@
+# $Id: remote.bro 5101 2007-11-29 07:02:27Z vern $
+#
+# Connect to remote Bros and request some of their events.
+
+module Remote;
+
+export {
+	const default_port_ssl = 47756/tcp &redef;
+	const default_port_clear = 47757/tcp &redef;
+
+	# Default compression level.
+	global default_compression = 0 &redef;
+
+	# A remote peer to which we would like to talk.
+	# If there's no entry for a peer, it may still connect
+	# and request state, but not send us any.
+	type Destination : record {
+		# Destination endpoint.
+		host: addr;
+		p: port &optional;
+
+		# When accepting a connection, the configuration only
+		# applies if the class matches the one transmitted by
+		# the peer.
+		#
+		# When initiating a connection, the class is sent to
+		# the other side.
+		class: string &optional;
+
+		# Events requested from remote side.
+		events: pattern &optional;
+
+		# Whether we are going to connect (rather than waiting
+		# for the other sie to connect to us).
+		connect: bool &default = F;
+
+		# If disconnected, reconnect after this many seconds.
+		retry: interval &default = 0 secs;
+
+		# Whether to accept remote events.
+		accept_input: bool &default = T;
+
+		# Whether to perform state synchronization with peer.
+		sync: bool &default = T;
+
+		# When performing state synchronization, whether we consider
+		# our state to be authoritative.  If so, we will send the peer
+		# our current set when the connection is set up.
+		# (Only one side can be authoritative.)
+		auth: bool &default = F;
+
+		# If not set, no capture filter is sent.
+		# If set to "", the default cature filter is sent.
+		capture_filter: string &optional;
+
+		# Whether to use SSL-based communication.
+		ssl: bool &default = F;
+
+		# Take-over state from this host
+		# (activated by loading hand-over.bro)
+		hand_over: bool &default = F;
+
+		# Compression level is 0-9, with 0 = no compression.
+		compression: count &default = default_compression;
+
+		# Set when connected.
+		peer: event_peer &optional;
+		connected: bool &default = F;
+	};
+
+	const destinations: table[string] of Destination &redef;
+
+	# redef destinations += {
+	#	["foo"] = [$host = foo.bar.com, $events = /.*/, $connect=T, $retry = 60 secs, $ssl=T]
+	# };
+
+	# Write log message into remote.log
+	global do_script_log: function(p: event_peer, msg: string);
+
+	global pending_peers: table[peer_id] of Destination;
+	global connected_peers: table[peer_id] of Destination;
+
+	# Connect to destionations[dst], independent of its "connect" flag.
+	global connect_peer: function(peer: string);
+}
+
+# Called rm_log rather than remote_log because there's an event by that name.
+global rm_log = open_log_file("remote");
+
+global src_names = {
+	[REMOTE_SRC_CHILD] = "[child] ",
+	[REMOTE_SRC_PARENT] = "[parent]",
+	[REMOTE_SRC_SCRIPT] = "[script]",
+};
+
+function do_script_log_common(level: count, src: count, msg: string)
+	{
+	print rm_log,
+		fmt("%.6f %s %s %s", current_time(),
+			(level == REMOTE_LOG_INFO ? "[info] " : "[error]"),
+			src_names[src], msg);
+	}
+
+event remote_log(level: count, src: count, msg: string)
+	{
+	do_script_log_common(level, src, msg);
+	}
+
+function do_script_log(p: event_peer, msg: string)
+	{
+	do_script_log_common(REMOTE_LOG_INFO, REMOTE_SRC_SCRIPT,
+				  fmt("[#%d/%s:%d] %s", p$id, p$host, p$p, msg));
+	}
+
+function connect_peer(peer: string)
+	{
+	local dst = destinations[peer];
+	local p = dst$ssl ? default_port_ssl : default_port_clear;
+
+	if ( dst?$p )
+		p = dst$p;
+
+	local class = dst?$class ? dst$class : "";
+	local id = connect(dst$host, p, class ,dst$retry, dst$ssl);
+
+	if ( id == PEER_ID_NONE )
+		print rm_log,
+		fmt("%.6f %s/%d can't trigger connect",
+			current_time(), dst$host, p);
+
+	pending_peers[id] = dst;
+	}
+
+event bro_init() &priority = -10	# let others modify destinations
+	{
+	set_buf(rm_log, F);
+
+	for ( tag in destinations )
+		{
+		if ( ! destinations[tag]$connect )
+			next;
+
+		connect_peer(tag);
+		}
+	}
+
+function setup_peer(p: event_peer, dst: Destination)
+	{
+	if ( dst?$events )
+		{
+		do_script_log(p, fmt("requesting events matching %s", dst$events));
+		request_remote_events(p, dst$events);
+		}
+
+	if ( dst?$capture_filter )
+		{
+		local filter = dst$capture_filter;
+		if ( filter == "" )
+			filter = default_pcap_filter;
+
+		do_script_log(p, fmt("sending capture_filter: %s", filter));
+		send_capture_filter(p, filter);
+		}
+
+	if ( dst$accept_input )
+		{
+		do_script_log(p, "accepting state");
+		set_accept_state(p, T);
+		}
+
+	set_compression_level(p, dst$compression);
+
+	if ( dst$sync )
+		{
+		do_script_log(p, "requesting synchronized state");
+		request_remote_sync(p, dst$auth);
+		}
+
+	dst$peer = p;
+	dst$connected = T;
+	connected_peers[p$id] = dst;
+	}
+
+event remote_connection_established(p: event_peer)
+	{
+	if ( is_remote_event() )
+		return;
+
+	do_script_log(p, "connection established");
+
+	if ( p$id in pending_peers )
+		{
+		# We issued the connect.
+		local dst = pending_peers[p$id];
+		setup_peer(p, dst);
+		delete pending_peers[p$id];
+		}
+	else
+		{ # The other side connected to us.
+		local found = F;
+		for ( i in destinations )
+			{
+			dst = destinations[i];
+			if ( dst$host == p$host )
+				{
+				local c = 0;
+
+				# See if classes match = either both have
+				# the same class, or neither of them has
+				# a class.
+				if ( p?$class && p$class != "" )
+					++c;
+
+				if ( dst?$class && dst$class != "" )
+					++c;
+
+				if ( c == 1 ||
+				     (c == 2 && p$class != dst$class) )
+					next;
+
+				found = T;
+				setup_peer(p, dst);
+				break;
+				}
+			}
+
+		if ( ! found )
+			set_compression_level(p, default_compression);
+		}
+
+	complete_handshake(p);
+	}
+
+event remote_connection_closed(p: event_peer)
+	{
+	if ( is_remote_event() )
+		return;
+
+	do_script_log(p, "connection closed");
+
+	if ( p$id in connected_peers )
+		{
+		local dst = connected_peers[p$id];
+		dst$connected = F;
+
+		delete connected_peers[p$id];
+
+		if ( dst$retry != 0secs )
+			# The core will retry.
+			pending_peers[p$id] = dst;
+		}
+	}
+
+event remote_state_inconsistency(operation: string, id: string,
+				expected_old: string, real_old: string)
+	{
+	if ( is_remote_event() )
+		return;
+
+	print rm_log,
+		fmt("%.6f state inconsistency: %s should be %s but is %s before %s",
+			network_time(), id, expected_old, real_old, operation);
+	}
diff --git a/policy/rotate-logs.bro b/policy/rotate-logs.bro
new file mode 100644
index 0000000000..65bfa05474
--- /dev/null
+++ b/policy/rotate-logs.bro
@@ -0,0 +1,159 @@
+# $Id: rotate-logs.bro 4685 2007-07-30 23:50:26Z vern $
+
+module RotateLogs;
+
+export {
+	# Maps file names to postprocessors.
+	global postprocessors: table[string] of string &redef;
+
+	# Default postprocessor.
+	global default_postprocessor = "" &redef;
+
+	# Files which are to be rotated according to log_rotate_interval
+	# and log_max_size, but aren't represented by a file object.
+	global aux_files: set[string] &redef;
+
+	# For aux_files, the time interval in which we check the files' sizes.
+	global aux_check_size_interval = 30 secs &redef;
+
+	# Callback to provide name for rotated file.
+	global build_name: function(info: rotate_info): string &redef;
+
+	# Default naming suffix format.
+	global date_format = "%y-%m-%d_%H.%M.%S" &redef;
+
+	# Whether to rotate files when shutting down.
+	global rotate_on_shutdown = T &redef;
+
+	# If set, postprocessors get this tag as an additional argument.
+	global tag = "" &redef;
+}
+
+# Default rotation is once per hour.
+redef log_rotate_interval = 1 hr;
+
+# There are other variables that are defined in bro.init.  Here are
+# some example of how these might be redefined.
+# redef log_rotate_base_time = "0:00";
+# redef log_max_size = 1e7;
+# redef log_encryption_key = "mybigsecret";
+
+# Given a rotate info record, returns new rotated filename.
+function build_name(info: rotate_info): string
+	{
+	return fmt("%s-%s", info$old_name, strftime(date_format, info$open));
+	}
+
+# Run post-processor on file. If there isn't any postprocessor defined,
+# we move the file to a nicer name.
+function run_pp(info: rotate_info)
+	{
+	local pp = default_postprocessor;
+
+	if ( info$old_name in postprocessors )
+		pp = postprocessors[info$old_name];
+
+	if ( pp != "" )
+		# The date format is hard-coded here to provide a standardized
+		# script interface.
+		system(fmt("%s %s %s %s %s %s",
+				pp, info$new_name, info$old_name,
+				strftime("%y-%m-%d_%H.%M.%S", info$open),
+				strftime("%y-%m-%d_%H.%M.%S", info$close),
+				tag));
+	else
+		system(fmt("/bin/mv %s %s %s",
+				info$new_name, build_name(info), tag));
+	}
+
+# Rotate file.
+function rotate(f: file)
+	{
+	local info = rotate_file(f);
+	if ( info$old_name == "" )
+		# Error.
+		return;
+
+	run_pp(info);
+	}
+
+# Rotate file, but only if we know the name.
+function rotate_by_name(f: string)
+	{
+	local info = rotate_file_by_name(f);
+	if ( info$old_name == "" )
+		# Error.
+		return;
+
+	run_pp(info);
+	}
+
+function make_nice_timestamp(i: interval) : time
+	{
+	# To get nice timestamps, we round the time up to
+	# the next multiple of the rotation interval.
+
+	local nt = time_to_double(network_time());
+	local ri = interval_to_double(i);
+
+	return double_to_time(floor(nt / ri) * ri + ri);
+	}
+
+# Raised when a &rotate_interval expires.
+event rotate_interval(f: file)
+	{
+	if ( bro_is_terminating() && ! rotate_on_shutdown )
+		return;
+
+	rotate(f);
+	}
+
+# Raised when a &rotate_size is reached.
+event rotate_size(f: file)
+	{
+	rotate(f);
+	}
+
+# Raised for aux_files when log_rotate_inverval expires.
+
+global first_aux_rotate_interval = T;
+
+event aux_rotate_interval()
+	{
+	if ( bro_is_terminating() && ! rotate_on_shutdown )
+		return;
+
+	if ( ! first_aux_rotate_interval )
+		for ( f in aux_files )
+			rotate_by_name(f);
+
+	first_aux_rotate_interval = F;
+
+	if ( ! bro_is_terminating() )
+		schedule calc_next_rotate(log_rotate_interval)
+			{ aux_rotate_interval() };
+	}
+
+# Regularly raised to check aux_files' sizes.
+event aux_check_size()
+	{
+	for ( f in aux_files )
+		if ( file_size(f) > log_max_size )
+			rotate_by_name(f);
+
+	if ( ! bro_is_terminating() )
+		schedule aux_check_size_interval { aux_check_size() };
+	}
+
+event bro_init()
+	{
+	if ( length(aux_files) != 0 )
+		{
+		if ( log_rotate_interval != 0 secs )
+			schedule calc_next_rotate(log_rotate_interval)
+				{ aux_rotate_interval() };
+
+		if ( log_max_size != 0 )
+			schedule aux_check_size_interval { aux_check_size() };
+		}
+	}
diff --git a/policy/rsh.bro b/policy/rsh.bro
new file mode 100644
index 0000000000..933d765dc7
--- /dev/null
+++ b/policy/rsh.bro
@@ -0,0 +1,105 @@
+# $Id: rsh.bro 4758 2007-08-10 06:49:23Z vern $
+
+@load conn
+@load login
+
+module RSH;
+
+export {
+	redef enum Notice += {
+	# RSH client username and server username differ.
+		DifferentRSH_Usernames,
+
+		# Attempt to authenticate via RSH failed.
+		FailedRSH_Authentication,
+
+		# RSH session appears to be interactive - multiple lines of
+		# user commands.
+		InteractiveRSH,
+
+		SensitiveRSH_Input,
+		SensitiveRSH_Output,
+	};
+
+	const failure_msgs =
+		  /^Permission denied/
+		| /Login failed/
+	&redef;
+}
+
+redef capture_filters += { ["rsh"] = "tcp port 514" };
+
+global rsh_ports = { 514/tcp } &redef;
+redef dpd_config += { [ANALYZER_RSH] = [$ports = rsh_ports] };
+
+type rsh_session_info: record {
+        client_user: string;
+        server_user: string;
+	initial_cmd: string;
+        output_line: count;     # number of lines seen
+};
+
+global rsh_sessions: table[conn_id] of rsh_session_info;
+
+function new_rsh_session(c: connection, client_user: string,
+			 server_user: string, line: string)
+	{
+	if ( c$id in rsh_sessions )
+		delete rsh_sessions[c$id];
+
+	local s: rsh_session_info;
+	s$client_user = client_user;
+	s$server_user = server_user;
+	s$initial_cmd = line;
+        s$output_line = 0;
+
+	rsh_sessions[c$id] = s;
+	}
+
+event rsh_request(c: connection, client_user: string, server_user: string,
+		  line: string, new_session: bool)
+	{
+	local id = c$id;
+
+	local BS_line = edit(line, Login::BS);
+      	local DEL_line = edit(line, Login::DEL);
+
+	if ( new_session )
+		{
+		new_rsh_session(c, client_user, server_user, line);
+
+		if ( client_user != server_user )
+			NOTICE([$note=DifferentRSH_Usernames, $conn=c,
+				$msg=fmt("differing client/server usernames (%s/%s)",
+					client_user, server_user),
+				$sub=client_user, $user=server_user]);
+		}
+
+	local s = rsh_sessions[c$id];
+	if ( s$output_line > 0 )
+		NOTICE([$note=InteractiveRSH, $conn=c,
+			$msg="interactive RSH session, input following output",
+			$sub=s$client_user, $user=s$server_user]);
+
+	if ( Login::input_trouble in line ||
+	     Login::input_trouble in BS_line ||
+	     Login::input_trouble in DEL_line ||
+	     line == Login::full_input_trouble )
+		NOTICE([$note=SensitiveRSH_Input, $conn=c,
+			$msg=line, $sub=s$client_user, $user=s$server_user]);
+	}
+
+event rsh_reply(c: connection, client_user: string, server_user: string,
+		line: string)
+	{
+	local s = rsh_sessions[c$id];
+
+        if ( line != "" && ++s$output_line == 1 && failure_msgs in line )
+		NOTICE([$note=FailedRSH_Authentication, $conn=c,
+			$msg=line, $sub=s$client_user, $user=s$server_user]);
+
+	if ( Login::output_trouble in line ||
+	     line == Login::full_output_trouble )
+		NOTICE([$note=SensitiveRSH_Output, $conn=c,
+			$msg=line, $sub=s$client_user, $user=s$server_user]);
+	}
diff --git a/policy/save-peer-status.bro b/policy/save-peer-status.bro
new file mode 100644
index 0000000000..26481bc093
--- /dev/null
+++ b/policy/save-peer-status.bro
@@ -0,0 +1,53 @@
+# $Id$
+#
+# Writes a summary of our peer's status into a file.
+
+@load peer-status
+
+event PeerStatus::update(status: PeerStatus::peer_status) &priority = -5
+	{
+	local f = open_log_file("peer_status");
+
+	for ( id in PeerStatus::peers )
+		{
+		local stat = PeerStatus::peers[id];
+		local host: string;
+
+		if ( id != 0 )
+			{
+			if ( id !in Remote::connected_peers )
+				next;
+
+			host = Remote::connected_peers[id]$peer$descr;
+			}
+		else
+			host = get_local_event_peer()$descr;
+
+		print f, fmt("%18s %s%s %D %D %02.0f%% %4dM #%d %dK/%dK/%dK (%.1f%%)",
+			host, stat$res$version, stat$res$debug ? "-DEBUG" : "",
+			stat$res$start_time, stat$current_time, stat$cpu,
+			stat$res$mem / 1024 / 1024,
+			stat$res$num_TCP_conns + stat$res$num_UDP_conns + stat$res$num_ICMP_conns,
+			stat$stats$pkts_dropped / 1024,
+			stat$stats$pkts_recvd / 1024,
+			stat$stats$pkts_link / 1024,
+			100.0 * stat$stats$pkts_dropped / (stat$stats$pkts_dropped + stat$stats$pkts_recvd));
+		}
+
+	print f, "###";
+
+#	for ( id in PeerStatus::peers )
+#		{
+#		stat = PeerStatus::peers[id];
+#
+#		if ( id != 0 )
+#			host = Remote::connected_peers[id]$peer$descr;
+#		else
+#			host = get_local_event_peer()$descr;
+#
+#		print f, fmt("%10s %s", host, stat$default_filter);
+#		print f;
+#		}
+
+	close(f);
+	}
diff --git a/policy/scan.bro b/policy/scan.bro
new file mode 100644
index 0000000000..c1e956125b
--- /dev/null
+++ b/policy/scan.bro
@@ -0,0 +1,706 @@
+# $Id: scan.bro 7073 2010-09-13 00:45:02Z vern $
+
+@load conn
+@load notice
+@load port-name
+@load hot
+@load drop
+@load trw-impl
+
+module Scan;
+
+export {
+	redef enum Notice += {
+		PortScan,	# the source has scanned a number of ports
+		AddressScan,	# the source has scanned a number of addrs
+		BackscatterSeen,
+			# apparent flooding backscatter seen from source
+
+		ScanSummary,	# summary of scanning activity
+		PortScanSummary,	# summary of distinct ports per scanner
+		LowPortScanSummary, # summary of distinct low ports per scanner
+
+		PasswordGuessing, # source tried many user/password combinations
+		SuccessfulPasswordGuessing,	# same, but a login succeeded
+
+		Landmine,	# source touched a landmine destination
+		ShutdownThresh,	# source reached shut_down_thresh
+		LowPortTrolling,	# source touched privileged ports
+	};
+
+	# If true, we suppress scan-checking (we still do account-tried
+	# accounting).  This is provided because scan-checking can consume
+	# a lot of memory.
+	const suppress_scan_checks = F &redef;
+
+	# Whether to consider UDP "connections" for scan detection.
+	# Can lead to false positives due to UDP fanout from some P2P apps.
+	const suppress_UDP_scan_checks = F &redef;
+
+	const activate_priv_port_check = T &redef;
+	const activate_landmine_check = F &redef;
+	const landmine_thresh_trigger = 5 &redef;
+
+	const landmine_address: set[addr] &redef;
+
+	const scan_summary_trigger = 25 &redef;
+	const port_summary_trigger = 20 &redef;
+	const lowport_summary_trigger = 10 &redef;
+
+	# Raise ShutdownThresh after this many failed attempts
+	const shut_down_thresh = 100 &redef;
+
+	# Which services should be analyzed when detecting scanning
+	# (not consulted if analyze_all_services is set).
+	const analyze_services: set[port] &redef;
+	const analyze_all_services = T &redef;
+
+	# Track address scaners only if at least these many hosts contacted.
+	const addr_scan_trigger = 0 &redef;
+
+	# Ignore address scanners for further scan detection after
+	# scanning this many hosts.
+	# 0 disables.
+	const ignore_scanners_threshold = 0 &redef;
+
+	# Report a scan of peers at each of these points.
+	const report_peer_scan: vector of count = {
+		20, 100, 1000, 10000, 50000, 100000, 250000, 500000, 1000000,
+	} &redef;
+
+	const report_outbound_peer_scan: vector of count = {
+		100, 1000, 10000,
+	} &redef;
+
+	# Report a scan of ports at each of these points.
+	const report_port_scan: vector of count = {
+		50, 250, 1000, 5000, 10000, 25000, 65000,
+	} &redef;
+
+	# Once a source has scanned this many different ports (to however many
+	# different remote hosts), start tracking its per-destination access.
+	const possible_port_scan_thresh = 20 &redef;
+
+	# Threshold for scanning privileged ports.
+	const priv_scan_trigger = 5 &redef;
+	const troll_skip_service = {
+		smtp, ftp, ssh, 20/tcp, http,
+	} &redef;
+
+	const report_accounts_tried: vector of count = {
+		20, 100, 1000, 10000, 100000, 1000000,
+	} &redef;
+
+	const report_remote_accounts_tried: vector of count = {
+		100, 500,
+	} &redef;
+
+	# Report a successful password guessing if the source attempted
+	# at least this many.
+	const password_guessing_success_threshhold = 20 &redef;
+
+	const skip_accounts_tried: set[addr] &redef;
+
+	const addl_web = {
+		81/tcp, 443/tcp, 8000/tcp, 8001/tcp, 8080/tcp, }
+	&redef;
+
+	const skip_services = { ident, } &redef;
+	const skip_outbound_services = { Hot::allow_services, ftp, addl_web, }
+		&redef;
+
+	const skip_scan_sources = {
+		255.255.255.255,	# who knows why we see these, but we do
+
+		# AltaVista.  Here just as an example of what sort of things
+		# you might list.
+		test-scooter.av.pa-x.dec.com,
+	} &redef;
+
+	const skip_scan_nets: set[subnet] = {} &redef;
+
+	# List of well known local server/ports to exclude for scanning
+	# purposes.
+	const skip_dest_server_ports: set[addr, port] = {} &redef;
+
+	# Reverse (SYN-ack) scans seen from these ports are considered
+	# to reflect possible SYN-flooding backscatter, and not true
+	# (stealth) scans.
+	const backscatter_ports = {
+		http, 53/tcp, 53/udp, bgp, 6666/tcp, 6667/tcp,
+	} &redef;
+
+	const report_backscatter: vector of count = {
+		20,
+	} &redef;
+
+	global check_scan:
+		function(c: connection, established: bool, reverse: bool): bool;
+
+	# The following tables are defined here so that we can redef
+	# the expire timeouts.
+	# FIXME: should we allow redef of attributes on IDs which
+	# are not exported?
+
+	# How many different hosts connected to with a possible
+	# backscatter signature.
+	global distinct_backscatter_peers: table[addr] of table[addr] of count
+		&read_expire = 15 min;
+
+	# Expire functions that trigger summaries.
+	global scan_summary:
+		function(t: table[addr] of set[addr], orig: addr): interval;
+	global port_summary:
+		function(t: table[addr] of set[port], orig: addr): interval;
+	global lowport_summary:
+		function(t: table[addr] of set[port], orig: addr): interval;
+
+	# Indexed by scanner address, yields # distinct peers scanned.
+	# pre_distinct_peers tracks until addr_scan_trigger hosts first.
+	global pre_distinct_peers: table[addr] of set[addr]
+		&read_expire = 15 mins &redef;
+
+	global distinct_peers: table[addr] of set[addr]
+		&read_expire = 15 mins &expire_func=scan_summary &redef;
+	global distinct_ports: table[addr] of set[port]
+		&read_expire = 15 mins &expire_func=port_summary &redef;
+	global distinct_low_ports: table[addr] of set[port]
+		&read_expire = 15 mins &expire_func=lowport_summary &redef;
+
+	# Indexed by scanner address, yields a table with scanned hosts
+	# (and ports).
+	global scan_triples: table[addr] of table[addr] of set[port];
+
+	global remove_possible_source:
+		function(s: set[addr], idx: addr): interval;
+	global possible_scan_sources: set[addr]
+		&expire_func=remove_possible_source &read_expire = 15 mins;
+
+	# Indexed by source address, yields user name & password tried.
+	global accounts_tried: table[addr] of set[string, string]
+		&read_expire = 1 days;
+
+	global ignored_scanners: set[addr] &create_expire = 1 day &redef;
+
+	# These tables track whether a threshold has been reached.
+	# More precisely, the counter is the next index of threshold vector.
+	global shut_down_thresh_reached: table[addr] of bool &default=F;
+	global rb_idx: table[addr] of count
+			&default=1 &read_expire = 1 days &redef;
+	global rps_idx: table[addr] of count
+			&default=1 &read_expire = 1 days &redef;
+	global rops_idx: table[addr] of count
+			&default=1 &read_expire = 1 days &redef;
+	global rpts_idx: table[addr,addr] of count
+			&default=1 &read_expire = 1 days &redef;
+	global rat_idx: table[addr] of count
+			&default=1 &read_expire = 1 days &redef;
+	global rrat_idx: table[addr] of count
+			&default=1 &read_expire = 1 days &redef;
+}
+
+global thresh_check: function(v: vector of count, idx: table[addr] of count,
+				orig: addr, n: count): bool;
+global thresh_check_2: function(v: vector of count,
+				idx: table[addr,addr] of count, orig: addr,
+				resp: addr, n: count): bool;
+
+function scan_summary(t: table[addr] of set[addr], orig: addr): interval
+	{
+	local num_distinct_peers = orig in t ? |t[orig]| : 0;
+
+	if ( num_distinct_peers >= scan_summary_trigger )
+		NOTICE([$note=ScanSummary, $src=orig, $n=num_distinct_peers,
+			$msg=fmt("%s scanned a total of %d hosts",
+					orig, num_distinct_peers)]);
+
+	return 0 secs;
+	}
+
+function port_summary(t: table[addr] of set[port], orig: addr): interval
+	{
+	local num_distinct_ports = orig in t ? |t[orig]| : 0;
+
+	if ( num_distinct_ports >= port_summary_trigger )
+		NOTICE([$note=PortScanSummary, $src=orig, $n=num_distinct_ports,
+			$msg=fmt("%s scanned a total of %d ports",
+					orig, num_distinct_ports)]);
+
+	return 0 secs;
+	}
+
+function lowport_summary(t: table[addr] of set[port], orig: addr): interval
+	{
+	local num_distinct_lowports = orig in t ? |t[orig]| : 0;
+
+	if ( num_distinct_lowports >= lowport_summary_trigger )
+		NOTICE([$note=LowPortScanSummary, $src=orig,
+			$n=num_distinct_lowports,
+			$msg=fmt("%s scanned a total of %d low ports",
+					orig, num_distinct_lowports)]);
+
+	return 0 secs;
+	}
+
+function clear_addr(a: addr)
+	{
+	delete distinct_peers[a];
+	delete distinct_ports[a];
+	delete distinct_low_ports[a];
+	delete scan_triples[a];
+	delete possible_scan_sources[a];
+	delete distinct_backscatter_peers[a];
+	delete pre_distinct_peers[a];
+	delete rb_idx[a];
+	delete rps_idx[a];
+	delete rops_idx[a];
+	delete rat_idx[a];
+	delete rrat_idx[a];
+	delete shut_down_thresh_reached[a];
+	delete ignored_scanners[a];
+	}
+
+function ignore_addr(a: addr)
+	{
+	clear_addr(a);
+	add ignored_scanners[a];
+	}
+
+function check_scan(c: connection, established: bool, reverse: bool): bool
+	{
+	if ( suppress_scan_checks )
+		return F;
+
+	local id = c$id;
+
+	local service = "ftp-data" in c$service ? 20/tcp
+			: (reverse ? id$orig_p : id$resp_p);
+	local rev_service = reverse ? id$resp_p : id$orig_p;
+	local orig = reverse ? id$resp_h : id$orig_h;
+	local resp = reverse ? id$orig_h : id$resp_h;
+	local outbound = is_local_addr(orig);
+
+	# The following works better than using get_conn_transport_proto()
+	# because c might not correspond to an active connection (which
+	# causes the function to fail).
+	if ( suppress_UDP_scan_checks &&
+	     service >= 0/udp && service <= 65535/udp )
+		return F;
+
+	if ( service in skip_services && ! outbound )
+		return F;
+
+	if ( outbound && service in skip_outbound_services )
+		return F;
+
+	if ( orig in skip_scan_sources )
+		return F;
+
+	if ( orig in skip_scan_nets )
+		return F;
+
+	# Don't include well known server/ports for scanning purposes.
+	if ( ! outbound && [resp, service] in skip_dest_server_ports )
+		return F;
+
+	if ( orig in ignored_scanners)
+		return F;
+
+	if ( (! established || service !in Hot::allow_services) &&
+		# not established, service not expressly allowed
+
+		# not known peer set
+	     (orig !in distinct_peers || resp !in distinct_peers[orig]) &&
+
+		# want to consider service for scan detection
+	     (analyze_all_services || service in analyze_services) )
+		{
+		if ( reverse && rev_service in backscatter_ports &&
+		     # reverse, non-priv backscatter port
+		     service >= 1024/tcp )
+			{
+			if ( orig !in distinct_backscatter_peers )
+				{
+				local empty_bs_table:
+					table[addr] of count &default=0;
+				distinct_backscatter_peers[orig] =
+					empty_bs_table;
+				}
+
+			if ( ++distinct_backscatter_peers[orig][resp] <= 2 &&
+			     # The test is <= 2 because we get two check_scan()
+			     # calls, once on connection attempt and once on
+			     # tear-down.
+
+			     distinct_backscatter_peers[orig][resp] == 1 &&
+
+			     # Looks like backscatter, and it's not scanning
+			     # a privileged port.
+
+			     thresh_check(report_backscatter, rb_idx, orig,
+					|distinct_backscatter_peers[orig]|)
+			   )
+				{
+				local rev_svc = rev_service in port_names ?
+					port_names[rev_service] :
+					fmt("%s", rev_service);
+
+				NOTICE([$note=BackscatterSeen, $src=orig,
+					$p=rev_service,
+					$msg=fmt("backscatter seen from %s (%d hosts; %s)",
+						orig, |distinct_backscatter_peers[orig]|, rev_svc)]);
+				}
+
+			if ( ignore_scanners_threshold > 0 &&
+			     |distinct_backscatter_peers[orig]| >
+					ignore_scanners_threshold )
+				ignore_addr(orig);
+			}
+
+		else
+			{ # done with backscatter check
+			local ignore = F;
+
+			local svc = service in port_names ?
+				port_names[service] : fmt("%s", service);
+
+			if ( orig !in distinct_peers && addr_scan_trigger > 0 )
+				{
+				if ( orig !in pre_distinct_peers )
+					pre_distinct_peers[orig] = set();
+
+				add pre_distinct_peers[orig][resp];
+				if ( |pre_distinct_peers[orig]| < addr_scan_trigger )
+					ignore = T;
+				}
+
+			if ( ! ignore )
+				{ # XXXXX
+
+				if ( orig !in distinct_peers )
+					distinct_peers[orig] = set() &mergeable;
+
+				if ( resp !in distinct_peers[orig] )
+					add distinct_peers[orig][resp];
+
+				local n = |distinct_peers[orig]|;
+
+				if ( activate_landmine_check &&
+				     n >= landmine_thresh_trigger &&
+				     mask_addr(resp, 24) in landmine_address )
+					{
+					local msg2 = fmt("landmine address trigger %s%s ", orig, svc);
+					NOTICE([$note=Landmine, $src=orig,
+						$p=service, $msg=msg2]);
+					}
+
+				# Check for threshold if not outbound.
+				if ( ! shut_down_thresh_reached[orig] &&
+				     n >= shut_down_thresh &&
+				     ! outbound && orig !in neighbor_nets )
+					{
+					shut_down_thresh_reached[orig] = T;
+					local msg = fmt("shutdown threshold reached for %s", orig);
+					NOTICE([$note=ShutdownThresh, $src=orig,
+						$p=service, $msg=msg]);
+					}
+
+				else
+					{
+					local address_scan = F;
+					if ( outbound &&
+					     # inside host scanning out?
+					     thresh_check(report_outbound_peer_scan, rops_idx, orig, n) )
+						address_scan = T;
+
+					if ( ! outbound &&
+					     thresh_check(report_peer_scan, rps_idx, orig, n) )
+						address_scan = T;
+
+					if ( address_scan )
+						NOTICE([$note=AddressScan,
+							$src=orig, $p=service,
+							$n=n,
+							$msg=fmt("%s has scanned %d hosts (%s)",
+								orig, n, svc)]);
+
+					if ( address_scan &&
+					     ignore_scanners_threshold > 0 &&
+					     n > ignore_scanners_threshold )
+						ignore_addr(orig);
+					}
+				}
+			} # XXXX
+		}
+
+	if ( established )
+		# Don't consider established connections for port scanning,
+		# it's too easy to be mislead by FTP-like applications that
+		# legitimately gobble their way through the port space.
+		return F;
+
+	# Coarse search for port-scanning candidates: those that have made
+	# connections (attempts) to possible_port_scan_thresh or more
+	# distinct ports.
+	if ( orig !in distinct_ports || service !in distinct_ports[orig] )
+		{
+		if ( orig !in distinct_ports )
+			distinct_ports[orig] = set() &mergeable;
+
+		if ( service !in distinct_ports[orig] )
+			add distinct_ports[orig][service];
+
+		if ( |distinct_ports[orig]| >= possible_port_scan_thresh &&
+			orig !in scan_triples )
+			{
+			scan_triples[orig] = table() &mergeable;
+			add possible_scan_sources[orig];
+			}
+		}
+
+	# Check for low ports.
+	if ( activate_priv_port_check && ! outbound && service < 1024/tcp &&
+	     service !in troll_skip_service )
+		{
+		if ( orig !in distinct_low_ports ||
+		     service !in distinct_low_ports[orig] )
+			{
+			if ( orig !in distinct_low_ports )
+				distinct_low_ports[orig] = set() &mergeable;
+
+			add distinct_low_ports[orig][service];
+
+			if ( |distinct_low_ports[orig]| == priv_scan_trigger &&
+			     orig !in neighbor_nets )
+				{
+				local s = service in port_names ? port_names[service] :
+						fmt("%s", service);
+				local svrc_msg = fmt("low port trolling %s %s", orig, s);
+				NOTICE([$note=LowPortTrolling, $src=orig,
+					$p=service, $msg=svrc_msg]);
+				}
+
+			if ( ignore_scanners_threshold > 0 &&
+			     |distinct_low_ports[orig]| >
+					ignore_scanners_threshold )
+				ignore_addr(orig);
+			}
+		}
+
+	# For sources that have been identified as possible scan sources,
+	# keep track of per-host scanning.
+	if ( orig in possible_scan_sources )
+		{
+		if ( orig !in scan_triples )
+			scan_triples[orig] = table() &mergeable;
+
+		if ( resp !in scan_triples[orig] )
+			scan_triples[orig][resp] = set() &mergeable;
+
+		if ( service !in scan_triples[orig][resp] )
+			{
+			add scan_triples[orig][resp][service];
+
+			if ( thresh_check_2(report_port_scan, rpts_idx,
+					    orig, resp,
+					    |scan_triples[orig][resp]|) )
+				{
+				local m = |scan_triples[orig][resp]|;
+				NOTICE([$note=PortScan, $n=m, $src=orig,
+					$p=service,
+					$msg=fmt("%s has scanned %d ports of %s",
+					orig, m, resp)]);
+				}
+			}
+		}
+
+	return T;
+	}
+
+
+event account_tried(c: connection, user: string, passwd: string)
+	{
+	local src = c$id$orig_h;
+
+	if ( src !in accounts_tried )
+		accounts_tried[src] = set();
+
+	if ( [user, passwd] in accounts_tried[src] )
+		return;
+
+	local threshold_check = F;
+
+	if ( is_local_addr(src) )
+		{
+		if ( thresh_check(report_remote_accounts_tried, rrat_idx, src,
+					|accounts_tried[src]|) )
+			threshold_check = T;
+		}
+	else
+		{
+		if ( thresh_check(report_accounts_tried, rat_idx, src,
+					|accounts_tried[src]|) )
+			 threshold_check = T;
+		}
+
+	if ( threshold_check && src !in skip_accounts_tried )
+		{
+		local m = |accounts_tried[src]|;
+		NOTICE([$note=PasswordGuessing, $src=src, $n=m,
+			$user=user, $sub=passwd, $p=c$id$resp_p,
+			$msg=fmt("%s has tried %d username/password combinations (latest: %s@%s)",
+				src, m,	user, c$id$resp_h)]);
+		}
+
+	add accounts_tried[src][user, passwd];
+	}
+
+# Check for a successful login attempt from a scan.
+event login_successful(c: connection, user: string)
+	{
+	local id = c$id;
+	local src = id$orig_h;
+
+	if ( src in accounts_tried &&
+	     |accounts_tried[src]| >= password_guessing_success_threshhold )
+		NOTICE([$note=SuccessfulPasswordGuessing, $src=src, $conn=c,
+			$msg=fmt("%s successfully logged in user '%s' after trying %d username/password combinations",
+				src, user, |accounts_tried[src]|)]);
+	}
+
+
+# Hook into the catch&release dropping. When an address gets restored, we reset
+# the source to allow dropping it again.
+event Drop::address_restored(a: addr)
+	{
+	Drop::debug_log(fmt("received restored for %s (scan.bro)", a));
+	clear_addr(a);
+	}
+
+event Drop::address_cleared(a: addr)
+	{
+	Drop::debug_log(fmt("received cleared for %s (scan.bro)", a));
+	clear_addr(a);
+	}
+
+# When removing a possible scan source, we automatically delete its scanned
+# hosts and ports.  But we do not want the deletion propagated, because every
+# peer calls the expire_function on its own (and thus applies the delete
+# operation on its own table).
+function remove_possible_source(s: set[addr], idx: addr): interval
+	{
+	suspend_state_updates();
+	delete scan_triples[idx];
+	resume_state_updates();
+
+	return 0 secs;
+	}
+
+# To recognize whether a certain threshhold vector (e.g. report_peer_scans)
+# has been transgressed, a global variable containing the next vector index
+# (idx) must be incremented.  This cumbersome mechanism is necessary because
+# values naturally don't increment by one (e.g. replayed table merges).
+function thresh_check(v: vector of count, idx: table[addr] of count,
+			orig: addr, n: count): bool
+	{
+	if ( ignore_scanners_threshold > 0 && n > ignore_scanners_threshold )
+		{
+		ignore_addr(orig);
+		return F;
+		}
+
+	if ( idx[orig] <= |v| && n >= v[idx[orig]] )
+		{
+		++idx[orig];
+		return T;
+		}
+	else
+		return F;
+	}
+
+# Same as above, except the index has a different type signature.
+function thresh_check_2(v: vector of count, idx: table[addr, addr] of count,
+			orig: addr, resp: addr, n: count): bool
+	{
+	if ( ignore_scanners_threshold > 0 && n > ignore_scanners_threshold )
+		{
+		ignore_addr(orig);
+		return F;
+		}
+
+	if ( idx[orig,resp] <= |v| && n >= v[idx[orig, resp]] )
+		{
+		++idx[orig,resp];
+		return T;
+		}
+	else
+		return F;
+	}
+
+event connection_established(c: connection)
+	{
+	local is_reverse_scan = (c$orig$state == TCP_INACTIVE);
+	Scan::check_scan(c, T, is_reverse_scan);
+
+	local trans = get_port_transport_proto(c$id$orig_p);
+	if ( trans == tcp && ! is_reverse_scan && TRW::use_TRW_algorithm )
+		TRW::check_TRW_scan(c, conn_state(c, trans), F);
+	}
+
+event partial_connection(c: connection)
+	{
+	Scan::check_scan(c, T, F);
+	}
+
+event connection_attempt(c: connection)
+	{
+	Scan::check_scan(c, F, c$orig$state == TCP_INACTIVE);
+
+	local trans = get_port_transport_proto(c$id$orig_p);
+	if ( trans == tcp && TRW::use_TRW_algorithm )
+		TRW::check_TRW_scan(c, conn_state(c, trans), F);
+	}
+
+event connection_half_finished(c: connection)
+	{
+	# Half connections never were "established", so do scan-checking here.
+	Scan::check_scan(c, F, F);
+	}
+
+event connection_rejected(c: connection)
+	{
+	local is_reverse_scan = c$orig$state == TCP_RESET;
+
+	Scan::check_scan(c, F, is_reverse_scan);
+
+	local trans = get_port_transport_proto(c$id$orig_p);
+	if ( trans == tcp && TRW::use_TRW_algorithm )
+		TRW::check_TRW_scan(c, conn_state(c, trans), is_reverse_scan);
+	}
+
+event connection_reset(c: connection)
+	{
+	if ( c$orig$state == TCP_INACTIVE || c$resp$state == TCP_INACTIVE )
+		# We never heard from one side - that looks like a scan.
+		Scan::check_scan(c, c$orig$size + c$resp$size > 0,
+				c$orig$state == TCP_INACTIVE);
+	}
+
+event connection_pending(c: connection)
+	{
+	if ( c$orig$state == TCP_PARTIAL && c$resp$state == TCP_INACTIVE )
+		Scan::check_scan(c, F, F);
+	}
+
+# Report the remaining entries in the tables.
+event bro_done()
+	{
+	for ( orig in distinct_peers )
+		scan_summary(distinct_peers, orig);
+
+	for ( orig in distinct_ports )
+		port_summary(distinct_ports, orig);
+
+	for ( orig in distinct_low_ports )
+		lowport_summary(distinct_low_ports, orig);
+	}
diff --git a/policy/secondary-filter.bro b/policy/secondary-filter.bro
new file mode 100644
index 0000000000..025e450225
--- /dev/null
+++ b/policy/secondary-filter.bro
@@ -0,0 +1,44 @@
+# $Id: secondary-filter.bro 6022 2008-07-25 19:15:00Z vern $
+
+# Examples of using the secondary-filter matching path.
+
+event rst_syn_fin_flag(filter: string, pkt: pkt_hdr)
+	{
+	print "rst_syn_fin_flag()";
+	print fmt("    %s:%s -> %s:%s", pkt$ip$src, pkt$tcp$sport,
+			pkt$ip$dst, pkt$tcp$dport);
+	}
+
+event a_udp_event(filter: string, pkt: pkt_hdr)
+	{
+	print "a_udp_event()";
+	print fmt("    %s:%s -> %s:%s", pkt$ip$src, pkt$udp$sport,
+			pkt$ip$dst, pkt$udp$dport);
+	}
+
+event a_tcp_event(filter: string, pkt: pkt_hdr)
+	{
+	print "a_tcp_event()";
+	print fmt("    %s:%s -> %s:%s", pkt$ip$src, pkt$tcp$sport,
+			pkt$ip$dst, pkt$tcp$dport);
+	}
+
+event sampled_1_in_1024_packet(filter: string, pkt: pkt_hdr)
+	{
+	print "sampled packet:";
+	print "ip", pkt$ip;
+
+	if ( pkt?$tcp )
+		print "tcp", pkt$tcp;
+	if ( pkt?$udp )
+		print "udp", pkt$udp;
+	if ( pkt?$icmp )
+		print "icmp", pkt$icmp;
+	}
+
+redef secondary_filters += {
+	["tcp[13] & 7 != 0"] = rst_syn_fin_flag,
+	["udp"] = a_udp_event,
+	["tcp"] = a_tcp_event,
+	["ip[10:2] & 0xffc == 0x398"] = sampled_1_in_1024_packet,
+};
diff --git a/policy/sensor-sshd.bro b/policy/sensor-sshd.bro
new file mode 100644
index 0000000000..060f0cef68
--- /dev/null
+++ b/policy/sensor-sshd.bro
@@ -0,0 +1,276 @@
+# $Id: sensor-sshd.bro 4758 2007-08-10 06:49:23Z vern $
+#
+# sshd sensor input, i.e., events received from instrumented SSH servers
+# that communicate with Bro via the Broccoli library.
+
+# We leverage the login analyzer:
+@load login
+@load remote
+
+# To prevent requesting sshd events from any peering Bro that connects,
+# here is a list of our sshds. List the IP addresses of the hosts your
+# sshds are running on here:
+#
+redef Remote::destinations += {
+	["sshd1"] = [$host = 127.0.0.1, $events = /sensor_sshd.*/, $connect=F, $ssl=F]
+};
+
+# A big log file for all kinds of notes:
+#
+global sshd_log: file = open_log_file("sshd");
+
+# A record gathering everything we need to know per connection
+# from an ssh client to the sshd:
+#
+type sshd_conn: record {
+
+	# Connection record we create for connections to sshd
+	conn: connection;
+
+	# A table indexed by channel numbers, yielding files.
+	# For each channel that contains a shell session this
+	# table contains a file to which the session content is
+	# logged.
+	sessions: table[count] of file;
+};
+
+# To avoid reporting IP/port quadruples repeatedly, connections in
+# sshd are identified through a globally unique identifier for the
+# sshd server (a string) plus an numerical identifier for each
+# connection to that sshd.
+#
+global sshd_conns: table[string, count] of sshd_conn;
+
+
+function sshd_conn_new(src_ip: addr, src_p: port,
+		       dst_ip: addr, dst_p: port,
+		       ts: time): sshd_conn
+	{
+	local id: conn_id;
+	id$orig_h = src_ip;
+	id$orig_p = src_p;
+	id$resp_h = dst_ip;
+	id$resp_p = dst_p;
+
+	local orig: endpoint;
+	local resp: endpoint;
+	orig$size = resp$size = 0;
+	orig$state = resp$state = 0;
+
+	local c: connection;
+	c$id = id;
+	c$orig = orig;
+	c$resp = resp;
+	c$start_time = ts;
+	c$duration = 0 sec;
+
+	# We mark this connection so the login analyzer can
+	# understand that it is a login session.
+	add c$service["ssh-login"];
+
+	c$addl = "";
+	c$hot = 0;
+
+	local sc: sshd_conn;
+	sc$conn	= c;
+
+	return sc;
+	}
+
+
+event sensor_sshd_listen(ts: time, sid: string,
+			 server_ip: addr, server_p: port)
+	{
+	print sshd_log, fmt("[%D][%s:%s] sshd listening at %s:%d",
+			    ts, get_event_peer()$host, sid, server_ip, server_p);
+	}
+
+
+event sensor_sshd_restart(ts: time, sid: string)
+	{
+	print sshd_log, fmt("[%D][%s:%s] sshd %s restarted",
+			    ts, get_event_peer()$host, sid, sid);
+	}
+
+
+event sensor_sshd_exit(ts: time, sid: string)
+	{
+	print sshd_log, fmt("[%D][%s:%s] sshd %s exiting",
+			    ts, get_event_peer()$host, sid, sid);
+	}
+
+
+event sensor_sshd_conn_new(ts: time, sid: string, cid: count,
+			   src_ip: addr, src_p: port,
+			   dst_ip: addr, dst_p: port)
+	{
+	local sc = sshd_conn_new(src_ip, src_p, dst_ip, dst_p, ts);
+	sshd_conns[sid, cid] = sc;
+	print sshd_log, fmt("[%D][%s:%s:%d] conn attempt from %s:%d to %s:%d",
+			    ts, get_event_peer()$host, sid, cid, src_ip, sc$conn$id$orig_p,
+			    dst_ip, sc$conn$id$resp_p);
+
+	Login::new_login_session(sc$conn, get_event_peer()$id, 0);
+	}
+
+
+event sensor_sshd_conn_end(ts: time, sid: string, cid: count)
+	{
+	local pid = get_event_peer()$id;
+	local sc = sshd_conns[sid, cid];
+
+	print sshd_log, fmt("[%D][%s:%s:%d] conn terminated",
+		            ts, get_event_peer()$host, sid, cid);
+
+	Login::remove_login_session(sc$conn, pid);
+	delete sshd_conns[sid, cid];
+	}
+
+
+event sensor_sshd_auth_ok(ts: time, sid: string, cid: count,
+			  user: string, uid: int, gid: int)
+	{
+	local pid = get_event_peer()$id;
+	local sc = sshd_conns[sid, cid];
+	print sshd_log, fmt("[%D][%s:%s:%d] auth ok: %s (%d/%d)",
+			    ts, get_event_peer()$host, sid, cid, user, uid, gid);
+
+	Login::ext_set_login_state(sc$conn$id, pid, LOGIN_STATE_LOGGED_IN);
+	event authentication_accepted(user, sc$conn);
+	}
+
+
+event sensor_sshd_auth_failed(ts: time, sid: string, cid: count, user: string)
+	{
+	local sc = sshd_conns[sid, cid];
+	print sshd_log, fmt("[%D][%s:%s:%d] auth reject: user %s from %s:%d",
+			    ts, get_event_peer()$host, sid, cid, user,
+			    sc$conn$id$orig_h, sc$conn$id$orig_p);
+
+	event authentication_rejected(user, sc$conn);
+	}
+
+
+event sensor_sshd_auth_timeout(ts: time, sid: string, cid: count)
+	{
+	local sc = sshd_conns[sid, cid];
+	print sshd_log, fmt("[%D][%s:%s:%d] auth timeout", ts,
+			    sid, get_event_peer()$host, cid);
+	}
+
+
+event sensor_sshd_auth_password_attempt(ts: time, sid: string, cid: count,
+				        user: string, password: string,
+					valid: bool)
+	{
+	local sc = sshd_conns[sid, cid];
+
+	if ( ! valid )
+		{
+		print sshd_log, fmt("[%D][%s:%s:%d] password bad: user %s, password '%s'",
+				    ts, get_event_peer()$host, sid, cid, user, password);
+		event login_failure(sc$conn, user, "", password, "");
+		}
+	else
+		{
+		print sshd_log, fmt("[%D][%s:%s:%d] password ok: user %s, password '%s'",
+				    ts, get_event_peer()$host, sid, cid, user, password);
+		event login_success(sc$conn, user, "", password, "");
+		}
+	}
+
+
+event sensor_sshd_channel_new_session(ts: time, sid: string, cid: count,
+					chan_id: count, stype: string)
+	{
+	local sc = sshd_conns[sid, cid];
+
+	print sshd_log, fmt("[%D][%s:%s:%d:%d] new session: type %s",
+			    ts, get_event_peer()$host, sid, cid, chan_id, stype);
+
+	if ( stype == "shell" )
+		{
+		local filename =
+			fmt("sshd-%s-%s-%d-%d.log",
+				get_event_peer()$host, sid, cid, chan_id);
+		sc$sessions[chan_id] = open(filename);
+		}
+	}
+
+
+event sensor_sshd_channel_new_forward(ts: time, sid: string,
+				      cid: count, chan_id: count,
+				      src_ip: addr, src_p: port,
+				      dst_ip: addr, dst_p: port,
+				      s2h: bool)
+	{
+	if ( s2h )
+		print sshd_log, fmt("[%D][%s:%s:%d:%d] new port channel: %s:%d -> c -> s -> %s:%d",
+				    ts, get_event_peer()$host, sid, cid,
+				    chan_id, src_ip, src_p, dst_ip, dst_p);
+	else
+		print sshd_log, fmt("[%D][%s:%s:%d:%d] new port channel: %s:%d <- c <- s <- %s:%d",
+				    ts, get_event_peer()$host, sid, cid,
+				    chan_id, dst_ip, dst_p, src_ip, src_p);
+	}
+
+
+event sensor_sshd_data_rx(ts: time, sid: string, cid: count, chan_id: count,
+			line: string)
+	{
+	local sc = sshd_conns[sid, cid];
+
+	if ( chan_id in sc$sessions )
+		{
+		print sc$sessions[chan_id],
+			fmt("[%D][%s:%s:%d:%d] rx: %s", ts,
+				get_event_peer()$host, sid, cid, chan_id, line);
+		event login_output_line(sc$conn, line);
+		}
+	}
+
+
+event sensor_sshd_data_tx(ts: time, sid: string, cid: count,
+				chan_id: count, line: string)
+	{
+	local sc: sshd_conn = sshd_conns[sid, cid];
+
+	if ( chan_id in sc$sessions )
+		{
+		print sc$sessions[chan_id],
+			fmt("[%D][%s:%s:%d:%d] tx: %s", ts,
+				get_event_peer()$host, sid, cid, chan_id, line);
+		event login_input_line(sc$conn, line);
+		}
+	}
+
+
+event sensor_sshd_exec(ts: time, sid: string, cid: count,
+			chan_id: count, command: string)
+	{
+	print sshd_log,
+		fmt("[%D][%s:%s:%d:%d] exec: '%s'", ts, get_event_peer()$host,
+			sid, cid, chan_id, command);
+	}
+
+
+event sensor_sshd_channel_exit(ts: time, sid: string, cid: count,
+				chan_id: count, status: int)
+	{
+	print sshd_log,
+		fmt("[%D][%s:%s:%d:%d] channel exit, code %d", ts,
+			get_event_peer()$host, sid, cid, chan_id, status);
+	}
+
+
+event sensor_sshd_channel_cleanup(ts: time, sid: string, cid: count,
+					chan_id: count)
+	{
+	local sc: sshd_conn = sshd_conns[sid, cid];
+
+	print sshd_log, fmt("[%D][%s:%s:%d:%d] channel cleanup",
+			    ts, get_event_peer()$host, sid, cid, chan_id);
+
+	if ( chan_id in sc$sessions )
+		delete sc$sessions[chan_id];
+	}
diff --git a/policy/server-ports.bro b/policy/server-ports.bro
new file mode 100644
index 0000000000..5645b6c716
--- /dev/null
+++ b/policy/server-ports.bro
@@ -0,0 +1,70 @@
+# $Id: server-ports.bro,v 1.1.2.1 2006/05/31 23:19:07 sommer Exp $
+#
+# Automatically-loaded script which sets defaults for likely server ports.
+
+redef likely_server_ports += {
+
+	### TCP
+
+	21/tcp,
+	22/tcp,
+	23/tcp,
+	25/tcp,
+	587/tcp,
+	513/tcp,
+	79/tcp,
+	113/tcp,
+	80/tcp,
+	8080/tcp,
+	8000/tcp,
+	8888/tcp,
+	3128/tcp,
+	53/tcp,
+	111/tcp,
+	139/tcp,
+	6346/tcp,
+	8436/tcp,
+	135/tcp,
+	445/tcp,
+	110/tcp,
+	6666/tcp,
+	6667/tcp,
+
+	# SSL-relatd ports/tcp,
+	443/tcp,
+	563/tcp,
+	585/tcp,
+	614/tcp,
+	636/tcp,
+	989/tcp,
+	990/tcp,
+	992/tcp,
+	993/tcp,
+	994/tcp,
+	995/tcp,
+	8443/tcp,
+
+	# Not analyzed (yet), but give a hint which side the server is.
+	143/tcp,	# IMAP
+	497/tcp,	# Dantz
+	515/tcp,	# LPD
+	524/tcp,	# Netware core protocol
+	631/tcp,	# IPP
+	1521/tcp,	# Oracle SQL
+	2049/tcp,	# NFS
+	5730/tcp,	# Calendar
+	6000/tcp,	# X11
+	6001/tcp, 	# X11
+	16384/tcp,	# Connected Backup
+
+	### UDP
+
+	53/udp,
+	111/udp,
+	123/udp,
+	137/udp,
+	138/udp,
+	161/udp,
+	427/udp,	# srvloc
+	2049/udp,	# NFS
+};
diff --git a/policy/service-probe.bro b/policy/service-probe.bro
new file mode 100644
index 0000000000..2cb02a3463
--- /dev/null
+++ b/policy/service-probe.bro
@@ -0,0 +1,97 @@
+# $Id: service-probe.bro 5892 2008-07-01 02:37:03Z vern $
+#
+# Detects hosts that continually bang away at a particular service
+# of a local host, for example for brute-forcing passwords.
+#
+# Written by Jim Mellander, LBNL.
+# Updated by Robin Sommer, ICSI.
+
+@load conn
+
+module ServiceProbe;
+
+export {
+	redef enum Notice += { ServiceProbe };
+
+	# No work gets done unless this is set.
+	global detect_probes = F &redef;
+
+	# By default, look for service probes targeting MySQL and SSH.
+	global probe_ports = { 1433/tcp, 22/tcp, } &redef;
+
+	# They have to connect to this many to be flagged.
+	global connect_threshold: table[port] of count &default=100 &redef;
+
+	# How many bytes the connection must have to be considered potentially
+	# a probe.  If missing, then there's no lower/upper bound.
+	#
+	# Note, the attack that motivated including these was SSH password
+	# guessing, where it was empirically determined that connections
+	# with > 1KB and < 2KB bytes transferred appear to be unsuccessful
+	# password guesses.
+	#
+	global min_bytes: table[port] of int &default=-1 &redef;
+	global max_bytes: table[port] of int &default=-1 &redef;
+
+	# How many tries a given originator host has made against a given
+	# port on a given responder host.
+	global tries: table[addr, addr, port] of count
+					&default=0 &read_expire = 10 min;
+}
+
+global reported_hosts: set[addr] &read_expire = 1 day;
+
+function service_probe_check(c: connection)
+	{
+	if ( ! detect_probes )
+		return;
+
+	local id = c$id;
+	local orig = id$orig_h;
+	local resp = id$resp_h;
+	local service = (port_names[20/tcp] in c$service) ? 20/tcp : id$resp_p;
+
+	if ( orig in reported_hosts )
+		# We've already blocked them.
+		return;
+
+	if ( is_local_addr(orig) )
+		# We only analyze probes of local servers.
+		return;
+
+	if ( service !in probe_ports )
+		# Not a port we care about.
+		return;
+
+	local enough_bytes = T;
+	local bytes_xferred = c$orig$size + c$resp$size;
+
+	if ( service in min_bytes && bytes_xferred < min_bytes[service] )
+		enough_bytes = F;
+
+	if ( service in max_bytes && bytes_xferred > max_bytes[service] )
+		enough_bytes = F;
+
+	if ( ! enough_bytes )
+		return;
+
+	local cnt = ++tries[orig, resp, service];
+	if ( cnt == connect_threshold[service] )
+		{
+		local svc = service_name(c);
+
+		NOTICE([$note=ServiceProbe, $src=orig,
+			$msg=fmt("service probing %s -> %s %s",
+			orig, resp, svc)]);
+
+		# Since we've dropped this host, we can now release the space.
+		delete tries[orig, resp, service];
+		add reported_hosts[orig];
+		}
+	}
+
+
+event connection_state_remove(c: connection)
+	{
+	service_probe_check(c);
+	}
diff --git a/policy/signatures.bro b/policy/signatures.bro
new file mode 100644
index 0000000000..5dfe4d6d50
--- /dev/null
+++ b/policy/signatures.bro
@@ -0,0 +1,307 @@
+# $Id: signatures.bro 4909 2007-09-24 02:26:36Z vern $
+
+@load notice
+
+redef enum Notice += {
+	SensitiveSignature,	# generic for alarm-worthy
+	MultipleSignatures,	# host has triggered many signatures
+	MultipleSigResponders,	# host has triggered same signature on
+				# multiple responders
+	CountSignature,		# sig. has triggered mutliple times for a dest
+	SignatureSummary,	# summarize # times a host triggered a signature
+};
+
+type SigAction: enum {
+	SIG_IGNORE,	# ignore this sig. completely (even for scan detection)
+	SIG_QUIET,	# process, but don't report individually
+	SIG_FILE,	# write to signatures and notice files
+	SIG_FILE_BUT_NO_SCAN,	# as SIG_FILE, but ignore for scan processing
+	SIG_ALARM,	# alarm and write to signatures, notice, and alarm files
+	SIG_ALARM_PER_ORIG, 	# alarm once per originator
+	SIG_ALARM_ONCE, 	# alarm once and then never again
+	SIG_ALARM_NO_WORM,	# alarm if not originated by a known worm-source
+	SIG_COUNT_PER_RESP,	# count per dest. and alarm if threshold reached
+	SIG_SUMMARY, 	# don't alarm, but generate per-orig summary
+};
+
+# Actions for a signature.
+const signature_actions: table[string] of SigAction =  {
+	["unspecified"] = SIG_IGNORE,	# place-holder
+} &redef &default = SIG_ALARM;
+
+type sig_info: record {
+	note: Notice;			# notice associated with signature event
+	src_addr: addr &optional;
+	src_port: port &optional;
+	dst_addr: addr &optional;
+	dst_port: port &optional;
+	sig_id: string &optional &default="";
+	event_msg: string;
+	sub_msg: string &optional;	# matched payload data or extra message
+	sig_count: count &optional;	# num. sigs, usually from summary count
+	host_count: count &optional;	# num. hosts, from a summary count
+};
+
+global sig_file = open_log_file("signatures");
+
+global sig_summary_interval = 1 day &redef;
+
+# Given a string, returns an escaped version suitable for being
+# printed in the colon-separated notice format.  This means that
+# (1) any colons are escaped using '\', and (2) any '\'s are
+# likewise escaped.
+function signature_escape(s: string): string
+	{
+	s = subst_string(s, "\\", "\\\\");
+	return subst_string(s, ":", "\\:");
+	}
+
+# function call for writing to the signatures log file
+function signature_file_write(s: sig_info)
+	{
+	local t = fmt("%.06f", network_time());
+	local src_addr = s?$src_addr ? fmt("%s", s$src_addr) : "";
+	local src_port = s?$src_port ? fmt("%s", s$src_port) : "";
+	local dst_addr = s?$dst_addr ? fmt("%s", s$dst_addr) : "";
+	local dst_port = s?$dst_port ? fmt("%s", s$dst_port) : "";
+	local sub_msg = s?$sub_msg ? signature_escape(s$sub_msg) : "";
+	local sig_count = s?$sig_count ? fmt("%s", s$sig_count) : "";
+	local host_count = s?$host_count ? fmt("%s", s$host_count) : "";
+
+	local info =
+		fmt("%s:%s:%s:%s:%s:%s:%s:%s:%s:%s:%s",
+			t, s$note, src_addr, src_port, dst_addr,
+			dst_port, s$sig_id, s$event_msg, sub_msg,
+			sig_count, host_count);
+
+	print sig_file, info;
+	}
+
+
+# Scan detection.
+
+# Alarm if, for a pair [orig, signature], the number of different responders
+# has reached one of the thresholds.
+const horiz_scan_thresholds = { 5, 10, 50, 100, 500, 1000 } &redef;
+
+# Alarm if, for a pair [orig, resp], the number of different signature matches
+# has reached one of the thresholds.
+const vert_scan_thresholds = { 5, 10, 50, 100, 500, 1000 } &redef;
+
+# Alarm if a SIG_COUNT_PER_RESP signature is triggered as often as given
+# by one of these thresholds.
+const count_thresholds = { 5, 10, 50, 100, 500, 1000, 10000, 1000000, } &redef;
+
+type sig_set: set[string];
+type addr_set: set[addr];
+
+# We may need to define some &read_expires on these:
+global horiz_table: table[addr, string] of addr_set &read_expire = 1 hr;
+global vert_table: table[addr, addr] of sig_set &read_expire = 1 hr;
+global last_hthresh: table[addr] of count &default = 0 &read_expire = 1 hr;
+global last_vthresh: table[addr] of count &default = 0 &read_expire = 1 hr;
+global count_per_resp: table[addr, string] of count
+					&default = 0 &read_expire = 1 hr;
+global count_per_orig: table[addr, string] of count
+					&default = 0 &read_expire = 1 hr;
+global did_sig_log: set[string] &read_expire = 1 hr;
+
+event sig_summary(orig: addr, id: string, msg: string)
+	{
+@ifdef ( is_worm_infectee )
+	if ( is_worm_infectee(orig) )
+			return;
+@endif
+
+	NOTICE([$note=SignatureSummary, $src=orig,
+		$filename=id, $msg=fmt("%s: %s", orig, msg),
+		$n=count_per_orig[orig,id] ]);
+	}
+
+event signature_match(state: signature_state, msg: string, data: string)
+	{
+	local id = state$id;
+	local action = signature_actions[id];
+
+	if ( action == SIG_IGNORE )
+		return;
+
+	# We always add it to the connection record.
+	append_addl(state$conn, state$id);
+
+	# Trim the matched data down to something reasonable
+	if ( byte_len(data) > 140 )
+		data = fmt("%s...", sub_bytes(data, 0, 140));
+
+	if ( action != SIG_QUIET && action != SIG_COUNT_PER_RESP )
+		{
+		if ( state$is_orig )
+			{
+			signature_file_write(
+				[$note=SensitiveSignature,
+				 $src_addr=state$conn$id$orig_h,
+				 $src_port=state$conn$id$orig_p,
+				 $dst_addr=state$conn$id$resp_h,
+				 $dst_port=state$conn$id$resp_p,
+				 $sig_id=state$id,
+				 $event_msg=fmt("%s: %s", state$conn$id$orig_h, msg),
+				 $sub_msg=data]);
+			}
+		else
+			{
+			signature_file_write(
+				[$note=SensitiveSignature,
+				 $src_addr=state$conn$id$resp_h,
+				 $src_port=state$conn$id$resp_p,
+				 $dst_addr=state$conn$id$orig_h,
+				 $dst_port=state$conn$id$orig_p,
+				 $sig_id=state$id,
+				 $event_msg=fmt("%s: %s", state$conn$id$resp_h, msg),
+				 $sub_msg=data]);
+			}
+		}
+
+	local notice = F;
+
+	if ( action == SIG_ALARM )
+		notice = T;
+
+@ifdef ( is_worm_infectee )
+	if ( action == SIG_ALARM_NO_WORM &&
+	     ! is_worm_infectee(state$conn$id$orig_h) )
+		notice = T;
+@endif
+
+	if ( action == SIG_COUNT_PER_RESP )
+		{
+		local dst = state$conn$id$resp_h;
+		if ( ++count_per_resp[dst,id] in count_thresholds )
+			{
+			NOTICE([$note=CountSignature, $conn=state$conn,
+				   $msg=msg,
+				   $filename=id,
+				   $n=count_per_resp[dst,id],
+				   $sub=fmt("%d matches of signature %s on host %s",
+						count_per_resp[dst,id],
+						state$id, dst)]);
+			}
+		}
+
+	if ( (action == SIG_ALARM_PER_ORIG || action == SIG_SUMMARY) &&
+	     ++count_per_orig[state$conn$id$orig_h, state$id] == 1 )
+		{
+		if ( action == SIG_ALARM_PER_ORIG )
+			notice = T;
+		else
+			schedule sig_summary_interval
+				{
+				sig_summary(state$conn$id$orig_h, state$id, msg)
+				};
+		}
+
+	if ( action == SIG_ALARM_ONCE )
+		{
+		if ( [state$id] !in did_sig_log )
+			{
+			notice = T;
+			add did_sig_log[state$id];
+			}
+		}
+
+	if ( notice )
+		{
+		local src_addr: addr;
+		local src_port: port;
+		local dst_addr: addr;
+		local dst_port: port;
+
+		if ( state$is_orig )
+			{
+			src_addr = state$conn$id$orig_h;
+			src_port = state$conn$id$orig_p;
+			dst_addr = state$conn$id$resp_h;
+			dst_port = state$conn$id$resp_p;
+			}
+		else
+			{
+			src_addr = state$conn$id$resp_h;
+			src_port = state$conn$id$resp_p;
+			dst_addr = state$conn$id$orig_h;
+			dst_port = state$conn$id$orig_p;
+			}
+
+		NOTICE([$note=SensitiveSignature,
+			$conn=state$conn, $src=src_addr,
+			$dst=dst_addr, $filename=id, $msg=fmt("%s: %s", src_addr, msg),
+			$sub=data]);
+		}
+
+	if ( action == SIG_FILE_BUT_NO_SCAN || action == SIG_SUMMARY )
+		return;
+
+@ifdef ( is_worm_infectee )
+	# Ignore scanning of known worm infectees.
+	if ( is_worm_infectee(state$conn$id$orig_h) )
+		return;
+@endif
+
+	# Keep track of scans.
+	local orig = state$conn$id$orig_h;
+	local resp = state$conn$id$resp_h;
+
+	if ( [orig, id] !in horiz_table )
+		horiz_table[orig, id] = set();
+
+	add horiz_table[orig, id][resp];
+
+	if ( [orig, resp] !in vert_table )
+		vert_table[orig, resp] = set();
+
+	add vert_table[orig, resp][id];
+
+	local hcount = length(horiz_table[orig, id]);
+	local vcount = length(vert_table[orig, resp]);
+
+	if ( hcount in horiz_scan_thresholds && hcount != last_hthresh[orig] )
+		{
+		local horz_scan_msg =
+			fmt("%s has triggered signature %s on %d hosts",
+				orig, id, hcount);
+
+		signature_file_write([$note=MultipleSigResponders,
+			$src_addr=orig, $sig_id=id, $event_msg=msg,
+			$host_count=hcount, $sub_msg=horz_scan_msg]);
+
+		NOTICE([$note=MultipleSigResponders, $src=orig, $filename=id,
+			$msg=msg, $n=hcount, $sub=horz_scan_msg]);
+
+		last_hthresh[orig] = hcount;
+		}
+
+	if ( vcount in vert_scan_thresholds && vcount != last_vthresh[orig] )
+		{
+		local vert_scan_msg =
+			fmt("%s has triggered %d different signatures on host %s",
+				orig, vcount, resp);
+
+		signature_file_write([$note=MultipleSignatures, $src_addr=orig,
+			$dst_addr=resp, $sig_id=id, $sig_count=vcount,
+			$event_msg= fmt("%s different signatures triggered",
+					vcount),
+			$sub_msg=vert_scan_msg]);
+
+		NOTICE([$note=MultipleSignatures, $src=orig, $dst=resp,
+			$filename=id,
+			$msg=fmt("%s different signatures triggered", vcount),
+			$n=vcount, $sub=vert_scan_msg]);
+
+		last_vthresh[orig] = vcount;
+		}
+	}
+
+# Returns true if the given signature has already been triggered for the given
+# [orig, resp] pair.
+function has_signature_matched(id: string, orig: addr, resp: addr): bool
+	{
+	return [orig, resp] in vert_table ? id in vert_table[orig, resp] : F;
+	}
diff --git a/policy/sigs/Makefile.am b/policy/sigs/Makefile.am
new file mode 100644
index 0000000000..389de9f94a
--- /dev/null
+++ b/policy/sigs/Makefile.am
@@ -0,0 +1,6 @@
+## Process this file with automake to produce Makefile.in
+
+sigsdir=${datadir}/bro/sigs
+dist_sigs_DATA = dpd.sig ex.web-rules.sig http-bots.sig p0fsyn.osf \
+	snort-default.sig ssl-worm.sig worm.sig 
+
diff --git a/policy/sigs/dpd.sig b/policy/sigs/dpd.sig
new file mode 100644
index 0000000000..abc66d8db1
--- /dev/null
+++ b/policy/sigs/dpd.sig
@@ -0,0 +1,151 @@
+# ALS signatures for protocol detection.
+
+signature dpd_ftp_client {
+  ip-proto == tcp
+  payload /(|.*[\n\r]) *[uU][sS][eE][rR] /
+  tcp-state originator
+}
+
+# Match for server greeting (220, 120) and for login or passwd
+# required (230, 331).
+signature dpd_ftp_server {
+  ip-proto == tcp
+  payload /[\n\r ]*(120|220)[^0-9].*[\n\r] *(230|331)[^0-9]/
+  tcp-state responder
+  requires-reverse-signature dpd_ftp_client
+  enable "ftp"
+}
+
+signature dpd_http_client {
+  ip-proto == tcp
+  payload /^[[:space:]]*(GET|HEAD|POST)[[:space:]]*/
+  tcp-state originator
+}
+
+signature dpd_http_server {
+  ip-proto == tcp
+  payload /^HTTP\/[0-9]/
+  tcp-state responder
+  requires-reverse-signature dpd_http_client
+  enable "http"
+}
+
+signature dpd_bittorrenttracker_client {
+  ip-proto == tcp
+  payload /^.*\/announce\?.*info_hash/
+  tcp-state originator
+}
+
+signature dpd_bittorrenttracker_server {
+  ip-proto == tcp
+  payload /^HTTP\/[0-9]/
+  tcp-state responder
+  requires-reverse-signature dpd_bittorrenttracker_client
+  enable "bittorrenttracker"
+}
+
+signature dpd_bittorrent_peer1 {
+  ip-proto == tcp
+  payload /^\x13BitTorrent protocol/
+  tcp-state originator
+}
+
+signature dpd_bittorrent_peer2 {
+  ip-proto == tcp
+  payload /^\x13BitTorrent protocol/
+  tcp-state responder
+  requires-reverse-signature dpd_bittorrent_peer1
+  enable "bittorrent"
+}
+
+signature irc_client1 {
+  ip-proto == tcp
+  payload /(|.*[\r\n]) *[Uu][Ss][Ee][Rr] +.+[\n\r]+ *[Nn][Ii][Cc][Kk] +.*[\r\n]/
+  requires-reverse-signature irc_server_reply
+  tcp-state originator
+  enable "irc"
+}
+
+signature irc_client2 {
+  ip-proto == tcp
+  payload /(|.*[\r\n]) *[Nn][Ii][Cc][Kk] +.+[\r\n]+ *[Uu][Ss][Ee][Rr] +.+[\r\n]/
+  requires-reverse-signature irc_server_reply
+  tcp-state originator
+  enable "irc"
+}
+
+signature irc_server_reply {
+  ip-proto == tcp
+  payload /^(|.*[\n\r])(:[^ \n\r]+ )?[0-9][0-9][0-9] /
+  tcp-state responder
+}
+
+signature irc_sig3 {
+  ip-proto == tcp
+  payload /(.*\x0a)*(\x20)*[Ss][Ee][Rr][Vv][Ee][Rr](\x20)+.+\x0a/
+}
+
+signature irc_sig4 {
+  ip-proto == tcp
+  payload /(.*\x0a)*(\x20)*[Ss][Ee][Rr][Vv][Ee][Rr](\x20)+.+\x0a/
+  requires-reverse-signature irc_sig3
+  enable "irc"
+}
+
+signature dpd_smtp_client {
+  ip-proto == tcp
+  payload /(|.*[\n\r])[[:space:]]*([hH][eE][lL][oO]|[eE][hH][lL][oO])/
+  requires-reverse-signature dpd_smtp_server
+  enable "smtp"
+  tcp-state originator
+}
+
+signature dpd_smtp_server {
+  ip-proto == tcp
+  payload /^[[:space:]]*220[[:space:]-]/
+  tcp-state responder
+}
+
+signature dpd_ssh_client {
+  ip-proto == tcp
+  payload /^[sS][sS][hH]-/
+  requires-reverse-signature dpd_ssh_server
+  enable "ssh"
+  tcp-state originator
+}
+
+signature dpd_ssh_server {
+  ip-proto == tcp
+  payload /^[sS][sS][hH]-/
+  tcp-state responder
+}
+
+signature dpd_pop3_server {
+  ip-proto == tcp
+  payload /^\+OK/
+  requires-reverse-signature dpd_pop3_client
+  enable "pop3"
+  tcp-state responder
+}
+
+signature dpd_pop3_client {
+  ip-proto == tcp
+  payload /(|.*[\r\n])[[:space:]]*([uU][sS][eE][rR][[:space:]]|[aA][pP][oO][pP][[:space:]]|[cC][aA][pP][aA]|[aA][uU][tT][hH])/
+  tcp-state originator
+}
+
+signature dpd_ssl_server {
+  ip-proto == tcp
+  # Server hello.
+  payload /^(\x16\x03[\x00\x01\x02]..\x02...\x03[\x00\x01\x02]|...?\x04..\x00\x02).*/
+  requires-reverse-signature dpd_ssl_client
+  enable "ssl"
+  tcp-state responder
+}
+
+signature dpd_ssl_client {
+  ip-proto == tcp
+  # Client hello.
+  payload /^(\x16\x03[\x00\x01\x02]..\x01...\x03[\x00\x01\x02]|...?\x01[\x00\x01\x02][\x02\x03]).*/
+  tcp-state originator
+}
diff --git a/policy/sigs/ex.web-rules.sig b/policy/sigs/ex.web-rules.sig
new file mode 100644
index 0000000000..cd2571b33b
--- /dev/null
+++ b/policy/sigs/ex.web-rules.sig
@@ -0,0 +1,8914 @@
+# $Id: ex.web-rules.sig 6 2004-04-30 00:31:26Z jason $
+#
+# This is a subset of Snort's signatures (automatically converted into Bro's 
+# language by snort2bro).
+#
+# [web-*.rules from snortrules-current.tar.gz as of Oct 9 19:15:02 2003 GMT]
+#
+# To use it, customize the variables contained in snort.bro and load snort.bro 
+# and signatures.bro.
+
+signature sid-1328 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-ATTACKS ps command attempt"
+  http /.*[\/\\]bin[\/\\]ps/
+  tcp-state established,originator
+  }
+
+signature sid-1329 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-ATTACKS /bin/ps command attempt"
+  http /.*ps%20/
+  tcp-state established,originator
+  }
+
+signature sid-1330 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-ATTACKS wget command attempt"
+  tcp-state established,originator
+  payload /.*[wW][gG][eE][tT]%20/
+  }
+
+signature sid-1331 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-ATTACKS uname -a command attempt"
+  tcp-state established,originator
+  payload /.*[uU][nN][aA][mM][eE]%20-[aA]/
+  }
+
+signature sid-1332 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-ATTACKS /usr/bin/id command attempt"
+  tcp-state established,originator
+  payload /.*\/[uU][sS][rR]\/[bB][iI][nN]\/[iI][dD]/
+  }
+
+signature sid-1333 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-ATTACKS id command attempt"
+  tcp-state established,originator
+  payload /.*;[iI][dD]/
+  }
+
+signature sid-1334 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-ATTACKS echo command attempt"
+  tcp-state established,originator
+  payload /.*\/[bB][iI][nN]\/[eE][cC][hH][oO]/
+  }
+
+signature sid-1335 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-ATTACKS kill command attempt"
+  tcp-state established,originator
+  payload /.*\/[bB][iI][nN]\/[kK][iI][lL][lL]/
+  }
+
+signature sid-1336 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-ATTACKS chmod command attempt"
+  tcp-state established,originator
+  payload /.*\/[bB][iI][nN]\/[cC][hH][mM][oO][dD]/
+  }
+
+signature sid-1337 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-ATTACKS chgrp command attempt"
+  tcp-state established,originator
+  payload /.*\/[cC][hH][gG][rR][pP]/
+  }
+
+signature sid-1338 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-ATTACKS chown command attempt"
+  tcp-state established,originator
+  payload /.*\/[cC][hH][oO][wW][nN]/
+  }
+
+signature sid-1339 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-ATTACKS chsh command attempt"
+  tcp-state established,originator
+  payload /.*\/[uU][sS][rR]\/[bB][iI][nN]\/[cC][hH][sS][hH]/
+  }
+
+signature sid-1340 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-ATTACKS tftp command attempt"
+  tcp-state established,originator
+  payload /.*[tT][fF][tT][pP]%20/
+  }
+
+signature sid-1341 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-ATTACKS /usr/bin/gcc command attempt"
+  tcp-state established,originator
+  payload /.*\/[uU][sS][rR]\/[bB][iI][nN]\/[gG][cC][cC]/
+  }
+
+signature sid-1342 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-ATTACKS gcc command attempt"
+  tcp-state established,originator
+  payload /.*[gG][cC][cC]%20-[oO]/
+  }
+
+signature sid-1343 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-ATTACKS /usr/bin/cc command attempt"
+  tcp-state established,originator
+  payload /.*\/[uU][sS][rR]\/[bB][iI][nN]\/[cC][cC]/
+  }
+
+signature sid-1344 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-ATTACKS cc command attempt"
+  tcp-state established,originator
+  payload /.*[cC][cC]%20/
+  }
+
+signature sid-1345 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-ATTACKS /usr/bin/cpp command attempt"
+  tcp-state established,originator
+  payload /.*\/[uU][sS][rR]\/[bB][iI][nN]\/[cC][pP][pP]/
+  }
+
+signature sid-1346 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-ATTACKS cpp command attempt"
+  tcp-state established,originator
+  payload /.*[cC][pP][pP]%20/
+  }
+
+signature sid-1347 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-ATTACKS /usr/bin/g++ command attempt"
+  tcp-state established,originator
+  payload /.*\/[uU][sS][rR]\/[bB][iI][nN]\/[gG]\+\+/
+  }
+
+signature sid-1348 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-ATTACKS g++ command attempt"
+  tcp-state established,originator
+  payload /.*[gG]\+\+%20/
+  }
+
+signature sid-1349 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-ATTACKS bin/python access attempt"
+  tcp-state established,originator
+  payload /.*[bB][iI][nN]\/[pP][yY][tT][hH][oO][nN]/
+  }
+
+signature sid-1350 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-ATTACKS python access attempt"
+  tcp-state established,originator
+  payload /.*[pP][yY][tT][hH][oO][nN]%20/
+  }
+
+signature sid-1351 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-ATTACKS bin/tclsh execution attempt"
+  tcp-state established,originator
+  payload /.*[bB][iI][nN]\/[tT][cC][lL][sS][hH]/
+  }
+
+signature sid-1352 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-ATTACKS tclsh execution attempt"
+  tcp-state established,originator
+  payload /.*[tT][cC][lL][sS][hH]8%20/
+  }
+
+signature sid-1353 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-ATTACKS bin/nasm command attempt"
+  tcp-state established,originator
+  payload /.*[bB][iI][nN]\/[nN][aA][sS][mM]/
+  }
+
+signature sid-1354 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-ATTACKS nasm command attempt"
+  tcp-state established,originator
+  payload /.*[nN][aA][sS][mM]%20/
+  }
+
+signature sid-1355 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-ATTACKS /usr/bin/perl execution attempt"
+  tcp-state established,originator
+  payload /.*\/[uU][sS][rR]\/[bB][iI][nN]\/[pP][eE][rR][lL]/
+  }
+
+signature sid-1356 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-ATTACKS perl execution attempt"
+  tcp-state established,originator
+  payload /.*[pP][eE][rR][lL]%20/
+  }
+
+signature sid-1357 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-ATTACKS nt admin addition attempt"
+  tcp-state established,originator
+  payload /.*[nN][eE][tT] [lL][oO][cC][aA][lL][gG][rR][oO][uU][pP] [aA][dD][mM][iI][nN][iI][sS][tT][rR][aA][tT][oO][rR][sS] \/[aA][dD][dD]/
+  }
+
+signature sid-1358 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-ATTACKS traceroute command attempt"
+  tcp-state established,originator
+  payload /.*[tT][rR][aA][cC][eE][rR][oO][uU][tT][eE]%20/
+  }
+
+signature sid-1359 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-ATTACKS ping command attempt"
+  tcp-state established,originator
+  payload /.*\/[bB][iI][nN]\/[pP][iI][nN][gG]/
+  }
+
+signature sid-1360 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-ATTACKS netcat command attempt"
+  tcp-state established,originator
+  payload /.*[nN][cC]%20/
+  }
+
+signature sid-1361 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-ATTACKS nmap command attempt"
+  tcp-state established,originator
+  payload /.*[nN][mM][aA][pP]%20/
+  }
+
+signature sid-1362 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-ATTACKS xterm command attempt"
+  tcp-state established,originator
+  payload /.*\/[uU][sS][rR]\/[xX]11[rR]6\/[bB][iI][nN]\/[xX][tT][eE][rR][mM]/
+  }
+
+signature sid-1363 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-ATTACKS X application to remote host attempt"
+  tcp-state established,originator
+  payload /.*%20-[dD][iI][sS][pP][lL][aA][yY]%20/
+  }
+
+signature sid-1364 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-ATTACKS lsof command attempt"
+  tcp-state established,originator
+  payload /.*[lL][sS][oO][fF]%20/
+  }
+
+signature sid-1365 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-ATTACKS rm command attempt"
+  tcp-state established,originator
+  payload /.*[rR][mM]%20/
+  }
+
+signature sid-1366 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-ATTACKS mail command attempt"
+  tcp-state established,originator
+  payload /.*\/[bB][iI][nN]\/[mM][aA][iI][lL]/
+  }
+
+signature sid-1367 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-ATTACKS mail command attempt"
+  tcp-state established,originator
+  payload /.*[mM][aA][iI][lL]%20/
+  }
+
+signature sid-1368 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-ATTACKS /bin/ls| command attempt"
+  http /.*[\/\\]bin[\/\\]ls\|/
+  tcp-state established,originator
+  }
+
+signature sid-1369 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-ATTACKS /bin/ls command attempt"
+  http /.*[\/\\]bin[\/\\]ls/
+  tcp-state established,originator
+  }
+
+signature sid-1370 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-ATTACKS /etc/inetd.conf access"
+  tcp-state established,originator
+  payload /.*\/[eE][tT][cC]\/[iI][nN][eE][tT][dD]\.[cC][oO][nN][fF]/
+  }
+
+signature sid-1371 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-ATTACKS /etc/motd access"
+  tcp-state established,originator
+  payload /.*\/[eE][tT][cC]\/[mM][oO][tT][dD]/
+  }
+
+signature sid-1372 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-ATTACKS /etc/shadow access"
+  tcp-state established,originator
+  payload /.*\/[eE][tT][cC]\/[sS][hH][aA][dD][oO][wW]/
+  }
+
+signature sid-1373 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-ATTACKS conf/httpd.conf attempt"
+  tcp-state established,originator
+  payload /.*[cC][oO][nN][fF]\/[hH][tT][tT][pP][dD]\.[cC][oO][nN][fF]/
+  }
+
+signature sid-1374 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-ATTACKS .htgroup access"
+  http /.*\.htgroup/
+  tcp-state established,originator
+  }
+
+signature sid-803 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI HyperSeek hsx.cgi directory traversal attempt"
+  http /.*[\/\\]hsx\.cgi/
+  tcp-state established,originator
+  payload /.*\.\.\/\.\.\/.{1}.*%00/
+  }
+
+signature sid-1607 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI HyperSeek hsx.cgi access"
+  http /.*[\/\\]hsx\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-804 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI SWSoft ASPSeek Overflow attempt"
+  http /.*[\/\\]s\.cgi/
+  tcp-state established,originator
+  payload /.*[tT][mM][pP][lL]=/
+  }
+
+signature sid-805 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI webspeed access"
+  http /.*[\/\\]wsisa\.dll[\/\\]WService=/
+  tcp-state established,originator
+  payload /.*[wW][sS][mM][aA][dD][mM][iI][nN]/
+  }
+
+signature sid-806 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI yabb.cgi directory traversal attempt"
+  http /.*[\/\\]YaBB\.pl/
+  tcp-state established,originator
+  payload /.*\.\.\//
+  }
+
+signature sid-1637 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI yabb.cgi access"
+  http /.*[\/\\]YaBB\.pl/
+  tcp-state established,originator
+  }
+
+signature sid-807 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI /wwwboard/passwd.txt access"
+  http /.*[\/\\]wwwboard[\/\\]passwd\.txt/
+  tcp-state established,originator
+  }
+
+signature sid-808 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI webdriver access"
+  http /.*[\/\\]webdriver/
+  tcp-state established,originator
+  }
+
+signature sid-809 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI whois_raw.cgi arbitrary command execution attempt"
+  http /.*[\/\\]whois_raw\.cgi\?/
+  tcp-state established,originator
+  payload /.*\x0a/
+  }
+
+signature sid-810 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI whois_raw.cgi access"
+  http /.*[\/\\]whois_raw\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-811 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI websitepro path access"
+  tcp-state established,originator
+  payload /.* \/[hH][tT][tT][pP]\/1\./
+  }
+
+signature sid-812 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI webplus version access"
+  http /.*[\/\\]webplus\?about/
+  tcp-state established,originator
+  }
+
+signature sid-813 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI webplus directory traversal"
+  http /.*[\/\\]webplus\?script/
+  tcp-state established,originator
+  payload /.*\.\.\//
+  }
+
+signature sid-815 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI websendmail access"
+  http /.*[\/\\]websendmail/
+  tcp-state established,originator
+  }
+
+signature sid-1571 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI dcforum.cgi directory traversal attempt"
+  http /.*[\/\\]dcforum\.cgi/
+  tcp-state established,originator
+  payload /.*forum=\.\.\/\.\./
+  }
+
+signature sid-818 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI dcforum.cgi access"
+  http /.*[\/\\]dcforum\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-817 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI dcboard.cgi invalid user addition attempt"
+  http /.*[\/\\]dcboard\.cgi/
+  tcp-state established,originator
+  payload /.*command=register/
+  payload /.*%7cadmin/
+  }
+
+signature sid-1410 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI dcboard.cgi access"
+  http /.*[\/\\]dcboard\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-819 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI mmstdod.cgi access"
+  http /.*[\/\\]mmstdod\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-820 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI anaconda directory transversal attempt"
+  http /.*[\/\\]apexec\.pl/
+  tcp-state established,originator
+  payload /.*[tT][eE][mM][pP][lL][aA][tT][eE]=\.\.\//
+  }
+
+signature sid-821 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI imagemap.exe overflow attempt"
+  http /.*[\/\\]imagemap\.exe\?/
+  tcp-state established,originator
+  }
+
+signature sid-1700 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI imagemap.exe access"
+  http /.*[\/\\]imagemap\.exe/
+  tcp-state established,originator
+  }
+
+signature sid-823 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI cvsweb.cgi access"
+  http /.*[\/\\]cvsweb\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-824 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI php.cgi access"
+  http /.*[\/\\]php\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-825 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI glimpse access"
+  http /.*[\/\\]glimpse/
+  tcp-state established,originator
+  }
+
+signature sid-1608 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI htmlscript attempt"
+  http /.*[\/\\]htmlscript\?\.\.[\/\\]\.\./
+  tcp-state established,originator
+  }
+
+signature sid-826 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI htmlscript access"
+  http /.*[\/\\]htmlscript/
+  tcp-state established,originator
+  }
+
+signature sid-827 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI info2www access"
+  http /.*[\/\\]info2www/
+  tcp-state established,originator
+  }
+
+signature sid-828 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI maillist.pl access"
+  http /.*[\/\\]maillist\.pl/
+  tcp-state established,originator
+  }
+
+signature sid-829 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI nph-test-cgi access"
+  http /.*[\/\\]nph-test-cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1451 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI NPH-publish access"
+  http /.*[\/\\]nph-maillist\.pl/
+  tcp-state established,originator
+  }
+
+signature sid-830 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI NPH-publish access"
+  http /.*[\/\\]nph-publish/
+  tcp-state established,originator
+  }
+
+signature sid-833 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI rguest.exe access"
+  http /.*[\/\\]rguest\.exe/
+  tcp-state established,originator
+  }
+
+signature sid-834 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI rwwwshell.pl access"
+  http /.*[\/\\]rwwwshell\.pl/
+  tcp-state established,originator
+  }
+
+signature sid-1644 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI test-cgi attempt"
+  http /.*[\/\\]test-cgi[\/\\]\*\?\*/
+  tcp-state established,originator
+  }
+
+signature sid-835 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI test-cgi access"
+  http /.*[\/\\]test-cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1645 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI testcgi access"
+  http /.*[\/\\]testcgi/
+  tcp-state established,originator
+  }
+
+signature sid-1646 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI test.cgi access"
+  http /.*[\/\\]test\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-836 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI textcounter.pl access"
+  http /.*[\/\\]textcounter\.pl/
+  tcp-state established,originator
+  }
+
+signature sid-837 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI uploader.exe access"
+  http /.*[\/\\]uploader\.exe/
+  tcp-state established,originator
+  }
+
+signature sid-838 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI webgais access"
+  http /.*[\/\\]webgais/
+  tcp-state established,originator
+  }
+
+signature sid-839 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI finger access"
+  http /.*[\/\\]finger/
+  tcp-state established,originator
+  }
+
+signature sid-840 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI perlshop.cgi access"
+  http /.*[\/\\]perlshop\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-841 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI pfdisplay.cgi access"
+  http /.*[\/\\]pfdisplay\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-842 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI aglimpse access"
+  http /.*[\/\\]aglimpse/
+  tcp-state established,originator
+  }
+
+signature sid-843 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI anform2 access"
+  http /.*[\/\\]AnForm2/
+  tcp-state established,originator
+  }
+
+signature sid-844 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI args.bat access"
+  http /.*[\/\\]args\.bat/
+  tcp-state established,originator
+  }
+
+signature sid-1452 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI args.cmd access"
+  http /.*[\/\\]args\.cmd/
+  tcp-state established,originator
+  }
+
+signature sid-845 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI AT-admin.cgi access"
+  http /.*[\/\\]AT-admin\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1453 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI AT-generated.cgi access"
+  http /.*[\/\\]AT-generated\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-846 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI bnbform.cgi access"
+  http /.*[\/\\]bnbform\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-847 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI campas access"
+  http /.*[\/\\]campas/
+  tcp-state established,originator
+  }
+
+signature sid-848 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI view-source directory traversal"
+  http /.*[\/\\]view-source/
+  tcp-state established,originator
+  payload /.*\.\.\//
+  }
+
+signature sid-849 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI view-source access"
+  http /.*[\/\\]view-source/
+  tcp-state established,originator
+  }
+
+signature sid-850 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI wais.pl access"
+  http /.*[\/\\]wais\.pl/
+  tcp-state established,originator
+  }
+
+signature sid-1454 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI wwwwais access"
+  http /.*[\/\\]wwwwais/
+  tcp-state established,originator
+  }
+
+signature sid-851 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI files.pl access"
+  http /.*[\/\\]files\.pl/
+  tcp-state established,originator
+  }
+
+signature sid-852 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI wguest.exe access"
+  http /.*[\/\\]wguest\.exe/
+  tcp-state established,originator
+  }
+
+signature sid-853 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI wrap access"
+  http /.*[\/\\]wrap/
+  tcp-state established,originator
+  }
+
+signature sid-854 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI classifieds.cgi access"
+  http /.*[\/\\]classifieds\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-856 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI environ.cgi access"
+  http /.*[\/\\]environ\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1647 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI faxsurvey attempt (full path)"
+  http /.*[\/\\]faxsurvey\?[\/\\]/
+  tcp-state established,originator
+  }
+
+signature sid-1609 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI faxsurvey arbitrary file read attempt"
+  http /.*[\/\\]faxsurvey\?cat%20/
+  tcp-state established,originator
+  }
+
+signature sid-857 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI faxsurvey access"
+  http /.*[\/\\]faxsurvey/
+  tcp-state established,originator
+  }
+
+signature sid-858 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI filemail access"
+  http /.*[\/\\]filemail\.pl/
+  tcp-state established,originator
+  }
+
+signature sid-859 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI man.sh access"
+  http /.*[\/\\]man\.sh/
+  tcp-state established,originator
+  }
+
+signature sid-860 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI snork.bat access"
+  http /.*[\/\\]snork\.bat/
+  tcp-state established,originator
+  }
+
+signature sid-861 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI w3-msql access"
+  http /.*[\/\\]w3-msql[\/\\]/
+  tcp-state established,originator
+  }
+
+signature sid-863 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI day5datacopier.cgi access"
+  http /.*[\/\\]day5datacopier\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-864 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI day5datanotifier.cgi access"
+  http /.*[\/\\]day5datanotifier\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-866 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI post-query access"
+  http /.*[\/\\]post-query/
+  tcp-state established,originator
+  }
+
+signature sid-867 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI visadmin.exe access"
+  http /.*[\/\\]visadmin\.exe/
+  tcp-state established,originator
+  }
+
+signature sid-869 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI dumpenv.pl access"
+  http /.*[\/\\]dumpenv\.pl/
+  tcp-state established,originator
+  }
+
+signature sid-1536 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI calendar_admin.pl arbitrary command execution attempt"
+  http /.*[\/\\]calendar_admin\.pl\?config=\|/
+  tcp-state established,originator
+  }
+
+signature sid-1537 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI calendar_admin.pl access"
+  http /.*[\/\\]calendar_admin\.pl/
+  tcp-state established,originator
+  }
+
+signature sid-1701 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI calendar-admin.pl access"
+  http /.*[\/\\]calendar-admin\.pl/
+  tcp-state established,originator
+  }
+
+signature sid-1455 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI calender.pl access"
+  http /.*[\/\\]calender\.pl/
+  tcp-state established,originator
+  }
+
+signature sid-882 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI calendar access"
+  http /.*[\/\\]calendar/
+  tcp-state established,originator
+  }
+
+signature sid-1457 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI user_update_admin.pl access"
+  http /.*[\/\\]user_update_admin\.pl/
+  tcp-state established,originator
+  }
+
+signature sid-1458 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI user_update_passwd.pl access"
+  http /.*[\/\\]user_update_passwd\.pl/
+  tcp-state established,originator
+  }
+
+signature sid-870 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI snorkerz.cmd access"
+  http /.*[\/\\]snorkerz\.cmd/
+  tcp-state established,originator
+  }
+
+signature sid-871 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI survey.cgi access"
+  http /.*[\/\\]survey\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-873 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI scriptalias access"
+  http /.*[\/\\][\/\\][\/\\]/
+  tcp-state established,originator
+  }
+
+signature sid-875 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI win-c-sample.exe access"
+  http /.*[\/\\]win-c-sample\.exe/
+  tcp-state established,originator
+  }
+
+signature sid-878 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI w3tvars.pm access"
+  http /.*[\/\\]w3tvars\.pm/
+  tcp-state established,originator
+  }
+
+signature sid-879 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI admin.pl access"
+  http /.*[\/\\]admin\.pl/
+  tcp-state established,originator
+  }
+
+signature sid-880 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI LWGate access"
+  http /.*[\/\\]LWGate/
+  tcp-state established,originator
+  }
+
+signature sid-881 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI archie access"
+  http /.*[\/\\]archie/
+  tcp-state established,originator
+  }
+
+signature sid-883 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI flexform access"
+  http /.*[\/\\]flexform/
+  tcp-state established,originator
+  }
+
+signature sid-1610 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI formmail arbitrary command execution attempt"
+  http /.*[\/\\]formmail/
+  tcp-state established,originator
+  payload /.*%0[aA]/
+  }
+
+signature sid-884 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI formmail access"
+  http /.*[\/\\]formmail/
+  tcp-state established,originator
+  }
+
+signature sid-1762 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI phf arbitrary command execution attempt"
+  http /.*[\/\\]phf/
+  tcp-state established,originator
+  payload /.*[qQ][aA][lL][iI][aA][sS]/
+  payload /.*%0a\//
+  }
+
+signature sid-886 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI phf access"
+  http /.*[\/\\]phf/
+  tcp-state established,originator
+  }
+
+signature sid-887 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI www-sql access"
+  http /.*[\/\\]www-sql/
+  tcp-state established,originator
+  }
+
+signature sid-888 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI wwwadmin.pl access"
+  http /.*[\/\\]wwwadmin\.pl/
+  tcp-state established,originator
+  }
+
+signature sid-889 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI ppdscgi.exe access"
+  http /.*[\/\\]ppdscgi\.exe/
+  tcp-state established,originator
+  }
+
+signature sid-890 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI sendform.cgi access"
+  http /.*[\/\\]sendform\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-891 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI upload.pl access"
+  http /.*[\/\\]upload\.pl/
+  tcp-state established,originator
+  }
+
+signature sid-892 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI AnyForm2 access"
+  http /.*[\/\\]AnyForm2/
+  tcp-state established,originator
+  }
+
+signature sid-893 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI MachineInfo access"
+  http /.*[\/\\]MachineInfo/
+  tcp-state established,originator
+  }
+
+signature sid-1531 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI bb-hist.sh attempt"
+  http /.*[\/\\]bb-hist\.sh\?HISTFILE=\.\.[\/\\]\.\./
+  tcp-state established,originator
+  }
+
+signature sid-894 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI bb-hist.sh access"
+  http /.*[\/\\]bb-hist\.sh/
+  tcp-state established,originator
+  }
+
+signature sid-1459 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI bb-histlog.sh access"
+  http /.*[\/\\]bb-histlog\.sh/
+  tcp-state established,originator
+  }
+
+signature sid-1460 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI bb-histsvc.sh access"
+  http /.*[\/\\]bb-histsvc\.sh/
+  tcp-state established,originator
+  }
+
+signature sid-1532 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI bb-hostscv.sh attempt"
+  http /.*[\/\\]bb-hostsvc\.sh\?HOSTSVC\?\.\.[\/\\]\.\./
+  tcp-state established,originator
+  }
+
+signature sid-1533 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI bb-hostscv.sh access"
+  http /.*[\/\\]bb-hostsvc\.sh/
+  tcp-state established,originator
+  }
+
+signature sid-1461 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI bb-rep.sh access"
+  http /.*[\/\\]bb-rep\.sh/
+  tcp-state established,originator
+  }
+
+signature sid-1462 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI bb-replog.sh access"
+  http /.*[\/\\]bb-replog\.sh/
+  tcp-state established,originator
+  }
+
+signature sid-895 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI redirect access"
+  http /.*[\/\\]redirect/
+  tcp-state established,originator
+  }
+
+signature sid-1397 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI wayboard attempt"
+  http /.*[\/\\]way-board[\/\\]way-board\.cgi/
+  tcp-state established,originator
+  payload /.*db=/
+  payload /.*\.\.\/\.\./
+  }
+
+signature sid-896 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI way-board access"
+  http /.*[\/\\]way-board/
+  tcp-state established,originator
+  }
+
+signature sid-1222 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI pals-cgi arbitrary file access attempt"
+  http /.*[\/\\]pals-cgi/
+  tcp-state established,originator
+  payload /.*[dD][oO][cC][uU][mM][eE][nN][tT][nN][aA][mM][eE]=/
+  }
+
+signature sid-897 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI pals-cgi access"
+  http /.*[\/\\]pals-cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1572 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI commerce.cgi arbitrary file access attempt"
+  http /.*[\/\\]commerce\.cgi/
+  tcp-state established,originator
+  payload /.*page=/
+  payload /.*\/\.\.\//
+  }
+
+signature sid-898 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI commerce.cgi access"
+  http /.*[\/\\]commerce\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-899 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI Amaya templates sendtemp.pl directory traversal attempt"
+  http /.*[\/\\]sendtemp\.pl/
+  tcp-state established,originator
+  payload /.*[tT][eE][mM][pP][lL]=/
+  }
+
+signature sid-1702 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI Amaya templates sendtemp.pl access"
+  http /.*[\/\\]sendtemp\.pl/
+  tcp-state established,originator
+  }
+
+signature sid-900 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI webspirs.cgi directory traversal attempt"
+  http /.*[\/\\]webspirs\.cgi/
+  tcp-state established,originator
+  payload /.*\.\.\/\.\.\//
+  }
+
+signature sid-901 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI webspirs.cgi access"
+  http /.*[\/\\]webspirs\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-902 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI tstisapi.dll access"
+  http /.*tstisapi\.dll/
+  tcp-state established,originator
+  }
+
+signature sid-1308 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI sendmessage.cgi access"
+  http /.*[\/\\]sendmessage\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1392 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI lastlines.cgi access"
+  http /.*[\/\\]lastlines\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1395 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI zml.cgi attempt"
+  http /.*[\/\\]zml\.cgi/
+  tcp-state established,originator
+  payload /.*file=\.\.\//
+  }
+
+signature sid-1396 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI zml.cgi access"
+  http /.*[\/\\]zml\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1405 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI AHG search.cgi access"
+  http /.*[\/\\]publisher[\/\\]search\.cgi/
+  tcp-state established,originator
+  payload /.*[tT][eE][mM][pP][lL][aA][tT][eE]=/
+  }
+
+signature sid-1534 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI agora.cgi attempt"
+  http /.*[\/\\]store[\/\\]agora\.cgi\?cart_id=<SCRIPT>/
+  tcp-state established,originator
+  }
+
+signature sid-1406 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI agora.cgi access"
+  http /.*[\/\\]store[\/\\]agora\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-877 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI rksh access"
+  http /.*[\/\\]rksh/
+  tcp-state established,originator
+  }
+
+signature sid-885 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI bash access"
+  http /.*[\/\\]bash/
+  tcp-state established,originator
+  }
+
+signature sid-1648 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI perl.exe command attempt"
+  http /.*[\/\\]perl\.exe\?/
+  tcp-state established,originator
+  }
+
+signature sid-832 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI perl.exe access"
+  http /.*[\/\\]perl\.exe/
+  tcp-state established,originator
+  }
+
+signature sid-1649 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI perl command attempt"
+  http /.*[\/\\]perl\?/
+  tcp-state established,originator
+  }
+
+signature sid-1309 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI zsh access"
+  http /.*[\/\\]zsh/
+  tcp-state established,originator
+  }
+
+signature sid-862 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI csh access"
+  http /.*[\/\\]csh/
+  tcp-state established,originator
+  }
+
+signature sid-872 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI tcsh access"
+  http /.*[\/\\]tcsh/
+  tcp-state established,originator
+  }
+
+signature sid-868 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI rsh access"
+  http /.*[\/\\]rsh/
+  tcp-state established,originator
+  }
+
+signature sid-865 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI ksh access"
+  http /.*[\/\\]ksh/
+  tcp-state established,originator
+  }
+
+signature sid-1703 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI auktion.cgi directory traversal attempt"
+  http /.*[\/\\]auktion\.cgi/
+  tcp-state established,originator
+  payload /.*[mM][eE][nN][uU][eE]=\.\.\/\.\.\//
+  }
+
+signature sid-1465 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI auktion.cgi access"
+  http /.*[\/\\]auktion\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1573 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI cgiforum.pl attempt"
+  http /.*[\/\\]cgiforum\.pl\?thesection=\.\.[\/\\]\.\./
+  tcp-state established,originator
+  }
+
+signature sid-1466 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI cgiforum.pl access"
+  http /.*[\/\\]cgiforum\.pl/
+  tcp-state established,originator
+  }
+
+signature sid-1574 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI directorypro.cgi attempt"
+  http /.*[\/\\]directorypro\.cgi/
+  tcp-state established,originator
+  payload /.*show=.{1}.*\.\.\/\.\./
+  }
+
+signature sid-1467 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI directorypro.cgi access"
+  http /.*[\/\\]directorypro\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1468 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI Web Shopper shopper.cgi attempt"
+  http /.*[\/\\]shopper\.cgi/
+  tcp-state established,originator
+  payload /.*[nN][eE][wW][pP][aA][gG][eE]=\.\.\//
+  }
+
+signature sid-1469 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI Web Shopper shopper.cgi access"
+  http /.*[\/\\]shopper\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1470 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI listrec.pl access"
+  http /.*[\/\\]listrec\.pl/
+  tcp-state established,originator
+  }
+
+signature sid-1471 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI mailnews.cgi access"
+  http /.*[\/\\]mailnews\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1879 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI book.cgi arbitrary command execution attempt"
+  http /.*[\/\\]book\.cgi/
+  tcp-state established,originator
+  payload /.*[cC][uU][rR][rR][eE][nN][tT]=\|/
+  }
+
+signature sid-1472 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI book.cgi access"
+  http /.*[\/\\]book\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1473 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI newsdesk.cgi access"
+  http /.*[\/\\]newsdesk\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1704 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI cal_make.pl directory traversal attempt"
+  http /.*[\/\\]cal_make\.pl/
+  tcp-state established,originator
+  payload /.*[pP]0=\.\.\/\.\.\//
+  }
+
+signature sid-1474 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI cal_make.pl access"
+  http /.*[\/\\]cal_make\.pl/
+  tcp-state established,originator
+  }
+
+signature sid-1475 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI mailit.pl access"
+  http /.*[\/\\]mailit\.pl/
+  tcp-state established,originator
+  }
+
+signature sid-1476 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI sdbsearch.cgi access"
+  http /.*[\/\\]sdbsearch\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1478 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI swc access"
+  http /.*[\/\\]swc/
+  tcp-state established,originator
+  }
+
+signature sid-1479 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI ttawebtop.cgi arbitrary file attempt"
+  http /.*[\/\\]ttawebtop\.cgi/
+  tcp-state established,originator
+  payload /.*[pP][gG]=\.\.\//
+  }
+
+signature sid-1480 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI ttawebtop.cgi access"
+  http /.*[\/\\]ttawebtop\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1481 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI upload.cgi access"
+  http /.*[\/\\]upload\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1482 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI view_source access"
+  http /.*[\/\\]view_source/
+  tcp-state established,originator
+  }
+
+signature sid-1730 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI ustorekeeper.pl directory traversal attempt"
+  http /.*[\/\\]ustorekeeper\.pl/
+  tcp-state established,originator
+  payload /.*[fF][iI][lL][eE]=\.\.\/\.\.\//
+  }
+
+signature sid-1483 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI ustorekeeper.pl access"
+  http /.*[\/\\]ustorekeeper\.pl/
+  tcp-state established,originator
+  }
+
+signature sid-1606 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI icat access"
+  http /.*[\/\\]icat/
+  tcp-state established,originator
+  }
+
+signature sid-1617 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI Bugzilla doeditvotes.cgi access"
+  http /.*[\/\\]doeditvotes\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1600 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI htsearch arbitrary configuration file attempt"
+  http /.*[\/\\]htsearch\?-c/
+  tcp-state established,originator
+  }
+
+signature sid-1601 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI htsearch arbitrary file read attempt"
+  http /.*[\/\\]htsearch\?exclude=`/
+  tcp-state established,originator
+  }
+
+signature sid-1602 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI htsearch access"
+  http /.*[\/\\]htsearch/
+  tcp-state established,originator
+  }
+
+signature sid-1501 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI a1stats a1disp3.cgi directory traversal attempt"
+  http /.*[\/\\]a1disp3\.cgi\?[\/\\]\.\.[\/\\]\.\.[\/\\]/
+  tcp-state established,originator
+  }
+
+signature sid-1502 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI a1stats a1disp3.cgi access"
+  http /.*[\/\\]a1disp3\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1731 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI a1stats access"
+  http /.*[\/\\]a1stats[\/\\]/
+  tcp-state established,originator
+  }
+
+signature sid-1503 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI admentor admin.asp access"
+  http /.*[\/\\]admentor[\/\\]admin[\/\\]admin\.asp/
+  tcp-state established,originator
+  }
+
+signature sid-1505 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI alchemy http server PRN arbitrary command execution attempt"
+  http /.*[\/\\]PRN[\/\\]\.\.[\/\\]\.\.[\/\\]/
+  tcp-state established,originator
+  }
+
+signature sid-1506 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI alchemy http server NUL arbitrary command execution attempt"
+  http /.*[\/\\]NUL[\/\\]\.\.[\/\\]\.\.[\/\\]/
+  tcp-state established,originator
+  }
+
+signature sid-1507 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI alibaba.pl arbitrary command execution attempt"
+  http /.*[\/\\]alibaba\.pl\|/
+  tcp-state established,originator
+  }
+
+signature sid-1508 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI alibaba.pl access"
+  http /.*[\/\\]alibaba\.pl/
+  tcp-state established,originator
+  }
+
+signature sid-1509 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI AltaVista Intranet Search directory traversal attempt"
+  http /.*[\/\\]query\?mss=\.\./
+  tcp-state established,originator
+  }
+
+signature sid-1510 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI test.bat arbitrary command execution attempt"
+  http /.*[\/\\]test\.bat\|/
+  tcp-state established,originator
+  }
+
+signature sid-1511 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI test.bat access"
+  http /.*[\/\\]test\.bat/
+  tcp-state established,originator
+  }
+
+signature sid-1512 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI input.bat arbitrary command execution attempt"
+  http /.*[\/\\]input\.bat\|/
+  tcp-state established,originator
+  }
+
+signature sid-1513 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI input.bat access"
+  http /.*[\/\\]input\.bat/
+  tcp-state established,originator
+  }
+
+signature sid-1514 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI input2.bat arbitrary command execution attempt"
+  http /.*[\/\\]input2\.bat\|/
+  tcp-state established,originator
+  }
+
+signature sid-1515 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI input2.bat access"
+  http /.*[\/\\]input2\.bat/
+  tcp-state established,originator
+  }
+
+signature sid-1516 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI envout.bat arbitrary command execution attempt"
+  http /.*[\/\\]envout\.bat\|/
+  tcp-state established,originator
+  }
+
+signature sid-1517 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI envout.bat access"
+  http /.*[\/\\]envout\.bat/
+  tcp-state established,originator
+  }
+
+signature sid-1705 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI echo.bat arbitrary command execution attempt"
+  http /.*[\/\\]echo\.bat/
+  tcp-state established,originator
+  payload /.*&/
+  }
+
+signature sid-1706 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI echo.bat access"
+  http /.*[\/\\]echo\.bat/
+  tcp-state established,originator
+  }
+
+signature sid-1707 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI hello.bat arbitrary command execution attempt"
+  http /.*[\/\\]hello\.bat/
+  tcp-state established,originator
+  payload /.*&/
+  }
+
+signature sid-1708 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI hello.bat access"
+  http /.*[\/\\]hello\.bat/
+  tcp-state established,originator
+  }
+
+signature sid-1650 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI tst.bat access"
+  http /.*[\/\\]tst\.bat/
+  tcp-state established,originator
+  }
+
+signature sid-1539 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI /cgi-bin/ls access"
+  http /.*[\/\\]cgi-bin[\/\\]ls/
+  tcp-state established,originator
+  }
+
+signature sid-1542 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI cgimail access"
+  http /.*[\/\\]cgimail/
+  tcp-state established,originator
+  }
+
+signature sid-1543 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI cgiwrap access"
+  http /.*[\/\\]cgiwrap/
+  tcp-state established,originator
+  }
+
+signature sid-1547 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI csSearch.cgi arbitrary command execution attempt"
+  http /.*[\/\\]csSearch\.cgi/
+  tcp-state established,originator
+  payload /.*setup=/
+  payload /.*`.{1}.*`/
+  }
+
+signature sid-1548 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI csSearch.cgi access"
+  http /.*[\/\\]csSearch\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1553 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI /cart/cart.cgi access"
+  http /.*[\/\\]cart[\/\\]cart\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1554 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI dbman db.cgi access"
+  http /.*[\/\\]dbman[\/\\]db\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1555 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI DCShop access"
+  http /.*[\/\\]dcshop/
+  tcp-state established,originator
+  }
+
+signature sid-1556 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI DCShop orders.txt access"
+  http /.*[\/\\]orders[\/\\]orders\.txt/
+  tcp-state established,originator
+  }
+
+signature sid-1557 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI DCShop auth_user_file.txt access"
+  http /.*[\/\\]auth_data[\/\\]auth_user_file\.txt/
+  tcp-state established,originator
+  }
+
+signature sid-1565 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI eshop.pl arbitrary commane execution attempt"
+  http /.*[\/\\]eshop\.pl\?seite=;/
+  tcp-state established,originator
+  }
+
+signature sid-1566 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI eshop.pl access"
+  http /.*[\/\\]eshop\.pl/
+  tcp-state established,originator
+  }
+
+signature sid-1569 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI loadpage.cgi directory traversal attempt"
+  http /.*[\/\\]loadpage\.cgi/
+  tcp-state established,originator
+  payload /.*[fF][iI][lL][eE]=\.\.\//
+  }
+
+signature sid-1570 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI loadpage.cgi access"
+  http /.*[\/\\]loadpage\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1590 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI faqmanager.cgi arbitrary file access attempt"
+  http /.*[\/\\]faqmanager\.cgi\?toc=/
+  http /.*%00/
+  tcp-state established,originator
+  }
+
+signature sid-1591 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI faqmanager.cgi access"
+  http /.*[\/\\]faqmanager\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1592 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI /fcgi-bin/echo.exe access"
+  http /.*[\/\\]fcgi-bin[\/\\]echo\.exe/
+  tcp-state established,originator
+  }
+
+signature sid-1628 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI FormHandler.cgi directory traversal attempt attempt"
+  http /.*[\/\\]FormHandler\.cgi/
+  tcp-state established,originator
+  payload /.*[rR][eE][pP][lL][yY]_[mM][eE][sS][sS][aA][gG][eE]_[aA][tT][tT][aA][cC][hH]=/
+  payload /.*\/\.\.\//
+  }
+
+signature sid-1593 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI FormHandler.cgi external site redirection attempt"
+  http /.*[\/\\]FormHandler\.cgi/
+  tcp-state established,originator
+  payload /.*[rR][eE][dD][iI][rR][eE][cC][tT]=[hH][tT][tT][pP]/
+  }
+
+signature sid-1594 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI FormHandler.cgi access"
+  http /.*[\/\\]FormHandler\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1597 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI guestbook.cgi access"
+  http /.*[\/\\]guestbook\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1598 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI Home Free search.cgi directory traversal attempt"
+  http /.*[\/\\]search\.cgi/
+  tcp-state established,originator
+  payload /.*[lL][eE][tT][tT][eE][rR]=\.\.\/\.\./
+  }
+
+signature sid-1599 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI search.cgi access"
+  http /.*[\/\\]search\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1651 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI enivorn.pl access"
+  http /.*[\/\\]enivron\.pl/
+  tcp-state established,originator
+  }
+
+signature sid-1652 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI campus attempt"
+  http /.*[\/\\]campus\?%0a/
+  tcp-state established,originator
+  }
+
+signature sid-1653 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI campus access"
+  http /.*[\/\\]campus/
+  tcp-state established,originator
+  }
+
+signature sid-1654 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI cart32.exe access"
+  http /.*[\/\\]cart32\.exe/
+  tcp-state established,originator
+  }
+
+signature sid-1655 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI pfdispaly.cgi arbitrary command execution attempt"
+  http /.*[\/\\]pfdispaly\.cgi\?'/
+  tcp-state established,originator
+  }
+
+signature sid-1656 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI pfdispaly.cgi access"
+  http /.*[\/\\]pfdispaly\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1657 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI pagelog.cgi directory traversal attempt"
+  http /.*[\/\\]pagelog\.cgi/
+  tcp-state established,originator
+  payload /.*[nN][aA][mM][eE]=\.\.\//
+  }
+
+signature sid-1658 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI pagelog.cgi access"
+  http /.*[\/\\]pagelog\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1709 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI ad.cgi access"
+  http /.*[\/\\]ad\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1710 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI bbs_forum.cgi access"
+  http /.*[\/\\]bbs_forum\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1711 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI bsguest.cgi access"
+  http /.*[\/\\]bsguest\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1712 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI bslist.cgi access"
+  http /.*[\/\\]bslist\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1713 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI cgforum.cgi access"
+  http /.*[\/\\]cgforum\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1714 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI newdesk access"
+  http /.*[\/\\]newdesk/
+  tcp-state established,originator
+  }
+
+signature sid-1715 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI register.cgi access"
+  http /.*[\/\\]register\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1716 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI gbook.cgi access"
+  http /.*[\/\\]gbook\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1717 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI simplestguest.cgi access"
+  http /.*[\/\\]simplestguest\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1718 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI statusconfig.pl access"
+  http /.*[\/\\]statusconfig\.pl/
+  tcp-state established,originator
+  }
+
+signature sid-1719 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI talkback.cgi directory traversal attempt"
+  http /.*[\/\\]talkbalk\.cgi/
+  tcp-state established,originator
+  payload /.*[aA][rR][tT][iI][cC][lL][eE]=\.\.\/\.\.\//
+  }
+
+signature sid-1720 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI talkback.cgi access"
+  http /.*[\/\\]talkbalk\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1721 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI adcycle access"
+  http /.*[\/\\]adcycle/
+  tcp-state established,originator
+  }
+
+signature sid-1722 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI MachineInfo access"
+  http /.*[\/\\]MachineInfo/
+  tcp-state established,originator
+  }
+
+signature sid-1723 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI emumail.cgi NULL attempt"
+  http /.*[\/\\]emumail\.cgi/
+  tcp-state established,originator
+  payload /.*[tT][yY][pP][eE]=/
+  payload /.*%00/
+  }
+
+signature sid-1724 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI emumail.cgi access"
+  http /.*[\/\\]emumail\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1642 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI document.d2w access"
+  http /.*[\/\\]document\.d2w/
+  tcp-state established,originator
+  }
+
+signature sid-1643 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI db2www access"
+  http /.*[\/\\]db2www/
+  tcp-state established,originator
+  }
+
+signature sid-1668 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI /cgi-bin/ access"
+  http /.*[\/\\]cgi-bin[\/\\]/
+  tcp-state established,originator
+  payload /.*\/[cC][gG][iI]-[bB][iI][nN]\/ [hH][tT][tT][pP]/
+  }
+
+signature sid-1669 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI /cgi-dos/ access"
+  http /.*[\/\\]cgi-dos[\/\\]/
+  tcp-state established,originator
+  payload /.*\/[cC][gG][iI]-[dD][oO][sS]\/ [hH][tT][tT][pP]/
+  }
+
+signature sid-1051 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI technote main.cgi file directory traversal attempt"
+  http /.*[\/\\]technote[\/\\]main\.cgi/
+  tcp-state established,originator
+  payload /.*[fF][iI][lL][eE][nN][aA][mM][eE]=/
+  payload /.*\.\.\/\.\.\//
+  }
+
+signature sid-1052 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI technote print.cgi directory traversal attempt"
+  http /.*[\/\\]technote[\/\\]print\.cgi/
+  tcp-state established,originator
+  payload /.*[bB][oO][aA][rR][dD]=/
+  payload /.*\.\.\/\.\.\//
+  payload /.*%00/
+  }
+
+signature sid-1053 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI ads.cgi command execution attempt"
+  http /.*[\/\\]ads\.cgi/
+  tcp-state established,originator
+  payload /.*[fF][iI][lL][eE]=/
+  payload /.*\.\.\/\.\.\//
+  payload /.*\|/
+  }
+
+signature sid-1088 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI eXtropia webstore directory traversal"
+  http /.*[\/\\]web_store\.cgi/
+  tcp-state established,originator
+  payload /.*page=\.\.\//
+  }
+
+signature sid-1611 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI eXtropia webstore access"
+  http /.*[\/\\]web_store\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1089 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI shopping cart directory traversal"
+  http /.*[\/\\]shop\.cgi/
+  tcp-state established,originator
+  payload /.*page=\.\.\//
+  }
+
+signature sid-1090 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI Allaire Pro Web Shell attempt"
+  http /.*[\/\\]authenticate\.cgi\?PASSWORD/
+  tcp-state established,originator
+  payload /.*config\.ini/
+  }
+
+signature sid-1092 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI Armada Style Master Index directory traversal"
+  http /.*[\/\\]search\.cgi\?keys/
+  tcp-state established,originator
+  payload /.*catigory=\.\.\//
+  }
+
+signature sid-1093 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI cached_feed.cgi moreover shopping cart directory traversal"
+  http /.*[\/\\]cached_feed\.cgi/
+  tcp-state established,originator
+  payload /.*\.\.\//
+  }
+
+signature sid-2051 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI cached_feed.cgi moreover shopping cart access"
+  http /.*[\/\\]cached_feed\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1097 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI Talentsoft Web+ exploit attempt"
+  http /.*[\/\\]webplus\.cgi\?Script=[\/\\]webplus[\/\\]webping[\/\\]webping\.wml/
+  tcp-state established,originator
+  }
+
+signature sid-1106 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI Poll-it access"
+  http /.*[\/\\]pollit[\/\\]Poll_It_SSI_v2\.0\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1149 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI count.cgi access"
+  http /.*[\/\\]count\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1865 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI webdist.cgi arbitrary command attempt"
+  http /.*[\/\\]webdist\.cgi/
+  tcp-state established,originator
+  payload /.*[dD][iI][sS][tT][lL][oO][cC]=;/
+  }
+
+signature sid-1163 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI webdist.cgi access"
+  http /.*[\/\\]webdist\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1172 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI bigconf.cgi access"
+  http /.*[\/\\]bigconf\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1174 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI /cgi-bin/jj access"
+  http /.*[\/\\]cgi-bin[\/\\]jj/
+  tcp-state established,originator
+  }
+
+signature sid-1185 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI bizdbsearch attempt"
+  http /.*[\/\\]bizdb1-search\.cgi/
+  tcp-state established,originator
+  payload /.*[mM][aA][iI][lL]/
+  }
+
+signature sid-1535 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI bizdbsearch access"
+  http /.*[\/\\]bizdb1-search\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1194 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI sojourn.cgi File attempt"
+  http /.*[\/\\]sojourn\.cgi\?cat=/
+  tcp-state established,originator
+  payload /.*%00/
+  }
+
+signature sid-1195 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI sojourn.cgi access"
+  http /.*[\/\\]sojourn\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1196 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI SGI InfoSearch fname attempt"
+  http /.*[\/\\]infosrch\.cgi\?/
+  tcp-state established,originator
+  payload /.*[fF][nN][aA][mM][eE]=/
+  }
+
+signature sid-1727 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI SGI InfoSearch fname access"
+  http /.*[\/\\]infosrch\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1204 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI ax-admin.cgi access"
+  http /.*[\/\\]ax-admin\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1205 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI axs.cgi access"
+  http /.*[\/\\]axs\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1206 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI cachemgr.cgi access"
+  http /.*[\/\\]cachemgr\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1208 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI responder.cgi access"
+  http /.*[\/\\]responder\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1211 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI web-map.cgi access"
+  http /.*[\/\\]web-map\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1215 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI ministats admin access"
+  http /.*[\/\\]ministats[\/\\]admin\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1219 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI dfire.cgi access"
+  http /.*[\/\\]dfire\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1305 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI txt2html.cgi directory traversal attempt"
+  http /.*[\/\\]txt2html\.cgi/
+  tcp-state established,originator
+  payload /.*\/\.\.\/\.\.\/\.\.\/\.\.\//
+  }
+
+signature sid-1304 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI txt2html.cgi access"
+  http /.*[\/\\]txt2html\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1488 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI store.cgi directory traversal attempt"
+  http /.*[\/\\]store\.cgi/
+  tcp-state established,originator
+  payload /.*\.\.\//
+  }
+
+signature sid-1307 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI store.cgi access"
+  http /.*[\/\\]store\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1494 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI SIX webboard generate.cgi attempt"
+  http /.*[\/\\]generate\.cgi/
+  tcp-state established,originator
+  payload /.*content=\.\.\//
+  }
+
+signature sid-1495 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI SIX webboard generate.cgi access"
+  http /.*[\/\\]generate\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1496 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI spin_client.cgi access"
+  http /.*[\/\\]spin_client\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1787 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI csPassword.cgi access"
+  http /.*[\/\\]csPassword\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1788 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI csPassword password.cgi.tmp access"
+  http /.*[\/\\]password\.cgi\.tmp/
+  tcp-state established,originator
+  }
+
+signature sid-1763 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI Nortel Contivity cgiproc DOS attempt"
+  http /.*[\/\\]cgiproc\?Nocfile=/
+  tcp-state established,originator
+  }
+
+signature sid-1764 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI Nortel Contivity cgiproc DOS attempt"
+  http /.*[\/\\]cgiproc\?\$/
+  tcp-state established,originator
+  }
+
+signature sid-1765 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI Nortel Contivity cgiproc access"
+  http /.*[\/\\]cgiproc/
+  tcp-state established,originator
+  }
+
+signature sid-1805 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI Oracle reports CGI access"
+  http /.*[\/\\]rwcgi60/
+  tcp-state established,originator
+  payload /.*setauth=/
+  }
+
+signature sid-1822 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI alienform.cgi directory traversal attempt"
+  http /.*[\/\\]alienform\.cgi/
+  tcp-state established,originator
+  payload /.*\.\|\.\/\.\|\./
+  }
+
+signature sid-1823 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI AlienForm af.cgi directory traversal attempt"
+  http /.*[\/\\]af\.cgi/
+  tcp-state established,originator
+  payload /.*\.\|\.\/\.\|\./
+  }
+
+signature sid-1824 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI alienform.cgi access"
+  http /.*[\/\\]alienform\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1825 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI AlienForm af.cgi access"
+  http /.*[\/\\]af\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1868 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 8080
+  event "WEB-CGI story.pl arbitrary file read attempt"
+  http /.*[\/\\]story\.pl/
+  tcp-state established,originator
+  payload /.*next=\.\.\//
+  }
+
+signature sid-1869 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 8080
+  event "WEB-CGI story.pl access"
+  http /.*[\/\\]story\.pl/
+  tcp-state established,originator
+  }
+
+signature sid-1870 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI siteUserMod.cgi access"
+  http /.*[\/\\]\.cobalt[\/\\]siteUserMod[\/\\]siteUserMod\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1875 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI cgicso access"
+  http /.*[\/\\]cgicso/
+  tcp-state established,originator
+  }
+
+signature sid-1876 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI nph-publish.cgi access"
+  http /.*[\/\\]nph-publish\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1877 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI printenv access"
+  http /.*[\/\\]printenv/
+  tcp-state established,originator
+  }
+
+signature sid-1878 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI sdbsearch.cgi access"
+  http /.*[\/\\]sdbsearch\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1931 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI rpc-nlog.pl access"
+  http /.*[\/\\]rpc-nlog\.pl/
+  tcp-state established,originator
+  }
+
+signature sid-1932 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI rpc-smb.pl access"
+  http /.*[\/\\]rpc-smb\.pl/
+  tcp-state established,originator
+  }
+
+signature sid-1933 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI cart.cgi access"
+  http /.*[\/\\]cart\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1994 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI vpasswd.cgi access"
+  http /.*[\/\\]vpasswd\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1995 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI alya.cgi access"
+  http /.*[\/\\]alya\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1996 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI viralator.cgi access"
+  http /.*[\/\\]viralator\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-2001 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI smartsearch.cgi access"
+  http /.*[\/\\]smartsearch\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1862 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI mrtg.cgi directory traversal attempt"
+  http /.*[\/\\]mrtg\.cgi/
+  tcp-state established,originator
+  payload /.*cfg=\/\.\.\//
+  }
+
+signature sid-2052 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI overflow.cgi access"
+  http /.*[\/\\]overflow\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1850 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI way-board.cgi access"
+  http /.*[\/\\]way-board\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-2053 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI process_bug.cgi access"
+  http /.*[\/\\]process_bug\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-2054 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI enter_bug.cgi arbitrary command attempt"
+  http /.*[\/\\]enter_bug\.cgi/
+  tcp-state established,originator
+  payload /.*[wW][hH][oO]=.*.{0}.*;/
+  }
+
+signature sid-2055 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI enter_bug.cgi access"
+  http /.*[\/\\]enter_bug\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-2085 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI parse_xml.cgi access"
+  http /.*[\/\\]parse_xml\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-2086 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == 1220
+  event "WEB-CGI streaming server parse_xml.cgi access"
+  tcp-state established,originator
+  payload /.*\/[pP][aA][rR][sS][eE]_[xX][mM][lL]\.[cC][gG][iI]/
+  }
+
+signature sid-2115 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI album.pl access"
+  tcp-state established,originator
+  payload /.*\/[aA][lL][bB][uU][mM]\.[pP][lL]/
+  }
+
+signature sid-2116 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI chipcfg.cgi access"
+  http /.*[\/\\]chipcfg\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-2127 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI ikonboard.cgi access"
+  http /.*[\/\\]ikonboard\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-2128 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI swsrv.cgi access"
+  http /.*[\/\\]srsrv\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1233 {
+  ip-proto == tcp
+  src-ip == local_nets
+  dst-ip != local_nets
+  dst-port == http_ports
+  event "WEB-CLIENT Outlook EML access"
+  http /.*\.eml/
+  tcp-state established,originator
+  }
+
+signature sid-1735 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  src-port == http_ports
+  event "WEB-CLIENT XMLHttpRequest attempt"
+  tcp-state established,responder
+  payload /.*new XMLHttpRequest\(/
+  payload /.*[fF][iI][lL][eE]:\/\//
+  }
+
+signature sid-1284 {
+  ip-proto == tcp
+  src-ip == local_nets
+  dst-ip != local_nets
+  dst-port == http_ports
+  event "WEB-CLIENT readme.eml download attempt"
+  http /.*[\/\\]readme\.eml/
+  tcp-state established,originator
+  }
+
+signature sid-1290 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  src-port == http_ports
+  event "WEB-CLIENT readme.eml autoload attempt"
+  tcp-state established,responder
+  payload /.*[wW][iI][nN][dD][oO][wW]\.[oO][pP][eE][nN]\(\"[rR][eE][aA][dD][mM][eE]\.[eE][mM][lL]\"/
+  }
+
+signature sid-1840 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  src-port == http_ports
+  event "WEB-CLIENT Javascript document.domain attempt"
+  tcp-state established,responder
+  payload /.*[dD][oO][cC][uU][mM][eE][nN][tT]\.[dD][oO][mM][aA][iI][nN]\(/
+  }
+
+signature sid-1841 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  src-port == http_ports
+  event "WEB-CLIENT Javascript URL host spoofing attempt"
+  tcp-state established,responder
+  payload /.*[jJ][aA][vV][aA][sS][cC][rR][iI][pP][tT]:\/\//
+  }
+
+signature sid-903 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-COLDFUSION cfcache.map access"
+  http /.*[\/\\]cfcache\.map/
+  tcp-state established,originator
+  }
+
+signature sid-904 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-COLDFUSION exampleapp application.cfm"
+  http /.*[\/\\]cfdocs[\/\\]exampleapp[\/\\]email[\/\\]application\.cfm/
+  tcp-state established,originator
+  }
+
+signature sid-905 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-COLDFUSION application.cfm access"
+  http /.*[\/\\]cfdocs[\/\\]exampleapp[\/\\]publish[\/\\]admin[\/\\]application\.cfm/
+  tcp-state established,originator
+  }
+
+signature sid-906 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-COLDFUSION getfile.cfm access"
+  http /.*[\/\\]cfdocs[\/\\]exampleapp[\/\\]email[\/\\]getfile\.cfm/
+  tcp-state established,originator
+  }
+
+signature sid-907 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-COLDFUSION addcontent.cfm access"
+  http /.*[\/\\]cfdocs[\/\\]exampleapp[\/\\]publish[\/\\]admin[\/\\]addcontent\.cfm/
+  tcp-state established,originator
+  }
+
+signature sid-908 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-COLDFUSION administrator access"
+  http /.*[\/\\]cfide[\/\\]administrator[\/\\]index\.cfm/
+  tcp-state established,originator
+  }
+
+signature sid-909 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-COLDFUSION datasource username attempt"
+  tcp-state established,originator
+  payload /.*[cC][fF]_[sS][eE][tT][dD][aA][tT][aA][sS][oO][uU][rR][cC][eE][uU][sS][eE][rR][nN][aA][mM][eE]\(\)/
+  }
+
+signature sid-910 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-COLDFUSION fileexists.cfm access"
+  http /.*[\/\\]cfdocs[\/\\]snippets[\/\\]fileexists\.cfm/
+  tcp-state established,originator
+  }
+
+signature sid-911 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-COLDFUSION exprcalc access"
+  http /.*[\/\\]cfdocs[\/\\]expeval[\/\\]exprcalc\.cfm/
+  tcp-state established,originator
+  }
+
+signature sid-912 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-COLDFUSION parks access"
+  http /.*[\/\\]cfdocs[\/\\]examples[\/\\]parks[\/\\]detail\.cfm/
+  tcp-state established,originator
+  }
+
+signature sid-913 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-COLDFUSION cfappman access"
+  http /.*[\/\\]cfappman[\/\\]index\.cfm/
+  tcp-state established,originator
+  }
+
+signature sid-914 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-COLDFUSION beaninfo access"
+  http /.*[\/\\]cfdocs[\/\\]examples[\/\\]cvbeans[\/\\]beaninfo\.cfm/
+  tcp-state established,originator
+  }
+
+signature sid-915 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-COLDFUSION evaluate.cfm access"
+  http /.*[\/\\]cfdocs[\/\\]snippets[\/\\]evaluate\.cfm/
+  tcp-state established,originator
+  }
+
+signature sid-916 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-COLDFUSION getodbcdsn access"
+  tcp-state established,originator
+  payload /.*[cC][fF][uU][sS][iI][oO][nN]_[gG][eE][tT][oO][dD][bB][cC][dD][sS][nN]\(\)/
+  }
+
+signature sid-917 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-COLDFUSION db connections flush attempt"
+  tcp-state established,originator
+  payload /.*[cC][fF][uU][sS][iI][oO][nN]_[dD][bB][cC][oO][nN][nN][eE][cC][tT][iI][oO][nN][sS]_[fF][lL][uU][sS][hH]\(\)/
+  }
+
+signature sid-918 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-COLDFUSION expeval access"
+  http /.*[\/\\]cfdocs[\/\\]expeval[\/\\]/
+  tcp-state established,originator
+  }
+
+signature sid-919 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-COLDFUSION datasource passwordattempt"
+  tcp-state established,originator
+  payload /.*[cC][fF]_[sS][eE][tT][dD][aA][tT][aA][sS][oO][uU][rR][cC][eE][pP][aA][sS][sS][wW][oO][rR][dD]\(\)/
+  }
+
+signature sid-920 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-COLDFUSION datasource attempt"
+  tcp-state established,originator
+  payload /.*[cC][fF]_[iI][sS][cC][oO][lL][dD][fF][uU][sS][iI][oO][nN][dD][aA][tT][aA][sS][oO][uU][rR][cC][eE]\(\)/
+  }
+
+signature sid-921 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-COLDFUSION admin encrypt attempt"
+  tcp-state established,originator
+  payload /.*[cC][fF][uU][sS][iI][oO][nN]_[eE][nN][cC][rR][yY][pP][tT]\(\)/
+  }
+
+signature sid-922 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-COLDFUSION displayfile access"
+  http /.*[\/\\]cfdocs[\/\\]expeval[\/\\]displayopenedfile\.cfm/
+  tcp-state established,originator
+  }
+
+signature sid-923 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-COLDFUSION getodbcin attempt"
+  tcp-state established,originator
+  payload /.*[cC][fF][uU][sS][iI][oO][nN]_[gG][eE][tT][oO][dD][bB][cC][iI][nN][iI]\(\)/
+  }
+
+signature sid-924 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-COLDFUSION admin decrypt attempt"
+  tcp-state established,originator
+  payload /.*[cC][fF][uU][sS][iI][oO][nN]_[dD][eE][cC][rR][yY][pP][tT]\(\)/
+  }
+
+signature sid-925 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-COLDFUSION mainframeset access"
+  http /.*[\/\\]cfdocs[\/\\]examples[\/\\]mainframeset\.cfm/
+  tcp-state established,originator
+  }
+
+signature sid-926 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-COLDFUSION set odbc ini attempt"
+  tcp-state established,originator
+  payload /.*[cC][fF][uU][sS][iI][oO][nN]_[sS][eE][tT][oO][dD][bB][cC][iI][nN][iI]\(\)/
+  }
+
+signature sid-927 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-COLDFUSION settings refresh attempt"
+  tcp-state established,originator
+  payload /.*[cC][fF][uU][sS][iI][oO][nN]_[sS][eE][tT][tT][iI][nN][gG][sS]_[rR][eE][fF][rR][eE][sS][hH]\(\)/
+  }
+
+signature sid-928 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-COLDFUSION exampleapp access"
+  http /.*[\/\\]cfdocs[\/\\]exampleapp[\/\\]/
+  tcp-state established,originator
+  }
+
+signature sid-929 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-COLDFUSION CFUSION_VERIFYMAIL access"
+  tcp-state established,originator
+  payload /.*[cC][fF][uU][sS][iI][oO][nN]_[vV][eE][rR][iI][fF][yY][mM][aA][iI][lL]\(\)/
+  }
+
+signature sid-930 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-COLDFUSION snippets attempt"
+  http /.*[\/\\]cfdocs[\/\\]snippets[\/\\]/
+  tcp-state established,originator
+  }
+
+signature sid-931 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-COLDFUSION cfmlsyntaxcheck.cfm access"
+  http /.*[\/\\]cfdocs[\/\\]cfmlsyntaxcheck\.cfm/
+  tcp-state established,originator
+  }
+
+signature sid-932 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-COLDFUSION application.cfm access"
+  http /.*[\/\\]application\.cfm/
+  tcp-state established,originator
+  }
+
+signature sid-933 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-COLDFUSION onrequestend.cfm access"
+  http /.*[\/\\]onrequestend\.cfm/
+  tcp-state established,originator
+  }
+
+signature sid-935 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-COLDFUSION startstop DOS access"
+  http /.*[\/\\]cfide[\/\\]administrator[\/\\]startstop\.html/
+  tcp-state established,originator
+  }
+
+signature sid-936 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-COLDFUSION gettempdirectory.cfm access "
+  http /.*[\/\\]cfdocs[\/\\]snippets[\/\\]gettempdirectory\.cfm/
+  tcp-state established,originator
+  }
+
+signature sid-1659 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-COLDFUSION sendmail.cfm access"
+  http /.*[\/\\]sendmail\.cfm/
+  tcp-state established,originator
+  }
+
+signature sid-1540 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-COLDFUSION ?Mode=debug attempt"
+  http /.*Mode=debug/
+  tcp-state established,originator
+  }
+
+signature sid-1248 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-FRONTPAGE rad fp30reg.dll access"
+  http /.*[\/\\]fp30reg\.dll/
+  tcp-state established,originator
+  }
+
+signature sid-1249 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-FRONTPAGE frontpage rad fp4areg.dll access"
+  http /.*[\/\\]fp4areg\.dll/
+  tcp-state established,originator
+  }
+
+signature sid-937 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-FRONTPAGE _vti_rpc access"
+  http /.*[\/\\]_vti_rpc/
+  tcp-state established,originator
+  }
+
+signature sid-939 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-FRONTPAGE posting"
+  http /.*[\/\\]author\.dll/
+  tcp-state established,originator
+  payload /.*[pP][oO][sS][tT]/
+  }
+
+signature sid-940 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-FRONTPAGE shtml.dll access"
+  http /.*[\/\\]_vti_bin[\/\\]shtml\.dll/
+  tcp-state established,originator
+  }
+
+signature sid-941 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-FRONTPAGE contents.htm access"
+  http /.*[\/\\]admcgi[\/\\]contents\.htm/
+  tcp-state established,originator
+  }
+
+signature sid-942 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-FRONTPAGE orders.htm access"
+  http /.*[\/\\]_private[\/\\]orders\.htm/
+  tcp-state established,originator
+  }
+
+signature sid-943 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-FRONTPAGE fpsrvadm.exe access"
+  http /.*[\/\\]fpsrvadm\.exe/
+  tcp-state established,originator
+  }
+
+signature sid-944 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-FRONTPAGE fpremadm.exe access"
+  http /.*[\/\\]fpremadm\.exe/
+  tcp-state established,originator
+  }
+
+signature sid-945 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-FRONTPAGE fpadmin.htm access"
+  http /.*[\/\\]admisapi[\/\\]fpadmin\.htm/
+  tcp-state established,originator
+  }
+
+signature sid-946 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-FRONTPAGE fpadmcgi.exe access"
+  http /.*[\/\\]scripts[\/\\]Fpadmcgi\.exe/
+  tcp-state established,originator
+  }
+
+signature sid-947 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-FRONTPAGE orders.txt access"
+  http /.*[\/\\]_private[\/\\]orders\.txt/
+  tcp-state established,originator
+  }
+
+signature sid-948 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-FRONTPAGE form_results access"
+  http /.*[\/\\]_private[\/\\]form_results\.txt/
+  tcp-state established,originator
+  }
+
+signature sid-949 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-FRONTPAGE registrations.htm access"
+  http /.*[\/\\]_private[\/\\]registrations\.htm/
+  tcp-state established,originator
+  }
+
+signature sid-950 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-FRONTPAGE cfgwiz.exe access"
+  http /.*[\/\\]cfgwiz\.exe/
+  tcp-state established,originator
+  }
+
+signature sid-951 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-FRONTPAGE authors.pwd access"
+  http /.*[\/\\]authors\.pwd/
+  tcp-state established,originator
+  }
+
+signature sid-952 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-FRONTPAGE author.exe access"
+  http /.*[\/\\]_vti_bin[\/\\]_vti_aut[\/\\]author\.exe/
+  tcp-state established,originator
+  }
+
+signature sid-953 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-FRONTPAGE administrators.pwd access"
+  http /.*[\/\\]administrators\.pwd/
+  tcp-state established,originator
+  }
+
+signature sid-954 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-FRONTPAGE form_results.htm access"
+  http /.*[\/\\]_private[\/\\]form_results\.htm/
+  tcp-state established,originator
+  }
+
+signature sid-955 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-FRONTPAGE access.cnf access"
+  http /.*[\/\\]_vti_pvt[\/\\]access\.cnf/
+  tcp-state established,originator
+  }
+
+signature sid-956 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-FRONTPAGE register.txt access"
+  http /.*[\/\\]_private[\/\\]register\.txt/
+  tcp-state established,originator
+  }
+
+signature sid-957 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-FRONTPAGE registrations.txt access"
+  http /.*[\/\\]_private[\/\\]registrations\.txt/
+  tcp-state established,originator
+  }
+
+signature sid-958 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-FRONTPAGE service.cnf access"
+  http /.*[\/\\]_vti_pvt[\/\\]service\.cnf/
+  tcp-state established,originator
+  }
+
+signature sid-959 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-FRONTPAGE service.pwd"
+  http /.*[\/\\]service\.pwd/
+  tcp-state established,originator
+  }
+
+signature sid-960 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-FRONTPAGE service.stp access"
+  http /.*[\/\\]_vti_pvt[\/\\]service\.stp/
+  tcp-state established,originator
+  }
+
+signature sid-961 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-FRONTPAGE services.cnf access"
+  http /.*[\/\\]_vti_pvt[\/\\]services\.cnf/
+  tcp-state established,originator
+  }
+
+signature sid-962 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-FRONTPAGE shtml.exe access"
+  http /.*[\/\\]_vti_bin[\/\\]shtml\.exe/
+  tcp-state established,originator
+  }
+
+signature sid-963 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-FRONTPAGE svcacl.cnf access"
+  http /.*[\/\\]_vti_pvt[\/\\]svcacl\.cnf/
+  tcp-state established,originator
+  }
+
+signature sid-964 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-FRONTPAGE users.pwd access"
+  http /.*[\/\\]users\.pwd/
+  tcp-state established,originator
+  }
+
+signature sid-965 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-FRONTPAGE writeto.cnf access"
+  http /.*[\/\\]_vti_pvt[\/\\]writeto\.cnf/
+  tcp-state established,originator
+  }
+
+signature sid-966 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-FRONTPAGE fourdots request"
+  tcp-state established,originator
+  payload /.*\x2e\x2e\x2e\x2e\x2f/
+  }
+
+signature sid-967 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-FRONTPAGE dvwssr.dll access"
+  http /.*[\/\\]dvwssr\.dll/
+  tcp-state established,originator
+  }
+
+signature sid-968 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-FRONTPAGE register.htm access"
+  http /.*[\/\\]_private[\/\\]register\.htm/
+  tcp-state established,originator
+  }
+
+signature sid-1288 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-FRONTPAGE /_vti_bin/ access"
+  http /.*[\/\\]_vti_bin[\/\\]/
+  tcp-state established,originator
+  }
+
+signature sid-1970 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == http_ports
+  event "WEB-IIS MDAC Content-Type overflow attempt"
+  http /.*[\/\\]msadcs\.dll/
+  tcp-state established,originator
+  payload /.*Content-Type:[^\x0A]{50}/
+  }
+
+signature sid-1076 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS repost.asp access"
+  http /.*[\/\\]scripts[\/\\]repost\.asp/
+  tcp-state established,originator
+  }
+
+signature sid-1806 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS .htr Transfer-Encoding: chunked"
+  http /.*\.htr/
+  tcp-state established,originator
+  payload /.*[tT][rR][aA][nN][sS][fF][eE][rR]-[eE][nN][cC][oO][dD][iI][nN][gG]:/
+  payload /.*[cC][hH][uU][nN][kK][eE][dD]/
+  }
+
+signature sid-1618 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS .asp Transfer-Encoding: chunked"
+  http /.*\.asp/
+  tcp-state established,originator
+  payload /.*[tT][rR][aA][nN][sS][fF][eE][rR]-[eE][nN][cC][oO][dD][iI][nN][gG]:/
+  payload /.*[cC][hH][uU][nN][kK][eE][dD]/
+  }
+
+signature sid-1626 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS /StoreCSVS/InstantOrder.asmx request"
+  http /.*[\/\\]StoreCSVS[\/\\]InstantOrder\.asmx/
+  tcp-state established,originator
+  }
+
+signature sid-1750 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS users.xml access"
+  http /.*[\/\\]users\.xml/
+  tcp-state established,originator
+  }
+
+signature sid-1753 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS as_web.exe access"
+  http /.*[\/\\]as_web\.exe/
+  tcp-state established,originator
+  }
+
+signature sid-1754 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS as_web4.exe access"
+  http /.*[\/\\]as_web4\.exe/
+  tcp-state established,originator
+  }
+
+signature sid-1756 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS NewsPro administration authentication attempt"
+  tcp-state established,originator
+  payload /.*logged,true/
+  }
+
+signature sid-1772 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS pbserver access"
+  http /.*[\/\\]pbserver[\/\\]pbserver\.dll/
+  tcp-state established,originator
+  }
+
+signature sid-1660 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS trace.axd access"
+  http /.*[\/\\]trace\.axd/
+  tcp-state established,originator
+  }
+
+signature sid-1484 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS /isapi/tstisapi.dll access"
+  http /.*[\/\\]isapi[\/\\]tstisapi\.dll/
+  tcp-state established,originator
+  }
+
+signature sid-1485 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS mkilog.exe access"
+  http /.*[\/\\]mkilog\.exe/
+  tcp-state established,originator
+  }
+
+signature sid-1486 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS ctss.idc access"
+  http /.*[\/\\]ctss\.idc/
+  tcp-state established,originator
+  }
+
+signature sid-1487 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS /iisadmpwd/aexp2.htr access"
+  http /.*[\/\\]iisadmpwd[\/\\]aexp2\.htr/
+  tcp-state established,originator
+  }
+
+signature sid-969 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS WebDAV file lock attempt"
+  tcp-state established,originator
+  payload /LOCK /
+  }
+
+signature sid-971 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS ISAPI .printer access"
+  http /.*\.printer/
+  tcp-state established,originator
+  }
+
+signature sid-1243 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS ISAPI .ida attempt"
+  http /.*\.ida\?/
+  tcp-state established,originator
+  }
+
+signature sid-1242 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS ISAPI .ida access"
+  http /.*\.ida/
+  tcp-state established,originator
+  }
+
+signature sid-1244 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS ISAPI .idq attempt"
+  http /.*\.idq\?/
+  tcp-state established,originator
+  }
+
+signature sid-1245 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS ISAPI .idq access"
+  http /.*\.idq/
+  tcp-state established,originator
+  }
+
+signature sid-972 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS %2E-asp access"
+  http /.*%2e\.asp/
+  tcp-state established,originator
+  }
+
+signature sid-973 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS *.idc attempt"
+  http /.*[\/\\]\*\.idc/
+  tcp-state established,originator
+  }
+
+signature sid-974 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS .... access"
+  tcp-state established,originator
+  payload /.*\x2e\x2e\x5c\x2e\x2e/
+  }
+
+signature sid-975 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS .asp::$DATA access"
+  http /.*\.asp\x3a\x3a\$DATA/
+  tcp-state established,originator
+  }
+
+signature sid-976 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS .bat? access"
+  http /.*\.bat\?/
+  tcp-state established,originator
+  }
+
+signature sid-977 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS .cnf access"
+  http /.*\.cnf/
+  tcp-state established,originator
+  }
+
+signature sid-978 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS ASP contents view"
+  tcp-state established,originator
+  payload /.*%20/
+  payload /.*&[cC][iI][rR][eE][sS][tT][rR][iI][cC][tT][iI][oO][nN]=[nN][oO][nN][eE]/
+  payload /.*&[cC][iI][hH][iI][lL][iI][tT][eE][tT][yY][pP][eE]=[fF][uU][lL][lL]/
+  }
+
+signature sid-979 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS ASP contents view"
+  http /.*\.htw\?CiWebHitsFile/
+  tcp-state established,originator
+  }
+
+signature sid-980 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS CGImail.exe access"
+  http /.*[\/\\]scripts[\/\\]CGImail\.exe/
+  tcp-state established,originator
+  }
+
+signature sid-981 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS unicode directory traversal attempt"
+  tcp-state established,originator
+  payload /.*\/\.\.%[cC]0%[aA][fF]\.\.\//
+  }
+
+signature sid-982 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS unicode directory traversal attempt"
+  tcp-state established,originator
+  payload /.*\/\.\.%[cC]1%1[cC]\.\.\//
+  }
+
+signature sid-983 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS unicode directory traversal attempt"
+  tcp-state established,originator
+  payload /.*\/\.\.%[cC]1%9[cC]\.\.\//
+  }
+
+signature sid-1945 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS unicode directory traversal attempt"
+  tcp-state established,originator
+  payload /.*\/\.\.%255[cC]\.\./
+  }
+
+signature sid-986 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS MSProxy access"
+  http /.*[\/\\]scripts[\/\\]proxy[\/\\]w3proxy\.dll/
+  tcp-state established,originator
+  }
+
+signature sid-1725 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS +.htr code fragment attempt"
+  http /.*\+\.htr/
+  tcp-state established,originator
+  }
+
+signature sid-987 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS .htr access"
+  http /.*\.htr/
+  tcp-state established,originator
+  }
+
+signature sid-988 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS SAM Attempt"
+  tcp-state established,originator
+  payload /.*[sS][aA][mM]\._/
+  }
+
+signature sid-989 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS Unicode2.pl script (File permission canonicalization)"
+  http /.*[\/\\]sensepost\.exe/
+  tcp-state established,originator
+  }
+
+signature sid-990 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS _vti_inf access"
+  http /.*_vti_inf\.html/
+  tcp-state established,originator
+  }
+
+signature sid-991 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS achg.htr access"
+  http /.*[\/\\]iisadmpwd[\/\\]achg\.htr/
+  tcp-state established,originator
+  }
+
+signature sid-994 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS /scripts/iisadmin/default.htm access"
+  http /.*[\/\\]scripts[\/\\]iisadmin[\/\\]default\.htm/
+  tcp-state established,originator
+  }
+
+signature sid-995 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS ism.dll access"
+  http /.*[\/\\]scripts[\/\\]iisadmin[\/\\]ism\.dll\?http[\/\\]dir/
+  tcp-state established,originator
+  }
+
+signature sid-996 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS anot.htr access"
+  http /.*[\/\\]iisadmpwd[\/\\]anot/
+  tcp-state established,originator
+  }
+
+signature sid-997 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS asp-dot attempt"
+  http /.*\.asp\./
+  tcp-state established,originator
+  }
+
+signature sid-998 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS asp-srch attempt"
+  http /.*#filename=\*\.asp/
+  tcp-state established,originator
+  }
+
+signature sid-1000 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS bdir.htr access"
+  http /.*[\/\\]bdir\.htr/
+  tcp-state established,originator
+  }
+
+signature sid-1661 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS cmd32.exe access"
+  tcp-state established,originator
+  payload /.*[cC][mM][dD]32\.[eE][xX][eE]/
+  }
+
+signature sid-1002 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS cmd.exe access"
+  tcp-state established,originator
+  payload /.*[cC][mM][dD]\.[eE][xX][eE]/
+  }
+
+signature sid-1003 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS cmd? access"
+  tcp-state established,originator
+  payload /.*\.[cC][mM][dD]\?&/
+  }
+
+signature sid-1007 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS cross-site scripting attempt"
+  http /.*[\/\\]Form_JScript\.asp/
+  tcp-state established,originator
+  }
+
+signature sid-1380 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS cross-site scripting attempt"
+  http /.*[\/\\]Form_VBScript\.asp/
+  tcp-state established,originator
+  }
+
+signature sid-1008 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS del attempt"
+  tcp-state established,originator
+  payload /.*&[dD][eE][lL]\+\/[sS]\+[cC]\x3a\\\*\.\*/
+  }
+
+signature sid-1009 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS directory listing"
+  http /.*[\/\\]ServerVariables_Jscript\.asp/
+  tcp-state established,originator
+  }
+
+signature sid-1010 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS encoding access"
+  tcp-state established,originator
+  payload /.*\x25\x31\x75/
+  }
+
+signature sid-1011 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS exec-src access"
+  tcp-state established,originator
+  payload /.*#[fF][iI][lL][eE][nN][aA][mM][eE]=\*\.[eE][xX][eE]/
+  }
+
+signature sid-1012 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS fpcount attempt"
+  http /.*[\/\\]fpcount\.exe/
+  tcp-state established,originator
+  payload /.*[dD][iI][gG][iI][tT][sS]=/
+  }
+
+signature sid-1013 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS fpcount access"
+  http /.*[\/\\]fpcount\.exe/
+  tcp-state established,originator
+  }
+
+signature sid-1015 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS getdrvs.exe access"
+  http /.*[\/\\]scripts[\/\\]tools[\/\\]getdrvs\.exe/
+  tcp-state established,originator
+  }
+
+signature sid-1016 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS global.asa access"
+  http /.*[\/\\]global\.asa/
+  tcp-state established,originator
+  }
+
+signature sid-1017 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS idc-srch attempt"
+  tcp-state established,originator
+  payload /.*#[fF][iI][lL][eE][nN][aA][mM][eE]=\*\.[iI][dD][cC]/
+  }
+
+signature sid-1018 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS iisadmpwd attempt"
+  http /.*[\/\\]iisadmpwd[\/\\]aexp/
+  tcp-state established,originator
+  }
+
+signature sid-1019 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS index server file source code attempt"
+  http /.*\?CiWebHitsFile=[\/\\]/
+  tcp-state established,originator
+  payload /.*&CiRestriction=none&CiHiliteType=Full/
+  }
+
+signature sid-1020 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS isc$data attempt"
+  http /.*\.idc\x3a\x3a\$data/
+  tcp-state established,originator
+  }
+
+signature sid-1021 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS ism.dll attempt"
+  http /.*%20%20%20%20%20\.htr/
+  tcp-state established,originator
+  }
+
+signature sid-1022 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS jet vba access"
+  http /.*[\/\\]advworks[\/\\]equipment[\/\\]catalog_type\.asp/
+  tcp-state established,originator
+  }
+
+signature sid-1023 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS msadcs.dll access"
+  http /.*[\/\\]msadcs\.dll/
+  tcp-state established,originator
+  }
+
+signature sid-1024 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS newdsn.exe access"
+  http /.*[\/\\]scripts[\/\\]tools[\/\\]newdsn\.exe/
+  tcp-state established,originator
+  }
+
+signature sid-1025 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS perl access"
+  http /.*[\/\\]scripts[\/\\]perl/
+  tcp-state established,originator
+  }
+
+signature sid-1026 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS perl-browse0a attempt"
+  http /.*%0a\.pl/
+  tcp-state established,originator
+  }
+
+signature sid-1027 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS perl-browse20 attempt"
+  http /.*%20\.pl/
+  tcp-state established,originator
+  }
+
+signature sid-1029 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS scripts-browse access"
+  http /.*[\/\\]scripts[\/\\]\x20/
+  tcp-state established,originator
+  }
+
+signature sid-1030 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS search97.vts access"
+  http /.*[\/\\]search97\.vts/
+  tcp-state established,originator
+  }
+
+signature sid-1037 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS showcode.asp access"
+  http /.*[\/\\]showcode\.asp/
+  tcp-state established,originator
+  }
+
+signature sid-1038 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS site server config access"
+  http /.*[\/\\]adsamples[\/\\]config[\/\\]site\.csc/
+  tcp-state established,originator
+  }
+
+signature sid-1039 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS srch.htm access"
+  http /.*[\/\\]samples[\/\\]isapi[\/\\]srch\.htm/
+  tcp-state established,originator
+  }
+
+signature sid-1040 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS srchadm access"
+  http /.*[\/\\]srchadm/
+  tcp-state established,originator
+  }
+
+signature sid-1041 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS uploadn.asp access"
+  http /.*[\/\\]scripts[\/\\]uploadn\.asp/
+  tcp-state established,originator
+  }
+
+signature sid-1042 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS view source via translate header"
+  tcp-state established,originator
+  payload /.*[tT][rR][aA][nN][sS][lL][aA][tT][eE]\x3a [fF]/
+  }
+
+signature sid-1043 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS viewcode.asp access"
+  http /.*[\/\\]viewcode\.asp/
+  tcp-state established,originator
+  }
+
+signature sid-1044 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS webhits access"
+  http /.*\.htw/
+  tcp-state established,originator
+  }
+
+signature sid-1726 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS doctodep.btr access"
+  http /.*doctodep\.btr/
+  tcp-state established,originator
+  }
+
+signature sid-1046 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS site/iisamples access"
+  http /.*[\/\\]site[\/\\]iisamples/
+  tcp-state established,originator
+  }
+
+signature sid-1256 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS CodeRed v2 root.exe access"
+  http /.*[\/\\]root\.exe/
+  tcp-state established,originator
+  }
+
+signature sid-1283 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS outlook web dos"
+  http /.*[\/\\]exchange[\/\\]LogonFrm\.asp\?/
+  tcp-state established,originator
+  payload /.*[mM][aA][iI][lL][bB][oO][xX]=/
+  payload /.*\x25\x25\x25/
+  }
+
+signature sid-1400 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS /scripts/samples/ access"
+  http /.*[\/\\]scripts[\/\\]samples[\/\\]/
+  tcp-state established,originator
+  }
+
+signature sid-1401 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS /msadc/samples/ access"
+  http /.*[\/\\]msadc[\/\\]samples[\/\\]/
+  tcp-state established,originator
+  }
+
+signature sid-1402 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS iissamples access"
+  http /.*[\/\\]iissamples[\/\\]/
+  tcp-state established,originator
+  }
+
+signature sid-970 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS multiple decode attempt"
+  http /.*%5c/
+  http /.*\.\./
+  tcp-state established,originator
+  }
+
+signature sid-993 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS iisadmin access"
+  http /.*[\/\\]iisadmin/
+  tcp-state established,originator
+  }
+
+signature sid-1285 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS msdac access"
+  http /.*[\/\\]msdac[\/\\]/
+  tcp-state established,originator
+  }
+
+signature sid-1286 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS _mem_bin access"
+  http /.*[\/\\]_mem_bin[\/\\]/
+  tcp-state established,originator
+  }
+
+signature sid-1595 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS htimage.exe access"
+  http /.*[\/\\]htimage\.exe/
+  tcp-state established,originator
+  }
+
+signature sid-1817 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS MS Site Server default login attempt"
+  http /.*[\/\\]SiteServer[\/\\]Admin[\/\\]knowledge[\/\\]persmbr[\/\\]/
+  tcp-state established,originator
+  payload /.*[aA][uU][tT][hH][oO][rR][iI][zZ][aA][tT][iI][oO][nN]: [bB][aA][sS][iI][cC] [tT][eE][rR][bB][uU][fF]9[bB][bB][mM]9[uU][eE][wW]1[vV][dD][xX][mM]6[tT][gG][rR][hH][cC][fF][bB][hH][cC]3[nN]3[bB]3[jJ][kK][xX][zZ][eE]=/
+  }
+
+signature sid-1818 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS MS Site Server admin attempt"
+  http /.*[\/\\]Site Server[\/\\]Admin[\/\\]knowledge[\/\\]persmbr[\/\\]/
+  tcp-state established,originator
+  }
+
+signature sid-1075 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS postinfo.asp access"
+  http /.*[\/\\]scripts[\/\\]postinfo\.asp/
+  tcp-state established,originator
+  }
+
+signature sid-1567 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS /exchange/root.asp attempt"
+  http /.*[\/\\]exchange[\/\\]root\.asp\?acs=anon/
+  tcp-state established,originator
+  }
+
+signature sid-1568 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS /exchange/root.asp access"
+  http /.*[\/\\]exchange[\/\\]root\.asp/
+  tcp-state established,originator
+  }
+
+signature sid-2090 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS WEBDAV exploit attempt"
+  tcp-state established,originator
+  payload /.*HTTP\/1\.1\x0aContent-type\x3a text\/xml\x0aHOST\x3a.{1}.*Accept\x3a \x2a\/\x2a\x0aTranslate\x3a f\x0aContent-length\x3a5276\x0a\x0a/
+  }
+
+signature sid-2091 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS WEBDAV nessus safe scan attempt"
+  tcp-state established,originator
+  payload /.*SEARCH \/ HTTP\/1\.1\x0d\x0aHost\x3a.{0,251}\x0d\x0a\x0d\x0a/
+  }
+
+signature sid-2117 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS Battleaxe Forum login.asp access"
+  http /.*myaccount[\/\\]login\.asp/
+  tcp-state established,originator
+  }
+
+signature sid-2129 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS nsiislog.dll access"
+  http /.*[\/\\]nsiislog\.dll/
+  tcp-state established,originator
+  }
+
+signature sid-2130 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS IISProtect siteadmin.asp access"
+  http /.*[\/\\]iisprotect[\/\\]admin[\/\\]SiteAdmin\.asp/
+  tcp-state established,originator
+  }
+
+signature sid-2157 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS IISProtect globaladmin.asp access"
+  http /.*[\/\\]iisprotect[\/\\]admin[\/\\]GlobalAdmin\.asp/
+  tcp-state established,originator
+  }
+
+signature sid-2131 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS IISProtect access"
+  http /.*[\/\\]iisprotect[\/\\]admin[\/\\]/
+  tcp-state established,originator
+  }
+
+signature sid-2132 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS Synchrologic Email Accelerator userid list access attempt"
+  http /.*[\/\\]en[\/\\]admin[\/\\]aggregate\.asp/
+  tcp-state established,originator
+  }
+
+signature sid-2133 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS MS BizTalk server access"
+  http /.*[\/\\]biztalkhttpreceive\.dll/
+  tcp-state established,originator
+  }
+
+signature sid-2134 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS register.asp access"
+  http /.*[\/\\]register\.asp/
+  tcp-state established,originator
+  }
+
+signature sid-1497 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC cross site scripting attempt"
+  tcp-state established,originator
+  payload /.*<[sS][cC][rR][iI][pP][tT]>/
+  }
+
+signature sid-1667 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC cross site scripting (img src=javascript) attempt"
+  tcp-state established,originator
+  payload /.*[iI][mM][gG] [sS][rR][cC]=[jJ][aA][vV][aA][sS][cC][rR][iI][pP][tT]/
+  }
+
+signature sid-1250 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Cisco IOS HTTP configuration attempt"
+  http /.*[\/\\]level[\/\\]/
+  http /.*[\/\\]exec[\/\\]/
+  tcp-state established,originator
+  }
+
+signature sid-1047 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Netscape Enterprise DOS"
+  tcp-state established,originator
+  payload /REVLOG \/ /
+  }
+
+signature sid-1048 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Netscape Enterprise directory listing attempt"
+  tcp-state established,originator
+  payload /INDEX /
+  }
+
+signature sid-1050 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC iPlanet GETPROPERTIES attempt"
+  tcp-state established,originator
+  payload /GETPROPERTIES/
+  }
+
+signature sid-1054 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC weblogic view source attempt"
+  http /.*\.js%70/
+  tcp-state established,originator
+  }
+
+signature sid-1055 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Tomcat directory traversal attempt"
+  http /.*%00\.jsp/
+  tcp-state established,originator
+  }
+
+signature sid-1056 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Tomcat view source attempt"
+  http /.*%252ejsp/
+  tcp-state established,originator
+  }
+
+signature sid-1057 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC ftp attempt"
+  tcp-state established,originator
+  payload /.*[fF][tT][pP]\.[eE][xX][eE]/
+  }
+
+signature sid-1058 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC xp_enumdsn attempt"
+  tcp-state established,originator
+  payload /.*[xX][pP]_[eE][nN][uU][mM][dD][sS][nN]/
+  }
+
+signature sid-1059 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC xp_filelist attempt"
+  tcp-state established,originator
+  payload /.*[xX][pP]_[fF][iI][lL][eE][lL][iI][sS][tT]/
+  }
+
+signature sid-1060 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC xp_availablemedia attempt"
+  tcp-state established,originator
+  payload /.*[xX][pP]_[aA][vV][aA][iI][lL][aA][bB][lL][eE][mM][eE][dD][iI][aA]/
+  }
+
+signature sid-1061 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC xp_cmdshell attempt"
+  tcp-state established,originator
+  payload /.*[xX][pP]_[cC][mM][dD][sS][hH][eE][lL][lL]/
+  }
+
+signature sid-1062 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC nc.exe attempt"
+  tcp-state established,originator
+  payload /.*[nN][cC]\.[eE][xX][eE]/
+  }
+
+signature sid-1064 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC wsh attempt"
+  tcp-state established,originator
+  payload /.*[wW][sS][hH]\.[eE][xX][eE]/
+  }
+
+signature sid-1065 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC rcmd attempt"
+  tcp-state established,originator
+  payload /.*[rR][cC][mM][dD]\.[eE][xX][eE]/
+  }
+
+signature sid-1066 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC telnet attempt"
+  tcp-state established,originator
+  payload /.*[tT][eE][lL][nN][eE][tT]\.[eE][xX][eE]/
+  }
+
+signature sid-1067 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC net attempt"
+  tcp-state established,originator
+  payload /.*[nN][eE][tT]\.[eE][xX][eE]/
+  }
+
+signature sid-1068 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC tftp attempt"
+  tcp-state established,originator
+  payload /.*[tT][fF][tT][pP]\.[eE][xX][eE]/
+  }
+
+signature sid-1069 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC xp_regread attempt"
+  tcp-state established,originator
+  payload /.*[xX][pP]_[rR][eE][gG][rR][eE][aA][dD]/
+  }
+
+signature sid-1977 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC xp_regwrite attempt"
+  tcp-state established,originator
+  payload /.*[xX][pP]_[rR][eE][gG][wW][rR][iI][tT][eE]/
+  }
+
+signature sid-1978 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC xp_regdeletekey attempt"
+  tcp-state established,originator
+  payload /.*[xX][pP]_[rR][eE][gG][dD][eE][lL][eE][tT][eE][kK][eE][yY]/
+  }
+
+signature sid-1070 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC WebDAV search access"
+  tcp-state established,originator
+  payload /.{0,1}[sS][eE][aA][rR][cC][hH] /
+  }
+
+signature sid-1071 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC .htpasswd access"
+  tcp-state established,originator
+  payload /.*\.[hH][tT][pP][aA][sS][sS][wW][dD]/
+  }
+
+signature sid-1072 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Lotus Domino directory traversal"
+  http /.*\.nsf[\/\\]/
+  http /.*\.\.[\/\\]/
+  tcp-state established,originator
+  }
+
+signature sid-1077 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC queryhit.htm access"
+  http /.*[\/\\]samples[\/\\]search[\/\\]queryhit\.htm/
+  tcp-state established,originator
+  }
+
+signature sid-1078 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC counter.exe access"
+  http /.*[\/\\]scripts[\/\\]counter\.exe/
+  tcp-state established,originator
+  }
+
+signature sid-1079 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC WebDAV propfind access"
+  tcp-state established,originator
+  payload /.*<[aA]:[pP][rR][oO][pP][fF][iI][nN][dD]/
+  payload /.*[xX][mM][lL][nN][sS]:[aA]=\"[dD][aA][vV]\">/
+  }
+
+signature sid-1080 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC unify eWave ServletExec upload"
+  http /.*[\/\\]servlet[\/\\]com\.unify\.servletexec\.UploadServlet/
+  tcp-state established,originator
+  }
+
+signature sid-1081 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Netscape Servers suite DOS"
+  http /.*[\/\\]dsgw[\/\\]bin[\/\\]search\?context=/
+  tcp-state established,originator
+  }
+
+signature sid-1082 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC amazon 1-click cookie theft"
+  tcp-state established,originator
+  payload /.*[rR][eE][fF]%3[cC][sS][cC][rR][iI][pP][tT]%20[lL][aA][nN][gG][uU][aA][gG][eE]%3[dD]%22[jJ][aA][vV][aA][sS][cC][rR][iI][pP][tT]/
+  }
+
+signature sid-1083 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC unify eWave ServletExec DOS"
+  http /.*[\/\\]servlet[\/\\]ServletExec/
+  tcp-state established,originator
+  }
+
+signature sid-1084 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Allaire JRUN DOS attempt"
+  http /.*servlet[\/\\]\.\.\.\.\.\.\./
+  tcp-state established,originator
+  }
+
+signature sid-1091 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC ICQ Webfront HTTP DOS"
+  http /.*\?\?\?\?\?\?\?\?\?\?/
+  tcp-state established,originator
+  }
+
+signature sid-1095 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Talentsoft Web+ Source Code view access"
+  http /.*[\/\\]webplus\.exe\?script=test\.wml/
+  tcp-state established,originator
+  }
+
+signature sid-1096 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Talentsoft Web+ internal IP Address access"
+  http /.*[\/\\]webplus\.exe\?about/
+  tcp-state established,originator
+  }
+
+signature sid-1098 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC SmartWin CyberOffice Shopping Cart access"
+  http /.*_private[\/\\]shopping_cart\.mdb/
+  tcp-state established,originator
+  }
+
+signature sid-1099 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC cybercop scan"
+  http /.*[\/\\]cybercop/
+  tcp-state established,originator
+  }
+
+signature sid-1100 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC L3retriever HTTP Probe"
+  tcp-state established,originator
+  payload /.*User-Agent\x3a Java1\.2\.1\x0d\x0a/
+  }
+
+signature sid-1101 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Webtrends HTTP probe"
+  tcp-state established,originator
+  payload /.*User-Agent\x3a Webtrends Security Analyzer\x0d\x0a/
+  }
+
+signature sid-1102 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Nessus 404 probe"
+  http /.*[\/\\]nessus_is_probing_you_/
+  tcp-state established,originator
+  }
+
+signature sid-1103 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Netscape admin passwd"
+  http /.*[\/\\]admin-serv[\/\\]config[\/\\]admpw/
+  tcp-state established,originator
+  }
+
+signature sid-1105 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC BigBrother access"
+  http /.*[\/\\]bb-hostsvc\.sh\?HOSTSVC/
+  tcp-state established,originator
+  }
+
+signature sid-1612 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC ftp.pl attempt"
+  http /.*[\/\\]ftp\.pl\?dir=\.\.[\/\\]\.\./
+  tcp-state established,originator
+  }
+
+signature sid-1107 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC ftp.pl access"
+  http /.*[\/\\]ftp\.pl/
+  tcp-state established,originator
+  }
+
+signature sid-1108 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Tomcat server snoop access"
+  http /.*[\/\\]jsp[\/\\]snp[\/\\]/
+  http /.*\.snp/
+  tcp-state established,originator
+  }
+
+signature sid-1109 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC ROXEN directory list attempt"
+  http /.*\x2F\x25\x30\x30/
+  tcp-state established,originator
+  }
+
+signature sid-1110 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC apache source.asp file access"
+  http /.*[\/\\]site[\/\\]eg[\/\\]source\.asp/
+  tcp-state established,originator
+  }
+
+signature sid-1111 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Tomcat server exploit access"
+  http /.*[\/\\]contextAdmin[\/\\]contextAdmin\.html/
+  tcp-state established,originator
+  }
+
+signature sid-1112 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC http directory traversal"
+  tcp-state established,originator
+  payload /.*\.\.\\/
+  }
+
+signature sid-1115 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC ICQ webserver DOS"
+  http /.*\.html[\/\\]\.\.\.\.\.\./
+  tcp-state established,originator
+  }
+
+signature sid-1116 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Lotus DelDoc attempt"
+  http /.*\?DeleteDocument/
+  tcp-state established,originator
+  }
+
+signature sid-1117 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Lotus EditDoc attempt"
+  http /.*\?EditDocument/
+  tcp-state established,originator
+  }
+
+signature sid-1118 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC ls%20-l"
+  tcp-state established,originator
+  payload /.*[lL][sS]%20-[lL]/
+  }
+
+signature sid-1119 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC mlog.phtml access"
+  http /.*[\/\\]mlog\.phtml/
+  tcp-state established,originator
+  }
+
+signature sid-1120 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC mylog.phtml access"
+  http /.*[\/\\]mylog\.phtml/
+  tcp-state established,originator
+  }
+
+signature sid-1122 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC /etc/passwd"
+  tcp-state established,originator
+  payload /.*\/[eE][tT][cC]\/[pP][aA][sS][sS][wW][dD]/
+  }
+
+signature sid-1123 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC ?PageServices access"
+  http /.*\?PageServices/
+  tcp-state established,originator
+  }
+
+signature sid-1124 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Ecommerce check.txt access"
+  http /.*[\/\\]config[\/\\]check\.txt/
+  tcp-state established,originator
+  }
+
+signature sid-1125 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC webcart access"
+  http /.*[\/\\]webcart[\/\\]/
+  tcp-state established,originator
+  }
+
+signature sid-1126 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC AuthChangeUrl access"
+  http /.*_AuthChangeUrl\?/
+  tcp-state established,originator
+  }
+
+signature sid-1127 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC convert.bas access"
+  http /.*[\/\\]scripts[\/\\]convert\.bas/
+  tcp-state established,originator
+  }
+
+signature sid-1128 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC cpshost.dll access"
+  http /.*[\/\\]scripts[\/\\]cpshost\.dll/
+  tcp-state established,originator
+  }
+
+signature sid-1129 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC .htaccess access"
+  tcp-state established,originator
+  payload /.*\.[hH][tT][aA][cC][cC][eE][sS][sS]/
+  }
+
+signature sid-1130 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC .wwwacl access"
+  http /.*\.wwwacl/
+  tcp-state established,originator
+  }
+
+signature sid-1131 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC .wwwacl access"
+  http /.*\.www_acl/
+  tcp-state established,originator
+  }
+
+signature sid-1136 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC cd.."
+  tcp-state established,originator
+  payload /.*[cC][dD]\.\./
+  }
+
+signature sid-1140 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC guestbook.pl access"
+  http /.*[\/\\]guestbook\.pl/
+  tcp-state established,originator
+  }
+
+signature sid-1613 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC handler attempt"
+  http /.*[\/\\]handler/
+  http /.*\|/
+  tcp-state established,originator
+  }
+
+signature sid-1141 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC handler access"
+  http /.*[\/\\]handler/
+  tcp-state established,originator
+  }
+
+signature sid-1142 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC /.... access"
+  tcp-state established,originator
+  payload /.*\/\.\.\.\./
+  }
+
+signature sid-1143 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC ///cgi-bin access"
+  http /.*[\/\\][\/\\][\/\\]cgi-bin/
+  tcp-state established,originator
+  }
+
+signature sid-1144 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC /cgi-bin/// access"
+  http /.*[\/\\]cgi-bin[\/\\][\/\\][\/\\]/
+  tcp-state established,originator
+  }
+
+signature sid-1145 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC /~root access"
+  http /.*[\/\\]~root/
+  tcp-state established,originator
+  }
+
+signature sid-1662 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC /~ftp access"
+  http /.*[\/\\]~ftp/
+  tcp-state established,originator
+  }
+
+signature sid-1146 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Ecommerce import.txt access"
+  http /.*[\/\\]config[\/\\]import\.txt/
+  tcp-state established,originator
+  }
+
+signature sid-1147 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC cat%20 access"
+  tcp-state established,originator
+  payload /.*[cC][aA][tT]%20/
+  }
+
+signature sid-1148 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Ecommerce import.txt access"
+  http /.*[\/\\]orders[\/\\]import\.txt/
+  tcp-state established,originator
+  }
+
+signature sid-1150 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Domino catalog.nsf access"
+  http /.*[\/\\]catalog\.nsf/
+  tcp-state established,originator
+  }
+
+signature sid-1151 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Domino domcfg.nsf access"
+  http /.*[\/\\]domcfg\.nsf/
+  tcp-state established,originator
+  }
+
+signature sid-1152 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Domino domlog.nsf access"
+  http /.*[\/\\]domlog\.nsf/
+  tcp-state established,originator
+  }
+
+signature sid-1153 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Domino log.nsf access"
+  http /.*[\/\\]log\.nsf/
+  tcp-state established,originator
+  }
+
+signature sid-1154 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Domino names.nsf access"
+  http /.*[\/\\]names\.nsf/
+  tcp-state established,originator
+  }
+
+signature sid-1575 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Domino mab.nsf access"
+  http /.*[\/\\]mab\.nsf/
+  tcp-state established,originator
+  }
+
+signature sid-1576 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Domino cersvr.nsf access"
+  http /.*[\/\\]cersvr\.nsf/
+  tcp-state established,originator
+  }
+
+signature sid-1577 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Domino setup.nsf access"
+  http /.*[\/\\]setup\.nsf/
+  tcp-state established,originator
+  }
+
+signature sid-1578 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Domino statrep.nsf access"
+  http /.*[\/\\]statrep\.nsf/
+  tcp-state established,originator
+  }
+
+signature sid-1579 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Domino webadmin.nsf access"
+  http /.*[\/\\]webadmin\.nsf/
+  tcp-state established,originator
+  }
+
+signature sid-1580 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Domino events4.nsf access"
+  http /.*[\/\\]events4\.nsf/
+  tcp-state established,originator
+  }
+
+signature sid-1581 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Domino ntsync4.nsf access"
+  http /.*[\/\\]ntsync4\.nsf/
+  tcp-state established,originator
+  }
+
+signature sid-1582 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Domino collect4.nsf access"
+  http /.*[\/\\]collect4\.nsf/
+  tcp-state established,originator
+  }
+
+signature sid-1583 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Domino mailw46.nsf access"
+  http /.*[\/\\]mailw46\.nsf/
+  tcp-state established,originator
+  }
+
+signature sid-1584 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Domino bookmark.nsf access"
+  http /.*[\/\\]bookmark\.nsf/
+  tcp-state established,originator
+  }
+
+signature sid-1585 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Domino agentrunner.nsf access"
+  http /.*[\/\\]agentrunner\.nsf/
+  tcp-state established,originator
+  }
+
+signature sid-1586 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Domino mail.box access"
+  http /.*[\/\\]mail\.box/
+  tcp-state established,originator
+  }
+
+signature sid-1155 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Ecommerce checks.txt access"
+  http /.*[\/\\]orders[\/\\]checks\.txt/
+  tcp-state established,originator
+  }
+
+signature sid-1156 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC apache DOS attempt"
+  tcp-state established,originator
+  payload /.*\x2f\x2f\x2f\x2f\x2f\x2f\x2f\x2f/
+  }
+
+signature sid-1157 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Netscape PublishingXpert access"
+  http /.*[\/\\]PSUser[\/\\]PSCOErrPage\.htm/
+  tcp-state established,originator
+  }
+
+signature sid-1158 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC windmail.exe access"
+  http /.*[\/\\]windmail\.exe/
+  tcp-state established,originator
+  }
+
+signature sid-1159 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC webplus access"
+  http /.*[\/\\]webplus\?script/
+  tcp-state established,originator
+  }
+
+signature sid-1160 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Netscape dir index wp"
+  http /.*\?wp-/
+  tcp-state established,originator
+  }
+
+signature sid-1162 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC cart 32 AdminPwd access"
+  http /.*[\/\\]c32web\.exe[\/\\]ChangeAdminPassword/
+  tcp-state established,originator
+  }
+
+signature sid-1164 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC shopping cart access"
+  http /.*[\/\\]quikstore\.cfg/
+  tcp-state established,originator
+  }
+
+signature sid-1614 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Novell Groupwise gwweb.exe attempt"
+  http /.*[\/\\]GWWEB\.EXE\?HELP=/
+  tcp-state established,originator
+  }
+
+signature sid-1165 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Novell Groupwise gwweb.exe access"
+  tcp-state established,originator
+  payload /.*\/[gG][wW][wW][eE][bB]\.[eE][xX][eE]/
+  }
+
+signature sid-1166 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC ws_ftp.ini access"
+  http /.*[\/\\]ws_ftp\.ini/
+  tcp-state established,originator
+  }
+
+signature sid-1167 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC rpm_query access"
+  http /.*[\/\\]rpm_query/
+  tcp-state established,originator
+  }
+
+signature sid-1168 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC mall log order access"
+  http /.*[\/\\]mall_log_files[\/\\]order\.log/
+  tcp-state established,originator
+  }
+
+signature sid-1173 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC architext_query.pl access"
+  http /.*[\/\\]ews[\/\\]architext_query\.pl/
+  tcp-state established,originator
+  }
+
+signature sid-1175 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC wwwboard.pl access"
+  http /.*[\/\\]wwwboard\.pl/
+  tcp-state established,originator
+  }
+
+signature sid-1176 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC order.log access"
+  http /.*[\/\\]admin_files[\/\\]order\.log/
+  tcp-state established,originator
+  }
+
+signature sid-1177 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Netscape Enterprise Server directory view"
+  http /.*\?wp-verify-link/
+  tcp-state established,originator
+  }
+
+signature sid-1180 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC get32.exe access"
+  http /.*[\/\\]get32\.exe/
+  tcp-state established,originator
+  }
+
+signature sid-1181 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Annex Terminal DOS attempt"
+  http /.*[\/\\]ping\?query=/
+  tcp-state established,originator
+  }
+
+signature sid-1182 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC cgitest.exe attempt"
+  http /.*[\/\\]cgitest\.exe\x0d\x0auser/
+  tcp-state established,originator
+  }
+
+signature sid-1587 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC cgitest.exe access"
+  http /.*[\/\\]cgitest\.exe/
+  tcp-state established,originator
+  }
+
+signature sid-1183 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Netscape Enterprise Server directory view"
+  http /.*\?wp-cs-dump/
+  tcp-state established,originator
+  }
+
+signature sid-1184 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Netscape Enterprise Server directory view"
+  http /.*\?wp-ver-info/
+  tcp-state established,originator
+  }
+
+signature sid-1186 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Netscape Enterprise Server directory view"
+  http /.*\?wp-ver-diff/
+  tcp-state established,originator
+  }
+
+signature sid-1187 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC SalesLogix Eviewer web command attempt"
+  http /.*[\/\\]slxweb\.dll[\/\\]admin\?command=/
+  tcp-state established,originator
+  }
+
+signature sid-1588 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC SalesLogix Eviewer access"
+  http /.*[\/\\]slxweb\.dll/
+  tcp-state established,originator
+  }
+
+signature sid-1188 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Netscape Enterprise Server directory view"
+  http /.*\?wp-start-ver/
+  tcp-state established,originator
+  }
+
+signature sid-1189 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Netscape Enterprise Server directory view"
+  http /.*\?wp-stop-ver/
+  tcp-state established,originator
+  }
+
+signature sid-1190 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Netscape Enterprise Server directory view"
+  http /.*\?wp-uncheckout/
+  tcp-state established,originator
+  }
+
+signature sid-1191 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Netscape Enterprise Server directory view"
+  http /.*\?wp-html-rend/
+  tcp-state established,originator
+  }
+
+signature sid-1381 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Trend Micro OfficeScan attempt"
+  http /.*[\/\\]officescan[\/\\]cgi[\/\\]jdkRqNotify\.exe\?/
+  http /.*domain=/
+  http /.*event=/
+  tcp-state established,originator
+  }
+
+signature sid-1192 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Trend Micro OfficeScan access"
+  http /.*[\/\\]officescan[\/\\]cgi[\/\\]jdkRqNotify\.exe/
+  tcp-state established,originator
+  }
+
+signature sid-1193 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC oracle web arbitrary command execution attempt"
+  http /.*[\/\\]ows-bin[\/\\]/
+  http /.*\?&/
+  tcp-state established,originator
+  }
+
+signature sid-1880 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC oracle web application server access"
+  http /.*[\/\\]ows-bin[\/\\]/
+  tcp-state established,originator
+  }
+
+signature sid-1198 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Netscape Enterprise Server directory view"
+  http /.*\?wp-usr-prop/
+  tcp-state established,originator
+  }
+
+signature sid-1202 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC search.vts access"
+  http /.*[\/\\]search\.vts/
+  tcp-state established,originator
+  }
+
+signature sid-1615 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC htgrep attempt"
+  http /.*[\/\\]htgrep/
+  tcp-state established,originator
+  payload /.*hdr=\//
+  }
+
+signature sid-1207 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC htgrep access"
+  http /.*[\/\\]htgrep/
+  tcp-state established,originator
+  }
+
+signature sid-1209 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC .nsconfig access"
+  http /.*[\/\\]\.nsconfig/
+  tcp-state established,originator
+  }
+
+signature sid-1212 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Admin_files access"
+  http /.*[\/\\]admin_files/
+  tcp-state established,originator
+  }
+
+signature sid-1213 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC backup access"
+  http /.*[\/\\]backup/
+  tcp-state established,originator
+  }
+
+signature sid-1214 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC intranet access"
+  http /.*[\/\\]intranet[\/\\]/
+  tcp-state established,originator
+  }
+
+signature sid-1216 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC filemail access"
+  http /.*[\/\\]filemail/
+  tcp-state established,originator
+  }
+
+signature sid-1217 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC plusmail access"
+  http /.*[\/\\]plusmail/
+  tcp-state established,originator
+  }
+
+signature sid-1218 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC adminlogin access"
+  http /.*[\/\\]adminlogin/
+  tcp-state established,originator
+  }
+
+signature sid-1220 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC ultraboard access"
+  http /.*[\/\\]ultraboard/
+  tcp-state established,originator
+  }
+
+signature sid-1589 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC musicat empower attempt"
+  http /.*[\/\\]empower\?DB=/
+  tcp-state established,originator
+  }
+
+signature sid-1221 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC musicat empower access"
+  http /.*[\/\\]empower/
+  tcp-state established,originator
+  }
+
+signature sid-1224 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC ROADS search.pl attempt"
+  http /.*[\/\\]ROADS[\/\\]cgi-bin[\/\\]search\.pl/
+  tcp-state established,originator
+  payload /.*[fF][oO][rR][mM]=/
+  }
+
+signature sid-1230 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC VirusWall FtpSave access"
+  http /.*[\/\\]FtpSave\.dll/
+  tcp-state established,originator
+  }
+
+signature sid-1234 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC VirusWall FtpSaveCSP access"
+  http /.*[\/\\]FtpSaveCSP\.dll/
+  tcp-state established,originator
+  }
+
+signature sid-1235 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC VirusWall FtpSaveCVP access"
+  http /.*[\/\\]FtpSaveCVP\.dll/
+  tcp-state established,originator
+  }
+
+signature sid-1236 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Tomcat sourecode view"
+  http /.*\.js%2570/
+  tcp-state established,originator
+  }
+
+signature sid-1237 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Tomcat sourecode view"
+  http /.*\.j%2573p/
+  tcp-state established,originator
+  }
+
+signature sid-1238 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Tomcat sourecode view"
+  http /.*\.%256Asp/
+  tcp-state established,originator
+  }
+
+signature sid-1241 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC SWEditServlet directory traversal attempt"
+  http /.*[\/\\]SWEditServlet/
+  tcp-state established,originator
+  payload /.*template=\.\.\/\.\.\/\.\.\//
+  }
+
+signature sid-1259 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC SWEditServlet access"
+  http /.*[\/\\]SWEditServlet/
+  tcp-state established,originator
+  }
+
+signature sid-1139 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC whisker HEAD/./"
+  tcp-state established,originator
+  payload /.*HEAD\/\.\//
+  }
+
+signature sid-1258 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC HP OpenView Manager DOS"
+  http /.*[\/\\]OvCgi[\/\\]OpenView5\.exe\?Context=Snmp&Action=Snmp&Host=&Oid=/
+  tcp-state established,originator
+  }
+
+signature sid-1260 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC long basic authorization string"
+  tcp-state established,originator
+  payload /.*[aA][uU][tT][hH][oO][rR][iI][zZ][aA][tT][iI][oO][nN]: [bB][aA][sS][iI][cC] [^\x0A]{512}/
+  }
+
+signature sid-1291 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC sml3com access"
+  http /.*[\/\\]graphics[\/\\]sml3com/
+  tcp-state established,originator
+  }
+
+signature sid-1001 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC carbo.dll access"
+  http /.*[\/\\]carbo\.dll/
+  tcp-state established,originator
+  payload /.*[iI][cC][aA][tT][cC][oO][mM][mM][aA][nN][dD]=/
+  }
+
+signature sid-1302 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC console.exe access"
+  http /.*[\/\\]cgi-bin[\/\\]console\.exe/
+  tcp-state established,originator
+  }
+
+signature sid-1303 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC cs.exe access"
+  http /.*[\/\\]cgi-bin[\/\\]cs\.exe/
+  tcp-state established,originator
+  }
+
+signature sid-1113 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC http directory traversal"
+  tcp-state established,originator
+  payload /.*\.\.\//
+  }
+
+signature sid-1375 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC sadmind worm access"
+  tcp-state established,originator
+  payload /.{0,1}GET x HTTP\/1\.0/
+  }
+
+signature sid-1376 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC jrun directory browse attempt"
+  http /.*[\/\\]%3f\.jsp/
+  tcp-state established,originator
+  }
+
+signature sid-1385 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC mod-plsql administration access"
+  http /.*[\/\\]admin_[\/\\]/
+  tcp-state established,originator
+  }
+
+signature sid-1391 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Phorecast remote code execution attempt"
+  tcp-state established,originator
+  payload /.*includedir=/
+  }
+
+signature sid-1403 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC viewcode access"
+  http /.*[\/\\]viewcode/
+  tcp-state established,originator
+  }
+
+signature sid-1404 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC showcode access"
+  http /.*[\/\\]showcode/
+  tcp-state established,originator
+  }
+
+signature sid-1433 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC .history access"
+  http /.*[\/\\]\.history/
+  tcp-state established,originator
+  }
+
+signature sid-1434 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC .bash_history access"
+  http /.*[\/\\]\.bash_history/
+  tcp-state established,originator
+  }
+
+signature sid-1489 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC /~nobody access"
+  http /.*[\/\\]~nobody/
+  tcp-state established,originator
+  }
+
+signature sid-1492 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC RBS ISP /newuser  directory traversal attempt"
+  http /.*[\/\\]newuser\?Image=\.\.[\/\\]\.\./
+  tcp-state established,originator
+  }
+
+signature sid-1493 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC RBS ISP /newuser access"
+  http /.*[\/\\]newuser/
+  tcp-state established,originator
+  }
+
+signature sid-1663 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC *%0a.pl access"
+  http /.*[\/\\]\*%0a\.pl/
+  tcp-state established,originator
+  }
+
+signature sid-1664 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC mkplog.exe access"
+  http /.*[\/\\]mkplog\.exe/
+  tcp-state established,originator
+  }
+
+signature sid-1665 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC mkilog.exe access"
+  http /.*[\/\\]mkilog\.exe/
+  tcp-state established,originator
+  }
+
+signature sid-509 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC PCCS mysql database admin tool access"
+  tcp-state established,originator
+  payload /.{0,5}[pP][cC][cC][sS][mM][yY][sS][qQ][lL][aA][dD][mM]\/[iI][nN][cC][sS]\/[dD][bB][cC][oO][nN][nN][eE][cC][tT]\.[iI][nN][cC]/
+  }
+
+signature sid-1769 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC .DS_Store access"
+  http /.*[\/\\]\.DS_Store/
+  tcp-state established,originator
+  }
+
+signature sid-1770 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC .FBCIndex access"
+  http /.*[\/\\]\.FBCIndex/
+  tcp-state established,originator
+  }
+
+signature sid-1500 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC ExAir access"
+  http /.*[\/\\]exair[\/\\]search[\/\\]/
+  tcp-state established,originator
+  }
+
+signature sid-1519 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC apache ?M=D directory list attempt"
+  http /.*[\/\\]\?M=D/
+  tcp-state established,originator
+  }
+
+signature sid-1520 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC server-info access"
+  http /.*[\/\\]server-info/
+  tcp-state established,originator
+  }
+
+signature sid-1521 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC server-status access"
+  http /.*[\/\\]server-status/
+  tcp-state established,originator
+  }
+
+signature sid-1522 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC ans.pl attempt"
+  http /.*[\/\\]ans\.pl\?p=\.\.[\/\\]\.\.[\/\\]/
+  tcp-state established,originator
+  }
+
+signature sid-1523 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC ans.pl access"
+  http /.*[\/\\]ans\.pl/
+  tcp-state established,originator
+  }
+
+signature sid-1524 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC AxisStorpoint CD attempt"
+  http /.*[\/\\]cd[\/\\]\.\.[\/\\]config[\/\\]html[\/\\]cnf_gi\.htm/
+  tcp-state established,originator
+  }
+
+signature sid-1525 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Axis Storpoint CD access"
+  http /.*[\/\\]config[\/\\]html[\/\\]cnf_gi\.htm/
+  tcp-state established,originator
+  }
+
+signature sid-1526 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC basilix sendmail.inc access"
+  http /.*[\/\\]inc[\/\\]sendmail\.inc/
+  tcp-state established,originator
+  }
+
+signature sid-1527 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC basilix mysql.class access"
+  http /.*[\/\\]class[\/\\]mysql\.class/
+  tcp-state established,originator
+  }
+
+signature sid-1528 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC BBoard access"
+  http /.*[\/\\]servlet[\/\\]sunexamples\.BBoardServlet/
+  tcp-state established,originator
+  }
+
+signature sid-1544 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Cisco Catalyst command execution attempt"
+  http /.*[\/\\]exec[\/\\]show[\/\\]config[\/\\]cr/
+  tcp-state established,originator
+  }
+
+signature sid-1546 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Cisco /%% DOS attempt"
+  http /.*[\/\\]%%/
+  tcp-state established,originator
+  }
+
+signature sid-1551 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC /CVS/Entries access"
+  http /.*[\/\\]CVS[\/\\]Entries/
+  tcp-state established,originator
+  }
+
+signature sid-1552 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC cvsweb version access"
+  http /.*[\/\\]cvsweb[\/\\]version/
+  tcp-state established,originator
+  }
+
+signature sid-1559 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC /doc/packages access"
+  http /.*[\/\\]doc[\/\\]packages/
+  tcp-state established,originator
+  }
+
+signature sid-1560 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC /doc/ access"
+  http /.*[\/\\]doc[\/\\]/
+  tcp-state established,originator
+  }
+
+signature sid-1561 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC ?open access"
+  http /.*\?open/
+  tcp-state established,originator
+  }
+
+signature sid-1563 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC login.htm attempt"
+  http /.*[\/\\]login\.htm\?password=/
+  tcp-state established,originator
+  }
+
+signature sid-1564 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC login.htm access"
+  http /.*[\/\\]login\.htm/
+  tcp-state established,originator
+  }
+
+signature sid-1603 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC DELETE attempt"
+  tcp-state established,originator
+  payload /[dD][eE][lL][eE][tT][eE] /
+  }
+
+signature sid-1670 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC /home/ftp access"
+  http /.*[\/\\]home[\/\\]ftp/
+  tcp-state established,originator
+  }
+
+signature sid-1671 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC /home/www access"
+  http /.*[\/\\]home[\/\\]www/
+  tcp-state established,originator
+  }
+
+signature sid-1738 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC global.inc access"
+  http /.*[\/\\]global\.inc/
+  tcp-state established,originator
+  }
+
+signature sid-1744 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC SecureSite authentication bypass attempt"
+  tcp-state established,originator
+  payload /.*[sS][eE][cC][uU][rR][eE]_[sS][iI][tT][eE], [oO][kK]/
+  }
+
+signature sid-1757 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC b2 arbitrary command execution attempt"
+  http /.*[\/\\]b2[\/\\]b2-include[\/\\]/
+  tcp-state established,originator
+  payload /.*b2inc/
+  payload /.*http:\/\//
+  }
+
+signature sid-1758 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC b2 access"
+  http /.*[\/\\]b2[\/\\]b2-include[\/\\]/
+  tcp-state established,originator
+  payload /.*b2inc/
+  payload /.*http:\/\//
+  }
+
+signature sid-1766 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC search.dll directory listing attempt"
+  http /.*[\/\\]search\.dll/
+  tcp-state established,originator
+  payload /.*query=%00/
+  }
+
+signature sid-1767 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC search.dll access"
+  http /.*[\/\\]search\.dll/
+  tcp-state established,originator
+  }
+
+signature sid-1498 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 8181
+  event "WEB-MISC PIX firewall manager directory traversal attempt"
+  http /.*[\/\\]\.\.[\/\\]\.\.[\/\\]/
+  tcp-state established,originator
+  }
+
+signature sid-1604 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 4080
+  event "WEB-MISC iChat directory traversal attempt"
+  http /.*[\/\\]\.\.[\/\\]\.\.[\/\\]/
+  tcp-state established,originator
+  }
+
+signature sid-1558 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 8080
+  event "WEB-MISC Delegate whois overflow attempt"
+  tcp-state established,originator
+  payload /.*[wW][hH][oO][iI][sS]:\/\//
+  }
+
+signature sid-1518 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 8000
+  event "WEB-MISC nstelemetry.adp access"
+  http /.*[\/\\]nstelemetry\.adp/
+  tcp-state established,originator
+  }
+
+signature sid-1132 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 457
+  event "WEB-MISC Netscape Unixware overflow"
+  tcp-state established,originator
+  payload /.*\xeb\x5f\x9a\xff\xff\xff\xff\x07\xff\xc3\x5e\x31\xc0\x89\x46\x9d/
+  }
+
+signature sid-1199 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 2301
+  event "WEB-MISC Compaq Insight directory traversal"
+  http /.*\.\.[\/\\]/
+  tcp-state established,originator
+  }
+
+signature sid-1231 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC VirusWall catinfo access"
+  http /.*[\/\\]catinfo/
+  tcp-state established,originator
+  }
+
+signature sid-1232 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 1812
+  event "WEB-MISC VirusWall catinfo access"
+  http /.*[\/\\]catinfo/
+  tcp-state established,originator
+  }
+
+signature sid-1809 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Apache Chunked-Encoding worm attempt"
+  tcp-state established,originator
+  payload /.*[cC][cC][cC][cC][cC][cC][cC]: [aA][aA][aA][aA][aA][aA][aA][aA][aA][aA][aA][aA][aA][aA][aA][aA][aA][aA][aA]/
+  }
+
+signature sid-1807 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Transfer-Encoding: chunked"
+  tcp-state established,originator
+  payload /.*[tT][rR][aA][nN][sS][fF][eE][rR]-[eE][nN][cC][oO][dD][iI][nN][gG]:/
+  payload /.*[cC][hH][uU][nN][kK][eE][dD]/
+  }
+
+signature sid-1814 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC CISCO VoIP DOS ATTEMPT"
+  http /.*[\/\\]StreamingStatistics/
+  tcp-state established,originator
+  }
+
+signature sid-1820 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC IBM Net.Commerce orderdspc.d2w access"
+  http /.*[\/\\]ncommerce3[\/\\]ExecMacro[\/\\]orderdspc\.d2w/
+  tcp-state established,originator
+  }
+
+signature sid-1826 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC WEB-INF access"
+  http /.*[\/\\]WEB-INF/
+  tcp-state established,originator
+  }
+
+signature sid-1827 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Tomcat servlet mapping cross site scripting attempt"
+  http /.*[\/\\]servlet[\/\\]/
+  http /.*[\/\\]org\.apache\./
+  tcp-state established,originator
+  }
+
+signature sid-1828 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC iPlanet Search directory traversal attempt"
+  http /.*[\/\\]search/
+  tcp-state established,originator
+  payload /.*NS-query-pat=/
+  payload /.*\.\.\/\.\.\//
+  }
+
+signature sid-1829 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Tomcat TroubleShooter servlet access"
+  http /.*[\/\\]examples[\/\\]servlet[\/\\]TroubleShooter/
+  tcp-state established,originator
+  }
+
+signature sid-1830 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Tomcat SnoopServlet servlet access"
+  http /.*[\/\\]examples[\/\\]servlet[\/\\]SnoopServlet/
+  tcp-state established,originator
+  }
+
+signature sid-1831 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC jigsaw dos attempt"
+  http /.*[\/\\]servlet[\/\\]con/
+  tcp-state established,originator
+  }
+
+signature sid-1835 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Macromedia SiteSpring cross site scripting attempt"
+  http /.*[\/\\]error[\/\\]500error\.jsp/
+  http /.*et=/
+  http /.*<script/
+  tcp-state established,originator
+  }
+
+signature sid-1839 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC mailman cross site scripting attempt"
+  http /.*[\/\\]mailman[\/\\]/
+  http /.*\?/
+  http /.*info=/
+  http /.*<script/
+  tcp-state established,originator
+  }
+
+signature sid-1847 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC webalizer access"
+  http /.*[\/\\]webalizer[\/\\]/
+  tcp-state established,originator
+  }
+
+signature sid-1848 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC webcart-lite access"
+  http /.*[\/\\]webcart-lite[\/\\]/
+  tcp-state established,originator
+  }
+
+signature sid-1849 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC webfind.exe access"
+  http /.*[\/\\]webfind\.exe/
+  tcp-state established,originator
+  }
+
+signature sid-1851 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC active.log access"
+  http /.*[\/\\]active\.log/
+  tcp-state established,originator
+  }
+
+signature sid-1852 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC robots.txt access"
+  http /.*[\/\\]robots\.txt/
+  tcp-state established,originator
+  }
+
+signature sid-1857 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC robot.txt access"
+  http /.*[\/\\]robot\.txt/
+  tcp-state established,originator
+  }
+
+signature sid-1858 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 8181
+  event "WEB-MISC CISCO PIX Firewall Manager directory traversal attempt"
+  http /.*[\/\\]pixfir~1[\/\\]how_to_login\.html/
+  tcp-state established,originator
+  }
+
+signature sid-1859 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 9090
+  event "WEB-MISC Sun JavaServer default password login attempt"
+  http /.*[\/\\]servlet[\/\\]admin/
+  tcp-state established,originator
+  payload /.*ae9f86d6beaa3f9ecb9a5b7e072a4138/
+  }
+
+signature sid-1860 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 8080
+  event "WEB-MISC Linksys router default password login attempt (:admin)"
+  tcp-state established,originator
+  payload /.*Authorization: Basic OmFkbWlu/
+  }
+
+signature sid-1861 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 8080
+  event "WEB-MISC Linksys router default password login attempt (admin:admin)"
+  tcp-state established,originator
+  payload /.*[aA][uU][tT][hH][oO][rR][iI][zZ][aA][tT][iI][oO][nN]: /
+  payload /.* [bB][aA][sS][iI][cC] /
+  payload /.*YWRtaW46YWRtaW4/
+  }
+
+signature sid-1871 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Oracle XSQLConfig.xml access"
+  http /.*[\/\\]XSQLConfig\.xml/
+  tcp-state established,originator
+  }
+
+signature sid-1872 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Oracle Dynamic Monitoring Services (dms) access"
+  http /.*[\/\\]dms0/
+  tcp-state established,originator
+  }
+
+signature sid-1873 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC globals.jsa access"
+  http /.*[\/\\]globals\.jsa/
+  tcp-state established,originator
+  }
+
+signature sid-1874 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Oracle Java Process Manager access"
+  http /.*[\/\\]oprocmgr-status/
+  tcp-state established,originator
+  }
+
+signature sid-1881 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC bad HTTP/1.1 request, Potentially worm attack"
+  tcp-state established,originator
+  payload /GET \/ HTTP\/1\.1\x0d\x0a\x0d\x0a/
+  }
+
+signature sid-1104 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  payload-size == 1
+  event "WEB-MISC whisker space splice attack"
+  tcp-state established,originator
+  payload /\x20/
+  }
+
+signature sid-1087 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  payload-size < 5
+  event "WEB-MISC whisker tab splice attack"
+  tcp-state established,originator
+  payload /.*\x09/
+  }
+
+signature sid-1808 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC apache chunked encoding memory corruption exploit attempt"
+  tcp-state established,originator
+  payload /.*\xC0\x50\x52\x89\xE1\x50\x51\x52\x50\xB8\x3B\x00\x00\x00\xCD\x80/
+  }
+
+signature sid-1943 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC /Carello/add.exe access"
+  http /.*[\/\\]Carello[\/\\]add\.exe/
+  tcp-state established,originator
+  }
+
+signature sid-1944 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC /ecscripts/ecware.exe access"
+  http /.*[\/\\]ecscripts[\/\\]ecware\.exe/
+  tcp-state established,originator
+  }
+
+signature sid-1969 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC ion-p access"
+  http /.*[\/\\]ion-p/
+  tcp-state established,originator
+  }
+
+signature sid-1499 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 8888
+  event "WEB-MISC SiteScope Service access"
+  http /.*[\/\\]SiteScope[\/\\]cgi[\/\\]go\.exe[\/\\]SiteScope/
+  tcp-state established,originator
+  }
+
+signature sid-1946 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 8888
+  event "WEB-MISC answerbook2 admin attempt"
+  http /.*[\/\\]cgi-bin[\/\\]admin[\/\\]admin/
+  tcp-state established,originator
+  }
+
+signature sid-1947 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 8888
+  event "WEB-MISC answerbook2 arbitrary command execution attempt"
+  http /.*[\/\\]ab2[\/\\]/
+  tcp-state established,originator
+  payload /.{1}.*;/
+  }
+
+signature sid-1979 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == http_ports
+  event "WEB-MISC perl post attempt"
+  http /.*[\/\\]perl[\/\\]/
+  tcp-state established,originator
+  payload /POST/
+  }
+
+signature sid-2056 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == http_ports
+  event "WEB-MISC TRACE attempt"
+  tcp-state established,originator
+  payload /TRACE/
+  }
+
+signature sid-2057 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == http_ports
+  event "WEB-MISC helpout.exe access"
+  http /.*[\/\\]helpout\.exe/
+  tcp-state established,originator
+  }
+
+signature sid-2058 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == http_ports
+  event "WEB-MISC MsmMask.exe attempt"
+  http /.*[\/\\]MsmMask\.exe/
+  tcp-state established,originator
+  payload /.*mask=/
+  }
+
+signature sid-2059 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == http_ports
+  event "WEB-MISC MsmMask.exe access"
+  http /.*[\/\\]MsmMask\.exe/
+  tcp-state established,originator
+  }
+
+signature sid-2060 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == http_ports
+  event "WEB-MISC DB4Web access"
+  http /.*[\/\\]DB4Web[\/\\]/
+  tcp-state established,originator
+  }
+
+signature sid-2061 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == http_ports
+  event "WEB-MISC Tomcat null byte directory listing attempt"
+  http /.*\x00\.jsp/
+  tcp-state established,originator
+  }
+
+signature sid-2062 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == http_ports
+  event "WEB-MISC iPlanet .perf access"
+  http /.*[\/\\]\.perf/
+  tcp-state established,originator
+  }
+
+signature sid-2063 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == http_ports
+  event "WEB-MISC Demarc SQL injection attempt"
+  http /.*[\/\\]dm[\/\\]demarc/
+  tcp-state established,originator
+  payload /.*s_key=.*.{0}.*'.{1}.*'.*.{0}.*'/
+  }
+
+signature sid-2064 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == http_ports
+  event "WEB-MISC Lotus Notes .csp script source download attempt"
+  http /.*\.csp/
+  tcp-state established,originator
+  payload /.*\.csp\./
+  }
+
+signature sid-2066 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == http_ports
+  event "WEB-MISC Lotus Notes .pl script source download attempt"
+  http /.*\.pl/
+  tcp-state established,originator
+  payload /.*\.pl\./
+  }
+
+signature sid-2067 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == http_ports
+  event "WEB-MISC Lotus Notes .exe script source download attempt"
+  http /.*\.exe/
+  tcp-state established,originator
+  payload /.*\.exe\./
+  }
+
+signature sid-2068 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == http_ports
+  event "WEB-MISC BitKeeper arbitrary command attempt"
+  http /.*[\/\\]diffs[\/\\]/
+  tcp-state established,originator
+  payload /.*'.*.{0}.*\x3b.{1}.*'/
+  }
+
+signature sid-2069 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == http_ports
+  event "WEB-MISC chip.ini access"
+  http /.*[\/\\]chip\.ini/
+  tcp-state established,originator
+  }
+
+signature sid-2070 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == http_ports
+  event "WEB-MISC post32.exe arbitrary command attempt"
+  http /.*[\/\\]post32\.exe\|/
+  tcp-state established,originator
+  }
+
+signature sid-2071 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == http_ports
+  event "WEB-MISC post32.exe access"
+  http /.*[\/\\]post32\.exe/
+  tcp-state established,originator
+  }
+
+signature sid-2072 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == http_ports
+  event "WEB-MISC lyris.pl access"
+  http /.*[\/\\]lyris\.pl/
+  tcp-state established,originator
+  }
+
+signature sid-2073 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == http_ports
+  event "WEB-MISC globals.pl access"
+  http /.*[\/\\]globals\.pl/
+  tcp-state established,originator
+  }
+
+signature sid-2135 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == http_ports
+  event "WEB-MISC philboard.mdb access"
+  http /.*[\/\\]philboard\.mdb/
+  tcp-state established,originator
+  }
+
+signature sid-2136 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == http_ports
+  event "WEB-MISC philboard_admin.asp authentication bypass attempt"
+  http /.*[\/\\]philboard_admin\.asp/
+  tcp-state established,originator
+  payload /.*[cC][oO][oO][kK][iI][eE].*.{0}.*philboard_admin=True/
+  }
+
+signature sid-2137 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == http_ports
+  event "WEB-MISC philboard_admin.asp access"
+  http /.*[\/\\]philboard_admin\.asp/
+  tcp-state established,originator
+  }
+
+signature sid-2138 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == http_ports
+  event "WEB-MISC logicworks.ini access"
+  http /.*[\/\\]logicworks\.ini/
+  tcp-state established,originator
+  }
+
+signature sid-2139 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == http_ports
+  event "WEB-MISC /*.shtml access"
+  http /.*[\/\\]\*\.shtml/
+  tcp-state established,originator
+  }
+
+signature sid-2156 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == http_ports
+  event "WEB-MISC mod_gzip_status access"
+  http /.*[\/\\]mod_gzip_status/
+  tcp-state established,originator
+  }
+
+signature sid-1774 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-PHP bb_smilies.php access"
+  http /.*[\/\\]bb_smilies\.php/
+  tcp-state established,originator
+  }
+
+signature sid-1423 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-PHP content-disposition memchr overflow"
+  tcp-state established,originator
+  payload /.*Content-Disposition:/
+  payload /.*name=\"\xCC\xCC\xCC\xCC\xCC/
+  }
+
+signature sid-1736 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-PHP squirrel mail spell-check arbitrary command attempt"
+  http /.*[\/\\]squirrelspell[\/\\]modules[\/\\]check_me\.mod\.php/
+  tcp-state established,originator
+  payload /.*[sS][qQ][sS][pP][eE][lL][lL]_[aA][pP][pP]\[/
+  }
+
+signature sid-1737 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-PHP squirrel mail theme arbitrary command attempt"
+  http /.*[\/\\]left_main\.php/
+  tcp-state established,originator
+  payload /.*[cC][mM][dD][dD]=/
+  }
+
+signature sid-1739 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-PHP DNSTools administrator authentication bypass attempt"
+  http /.*[\/\\]dnstools\.php/
+  tcp-state established,originator
+  payload /.*[uU][sS][eE][rR]_[lL][oO][gG][gG][eE][dD]_[iI][nN]=[tT][rR][uU][eE]/
+  payload /.*[uU][sS][eE][rR]_[dD][nN][sS][tT][oO][oO][lL][sS]_[aA][dD][mM][iI][nN][iI][sS][tT][rR][aA][tT][oO][rR]=[tT][rR][uU][eE]/
+  }
+
+signature sid-1740 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-PHP DNSTools authentication bypass attempt"
+  http /.*[\/\\]dnstools\.php/
+  tcp-state established,originator
+  payload /.*[uU][sS][eE][rR]_[lL][oO][gG][gG][eE][dD]_[iI][nN]=[tT][rR][uU][eE]/
+  }
+
+signature sid-1741 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-PHP DNSTools access"
+  http /.*[\/\\]dnstools\.php/
+  tcp-state established,originator
+  }
+
+signature sid-1742 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-PHP Blahz-DNS dostuff.php modify user attempt"
+  http /.*[\/\\]dostuff\.php\?action=modify_user/
+  tcp-state established,originator
+  }
+
+signature sid-1743 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-PHP Blahz-DNS dostuff.php access"
+  http /.*[\/\\]dostuff\.php/
+  tcp-state established,originator
+  }
+
+signature sid-1745 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-PHP Messagerie supp_membre.php access"
+  http /.*[\/\\]supp_membre\.php/
+  tcp-state established,originator
+  }
+
+signature sid-1773 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-PHP php.exe access"
+  http /.*[\/\\]php\.exe/
+  tcp-state established,originator
+  }
+
+signature sid-1815 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-PHP directory.php arbitrary command attempt"
+  http /.*[\/\\]directory\.php/
+  tcp-state established,originator
+  payload /.*dir=/
+  payload /.*;/
+  }
+
+signature sid-1816 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-PHP directory.php access"
+  http /.*[\/\\]directory\.php/
+  tcp-state established,originator
+  }
+
+signature sid-1834 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-PHP PHP-Wiki cross site scripting attempt"
+  http /.*[\/\\]modules\.php\?/
+  http /.*name=Wiki/
+  http /.*<script/
+  tcp-state established,originator
+  }
+
+signature sid-1967 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-PHP phpbb quick-reply.php arbitrary command attempt"
+  http /.*[\/\\]quick-reply\.php/
+  tcp-state established,originator
+  payload /.{1}.*phpbb_root_path=/
+  }
+
+signature sid-1968 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-PHP phpbb quick-reply.php access"
+  http /.*[\/\\]quick-reply\.php/
+  tcp-state established,originator
+  }
+
+signature sid-1997 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-PHP read_body.php access attempt"
+  http /.*[\/\\]read_body\.php/
+  tcp-state established,originator
+  }
+
+signature sid-1998 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-PHP calendar.php access"
+  http /.*[\/\\]calendar\.php/
+  tcp-state established,originator
+  }
+
+signature sid-1999 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-PHP edit_image.php access"
+  http /.*[\/\\]edit_image\.php/
+  tcp-state established,originator
+  }
+
+signature sid-2000 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-PHP readmsg.php access"
+  http /.*[\/\\]readmsg\.php/
+  tcp-state established,originator
+  }
+
+signature sid-2002 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-PHP external include path"
+  http /.*\.php/
+  tcp-state established,originator
+  payload /.*path=http:\/\//
+  }
+
+signature sid-1134 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-PHP Phorum admin access"
+  http /.*[\/\\]admin\.php3/
+  tcp-state established,originator
+  }
+
+signature sid-1161 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-PHP piranha passwd.php3 access"
+  http /.*[\/\\]passwd\.php3/
+  tcp-state established,originator
+  }
+
+signature sid-1178 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-PHP Phorum read access"
+  http /.*[\/\\]read\.php3/
+  tcp-state established,originator
+  }
+
+signature sid-1179 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-PHP Phorum violation access"
+  http /.*[\/\\]violation\.php3/
+  tcp-state established,originator
+  }
+
+signature sid-1197 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-PHP Phorum code access"
+  http /.*[\/\\]code\.php3/
+  tcp-state established,originator
+  }
+
+signature sid-1300 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-PHP admin.php file upload attempt"
+  http /.*[\/\\]admin\.php/
+  tcp-state established,originator
+  payload /.*[fF][iI][lL][eE]_[nN][aA][mM][eE]=/
+  }
+
+signature sid-1301 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-PHP admin.php access"
+  http /.*[\/\\]admin\.php/
+  tcp-state established,originator
+  }
+
+signature sid-1407 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-PHP smssend.php access"
+  http /.*[\/\\]smssend\.php/
+  tcp-state established,originator
+  }
+
+signature sid-1399 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-PHP PHP-Nuke remote file include attempt"
+  http /.*index\.php/
+  tcp-state established,originator
+  payload /.*[fF][iI][lL][eE]=[hH][tT][tT][pP]:\/\//
+  }
+
+signature sid-1490 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-PHP Phorum /support/common.php attempt"
+  http /.*[\/\\]support[\/\\]common\.php/
+  tcp-state established,originator
+  payload /.*ForumLang=\.\.\//
+  }
+
+signature sid-1491 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-PHP Phorum /support/common.php access"
+  http /.*[\/\\]support[\/\\]common\.php/
+  tcp-state established,originator
+  }
+
+signature sid-1137 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-PHP Phorum authentication access"
+  tcp-state established,originator
+  payload /.*[pP][hH][pP]_[aA][uU][tT][hH]_[uU][sS][eE][rR]=[bB][oO][oO][gG][iI][eE][mM][aA][nN]/
+  }
+
+signature sid-1085 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-PHP strings overflow"
+  tcp-state established,originator
+  payload /.*\xba\x49\xfe\xff\xff\xf7\xd2\xb9\xbf\xff\xff\xff\xf7\xd1/
+  }
+
+signature sid-1086 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-PHP strings overflow"
+  http /.*\?STRENGUR/
+  tcp-state established,originator
+  }
+
+signature sid-1254 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-PHP PHPLIB remote command attempt"
+  tcp-state established,originator
+  payload /.*_PHPLIB\[libdir\]/
+  }
+
+signature sid-1255 {
+  ip-proto == tcp
+  src-ip == http_servers
+  dst-ip != local_nets
+  dst-port == http_ports
+  event "WEB-PHP PHPLIB remote command attempt"
+  http /.*[\/\\]db_mysql\.inc/
+  tcp-state established,originator
+  }
+
+signature sid-2074 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-PHP Mambo uploadimage.php upload php file attempt"
+  http /.*[\/\\]uploadimage\.php/
+  tcp-state established,originator
+  payload /.*userfile_name=.{1}.*\.php/
+  }
+
+signature sid-2075 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-PHP Mambo upload.php upload php file attempt"
+  http /.*[\/\\]upload\.php/
+  tcp-state established,originator
+  payload /.*userfile_name=.{1}.*\.php/
+  }
+
+signature sid-2076 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-PHP Mambo uploadimage.php access"
+  http /.*[\/\\]uploadimage\.php/
+  tcp-state established,originator
+  }
+
+signature sid-2077 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-PHP Mambo upload.php access"
+  http /.*[\/\\]upload\.php/
+  tcp-state established,originator
+  }
+
+signature sid-2078 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-PHP phpBB privmsg.php access"
+  http /.*[\/\\]privmsg\.php/
+  tcp-state established,originator
+  }
+
+signature sid-2140 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-PHP p-news.php access"
+  http /.*[\/\\]p-news\.php/
+  tcp-state established,originator
+  }
+
+signature sid-2141 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-PHP shoutbox.php directory traversal attempt"
+  http /.*[\/\\]shoutbox\.php/
+  tcp-state established,originator
+  payload /.*conf=.*.{0}.*\.\.\//
+  }
+
+signature sid-2142 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-PHP shoutbox.php access"
+  http /.*[\/\\]shoutbox\.php/
+  tcp-state established,originator
+  }
+
+signature sid-2143 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-PHP b2 cafelog gm-2-b2.php remote command execution attempt"
+  http /.*[\/\\]gm-2-b2\.php/
+  tcp-state established,originator
+  payload /.*b2inc=http/
+  }
+
+signature sid-2144 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-PHP b2 cafelog gm-2-b2.php access"
+  http /.*[\/\\]gm-2-b2\.php/
+  tcp-state established,originator
+  }
+
+signature sid-2145 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-PHP TextPortal admin.php default password (admin) attempt"
+  http /.*[\/\\]admin\.php/
+  tcp-state established,originator
+  payload /.*op=admin_enter/
+  payload /.*password=admin/
+  }
+
+signature sid-2146 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-PHP TextPortal admin.php default password (12345) attempt"
+  http /.*[\/\\]admin\.php/
+  tcp-state established,originator
+  payload /.*op=admin_enter/
+  payload /.*password=12345/
+  }
+
+signature sid-2147 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-PHP BLNews objects.inc.php4 remote command execution attempt"
+  http /.*[\/\\]objects\.inc\.php4/
+  tcp-state established,originator
+  payload /.*Server\[path\]=http/
+  }
+
+signature sid-2148 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-PHP BLNews objects.inc.php4 access"
+  http /.*[\/\\]objects\.inc\.php4/
+  tcp-state established,originator
+  }
+
+signature sid-2149 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-PHP Turba status.php access"
+  http /.*[\/\\]turba[\/\\]status\.php/
+  tcp-state established,originator
+  }
+
+signature sid-2150 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-PHP ttCMS header.php remote command execution attempt"
+  http /.*[\/\\]admin[\/\\]templates[\/\\]header\.php/
+  tcp-state established,originator
+  payload /.*admin_root=http/
+  }
+
+signature sid-2151 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-PHP ttCMS header.php access"
+  http /.*[\/\\]admin[\/\\]templates[\/\\]header\.php/
+  tcp-state established,originator
+  }
+
+signature sid-2152 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-PHP test.php access"
+  http /.*[\/\\]test\.php/
+  tcp-state established,originator
+  }
+
+signature sid-2153 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-PHP autohtml.php directory traversal attempt"
+  http /.*[\/\\]autohtml\.php/
+  tcp-state established,originator
+  payload /.*name=.*.{0}.*\.\.\/\.\.\//
+  }
+
+signature sid-2154 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-PHP autohtml.php access"
+  http /.*[\/\\]autohtml\.php/
+  tcp-state established,originator
+  }
+
+signature sid-2155 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-PHP ttforum remote command execution attempt"
+  http /.*forum[\/\\]index\.php/
+  tcp-state established,originator
+  payload /.*template=http/
+  }
+
diff --git a/policy/sigs/http-bots.sig b/policy/sigs/http-bots.sig
new file mode 100644
index 0000000000..26f61c7d45
--- /dev/null
+++ b/policy/sigs/http-bots.sig
@@ -0,0 +1,93 @@
+# $Id:$
+#
+# Some signatures for detecting certain HTTP-based botnet activity.
+
+signature nethell {
+	http-request /.*php\?userid=/
+	http-request-body /userid=[0-9]{8}_/
+	event "Nethell request"
+}
+
+signature bzub {
+	http-request /.*ver=.*&lg=.*&phid=.*&r=/
+	http-request-body /phid=[A-F0-9]{64}/
+	event "bzub request"
+}
+
+signature iebho {
+	http-request /.*ver=.*&lg=.*&phid=/
+	http-request-body /phid=[A-F0-9]{32}/
+	event "IEBHO request"
+}
+
+signature bebloh {
+	payload /^GET/
+	http-request /.*get\.php\?type=slg&id=/
+	event "Bebloh request"
+}
+
+signature black_enery {
+	payload /^POST/
+	http-request-header /Cache-Control: no-cache/
+	http-request-body /.*id=.*&build_id=.*id=x.+_[0-9A-F]{8}&build_id=.+/
+	event "Black energy request"
+}
+
+signature waledec {
+	payload /^POST/
+	http-request /\/[A-Za-z0-9]+\.[pP][nN][gG]/
+	event "Waledec request"
+}
+
+signature silentbanker {
+	payload /^POST/
+	http-request /.*\/getcfg\.php/
+	event "SilentBanker request"
+}
+
+signature icepack {
+	payload /^GET/
+	http-request /.*\/exe\.php/
+	event "Icepack request"
+}
+
+signature torpig {
+	payload /^POST/
+	http-request /.*\/gate\.php/
+	event "Torpig request"
+}
+
+signature peed {
+	http-request /.*\/controller\.php\?action=/
+	http-request /.*&entity/
+	http-request /.*&rnd=/
+	event "Peed request"
+}
+
+signature gozi {
+	payload /^GET/
+	http-request /.*\?user_id=/
+	http-request /.*&version_id=/
+	http-request /.*&crc=/
+	event "Gozi request"
+}
+
+signature wsnpoem {
+	payload /^GET/
+	http-request /.*\/((cfg|config)[0-9]*)\.bin$/
+	event "wsnpoem request"
+}
+
+signature pinch {
+	payload /^POST/
+	http-request /.*\?act=online&.*s4=.*&s5=.*&nickname=/
+	http-request-body /.*msg_out=/
+	event "pinch request"
+}
+
+signature grum {
+	payload /^GET/
+	http-request /.*s_alive\.php/
+	event "Grum request"
+}
+
diff --git a/policy/sigs/p0fsyn.osf b/policy/sigs/p0fsyn.osf
new file mode 100644
index 0000000000..8767265819
--- /dev/null
+++ b/policy/sigs/p0fsyn.osf
@@ -0,0 +1,773 @@
+#
+# p0f - SYN fingerprints
+# ----------------------
+#
+# .-------------------------------------------------------------------------.
+# | The purpose of this file is to cover signatures for incoming TCP/IP     |
+# | connections (SYN packets). This is the default mode of operation for    |
+# | p0f. This is also the biggest and most up-to-date set of signatures     |
+# | shipped with this project. The file also contains a detailed discussion |
+# | of all metrics examined by p0f, and some practical notes on how to      |
+# | add new signatures.                                                     |
+# `-------------------------------------------------------------------------'
+#
+# (C) Copyright 2000-2003 by Michal Zalewski <lcamtuf@coredump.cx>
+#
+# Each line in this file specifies a single fingerprint. Please read the
+# information below carefully before attempting to append any signatures
+# reported by p0f as UNKNOWN to this file to avoid mistakes. Note that
+# this file is compatible only with the default operation mode, and not
+# with -R or -A options (SYN+ACK and RST+ modes).
+#
+# We use the following set metrics for fingerprinting:
+#
+# - Window size (WSS) - a highly OS dependent setting used for TCP/IP
+#   performance control (max. amount of data to be sent without ACK).
+#   Some systems use a fixed value for initial packets. On other
+#   systems, it is a multiple of MSS or MTU (MSS+40). In some rare
+#   cases, the value is just arbitrary.
+#
+#   NEW SIGNATURE: if p0f reported a special value of 'Snn', the number
+#   appears to be a multiple of MSS (MSS*nn); a special value of 'Tnn'
+#   means it is a multiple of MTU ((MSS+40)*nn). Unless you notice the
+#   value of nn is not fixed (unlikely), just copy the Snn or Tnn token
+#   literally. If you know this device has a simple stack and a fixed
+#   MTU, you can however multiply S value by MSS, or T value by MSS+40,
+#   and put it instead of Snn or Tnn. One system may exhibit several T
+#   or S values. In some situations, this might be a source of some
+#   additional information about the setup if you have some time to dig
+#   thru the kernel sources; in some other cases, like Windows, there seem
+#   to be a multitude of variants and WSS selection algorithms, but it's
+#   rather difficult to find a pattern without having the source.
+#
+#   If WSS looks like a regular fixed value (for example is a power of two),
+#   or if you can confirm the value is fixed by looking at several
+#   fingerprints, please quote it literaly. If there's no apparent pattern
+#   in WSS chosen, you should consider wildcarding this value - but this
+#   should be the last option.
+#
+#   NOTE: Some NAT devices, such as Linux iptables with --set-mss, will
+#   modify MSS, but not WSS. As a result, MSS is changed to reflect
+#   the MTU of the NAT device, but WSS remains a multiple of the original
+#   MSS. Fortunately for us, the source device would almost always be
+#   hooked up to Ethernet. P0f handles it automatically for the original
+#   MSS of 1460, by adding "NAT!" tag to the result.
+#
+#   In certain configurations, Linux erratically (?) uses MTU from another
+#   interface on the default gw interface. This only happens on systems with
+#   two network interfaces. Thus, some Linux systems that do not go thru NAT,
+#   but have multiple interfaces instead, will be also tagged this way.
+#
+#   P0f recognizes and automatically wildcards WSS of 12345, as generated
+#   by sendack and sendsyn utilities shipped with the program, when
+#   reporting a new signature. See test/sendack.c and test/sendsyn.c for more
+#   information about this.
+#
+# - Overall packet size - a function of all IP and TCP options and bugs.
+#   While this is partly redundant in the real world, we record this value
+#   to capture rare cases when there are IP options (which we do not currently
+#   examine) or packet data past the headers. Both situations are rare.
+#
+#   Packet size MAY be wildcarded, but the meaning of the wildcard is
+#   very special, and means the packet must be larger than PACKET_BIG
+#   (defined in config.h as 100). This is usually not necessary, except
+#   for some really broken implementations in RST+ mode. For more information,
+#   see p0fr.fp. P0f automatically wildcards big packets when reporting
+#   new signatures.
+#
+#   NEW SIGNATURE: Copy this value literally.
+#
+# - Initial TTL - We check the actual TTL of a received packet. It can't
+#   be higher than the initial TTL, and also shouldn't be dramatically
+#   lower (maximum distance is defined in config.h as 40 hops).
+#
+#   NEW SIGNATURE: *Never* copy TTL from a p0f-reported signature literally.
+#   You need to determine the initial TTL. The best way to do it is to
+#   check the documentation for a remote system, or check its settings.
+#   A fairly good method is to simply round the observed TTL up to
+#   32, 64, 128, or 255, but it should be noted that some obscure devices
+#   might not use round TTLs (in particular, some shoddy appliances and
+#   IRIX and Tru64 are known to use "original" initial TTL settings). If not
+#   sure, use traceroute or mtr to see how far you are from the host.
+#
+#   Note that -F option overrides this check if no signature can be found.
+#
+# - Don't fragment flag (DF) - some modern OSes set this to implement PMTU
+#   discovery. Others do not bother.
+#
+#   NEW SIGNATURE: Copy this value literally. Note: this setting is
+#   sometimes cleared by firewalls and/or certain connectivity clients.
+#   Try to find out what's the actual state for a given OS if you see both,
+#   and add the right one. P0f will automatically detect a case when a
+#   firewall removed the DF flag and will append "(firewall!)" suffix to
+#   the signature, so if the DF version is the right one, don't add no-DF
+#   variant, unless it has a different meaning.
+#
+# - Maximum segment size (MSS) - this setting is usually link-dependent. P0f
+#   uses it to determine link type of the remote host.
+#
+#   NEW SIGNATURE: Always wildcard this value, except for rare cases when
+#   you have an appliance with a fixed value, know the system supports only
+#   a very limited number of network interface types, or know the system
+#   is using a value it pulled out of nowhere. I use specific unique MSS
+#   to tell Google crawlbots from the rest of Linux population, for example.
+#
+#   If a specific MSS/MTU is unique to a certain link type, be sure to
+#   add it to mtu.h instead of creating several variants of each signature.
+#
+# - Window scaling (WSCALE) - this feature is used to scale WSS.
+#   It extends the size of a TCP/IP window to 32 bits, of sorts. Some modern
+#   systems implement this feature.
+#
+#   NEW SIGNATURE: Observe several signatures. Initial WSCALE is often set
+#   to zero or other low value. There's usually no need to wildcard this
+#   parameter.
+#
+# - Timestamp - some systems that implement timestamps set them to
+#   zero in the initial SYN. This case is detected and handled appropriately.
+#
+#   NEW SIGNATURE: Copy T or T0 option literally.
+#
+# - Selective ACK permitted - a flag set by systems that implement
+#   selective ACK functionality,
+#
+#   NEW SIGNATURE: copy S option literally.
+#
+# - NOP option - its presence, count and sequence is a useful OS-dependent
+#   characteristic,
+#
+#   NEW SIGNATURE: copy N options literally.
+#
+# - Other and unrecognized options (TTCP-related and such) - implemented by
+#   some eccentric or very buggy TCP/IP stacks ;-),
+#
+#   NEW SIGNATURE: copy ? options literally.
+#
+# - EOL option. Contrary to the popular belief, the presence of EOL
+#   option is actually quite rare, most systems just NOP-pad to the
+#   packet boundary.
+#
+#   NEW SIGNATURE: copy E option literally.
+#
+# - The sequence of TCP all options mentioned above - this is very
+#   specific to the implementation,
+#
+#   NEW SIGNATURE: Copy the sequence literally.
+#
+# - Quirks. Some buggy stacks set certain values that should be zeroed in a
+#   TCP packet to non-zero values. This has no effect as of today, but is
+#   a valuable source of information. Some systems actually seem to leak
+#   memory there. Other systems just exhibit harmful but very specific
+#   behavior. This section captures all unusual yes-no properties not
+#   related to the main and expected header layout. We detect the following:
+#
+#   - Data past the headers. Neither SYN nor SYN+ACK packets are supposed
+#     to carry any payload. If they do, we should take notice. The actual
+#     payload is not examined, but will be displayed if use the -X option.
+#     Note that payload is not unusual in RST+ mode (see p0fr.fp), very
+#     rare otherwise.
+#
+#   - Options past EOL. Some systems have some trailing data past EOL
+#     in the options section of TCP/IP headers. P0f does not examine this
+#     data as of today, simply detects its presence. If there is a
+#     confirmed sizable population of systems that have data past EOL, it
+#     might be a good idea to look at it. Until then, you have to recompile
+#     p0f with DEBUG_EXTRAS set or use -x to display this data,
+#
+#   - Zero IP ID. This again is a (mostly) harmless setting to use a fixed
+#     IP ID for packets with DF set. Some systems reportedly use zero ID,
+#     most OSes do not. There is a very slight probability of a false
+#     positive when IP ID is "naturally" chosen to be zero on a system
+#     that otherwise does set proper values, but the probability is
+#     neglible (if it becomes a problem, recompile p0f with IGNORE_ZEROID
+#     set in the sources).
+#
+#   - IP options specified. Usually, packets do not have any IP options
+#     set, but there can be some. Until there is a confirmed sizable
+#     population of systems that do have IP options in a packet, p0f
+#     does not examine those in detail, but it might change (use
+#     DEBUG_EXTRAS or -x to display IP options if any found),
+#
+#   - URG pointer value. SYN packets do not have URG flag set, so the
+#     value in URG pointer in TCP header is ignored. Most systems set it
+#     to zero, but some OSes (some versions of Windows, for example) do
+#     not zero this field or even simply leak memory; the actual value is
+#     not examined, because most cases seem to be just random garbage
+#     (you can use DEBUG_EXTRAS or -x to report this information though);
+#     see doc/win-memleak.txt for more information,
+#
+#   - "Unused" field value. This should be always zero, but some systems
+#     forget to clear it. This might result in some funny issues in the
+#     future. P0f checks for non-zero value (and will display it if
+#     DEBUG_EXTRAS is set, or you can use -x),
+#
+#   - ACK number non-zero. ACK value in SYN packets with no ACK flag
+#     is disregarded and is usually set to zero (just like with URG
+#     pointer), but some systems forget to do it. The exact value is
+#     not examined (but will be displayed with DEBUG_EXTRAS, or you can
+#     use -x). Note that this is not an anomaly in SYN+ACK and RST+ modes,
+#
+#   - Non-zero second timestamp. The initial SYN packet should have the
+#     second timestamp always zeroed. SYN+ACK and RST+ may "legally" have
+#     this quirk though,
+#
+#   - Unusual flags. If, in addition to SYN (or SYN+ACK), there are some
+#     auxilinary flags that do not modify the very meaning of a packet,
+#     p0f records this (this can be URG, PUSH, or something else).
+#
+#     Note: ECN flags (ECE and CWR) are ignored and denoted in a separate
+#     way. ECN is never by default, because some systems can't handle it,
+#     and it probably does not make much sense to include it in signatures
+#     right now.
+#
+#   - TCP option segment parsing problems. If p0f fails to decode options
+#     because of a badly broken packet, it records this fact.
+#
+#   There are several other quirks valid only in RST+ mode, see p0fr.fp for
+#   more information. Those quirks are unheard of in SYN and SYN+ACK
+#   modes.
+#
+#   NEW SIGNATURE: Copy "quirks" section literally.
+#
+# We DO NOT use ToS for fingerprinting. While the original TCP/IP
+# fingerprinting research believed this value would be useful for this
+# purpose, it is not. The setting is way too often tweaked by network
+# devices.
+#
+# To wildcard MSS, WSS or WSCALE, replace it with '*'. You can also use a
+# modulo operator to match any values that divide by nnn - '%nnn' (and,
+# as stated above, WSS also supports special values Snn and Tnn).
+#
+# Fingerprint entry format:
+#
+# wwww:ttt:D:ss:OOO...:QQ:OS:Details
+#
+# wwww     - window size (can be * or %nnn or Sxx or Txx)
+#	     "Snn" (multiple of MSS) and "Tnn" (multiple of MTU) are allowed.
+# ttt      - initial TTL
+# D        - don't fragment bit (0 - not set, 1 - set)
+# ss       - overall SYN packet size (* has a special meaning)
+# OOO      - option value and order specification (see below)
+# QQ       - quirks list (see below)
+# OS       - OS genre (Linux, Solaris, Windows)
+# details  - OS description (2.0.27 on x86, etc)
+#
+# If OS genre starts with '*', p0f will not show distance, link type
+# and timestamp data. It is useful for userland TCP/IP stacks of
+# network scanners and so on, where many settings are randomized or
+# bogus.
+#
+# If OS genre starts with @, it denotes an approximate hit for a group
+# of operating systems (signature reporting still enabled in this case).
+# Use this feature at the end of this file to catch cases for which
+# you don't have a precise match, but can tell it's Windows or FreeBSD
+# or whatnot by looking at, say, flag layout alone.
+#
+# If OS genre starts with - (which can prefix @ or *), the entry is
+# not considered to be a real operating system (but userland stack
+# instead). It is important to mark all scanners and so on with -,
+# so that they are not used for masquerade detection (also add this
+# prefix for signatures of application-induced behavior, such as
+# increased window size with Opera browser).
+#
+# Option block description is a list of comma or space separated
+# options in the order they appear in the packet:
+#
+# N	   - NOP option
+# E	   - EOL option
+# Wnnn	   - window scaling option, value nnn (or * or %nnn)
+# Mnnn	   - maximum segment size option, value nnn (or * or %nnn)
+# S	   - selective ACK OK
+# T 	   - timestamp
+# T0	   - timestamp with zero value
+# ?n       - unrecognized option number n.
+#
+# P0f can sometimes report ?nn among the options. This means it couldn't
+# recognize this option (option number nn). It's either a bug in p0f, or
+# a faulty TCP/IP stack, or, if the number is listed here:
+#
+#   http://www.iana.org/assignments/tcp-parameters
+#
+# ...the stack might be simply quite exotic.
+#
+# To denote no TCP options, use a single '.'.
+#
+# Quirks section is usually an empty list ('.') of oddities or bugs of this
+# particular stack. List items are not separated in any way. Possible values:
+#
+# P     - options past EOL,
+# Z	- zero IP ID,
+# I	- IP options specified,
+# U	- urg pointer non-zero,
+# X     - unused (x2) field non-zero,
+# A	- ACK number non-zero,
+# T     - non-zero second timestamp,
+# F     - unusual flags (PUSH, URG, etc),
+# D     - data payload,
+# !     - broken options segment.
+#
+# WARNING WARNING WARNING
+# -----------------------
+#
+# Do not add a system X as OS Y just because NMAP says so. It is often
+# the case that X is a NAT firewall. While nmap is talking to the
+# device itself, p0f is fingerprinting the guy behind the firewall
+# instead.
+#
+# When in doubt, use common sense, don't add something that looks like
+# a completely different system as Linux or FreeBSD or LinkSys router.
+# Check DNS name, establish a connection to the remote host and look
+# at SYN+ACK (p0f -A -S should do) - does it look similar?
+#
+# Some users tweak their TCP/IP settings - enable or disable RFC1323,
+# RFC1644 or RFC2018 support, disable PMTU discovery, change MTU, initial
+# TTL and so on. Always compare a new rule to other fingerprints for
+# this system, and verify the system isn't "customized". It is OK to
+# add signature variants caused by commonly used software (PFs, security
+# packages, etc), but it makes no sense to try to add every single
+# possible /proc/sys/net/ipv4/* tweak on Linux or so.
+#
+# KEEP IN MIND: Some packet firewalls configured to normalize outgoing
+# traffic (OpenBSD pf with "scrub" enabled, for example) will, well,
+# normalize packets. Signatures will not correspond to the originating
+# system (and probably not quite to the firewall either).
+#
+# NOTE: Try to keep this file in some reasonable order, from most to
+# least likely systems. This will speed up operation. Also keep most
+# generic and broad rules near ehe end.
+#
+# Still decided to add signature? Let us know - mail a copy of your discovery
+# to lcamtuf@coredump.cx. You can help make p0f better, and I can help you
+# make your signature more accurate.
+#
+
+##########################
+# Standard OS signatures #
+##########################
+
+# ----------------- AIX ---------------------
+
+# AIX is first because its signatures are close to NetBSD, MacOS X and
+# Linux 2.0, but it uses a fairly rare MSSes, at least sometimes...
+# This is a shoddy hack, though.
+
+45046:64:0:44:M*:.:AIX:4.3
+
+16384:64:0:44:M512:.:AIX:4.3.2 and earlier
+
+16384:64:0:60:M512,N,W%2,N,N,T:.:AIX:4.3.3-5.2 (1)
+32768:64:0:60:M512,N,W%2,N,N,T:.:AIX:4.3.3-5.2 (2)
+65535:64:0:60:M512,N,W%2,N,N,T:.:AIX:4.3.3-5.2 (3)
+
+65535:64:0:64:M*,N,W1,N,N,T,N,N,S:.:AIX:5.3 ML1
+
+# ----------------- Linux -------------------
+
+512:64:0:44:M*:.:Linux:2.0.3x (1)
+16384:64:0:44:M*:.:Linux:2.0.3x (2)
+
+# Endian snafu! Nelson says "ha-ha":
+2:64:0:44:M*:.:Linux:2.0.3x (MkLinux) on Mac (1)
+64:64:0:44:M*:.:Linux:2.0.3x (MkLinux) on Mac (2)
+
+S4:64:1:60:M1360,S,T,N,W0:.:Linux:2.4 (Google crawlbot)
+
+# Linux 2.6.0-test has an identical footprint as 2.4. I
+# wouldn't put it here until 2.6 gets a bit more, err,
+# mature (and perhaps starts to differ ;-), but many
+# people keep submitting 2.6.0-tests.
+
+S2:64:1:60:M*,S,T,N,W0:.:Linux:2.4 (big boy)
+S3:64:1:60:M*,S,T,N,W0:.:Linux:2.4.18 and newer
+S4:64:1:60:M*,S,T,N,W0:.:Linux:2.4/2.6
+
+S3:64:1:60:M*,S,T,N,W1:.:Linux:2.5 (sometimes 2.4) (1)
+S4:64:1:60:M*,S,T,N,W1:.:Linux:2.5/2.6 (sometimes 2.4) (2)
+S3:64:1:60:M*,S,T,N,W2:.:Linux:2.5 (sometimes 2.4) (3)
+S4:64:1:60:M*,S,T,N,W2:.:Linux:2.5 (sometimes 2.4) (4)
+
+S20:64:1:60:M*,S,T,N,W0:.:Linux:2.2.20 and newer
+S22:64:1:60:M*,S,T,N,W0:.:Linux:2.2 (1)
+S11:64:1:60:M*,S,T,N,W0:.:Linux:2.2 (2)
+
+# Popular cluster config scripts disable timestamps and
+# selective ACK:
+
+S4:64:1:48:M1460,N,W0:.:Linux:2.4 in cluster
+
+# This needs to be investigated. On some systems, WSS
+# is selected as a multiple of MTU instead of MSS. I got
+# many submissions for this for many late versions of 2.4:
+
+T4:64:1:60:M1412,S,T,N,W0:.:Linux:2.4 (late, uncommon)
+
+# This happens only over loopback, but let's make folks happy:
+32767:64:1:60:M16396,S,T,N,W0:.:Linux:2.4 (local)
+S8:64:1:60:M3884,S,T,N,W0:.:Linux:2.2 (local)
+
+# Opera visitors:
+16384:64:1:60:M*,S,T,N,W0:.:-Linux:2.2 (Opera?)
+32767:64:1:60:M*,S,T,N,W0:.:-Linux:2.4 (Opera?)
+
+# Some fairly common mods:
+S4:64:1:52:M*,N,N,S,N,W0:.:Linux:2.4 w/o timestamps
+S22:64:1:52:M*,N,N,S,N,W0:.:Linux:2.2 w/o timestamps
+
+# ----------------- FreeBSD -----------------
+
+16384:64:1:44:M*:.:FreeBSD:2.0-4.1
+16384:64:1:60:M*,N,W0,N,N,T:.:FreeBSD:4.4 (1)
+
+1024:64:1:60:M*,N,W0,N,N,T:.:FreeBSD:4.4 (2)
+
+57344:64:1:44:M*:.:FreeBSD:4.6-4.8 (no RFC1323)
+57344:64:1:60:M*,N,W0,N,N,T:.:FreeBSD:4.6-4.8
+
+32768:64:1:60:M*,N,W0,N,N,T:.:FreeBSD:4.8-5.1 (or MacOS X 10.2-10.3)
+65535:64:1:60:M*,N,W0,N,N,T:.:FreeBSD:4.7-5.1 (or MacOS X 10.2-10.3) (1)
+65535:64:1:60:M*,N,W1,N,N,T:.:FreeBSD:4.7-5.1 (or MacOS X 10.2-10.3) (2)
+
+65535:64:1:60:M*,N,W0,N,N,T:Z:FreeBSD:5.1-current (1)
+65535:64:1:60:M*,N,W1,N,N,T:Z:FreeBSD:5.1-current (2)
+65535:64:1:60:M*,N,W2,N,N,T:Z:FreeBSD:5.1-current (3)
+
+# 16384:64:1:60:M*,N,N,N,N,N,N,T:.:FreeBSD:4.4 (w/o timestamps)
+
+# ----------------- NetBSD ------------------
+
+16384:64:0:60:M*,N,W0,N,N,T:.:NetBSD:1.3
+65535:64:0:60:M*,N,W0,N,N,T0:.:-NetBSD:1.6 (Opera)
+16384:64:1:60:M*,N,W0,N,N,T0:.:NetBSD:1.6
+65535:64:1:60:M*,N,W1,N,N,T0:.:NetBSD:1.6W-current (DF)
+65535:64:1:60:M*,N,W0,N,N,T0:.:NetBSD:1.6X (DF)
+
+# ----------------- OpenBSD -----------------
+
+16384:64:1:64:M*,N,N,S,N,W0,N,N,T:.:OpenBSD:3.0-3.4
+57344:64:1:64:M*,N,N,S,N,W0,N,N,T:.:OpenBSD:3.3-3.4
+16384:64:0:64:M*,N,N,S,N,W0,N,N,T:.:OpenBSD:3.0-3.4 (scrub)
+65535:64:1:64:M*,N,N,S,N,W0,N,N,T:.:-OpenBSD:3.0-3.4 (Opera)
+
+# ----------------- Solaris -----------------
+
+S17:64:1:64:N,W3,N,N,T0,N,N,S,M*:.:Solaris:8 (RFC1323 on)
+S17:64:1:48:N,N,S,M*:.:Solaris:8 (1)
+S17:255:1:44:M*:.:Solaris:2.5 to 7
+
+# Sometimes, just sometimes, Solaris feels like coming up with
+# rather arbitrary MSS values ;-)
+
+S6:255:1:44:M*:.:Solaris:2.5-7
+S23:64:1:48:N,N,S,M*:.:Solaris:8 (2)
+S34:64:1:48:M*,N,N,S:.:Solaris:9
+S44:255:1:44:M*:.:Solaris:7
+
+4096:64:0:44:M1460:.:SunOS:4.1.x
+
+S34:64:1:52:M*,N,W0,N,N,S:.:Solaris:10 (beta)
+
+# ----------------- IRIX --------------------
+
+49152:60:0:44:M*:.:IRIX:6.2-6.4
+61440:60:0:44:M*:.:IRIX:6.2-6.5
+49152:60:0:52:M*,N,W2,N,N,S:.:IRIX:6.5 (RFC1323) (1)
+49152:60:0:52:M*,N,W3,N,N,S:.:IRIX:6.5 (RFC1323) (2)
+
+61440:60:0:48:M*,N,N,S:.:IRIX:6.5.12-6.5.21 (1)
+49152:60:0:48:M*,N,N,S:.:IRIX:6.5.12-6.5.21 (2)
+
+# ----------------- Tru64 -------------------
+# Tru64 and OpenVMS share the same stack on occassions.
+# Relax.
+
+32768:60:1:48:M*,N,W0:.:Tru64:4.0 (or OS/2 Warp 4)
+32768:60:0:48:M*,N,W0:.:Tru64:5.0 (or OpenVMS 7.x on Compaq 5.0 stack)
+8192:60:0:44:M1460:.:Tru64:5.1 (no RFC1323) (or QNX 6)
+61440:60:0:48:M*,N,W0:.:Tru64:v5.1a JP4 (or OpenVMS 7.x on Compaq 5.x stack)
+
+# ----------------- OpenVMS -----------------
+
+6144:64:1:60:M*,N,W0,N,N,T:.:OpenVMS:7.2 (Multinet 4.3-4.4 stack)
+
+# ----------------- MacOS -------------------
+
+S2:255:1:48:M*,W0,E:.:MacOS:8.6 classic
+
+16616:255:1:48:M*,W0,E:.:MacOS:7.3-8.6 (OTTCP)
+16616:255:1:48:M*,N,N,N,E:.:MacOS:8.1-8.6 (OTTCP)
+32768:255:1:48:M*,W0,N:.:MacOS:9.0-9.2
+
+32768:255:1:48:M1380,N,N,N,N:.:MacOS:9.1 (1) (OT 2.7.4)
+65535:255:1:48:M*,N,N,N,N:.:MacOS:9.1 (2) (OT 2.7.4)
+
+# ----------------- Windows -----------------
+
+# Windows TCP/IP stack is a mess. For most recent XP, 2000 and
+# even 98, the pathlevel, not the actual OS version, is more
+# relevant to the signature. They share the same code, so it would
+# seem. Luckily for us, almost all Windows 9x boxes have an
+# awkward MSS of 536, which I use to tell one from another
+# in most difficult cases.
+
+8192:32:1:44:M*:.:Windows:3.11 (Tucows)
+S44:64:1:64:M*,N,W0,N,N,T0,N,N,S:.:Windows:95
+8192:128:1:64:M*,N,W0,N,N,T0,N,N,S:.:Windows:95b
+
+# There were so many tweaking tools and so many stack versions for
+# Windows 98 it is no longer possible to tell them from each other
+# without some very serious research. Until then, there's an insane
+# number of signatures, for your amusement:
+
+S44:32:1:48:M*,N,N,S:.:Windows:98 (low TTL) (1)
+8192:32:1:48:M*,N,N,S:.:Windows:98 (low TTL) (2)
+%8192:64:1:48:M536,N,N,S:.:Windows:98 (13)
+%8192:128:1:48:M536,N,N,S:.:Windows:98 (15)
+S4:64:1:48:M*,N,N,S:.:Windows:98 (1)
+S6:64:1:48:M*,N,N,S:.:Windows:98 (2)
+S12:64:1:48:M*,N,N,S:.:Windows:98 (3
+T30:64:1:64:M1460,N,W0,N,N,T0,N,N,S:.:Windows:98 (16)
+32767:64:1:48:M*,N,N,S:.:Windows:98 (4)
+37300:64:1:48:M*,N,N,S:.:Windows:98 (5)
+46080:64:1:52:M*,N,W3,N,N,S:.:Windows:98 (RFC1323)
+65535:64:1:44:M*:.:Windows:98 (no sack)
+S16:128:1:48:M*,N,N,S:.:Windows:98 (6)
+S16:128:1:64:M*,N,W0,N,N,T0,N,N,S:.:Windows:98 (7)
+S26:128:1:48:M*,N,N,S:.:Windows:98 (8)
+T30:128:1:48:M*,N,N,S:.:Windows:98 (9)
+32767:128:1:52:M*,N,W0,N,N,S:.:Windows:98 (10)
+60352:128:1:48:M*,N,N,S:.:Windows:98 (11)
+60352:128:1:64:M*,N,W2,N,N,T0,N,N,S:.:Windows:98 (12)
+
+# What's with 1414 on NT?
+T31:128:1:44:M1414:.:Windows:NT 4.0 SP6a (1)
+64512:128:1:44:M1414:.:Windows:NT 4.0 SP6a (2)
+8192:128:1:44:M*:.:Windows:NT 4.0 (older)
+
+# Windows XP and 2000. Most of the signatures that were
+# either dubious or non-specific (no service pack data)
+# were deleted and replaced with generics at the end.
+
+65535:128:1:48:M*,N,N,S:.:Windows:2000 SP4, XP SP1
+%8192:128:1:48:M*,N,N,S:.:Windows:2000 SP2+, XP SP1 (seldom 98 4.10.2222)
+S20:128:1:48:M*,N,N,S:.:Windows:SP3
+S45:128:1:48:M*,N,N,S:.:Windows:2000 SP4, XP SP 1 (2)
+40320:128:1:48:M*,N,N,S:.:Windows:2000 SP4
+
+S6:128:1:48:M*,N,N,S:.:Windows:XP, 2000 SP2+
+S12:128:1:48:M*,N,N,S:.:Windows:XP SP1 (1)
+S44:128:1:48:M*,N,N,S:.:Windows:XP Pro SP1, 2000 SP3
+64512:128:1:48:M*,N,N,S:.:Windows:XP SP1, 2000 SP3 (2)
+32767:128:1:48:M*,N,N,S:.:Windows:XP SP1, 2000 SP4 (3)
+
+# Odds, ends, mods:
+
+S52:128:1:48:M1260,N,N,S:.:Windows:XP/2000 via Cisco
+65520:128:1:48:M*,N,N,S:.:Windows:XP bare-bone
+16384:128:1:52:M536,N,W0,N,N,S:.:Windows:2000 w/ZoneAlarm?
+2048:255:0:40:.:.:Windows:.NET Enterprise Server
+
+# No need to be more specific, it passes:
+*:128:1:48:M*,N,N,S:U:-Windows:XP/2000 while downloading (leak!)
+
+# ----------------- HP/UX -------------------
+
+32768:64:1:44:M*:.:HP-UX:B.10.20
+32768:64:1:48:M*,W0,N:.:HP-UX:11.00-11.11
+
+# Whoa. Hardcore WSS.
+0:64:0:48:M*,W0,N:.:HP-UX:B.11.00 A (RFC1323)
+
+# ----------------- RiscOS ------------------
+
+16384:64:1:68:M1460,N,W0,N,N,T,N,N,?12:.:RISC OS:3.70-4.36 (inet 5.04)
+12288:32:0:44:M536:.:RISC OS:3.70 inet 4.10
+4096:64:1:56:M1460,N,N,T:T:.:RISC OS:3.70 freenet 2.00
+
+# ----------------- BSD/OS ------------------
+
+8192:64:1:60:M1460,N,W0,N,N,T:.:BSD/OS:3.1-4.3 (or MacOS X 10.2)
+
+# ---------------- NetwonOS -----------------
+
+4096:64:0:44:M1420:.:NewtonOS:2.1
+
+# ---------------- NeXTSTEP -----------------
+
+S8:64:0:44:M512:.:NeXTSTEP:3.3
+
+# ------------------ BeOS -------------------
+
+1024:255:0:48:M*,N,W0:.:BeOS:5.0-5.1
+12288:255:0:44:M*:.:BeOS:5.0.x
+
+# ------------------ OS/400 -----------------
+
+8192:64:1:60:M1440,N,W0,N,N,T:.:OS/400:V4R4/R5
+8192:64:0:44:M536:.:OS/400:V4R3/M0
+4096:64:1:60:M1440,N,W0,N,N,T:.:OS/400:V4R5 + CF67032
+
+28672:64:0:44:M1460:A:OS/390:?
+
+# ------------------ ULTRIX -----------------
+
+16384:64:0:40:.:.:ULTRIX:4.5
+
+# ------------------- QNX -------------------
+
+S16:64:0:44:M512:.:QNX:demodisk
+
+# ------------------ Novell -----------------
+
+16384:128:1:44:M1460:.:Novell:NetWare 5.0
+6144:128:1:44:M1460:.:Novell:IntranetWare 4.11
+6144:128:1:44:M1368:.:Novell:BorderManager ?
+
+# According to rfp:
+6144:128:1:52:M*,W0,N,S,N,N:.:Novell:Netware 6 SP3
+
+# -------------- SCO UnixWare ---------------
+
+S3:64:1:60:M1460,N,W0,N,N,T:.:SCO:UnixWare 7.1
+S23:64:1:44:M1380:.:SCO:OpenServer 5.0
+
+# ------------------- DOS -------------------
+
+2048:255:0:44:M536:.:DOS:Arachne via WATTCP/1.05
+
+# ------------------ OS/2 -------------------
+
+S56:64:0:44:M512:.:OS/2:4
+
+# ----------------- TOPS-20 -----------------
+
+# Another hardcore MSS, one of the ACK leakers hunted down.
+0:64:0:44:M1460:A:TOPS-20:version 7
+
+# ------------------ AMIGA ------------------
+
+S32:64:1:56:M*,N,N,S,N,N,?12:.:AMIGA:3.9 BB2 with Miami stack
+
+# ------------------ Minix ------------------
+
+# Not quite sure.
+# 8192:210:0:44:M1460:X:@Minix:?
+
+# ------------------ Plan9 ------------------
+
+65535:255:0:48:M1460,W0,N:.:Plan9:edition 4
+
+# ----------------- AMIGAOS -----------------
+
+16384:64:1:48:M1560,N,N,S:.:AMIGAOS:3.9 BB2 MiamiDX
+
+###########################################
+# Appliance / embedded / other signatures #
+###########################################
+
+# ---------- Firewalls / routers ------------
+
+S12:64:1:44:M1460:.:@Checkpoint:(unknown 1)
+S12:64:1:48:N,N,S,M1460:.:@Checkpoint:(unknown 2)
+4096:32:0:44:M1460:.:ExtremeWare:4.x
+60352:64:0:52:M1460,N,W2,N,N,S:.:Clavister:firewall 7.x
+
+S32:64:0:68:M512,N,W0,N,N,T,N,N,?12:.:Nokia:IPSO w/Checkpoint NG FP3
+S16:64:0:68:M1024,N,W0,N,N,T,N,N,?12:.:Nokia:IPSO 3.7 build 026
+
+S4:64:1:60:W0,N,S,T,M1460:.:FortiNet:FortiGate 50
+
+8192:64:1:44:M1460:.:@Eagle:Secure Gateway
+
+# ------- Switches and other stuff ----------
+
+4128:255:0:44:M*:Z:Cisco:7200, Catalyst 3500, et
+S8:255:0:44:M*:.:Cisco:12008
+60352:128:1:64:M1460,N,W2,N,N,T,N,N,S:.:Alteon:ACEswitch
+64512:128:1:44:M1370:.:Nortel:Contivity Client
+
+# ---------- Caches and whatnots ------------
+
+8192:64:1:64:M1460,N,N,S,N,W0,N,N,T:.:NetCache:5.2
+16384:64:1:64:M1460,N,N,S,N,W0,N:.:NetCache:5.3
+65535:64:1:64:M1460,N,N,S,N,W*,N,N,T:.:NetCache:5.3-5.5
+20480:64:1:64:M1460,N,N,S,N,W0,N,N,T:.:NetCache:4.1
+
+32850:64:1:64:N,W1,N,N,T,N,N,S,M*:.:NetCache:Data OnTap 5.x
+
+65535:64:0:60:M1460,N,W0,N,N,T:.:CacheFlow:CacheOS 4.1
+8192:64:0:60:M1380,N,N,N,N,N,N,T:.:CacheFlow:CacheOS 1.1
+
+S4:64:0:48:M1460,N,N,S:.:Cisco:Content Engine
+
+27085:128:0:40:.:.:Dell:PowerApp cache (Linux-based)
+
+65535:255:1:48:N,W1,M1460:.:Inktomi:crawler
+S1:255:1:60:M1460,S,T,N,W0:.:LookSmart:ZyBorg
+
+16384:255:0:40:.:.:Proxyblocker:(what's this?)
+
+# ----------- Embedded systems --------------
+
+S9:255:0:44:M536:.:PalmOS:Tungsten C
+S5:255:0:44:M536:.:PalmOS:3/4
+S4:255:0:44:M536:.:PalmOS:3.5
+2948:255:0:44:M536:.:PalmOS:3.5.3 (Handera)
+S29:255:0:44:M536:.:PalmOS:5.0
+
+S23:64:1:64:N,W1,N,N,T,N,N,S,M1460:.:SymbianOS:7
+8192:255:0:44:M1460:.:SymbianOS:6048 (on Nokia 7650?)
+8192:255:0:44:M536:.:SymbianOS:(on Nokia 9210?)
+
+32768:32:1:44:M1460:.:Windows:CE 3
+
+# Perhaps S4?
+5840:64:1:60:M1452,S,T,N,W1:.:Zaurus:3.10
+
+32768:128:1:64:M1460,N,W0,N,N,T0,N,N,S:.:PocketPC:2002
+
+S1:255:0:44:M346:.:Contiki:1.1-rc0
+
+4096:128:0:44:M1460:.:Sega:Dreamcast Dreamkey 3.0
+T5:64:0:44:M536:.:Sega:Dreamcast HKT-3020 (browser disc 51027)
+S22:64:1:44:M1460:.:Sony:Playstation 2 (SOCOM?)
+
+S12:64:0:44:M1452:.:AXIS:Printer Server 5600 v5.64
+
+####################
+# Fancy signatures #
+####################
+
+1024:64:0:40:.:.:-*NMAP:syn scan (1)
+2048:64:0:40:.:.:-*NMAP:syn scan (2)
+3072:64:0:40:.:.:-*NMAP:syn scan (3)
+4096:64:0:40:.:.:-*NMAP:syn scan (4)
+
+1024:64:0:60:W10,N,M265,T,E:P:-*NMAP:OS detection probe (1)
+2048:64:0:60:W10,N,M265,T,E:P:-*NMAP:OS detection probe (2)
+3072:64:0:60:W10,N,M265,T,E:P:-*NMAP:OS detection probe (3)
+4096:64:0:60:W10,N,M265,T,E:P:-*NMAP:OS detection probe (4)
+
+1024:64:0:60:W10,N,M265,T,E:PF:-*NMAP:OS detection probe w/flags (1)
+2048:64:0:60:W10,N,M265,T,E:PF:-*NMAP:OS detection probe w/flags (2)
+3072:64:0:60:W10,N,M265,T,E:PF:-*NMAP:OS detection probe w/flags (3)
+4096:64:0:60:W10,N,M265,T,E:PF:-*NMAP:OS detection probe w/flags (4)
+
+12345:255:0:40:.:A:-p0f:sendsyn utility
+
+# UFO - see tmp/*:
+56922:128:0:40:.:A:-@Mysterious:port scanner (?)
+5792:64:1:60:M1460,S,T,N,W0:T:-@Mysterious:NAT device (2nd tstamp)
+S12:128:1:48:M1460,E:P:@Mysterious:Chello proxy (?)
+S23:64:1:64:N,W1,N,N,T,N,N,S,M1380:.:@Mysterious:GPRS gateway (?)
+
+#####################################
+# Generic signatures - just in case #
+#####################################
+
+*:128:1:52:M*,N,W0,N,N,S:.:@Windows:XP/2000 (RFC1323 no tstamp)
+*:128:1:64:M*,N,W0,N,N,T0,N,N,S:.:@Windows:XP/2000 (RFC1323)
+*:128:1:64:M*,N,W*,N,N,T0,N,N,S:.:@Windows:XP (RFC1323, w+)
+*:128:1:48:M536,N,N,S:.:@Windows:98
+*:128:1:48:M*,N,N,S:.:@Windows:XP/2000
+
+
diff --git a/policy/sigs/snort-default.sig b/policy/sigs/snort-default.sig
new file mode 100644
index 0000000000..0e10358824
--- /dev/null
+++ b/policy/sigs/snort-default.sig
@@ -0,0 +1,14888 @@
+signature sid-524-a {
+  ip-proto == tcp
+  src-ip == local_nets
+  dst-ip != local_nets
+  src-port == 0
+  event "BAD-TRAFFIC tcp port 0 traffic"
+  }
+
+signature sid-524-b {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 0
+  event "BAD-TRAFFIC tcp port 0 traffic"
+  }
+
+signature sid-525-a {
+  ip-proto == udp
+  src-ip == local_nets
+  dst-ip != local_nets
+  src-port == 0
+  event "BAD-TRAFFIC udp port 0 traffic"
+  }
+
+signature sid-525-b {
+  ip-proto == udp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 0
+  event "BAD-TRAFFIC udp port 0 traffic"
+  }
+
+signature sid-526 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  payload-size > 6
+  header tcp[13:1] & 255 == 2
+  event "BAD-TRAFFIC data in TCP SYN packet"
+  }
+
+signature sid-528-a {
+  src-ip == 127.0.0.0/8
+  event "BAD-TRAFFIC loopback traffic"
+  }
+
+signature sid-528-b {
+  dst-ip == 127.0.0.0/8
+  event "BAD-TRAFFIC loopback traffic"
+  }
+
+signature sid-527 {
+  same-ip
+  event "BAD-TRAFFIC same SRC/DST"
+  }
+
+signature sid-523 {
+  src-ip != local_nets
+  dst-ip == local_nets
+  event "BAD-TRAFFIC ip reserved bit set"
+  header ip[6:1] & 224 == 128
+  }
+
+signature sid-1321 {
+  src-ip != local_nets
+  dst-ip == local_nets
+  event "BAD-TRAFFIC 0 ttl"
+  header ip[8:1] == 0
+  }
+
+signature sid-1322 {
+  src-ip != local_nets
+  dst-ip == local_nets
+  event "BAD-TRAFFIC bad frag bits"
+  header ip[6:1] & 224 == 96
+  }
+
+signature sid-1627 {
+  src-ip != local_nets
+  dst-ip == local_nets
+  header ip[9:1] > 134
+  event "BAD-TRAFFIC Unassigned/Reserved IP protocol"
+  }
+
+signature sid-1431 {
+  ip-proto == tcp
+  dst-ip == 232.0.0.0/8,233.0.0.0/8,239.0.0.0/8
+  event "BAD-TRAFFIC syn to multicast address"
+  header tcp[13:1] & 255 == 2
+  }
+
+signature sid-2186 {
+  header ip[9:1] == 53
+  event "BAD-TRAFFIC IP Proto 53 (SWIPE)"
+  }
+
+signature sid-2187 {
+  header ip[9:1] == 55
+  event "BAD-TRAFFIC IP Proto 55 (IP Mobility)"
+  }
+
+signature sid-2188 {
+  header ip[9:1] == 77
+  event "BAD-TRAFFIC IP Proto 77 (Sun ND)"
+  }
+
+signature sid-2189 {
+  header ip[9:1] == 103
+  event "BAD-TRAFFIC IP Proto 103 (PIM)"
+  }
+
+signature sid-1324 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 22
+  event "EXPLOIT ssh CRC32 overflow /bin/sh"
+  tcp-state established,originator
+  payload /.*\/bin\/sh/
+  }
+
+signature sid-1326 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 22
+  event "EXPLOIT ssh CRC32 overflow NOOP"
+  tcp-state established,originator
+  payload /.*\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90/
+  }
+
+signature sid-1327 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 22
+  event "EXPLOIT ssh CRC32 overflow"
+  tcp-state established,originator
+  payload /\x00\x01\x57\x00\x00\x00\x18/
+  payload /.{7}\xFF\xFF\xFF\xFF\x00\x00/
+  }
+
+signature sid-283 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  src-port == 80
+  event "EXPLOIT Netscape 4.7 client overflow"
+  tcp-state established,responder
+  payload /.*\x33\xC9\xB1\x10\x3F\xE9\x06\x51\x3C\xFA\x47\x33\xC0\x50\xF7\xD0\x50/
+  }
+
+signature sid-300 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 2766
+  event "EXPLOIT nlps x86 Solaris overflow"
+  tcp-state established,originator
+  payload /.*\xeb\x23\x5e\x33\xc0\x88\x46\xfa\x89\x46\xf5\x89\x36/
+  }
+
+signature sid-301 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 515
+  event "EXPLOIT LPRng overflow"
+  tcp-state established,originator
+  payload /.*\x43\x07\x89\x5B\x08\x8D\x4B\x08\x89\x43\x0C\xB0\x0B\xCD\x80\x31\xC0\xFE\xC0\xCD\x80\xE8\x94\xFF\xFF\xFF\x2F\x62\x69\x6E\x2F\x73\x68\x0A/
+  }
+
+signature sid-302 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 515
+  event "EXPLOIT Redhat 7.0 lprd overflow"
+  tcp-state established,originator
+  payload /.*\x58\x58\x58\x58\x25\x2E\x31\x37\x32\x75\x25\x33\x30\x30\x24\x6E/
+  }
+
+signature sid-304 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 6373
+  event "EXPLOIT SCO calserver overflow"
+  tcp-state established,originator
+  payload /.*\xeb\x7f\x5d\x55\xfe\x4d\x98\xfe\x4d\x9b/
+  }
+
+signature sid-305 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 8080
+  payload-size > 1000
+  event "EXPLOIT delegate proxy overflow"
+  tcp-state established,originator
+  payload /.*[wW][hH][oO][iI][sS]\x3a\/\//
+  }
+
+signature sid-306 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 9090
+  event "EXPLOIT VQServer admin"
+  tcp-state established,originator
+  payload /.*[gG][eE][tT] \/ [hH][tT][tT][pP]\/1\.1/
+  }
+
+signature sid-308 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  src-port == 21
+  event "EXPLOIT NextFTP client overflow"
+  tcp-state established,responder
+  payload /.*\xb4\x20\xb4\x21\x8b\xcc\x83\xe9\x04\x8b\x19\x33\xc9\x66\xb9\x10/
+  }
+
+signature sid-309 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == smtp_servers
+  dst-port == 25
+  payload-size > 512
+  header tcp[13:1] & 255 == 16
+  event "EXPLOIT sniffit overflow"
+  payload /.*[fF][rR][oO][mM]\x3A\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90/
+  }
+
+signature sid-310 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == smtp_servers
+  dst-port == 25
+  event "EXPLOIT x86 windows MailMax overflow"
+  tcp-state established,originator
+  payload /.*\xeb\x45\xeb\x20\x5b\xfc\x33\xc9\xb1\x82\x8b\xf3\x80\x2b/
+  }
+
+signature sid-311 {
+  ip-proto == tcp
+  src-ip == local_nets
+  dst-ip != local_nets
+  dst-port == 80
+  event "EXPLOIT Netscape 4.7 unsucessful overflow"
+  tcp-state established,originator
+  payload /.*\x33\xC9\xB1\x10\x3F\xE9\x06\x51\x3C\xFA\x47\x33\xC0\x50\xF7\xD0\x50/
+  }
+
+signature sid-312 {
+  ip-proto == udp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 123
+  payload-size > 128
+  event "EXPLOIT ntpdx overflow attempt"
+  }
+
+signature sid-313 {
+  ip-proto == udp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 518
+  event "EXPLOIT ntalkd x86 Linux overflow"
+  payload /.*\x01\x03\x00\x00\x00\x00\x00\x01\x00\x02\x02\xe8/
+  }
+
+signature sid-315 {
+  ip-proto == udp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 635
+  event "EXPLOIT x86 Linux mountd overflow"
+  payload /.*\x5e\xb0\x02\x89\x06\xfe\xc8\x89\x46\x04\xb0\x06\x89\x46/
+  }
+
+signature sid-316 {
+  ip-proto == udp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 635
+  event "EXPLOIT x86 Linux mountd overflow"
+  payload /.*\xeb\x56\x5E\x56\x56\x56\x31\xd2\x88\x56\x0b\x88\x56\x1e/
+  }
+
+signature sid-317 {
+  ip-proto == udp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 635
+  event "EXPLOIT x86 Linux mountd overflow"
+  payload /.*\xeb\x40\x5E\x31\xc0\x40\x89\x46\x04\x89\xc3\x40\x89\x06/
+  }
+
+signature sid-1240 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 2224
+  event "EXPLOIT MDBMS overflow"
+  tcp-state established,originator
+  payload /.*\x01\x31\xDB\xCD\x80\xE8\x5B\xFF\xFF\xFF/
+  }
+
+signature sid-1261 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 4242
+  payload-size > 1000
+  event "EXPLOIT AIX pdnsd overflow"
+  tcp-state established,originator
+  payload /.*\x7F\xFF\xFB\x78\x7F\xFF\xFB\x78\x7F\xFF\xFB\x78\x7F\xFF\xFB\x78/
+  payload /.*\x40\x8A\xFF\xC8\x40\x82\xFF\xD8\x3B\x36\xFE\x03\x3B\x76\xFE\x02/
+  }
+
+signature sid-1323 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 4321
+  event "EXPLOIT rwhoisd format string attempt"
+  tcp-state established,originator
+  payload /.*-soa %p/
+  }
+
+signature sid-1398 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 6112
+  event "EXPLOIT CDE dtspcd exploit attempt"
+  tcp-state established,originator
+  payload /.{9}1/
+  payload /.{10}<willnevermatch>/
+  }
+
+signature sid-1751 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port >= 32772
+  dst-port <= 34000
+  payload-size > 720
+  event "EXPLOIT cachefsd buffer overflow attempt"
+  tcp-state established,originator
+  payload /.*\x00\x01\x87\x86\x00\x00\x00\x01\x00\x00\x00\x05/
+  }
+
+signature sid-1894 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 749
+  event "EXPLOIT kadmind buffer overflow attempt"
+  tcp-state established,originator
+  payload /.*\x00\xC0\x05\x08\x00\xC0\x05\x08\x00\xC0\x05\x08\x00\xC0\x05\x08/
+  }
+
+signature sid-1895 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 751
+  event "EXPLOIT kadmind buffer overflow attempt"
+  tcp-state established,originator
+  payload /.*\x00\xC0\x05\x08\x00\xC0\x05\x08\x00\xC0\x05\x08\x00\xC0\x05\x08/
+  }
+
+signature sid-1896 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 749
+  event "EXPLOIT kadmind buffer overflow attempt"
+  tcp-state established,originator
+  payload /.*\xff\xff\x4b\x41\x44\x4d\x30\x2e\x30\x41\x00\x00\xfb\x03/
+  }
+
+signature sid-1897 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 751
+  event "EXPLOIT kadmind buffer overflow attempt"
+  tcp-state established,originator
+  payload /.*\xff\xff\x4b\x41\x44\x4d\x30\x2e\x30\x41\x00\x00\xfb\x03/
+  }
+
+signature sid-1898 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 749
+  event "EXPLOIT kadmind buffer overflow attempt"
+  tcp-state established,originator
+  payload /.*\x2F\x73\x68\x68\x2F\x2F\x62\x69/
+  }
+
+signature sid-1899 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 751
+  event "EXPLOIT kadmind buffer overflow attempt"
+  tcp-state established,originator
+  payload /.*\x2F\x73\x68\x68\x2F\x2F\x62\x69/
+  }
+
+signature sid-1812 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 22
+  event "EXPLOIT gobbles SSH exploit attempt"
+  tcp-state established,originator
+  payload /.*GOBBLES/
+  }
+
+signature sid-1821 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 515
+  event "EXPLOIT LPD dvips remote command execution attempt"
+  tcp-state established,originator
+  payload /.*psfile=\x22\x60/
+  }
+
+signature sid-1838 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  src-port == 22
+  event "EXPLOIT SSH server banner overflow"
+  tcp-state established,responder
+  payload /SSH-[^\x0a]{600}/
+  }
+
+signature sid-307 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port >= 6666
+  dst-port <= 7000
+  event "EXPLOIT CHAT IRC topic overflow"
+  tcp-state established,responder
+  payload /.*\xeb\x4b\x5b\x53\x32\xe4\x83\xc3\x0b\x4b\x88\x23\xb8\x50\x77/
+  }
+
+signature sid-1382 {
+  ip-proto == tcp
+  dst-port >= 6666
+  dst-port <= 7000
+  event "EXPLOIT CHAT IRC Ettercap parse overflow attempt"
+  tcp-state established,originator
+  payload /.*[pP][rR][iI][vV][mM][sS][gG] [nN][iI][cC][kK][sS][eE][rR][vV] [iI][dD][eE][nN][tT][iI][fF][yY][^\x0a]{150}/
+  }
+
+signature sid-292 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 139
+  event "EXPLOIT x86 Linux samba overflow"
+  tcp-state established,originator
+  payload /.*\xeb\x2f\x5f\xeb\x4a\x5e\x89\xfb\x89\x3e\x89\xf2/
+  }
+
+signature sid-613 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  src-port == 10101
+  header tcp[8:4] == 0
+  header tcp[13:1] & 255 == 2
+  header ip[8:1] > 220
+  event "SCAN myscan"
+  }
+
+signature sid-616 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 113
+  event "SCAN ident version request"
+  tcp-state established,originator
+  payload /.{0,8}VERSION\x0A/
+  }
+
+signature sid-619 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 80
+  payload-size == 0
+  header tcp[13:1] & 255 == 195
+  event "SCAN cybercop os probe"
+  }
+
+signature sid-618 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 3128
+  event "SCAN Squid Proxy attempt"
+  header tcp[13:1] & 255 == 2
+  }
+
+signature sid-615 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 1080
+  header tcp[13:1] & 255 == 2
+  event "SCAN SOCKS Proxy attempt"
+  }
+
+signature sid-620 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 8080
+  event "SCAN Proxy (8080) attempt"
+  header tcp[13:1] & 255 == 2
+  }
+
+signature sid-621 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  header tcp[13:1] & 255 == 1
+  event "SCAN FIN"
+  }
+
+signature sid-622 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  header tcp[13:1] & 255 == 2
+  header tcp[4:4] == 1958810375
+  event "SCAN ipEye SYN scan"
+  }
+
+signature sid-623 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  header tcp[8:4] == 0
+  header tcp[13:1] & 255 == 0
+  header tcp[4:4] == 0
+  event "SCAN NULL"
+  }
+
+signature sid-624 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  header tcp[13:1] & 255 == 3
+  event "SCAN SYN FIN"
+  }
+
+signature sid-625 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  header tcp[13:1] & 255 == 63
+  event "SCAN XMAS"
+  }
+
+signature sid-1228 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  header tcp[13:1] & 255 == 41
+  event "SCAN nmap XMAS"
+  }
+
+signature sid-628 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  header tcp[8:4] == 0
+  header tcp[13:1] & 255 == 16
+  event "SCAN nmap TCP"
+  }
+
+signature sid-629 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  header tcp[13:1] & 255 == 43
+  event "SCAN nmap fingerprint attempt"
+  }
+
+signature sid-630 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  header tcp[13:1] & 255 == 3
+  event "SCAN synscan portscan"
+  header ip[4:2] == 39426
+  }
+
+signature sid-626 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  header tcp[13:1] & 255 == 216
+  event "SCAN cybercop os PA12 attempt"
+  payload /AAAAAAAAAAAAAAAA/
+  }
+
+signature sid-627 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  header tcp[8:4] == 0
+  header tcp[13:1] & 255 == 227
+  event "SCAN cybercop os SFU12 probe"
+  payload /AAAAAAAAAAAAAAAA/
+  }
+
+signature sid-634 {
+  ip-proto == udp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port >= 10080
+  dst-port <= 10081
+  event "SCAN Amanda client version request"
+  payload /.*[aA][mM][aA][nN][dD][aA]/
+  }
+
+signature sid-635 {
+  ip-proto == udp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 49
+  event "SCAN XTACACS logout"
+  payload /.*\x80\x07\x00\x00\x07\x00\x00\x04\x00\x00\x00\x00\x00/
+  }
+
+signature sid-636 {
+  ip-proto == udp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 7
+  event "SCAN cybercop udp bomb"
+  payload /.*cybercop/
+  }
+
+signature sid-637 {
+  ip-proto == udp
+  src-ip != local_nets
+  dst-ip == local_nets
+  event "SCAN Webtrends Scanner UDP Probe"
+  payload /.*\x0Ahelp\x0Aquite\x0A/
+  }
+
+signature sid-1638 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 22
+  event "SCAN SSH Version map attempt"
+  tcp-state established,originator
+  payload /.*[vV][eE][rR][sS][iI][oO][nN]_[mM][aA][pP][pP][eE][rR]/
+  }
+
+signature sid-1917 {
+  ip-proto == udp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 1900
+  event "SCAN UPnP service discover attempt"
+  payload /M-SEARCH /
+  payload /.*ssdp:discover/
+  }
+
+signature sid-1918 {
+  ip-proto == icmp
+  src-ip != local_nets
+  dst-ip == local_nets
+  header icmp[1:1] == 0
+  header icmp[0:1] == 8
+  event "SCAN SolarWinds IP scan attempt"
+  payload /.*SolarWinds\.Net/
+  }
+
+signature sid-1133 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  header tcp[8:4] == 0
+  header tcp[13:1] & 255 == 11
+  event "SCAN cybercop os probe"
+  payload /AAAAAAAAAAAAAAAA/
+  }
+
+signature sid-320 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 79
+  event "FINGER cmd_rootsh backdoor attempt"
+  tcp-state established,originator
+  payload /.*cmd_rootsh/
+  }
+
+signature sid-321 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 79
+  event "FINGER account enumeration attempt"
+  tcp-state established,originator
+  payload /.*[aA] [bB] [cC] [dD] [eE] [fF]/
+  }
+
+signature sid-322 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 79
+  event "FINGER search query"
+  tcp-state established,originator
+  payload /.*search/
+  }
+
+signature sid-323 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 79
+  event "FINGER root query"
+  tcp-state established,originator
+  payload /.*root/
+  }
+
+signature sid-324 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 79
+  event "FINGER null request"
+  tcp-state established,originator
+  payload /.*\x00/
+  }
+
+signature sid-326 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 79
+  event "FINGER remote command ; execution attempt"
+  tcp-state established,originator
+  payload /.*\x3b/
+  }
+
+signature sid-327 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 79
+  event "FINGER remote command pipe execution attempt"
+  tcp-state established,originator
+  payload /.*\x7c/
+  }
+
+signature sid-328 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 79
+  event "FINGER bomb attempt"
+  tcp-state established,originator
+  payload /.*@@/
+  }
+
+signature sid-330 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 79
+  event "FINGER redirection attempt"
+  tcp-state established,originator
+  payload /.*@/
+  }
+
+signature sid-331 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 79
+  event "FINGER cybercop query"
+  tcp-state established,originator
+  payload /.{0,4}\x0A     /
+  }
+
+signature sid-332 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 79
+  event "FINGER 0 query"
+  tcp-state established,originator
+  payload /.*0/
+  }
+
+signature sid-333 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 79
+  event "FINGER . query"
+  tcp-state established,originator
+  payload /.*\./
+  }
+
+signature sid-1541 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 79
+  event "FINGER version query"
+  tcp-state established,originator
+  payload /.*version/
+  }
+
+signature sid-337 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 21
+  event "FTP CEL overflow attempt"
+  tcp-state established,originator
+  payload /.*[cC][eE][lL] [^\x0a]{100}/
+  }
+
+signature sid-1919 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 21
+  event "FTP CWD overflow attempt"
+  tcp-state established,originator
+  payload /.*[cC][wW][dD] [^\x0a]{100}/
+  }
+
+signature sid-1621 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 21
+  event "FTP CMD overflow attempt"
+  tcp-state established,originator
+  payload /.*[cC][mM][dD] [^\x0a]{100}/
+  }
+
+signature sid-1379 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 21
+  event "FTP STAT overflow attempt"
+  tcp-state established,originator
+  payload /.*[sS][tT][aA][tT] [^\x0a]{100}/
+  }
+
+signature sid-1562 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 21
+  event "FTP SITE CHOWN overflow attempt"
+  tcp-state established,originator
+  payload /.*[sS][iI][tT][eE] /
+  payload /.* [cC][hH][oO][wW][nN] [^\x0a]{100}/
+  }
+
+signature sid-1920 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 21
+  event "FTP SITE NEWER overflow attempt"
+  tcp-state established,originator
+  payload /.*[sS][iI][tT][eE] /
+  payload /.* [nN][eE][wW][eE][rR] [^\x0a]{100}/
+  }
+
+signature sid-1888 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 21
+  event "FTP SITE CPWD overflow attempt"
+  tcp-state established,originator
+  payload /.*[sS][iI][tT][eE] /
+  payload /.* [cC][pP][wW][dD] [^\x0a]{100}/
+  }
+
+signature sid-1971 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 21
+  event "FTP SITE EXEC format string attempt"
+  tcp-state established,originator
+  payload /.*[sS][iI][tT][eE].*.{0}.*[eE][xX][eE][cC] .{1}.*%.{1}.*%/
+  }
+
+signature sid-1529 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 21
+  event "FTP SITE overflow attempt"
+  tcp-state established,originator
+  payload /.*[sS][iI][tT][eE] [^\x0a]{100}/
+  }
+
+signature sid-1734 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 21
+  event "FTP USER overflow attempt"
+  tcp-state established,originator
+  payload /.*[uU][sS][eE][rR] [^\x0a]{100}/
+  }
+
+signature sid-1972 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 21
+  event "FTP PASS overflow attempt"
+  tcp-state established,originator
+  payload /.*[pP][aA][sS][sS] [^\x0a]{100}/
+  }
+
+signature sid-1942 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 21
+  event "FTP RMDIR overflow attempt"
+  tcp-state established,originator
+  payload /.*[rR][mM][dD][iI][rR] [^\x0a]{100}/
+  }
+
+signature sid-1973 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 21
+  event "FTP MKD overflow attempt"
+  tcp-state established,originator
+  payload /.*[mM][kK][dD] [^\x0a]{100}/
+  }
+
+signature sid-1974 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 21
+  event "FTP REST overflow attempt"
+  tcp-state established,originator
+  payload /.*[rR][eE][sS][tT] [^\x0a]{100}/
+  }
+
+signature sid-1975 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 21
+  event "FTP DELE overflow attempt"
+  tcp-state established,originator
+  payload /.*[dD][eE][lL][eE] [^\x0a]{100}/
+  }
+
+signature sid-1976 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 21
+  event "FTP RMD overflow attempt"
+  tcp-state established,originator
+  payload /.*[rR][mM][dD] [^\x0a]{100}/
+  }
+
+signature sid-1623 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 21
+  event "FTP invalid MODE"
+  tcp-state established,originator
+  payload /.*[mM][oO][dD][eE] /
+  payload /.*<willnevermatch>/
+  payload /.*<willnevermatch>/
+  payload /.*<willnevermatch>/
+  payload /.*<willnevermatch>/
+  }
+
+signature sid-1624 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 21
+  payload-size == 10
+  event "FTP large PWD command"
+  tcp-state established,originator
+  payload /.*[pP][wW][dD]/
+  }
+
+signature sid-1625 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 21
+  payload-size == 10
+  event "FTP large SYST command"
+  tcp-state established,originator
+  payload /.*[sS][yY][sS][tT]/
+  }
+
+signature sid-2125 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 21
+  event "FTP CWD C:\"
+  tcp-state established,originator
+  payload /.*[cC][wW][dD].{1}.*C:\\/
+  }
+
+signature sid-1921 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 21
+  event "FTP SITE ZIPCHK attempt"
+  tcp-state established,originator
+  payload /.*[sS][iI][tT][eE] /
+  payload /.* [zZ][iI][pP][cC][hH][kK] [^\x0a]{100}/
+  }
+
+signature sid-1864 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 21
+  event "FTP SITE NEWER attempt"
+  tcp-state established,originator
+  payload /.*[sS][iI][tT][eE] /
+  payload /.* [nN][eE][wW][eE][rR] /
+  }
+
+signature sid-361 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 21
+  event "FTP site exec"
+  tcp-state established,originator
+  payload /.*[sS][iI][tT][eE] .*.{0}.*[eE][xX][eE][cC] /
+  }
+
+signature sid-1777 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 21
+  event "FTP EXPLOIT STAT * dos attempt"
+  tcp-state established,originator
+  payload /.*[sS][tT][aA][tT].{1}.*\*/
+  }
+
+signature sid-1778 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 21
+  event "FTP EXPLOIT STAT ? dos attempt"
+  tcp-state established,originator
+  payload /.*[sS][tT][aA][tT].{1}.*\?/
+  }
+
+signature sid-362 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 21
+  event "FTP tar parameters"
+  tcp-state established,originator
+  payload /.*\" --[uU][sS][eE]-[cC][oO][mM][pP][rR][eE][sS][sS]-[pP][rR][oO][gG][rR][aA][mM]\" /
+  }
+
+signature sid-336 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 21
+  event "FTP CWD ~root attempt"
+  tcp-state established,originator
+  payload /.*CWD /
+  payload /.* ~[rR][oO][oO][tT]/
+  }
+
+signature sid-1229 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 21
+  event "FTP CWD ..."
+  tcp-state established,originator
+  payload /.*CWD /
+  payload /.* \.\.\./
+  }
+
+signature sid-1672 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 21
+  event "FTP CWD ~<NEWLINE> attempt"
+  tcp-state established,originator
+  payload /.*CWD /
+  payload /.* ~\x0A/
+  }
+
+signature sid-1728 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 21
+  event "FTP CWD ~<CR><NEWLINE> attempt"
+  tcp-state established,originator
+  payload /.*CWD /
+  payload /.* ~\x0D\x0A/
+  }
+
+signature sid-1779 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 21
+  event "FTP CWD .... attempt"
+  tcp-state established,originator
+  payload /.*CWD /
+  payload /.* \.\.\.\./
+  }
+
+signature sid-360 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 21
+  event "FTP serv-u directory transversal"
+  tcp-state established,originator
+  payload /.*\.%20\./
+  }
+
+signature sid-1377 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 21
+  event "FTP wu-ftp bad file completion attempt ["
+  tcp-state established,originator
+  payload /.*~.{1}.*\[/
+  }
+
+signature sid-1378 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 21
+  event "FTP wu-ftp bad file completion attempt {"
+  tcp-state established,originator
+  payload /.*~.{1}.*\{/
+  }
+
+signature sid-1530 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 21
+  event "FTP format string attempt"
+  tcp-state established,originator
+  payload /.*%[pP]/
+  }
+
+signature sid-1622 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 21
+  event "FTP RNFR ././ attempt"
+  tcp-state established,originator
+  payload /.*[rR][nN][fF][rR] /
+  payload /.* \.\/\.\//
+  }
+
+signature sid-1748 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 21
+  payload-size > 100
+  event "FTP command overflow attempt"
+  tcp-state established,originator
+  }
+
+signature sid-1992 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 21
+  event "FTP LIST directory traversal attempt"
+  payload /.*LIST.{1}.*\.\..{1}.*\.\./
+  }
+
+signature sid-334 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 21
+  event "FTP .forward"
+  tcp-state established,originator
+  payload /.*\.forward/
+  }
+
+signature sid-335 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 21
+  event "FTP .rhosts"
+  tcp-state established,originator
+  payload /.*\.rhosts/
+  }
+
+signature sid-1927 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 21
+  event "FTP authorized_keys"
+  tcp-state established,originator
+  payload /.*authorized_keys/
+  }
+
+signature sid-356 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 21
+  event "FTP passwd retrieval attempt"
+  tcp-state established,originator
+  payload /.*[rR][eE][tT][rR]/
+  payload /.*passwd/
+  }
+
+signature sid-1928 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 21
+  event "FTP shadow retrieval attempt"
+  tcp-state established,originator
+  payload /.*[rR][eE][tT][rR]/
+  payload /.*shadow/
+  }
+
+signature sid-144 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 21
+  event "FTP ADMw0rm ftp login attempt"
+  tcp-state established,originator
+  payload /.*USER w0rm\x0D\x0A/
+  }
+
+signature sid-353 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 21
+  event "FTP adm scan"
+  tcp-state established,originator
+  payload /.*PASS ddd@\x0a/
+  }
+
+signature sid-354 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 21
+  event "FTP iss scan"
+  tcp-state established,originator
+  payload /.*pass -iss@iss/
+  }
+
+signature sid-355 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 21
+  event "FTP pass wh00t"
+  tcp-state established,originator
+  payload /.*[pP][aA][sS][sS] [wW][hH]00[tT]/
+  }
+
+signature sid-357 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 21
+  event "FTP piss scan"
+  tcp-state established,originator
+  payload /.*pass -cklaus/
+  }
+
+signature sid-358 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 21
+  event "FTP saint scan"
+  tcp-state established,originator
+  payload /.*pass -saint/
+  }
+
+signature sid-359 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 21
+  event "FTP satan scan"
+  tcp-state established,originator
+  payload /.*pass -satan/
+  }
+
+signature sid-1430 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == telnet_servers
+  dst-port == 23
+  event "TELNET Solaris memory mismanagement exploit attempt"
+  tcp-state established,originator
+  payload /.*\xA0\x23\xA0\x10\xAE\x23\x80\x10\xEE\x23\xBF\xEC\x82\x05\xE0\xD6\x90\x25\xE0/
+  }
+
+signature sid-711 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == telnet_servers
+  dst-port == 23
+  event "TELNET SGI telnetd format bug"
+  tcp-state established,originator
+  payload /.*_RLD/
+  payload /.*bin\/sh/
+  }
+
+signature sid-712 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == telnet_servers
+  dst-port == 23
+  event "TELNET ld_library_path"
+  tcp-state established,originator
+  payload /.*ld_library_path/
+  }
+
+signature sid-713 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == telnet_servers
+  dst-port == 23
+  event "TELNET livingston DOS"
+  tcp-state established,originator
+  payload /.*\xff\xf3\xff\xf3\xff\xf3\xff\xf3\xff\xf3/
+  }
+
+signature sid-714 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == telnet_servers
+  dst-port == 23
+  event "TELNET resolv_host_conf"
+  tcp-state established,originator
+  payload /.*resolv_host_conf/
+  }
+
+signature sid-715 {
+  ip-proto == tcp
+  src-ip == telnet_servers
+  dst-ip != local_nets
+  src-port == 23
+  event "TELNET Attempted SU from wrong group"
+  tcp-state established,responder
+  payload /.*[tT][oO] [sS][uU] [rR][oO][oO][tT]/
+  }
+
+signature sid-717 {
+  ip-proto == tcp
+  src-ip == telnet_servers
+  dst-ip != local_nets
+  src-port == 23
+  event "TELNET not on console"
+  tcp-state established,responder
+  payload /.*[nN][oO][tT] [oO][nN] [sS][yY][sS][tT][eE][mM] [cC][oO][nN][sS][oO][lL][eE]/
+  }
+
+signature sid-718 {
+  ip-proto == tcp
+  src-ip == telnet_servers
+  dst-ip != local_nets
+  src-port == 23
+  event "TELNET login incorrect"
+  tcp-state established,responder
+  payload /.*Login incorrect/
+  }
+
+signature sid-719 {
+  ip-proto == tcp
+  src-ip == telnet_servers
+  dst-ip != local_nets
+  src-port == 23
+  event "TELNET root login"
+  tcp-state established,responder
+  payload /.*login: root/
+  }
+
+signature sid-1252 {
+  ip-proto == tcp
+  src-ip == telnet_servers
+  dst-ip != local_nets
+  src-port == 23
+  event "TELNET bsd telnet exploit response"
+  tcp-state established,responder
+  payload /.*\x0D\x0A\[Yes\]\x0D\x0A\xFF\xFE\x08\xFF\xFD\x26/
+  }
+
+signature sid-1253 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == telnet_servers
+  dst-port == 23
+  payload-size > 200
+  event "TELNET bsd exploit client finishing"
+  tcp-state established,responder
+  payload /.{199}\xFF\xF6\xFF\xF6\xFF\xFB\x08\xFF\xF6/
+  }
+
+signature sid-709 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == telnet_servers
+  dst-port == 23
+  event "TELNET 4Dgifts SGI account attempt"
+  tcp-state established,originator
+  payload /.*4Dgifts/
+  }
+
+signature sid-710 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == telnet_servers
+  dst-port == 23
+  event "TELNET EZsetup account attempt"
+  tcp-state established,originator
+  payload /.*OutOfBox/
+  }
+
+signature sid-716 {
+  ip-proto == tcp
+  src-ip == telnet_servers
+  dst-ip != local_nets
+  src-port == 23
+  event "TELNET access"
+  tcp-state established,responder
+  payload /.*\xFF\xFD\x18\xFF\xFD\x1F\xFF\xFD\x23\xFF\xFD\x27\xFF\xFD\x24/
+  }
+
+signature sid-2093 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 111
+  # Not supported: byte_test: 4,>,2048,12,relative
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC portmap proxy integer overflow attempt TCP"
+  tcp-state established,originator
+  payload /.{7}\x00\x00\x00\x00/
+  payload /.{15}\x00\x01\x86\xA0\x00.{3}\x00\x00\x00\x05/
+  }
+
+signature sid-2092 {
+  ip-proto == udp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 111
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC portmap proxy integer overflow attempt UDP"
+  # Not supported: byte_test: 4,>,2048,12,relative
+  payload /.{3}\x00\x00\x00\x00/
+  payload /.{11}\x00\x01\x86\xA0\x00.{3}\x00\x00\x00\x05/
+  }
+
+signature sid-1922 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 111
+  event "RPC portmap proxy attempt TCP"
+  tcp-state established,originator
+  payload /.{7}\x00\x00\x00\x00/
+  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x05/
+  }
+
+signature sid-1923 {
+  ip-proto == udp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 111
+  event "RPC portmap proxy attempt UDP"
+  payload /.{3}\x00\x00\x00\x00/
+  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x05/
+  }
+
+signature sid-1280 {
+  ip-proto == udp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 111
+  event "RPC portmap listing UDP 111"
+  payload /.{3}\x00\x00\x00\x00/
+  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x04/
+  }
+
+signature sid-598 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 111
+  event "RPC portmap listing TCP 111"
+  tcp-state established,originator
+  payload /.{7}\x00\x00\x00\x00/
+  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x04/
+  }
+
+signature sid-1949 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 111
+  event "RPC portmap SET attempt TCP 111"
+  tcp-state established,originator
+  payload /.{7}\x00\x00\x00\x00/
+  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x01/
+  }
+
+signature sid-1950 {
+  ip-proto == udp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 111
+  event "RPC portmap SET attempt UDP 111"
+  payload /.{3}\x00\x00\x00\x00/
+  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x01/
+  }
+
+signature sid-2014 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 111
+  event "RPC portmap UNSET attempt TCP 111"
+  tcp-state established,originator
+  payload /.{7}\x00\x00\x00\x00/
+  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x02/
+  }
+
+signature sid-2015 {
+  ip-proto == udp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 111
+  event "RPC portmap UNSET attempt UDP 111"
+  payload /.{3}\x00\x00\x00\x00/
+  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x02/
+  }
+
+signature sid-599 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 32771
+  event "RPC portmap listing TCP 32771"
+  tcp-state established,originator
+  payload /.{7}\x00\x00\x00\x00/
+  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x04/
+  }
+
+signature sid-1281 {
+  ip-proto == udp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 32771
+  event "RPC portmap listing UDP 32771"
+  payload /.{3}\x00\x00\x00\x00/
+  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x04/
+  }
+
+signature sid-1746 {
+  ip-proto == udp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 111
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC portmap cachefsd request UDP"
+  payload /.{3}\x00\x00\x00\x00/
+  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x87\x8B/
+  }
+
+signature sid-1747 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 111
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC portmap cachefsd request TCP"
+  tcp-state established,originator
+  payload /.{7}\x00\x00\x00\x00/
+  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x87\x8B/
+  }
+
+signature sid-1732 {
+  ip-proto == udp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 111
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC portmap rwalld request UDP"
+  payload /.{3}\x00\x00\x00\x00/
+  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xA8/
+  }
+
+signature sid-1733 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 111
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC portmap rwalld request TCP"
+  tcp-state established,originator
+  payload /.{7}\x00\x00\x00\x00/
+  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xA8/
+  }
+
+signature sid-575 {
+  ip-proto == udp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 111
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC portmap admind request UDP"
+  payload /.{3}\x00\x00\x00\x00/
+  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xF7/
+  }
+
+signature sid-1262 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 111
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC portmap admind request TCP"
+  tcp-state established,originator
+  payload /.{7}\x00\x00\x00\x00/
+  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xF7/
+  }
+
+signature sid-576 {
+  ip-proto == udp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 111
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC portmap amountd request UDP"
+  payload /.{3}\x00\x00\x00\x00/
+  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x87\x03/
+  }
+
+signature sid-1263 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 111
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC portmap amountd request TCP"
+  tcp-state established,originator
+  payload /.{7}\x00\x00\x00\x00/
+  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x87\x03/
+  }
+
+signature sid-577 {
+  ip-proto == udp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 111
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC portmap bootparam request UDP"
+  payload /.{3}\x00\x00\x00\x00/
+  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xBA/
+  }
+
+signature sid-1264 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 111
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC portmap bootparam request TCP"
+  tcp-state established,originator
+  payload /.{7}\x00\x00\x00\x00/
+  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xBA/
+  }
+
+signature sid-580 {
+  ip-proto == udp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 111
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC portmap nisd request UDP"
+  payload /.{3}\x00\x00\x00\x00/
+  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x87\xcc/
+  }
+
+signature sid-1267 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 111
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC portmap nisd request TCP"
+  tcp-state established,originator
+  payload /.{7}\x00\x00\x00\x00/
+  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x87\xcc/
+  }
+
+signature sid-581 {
+  ip-proto == udp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 111
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC portmap pcnfsd request UDP"
+  payload /.{3}\x00\x00\x00\x00/
+  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x02\x49\xf1/
+  }
+
+signature sid-1268 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 111
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC portmap pcnfsd request TCP"
+  tcp-state established,originator
+  payload /.{7}\x00\x00\x00\x00/
+  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x02\x49\xf1/
+  }
+
+signature sid-582 {
+  ip-proto == udp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 111
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC portmap rexd request UDP"
+  payload /.{3}\x00\x00\x00\x00/
+  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xB1/
+  }
+
+signature sid-1269 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 111
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC portmap rexd request TCP"
+  tcp-state established,originator
+  payload /.{7}\x00\x00\x00\x00/
+  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xB1/
+  }
+
+signature sid-584 {
+  ip-proto == udp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 111
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC portmap rusers request UDP"
+  payload /.{3}\x00\x00\x00\x00/
+  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xA2/
+  }
+
+signature sid-1271 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 111
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC portmap rusers request TCP"
+  tcp-state established,originator
+  payload /.{7}\x00\x00\x00\x00/
+  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xA2/
+  }
+
+signature sid-612 {
+  ip-proto == udp
+  src-ip != local_nets
+  dst-ip == local_nets
+  event "RPC rusers query UDP"
+  payload /.{3}\x00\x00\x00\x00/
+  payload /.{11}\x00\x01\x86\xA2.{4}\x00\x00\x00\x02/
+  }
+
+signature sid-586 {
+  ip-proto == udp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 111
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC portmap selection_svc request UDP"
+  payload /.{3}\x00\x00\x00\x00/
+  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xAF/
+  }
+
+signature sid-1273 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 111
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC portmap selection_svc request TCP"
+  tcp-state established,originator
+  payload /.{7}\x00\x00\x00\x00/
+  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xAF/
+  }
+
+signature sid-587 {
+  ip-proto == udp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 111
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC portmap status request UDP"
+  payload /.{3}\x00\x00\x00\x00/
+  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xB8/
+  }
+
+signature sid-2016 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 111
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC portmap status request TCP"
+  tcp-state established,originator
+  payload /.{7}\x00\x00\x00\x00/
+  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xB8/
+  }
+
+signature sid-593 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 111
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC portmap snmpXdmi request TCP"
+  tcp-state established,originator
+  payload /.{7}\x00\x00\x00\x00/
+  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x87\x99/
+  }
+
+signature sid-1279 {
+  ip-proto == udp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 111
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC portmap snmpXdmi request UDP"
+  payload /.{3}\x00\x00\x00\x00/
+  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x87\x99/
+  }
+
+signature sid-569 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  # Not supported: byte_test: 4,>,1024,20,relative
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC snmpXdmi overflow attempt TCP"
+  tcp-state established,originator
+  payload /.{7}\x00\x00\x00\x00/
+  payload /.{15}\x00\x01\x87\x99.{4}\x00\x00\x01\x01/
+  }
+
+signature sid-2045 {
+  ip-proto == udp
+  src-ip != local_nets
+  dst-ip == local_nets
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC snmpXdmi overflow attempt UDP"
+  # Not supported: byte_test: 4,>,1024,20,relative
+  payload /.{3}\x00\x00\x00\x00/
+  payload /.{11}\x00\x01\x87\x99.{4}\x00\x00\x01\x01/
+  }
+
+signature sid-2017 {
+  ip-proto == udp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 111
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC portmap espd request UDP"
+  payload /.{3}\x00\x00\x00\x00/
+  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x05\xF7\x75/
+  }
+
+signature sid-595 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 111
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC portmap espd request TCP"
+  tcp-state established,originator
+  payload /.{7}\x00\x00\x00\x00/
+  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x05\xF7\x75/
+  }
+
+signature sid-1890 {
+  ip-proto == udp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port >= 1024
+  dst-port <= 65535
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC status GHBN format string attack"
+  payload /.{3}\x00\x00\x00\x00/
+  payload /.{11}\x00\x01\x86\xB8.{4}\x00\x00\x00\x02.{0,251}%x %x/
+  }
+
+signature sid-1891 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port >= 1024
+  dst-port <= 65535
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC status GHBN format string attack"
+  tcp-state established,originator
+  payload /.{7}\x00\x00\x00\x00/
+  payload /.{15}\x00\x01\x86\xB8.{4}\x00\x00\x00\x02.{0,251}%x %x/
+  }
+
+signature sid-579 {
+  ip-proto == udp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 111
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC portmap mountd request UDP"
+  payload /.{3}\x00\x00\x00\x00/
+  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xA5/
+  }
+
+signature sid-1266 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 111
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC portmap mountd request TCP"
+  tcp-state established,originator
+  payload /.{7}\x00\x00\x00\x00/
+  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xA5/
+  }
+
+signature sid-574 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  event "RPC mountd TCP export request"
+  tcp-state established,originator
+  payload /.{7}\x00\x00\x00\x00/
+  payload /.{15}\x00\x01\x86\xA5.{4}\x00\x00\x00\x05/
+  }
+
+signature sid-1924 {
+  ip-proto == udp
+  src-ip != local_nets
+  dst-ip == local_nets
+  event "RPC mountd UDP export request"
+  payload /.{3}\x00\x00\x00\x00/
+  payload /.{11}\x00\x01\x86\xA5.{4}\x00\x00\x00\x05/
+  }
+
+signature sid-1925 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  event "RPC mountd TCP exportall request"
+  tcp-state established,originator
+  payload /.{7}\x00\x00\x00\x00/
+  payload /.{15}\x00\x01\x86\xA5.{4}\x00\x00\x00\x06/
+  }
+
+signature sid-1926 {
+  ip-proto == udp
+  src-ip != local_nets
+  dst-ip == local_nets
+  event "RPC mountd UDP exportall request"
+  payload /.{3}\x00\x00\x00\x00/
+  payload /.{11}\x00\x01\x86\xA5.{4}\x00\x00\x00\x06/
+  }
+
+signature sid-1951 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  event "RPC mountd TCP mount request"
+  tcp-state established,originator
+  payload /.{7}\x00\x00\x00\x00/
+  payload /.{15}\x00\x01\x86\xA5.{4}\x00\x00\x00\x01/
+  }
+
+signature sid-1952 {
+  ip-proto == udp
+  src-ip != local_nets
+  dst-ip == local_nets
+  event "RPC mountd UDP mount request"
+  payload /.{3}\x00\x00\x00\x00/
+  payload /.{11}\x00\x01\x86\xA5.{4}\x00\x00\x00\x01/
+  }
+
+signature sid-2018 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  event "RPC mountd TCP dump request"
+  tcp-state established,originator
+  payload /.{7}\x00\x00\x00\x00/
+  payload /.{15}\x00\x01\x86\xA5.{4}\x00\x00\x00\x02/
+  }
+
+signature sid-2019 {
+  ip-proto == udp
+  src-ip != local_nets
+  dst-ip == local_nets
+  event "RPC mountd UDP dump request"
+  payload /.{3}\x00\x00\x00\x00/
+  payload /.{11}\x00\x01\x86\xA5.{4}\x00\x00\x00\x02/
+  }
+
+signature sid-2020 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  event "RPC mountd TCP unmount request"
+  tcp-state established,originator
+  payload /.{7}\x00\x00\x00\x00/
+  payload /.{15}\x00\x01\x86\xA5.{4}\x00\x00\x00\x03/
+  }
+
+signature sid-2021 {
+  ip-proto == udp
+  src-ip != local_nets
+  dst-ip == local_nets
+  event "RPC mountd UDP unmount request"
+  payload /.{3}\x00\x00\x00\x00/
+  payload /.{11}\x00\x01\x86\xA5.{4}\x00\x00\x00\x03/
+  }
+
+signature sid-2022 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  event "RPC mountd TCP unmountall request"
+  tcp-state established,originator
+  payload /.{7}\x00\x00\x00\x00/
+  payload /.{15}\x00\x01\x86\xA5.{4}\x00\x00\x00\x04/
+  }
+
+signature sid-2023 {
+  ip-proto == udp
+  src-ip != local_nets
+  dst-ip == local_nets
+  event "RPC mountd UDP unmountall request"
+  payload /.{3}\x00\x00\x00\x00/
+  payload /.{11}\x00\x01\x86\xA5.{4}\x00\x00\x00\x04/
+  }
+
+signature sid-1905 {
+  ip-proto == udp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port >= 500
+  dst-port <= 65535
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC AMD UDP amqproc_mount plog overflow attempt"
+  # Not supported: byte_test: 4,>,512,0,relative
+  payload /.{3}\x00\x00\x00\x00/
+  payload /.{11}\x00\x04\x93\xF3.{4}\x00\x00\x00\x07/
+  }
+
+signature sid-1906 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port >= 500
+  dst-port <= 65535
+  # Not supported: byte_test: 4,>,512,0,relative
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC AMD TCP amqproc_mount plog overflow attempt"
+  tcp-state established,originator
+  payload /.{7}\x00\x00\x00\x00/
+  payload /.{15}\x00\x04\x93\xF3.{4}\x00\x00\x00\x07/
+  }
+
+signature sid-1953 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port >= 500
+  dst-port <= 65535
+  event "RPC AMD TCP pid request"
+  tcp-state established,originator
+  payload /.{7}\x00\x00\x00\x00/
+  payload /.{15}\x00\x04\x93\xF3.{4}\x00\x00\x00\x09/
+  }
+
+signature sid-1954 {
+  ip-proto == udp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port >= 500
+  dst-port <= 65535
+  event "RPC AMD UDP pid request"
+  payload /.{3}\x00\x00\x00\x00/
+  payload /.{11}\x00\x04\x93\xF3.{4}\x00\x00\x00\x09/
+  }
+
+signature sid-1955 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port >= 500
+  dst-port <= 65535
+  event "RPC AMD TCP version request"
+  tcp-state established,originator
+  payload /.{7}\x00\x00\x00\x00/
+  payload /.{15}\x00\x04\x93\xF3.{4}\x00\x00\x00\x08/
+  }
+
+signature sid-1956 {
+  ip-proto == udp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port >= 500
+  dst-port <= 65535
+  event "RPC AMD UDP version request"
+  payload /.{3}\x00\x00\x00\x00/
+  payload /.{11}\x00\x04\x93\xF3.{4}\x00\x00\x00\x08/
+  }
+
+signature sid-578 {
+  ip-proto == udp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 111
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC portmap cmsd request UDP"
+  payload /.{3}\x00\x00\x00\x00/
+  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xE4/
+  }
+
+signature sid-1265 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 111
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC portmap cmsd request TCP"
+  tcp-state established,originator
+  payload /.{7}\x00\x00\x00\x00/
+  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xE4/
+  }
+
+signature sid-1907 {
+  ip-proto == udp
+  src-ip != local_nets
+  dst-ip == local_nets
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC CMSD UDP CMSD_CREATE buffer overflow attempt"
+  # Not supported: byte_test: 4,>,1024,0,relative
+  payload /.{3}\x00\x00\x00\x00/
+  payload /.{11}\x00\x01\x86\xE4.{4}\x00\x00\x00\x15/
+  }
+
+signature sid-1908 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  # Not supported: byte_test: 4,>,1024,0,relative
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC CMSD TCP CMSD_CREATE buffer overflow attempt"
+  tcp-state established,originator
+  payload /.{7}\x00\x00\x00\x00/
+  payload /.{15}\x00\x01\x86\xE4.{4}\x00\x00\x00\x15/
+  }
+
+signature sid-2094 {
+  ip-proto == udp
+  src-ip != local_nets
+  dst-ip == local_nets
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC CMSD UDP CMSD_CREATE array buffer overflow attempt"
+  # Not supported: byte_test: 4,>,1024,20,relative
+  payload /.{3}\x00\x00\x00\x00/
+  payload /.{11}\x00\x01\x86\xE4.{4}\x00\x00\x00\x15/
+  }
+
+signature sid-2095 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  # Not supported: byte_test: 4,>,1024,20,relative
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC CMSD TCP CMSD_CREATE array buffer overflow attempt"
+  tcp-state established,originator
+  payload /.{7}\x00\x00\x00\x00/
+  payload /.{15}\x00\x01\x86\xE4.{4}\x00\x00\x00\x15/
+  }
+
+signature sid-1909 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  # Not supported: byte_test: 4,>,1000,28,relative
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align,4,0,relative,align
+  event "RPC CMSD TCP CMSD_INSERT buffer overflow attempt"
+  tcp-state established,originator
+  payload /.{7}\x00\x00\x00\x00/
+  payload /.{15}\x00\x01\x86\xE4.{4}\x00\x00\x00\x06/
+  }
+
+signature sid-1910 {
+  ip-proto == udp
+  src-ip != local_nets
+  dst-ip == local_nets
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align,4,0,relative,align
+  event "RPC CMSD udp CMSD_INSERT buffer overflow attempt"
+  # Not supported: byte_test: 4,>,1000,28,relative
+  payload /.{3}\x00\x00\x00\x00/
+  payload /.{11}\x00\x01\x86\xE4.{4}\x00\x00\x00\x06/
+  }
+
+signature sid-1272 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 111
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC portmap sadmind request TCP"
+  tcp-state established,originator
+  payload /.{7}\x00\x00\x00\x00/
+  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x87\x88/
+  }
+
+signature sid-585 {
+  ip-proto == udp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 111
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC portmap sadmind request UDP"
+  payload /.{3}\x00\x00\x00\x00/
+  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x87\x88/
+  }
+
+signature sid-1911 {
+  ip-proto == udp
+  src-ip != local_nets
+  dst-ip == local_nets
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align,4,124,relative,align,4,20,relative,align
+  event "RPC sadmind UDP NETMGT_PROC_SERVICE CLIENT_DOMAIN overflow attempt"
+  # Not supported: byte_test: 4,>,512,4,relative
+  payload /.{3}\x00\x00\x00\x00/
+  payload /.{11}\x00\x01\x87\x88.{4}\x00\x00\x00\x01/
+  }
+
+signature sid-1912 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  # Not supported: byte_test: 4,>,512,4,relative
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align,4,124,relative,align,4,20,relative,align
+  event "RPC sadmind TCP NETMGT_PROC_SERVICE CLIENT_DOMAIN overflow attempt"
+  tcp-state established,originator
+  payload /.{7}\x00\x00\x00\x00/
+  payload /.{15}\x00\x01\x87\x88.{4}\x00\x00\x00\x01/
+  }
+
+signature sid-1957 {
+  ip-proto == udp
+  src-ip != local_nets
+  dst-ip == local_nets
+  event "RPC sadmind UDP PING"
+  payload /.{3}\x00\x00\x00\x00/
+  payload /.{11}\x00\x01\x87\x88.{4}\x00\x00\x00\x00/
+  }
+
+signature sid-1958 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  event "RPC sadmind TCP PING"
+  tcp-state established,originator
+  payload /.{7}\x00\x00\x00\x00/
+  payload /.{15}\x00\x01\x87\x88.{4}\x00\x00\x00\x00/
+  }
+
+signature sid-583 {
+  ip-proto == udp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 111
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC portmap rstatd request UDP"
+  payload /.{3}\x00\x00\x00\x00/
+  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xA1/
+  }
+
+signature sid-1270 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 111
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC portmap rstatd request TCP"
+  tcp-state established,originator
+  payload /.{7}\x00\x00\x00\x00/
+  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xA1/
+  }
+
+signature sid-1913 {
+  ip-proto == udp
+  src-ip != local_nets
+  dst-ip == local_nets
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC STATD UDP stat mon_name format string exploit attempt"
+  # Not supported: byte_test: 4,>,100,0,relative
+  payload /.{3}\x00\x00\x00\x00/
+  payload /.{11}\x00\x01\x86\xB8.{4}\x00\x00\x00\x01/
+  }
+
+signature sid-1914 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  # Not supported: byte_test: 4,>,100,0,relative
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC STATD TCP stat mon_name format string exploit attempt"
+  tcp-state established,originator
+  payload /.{7}\x00\x00\x00\x00/
+  payload /.{15}\x00\x01\x86\xB8.{4}\x00\x00\x00\x01/
+  }
+
+signature sid-1915 {
+  ip-proto == udp
+  src-ip != local_nets
+  dst-ip == local_nets
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC STATD UDP monitor mon_name format string exploit attempt"
+  # Not supported: byte_test: 4,>,100,0,relative
+  payload /.{3}\x00\x00\x00\x00/
+  payload /.{11}\x00\x01\x86\xB8.{4}\x00\x00\x00\x02/
+  }
+
+signature sid-1916 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  # Not supported: byte_test: 4,>,100,0,relative
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC STATD TCP monitor mon_name format string exploit attempt"
+  tcp-state established,originator
+  payload /.{7}\x00\x00\x00\x00/
+  payload /.{15}\x00\x01\x86\xB8.{4}\x00\x00\x00\x02/
+  }
+
+signature sid-1277 {
+  ip-proto == udp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 111
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC portmap ypupdated request UDP"
+  payload /.{3}\x00\x00\x00\x00/
+  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xBC/
+  }
+
+signature sid-591 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 111
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC portmap ypupdated request TCP"
+  tcp-state established,originator
+  payload /.{7}\x00\x00\x00\x00/
+  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xBC/
+  }
+
+signature sid-2088 {
+  ip-proto == udp
+  src-ip != local_nets
+  dst-ip == local_nets
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC ypupdated arbitrary command attempt UDP"
+  payload /.{3}\x00\x00\x00\x00/
+  payload /.{11}\x00\x01\x86\xBC.{4}\x00\x00\x00\x01.{4}.*\|/
+  }
+
+signature sid-2089 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC ypupdated arbitrary command attempt TCP"
+  tcp-state established,originator
+  payload /.{7}\x00\x00\x00\x00/
+  payload /.{15}\x00\x01\x86\xBC.{4}\x00\x00\x00\x01.{4}.*\|/
+  }
+
+signature sid-1959 {
+  ip-proto == udp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 111
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC portmap NFS request UDP"
+  payload /.{3}\x00\x00\x00\x00/
+  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xA3/
+  }
+
+signature sid-1960 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 111
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC portmap NFS request TCP"
+  tcp-state established,originator
+  payload /.{7}\x00\x00\x00\x00/
+  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xA3/
+  }
+
+signature sid-1961 {
+  ip-proto == udp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 111
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC portmap RQUOTA request UDP"
+  payload /.{3}\x00\x00\x00\x00/
+  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xAB/
+  }
+
+signature sid-1962 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 111
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC portmap RQUOTA request TCP"
+  tcp-state established,originator
+  payload /.{7}\x00\x00\x00\x00/
+  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xAB/
+  }
+
+signature sid-1963 {
+  ip-proto == udp
+  src-ip != local_nets
+  dst-ip == local_nets
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC RQUOTA getquota overflow attempt UDP"
+  # Not supported: byte_test: 4,>,128,0,relative
+  payload /.{3}\x00\x00\x00\x00/
+  payload /.{11}\x00\x01\x86\xAB.{4}\x00\x00\x00\x01/
+  }
+
+signature sid-2024 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC RQUOTA getquota overflow attempt TCP"
+  # Not supported: byte_test: 4,>,128,0,relative
+  payload /.{7}\x00\x00\x00\x00/
+  payload /.{15}\x00\x01\x86\xAB.{4}\x00\x00\x00\x01/
+  }
+
+signature sid-588 {
+  ip-proto == udp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 111
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC portmap ttdbserv request UDP"
+  payload /.{3}\x00\x00\x00\x00/
+  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xF3/
+  }
+
+signature sid-1274 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 111
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC portmap ttdbserv request TCP"
+  tcp-state established,originator
+  payload /.{7}\x00\x00\x00\x00/
+  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xF3/
+  }
+
+signature sid-1964 {
+  ip-proto == udp
+  src-ip != local_nets
+  dst-ip == local_nets
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC tooltalk UDP overflow attempt"
+  # Not supported: byte_test: 4,>,128,0,relative
+  payload /.{3}\x00\x00\x00\x00/
+  payload /.{11}\x00\x01\x86\xF3.{4}\x00\x00\x00\x07/
+  }
+
+signature sid-1965 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  # Not supported: byte_test: 4,>,128,0,relative
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC tooltalk TCP overflow attempt"
+  tcp-state established,originator
+  payload /.{7}\x00\x00\x00\x00/
+  payload /.{15}\x00\x01\x86\xF3.{4}\x00\x00\x00\x07/
+  }
+
+signature sid-589 {
+  ip-proto == udp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 111
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC portmap yppasswd request UDP"
+  payload /.{3}\x00\x00\x00\x00/
+  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xA9/
+  }
+
+signature sid-1275 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 111
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC portmap yppasswd request TCP"
+  tcp-state established,originator
+  payload /.{7}\x00\x00\x00\x00/
+  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xA9/
+  }
+
+signature sid-2027 {
+  ip-proto == udp
+  src-ip != local_nets
+  dst-ip == local_nets
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  # Not supported: byte_test: 4,>,64,0,relative
+  event "RPC yppasswd old password overflow attempt UDP"
+  payload /.{3}\x00\x00\x00\x00/
+  payload /.{11}\x00\x01\x86\xA9.{4}\x00\x00\x00\x01/
+  }
+
+signature sid-2028 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  # Not supported: byte_test: 4,>,64,0,relative
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC yppasswd old password overflow attempt TCP"
+  tcp-state established,originator
+  payload /.{7}\x00\x00\x00\x00/
+  payload /.{15}\x00\x01\x86\xA9.{4}\x00\x00\x00\x01/
+  }
+
+signature sid-2025 {
+  ip-proto == udp
+  src-ip != local_nets
+  dst-ip == local_nets
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align,4,0,relative,align
+  event "RPC yppasswd username overflow attempt UDP"
+  # Not supported: byte_test: 4,>,64,0,relative
+  payload /.{3}\x00\x00\x00\x00/
+  payload /.{11}\x00\x01\x86\xA9.{4}\x00\x00\x00\x01/
+  }
+
+signature sid-2026 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  # Not supported: byte_test: 4,>,64,0,relative
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align,4,0,relative,align
+  event "RPC yppasswd username overflow attempt TCP"
+  tcp-state established,originator
+  payload /.{7}\x00\x00\x00\x00/
+  payload /.{15}\x00\x01\x86\xA9.{4}\x00\x00\x00\x01/
+  }
+
+signature sid-2029 {
+  ip-proto == udp
+  src-ip != local_nets
+  dst-ip == local_nets
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align,4,0,relative,align,4,0,relative,align
+  # Not supported: byte_test: 4,>,64,0,relative
+  event "RPC yppasswd new password overflow attempt UDP"
+  payload /.{3}\x00\x00\x00\x00/
+  payload /.{11}\x00\x01\x86\xA9.{4}\x00\x00\x00\x01/
+  }
+
+signature sid-2030 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  # Not supported: byte_test: 4,>,64,0,relative
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align,4,0,relative,align,4,0,relative,align
+  event "RPC yppasswd new password overflow attempt TCP"
+  tcp-state established,originator
+  payload /.{7}\x00\x00\x00\x00/
+  payload /.{15}\x00\x01\x86\xA9.{4}\x00\x00\x00\x01/
+  }
+
+signature sid-2031 {
+  ip-proto == udp
+  src-ip != local_nets
+  dst-ip == local_nets
+  event "RPC yppasswd user update UDP"
+  payload /.{3}\x00\x00\x00\x00/
+  payload /.{11}\x00\x01\x86\xA9.{4}\x00\x00\x00\x01/
+  }
+
+signature sid-2032 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  event "RPC yppasswd user update TCP"
+  tcp-state established,originator
+  payload /.{7}\x00\x00\x00\x00/
+  payload /.{15}\x00\x01\x86\xA9.{4}\x00\x00\x00\x01/
+  }
+
+signature sid-590 {
+  ip-proto == udp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 111
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC portmap ypserv request UDP"
+  payload /.{3}\x00\x00\x00\x00/
+  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xA4/
+  }
+
+signature sid-1276 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 111
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC portmap ypserv request TCP"
+  tcp-state established,originator
+  payload /.{7}\x00\x00\x00\x00/
+  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xA4/
+  }
+
+signature sid-2033 {
+  ip-proto == udp
+  src-ip != local_nets
+  dst-ip == local_nets
+  event "RPC ypserv maplist request UDP"
+  payload /.{3}\x00\x00\x00\x00/
+  payload /.{11}\x00\x01\x86\xA4.{4}\x00\x00\x00\x0B/
+  }
+
+signature sid-2034 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  event "RPC ypserv maplist request TCP"
+  tcp-state established,originator
+  payload /.{7}\x00\x00\x00\x00/
+  payload /.{15}\x00\x01\x86\xA4.{4}\x00\x00\x00\x0B/
+  }
+
+signature sid-2035 {
+  ip-proto == udp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 111
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC portmap network-status-monitor request UDP"
+  payload /.{3}\x00\x00\x00\x00/
+  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x03\x0D\x70/
+  }
+
+signature sid-2036 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 111
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC portmap network-status-monitor request TCP"
+  tcp-state established,originator
+  payload /.{7}\x00\x00\x00\x00/
+  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x03\x0D\x70/
+  }
+
+signature sid-2037 {
+  ip-proto == udp
+  src-ip != local_nets
+  dst-ip == local_nets
+  event "RPC network-status-monitor mon-callback request UDP"
+  payload /.{3}\x00\x00\x00\x00/
+  payload /.{11}\x00\x03\x0D\x70.{4}\x00\x00\x00\x01/
+  }
+
+signature sid-2038 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  event "RPC network-status-monitor mon-callback request TCP"
+  tcp-state established,originator
+  payload /.{7}\x00\x00\x00\x00/
+  payload /.{15}\x00\x03\x0D\x70.{4}\x00\x00\x00\x01/
+  }
+
+signature sid-2079 {
+  ip-proto == udp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 111
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC portmap nlockmgr request UDP"
+  payload /.{3}\x00\x00\x00\x00/
+  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xB5/
+  }
+
+signature sid-2080 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 111
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC portmap nlockmgr request TCP"
+  tcp-state established,originator
+  payload /.{7}\x00\x00\x00\x00/
+  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xB5/
+  }
+
+signature sid-2081 {
+  ip-proto == udp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 111
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC portmap rpc.xfsmd request UDP"
+  payload /.{3}\x00\x00\x00\x00/
+  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x05\xF7\x68/
+  }
+
+signature sid-2082 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 111
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC portmap rpc.xfsmd request TCP"
+  tcp-state established,originator
+  payload /.{7}\x00\x00\x00\x00/
+  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x05\xF7\x68/
+  }
+
+signature sid-2083 {
+  ip-proto == udp
+  src-ip != local_nets
+  dst-ip == local_nets
+  event "RPC rpc.xfsmd xfs_export attempt UDP"
+  payload /.{3}\x00\x00\x00\x00/
+  payload /.{11}\x00\x05\xF7\x68.{4}\x00\x00\x00\x0D/
+  }
+
+signature sid-2084 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  event "RPC rpc.xfsmd xfs_export attempt TCP"
+  tcp-state established,originator
+  payload /.{7}\x00\x00\x00\x00/
+  payload /.{15}\x00\x05\xF7\x68.{4}\x00\x00\x00\x0D/
+  }
+
+signature sid-2005 {
+  ip-proto == udp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 111
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC portmap kcms_server request UDP"
+  payload /.{3}\x00\x00\x00\x00/
+  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x87\x7D/
+  }
+
+signature sid-2006 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 111
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC portmap kcms_server request TCP"
+  tcp-state established,originator
+  payload /.{7}\x00\x00\x00\x00/
+  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x87\x7D/
+  }
+
+signature sid-2007 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port >= 32771
+  dst-port <= 34000
+  # Not supported: byte_jump: 4,20,relative,align,4,4,relative,align
+  event "RPC kcms_server directory traversal attempt"
+  tcp-state established,originator
+  payload /.{7}\x00\x00\x00\x00/
+  payload /.{15}\x00\x01\x87\x7D.*.{0}.*\/\.\.\//
+  }
+
+signature sid-601 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 513
+  event "RSERVICES rlogin LinuxNIS"
+  tcp-state established,originator
+  payload /.*\x3a\x3a\x3a\x3a\x3a\x3a\x3a\x3a\x00\x3a\x3a\x3a\x3a\x3a\x3a\x3a\x3a/
+  }
+
+signature sid-602 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 513
+  event "RSERVICES rlogin bin"
+  tcp-state established,originator
+  payload /.*bin\x00bin\x00/
+  }
+
+signature sid-603 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 513
+  event "RSERVICES rlogin echo++"
+  tcp-state established,originator
+  payload /.*echo \x22 \+ \+ \x22/
+  }
+
+signature sid-604 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 513
+  event "RSERVICES rsh froot"
+  tcp-state established,originator
+  payload /.*-froot\x00/
+  }
+
+signature sid-611 {
+  ip-proto == tcp
+  src-ip == local_nets
+  dst-ip != local_nets
+  src-port == 513
+  event "RSERVICES rlogin login failure"
+  tcp-state established,responder
+  payload /.*\x01rlogind\x3a Permission denied\./
+  }
+
+signature sid-605 {
+  ip-proto == tcp
+  src-ip == local_nets
+  dst-ip != local_nets
+  src-port == 513
+  event "RSERVICES rlogin login failure"
+  tcp-state established,responder
+  payload /.*login incorrect/
+  }
+
+signature sid-606 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 513
+  event "RSERVICES rlogin root"
+  tcp-state established,originator
+  payload /.*root\x00root\x00/
+  }
+
+signature sid-607 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 514
+  event "RSERVICES rsh bin"
+  tcp-state established,originator
+  payload /.*bin\x00bin\x00/
+  }
+
+signature sid-608 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 514
+  event "RSERVICES rsh echo + +"
+  tcp-state established,originator
+  payload /.*echo \x22\+ \+\x22/
+  }
+
+signature sid-609 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 514
+  event "RSERVICES rsh froot"
+  tcp-state established,originator
+  payload /.*-froot\x00/
+  }
+
+signature sid-610 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 514
+  event "RSERVICES rsh root"
+  tcp-state established,originator
+  payload /.*root\x00root\x00/
+  }
+
+signature sid-2113 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 512
+  event "RSERVICES rexec username overflow attempt"
+  payload /.{8}.*\x00.*.{0}.*\x00.*.{0}.*\x00/
+  }
+
+signature sid-2114 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 512
+  event "RSERVICES rexec password overflow attempt"
+  payload /.*\x00.{33}.*\x00.*.{0}.*\x00/
+  }
+
+signature sid-268 {
+  src-ip != local_nets
+  dst-ip == local_nets
+  payload-size == 408
+  event "DOS Jolt attack"
+  header ip[6:1] & 224 == 32
+  }
+
+signature sid-270 {
+  ip-proto == udp
+  src-ip != local_nets
+  dst-ip == local_nets
+  event "DOS Teardrop attack"
+  header ip[6:1] & 224 == 32
+  header ip[4:2] == 242
+  }
+
+signature sid-271-a {
+  ip-proto == udp
+  src-port == 7
+  dst-port == 19
+  event "DOS UDP echo+chargen bomb"
+  }
+
+signature sid-271-b {
+  ip-proto == udp
+  src-port == 19
+  dst-port == 7
+  event "DOS UDP echo+chargen bomb"
+  }
+
+signature sid-272 {
+  src-ip != local_nets
+  dst-ip == local_nets
+  header ip[9:1] == 2
+  event "DOS IGMP dos attack"
+  header ip[6:1] & 224 == 32
+  payload /\x02\x00/
+  }
+
+signature sid-273 {
+  src-ip != local_nets
+  dst-ip == local_nets
+  header ip[9:1] == 2
+  event "DOS IGMP dos attack"
+  header ip[6:1] & 224 == 32
+  payload /\x00\x00/
+  }
+
+signature sid-274 {
+  ip-proto == icmp
+  src-ip != local_nets
+  dst-ip == local_nets
+  header icmp[0:1] == 8
+  event "DOS ath"
+  payload /.*\+\+\+[aA][tT][hH]/
+  }
+
+signature sid-275-a {
+  ip-proto == tcp
+  src-ip == local_nets
+  dst-ip != local_nets
+  header tcp[13:1] & 255 == 2
+  header tcp[4:4] == 6060842
+  event "DOS NAPTHA"
+  header ip[4:2] == 413
+  }
+
+signature sid-275-b {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  header tcp[13:1] & 255 == 2
+  header tcp[4:4] == 6060842
+  event "DOS NAPTHA"
+  header ip[4:2] == 413
+  }
+
+signature sid-276 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 7070
+  event "DOS Real Audio Server"
+  tcp-state established,originator
+  payload /.*\xff\xf4\xff\xfd\x06/
+  }
+
+signature sid-277 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 7070
+  event "DOS Real Server template.html"
+  tcp-state established,originator
+  payload /.*\/[vV][iI][eE][wW][sS][oO][uU][rR][cC][eE]\/[tT][eE][mM][pP][lL][aA][tT][eE]\.[hH][tT][mM][lL]\?/
+  }
+
+signature sid-278 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 8080
+  event "DOS Real Server template.html"
+  tcp-state established,originator
+  payload /.*\/[vV][iI][eE][wW][sS][oO][uU][rR][cC][eE]\/[tT][eE][mM][pP][lL][aA][tT][eE]\.[hH][tT][mM][lL]\?/
+  }
+
+signature sid-279 {
+  ip-proto == udp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 161
+  payload-size == 0
+  event "DOS Bay/Nortel Nautica Marlin"
+  }
+
+signature sid-281 {
+  ip-proto == udp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 9
+  event "DOS Ascend Route"
+  payload /.{24}.{0,17}\x4e\x41\x4d\x45\x4e\x41\x4d\x45/
+  }
+
+signature sid-282 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 617
+  payload-size > 1445
+  event "DOS arkiea backup"
+  tcp-state established,originator
+  }
+
+signature sid-1257 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port >= 135
+  dst-port <= 139
+  header tcp[13:1] & 255 == 32
+  event "DOS Winnuke attack"
+  }
+
+signature sid-1408 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 3372
+  payload-size > 1023
+  event "DOS MSDTC attempt"
+  tcp-state established,originator
+  }
+
+signature sid-1605 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 6004
+  event "DOS iParty DOS attempt"
+  tcp-state established,originator
+  payload /.*\xFF\xFF\xFF\xFF\xFF\xFF/
+  }
+
+signature sid-1641 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port >= 6789
+  dst-port <= 6790
+  payload-size == 1
+  event "DOS DB2 dos attempt"
+  tcp-state established,originator
+  }
+
+signature sid-1545 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == 80
+  payload-size == 1
+  event "DOS Cisco attempt"
+  tcp-state established,originator
+  payload /\x13/
+  }
+
+signature sid-221 {
+  ip-proto == icmp
+  src-ip != local_nets
+  dst-ip == local_nets
+  header icmp[0:1] == 8
+  event "DDOS TFN Probe"
+  header ip[4:2] == 678
+  payload /.*1234/
+  }
+
+signature sid-222 {
+  ip-proto == icmp
+  src-ip != local_nets
+  dst-ip == local_nets
+  header icmp[0:1] == 0
+  event "DDOS tfn2k icmp possible communication"
+  header icmp[0:1] == 0,8
+  header icmp[4:2] == 0
+  payload /.*AAAAAAAAAA/
+  }
+
+signature sid-223 {
+  ip-proto == udp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 31335
+  event "DDOS Trin00:DaemontoMaster(PONGdetected)"
+  payload /.*PONG/
+  }
+
+signature sid-228 {
+  ip-proto == icmp
+  src-ip != local_nets
+  dst-ip == local_nets
+  header icmp[0:1] == 0
+  header icmp[0:1] == 0,8
+  header icmp[6:2] == 0
+  event "DDOS TFN client command BE"
+  header icmp[0:1] == 0,8
+  header icmp[4:2] == 456
+  }
+
+signature sid-230 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 20432
+  event "DDOS shaft client to handler"
+  tcp-state established
+  }
+
+signature sid-231 {
+  ip-proto == udp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 31335
+  event "DDOS Trin00:DaemontoMaster(messagedetected)"
+  payload /.*l44/
+  }
+
+signature sid-232 {
+  ip-proto == udp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 31335
+  event "DDOS Trin00:DaemontoMaster(*HELLO*detected)"
+  payload /.*\*HELLO\*/
+  }
+
+signature sid-233 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 27665
+  event "DDOS Trin00:Attacker to Master default startup password"
+  tcp-state established,originator
+  payload /.*betaalmostdone/
+  }
+
+signature sid-234 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 27665
+  event "DDOS Trin00 Attacker to Master default password"
+  tcp-state established,originator
+  payload /.*gOrave/
+  }
+
+signature sid-235 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 27665
+  event "DDOS Trin00 Attacker to Master default mdie password"
+  tcp-state established,originator
+  payload /.*killme/
+  }
+
+signature sid-237 {
+  ip-proto == udp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 27444
+  event "DDOS Trin00:MastertoDaemon(defaultpassdetected!)"
+  payload /.*l44adsl/
+  }
+
+signature sid-238 {
+  ip-proto == icmp
+  src-ip == local_nets
+  dst-ip != local_nets
+  header icmp[0:1] == 0
+  header icmp[0:1] == 0,8
+  header icmp[6:2] == 0
+  event "DDOS TFN server response"
+  header icmp[0:1] == 0,8
+  header icmp[4:2] == 123
+  payload /.*shell bound to port/
+  }
+
+signature sid-239 {
+  ip-proto == udp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 18753
+  event "DDOS shaft handler to agent"
+  payload /.*alive tijgu/
+  }
+
+signature sid-240 {
+  ip-proto == udp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 20433
+  event "DDOS shaft agent to handler"
+  payload /.*alive/
+  }
+
+signature sid-241-a {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  header tcp[13:1] & 255 == 2
+  header tcp[4:4] == 674711609
+  event "DDOS shaft synflood"
+  }
+
+signature sid-241-b {
+  ip-proto == tcp
+  src-ip == local_nets
+  dst-ip != local_nets
+  header tcp[13:1] & 255 == 2
+  header tcp[4:4] == 674711609
+  event "DDOS shaft synflood"
+  }
+
+signature sid-243 {
+  ip-proto == udp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 6838
+  event "DDOS mstream agent to handler"
+  payload /.*newserver/
+  }
+
+signature sid-244 {
+  ip-proto == udp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 10498
+  event "DDOS mstream handler to agent"
+  payload /.*stream\//
+  }
+
+signature sid-245 {
+  ip-proto == udp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 10498
+  event "\"DDOS mstream handler ping to agent\" "
+  payload /.*ping/
+  }
+
+signature sid-246 {
+  ip-proto == udp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 10498
+  event "\"DDOS mstream agent pong to handler\" "
+  payload /.*pong/
+  }
+
+signature sid-247 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 12754
+  event "DDOS mstream client to handler"
+  tcp-state established,originator
+  payload /.*>/
+  }
+
+signature sid-248 {
+  ip-proto == tcp
+  src-ip == local_nets
+  dst-ip != local_nets
+  src-port == 12754
+  event "DDOS mstream handler to client"
+  tcp-state established,responder
+  payload /.*>/
+  }
+
+signature sid-249 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 15104
+  header tcp[13:1] & 255 == 2
+  event "DDOS mstream client to handler"
+  }
+
+signature sid-250 {
+  ip-proto == tcp
+  src-ip == local_nets
+  dst-ip != local_nets
+  src-port == 15104
+  event "DDOS mstream handler to client"
+  tcp-state established,responder
+  payload /.*>/
+  }
+
+signature sid-251 {
+  ip-proto == icmp
+  src-ip != local_nets
+  dst-ip == local_nets
+  header icmp[0:1] == 0
+  header icmp[0:1] == 0,8
+  header icmp[6:2] == 0
+  event "DDOS - TFN client command LE"
+  header icmp[0:1] == 0,8
+  header icmp[4:2] == 51201
+  }
+
+signature sid-224 {
+  ip-proto == icmp
+  src-ip == 3.3.3.3/32
+  dst-ip != local_nets
+  header icmp[0:1] == 0
+  event "DDOS Stacheldraht server spoof"
+  header icmp[0:1] == 0,8
+  header icmp[4:2] == 666
+  }
+
+signature sid-225 {
+  ip-proto == icmp
+  src-ip == local_nets
+  dst-ip != local_nets
+  header icmp[0:1] == 0
+  event "DDOS Stacheldraht gag server response"
+  header icmp[0:1] == 0,8
+  header icmp[4:2] == 669
+  payload /.*sicken/
+  }
+
+signature sid-226 {
+  ip-proto == icmp
+  src-ip == local_nets
+  dst-ip != local_nets
+  header icmp[0:1] == 0
+  event "DDOS Stacheldraht server response"
+  header icmp[0:1] == 0,8
+  header icmp[4:2] == 667
+  payload /.*ficken/
+  }
+
+signature sid-227 {
+  ip-proto == icmp
+  src-ip != local_nets
+  dst-ip == local_nets
+  header icmp[0:1] == 0
+  event "DDOS Stacheldraht client spoofworks"
+  header icmp[0:1] == 0,8
+  header icmp[4:2] == 1000
+  payload /.*spoofworks/
+  }
+
+signature sid-236 {
+  ip-proto == icmp
+  src-ip != local_nets
+  dst-ip == local_nets
+  header icmp[0:1] == 0
+  event "DDOS Stacheldraht client check gag"
+  header icmp[0:1] == 0,8
+  header icmp[4:2] == 668
+  payload /.*gesundheit!/
+  }
+
+signature sid-229 {
+  ip-proto == icmp
+  src-ip != local_nets
+  dst-ip == local_nets
+  header icmp[0:1] == 0
+  event "DDOS Stacheldraht client check skillz"
+  header icmp[0:1] == 0,8
+  header icmp[4:2] == 666
+  payload /.*skillz/
+  }
+
+signature sid-1854-a {
+  ip-proto == icmp
+  src-ip == local_nets
+  dst-ip != local_nets
+  header icmp[0:1] == 0
+  event "DDOS Stacheldraht handler->agent (niggahbitch)"
+  header icmp[0:1] == 0,8
+  header icmp[4:2] == 9015
+  payload /.*niggahbitch/
+  }
+
+signature sid-1854-b {
+  ip-proto == icmp
+  src-ip != local_nets
+  dst-ip == local_nets
+  header icmp[0:1] == 0
+  event "DDOS Stacheldraht handler->agent (niggahbitch)"
+  header icmp[0:1] == 0,8
+  header icmp[4:2] == 9015
+  payload /.*niggahbitch/
+  }
+
+signature sid-1855-a {
+  ip-proto == icmp
+  src-ip == local_nets
+  dst-ip != local_nets
+  header icmp[0:1] == 0
+  event "DDOS Stacheldraht agent->handler (skillz)"
+  header icmp[0:1] == 0,8
+  header icmp[4:2] == 6666
+  payload /.*skillz/
+  }
+
+signature sid-1855-b {
+  ip-proto == icmp
+  src-ip != local_nets
+  dst-ip == local_nets
+  header icmp[0:1] == 0
+  event "DDOS Stacheldraht agent->handler (skillz)"
+  header icmp[0:1] == 0,8
+  header icmp[4:2] == 6666
+  payload /.*skillz/
+  }
+
+signature sid-1856-a {
+  ip-proto == icmp
+  src-ip == local_nets
+  dst-ip != local_nets
+  header icmp[0:1] == 0
+  event "DDOS Stacheldraht handler->agent (ficken)"
+  header icmp[0:1] == 0,8
+  header icmp[4:2] == 6667
+  payload /.*ficken/
+  }
+
+signature sid-1856-b {
+  ip-proto == icmp
+  src-ip != local_nets
+  dst-ip == local_nets
+  header icmp[0:1] == 0
+  event "DDOS Stacheldraht handler->agent (ficken)"
+  header icmp[0:1] == 0,8
+  header icmp[4:2] == 6667
+  payload /.*ficken/
+  }
+
+signature sid-255 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 53
+  event "DNS zone transfer TCP"
+  tcp-state established,originator
+  payload /.{14}.*\x00\x00\xFC/
+  }
+
+signature sid-1948 {
+  ip-proto == udp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 53
+  event "DNS zone transfer UDP"
+  payload /.{13}.*\x00\x00\xFC/
+  }
+
+signature sid-1435 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 53
+  event "DNS named authors attempt"
+  tcp-state established,originator
+  payload /.{11}.*\x07[aA][uU][tT][hH][oO][rR][sS]/
+  payload /.{11}.*\x04[bB][iI][nN][dD]/
+  }
+
+signature sid-256 {
+  ip-proto == udp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 53
+  event "DNS named authors attempt"
+  payload /.{11}.*\x07[aA][uU][tT][hH][oO][rR][sS]/
+  payload /.{11}.*\x04[bB][iI][nN][dD]/
+  }
+
+signature sid-257 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 53
+  event "DNS named version attempt"
+  tcp-state established,originator
+  payload /.{11}.*\x07[vV][eE][rR][sS][iI][oO][nN]/
+  payload /.{11}.*\x04[bB][iI][nN][dD]/
+  }
+
+signature sid-1616 {
+  ip-proto == udp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 53
+  event "DNS named version attempt"
+  payload /.{11}.*\x07[vV][eE][rR][sS][iI][oO][nN]/
+  payload /.{11}.*\x04[bB][iI][nN][dD]/
+  }
+
+signature sid-253 {
+  ip-proto == udp
+  src-ip != local_nets
+  dst-ip == local_nets
+  src-port == 53
+  event "DNS SPOOF query response PTR with TTL: 1 min. and no authority"
+  payload /.*\x85\x80\x00\x01\x00\x01\x00\x00\x00\x00/
+  payload /.*\xc0\x0c\x00\x0c\x00\x01\x00\x00\x00\x3c\x00\x0f/
+  }
+
+signature sid-254 {
+  ip-proto == udp
+  src-ip != local_nets
+  dst-ip == local_nets
+  src-port == 53
+  event "DNS SPOOF query response with ttl: 1 min. and no authority"
+  payload /.*\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00/
+  payload /.*\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x3c\x00\x04/
+  }
+
+signature sid-258 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 53
+  event "DNS EXPLOIT named 8.2->8.2.1"
+  tcp-state established,originator
+  payload /.*\.\.\/\.\.\/\.\.\//
+  }
+
+signature sid-303 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 53
+  event "DNS EXPLOIT named tsig overflow attempt"
+  tcp-state established,originator
+  payload /.*\xAB\xCD\x09\x80\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x01\x00\x01\x20\x20\x20\x20\x02\x61/
+  }
+
+signature sid-314 {
+  ip-proto == udp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 53
+  event "DNS EXPLOIT named tsig overflow attempt"
+  payload /.*\x80\x00\x07\x00\x00\x00\x00\x00\x01\x3F\x00\x01\x02/
+  }
+
+signature sid-259 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 53
+  event "DNS EXPLOIT named overflow (ADM)"
+  tcp-state established,originator
+  payload /.*thisissometempspaceforthesockinaddrinyeahyeahiknowthisislamebutanywaywhocareshorizongotitworkingsoalliscool/
+  }
+
+signature sid-260 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 53
+  event "DNS EXPLOIT named overflow (ADMROCKS)"
+  tcp-state established,originator
+  payload /.*ADMROCKS/
+  }
+
+signature sid-261 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 53
+  event "DNS EXPLOIT named overflow attempt"
+  tcp-state established,originator
+  payload /.*\xCD\x80\xE8\xD7\xFF\xFF\xFF\/bin\/sh/
+  }
+
+signature sid-262 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 53
+  event "DNS EXPLOIT x86 Linux overflow attempt"
+  tcp-state established,originator
+  payload /.*\x31\xc0\xb0\x3f\x31\xdb\xb3\xff\x31\xc9\xcd\x80\x31\xc0/
+  }
+
+signature sid-264 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 53
+  event "DNS EXPLOIT x86 Linux overflow attempt"
+  tcp-state established,originator
+  payload /.*\x31\xc0\xb0\x02\xcd\x80\x85\xc0\x75\x4c\xeb\x4c\x5e\xb0/
+  }
+
+signature sid-265 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 53
+  event "DNS EXPLOIT x86 Linux overflow attempt (ADMv2)"
+  tcp-state established,originator
+  payload /.*\x89\xf7\x29\xc7\x89\xf3\x89\xf9\x89\xf2\xac\x3c\xfe/
+  }
+
+signature sid-266 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 53
+  event "DNS EXPLOIT x86 FreeBSD overflow attempt"
+  tcp-state established,originator
+  payload /.*\xeb\x6e\x5e\xc6\x06\x9a\x31\xc9\x89\x4e\x01\xc6\x46\x05/
+  }
+
+signature sid-267 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 53
+  event "DNS EXPLOIT sparc overflow attempt"
+  tcp-state established,originator
+  payload /.*\x90\x1a\xc0\x0f\x90\x02\x20\x08\x92\x02\x20\x0f\xd0\x23\xbf\xf8/
+  }
+
+signature sid-1941 {
+  ip-proto == udp
+  dst-port == 69
+  event "TFTP filename overflow attempt"
+  payload /\x00\x01[^\x00]{100}/
+  }
+
+signature sid-1289 {
+  ip-proto == udp
+  dst-port == 69
+  event "TFTP GET Admin.dll"
+  payload /\x00\x01/
+  payload /.{1}.*[aA][dD][mM][iI][nN]\.[dD][lL][lL]/
+  }
+
+signature sid-1441 {
+  ip-proto == udp
+  dst-port == 69
+  event "TFTP GET nc.exe"
+  payload /\x00\x01/
+  payload /.{1}.*[nN][cC]\.[eE][xX][eE]/
+  }
+
+signature sid-1442 {
+  ip-proto == udp
+  dst-port == 69
+  event "TFTP GET shadow"
+  payload /\x00\x01/
+  payload /.{1}.*[sS][hH][aA][dD][oO][wW]/
+  }
+
+signature sid-1443 {
+  ip-proto == udp
+  dst-port == 69
+  event "TFTP GET passwd"
+  payload /\x00\x01/
+  payload /.{1}.*[pP][aA][sS][sS][wW][dD]/
+  }
+
+signature sid-519 {
+  ip-proto == udp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 69
+  event "TFTP parent directory"
+  payload /.{1}.*\.\./
+  }
+
+signature sid-520 {
+  ip-proto == udp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 69
+  event "TFTP root directory"
+  payload /\x00\x01\//
+  }
+
+signature sid-518 {
+  ip-proto == udp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 69
+  event "TFTP Put"
+  payload /\x00\x02/
+  }
+
+signature sid-1444 {
+  ip-proto == udp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 69
+  event "TFTP Get"
+  payload /\x00\x01/
+  }
+
+signature sid-803 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI HyperSeek hsx.cgi directory traversal attempt"
+  http /.*[\/\\]hsx\.cgi/
+  tcp-state established,originator
+  payload /.*\.\.\/\.\.\/.{1}.*%00/
+  }
+
+signature sid-1607 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI HyperSeek hsx.cgi access"
+  http /.*[\/\\]hsx\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-804 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI SWSoft ASPSeek Overflow attempt"
+  http /.*[\/\\]s\.cgi/
+  tcp-state established,originator
+  payload /.*[tT][mM][pP][lL]=/
+  }
+
+signature sid-805 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI webspeed access"
+  http /.*[\/\\]wsisa\.dll[\/\\]WService=/
+  tcp-state established,originator
+  payload /.*[wW][sS][mM][aA][dD][mM][iI][nN]/
+  }
+
+signature sid-806 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI yabb.cgi directory traversal attempt"
+  http /.*[\/\\]YaBB\.pl/
+  tcp-state established,originator
+  payload /.*\.\.\//
+  }
+
+signature sid-1637 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI yabb.cgi access"
+  http /.*[\/\\]YaBB\.pl/
+  tcp-state established,originator
+  }
+
+signature sid-807 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI /wwwboard/passwd.txt access"
+  http /.*[\/\\]wwwboard[\/\\]passwd\.txt/
+  tcp-state established,originator
+  }
+
+signature sid-808 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI webdriver access"
+  http /.*[\/\\]webdriver/
+  tcp-state established,originator
+  }
+
+signature sid-809 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI whois_raw.cgi arbitrary command execution attempt"
+  http /.*[\/\\]whois_raw\.cgi\?/
+  tcp-state established,originator
+  payload /.*\x0a/
+  }
+
+signature sid-810 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI whois_raw.cgi access"
+  http /.*[\/\\]whois_raw\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-811 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI websitepro path access"
+  tcp-state established,originator
+  payload /.* \/[hH][tT][tT][pP]\/1\./
+  }
+
+signature sid-812 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI webplus version access"
+  http /.*[\/\\]webplus\?about/
+  tcp-state established,originator
+  }
+
+signature sid-813 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI webplus directory traversal"
+  http /.*[\/\\]webplus\?script/
+  tcp-state established,originator
+  payload /.*\.\.\//
+  }
+
+signature sid-815 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI websendmail access"
+  http /.*[\/\\]websendmail/
+  tcp-state established,originator
+  }
+
+signature sid-1571 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI dcforum.cgi directory traversal attempt"
+  http /.*[\/\\]dcforum\.cgi/
+  tcp-state established,originator
+  payload /.*forum=\.\.\/\.\./
+  }
+
+signature sid-818 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI dcforum.cgi access"
+  http /.*[\/\\]dcforum\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-817 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI dcboard.cgi invalid user addition attempt"
+  http /.*[\/\\]dcboard\.cgi/
+  tcp-state established,originator
+  payload /.*command=register/
+  payload /.*%7cadmin/
+  }
+
+signature sid-1410 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI dcboard.cgi access"
+  http /.*[\/\\]dcboard\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-819 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI mmstdod.cgi access"
+  http /.*[\/\\]mmstdod\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-820 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI anaconda directory transversal attempt"
+  http /.*[\/\\]apexec\.pl/
+  tcp-state established,originator
+  payload /.*[tT][eE][mM][pP][lL][aA][tT][eE]=\.\.\//
+  }
+
+signature sid-821 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI imagemap.exe overflow attempt"
+  http /.*[\/\\]imagemap\.exe\?/
+  tcp-state established,originator
+  }
+
+signature sid-1700 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI imagemap.exe access"
+  http /.*[\/\\]imagemap\.exe/
+  tcp-state established,originator
+  }
+
+signature sid-823 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI cvsweb.cgi access"
+  http /.*[\/\\]cvsweb\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-824 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI php.cgi access"
+  http /.*[\/\\]php\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-825 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI glimpse access"
+  http /.*[\/\\]glimpse/
+  tcp-state established,originator
+  }
+
+signature sid-1608 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI htmlscript attempt"
+  http /.*[\/\\]htmlscript\?\.\.[\/\\]\.\./
+  tcp-state established,originator
+  }
+
+signature sid-826 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI htmlscript access"
+  http /.*[\/\\]htmlscript/
+  tcp-state established,originator
+  }
+
+signature sid-827 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI info2www access"
+  http /.*[\/\\]info2www/
+  tcp-state established,originator
+  }
+
+signature sid-828 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI maillist.pl access"
+  http /.*[\/\\]maillist\.pl/
+  tcp-state established,originator
+  }
+
+signature sid-829 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI nph-test-cgi access"
+  http /.*[\/\\]nph-test-cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1451 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI NPH-publish access"
+  http /.*[\/\\]nph-maillist\.pl/
+  tcp-state established,originator
+  }
+
+signature sid-830 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI NPH-publish access"
+  http /.*[\/\\]nph-publish/
+  tcp-state established,originator
+  }
+
+signature sid-833 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI rguest.exe access"
+  http /.*[\/\\]rguest\.exe/
+  tcp-state established,originator
+  }
+
+signature sid-834 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI rwwwshell.pl access"
+  http /.*[\/\\]rwwwshell\.pl/
+  tcp-state established,originator
+  }
+
+signature sid-1644 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI test-cgi attempt"
+  http /.*[\/\\]test-cgi[\/\\]\*\?\*/
+  tcp-state established,originator
+  }
+
+signature sid-835 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI test-cgi access"
+  http /.*[\/\\]test-cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1645 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI testcgi access"
+  http /.*[\/\\]testcgi/
+  tcp-state established,originator
+  }
+
+signature sid-1646 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI test.cgi access"
+  http /.*[\/\\]test\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-836 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI textcounter.pl access"
+  http /.*[\/\\]textcounter\.pl/
+  tcp-state established,originator
+  }
+
+signature sid-837 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI uploader.exe access"
+  http /.*[\/\\]uploader\.exe/
+  tcp-state established,originator
+  }
+
+signature sid-838 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI webgais access"
+  http /.*[\/\\]webgais/
+  tcp-state established,originator
+  }
+
+signature sid-839 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI finger access"
+  http /.*[\/\\]finger/
+  tcp-state established,originator
+  }
+
+signature sid-840 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI perlshop.cgi access"
+  http /.*[\/\\]perlshop\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-841 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI pfdisplay.cgi access"
+  http /.*[\/\\]pfdisplay\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-842 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI aglimpse access"
+  http /.*[\/\\]aglimpse/
+  tcp-state established,originator
+  }
+
+signature sid-843 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI anform2 access"
+  http /.*[\/\\]AnForm2/
+  tcp-state established,originator
+  }
+
+signature sid-844 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI args.bat access"
+  http /.*[\/\\]args\.bat/
+  tcp-state established,originator
+  }
+
+signature sid-1452 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI args.cmd access"
+  http /.*[\/\\]args\.cmd/
+  tcp-state established,originator
+  }
+
+signature sid-845 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI AT-admin.cgi access"
+  http /.*[\/\\]AT-admin\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1453 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI AT-generated.cgi access"
+  http /.*[\/\\]AT-generated\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-846 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI bnbform.cgi access"
+  http /.*[\/\\]bnbform\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-847 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI campas access"
+  http /.*[\/\\]campas/
+  tcp-state established,originator
+  }
+
+signature sid-848 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI view-source directory traversal"
+  http /.*[\/\\]view-source/
+  tcp-state established,originator
+  payload /.*\.\.\//
+  }
+
+signature sid-849 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI view-source access"
+  http /.*[\/\\]view-source/
+  tcp-state established,originator
+  }
+
+signature sid-850 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI wais.pl access"
+  http /.*[\/\\]wais\.pl/
+  tcp-state established,originator
+  }
+
+signature sid-1454 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI wwwwais access"
+  http /.*[\/\\]wwwwais/
+  tcp-state established,originator
+  }
+
+signature sid-851 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI files.pl access"
+  http /.*[\/\\]files\.pl/
+  tcp-state established,originator
+  }
+
+signature sid-852 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI wguest.exe access"
+  http /.*[\/\\]wguest\.exe/
+  tcp-state established,originator
+  }
+
+signature sid-853 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI wrap access"
+  http /.*[\/\\]wrap/
+  tcp-state established,originator
+  }
+
+signature sid-854 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI classifieds.cgi access"
+  http /.*[\/\\]classifieds\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-856 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI environ.cgi access"
+  http /.*[\/\\]environ\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1647 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI faxsurvey attempt (full path)"
+  http /.*[\/\\]faxsurvey\?[\/\\]/
+  tcp-state established,originator
+  }
+
+signature sid-1609 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI faxsurvey arbitrary file read attempt"
+  http /.*[\/\\]faxsurvey\?cat%20/
+  tcp-state established,originator
+  }
+
+signature sid-857 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI faxsurvey access"
+  http /.*[\/\\]faxsurvey/
+  tcp-state established,originator
+  }
+
+signature sid-858 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI filemail access"
+  http /.*[\/\\]filemail\.pl/
+  tcp-state established,originator
+  }
+
+signature sid-859 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI man.sh access"
+  http /.*[\/\\]man\.sh/
+  tcp-state established,originator
+  }
+
+signature sid-860 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI snork.bat access"
+  http /.*[\/\\]snork\.bat/
+  tcp-state established,originator
+  }
+
+signature sid-861 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI w3-msql access"
+  http /.*[\/\\]w3-msql[\/\\]/
+  tcp-state established,originator
+  }
+
+signature sid-863 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI day5datacopier.cgi access"
+  http /.*[\/\\]day5datacopier\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-864 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI day5datanotifier.cgi access"
+  http /.*[\/\\]day5datanotifier\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-866 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI post-query access"
+  http /.*[\/\\]post-query/
+  tcp-state established,originator
+  }
+
+signature sid-867 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI visadmin.exe access"
+  http /.*[\/\\]visadmin\.exe/
+  tcp-state established,originator
+  }
+
+signature sid-869 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI dumpenv.pl access"
+  http /.*[\/\\]dumpenv\.pl/
+  tcp-state established,originator
+  }
+
+signature sid-1536 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI calendar_admin.pl arbitrary command execution attempt"
+  http /.*[\/\\]calendar_admin\.pl\?config=\|/
+  tcp-state established,originator
+  }
+
+signature sid-1537 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI calendar_admin.pl access"
+  http /.*[\/\\]calendar_admin\.pl/
+  tcp-state established,originator
+  }
+
+signature sid-1701 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI calendar-admin.pl access"
+  http /.*[\/\\]calendar-admin\.pl/
+  tcp-state established,originator
+  }
+
+signature sid-1455 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI calender.pl access"
+  http /.*[\/\\]calender\.pl/
+  tcp-state established,originator
+  }
+
+signature sid-882 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI calendar access"
+  http /.*[\/\\]calendar/
+  tcp-state established,originator
+  }
+
+signature sid-1457 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI user_update_admin.pl access"
+  http /.*[\/\\]user_update_admin\.pl/
+  tcp-state established,originator
+  }
+
+signature sid-1458 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI user_update_passwd.pl access"
+  http /.*[\/\\]user_update_passwd\.pl/
+  tcp-state established,originator
+  }
+
+signature sid-870 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI snorkerz.cmd access"
+  http /.*[\/\\]snorkerz\.cmd/
+  tcp-state established,originator
+  }
+
+signature sid-871 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI survey.cgi access"
+  http /.*[\/\\]survey\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-873 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI scriptalias access"
+  http /.*[\/\\][\/\\][\/\\]/
+  tcp-state established,originator
+  }
+
+signature sid-875 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI win-c-sample.exe access"
+  http /.*[\/\\]win-c-sample\.exe/
+  tcp-state established,originator
+  }
+
+signature sid-878 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI w3tvars.pm access"
+  http /.*[\/\\]w3tvars\.pm/
+  tcp-state established,originator
+  }
+
+signature sid-879 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI admin.pl access"
+  http /.*[\/\\]admin\.pl/
+  tcp-state established,originator
+  }
+
+signature sid-880 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI LWGate access"
+  http /.*[\/\\]LWGate/
+  tcp-state established,originator
+  }
+
+signature sid-881 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI archie access"
+  http /.*[\/\\]archie/
+  tcp-state established,originator
+  }
+
+signature sid-883 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI flexform access"
+  http /.*[\/\\]flexform/
+  tcp-state established,originator
+  }
+
+signature sid-1610 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI formmail arbitrary command execution attempt"
+  http /.*[\/\\]formmail/
+  tcp-state established,originator
+  payload /.*%0[aA]/
+  }
+
+signature sid-884 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI formmail access"
+  http /.*[\/\\]formmail/
+  tcp-state established,originator
+  }
+
+signature sid-1762 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI phf arbitrary command execution attempt"
+  http /.*[\/\\]phf/
+  tcp-state established,originator
+  payload /.*[qQ][aA][lL][iI][aA][sS]/
+  payload /.*%0a\//
+  }
+
+signature sid-886 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI phf access"
+  http /.*[\/\\]phf/
+  tcp-state established,originator
+  }
+
+signature sid-887 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI www-sql access"
+  http /.*[\/\\]www-sql/
+  tcp-state established,originator
+  }
+
+signature sid-888 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI wwwadmin.pl access"
+  http /.*[\/\\]wwwadmin\.pl/
+  tcp-state established,originator
+  }
+
+signature sid-889 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI ppdscgi.exe access"
+  http /.*[\/\\]ppdscgi\.exe/
+  tcp-state established,originator
+  }
+
+signature sid-890 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI sendform.cgi access"
+  http /.*[\/\\]sendform\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-891 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI upload.pl access"
+  http /.*[\/\\]upload\.pl/
+  tcp-state established,originator
+  }
+
+signature sid-892 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI AnyForm2 access"
+  http /.*[\/\\]AnyForm2/
+  tcp-state established,originator
+  }
+
+signature sid-893 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI MachineInfo access"
+  http /.*[\/\\]MachineInfo/
+  tcp-state established,originator
+  }
+
+signature sid-1531 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI bb-hist.sh attempt"
+  http /.*[\/\\]bb-hist\.sh\?HISTFILE=\.\.[\/\\]\.\./
+  tcp-state established,originator
+  }
+
+signature sid-894 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI bb-hist.sh access"
+  http /.*[\/\\]bb-hist\.sh/
+  tcp-state established,originator
+  }
+
+signature sid-1459 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI bb-histlog.sh access"
+  http /.*[\/\\]bb-histlog\.sh/
+  tcp-state established,originator
+  }
+
+signature sid-1460 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI bb-histsvc.sh access"
+  http /.*[\/\\]bb-histsvc\.sh/
+  tcp-state established,originator
+  }
+
+signature sid-1532 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI bb-hostscv.sh attempt"
+  http /.*[\/\\]bb-hostsvc\.sh\?HOSTSVC\?\.\.[\/\\]\.\./
+  tcp-state established,originator
+  }
+
+signature sid-1533 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI bb-hostscv.sh access"
+  http /.*[\/\\]bb-hostsvc\.sh/
+  tcp-state established,originator
+  }
+
+signature sid-1461 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI bb-rep.sh access"
+  http /.*[\/\\]bb-rep\.sh/
+  tcp-state established,originator
+  }
+
+signature sid-1462 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI bb-replog.sh access"
+  http /.*[\/\\]bb-replog\.sh/
+  tcp-state established,originator
+  }
+
+signature sid-895 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI redirect access"
+  http /.*[\/\\]redirect/
+  tcp-state established,originator
+  }
+
+signature sid-1397 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI wayboard attempt"
+  http /.*[\/\\]way-board[\/\\]way-board\.cgi/
+  tcp-state established,originator
+  payload /.*db=/
+  payload /.*\.\.\/\.\./
+  }
+
+signature sid-896 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI way-board access"
+  http /.*[\/\\]way-board/
+  tcp-state established,originator
+  }
+
+signature sid-1222 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI pals-cgi arbitrary file access attempt"
+  http /.*[\/\\]pals-cgi/
+  tcp-state established,originator
+  payload /.*[dD][oO][cC][uU][mM][eE][nN][tT][nN][aA][mM][eE]=/
+  }
+
+signature sid-897 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI pals-cgi access"
+  http /.*[\/\\]pals-cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1572 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI commerce.cgi arbitrary file access attempt"
+  http /.*[\/\\]commerce\.cgi/
+  tcp-state established,originator
+  payload /.*page=/
+  payload /.*\/\.\.\//
+  }
+
+signature sid-898 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI commerce.cgi access"
+  http /.*[\/\\]commerce\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-899 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI Amaya templates sendtemp.pl directory traversal attempt"
+  http /.*[\/\\]sendtemp\.pl/
+  tcp-state established,originator
+  payload /.*[tT][eE][mM][pP][lL]=/
+  }
+
+signature sid-1702 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI Amaya templates sendtemp.pl access"
+  http /.*[\/\\]sendtemp\.pl/
+  tcp-state established,originator
+  }
+
+signature sid-900 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI webspirs.cgi directory traversal attempt"
+  http /.*[\/\\]webspirs\.cgi/
+  tcp-state established,originator
+  payload /.*\.\.\/\.\.\//
+  }
+
+signature sid-901 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI webspirs.cgi access"
+  http /.*[\/\\]webspirs\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-902 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI tstisapi.dll access"
+  http /.*tstisapi\.dll/
+  tcp-state established,originator
+  }
+
+signature sid-1308 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI sendmessage.cgi access"
+  http /.*[\/\\]sendmessage\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1392 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI lastlines.cgi access"
+  http /.*[\/\\]lastlines\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1395 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI zml.cgi attempt"
+  http /.*[\/\\]zml\.cgi/
+  tcp-state established,originator
+  payload /.*file=\.\.\//
+  }
+
+signature sid-1396 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI zml.cgi access"
+  http /.*[\/\\]zml\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1405 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI AHG search.cgi access"
+  http /.*[\/\\]publisher[\/\\]search\.cgi/
+  tcp-state established,originator
+  payload /.*[tT][eE][mM][pP][lL][aA][tT][eE]=/
+  }
+
+signature sid-1534 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI agora.cgi attempt"
+  http /.*[\/\\]store[\/\\]agora\.cgi\?cart_id=<SCRIPT>/
+  tcp-state established,originator
+  }
+
+signature sid-1406 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI agora.cgi access"
+  http /.*[\/\\]store[\/\\]agora\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-877 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI rksh access"
+  http /.*[\/\\]rksh/
+  tcp-state established,originator
+  }
+
+signature sid-885 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI bash access"
+  http /.*[\/\\]bash/
+  tcp-state established,originator
+  }
+
+signature sid-1648 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI perl.exe command attempt"
+  http /.*[\/\\]perl\.exe\?/
+  tcp-state established,originator
+  }
+
+signature sid-832 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI perl.exe access"
+  http /.*[\/\\]perl\.exe/
+  tcp-state established,originator
+  }
+
+signature sid-1649 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI perl command attempt"
+  http /.*[\/\\]perl\?/
+  tcp-state established,originator
+  }
+
+signature sid-1309 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI zsh access"
+  http /.*[\/\\]zsh/
+  tcp-state established,originator
+  }
+
+signature sid-862 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI csh access"
+  http /.*[\/\\]csh/
+  tcp-state established,originator
+  }
+
+signature sid-872 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI tcsh access"
+  http /.*[\/\\]tcsh/
+  tcp-state established,originator
+  }
+
+signature sid-868 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI rsh access"
+  http /.*[\/\\]rsh/
+  tcp-state established,originator
+  }
+
+signature sid-865 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI ksh access"
+  http /.*[\/\\]ksh/
+  tcp-state established,originator
+  }
+
+signature sid-1703 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI auktion.cgi directory traversal attempt"
+  http /.*[\/\\]auktion\.cgi/
+  tcp-state established,originator
+  payload /.*[mM][eE][nN][uU][eE]=\.\.\/\.\.\//
+  }
+
+signature sid-1465 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI auktion.cgi access"
+  http /.*[\/\\]auktion\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1573 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI cgiforum.pl attempt"
+  http /.*[\/\\]cgiforum\.pl\?thesection=\.\.[\/\\]\.\./
+  tcp-state established,originator
+  }
+
+signature sid-1466 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI cgiforum.pl access"
+  http /.*[\/\\]cgiforum\.pl/
+  tcp-state established,originator
+  }
+
+signature sid-1574 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI directorypro.cgi attempt"
+  http /.*[\/\\]directorypro\.cgi/
+  tcp-state established,originator
+  payload /.*show=.{1}.*\.\.\/\.\./
+  }
+
+signature sid-1467 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI directorypro.cgi access"
+  http /.*[\/\\]directorypro\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1468 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI Web Shopper shopper.cgi attempt"
+  http /.*[\/\\]shopper\.cgi/
+  tcp-state established,originator
+  payload /.*[nN][eE][wW][pP][aA][gG][eE]=\.\.\//
+  }
+
+signature sid-1469 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI Web Shopper shopper.cgi access"
+  http /.*[\/\\]shopper\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1470 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI listrec.pl access"
+  http /.*[\/\\]listrec\.pl/
+  tcp-state established,originator
+  }
+
+signature sid-1471 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI mailnews.cgi access"
+  http /.*[\/\\]mailnews\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1879 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI book.cgi arbitrary command execution attempt"
+  http /.*[\/\\]book\.cgi/
+  tcp-state established,originator
+  payload /.*[cC][uU][rR][rR][eE][nN][tT]=\|/
+  }
+
+signature sid-1472 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI book.cgi access"
+  http /.*[\/\\]book\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1473 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI newsdesk.cgi access"
+  http /.*[\/\\]newsdesk\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1704 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI cal_make.pl directory traversal attempt"
+  http /.*[\/\\]cal_make\.pl/
+  tcp-state established,originator
+  payload /.*[pP]0=\.\.\/\.\.\//
+  }
+
+signature sid-1474 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI cal_make.pl access"
+  http /.*[\/\\]cal_make\.pl/
+  tcp-state established,originator
+  }
+
+signature sid-1475 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI mailit.pl access"
+  http /.*[\/\\]mailit\.pl/
+  tcp-state established,originator
+  }
+
+signature sid-1476 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI sdbsearch.cgi access"
+  http /.*[\/\\]sdbsearch\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1478 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI swc access"
+  http /.*[\/\\]swc/
+  tcp-state established,originator
+  }
+
+signature sid-1479 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI ttawebtop.cgi arbitrary file attempt"
+  http /.*[\/\\]ttawebtop\.cgi/
+  tcp-state established,originator
+  payload /.*[pP][gG]=\.\.\//
+  }
+
+signature sid-1480 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI ttawebtop.cgi access"
+  http /.*[\/\\]ttawebtop\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1481 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI upload.cgi access"
+  http /.*[\/\\]upload\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1482 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI view_source access"
+  http /.*[\/\\]view_source/
+  tcp-state established,originator
+  }
+
+signature sid-1730 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI ustorekeeper.pl directory traversal attempt"
+  http /.*[\/\\]ustorekeeper\.pl/
+  tcp-state established,originator
+  payload /.*[fF][iI][lL][eE]=\.\.\/\.\.\//
+  }
+
+signature sid-1483 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI ustorekeeper.pl access"
+  http /.*[\/\\]ustorekeeper\.pl/
+  tcp-state established,originator
+  }
+
+signature sid-1606 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI icat access"
+  http /.*[\/\\]icat/
+  tcp-state established,originator
+  }
+
+signature sid-1617 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI Bugzilla doeditvotes.cgi access"
+  http /.*[\/\\]doeditvotes\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1600 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI htsearch arbitrary configuration file attempt"
+  http /.*[\/\\]htsearch\?-c/
+  tcp-state established,originator
+  }
+
+signature sid-1601 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI htsearch arbitrary file read attempt"
+  http /.*[\/\\]htsearch\?exclude=`/
+  tcp-state established,originator
+  }
+
+signature sid-1602 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI htsearch access"
+  http /.*[\/\\]htsearch/
+  tcp-state established,originator
+  }
+
+signature sid-1501 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI a1stats a1disp3.cgi directory traversal attempt"
+  http /.*[\/\\]a1disp3\.cgi\?[\/\\]\.\.[\/\\]\.\.[\/\\]/
+  tcp-state established,originator
+  }
+
+signature sid-1502 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI a1stats a1disp3.cgi access"
+  http /.*[\/\\]a1disp3\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1731 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI a1stats access"
+  http /.*[\/\\]a1stats[\/\\]/
+  tcp-state established,originator
+  }
+
+signature sid-1503 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI admentor admin.asp access"
+  http /.*[\/\\]admentor[\/\\]admin[\/\\]admin\.asp/
+  tcp-state established,originator
+  }
+
+signature sid-1505 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI alchemy http server PRN arbitrary command execution attempt"
+  http /.*[\/\\]PRN[\/\\]\.\.[\/\\]\.\.[\/\\]/
+  tcp-state established,originator
+  }
+
+signature sid-1506 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI alchemy http server NUL arbitrary command execution attempt"
+  http /.*[\/\\]NUL[\/\\]\.\.[\/\\]\.\.[\/\\]/
+  tcp-state established,originator
+  }
+
+signature sid-1507 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI alibaba.pl arbitrary command execution attempt"
+  http /.*[\/\\]alibaba\.pl\|/
+  tcp-state established,originator
+  }
+
+signature sid-1508 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI alibaba.pl access"
+  http /.*[\/\\]alibaba\.pl/
+  tcp-state established,originator
+  }
+
+signature sid-1509 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI AltaVista Intranet Search directory traversal attempt"
+  http /.*[\/\\]query\?mss=\.\./
+  tcp-state established,originator
+  }
+
+signature sid-1510 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI test.bat arbitrary command execution attempt"
+  http /.*[\/\\]test\.bat\|/
+  tcp-state established,originator
+  }
+
+signature sid-1511 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI test.bat access"
+  http /.*[\/\\]test\.bat/
+  tcp-state established,originator
+  }
+
+signature sid-1512 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI input.bat arbitrary command execution attempt"
+  http /.*[\/\\]input\.bat\|/
+  tcp-state established,originator
+  }
+
+signature sid-1513 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI input.bat access"
+  http /.*[\/\\]input\.bat/
+  tcp-state established,originator
+  }
+
+signature sid-1514 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI input2.bat arbitrary command execution attempt"
+  http /.*[\/\\]input2\.bat\|/
+  tcp-state established,originator
+  }
+
+signature sid-1515 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI input2.bat access"
+  http /.*[\/\\]input2\.bat/
+  tcp-state established,originator
+  }
+
+signature sid-1516 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI envout.bat arbitrary command execution attempt"
+  http /.*[\/\\]envout\.bat\|/
+  tcp-state established,originator
+  }
+
+signature sid-1517 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI envout.bat access"
+  http /.*[\/\\]envout\.bat/
+  tcp-state established,originator
+  }
+
+signature sid-1705 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI echo.bat arbitrary command execution attempt"
+  http /.*[\/\\]echo\.bat/
+  tcp-state established,originator
+  payload /.*&/
+  }
+
+signature sid-1706 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI echo.bat access"
+  http /.*[\/\\]echo\.bat/
+  tcp-state established,originator
+  }
+
+signature sid-1707 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI hello.bat arbitrary command execution attempt"
+  http /.*[\/\\]hello\.bat/
+  tcp-state established,originator
+  payload /.*&/
+  }
+
+signature sid-1708 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI hello.bat access"
+  http /.*[\/\\]hello\.bat/
+  tcp-state established,originator
+  }
+
+signature sid-1650 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI tst.bat access"
+  http /.*[\/\\]tst\.bat/
+  tcp-state established,originator
+  }
+
+signature sid-1539 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI /cgi-bin/ls access"
+  http /.*[\/\\]cgi-bin[\/\\]ls/
+  tcp-state established,originator
+  }
+
+signature sid-1542 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI cgimail access"
+  http /.*[\/\\]cgimail/
+  tcp-state established,originator
+  }
+
+signature sid-1543 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI cgiwrap access"
+  http /.*[\/\\]cgiwrap/
+  tcp-state established,originator
+  }
+
+signature sid-1547 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI csSearch.cgi arbitrary command execution attempt"
+  http /.*[\/\\]csSearch\.cgi/
+  tcp-state established,originator
+  payload /.*setup=/
+  payload /.*`.{1}.*`/
+  }
+
+signature sid-1548 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI csSearch.cgi access"
+  http /.*[\/\\]csSearch\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1553 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI /cart/cart.cgi access"
+  http /.*[\/\\]cart[\/\\]cart\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1554 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI dbman db.cgi access"
+  http /.*[\/\\]dbman[\/\\]db\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1555 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI DCShop access"
+  http /.*[\/\\]dcshop/
+  tcp-state established,originator
+  }
+
+signature sid-1556 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI DCShop orders.txt access"
+  http /.*[\/\\]orders[\/\\]orders\.txt/
+  tcp-state established,originator
+  }
+
+signature sid-1557 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI DCShop auth_user_file.txt access"
+  http /.*[\/\\]auth_data[\/\\]auth_user_file\.txt/
+  tcp-state established,originator
+  }
+
+signature sid-1565 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI eshop.pl arbitrary commane execution attempt"
+  http /.*[\/\\]eshop\.pl\?seite=;/
+  tcp-state established,originator
+  }
+
+signature sid-1566 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI eshop.pl access"
+  http /.*[\/\\]eshop\.pl/
+  tcp-state established,originator
+  }
+
+signature sid-1569 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI loadpage.cgi directory traversal attempt"
+  http /.*[\/\\]loadpage\.cgi/
+  tcp-state established,originator
+  payload /.*[fF][iI][lL][eE]=\.\.\//
+  }
+
+signature sid-1570 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI loadpage.cgi access"
+  http /.*[\/\\]loadpage\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1590 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI faqmanager.cgi arbitrary file access attempt"
+  http /.*[\/\\]faqmanager\.cgi\?toc=/
+  http /.*%00/
+  tcp-state established,originator
+  }
+
+signature sid-1591 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI faqmanager.cgi access"
+  http /.*[\/\\]faqmanager\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1592 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI /fcgi-bin/echo.exe access"
+  http /.*[\/\\]fcgi-bin[\/\\]echo\.exe/
+  tcp-state established,originator
+  }
+
+signature sid-1628 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI FormHandler.cgi directory traversal attempt attempt"
+  http /.*[\/\\]FormHandler\.cgi/
+  tcp-state established,originator
+  payload /.*[rR][eE][pP][lL][yY]_[mM][eE][sS][sS][aA][gG][eE]_[aA][tT][tT][aA][cC][hH]=/
+  payload /.*\/\.\.\//
+  }
+
+signature sid-1593 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI FormHandler.cgi external site redirection attempt"
+  http /.*[\/\\]FormHandler\.cgi/
+  tcp-state established,originator
+  payload /.*[rR][eE][dD][iI][rR][eE][cC][tT]=[hH][tT][tT][pP]/
+  }
+
+signature sid-1594 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI FormHandler.cgi access"
+  http /.*[\/\\]FormHandler\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1597 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI guestbook.cgi access"
+  http /.*[\/\\]guestbook\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1598 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI Home Free search.cgi directory traversal attempt"
+  http /.*[\/\\]search\.cgi/
+  tcp-state established,originator
+  payload /.*[lL][eE][tT][tT][eE][rR]=\.\.\/\.\./
+  }
+
+signature sid-1599 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI search.cgi access"
+  http /.*[\/\\]search\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1651 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI enivorn.pl access"
+  http /.*[\/\\]enivron\.pl/
+  tcp-state established,originator
+  }
+
+signature sid-1652 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI campus attempt"
+  http /.*[\/\\]campus\?%0a/
+  tcp-state established,originator
+  }
+
+signature sid-1653 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI campus access"
+  http /.*[\/\\]campus/
+  tcp-state established,originator
+  }
+
+signature sid-1654 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI cart32.exe access"
+  http /.*[\/\\]cart32\.exe/
+  tcp-state established,originator
+  }
+
+signature sid-1655 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI pfdispaly.cgi arbitrary command execution attempt"
+  http /.*[\/\\]pfdispaly\.cgi\?'/
+  tcp-state established,originator
+  }
+
+signature sid-1656 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI pfdispaly.cgi access"
+  http /.*[\/\\]pfdispaly\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1657 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI pagelog.cgi directory traversal attempt"
+  http /.*[\/\\]pagelog\.cgi/
+  tcp-state established,originator
+  payload /.*[nN][aA][mM][eE]=\.\.\//
+  }
+
+signature sid-1658 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI pagelog.cgi access"
+  http /.*[\/\\]pagelog\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1709 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI ad.cgi access"
+  http /.*[\/\\]ad\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1710 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI bbs_forum.cgi access"
+  http /.*[\/\\]bbs_forum\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1711 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI bsguest.cgi access"
+  http /.*[\/\\]bsguest\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1712 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI bslist.cgi access"
+  http /.*[\/\\]bslist\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1713 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI cgforum.cgi access"
+  http /.*[\/\\]cgforum\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1714 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI newdesk access"
+  http /.*[\/\\]newdesk/
+  tcp-state established,originator
+  }
+
+signature sid-1715 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI register.cgi access"
+  http /.*[\/\\]register\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1716 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI gbook.cgi access"
+  http /.*[\/\\]gbook\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1717 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI simplestguest.cgi access"
+  http /.*[\/\\]simplestguest\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1718 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI statusconfig.pl access"
+  http /.*[\/\\]statusconfig\.pl/
+  tcp-state established,originator
+  }
+
+signature sid-1719 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI talkback.cgi directory traversal attempt"
+  http /.*[\/\\]talkbalk\.cgi/
+  tcp-state established,originator
+  payload /.*[aA][rR][tT][iI][cC][lL][eE]=\.\.\/\.\.\//
+  }
+
+signature sid-1720 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI talkback.cgi access"
+  http /.*[\/\\]talkbalk\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1721 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI adcycle access"
+  http /.*[\/\\]adcycle/
+  tcp-state established,originator
+  }
+
+signature sid-1722 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI MachineInfo access"
+  http /.*[\/\\]MachineInfo/
+  tcp-state established,originator
+  }
+
+signature sid-1723 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI emumail.cgi NULL attempt"
+  http /.*[\/\\]emumail\.cgi/
+  tcp-state established,originator
+  payload /.*[tT][yY][pP][eE]=/
+  payload /.*%00/
+  }
+
+signature sid-1724 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI emumail.cgi access"
+  http /.*[\/\\]emumail\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1642 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI document.d2w access"
+  http /.*[\/\\]document\.d2w/
+  tcp-state established,originator
+  }
+
+signature sid-1643 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI db2www access"
+  http /.*[\/\\]db2www/
+  tcp-state established,originator
+  }
+
+signature sid-1668 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI /cgi-bin/ access"
+  http /.*[\/\\]cgi-bin[\/\\]/
+  tcp-state established,originator
+  payload /.*\/[cC][gG][iI]-[bB][iI][nN]\/ [hH][tT][tT][pP]/
+  }
+
+signature sid-1669 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI /cgi-dos/ access"
+  http /.*[\/\\]cgi-dos[\/\\]/
+  tcp-state established,originator
+  payload /.*\/[cC][gG][iI]-[dD][oO][sS]\/ [hH][tT][tT][pP]/
+  }
+
+signature sid-1051 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI technote main.cgi file directory traversal attempt"
+  http /.*[\/\\]technote[\/\\]main\.cgi/
+  tcp-state established,originator
+  payload /.*[fF][iI][lL][eE][nN][aA][mM][eE]=/
+  payload /.*\.\.\/\.\.\//
+  }
+
+signature sid-1052 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI technote print.cgi directory traversal attempt"
+  http /.*[\/\\]technote[\/\\]print\.cgi/
+  tcp-state established,originator
+  payload /.*[bB][oO][aA][rR][dD]=/
+  payload /.*\.\.\/\.\.\//
+  payload /.*%00/
+  }
+
+signature sid-1053 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI ads.cgi command execution attempt"
+  http /.*[\/\\]ads\.cgi/
+  tcp-state established,originator
+  payload /.*[fF][iI][lL][eE]=/
+  payload /.*\.\.\/\.\.\//
+  payload /.*\|/
+  }
+
+signature sid-1088 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI eXtropia webstore directory traversal"
+  http /.*[\/\\]web_store\.cgi/
+  tcp-state established,originator
+  payload /.*page=\.\.\//
+  }
+
+signature sid-1611 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI eXtropia webstore access"
+  http /.*[\/\\]web_store\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1089 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI shopping cart directory traversal"
+  http /.*[\/\\]shop\.cgi/
+  tcp-state established,originator
+  payload /.*page=\.\.\//
+  }
+
+signature sid-1090 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI Allaire Pro Web Shell attempt"
+  http /.*[\/\\]authenticate\.cgi\?PASSWORD/
+  tcp-state established,originator
+  payload /.*config\.ini/
+  }
+
+signature sid-1092 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI Armada Style Master Index directory traversal"
+  http /.*[\/\\]search\.cgi\?keys/
+  tcp-state established,originator
+  payload /.*catigory=\.\.\//
+  }
+
+signature sid-1093 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI cached_feed.cgi moreover shopping cart directory traversal"
+  http /.*[\/\\]cached_feed\.cgi/
+  tcp-state established,originator
+  payload /.*\.\.\//
+  }
+
+signature sid-2051 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI cached_feed.cgi moreover shopping cart access"
+  http /.*[\/\\]cached_feed\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1097 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI Talentsoft Web+ exploit attempt"
+  http /.*[\/\\]webplus\.cgi\?Script=[\/\\]webplus[\/\\]webping[\/\\]webping\.wml/
+  tcp-state established,originator
+  }
+
+signature sid-1106 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI Poll-it access"
+  http /.*[\/\\]pollit[\/\\]Poll_It_SSI_v2\.0\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1149 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI count.cgi access"
+  http /.*[\/\\]count\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1865 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI webdist.cgi arbitrary command attempt"
+  http /.*[\/\\]webdist\.cgi/
+  tcp-state established,originator
+  payload /.*[dD][iI][sS][tT][lL][oO][cC]=;/
+  }
+
+signature sid-1163 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI webdist.cgi access"
+  http /.*[\/\\]webdist\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1172 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI bigconf.cgi access"
+  http /.*[\/\\]bigconf\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1174 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI /cgi-bin/jj access"
+  http /.*[\/\\]cgi-bin[\/\\]jj/
+  tcp-state established,originator
+  }
+
+signature sid-1185 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI bizdbsearch attempt"
+  http /.*[\/\\]bizdb1-search\.cgi/
+  tcp-state established,originator
+  payload /.*[mM][aA][iI][lL]/
+  }
+
+signature sid-1535 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI bizdbsearch access"
+  http /.*[\/\\]bizdb1-search\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1194 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI sojourn.cgi File attempt"
+  http /.*[\/\\]sojourn\.cgi\?cat=/
+  tcp-state established,originator
+  payload /.*%00/
+  }
+
+signature sid-1195 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI sojourn.cgi access"
+  http /.*[\/\\]sojourn\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1196 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI SGI InfoSearch fname attempt"
+  http /.*[\/\\]infosrch\.cgi\?/
+  tcp-state established,originator
+  payload /.*[fF][nN][aA][mM][eE]=/
+  }
+
+signature sid-1727 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI SGI InfoSearch fname access"
+  http /.*[\/\\]infosrch\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1204 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI ax-admin.cgi access"
+  http /.*[\/\\]ax-admin\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1205 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI axs.cgi access"
+  http /.*[\/\\]axs\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1206 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI cachemgr.cgi access"
+  http /.*[\/\\]cachemgr\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1208 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI responder.cgi access"
+  http /.*[\/\\]responder\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1211 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI web-map.cgi access"
+  http /.*[\/\\]web-map\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1215 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI ministats admin access"
+  http /.*[\/\\]ministats[\/\\]admin\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1219 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI dfire.cgi access"
+  http /.*[\/\\]dfire\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1305 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI txt2html.cgi directory traversal attempt"
+  http /.*[\/\\]txt2html\.cgi/
+  tcp-state established,originator
+  payload /.*\/\.\.\/\.\.\/\.\.\/\.\.\//
+  }
+
+signature sid-1304 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI txt2html.cgi access"
+  http /.*[\/\\]txt2html\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1488 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI store.cgi directory traversal attempt"
+  http /.*[\/\\]store\.cgi/
+  tcp-state established,originator
+  payload /.*\.\.\//
+  }
+
+signature sid-1307 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI store.cgi access"
+  http /.*[\/\\]store\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1494 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI SIX webboard generate.cgi attempt"
+  http /.*[\/\\]generate\.cgi/
+  tcp-state established,originator
+  payload /.*content=\.\.\//
+  }
+
+signature sid-1495 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI SIX webboard generate.cgi access"
+  http /.*[\/\\]generate\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1496 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI spin_client.cgi access"
+  http /.*[\/\\]spin_client\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1787 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI csPassword.cgi access"
+  http /.*[\/\\]csPassword\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1788 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI csPassword password.cgi.tmp access"
+  http /.*[\/\\]password\.cgi\.tmp/
+  tcp-state established,originator
+  }
+
+signature sid-1763 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI Nortel Contivity cgiproc DOS attempt"
+  http /.*[\/\\]cgiproc\?Nocfile=/
+  tcp-state established,originator
+  }
+
+signature sid-1764 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI Nortel Contivity cgiproc DOS attempt"
+  http /.*[\/\\]cgiproc\?\$/
+  tcp-state established,originator
+  }
+
+signature sid-1765 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI Nortel Contivity cgiproc access"
+  http /.*[\/\\]cgiproc/
+  tcp-state established,originator
+  }
+
+signature sid-1805 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI Oracle reports CGI access"
+  http /.*[\/\\]rwcgi60/
+  tcp-state established,originator
+  payload /.*setauth=/
+  }
+
+signature sid-1822 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI alienform.cgi directory traversal attempt"
+  http /.*[\/\\]alienform\.cgi/
+  tcp-state established,originator
+  payload /.*\.\|\.\/\.\|\./
+  }
+
+signature sid-1823 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI AlienForm af.cgi directory traversal attempt"
+  http /.*[\/\\]af\.cgi/
+  tcp-state established,originator
+  payload /.*\.\|\.\/\.\|\./
+  }
+
+signature sid-1824 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI alienform.cgi access"
+  http /.*[\/\\]alienform\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1825 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI AlienForm af.cgi access"
+  http /.*[\/\\]af\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1868 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 8080
+  event "WEB-CGI story.pl arbitrary file read attempt"
+  http /.*[\/\\]story\.pl/
+  tcp-state established,originator
+  payload /.*next=\.\.\//
+  }
+
+signature sid-1869 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 8080
+  event "WEB-CGI story.pl access"
+  http /.*[\/\\]story\.pl/
+  tcp-state established,originator
+  }
+
+signature sid-1870 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI siteUserMod.cgi access"
+  http /.*[\/\\]\.cobalt[\/\\]siteUserMod[\/\\]siteUserMod\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1875 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI cgicso access"
+  http /.*[\/\\]cgicso/
+  tcp-state established,originator
+  }
+
+signature sid-1876 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI nph-publish.cgi access"
+  http /.*[\/\\]nph-publish\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1877 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI printenv access"
+  http /.*[\/\\]printenv/
+  tcp-state established,originator
+  }
+
+signature sid-1878 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI sdbsearch.cgi access"
+  http /.*[\/\\]sdbsearch\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1931 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI rpc-nlog.pl access"
+  http /.*[\/\\]rpc-nlog\.pl/
+  tcp-state established,originator
+  }
+
+signature sid-1932 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI rpc-smb.pl access"
+  http /.*[\/\\]rpc-smb\.pl/
+  tcp-state established,originator
+  }
+
+signature sid-1933 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI cart.cgi access"
+  http /.*[\/\\]cart\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1994 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI vpasswd.cgi access"
+  http /.*[\/\\]vpasswd\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1995 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI alya.cgi access"
+  http /.*[\/\\]alya\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1996 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI viralator.cgi access"
+  http /.*[\/\\]viralator\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-2001 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI smartsearch.cgi access"
+  http /.*[\/\\]smartsearch\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1862 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI mrtg.cgi directory traversal attempt"
+  http /.*[\/\\]mrtg\.cgi/
+  tcp-state established,originator
+  payload /.*cfg=\/\.\.\//
+  }
+
+signature sid-2052 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI overflow.cgi access"
+  http /.*[\/\\]overflow\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-1850 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI way-board.cgi access"
+  http /.*[\/\\]way-board\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-2053 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI process_bug.cgi access"
+  http /.*[\/\\]process_bug\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-2054 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI enter_bug.cgi arbitrary command attempt"
+  http /.*[\/\\]enter_bug\.cgi/
+  tcp-state established,originator
+  payload /.*[wW][hH][oO]=.*.{0}.*;/
+  }
+
+signature sid-2055 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI enter_bug.cgi access"
+  http /.*[\/\\]enter_bug\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-2085 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI parse_xml.cgi access"
+  http /.*[\/\\]parse_xml\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-2086 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == 1220
+  event "WEB-CGI streaming server parse_xml.cgi access"
+  tcp-state established,originator
+  payload /.*\/[pP][aA][rR][sS][eE]_[xX][mM][lL]\.[cC][gG][iI]/
+  }
+
+signature sid-2115 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI album.pl access"
+  tcp-state established,originator
+  payload /.*\/[aA][lL][bB][uU][mM]\.[pP][lL]/
+  }
+
+signature sid-2116 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI chipcfg.cgi access"
+  http /.*[\/\\]chipcfg\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-2127 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI ikonboard.cgi access"
+  http /.*[\/\\]ikonboard\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-2128 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-CGI swsrv.cgi access"
+  http /.*[\/\\]srsrv\.cgi/
+  tcp-state established,originator
+  }
+
+signature sid-903 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-COLDFUSION cfcache.map access"
+  http /.*[\/\\]cfcache\.map/
+  tcp-state established,originator
+  }
+
+signature sid-904 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-COLDFUSION exampleapp application.cfm"
+  http /.*[\/\\]cfdocs[\/\\]exampleapp[\/\\]email[\/\\]application\.cfm/
+  tcp-state established,originator
+  }
+
+signature sid-905 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-COLDFUSION application.cfm access"
+  http /.*[\/\\]cfdocs[\/\\]exampleapp[\/\\]publish[\/\\]admin[\/\\]application\.cfm/
+  tcp-state established,originator
+  }
+
+signature sid-906 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-COLDFUSION getfile.cfm access"
+  http /.*[\/\\]cfdocs[\/\\]exampleapp[\/\\]email[\/\\]getfile\.cfm/
+  tcp-state established,originator
+  }
+
+signature sid-907 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-COLDFUSION addcontent.cfm access"
+  http /.*[\/\\]cfdocs[\/\\]exampleapp[\/\\]publish[\/\\]admin[\/\\]addcontent\.cfm/
+  tcp-state established,originator
+  }
+
+signature sid-908 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-COLDFUSION administrator access"
+  http /.*[\/\\]cfide[\/\\]administrator[\/\\]index\.cfm/
+  tcp-state established,originator
+  }
+
+signature sid-909 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-COLDFUSION datasource username attempt"
+  tcp-state established,originator
+  payload /.*[cC][fF]_[sS][eE][tT][dD][aA][tT][aA][sS][oO][uU][rR][cC][eE][uU][sS][eE][rR][nN][aA][mM][eE]\(\)/
+  }
+
+signature sid-910 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-COLDFUSION fileexists.cfm access"
+  http /.*[\/\\]cfdocs[\/\\]snippets[\/\\]fileexists\.cfm/
+  tcp-state established,originator
+  }
+
+signature sid-911 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-COLDFUSION exprcalc access"
+  http /.*[\/\\]cfdocs[\/\\]expeval[\/\\]exprcalc\.cfm/
+  tcp-state established,originator
+  }
+
+signature sid-912 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-COLDFUSION parks access"
+  http /.*[\/\\]cfdocs[\/\\]examples[\/\\]parks[\/\\]detail\.cfm/
+  tcp-state established,originator
+  }
+
+signature sid-913 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-COLDFUSION cfappman access"
+  http /.*[\/\\]cfappman[\/\\]index\.cfm/
+  tcp-state established,originator
+  }
+
+signature sid-914 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-COLDFUSION beaninfo access"
+  http /.*[\/\\]cfdocs[\/\\]examples[\/\\]cvbeans[\/\\]beaninfo\.cfm/
+  tcp-state established,originator
+  }
+
+signature sid-915 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-COLDFUSION evaluate.cfm access"
+  http /.*[\/\\]cfdocs[\/\\]snippets[\/\\]evaluate\.cfm/
+  tcp-state established,originator
+  }
+
+signature sid-916 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-COLDFUSION getodbcdsn access"
+  tcp-state established,originator
+  payload /.*[cC][fF][uU][sS][iI][oO][nN]_[gG][eE][tT][oO][dD][bB][cC][dD][sS][nN]\(\)/
+  }
+
+signature sid-917 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-COLDFUSION db connections flush attempt"
+  tcp-state established,originator
+  payload /.*[cC][fF][uU][sS][iI][oO][nN]_[dD][bB][cC][oO][nN][nN][eE][cC][tT][iI][oO][nN][sS]_[fF][lL][uU][sS][hH]\(\)/
+  }
+
+signature sid-918 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-COLDFUSION expeval access"
+  http /.*[\/\\]cfdocs[\/\\]expeval[\/\\]/
+  tcp-state established,originator
+  }
+
+signature sid-919 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-COLDFUSION datasource passwordattempt"
+  tcp-state established,originator
+  payload /.*[cC][fF]_[sS][eE][tT][dD][aA][tT][aA][sS][oO][uU][rR][cC][eE][pP][aA][sS][sS][wW][oO][rR][dD]\(\)/
+  }
+
+signature sid-920 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-COLDFUSION datasource attempt"
+  tcp-state established,originator
+  payload /.*[cC][fF]_[iI][sS][cC][oO][lL][dD][fF][uU][sS][iI][oO][nN][dD][aA][tT][aA][sS][oO][uU][rR][cC][eE]\(\)/
+  }
+
+signature sid-921 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-COLDFUSION admin encrypt attempt"
+  tcp-state established,originator
+  payload /.*[cC][fF][uU][sS][iI][oO][nN]_[eE][nN][cC][rR][yY][pP][tT]\(\)/
+  }
+
+signature sid-922 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-COLDFUSION displayfile access"
+  http /.*[\/\\]cfdocs[\/\\]expeval[\/\\]displayopenedfile\.cfm/
+  tcp-state established,originator
+  }
+
+signature sid-923 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-COLDFUSION getodbcin attempt"
+  tcp-state established,originator
+  payload /.*[cC][fF][uU][sS][iI][oO][nN]_[gG][eE][tT][oO][dD][bB][cC][iI][nN][iI]\(\)/
+  }
+
+signature sid-924 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-COLDFUSION admin decrypt attempt"
+  tcp-state established,originator
+  payload /.*[cC][fF][uU][sS][iI][oO][nN]_[dD][eE][cC][rR][yY][pP][tT]\(\)/
+  }
+
+signature sid-925 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-COLDFUSION mainframeset access"
+  http /.*[\/\\]cfdocs[\/\\]examples[\/\\]mainframeset\.cfm/
+  tcp-state established,originator
+  }
+
+signature sid-926 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-COLDFUSION set odbc ini attempt"
+  tcp-state established,originator
+  payload /.*[cC][fF][uU][sS][iI][oO][nN]_[sS][eE][tT][oO][dD][bB][cC][iI][nN][iI]\(\)/
+  }
+
+signature sid-927 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-COLDFUSION settings refresh attempt"
+  tcp-state established,originator
+  payload /.*[cC][fF][uU][sS][iI][oO][nN]_[sS][eE][tT][tT][iI][nN][gG][sS]_[rR][eE][fF][rR][eE][sS][hH]\(\)/
+  }
+
+signature sid-928 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-COLDFUSION exampleapp access"
+  http /.*[\/\\]cfdocs[\/\\]exampleapp[\/\\]/
+  tcp-state established,originator
+  }
+
+signature sid-929 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-COLDFUSION CFUSION_VERIFYMAIL access"
+  tcp-state established,originator
+  payload /.*[cC][fF][uU][sS][iI][oO][nN]_[vV][eE][rR][iI][fF][yY][mM][aA][iI][lL]\(\)/
+  }
+
+signature sid-930 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-COLDFUSION snippets attempt"
+  http /.*[\/\\]cfdocs[\/\\]snippets[\/\\]/
+  tcp-state established,originator
+  }
+
+signature sid-931 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-COLDFUSION cfmlsyntaxcheck.cfm access"
+  http /.*[\/\\]cfdocs[\/\\]cfmlsyntaxcheck\.cfm/
+  tcp-state established,originator
+  }
+
+signature sid-932 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-COLDFUSION application.cfm access"
+  http /.*[\/\\]application\.cfm/
+  tcp-state established,originator
+  }
+
+signature sid-933 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-COLDFUSION onrequestend.cfm access"
+  http /.*[\/\\]onrequestend\.cfm/
+  tcp-state established,originator
+  }
+
+signature sid-935 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-COLDFUSION startstop DOS access"
+  http /.*[\/\\]cfide[\/\\]administrator[\/\\]startstop\.html/
+  tcp-state established,originator
+  }
+
+signature sid-936 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-COLDFUSION gettempdirectory.cfm access "
+  http /.*[\/\\]cfdocs[\/\\]snippets[\/\\]gettempdirectory\.cfm/
+  tcp-state established,originator
+  }
+
+signature sid-1659 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-COLDFUSION sendmail.cfm access"
+  http /.*[\/\\]sendmail\.cfm/
+  tcp-state established,originator
+  }
+
+signature sid-1540 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-COLDFUSION ?Mode=debug attempt"
+  http /.*Mode=debug/
+  tcp-state established,originator
+  }
+
+signature sid-1970 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == http_ports
+  event "WEB-IIS MDAC Content-Type overflow attempt"
+  http /.*[\/\\]msadcs\.dll/
+  tcp-state established,originator
+  payload /.*Content-Type:[^\x0A]{50}/
+  }
+
+signature sid-1076 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS repost.asp access"
+  http /.*[\/\\]scripts[\/\\]repost\.asp/
+  tcp-state established,originator
+  }
+
+signature sid-1806 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS .htr Transfer-Encoding: chunked"
+  http /.*\.htr/
+  tcp-state established,originator
+  payload /.*[tT][rR][aA][nN][sS][fF][eE][rR]-[eE][nN][cC][oO][dD][iI][nN][gG]:/
+  payload /.*[cC][hH][uU][nN][kK][eE][dD]/
+  }
+
+signature sid-1618 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS .asp Transfer-Encoding: chunked"
+  http /.*\.asp/
+  tcp-state established,originator
+  payload /.*[tT][rR][aA][nN][sS][fF][eE][rR]-[eE][nN][cC][oO][dD][iI][nN][gG]:/
+  payload /.*[cC][hH][uU][nN][kK][eE][dD]/
+  }
+
+signature sid-1626 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS /StoreCSVS/InstantOrder.asmx request"
+  http /.*[\/\\]StoreCSVS[\/\\]InstantOrder\.asmx/
+  tcp-state established,originator
+  }
+
+signature sid-1750 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS users.xml access"
+  http /.*[\/\\]users\.xml/
+  tcp-state established,originator
+  }
+
+signature sid-1753 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS as_web.exe access"
+  http /.*[\/\\]as_web\.exe/
+  tcp-state established,originator
+  }
+
+signature sid-1754 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS as_web4.exe access"
+  http /.*[\/\\]as_web4\.exe/
+  tcp-state established,originator
+  }
+
+signature sid-1756 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS NewsPro administration authentication attempt"
+  tcp-state established,originator
+  payload /.*logged,true/
+  }
+
+signature sid-1772 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS pbserver access"
+  http /.*[\/\\]pbserver[\/\\]pbserver\.dll/
+  tcp-state established,originator
+  }
+
+signature sid-1660 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS trace.axd access"
+  http /.*[\/\\]trace\.axd/
+  tcp-state established,originator
+  }
+
+signature sid-1484 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS /isapi/tstisapi.dll access"
+  http /.*[\/\\]isapi[\/\\]tstisapi\.dll/
+  tcp-state established,originator
+  }
+
+signature sid-1485 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS mkilog.exe access"
+  http /.*[\/\\]mkilog\.exe/
+  tcp-state established,originator
+  }
+
+signature sid-1486 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS ctss.idc access"
+  http /.*[\/\\]ctss\.idc/
+  tcp-state established,originator
+  }
+
+signature sid-1487 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS /iisadmpwd/aexp2.htr access"
+  http /.*[\/\\]iisadmpwd[\/\\]aexp2\.htr/
+  tcp-state established,originator
+  }
+
+signature sid-969 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS WebDAV file lock attempt"
+  tcp-state established,originator
+  payload /LOCK /
+  }
+
+signature sid-971 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS ISAPI .printer access"
+  http /.*\.printer/
+  tcp-state established,originator
+  }
+
+signature sid-1243 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS ISAPI .ida attempt"
+  http /.*\.ida\?/
+  tcp-state established,originator
+  }
+
+signature sid-1242 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS ISAPI .ida access"
+  http /.*\.ida/
+  tcp-state established,originator
+  }
+
+signature sid-1244 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS ISAPI .idq attempt"
+  http /.*\.idq\?/
+  tcp-state established,originator
+  }
+
+signature sid-1245 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS ISAPI .idq access"
+  http /.*\.idq/
+  tcp-state established,originator
+  }
+
+signature sid-972 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS %2E-asp access"
+  http /.*%2e\.asp/
+  tcp-state established,originator
+  }
+
+signature sid-973 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS *.idc attempt"
+  http /.*[\/\\]\*\.idc/
+  tcp-state established,originator
+  }
+
+signature sid-974 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS .... access"
+  tcp-state established,originator
+  payload /.*\x2e\x2e\x5c\x2e\x2e/
+  }
+
+signature sid-975 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS .asp::$DATA access"
+  http /.*\.asp\x3a\x3a\$DATA/
+  tcp-state established,originator
+  }
+
+signature sid-976 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS .bat? access"
+  http /.*\.bat\?/
+  tcp-state established,originator
+  }
+
+signature sid-977 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS .cnf access"
+  http /.*\.cnf/
+  tcp-state established,originator
+  }
+
+signature sid-978 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS ASP contents view"
+  tcp-state established,originator
+  payload /.*%20/
+  payload /.*&[cC][iI][rR][eE][sS][tT][rR][iI][cC][tT][iI][oO][nN]=[nN][oO][nN][eE]/
+  payload /.*&[cC][iI][hH][iI][lL][iI][tT][eE][tT][yY][pP][eE]=[fF][uU][lL][lL]/
+  }
+
+signature sid-979 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS ASP contents view"
+  http /.*\.htw\?CiWebHitsFile/
+  tcp-state established,originator
+  }
+
+signature sid-980 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS CGImail.exe access"
+  http /.*[\/\\]scripts[\/\\]CGImail\.exe/
+  tcp-state established,originator
+  }
+
+signature sid-981 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS unicode directory traversal attempt"
+  tcp-state established,originator
+  payload /.*\/\.\.%[cC]0%[aA][fF]\.\.\//
+  }
+
+signature sid-982 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS unicode directory traversal attempt"
+  tcp-state established,originator
+  payload /.*\/\.\.%[cC]1%1[cC]\.\.\//
+  }
+
+signature sid-983 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS unicode directory traversal attempt"
+  tcp-state established,originator
+  payload /.*\/\.\.%[cC]1%9[cC]\.\.\//
+  }
+
+signature sid-1945 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS unicode directory traversal attempt"
+  tcp-state established,originator
+  payload /.*\/\.\.%255[cC]\.\./
+  }
+
+signature sid-986 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS MSProxy access"
+  http /.*[\/\\]scripts[\/\\]proxy[\/\\]w3proxy\.dll/
+  tcp-state established,originator
+  }
+
+signature sid-1725 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS +.htr code fragment attempt"
+  http /.*\+\.htr/
+  tcp-state established,originator
+  }
+
+signature sid-987 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS .htr access"
+  http /.*\.htr/
+  tcp-state established,originator
+  }
+
+signature sid-988 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS SAM Attempt"
+  tcp-state established,originator
+  payload /.*[sS][aA][mM]\._/
+  }
+
+signature sid-989 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS Unicode2.pl script (File permission canonicalization)"
+  http /.*[\/\\]sensepost\.exe/
+  tcp-state established,originator
+  }
+
+signature sid-990 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS _vti_inf access"
+  http /.*_vti_inf\.html/
+  tcp-state established,originator
+  }
+
+signature sid-991 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS achg.htr access"
+  http /.*[\/\\]iisadmpwd[\/\\]achg\.htr/
+  tcp-state established,originator
+  }
+
+signature sid-994 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS /scripts/iisadmin/default.htm access"
+  http /.*[\/\\]scripts[\/\\]iisadmin[\/\\]default\.htm/
+  tcp-state established,originator
+  }
+
+signature sid-995 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS ism.dll access"
+  http /.*[\/\\]scripts[\/\\]iisadmin[\/\\]ism\.dll\?http[\/\\]dir/
+  tcp-state established,originator
+  }
+
+signature sid-996 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS anot.htr access"
+  http /.*[\/\\]iisadmpwd[\/\\]anot/
+  tcp-state established,originator
+  }
+
+signature sid-997 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS asp-dot attempt"
+  http /.*\.asp\./
+  tcp-state established,originator
+  }
+
+signature sid-998 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS asp-srch attempt"
+  http /.*#filename=\*\.asp/
+  tcp-state established,originator
+  }
+
+signature sid-1000 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS bdir.htr access"
+  http /.*[\/\\]bdir\.htr/
+  tcp-state established,originator
+  }
+
+signature sid-1661 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS cmd32.exe access"
+  tcp-state established,originator
+  payload /.*[cC][mM][dD]32\.[eE][xX][eE]/
+  }
+
+signature sid-1002 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS cmd.exe access"
+  tcp-state established,originator
+  payload /.*[cC][mM][dD]\.[eE][xX][eE]/
+  }
+
+signature sid-1003 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS cmd? access"
+  tcp-state established,originator
+  payload /.*\.[cC][mM][dD]\?&/
+  }
+
+signature sid-1007 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS cross-site scripting attempt"
+  http /.*[\/\\]Form_JScript\.asp/
+  tcp-state established,originator
+  }
+
+signature sid-1380 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS cross-site scripting attempt"
+  http /.*[\/\\]Form_VBScript\.asp/
+  tcp-state established,originator
+  }
+
+signature sid-1008 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS del attempt"
+  tcp-state established,originator
+  payload /.*&[dD][eE][lL]\+\/[sS]\+[cC]\x3a\\\*\.\*/
+  }
+
+signature sid-1009 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS directory listing"
+  http /.*[\/\\]ServerVariables_Jscript\.asp/
+  tcp-state established,originator
+  }
+
+signature sid-1010 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS encoding access"
+  tcp-state established,originator
+  payload /.*\x25\x31\x75/
+  }
+
+signature sid-1011 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS exec-src access"
+  tcp-state established,originator
+  payload /.*#[fF][iI][lL][eE][nN][aA][mM][eE]=\*\.[eE][xX][eE]/
+  }
+
+signature sid-1012 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS fpcount attempt"
+  http /.*[\/\\]fpcount\.exe/
+  tcp-state established,originator
+  payload /.*[dD][iI][gG][iI][tT][sS]=/
+  }
+
+signature sid-1013 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS fpcount access"
+  http /.*[\/\\]fpcount\.exe/
+  tcp-state established,originator
+  }
+
+signature sid-1015 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS getdrvs.exe access"
+  http /.*[\/\\]scripts[\/\\]tools[\/\\]getdrvs\.exe/
+  tcp-state established,originator
+  }
+
+signature sid-1016 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS global.asa access"
+  http /.*[\/\\]global\.asa/
+  tcp-state established,originator
+  }
+
+signature sid-1017 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS idc-srch attempt"
+  tcp-state established,originator
+  payload /.*#[fF][iI][lL][eE][nN][aA][mM][eE]=\*\.[iI][dD][cC]/
+  }
+
+signature sid-1018 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS iisadmpwd attempt"
+  http /.*[\/\\]iisadmpwd[\/\\]aexp/
+  tcp-state established,originator
+  }
+
+signature sid-1019 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS index server file source code attempt"
+  http /.*\?CiWebHitsFile=[\/\\]/
+  tcp-state established,originator
+  payload /.*&CiRestriction=none&CiHiliteType=Full/
+  }
+
+signature sid-1020 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS isc$data attempt"
+  http /.*\.idc\x3a\x3a\$data/
+  tcp-state established,originator
+  }
+
+signature sid-1021 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS ism.dll attempt"
+  http /.*%20%20%20%20%20\.htr/
+  tcp-state established,originator
+  }
+
+signature sid-1022 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS jet vba access"
+  http /.*[\/\\]advworks[\/\\]equipment[\/\\]catalog_type\.asp/
+  tcp-state established,originator
+  }
+
+signature sid-1023 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS msadcs.dll access"
+  http /.*[\/\\]msadcs\.dll/
+  tcp-state established,originator
+  }
+
+signature sid-1024 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS newdsn.exe access"
+  http /.*[\/\\]scripts[\/\\]tools[\/\\]newdsn\.exe/
+  tcp-state established,originator
+  }
+
+signature sid-1025 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS perl access"
+  http /.*[\/\\]scripts[\/\\]perl/
+  tcp-state established,originator
+  }
+
+signature sid-1026 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS perl-browse0a attempt"
+  http /.*%0a\.pl/
+  tcp-state established,originator
+  }
+
+signature sid-1027 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS perl-browse20 attempt"
+  http /.*%20\.pl/
+  tcp-state established,originator
+  }
+
+signature sid-1029 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS scripts-browse access"
+  http /.*[\/\\]scripts[\/\\]\x20/
+  tcp-state established,originator
+  }
+
+signature sid-1030 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS search97.vts access"
+  http /.*[\/\\]search97\.vts/
+  tcp-state established,originator
+  }
+
+signature sid-1037 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS showcode.asp access"
+  http /.*[\/\\]showcode\.asp/
+  tcp-state established,originator
+  }
+
+signature sid-1038 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS site server config access"
+  http /.*[\/\\]adsamples[\/\\]config[\/\\]site\.csc/
+  tcp-state established,originator
+  }
+
+signature sid-1039 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS srch.htm access"
+  http /.*[\/\\]samples[\/\\]isapi[\/\\]srch\.htm/
+  tcp-state established,originator
+  }
+
+signature sid-1040 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS srchadm access"
+  http /.*[\/\\]srchadm/
+  tcp-state established,originator
+  }
+
+signature sid-1041 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS uploadn.asp access"
+  http /.*[\/\\]scripts[\/\\]uploadn\.asp/
+  tcp-state established,originator
+  }
+
+signature sid-1042 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS view source via translate header"
+  tcp-state established,originator
+  payload /.*[tT][rR][aA][nN][sS][lL][aA][tT][eE]\x3a [fF]/
+  }
+
+signature sid-1043 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS viewcode.asp access"
+  http /.*[\/\\]viewcode\.asp/
+  tcp-state established,originator
+  }
+
+signature sid-1044 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS webhits access"
+  http /.*\.htw/
+  tcp-state established,originator
+  }
+
+signature sid-1726 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS doctodep.btr access"
+  http /.*doctodep\.btr/
+  tcp-state established,originator
+  }
+
+signature sid-1046 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS site/iisamples access"
+  http /.*[\/\\]site[\/\\]iisamples/
+  tcp-state established,originator
+  }
+
+signature sid-1256 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS CodeRed v2 root.exe access"
+  http /.*[\/\\]root\.exe/
+  tcp-state established,originator
+  }
+
+signature sid-1283 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS outlook web dos"
+  http /.*[\/\\]exchange[\/\\]LogonFrm\.asp\?/
+  tcp-state established,originator
+  payload /.*[mM][aA][iI][lL][bB][oO][xX]=/
+  payload /.*\x25\x25\x25/
+  }
+
+signature sid-1400 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS /scripts/samples/ access"
+  http /.*[\/\\]scripts[\/\\]samples[\/\\]/
+  tcp-state established,originator
+  }
+
+signature sid-1401 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS /msadc/samples/ access"
+  http /.*[\/\\]msadc[\/\\]samples[\/\\]/
+  tcp-state established,originator
+  }
+
+signature sid-1402 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS iissamples access"
+  http /.*[\/\\]iissamples[\/\\]/
+  tcp-state established,originator
+  }
+
+signature sid-970 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS multiple decode attempt"
+  http /.*%5c/
+  http /.*\.\./
+  tcp-state established,originator
+  }
+
+signature sid-993 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS iisadmin access"
+  http /.*[\/\\]iisadmin/
+  tcp-state established,originator
+  }
+
+signature sid-1285 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS msdac access"
+  http /.*[\/\\]msdac[\/\\]/
+  tcp-state established,originator
+  }
+
+signature sid-1286 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS _mem_bin access"
+  http /.*[\/\\]_mem_bin[\/\\]/
+  tcp-state established,originator
+  }
+
+signature sid-1595 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS htimage.exe access"
+  http /.*[\/\\]htimage\.exe/
+  tcp-state established,originator
+  }
+
+signature sid-1817 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS MS Site Server default login attempt"
+  http /.*[\/\\]SiteServer[\/\\]Admin[\/\\]knowledge[\/\\]persmbr[\/\\]/
+  tcp-state established,originator
+  payload /.*[aA][uU][tT][hH][oO][rR][iI][zZ][aA][tT][iI][oO][nN]: [bB][aA][sS][iI][cC] [tT][eE][rR][bB][uU][fF]9[bB][bB][mM]9[uU][eE][wW]1[vV][dD][xX][mM]6[tT][gG][rR][hH][cC][fF][bB][hH][cC]3[nN]3[bB]3[jJ][kK][xX][zZ][eE]=/
+  }
+
+signature sid-1818 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS MS Site Server admin attempt"
+  http /.*[\/\\]Site Server[\/\\]Admin[\/\\]knowledge[\/\\]persmbr[\/\\]/
+  tcp-state established,originator
+  }
+
+signature sid-1075 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS postinfo.asp access"
+  http /.*[\/\\]scripts[\/\\]postinfo\.asp/
+  tcp-state established,originator
+  }
+
+signature sid-1567 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS /exchange/root.asp attempt"
+  http /.*[\/\\]exchange[\/\\]root\.asp\?acs=anon/
+  tcp-state established,originator
+  }
+
+signature sid-1568 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS /exchange/root.asp access"
+  http /.*[\/\\]exchange[\/\\]root\.asp/
+  tcp-state established,originator
+  }
+
+signature sid-2090 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS WEBDAV exploit attempt"
+  tcp-state established,originator
+  payload /.*HTTP\/1\.1\x0aContent-type\x3a text\/xml\x0aHOST\x3a.{1}.*Accept\x3a \x2a\/\x2a\x0aTranslate\x3a f\x0aContent-length\x3a5276\x0a\x0a/
+  }
+
+signature sid-2091 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS WEBDAV nessus safe scan attempt"
+  tcp-state established,originator
+  payload /.*SEARCH \/ HTTP\/1\.1\x0d\x0aHost\x3a.{0,251}\x0d\x0a\x0d\x0a/
+  }
+
+signature sid-2117 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS Battleaxe Forum login.asp access"
+  http /.*myaccount[\/\\]login\.asp/
+  tcp-state established,originator
+  }
+
+signature sid-2129 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS nsiislog.dll access"
+  http /.*[\/\\]nsiislog\.dll/
+  tcp-state established,originator
+  }
+
+signature sid-2130 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS IISProtect siteadmin.asp access"
+  http /.*[\/\\]iisprotect[\/\\]admin[\/\\]SiteAdmin\.asp/
+  tcp-state established,originator
+  }
+
+signature sid-2157 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS IISProtect globaladmin.asp access"
+  http /.*[\/\\]iisprotect[\/\\]admin[\/\\]GlobalAdmin\.asp/
+  tcp-state established,originator
+  }
+
+signature sid-2131 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS IISProtect access"
+  http /.*[\/\\]iisprotect[\/\\]admin[\/\\]/
+  tcp-state established,originator
+  }
+
+signature sid-2132 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS Synchrologic Email Accelerator userid list access attempt"
+  http /.*[\/\\]en[\/\\]admin[\/\\]aggregate\.asp/
+  tcp-state established,originator
+  }
+
+signature sid-2133 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS MS BizTalk server access"
+  http /.*[\/\\]biztalkhttpreceive\.dll/
+  tcp-state established,originator
+  }
+
+signature sid-2134 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-IIS register.asp access"
+  http /.*[\/\\]register\.asp/
+  tcp-state established,originator
+  }
+
+signature sid-1248 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-FRONTPAGE rad fp30reg.dll access"
+  http /.*[\/\\]fp30reg\.dll/
+  tcp-state established,originator
+  }
+
+signature sid-1249 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-FRONTPAGE frontpage rad fp4areg.dll access"
+  http /.*[\/\\]fp4areg\.dll/
+  tcp-state established,originator
+  }
+
+signature sid-937 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-FRONTPAGE _vti_rpc access"
+  http /.*[\/\\]_vti_rpc/
+  tcp-state established,originator
+  }
+
+signature sid-939 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-FRONTPAGE posting"
+  http /.*[\/\\]author\.dll/
+  tcp-state established,originator
+  payload /.*[pP][oO][sS][tT]/
+  }
+
+signature sid-940 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-FRONTPAGE shtml.dll access"
+  http /.*[\/\\]_vti_bin[\/\\]shtml\.dll/
+  tcp-state established,originator
+  }
+
+signature sid-941 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-FRONTPAGE contents.htm access"
+  http /.*[\/\\]admcgi[\/\\]contents\.htm/
+  tcp-state established,originator
+  }
+
+signature sid-942 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-FRONTPAGE orders.htm access"
+  http /.*[\/\\]_private[\/\\]orders\.htm/
+  tcp-state established,originator
+  }
+
+signature sid-943 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-FRONTPAGE fpsrvadm.exe access"
+  http /.*[\/\\]fpsrvadm\.exe/
+  tcp-state established,originator
+  }
+
+signature sid-944 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-FRONTPAGE fpremadm.exe access"
+  http /.*[\/\\]fpremadm\.exe/
+  tcp-state established,originator
+  }
+
+signature sid-945 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-FRONTPAGE fpadmin.htm access"
+  http /.*[\/\\]admisapi[\/\\]fpadmin\.htm/
+  tcp-state established,originator
+  }
+
+signature sid-946 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-FRONTPAGE fpadmcgi.exe access"
+  http /.*[\/\\]scripts[\/\\]Fpadmcgi\.exe/
+  tcp-state established,originator
+  }
+
+signature sid-947 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-FRONTPAGE orders.txt access"
+  http /.*[\/\\]_private[\/\\]orders\.txt/
+  tcp-state established,originator
+  }
+
+signature sid-948 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-FRONTPAGE form_results access"
+  http /.*[\/\\]_private[\/\\]form_results\.txt/
+  tcp-state established,originator
+  }
+
+signature sid-949 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-FRONTPAGE registrations.htm access"
+  http /.*[\/\\]_private[\/\\]registrations\.htm/
+  tcp-state established,originator
+  }
+
+signature sid-950 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-FRONTPAGE cfgwiz.exe access"
+  http /.*[\/\\]cfgwiz\.exe/
+  tcp-state established,originator
+  }
+
+signature sid-951 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-FRONTPAGE authors.pwd access"
+  http /.*[\/\\]authors\.pwd/
+  tcp-state established,originator
+  }
+
+signature sid-952 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-FRONTPAGE author.exe access"
+  http /.*[\/\\]_vti_bin[\/\\]_vti_aut[\/\\]author\.exe/
+  tcp-state established,originator
+  }
+
+signature sid-953 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-FRONTPAGE administrators.pwd access"
+  http /.*[\/\\]administrators\.pwd/
+  tcp-state established,originator
+  }
+
+signature sid-954 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-FRONTPAGE form_results.htm access"
+  http /.*[\/\\]_private[\/\\]form_results\.htm/
+  tcp-state established,originator
+  }
+
+signature sid-955 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-FRONTPAGE access.cnf access"
+  http /.*[\/\\]_vti_pvt[\/\\]access\.cnf/
+  tcp-state established,originator
+  }
+
+signature sid-956 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-FRONTPAGE register.txt access"
+  http /.*[\/\\]_private[\/\\]register\.txt/
+  tcp-state established,originator
+  }
+
+signature sid-957 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-FRONTPAGE registrations.txt access"
+  http /.*[\/\\]_private[\/\\]registrations\.txt/
+  tcp-state established,originator
+  }
+
+signature sid-958 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-FRONTPAGE service.cnf access"
+  http /.*[\/\\]_vti_pvt[\/\\]service\.cnf/
+  tcp-state established,originator
+  }
+
+signature sid-959 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-FRONTPAGE service.pwd"
+  http /.*[\/\\]service\.pwd/
+  tcp-state established,originator
+  }
+
+signature sid-960 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-FRONTPAGE service.stp access"
+  http /.*[\/\\]_vti_pvt[\/\\]service\.stp/
+  tcp-state established,originator
+  }
+
+signature sid-961 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-FRONTPAGE services.cnf access"
+  http /.*[\/\\]_vti_pvt[\/\\]services\.cnf/
+  tcp-state established,originator
+  }
+
+signature sid-962 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-FRONTPAGE shtml.exe access"
+  http /.*[\/\\]_vti_bin[\/\\]shtml\.exe/
+  tcp-state established,originator
+  }
+
+signature sid-963 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-FRONTPAGE svcacl.cnf access"
+  http /.*[\/\\]_vti_pvt[\/\\]svcacl\.cnf/
+  tcp-state established,originator
+  }
+
+signature sid-964 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-FRONTPAGE users.pwd access"
+  http /.*[\/\\]users\.pwd/
+  tcp-state established,originator
+  }
+
+signature sid-965 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-FRONTPAGE writeto.cnf access"
+  http /.*[\/\\]_vti_pvt[\/\\]writeto\.cnf/
+  tcp-state established,originator
+  }
+
+signature sid-966 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-FRONTPAGE fourdots request"
+  tcp-state established,originator
+  payload /.*\x2e\x2e\x2e\x2e\x2f/
+  }
+
+signature sid-967 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-FRONTPAGE dvwssr.dll access"
+  http /.*[\/\\]dvwssr\.dll/
+  tcp-state established,originator
+  }
+
+signature sid-968 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-FRONTPAGE register.htm access"
+  http /.*[\/\\]_private[\/\\]register\.htm/
+  tcp-state established,originator
+  }
+
+signature sid-1288 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-FRONTPAGE /_vti_bin/ access"
+  http /.*[\/\\]_vti_bin[\/\\]/
+  tcp-state established,originator
+  }
+
+signature sid-1497 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC cross site scripting attempt"
+  tcp-state established,originator
+  payload /.*<[sS][cC][rR][iI][pP][tT]>/
+  }
+
+signature sid-1667 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC cross site scripting (img src=javascript) attempt"
+  tcp-state established,originator
+  payload /.*[iI][mM][gG] [sS][rR][cC]=[jJ][aA][vV][aA][sS][cC][rR][iI][pP][tT]/
+  }
+
+signature sid-1250 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Cisco IOS HTTP configuration attempt"
+  http /.*[\/\\]level[\/\\]/
+  http /.*[\/\\]exec[\/\\]/
+  tcp-state established,originator
+  }
+
+signature sid-1047 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Netscape Enterprise DOS"
+  tcp-state established,originator
+  payload /REVLOG \/ /
+  }
+
+signature sid-1048 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Netscape Enterprise directory listing attempt"
+  tcp-state established,originator
+  payload /INDEX /
+  }
+
+signature sid-1050 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC iPlanet GETPROPERTIES attempt"
+  tcp-state established,originator
+  payload /GETPROPERTIES/
+  }
+
+signature sid-1054 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC weblogic view source attempt"
+  http /.*\.js%70/
+  tcp-state established,originator
+  }
+
+signature sid-1055 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Tomcat directory traversal attempt"
+  http /.*%00\.jsp/
+  tcp-state established,originator
+  }
+
+signature sid-1056 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Tomcat view source attempt"
+  http /.*%252ejsp/
+  tcp-state established,originator
+  }
+
+signature sid-1057 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC ftp attempt"
+  tcp-state established,originator
+  payload /.*[fF][tT][pP]\.[eE][xX][eE]/
+  }
+
+signature sid-1058 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC xp_enumdsn attempt"
+  tcp-state established,originator
+  payload /.*[xX][pP]_[eE][nN][uU][mM][dD][sS][nN]/
+  }
+
+signature sid-1059 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC xp_filelist attempt"
+  tcp-state established,originator
+  payload /.*[xX][pP]_[fF][iI][lL][eE][lL][iI][sS][tT]/
+  }
+
+signature sid-1060 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC xp_availablemedia attempt"
+  tcp-state established,originator
+  payload /.*[xX][pP]_[aA][vV][aA][iI][lL][aA][bB][lL][eE][mM][eE][dD][iI][aA]/
+  }
+
+signature sid-1061 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC xp_cmdshell attempt"
+  tcp-state established,originator
+  payload /.*[xX][pP]_[cC][mM][dD][sS][hH][eE][lL][lL]/
+  }
+
+signature sid-1062 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC nc.exe attempt"
+  tcp-state established,originator
+  payload /.*[nN][cC]\.[eE][xX][eE]/
+  }
+
+signature sid-1064 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC wsh attempt"
+  tcp-state established,originator
+  payload /.*[wW][sS][hH]\.[eE][xX][eE]/
+  }
+
+signature sid-1065 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC rcmd attempt"
+  tcp-state established,originator
+  payload /.*[rR][cC][mM][dD]\.[eE][xX][eE]/
+  }
+
+signature sid-1066 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC telnet attempt"
+  tcp-state established,originator
+  payload /.*[tT][eE][lL][nN][eE][tT]\.[eE][xX][eE]/
+  }
+
+signature sid-1067 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC net attempt"
+  tcp-state established,originator
+  payload /.*[nN][eE][tT]\.[eE][xX][eE]/
+  }
+
+signature sid-1068 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC tftp attempt"
+  tcp-state established,originator
+  payload /.*[tT][fF][tT][pP]\.[eE][xX][eE]/
+  }
+
+signature sid-1069 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC xp_regread attempt"
+  tcp-state established,originator
+  payload /.*[xX][pP]_[rR][eE][gG][rR][eE][aA][dD]/
+  }
+
+signature sid-1977 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC xp_regwrite attempt"
+  tcp-state established,originator
+  payload /.*[xX][pP]_[rR][eE][gG][wW][rR][iI][tT][eE]/
+  }
+
+signature sid-1978 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC xp_regdeletekey attempt"
+  tcp-state established,originator
+  payload /.*[xX][pP]_[rR][eE][gG][dD][eE][lL][eE][tT][eE][kK][eE][yY]/
+  }
+
+signature sid-1070 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC WebDAV search access"
+  tcp-state established,originator
+  payload /.{0,1}[sS][eE][aA][rR][cC][hH] /
+  }
+
+signature sid-1071 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC .htpasswd access"
+  tcp-state established,originator
+  payload /.*\.[hH][tT][pP][aA][sS][sS][wW][dD]/
+  }
+
+signature sid-1072 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Lotus Domino directory traversal"
+  http /.*\.nsf[\/\\]/
+  http /.*\.\.[\/\\]/
+  tcp-state established,originator
+  }
+
+signature sid-1077 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC queryhit.htm access"
+  http /.*[\/\\]samples[\/\\]search[\/\\]queryhit\.htm/
+  tcp-state established,originator
+  }
+
+signature sid-1078 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC counter.exe access"
+  http /.*[\/\\]scripts[\/\\]counter\.exe/
+  tcp-state established,originator
+  }
+
+signature sid-1079 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC WebDAV propfind access"
+  tcp-state established,originator
+  payload /.*<[aA]:[pP][rR][oO][pP][fF][iI][nN][dD]/
+  payload /.*[xX][mM][lL][nN][sS]:[aA]=\"[dD][aA][vV]\">/
+  }
+
+signature sid-1080 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC unify eWave ServletExec upload"
+  http /.*[\/\\]servlet[\/\\]com\.unify\.servletexec\.UploadServlet/
+  tcp-state established,originator
+  }
+
+signature sid-1081 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Netscape Servers suite DOS"
+  http /.*[\/\\]dsgw[\/\\]bin[\/\\]search\?context=/
+  tcp-state established,originator
+  }
+
+signature sid-1082 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC amazon 1-click cookie theft"
+  tcp-state established,originator
+  payload /.*[rR][eE][fF]%3[cC][sS][cC][rR][iI][pP][tT]%20[lL][aA][nN][gG][uU][aA][gG][eE]%3[dD]%22[jJ][aA][vV][aA][sS][cC][rR][iI][pP][tT]/
+  }
+
+signature sid-1083 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC unify eWave ServletExec DOS"
+  http /.*[\/\\]servlet[\/\\]ServletExec/
+  tcp-state established,originator
+  }
+
+signature sid-1084 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Allaire JRUN DOS attempt"
+  http /.*servlet[\/\\]\.\.\.\.\.\.\./
+  tcp-state established,originator
+  }
+
+signature sid-1091 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC ICQ Webfront HTTP DOS"
+  http /.*\?\?\?\?\?\?\?\?\?\?/
+  tcp-state established,originator
+  }
+
+signature sid-1095 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Talentsoft Web+ Source Code view access"
+  http /.*[\/\\]webplus\.exe\?script=test\.wml/
+  tcp-state established,originator
+  }
+
+signature sid-1096 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Talentsoft Web+ internal IP Address access"
+  http /.*[\/\\]webplus\.exe\?about/
+  tcp-state established,originator
+  }
+
+signature sid-1098 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC SmartWin CyberOffice Shopping Cart access"
+  http /.*_private[\/\\]shopping_cart\.mdb/
+  tcp-state established,originator
+  }
+
+signature sid-1099 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC cybercop scan"
+  http /.*[\/\\]cybercop/
+  tcp-state established,originator
+  }
+
+signature sid-1100 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC L3retriever HTTP Probe"
+  tcp-state established,originator
+  payload /.*User-Agent\x3a Java1\.2\.1\x0d\x0a/
+  }
+
+signature sid-1101 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Webtrends HTTP probe"
+  tcp-state established,originator
+  payload /.*User-Agent\x3a Webtrends Security Analyzer\x0d\x0a/
+  }
+
+signature sid-1102 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Nessus 404 probe"
+  http /.*[\/\\]nessus_is_probing_you_/
+  tcp-state established,originator
+  }
+
+signature sid-1103 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Netscape admin passwd"
+  http /.*[\/\\]admin-serv[\/\\]config[\/\\]admpw/
+  tcp-state established,originator
+  }
+
+signature sid-1105 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC BigBrother access"
+  http /.*[\/\\]bb-hostsvc\.sh\?HOSTSVC/
+  tcp-state established,originator
+  }
+
+signature sid-1612 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC ftp.pl attempt"
+  http /.*[\/\\]ftp\.pl\?dir=\.\.[\/\\]\.\./
+  tcp-state established,originator
+  }
+
+signature sid-1107 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC ftp.pl access"
+  http /.*[\/\\]ftp\.pl/
+  tcp-state established,originator
+  }
+
+signature sid-1108 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Tomcat server snoop access"
+  http /.*[\/\\]jsp[\/\\]snp[\/\\]/
+  http /.*\.snp/
+  tcp-state established,originator
+  }
+
+signature sid-1109 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC ROXEN directory list attempt"
+  http /.*\x2F\x25\x30\x30/
+  tcp-state established,originator
+  }
+
+signature sid-1110 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC apache source.asp file access"
+  http /.*[\/\\]site[\/\\]eg[\/\\]source\.asp/
+  tcp-state established,originator
+  }
+
+signature sid-1111 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Tomcat server exploit access"
+  http /.*[\/\\]contextAdmin[\/\\]contextAdmin\.html/
+  tcp-state established,originator
+  }
+
+signature sid-1112 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC http directory traversal"
+  tcp-state established,originator
+  payload /.*\.\.\\/
+  }
+
+signature sid-1115 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC ICQ webserver DOS"
+  http /.*\.html[\/\\]\.\.\.\.\.\./
+  tcp-state established,originator
+  }
+
+signature sid-1116 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Lotus DelDoc attempt"
+  http /.*\?DeleteDocument/
+  tcp-state established,originator
+  }
+
+signature sid-1117 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Lotus EditDoc attempt"
+  http /.*\?EditDocument/
+  tcp-state established,originator
+  }
+
+signature sid-1118 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC ls%20-l"
+  tcp-state established,originator
+  payload /.*[lL][sS]%20-[lL]/
+  }
+
+signature sid-1119 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC mlog.phtml access"
+  http /.*[\/\\]mlog\.phtml/
+  tcp-state established,originator
+  }
+
+signature sid-1120 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC mylog.phtml access"
+  http /.*[\/\\]mylog\.phtml/
+  tcp-state established,originator
+  }
+
+signature sid-1122 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC /etc/passwd"
+  tcp-state established,originator
+  payload /.*\/[eE][tT][cC]\/[pP][aA][sS][sS][wW][dD]/
+  }
+
+signature sid-1123 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC ?PageServices access"
+  http /.*\?PageServices/
+  tcp-state established,originator
+  }
+
+signature sid-1124 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Ecommerce check.txt access"
+  http /.*[\/\\]config[\/\\]check\.txt/
+  tcp-state established,originator
+  }
+
+signature sid-1125 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC webcart access"
+  http /.*[\/\\]webcart[\/\\]/
+  tcp-state established,originator
+  }
+
+signature sid-1126 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC AuthChangeUrl access"
+  http /.*_AuthChangeUrl\?/
+  tcp-state established,originator
+  }
+
+signature sid-1127 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC convert.bas access"
+  http /.*[\/\\]scripts[\/\\]convert\.bas/
+  tcp-state established,originator
+  }
+
+signature sid-1128 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC cpshost.dll access"
+  http /.*[\/\\]scripts[\/\\]cpshost\.dll/
+  tcp-state established,originator
+  }
+
+signature sid-1129 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC .htaccess access"
+  tcp-state established,originator
+  payload /.*\.[hH][tT][aA][cC][cC][eE][sS][sS]/
+  }
+
+signature sid-1130 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC .wwwacl access"
+  http /.*\.wwwacl/
+  tcp-state established,originator
+  }
+
+signature sid-1131 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC .wwwacl access"
+  http /.*\.www_acl/
+  tcp-state established,originator
+  }
+
+signature sid-1136 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC cd.."
+  tcp-state established,originator
+  payload /.*[cC][dD]\.\./
+  }
+
+signature sid-1140 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC guestbook.pl access"
+  http /.*[\/\\]guestbook\.pl/
+  tcp-state established,originator
+  }
+
+signature sid-1613 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC handler attempt"
+  http /.*[\/\\]handler/
+  http /.*\|/
+  tcp-state established,originator
+  }
+
+signature sid-1141 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC handler access"
+  http /.*[\/\\]handler/
+  tcp-state established,originator
+  }
+
+signature sid-1142 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC /.... access"
+  tcp-state established,originator
+  payload /.*\/\.\.\.\./
+  }
+
+signature sid-1143 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC ///cgi-bin access"
+  http /.*[\/\\][\/\\][\/\\]cgi-bin/
+  tcp-state established,originator
+  }
+
+signature sid-1144 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC /cgi-bin/// access"
+  http /.*[\/\\]cgi-bin[\/\\][\/\\][\/\\]/
+  tcp-state established,originator
+  }
+
+signature sid-1145 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC /~root access"
+  http /.*[\/\\]~root/
+  tcp-state established,originator
+  }
+
+signature sid-1662 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC /~ftp access"
+  http /.*[\/\\]~ftp/
+  tcp-state established,originator
+  }
+
+signature sid-1146 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Ecommerce import.txt access"
+  http /.*[\/\\]config[\/\\]import\.txt/
+  tcp-state established,originator
+  }
+
+signature sid-1147 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC cat%20 access"
+  tcp-state established,originator
+  payload /.*[cC][aA][tT]%20/
+  }
+
+signature sid-1148 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Ecommerce import.txt access"
+  http /.*[\/\\]orders[\/\\]import\.txt/
+  tcp-state established,originator
+  }
+
+signature sid-1150 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Domino catalog.nsf access"
+  http /.*[\/\\]catalog\.nsf/
+  tcp-state established,originator
+  }
+
+signature sid-1151 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Domino domcfg.nsf access"
+  http /.*[\/\\]domcfg\.nsf/
+  tcp-state established,originator
+  }
+
+signature sid-1152 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Domino domlog.nsf access"
+  http /.*[\/\\]domlog\.nsf/
+  tcp-state established,originator
+  }
+
+signature sid-1153 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Domino log.nsf access"
+  http /.*[\/\\]log\.nsf/
+  tcp-state established,originator
+  }
+
+signature sid-1154 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Domino names.nsf access"
+  http /.*[\/\\]names\.nsf/
+  tcp-state established,originator
+  }
+
+signature sid-1575 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Domino mab.nsf access"
+  http /.*[\/\\]mab\.nsf/
+  tcp-state established,originator
+  }
+
+signature sid-1576 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Domino cersvr.nsf access"
+  http /.*[\/\\]cersvr\.nsf/
+  tcp-state established,originator
+  }
+
+signature sid-1577 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Domino setup.nsf access"
+  http /.*[\/\\]setup\.nsf/
+  tcp-state established,originator
+  }
+
+signature sid-1578 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Domino statrep.nsf access"
+  http /.*[\/\\]statrep\.nsf/
+  tcp-state established,originator
+  }
+
+signature sid-1579 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Domino webadmin.nsf access"
+  http /.*[\/\\]webadmin\.nsf/
+  tcp-state established,originator
+  }
+
+signature sid-1580 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Domino events4.nsf access"
+  http /.*[\/\\]events4\.nsf/
+  tcp-state established,originator
+  }
+
+signature sid-1581 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Domino ntsync4.nsf access"
+  http /.*[\/\\]ntsync4\.nsf/
+  tcp-state established,originator
+  }
+
+signature sid-1582 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Domino collect4.nsf access"
+  http /.*[\/\\]collect4\.nsf/
+  tcp-state established,originator
+  }
+
+signature sid-1583 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Domino mailw46.nsf access"
+  http /.*[\/\\]mailw46\.nsf/
+  tcp-state established,originator
+  }
+
+signature sid-1584 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Domino bookmark.nsf access"
+  http /.*[\/\\]bookmark\.nsf/
+  tcp-state established,originator
+  }
+
+signature sid-1585 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Domino agentrunner.nsf access"
+  http /.*[\/\\]agentrunner\.nsf/
+  tcp-state established,originator
+  }
+
+signature sid-1586 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Domino mail.box access"
+  http /.*[\/\\]mail\.box/
+  tcp-state established,originator
+  }
+
+signature sid-1155 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Ecommerce checks.txt access"
+  http /.*[\/\\]orders[\/\\]checks\.txt/
+  tcp-state established,originator
+  }
+
+signature sid-1156 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC apache DOS attempt"
+  tcp-state established,originator
+  payload /.*\x2f\x2f\x2f\x2f\x2f\x2f\x2f\x2f/
+  }
+
+signature sid-1157 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Netscape PublishingXpert access"
+  http /.*[\/\\]PSUser[\/\\]PSCOErrPage\.htm/
+  tcp-state established,originator
+  }
+
+signature sid-1158 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC windmail.exe access"
+  http /.*[\/\\]windmail\.exe/
+  tcp-state established,originator
+  }
+
+signature sid-1159 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC webplus access"
+  http /.*[\/\\]webplus\?script/
+  tcp-state established,originator
+  }
+
+signature sid-1160 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Netscape dir index wp"
+  http /.*\?wp-/
+  tcp-state established,originator
+  }
+
+signature sid-1162 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC cart 32 AdminPwd access"
+  http /.*[\/\\]c32web\.exe[\/\\]ChangeAdminPassword/
+  tcp-state established,originator
+  }
+
+signature sid-1164 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC shopping cart access"
+  http /.*[\/\\]quikstore\.cfg/
+  tcp-state established,originator
+  }
+
+signature sid-1614 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Novell Groupwise gwweb.exe attempt"
+  http /.*[\/\\]GWWEB\.EXE\?HELP=/
+  tcp-state established,originator
+  }
+
+signature sid-1165 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Novell Groupwise gwweb.exe access"
+  tcp-state established,originator
+  payload /.*\/[gG][wW][wW][eE][bB]\.[eE][xX][eE]/
+  }
+
+signature sid-1166 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC ws_ftp.ini access"
+  http /.*[\/\\]ws_ftp\.ini/
+  tcp-state established,originator
+  }
+
+signature sid-1167 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC rpm_query access"
+  http /.*[\/\\]rpm_query/
+  tcp-state established,originator
+  }
+
+signature sid-1168 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC mall log order access"
+  http /.*[\/\\]mall_log_files[\/\\]order\.log/
+  tcp-state established,originator
+  }
+
+signature sid-1173 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC architext_query.pl access"
+  http /.*[\/\\]ews[\/\\]architext_query\.pl/
+  tcp-state established,originator
+  }
+
+signature sid-1175 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC wwwboard.pl access"
+  http /.*[\/\\]wwwboard\.pl/
+  tcp-state established,originator
+  }
+
+signature sid-1176 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC order.log access"
+  http /.*[\/\\]admin_files[\/\\]order\.log/
+  tcp-state established,originator
+  }
+
+signature sid-1177 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Netscape Enterprise Server directory view"
+  http /.*\?wp-verify-link/
+  tcp-state established,originator
+  }
+
+signature sid-1180 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC get32.exe access"
+  http /.*[\/\\]get32\.exe/
+  tcp-state established,originator
+  }
+
+signature sid-1181 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Annex Terminal DOS attempt"
+  http /.*[\/\\]ping\?query=/
+  tcp-state established,originator
+  }
+
+signature sid-1182 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC cgitest.exe attempt"
+  http /.*[\/\\]cgitest\.exe\x0d\x0auser/
+  tcp-state established,originator
+  }
+
+signature sid-1587 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC cgitest.exe access"
+  http /.*[\/\\]cgitest\.exe/
+  tcp-state established,originator
+  }
+
+signature sid-1183 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Netscape Enterprise Server directory view"
+  http /.*\?wp-cs-dump/
+  tcp-state established,originator
+  }
+
+signature sid-1184 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Netscape Enterprise Server directory view"
+  http /.*\?wp-ver-info/
+  tcp-state established,originator
+  }
+
+signature sid-1186 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Netscape Enterprise Server directory view"
+  http /.*\?wp-ver-diff/
+  tcp-state established,originator
+  }
+
+signature sid-1187 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC SalesLogix Eviewer web command attempt"
+  http /.*[\/\\]slxweb\.dll[\/\\]admin\?command=/
+  tcp-state established,originator
+  }
+
+signature sid-1588 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC SalesLogix Eviewer access"
+  http /.*[\/\\]slxweb\.dll/
+  tcp-state established,originator
+  }
+
+signature sid-1188 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Netscape Enterprise Server directory view"
+  http /.*\?wp-start-ver/
+  tcp-state established,originator
+  }
+
+signature sid-1189 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Netscape Enterprise Server directory view"
+  http /.*\?wp-stop-ver/
+  tcp-state established,originator
+  }
+
+signature sid-1190 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Netscape Enterprise Server directory view"
+  http /.*\?wp-uncheckout/
+  tcp-state established,originator
+  }
+
+signature sid-1191 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Netscape Enterprise Server directory view"
+  http /.*\?wp-html-rend/
+  tcp-state established,originator
+  }
+
+signature sid-1381 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Trend Micro OfficeScan attempt"
+  http /.*[\/\\]officescan[\/\\]cgi[\/\\]jdkRqNotify\.exe\?/
+  http /.*domain=/
+  http /.*event=/
+  tcp-state established,originator
+  }
+
+signature sid-1192 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Trend Micro OfficeScan access"
+  http /.*[\/\\]officescan[\/\\]cgi[\/\\]jdkRqNotify\.exe/
+  tcp-state established,originator
+  }
+
+signature sid-1193 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC oracle web arbitrary command execution attempt"
+  http /.*[\/\\]ows-bin[\/\\]/
+  http /.*\?&/
+  tcp-state established,originator
+  }
+
+signature sid-1880 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC oracle web application server access"
+  http /.*[\/\\]ows-bin[\/\\]/
+  tcp-state established,originator
+  }
+
+signature sid-1198 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Netscape Enterprise Server directory view"
+  http /.*\?wp-usr-prop/
+  tcp-state established,originator
+  }
+
+signature sid-1202 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC search.vts access"
+  http /.*[\/\\]search\.vts/
+  tcp-state established,originator
+  }
+
+signature sid-1615 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC htgrep attempt"
+  http /.*[\/\\]htgrep/
+  tcp-state established,originator
+  payload /.*hdr=\//
+  }
+
+signature sid-1207 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC htgrep access"
+  http /.*[\/\\]htgrep/
+  tcp-state established,originator
+  }
+
+signature sid-1209 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC .nsconfig access"
+  http /.*[\/\\]\.nsconfig/
+  tcp-state established,originator
+  }
+
+signature sid-1212 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Admin_files access"
+  http /.*[\/\\]admin_files/
+  tcp-state established,originator
+  }
+
+signature sid-1213 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC backup access"
+  http /.*[\/\\]backup/
+  tcp-state established,originator
+  }
+
+signature sid-1214 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC intranet access"
+  http /.*[\/\\]intranet[\/\\]/
+  tcp-state established,originator
+  }
+
+signature sid-1216 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC filemail access"
+  http /.*[\/\\]filemail/
+  tcp-state established,originator
+  }
+
+signature sid-1217 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC plusmail access"
+  http /.*[\/\\]plusmail/
+  tcp-state established,originator
+  }
+
+signature sid-1218 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC adminlogin access"
+  http /.*[\/\\]adminlogin/
+  tcp-state established,originator
+  }
+
+signature sid-1220 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC ultraboard access"
+  http /.*[\/\\]ultraboard/
+  tcp-state established,originator
+  }
+
+signature sid-1589 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC musicat empower attempt"
+  http /.*[\/\\]empower\?DB=/
+  tcp-state established,originator
+  }
+
+signature sid-1221 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC musicat empower access"
+  http /.*[\/\\]empower/
+  tcp-state established,originator
+  }
+
+signature sid-1224 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC ROADS search.pl attempt"
+  http /.*[\/\\]ROADS[\/\\]cgi-bin[\/\\]search\.pl/
+  tcp-state established,originator
+  payload /.*[fF][oO][rR][mM]=/
+  }
+
+signature sid-1230 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC VirusWall FtpSave access"
+  http /.*[\/\\]FtpSave\.dll/
+  tcp-state established,originator
+  }
+
+signature sid-1234 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC VirusWall FtpSaveCSP access"
+  http /.*[\/\\]FtpSaveCSP\.dll/
+  tcp-state established,originator
+  }
+
+signature sid-1235 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC VirusWall FtpSaveCVP access"
+  http /.*[\/\\]FtpSaveCVP\.dll/
+  tcp-state established,originator
+  }
+
+signature sid-1236 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Tomcat sourecode view"
+  http /.*\.js%2570/
+  tcp-state established,originator
+  }
+
+signature sid-1237 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Tomcat sourecode view"
+  http /.*\.j%2573p/
+  tcp-state established,originator
+  }
+
+signature sid-1238 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Tomcat sourecode view"
+  http /.*\.%256Asp/
+  tcp-state established,originator
+  }
+
+signature sid-1241 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC SWEditServlet directory traversal attempt"
+  http /.*[\/\\]SWEditServlet/
+  tcp-state established,originator
+  payload /.*template=\.\.\/\.\.\/\.\.\//
+  }
+
+signature sid-1259 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC SWEditServlet access"
+  http /.*[\/\\]SWEditServlet/
+  tcp-state established,originator
+  }
+
+signature sid-1139 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC whisker HEAD/./"
+  tcp-state established,originator
+  payload /.*HEAD\/\.\//
+  }
+
+signature sid-1258 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC HP OpenView Manager DOS"
+  http /.*[\/\\]OvCgi[\/\\]OpenView5\.exe\?Context=Snmp&Action=Snmp&Host=&Oid=/
+  tcp-state established,originator
+  }
+
+signature sid-1260 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC long basic authorization string"
+  tcp-state established,originator
+  payload /.*[aA][uU][tT][hH][oO][rR][iI][zZ][aA][tT][iI][oO][nN]: [bB][aA][sS][iI][cC] [^\x0A]{512}/
+  }
+
+signature sid-1291 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC sml3com access"
+  http /.*[\/\\]graphics[\/\\]sml3com/
+  tcp-state established,originator
+  }
+
+signature sid-1001 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC carbo.dll access"
+  http /.*[\/\\]carbo\.dll/
+  tcp-state established,originator
+  payload /.*[iI][cC][aA][tT][cC][oO][mM][mM][aA][nN][dD]=/
+  }
+
+signature sid-1302 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC console.exe access"
+  http /.*[\/\\]cgi-bin[\/\\]console\.exe/
+  tcp-state established,originator
+  }
+
+signature sid-1303 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC cs.exe access"
+  http /.*[\/\\]cgi-bin[\/\\]cs\.exe/
+  tcp-state established,originator
+  }
+
+signature sid-1113 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC http directory traversal"
+  tcp-state established,originator
+  payload /.*\.\.\//
+  }
+
+signature sid-1375 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC sadmind worm access"
+  tcp-state established,originator
+  payload /.{0,1}GET x HTTP\/1\.0/
+  }
+
+signature sid-1376 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC jrun directory browse attempt"
+  http /.*[\/\\]%3f\.jsp/
+  tcp-state established,originator
+  }
+
+signature sid-1385 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC mod-plsql administration access"
+  http /.*[\/\\]admin_[\/\\]/
+  tcp-state established,originator
+  }
+
+signature sid-1391 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Phorecast remote code execution attempt"
+  tcp-state established,originator
+  payload /.*includedir=/
+  }
+
+signature sid-1403 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC viewcode access"
+  http /.*[\/\\]viewcode/
+  tcp-state established,originator
+  }
+
+signature sid-1404 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC showcode access"
+  http /.*[\/\\]showcode/
+  tcp-state established,originator
+  }
+
+signature sid-1433 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC .history access"
+  http /.*[\/\\]\.history/
+  tcp-state established,originator
+  }
+
+signature sid-1434 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC .bash_history access"
+  http /.*[\/\\]\.bash_history/
+  tcp-state established,originator
+  }
+
+signature sid-1489 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC /~nobody access"
+  http /.*[\/\\]~nobody/
+  tcp-state established,originator
+  }
+
+signature sid-1492 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC RBS ISP /newuser  directory traversal attempt"
+  http /.*[\/\\]newuser\?Image=\.\.[\/\\]\.\./
+  tcp-state established,originator
+  }
+
+signature sid-1493 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC RBS ISP /newuser access"
+  http /.*[\/\\]newuser/
+  tcp-state established,originator
+  }
+
+signature sid-1663 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC *%0a.pl access"
+  http /.*[\/\\]\*%0a\.pl/
+  tcp-state established,originator
+  }
+
+signature sid-1664 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC mkplog.exe access"
+  http /.*[\/\\]mkplog\.exe/
+  tcp-state established,originator
+  }
+
+signature sid-1665 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC mkilog.exe access"
+  http /.*[\/\\]mkilog\.exe/
+  tcp-state established,originator
+  }
+
+signature sid-509 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC PCCS mysql database admin tool access"
+  tcp-state established,originator
+  payload /.{0,5}[pP][cC][cC][sS][mM][yY][sS][qQ][lL][aA][dD][mM]\/[iI][nN][cC][sS]\/[dD][bB][cC][oO][nN][nN][eE][cC][tT]\.[iI][nN][cC]/
+  }
+
+signature sid-1769 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC .DS_Store access"
+  http /.*[\/\\]\.DS_Store/
+  tcp-state established,originator
+  }
+
+signature sid-1770 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC .FBCIndex access"
+  http /.*[\/\\]\.FBCIndex/
+  tcp-state established,originator
+  }
+
+signature sid-1500 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC ExAir access"
+  http /.*[\/\\]exair[\/\\]search[\/\\]/
+  tcp-state established,originator
+  }
+
+signature sid-1519 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC apache ?M=D directory list attempt"
+  http /.*[\/\\]\?M=D/
+  tcp-state established,originator
+  }
+
+signature sid-1520 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC server-info access"
+  http /.*[\/\\]server-info/
+  tcp-state established,originator
+  }
+
+signature sid-1521 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC server-status access"
+  http /.*[\/\\]server-status/
+  tcp-state established,originator
+  }
+
+signature sid-1522 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC ans.pl attempt"
+  http /.*[\/\\]ans\.pl\?p=\.\.[\/\\]\.\.[\/\\]/
+  tcp-state established,originator
+  }
+
+signature sid-1523 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC ans.pl access"
+  http /.*[\/\\]ans\.pl/
+  tcp-state established,originator
+  }
+
+signature sid-1524 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC AxisStorpoint CD attempt"
+  http /.*[\/\\]cd[\/\\]\.\.[\/\\]config[\/\\]html[\/\\]cnf_gi\.htm/
+  tcp-state established,originator
+  }
+
+signature sid-1525 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Axis Storpoint CD access"
+  http /.*[\/\\]config[\/\\]html[\/\\]cnf_gi\.htm/
+  tcp-state established,originator
+  }
+
+signature sid-1526 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC basilix sendmail.inc access"
+  http /.*[\/\\]inc[\/\\]sendmail\.inc/
+  tcp-state established,originator
+  }
+
+signature sid-1527 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC basilix mysql.class access"
+  http /.*[\/\\]class[\/\\]mysql\.class/
+  tcp-state established,originator
+  }
+
+signature sid-1528 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC BBoard access"
+  http /.*[\/\\]servlet[\/\\]sunexamples\.BBoardServlet/
+  tcp-state established,originator
+  }
+
+signature sid-1544 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Cisco Catalyst command execution attempt"
+  http /.*[\/\\]exec[\/\\]show[\/\\]config[\/\\]cr/
+  tcp-state established,originator
+  }
+
+signature sid-1546 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Cisco /%% DOS attempt"
+  http /.*[\/\\]%%/
+  tcp-state established,originator
+  }
+
+signature sid-1551 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC /CVS/Entries access"
+  http /.*[\/\\]CVS[\/\\]Entries/
+  tcp-state established,originator
+  }
+
+signature sid-1552 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC cvsweb version access"
+  http /.*[\/\\]cvsweb[\/\\]version/
+  tcp-state established,originator
+  }
+
+signature sid-1559 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC /doc/packages access"
+  http /.*[\/\\]doc[\/\\]packages/
+  tcp-state established,originator
+  }
+
+signature sid-1560 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC /doc/ access"
+  http /.*[\/\\]doc[\/\\]/
+  tcp-state established,originator
+  }
+
+signature sid-1561 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC ?open access"
+  http /.*\?open/
+  tcp-state established,originator
+  }
+
+signature sid-1563 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC login.htm attempt"
+  http /.*[\/\\]login\.htm\?password=/
+  tcp-state established,originator
+  }
+
+signature sid-1564 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC login.htm access"
+  http /.*[\/\\]login\.htm/
+  tcp-state established,originator
+  }
+
+signature sid-1603 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC DELETE attempt"
+  tcp-state established,originator
+  payload /[dD][eE][lL][eE][tT][eE] /
+  }
+
+signature sid-1670 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC /home/ftp access"
+  http /.*[\/\\]home[\/\\]ftp/
+  tcp-state established,originator
+  }
+
+signature sid-1671 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC /home/www access"
+  http /.*[\/\\]home[\/\\]www/
+  tcp-state established,originator
+  }
+
+signature sid-1738 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC global.inc access"
+  http /.*[\/\\]global\.inc/
+  tcp-state established,originator
+  }
+
+signature sid-1744 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC SecureSite authentication bypass attempt"
+  tcp-state established,originator
+  payload /.*[sS][eE][cC][uU][rR][eE]_[sS][iI][tT][eE], [oO][kK]/
+  }
+
+signature sid-1757 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC b2 arbitrary command execution attempt"
+  http /.*[\/\\]b2[\/\\]b2-include[\/\\]/
+  tcp-state established,originator
+  payload /.*b2inc/
+  payload /.*http:\/\//
+  }
+
+signature sid-1758 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC b2 access"
+  http /.*[\/\\]b2[\/\\]b2-include[\/\\]/
+  tcp-state established,originator
+  payload /.*b2inc/
+  payload /.*http:\/\//
+  }
+
+signature sid-1766 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC search.dll directory listing attempt"
+  http /.*[\/\\]search\.dll/
+  tcp-state established,originator
+  payload /.*query=%00/
+  }
+
+signature sid-1767 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC search.dll access"
+  http /.*[\/\\]search\.dll/
+  tcp-state established,originator
+  }
+
+signature sid-1498 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 8181
+  event "WEB-MISC PIX firewall manager directory traversal attempt"
+  http /.*[\/\\]\.\.[\/\\]\.\.[\/\\]/
+  tcp-state established,originator
+  }
+
+signature sid-1604 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 4080
+  event "WEB-MISC iChat directory traversal attempt"
+  http /.*[\/\\]\.\.[\/\\]\.\.[\/\\]/
+  tcp-state established,originator
+  }
+
+signature sid-1558 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 8080
+  event "WEB-MISC Delegate whois overflow attempt"
+  tcp-state established,originator
+  payload /.*[wW][hH][oO][iI][sS]:\/\//
+  }
+
+signature sid-1518 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 8000
+  event "WEB-MISC nstelemetry.adp access"
+  http /.*[\/\\]nstelemetry\.adp/
+  tcp-state established,originator
+  }
+
+signature sid-1132 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 457
+  event "WEB-MISC Netscape Unixware overflow"
+  tcp-state established,originator
+  payload /.*\xeb\x5f\x9a\xff\xff\xff\xff\x07\xff\xc3\x5e\x31\xc0\x89\x46\x9d/
+  }
+
+signature sid-1199 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 2301
+  event "WEB-MISC Compaq Insight directory traversal"
+  http /.*\.\.[\/\\]/
+  tcp-state established,originator
+  }
+
+signature sid-1231 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC VirusWall catinfo access"
+  http /.*[\/\\]catinfo/
+  tcp-state established,originator
+  }
+
+signature sid-1232 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 1812
+  event "WEB-MISC VirusWall catinfo access"
+  http /.*[\/\\]catinfo/
+  tcp-state established,originator
+  }
+
+signature sid-1809 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Apache Chunked-Encoding worm attempt"
+  tcp-state established,originator
+  payload /.*[cC][cC][cC][cC][cC][cC][cC]: [aA][aA][aA][aA][aA][aA][aA][aA][aA][aA][aA][aA][aA][aA][aA][aA][aA][aA][aA]/
+  }
+
+signature sid-1807 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Transfer-Encoding: chunked"
+  tcp-state established,originator
+  payload /.*[tT][rR][aA][nN][sS][fF][eE][rR]-[eE][nN][cC][oO][dD][iI][nN][gG]:/
+  payload /.*[cC][hH][uU][nN][kK][eE][dD]/
+  }
+
+signature sid-1814 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC CISCO VoIP DOS ATTEMPT"
+  http /.*[\/\\]StreamingStatistics/
+  tcp-state established,originator
+  }
+
+signature sid-1820 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC IBM Net.Commerce orderdspc.d2w access"
+  http /.*[\/\\]ncommerce3[\/\\]ExecMacro[\/\\]orderdspc\.d2w/
+  tcp-state established,originator
+  }
+
+signature sid-1826 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC WEB-INF access"
+  http /.*[\/\\]WEB-INF/
+  tcp-state established,originator
+  }
+
+signature sid-1827 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Tomcat servlet mapping cross site scripting attempt"
+  http /.*[\/\\]servlet[\/\\]/
+  http /.*[\/\\]org\.apache\./
+  tcp-state established,originator
+  }
+
+signature sid-1828 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC iPlanet Search directory traversal attempt"
+  http /.*[\/\\]search/
+  tcp-state established,originator
+  payload /.*NS-query-pat=/
+  payload /.*\.\.\/\.\.\//
+  }
+
+signature sid-1829 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Tomcat TroubleShooter servlet access"
+  http /.*[\/\\]examples[\/\\]servlet[\/\\]TroubleShooter/
+  tcp-state established,originator
+  }
+
+signature sid-1830 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Tomcat SnoopServlet servlet access"
+  http /.*[\/\\]examples[\/\\]servlet[\/\\]SnoopServlet/
+  tcp-state established,originator
+  }
+
+signature sid-1831 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC jigsaw dos attempt"
+  http /.*[\/\\]servlet[\/\\]con/
+  tcp-state established,originator
+  }
+
+signature sid-1835 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Macromedia SiteSpring cross site scripting attempt"
+  http /.*[\/\\]error[\/\\]500error\.jsp/
+  http /.*et=/
+  http /.*<script/
+  tcp-state established,originator
+  }
+
+signature sid-1839 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC mailman cross site scripting attempt"
+  http /.*[\/\\]mailman[\/\\]/
+  http /.*\?/
+  http /.*info=/
+  http /.*<script/
+  tcp-state established,originator
+  }
+
+signature sid-1847 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC webalizer access"
+  http /.*[\/\\]webalizer[\/\\]/
+  tcp-state established,originator
+  }
+
+signature sid-1848 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC webcart-lite access"
+  http /.*[\/\\]webcart-lite[\/\\]/
+  tcp-state established,originator
+  }
+
+signature sid-1849 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC webfind.exe access"
+  http /.*[\/\\]webfind\.exe/
+  tcp-state established,originator
+  }
+
+signature sid-1851 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC active.log access"
+  http /.*[\/\\]active\.log/
+  tcp-state established,originator
+  }
+
+signature sid-1852 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC robots.txt access"
+  http /.*[\/\\]robots\.txt/
+  tcp-state established,originator
+  }
+
+signature sid-1857 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC robot.txt access"
+  http /.*[\/\\]robot\.txt/
+  tcp-state established,originator
+  }
+
+signature sid-1858 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 8181
+  event "WEB-MISC CISCO PIX Firewall Manager directory traversal attempt"
+  http /.*[\/\\]pixfir~1[\/\\]how_to_login\.html/
+  tcp-state established,originator
+  }
+
+signature sid-1859 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 9090
+  event "WEB-MISC Sun JavaServer default password login attempt"
+  http /.*[\/\\]servlet[\/\\]admin/
+  tcp-state established,originator
+  payload /.*ae9f86d6beaa3f9ecb9a5b7e072a4138/
+  }
+
+signature sid-1860 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 8080
+  event "WEB-MISC Linksys router default password login attempt (:admin)"
+  tcp-state established,originator
+  payload /.*Authorization: Basic OmFkbWlu/
+  }
+
+signature sid-1861 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 8080
+  event "WEB-MISC Linksys router default password login attempt (admin:admin)"
+  tcp-state established,originator
+  payload /.*[aA][uU][tT][hH][oO][rR][iI][zZ][aA][tT][iI][oO][nN]: /
+  payload /.* [bB][aA][sS][iI][cC] /
+  payload /.*YWRtaW46YWRtaW4/
+  }
+
+signature sid-1871 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Oracle XSQLConfig.xml access"
+  http /.*[\/\\]XSQLConfig\.xml/
+  tcp-state established,originator
+  }
+
+signature sid-1872 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Oracle Dynamic Monitoring Services (dms) access"
+  http /.*[\/\\]dms0/
+  tcp-state established,originator
+  }
+
+signature sid-1873 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC globals.jsa access"
+  http /.*[\/\\]globals\.jsa/
+  tcp-state established,originator
+  }
+
+signature sid-1874 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC Oracle Java Process Manager access"
+  http /.*[\/\\]oprocmgr-status/
+  tcp-state established,originator
+  }
+
+signature sid-1881 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC bad HTTP/1.1 request, Potentially worm attack"
+  tcp-state established,originator
+  payload /GET \/ HTTP\/1\.1\x0d\x0a\x0d\x0a/
+  }
+
+signature sid-1104 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  payload-size == 1
+  event "WEB-MISC whisker space splice attack"
+  tcp-state established,originator
+  payload /\x20/
+  }
+
+signature sid-1087 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  payload-size < 5
+  event "WEB-MISC whisker tab splice attack"
+  tcp-state established,originator
+  payload /.*\x09/
+  }
+
+signature sid-1808 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC apache chunked encoding memory corruption exploit attempt"
+  tcp-state established,originator
+  payload /.*\xC0\x50\x52\x89\xE1\x50\x51\x52\x50\xB8\x3B\x00\x00\x00\xCD\x80/
+  }
+
+signature sid-1943 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC /Carello/add.exe access"
+  http /.*[\/\\]Carello[\/\\]add\.exe/
+  tcp-state established,originator
+  }
+
+signature sid-1944 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC /ecscripts/ecware.exe access"
+  http /.*[\/\\]ecscripts[\/\\]ecware\.exe/
+  tcp-state established,originator
+  }
+
+signature sid-1969 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-MISC ion-p access"
+  http /.*[\/\\]ion-p/
+  tcp-state established,originator
+  }
+
+signature sid-1499 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 8888
+  event "WEB-MISC SiteScope Service access"
+  http /.*[\/\\]SiteScope[\/\\]cgi[\/\\]go\.exe[\/\\]SiteScope/
+  tcp-state established,originator
+  }
+
+signature sid-1946 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 8888
+  event "WEB-MISC answerbook2 admin attempt"
+  http /.*[\/\\]cgi-bin[\/\\]admin[\/\\]admin/
+  tcp-state established,originator
+  }
+
+signature sid-1947 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 8888
+  event "WEB-MISC answerbook2 arbitrary command execution attempt"
+  http /.*[\/\\]ab2[\/\\]/
+  tcp-state established,originator
+  payload /.{1}.*;/
+  }
+
+signature sid-1979 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == http_ports
+  event "WEB-MISC perl post attempt"
+  http /.*[\/\\]perl[\/\\]/
+  tcp-state established,originator
+  payload /POST/
+  }
+
+signature sid-2056 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == http_ports
+  event "WEB-MISC TRACE attempt"
+  tcp-state established,originator
+  payload /TRACE/
+  }
+
+signature sid-2057 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == http_ports
+  event "WEB-MISC helpout.exe access"
+  http /.*[\/\\]helpout\.exe/
+  tcp-state established,originator
+  }
+
+signature sid-2058 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == http_ports
+  event "WEB-MISC MsmMask.exe attempt"
+  http /.*[\/\\]MsmMask\.exe/
+  tcp-state established,originator
+  payload /.*mask=/
+  }
+
+signature sid-2059 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == http_ports
+  event "WEB-MISC MsmMask.exe access"
+  http /.*[\/\\]MsmMask\.exe/
+  tcp-state established,originator
+  }
+
+signature sid-2060 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == http_ports
+  event "WEB-MISC DB4Web access"
+  http /.*[\/\\]DB4Web[\/\\]/
+  tcp-state established,originator
+  }
+
+signature sid-2061 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == http_ports
+  event "WEB-MISC Tomcat null byte directory listing attempt"
+  http /.*\x00\.jsp/
+  tcp-state established,originator
+  }
+
+signature sid-2062 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == http_ports
+  event "WEB-MISC iPlanet .perf access"
+  http /.*[\/\\]\.perf/
+  tcp-state established,originator
+  }
+
+signature sid-2063 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == http_ports
+  event "WEB-MISC Demarc SQL injection attempt"
+  http /.*[\/\\]dm[\/\\]demarc/
+  tcp-state established,originator
+  payload /.*s_key=.*.{0}.*'.{1}.*'.*.{0}.*'/
+  }
+
+signature sid-2064 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == http_ports
+  event "WEB-MISC Lotus Notes .csp script source download attempt"
+  http /.*\.csp/
+  tcp-state established,originator
+  payload /.*\.csp\./
+  }
+
+signature sid-2066 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == http_ports
+  event "WEB-MISC Lotus Notes .pl script source download attempt"
+  http /.*\.pl/
+  tcp-state established,originator
+  payload /.*\.pl\./
+  }
+
+signature sid-2067 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == http_ports
+  event "WEB-MISC Lotus Notes .exe script source download attempt"
+  http /.*\.exe/
+  tcp-state established,originator
+  payload /.*\.exe\./
+  }
+
+signature sid-2068 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == http_ports
+  event "WEB-MISC BitKeeper arbitrary command attempt"
+  http /.*[\/\\]diffs[\/\\]/
+  tcp-state established,originator
+  payload /.*'.*.{0}.*\x3b.{1}.*'/
+  }
+
+signature sid-2069 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == http_ports
+  event "WEB-MISC chip.ini access"
+  http /.*[\/\\]chip\.ini/
+  tcp-state established,originator
+  }
+
+signature sid-2070 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == http_ports
+  event "WEB-MISC post32.exe arbitrary command attempt"
+  http /.*[\/\\]post32\.exe\|/
+  tcp-state established,originator
+  }
+
+signature sid-2071 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == http_ports
+  event "WEB-MISC post32.exe access"
+  http /.*[\/\\]post32\.exe/
+  tcp-state established,originator
+  }
+
+signature sid-2072 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == http_ports
+  event "WEB-MISC lyris.pl access"
+  http /.*[\/\\]lyris\.pl/
+  tcp-state established,originator
+  }
+
+signature sid-2073 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == http_ports
+  event "WEB-MISC globals.pl access"
+  http /.*[\/\\]globals\.pl/
+  tcp-state established,originator
+  }
+
+signature sid-2135 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == http_ports
+  event "WEB-MISC philboard.mdb access"
+  http /.*[\/\\]philboard\.mdb/
+  tcp-state established,originator
+  }
+
+signature sid-2136 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == http_ports
+  event "WEB-MISC philboard_admin.asp authentication bypass attempt"
+  http /.*[\/\\]philboard_admin\.asp/
+  tcp-state established,originator
+  payload /.*[cC][oO][oO][kK][iI][eE].*.{0}.*philboard_admin=True/
+  }
+
+signature sid-2137 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == http_ports
+  event "WEB-MISC philboard_admin.asp access"
+  http /.*[\/\\]philboard_admin\.asp/
+  tcp-state established,originator
+  }
+
+signature sid-2138 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == http_ports
+  event "WEB-MISC logicworks.ini access"
+  http /.*[\/\\]logicworks\.ini/
+  tcp-state established,originator
+  }
+
+signature sid-2139 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == http_ports
+  event "WEB-MISC /*.shtml access"
+  http /.*[\/\\]\*\.shtml/
+  tcp-state established,originator
+  }
+
+signature sid-2156 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == http_ports
+  event "WEB-MISC mod_gzip_status access"
+  http /.*[\/\\]mod_gzip_status/
+  tcp-state established,originator
+  }
+
+signature sid-1233 {
+  ip-proto == tcp
+  src-ip == local_nets
+  dst-ip != local_nets
+  dst-port == http_ports
+  event "WEB-CLIENT Outlook EML access"
+  http /.*\.eml/
+  tcp-state established,originator
+  }
+
+signature sid-1735 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  src-port == http_ports
+  event "WEB-CLIENT XMLHttpRequest attempt"
+  tcp-state established,responder
+  payload /.*new XMLHttpRequest\(/
+  payload /.*[fF][iI][lL][eE]:\/\//
+  }
+
+signature sid-1284 {
+  ip-proto == tcp
+  src-ip == local_nets
+  dst-ip != local_nets
+  dst-port == http_ports
+  event "WEB-CLIENT readme.eml download attempt"
+  http /.*[\/\\]readme\.eml/
+  tcp-state established,originator
+  }
+
+signature sid-1290 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  src-port == http_ports
+  event "WEB-CLIENT readme.eml autoload attempt"
+  tcp-state established,responder
+  payload /.*[wW][iI][nN][dD][oO][wW]\.[oO][pP][eE][nN]\(\"[rR][eE][aA][dD][mM][eE]\.[eE][mM][lL]\"/
+  }
+
+signature sid-1840 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  src-port == http_ports
+  event "WEB-CLIENT Javascript document.domain attempt"
+  tcp-state established,responder
+  payload /.*[dD][oO][cC][uU][mM][eE][nN][tT]\.[dD][oO][mM][aA][iI][nN]\(/
+  }
+
+signature sid-1841 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  src-port == http_ports
+  event "WEB-CLIENT Javascript URL host spoofing attempt"
+  tcp-state established,responder
+  payload /.*[jJ][aA][vV][aA][sS][cC][rR][iI][pP][tT]:\/\//
+  }
+
+signature sid-1774 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-PHP bb_smilies.php access"
+  http /.*[\/\\]bb_smilies\.php/
+  tcp-state established,originator
+  }
+
+signature sid-1423 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-PHP content-disposition memchr overflow"
+  tcp-state established,originator
+  payload /.*Content-Disposition:/
+  payload /.*name=\"\xCC\xCC\xCC\xCC\xCC/
+  }
+
+signature sid-1736 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-PHP squirrel mail spell-check arbitrary command attempt"
+  http /.*[\/\\]squirrelspell[\/\\]modules[\/\\]check_me\.mod\.php/
+  tcp-state established,originator
+  payload /.*[sS][qQ][sS][pP][eE][lL][lL]_[aA][pP][pP]\[/
+  }
+
+signature sid-1737 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-PHP squirrel mail theme arbitrary command attempt"
+  http /.*[\/\\]left_main\.php/
+  tcp-state established,originator
+  payload /.*[cC][mM][dD][dD]=/
+  }
+
+signature sid-1739 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-PHP DNSTools administrator authentication bypass attempt"
+  http /.*[\/\\]dnstools\.php/
+  tcp-state established,originator
+  payload /.*[uU][sS][eE][rR]_[lL][oO][gG][gG][eE][dD]_[iI][nN]=[tT][rR][uU][eE]/
+  payload /.*[uU][sS][eE][rR]_[dD][nN][sS][tT][oO][oO][lL][sS]_[aA][dD][mM][iI][nN][iI][sS][tT][rR][aA][tT][oO][rR]=[tT][rR][uU][eE]/
+  }
+
+signature sid-1740 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-PHP DNSTools authentication bypass attempt"
+  http /.*[\/\\]dnstools\.php/
+  tcp-state established,originator
+  payload /.*[uU][sS][eE][rR]_[lL][oO][gG][gG][eE][dD]_[iI][nN]=[tT][rR][uU][eE]/
+  }
+
+signature sid-1741 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-PHP DNSTools access"
+  http /.*[\/\\]dnstools\.php/
+  tcp-state established,originator
+  }
+
+signature sid-1742 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-PHP Blahz-DNS dostuff.php modify user attempt"
+  http /.*[\/\\]dostuff\.php\?action=modify_user/
+  tcp-state established,originator
+  }
+
+signature sid-1743 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-PHP Blahz-DNS dostuff.php access"
+  http /.*[\/\\]dostuff\.php/
+  tcp-state established,originator
+  }
+
+signature sid-1745 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-PHP Messagerie supp_membre.php access"
+  http /.*[\/\\]supp_membre\.php/
+  tcp-state established,originator
+  }
+
+signature sid-1773 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-PHP php.exe access"
+  http /.*[\/\\]php\.exe/
+  tcp-state established,originator
+  }
+
+signature sid-1815 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-PHP directory.php arbitrary command attempt"
+  http /.*[\/\\]directory\.php/
+  tcp-state established,originator
+  payload /.*dir=/
+  payload /.*;/
+  }
+
+signature sid-1816 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-PHP directory.php access"
+  http /.*[\/\\]directory\.php/
+  tcp-state established,originator
+  }
+
+signature sid-1834 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-PHP PHP-Wiki cross site scripting attempt"
+  http /.*[\/\\]modules\.php\?/
+  http /.*name=Wiki/
+  http /.*<script/
+  tcp-state established,originator
+  }
+
+signature sid-1967 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-PHP phpbb quick-reply.php arbitrary command attempt"
+  http /.*[\/\\]quick-reply\.php/
+  tcp-state established,originator
+  payload /.{1}.*phpbb_root_path=/
+  }
+
+signature sid-1968 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-PHP phpbb quick-reply.php access"
+  http /.*[\/\\]quick-reply\.php/
+  tcp-state established,originator
+  }
+
+signature sid-1997 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-PHP read_body.php access attempt"
+  http /.*[\/\\]read_body\.php/
+  tcp-state established,originator
+  }
+
+signature sid-1998 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-PHP calendar.php access"
+  http /.*[\/\\]calendar\.php/
+  tcp-state established,originator
+  }
+
+signature sid-1999 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-PHP edit_image.php access"
+  http /.*[\/\\]edit_image\.php/
+  tcp-state established,originator
+  }
+
+signature sid-2000 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-PHP readmsg.php access"
+  http /.*[\/\\]readmsg\.php/
+  tcp-state established,originator
+  }
+
+signature sid-2002 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-PHP external include path"
+  http /.*\.php/
+  tcp-state established,originator
+  payload /.*path=http:\/\//
+  }
+
+signature sid-1134 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-PHP Phorum admin access"
+  http /.*[\/\\]admin\.php3/
+  tcp-state established,originator
+  }
+
+signature sid-1161 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-PHP piranha passwd.php3 access"
+  http /.*[\/\\]passwd\.php3/
+  tcp-state established,originator
+  }
+
+signature sid-1178 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-PHP Phorum read access"
+  http /.*[\/\\]read\.php3/
+  tcp-state established,originator
+  }
+
+signature sid-1179 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-PHP Phorum violation access"
+  http /.*[\/\\]violation\.php3/
+  tcp-state established,originator
+  }
+
+signature sid-1197 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-PHP Phorum code access"
+  http /.*[\/\\]code\.php3/
+  tcp-state established,originator
+  }
+
+signature sid-1300 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-PHP admin.php file upload attempt"
+  http /.*[\/\\]admin\.php/
+  tcp-state established,originator
+  payload /.*[fF][iI][lL][eE]_[nN][aA][mM][eE]=/
+  }
+
+signature sid-1301 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-PHP admin.php access"
+  http /.*[\/\\]admin\.php/
+  tcp-state established,originator
+  }
+
+signature sid-1407 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-PHP smssend.php access"
+  http /.*[\/\\]smssend\.php/
+  tcp-state established,originator
+  }
+
+signature sid-1399 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-PHP PHP-Nuke remote file include attempt"
+  http /.*index\.php/
+  tcp-state established,originator
+  payload /.*[fF][iI][lL][eE]=[hH][tT][tT][pP]:\/\//
+  }
+
+signature sid-1490 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-PHP Phorum /support/common.php attempt"
+  http /.*[\/\\]support[\/\\]common\.php/
+  tcp-state established,originator
+  payload /.*ForumLang=\.\.\//
+  }
+
+signature sid-1491 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-PHP Phorum /support/common.php access"
+  http /.*[\/\\]support[\/\\]common\.php/
+  tcp-state established,originator
+  }
+
+signature sid-1137 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-PHP Phorum authentication access"
+  tcp-state established,originator
+  payload /.*[pP][hH][pP]_[aA][uU][tT][hH]_[uU][sS][eE][rR]=[bB][oO][oO][gG][iI][eE][mM][aA][nN]/
+  }
+
+signature sid-1085 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-PHP strings overflow"
+  tcp-state established,originator
+  payload /.*\xba\x49\xfe\xff\xff\xf7\xd2\xb9\xbf\xff\xff\xff\xf7\xd1/
+  }
+
+signature sid-1086 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-PHP strings overflow"
+  http /.*\?STRENGUR/
+  tcp-state established,originator
+  }
+
+signature sid-1254 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-PHP PHPLIB remote command attempt"
+  tcp-state established,originator
+  payload /.*_PHPLIB\[libdir\]/
+  }
+
+signature sid-1255 {
+  ip-proto == tcp
+  src-ip == http_servers
+  dst-ip != local_nets
+  dst-port == http_ports
+  event "WEB-PHP PHPLIB remote command attempt"
+  http /.*[\/\\]db_mysql\.inc/
+  tcp-state established,originator
+  }
+
+signature sid-2074 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-PHP Mambo uploadimage.php upload php file attempt"
+  http /.*[\/\\]uploadimage\.php/
+  tcp-state established,originator
+  payload /.*userfile_name=.{1}.*\.php/
+  }
+
+signature sid-2075 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-PHP Mambo upload.php upload php file attempt"
+  http /.*[\/\\]upload\.php/
+  tcp-state established,originator
+  payload /.*userfile_name=.{1}.*\.php/
+  }
+
+signature sid-2076 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-PHP Mambo uploadimage.php access"
+  http /.*[\/\\]uploadimage\.php/
+  tcp-state established,originator
+  }
+
+signature sid-2077 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-PHP Mambo upload.php access"
+  http /.*[\/\\]upload\.php/
+  tcp-state established,originator
+  }
+
+signature sid-2078 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-PHP phpBB privmsg.php access"
+  http /.*[\/\\]privmsg\.php/
+  tcp-state established,originator
+  }
+
+signature sid-2140 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-PHP p-news.php access"
+  http /.*[\/\\]p-news\.php/
+  tcp-state established,originator
+  }
+
+signature sid-2141 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-PHP shoutbox.php directory traversal attempt"
+  http /.*[\/\\]shoutbox\.php/
+  tcp-state established,originator
+  payload /.*conf=.*.{0}.*\.\.\//
+  }
+
+signature sid-2142 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-PHP shoutbox.php access"
+  http /.*[\/\\]shoutbox\.php/
+  tcp-state established,originator
+  }
+
+signature sid-2143 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-PHP b2 cafelog gm-2-b2.php remote command execution attempt"
+  http /.*[\/\\]gm-2-b2\.php/
+  tcp-state established,originator
+  payload /.*b2inc=http/
+  }
+
+signature sid-2144 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-PHP b2 cafelog gm-2-b2.php access"
+  http /.*[\/\\]gm-2-b2\.php/
+  tcp-state established,originator
+  }
+
+signature sid-2145 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-PHP TextPortal admin.php default password (admin) attempt"
+  http /.*[\/\\]admin\.php/
+  tcp-state established,originator
+  payload /.*op=admin_enter/
+  payload /.*password=admin/
+  }
+
+signature sid-2146 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-PHP TextPortal admin.php default password (12345) attempt"
+  http /.*[\/\\]admin\.php/
+  tcp-state established,originator
+  payload /.*op=admin_enter/
+  payload /.*password=12345/
+  }
+
+signature sid-2147 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-PHP BLNews objects.inc.php4 remote command execution attempt"
+  http /.*[\/\\]objects\.inc\.php4/
+  tcp-state established,originator
+  payload /.*Server\[path\]=http/
+  }
+
+signature sid-2148 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-PHP BLNews objects.inc.php4 access"
+  http /.*[\/\\]objects\.inc\.php4/
+  tcp-state established,originator
+  }
+
+signature sid-2149 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-PHP Turba status.php access"
+  http /.*[\/\\]turba[\/\\]status\.php/
+  tcp-state established,originator
+  }
+
+signature sid-2150 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-PHP ttCMS header.php remote command execution attempt"
+  http /.*[\/\\]admin[\/\\]templates[\/\\]header\.php/
+  tcp-state established,originator
+  payload /.*admin_root=http/
+  }
+
+signature sid-2151 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-PHP ttCMS header.php access"
+  http /.*[\/\\]admin[\/\\]templates[\/\\]header\.php/
+  tcp-state established,originator
+  }
+
+signature sid-2152 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-PHP test.php access"
+  http /.*[\/\\]test\.php/
+  tcp-state established,originator
+  }
+
+signature sid-2153 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-PHP autohtml.php directory traversal attempt"
+  http /.*[\/\\]autohtml\.php/
+  tcp-state established,originator
+  payload /.*name=.*.{0}.*\.\.\/\.\.\//
+  }
+
+signature sid-2154 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-PHP autohtml.php access"
+  http /.*[\/\\]autohtml\.php/
+  tcp-state established,originator
+  }
+
+signature sid-2155 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == http_ports
+  event "WEB-PHP ttforum remote command execution attempt"
+  http /.*forum[\/\\]index\.php/
+  tcp-state established,originator
+  payload /.*template=http/
+  }
+
+signature sid-676 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == sql_servers
+  dst-port == 139
+  event "MS-SQL/SMB sp_start_job - program execution"
+  tcp-state established,originator
+  payload /.{31}[sS]\x00[pP]\x00_\x00[sS]\x00[tT]\x00[aA]\x00[rR]\x00[tT]\x00_\x00[jJ]\x00[oO]\x00[bB]\x00/
+  }
+
+signature sid-677 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == sql_servers
+  dst-port == 139
+  event "MS-SQL/SMB sp_password password change"
+  tcp-state established,originator
+  payload /.*[sS]\x00[pP]\x00_\x00[pP]\x00[aA]\x00[sS]\x00[sS]\x00[wW]\x00[oO]\x00[rR]\x00[dD]\x00/
+  }
+
+signature sid-678 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == sql_servers
+  dst-port == 139
+  event "MS-SQL/SMB sp_delete_alert log file deletion"
+  tcp-state established,originator
+  payload /.*[sS]\x00[pP]\x00_\x00[dD]\x00[eE]\x00[lL]\x00[eE]\x00[tT]\x00[eE]\x00_\x00[aA]\x00[lL]\x00[eE]\x00/
+  }
+
+signature sid-679 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == sql_servers
+  dst-port == 139
+  event "MS-SQL/SMB sp_adduser database user creation"
+  tcp-state established,originator
+  payload /.{31}[sS]\x00[pP]\x00_\x00[aA]\x00[dD]\x00[dD]\x00[uU]\x00[sS]\x00[eE]\x00[rR]\x00/
+  }
+
+signature sid-708 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == sql_servers
+  dst-port == 139
+  event "MS-SQL/SMB xp_enumresultset possible buffer overflow"
+  tcp-state established,originator
+  payload /.{31}.*[xX]\x00[pP]\x00_\x00[eE]\x00[nN]\x00[uU]\x00[mM]\x00[rR]\x00[eE]\x00[sS]\x00[uU]\x00[lL]\x00[tT]\x00[sS]\x00[eE]\x00[tT]\x00/
+  }
+
+signature sid-1386 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == sql_servers
+  dst-port == 139
+  event "MS-SQL/SMB raiserror possible buffer overflow"
+  tcp-state established,originator
+  payload /.{31}.*[rR]\x00[aA]\x00[iI]\x00[sS]\x00[eE]\x00[rR]\x00[rR]\x00[oO]\x00[rR]\x00/
+  }
+
+signature sid-702 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == sql_servers
+  dst-port == 139
+  event "MS-SQL/SMB xp_displayparamstmt possible buffer overflow"
+  tcp-state established,originator
+  payload /.{31}.*[xX]\x00[pP]\x00_\x00[dD]\x00[iI]\x00[sS]\x00[pP]\x00[lL]\x00[aA]\x00[yY]\x00[pP]\x00[aA]\x00[rR]\x00[aA]\x00[mM]\x00[sS]\x00[tT]\x00[mM]\x00[tT]\x00/
+  }
+
+signature sid-703 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == sql_servers
+  dst-port == 139
+  event "MS-SQL/SMB xp_setsqlsecurity possible buffer overflow"
+  tcp-state established,originator
+  payload /.{31}.*[xX]\x00[pP]\x00_\x00[sS]\x00[eE]\x00[tT]\x00[sS]\x00[qQ]\x00[lL]\x00[sS]\x00[eE]\x00[cC]\x00[uU]\x00[rR]\x00[iI]\x00[tT]\x00[yY]\x00/
+  }
+
+signature sid-681 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == sql_servers
+  dst-port == 139
+  event "MS-SQL/SMB xp_cmdshell program execution"
+  tcp-state established,originator
+  payload /.{31}.*[xX]\x00[pP]\x00_\x00[cC]\x00[mM]\x00[dD]\x00[sS]\x00[hH]\x00[eE]\x00[lL]\x00[lL]\x00/
+  }
+
+signature sid-689 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == sql_servers
+  dst-port == 139
+  event "MS-SQL/SMB xp_reg* registry access"
+  tcp-state established,originator
+  payload /.{31}[xX]\x00[pP]\x00_\x00[rR]\x00[eE]\x00[gG]\x00/
+  }
+
+signature sid-690 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == sql_servers
+  dst-port == 139
+  event "MS-SQL/SMB xp_printstatements possible buffer overflow"
+  tcp-state established,originator
+  payload /.{31}.*[xX]\x00[pP]\x00_\x00[pP]\x00[rR]\x00[iI]\x00[nN]\x00[tT]\x00[sS]\x00[tT]\x00[aA]\x00[tT]\x00[eE]\x00[mM]\x00[eE]\x00[nN]\x00[tT]\x00[sS]\x00/
+  }
+
+signature sid-692 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == sql_servers
+  dst-port == 139
+  event "MS-SQL/SMB shellcode attempt"
+  tcp-state established,originator
+  payload /.*\x39\x20\xd0\x00\x92\x01\xc2\x00\x52\x00\x55\x00\x39\x20\xec\x00/
+  }
+
+signature sid-694 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == sql_servers
+  dst-port == 139
+  event "MS-SQL/SMB shellcode attempt"
+  tcp-state established,originator
+  payload /.*\x48\x00\x25\x00\x78\x00\x77\x00\x90\x00\x90\x00\x90\x00\x90\x00\x90\x00\x33\x00\xc0\x00\x50\x00\x68\x00\x2e\x00/
+  }
+
+signature sid-695 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == sql_servers
+  dst-port == 139
+  event "MS-SQL/SMB xp_sprintf possible buffer overflow"
+  tcp-state established,originator
+  payload /.{31}.*[xX]\x00[pP]\x00_\x00[sS]\x00[pP]\x00[rR]\x00[iI]\x00[nN]\x00[tT]\x00[fF]\x00/
+  }
+
+signature sid-696 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == sql_servers
+  dst-port == 139
+  event "MS-SQL/SMB xp_showcolv possible buffer overflow"
+  tcp-state established,originator
+  payload /.{31}.*[xX]\x00[pP]\x00_\x00[sS]\x00[hH]\x00[oO]\x00[wW]\x00[cC]\x00[oO]\x00[lL]\x00[vV]\x00/
+  }
+
+signature sid-697 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == sql_servers
+  dst-port == 139
+  event "MS-SQL/SMB xp_peekqueue possible buffer overflow"
+  tcp-state established,originator
+  payload /.{31}.*[xX]\x00[pP]\x00_\x00[pP]\x00[eE]\x00[eE]\x00[kK]\x00[qQ]\x00[uU]\x00[eE]\x00[uU]\x00[eE]\x00/
+  }
+
+signature sid-698 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == sql_servers
+  dst-port == 139
+  event "MS-SQL/SMB xp_proxiedmetadata possible buffer overflow"
+  tcp-state established,originator
+  payload /.{31}.*[xX]\x00[pP]\x00_\x00[pP]\x00[rR]\x00[oO]\x00[xX]\x00[iI]\x00[eE]\x00[dD]\x00[mM]\x00[eE]\x00[tT]\x00[aA]\x00[dD]\x00[aA]\x00[tT]\x00[aA]\x00/
+  }
+
+signature sid-700 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == sql_servers
+  dst-port == 139
+  event "MS-SQL/SMB xp_updatecolvbm possible buffer overflow"
+  tcp-state established,originator
+  payload /.{31}.*[xX]\x00[pP]\x00_\x00[uU]\x00[pP]\x00[dD]\x00[aA]\x00[tT]\x00[eE]\x00[cC]\x00[oO]\x00[lL]\x00[vV]\x00[bB]\x00[mM]\x00/
+  }
+
+signature sid-673 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == sql_servers
+  dst-port == 1433
+  event "MS-SQL sp_start_job - program execution"
+  tcp-state established,originator
+  payload /.*[sS]\x00[pP]\x00_\x00[sS]\x00[tT]\x00[aA]\x00[rR]\x00[tT]\x00_\x00[jJ]\x00[oO]\x00[bB]\x00/
+  }
+
+signature sid-674 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == sql_servers
+  dst-port == 1433
+  event "MS-SQL xp_displayparamstmt possible buffer overflow"
+  tcp-state established,originator
+  payload /.*[xX]\x00[pP]\x00_\x00[dD]\x00[iI]\x00[sS]\x00[pP]\x00[lL]\x00[aA]\x00[yY]\x00[pP]\x00[aA]\x00[rR]\x00[aA]\x00[mM]\x00[sS]\x00[tT]\x00[mM]\x00[tT]/
+  }
+
+signature sid-675 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == sql_servers
+  dst-port == 1433
+  event "MS-SQL xp_setsqlsecurity possible buffer overflow"
+  tcp-state established,originator
+  payload /.*[xX]\x00[pP]\x00_\x00[sS]\x00[eE]\x00[tT]\x00[sS]\x00[qQ]\x00[lL]\x00[sS]\x00[eE]\x00[cC]\x00[uU]\x00[rR]\x00[iI]\x00[tT]\x00[yY]\x00/
+  }
+
+signature sid-682 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == sql_servers
+  dst-port == 1433
+  event "MS-SQL xp_enumresultset possible buffer overflow"
+  tcp-state established,originator
+  payload /.*[xX]\x00[pP]\x00_\x00[eE]\x00[nN]\x00[uU]\x00[mM]\x00[rR]\x00[eE]\x00[sS]\x00[uU]\x00[lL]\x00[tT]\x00[sS]\x00[eE]\x00[tT]\x00/
+  }
+
+signature sid-683 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == sql_servers
+  dst-port == 1433
+  event "MS-SQL sp_password - password change"
+  tcp-state established,originator
+  payload /.*[sS]\x00[pP]\x00_\x00[pP]\x00[aA]\x00[sS]\x00[sS]\x00[wW]\x00[oO]\x00[rR]\x00[dD]\x00/
+  }
+
+signature sid-684 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == sql_servers
+  dst-port == 1433
+  event "MS-SQL sp_delete_alert log file deletion"
+  tcp-state established,originator
+  payload /.*[sS]\x00[pP]\x00_\x00[dD]\x00[eE]\x00[lL]\x00[eE]\x00[tT]\x00[eE]\x00_\x00[aA]\x00[lL]\x00[eE]\x00[rR]\x00[tT]\x00/
+  }
+
+signature sid-685 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == sql_servers
+  dst-port == 1433
+  event "MS-SQL sp_adduser - database user creation"
+  tcp-state established,originator
+  payload /.*[sS]\x00[pP]\x00_\x00[aA]\x00[dD]\x00[dD]\x00[uU]\x00[sS]\x00[eE]\x00[rR]\x00/
+  }
+
+signature sid-686 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == sql_servers
+  dst-port == 1433
+  event "MS-SQL xp_reg* - registry access"
+  tcp-state established,originator
+  payload /.*[xX]\x00[pP]\x00_\x00[rR]\x00[eE]\x00[gG]\x00/
+  }
+
+signature sid-687 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == sql_servers
+  dst-port == 1433
+  event "MS-SQL xp_cmdshell - program execution"
+  tcp-state established,originator
+  payload /.*[xX]\x00[pP]\x00_\x00[cC]\x00[mM]\x00[dD]\x00[sS]\x00[hH]\x00[eE]\x00[lL]\x00[lL]\x00/
+  }
+
+signature sid-691 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == sql_servers
+  dst-port == 1433
+  event "MS-SQL shellcode attempt"
+  tcp-state established,originator
+  payload /.*\x39\x20\xd0\x00\x92\x01\xc2\x00\x52\x00\x55\x00\x39\x20\xec\x00/
+  }
+
+signature sid-693 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == sql_servers
+  dst-port == 1433
+  event "MS-SQL shellcode attempt"
+  tcp-state established,originator
+  payload /.*\x48\x00\x25\x00\x78\x00\x77\x00\x90\x00\x90\x00\x90\x00\x90\x00\x90\x00\x33\x00\xc0\x00\x50\x00\x68\x00\x2e\x00/
+  }
+
+signature sid-699 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == sql_servers
+  dst-port == 1433
+  event "MS-SQL xp_printstatements possible buffer overflow"
+  tcp-state established,originator
+  payload /.*[xX]\x00[pP]\x00_\x00[pP]\x00[rR]\x00[iI]\x00[nN]\x00[tT]\x00[sS]\x00[tT]\x00[aA]\x00[tT]\x00[eE]\x00[mM]\x00[eE]\x00[nN]\x00[tT]\x00[sS]\x00/
+  }
+
+signature sid-701 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == sql_servers
+  dst-port == 1433
+  event "MS-SQL xp_updatecolvbm possible buffer overflow"
+  tcp-state established,originator
+  payload /.*[xX]\x00[pP]\x00_\x00[uU]\x00[pP]\x00[dD]\x00[aA]\x00[tT]\x00[eE]\x00[cC]\x00[oO]\x00[lL]\x00[vV]\x00[bB]\x00[mM]\x00/
+  }
+
+signature sid-704 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == sql_servers
+  dst-port == 1433
+  event "MS-SQL xp_sprintf possible buffer overflow"
+  tcp-state established,originator
+  payload /.*[xX]\x00[pP]\x00_\x00[sS]\x00[pP]\x00[rR]\x00[iI]\x00[nN]\x00[tT]\x00[fF]\x00/
+  }
+
+signature sid-705 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == sql_servers
+  dst-port == 1433
+  event "MS-SQL xp_showcolv possible buffer overflow"
+  tcp-state established,originator
+  payload /.*[xX]\x00[pP]\x00_\x00[sS]\x00[hH]\x00[oO]\x00[wW]\x00[cC]\x00[oO]\x00[lL]\x00[vV]\x00/
+  }
+
+signature sid-706 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == sql_servers
+  dst-port == 1433
+  event "MS-SQL xp_peekqueue possible buffer overflow"
+  tcp-state established,originator
+  payload /.*[xX]\x00[pP]\x00_\x00[pP]\x00[eE]\x00[eE]\x00[kK]\x00[qQ]\x00[uU]\x00[eE]\x00[uU]\x00[eE]\x00/
+  }
+
+signature sid-707 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == sql_servers
+  dst-port == 1433
+  event "MS-SQL xp_proxiedmetadata possible buffer overflow"
+  tcp-state established,originator
+  payload /.*[xX]\x00[pP]\x00_\x00[pP]\x00[rR]\x00[oO]\x00[xX]\x00[iI]\x00[eE]\x00[dD]\x00[mM]\x00[eE]\x00[tT]\x00[aA]\x00[dD]\x00[aA]\x00[tT]\x00[aA]\x00/
+  }
+
+signature sid-1387 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == sql_servers
+  dst-port == 1433
+  event "MS-SQL raiserror possible buffer overflow"
+  tcp-state established,originator
+  payload /.*[rR]\x00[aA]\x00[iI]\x00[sS]\x00[eE]\x00[rR]\x00[rR]\x00[oO]\x00[rR]\x00/
+  }
+
+signature sid-1759 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == sql_servers
+  dst-port == 445
+  event "MS-SQL xp_cmdshell program execution (445)"
+  tcp-state established,originator
+  payload /.*[xX]\x00[pP]\x00_\x00[cC]\x00[mM]\x00[dD]\x00[sS]\x00[hH]\x00[eE]\x00[lL]\x00[lL]\x00/
+  }
+
+signature sid-688 {
+  ip-proto == tcp
+  src-ip == sql_servers
+  dst-ip != local_nets
+  src-port == 1433
+  event "MS-SQL sa login failed"
+  tcp-state established,responder
+  payload /.*Login failed for user \x27sa\x27/
+  }
+
+signature sid-680 {
+  ip-proto == tcp
+  src-ip == sql_servers
+  dst-ip != local_nets
+  src-port == 139
+  event "MS-SQL/SMB sa login failed"
+  tcp-state established,responder
+  payload /.{82}.*Login failed for user \x27sa\x27/
+  }
+
+signature sid-2003 {
+  ip-proto == udp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 1434
+  event "MS-SQL Worm propagation attempt"
+  payload /\x04/
+  payload /.*\x81\xF1\x03\x01\x04\x9B\x81\xF1\x01/
+  payload /.*sock/
+  payload /.*send/
+  }
+
+signature sid-2004 {
+  ip-proto == udp
+  src-ip == local_nets
+  dst-ip != local_nets
+  dst-port == 1434
+  event "MS-SQL Worm propagation attempt OUTBOUND"
+  payload /\x04/
+  payload /.*\x81\xF1\x03\x01\x04\x9B\x81\xF1/
+  payload /.*sock/
+  payload /.*send/
+  }
+
+signature sid-2049 {
+  ip-proto == udp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 1434
+  event "MS-SQL ping attempt"
+  payload /\x02/
+  }
+
+signature sid-2050 {
+  ip-proto == udp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 1434
+  payload-size > 100
+  event "MS-SQL version overflow attempt"
+  payload /\x04/
+  }
+
+signature sid-1225 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 6000
+  event "X11 MIT Magic Cookie detected"
+  tcp-state established
+  payload /.*MIT-MAGIC-COOKIE-1/
+  }
+
+signature sid-1226 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 6000
+  event "X11 xopen"
+  tcp-state established
+  payload /.*\x6c\x00\x0b\x00\x00\x00\x00\x00\x00\x00\x00\x00/
+  }
+
+signature sid-465 {
+  ip-proto == icmp
+  src-ip != local_nets
+  dst-ip == local_nets
+  header icmp[0:1] == 8
+  event "ICMP ISS Pinger"
+  payload /.{0,24}\x49\x53\x53\x50\x4e\x47\x52\x51/
+  }
+
+signature sid-466 {
+  ip-proto == icmp
+  src-ip != local_nets
+  dst-ip == local_nets
+  header icmp[1:1] == 0
+  header icmp[0:1] == 8
+  event "ICMP L3retriever Ping"
+  payload /ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI/
+  }
+
+signature sid-467 {
+  ip-proto == icmp
+  src-ip != local_nets
+  dst-ip == local_nets
+  payload-size == 20
+  header icmp[0:1] == 8
+  header icmp[0:1] == 0,8
+  header icmp[6:2] == 0
+  event "ICMP Nemesis v1.1 Echo"
+  header icmp[0:1] == 0,8
+  header icmp[4:2] == 0
+  payload /\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00/
+  }
+
+signature sid-469 {
+  ip-proto == icmp
+  src-ip != local_nets
+  dst-ip == local_nets
+  payload-size == 0
+  header icmp[0:1] == 8
+  event "ICMP PING NMAP"
+  }
+
+signature sid-471 {
+  ip-proto == icmp
+  src-ip != local_nets
+  dst-ip == local_nets
+  payload-size == 0
+  header icmp[0:1] == 8
+  header icmp[0:1] == 0,8
+  header icmp[6:2] == 0
+  event "ICMP icmpenum v1.1.1"
+  header ip[4:2] == 666
+  header icmp[0:1] == 0,8
+  header icmp[4:2] == 666
+  }
+
+signature sid-472 {
+  ip-proto == icmp
+  src-ip != local_nets
+  dst-ip == local_nets
+  header icmp[1:1] == 1
+  header icmp[0:1] == 5
+  event "ICMP redirect host"
+  }
+
+signature sid-473 {
+  ip-proto == icmp
+  src-ip != local_nets
+  dst-ip == local_nets
+  header icmp[1:1] == 0
+  header icmp[0:1] == 5
+  event "ICMP redirect net"
+  }
+
+signature sid-474 {
+  ip-proto == icmp
+  src-ip != local_nets
+  dst-ip == local_nets
+  payload-size == 8
+  header icmp[0:1] == 8
+  event "ICMP superscan echo"
+  payload /\x00\x00\x00\x00\x00\x00\x00\x00/
+  }
+
+signature sid-475 {
+  ip-proto == icmp
+  src-ip != local_nets
+  dst-ip == local_nets
+  header icmp[0:1] == 0
+  event "ICMP traceroute ipopts"
+  ip-options rr
+  }
+
+signature sid-476 {
+  ip-proto == icmp
+  src-ip != local_nets
+  dst-ip == local_nets
+  header icmp[1:1] == 0
+  header icmp[0:1] == 8
+  event "ICMP webtrends scanner"
+  payload /.*\x00\x00\x00\x00\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45\x45/
+  }
+
+signature sid-477 {
+  ip-proto == icmp
+  src-ip != local_nets
+  dst-ip == local_nets
+  header icmp[1:1] == 0
+  header icmp[0:1] == 4
+  event "ICMP Source Quench"
+  }
+
+signature sid-478 {
+  ip-proto == icmp
+  src-ip != local_nets
+  dst-ip == local_nets
+  payload-size == 4
+  header icmp[0:1] == 8
+  header icmp[0:1] == 0,8
+  header icmp[6:2] == 0
+  event "ICMP Broadscan Smurf Scanner"
+  header icmp[0:1] == 0,8
+  header icmp[4:2] == 0
+  }
+
+signature sid-480 {
+  ip-proto == icmp
+  src-ip != local_nets
+  dst-ip == local_nets
+  header icmp[0:1] == 8
+  event "ICMP PING speedera"
+  payload /.{0,92}\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f/
+  }
+
+signature sid-481 {
+  ip-proto == icmp
+  src-ip != local_nets
+  dst-ip == local_nets
+  header icmp[0:1] == 8
+  event "ICMP TJPingPro1.1Build 2 Windows"
+  payload /.{0,16}\x54\x4a\x50\x69\x6e\x67\x50\x72\x6f\x20\x62\x79\x20\x4a\x69\x6d/
+  }
+
+signature sid-482 {
+  ip-proto == icmp
+  src-ip != local_nets
+  dst-ip == local_nets
+  header icmp[0:1] == 8
+  event "ICMP PING WhatsupGold Windows"
+  payload /.{0,16}\x57\x68\x61\x74\x73\x55\x70\x20\x2d\x20\x41\x20\x4e\x65\x74\x77/
+  }
+
+signature sid-483 {
+  ip-proto == icmp
+  src-ip != local_nets
+  dst-ip == local_nets
+  header icmp[0:1] == 8
+  event "ICMP PING CyberKit 2.2 Windows"
+  payload /.{0,16}\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa/
+  }
+
+signature sid-484 {
+  ip-proto == icmp
+  src-ip != local_nets
+  dst-ip == local_nets
+  header icmp[0:1] == 8
+  event "ICMP PING Sniffer Pro/NetXRay network scan"
+  payload /.{0,13}\x43\x69\x6e\x63\x6f\x20\x4e\x65\x74\x77\x6f\x72\x6b\x2c\x20\x49\x6e\x63\x2e/
+  }
+
+signature sid-485 {
+  ip-proto == icmp
+  header icmp[1:1] == 13
+  header icmp[0:1] == 3
+  event "ICMP Destination Unreachable (Communication Administratively Prohibited)"
+  }
+
+signature sid-486 {
+  ip-proto == icmp
+  header icmp[1:1] == 10
+  header icmp[0:1] == 3
+  event "ICMP Destination Unreachable (Communication with Destination Host is Administratively Prohibited)"
+  }
+
+signature sid-487 {
+  ip-proto == icmp
+  header icmp[1:1] == 9
+  header icmp[0:1] == 3
+  event "ICMP Destination Unreachable (Communication with Destination Network is Administratively Prohibited)"
+  }
+
+signature sid-1813 {
+  ip-proto == icmp
+  src-ip != local_nets
+  dst-ip == local_nets
+  event "ICMP digital island bandwidth query"
+  payload /mailto:ops@digisle\.com/
+  }
+
+signature sid-499 {
+  ip-proto == icmp
+  src-ip != local_nets
+  dst-ip == local_nets
+  payload-size > 800
+  event "ICMP Large ICMP Packet"
+  }
+
+signature sid-1293 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 139
+  event "NETBIOS nimda .eml"
+  tcp-state established,originator
+  payload /.*\x00\.\x00E\x00M\x00L/
+  }
+
+signature sid-1294 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 139
+  event "NETBIOS nimda .nws"
+  tcp-state established,originator
+  payload /.*\x00\.\x00N\x00W\x00S/
+  }
+
+signature sid-1295 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 139
+  event "NETBIOS nimda RICHED20.DLL"
+  tcp-state established,originator
+  payload /.*R\x00I\x00C\x00H\x00E\x00D\x002\x000/
+  }
+
+signature sid-529 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 139
+  event "NETBIOS DOS RFPoison"
+  tcp-state established,originator
+  payload /.*\x5C\x00\x5C\x00\x2A\x00\x53\x00\x4D\x00\x42\x00\x53\x00\x45\x00\x52\x00\x56\x00\x45\x00\x52\x00\x00\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\xFF\xFF\xFF\xFF\x00\x00\x00\x00/
+  }
+
+signature sid-530 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 139
+  event "NETBIOS NT NULL session"
+  tcp-state established,originator
+  payload /.*\x00\x00\x00\x00\x57\x00\x69\x00\x6E\x00\x64\x00\x6F\x00\x77\x00\x73\x00\x20\x00\x4E\x00\x54\x00\x20\x00\x31\x00\x33\x00\x38\x00\x31/
+  }
+
+signature sid-1239 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 139
+  event "NETBIOS RFParalyze Attempt"
+  tcp-state established,originator
+  payload /.*BEAVIS/
+  payload /.*yep yep/
+  }
+
+signature sid-532 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 139
+  event "NETBIOS SMB ADMIN$access"
+  tcp-state established,originator
+  payload /.*\\ADMIN\$\x00\x41\x3a\x00/
+  }
+
+signature sid-533 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 139
+  event "NETBIOS SMB C$ access"
+  tcp-state established,originator
+  payload /.*\x5cC\$\x00\x41\x3a\x00/
+  }
+
+signature sid-534 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 139
+  event "NETBIOS SMB CD.."
+  tcp-state established,originator
+  payload /.*\\\.\.\x2f\x00\x00\x00/
+  }
+
+signature sid-535 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 139
+  event "NETBIOS SMB CD..."
+  tcp-state established,originator
+  payload /.*\\\.\.\.\x00\x00\x00/
+  }
+
+signature sid-536 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 139
+  event "NETBIOS SMB D$access"
+  tcp-state established,originator
+  payload /.*\\D\$\x00\x41\x3a\x00/
+  }
+
+signature sid-537 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 139
+  event "NETBIOS SMB IPC$ share access"
+  tcp-state established,originator
+  payload /\x00/
+  payload /.{3}\xFFSMB\x75/
+  payload /.*\\[iI][pP][cC]\$\x00/
+  }
+
+signature sid-538 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 139
+  event "NETBIOS SMB IPC$ share access (unicode)"
+  tcp-state established,originator
+  payload /\x00/
+  payload /.{3}\xFFSMB\x75/
+  payload /.*\x5c\x00[iI]\x00[pP]\x00[cC]\x00\$\x00/
+  }
+
+signature sid-2101 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 139
+  event "NETBIOS SMB SMB_COM_TRANSACTION Max Parameter and Max Count of 0 DOS Attempt"
+  tcp-state established,originator
+  payload /\x00/
+  payload /.{3}\xFFSMB\x25/
+  payload /.{42}\x00\x00\x00\x00/
+  }
+
+signature sid-2103 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 139
+  # Not supported: byte_test: 2,>,1024,0,relative,little
+  event "NETBIOS SMB trans2open buffer overflow attempt"
+  tcp-state established,originator
+  payload /\x00/
+  payload /.{3}\xffSMB\x32/
+  payload /.{59}\x00\x14/
+  }
+
+signature sid-2174 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 139
+  event "NETBIOS SMB winreg access"
+  tcp-state established,originator
+  payload /\x00/
+  payload /.{3}\xFFSMB\xa2/
+  payload /.{84}.*\\[wW][iI][nN][rR][eE][gG]\x00/
+  }
+
+signature sid-2175 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 139
+  event "NETBIOS SMB winreg access (unicode)"
+  tcp-state established,originator
+  payload /\x00/
+  payload /.{3}\xFFSMB\xa2/
+  payload /.{84}.*\\\x00[wW]\x00[iI]\x00[nN]\x00[rR]\x00[eE]\x00[gG]\x00/
+  }
+
+signature sid-2176 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 139
+  event "NETBIOS SMB Startup Folder access attempt"
+  tcp-state established,originator
+  payload /\x00/
+  payload /.{3}\xFFSMB\x32/
+  payload /.*Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\x00/
+  }
+
+signature sid-2177 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 139
+  event "NETBIOS SMB Startup Folder access attempt (unicode)"
+  tcp-state established,originator
+  payload /\x00/
+  payload /.{3}\xFFSMB\x32/
+  payload /.*\\\x00S\x00t\x00a\x00r\x00t\x00 \x00M\x00e\x00n\x00u\x00\\\x00P\x00r\x00o\x00g\x00r\x00a\x00m\x00s\x00\\\x00S\x00t\x00a\x00r\x00t\x00u\x00p/
+  }
+
+signature sid-2190 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 135
+  # Not supported: byte_test: 1,&,1,0,relative
+  event "NETBIOS DCERPC invalid bind attempt"
+  tcp-state established,originator
+  payload /.{0}\x05.{1}\x0b.{21}\x00/
+  }
+
+signature sid-2191 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 445
+  # Not supported: byte_test: 1,&,1,0,relative
+  event "NETBIOS SMB DCERPC invalid bind attempt"
+  tcp-state established,originator
+  payload /.{3}\xFF[sS][mM][bB]\x25.{56}\x26\x00.{5}\x5c\x00[pP]\x00[iI]\x00[pP]\x00[eE]\x00\x5c\x00.{2}\x05.{1}\x0b.{21}\x00/
+  }
+
+signature sid-2192 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 135
+  # Not supported: byte_test: 1,&,1,0,relative
+  event "NETBIOS DCERPC ISystemActivator bind attempt"
+  tcp-state established,originator
+  payload /.{0}\x05.{1}\x0b.{29}\xA0\x01\x00\x00\x00\x00\x00\x00\xC0\x00\x00\x00\x00\x00\x00\x46/
+  }
+
+signature sid-2193 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 445
+  # Not supported: byte_test: 1,&,1,0,relative
+  event "NETBIOS SMB DCERPC ISystemActivator bind attempt"
+  tcp-state established,originator
+  payload /.{3}\xFF[sS][mM][bB]\x25.{56}\x26\x00.{5}\x5c\x00[pP]\x00[iI]\x00[pP]\x00[eE]\x00\x5c\x00.{0}\x05.{1}\x0b.{29}\xA0\x01\x00\x00\x00\x00\x00\x00\xC0\x00\x00\x00\x00\x00\x00\x46/
+  }
+
+signature sid-2251 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 135
+  # Not supported: byte_test: 1,&,1,0,relative
+  event "NETBIOS DCERPC Remote Activation bind attempt"
+  payload /.{0}\x05.{1}\x0b.{29}\xB8\x4A\x9F\x4D\x1C\x7D\xCF\x11\x86\x1E\x00\x20\xAF\x6E\x7C\x57/
+  }
+
+signature sid-2252 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 445
+  # Not supported: byte_test: 1,&,1,0,relative
+  event "NETBIOS SMB DCERPC Remote Activation bind attempt"
+  tcp-state established,originator
+  payload /.{3}\xFF[sS][mM][bB]\x25.{56}\x26\x00.{5}\x5c\x00[pP]\x00[iI]\x00[pP]\x00[eE]\x00\x5c\x00.{0}\x05.{1}\x0b.{29}\xB8\x4A\x9F\x4D\x1C\x7D\xCF\x11\x86\x1E\x00\x20\xAF\x6E\x7C\x57/
+  }
+
+signature sid-500 {
+  src-ip != local_nets
+  dst-ip == local_nets
+  event "MISC source route lssr"
+  ip-options lsrr
+  }
+
+signature sid-501 {
+  src-ip != local_nets
+  dst-ip == local_nets
+  event "MISC source route lssre"
+  ip-options lsrre
+  }
+
+signature sid-502 {
+  src-ip != local_nets
+  dst-ip == local_nets
+  event "MISC source route ssrr"
+  ip-options ssrr 
+  }
+
+signature sid-503 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  src-port == 20
+  dst-port >= 0
+  dst-port <= 1023
+  header tcp[13:1] & 255 == 2
+  event "MISC Source Port 20 to <1024"
+  }
+
+signature sid-504 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  src-port == 53
+  dst-port >= 0
+  dst-port <= 1023
+  header tcp[13:1] & 255 == 2
+  event "MISC source port 53 to <1024"
+  }
+
+signature sid-505 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 1417
+  event "MISC Insecure TIMBUKTU Password"
+  tcp-state established,originator
+  payload /.{0,13}\x05\x00\x3E/
+  }
+
+signature sid-507 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 5631
+  event "MISC PCAnywhere Attempted Administrator Login"
+  tcp-state established,originator
+  payload /.*ADMINISTRATOR/
+  }
+
+signature sid-508 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 70
+  event "MISC gopher proxy"
+  tcp-state established,originator
+  payload /.*[fF][tT][pP]\x3a/
+  payload /.*@\//
+  }
+
+signature sid-512 {
+  ip-proto == tcp
+  src-ip == local_nets
+  dst-ip != local_nets
+  src-port >= 5631
+  src-port <= 5632
+  event "MISC PCAnywhere Failed Login"
+  tcp-state established,responder
+  payload /.{0,3}Invalid login/
+  }
+
+signature sid-513 {
+  ip-proto == tcp
+  src-ip == local_nets
+  dst-ip != local_nets
+  src-port == 7161
+  header tcp[13:1] & 255 == 18
+  event "MISC Cisco Catalyst Remote Access"
+  }
+
+signature sid-514 {
+  ip-proto == tcp
+  src-ip == local_nets
+  dst-ip != local_nets
+  dst-port == 27374
+  event "MISC ramen worm"
+  tcp-state established,originator
+  payload /.{0,4}[gG][eE][tT] /
+  }
+
+signature sid-516 {
+  ip-proto == udp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 161
+  event "MISC SNMP NT UserList"
+  payload /.*\x2b\x06\x10\x40\x14\xd1\x02\x19/
+  }
+
+signature sid-517 {
+  ip-proto == udp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 177
+  event "MISC xdmcp query"
+  payload /.*\x00\x01\x00\x03\x00\x01\x00/
+  }
+
+signature sid-1867 {
+  ip-proto == udp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 177
+  event "MISC xdmcp info query"
+  payload /.*\x00\x01\x00\x02\x00\x01\x00/
+  }
+
+signature sid-522 {
+  src-ip != local_nets
+  dst-ip == local_nets
+  header ip[6:1] & 224 == 32
+  payload-size < 25
+  event "MISC Tiny Fragments"
+  }
+
+signature sid-1384 {
+  ip-proto == udp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 1900
+  event "MISC UPnP malformed advertisement"
+  payload /.*[nN][oO][tT][iI][fF][yY] \* /
+  }
+
+signature sid-1388 {
+  ip-proto == udp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 1900
+  event "MISC UPnP Location overflow"
+  payload /.*\x0d[lL][oO][cC][aA][tT][iI][oO][nN]\x3a[^\x0a]{128}/
+  }
+
+signature sid-1393 {
+  ip-proto == tcp
+  src-ip == aim_servers
+  dst-ip == local_nets
+  event "MISC AIM AddGame attempt"
+  tcp-state established,responder
+  payload /.*[aA][iI][mM]:[aA][dD][dD][gG][aA][mM][eE]\?/
+  }
+
+signature sid-1752 {
+  ip-proto == tcp
+  src-ip == aim_servers
+  dst-ip == local_nets
+  event "MISC AIM AddExternalApp attempt"
+  tcp-state established,responder
+  payload /.*[aA][iI][mM]:[aA][dD][dD][eE][xX][tT][eE][rR][nN][aA][lL][aA][pP][pP]\?/
+  }
+
+signature sid-1504 {
+  ip-proto == udp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 7001
+  event "MISC AFS access"
+  payload /.*\x00\x00\x03\xe7\x00\x00\x00\x00\x00\x00\x00\x65\x00\x00\x00\x00\x00\x00\x00\x00\x0d\x05\x00\x00\x00\x00\x00\x00\x00/
+  }
+
+signature sid-1636 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 32000
+  payload-size > 500
+  event "MISC Xtramail Username overflow attempt"
+  tcp-state established,originator
+  payload /.*[uU][sS][eE][rR][nN][aA][mM][eE]: /
+  }
+
+signature sid-1887 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == http_servers
+  dst-port == 443
+  event "MISC OpenSSL Worm traffic"
+  tcp-state established,originator
+  payload /.*[tT][eE][rR][mM]=[xX][tT][eE][rR][mM]/
+  }
+
+signature sid-1889 {
+  ip-proto == udp
+  src-ip != local_nets
+  dst-ip == http_servers
+  src-port == 2002
+  dst-port == 2002
+  event "MISC slapper worm admin traffic"
+  payload /\x00\x00\x45\x00\x00\x45\x00\x00\x40\x00/
+  }
+
+signature sid-1447 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 3389
+  event "MISC MS Terminal server request (RDP)"
+  tcp-state established,originator
+  payload /\x03\x00\x00\x0b\x06\xE0\x00\x00\x00\x00\x00/
+  }
+
+signature sid-1448 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 3389
+  event "MISC MS Terminal server request"
+  tcp-state established,originator
+  payload /\x03\x00\x00/
+  payload /.{4}\xe0\x00\x00\x00\x00\x00/
+  }
+
+signature sid-1819 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 2533
+  event "MISC Alcatel PABX 4400 connection attempt"
+  tcp-state established,originator
+  payload /\x00\x01\x43/
+  }
+
+signature sid-1939 {
+  ip-proto == udp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 67
+  # Not supported: byte_test: 1,>,6,2
+  event "MISC bootp hardware address length overflow"
+  payload /\x01/
+  }
+
+signature sid-1940 {
+  ip-proto == udp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 67
+  # Not supported: byte_test: 1,>,7,1
+  event "MISC bootp invalid hardware type"
+  payload /\x01/
+  }
+
+signature sid-2039 {
+  ip-proto == udp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 67
+  event "MISC bootp hostname format string attempt"
+  payload /\x01.{240}.*\x0C.*.{0}.*%.{1}.{0,7}%.{1}.{0,7}%/
+  }
+
+signature sid-1966 {
+  ip-proto == udp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 27155
+  event "MISC GlobalSunTech Access Point Information Disclosure attempt"
+  payload /.*gstsearch/
+  }
+
+signature sid-1987 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 7100
+  payload-size > 512
+  event "MISC xfs overflow attempt"
+  tcp-state established,originator
+  payload /\x42\x00\x02/
+  }
+
+signature sid-2041 {
+  ip-proto == udp
+  src-ip == local_nets
+  dst-ip != local_nets
+  src-port == 49
+  event "MISC xtacacs failed login response"
+  payload /\x80\x02.{4}.*\x02/
+  }
+
+signature sid-2043 {
+  ip-proto == udp
+  src-ip == local_nets
+  dst-ip != local_nets
+  src-port == 500
+  dst-port == 500
+  event "MISC isakmp login failed"
+  payload /.{16}\x10\x05.{13}\x00\x00\x00\x01\x01\x00\x00\x18/
+  }
+
+signature sid-2047 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 873
+  event "MISC rsyncd module list access"
+  tcp-state established,originator
+  payload /\x23list/
+  }
+
+signature sid-2048 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 873
+  # Not supported: byte_test: 2,>,4000,0
+  event "MISC rsyncd overflow attempt"
+  tcp-state originator
+  payload /.{1}\x00\x00/
+  }
+
+signature sid-2008 {
+  ip-proto == tcp
+  src-ip == local_nets
+  dst-ip != local_nets
+  src-port == 2401
+  event "MISC CVS invalid user authentication response"
+  tcp-state established,responder
+  payload /.*E Fatal error, aborting\./
+  payload /.*\x3a no such user/
+  }
+
+signature sid-2009 {
+  ip-proto == tcp
+  src-ip == local_nets
+  dst-ip != local_nets
+  src-port == 2401
+  event "MISC CVS invalid repository response"
+  tcp-state established,responder
+  payload /.*error /
+  payload /.*: no such repository/
+  payload /.*I HATE YOU/
+  }
+
+signature sid-2010 {
+  ip-proto == tcp
+  src-ip == local_nets
+  dst-ip != local_nets
+  src-port == 2401
+  event "MISC CVS double free exploit attempt response"
+  tcp-state established,responder
+  payload /.*free\(\): warning: chunk is already free/
+  }
+
+signature sid-2011 {
+  ip-proto == tcp
+  src-ip == local_nets
+  dst-ip != local_nets
+  src-port == 2401
+  event "MISC CVS invalid directory response"
+  tcp-state established,responder
+  payload /.*E protocol error: invalid directory syntax in/
+  }
+
+signature sid-2012 {
+  ip-proto == tcp
+  src-ip == local_nets
+  dst-ip != local_nets
+  src-port == 2401
+  event "MISC CVS missing cvsroot response"
+  tcp-state established,responder
+  payload /.*E protocol error: Root request missing/
+  }
+
+signature sid-2013 {
+  ip-proto == tcp
+  src-ip == local_nets
+  dst-ip != local_nets
+  src-port == 2401
+  event "MISC CVS invalid module response"
+  tcp-state established,responder
+  payload /.*cvs server: cannot find module.{1}.*error/
+  }
+
+signature sid-2126 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 1723
+  payload-size > 156
+  event "MISC Microsoft PPTP Start Control Request buffer overflow attempt"
+  tcp-state established,originator
+  payload /.{1}\x00\x01/
+  payload /.{7}\x00\x01/
+  }
+
+signature sid-2158-a {
+  ip-proto == tcp
+  src-port == 179
+  # Not supported: byte_test: 2,<,19,0,relative
+  event "MISC BGP invalid length"
+  payload /.*\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff/
+  }
+
+signature sid-2158-b {
+  ip-proto == tcp
+  dst-port == 179
+  # Not supported: byte_test: 2,<,19,0,relative
+  event "MISC BGP invalid length"
+  payload /.*\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff/
+  }
+
+signature sid-2159-a {
+  ip-proto == tcp
+  src-ip == local_nets
+  dst-ip != local_nets
+  src-port == 179
+  event "MISC BGP invalid type (0)"
+  tcp-state established
+  payload /\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff.{2}\x00/
+  }
+
+signature sid-2159-b {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 179
+  event "MISC BGP invalid type (0)"
+  tcp-state established
+  payload /\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff.{2}\x00/
+  }
+
+signature sid-1292 {
+  ip-proto == tcp
+  src-ip == local_nets
+  dst-ip != local_nets
+  event "ATTACK-RESPONSES directory listing"
+  tcp-state established,responder
+  payload /.*Volume Serial Number/
+  }
+
+signature sid-494 {
+  ip-proto == tcp
+  src-ip == http_servers
+  dst-ip != local_nets
+  src-port == http_ports
+  event "ATTACK-RESPONSES command completed"
+  tcp-state established,responder
+  payload /.*[cC][oO][mM][mM][aA][nN][dD] [cC][oO][mM][pP][lL][eE][tT][eE][dD]/
+  }
+
+signature sid-495 {
+  ip-proto == tcp
+  src-ip == http_servers
+  dst-ip != local_nets
+  src-port == http_ports
+  event "ATTACK-RESPONSES command error"
+  tcp-state established,responder
+  payload /.*[bB][aA][dD] [cC][oO][mM][mM][aA][nN][dD] [oO][rR] [fF][iI][lL][eE][nN][aA][mM][eE]/
+  }
+
+signature sid-497 {
+  ip-proto == tcp
+  src-ip == http_servers
+  dst-ip != local_nets
+  src-port == http_ports
+  event "ATTACK-RESPONSES file copied ok"
+  tcp-state established,responder
+  payload /.*1 [fF][iI][lL][eE]\([sS]\) [cC][oO][pP][iI][eE][dD]/
+  }
+
+signature sid-1200 {
+  ip-proto == tcp
+  src-ip == http_servers
+  dst-ip != local_nets
+  src-port == http_ports
+  event "ATTACK-RESPONSES Invalid URL"
+  tcp-state established,responder
+  payload /.*[iI][nN][vV][aA][lL][iI][dD] [uU][rR][lL]/
+  }
+
+signature sid-1666 {
+  ip-proto == tcp
+  src-ip == http_servers
+  dst-ip != local_nets
+  src-port == http_ports
+  event "ATTACK-RESPONSES index of /cgi-bin/ response"
+  tcp-state established,responder
+  payload /.*[iI][nN][dD][eE][xX] [oO][fF] \/[cC][gG][iI]-[bB][iI][nN]\//
+  }
+
+signature sid-1201 {
+  ip-proto == tcp
+  src-ip == http_servers
+  dst-ip != local_nets
+  src-port == http_ports
+  event "ATTACK-RESPONSES 403 Forbidden"
+  tcp-state established,responder
+  payload /HTTP\/1\.1 403/
+  }
+
+signature sid-498 {
+  event "ATTACK-RESPONSES id check returned root"
+  payload /.*uid=0\(root\)/
+  }
+
+signature sid-1882 {
+  src-ip == local_nets
+  dst-ip != local_nets
+  # Not supported: byte_test: 5,<,65537,0,relative,string,5,<,65537,0,relative,string
+  event "ATTACK-RESPONSES id check returned userid"
+  payload /.*uid=.{0}.{0,10} gid=/
+  }
+
+signature sid-1464 {
+  ip-proto == tcp
+  src-ip == local_nets
+  dst-ip != local_nets
+  src-port == 8002
+  event "ATTACK-RESPONSES oracle one hour install"
+  tcp-state established,responder
+  payload /.*Oracle Applications One-Hour Install/
+  }
+
+signature sid-1900 {
+  ip-proto == tcp
+  src-ip == local_nets
+  dst-ip != local_nets
+  src-port == 749
+  event "ATTACK-RESPONSES successful kadmind buffer overflow attempt"
+  tcp-state established,responder
+  payload /\*GOBBLE\*/
+  }
+
+signature sid-1901 {
+  ip-proto == tcp
+  src-ip == local_nets
+  dst-ip != local_nets
+  src-port == 751
+  event "ATTACK-RESPONSES successful kadmind buffer overflow attempt"
+  tcp-state established,responder
+  payload /\*GOBBLE\*/
+  }
+
+signature sid-1810 {
+  ip-proto == tcp
+  src-ip == local_nets
+  dst-ip != local_nets
+  src-port == 22
+  event "ATTACK-RESPONSES successful gobbles ssh exploit (GOBBLE)"
+  tcp-state established,responder
+  payload /.*\x2aGOBBLE\x2a/
+  }
+
+signature sid-1811 {
+  ip-proto == tcp
+  src-ip == local_nets
+  dst-ip != local_nets
+  src-port == 22
+  event "ATTACK-RESPONSES successful gobbles ssh exploit (uname)"
+  tcp-state established,responder
+  payload /.*uname/
+  }
+
+signature sid-2104 {
+  ip-proto == tcp
+  src-ip == local_nets
+  dst-ip != local_nets
+  src-port == 512
+  event "ATTACK-RESPONSES rexec username too long response"
+  tcp-state established,responder
+  payload /username too long/
+  }
+
+signature sid-2123 {
+  ip-proto == tcp
+  src-ip == local_nets
+  dst-ip != local_nets
+  src-port < 21
+  src-port > 23
+  event "ATTACK-RESPONSES Microsoft cmd.exe banner"
+  tcp-state established,responder
+  payload /.*Microsoft Windows.*.{0}.*\(C\) Copyright 1985-.*.{0}.*Microsoft Corp\./
+  }
+
+signature sid-1673 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == sql_servers
+  dst-port == oracle_ports
+  event "ORACLE EXECUTE_SYSTEM attempt"
+  tcp-state established,originator
+  payload /.*[eE][xX][eE][cC][uU][tT][eE]_[sS][yY][sS][tT][eE][mM]/
+  }
+
+signature sid-1674 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == sql_servers
+  dst-port == oracle_ports
+  event "ORACLE connect_data(command=version) attempt"
+  tcp-state established,originator
+  payload /.*[cC][oO][nN][nN][eE][cC][tT]_[dD][aA][tT][aA]\([cC][oO][mM][mM][aA][nN][dD]=[vV][eE][rR][sS][iI][oO][nN]\)/
+  }
+
+signature sid-1675 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == sql_servers
+  dst-port == oracle_ports
+  event "ORACLE misparsed login response"
+  tcp-state established,responder
+  payload /.*[dD][eE][sS][cC][rR][iI][pP][tT][iI][oO][nN]=\(/
+  payload /.*<willnevermatch>/
+  payload /.*<willnevermatch>/
+  }
+
+signature sid-1676 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == sql_servers
+  dst-port == oracle_ports
+  event "ORACLE select union attempt"
+  tcp-state established,originator
+  payload /.*[sS][eE][lL][eE][cC][tT] /
+  payload /.* [uU][nN][iI][oO][nN] /
+  }
+
+signature sid-1677 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == sql_servers
+  dst-port == oracle_ports
+  event "ORACLE select like '%' attempt"
+  tcp-state established,originator
+  payload /.* [wW][hH][eE][rR][eE] /
+  payload /.* [lL][iI][kK][eE] '%'/
+  }
+
+signature sid-1678 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == sql_servers
+  dst-port == oracle_ports
+  event "ORACLE select like \"%\" attempt"
+  tcp-state established,originator
+  payload /.* [wW][hH][eE][rR][eE] /
+  payload /.* [lL][iI][kK][eE] \"%\"/
+  }
+
+signature sid-1679 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == sql_servers
+  dst-port == oracle_ports
+  event "ORACLE describe attempt"
+  tcp-state established,originator
+  payload /.*[dD][eE][sS][cC][rR][iI][bB][eE] /
+  }
+
+signature sid-1680 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == sql_servers
+  dst-port == oracle_ports
+  event "ORACLE all_constraints access"
+  tcp-state established,originator
+  payload /.*[aA][lL][lL]_[cC][oO][nN][sS][tT][rR][aA][iI][nN][tT][sS]/
+  }
+
+signature sid-1681 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == sql_servers
+  dst-port == oracle_ports
+  event "ORACLE all_views access"
+  tcp-state established,originator
+  payload /.*[aA][lL][lL]_[vV][iI][eE][wW][sS]/
+  }
+
+signature sid-1682 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == sql_servers
+  dst-port == oracle_ports
+  event "ORACLE all_source access"
+  tcp-state established,originator
+  payload /.*[aA][lL][lL]_[sS][oO][uU][rR][cC][eE]/
+  }
+
+signature sid-1683 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == sql_servers
+  dst-port == oracle_ports
+  event "ORACLE all_tables access"
+  tcp-state established,originator
+  payload /.*[aA][lL][lL]_[tT][aA][bB][lL][eE][sS]/
+  }
+
+signature sid-1684 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == sql_servers
+  dst-port == oracle_ports
+  event "ORACLE all_tab_columns access"
+  tcp-state established,originator
+  payload /.*[aA][lL][lL]_[tT][aA][bB]_[cC][oO][lL][uU][mM][nN][sS]/
+  }
+
+signature sid-1685 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == sql_servers
+  dst-port == oracle_ports
+  event "ORACLE all_tab_privs access"
+  tcp-state established,originator
+  payload /.*[aA][lL][lL]_[tT][aA][bB]_[cC][oO][lL][uU][mM][nN][sS]/
+  }
+
+signature sid-1686 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == sql_servers
+  dst-port == oracle_ports
+  event "ORACLE dba_tablespace access"
+  tcp-state established,originator
+  payload /.*[dD][bB][aA]_[tT][aA][bB][lL][eE][sS][pP][aA][cC][eE]/
+  }
+
+signature sid-1687 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == sql_servers
+  dst-port == oracle_ports
+  event "ORACLE dba_tables access"
+  tcp-state established,originator
+  payload /.*[dD][bB][aA]_[tT][aA][bB][lL][eE][sS]/
+  }
+
+signature sid-1688 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == sql_servers
+  dst-port == oracle_ports
+  event "ORACLE user_tablespace access"
+  tcp-state established,originator
+  payload /.*[uU][sS][eE][rR]_[tT][aA][bB][lL][eE][sS][pP][aA][cC][eE]/
+  }
+
+signature sid-1689 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == sql_servers
+  dst-port == oracle_ports
+  event "ORACLE sys.all_users access"
+  tcp-state established,originator
+  payload /.*[sS][yY][sS]\.[aA][lL][lL]_[uU][sS][eE][rR][sS]/
+  }
+
+signature sid-1690 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == sql_servers
+  dst-port == oracle_ports
+  event "ORACLE grant attempt"
+  tcp-state established,originator
+  payload /.*[gG][rR][aA][nN][tT] /
+  payload /.* [tT][oO] /
+  }
+
+signature sid-1691 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == sql_servers
+  dst-port == oracle_ports
+  event "ORACLE ALTER USER attempt"
+  tcp-state established,originator
+  payload /.*[aA][lL][tT][eE][rR] [uU][sS][eE][rR]/
+  payload /.* [iI][dD][eE][nN][tT][iI][fF][iI][eE][dD] [bB][yY] /
+  }
+
+signature sid-1692 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == sql_servers
+  dst-port == oracle_ports
+  event "ORACLE drop table attempt"
+  tcp-state established,originator
+  payload /.*[dD][rR][oO][pP] [tT][aA][bB][lL][eE]/
+  }
+
+signature sid-1693 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == sql_servers
+  dst-port == oracle_ports
+  event "ORACLE create table attempt"
+  tcp-state established,originator
+  payload /.*[cC][rR][eE][aA][tT][eE] [tT][aA][bB][lL][eE]/
+  }
+
+signature sid-1694 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == sql_servers
+  dst-port == oracle_ports
+  event "ORACLE alter table attempt"
+  tcp-state established,originator
+  payload /.*[aA][lL][tT][eE][rR] [tT][aA][bB][lL][eE]/
+  }
+
+signature sid-1695 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == sql_servers
+  dst-port == oracle_ports
+  event "ORACLE truncate table attempt"
+  tcp-state established,originator
+  payload /.*[tT][rR][uU][nN][cC][aA][tT][eE] [tT][aA][bB][lL][eE]/
+  }
+
+signature sid-1696 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == sql_servers
+  dst-port == oracle_ports
+  event "ORACLE create database attempt"
+  tcp-state established,originator
+  payload /.*[cC][rR][eE][aA][tT][eE] [dD][aA][tT][aA][bB][aA][sS][eE]/
+  }
+
+signature sid-1697 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == sql_servers
+  dst-port == oracle_ports
+  event "ORACLE alter database attempt"
+  tcp-state established,originator
+  payload /.*[aA][lL][tT][eE][rR] [dD][aA][tT][aA][bB][aA][sS][eE]/
+  }
+
+signature sid-1775 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == sql_servers
+  dst-port == 3306
+  event "MYSQL root login attempt"
+  tcp-state established,originator
+  payload /.*\x0A\x00\x00\x01\x85\x04\x00\x00\x80\x72\x6F\x6F\x74\x00/
+  }
+
+signature sid-1776 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == sql_servers
+  dst-port == 3306
+  event "MYSQL show databases attempt"
+  tcp-state established,originator
+  payload /.*\x0f\x00\x00\x00\x03show databases/
+  }
+
+signature sid-1893 {
+  ip-proto == udp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 161
+  event "SNMP missing community string attempt"
+  payload /.{4}.{0,8}\x04\x00/
+  }
+
+signature sid-1892 {
+  ip-proto == udp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 161
+  event "SNMP null community string attempt"
+  payload /.{4}.{0,7}\x04\x01\x00/
+  }
+
+signature sid-1409 {
+  ip-proto == udp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port >= 161
+  dst-port <= 162
+  event "SNMP community string buffer overflow attempt"
+  payload /.{3}.*\x02\x01\x00\x04\x82\x01\x00/
+  }
+
+signature sid-1422 {
+  ip-proto == udp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port >= 161
+  dst-port <= 162
+  event "SNMP community string buffer overflow attempt (with evasion)"
+  payload /.{6} \x04\x82\x01\x00/
+  }
+
+signature sid-1411 {
+  ip-proto == udp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 161
+  event "SNMP public access udp"
+  payload /.*public/
+  }
+
+signature sid-1412 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 161
+  event "SNMP public access tcp"
+  tcp-state established,originator
+  payload /.*public/
+  }
+
+signature sid-1413 {
+  ip-proto == udp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 161
+  event "SNMP private access udp"
+  payload /.*private/
+  }
+
+signature sid-1414 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 161
+  event "SNMP private access tcp"
+  tcp-state established,originator
+  payload /.*private/
+  }
+
+signature sid-1415 {
+  ip-proto == udp
+  dst-ip == 255.255.255.255
+  dst-port == 161
+  event "SNMP Broadcast request"
+  }
+
+signature sid-1416 {
+  ip-proto == udp
+  dst-ip == 255.255.255.255
+  dst-port == 162
+  event "SNMP broadcast trap"
+  }
+
+signature sid-1417 {
+  ip-proto == udp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 161
+  event "SNMP request udp"
+  }
+
+signature sid-1418 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 161
+  event "SNMP request tcp"
+  }
+
+signature sid-1419 {
+  ip-proto == udp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 162
+  event "SNMP trap udp"
+  }
+
+signature sid-1420 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 162
+  event "SNMP trap tcp"
+  }
+
+signature sid-1421 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 705
+  event "SNMP AgentX/tcp request"
+  }
+
+signature sid-1426 {
+  ip-proto == udp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 161
+  event "SNMP PROTOS test-suite-req-app attempt"
+  payload /.*\x30\x26\x02\x01\x00\x04\x06\x70\x75\x62\x6C\x69\x63\xA0\x19\x02\x01\x00\x02\x01\x00\x02\x01\x00\x30\x0E\x30\x0C\x06\x08\x2B\x06\x01\x02\x01\x01\x05\x00\x05\x00/
+  }
+
+signature sid-1427 {
+  ip-proto == udp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 162
+  event "SNMP PROTOS test-suite-trap-app attempt"
+  payload /.*\x30\x38\x02\x01\x00\x04\x06\x70\x75\x62\x6C\x69\x63\xA4\x2B\x06/
+  }
+
+signature sid-655 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == smtp_servers
+  src-port == 113
+  dst-port == 25
+  event "SMTP sendmail 8.6.9 exploit"
+  tcp-state established,originator
+  payload /.*\x0aD\//
+  }
+
+signature sid-658 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == smtp_servers
+  dst-port == 25
+  event "SMTP exchange mime DOS"
+  tcp-state established,originator
+  payload /.*charset = \x22\x22/
+  }
+
+signature sid-659 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == smtp_servers
+  dst-port == 25
+  event "SMTP expn decode"
+  tcp-state established,originator
+  payload /.*[eE][xX][pP][nN] [dD][eE][cC][oO][dD][eE]/
+  }
+
+signature sid-660 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == smtp_servers
+  dst-port == 25
+  event "SMTP expn root"
+  tcp-state established,originator
+  payload /.*[eE][xX][pP][nN] [rR][oO][oO][tT]/
+  }
+
+signature sid-1450 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == smtp_servers
+  dst-port == 25
+  event "SMTP expn *@"
+  tcp-state established,originator
+  payload /.*[eE][xX][pP][nN] \*@/
+  }
+
+signature sid-661 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == smtp_servers
+  dst-port == 25
+  event "SMTP majordomo ifs"
+  tcp-state established,originator
+  payload /.*eply-to\x3a a~\.`\/bin\//
+  }
+
+signature sid-662 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == smtp_servers
+  dst-port == 25
+  event "SMTP sendmail 5.5.5 exploit"
+  tcp-state established,originator
+  payload /.*[mM][aA][iI][lL] [fF][rR][oO][mM]\x3a\x20\x22\x7c/
+  }
+
+signature sid-663 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == smtp_servers
+  dst-port == 25
+  event "SMTP rcpt to sed command attempt"
+  tcp-state established,originator
+  payload /.*[rR][cC][pP][tT] [tT][oO]:.*.{0}.*\|.*.{0}.*sed /
+  }
+
+signature sid-664 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == smtp_servers
+  dst-port == 25
+  event "SMTP RCPT TO decode attempt"
+  tcp-state established,originator
+  payload /.*[rR][cC][pP][tT] [tT][oO]\x3a [dD][eE][cC][oO][dD][eE]/
+  }
+
+signature sid-665 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == smtp_servers
+  dst-port == 25
+  event "SMTP sendmail 5.6.5 exploit"
+  tcp-state established,originator
+  payload /.*[mM][aA][iI][lL] [fF][rR][oO][mM]\x3a\x20\x7c\/[uU][sS][rR]\/[uU][cC][bB]\/[tT][aA][iI][lL]/
+  }
+
+signature sid-667 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == smtp_servers
+  dst-port == 25
+  event "SMTP sendmail 8.6.10 exploit"
+  tcp-state established,originator
+  payload /.*Croot\x0d\x0aMprog, P=\/bin\//
+  }
+
+signature sid-668 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == smtp_servers
+  dst-port == 25
+  event "SMTP sendmail 8.6.10 exploit"
+  tcp-state established,originator
+  payload /.*Croot\x09\x09\x09\x09\x09\x09\x09Mprog,P=\/bin/
+  }
+
+signature sid-669 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == smtp_servers
+  dst-port == 25
+  event "SMTP sendmail 8.6.9 exploit"
+  tcp-state established,originator
+  payload /.*\x0aCroot\x0aMprog/
+  }
+
+signature sid-670 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == smtp_servers
+  dst-port == 25
+  event "SMTP sendmail 8.6.9 exploit"
+  tcp-state established,originator
+  payload /.*\x0aC\x3adaemon\x0aR/
+  }
+
+signature sid-671 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == smtp_servers
+  dst-port == 25
+  event "SMTP sendmail 8.6.9c exploit"
+  tcp-state established,originator
+  payload /.*\x0aCroot\x0d\x0aMprog/
+  }
+
+signature sid-672 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == smtp_servers
+  dst-port == 25
+  event "SMTP vrfy decode"
+  tcp-state established,originator
+  payload /.*[vV][rR][fF][yY] [dD][eE][cC][oO][dD][eE]/
+  }
+
+signature sid-1446 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == smtp_servers
+  dst-port == 25
+  event "SMTP vrfy root"
+  tcp-state established,originator
+  payload /.*[vV][rR][fF][yY] [rR][oO][oO][tT]/
+  }
+
+signature sid-631 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == smtp_servers
+  dst-port == 25
+  event "SMTP ehlo cybercop attempt"
+  tcp-state established,originator
+  payload /.*ehlo cybercop\x0aquit\x0a/
+  }
+
+signature sid-632 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == smtp_servers
+  dst-port == 25
+  event "SMTP expn cybercop attempt"
+  tcp-state established,originator
+  payload /.*expn cybercop/
+  }
+
+signature sid-1549 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == smtp_servers
+  dst-port == 25
+  event "SMTP HELO overflow attempt"
+  tcp-state established,originator
+  payload /HELO [^\x0a]{500}/
+  }
+
+signature sid-1550 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == smtp_servers
+  dst-port == 25
+  event "SMTP ETRN overflow attempt"
+  tcp-state established,originator
+  payload /ETRN [^\x0A]{500}/
+  }
+
+signature sid-2087 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == smtp_servers
+  dst-port == 25
+  event "SMTP From comment overflow attempt"
+  tcp-state established,originator
+  payload /.*From:.*.{0}.*<><><><><><><><><><><><><><><><><><><><><><>.{1}.*\(.{1}.*\)/
+  }
+
+signature sid-2183 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == smtp_servers
+  dst-port == 25
+  # Not supported: byte_test: 1,<,256,100,relative
+  event "SMTP Content-Transfer-Encoding overflow attempt"
+  tcp-state established,originator
+  payload /.*Content-Transfer-Encoding:[^\x0a]{100}/
+  }
+
+signature sid-1993 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 143
+  # Not supported: byte_test: 5,>,256,0,string,dec,relative
+  event "IMAP login literal buffer overflow attempt"
+  tcp-state established,originator
+  payload /.* LOGIN .*.{0}.* \{/
+  }
+
+signature sid-1842 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 143
+  event "IMAP login buffer overflow attempt"
+  tcp-state established,originator
+  payload /.* LOGIN [^\x0a]{100}/
+  }
+
+signature sid-2105 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 143
+  # Not supported: byte_test: 5,>,256,0,string,dec,relative
+  event "IMAP authenticate literal overflow attempt"
+  tcp-state established,originator
+  payload /.* [aA][uU][tT][hH][eE][nN][tT][iI][cC][aA][tT][eE] .*.{0}.*\{/
+  }
+
+signature sid-1844 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 143
+  event "IMAP authenticate overflow attempt"
+  tcp-state established,originator
+  payload /.* [aA][uU][tT][hH][eE][nN][tT][iI][cC][aA][tT][eE] [^\x0a]{100}/
+  }
+
+signature sid-1930 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 143
+  # Not supported: byte_test: 5,>,256,0,string,dec,relative
+  event "IMAP auth overflow attempt"
+  tcp-state established,originator
+  payload /.* [aA][uU][tT][hH]/
+  payload /.*\{/
+  }
+
+signature sid-1902 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 143
+  # Not supported: byte_test: 5,>,256,0,string,dec,relative
+  event "IMAP lsub literal overflow attempt"
+  payload /.* LSUB \x22.*.{0}.*\x22 \{/
+  }
+
+signature sid-2106 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 143
+  event "IMAP lsub overflow attempt"
+  payload /.* LSUB [^\x0a]{100}/
+  }
+
+signature sid-1845 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 143
+  # Not supported: byte_test: 5,>,256,0,string,dec,relative
+  event "IMAP list literal overflow attempt"
+  tcp-state established,originator
+  payload /.* LIST \x22.*.{0}.*\x22 \{/
+  }
+
+signature sid-2118 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 143
+  event "IMAP list overflow attempt"
+  tcp-state established,originator
+  payload /.* [lL][iI][sS][tT] [^\x0a]{100}/
+  }
+
+signature sid-2119 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 143
+  # Not supported: byte_test: 5,>,256,0,string,dec,relative
+  event "IMAP rename literal overflow attempt"
+  tcp-state established,originator
+  payload /.* RENAME \x22.*.{0}.*\x22 \{/
+  }
+
+signature sid-1903 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 143
+  event "IMAP rename overflow attempt"
+  tcp-state established,originator
+  payload /.* [rR][eE][nN][aA][mM][eE] [^\x0a]{1024}/
+  }
+
+signature sid-1904 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 143
+  event "IMAP find overflow attempt"
+  tcp-state established,originator
+  payload /.* [fF][iI][nN][dD] [^\x0a]{1024}/
+  }
+
+signature sid-1755 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 143
+  event "IMAP partial body buffer overflow attempt"
+  tcp-state established,originator
+  payload /.* PARTIAL /
+  payload /.* BODY\[[^\]]{1024}/
+  }
+
+signature sid-2046 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 143
+  event "IMAP partial body.peek buffer overflow attempt"
+  tcp-state established,originator
+  payload /.* PARTIAL /
+  payload /.* BODY\.PEEK\[[^\]]{1024}/
+  }
+
+signature sid-2107 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 143
+  event "IMAP create buffer overflow attempt"
+  tcp-state established,originator
+  payload /.* CREATE [^\x0a]{1024}/
+  }
+
+signature sid-2120 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 143
+  # Not supported: byte_test: 5,>,256,0,string,dec,relative
+  event "IMAP create literal buffer overflow attempt"
+  tcp-state established,originator
+  payload /.* CREATE.*.{0}.* \{/
+  }
+
+signature sid-1934 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 109
+  event "POP2 FOLD overflow attempt"
+  tcp-state established,originator
+  payload /.*FOLD [^\x0A]{256}/
+  }
+
+signature sid-1935 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 109
+  event "POP2 FOLD arbitrary file attempt"
+  tcp-state established,originator
+  payload /.*FOLD \//
+  }
+
+signature sid-284 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 109
+  event "POP2 x86 Linux overflow"
+  tcp-state established,originator
+  payload /.*\xeb\x2c\x5b\x89\xd9\x80\xc1\x06\x39\xd9\x7c\x07\x80\x01/
+  }
+
+signature sid-285 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 109
+  event "POP2 x86 Linux overflow"
+  tcp-state established,originator
+  payload /.*\xff\xff\xff\x2f\x42\x49\x4e\x2f\x53\x48\x00/
+  }
+
+signature sid-2121 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 110
+  # Not supported: byte_test: 1,>,0,0,relative,string
+  event "POP3 DELE negative arguement attempt"
+  payload /[dD][eE][lL][eE].{1}.*-/
+  }
+
+signature sid-2122 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 110
+  # Not supported: byte_test: 1,>,0,0,relative,string
+  event "POP3 UIDL negative arguement attempt"
+  payload /[uU][iI][dD][lL].{1}.*-/
+  }
+
+signature sid-1866 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 110
+  event "POP3 USER overflow attempt"
+  tcp-state established,originator
+  payload /.*[uU][sS][eE][rR][^\x0a]{50}/
+  }
+
+signature sid-2108 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 110
+  event "POP3 CAPA overflow attempt"
+  tcp-state established,originator
+  payload /.*[cC][aA][pP][aA][^\x0a]{10}/
+  }
+
+signature sid-2109 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 110
+  event "POP3 TOP overflow attempt"
+  tcp-state established,originator
+  payload /.*[tT][oO][pP][^\x0a]{10}/
+  }
+
+signature sid-2110 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 110
+  event "POP3 STAT overflow attempt"
+  tcp-state established,originator
+  payload /.*[sS][tT][aA][tT][^\x0a]{10}/
+  }
+
+signature sid-2111 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 110
+  event "POP3 DELE overflow attempt"
+  tcp-state established,originator
+  payload /.*[dD][eE][lL][eE][^\x0a]{10}/
+  }
+
+signature sid-2112 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 110
+  event "POP3 RSET overflow attempt"
+  tcp-state established,originator
+  payload /.*[rR][sS][eE][tT][^\x0a]{10}/
+  }
+
+signature sid-1936 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 110
+  event "POP3 AUTH overflow attempt"
+  tcp-state established,originator
+  payload /.*[aA][uU][tT][hH][^\x0a]{50}/
+  }
+
+signature sid-1937 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 110
+  event "POP3 LIST overflow attempt"
+  tcp-state established,originator
+  payload /.*[lL][iI][sS][tT][^\x0a]{50}/
+  }
+
+signature sid-1938 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 110
+  event "POP3 XTND overflow attempt"
+  tcp-state established,originator
+  payload /.*[xX][tT][nN][dD][^\x0a]{50}/
+  }
+
+signature sid-1634 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 110
+  event "POP3 PASS overflow attempt"
+  tcp-state established,originator
+  payload /.*[pP][aA][sS][sS][^\x0a]{50}/
+  }
+
+signature sid-1635 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 110
+  event "POP3 APOP overflow attempt"
+  tcp-state established,originator
+  payload /.*[aA][pP][oO][pP][^\x0a]{256}/
+  }
+
+signature sid-286 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 110
+  event "POP3 EXPLOIT x86 BSD overflow"
+  tcp-state established,originator
+  payload /.*\|5e0 e31c 0b03 b8d7 e0e8 9fa 89f9\|/
+  }
+
+signature sid-287 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 110
+  event "POP3 EXPLOIT x86 BSD overflow"
+  tcp-state established,originator
+  payload /.*\x68\x5d\x5e\xff\xd5\xff\xd4\xff\xf5\x8b\xf5\x90\x66\x31/
+  }
+
+signature sid-288 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 110
+  event "POP3 EXPLOIT x86 Linux overflow"
+  tcp-state established,originator
+  payload /.*\xd8\x40\xcd\x80\xe8\xd9\xff\xff\xff\/bin\/sh/
+  }
+
+signature sid-289 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 110
+  event "POP3 EXPLOIT x86 SCO overflow"
+  tcp-state established,originator
+  payload /.*\x56\x0e\x31\xc0\xb0\x3b\x8d\x7e\x12\x89\xf9\x89\xf9/
+  }
+
+signature sid-290 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 110
+  event "POP3 EXPLOIT qpopper overflow"
+  tcp-state established,originator
+  payload /.*\xE8\xD9\xFF\xFF\xFF\/bin\/sh/
+  }
+
+signature sid-1792 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  src-port == 119
+  event "NNTP return code buffer overflow attempt"
+  tcp-state established,originator
+  payload /200 [^\x0a]{64}/
+  }
+
+signature sid-1538 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  dst-port == 119
+  event "NNTP AUTHINFO USER overflow attempt"
+  tcp-state established,originator
+  payload /[aA][uU][tT][hH][iI][nN][fF][oO] [uU][sS][eE][rR] [^\x0a]{500}/
+  }
+
+signature sid-1760 {
+  ip-proto == tcp
+  src-ip == local_nets
+  dst-ip != local_nets
+  src-port == 902
+  event "OTHER-IDS ISS RealSecure 6 event collector connection attempt"
+  tcp-state established,responder
+  payload /.{29}6[iI][sS][sS] [eE][cC][nN][rR][aA] [bB][uU][iI][lL][tT]-[iI][nN] [pP][rR][oO][vV][iI][dD][eE][rR], [sS][tT][rR][oO][nN][gG] [eE][nN][cC][rR][yY][pP][tT][iI][oO][nN]/
+  }
+
+signature sid-1761 {
+  ip-proto == tcp
+  src-ip == local_nets
+  dst-ip != local_nets
+  src-port == 2998
+  event "OTHER-IDS ISS RealSecure 6 daemon connection attempt"
+  tcp-state established,responder
+  payload /.{29}6[iI][sS][sS] [eE][cC][nN][rR][aA] [bB][uU][iI][lL][tT]-[iI][nN] [pP][rR][oO][vV][iI][dD][eE][rR], [sS][tT][rR][oO][nN][gG] [eE][nN][cC][rR][yY][pP][tT][iI][oO][nN]/
+  }
+
+signature sid-1629 {
+  ip-proto == tcp
+  src-ip != local_nets
+  dst-ip == local_nets
+  event "OTHER-IDS SecureNetPro traffic"
+  tcp-state established
+  payload /\x00\x67\x00\x01\x00\x03/
+  }
+
+
diff --git a/policy/sigs/ssl-worm.sig b/policy/sigs/ssl-worm.sig
new file mode 100644
index 0000000000..e18f683992
--- /dev/null
+++ b/policy/sigs/ssl-worm.sig
@@ -0,0 +1,38 @@
+signature sslworm-probe {
+  header ip[9:1] == 6
+  header ip[16:4] == local_nets
+  header tcp[2:2] == 80
+  payload /.*GET \/ HTTP\/1\.1\x0d\x0a\x0d\x0a/
+  event "Host may have been probed by Apache/SSL worm"
+  }
+
+signature sslworm-vulnerable-probe {
+  requires-signature sslworm-probe
+  eval sslworm_is_server_vulnerable
+  event "Host may have been probed by Apache/SSL worm and is vulnerable"
+  }
+
+signature sslworm-exploit {
+  header ip[9:1] == 6
+  header ip[16:4] == local_nets
+  header tcp[2:2] == 443
+  eval sslworm_has_server_been_probed
+  event "Apache/Worm has tried to exploit host"
+  }
+
+signature sslworm-infection {
+  header ip[9:1] == 17
+  header ip[12:4] == local_nets
+  header udp[0:2] == 2002
+  eval sslworm_has_server_been_exploited 
+  event "Host has been infected by Apache/SSL worm"
+}
+
+signature sslworm-udp2002 {
+  header ip[9:1] == 17
+  header udp[0:2] == 2002
+  header udp[2:2] == 2002
+  event "Hosts may have been infected by Apache/SSL worm"
+  }
+
+
diff --git a/policy/sigs/worm.sig b/policy/sigs/worm.sig
new file mode 100644
index 0000000000..588679c24a
--- /dev/null
+++ b/policy/sigs/worm.sig
@@ -0,0 +1,41 @@
+# $Id: worm.sig 47 2004-06-11 07:26:32Z vern $
+
+signature nimda {
+	ip-proto == tcp
+	dst-port == http_ports
+	tcp-state established,originator
+	http /.*\/((MSDAC|scripts)\/root|winnt\/system32)\/.*c\+dir$/
+	event "Nimda"
+}
+
+signature codered1 {
+	ip-proto == tcp
+	dst-port == http_ports
+	tcp-state established,originator
+	http /.*\.id[aq]\?.*NNNNNNNNNNNNN/
+	event "CodeRed 1"
+}
+
+signature codered2 {
+	ip-proto == tcp
+	dst-port == http_ports
+	tcp-state established,originator
+	http /.*\.id[aq]\?.*XXXXXXXXXXXXX/
+	event "CodeRed 2"
+}
+
+# Taken from Snort
+signature slammer {
+	ip-proto == udp
+	dst-port == 1434
+	payload /.*\x81\xf1\x03\x01\x04\x9b\x81\xf1\x01/
+	event "Slammer propagation attempt"
+}
+
+signature witty {
+	# header udp[0:2] == 4000
+	ip-proto == udp
+	src-port == 4000
+	payload /.*insert witty message here/
+	event "Witty propagation attempt"
+}
diff --git a/policy/site.bro b/policy/site.bro
new file mode 100644
index 0000000000..95c9c5cb89
--- /dev/null
+++ b/policy/site.bro
@@ -0,0 +1,17 @@
+# $Id: site.bro 416 2004-09-17 03:52:28Z vern $
+#
+# Definitions describing a site - which networks are "local"
+# and "neighbors", and servers running particular services.
+
+# Networks that are considered "local".
+const local_nets: set[subnet] &redef;
+
+# Networks that are considered "neighbors".
+const neighbor_nets: set[subnet] &redef;
+
+# Function that returns true if an address corresponds to one of
+# the local networks, false if not.
+function is_local_addr(a: addr): bool
+	{
+	return a in local_nets;
+	}
diff --git a/policy/smb-anonymizer.bro b/policy/smb-anonymizer.bro
new file mode 100644
index 0000000000..1051f8843c
--- /dev/null
+++ b/policy/smb-anonymizer.bro
@@ -0,0 +1,80 @@
+# $Id:$
+
+redef rewriting_smb_trace = T;
+
+
+event smb_message(c: connection, hdr: smb_hdr, is_orig: bool, cmd: string, body_length: count, body: string)
+	{
+	}
+
+event smb_com_tree_connect_andx(c: connection, hdr: smb_hdr, path: string, service: string)
+	{
+	}
+
+event smb_com_tree_disconnect(c: connection, hdr: smb_hdr)
+	{
+	}
+
+event smb_com_nt_create_andx(c: connection, hdr: smb_hdr, name: string)
+	{
+	}
+
+event smb_com_transaction(c: connection, hdr: smb_hdr, trans: smb_trans, data: smb_trans_data, is_orig: bool)
+	{
+	}
+
+event smb_com_transaction2(c: connection, hdr: smb_hdr, trans: smb_trans, data: smb_trans_data, is_orig: bool)
+	{
+	}
+
+event smb_com_trans_mailslot(c: connection, hdr: smb_hdr, trans: smb_trans, data: smb_trans_data, is_orig: bool)
+	{
+	}
+
+event smb_com_trans_rap(c: connection, hdr: smb_hdr, trans: smb_trans, data: smb_trans_data, is_orig: bool)
+	{
+	}
+
+event smb_com_trans_pipe(c: connection, hdr: smb_hdr, trans: smb_trans, data: smb_trans_data, is_orig: bool)
+	{
+	}
+
+event smb_com_read_andx(c: connection, hdr: smb_hdr, data: string)
+	{
+	}
+
+event smb_com_write_andx(c: connection, hdr: smb_hdr, data: string)
+	{
+	}
+
+event smb_get_dfs_referral(c: connection, hdr: smb_hdr, max_referral_level: count, file_name: string)
+	{
+	}
+
+event smb_com_negotiate(c: connection, hdr: smb_hdr)
+	{
+	}
+
+event smb_com_negotiate_response(c: connection, hdr: smb_hdr, dialect_index: count)
+	{
+	}
+
+event smb_com_setup_andx(c: connection, hdr: smb_hdr)
+	{
+	}
+
+event smb_com_generic_andx(c: connection, hdr: smb_hdr)
+	{
+	}
+
+event smb_com_close(c: connection, hdr: smb_hdr)
+	{
+	}
+
+event smb_com_logoff_andx(c: connection, hdr: smb_hdr)
+	{
+	}
+
+event smb_error(c: connection, hdr: smb_hdr, cmd: count, cmd_str: string, data: string)
+	{
+	}
diff --git a/policy/smb.bro b/policy/smb.bro
new file mode 100644
index 0000000000..4d31393a13
--- /dev/null
+++ b/policy/smb.bro
@@ -0,0 +1,8 @@
+# $Id:$
+
+redef capture_filters += { ["smb"] = "port 445" };
+
+global smb_ports = { 445/tcp } &redef;
+redef dpd_config += { [ANALYZER_SMB] = [$ports = smb_ports] };
+
+# No default implementation for events.
diff --git a/policy/smtp-relay.bro b/policy/smtp-relay.bro
new file mode 100644
index 0000000000..0a7f84e7ad
--- /dev/null
+++ b/policy/smtp-relay.bro
@@ -0,0 +1,192 @@
+# $Id: smtp-relay.bro 5911 2008-07-03 22:59:01Z vern $
+#
+# Tracks email relaying.
+
+@load smtp
+@load mime
+
+module SMTP;
+
+redef process_smtp_relay = T;
+
+export {
+	const relay_log = open_log_file("relay") &redef;
+}
+
+global print_smtp_relay: function(t: table[count] of smtp_session_info,
+					idx: count): interval;
+
+global smtp_relay_table: table[count] of smtp_session_info
+	&write_expire = 5 min &expire_func = print_smtp_relay;
+
+global smtp_session_by_recipient: table[string] of smtp_session_info
+	&write_expire = 5 min;
+global smtp_session_by_message_id: table[string] of smtp_session_info
+	&write_expire = 5 min;
+global smtp_session_by_content_hash: table[string] of smtp_session_info
+	&write_expire = 5 min;
+
+
+function add_to_smtp_relay_table(session: smtp_session_info)
+	{
+	if ( session$id !in smtp_relay_table )
+		smtp_relay_table[session$id] = session;
+	}
+
+function check_relay_1(session: smtp_session_info, rcpt: string)
+	{
+	if ( session$external_orig && rcpt != local_mail_addr )
+		{
+		smtp_message(session,
+			fmt("relaying(1) message (from %s, to %s) to address %s",
+				session$connection_id$orig_h,
+				session$connection_id$resp_h,
+				rcpt));
+
+		if ( session$relay_1_rcpt != "" )
+			session$relay_1_rcpt = cat(session$relay_1_rcpt, ",");
+
+		session$relay_1_rcpt = cat(session$relay_1_rcpt, rcpt);
+		add_to_smtp_relay_table(session);
+		}
+	}
+
+function check_relay_2(session: smtp_session_info, rcpt: string)
+	{
+	if ( rcpt in smtp_session_by_recipient )
+		{
+		local prev_session = smtp_session_by_recipient[rcpt];
+
+		# Should only check the first condition only (external
+		# followed by internal) but let's include the second one
+		# for testing purposes for now.
+		if ( (prev_session$external_orig && ! session$external_orig) ||
+		     (! prev_session$external_orig && session$external_orig) )
+			{
+			smtp_message(session,
+				fmt("relaying(2) message (seen during #%d) to address %s (%s -> %s, %s -> %s)",
+					prev_session$id, rcpt,
+					prev_session$connection_id$orig_h,
+					prev_session$connection_id$resp_h,
+					session$connection_id$orig_h,
+					session$connection_id$resp_h));
+
+			session$relay_2_from = prev_session$id;
+			++prev_session$relay_2_to;
+
+			add_to_smtp_relay_table(session);
+			add_to_smtp_relay_table(prev_session);
+			}
+		}
+
+	smtp_session_by_recipient[rcpt] = session;
+	}
+
+function check_relay_3(session: MIME::mime_session_info, msg_id: string)
+	{
+	local smtp_session = session$smtp_session;
+
+	if ( msg_id in smtp_session_by_message_id )
+		{
+		local prev_smtp_session = smtp_session_by_message_id[msg_id];
+
+		smtp_message(smtp_session,
+			fmt("relaying(3) message (seen during #%d) with id %s (%s -> %s, %s -> %s)",
+				prev_smtp_session$id, msg_id,
+				prev_smtp_session$connection_id$orig_h,
+				prev_smtp_session$connection_id$resp_h,
+				smtp_session$connection_id$orig_h,
+				smtp_session$connection_id$resp_h));
+
+		smtp_session$relay_3_from = prev_smtp_session$id;
+		++prev_smtp_session$relay_3_to;
+
+		add_to_smtp_relay_table(smtp_session);
+		add_to_smtp_relay_table(prev_smtp_session);
+		}
+	else
+		smtp_session_by_message_id[msg_id] = smtp_session;
+	}
+
+function check_relay_4(session: MIME::mime_session_info, content_hash: string)
+	{
+	local smtp_session = session$smtp_session;
+	smtp_session$content_hash = content_hash;
+
+	if ( content_hash in smtp_session_by_content_hash )
+		{
+		local prev_smtp_session = smtp_session_by_content_hash[content_hash];
+		smtp_message(smtp_session,
+			fmt("relaying(4) message (seen during #%d) with hash %s (%s -> %s, %s -> %s)",
+				prev_smtp_session$id,
+				string_to_ascii_hex(content_hash),
+				prev_smtp_session$connection_id$orig_h,
+				prev_smtp_session$connection_id$resp_h,
+				smtp_session$connection_id$orig_h,
+				smtp_session$connection_id$resp_h));
+
+		smtp_session$relay_4_from = prev_smtp_session$id;
+		++prev_smtp_session$relay_4_to;
+
+		add_to_smtp_relay_table(smtp_session);
+		add_to_smtp_relay_table(prev_smtp_session);
+		}
+	else
+		smtp_session_by_content_hash[content_hash] = smtp_session;
+	}
+
+# event mime_all_data(c: connection, length: count, data: string)
+#  	{
+#  	local session = get_mime_session(c, T);
+#  	session$content_hash = md5_hash(data);
+# 	if ( process_smtp_relay )
+# 	 	check_relay_4(session, session$content_hash);
+#  	# mime_log_msg(session, "all data", fmt("%s", data));
+#  	}
+
+event mime_content_hash(c: connection, content_len: count, hash_value: string)
+	{
+	local session = MIME::get_session(c, T);
+	session$content_hash = hash_value;
+	if ( process_smtp_relay && content_len > 0 )
+		check_relay_4(session, session$content_hash);
+	}
+
+function relay_flow(from: count, to: count): string
+	{
+	if ( from > 0 )
+		return fmt("<#%d", from);
+
+	if ( to > 0 )
+		return fmt(">%d", to);
+
+	return "-";
+	}
+
+function print_smtp_relay(t: table[count] of smtp_session_info,
+				idx: count): interval
+	{
+	local session = t[idx];
+
+	print relay_log, fmt("#%d: %s",
+		session$id,
+		directed_id_string(session$connection_id, T));
+
+	print relay_log, fmt("#%d: RCPT: <%s>, Subject: %s",
+		session$id,
+		session$recipients, session$subject);
+
+	print relay_log, fmt("#%d: detected: [%s %s %s %s] %s",
+		session$id,
+		session$relay_1_rcpt == "" ? "-" : "1",
+		relay_flow(session$relay_2_from, session$relay_2_to),
+		relay_flow(session$relay_3_from, session$relay_3_to),
+		relay_flow(session$relay_4_from, session$relay_4_to),
+		session$content_gap ? "(content gap)" : "");
+
+	print relay_log, fmt("#%d: relay 1: <%s>",
+		session$id,
+		session$relay_1_rcpt);
+
+	return 0 sec;
+	}
diff --git a/policy/smtp-rewriter.bro b/policy/smtp-rewriter.bro
new file mode 100644
index 0000000000..be8e726dcc
--- /dev/null
+++ b/policy/smtp-rewriter.bro
@@ -0,0 +1,94 @@
+# $Id: smtp-rewriter.bro 4758 2007-08-10 06:49:23Z vern $
+
+@load smtp
+@load mime 	# need mime for content hash
+
+module SMTP;
+
+redef rewriting_smtp_trace = T;
+
+# We want this event handler to execute *after* the one in smtp.bro.
+event smtp_request(c: connection, is_orig: bool, command: string, arg: string)
+	{
+	if ( ! rewriting_trace() )
+		return;
+
+	local session = smtp_sessions[c$id];
+
+	if ( command != ">" )
+		{
+		if ( command == "." )
+			{
+			# A hack before we have MIME rewriter.
+			# rewrite_smtp_data(c, is_orig, fmt("X-number-of-lines: %d",
+			# 			session$num_lines_in_body));
+			rewrite_smtp_data(c, is_orig, fmt("X-number-of-bytes: %d",
+						session$num_bytes_in_body));
+
+			# Write empty line to avoid MIME analyzer complaints.
+			rewrite_smtp_data(c, is_orig, "");
+			rewrite_smtp_data(c, is_orig, fmt("%s", session$content_hash));
+			}
+
+		if ( command in smtp_legal_cmds )
+			{
+			# Avoid the situation in which we mistake
+			# mail contents for SMTP commands.
+			rewrite_smtp_request(c, is_orig, command, arg);
+			rewrite_push_packet(c, is_orig);
+			}
+		}
+	}
+
+event smtp_reply(c: connection, is_orig: bool, code: count, cmd: string,
+			msg: string, cont_resp: bool)
+	{
+	if ( ! rewriting_trace() )
+		return;
+
+	rewrite_smtp_reply(c, is_orig, code, msg, cont_resp);
+	}
+
+function starts_with_leading_whitespace(s: string): bool
+	{
+	return /^[ \t]/ in s;
+	}
+
+function rewrite_smtp_header_line(c: connection, is_orig: bool,
+				session: smtp_session_info, line: string)
+	{
+	if ( starts_with_leading_whitespace(line) )
+		{ # a continuing header
+		if ( session$keep_current_header )
+			rewrite_smtp_data(c, is_orig, line);
+		}
+	else
+		{
+		session$keep_current_header = F;
+
+		local pair = split1(line, /:/);
+		if ( length(pair) < 2 )
+			{
+			session$keep_current_header = T;
+			rewrite_smtp_data(c, is_orig, line);
+			}
+		else
+			{
+			local field_name = to_upper(pair[1]);
+
+			# Currently, the MIME analyzer is sensitive to
+			# CONTENT-TYPE and CONTENT_TRANSFER_ENCODING,
+			# so we want to remove these when anonymizing,
+			# because we can't ensure their integrity when
+			# rewriting message bodies.
+			#
+			# To be conservative, however, we strip out *all*
+			# CONTENT-* headers.
+			if ( /^CONTENT-/ !in field_name )
+				{
+				session$keep_current_header = T;
+				rewrite_smtp_data(c, is_orig, line);
+				}
+			}
+		}
+	}
diff --git a/policy/smtp.bro b/policy/smtp.bro
new file mode 100644
index 0000000000..cddb926456
--- /dev/null
+++ b/policy/smtp.bro
@@ -0,0 +1,557 @@
+# $Id: smtp.bro 5230 2008-01-14 01:38:18Z vern $
+
+@load conn
+
+module SMTP;
+
+export {
+	redef enum Notice += { HotEmailRecipient, };
+
+	const process_smtp_relay = F &redef;
+
+	const smtp_log = open_log_file("smtp") &redef;
+
+	# Used to detect relaying.
+	const local_mail_addr = /.*@.*lbl.gov/ &redef;
+
+	const hot_recipients = /@/ &redef;
+
+	const smtp_legal_cmds: set[string] = {
+		">", "EHLO", "HELO", "MAIL",
+		"RCPT", "DATA", ".", "QUIT",
+		"RSET", "VRFY", "EXPN", "HELP", "NOOP",
+		"SEND",	"SOML", "SAML", "TURN",
+		"STARTTLS",
+		"BDAT",
+		"ETRN",
+		"AUTH",
+		"***",
+	} &redef;
+
+	const smtp_hot_cmds: table[string] of pattern = {
+		["MAIL"] = /.*<.*@.*:.*>.*/,	# relay path
+		["RCPT"] = /.*<.*@.*:.*>.*/,	# relay path
+		["VRFY"] = /.*/,
+		["EXPN"] = /.*/,
+		["TURN"] = /.*/,
+	} &redef;
+
+	const smtp_sensitive_cmds: set[string] = {
+		"VRFY", "EXPN", "TURN",
+	} &redef;
+
+	const smtp_expected_reply: set[string, count] = {
+		[">", 220],
+		["EHLO", 250],
+		["HELO", 250],
+		["MAIL", 250],
+		["RCPT", 250],
+		["RCPT", 554],	# transaction failed
+		["QUIT", 221],
+		["DATA", 354],
+		[".", 250],	# end of data
+		["RSET", 250],
+		["VRFY", 250],
+		["EXPN", 250],
+		["HELP", 250],
+		["HELP", 502],	# help command not supported
+		["NOOP", 250],
+		["AUTH", 334],		# two round authentication
+		["AUTH", 235],		# one round authentication
+		["AUTH_ANSWER", 334],	# multiple step authentication
+		["AUTH_ANSWER", 235],	# authentication successful
+		["STARTTLS", 220],	# Willing to do TLS
+		["TURN", 502],		# TURN is expected to be rejected
+	};
+
+	type smtp_cmd_info: record {
+		cmd: string;
+		cmd_arg: string;
+		reply: count;
+		reply_arg: string;
+		cont_reply: bool;
+		log_reply: bool;
+	};
+
+	type smtp_cmd_info_list: table[count] of smtp_cmd_info;
+
+	type smtp_session_info: record {
+		id: count;
+		connection_id: conn_id;
+		external_orig: bool;
+		in_data: bool;
+		num_cmds: count;
+		num_replies: count;
+		cmds: smtp_cmd_info_list;
+		in_header: bool;
+		keep_current_header: bool;	# hack till MIME rewriter ready
+		recipients: string;
+		subject: string;
+		content_hash: string;
+		num_lines_in_body: count;
+			# lines in RFC 822 body before MIME decoding
+		num_bytes_in_body: count;
+			# bytes in entity bodies after MIME decoding
+		content_gap: bool;	# whether content gap in conversation
+
+		relay_1_rcpt: string;	# external recipients
+		relay_2_from: count;	# session id of same recipient
+		relay_2_to: count;
+		relay_3_from: count;	# session id of same msg id
+		relay_3_to: count;
+		relay_4_from: count;	# session id of same content hash
+		relay_4_to: count;
+	};
+
+	global smtp_sessions: table[conn_id] of smtp_session_info;
+	global smtp_session_id = 0;
+
+	global new_smtp_session: function(c: connection);
+}
+
+redef capture_filters += { ["smtp"] = "tcp port smtp or tcp port 587" };
+
+# DPM configuration.
+global smtp_ports = { 25/tcp, 587/tcp } &redef;
+redef dpd_config += { [ANALYZER_SMTP] = [$ports = smtp_ports] };
+
+function is_smtp_connection(c: connection): bool
+	{
+	return c$id$resp_p == smtp;
+	}
+
+event bro_init()
+	{
+	have_SMTP = T;
+	}
+
+global add_to_smtp_relay_table: function(session: smtp_session_info);
+
+function new_smtp_command(session: smtp_session_info, cmd: string, arg: string)
+	{
+	++session$num_cmds;
+
+	local cmd_info: smtp_cmd_info;
+	cmd_info$cmd = cmd;
+	cmd_info$cmd_arg = arg;
+	cmd_info$reply = 0;
+	cmd_info$reply_arg = "";
+	cmd_info$cont_reply = F;
+	cmd_info$log_reply = F;
+
+	session$cmds[session$num_cmds] = cmd_info;
+	}
+
+function new_smtp_session(c: connection)
+	{
+	local session = c$id;
+	local new_id = ++smtp_session_id;
+
+	local info: smtp_session_info;
+	local cmds: smtp_cmd_info_list;
+
+	info$id = new_id;
+	info$connection_id = session;
+	info$in_data = F;
+	info$num_cmds = 0;
+	info$num_replies = 0;
+	info$cmds = cmds;
+	info$in_header = F;
+	info$keep_current_header = T;
+	info$external_orig = !is_local_addr(session$orig_h);
+
+	info$subject = "";
+	info$recipients = "";
+	info$content_hash = "";
+	info$num_lines_in_body = info$num_bytes_in_body = 0;
+	info$content_gap = F;
+
+	info$relay_1_rcpt = "";
+	info$relay_2_from = info$relay_2_to = info$relay_3_from =
+		info$relay_3_to = info$relay_4_from = info$relay_4_to = 0;
+
+	new_smtp_command(info, ">", "<connection>");
+
+	smtp_sessions[session] = info;
+	append_addl(c, fmt("#%s", prefixed_id(new_id)));
+
+	print smtp_log, fmt("%.6f #%s %s start %s", c$start_time,
+			prefixed_id(new_id), id_string(session), info$external_orig ?
+			"external" : "internal" );
+	}
+
+function smtp_message(session: smtp_session_info, msg: string)
+	{
+	print smtp_log, fmt("%.6f #%s %s",
+			network_time(), prefixed_id(session$id), msg);
+	}
+
+function smtp_log_msg(session: smtp_session_info, is_orig: bool, msg: string)
+	{
+	print smtp_log, fmt("%.6f #%s %s: %s",
+				network_time(),
+				prefixed_id(session$id),
+				directed_id_string(session$connection_id, is_orig),
+				msg);
+	}
+
+function smtp_log_reject_recipient(session: smtp_session_info, rcpt: string)
+	{
+	if ( rcpt == "" )
+		rcpt = "<none>";
+
+	smtp_message(session, fmt("Recipient addresses rejected: %s", rcpt));
+	}
+
+function smtp_log_command(session: smtp_session_info, is_orig: bool,
+				msg: string, cmd_info: smtp_cmd_info)
+	{
+	smtp_log_msg(session, is_orig, fmt("%s: %s(%s)",
+					msg, cmd_info$cmd, cmd_info$cmd_arg));
+	}
+
+function smtp_log_reply(session: smtp_session_info, is_orig: bool,
+			msg: string, cmd_info: smtp_cmd_info)
+	{
+	smtp_log_msg(session, is_orig, fmt("%s: %s(%s) --> %d(%s)",
+					msg,
+					cmd_info$cmd, cmd_info$cmd_arg,
+					cmd_info$reply, cmd_info$reply_arg));
+	}
+
+event smtp_request(c: connection, is_orig: bool, command: string, arg: string)
+	{
+	local id = c$id;
+
+	if ( id !in smtp_sessions )
+		new_smtp_session(c);
+
+	local session = smtp_sessions[id];
+	new_smtp_command(session, command, arg);
+	local cmd_info = session$cmds[session$num_cmds];
+
+	# Store the command in session record.
+	local log_this_cmd = F;
+
+	if ( command in smtp_hot_cmds && arg == smtp_hot_cmds[command] )
+		{
+		log_this_cmd = T;
+		cmd_info$log_reply = T;
+		}
+
+	if ( command in smtp_sensitive_cmds )
+		{
+		log_this_cmd = T;
+		cmd_info$log_reply = T;
+		}
+
+	if ( log_this_cmd )
+		smtp_log_command(session, is_orig, "unusual command", cmd_info);
+
+	if ( command == "DATA" )
+		{
+		session$in_data = T;
+		session$in_header = T;
+		}
+
+	else if ( command == "." )
+		session$in_data = F;
+	}
+
+function check_cmd_info(session: smtp_session_info): bool
+	{
+	if ( session$num_replies == 0 )
+		return T;
+
+	if ( session$num_replies <= session$num_cmds &&
+	     session$num_replies in session$cmds )
+		return T;
+
+	smtp_message(session, fmt("error: invalid num_replies: %d (num_cmds = %d)",
+				session$num_replies, session$num_cmds));
+	return F;
+	}
+
+function smtp_command_mail(session: smtp_session_info, cmd_info: smtp_cmd_info)
+	{
+	local tokens = split(cmd_info$cmd_arg, /(<|:|>)*/);
+
+	local i = 0;
+	for ( i in tokens )
+		smtp_log_msg(session, T, fmt("%d: \"%s\"", i, tokens[i]));
+	}
+
+function extract_recipient(session: smtp_session_info, rcpt_cmd_arg: string): string
+	{
+	local pair: string_array;
+	local s: string;
+
+	s = rcpt_cmd_arg;
+
+	pair = split1(s, /<( |\t)*/);
+	if ( length(pair) != 2 )
+		{
+		smtp_message(session, fmt("error: '<' not found in argument to RCPT: %s",
+					rcpt_cmd_arg));
+		return "";
+		}
+
+	s = pair[2];
+	# smtp_message(session, fmt("%s<%s", pair[1], pair[2]));
+
+	pair = split1(s, /( |\t)*>/);
+	if ( length(pair) != 2 )
+		{
+		smtp_message(session, fmt("error: '>' not found in argument to RCPT: %s",
+					rcpt_cmd_arg));
+		return "";
+		}
+
+	s = pair[1];
+	# smtp_message(session, fmt("%s>%s", pair[1], pair[2]));
+
+	pair = split1(s, /:/);
+	if ( length(pair) == 2 )
+		{
+		smtp_message(session, fmt("RCPT address is source route path: %s",
+					rcpt_cmd_arg));
+		s = pair[2];
+		}
+
+	# Actually the local part of an address might be case-sensitive,
+	# but in most cases it is not.
+
+	s = to_lower(s);
+
+	return s;
+	}
+
+global check_relay_1: function(session: smtp_session_info, rcpt: string);
+global check_relay_2: function(session: smtp_session_info, rcpt: string);
+
+function smtp_command_rcpt(c: connection, session: smtp_session_info,
+				cmd_info: smtp_cmd_info)
+	{
+	local rcpt = extract_recipient(session, cmd_info$cmd_arg);
+
+	if ( cmd_info$reply == 554 )
+		smtp_log_reject_recipient(session, rcpt);
+
+	else if ( rcpt != "" )
+		{
+		smtp_message(session, fmt("recipient: <%s>", rcpt));
+
+		if ( session$recipients != "" )
+			session$recipients = cat(session$recipients, ",");
+
+		session$recipients = cat(session$recipients, rcpt);
+
+		if ( process_smtp_relay )
+			{
+			check_relay_1(session, rcpt);
+			check_relay_2(session, rcpt);
+			}
+
+		if ( rcpt == hot_recipients )
+			{
+			local src = session$connection_id$orig_h;
+			local dst = session$connection_id$resp_h;
+
+			NOTICE([$note=HotEmailRecipient, $src=src, $conn=c,
+				$user=rcpt,
+				$msg=fmt("hot email recipient %s -> %s@%s",
+					src, rcpt, dst)]);
+			}
+		}
+	}
+
+event smtp_reply(c: connection, is_orig: bool, code: count, cmd: string,
+			msg: string, cont_resp: bool)
+	{
+	local id = c$id;
+
+	if ( id !in smtp_sessions )
+		new_smtp_session(c);
+
+	local session = smtp_sessions[id];
+	local new_reply = F;
+
+	# Check entry before indexing.
+	if ( ! check_cmd_info(session) )
+		return;
+
+	if ( session$num_replies == 0 ||
+	     ! session$cmds[session$num_replies]$cont_reply )
+		{
+		++session$num_replies;
+		if ( session$num_replies !in session$cmds )
+			{
+			smtp_message(session, fmt("error: unmatched reply: %d %s (%s)",
+							code, msg, cmd));
+			return;
+			}
+
+		new_reply = T;
+		}
+
+	if ( ! check_cmd_info(session) )
+		return;
+
+	local cmd_info = session$cmds[session$num_replies];
+
+	if ( cmd_info$cmd != cmd )
+		{
+		smtp_message(session,
+			fmt("error: command mismatch: %s(%d) %s(%d), %s (%d %s)",
+				cmd_info$cmd, session$num_replies,
+				session$cmds[session$num_cmds], session$num_cmds,
+				cmd, code, msg));
+		return;
+		}
+
+	cmd_info$reply = code;
+	if ( new_reply )
+		cmd_info$reply_arg = msg;
+	else
+		cmd_info$reply_arg = cat(cmd_info$reply_arg, "\r\n", msg);
+
+	cmd_info$cont_reply = cont_resp;
+
+	local log_this_reply = cmd_info$log_reply;
+
+	if ( [cmd, code] !in smtp_expected_reply )
+		log_this_reply = T;
+
+	if ( log_this_reply && ! cont_resp )
+		smtp_log_reply(session, is_orig, "unusual command/reply", cmd_info);
+
+	#	else if ( cmd == "MAIL" && code == 250 )
+	#		smtp_command_mail(session, cmd_info);
+
+	else if ( cmd == "RCPT" )
+		{
+		if ( code == 250 || code == 554 )
+			smtp_command_rcpt(c, session, cmd_info);
+		}
+
+	else if ( cmd == "STARTTLS" && code == 220 )
+		{ # it'll now go encrypted - no more we can do.
+		skip_further_processing(c$id);
+		smtp_message(session, cmd);
+		}
+	}
+
+function reset_on_gap(session: smtp_session_info)
+	{
+	local i: count;
+
+	clear_table(session$cmds);
+
+	session$num_cmds = session$num_replies = 0;
+	session$in_data = F;
+	}
+
+event smtp_unexpected(c: connection, is_orig: bool, msg: string, detail: string)
+	{
+	local id = c$id;
+
+	if ( id !in smtp_sessions )
+		new_smtp_session(c);
+
+	local session = smtp_sessions[id];
+
+	smtp_log_msg(session, is_orig, fmt("unexpected: %s: %s", msg, detail));
+	}
+
+function clear_smtp_session(session: smtp_session_info)
+	{
+	clear_table(session$cmds);
+	}
+
+event content_gap(c: connection, is_orig: bool, seq: count, length: count)
+	{
+	if ( is_smtp_connection(c) )
+		{
+		local id = c$id;
+		if ( id !in smtp_sessions )
+			new_smtp_session(c);
+		local session = smtp_sessions[id];
+		session$content_gap = T;
+		reset_on_gap(session);
+		}
+	}
+
+event connection_finished(c: connection)
+	{
+	local id = c$id;
+	if ( id in smtp_sessions )
+		{
+		local session = smtp_sessions[id];
+		smtp_message(session, "finish");
+		clear_smtp_session(session);
+		delete smtp_sessions[id];
+		}
+	}
+
+event connection_state_remove(c: connection)
+	{
+	local id = c$id;
+	if ( id in smtp_sessions )
+		{
+		local session = smtp_sessions[id];
+		smtp_message(session, "state remove");
+		clear_smtp_session(session);
+		delete smtp_sessions[id];
+		}
+	}
+
+global rewrite_smtp_header_line:
+	function(c: connection, is_orig: bool,
+			session: smtp_session_info, line: string);
+
+function smtp_header_line(c: connection, is_orig: bool,
+				session: smtp_session_info, line: string)
+	{
+	if ( rewriting_smtp_trace )
+		rewrite_smtp_header_line(c, is_orig, session, line);
+	}
+
+function smtp_body_line(c: connection, is_orig: bool,
+			session: smtp_session_info, line: string)
+	{
+	++session$num_lines_in_body;
+	session$num_bytes_in_body =
+		session$num_bytes_in_body + byte_len(line) + 2; # including CRLF
+	}
+
+event smtp_data(c: connection, is_orig: bool, data: string)
+	{
+	local id = c$id;
+	if ( id in smtp_sessions )
+		{
+		local session = smtp_sessions[id];
+		# smtp_log_msg(session, is_orig, fmt("data: %s", data));
+		if ( session$in_header )
+			{
+			if ( data == "" )
+				{
+				session$in_header = F;
+				skip_smtp_data(c);
+				}
+			else
+				{
+				smtp_header_line(c, is_orig, session, data);
+				# smtp_log_msg(session, T, fmt("header: %s", data));
+				}
+			}
+		else
+			{
+			# smtp_body_line(c, is_orig, session, data);
+			}
+		}
+	}
+
+event bro_done()
+	{
+	clear_table(smtp_sessions);
+	}
diff --git a/policy/snort.bro b/policy/snort.bro
new file mode 100644
index 0000000000..16a173de13
--- /dev/null
+++ b/policy/snort.bro
@@ -0,0 +1,21 @@
+# $Id: snort.bro 720 2004-11-12 16:45:48Z rwinslow $
+#
+# Definitions needed for signatures converted by snort2bro.
+
+# Servers for some services.
+const dns_servers: set[subnet] = { local_nets } &redef;
+const http_servers: set[subnet] = { local_nets } &redef;
+const smtp_servers: set[subnet] = { local_nets } &redef;
+const telnet_servers: set[subnet] = { local_nets } &redef;
+const sql_servers: set[subnet] = { local_nets } &redef;
+
+const aim_servers: set[subnet] = {
+	64.12.24.0/24, 64.12.25.0/24, 64.12.26.14/24, 64.12.28.0/24,
+	64.12.29.0/24, 64.12.161.0/24, 64.12.163.0/24, 205.188.5.0/24,
+	205.188.9.0/24
+} &redef;
+
+# Ports for some services.
+const http_ports = { 80/tcp, 8000/tcp, 8001/tcp, 8080/tcp };
+const oracle_ports = { 1521/tcp };
+const non_shellcode_ports = { 80/tcp };
diff --git a/policy/software.bro b/policy/software.bro
new file mode 100644
index 0000000000..0bdeb824b7
--- /dev/null
+++ b/policy/software.bro
@@ -0,0 +1,172 @@
+# $Id: software.bro 4907 2007-09-23 23:44:07Z vern $
+#
+# Keeps track of the software running on hosts.
+
+@load site
+@load weird
+
+# Operational use of software.bro on a busy network can result in huge
+# data files.  By default creating a log file is turned off.
+global log_software = F &redef;
+
+# If true, then logging is confined to just software versions of local hosts.
+global only_report_local = T &redef;
+
+global software_file = open_log_file("software");
+
+# Invoked whenever we discover new software for a host (but not for a new
+# version of previously found software).
+global software_new: event(c: connection, host: addr, s: software,
+				descr: string);
+
+# Invoked whenever we discover a new version of previously discovered
+# software.
+global software_version_change: event(c: connection, host: addr, s: software,
+	old_version: software_version, descr: string);
+
+# Index is the name of the software.
+type software_set: table[string] of software;
+
+# You may or may not want to define a timeout for this.
+global software_table: table[addr] of software_set;
+
+# Some software can be installed twice on the same server
+# with different major numbers.
+global software_ident_by_major: set[string] = {
+	"PHP",
+	"WebSTAR",
+} &redef;
+
+# Compare two versions.
+#   Returns -1 for v1 < v2, 0 for v1 == v2, 1 for v1 > v2.
+#   If the numerical version numbers match, the addl string
+#   is compared lexicographically.
+function software_cmp_version(v1: software_version, v2: software_version): int
+	{
+	if ( v1$major < v2$major )
+		return -1;
+	if ( v1$major > v2$major )
+		return 1;
+
+	if ( v1$minor < v2$minor )
+		return -1;
+	if ( v1$minor > v2$minor )
+		return 1;
+
+	if ( v1$minor2 < v2$minor2 )
+		return -1;
+	if ( v1$minor2 > v2$minor2 )
+		return 1;
+
+	return strcmp(v1$addl, v2$addl);
+	}
+
+# Convert a version into a string "a.b.c-x".
+function software_fmt_version(v: software_version): string
+	{
+	return fmt("%s%s%s%s",
+			v$major >= 0 ? fmt("%d", v$major) : "",
+			v$minor >= 0 ? fmt(".%d", v$minor) : "",
+			v$minor2 >= 0 ? fmt(".%d", v$minor2) : "",
+			v$addl != "" ? fmt("-%s", v$addl) : "");
+	}
+
+# Convert a software into a string "name a.b.cx".
+function software_fmt(s: software): string
+	{
+	return fmt("%s %s", s$name, software_fmt_version(s$version));
+	}
+
+# Insert a mapping into the table
+# Overides old entries for the same software and generates events if needed.
+### FIXME: Do we need a software_unregister() as well?
+function software_register(c: connection, host: addr, s: software,
+				descr: string)
+	{
+	# Host already known?
+	if ( host !in software_table )
+		software_table[host] = set();
+
+	# If a software can be installed more than once on a host
+	# (with a different major version), we identify it by "<name>-<major>"
+	if ( s$name in software_ident_by_major && s$version$major >= 0 )
+		s$name = fmt("%s-%d", s$name, s$version$major);
+
+	local soft_set = software_table[host];
+
+	# Software already registered for this host?
+	if ( s$name in soft_set )
+		{
+		# Is it a different version?
+		local old = soft_set[s$name];
+		if ( software_cmp_version(old$version, s$version) != 0 )
+			event software_version_change(c, host, s, old$version,
+							descr);
+		}
+	else
+		event software_new(c, host, s, descr);
+
+	soft_set[s$name] = s;
+	}
+
+event software_version_found(c: connection, host: addr, s: software,
+				descr: string)
+	{
+	if ( ! only_report_local || is_local_addr(host) )
+		software_register(c, host, s, descr);
+	}
+
+function software_endpoint_name(c: connection, host: addr): string
+	{
+	return fmt("%s %s", host,
+			host == c$id$orig_h ? "client" : "server");
+	}
+
+event software_parse_error(c: connection, host: addr, descr: string)
+	{
+	if ( ! only_report_local || is_local_addr(host) )
+		{
+		# Here we need a little hack, since software_file is
+		# not always there.
+		local msg = fmt("%.6f %s: can't parse '%s'", network_time(),
+				software_endpoint_name(c, host), descr);
+
+		if ( log_software )
+			print software_file, msg;
+		else
+			print Weird::weird_file, msg;
+		}
+	}
+
+event software_new(c: connection, host: addr, s: software, descr: string)
+	{
+	if ( log_software )
+		{
+		print software_file, fmt("%.6f %s uses %s (%s)", network_time(),
+					software_endpoint_name(c, host),
+					software_fmt(s), descr);
+		}
+	}
+
+event software_version_change(c: connection, host: addr, s: software,
+				old_version: software_version, descr: string)
+	{
+	if ( log_software )
+		{
+		local msg = fmt("%.6f %s switched from %s to %s (%s)",
+				network_time(), software_endpoint_name(c, host),
+				software_fmt_version(old_version),
+				software_fmt(s), descr);
+
+		print software_file, msg;
+		}
+	}
+
+event software_unparsed_version_found(c: connection, host: addr, str: string)
+	{
+	if ( log_software )
+		{
+		print software_file, fmt("%.6f %s: [%s]", network_time(),
+					software_endpoint_name(c, host), str);
+		}
+	}
diff --git a/policy/ssh-stepping.bro b/policy/ssh-stepping.bro
new file mode 100644
index 0000000000..5658a56043
--- /dev/null
+++ b/policy/ssh-stepping.bro
@@ -0,0 +1,45 @@
+@load stepping
+
+redef capture_filters += { ["ssh-stepping"] = "tcp port 22" };
+
+module SSH_Stepping;
+
+# Keeps track of how many connections each source is responsible for.
+global ssh_src_cnt: table[addr] of count &default=0 &write_expire=15sec;
+
+export {
+	# Threshold above which we stop analyzing a source.
+	# Use 0 to never stop.
+	global src_fanout_no_stp_analysis_thresh = 100 &redef;
+}
+
+event connection_established(c: connection)
+	{
+	if ( c$id$resp_p == ssh )
+		{
+		# No point recording these, and they're potentially huge
+		# due to use of ssh for file transfers.
+		set_record_packets(c$id, F);
+
+		# Keep track of sources that create lots of connections
+		# so we can skip analyzing them - they're very likely
+		# uninteresting for stepping stones, and can present
+		# a large state burden.
+		local src = c$id$orig_h;
+		if ( ++ssh_src_cnt[src] == src_fanout_no_stp_analysis_thresh )
+			add stp_skip_src[src];
+
+		if ( ssh_src_cnt[src] == 1 )
+			# First entry.  It's possible this entry was set
+			# before and has now expired.  If so, stop skipping it.
+			delete stp_skip_src[src];
+		}
+	}
+
+event partial_connection(c: connection)
+	{
+	if ( c$id$orig_p == ssh || c$id$resp_p == ssh )
+		# No point recording these, and they're potentially huge
+		# due to use of ssh for file transfers.
+		set_record_packets(c$id, F);
+	}
diff --git a/policy/ssh.bro b/policy/ssh.bro
new file mode 100644
index 0000000000..5ebd075d7f
--- /dev/null
+++ b/policy/ssh.bro
@@ -0,0 +1,41 @@
+# $Id: ssh.bro 6588 2009-02-17 00:02:53Z vern $
+
+module SSH;
+
+export {
+	# If true, we tell the event engine to not look at further data
+	# packets after the initial SSH handshake. Helps with performance
+	# (especially with large file transfers) but precludes some
+	# kinds of analyses (e.g., tracking connection size).
+	const skip_processing_after_handshake = T &redef;
+
+	global ssh_ports = { 22/tcp } &redef;
+}
+
+redef capture_filters += { ["ssh"] = "tcp port 22" };
+
+redef dpd_config += { [ANALYZER_SSH] = [$ports = ssh_ports] };
+
+const ssh_log = open_log_file("ssh") &redef;
+
+# Indexed by address and T for client, F for server.
+global did_ssh_version: table[addr, bool] of count
+				&default = 0 &read_expire = 7 days;
+
+event ssh_client_version(c: connection, version: string)
+	{
+	if ( ++did_ssh_version[c$id$orig_h, T] == 1 )
+		print ssh_log, fmt("%s %s \"%s\"", c$id$orig_h, "C", version);
+
+	if ( skip_processing_after_handshake )
+		{
+		skip_further_processing(c$id);
+		set_record_packets(c$id, F);
+		}
+	}
+
+event ssh_server_version(c: connection, version: string)
+	{
+	if ( ++did_ssh_version[c$id$resp_h, F] == 1 )
+		print ssh_log, fmt("%s %s \"%s\"", c$id$resp_h, "S", version);
+	}
diff --git a/policy/ssl-alerts.bro b/policy/ssl-alerts.bro
new file mode 100644
index 0000000000..1a0d65dead
--- /dev/null
+++ b/policy/ssl-alerts.bro
@@ -0,0 +1,120 @@
+# $Id: ssl-alerts.bro 416 2004-09-17 03:52:28Z vern $
+#
+# Interface for SSL/TLS support.
+
+# --- constant definitions of the SSL/TLS alert/error records ---
+
+# --- Error descriptions for SSLv2.
+const SSLv2_PE_NO_CIPHER = 0x0001;
+const SSLv2_PE_NO_CERTIFICATE = 0x0002;
+const SSLv2_PE_BAD_CERTIFICATE = 0x0004;
+const SSLv2_PE_UNSUPPORTED_CERTIFICATE_TYPE = 0x0006;
+
+# --- Alert descriptions in SSLv3.0 and SSLv3.1.
+const SSLv3x_ALERT_DESCR_CLOSE_NOTIFY = 0;
+const SSLv3x_ALERT_DESCR_UNEXPECTED_MESSSAGE = 10;
+const SSLv3x_ALERT_DESCR_BAD_RECORD_MAC = 20;
+const SSLv3x_ALERT_DESCR_DECOMPRESSION_FAILURE = 30;
+const SSLv3x_ALERT_DESCR_HANDSHAKE_FAILURE = 40;
+const SSLv3x_ALERT_DESCR_BAD_CERTIFICATE = 42;
+const SSLv3x_ALERT_DESCR_UNSUPPORTED_CERTIFICATE = 43;
+const SSLv3x_ALERT_DESCR_CERTIFICATE_REVOKED = 44;
+const SSLv3x_ALERT_DESCR_CERTIFICATE_EXPIRED = 45;
+const SSLv3x_ALERT_DESCR_CERTIFICATE_UNKNOWN = 46;
+
+# --- Alert descriptions only in SSLv3.0.
+const SSLv30_ALERT_DESCR_NO_CERTIFICATE = 41;
+
+# --- Alert descriptions only in SSLv3.1.
+const SSLv31_ALERT_DESCR_DESCRYPTION_FAILED = 21;
+const SSLv31_ALERT_DESCR_RECORD_OVERFLOW = 22;
+const SSLv31_ALERT_DESCR_ILLEGAL_PARAMETER = 47;
+const SSLv31_ALERT_DESCR_UNKNOWN_CA = 48;
+const SSLv31_ALERT_DESCR_ACCESS_DENIED = 49;
+const SSLv31_ALERT_DESCR_DECODE_ERROR = 50;
+const SSLv31_ALERT_DESCR_DECRYPT_ERROR = 51;
+const SSLv31_ALERT_DESCR_EXPORT_RESTRICTION = 60;
+const SSLv31_ALERT_DESCR_PROTOCOL_VERSION = 70;
+const SSLv31_ALERT_DESCR_INSUFFICIENT_SECURITY = 71;
+const SSLv31_ALERT_DESCR_INTERNAL_ERROR = 80;
+const SSLv31_ALERT_DESCR_USER_CANCELED = 90;
+const SSLv31_ALERT_DESCR_NO_RENEGOTIATION = 100;
+
+# --- This is a table of all known alert descriptions.
+# --- It can be used for detecting unknown alerts and for
+# --- converting the alert descriptions constants into a human readable format.
+
+const ssl_alert_desc: table[count] of string = {
+	# --- SSLv2
+	[SSLv2_PE_NO_CIPHER] = "SSLv2_PE_NO_CIPHER",
+	[SSLv2_PE_NO_CERTIFICATE] = "SSLv2_PE_NO_CERTIFICATE",
+	[SSLv2_PE_BAD_CERTIFICATE] = "SSLv2_PE_BAD_CERTIFICATE",
+	[SSLv2_PE_UNSUPPORTED_CERTIFICATE_TYPE] =
+		"SSLv2_PE_UNSUPPORTED_CERTIFICATE_TYPE",
+
+	# --- sslv30
+	[SSLv30_ALERT_DESCR_NO_CERTIFICATE] =
+		"SSLv30_ALERT_DESCR_NO_CERTIFICATE",
+
+	# --- sslv31
+	[SSLv31_ALERT_DESCR_DESCRYPTION_FAILED] =
+		"SSLv31_ALERT_DESCR_DESCRYPTION_FAILED",
+	[SSLv31_ALERT_DESCR_RECORD_OVERFLOW] =
+		"SSLv31_ALERT_DESCR_RECORD_OVERFLOW",
+	[SSLv31_ALERT_DESCR_ILLEGAL_PARAMETER] =
+		"SSLv31_ALERT_DESCR_ILLEGAL_PARAMETER",
+	[SSLv31_ALERT_DESCR_UNKNOWN_CA] = "SSLv31_ALERT_DESCR_UNKNOWN_CA",
+	[SSLv31_ALERT_DESCR_ACCESS_DENIED] = "SSLv31_ALERT_DESCR_ACCESS_DENIED",
+	[SSLv31_ALERT_DESCR_DECODE_ERROR] = "SSLv31_ALERT_DESCR_DECODE_ERROR",
+	[SSLv31_ALERT_DESCR_DECRYPT_ERROR] = "SSLv31_ALERT_DESCR_DECRYPT_ERROR",
+	[SSLv31_ALERT_DESCR_EXPORT_RESTRICTION] =
+		"SSLv31_ALERT_DESCR_EXPORT_RESTRICTION",
+	[SSLv31_ALERT_DESCR_PROTOCOL_VERSION] =
+		"SSLv31_ALERT_DESCR_PROTOCOL_VERSION",
+	[SSLv31_ALERT_DESCR_INSUFFICIENT_SECURITY] =
+		"SSLv31_ALERT_DESCR_INSUFFICIENT_SECURITY",
+	[SSLv31_ALERT_DESCR_INTERNAL_ERROR] =
+		"SSLv31_ALERT_DESCR_INTERNAL_ERROR",
+	[SSLv31_ALERT_DESCR_USER_CANCELED] =
+		"SSLv31_ALERT_DESCR_USER_CANCELED",
+	[SSLv31_ALERT_DESCR_NO_RENEGOTIATION] =
+		"SSLv31_ALERT_DESCR_NO_RENEGOTIATION",
+
+	# -- sslv3.0 and sslv3.1
+	[SSLv3x_ALERT_DESCR_CLOSE_NOTIFY] = "SSLv3x_ALERT_DESCR_CLOSE_NOTIFY",
+	[SSLv3x_ALERT_DESCR_UNEXPECTED_MESSSAGE] =
+		"SSLv3x_ALERT_DESCR_UNEXPECTED_MESSSAGE",
+	[SSLv3x_ALERT_DESCR_BAD_RECORD_MAC] =
+		"SSLv3x_ALERT_DESCR_BAD_RECORD_MAC",
+	[SSLv3x_ALERT_DESCR_DECOMPRESSION_FAILURE] =
+		"SSLv3x_ALERT_DESCR_DECOMPRESSION_FAILURE",
+	[SSLv3x_ALERT_DESCR_HANDSHAKE_FAILURE] =
+		"SSLv3x_ALERT_DESCR_HANDSHAKE_FAILURE",
+	[SSLv3x_ALERT_DESCR_BAD_CERTIFICATE] =
+		"SSLv3x_ALERT_DESCR_BAD_CERTIFICATE",
+	[SSLv3x_ALERT_DESCR_UNSUPPORTED_CERTIFICATE] =
+		"SSLv3x_ALERT_DESCR_UNSUPPORTED_CERTIFICATE",
+	[SSLv3x_ALERT_DESCR_CERTIFICATE_REVOKED] =
+		"SSLv3x_ALERT_DESCR_CERTIFICATE_REVOKED",
+	[SSLv3x_ALERT_DESCR_CERTIFICATE_EXPIRED] =
+		"SSLv3x_ALERT_DESCR_CERTIFICATE_EXPIRED",
+	[SSLv3x_ALERT_DESCR_CERTIFICATE_UNKNOWN] =
+		"SSLv3x_ALERT_DESCR_CERTIFICATE_UNKNOWN",
+};
+
+# --- definitions for SSLv2 error levels:
+# NOTE: We currently use the SSLv3x alert levels "WARNING" and "FATAL"
+#       for SSLv2, since SSLv2 does not support an explicit error level.
+
+# --- definitions for SSLv3.0/SSLv3.1 alert levels
+const SSLv3x_ALERT_LEVEL_WARNING = 1;
+const SSLv3x_ALERT_LEVEL_FATAL = 2;
+
+# --- This is a table of all known alert levels.
+# --- It can be used for detecting unknown alert levels and for
+# --- converting the alert level constants into a human readable format.
+
+const ssl_alert_level: table[count] of string = {
+	[SSLv3x_ALERT_LEVEL_WARNING] = "SSLv3x_ALERT_LEVEL_WARNING",
+	[SSLv3x_ALERT_LEVEL_FATAL] = "SSLv3x_ALERT_LEVEL_FATAL",
+};
diff --git a/policy/ssl-ciphers.bro b/policy/ssl-ciphers.bro
new file mode 100644
index 0000000000..143244d364
--- /dev/null
+++ b/policy/ssl-ciphers.bro
@@ -0,0 +1,485 @@
+# $Id: ssl-ciphers.bro 5857 2008-06-26 23:00:03Z vern $
+
+# --- constant definitions of the cipher specs ---
+
+# --- sslv2 ---
+const SSLv20_CK_RC4_128_WITH_MD5 = 0x010080;
+const SSLv20_CK_RC4_128_EXPORT40_WITH_MD5 = 0x020080;
+const SSLv20_CK_RC2_128_CBC_WITH_MD5 = 0x030080;
+const SSLv20_CK_RC2_128_CBC_EXPORT40_WITH_MD5 = 0x040080;
+const SSLv20_CK_IDEA_128_CBC_WITH_MD5 = 0x050080;
+const SSLv20_CK_DES_64_CBC_WITH_MD5 = 0x060040;
+const SSLv20_CK_DES_192_EDE3_CBC_WITH_MD5 = 0x0700C0;
+
+# --- sslv3x ---
+
+const SSLv3x_NULL_WITH_NULL_NULL  = 0x0000;
+
+# The following CipherSuite definitions require that the server
+# provide an RSA certificate that can be used for key exchange.  The
+# server may request either an RSA or a DSS signature-capable
+# certificate in the certificate request message.
+
+const SSLv3x_RSA_WITH_NULL_MD5 = 0x0001;
+const SSLv3x_RSA_WITH_NULL_SHA = 0x0002;
+const SSLv3x_RSA_EXPORT_WITH_RC4_40_MD5 = 0x0003;
+const SSLv3x_RSA_WITH_RC4_128_MD5 = 0x0004;
+const SSLv3x_RSA_WITH_RC4_128_SHA = 0x0005;
+const SSLv3x_RSA_EXPORT_WITH_RC2_CBC_40_MD5 = 0x0006;
+const SSLv3x_RSA_WITH_IDEA_CBC_SHA = 0x0007;
+const SSLv3x_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x0008;
+const SSLv3x_RSA_WITH_DES_CBC_SHA = 0x0009;
+const SSLv3x_RSA_WITH_3DES_EDE_CBC_SHA = 0x000A;
+
+# The following CipherSuite definitions are used for
+# server-authenticated (and optionally client-authenticated)
+# Diffie-Hellman.  DH denotes cipher suites in which the server's
+# certificate contains the Diffie-Hellman parameters signed by the
+# certificate authority (CA).  DHE denotes ephemeral Diffie-Hellman,
+# where the Diffie-Hellman parameters are signed by a DSS or RSA
+# certificate, which has been signed by the CA.  The signing
+# algorithm used is specified after the DH or DHE parameter.  In all
+# cases, the client must have the same type of certificate, and must
+# use the Diffie-Hellman parameters chosen by the server.
+
+const SSLv3x_DH_DSS_EXPORT_WITH_DES40_CBC_SHA = 0x000B;
+const SSLv3x_DH_DSS_WITH_DES_CBC_SHA = 0x000C;
+const SSLv3x_DH_DSS_WITH_3DES_EDE_CBC_SHA = 0x000D;
+const SSLv3x_DH_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x000E;
+const SSLv3x_DH_RSA_WITH_DES_CBC_SHA = 0x000F;
+const SSLv3x_DH_RSA_WITH_3DES_EDE_CBC_SHA = 0x0010;
+const SSLv3x_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA = 0x0011;
+const SSLv3x_DHE_DSS_WITH_DES_CBC_SHA = 0x0012;
+const SSLv3x_DHE_DSS_WITH_3DES_EDE_CBC_SHA = 0x0013;
+const SSLv3x_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x0014;
+const SSLv3x_DHE_RSA_WITH_DES_CBC_SHA = 0x0015;
+const SSLv3x_DHE_RSA_WITH_3DES_EDE_CBC_SHA = 0x0016;
+
+#  The following cipher suites are used for completely anonymous
+#  Diffie-Hellman communications in which neither party is
+#  authenticated.  Note that this mode is vulnerable to
+#  man-in-the-middle attacks and is therefore strongly discouraged.
+
+const SSLv3x_DH_anon_EXPORT_WITH_RC4_40_MD5 = 0x0017;
+const SSLv3x_DH_anon_WITH_RC4_128_MD5 = 0x0018;
+const SSLv3x_DH_anon_EXPORT_WITH_DES40_CBC_SHA = 0x0019;
+const SSLv3x_DH_anon_WITH_DES_CBC_SHA = 0x001A;
+const SSLv3x_DH_anon_WITH_3DES_EDE_CBC_SHA = 0x001B;
+
+#   The final cipher suites are for the FORTEZZA token.
+
+const SSLv3x_FORTEZZA_KEA_WITH_NULL_SHA = 0x001C;
+const SSLv3x_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA = 0x001D;
+# This seems to be assigned to a Kerberos cipher in TLS 1.1
+#const SSLv3x_FORTEZZA_KEA_WITH_RC4_128_SHA = 0x001E; 
+
+
+# Following are some newer ciphers defined in RFC 4346 (TLS 1.1)
+
+# Kerberos ciphers
+
+const SSLv3x_KRB5_WITH_DES_CBC_SHA           = 0x001E;
+const SSLv3x_KRB5_WITH_3DES_EDE_CBC_SHA      = 0x001F;
+const SSLv3x_KRB5_WITH_RC4_128_SHA           = 0x0020;
+const SSLv3x_KRB5_WITH_IDEA_CBC_SHA          = 0x0021;
+const SSLv3x_KRB5_WITH_DES_CBC_MD5           = 0x0022;
+const SSLv3x_KRB5_WITH_3DES_EDE_CBC_MD5      = 0x0023;
+const SSLv3x_KRB5_WITH_RC4_128_MD5           = 0x0024;
+const SSLv3x_KRB5_WITH_IDEA_CBC_MD5          = 0x0025;
+
+# Kerberos export ciphers
+
+const SSLv3x_KRB5_EXPORT_WITH_DES_CBC_40_SHA = 0x0026;
+const SSLv3x_KRB5_EXPORT_WITH_RC2_CBC_40_SHA = 0x0027;
+const SSLv3x_KRB5_EXPORT_WITH_RC4_40_SHA     = 0x0028;
+const SSLv3x_KRB5_EXPORT_WITH_DES_CBC_40_MD5 = 0x0029;
+const SSLv3x_KRB5_EXPORT_WITH_RC2_CBC_40_MD5 = 0x002A;
+const SSLv3x_KRB5_EXPORT_WITH_RC4_40_MD5     = 0x002B;
+
+
+# AES ciphers
+
+const SSLv3x_RSA_WITH_AES_128_CBC_SHA        = 0x002F;
+const SSLv3x_DH_DSS_WITH_AES_128_CBC_SHA     = 0x0030;
+const SSLv3x_DH_RSA_WITH_AES_128_CBC_SHA     = 0x0031;
+const SSLv3x_DHE_DSS_WITH_AES_128_CBC_SHA    = 0x0032;
+const SSLv3x_DHE_RSA_WITH_AES_128_CBC_SHA    = 0x0033;
+const SSLv3x_DH_anon_WITH_AES_128_CBC_SHA    = 0x0034;
+const SSLv3x_RSA_WITH_AES_256_CBC_SHA        = 0x0035;
+const SSLv3x_DH_DSS_WITH_AES_256_CBC_SHA     = 0x0036;
+const SSLv3x_DH_RSA_WITH_AES_256_CBC_SHA     = 0x0037;
+const SSLv3x_DHE_DSS_WITH_AES_256_CBC_SHA    = 0x0038;
+const SSLv3x_DHE_RSA_WITH_AES_256_CBC_SHA    = 0x0039;
+const SSLv3x_DH_anon_WITH_AES_256_CBC_SHA    = 0x003A;
+
+# Mostly more RFC defined suites
+const TLS_RSA_WITH_CAMELLIA_128_CBC_SHA      = 0x0041; # [RFC4132]
+const TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA   = 0x0042; # [RFC4132]
+const TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA   = 0x0043; # [RFC4132]
+const TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA  = 0x0044; # [RFC4132]
+const TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA  = 0x0045; # [RFC4132]
+const TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA  = 0x0046; # [RFC4132]
+
+# The following are tagged as "Widely Deployed implementation":
+const TLS_ECDH_ECDSA_WITH_NULL_SHA           = 0x0047;
+const TLS_ECDH_ECDSA_WITH_RC4_128_SHA        = 0x0048;
+const TLS_ECDH_ECDSA_WITH_DES_CBC_SHA        = 0x0049;
+const TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA   = 0x004A;
+const TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA    = 0x004B;
+const TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA    = 0x004C;
+const TLS_CK_RSA_EXPORT1024_WITH_RC4_56_MD5       = 0x0060;
+const TLS_CK_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5   = 0x0061;
+const TLS_CK_RSA_EXPORT1024_WITH_DES_CBC_SHA      = 0x0062;
+const TLS_CK_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA  = 0x0063;
+const TLS_CK_RSA_EXPORT1024_WITH_RC4_56_SHA       = 0x0064;
+const TLS_CK_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA   = 0x0065;
+const TLS_CK_DHE_DSS_WITH_RC4_128_SHA             = 0x0066;
+
+const TLS_RSA_WITH_CAMELLIA_256_CBC_SHA      = 0x0084; # [RFC4132]
+const TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA   = 0x0085; # [RFC4132]
+const TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA   = 0x0086; # [RFC4132]
+const TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA  = 0x0087; # [RFC4132]
+const TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA  = 0x0088; # [RFC4132]
+const TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA  = 0x0089; # [RFC4132]
+const TLS_PSK_WITH_RC4_128_SHA               = 0x008A; # [RFC4279]
+const TLS_PSK_WITH_3DES_EDE_CBC_SHA          = 0x008B; # [RFC4279]
+const TLS_PSK_WITH_AES_128_CBC_SHA           = 0x008C; # [RFC4279]
+const TLS_PSK_WITH_AES_256_CBC_SHA           = 0x008D; # [RFC4279]
+const TLS_DHE_PSK_WITH_RC4_128_SHA           = 0x008E; # [RFC4279]
+const TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA      = 0x008F; # [RFC4279]
+const TLS_DHE_PSK_WITH_AES_128_CBC_SHA       = 0x0090; # [RFC4279]
+const TLS_DHE_PSK_WITH_AES_256_CBC_SHA       = 0x0091; # [RFC4279]
+const TLS_RSA_PSK_WITH_RC4_128_SHA           = 0x0092; # [RFC4279]
+const TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA      = 0x0093; # [RFC4279]
+const TLS_RSA_PSK_WITH_AES_128_CBC_SHA       = 0x0094; # [RFC4279]
+const TLS_RSA_PSK_WITH_AES_256_CBC_SHA       = 0x0095; # [RFC4279]
+const TLS_RSA_WITH_SEED_CBC_SHA              = 0x0096; # [RFC4162]
+const TLS_DH_DSS_WITH_SEED_CBC_SHA           = 0x0097; # [RFC4162]
+const TLS_DH_RSA_WITH_SEED_CBC_SHA           = 0x0098; # [RFC4162]
+const TLS_DHE_DSS_WITH_SEED_CBC_SHA          = 0x0099; # [RFC4162]
+const TLS_DHE_RSA_WITH_SEED_CBC_SHA          = 0x009A; # [RFC4162]
+const TLS_DH_anon_WITH_SEED_CBC_SHA          = 0x009B; # [RFC4162]
+
+
+# Cipher specifications native to TLS can be included in Version 2.0 client
+# hello messages using the syntax below. Any V2CipherSpec element with its
+# first byte equal to zero will be ignored by Version 2.0 servers. Clients
+# sending any of the above V2CipherSpecs should also include the TLS equivalent
+# (see Appendix A.5):
+# V2CipherSpec (see TLS name) = { 0x00, CipherSuite };
+
+
+# --- This is a table of all known cipher specs.
+# --- It can be used for detecting unknown ciphers and for
+# --- converting the cipher spec constants into a human readable format.
+
+const ssl_cipher_desc: table[count] of string = {
+	# --- sslv20 ---
+	[SSLv20_CK_RC4_128_EXPORT40_WITH_MD5] =
+		"SSLv20_CK_RC4_128_EXPORT40_WITH_MD5",
+	[SSLv20_CK_RC4_128_WITH_MD5] = "SSLv20_CK_RC4_128_WITH_MD5",
+	[SSLv20_CK_RC2_128_CBC_WITH_MD5] = "SSLv20_CK_RC2_128_CBC_WITH_MD5",
+	[SSLv20_CK_RC2_128_CBC_EXPORT40_WITH_MD5] =
+		"SSLv20_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
+	[SSLv20_CK_IDEA_128_CBC_WITH_MD5] = "SSLv20_CK_IDEA_128_CBC_WITH_MD5",
+	[SSLv20_CK_DES_192_EDE3_CBC_WITH_MD5] =
+		"SSLv20_CK_DES_192_EDE3_CBC_WITH_MD5",
+	[SSLv20_CK_DES_64_CBC_WITH_MD5] = "SSLv20_CK_DES_64_CBC_WITH_MD5",
+
+	# --- sslv3x ---
+	[SSLv3x_NULL_WITH_NULL_NULL] = "SSLv3x_NULL_WITH_NULL_NULL",
+
+	[SSLv3x_RSA_WITH_NULL_MD5] = "SSLv3x_RSA_WITH_NULL_MD5",
+	[SSLv3x_RSA_WITH_NULL_SHA] = "SSLv3x_RSA_WITH_NULL_SHA",
+	[SSLv3x_RSA_EXPORT_WITH_RC4_40_MD5] =
+		"SSLv3x_RSA_EXPORT_WITH_RC4_40_MD5",
+	[SSLv3x_RSA_WITH_RC4_128_MD5] = "SSLv3x_RSA_WITH_RC4_128_MD5",
+	[SSLv3x_RSA_WITH_RC4_128_SHA] = "SSLv3x_RSA_WITH_RC4_128_SHA",
+	[SSLv3x_RSA_EXPORT_WITH_RC2_CBC_40_MD5] =
+		"SSLv3x_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
+	[SSLv3x_RSA_WITH_IDEA_CBC_SHA] = "SSLv3x_RSA_WITH_IDEA_CBC_SHA",
+	[SSLv3x_RSA_EXPORT_WITH_DES40_CBC_SHA] =
+		"SSLv3x_RSA_EXPORT_WITH_DES40_CBC_SHA",
+	[SSLv3x_RSA_WITH_DES_CBC_SHA] = "SSLv3x_RSA_WITH_DES_CBC_SHA",
+	[SSLv3x_RSA_WITH_3DES_EDE_CBC_SHA] = "SSLv3x_RSA_WITH_3DES_EDE_CBC_SHA",
+
+	[SSLv3x_DH_DSS_EXPORT_WITH_DES40_CBC_SHA] =
+		"SSLv3x_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
+	[SSLv3x_DH_DSS_WITH_DES_CBC_SHA] = "SSLv3x_DH_DSS_WITH_DES_CBC_SHA",
+	[SSLv3x_DH_DSS_WITH_3DES_EDE_CBC_SHA] =
+		"SSLv3x_DH_DSS_WITH_3DES_EDE_CBC_SHA",
+	[SSLv3x_DH_RSA_EXPORT_WITH_DES40_CBC_SHA] =
+		"SSLv3x_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
+	[SSLv3x_DH_RSA_WITH_DES_CBC_SHA] = "SSLv3x_DH_RSA_WITH_DES_CBC_SHA",
+	[SSLv3x_DH_RSA_WITH_3DES_EDE_CBC_SHA] =
+		"SSLv3x_DH_RSA_WITH_3DES_EDE_CBC_SHA",
+	[SSLv3x_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA] =
+		"SSLv3x_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
+	[SSLv3x_DHE_DSS_WITH_DES_CBC_SHA] = "SSLv3x_DHE_DSS_WITH_DES_CBC_SHA",
+	[SSLv3x_DHE_DSS_WITH_3DES_EDE_CBC_SHA] =
+		"SSLv3x_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
+	[SSLv3x_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA] =
+		"SSLv3x_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
+	[SSLv3x_DHE_RSA_WITH_DES_CBC_SHA] = "SSLv3x_DHE_RSA_WITH_DES_CBC_SHA",
+	[SSLv3x_DHE_RSA_WITH_3DES_EDE_CBC_SHA] =
+		"SSLv3x_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
+
+	[SSLv3x_DH_anon_EXPORT_WITH_RC4_40_MD5] =
+		"SSLv3x_DH_anon_EXPORT_WITH_RC4_40_MD5",
+	[SSLv3x_DH_anon_WITH_RC4_128_MD5] = "SSLv3x_DH_anon_WITH_RC4_128_MD5",
+	[SSLv3x_DH_anon_EXPORT_WITH_DES40_CBC_SHA] =
+		"SSLv3x_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
+	[SSLv3x_DH_anon_WITH_DES_CBC_SHA] = "SSLv3x_DH_anon_WITH_DES_CBC_SHA",
+	[SSLv3x_DH_anon_WITH_3DES_EDE_CBC_SHA] =
+		"SSLv3x_DH_anon_WITH_3DES_EDE_CBC_SHA",
+
+	[SSLv3x_FORTEZZA_KEA_WITH_NULL_SHA] =
+		"SSLv3x_FORTEZZA_KEA_WITH_NULL_SHA",
+	[SSLv3x_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA] =
+		"SSLv3x_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA",
+	[SSLv3x_KRB5_WITH_DES_CBC_SHA] =
+		"SSLv3x_KRB5_WITH_DES_CBC_SHA",
+	[SSLv3x_KRB5_WITH_3DES_EDE_CBC_SHA] =
+		"SSLv3x_KRB5_WITH_3DES_EDE_CBC_SHA",
+	[SSLv3x_KRB5_WITH_RC4_128_SHA] =
+		"SSLv3x_KRB5_WITH_RC4_128_SHA",
+	[SSLv3x_KRB5_WITH_IDEA_CBC_SHA] =
+		"SSLv3x_KRB5_WITH_IDEA_CBC_SHA",
+	[SSLv3x_KRB5_WITH_DES_CBC_MD5] =
+		"SSLv3x_KRB5_WITH_DES_CBC_MD5",
+	[SSLv3x_KRB5_WITH_3DES_EDE_CBC_MD5] =
+		"SSLv3x_KRB5_WITH_3DES_EDE_CBC_MD5",
+	[SSLv3x_KRB5_WITH_RC4_128_MD5] =
+		"SSLv3x_KRB5_WITH_RC4_128_MD5",
+	[SSLv3x_KRB5_WITH_IDEA_CBC_MD5] =
+		"SSLv3x_KRB5_WITH_IDEA_CBC_MD5",
+	[SSLv3x_KRB5_EXPORT_WITH_DES_CBC_40_SHA] =
+		"SSLv3x_KRB5_EXPORT_WITH_DES_CBC_40_SHA",
+	[SSLv3x_KRB5_EXPORT_WITH_RC2_CBC_40_SHA] =
+		"SSLv3x_KRB5_EXPORT_WITH_RC2_CBC_40_SHA",
+	[SSLv3x_KRB5_EXPORT_WITH_RC4_40_SHA] =
+		"SSLv3x_KRB5_EXPORT_WITH_RC4_40_SHA",
+	[SSLv3x_KRB5_EXPORT_WITH_DES_CBC_40_MD5] =
+		"SSLv3x_KRB5_EXPORT_WITH_DES_CBC_40_MD5",
+	[SSLv3x_KRB5_EXPORT_WITH_RC2_CBC_40_MD5] =
+		"SSLv3x_KRB5_EXPORT_WITH_RC2_CBC_40_MD5",
+	[SSLv3x_KRB5_EXPORT_WITH_RC4_40_MD5] =
+		"SSLv3x_KRB5_EXPORT_WITH_RC4_40_MD5",
+	[SSLv3x_RSA_WITH_AES_128_CBC_SHA] =
+		"SSLv3x_RSA_WITH_AES_128_CBC_SHA",
+	[SSLv3x_DH_DSS_WITH_AES_128_CBC_SHA] =
+		"SSLv3x_DH_DSS_WITH_AES_128_CBC_SHA",
+	[SSLv3x_DH_RSA_WITH_AES_128_CBC_SHA] =
+		"SSLv3x_DH_RSA_WITH_AES_128_CBC_SHA",
+	[SSLv3x_DHE_DSS_WITH_AES_128_CBC_SHA] =
+		"SSLv3x_DHE_DSS_WITH_AES_128_CBC_SHA",
+	[SSLv3x_DHE_RSA_WITH_AES_128_CBC_SHA] =
+		"SSLv3x_DHE_RSA_WITH_AES_128_CBC_SHA",
+	[SSLv3x_DH_anon_WITH_AES_128_CBC_SHA] =
+		"SSLv3x_DH_anon_WITH_AES_128_CBC_SHA",
+	[SSLv3x_RSA_WITH_AES_256_CBC_SHA] =
+		"SSLv3x_RSA_WITH_AES_256_CBC_SHA",
+	[SSLv3x_DH_DSS_WITH_AES_256_CBC_SHA] =
+		"SSLv3x_DH_DSS_WITH_AES_256_CBC_SHA",
+	[SSLv3x_DH_RSA_WITH_AES_256_CBC_SHA] =
+		"SSLv3x_DH_RSA_WITH_AES_256_CBC_SHA",
+	[SSLv3x_DHE_DSS_WITH_AES_256_CBC_SHA] =
+		"SSLv3x_DHE_DSS_WITH_AES_256_CBC_SHA",
+	[SSLv3x_DHE_RSA_WITH_AES_256_CBC_SHA] =
+		"SSLv3x_DHE_RSA_WITH_AES_256_CBC_SHA",
+	[SSLv3x_DH_anon_WITH_AES_256_CBC_SHA] =
+		"SSLv3x_DH_anon_WITH_AES_256_CBC_SHA",
+		
+    [TLS_RSA_WITH_CAMELLIA_128_CBC_SHA] = 
+        "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA",
+    [TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA] = 
+        "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA",
+    [TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA] = 
+        "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA",
+    [TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA] = 
+        "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA",
+    [TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA] = 
+        "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA",
+    [TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA] = 
+        "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA",
+    [TLS_ECDH_ECDSA_WITH_NULL_SHA] = 
+        "TLS_ECDH_ECDSA_WITH_NULL_SHA",
+    [TLS_ECDH_ECDSA_WITH_RC4_128_SHA] = 
+        "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
+    [TLS_ECDH_ECDSA_WITH_DES_CBC_SHA] = 
+        "TLS_ECDH_ECDSA_WITH_DES_CBC_SHA",
+    [TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA] = 
+        "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA",
+    [TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA] = 
+        "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
+    [TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA] = 
+        "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
+    [TLS_CK_RSA_EXPORT1024_WITH_RC4_56_MD5] = 
+        "TLS_CK_RSA_EXPORT1024_WITH_RC4_56_MD5",
+    [TLS_CK_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5] = 
+        "TLS_CK_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5",
+    [TLS_CK_RSA_EXPORT1024_WITH_DES_CBC_SHA] = 
+        "TLS_CK_RSA_EXPORT1024_WITH_DES_CBC_SHA",
+    [TLS_CK_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA] = 
+        "TLS_CK_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA",
+    [TLS_CK_RSA_EXPORT1024_WITH_RC4_56_SHA] = 
+        "TLS_CK_RSA_EXPORT1024_WITH_RC4_56_SHA",
+    [TLS_CK_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA] = 
+        "TLS_CK_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA",
+    [TLS_CK_DHE_DSS_WITH_RC4_128_SHA] = 
+        "TLS_CK_DHE_DSS_WITH_RC4_128_SHA",
+    [TLS_RSA_WITH_CAMELLIA_256_CBC_SHA] = 
+        "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA",
+    [TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA] = 
+        "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA",
+    [TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA] = 
+        "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA",
+    [TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA] = 
+        "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA",
+    [TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA] = 
+        "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA",
+    [TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA] = 
+        "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA",
+    [TLS_PSK_WITH_RC4_128_SHA] = 
+        "TLS_PSK_WITH_RC4_128_SHA",
+    [TLS_PSK_WITH_3DES_EDE_CBC_SHA] = 
+        "TLS_PSK_WITH_3DES_EDE_CBC_SHA",
+    [TLS_PSK_WITH_AES_128_CBC_SHA] = 
+        "TLS_PSK_WITH_AES_128_CBC_SHA",
+    [TLS_PSK_WITH_AES_256_CBC_SHA] = 
+        "TLS_PSK_WITH_AES_256_CBC_SHA",
+    [TLS_DHE_PSK_WITH_RC4_128_SHA] = 
+        "TLS_DHE_PSK_WITH_RC4_128_SHA",
+    [TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA] = 
+        "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA",
+    [TLS_DHE_PSK_WITH_AES_128_CBC_SHA] = 
+        "TLS_DHE_PSK_WITH_AES_128_CBC_SHA",
+    [TLS_DHE_PSK_WITH_AES_256_CBC_SHA] = 
+        "TLS_DHE_PSK_WITH_AES_256_CBC_SHA",
+    [TLS_RSA_PSK_WITH_RC4_128_SHA] = 
+        "TLS_RSA_PSK_WITH_RC4_128_SHA",
+    [TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA] = 
+        "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA",
+    [TLS_RSA_PSK_WITH_AES_128_CBC_SHA] = 
+        "TLS_RSA_PSK_WITH_AES_128_CBC_SHA",
+    [TLS_RSA_PSK_WITH_AES_256_CBC_SHA] = 
+        "TLS_RSA_PSK_WITH_AES_256_CBC_SHA",
+    [TLS_RSA_WITH_SEED_CBC_SHA] = 
+        "TLS_RSA_WITH_SEED_CBC_SHA",
+    [TLS_DH_DSS_WITH_SEED_CBC_SHA] = 
+        "TLS_DH_DSS_WITH_SEED_CBC_SHA",
+    [TLS_DH_RSA_WITH_SEED_CBC_SHA] = 
+        "TLS_DH_RSA_WITH_SEED_CBC_SHA",
+    [TLS_DHE_DSS_WITH_SEED_CBC_SHA] = 
+        "TLS_DHE_DSS_WITH_SEED_CBC_SHA",
+    [TLS_DHE_RSA_WITH_SEED_CBC_SHA] = 
+        "TLS_DHE_RSA_WITH_SEED_CBC_SHA",
+    [TLS_DH_anon_WITH_SEED_CBC_SHA] = 
+        "TLS_DH_anon_WITH_SEED_CBC_SHA"
+};
+
+
+# --- the following sets are provided for convenience
+
+# --- this set holds all EXPORT ciphers
+const ssl_cipherset_EXPORT: set[count] = {
+	SSLv20_CK_RC4_128_EXPORT40_WITH_MD5,
+	SSLv20_CK_RC2_128_CBC_EXPORT40_WITH_MD5,
+	SSLv3x_RSA_EXPORT_WITH_RC4_40_MD5,
+	SSLv3x_RSA_EXPORT_WITH_RC2_CBC_40_MD5,
+	SSLv3x_RSA_EXPORT_WITH_DES40_CBC_SHA,
+	SSLv3x_DH_DSS_EXPORT_WITH_DES40_CBC_SHA,
+	SSLv3x_DH_RSA_EXPORT_WITH_DES40_CBC_SHA,
+	SSLv3x_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA,
+	SSLv3x_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
+	SSLv3x_DH_anon_EXPORT_WITH_RC4_40_MD5,
+	SSLv3x_DH_anon_EXPORT_WITH_DES40_CBC_SHA,
+	SSLv3x_KRB5_EXPORT_WITH_DES_CBC_40_SHA,
+	SSLv3x_KRB5_EXPORT_WITH_RC2_CBC_40_SHA,
+	SSLv3x_KRB5_EXPORT_WITH_RC4_40_SHA,
+	SSLv3x_KRB5_EXPORT_WITH_DES_CBC_40_MD5,
+	SSLv3x_KRB5_EXPORT_WITH_RC2_CBC_40_MD5,
+	SSLv3x_KRB5_EXPORT_WITH_RC4_40_MD5
+};
+
+# --- this set holds all DES ciphers
+const ssl_cipherset_DES: set[count] = {
+	SSLv20_CK_DES_64_CBC_WITH_MD5,
+	SSLv3x_RSA_EXPORT_WITH_DES40_CBC_SHA,
+	SSLv3x_RSA_WITH_DES_CBC_SHA,
+	SSLv3x_DH_DSS_EXPORT_WITH_DES40_CBC_SHA,
+	SSLv3x_DH_DSS_WITH_DES_CBC_SHA,
+	SSLv3x_DH_RSA_EXPORT_WITH_DES40_CBC_SHA,
+	SSLv3x_DH_RSA_WITH_DES_CBC_SHA,
+	SSLv3x_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA,
+	SSLv3x_DHE_DSS_WITH_DES_CBC_SHA,
+	SSLv3x_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
+	SSLv3x_DHE_RSA_WITH_DES_CBC_SHA,
+	SSLv3x_DH_anon_EXPORT_WITH_DES40_CBC_SHA,
+	SSLv3x_DH_anon_WITH_DES_CBC_SHA,
+	SSLv3x_KRB5_WITH_DES_CBC_SHA,
+	SSLv3x_KRB5_WITH_DES_CBC_MD5,
+	SSLv3x_KRB5_EXPORT_WITH_DES_CBC_40_SHA,
+	SSLv3x_KRB5_EXPORT_WITH_DES_CBC_40_MD5
+};
+
+
+# --- this set holds all 3DES ciphers
+const ssl_cipherset_3DES: set[count] = {
+	SSLv20_CK_DES_192_EDE3_CBC_WITH_MD5,
+	SSLv3x_DH_DSS_WITH_3DES_EDE_CBC_SHA,
+	SSLv3x_DH_RSA_WITH_3DES_EDE_CBC_SHA,
+	SSLv3x_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
+	SSLv3x_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
+	SSLv3x_DH_anon_WITH_3DES_EDE_CBC_SHA,
+	SSLv3x_KRB5_WITH_3DES_EDE_CBC_SHA,
+	SSLv3x_KRB5_WITH_3DES_EDE_CBC_MD5
+};
+
+# --- this set holds all RC2 ciphers
+const ssl_cipherset_RC2: set[count] = {
+	SSLv20_CK_RC2_128_CBC_WITH_MD5,
+	SSLv20_CK_RC2_128_CBC_EXPORT40_WITH_MD5,
+	SSLv3x_RSA_EXPORT_WITH_RC2_CBC_40_MD5,
+	SSLv3x_KRB5_EXPORT_WITH_RC2_CBC_40_SHA,
+	SSLv3x_KRB5_EXPORT_WITH_RC2_CBC_40_MD5
+};
+
+# --- this set holds all RC4 ciphers
+const ssl_cipherset_RC4: set[count] = {
+	SSLv20_CK_RC4_128_WITH_MD5,
+	SSLv20_CK_RC4_128_EXPORT40_WITH_MD5,
+	SSLv3x_RSA_EXPORT_WITH_RC4_40_MD5,
+	SSLv3x_RSA_WITH_RC4_128_MD5,
+	SSLv3x_RSA_WITH_RC4_128_SHA,
+	SSLv3x_DH_anon_EXPORT_WITH_RC4_40_MD5,
+	SSLv3x_DH_anon_WITH_RC4_128_MD5,
+	SSLv3x_KRB5_WITH_RC4_128_SHA,
+	SSLv3x_KRB5_WITH_RC4_128_MD5,
+	SSLv3x_KRB5_EXPORT_WITH_RC4_40_SHA,
+	SSLv3x_KRB5_EXPORT_WITH_RC4_40_MD5
+};
+
+# --- this set holds all IDEA ciphers
+const ssl_cipherset_IDEA: set[count] = {
+	SSLv20_CK_IDEA_128_CBC_WITH_MD5,
+	SSLv3x_RSA_WITH_IDEA_CBC_SHA,
+	SSLv3x_KRB5_WITH_IDEA_CBC_SHA,
+	SSLv3x_KRB5_WITH_IDEA_CBC_MD5
+};
+
+# --- this set holds all AES ciphers
+const ssl_cipherset_AES: set[count] = {
+	SSLv3x_RSA_WITH_AES_128_CBC_SHA,
+	SSLv3x_DH_DSS_WITH_AES_128_CBC_SHA,
+	SSLv3x_DH_RSA_WITH_AES_128_CBC_SHA,
+	SSLv3x_DHE_DSS_WITH_AES_128_CBC_SHA,
+	SSLv3x_DHE_RSA_WITH_AES_128_CBC_SHA,
+	SSLv3x_DH_anon_WITH_AES_128_CBC_SHA,
+	SSLv3x_RSA_WITH_AES_256_CBC_SHA,
+	SSLv3x_DH_DSS_WITH_AES_256_CBC_SHA,
+	SSLv3x_DH_RSA_WITH_AES_256_CBC_SHA,
+	SSLv3x_DHE_DSS_WITH_AES_256_CBC_SHA,
+	SSLv3x_DHE_RSA_WITH_AES_256_CBC_SHA,
+	SSLv3x_DH_anon_WITH_AES_256_CBC_SHA
+};
diff --git a/policy/ssl-errors.bro b/policy/ssl-errors.bro
new file mode 100644
index 0000000000..9751174e7d
--- /dev/null
+++ b/policy/ssl-errors.bro
@@ -0,0 +1,74 @@
+# $Id: ssl-errors.bro 6 2004-04-30 00:31:26Z jason $
+
+# --- const defns of error messages
+const X509_V_OK = +0;
+const X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT = +1;
+const X509_V_ERR_UNABLE_TO_GET_CRL = +2;
+const X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE = +3;
+const X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE = +4;
+const X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY = +5;
+const X509_V_ERR_CERT_SIGNATURE_FAILURE = +6;
+const X509_V_ERR_CRL_SIGNATURE_FAILURE = +7;
+const X509_V_ERR_CERT_NOT_YET_VALID = +8;
+const X509_V_ERR_CERT_HAS_EXPIRED = +9;
+const X509_V_ERR_CRL_NOT_YET_VALID = +10;
+const X509_V_ERR_CRL_HAS_EXPIRED = +11;
+const X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD = +12;
+const X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD = +13;
+const X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD = +14;
+const X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD = +15;
+const X509_V_ERR_OUT_OF_MEM = +16;
+const X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT = +17;
+const X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN = +18;
+const X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY = +19;
+const X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE = +20;
+const X509_V_ERR_CERT_CHAIN_TOO_LONG = +21;
+const X509_V_ERR_CERT_REVOKED = +22;
+const X509_V_ERR_INVALID_CA = +23;
+const X509_V_ERR_PATH_LENGTH_EXCEEDED = +24;
+const X509_V_ERR_INVALID_PURPOSE = +25;
+const X509_V_ERR_CERT_UNTRUSTED = +26;
+const X509_V_ERR_CERT_REJECTED = +27;
+const X509_V_ERR_SUBJECT_ISSUER_MISMATCH = +28;
+const X509_V_ERR_AKID_SKID_MISMATCH = +29;
+const X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH = +30;
+const X509_V_ERR_KEYUSAGE_NO_CERTSIGN = +31;
+const X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER = +32;
+const X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION = +33;
+
+const x509_errors: table[int] of string = {
+	[+0] = "X509_V_OK",
+	[+1] = "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT",
+	[+2] = "X509_V_ERR_UNABLE_TO_GET_CRL",
+	[+3] = "X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE",
+	[+4] = "X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE",
+	[+5] = "X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY",
+	[+6] = "X509_V_ERR_CERT_SIGNATURE_FAILURE",
+	[+7] = "X509_V_ERR_CRL_SIGNATURE_FAILURE",
+	[+8] = "X509_V_ERR_CERT_NOT_YET_VALID",
+	[+9] = "X509_V_ERR_CERT_HAS_EXPIRED",
+	[+10] = "X509_V_ERR_CRL_NOT_YET_VALID",
+	[+11] = "X509_V_ERR_CRL_HAS_EXPIRED",
+	[+12] = "X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD",
+	[+13] = "X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD",
+	[+14] = "X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD",
+	[+15] = "X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD",
+	[+16] = "X509_V_ERR_OUT_OF_MEM",
+	[+17] = "X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT",
+	[+18] = "X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN",
+	[+19] = "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY",
+	[+20] = "X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE",
+	[+21] = "X509_V_ERR_CERT_CHAIN_TOO_LONG",
+	[+22] = "X509_V_ERR_CERT_REVOKED",
+	[+23] = "X509_V_ERR_INVALID_CA",
+	[+24] = "X509_V_ERR_PATH_LENGTH_EXCEEDED",
+	[+25] = "X509_V_ERR_INVALID_PURPOSE",
+	[+26] = "X509_V_ERR_CERT_UNTRUSTED",
+	[+27] = "X509_V_ERR_CERT_REJECTED",
+	[+28] = "X509_V_ERR_SUBJECT_ISSUER_MISMATCH",
+	[+29] = "X509_V_ERR_AKID_SKID_MISMATCH",
+	[+30] = "X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH",
+	[+31] = "X509_V_ERR_KEYUSAGE_NO_CERTSIGN",
+	[+32] = "X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER",
+	[+33] = "X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION"
+};
diff --git a/policy/ssl-worm.bro b/policy/ssl-worm.bro
new file mode 100644
index 0000000000..a8db78eed3
--- /dev/null
+++ b/policy/ssl-worm.bro
@@ -0,0 +1,59 @@
+# $Id: ssl-worm.bro 340 2004-09-09 06:38:27Z vern $
+
+@load signatures
+@load software
+@load alarm
+
+redef signature_files += "ssl-worm.sig";
+
+redef capture_filters +=  {
+	["ssl-worm"] = "udp port 2002 and src net 134.96"
+};
+
+function sslworm_is_server_vulnerable(state: signature_state): bool
+	{
+	local ip = state$conn$id$resp_h;
+
+	if ( ip !in software_table )
+		return F;
+
+	local softset = software_table[ip];
+
+	if ( "Apache" !in softset )
+		return F;
+
+	if ( "OpenSSL" !in softset )
+		return F;
+
+	local safe_version: software_version =
+		[$major = +0, $minor = +9, $minor2 = +6, $addl = "e"];
+
+	if ( software_cmp_version(softset["OpenSSL"]$version, safe_version) >= 0 )
+		return F;
+
+	return T;
+	}
+
+function sslworm_has_server_been_probed(state: signature_state): bool
+	{
+	# FIXME: Bro segfaults without the tmp variable
+	local result =
+		has_signature_matched("sslworm-probe",
+				state$conn$id$orig_h, state$conn$id$resp_h);
+
+	return result;
+	}
+
+function sslworm_has_server_been_exploited(state: signature_state): bool
+	{
+	# FIXME: I don't know which side starts the UDP conversation
+	local result =
+		has_signature_matched("sslworm-exploit",
+				state$conn$id$orig_h, state$conn$id$resp_h);
+
+	if ( ! result )
+		result = has_signature_matched("sslworm-exploit",
+				state$conn$id$resp_h, state$conn$id$orig_h);
+
+	return result;
+	}
diff --git a/policy/ssl.bro b/policy/ssl.bro
new file mode 100644
index 0000000000..216abb2d10
--- /dev/null
+++ b/policy/ssl.bro
@@ -0,0 +1,537 @@
+# $Id: ssl.bro 5988 2008-07-19 07:02:12Z vern $
+
+@load notice
+@load conn
+@load weird
+@load ssl-ciphers
+@load ssl-errors
+
+global ssl_log = open_log_file("ssl") &redef;
+
+redef enum Notice += {
+	SSL_X509Violation,	# blanket X509 error
+	SSL_SessConIncon,	# session data not consistent with connection
+};
+
+
+const SSLv2  = 0x0002;
+const SSLv3  = 0x0300;
+const TLSv10 = 0x0301;
+const TLSv11 = 0x0302;
+
+# If true, Bro stores the client and server cipher specs and performs
+# additional tests.  This costs an extra amount of memory (normally
+# only for a short time) but enables detecting of non-intersecting
+# cipher sets, for example.
+const ssl_compare_cipherspecs = T &redef;
+
+# Whether to analyze certificates seen in SSL connections.
+const ssl_analyze_certificates = T &redef;
+
+# If we analyze SSL certificates, we can choose to store them.
+const ssl_store_certificates = T &redef;
+
+# Path where we dump the certificates into.  If it's empty,
+# use the current directory.
+const ssl_store_cert_path = "certs" &redef;
+
+# If we analyze SSL certificates, we can choose to verify them.
+const ssl_verify_certificates = T &redef;
+
+# This is the path where OpenSSL looks after the trusted certificates.
+# If empty, the default path will be used.
+const x509_trusted_cert_path = "" &redef;
+
+# Whether to store key-material exchanged in the handshaking phase.
+const ssl_store_key_material = F &redef;
+
+# Report weak/unknown ciphers in CLIENT_HELLO, SSLv2 SERVER_HELLO.
+const ssl_report_client_weak = F &redef;
+const ssl_report_client_unknown = F &redef;
+const ssl_report_server_weak = F &redef;
+
+# Log all ciphers.
+const ssl_log_ciphers = T &redef;
+
+# NOTE: this is a 'local' port format for your site
+# --- well-known ports for ssl ---------
+redef capture_filters += {
+	["ssl"] = "tcp port 443",
+	["nntps"] = "tcp port 563",
+	["imap4-ssl"] = "tcp port 585",
+	["sshell"] = "tcp port 614",
+	["ldaps"] = "tcp port 636",
+	["ftps-data"] = "tcp port 989",
+	["ftps"] = "tcp port 990",
+	["telnets"] = "tcp port 992",
+	["imaps"] = "tcp port 993",
+	["ircs"] = "tcp port 994",
+	["pop3s"] = "tcp port 995"
+};
+
+global ssl_ports = {
+	443/tcp, 563/tcp, 585/tcp, 614/tcp, 636/tcp,
+	989/tcp, 990/tcp, 992/tcp, 993/tcp, 995/tcp,
+} &redef;
+
+redef dpd_config += {
+	[[ANALYZER_SSL, ANALYZER_SSL_BINPAC]] = [$ports = ssl_ports]
+};
+
+# --- Weak Cipher Demo -------------
+
+const myWeakCiphers: set[count] = {
+	SSLv20_CK_RC4_128_EXPORT40_WITH_MD5,
+	SSLv20_CK_RC2_128_CBC_EXPORT40_WITH_MD5,
+	SSLv20_CK_DES_64_CBC_WITH_MD5,
+
+	SSLv3x_NULL_WITH_NULL_NULL,
+	SSLv3x_RSA_WITH_NULL_MD5,
+	SSLv3x_RSA_WITH_NULL_SHA,
+	SSLv3x_RSA_EXPORT_WITH_RC4_40_MD5,
+	SSLv3x_RSA_EXPORT_WITH_RC2_CBC_40_MD5,
+	SSLv3x_RSA_EXPORT_WITH_DES40_CBC_SHA,
+	SSLv3x_RSA_WITH_DES_CBC_SHA,
+
+	SSLv3x_DH_DSS_EXPORT_WITH_DES40_CBC_SHA,
+	SSLv3x_DH_DSS_WITH_DES_CBC_SHA,
+	SSLv3x_DH_RSA_EXPORT_WITH_DES40_CBC_SHA,
+	SSLv3x_DH_RSA_WITH_DES_CBC_SHA,
+	SSLv3x_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA,
+	SSLv3x_DHE_DSS_WITH_DES_CBC_SHA,
+	SSLv3x_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
+	SSLv3x_DHE_RSA_WITH_DES_CBC_SHA,
+
+	SSLv3x_DH_anon_EXPORT_WITH_RC4_40_MD5,
+	SSLv3x_DH_anon_WITH_RC4_128_MD5,
+	SSLv3x_DH_anon_EXPORT_WITH_DES40_CBC_SHA,
+	SSLv3x_DH_anon_WITH_DES_CBC_SHA,
+	SSLv3x_DH_anon_WITH_3DES_EDE_CBC_SHA,
+	SSLv3x_FORTEZZA_KEA_WITH_NULL_SHA
+};
+
+const x509_ignore_errors: set[int] = {
+	X509_V_OK,
+	# X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE
+};
+
+const x509_hot_errors: set[int] = {
+	X509_V_ERR_CRL_SIGNATURE_FAILURE,
+	X509_V_ERR_CERT_NOT_YET_VALID,
+	X509_V_ERR_CERT_HAS_EXPIRED,
+	X509_V_ERR_CERT_REVOKED,
+	X509_V_ERR_SUBJECT_ISSUER_MISMATCH,
+	# X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE	# for testing
+};
+
+redef Weird::weird_action += {
+	[["SSLv2: Unknown CIPHER-SPEC in CLIENT-HELLO!",
+	  "SSLv2: Client has CipherSpecs > MAX_CIPHERSPEC_SIZE",
+	  "unexpected_SSLv3_record",
+	  "SSLv3_data_without_full_handshake"]]	= Weird::WEIRD_IGNORE
+};
+
+
+global SSL_cipherCount: table[count] of count &default = 0;
+
+type ssl_connection_info: record {
+	id: count;			# the log identifier number
+	connection_id: conn_id;		# IP connection information
+	version: string;		# version assosciated with connection
+	client_cert: X509;
+	server_cert: X509;
+	id_index: string;		# index for associated SSL_sessionID
+	handshake_cipher: string;	# agreed-upon cipher for session/conn.
+};
+
+# SSL_sessionID index - used to track version assosciated with a session id.
+type SSL_sessionID_record: record {
+	num_reuse: count;
+	id: SSL_sessionID;	# literal session ID
+
+	# everything below is an example of session vs connection monitoring.
+	version: string;	# version assosciated with session id
+	client_cert: X509;
+	server_cert: X509;
+	handshake_cipher: string;
+};
+
+global ssl_connections: table[conn_id] of ssl_connection_info;
+global ssl_sessionIDs: table[string] of SSL_sessionID_record
+						&read_expire = 2 hrs;
+global ssl_connection_id = 0;
+
+# Used when there's no issuer/subject/cipher.
+const NONE = "<none>";
+
+# --- SSL helper functions ---------
+function new_ssl_connection(c: connection)
+	{
+	local conn = c$id;
+	local new_id = ++ssl_connection_id;
+
+	local info: ssl_connection_info;
+	info$id = new_id;
+	info$id_index = md5_hash(info$id);
+	info$version = "";
+	info$client_cert$issuer = NONE;
+	info$client_cert$subject = NONE;
+	info$server_cert$issuer = NONE;
+	info$server_cert$subject = NONE;
+	info$handshake_cipher = NONE;
+	info$connection_id = conn;
+
+	ssl_connections[conn] = info;
+	append_addl(c,  fmt("#%d", new_id));
+
+	print ssl_log, fmt("%.6f #%d %s start",
+				network_time(), new_id, id_string(conn));
+	}
+
+function new_sessionID_record(session: SSL_sessionID)
+	{
+	local info: SSL_sessionID_record;
+
+	info$num_reuse = 1;
+	info$client_cert$issuer = NONE;
+	info$client_cert$subject = NONE;
+	info$server_cert$issuer = NONE;
+	info$server_cert$subject = NONE;
+	info$handshake_cipher = NONE;
+
+	local index = md5_hash(session);
+	ssl_sessionIDs[index] = info;
+	}
+
+function ssl_get_cipher_name(cipherSuite: count): string
+	{
+	return cipherSuite in ssl_cipher_desc ?
+		ssl_cipher_desc[cipherSuite] : "UNKNOWN";
+	}
+
+function ssl_get_version_string(version: count): string
+	{
+	if ( version == SSLv2 )
+		return "SSL version 2";
+	else if ( version == SSLv3 )
+		return "SSL version 3";
+	else if ( version == TLSv10 )
+		return "TLS version 1.0";
+	else if ( version == TLSv11 )
+		return "TLS version 1.1";
+	else
+		return "?.?";
+	}
+
+function ssl_con2str(c: connection): string
+	{
+	return fmt("%s:%s -> %s:%s",
+			c$id$orig_h, c$id$orig_p, c$id$resp_h, c$id$resp_p);
+	}
+
+function lookup_ssl_conn(c: connection, func: string, log_if_new: bool)
+	{
+	if ( c$id !in ssl_connections )
+		{
+		new_ssl_connection(c);
+
+		if ( log_if_new )
+			print ssl_log,
+				fmt("%.6f #%d creating new SSL connection in %s",
+					network_time(), ssl_connections[c$id]$id, func);
+		}
+	}
+
+event ssl_conn_weak(name: string, c: connection)
+	{
+	lookup_ssl_conn(c, "ssl_conn_weak", T);
+	print ssl_log, fmt("%.6f #%d %s",
+		network_time(), ssl_connections[c$id]$id, name);
+	}
+
+# --- SSL events -------------------
+
+event ssl_certificate_seen(c: connection, is_server: bool)
+	{
+	# Called whenever there's an certificate to analyze.
+	# we could do something here, like...
+
+	# if ( c$id$orig_h in hostsToIgnore )
+	#	{
+	#	ssl_store_certificates = F;
+	#	ssl_verify_certificates = F;
+	#	}
+	# else
+	#	{
+	#	ssl_store_certificates = T;
+	#	ssl_verify_certificates = T;
+	#	}
+	}
+
+event ssl_certificate(c: connection, cert: X509, is_server: bool)
+	{
+	local direction = is_local_addr(c$id$orig_h) ? "client" : "server";
+
+	lookup_ssl_conn(c, "ssl_certificate", T);
+	local conn = ssl_connections[c$id];
+
+	if( direction == "client" )
+		conn$client_cert = cert;
+	else
+		{
+		conn$server_cert = cert;
+
+		# We have not filled in the field for the master session
+		# for this connection.  Do it now, but only if this is not a
+		# SSLv2 connection (no session information in that case).
+		if ( conn$id_index in ssl_sessionIDs &&
+		     ssl_sessionIDs[conn$id_index]$server_cert$subject == NONE )
+			ssl_sessionIDs[conn$id_index]$server_cert$subject =
+				cert$subject;
+		}
+
+	print ssl_log, fmt("%.6f #%d X.509 %s issuer %s",
+			network_time(), conn$id, direction, cert$issuer);
+
+	print ssl_log, fmt("%.6f #%d X.509 %s subject %s",
+			network_time(), conn$id, direction, cert$subject);
+	}
+
+event ssl_conn_attempt(c: connection, version: count,
+			ciphers: cipher_suites_list)
+	{
+	lookup_ssl_conn(c, "ssl_conn_attempt", F);
+	local conn = ssl_connections[c$id];
+	local version_string = ssl_get_version_string(version);
+
+	print ssl_log, fmt("%.6f #%d SSL connection attempt %s",
+				network_time(), conn$id, version_string);
+
+	conn$version = version_string;
+
+	for ( cs in ciphers )
+		{ # display a list of the cipher suites
+		# Demo: report clients who support weak ciphers.
+		if ( ssl_report_client_weak && cs in myWeakCiphers )
+			event ssl_conn_weak(
+				fmt("SSL client supports weak cipher: %s (0x%x)",
+					ssl_get_cipher_name(cs), cs), c);
+
+		# Demo: report unknown ciphers.
+		if ( ssl_report_client_unknown && cs !in ssl_cipher_desc )
+			event ssl_conn_weak(
+				fmt("SSL: unknown cipher-spec: %s (0x%x)",
+					ssl_get_cipher_name(cs), cs), c);
+
+		if ( ssl_log_ciphers )
+			print ssl_log, fmt("%.6f #%d client cipher %s (0x%x)",
+					network_time(), conn$id,
+					ssl_get_cipher_name(cs), cs);
+		}
+	}
+
+event ssl_conn_server_reply(c: connection, version: count,
+				ciphers: cipher_suites_list)
+	{
+	lookup_ssl_conn(c, "ssl_conn_server_reply", T);
+
+	local conn = ssl_connections[c$id];
+	local version_string = ssl_get_version_string(version);
+
+	print ssl_log, fmt("%.6f #%d SSL connection server reply, %s",
+				network_time(), conn$id, version_string);
+
+	conn$version = version_string;
+
+	for ( cs in ciphers )
+		{
+		# Demo: report servers who support weak ciphers.
+		if ( ssl_report_server_weak && version == SSLv2 &&
+		     cs in myWeakCiphers )
+			event ssl_conn_weak(
+				fmt("SSLv2 server supports weak cipher: %s (0x%x)",
+					ssl_get_cipher_name(cs), cs), c);
+
+                if ( ssl_log_ciphers )
+                        print ssl_log, fmt("%.6f #%d server cipher %s (0x%x)",
+					network_time(), conn$id,
+                                        ssl_get_cipher_name(cs), cs);
+		}
+	}
+
+event ssl_conn_established(c: connection, version: count, cipher_suite: count)
+	{
+	lookup_ssl_conn(c, "ssl_conn_established", T);
+
+	local conn = ssl_connections[c$id];
+	local version_string = ssl_get_version_string(version);
+
+	print ssl_log,
+		fmt("%.6f #%d handshake finished, %s",
+			network_time(), conn$id, version_string);
+
+	if ( cipher_suite in myWeakCiphers )
+		event ssl_conn_weak(fmt("%.6f #%d weak cipher: %s (0x%x)",
+			network_time(), conn$id,
+			ssl_get_cipher_name(cipher_suite), cipher_suite), c);
+
+	if ( ssl_log_ciphers )
+		print ssl_log, fmt("%.6f #%d connection cipher %s (0x%x)",
+			network_time(), conn$id,
+			ssl_get_cipher_name(cipher_suite), cipher_suite);
+
+	++SSL_cipherCount[cipher_suite];
+
+	# This should be the version identified with the session, unless
+	# there is some renegotiation.  That will be caught later.
+	conn$version = version_string;
+	}
+
+event process_X509_extensions(c: connection, ex: X509_extension)
+	{
+	lookup_ssl_conn(c, "process_X509_extensions", T);
+	local conn = ssl_connections[c$id];
+
+	local msg = fmt("%.6f #%d X.509 extensions: ", network_time(), conn$id);
+	for ( i in ex )
+		msg = fmt("%s, %s", msg, ex[i]);
+
+	print ssl_log, msg;
+	}
+
+event ssl_session_insertion(c: connection, id: SSL_sessionID)
+	{
+	local idd = c$id;
+
+	if ( idd !in ssl_connections)
+		{
+		new_ssl_connection(c);
+
+		print ssl_log,
+			fmt("%.6f #%d creating new SSL connection in ssl_session_insertion",
+				network_time(), ssl_connections[c$id]$id);
+
+		# None of the conn$object values will exist, so we leave this
+		# to prevent needless crashing.
+		return;
+		}
+
+	local conn = ssl_connections[idd];
+	local id_index = md5_hash(id);
+
+	# If there is no session with thIS id we create (a typical) one,
+	# otherwise we move on.
+	if ( id_index !in ssl_sessionIDs )
+		{
+		new_sessionID_record(id);
+
+		local session = ssl_sessionIDs[id_index];
+		session$version = conn$version;
+		session$client_cert$subject = conn$client_cert$subject;
+		session$server_cert$subject = conn$server_cert$subject;
+		session$handshake_cipher = conn$handshake_cipher;
+		session$id = id;
+
+		conn$id_index = id_index;
+		}
+
+	else
+		{ # should we ever get here?
+		session = ssl_sessionIDs[id_index];
+		conn$id_index = id_index;
+		}
+	}
+
+event ssl_conn_reused(c: connection, session_id: SSL_sessionID)
+	{
+	lookup_ssl_conn(c, "ssl_conn_reused", T);
+	local conn = ssl_connections[c$id];
+	local id_index = md5_hash(session_id);
+
+	print ssl_log, fmt("%.6f #%d reusing former SSL session: %s",
+				network_time(), conn$id, id_index);
+
+	# We cannot track sessions with SSLv2.
+	if ( conn$version == ssl_get_version_string(SSLv2) )
+		return;
+
+	if ( id_index !in ssl_sessionIDs )
+		{
+		new_sessionID_record(session_id);
+		local session = ssl_sessionIDs[id_index];
+		session$version = conn$version;
+		session$client_cert$subject = conn$client_cert$subject;
+		session$server_cert$subject = conn$server_cert$subject;
+		session$id = session_id;
+		}
+	else
+		session = ssl_sessionIDs[id_index];
+
+	++session$num_reuse;
+
+	# At this point, the connection values have been set.  We can then
+	# compare session and connection values with some confidence.
+	if ( session$version != conn$version ||
+	     session$handshake_cipher != conn$handshake_cipher )
+		{
+		NOTICE([$note=SSL_SessConIncon, $conn=c,
+			$msg="session violation"]);
+		++c$hot;
+		}
+	}
+
+event ssl_X509_error(c: connection, err: int, err_string: string)
+	{
+	if ( err in x509_ignore_errors )
+		return;
+
+	lookup_ssl_conn(c, "ssl_X509_error", T);
+	local conn = ssl_connections[c$id];
+	local error =
+		err in x509_errors ?  x509_errors[err] : "unknown X.509 error";
+
+	local severity = "warning";
+	if ( err in x509_hot_errors )
+		{
+		NOTICE([$note=SSL_X509Violation, $conn=c, $msg=error]);
+		++c$hot;
+		severity = "error";
+		}
+
+	print ssl_log,
+		fmt("%.6f #%d X.509 %s %s (%s)",
+			network_time(), conn$id, severity, error, err_string);
+	}
+
+event connection_state_remove(c: connection)
+	{
+	delete ssl_connections[c$id];
+	}
+
+event bro_init()
+	{
+	if ( ssl_store_cert_path != "" )
+		# The event engine will generate a run-time if this fails for
+		# reasons other than that the directory already exists.
+		mkdir(ssl_store_cert_path);
+	}
+
+event bro_done()
+	{
+	print ssl_log, "Cipher suite statistics: ";
+	for ( i in SSL_cipherCount )
+		print ssl_log, fmt("%s (0x%x): %d", ssl_get_cipher_name(i), i,
+					SSL_cipherCount[i]);
+
+	print ssl_log, ("count     session ID");
+	print ssl_log, ("-----     ---------------------------------");
+	for ( j in ssl_sessionIDs )
+		if ( ssl_sessionIDs[j]$server_cert$subject != NONE )
+			{
+			print ssl_log,
+				fmt("(%s)      %s   %s",
+					ssl_sessionIDs[j]$num_reuse,
+					ssl_sessionIDs[j]$server_cert$subject,
+					j);
+			}
+	}
diff --git a/policy/stats.bro b/policy/stats.bro
new file mode 100644
index 0000000000..b0a35c09a6
--- /dev/null
+++ b/policy/stats.bro
@@ -0,0 +1,133 @@
+# $Id: stats.bro 4011 2007-02-28 07:01:12Z vern $
+
+# Track memory/lag statistics.  Differs from profiling.bro in that this
+# is lighter-weight (much less info, and less load to generate).
+
+@load notice
+
+redef enum Notice += {
+	ResourceStats,		# generated when running live packet capture
+	OfflineResourceStats,	# generated when reading trace files
+};
+
+# ResourceStats should by default be sent to the notice file
+redef notice_action_filters += {
+	[[ResourceStats, OfflineResourceStats]] = file_notice
+};
+
+global last_stats_time = current_time();
+global last_stats_CPU_time =
+	resource_usage()$user_time + resource_usage()$system_time;
+
+# Global to store the last net_stats object received.
+global last_packet_stat: net_stats;
+
+# Globals to store the results between reporting intervals
+global stat_packets_received = 0;
+global stat_packets_dropped = 0;
+global stat_packets_link = 0;
+
+global last_packets_processed = 0;
+global last_events_dispatched = 0;
+global last_events_queued = 0;
+
+# Interval in which the results are sent as a notice.  If this is less
+# than heartbeat_interval, then it is set to heartbeat_interval, since
+# some of the reported statistics are only gathered via the heartbeat.
+global stats_report_interval = 10 sec &redef;
+
+event check_stats()
+	{
+	local now = current_time();
+	local lag = now - network_time();
+	local report_delta = now - last_stats_time;
+
+	local res = resource_usage();
+	local mem = res$mem;
+	local total_CPU_time = res$user_time + res$system_time;
+	local CPU_util = (total_CPU_time - last_stats_CPU_time) / report_delta;
+
+	if ( bro_is_terminating() )
+		# No more stats will be written or scheduled when Bro is
+		# shutting down.
+		return;
+
+	local delta_pkts_processed = res$num_packets - last_packets_processed;
+	local delta_events = res$num_events_dispatched - last_events_dispatched;
+	local delta_queued = res$num_events_queued - last_events_queued;
+
+	local stat_msg =
+		fmt("mem=%dMB pkts_proc=%d events_proc=%d events_queued=%d",
+			mem / 1000000, delta_pkts_processed,
+			delta_events, delta_queued);
+
+	if ( reading_live_traffic() )
+		{
+		stat_msg = fmt("%s et=%.2f lag=%fsec util=%.01f%% pkts_rcv=%d pkts_drp=%d pkts_link=%d",
+				stat_msg, report_delta, lag, CPU_util * 100.0,
+				stat_packets_received, stat_packets_dropped,
+				stat_packets_link);
+		NOTICE([$note=ResourceStats, $msg=stat_msg]);
+		}
+
+	else if ( reading_traces() )
+		NOTICE([$note=OfflineResourceStats, $msg=stat_msg]);
+
+	else
+		{
+		# Remote communication only.
+		stat_msg = fmt("mem=%dMB events_proc=%d events_queued=%d lag=%fsec util=%.01f%%",
+				mem / 1000000, delta_events, delta_queued,
+				lag, CPU_util * 100.0 );
+		NOTICE([$note=ResourceStats, $msg=stat_msg]);
+		}
+
+	last_stats_time = now;
+	last_stats_CPU_time = total_CPU_time;
+	last_packets_processed = res$num_packets;
+	last_events_dispatched = res$num_events_dispatched;
+	last_events_queued = res$num_events_queued;
+
+	stat_packets_received = 0;
+	stat_packets_dropped = 0;
+
+	schedule stats_report_interval { check_stats() };
+	}
+
+event net_stats_update(t: time, ns: net_stats)
+	{
+	if ( ns$pkts_recvd > last_packet_stat$pkts_recvd )
+		stat_packets_received +=
+			ns$pkts_recvd - last_packet_stat$pkts_recvd;
+
+	if ( ns$pkts_dropped > last_packet_stat$pkts_dropped )
+		stat_packets_dropped +=
+			ns$pkts_dropped - last_packet_stat$pkts_dropped;
+
+	if ( ns$pkts_link > last_packet_stat$pkts_link )
+		stat_packets_link += ns$pkts_link - last_packet_stat$pkts_link;
+
+	last_packet_stat = ns;
+	}
+
+event start_check_stats()
+	{
+	# Can't start reporting data until network_time() is up.
+	local zero_time: time = 0;
+
+	if ( network_time() > zero_time )
+		schedule stats_report_interval { check_stats() };
+	else
+		schedule stats_report_interval { start_check_stats() };
+	}
+
+event bro_init()
+	{
+	last_packet_stat$pkts_recvd = last_packet_stat$pkts_dropped =
+		last_packet_stat$pkts_link = 0;
+
+	if ( stats_report_interval < heartbeat_interval )
+		stats_report_interval = heartbeat_interval;
+
+	schedule stats_report_interval { start_check_stats() };
+	}
diff --git a/policy/stepping.bro b/policy/stepping.bro
new file mode 100644
index 0000000000..e9aed914e1
--- /dev/null
+++ b/policy/stepping.bro
@@ -0,0 +1,485 @@
+# $Id: stepping.bro 6481 2008-12-15 00:47:57Z vern $
+
+@load notice
+@load port-name
+@load demux
+@load login
+@load alarm
+
+module Stepping;
+
+export {
+	redef enum Notice += {
+		# A stepping stone was seen in which the first part of
+		# the chain is a clear-text connection but the second part
+		# is encrypted.  This often means that a password or
+		# passphrase has been exposed in the clear, and may also
+		# mean that the user has an incomplete notion that their
+		# connection is protected from eavesdropping.
+		ClearToEncrypted_SS,
+	};
+}
+
+global step_log = open_log_file("step") &redef;
+
+# The following must be defined for the event engine to generate
+# stepping stone events.
+redef stp_delta = 0.08 sec;
+redef stp_idle_min = 0.5 sec;
+
+global stepping_stone: event(c1: connection, c2: connection, method: string);
+
+#### First, tag-based schemes - $DISPLAY, Last Login ####
+
+# If <conn> was a login to <dst> propagating a $DISPLAY of <display>,
+# then we make an entry of [<dst>, <display>] = <conn>.
+global display_pairs: table[addr, string] of connection;
+
+# Maps login tags like "Last login ..." to connections.
+global tag_to_conn_map: table[string] of connection;
+
+type tag_info: record {
+	display: string;	# $DISPLAY, if any
+	tag: string;		# login tag, e.g. "Last login ..."
+};
+
+global conn_tag_info: table[conn_id] of tag_info;
+
+const STONE_DISPLAY = 1;
+const STONE_LOGIN_BANNER = 2;
+const STONE_TIMING = 4;
+### fixme
+global detected_stones: table[addr, port, addr, port, addr, port, addr, port]
+	of count &default = 0;
+global did_stone_summary: table[addr, port, addr, port, addr, port, addr, port]
+	of count &default = 0;
+
+function new_tag_info(c: connection)
+	{
+	local ti: tag_info;
+	ti$tag = ti$display = "";
+	conn_tag_info[c$id] = ti;
+	}
+
+event login_display(c: connection, display: string)
+	{
+	local id = c$id;
+	if ( id !in conn_tag_info )
+		new_tag_info(c);
+
+	conn_tag_info[id]$display = display;
+	display_pairs[id$resp_h, display] = c;
+
+	if ( [id$orig_h, display] in display_pairs )
+		event Stepping::stepping_stone(display_pairs[id$orig_h, display], c, "display");
+	}
+
+event login_output_line(c: connection, line: string)
+	{
+	if  ( /^([Ll]ast +(successful)? *login)/ | /^Last interactive login/
+	     !in line ||
+	      # Some finger output includes "Last login ..." but luckily
+	      # appears to be terminated by ctrl-A.
+	      /\001/ in line )
+		return;
+
+	if ( c$id !in conn_tag_info )
+		new_tag_info(c);
+
+	local ti = conn_tag_info[c$id];
+	local tag = line;
+
+	if ( ti$tag == "" )
+		ti$tag = tag;
+
+	if ( tag in tag_to_conn_map )
+		{
+		local c2 = tag_to_conn_map[tag];
+
+		### Would really like this taken care of by having
+		# tag_to_conn_map[tag] deleted when c2 goes away.
+		if ( active_connection(c2$id) )
+			event Stepping::stepping_stone(c2, c, "login-tag");
+		}
+	else
+		tag_to_conn_map[tag] = c;
+	}
+
+event connection_finished(c: connection)
+	{
+	### would really like some automatic destructors invoked
+	### whenever a connection goes away
+	local id = c$id;
+	if ( id in conn_tag_info )
+		{
+		local ti = conn_tag_info[id];
+		delete display_pairs[id$resp_h, ti$display];
+		delete tag_to_conn_map[ti$tag];
+		delete conn_tag_info[id];
+		}
+	}
+
+
+#### Now, timing-based correlation ####
+
+const stp_ratio_thresh = 0.3 &redef;	# prop. of idle times that must coincide
+
+# Time scale to which following thresholds apply.
+const stp_scale =  100.0 &redef;
+
+const stp_common_host_thresh = 2 &redef; # must be <= stp_random_pair_thresh
+const stp_random_pair_thresh = 4 &redef;
+
+const stp_demux_disabled = T &redef;
+
+# Indexed by the center host (or destination of the first connection,
+# for ABCD stepping stones) and the $addl information associated with
+# the connection (i.e., often username).  If present in the set, then
+# we shouldn't bother generating a report for a clear->ssh stepping stone.
+const skip_clear_ssh_reports: set[addr, string] &redef;
+
+global num_stp_pairs = 0;
+
+type endp_info: record {
+	conn: connection;
+	id: conn_id;
+	resume_time: time; # time when resuming from most recent idle period
+	old_resume_time: time; # time when resuming from penultimate idle period
+	idle_cnt: count; # number of idle periods for this endpoint (flow)
+};
+
+type pair_info: record {
+	is_stp: bool; # true if flow pair considered a stepping stone pair
+	hit: count; # number of coincidences
+	hit_two_in_row: count; # number of coincidences two-in-row
+};
+
+# For connection k:
+#	stp_endps[2k] is the orig endpoint
+#	stp_endps[2k+1] is the resp endpoint
+global stp_endps: table[int] of endp_info;
+
+# Some endpoint pairs are weird, e.g., when two endp's share a common port.
+# Such weird endp pairs may be correlated, but are unlikely to be stepping
+# stone pairs.
+global stp_weird_pairs: set[int, int];
+
+# Normal (i.e., not weird) endp pairs.
+global stp_normal_pairs: table[int, int] of pair_info;
+
+function is_orig(e: int): bool
+	{
+	return (e % 2) == 0;
+	}
+
+function peer(e: int): int
+	{
+	return (e % 2) == 0 ? (e + 1): (e - 1);
+	}
+
+function orig_host(e: int): addr
+	{
+	return stp_endps[e]$id$orig_h;
+	}
+
+function resp_host(e: int): addr
+	{
+	return stp_endps[e]$id$resp_h;
+	}
+
+function orig_port(e: int): port
+	{
+	return stp_endps[e]$id$orig_p;
+	}
+
+function resp_port(e: int): port
+	{
+	return stp_endps[e]$id$resp_p;
+	}
+
+function build_conn(e: int): connection
+	{ # return the id of the orig, not the resp
+	return stp_endps[e]$conn;
+	}
+
+function stp_id_string(id: conn_id): string
+	{
+	return fmt("%s.%d > %s.%d", id$orig_h, id$orig_p, id$resp_h, id$resp_p);
+	}
+
+function stp_create_weird_pair(e1: int, e2: int)
+	{
+	add stp_weird_pairs[e1, e2];
+	}
+
+function stp_create_normal_pair(e1: int, e2: int)
+	{
+	local pair: pair_info;
+
+	pair$is_stp = F;
+	pair$hit = pair$hit_two_in_row = 0;
+
+	stp_normal_pairs[e1, e2] = pair;
+	}
+
+function stp_correlate_weird_pair(e1: int, e2: int)
+	{ # do nothing right now
+	}
+
+global stp_check_normal_pair: function(e1: int, e2: int): bool;
+
+function stp_correlate_normal_pair(e1: int, e2: int)
+	{
+	if ( stp_normal_pairs[e1, e2]$is_stp )
+		return; # already classified as stepping stone pair
+
+	++stp_normal_pairs[e1, e2]$hit;
+
+	if ( stp_endps[e1]$old_resume_time != 0.0 &&
+	     stp_endps[e2]$old_resume_time != 0.0 )
+		{
+		local dt = stp_endps[e2]$old_resume_time -
+			   stp_endps[e1]$old_resume_time;
+		if ( dt >= 0.0 sec && dt <= stp_delta )
+			++stp_normal_pairs[e1, e2]$hit_two_in_row;
+		}
+	stp_check_normal_pair(e1, e2);
+	}
+
+function stp_check_weird_pair(e1: int, e2: int)
+	{ # do nothing right now
+	}
+
+function stp_check_normal_pair(e1: int, e2: int): bool
+	{
+	if ( stp_normal_pairs[e1, e2]$is_stp )
+		return T; # already classified as stepping stone pair
+
+	local p1 = peer(e1);
+	local p2 = peer(e2);
+	local reverse_exists = [p2, p1] in stp_normal_pairs;
+
+	if ( reverse_exists && stp_normal_pairs[p2, p1]$is_stp )
+		{ # already classified as stepping stone pair
+		stp_normal_pairs[e1, e2]$is_stp = T;
+		return T;
+		}
+
+	local hit_two_in_row = stp_normal_pairs[e1, e2]$hit_two_in_row;
+	if ( reverse_exists )
+		hit_two_in_row = hit_two_in_row +
+				stp_normal_pairs[p2, p1]$hit_two_in_row;
+
+	# Criteria 1:
+	#	if ( e1 and e2 share a common host )
+	#		hit_two_in_row >= stp_common_host_thresh
+	#	else
+	#		hit_two_in_row >= stp_random_pair_thresh
+
+	local factor = max_double(1.0,
+				min_count(stp_endps[e1]$idle_cnt,
+					  stp_endps[e2]$idle_cnt) / stp_scale);
+
+	if ( hit_two_in_row < factor * stp_common_host_thresh )
+		return F;
+
+	if ( hit_two_in_row < factor * stp_random_pair_thresh &&
+	     orig_host(e1) != orig_host(e2) && orig_host(e1) != resp_host(e2) &&
+	     resp_host(e1) != orig_host(e2) && resp_host(e1) != resp_host(e2) )
+		return F;
+
+	# Criteria 2:
+	#	hit_ratio >= stp_ratio_thresh
+
+	local hit_ratio: double;
+	if ( reverse_exists &&
+	     stp_normal_pairs[p2, p1]$hit > stp_normal_pairs[e1, e2]$hit )
+		hit_ratio = (1.0 * stp_normal_pairs[p2, p1]$hit) /
+				min_count(stp_endps[p1]$idle_cnt,
+					  stp_endps[p2]$idle_cnt);
+	else
+		hit_ratio = (1.0 * stp_normal_pairs[e1, e2]$hit) /
+				min_count(stp_endps[e1]$idle_cnt,
+					  stp_endps[e2]$idle_cnt);
+
+	if ( hit_ratio < stp_ratio_thresh )
+		return F;
+
+	stp_normal_pairs[e1, e2]$is_stp = T;
+	event Stepping::stepping_stone(build_conn(e1), build_conn(e2), "timing");
+
+	return T;
+	}
+
+function reverse_id(id: conn_id): conn_id
+	{
+	local rid: conn_id;
+
+	rid$orig_h = id$resp_h;
+	rid$orig_p = id$resp_p;
+	rid$resp_h = id$orig_h;
+	rid$resp_p = id$orig_p;
+
+	return rid;
+	}
+
+event stp_create_endp(c: connection, e: int, is_orig: bool)
+	{
+	local end_i: endp_info;
+
+	end_i$conn = c;
+	end_i$id = is_orig ? c$id : reverse_id(c$id);
+	end_i$resume_time = end_i$old_resume_time = 0.0;
+	end_i$idle_cnt = 0;
+
+	stp_endps[e] = end_i;
+	}
+
+event stp_resume_endp(e: int)
+	{
+	stp_endps[e]$old_resume_time = stp_endps[e]$resume_time;
+	stp_endps[e]$resume_time = network_time();
+	++stp_endps[e]$idle_cnt;
+	}
+
+event stp_correlate_pair(e1: int, e2: int)
+	{
+	local normal = T;
+
+	if ( [e1, e2] in stp_normal_pairs )
+		;
+
+	else if ( [e1, e2] in stp_weird_pairs )
+		normal = F;
+
+	else
+		{
+		# An endpoint pair is considered weird, iff:
+		#	the two flows both originated at same host, or
+		#	both terminated at same host, or
+		#	at least one flow is within a single host, or
+		#	two flows share an endpoint (host, port)
+
+		if ( orig_host(e1) == orig_host(e2) || resp_host(e1) == resp_host(e2) ||
+		     orig_host(e1) == resp_host(e1) || orig_host(e2) == resp_host(e2) ||
+		     (orig_host(e1) == resp_host(e2) && orig_port(e1) == resp_port(e2)) ||
+		     (resp_host(e1) == orig_host(e2) && resp_port(e1) == orig_port(e2)) )
+			{
+			stp_create_weird_pair(e1, e2);
+			normal = F;
+			}
+		else
+			stp_create_normal_pair(e1, e2);
+		}
+
+	if ( normal )
+		stp_correlate_normal_pair(e1, e2);
+	else
+		stp_correlate_weird_pair(e1, e2);
+	}
+
+event stp_remove_pair(e1: int, e2: int)
+	{
+	delete stp_normal_pairs[e1, e2];
+	delete stp_weird_pairs[e1, e2];
+	}
+
+event stp_remove_endp(e: int)
+	{
+	delete stp_endps[e];
+	}
+
+
+function report_stone(id1: conn_id, addl1: string, id2: conn_id, addl2: string)
+: string
+	{
+	if ( id1$resp_h == id2$orig_h )
+		# A single-intermediary stepping stone.
+		return fmt("%s -> %s %s-> %s %s",
+				id1$orig_h,
+				endpoint_id(id1$resp_h, id1$resp_p), addl1,
+				endpoint_id(id2$resp_h, id2$resp_p), addl2);
+	else
+		# A multi-intermediary stepping stone.
+		return fmt("%s -> %s %s... %s -> %s %s",
+				id1$orig_h,
+				endpoint_id(id1$resp_h, id1$resp_p), addl1,
+				id2$orig_h,
+				endpoint_id(id2$resp_h, id2$resp_p), addl2);
+	}
+
+event stone_summary(id1: conn_id, id2: conn_id)
+	{
+	if ( ++did_stone_summary[id1$orig_h, id1$orig_p, id1$resp_h, id1$resp_p, id2$orig_h, id2$orig_p, id2$resp_h, id2$resp_p] > 1 )
+		return;
+
+	local detection_type = detected_stones[id1$orig_h, id1$orig_p, id1$resp_h, id1$resp_p, id2$orig_h, id2$orig_p, id2$resp_h, id2$resp_p];
+
+	local report: string;
+
+	if ( detection_type == STONE_DISPLAY )
+		report = "only-display";
+	else if ( detection_type == STONE_LOGIN_BANNER )
+		report = "only-banner";
+	else if ( detection_type == STONE_TIMING )
+		report = "only-timing";
+	else if ( detection_type == STONE_LOGIN_BANNER + STONE_TIMING )
+		report = "stone-both";
+	else
+		report = fmt("stone-other-%d", detection_type);
+
+	print step_log, fmt("%s detected %s %s %d %s %d %s %d %s %d",
+		network_time(), report, id1$orig_h, id1$orig_p, id1$resp_h,
+		id1$resp_p, id2$orig_h, id2$orig_p, id2$resp_h, id2$resp_p);
+	}
+
+event stepping_stone(c1: connection, c2: connection, method: string)
+	{
+	# Put into canonical form: make #1 be the earlier of the two
+	# connections.
+	local id1 = c1$start_time < c2$start_time ? c1$id : c2$id;
+	local id2 = c1$start_time < c2$start_time ? c2$id : c1$id;
+
+	local addl1 = c1$start_time < c2$start_time ? c1$addl : c2$addl;
+	local addl2 = c1$start_time < c2$start_time ? c2$addl : c1$addl;
+
+	if ( id1$orig_h == id2$orig_h || id1$resp_h == id2$resp_h )
+		# of the form A->B, A->C ; or B->A, C->A ; uninteresting.
+		return;
+
+	local tag = fmt("stp.%d", ++num_stp_pairs);
+	local prelude = fmt("%.6f step %s (%s)", network_time(),  num_stp_pairs, method);
+
+	local stone_type = (method == "display" ? STONE_DISPLAY :
+				(method == "login-tag" ? STONE_LOGIN_BANNER :
+					STONE_TIMING));
+
+	local current_stones = detected_stones[id1$orig_h, id1$orig_p, id1$resp_h, id1$resp_p, id2$orig_h, id2$orig_p, id2$resp_h, id2$resp_p];
+
+	if ( (current_stones / stone_type) % 2 == 0 )
+		detected_stones[id1$orig_h, id1$orig_p, id1$resp_h, id1$resp_p, id2$orig_h, id2$orig_p, id2$resp_h, id2$resp_p] = current_stones + stone_type;
+
+	schedule 1 day { stone_summary(id1, id2) };
+
+	print step_log, fmt("%s: %s", prelude, report_stone(id1, addl1, id2, addl2));
+
+	local is_ssh1 = id1$orig_p == ssh || id1$resp_p == ssh;
+	local is_ssh2 = id2$orig_p == ssh || id2$resp_p == ssh;
+
+	if ( ! is_ssh1 && is_ssh2 )
+		{ # Inbound clear-text, outbound ssh.
+		if ( [id1$resp_h, addl1] !in skip_clear_ssh_reports )
+			NOTICE([$note=ClearToEncrypted_SS,
+				# The following isn't sufficient for
+				# A->(B->C)->D stepping stones, only A->B->C.
+				$src=c1$id$orig_h, $conn=c2,
+				$user=addl1, $sub=addl2,
+				$msg=fmt("clear -> ssh: %s", report_stone(id1, addl1, id2, addl2))]);
+		}
+
+	if ( ! stp_demux_disabled )
+		{
+		demux_conn(id1, tag, "keys", "server");
+		demux_conn(id2, tag, "keys", "server");
+		}
+	}
diff --git a/policy/summaries/app-summary.bro b/policy/summaries/app-summary.bro
new file mode 100644
index 0000000000..5be50f661a
--- /dev/null
+++ b/policy/summaries/app-summary.bro
@@ -0,0 +1,57 @@
+@load conn-util
+@load conn-app-reduced
+
+global conn_size_table: table[conn_id] of count;
+global conn_size_log = open_log_file("conn-size") &redef;
+
+function add_to_conn_size(id: conn_id, size: count)
+	{
+	if ( id !in conn_size_table )
+		conn_size_table[id] = 0;
+	local previous_size = conn_size_table[id];
+	conn_size_table[id] = conn_size_table[id] + size;
+	if ( conn_size_table[id] < previous_size )
+		{
+		print conn_size_log, fmt("ERROR: %.6f size wrapping around: %s, prev_size = %d, add = %d",
+			network_time(), conn_id_string(id), previous_size, size);
+		}
+	}
+
+event after_connections_state_remove(c: connection)
+	{
+	local id = c$id;
+	local app_size: count;
+	local transport_size: count;
+	if ( id !in conn_size_table )
+		conn_size_table[id] = 0;
+	app_size = conn_size_table[id];
+	transport_size = c$orig$size + c$resp$size;
+	local size_delta: int = transport_size - app_size;
+	local annotation: string = "none";
+	if ( app_size > transport_size )
+		annotation = "negative_transport_overhead";
+	else if ( size_delta > 1000 && 1.0 * size_delta / transport_size > 0.3 )
+		annotation = "suspicious_transport_overhead";
+
+	print conn_size_log, fmt("conn %s app_size %d conn_size %d annotation %s", conn_id_string(id), app_size, transport_size, annotation);
+
+	delete conn_size_table[id];
+	}
+
+event connection_state_remove(c: connection)
+	{
+	event after_connections_state_remove(c);
+	}
+
+function print_app_summary(log: file,
+		id: conn_id, conn_start: time, func: string, start: time,
+		num_req: count, req_size: count, num_resp: count, resp_size: count,
+		extra: string)
+	{
+	add_to_conn_size(id, req_size + resp_size);
+	print log, fmt("conn %s conn_start %.6f app %s app_func %s start %.6f req %d pyld_^ %d reply %d pyld_v %d%s",
+		conn_id_string(id), conn_start, conn_app[id], func, start,
+		num_req, req_size,
+		num_resp, resp_size,
+		byte_len(extra) > 0 ? cat(" ", extra) : "");
+	}
diff --git a/policy/summaries/conn-app-reduced.bro b/policy/summaries/conn-app-reduced.bro
new file mode 100644
index 0000000000..74cce70dee
--- /dev/null
+++ b/policy/summaries/conn-app-reduced.bro
@@ -0,0 +1,37 @@
+@load port-name
+
+# Used to annotate apps for connections on ephemeral ports
+global conn_app: table[conn_id] of string &default =
+	function(id: conn_id): string
+		{
+		local p = is_icmp_port(id$resp_p) ? id$orig_p : id$resp_p;
+		if ( p in port_names )
+			return port_names[p];
+		else
+			return fmt("%s", p);
+		};
+
+redef port_names += {
+	[0/icmp]	= "icmp-echo",
+	[8/icmp]	= "icmp-echo",
+	[3/icmp]	= "icmp-unreach",
+
+	[497/tcp]	= "dantz",
+	[554/tcp]	= "rtsp",
+	[5730/tcp]	= "steltor",	# calendar
+	[[7501/tcp, 7502/tcp, 7503/tcp, 7504/tcp, 7505/tcp,
+	  7506/tcp, 7507/tcp, 7508/tcp, 7509/tcp, 7510/tcp]]
+			= "hpss",
+	[[3128/tcp, 8000/tcp, 8080/tcp, 8888/tcp]] = "http",
+	[8443/tcp]	= "https",
+	[3396/tcp]	= "printer-agent",
+	[13782/tcp]	= "veritas-backup-ctrl",
+	[16384/tcp]	= "connected-backup",
+
+	[67/udp]	= "dhcp-s",	# bootstrap for diskless hosts
+	[68/udp]	= "dhcp-c",	# reply-port
+	[427/udp]	= "srvloc",
+	[11001/udp]	= "metasys",	# cardkey
+	[38293/udp]	= "nav-ping",	# norton anti-virus host discovery
+};
+
diff --git a/policy/summaries/conn-app.bro b/policy/summaries/conn-app.bro
new file mode 100644
index 0000000000..243ad03f36
--- /dev/null
+++ b/policy/summaries/conn-app.bro
@@ -0,0 +1,21 @@
+@load conn-app-reduced
+
+@load ftp
+@load dce-rpc
+
+event new_connection(c: connection)
+	{
+	local id = c$id;
+	if ( [id$resp_h, id$resp_p] in DCE_RPC::dce_rpc_endpoint )
+		{
+		# local uuid = DCE_RPC::dce_rpc_endpoint[id$resp_h, id$resp_p];
+		# conn_app[id] = fmt("dce-rpc-%s",
+		#	 ( uuid in DCE_RPC::dce_rpc_uuid_name ) ?
+		#	 DCE_RPC::dce_rpc_uuid_name[uuid] : "unknown");
+		conn_app[id] = "dce-rpc";
+		}
+	else if ( FTP::is_ftp_data_connection(c) )
+		{
+		conn_app[id] = "ftp-data";
+		}
+	}
diff --git a/policy/summaries/conn-size.bro b/policy/summaries/conn-size.bro
new file mode 100644
index 0000000000..8001911ed6
--- /dev/null
+++ b/policy/summaries/conn-size.bro
@@ -0,0 +1,83 @@
+# const number_of_regions = 32;
+const region_size = 1024 * 1024;	# 1MB
+@load large-conns
+
+global conn_size_log = open_log_file("conn-size") &redef;
+
+function conn_id_string(id: conn_id): string
+	{
+	return fmt("%s/%d=>%s/%s",
+		id$orig_h, id$orig_p,
+		id$resp_h, id$resp_p);
+	}
+
+function report_size_error(c: connection, msg: string)
+	{
+	print conn_size_log, fmt("conn %s start %.6f duration %.6f pkt_^ %d pyld_^ %d pkt_v %d pyld_v %d size_error [%s]",
+		conn_id_string(c$id),
+		c$start_time,
+		c$duration,
+		c$orig$num_pkts, c$orig$size,
+		c$resp$num_pkts, c$resp$size,
+		msg);
+	}
+
+function conn_size(c: connection, is_orig: bool): string
+	{
+	local endp = is_orig ? c$orig : c$resp;
+	local endp_name = is_orig ? "orig" : "resp";
+	local size = endp$size;
+
+	if ( is_tcp_port(c$id$resp_p) )
+		# double check TCP sizes
+		{
+		local est = estimate_flow_size_and_remove(c$id, is_orig);
+		if ( est$have_est )
+			{
+			print conn_size_log,
+				fmt("conn %s endpoint %s size %d low %.0fMB high %.0fMB inconsistent %d",
+					conn_id_string(c$id), endp_name,
+					endp$size,
+					est$lower / 1e6,
+					est$upper / 1e6,
+					est$num_inconsistent);
+
+			if ( est$num_inconsistent > 0 )
+				{
+				report_size_error(c,
+					fmt("%s size error inconsistent %d",
+						endp_name,
+						est$num_inconsistent));
+				return "-";
+				}
+
+			if ( size < est$lower || size > est$upper )
+				{
+				report_size_error(c,
+					fmt("%s size error estimates: %.0fMB - %.0fMB",
+						endp_name,
+						est$lower / 1e6,
+						est$upper / 1e6));
+				return "-";
+				}
+			}
+		}
+	else if ( is_udp_port(c$id$resp_p) )
+		{
+		if ( endp$num_pkts > size && size != 0 )
+			{
+			report_size_error(c,
+				fmt("%s size error: pkt > size",
+					endp_name));
+			return "-";
+			}
+		}
+
+	return fmt("%d", size);
+	}
+
+event connection_state_remove(c: connection)
+	{
+	local orig_size = conn_size(c, T);
+	local resp_size = conn_size(c, F);
+	}
diff --git a/policy/summaries/conn-summary.bro b/policy/summaries/conn-summary.bro
new file mode 100644
index 0000000000..dc89e49acc
--- /dev/null
+++ b/policy/summaries/conn-summary.bro
@@ -0,0 +1,99 @@
+@load conn-util
+# @load conn-app
+# @load smb-tag
+# @load dce-rpc-tag
+
+module ConnSummary;
+
+# redef capture_filters += { ["TUI"] = "tcp or udp or icmp" };
+redef capture_filters = { ["ip"] = "ip" };	# to also capture IP fragments
+# redef SMB_tag::log_smb_tags = F;
+# redef DCE_RPC_tag::log_dce_rpc_tags = F;
+
+global conn_summary_log = open_log_file("conn-summary") &redef;
+
+global conn_annotation: table[conn_id] of string &default = "";
+
+function add_to_conn_annotation(cid: conn_id, new_annotation: string)
+	{
+	local a: string;
+	if ( cid in conn_annotation )
+		conn_annotation[cid] =
+			cat(conn_annotation[cid], ",", new_annotation);
+	else
+		conn_annotation[cid] = new_annotation;
+	}
+
+# II. Annotation events
+event new_connection(c: connection)
+	{
+	if ( is_tcp_port(c$id$resp_p) )
+		{
+		if ( c$orig$state != TCP_SYN_SENT )
+			{
+			# add_to_conn_annotation(c$id, "partial");
+			}
+		}
+	}
+
+event partial_connection(c: connection)
+	{
+	add_to_conn_annotation(c$id, "partial");
+	}
+
+event connection_established(c: connection)
+	{
+	if ( c$orig$state == TCP_ESTABLISHED && c$resp$state == TCP_ESTABLISHED )
+		{
+		add_to_conn_annotation(c$id, "established");
+		}
+	}
+
+event connection_rejected(c: connection)
+	{
+	add_to_conn_annotation(c$id, "rejected");
+	}
+
+event connection_reset(c: connection)
+	{
+	add_to_conn_annotation(c$id, "reset");
+	}
+
+event connection_attempt(c: connection)
+	{
+	add_to_conn_annotation(c$id, "attempt");
+	}
+
+event connection_finished(c: connection)
+	{
+	add_to_conn_annotation(c$id, "finished");
+	}
+
+event icmp_unreachable(c: connection, icmp: icmp_conn, code: count, context: icmp_context)
+	{
+	add_to_conn_annotation(context$id, "unreach");
+	}
+
+event icmp_time_exceeded(c: connection, icmp: icmp_conn, code: count, context: icmp_context)
+	{
+	add_to_conn_annotation(context$id, "time_exceeded");
+	}
+
+event connection_state_remove(c: connection)
+	{
+	# local tag_smb = get_smb_tag(c$id);
+	# local tag_dce_rpc = get_dce_rpc_tag(c$id);
+
+	print conn_summary_log, fmt("conn %s start %.6f duration %.6f app %s pkt_^ %d pyld_^ %d pkt_v %d pyld_v %d state %s notes [%s]",
+		conn_id_string(c$id),
+		c$start_time,
+		c$duration,
+		conn_app[c$id],
+		c$orig$num_pkts, c$orig$size,
+		c$resp$num_pkts, c$resp$size,
+		conn_state(c, get_port_transport_proto(c$id$resp_p)),
+		conn_annotation[c$id]);
+
+	delete conn_annotation[c$id];
+	delete conn_app[c$id];
+	}
diff --git a/policy/summaries/conn-util.bro b/policy/summaries/conn-util.bro
new file mode 100644
index 0000000000..623ca04955
--- /dev/null
+++ b/policy/summaries/conn-util.bro
@@ -0,0 +1,55 @@
+function conn_id_string(id: conn_id): string
+	{
+	return fmt("%s/%d=>%s/%s",
+		id$orig_h, id$orig_p,
+		id$resp_h, id$resp_p);
+	}
+
+function connection_state(c: connection, trans: transport_proto): string
+	{
+	local os = c$orig$state;
+	local rs = c$resp$state;
+
+	local o_inactive = os == TCP_INACTIVE || os == TCP_PARTIAL;
+	local r_inactive = rs == TCP_INACTIVE || rs == TCP_PARTIAL;
+
+	if ( trans == tcp )
+		{
+		if ( rs == TCP_RESET )
+			{
+			if ( os == TCP_SYN_SENT || os == TCP_SYN_ACK_SENT ||
+			     (os == TCP_RESET &&
+			      c$orig$size == 0 && c$resp$size == 0) )
+				return "REJ";
+			else if ( o_inactive )
+				return "RSTRH";
+			else
+				return "RSTR";
+			}
+		else if ( os == TCP_RESET )
+			return r_inactive ? "RSTOS0" : "RSTO";
+		else if ( rs == TCP_CLOSED && os == TCP_CLOSED )
+			return "SF";
+		else if ( os == TCP_CLOSED )
+			return r_inactive ? "SH" : "S2";
+		else if ( rs == TCP_CLOSED )
+			return o_inactive ? "SHR" : "S3";
+		else if ( os == TCP_SYN_SENT && rs == TCP_INACTIVE )
+			return "S0";
+		else if ( os == TCP_ESTABLISHED && rs == TCP_ESTABLISHED )
+			return "S1";
+		else
+			return "OTH";
+		}
+
+	else if ( trans == udp )
+		{
+		if ( os == UDP_ACTIVE )
+			return rs == UDP_ACTIVE ? "SF" : "S0";
+		else
+			return rs == UDP_ACTIVE ? "SHR" : "OTH";
+		}
+
+	else
+		return "OTH";
+	}
diff --git a/policy/summaries/dce-rpc-summary.bro b/policy/summaries/dce-rpc-summary.bro
new file mode 100644
index 0000000000..0d6ffecf96
--- /dev/null
+++ b/policy/summaries/dce-rpc-summary.bro
@@ -0,0 +1,93 @@
+@load conn-util
+@load dce-rpc
+@load app-summary
+
+module DCE_RPC_summary;
+
+global log = open_log_file("dce-rpc-summary") &redef;
+
+type dce_rpc_transaction: record {
+	connection_id: conn_id;
+	conn_start: time;
+	uuid: string;
+	opnum: count;
+	start: time;
+	num_req: count;
+	req_size: count;
+	num_resp: count;
+	resp_size: count;
+};
+
+global conn_uuid: table[conn_id] of string &default = DCE_RPC::null_uuid;
+global dce_rpc_trans_table: table[conn_id] of dce_rpc_transaction;
+# global msg_size: table[conn_id, bool] of count;
+
+function end_dce_rpc_transaction(id: conn_id)
+	{
+	if ( id !in dce_rpc_trans_table )
+		return;
+
+	local t = dce_rpc_trans_table[id];
+	local ifname = DCE_RPC::dce_rpc_uuid_name[t$uuid];
+	local func_name = DCE_RPC::dce_rpc_func_name[ifname, t$opnum];
+	print_app_summary(log,
+		t$connection_id,
+		t$conn_start,
+		fmt("%s/%s", ifname, func_name),
+		t$start,
+		t$num_req, t$req_size,
+		t$num_resp, t$resp_size,
+		fmt("ifname %s", ifname));
+
+	delete dce_rpc_trans_table[id];
+	}
+
+function new_dce_rpc_transaction(c: connection, uuid: string, opnum: count): dce_rpc_transaction
+	{
+	local id = c$id;
+
+	# End any previous trans
+	end_dce_rpc_transaction(id);
+
+	local t = [
+		$connection_id = id, $conn_start = c$start_time,
+		$uuid = uuid, $opnum = opnum,
+		$start = network_time(),
+		$num_req = 0, $req_size = 0,
+		$num_resp = 0, $resp_size = 0];
+
+	dce_rpc_trans_table[id] = t;
+	return t;
+	}
+
+event dce_rpc_message(c: connection, is_orig: bool, ptype: dce_rpc_ptype, msg: string)
+	{
+	# msg_size[c$id, is_orig] = byte_len(msg);
+	}
+
+event dce_rpc_bind(c: connection, uuid: string)
+	{
+	conn_uuid[c$id] = uuid;
+	}
+
+event dce_rpc_request(c: connection, opnum: count, stub: string)
+	{
+	local t = new_dce_rpc_transaction(c, conn_uuid[c$id], opnum);
+	++t$num_req;
+	t$req_size = t$req_size + byte_len(stub);
+	# t$req_size = t$req_size + msg_size[c$id, T];
+	}
+
+event dce_rpc_response(c: connection, opnum: count, stub: string)
+	{
+	local t = dce_rpc_trans_table[c$id];
+	++t$num_resp;
+	t$resp_size = t$resp_size + byte_len(stub);
+	# t$resp_size = t$resp_size + msg_size[c$id, F];
+	}
+
+event connection_state_remove(c: connection)
+	{
+	if ( c$id in dce_rpc_trans_table )
+		end_dce_rpc_transaction(c$id);
+	}
diff --git a/policy/summaries/dce-rpc-tag.bro b/policy/summaries/dce-rpc-tag.bro
new file mode 100644
index 0000000000..b74aaa704b
--- /dev/null
+++ b/policy/summaries/dce-rpc-tag.bro
@@ -0,0 +1,68 @@
+@load conn-util
+@load dce-rpc
+
+redef capture_filters += {
+	["dce-rpc"] = "tcp or udp",
+};
+
+global dce_rpc_tag: table[conn_id] of string &default = "";
+
+const log_dce_rpc_tags = T &redef;
+function get_dce_rpc_tag(id: conn_id): string
+	{
+	if ( id in dce_rpc_tag )
+		return dce_rpc_tag[id];
+	else
+		return "";
+	}
+
+module DCE_RPC_tag;
+
+global log = open_log_file("dce_rpc-tag") &redef;
+
+function add_to_dce_rpc_tag(c: connection, name: string): bool
+	{
+	local id = c$id;
+	local orig_tag = dce_rpc_tag[id];
+
+	if ( orig_tag == "" )
+		{
+		dce_rpc_tag[id] = name;
+		}
+	else if ( strstr(orig_tag, name) == 0 )
+		{
+		dce_rpc_tag[id] = cat(orig_tag, ",", name);
+		}
+
+	return T;
+	}
+
+# Deficiency: it only looks at the bind request, but not the reply, so we
+# do not know if the bind is successful.
+
+event dce_rpc_bind(c: connection, uuid: string)
+	{
+	local if_name = DCE_RPC::dce_rpc_uuid_name[uuid];
+	if ( log_dce_rpc_tags )
+		print log, fmt("%.6f %s DCE_RPC_Bind: %s",
+			network_time(), id_string(c$id), if_name);
+	add_to_dce_rpc_tag(c, if_name);
+	}
+
+event delete_dce_rpc_tag(c: connection)
+	{
+	delete dce_rpc_tag[c$id];
+	}
+
+event connection_state_remove(c: connection)
+	{
+	if ( c$id in dce_rpc_tag )
+		{
+		if ( log_dce_rpc_tags )
+			print log, fmt("conn %s start %.6f DCE/RPC [%s]",
+				conn_id_string(c$id),
+				c$start_time,
+				dce_rpc_tag[c$id]);
+		event delete_dce_rpc_tag(c);
+		}
+	}
diff --git a/policy/summaries/dns-common-summary.bro b/policy/summaries/dns-common-summary.bro
new file mode 100644
index 0000000000..14d4187d3f
--- /dev/null
+++ b/policy/summaries/dns-common-summary.bro
@@ -0,0 +1,245 @@
+@load conn-util
+@load app-summary
+@load dns-info
+
+module DNS_common_summary;
+
+
+export {
+
+	global dns_summary_log = open_log_file("dns-common-summary") &redef;
+
+	const server_ports = {
+		53/udp, 53/tcp, 137/udp,
+	} &redef;
+}
+
+redef capture_filters += {
+	["dns"] = "port 53",
+	["netbios-ns"] = "udp port 137",
+};
+
+const dns_op_name = {
+	[0] = "QUERY",
+	[1] = "IQUERY",
+	[2] = "STATUS",
+	[5] = "NB_REGISTER",
+	[6] = "NB_RELEASE",
+	[7] = "NB_WACK",
+	[8] = "NB_REFRESH",
+} &default = function(op: count): string
+	{
+	return fmt("op-%d", op);
+	};
+
+function dns_qtype(qtype: int, server_port: port): string
+	{
+	if ( qtype < 0 )
+		return "none";
+
+	if ( server_port == 137/udp )
+		{
+		if ( qtype == 32 )
+			return "NB";
+		if ( qtype == 33 )
+			return "NBSTAT";
+		}
+
+	return query_types[int_to_count(qtype)];
+	}
+
+function dns_rcode(rcode: int): string
+	{
+	return ( rcode < 0 ) ? "none" :
+		base_error[int_to_count(rcode)];
+	}
+
+const netbios_host_type = {
+	["00"] = "workstation",
+	["03"] = "messenger",
+	["1b"] = "domain_master_browser",
+	["20"] = "server",
+	["1c"] = "domain_group",
+	["1d"] = "master_browser_group",
+	["1e"] = "group",
+} &default = function(t: string): string { return t; };
+
+const dns_transaction_timeout = 30 sec &redef;
+
+type dns_transaction: record {
+	connection_id: conn_id;
+	conn_start: time;
+	func: string;
+	start: time;
+	num_req: count;
+	req_size: count;
+	num_resp: count;
+	resp_size: count;
+
+	num_q: count;
+	qtype: string;
+	query: string;
+	host_type: string;
+	rcode: string;
+	resp_time: time;	# of the first resp
+};
+
+# Use only the client addr and transaction id for index, because
+# Netbios/NS clients sometimes send to broadcast address
+type dns_trans_index: record {
+	client: addr;
+	client_port: port;
+	id: count;
+	server: addr;
+	server_port: port;
+};
+global dns_trans_table: table[dns_trans_index] of dns_transaction;
+
+function fmt_list(x: string): string
+	{
+	if ( strstr(x, ",") > 0 )
+		return cat("[", x, "]");
+	else
+		return x;
+	}
+
+event expire_DNS_transaction(ind: dns_trans_index)
+	{
+	if ( ind !in dns_trans_table )
+		return;
+
+	local t = dns_trans_table[ind];
+	if ( ind$server_port in server_ports )
+		{
+		print_app_summary(dns_summary_log,
+			t$connection_id,
+			t$conn_start,
+			t$func, t$start,
+			t$num_req, t$req_size,
+			t$num_resp, t$resp_size,
+			fmt("qtype %s return %s query '%s' host_type %s latency %.6f",
+				fmt_list(t$qtype), fmt_list(t$rcode),
+				fmt_list(gsub(t$query, / /, "_")),
+				fmt_list(t$host_type),
+				t$resp_time >= t$start ? t$resp_time - t$start : -1 sec));
+		}
+	delete dns_trans_table[ind];
+	}
+
+function lookup_dns_transaction(c: connection, msg: dns_msg, is_orig: bool): dns_transaction
+	{
+	local id = c$id;
+	local client: addr;
+	local server: addr;
+	local client_port: port;
+	local server_port: port;
+
+	if ( ( ! msg$QR && is_orig ) || ( msg$QR && ! is_orig ) )
+		{
+		client = id$orig_h;
+		client_port = id$orig_p;
+		server = id$resp_h;
+		server_port = id$resp_p;
+		}
+	else
+		{
+		client = id$resp_h;
+		client_port = id$resp_p;
+		server = id$orig_h;
+		server_port = id$orig_p;
+		}
+
+	# print fmt("%.6f client %s server %s", network_time(), client, server);
+
+	# Netbios queries are sometimes sent to broadcast addresses,
+	# so we ignore the server part
+	if ( server_port == 137/udp )
+		server = 0.0.0.0;
+
+	local ind = [$client = client, $client_port = client_port,
+			$id = msg$id,
+			$server = server, $server_port = server_port];
+
+	if ( ind !in dns_trans_table )
+		{
+		local t = [
+			$connection_id = id,
+			$conn_start = c$start_time,
+			$func = dns_op_name[msg$opcode],
+			$start = network_time(),
+			$num_req = 0, $req_size = 0,
+			$num_resp = 0, $resp_size = 0,
+			$num_q = 0,
+			$qtype = "none",
+			$query = "none", $host_type = "none",
+			$rcode = "none",
+			$resp_time = network_time() - 1 sec];
+		dns_trans_table[ind] = t;
+		}
+
+	schedule dns_transaction_timeout {
+		expire_DNS_transaction(ind)
+		};
+
+	return dns_trans_table[ind];
+	}
+
+event dns_message(c: connection, is_orig: bool, msg: dns_msg, len: count)
+	{
+	local t = lookup_dns_transaction(c, msg, is_orig);
+	if ( ! msg$QR )
+		{
+		++t$num_req;
+		t$req_size = t$req_size + len;
+		}
+	else
+		{
+		local rcode = dns_rcode(msg$rcode);
+		if ( t$rcode == "none" )
+			t$rcode = rcode;
+		else if ( t$rcode != rcode )
+			t$rcode = cat(t$rcode, ",", rcode);
+		++t$num_resp;
+		t$resp_size = t$resp_size + len;
+		if ( t$num_resp == 1 )
+			t$resp_time = network_time();
+		}
+	}
+
+function append_query(t: dns_transaction, query: string, host_type: string, qtype: string)
+	{
+	++t$num_q;
+	if ( t$num_q == 1 )
+		{
+		t$qtype = qtype;
+		t$query = query;
+		t$host_type = host_type;
+		}
+	else
+		{
+		if ( qtype != t$qtype )
+			t$qtype = cat(t$qtype, ",", qtype);
+		if ( query != t$query )
+			t$query = cat(t$query, ",", query);
+		if ( host_type != t$host_type )
+			t$host_type = cat(t$host_type, ",", host_type);
+		}
+	}
+
+event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count)
+	{
+	local host_type = "n/a";
+	if ( c$id$resp_p == 137/udp )
+		{
+		query = decode_netbios_name(query);
+		local last_byte = sub_bytes(query, byte_len(query) - 2, 2);
+		host_type = netbios_host_type[last_byte];
+		}
+
+	# print log, fmt("conn %s start %.6f op %d qtype 0x%x name [%s]",
+	#	conn_id_string(c$id), network_time(),
+	#	msg$opcode, qtype, query);
+
+	local t = lookup_dns_transaction(c, msg, T);
+	append_query(t, query, host_type, dns_qtype(qtype, c$id$resp_p));
+	}
diff --git a/policy/summaries/dns-summary.bro b/policy/summaries/dns-summary.bro
new file mode 100644
index 0000000000..327f2f5032
--- /dev/null
+++ b/policy/summaries/dns-summary.bro
@@ -0,0 +1,8 @@
+@load dns-common-summary
+
+redef DNS_common_summary::log = open_log_file("dns-summary");
+redef DNS_common_summary::server_ports = { 53/udp, 53/tcp };
+
+redef capture_filters = {
+	["dns"] = "port 53",
+};
diff --git a/policy/summaries/http-rps-summary.bro b/policy/summaries/http-rps-summary.bro
new file mode 100644
index 0000000000..0241a886b7
--- /dev/null
+++ b/policy/summaries/http-rps-summary.bro
@@ -0,0 +1,171 @@
+# $Id:$
+
+@load http
+@load app-summary
+
+redef capture_filters = {
+	["http"] = "tcp port 80 or tcp port 8080 or tcp port 8000 or tcp port 8888 or tcp port 3128",
+};
+
+module HTTP_req_per_session;
+
+export {
+	global log = open_log_file("http-rps-summary") &redef;
+	const http_session_idle_timeout = 1 sec &redef;
+}
+
+type http_session: record {
+	# standard stuff
+	connection_id: conn_id;		# of the first conn
+	conn_start: time;
+	func: string;
+	start: time;
+	num_req: count;
+	req_size: count;
+	num_resp: count;
+	resp_size: count;
+
+	# for timeout
+	unfinished_req: count;
+	unfinished_resp: count;
+	last_time: time;
+};
+
+global expire_http_session: function(
+	tbl: table[addr] of http_session, index: addr): interval;
+
+global http_ssn_table: table[addr] of http_session
+	&read_expire = http_session_idle_timeout
+	&expire_func = expire_http_session;
+
+function new_http_session(c: connection): http_session
+	{
+	local t = [
+		$connection_id = c$id,
+		$conn_start = c$start_time,
+		$func = "unknown",
+		$start = network_time(),
+		$num_req = 0, $req_size = 0,
+		$num_resp = 0, $resp_size = 0,
+		$unfinished_req = 0, $unfinished_resp = 0,
+		$last_time = network_time()];
+
+	return t;
+	}
+
+function lookup_http_session(c: connection, is_orig: bool): http_session
+	{
+	local id = c$id;
+	local index = id$orig_h;
+
+	if ( index !in http_ssn_table )
+		{
+		if ( ! is_orig )
+			print fmt("%.6f HTTP session not found for a resposne",
+				network_time(), conn_id_string(id));
+
+		http_ssn_table[index] = new_http_session(c);
+		}
+
+	return http_ssn_table[index];
+	}
+
+function end_http_session(t: http_session)
+	{
+	print_app_summary(log, t$connection_id, t$conn_start, t$func, t$start,
+		t$num_req, t$req_size,
+		t$num_resp, t$resp_size,
+		fmt("duration %.6f", t$last_time - t$start));
+	}
+
+function check_expiration(t: http_session): bool
+	{
+	print fmt("%.6f check expiration http_session %s: %.6f %d,%d %d,%d",
+		network_time(), conn_id_string(t$connection_id),
+		t$last_time,
+		t$num_req, t$num_resp,
+		t$unfinished_req, t$unfinished_resp);
+
+	if ( network_time() - t$last_time < http_session_idle_timeout
+	     || ( t$unfinished_req + t$unfinished_resp > 0 &&
+	          network_time() - t$last_time < 15 min &&
+		  ! done_with_network ) )
+		{
+		print fmt("do not expire");
+		return F;
+		}
+
+	end_http_session(t);
+	return T;
+	}
+
+function expire_http_session(tbl: table[addr] of http_session,
+		index: addr): interval
+	{
+	local t = tbl[index];
+	if ( ! check_expiration(t) )
+		{
+		print fmt("... no, wait one more second: %d, %d",
+			t$unfinished_req, t$unfinished_resp);
+		return 1 sec;
+		}
+	return 0 sec;
+	}
+
+event http_request(c: connection, method: string, original_URI: string, unescaped_URI: string, version: string)
+	{
+	local t = lookup_http_session(c, T);
+	if ( check_expiration(t) )
+		{
+		delete http_ssn_table[c$id$orig_h];
+		t = lookup_http_session(c, T);
+		}
+	t$func = method;
+	++t$num_req;
+	++t$unfinished_req;
+	t$last_time = network_time();
+	}
+
+event http_reply(c: connection, version: string, code: count, reason: string)
+	{
+	# print fmt("http reply");
+	local t = lookup_http_session(c, F);
+	++t$num_resp;
+	++t$unfinished_resp;
+	t$last_time = network_time();
+	}
+
+function http_request_done(c: connection, stat: http_message_stat)
+	{
+	# print fmt("http request done");
+	local t = lookup_http_session(c, T);
+	t$req_size = t$req_size + stat$body_length;
+	if ( t$unfinished_req > 0 )
+		--t$unfinished_req;
+	t$last_time = network_time();
+	}
+
+function http_reply_done(c: connection, stat: http_message_stat)
+	{
+	local t = lookup_http_session(c, F);
+	t$resp_size = t$resp_size + stat$body_length;
+	if ( t$unfinished_resp > 0 )
+		--t$unfinished_resp;
+	t$last_time = network_time();
+	}
+
+event http_message_done(c: connection, is_orig: bool, stat: http_message_stat)
+	{
+	if ( is_orig )
+		http_request_done(c, stat);
+	else
+		http_reply_done(c, stat);
+	}
+
+event bro_done()
+	{
+	for ( index in http_ssn_table )
+		{
+		end_http_session(http_ssn_table[index]);
+		}
+	}
diff --git a/policy/summaries/http-summary.bro b/policy/summaries/http-summary.bro
new file mode 100644
index 0000000000..1f6c1219e4
--- /dev/null
+++ b/policy/summaries/http-summary.bro
@@ -0,0 +1,281 @@
+@load http
+@load app-summary
+
+redef capture_filters = {
+	["http"] = "tcp port 80 or tcp port 8080 or tcp port 8000 or tcp port 8888 or tcp port 3128",
+	["ipp"] = "tcp port 631",
+};
+
+module HTTP_summary;
+
+global log = open_log_file("http-summary") &redef;
+
+type http_transaction: record {
+	# standard stuff
+	connection_id: conn_id;
+	conn_start: time;
+	func: string;
+	start: time;
+	num_req: count;
+	req_size: count;
+	num_resp: count;
+	resp_size: count;
+
+	# for tracking the state
+	req_done: bool;
+	resp_done: bool;
+	done: bool;
+
+	# http-specific stuff
+	code: count;
+	req_content_type: string;
+	resp_content_type: string;
+	conditional_get: string;
+	user_agent: string;
+	cache_control: string;
+	last_modified: string;
+	etag: string;
+};
+
+type http_trans_group: record {
+	trans: table[count] of http_transaction;
+	first_req: count;
+	last_req: count;
+};
+
+global http_trans_table: table[conn_id] of http_trans_group;
+
+function lookup_http_trans_group(id: conn_id, create: bool): http_trans_group
+	{
+	if ( id !in http_trans_table )
+		{
+		if ( create )
+			{
+			local trans: table[count] of http_transaction;
+			http_trans_table[id] = [
+				$trans = trans, $first_req = 1, $last_req = 0];
+			}
+		else
+			print fmt("HTTP trans_group not found: %s", conn_id_string(id));
+		}
+
+	return http_trans_table[id];
+	}
+
+function new_http_transaction(c: connection, func: string): http_transaction
+	{
+	# print fmt("new http trans: %.6f %s", network_time(), func);
+	local g = lookup_http_trans_group(c$id, T);
+
+	local t = [
+		$connection_id = c$id,
+		$conn_start = c$start_time,
+		$func = func,
+		$start = network_time(),
+		$num_req = 0, $req_size = 0,
+		$num_resp = 0, $resp_size = 0,
+		$req_done = F, $resp_done = F, $done = F,
+		$code = 0,
+		$req_content_type = "none",
+		$resp_content_type = "none",
+		$conditional_get = "no",
+		$user_agent = "none",
+		$cache_control = "none",
+		$last_modified = "none",
+		$etag = "none"];
+
+	++g$last_req;
+	g$trans[g$last_req] = t;
+
+	return t;
+	}
+
+function lookup_http_transaction(id: conn_id, is_orig: bool): http_transaction
+	{
+	local g = lookup_http_trans_group(id, F);
+	local index = is_orig ? g$last_req : g$first_req;
+
+	if ( index !in g$trans )
+		{
+		print fmt("HTTP transaction not found: %s : %d-%d",
+			conn_id_string(id), g$first_req, g$last_req);
+		}
+
+	return g$trans[index];
+	}
+
+function end_http_transaction(t: http_transaction)
+	{
+	if ( t$req_done && t$resp_done )
+		{
+		if ( t$done )
+			return;
+		t$done = T;
+		print_app_summary(log, t$connection_id, t$conn_start, t$func, t$start,
+			t$num_req, t$req_size,
+			t$num_resp, t$resp_size,
+			fmt("code %d content_type_^ %s content_type_v %s conditional_get %s user_agent %s cache_control %s last_modified %s etag %s",
+				t$code,
+				t$req_content_type, t$resp_content_type,
+				t$conditional_get,
+				subst_string(t$user_agent, " ", "_"),
+				subst_string(t$cache_control, " ", ""),
+				t$last_modified == "none" ? "none" : "present",
+				t$etag == "none" ? "none" : "present"
+				));
+		}
+	}
+
+event http_request(c: connection, method: string, original_URI: string, unescaped_URI: string, version: string)
+	{
+	# print fmt("http request");
+	local t = new_http_transaction(c, method);
+	++t$num_req;
+	t$req_done = F;
+	}
+
+event http_reply(c: connection, version: string, code: count, reason: string)
+	{
+	# print fmt("http reply");
+	local id = c$id;
+	local g = lookup_http_trans_group(id, T);
+	local t: http_transaction;
+	if ( g$first_req in g$trans )
+		t = g$trans[g$first_req];
+	else
+		t = new_http_transaction(c, "none");
+
+	++t$num_resp;
+	t$code = code;
+	t$resp_done = F;
+	}
+
+function http_request_done(c: connection, stat: http_message_stat)
+	{
+	# print fmt("http request done");
+	local t = lookup_http_transaction(c$id, T);
+	t$req_size = t$req_size + stat$body_length;
+	t$req_done = T;
+	end_http_transaction(t);
+	}
+
+function http_reply_done(c: connection, stat: http_message_stat)
+	{
+	# print fmt("http reply done");
+	local t = lookup_http_transaction(c$id, F);
+	t$resp_size = t$resp_size + stat$body_length;
+	if ( t$code >= 200 )
+		{
+		t$resp_done = T;
+		end_http_transaction(t);
+		local g = lookup_http_trans_group(t$connection_id, F);
+		++g$first_req;
+		}
+	}
+
+event http_message_done(c: connection, is_orig: bool, stat: http_message_stat)
+	{
+	if ( is_orig )
+		http_request_done(c, stat);
+	else
+		http_reply_done(c, stat);
+	}
+
+event http_content_type(c: connection, is_orig: bool, ty: string, subty: string)
+	{
+	local t = lookup_http_transaction(c$id, is_orig);
+	local type_str = fmt("%s/%s", ty, subty);
+	if ( is_orig )
+		t$req_content_type = type_str;
+	else
+		t$resp_content_type = type_str;
+	}
+
+function http_conditional_get(c: connection, is_orig: bool, h: mime_header_rec)
+	{
+	local t = lookup_http_transaction(c$id, is_orig);
+	t$conditional_get = h$name;
+	}
+
+function http_user_agent(c: connection, is_orig: bool, h: mime_header_rec)
+	{
+	local t = lookup_http_transaction(c$id, is_orig);
+	t$user_agent = h$value;
+	}
+
+function http_cache_control(c: connection, is_orig: bool, h: mime_header_rec)
+	{
+	local t = lookup_http_transaction(c$id, is_orig);
+	t$cache_control = h$value;
+	}
+
+function http_last_modified(c: connection, is_orig: bool, h: mime_header_rec)
+	{
+	local t = lookup_http_transaction(c$id, is_orig);
+	t$last_modified = h$value;
+	}
+
+function http_etag(c: connection, is_orig: bool, h: mime_header_rec)
+	{
+	local t = lookup_http_transaction(c$id, is_orig);
+	t$etag = h$value;
+	}
+
+# type mime_header_rec: record {
+#	name: string;
+#	value: string;
+# };
+# type mime_header_list: table[count] of mime_header_rec;
+
+const conditional_get_headers = {
+	"IF-MODIFIED-SINCE",
+	"IF-UNMODIFIED-SINCE",
+	"IF-MATCH",
+	"IF-NONE-MATCH",
+	"IF-RANGE",
+};
+
+event http_all_headers(c: connection, is_orig: bool, hlist: mime_header_list)
+	{
+	if ( ! is_orig )
+		return;
+
+	for ( i in hlist )
+		{
+		local h = hlist[i];
+		if ( h$name in conditional_get_headers )
+			http_conditional_get(c, is_orig, h);
+		if ( h$name == "USER-AGENT" )
+			http_user_agent(c, is_orig, h);
+		if ( h$name == "CACHE-CONTROL" )
+			http_cache_control(c, is_orig, h);
+		if ( h$name == "LAST-MODIFIED" )
+			http_last_modified(c, is_orig, h);
+		if ( h$name == "ETAG" )
+			http_etag(c, is_orig, h);
+		}
+	}
+
+function end_http_trans_group(g: http_trans_group, index: count)
+	{
+	if ( index !in g$trans )
+		return;
+	local t = g$trans[index];
+
+	t$req_done = T;
+	t$resp_done = T;
+	end_http_transaction(t);
+
+	delete g$trans[index];
+	end_http_trans_group(g, index + 1);
+	}
+
+event connection_state_remove(c: connection)
+	{
+	local id = c$id;
+	if ( id in http_trans_table )
+		{
+		end_http_trans_group(http_trans_table[id], 1);
+		delete http_trans_table[id];
+		}
+	}
diff --git a/policy/summaries/ipp-summary.bro b/policy/summaries/ipp-summary.bro
new file mode 100644
index 0000000000..5bc4c3df86
--- /dev/null
+++ b/policy/summaries/ipp-summary.bro
@@ -0,0 +1,3 @@
+@load http-summary
+
+redef HTTP_summary::log = open_log_file("ipp-summary") &redef;
diff --git a/policy/summaries/ncp-summary.bro b/policy/summaries/ncp-summary.bro
new file mode 100644
index 0000000000..89c19c6713
--- /dev/null
+++ b/policy/summaries/ncp-summary.bro
@@ -0,0 +1,78 @@
+@load ncp
+@load app-summary
+
+module NCP_summary;
+
+global ncp_summary_log = open_log_file("ncp-summary") &redef;
+
+type ncp_transaction: record {
+	connection_id: conn_id;
+	conn_start: time;
+	func: string;
+	start: time;
+	num_req: count;
+	req_size: count;
+	num_resp: count;
+	resp_size: count;
+	completion_code: int;	# ... of the first reply
+};
+
+global ncp_trans_table: table[conn_id] of ncp_transaction;
+
+function end_ncp_transaction(id: conn_id)
+	{
+	if ( id !in ncp_trans_table )
+		return;
+
+	local t = ncp_trans_table[id];
+	print_app_summary(ncp_summary_log, t$connection_id, t$conn_start, t$func, t$start,
+		t$num_req, t$req_size,
+		t$num_resp, t$resp_size,
+		fmt("completion_code %d", t$completion_code));
+	}
+
+function new_ncp_transaction(c: connection, func: string): ncp_transaction
+	{
+	local id = c$id;
+
+	# End any previous trans
+	end_ncp_transaction(id);
+
+	local t = [
+		$connection_id = id,
+		$conn_start = c$start_time,
+		$func = func,
+		$start = network_time(),
+		$num_req = 0, $req_size = 0,
+		$num_resp = 0, $resp_size = 0,
+		$completion_code = -1];
+
+	ncp_trans_table[id] = t;
+	return t;
+	}
+
+event ncp_request(c: connection, frame_type: count, length: count, func: count)
+	{
+	local f = ( frame_type == 0x2222 ) ?
+			NCP::ncp_function_name[func] :
+			NCP::ncp_frame_type_name[frame_type];
+
+	local t = new_ncp_transaction(c, f);
+	++t$num_req;
+	t$req_size = t$req_size + length;
+	}
+
+event ncp_reply(c: connection, frame_type: count, length: count, req_frame: count, req_func: count, completion_code: count)
+	{
+	local t = ncp_trans_table[c$id];
+	++t$num_resp;
+	if ( t$num_resp == 1 )
+		t$completion_code = completion_code;
+	t$resp_size = t$resp_size + length;
+	}
+
+event connection_state_remove(c: connection)
+	{
+	if ( c$id in ncp_trans_table )
+		end_ncp_transaction(c$id);
+	}
diff --git a/policy/summaries/ncp-tag.bro b/policy/summaries/ncp-tag.bro
new file mode 100644
index 0000000000..61c63a2f3f
--- /dev/null
+++ b/policy/summaries/ncp-tag.bro
@@ -0,0 +1,26 @@
+@load conn-id
+@load ncp
+
+module NCP_tag;
+
+global log = open_log_file("ncp-tag") &redef;
+
+const ncp_request_type = {
+[ 0x11 ] = "print",
+[ 0x16, 0x68 ] = "directory",
+} &default = function(code: count): string
+	{
+	return fmt("unknown(%x)", code);
+	};
+
+event ncp_request(c: connection, frame_type: count, length: count, func: count)
+	{
+	print log, fmt("%.6f %s NCP request type=%s function=%s",
+		network_time(), id_string(c$id),
+		NCP::ncp_frame_type_name[frame_type],
+		NCP::ncp_function_name[func]);
+	}
+
+event ncp_reply(c: connection, frame_type: count, length: count, completion_code: count)
+	{
+	}
diff --git a/policy/summaries/netbios-ns-summary.bro b/policy/summaries/netbios-ns-summary.bro
new file mode 100644
index 0000000000..3587b9a954
--- /dev/null
+++ b/policy/summaries/netbios-ns-summary.bro
@@ -0,0 +1,9 @@
+@load dns-common-summary
+
+redef DNS_common_summary::dns_summary_log = open_log_file("netbios-ns-summary");
+redef DNS_common_summary::server_ports = { 137/udp };
+
+redef capture_filters += {
+	["netbios-ns"] = "udp port 137",
+};
+
diff --git a/policy/summaries/netbios-ssn-summary.bro b/policy/summaries/netbios-ssn-summary.bro
new file mode 100644
index 0000000000..5166e56baa
--- /dev/null
+++ b/policy/summaries/netbios-ssn-summary.bro
@@ -0,0 +1,112 @@
+@load app-summary
+
+redef capture_filters = {
+	["netbios-ssn"] = "tcp port 139",
+};
+
+module NetbiosSSN_summary;
+
+global netbios_log = open_log_file("netbios-ssn-summary") &redef;
+
+const netbios_msg_types = {
+	[0x0]	= "ssn_message",
+	[0x81]	= "ssn_request",
+	[0x82]	= "positive_resp",
+	[0x83]	= "negative_resp",
+	[0x84]	= "retarget_resp",
+	[0x85]	= "keep_alive",
+} &default = function(msg_type: count): string
+	{
+	return fmt("unknown-0x%x", msg_type);
+	};
+
+type netbios_ssn_transaction: record {
+	connection_id: conn_id;
+	conn_start: time;
+	start: time;
+	num_req: count;
+	req_size: count;
+	num_resp: count;
+	resp_size: count;
+	req_type: string;
+	resp_type: string;	# ... of the first reply
+	raw_ssn_msg: count;
+};
+
+global netbios_ssn_trans_table: table[conn_id] of netbios_ssn_transaction;
+
+function end_netbios_ssn_transaction(id: conn_id)
+	{
+	if ( id !in netbios_ssn_trans_table )
+		return;
+
+	local t = netbios_ssn_trans_table[id];
+	print_app_summary(netbios_log, t$connection_id, t$conn_start,
+		t$req_type, t$start,
+		t$num_req, t$req_size,
+		t$num_resp, t$resp_size,
+		fmt("req_type %s resp_type %s raw %d",
+			t$req_type, t$resp_type, t$raw_ssn_msg));
+
+	delete netbios_ssn_trans_table[id];
+	}
+
+function lookup_netbios_ssn_transaction(c: connection, new_trans: bool): netbios_ssn_transaction
+	{
+	local id = c$id;
+
+	if ( new_trans )
+		{
+		# End any previous trans
+		end_netbios_ssn_transaction(id);
+		}
+
+	if ( id !in netbios_ssn_trans_table )
+		{
+		local t = [
+			$connection_id = id,
+			$conn_start = c$start_time,
+			$start = network_time(),
+			$num_req = 0, $req_size = 0,
+			$num_resp = 0, $resp_size = 0,
+			$req_type = "none", $resp_type = "none",
+			$raw_ssn_msg = 0];
+		netbios_ssn_trans_table[c$id] = t;
+		}
+
+	return netbios_ssn_trans_table[c$id];
+	}
+
+event netbios_ssn_message(c: connection, is_orig: bool, msg_type: count, data_len: count)
+	{
+	local msg_type_name = netbios_msg_types[msg_type];
+	local t: netbios_ssn_transaction;
+	if ( is_orig )
+		{
+		t = lookup_netbios_ssn_transaction(c, T);
+		++t$num_req;
+		if ( t$num_req == 1 )
+			t$req_type = msg_type_name;
+		t$req_size = t$req_size + data_len;
+		}
+	else
+		{
+		t = lookup_netbios_ssn_transaction(c, F);
+		++t$num_resp;
+		if ( t$num_resp == 1 )
+			t$resp_type = msg_type_name;
+		t$resp_size = t$resp_size + data_len;
+		}
+	}
+
+event netbios_session_raw_message(c: connection, is_orig: bool, msg: string)
+	{
+	local t = lookup_netbios_ssn_transaction(c, F);
+	++t$raw_ssn_msg;
+	}
+
+event connection_state_remove(c: connection)
+	{
+	if ( c$id in netbios_ssn_trans_table )
+		end_netbios_ssn_transaction(c$id);
+	}
diff --git a/policy/summaries/nfs-summary.bro b/policy/summaries/nfs-summary.bro
new file mode 100644
index 0000000000..ad1979b33b
--- /dev/null
+++ b/policy/summaries/nfs-summary.bro
@@ -0,0 +1,9 @@
+@load sun-rpc-summary
+
+redef SUN_RPC_summary::log = open_log_file("nfs-summary");
+
+redef capture_filters = {
+	["nfs"] = "port 2049",
+	# UDP packets are often fragmented
+	["nfs-frag"] = "ip[6:2] & 0x1fff != 0",
+};
diff --git a/policy/summaries/rexmit-summary.bro b/policy/summaries/rexmit-summary.bro
new file mode 100644
index 0000000000..9f5c1ef0c9
--- /dev/null
+++ b/policy/summaries/rexmit-summary.bro
@@ -0,0 +1,26 @@
+# Statistical analysis of TCP connection in terms of the packet streams
+# in each direction.
+
+@load conn-util
+
+redef capture_filters = { ["tcp"] = "tcp" };
+redef ignore_keep_alive_rexmit = T;
+
+global log = open_log_file("rexmit-summary") &redef;
+
+const min_num_pkts = 0;
+
+event conn_stats(c: connection, os: endpoint_stats, rs: endpoint_stats)
+	{
+	if ( os$num_pkts < min_num_pkts && rs$num_pkts < min_num_pkts )
+		return;
+
+	print log, fmt("conn %s start %.6f duration %.6f pkt_^ %d rexmit_pkt_^ %d pyld_^ %d rexmit_pyld_^ %d pkt_v %d rexmit_pkt_v %d pyld_v %d rexmit_pyld_v %d",
+		conn_id_string(c$id), c$start_time, c$duration,
+		os$num_pkts, os$num_rxmit,
+		# os$num_pkts == 0 ? 0.0 : 1.0 * os$num_rxmit / os$num_pkts,
+		c$orig$size, os$num_rxmit_bytes,
+		rs$num_pkts, rs$num_rxmit,
+		# rs$num_pkts == 0 ? 0.0 : 1.0 * rs$num_rxmit / rs$num_pkts,
+		c$resp$size, rs$num_rxmit_bytes);
+	}
diff --git a/policy/summaries/smb-summary.bro b/policy/summaries/smb-summary.bro
new file mode 100644
index 0000000000..4ba9c575a0
--- /dev/null
+++ b/policy/summaries/smb-summary.bro
@@ -0,0 +1,251 @@
+@load app-summary
+
+redef capture_filters += {
+	["netbios-dgm"] = "udp port 138",
+	["netbios-ssn"] = "tcp port 139",
+	["microsft-ds"] = "tcp port 445",
+};
+
+module SMB_summary;
+
+global smb_log = open_log_file("smb-summary") &redef;
+global chris_log = open_log_file("chris-summary") &redef;
+
+#const smb_transaction_func = {
+#	["SMB_COM_TRANSACTION", 0x0 ] = "\\PIPE\\LANMAN\\",
+#	["SMB_COM_TRANSACTION", 0x1 ] = "\\MAILSLOT\\",
+#	["SMB_COM_TRANSACTION", 0x54] = "CallNamedPipe",
+#	["SMB_COM_TRANSACTION", 0x53] = "WaitNamedPipe",
+#	["SMB_COM_TRANSACTION", 0x26] = "TransactNmPipe",
+#
+#	["SMB_COM_TRANSACTION2", 0x0] = "TRANS2_OPEN2",
+#	["SMB_COM_TRANSACTION2", 0x1] = "TRANS2_FIND_FIRST2",
+#	["SMB_COM_TRANSACTION2", 0x2] = "TRANS2_FIND_NEXT2",
+#	["SMB_COM_TRANSACTION2", 0x3] = "TRANS2_QUERY_FS_INFORMATION",
+#	["SMB_COM_TRANSACTION2", 0x5] = "TRANS2_QUERY_PATH_INFORMATION",
+#	["SMB_COM_TRANSACTION2", 0x6] = "TRANS2_SET_PATH_INFORMATION",
+#	["SMB_COM_TRANSACTION2", 0x7] = "TRANS2_QUERY_FILE_INFORMATION",
+#	["SMB_COM_TRANSACTION2", 0x8] = "TRANS2_SET_FILE_INFORMATION",
+#	["SMB_COM_TRANSACTION2", 0x0d] = "TRANS2_CREATE_DIRECTORY",
+#	["SMB_COM_TRANSACTION2", 0x0e] = "TRANS2_SESSION_SETUP",
+#	["SMB_COM_TRANSACTION2", 0x10] = "TRANS2_GET_DFS_REFERRAL",
+#} &default = function(cmd: string, subcmd: count): string
+#	{
+#	return fmt("%s/%d", cmd, subcmd);
+#	};
+
+type smb_req_resp: record {
+	connection_id: conn_id;
+	conn_start: time;
+	func: string;
+	cmd: string;
+	start: time;
+	num_req: count;
+	req_size: count;
+	num_resp: count;
+	resp_size: count;
+};
+
+type smb_req_reply_group: record {
+	trans: table[count] of smb_req_resp;
+	first_req: count;
+	last_req: count;
+};
+
+global smb_trans_table: table[conn_id] of smb_req_reply_group;
+
+function lookup_smb_req_reply_group(id: conn_id, create: bool): smb_req_reply_group
+	{
+	if ( id !in smb_trans_table )
+		{
+		if ( create )
+			{
+			local trans: table[count] of smb_req_resp;
+			smb_trans_table[id] = [
+				$trans = trans, $first_req = 1, $last_req = 0];
+			}
+		else
+			print fmt("SMB req_reply_group not found: %s",
+				conn_id_string(id));
+		}
+
+	return smb_trans_table[id];
+	}
+
+function new_smb_req_resp(c: connection, cmd: string): smb_req_resp
+	{
+	local id = c$id;
+	local g = lookup_smb_req_reply_group(id, T);
+
+	if( is_udp_port(id$orig_p) || is_udp_port(id$resp_p) )
+		print fmt("%.6f %s a new req_resp was triggered on a UDP connection!: %s",
+			network_time(), conn_id_string(id), cmd);
+
+	local t = [
+		$connection_id = id, $conn_start = c$start_time,
+		$cmd = cmd, $func = cmd,
+		$start = network_time(),
+		$num_req = 0, $req_size = 0,
+		$num_resp = 0, $resp_size = 0
+		];
+
+	++g$last_req;
+	g$trans[g$last_req] = t;
+
+	return g$trans[g$last_req];
+	}
+
+function end_smb_req_resp(t: smb_req_resp)
+	{
+	print_app_summary(smb_log, t$connection_id, t$conn_start,
+		t$func, t$start,
+		t$num_req, t$req_size,
+		t$num_resp, t$resp_size,
+		fmt("cmd %s", t$cmd));
+	}
+
+function lookup_smb_req_resp(c: connection, is_orig: bool, cmd: string): smb_req_resp
+	{
+	local id = c$id;
+	local g = lookup_smb_req_reply_group(id, T);
+
+	if( is_udp_port(id$orig_p) || is_udp_port(id$resp_p) )
+		print fmt("%.6f %s a lookup was triggered on a UDP connection!: %s",
+			network_time(), conn_id_string(id), cmd);
+
+	if ( g$first_req > g$last_req )
+		{
+		print fmt("%.6f %s request missing: %s",
+			network_time(), conn_id_string(id), cmd);
+		return new_smb_req_resp(c, cmd);
+		}
+
+	if ( is_orig )
+		{
+		return g$trans[g$last_req];
+		}
+	else if ( cmd == "(current)" )
+		{
+		return g$trans[g$first_req];
+		}
+	else
+		{
+		local t = g$trans[g$first_req];
+		if ( g$first_req < g$last_req )
+			{
+			end_smb_req_resp(t);
+			++g$first_req;
+			t = g$trans[g$first_req];
+			}
+		if ( t$cmd != cmd )
+			{
+			if ( g$first_req < g$last_req )
+				return lookup_smb_req_resp(c, is_orig, cmd);
+			print fmt("%.6f %s SMB command-reply mismatch",
+				network_time(), conn_id_string(id));
+			}
+		return t;
+		}
+	}
+
+event smb_message(c: connection, hdr: smb_hdr, is_orig: bool, cmd:
+						string, body_length: count, body : string)
+	{
+	print chris_log, fmt("%.6f %s %s", network_time(), conn_id_string(c$id), cmd);
+
+	local t: smb_req_resp;
+
+	if ( is_udp_port( c$id$orig_p ) || is_udp_port ( c$id$resp_p ) )
+		{
+		# dont need to keep track of UDP smb commands
+		print_app_summary(smb_log, c$id, network_time(),
+			cmd, network_time(),
+			0, 0, 0, 0,
+			fmt("cmd %s", cmd));
+		}
+	else if ( is_orig )
+		{
+		t = new_smb_req_resp(c, cmd);
+		++t$num_req;
+		t$req_size = t$req_size + body_length;
+		}
+	else
+		{
+		t = lookup_smb_req_resp(c, is_orig, cmd);
+		++t$num_resp;
+		t$resp_size = t$resp_size + body_length;
+		}
+	}
+
+event smb_error(c: connection, hdr: smb_hdr,  cmd: count, cmd_str: string, data: string)
+	{
+	print chris_log, fmt("%.6f %s SMB_ERROR:%s", network_time(), conn_id_string(c$id), cmd_str);
+	}
+
+event dce_rpc_bind(c: connection, uuid: string)
+	{
+	local id = c$id;
+	if ( id !in smb_trans_table )
+		return;
+	local t = lookup_smb_req_resp(c, T, "(current)");
+	t$func = "DCE_RPC_BIND";
+	}
+
+event dce_rpc_request(c: connection, opnum: count, stub: string)
+	{
+	local id = c$id;
+	if ( id !in smb_trans_table )
+		return;
+	local t = lookup_smb_req_resp(c, T, "(current)");
+	t$func = "DCE_RPC_CALL";
+	}
+
+event dce_rpc_response(c: connection, opnum: count, stub: string)
+	{
+	local id = c$id;
+	if ( id !in smb_trans_table )
+		return;
+	local t = lookup_smb_req_resp(c, F, "(current)");
+	t$func = "DCE_RPC_CALL";
+	}
+
+event smb_com_transaction(c: connection, hdr: smb_hdr, trans: smb_trans, data: smb_trans_data, is_orig: bool)
+	{
+	if ( is_orig && !is_udp_port( c$id$orig_p ) )
+		{
+		local t = lookup_smb_req_resp(c, T, "(current)");
+		}
+	}
+
+event smb_com_transaction2(c: connection, hdr: smb_hdr, trans: smb_trans, data: smb_trans_data, is_orig: bool)
+	{
+	if ( is_orig && !is_udp_port( c$id$orig_p ) )
+		{
+		local t = lookup_smb_req_resp(c, T, "(current)");
+		}
+	}
+
+function end_smb_req_reply_group(g: smb_req_reply_group, index: count)
+	{
+	if ( index > g$last_req )
+		return;
+
+	if ( index >= g$first_req && index in g$trans )
+		end_smb_req_resp(g$trans[index]);
+
+	if( index in g$trans )
+		{
+		delete g$trans[index];
+		end_smb_req_reply_group(g, index + 1);
+		}
+	}
+
+event connection_state_remove(c: connection)
+	{
+	local id = c$id;
+	if ( !is_udp_port( id$orig_p ) && id in smb_trans_table )
+		{
+		local g = smb_trans_table[id];
+		end_smb_req_reply_group(g, 1);
+		}
+	}
diff --git a/policy/summaries/smb-tag.bro b/policy/summaries/smb-tag.bro
new file mode 100644
index 0000000000..82813b5284
--- /dev/null
+++ b/policy/summaries/smb-tag.bro
@@ -0,0 +1,160 @@
+@load conn-util
+
+redef capture_filters += {
+	["smb"] = "tcp port 445",
+	["netbios-ss"] = "tcp port 139",
+};
+
+global smb_filename_tag: table[conn_id] of string &default = "";
+
+const log_smb_tags = T &redef;
+function get_smb_tag(id: conn_id): string
+	{
+	if ( id in smb_filename_tag )
+		return smb_filename_tag[id];
+	else
+		return "";
+	}
+
+module SMB_tag;
+
+global log = open_log_file("smb-tag") &redef;
+
+const well_known_files = {
+	"\\IPC$",
+	"\\print$",
+	"\\LANMAN",
+	"\\atsvc",
+	"\\AudioSrv",
+	"\\browser",
+	"\\cert",
+	"\\Ctx_Winstation_API_Service",
+	"\\DAV",
+	"\\dnsserver",
+	"\\epmapper",
+	"\\eventlog",
+	"\\HydraLsPipe",
+	"\\InitShutdown",
+	"\\keysvc",
+	"\\locator",
+	"\\llsrpc",
+	"\\lsarpc",
+	"\\msgsvc",
+	"\\netdfs",
+	"\\netlogon",
+	"\\ntsvcs",
+	"\\policyagent",
+	"\\ipsec",
+	"\\ProfMapApi",
+	"\\protected_storage",
+	"\\ROUTER",
+	"\\samr",
+	"\\scerpc",
+	"\\SECLOGON",
+	"\\SfcApi",
+	"\\spoolss",
+	"\\srvsvc",
+	"\\ssdpsrv",
+	"\\svcctl",
+	"\\tapsrv",
+	"\\trkwks",
+	"\\W32TIME",
+	"\\W32TIME_ALT",
+	"\\winlogonrpc",
+	"\\winreg",
+	"\\winspipe",
+	"\\wkssvc",
+	"\\lbl.gov",
+	"\\LBL"
+};
+
+function well_known_file(n: string): string
+	{
+	n = to_lower(n);
+	local a = "";
+	for ( p in well_known_files )
+		{
+		if ( strstr(n, to_lower(p)) > 0 )
+			if ( byte_len(p) > byte_len(a) )
+				a = p;
+		}
+	return a;
+	}
+
+function add_to_smb_filename_tag(c: connection, name: string): bool
+	{
+	if ( name == "\\PIPE\\" || name == "" )
+		return F;
+
+	local id = c$id;
+	local orig_tag = smb_filename_tag[id];
+
+	local n = well_known_file(name);
+	if ( n == "" )
+		{
+		if ( log_smb_tags )
+			print log, fmt("%.6f %s regular file: \"%s\"",
+				network_time(), conn_id_string(c$id), name);
+		n = "<file>";
+		}
+
+	n = fmt("\"%s\"", n);
+
+	if ( orig_tag == "" )
+		{
+		smb_filename_tag[id] = n;
+		}
+	else if ( strstr(orig_tag, n) == 0 )
+		{
+		smb_filename_tag[id] = cat(orig_tag, ",", n);
+		}
+
+	return T;
+	}
+
+event smb_com_nt_create_andx(c: connection, name: string)
+	{
+	add_to_smb_filename_tag(c, name);
+	}
+
+event smb_com_transaction(c: connection, is_orig: bool, subcmd: count,
+		name: string, data: string)
+	{
+	add_to_smb_filename_tag(c, name);
+	}
+
+event smb_com_transaction2(c: connection, is_orig: bool, subcmd: count,
+		name: string, data: string)
+	{
+	add_to_smb_filename_tag(c, name);
+	}
+
+event smb_get_dfs_referral(c: connection, max_referral_level: count, file_name: string)
+	{
+	add_to_smb_filename_tag(c, file_name);
+	}
+
+event smb_com_tree_connect_andx(c: connection, path: string, service: string)
+	{
+	local basic = sub(path, /.*\\/, "\\");
+	if ( /\$$/ in basic )
+		add_to_smb_filename_tag(c, basic);
+	}
+
+event delete_smb_tag(c: connection)
+	{
+	delete smb_filename_tag[c$id];
+	}
+
+event connection_state_remove(c: connection)
+	{
+	if ( c$id in smb_filename_tag )
+		{
+		if ( log_smb_tags )
+			print log, fmt("conn %s start %.6f SMB [%s]",
+				conn_id_string(c$id),
+				c$start_time,
+				smb_filename_tag[c$id]);
+		event delete_smb_tag(c);
+		}
+	}
diff --git a/policy/summaries/sun-rpc-summary.bro b/policy/summaries/sun-rpc-summary.bro
new file mode 100644
index 0000000000..9f0f376cfd
--- /dev/null
+++ b/policy/summaries/sun-rpc-summary.bro
@@ -0,0 +1,46 @@
+@load app-summary
+@load rpc
+
+redef capture_filters += {
+	["port-map"] = "port 111",
+	["nfs"] = "port 2049",
+	# UDP packets are often fragmented
+	["nfs-frag"] = "ip[6:2] & 0x1fff != 0",
+};
+
+module SUN_RPC_summary;
+
+export {
+	global log = open_log_file("sun-rpc-summary") &redef;
+}
+
+global nfs_status: table[conn_id] of count;
+
+event nfs_reply_status(n: connection, status: count)
+	{
+	# print fmt("%.6f status = %d", network_time(), status);
+	nfs_status[n$id] = status;
+	}
+
+event rpc_call(c: connection, prog: count, ver: count, proc: count, status: count,
+		start_time: time, call_len: count, reply_len: count)
+	{
+	# print fmt("%.6f rpc_call", network_time());
+	local prog_name = RPC::program_name(prog);
+	local nfs_st = "n/a";
+	if ( c$id in nfs_status )
+		{
+		nfs_st = fmt("%d", nfs_status[c$id]);
+		# print fmt("%.6f get_status = %s", network_time(), nfs_st);
+		delete nfs_status[c$id];
+		}
+
+	print_app_summary(log, c$id, c$start_time,
+		fmt("%sv%d/%s",
+			prog_name,
+			ver,
+			RPC::procedure_name(prog, ver, proc)),
+		start_time,
+		1, call_len, status == RPC_TIMEOUT ? 0 : 1, reply_len,
+		fmt("rpc_status %s nfs_status %s", status, nfs_st));
+	}
diff --git a/policy/synflood.bro b/policy/synflood.bro
new file mode 100644
index 0000000000..3c2ecde4b7
--- /dev/null
+++ b/policy/synflood.bro
@@ -0,0 +1,131 @@
+# $Id: synflood.bro 4054 2007-03-05 21:45:58Z vern $
+
+@load notice
+
+redef enum Notice += {
+	SynFloodStart,    # start of syn-flood against a certain victim
+	SynFloodEnd,      # end of syn-flood against a certain victim
+	SynFloodStatus,   # report of ongoing syn-flood
+};
+
+# We report a syn-flood if more than SYNFLOOD_THRESHOLD new connections
+# have been reported within the last SYNFLOOD_INTERVAL for a certain IP.
+# (We sample the conns by one out of SYNFLOOD_SAMPLE_RATE, so the attempt
+# counter is an estimated value.). If a victim is identified, we install a
+# filter via install_dst_filter and sample the packets targeting it by
+# SYNFLOOD_VICTIM_SAMPLE_RATE.
+#
+# Ongoing syn-floods are reported every SYNFLOOD_REPORT_INTERVAL.
+
+global SYNFLOOD_THRESHOLD = 15000 &redef;
+global SYNFLOOD_INTERVAL = 60 secs &redef;
+global SYNFLOOD_REPORT_INTERVAL = 1 mins &redef;
+
+# Sample connections by one out of x.
+global SYNFLOOD_SAMPLE_RATE = 100 &redef;
+
+# Sample packets to known victims with probability x.
+global SYNFLOOD_VICTIM_SAMPLE_RATE = 0.01 &redef;
+
+global conn_attempts: table[addr] of count &default = 0;
+global victim_attempts: table[addr,addr] of count
+	&default = 0  &read_expire = 5mins;
+
+# We remember up to this many number of sources per victim.
+global max_sources = 100;
+global current_victims: table[addr] of set[addr] &read_expire = 60mins;
+global accumulated_conn_attempts: table[addr] of count &default = 0;
+
+global sample_count = 0;
+global interval_start: time = 0;
+
+# Using new_connection() can be quite expensive but connection_attempt() has
+# a rather large lag that may lead to detecting flood too late. Additionally,
+# it does not cover UDP/ICMP traffic.
+event new_connection(c: connection)
+	{
+	if ( c$id$resp_h in current_victims )
+		{
+		++conn_attempts[c$id$resp_h];
+
+		local srcs = current_victims[c$id$resp_h];
+		if ( length(srcs) < max_sources )
+			add srcs[c$id$orig_h];
+		return;
+		}
+
+	if ( ++sample_count % SYNFLOOD_SAMPLE_RATE == 0 )
+		{
+		local ip = c$id$resp_h;
+
+		if ( ++conn_attempts[ip] * SYNFLOOD_SAMPLE_RATE >
+		     SYNFLOOD_THRESHOLD )
+			{
+			NOTICE([$note=SynFloodStart, $src=ip,
+				   $msg=fmt("start of syn-flood against %s; sampling packets now", ip)]);
+
+			add current_victims[ip][c$id$orig_h];
+
+			# Drop most packets to victim.
+			install_dst_addr_filter(ip, 0,
+					1 - SYNFLOOD_VICTIM_SAMPLE_RATE);
+			# Drop all packets from victim.
+			install_src_addr_filter(ip, 0, 1.0);
+			}
+		}
+	}
+
+event check_synflood()
+	{
+	for ( ip in current_victims )
+		{
+		accumulated_conn_attempts[ip] =
+			accumulated_conn_attempts[ip] + conn_attempts[ip];
+
+		if ( conn_attempts[ip] * (1 / SYNFLOOD_VICTIM_SAMPLE_RATE) <
+		     SYNFLOOD_THRESHOLD )
+			{
+			NOTICE([$note=SynFloodEnd, $src=ip, $n=length(current_victims[ip]),
+				   $msg=fmt("end of syn-flood against %s; stopping sampling",
+					ip)]);
+
+			delete current_victims[ip];
+			uninstall_dst_addr_filter(ip);
+			uninstall_src_addr_filter(ip);
+			}
+		}
+
+	clear_table(conn_attempts);
+	schedule SYNFLOOD_INTERVAL { check_synflood() };
+	}
+
+event report_synflood()
+	{
+	for ( ip in current_victims )
+		{
+		local est_num_conn = accumulated_conn_attempts[ip] *
+					(1 / SYNFLOOD_VICTIM_SAMPLE_RATE);
+
+		local interv: interval;
+
+		if ( interval_start != 0 )
+			interv = network_time() - interval_start;
+		else
+			interv = SYNFLOOD_INTERVAL;
+
+		NOTICE([$note=SynFloodStatus, $src=ip, $n=length(current_victims[ip]),
+			   $msg=fmt("syn-flood against %s; estimated %.0f connections in last %s",
+				    ip, est_num_conn, interv)]);
+		}
+
+	clear_table(accumulated_conn_attempts);
+
+	schedule SYNFLOOD_REPORT_INTERVAL { report_synflood() };
+	interval_start = network_time();
+	}
+
+event bro_init()
+	{
+	schedule SYNFLOOD_INTERVAL { check_synflood() };
+	schedule SYNFLOOD_REPORT_INTERVAL { report_synflood() };
+	}
diff --git a/policy/targeted-scan.bro b/policy/targeted-scan.bro
new file mode 100644
index 0000000000..09922644ba
--- /dev/null
+++ b/policy/targeted-scan.bro
@@ -0,0 +1,114 @@
+# $Id:$
+#
+# Drop external hosts that continually bang away on a particular open port.
+#
+# Note that we time out identified scanners to avoid excessive memory
+# utilitization in the event of a wide scan across address space.
+
+@load notice
+@load site
+
+module TargetedScan;
+
+export {
+	redef enum Notice += { TargetedScan, };
+
+	# If true, then only consider traffic from external sources.
+	global external_only = T &redef;
+
+	# Which ports to consider.
+	const ports = { 1433/tcp, } &redef;
+
+	# If set, at least/most this many bytes need to be transferred for
+	# a connection using the given port.  These are useful for example
+	# for inferring that SSH connections reflect password-guessing
+	# attempts.
+	const min_bytes: table[port] of count &redef;
+	const max_bytes: table[port] of count &redef;
+
+	# If set, then this is the threshold for reportin accessing
+	# for a given service.
+	const port_threshold: table[port] of count &redef;
+
+	# Otherwise, this is the threshold.
+	const general_threshold = 1000 &redef;
+
+	# The data structure we use to track targeted probing.
+	# It's exported to enable redef'ing the &write_expire value.
+	global targeted_tries: table[addr, addr, port] of count
+		&default=0 &write_expire=10 min &redef;
+}
+
+function delete_targeted_data(orig: addr, resp: addr, service: port)
+	{
+	delete targeted_tries[orig, resp, service];
+	}
+
+function targeted_check(c: connection)
+	{
+	local id = c$id;
+	local orig = id$orig_h;
+	local resp = id$resp_h;
+	local service = ("ftp-data" in c$service) ? 20/tcp : id$resp_p;
+
+	if ( service !in ports || (external_only && is_local_addr(orig)) )
+		return;
+
+	local bytes_xferred = c$orig$size + c$resp$size;
+
+	if ( service in min_bytes && bytes_xferred < min_bytes[service] )
+		return;
+	if ( service in max_bytes && bytes_xferred > max_bytes[service] )
+		return;
+
+	local cnt = ++targeted_tries[orig, resp, service];
+
+	if ( service in port_threshold )
+		{
+		if ( cnt != port_threshold[service] )
+			return;
+		}
+
+	else if ( cnt != general_threshold )
+		return;
+		
+	local svc = service in port_names ?
+			port_names[service] : fmt("%s", service);
+
+	NOTICE([$note=TargetedScan, $src=orig, $dst=resp, $p=service,
+		$msg=fmt("targeted attack on service %s, count = %d", svc, cnt)]);
+
+	# Since we've reported this host, we can stop tracking it.
+	delete targeted_tries[orig, resp, service];
+	}
+
+
+event connection_finished(c: connection)
+	{
+	targeted_check(c);
+	}
+
+event connection_rejected(c: connection)
+	{
+	targeted_check(c);
+	}
+
+event connection_half_finished(c: connection)
+	{
+	targeted_check(c);
+	}
+
+event connection_reset(c: connection)
+	{
+	targeted_check(c);
+	}
+
+event connection_partial_close(c: connection)
+	{
+	targeted_check(c);
+	}
+
+event connection_state_remove(c: connection)
+	{
+	targeted_check(c);
+	}
diff --git a/policy/tcp.bro b/policy/tcp.bro
new file mode 100644
index 0000000000..fd561180bb
--- /dev/null
+++ b/policy/tcp.bro
@@ -0,0 +1,6 @@
+# Generic TCP connection processing.
+
+@load conn
+
+redef capture_filters += { ["tcp"] = "tcp[13] & 7 != 0" };
+# redef capture_filters += { ["tcp"] = "(tcp[13] & 7 != 0) or (ip6[53] & 7 != 0)" };
diff --git a/policy/terminate-connection.bro b/policy/terminate-connection.bro
new file mode 100644
index 0000000000..8ee6c4f090
--- /dev/null
+++ b/policy/terminate-connection.bro
@@ -0,0 +1,65 @@
+# $Id$
+
+@load site
+@load notice
+
+# Ugly: we need the following from conn.bro, but we can't soundly load
+# it because it in turn loads us.
+global full_id_string: function(c: connection): string;
+
+module TerminateConnection;
+
+export {
+	redef enum Notice += {
+		TerminatingConnection,	# connection will be terminated
+		TerminatingConnectionIgnored,	# connection terminated disabled
+	};
+
+	# Whether we're allowed (and/or are capable) to terminate connections
+	# using "rst".
+	const activate_terminate_connection = F &redef;
+
+	# Terminate the given connection.
+	global terminate_connection: function(c: connection);
+
+}
+
+function terminate_connection(c: connection)
+	{
+	local id = c$id;
+
+	if ( activate_terminate_connection )
+		{
+		local local_init = is_local_addr(id$orig_h);
+
+		local term_cmd = fmt("rst %s -n 32 -d 20 %s %d %d %s %d %d",
+					local_init ? "-R" : "",
+					id$orig_h, id$orig_p, get_orig_seq(id),
+					id$resp_h, id$resp_p, get_resp_seq(id));
+
+		if ( reading_live_traffic() )
+			system(term_cmd);
+		else
+			NOTICE([$note=TerminatingConnection, $conn=c,
+				$msg=term_cmd, $sub="first termination command"]);
+
+		term_cmd = fmt("rst %s -r 2 -n 4 -s 512 -d 20 %s %d %d %s %d %d",
+				local_init ? "-R" : "",
+				id$orig_h, id$orig_p, get_orig_seq(id),
+				id$resp_h, id$resp_p, get_resp_seq(id));
+
+		if ( reading_live_traffic() )
+			system(term_cmd);
+		else
+			NOTICE([$note=TerminatingConnection, $conn=c,
+				$msg=term_cmd, $sub="second termination command"]);
+
+		NOTICE([$note=TerminatingConnection, $conn=c,
+			$msg=fmt("terminating %s", full_id_string(c))]);
+		}
+
+	else
+		NOTICE([$note=TerminatingConnectionIgnored, $conn=c,
+			$msg=fmt("ignoring request to terminate %s",
+					full_id_string(c))]);
+	}
diff --git a/policy/tftp.bro b/policy/tftp.bro
new file mode 100644
index 0000000000..d1f3e43746
--- /dev/null
+++ b/policy/tftp.bro
@@ -0,0 +1,33 @@
+# $Id: tftp.bro 4758 2007-08-10 06:49:23Z vern $
+
+# Very simplistic - doesn't pick up the replies.
+
+@load notice
+@load udp-common
+@load site
+
+module TFTP;
+
+export {
+	redef enum Notice += {
+		OutboundTFTP,		# outbound TFTP seen
+	};
+}
+
+redef capture_filters += { ["tftp"] = "udp port 69" };
+
+global tftp_notice_count: table[addr] of count &default = 0 &read_expire = 7 days;
+
+event udp_request(u: connection)
+	{
+	if ( u$id$resp_p == 69/udp && u$id$orig_p >= 1024/udp )
+		{
+		local src = u$id$orig_h;
+		local dst = u$id$resp_h;
+
+		if ( is_local_addr(src) && ! is_local_addr(dst) &&
+		     ++tftp_notice_count[src] == 1 )
+			NOTICE([$note=OutboundTFTP, $conn=u,
+				$msg=fmt("outbound TFTP: %s -> %s", src, dst)]);
+		}
+	}
diff --git a/policy/time-machine/Makefile.am b/policy/time-machine/Makefile.am
new file mode 100644
index 0000000000..49f18b7c72
--- /dev/null
+++ b/policy/time-machine/Makefile.am
@@ -0,0 +1,7 @@
+## Process this file with automake to produce Makefile.in
+
+tmdir=${datadir}/bro/time-machine
+dist_tm_DATA = \
+	time-machine.bro tm-capture.bro tm-class.bro tm-contents.bro \
+	tm-ftp.bro tm-gap.bro tm-http.bro
+
diff --git a/policy/time-machine/time-machine.bro b/policy/time-machine/time-machine.bro
new file mode 100644
index 0000000000..98e37437ae
--- /dev/null
+++ b/policy/time-machine/time-machine.bro
@@ -0,0 +1,278 @@
+# $Id: time-machine.bro,v 1.1.2.8 2006/01/06 01:51:37 sommer Exp $
+#
+# Low-level time-machine interface.
+
+@load notice
+
+module TimeMachine;
+
+export {
+	# Request to send us a connection.  Automatically subscribes
+	# and suspends cut-off.
+	#
+	#   start : time where to start searching (0 for as early as possible).
+	#   in_mem: only scan TM's memory-buffer but not any on-disk data.
+	#   descr: description to be written to log file to identify the query
+	#
+	# Returns tag of this query.
+	global request_connection:
+		function(c: connection, in_mem: bool, descr: string) : string;
+
+	# id$orig_p = 0/tcp acts as wildcard.
+	global request_connection_id:
+		function(id: conn_id, start: time, in_mem: bool, descr: string)
+		: string;
+
+	# Request to save connection to file in TM host.  Automatically
+	# suspends cut-off.
+	#
+	#   filename: destination file on TM host.
+	#   start   : time where to start searching (0 = as early as possible).
+	#   in_mem  : only scan TM's memory-buffer, but not any on-disk data.
+	global capture_connection:
+		function(filename: string, c: connection, in_mem: bool,
+				descr: string);
+
+	# id$orig_p = 0/tcp acts as wildcard.
+	global capture_connection_id:
+		function(filename: string, id: conn_id, start: time,
+				in_mem: bool, descr: string);
+
+	# Request to send everything involving a certain host to us.
+	# Always searches mem and disk buffers.
+	#
+	#   host : address of host
+	#   start: time where to start searching (0 for as early as possible).
+	#
+	# Returns tag of this query.
+	global request_addr: function(host: addr, start: time,
+				in_mem: bool, descr: string) : string;
+
+	# Don't issue duplicate queries.  Should be on for normal use;
+	# only need to turn off for benchmarking.
+	global filter_duplicates = T &redef;
+
+	# Automatically issue suspend_cutoff as specified above.
+	# Should be on for normal use; off only used for benchmarking.
+	global auto_suspend_cutoff = T &redef;
+
+	# Automatically subscribe as specified above.
+	# Should be on for normal use; off only used for benchmarking.
+	global auto_subscribe = F &redef;
+
+	# Automatically set start time for query.
+	# Should be on for normal use; off only used for benchmarking.
+	global auto_set_start = T &redef;
+
+	# Request to save everything involving a certain host.
+	# Always searches mem and disk buffers.
+	#
+	#   filename: destination file on TM host.
+	#   host : address of host
+	#   start: time where to start searching (0 for as early as possible).
+	#
+	global capture_addr: function(filename: string, host: addr,
+					start: time, in_mem: bool,
+					descr: string);
+
+	# Prevent the TM from cutting the connection off.
+	global suspend_cut_off: function(c: connection, descr: string);
+
+	# id$orig_p = 0/tcp acts as wildcard.
+	global suspend_cut_off_id: function(id: conn_id, descr: string);
+
+	type Direction: enum {
+		ORIG,	# connections originating from host
+		RESP,	# connections responded to by host
+		BOTH	# independent of direction
+	};
+
+	# Change the TM class for given IP.
+	global set_class: function(host: addr, class: string, dir: Direction,
+					descr: string);
+
+	# Revoke class assignment for IP.
+	global unset_class: function(host: addr, descr: string);
+
+	# ID of this Bro instance for TM queries.  Automatically set.
+	global feed_id = "";
+}
+
+global tag = 0;
+
+global cmds: table[string] of string &read_expire = 1 day;
+
+global command: event(cmd: string);
+global descrs: table[string] of string;
+
+global profile: file;
+global logfile = open_log_file("tm");
+
+function id2str(id: conn_id, include_index: bool) : string
+	{
+	local index = "";
+	if ( include_index )
+		index = id$orig_p != 0/tcp ? "connection4 " : "connection3 ";
+
+	if ( id$orig_p != 0/tcp)
+		return fmt("%s\"%s %s:%d %s:%d\"", index,
+			get_port_transport_proto(id$resp_p),
+			id$orig_h, id$orig_p,
+			id$resp_h, id$resp_p);
+	else
+		return fmt("%s\"%s %s %s:%d\"", index,
+			get_port_transport_proto(id$resp_p),
+			id$orig_h,
+			id$resp_h, id$resp_p);
+	}
+
+function issue_query(result: string, add_tag: bool, cmd: string,
+			start: time, in_mem: bool, sub: bool, descr: string) : string
+	{
+	local key = fmt("%s %s", result, cmd);
+	local qtag = "";
+
+	if ( key in cmds && filter_duplicates )
+		return cmds[key];
+
+	if ( add_tag )
+		{
+		qtag = fmt("t%x", ++tag);
+		result = fmt("%s tag %s", result, qtag);
+		}
+
+	local range = "";
+
+	if ( time_to_double(start) > 0.0 && auto_set_start )
+		{ # We subtract a few seconds to allow for clock skew.
+		start = start -  2 secs;
+		range += fmt("start %.6f end 9876543210 ", start);
+		}
+
+	if ( in_mem )
+		range += "mem_only ";
+
+	if ( sub )
+		range += "subscribe ";
+
+	local c = fmt("query %s %s %s", result, cmd, range);
+	descrs[c] = descr;
+
+	if ( time_machine_profiling )
+		print profile, fmt("%.6f %s %s", current_time(),
+					(qtag != "" ? qtag : "-"), c);
+
+	event TimeMachine::command(c);
+
+	cmds[key] = qtag;
+
+	return qtag;
+	}
+
+function issue_command(cmd: string, descr: string)
+	{
+	if ( cmd in cmds && filter_duplicates )
+		return;
+
+	descrs[cmd] = descr;
+	event TimeMachine::command(cmd);
+
+	cmds[cmd] = "";
+	}
+
+function request_connection(c: connection, in_mem: bool, descr: string) : string
+	{
+	return request_connection_id(c$id, c$start_time, in_mem, descr);
+	}
+
+function request_connection_id(id: conn_id, start: time, in_mem: bool,
+				descr: string) : string
+	{
+	if ( auto_suspend_cutoff )
+		suspend_cut_off_id(id, descr);
+	return issue_query(fmt("feed %s", feed_id), T,
+		fmt("index %s", id2str(id, T)), start, in_mem,
+			auto_subscribe, descr);
+	}
+
+function capture_connection(filename: string, c: connection,
+				in_mem: bool, descr: string)
+	{
+	capture_connection_id(filename, c$id, c$start_time, in_mem, descr);
+	}
+
+function capture_connection_id(filename: string, id: conn_id, start: time,
+				in_mem: bool, descr: string)
+	{
+	if ( auto_suspend_cutoff )
+		suspend_cut_off_id(id, descr);
+
+	issue_query(fmt("to_file \"%s\"", filename), F,
+			fmt("index %s", id2str(id, T)),
+			start, in_mem, auto_subscribe, descr);
+	}
+
+function request_addr(host: addr, start: time, in_mem: bool, descr: string)
+: string
+	{
+	return issue_query(fmt("feed %s", feed_id), T,
+			fmt("index ip \"%s\"", host), start, in_mem, F, descr);
+	}
+
+function capture_addr(filename: string, host: addr, start: time,
+			in_mem: bool, descr: string)
+	{
+	issue_query(fmt("to_file \"%s\"", filename), F,
+			fmt("index ip \"%s\"", host), start, in_mem, F, descr);
+	}
+
+function suspend_cut_off(c: connection, descr: string)
+	{
+	suspend_cut_off_id(c$id, descr);
+	}
+
+function suspend_cut_off_id(id: conn_id, descr: string)
+	{
+	issue_command(fmt("suspend_cutoff %s", id2str(id, F)), descr);
+	}
+
+function set_class(host: addr, class: string, dir: Direction, descr: string)
+	{
+	local d = "";
+
+	if ( dir == ORIG )
+		d = " orig";
+	else if ( dir == RESP )
+		d = " resp";
+
+	issue_command(fmt("set_dyn_class %s %s%s", host, class, d), descr);
+	}
+
+function unset_class(host: addr, descr: string)
+	{
+	issue_command(fmt("unset_dyn_class %s", host), descr);
+	}
+
+event command(cmd: string)
+	{
+	# We might not know the command if we're just relaying the event
+	# from external.
+	if ( cmd in descrs )
+		{
+		local descr = descrs[cmd];
+		delete descrs[cmd];
+
+		print logfile, fmt("%.6f %.6f [%s] %s", network_time(), current_time(), descr, cmd);
+		}
+	}
+
+event bro_init()
+	{
+	set_buf(logfile, F);
+
+	# Create a feed ID that's unique across restarts w/ high probability.
+	feed_id = fmt("%s-%d-%d", gethostname(), getpid(), rand(100));
+
+	if ( time_machine_profiling )
+		profile = open_log_file("tm-prof.queries");
+	}
diff --git a/policy/time-machine/tm-capture.bro b/policy/time-machine/tm-capture.bro
new file mode 100644
index 0000000000..a322f25263
--- /dev/null
+++ b/policy/time-machine/tm-capture.bro
@@ -0,0 +1,91 @@
+# $Id: tm-capture.bro,v 1.1.2.1 2006/01/04 03:52:02 sommer Exp $
+#
+# For each non-scan alert, we can
+#   (a) tell the time-machine to permanently store the connection's packets
+#   (b) request the connection, to store the (reassembled) payload ourselves
+#   (c) request all other traffic from that IP within the last X hours
+#   (d) store all other traffic from that IP within the last X hours
+
+@load time-machine
+@load tm-contents
+@load notice
+@load scan
+
+module TimeMachineCapture;
+
+export {
+	# Request past traffic. Set to 0 to disable.
+	# This does on-disk queries, potentially expensive.
+	const history_interval = 0 hrs &redef;
+
+	# Capture past traffic. Set to 0 to disable.
+	# This does on-disk queries, potentially expensive.
+	const history_capture_interval = 0 hrs &redef;
+
+	const ignore_notices: set[Notice] = {
+		Scan::AddressScan,
+		Scan::PortScan,
+	} &redef;
+}
+
+@ifdef ( TimeMachineGap::ContentGapTmAndLink )
+redef ignore_notices += {
+	TimeMachineGap::ContentGapTmAndLink,
+	TimeMachineGap::ContentGapSolved,
+};
+@endif
+
+global hosts: set[addr] &create_expire = history_capture_interval;
+
+global dbg = open_log_file("tm-capture");
+
+event notice_alarm(n: notice_info, action: NoticeAction)
+	{
+	if ( n$note in ignore_notices )
+		return;
+
+	if ( ! n?$id )
+		return;
+
+	if ( n?$conn && is_external_connection(n$conn) )
+		return;
+
+	local id = n$id;
+	local start: time;
+
+	if ( n?$conn )
+		start = n$conn$start_time;
+	else if ( connection_exists(id) )
+		start = lookup_connection(id)$start_time;
+	else
+		start = network_time() - 5 min;	# shouldn't usually get here
+
+	local tag = fmt("conn.%s", n$tag);
+	n$captured = tag;
+
+	# It should be in the TM's memory.
+	TimeMachine::capture_connection_id(fmt("%s.pcap", tag), id, start,
+						T, "tm-capture");
+
+	if ( get_port_transport_proto(id$resp_p) == tcp )
+		{
+		n$captured += " (contents)";
+		TimeMachine::save_contents_id(tag, id, start, T, "tm-capture");
+		}
+
+	if ( n$src !in hosts )
+		{
+		if ( history_interval != 0 sec )
+			TimeMachine::request_addr(n$src,
+					network_time() - history_interval, F,
+					"tm-capture");
+
+		if ( history_capture_interval != 0secs )
+			TimeMachine::capture_addr(fmt("host.%s.%s.pcap",
+					n$src, n$tag), n$src,
+					network_time() - history_capture_interval, F,
+					"tm-capture");
+
+		add hosts[n$src];
+		}
+	}
diff --git a/policy/time-machine/tm-class.bro b/policy/time-machine/tm-class.bro
new file mode 100644
index 0000000000..4d69308517
--- /dev/null
+++ b/policy/time-machine/tm-class.bro
@@ -0,0 +1,22 @@
+# $Id:$
+#
+# Changes the class for addresses that have generated alerts.
+
+@load time-machine
+@load notice
+@load scan
+
+event notice_alarm(n: notice_info, action: NoticeAction)
+	{
+	if ( ! n?$src )
+		return;
+
+	if ( n?$conn && is_external_connection(n$conn) )
+		return;
+
+	local class = "alarm";
+	if ( n$note == Scan::AddressScan || n$note == Scan::PortScan )
+		class = "scanner";
+
+	TimeMachine::set_class(n$src, class, TimeMachine::BOTH, "tm-class");
+	}
diff --git a/policy/time-machine/tm-contents.bro b/policy/time-machine/tm-contents.bro
new file mode 100644
index 0000000000..ea921342ae
--- /dev/null
+++ b/policy/time-machine/tm-contents.bro
@@ -0,0 +1,111 @@
+# $Id:$
+#
+# Provides a function that requests a particular connection from the
+# Time Machine and stores the subsequent reassembled payload into a
+# local file.
+
+@load time-machine
+
+module TimeMachine;
+
+export {
+	global save_contents:
+		function(filename_prefix: string, c: connection,
+				in_mem: bool, descr: string);
+
+	global save_contents_id:
+		function(filename_prefix: string, id: conn_id, start: time,
+				in_mem: bool, descr: string);
+
+	# Raised when contents have been fully saved.
+	global contents_saved:
+		event(c: connection, orig_file: string, resp_file: string);
+
+	const contents_dir = "tm-contents" &redef;
+	}
+
+# Table associating TM tag with filename.
+global requested_conns: table[string] of string;
+
+type fnames: record {
+	orig: string;
+	resp: string;
+	orig_f: file;
+	resp_f: file;
+	};
+
+global external_conns: table[conn_id] of fnames;
+
+function save_contents(filename_prefix: string, c: connection,
+			in_mem: bool, descr: string)
+	{
+	if ( is_external_connection(c) )
+		return;
+
+	save_contents_id(filename_prefix, c$id, c$start_time, in_mem, descr);
+	}
+
+function save_contents_id(filename_prefix: string, id: conn_id, start: time,
+				in_mem: bool, descr: string)
+	{
+	TimeMachine::suspend_cut_off_id(id, descr);
+	local qtag = TimeMachine::request_connection_id(id, start, in_mem, descr);
+	if ( qtag == "" )
+		return;
+
+	requested_conns[qtag] = filename_prefix;
+	}
+
+event connection_external(c: connection, tag: string)
+	{
+	if ( tag !in requested_conns )
+		return;
+
+	local fn = requested_conns[tag];
+	local id = c$id;
+	local idstr = fmt("%s.%d-%s.%d", id$orig_h, id$orig_p, id$resp_h, id$resp_p);
+
+	local orig_fn = fmt("%s/%s.%s.orig.dat", contents_dir, fn, idstr);
+	local resp_fn = fmt("%s/%s.%s.resp.dat", contents_dir, fn, idstr);
+	local orig_f = open(orig_fn);
+	local resp_f = open(resp_fn);
+
+	set_contents_file(c$id, CONTENTS_ORIG, orig_f);
+	set_contents_file(c$id, CONTENTS_RESP, resp_f);
+
+	delete requested_conns[tag];
+	external_conns[c$id] =
+		[$orig=orig_fn, $resp=resp_fn, $orig_f=orig_f, $resp_f=resp_f];
+	}
+
+event delayed_contents_saved(c: connection, orig_file: string, resp_file: string)
+	{
+	schedule 2 min { TimeMachine::contents_saved(c, orig_file, resp_file) };
+	}
+
+event connection_state_remove(c: connection)
+	{
+	if ( ! is_external_connection(c) )
+		return;
+
+	if ( c$id !in external_conns )
+		return;
+
+	local fn = external_conns[c$id];
+
+	close(fn$orig_f);
+	close(fn$resp_f);
+
+	# FIXME: We delay this a bit as there seems to be some race-condition
+	# with the file's data being flushed to disk.  Not sure why, though.
+	# However, we need to delay indirectly through another event to
+	# install it into the global timer manager.
+	event delayed_contents_saved(c, fn$orig, fn$resp);
+
+	delete external_conns[c$id];
+	}
+
+event bro_init()
+	{
+	mkdir(contents_dir);
+	}
diff --git a/policy/time-machine/tm-ftp.bro b/policy/time-machine/tm-ftp.bro
new file mode 100644
index 0000000000..cc09fc8328
--- /dev/null
+++ b/policy/time-machine/tm-ftp.bro
@@ -0,0 +1,42 @@
+# $Id: tm-ftp.bro,v 1.1.2.1 2006/01/04 03:55:48 sommer Exp $
+#
+# For sensitive FTP connections, request the data connection from the TM.
+# When we get it, we store the reassembled payload and run the file-analyzer
+# (the latter is automatically done by ftp.bro).
+
+@load time-machine
+@load tm-contents
+@load ftp
+
+module TimeMachineFTP;
+
+global data_conns: table[count] of conn_id;
+
+event ftp_sensitive_file(c: connection, session: FTP::ftp_session_info,
+				filename: string)
+	{
+	if ( is_external_connection(c) )
+		return;
+
+	if ( session$id !in data_conns )
+		# Should not happen, as transfer parameters need to be
+		# negotiated first.  We let ftp.bro deal with this, though.
+		return;
+
+	local id = data_conns[session$id];
+	TimeMachine::save_contents(fmt("ftp.%s", session$id), c, T, "tm-ftp");
+	}
+
+event ftp_connection_expected(c: connection, orig_h: addr, resp_h: addr,
+				resp_p: port, session: FTP::ftp_session_info)
+	{
+	data_conns[session$id] =
+		[$orig_h=orig_h, $orig_p=0/tcp, $resp_h=resp_h, $resp_p=resp_p];
+	}
+
+event connection_state_remove(c: connection)
+		&priority = 5 # to be called before FTP's handler
+	{
+	if ( c$id in FTP::ftp_sessions )
+		delete data_conns[FTP::ftp_sessions[c$id]$id];
+	}
diff --git a/policy/time-machine/tm-gap.bro b/policy/time-machine/tm-gap.bro
new file mode 100644
index 0000000000..e97d6a848a
--- /dev/null
+++ b/policy/time-machine/tm-gap.bro
@@ -0,0 +1,127 @@
+# $Id: tm-gap.bro,v 1.1.2.1 2006/01/05 22:38:37 sommer Exp $
+#
+# When we see a content gap, we request the same connection from the TM.
+# If we get it from there completely, fine.  If not, we check whether the
+# gap is at the same place as before, which would indicate that the packet
+# was indeed missing on the link.
+
+@load conn-id
+@load time-machine
+
+module TimeMachineGap;
+
+export {
+	# If true, we assume a BPF filter that includes *all* data packets.
+	const seeing_all_packets = F &redef;
+
+	# Exclude these ports.
+	const ignore_ports = { 80/tcp, 22/tcp, 443/tcp };
+
+	redef enum Notice += {
+		# A connection has at least one gap that matches a gap
+		# on the link.
+		ContentGapTmAndLink,
+
+		# A connection that had a gap on the link has been fully
+		# received from the TM.
+		ContentGapSolved,
+	};
+}
+
+type gap : record {
+	is_orig: bool;
+	seq: count;
+	length: count;
+};
+
+# Remembers the first gap per connection.
+# (FIXME: Would it make sense to remember all gaps?)
+global conns: table[conn_id] of gap;
+
+global f = open_log_file("gap");
+
+event content_gap(c: connection, is_orig: bool, seq: count, length: count)
+	{
+	if ( ! is_external_connection(c) )
+		{
+		if ( c$id in conns )
+			# We already requested the conn.
+			return;
+
+		if ( c$id$resp_p in ignore_ports )
+			return;
+
+		# It only makes sense to request the connection if we are
+		# not just analyzing TCP control packets for it.  There's
+		# no perfect way to determine whether we do so but, as a
+		# heuristic, we assume that we are supposed to see data
+		# packets if:
+		#
+		# (1) the service port is well-known for one of our analyzers
+		#     (because then the analyzer script is loaded which extends
+		#     the capture filter accordingly; or
+		# (2) the user explicitly tells us they are using a filter that
+		#     includes all packets (e.g., DPD); or
+		# (3) (special case) it's an HTTP reply, but we only
+		#     load http-request.
+
+		if ( ! seeing_all_packets )
+			{
+			if ( c$id$resp_p !in dpd_analyzer_ports )
+				return;
+
+			if ( c$id$resp_p in dpd_analyzer_ports && ! is_orig &&
+			     ANALYZER_HTTP in dpd_analyzer_ports[c$id$resp_p])
+				{
+@ifdef ( process_HTTP_replies )
+				if ( ! process_HTTP_replies )
+@endif
+				return;
+				}
+			}
+
+		local g: gap = [$is_orig=is_orig, $seq=seq, $length=length];
+		conns[c$id] = g;
+
+		# Should be in TM's memory.
+		TimeMachine::request_connection(c, T, "tm-gap");
+
+		print f, "ask", id_string(c$id);
+		}
+
+	else
+		{ # a gap in a connection from the TM
+		if ( c$id !in conns )
+			# Will be reported as ContentGap by weird.bro.
+			return;
+
+		local h = conns[c$id];
+
+		if ( h$is_orig == is_orig && h$seq == seq && h$length == length )
+			{
+			NOTICE([$note=ContentGapTmAndLink, $conn=c,
+				$msg=fmt("%s same content gap on link and from time-machine (%s %d/%d)",
+					 id_string(c$id),
+					 is_orig ? ">" : "<", seq, length)]);
+			}
+
+		delete conns[c$id];
+		}
+	}
+
+event connection_external(c: connection, tag: string)
+	{
+	if ( c$id in conns )
+		print f, "got", id_string(c$id);
+	}
+
+event connection_state_remove(c: connection)
+	{
+	if ( c$id in conns && is_external_connection(c) )
+		{ # It's still in the table, so we got it completely. Yippie!
+		NOTICE([$note=ContentGapSolved, $conn=c,
+			$msg=fmt("%s content gap(s) solved by time-machine",
+					id_string(c$id))]);
+		delete conns[c$id];
+		}
+	}
diff --git a/policy/time-machine/tm-http.bro b/policy/time-machine/tm-http.bro
new file mode 100644
index 0000000000..ad9d997ffc
--- /dev/null
+++ b/policy/time-machine/tm-http.bro
@@ -0,0 +1,18 @@
+# $Id: tm-http.bro,v 1.1.2.1 2005/11/29 21:39:05 sommer Exp $
+#
+# Requests connections from time-machine for which we have seen a sensitive URI.
+
+@load http
+@load time-machine
+
+redef notice_policy += {
+	[$pred(a: notice_info) =
+		{
+		if ( a$note == HTTP::HTTP_SensitiveURI &&
+		     a?$conn && ! is_external_connection(a$conn) )
+			TimeMachine::request_connection(a$conn, T, "tm-http");
+		return F;
+		},
+	 $result = NOTICE_FILE,	# irrelevant, since we always return F
+	 $priority = 1]
+};
diff --git a/policy/trw-impl.bro b/policy/trw-impl.bro
new file mode 100644
index 0000000000..fc3fcd837a
--- /dev/null
+++ b/policy/trw-impl.bro
@@ -0,0 +1,191 @@
+# $Id: trw.bro 2911 2006-05-06 17:58:43Z vern $
+
+@load notice
+@load port-name
+@load hot
+
+module TRW;
+
+export {
+	redef enum Notice += {
+		TRWAddressScan,	# source flagged as scanner by TRW algorithm
+		TRWScanSummary,	# summary of scanning activities reported by TRW
+	};
+
+	# Activate TRW if T.
+	global use_TRW_algorithm = F &redef;
+
+	# Tell TRW not to flag a friendly remote.
+	global do_not_flag_friendly_remotes = T &redef;
+
+	# Set of services for outbound connections that are possibly triggered
+	# by incoming connections.
+	const triggered_outbound_services = { ident, finger, 20/tcp, } &redef;
+
+	# The following correspond to P_D and P_F in the TRW paper, i.e., the
+	# desired detection and false positive probabilities.
+	global target_detection_prob = 0.99 &redef;
+	global target_false_positive_prob = 0.01 &redef;
+
+	# Given a legitimate remote, the probability that its connection
+	# attempt will succeed.
+	global theta_zero = 0.8 &redef;
+
+	# Given a scanner, the probability that its connection attempt
+	# will succeed.
+	global theta_one  = 0.2 &redef;
+
+
+	# These variables the user usually won't alter, except they
+	# might want to adjust the expiration times, which is why
+	# they're exported here.
+	global scan_sources: set[addr] &write_expire = 1 hr;
+	global benign_sources: set[addr] &write_expire = 1 hr;
+
+	global failed_locals: set[addr, addr] &write_expire = 30 mins;
+	global successful_locals: set[addr, addr] &write_expire = 30 mins;
+
+	global lambda: table[addr] of double
+		&default = 1.0 &write_expire = 30 mins;
+	global num_scanned_locals:
+		table[addr] of count &default = 0 &write_expire = 30 mins;
+
+	# Function called to perform TRW analysis.
+	global check_TRW_scan: function(c: connection, state: string,
+					reverse: bool): bool;
+}
+
+# Set of remote hosts that have been successfully accessed by local hosts.
+global friendly_remotes: set[addr] &read_expire = 30 mins;
+
+# Set of local honeypot hosts - for internal use at LBL.
+global honeypot: set[addr];
+
+# Approximate solutions for upper and lower thresholds.
+global eta_zero: double;	# initialized when Bro starts
+global eta_one: double;
+
+event bro_init()
+	{
+	eta_zero =
+		(1 - target_detection_prob) / (1 - target_false_positive_prob);
+	eta_one = target_detection_prob / target_false_positive_prob;
+	}
+
+
+event TRW_scan_summary(orig: addr)
+	{
+	NOTICE([$note=TRWScanSummary, $src=orig,
+		$msg=fmt("%s scanned a total of %d hosts",
+		orig, num_scanned_locals[orig])]);
+	}
+
+function check_TRW_scan(c: connection, state: string, reverse: bool): bool
+	{
+	local id = c$id;
+
+	local service = "ftp-data" in c$service ? 20/tcp
+		: (reverse ? id$orig_p : id$resp_p);
+	local orig = reverse ? id$resp_h : id$orig_h;
+	local resp = reverse ? id$orig_h : id$resp_h;
+	local outbound = is_local_addr(orig);
+
+	# Mark a remote as friendly if it is successfully accessed by
+	# a local with protocols other than triggered_outbound_services.
+	# XXX There is an ambiguity to determine who initiated a
+	# connection when the status is "OTH".
+	if ( outbound )
+		{
+		if ( resp !in scan_sources &&
+		     service !in triggered_outbound_services &&
+		     orig !in honeypot && state != "OTH" )
+			add friendly_remotes[resp];
+
+		return F;
+		}
+
+	if ( orig in scan_sources )
+		return T;
+
+	if ( orig in benign_sources )
+		return F;
+
+	if ( do_not_flag_friendly_remotes && orig in friendly_remotes )
+		return F;
+
+	# Start TRW evaluation.
+	local flag = +0;
+	local resp_byte = reverse ? c$orig$size : c$resp$size;
+	local established = T;
+
+	if ( state == "S0" || state == "REJ" || state == "OTH" ||
+	     (state == "RSTOS0" && resp_byte <= 0) )
+		established = F;
+
+	if ( ! established || resp in honeypot )
+		{
+		if ( [orig, resp] !in failed_locals )
+			{
+			flag = 1;
+			add failed_locals[orig, resp];
+			}
+		}
+
+	else if ( [orig, resp] !in successful_locals )
+		{
+		flag = -1;
+		add successful_locals[orig, resp];
+		}
+
+	if ( flag == 0 )
+		return F;
+
+	local ratio = 1.0;
+
+	# Update the corresponding likelihood ratio of orig.
+	if ( theta_zero <= 0 || theta_zero >= 1 || theta_one <= 0 ||
+	     theta_one >= 1 || theta_one >= theta_zero )
+		{
+		# Error: theta_zero should be between 0 and 1.
+		alarm "bad theta_zero/theta_one in check_TRW_scan";
+		use_TRW_algorithm = F;
+		return F;
+		}
+
+	if ( flag == 1 )
+		ratio = (1 - theta_one) / (1 - theta_zero);
+
+	if ( flag == -1 )
+		ratio = theta_one / theta_zero;
+
+	++num_scanned_locals[orig];
+
+	lambda[orig] = lambda[orig] * ratio;
+	local updated_lambda = lambda[orig];
+
+	if ( target_detection_prob <= 0 ||
+	     target_detection_prob >= 1 ||
+	     target_false_positive_prob <= 0 ||
+	     target_false_positive_prob >= 1 )
+		{
+		# Error: target probabilities should be between 0 and 1
+		alarm "bad target probabilities in check_TRW_scan";
+		use_TRW_algorithm = F;
+		return F;
+		}
+
+	if ( updated_lambda > eta_one )
+		{
+		add scan_sources[orig];
+		NOTICE([$note=TRWAddressScan, $src=orig,
+			$msg=fmt("%s scanned a total of %d hosts",
+				orig, num_scanned_locals[orig])]);
+		schedule 1 day { TRW_scan_summary(orig) };
+		return T;
+		}
+
+	if ( updated_lambda < eta_zero )
+		add benign_sources[orig];
+
+	return F;
+	}
diff --git a/policy/trw.bro b/policy/trw.bro
new file mode 100644
index 0000000000..0ffe6246f7
--- /dev/null
+++ b/policy/trw.bro
@@ -0,0 +1,7 @@
+# $Id: trw.bro 3297 2006-06-18 00:56:58Z vern $
+#
+# Load this file to actiate TRW analysis.
+
+@load trw-impl
+
+redef TRW::use_TRW_algorithm = T;
diff --git a/policy/udp-common.bro b/policy/udp-common.bro
new file mode 100644
index 0000000000..a6ca5a647b
--- /dev/null
+++ b/policy/udp-common.bro
@@ -0,0 +1,46 @@
+# $Id: udp-common.bro 4758 2007-08-10 06:49:23Z vern $
+#
+# Performs generic UDP request/reply processing, but doesn't set
+# the packet filter to capture all UDP traffic (use udp.bro for that).
+
+@load hot
+@load conn
+@load scan
+
+global udp_req_count: table[conn_id] of count &default = 0;
+global udp_rep_count: table[conn_id] of count &default = 0;
+
+event udp_request(u: connection)
+	{
+	Scan::check_scan(u, F, F);
+#	if ( TRW::use_TRW_algorithm )
+#		TRW::check_TRW_scan(u, conn_state(u, udp), F);
+
+	Hot::check_hot(u, Hot::CONN_ATTEMPTED);
+	}
+
+event udp_reply(u: connection)
+	{
+	Scan::check_scan(u, T, F);
+#	if ( TRW::use_TRW_algorithm )
+#		TRW::check_TRW_scan(u, conn_state(u, udp), F);
+
+	Hot::check_hot(u, Hot::CONN_ESTABLISHED);
+	Hot::check_hot(u, Hot::CONN_FINISHED);
+	}
+
+function add_req_rep_addl(u: connection)
+	{
+	local id = u$id;
+	if ( udp_req_count[id] > 1 || udp_rep_count[id] > 1 )
+		append_addl(u, fmt("[%d/%d]", udp_req_count[id], udp_rep_count[id]));
+
+	delete udp_req_count[id];
+	delete udp_rep_count[id];
+	}
+
+event udp_session_done(u: connection)
+	{
+	add_req_rep_addl(u);
+	Hot::check_hot(u, Hot::CONN_FINISHED);
+	}
diff --git a/policy/udp.bro b/policy/udp.bro
new file mode 100644
index 0000000000..ae5f1834ad
--- /dev/null
+++ b/policy/udp.bro
@@ -0,0 +1,5 @@
+# $Id: udp.bro 1103 2005-03-17 09:18:28Z vern $
+
+@load udp-common
+
+redef capture_filters += { ["udp"] = "udp" };
diff --git a/policy/vlan.bro b/policy/vlan.bro
new file mode 100644
index 0000000000..82fcb75af8
--- /dev/null
+++ b/policy/vlan.bro
@@ -0,0 +1,5 @@
+# $Id: vlan.bro 416 2004-09-17 03:52:28Z vern $
+
+redef restrict_filters += { ["vlan"] = "vlan" };
+
+redef encap_hdr_size = 4;
diff --git a/policy/weird.bro b/policy/weird.bro
new file mode 100644
index 0000000000..245f6b79ac
--- /dev/null
+++ b/policy/weird.bro
@@ -0,0 +1,424 @@
+# $Id: weird.bro 6452 2008-12-07 01:19:13Z vern $
+
+@load notice
+@load port-name
+
+module Weird;
+
+export {
+	redef enum Notice += {
+		WeirdActivity,	# generic unusual, alarm-worthy activity
+		RetransmissionInconsistency,
+			# possible evasion; usually just chud
+		AckAboveHole,
+			# could mean packet drop; could also be chud
+		ContentGap,
+			# data has sequence hole; perhaps due to filtering
+	};
+
+	const weird_file = open_log_file("weird") &redef;
+
+	type WeirdAction: enum {
+		WEIRD_UNSPECIFIED, WEIRD_IGNORE, WEIRD_FILE,
+		WEIRD_NOTICE_ALWAYS, WEIRD_NOTICE_PER_CONN,
+		WEIRD_NOTICE_PER_ORIG, WEIRD_NOTICE_ONCE,
+	};
+
+	# Which of the above actions lead to logging.  For internal use.
+	const notice_actions = {
+		WEIRD_NOTICE_ALWAYS, WEIRD_NOTICE_PER_CONN,
+		WEIRD_NOTICE_PER_ORIG, WEIRD_NOTICE_ONCE,
+	};
+
+	const weird_action: table[string] of WeirdAction = {
+		# tcp_weird
+		["above_hole_data_without_any_acks"]	=	WEIRD_FILE,
+		["active_connection_reuse"]	=	WEIRD_FILE,
+		["bad_HTTP_reply"]	=	WEIRD_FILE,
+		["bad_HTTP_version"]	=	WEIRD_FILE,
+		["bad_ICMP_checksum"]	=	WEIRD_FILE,
+		["bad_ident_port"]	=	WEIRD_FILE,
+		["bad_ident_reply"]	=	WEIRD_FILE,
+		["bad_ident_request"]	=	WEIRD_FILE,
+		["bad_rlogin_prolog"]	=	WEIRD_FILE,
+		["bad_rsh_prolog"] = 	WEIRD_FILE,
+		["rsh_text_after_rejected"] = 	WEIRD_FILE,
+		["bad_RPC"]	=	WEIRD_NOTICE_PER_ORIG,
+		["bad_RPC_program"]	=	WEIRD_FILE,
+		["bad_SYN_ack"]	=	WEIRD_FILE,
+		["bad_TCP_checksum"]	=	WEIRD_FILE,
+		["bad_UDP_checksum"]	=	WEIRD_FILE,
+		["baroque_SYN"]	=	WEIRD_FILE,
+		["base64_illegal_encoding"]	=	WEIRD_FILE,
+		["connection_originator_SYN_ack"]	=	WEIRD_FILE,
+		["corrupt_tcp_options"]	=	WEIRD_FILE,
+		["crud_trailing_HTTP_request"]	=	WEIRD_FILE,
+		["data_after_reset"]	=	WEIRD_FILE,
+		["data_before_established"]	=	WEIRD_FILE,
+		["data_without_SYN_ACK"]	=	WEIRD_FILE,
+		["DHCP_no_type_option"] = 	WEIRD_FILE,
+		["DHCP_wrong_msg_type"] = 	WEIRD_FILE,
+		["DHCP_wrong_op_type"] = 	WEIRD_FILE,
+		["DNS_AAAA_neg_length"] = 	WEIRD_FILE,
+		["DNS_Conn_count_too_large"] = 	WEIRD_FILE,
+		["DNS_NAME_too_long"] = 	WEIRD_FILE,
+		["DNS_RR_bad_length"] = 	WEIRD_FILE,
+		["DNS_RR_length_mismatch"] = 	WEIRD_FILE,
+		["DNS_RR_unknown_type"] = 	WEIRD_FILE,
+		["DNS_label_forward_compress_offset"] = 	WEIRD_NOTICE_PER_ORIG,
+		["DNS_label_len_gt_name_len"] = 	WEIRD_NOTICE_PER_ORIG,
+		["DNS_label_len_gt_pkt"] = 	WEIRD_NOTICE_PER_ORIG,
+		["DNS_label_too_long"] = 	WEIRD_NOTICE_PER_ORIG,
+		["DNS_truncated_RR_rdlength_lt_len"] = 	WEIRD_FILE,
+		["DNS_truncated_ans_too_short"] = 	WEIRD_FILE,
+		["DNS_truncated_len_lt_hdr_len"] = 	WEIRD_FILE,
+		["DNS_truncated_quest_too_short"] = 	WEIRD_FILE,
+		["excessive_data_without_further_acks"] = 	WEIRD_FILE,
+		["excess_RPC"]	=	WEIRD_NOTICE_PER_ORIG,
+		["excessive_RPC_len"]	=	WEIRD_NOTICE_PER_ORIG,
+		["FIN_advanced_last_seq"]	=	WEIRD_FILE,
+		["FIN_after_reset"]	=	WEIRD_IGNORE,
+		["FIN_storm"]	=	WEIRD_NOTICE_ALWAYS,
+		["HTTP_bad_chunk_size"]	=	WEIRD_FILE,
+		["HTTP_chunked_transfer_for_multipart_message"]	=	WEIRD_FILE,
+		["HTTP_overlapping_messages"]	=	WEIRD_FILE,
+		["HTTP_unknown_method"]	=	WEIRD_FILE,
+		["HTTP_version_mismatch"]	=	WEIRD_FILE,
+		["ident_request_addendum"]	=	WEIRD_FILE,
+		["inappropriate_FIN"]	=	WEIRD_FILE,
+		["inflate_data_failed"]	=	WEIRD_FILE,
+		["inflate_failed"]	=	WEIRD_FILE,
+		["invalid_irc_global_users_reply"] = 	WEIRD_FILE,
+		["irc_invalid_command"] = 	WEIRD_FILE,
+		["irc_invalid_dcc_message_format"] = 	WEIRD_FILE,
+		["irc_invalid_invite_message_format"] = 	WEIRD_FILE,
+		["irc_invalid_join_line"] = 	WEIRD_FILE,
+		["irc_invalid_kick_message_format"] = 	WEIRD_FILE,
+		["irc_invalid_line"] = 	WEIRD_FILE,
+		["irc_invalid_mode_message_format"] = 	WEIRD_FILE,
+		["irc_invalid_names_line"] = 	WEIRD_FILE,
+		["irc_invalid_njoin_line"] = 	WEIRD_FILE,
+		["irc_invalid_notice_message_format"] = 	WEIRD_FILE,
+		["irc_invalid_oper_message_format"] = 	WEIRD_FILE,
+		["irc_invalid_privmsg_message_format"] = 	WEIRD_FILE,
+		["irc_invalid_reply_number"] = 	WEIRD_FILE,
+		["irc_invalid_squery_message_format"] = 	WEIRD_FILE,
+		["irc_invalid_topic_reply"] = 	WEIRD_FILE,
+		["irc_invalid_who_line"] = 	WEIRD_FILE,
+		["irc_invalid_who_message_format"] = 	WEIRD_FILE,
+		["irc_invalid_whois_channel_line"] = 	WEIRD_FILE,
+		["irc_invalid_whois_message_format"] = 	WEIRD_FILE,
+		["irc_invalid_whois_operator_line"] = 	WEIRD_FILE,
+		["irc_invalid_whois_user_line"] = 	WEIRD_FILE,
+		["irc_line_size_exceeded"] = 	WEIRD_FILE,
+		["irc_line_too_short"] = 	WEIRD_FILE,
+		["irc_too_many_invalid"] = 	WEIRD_FILE,
+		["line_terminated_with_single_CR"]	=	WEIRD_FILE,
+		["line_terminated_with_single_LF"]	=	WEIRD_FILE,
+		["malformed_ssh_identification"]	= WEIRD_FILE,
+		["malformed_ssh_version"] = 	WEIRD_FILE,
+		["matching_undelivered_data"]	= WEIRD_FILE,
+		["multiple_HTTP_request_elements"]	=	WEIRD_FILE,
+		["multiple_RPCs"]	=	WEIRD_NOTICE_PER_ORIG,
+		["non_IPv4_packet"]	=	WEIRD_NOTICE_ONCE,
+		["NUL_in_line"]	=	WEIRD_FILE,
+		["originator_RPC_reply"]	=	WEIRD_NOTICE_PER_ORIG,
+		["partial_finger_request"]	=	WEIRD_FILE,
+		["partial_ftp_request"]	=	WEIRD_FILE,
+		["partial_ident_request"]	=	WEIRD_FILE,
+		["partial_RPC"]	=	WEIRD_NOTICE_PER_ORIG,
+		["partial_RPC_request"]	=	WEIRD_FILE,
+		["pending_data_when_closed"]	=	WEIRD_FILE,
+		["pop3_bad_base64_encoding"]	=	WEIRD_FILE,
+		["pop3_client_command_unknown"]	=	WEIRD_FILE,
+		["pop3_client_sending_server_commands"]	=	WEIRD_FILE,
+		["pop3_malformed_auth_plain"]	=	WEIRD_FILE,
+		["pop3_server_command_unknown"]	=	WEIRD_FILE,
+		["pop3_server_sending_client_commands"]	=	WEIRD_FILE,
+		["possible_split_routing"]	=	WEIRD_FILE,
+		["premature_connection_reuse"]	=	WEIRD_FILE,
+		["repeated_SYN_reply_wo_ack"]	=	WEIRD_FILE,
+		["repeated_SYN_with_ack"]	=	WEIRD_FILE,
+		["responder_RPC_call"]	=	WEIRD_NOTICE_PER_ORIG,
+		["rlogin_text_after_rejected"]	=	WEIRD_FILE,
+		["RPC_rexmit_inconsistency"]	=	WEIRD_FILE,
+		["RPC_underflow"] = 	WEIRD_FILE,
+		["RST_storm"]	=	WEIRD_NOTICE_ALWAYS,
+		["RST_with_data"]	=	WEIRD_FILE,	# PC's do this
+		["simultaneous_open"]	=	WEIRD_NOTICE_PER_CONN,
+		["spontaneous_FIN"]	=	WEIRD_IGNORE,
+		["spontaneous_RST"]	=	WEIRD_IGNORE,
+		["SMB_parsing_error"] = 	WEIRD_FILE,
+		["no_smb_session_using_parsesambamsg"] = 	WEIRD_FILE,
+		["smb_andx_command_failed_to_parse"] = 	WEIRD_FILE,
+		["transaction_subcmd_missing"] = 	WEIRD_FILE,
+		["SSLv3_data_without_full_handshake"] = 	WEIRD_FILE,
+		["unexpected_SSLv3_record"] = 	WEIRD_FILE,
+		["successful_RPC_reply_to_invalid_request"] = 	WEIRD_NOTICE_PER_ORIG,
+		["SYN_after_close"]	=	WEIRD_FILE,
+		["SYN_after_partial"]	=	WEIRD_NOTICE_PER_ORIG,
+		["SYN_after_reset"]	=	WEIRD_FILE,
+		["SYN_inside_connection"]	=	WEIRD_FILE,
+		["SYN_seq_jump"]	=	WEIRD_FILE,
+		["SYN_with_data"]	=	WEIRD_FILE,
+		["TCP_christmas"]	=	WEIRD_FILE,
+		["truncated_ARP"]	=	WEIRD_FILE,
+		["truncated_NTP"]	=	WEIRD_FILE,
+		["UDP_datagram_length_mismatch"]	=	WEIRD_NOTICE_PER_ORIG,
+		["unexpected_client_HTTP_data"] = 	WEIRD_FILE,
+		["unexpected_multiple_HTTP_requests"]	=	WEIRD_FILE,
+		["unexpected_server_HTTP_data"] = 	WEIRD_FILE,
+		["unmatched_HTTP_reply"]	=	WEIRD_FILE,
+		["unpaired_RPC_response"]	=	WEIRD_FILE,
+		["unsolicited_SYN_response"]	=	WEIRD_IGNORE,
+		["window_recision"]	= WEIRD_FILE,
+		["double_%_in_URI"]	= WEIRD_FILE,
+		["illegal_%_at_end_of_URI"]	= WEIRD_FILE,
+		["unescaped_%_in_URI"]	= WEIRD_FILE,
+		["unescaped_special_URI_char"]	= WEIRD_FILE,
+
+		["UDP_zone_transfer"]	= WEIRD_NOTICE_ONCE,
+
+		["deficit_netbios_hdr_len"]	= WEIRD_FILE,
+		["excess_netbios_hdr_len"]	= WEIRD_FILE,
+		["netbios_client_session_reply"]	= WEIRD_FILE,
+		["netbios_raw_session_msg"]	= WEIRD_FILE,
+		["netbios_server_session_request"]	= WEIRD_FILE,
+		["unknown_netbios_type"]	= WEIRD_FILE,
+
+		# flow_weird
+		["excessively_large_fragment"]	=	WEIRD_NOTICE_ALWAYS,
+
+		# Code Red generates slews ...
+		["excessively_small_fragment"]	=	WEIRD_NOTICE_PER_ORIG,
+
+		["fragment_inconsistency"]	=	WEIRD_NOTICE_ALWAYS,
+		["fragment_overlap"]	=	WEIRD_NOTICE_ALWAYS,
+		["fragment_protocol_inconsistency"]	=	WEIRD_NOTICE_ALWAYS,
+		["fragment_size_inconsistency"]	=	WEIRD_NOTICE_ALWAYS,
+		["fragment_with_DF"]	=	WEIRD_FILE,	# these do indeed happen!
+		["incompletely_captured_fragment"]	=	WEIRD_NOTICE_ALWAYS,
+
+		# net_weird
+		["bad_IP_checksum"]	=	WEIRD_FILE,
+		["bad_TCP_header_len"]	=	WEIRD_FILE,
+		["internally_truncated_header"]	=	WEIRD_NOTICE_ALWAYS,
+		["truncated_IP"]	=	WEIRD_FILE,
+		["truncated_header"]	=	WEIRD_FILE,
+
+		# generated by policy script
+		["Land_attack"]	=		WEIRD_NOTICE_PER_ORIG,
+		["bad_pm_port"]	=		WEIRD_NOTICE_PER_ORIG,
+	} &redef;
+
+	# table that maps weird types into a function that should be called
+	# to determine the action.
+	const weird_action_filters:
+		table[string] of function(c: connection): WeirdAction &redef;
+
+	const weird_ignore_host: set[addr, string] &redef;
+
+	# But don't ignore these (for the weird file), it's handy keeping
+	# track of clustered checksum errors.
+	const weird_do_not_ignore_repeats = {
+		"bad_IP_checksum", "bad_TCP_checksum", "bad_UDP_checksum",
+		"bad_ICMP_checksum",
+	} &redef;
+}
+
+# id/msg pairs that should be ignored (because the problem has already
+# been reported).
+global weird_ignore: table[string] of set[string] &write_expire = 10 min;
+
+# For WEIRD_NOTICE_PER_CONN.
+global did_notice_conn: set[addr, port, addr, port, string]
+							&read_expire = 1 day;
+
+# For WEIRD_NOTICE_PER_ORIG.
+global did_notice_orig: set[addr, string] &read_expire = 1 day;
+
+# For WEIRD_NOTICE_ONCE.
+global did_weird_log: set[string] &read_expire = 1 day;
+
+global did_inconsistency_msg: set[conn_id];
+
+function weird_id_string(id: conn_id): string
+	{
+	return fmt("%s > %s",
+		endpoint_id(id$orig_h, id$orig_p),
+		endpoint_id(id$resp_h, id$resp_p));
+	}
+
+# Used to pass the optional connection into report_weird().
+global current_conn: connection;
+
+function report_weird(t: time, name: string, id: string, have_conn: bool,
+			addl: string, action: WeirdAction, no_log: bool)
+	{
+	if ( action == WEIRD_IGNORE ||
+	     (id in weird_ignore && name in weird_ignore[id]) )
+		return;
+
+	local msg = id;
+
+	if ( action == WEIRD_UNSPECIFIED )
+		{
+		if ( name in weird_action )
+			{
+			action = weird_action[name];
+			if ( action == WEIRD_IGNORE )
+				return;
+
+			msg = fmt("%s: %s", msg, name);
+			}
+		else
+			{
+			action = WEIRD_NOTICE_ALWAYS;
+			msg = fmt("** %s: %s", msg, name);
+			}
+		}
+	else
+		msg = fmt("%s: %s", msg, name);
+
+	if ( addl != "" )
+		msg = fmt("%s (%s)", msg, addl);
+
+	if ( action in notice_actions && ! no_log )
+		{
+		if ( have_conn )
+			NOTICE([$note=WeirdActivity, $conn=current_conn,
+				$msg=msg]);
+		else
+			NOTICE([$note=WeirdActivity, $msg=msg]);
+		}
+
+	else if ( id != "" && name !in weird_do_not_ignore_repeats )
+		{
+		if ( id !in weird_ignore )
+			weird_ignore[id] = set() &mergeable;
+
+		add weird_ignore[id][name];
+		}
+
+	print weird_file, fmt("%.6f %s", t, msg);
+	}
+
+function report_weird_conn(t: time, name: string, id: string, addl: string,
+				c: connection)
+	{
+	if ( [c$id$orig_h, name] in weird_ignore_host ||
+	     [c$id$resp_h, name] in weird_ignore_host )
+		return;
+
+	local no_log = F;
+	local action = WEIRD_UNSPECIFIED;
+
+	if ( name in weird_action )
+		{
+		if ( name in weird_action_filters )
+			action = weird_action_filters[name](c);
+
+		if ( action == WEIRD_UNSPECIFIED )
+			action = weird_action[name];
+
+		local cid = c$id;
+
+		if ( action == WEIRD_NOTICE_PER_CONN )
+			{
+			if ( [cid$orig_h, cid$orig_p, cid$resp_h, cid$resp_p, name] in did_notice_conn )
+				no_log = T;
+			else
+				add did_notice_conn[cid$orig_h, cid$orig_p, cid$resp_h, cid$resp_p, name];
+			}
+
+		else if ( action == WEIRD_NOTICE_PER_ORIG )
+			{
+			if ( [c$id$orig_h, name] in did_notice_orig )
+				no_log = T;
+			else
+				add did_notice_orig[c$id$orig_h, name];
+			}
+
+		else if ( action == WEIRD_NOTICE_ONCE )
+			{
+			if ( name in did_weird_log )
+				no_log = T;
+			else
+				add did_weird_log[name];
+			}
+		}
+
+	current_conn = c;
+	report_weird(t, name, id, T, addl, action, no_log);
+	}
+
+function report_weird_orig(t: time, name: string, id: string, orig: addr)
+	{
+	local no_log = F;
+	local action = WEIRD_UNSPECIFIED;
+
+	if ( name in weird_action )
+		{
+		action = weird_action[name];
+		if ( action == WEIRD_NOTICE_PER_ORIG )
+			{
+			if ( [orig, name] in did_notice_orig )
+				no_log = T;
+			else
+				add did_notice_orig[orig, name];
+			}
+		}
+
+	report_weird(t, name, id, F, "", action, no_log);
+	}
+
+event conn_weird(name: string, c: connection)
+	{
+	report_weird_conn(network_time(), name, weird_id_string(c$id), "", c);
+	}
+
+event conn_weird_addl(name: string, c: connection, addl: string)
+	{
+	report_weird_conn(network_time(), name, weird_id_string(c$id), addl, c);
+	}
+
+event flow_weird(name: string, src: addr, dst: addr)
+	{
+	report_weird_orig(network_time(), name, fmt("%s -> %s", src, dst), src);
+	}
+
+event net_weird(name: string)
+	{
+	report_weird(network_time(), name, "", F, "", WEIRD_UNSPECIFIED, F);
+	}
+
+event rexmit_inconsistency(c: connection, t1: string, t2: string)
+	{
+	if ( c$id !in did_inconsistency_msg )
+		{
+		NOTICE([$note=RetransmissionInconsistency, $conn=c,
+			$msg=fmt("%s rexmit inconsistency (%s) (%s)",
+				weird_id_string(c$id), t1, t2)]);
+		add did_inconsistency_msg[c$id];
+		}
+	}
+
+event ack_above_hole(c: connection)
+	{
+	NOTICE([$note=AckAboveHole, $conn=c,
+		$msg=fmt("%s ack above a hole", weird_id_string(c$id))]);
+	}
+
+event content_gap(c: connection, is_orig: bool, seq: count, length: count)
+	{
+	NOTICE([$note=ContentGap, $conn=c,
+		$msg=fmt("%s content gap (%s %d/%d)%s",
+			weird_id_string(c$id), is_orig ? ">" : "<", seq, length,
+				 is_external_connection(c) ? " [external]" : "")]);
+	}
+
+event connection_state_remove(c: connection)
+	{
+	delete weird_ignore[weird_id_string(c$id)];
+	delete did_inconsistency_msg[c$id];
+	}
diff --git a/policy/worm.bro b/policy/worm.bro
new file mode 100644
index 0000000000..18e9649096
--- /dev/null
+++ b/policy/worm.bro
@@ -0,0 +1,117 @@
+# $Id: worm.bro 4758 2007-08-10 06:49:23Z vern $
+
+@load notice
+@load site
+
+# signatures.bro needs this.
+global is_worm_infectee: function(ip: addr) : bool;
+
+@load signatures
+
+redef enum Notice += {
+	LocalWorm,		# worm seen in local host
+	RemoteWorm,		# worm seen in remote host
+};
+
+# redef capture_filters += { ["worm"] = "tcp dst port 80" };
+
+const worm_log = open_log_file("worm") &redef;
+
+# Maps types of worms to URI patterns.
+const worm_types: table[string] of pattern = {
+	["Code Red 1"] = /\.id[aq]\?.*NNNNNNNNNNNNN/,
+	["Code Red 2"] = /\.id[aq]\?.*XXXXXXXXXXXXX/,
+	["Nimda"] = /\/scripts\/root\.exe\?\/c\+tftp/ |
+			/\/MSADC\/root.exe\?\/c\+dir/ |
+			/cool\.dll.*httpodbc\.dll/,	# 29Oct01 Nimda variant
+} &redef;
+
+# Maps signatures to worm types.
+const worm_sigs: table[string] of string = {
+	["slammer"] = "Slammer",
+	["nimda"] = "Nimda",
+	["bagle-bc"] = "Bagle.bc"
+};
+
+# We handle these ourselves.
+redef signature_actions += {
+	["codered1"] = SIG_IGNORE,
+	["codered2"] = SIG_IGNORE,
+	["slammer"] = SIG_IGNORE,
+	["nimda"] = SIG_IGNORE,
+	["bagle-bc"] = SIG_IGNORE
+};
+
+# Indexed by infectee.
+global worm_list: table[addr] of count &default=0 &read_expire = 2 days;
+
+# Indexed by infectee and type of worm.
+global worm_type_list: table[addr, string] of count
+					&default=0 &read_expire = 2 days;
+
+# Invoked each time a new infectee (or a new type of worm for an existing
+# infectee) is seen.  For the first instance of any type for a new infectee,
+# two events will be generated, one with worm_type of "first instance",
+# and another with the particular worm type.
+global worm_infectee_seen: event(c: connection, is_local: bool, worm_type: string);
+
+# Invoked whenever connection c has included a URI of worm type "worm_type".
+event worm_instance(c: connection, worm_type: string)
+	{
+	local id = c$id;
+	local src = id$orig_h;
+	local is_local = is_local_addr(src);
+
+	if ( ++worm_list[src] == 1 )
+		event worm_infectee_seen(c, is_local, "first instance");
+
+	if ( ++worm_type_list[src, worm_type] == 1 )
+		event worm_infectee_seen(c, is_local, worm_type);
+	}
+
+event worm_infectee_seen(c: connection, is_local: bool, worm_type: string)
+	{
+	if ( worm_type == "first instance" )
+		return;	# just do the reporting for the specific type
+
+	local infectee = c$id$orig_h;
+	local where = is_local ? "local" : "remote";
+	local msg = fmt("%s %s worm source: %s", where, worm_type, infectee);
+
+	if ( is_local )
+		NOTICE([$note=LocalWorm, $conn=c, $src=infectee,
+			$msg=msg, $sub=worm_type]);
+	else
+		NOTICE([$note=RemoteWorm, $conn=c, $src=infectee,
+			$msg=msg, $sub=worm_type]);
+
+	print worm_log, fmt("%.6f %s", network_time(), msg);
+	}
+
+event http_request(c: connection, method: string,
+		   original_URI: string, unescaped_URI: string, version: string)
+	{
+	# It's a pity to do this as a loop.  Better would be if Bro could
+	# search the patterns as one large RE and note which matched.
+
+	for ( wt in worm_types )
+		if ( worm_types[wt] in unescaped_URI )
+			event worm_instance(c, wt);
+	}
+
+event signature_match(state: signature_state, msg: string, data: string)
+	{
+	if ( state$id in worm_sigs )
+		event worm_instance(state$conn, worm_sigs[state$id]);
+	}
+
+# Ignore "weird" events, we get some due to the capture_filter above that
+# only captures the client side of an HTTP session.
+event conn_weird(name: string, c: connection)
+	{
+	}
+
+function is_worm_infectee(ip: addr): bool
+	{
+	return ip in worm_list;
+	}
diff --git a/scripts/IP4.pm b/scripts/IP4.pm
new file mode 100644
index 0000000000..e920fc8902
--- /dev/null
+++ b/scripts/IP4.pm
@@ -0,0 +1,150 @@
+package IP4;
+
+use Exporter;
+@ISA = ('Exporter');
+@EXPORT = ( 'getIPFromString',
+	    'getStringFromIP',
+	    'getMaskFromPrefix',
+	    'getPrefixFromMask',
+	    'isPartOf',
+	    'aggregateSinglesTo'
+            );
+
+use strict;
+my $DEBUG = 0;
+
+sub getIPFromString{
+    my ($net) = @_;
+    my @octets = split (/\./, $net);
+
+    #check ip!
+    foreach my $oct (@octets){
+	if ($oct!~/\d+/ || $oct<0 || $oct > 255){return 0;}
+    }
+
+    my $ip=0;
+    for (my $i = 0; $i < 4; $i++){
+	$ip |= $octets[$i] << ((3-$i)*8);
+    }
+    return $ip;
+}
+
+sub getStringFromIP{
+    my ($net) = @_;
+    my @octets;
+    my $bitmask=0xff;
+    for (my $i = 0; $i<4; $i++){
+	$octets[$i] = ($net & $bitmask);
+	$net >>= 8;
+    }
+    return "$octets[3].$octets[2].$octets[1].$octets[0]";
+}
+
+sub getMaskFromPrefix{
+    my ($pre) = @_;
+
+    #check prefix!
+    if ($pre!~/\d+/ || $pre < 0 || $pre > 32){return 0;}
+
+    my $mask=0;
+    for (my $i = 0; $i < $pre; $i++){
+	$mask |= 1 << (31-$i);
+    }
+    return $mask;
+}
+
+sub getPrefixFromMask{
+    my ($mask) = @_;
+    if ($mask == 0){return 0}; #special case, we would loop forever with this:
+    my $prefix;
+    for ($prefix = 32; !($mask & 1); $prefix--){
+	$mask >>= 1;
+    }
+    return $prefix;
+}
+
+sub isPartOf{
+    my ($iip, $imask, $oip, $omask) = @_;
+    if ($omask > $imask){return 0;} 
+    #if the net which should contain the other is 
+    #smaller we did something wrong!
+
+    return ( (($oip ^ $iip) & $omask) == 0 );
+} 
+
+sub aggregateSinglesTo{
+    #paramters: 
+    #1. reference to array of addresses (will be changed!)
+    #2. refernce to array of masks (will be deleted and changed)
+    #3. max Bits to aggregate to.
+
+    my ($addr, $masks, $bitlimit) = @_;
+    $bitlimit = 32-$bitlimit; #the way it will be used we'll need the inverse 
+    @$addr = sort{$a<=>$b}(@$addr) or return 0;
+    @$masks = ();
+    my $fullmask = getMaskFromPrefix(32);
+    foreach my $dummy (@$addr){push(@$masks, $fullmask);}
+    if ($DEBUG){
+	print STDERR "sorted list before aggregating\n";
+	print STDERR join(" ", map(getStringFromIP($_), @$addr));
+	print STDERR "\n";
+    }
+
+	for (my $i = 0;
+	     $i < (scalar(@$addr) - 1);
+	     $i ++)
+	{
+	    my $lip = $addr->[$i];
+	    my $lmask = $masks->[$i];
+	    my $hip = $addr->[$i + 1];
+	    my $hmask = $masks->[$i + 1];
+
+	    if (isPartOf($hip, $hmask, $lip, $lmask)) { #parameter: (inner, outer)
+		if ($DEBUG){
+		    printf STDERR ("removing %s/%s since it is contained in %s/%s ", 
+				   getStringFromIP($hip), getPrefixFromMask($hmask), 
+				   getStringFromIP($lip), getPrefixFromMask($lmask) );
+		}
+		splice(@$addr, $i + 1, 1);
+		splice(@$masks, $i + 1, 1);
+		-- $i;
+	    }else{
+		my $nb = $lip;
+
+		$nb ^= $hip; #look for first non-matching bit!
+		my $firstdiff=0;
+		while ($nb > 0){
+		    $firstdiff++;
+		    $nb >>= 1;
+		}
+		if ($firstdiff <= $bitlimit){
+		    if ($DEBUG){print STDERR "$firstdiff : ";}
+		    while($firstdiff>0){
+			$firstdiff--;
+			$nb <<= 1;
+			$nb += 1;
+		    }
+		    
+		    my $nm = ~$nb; #negate to get the new (joint) mask
+		    my $na = $lip & $nm;
+		    $addr->[$i] = $na;
+		    $masks->[$i] = $nm;
+		    if ($DEBUG){
+			printf STDERR ("%s to %s/%s (aggregating %s)\n", 
+				       getStringFromIP($lip), getStringFromIP($addr->[$i]), 
+				       getPrefixFromMask($masks->[$i]), getStringFromIP($hip));
+		    }
+		    splice(@$addr, $i + 1, 1);
+		    $i--; #do with the same address again. perhaps it collects even more
+		}
+	    }
+	}
+    if ($DEBUG){
+	print STDERR "sorted list after aggregation\n";
+	print STDERR join(" ", map(getStringFromIP($_), @$addr));
+	print STDERR "\n";
+    }
+    return 1;
+}
+
+1;
diff --git a/scripts/Makefile.am b/scripts/Makefile.am
new file mode 100644
index 0000000000..c898010557
--- /dev/null
+++ b/scripts/Makefile.am
@@ -0,0 +1,167 @@
+## Process this file with automake to produce Makefile.in
+
+bro_bin		= ${prefix}/bin
+bro_logs	= ${prefix}/logs
+bro_etc		= ${prefix}/etc
+bro_site	= ${prefix}/site
+bro_scripts	= ${prefix}/scripts
+bro_reports	= ${prefix}/reports
+bro_perlmods	= ${prefix}/perl
+
+# where to download signatures from.
+SIGHOST=www.bro-ids.org
+
+# whats our name ..
+brohost = @BROHOST@
+
+SUBDIRS = s2b
+
+# these files need to be in the distribution
+EXTRA_DIST = bro.cfg.example  bro_config.in  alert_scores  bro.rc.in \
+	bro.rc-hooks.sh  bro_log_compress.sh  install_cron.sh \
+	local.site.bro.default  localnetMAC.pl.in \
+	mail_notice.sh  mail_reports.sh \
+	make-ftp-safe-vocabulary.awk  IP4.pm signature_scores \
+	perl local.lite.bro \
+	alert_scores signature_scores \
+	bro_log_compress.sh \
+	frontend-mail-reports.sh frontend-site-report.sh push_logs.sh mail_notice.sh
+
+# this cleans up some genereated files
+MOSTLYCLEAN = bro.rc bro.cfg bro_config intern.bro bro_user_id bro_user_id.bak \
+			  localnetMAC.pl local.site.bro
+
+scoredir=$(prefix)/etc
+scriptsdir=$(prefix)/scripts
+
+# just update dist files, not the site file
+# and ask me no questions, I'll tell you no ..
+update: 
+	$(MAKE) install_default_files
+
+# install brolite
+install-brolite: 
+	- $(INSTALL) -d /usr/local/etc/rc.d/
+	$(MAKE) create_dirs
+	
+	$(INSTALL) $(srcdir)/alert_scores $(scoredir)/alert_scores
+	$(INSTALL) $(srcdir)/signature_scores $(scoredir)/signature_scores
+	$(INSTALL) $(srcdir)/bro_log_compress.sh  $(bro_scripts)/bro_log_compress.sh
+	$(INSTALL) $(srcdir)/frontend-mail-reports.sh  $(bro_scripts)/frontend-mail-reports.sh
+	$(INSTALL) $(srcdir)/frontend-site-report.sh  $(bro_scripts)/frontend-site-report.sh
+	$(INSTALL) $(srcdir)/push_logs.sh  $(bro_scripts)/push_logs.sh
+	$(INSTALL) $(srcdir)/mail_notice.sh $(bro_scripts)/mail_notice.sh
+	$(INSTALL) $(srcdir)/s2b/example_bro_files/signatures.sig $(prefix)/site
+	$(INSTALL) $(srcdir)/s2b/bro-include/sig-addendum.sig $(datadir)/bro
+	$(INSTALL) $(srcdir)/s2b/bro-include/sig-functions.bro $(datadir)/bro
+	$(INSTALL) $(srcdir)/s2b/example_bro_files/sig-action.bro $(datadir)/bro
+
+# install perl libraries and executables
+install_perl_scripts:
+	@if ! ${PERL} -e 'exit ($] >= 5.006001)' > /dev/null 2>&1; then \
+		(cd perl && $(PERL) Makefile.PL INSTALLSCRIPT=$(bro_scripts) BROCONFIG=$(prefix)/etc/bro.cfg PREFIX=$(bro_perlmods); $(MAKE) ; $(MAKE) install) ; \
+	else \
+		echo "*************************************************" ; \
+		echo "* Need newer version of perl to install reports *" ; \
+		echo "*    and other supporting perl based tools.     *" ; \
+		echo "*************************************************" ; \
+	fi
+# clean up the mess we made
+uninstall-local:
+	rm -f $(bro_scripts)/mail_reports.sh
+	rm -f $(bro_scripts)/bro_log_compress.sh
+	rm -f $(bro_scripts)/bro_config
+	rm -f $(bro_etc)/bro.rc
+	rm -f $(bro_etc)/bro.cfg
+	rm -f $(bro_etc)/bro.cfg.example
+	rm -f $(prefix)/etc/bro.rc-hooks.sh
+	rm -f  $(prefix)/site/local.site.bro
+	rm -f  $(prefix)/site/${brohost}.bro
+	$(srcdir)/install_cron.sh uninstall
+	-rm -f $(prefix)/etc/bro.rc-hooks.sh.new 
+	-rm -f /usr/local/etc/rc.d/bro.sh
+
+
+# install the stuff to do reports
+reports:
+	$(INSTALL) -d $(bro_scripts)
+	$(INSTALL) -d $(bro_etc)
+	(cd s2b && $(MAKE) all)
+	(cd s2b && $(MAKE) install)
+	@./bro_config
+	$(INSTALL_DATA) bro.cfg  $(bro_etc)/bro.cfg
+	$(INSTALL) $(srcdir)/mail_reports.sh $(bro_scripts)/mail_reports.sh
+	$(INSTALL) $(srcdir)/bro_log_compress.sh $(bro_scripts)/bro_log_compress.sh
+	$(INSTALL) $(srcdir)/frontend-mail-reports.sh $(bro_scripts)/frontend-mail-reports.sh
+	$(INSTALL) $(srcdir)/frontend-site-report.sh $(bro_scripts)/frontend-site-report.sh
+	$(INSTALL) $(srcdir)/push_logs.sh  $(bro_scripts)/push_logs.sh
+	$(MAKE) install_perl_scripts
+
+# update the signature file in $BROHOME/site, don't clobber it!
+update-sigs:
+	@echo "Getting signature file from $(SIGHOST)" 
+	- wget http://$(SIGHOST)/download/signatures.sig -O signatures.sig.new  -o /dev/null 
+	@if [ ! -s signatures.sig.new ] ; then \
+		echo "Error in download. Try again later." ; \
+	else \
+		if [ ! -f $(prefix)/site/signatures.sig ] ; then  \
+			echo "No previous version, installing new version." ; \
+			cp signatures.sig.new $(prefix)/site/signatures.sig ; \
+		else \
+			cp signatures.sig.new $(prefix)/site/signatures.sig.new ; \
+			echo "***********************************************************" ; \
+			echo "A new signature file (signatures.sig.new) has been placed in" ; \
+			echo "$(prefix)/site. Please compare it to your current signatures.sig " ; \
+			echo "and copy it over if there are no significant differences." ; \
+			echo "***********************************************************" ; \
+		fi \
+	fi
+		
+create_dirs:
+	- $(INSTALL) -d $(bro_bin)
+	$(INSTALL) -d $(bro_etc)
+	$(INSTALL) -d $(bro_logs)
+	$(INSTALL) -d $(bro_site)
+	$(INSTALL) -d $(bro_scripts)
+	$(INSTALL) -d $(bro_reports)
+
+# these are files that SHOULD NOT be updated and are site specific
+install_local_files:
+	@if [ ! -f ${bro_site}/local.site.bro ] ; then                \
+		echo "Installing local.site.bro ..." ;                           \
+		if [ ! -f local.site.bro ]; then                      \
+			$(INSTALL_DATA) local.site.bro.default $(bro_site)/local.site.bro ; \
+		else \
+			$(INSTALL_DATA) local.site.bro $(bro_site)/local.site.bro ; \
+		fi \
+	else \
+		if [ -f local.site.bro ]; then                      \
+			$(INSTALL_DATA) local.site.bro $(bro_site)/local.site.bro.new ; \
+		fi \
+	fi
+	@if [ ! -f ${bro_site}/${brohost}.bro ] ; then                 \
+		echo "Installing ${brohost}.bro ..." ;                             \
+		$(INSTALL_DATA) $(srcdir)/local.lite.bro $(bro_site)/${brohost}.bro ;   \
+	else \
+		$(INSTALL_DATA) $(srcdir)/local.lite.bro $(bro_site)/${brohost}.bro.new ;   \
+	fi
+	@if [ ! -f $(prefix)/etc/bro.rc-hooks.sh ] ; then              \
+		$(INSTALL_DATA) $(srcdir)/bro.rc-hooks.sh $(prefix)/etc/bro.rc-hooks.sh ;   \
+	else \
+		$(INSTALL_DATA) $(srcdir)/bro.rc-hooks.sh $(prefix)/etc/bro.rc-hooks.sh.new ; \
+	fi
+
+# Default files that can be installed/reinstalled, not site specific
+install_default_files:
+	$(INSTALL) $(srcdir)/mail_reports.sh $(bro_scripts)/mail_reports.sh
+	$(INSTALL) bro.rc $(prefix)/etc/bro.rc
+	$(INSTALL) bro_config  $(prefix)/scripts/bro_config
+	-$(INSTALL_DATA) bro.cfg  $(bro_etc)/bro.cfg
+	$(INSTALL_DATA) $(srcdir)/bro.cfg.example $(bro_etc)/bro.cfg.example
+	- $(INSTALL) bro.rc /usr/local/etc/rc.d/bro.sh
+	(cd s2b ; $(MAKE) install)
+
+# install cron file
+install_cron:
+	$(srcdir)/install_cron.sh install
+
diff --git a/scripts/README b/scripts/README
new file mode 100644
index 0000000000..b51a02af21
--- /dev/null
+++ b/scripts/README
@@ -0,0 +1,29 @@
+
+This directory contains scripts to help configure and run bro.
+
+
+bro.cfg.in      This is the bro configuration file
+bro.cfg         This is the bro configuration file with all runtime values set
+
+localnetMAC.pl  Program to figure out your network topology based on a 
+                tcpdump input file.
+IP4.pm          Helper perl module for localnetMac.
+
+brolite.bro     This is the default policy file
+bro.rc	        This is the start/stop script, with all runtime values set
+bro.rc-hooks.sh User level interface into the start and stop events in bro.rc
+bro.rc.in       This si the raw start stop script
+bro_config      This is the script run at 'make install' that sets the 
+                values in bro.cfg
+
+bro_config.in   Raw bro_config script, before pre-processing
+bro.cfg.example Example file of what bro.cfg should look like
+
+intern.bro.default 
+               This is an example of what intern.bro should look like.
+
+mail_reports.sh
+               Shell script to email out reports
+
+make-ftp-safe-vocabulary.awk
+
diff --git a/scripts/alert_scores b/scripts/alert_scores
new file mode 100644
index 0000000000..bb2eadf4de
--- /dev/null
+++ b/scripts/alert_scores
@@ -0,0 +1,37 @@
+# DESCRIPTION:
+# 
+# This file is used by the report generator to assign scores to
+# certain types of alerts.  Use this file to increase the likelyhood
+# that a certain type of alarm is successful.  The scores listed
+# in this file will be added to any scores derived by the report
+# generator.  The format is -> ALERT_TYPE<white space>SCORE
+#
+# The score derived by the report generator is influenced by certain
+# traffic patterns.  If an alarm is generated and a connection is
+# seen coming from the victim host back to the suspect host this will
+# drive the score past the $ALARM_THRESHOLD.  Also an alarm generated by
+# a host from the internal network will likely produce a score higher
+# than the $ALARM_THRESHOLD.  This functionality only affects alarms
+# which produce an incident.
+#
+# EXAMPLE:
+# Lets assume you have created a custom alert type of 
+# "Employee_Did_Something_Bad".  Lets also assume that this alarm
+# is triggered only under certain conditions and you know the alarm is
+# always correct or of great interest.  To make this always show up in
+# the report set the score to something equal to or higher than the
+# $ALARM_THRESHOLD (default: 100).
+#
+# NOTES:
+#
+# The only alert type that cannot be given a score is
+# "SensitiveSignature".  Instead signatures are given their own
+# scores specified in their meta-data. (still in the works)
+#
+
+TRWAddressSca          40
+WeirdActivit           1
+PortScan               20 
+PasswordGuessing       60
+MultipleSignature      20
+_DEFAULT_              0
diff --git a/scripts/bro.cfg.example b/scripts/bro.cfg.example
new file mode 100644
index 0000000000..8bef983163
--- /dev/null
+++ b/scripts/bro.cfg.example
@@ -0,0 +1,161 @@
+# Source file config for running bro
+
+# On a linux system this file will normally exist in /etc/sysconfig
+# and will have the same filename as the RC start script which calls it.
+
+# On a FreeBSD machine this file will normally reside in /usr/local/etc
+# and will have the same filename as the RC start script which calls it.
+
+# The following variables are exported and needed by Bro at runtime
+# These are mostly undocumented. arrrrrr!!!!!!
+# BROLOGS
+# BROHOME
+# BROPATH
+
+# host only format
+BRO_HOSTNAME=`hostname | awk -F. ' { print  } '`
+# FQDN format
+# HOSTNAME=`hostname`
+
+# Directory containing Bro binaries
+BRO_BIN_DIR="${BROHOME}/bin"
+
+# Filename of the Bro start policy
+# START_POLICY="default.bro"
+BRO_START_POLICY="localhost.bro"
+
+# Directory containing Bro logs
+BROLOGS="${BROHOME}/logs"
+export BROLOGS
+
+# Log archive directory
+BRO_LOG_ARCHIVE="${BROHOME}/archive"
+
+# Directory containing Bro signature files
+BRO_SIG_DIR="${BROHOME}/site"
+
+# Bro policy paths
+BROPATH="${BROHOME}/share/bro/site:${BROHOME}/share/bro:${BROHOME}/share/bro/sigs:${BROHOME}/share/bro/time-machine"
+export BROPATH
+
+# Location of site specific policy and configurations
+BROSITE="${BROHOME}/site"
+
+# Location of host specific policy and configurations
+BROHOST="${BROHOME}/host"
+
+# A prefix to use when looking for local policy files to load.
+# BRO_PREFIX="local"
+
+# Location of the Bro executable
+BRO="${BRO_BIN_DIR}/bro"
+
+# Base command line options.
+BRO_ADD_OPTS=" -W"
+# Turn on Bro's Watchdog feature
+BRO_OPTS="${BRO_ADD_OPTS}"
+
+# Interface name to listen on.  The default is to use the busiest one found.
+BRO_CAPTURE_INTERFACE=""
+# Multiple interface should be specified as a space delimited list.
+# Examples: 
+#   CAPTURE_INTERFACE="sk0 sk1 sk5"
+#   CAPTURE_INTERFACE="eth0 eth3"
+#   CAPTURE_INTERFACE="eth0"
+
+# If set to YES and there are any signature files ending with .bro in $SIG_DIR
+# then they will be started with bro.  Set to NO to disable signatures
+# Set to YES to enable bro to run with 'signature matching' on (YES/NO)
+BRO_USE_SIGNATURES=YES
+
+# Shoud a trace (tcpdump) file be created in the log directory (YES/NO)
+BRO_CREATE_TRACE_FILE=NO
+
+# How long to wait during checkpointing after startin a new Bro process and
+# stopping the old one.  This value is in seconds
+BRO_CHECKPOINT_OVERLAP_TIME=20
+
+# Starting time for a report run (0001 is 12:01 am and 1201 is 12:01pm)
+BRO_REPORT_START_TIME=0010
+
+# How often (in hours) to generate an activity report
+BRO_REPORT_INTERVAL=24
+
+# This is the how often to rotate the logs (in hours)
+BRO_LOG_ROTATE_INTERVAL=24
+
+# This is the how often to restart bro (in hours)
+BRO_CHECKPOINT_INTERVAL=24
+
+# The maximum time allowed for a Bro process to cleanup and exit
+# This value is in seconds
+BRO_MAX_SHUTDOWN_TIME=$(( 60 * 60 * 2 ))    # 2 hours
+
+# Use this to enable the init script to autorestart Bro in the event of an
+# unexpected shutdown.  The value should be YES or NO
+BRO_ENABLE_AUTORESTART="YES"
+
+# A value less than 1 means there will be no limit to the number of restarts
+# Maximum times to try to auto-restart Bro before giving up.
+BRO_MAX_RESTART_ATTEMPTS=-1
+
+# Location of the run-time variable directory.  This is normally /var/run/bro
+# and contains the pidfile and other temporal data. 
+BRO_RUNTIME_DIR=""
+
+# Email address for local reports to be mailed to
+BRO_EMAIL_LOCAL="bro@localhost"
+
+# Email address to send from
+BRO_EMAIL_FROM="bro@localhost"
+
+# Do you want to send external reports to a incident reporting org (e.g.: CERT, CIAC, etc)
+BRO_EMAIL_EXTERNAL="NO"
+
+# Email address for remote reports to be mailed to
+BRO_EMAIL_REMOTE="BRO-IDS@bro-ids.org"
+
+# User id to install and run Bro under
+BRO_USER_ID="bro"
+
+# Site name for reports (i.e. LBNL, FOO.COM, BAZ.ORG)
+BRO_SITE_NAME=""
+
+# Do you want to encrypt email reports (YES/NO)
+BRO_ENCRYPT_EMAIL="NO"
+
+# Location of GPG binary or encrypting email
+BRO_GPG_BIN="/usr/local/bin/gpg"
+
+# Default BPF buffer
+BRO_BPF_BUFSIZE=4194304
+
+# Do BPF bonding
+BRO_BPFBOND_ENABLE="NO"
+# Interfaces to bond
+BRO_BPFBOND_FLAGS="em0 em1"
+
+# diskspace management settings
+# Should I manage diskspace
+BRO_DISKSPACE_ENABLE="YES"
+# percent full to worry about
+BRO_DISKSPACE_PCT=90
+# account watching disk space
+BRO_DISKSPACE_WATCHER="root"
+# days before deleting old logs
+BRO_DAYS_2_DELETION=45
+# days before compressing logs
+BRO_DAYS_2_COMPRESSION=20
+
+# Bulk data capture settings
+# Buld data directory
+BRO_BULK_DIR="${BROHOME}/bulk-trace"
+# Capture filter for bulk data
+BRO_BULK_CAPTURE_FILTER=""
+# days before deleting bulk data
+BRO_BULK_DAYS_2_DELETION=4
+# days before compressing bulk data
+BRO_BULK_DAYS_2_COMPRESSION=2
+# location of sorted log files, needed by Brooery
+BROOERY_LOGS="${BROHOME}/sorted-logs"
+
diff --git a/scripts/bro.rc-hooks.sh b/scripts/bro.rc-hooks.sh
new file mode 100644
index 0000000000..ca8d74febd
--- /dev/null
+++ b/scripts/bro.rc-hooks.sh
@@ -0,0 +1,57 @@
+
+# $Id: bro.rc-hooks.sh 555 2004-10-22 07:48:30Z rwinslow $
+
+# This script is called by bro.rc at various points during the starting
+# and stopping of Bro.  This is presented as an interface into the start
+# and stop process so that customizations can be made.  Some simple
+# examples are given as defaults.
+
+# As these functions are within the same scope as bro.rc it is possible
+# to alter variables that bro.rc needs to run properly.  It is HIGHLY
+# recommended that this not be done.  If you do it don't ask why it broke
+# because you were already warned.
+
+# These functions should always return true so that bro.rc can complete
+# and exit normally.  If these fail to always return unexpected results
+# may occur.
+
+# Variables which are intended to be available to this script.
+# These are in addition to normal variables in bro.cfg
+# LOG_SUFFIX="string"
+# PID="integer"
+# EXIT_CODE="POSIX exit codes"
+# ERROR_MESSAGE="string"
+# AUTO_RESTART="t|f"
+# START_TIME=`date`
+# END_TIME=`date`
+
+
+post_start_hook() {
+	# Exit code should not be set at this point.  If it is there's a problem.
+	if [ "${EXIT_CODE}x" = 'x' ]; then
+		# example of a successful start
+		true
+	else
+		# example of a failed start
+		false
+	fi
+}
+
+
+post_exit_hook() {
+	if [ "${EXIT_CODE}x" = 'x' ]; then
+		# This was set to null on purpose when messages on exit relate to
+		# operations encountered by bro.rc and not the bro process itself
+		# An example may be notification that bro.rc was sent a TERM
+		# so it therefore shutdown the Bro process it was monitoring
+		true
+	elif [ "${EXIT_CODE}" = '0' ]; then
+		# Bro exited normally
+		true
+	else
+		# Bro failed unexpectedly
+		false
+	fi
+	
+}
+
diff --git a/scripts/bro.rc.in b/scripts/bro.rc.in
new file mode 100755
index 0000000000..3d09b524b5
--- /dev/null
+++ b/scripts/bro.rc.in
@@ -0,0 +1,1098 @@
+#!/bin/sh
+
+# $Id: bro.rc.in 4620 2007-07-09 21:23:52Z vern $
+#
+# Start script for running Bro.
+#
+# This will run one instance of Bro.  If there is a need to run more than one
+# instance at a time then copy this script to a new file and change the name
+# to something else.
+#
+# chkconfig: - 57 30
+#
+# description: Bro is a highly customizable intrusion detection system \
+#	developed at Lawrence Berkeley National Labs.
+# processname: bro
+# pidfile: /var/run/bro-lite/pid
+# config: /etc/sysconfig/bro-lite
+#
+# Written by Roger Winslow rwinslow@lbl.gov
+
+# Variables which are exported on a startup and needed by Bro
+# This variable used to be called BRO_ID
+# BRO_LOG_SUFFIX
+
+# For tasks to complete before and after Bro starts please edit the following
+# scripts to suit your needs.  For those of you familiar with dhclient this
+# uses the same idea.
+#  Before Bro starts $BROHOME/etc/bro.rc-hooks.sh
+
+# See the bottom of this script for an explanation of how this all works.
+# I'll try my best to be clear....
+
+prog="bro.rc"
+
+RETVAL=0
+
+# picked up from configure at install time
+BROHOME="@prefix@"
+export BROHOME
+
+# Set the environment.
+source_config="${BROHOME}/etc/bro.cfg"
+
+# Location of bro-hooks.sh script
+bro_hooks="${BROHOME}/etc/bro.rc-hooks.sh"
+
+# Set the full path to this script as called
+if [ `echo ${0} | grep -E "^/"` ]; then
+	this_script="${0}"
+else
+	this_script="`pwd`/${0}"
+fi
+
+# Set the args as passed to this script
+cur_args="$*"
+
+# Load the source config
+if ! [ -f ${source_config} ] || ! . "${source_config}"; then
+	echo "${prog}: Unable to load the source config file at ${source_config}" >&2
+	exit 1
+fi
+
+# Source the bro_hooks script if exists and readable
+if ! [ -f "${bro_hooks}" ] || ! . "${bro_hooks}"; then
+	echo "${prog}: Unable to source the bro.rc-hooks.sh script at ${bro_hooks}" >&2
+fi
+
+syslog_cmd="logger"
+run_dir="${BRO_RUNTIME_DIR}"
+pidfile="${run_dir}/pid"
+start_time_file="${run_dir}/start_time"
+active_log_file="${BROLOGS}/active_log"
+autorestart_file="${run_dir}/autorestart"
+alternate_user_id=${BRO_USER_ID}
+renice_checkpoint_level=15
+time_between_restarts=2
+minimum_mortality_time=60
+
+# Setting DEBUG to 1 will prevent the following
+ # forking of the Bro process into the background
+ # any autorestart features
+ # any bro.rc-hooks.sh functions
+ # writing of data to $BRO_RUNTIME_DIR
+ # redirection of STDERR and STDOUT to the info file
+DEBUG=0
+
+# Export a few items that Bro needs to run
+export BROLOGS
+export BROPATH
+export BROHOME
+export PATH="${BROHOME}/bro/bin:${BROHOME}/bro/scripts:/usr/local/bin:/usr/local/sbin:${PATH}" 
+
+# Make sure that the $BRO_RUNTIME_DIR exists and is writtable
+if [ ! -d "${BRO_RUNTIME_DIR}" ]; then
+	mkdir "${BRO_RUNTIME_DIR}"
+	if [ "$?" != "0" ]; then
+		echo "${prog}: Failed to create the runtime directory at ${BRO_RUNTIME_DIR}" >&2
+		echo "${prog}: Unable to continue" >&2
+		exit 1
+	fi
+
+	if [ "${alternate_user_id}x" != "x" ] && [ "${alternate_user_id}" != "${USER}" ]; then
+		chown ${alternate_user_id} "${BRO_RUNTIME_DIR}"
+		if [ "$?" != "0" ]; then
+			echo "${prog}: Failed to change owner on runtime directory ${BRO_RUNTIME_DIR}" >&2
+			echo "${prog}: Unable to continue" >&2
+			exit 1
+		fi
+	fi
+fi
+
+start() {
+	# Make a few sanity checks
+	# Make sure the BROLOGS directory is writeable
+	if [ ! -d ${BROLOGS} ] || [ ! -w ${BROLOGS} ]; then
+		echo "${prog}: BROLOGS directory at ${BROLOGS} is not writable." >&2
+		echo "${prog}: Unable to continue" >&2
+		exit 1
+	fi
+
+	# Check to make sure that the Bro executable is at least --x
+	if [ ! -x "${BRO}" ]; then
+		echo "${prog}: Unable to execute the bro binary at ${BRO}" >&2
+		echo "${prog}: Unable to continue" >&2
+		exit 1
+	fi
+
+	# Check to make sure that bro is not already running
+	local pid
+	if [ -f "${pidfile}" ]; then
+		pid=`cat "${pidfile}"`
+
+		if [ "${pid}x" = "x" ]; then
+			cleanup
+		else
+			local _is_running
+			pidisrunning ${pid} "${BRO}"
+			_is_running=$?
+			if [ "${_is_running}" != "0" ]; then
+				cleanup
+			else
+				echo "${prog}: already running with a pid of ${pid}"
+				# errno code for EEXIST = 17
+				return 17
+			fi
+		fi
+	fi
+
+	# Check to make sure that a start policy has been specified
+	if [ "${BRO_START_POLICY}x" = "x" ]; then
+		echo "${prog}: No start policy file specified." >&2
+		echo "${prog}: Unable to continue" >&2
+		return 1
+	fi
+
+	# Change to the BROLOGS directory
+	local _did_cd
+	cd "${BROLOGS}"
+	_did_cd=$?
+
+	if [ "${_did_cd}" != "0" ]; then
+		echo "${prog}: Failed to change to BROLOGS directory at ${BROLOGS}" >&2
+		echo "${prog}: Unable to continue" >&2
+		return 1
+	fi
+
+	# Start Bro
+	local _start_result
+	echo -n "${prog}: Starting "
+
+	# What type of start should be performed
+	if [ "${DEBUG}" = '1' ]; then
+		startbro
+		return
+	elif [ "${AUTO_RESTART}" = 't' ]; then
+		autorestart &
+	else
+		startbro &
+	fi
+
+	sleep 1
+	_start_result=$?
+
+	# Check the return code to see if it started
+	local _failed_check_count
+	_failed_check_count=0
+	if [ "${_start_result}" = '0' ] || [ "${_start_result}x" = 'x' ]; then
+	local _loop_count
+	_loop_count=0
+		while [ ${_loop_count} -lt 12 ]
+		do
+			_loop_count=$(( ${_loop_count} + 1 ))
+			echo -n '.'
+
+			# Sometimes the result from the fork takes a few seconds
+			# Check if was not set yet
+			if [ "${_start_result}x" = 'x' ]; then
+				_start_result=$?
+
+				if [ "${_start_result}x" != 'x' ] && [ "${_start_result}" != '0' ]; then
+					break
+				fi
+			else
+				# Use the status function to see if Bro is still up
+				local _status_result
+				status 2>/dev/null >/dev/null
+				_status_result=$?
+
+				if [ "${_status_result}" != '0' ] || [ "${_start_result}" != '0' ]; then
+					_failed_check_count=$(( ${_failed_check_count} + 1 ))
+					if [ ${_failed_check_count} -gt 11 ]; then
+						_start_result=1
+						break
+					fi
+				fi
+			fi
+			sleep 1
+		done
+	fi
+
+	if [ "${_start_result}" = '0' ]; then
+		echo ". SUCCESS"
+	else
+		echo ". FAILED"
+	fi
+
+	return ${_start_result}
+}
+
+startbro() {
+
+	local cur_date
+	local _already_running
+	local trace_file
+	local cmd_opts
+	local basic_cmd_opts
+	cur_date=`date +%y-%m-%d_%H.%M.%S`
+	BRO_LOG_SUFFIX="${BRO_HOSTNAME}.${cur_date}"
+	export BRO_LOG_SUFFIX
+	trace_file="${BROLOGS}/trace.${BRO_LOG_SUFFIX}"
+	info_log="${BROLOGS}/info.${BRO_LOG_SUFFIX}"
+	cmd_opts="${BRO_OPTS}"
+
+	# Check if Bro is already running
+	status 2>/dev/null >/dev/null
+	_already_running=$?
+	if [ "${_already_running}" = '0' ]; then
+		return 17
+	fi
+
+	# Build the command line.
+	# Should a trace file be created
+	if [ "${BRO_CREATE_TRACE_FILE}" = 'YES' ] || [ "${BRO_CREATE_TRACE_FILE}" = 'yes' ]; then
+		cmd_opts="${cmd_opts} -w ${trace_file}"
+	fi
+
+	# If a specific interface to capture on is specified then add it in
+	# This is a space delimited list
+	if [ "${BRO_CAPTURE_INTERFACE}x" != 'x' ]; then
+		for _intf in ${BRO_CAPTURE_INTERFACE}
+		do
+			cmd_opts="${cmd_opts} -i ${_intf}"
+		done
+	fi
+
+	# Append the Bro policy which to start
+	if [ "${BRO_START_POLICY}x" != 'x' ]; then
+		cmd_opts="${cmd_opts} ${BRO_START_POLICY}"
+	else
+		echo "${prog}: No start policy file specified." >&2
+	fi
+
+	local new_pid
+	local bro_result
+	cd "${BROLOGS}"
+
+	# Check whether DEBUG is set.  If so then keep Bro attached to the shell
+	# and don't fork.
+	if [ "${DEBUG}" != '0' ]; then
+		"${BRO}" ${cmd_opts}
+		return
+	# Run bro.  Redirect STDERR and STDOUT to $info_log
+	else
+		"${BRO}" ${cmd_opts} 2>>"${info_log}" >>"${info_log}" &
+	fi
+
+	bro_result=$?
+	new_pid=$!
+
+	# Check the exit code returned by Bro
+	if [ "${bro_result}" = '0' ] || [ -z "${bro_result}" ]; then
+		local _loop_count
+		_loop_count=0
+		while [ ${_loop_count} -lt 10 ]
+		do
+			_loop_count=$(( ${_loop_count} + 1 ))
+			if [ -f "${info_log}" ]; then
+				if [ "`grep -E '^listening on' ${info_log}`x" != 'x' ]; then
+					break
+				fi
+			fi
+
+			# break now if the process returned a non-zero value
+			if [ "${bro_result}x" != 'x' ] && [ "${bro_result}" != '0' ]; then
+				break
+			fi
+			sleep 1
+		done
+	fi
+
+	# check to make sure that Bro actually started
+	if [ "${new_pid}x" = 'x' ] || [ "${bro_result}" != '0' ]; then
+		false
+	else
+		pidisrunning ${new_pid} "${BRO}"
+		_is_running=$?
+		if [ "${_is_running}" != '0' ]; then
+			bro_result=1
+		fi
+	fi
+
+	if [ "${bro_result}" != '0' ]; then
+		echo "${prog}: Failed to start Bro"
+		if [ -f "${info_log}" ] && [ -s "${info_log}" ]; then
+			cat "${info_log}"
+			ERROR_MESSAGE=`cat "${info_log}"`
+		else
+			ERROR_MESSAGE='Unknown error, no messages recieved on STDERR or STDOUT'
+		fi
+
+		# Call the post_start_hook function
+		LOG_SUFFIX="${BRO_LOG_SUFFIX}"
+		EXIT_CODE=${bro_result}
+
+		"${syslog_cmd}" -t "${prog}" "Bro has failed to start. ${ERROR_MESSAGE}"
+
+		post_start_hook
+
+		return ${bro_result}
+	else
+		"${syslog_cmd}" -t "${prog}" "Bro process (${new_pid}) has started"
+	fi
+
+	# Write the pid out to file
+	echo ${new_pid} > "${pidfile}"
+
+	# Write the active log suffix out to file
+	echo "${BRO_LOG_SUFFIX}" > "${active_log_file}"
+
+	# Write the start date out to file
+	local _start_time
+	_start_time=`date`
+	echo "${_start_time}" > "${start_time_file}"
+
+	# Write the auto-restart status out to file
+	if [ "${AUTO_RESTART}" = 't' ]; then
+		echo "ON" > "${autorestart_file}"
+	else
+		echo "OFF" > "${autorestart_file}"
+	fi
+
+	echo "Bro Version: `\"${BRO}\" -v 2>&1 | awk ' { print $3 } '`" >> "${info_log}"
+	echo "Started with the following command line options: ${cmd_opts}" >> "${info_log}"
+
+	# Get the BPF capture filter
+	local _print_filter
+	local _print_filter_result
+	# Strip out the trace file parameter if it exists
+	basic_cmd_opts=`removetraceopt "${cmd_opts}"`
+	_print_filter=`capturefilter "${basic_cmd_opts}"`
+	_print_filter_result=$?
+	if [ "${_print_filter_result}" = '0' ]; then
+		echo "Capture filter: ${_print_filter}" >> "${info_log}"
+	else
+		echo 'Capture filter: <not available>' >> "${info_log}"
+	fi
+
+	# Call the post_start_hook function
+	LOG_SUFFIX="${BRO_LOG_SUFFIX}"
+	PID=${new_pid}
+	EXIT_CODE=""
+	ERROR_MESSAGE=""
+	START_TIME="${_start_time}"
+	END_TIME=""
+
+	post_start_hook
+
+	local _exitwatch_result
+	exitwatch ${new_pid}
+	_exitwatch_result=$?
+
+	return ${_exitwatch_result}
+}
+
+autorestart() {
+
+	local _cur_restart_count
+	local _max_restart_count
+	local _called_from		# name of function that called autorestart if any
+	local _failed_first_start
+	local _start_res
+	local _minimum_life
+	_minimum_life=$(( `epochtime` + ${minimum_mortality_time} ))
+
+	_called_from="${1}"
+	_cur_restart_count=0
+	_max_restart_count=${BRO_MAX_RESTART_ATTEMPTS}
+
+	# If _max_restart_count is not defined or is less than 1 then
+	# this equats to no restart limit.
+	if [ "${_max_restart_count}x" = 'x' ] || [ ${_max_restart_count} -lt '1' ]; then
+		_cur_restart_count=-2
+		_max_restart_count=-1
+	fi
+
+	# loop and restart bro until told to exit
+	while [ ${_cur_restart_count} -lt ${_max_restart_count} ]
+	do
+		local _cur_epoch_time
+		# startbro will block until Bro exits
+		startbro
+		_start_res=$?
+
+		_cur_epoch_time="`epochtime`"
+
+		if [ "${_start_res}" = '0' ]; then
+			# Bro exited normally due to a planned stop
+			break
+		elif [ "${_start_res}" = '17' ]; then
+			echo "${prog}: Unable to begin autorestart.  Stop the running instance of Bro first." >&2
+			echo "${prog}: Unable to continue" >&2
+			break
+		elif [ ${_cur_epoch_time} -lt ${_minimum_life} ]; then
+			_failed_first_start=1
+			break
+		fi
+
+		# If _max_restart_count is greater than 0 increment _cur_restart_count
+		# otherwise don't because no restart limit has been set.
+		if [ ${_max_restart_count} -gt '0' ]; then
+			_cur_restart_count=$(( ${_cur_restart_count} + 1 ))
+		fi
+
+		sleep ${time_between_restarts}
+		"${syslog_cmd}" -t "${prog}" "Autorestarting Bro due to unexpected exit"
+	done
+
+	# Check why the loop exited
+	if ! [ ${_cur_restart_count} -lt ${_max_restart_count} ]; then
+		# Stop Bro, this will force a cleanup of the run-time directory
+		stopbro 2> /dev/null 1> /dev/null
+		EXIT_CODE=${_start_res}
+		ERROR_MESSAGE="Exceeded maximum autorestart count of ${BRO_MAX_RESTART_ATTEMPTS}. No further attempts will be made to restart Bro"
+		END_TIME=`date`
+
+		# Call the post_exit_hook to report the error
+		post_exit_hook
+
+		return 1
+	elif [ "${_failed_first_start}" = '1' ]; then
+		# Bro failed on the very first start and this was not during a checkpoint.
+		# No further restarts will be attempted.
+		"${syslog_cmd}" -t "${prog}" "Bro process failed on first start attempt.  No further restart attempts will be made."
+		EXIT_CODE=""
+		ERROR_MESSAGE="Failed on first start attempt.  No further restart attempts will be made."
+
+		# Call the post_exit_hook to report the error
+		post_exit_hook
+
+		return ${_start_res}
+	fi
+
+	return 0
+}
+
+
+stopbro() {
+	# Check to see if bro is running
+	local _pid
+	local _bro_is_running
+	local _status_result
+
+	status 2>/dev/null >/dev/null
+	_status_result=$?
+
+	if [ "${_status_result}" = '0' ]; then
+		# try and stop it
+		local _kill_result
+		echo -n "${prog}: Stopping "
+		_pid=`cat "${pidfile}"`
+		_bro_is_running="t"
+
+		cleanup
+		for _i in 1 2; do
+			echo -n '.'
+			sleep 1
+		done
+
+		kill -TERM ${_pid}
+		_kill_result=$?
+		if [ "${_kill_result}" = "0" ]; then
+			true
+		else
+			echo "${prog}: Failed to stop process with pid ${_pid}"
+			return 1
+		fi
+	else
+		_bro_is_running="f"
+		if [ -f "${pidfile}" ]; then
+			cleanup
+		fi
+	fi
+
+	if [ "${_bro_is_running}" = "f" ]; then
+		echo "${prog}: No running process to stop"
+		return 0
+	fi
+
+	# Now see if the process is still hanging around.
+	# Bro can stick around a long time as it writes out logs and writes it's
+	# state info to disk
+	local _is_dead
+	for _i in 1 2 3 4 5 6 7 8 9 10; do
+		_is_dead=""
+		pidisrunning ${_pid} "${BRO}"
+		_is_dead=$?
+		echo -n "."
+		if [ "${_is_dead}" != "0" ]; then
+			break
+		fi
+		sleep 1
+	done
+
+	if [ "${_is_dead}" != "0" ]; then
+		echo " SUCCESS !"
+
+	else
+		echo "${prog}: Process (${_pid}) has still not exited."
+		echo "${prog}: If it has not exited after ${BRO_MAX_SHUTDOWN_TIME} seconds from now it will be forced to exit."
+		# Create a backgound process to watch the terminated Bro
+		# If the process still exists after the BRO_MAX_SHUTDOWN_TIME
+		# then send it a SIG_KILL
+		stopwatch ${_pid} "${BRO}" &
+	fi
+
+	return 0
+}
+
+
+checkpoint() {
+	# Check to make sure bro is already running
+	local _old_pid=""
+	local _old_bro_running
+	local _status_result
+
+	echo "${prog}: Beginning the checkpoint process"
+	status 2>/dev/null >/dev/null
+	_status_result=$?
+
+	if [ "${_status_result}" = '0' ]; then
+		_old_pid=`cat "${pidfile}"`
+		_old_bro_running="t"
+	else
+		_old_bro_running="f"
+	fi
+
+	if [ "${_old_bro_running}" = "f" ]; then
+		cleanup
+		echo "${prog}: No current instance of Bro is running."
+		return 1
+	fi
+
+	echo "${prog}: Starting a new Bro instance."
+	if [ "${_old_bro_running}" = "t" ]; then
+		echo "${prog}: Will wait for ${BRO_CHECKPOINT_OVERLAP_TIME} seconds before stopping the old Bro instance."
+	fi
+
+	# start a new Bro
+	"${syslog_cmd}" -t "${prog}" "Starting the checkpoint process (${_old_pid})"
+	cleanup
+	${this_script} start > /dev/null &
+
+	# Create a background process to stop the old Bro process if
+	# it is still running
+	if [ "${_old_bro_running}" = "t" ]; then
+		{
+			# Renice the old process so it doesn't compete with the new active Bro
+			renice ${renice_checkpoint_level} ${_old_pid} 2> /dev/null 1> /dev/null
+
+			# Sleep for BRO_CHECKPOINT_OVERLAP_TIME
+			sleep ${BRO_CHECKPOINT_OVERLAP_TIME}
+
+			# kill the old bro process
+			kill -TERM ${_old_pid}
+
+			# call the stopwatch function to make sure the old bro process exits
+			# before BRO_MAX_SHUTDOWN_TIME
+			stopwatch ${_old_pid} "${BRO}"
+			"${syslog_cmd}" -t "${prog}" "Checkpoint process complete. Bro process (${_old_pid}) is done"
+		} &
+	fi
+
+	return 0
+}
+
+
+status() {
+	local _pid
+	local _ret_val
+	if [ -f "${pidfile}" ] && [ -f "${start_time_file}" ] && [ "${active_log_file}" ]; then
+		_pid=`cat "${pidfile}" | awk '{ print $1 }'`
+		pidisrunning ${_pid}
+		_ret_val=$?
+		if [ "${_ret_val}" = "0" ]; then
+			true
+		else
+			echo "${prog}: Bro is not running"
+			return 1
+		fi
+	else
+		echo "${prog}: Bro is not running"
+		return 1
+	fi
+
+	local _start_time
+	local _log_suffix
+	local _bro_ver
+	local _autorestart_status
+
+	_start_time=`cat "${start_time_file}"`
+	_log_suffix=`activelogsuffix`
+	_bro_ver=`"${BRO}" -v 2>&1 | awk ' { print $3 } '`
+	_autorestart_status=`cat "${autorestart_file}"`
+	echo "Bro is running (pid: ${_pid})"
+	echo "Autorestart: ${_autorestart_status}"
+	echo "Running since: ${_start_time}"
+	echo "Bro Version: ${_bro_ver}"
+	echo "Active log suffix: ${_log_suffix}"
+
+	return 0
+}
+
+activelogsuffix() {
+	local _log_suffix
+
+	if [ -f "${active_log_file}" ] && [ -r "${active_log_file}" ]; then
+		# ok file exists
+		_log_suffix=`cat "${active_log_file}"`
+		echo -n "${_log_suffix}"
+	else
+		return 1
+	fi
+
+	return 0
+}
+
+
+exitwatch() {
+	# pid number to wait for
+	PID=${1}
+
+	if [ -z ${PID} ]; then
+		echo "${prog}: No pid number passed to function exitwatch" > 2
+		echo "${prog}: Unable to continue" > 2
+		exit 1
+	fi
+
+	# trap some signals
+	# Ignore HUP, QUIT, INT signals
+	trap '' SIGHUP SIGINT SIGQUIT
+	# Call stop if a TERM signal is sent to this ($$) process
+	trap 'stopbro 2>/dev/null >/dev/null; true' SIGTERM
+
+	wait ${PID} 2> /dev/null
+
+	EXIT_CODE=$?
+	END_TIME=`date`
+
+	# Currently Bro does not always exit with the right exit codes
+	# Need to figure out if something besides 0 really happened
+	if [ "${EXIT_CODE}x" = 'x' ]; then
+		# Something evil happened!
+		EXIT_CODE=1
+		false
+	# The following exit codes are expected for a successful exit:
+	# 0, 130, 145
+	# 143 (SIGTERM) and 130 (SIGINT) are returned when wait is interrupted by
+	# a trapped signal.
+	elif [ "${EXIT_CODE}" = '0' ] || \
+		[ "${EXIT_CODE}" = '143' ] || \
+		[ "${EXIT_CODE}" = '130' ]; then
+		if ! [ -f "${pidfile}" ]; then
+			# A normal exit occurred as the pid file has been cleaned up
+			EXIT_CODE=0
+			true
+		else
+			check_pid=`cat "${pidfile}"`
+			if [ "${check_pid}" != "${PID}" ]; then
+				# The PID has changed which means either a restart was forced
+				# or a checkpoint has occurred.  In either case it is
+				# likely that Bro exited correctly
+				true
+			else
+				# Something went wrong with Bro because it exited before the
+				# temporal files were cleaned up
+				EXIT_CODE=1
+				cleanup
+				false
+			fi
+		fi
+	elif [ ! -f "${pidfile}" ] && [ ! -f "${start_time_file}" ]; then
+		# Bro exited with a non-zero value but the exit was planned.
+		# Log the an error message but return a zero exit status as this
+		# was a planned exit.
+		"${syslog_cmd}" -t "${prog}" "Bro process (${PID}) returned a non-zero exit status but the exit was planned."
+		EXIT_CODE=0
+	else
+		# An unexpected exit code was returned by Bro
+		false
+	fi
+
+	# Set the ERROR_MESSAGE to something useful if there was an error
+	if [ "${EXIT_CODE}" != '0' ]; then
+		if [ -f "${info_log}" ] && [ -s "${info_log}" ]; then
+			ERROR_MESSAGE=`tail -2 "${info_log}"`
+		else
+			ERROR_MESSAGE="Unknown error occurred"
+		fi
+
+		"${syslog_cmd}" -t "${prog}" "Bro process (${PID}) exited with a code of ${EXIT_CODE}"
+	else
+		"${syslog_cmd}" -t "${prog}" "Bro process (${PID}) stopped"
+	fi
+
+	# Call the post_exit_hook function
+	post_exit_hook
+
+	# renamed logfiles now that file writing is done.
+	# turned off till sc04 is over
+	# rename_logfiles "${BRO_LOG_SUFFIX}"
+
+	return ${EXIT_CODE}
+}
+
+stopwatch() {
+	# This function is used to run in the background and watch the pid
+	# and command line as returned by ps.  This function should be
+	# forked off as a background process to monitor a terminating Bro
+	# process to make sure that it ends by BRO_MAX_SHUTDOWN_TIME
+
+	local _pid
+	local _cmd_line
+	_pid=${1}
+	_cmd_line="${2}"
+
+	# Make sure that _pid has a value
+	if [ -z ${_pid} ]; then
+		_pid=`cat "${pidfile}"`
+		if [ -z ${_pid} ]; then
+			echo "${prog}: Unable to find a process number to monitor for stopwatch" >&2
+		fi
+		echo "First argument passed to function stopwatch must be a PID greater than zero." >&2
+		return 1
+	fi
+
+	# Make sure that _pid has a value larger than 0
+	if [ "${_pid}" -lt 1 ]; then
+		echo "First argument passed to function stopwatch must be a PID greater than zero." >&2
+		return 1
+	fi
+
+	# Make sure that _cmd_line has a value
+	if [ -z ${_cmd_line} ]; then
+		echo "Second option passed to function stopwatch must be the program name as" >&2
+		echo "specified on the command line when first started." >&2
+	fi
+
+	local _cur_wait
+	local _max_wait
+	local _sleep_time
+	_cur_wait=0
+	_max_wait=${BRO_MAX_SHUTDOWN_TIME}
+	_sleep_time=10
+	while [ "${_cur_wait}" -lt "${_max_wait}" ]
+	do
+		local _res
+		pidisrunning ${_pid} "${_cmd_line}"
+		local _ret_val=$?
+		if [ "${_ret_val}" != "0" ]; then
+			break
+		fi
+		_cur_wait=$(( ${_cur_wait} + ${_sleep_time} ))
+		sleep ${_sleep_time}
+	done
+
+	# Check if the process died on it's own
+	if [ "${_cur_wait}" -ge "${_max_wait}" ]; then
+		# Nope, didn't exit on it's own
+		kill -KILL ${_pid}
+		"${syslog_cmd}" -t "${prog}" "Bro process (${_pid}) exceeded the maximum shutdown time and was forcibly terminated"
+	fi
+
+	return 0
+}
+
+
+runasnonroot() {
+
+	# Check on whether to start as the current user or a different user
+	#
+	# Check if the alternate user has been specified
+	if [ "${alternate_user_id}x" != "x" ]; then
+		# Check if the current username is the same as that in $alternate_user_id
+		if [ "${USER}" = "${alternate_user_id}" ]; then
+			# The alternate is the same as the current, no need to su
+			alternate_user_id=''
+			return 254
+		else
+			# Allow only users with root privelages to use su -
+			if [ -w /etc/passwd ]; then
+				echo "${prog}: Running as non-root user ${alternate_user_id}" >&2
+				su - ${alternate_user_id} -c "${this_script} ${cur_args} < /dev/null"
+			else
+				# Nope, no root privelage
+				alternate_user_id=''
+				echo "$prog: Must have root privileges in order to run as a non-root user" >&2
+				echo "FAILED!" >&2
+				return 1
+			fi
+		fi
+	else
+		# No alternate user specified
+		return 254
+	fi
+
+	return 0
+}
+
+pidisrunning() {
+
+	local _pid
+	local _cmd_line
+	local _running_pid
+
+	_pid=${1}
+	_cmd_line="${2}"	# optional
+
+	if [ `uname | grep "CYGWIN"` ]; then
+		# cygwin ps command
+		if [ -z ${_cmd_line} ]; then
+			_running_pid=`ps -as | awk ' { print $1 } ' | grep ${_pid}`
+		else
+			_running_pid=`ps -as | grep "${_pid}.*${_cmd_line}"`
+		fi
+	else
+		# the rest of *NIX
+		_running_pid=`ps ax -o "pid,command" | grep "${_pid}.*${_cmd_line}" | grep -v "grep ${_pid}.*${_cmd_line}"`
+	fi
+
+	if [ "${_running_pid}x" = 'x' ]; then
+		return 1
+	else
+		return 0
+	fi
+
+}
+
+removetraceopt() {
+	local _cmd_opts
+	local _ret_string
+	local _sed_patt
+
+	_cmd_opts="${1}"
+
+	_sed_patt='/-w/ {
+/-w *\"/ {
+s/ -w *\"[^"]\{1,\}\" */ /
+t
+s/^-w *[^" ]\{1,\} */ /
+}
+t
+/-w *[^ ]\{1,\}/ {
+s/ -w *[^ ]\{1,\} */ /
+t
+s/^-w *[^ ]\{1,\} */ /
+}
+}'
+
+	_ret_string=`echo -n "${cmd_opts}" | sed "${_sed_patt}"`
+
+	echo -n "${_ret_string}"
+	return 0
+}
+
+capturefilter() {
+	local _cmd_opts
+	local _ret_string
+	local _dummy_dir
+	local _cur_log_suffix
+
+	_cmd_opts="${1}"
+	_cmd_opts="${_cmd_opts} print-filter.bro"
+	_dummy_dir="${BROLOGS}/.print-filter"
+
+	mkdir "${_dummy_dir}" 1>/dev/null 2>/dev/null
+	cd "${_dummy_dir}"
+
+	_ret_string=`"${BRO}" ${_cmd_opts} 2>/dev/null`
+
+	cd "${BROLOGS}"
+	rm -rf "${_dummy_dir}"
+
+	if [ "${_ret_string}x" = 'x' ]; then
+		return 1
+	else
+		echo "${_ret_string}"
+		return 0
+	fi
+}
+
+cleanup() {
+
+	rm -f "${pidfile}"
+	rm -f "${active_log_file}"
+	rm -f "${start_time_file}"
+	rm -f "${autorestart_file}"
+	return 0
+}
+
+epochtime() {
+    echo -n "`date +'%s'`"
+}
+
+# Need something more comprehensive but this does fine for now.
+rename_logfiles() {
+    # rename the closed log file passed in as arg ${1} and add
+    # the stop time. The format of the files will now be:
+    # file.host.YY-MM-DD_HH.MM.SS-YY-MM-DD_HH.MM.SS, where the first date
+    # is the start time, and the end date is the time bro was shutdown
+    local _end_time
+    local _cur_log_suffix
+
+	# The start time log suffix is passed in as an argument
+	_cur_log_suffix="${1}"
+
+    # change directory to where we need to do our work
+    cd "${BROLOGS}"
+
+    # If _cur_log_suffix has no value then don't do anything
+    if [ "${_cur_log_suffix}x" = 'x' ]; then
+        #echo "No logs to rename"
+        return 1
+    fi
+    # format the end time once, and use for all the logs
+    _end_time=`date "+%y-%m-%d_%H.%M.%S"`
+
+    # grok out the logs to change, and change them, hope we have lots of disk space
+    filelist=`ls *.${_cur_log_suffix}`
+    for name in ${filelist}; do
+        #echo "Moving ${name} to ${name}-${_end_time}"
+        mv "${name}" "${name}-${_end_time}"
+    done
+
+    return 0
+}
+
+
+# See how we were called.
+case "$1" in
+	status|--status)
+		status
+		;;
+	start|--start|autorestart|--autorestart|stop|--stop|stopwatch|--stopwatch|checkpoint|--checkpoint)
+		# Check on whether to run as non-root
+		runasnonroot
+		_run_non_root_res=$?
+		if [ "${_run_non_root_res}" = "0" ]; then
+			true
+		elif [ "${_run_non_root_res}" = "1" ]; then
+			false
+		else
+			# If it gets here then the script is either running as root or it has
+			# already done an su - to the non-root user.
+			case "$1" in
+				start|--start)
+					# One more command line option is available
+					second_opt="${2}"
+
+					# enable autorestart?
+					AUTO_RESTART="f"
+					if [ "${BRO_ENABLE_AUTORESTART}" = "YES" ] || \
+						[ "${BRO_ENABLE_AUTORESTART}" = "yes" ] || \
+						[ "${second_opt}" = "autorestart" ]; then
+						AUTO_RESTART="t"
+					fi
+
+					# An explicit noautorestart will always disable it
+					if [ "${second_opt}" = "noautorestart" ]; then
+						AUTO_RESTART="f"
+					fi
+
+					start
+					;;
+				startbro|--startbro)
+					startbro
+					;;
+				stop|--stop)
+					stopbro
+					;;
+#				stopwatch|--stopwatch)
+#					stopwatch ${2}
+#					;;
+				checkpoint|--checkpoint)
+					checkpoint
+			esac
+		fi
+		;;
+	*)
+		echo "Usage: ${prog} {start|stop|checkpoint|status}"
+		echo "start has the additional option which can be used to disable/enable "
+		echo "autorestart: "
+		echo "   start [no]autorestart"
+		echo ""
+		exit 1
+esac
+
+exit $?
+
+
+# So how does this thing work and why is it always running when Bro is running?
+
+# bro.rc is the init script which starts, stops, checkpoints, and monitors a
+# running instance of Bro.
+# bro.rc logs it's actions to syslog via the logger command.
+# bro.rc offers users an interface into the starting and stopping of a Bro
+# process via the file $BROHOME/etc/bro.rc-hooks.rc.  This allows for
+# actions to be sent to any custom monitoring or alerting programs the
+# user may wish to use.
+
+
+# There are four command line options available
+# to the user.  Each is covered below with an explanation.
+# 1) start
+#   Start has two additional commands of autorestart and noautorestart which
+#   can be used to enable and disable the autorestart feature.  This feature
+#   is also controlled by setting the variable BRO_ENABLE_AUTORESTART in
+#   to 'YES' or 'NO' bro.cfg.  Any autorestart option given to start on the
+#   command line will override the bro.cfg setting in BRO_ENABLE_AUTORESTART.
+#
+#   'start' does just as it's name implies, it starts a new Bro process.
+#   When autorestart is enabled bro.rc will monitor the Bro process and
+#   restart it if it fails unexpectedly for any reason.  Bro will be restarted
+#   a maximum count as set by BRO_MAX_RESTART_ATTEMPTS in bro.cfg.  If the
+#   BRO_MAX_RESTART_ATTEMPTS count is exceeded then no further restart
+#   attempts will be made and the error will be sent to syslog.
+#
+#   After Bro has started either successfully or unsuccessfully the function
+#   post_start_hook will be called.  (see bro.rc-hooks.sh for more info).
+#
+#   If start is called and Bro is already running this is an error and
+#   the script will return 1.
+#
+#   If Bro starts successfully bro.rc will return 0.
+#
+# 2) stop
+#   Self explantory, stops a running Bro process.  Stop will cleanup the
+#   temporal files such as pid, start_time, etc, send a SIGTERM to the
+#   running instance of Bro, and then if needed call another process to
+#   to watch the exiting process.  If the process has not terminated by
+#   BRO_MAX_SHUTDOWN_TIME seconds then a SIGKILL will be sent to the process
+#   and a message will be sent to syslog.
+#
+# 3) checkpoint
+#   A checkpoint is where a new instance of Bro is started and then the old
+#   one is terminated. (see documentation on when and why this is done).
+#   Essentially what happens is that temporal files are cleaned up, a
+#   new instance of Bro is started, bro.rc thens waits
+#   BRO_CHECKPOINT_OVERLAP_TIME seconds before sending the old Bro process
+#   a SIGTERM.  An exit code of 1 will be returned in the event checkpoint
+#   is called and there is no running Bro process.
+#
+# 4) status
+#   Used to check if Bro is running.  Also outputs the Bro version, the start
+#   time, the current log suffix, and whether autorestart is enabled or not.
+#   If Bro is running the command will return 0 and if Bro is not running the
+#   command will return 1.
+#
+# The detection of when Bro exits is done through the use of the shell
+# builtin 'wait'.  The function exitwatch will wait on the Bro child
+# pif until it exits.  A few tests are run after Bro returns to determine
+# If the exit was expected or unexpected.  An unexpected exit is anytime
+# Bro exits or terminates outside the control of bro.rc.  After the Bro
+# process returns and before bro.rc exits the post_exit_hook will be called.
+#
+# bro.rc traps SIGTERM and ignores SIGHUP.  If SIGTERM is sent to the
+# bro.rc process this will also cause bro.rc to stop the running Bro process
+# it monitors as well.  This is to provide proper behavior in the event of
+# a system reboot or halt.
diff --git a/scripts/bro_config.in b/scripts/bro_config.in
new file mode 100755
index 0000000000..c0f057067d
--- /dev/null
+++ b/scripts/bro_config.in
@@ -0,0 +1,1008 @@
+#!/bin/sh
+# $Id: bro_config.in 6059 2008-08-14 16:54:16Z robin $
+#
+# default install location for bro 
+# We probably need to sync this with what was used for --prefix
+# on the "configure" command line
+# some machines (i.e. OSX) don't put sbin in the path by default
+PATH=$PATH:/usr/sbin:/sbin
+BROHOME=@prefix@
+# Usage
+Usage="bro_config: [-p prefix] [-d]"
+# Debug mode? 
+Debug=0
+# Am I running as a regular user?
+nonroot=0
+# prompt for everyth
+full=0
+# is there a pw available to us?
+no_pw=0
+# is BRO_USER_ID valid?
+valid_id=0
+# automode: ask any question or use all defaults?
+# used with make distcheck to generate files with
+# out all the questions
+automode=0
+######################################################################
+# figure out what kind of echo to use
+bro_config_echo_settings()
+{
+if [ "`echo -n`" = "-n" ]; then
+    n="";  c="\c"
+else
+    n="-n";     c=""
+fi
+}
+
+######################################################################
+# Got root? Are we root? if not print warning, and limp along
+bro_config_got_root()
+{ 
+    # make a backup of local.site.bro if it exists
+    if [ -f local.site.bro ]; then 
+        echo "Detected an old local.site.bro, saving it to local.site.bro.save"
+        cp local.site.bro local.site.bro.save
+    fi
+
+    if [ `id -ur` -ne 0 ]; then 
+        nonroot=1
+        echo "You need to be root when you run this script for it to"
+        echo "be fully effective. Please login as root and rerun this"
+        echo "script (or the make install that called this script)."
+        echo ""
+        echo "This script will run as a non-root user,  but it will not"
+        echo "be able to tune the system or install system files. "
+        echo "It will only be able to create a bro.cfg file."
+        bro_config_create_local_site_bro
+        #cp local.site.bro.default local.site.bro
+    fi
+}
+######################################################################
+# This creates the default local.site.net 
+######################################################################
+bro_config_create_local_site_bro()
+{
+cat - > local.site.bro << _EOF
+# This file should describe your network configuration.
+# If your local network is a class C, and its network
+# address was 192.168.1.0 and a class B network 
+# with address space 10.1.0.0.
+# Then you would put 192.168.1.0/24 and 10.1.0.0/16 into 
+# this file, telling bro what your local networks are.
+
+@load site
+
+redef local_nets: set[subnet] = {
+    # example of a class C network
+    192.168.1.0/24,
+    # example of a class B network
+    10.1.0.0/16
+};
+
+_EOF
+
+}
+
+######################################################################
+bro_config_nonroot_message()
+{
+    echo "*** You need to hand edit your local networks in the file"
+    echo "*** $BROHOME/site/local.site.bro. Please read the file for an"
+    echo "*** example of what it should look like"
+    echo ""
+}
+######################################################################
+bro_config_get_desc()
+{
+    desc=`grep --before-context=1  "^$1" ${cfgused:-bro.cfg.example} | head -1| sed 's/#//'`
+}
+######################################################################
+bro_config_print_desc()
+{
+    desc=`grep --before-context=1  "^$1" ${cfgused:-bro.cfg.example} | head -1| sed 's/#//'|sed 's/\n//'`
+    echo $desc
+}
+######################################################################
+# what kind of system are we running on.
+bro_config_sys_type()
+{
+    sys=`uname -s`
+    case $sys in
+        Linux*) BRO_SYS_TYPE="LINUX";;
+        Darwin*) BRO_SYS_TYPE="DARWIN";;
+        FreeBSD*) rtype=`uname -r` 
+            case $rtype in 
+                4*) BRO_SYS_TYPE="FREEBSD4";;
+                5*) BRO_SYS_TYPE="FREEBSD5";;
+                6*) BRO_SYS_TYPE="FREEBSD6";;
+            esac;;
+        *) BRO_SYS_TYPE="UNKNOWN";;
+    esac
+}
+######################################################################
+# ok. This should pick the interface with the most traffic on it.
+# not always correct, but a start at least -- 
+bro_config_get_busy_iface()
+{
+    echo -n "Checking interfaces ...."
+
+    # tmp file to hold stuff in
+    touch /tmp/bro_config.tmp.$$
+
+    # grab all the interfaces
+    ifs=`ifconfig -a | grep '^[A-Za-z].*'|cut -d' ' -f1|sed 's/\://' `
+
+    # FreeBSD and Darwin are alike
+    #if [ $BRO_SYS_TYPE = "FREEBSD" -o $BRO_SYS_TYPE = "DARWIN" ]; then
+    if ! [ x$BRO_SYS_TYPE = 'xLINUX' ]; then
+        for iface in $ifs; do
+            stats=`netstat -I $iface|grep -v '^Name'| awk '{print $1, $5}'|sort -k2 -r | head -1`
+            echo "$stats" >> /tmp/bro_config.tmp.$$
+        done
+    fi
+    # its linux
+    if [ "x$BRO_SYS_TYPE" = 'xLINUX' ]; then
+        for iface in $ifs; do
+            stats=`ifconfig $iface|grep 'RX packets'|awk '{print $2}'|sed 's/.*\://'`
+            echo "$ifs $stats" >> /tmp/bro_config.tmp.$$
+        done
+    fi
+
+    if [ -f /tmp/bro_config.tmp.$$ ]; then
+        busy_iface=`cat /tmp/bro_config.tmp.$$ | sort -r -n -k 2 |head -1|awk '{print $1}'`
+        busy_iface2=`cat /tmp/bro_config.tmp.$$ | sort -r -n -k 2 |head -2|tail -1|awk '{print $1}'`
+        rm /tmp/bro_config.tmp.$$
+    else
+        busy_iface=""
+        busy_iface2=""
+    fi
+    echo "Done."
+}
+
+######################################################################
+# prompt for input for a variable
+# $1 name of var
+# $2 defualt value
+# $3 prompt string (if empty get from config file )
+bro_config_input()
+{
+    if [ -z "$1" ] ; then
+        name=""
+    else
+        name=$1
+    fi
+    
+    if [ -z "$2" ] ; then
+        default=""
+    else
+        default=$2
+    fi
+
+    if [ -z "$3" ] ; then 
+        prompt=""
+    else
+        prompt=$3
+    fi
+
+    #empty it out
+    RESP=
+    desc=
+    # if we weren't passed a prompt, get one
+    if [ -z "$prompt" ] ; then 
+        bro_config_get_desc $name
+    else
+        desc=$prompt
+    fi
+    
+    while [ -z "$RESP" ]; do
+        echo $n "$desc [$default] " >&0
+        read RESP
+
+        case "$RESP" in 
+            [Yy]|[Yy][Ee][Ss]) ret="YES"; RESP="YES";;
+            [Nn]|[Nn][Oo] ) ret="NO"; RESP="NO" ;;
+            "") ret=$default ; RESP="$default" ;;
+            *) ret=$RESP;;
+        esac
+    done
+
+    # set back the value
+    eval $1=\$ret
+    eval $name=\$ret
+    return 1
+}
+######################################################################
+# creates the bro.cfg file
+# add in anything you want in the bro.cfg file below
+bro_config_export_vars()
+{
+    # CREATE_TRACE_FILE needs to be YES or NO
+    if [ x$BRO_CREATE_TRACE_FILE != "xYES" ]; then
+        BRO_CREATE_TRACE_FILE="NO"
+    fi
+
+    # BRO_ENCRYPT_EMAIL needs to be YES or NO
+    if [ x$BRO_ENCRYPT_EMAIL != "xYES" ]; then
+        BRO_ENCRYPT_EMAIL="NO"
+    fi
+
+    # don't overwite existing bro.cfg
+    if [ -w bro.cfg ]; then
+        mv bro.cfg bro.cfg.bak
+    fi
+
+    # This is from Roger Winslow --
+cat - > bro.cfg << EOF
+# Source file config for running bro
+
+# Values in this file are shell style variables but make sure that the
+# values are literal strings and not shell expressions.  Other programs
+# read this file as well to determine where the different resources are
+# so if the value is not a literal string then other programming languages
+# won't be able to make sense of it.
+
+# Comments start with "#" characters and will be effective until the 
+# end of the line.  A literal "#" character can be used by escaping it
+# like this -> \#
+
+# Multiline values can be continued with the traditional backslash \
+
+# This file will normally reside in ${BROHOME}/etc
+
+# The following variables are exported and needed by Bro at runtime
+# BROLOGS
+# BROHOME
+# BROPATH
+
+BROHOME=$BROHOME
+export BROHOME
+
+# Hostname to add into log filenames and reports
+BRO_HOSTNAME=`(hostname || uname -n) 2>/dev/null |awk -F.  '{print $1}'`
+# FQDN format
+# BRO_HOSTNAME=`hostname`
+
+# Directory containing Bro binaries
+BRO_BIN_DIR="${BRO_BIN_DIR:-${BROHOME}/bin}"
+
+# Directory containing Bro logs
+BROLOGS="${BROLOGS:-${BROHOME}/logs}"
+export BROLOGS
+
+# Log archive directory
+BRO_LOG_ARCHIVE="${BRO_LOG_ARCHIVE:-${BROHOME}/archive}"
+
+# Bro policy paths
+BROPATH="${BROHOME}/share/bro/site:${BROHOME}/share/bro:${BROHOME}/share/bro/sigs:${BROHOME}/share/bro/time-machine"
+export BROPATH
+
+# Filename of the Bro start policy.  Must be located in one of the directories in \$BROPATH
+BRO_START_POLICY="@BROHOST@.bro"
+
+# Location of site specific policy and configurations
+BROSITE="${BROSITE:-$BROHOME/site}"
+export BROSITE
+
+# A prefix to use when looking for local policy files to load.
+# BRO_PREFIX="local"
+
+# Location of the Bro executable
+BRO="${BRO:-$BRO_BIN_DIR/bro}"
+
+# Base command line options.
+BRO_ADD_OPTS=" -W"
+# Turn on Bro's Watchdog feature
+BRO_OPTS="${BRO_ADD_OPTS}"
+
+# Interface name to listen on.  The default is to use the busiest one found.
+BRO_CAPTURE_INTERFACE="${BRO_CAPTURE_INTERFACE}"
+# Multiple interface should be specified as a space delimited list.
+# Examples: 
+#   CAPTURE_INTERFACE="sk0 sk1 sk5"
+#   CAPTURE_INTERFACE="eth0 eth3"
+#   CAPTURE_INTERFACE="eth0"
+
+# Shoud a trace (tcpdump) file be created in the log directory (YES/NO)
+BRO_CREATE_TRACE_FILE=$BRO_CREATE_TRACE_FILE
+
+# How long to wait during checkpointing after startin a new Bro process and stopping the old one (in seconds).
+BRO_CHECKPOINT_OVERLAP_TIME=20
+
+# Base directory where reports will be stored
+BRO_REPORT_DIR="${BRO_REPORT_DIR:-$BROHOME/reports}"
+export BRO_REPORT_DIR
+
+# Starting time for a report run (0001 is 12:01 am and 1201 is 12:01pm)
+BRO_REPORT_START_TIME=${BRO_REPORT_START_TIME:-0020}
+
+# How often (in hours) to generate an activity report
+BRO_REPORT_INTERVAL=${BRO_REPORT_INTERVAL:-24}
+
+# This is the how often to rotate the logs (in hours)
+BRO_LOG_ROTATE_INTERVAL=24
+
+# This is the how often to checkpoint bro (in hours)
+BRO_CHECKPOINT_INTERVAL=24
+
+# The maximum time allowed for a Bro process to cleanup and exit (in seconds).
+BRO_MAX_SHUTDOWN_TIME=7200    # 2 hours
+
+# Use this to enable the init script to autorestart Bro in the event of an unexpected shutdown (YES/NO)
+BRO_ENABLE_AUTORESTART="YES"
+
+# A value less than 1 means there will be no limit to the number of restarts
+# Maximum times to try to auto-restart Bro before giving up.
+BRO_MAX_RESTART_ATTEMPTS="-1"
+
+# This is normally /var/run/bro and contains the pidfile and other temporal data.
+# Location of the run-time directory.  
+BRO_RUNTIME_DIR="${BRO_RUNTIME_DIR:-${BROHOME}/var}"
+
+# Email address for local reports to be mailed to
+BRO_EMAIL_LOCAL="${BRO_EMAIL_LOCAL:-NO}"
+
+# Email address to send from
+BRO_EMAIL_FROM="${BRO_EMAIL_FROM:-$BRO_EMAIL_LOCAL}"
+
+# Do you want to send external reports to a incident reporting org (e.g.: CERT, CIAC, etc)
+BRO_EMAIL_EXTERNAL="${BRO_EMAIL_EXTERNAL:-NO}"
+export BRO_EMAIL_EXTERNAL
+
+# Email address for remote reports to be mailed to
+BRO_EMAIL_REMOTE="${BRO_EMAIL_REMOTE}"
+
+# User id to install and run Bro under
+BRO_USER_ID="${BRO_USER_ID:-brother}"
+
+# Site name for reports (i.e. LBNL, FOO.COM, BAZ.ORG)
+BRO_SITE_NAME="${BRO_SITE_NAME}"
+export BRO_SITE_NAME
+
+# Do you want to encrypt email reports (YES/NO)
+BRO_ENCRYPT_EMAIL="${BRO_ENCRYPT_EMAIL}"
+
+# Location of GPG binary for encrypting email
+BRO_GPG_BIN="${BRO_GPG_BIN}"
+
+# Default BPF buffer
+BRO_BPF_BUFSIZE=${BRO_BPF_BUFSIZE:-4194304}
+
+# Do BPF bonding
+BRO_BPFBOND_ENABLE="${BRO_BPFBOND_ENABLE:-NO}"
+
+# Interfaces to bond
+BRO_BPFBOND_FLAGS="${BRO_BPFBOND_FLAGS}"
+
+# diskspace management settings
+# Should I manage diskspace
+BRO_DISKSPACE_ENABLE="${BRO_DISKSPACE_ENABLE:-YES}"
+
+# percent full to worry about
+BRO_DISKSPACE_PCT=${BRO_DISKSPACE_PCT:-90}
+
+# account watching disk space
+BRO_DISKSPACE_WATCHER="${BRO_DISKSPACE_WATCHER:-root}"
+
+# days before deleting old logs
+BRO_DAYS_2_DELETION=${BRO_DAYS_2_DELETION:-45}
+
+# days before compressing logs
+BRO_DAYS_2_COMPRESSION=${BRO_DAYS_2_COMPRESSION:-20}
+
+# Bulk data capture settings
+# Buld data directory
+BRO_BULK_DIR="${BRO_BULK_DIR:-${BROHOME}/bulk-trace}"
+
+# Capture filter for bulk data
+BRO_BULK_CAPTURE_FILTER="${BRO_BULK_CAPTURE_FILTER}"
+
+# days before deleting bulk data
+BRO_BULK_DAYS_2_DELETION=${BRO_BULK_DAYS_2_DELETION:-4}
+
+# days before compressing bulk data
+BRO_BULK_DAYS_2_COMPRESSION=${BRO_BULK_DAYS_2_COMPRESSION:-2}
+
+# location of sorted log files, needed by Brooery
+BROOERY_LOGS="${BROOERY_LOGS:-${BROHOME}/sorted-logs}"
+
+EOF
+}
+
+
+######################################################################
+# run the localnets program
+bro_config_run_localnets()
+{
+    # how long to run tcpdump for ..
+    BRO_DUMP_TIME=20
+
+    bro_check_network="YES"
+    bro_config_input "bro_check_network" $bro_check_network " May I guess your network configuration for you? "
+
+    if [ "$bro_check_network" = "YES" ] ; then 
+        # make sure tcpdump is working ...
+	    echo "Checking network"
+        tcpdump -V > /dev/null  2>&1 
+        state=$?
+        # A little debug info just in case ...
+        if [ $Debug = 1 ]; then
+            echo "State $state Test $test"
+        fi
+        # if we can't run tcpdump, return to configuring 
+        if [ $state -eq 127 ]; then 
+            echo "Can't run tcpdump, please make sure its in your path"
+            return 2
+        fi
+        test=`tcpdump -V 2>&1 | grep version| awk '{print $3}'`
+        # do a one packet capture to check we can use the interface
+        tcpdump -i $BRO_CAPTURE_INTERFACE -n -w /tmp/bro_config.tcpdump.file.$$ -c 1 > /dev/null 2>&1
+        permis=$?
+        if [ $permis -eq 1 ]; then
+            rm /tmp/bro_config.tcpdump.file.$$ 2>&1 > /dev/null
+            echo "Can't run tcpdump, please check your permissions or run as root "
+            return 2
+        fi
+        # lets figure out what we are on
+        echo "Running localnets script to determine the local network range ... " 
+        echo "This will take about $BRO_DUMP_TIME seconds"
+        echo -n "Capturing packets ...."
+
+        # do it quietly in the background
+        tcpdump -n -i $BRO_CAPTURE_INTERFACE -w /tmp/bro_config.tcpdump.file.$$ > /dev/null 2>&1 &
+        pid=$!
+        sleep $BRO_DUMP_TIME
+        echo " done."
+        kill -INT $pid 2>&1 > /dev/null
+        echo -n "Analyzing dump file....."
+        ./localnetMAC.pl -a 16 -r /tmp/bro_config.tcpdump.file.$$  -b local.site.bro 2>&1 > /dev/null
+        rm /tmp/bro_config.tcpdump.file.$$
+        #Yes there is a spelling error in the output
+        echo " done."
+        num=`grep "MAC adresses" local.site.bro | awk '{print $3}'`
+        if [ "$num" -gt 2 ] ; then 
+            echo "You don't appear to be running on a DMZ (found more then two (2) hardware "
+            echo "address. Please edit local.site.bro to reflect your correct network parameters"
+            cp local.site.bro.default local.site.bro
+        else
+            echo "Your network appears to contain the following networks:"
+            for net in ` grep ",$" local.site.bro|sed 's/,//g'`; 
+            do 
+               echo $net; 
+            done
+            echo "Edit local.site.bro by hand if this is not correct" 
+        fi
+    else
+        if [ -f local.site.bro ]; then
+            echo "No previous local.site.bro found. Creating default"
+            bro_config_create_local_site_bro
+            #cp local.site.bro.default local.site.bro
+            echo "Please edit local.site.bro so that it describes your network configuration"
+        fi
+    fi
+}
+
+######################################################################
+# Use pw to create the account adding a group name that is the same
+# as the user id to use. Also create the account in the BROHOME area
+#
+bro_config_add_user()
+{
+
+    # see if user exists already
+    xx=`id $BRO_USER_ID > /dev/null 2>&1`
+    stat=$?
+    if [ $stat -eq 0 ]; then 
+        valid_id=1
+        return 
+    fi
+
+    # Silently check for existance of pw
+    /usr/sbin/pw > /dev/null 2>&1
+    stat=$?
+    if [ $stat -eq 127 ] ; then 
+        echo "/usr/sbin/pw not found, can't add user $BRO_USER to your system"
+        echo "please add $BRO_USER manually to your system."
+        no_pw=1
+        return 1
+    fi
+    echo -n "Should I add the user $BRO_USER_ID to your system? [YES] "
+    read ans
+    if [ -z "$ans" -o x$ans = "xy" -o x$ans = "xyes" -o x$ans = "xY" -o x$ans = "xYES" ] ; then 
+        # add user to group wheel at the same time
+        /usr/sbin/pw useradd $BRO_USER_ID -d $BROHOME -q -n $BRO_USER_ID 
+        result=$?
+        if [ $result -ne 0 ]; then 
+            echo "Error adding user $BRO_USER"
+            echo "Failed command: \"/usr/sbin/pw useradd $BRO_USER_ID -d $BROHOME -q -m -n $BRO_USER_ID \""
+        else
+            echo "Added user $BRO_USER_ID to the system."
+            valid_id=1
+       fi
+   else
+       echo "Not adding user $BRO_USER_ID"
+   fi
+}
+
+
+######################################################################
+bro_config_run_bpf()
+{
+    echo $n "Running bpf script to check if you have enough devices ... "
+    num=`ls -1 /dev/bpf[0-9]*|wc -l`
+    echo "done."
+    echo You have $num bpf devices
+    if [ $num -gt 10 ] ; then 
+        echo "You should have enough devices"
+    else
+        bro_config_get_more_bpf
+    fi
+}
+######################################################################
+
+bro_config_get_more_bpf()
+{
+    RESP=
+    while [ -z "$RESP" ]; do
+        echo $n "Bro recommends more devices, may I create more for you [Y/n] "
+        read RESP
+        case "$RESP" in 
+            [Yy]|[Yy][Ee][Ss]) 
+                echo $n "Creating 32 bpf devices" ; 
+                cd /dev; ./MAKEDEV bpf31 ;;
+            [Nn]|[Nn][Oo]) return 1;;
+            *) echo "Please answer Y or N" ;;
+        esac
+    done
+    echo " Done."
+}
+
+######################################################################
+# If I'm root, I'll be able to read bpf no matter what!
+# so a test of head -1 /dev/bpf0 is meaningless.....
+# So all I can really do is check the that group is 
+# the same as the $BRO_USER_ID and go with that.
+bro_config_chown_bpf()
+{
+    if [ $valid_id -eq 0 ] ; then 
+        echo "$BRO_USER_ID needs to be added to the system and enabled"
+        echo "to read the /dev/bpf devices for bro to work."
+        return 1
+    fi
+    readable=0
+    # grab the group
+    bpf_grp=`ls -al /dev/bpf*|head -1|awk '{print $4}'`
+    # bro user groups
+    user_grp=`id $BRO_USER_ID`
+    #echo "Checking $BRO_USER_ID against $grp"
+    # is it in the same as bro?
+    if echo $user_grp | grep $bpf_grp  2>&1 > /dev/null; then
+        # if so, better make sure its group readable
+        perm=`ls -al /dev/bpf*|head -1| cut -c5`
+        if [ "x$perm" = "xr" ] ; then
+            echo "$BRO_USER_ID can read /dev/bpf devices.... Good"
+            readable=1
+        else
+            readable=0
+        fi
+    else
+        bpf_own=`ls -al /dev/bpf*|head -1|awk '{print $3}'` 
+        if [ "$BRO_USER_ID" = "$bpf_own" ] ; then
+            echo "$BRO_USER_ID can read /dev/bpf devices.... Good"
+            readable=1
+        fi
+    fi
+    if [ $readable -eq 0 ]; then 
+        echo "$BRO_USER_ID can NOT read /dev/bpf devices!"
+        RESP=
+        while [ -z "$RESP" ]; do
+            echo $n "May I make the bfp devices owned by user $BRO_USER_ID ? [Y/n]"
+            read RESP
+            case "$RESP" in 
+                [Yy]|[Yy][Ee][Ss]) 
+                    chown $BRO_USER_ID /dev/bpf* ;
+                    chmod u=rw /dev/bpf* ;;
+                [Nn]|[Nn][Oo]) 
+                    echo "You will need to enable the user $BRO_USER_ID" ;
+                    echo "read access to the /dev/bpf devices." ;
+                    return 1;;
+                *) echo "Please answer Y or N" ;;
+            esac
+        done
+    fi
+}
+
+######################################################################
+bro_config_source()
+{
+    #  source a bro.cfg if it exists, so we know the past default values from the
+    #  last run
+
+    dirs="$BROHOME/etc/bro.cfg $BROHOME/etc/bro.cfg.example `pwd`/bro.cfg"
+    cfgused=
+
+    for cfgfile in $dirs ; do 
+        #echo "checking $cfgfile"
+        if [ -r $cfgfile ] ; then
+            if [ $automode -eq 1 ] ; then
+                break
+            fi
+            RESP=
+            while [ -z "$RESP" ]; do
+                echo "**** Detected previous bro.cfg file *****"
+                echo $n "May I use $cfgfile for defaults? [Y/n]"
+                read RESP
+                case "$RESP" in
+                    [Yy]|[Yy][Ee][Ss])
+                        echo "Sourcing $cfgfile for defaults.";
+                        . $cfgfile;
+                        cfgused=${cfgfile};;
+                    [Nn]|[Nn][Oo])
+                        break;;
+                    *) echo "Please answer Y or N" ;;
+                esac
+            done
+            break
+        fi
+    done
+
+    if [ -z $cfgused ] ; then
+        echo "Using defaults from bro.cfg.example"
+        cfgfile=`pwd`/bro.cfg.example
+        if [ -r $cfgfile ] ; then
+            . `pwd`/bro.cfg.example
+        else
+            echo "No bro.cfg.example found. Using built-in defaults"
+            # generate some defaults
+            if [ -r ./bro.cfg ] ; then 
+                # back up their cfg if exists
+                mv bro.cfg bro.cfg.bak.$$
+            fi
+            bro_config_export_vars
+            mv bro.cfg bro.cfg.example
+            . ./bro.cfg.example
+            if [ -r ./bro.cfg ] ; then 
+                # replace the cfg if exists
+                mv bro.cfg.$$ bro.cfg
+            fi
+
+        fi
+    fi
+}
+
+######################################################################
+# See if we are going to use gpg 
+
+bro_config_gpg_vals()
+{
+    gpg_vals="BRO_GPG_BIN"
+
+    bro_config_input "BRO_ENCRYPT_EMAIL" $BRO_ENCRYPT_EMAIL
+
+    if [ x$BRO_ENCRYPT_EMAIL = "xYES" ]; then 
+        for val in $gpg_vals; do  
+            varname="$`echo $val`"
+            varval=`eval echo $varname` 
+            bro_config_input $val $varval
+        done
+	echo "Make sure to read the manual on how to install GPG keys!"
+    fi
+}
+
+######################################################################
+# snarf some system values and make sure that they are set
+# correctly
+# values that I might need to know: debug.sk_interrupt_mod, 
+# debug.sk_do_packet_timestamps, debug.bpf_bufsize, debug.bpf_maxbufsize
+bro_config_system_parms()
+{
+    
+    if [ "x$BRO_SYS_TYPE" = 'xLINUX' ]; then
+        sysctl -w net.core.rmem_max = 16777216
+        if grep net.core.rmem_max /etc/sysctl.conf 2>&1 > /dev/null ; then
+            echo "ERROR: Can't change value, entry exists in /etc/sysctl.conf!"
+        else
+            echo "net.core.rmem_max = 16777216" >> /etc/sysctl.conf
+        fi
+        return 
+    fi
+
+    # FreeBSD 6 uses differnt var names
+    if [ "x$BRO_SYS_TYPE" = 'xFREEBSD6' ]; then
+        MAXBUF='net.bpf.maxbufsize'
+        BUFSZ='net.bpf.bufsize'
+    else
+        MAXBUF='debug.bpf_maxbufsize'
+        BUFSZ='debug.bpf_bufsize'
+    fi
+
+
+    if [ `sysctl -n $MAXBUF` -lt 8388608 ] ; then
+        bpf_maxbufsize=`sysctl -n $MAXBUF`
+        echo "Current max buffer size for your BPF filter is $bpf_maxbufsize bytes. Bro recommends a max bpf buffer size of 8388608."
+        bro_config_input "bpf_maxbufsize" $bpf_maxbufsize "Please input a new value (or return to keep the current value)"
+        sysctl -w $MAXBUF=$bpf_maxbufsize
+        makepermanent="NO"
+        bro_config_input "makepermanent" $makepermanent "May I make this permanent?  [y/N] "
+        if [ x$makepermanent = "xYES" ] ; then 
+            if grep $MAXBUF /etc/sysctl.conf 2>&1 > /dev/null ; then 
+                echo "ERROR: Can't change value, entry exists in /etc/sysctl.conf!"
+            else
+                echo "$MAXBUF=$bpf_maxbufsize" >> /etc/sysctl.conf
+            fi
+        fi
+    fi
+
+    if [ `sysctl -n $BUFSZ` -lt 4194304 ] ; then
+        bpf_bufsize=`sysctl -n $BUFSZ`
+        echo "Current buffer size of your BPF filter is $bpf_bufsize bytes. Bro recommends a BPF buffer size of 4194304."
+        bro_config_input "bpf_bufsize" $bpf_bufsize "Please input a new value (or return to keep the current value)"
+        sysctl -w $BUFSZ=$bpf_bufsize
+        makepermanent="NO"
+        bro_config_input "makepermanent" $makepermanent "May I make this permanent? [y/N]"
+        if [ x$makepermanent = "xYES" ] ; then 
+            if grep $BUFSZ /etc/sysctl.conf 2>&1 > /dev/null ; then 
+                echo "ERROR: Can't change value, entry exists in /etc/sysctl.conf!"
+            else
+                echo "debug.bpf_bufsize=$bpf_bufsize" >> /etc/sysctl.conf
+            fi
+        fi
+    fi
+}
+
+
+######################################################################
+# Ask if we want to send local/external email reports
+# if so set the local/external email address(es)
+bro_config_email()
+{
+    bro_do_email_local="NO"
+    if [ "$BRO_EMAIL_LOCAL" ] ; then
+       bro_do_email_local="YES"
+    else
+       bro_do_email_local="NO"
+    fi
+    bro_config_input "bro_do_email_local" $bro_do_email_local " Email reports? (YES/no) "
+    if [ x$bro_do_email_local = "xYES" ] ; then
+        bro_config_input "BRO_EMAIL_LOCAL" "$BRO_EMAIL_LOCAL"
+    else
+        BRO_EMAIL_LOCAL=""
+    fi
+
+    # don't ask about emailing remote reports (for now)
+#    bro_config_input "BRO_EMAIL_EXTERNAL" $BRO_EMAIL_EXTERNAL
+#    if [ x$BRO_EMAIL_EXTERNAL = "xYES" ]; then 
+#            bro_config_input "BRO_EMAIL_REMOTE" $BRO_EMAIL_REMOTE
+#    fi
+
+}
+
+######################################################################
+# Try to figure out the site name. host1.fooobar.com becomes
+# foobarcom, and host1 becomes host1. If the hostname isn't set
+# it should default to SOMESITE.
+bro_config_site_name()
+{
+    if [ -z $BRO_SITE_NAME ]; then
+        BRO_SITE_NAME=`hostname|awk -F. '{print $2 $3}'`
+        if [ -z $BRO_SITE_NAME ] ; then 
+            BRO_SITE_NAME="SOMESITE"
+        fi
+    fi
+}
+######################################################################
+# if qutomode is set, just source the example setttings (or guess)
+# and output the files. Then exit! 
+bro_check_automode()
+{
+    if [ ! -z $BRO_AUTOMODE ] ; then
+        echo "Doing automode"
+        automode=1
+        # shouldn't run this as root!
+        nonroot=1
+        bro_config_source
+        bro_config_sys_type
+        if [ -z $BRO_CAPTURE_INTERFACE ]; then
+            bro_config_get_busy_iface
+            BRO_CAPTURE_INTERFACE=$busy_iface
+        fi
+        bro_config_got_root
+        bro_config_site_name
+        # export everything
+        bro_config_export_vars
+        bro_config_export_user
+        echo "Automode finished"
+        exit 0
+    else
+        echo "Automode not enabled"
+    fi
+
+}
+
+######################################################################
+# FREEBSD5 isms (dang devfs bpf)
+#
+bro_config_freebsd_devfs()
+{
+    # see if we've mucked with it before *dang* octothorp!
+    if [ -e /etc/rc.local ] ; then 
+        foo=`grep "BRO BPF PERMISSIONS CHANGES" /etc/rc.local |sed s/#//g`
+        if ! [ -z "$foo" ]; then
+            echo "Looks like /etc/rc.local has already been setup"
+            echo "Not changing /etc/rc.local"
+            return 
+        fi
+        # see if they already have a policy
+        bar=`grep "bpf" /etc/devfs.conf|sed s/#//g`
+        if ! [ -z "$bar" ]; then
+            echo "/etc/devfs.conf has policy for bpf devices already!"
+            echo "Not adding one to /etc/rc.local"
+            return 
+        fi
+
+    fi
+    # make sure brouser has its own group
+    brogroup=`grep ^$BRO_USER_ID /etc/group | awk -F: '{print $3}'`
+    if [ -z $brogroup ] ; then
+        echo "Can't find group for $BRO_USER_ID"
+        echo "Not changing /etc/rc.local"
+        return 
+    fi
+
+    # always make a backup
+    cp /etc/rc.local /etc/rc.local.$$.bak > /dev/null 2>&1 
+
+    # do it 
+cat - >> /etc/rc.local << BAZ
+
+# BRO BPF PERMISSIONS CHANGES
+devfs ruleset 15
+devfs rule add 15 path 'bpf*' mode 660 user $brogroup
+
+BAZ
+
+    echo "Added devfs line to /etc/rc.local"
+}
+######################################################################
+# Give a name for the user id to install everything under
+#
+bro_config_export_user()
+{
+    if [ -w bro_user_id ] ; then
+        mv bro_user_id bro_user_id.bak
+    fi
+
+    if [ -z "$BRO_USER_ID" ]; then
+        BRO_USER_ID=`id -un`
+    fi
+    echo "$BRO_USER_ID" > bro_user_id
+
+}
+######################################################################
+# main program 
+
+
+# check for automode
+# XXX: this may exit the program at this point
+bro_check_automode
+
+while [ $# -ge 1 ]; do
+    case $1 in
+    -p)     shift; BROHOME=$1 ;;
+    -p*)    BROHOME=`echo $1 | cut -c3-`;;
+    -d)     Debug=1;;
+    -f)     full=1;;
+    -*)     echo $Usage; exit 1 ;;
+    esac
+    shift
+done
+
+echo ""
+echo "Running Bro Configuration Utility"
+echo ""
+
+bro_config_echo_settings
+
+do_config="YES"
+bro_config_input "do_config" $do_config "Configure settings in bro.cfg? (YES/no) "
+if [ x$do_config = "xYES" ] ; then
+    echo "Values enclosed in '[ ]'s are the default value set if you hit return."
+else
+    exit
+fi
+
+echo ""
+
+
+# get the old vars first
+bro_config_source
+
+# what system are we running on second
+bro_config_sys_type
+
+# if we aren't root, better not ask the wrong questions ...
+bro_config_got_root
+
+#List of all variables we can set
+#vars="BROHOME BRO_BIN_DIR BRO_LOG_ARCHIVE BROPATH BRO_POLICY_PREFIX BRO BRO_OPTS BRO_USER_ID BRO_CHECKPOINT_INTERVAL BRO_REPORT_INTERVAL BRO_CAPTURE_INTERFACE BRO_EMAIL_LOCAL BRO_EMAIL_REMOTE BRO_CREATE_TRACE_FILE BRO_SITE_NAME BRO_GPG_BIN"
+
+if [ $nonroot -eq 1 ] ; then 
+    BRO_USER_ID=`id -un`
+    vars="BRO_LOG_ARCHIVE BRO_USER_ID BRO_CAPTURE_INTERFACE BRO_SITE_NAME BRO_REPORT_START_TIME BRO_REPORT_INTERVAL"
+else
+    # if this is linux then preset the username to root as it is unlikely that
+    # any patches have been applied to allow non-root users to open devices
+    # for packet capture.
+    if [ "x$BRO_SYS_TYPE" = 'xLINUX' ]; then
+        BRO_USER_ID='root'
+    fi
+    
+    vars="BRO_LOG_ARCHIVE BRO_USER_ID BRO_CAPTURE_INTERFACE BRO_SITE_NAME BRO_REPORT_START_TIME BRO_REPORT_INTERVAL"
+fi
+
+# set the iface to what I think is correct
+# if there is no default
+if [ -z "$BRO_CAPTURE_INTERFACE" ]; then
+    bro_config_get_busy_iface
+    BRO_CAPTURE_INTERFACE=$busy_iface
+fi
+
+# setup the SITE name
+bro_config_site_name
+
+# prompt for all the values
+# NOTE: ${!variable} only works in bash
+for val in $vars;
+do
+    # Grrr, why can't bsd ship with a *real* shell like bash!
+    # can't use bro_config_input $val ${!val}
+    varname="$`echo $val`"
+    varval=`eval echo $varname` 
+    bro_config_input $val $varval
+done
+
+bro_config_email 
+if [ "x$bro_do_email_local" = "xYES" ]; then
+    bro_config_gpg_vals 
+fi
+
+#output all the values (if debug)
+if [ $Debug -eq 1 ]; then
+    for val in $vars;
+    do
+        varname="$`echo $val`"
+        varval=`eval echo $varname` 
+        echo Setting $val to $varval
+    done
+fi
+
+# we can only do the following if we are root
+if [ $nonroot -ne 1 ] ; then 
+    bro_config_add_user
+    # check various system parameters
+    bro_config_system_parms
+    # Linux does not do bpf devices, skip these tests.
+    if [ "x$BRO_SYS_TYPE" = 'xFREEBSD4' ]; then
+        # configure the bpfs before doing the dump :-)
+        bro_config_run_bpf
+        # configure the bpfs to be group readable
+        bro_config_chown_bpf
+    fi
+    if [ "x$BRO_SYS_TYPE" = 'xFREEBSD5' -o "x$BRO_SYS_TYPE" = 'xFREEBSD6' ]; then
+        bro_config_freebsd_devfs
+    fi
+    # if perl doesn't exist, don't bother...
+    if [ "@PERL@" != "" ]; then
+        # run the localnets program
+        bro_config_run_localnets
+    fi
+else
+    bro_config_nonroot_message
+fi
+# create the output file
+bro_config_export_vars
+bro_config_export_user
+echo "Bro Configuration Finished. "
+echo $n "Press any key to now to continue. "
+read RESP
+exit 0
+
diff --git a/scripts/bro_log_compress.sh b/scripts/bro_log_compress.sh
new file mode 100755
index 0000000000..5659e7c7a6
--- /dev/null
+++ b/scripts/bro_log_compress.sh
@@ -0,0 +1,88 @@
+#!/bin/sh 
+# very simple script to compress old files and remove older files
+# You will probably want to do something more sophisticated for
+#	a production bro installation (e.g.: Integrate this into
+#	your backup scripts)
+#
+# Note: might want to check current disk space and just exit
+#	if there is lots of space
+#
+#set -x
+
+if [ $BROHOME ] ; then
+  . $BROHOME/etc/bro.cfg
+else
+  # if BROHOME is not set, try default location
+  . /usr/local/bro/etc/bro.cfg
+fi
+
+#echo found BROLOGS in bro.cfg: $BROLOGS
+logdir=$BROLOGS/
+
+if [ ! -d $logdir ] ; then
+    echo "Error: log file directory not found"
+    exit
+fi
+
+Days2deletion=$BRO_DAYS_2_DELETION
+Days2compression=$BRO_DAYS_2_COMPRESSION
+
+echo "Deleting files older than $BRO_DAYS_2_DELETION days, and compressing files older than $BRO_DAYS_2_COMPRESSION days"
+
+echo "Checking directory: $BRO_LOG_ARCHIVE"
+# first delete old archives
+filelist=`find $BRO_LOG_ARCHIVE -type f -mtime +$Days2deletion -print `
+#echo list of files to delete: $filelist
+
+for file in $filelist
+   do
+        echo removing: $file
+	rm -f $file
+   done
+
+# next delete old sorted log files needed by Brooery
+if [ -d $BROOERY_LOGS ] ; then
+   echo "Checking directory: $BROOERY_LOGS"
+   filelist=`find $BROOERY_LOGS -type f -mtime +$Days2deletion -print `
+   #echo list of files to delete: $filelist
+
+   for file in $filelist
+      do
+           echo removing: $file
+	   rm -f $file
+      done
+fi
+
+echo "Checking directory: $logdir"
+# also check for any old stuff in the main log dir (just in case)
+filelist=`find $logdir -type f -mtime +$Days2deletion -print `
+#echo list of files to delete: $filelist
+
+for file in $filelist
+   do
+        echo removing: $file
+	rm -f $file
+   done
+
+#delete core files that are more than 4 days old
+filelist=`find $logdir -name "*core*" -mtime +4 -print `
+for file in $filelist
+   do
+        echo removing: $file
+	rm -f $file
+   done
+
+
+filelist=`find $logdir -type f -mtime +$Days2compression -print `
+#echo list of files to compress: $filelist
+
+for file in $filelist
+   do
+        echo compressing: $file
+	nice gzip $file
+   done
+
+echo Moving compressed files to archive dir: $BRO_LOG_ARCHIVE
+mv $logdir/*.gz $BRO_LOG_ARCHIVE
+echo Done.
+exit
diff --git a/scripts/diskspace.sh b/scripts/diskspace.sh
new file mode 100755
index 0000000000..53b94b526b
--- /dev/null
+++ b/scripts/diskspace.sh
@@ -0,0 +1,36 @@
+#!/bin/sh
+# script to check disk space and send email if getting full.
+# constants are in BROHOME/etc/bro.cfg
+
+. $BROHOME/etc/bro.cfg
+
+if [ -n "$diskspace_enable" -a "x$diskspace_enable" != "xNO" ]; then
+	prog="`basename $0 .sh`"
+	t=/tmp/$prog.$$
+	o=$prog.list
+	df -kt ufs | sed -e '1d' -e 's/% / /' | \
+	(while read filesys size used avail pct path ;do
+		if [ "$pct" -ge "$diskspace_pct" ]; then
+			echo "Filesystem $path ($filesys) getting full ($pct%)"
+		fi
+	done) > $t 2>&1
+	if [ -s $t ]; then
+		if [ -f $o ]; then
+			diff $o $t > /dev/null 2>&1
+			# remove temp file if no differences
+			if [ $? = 0 ]; then
+				rm $t
+			else
+				rm $o
+			fi
+		fi
+		if [ -f $t ]; then
+			mail -s "`hostname` disk space report" \
+			    "$diskspace_watcher" < $t
+			/bin/cp $t $o
+		fi
+	else
+		rm -f $o
+	fi
+	rm -f $t
+fi
diff --git a/scripts/frontend-mail-reports.sh b/scripts/frontend-mail-reports.sh
new file mode 100644
index 0000000000..32c419e617
--- /dev/null
+++ b/scripts/frontend-mail-reports.sh
@@ -0,0 +1,29 @@
+#!/bin/sh
+#
+# script to check if rsync of logs has finished, and runs site-report.pl
+#
+# usage: frontend-mail-report.sh BroConfigFile
+#
+
+# where are we located
+base=`dirname $0`
+#set up the environment
+if [ $1 ] ; then
+   . $1
+else
+   . $base/../etc/bro.cfg
+fi
+
+echo " "
+echo "`date`: checking if reports are ready to mail:" $BROHOME/logs/MailReports.$BRO_HOSTNAME
+
+# only run if file $BROHOME/logs/MailReports.$BRO_HOSTNAME 
+if [ -e $BROHOME/logs/MailReports.$BRO_HOSTNAME ] ; then
+     echo "Reports ready: Running mail reports script"
+     $BROHOME/scripts/mail_reports.sh $1
+     rm $BROHOME/logs/MailReports.$BRO_HOSTNAME 
+else
+     echo "Reports not ready"
+fi
+
+
diff --git a/scripts/frontend-site-report.sh b/scripts/frontend-site-report.sh
new file mode 100644
index 0000000000..55b6bf72ab
--- /dev/null
+++ b/scripts/frontend-site-report.sh
@@ -0,0 +1,32 @@
+#!/bin/sh
+#
+# script to check if rsync of logs has finished, and runs site-report.pl
+#
+# usage: frontend-site-report.sh BroConfigFile
+#
+#set -x
+
+# where are we located
+base=`dirname $0`
+#set up the environment
+if [ $1 ] ; then
+   . $1
+else
+   . $base/../etc/bro.cfg
+fi
+
+echo " "
+echo "`date`: checking if reports are ready to generate:" $BROHOME/logs/DoReports.$BRO_HOSTNAME
+
+# only run if file $BROHOME/logs/DoReports.$BROHOST
+if [ -e $BROHOME/logs/DoReports.$BRO_HOSTNAME ] ; then
+     echo "rsync done: running site report script"
+     rm $BROHOME/logs/DoReports.$BRO_HOSTNAME
+     $BROHOME/scripts/site-report.pl --broconfig $1
+     # create file indicating report is finished
+     echo "creating file" $BROHOME/logs/MailReports.$BRO_HOSTNAME
+     touch $BROHOME/logs/MailReports.$BRO_HOSTNAME
+else
+     echo "rsync not done"
+fi
+
diff --git a/scripts/install_cron.sh b/scripts/install_cron.sh
new file mode 100755
index 0000000000..435a730a6b
--- /dev/null
+++ b/scripts/install_cron.sh
@@ -0,0 +1,111 @@
+#!/bin/sh
+
+#install bro into your crontab for checkpointing
+
+# source our cfg or guess at some defaults
+if [ -r ./bro.cfg ] ; then
+    . ./bro.cfg
+else
+    echo "Can't find bro.cfg, not installing crontab"
+    #BRO_REPORT_START_TIME=0000
+    #BROHOME="/usr/local/bro"
+    #BRO_REPORT_INTERVAL=24
+    #BRO_CHECKPOINT_INTERVAL=24
+fi
+
+RPT_MIN=`echo ${BRO_REPORT_START_TIME} | cut -c3-`
+RPT_HR=`echo ${BRO_REPORT_START_TIME} | cut -c1,2`
+RPT_INT=${BRO_REPORT_INTERVAL}
+CHK_INT=${BRO_CHECKPOINT_INTERVAL}
+
+if [ ${CHK_INT} -ge 24 ] ; then 
+    CHK_INT=24
+fi
+
+if [ ${RPT_INT} -ge 24 ] ; then 
+    RPT_INT=24
+fi
+
+create_cron()
+{
+    echo "BROHOME=${BROHOME}" >> /tmp/bro.crontab
+    echo "# checkpoint Bro once a week" >> /tmp/bro.crontab
+    echo "0 0 * * 1 ${BROHOME}/etc/bro.rc --checkpoint" >> /tmp/bro.crontab 
+    #if [ ${CHK_INT} -eq 24 ] ; then 
+    #    echo "0 0 * * 1 ${BROHOME}/etc/bro.rc --checkpoint" >> /tmp/bro.crontab 
+    #else
+    #    echo "0 0/${CHK_INT} * * * ${BROHOME}/etc/bro.rc --checkpoint" >> /tmp/bro.crontab 
+    #fi
+    if [ ${RPT_INT} -eq 24 ] ; then 
+        echo "${RPT_MIN} ${RPT_HR} * * * ( nice -n 19 ${BROHOME}/scripts/site-report.pl )" >> /tmp/bro.crontab 
+    else
+        echo "${RPT_MIN} ${RPT_HR}/${RPT_INT} * * * ( nice -n 19 ${BROHOME}/scripts/site-report.pl )" >> /tmp/bro.crontab 
+    fi
+
+    echo "${RPT_MIN} $((${RPT_HR} + 3)) * * * (${BROHOME}/scripts/mail_reports.sh ${BROHOME}/etc/bro.cfg)" >> /tmp/bro.crontab 
+    echo "0 3 * * * (${BROHOME}/scripts/bro_log_compress.sh)" >> /tmp/bro.crontab 
+
+# insert rsync stuff, commented out, as an example:
+    echo "# If you are process logs on a front end host, add this: " >> /tmp/bro.crontab 
+    echo "#10 3 * * * (${BROHOME}/scripts/push_logs.sh FrontendHost)" >> /tmp/bro.crontab 
+
+    crontab /tmp/bro.crontab 
+    s=$? 
+    if [ $s -ne 0 ] ; then 
+        echo "Can NOT install crontab. Please see crontab.example" 
+        echo "for an example crontab to install" 
+    else 
+        echo "" 
+        echo "New crontab installed." 
+        echo "" 
+    fi 
+    rm /tmp/bro.crontab 
+    echo "" 
+    echo "New crontab installed." 
+    echo "" 
+}
+
+install_cron ()
+{
+    if [ -f /tmp/bro.crontab ] ; then                        
+        rm  /tmp/bro.crontab  
+    fi 
+    if crontab -l > /tmp/bro.crontab ; then 
+        if grep bro.rc /tmp/bro.crontab > /dev/null; then 
+            echo "" 
+            echo "Bro already installed in crontab!" 
+            echo "Not installing a new crontab" 
+            echo "" 
+        else 
+            create_cron
+        fi 
+    else 
+        create_cron
+    fi 
+}
+
+uninstall_cron()
+{
+    pid=$$
+    crontab -l > /tmp/cron.orig.${pid} 2>&1 
+    echo "status = $?"
+    if [ $? -eq 0 ] ; then
+        cat /tmp/cron.orig.${pid} | sed -e '/^.*bro_log_compress.sh)$/d' -e '/^.*etc\/bro.cfg; .\/mail_reports.sh)$/d' -e '/^.*.\/site-report.pl)$/d' -e '/^.*bro.rc --checkpoint$/d' > /tmp/cron.new.${pid}
+    else
+        echo "crontab missing?"
+    fi
+    echo "yes" | crontab -r 
+    crontab /tmp/cron.new.${pid}
+    echo "You can view your new crontab with a 'crontab -l'"
+    echo "Your old crontab is in /tmp/cron.orig.${pid}"
+}
+
+case $1 in
+    install)
+        install_cron
+        ;;
+    uninstall)
+        uninstall_cron
+        ;;
+esac
+exit 0
diff --git a/scripts/intern.bro.default b/scripts/intern.bro.default
new file mode 100644
index 0000000000..d40b39a556
--- /dev/null
+++ b/scripts/intern.bro.default
@@ -0,0 +1,15 @@
+# This file should describe your network configuration.
+# If your local network is a class C, and its network
+# address was 192.168.1.0 and a class B network 
+# with address space 10.1.0.0.
+# Then you would put 192.168.1.0/24 and 10.1.0.0/16 into 
+# this file, telling bro what your local networks are.
+
+@load site
+
+redef local_nets: set[subnet] = {
+    # example of a class C network
+    192.168.1.0/24,
+    # example of a class B network
+    10.1.0.0/16
+};
diff --git a/scripts/local.lite.bro b/scripts/local.lite.bro
new file mode 100644
index 0000000000..0bdecde13b
--- /dev/null
+++ b/scripts/local.lite.bro
@@ -0,0 +1,30 @@
+# $Id: local.lite.bro 1115 2005-03-20 06:51:11Z vern $
+
+# This file is intended for host-specific Bro policy.
+
+# What is host-specific?  It can be anything that is not the default
+# after installation.  This is the place to make tweaks and changes
+# to modify policy to suit your network environment and preferences.
+
+# The following causes Bro to load local.XXX.bro anytime you
+# "@load XXX" (along with first loading XXX.bro).
+#
+@prefixes = local
+
+@load brolite	# root policy which loads all other default policies.
+
+# File generated by the network script for dynamic configuration of
+# the local network subnets.
+@load site
+
+
+# Make any changes to policy starting HERE:
+
+# To run signatures, uncomment the following line.
+# @load brolite-sigs
+
+@ifdef ( use_signatures )
+	# Load Bro signatures.  This is the default file containing Bro
+	# signatures.
+	redef signature_files += "signatures";
+@endif
diff --git a/scripts/local.site.bro.default b/scripts/local.site.bro.default
new file mode 100644
index 0000000000..d40b39a556
--- /dev/null
+++ b/scripts/local.site.bro.default
@@ -0,0 +1,15 @@
+# This file should describe your network configuration.
+# If your local network is a class C, and its network
+# address was 192.168.1.0 and a class B network 
+# with address space 10.1.0.0.
+# Then you would put 192.168.1.0/24 and 10.1.0.0/16 into 
+# this file, telling bro what your local networks are.
+
+@load site
+
+redef local_nets: set[subnet] = {
+    # example of a class C network
+    192.168.1.0/24,
+    # example of a class B network
+    10.1.0.0/16
+};
diff --git a/scripts/localnetMAC.pl.in b/scripts/localnetMAC.pl.in
new file mode 100755
index 0000000000..76d2e4d8a4
--- /dev/null
+++ b/scripts/localnetMAC.pl.in
@@ -0,0 +1,184 @@
+#!@PERL@
+
+##This script assumes that there are a lot more external IP Adresses
+##than internal ones. It associates all IP adresses with a MAC Adress
+##and tracks what MAC adress communicates with what other MAC adress.
+
+use strict;
+use IP4;
+use Getopt::Std;
+
+my $usage="localnetMac.pl -r <dumpfile> or
+localnetMac.pl -t <ascii file>
+options:
+\t-a <aggregate up to bits>
+\t-b <output bro-syntax internal nets to file>
+\t-m do not ignore multicast IP addresses
+\t-v output debug info
+\nInput is taken either from plain or gzip compressed files.
+Input formats:
+\tlibpcap dump file containing ethernet packets
+\tasci file containing <LinkLayerAdr1 LinkLayerAdr2 IPAdr1 IPAdr2> per line
+\nNote: for libpcap inputs currently only ethernet is supported. Other link layer protocols should work if using ascii input.\n";
+
+my %args;
+getopts("a:b:mr:t:v", \%args);
+my $aggto=0;
+my $broout="";
+my $decomp;
+my $multicast = 0;
+my $MCASTMIN=224;
+my $MCASTMAX=239;
+my $debug = 0;
+if (!defined $args{r} and !defined $args{t}){die $usage;}
+if (defined $args{a}){$aggto = $args{a};}
+if (defined $args{b}){$broout=$args{b};}
+if (defined $args{m}){$multicast = 1;}
+if (defined $args{v}){$debug = 1;}
+
+if($args{r}=~/gz$/ or $args{t}=~/gz$/){
+    $decomp = `which zcat`;
+    chomp($decomp);
+    if ($decomp eq ""){
+	$decomp = `which gzcat`;
+	chomp($decomp);
+    }
+    if ($decomp eq ""){
+	die "You need zcat or gzcat in your \$PATH in order to process compressed files\n";
+    }
+}
+
+my $fh;
+if ($args{r} and $args{r}=~/gz$/){
+    open (IN, "$decomp $args{r} |../aux/adtrace/adtrace -|") or die "cannot execute $decomp $args{r} |../aux/adtrace/adtrace - : $!\n";
+    $fh = *IN;
+}elsif($args{r}){
+    open (IN, "../aux/adtrace/adtrace $args{r}|") or die "cannot execute ./adtrace/adtrace $args{r}: $!\n";
+    $fh = *IN;
+}elsif($args{t} and $args{t}=~/gz$/){
+    open (IN, "$decomp $args{t} |") or die "cannot execute $decomp $args{t} | : $!\n";
+    $fh = *IN;
+}elsif($args{t} and $args{t} eq "-"){
+    $fh = *STDIN;
+}else{
+    open (IN, "$args{t}") or die "cannot open $args{t}: $!\n";
+    $fh = *IN;
+}
+
+my %cMacs;
+my %macIP;
+
+#for statistics:
+my $ips=0;
+my $pkt=0;
+
+my $line;
+while ($line=<$fh>){
+    chomp($line);
+    $pkt++;
+    my ($sMac, $dMac, $sIP, $dIP)=split(/ /, $line);
+
+    if (!$multicast and $sIP=~/^(\d+)\./ and $1>=$MCASTMIN and $1<=$MCASTMAX){next;}
+    if (!$multicast and $dIP=~/^(\d+)\./ and $1>=$MCASTMIN and $1<=$MCASTMAX){next;}
+
+    $macIP{$sMac}->{count}++ if (!exists $macIP{$sMac}->{$sIP});    
+    $macIP{$sMac}->{$sIP}++;
+    $macIP{$dMac}->{count}++ if (!exists $macIP{$dMac}->{$dIP});
+    $macIP{$dMac}->{$dIP}++;
+    
+    $cMacs{join(" ", sort($sMac, $dMac))}++;
+
+}
+
+close ($fh);
+
+foreach my $mac (keys %macIP){
+    $ips += $macIP{$mac}->{count};
+}
+
+printf ("observed %d MAC adresses\n", scalar(keys %macIP));
+print (join ("\n", keys %cMacs));
+print "\n";
+print "observed $pkt packets and $ips distinct IP adresses\nLocal IP addresses:\n";
+
+
+if ($broout){
+    open (OUT, "> $broout") or die "cannot open $broout: $!\n";
+    print OUT "### Local Networks automatically generated by localnetMAC.pl ###\n";
+    if ($aggto){
+	print OUT "### NOTE: Internal Networks have been aggregated up to /$aggto networks.\n";
+	print OUT "### NOTE: Therefore it may happen that some external Networks\n";
+	print OUT "### NOTE: are considered local\n";
+    }
+    print OUT "### file generated at ".localtime()." (local system-time)\n";
+    printf OUT ("### observed %d MAC adresses:\n###\t", scalar(keys %macIP));
+    print OUT (join ("\n###\t", keys %cMacs));
+    print OUT "\n";
+    print OUT "### observed $pkt packets and $ips distinct IP adresses\n";
+    print OUT "\n\n";
+    print OUT "\@load site\n\n";
+    print OUT "redef local_nets: set[subnet] = {\n";
+}
+
+foreach my $macPair (keys %cMacs){
+    my ($mac1, $mac2) = split(/ /, $macPair);
+    my %record1;
+    my %record2;
+    my ($smallRec, $bigRec);
+    $record1{mac} = $mac1;
+    $record2{mac} = $mac2;
+    $record1{hash} = $macIP{$mac1};
+    $record2{hash} = $macIP{$mac2};
+    $record1{count} = delete $record1{hash}->{count};
+    $record2{count} = delete $record2{hash}->{count};
+    $record1{masks} = [];
+    $record2{masks} = [];
+
+    if ($debug){
+	print "*** $mac1 ($record1{count}) ***\n";
+	print join("\n", sort keys %{$macIP{$mac1}});
+	print "\n*** $mac1 ($record1{count}) end***\n";
+	print "*** $mac2 ($record2{count}) ***\n";
+	print join("\n", sort keys %{$macIP{$mac2}});
+	print "\n*** $mac2 ($record2{count}) end***\n";
+    }
+
+    my @ips1 = map(getIPFromString($_), keys %{$record1{hash}});
+    $record1{ips} = \@ips1;
+    aggregateSinglesTo($record1{ips}, $record1{masks}, $aggto) if ($aggto);
+    my @ips2 = map(getIPFromString($_), keys %{$record2{hash}} );
+    $record2{ips} = \@ips2;
+    aggregateSinglesTo($record2{ips}, $record2{masks}, $aggto) if ($aggto);
+
+    if (scalar( @{$record1{ips}} ) < scalar( @{$record2{ips}} )){
+	$smallRec = \%record1;
+	$bigRec = \%record2;
+    }else{
+	$smallRec = \%record2;
+	$bigRec = \%record1;
+    }
+    if ($broout){
+	printf OUT ("\t# $smallRec->{mac}: %d(%d) IPs (considered local);\n\t# $bigRec->{mac}: %d(%d) IPs (considered extern)\n", 
+		    scalar( @{$smallRec->{ips}} ),$smallRec->{count}, 
+		    scalar( @{$bigRec->{ips}} ), $bigRec->{count});
+    }
+    printf ("$smallRec->{mac}: %d(%d) IPs (considered local); $bigRec->{mac}: %d(%d) IPs (considered extern)\n", 
+	    scalar( @{$smallRec->{ips}} ),$smallRec->{count},
+	    scalar( @{$bigRec->{ips}} ), $bigRec->{count});
+    @{$smallRec->{ips}} = map( getStringFromIP($_), @{$smallRec->{ips}} );
+    @{$smallRec->{masks}} = map( getPrefixFromMask($_), @{$smallRec->{masks}} );
+    for(my $i = 0; $i <= $#{$smallRec->{ips}}; $i++){
+	if ($smallRec->{masks}->[$i]){
+	    print "$smallRec->{ips}->[$i]/$smallRec->{masks}->[$i]\n";
+	    if ($broout){print OUT "\t $smallRec->{ips}->[$i]/$smallRec->{masks}->[$i],\n";}
+	}else{
+	    print "$smallRec->{ips}->[$i]\n";
+	    if ($broout){print OUT "\t $smallRec->{ips}->[$i]/32,\n";}
+	}
+    }
+}
+
+if ($broout){
+    print OUT "};\n";
+    close(OUT);
+}
diff --git a/scripts/mail_notice.sh b/scripts/mail_notice.sh
new file mode 100755
index 0000000000..d2925dd49c
--- /dev/null
+++ b/scripts/mail_notice.sh
@@ -0,0 +1,28 @@
+#!/bin/sh
+#
+# This is a sample script to provide basic email notification for
+# notices marked NOTICE_EMAIL .
+#
+# Usage: mail_notice "subject" recipient (optional config path)
+
+notice="/tmp/bro.notice.$$"
+
+# Clean up after ourselves.
+trap "rm -f $notice; exit" 1 2 15
+
+# Where are we located.
+base=`dirname $0`
+
+# Set up the environment.
+if [ $3 ] ; then
+	. $3
+else
+	. $base/../etc/bro.cfg
+fi
+
+echo "From:<$BRO_EMAIL_FROM>" > $notice
+echo "To:<$2>" >> $notice
+echo "Subject: Bro alarm: $1" >> $notice
+
+sendmail <$notice -oi -f $BRO_EMAIL_FROM $2
+rm -f $notice
diff --git a/scripts/mail_reports.sh b/scripts/mail_reports.sh
new file mode 100755
index 0000000000..6e67177677
--- /dev/null
+++ b/scripts/mail_reports.sh
@@ -0,0 +1,81 @@
+#!/bin/sh
+#
+# Shell script to mail reports, should be called from
+# crontab
+# $Id: mail_reports.sh 1554 2005-10-24 22:20:26Z tierney $
+#
+# Usage: mail_reports.sh configFile (default config file = ../etc/bro.cfg)
+
+gpg_error=""
+sent_message=""
+tmp_file="/tmp/bro.report.$$"
+
+# Clean up after ourselves.
+trap "rm $tmp_file; exit" 1 2 15
+
+# Where are we located.
+base=`dirname $0`
+
+# Set up the environment.
+if [ $1 ] ; then
+   . $1
+else
+   . $base/../etc/bro.cfg
+fi
+
+for f in /usr/bin/sendmail /usr/sbin/sendmail /usr/lib/sendmail; do
+   if [ -x ${f} ]; then
+	    d="`dirname ${f}`"
+	    PATH="${d}:${PATH}"
+	    export PATH
+   fi
+done
+
+# find the newest report in the report directory
+report=`ls -1t $BRO_REPORT_DIR/$BRO_SITE_NAME*.rpt | head -1`
+report_interval=`grep Report $report | awk '{print $6,"-",$9}'`
+
+# set up temporary report with subject line embedded
+report_subject="Subject: $BRO_HOSTNAME Report: $report_interval"
+
+# and email it
+# if encrypted make sure we have a good (gpg) bin  and keys
+if [ $BRO_ENCRYPT_EMAIL = "YES" ] ; then
+    if [ -x $BRO_GPG_BIN ] ; then
+	for recpt in $BRO_EMAIL_LOCAL ;  do
+	    echo "From: <$BRO_EMAIL_FROM>" > $tmp_file
+	    echo "To: <$recpt>" >> $tmp_file
+	    echo "$report_subject" >> $tmp_file
+	    cat $report | $BRO_GPG_BIN --yes -ea -r $recpt >> $tmp_file
+	    # If the encryption fails, send it unencrypted
+	    if [ $? -ne 0 ] ; then
+		echo "From:<$BRO_EMAIL_FROM>" > $tmp_file
+		echo "To: <$recpt>" >> $tmp_file
+		echo "$report_subject" >> $tmp_file
+		cat $report >> $tmp_file
+	    fi
+	    cat $tmp_file | sendmail -oi -f $BRO_EMAIL_FROM $recpt
+	done
+	sent_message="1"
+	rm $tmp_file
+    else
+	gpg_error="1"
+    fi
+fi
+
+# if there was an error or we are sending unencrypted ...
+if [ -z $sent_message ] ; then
+    for recpt in $BRO_EMAIL_LOCAL ;  do
+	echo "From: <$BRO_EMAIL_FROM>" > $tmp_file
+	echo "To: <$recpt>" >> $tmp_file
+	echo "$report_subject" >> $tmp_file
+	cat $report >> $tmp_file
+	if [ $gpg_error ] ; then
+	    echo "Invalid gpg bin $BRO_GPG_BIN" >> $tmp_file
+	fi
+	cat $tmp_file | sendmail -oi -f $BRO_EMAIL_FROM $recpt
+    done
+    rm  $tmp_file
+fi
+
+exit 0
diff --git a/scripts/make-ftp-safe-vocabulary.awk b/scripts/make-ftp-safe-vocabulary.awk
new file mode 100644
index 0000000000..57c83d3352
--- /dev/null
+++ b/scripts/make-ftp-safe-vocabulary.awk
@@ -0,0 +1,19 @@
+# Usage:
+#
+# grep "^word_in_reply" ftp-anon.log |
+# grep -v "ty=ip" |
+# sort -k 3 -k 2 -k 5 -n -r |
+# awk -f make-ftp-safe-vocabulary.awk -
+#
+# grep "^word_in_reply" ftp-anon.log | grep -v "ty=ip" | awk -f make-ftp-safe-vocabulary.awk - | sort
+
+BEGIN	{
+    FS = ",";
+	print "redef safe_ftp_word += {"
+	}
+
+	{
+	printf("# \t%s, \t\t# %s, %s, %s\n", $2, $3, $4, $5);
+	}
+
+END	{ print "};" }
diff --git a/scripts/my-local.bro b/scripts/my-local.bro
new file mode 100644
index 0000000000..ab513666fd
--- /dev/null
+++ b/scripts/my-local.bro
@@ -0,0 +1,20 @@
+# $Id: my-local.bro 507 2004-10-12 11:43:19Z rwinslow $
+
+# This file is intended for host specific Bro policy.
+
+# What is host specific?  It can be anything that is not the default
+# after installation.  This is the place to make tweaks and changes
+# to modify policy to suite your network environment and preferences.
+
+@load brolite	# root policy which loads all other default policies.
+@load intern	# file generated by the network script for dynamic config
+		# of the local network subnets.
+@load my-site	# local policy file with site specific configurations.
+
+
+
+# Make any changes to policy starting here
+
+# Load Bro rules
+redef signature_files += "s2b-addendum-sigs";
+redef signature_files += "s2b";
diff --git a/scripts/my-site.bro b/scripts/my-site.bro
new file mode 100644
index 0000000000..fcc2469969
--- /dev/null
+++ b/scripts/my-site.bro
@@ -0,0 +1,17 @@
+# $Id: my-site.bro 506 2004-10-12 11:13:03Z rwinslow $
+
+# This file is intended for site specific Bro policy.
+
+# What is site specific?  For instances in which there are multiple
+# Bro machines or instances running it may be useful to store common
+# configuration data among them.
+
+# Common data may be certain subnets to which attacks should be alerted
+# differently or perhaps certain addresses which you never care about
+# or want to change the notice actions.
+
+# This file is left blank as a place holder.
+
+
+
+
diff --git a/scripts/perl/MANIFEST b/scripts/perl/MANIFEST
new file mode 100644
index 0000000000..ebd707e4ae
--- /dev/null
+++ b/scripts/perl/MANIFEST
@@ -0,0 +1,13 @@
+lib/Bro/Config.pm
+lib/Bro/Log.pm
+lib/Bro/Log/Alarm.pm
+lib/Bro/Log/Conn.pm
+lib/Bro/Report.pm
+lib/Bro/Report/Alarm.pm
+lib/Bro/Report/Conn.pm
+lib/Bro/Signature.pm
+Makefile.PL
+MANIFEST			This list of files
+README
+script/edit-brorule.pl
+script/site-report.pl
diff --git a/scripts/perl/Makefile.PL b/scripts/perl/Makefile.PL
new file mode 100644
index 0000000000..aa5175ca4f
--- /dev/null
+++ b/scripts/perl/Makefile.PL
@@ -0,0 +1,230 @@
+require 5.006_001;
+use ExtUtils::MakeMaker;
+use Cwd;
+use strict;
+# See lib/ExtUtils/MakeMaker.pm for details of how to influence
+# the contents of the Makefile that is written.
+
+my @args = @ARGV;
+my @cleaned_args;
+my $scripts_dir = './script';
+my $scripts_list;
+my $brohome = '';
+my $broconfig = '';
+my %extra_args = ( 'BROHOME' => \$brohome, 'BROCONFIG' => \$broconfig, );
+
+# Look for any extra args that are not recognized by MakeMaker.  Use and
+# then omit from the array of the final args to pass to MakeMaker.
+foreach my $arg( @args )
+{
+	$arg =~ m/^(.+)=(.+)/;
+	my $key = $1;
+	my $val = $2;
+	if( exists( $extra_args{$key} ) )
+	{
+		${$extra_args{$key}} = $val;
+	}
+	else
+	{
+		push( @cleaned_args, $arg );
+	}
+}
+
+# If any extra args that are not recognized by MakeMaker existed they are removed
+# by now.
+@_ = @cleaned_args;
+@ARGV = @cleaned_args;
+
+if( ! $brohome )
+{
+	if( exists( $ENV{BROHOME} ) )
+	{
+		$brohome = $ENV{BROHOME};
+	}
+	else
+	{
+		$brohome = '/usr/local/bro';
+	}
+}
+
+if( ! $broconfig )
+{
+	$broconfig = "$brohome/etc/bro.cfg";
+}
+
+
+
+check_prereqs();
+
+$scripts_list = get_exe_list();
+
+foreach my $file( @{$scripts_list} )
+{
+	setbroconfig( $broconfig, $file );
+}
+
+WriteMakefile(
+	'NAME'			=> 'Bro',
+	'DISTNAME'		=> 'Bro-Utilities',
+	'VERSION_FROM'		=> 'lib/Bro/Config.pm', # finds $VERSION
+	'PREREQ_PM'		=> { 'Config::General' => 2.27,
+					'Time::Local' => 0,
+					'Getopt::Long' => 0,
+					'Socket' => 0,
+					},
+	'EXE_FILES'		=> $scripts_list,
+	'dist'		=> {
+		'COMPRESS'	=> 'gzip',
+		'SUFFIX'		=> 'gz'
+	},
+	($] >= 5.005 ?    ## Add these new keywords supported since 5.005
+	('AUTHOR'		=> 'Roger Winslow <rwinslow@lbl.gov>') : ()),
+);
+
+
+sub chk_version
+{
+	no strict qw( refs vars );
+	my($pkg,$wanted,$msg) = @_;
+
+	local($|) = 1;
+	print "Checking for $pkg...";
+
+	eval { my $p; ($p = $pkg . ".pm") =~ s#::#/#g; require $p; };
+
+	print ${"${pkg}::VERSION"} ? "found v" . ${"${pkg}::VERSION"}
+						   : "not found";
+	print "\n";
+	my $vnum = ${"${pkg}::VERSION"} || 0;
+
+	if( $vnum >= $wanted )
+	{
+		print "$pkg is installed\n";
+		return( 1 );
+	}
+	else
+	{
+		return();
+	}
+	
+	use strict;
+}
+
+sub check_prereqs
+{	
+	my $failed_prereq = 0;
+	
+	# Require perl version 5.6.1 or greater
+	eval { require 5.006_001; };
+	if( $@ )
+	{
+		die( "The minimum version of perl required is 5.6.1 (5.006_001).  Please use a different perl binary to install this package.\n" );
+	}
+	
+	if( chk_version( 'Config::General' => '2.27' ) )
+	{
+		# do nothing
+	}
+	else
+	{
+		my $orig_dir = cwd();
+		
+		# Bypass the user prompt for this version
+		# my $confer = prompt( "Config::General is not installed. Would you like to install it now?",
+		#		'yes' );
+		
+		my $confer = 'y';
+		if( $confer =~ m/yes|y/i )
+		{
+			chdir 'ext';
+			unpack_archive( 'Config-General-2.27.tar.gz' );
+			chdir 'Config-General-2.27';
+			print "Installing Config-General-2.27.\n";
+			sleep( 1 );
+			do 'Makefile.PL';
+			if( system( "make; make install" ) == 0 )
+			{
+				print "\n ........... done\n";
+			}
+			else
+			{
+				warn( "Failed to install perl package Config-General-2.27.\n" );
+			}
+			
+			chdir "$orig_dir";
+		}
+	}
+	
+	if( $failed_prereq )
+	{
+		warn( "Failed one or more prerequisite test, unable to continue.\n" );
+		exit( 1 );
+	}
+
+	print "\n";
+}
+
+sub unpack_archive
+{
+	my $_archive = shift || return( undef );
+	
+	system( "gzip -d < $_archive | tar xf -" );
+}
+
+sub get_exe_list
+{
+	my @ret_list;
+	
+	if( ! opendir( DIR, $scripts_dir ) )
+	{
+		warn( "Failed to open the scripts directory at $scripts_dir. Unable to continue.\n" );
+		exit( 1 );
+	}
+	
+	while( my $file = readdir( DIR ) )
+	{
+		if( $file !~ m/^\./ and $file !~ m/^makefile.*/i and
+			-f "$scripts_dir/$file" )
+		{
+			push( @ret_list, "$scripts_dir/$file" );
+		}
+	}
+	closedir( DIR );
+	
+	return( \@ret_list );
+}
+
+sub setbroconfig
+{
+	my $sub_name = 'setbroconfig';
+	
+	my $_broconfig = shift || return( undef );
+	my $_file = shift || return( undef );
+	
+	if( ! open( INFILE, $_file ) )
+	{
+		warn( "$sub_name, Failed to open file $_file for reading.\n" );
+		return( undef );
+	}
+	
+	if( ! open( OUTFILE, ">$_file.in" ) )
+	{
+		warn( "$sub_name, Failed to open file $_file.in for writing.\n" );
+		return( undef );
+	}
+	
+	while( defined( my $line = <INFILE> ) )
+	{
+		$line =~ s/^([[:space:]]*\$DEFAULT_BRO_CONFIG_FILE[[:space:]]*=[[:space:]]*).+(\;.*)$/$1\'$_broconfig\'$2/;
+        $line =~ s/\$DEFAULT_BRO_HOME/$brohome/;
+		print OUTFILE $line;
+	}
+	
+	close( OUTFILE );
+	close( INFILE );
+	
+	system( "mv -f $_file.in $_file" );
+	
+	return( 1 );
+}
+
diff --git a/scripts/perl/README b/scripts/perl/README
new file mode 100644
index 0000000000..082febe528
--- /dev/null
+++ b/scripts/perl/README
@@ -0,0 +1,64 @@
+This follows the same mantra as all other perl installers.
+
+
+PURPOSE:
+
+  This will install perl modules, libraries, and scripts that are used
+  for reports, editing signatures, and other useful utilities.
+
+
+DEFINITIONS:
+
+  $(PERL) is the path to the perl binary which you wish to use.
+  $(INSTALL_ROOT) is this directory which contains the Makefile.PL file.
+  BROHOME is the variable found in bro.cfg and defines the start of all
+    things Bro. (default: /usr/local/bro)
+  BROCONFIG is the location of the bro.cfg file.  (default: 
+    /usr/local/bro/etc/bro/cfg)
+
+
+REQUIREMENTS:
+
+  The minimum version of perl required by this installer and it's libraries
+  is 5.6.1 (5.006_001)
+  
+  The following perl modules are required:
+    Socket
+    Time::Local
+    Config::General (included and will install if neccessary)
+    Cwd
+    Getopt::Long
+
+
+INSTALL:
+
+  $(PERL) Makefile.PL (optional args)
+  make
+  make install
+
+
+INSTALLER NOTES:
+
+  For those of you maintaining this installer and/or want to include
+  additional packages to be installed here's how things are setup.
+  
+  $(INSTALL_ROOT)/lib contains perl modules (ending in .pm) and will be
+  installed in the perl site directory.
+  
+  $(INSTALL_ROOT)/script contains executable perl scripts which will be
+  installed in the directory defined by INSTALLSCRIPT.  The bang paths
+  will be automatically changed to the path of the perl binary that was
+  used to run Makefile.PL.  Files placed in here will also be scanned
+  for the variable $DEFAULT_BRO_CONFIG_FILE.  The value will automatically
+  be changed to one of the following in the order listed:
+    arguments passed to Makfile.PL:
+      BROCONFIG  (this is the path to bro.cfg)
+      BROHOME    (this is the path to BROHOME.  etc/bro.cfg will be appended)
+    Environment variable:
+      $BROHOME   (this is the path to BROHOME.  etc/bro.cfg will be appended)
+  
+  $(INSTALL_ROOT)/ext contains gzipped perl modules which are included
+  as a convenience.  These are packages created by other developers and
+  are usually found on cpan.org.  It will be necessary to change Makefile.PL
+  if additional packages are placed in here and they need to be installed.
+  
\ No newline at end of file
diff --git a/scripts/perl/ext/Config-General-2.27.tar.gz b/scripts/perl/ext/Config-General-2.27.tar.gz
new file mode 100644
index 0000000000..b6b2ce559a
Binary files /dev/null and b/scripts/perl/ext/Config-General-2.27.tar.gz differ
diff --git a/scripts/perl/lib/Bro/Config.pm b/scripts/perl/lib/Bro/Config.pm
new file mode 100644
index 0000000000..0fd6b3342d
--- /dev/null
+++ b/scripts/perl/lib/Bro/Config.pm
@@ -0,0 +1,120 @@
+package Bro::Config;
+
+use strict;
+use Config::General;
+require Exporter;
+
+use vars qw( $VERSION
+			$DEBUG
+			@ISA
+			@EXPORT_OK
+			%DEFAULTS
+			$DEFAULT_CONFIG_FILE
+			$BRO_CONFIG );
+
+# $Id: Config.pm 987 2005-01-08 01:04:43Z rwinslow $
+$VERSION = 1.20;
+$DEBUG = 0;
+
+@ISA = ( 'Exporter' );
+@EXPORT_OK = qw( $BRO_CONFIG );
+%DEFAULTS = ( BROHOME => '/usr/local/bro',
+			BRO_POLICY_SUFFIX => '.bro',
+			BRO_SIG_SUFFIX => '.sig',
+			META_DATA_PREFIX => '.',
+			);
+			
+$DEFAULTS{CONFIG_FILE} = $DEFAULTS{BROHOME} . '/etc/bro.cfg';
+
+sub parse
+{
+	my $sub_name = 'parse';
+	
+	my %args = @_;
+	my $config_file;
+	my $brohome;
+	my $conf;
+	my $ret_hash;
+	
+	# Check for a config-path that may override the default
+	if( exists( $args{'File'} ) )
+	{
+		$config_file = $args{'File'};
+	}
+	else
+	{
+		$config_file = $DEFAULT_CONFIG_FILE;
+	}
+	
+	# Check for the existance and readability of the config file
+	if( !( -f $config_file and -r $config_file ) )
+	{
+		warn( __PACKAGE__ . "::$sub_name, The Bro config file at $config_file is not readable\n" );
+		return( undef );
+	}
+	
+	$conf = Config::General->new( -ConfigFile => $config_file,
+						-MergeDuplicateOptions => 1,
+						-AutoTrue => 1,
+					);
+	%{$ret_hash} = $conf->getall;
+	
+	return( $ret_hash );
+}
+
+sub Configure
+{
+	my $sub_name = 'Configure';
+	
+	my %args = @_;
+		
+	if( exists( $args{File} ) )
+	{
+		if( $args{File} !~ m/[\;\|\?\*\&\{\}]/ and $args{File} =~ m/^([[:print:]]+)$/ )
+		{
+			my $clean_name = $1;
+			if( -f $clean_name and -r $clean_name )
+			{
+				$DEFAULT_CONFIG_FILE = $clean_name;
+			}
+			else
+			{
+				warn( __PACKAGE__ . "::$sub_name, Unable to read config file at $clean_name\n" );
+				return( undef );
+			}
+		}
+		else
+		{
+			warn( __PACKAGE__ . "::$sub_name, Filename contains invalid characters\n" );
+			return( undef );
+		}
+	}
+	
+	$BRO_CONFIG = parse();
+	
+	# Set other defaults that have been omitted or don't exist in the config file
+	setdefaults();
+	
+	return( 1 );
+}
+
+sub setdefaults
+{
+	my $sub_name = 'setdefaults';
+	
+	my $override = $_[0] || 0;
+	my @variables_changed;
+	
+	foreach my $key( keys( %DEFAULTS ) )
+	{
+		if( $override or !( exists( $BRO_CONFIG->{$key} ) ) )
+		{
+			$BRO_CONFIG->{$key} = $DEFAULTS{$key};
+			push( @variables_changed, $key )
+		}
+	}
+	
+	return( @variables_changed );
+}
+
+1;
\ No newline at end of file
diff --git a/scripts/perl/lib/Bro/Log.pm b/scripts/perl/lib/Bro/Log.pm
new file mode 100644
index 0000000000..ceed5b747d
--- /dev/null
+++ b/scripts/perl/lib/Bro/Log.pm
@@ -0,0 +1,295 @@
+package Bro::Log;
+
+require 5.006_001;
+use strict;
+use Bro::Config( '$BRO_CONFIG' );
+use Time::Local;
+
+use vars qw( $VERSION
+			$BROLOGS );
+
+# $Id: Log.pm 2865 2006-04-27 19:09:18Z tierney $
+$VERSION = 1.20;
+
+
+
+# This is the bare minimum format in which the filename must conform
+my $FILENAME_REGEX = qr/^[[:alnum:]]\.(?:log|[[:print:]]\.[[:print:]])/;
+
+# filename produced by Bro running from a trace file
+my $name_trace = qr/^([[:alnum:]]+)\.log$/;
+
+# filename produced from a Bro running on live traffic and currently open
+# or logs that are not rotated or post processed
+my $name_running = qr/^([[:alnum:]]+)	# log name
+				\.	# seperator
+				([^-][[:alnum:]-]*(?:\.[^-][[:alnum:]-])*)	# hostname
+				\.	# seperator
+				([[:digit:]]{2}-[[:digit:]]{2}-[[:digit:]]{2} # date
+				_	# time seperator
+				[[:digit:]]{2}\.[[:digit:]]{2}\.[[:digit:]]{2})	# time
+				$/x;
+
+# filename produced after post processing for things like the GUI.  The 
+# filename contains the log name, hostname, begin epoch time, and end 
+# epoch time.
+my $name_epoch_range = qr/^([[:alnum:]]+)	# log name
+				\.	# seperator
+				([^-][[:alnum:]-]*(?:\.[^-][[:alnum:]-])*)	# hostname
+				\.	# seperator
+				([[:digit:]]{10})	# beginning epoch time
+				-	# seperator
+				([[:digit:]]{10})	# ending epoch time
+				$/x;
+
+my $name_rotate_log = qr/^([[:alnum:]]+)   # log name
+                 \.  # seperator
+                   ([^-][[:alnum:]-]*(?:\.[^-][[:alnum:]-])*)  # hostname
+                   \.	# seperator
+                   ([[:digit:]]{2}-[[:digit:]]{2}-[[:digit:]]{2} # date
+                   _	# time seperator
+                   [[:digit:]]{2}\.[[:digit:]]{2}\.[[:digit:]]{2})	# time
+                   -	# second time seperator
+                   ([[:digit:]]{2}-[[:digit:]]{2}-[[:digit:]]{2} # date
+                   _	# time seperator
+                   [[:digit:]]{2}\.[[:digit:]]{2}\.[[:digit:]]{2})	# time
+                   (\.log)?$/x;
+
+sub activelog
+{
+	my $sub_name = 'activelog';
+
+	my $log_dir = $BRO_CONFIG->{BROLOGS};
+	my $ret_str;
+
+	if( !( defined( $log_dir ) ) )
+	{
+		warn( "no log directory defined\n" );
+		return( undef );
+	}
+
+	if( -f "$log_dir/active_log" )
+	{
+		if( open( I_FILE, "$log_dir/active_log" ) )
+		{
+			if( defined( $ret_str = <I_FILE> ) )
+			{
+				# remove any trailing newlines
+				if( $ret_str !~ m/[[:space]]+$/ )
+				{
+					chomp( $ret_str );
+				}
+				else
+				{
+					return( 0 );
+				}
+			}
+			else
+			{
+				return( 0 );
+			}
+		}
+		else
+		{
+			warn( "Failed to read the active log file at $log_dir/active_log\n" );
+		}
+
+		close( I_FILE );
+	}
+	else
+	{
+		return( 0 );
+	}
+
+	return( $ret_str );
+}
+
+sub loglist
+{
+	my $sub_name = 'log_list';
+
+	my $__log_type = $_[0] || return( undef );
+	my $brologs_dir = $BRO_CONFIG->{BROLOGS};
+	my @ret_list;
+
+	if( opendir( DIR, $brologs_dir ) )
+	{
+		while( defined( my $file_name = readdir( DIR ) ) )
+		{
+			if( my $log_type = ( filenametoepochtime( $file_name ) )[0] )
+			{
+				if( $log_type eq $__log_type )
+				{
+					push( @ret_list, "$brologs_dir/$file_name" );
+				}
+			}
+		}
+	}
+	else
+	{
+		warn( __PACKAGE__ . "::$sub_name, Unable to open the BROLOGS directory\n" );
+		return( undef );
+	}
+
+	closedir( DIR );
+
+	if( wantarray )
+	{
+		return( @ret_list );
+	}
+	else
+	{
+		return( \@ret_list );
+	}
+}
+
+sub filenametoepochtime
+{
+	my $sub_name = 'filenametoepochtime';
+
+	# returns the log name, hostname, start time, and end time
+	# log name will always return.
+	# If any of the other three are not available then return value
+	# will be undef.
+	
+	my $filename = $_[0] || return( undef );
+	my $log_name;
+	my $host_name;
+	my $start_time;
+	my $end_time;
+	
+	if( ! $filename =~ $FILENAME_REGEX )
+	{
+		print "$filename is bad!!\n";
+		return( undef );
+	}
+	
+	# There are several ways in which the filename is formatted.  This
+	# if tree attempts to parse each of those
+	
+	# Log name but no hostname or times.  This can occur when running Bro
+	# from a trace file.
+	if( $filename =~ $name_trace )
+	{
+		$log_name = $1;
+	}
+	# filename contains the log name, hostname, and start time.  This usually
+	# occurs on filenames which are currently being written to or are not
+	# rotated.
+	elsif( my @file_parts = $filename =~ $name_running )
+	{
+		my $start_time_string;
+		( $log_name, $host_name, $start_time_string ) = ( @file_parts );
+		
+		# split up the string so it can be passed to timetoepoch
+		my @parts = $start_time_string =~ m/^([[:digit:]]{2})	# year
+		-	# seperator
+		([[:digit:]]{2})	# month
+		-	# seperator
+		([[:digit:]]{2}) # day
+		_	# time seperator
+		([[:digit:]]{2})	# hour
+		\.	# seperator
+		([[:digit:]]{2})	# minute
+		\.	# seperator
+		([[:digit:]]{2})	# second
+		$/x;
+		
+		if( @parts == 6 )
+		{
+			$start_time = timetoepoch( @parts );
+		}
+		else
+		{
+			return( undef );
+		}
+	}
+	# filename contains the log name, hostname, epoch start time, epoch end time
+	elsif( my @file_parts = $filename =~ $name_epoch_range )
+	{
+		( $log_name, $host_name, $start_time, $end_time ) = @file_parts;
+	}
+    # filename contains the log name, hostname, start time and end time as
+    # strings as put out by rotate logs.
+    # i.e weird.lite3.06-04-27_10.40.53-06-04-27_10.41.12
+    elsif( my @file_parts = $filename =~ $name_rotate_log )
+    {
+        my $start_time_string;
+        my $end_time_string;
+
+        ( $log_name, $host_name, $start_time_string, $end_time_string ) = @file_parts;
+
+	#print "***** $filename: st: $start_time_string, et: $end_time_string\n";
+
+        # look at the start date
+        my @parts = $start_time_string =~ m/^([[:digit:]]{2})	# year
+        -	# seperator
+        ([[:digit:]]{2})	# month
+        -	# seperator
+        ([[:digit:]]{2}) # day
+        _	# time seperator
+        ([[:digit:]]{2})	# hour
+        \.	# seperator
+        ([[:digit:]]{2})	# minute
+        \.	# seperator
+        ([[:digit:]]{2})	# second
+        $/x;
+        $start_time = timetoepoch( @parts );
+
+        # look at the start date
+        @parts = $end_time_string =~ m/^([[:digit:]]{2})	# year
+        -	# seperator
+        ([[:digit:]]{2})	# month
+        -	# seperator
+        ([[:digit:]]{2}) # day
+        _	# time seperator
+        ([[:digit:]]{2})	# hour
+        \.	# seperator
+        ([[:digit:]]{2})	# minute
+        \.	# seperator
+        ([[:digit:]]{2})	# second
+        $/x;
+
+        $end_time = timetoepoch( @parts );
+
+	#print "***** st: $start_time, et: $end_time\n";
+    }
+	else
+	{
+		return( undef );
+	}
+	
+	return( $log_name, $host_name, $start_time, $end_time );
+}
+
+sub timetoepoch
+{
+	my $sub_name = 'timetoepoch';
+	
+	# arguments are in the order
+	# year
+	# month
+	# day
+	# hour
+	# minutes
+	# seconds
+	
+	my $epoch_time;
+	my( $year, $mon, $day, $hour, $min, $sec ) = @_;
+	# The month fed into timelocal is 0 based index
+	if( $mon > 0 )
+	{
+		--$mon;
+	}
+	
+	if( $epoch_time = timelocal($sec,$min,$hour,$day,$mon,$year) )
+	{
+		return( $epoch_time );
+	}
+	else
+	{
+		return( undef );
+	}
+}
+
+1;
diff --git a/scripts/perl/lib/Bro/Log/Alarm.pm b/scripts/perl/lib/Bro/Log/Alarm.pm
new file mode 100644
index 0000000000..d94168dfa5
--- /dev/null
+++ b/scripts/perl/lib/Bro/Log/Alarm.pm
@@ -0,0 +1,694 @@
+package Bro::Log::Alarm;
+
+use strict;
+require 5.006_001;
+use strict;
+
+use vars qw( $VERSION
+		%DATA_MAP );
+
+# $Id: Alarm.pm 987 2005-01-08 01:04:43Z rwinslow $
+$VERSION = 1.20;
+
+# Map data descriptions to subroutine names
+%DATA_MAP = ( t => \&timestamp,
+			timestamp => \&timestamp,
+			notice => \&notice_type,
+			notice_type => \&notice_type,
+			notice_act => \&notice_action,
+			notice_action => \&notice_action,
+			event_src => \&event_source,
+			event_source => \&event_source,
+			source_addr => \&source_addr,
+			src_addr => \&source_addr,
+			srcip => \&source_addr,
+			source_ip => \&source_addr,
+			src_port => \&source_port,
+			source_port => \&source_port,
+			destination_addr => \&destination_addr,
+			dst_addr => \&destination_addr,
+			dstip => \&destination_addr,
+			destination_ip => \&destination_addr,
+			dst_port => \&destination_port,
+			destination_port => \&destination_port,
+			user => \&user,
+			filename => \&filename,
+			sigid => \&sigid,
+			method => \&method,
+			URL => \&url,
+			n => \&misc_integer,
+			count => \&misc_integer,
+			return_code => \&misc_integer,
+			msg => \&message,
+			message => \&message,
+			sub_msg => \&sub_message,
+			sub_message => \&sub_message,
+			);
+
+sub new
+{
+	my $sub_name = 'new';
+	
+	# This is the parser for tag based alarm and notice files.
+	my $_log_line;
+	my @_args = @_;
+	my %alarm_parts;
+
+	if( @_args == 1 )
+	{
+		$_log_line = $_args[0];
+	}
+	else
+	{
+		return( undef );
+	}
+
+	# Order of data in array
+	# t = timestamp
+	# no = notice_type
+	# na = notice_action
+	# es = event_src, event_source
+	# sa = source_ip (source address)
+	# sp = source_port
+	# da = destination_ip (destination address)
+	# dp = destination_port
+	# user = user
+	# file = filename or sigid
+	# method = method
+	# url = URL
+	# num = count or number or return_code
+	# msg = message
+	# sub = sub_message
+	# tag = tag
+	
+	# Is this a tag based log line delimited by spaces?
+	if( $_log_line =~ m/^t\=/ )
+	{
+		my $i = 0;
+		my $i2 = 0;
+		my $len = length( $_log_line );
+		my $p_idx = 0;
+		my $buff_pos = 0;
+		my $subtr_len = 0;
+		my @log_parts;
+		
+		for( $i2 = 0; $i2 < $len; ++$i2 )
+		{
+			if( substr( $_log_line, $i2, 1 ) eq ' ' and
+				substr( $_log_line, $p_idx, 1 ) ne "\\" )
+			{
+				if( $subtr_len < 1 )
+				{
+					# Skip over this entry, probably just leading space.
+					# Regardless of what happened there is no useful data.
+				}
+				else
+				{
+					my $tag;
+					my $tag_data;
+					
+					( $tag, $tag_data ) = extracttag( substr( $_log_line, $buff_pos, $subtr_len ) );
+					if( exists( $alarm_parts{$tag} ) )
+					{
+						warn( __PACKAGE__ . "::$sub_name, Found duplicate tag '$tag', in data.  It will be ignored\n" );
+					}
+					else
+					{
+						$alarm_parts{$tag} = $tag_data;
+					}
+				}
+				$subtr_len = 0;
+				$p_idx = $i2 + 1;
+				$buff_pos = $i2 + 1;
+				++$i;
+			}
+			else
+			{
+				++$subtr_len;
+				$p_idx = $i2;				
+			}
+		}
+
+		# Get the last piece of data
+		my $tag;
+		my $tag_data;
+		( $tag, $tag_data ) = extracttag( substr( $_log_line, $buff_pos, $subtr_len ) );
+		
+		# Make sure this is not a duplicate tag.
+		if( exists( $alarm_parts{$tag} ) )
+		{
+			warn( __PACKAGE__ . "::$sub_name, Found duplicate tag '$tag', in data.  It will be ignored\n" );
+		}
+		else
+		{
+			# Remove any trailing newlines
+			chomp( $tag_data );
+			$alarm_parts{$tag} = $tag_data;
+		}
+	}
+	# Is this a colon delimited log line?
+	elsif( $_log_line =~ m/^[[:digit:]]{10}\.[[:digit:]]{6}/ and $_log_line =~ m/\:/ )
+	{
+		my $i = 0;
+		my $i2 = 0;
+		my $len = length( $_log_line );
+		my $p_idx = 0;
+		my $buff_pos = 0;
+		my $subtr_len = 0;
+		my @log_parts;
+		
+		for( $i2 = 0; $i2 < $len; ++$i2 )
+		{
+			if( substr( $_log_line, $i2, 1 ) eq ':' and
+				substr( $_log_line, $p_idx, 1 ) ne "\\" )
+			{
+				if( $subtr_len < 1 )
+				{
+					$log_parts[$i] = '';
+				}
+				else
+				{
+					$log_parts[$i] = substr( $_log_line, $buff_pos, $subtr_len );
+					$log_parts[$i] = unescape_colons( $log_parts[$i] );
+				}
+				$subtr_len = 0;
+				$p_idx = $i2 + 1;
+				$buff_pos = $i2 + 1;
+				++$i;
+			}
+			else
+			{
+				++$subtr_len;
+				$p_idx = $i2;				
+			}
+		}
+
+		# Get the last piece of data
+		$log_parts[$i] = unescape_colons( substr( $_log_line, $buff_pos, $subtr_len ) );
+		
+		# Remove any trailing newline that may have been left on
+		chomp( $log_parts[$i] );
+		
+		$alarm_parts{t} = $log_parts[0];
+		$alarm_parts{no} = $log_parts[1];
+		$alarm_parts{na} = $log_parts[2];
+		$alarm_parts{es} = $log_parts[3];
+		$alarm_parts{sa} = $log_parts[4];
+		$alarm_parts{sp} = $log_parts[5];
+		$alarm_parts{da} = $log_parts[6];
+		$alarm_parts{dp} = $log_parts[7];
+		$alarm_parts{user} = $log_parts[8];
+		$alarm_parts{file} = $log_parts[9];
+		$alarm_parts{method} = $log_parts[10];
+		$alarm_parts{url} = $log_parts[11];
+		$alarm_parts{num} = $log_parts[12];
+		$alarm_parts{msg} = $log_parts[13];
+		$alarm_parts{sub} = $log_parts[14];
+	}
+	else
+	{
+		return( undef );
+	}
+	
+	# Make sure that certain fields have values otherwise the data is invalid
+	if( exists( $alarm_parts{t} ) )
+	{
+		return( \%alarm_parts );
+	}
+	else
+	{
+		return( undef );
+	}
+	
+}
+
+sub unescape
+{
+	my $sub_name = 'unescape';
+	
+	&unescape_spaces;
+}
+
+sub unescape_spaces
+{
+	my $sub_name = 'unescape_spaces';
+	
+	my $data = $_[0];
+	
+	if( ! defined( $data ) )
+	{
+		return( undef );
+	}
+	else
+	{
+		$data =~ s/\\ / /g;
+		$data =~ s/\\\\/\\/g;
+	}
+	
+	return( $data );
+}
+
+sub unescape_colons
+{
+	my $sub_name = 'unescape_colons';
+	
+	my $data = $_[0];
+	
+	if( ! defined( $data ) )
+	{
+		return( undef );
+	}
+	else
+	{
+		$data =~ s/\\:/:/g;
+		$data =~ s/\\\\/\\/g;
+	}
+	
+	return( $data );
+}
+
+sub extracttag
+{
+	my $sub_name = 'extracttag';
+	
+	# Seperate the tag from it's data and return them.  If there is a problem
+	# this sub will return undef.  If a tag has no data then a zero length
+	# string will be returned.
+	
+	my $__data = $_[0];
+	my $ret_tag;
+	my $ret_data;
+	
+	# Seperate out the tag from the data
+	( $ret_tag, $ret_data ) = split( /\=/, $__data, 2 );
+	
+	if( length( $ret_tag ) > 0 )
+	{
+		if( defined( $ret_data ) )
+		{
+			$ret_data = unescape_spaces( $ret_data );
+		}
+		else
+		{
+			$ret_data = '';
+		}
+		
+		return( $ret_tag, $ret_data );
+	}
+	else
+	{
+		return( undef );
+	}
+}
+
+sub timestamp
+{
+	my $sub_name = 'timestamp';
+
+	my $data = $_[0];
+	my $format = $_[1];	# Maybe for future expansion.  Just thinking out loud.
+
+	return( $data->{t} );
+}
+
+sub notice_type
+{
+	my $sub_name = 'notice_type';
+
+	my $data = $_[0] || return( undef );
+
+	return( $data->{no} );
+}
+
+sub notice_action
+{
+	my $sub_name = 'notice_action';
+
+	my $data = $_[0] || return( undef );
+
+	return( $data->{na} );
+}
+
+sub event_source
+{
+	my $sub_name = 'event_source';
+
+	my $data = $_[0] || return( undef );
+	
+	if( exists( $data->{es} ) )
+	{
+		return( $data->{es} );
+	}
+	else
+	{
+		return( undef );
+	}
+}
+
+sub source_addr
+{
+	my $sub_name = 'source_addr';
+
+	my $data = $_[0] || return( undef );
+	
+	if( exists( $data->{sa} ) )
+	{
+		return( $data->{sa} );
+	}
+	else
+	{
+		return( undef );
+	}
+}
+
+sub source_ip
+{
+	# This is for backwards compatibility and will be removed in the future
+	&source_addr;
+}
+
+sub source_port
+{
+	my $sub_name = 'source_port';
+
+	my $data = $_[0] || return( undef );
+
+	if( exists( $data->{sp} ) )
+	{
+		return( $data->{sp} );
+	}
+	else
+	{
+		return( undef );
+	}
+}
+
+sub destination_addr
+{
+	my $sub_name = 'destination_addr';
+
+	my $data = $_[0] || return( undef );
+
+	return( $data->{da} );
+}
+
+sub destination_ip
+{
+	# This is for backwards compatibility and will be removed in the future
+	&destination_addr;
+}
+
+sub destination_port
+{
+	my $sub_name = 'destination_port';
+
+	my $data = $_[0] || return( undef );
+	
+	if( exists( $data->{dp} ) )
+	{
+		return( $data->{dp} );
+	}
+	else
+	{
+		return( undef );
+	}
+}
+
+sub user
+{
+	my $sub_name = 'user';
+
+	my $data = $_[0] || return( undef );
+	
+	if( exists( $data->{user} ) )
+	{
+		return( $data->{user} );
+	}
+	else
+	{
+		return( undef );
+	}
+}
+
+sub filename
+{
+	my $sub_name = 'filename';
+
+	my $data = $_[0] || return( undef );
+	
+	if( exists( $data->{file} ) )
+	{
+		return( $data->{file} );
+	}
+	else
+	{
+		return( undef );
+	}
+}
+
+sub sigid
+{
+	my $sub_name = 'sigid';
+	
+	&filename;
+}
+
+sub method
+{
+	my $sub_name = 'method';
+
+	my $data = $_[0] || return( undef );
+
+	if( exists( $data->{method} ) )
+	{
+		return( $data->{method} );
+	}
+	else
+	{
+		return( undef );
+	}
+}
+
+sub url
+{
+	my $sub_name = 'url';
+
+	my $data = $_[0] || return( undef );
+
+	if( exists( $data->{url} ) )
+	{
+		return( $data->{url} );
+	}
+	else
+	{
+		return( undef );
+	}
+}
+
+sub misc_integer
+{
+	my $sub_name = 'misc_integer';
+
+	my $data = $_[0] || return( undef );
+
+	if( exists( $data->{num} ) )
+	{
+		return( $data->{num} );
+	}
+	else
+	{
+		return( undef );
+	}
+}
+
+sub count
+{
+	&misc_integer;
+}
+
+sub return_code
+{
+	&misc_integer;
+}
+
+sub message
+{
+	my $sub_name = 'message';
+
+	my $data = $_[0] || return( undef );
+
+	if( exists( $data->{msg} ) )
+	{
+		return( $data->{msg} );
+	}
+	else
+	{
+		return( undef );
+	}
+}
+
+sub sub_message
+{
+	my $sub_name = 'sub_message';
+
+	my $data = $_[0] || return( undef );
+
+	if( exists( $data->{sub} ) )
+	{
+		return( $data->{sub} );
+	}
+	else
+	{
+		return( undef );
+	}
+}
+
+sub tag
+{
+	my $sub_name = 'tag';
+	
+	my $data = $_[0] || return( undef );
+	
+	if( exists( $data->{tag} ) )
+	{
+		return( $data->{tag} );
+	}
+	else
+	{
+		return( undef );
+	}
+}
+
+sub timerange
+{
+	my $sub_name = 'timerange';
+	# Find the most likely beginning and ending times covered by a given
+	# alarm file.
+
+	my $filename = $_[0];
+	my $start_time = 9999999999;
+	my $end_time = -1;
+	my $f_size = ( stat( $filename ) )[7];
+	
+	if( open( INFILE, $filename ) )
+	{
+		my $s_idx = 0;
+		my $s_no_change = 0;
+
+		# Find the smallest timestamp in the first 1000 lines.
+		while( defined( my $ln = <INFILE> ) and
+			( $s_idx < 1000 ) and
+			( $s_no_change < 20 ) )
+		{
+			if( my $alarm_line = new( $ln ) )
+			{
+				my $w_timestamp = timestamp( $alarm_line );
+				if( $w_timestamp < $start_time )
+				{
+					$start_time = $w_timestamp;
+					$s_no_change = 0;
+				}
+				else
+				{
+					++$s_no_change;
+				}
+			}
+
+			++$s_idx;
+		}
+
+		close( INFILE );
+
+		# Find the largest timestamp in the last 1000 lines
+		# Each connection with a status of "SF" will be counted as one line
+		# Every line will be examined but the "SF" lines are the only ones
+		# that give a good picture as to the time state of the file.
+		if( sysopen( INFILE, $filename, 0 ) )
+		{
+			sysseek( INFILE, $f_size, 0 );
+			my $cur_pos = sysseek( INFILE, 0, 1 );
+			my $nl_pos = $cur_pos;
+			my $line_count = 0;
+			my $e_no_change = 0;
+
+			# Get last 1000 lines
+			while( $line_count < 1000 and $e_no_change < 20 )
+			{
+				my $new_line_found = 0;
+				my $buf;
+				sysread( INFILE, $buf, 1 );
+
+				if( $cur_pos > -1 )
+				{
+					if( $buf eq $/ )
+					{
+						$new_line_found = 1;
+					}
+				}
+				else
+				{
+					# Must have hit the beginning of the file
+					if( $nl_pos > 20 )
+					{
+						$cur_pos = 0;
+						sysseek( INFILE, 0, 0 );
+						$new_line_found = 1;
+					}
+					else
+					{
+						last;
+					}
+				}
+
+				if( $new_line_found )
+				{
+					my $cur_line = '';
+					sysread( INFILE, $cur_line, $nl_pos - $cur_pos );
+					if( my $alarm_line = new( $cur_line ) )
+					{
+						my $w_timestamp = timestamp( $alarm_line );
+						if( $w_timestamp > $end_time )
+						{
+							$end_time = $w_timestamp;
+						}
+						else
+						{
+							++$e_no_change;
+						}
+					}
+					$nl_pos = $cur_pos;
+					++$line_count;
+				}
+				--$cur_pos;
+				if( $cur_pos < 0 )
+				{
+					last;
+				}
+				sysseek( INFILE, $cur_pos, 0 );
+			}
+
+		}
+		else
+		{
+			warn( __PACKAGE__ . "::$sub_name, Unable to open file '$filename' with sysread.\n" );
+			return( undef );
+		}
+
+		close( INFILE );
+	}
+	else
+	{
+		warn( __PACKAGE__ . "::$sub_name, Unable to open file '$filename'.\n" );
+		return( undef );
+	}
+	
+	# Make sure that sane values were found for the start and end times
+	if( $start_time == 9999999999 or $end_time == -1 )
+	{
+		# warn( __PACKAGE__ . "::$sub_name, There was an error determining the start and end ranges.\n" );
+		# warn( "No valid values could be found.\n" );
+		return( undef );
+	}
+	
+	return( $start_time, $end_time );
+}
diff --git a/scripts/perl/lib/Bro/Log/Conn.pm b/scripts/perl/lib/Bro/Log/Conn.pm
new file mode 100644
index 0000000000..69391d55be
--- /dev/null
+++ b/scripts/perl/lib/Bro/Log/Conn.pm
@@ -0,0 +1,773 @@
+package Bro::Log::Conn;
+
+require 5.006_001;
+use strict;
+
+use vars qw( $VERSION
+		$NULL_VALUE
+		$DEBUG );
+
+# $Id: Conn.pm 1426 2005-09-30 00:19:18Z rwinslow $
+$VERSION = 1.20;
+$NULL_VALUE = -1;
+$DEBUG = 0;
+
+my $CONN_SPLIT_PATT = ' ';
+# my $CONN_SPLIT_PATT = qr/ /o;
+
+# Map data descriptions to subroutine names
+my %DATA_MAP = ( timestamp => \&timestamp,
+			duration => \&duration,
+			source_ip => \&srcip,
+			srcip => \&srcip,
+			destination_ip => \&dstip,
+			dstip => \&dstip,
+			service => \&service,
+			source_port => \&srcport,
+			srcport => \&srcport,
+			destination_port => \&dstport,
+			dstport => \&dstport,
+			protocol => \&protocol,
+			source_bytes => \&srcbytes,
+			srcbytes => \&srcbytes,
+			destination_bytes => \&srcbytes,
+			dstbytes => \&dstbytes,
+			connection_status => \&connstat,
+			connstat => \&connstat,
+			source_network => \&srcnetwork,
+			srcnetwork => \&srcnetwork,
+			other => \&other,
+			);
+
+sub new
+{
+	my $_log_line = $_[0] || return( undef );	# string ref
+
+	# Order of data in array
+	# 0 = timestamp
+	# 1 = duration
+	# 2 = source ip
+	# 3 = destination ip
+	# 4 = service
+	# 5 = source port
+	# 6 = destination port
+	# 7 = protocol
+	# 8 = source bytes
+	# 9 = destination bytes
+	# 10 = connection status
+	# 11 = source network
+	# 12 = other
+
+	my @log_parts = split( $CONN_SPLIT_PATT, $$_log_line, 13 );
+	if( defined( $log_parts[11] ) )
+	{
+		return( \@log_parts );
+	}
+	else
+	{
+		return( undef );
+	}
+}
+
+sub output
+{
+	my $sub_name = 'output';
+
+	my $data = $_[0] || return undef;
+	my $format = $_[1] || '';
+	my @ret_data;
+
+	if( ref( $format ) ne 'ARRAY' )
+	{
+		$format = [ 'timestamp',
+				'duration',
+				'srcip',
+				'dstip',
+				'service',
+				'srcport',
+				'dstport',
+				'protocol',
+				'srcbytes',
+				'dstbytes',
+				'connstat',
+				'srcnetwork',
+				'other',
+				];
+	}
+	
+	my $i = 0;
+	foreach my $key( @{$format} )
+	{
+		if( exists( $DATA_MAP{$key} ) )
+		{
+			$ret_data[$i] = &{$DATA_MAP{$key}}( $data );
+			++$i;
+		}
+		else
+		{
+			return( undef );
+		}
+	}
+	
+	if( wantarray )
+	{
+		return( @ret_data );
+	}
+	else
+	{
+		return( join( ' ', @ret_data ) );
+	}
+}
+
+sub timestamp
+{
+	my $sub_name = 'timestamp';
+	
+	my $data = $_[0] || return( undef );
+	
+	return( $data->[0] );
+}
+
+sub duration
+{
+	my $sub_name = 'duration';
+
+	my $data = $_[0] || return undef;
+	my $arg1 = $_[1] || 0;
+
+	if( $arg1 eq 'raw' )
+	{
+		return( $data->[1] );
+	}
+	elsif( $data->[1] eq '?' and defined( $NULL_VALUE ) )
+	{
+		return( $NULL_VALUE );
+	}
+	else
+	{
+		return( $data->[1] );
+	}
+}
+
+sub source_ip
+{
+	&srcip;
+}
+
+sub srcip
+{
+	my $sub_name = 'srcip';
+
+	return( $_[0]->[2] );
+}
+
+sub destination_ip
+{
+	&dstip;
+}
+
+sub dstip
+{
+	my $sub_name = 'dstip';
+
+	return( $_[0]->[3] );
+}
+
+sub service
+{
+	my $sub_name = 'service';
+
+	return( $_[0]->[4] );
+}
+
+sub source_port
+{
+	&srcport;
+}
+
+sub srcport
+{
+	my $sub_name = 'srcport';
+
+	return( $_[0]->[5] );
+}
+
+sub destination_port
+{
+	&dstport
+}
+
+sub dstport
+{
+	my $sub_name = 'dstport';
+
+	return( $_[0]->[6] );
+}
+
+sub protocol
+{
+	my $sub_name = 'protocol';
+
+	return( $_[0]->[7] );
+}
+
+sub source_bytes
+{
+	&srcbytes;
+}
+
+sub srcbytes
+{
+	my $sub_name = 'srcbytes';
+
+	my $data = $_[0] || return undef;
+	my $arg1 = $_[1] || 0;
+
+	if( $arg1 eq 'raw' )
+	{
+		return( $data->[8] );
+	}
+	elsif( $data->[8] eq '?' and defined( $NULL_VALUE ) )
+	{
+		return( $NULL_VALUE );
+	}
+	elsif( $data->[10] eq 'SF') 
+	{
+		# safest to only count sessions with normal termination
+		return( $data->[8] );
+	}
+	else
+	{
+		return( $NULL_VALUE );
+	}
+}
+
+sub destination_bytes
+{
+	&dstbytes;
+}
+
+sub dstbytes
+{
+	my $sub_name = 'dstbytes';
+
+	my $data = $_[0] || return undef;
+	my $arg1 = $_[1] || 0;
+
+	if( $arg1 eq 'raw' )
+	{
+		return( $data->[9] );
+	}
+	elsif( $data->[9] eq '?' and defined( $NULL_VALUE ) )
+	{
+		return( $NULL_VALUE );
+	}
+	elsif( $data->[10] eq 'SF' )
+	{
+		# safest to only count sessions with normal termination
+		return( $data->[9] );
+	}
+	else
+	{
+		return( $NULL_VALUE );
+	}
+}
+
+sub connstat
+{
+	my $sub_name = 'connstat';
+
+	my $data = $_[0] || return undef;
+	
+	return( $data->[10] );
+}
+
+sub source_network
+{
+	&srcnetwork;
+}
+
+sub srcnetwork
+{
+	my $sub_name = 'srcnetwork';
+
+	my $data = $_[0] || return undef;
+	chomp( $data->[11] );
+	
+	return( $data->[11] );
+}
+
+sub tag
+{
+	my $sub_name = 'tag';
+	
+	my $data = $_[0] || return( undef );
+	my $other_field = $data->[12];
+	my @ret_tag_ids;
+	
+	while( $other_field =~ s/(\@[[:digit:]]+)// )
+	{
+		push( @ret_tag_ids, $1 );
+	}
+	
+	if( @ret_tag_ids > 0 )
+	{
+		if( wantarray )
+		{
+			return( @ret_tag_ids );
+		}
+		else
+		{
+			return( \@ret_tag_ids );
+		}
+	}
+	else
+	{
+		return( undef );
+	}
+}
+
+sub other
+{
+	my $sub_name = 'other';
+
+	my $data = $_[0] || return undef;
+
+	# Remove any newline character at the end
+	chomp( $data->[12] );
+
+	return( $data->[12] );
+}
+
+sub timerange
+{
+	my $sub_name = 'timerange';
+	# Find the most likely beginning and ending times covered by a given
+	# conn file.
+
+	my $filename = $_[0];
+	my $find_start_time = $_[1];
+	my $find_end_time = $_[2];
+	my $start_time = 9999999999;
+	my $end_time = -1;
+	my $max_start_lines = 10000;
+	my $max_end_lines = 10000;
+	my $max_line_length = 5000;
+	my $f_size = ( stat( $filename ) )[7] || 0;
+	my $default_start;
+	my $default_end;
+	
+	if( $DEBUG > 2 )
+	{
+		warn( __PACKAGE__ . "::$sub_name, Filename: $filename\n" );
+	}
+	
+	# If the file is zero size then don't even both continuing
+	if( $f_size < 1 )
+	{
+		if( $DEBUG > 2 )
+		{
+			warn( __PACKAGE__ . "::$sub_name, File is zero size, skipping\n" );
+		}
+		return( undef );
+	}
+	
+	# If $find_start_time and $find_end_time are defined then the the first
+	# line that is greater than or equal to the timestamp in $find_start_time
+	# will be read by seek and then set into $start_pos.
+	# The last line that contains a timestamp less than or equal to 
+	# $find_end_time will be read by seek and then set in $end_pos.
+	eval {
+	local $SIG{ALRM} = sub { die( "Alarm Timeout\n" ) };
+	alarm 90;
+	if( open( INFILE, $filename ) )
+	{
+		my $s_idx = 0;			# start line counter
+		my $s_no_change = 0;	# start no change counter
+		
+		# Set the very first connection timestamp to $default_start
+		while( ! $default_start and defined( my $line = <INFILE> ) )
+		{
+			if( my $conn_line = new( \$line ) )
+			{
+				$default_start = timestamp( $conn_line );
+			}
+		}
+		
+		# Find the smallest timestamp in the first 1000 lines where the
+		# connection is complete (SF) or (REJ) and the duration is less
+		# than .1 seconds
+		while( ( $s_idx < $max_start_lines ) and
+			( $s_no_change < 20 ) and
+			defined( my $ln = <INFILE> ) )
+		{
+			if( my $conn_line = new( \$ln ) )
+			{
+				if( connstat( $conn_line ) =~ m/^(?:SF)|(?:REJ)$/ )
+				{
+					if( duration( $conn_line ) < 0.1 )
+					{
+						my $w_timestamp = timestamp( $conn_line );
+						if( $w_timestamp < $start_time )
+						{
+							$start_time = $w_timestamp;
+							$s_no_change = 0;
+						}
+						else
+						{
+							++$s_no_change;
+						}
+					}
+				}
+			}
+
+			++$s_idx;
+		}
+		
+		close( INFILE );
+		
+		# Find the largest timestamp in the last 20 lines
+		# Each connection with a status of "SF" or "REJ" will be counted as
+		# one line.  Every line will be examined but the "SF" or "REJ"
+		# lines are the only ones that give a good picture as to the time
+		# state of the file.
+		if( sysopen( INFILE, $filename, 0 ) )
+		{
+			sysseek( INFILE, $f_size, 0 );
+			my $cur_pos = sysseek( INFILE, 0, 1 );
+			my $nl_pos = $cur_pos;
+			my $matched_count = 0;
+			my $line_count = 0;
+
+			# Get last 20 lines
+			while( $matched_count < 20 and
+				$line_count < $max_end_lines )
+			{
+				my $new_line_found = 0;
+				my $buf;
+				sysread( INFILE, $buf, 1 );
+
+				if( $cur_pos > -1 )
+				{
+					if( $buf eq $/ )
+					{
+						$new_line_found = 1;
+					}
+				}
+				else
+				{
+					# Must have hit the beginning of the file
+					if( $nl_pos > 20 )	# supress things like blank lines
+					{
+						sysseek( INFILE, 0, 0 );
+						$new_line_found = 1;
+					}
+					else
+					{
+						last;
+					}
+				}
+
+				if( $new_line_found )
+				{
+					my $cur_line = '';
+					++$line_count;
+					# Make sure that the line is not too large
+					# Fix for some funky rsync errors that may occur
+					if( $nl_pos - $cur_pos > $max_line_length )
+					{
+						# WAY too big, just mark new position and ignore
+					}
+					else
+					{
+						sysread( INFILE, $cur_line, $nl_pos - $cur_pos );
+						if( my $conn_line = new( \$cur_line ) )
+						{
+							if( ! $default_end )
+							{
+								$default_end = timestamp( $conn_line );
+							}
+							
+							if( duration( $conn_line ) < 0.1 and duration( $conn_line ) >= 0 )
+							{
+								my $w_timestamp = timestamp( $conn_line );
+								if( $w_timestamp > $end_time )
+								{
+									$end_time = $w_timestamp;
+								}
+							}
+							
+							if( connstat( $conn_line ) =~ m/^(?:SF)|(?:REJ)$/ )
+							{
+								++$matched_count;
+							}
+						}
+					}
+					$nl_pos = $cur_pos;
+				}
+				--$cur_pos;
+				if( $cur_pos < 0 )
+				{
+					last;
+				}
+				sysseek( INFILE, $cur_pos, 0 );
+			}
+		}
+		else
+		{
+			if( $DEBUG > 0 )
+			{
+				warn( __PACKAGE__ . "::$sub_name, Unable to open file '$filename' with sysread.\n" );
+			}
+			return( undef );
+		}
+
+		close( INFILE );
+	}
+	else
+	{
+		if( $DEBUG > 0 )
+		{
+			warn( __PACKAGE__ . "::$sub_name, Unable to open file '$filename'.\n" );
+		}
+		return( undef );
+	}
+	
+	close( INFILE );
+	};
+	
+	alarm 0;
+	
+	# Make sure that $start_time has something other than the filler value.
+	if( $start_time == 9999999999 )
+	{
+		if( $default_start )
+		{
+			$start_time = $default_start;
+			if( $DEBUG > 1 )
+			{
+				warn( __PACKAGE__ . "::$sub_name, No start_time was found, setting to a default of $default_start\n" );
+			}
+		}
+		else
+		{
+			if( $DEBUG > 1 )
+			{
+				warn( __PACKAGE__ . "::$sub_name, No start_time was found and no default_start time was found\n" );
+			}
+		}
+	}
+	
+	# Make sure that $end_time has something other than the filler value.
+	if( $end_time == -1 )
+	{
+		if( $default_end )
+		{
+			$end_time = $default_end;
+			if( $DEBUG > 1 )
+			{
+				warn( __PACKAGE__ . "::$sub_name, No end_time was found, setting to a default of $default_start\n" );
+			}
+		}
+		else
+		{
+			if( $DEBUG > 1 )
+			{
+				warn( __PACKAGE__ . "::$sub_name, No end_time was found and no default_end time was found\n" );
+			}
+		}
+	}
+	
+	if( $DEBUG > 2 )
+	{
+		warn( "  " . __PACKAGE__ . "::$sub_name, Start time: $start_time\n" );
+		warn( "  " . __PACKAGE__ . "::$sub_name, End time: $end_time\n" );
+	}
+	
+	if( $@ )
+	{
+		if( $@ =~ m/Alarm Timeout/ )
+		{
+			if( !( $start_time and $end_time ) )
+			{
+				if( $DEBUG > 0 )
+				{
+					warn( __PACKAGE__ . "::$sub_name, Error occurred in trying to read the file $filename\n" );
+				}
+				return( undef );
+			}
+			else
+			{
+				if( $DEBUG > 0 )
+				{
+					warn( __PACKAGE__ . "::$sub_name, Timed out during file read.  The first and last timestamps have been set as the range of time available\n" );
+				}
+			}
+		}
+		else
+		{
+			warn( $@ );
+			return( undef );
+		}
+	}
+	
+	return( $start_time, $end_time );
+}
+
+sub containstag
+{
+	my $sub_name = 'containstag';
+	
+	my $data = shift || return( undef );
+	my @tags_to_match = @_;
+	my $conn_tags = tag( $data ) || return( 0 );
+	my $matched_tag = 0;
+	
+	OUT_LOOP:
+	{
+		foreach my $tag_to_match( @tags_to_match )
+		{
+			foreach my $tag_id( @{$conn_tags} )
+			{
+				if( $tag_id eq $tag_to_match )
+				{
+					$matched_tag = $tag_id;
+					last OUT_LOOP;
+				}
+			}
+		}
+	}	# end OUT_LOOP
+	
+	return( $matched_tag );
+}
+
+sub startposition
+{
+	my $sub_name = 'startposition';
+	# Find the first file position where $timestamp is greater than or equal to
+	# a timestamp in the file.
+	my $timestamp = $_[0];
+}
+
+sub endposition
+{
+	my $sub_name = 'endposition';
+	# Find the last file position where $timestamp is less than or equal to
+	# a timestamp in a file.
+	my $timestamp = $_[0];
+}
+
+sub connectsucceed
+{
+	my $sub_name = 'connectsucceed';
+	
+	my $data = $_[0] || return( undef );
+	
+	my $S_REGEX = qr/^S/o;
+	my $S123_REGEX = qr/^S[123]$/o;
+	my $connstat = connstat( $data );
+	
+	if( $connstat =~ $S_REGEX )
+	{
+		if( $connstat eq 'SF' )
+		{
+			return( 1 );
+		}
+		elsif( $connstat =~ $S123_REGEX )
+		{
+			if( srcbytes( $data ) > 0 && dstbytes( $data ) > 0 )
+			{
+				return( 1 );
+			}
+			else
+			{
+				return( 0 );
+			}
+		}
+	}
+	else
+	{
+		# connection failed
+		return( 0 );
+	}
+}
+
+sub range
+{
+	my $sub_name = 'range';
+	
+	my $data = $_[0] || return( undef );
+	my $match_time = $_[1];
+	my $error_margin = $_[2];
+	my $start_time;
+	my $end_time;
+	my $duration;
+	
+	# Make sure that the error margin is greater than zero
+	if( !( defined( $error_margin ) and $error_margin > 0 ) )
+	{
+		$error_margin = 0;
+	}
+	
+	$start_time = timestamp( $data );
+	$duration = duration( $data );
+	
+	if( $match_time )
+	{
+		if( $duration < 0 )
+		{
+			$duration = 10;
+		}
+	
+		$end_time = $start_time + $duration + $error_margin;
+		$start_time = $start_time - $error_margin;
+		
+		if( $match_time >= $start_time and
+			$match_time <= $end_time )
+		{
+			return( 1 );
+		}
+		else
+		{
+			return( 0 );
+		}
+	}
+	else
+	{
+		if( $duration > -1 )
+		{
+			$end_time = $start_time + $duration;
+		}
+		
+		return( $start_time, $end_time );
+	}
+}
+
+1;
+
+# The args to Bro::Log::Conn::output are the connection array ref returned by
+ # Bro::Log::Conn::new and an optional array ref of what order and fields
+ # should be printed.
+
+# EXAMPLE:
+ # $array_ref = Bro::Log::Conn::new( $ln );
+ # @output_parts = Bro::Log::Conn::output( $array_ref, [ 'srcip', 'dstip', 'timestamp' ] )
+ #
+ # The available fields are as follows:
+ #	timestamp
+ #	duration
+ #	srcip
+ #	dstip
+ #	service
+ #	srcport
+ #	dstport
+ #	protocol
+ #	srcbytes
+ #	dstbytes
+ #	connstat
+ #	srcnetwork
+ #	other
+
+# For convenience any data that is represented by a ? will be replaced by a -1
+# This occurs for duration, srcbytes, and dstbytes
+# This is adjustable by changing $NULL_VALUE
diff --git a/scripts/perl/lib/Bro/Report.pm b/scripts/perl/lib/Bro/Report.pm
new file mode 100644
index 0000000000..413bd9ba5c
--- /dev/null
+++ b/scripts/perl/lib/Bro/Report.pm
@@ -0,0 +1,714 @@
+package Bro::Report;
+
+use strict;
+require 5.006_001;
+require Exporter;
+
+use Socket;
+use vars qw( $VERSION
+			$DEBUG
+			@EXPORT_OK
+			@ISA
+			$USE_FLOCK
+			$INCIDENT_COUNT_FILE
+			$TEMP_DIR
+			@TEMP_FILES
+			$IPTONAME_TIMEOUT
+			$USE_IPTONAME_CACHE
+			%IPTONAME_CACHE );
+
+@ISA = ( 'Exporter' );
+# $Id: Report.pm 1419 2005-09-29 18:56:06Z rwinslow $
+$VERSION = 1.20;
+$DEBUG = 0;
+@EXPORT_OK = qw( iptoname swrite trimhostname trimbytes time_mdhm time_hms date_md
+			date_ymd getincidentnumber standard_deviation mean_val tempfile
+			trimstring );
+
+	my %STEPS = ( 0 => '',
+				1 => 'K',
+				2 => 'M',
+				3 => 'G',
+				4 => 'T',
+				5 => 'P',
+				K => 1,
+				M => 2,
+				G => 3,
+				T => 4,
+				G => 5, );
+
+# Check if flock can be used
+eval {
+	flock( STDIN, 1 )
+};
+
+if( $@ )
+{
+	$USE_FLOCK = 0;
+}
+else
+{
+	$USE_FLOCK = 1;
+}
+
+# Default temp directorywhich to write to
+$TEMP_DIR = '/tmp';
+
+# Default timeout for dns reverse lookups
+$IPTONAME_TIMEOUT = 3;
+
+# Should ip to name reverse lookups be cached?
+$USE_IPTONAME_CACHE = 1;
+
+sub iptoname
+{
+	my $sub_name = 'iptoname';
+	
+	my $h_ip = $_[0] || return( undef );
+	
+	my $resolved_hostname = undef;
+	my $ret_val;
+	
+	if( exists( $IPTONAME_CACHE{$h_ip} ) )
+	{
+		return( $IPTONAME_CACHE{$h_ip} );
+	}
+	
+	eval
+	{
+		local $SIG{ALRM} = sub { die( "Lookup Timeout\n" ) };
+		alarm( $IPTONAME_TIMEOUT);
+		$resolved_hostname = gethostbyaddr( inet_aton( $h_ip ), 2 );
+		alarm( 0 );
+	};
+	
+	if( $resolved_hostname )
+	{
+		$ret_val = $resolved_hostname;
+	}
+	else
+	{
+		$ret_val = $h_ip;
+	}
+	
+	if( $USE_IPTONAME_CACHE )
+	{
+		$IPTONAME_CACHE{$h_ip} = $ret_val;
+	}
+	
+	return( $ret_val );
+}
+
+sub swrite
+{
+	my $sub_name = 'swrite';
+	
+	my $format = shift;
+	my @args = @_;
+	my $ret_val;
+	
+	$^A = '';
+	formline( $format, @args );
+	$ret_val = $^A;
+	$^A = '';
+	return( $ret_val );
+}
+
+sub trimhostname
+{
+	my $sub_name = 'trimhostname';
+	
+	my $hostname = $_[0];
+	my $max_length = $_[1] || 35;
+	my $direction = $_[2] || '>';
+	my $ret_val = '';
+	
+	my $len = length( $hostname );
+	if( $len > $max_length )
+	{
+		my $dif = $len - $max_length + 3;
+		if( $direction eq '>' )
+		{
+			$ret_val =  "..." . substr( $hostname, $dif, $len);
+		}
+		else
+		{
+			$ret_val =  substr( $hostname, 0, $len - $dif) . "...";
+		}
+	}
+	else
+	{
+		$ret_val = $hostname;
+	}
+	
+	return( $ret_val );
+}
+
+sub trimbytes
+{
+	my $sub_name = 'trimbytes';
+	
+	my $arg1 = $_[0];
+	my $max_width = $_[1] || 6;
+	my $quantifiers = 'KMGTP';
+	my $step_count = 0;
+	my $bytes;
+	my $ret_val;
+	
+	if( $arg1 =~ m/([[:digit:]]+)[[:space:]]*([$quantifiers])$/ )
+	{
+		$bytes = $1;
+		$step_count = $STEPS{$2};
+	}
+	else
+	{
+		$bytes = $arg1;
+	}
+	
+	if( length( $bytes ) > $max_width )
+	{
+		$max_width -= 2;
+		my $ints = int( $bytes );
+		while( exists( $STEPS{$step_count} ) and length( $ints ) > $max_width )
+		{
+			$bytes = $bytes / 1024;
+			$ints = int( $bytes );
+			++$step_count;
+		}
+		my $float_length = $max_width - length( $ints ) - 1;
+		if( $float_length > 0 )
+		{
+			$bytes = sprintf( "%.$float_length" . 'f', $bytes );
+		}
+		else
+		{
+			$bytes = sprintf( "%d", $bytes );
+		}
+	}
+	
+	if( $STEPS{$step_count} )
+	{
+		return( $bytes . " $STEPS{$step_count}" );
+	}
+	else
+	{
+		return( $bytes );
+	}
+}
+
+sub trimstring
+{
+	my $sub_name = 'trimstring';
+	
+	my $string = $_[0] || return( undef );
+	my $max_length = $_[1] || 73;
+	my $max_lines = $_[2];
+	my @ret_lines;
+	my $trunc_string = 0;
+	
+	if( length( $string ) <= $max_length )
+	{
+		return( $string );
+	}
+	
+	if( defined( $max_lines ) 
+		and $max_lines =~ /^[[:digit:]]+$/
+		and $max_lines > 0 )
+	{
+		# OK, looks good
+	}
+	else
+	{
+		$max_lines = 1;
+	}
+	
+	while( length( $string ) > $max_length
+		and !( scalar( @ret_lines ) >= $max_lines ) )
+	{
+		my $cur_idx = $max_length - 1;
+		my $found_break_point = 0;
+		while( $cur_idx > 0 )
+		{
+			if( substr( $string, $cur_idx, 1 ) =~ m/[[:space:]]/ )
+			{
+				push( @ret_lines, substr( $string, 0, $cur_idx + 1 ) );
+				$string = substr( $string, $cur_idx );
+				$found_break_point = 1;
+				last;
+			}
+			else
+			{
+				--$cur_idx;
+			}
+		}
+		
+		if( ! $found_break_point )
+		{
+			push( @ret_lines, substr( $string, 0, $max_length ) );
+			$string = substr( $string, $max_length );
+		}
+	}
+	
+	# Check if anything is left in the string
+	if( length( $string ) > 0 )
+	{
+		$trunc_string = 1;
+		
+		if( !( scalar( @ret_lines ) >= $max_lines ) )
+		{
+			push( @ret_lines, $string );
+			$trunc_string = 0;
+		}
+		elsif( length( $ret_lines[$#ret_lines] ) < $max_length )
+		{
+			$ret_lines[$#ret_lines] .= substr( $string, 0, $max_length - length( $ret_lines[$#ret_lines] ) );
+		}
+		
+		if( $trunc_string )
+		{
+			$ret_lines[$#ret_lines] =~ s/.{4}$/\.\.\.>/;
+		}
+	}
+	
+	return( @ret_lines );
+}
+
+sub time_mdhm
+{
+	my $sub_name = 'time_mdhm';
+	# Convert time from epoch to MONTH/DAY HOUR:MINUTE
+	#						08/13 13:44
+	my $arg1 = $_[0];
+	my $ret_val;
+	
+	if( my @tp = localtime( $arg1 ) )
+	{
+		my $mon = sprintf( "%02d", $tp[4] + 1 );
+		my $day = sprintf( "%02d", $tp[3] );
+		my $hour = sprintf( "%02d", $tp[2] );
+		my $min = sprintf( "%02d", $tp[1] );
+		
+		$ret_val =  "$mon/$day $hour:$min";
+	}
+	else
+	{
+		return( undef );
+	}
+	
+	return( $ret_val );
+}
+
+sub time_hms
+{
+	my $sub_name = 'time_hms';
+	# Convert epoch to to HH:MM:SS
+	
+	my $arg1 = $_[0];
+	my $ret_val;
+	
+	if( my @tp = localtime( $arg1 ) )
+	{
+		my $hour = sprintf( "%02d", $tp[2] );
+		my $min = sprintf( "%02d", $tp[1] );
+		my $sec = sprintf( "%02d", $tp[0] );
+		
+		$ret_val =  "$hour:$min:$sec";
+	}
+	else
+	{
+		return( undef );
+	}
+	
+	return( $ret_val );
+	
+}
+
+sub date_md
+{
+	my $sub_name = 'date_md';
+	# Convert time from epoch to MONTH/DAY
+	
+	my $arg1 = $_[0];
+	my $ret_val;
+	
+	if( my @tp = localtime( $arg1 ) )
+	{
+		my $mon = sprintf( "%02d", $tp[4] + 1 );
+		my $day = sprintf( "%02d", $tp[3] );
+		
+		$ret_val =  "$mon/$day";
+	}
+	else
+	{
+		return( undef );
+	}
+	
+	return( $ret_val );
+}
+
+sub date_ymd
+{
+	my $sub_name = 'date_ymd';
+	# Convert time from epoch to YEAR/MONTH/DAY
+	
+	my $arg1 = $_[0];
+	my $ret_val;
+	
+	if( my @tp = localtime( $arg1 ) )
+	{
+		my $mon = sprintf( "%02d", $tp[4] + 1 );
+		my $day = sprintf( "%02d", $tp[3] );
+		my $year = $tp[5] + 1900;
+		
+		$ret_val =  "$year/$mon/$day";
+	}
+	else
+	{
+		return( undef );
+	}
+	
+	return( $ret_val );
+}
+
+sub getincidentnumber
+{
+	my $sub_name = 'getincidentnumber';
+	
+	my $arg1 = $_[0];
+	my $failed = 0;
+	my $ret_count;
+	
+	# Check if the $INCIDENT_COUNT_FILE has been set yet
+	if( ! $INCIDENT_COUNT_FILE )
+	{
+		setincidentcountfile();
+	}
+	
+	# Make sure that the files exists
+	if( ! -f $INCIDENT_COUNT_FILE )
+	{
+		if( open( OUTFILE, ">$INCIDENT_COUNT_FILE" ) )
+		{
+			print OUTFILE "0\n";
+		}
+		else
+		{
+			warn( "Failed to create the incident count file at $INCIDENT_COUNT_FILE\n;" );
+			$failed = 1;
+		}
+		close( OUTFILE );
+		
+		return( undef ) if $failed;
+	}
+	
+	# If anything besides 0 or undef is passed in then this is true
+	# If true then don't get a new incident number but rather return the current.
+	if( open( RW_FILE, $INCIDENT_COUNT_FILE ) )
+	{
+		lock( *RW_FILE );
+		my $cur_count = <RW_FILE>;
+		chomp( $cur_count );
+		if( $arg1 )
+		{
+			$ret_count = $cur_count;
+		}
+		else
+		{
+			if( open( RW_FILE, ">$INCIDENT_COUNT_FILE" ) )
+			{
+				lock( *RW_FILE ) or print "FAILED TO RE-LOCK\n";
+				$ret_count = $cur_count + 1;;
+				print RW_FILE "$ret_count\n";
+			}
+			else
+			{
+				warn( "Failed to reopen incident count file $INCIDENT_COUNT_FILE for wirtting.\n" );
+				$failed = 1;
+			}
+		}
+		unlock( *RW_FILE );
+		close( RW_FILE );
+	}
+	else
+	{
+		warn( "Failed to open incident count file $INCIDENT_COUNT_FILE for reading.\n" );
+		$failed = 1;
+	}
+	
+	return( $ret_count );
+}
+
+sub lock
+{
+	my $sub_name = 'lock';
+	
+	my $fh = $_[0];
+	
+	if( $USE_FLOCK )
+	{
+		flock( $fh, 2 );
+	}
+	return( 1 );
+}
+
+sub unlock
+{
+	my $sub_name = 'unlock';
+	
+	my $fh = $_[0];
+	
+	if( $USE_FLOCK )
+	{
+		flock( $fh, 8 );
+	}
+	
+	return( 1 );
+}
+
+sub standard_deviation
+{
+	my $sub_name = 'standard_deviation';
+	
+	my $arg1 = $_[0];	# ref to array
+	my $mean;
+	my $dev_mean;
+	my $ret_val;
+	my $num_elements;
+	my $sum;
+	
+	if( ref( $arg1 ) eq 'ARRAY' )
+	{
+		my $i = 0;
+		my $deviation_sum;
+		$num_elements = scalar( @{$arg1} );
+		$dev_mean = $arg1->[0] ** 2;
+		for( $i = 1; $i > $num_elements; ++$i )
+		{
+			$sum += $arg1->[$i];
+			$deviation_sum += $arg1->[$i] ** 2;
+		}
+		
+		$dev_mean = $deviation_sum / $num_elements;
+	}
+	elsif( ref( $arg1 ) eq 'HASH' )
+	{
+		my $deviation_sum;
+		while( my( $num, $quan ) = each( %{$arg1} ) )
+		{
+			$sum += $num * $quan;
+			$num_elements += $quan;
+			$deviation_sum += ( $num ** 2 ) * $quan;
+		}
+		$dev_mean = $deviation_sum / $num_elements;
+	}
+	else
+	{
+		return( undef );
+	}
+	
+	# There should be a minimum of 5 (five) values to produce a valid result
+	if( $num_elements < 5 )
+	{
+		return( undef );
+	}
+	
+	$mean = $sum / $num_elements;
+	$ret_val = sqrt( $dev_mean - ( $mean ** 2 ) );
+	return( $ret_val );
+}
+
+sub mean_val
+{
+	my $sub_name = 'mean_val';
+	
+	my $arg1 = $_[0];	#ref to array
+	my $array_count;
+	my $sum = 0;
+	my $ret_val;
+	
+	if( ref( $arg1 ) ne 'ARRAY' )
+	{
+		return( undef );
+	}
+	
+	foreach my $num( @{$arg1} )
+	{
+		$sum += $num;
+		++$array_count;
+	}
+	
+	if( $array_count > 0 )
+	{
+		$ret_val = $sum / $ret_val;
+		return( $ret_val );
+	}
+	else
+	{
+		return( undef );
+	}
+}
+
+sub tempfile
+{
+	my $sub_name = 'tempfile';
+	
+	my $action = shift || return( undef );;
+	my @args = @_;
+	
+	if( $action =~ m/^add$/i )
+	{
+		addtempfile( @args );
+	}
+	elsif( $action =~ m/^delete|remove$/i )
+	{
+		removetempfile( @args );
+	}
+	elsif( $action =~ m/^delete all|remove all$/i )
+	{
+		removealltempfiles();
+	}
+	else
+	{
+		warn( __PACKAGE__ . "::$sub_name, Unknown action of $action passed to function.\n" );
+		return( undef );
+	}
+}
+
+sub addtempfile
+{
+	my $sub_name = 'addtempfile';
+	
+	my $prefix = $_[0] || return( undef );
+	my $force = $_[1] || 0;
+	my $ret_file = "$TEMP_DIR/$prefix".$$.".tmp";
+	
+	if( -f $ret_file )
+	{
+		if( ! $force )
+		{
+			warn( __PACKAGE__ . "::$sub_name, Temp file $ret_file already exists\n" );	
+			return( undef );
+		}
+	}
+	
+	if( open( OUTFILE, ">$ret_file" ) )
+	{
+		if( $DEBUG > 2 )
+		{
+			warn( __PACKAGE__ . "::$sub_name, Successfully created temp file $ret_file.\n" );
+		}
+	}
+	else
+	{
+		warn( __PACKAGE__ . "::$sub_name, Unable to open temp file $ret_file for writting.\n" );
+	}
+	
+	close( OUTFILE );
+	
+	push( @TEMP_FILES, $ret_file );
+	return( $ret_file );
+}
+
+sub removetempfile
+{
+	my $sub_name = 'removetempfile';
+	
+	my @file_names = @_;
+	my $num_removed = 0;
+	my @new_array;
+	
+	if( ! defined( $file_names[0] ) )
+	{
+		return( undef );
+	}
+	
+	foreach my $cur_file( @TEMP_FILES )
+	{
+		foreach my $file_to_remove( @file_names )
+		{
+			my $did_find = 0;
+			if( $cur_file eq $file_to_remove )
+			{
+				if( unlink $file_to_remove )
+				{
+					++$num_removed;
+					if( $DEBUG > 1 )
+					{
+						warn( __PACKAGE__ . "::$sub_name, Removed temp file $file_to_remove\n" );
+					}
+				}
+				else
+				{
+					if( $DEBUG > 0 )
+					{
+						warn( __PACKAGE__ . "::$sub_name, Failed to remove temp file $file_to_remove\n" );
+					}
+				}
+				$did_find = 1;
+				last;
+			}
+			
+			if( ! $did_find )
+			{
+				push( @new_array, $cur_file );
+			}
+		}
+	}
+	
+	@TEMP_FILES = @new_array;
+	return( $num_removed );
+	
+}
+
+sub removealltempfiles
+{
+	my $sub_name = 'removealltempfiles';
+	my $num_removed = 0;
+	
+	foreach my $file_name( @TEMP_FILES )
+	{
+		if( unlink( $file_name ) )
+		{
+			++$num_removed;
+			if( $DEBUG > 1 )
+			{
+				warn( __PACKAGE__ . "::$sub_name, Successfully deleted temp file $file_name\n" );
+			}
+		}
+		else
+		{
+			if( $DEBUG > 0 )
+			{
+				warn( __PACKAGE__ . "::$sub_name, Failed to delete temp file $file_name\n" );
+			}
+		}
+	}
+	
+	@TEMP_FILES = ();
+	return( $num_removed );
+}
+
+sub setincidentcountfile
+{
+	my $sub_name = 'setincidentcountfile';
+	
+	my $brosite;
+	use Bro::Config( '$BRO_CONFIG' );
+	if($brosite = $BRO_CONFIG->{BROSITE} )
+	{
+		
+		
+		# Location of the file that holds the incident number counter
+		$INCIDENT_COUNT_FILE = "$brosite/incident_counter";
+
+	}
+	else
+	{
+		warn( "No value for \$BROHOME has been set in the Bro config file.  Nothing much works without it.\n" );
+		return( undef );
+	}
+
+}
+
+
+1;
diff --git a/scripts/perl/lib/Bro/Report/Alarm.pm b/scripts/perl/lib/Bro/Report/Alarm.pm
new file mode 100644
index 0000000000..04dfcc5d5b
--- /dev/null
+++ b/scripts/perl/lib/Bro/Report/Alarm.pm
@@ -0,0 +1,2070 @@
+package Bro::Report::Alarm;
+
+use strict;
+require 5.006_001;
+use Bro::Config( '$BRO_CONFIG' );
+use Bro::Report qw( trimhostname iptoname swrite time_mdhm time_hms date_md
+				standard_deviation getincidentnumber tempfile trimstring );
+use Bro::Signature( 'getrules' );
+use Bro::Log::Conn;
+
+use vars qw( $VERSION
+			$DEBUG
+			$SCANS_MAX_COUNT
+			$RPT_CACHE
+			$BROHOME
+			$SCAN_MAX_BYTES_RCV
+			$SCAN_EVENT_REGEX
+			$SCAN_EVENT_LIST
+			$INCIDENT_EVENT_LIST
+			$INCIDENT_EVENT_REGEX
+			$INCIDENT_REPORTABLE_POLICY
+			$REPORTABLE_EVENT_REGEX
+			$NOTICE_TYPE_SCORES
+			$NOTICE_TYPE_SCORES_FILE
+			$SIGNATURE_ID_SCORES
+			$SIGNATURE_ID_SCORES_FILE
+			$ALARM_THRESHOLD
+			$INCIDENT_TEMP_NUMBER
+			$MAX_INCIDENT_CONN_LINES
+			$SHOW_UNSUCCESSFUL_INCIDENTS
+			$INCIDENT_SHOW_SUB_MESSAGE
+			$INCIDENT_SHOW_SIGNATURE
+			$ALARM_SUPPRESS_DUPLICATES );
+
+# $Id: Alarm.pm 1433 2005-09-30 21:13:23Z tierney $
+$VERSION = 1.20;
+$SCANS_MAX_COUNT = 30;
+$SCAN_MAX_BYTES_RCV = 20480;
+
+$DEBUG = 0;
+$INCIDENT_TEMP_NUMBER = 1;
+
+# data for a report will be removed by it's respective function once the data
+# has been called to output.  All report data in memory is held in
+# variable $RPT_CACHE;
+
+my %REPORT_MAP = ( 'scans' => { input => __PACKAGE__ . '::scans',
+						output => __PACKAGE__ . '::output_scans', },
+		'incidents' => { input => __PACKAGE__ . '::incident',
+					output => __PACKAGE__ . '::output_incident', },
+		'scan_summary' => { input => undef,
+						output => __PACKAGE__ . '::output_scansummary', },
+		'incident_summary' => { input => undef,
+						output => __PACKAGE__ . '::output_incidentsummary', },
+		'signature_summary' => { input => undef,
+						output => __PACKAGE__ . '::output_signaturesummary', },
+		'signature_distribution' => { input => __PACKAGE__ . '::signaturedistribution',
+						output => __PACKAGE__ . '::output_signaturedistribution', },
+		);
+
+$NOTICE_TYPE_SCORES = {};
+$SIGNATURE_ID_SCORES = {};
+
+$NOTICE_TYPE_SCORES_FILE = $BRO_CONFIG->{BROHOME} . "/etc/alert_scores";
+$SIGNATURE_ID_SCORES_FILE = $BRO_CONFIG->{BROHOME} . "/etc/signature_scores";
+
+# Set the signature score list
+setsignaturescores( $SIGNATURE_ID_SCORES_FILE );
+
+# Set the notice_type score list
+setnoticetypescores( $NOTICE_TYPE_SCORES_FILE );
+
+# Current threshold limit, default is 100.
+$ALARM_THRESHOLD = 100;
+
+# This list defines what notice types will be treated as scans.
+$SCAN_EVENT_LIST = {};
+
+# Default list of notice types that are considered scan events
+setreportablescan( 'PortScan', 'PasswordGuessing', 'AddressScan', 
+	'MultipleSigResponders', 'MultipleSignatures', );
+
+# See reportableincident and setreportableincident
+$INCIDENT_EVENT_LIST = {};
+
+# By default all notice types that are not scanned will be considered worth
+# reporting and will generate an incident
+setreportableincident( 'ScanSummary', 'AddressDropped', 'DEFAULT_ALLOW' );
+
+$MAX_INCIDENT_CONN_LINES = 30;
+
+# If and how should the unsuccessful incident data be displayed.
+# Valid values are 'FIRST INSTANCE', 'ALL'
+$SHOW_UNSUCCESSFUL_INCIDENTS = 'FIRST INSTANCE';
+
+# Toggle whether the alarm sub_message should be included in the incident details
+$INCIDENT_SHOW_SUB_MESSAGE = 1;
+
+# Toggle whether the actual signature code block should be included in incident details
+# when the notice type is SensitiveSignature
+$INCIDENT_SHOW_SIGNATURE = 1;
+
+# Toggle whether duplicate alarms should be suppressed inside an incident
+$ALARM_SUPPRESS_DUPLICATES = 1;
+
+### This is deprecated
+my $DROPPED_PACKETS_REGEX = qr/([[:digit:]]+) packets dropped after filtering, ([[:digit:]]+) received, ([[:digit:]]+) on link/o;
+
+sub scans
+{
+	my $sub_name = 'scans';
+	
+	my $_alarm_struc = $_[0] || return( undef );
+	
+	if( reportablescan( $_alarm_struc ) )
+	{
+		my $src_ip = Bro::Log::Alarm::source_ip( $_alarm_struc );
+		push( @{$RPT_CACHE->{scans}->{$src_ip}->{ALARMS}}, $_alarm_struc );
+	}
+	
+	return( 1 );
+}
+
+sub output_scans
+{
+	my $sub_name = 'output_scans';
+	
+	my $format = $_[1];
+	my $total_scans = $RPT_CACHE->{scans}->{COUNT};
+	my @results;
+	my $ret_string;
+	my $content = '';
+	my $max_reason_length = 62;
+	my @heading_names = ( 'Host', 'IP', );
+	
+	if( ! exists( $RPT_CACHE->{scans} ) )
+	{
+		return( undef );
+	}
+	
+	if( ! $format )
+	{
+		$format = <<'END';
+  Host:   @<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<  @<<<<<<<<<<<<<<
+  Reason: @<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
+  ~       @<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
+  ~       @<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
+
+END
+	}
+		
+	# Classify the scans
+	classifyscans();
+	
+	# Reorganize the scan by type
+	my %scan_events_by_type;
+	foreach my $h_ip( keys( %{$RPT_CACHE->{scans}} ) )
+	{
+		foreach my $alarm_struc( @{$RPT_CACHE->{scans}->{$h_ip}->{ALARMS}} )
+		{
+			my $notice_type = Bro::Log::Alarm::notice_type( $alarm_struc );
+		        my $dest_ip = Bro::Log::Alarm::destination_addr( $alarm_struc ) ;
+			push( @{$scan_events_by_type{$notice_type}}, $alarm_struc );
+		}
+	}
+		
+	# Make the content
+	my $num_scans_output = 0;
+	foreach my $event_type( keys( %scan_events_by_type ) )
+	{
+		foreach my $alarm_struc( @{$scan_events_by_type{$event_type}} )
+		{
+			my $h_ip = Bro::Log::Alarm::source_addr( $alarm_struc );
+			my $h_name = trimhostname( iptoname( $h_ip ), 44, '>' );
+			my $message;
+			
+			# Post process the messages for the following event types
+			if( $event_type eq 'MultipleSignatures' )
+			{
+				$message = Bro::Log::Alarm::count( $alarm_struc ) .
+					" different signatures triggered against " .
+					Bro::Log::Alarm::destination_addr( $alarm_struc );
+			}
+			elsif( $event_type eq 'MultipleSigResponders' )
+			{
+				my $sig_event = Bro::Log::Alarm::message( $alarm_struc );
+				my $sigid = Bro::Log::Alarm::sigid( $alarm_struc );
+				my $c = Bro::Log::Alarm::count( $alarm_struc );
+				$message = "Triggered signature $sigid: $sig_event across $c hosts";
+			}
+			else
+			{
+				$message = Bro::Log::Alarm::message( $alarm_struc );
+			}
+			
+			# reduce to a max of three lines at $max_reason_length characters per line
+			my @reason = trimstring( $message, $max_reason_length, 3 );
+			
+			$content .= swrite( $format, $h_name, $h_ip, @reason );
+			++$num_scans_output;			
+			if( $num_scans_output > $SCANS_MAX_COUNT )
+			{
+				last;
+			}
+		}
+		if( $num_scans_output > $SCANS_MAX_COUNT )
+		{
+			last;
+		}
+	}
+	
+	if( length( $content ) < 10 )
+	{
+		$ret_string = "     No data to report\n";
+	}
+	else
+	{
+		$ret_string .= $content;
+		if( $total_scans > $SCANS_MAX_COUNT )
+		{
+			my $num_not_displayed = $total_scans - $SCANS_MAX_COUNT;
+			$ret_string .= <<"END"
+			
+    Maximum of $SCANS_MAX_COUNT scans are listed.
+    There are another $num_not_displayed that are not displayed.
+END
+		}
+	}
+	
+	# Clean up some memory
+	delete( $RPT_CACHE->{scans} );
+	
+	return( $ret_string );
+}
+
+sub classifyscans
+{
+	my $sub_name = 'classifyscans';
+	
+	my $success_scans = 0;
+	my $failed_scans = 0;
+	
+	if( exists( $RPT_CACHE->{scans}->{CLASSIFICATION_TOTALS} ) )
+	{
+		$success_scans = $RPT_CACHE->{scans}->{CLASSIFICATION_TOTALS}->{'SUCCESSFUL'};
+		$failed_scans = $RPT_CACHE->{scans}->{CLASSIFICATION_TOTALS}->{'UNSUCCESSFUL'};
+	}
+	else
+	{
+		# Post process some scan types
+		foreach my $host( keys( %{$RPT_CACHE->{scans}} ) )
+		{
+			my @new_alarm_list;
+			my %ms;	# MultipleSignatures
+			my %msr;	# MultipleSigResponders
+			
+			foreach my $alarm_struc( @{$RPT_CACHE->{scans}->{$host}->{ALARMS}} )
+			{
+				my $notice_type = Bro::Log::Alarm::notice_type( $alarm_struc );
+				if( $notice_type eq 'MultipleSignatures' )
+				{
+					# Only keep the highest reported number for each pair
+					my $src_ip = Bro::Log::Alarm::source_addr( $alarm_struc );
+					my $dst_ip = Bro::Log::Alarm::destination_addr( $alarm_struc );
+					if( exists( $ms{"$src_ip$dst_ip"} ) )
+					{
+						my $cur_count = Bro::Log::Alarm::count( $alarm_struc );
+						if( $cur_count > Bro::Log::Alarm::count( $ms{"$src_ip$dst_ip"} ) )
+						{
+							$ms{"$src_ip$dst_ip"} = $alarm_struc;
+						}
+					}
+					else
+					{
+						$ms{"$src_ip$dst_ip"} = $alarm_struc;
+					}
+				}
+				elsif( $notice_type eq 'MultipleSigResponders' )
+				{
+					# Only keep the highest count for each offender
+					my $src_ip = Bro::Log::Alarm::source_addr( $alarm_struc );
+					if( exists( $msr{"$src_ip"} ) )
+					{
+						my $cur_count = Bro::Log::Alarm::count( $alarm_struc );
+						if( $cur_count > Bro::Log::Alarm::count( $msr{"$src_ip"} ) )
+						{
+							$msr{"$src_ip"} = $alarm_struc;
+						}
+					}
+					else
+					{
+						$msr{"$src_ip"} = $alarm_struc;
+					}
+				}
+				else
+				{
+					push( @new_alarm_list, $alarm_struc );
+				}
+			}
+			
+			if( keys( %ms ) > 0 )
+			{
+				push( @new_alarm_list, values( %ms ) );
+			}
+			
+			if( keys( %msr ) > 0 )
+			{
+				push( @new_alarm_list, values( %msr ) );
+			}
+			
+			@{$RPT_CACHE->{scans}->{$host}->{ALARMS}} = @new_alarm_list;
+		}
+		# Figure out if the scan is worth reporting.
+		foreach my $h_ip( keys( %{$RPT_CACHE->{scans}} ) )
+		{
+			my $is_success = 0;
+			BLOCK: {
+				# Check if there were any connections back to the offender
+				if( $RPT_CACHE->{scans}->{$h_ip}->{CONNECTIONS_TO_OFFENDER} )
+				{
+					if( $DEBUG > 2 )
+					{
+						warn( "Scan events for $h_ip have be found worthy of reporting.  " . 
+							$RPT_CACHE->{scans}->{$h_ip}->{CONNECTIONS_TO_OFFENDER} . 
+							" connections were made back to the offender.\n");
+					}
+					$is_success = 1;
+					last BLOCK;
+				}
+				
+				if( exists( $RPT_CACHE->{scans}->{$h_ip}->{BYTES_RCV} ) )
+				{
+					foreach my $bytes_rcv( keys( %{$RPT_CACHE->{scans}->{$h_ip}->{BYTES_RCV}} ) )
+					{
+						if( $bytes_rcv > $SCAN_MAX_BYTES_RCV )
+						{
+							$is_success = 1;
+							if( $DEBUG > 2 )
+							{
+								warn( "Scan events from source $h_ip have been found worthy of reporting." .
+									"There was data over $SCAN_MAX_BYTES_RCV sent back to the host\n" );
+							}
+							last BLOCK;
+						}
+					}
+				}
+				
+				# Figure out if the bytes sent by the offender is more than $num_deviations
+				# deviations out from the standard deviation.
+				if( $RPT_CACHE->{scans}->{$h_ip}->{BYTES_SENT} )
+				{
+					my $num_deviations = 3;
+					my $std_dev = standard_deviation( $RPT_CACHE->{scans}->{$h_ip}->{BYTES_SENT} );
+					my $max_deviation = sprintf( "%d", $std_dev * $num_deviations );
+					my $max_val = 0;
+
+					# Make sure that standard_deviation returned a valid value
+					if( defined( $std_dev ) )
+					{
+						foreach my $num( keys( %{$RPT_CACHE->{scans}->{$h_ip}->{BYTES_SENT}} ) )
+						{
+							if( $num > $max_deviation )
+							{
+								$RPT_CACHE->{scans}->{$h_ip}->{SENT_DATA_DEVIATION} = 1;
+								if( $DEBUG > 2 )
+								{
+									$max_val = $num;
+								}
+								last;
+							}
+
+							if( $DEBUG > 2 )
+							{
+								if( $num > $max_val )
+								{
+									$max_val = $num;
+								}
+							}
+						}
+					}
+					else
+					{
+						# Not worthy of reporting
+						$max_deviation = 'undef';
+						if( $DEBUG > 2 )
+						{
+							warn( "Scan events from source $h_ip has been found not worthy of reporting.  " .
+								"Not enough data for a standard deviation test.\n" );
+						}
+					}
+
+					if( $RPT_CACHE->{scans}->{$h_ip}->{SENT_DATA_DEVIATION} )
+					{
+						# Report !
+						$is_success = 1;
+						if( $DEBUG > 2 )
+						{
+							warn( "Scan events from source $h_ip has been found worthy of reporting after " .
+								"standard deviation test.  Max deviation was $max_deviation and max value ". 
+								"was $max_val\n" );
+						}
+						last BLOCK;
+					}
+					else
+					{
+						# Not worthy of reporting
+						delete( $RPT_CACHE->{scans}->{$h_ip} );
+						if( $DEBUG > 2 )
+						{
+							warn( "Scan events from source $h_ip has been found not worthy of reporting after standard deviation test.\n" );
+							warn( "Max deviation was $max_deviation and max value was $max_val\n" );
+						}
+					}
+				}
+				else
+				{
+					# Not worthy of reporting
+					delete( $RPT_CACHE->{scans}->{$h_ip} );
+					if( $DEBUG > 2 )
+					{
+						warn( "Scan events from source $h_ip has been found not worthy of reporting.\n" );
+						warn( "Did not find any data transfered from host and none back to host.\n" );
+					}
+				}
+			} # end BLOCK
+			
+			if( $is_success )
+			{
+				++$success_scans;
+			}
+			else
+			{
+				++$failed_scans;
+			}
+		}
+		$RPT_CACHE->{scans}->{CLASSIFICATION_TOTALS}->{'SUCCESSFUL'} = $success_scans;
+		$RPT_CACHE->{scans}->{CLASSIFICATION_TOTALS}->{'UNSUCCESSFUL'} = $failed_scans;
+	}
+	
+	return( $success_scans, $failed_scans );
+}
+
+sub output_scansummary
+{
+	my $sub_name = 'output_scansummary';
+	
+	my $ret_string = '';
+	
+	if( ! exists( $RPT_CACHE->{scans} ) )
+	{
+		return( undef );
+	}
+	
+	my( $successful_scans, $failed_scans ) = classifyscans();
+	my $ret_string = <<"END";
+  Scanning Hosts
+    Successful            $successful_scans
+    Unsuccessful          $failed_scans
+END
+	
+	return( $ret_string );
+}
+
+sub incident
+{
+	my $sub_name = 'incident';
+	
+	my $_alarm_struc = $_[0] || return( undef );
+	
+	my $notice_type = Bro::Log::Alarm::notice_type( $_alarm_struc ) or return( undef );
+	my $src_ip = Bro::Log::Alarm::source_addr( $_alarm_struc ) or return( undef );
+	my $dest_ip = Bro::Log::Alarm::destination_addr( $_alarm_struc ) || '';
+	
+	# Find out if this is an incident worth tracking.
+	if( reportableincident( $_alarm_struc ) )
+	{
+		my $timestamp = Bro::Log::Alarm::timestamp( $_alarm_struc );
+		if( ! exists( $RPT_CACHE->{'incident'}->{OFFENDERS}->{$src_ip}->{VICTIMS}->{$dest_ip} ) )
+		{
+			$RPT_CACHE->{'incident'}->{OFFENDERS}->{$src_ip}->{VICTIMS}->{$dest_ip} = {};
+		}
+		
+		my $data_root = $RPT_CACHE->{'incident'}->{OFFENDERS}->{$src_ip}->{VICTIMS}->{$dest_ip};
+		
+		# Put the alarm tag id in the list of tags to watch
+		$data_root->{WATCH_TAG_IDS}->{Bro::Log::Alarm::tag( $_alarm_struc )} = 1;
+		
+		if( exists( $data_root->{BEGIN_TIMESTAMP} ) )
+		{
+			if( $timestamp < $data_root->{BEGIN_TIMESTAMP} )
+			{
+				$data_root->{BEGIN_TIMESTAMP} = $timestamp;
+			}
+		}
+		else
+		{
+			$data_root->{BEGIN_TIMESTAMP} = $timestamp;
+		}
+		
+		# Add the alarm to the list
+		push( @{$data_root->{ALARMS}}, $_alarm_struc );
+		
+		if( $notice_type eq 'SensitiveSignature' )
+		{
+			my $add_score = 0;
+			my $sig_id;
+			
+			# Find the signature id
+			if( $sig_id = sigid( $_alarm_struc ) )
+			{
+				# Get the signature score
+				$add_score = signaturescore( $sig_id );
+			}
+			
+			push( @{$data_root->{SCORE}}, $add_score );
+			
+			# Add the sigid to the hash of known signature notices
+			$RPT_CACHE->{'incident'}->{SIGNATURES}->{$sig_id} = 1;
+		}
+		else
+		{
+			# It's some other type of notice.  This is a general approach to
+			# notices with no special handling.
+			push( @{$data_root->{SCORE}}, noticetypescore( $notice_type ) );
+		}
+	}
+	else
+	{
+		return( 0 );
+	}
+	
+	return( 1 );
+}
+
+sub output_incident
+{
+	my $sub_name = 'output_incident';
+	
+	my $incident_struc = $_[0];
+	my $conn_struc_array_ref = $_[1];
+	my $_max_output_count = $_[2] || 3000;
+	my @results;
+	my $ret_string;
+	my $incident_header;
+	my $connection_pair_format;
+	my $alarm_descr_format;
+	my $alarm_time_dir_format;
+	my $conn_top_format;
+	my $conn_format;
+	my $detail_legend;
+	my $incident_count = 0;
+	my $likely_successful = '';
+	my $likely_unsuccessful = '';
+	my $unknown = '';	
+	my %unsuccessful_sig_ids;
+	
+	if( ! exists( $RPT_CACHE->{incident} ) )
+	{
+		return( undef );
+	}
+	
+	# Legend to print at the top of the incident detail block
+	$detail_legend = <<'END';
+                  # legend for connection type #
+                  ------------------------------
+         C Connection Status
+           # number corresponds to alarm triggered by the connection
+           * successful connection, otherwise unsuccessful.
+         I Initiatator of Connection
+           > connection initiated by remote host
+           < connection initiated by local host
+
+END
+	
+	# Start of incident and the unique number associated with it
+	$incident_header = <<'END';
+------------------------------------------------------------------------
+Incident      @<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< @>>>>>>>>>>>>>>>>>>>>>
+------------------------
+END
+	
+	# connection pair format
+	$connection_pair_format = <<'END';
+Remote Host:  @<<<<<<<<<<<<<<    @<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
+ Local Host:  @<<<<<<<<<<<<<<    @<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
+
+END
+	
+	# Alarm description output
+	$alarm_descr_format = <<'END';
+Alarm: @<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
+  @<< @<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
+~     @<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
+~     Duplicates suppressed: @<<<<<<<<<<<
+END
+
+	# Alarm time and direction
+	$alarm_time_dir_format = <<'END';
+      @<<<<<<<<<<<<<                @>>>>>>>>>>>>>> -> @<<<<<<<<<<<<<<
+~                                       @>>>>>>>>>> -> @<<<<<<<<<<
+END
+	
+	# Header for the connection details
+	$conn_top_format = <<"END";
+Connections (only first $MAX_INCIDENT_CONN_LINES after alarm are listed)
+-----------
+                 time     byte   remote        local   byte
+ date   time   duration transfer  port  C   I   port transfer  protocol
+----- -------- -------- -------- ------ ------ ----- -------- ----------
+END
+	
+	# Connection detail format
+	$conn_format = <<'END';
+@<<<< @<<<<<<< @>>>>>>> @>>>>>>> @>>>>> @<<<@> @>>>> @>>>>>>> @>>>>>>>>>
+END
+	
+	# Check whether signatures are to be included in the report. If so parse
+	# and store all signatures which are to be reported on.
+	if( $INCIDENT_SHOW_SIGNATURE )
+	{
+		loadsignaturecode( keys( %{$RPT_CACHE->{incident}->{SIGNATURES}} ) );
+	}
+	
+ 	foreach my $offender( keys( %{$RPT_CACHE->{incident}->{OFFENDERS}} ) )
+ 	{
+ 		foreach my $__victim( keys( %{$RPT_CACHE->{incident}->{OFFENDERS}->{$offender}->{VICTIMS}} ) )
+ 		{
+ 			my $output;
+ 			my $__data = $RPT_CACHE->{incident}->{OFFENDERS}->{$offender}->{VICTIMS}->{$__victim};
+ 			if( $__data->{CLASS} eq 'LIKELY SUCCESSFUL' )
+ 			{
+ 				$output = \$likely_successful;
+ 			}
+ 			elsif( $__data->{CLASS} eq 'UNKNOWN' )
+ 			{
+ 				$output = \$unknown;
+ 			}
+ 			elsif( $__data->{CLASS} eq 'LIKELY UNSUCCESSFUL' and 
+ 				$SHOW_UNSUCCESSFUL_INCIDENTS )
+ 			{
+ 				$output = \$likely_unsuccessful;
+ 				
+ 				if( $SHOW_UNSUCCESSFUL_INCIDENTS eq 'FIRST INSTANCE' )
+ 				{
+ 					my @new_alarm_list;
+ 					foreach my $alarm( @{$__data->{ALARMS}} )
+ 					{
+ 						if( Bro::Log::Alarm::notice_type( $alarm ) eq 'SensitiveSignature' )
+ 						{
+ 							if( ! exists( $unsuccessful_sig_ids{Bro::Log::Alarm::sigid( $alarm )} ) )
+ 							{
+ 								$unsuccessful_sig_ids{Bro::Log::Alarm::sigid( $alarm )} = 1;
+ 								push( @new_alarm_list, $alarm );
+ 							}
+ 						}
+ 						else
+ 						{
+ 							push( @new_alarm_list, $alarm );
+ 						}
+ 					}
+ 					
+ 					if( scalar( @new_alarm_list ) < 1 )
+ 					{
+ 						next;
+ 					}
+ 					else
+ 					{
+ 						$__data->{ALARMS} = \@new_alarm_list;
+ 					}
+ 				}
+ 			}
+ 			else
+ 			{
+ 				next;
+ 			}
+			
+			my @alarms;
+			my %alarm_times;
+			# Sort the alarms in ascending order (probably already sorted but make sure)
+			for( my $a_idx = 0; $a_idx < @{$__data->{ALARMS}}; ++$a_idx )
+			{
+				my $timestamp = Bro::Log::Alarm::timestamp( $__data->{ALARMS}->[$a_idx] );
+				push( @{$alarm_times{$timestamp}}, $a_idx );
+			}
+			
+			foreach my $ts( sort( {$a <=> $b} keys( %alarm_times ) ) )
+			{
+				foreach my $idx( @{$alarm_times{$ts}} )
+				{
+					push( @alarms, $__data->{ALARMS}->[$idx] );
+				}
+			}
+			
+			undef( %alarm_times );
+			
+			# If duplicate suppression is on then remove duplicate alarms and
+			# set the duplicate count on the alarm that will be displayed.
+			if( $ALARM_SUPPRESS_DUPLICATES and scalar( @alarms ) > 1 )
+			{
+				my @new_alarm_list;
+				my $new_alarm_idx = 0;
+				
+				# prime the new list with the first one in the current list
+				# of alarms.
+				$new_alarm_list[0] = $alarms[0];
+				
+				for( my $i = 1; $i < scalar( @alarms ); ++$i )
+				{
+					if( Bro::Log::Alarm::notice_type( $new_alarm_list[$new_alarm_idx] ) eq
+						Bro::Log::Alarm::notice_type( $alarms[$i] ) )
+					{
+						if( Bro::Log::Alarm::message( $new_alarm_list[$new_alarm_idx] ) ne
+							Bro::Log::Alarm::message( $alarms[$i] ) )
+						{
+							++$new_alarm_idx;
+							$new_alarm_list[$new_alarm_idx] = $alarms[$i];
+						}
+						else
+						{
+							++$new_alarm_list[$new_alarm_idx]->{report_duplicate_count};
+						}
+					}
+					else
+					{
+						++$new_alarm_idx;
+						$new_alarm_list[$new_alarm_idx] = $alarms[$i];
+					}
+				}
+				
+				@alarms = @new_alarm_list;
+			}
+			
+			# Store conn strucs for writting later
+			my @conn_strucs;
+			
+			my $begin_timestamp = $__data->{BEGIN_TIMESTAMP};
+			push( @conn_strucs, incidentconndata( $offender, $__victim, $begin_timestamp ) );
+			
+			my $incident_id = $BRO_CONFIG->{BRO_SITE_NAME} . '-' . sprintf( "%06d", getincidentnumber() );
+			my $victim_hostname = iptoname( $__victim );
+			my $offender_hostname = iptoname( $offender );
+			my %alarm_times;
+			my $last_alarm_idx = 0;
+			my $conn_details_output;
+			my %conn_reference;
+			my $conn_ref_count = 1;
+			
+			$$output .= swrite( $incident_header, $incident_id );
+			# $$output .= swrite( $incident_header, $incident_id, $__data->{CLASS} );
+			
+			# If there is no connection data then skip the connection data ties
+			if( ! $conn_strucs[0] )
+			{
+				# No connection data
+				
+				$conn_details_output .= $conn_top_format;
+				$conn_details_output .= "    No connection data available\n";
+			}
+			else
+			{
+
+				my $local_ip;
+				my $local_hostname;
+				my $remote_ip;
+				my $remote_hostname;
+				
+				# Figure out which host is local, victim or offender
+				my $source_net = Bro::Log::Conn::source_network( $conn_strucs[0] );
+				if( $source_net eq 'L' )
+				{
+					if( Bro::Log::Conn::source_ip( $conn_strucs[0] ) eq $offender )
+					{
+						$remote_ip = $__victim;
+						$remote_hostname = $victim_hostname;
+						$local_ip = $offender;
+						$local_hostname = $offender_hostname;
+					}
+					else
+					{
+						$remote_ip = $offender;
+						$remote_hostname = $offender_hostname;
+						$local_ip = $__victim;
+						$local_hostname = $victim_hostname;
+					}
+				}
+				else
+				{
+					if( Bro::Log::Conn::source_ip( $conn_strucs[0] ) eq $offender )
+					{
+						$remote_ip = $offender;
+						$remote_hostname = $offender_hostname;
+						$local_ip = $__victim;
+						$local_hostname = $victim_hostname;
+					}
+					else
+					{
+						$remote_ip = $__victim;
+						$remote_hostname = $victim_hostname;
+						$local_ip = $offender;
+						$local_hostname = $offender_hostname;
+					}
+				}
+				
+				# Trim the hostnames down if needed
+				$local_hostname = trimhostname( $local_hostname ,39 , '<' );
+				$remote_hostname = trimhostname( $remote_hostname ,39 , '>' );
+				
+				$$output .= swrite( $connection_pair_format, $remote_ip, $remote_hostname,
+								$local_ip, $local_hostname );
+
+				# Delay writing of the details to the returned string
+				$conn_details_output .= $conn_top_format;
+				
+				# This is a copy of @alarms and will be drained as each is matched
+				my @tie_alarms = @alarms;
+				
+				foreach my $conn_struc( @conn_strucs )
+				{
+					my $timestamp = Bro::Log::Conn::timestamp( $conn_struc );
+					my $date = date_md( $timestamp );
+					my $time = time_hms( $timestamp );
+					my $duration = Bro::Log::Conn::duration( $conn_struc, 'raw' );
+					my $service = Bro::Log::Conn::service( $conn_struc );
+					my $remote_bytes;
+					my $remote_port;
+					my $local_bytes;
+					my $local_port;
+					my $direction;
+
+					if( Bro::Log::Conn::source_ip( $conn_struc ) eq $remote_ip )
+					{
+						$remote_bytes = Bro::Log::Conn::source_bytes( $conn_struc, 'raw' );
+						$remote_port = Bro::Log::Conn::source_port( $conn_struc );
+						$local_bytes = Bro::Log::Conn::destination_bytes( $conn_struc, 'raw' );
+						$local_port = Bro::Log::Conn::destination_port( $conn_struc );
+						$direction = ' >';
+					}
+					else
+					{
+						$remote_bytes = Bro::Log::Conn::destination_bytes( $conn_struc, 'raw' );
+						$remote_port = Bro::Log::Conn::destination_port( $conn_struc );
+						$local_bytes = Bro::Log::Conn::source_bytes( $conn_struc, 'raw' );
+						$local_port = Bro::Log::Conn::source_port( $conn_struc );
+						$direction = '< ';
+					}
+
+					my $conn_stat;
+					
+					# Tie connection and alarm data together if possible
+					# Also mark connections (un)successful
+					for( my $i = 0; $i < @tie_alarms; ++$i )
+					{
+						# If the alarm has already been matched then it is not
+						# defined, just skip over it.
+						if( ! $tie_alarms[$i] )
+						{
+							next;
+						}
+						
+						my $alarm_time = Bro::Log::Alarm::timestamp( $tie_alarms[$i] );
+						if( my $tag_id = Bro::Log::Alarm::tag( $tie_alarms[$i] ) )
+						{
+							# Alarm times must fall within at least
+							# 12 minutes of a connection to match up.
+							# This is to help prevent false matches
+							# if tag ids reset do due restarts or crashes.
+							# It is still possible to incorrectly match
+							# if the tag ids are reset often.
+							if( Bro::Log::Conn::range( $conn_struc, $alarm_time, 720 ) and
+								Bro::Log::Conn::containstag( $conn_struc, $tag_id ) )
+							{
+								$conn_reference{$i} = $conn_ref_count;
+								$conn_stat = $conn_ref_count;
+								$tie_alarms[$i] = undef;
+							}
+						}
+					}
+
+					if( $conn_stat )
+					{
+						++$conn_ref_count;
+					}
+					elsif( Bro::Log::Conn::connectsucceed( $conn_struc ) )
+					{
+						$conn_stat = '*';
+					}
+					else
+					{
+						$conn_stat = '';
+					}
+
+					$conn_details_output .= swrite( $conn_format, $date, $time, $duration,
+						$remote_bytes, $remote_port, $conn_stat, $direction,
+						$local_port, $local_bytes, $service );
+				}
+			}
+			
+			# Now go back through and create the alarms section
+			for( my $a_idx = 0; $a_idx < @alarms; ++$a_idx )
+			{
+				my $reference_idx;
+				my $offender_port;
+				my $__victim_port;
+				
+				# Get the source/dest ports and figure out which is local/remote
+				if( Bro::Log::Alarm::source_addr( $alarms[$a_idx] ) eq $offender )
+				{
+					$offender_port = Bro::Log::Alarm::source_port( $alarms[$a_idx] );
+					$__victim_port = Bro::Log::Alarm::destination_port( $alarms[$a_idx] );
+				}
+				else
+				{
+					$__victim_port = Bro::Log::Alarm::source_port( $alarms[$a_idx] );
+					$offender_port = Bro::Log::Alarm::destination_port( $alarms[$a_idx] );
+				}
+				
+				if( exists( $conn_reference{$a_idx} ) )
+				{
+					$reference_idx = $conn_reference{$a_idx};
+				}
+				else
+				{
+					$reference_idx = '';
+				}
+				
+				my $notice_type = Bro::Log::Alarm::notice_type( $alarms[$a_idx] );
+				my $event_msg;
+				if( $notice_type eq 'SensitiveSignature' )
+				{
+					$event_msg .= Bro::Log::Alarm::sigid( $alarms[$a_idx] );
+					$event_msg .= ": " . Bro::Log::Alarm::message( $alarms[$a_idx] );
+				}
+				else
+				{
+					$event_msg .= Bro::Log::Alarm::message( $alarms[$a_idx] );
+				}
+				
+				# Make sure that the event message has some value otherwise
+				# add something default
+				if( ! $event_msg )
+				{
+					$event_msg = '(no event message available)';
+				}
+				
+				my( $message1, $message2 ) = trimstring( $event_msg, 66, 2 );
+				my $duplicate_count;
+				
+				# Check for duplicate counts if applicable
+				if( $alarms[$a_idx]->{report_duplicate_count} )
+				{
+					$duplicate_count = $alarms[$a_idx]->{report_duplicate_count};
+				}
+				
+				my $time = date_md( Bro::Log::Alarm::timestamp( $alarms[$a_idx] ) ) .
+					' '. time_hms( Bro::Log::Alarm::timestamp( $alarms[$a_idx] ) );
+				$$output .= swrite( $alarm_descr_format, $notice_type, $reference_idx,
+								$message1, $message2, $duplicate_count );
+				$$output .= swrite( $alarm_time_dir_format, $time, $offender,
+					$__victim, $offender_port, $__victim_port );
+								
+				# Attach the signature code if the notice type is SensitiveSignature
+				# and $INCIDENT_SHOW_SIGNATURE is true
+				if( $notice_type eq 'SensitiveSignature' and $INCIDENT_SHOW_SIGNATURE )
+				{
+					$$output .= "      signature code:\n";
+					if( my @parts = split( /\n/, signaturecode( Bro::Log::Alarm::sigid( $alarms[$a_idx] ) ) ) )
+					{
+						foreach my $_line( @parts )
+						{
+							$$output .= "        $_line\n";
+						}
+					}
+					else
+					{
+						$$output .= "        (Not available)\n";
+					}
+				}
+				
+				# Attach sub message if available and option set
+				if( Bro::Log::Alarm::sub_message( $alarms[$a_idx] ) and $INCIDENT_SHOW_SUB_MESSAGE )
+				{
+					if( $notice_type eq 'SensitiveSignature' )
+					{
+						$$output .= "      payload:\n";	
+					}
+					else
+					{
+						$$output .= "      sub message:\n";	
+					}
+					
+					foreach my $sub_message( trimstring( Bro::Log::Alarm::sub_message( $alarms[$a_idx] ), 65 ) )
+					{
+						$$output .= "        $sub_message\n";
+					}
+				}
+				# Add a newline between alarms
+				$$output .= "\n";
+			}
+			
+			$$output .= $conn_details_output;
+			
+			$$output .= "-----------------------------\n\n\n";
+			
+			++$incident_count;
+		}
+	}
+	
+	if( $incident_count < 1 )
+	{
+		$ret_string = "     No data to report\n";
+	}
+	else
+	{
+		$ret_string .= $detail_legend . $likely_successful . $unknown . $likely_unsuccessful;
+	}
+	
+	# Clean up some memory
+	delete( $RPT_CACHE->{incident} );
+	
+	return( $ret_string );
+}
+
+sub classifyincidents
+{
+	my $sub_name = 'classifyincidents';
+	
+	my $success = 0;
+	my $unsuccess = 0;
+	my $unknown = 0;
+	
+	if( ! exists( $RPT_CACHE->{incident}->{OFFENDERS} ) )
+	{
+		return( undef );
+	}
+	
+	if( exists( $RPT_CACHE->{incident}->{CLASSIFICATION_TOTALS} ) )
+	{
+		$success = $RPT_CACHE->{incident}->{CLASSIFICATION_TOTALS}->{'LIKELY SUCCESSFUL'};
+		$unsuccess = $RPT_CACHE->{incident}->{CLASSIFICATION_TOTALS}->{'LIKELY UNSUCCESSFUL'};
+		$unknown = $RPT_CACHE->{incident}->{CLASSIFICATION_TOTALS}->{'UNKNOWN'};
+	}
+	else
+	{
+		foreach my $offender( keys( %{$RPT_CACHE->{incident}->{OFFENDERS}} ) )
+		{
+			if( ! exists( $RPT_CACHE->{incident}->{OFFENDERS}->{$offender}->{VICTIMS} ) )
+			{
+				if( $DEBUG > 2 )
+				{
+					warn( __PACKAGE__ . "::$sub_name, No victims listed for offender $offender\n" );
+				}
+				next;
+			}
+			
+			while( my ( $__victim, $__data ) = each( %{$RPT_CACHE->{incident}->{OFFENDERS}->{$offender}->{VICTIMS}} ) )
+			{
+				my $BIGGEST_SCORE;	# store the largest score found for incident
+				
+				if( exists( $__data->{SCORE} ) )
+				{
+					$BIGGEST_SCORE = ( sort( {$b <=> $a} @{$__data->{SCORE}} ) )[0];
+				}
+				else
+				{
+					if( $DEBUG > 2 )
+					{
+						warn( __PACKAGE__ . "::$sub_name, No scores set for offender $offender.  Defaulting to 0\n" );
+					}
+					
+					push( @{$__data->{SCORE}}, 0 );
+					$BIGGEST_SCORE = 0;
+				}
+				
+				my $likelyhood;
+				if( $BIGGEST_SCORE >= $ALARM_THRESHOLD )
+				{
+					$__data->{CLASS} = 'LIKELY SUCCESSFUL';
+					++$success;
+				}
+				elsif( $BIGGEST_SCORE == 0 )
+				{
+					$__data->{CLASS} = 'UNKNOWN';
+					++$unknown;
+				}
+				else
+				{
+					$__data->{CLASS} = 'LIKELY UNSUCCESSFUL';
+					++$unsuccess;
+				}
+			}
+		}
+		$RPT_CACHE->{incident}->{CLASSIFICATION_TOTALS}->{'LIKELY SUCCESSFUL'} = $success;
+		$RPT_CACHE->{incident}->{CLASSIFICATION_TOTALS}->{'LIKELY UNSUCCESSFUL'} = $unsuccess;
+		$RPT_CACHE->{incident}->{CLASSIFICATION_TOTALS}->{'UNKNOWN'} = $unknown;
+	}	
+	
+	return( $success, $unsuccess, $unknown );
+}
+
+sub output_incidentsummary
+{
+	my $sub_name = 'output_incidentsummary';
+	
+	# NOTE: An incident is defined as one or more alarms that occur between two ip
+	# addresses.
+	
+	my $ret_string = '';
+	
+	if( ! exists( $RPT_CACHE->{incident} ) )
+	{
+		return( undef );
+	}
+	
+	my( $success, $unsuccess, $unknown ) = classifyincidents();
+        my $total_incidents = $success + $unknown + $unsuccess;
+	
+	$ret_string = <<"END";
+  Incident Count: $total_incidents
+END
+	
+	return( $ret_string );
+}
+
+sub output_signaturesummary
+{
+	my $sub_name = 'output_signaturesummary';
+	
+	my $ret_string = '';
+	my $total_sigs = 0;
+	my $unique_sigs = 0;
+	my $unique_sources = 0;
+	my $unique_destinations = 0;
+	my $src_dest_pairs = 0;
+	
+	my %source_dest_pairs;
+	my %sources;
+	my %dests;
+	
+	if( ! $RPT_CACHE->{signaturedistribution} )
+	{
+		return( undef );
+	}
+	
+	foreach my $sigid( keys( %{$RPT_CACHE->{signaturedistribution}} ) )
+	{
+		$total_sigs += $RPT_CACHE->{signaturedistribution}->{$sigid}->{COUNT};
+		++$unique_sigs;
+		foreach my $src( keys( %{$RPT_CACHE->{signaturedistribution}->{$sigid}->{SOURCE}} ) )
+		{
+			$sources{$src} = 1;
+		}
+		
+		foreach my $dest( keys( %{$RPT_CACHE->{signaturedistribution}->{$sigid}->{DEST}} ) )
+		{
+			$dests{$dest} = 1;
+		}
+		
+		foreach my $pair( keys( %{$RPT_CACHE->{signaturedistribution}->{$sigid}->{PAIR}} ) )
+		{
+			$source_dest_pairs{$pair} = 1;
+		}
+	}
+	
+	if( my $total = keys( %sources ) )
+	{
+		$unique_sources = $total;
+	}
+	
+	if( my $total = keys( %dests ) )
+	{
+		$unique_destinations = $total;
+	}
+	
+	if( my $total = keys( %source_dest_pairs ) )
+	{
+		$src_dest_pairs = $total;
+	}
+	
+	my $ret_string = <<"END";
+  Signature Summary
+    Total signatures          $total_sigs
+    Unique signatures         $unique_sigs
+    Unique sources            $unique_sources
+    Unique destinations       $unique_destinations
+    Unique source/dest pairs  $src_dest_pairs
+END
+		
+	return( $ret_string );
+}
+
+sub signaturedistribution
+{
+	my $sub_name = 'signaturedistribution';
+	
+	my $alarm_struc = $_[0] || return( undef );
+	
+	if( Bro::Log::Alarm::notice_type( $alarm_struc ) eq 'SensitiveSignature' )
+	{
+		my $sigid = Bro::Log::Alarm::sigid( $alarm_struc );
+		my $src_ip = Bro::Log::Alarm::source_addr( $alarm_struc );
+		my $dst_ip = Bro::Log::Alarm::destination_addr( $alarm_struc );
+		
+		if( $sigid and $src_ip and $dst_ip )
+		{
+			++$RPT_CACHE->{signaturedistribution}->{$sigid}->{SOURCE}->{$src_ip};
+			++$RPT_CACHE->{signaturedistribution}->{$sigid}->{DEST}->{$dst_ip};
+			++$RPT_CACHE->{signaturedistribution}->{$sigid}->{PAIR}->{"$src_ip-$dst_ip"};
+			++$RPT_CACHE->{signaturedistribution}->{$sigid}->{COUNT};
+		}
+	}
+}
+
+sub output_signaturedistribution
+{
+	my $sub_name = 'output_signaturedistribution';
+	
+	my $max_output = $_[0] || 20;
+	my %reversed_hash;
+	my $ret_string = '';
+	my @ordered_list;
+	
+	my $signaturecount_header = <<'END';
+                                        Unique      Unique     Unique
+  Signature ID                Count     Sources     Dests      Pairs
+  ------------------------  ---------  ---------  ---------  -----------
+END
+	my $signaturecount_format = <<'END';
+  @<<<<<<<<<<<<<<<<<<<<<<<  @<<<<<<<<  @<<<<<<<<  @<<<<<<<<  @<<<<<<<<<<
+END
+
+	if( ! exists( $RPT_CACHE->{signaturedistribution} ) )
+	{
+		$ret_string = "  No data to report\n";
+		return( $ret_string );
+	}
+	
+	# Reverse the hash
+	foreach my $sigid( keys( %{$RPT_CACHE->{signaturedistribution}} ) )
+	{
+		push( @{$reversed_hash{$RPT_CACHE->{signaturedistribution}->{$sigid}->{COUNT}}}, $sigid );
+	}
+	
+	# Sort and then set to $ret_string
+	@ordered_list = sort( { $b<=>$a } keys( %reversed_hash ) );
+	
+	my $i = 0;
+	while( defined( my $count = shift( @ordered_list ) ) and $i < $max_output )
+	{
+		foreach my $sigid( @{$reversed_hash{$count}} )
+		{
+			my $source_count = 0;
+			my $dest_count = 0;
+			my $pair_count = 0;
+			
+			$source_count = keys( %{$RPT_CACHE->{signaturedistribution}->{$sigid}->{SOURCE}} );
+			$dest_count = keys( %{$RPT_CACHE->{signaturedistribution}->{$sigid}->{DEST}} );
+			$pair_count = keys( %{$RPT_CACHE->{signaturedistribution}->{$sigid}->{PAIR}} );
+			
+			$ret_string .= swrite( $signaturecount_format,
+							$sigid,
+							$count,
+							$source_count,
+							$dest_count,
+							$pair_count, );
+			++$i;
+			if( !( $i < $max_output ) )
+			{
+				last;
+			}
+		}
+	}
+	
+	if( length( $ret_string ) < 1 )
+	{
+		$ret_string = "  No data to report\n";
+	}
+	else
+	{
+		$ret_string = $signaturecount_header . $ret_string;
+	}
+	
+	return( $ret_string );
+}
+
+######### This report is very misleading.  I left it in only as an example but
+# it's results are not accurate.
+sub droppedpackets
+{
+	my $sub_name = 'droppedpackets';
+	
+	my $alarm_struc = $_[0] || return( undef );
+	
+	if( Bro::Log::Alarm::notice_type( $alarm_struc ) eq 'DroppedPackets' )
+	{
+		if( Bro::Log::Alarm::message( $alarm_struc ) =~ $DROPPED_PACKETS_REGEX )
+		{
+			my $dropped = $1 || 0;
+			my $packets_since_last_notice = $3 || 0;
+			$RPT_CACHE->{droppedpackets}->{DROPPED} += $dropped;
+			$RPT_CACHE->{droppedpackets}->{RECIEVED} += $packets_since_last_notice;
+		}
+		else
+		{
+			return( undef );
+		}
+		return( 1 );
+	}
+	else
+	{
+		return( 0 );
+	}
+}
+
+######### This report is very misleading.  I left it in only as an example but
+# it's results are not accurate.
+sub output_droppedpackets
+{
+	my $sub_name = 'output_droppedpackets';
+	
+	my $dropped;
+	my $recieved;
+	my $percent_dropped;
+	my $ret_string;
+	
+	if( exists( $RPT_CACHE->{droppedpackets} ) and 
+		$RPT_CACHE->{droppedpackets}->{RECIEVED} > 0 )
+	{
+		$dropped = $RPT_CACHE->{droppedpackets}->{DROPPED};
+		$recieved = $RPT_CACHE->{droppedpackets}->{RECIEVED} + $dropped;
+		
+		if( $dropped > 0 )
+		{
+			$percent_dropped = sprintf( "%.4f", ( $dropped / $recieved ) * 100 );
+		}
+		else
+		{
+			$percent_dropped = '0%';
+		}
+	}
+	else
+	{
+		return( undef );
+	}
+	
+	$ret_string = <<"END";
+  Dropped Packets
+    Packets Recieved: $recieved
+    Packets Dropped:  $dropped
+    Percent Dropped: $percent_dropped\%
+END
+	
+	# Clean up some memory
+	delete( $RPT_CACHE->{droppedpackets} );
+	
+	return( $ret_string );
+
+}
+
+sub sigid
+{
+	my $sub_name = 'sigid';
+	
+	my $_alarm_struc = $_[0];
+	my $ret_val;
+	
+	my $ret_val = Bro::Log::Alarm::filename( $_alarm_struc );
+	
+	return( $ret_val );	
+}
+
+sub setsignaturescores
+{
+	my $sub_name = 'setsignaturescores';
+	
+	my $_sigid = $_[0];
+	my $ret_hash = {};
+	
+	if( open( INFILE, $SIGNATURE_ID_SCORES_FILE ) )
+	{
+		while( defined( my $line = <INFILE> ) )
+		{
+			if( $line !~ m/^[[:space:]]*\#/ )
+			{
+				my( $key, $val, $junk ) = split( " ", $line, 3 );
+				$ret_hash->{$key} = $val;
+			}
+		}
+	}
+	else
+	{
+		warn( "Unable to open signature score file at $SIGNATURE_ID_SCORES_FILE\n" );
+		return( undef );
+	}
+	
+	# Capitalize the _DEFAULT_ parameter if not already
+	if( exists( $ret_hash->{'_default_'} ) )
+	{
+		$ret_hash->{'_DEFAULT_'} = $ret_hash->{'_default_'};
+		delete( $ret_hash->{'_default_'} );
+	}
+	
+	# Make sure that a default has been set
+	if( ! exists( $ret_hash->{'_DEFAULT_'} ) or
+		$ret_hash->{'_DEFAULT_'} !~ m/^[[:digit:]]+$/ )
+	{
+		$ret_hash->{'_DEFAULT_'} = 5;
+	}
+	
+	close( INFILE );
+	
+	# Set the package variable to the signature scores taken from the file
+	$SIGNATURE_ID_SCORES = $ret_hash;
+	
+	if( $DEBUG > 3 )
+	{
+		warn( "Current scores for signature ids\n" );
+		while( my( $key, $val ) = each( %{$ret_hash} ) )
+		{
+			warn( "SIGID: $key => SCORE: $val\n" );
+		}
+		warn( "\n" );
+	}
+	
+	return( $ret_hash );
+}
+
+sub setnoticetypescores
+{
+	my $sub_name = 'setnoticetypescores';
+	
+	my $_sigid = $_[0];
+	my $ret_hash = {};
+	
+	if( open( INFILE, $NOTICE_TYPE_SCORES_FILE ) )
+	{
+		while( defined( my $line = <INFILE> ) )
+		{
+			if( $line !~ m/^[[:space:]]*\#/ )
+			{
+				my( $key, $val, $junk ) = split( " ", $line, 3 );
+				$ret_hash->{$key} = $val;
+			}
+		}
+	}
+	else
+	{
+		warn( "Unable to open notice_type score file at $NOTICE_TYPE_SCORES_FILE\n" );
+		return( undef );
+	}
+	
+	# Capitalize the _DEFAULT_ parameter if not already
+	if( exists( $ret_hash->{'_default_'} ) )
+	{
+		$ret_hash->{'_DEFAULT_'} = $ret_hash->{'_default_'};
+		delete( $ret_hash->{'_default_'} );
+	}
+	
+	# Make sure that a default has been set
+	if( ! exists( $ret_hash->{'_DEFAULT_'} ) or
+		$ret_hash->{'_DEFAULT_'} !~ m/^[[:digit:]]+$/ )
+	{
+		$ret_hash->{'_DEFAULT_'} = 0;
+	}
+	
+	close( INFILE );
+	
+	# Set the package variable to the signature scores taken from the file
+	$NOTICE_TYPE_SCORES = $ret_hash;
+	
+	if( $DEBUG > 3 )
+	{
+		warn( "Current scores for notice types\n" );
+		while( my( $key, $val ) = each( %{$ret_hash} ) )
+		{
+			warn( "NOTICE_TYPE: $key => SCORE: $val\n" );
+		}
+		warn( "\n" );
+	}
+	
+	return( $ret_hash );
+}
+
+sub signaturescore
+{
+	my $sub_name = 'signaturescore';
+	
+	my $sigid = $_[0] || '_DEFAULT_';
+	my $ret_val;
+	
+	if( exists( $SIGNATURE_ID_SCORES->{$sigid} ) )
+	{
+		$ret_val = $SIGNATURE_ID_SCORES->{$sigid};
+	}
+	else
+	{
+		$ret_val = $SIGNATURE_ID_SCORES->{'_DEFAULT_'};
+	}
+	
+	return( $ret_val );
+}
+
+
+sub noticetypescore
+{
+	my $sub_name = 'noticetypescore';
+	
+	my $notice_type = $_[0] || '_DEFAULT_';
+	my $ret_val;
+	
+	if( exists( $NOTICE_TYPE_SCORES->{$notice_type} ) )
+	{
+		$ret_val = $NOTICE_TYPE_SCORES->{$notice_type};
+	}
+	else
+	{
+		$ret_val = $NOTICE_TYPE_SCORES->{'_DEFAULT_'};
+	}
+	
+	return( $ret_val );
+}
+sub addconndata
+{
+	my $sub_name = 'addconndata';
+	# The purpose of this function is to add additional data to report
+	# parts that can use it.  The data can be used to weight probabilities
+	# or add data to a report.
+	
+	# Filehandle which contains connection data.
+	my $conn_struc = $_[0] || return( undef );	# ref to Bro::Log::Conn struc
+	my $conn_line = $_[1] || return( undef );	# ref to string
+	my $add_override = $_[2];
+	
+	# Scans really only mean something if a successful connection was made
+	# or an annomylous conection out of the scan was made.
+	my $src_ip = Bro::Log::Conn::source_ip( $conn_struc );
+	my $dest_ip = Bro::Log::Conn::destination_ip( $conn_struc );
+	my $service = Bro::Log::Conn::service( $conn_struc );
+	my $success_connect = Bro::Log::Conn::connectsucceed( $conn_struc );
+	my $src_net = Bro::Log::Conn::source_network( $conn_struc );
+	if( exists( $RPT_CACHE->{scans}->{$src_ip} ) and
+		$RPT_CACHE->{scans}->{$src_ip}->{CONNECTIONS_TO_OFFENDER} )
+	{
+		if( $service !~ m/^dns|ident$/ and
+				$src_net eq 'L' and
+				$success_connect )
+		{
+			++$RPT_CACHE->{scans}->{$dest_ip}->{CONNECTIONS_TO_OFFENDER};
+		}
+	}
+	# If a scanner and not a service to ignore and bytes >= 0 then store
+	# the byte count for a post collection standard deviation test.
+	elsif( exists( $RPT_CACHE->{scans}->{$src_ip} ) )
+	{
+		my $src_bytes = Bro::Log::Conn::source_bytes( $conn_struc );
+		my $dest_bytes = Bro::Log::Conn::destination_bytes( $conn_struc );
+		if( $service !~ m/^dns|ident$/ )
+		{
+			if( $src_bytes >= 0 )
+			{
+				++$RPT_CACHE->{scans}->{$src_ip}->{BYTES_SENT}->{$src_bytes};
+				++$RPT_CACHE->{scans}->{$src_ip}->{BYTES_RCV}->{$dest_bytes};
+			}
+		}
+	}
+	# If a scanner is the destination and our local_net is the orginator
+	# of the connection this may be very interesting.
+	elsif( exists( $RPT_CACHE->{scans}->{$dest_ip} ) and
+		$service !~ m/^dns|ident$/ and
+		$src_net eq 'L' )
+	{
+		++$RPT_CACHE->{scans}->{$dest_ip}->{CONNECTIONS_TO_OFFENDER};
+	}
+	
+	# Add connection data to incidents
+	my $offender_address;
+	my $victim_address;
+	if( exists( $RPT_CACHE->{incident}->{OFFENDERS}->{$src_ip} ) )
+	{
+		# Does the connection data contain the victim address
+		if( exists( $RPT_CACHE->{incident}->{OFFENDERS}->{$src_ip}->{VICTIMS}->{$dest_ip} ) )
+		{
+			$offender_address = $src_ip;
+			$victim_address = $dest_ip;
+		}
+	}
+	elsif( exists( $RPT_CACHE->{incident}->{OFFENDERS}->{$dest_ip} ) )
+	{
+		# Does the connection data contain the victim address
+		if( exists( $RPT_CACHE->{incident}->{OFFENDERS}->{$dest_ip}->{VICTIMS}->{$src_ip} ) )
+		{
+			$offender_address = $dest_ip;
+			$victim_address = $src_ip;
+			if( $service !~ m/^dns|ident$/ )
+			{
+				# This means there was a connection from the victim back to the 
+				# offender.  Most likely very interesting.
+				push( @{$RPT_CACHE->{incident}->{OFFENDERS}->{$dest_ip}->{VICTIMS}->{$src_ip}->{SCORE}}, 100 );
+			}
+		}
+	}
+	
+	# If the offender address was found in the connection struc then do a few
+	# more checks on whether to store the data for later retrieval.
+	if( $offender_address )
+	{
+		if( ! $victim_address )
+		{
+			$victim_address = '';
+		}
+		
+		my $temp_fh = $RPT_CACHE->{incident}->{'TEMP_FILE_HANDLE'};
+		my $incident_data;
+		
+		if( exists( $RPT_CACHE->{incident}->{OFFENDERS}->{$offender_address} ) and
+			exists( $RPT_CACHE->{incident}->{OFFENDERS}->{$offender_address}->{VICTIMS}->{$victim_address} ) )
+		{
+			my $data_root = $RPT_CACHE->{incident}->{OFFENDERS}->{$offender_address}->{VICTIMS}->{$victim_address};
+			$incident_data = $RPT_CACHE->{incident}->{OFFENDERS}->{$offender_address}->{VICTIMS}->{$victim_address};
+
+			# Check if there was an explict override set. This currently means
+			# that the tag id in the conn data matches a tag id in an alarm of
+			# interest.
+			
+			if( my $matched_tag =
+				Bro::Log::Conn::containstag( $conn_struc,
+					keys( %{$data_root->{WATCH_TAG_IDS}} ) ) )
+			{
+				delete( $data_root->{WATCH_TAG_IDS}->{$matched_tag} );
+				print $temp_fh $$conn_line;
+				++$incident_data->{CONN_COUNT};
+			}
+			# CONN_COUNT must be > 0.  This means that the tagged alarm has
+			# been added and further conn data should be gathered.
+			# Check if enough conn data has already been gathered for this incident
+			elsif( $incident_data->{CONN_COUNT} > 0 and
+				$incident_data->{CONN_COUNT} < $MAX_INCIDENT_CONN_LINES )
+			{
+				print $temp_fh $$conn_line;
+				++$incident_data->{CONN_COUNT};
+			}
+			# Conn data can be out of order.  If the conn data containing a tag
+			# id has not been encountered then start gathering data that's at
+			# least at or after the first alarm time for an incident.
+			elsif( $incident_data->{CONN_COUNT} < 1 and
+				Bro::Log::Conn::timestamp( $conn_struc ) >= $incident_data->{BEGIN_TIMESTAMP} )
+			{
+				print $temp_fh $$conn_line;
+				++$incident_data->{CONN_COUNT};
+			}
+		}
+	}
+	
+	return( 1 );
+}
+
+sub reportableoffense
+{
+	my $sub_name = 'reportableoffense';
+	
+	my $alarm_struc = $_[0] || return( undef );
+	my $ret_val = 0;
+	
+	if( reportableincident( $alarm_struc ) )
+	{
+		$ret_val = 1;
+	}
+	elsif( reportablescan( $alarm_struc ) )
+	{
+		$ret_val = 1;
+	}
+	
+	return( $ret_val );
+}
+
+sub reportableincident
+{
+	my $sub_name = 'reportableincident';
+	
+	my $alarm_struc = $_[0] || return( undef );
+	my $notice_type = Bro::Log::Alarm::notice_type( $alarm_struc );
+	my $ret_val = 0;
+	
+	if( exists( $INCIDENT_EVENT_LIST->{$notice_type} ) )
+	{
+		if( exists( $INCIDENT_EVENT_LIST->{DEFAULT_IGNORE} ) )
+		{
+			$ret_val = 1;
+		}
+		else
+		{
+			$ret_val = 0;
+		}
+	}
+	elsif( exists( $INCIDENT_EVENT_LIST->{DEFAULT_IGNORE} ) )
+	{
+		$ret_val = 0;
+	}
+	else
+	{
+		$ret_val = 1;
+	}
+	
+	# If it is reportable make sure it is not classified as a scan
+	if( $ret_val and reportablescan( $alarm_struc ) )
+	{
+		$ret_val = 0;
+	}
+	
+	return( $ret_val );
+}
+
+sub setreportableincident
+{
+	my $sub_name = 'setreportableincident';
+	my @incident_list = @_;
+	
+	# If called with one or more parameters then modify the list
+	if( @incident_list > 0 )
+	{
+		foreach my $notice_type( @incident_list )
+		{
+			if( $notice_type eq 'DEFAULT_ALLOW' )
+			{
+				$INCIDENT_EVENT_LIST->{'DEFAULT_ALLOW'} = 1;
+				delete( $INCIDENT_EVENT_LIST->{'DEFAULT_IGNORE'} );
+			}
+			elsif( $notice_type eq 'DEFAULT_IGNORE' )
+			{
+				$INCIDENT_EVENT_LIST->{'DEFAULT_IGNORE'} = 1;
+				delete( $INCIDENT_EVENT_LIST->{'DEFAULT_ALLOW'} )
+			}
+			elsif( $notice_type =~ m/^\-([^[:space:]]+)$/ )
+			{
+				$notice_type = $1;
+				delete( $INCIDENT_EVENT_LIST->{$notice_type} );
+			}
+			elsif( $notice_type =~ m/^\+?([^[:space:]]+)$/ )
+			{
+				$notice_type = $1;
+				$INCIDENT_EVENT_LIST->{$notice_type} = 1;
+			}
+		}
+
+		# Make sure that a default policy has been set
+		if( ! ( exists( $INCIDENT_EVENT_LIST->{'DEFAULT_IGNORE'} ) or
+			exists( $INCIDENT_EVENT_LIST->{'DEFAULT_ALLOW'} ) ) )
+		{
+			$INCIDENT_EVENT_LIST->{'DEFAULT_ALLOW'} = 1;
+		}
+	}
+	
+	# construct the current list contained in the incident event list.
+	# The last element of the list will alway be the current default 
+	# policy of DEFAULT_ALLOW or DEFAULT_IGNORE
+	my %dupe_event_list = %{$INCIDENT_EVENT_LIST};
+	my $default_policy;
+	if( exists( $dupe_event_list{DEFAULT_ALLOW} ) )
+	{
+		$default_policy = 'DEFAULT_ALLOW';
+	}
+	else
+	{
+		$default_policy = 'DEFAULT_IGNORE';
+	}
+	delete( $dupe_event_list{$default_policy} );
+	
+	# Return the list of incident events and the default policy
+	# that will be applied to the list.
+	return( keys( %dupe_event_list ), $default_policy );
+}
+
+sub reportablescan
+{
+	my $sub_name = 'reportablescan';
+	
+	my $alarm_struc = $_[0] || return( undef );
+	my $notice_type = Bro::Log::Alarm::notice_type( $alarm_struc );
+	
+	if( exists( $SCAN_EVENT_LIST->{$notice_type} ) )
+	{
+		return( 1 );
+	}
+	else
+	{
+		return( 0 );
+	}
+}
+
+sub setreportablescan
+{
+	my $sub_name = 'setreportablescan';
+	
+	my @scan_list = @_;
+	
+	# If one or more args are passed then modify the list
+	if( @scan_list > 0 )
+	{
+		foreach my $notice_type( @scan_list )
+		{
+			if( $notice_type =~ m/^\-([^[:space:]]+)$/ )
+			{
+				$notice_type = $1;
+				delete( $SCAN_EVENT_LIST->{$notice_type} );
+			}
+			elsif( $notice_type =~ m/^\+?([^[:space:]]+)$/ )
+			{
+				$notice_type = $1;
+				$SCAN_EVENT_LIST->{$notice_type} = 1;
+			}
+		}
+	}
+	
+	# Return the list of notices types that are considered scans.
+	return( keys( %{$SCAN_EVENT_LIST} ) );
+}
+
+sub tempincidentfile
+{
+	my $sub_name = 'tempincidentfile';
+	
+	my $arg = $_[0];
+	
+	if( $arg eq 'close' )
+	{
+		close( $RPT_CACHE->{incident}->{TEMP_FILE_HANDLE} );
+		delete( $RPT_CACHE->{incident}->{TEMP_FILE_HANDLE} );
+		return( 1 );
+	}
+	
+	if( ! exists( $RPT_CACHE->{incident}->{TEMP_FILE_NAME} ) )
+	{
+		$RPT_CACHE->{incident}->{TEMP_FILE_NAME} = 
+			tempfile( 'add', "incident_conn_data." );
+		
+		if( $DEBUG > 2 )
+		{
+			warn( "Created incident temp file " . $RPT_CACHE->{incident}->{TEMP_FILE_NAME} . "\n" );
+		}
+	}
+	
+	if( exists( $RPT_CACHE->{incident}->{TEMP_FILE_HANDLE} ) )
+	{
+		return( $RPT_CACHE->{incident}->{TEMP_FILE_HANDLE} );
+	}
+	else
+	{
+		if( open( INCTEMPOUT, ">>" .$RPT_CACHE->{incident}->{TEMP_FILE_NAME} ) )
+		{
+			$RPT_CACHE->{incident}->{TEMP_FILE_HANDLE} = \*INCTEMPOUT;
+			return( $RPT_CACHE->{incident}->{TEMP_FILE_HANDLE} );
+		}
+		else
+		{
+			warn( __PACKAGE__ . "::$sub_name, Unable to open temp file " . $RPT_CACHE->{incident}->{TEMP_FILE_NAME} . " for writting\n" );
+			return( undef );
+		}
+	}
+}
+
+sub incidentconndata
+{
+	my $sub_name = 'incidentconndata';
+	
+	my $offender = $_[0] || return( undef );
+	my $victim = $_[1] || return( undef );
+	my $start_time = $_[2] || -1;
+	my $end_time = $_[3] || 9999999999;
+	
+	my @matching_lines;
+	my %times;
+	my $idx = 0;
+	my @ret_strucs;
+	
+	if( ! $RPT_CACHE->{incident}->{TEMP_FILE_NAME} )
+	{
+		warn( "No incident temp file exists.  Unable to add connection data to incidents.\n" );
+		return( undef );
+	}
+	
+	if( open( INFILE, $RPT_CACHE->{incident}->{TEMP_FILE_NAME} ) )
+	{
+		while( defined( my $line = <INFILE> ) and $idx < $MAX_INCIDENT_CONN_LINES )
+		{
+			if( $line =~ m/$victim/ and $line =~ m/$offender/ )
+			{
+				my $conn_struc = Bro::Log::Conn::new( \$line );
+				my( $conn_start, $conn_end ) = Bro::Log::Conn::range( $conn_struc );
+
+				# Conn timestamps can be duplicates, check here for that case.
+				if( exists( $times{$conn_start} ) )
+				{
+					push( @{$matching_lines[$times{$conn_start}]}, $conn_struc );
+				}
+				else
+				{
+					$times{$conn_start} = $idx;
+					
+					push( @{$matching_lines[$idx]}, $conn_struc );
+					++$idx;
+				}
+			}
+		}
+	}
+	else
+	{
+		warn( "Failed to open incident temp file " . $RPT_CACHE->{incident}->{TEMP_FILE_NAME} . " for reading.\n" );
+	}
+	
+	close( INFILE );
+	
+	# Sort the lines in ascending order
+	foreach my $key( sort( {$a <=> $b} keys( %times ) ) )
+	{
+		push( @ret_strucs, @{$matching_lines[$times{$key}]} );
+	}
+	
+	return( @ret_strucs );
+}
+
+
+sub check_incident_struc
+{
+	foreach my $sus( keys( %{$RPT_CACHE->{incident}->{OFFENDERS}} ) )
+	{
+		if( ! $sus )
+		{
+			print "Suspect is undef\n";
+			return( undef );
+		}
+		
+		if( ! $RPT_CACHE->{incident}->{OFFENDERS}->{$sus} )
+		{
+			print "Incident data not defined\n";
+			return( undef );
+		}
+		
+		if( ! exists( $RPT_CACHE->{incident}->{OFFENDERS}->{$sus}->{VICTIMS} ) )
+		{
+			print "No data for VICTIMS\n";
+			return( undef );
+		}
+		
+		print "NEW OFFENDER: $sus\n";
+		foreach my $vic( keys( %{$RPT_CACHE->{incident}->{OFFENDERS}->{$sus}->{VICTIMS}} ) )
+		{
+			if( ! $vic )
+			{
+				print "Victim is not defined\n";
+				return( undef );
+			}
+			print "NEW VICTIM: $vic\n";
+			
+			if( ! $RPT_CACHE->{incident}->{OFFENDERS}->{$sus}->{VICTIMS}->{$vic} )
+			{
+				print "Victim data is not defined\n";
+				return( undef );
+			}
+			
+			foreach my $key( keys( %{$RPT_CACHE->{incident}->{OFFENDERS}->{$sus}->{VICTIMS}->{$vic}} ) )
+			{
+				print "KEY: $key\n";
+			}
+			
+			foreach my $alarm( @{$RPT_CACHE->{incident}->{OFFENDERS}->{$sus}->{VICTIMS}->{$vic}->{ALARMS}} )
+			{
+				print "Message: ". Bro::Log::Alarm::message( $alarm ) ."\n";
+			}
+		}
+		
+		print "     END\n";
+	}
+}
+
+sub availablereports
+{
+	my $sub_name = 'availablereports';
+	
+	my @ret_list = keys( %REPORT_MAP );
+	
+	return( @ret_list );
+}
+
+sub reportinputfunc
+{
+	my $sub_name = 'reportinputfunc';
+	
+	my $report_name = $_[0] || return( undef );
+	
+	if( exists( $REPORT_MAP{$report_name} ) )
+	{
+		return( $REPORT_MAP{$report_name}->{'input'} );
+	}
+	else
+	{
+		return( undef );
+	}
+}
+
+sub reportoutputfunc
+{
+	my $sub_name = 'reportoutputfunc';
+	
+	my $report_name = $_[0] || return( undef );
+	
+	if( exists( $REPORT_MAP{$report_name} ) )
+	{
+		return( $REPORT_MAP{$report_name}->{'output'} );
+	}
+	else
+	{
+		return( undef );
+	}
+}
+
+sub loadsignaturecode
+{
+	my $sub_name = 'loadsignaturecode';
+	
+	my @args = @_;
+	my %match_sigs;
+	my @file_list;
+	
+	if( @args > 0 )
+	{
+		# If a list of signatures to find is given then only those will be 
+		  # stored otherwise all signatures will be stored.
+		
+		foreach my $sigid( @args )
+		{
+			$match_sigs{$sigid} = 1;
+		}
+	}
+	
+	if( ! ( @file_list = Bro::Signature::filelist() ) )
+	{
+		warn( __PACKAGE__ . "::$sub_name, Unable to retrieve a list of signature files\n" );
+	}
+	
+	foreach my $file_name( @file_list )
+	{
+		foreach my $sig_obj( getrules( $file_name ) )
+		{
+			my $code_sigid = $sig_obj->sigid();
+			if( !( %match_sigs ) or exists( $match_sigs{$code_sigid} ) )
+			{
+				$RPT_CACHE->{signaturecode}->{$code_sigid} = $sig_obj->output();
+			}
+		}
+	}
+}
+
+sub signaturecode
+{
+	my $sub_name = 'signaturecode';
+	
+	my $sigid = $_[0] || return( undef );
+	
+	# Check on whether the signature block has been found and stored.
+	if( $RPT_CACHE->{signaturecode}->{$sigid} )
+	{
+		return( $RPT_CACHE->{signaturecode}->{$sigid} );
+	}
+	else
+	{
+		return( '' );
+	}
+}
+
+
+1;
diff --git a/scripts/perl/lib/Bro/Report/Conn.pm b/scripts/perl/lib/Bro/Report/Conn.pm
new file mode 100644
index 0000000000..cfa6fda635
--- /dev/null
+++ b/scripts/perl/lib/Bro/Report/Conn.pm
@@ -0,0 +1,770 @@
+package Bro::Report::Conn;
+
+use strict;
+require 5.006_001;
+use Bro::Report qw( trimhostname iptoname swrite trimbytes );
+use Bro::Log::Conn;
+
+use vars qw( $VERSION
+			$MAX_LOCAL_SERVICE_USERS );
+
+# $Id: Conn.pm 1418 2005-09-29 18:25:09Z tierney $
+$VERSION = 1.20;
+
+$MAX_LOCAL_SERVICE_USERS = 50;
+
+my %REPORT_MAP = ( 'top_sources' => { input => __PACKAGE__ . '::sourcecount',
+							output => __PACKAGE__ . '::output_sourcecount' },
+		'top_destinations' => { input => __PACKAGE__ . '::destcount',
+							output => __PACKAGE__ . '::output_destcount' },
+		'top_services' => { input => __PACKAGE__ . '::servicecount',
+						output => __PACKAGE__ . '::output_servicecount', },
+		'top_local_service_users' => { input => __PACKAGE__ . '::localserviceusers',
+								output => __PACKAGE__ . '::output_localserviceusers', },
+		'success_fail_stats' => { input => __PACKAGE__ . '::successfailcount',
+							output => __PACKAGE__ . '::output_successfailcount', },
+		'byte_transfer_pairs' => { input => __PACKAGE__ . '::bytetransferpairs',
+						output => __PACKAGE__ . '::output_bytetransferpairs', },
+		);
+
+# Memory used in this variable will be deleted by functions which output
+# the values stored for it's respective counting function.
+my $RPT_CACHE;
+
+sub sourcecount
+{
+	my $sub_name = 'sourcecount';
+	
+	# [0] CONN_COUNT
+	# [1] BYTE_COUNT
+	my $_conn_struc = $_[0] || return( undef );
+	my $src_ip = Bro::Log::Conn::source_ip( $_conn_struc ) || return( undef );
+	if( Bro::Log::Conn::connectsucceed( $_conn_struc ) )
+	{
+		my $bytes = Bro::Log::Conn::source_bytes( $_conn_struc );
+		++$RPT_CACHE->{$sub_name}->{$src_ip}->[0];
+		$RPT_CACHE->{$sub_name}->{$src_ip}->[1] += $bytes;
+		return( 1 );
+	}
+	else
+	{
+		return( 0 );
+	}
+}
+
+sub output_sourcecount
+{
+	my $sub_name = 'output_sourcecount';
+	
+	my $_max_output = $_[0] || 20;
+	my $top_format = $_[1];
+	my $format = $_[2];
+	my $conn_sum = 0;
+	my $cnt = 0;
+	my $avg = 0;
+	my $max_hostname_length = 31;
+	my @results;
+	my $ret_string;
+	my @heading_names = ( 'Host', 'IP', 'Bytes', 'Conn. Count' );
+	
+	if( ! $top_format )
+	{
+		$top_format = <<'END'
+  @||||||||||||||||||||||||||||||  @||||||||||||||  @|||||  @|||||||||||
+  -------------------------------  ---------------  ------  ------------
+END
+	}
+	
+	if( ! $format )
+	{
+		$format = <<'END'
+  @>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>  @<<<<<<<<<<<<<<  @>>>>>  @>>>>>>>>>>>
+END
+	}
+	
+	# Figure out what the average count is
+	foreach my $count_struc( values( %{$RPT_CACHE->{sourcecount}} ) )
+	{
+		$conn_sum += $count_struc->[0];
+		++$cnt
+	}
+	
+	# If there are no connection counts then bail
+	if( $cnt < 1 )
+	{
+		return( undef );
+	}
+	
+	$avg = $conn_sum / $cnt;
+	
+	# remove anything which is way too small before sorting
+	my $smallest_count = 2;
+	my $percent_of_avg = .1;
+	my $max_sort_size = $_max_output * 2;
+	while( ( $cnt > $max_sort_size ) and ( $percent_of_avg < .3 ) )
+	{
+		while( my( $ip, $struc ) = each( %{$RPT_CACHE->{sourcecount}} ) and $cnt > $max_sort_size )
+		{
+			if( $struc->[0] < $smallest_count )
+			{
+				delete( $RPT_CACHE->{sourcecount}->{$ip} );
+				--$cnt;
+			}
+			$smallest_count = int( $avg * $percent_of_avg );
+		}
+		$percent_of_avg += .1;
+	}
+	
+	# Put the remaining data into a temp hash for sorting
+	my %count_hash;
+	foreach my $ip( keys( %{$RPT_CACHE->{sourcecount}} ) )
+	{
+		# connection count = $RPT_CACHE->{sourcecount}->{$ip}->[0];
+		# byte count = $RPT_CACHE->{sourcecount}->{$ip}->[1];
+		push( @{$count_hash{$RPT_CACHE->{sourcecount}->{$ip}->[0]}},
+			[ $ip, $RPT_CACHE->{sourcecount}->{$ip}->[0], $RPT_CACHE->{sourcecount}->{$ip}->[1] ] );
+	}
+	
+	my $output_cnt = 0;
+	foreach my $num_conn( sort { $b <=> $a } keys( %count_hash ) )
+	{
+		foreach my $struc( @{$count_hash{$num_conn}} )
+		{
+			++$output_cnt;
+			if( $output_cnt > $_max_output )
+			{
+				last;
+			}
+			else
+			{
+				push( @results, $struc );
+			}
+		}
+		if( $output_cnt > $_max_output )
+		{
+			last;
+		}
+	}
+	
+	# clear out memory space
+	delete( $RPT_CACHE->{sourcecount} );
+	
+	# Set the heading
+	$ret_string .= swrite( $top_format, @heading_names );
+	
+	# Write the contents
+	foreach my $line( @results )
+	{
+		my $ip = $line->[0];
+		my $num_conn = $line->[1];
+		my $num_bytes = trimbytes( $line->[2], 5 );
+		my $name = trimhostname( iptoname( $ip ), $max_hostname_length, '>' );
+		$ret_string .= swrite( $format, $name, $ip, $num_bytes, $num_conn );
+	}
+	
+	return( $ret_string );
+}
+
+sub destcount
+{
+	my $sub_name = 'destcount';
+	
+	my $_conn_struc = $_[0] || return( undef );
+	my $dst_ip = Bro::Log::Conn::destination_ip( $_conn_struc ) || return( undef );
+	if( Bro::Log::Conn::connectsucceed( $_conn_struc ) )
+	{
+		my $bytes = Bro::Log::Conn::destination_bytes( $_conn_struc );
+		++$RPT_CACHE->{$sub_name}->{$dst_ip}->[0];
+		$RPT_CACHE->{$sub_name}->{$dst_ip}->[1] += $bytes;
+		return( 1 );
+	}
+	else
+	{
+		return( 0 );
+	}
+}
+
+sub output_destcount
+{
+	my $sub_name = 'output_destcount';
+	
+	my $_max_output = $_[0] || 20;
+	my $top_format = $_[1];
+	my $format = $_[2];
+	my $conn_sum = 0;
+	my $cnt = 0;
+	my $avg = 0;
+	my $max_hostname_length = 31;
+	my @results;
+	my $ret_string;
+	my @heading_names = ( 'Host', 'IP', 'Bytes', 'Conn. Count' );
+	
+	if( ! $top_format )
+	{
+		$top_format = <<'END'
+  @||||||||||||||||||||||||||||||  @||||||||||||||  @|||||  @|||||||||||
+  -------------------------------  ---------------  ------  ------------
+END
+	}
+	
+	if( ! $format )
+	{
+		$format = <<'END'
+  @>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>  @<<<<<<<<<<<<<<  @>>>>>  @>>>>>>>>>>>
+END
+	}
+	
+	# Figure out what the average count is
+	foreach my $count_struc( values( %{$RPT_CACHE->{destcount}} ) )
+	{
+		$conn_sum += $count_struc->[0];
+		++$cnt
+	}
+	
+	# If there are no connection counts then bail
+	if( $cnt < 1 )
+	{
+		return( undef );
+	}
+	
+	$avg = $conn_sum / $cnt;
+	
+	# remove anything which is way too small before sorting
+	my $smallest_count = 2;
+	my $percent_of_avg = .1;
+	my $max_sort_size = $_max_output * 2;
+	while( ( $cnt > $max_sort_size ) and ( $percent_of_avg < .3 ) )
+	{
+		while( my( $ip, $struc ) = each( %{$RPT_CACHE->{destcount}} ) and $cnt > $max_sort_size )
+		{
+			if( $struc->[0] < $smallest_count )
+			{
+				delete( $RPT_CACHE->{destcount}->{$ip} );
+				--$cnt;
+			}
+			$smallest_count = int( $avg * $percent_of_avg );
+		}
+		$percent_of_avg += .1;
+	}
+	
+	# Put the remaining data into a temp hash for sorting
+	my %count_hash;
+	foreach my $ip( keys( %{$RPT_CACHE->{destcount}} ) )
+	{
+		# connection count = $RPT_CACHE->{destcount}->{$ip}->{CONN_COUNT};
+		# byte count = $RPT_CACHE->{destcount}->{$ip}->{BYTE_COUNT};
+		push( @{$count_hash{$RPT_CACHE->{destcount}->{$ip}->[0]}},
+			[ $ip, $RPT_CACHE->{destcount}->{$ip}->[0], $RPT_CACHE->{destcount}->{$ip}->[1] ] );
+	}
+	
+	my $output_cnt = 0;
+	foreach my $num_conn( sort { $b <=> $a } keys( %count_hash ) )
+	{
+		foreach my $struc( @{$count_hash{$num_conn}} )
+		{
+			++$output_cnt;
+			if( $output_cnt > $_max_output )
+			{
+				last;
+			}
+			else
+			{
+				push( @results, $struc );
+			}
+		}
+		if( $output_cnt > $_max_output )
+		{
+			last;
+		}
+	}
+	
+	# clear out memory space
+	delete( $RPT_CACHE->{destcount} );
+	
+	# Set the heading
+	$ret_string .= swrite( $top_format, @heading_names );
+	
+	# Write the contents
+	foreach my $line( @results )
+	{
+		my $ip = $line->[0];
+		my $num_conn = $line->[1];
+		my $num_bytes = trimbytes( $line->[2], 5 );
+		my $name = trimhostname( iptoname( $ip ), $max_hostname_length, '>' );
+		$ret_string .= swrite( $format, $name, $ip, $num_bytes, $num_conn );
+	}
+	
+	return( $ret_string );
+}
+
+sub servicecount
+{
+	my $sub_name = 'servicecount';
+	
+	# [0] CONN_COUNT
+	# [1] BYTES_IN
+	# [2] BYTES_OUT
+	
+	my $_conn_struc = $_[0] || return( undef );
+	my $service = Bro::Log::Conn::service( $_conn_struc ) || return( undef );
+	if( Bro::Log::Conn::connectsucceed( $_conn_struc ) )
+	{
+		my $src_bytes = Bro::Log::Conn::source_bytes( $_conn_struc );
+		my $dest_bytes = Bro::Log::Conn::destination_bytes( $_conn_struc );
+		++$RPT_CACHE->{$sub_name}->{$service}->[0];
+		if( Bro::Log::Conn::source_network( $_conn_struc ) eq 'L' )
+		{
+			$RPT_CACHE->{$sub_name}->{$service}->[1] += $dest_bytes;
+			$RPT_CACHE->{$sub_name}->{$service}->[2] += $src_bytes;
+		}
+		else
+		{
+			$RPT_CACHE->{$sub_name}->{$service}->[1] += $src_bytes;
+			$RPT_CACHE->{$sub_name}->{$service}->[2] += $dest_bytes;
+		}
+		return( 1 );
+	}
+	else
+	{
+		return( 0 );
+	}
+}
+
+sub output_servicecount
+{
+	my $sub_name = 'output_servicecount';
+	
+	my $_max_output_count = $_[0] || 20;
+	my $top_format;
+	my $format;
+	my @results;
+	my @heading_names = ( 'Service', 'Conn. Count', '% of Total', 'Bytes In', 'Bytes Out' );
+	my $ret_string;
+	
+	if( ! $top_format )
+	{
+		$top_format = <<'END'
+  @<<<<<<<<<<<  @>>>>>>>>>>>  @>>>>>>>>>  @>>>>>>>>  @>>>>>>>>
+  ------------  ------------  ----------  ---------  ---------
+END
+	}
+	
+	if( ! $format )
+	{
+		$format = <<'END'
+  @<<<<<<<<<<<  @>>>>>>>>>>>  @>>>>>>>>>  @>>>>>>>>  @>>>>>>>>
+END
+	}
+	
+	my %count_hash;
+	my $total_count = 0;
+	while( my( $name, $struc ) = each( %{$RPT_CACHE->{servicecount}} ) )
+	{
+		$total_count += $struc->[0];
+		push( @{$count_hash{$struc->[0]}}, 
+			[ $name, $struc->[1], $struc->[2] ] );
+	}
+	
+	my $ret_count = 0;
+	foreach my $num( sort { $b <=> $a } keys( %count_hash ) )
+	{
+		if( $ret_count < $_max_output_count )
+		{
+			foreach my $struc( @{$count_hash{$num}} )
+			{
+				if( $ret_count < $_max_output_count )
+				{
+					my $avg_of_total = sprintf( "%.2f", $num / $total_count * 100 );
+					my $service = $struc->[0];
+					my $bytes_in = trimbytes( $struc->[1], 5 );
+					my $bytes_out = trimbytes( $struc->[2], 5 );
+					push( @results, [ $service, $num, $avg_of_total, $bytes_in, $bytes_out ] );
+					++$ret_count;
+				}
+				else
+				{
+					last;
+				}
+			}
+		}
+		else
+		{
+			last;
+		}
+	}
+	
+	# Clean up some memory
+	delete( $RPT_CACHE->{servicecount} );
+	
+	# Print the heading
+	$ret_string .= swrite( $top_format, @heading_names );
+	
+	foreach my $line( @results )
+	{
+		$ret_string .= swrite( $format, @{$line} );
+	}
+	
+	return( $ret_string );
+}
+
+sub localserviceusers
+{
+	my $sub_name = 'localserviceusers';
+	
+	my $_conn_struc = $_[0] || return( undef );
+	my $service_name = $_[1] || 'smtp';
+	
+	my $service = Bro::Log::Conn::service( $_conn_struc );
+	
+	if( $service eq $service_name )
+	{
+		my $src_net = Bro::Log::Conn::source_network( $_conn_struc );
+		
+		if( $src_net eq 'L' and Bro::Log::Conn::connectsucceed( $_conn_struc ) )
+		{
+			my $source_ip = Bro::Log::Conn::source_ip( $_conn_struc );
+			++$RPT_CACHE->{$sub_name}->{$service_name}->{$source_ip};
+		}
+	}
+	
+	return( 1 );
+}
+
+sub output_localserviceusers
+{
+	my $sub_name = 'output_localserviceusers';
+	
+	my $service_name = $_[0] || return( undef );
+	my $max_count = $_[1] || $MAX_LOCAL_SERVICE_USERS;
+	my $top_format;
+	my $format;
+	my @results;
+	my $ret_string;
+	my @heading_names = ( 'Hostname', 'IP', 'Conn. Count' );
+	my $total_count = keys( %{$RPT_CACHE->{localserviceusers}->{$service_name}} );
+	my $max_hostname_length = 39;
+	my $actual_count = 0;
+
+	if( ! $top_format )
+	{
+		$top_format = <<'END'
+  @||||||||||||||||||||||||||||||||||||||  @||||||||||||||  @>>>>>>>>>>>
+  ---------------------------------------  ---------------  ------------
+END
+	}
+	
+	if( ! $format )
+	{
+		$format = <<'END'
+  @>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>  @<<<<<<<<<<<<<<  @>>>>>>>>>>>
+END
+	}
+	
+	my %count_hash;
+	while( my( $key, $val ) = each( %{$RPT_CACHE->{localserviceusers}->{$service_name}} ) )
+	{
+		push( @{$count_hash{$val}}, $key );
+	}
+	
+	foreach my $num( sort { $b <=> $a } keys( %count_hash ) )
+	{
+		foreach my $ip( @{$count_hash{$num}} )
+		{
+			if( $actual_count + 1 > $max_count )
+			{
+				last;
+			}
+			$results[$actual_count] = [ $ip, $num ];
+			++$actual_count;
+		}
+	}
+	
+	# Clean up some memory usage
+	delete( $RPT_CACHE->{localserviceusers}->{$service_name} );
+	
+	# Set the heading
+	$ret_string .= swrite( $top_format, @heading_names );
+	
+	# Write the contents
+	foreach my $line( @results )
+	{
+		# my $ip = $line->[0];
+		# my $num_conn = $line->[1];
+		my $name = trimhostname( iptoname( $line->[0] ), $max_hostname_length, '>' );
+		$ret_string .= swrite( $format, $name, $line->[0], $line->[1] );
+	}
+	
+	if( $actual_count > 0 )
+	{
+		if( $total_count > $max_count )
+		{
+			my $not_listed = $total_count - $max_count;
+			$ret_string .= <<"END";
+
+  A maximum of $max_count entries are show.
+  There are another $not_listed that are not displayed.
+END
+		}
+	}
+	else
+	{
+		$ret_string = "\n  No data to report for this section\n";
+	}
+	
+	return( $ret_string );
+}
+
+sub successfailcount
+{
+	my $sub_name = 'successfailcount';
+	
+	my $_conn_struc = $_[0] || return( undef );
+	
+	if( Bro::Log::Conn::connectsucceed( $_conn_struc ) )
+	{
+		++$RPT_CACHE->{$sub_name}->{SUCCESS};
+	}
+	else
+	{
+		# connection is failed
+		++$RPT_CACHE->{$sub_name}->{FAIL};
+	}
+}
+
+sub output_successfailcount
+{
+	my $sub_name = 'output_successfailcount';
+	
+	my $format = $_[0];
+	my $ret_string;
+	
+	if( ! $format )
+	{
+		$format = <<'END'
+    Successful:   @<<<<<<<<<<<<<<<
+    Unsuccessful: @<<<<<<<<<<<<<<<
+    Ratio: @<<<<<<
+END
+	}
+	
+	# Success and fail counts must be greater than zero
+	if( $RPT_CACHE->{successfailcount}->{FAIL} < 1 or
+		$RPT_CACHE->{successfailcount}->{SUCCESS} < 1 )
+	{
+		return( 'undef' );
+	}
+	my $ratio = $RPT_CACHE->{successfailcount}->{FAIL} / $RPT_CACHE->{successfailcount}->{SUCCESS};
+	
+	$ret_string = swrite( $format, 
+		$RPT_CACHE->{successfailcount}->{SUCCESS},
+		$RPT_CACHE->{successfailcount}->{FAIL},
+		"1:$ratio" );
+	
+	return( $ret_string );
+}
+
+sub bytetransferpairs
+{
+	my $sub_name = 'bytetransferpairs';
+	
+	# This report can be very memory expensive.  It can also be very processor
+	# intesive as the hash tables can get very large and take longer and 
+	# longer to traverse.
+	
+	my $conn_struc = $_[0] || return( undef );
+	
+	my $local_host;
+	my $remote_host;
+	my $local_bytes;
+	my $remote_bytes;
+	
+	if( Bro::Log::Conn::source_network( $conn_struc ) eq 'L' )
+	{
+		$local_host = Bro::Log::Conn::source_ip( $conn_struc );
+		$remote_host = Bro::Log::Conn::destination_ip( $conn_struc );
+		$local_bytes = Bro::Log::Conn::source_bytes( $conn_struc );
+		$remote_bytes = Bro::Log::Conn::destination_bytes( $conn_struc );
+	}
+	else
+	{
+		$remote_host = Bro::Log::Conn::source_ip( $conn_struc );
+		$local_host = Bro::Log::Conn::destination_ip( $conn_struc );
+		$remote_bytes = Bro::Log::Conn::source_bytes( $conn_struc );
+		$local_bytes = Bro::Log::Conn::destination_bytes( $conn_struc );
+	}
+	
+	if( $local_bytes > 0 and $remote_bytes > 0 )
+	{
+		$RPT_CACHE->{bytetransferpairs}->{$local_host}->{$remote_host}->{LOCAL_BYTES} += $local_bytes;
+		$RPT_CACHE->{bytetransferpairs}->{$local_host}->{$remote_host}->{REMOTE_BYTES} += $remote_bytes;
+		++$RPT_CACHE->{bytetransferpairs}->{$local_host}->{$remote_host}->{CONN_COUNT};
+		return( 1 );
+	}
+	elsif( exists( $RPT_CACHE->{bytetransferpairs}->{$local_host} ) and
+		exists( $RPT_CACHE->{bytetransferpairs}->{$local_host}->{$remote_host} ) )
+	{
+		$RPT_CACHE->{bytetransferpairs}->{$local_host}->{$remote_host}->{LOCAL_BYTES} += $local_bytes || 0;
+		$RPT_CACHE->{bytetransferpairs}->{$local_host}->{$remote_host}->{REMOTE_BYTES} += $remote_bytes || 0;
+		++$RPT_CACHE->{bytetransferpairs}->{$local_host}->{$remote_host}->{CONN_COUNT};
+		return( 1 );
+	}
+	else
+	{
+		return( 0 );
+	}
+}
+
+sub output_bytetransferpairs
+{
+	my $sub_name = 'output_bytetransferpairs';
+        my $max_hostname_length = 22;
+	
+	my $max_output = $_[0] || 20;
+	
+	my $ret_string;
+	my $_base = $RPT_CACHE->{bytetransferpairs};
+	my %reversed_hash;
+	my @ordered_list;
+	my $top_format;
+	my $format;
+	
+	$top_format = <<"END";
+Hot Report - Top $max_output
+                                                    Local      Remote    Conn.
+     Local Host               Remote Host           Bytes      Bytes     Count
+-----------------------  -----------------------  ---------  ---------  -------
+END
+	
+	$format = <<'END';
+@<<<<<<<<<<<<<<<<<<<<<<  @<<<<<<<<<<<<<<<<<<<<<<  @>>>>>>>>  @>>>>>>>>  @<<<<<<<<
+END
+
+	foreach my $l_host( keys( %{$_base} ) )
+	{
+		foreach my $r_host( keys( %{$_base->{$l_host}} ) )
+		{
+			my $big_bytes;
+			if( $_base->{$l_host}->{$r_host}->{LOCAL_BYTES} > $_base->{$l_host}->{$r_host}->{REMOTE_BYTES} )
+			{
+				$big_bytes = $_base->{$l_host}->{$r_host}->{LOCAL_BYTES};
+			}
+			else
+			{
+				$big_bytes = $_base->{$l_host}->{$r_host}->{REMOTE_BYTES};
+			}
+			
+			push( @{$reversed_hash{$big_bytes}}, { REF => $_base->{$l_host}->{$r_host},
+										LOCAL_HOST => $l_host,
+										REMOTE_HOST => $r_host, } );
+		}
+	}
+	
+	my @ordered_list = sort( { $b<=>$a } keys( %reversed_hash ) );
+	
+	my $i = 0;
+	while( defined( my $key = shift( @ordered_list ) ) and $i < $max_output )
+	{
+		foreach my $data( @{$reversed_hash{$key}} )
+		{
+			my $local_bytes = trimbytes( $data->{REF}->{LOCAL_BYTES}, 6 );
+			my $remote_bytes = trimbytes( $data->{REF}->{REMOTE_BYTES}, 6 );
+			my $conn_count = $data->{REF}->{CONN_COUNT};
+		        my $local_name = trimhostname( iptoname( $data->{LOCAL_HOST} ), $max_hostname_length, '>' );
+		        my $remote_name = trimhostname( iptoname( $data->{REMOTE_HOST} ), $max_hostname_length, '>' );
+			
+			$ret_string .= swrite( $format, 
+						$local_name,
+						$remote_name, 
+						$local_bytes,
+						$remote_bytes,
+						$conn_count );
+			
+			++$i;
+			if( !( $i < $max_output ) )
+			{
+				last;
+			}
+		}
+	}
+	
+	# Free up some memory
+	$_base = undef;
+	%reversed_hash = ();
+	delete( $RPT_CACHE->{bytetransferpairs} );
+	
+	if( length( $ret_string ) < 32 )
+	{
+		$ret_string = $top_format . "  No data to report\n";
+	}
+	else
+	{
+		$ret_string = $top_format . $ret_string . "\n";
+	}
+	
+	return( $ret_string );
+}
+
+sub output_successcount
+{
+	my $sub_name = 'output_successcount';
+	my $ret_val = $RPT_CACHE->{successfailcount}->{SUCCESS};
+	
+	# Clean up some memory
+	delete( $RPT_CACHE->{successfailcount}->{SUCCESS} );
+	
+	return( $ret_val );
+}
+
+sub output_failcount
+{
+	my $sub_name = 'output_failcount';
+	my $ret_val = $RPT_CACHE->{successfailcount}->{FAIL};
+	
+	# Clean up some memory
+	delete( $RPT_CACHE->{successfailcount}->{FAIL} );
+	
+	return( $ret_val );
+}
+
+sub availablereports
+{
+	my $sub_name = 'availablereports';
+	
+	my @ret_list = keys( %REPORT_MAP );
+	
+	return( @ret_list );
+}
+
+sub reportinputfunc
+{
+	my $sub_name = 'reportinputfunc';
+	
+	my $report_name = $_[0] || return( undef );
+	
+	if( exists( $REPORT_MAP{$report_name} ) )
+	{
+		return( $REPORT_MAP{$report_name}->{'input'} );
+	}
+	else
+	{
+		return( undef );
+	}
+}
+
+sub reportoutputfunc
+{
+	my $sub_name = 'reportoutputfunc';
+	
+	my $report_name = $_[0] || return( undef );
+	
+	if( exists( $REPORT_MAP{$report_name} ) )
+	{
+		return( $REPORT_MAP{$report_name}->{'output'} );
+	}
+	else
+	{
+		return( undef );
+	}
+}
+
+1;
diff --git a/scripts/perl/lib/Bro/Signature.pm b/scripts/perl/lib/Bro/Signature.pm
new file mode 100644
index 0000000000..076c88fbd6
--- /dev/null
+++ b/scripts/perl/lib/Bro/Signature.pm
@@ -0,0 +1,1316 @@
+# $Id: Signature.pm 987 2005-01-08 01:04:43Z rwinslow $
+# Read and parse a Bro signature from a string or array reference
+package Bro::Signature;
+
+use strict;
+require 5.006_001;
+use Bro::Config qw( $BRO_CONFIG );
+require Exporter;
+use vars qw( $VERSION
+			@ISA
+			@EXPORT_OK
+			%SKIP_OPT
+			%ACTIONS
+			$DEBUG );
+
+$VERSION = 1.20;
+@EXPORT_OK = qw( findkeyblocks filelist getrules utctimenow );
+@ISA = qw( Exporter );
+$DEBUG = 0;
+
+# These conditions, actions, meta data will be skipped when comparing two
+# signature objects for differences.  Reasons are given.
+%SKIP_OPT = ( 'active' => 1,			# evaluated seperately
+			'__raw_data__' => 1,	# internal data
+			'__value__' => 1,		# internal data
+			'sig_id' => 1,			# not evaluated
+			'.revision' => 1,		# evaluated seperately
+			'.version' => 1,		# evaluated seperately
+			'.location' => 1,		# reserved for editor use as a temporary field
+			);
+
+# Hash of valid actions in a signature.  Currently there is only one.
+%ACTIONS = ( 'event' => 1, );
+
+
+sub new
+{
+	my $sub_name = 'new';
+
+	my $self;
+	my $proto = shift;
+	my $class = ref( $proto ) || $proto;
+	my %args = @_;
+	my $sig_data = {};
+	
+	if( defined( $args{string} ) )
+	{
+		if( !( $sig_data = parsesig( $args{string} ) ) )
+		{
+			return( undef );
+		}
+	}
+	else
+	{
+		warn( __PACKAGE__ . "::$sub_name, Signature must be passed in as a string for now.  Direct" .
+			" object creation is not supported yet\n" );
+		return( undef );
+	}
+
+	$self = $sig_data;
+	bless( $self, $class );
+	
+	if( $DEBUG > 1 )
+	{
+		warn( $self->output() . "\n" );
+	}
+	return( $self );
+
+}
+
+sub parsesig
+{
+	my $sub_name = 'parsesig';
+
+	my $sig_block = shift || return( undef );
+	my $sig_data;
+	my $ret_data = {};
+
+	# Check on the storage of the data
+	if( ref( $sig_block ) eq 'ARRAY' )
+	{
+		$sig_data = join( "\n", @{$sig_block} );
+	}
+	else
+	{
+		# Otherwise it gets treated as a string
+		$sig_data = $sig_block;
+	}
+	
+	# remove any leading or trailing white space
+	$sig_data =~ s/^[[:space:]]*//;
+	$sig_data =~ s/[[:space:]]*$//;
+	
+	my $parse_err = 0;
+
+	if( $sig_data =~
+		m/^signature[[:space:]]+([[:alnum:]_-]+)[[:space:]]*\{[[:space:]\n]+	# signature declaration
+		(.+?)		# signature data
+		[[:space:]]*\}$/xs )	# end of block
+	{
+		my $sig_id = $1;
+		my $sig_options = $2;
+
+		$ret_data->{sig_id} = $sig_id;
+
+		my @raw_data;
+		my $i = 0;
+
+		foreach my $line( split( /\n/, $sig_options ) )
+		{
+			# Each line of the signature is stored in an
+			 # array to maintain the order and any comments.
+			 # The actual data is stored in a hash.
+			 # Access of the data should be done through the methods
+			 # to output the whole signature along with comments.
+
+			# remove any leading spaces
+			$line =~ s/^[[:space:]]*//;
+
+			# Put the line into the raw_data array
+			$raw_data[$i] = $line;
+
+			# Strip any comments from the line
+			$line =~ s/(?:[[:space:]]+|)#.+$//;
+
+			my( $key, $value ) = split( /[[:space:]]+/, $line, 2 );
+			# if there is still data in the line then process
+			if( defined( $value ) )
+			{
+				# Remove any leading spaces
+				$value =~ s/^[[:space:]]*//;
+				# place a reference to the raw_data array for this attribute
+				# set the value for this attribute instance
+				push( @{$ret_data->{$key}}, { 
+						'__raw_data_pos__' => $i,
+						'__value__' => $value, },
+				);
+			}
+
+			++$i;
+		}
+
+		$ret_data->{'__raw_data__'} = \@raw_data;
+	}
+	else
+	{
+		if( $DEBUG > 0 )
+		{
+			warn( __PACKAGE__ . "::$sub_name, Signature read error. Could not find a valid signature block\n" );
+		}
+		$parse_err = 1;
+	}
+
+	if( $parse_err )
+	{
+		return( undef );
+	}
+	else
+	{
+		return( $ret_data );
+	}
+}
+
+sub findkeyblocks
+{
+	my $sub_name = 'findkeyblocks';
+
+	my $string = $_[0];
+	my $keyword = 'signature';
+	my $key_len = length( $keyword );
+	my @ret_blocks;
+	my $block_idx = 0;			# Current idx of the keyword blocks that will be returned
+	my $open_brace_count = 0;	# Number of open braces encountered
+	my $close_brace_count = 0;	# number of close braces encountered
+	my $len = length( $string );	# length of string passed in
+	my $pos_idx = 0;			# current position of substring
+	my $st_blk_pos = 0;			# string position of a new block
+	my $blk_len = 0;			# length of code block
+	my $found_key_start = 0;		# flag that a new keyword block has started
+	my $comment_line = 0;		# flag if comments are in effect
+	my $quoted;			# flag if quoting is active. contents are the quote character
+
+	# make sure the string is of non-zero length.  Add one more so our
+	 # loop below works
+	if( $len > 0 )
+	{
+		++$len;
+	}
+	else
+	{
+		return( undef );
+	}
+
+	# Push a newline onto the front of the string.  This just helps in
+	 # starting the pattern matching.  It's easier than writting a
+	 # bunch more lines of code.
+	$string = "\n" . $string;
+	++$len;
+
+	while( $pos_idx < $len )
+	{
+		# If the two numbers match then a complete block has been found.
+		if( $open_brace_count == $close_brace_count and
+			$open_brace_count > 0 )
+		{
+			$ret_blocks[$block_idx] = substr( $string, $st_blk_pos, $blk_len );
+			
+			if( $DEBUG > 2 )
+			{
+				my $end_pos = $st_blk_pos + $blk_len;
+				warn( __PACKAGE__ . "::$sub_name, Found signature block between bytes $st_blk_pos and $end_pos\n" );
+				warn( $ret_blocks[$block_idx] . "\n" );
+			}
+			
+			++$block_idx;
+			$open_brace_count = 0;
+			$close_brace_count = 0;
+			$found_key_start = 0;
+			$st_blk_pos = $pos_idx;
+			$blk_len = 0;
+		}
+		elsif( $close_brace_count > $open_brace_count )
+		{
+			# Looks like there was a syntax error perhaps the
+			 # file contains a keyword but no valid block
+			 # Reset the counters and backup to $st_blk_pos + 1
+			if( $DEBUG > 0 )
+			{
+				warn( __PACKAGE__ . "::$sub_name, Error in parsing $keyword, found closed brace",
+					" for a block but no open brace at char position $pos_idx\n" );
+			}
+			$open_brace_count = 0;
+			$close_brace_count = 0;
+			$found_key_start = 0;
+			$pos_idx = $st_blk_pos + 1;
+			$st_blk_pos = '';
+			$blk_len = 0;
+			next;
+		}
+
+		# Make sure that substr returns a value
+		if( defined( my $wc = substr( $string, $pos_idx, 1 ) ) )
+		{
+			if( $quoted
+				and $found_key_start )
+			{
+				if( $wc eq $quoted
+					and substr( $string, $pos_idx - 1, 1 ) ne '\\' )
+				{
+					$quoted = undef;
+				}
+			}
+			# check for comment '#' character which is active until the 
+			 # start of a newline
+			elsif( ! $comment_line and 
+				$wc eq '#' and
+				substr( $string, $pos_idx - 1, 1 ) ne '\\' )
+			{
+				$comment_line = 1;
+			}
+			# Check if the comment flag is set
+			elsif( $comment_line )
+			{
+				# If the current character is a newline then reset the comment flag
+				if( $wc =~ m/\n/ )
+				{
+					$comment_line = 0;
+				}
+			}
+			# start this if not currently working in a block and not a comment
+			elsif( ! $found_key_start and ! $comment_line )
+			{
+				# check if the keyword is found 
+				if( $pos_idx + $key_len + 1 < $len
+				and substr( $string, $pos_idx, $key_len ) eq $keyword )
+				{
+					# check to make sure that the keyword is followed by a space
+					if( substr( $string, $pos_idx + $key_len, 1 ) =~
+						m/[[:space:]]/ )
+					{
+						$found_key_start = 1;
+						$st_blk_pos = $pos_idx;
+					}
+				}
+			}
+		# Need to re-think this one at some point though it's not going to kill things
+		  # to leave it out right now.
+		
+		# Check if a nested block has started.
+		#	elsif( $pos_idx + $key_len + 1 < $len
+		#		and $found_key_start
+		#		and substr( $string, $pos_idx, $key_len ) eq $keyword )
+		#	{
+		#		if( substr( $string, $pos_idx + $key_len, 1 ) =~
+		#				m/[[:space:]]/ )
+		#		{
+		#			if( $DEBUG > 0 )
+		#			{
+		#				warn( __PACKAGE__ . "::$sub_name, New $keyword keyword found inside of another $keyword block",
+		#					" at char position $pos_idx\n" );
+		#
+		#				#print "STRING => $string\n";
+		#			}
+		#
+		#			# Reset the search params
+		#			$open_brace_count = 0;
+		#			$close_brace_count = 0;
+		#			$found_key_start = 0;
+		#			++$pos_idx;
+		#			$st_blk_pos = '';
+		#			$blk_len = 0;
+		#			next;
+		#		}
+		#	}
+			elsif( $wc eq '{' and 
+				substr( $string, $pos_idx - 1, 1 ) ne '\\'
+				and substr( $string, $pos_idx + 1, 1 ) =~ m/[[:space:]\n]/ )
+			{
+				++$open_brace_count;
+			}
+			elsif( $wc eq '}' and
+				substr( $string, $pos_idx - 1, 1 ) ne '\\'
+				and substr( $string, $pos_idx - 1, 1 ) =~ m/[[:space:]\n]/ )
+			{
+				++$close_brace_count;
+			}
+			elsif( ! $quoted
+				and ! $comment_line
+				and $found_key_start )
+			{
+				if( $wc eq '"'
+					and substr( $string, $pos_idx - 1, 1 ) ne '\\' )
+				{
+					$quoted = $wc;
+				}
+			}
+			else
+			{
+
+			}
+
+			# Only append chars to the working string if in a $keyword block
+			if( $found_key_start )
+			{
+				++$blk_len;
+			}
+			++$pos_idx;
+		}
+		else
+		{
+			warn( __PACKAGE__ . "::$sub_name, Failed to pull data out using substr at position $pos_idx\n" );
+			++$pos_idx;
+		}
+	}
+
+	if( wantarray )
+	{
+		return( @ret_blocks );
+	}
+	else
+	{
+		return( \@ret_blocks );
+	}
+}
+
+sub addcomment
+{
+	my $sub_name = 'addcomment';
+
+	my $self = shift || return( undef );
+	my $comment = shift || return( undef );
+
+	# Make sure the comment starts with a '#'
+	if( $comment !~ m/^[[:space:]]*#/ )
+	{
+		$comment = '#' . $comment;
+	}
+
+	if( $self->{'__raw_data__'} )
+	{
+		my $next_idx = $#{$self->{'__raw_data__'}} + 1;
+		$self->{'__raw_data__'}->[$next_idx] = $comment;
+	}
+	else
+	{
+		return( undef );
+	}
+
+	return( 1 );
+}
+
+sub option
+{
+	my $sub_name = 'option';
+
+	my $self = shift || return( undef );
+	my $sig_option = shift || return( undef );
+	my $ret_data;
+
+	if( $self->{$sig_option} )
+	{
+		foreach my $data( @{$self->{$sig_option}} )
+		{
+			push( @{$ret_data}, $data->{'__value__'} );
+		}
+	}
+	else
+	{
+		return( undef );
+	}
+
+	if( @{$ret_data} > 1 )
+	{
+		return( @{$ret_data} );
+	}
+	else
+	{
+		return( $ret_data->[0] );
+	}
+}
+
+sub addoption
+{
+	my $sub_name = 'addoption';
+
+	my $self = shift || return( undef );
+	my $option = shift || return( undef );
+	my $option_data = shift || return( undef );
+
+	if( $self->{'__raw_data__'} )
+	{
+		my $next_idx = $#{$self->{'__raw_data__'}} + 1;
+		$self->{'__raw_data__'}->[$next_idx] = $option . ' ' . $option_data;
+		push( @{$self->{$option}}, 
+			{ '__raw_data_pos__' => $next_idx,
+			'__value__' => $option_data, } );
+	}
+	else
+	{
+		return( undef );
+	}
+
+	return( 1 );
+}
+
+sub modoption
+{
+	my $sub_name = 'modoption';
+	
+	# If successful the value which was replaced is returned.
+	# If failure then an undefined value is returned.
+	
+	my $self = shift || return( undef );
+	my $match_option = shift || return( undef );
+	my $new_data = shift || return( undef );
+	my $match_data = shift;	#optional
+	my $replaced_data;
+	
+	if( exists( $self->{$match_option} ) )
+	{				
+		if( @{$self->{$match_option}} > 1 )
+		{
+			# This won't work if $match_data is not defined
+			if( ! defined( $match_data ) )
+			{
+				if( $DEBUG > 0 )
+				{
+					warn( __PACKAGE__ .
+					"::$sub_name, Failed to modify option $match_option.  Data which to match against is required for options with more than one instance.\n" );
+				}
+				return( undef );
+			}
+			
+			foreach my $opt_inst( @{$self->{$match_option}} )
+			{
+				if( $opt_inst->{'__value__'} eq $match_data )
+				{
+					$replaced_data = $opt_inst->{'__value__'};
+					$opt_inst->{'__value__'} = $new_data;
+					$self->{'__raw_data__'}->[$opt_inst->{'__raw_data_pos__'}] = "$match_option $new_data";
+				}
+			}
+		}
+		else
+		{
+			$replaced_data = $self->{$match_option}->[0]->{'__value__'};
+			
+			if( defined( $match_data ) and $match_data ne $replaced_data )
+			{
+				return( undef );
+			}
+			else
+			{
+				$self->{$match_option}->[0]->{'__value__'} = $new_data;
+				$self->{'__raw_data__'}->[$self->{$match_option}->[0]->{'__raw_data_pos__'}] = "$match_option $new_data";
+			}
+		}
+	}
+	else
+	{
+		# no matching option found
+		return( undef );
+	}
+	
+	return( $replaced_data );
+}
+
+sub deloption
+{
+	my $sub_name = 'deloption';
+	# Accepts at a minimum the object and an option to remove
+	# For options that have multivalues the value can be passed in as 
+	 # option_data to remove only the one value from the object.
+	# If an option has multivalues and no option_data is given then all
+	 # options are removed.
+
+
+	my $self = shift || return( undef );
+	my $match_option = shift || return( undef );
+	my $match_data = shift;	#optional
+	my $success = 0;
+	my @raw_data_pos;
+
+	if( defined( $match_data ) )
+	{
+		if( $DEBUG > 4 )
+		{
+			warn( __PACKAGE__ . "::$sub_name, Method $sub_name has been asked to delete option '" .
+				$match_option . "', value '" . $match_data . "'\n" );
+		}
+		# Must match on both the option key and it's value
+		if( exists( $self->{$match_option} ) )
+		{				
+			if( ref( $self->{$match_option} ) eq 'ARRAY' )
+			{
+				if( $DEBUG > 4 )
+				{
+					warn( __PACKAGE__ . "::$sub_name, Found a match on $match_option in signature\n" );
+				}
+
+				my $__found = 0;
+				my @good_data;
+				foreach my $opt_value( @{$self->{$match_option}} )
+				{
+					if( $opt_value->{'__value__'} eq $match_data )
+					{
+						++$__found;
+						$success = 1;
+						push( @raw_data_pos, $opt_value->{'__raw_data_pos__'} );
+					}
+					elsif( defined( my $tt = $opt_value->{'__value__'} ) )
+					{
+						push( @good_data, $opt_value );
+					}
+
+				}
+
+				if( $success )
+				{
+					if( defined( $good_data[0] ) )
+					{
+						# Replace the object's old data with the good data
+						$self->{$match_option} = [ @good_data ];
+					}
+					else
+					{
+						delete $self->{$match_option};
+					}
+				}
+			}
+		}
+	}
+	elsif( exists( $self->{$match_option} ) )
+	{
+		if( $DEBUG > 4 )
+		{
+			warn( __PACKAGE__ . "::$sub_name, Method $sub_name has been asked to delete all data with" .
+				" an option name of $match_option\n" );
+		}
+
+		foreach my $opt_data( @{$self->{$match_option}} )
+		{
+			push( @raw_data_pos, $opt_data->{'__raw_data_pos__'} );
+		}
+		delete $self->{$match_option};
+		$success = 1;
+	}
+
+
+	if( $success )
+	{
+		# cleanup the __raw_data__ storage in the object
+		# get the last index of the __raw_data__ array
+		foreach my $idx( @raw_data_pos )
+		{
+			$self->{'__raw_data__'}->[$idx] = undef;
+		}
+
+		# Delete the 
+	}
+
+	return( $success );
+
+}
+
+sub meta
+{
+	my $sub_name = 'meta';
+	
+	my $self = shift || return( undef );
+	my $meta_name = shift || return( undef );
+	
+	return( $self->option( $BRO_CONFIG->{META_DATA_PREFIX} . $meta_name ) );
+	
+}
+
+sub output
+{
+	my $sub_name = 'output';
+
+	my $self = shift || return( undef );
+	my %args = @_;
+	my $ret_string;
+	my $prefix = '';
+	my $comments = 0;
+
+	# Make a few checks on the signature to make sure it has all the
+	# mandatory parts before outputting.
+	$self->active();
+	
+	# Check on options
+	if( $args{sigprefix} )
+	{
+		$prefix = $args{sigprefix};
+	}
+
+	if( defined( $args{comments} ) )
+	{
+		$comments = $args{comments};
+	}
+	else
+	{
+		$comments = 1;
+	}
+	
+	if( defined( $args{live} ) )
+	{
+		
+	}
+	elsif( defined( $args{meta} ) )
+	{
+		
+	}
+	else
+	{
+		# opening to a Bro signature block
+		$ret_string = 'signature ' . $prefix . $self->{sig_id} . ' {' . "\n";
+
+		if( $comments )
+		{
+			foreach my $line( @{$self->{'__raw_data__'}} )
+			{
+				if( defined( $line ) )
+				{
+					$ret_string = $ret_string . '  ' . $line . "\n";
+				}
+			}
+		}
+		else
+		{
+			while( my( $option, $opt_array ) = each( %{$self} ) )
+			{
+				if( $option ne '__raw_data__' and $option ne 'sig_id' )
+				{
+					foreach my $opt_data( @{$opt_array} )
+					{
+						$ret_string = $ret_string . 
+						'  ' .
+						$option .
+						' ' .
+						$opt_data->{'__value__'} .
+						"\n";
+					}
+				}
+			}
+		}
+
+		# closing of the Bro signature block
+		$ret_string = $ret_string . '}';
+	}
+
+	return( $ret_string );
+}
+
+sub sigid
+{
+	# This is the entire Bro signature id as parsed in from a 
+	 # signature block
+	my $sub_name = 'sigid';
+
+	my $self = shift || return( undef );
+
+	if( $self->{sig_id} )
+	{
+		return( $self->{sig_id} );
+	}
+	else
+	{
+		return( undef );
+	}
+}
+
+sub active
+{
+	my $sub_name = 'active';
+	
+	# If passed with an argument then the new value will be set if it is valid.
+	# If the new value is set properly then 2 is returned otherwise return -1
+	# If no args called then 0 returned if value is false and 1 returned if
+	# value is true.
+	
+	my $self = shift || return( undef );
+	my $new_status;
+	
+	if( @_ > 0 )
+	{
+		$new_status = shift;
+		
+		# The default is true, set it now if it doesn't already exist.
+		if( ! defined( $self->option( 'active' ) ) )
+		{
+			$self->addoption( 'active', 'true' );
+		}
+	
+		# Make sure that $new_status contains valid data
+		if( $new_status =~ m/^(?:1|true)$/ )
+		{
+			$new_status = 'true';
+		}
+		elsif( $new_status =~ m/^(?:0|false)$/ )
+		{
+			$new_status = 'false';
+		}
+		else
+		{
+			return( undef );
+		}
+		
+		$self->modoption( 'active', $new_status );
+		return( 2 );
+	}
+	
+	if( ! defined( $self->option( 'active' ) ) or
+		$self->option( 'active' ) eq 'true' )
+	{
+		return( 1 );
+	}
+	else
+	{
+		return( 0 );
+	}
+}
+
+sub version
+{
+	my $sub_name = 'version';
+	
+	my $self = shift || return( undef );
+	
+	my $ver = $self->meta( 'version' );
+	if( defined( $ver ) and $ver =~ m/^[[:digit:]]+$/ )
+	{
+		return( $ver );
+	}
+	else
+	{
+		return( '' );
+	}
+}
+
+sub revision
+{
+	my $sub_name = 'revision';
+	
+	my $self = shift || return( undef );
+	
+	my $rev = $self->meta( 'revision' );
+	if( defined( $rev ) and $rev =~ m/^[[:digit:]]+$/ )
+	{
+		return( $rev );
+	}
+	else
+	{
+		return( '' );
+	}
+}
+
+sub filelist
+{
+	my $sub_name = 'filelist';
+	
+	my @args = @_;	# optional arguments
+	my @file_list;
+	my @signature_dirs;
+	my @extra_sig_dirs;
+	my $sigfile_suffix = $BRO_CONFIG->{BRO_SIG_SUFFIX};
+	
+	# valid modes are add and override, default is add
+	my $extra_dir_mode = 'add';
+	
+	# If there are args figure out what to do with them.
+	if( @args > 0 )
+	{
+		if( $args[0] eq 'mode' )
+		{
+			shift @args;
+			$extra_dir_mode = shift @args;
+		}
+		
+		push( @extra_sig_dirs, @args );
+	}
+	
+	# Verify that a valid mode was specified
+	if( $extra_dir_mode ne 'add' and $extra_dir_mode ne 'override' )
+	{
+		warn( __PACKAGE__ . "::$sub_name, Invalid method of '$extra_dir_mode' set.\n" );
+		return( undef );
+	}
+	
+	if( $extra_dir_mode eq 'override' )
+	{
+		@signature_dirs = @extra_sig_dirs;
+	}
+	elsif( defined( $BRO_CONFIG->{BRO_SIG_DIR} ) or defined( $BRO_CONFIG->{BROPATH} ) )
+	{
+		my $rule_path;
+		
+		# if/else ladder is to allow for backwards compatability and will eventually
+		# be removed.
+		if( defined( $BRO_CONFIG->{BRO_SIG_DIR} ) and defined( $BRO_CONFIG->{BROPATH} ) )
+		{
+			$rule_path = join( ':', $BRO_CONFIG->{BRO_SIG_DIR}, $BRO_CONFIG->{BROPATH} );
+		}
+		elsif( defined( $BRO_CONFIG->{BROPATH} ) )
+		{
+			$rule_path = $BRO_CONFIG->{BROPATH};
+		}
+		else
+		{
+			$rule_path = $BRO_CONFIG->{BRO_SIG_DIR};
+		}
+		
+		if( $rule_path =~ m/:/ )
+		{
+			@signature_dirs = split( /:/, $rule_path );
+		}
+		else
+		{
+			$signature_dirs[0] = $rule_path;
+		}
+		
+		# If mode is add then add the additional directories into @signature_dirs
+		if( $extra_dir_mode eq 'add' )
+		{
+			push( @signature_dirs, @extra_sig_dirs );
+		}
+	}
+		
+	foreach my $sig_dir( @signature_dirs )
+	{
+		if( -d $sig_dir and -r $sig_dir and $sig_dir =~ m/^([[:print:]]+)$/ )
+		{
+			# Taint clean the directory name
+			$sig_dir = $1;
+
+			if( opendir( INDIR, $sig_dir ) )
+			{
+				foreach my $file_name( readdir( INDIR ) )
+				{
+					if( $file_name =~ m/^([[:print:]]+$sigfile_suffix)$/ )
+					{
+						# Taint clean the file name
+						$file_name = $1;
+						push( @file_list, join( '/', $sig_dir, $file_name ) );
+					}
+				}
+			}
+			else
+			{
+				warn( __PACKAGE__ . "::$sub_name, Unable to read directory $sig_dir\n" );
+				next;
+			}
+
+			closedir( INDIR );
+		}
+	}
+	return( @file_list );
+}
+
+sub getrules
+{
+	my $sub_name = 'getrules';
+	# Given a Bro rule file it will return a reference to a list of 
+	# Bro::Signature objects in scalar contents and a regular list
+	# in list context.
+	
+	my $rule_file = shift || return( undef );
+	
+	my $sig_file_data;
+	my @sig_blocks;
+	my @sig_objs;
+
+	if( open( INFILE, $rule_file ) )
+	{
+		local $/ = undef;
+		$sig_file_data = <INFILE>;
+		@sig_blocks = findkeyblocks( $sig_file_data );
+	}
+	else
+	{
+		warn( "Failed to open Bro rule file at $rule_file\n" );
+	}
+
+	close( INFILE );
+
+	# clean up some memory
+	undef $sig_file_data;
+
+	foreach my $sig_block( @sig_blocks )
+	{
+		if( my $rule_obj = Bro::Signature->new( string => $sig_block ) )
+		{
+			push( @sig_objs, $rule_obj );
+		}
+	}
+	
+	if( @sig_objs > 0 )
+	{
+		if( wantarray )
+		{
+			return( @sig_objs );
+		}
+		else
+		{
+			return( \@sig_objs );
+		}
+	}
+}
+
+sub compare
+{
+	my $sub_name = 'compare';
+	# Given two signature objects compare them and return whether they are
+	# the same or if there is difference.
+	# If there are no changes then this returns undef.
+	# Valid return values for changes are:
+	# condition - There is a difference between the conditions ( ex. http, payload, dst-ip, etc. )
+	# action - There is a difference in the actions ( ex. event )
+	# active - There is a difference in the active status ( ex. true, false )
+	# meta - There is a difference in the metadata ( ex. .version, .date-created, etc. )
+	my $first_obj = shift || return( undef );
+	my $second_obj = shift || return( undef );
+	
+	my $meta_prefix = $BRO_CONFIG->{META_DATA_PREFIX};
+	$meta_prefix =~ s/\./\\./g;
+	my $m_p = qr/^$meta_prefix.+/;	# Meta prefix
+	my %f_meta;
+	my %f_cond;
+	my %f_act;
+	my %s_meta;
+	my %s_cond;
+	my %s_act;
+	my %results;
+	
+	# If the version number is different then there is definetly an action
+	# and/or a condition difference
+	if( $first_obj->version() ne $second_obj->version() )
+	{
+		$results{'condition'} = 1;
+	}
+	
+	# Compare the active status
+	if( $first_obj->active() ne $second_obj->active() )
+	{
+		$results{'active'} = 1;
+	}
+	
+	# Seperate out all of the option data from meta data for the first obj
+	foreach my $key( keys( %{$first_obj} ) )
+	{
+		if( exists( $SKIP_OPT{$key} ) )
+		{
+			# Ignore the key
+		}
+		elsif( $key =~ $m_p )
+		{
+			@{$f_meta{$key}} = $first_obj->option( $key );
+		}
+		elsif( exists( $ACTIONS{$key} ) )
+		{
+			@{$f_act{$key}} = $first_obj->option( $key );
+		}
+		else
+		{
+			# the data is part of a condition which is used
+			# by Bro to define how a signature matches.
+			@{$f_cond{$key}} = $first_obj->option( $key );
+		}
+	}
+	
+	# Seperate out all of the option data from meta data for the second obj
+	foreach my $key( keys( %{$second_obj} ) )
+	{
+		if( exists( $SKIP_OPT{$key} ) )
+		{
+			# Ignore the key
+		}
+		elsif( $key =~ $m_p )
+		{
+			@{$s_meta{$key}} = $second_obj->option( $key );
+		}
+		elsif( exists( $ACTIONS{$key} ) )
+		{
+			@{$s_act{$key}} = $second_obj->option( $key );
+		}
+		else
+		{
+			# the data is part of a condition which is used
+			# by Bro to define how a signature matches.
+			@{$s_cond{$key}} = $second_obj->option( $key );
+		}
+	}
+	
+	# Compare the conditions
+	foreach my $key( keys( %f_cond ) )
+	{
+		if( exists( $results{'condition'} ) )
+		{
+			last;
+		}
+		
+		if( exists( $s_cond{$key} ) )
+		{
+			if( @{$f_cond{$key}} != @{$s_cond{$key}} )
+			{
+				$results{'condition'} = 1;
+			}
+		}
+		else
+		{
+			$results{'condition'} = 1;
+		}
+		
+		foreach my $val( @{$f_cond{$key}} )
+		{
+			if( exists( $results{'condition'} ) )
+			{
+				last;
+			}
+			
+			my $did_match = 0;
+			foreach my $val2( @{$s_cond{$key}} )
+			{
+				if( $val eq $val2 )
+				{
+					$did_match = 1;
+					last;
+				}
+			}
+			
+			if( ! $did_match )
+			{
+				$results{'condition'} = 1;
+			}
+		}
+	}
+	foreach my $key( keys( %s_cond ) )
+	{
+		if( exists( $results{'condition'} ) )
+		{
+			last;
+		}
+		
+		if( ! exists( $f_cond{$key} ) )
+		{
+			$results{'condition'} = 1;
+		}
+		
+		foreach my $val( @{$s_cond{$key}} )
+		{
+			if( exists( $results{'condition'} ) )
+			{
+				last;
+			}
+			
+			my $did_match = 0;
+			foreach my $val2( @{$f_cond{$key}} )
+			{
+				if( $val eq $val2 )
+				{
+					$did_match = 1;
+					last;
+				}
+			}
+			
+			if( ! $did_match )
+			{
+				$results{'condition'} = 1;
+			}
+		}
+	}
+	
+	# Compare the actions
+	foreach my $key( keys( %f_act ) )
+	{
+		if( exists( $results{'action'} ) )
+		{
+			last;
+		}
+		
+		if( exists( $s_act{$key} ) )
+		{
+			if( @{$f_act{$key}} != @{$s_act{$key}} )
+			{
+				$results{'action'} = 1;
+			}
+		}
+		else
+		{
+			$results{'action'} = 1;
+		}
+				
+		foreach my $val( @{$f_act{$key}} )
+		{
+			if( exists( $results{'action'} ) )
+			{
+				last;
+			}
+			
+			my $did_match = 0;
+			foreach my $val2( @{$s_act{$key}} )
+			{
+				if( $val eq $val2 )
+				{
+					$did_match = 1;
+					last;
+				}
+			}
+			
+			if( ! $did_match )
+			{
+				$results{'action'} = 1;
+			}
+		}
+	}
+	foreach my $key( keys( %s_act ) )
+	{
+		if( exists( $results{'action'} ) )
+		{
+			last;
+		}
+		
+		if( ! exists( $f_act{$key} ) )
+		{
+			$results{'action'} = 1;
+		}
+		
+		foreach my $val( @{$s_act{$key}} )
+		{
+			if( exists( $results{'action'} ) )
+			{
+				last;
+			}
+			
+			my $did_match = 0;
+			foreach my $val2( @{$f_act{$key}} )
+			{
+				if( $val eq $val2 )
+				{
+					$did_match = 1;
+					last;
+				}
+			}
+			
+			if( ! $did_match )
+			{
+				$results{'action'} = 1;
+			}
+		}
+	}
+	
+	# If the revision numbers are differnet then there is definetly a
+	# meta data difference
+	if( $first_obj->revision() ne $second_obj->revision() )
+	{
+		$results{'meta'} = 1;
+	}
+	
+	# Compare the meta data
+	foreach my $key( keys( %f_meta ) )
+	{
+		if( exists( $results{'meta'} ) )
+		{
+			last;
+		}
+		
+		if( exists( $s_meta{$key} ) )
+		{
+			if( @{$f_meta{$key}} != @{$s_meta{$key}} )
+			{
+				$results{'meta'} = 1;
+			}
+		}
+		else
+		{
+			$results{'meta'} = 1;
+		}
+				
+		foreach my $val( @{$f_meta{$key}} )
+		{
+			if( exists( $results{'meta'} ) )
+			{
+				last;
+			}
+			
+			my $did_match = 0;
+			foreach my $val2( @{$s_meta{$key}} )
+			{
+				if( $val eq $val2 )
+				{
+					$did_match = 1;
+					last;
+				}
+			}
+			
+			if( ! $did_match )
+			{
+				$results{'meta'} = 1;
+			}
+		}
+	}
+	foreach my $key( keys( %s_meta ) )
+	{
+		if( exists( $results{'meta'} ) )
+		{
+			last;
+		}
+		
+		if( ! exists( $f_meta{$key} ) )
+		{
+			$results{'meta'} = 1;
+		}
+		
+		foreach my $val( @{$s_meta{$key}} )
+		{
+			if( exists( $results{'meta'} ) )
+			{
+				last;
+			}
+			
+			my $did_match = 0;
+			foreach my $val2( @{$f_meta{$key}} )
+			{
+				if( $val eq $val2 )
+				{
+					$did_match = 1;
+					last;
+				}
+			}
+			
+			if( ! $did_match )
+			{
+				$results{'meta'} = 1;
+			}
+		}
+	}
+		
+	if( keys( %results ) > 0 )
+	{
+		return( \%results );
+	}
+	else
+	{
+		return( 0 );
+	}
+}
+
+sub utctimenow
+{
+	my $sub_name = 'utctimenow';
+	
+	my @tp = gmtime();
+	
+	my $ret_time = sprintf( "%4d-%02d-%02dT%02d:%02d:%02dZ", 
+					$tp[5] + 1900, $tp[4] + 1, $tp[3], $tp[2], $tp[1], $tp[0] );
+	
+	return( $ret_time );
+}
+
+1;
+
+# List of reserved meta-data keywords for use by signature manipulation tools
+# and the number of instances which may exist in each signature.
+
+# date-created		max: 1
+# version-date		max: 1
+# revision-date	max: 1
+# category		max: unlimited
+# from-file		max: 1		reserved for use during editing, not used in actual signatures
+# version			max: 1		version supplied by signature creator.
+#							This number will be rolled if any of the 
+#							matching content changes, not meta-data.
+# rev			max: 1		This number will be rolled if changes to
+#							meta-data are made.  No matching content
+#							changes.
+# 
\ No newline at end of file
diff --git a/scripts/perl/script/edit-brorule.pl b/scripts/perl/script/edit-brorule.pl
new file mode 100755
index 0000000000..5cba38d381
--- /dev/null
+++ b/scripts/perl/script/edit-brorule.pl
@@ -0,0 +1,1126 @@
+#!/usr/bin/perl -w
+
+BEGIN
+{
+	require 5.006_001;
+	use strict;
+	use vars qw( $VERSION
+				$DEBUG
+				$DEFAULT_CONFIG
+				$RFC3339_REGEX
+				$TEMP_DIR_NAME
+				$DEFAULT_BRO_CONFIG_FILE
+				@BRO_RULE_FILES
+				$BRO_CONFIG_FILE );
+	
+	use Getopt::Long;
+	Getopt::Long::Configure ( 'bundling', 'no_getopt_compat', 'pass_through', 'no_ignore_case' );
+	use Bro::Config qw( $BRO_CONFIG );
+	
+	
+	$DEFAULT_BRO_CONFIG_FILE = '/usr/local/bro/etc/bro.cfg';
+	$BRO_CONFIG_FILE = getbroconfigfile() || $DEFAULT_BRO_CONFIG_FILE;
+	Bro::Config::Configure( File => $BRO_CONFIG_FILE );
+	
+	sub getbroconfigfile
+	{
+		my $sub_name = 'getbroconfigfile';
+		
+		my %cmd_line_cfg;
+		
+		GetOptions( \%cmd_line_cfg,
+				'broconfig|b=s' );
+		
+		return( $cmd_line_cfg{broconfig} );
+	}
+}
+
+# $Id: edit-brorule.pl 5222 2008-01-09 20:05:27Z vern $
+$VERSION = 1.20;
+use Time::Local;
+use Bro::Signature qw( findkeyblocks getrules utctimenow );
+
+%{$DEFAULT_CONFIG} = ( temp => '/tmp',
+					editor => 'vi',
+					'require_write' => 0,);
+my $temp_prefix = 'edit-brorule';
+my $config = getconfig();
+my $temp_file = $config->{temp} . '/' . $temp_prefix . $$ . '.tmp';
+
+$RFC3339_REGEX = qr/^([[:digit:]]{4})			# year
+					-([[:digit:]]{2})		# month
+					-([[:digit:]]{2})		# day
+					(?:[Tt ]					# begin time section
+					([[:digit:]]{2})		# hour
+					(?::([[:digit:]]{2})	# minute
+					(?::([[:digit:]]{2}(\.[[:digit:]]{1,2})?)|)|)	# second
+					)?					# end time section
+					([Zz]|([-+][[:digit:]]{2}:[[:digit:]]{2}))?	# timezone offset
+					$/xo;
+
+
+########### Begin main here #################
+
+# Set the list of Bro rule files which will be used
+if( exists( $config->{addpath} ) and $config->{addpath} )
+{
+	@BRO_RULE_FILES = Bro::Signature::filelist( @{$config->{addpath}} );
+}
+elsif( exists( $config->{ruledir} ) and $config->{ruledir} )
+{
+	@BRO_RULE_FILES = Bro::Signature::filelist( mode => 'override', $config->{ruledir} );
+}
+elsif( exists( $config->{rulefile} ) and $config->{rulefile} )
+{
+	@BRO_RULE_FILES = ( $config->{rulefile} );
+}
+else
+{
+	@BRO_RULE_FILES = Bro::Signature::filelist();
+}
+
+# If there are no rule files then no need to continue any further
+if( @BRO_RULE_FILES < 1 )
+{
+	warn( "Unable to find any Bro signature files to edit\n" );
+	exit( 1 );
+}
+
+# If any option which edits a signature is called then the rules files
+# must be writtable.
+if( $config->{require_write} )
+{
+	foreach my $rule_file( @BRO_RULE_FILES )
+	{
+		if( ! -w $rule_file )
+		{
+			warn( "Do not have write access on Bro signature file $rule_file\n" );
+			warn( "Must have write access to continue. Resolve this issue and then try again\n" );
+			exit( 1 );
+		}
+	}
+}
+
+# Check if the temp file already exists.  If so it must be writtable
+if( -f $temp_file and ! -w $temp_file )
+{
+	warn( "Temp file $temp_file already exists and is not writtable.\n" );
+	warn( "Please resolve the problem and try again.\n" );
+	exit( 1 );
+}
+
+
+# How were we called.
+
+# These options will require a temp file for writting.
+if( exists( $config->{disable} ) )
+{
+	changeactivestatus( 'false', @{$config->{disable}} );
+}
+elsif( exists( $config->{enable} ) )
+{
+	changeactivestatus( 'true', @{$config->{enable}} );
+}
+
+if( $config->{edit} )
+{
+	if( ! editbrorule( @{$config->{edit}} ) )
+	{
+		warn( "Failed to edit brorules.  No changes have been made.\n" );
+		exit( 1 );
+	}
+}
+elsif( $config->{add} )
+{
+	if( addbrorule( @{$config->{add}} ) )
+	{
+		print "Rule added successfully\n";
+	}
+}
+
+
+exit( 0 );
+
+
+
+
+
+
+
+
+
+############# Begin subs here ################
+
+sub getconfig
+{
+	my $sub_name = 'getconfig';
+	
+	my $arg1 = shift || $DEFAULT_CONFIG;
+	my %default_config;
+	my %config;
+	my $active_method = '__NULL__';
+	my %clc = ( usage => 0,
+				debug => 0,
+				version => 0,
+				copyright => 0, );
+	
+	if( ref( $arg1 ) eq 'HASH' )
+	{
+		%default_config = %{$arg1};
+	}
+	else
+	{
+		return( undef );
+	}
+	
+	# This is kind of funky.  The subroutine set in '<>' will be called
+	# when an argument unknown to the parser is encountered.  This sub
+	# will handle sucking up lists that can occur after an option.  Where
+	# the list is saved depends upon the option which prefixed the list
+	GetOptions( 'broconfig|b' => \$clc{broconfig},
+			'disable|deactivate' => sub { $active_method = 'disable'; },
+			'<>' => sub { push( @{$clc{$active_method}}, @_ ); },
+			'enable|activate' => sub { $active_method = 'enable'; },
+			'edit|e' => sub { $active_method = 'edit'; },
+			'add|a' => sub { $active_method = 'add'; },
+			'rulefile=s' => \$clc{rulefile},
+			'ruledir=s' => \$clc{ruledir},
+			'addpath' => sub { $active_method = 'addpath'; },
+			'editor=s' => \$clc{editor},
+			'temp|t=s' => \$clc{temp},
+			'usage|help|h' => \$clc{usage},
+			'debug|verbose|d|v:+' => \$clc{debug},
+			'version|V' => \$clc{version},
+			'copyright' => \$clc{copyright}, );
+	
+	# Check for options which will prevent the program from running
+	# any further
+	if( $clc{usage} )
+	{
+		print usage();
+		exit( 0 );
+	}
+	elsif( $clc{version} )
+	{
+		print version();
+		exit( 0 );
+	}
+	elsif( $clc{copyright} )
+	{
+		print copyright();
+		exit( 0 );
+	}
+	else
+	{
+		# just continue on
+	}
+	
+	# Set the location in which to write temp files
+	if( exists( $ENV{TEMP} ) and $ENV{TEMP} )
+	{
+		$config{temp} = $ENV{TEMP};
+	}
+	elsif( exists( $ENV{TMP} ) and $ENV{TMP} )
+	{
+		$config{temp} = $ENV{TMP};
+	}
+	
+	# Set the location of the preferred text editor
+	if( exists( $ENV{EDITOR} ) and $ENV{EDITOR} )
+	{
+		$config{editor} = $ENV{EDITOR};
+	}
+	
+	# Set Debug level
+	$DEBUG = $clc{debug};
+		
+	# Print the list of rules passed to enable.disable
+	if( $DEBUG > 1 )
+	{
+		if( $clc{disable} )
+		{
+			print "List of rules to disable/deactivate: ";
+			print join( ' ', @{$clc{disable}} );
+			print "\n";
+		}
+		
+		if( $clc{enable} )
+		{
+			print "List of rules to enable/activate: ";
+			print join( ' ' , @{$clc{enable}} );
+			print "\n";
+		}
+		
+		if( $clc{edit} )
+		{
+			print "List of rules to edit: ";
+			print join( ' ' , @{$clc{edit}} );
+			print "\n";
+		}
+		
+		if( $clc{addpath} )
+		{
+			print "List of additional directories to search: ";
+			print join( ':', @{$clc{addpath}} );
+			print "\n"
+		}
+		
+		if( $clc{add} )
+		{
+			print "List of arguments passed to add: ";
+			print join( ' ', @{$clc{add}} );
+			print "\n"
+		}
+	}
+	
+	# Any args passed through the command line will override file options
+	while( my( $key, $value ) = each( %clc ) )
+	{
+		if( defined( $value ) )
+		{
+			$config{$key} = $value;
+		}
+	}
+	
+	# Set default values for options that have not already been configured
+	while( my( $key, $value ) = each( %{$arg1} ) )
+	{
+		if( ! exists( $config{$key} ) )
+		{
+			$config{$key} = $value;
+		}
+	}
+	
+	if( checkconfig( \%config ) )
+	{
+		if( $DEBUG > 4 )
+		{
+			warn( "Configuration memory dump:\n" );
+			foreach my $key( keys( %config ) )
+			{
+				print "$key\t=> " . $config{$key} . "\n";
+			}
+			warn( "\n" );
+		}
+		return( \%config );
+	}
+	else
+	{
+		warn( "exiting program\n" );
+		exit( 1 );
+	}
+	
+}
+
+sub checkconfig
+{
+	my $sub_name = 'checkconfig';
+	
+	my $config = shift || return( undef );
+	my $valid_action = 0;
+	my $failed = 0;
+	
+	# Temp directory must exist and be writtable
+	if( -d $config->{temp} )
+	{
+		if( ! -w $config->{temp} )
+		{
+			warn( "Temp directory at " . $config->{temp} . " must be writtable\n" );
+			$failed = 1;
+		}
+	}
+	else
+	{
+		warn( "Temp directory at " . $config->{temp} . " does not exist\n" );
+		$failed = 1;
+	}
+	
+	if( my $verified_editor = seteditor( $config->{editor} ) )
+	{
+		$config->{editor} = $verified_editor;
+	}
+	else
+	{
+		warn( "Could not find absolute path for editor " . $config->{editor} . "\n" );
+		$failed = 1;
+	}
+	
+	# If any of these edit functions are used then set the require-write flag
+	if( $config->{enable} or $config->{disable} or $config->{edit} or
+		$config->{add} )
+	{
+		$config->{require_write} = 1;
+	}
+	
+	# Can't have both enable and disable at the same time.
+	if( ref( $config->{enable} ) eq 'ARRAY' and 
+		ref( $config->{disable} ) eq 'ARRAY' )
+	{
+		warn( "Can not use both --enable and --disable at the same time.\n" );
+		$failed = 1;
+	}
+	
+	# Can't have both add and edit at the same time
+	if( ref( $config->{edit} ) eq 'ARRAY' and
+		ref( $config->{add} ) eq 'ARRAY' )
+	{
+		warn( "Can not use both --edit and --add at the same time.\n" );
+		$failed = 1;
+	}
+	
+	# A valid action must be given
+	if( ! ( $config->{enable} or $config->{disable} or $config->{edit} or
+			$config->{add} ) )
+	{
+		warn( "No action specified.\n" );
+		print usage();
+		exit( 1 );
+	}
+	
+	# Check to make sure that the rule id and the optional file values are sane
+	if( $config->{add} )
+	{
+		my $sigid = $config->{add}->[0];
+		my $file = $config->{add}->[1];
+				
+		if( ! $sigid =~ m/^([[:print:]]+)$/ )
+		{
+			warn( "Error in sig id argument to --add, invalid value.\n" );
+			$failed = 1;
+		}
+		
+		if( $file )
+		{
+			# Taint clean the filename
+			if( $file =~ m/^([[:print:]]+)$/ )
+			{
+				# filename is now taint clean.
+				$config->{add}->[1] = $1;
+				$file = $config->{add}->[1];
+			}
+			else
+			{
+				warn( "Error in file argument to --add, invalid file name.\n" );
+				$failed = 1;
+			}
+			
+			if( ! ( -f $file && -w $file ) )
+			{
+				warn( "Error in file argument to --add, file does not exist or is not writtable.\n" );
+				$failed = 1;
+			}
+		}
+	}
+	
+	if( $failed )
+	{
+		return( 0 );
+	}
+	else
+	{
+		return( 1 );
+	}
+}
+
+sub changeactivestatus
+{
+	my $sub_name = 'changeactivestatus';
+	
+	my $new_status = shift || return( undef );
+	my @id_list = @_;
+	my %match_ids;
+	my $total_num_changes = 0;
+	my $type_of_change = '';
+	
+	# valid values for $new_status are true, false, 0, 1
+	if( $new_status =~ m/^(?:0|false)$/ )
+	{
+		$type_of_change = 'disabled';
+	}
+	elsif( $new_status =~ m/^(?:1|true)$/ )
+	{
+		$type_of_change = 'enabled';
+	}
+	else
+	{
+		warn( "Invalid value '$new_status' passed to function $sub_name.\n" );
+		print usage();
+		return( undef );
+	}
+	
+	foreach my $id( @id_list )
+	{
+		$match_ids{$id} = 1;
+	}
+	
+	foreach my $rule_file( @BRO_RULE_FILES )
+	{
+		my $num_changes = 0;
+		
+		# Open a temp file for writting
+		if( ! open( OUTFILE, ">$temp_file" ) )
+		{
+			warn( "Failed to open temp file $temp_file for writting.\n" );
+			exit( 1 );
+		}
+		
+		foreach $sig_obj( getrules( $rule_file ) )
+		{
+			if( exists( $match_ids{$sig_obj->sigid()} ) )
+			{
+				$sig_obj->active( $new_status );
+				++$num_changes;
+				delete( $match_ids{$sig_obj->sigid()} );
+			}
+			
+			print OUTFILE $sig_obj->output() . "\n\n";
+		}
+		
+		close( OUTFILE );
+		
+		if( $num_changes > 0 )
+		{
+			$total_num_changes += $num_changes;
+			replacefile( $rule_file, $temp_file );
+		}
+		
+		unlink $temp_file;
+	}
+	
+	print "A total of $total_num_changes ids were matched and $type_of_change\n";
+	
+	if( keys( %match_ids ) > 0 )
+	{
+		print "The following ids were not found: ";
+		print join( " ", keys( %match_ids ) ) . "\n";
+	}
+	
+	return( 1 );
+}
+
+sub editbrorule
+{
+	my $sub_name = 'editbrorule';
+	
+	my @args = @_;
+	my %rules_to_edit;
+	my @modified_rules;
+	
+	# {$rule_file}{$sigid}
+	my %rules_by_file;
+	my %new_rules_by_file;
+	my %unmatched_files;
+	my $temp_size;
+	my $temp_mtime;
+	
+	# There must be at least one bro rule to edit
+	if( @args < 1 )
+	{
+		warn( "No Bro rules have been given to edit.\n" );
+		return( undef );
+	}
+	
+	# Put the list of rules to edit in a hash for easier matching
+	foreach my $rule_id( @args )
+	{
+		$rules_to_edit{$rule_id} = 1;
+	}
+	
+	foreach my $rule_file( @BRO_RULE_FILES )
+	{
+		my $num_changes = 0;
+		
+		foreach my $rule_obj( getrules( $rule_file ) )
+		{
+			if( exists( $rules_to_edit{$rule_obj->sigid()} ) )
+			{
+				# If the location option is here for any reason blow
+				# it away before adding the current one.
+				removefilelocation( $rule_obj );
+				
+				# Add in the location from which the rule came
+				addfilelocation( $rule_obj, $rule_file );
+			
+				# Look for duplicate rules.
+				if( exists( $rules_by_file{$rule_file}{$rule_obj->sigid()} ) )
+				{
+					warn( "Duplicate rule found in file $rule_file for rule id " .
+						$rule_obj->sigid() . "\n" );
+				}
+				
+				$rules_by_file{$rule_file}{$rule_obj->sigid()} = $rule_obj;
+			}
+		}
+	}
+	
+	# If no rules to edit were found then bail.
+	if( keys( %rules_by_file ) < 1 )
+	{
+		return( 0 );
+	}
+	
+	if( ! open( OUTFILE, ">$temp_file" ) )
+	{
+		warn( "Failed to open temp file '$temp_file' for writing.\n" );
+		return( undef );
+	}
+	
+	# Output to temp file for user editing.
+	foreach my $rule_file( keys( %rules_by_file ) )
+	{
+		foreach my $rule_obj( values( %{$rules_by_file{$rule_file}} ) )
+		{
+			print OUTFILE $rule_obj->output() . "\n\n";
+		}
+	}
+	
+	close( OUTFILE );
+	
+	# Record the mtime and size of the the current temp file
+	$temp_mtime = ( stat( $temp_file ) )[9];
+	$temp_size = ( stat( $temp_file ) )[7];
+	
+	# Open the external editor. If the editor returns anything but zero
+	# there was an error.
+	if( system( $config->{editor}, $temp_file ) != 0 )
+	{
+		warn( "An unknown error was encountered while using the external editor.\n" );
+		return( undef );
+	}
+	
+	# Check if the temp file has been modified at all.  If no changes then
+	# just cleanup and return.
+	if( ( stat( $temp_file ) )[9] == $temp_mtime and
+		( stat( $temp_file ) )[7] == $temp_size )
+	{
+		unlink $temp_file;
+		return( 1 );
+	}
+	
+	# Put the new rule objects in a hash for easy matching.  Order by
+	# the location option which will also be removed.
+	foreach my $new_rule( getrules( $temp_file ) )
+	{
+		my $rule_file = $new_rule->option( '.location' );
+		# Remove the location option as it only for the editor
+		removefilelocation( $new_rule );
+		
+		$new_rules_by_file{$rule_file}{$new_rule->sigid()} = $new_rule;
+		$unmatched_files{$rule_file} = 1;
+	}
+	
+	# Any rule file name must exist in the list of files which the rules
+	# came from.  In other words, no new signature file will be created.
+	foreach my $cur_rule( @BRO_RULE_FILES )
+	{
+		if( exists( $unmatched_files{$cur_rule} ) )
+		{
+			delete( $unmatched_files{$cur_rule} );
+		}
+	}
+	
+	foreach my $unmatched_file( keys( %unmatched_files ) )
+	{
+		warn( "Bro rule file '$unmatched_file' encountered but was not in the list of" .
+			" Bro rules searched.  All rules with this location will be ignored.\n" );
+		delete( $new_rules_by_file{$unmatched_file} );
+	}
+	
+	# Edit each rule file for which we have data.
+	foreach my $rule_file( keys( %new_rules_by_file ) )
+	{
+		if( ! open( OUTFILE, ">$temp_file" ) )
+		{
+			warn( "Failed to open temp file $temp_file for writing.\n" );
+			return( undef );
+		}
+
+		foreach my $old_rule( getrules( $rule_file ) )
+		{
+			if( exists( $new_rules_by_file{$rule_file}{$old_rule->sigid()} ) )
+			{
+				my $new_rule = $new_rules_by_file{$rule_file}{$old_rule->sigid()};
+				my $compare_res = $old_rule->compare( $new_rule );
+				
+				if( $compare_res )
+				{
+					if( exists( $compare_res->{'meta'} ) )
+					{
+						bumprevision( $new_rule );
+					}
+					
+					if( exists( $compare_res->{'action'} ) or 
+						exists( $compare_res->{'condition'} ) )
+					{
+						bumpversion( $new_rule );
+						resetrevision( $new_rule );
+					}
+					
+					print OUTFILE $new_rule->output() . "\n\n";
+				}
+				else
+				{
+					# No changes
+					print OUTFILE $old_rule->output() . "\n\n";
+				}
+				
+				delete( $new_rules_by_file{$rule_file}{$old_rule->sigid()} );
+			}
+			else
+			{
+				print OUTFILE $old_rule->output() . "\n\n";
+			}
+		}
+
+		close( OUTFILE );
+		
+		delete( $new_rules_by_file{$rule_file} );
+		
+		replacefile( $rule_file, $temp_file );
+	}
+	
+	unlink $temp_file;
+}
+
+sub addbrorule
+{
+	my $sub_name = 'addbrorule';
+	
+	my $rule_id = shift || return( undef );
+	my $rule_file = shift;	# optional
+	
+	my $sig_suffix = $BRO_CONFIG->{BRO_SIG_SUFFIX};
+	my $brosite = $BRO_CONFIG->{BROSITE};
+	my $failed = 0;
+	
+	# If no rule file then grab the first one found in $BROSITE
+	if( ! $rule_file )
+	{
+		if( -d $brosite )
+		{
+			if( ! opendir( DIR, $brosite ) )
+			{
+				warn( "Failed to open $brosite directory $brosite for reading.\n" );
+				return( undef );
+			}
+			
+			while( my $file = readdir( DIR ) )
+			{
+				if( $file =~ m/^[^\.].*$sig_suffix$/ and -f "$brosite/$file" )
+				{
+					$rule_file = "$brosite/$file";
+					last;
+				}
+			}
+			
+			closedir( DIR );
+		}
+		else
+		{
+			warn( "$brosite is either not specified or it is not a directory.\n" );
+			return( undef );
+		}
+		
+		if( ! $rule_file )
+		{
+			warn( "Unable to find a rule file in $brosite to add the new rule to.\n" );
+			return( undef );
+		}
+	}
+	
+	# Read in the rule file and look for a duplicate rule
+	foreach my $rule_obj( getrules( $rule_file ) )
+	{
+		if( $rule_obj->sigid() eq $rule_id )
+		{
+			warn( "Bro rule id $rule_id already exists, edit it or try something else.\n" );
+			return( undef );
+		}
+	}
+	
+	# Create the skeleton of the new rule
+	my $utc_now = utctimenow();
+	my $rule_template = qq~
+signature $rule_id \{
+  active true
+  .date-created $utc_now
+\}
+~;
+	# Create a new rule object and add some default attributes
+	my $new_rule = Bro::Signature->new( string => $rule_template );
+	bumpversion( $new_rule, $utc_now );
+	bumprevision( $new_rule, $utc_now );
+	addfilelocation( $new_rule, $rule_file );
+	
+	TEMP_FILE_OPEN: {
+		# Output the new rule to a temp file for editing
+		if( open( OUTFILE, ">$temp_file" ) )
+		{
+			print OUTFILE $new_rule->output() . "\n\n";
+		}
+		else
+		{
+			warn( "Failed to open temp file '$temp_file' for writing.\n" );
+			$failed = 1;
+			last;
+		}
+
+		close( OUTFILE );
+
+		# Open the external editor. If the editor returns anything but zero
+		# there was an error.
+		if( system( $config->{editor}, $temp_file ) != 0 )
+		{
+			warn( "An unknown error was encountered while using the external editor.\n" );
+			$failed = 1;
+			last;
+		}
+
+		# Read the rule file back in.  Only one rule should be in here.
+		my @temp_rules = getrules( $temp_file );
+		if( @temp_rules > 1 )
+		{
+			warn( "More than one rule was found in the temp file.  Only one rule at a time can be created.\n" );
+			$failed = 1;
+			last;
+		}
+
+		# Make sure that the rule id has not been changed.
+		if( $rule_id ne $temp_rules[0]->sigid() )
+		{
+			warn( "The rule id has been changed, aborting add.\n" );
+			$failed = 1;
+			last;
+		}
+
+		# The file location is put in for convenience.  User modification will be ignored.
+		removefilelocation( $temp_rules[0]->sigid() );
+
+		# Write the new signature out to the bottom of the file
+		if( open( OUTFILE, ">>$rule_file" ) )
+		{
+			print OUTFILE $temp_rules[0]->output() . "\n\n";
+		}
+		else
+		{
+			warn( "Failed to open rule file $rule_file for writing, rule addidtion aborted.\n" );
+			$failed = 1;
+			last;
+		}
+	}	# end TEMP_FILE_OPEN
+	
+	unlink $temp_file;
+	
+	if( $failed )
+	{
+		return( undef );
+	}
+	else
+	{
+		return( 1 );
+	}
+}
+
+sub bumpversion
+{
+	my $sub_name = 'bumpversion';
+	
+	my $self = shift || return( undef );
+	my $new_date = shift;	# optional
+	
+	my $cur_ver = $self->version();
+	
+	# If $new_date was not passed in then set it now.
+	if( ! $new_date )
+	{
+		$new_date = utctimenow();
+	}
+	
+	if( length( $cur_ver ) > 0 )
+	{
+		$self->modoption( '.version', $cur_ver + 1 );
+	}
+	else
+	{
+		$self->addoption( '.version', 1 );
+	}
+	
+	if( ! $self->modoption( '.version-date', $new_date ) )
+	{
+		$self->addoption( '.version-date', $new_date );
+	}
+	
+	return( $self->version() );
+}
+
+sub bumprevision
+{
+	my $sub_name = 'bumprevision';
+	
+	my $self = shift || return( undef );
+	my $new_date = shift;	# optional
+	
+	my $cur_rev = $self->revision();
+	
+	# .version must exist!
+	if( ! $self->option( '.version' ) )
+	{
+		bumpversion( $self, $new_date );
+	}
+	
+	# If $new_date was not passed in then set it now.
+	if( ! $new_date )
+	{
+		$new_date = utctimenow();
+	}
+	
+	if( length( $cur_rev ) > 0 )
+	{
+		$self->modoption( '.revision', $cur_rev + 1 );
+	}
+	else
+	{
+		$self->addoption( '.revision', 1 );
+	}
+	
+	if( ! $self->modoption( '.revision-date', $new_date ) )
+	{
+		$self->addoption( '.revision-date', $new_date );
+	}
+	
+	return( $self->revision() );
+}
+
+sub resetrevision
+{
+	my $sub_name = 'resetrevision';
+	
+	my $self = shift || return( undef );
+	
+	if( ! $self->modoption( '.revision', 1 ) )
+	{
+		bumprevision( $self );
+	}
+	
+	return( $self->revision() );
+}
+
+sub addfilelocation
+{
+	my $sub_name = 'addfilelocation';
+	
+	my $rule_obj = shift || return( undef );
+	my $rule_file = shift || return( undef );
+	
+	# Make sure the obj is of Bro::Signature type
+	if( ref( $rule_obj ) ne 'Bro::Signature' )
+	{
+		warn( "First arg passed to $sub_name is not a Bro::Signature object.\n" );
+		return( undef );
+	}
+	
+	if( $rule_obj->addoption( '.location', $rule_file ) )
+	{
+		return( 1 );
+	}
+	else
+	{
+		warn( "Failed to add file location to Bro rule " . $rule_obj->sigid() . ".\n" );
+		return( undef );
+	}
+}
+
+sub removefilelocation
+{
+	my $sub_name = 'removefilelocation';
+	
+	my $rule_obj = shift || return( undef );
+	
+	# Make sure the obj is of Bro::Signature type
+	if( ref( $rule_obj ) ne 'Bro::Signature' )
+	{
+		warn( "First arg passed to $sub_name is not a Bro::Signature object.\n" );
+		return( undef );
+	}
+	
+	if( $rule_obj->deloption( '.location' ) )
+	{
+		return( 1 );
+	}
+	else
+	{
+		return( 0 );
+	}
+}
+
+sub seteditor
+{
+	my $sub_name = 'seteditor';
+	
+	my $editor = shift || return( undef );
+	my $clean_editor;
+	my @path_list = split( /:/, $ENV{PATH} );
+	
+	if( $editor =~ m/^(\/[[:print:]]+)$/ )
+	{
+		$clean_editor = $1;
+	}
+	else
+	{
+		foreach my $dir_name( @path_list )
+		{
+			my $full_path = "$dir_name/$editor";
+			if( -f $full_path and $full_path =~ m/^(\/[[:print:]]+)$/ )
+			{
+				$clean_editor = $1;
+			}
+		}
+	}
+	
+	# Make sure that the file exists and is executable
+	if( -f $clean_editor and -x $clean_editor )
+	{
+		return( $clean_editor );
+	}
+	else
+	{
+		return( undef );
+	}
+}
+
+sub replacefile
+{
+	my $sub_name = 'replacefile';
+	
+	my $old_file = shift || return( undef );
+	my $new_file = shift || return( undef );
+	my $cp_result;
+	my $_cur_pid = $$;
+	
+	if( system( "cp -f $new_file $old_file.$_cur_pid.tmp" ) == 0 )
+	{
+		if( system( "mv -f $old_file.$_cur_pid.tmp $old_file" ) == 0 )
+		{
+			return( 1 );
+		}
+		else
+		{
+			warn( "Failed to replace $old_file with new file $new_file\n" );
+			return( undef );
+		}
+	}
+	else
+	{
+		warn( "Failed to move new file $new_file to $old_file.$_cur_pid.tmp\n" );
+		return( undef );
+	}
+}
+
+sub normalize_time
+{
+	my $sub_name = 'normalize_time';
+	# change various time formats into a unix epoch time with 6 decimal places
+	
+	my $arg1 = $_[0];
+	my $ret_time;
+	
+	if( $arg1 =~ m/^([[:digit:]]{10}(?:\.[[:digit:]]{1,6})?)$/ )
+	{
+		# Already in the right format.
+		$ret_time = sprintf( "%.6f", $1 );
+	}
+	# RFC 3339 format -> 2004-08-06T19:59:39-07:00
+	elsif( my @time_parts = ( $arg1 =~ $RFC3339_REGEX ) )
+	{
+		my $year = $time_parts[0];
+		my $mon = $time_parts[1];
+		my $day = $time_parts[2];
+		my $hour = $time_parts[3] || 0;
+		my $min = $time_parts[4] || 0;
+		my $sec = $time_parts[5] || 0;
+		my $timezone = $time_parts[6] || undef;
+		
+		# month is zero base indexed
+		if( $mon )
+		{
+			--$mon;
+		}
+		
+		if( $timezone =~ m/^(?:[-+]00:00)|(?:[Zz])$/ )
+		{
+			$ret_time = timegm($sec,$min,$hour,$day,$mon,$year);
+		}
+		else
+		{
+			$ret_time = timelocal($sec,$min,$hour,$day,$mon,$year);
+		}
+	}
+	else
+	{
+		if( $DEBUG > 0 )
+		{
+			warn( "Unknown date format passed to sub $sub_name. Unable to convert time to a unix epoch time\n" );
+		}
+	}
+	
+	return( $ret_time );
+}
+
+sub usage
+{
+	my $sub_name = 'usage';
+	
+	my $usage_text = copyright();
+	$usage_text .= q~
+
+Options passed to the program on the command line 
+Command line reference
+  --disable|--deactivate  List of bro rule ids seperated by spaces to disable
+                          This is mutually exclusive to --enable
+  --enable|--activate     List of bro rule ids seperated by spaces to enable
+                          This is mutually exclusive to --disable
+  --edit|-e               List of bro rule ids to edit. An external editor
+                          will be opened and any changes made by the user will
+                          be intergrated in.
+  --add|-a                Add a new rule.  One rule at a time may be added.
+                          Arguments to follow are the sig id and the file
+                          in which to write the new sig.  If no file argument
+                          is given then the first signature file in $BROSITE
+                          will be used. (example --add test-sig myrules.sig)
+  --rulefile              Restrict edits to only the one filename given.
+  --ruledir               Restrict searches and edits to just one directory.
+  --addpath               Directories to look in for bro rule files. This is
+                          in addition to those already in $BROPATH
+  --broconfig|-b          Alternate location containing Bro configuration data
+  --editor                Location of prefered text editor
+                          (default $EDITOR or vi)
+  --temp                  Alternate directory in which to write temp files
+                          (default $TEMP or $TMP or /tmp)
+  --usage|--help|-h       Summary of command line options
+  --debug|-d              Specify the debug level from 0 to 5. (default: 1)
+  --version               Output the version number to STDOUT
+  --copyright             Output the copyright info to STDOUT
+  
+~;
+	
+	return( $usage_text );
+}
+
+sub version
+{
+	my $sub_name = 'version';
+	
+	return( $VERSION );
+}
+
+sub copyright
+{
+	my $sub_name = 'copyright';
+	
+	my $copyright =
+qq~edit-brorule.pl
+version $VERSION, Copyright (C) 2004 Lawrence Berkeley National Labs, NERSC
+Written by Roger Winslow~;
+	
+	return( $copyright );
+}
diff --git a/scripts/perl/script/site-report.pl b/scripts/perl/script/site-report.pl
new file mode 100755
index 0000000000..3cafad9ec6
--- /dev/null
+++ b/scripts/perl/script/site-report.pl
@@ -0,0 +1,1367 @@
+#!/usr/bin/perl
+
+# look for our modules first
+use lib '/usr/local/bro/perl/lib/perl5/site_perl';
+
+# This is all stuff that needs to be set before compile time of other Bro modules
+# because the other modules depend of Bro::Config to be configures properly
+# given that the config file could be something different than the default.
+BEGIN
+{
+	require 5.006_001;
+	use vars qw( $VERSION
+				$DEBUG
+				$DEFAULT_CONFIG
+				$RFC3339_REGEX
+				$TEMP_DIR_NAME
+				$DEFAULT_BRO_CONFIG_FILE
+				$BRO_CONFIG_FILE );
+	
+	use Getopt::Long;
+	Getopt::Long::Configure ( 'bundling', 'no_getopt_compat', 'pass_through', 'no_ignore_case' );
+	use Bro::Config qw( $BRO_CONFIG );
+	
+	
+	$DEFAULT_BRO_CONFIG_FILE = '/usr/local/bro/etc/bro.cfg';
+	$BRO_CONFIG_FILE = getbroconfigfile() || $DEFAULT_BRO_CONFIG_FILE;
+	Bro::Config::Configure( File => $BRO_CONFIG_FILE );
+	
+	sub getbroconfigfile
+	{
+		my $sub_name = 'getbroconfigfile';
+		
+		my %cmd_line_cfg;
+		
+		GetOptions( \%cmd_line_cfg,
+				'broconfig|b=s' );
+		
+		return( $cmd_line_cfg{broconfig} );
+	}
+}
+
+
+use strict;
+use Time::Local;
+use Socket;
+			
+# $Id: site-report.pl 5222 2008-01-09 20:05:27Z vern $
+$VERSION = 1.06;
+$TEMP_DIR_NAME = '.reports.tmp';
+
+# A config file MUST exist in order to continue
+if( $BRO_CONFIG->{BROHOME} )
+{
+	$DEFAULT_CONFIG = $BRO_CONFIG;
+}
+else
+{
+	print usage(), "\n";
+	exit( 1 );
+}
+
+$DEFAULT_CONFIG->{'broconfig'} = $BRO_CONFIG_FILE;
+$DEFAULT_CONFIG->{'report-range'} = 24;
+$DEFAULT_CONFIG->{'report-start'} = 'yesterday';
+$DEFAULT_CONFIG->{'max-hosts'} = 4000;
+$DEFAULT_CONFIG->{'max-alarms'} = 300;
+$DEFAULT_CONFIG->{'history-dir'} = $DEFAULT_CONFIG->{'BRO_HISTORY_DIR'};
+$DEFAULT_CONFIG->{'report'} = $DEFAULT_CONFIG->{'BRO_REPORT_DIR'} . "/" . $DEFAULT_CONFIG->{'BRO_SITE_NAME'} . '.' . time() . ".$$.rpt";
+$DEFAULT_CONFIG->{'temp'} = $DEFAULT_CONFIG->{'BROLOGS'};
+$DEFAULT_CONFIG->{'summary_only'} = 1;
+$DEFAULT_CONFIG->{'debug'} = 1;
+
+
+$RFC3339_REGEX = qr/^([[:digit:]]{4})			# year
+					-([[:digit:]]{2})		# month
+					-([[:digit:]]{2})		# day
+					(?:[Tt ]				# begin time section
+					([[:digit:]]{2})		# hour
+					(?::([[:digit:]]{2})	# minute
+					(?::([[:digit:]]{2}(\.[[:digit:]]{1,2})?)|)|)	# second
+					)?					# end time section
+					([Zz]|([-+][[:digit:]]{2}:[[:digit:]]{2}))?	# timezone offset
+					$/xo;
+
+# sig handlers
+$SIG{INT} = sub
+{
+	warn ("$0: caught INT signal.  Cleaning up...\n" );
+	end_program();
+	warn( "Done!\n" );
+};
+
+$SIG{TERM} = sub
+{
+	warn ("$0: caught TERM signal.  Cleaning up...\n" );
+	end_program();
+	warn( "Done!\n" );
+};
+
+$SIG{HUP} = 'IGNORE';
+
+# hash ref that will contain all config data
+my $config = {};
+
+main();
+
+sub main
+{
+	my $sub_name = 'main';
+	
+	$config = getconfig();
+	
+	# Must set/get the Bro config before loading some of these modules in the event that
+	# a different bro.cfg file is specified.
+	use Bro::Log;
+	use Bro::Log::Conn;
+	use Bro::Report qw( date_ymd time_hms );
+	use Bro::Report::Conn;
+	use Bro::Report::Alarm;
+	use Bro::Log::Alarm;
+	
+	# Check if BRO_SITE_NAME has a value otherwise set a default
+	if( length( $config->{BRO_SITE_NAME} ) < 1 )
+	{
+		$config->{BRO_SITE_NAME} = '_unknown_';
+	}
+
+	my @alarm_ordered_list;
+	my @notice_ordered_list;
+	my @conn_ordered_list;
+
+	my $actual_stats;
+	my $reported_stats;
+
+	# Set the temp file directory
+	$Bro::Report::TEMP_DIR = $config->{'temp'};
+
+	# Get the list of alarm reports the user wants run.  Need to write this part
+	my $alarm_report_input_funcs;
+	my %alarm_report_output_funcs;
+	$alarm_report_input_funcs = 'sub { my $alarm_struc = $_[0] || return( undef );'."\n";
+	foreach my $report_name( Bro::Report::Alarm::availablereports() )
+	{
+		$alarm_report_output_funcs{$report_name} = Bro::Report::Alarm::reportoutputfunc( $report_name );
+		if( my $input_func = Bro::Report::Alarm::reportinputfunc( $report_name ) )
+		{
+			$alarm_report_input_funcs .= $input_func . '( $alarm_struc );' . "\n";
+		}
+	}
+	$alarm_report_input_funcs .= 'undef( $alarm_struc );' . "\n";
+	$alarm_report_input_funcs .= '};'."\n";
+	$alarm_report_input_funcs = eval $alarm_report_input_funcs;
+
+	# Get the list of conn reports the user wants run.  Need to write this part
+	my $conn_report_input_funcs;
+	my %conn_report_output_funcs;
+	$conn_report_input_funcs = 'sub { my $conn_struc = $_[0] || return( undef );'."\n";
+	foreach my $report_name( Bro::Report::Conn::availablereports() )
+	{
+		$conn_report_output_funcs{$report_name} = Bro::Report::Conn::reportoutputfunc( $report_name );
+		if( my $input_func = Bro::Report::Conn::reportinputfunc( $report_name ) )
+		{
+			$conn_report_input_funcs .= $input_func . '( $conn_struc );' . "\n";
+		}
+	}
+	$conn_report_input_funcs .= 'undef( $conn_struc );' . "\n";
+	$conn_report_input_funcs .= '};';
+	$conn_report_input_funcs = eval $conn_report_input_funcs;
+
+	# get a list of alarm files which contain data between the report start 
+	# and end times
+	# Sort ascending
+	{
+		if( $DEBUG > 2 )
+		{
+			warn( "Starting search for alarm files\n" );
+		}
+
+		my @file_list;
+		foreach my $fn( Bro::Log::loglist( 'alarm' ) )
+		{
+			my( $start, $end ) = Bro::Log::Alarm::timerange( $fn );
+			push( @file_list, [ $fn, $start, $end ] );
+
+			if( $DEBUG > 3 )
+			{
+				print "Filename: $fn, Start: $start, End: $end\n";
+			}
+		}
+
+		@alarm_ordered_list = filesinrange( \@file_list, 
+									$config->{'report-start'},
+									$config->{'report-end'} );
+		if( $DEBUG > 2 )
+		{
+			warn( "List of alarm files which are within the time range -> " .
+				join( ', ', @alarm_ordered_list ) . "\n" );
+		}
+
+		if( $DEBUG > 2 )
+		{
+			warn( "Finished search for alarm files\n" );
+		}
+	}
+
+	# get a list of notice files which contain data between the report start 
+	# and end times
+	# Sort ascending
+	{
+		if( $DEBUG > 2 )
+		{
+			warn( "Starting search for notice files\n" );
+		}
+
+		my @file_list;
+		foreach my $fn( Bro::Log::loglist( 'notice' ) )
+		{
+			my( $start, $end ) = Bro::Log::Alarm::timerange( $fn );
+			push( @file_list, [ $fn, $start, $end ] );
+
+			if( $DEBUG > 3 )
+			{
+				print "Filename: $fn, Start: $start, End: $end\n";
+			}
+		}
+
+		@notice_ordered_list = filesinrange( \@file_list, 
+									$config->{'report-start'},
+									$config->{'report-end'} );
+		if( $DEBUG > 2 )
+		{
+			warn( "List of notice files which are within the time range -> " .
+				join( ', ', @notice_ordered_list ) . "\n" );
+		}
+
+		if( $DEBUG > 2 )
+		{
+			warn( "Finished search for notice files\n" );
+		}
+	}
+	
+	# get a list of conn files which contain data between the report start 
+	# and end times
+	# Sort ascending
+	{
+		if( $DEBUG > 2 )
+		{
+			warn( "Starting search for conn files\n" );
+		}
+
+		my @file_list;
+		foreach my $fn( Bro::Log::loglist( 'conn' ) )
+		{
+			my( $start, $end ) = Bro::Log::Conn::timerange( $fn );
+
+			if( defined( $start ) and defined( $end ) )
+			{
+				push( @file_list, [ $fn, $start, $end ] );
+			}
+
+			if( $DEBUG > 3 )
+			{
+				print "Filename: $fn, Start: $start, End: $end\n";
+			}
+		}
+
+
+		@conn_ordered_list = filesinrange( \@file_list, 
+									$config->{'report-start'},
+									$config->{'report-end'} );
+
+		if( $DEBUG > 2 )
+		{
+			warn( "List of connection files which are within the time range -> " .
+				join( ', ', @conn_ordered_list ) . "\n" );
+		}
+
+		if( scalar( @conn_ordered_list ) < 1 )
+		{
+			warn( "No connection data found for the time period specified.\n" );
+			warn( "Unable to create a report.\n" );
+			exit ( 1 );
+		}
+
+		if( $DEBUG > 2 )
+		{
+			warn( "Finshed search for conn files\n" );
+		}
+	}
+
+	my %interesting_addresses;
+	if( @alarm_ordered_list )
+	{
+		if( $DEBUG > 2 )
+		{
+			warn( "Starting processing of alarm files\n" );
+		}
+
+		my $time_out_of_bounds = 0;
+		my $last_timestamp = $config->{'report-start'};
+		foreach my $al_fn( @alarm_ordered_list )
+		{
+			if( open( INFILE, $al_fn ) )
+			{			
+				while( defined( my $ln = <INFILE> ) )
+				{
+					my $alarm_struc = Bro::Log::Alarm::new( $ln );
+					if( ! $alarm_struc )
+					{
+						next;
+					}
+
+					my $timestamp = Bro::Log::Alarm::timestamp( $alarm_struc );
+
+					# Make sure that the file is at least up to the point of the
+					# report-start time
+					if( $timestamp < $config->{'report-start'} )
+					{
+						next;
+					}
+
+					if( $timestamp >= $last_timestamp and
+						$timestamp <= $config->{'report-end'} )
+					{
+						$time_out_of_bounds = 0;
+
+						&$alarm_report_input_funcs( $alarm_struc );
+
+						if( my $src_ip = Bro::Log::Alarm::source_addr( $alarm_struc ) )
+						{
+							if( Bro::Report::Alarm::reportableoffense( $alarm_struc ) )
+							{
+								$interesting_addresses{$src_ip} = 1;
+								if( $DEBUG > 3 )
+								{
+									my $offense = Bro::Log::Alarm::notice_type( $alarm_struc );
+									warn( "Adding $src_ip to interesting list for $offense.\n" );
+								}
+							}
+						}
+						
+						if( $time_out_of_bounds > 0 )
+						{
+							--$time_out_of_bounds;
+						}
+					}
+					else
+					{
+						if( $time_out_of_bounds > 500 )
+						{
+							# Looks like we have reached a point beyond the
+							# report-end time.
+							if( $DEBUG > 3 )
+							{
+								warn( "Read over 500 lines which are beyond the end time of " .
+									$config->{'report-end'} . ". Last read timestamp was $timestamp\n" );
+							}
+							last;
+						}
+						++$time_out_of_bounds;
+						next;
+					}
+					$last_timestamp = $timestamp;
+				}
+			}
+			else
+			{
+
+			}
+			close( INFILE );
+		}
+
+		if( $DEBUG > 2 )
+		{
+			warn( "Finished processing alarm files\n" );
+		}
+	}
+
+	foreach my $conn_file( @conn_ordered_list )
+	{
+		my $found_start = 0;
+		my $found_end = 0;
+
+		if( $DEBUG > 2 )
+		{
+			warn( "Starting processing of conn file $conn_file\n" );
+		}
+
+		# Create and open a temp file for incident conn data to be written to
+		Bro::Report::Alarm::tempincidentfile();
+
+		if( open( INFILE, $conn_file ) )
+		{
+			my $conn_struc;
+			my $timestamp;
+			my $duration;
+
+			# This first loop is for checking if the beginning of the file has been
+			# found.  Once found it will run the next loop.  Should save some time.
+			while( ! $found_start and defined( my $line = <INFILE> ) )
+			{
+				my $within_range = 0;
+				$conn_struc = Bro::Log::Conn::new( \$line ) or next;
+				$timestamp = Bro::Log::Conn::timestamp( $conn_struc ) or next;
+				$duration = Bro::Log::Conn::duration( $conn_struc );
+
+				if( ( $timestamp >= $config->{'report-start'} or
+					$timestamp + $duration >= $config->{'report-start'} ) and
+					$timestamp <= $config->{'report-end'} )
+				{
+					$within_range = 1;
+				}
+
+				if( $within_range )
+				{
+					&$conn_report_input_funcs( $conn_struc );
+
+					my $src_ip = Bro::Log::Conn::source_ip( $conn_struc );
+					if( $interesting_addresses{$src_ip} )
+					{
+						Bro::Report::Alarm::addconndata( $conn_struc, \$line );
+					}
+					else
+					{
+						my $dest_ip = Bro::Log::Conn::destination_ip( $conn_struc );
+						if( $interesting_addresses{$dest_ip} )
+						{
+							Bro::Report::Alarm::addconndata( $conn_struc, \$line );
+						}
+					}
+
+					# Check to see if this is the logical place for connection data
+					# within the time frame to begin.  Even though the start time
+					# may not be greater than the start, anything from this point
+					# forward will have be an active connection during the time range
+					# given.
+					if( $duration >= 0 and $duration < .01 )
+					{
+						$found_start = 1;
+						last;
+					}
+				}
+			}
+
+			while( defined( my $line = <INFILE> ) )
+			{
+				$conn_struc = Bro::Log::Conn::new( \$line ) or next;
+				$timestamp = Bro::Log::Conn::timestamp( $conn_struc ) or next;
+				if( $timestamp <= $config->{'report-end'} )
+				{
+					&$conn_report_input_funcs( $conn_struc );
+
+					my $src_ip = Bro::Log::Conn::source_ip( $conn_struc );
+					if( $interesting_addresses{$src_ip} )
+					{
+						Bro::Report::Alarm::addconndata( $conn_struc, \$line );
+					}
+					else
+					{
+						my $dest_ip = Bro::Log::Conn::destination_ip( $conn_struc );
+						if( $interesting_addresses{$dest_ip} )
+						{
+							Bro::Report::Alarm::addconndata( $conn_struc, \$line );
+						}
+					}
+				}
+			}
+		}
+		else
+		{
+			warn( "Failed to open conn file $conn_file for reading.\n" );
+		}
+
+		Bro::Report::Alarm::tempincidentfile( 'close' );
+		close( INFILE );
+
+		if( $DEBUG > 2 )
+		{
+			warn( "Finished processing conn file\n" );
+		}
+	}
+
+	# Get the data now so the memory is released.
+	my $conn_summ = output_connsummary();
+    my $header;
+    my $incident_summ;
+    my $incident_details;
+    my $system_summ;
+    my $scan_summ;
+    my $signature_distribution;
+
+    if ($DEFAULT_CONFIG->{'summary_only'} == 0)
+    {
+	    # Gather up the different report pieces
+	    $header = output_header();
+	    $incident_summ = output_incidentsummary();
+	    $incident_details = output_incidentdetails();
+	    $system_summ = output_system_summary();
+	    $scan_summ = output_scans();
+	    $signature_distribution = output_signaturedistribution();
+    }
+	my $byte_transfer_pairs = output_bytetransferpairs();
+
+	my $filename = $config->{'report'};
+	print "Generating report file: " . $filename . "\n";
+	if( open( OUTFILE, ">$filename" ) )
+	{
+        if ($DEFAULT_CONFIG->{'summary_only'} == 0)
+        {
+		    writereport( \*OUTFILE, $header, $conn_summ, $byte_transfer_pairs, );
+        } else
+        {
+		    writereport( \*OUTFILE, $header, $incident_summ, 
+					$incident_details, $signature_distribution, 
+					$scan_summ, $conn_summ, $byte_transfer_pairs, );
+        }
+	}
+	else
+	{
+		warn( "Failed to create report file at $filename\n" );
+	}
+	
+	close( OUTFILE );
+
+	end_program();
+
+} # end main
+
+#################################################
+###                                           ###
+###                 Begin Subs                ###
+###                                           ###
+#################################################
+
+
+sub getconfig
+{
+	my $sub_name = 'getconfig';
+	
+	my $arg1 = shift || $DEFAULT_CONFIG;
+	my %default_config;
+	my %cmd_line_cfg;
+	my %config;
+	
+	if( ref( $arg1 ) eq 'HASH' )
+	{
+		%default_config = %{$arg1};
+	}
+	else
+	{
+		return( undef );
+	}
+	
+	GetOptions( \%cmd_line_cfg,
+			'broconfig|b=s',
+			'report-range|r=s',
+			'report-start|s=s',
+			'report-end|e=s',
+			'max-hosts|i=s',
+			'max-alarms|m=s',
+			'history-dir=s',
+			'temp|t=s',
+			'usage|help|h',
+			'debug|verbose|d|v:i',
+			'summary_only|S',
+			'version|V',
+			'copyright', );
+	
+	# Check for options which will prevent the program from running
+	# any further
+	if( $cmd_line_cfg{usage} )
+	{
+		print usage();
+		exit( 0 );
+	}
+	elsif( $cmd_line_cfg{version} )
+	{
+		print version();
+		exit( 0 );
+	}
+	elsif( $cmd_line_cfg{copyright} )
+	{
+		print copyright();
+		exit( 0 );
+	}
+	else
+	{
+		# just continue on
+	}
+	
+	if( ! $cmd_line_cfg{brologs} )
+	{
+		$cmd_line_cfg{broconfig} = $default_config{broconfig};
+	}
+	
+	# Any args passed through the command line will override file options
+	while( my( $key, $value ) = each( %cmd_line_cfg ) )
+	{
+		$config{$key} = $value;
+	}
+	
+	# Set default values for options that have not already been configured
+	while( my( $key, $value ) = each( %{$arg1} ) )
+	{
+		if( ! exists( $config{$key} ) )
+		{
+			$config{$key} = $value;
+		}
+	}
+	
+	# Set Debug level
+	$DEBUG = $config{debug} if exists( $config{debug} );
+		
+	if( checkconfig( \%config ) )
+	{
+		if( $DEBUG > 4 )
+		{
+			warn( "Configuration memory dump:\n" );
+			warn( "\n" );
+		}
+		return( \%config );
+	}
+	else
+	{
+		warn( "exiting program\n" );
+		exit( 1 );
+	}
+	
+}
+
+sub checkconfig
+{
+	my $sub_name = 'checkconfig';
+	
+	my $cfg_hash = shift || return undef;
+	
+	# Check to make sure that broconfig is defined.
+	if( defined( $cfg_hash->{'broconfig'} ) )
+	{
+		# Check to make sure that the config filename has a sane value.
+		if( $cfg_hash->{'broconfig'} !~ m/[*;`{}%]+/ and
+				$cfg_hash->{'broconfig'} =~ m~^([[:print:]]{1,1024}?)/*$~ )
+		{
+			$cfg_hash->{'broconfig'} = $1;
+			if( !( -f $cfg_hash->{'broconfig'} and -r $cfg_hash->{'broconfig'} ) )
+			{
+				warn( "broconfig file '" .$cfg_hash->{'broconfig'} . "' is not a file or can not be opened\n" );
+				return( 0 );
+			}
+		}
+		else
+		{
+			warn( "broconfig filename contains invalid characters or is longer than 1024 bytes\n" );
+			return( 0 );
+		}
+	}
+	else
+	{
+		warn( "No config file specified\n" );
+		return( 0 );
+	}
+	
+	# Check to make sure that start-time is at least one hour less than the current time
+	if( defined( $cfg_hash->{'report-start'} ) )
+	{
+		# time() returns the gm time in epoch.  Add the timezone offset for calculation
+		# purposes only.  The offset will later be subtracted before being set.
+		my $_cur_time = time() + timezoneoffset();
+		my $one_day = 24 * 60 * 60;
+		
+		if( $cfg_hash->{'report-start'} =~ m/yesterday/i )
+		{
+			my $_start_time = int( ( $_cur_time - $one_day ) / $one_day ) * $one_day;
+			
+			# Add some time to the start time.  This helps avoid the small overlap
+			# encountered from a checkpoint and therefore less data to munge over.
+			$_start_time = $_start_time + 30;
+			$cfg_hash->{'report-start'} = $_start_time - timezoneoffset();
+		}
+		elsif( $cfg_hash->{'report-start'} =~ m/today/i )
+		{
+			my $_start_time = int( $_cur_time / $one_day ) * $one_day;
+			$cfg_hash->{'report-start'} = $_start_time - timezoneoffset();
+		}
+		elsif( my $new_time = normalize_time( $cfg_hash->{'report-start'} ) )
+		{
+			$cfg_hash->{'report-start'} = $new_time;
+		}
+		else
+		{
+			warn( "report-start time '" . $cfg_hash->{'report-start'} . "' format is unknown.\n" );
+			return( 0 );
+		}
+		
+		if( $cfg_hash->{'report-start'} < ( time() - 3600 + 1 ) )
+		{
+			# ok
+		}
+		else
+		{
+			warn( "report-start must be at least one hour less than the current time.\n" );
+			return( 0 );
+		}
+		
+		if( $DEBUG > 2 )
+		{
+			warn( "report-start time: " . localtime($cfg_hash->{'report-start'}) .
+				' (' . $cfg_hash->{'report-start'} . ')' . "\n" );
+		}
+	}
+	else
+	{
+		warn( "report-start has not been defined\n" );
+		return( 0 );
+	}
+	
+	# Check to see if report-range was specified and report-end has not value
+	if( defined( $cfg_hash->{'report-range'} ) and ! defined( $cfg_hash->{'report-end'} ) )
+	{
+		if( $cfg_hash->{'report-range'} =~ m/^[[:space:]]*((?:\+\-)?[[:digit:]]+)[[:space:]]*$/ )
+		{
+			$cfg_hash->{'report-range'} = $1;
+			
+			# report-range is given in hours, change to seconds
+			my $_range = $cfg_hash->{'report-range'} * 60 * 60;
+			$cfg_hash->{'report-end'} = $cfg_hash->{'report-start'} + $_range;
+		}
+		else
+		{
+			warn( "report-range argument '" . $cfg_hash->{'report-range'} . "' is unknown.\n" );
+			return( 0 );
+		}
+		
+		if( $cfg_hash->{'report-end'} < ( time() + 1 ) )
+		{
+			# ok
+		}
+		else
+		{
+			warn( "report-range + report-start exceeds the current time\n" );
+			return( 0 );
+		}
+	}
+	
+	# Check to make sure that report-end is no greater than the current time
+	if( defined( $cfg_hash->{'report-end'} ) )
+	{
+		if( ! ( $cfg_hash->{'report-end'} = int( normalize_time( $cfg_hash->{'report-end'} ) ) ) )
+		{
+			warn( "report-end time '" . $cfg_hash->{'report-end'} . "' format is unknown.\n" );
+			return( 0 );
+		}
+		
+		if( $cfg_hash->{'report-end'} < ( time() + 1 ) )
+		{
+			# ok
+		}
+		else
+		{
+			warn( "report-end must be equal to or less than the current time\n" );
+			return( 0 );
+		}
+		
+		if( $DEBUG > 2 )
+		{
+			warn( "report-end time: " . localtime($cfg_hash->{'report-end'}) .
+				' (' . $cfg_hash->{'report-end'} . ')' . "\n" );
+		}
+	}
+	else
+	{
+		warn( "report-end has not been defined\n" );
+		return( 0 );
+	}
+	
+	# Make sure that the report-end is at least one hour more than report-start
+	if( ! ( ( $cfg_hash->{'report-end'} - 3600 ) >= $cfg_hash->{'report-start'} ) )
+	{
+		warn( "There must be at least one hour between the report-start and report-end times.\n" );
+		return( 0 );
+	}
+	
+	# Make sure that max-alarms is a number and greater than 0
+	if( defined( $cfg_hash->{'max-alarms'} ) and 
+		$cfg_hash->{'max-alarms'} =~ m/^[[:digit:]]+$/
+		and $cfg_hash->{'max-alarms'} > 0 )
+	{
+		# ok
+	}
+	else
+	{
+		warn( "Invlaid value given for max-alarms.  Must be an number greater than 0\n" );
+		return( 0 );
+	}
+	
+	# Make sure that max-hosts is a number greater than 0
+	if( defined( $cfg_hash->{'max-hosts'} ) and 
+		$cfg_hash->{'max-hosts'} =~ m/^[[:digit:]]+$/
+		and $cfg_hash->{'max-hosts'} > 0 )
+	{
+		# ok
+	}
+	else
+	{
+		warn( "Invalid value given for max-hosts.  Must be an number greater than 0\n" );
+		return( 0 );
+	}
+	
+	# Make sure the report file can be written to
+	if( exists( $cfg_hash->{BRO_REPORT_DIR} ) )
+	{
+		if( ! -d $cfg_hash->{BRO_REPORT_DIR} )
+		{
+			if( $DEBUG > 0 )
+			{
+				warn( "\$BRO_REPORT_DIR " . $cfg_hash->{BRO_REPORT_DIR} . " is not a directory.\n" );
+			}
+		}
+		elsif( ! -w $cfg_hash->{BRO_REPORT_DIR} )
+		{
+			warn( "\$BRO_REPORT_DIR " . $cfg_hash->{BRO_REPORT_DIR} . " is not writtable.\n" );
+		}
+	}
+	else
+	{
+		if( $DEBUG > 0 )
+		{
+			warn( "\$BRO_REPORT_DIR environment variable has not been set.\n" );
+		}
+	}
+	
+	# Make sure that the temp directory is defined and writtable
+	if( defined( $cfg_hash->{'temp'} ) )
+	{
+		my $full_path = $cfg_hash->{'temp'} . "/$TEMP_DIR_NAME";
+		if( ! -d $cfg_hash->{'temp'} )
+		{
+			warn( "The temp directory at '" . $cfg_hash->{'temp'} . "' either does not exist or is not a directory.\n" );
+			return( 0 );
+		}
+		
+		if( ! -w $cfg_hash->{'temp'} )
+		{
+			warn( "The temp directory at '" . $cfg_hash->{'temp'} . "' is not writtable.\n" );
+			return( 0 );
+		}
+		
+		if( ! -d $full_path )
+		{
+			if( ! mkdir $full_path )
+			{
+				warn( "Unable to create the temp directory '$full_path' inside of '" . $cfg_hash->{'temp'} . "'.\n" );
+				return( 0 );
+			}
+		}
+		
+		if( -w $full_path )
+		{
+			$cfg_hash->{'temp'} = $full_path;
+		}
+		else
+		{
+			warn( "Temp directory at '$full_path' is not writtable.\n" );
+			return( 0 );
+		}
+	}
+	else
+	{
+		warn( "No temp directory has been specified.\n" );
+		return( 0 );
+	}
+	
+	# Check for a history directory (not implemented yet)
+	if( exists( $cfg_hash->{'history-dir'} ) and length( $cfg_hash->{'history-dir'} ) > 0 )
+	{
+		if( -d $cfg_hash->{'history-dir'} )
+		{
+			if( -r $cfg_hash->{'history-dir'} )
+			{
+				$cfg_hash->{'history-dir'} =~ m/^[[:space:]]*(.+?)[[:space:]]*$/;
+				$cfg_hash->{'history-dir'} = $1;
+			}
+			else
+			{
+				if( $DEBUG > 0 )
+				{
+					warn( "Unable to read the history-dir at " . $cfg_hash->{'history-dir'} . "\n" );
+				}
+			}
+		}
+		else
+		{
+			if( $DEBUG > 1 )
+			{
+				warn( "The history directory at " . $cfg_hash->{'history-dir'} . " could not be found\n" );
+			}
+		}
+	}
+	
+	return( 1 );
+}
+
+sub normalize_time
+{
+	my $sub_name = 'normalize_time';
+	# change various time formats into a unix epoch time with 6 decimal places
+	
+	my $arg1 = $_[0];
+	my $ret_time;
+	
+	if( $arg1 =~ m/^([[:digit:]]{10}(?:\.[[:digit:]]{1,6})?)$/ )
+	{
+		# Already in the right format.
+		$ret_time = sprintf( "%.6f", $1 );
+	}
+	# ISO 8601 format -> 2004-08-06T19:59:39-0700
+	elsif( my @time_parts = ( $arg1 =~ $RFC3339_REGEX ) )
+	{
+		my $year = $time_parts[0];
+		my $mon = $time_parts[1];
+		my $day = $time_parts[2];
+		my $hour = $time_parts[3] || 0;
+		my $min = $time_parts[4] || 0;
+		my $sec = $time_parts[5] || 0;
+		my $timezone = $time_parts[6] || undef;
+		
+		# month is zero based indexed
+		if( $mon )
+		{
+			--$mon;
+		}
+		
+		$ret_time = timelocal($sec,$min,$hour,$day,$mon,$year);
+	}
+	else
+	{
+		if( $DEBUG > 0 )
+		{
+			warn( "Unknown date format passed to sub $sub_name. Unable to convert time to a unix epoch time\n" );
+		}
+	}
+	
+	return( $ret_time );
+}
+
+sub filesinrange
+{
+	my $sub_name = 'filesinrange';
+	
+	my $_file_list = $_[0] || return( undef );
+	my $_start = $_[1] || return( undef );
+	my $_end = $_[2] || return( undef );
+	my @ordered_list;
+	my $found_start = 0;
+	my $duration = $_end - $_start;
+	my $found_file_count = 0;
+	my @ret_list;
+	
+	my %time_hash;
+	for( my $i = 0; $i < @{$_file_list}; ++$i )
+	{
+		$time_hash{$_file_list->[$i]->[1]} = $i;
+	}
+	
+	foreach my $ts( sort {$a <=> $b} keys( %time_hash ) )
+	{
+		push( @ordered_list, $time_hash{$ts} );
+	}
+	
+	my $file_count = scalar( @ordered_list );
+	foreach my $idx( @ordered_list )
+	{
+		my $file_name = $_file_list->[$idx]->[0];
+		my $file_start_time = $_file_list->[$idx]->[1];
+		my $file_end_time = $_file_list->[$idx]->[2];
+		
+		if( $found_start )
+		{
+			if( $file_start_time <= $_end )
+			{
+				push( @ret_list, $file_name );
+				++$found_file_count;
+				if( ( $file_end_time - $_start ) > $duration )
+				{
+					last;
+				}
+			}
+			else
+			{
+				last;
+			}
+		}
+		elsif( ( $file_start_time <= $_start and $file_end_time >= $_start )
+			or $file_start_time >= $_start )
+		{
+			$found_start = 1;
+			push( @ret_list, $file_name );
+			++$found_file_count;
+			if( $file_end_time > $_end )
+			{
+				last;
+			}
+		}
+	}
+		
+	if( wantarray )
+	{
+		return( @ret_list );
+	}
+	else
+	{
+		return( \@ret_list );
+	}
+}
+
+sub true
+{
+	my $sub_name = 'true';
+	
+	my $arg = $_[0] || return( 0 );
+	
+	if( $arg =~ m/^1|y(?:es)?|t(?:rue)?$/i )
+	{
+		return( 1 );
+	}
+	else
+	{
+		return( 0 );
+	}
+}
+
+sub false
+{
+	my $sub_name = 'false';
+	
+	my $arg = $_[0];
+	
+	if( $arg =~ m/^0|n(?:o)?|f(?:alse)?$/i )
+	{
+		return( 1 );
+	}
+	else
+	{
+		return( 0 );
+	}
+}
+
+sub output_header
+{
+	my $sub_name = 'output_header';
+	
+	my $ret_string;
+	my $cur_time = localtime();
+	my $start_time = date_ymd( $config->{'report-start'} ) . " " .
+		time_hms( $config->{'report-start'} );
+	my $end_time = date_ymd( $config->{'report-end'} ) . " " .
+		time_hms( $config->{'report-end'} );
+	my $brosite = $config->{BRO_SITE_NAME};
+	
+	$ret_string = <<"END";
+
+Site Report for $brosite, from $start_time to $end_time
+generated on $cur_time
+END
+	
+	return( \$ret_string );
+}
+
+sub output_system_summary
+{
+	my $sub_name = 'output_system_summary';
+	
+	my $ret_string;
+	
+	
+	# Header
+	$ret_string .= <<'END';
+========================================================================
+System Summary
+========================================================================
+END
+	
+	# Dropped packet summary
+	# NOTE: this routine no longer works becase these are now in the 
+	#	notice file, not the alarm file
+	my $dropped_packets = Bro::Report::Alarm::output_droppedpackets();
+$ret_string .= <<"END";
+
+$dropped_packets
+END
+		
+	return( \$ret_string );
+}
+
+sub output_connsummary
+{
+	my $sub_name = 'output_connsummary';
+	
+	my $ret_string = '';
+	
+	# Site success/fail connections
+	my $total_connects = Bro::Report::Conn::output_successfailcount(), "\n";
+	
+	# Top 20 source format
+	my $top_20_sources = Bro::Report::Conn::output_sourcecount( 20 );
+	
+	# Top 20 destination format
+	my $top_20_destinations = Bro::Report::Conn::output_destcount( 20 );
+	
+	# Top 20 service format
+	my $top_20_services = Bro::Report::Conn::output_servicecount( 20 );
+	
+	# Top 20 local email source format
+	my $top_20_local_email = Bro::Report::Conn::output_localserviceusers( 'smtp', 20 );
+	
+	# Header
+	$ret_string .= <<'END';
+========================================================================
+Connection Log Summary
+========================================================================
+END
+
+	# Content
+	$ret_string .= <<"END";
+Site-wide connection statistics
+
+$total_connects
+
+Top 20 Sources
+
+$top_20_sources
+
+Top 20 Destinations
+
+$top_20_destinations
+
+Top 20 Local Email Senders
+
+$top_20_local_email
+
+Top 20 Services
+
+$top_20_services
+END
+	
+	return( \$ret_string );
+
+}
+
+sub output_incidentsummary
+{
+	my $sub_name = 'output_incidentsummary';
+		
+	my $ret_string = '';
+	
+	# Incident Summary Header
+	$ret_string .= <<'END';
+========================================================================
+Summary
+========================================================================
+END
+	
+	if( my $data = Bro::Report::Alarm::output_incidentsummary() )
+	{
+		$ret_string .= $data . "\n";
+	}
+	
+	if( my $data = Bro::Report::Alarm::output_scansummary() )
+	{
+		$ret_string .= $data . "\n";
+	}
+	
+	if( my $data = Bro::Report::Alarm::output_signaturesummary() )
+	{
+		$ret_string .= $data . "\n";
+	}
+	
+	return( \$ret_string );
+}
+
+sub output_incidentdetails
+{
+	my $sub_name = 'output_incidentdetails';
+	
+	my $ret_string = '';
+	
+	# Incident Details Header
+	$ret_string .= <<'END';
+========================================================================
+Incident Details
+========================================================================
+END
+	
+	$ret_string .= Bro::Report::Alarm::output_incident();
+	
+	return( \$ret_string );    
+}
+
+sub output_scans
+{
+	my $sub_name = 'output_scans';
+	
+	my $ret_string;
+	
+	# Header
+	$ret_string .= <<'END';
+========================================================================
+Scans
+========================================================================
+END
+	
+	$ret_string .= Bro::Report::Alarm::output_scans();
+	$ret_string .= "\n";
+	
+	return( \$ret_string );
+}
+
+sub output_signaturedistribution
+{
+	my $sub_name = 'output_signaturedistribution';
+	
+	my $ret_string = '';
+	
+	# Header
+	$ret_string .= <<'END';
+========================================================================
+Signature Distributions
+========================================================================
+END
+
+	if( my $data = Bro::Report::Alarm::output_signaturedistribution( 20 ) )
+	{
+		$ret_string .= $data . "\n";
+	}
+	
+	return( \$ret_string );
+}
+
+sub output_bytetransferpairs
+{
+	my $sub_name = 'output_bytetransferpairs';
+	
+	my $ret_string = '';
+	
+	# Header
+	$ret_string .= <<'END';
+========================================================================
+Byte Transfer Pairs
+========================================================================
+END
+
+	if( my $data = Bro::Report::Conn::output_bytetransferpairs( 20 ) )
+	{
+		$ret_string .= $data . "\n";
+	}
+	
+	return( \$ret_string );
+}
+
+sub writereport
+{
+	my $sub_name = 'writereport';
+	
+	my $fh;
+	if( ref( $_[0] ) eq 'GLOB' or ref( $_[0] ) eq 'IO' )
+	{
+		$fh = shift;
+	}
+	else
+	{
+		$fh = \*STDOUT;
+	}
+	
+	my @args = @_;
+	
+	foreach my $part( @args )
+	{
+		if( !( print $fh $$part ) )
+		{
+			warn( "$sub_name, Unable to print to filehandle\n" );
+			return( undef );
+		}
+	}
+	
+	return( 1 );
+}
+
+
+sub timezoneoffset
+{
+	my $sub_name = 'timezone';
+	
+	my $offset  = sprintf "%.1f", ( timegm( localtime ) - time );
+	
+	return( $offset );
+}
+
+sub usage
+{
+	my $sub_name = 'usage';
+	
+	my $usage_text = copyright();
+	$usage_text = qq~$usage_text
+
+Options passed to the program on the command line 
+Command line reference
+  --broconfig|-b      Alternate location containing Bro configuration data
+  --report-range|-r   Length of time (in hours) from report-start to report
+                      on. This will be overridden by report-end if specified.
+                      (default: 24)
+  --report-start|-s   The start time of the data to report on. See date format
+                      below.  Values of yesterday and today are also
+                      understood and default to to a start time of 00:30 hours
+                      (default: yesterday)
+  --report-end|-e     The end time of the data to report on.  This will
+                      override report-range if specified.
+  --max-hosts|-i
+  --max-alarms|-m     The maximum number of alarms per host to include in a
+                      report (default: 100)
+  --temp              Alternate directory in which to write temp files
+                      (default \$BROHOME/logs)
+  --summary-only|-S   Output Connection Summaries only
+  --usage|--help|-h   Summary of command line options
+  --debug|-d          Specify the debug level from 0 to 5. (default: 1)
+  --version           Output the version number to STDOUT
+  --copyright         Output the copyright info to STDOUT
+  
+  Dates are specified as YEAR-MONTH-DAY"T"HOUR:MINUTE:SECOND
+  Any time period not specified is assumed to be 0
+  ( Examples: 2004-12-26T01:23:00, accurate to seconds field
+              2004-12-26, Is the same as 2004-12-26T00:00:00
+              2004-12-26T13, Is the same as 2004-12-26T13:00:00 )
+~;
+	
+	return( $usage_text );
+}
+
+sub version
+{
+	my $sub_name = 'version';
+	
+	return( $VERSION );
+}
+
+sub copyright
+{
+	my $sub_name = 'copyright';
+	
+	my $copyright =
+qq~s2b.pl
+version $VERSION, Copyright (C) 2004 Lawrence Berkeley National Labs, NERSC
+Written by Roger Winslow~;
+	
+	return( $copyright );
+}
+
+sub end_program
+{
+	my $sub_name = 'cleanup';
+	
+	my $exit_code = shift || 0;
+	
+	# Remove any temp files
+	Bro::Report::tempfile( 'remove all' );
+	
+	exit( $exit_code );
+}
diff --git a/scripts/process_bro_logs.py b/scripts/process_bro_logs.py
new file mode 100755
index 0000000000..ed540bf2b4
--- /dev/null
+++ b/scripts/process_bro_logs.py
@@ -0,0 +1,182 @@
+#!/usr/bin/env python
+import re
+import os
+import sys
+import time
+import string
+import math
+import getopt
+
+rawlogs=None
+processedlogs=None
+
+# invoke a sed script to remove the last byte from the ips 
+def maskit(file):
+    cmd = "sed -f mask-addr.sed %s > %s.masked" % (file,file)
+    ret = os.system(cmd)
+    if ret != 0:
+        print "error with %s" % cmd
+    cmd = "rm %s" % file
+    ret = os.system(cmd)
+    if ret != 0:
+        print "error with %s" % cmd
+    cmd = "mv %s.masked %s" % (file, file)
+    ret = os.system(cmd)
+    if ret != 0:
+        print "error with %s" % cmd
+
+def get_files(dir, myfilter='.*\.example$', includezero = False):
+    """get all '*.example' files"""
+    SIZE = 6
+    flist=[]
+    files = os.listdir(dir)
+    test = re.compile(myfilter, re.IGNORECASE)
+    files = filter(test.search, files)
+    for f in files:
+        s = os.stat(dir + '/' + f)[SIZE]
+        if s > 0 or includezero:
+            flist.append(f)
+    return flist
+
+def sort_conn(f):
+    # move to new file
+    cmd = "mv %s %s.sortme" % (f,f)
+    ret = os.system(cmd)
+    if ret != 0:
+        print "error with %s" % cmd
+    # sort it
+    cmd = "sort %s.sortme > %s" % (f, f)
+    ret = os.system(cmd)
+    if ret != 0:
+        print "error with %s" % cmd
+    # we can allow a one byte difference (probably newline)
+    if math.fabs(os.stat(f)[6] - size) >= 2:
+        print "Error sizes don't match! %d != %d (%s)" % ( os.stat(f)[6], size, f)
+        sys.exit(1)
+    # remove old file (now called .sortme)
+    cmd = "rm %s" % (f + ".sortme")
+    ret = os.system(cmd)
+    if ret != 0:
+        print "error with %s" % cmd
+
+def move_it(f,fname):
+    # move it on over
+    cmd = "mv %s %s/%s" % ( f, processedlogs, fname )
+    ret = os.system(cmd)
+    if ret != 0:
+        print "error with %s" % cmd
+
+def usage(msg=None):
+    if msg != None:
+        print msg
+    print """process_bro_logs.py -h -l logsdir -r rawlogsdir"""
+    print """    -h             This help message"""
+    print """    -l logsdir     Directory where the logs should end up"""
+    print """    -r rawlogsdir  Directory where the raw logs reside"""
+    sys.exit(1)
+
+####################################################
+# This is the start of the script
+
+
+try:
+    options,prog_args = getopt.getopt(sys.argv[1:],'hl:r:')
+except getopt.GetoptError, E:
+   usage(E)
+
+for opt,val in options:
+  if opt == '-l':
+      processedlogs = val
+  elif opt == '-r':
+      rawlogs = val
+  else:
+      usage()
+
+
+if rawlogs == None or processedlogs == None:
+    usage()
+
+# get to the right place
+os.chdir(rawlogs)
+
+# look for logs that have been split
+fl1 = get_files(rawlogs, 
+    myfilter='^(\w+)\.\w+\.(\d{2})-(\d{2})-(\d{2})[-_](\d{2})[:.](\d{2})[:.](\d{2})\.[0-9]+\.[0-9]+\.[0-9]+$')
+
+for f in fl1:
+    print "Working on split file: ", f
+    # grab times before we mess with it
+    size,atime,mtime,ctime = os.stat(f)[6:10]
+    type,host = string.split(f,'.')[0:2]
+
+    broend = string.split(f, ".")[-2:-1][0]
+
+    # only sort conn files
+    if f[:4] == 'conn':
+        sort_conn(f)
+
+    cmd = 'sync'
+    ret = os.system(cmd)
+    #grab the 2nd timestamp
+    cmd = 'head -2 %s | tail -1' % f
+    if ret != 0:
+        print "error with %s" % cmd
+
+    fo=os.popen(cmd)
+    buf = fo.read()
+    fo.close()
+    brostart = buf.split('.')[:1]
+
+    # sanity check
+    if brostart[0] < 1090000000 or len(brostart[0]) != 10:
+        print "File error! Stopping"
+        sys.exit(1)
+
+    # construct new filenaem
+    fname = "%s.%s.%s-%s" % (type,host,brostart[0],broend)
+
+    # does a file with name already exist?
+    if os.access("%s/%s" % (processedlogs, fname), os.F_OK):
+        print "File %s already exists" % fname
+        print "Skipping %s" % fname
+        continue
+
+    move_it(f,fname)
+    os.utime("%s/%s" % (processedlogs,fname), (mtime,mtime))
+    print "Done with %s" % f
+    # lets not run too fast
+    time.sleep(3)
+    continue
+
+# look for files that haven't been split
+fl2 = get_files(rawlogs, 
+    myfilter='^(\w+)\.\w+\.(\d{2})-(\d{2})-(\d{2})[-_](\d{2})[:.](\d{2})[:.](\d{2})$')
+
+for f in fl2:
+    print "Working on file: ", f
+    # grab times before we mess with it
+    size,atime,mtime,ctime = os.stat(f)[6:10]
+    type,host = string.split(f,'.')[0:2]
+
+    brostart = string.join(string.split(f, ".", 2)[2:])
+    foo = list(time.strptime(brostart, '%Y-%m-%d_%H.%M.%S'))
+
+    # toggle guessing of daylight savings, grrrr
+    foo[-1] = -1
+    bs = time.mktime(foo)
+    fname = "%s.%s.%d-%s" % (type,host,bs,mtime)
+
+    if os.access("%s/%s" % (processedlogs,fname), os.F_OK):
+        print "File %s already exists, skipping" % fname
+        continue
+
+    # sort conn files
+    if f[:4] == 'conn':
+        sort_conn(f)
+
+    move_it(f, fname)
+    os.utime("%s/%s" % (processedlogs,fname), (mtime,mtime))
+    print "Done with %s (%s)" % (fname,f)
+    # lets not overrun things
+    time.sleep(3)
+    continue
diff --git a/scripts/push_logs.sh b/scripts/push_logs.sh
new file mode 100644
index 0000000000..f1cbd7dd0e
--- /dev/null
+++ b/scripts/push_logs.sh
@@ -0,0 +1,22 @@
+#!/bin/sh
+#
+# script to push logs from a bro host to a front end host, including a file "DoReports.HOST" telling
+# the report generation script that the new days logs are ready to process
+#
+# usage: push_logs.sh hostname:path
+#
+
+# where are we located
+base=`dirname $0`
+#set the environment
+. $base/../etc/bro.cfg
+
+nice -n 20 /usr/local/bin/rsync -avzt $BROHOME/logs/ $1
+
+# create and copy file to trigger report generation
+touch /tmp/DoReports.$BRO_HOSTNAME
+/usr/local/bin/rsync -avzt /tmp/DoReports.$BRO_HOSTNAME $1
+
+# and if you need to sort the logs for Brooery, add this:
+#ssh $1 "/usr/local/bro/scripts/log2gui.py -r /usr/local/bro/logs -l /usr/local/bro/sorted-logs"
+
diff --git a/scripts/s2b/Makefile.am b/scripts/s2b/Makefile.am
new file mode 100644
index 0000000000..1853af02e1
--- /dev/null
+++ b/scripts/s2b/Makefile.am
@@ -0,0 +1,3 @@
+## Process this file with automake to produce Makefile.in
+
+SUBDIRS = bro-include example_bro_files etc bin pm snort_rules2.2
diff --git a/scripts/s2b/README b/scripts/s2b/README
new file mode 100644
index 0000000000..a5a7ea2d6e
--- /dev/null
+++ b/scripts/s2b/README
@@ -0,0 +1,74 @@
+# quick README
+
+For the purpose of this readme file it is assumed that Bro is already 
+installed and running and you are familiar with the general directory 
+structure.
+
+REQUIREMENTS:
+
+	PERL 5.6.1 or greater
+	Python
+
+
+Copy all of the files in the bro-include directory that end in .bro
+or .sig to your $BROHOME/policy directory.
+
+If you are running multiple versions of PERL or Python and the required 
+version is not running from the default place then you are going to need 
+to change the bang path (example: #!/usr/bin/perl) to whatever is appropriate.
+
+All files created by s2b.pl that are used in a running Bro instance will end 
+with either .bro or .sig.  The recommended place to put these file is under 
+the directory $BROHOME/policy/local as these files can change often and will 
+be tuned to a specific site or network traffic type.
+
+Here are example entries to be added to the Bro policy start script so that 
+the signature preqrequisites get loaded correctly.
+
+	@load software
+	@load signatures
+	@load snort
+	@load sig-functions.bro
+	@load sig-action.bro
+
+On the command line which starts the running Bro process include the 
+following.  It is assumed that the frequently updated signatures.sig and 
+sig-action.bro are put in the directories $BROHOME/site and 
+$BROHOME/policy respectively.  $BRO is the path to the bro binary in use.
+
+	$BRO -s $BROHOME/policy/sig-addendum.sig -s $BROHOME/site/signatures.sig <other command line stuff>
+
+
+# These are just some quick examples
+# Since most of the programs control resides in the --configdir these 
+ # commands point to the relative config dir of 'etc/' which is included
+ # in the tarball.
+# Change to bin/ and try the following commands
+
+# This PERL program requires PERL 5.6.1 minimum and module Config::General
+ # which is included in directory pm/ or it can be downloaded from cpan.org
+
+# Create a new s2b-augment.cfg file
+
+./s2b.pl --mainconfig ../etc/s2b.cfg --configdir ../etc --snortrulesetdir ../snort_rules2.2 --updateaugment --augmentconfig ../etc/s2b-augment.cfg
+
+
+# Create Bro s2b.sig and s2b-siagaction.bro files a remain completely silent outputting no errors if encountered
+
+./s2b.pl --mainconfig ../etc/s2b.cfg --configdir ../etc --snortrulesetdir ../snort_rules2.2 --augmentconfig ../etc/s2b-augment.cfg --debug 0
+
+
+# Create Bro s2b.sig and s2b-sigaction.bro files and print any errors to STDERR.  (default debug level is 1)
+
+./s2b.pl --mainconfig ../etc/s2b.cfg --configdir ../etc --snortrulesetdir ../snort_rules2.2 --augmentconfig ../etc/s2b-augment.cfg --debug 1
+
+
+# Show some usage info
+
+./s2b.pl --help
+
+
+TODO:
+
+   Need to update this readme after the directory structure of Bro has been 
+   finalized.
diff --git a/scripts/s2b/bin/Makefile.am b/scripts/s2b/bin/Makefile.am
new file mode 100644
index 0000000000..4b7604c44e
--- /dev/null
+++ b/scripts/s2b/bin/Makefile.am
@@ -0,0 +1,8 @@
+## Process this file with automake to produce Makefile.in
+
+# include in the dist for now
+EXTRA_DIST = s2b.pl snort2bro
+
+# OR we can install them on a make install 
+#scriptsdir=$(prefix)/etc
+#dist_scripts_SCRIPTS = s2b.pl snort2bro
diff --git a/scripts/s2b/bin/s2b.pl b/scripts/s2b/bin/s2b.pl
new file mode 100755
index 0000000000..cb2be82511
--- /dev/null
+++ b/scripts/s2b/bin/s2b.pl
@@ -0,0 +1,2991 @@
+#!/usr/bin/perl -Tw
+
+# s2b.pl
+
+# Read and parse a Bro signature from a string or array reference
+package Bro::Signature;
+{
+	use strict;
+	require 5.006_001;
+	require Exporter;
+	use vars qw( $VERSION
+				@ISA
+				@EXPORT_OK
+				$DEBUG );
+	
+	$VERSION = '1.10';
+	@EXPORT_OK = qw( findkeyblocks );
+	@ISA = qw( Exporter );
+	$DEBUG = 0;
+	
+	sub new
+	{
+		my $sub_name = 'new';
+		
+		my $self;
+		my $proto = shift;
+		my $class = ref( $proto ) || $proto;
+		my %args = @_;
+		my $sig_data = {};
+		
+		if( defined( $args{string} ) )
+		{
+			if( !( $sig_data = parsesig( $args{string} ) ) )
+			{
+				return( undef );
+			}
+		}
+		else
+		{
+			warn( "Signature must be passed in as a string for now.  Direct" .
+				" object creation is not supported yet\n" );
+			return( undef );
+		}
+		
+		$self = $sig_data;
+		bless( $self, $class );
+		return( $self );
+		
+	}
+	
+	sub parsesig
+	{
+		my $sub_name = 'parsesig';
+		
+		my $sig_block = shift || return( undef );
+		my $sig_data;
+		my $ret_data = {};
+		
+		# Check on the storage of the data
+		if( ref( $sig_block ) eq 'ARRAY' )
+		{
+			$sig_data = join( "\n", @{$sig_block} );
+		}
+		else
+		{
+			# Otherwise it gets treated as a string
+			$sig_data = $sig_block;
+		}
+		
+		my $parse_err = 0;
+		
+		if( $sig_data =~
+			m/^signature[[:space:]]+([[:alnum:]_-]{3,})[[:space:]]*\{[[:space:]]*?\n?	# signature declaration
+			(.+?)		# signature data
+			[[:space:]]*\}$/xs )	# end of block
+		{
+			my $sig_id = $1;
+			my $sig_options = $2;
+			
+			$ret_data->{sig_id} = $sig_id;
+			
+			my @raw_data;
+			my $i = 0;
+			
+			foreach my $line( split( /\n/, $sig_options ) )
+			{
+				# Each line of the signature is stored in an
+				 # array to maintain the order and any comments.
+				 # The actual data is stored in a hash.
+				 # Access of the data should be done through the methods
+				 # to output the whole signature along with comments.
+				
+				# remove any leading spaces
+				$line =~ s/^[[:space:]]*//;
+				
+				# Put the line into the raw_data array
+				$raw_data[$i] = $line;
+				
+				# Strip any comments from the line
+				$line =~ s/(?:[[:space:]]+|)#.+$//;
+				
+				my( $key, $value ) = split( /[[:space:]]+/, $line, 2 );
+				# if there is still data in the line then process
+				if( defined( $value ) )
+				{
+					# Remove any leading spaces
+					$value =~ s/^[[:space:]]*//;
+					# place a reference to the raw_data array for this attribute
+					# set the value for this attribute instance
+					push( @{$ret_data->{$key}}, { 
+							'__raw_data_pos__' => $i,
+							'__value__' => $value, },
+					);
+				}
+				
+				++$i;
+			}
+			
+			$ret_data->{'__raw_data__'} = \@raw_data;
+		}
+		else
+		{
+			if( $DEBUG > 0 )
+			{
+				warn( "Signature read error. Could not find a valid signature block\n" );
+			}
+			$parse_err = 1;
+		}
+		
+		if( $parse_err )
+		{
+			return( undef );
+		}
+		else
+		{
+			return( $ret_data );
+		}
+	}
+	
+	sub findkeyblocks
+	{
+		my $sub_name = 'findkeyblocks';
+		
+		my $string = shift;
+		my $keyword = 'signature';
+		my $key_len = length( $keyword );
+		my @ret_blocks;
+		my $block_idx = 0;			# Current idx of the keyword blocks that will be returned
+		my $open_brace_count = 0;	# Number of open braces encountered
+		my $close_brace_count = 0;	# number of close braces encountered
+		my $len = length( $string );	# length of string passed in
+		my $pos_idx = 0;			# current position of substring
+		my $st_blk_pos = 0;			# string position of a new block
+		my $ws = '';				# working string
+		my $found_key_start = 0;		# flag that a new keyword block has started
+		my $comment_line = 0;		# flag if comments are in effect
+		my $quoted;			# flag if quoting is active. contents are the quote character
+		
+		# make sure the string is of non-zero length.  Add one more so our
+		 # loop below works
+		if( $len > 0 )
+		{
+			++$len;
+		}
+		else
+		{
+			return( undef );
+		}
+		
+		# Push a space onto the front of the string.  This just helps in
+		 # starting the pattern matching.  It's easier than writting a
+		 # bunch more lines of code.
+		$string = "\n" . $string;
+		++$len;
+		
+		while( $pos_idx < $len )
+		{
+			# If the two numbers match then a complete block has been found.
+			if( $open_brace_count == $close_brace_count and
+				$open_brace_count > 0 )
+			{
+				$ret_blocks[$block_idx] = $ws;
+				++$block_idx;
+				$open_brace_count = 0;
+				$close_brace_count = 0;
+				$found_key_start = 0;
+				$st_blk_pos = $pos_idx;
+				$ws = '';
+			}
+			elsif( $close_brace_count > $open_brace_count )
+			{
+				# Looks like there was a syntax error perhaps the
+				 # file contains a keyword but no valid block
+				 # Reset the counters and backup to $st_blk_pos + 1
+				if( $DEBUG > 0 )
+				{
+					warn( "Error in parsing $keyword, found closed brace",
+						" for a block but no open brace at char position $pos_idx\n" );
+				}
+				$open_brace_count = 0;
+				$close_brace_count = 0;
+				$found_key_start = 0;
+				$pos_idx = $st_blk_pos + 1;
+				$st_blk_pos = '';
+				$ws = '';
+				next;
+			}
+			
+			# Make sure that substr returns a value
+			if( defined( my $wc = substr( $string, $pos_idx, 1 ) ) )
+			{
+				if( $quoted
+					and $found_key_start )
+				{
+					if( $wc eq $quoted
+						and substr( $string, $pos_idx - 1, 1 ) ne '\\' )
+					{
+						$quoted = undef;
+					}
+				}
+				# check for comment '#' character which is active until the 
+				 # start of a newline
+				elsif( ! $comment_line and 
+					$wc eq '#' and
+					substr( $string, $pos_idx - 1, 1 ) ne '\\' )
+				{
+					$comment_line = 1;
+				}
+				# Check if the comment flag is set
+				elsif( $comment_line )
+				{
+					# If the current character is a newline then reset the comment flag
+					if( $wc =~ m/\n/ )
+					{
+						$comment_line = 0;
+					}
+				}
+				# start this if not currently working in a block and not a comment
+				elsif( ! $found_key_start and ! $comment_line )
+				{
+					# check if the keyword is found 
+					if( $pos_idx + $key_len + 1 < $len
+					and substr( $string, $pos_idx, $key_len ) eq $keyword )
+					{
+						# check to make sure that the keyword is followed by a space
+						if( substr( $string, $pos_idx + $key_len, 1 ) =~
+							m/[[:space:]]/ )
+						{
+							$found_key_start = 1;
+							$st_blk_pos = $pos_idx;
+						}
+					}
+				}
+				elsif( $pos_idx + $key_len + 1 < $len
+					and $found_key_start
+					and substr( $string, $pos_idx, $key_len ) eq $keyword )
+				{
+					if( substr( $string, $pos_idx + $key_len, 1 ) =~
+							m/[[:space:]]/ )
+					{
+						if( $DEBUG > 0 )
+						{
+							warn( "New $keyword keyword found inside of another $keyword block",
+								" at char position $pos_idx\n" );
+							
+							#print "STRING => $string\n";
+						}
+						
+						# Reset the search params
+						$open_brace_count = 0;
+						$close_brace_count = 0;
+						$found_key_start = 0;
+						++$pos_idx;
+						$st_blk_pos = '';
+						$ws = '';
+						next;
+					}
+				}
+				elsif( $wc eq '{' and 
+					substr( $string, $pos_idx - 1, 1 ) ne '\\' )
+				{
+					++$open_brace_count;
+				}
+				elsif( $wc eq '}' and
+					substr( $string, $pos_idx - 1, 1 ) ne '\\' )
+				{
+					++$close_brace_count;
+				}
+				elsif( ! $quoted
+					and ! $comment_line
+					and $found_key_start )
+				{
+					if( $wc eq '"'
+						and substr( $string, $pos_idx - 1, 1 ) ne '\\' )
+					{
+						$quoted = $wc;
+					}
+				}
+				else
+				{
+					
+				}
+				
+				# Only append chars to the working string if in a $keyword block
+				if( $found_key_start )
+				{
+					$ws = $ws . $wc;
+				}
+				++$pos_idx;
+			}
+			else
+			{
+				print "Failed to pull data out using substr at position $pos_idx\n";
+				++$pos_idx;
+			}
+		}
+		
+		if( wantarray )
+		{
+			return( @ret_blocks );
+		}
+		else
+		{
+			return( \@ret_blocks );
+		}
+	}
+	
+	sub addcomment
+	{
+		my $sub_name = 'addcomment';
+		
+		my $self = shift || return( undef );
+		my $comment = shift || return( undef );
+		
+		# Make sure the comment starts with a '#'
+		if( $comment !~ m/^[[:space:]]*#/ )
+		{
+			$comment = '#' . $comment;
+		}
+		
+		if( $self->{'__raw_data__'} )
+		{
+			my $next_idx = $#{$self->{'__raw_data__'}} + 1;
+			$self->{'__raw_data__'}->[$next_idx] = $comment;
+		}
+		else
+		{
+			return( undef );
+		}
+		
+		return( 1 );
+	}
+	
+	sub addoption
+	{
+		my $sub_name = 'addoption';
+		
+		my $self = shift || return( undef );
+		my $option = shift || return( undef );
+		my $option_data = shift || return( undef );
+		
+		if( $self->{'__raw_data__'} )
+		{
+			my $next_idx = $#{$self->{'__raw_data__'}} + 1;
+			$self->{'__raw_data__'}->[$next_idx] = $option . ' ' . $option_data;
+			push( @{$self->{$option}}, 
+				{ '__raw_data_pos__' => $next_idx,
+				'__value__' => $option_data, } );
+		}
+		else
+		{
+			return( undef );
+		}
+		
+		return( 1 );
+	}
+	
+	sub deloption
+	{
+		my $sub_name = 'deloption';
+		# Accepts at a minimum the object and an option to remove
+		# For options that have multivalues the value can be passed in as 
+		 # option_data to remove only the one value from the object.
+		# If an option has multivalues and no option_data is given then all
+		 # options are removed.
+		
+		
+		my $self = shift || return( undef );
+		my $match_option = shift || return( undef );
+		my $match_data = shift;	#optional
+		my $success = 0;
+		my @raw_data_pos;
+				
+		if( defined( $match_data ) )
+		{
+			if( $DEBUG > 4 )
+			{
+				warn( "Method $sub_name has been asked to delete option '" .
+					$match_option . "', value '" . $match_data . "'\n" );
+			}
+			# Must match on both the option key and it's value
+			if( exists( $self->{$match_option} ) )
+			{				
+				if( ref( $self->{$match_option} ) eq 'ARRAY' )
+				{
+					if( $DEBUG > 4 )
+					{
+						warn( "Found a match on $match_option in signature\n" );
+					}
+					
+					my $__found = 0;
+					my @good_data;
+					foreach my $opt_value( @{$self->{$match_option}} )
+					{
+						if( $opt_value->{'__value__'} eq $match_data )
+						{
+							++$__found;
+							$success = 1;
+							push( @raw_data_pos, $opt_value->{'__raw_data_pos__'} );
+						}
+						elsif( defined( my $tt = $opt_value->{'__value__'} ) )
+						{
+							push( @good_data, $opt_value );
+						}
+						
+					}
+					
+					if( $success )
+					{
+						if( defined( $good_data[0] ) )
+						{
+							# Replace the object's old data with the good data
+							$self->{$match_option} = [ @good_data ];
+						}
+						else
+						{
+							delete $self->{$match_option};
+						}
+					}
+				}
+			}
+		}
+		elsif( exists( $self->{$match_option} ) )
+		{
+			if( $DEBUG > 4 )
+			{
+				warn( "Method $sub_name has been asked to delete all data with" .
+					" an option name of $match_option\n" );
+			}
+			
+			foreach my $opt_data( @{$self->{$match_option}} )
+			{
+				push( @raw_data_pos, $opt_data->{'__raw_data_pos__'} );
+			}
+			delete $self->{$match_option};
+			$success = 1;
+		}
+		
+		
+		if( $success )
+		{
+			# cleanup the __raw_data__ storage in the object
+			# get the last index of the __raw_data__ array
+			foreach my $idx( @raw_data_pos )
+			{
+				$self->{'__raw_data__'}->[$idx] = undef;
+			}
+			
+			# Delete the 
+		}
+		
+		return( $success );
+		
+	}
+	
+	sub output
+	{
+		my $sub_name = 'output';
+		
+		my $self = shift || return( undef );
+		my %args = @_;
+		my $ret_string;
+		my $prefix = '';
+		my $comments = 0;
+		
+		# Check on options
+		if( $args{sigprefix} )
+		{
+			$prefix = $args{sigprefix};
+		}
+		
+		if( defined( $args{comments} ) )
+		{
+			$comments = $args{comments};
+		}
+		else
+		{
+			$comments = 1;
+		}
+		
+		# opening to a Bro signature block
+		$ret_string = 'signature ' . $prefix . $self->{sig_id} . ' {' . "\n";
+		
+		if( $comments )
+		{
+			foreach my $line( @{$self->{'__raw_data__'}} )
+			{
+				if( defined( $line ) )
+				{
+					$ret_string = $ret_string . '  ' . $line . "\n";
+				}
+			}
+		}
+		else
+		{
+			while( my( $option, $opt_array ) = each( %{$self} ) )
+			{
+				if( $option ne '__raw_data__' and $option ne 'sig_id' )
+				{
+					foreach my $opt_data( @{$opt_array} )
+					{
+						$ret_string = $ret_string . 
+						'  ' .
+						$option .
+						' ' .
+						$opt_data->{'__value__'} .
+						"\n";
+					}
+				}
+			}
+		}
+		
+		# closing of the Bro signature block
+		$ret_string = $ret_string . '}';
+		
+		return( $ret_string );
+	}
+	
+	sub option
+	{
+		my $sub_name = 'option';
+		
+		my $self = shift || return( undef );
+		my $sig_option = shift || return( undef );
+		my $ret_data;
+		
+		if( $self->{$sig_option} )
+		{
+			foreach my $data( @{$self->{$sig_option}} )
+			{
+				push( @{$ret_data}, $data->{'__value__'} );
+			}
+		}
+		else
+		{
+			return( undef );
+		}
+		
+		if( @{$ret_data} > 1 )
+		{
+			return( @{$ret_data} );
+		}
+		else
+		{
+			return( $ret_data->[0] );
+		}
+	}
+	
+	sub sigid
+	{
+		# This is the entire Bro signature id as parsed in from a 
+		 # signature block
+		my $sub_name = 'sigid';
+		
+		my $self = shift || return( undef );
+		
+		if( $self->{sig_id} )
+		{
+			return( $self->{sig_id} );
+		}
+		else
+		{
+			return( undef );
+		}
+	}
+	
+	sub openportlist
+	{
+		my $sub_name = 'openportlist';
+		
+		my $self = shift || return( undef );
+		
+	}
+};
+
+
+package Bro::S2b::Augment;
+{
+	use strict;
+	require 5.006_001;
+	use Config::General;
+	#require Bro::Signature;
+	
+	use vars qw( $VERSION
+			$DEBUG
+			%VALID_AUGMENT_OPTIONS
+			$QUOTE_PATT );
+	
+	$VERSION = '1.10';
+	
+	%VALID_AUGMENT_OPTIONS = (
+		'active' =>
+			{ fatal => '{1}',
+			msg => "One required with values of T or F",
+			no_modify => 0,
+			write_to_cfg => 1,
+			write_to_sig => 0, },
+		'comment' =>
+			{ fatal => '*',
+			msg => "Zero or more allowed, value is plain text",
+			no_modify => 0,
+			write_to_cfg => 1,
+			write_to_sig => 0, },
+		'dst-ip' =>
+			{ fatal => '*',
+			warn => '{0,10}',
+			msg => "Zero or many with a max of 10 recommended",
+			no_modify => 0,
+			write_to_cfg => 1,
+			write_to_sig => 1, },
+		'dst-port' =>
+			{ fatal => '*',
+			warn => '{0,10}',
+			msg => "Zero or many with a max of 10 recommended",
+			no_modify => 0,
+			write_to_cfg => 1,
+			write_to_sig => 1, },
+		'src-ip' =>
+			{ fatal => '*',
+			warn => '{0,10}',
+			msg => "Zero or many with a max of 10 recommended",
+			no_modify => 0,
+			write_to_cfg => 1,
+			write_to_sig => 1, },
+		'src-port' =>
+			{ fatal => '*',
+			warn => '{0,10}',
+			msg => "Zero or many with a max of 10 recommended",
+			no_modify => 0,
+			write_to_cfg => 1,
+			write_to_sig => 1, },
+		'ip-proto' =>
+			{ fatal => '*',
+			warn => '{0,10}',
+			msg => "Zero or many with a max of 10 recommended",
+			no_modify => 0,
+			write_to_cfg => 1,
+			write_to_sig => 1, },
+		'eval' =>
+			{ fatal => '*',
+			warn => '{0,10}',
+			msg => "Zero or many with a max of 10 recommended",
+			no_modify => 0,
+			write_to_cfg => 1,
+			write_to_sig => 1, },
+		'ftp' =>
+			{ fatal => '*',
+			warn => '{0,10}',
+			msg => "Zero or many with a max of 10 recommended",
+			no_modify => 0,
+			write_to_cfg => 1,
+			write_to_sig => 1, },
+		'header' =>
+			{ fatal => '*',
+			warn => '{0,10}',
+			msg => "Zero or many with a max of 10 recommended",
+			no_modify => 0,
+			write_to_cfg => 1,
+			write_to_sig => 1, },
+		'http' =>
+			{ fatal => '*',
+			warn => '{0,10}',
+			msg => "Zero or many with a max of 10 recommended",
+			no_modify => 0,
+			write_to_cfg => 1,
+			write_to_sig => 1, },
+		'http-request' =>
+			{ fatal => '*',
+			warn => '{0,10}',
+			msg => "Zero or many with a max of 10 recommended",
+			no_modify => 0,
+			write_to_cfg => 1,
+			write_to_sig => 1, },
+		'http-request-header' =>
+			{ fatal => '*',
+			warn => '{0,10}',
+			msg => "Zero or many with a max of 10 recommended",
+			no_modify => 0,
+			write_to_cfg => 1,
+			write_to_sig => 1, },
+		'http-reply-header' =>
+			{ fatal => '*',
+			warn => '{0,10}',
+			msg => "Zero or many with a max of 10 recommended",
+			no_modify => 0,
+			write_to_cfg => 1,
+			write_to_sig => 1, },
+		'ip-options' =>
+			{ fatal => '?',
+			msg => "One or zero allowed. Not implemented yet.",
+			no_modify => 0,
+			write_to_cfg => 1,
+			write_to_sig => 1, },
+		'payload' =>
+			{ fatal => '*',
+			warn => '{0,10}',
+			msg => "Zero or many with a max of 10 recommened.",
+			no_modify => 0,
+			write_to_cfg => 1,
+			write_to_sig => 1, },
+		'payload-size' =>
+			{ fatal => '?',
+			msg => 'One or zero allowed.',
+			no_modify => 0,
+			write_to_cfg => 1,
+			write_to_sig => 1, },
+		'requires-signature' => 
+			{ fatal => '*',
+			warn => '{0,10}',
+			msg => "Zero or many with a max of 10 recommended",
+			no_modify => 0,
+			write_to_cfg => 1,
+			write_to_sig => 1, },
+		'requires-reverse-signature' =>
+			{ fatal => '*',
+			warn => '{0,10}',
+			msg => "Zero or many with a max of 10 recommended",
+			no_modify => 0,
+			write_to_cfg => 1,
+			write_to_sig => 1, },
+		'same-ip' =>
+			{ fatal => '?',
+			msg => 'One or zero allowed.',
+			no_modify => 0,
+			write_to_cfg => 1,
+			write_to_sig => 1, },
+		'snort-rule-file' =>
+			{ fatal => '?',
+			msg => "Zero or one allowed, filename from where the Snort rule came from is recommened",
+			no_modify => 1,
+			write_to_cfg => 1,
+			write_to_sig => 0, },
+		'sid-rev' =>
+			{ fatal => '{1}',
+			msg => "One is required.  SID rev number provided in the Snort ruleset file",
+			no_modify => 1,
+			write_to_cfg => 0,
+			write_to_sig => 0, },
+		'sid' =>
+			{ fatal => '{1}',
+			msg => "One is required.  Sid number is provided in the Snort ruleset file",
+			no_modify => 1,
+			write_to_cfg => 0,
+			write_to_sig => 0, },
+		'sigaction' =>
+			{ fatal => '{1}',
+			msg => "One required with a Bro SigAction as a value",
+			no_modify => 0,
+			write_to_cfg => 1,
+			write_to_sig => 0, },
+		'tcp-state' =>
+			{ fatal => '?',
+			msg => 'One or zero allowed.',
+			no_modify => 0,
+			write_to_cfg => 1,
+			write_to_sig => 1, },
+		);
+	
+	$QUOTE_PATT = qr~(?:[=!]{2}|\;|[|]{2}|\"|\>|\<)~;
+	
+	sub new
+	{
+		my $sub_name = 'new';
+		
+		my $self;
+		my $proto = shift;
+		my $class = ref( $proto ) || $proto;
+		my %args = @_;
+		my $augment_objs = [];
+		my $sig_data = {};
+		
+		if( defined( $args{filename} ) )
+		{
+			if( !( $augment_objs = getaugmentconfig( $args{filename} ) ) )
+			{
+				return( undef );
+			}
+			else
+			{
+				return( $augment_objs );
+			}
+		}
+		else
+		{
+			if( validate( \%args ) )
+			{
+				$sig_data = \%args;
+			}
+			else
+			{
+				return( undef );
+			}
+		}
+		
+		$self = $sig_data;
+		bless( $self, $class );
+		return( $self );
+		
+	}
+	
+	sub getaugmentconfig
+	{
+		my $sub_name = 'getaugmentconfig';
+		
+		my $augment_file = shift || undef;
+		my $valid_opts = \%VALID_AUGMENT_OPTIONS;
+		my @ret_arr;
+		my %aug_conf;
+		my $conf;
+		
+		if( -r $augment_file )
+		{
+			$conf = Config::General->new( -ConfigFile => $augment_file,
+							-LowerCaseNames => 1,
+							-MergeDuplicateBlocks => 0,
+							);
+		}
+		else
+		{
+			if( $DEBUG > 0 )
+			{
+				warn( "Error reading augment config at \"$augment_file\".\n" );
+			}
+			return( undef );
+		}
+		
+		%aug_conf = $conf->getall();
+		
+		if( ref( $aug_conf{augment} ) eq 'HASH' )
+		{
+			%aug_conf = %{$aug_conf{augment}}
+		}
+		
+		while( my( $sid_id, $aug_data ) = each( %aug_conf ) )
+		{
+			my( $sid_num, $sid_rev ) = split( /-/, $sid_id, 2 );
+			my $invalid_sid = 0;
+			
+			# The sid_id is represents both the sid number and the rev
+			 # in the form sid-rev, example: 540-2 would have a sid number
+			 # of 540 and an rev of 2
+			
+			if( ref( $aug_data ) eq 'ARRAY' )
+			{
+				if( $DEBUG > 1 )
+				{
+					warn( "SID number $sid_num with rev number $sid_rev has duplicate" .
+					" entries.  Keeping the first instance and removing all others\n" );
+				}
+				
+				my $keep_data = $aug_conf{$sid_id}->[0];
+				$aug_conf{$sid_id} = undef;
+				$aug_conf{$sid_id} = $keep_data;
+			}
+			else
+			{
+				if( my $aug_obj = Bro::S2b::Augment->new( 'sid' => $sid_num,
+										'sid-rev' => $sid_rev,
+										%{$aug_data} ) )
+				{
+					push( @ret_arr, $aug_obj );
+				}
+				else
+				{
+					warn( "Failed to parse sid $sid_num, rev $sid_rev\n" );
+					$invalid_sid = 1;
+				}
+			}
+			
+			if( $invalid_sid )
+			{
+				if( $DEBUG > 0 )
+				{
+					warn( "Snort SID number $sid_num is being ignored\n" );
+				}
+			}
+		}
+		
+		if( $DEBUG > 4 )
+		{
+			warn( "\nMemory dump of augment config file $augment_file\n" );
+			warn( $conf->save_string( \%aug_conf ) . "\n" );
+			warn( "\n" );
+		}
+		
+		if( wantarray )
+		{
+			return( @ret_arr );
+		}
+		else
+		{
+			return( \@ret_arr );
+		}
+	}
+	
+	sub validate
+	{
+		my $sub_name = 'validate';
+		
+		# The hash passed in is in the form
+		 # <snort sid> => <hash ref of augment data>
+		
+		my $aug_data = shift || return( undef );
+		my %ret_hash;
+		my $invalid_sid = 0;
+		my $sid_num = $aug_data->{sid};
+		my $del_data = {};	# hash ref of options that will later be removed from a sig
+		
+		# make sure that the snort sid number is greater than 100
+		if( $sid_num =~ m/^([[:digit:]]+)$/ and $sid_num > 100 )
+		{
+			$sid_num = $1;
+		}
+		
+		# Check for a delete block
+		if( exists( $aug_data->{delete} ) )
+		{
+			$del_data = $aug_data->{delete};
+		}
+		
+		# Check to make sure that the sid contains only valid options.
+		# Each option will be totalled as a string of 1's where each 1
+		# represents one instance of a particular option.
+		# Regular expression contained in %VALID_AUGMENT_OPTIONS for that
+		# option will be evaluated against the quantity found.
+		while( my( $sid_option, $sid_opt_data ) = each( %{$aug_data} ) )
+		{
+			my $option_count;
+			if( defined( $VALID_AUGMENT_OPTIONS{$sid_option} ) )
+			{
+				# OK, all good
+			}
+			elsif( $sid_option eq 'delete' )
+			{
+				next;
+			}
+			else
+			{
+				if( $DEBUG > 0 )
+				{
+					warn( "Option '$sid_option' in augment config" .
+					" for SID number $sid_num is unknown." .
+					"  Option will be ignored\n" );
+				}
+				
+				delete $aug_data->{$sid_option};
+				next;
+			}
+			
+			if( ref( $sid_opt_data ) eq 'HASH' )
+			{
+				foreach( keys( %{$sid_opt_data} ) )
+				{
+					$option_count .= '1';
+				}
+			}
+			elsif( ref( $sid_opt_data ) eq 'ARRAY' )
+			{
+				foreach( @{$sid_opt_data} )
+				{
+					$option_count .= '1';
+				}
+			}
+			else
+			{
+				# Otherwise treat the sid_option as a scalar
+				$option_count = 1;
+			}
+			
+			my $fatal_exp = qr/1$VALID_AUGMENT_OPTIONS{$sid_option}->{fatal}/;
+			if( $option_count =~ m/^$fatal_exp$/ )
+			{
+				# ok
+				if( defined( $VALID_AUGMENT_OPTIONS{$sid_option}->{warn} ) )
+				{
+					my $warn_exp = qr/1$VALID_AUGMENT_OPTIONS{$sid_option}->{warn}/;
+					if( $option_count =~ m/^$warn_exp$/ )
+					{
+						#ok
+					}
+					else
+					{
+						if( $DEBUG > 0 )
+						{
+							warn( "Warning for option '$sid_option' in SID number $sid_num, " .
+							$VALID_AUGMENT_OPTIONS{$sid_option}->{msg} .
+							"\n" );
+						}
+					}
+				}
+			}
+			else
+			{
+				if( $DEBUG > 0 )
+				{
+					warn( "Invalid SID option '$sid_option' in SID number $sid_num, " .
+					$VALID_AUGMENT_OPTIONS{$sid_option}->{msg} .
+					"\n" );
+				}
+				$invalid_sid = 1;
+			}
+		}
+		
+		
+		while( my( $sid_option, $sid_opt_data ) = each( %{$del_data} ) )
+		{
+			if( defined( $VALID_AUGMENT_OPTIONS{$sid_option} ) )
+			{
+				# OK, all good
+			}
+			else
+			{
+				if( $DEBUG > 0 )
+				{
+					warn( "Option '$sid_option' in the delete section of" .
+					" augment config for SID number $sid_num is unknown." .
+					"  Option will be ignored\n" );
+				}
+				
+				delete $aug_data->{delete}->{$sid_option};
+				next;
+			}
+		}
+		
+		if( $invalid_sid )
+		{
+			return( 0 );
+		}
+		else
+		{
+			return( 1 );
+		}
+	}
+	
+	sub augmentbrosig
+	{
+		my $sub_name = 'augmentbrosig';
+		
+		my $self = shift || return( undef );
+		my $bro_sig_obj = shift || return( undef );
+		my $new_bro_sig;
+		my $err = 0;
+		my $del_data = {};
+		
+		# Go through each option in the augment data
+		while( my( $option, $opt_data ) = each( %{$self} )
+			and !( $err ) )
+		{
+			# Is this the delete section of the data
+			if( $option eq 'delete' and ref( $opt_data ) )
+			{
+				$del_data = $opt_data;
+			}
+			# check whether the option is allowed to be exported to 
+			 # a Bro sig
+			elsif( exists( $VALID_AUGMENT_OPTIONS{$option} )
+				and $VALID_AUGMENT_OPTIONS{$option}->{write_to_sig} )
+			{
+				
+				my @data_list;
+				my $remove_before_add = 0;
+				
+				# Check if $opt_data has mutlivalues
+				if( ref( $opt_data ) eq 'ARRAY' )
+				{
+					@data_list = @{$opt_data};
+				}
+				else
+				{
+					if( $VALID_AUGMENT_OPTIONS{$option}->{fatal} eq '?'
+						or $VALID_AUGMENT_OPTIONS{$option}->{fatal} eq '{1}' )
+					{
+						$remove_before_add = 1;
+					}
+					@data_list = ( $opt_data );
+				}
+				
+				foreach my $opt_value( @data_list )
+				{
+					if( $remove_before_add )
+					{
+						$bro_sig_obj->deloption( $option );
+						
+						if( $DEBUG > 2 )
+						{
+							warn( "Augment option $option for sigid " . $self->sigid()
+								. " can only have one instance in a Bro siganture.\n" );
+							warn( "Found a prexisting context for \"$option\" in the Bro signature"
+								. " which will be replaced by the augment data.\n" );
+						}
+					}
+					
+					if( $bro_sig_obj->addoption( $option, $opt_value ) )
+					{
+						# ok
+					}
+					else
+					{
+						if( $DEBUG > 0 )
+						{
+							warn( "Failed to add augment option $option to Bro" .
+								" signature object with sid of " .
+								$bro_sig_obj->sigid . "\n" );
+						}
+						$err = 1;
+						last;
+					}
+				}
+			}
+		}
+		
+		# Loop over the delete section of the data and remove matching
+		 # data from a bro signature.
+		while( my( $opt, $val ) = each( %{$del_data} ) and ! $err )
+		{
+			if( exists( $VALID_AUGMENT_OPTIONS{$opt} )
+				and $VALID_AUGMENT_OPTIONS{$opt}->{write_to_sig} )
+			{
+				my @data_list;
+				
+				# Check if $opt_data has mutlivalues
+				if( ref( $val ) eq 'ARRAY' )
+				{
+					@data_list = @{$val};
+				}
+				elsif( defined( $val ) )
+				{
+					$data_list[0] = $val;
+				}
+				else
+				{
+					next;
+				}
+				
+				foreach my $opt_value( @data_list )
+				{
+					if( $bro_sig_obj->deloption( $opt, $opt_value ) )
+					{
+						# ok
+					}
+					else
+					{
+						if( $DEBUG > 0 )
+						{
+							warn( "Failed to remove augment option '$opt', value '$opt_value'" .
+								" from Bro signature object with sid of " .
+								$bro_sig_obj->sigid() . "\n" );
+						}
+						$err = 1;
+						last;
+					}
+				}
+			}
+		}
+		
+		if( $err )
+		{
+			if( $DEBUG > 0 )
+			{
+				warn( "Unable to apply all options from augment object to the Bro signature\n" );
+			}
+			return( undef );
+		}
+		else
+		{
+			return( $bro_sig_obj );
+		}
+	}
+	
+	sub sid
+	{
+		my $sub_name = 'sid';
+		
+		my $self = shift || return( undef );
+		
+		if( my $sid = $self->{sid} )
+		{
+			return( $sid );
+		}
+		else
+		{
+			return( undef );
+		}
+	}
+	
+	sub rev
+	{
+		my $sub_name = 'rev';
+		
+		my $self = shift || return( undef );
+		
+		if( my $rev = $self->{'sid-rev'} )
+		{
+			return( $rev );
+		}
+		else
+		{
+			return( undef );
+		}
+	}
+	sub sigid
+	{
+		my $sub_name = 'sigid';
+		
+		my $self = shift || return( undef );
+		
+		if( my $rev = $self->{'sid-rev'}
+			and my $sid = $self->{sid} )
+		{
+			return( $sid . '-' . $rev );
+		}
+		else
+		{
+			return( undef );
+		}
+	}
+	
+	sub option
+	{
+		my $sub_name = 'option';
+		
+		my $self = shift || return( undef );
+		my $aug_option = shift || return( undef );
+		my $ret_data;
+		
+		if( $self->{$aug_option} )
+		{
+			if( ( $self->{$aug_option} ) eq 'ARRAY' )
+			{
+				foreach my $data( @{$self->{$aug_option}} )
+				{
+					push( @{$ret_data}, $data );
+				}
+			}
+			else
+			{
+				push( @{$ret_data}, $self->{$aug_option} );
+			}
+		}
+		else
+		{
+			return( undef );
+		}
+		
+		if( @{$ret_data} > 1 )
+		{
+			return( @{$ret_data} );
+		}
+		else
+		{
+			return( $ret_data->[0] );
+		}
+	}
+	
+	sub active
+	{
+		my $sub_name = 'active';
+		
+		my $self = shift || return( undef );
+		my $new_status = shift;
+		my $ret_status = 0;
+		
+		# NOTE, for now the active status is kept as a character value.
+		 # This just makes it easy for importing augment data into objects
+		 # This needs to be changed internally but for now the user doesn't
+		 # know the difference.
+		
+		if( defined( $new_status ) )
+		{
+			if( $new_status =~ m/^(?:t|1)/i )
+			{
+				$self->{active} = 'T';
+			}
+			else
+			{
+				$self->{active} = 'F';
+			}
+		}
+		
+		if( ! exists( $self->{active} ) )
+		{
+			$ret_status = undef;
+		}
+		elsif( $self->{active} =~ m/^t/i )
+		{
+			$ret_status = 1;
+		}
+		
+		return( $ret_status );
+	}
+	
+	sub output
+	{
+		my $sub_name = 'output';
+		
+		my $self = shift || return( undef );
+		my $ret_string = '';
+		my $sid_num;
+		my $sid_rev;
+		
+		if( $sid_num = $self->sid() and $sid_rev = $self->rev() )
+		{
+			# ok
+		}
+		else
+		{
+			return( undef );
+		}
+		
+		my $already_quoted = qr/^\".+\"$/;
+		foreach my $key( sort( keys( %{$self} ) ) )
+		{
+			my $value = $self->{$key};
+			if( $VALID_AUGMENT_OPTIONS{$key}->{write_to_cfg} )
+			{
+				# If the option data has muti values
+				if( ref( $value ) )
+				{
+					foreach my $value_inst( @{$value} )
+					{
+						if( $value_inst =~ $QUOTE_PATT
+							and $value_inst !~ $already_quoted )
+						{
+							$value_inst = '"' . $value_inst . '"';
+						}
+						$ret_string = $ret_string . '  ' . $key . ' ' . $value_inst ."\n";
+					}
+				}
+				# Otherwise the option value is reated as a scalar
+				else
+				{
+					if( $value =~ $QUOTE_PATT
+						and $value !~ $already_quoted )
+					{
+						$value = '"' . $value . '"';
+					}
+					$ret_string = $ret_string . '  ' . $key . ' ' . $value . "\n";
+				}
+			}
+		}
+		
+		if( length( $ret_string ) > 3 )
+		{
+			# prepend the beginning of the augment block
+			$ret_string = "<augment $sid_num-$sid_rev>\n" . $ret_string;
+			
+			# append the closing of the augment block
+			$ret_string = $ret_string . '</augment>';
+			
+			return( $ret_string );
+		}
+		else
+		{
+			return( undef );
+		}
+	}
+	
+	sub merge
+	{
+		my $sub_name = 'merge';
+		# will attempt to merge an augment object together with either a
+		 # valid data strcuture or another augment object.  There is 
+		 # no checking on whether the objects are similar in any way
+		 # only that the data from the source does not cause the target
+		 # to become invalid according to %VALID_AUGMENT_OPTIONS.
+		# If an attempt to add a value exceeds the allowable quantity for 
+		 # a given option then the option from the source object will replace
+		 # the target object's option.  Otherwise the option will just be added
+		 # If a delete block exists then the option that matches will be
+		 # deleted from the target.  A final check will be made after all 
+		 # data has been processed to make sure that the target still conforms 
+		 # to the requirements in %VALID_AUGMENT_OPTIONS.
+		
+		my $self = shift || return( undef );	# Merge to, target
+		my $new_data = shift || return( undef );	# Merge from, source
+		# Make a copy of the object.  The copy will be operated on and once
+		 # all tests have completed it will replace the contents of the 
+		 # original object.
+		my $wo = Bro::S2b::Augment->new( %{$self} );	# Working Object
+		my $del_opts = {};
+		my $failed = 0;
+		
+		while( my( $key, $value ) = each( %{$new_data} ) )
+		{
+			if( $key eq 'delete' )
+			{
+				$del_opts = $value;
+			}
+			else
+			{
+				if( ! $wo->add( $key, $value ) )
+				{
+					# Failed to add in the value
+					if( $DEBUG > 0 )
+					{
+						$failed = 1;
+						warn( "Failed to add option $key to augment object\n" );
+					}
+				}
+			}
+		}
+		
+		while( my( $del_opt, $del_val ) = each( %{$del_opts} ) )
+		{
+			if( ! $wo->del( $del_opt, $del_val ) )
+			{
+				if( $DEBUG > 0 )
+				{
+					$failed = 1;
+					warn( "Failed to delete option $del_opt from object\n" );
+				}
+			}
+		}
+		
+		if( ! validate( $wo ) )
+		{
+			if( $DEBUG > 0 )
+			{
+				warn( "There was an error in validating the merged augment object." .
+				"  No changes made to the original augment object.\n" );
+			}
+			return( undef );
+		}
+		
+		if( ! $failed )
+		{
+			return( $wo );
+		}
+		else
+		{
+			if( $DEBUG > 0 )
+			{
+				warn( "One or more operations failed during an augment merge." .
+				"  Original object has not been modified\n" );
+			}
+			return( undef );
+		}
+	}
+	
+	sub add
+	{
+		my $sub_name = 'add';
+		
+		my $self = shift || return( undef );
+		my $opt = shift || return( undef );
+		my $val = shift;
+		my $cur_contents;
+		my $opt_quan = '';
+		my $eval_quan = $VALID_AUGMENT_OPTIONS{$opt}->{fatal};
+		
+		if( ! $VALID_AUGMENT_OPTIONS{$opt} )
+		{
+			if( $DEBUG > 0 )
+			{
+				warn( "Attempt to merge an unknown option \"$opt\" into an augment object\n" );
+			}
+			return( undef );
+		}
+		
+		if( $VALID_AUGMENT_OPTIONS{$opt}->{no_modify} )
+		{
+			if( $DEBUG > 0 )
+			{
+				warn( "Failed to add option $opt.  Modification is forbidden by configuration\n" );
+			}
+			return( undef );
+		}
+		
+		# figure out what type of value is stored
+		if( exists( $self->{$opt} ) and ref( $self->{$opt} ) eq 'ARRAY' )
+		{
+			my @t1 = @{$self->{$opt}};
+			$cur_contents = \@t1;
+			foreach( @{$cur_contents} )
+			{
+				$opt_quan .= '1';
+			}
+		}
+		else
+		{
+			$cur_contents = $self->{$opt};
+			$opt_quan = '1';
+		}
+		
+		# figure out if we should replace or add
+		# If the allowed option count is a max of one and we have only one option
+		 # to add then this is an overwrite
+		if( $eval_quan eq'?' or $eval_quan eq '{1}' )
+		{
+			if( $opt_quan =~ m/^1|$/ )
+			{
+				$self->{$opt} = $val;
+				if( $DEBUG > 2 )
+				{
+					warn( "Added/replaced option $opt with contents $val\n" );
+				}
+			}
+			else
+			{
+				if( $DEBUG > 0 )
+				{
+					warn( "Tried to add more values to an option than the option type allows.\n" );
+				}
+				return( undef );
+			}
+		}
+		else
+		{
+			$opt_quan .= '1';
+			if( $opt_quan =~ m/^1$eval_quan$/ )
+			{
+				# Check if the data structure is an array, if not change it
+				if( ! exists( $self->{$opt} ) )
+				{
+					$self->{$opt} = [];
+				}
+				elsif( ref( $self->{$opt} ) ne 'ARRAY' )
+				{
+					my $cur_val = $self->{$opt};
+					delete( $self->{$opt} );
+					$self->{$opt}->[0] = $cur_val;
+				}
+				
+				push( @{$self->{$opt}}, $val );
+			}
+			else
+			{
+				if( $DEBUG > 0 )
+				{
+					warn( $VALID_AUGMENT_OPTIONS{$opt}->{msg} . "\n" );
+				}
+				return( undef );
+			}
+		}
+		
+		# Search the delete section of the data and remove any matching entries
+		if( ref( $self->{delete} ) )
+		{
+			# Need to complete later!
+		}
+		
+		return( $self );
+	}
+	
+	sub del
+	{
+		my $sub_name = 'del';
+		
+		my $self = shift || return( undef );
+		my $opt = shift || return( undef );
+		my $opt_val = shift || '';
+		my $opt_quan = '';
+		my $eval_quan = $VALID_AUGMENT_OPTIONS{$opt}->{fatal};
+		
+		if( ! $VALID_AUGMENT_OPTIONS{$opt} )
+		{
+			if( $DEBUG > 0 )
+			{
+				warn( "Attempt to remove an unknown option \"$opt\" from an augment object\n" );
+			}
+			return( undef );
+		}
+		
+		if( $VALID_AUGMENT_OPTIONS{$opt}->{no_modify} )
+		{
+			if( $DEBUG > 0 )
+			{
+				warn( "Failed to delete option $opt.  Modification is forbidden by configuration\n" );
+			}
+			return( undef );
+		}
+		
+		if( ! exists( $self->{$opt} ) )
+		{
+			# no option with the name in $opt exists
+			return( 0 );
+		}
+		elsif( ref( $self->{$opt} ) eq 'ARRAY' )
+		{
+			my @t1 = @{$self->{$opt}};
+			my $cur_contents = \@t1;
+			my $found = 0;
+			my @new_contents;
+			
+			foreach my $cont_inst( @{$cur_contents} )
+			{
+				if( $cont_inst eq $opt_val )
+				{
+					++$found;
+				}
+				else
+				{
+					$opt_quan .= '1';
+					push( @new_contents, $cont_inst );
+				}
+			}
+			
+			if( $found )
+			{
+				if( $opt_quan =~ /^1$eval_quan$/ )
+				{
+					delete( $self->{$opt} );
+					$self->{$opt} = \@new_contents;
+				}
+				else
+				{
+					if( $DEBUG > 0 )
+					{
+						warn( "Removal of option $opt failed." . $VALID_AUGMENT_OPTIONS{$opt}->{msg} . "\n" );
+					}
+					return( undef );
+				}
+			}
+			else
+			{
+				if( $DEBUG > 2 )
+				{
+					warn( "Could not find '$opt' with value '$opt_val' to delete.  No big deal\n" );
+				}
+			}
+		}
+		else
+		{
+			$opt_quan = '';
+			
+			if( $self->{$opt} eq $opt_val )
+			{
+				if( $opt_quan =~ /^1$eval_quan$/ )
+				{
+					delete( $self->{$opt} );
+				}
+				else
+				{
+					if( $DEBUG > 0 ) 
+					{
+						warn( "Removal of option $opt is not allowed," . $VALID_AUGMENT_OPTIONS{$opt}->{msg} . "\n" );
+					}
+					return( undef );
+				}
+			}
+			else
+			{
+				if( $DEBUG > 2 )
+				{
+					warn( "Could not find '$opt' with value '$opt_val' to delete.  No big deal\n" );
+				}
+			}
+		}
+		
+		return( $self );
+	}
+};
+
+
+#####################################################################
+##### s2b.pl	Snort to Bro rule conversion script
+##### Roger Winslow
+#####
+#####################################################################
+
+
+use strict;
+require 5.006_001;	# 5.6.1 minimum is required.
+use Config::General;
+use Getopt::Long;
+Getopt::Long::Configure qw( no_ignore_case no_getopt_compat );
+
+# clear these shell environment variables so Taint mode doesn't complain
+$ENV{PATH} = '';
+$ENV{BASH_ENV} = '';
+$ENV{ENV} = '';
+
+use vars qw( $VERSION
+			%DEFAULT_CONFIG
+			$SNORT_TO_BRO_PROG
+			$DEBUG );
+
+$VERSION = '1.10';
+$DEBUG = 1;
+%DEFAULT_CONFIG = ( configdir => '/usr/local/etc/bro/s2b',
+				mainconfig => 's2b.cfg',
+				augmentconfig => 's2b-augment.cfg',
+				useraugmentconfig => 's2b-user-augment.cfg',
+				sigactiondest => 's2b-sigaction.bro',
+				brosignaturedest => 's2b.sig',
+				sigmapconfig => 's2b-sigmap.cfg',
+				defaultsigaction => 'SIG_LOG',
+				rulesetaugmentconfig => 's2b-ruleset-augment.cfg',
+				sigprefix => 's2b-',
+				snortrulesetdir => './',
+				ignorehostdirection => 1,
+				);
+
+# This is hardcoded until I get to intergrating the Snort conversion into 
+ # a PERL program.
+$SNORT_TO_BRO_PROG = './snort2bro';
+
+# Until I can rewrite the python conversion script it will be used for initial conversion
+ # make sure it runs before continuing on.
+if( my $result = `$SNORT_TO_BRO_PROG --help 2>&1` )
+{
+	# ok.
+}
+else
+{
+	warn( "Unable to run $SNORT_TO_BRO_PROG.  Check to make sure that the python run" .
+	" path is set correctly in the program.\n" );
+	exit( 1 );
+}
+
+# ref to hash containing all config data
+my $config = {};
+$config = getconfig( \%DEFAULT_CONFIG );
+
+# Build the ruleset exclusion list
+my $ignorerules = {};
+$ignorerules = getignorerules( $config );
+
+# Parse and store the system level augment file
+# An array ref containing Bro::S2b::Augment objects will be returned in 
+ # $augment_objects
+my $augment_objects = [];
+if( $augment_objects = Bro::S2b::Augment->new( filename => $config->{augmentconfig} ) )
+{
+	# ok
+}
+else
+{
+	if( $DEBUG > 0 )
+	{
+		warn( "Unable to retrieve any augment data." . 
+			"  This can be expected if the file has not been created yet.\n" );
+		if( ! $config->{updateaugment} )
+		{
+			warn( "Perhaps you have forgotten to run --updateaugment first?\n" );
+		}
+	}
+}
+
+my $snort_rule_files = [];
+$snort_rule_files = getsnortrulefiles( $config->{snortrulesetdir}, $ignorerules );
+
+# Is this a request to update the s2b-augment.cfg file?
+if( $config->{updateaugment} )
+{
+	my $ruleset_based_augment;
+	my $new_augment_data;
+	my $sigmap = {};
+	my %existing_sidrev;
+	
+	# Read and parse the Snort alert classtype to Bro SigAction mappings
+	$sigmap = getsigmap( $config->{sigmapconfig} );
+	
+	# Build a hash of "sid-rev" strings from the existing augment objects
+	 # (if any)
+	foreach my $aug_obj( @{$augment_objects} )
+	{
+		my $key = $aug_obj->sigid();
+		$existing_sidrev{$key} = 1;
+	}
+	
+	# Read and parse the ruleset augment data which is to be included into 
+	 # the augment config based on the Snort ruleset from which they come.
+	if( $config->{rulesetaugmentconfig} )
+	{
+		$ruleset_based_augment = getrulesetaugment( $config->{rulesetaugmentconfig} );
+	}
+	
+	# Build the augment file
+	$new_augment_data = buildaugment( $snort_rule_files, $sigmap ) || [];
+	
+	my @append_aug_list;
+	# Check for new augment objects
+	foreach my $new_aug( @{$new_augment_data} )
+	{
+		if( ! $existing_sidrev{$new_aug->sigid()} )
+		{
+			$new_aug->option( 'snort-rule-file' ) =~ m/([^\/]+)$/;
+			my $aug_snort_rulename = $1;
+			if( exists( $ruleset_based_augment->{$aug_snort_rulename} )  )
+			{
+				if( !(  $new_aug = $new_aug->merge( $ruleset_based_augment->{$aug_snort_rulename} ) ) )
+				{
+					next;
+				}
+			}
+			
+			push( @append_aug_list, $new_aug );
+		}
+	}
+	
+	if( @append_aug_list > 0 )
+	{
+		appendaugment( \@append_aug_list, $config->{augmentconfig} );
+	}
+	
+	if( $DEBUG > 0 )
+	{
+		my $num_aug_blocks = scalar( @append_aug_list );
+		if( $num_aug_blocks > 0 )
+		{
+			warn( "Added a total of $num_aug_blocks new augment data blocks to augment file " . $config->{augmentconfig} . "\n" );
+		}
+		else
+		{
+			warn( "No new augment data found.  Nothing added to augment file " . $config->{augmentconfig} . "\n" );
+		}
+	}
+}
+# Else assume this is a request to build Bro signatures
+else
+{
+	my %sigaction_list;
+	my @active_sigs;
+	
+	# Parse and store the user level augment file
+	# An array ref containing Bro::S2b::Augment objects will be returned in 
+	 # $user_augment_objects
+	my $user_augment_objects = [];
+	if( -r $config->{useraugmentconfig} and
+		$user_augment_objects = Bro::S2b::Augment->new( filename => $config->{useraugmentconfig} ) )
+	{
+		# ok
+	}
+	else
+	{
+		if( $DEBUG > 1 )
+		{
+			warn( "Unable to retrieve any user level augment data." . 
+				"  This is non-fatal and can be expected if the file has not been created yet.\n" );
+		}
+	}
+	
+	# Loop over each user augment object and build an index of sigids
+	my %user_aug_obj_idx;
+	for( my $i=0; $i < scalar( @{$user_augment_objects} ); ++$i )
+	{
+		$user_aug_obj_idx{$user_augment_objects->[$i]->sigid()} = $i;
+	}
+	
+	my $ignore_snort_sids = {};
+	$ignore_snort_sids = getignoresids( $augment_objects );
+
+	# An array ref containing Bro::Signature objects will be returned in
+	 # $converted_snort_rules
+	my $converted_snort_rules = {};
+	$converted_snort_rules = convertfromsnort( $snort_rule_files,
+						$ignore_snort_sids );
+	
+	# Loop over the list of Bro::Signature objects and process each
+	foreach my $sig_obj( @{$converted_snort_rules} )
+	{
+		my $sig_is_active = 0;
+		my $user_aug_obj;
+		my $sig_obj_id = $sig_obj->sigid();
+		my $augment_obj;
+		# Find the corresponding Bro::S2b::Augment object.  The match is found
+		 # by comparing each object's sigid (minus the prefix if any).
+		# I realize at this point that this is a bit of a waste.  I'll work on a
+		 # better indexed version later.
+		foreach my $augment_obj( @{$augment_objects} )
+		{
+			# Compare the sigids and see if they match
+			if( $augment_obj->sigid() eq $sig_obj_id )
+			{
+				# Look for a matching user augment option and put it in
+				 # $user_aug_obj if found.
+				if( exists( $user_aug_obj_idx{$sig_obj_id} ) )
+				{
+					$user_aug_obj = $user_augment_objects->[$user_aug_obj_idx{$sig_obj_id}];
+				}
+				
+				# Determine if the rule is active
+				if( $augment_obj->active() )
+				{
+					$sig_is_active = 1;
+				}
+				if( $user_aug_obj and defined( $user_aug_obj->active() ) )
+				{
+					$sig_is_active = $user_aug_obj->active();
+				}
+				
+				# Skip this instance if the sig is not set to active
+				if( ! $sig_is_active )
+				{
+					# must be inactive. No need to continue processing this 
+					 # signature
+					last;
+				}
+				
+				# Check whether the connection direction information should be 
+				 # ignored.  If so then remove it from the Bro::Signature object.
+				if( $config->{ignorehostdirection} )
+				{
+					if( my $dst_ip = $sig_obj->option( 'dst-ip' ) )
+					{
+						if( $dst_ip =~ m/[[:alpha:]]+/ )
+						{
+							$sig_obj->deloption( 'dst-ip' );
+						}
+					}
+					
+					if( my $src_ip = $sig_obj->option( 'src-ip' ) )
+					{
+						if( $src_ip =~ m/[[:alpha:]]+/ )
+						{
+							$sig_obj->deloption( 'src-ip' );
+						}
+					}
+				}
+
+				# Modify the Bro::Signature object and include the augment data.
+				if( $augment_obj->augmentbrosig( $sig_obj ) )
+				{
+					# If user augment data exists then apply it now
+					if( $user_aug_obj )
+					{
+						$user_aug_obj->augmentbrosig( $sig_obj );
+					}
+					
+					# Determine which sigaction to use, system or user
+					my $cur_sigaction;
+					if( $user_aug_obj and $user_aug_obj->option( 'sigaction' ) )
+					{
+						$cur_sigaction = $user_aug_obj->option( 'sigaction' );
+					}
+					else
+					{
+						$cur_sigaction = $augment_obj->option( 'sigaction' );
+					}
+					
+					# Check if the sigaction is anything other than the default
+					# If so then add it to the hash.
+					if( $cur_sigaction ne $config->{defaultsigaction} )
+					{
+						$sigaction_list{$sig_obj_id} = $cur_sigaction;
+					}
+					
+					# Put the bro signature object into the active list of
+					 # signatures
+					push( @active_sigs, $sig_obj );
+				}
+				else
+				{
+					if( $DEBUG > 0 )
+					{
+						warn( "Failed to augment Bro signature $sig_obj_id\n" );
+					}
+				}
+
+				last;
+			}
+		}
+	}
+		
+	# Write the sigactions to a file or if the file in $config is an empty string 
+	 # then send it to STDOUT
+	if( $config->{sigactiondest} )
+	{
+		if( open( OUTFILE, '>', $config->{sigactiondest} ) )
+		{
+			outputsigactions( \%sigaction_list, \*OUTFILE );
+		}
+		else
+		{
+			warn( "Failed to open file " . $config->{sigactiondest} . " for writing, unable to continue\n" );
+			exit( 1 );
+		}
+		
+		close( OUTFILE );
+	}
+	else
+	{
+		outputsigactions( \%sigaction_list );
+	}
+	
+	
+	# Output the final signatures or if the file in $config is an empty string 
+	 # then send it to STDOUT
+	if( $config->{brosignaturedest} )
+	{
+		if( open( OUTFILE, '>', $config->{brosignaturedest} ) )
+		{
+			outputsigs( \@active_sigs, \*OUTFILE );
+		}
+		else
+		{
+			warn( "Failed to open file " . $config->{brosignaturedest} . " for writing, unable to continue\n" );
+			exit( 1 );
+		}
+		
+		close( OUTFILE );
+	}
+	else
+	{
+		outputsigs( $converted_snort_rules );
+	}
+	
+}
+
+
+exit( 0 );
+
+
+
+#################################################
+#####
+#####  Begin subroutines
+#####
+#################################################
+
+sub getconfig
+{
+	my $sub_name = 'getconfig';
+	
+	my $arg1 = shift || \%DEFAULT_CONFIG;
+	my %default_config;
+	my %cmd_line_cfg;
+	my $main_config_file;
+	my %config;
+	
+	if( ref( $arg1 ) eq 'HASH' )
+	{
+		%default_config = %{$arg1};
+	}
+	else
+	{
+		return( undef );
+	}
+	
+	GetOptions( \%cmd_line_cfg,
+			'configdir=s',
+			'mainconfig=s',
+			'augmentconfig=s',
+			'useraugmentconfig=s',
+			'sigactiondest=s',
+			'brosignaturedest=s',
+			'sigmapconfig=s',
+			'snortrulesetdir=s',
+			'defaultsigaction=s',
+			'ignorehostdirection:s',
+			'rulesetaugmentconfig',
+			'updateaugment',
+			'usage|help|h',
+			'debug|verbose|d|v:i',
+			'version|V',
+			'copyright', );
+	
+	# Check for options which will prevent the program from running
+	# any further
+	if( $cmd_line_cfg{usage} )
+	{
+		print usage();
+		exit( 0 );
+	}
+	elsif( $cmd_line_cfg{version} )
+	{
+		print version();
+		exit( 0 );
+	}
+	elsif( $cmd_line_cfg{copyright} )
+	{
+		print copyright();
+		exit( 0 );
+	}
+	else
+	{
+		# just continue on
+	}
+	
+	if( ! $cmd_line_cfg{mainconfig} )
+	{
+		if( defined( $ARGV[0] ) )
+		{
+			$cmd_line_cfg{mainconfig} = $ARGV[0];
+		}
+		else
+		{
+			$cmd_line_cfg{mainconfig} = $default_config{mainconfig};
+		}
+	}
+	
+	$main_config_file = $cmd_line_cfg{mainconfig};
+
+	my $conf = Config::General->new( -ConfigFile => $main_config_file,
+						-LowerCaseNames => 1,
+						);
+	
+	%config = $conf->getall;
+	$config{'mainconfig'} = $main_config_file;
+	
+	# Any args passed through the command line will override file options
+	while( my( $key, $value ) = each( %cmd_line_cfg ) )
+	{
+		$config{$key} = $value;
+	}
+	
+	# Set default values for options that have not already been configured
+	while( my( $key, $value ) = each( %{$arg1} ) )
+	{
+		if( ! exists( $config{$key} ) )
+		{
+			$config{$key} = $value;
+		}
+	}
+	
+	# Set Debug level
+	$DEBUG = $config{debug} if exists( $config{debug} );
+		
+	if( checkconfig( \%config ) )
+	{
+		if( $DEBUG > 4 )
+		{
+			warn( "Configuration memory dump:\n" );
+			warn( $conf->save_string( \%config ) );
+			warn( "\n" );
+		}
+			return( \%config );
+	}
+	else
+	{
+		warn( "exiting program" );
+		exit( 1 );
+	}
+}
+
+sub checkconfig
+{
+	my $sub_name = 'checkconfig';
+	
+	my $cfg_hash = shift || return undef;
+	
+	# Check to make sure that the config directory is defined.
+	if( defined( $cfg_hash->{'configdir'} ) )
+	{
+		# Check to make sure that the config directory has a sane value.
+		if( $cfg_hash->{configdir} !~ m/[*;`{}%]+/ and
+				$cfg_hash->{configdir} =~ m~^([[:print:]]{1,1024}?)/*$~ )
+		{
+			$cfg_hash->{configdir} = $1;
+			if( !( -d $cfg_hash->{configdir} ) )
+			{
+				warn( "configdir '" .$cfg_hash->{configdir} . "' is not a directory\n" );
+				return( 0 );
+			}
+		}
+		else
+		{
+			warn( "Config directory contains invalid characters or is longer than 1024 bytes\n" );
+			return( 0 );
+		}
+	}
+	else
+	{
+		warn( "No config directory specified\n" );
+		return( 0 );
+	}
+	
+	# Check to make sure that the Snort rule directory is
+	# specified and readable
+	if( defined( $cfg_hash->{snortrulesetdir} ) )
+	{
+		if( -d $cfg_hash->{snortrulesetdir} )
+		{
+			if( ! -r $cfg_hash->{snortrulesetdir} )
+			{
+				warn( "Unable to read directory " . $cfg_hash->{snortrulesetdir} ."\n" );
+				return( 0 );
+			}
+			else
+			{
+				# Strip of any trailing slash on the end
+				$cfg_hash->{snortrulesetdir} =~ m~^([[:print:]]+?)/*$~;
+				$cfg_hash->{snortrulesetdir} = $1;
+			}
+		}
+		else
+		{
+			warn( $cfg_hash->{snortrulesetdir} . " is not a valid directory\n" );
+			return( 0 );
+		}
+	}
+	else
+	{
+		warn( "No snortruleset directory has been specified\n" );
+		return( 0 );
+	}
+	
+	# Check to make sure the sidprefix only conatins alphanumeric and dash characters
+	if( defined( $cfg_hash->{sidprefix} ) )
+	{
+		if( $cfg_hash->{sidprefix} =~ m/^([[:alnum:]-]*)$/ )
+		{
+			$cfg_hash->{sidprefix} = $1;
+		}
+		else
+		{
+			warn( "Invalid charcters in the sidprefix.  May only contain alphanumeric and dash characters\n" );
+			return( 0 );
+		}
+	}
+	else
+	{
+		# else set it to a blank string
+		$cfg_hash->{sidprefix} = '';
+	}
+	
+	# Check to make sure default-sigaction is valid and set otherwise use 
+	 # the default. Need to tie into the Bro config later to thoroughly check this.
+	if( defined( $cfg_hash->{defaultsigaction} ) )
+	{
+		if( $cfg_hash->{defaultsigaction} =~ m/^[[:alnum:]_]+$/ )
+		{
+			# ok
+		}
+		else
+		{
+			warn( "Default Bro SigAction --default-sigaction has invalid characters\n" );
+		}
+	}
+	else
+	{
+		warn( "No default Bro SigAction --default-sigaction has been set\n" );
+		return( undef );
+	}
+	
+	# Check the ignorehostdirection option for values other than true or false
+	if( defined( $cfg_hash->{ignorehostdirection} ) )
+	{
+		if( $cfg_hash->{ignorehostdirection} =~ m/^(?:f|0)/i )
+		{
+			$cfg_hash->{ignorehostdirection} = 0;
+		}
+		elsif( $cfg_hash->{ignorehostdirection} )
+		{
+			$cfg_hash->{ignorehostdirection} = 1;
+		}
+		else
+		{
+			if( $DEBUG > 0 )
+			{
+				warn( "Unknown value of " . $cfg_hash->{ignorehostdirection} .
+				" assigned to option ignorehostdirection, defaulting to true.\n" );
+			}
+			
+			$cfg_hash->{ignorehostdirection} = 1;
+		}
+	}
+	
+	# Check to make sure the sigmap file exists, is readable and > 0 bytes.
+	if( defined( $cfg_hash->{sigmapconfig} ) )
+	{
+		my $fn = $cfg_hash->{configdir} . '/' . $cfg_hash->{sigmapconfig};
+		if( -r $fn and -s $fn )
+		{
+			$fn =~ m/^([[:print:]]+)$/;
+			$cfg_hash->{sigmapconfig} = $1;
+		}
+		else
+		{
+			warn( "sigmapconfig file at '$fn' is not readable or zero length\n" );
+			return( 0 );
+		}
+	}
+	else
+	{
+		if( $cfg_hash->{updateaugment} )
+		{
+			warn( "No sigmapconfig file specified\n" );
+			return( 0 );
+		}
+	}
+	
+	# Check if the augmentconfig option exists and validate it if it does.
+	if( defined( $cfg_hash->{augmentconfig} ) )
+	{
+		my $fn = $cfg_hash->{configdir} . '/' . $cfg_hash->{augmentconfig};
+		$fn =~ m/^([[:print:]]+)$/;
+		$cfg_hash->{augmentconfig} = $1;
+	}
+	
+	# Check if the rulesetaugmentconfig file exists and validate it if it does.
+	if( defined( $cfg_hash->{rulesetaugmentconfig} ) )
+	{
+		my $fn = $cfg_hash->{configdir} . '/' . $cfg_hash->{rulesetaugmentconfig};
+		if( -r $fn and -s $fn )
+		{
+			$fn =~ m/^([[:print:]]+)$/;
+			$cfg_hash->{rulesetaugmentconfig} = $1;
+		}
+		else
+		{
+			warn( "rulesetaugmentconfig file at '$fn' is not readable\n" );
+			return( 0 );
+		}
+	}
+	
+	# Check to make sure that sigactiondest is defined and contains valid characters
+	if( ! $cfg_hash->{updateaugment} )
+	{
+		# {brosignaturedest}
+		if( defined( $cfg_hash->{sigactiondest} ) )
+		{
+			if( $cfg_hash eq '' )
+			{
+				# ok, send to stdout
+				$cfg_hash->{sigactiondest} = '';
+			}
+			elsif( my $fn = canwritefile( $cfg_hash->{sigactiondest} ) )
+			{
+				$cfg_hash->{sigactiondest} = $fn;
+			}
+			else
+			{
+				warn( "No valid --sigactiondest, unable to continue.\n" );
+				return( undef );
+			}
+		}
+		else
+		{
+			warn( "No filename specified for --sigactiondest\n" );
+			return( undef );
+		}
+	}
+	
+	# Check to make sure that brosignaturedest is defined and contains valid characters
+	if( ! $cfg_hash->{updateaugment} )
+	{
+		if( defined( $cfg_hash->{brosignaturedest} ) )
+		{
+			if( $cfg_hash eq '' )
+			{
+				# ok, send to stdout
+				$cfg_hash->{brosignaturedest} = '';
+			}
+			elsif( my $fn = canwritefile( $cfg_hash->{brosignaturedest} ) )
+			{
+				$cfg_hash->{brosignaturedest} = $fn;
+			}
+			else
+			{
+				warn( "No valid --brosignaturedest, unable to continue.\n" );
+				return( undef );
+			}
+		}
+		else
+		{
+			warn( "No filename specified for --brosignaturedest\n" );
+			return( undef );
+		}
+	}
+	
+	return( 1 );
+}
+
+sub getignorerules
+{
+	my $sub_name = 'getignorerules';
+	
+	my $cfg_hash = shift || return( undef );
+	my $ret_hash_ref = {};
+	
+	if( ref( $cfg_hash->{ignoresnortrulesets} ) eq 'HASH' )
+	{
+		foreach my $rule_name( keys( %{$cfg_hash->{ignoresnortrulesets}} ) )
+		{
+			$ret_hash_ref->{$rule_name} = 1;
+		}
+	}
+	elsif( ref( $cfg_hash->{ignoresnortruleset} ) eq 'ARRAY' )
+	{
+		foreach my $rule_name( @{$cfg_hash->{ignoresnortruleset}} )
+		{
+			$ret_hash_ref->{$rule_name} = 1;
+		}
+		
+	}
+	
+	return( $ret_hash_ref );
+}
+
+sub getignoresids
+{
+	my $sub_name = 'getignoresids';
+	
+	# Argument will be a ref to an array of augment objects
+	my $augment_list = shift || return( undef );
+	my $ret_hash_ref = {};
+	
+	if( ref( $augment_list ) eq 'ARRAY' )
+	{
+		foreach my $aug_obj( @{$augment_list} )
+		{
+			if( $aug_obj->active() )
+			{
+				# rule is active
+			}
+			else
+			{
+				# rule is marked as not active
+				my $ignore_sid = $aug_obj->sid();
+				$ret_hash_ref->{$ignore_sid} = 1;
+			}
+		}
+	}
+	else
+	{
+		return( undef );
+	}
+	
+	return( $ret_hash_ref );
+}
+
+sub getsnortrulefiles
+{
+	my $sub_name = 'getsnortrulefiles';
+	
+	my $rules_dir = shift || undef;
+	my $exclusion_hash = shift || {};
+	my @ret_file_list;
+		
+	if( opendir( DIR, $rules_dir ) )
+	{
+		while( my $fn = readdir( DIR ) )
+		{
+			# Make sure that the filename has only sane characters,
+			 # ends with '.rules' , and does not begin with a '.'
+			if( $fn =~ m/^([^.]+[[:print:]]+\.rules)$/ )
+			{
+				# Untaint
+				$fn = $1;
+				
+				# Make sure the file isn't set as ignored in the config
+				if( ! $exclusion_hash->{$fn} )
+				{
+					# expand the filename to it's full path
+					my $full_fn = "$rules_dir/$fn";
+					if( -f $full_fn and -r $full_fn )
+					{
+						push( @ret_file_list, $full_fn );
+						if( $DEBUG > 4 )
+						{
+							warn( "Adding Snort rule file $full_fn to list of rules to convert\n" );
+						}
+					}
+					else
+					{
+						if( $DEBUG > 0 )
+						{
+							warn( "Unable to read Snort rule file $full_fn\n" );
+						}
+						next;
+					}
+				}
+				else
+				{
+					if( $DEBUG > 1 )
+					{
+						warn( "Snort ruleset \'$fn\' is being ignored as specified in the config file\n" );
+					}
+					next;
+				}
+			}
+			else
+			{
+				next;
+			}
+		}
+	}
+	else
+	{
+		warn( "Unable to open Snort ruleset directory for reading at $rules_dir\n" );
+	}
+	
+	return( \@ret_file_list );
+}
+
+sub getsigmap
+{
+	my $sub_name = 'getsigmap';
+	
+	my $sigmapfile = shift || return( undef );
+	my %config;
+	my $conf;
+	
+	if( $conf = Config::General->new( -ConfigFile => $sigmapfile,
+						-LowerCaseNames => 1,
+						-AutoLaunder => 1,
+						-AllowMultiOptions => 'no' ) )
+	{
+		%config = $conf->getall;
+	}
+	else
+	{
+		warn( "Unable to read the sigmapconfig file\n" );
+		return( 0 );
+	}
+	
+	if( $DEBUG > 4 )
+	{
+		warn( "List of default Snort alert classtype to Bro SigAction maps:\n" );
+		while( my( $key, $value ) = each( %config ) )
+		{
+			warn( "'$key' maps to '$value'\n" );
+		}
+	}
+	
+	return( \%config );
+}
+
+sub convertfromsnort
+{
+	my $sub_name = 'convertfromsnort';
+	
+	my $rule_files = shift || return( undef );
+	my $ignore_sids = shift || return( undef );
+	
+	my @converted_rules;
+	
+	foreach my $rule_file( @{$rule_files} )
+	{
+		my $convert = `$SNORT_TO_BRO_PROG 2>/dev/null $rule_file`;
+		if( $DEBUG > 4 )
+		{
+			warn( "SIGNATURES BEGIN for file $rule_file => \n" );
+			warn( $convert || '' . "\n" );
+			warn( "----SIGNATURES END----\n" );
+		}
+		
+		foreach my $sig_block( Bro::Signature::findkeyblocks( $convert ) )
+		{
+			if( ! $sig_block )
+			{
+				next;
+			}
+			
+			if( my $bro_sig_obj = Bro::Signature->new( string => $sig_block ) )
+			{
+				push( @converted_rules, $bro_sig_obj );
+			}
+			else
+			{
+				if( $DEBUG > 0 )
+				{
+					warn( "Failed to create a Bro::Signature for a rule in file $rule_file\n" );
+				}
+			}
+		}
+	}
+		
+	# If successful this returns an array ref of Bro::Signature objects
+	return( \@converted_rules );
+}
+
+sub outputsigactions
+{
+	my $sub_name = 'outputsigactions';
+	
+	my $_sigactions = shift;
+	my $_output_dest = shift || \*STDOUT;
+	
+	# Heading of SigAction table
+	my $tm = scalar( localtime() );
+	print $_output_dest "\# This file was created by s2b.pl on $tm.\n";
+	print $_output_dest "\# This file is dynamically generated each time s2b.pl is" .
+	" run and therefore any \n\# changes done manually will be overwritten.\n\n";
+	print $_output_dest 'redef signature_actions += {' . "\n";
+	
+	while( my( $sigid, $sigaction ) = each( %{$_sigactions} ) )
+	{
+		print $_output_dest '  ["' . 
+			$config->{sigprefix} . 
+			$sigid . 
+			'"] = ' . 
+			$sigaction . 
+			",\n";
+	}
+	
+	# ending of SigAction table
+	print $_output_dest '}; ' . "\n";
+}
+
+sub outputsigs
+{
+	my $sub_name = '';
+	
+	my $_sig_objs = shift;
+	my $_output_dest = shift || \*STDOUT;
+	
+	my $tm = scalar( localtime() );
+	print $_output_dest "\# This file was created by s2b.pl on $tm.\n";
+	print $_output_dest "\# This file is dynamically generated each time s2b.pl is" .
+	" run and therefore any \n\# changes done manually will be overwritten.\n\n";
+	
+	foreach my $sig( @{$_sig_objs} )
+	{
+		print $_output_dest $sig->output( sigprefix => $config->{sigprefix} ), "\n\n";
+	}
+}
+
+sub getrulesetaugment
+{
+	my $sub_name = 'getrulesetaugment';
+	
+	my $raf = shift || return( undef );	# ruleset augment file
+	my $ret_hash;
+	
+	if( $DEBUG > 2 )
+	{
+		warn( "Attempting to parse the ruleset augment file at \'$raf\'\n" );
+	}
+	
+	my $conf = Config::General->new( -ConfigFile => $raf,
+						-LowerCaseNames => 1,
+						);
+	
+	my %config = $conf->getall;
+	
+	while( my( $key, $value ) = each( %config ) )
+	{
+		if( $DEBUG > 2 )
+		{
+			warn( "Looking for augment data for ruleset $key\n" );
+		}
+		
+		if( keys( %{$value} ) > 0 )
+		{
+			while( my( $opt, $opt_val ) = each( %{$value} ) )
+			{
+				$ret_hash->{$key}->{$opt} = $opt_val;
+				if( $DEBUG > 2 )
+				{
+					warn( "  Found option $opt\n" );
+				}
+			}
+		}
+		else
+		{
+			if( $DEBUG > 2 )
+			{
+				warn( "No augment data found\n" );
+			}
+		}
+	}
+	
+	return( $ret_hash );
+}
+
+sub buildaugment
+{
+	my $sub_name = 'buildaugment';
+	
+	my $rulesets = shift || return( undef );
+	my $sigmap = shift || return( undef );
+	my $default_sigaction = shift || $DEFAULT_CONFIG{defaultsigaction};
+	my $ret_aug_objs = {};
+	
+	foreach my $rule_file( @{$rulesets} )
+	{
+		if( open( IN_FILE, $rule_file ) )
+		{
+			my $full_line = '';
+			my $line_num = 0;
+			while( defined( my $line = <IN_FILE> ) )
+			{
+				++$line_num;
+				my $end_of_rule = 0;
+				if( $line =~ m/^[[:space:]]\#/
+					or $line =~ m/^[[:space:]]*$/ )
+				{
+					# ignore this line, it's all comments or whitespace
+					next;
+				}
+				else
+				{
+					if( $line =~ m/^(alert.+)/ )
+					{
+						$line = $1;
+						if( $line =~ m/^(.+?)[[:space:]]*\\[[:space:]]*$/ )
+						{
+							$full_line = join( ' ', $full_line, $1 );
+						}
+						elsif( $full_line )
+						{
+							$full_line = join( ' ', $full_line, $line );
+							$end_of_rule = 1;
+						}
+						else
+						{
+							$full_line = $line;
+							$end_of_rule = 1;
+						}
+					}
+					else
+					{
+						# Snort action is not supported for conversion
+						next;
+					}
+				}
+				
+				if( $end_of_rule )
+				{
+					# Extract the directives section
+					if( $full_line =~ m/\((.+)\)/ )
+					{
+						my $sigaction;
+						my %directive_args;
+						my @new_aug_objs;
+						my $directive_section = $1;
+						my @directives = split( /[[:space:]]*\;[[:space:]]*/, $directive_section );
+						foreach( @directives )
+						{
+							# split the directive name from it's value
+							my( $directive_name, $directive_value ) = split( /:[[:space:]]*/, $_, 2 );
+							if( defined( $directive_name ) and defined( $directive_value ) )
+							{
+								$directive_args{$directive_name} = $directive_value;
+								#print "DIRECTIVE => ", $directive_name;
+								#print ", VALUE => ", $directive_value, "\n";
+							}
+						}
+						
+						# translate the snort event classtype to a Bro SigAction
+						if( $sigmap->{$directive_args{classtype}} )
+						{
+							# ok, found one
+							$sigaction = $sigmap->{$directive_args{classtype}};
+						}
+						else
+						{
+							# Didn't find a mapping, using the default
+							$sigaction = $default_sigaction;
+							
+							if( $DEBUG > 0 )
+							{
+								warn( "No Snort classtype to Bro SigAction mapping found",
+								 " for classtype " . $directive_args{classtype} . " using default",
+								 " of $default_sigaction\n" );
+							}
+						}
+						
+						# create a new augment object with the directive parts
+						 # we are interested in.
+						my $new_aug_obj = Bro::S2b::Augment->new( 
+							'sid' => $directive_args{sid},
+							'snort-rule-file' => $rule_file,
+							'sid-rev' => $directive_args{rev},
+							'comment' => $directive_args{msg},
+							'active' => 'T',
+							'sigaction' => $sigaction,
+							);
+						
+						#print $new_aug_obj->output(), "\n\n";
+						my $new_aug_sigid = $new_aug_obj->sigid();
+						my $new_aug_sid = $new_aug_obj->sid();
+						my $new_aug_rev = $new_aug_obj->rev();
+						if( exists( $ret_aug_objs->{$new_aug_sigid} ) )
+						{
+							if( $DEBUG > 0 )
+							{
+								warn( "Duplicate augment block found for SID number",
+									" $new_aug_sid, rev $new_aug_rev\n" );
+							}
+						}
+						else
+						{
+							$ret_aug_objs->{$new_aug_sigid} = $new_aug_obj;
+						}
+					}
+					else
+					{
+						warn( "Could not find a diretives section for Snort rule in",
+						 " file $rule_file at line $line_num\n" );
+					}
+					
+					$full_line = '';
+					$end_of_rule = 0;
+				}
+			}
+			
+			close( IN_FILE );
+		}
+		else
+		{
+			warn( "Failed to open file $rule_file for reading while trying to",
+				" update the augment file\n" );
+		}
+	}
+	
+	my @ret_vals = values( %{$ret_aug_objs} );
+	
+	return( \@ret_vals );
+}
+
+sub appendaugment
+{
+	my $sub_name = 'appendaugment';
+	
+	my $aug_obj = shift || return( undef );
+	my $filename = shift || return( undef );
+	my @proc_objs;
+	
+	if( ref( $aug_obj ) eq 'ARRAY' )
+	{
+		@proc_objs = @{$aug_obj};
+	}
+	else
+	{
+		$proc_objs[0] = $aug_obj;
+	}
+	
+	if( open( OUTFILE, '>>', $filename ) )
+	{
+		my $tm = scalar( localtime() );
+		print OUTFILE '##########  Start of new augment data created on ' . "$tm\n";
+		foreach my $aug_inst( @proc_objs )
+		{
+			print OUTFILE $aug_inst->output(), "\n\n";
+		}
+		print OUTFILE '##########  End of new augment data created on ' . "$tm\n\n";
+	}
+	else
+	{
+		if( $DEBUG > 0 )
+		{
+			warn( "Unable to open file $filename for writing.\n" );
+		}
+		return( undef );
+	}
+	
+	close( OUTFILE );
+	
+	return( 1 );
+}
+
+
+sub sigidnum
+{
+	# The sidnum is assumed to be the first part before the last '-' 
+	 # and up to but not including '-'
+	 # s2b-123-1   prefix-sidnum-sidrev
+	my $sub_name = 'sigidnum';
+
+	my $sigid = shift || return( undef );
+	my $ret_sid;
+
+	if( $sigid =~ m/([[:digit:]]+)-[[:digit:]]+$/ )
+	{
+		$ret_sid = $1;
+	}
+
+	return( $ret_sid );
+}
+
+sub sigidrev
+{
+	# The sidrev is assumed to be the last part of the sigid after a '-'
+	 # s2b-123-1   prefix-sidnum-sidrev
+	my $sub_name = 'sigidrev';
+
+	my $sigid = shift || return( undef );
+	my $ret_rev;
+
+	if( $sigid =~ m/[[:digit:]]+-([[:digit:]]+)$/ )
+	{
+		$ret_rev = $1;
+	}
+
+	return( $ret_rev );
+}
+
+sub canwritefile
+{
+	my $sub_name = 'canwritefile';
+	
+	my $filename = shift;
+	my $ret_fn;
+	
+	if( $filename =~ m/^([[:print:]]+)$/ )
+	{
+		my $fn = $1;
+		my $dir = $fn;
+		$dir =~ s/[^\/]+$//;
+		if( length( $dir ) < 1 )
+		{
+			$dir = './';
+		}
+
+		# Check to make sure that the file can be created/written to.
+		# Does the file already exist and can be written to
+		if( -w $fn )
+		{
+			# ok.
+			$ret_fn = $fn;
+		}
+		# Is the directory writtable
+		elsif( -d $dir and -w $dir )
+		{
+			# ok.
+			$ret_fn = $fn;
+		}
+		# Blow chunks
+		else
+		{
+			warn( "Unable to create or modify file '$fn'\n" );
+		}
+	}
+	else
+	{
+		warn( "Filename contains non-printable characters and is invalid.\n" );
+	}
+	
+	return( $ret_fn );
+
+}
+
+sub usage
+{
+	my $sub_name = 'usage';
+	
+	my $usage_text = copyright();
+	$usage_text = qq~$usage_text
+
+Options passed to the program on the command line 
+Command line reference
+  --configdir         Directory containing the various configuration files
+  --mainconfig        Main configuration file
+  --augmentconfig     Filename of System Augment Config file
+  --useraugmentconfig Filename of the User Augment Config file
+  --rulesetaugmentconfig
+                      Filename of the Ruleset Augment Config file
+  --sigmapconfig      Filename of Mappings for Snort alert classtype to 
+                      Bro SigAction
+  --brosignaturedest  Filename to write the Bro signatures to
+  --defaultsigaction  Default Bro SigAction 
+  --sigactiondest     Filename to write the SigActions to
+  --snortrulesetdir   Directory containing Snort rules
+  --ignorehostdirection
+                      Ignore Snort connection direction information and
+                      do not include in the Bro signature. default 'true'
+  --updateaugment     Build or update the s2b-augment.cfg file using rulesets
+                      found in --snortrulesdir 
+  --usage|--help|-h   Summary of command line options
+  --debug|-d          Specify the debug level from 0 to 5. default 1
+  --version           Output the version numberto STDOUT
+  --copyright         Output the copyright info to STDOUT
+  
+~;
+	
+	return( $usage_text );
+}
+
+sub version
+{
+	my $sub_name = 'version';
+	
+	return( $VERSION );
+}
+
+sub copyright
+{
+	my $sub_name = 'copyright';
+	
+	my $copyright =
+qq~s2b.pl
+version $VERSION, Copyright (C) 2004 Lawrence Berkeley National Labs, NERSC
+Written by Roger Winslow~;
+	
+	return( $copyright );
+}
+
diff --git a/scripts/s2b/bin/snort2bro b/scripts/s2b/bin/snort2bro
new file mode 100755
index 0000000000..8c88033e81
--- /dev/null
+++ b/scripts/s2b/bin/snort2bro
@@ -0,0 +1,1036 @@
+#!/usr/bin/python
+
+import sys
+import re
+import getopt
+import os.path
+import struct
+
+# FIXME: Not all of the implemented Snort options are really tested...
+
+snortcmd       = re.compile( "(preprocessor|include|var|config|alert|log|pass|activate|dynamic|output)\s*:?\s*(.*)" )
+snortrule      = re.compile( "(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+\((.*)\)" )
+snortopt       = re.compile( r"([a-zA-Z_]+)\s*(:\s*(([^;]|(?<=\\);)+)|);" )
+
+snortipre      = "(\d+\.\d+\.\d+\.\d+(/\d+)?)"
+snortip        = re.compile( "(!)?%s" % snortipre )
+snortiplist    = re.compile( "(!)?\[(%s(,%s)*)\]" % ( snortipre,snortipre ) )
+snortport      = re.compile( "(!)?(\d+)" )
+snortportrange = re.compile( "(!)?(\d+)?:(\d+)?" )
+snortval       = re.compile( "([<>=!]?) *(\d+)" )
+snortvalrange  = re.compile( "(\d+)? *- *(\d+)?" )
+snortbytecode  = re.compile( r"\\\|\s*(([a-fA-F0-9]{2}\s*)+)\s*\\\|" ) # "|" are quoted when we do the match
+snorthex       = re.compile( "(..) *" )
+snortquote     = re.compile( r"\\(.)" )
+snortalpha     = re.compile( r"(\\x[a-fA-F0-9]{2}|[A-Za-z])" )
+snortrpc       = re.compile( r"((\d)+|\*) *, *((\d)+|\*) *, *((\d)+|\*)" )
+
+snortsid       = re.compile( "sid: *(\d+)" )
+snortrev       = re.compile( "rev: *(\d+)" )
+
+# Mapping of Snort's variables to Bro's
+#     <snort> -> ( <bro>, <invert> )
+MapVars = {
+    "external_net": ( "local_nets", 1 ),
+    "home_net": ( "local_nets", 0 ),
+    "http_servers": ( "http_servers", 0 ),
+    "http_ports": ( "http_ports", 0 ),
+    "oracle_ports": ( "oracle_ports", 0 ),
+    "smtp_servers": ( "smtp_servers", 0 ),
+    "sql_servers": ( "sql_servers", 0 ),
+    "telnet_servers": ( "telnet_servers", 0 ),
+    "aim_servers": ( "aim_servers", 0 ),
+    "shellcode_ports": ( "non_shellcode_ports", 1 ),
+}
+
+# Mapping of variables to content
+SnortVars = {}
+
+# List of tuples (file,linenr) for all not fully processed input files:
+Inputs = []
+
+# Last input line read
+RawInputLine = ""
+
+# Counts Snort rules without SID
+UnknownCount = 0
+
+# There may be some rules for which it don't make sense to translate them. We ignore them.
+IgnoreSIDs = {}
+
+# Always include these signatures, even if they would be ignored with option -c.
+AlwaysIncludeSIDs = {}
+
+def error( str ):
+    if Inputs:
+        if RawInputLine:
+            print >>sys.stderr, ">>", RawInputLine,
+            if RawInputLine[-1] != "\n":
+                print >>sys.stderr
+        print >>sys.stderr, "Error in %s, line %d: %s" % ( Inputs[0][0].name, Inputs[0][1], str )
+
+    else:
+        print >>sys.stderr, "Error:", str
+    sys.exit( 1 )
+
+def warning( str ):
+    if Inputs:
+        if RawInputLine:
+            print >>sys.stderr, ">>", RawInputLine,
+            if RawInputLine[-1] != "\n":
+                print >>sys.stderr
+        print >>sys.stderr, "Warning in %s, line %d: %s" % ( Inputs[0][0].name, Inputs[0][1], str )
+    else:
+        print >>sys.stderr, "Warning:", str
+
+# Converts Snort-like globs into regexp chars
+def replaceGlobs( str ):
+    # Note that the globs are quoted when we see them here
+    # FIXME: If the original pattern contains a "\?" or "\*" it
+    # will be converted as well.
+    str = str.replace( "\\*", ".*" )
+    str = str.replace( "\\?", "." )
+    return str
+
+# Replaces Snort-like bytecodes by \x.. sequences
+def replaceByteCodes( str ):
+    return snortbytecode.sub( lambda bytecode: snorthex.sub( "\\x\\1", bytecode.group( 1 ) ), str )
+
+# Removes Snort's \ quotations
+def removeQuotes( str ):
+    return snortquote.sub( "\\1", str )
+
+# Quotes all '"'
+def quoteStr( str ):
+    return str.replace( "\"", "\\\"" )
+
+# Translates all alphabetical characters to case-insensitive classes
+def makeCaseInsensitive( str ):
+
+    def replaceby( match ):
+        s = match.group( 1 )
+        # Do not change hex codes
+        if s.startswith( "\\x" ):
+            return s
+        return "[%s%s]" % ( s.lower(), s.upper() )
+
+    str = snortalpha.sub( replaceby , str )
+    return str
+
+# Insert some special variants/character classes for URIs
+#     - "/ -> [/\]"
+def makeURIPattern( str ):
+    str = str.replace( "\\/", "[\\/\\\\]" )
+    return str
+
+# Escapes all regex control characters  so that it can be safely used as a regex
+def escapeCtrl( str ):
+    re = ""
+    for i in str:
+        if "^$|.*+?[](){}/\"\\".find( i ) >= 0:
+            i = "\\" + i
+        re += i
+    return re
+
+# Converts a Snort pattern into a RE
+# If icase==1, constructs an case-insensitive regex.
+# If uri==1, creates some special things for URIs (see above)
+# If glob==1, the pattern is a Snort-like "regex" glob
+# If negate==1, the pattern is negated
+# If neglen>0, it's the number of character which are *not* allowed to match the negated pattern
+#
+# FIXME: We should use a more sophisticated parser here
+#
+def patternToRE( str, icase, uri, globs, negate, neglen ):
+
+    if negate:
+        if patternLength( str ) > 1:
+            warning( "Can\'t negate patterns with more than one character" )
+            return "<willnevermatch>"
+        str = "[^%s]" % replaceByteCodes( escapeCtrl( str ) )
+
+        if neglen > 0:
+            return str + "{%d}" % neglen
+        else:
+            return str + "*"
+
+    str = removeQuotes( str )
+    str = escapeCtrl( str )
+    if globs:
+        str = replaceGlobs( str )
+    str = replaceByteCodes( str )
+
+    if uri:
+        str = makeURIPattern( str )
+
+    if icase:
+        str = makeCaseInsensitive( str )
+
+    return str
+
+# Counts the number chars in the Snort pattern
+def patternLength( str ):
+    str = removeQuotes( str )
+    str = escapeCtrl( str )
+    str = replaceByteCodes( str )
+
+    count = 0
+    esc = 0
+
+    for c in str:
+        if c == "\\" and not esc:
+            esc = 1
+            continue
+
+        if esc and c == "x":
+            count -= 2
+
+        esc = 0
+        count += 1
+
+    return count
+
+# Parse a Snort variable declaration
+def parseVar( decl ):
+    ( key, value ) = decl.split()
+    SnortVars[ "$"+key ] = value
+
+# Perform Snort's variable expansion
+def expandVars( str ):
+    for ( key, value ) in SnortVars.items():
+        str = str.replace( key, value )
+    return str
+
+# Parse Snort's rule options
+def parseRuleOptions( str ):
+
+    options = {}
+
+    m = snortopt.findall( str )
+
+    lastcontent = None
+    depth = distance = negate = nocase = offset = regex = within = -1
+
+    negpattern = -1
+
+#    print str
+
+    for ( b1, b2, b3, b4 ) in m:
+        if b2:
+            val = b3
+            if val[0] == "!":
+                negpattern = 1
+                val = val[1:]
+            if len( val ) >= 2:
+                if val[0] == '"' and val[-1] == '"':
+                    val = val[1:-1]
+        else:
+            val = ""
+
+        # Note that there may be more than one depth/offset per rule.
+        # Each depth/offset/regex affects exactly that content which precedes it.
+        # It's illegal to have a depth/offset/regex before a content.
+        # That is all undocumented.
+        # ... !@#$%^&* ...
+
+        option = b1.lower()
+
+        if option == "content":
+
+            if not lastcontent:
+                lastcontent = val
+                continue
+
+            oldval = val
+            val = ( lastcontent, depth, distance, negate, nocase, offset, regex, within )
+            depth = distance = negate = nocase = offset = regex = within = -1
+            negate = negpattern
+            lastcontent = oldval
+
+        elif option == "depth":
+            depth = int( val )
+            continue
+
+        elif option == "distance":
+            distance = int( val )
+            continue
+
+        elif option == "within":
+            within = int( val )
+            continue
+
+        elif option == "offset":
+            offset = int( val )
+            continue
+
+        elif option == "regex":
+            regex = 1
+            continue
+
+        elif option == "nocase":
+            nocase = 1
+            continue
+
+        try:
+            options[ option ] += [ val ]
+        except LookupError:
+            options[ option ] = [ val ]
+
+    if lastcontent:
+        try:
+            options[ "content" ] += [ ( lastcontent, depth, distance, negate, nocase, offset, regex, within ) ]
+        except LookupError:
+            options[ "content" ] = [ ( lastcontent, depth, distance, negate, nocase, offset, regex, within ) ]
+
+    return options
+
+# Parses a list of IPs in Snort's format
+def parseIP( ip ):
+
+    # See if it's an unexpanded var.
+    if ip.startswith( "$" ):
+        try:
+            ( brovar, neg ) = MapVars[ ip[1:] ]
+            return ( neg, [brovar] )
+        except LookupError:
+            error( "Unknown variable " + ip )
+
+    m = snortip.match( ip )
+    if m:
+        ips = ( m.group( 2 ), )
+    else:
+        m = snortiplist.match( ip )
+        if m:
+            ips = m.group( 2 ).split( "," )
+        else:
+            error( "Can\'t parse IP " + ip )
+
+    if m.group( 1 ) != "!":
+        return( 0, ips )
+    else:
+        return( 1, ips )
+
+# Parses a list of ports in Snort's format
+def parsePort( port ):
+
+    # See if it's an unexpanded var.
+    if port.startswith( "$" ):
+        try:
+            ( brovar, neg ) = MapVars[ port[1:] ]
+            return ( neg, brovar, brovar )
+        except LookupError:
+            error( "Unknown variable " + port )
+
+    m = snortportrange.match( port )
+    if m:
+        try:
+            min = int( m.group( 2 ) )
+        except TypeError:
+            min = 0
+        try:
+            max = int( m.group( 3 ) )
+        except TypeError:
+            max = 65535
+    else:
+        m = snortport.match( port )
+        if m:
+            min = max = int( m.group( 2 ) )
+        else:
+            error( "Can\'t parse port " + port )
+
+    if m.group( 1 ) != "!":
+        return( 0, min, max )
+    else:
+        return( 1, min, max )
+
+######
+
+# Convert the common head of a Snort rule
+def convertHead( prot, srcip, srcport, dstip, dstport ):
+
+    rule = ""
+
+    # Convert IP protocol
+    if prot.lower() != "ip":
+	rule += "  ip-proto == %s\n" % prot.lower()
+
+    # Convert IPs
+    for ( tag, ip ) in ( ( "src-ip", srcip ), ( "dst-ip", dstip ) ):
+        if ip != "any":
+            ( negate, iplist ) = parseIP( ip )
+            if not negate:
+                cmp = "=="
+            else:
+                cmp = "!="
+
+            rule += "  %s %s %s\n" % ( tag, cmp, ",".join( iplist ) )
+
+    # Convert Ports
+    for ( tag, port ) in ( ( "src-port", srcport ), ( "dst-port", dstport ) ):
+        if port != "any":
+            ( negate, min, max ) = parsePort( port )
+            if min == max:
+                if not negate:
+                    cmp = "=="
+                else:
+                    cmp = "!="
+                rule += "  %s %s %s\n" % ( tag, cmp, min )
+            else:
+                if not negate:
+                    cmp1 = ">="
+                    cmp2 = "<="
+                else:
+                    cmp1 = "<"
+                    cmp2 = ">"
+
+                rule += "  %s %s %s\n" % ( tag, cmp1, min )
+                rule += "  %s %s %s\n" % ( tag, cmp2, max )
+
+    return rule
+
+# Converts one of Snort's bit strings (like "A+" for "flags")
+def convertBitSet( str, bitspecs, hdrfield, fieldmask ):
+
+    # Split into flags and mask
+    parts = str.split(",")
+    if len(parts) > 1:
+        ( str, snortmask ) = parts
+        # FIXME: We ignore the mask for now. This would again need some
+        # digging in Snort's source as I don't really understand what they
+        # are doing...
+        
+    # This is not strictly Snort conforming but works as long as the
+    # flag string is not ambigious.
+
+    type = ""
+    mask = 0
+    for c in str:
+        if "+!*".find( c ) >= 0:
+            type = c
+            continue
+        try:
+            mask |= bitspecs[c]
+        except LookupError:
+            error( "Unknown bit in \"%s\"" % str )
+
+    if type == "":
+        # Snort's default is check for equality (undocumented)
+        rule = "  %s & %d == %d\n" % ( hdrfield, fieldmask, mask )
+    if type == "+":
+        rule = "  %s & %d == %d\n" % ( hdrfield, ( mask | fieldmask ), mask )
+    if type == "*":
+        rule = "  %s & %d != 0\n" % ( hdrfield, ( mask | fieldmask ) )
+    if type == "!":
+        rule = "  %s & %d == 0\n" % ( hdrfield, ( mask | fieldmask ) )
+
+    return rule
+
+# Converts a test for a value which may include some range (e.g. "<5", "21-42")
+def convertVal( str, hdrfield ):
+
+    m = snortvalrange.match( str )
+    if m:
+        try:
+            min = int( m.group( 1 ) )
+        except TypeError:
+            min = 0
+        try:
+            max = int( m.group( 2 ) )
+        except TypeError:
+            max = -1
+
+        rule = ""
+        if min > 0:
+            rule += "  %s >= %d\n" % ( hdrfield, min )
+        if min >= 0:
+            rule += "  %s <= %d\n" % ( hdrfield, max )
+        return rule
+
+    m = snortval.match( str )
+    if m:
+        val = int( m.group( 2 ) )
+        cmp = m.group( 1 )
+
+        if cmp == "<" or cmp == ">":
+            return "  %s %s %d\n" % ( hdrfield, cmp, val )
+        if cmp == "!":
+            return "  %s != %d\n" % ( hdrfield, val )
+        if cmp == "" or cmp == "=":
+            return "  %s == %d\n" % ( hdrfield, val )
+
+    error( "Can\'t parse value \"%s\"" % str )
+
+# Convert one value of the RPC triple into a RE
+def convertRPCVal( str ):
+    if str == "*":
+        return "."
+    else:
+        # Convert value to hex pattern in network bye order
+        val = struct.pack( "!I", int( str ) )
+        return ( "\\x%02x" * 4 ) % struct.unpack( "BBBB", val )
+
+# Sanity check to see if the two protocols match
+def checkProt( testprot, option, ruleprot ):
+    if testprot != ruleprot:
+        error( "Option \"%s\" only valid for %s rules" % ( option, testprot.upper() ) )
+
+def convertOptions( options, prot ):
+
+    global IsPayloadRule
+    
+    rule = ""
+    payloads = []
+
+    for ( key, vallist ) in options.items():
+
+        if key == "ack":
+            checkProt( "tcp", key, prot )
+            rule += "  header tcp[8:4] == %d\n" % int( vallist[0] )
+
+        elif key == "classtype":
+            pass
+
+        elif key == "content":
+
+           IsPayloadRule = 1
+           
+           for i in range( len( vallist ) ):
+
+                ( content, depth, distance, negate, nocase, offset, regex, within ) = vallist[i]
+
+                # Special case: If have we have a payload size which equals the size of the pattern,
+                # the payload has to match exactly
+
+                prefix = ".*"
+
+                if "dsize" in options.keys():
+                    try:
+                        if patternLength( content ) == int( options["dsize"][0] ):
+                            prefix = ""
+                    except ValueError:
+                        # dsize is something which contains a range; do nothing as
+                        # it's just an optimization after all
+                        pass
+
+                realdepth = depth;
+                realoffset = offset;
+
+                maxdist = 1
+
+                if depth >= 0:
+                    realdepth -= patternLength( content )
+
+                if offset >= 0:
+                    realoffset -= 1
+                    maxdist = 0
+
+                if offset >= 0 and depth >= 0:
+                    realdepth -= offset
+                    maxdist = 1
+
+                if within >= 0:
+                    realdepth += within - patternLength( content ) + 1
+
+                if distance >= 0:
+                    realoffset += distance + 1
+                    maxdist = 0
+
+                if within >= 0 and distance >= 0:
+                    maxdist = 1
+
+                if realdepth < 0 and realoffset <= 0:
+                    re = prefix
+                else:
+                    re = ""
+
+                if realdepth < 0:
+                    realdepth = -1
+
+                if realoffset > 0:
+                    if maxdist:
+                        re += ".{%d}" % realoffset
+                    else:
+                        re += ".{%d}.*" % realoffset
+                elif realoffset == 0 and not maxdist:
+                        re += ".*"
+
+                if realdepth > 0 and negate < 0:
+                    re += ".{0,%d}" % realdepth
+                    maxdist = 1
+
+                re += patternToRE( content, nocase >= 0, 0, regex >= 0, negate >= 0, realdepth + 1 )
+
+                if distance >= 0 or within >= 0:
+                    try:
+                        payloads[-1] += re
+                    except LookupError:
+                        payloads = [ re ]
+                else:
+                    payloads += [ re ]
+
+                if REFile:
+                    print >>REFile, re
+                if PatternFile:
+                    print >>PatternFile, val
+
+        elif key == "depth":
+            # Ignore it here; we test for it when handling content
+            pass
+
+        elif key == "distance":
+            # Ignore it here; we test for it when handling content
+            pass
+
+        elif key == "dsize":
+            rule += convertVal( vallist[0], "payload-size" )
+            pass
+
+        elif key == "flags":
+            checkProt( "tcp", key, prot )
+
+            TCPFlags =  { "F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
+                          "A": 0x10, "U": 0x20, "2": 0x40, "1": 0x80, "0": 0x00 }
+            rule += convertBitSet( "".join( vallist ), TCPFlags, "header tcp[13:1]", 0xff )
+
+        elif key == "flow":
+            checkProt( "tcp", key, prot )
+
+            Flows = { "established" : "established",
+                      "to_server" : "originator",
+                      "to_client" : "responder",
+                      "from_server" : "responder",
+                      "from_client" : "originator",
+                      "stateless" : "stateless"
+                      }
+
+            tcpstate = []
+            for val in vallist:
+                for ( snort, bro ) in Flows.items():
+                    if val.find( snort.lower() ) >= 0:
+                        tcpstate += ( bro, )
+            if tcpstate:
+                rule += "  tcp-state %s\n" % ",".join( tcpstate )
+
+        elif key == "fragbits":
+            FragFlags = { "M": 0x20, "D": 0x40, "R": 0x80 }
+            rule += convertBitSet( "".join( vallist ), FragFlags, "header ip[6:1]", 0xe0 )
+
+        elif key == "icmp_seq":
+            checkProt( "icmp", key, prot )
+            # Check if it's an ECHO or ECHO_REPLY packet
+            # Note Snort's undocumented behaviour: It does check REPLYs
+            # as well, and it does not check the ICMP code
+            rule += "  header icmp[0:1] == 0,8\n"
+            rule += "  header icmp[6:2] == %d\n" % int( vallist[0] )
+
+        elif key == "icmp_id":
+            checkProt( "icmp", key, prot )
+            # Check if it's an ECHO or ECHO_REPLY packet
+            # Note Snort's undocumented behaviour: It does check REPLYs
+            # as well, and it does not check the ICMP code
+            rule += "  header icmp[0:1] == 0,8\n"
+            rule += "  header icmp[4:2] == %d\n" % int( vallist[0] )
+
+        elif key == "icode":
+            checkProt( "icmp", key, prot )
+            rule += "  header icmp[1:1] == %d\n" % int( vallist[0] )
+
+        elif key == "id":
+            rule += "  header ip[4:2] == %d\n" % int( vallist[0] )
+
+        elif key == "ip_proto":
+            rule += convertVal( vallist[0], "header ip[9:1]" )
+
+        elif key == "ipopts":
+            rule += "  ip-options %s\n" % ",".join( vallist ).lower()
+
+        elif key == "itype":
+            checkProt( "icmp", key, prot )
+            rule += "  header icmp[0:1] == %d\n" % int( vallist[0] )
+
+        elif key == "msg":
+            rule += "  event \"%s\"\n" % quoteStr( removeQuotes( " ".join( vallist ) ) )
+
+        elif key == "nocase":
+            # Ignore it here; we test for it when handling content
+            pass
+
+        elif key == "offset":
+            # Ignore it here; we test for it when handling content
+            pass
+
+        elif key == "rawbytes":
+            # We can ignore this as we're always matching raw bytes.
+            pass
+        
+        elif key == "ref":
+            pass
+
+        elif key == "reference":
+            pass
+
+        elif key == "regex":
+            pass
+
+        elif key == "rev":
+            pass
+
+        elif key == "rpc":
+            m = snortrpc.match( vallist[0] )
+            if not m:
+                error( "Can\'t parse RPC values" )
+            ( app, proc, version ) = ( m.group( 1 ), m.group( 3 ), m.group( 5 ) )
+
+            # The Snort rule set has only explicit UDP/TCP rules containg
+            # "rpc" but no general IP rules. So we use the rule type
+            # to decide whether we check for UDP- or TCP-style RPC
+            #
+            # Snort only looks at calls, but not on replies (undocumented)
+            # Snort validates the RPC_MSG_VERSION (undocumented)
+            if prot == "udp":
+                off = 7
+            else:
+                checkProt( "tcp", key, prot )
+                off = 11
+
+            # RPC version == 2, Call == 1 \
+            rule += "  payload /" + ( "." * off ) \
+                    + "\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x01"  \
+                    + convertRPCVal( app ) + convertRPCVal( version ) + convertRPCVal( proc ) \
+                    + "/\n"
+
+        elif key == "sameip":
+            rule += "  same-ip\n"
+
+        elif key == "seq":
+            checkProt( "tcp", key, prot )
+            rule += "  header tcp[4:4] == %d\n" % int( vallist[0] )
+
+        elif key == "sid":
+            pass
+        
+        elif key == "rev":
+            pass
+        
+        elif key == "tag":
+            # In Snort, this capture packets of session/host for later analysis.
+            # Unsupported for now, but we could come up with something similar
+            # by passing it on to set_record_contents(). Doesn't affect the
+            # matching, though.
+            pass
+
+        elif key == "ttl":
+            rule += convertVal( vallist[0], "header ip[8:1]" )
+            pass
+
+        elif key == "uricontent":
+            
+           IsPayloadRule = 1            
+            
+           for val in vallist:
+#                if ALTERNATIVE_PATTERNS:
+#                    re = "(|.*\\r\\n\\r\\n)(GET|HEAD|POST) *[^\\n]*%s" % patternToRE( val, "nocase" in options.keys(), 1, 0 )
+#                else:
+#                    re = "(GET|HEAD|POST) *[^\\n]*%s" % patternToRE( val, "nocase" in options.keys(), 1, 0 )
+#
+#                rule += "  payload /%s/\n" % re
+
+                if ALTERNATIVE_PATTERNS:
+                    re = "(|.*\\r\\n\\r\\n)(GET|HEAD|POST) *[^\\n]*%s" % patternToRE( val, "nocase" in options.keys(), 1, 0, 0, 0 )
+                    rule += "  payload /%s/\n" % re
+                else:
+                    re = ".*%s" % patternToRE( val, "nocase" in options.keys(), 1, 0, 0, 0 )
+                    rule += "  http /%s/\n" % re
+
+
+
+                if REFile:
+                    print >>REFile, re
+                if PatternFile:
+                    print >>PatternFile, val
+
+        elif key == "within":
+            # Ignore it here; we test for it when handling content
+            pass
+
+        else:
+            warning( "Option '%s' not supported currently; ignored" % key )
+            rule += "  # Not supported: %s: %s\n" % ( key, ",".join( vallist ) )
+
+    for p in payloads:
+        rule += "  payload /%s/\n" % p
+
+    return rule
+
+def parseAlert( rule ):
+
+    global UnknownCount
+    global IsPayloadRule
+
+    IsPayloadRule = 0
+    
+    m = snortrule.match( rule )
+    if not m:
+        error( "Can\'t parse alert rule" )
+
+    fields = m.groups()
+
+    ( prot, srcip, srcport, dir, dstip, dstport ) = map( lambda s: s.lower(), fields[0:6] )
+
+    options = parseRuleOptions( fields[6] )
+
+    try:
+        sid = options["sid"][0]
+        rev = options["rev"][0]
+        try:
+            if int( sid ) in  IgnoreSIDs:
+                return
+#            id = "sid-" + sid
+# 2004-06-21, rwinslow, Added rev level for sid
+            id = sid + "-" + rev
+        except ValueError:
+            id = sid
+
+    except LookupError:
+        id = "sid-unknown-%d" % UnknownCount
+        UnknownCount += 1
+
+    try:
+        # Create rules depending on the direction; for "<>" we simply create
+        # two rules
+
+        #if dir == "<>":
+        #    id1 = id + "-a"
+        #    id2 = id + "-b"
+        #else:
+        #    id1 = id2 = id
+				
+				id1 = id2 = id
+				
+				if dir == "<>":
+						rule = "signature %s {\n" % id1
+						rule += convertHead( prot, "any", dstport, "any", srcport )
+						rule += convertOptions( options, prot )
+						
+						if not PAYLOAD_ONLY or IsPayloadRule or id in AlwaysIncludeSIDs:
+							print rule + "  }\n"
+				else:
+						if dir != "->":
+								rule = "signature %s {\n" % id1
+								rule += convertHead( prot, dstip, dstport, srcip, srcport )
+								rule += convertOptions( options, prot )
+								
+								if not PAYLOAD_ONLY or IsPayloadRule or id in AlwaysIncludeSIDs:
+										print rule + "  }\n"
+
+						if dir != "<-":
+								rule = "signature %s {\n" % id2
+								rule += convertHead( prot, srcip, srcport, dstip, dstport )
+								rule += convertOptions( options, prot )
+								
+								if not PAYLOAD_ONLY or IsPayloadRule or id in AlwaysIncludeSIDs:
+										print rule + "  }\n"
+        	
+
+    except LookupError, e:
+        error( "Can\'t convert rule: " + str( e ) )
+
+#### Main
+
+# Use some alternative patterns
+ALTERNATIVE_PATTERNS = 0
+# If PatternFile is a file, all content/uricontent patterns are written to it
+PatternFile = 0
+# If REFile is a file, all REs generated from content/uricontent patterns are written to it
+REFile = 0
+# Directories where to look for include's
+INCPATH = [ "./" ]
+# Only include signatures which match contain payload/uricontent
+# (Exceptions can be defined in AlwaysIncludeSIDs)
+PAYLOAD_ONLY = 0
+
+# Number of Snort rules to output (no conversion to Bro format)
+SnortRules = -1
+
+# Total number of rules
+TotalRules = 0
+
+def openInputFile( filename ):
+
+    for i in INCPATH:
+        try:
+            fullpath =  os.path.join( i, filename )
+            file = open( fullpath )
+            print >>sys.stderr, "Reading", fullpath
+            return file
+        except IOError:
+            pass
+
+    error( "Can\'t find file %s" % filename )
+
+def ReadConfig( file ):
+    
+    try:
+        cfg = open( arg )
+        for line in cfg:
+            
+            line = line.strip()
+            if len( line ) == 0 or line.startswith("#"):
+                continue
+
+            try:
+                ( action, sid ) = line.split()
+                sid = int( sid )
+            except ValueError:
+                print >>sys.stderr, "Warning: illegal format '%s'" % line
+                continue
+            
+            if action == "ignoresid":
+                IgnoreSIDs[sid] = 1
+                
+    except IOError:
+        print >>sys.stderr, "Warning: Can't read config file %s" % arg
+                
+def usage():
+    print >>sys.stderr
+    print >>sys.stderr, "Usage: snort2bro [<options>] [<snort-files>] "
+    print >>sys.stderr
+    print >>sys.stderr, "  Options:"
+    print >>sys.stderr
+    print >>sys.stderr, "    -c <file>: File containing signature in-/excludes"
+    print >>sys.stderr, "    -p       : Only include signatures which match on payload"
+    print >>sys.stderr, "    -I <dir> : Add dir to search path for Snort\'s include statement"
+    print >>sys.stderr
+    print >>sys.stderr, "    -P       : Write all patterns to patterns.txt and "
+    print >>sys.stderr, "               all generared REs to res.txt"
+    print >>sys.stderr, "    -S <n>   : No conversion; just print out one big Snort config file"
+    print >>sys.stderr, "               containing the first <n> rules"
+    print >>sys.stderr, "    -X       : Produce some alternate REs"
+
+    print >>sys.stderr
+    sys.exit( 1 )
+
+try:
+    options, rest = getopt.getopt( sys.argv[1:], "XPI:S:pc:" )
+except:
+    usage()
+
+for( opt, arg ) in options:
+    if opt == "-X":
+        ALTERNATIVE_PATTERNS = 1
+
+    if opt == "-P":
+        PatternFile = open( "patterns.txt", "w" );
+        REFile = open( "res.txt", "w" );
+
+    if opt == "-I":
+        INCPATH += [ arg, ]
+
+    if opt == "-S":
+        SnortRules = int( arg )
+
+    if opt == "-p":
+        PAYLOAD_ONLY = 1
+
+    if opt == "-c":
+        ReadConfig( arg )
+        
+if len( rest ):
+    Inputs = [ ( openInputFile( file ), 0 ) for file in rest ]
+else:
+    Inputs = [ ( sys.stdin, 0 ) ]
+
+continued = False
+
+while Inputs:
+
+    if not continued:
+        line = ""
+    
+    RawInputLine = Inputs[0][0].readline()
+    if not RawInputLine:
+        Inputs = Inputs[1:]
+        continue
+
+    single_line = RawInputLine.strip()
+    
+    # Increase line count
+    Inputs[0] = ( Inputs[0][0], Inputs[0][1] + 1 )
+
+    # Continuation of lines
+    if single_line.endswith("\\"):
+        line += single_line[:-1]
+        continued = True
+        continue
+
+    line += single_line
+    continued = False
+
+    # Empty or comments
+    if not line or line.startswith( '#' ):
+        continue
+            
+    line = expandVars( line )
+
+    m = snortcmd.match( line )
+    if not m:
+        error( "Can\'t parse line " + line )
+
+    cmd = m.group( 1 )
+    args = m.group( 2 )
+
+    if cmd == "include":
+        Inputs = [ ( openInputFile( args ), 0 ) ] + Inputs
+        continue
+
+    if cmd == "var":
+        parseVar( args )
+
+    if cmd == "alert":
+        TotalRules += 1
+
+    if SnortRules >= 0:
+
+        noprint = 0
+
+        if cmd == "alert":
+
+            for i in IgnoreSIDs:
+                m = snortsid.search( args )
+                if m and int( m.group( 1 ) ) == i:
+                    noprint = 1
+                    
+            if SnortRules == 0:
+                noprint = 1
+
+            if not noprint:
+                SnortRules -= 1
+
+        if not noprint:
+            print RawInputLine,
+
+        continue
+
+    if cmd == "var":
+        continue
+
+    if cmd == "alert":
+        parseAlert( args )
+        continue
+
+    if cmd == "output":
+        continue
+
+    if cmd == "preprocessor":
+        continue
+
+    if cmd == "config":
+        # FIXME: Should we convert this to Bro?
+        continue
+
+    warning( "'%s' is not supported yet; line ignored." % cmd )
+
+
+# Options -S returns the number of rules as exit code
+if SnortRules >= 0:
+    print >>sys.stderr, TotalRules
diff --git a/scripts/s2b/bro-include/Makefile.am b/scripts/s2b/bro-include/Makefile.am
new file mode 100644
index 0000000000..a76ae0e922
--- /dev/null
+++ b/scripts/s2b/bro-include/Makefile.am
@@ -0,0 +1,4 @@
+## Process this file with automake to produce Makefile.in
+
+EXTRA_DIST = sig-addendum.sig sig-functions.bro
+
diff --git a/scripts/s2b/bro-include/sig-addendum.sig b/scripts/s2b/bro-include/sig-addendum.sig
new file mode 100644
index 0000000000..e2dadc3367
--- /dev/null
+++ b/scripts/s2b/bro-include/sig-addendum.sig
@@ -0,0 +1,408 @@
+# these are translations for pcre -> lex/bro
+#
+#       \w AN and _     : [a-zA-Z_]
+#       \W not \w       : [^a-zA-Z_]
+#       \s whitespace   : [\x20\x09\x0b]
+#       \S not \s       : [^\x20\x09\x0b]
+#       \d numeric      : [0-9]
+#       \D not \d       : [^0-9]
+#
+#
+
+# the sig error also will hold for the 3xx and 5xx series also(?)
+# 304 not modified may be a problem here
+
+signature http_error {
+        ip-proto == tcp
+        src-port == http_ports
+        payload /.*HTTP\/1\.. *[3-5][0-9][0-9]/
+        tcp-state established 
+}
+
+signature http_good {
+        ip-proto == tcp
+        src-port == http_ports
+        payload /.*HTTP\/1\.. *2[0-9][0-9]/
+        tcp-state established
+}
+
+signature http_shell_check {
+        ip-proto == tcp
+        src-port == http_ports
+        # this should filter out most typical references to the various shell commands
+        # from man pages and reference guides
+        payload /((ksh)|(rsh)|(zsh)|(csh)|(tcsh)|(sh)|(bash))[a-zA-Z0-9\x2d\x2e\x5f\x2f]/
+        tcp-state established
+}
+
+signature got_http_root {
+        # this is to get around the 'permission denied' == response
+        # == 200 reply problem for /etc/passwd checking
+        # just a sanity check to see if there is some suggestion of success
+        ip-proto == tcp
+        src-port == 80
+        payload /.*root:.*/
+        tcp-state established
+}
+
+# the following sigs should give some idea of the server software type and
+# version.  This assumes that the configuration has not been changed
+
+signature http_apache_server {
+	ip-proto == tcp
+	src-port == http_ports
+	# this should catch *most* apache instances that are normal
+	# in behavior
+	payload /.*\x0aServer: Apache.*/
+	tcp-state established
+}
+
+signature http_apache1_server {
+        ip-proto == tcp
+        src-port == http_ports
+        # this should catch *most* apache instances that are normal
+        # in behavior
+        payload /.*\x0aServer: Apache\/1\..*/
+        tcp-state established
+}
+
+signature http_apache2_server {
+        ip-proto == tcp
+        src-port == http_ports
+        # this should catch *most* apache instances that are normal
+        # in behavior
+        payload /.*\x0aServer: Apache\/2\..*/
+        tcp-state established
+}
+
+signature http_iis_server {
+	ip-proto == tcp
+	src-port == http_ports
+	payload /.*\x0aServer: Microsoft-IIS.*/
+	tcp-state established
+}
+
+signature http_iis4_server {
+        ip-proto == tcp
+        src-port == http_ports
+        payload /.*\x0aServer: Microsoft-IIS\/4\.0.*/
+        tcp-state established
+}
+
+signature http_iis5_server {
+        ip-proto == tcp
+        src-port == http_ports
+        payload /.*\x0aServer: Microsoft-IIS\/\5\.0.*/
+        tcp-state established
+}
+
+signature http_iis6_server {
+        ip-proto == tcp
+        src-port == http_ports
+        payload /.*\x0aServer: Microsoft-IIS\/\6\.0.*/
+        tcp-state established
+}
+
+signature http_cool_dll {
+  ip-proto == tcp
+  dst-port == http_ports
+  payload /.*cool.dll*./
+  }
+
+########################## client section #
+#
+#        "User-Agent: "
+#        payload /.*\x0a\x55\x73\x65\x72\x2d\x41\x67\x65\x6e\x74\x3a\x20/
+#
+#######
+
+signature http_msie_client {
+	ip-proto == tcp
+	dst-port == http_ports
+	# "User-Agent:...... MSIE #"
+	payload /.*\x0a\x55\x73\x65\x72\x2d\x41\x67\x65\x6e\x74\x3a\x20.{5,30}MSIE\x20[1-9]*./
+	tcp-state established
+}
+
+signature http_real_client {
+	ip-proto == tcp
+	dst-port == http_ports
+	# "User-Agent:.RMA/1.0.(compatible;.RealMedia)"
+	payload /.*\x0a\x55\x73\x65\x72\x2d\x41\x67\x65\x6e\x74\x3a\x20\x52\x4d\x41\x2f\x31\x2e\x30\x20\x28\x63\x6f\x6d\x70\x61\x74\x69\x62\x6c\x65\x3b\x20\x52\x65\x61\x6c\x4d\x65\x64\x69\x61\x29*./
+	tcp-state established
+}
+
+
+signature http_opera_client {
+	ip-proto == tcp
+	dst-port == http_ports
+	# "User-Agent: Opera/6.1"
+	payload /.*\x0a\x55\x73\x65\x72\x2d\x41\x67\x65\x6e\x74\x3a.{3,50}\x4f\x70\x65\x72\x61\x2f.*/
+	tcp-state established
+}
+
+signature http_netscape_client {
+	ip-proto == tcp
+	dst-port == http_ports
+	# "User-Agent: ... Netscape/A
+	payload /.*\x0a\x55\x73\x65\x72\x2d\x41\x67\x65\x6e\x74\x3a\x20.{10,90}Netscape\x2f[4-7].*/
+	tcp-state established
+}
+
+signature http_netscape_client4 {
+        ip-proto == tcp
+        dst-port == http_ports
+        # "User-Agent: ... Netscape/A.B
+        payload /.*\x0a\x55\x73\x65\x72\x2d\x41\x67\x65\x6e\x74\x3a\x20.{10,90}Netscape\x2f4\x2e[0-9].*/
+        tcp-state established
+}
+
+signature http_netscape_client7 {
+        ip-proto == tcp
+        dst-port == http_ports
+        # "User-Agent: ... Netscape/A.B - note that for Netscape/7 there is no .X subversion
+        payload /.*\x0a\x55\x73\x65\x72\x2d\x41\x67\x65\x6e\x74\x3a\x20.{10,90}Netscape\x2f7.*/
+        tcp-state established
+}
+
+signature http_netscape_client8 {
+        ip-proto == tcp
+        dst-port == http_ports
+        # "User-Agent: ... Netscape/A.B
+        payload /.*\x0a\x55\x73\x65\x72\x2d\x41\x67\x65\x6e\x74\x3a\x20.{10,90}Netscape\x2f8\x2e[0-9].*/
+        tcp-state established
+}
+
+signature http_moz_client {
+	ip-proto == tcp
+	dst-port == http_ports
+	# "User-Agent: ... rv:A.B ... Gecko/"
+	payload /.*\x0a\x55\x73\x65\x72\x2d\x41\x67\x65\x6e\x74\x3a\x20.{10,70}rv\x3a[0-2]\x2e[0-9].{0,30}Gecko\x2f.*/
+	tcp-state established
+}
+
+signature http_old_gecko_client  {
+        ip-proto == tcp
+        dst-port == http_ports
+        # "User-Agent: ... rv:A.B ... Gecko/"
+        payload /.*\x0a\x55\x73\x65\x72\x2d\x41\x67\x65\x6e\x74\x3a\x20.{10,70}rv\x3a[0-2]\x2e[0-9].{0,30}Gecko\x2f(2000|2001|2002).*/
+        tcp-state established
+}
+
+## end client sigs ##
+
+
+##  ftp based signatures ##
+
+signature got_ftp_root {
+        ip-proto == tcp
+        src-port == 21
+        payload /.*root:.*/
+        tcp-state established
+}
+
+signature got_tftp_root {
+        # this checks to see if a tftp get /etc/passwd or /etc/shadow
+        # actually returns any data.  we assume that root will always
+        # be in the file
+        ip-proto == udp
+        src-port == 69
+        payload /.*root:.*/
+}
+
+# smtp return code checking
+signature smtp_server_ok {
+        ip-proto == tcp
+        src-port == 25
+        payload /. [2-3][0-9][0-9]../ # 2xx-3xx successful
+        tcp-state established
+}
+
+signature smtp_server_pending {
+        ip-proto == tcp
+        src-port == 25
+        payload /.4[0-9][0-9]../  # 4xx failure, ask sender to try later
+        tcp-state established
+}
+
+signature smtp_server_fail {
+        ip-proto == tcp
+        src-port == 25
+        payload /.5[0-9][0-9]../  # 5xx permanent failure
+        tcp-state established
+}       
+
+# ftp server return code information.  a few assumptions made here
+# in theory '150' is a good return, but I skip it here for simplicity
+signature ftp_server_ok {
+        ip-proto == tcp
+        src-port == 21
+        payload /.2[0-9][0-9]../ # 2xx ok
+        tcp-state established
+}
+
+signature ftp_server_error {
+        ip-proto == tcp
+        src-port == 21
+        payload /.5[0-9][0-9]../ # 5xx fail
+        tcp-state established
+}
+
+# snmp return checker - we ought to expect a non-trivial quantity of data for a
+# successful snmp connection
+signature snmp_userver_ok_return {
+        ip-proto == udp
+        src-port >= 161
+        src-port <= 162
+        payload-size > 10
+}
+
+signature snmp_tserver_ok_return {
+        ip-proto == tcp
+        src-port >= 161
+        src-port <= 162
+        payload-size > 10
+        tcp-state established
+}
+
+signature pop_return_ok {
+        ip-proto == tcp
+        src-port >= 109
+        src-port <= 110
+        payload /.\x2bOK/
+        tcp-state established
+}
+
+signature pop_return_error {
+        ip-proto == tcp
+        src-port >= 109
+        src-port <= 110
+        payload /.\x2dERR/
+        tcp-state established
+}
+
+# this series of sigs is provided by CIAC based on suckit rootkit
+# backdoor traffic.  the 'signature' has only been seen on port 22
+# up till now.
+signature sid-ciac-sk1 {
+  ip-proto == tcp
+  event "CIAC-1 suckit backdoor"
+  payload /.*\xd1\xe4\x22\x07\x57\xd3\xa9\x9a\x5a\xd5\xcc\xc7\x9d\xa1\xd5\xc5\xa6\xf1\x6d\x57/
+  }
+ 
+signature sid-ciac-sk2 {
+  ip-proto == tcp
+  event "CIAC-2 suckit backdoor"
+  payload /.*\x7c\x83\x3b\x3f\x8a\x80\x59\xbf\x45\xbd\x5f\xf2\xa3\xc9\x36\x85\xa9\xd1\x15\xc3/
+  }
+ 
+signature sid-ciac-sk3 {
+  ip-proto == tcp
+  event "CIAC-3 suckit backdoor"
+  payload /.*\x12\xc4\xf6\x62\x55\xe6\x36\xbd\xe4\x65\xbc\x24\xbe\xb0\x50\xac\xe0\xef\x9a\x4f/
+  }
+ 
+signature sid-ciac-sk6 {
+  ip-proto == tcp
+  event "CIAC-6 suckit backdoor"
+  payload /.*\xd2\x9b\xec\xe0\x8c\x09\x28\xcb\x05\x60\x1b\xc5\x59\x34\xab\xbd\x56\xd6\x78\xaa/
+  }
+ 
+signature sid-ciac-sk7 {
+  ip-proto == tcp
+  event "CIAC-7 suckit backdoor"
+  payload /.*\xdd\xbd\x4c\x7b\x35\x9a\x89\x88\xf0\x0d\xa8\xf1\x44\x67\x7b\xcd\x18\xf0\xe6\x70/
+  }
+ 
+signature sid-ciac-sk10 {
+  ip-proto == tcp
+  event "CIAC-10 suckit backdoor"
+  payload /.*\xe7\xa7\x74\xb8\xb9\xfe\x9a\x6e\x6c\xe1\xd5\xde\x5f\x5c\xd5\x9d\x49\x69\x9a\xba/
+  }
+
+signature sid-ciac-sk11 {
+  ip-proto == tcp
+  event "CIAC-11 suckit backdoor"
+  payload /.*\x4b\x56\xde\x0c\x47\xbf\x12\x9f\xc7\x24\x40\x64\x5c\xfd\xa8\x2b\xaf\x3f\x09\xc7/
+  }
+
+signature sid-ciac-sk12 {
+  ip-proto == tcp
+  event "CIAC-12 suckit backdoor"
+  payload /\xe1\xac\x20\x5a\xda\x5a\xf7\x0c\x17\x24\x8e\xc2\x0e\xa0\x0b\xee\x7a\x77\xe0\x64/
+  }
+
+signature sid-ciac-sk13 {
+  ip-proto == tcp
+  event "CIAC-13 suckit backdoor"
+  payload /\xc9\xe9\x36\xa1\xce\xae\x10\x3c\x32\x81\xac\x9b\x01\x81\x5a\x68\x01\x91\x82\xa4/
+  }
+
+signature sid-ciac-sk14 {
+  ip-proto == tcp
+  event "CIAC-14 suckit backdoor"
+  payload /\x45\x2e\xe5\x01\x80\xb0\x0a\xca\xdb\x16\xa1\x8f\xc6\xcd\x97\x60\x92\x44\x93\x16/
+  }
+ 
+signature sid-ciac-7 {
+  ip-proto == tcp
+  event "HXDEF 1.0-0.84 backdoor"
+  payload /.*\x01\x9A\x8C\x66\xAF\xC0\x4A\x11\x9E\x3F\x40\x88\x12\x2C\x3A\x4A\x84\x65\x38\xB0\xB4\x08\x0B\xAF\xDB\xCE\x02\x94\x34\x5F\x22\x00*./
+  }
+
+signature sid-ciac-8 {
+  ip-proto == tcp
+  event "HXDEF 0.73 backdoor"
+  payload /.*\x01\xFE\x3C\x6C\x6A\xFF\x99\xA8\x34\x83\x38\x24\xA1\xA4\xF2\x11\x5A\xD3\x18\x8D\xBC\xC4\x3E\x40\x07\xA4\x28\xD4\x18\x48\xFE\x00*./
+}
+
+signature sid-ciac-modrootme-1 {
+  ip-proto == tcp
+  dst-port == http_ports
+  tcp-state established
+  requires-signature ! http_error
+  http /GET root .*/
+}
+
+## end payload 
+
+## misc sigs ##
+signature dest_microsoft_address {
+	dst-ip == 207.46.0.0/16
+}
+
+signature src_microsoft_address {
+	src-ip == 207.46.0.0/16
+}
+
+# experimental phatbot sig
+signature phatbot_sig {
+        ip-proto == tcp
+        dst-port == http_ports
+        http /POST \0x20{1,10}\/ HTTP\/1\.0.*/
+	http /Content-Length: 204800.*/
+        tcp-state established
+	requires-signature ! http_error
+	event "phatbot sig"
+}
+
+signature thinstall_trojan {
+        ip-proto == tcp
+        dst-port == http_ports
+        http /[pP][oO][sS][tT]\x20{1,}\/bi\/servlet\/ThinstallPre/
+        tcp-state established,originator
+        event "ThinstallPre Adware Trojan, personal and machine data theft, successful"
+        # reference: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_REVOP.F&VSect=T
+}
+
+signature bagle-bc {
+	ip-proto == tcp
+	dst-port == http_ports
+	src-ip == local_nets
+	tcp-state established
+	http /[\/][gG]\.[jJ][pP][gG]/
+	event "bagle.bc g.jpg download attempt"
+} 
+
+## end misc ##
+
diff --git a/scripts/s2b/bro-include/sig-functions.bro b/scripts/s2b/bro-include/sig-functions.bro
new file mode 100644
index 0000000000..377b5af395
--- /dev/null
+++ b/scripts/s2b/bro-include/sig-functions.bro
@@ -0,0 +1,278 @@
+# series of functions to be used by the signatures
+#
+
+# we see *allot* of odd patch related traffic to and from M$
+const  MS_ADDR_RANGE: set[subnet] &redef;
+redef MS_ADDR_RANGE = { 207.46.0.0/16 };
+
+# the following are all based on the existance of software.bro
+# being loaded
+@ifdef ( software_table )
+function isApache(state: signature_state): bool
+        {
+        local ip = state$conn$id$resp_h;
+
+        if ( ip !in software_table )
+                return F;
+
+        local softset = software_table[ip];
+
+        if ( "Apache" !in softset )
+                return F;
+
+        return T;
+        }
+
+function isApacheLt12(state: signature_state): bool
+        {
+        local ip = state$conn$id$resp_h;
+                                                                                                                                            
+        if ( ip !in software_table )
+                return F;
+                                                                                                                                            
+        local softset = software_table[ip];
+
+        if ( "Apache" !in softset )
+                return F;
+		
+        local safe_version: software_version =
+                [$major = +1, $minor = +2, $minor2 = +0, $addl = ""];
+
+        if ( software_cmp_version(softset["Apache"]$version, safe_version) >= 0 )
+                return F;
+ 
+        return T;
+        }
+
+function isApacheLt1322(state: signature_state): bool
+        {
+        local ip = state$conn$id$resp_h;
+                                                                                               
+                                                                                               
+        if ( ip !in software_table )
+                return F;
+                                                                                               
+                                                                                               
+        local softset = software_table[ip];
+        
+        if ( "Apache" !in softset )
+                return F;
+		
+        local safe_version: software_version =
+                [$major = +1, $minor = +3, $minor2 = -22, $addl = ""];
+                                                                                               
+        if ( software_cmp_version(softset["Apache"]$version, safe_version) >= 0 )
+                return F;
+                                                                                               
+        return T;
+        }
+
+function isApacheLt1325(state: signature_state): bool
+        {
+        local ip = state$conn$id$resp_h;
+                                                                                               
+                                                                                               
+        if ( ip !in software_table )
+                return F;
+                                                                                               
+                                                                                               
+        local softset = software_table[ip];
+                                                                                               
+        if ( "Apache" !in softset )
+                return F;
+		
+        local safe_version: software_version =
+                [$major = +1, $minor = +3, $minor2 = -25, $addl = ""];
+                                                                                               
+        if ( software_cmp_version(softset["Apache"]$version, safe_version) >= 0 )
+                return F;
+                                                                                               
+        return T;
+        }
+
+
+
+function isNotApache(state: signature_state): bool
+        {
+        local ip = state$conn$id$resp_h;
+ 
+        if ( ip !in software_table )
+                return F;
+ 
+        local softset = software_table[ip];
+ 
+        if ( "Apache" !in softset )
+                return T;
+
+        return F;
+        }
+
+
+function isIIS(state: signature_state): bool
+        {
+        local ip = state$conn$id$resp_h;
+ 
+        if ( ip !in software_table )
+                return F;
+ 
+        local softset = software_table[ip];
+ 
+        if ( "IIS" !in softset )
+                return F;
+
+        return T;
+        }
+
+function isNotIIS(state: signature_state): bool
+        {
+        local ip = state$conn$id$resp_h;
+ 
+        if ( ip !in software_table )
+                return F;
+ 
+        local softset = software_table[ip];
+ 
+        if ( "IIS" !in softset )
+                return T;
+ 
+        return F;
+        }
+
+function isMSIE(state: signature_state): bool
+        {
+        local ip = state$conn$id$resp_h;
+ 
+        if ( ip !in software_table )
+                return F;
+ 
+        local softset = software_table[ip];
+ 
+        if ( "MSIE" !in softset )
+                return F;
+ 
+        return T;
+        }
+
+function isNotMSIE(state: signature_state): bool
+        {
+        local ip = state$conn$id$resp_h;
+
+        if ( ip !in software_table )
+                return F;
+
+        local softset = software_table[ip];
+
+        if ( "MSIE" !in softset )
+                return T;
+
+        return F;
+        }
+
+
+function isMozilla(state: signature_state): bool
+        {
+        local ip = state$conn$id$resp_h;
+
+        if ( ip !in software_table )
+                return F;
+
+        local softset = software_table[ip];
+
+        if ( "Mozilla" !in softset )
+                return F;
+
+        return T;
+        }
+
+function isNotMozilla(state: signature_state): bool
+        {
+        local ip = state$conn$id$resp_h;
+
+        if ( ip !in software_table )
+                return F;
+
+        local softset = software_table[ip];
+
+        if ( "Mozilla" !in softset )
+                return T;
+
+        return F;
+        }
+
+function isRealMedia(state: signature_state): bool
+        {
+        local ip = state$conn$id$resp_h;
+
+        if ( ip !in software_table )
+                return F;
+
+        local softset = software_table[ip];
+
+        if ( "Mozilla" !in softset )
+                return F;
+
+        return T;
+        }
+
+
+@endif
+# end of the software.bro related functions
+
+function dataSizeG50(state: signature_state): bool
+	{
+	local size = state$payload_size;
+
+	if ( size < 50 )
+		return F;
+
+	return T;
+	}
+
+function dataSizeG100(state: signature_state): bool
+        {
+        local size = state$payload_size;
+
+        if ( size < 100 )
+                return F;
+
+        return T;
+        }
+
+function dataSizeG150(state: signature_state): bool
+        {
+        local size = state$payload_size;
+
+        if ( size < 150 )
+                return F;
+
+        return T;
+        }
+
+
+function dataSizeG200(state: signature_state): bool
+        {
+        local size = state$payload_size;
+
+        if ( size < 200 )
+                return F;
+
+        return T;
+        }
+
+
+
+function respInMsNet(state: signature_state): bool
+        {
+	local ip = state$conn$id$resp_h;
+
+	return ip in MS_ADDR_RANGE;
+	}
+
+
+function origInMsNet(state: signature_state): bool
+        {
+        local ip = state$conn$id$orig_h;
+                                                                                                                              
+        return ip in MS_ADDR_RANGE;
+        }
+
diff --git a/scripts/s2b/etc/Makefile.am b/scripts/s2b/etc/Makefile.am
new file mode 100644
index 0000000000..d7aa5fc19b
--- /dev/null
+++ b/scripts/s2b/etc/Makefile.am
@@ -0,0 +1,8 @@
+## Process this file with automake to produce Makefile.in
+
+# include in the dist for now
+EXTRA_DIST = s2b-augment.cfg s2b-ruleset-augment.cfg s2b-sigmap.cfg s2b.cfg
+
+# OR we can install them on a make install 
+#scriptsdir=$(prefix)/etc
+#dist_scripts_SCRIPTS = s2b-augment.cfg s2b-ruleset-augment.cfg s2b-sigmap.cfg s2b.cfg
diff --git a/scripts/s2b/etc/s2b-augment.cfg b/scripts/s2b/etc/s2b-augment.cfg
new file mode 100644
index 0000000000..d7834f3968
--- /dev/null
+++ b/scripts/s2b/etc/s2b-augment.cfg
@@ -0,0 +1,17162 @@
+# $Id: s2b-augment.cfg 797 2004-11-27 20:26:50Z rwinslow $
+
+<augment 1724-6>
+  active T
+  comment WEB-CGI emumail.cgi access
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 2005-10>
+  active T
+  comment RPC portmap kcms_server request UDP
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 1600-6>
+  active T
+  comment WEB-CGI htsearch arbitrary configuration file attempt
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 657-12>
+  active T
+  comment SMTP chameleon overflow
+  comment pcre: /^HELP\s[^\n]{500}/ism
+  payload /((^)|(\n+))[hH][eE][lL][pP][\x20\x09\x0b][^\n]{500}/
+  sigaction SIG_LOG
+  requires-reverse-signature ! smtp_server_fail
+  snort-rule-file s2b_data_on_weed/rules2.1/smtp.rules
+  <delete>
+    payload /.*[hH][eE][lL][pP]/
+  </delete>
+</augment>
+
+<augment 1970-6>
+  active T
+  comment WEB-IIS MDAC Content-Type overflow attempt
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-iis.rules
+</augment>
+
+<augment 333-8>
+  active T
+  comment FINGER . query
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/finger.rules
+</augment>
+
+<augment 818-10>
+  active T
+  comment WEB-CGI dcforum.cgi access
+  comment "informational only"
+  comment "too general but low occurence"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 683-5>
+  active T
+  comment MS-SQL sp_password - password change
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/sql.rules
+</augment>
+
+<augment 1503-8>
+  active T
+  comment WEB-CGI admentor admin.asp access
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 2104-3>
+  active T
+  comment ATTACK-RESPONSES rexec username too long response
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/attack-responses.rules
+</augment>
+
+<augment 1588-8>
+  active T
+  comment WEB-MISC SalesLogix Eviewer access
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 1502-8>
+  active T
+  comment WEB-CGI a1stats a1disp3.cgi access
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1426-5>
+  active T
+  comment SNMP PROTOS test-suite-req-app attempt
+  requires-reverse-signature snmp_userver_ok_return
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/snmp.rules
+</augment>
+
+<augment 2533-5>
+  active T
+  comment "MISC LDAP SSLv3 Server_Hello request"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/misc.rules
+</augment>
+
+<augment 262-6>
+  active T
+  comment "DNS EXPLOIT x86 Linux overflow attempt"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/dns.rules
+</augment>
+
+<augment 1865-4>
+  active T
+  comment "WEB-CGI webdist.cgi arbitrary command attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 2063-1>
+  active T
+  comment "WEB-MISC Demarc SQL injection attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 937-7>
+  active T
+  comment "WEB-FRONTPAGE _vti_rpc access"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-frontpage.rules
+</augment>
+
+<augment 879-7>
+  active T
+  comment "WEB-CGI admin.pl access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1378-14>
+  active T
+  comment "FTP wu-ftp bad file completion attempt {"
+  sigaction SIG_LOG
+  <delete>
+  	payload /.*~.{1}.*\{/
+  </delete>
+  ftp /.{2,} ~.?\{/
+  snort-rule-file snort_rules/rules2.2/ftp.rules
+</augment>
+
+<augment 1107-10>
+  active T
+  comment "WEB-MISC ftp.pl access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 2084-8>
+  active T
+  comment "RPC rpc.xfsmd xfs_export attempt TCP"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 1729-5>
+  active T
+  comment "CHAT IRC channel join"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/chat.rules
+</augment>
+
+<augment 2575-1>
+  active T
+  comment "WEB-PHP Opt-X header.php remote file include attempt"
+  comment pcre: /systempath=(http|https|ftp)/i
+  payload /.*[sS][yY][sS][tT][eE][mM][pP][aA][tT][hH]=([hH][tT]{2}[pP][sS]?)|([fF][tT][pP])/
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-php.rules
+  <delete>
+    payload /.*[sS][yY][sS][tT][eE][mM][pP][aA][tT][hH]=/
+  </delete>
+</augment>
+
+<augment 1000-7>
+  active T
+  comment "WEB-IIS bdir.htr access"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-iis.rules
+</augment>
+
+<augment 1505-7>
+  active T
+  comment "WEB-CGI alchemy http server PRN arbitrary command execution attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 2385-9>
+  active T
+  comment "NETBIOS SMB-DS DCERPC NTLMSSP invalid mechlistMIC attempt"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/netbios.rules
+</augment>
+
+<augment 1675-4>
+  active T
+  comment "ORACLE misparsed login response"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/oracle.rules
+</augment>
+
+<augment 1997-3>
+  active T
+  comment "WEB-PHP read_body.php access attempt"
+  comment "java script squirrel mail exploit: just add to signature "
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-php.rules
+  http /.*[fF][rR][oO][mM]\x3a.*\x3cscript\x3e.*document.cookie.*\x3c\x2fscript\x3e/
+</augment>
+
+<augment 1181-8>
+  active T
+  comment "WEB-MISC Annex Terminal DOS attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 2411-5>
+  active T
+  comment WEB-MISC Real Server DESCRIBE buffer overflow attempt
+  comment "pcre: /^DESCRIBE\s[^\n]{300}/smi"
+  http "/((^)|(\n+))[dD][eE][sS][cC][rR][iI][bB][eE][\x20\x09\x0b][^\n]{300}/"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+  <delete>
+    payload "/.*[dD][eE][sS][cC][rR][iI][bB][eE].{1}.*\.\.\//"
+  </delete>
+</augment>
+
+<augment 1634-11>
+  active T
+  comment POP3 PASS overflow attempt
+  comment "pcre: /^PASS\s[^\n]{50}/smi"
+  payload "/((^)|(\n+))[pP][aA][sS][sS][\x20\x09\x0b][^\n]{50}/"
+  requires-reverse-signature ! pop_return_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/pop3.rules
+  <delete>
+    payload "/.*[pP][aA][sS][sS]/"
+  </delete>
+</augment>
+
+<augment 1960-7>
+  active T
+  comment "RPC portmap NFS request TCP"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 1334-5>
+  active T
+  comment "WEB-ATTACKS echo command attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-attacks.rules
+</augment>
+
+<augment 393-8>
+  active F
+  comment "ICMP Datagram Conversion Error undefined code"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/icmp-info.rules
+</augment>
+
+<augment 401-6>
+  active F
+  comment "ICMP Destination Unreachable Network Unreachable"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/icmp-info.rules
+</augment>
+
+<augment 2143-3>
+  active T
+  comment "WEB-PHP b2 cafelog gm-2-b2.php remote file include attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-php.rules
+</augment>
+
+<augment 461-7>
+  active F
+  comment "ICMP unassigned type 2 undefined code"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/icmp-info.rules
+</augment>
+
+<augment 2081-9>
+  active T
+  comment "RPC portmap rpc.xfsmd request UDP"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 2103-9>
+  active T
+  comment "NETBIOS SMB trans2open buffer overflow attempt"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/netbios.rules
+</augment>
+
+<augment 940-7>
+  active T
+  comment "WEB-FRONTPAGE shtml.dll access"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-frontpage.rules
+</augment>
+
+<augment 335-5>
+  active T
+  comment "FTP .rhosts"
+  requires-reverse-signature ! ftp_server_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/ftp.rules
+  ftp /.*\.rhosts/
+  <delete>
+  	payload /.*\.rhosts/
+  </delete>
+</augment>
+
+<augment 2212-6>
+  active T
+  dst-ip == local_nets
+  http /.*[\/\\]imageFolio\.cgi\?.*<script>/
+  comment "WEB-CGI imageFolio.cgi access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  <delete>
+  	http /.*[\/\\]imageFolio\.cgi/
+  </delete>
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1231-8>
+  active T
+  comment "WEB-MISC VirusWall catinfo access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 1975-6>
+  active T
+  comment FTP DELE overflow attempt
+  comment "pcre: /^DELE\s[^\n]{100}/smi"
+  eval dataSizeG100
+  ftp "/((^)|(\n+))[dD][eE][lL][eE][\x20\x09\x0b][^\n]{100}/"
+  requires-reverse-signature ! ftp_server_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/ftp.rules
+  <delete>
+    payload "/.*[dD][eE][lL][eE]/"
+  </delete>
+</augment>
+
+<augment 426-7>
+  active F
+  comment "ICMP Parameter Problem Missing a Required Option"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/icmp-info.rules
+</augment>
+
+<augment 494-7>
+  active F
+  comment "ATTACK-RESPONSES command completed"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/attack-responses.rules
+</augment>
+
+<augment 1473-5>
+  active T
+  comment "WEB-CGI newsdesk.cgi access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 2026-9>
+  active T
+  comment "RPC yppasswd username overflow attempt TCP"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 1392-10>
+  active T
+  comment "WEB-CGI lastlines.cgi access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1453-5>
+  active T
+  comment "WEB-CGI AT-generated.cgi access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1496-5>
+  active T
+  comment "WEB-CGI spin_client.cgi access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1197-6>
+  active T
+  comment "WEB-PHP Phorum code access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-php.rules
+</augment>
+
+<augment 1887-3>
+  active T
+  comment "MISC OpenSSL Worm traffic"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/misc.rules
+</augment>
+
+<augment 589-8>
+  active T
+  comment "RPC portmap yppasswd request UDP"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 533-8>
+  active T
+  comment "NETBIOS SMB C$ share access"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/netbios.rules
+</augment>
+
+<augment 2530-3>
+  active T
+  comment "IMAP SSLv3 Server_Hello request"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/imap.rules
+</augment>
+
+<augment 1108-10>
+  active T
+  comment "WEB-MISC Tomcat server snoop access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 977-7>
+  active T
+  comment "WEB-IIS .cnf access"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-iis.rules
+</augment>
+
+<augment 1514-9>
+  active T
+  comment "WEB-CGI input2.bat arbitrary command execution attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 396-6>
+  active F
+  comment "ICMP Destination Unreachable Fragmentation Needed and DF bit was set"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/icmp-info.rules
+</augment>
+
+<augment 803-9>
+  active T
+  comment "WEB-CGI HyperSeek hsx.cgi directory traversal attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1268-12>
+  active T
+  comment "RPC portmap pcnfsd request TCP"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 2415-7>
+  active T
+  comment "EXPLOIT ISAKMP second payload initial contact notification without SPI attempt"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/exploit.rules
+</augment>
+
+<augment 1391-7>
+  active T
+  comment "WEB-MISC Phorecast remote code execution attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 2436-2>
+  active F
+  comment "WEB-CLIENT Microsoft wmf metafile access"
+  requires-signature http_msie_client
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-client.rules
+  comment "Informational only"
+</augment>
+
+<augment 1447-11>
+  active T
+  comment "MISC MS Terminal server request RDP"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/misc.rules
+</augment>
+
+<augment 303-11>
+  active T
+  comment "DNS EXPLOIT named tsig overflow attempt"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/dns.rules
+</augment>
+
+<augment 1720-4>
+  active T
+  comment "WEB-CGI talkback.cgi access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 2229-4>
+  active T
+  comment "WEB-PHP viewtopic.php access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  http /.*[sS][uU][bB][sS][Ss][tT][rR][iI][nN][gG]\x28[uU][sS][eE][rR][pP][aA][sS][sS][wW][oO][rR][dD]*./
+  snort-rule-file snort_rules/rules2.2/web-php.rules
+</augment>
+
+<augment 236-6>
+  active T
+  comment "DDOS Stacheldraht client check gag"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/ddos.rules
+</augment>
+
+<augment 1023-9>
+  active T
+  comment "WEB-IIS msadcs.dll access"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-iis.rules
+</augment>
+
+<augment 681-6>
+  active T
+  comment "MS-SQL/SMB xp_cmdshell program execution"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/sql.rules
+</augment>
+
+<augment 1629-6>
+  active T
+  comment "OTHER-IDS SecureNetPro traffic"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/other-ids.rules
+</augment>
+
+<augment 1200-10>
+  active F
+  comment "ATTACK-RESPONSES Invalid URL"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/attack-responses.rules
+</augment>
+
+<augment 2329-6>
+  active T
+  dst-port == 1434
+  dst-ip == local_nets
+  comment "MS-SQL probe response overflow attempt"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/sql.rules
+</augment>
+
+<augment 2019-4>
+  active T
+  comment "RPC mountd UDP dump request"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 956-6>
+  active T
+  comment "WEB-FRONTPAGE register.txt access"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-frontpage.rules
+</augment>
+
+<augment 372-7>
+  active F
+  comment "ICMP PING Delphi-Piette Windows"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/icmp-info.rules
+</augment>
+
+<augment 1190-6>
+  active T
+  comment "WEB-MISC Netscape Enterprise Server directory view"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 676-6>
+  active T
+  comment "MS-SQL/SMB sp_start_job - program execution"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/sql.rules
+</augment>
+
+<augment 2014-5>
+  active T
+  comment "RPC portmap UNSET attempt TCP 111"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 108-6>
+  active T
+  comment "BACKDOOR QAZ Worm Client Login access"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/backdoor.rules
+</augment>
+
+<augment 2056-4>
+  active T
+  comment "WEB-MISC TRACE attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 2068-2>
+  active T
+  comment "WEB-MISC BitKeeper arbitrary command attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 361-12>
+  active T
+  comment "FTP SITE EXEC attempt"
+  requires-reverse-signature ! ftp_server_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/ftp.rules
+</augment>
+
+<augment 586-8>
+  active T
+  comment "RPC portmap selection_svc request UDP"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 549-8>
+  active F
+  comment "P2P napster login"
+  comment "informational only"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/p2p.rules
+</augment>
+
+<augment 1704-5>
+  active T
+  comment "WEB-CGI cal_make.pl directory traversal attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1342-5>
+  active T
+  comment "WEB-ATTACKS gcc command attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-attacks.rules
+</augment>
+
+<augment 2520-5>
+  active T
+  comment "WEB-MISC SSLv3 Client_Hello request"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 1346-5>
+  active F
+  comment "WEB-ATTACKS cpp command attempt"
+  comment "too general"
+  comment "too many false positives"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-attacks.rules
+</augment>
+
+<augment 520-5>
+  active T
+  comment "TFTP root directory"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/tftp.rules
+</augment>
+
+<augment 1870-5>
+  active T
+  comment "WEB-CGI siteUserMod.cgi access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1864-7>
+  active T
+  comment FTP SITE NEWER attempt
+  comment "pcre: /^SITE\s+NEWER/smi"
+  ftp "/((^)|(\n+))[sS][iI][tT][eE][\x20\x09\x0b]+[nN][eE][wW][eE][rR]/"
+  requires-reverse-signature ! ftp_server_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/ftp.rules
+  <delete>
+    payload "/.*[sS][iI][tT][eE].{1}.*[nN][eE][wW][eE][rR]/"
+  </delete>
+</augment>
+
+<augment 1002-6>
+  active T
+  comment "WEB-IIS cmd.exe access"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-iis.rules
+</augment>
+
+<augment 1823-7>
+  active T
+  dst-ip == local_nets
+  http /.*[\/\\](af|alienform)\.cgi\?.*\.\|\./
+  event "WEB-CGI AlienForm directory traversal attempt"
+  comment "WEB-CGI AlienForm af.cgi directory traversal attempt"
+  requires-reverse-signature ! http_error
+  <delete>
+  	event "WEB-CGI AlienForm af.cgi directory traversal attempt"
+  	http /.*[\/\\]af\.cgi/
+  	payload /.*\.\x7C\.\/\.\x7C\./
+  </delete>
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1556-7>
+  active T
+  comment "WEB-CGI DCShop orders.txt access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 2263-6>
+  active T
+  comment SMTP SAML FROM sendmail prescan too many addresses overflow
+  comment "pcre: /^SAML FROM\x3a\s*[^\n]*?<[^\n]*?<[^\n]*?<[^ ..."
+  payload "/((^)|(\n+))[sS][aA][mM][lL] [fF][rR][oO][mM]\x3a[\x20\x09\x0b]*[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?</"
+  sigaction SIG_LOG
+  requires-reverse-signature ! smtp_server_fail
+  snort-rule-file snort_rules/rules2.2/smtp.rules
+  <delete>
+    payload /.*[sS][aA][mM][lL] [fF][rR][oO][mM]\x3A/
+  </delete>
+</augment>
+
+<augment 974-10>
+  active T
+  comment "WEB-IIS Directory transversal attempt"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-iis.rules
+</augment>
+
+<augment 690-7>
+  active T
+  comment "MS-SQL/SMB xp_printstatements possible buffer overflow"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/sql.rules
+</augment>
+
+<augment 1929-5>
+  active F
+  comment "BACKDOOR TCPDUMP/PCAP trojan traffic"
+  comment "Too general.  Ephemeral windows ports match this easily"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/backdoor.rules
+</augment>
+
+<augment 2048-2>
+  active T
+  comment "MISC rsyncd overflow attempt"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/misc.rules
+</augment>
+
+<augment 386-5>
+  active F
+  comment "ICMP Address Mask Reply"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/icmp-info.rules
+</augment>
+
+<augment 1134-7>
+  active T
+  comment "WEB-PHP Phorum admin access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-php.rules
+</augment>
+
+<augment 374-7>
+  active F
+  comment "ICMP PING IP NetMonitor Macintosh"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/icmp-info.rules
+</augment>
+
+<augment 309-9>
+  active T
+  comment "EXPLOIT sniffit overflow"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/exploit.rules
+</augment>
+
+<augment 637-3>
+  active T
+  comment "SCAN Webtrends Scanner UDP Probe"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/scan.rules
+</augment>
+
+<augment 978-11>
+  active T
+  comment "WEB-IIS ASP contents view"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-iis.rules
+</augment>
+
+<augment 1151-5>
+  active T
+  comment "WEB-MISC Domino domcfg.nsf access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 2311-7>
+  active T
+  comment "NETBIOS SMB-DS DCERPC Workstation Service bind attempt"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/netbios.rules
+</augment>
+
+<augment 1955-6>
+  active T
+  comment "RPC AMD TCP version request"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 833-8>
+  active T
+  comment "WEB-CGI rguest.exe access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 883-5>
+  active T
+  comment "WEB-CGI flexform access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 887-6>
+  active T
+  comment "WEB-CGI www-sql access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 588-17>
+  active T
+  comment "RPC portmap ttdbserv request UDP"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 1952-5>
+  active T
+  comment "RPC mountd UDP mount request"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 144-9>
+  active T
+  comment "FTP ADMw0rm ftp login attempt"
+  requires-reverse-signature ! ftp_server_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/ftp.rules
+</augment>
+
+<augment 1039-6>
+  active T
+  comment "WEB-IIS srch.htm access"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-iis.rules
+</augment>
+
+<augment 1146-5>
+  active T
+  comment "WEB-MISC Ecommerce import.txt access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 121-5>
+  active F
+  comment "BACKDOOR Infector 1.6 Client to Server Connection Request"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/backdoor.rules
+</augment>
+
+<augment 2119-5>
+  active T
+  comment IMAP rename literal overflow attempt
+  comment  "pcre: /\sRENAME\s[^\n]*?\s\{/smi"
+  payload "/((^)|(\n+))[\x20\x09\x0b][rR][eE][nN][aA][mM][eE][\x20\x09\x0b][^\n]*?[\x20\x09\x0b]\{/"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/imap.rules
+  <delete>
+    payload "/.*[rR][eE][nN][aA][mM][eE]/"
+  </delete>
+</augment>
+
+<augment 2424-3>
+  active T
+  comment NNTP sendsys overflow attempt
+  comment "pcre: /^sendsys\x3a[^\n]{21}/smi"
+  payload "/((^)|(\n+))[sS][eE][nN][dD][sS][yY][sS]\x3a[^\n]{21}/"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/nntp.rules
+  <delete>
+    payload "/.*[sS][eE][nN][dD][sS][yY][sS]/"
+  </delete>
+</augment>
+
+<augment 370-7>
+  active F
+  comment "ICMP PING BeOS4.x"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/icmp-info.rules
+</augment>
+
+<augment 1050-7>
+  active T
+  comment "WEB-MISC iPlanet GETPROPERTIES attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 967-11>
+  active T
+  comment "WEB-FRONTPAGE dvwssr.dll access"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-frontpage.rules
+</augment>
+
+<augment 1487-4>
+  active T
+  comment "WEB-IIS /iisadmpwd/aexp2.htr access"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-iis.rules
+</augment>
+
+<augment 1861-7>
+  active T
+  comment "WEB-MISC Linksys router default username and password login attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 2348-6>
+  active T
+  comment "NETBIOS SMB-DS DCERPC print spool bind attempt"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/netbios.rules
+</augment>
+
+<augment 1259-5>
+  active T
+  comment "WEB-MISC SWEditServlet access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 1206-10>
+  active T
+  comment "WEB-CGI cachemgr.cgi access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1542-6>
+  active T
+  comment "WEB-CGI cgimail access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 2560-2>
+  active T
+  comment "EXPLOIT Oracle Web Cache MOVE overflow attempt"
+  comment pcre: /^MOVE[^s]{432}/sm
+  payload /((^)|(\n+))MOVE[^s]{432}/
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/exploit.rules
+  <delete>
+    payload /.*MOVE/
+  </delete>
+</augment>
+
+<augment 944-6>
+  active T
+  comment "WEB-FRONTPAGE fpremadm.exe access"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-frontpage.rules
+</augment>
+
+<augment 110-4>
+  active T
+  comment "BACKDOOR netbus getinfo"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/backdoor.rules
+</augment>
+
+<augment 2086-4>
+  active T
+  comment "WEB-CGI streaming server parse_xml.cgi access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1721-4>
+  active T
+  comment "WEB-CGI adcycle access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 2477-3>
+  active T
+  comment "NETBIOS SMB-DS Create AndX Request winreg unicode attempt"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/netbios.rules
+</augment>
+
+<augment 1663-6>
+  active T
+  comment "WEB-MISC *%0a.pl access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 1764-6>
+  active T
+  comment "WEB-CGI Nortel Contivity cgiproc DOS attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1093-10>
+  active T
+  comment "WEB-CGI cached_feed.cgi moreover shopping cart directory traversal"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 264-6>
+  active T
+  comment "DNS EXPLOIT x86 Linux overflow attempt"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/dns.rules
+</augment>
+
+<augment 1859-5>
+  active T
+  comment "WEB-MISC Sun JavaServer default password login attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 804-9>
+  active T
+  comment "WEB-CGI SWSoft ASPSeek Overflow attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1691-3>
+  active T
+  comment "ORACLE ALTER USER attempt"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/oracle.rules
+</augment>
+
+<augment 718-7>
+  active T
+  comment "TELNET login incorrect"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/telnet.rules
+</augment>
+
+<augment 2464-6>
+  active T
+  comment "EXPLOIT EIGRP prefix length overflow attempt"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/exploit.rules
+</augment>
+
+<augment 448-7>
+  active F
+  comment "ICMP Source Quench undefined code"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/icmp-info.rules
+</augment>
+
+<augment 1189-6>
+  active T
+  comment "WEB-MISC Netscape Enterprise Server directory view"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 2248-3>
+  active T
+  comment "WEB-IIS DirectoryListing.asp access"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-iis.rules
+</augment>
+
+<augment 2029-5>
+  active T
+  comment "RPC yppasswd new password overflow attempt UDP"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 865-8>
+  active T
+  comment "WEB-CGI ksh access"
+  requires-reverse-signature ! http_error
+  requires-signature ! http_shell_check
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 921-7>
+  active T
+  comment "WEB-COLDFUSION admin encrypt attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-coldfusion.rules
+</augment>
+
+<augment 1205-6>
+  active T
+  comment "WEB-CGI axs.cgi access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 841-7>
+  active T
+  comment "WEB-CGI pfdisplay.cgi access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 2021-4>
+  active T
+  comment "RPC mountd UDP unmount request"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 219-6>
+  active T
+  comment "BACKDOOR HidePak backdoor attempt"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/backdoor.rules
+</augment>
+
+<augment 686-5>
+  active T
+  comment "MS-SQL xp_reg* - registry access"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/sql.rules
+</augment>
+
+<augment 1939-4>
+  active T
+  comment "MISC bootp hardware address length overflow"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/misc.rules
+</augment>
+
+<augment 638-5>
+  active T
+  comment "SHELLCODE SGI NOOP"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/shellcode.rules
+</augment>
+
+<augment 1828-6>
+  active T
+  comment "WEB-MISC iPlanet Search directory traversal attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 2136-2>
+  active T
+  comment "WEB-MISC philboard_admin.asp authentication bypass attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 1645-6>
+  active T
+  comment "WEB-CGI testcgi access"
+  dst-ip == local_nets
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 624-6>
+  active F
+  comment "SCAN SYN FIN"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/scan.rules
+</augment>
+
+<augment 290-7>
+  active T
+  comment "POP3 EXPLOIT qpopper overflow"
+  requires-reverse-signature ! pop_return_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/pop3.rules
+</augment>
+
+<augment 640-6>
+  active T
+  comment "SHELLCODE AIX NOOP"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/shellcode.rules
+</augment>
+
+<augment 1995-2>
+  active T
+  comment "WEB-CGI alya.cgi access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1411-10>
+  active T
+  comment "SNMP public access udp"
+  requires-reverse-signature snmp_userver_ok_return
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/snmp.rules
+</augment>
+
+<augment 2456-3>
+  active F
+  comment "CHAT Yahoo IM file transfer request"
+  comment "informational only"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/chat.rules
+</augment>
+
+<augment 1524-9>
+  active T
+  comment "WEB-MISC AxisStorpoint CD attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 1661-4>
+  active T
+  comment "WEB-IIS cmd32.exe access"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-iis.rules
+</augment>
+
+<augment 809-11>
+  active T
+  comment "WEB-CGI whois_raw.cgi arbitrary command execution attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 2386-6>
+  active T
+  comment "WEB-IIS NTLM ASN.1 vulnerability scan attempt"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-iis.rules
+</augment>
+
+<augment 272-7>
+  active T
+  comment "DOS IGMP dos attack"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/dos.rules
+</augment>
+
+<augment 2301-4>
+  active T
+  comment "WEB-PHP Advanced Poll booth.php access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-php.rules
+</augment>
+
+<augment 2334-2>
+  active T
+  comment FTP Yak! FTP server default account login attempt
+  comment "pcre: /^USER\s+y049575046/smi"
+  payload "/((^)|(\n+))USER[\x20\x09\x0b]+y049575046/"
+  sigaction SIG_LOG
+  requires-reverse-signature ! ftp_server_error
+  snort-rule-file snort_rules/rules2.2/ftp.rules
+  <delete>
+    payload "/.*[uU][sS][eE][rR]/"
+    payload "/.*[yY]049575046/"
+  </delete>
+</augment>
+
+<augment 1402-4>
+  active T
+  comment "WEB-IIS iissamples access"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-iis.rules
+</augment>
+
+<augment 1243-11>
+  active T
+  comment "WEB-IIS ISAPI .ida attempt"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-iis.rules
+</augment>
+
+<augment 483-5>
+  active F
+  comment "ICMP PING CyberKit 2.2 Windows"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/icmp.rules
+</augment>
+
+<augment 480-5>
+  active F
+  comment "ICMP PING speedera"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/icmp.rules
+</augment>
+
+<augment 316-6>
+  active T
+  comment "EXPLOIT x86 Linux mountd overflow"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/exploit.rules
+</augment>
+
+<augment 2536-3>
+  active T
+  comment "POP3 SSLv3 Server_Hello request"
+  requires-reverse-signature ! pop_return_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/pop3.rules
+</augment>
+
+<augment 618-8>
+  active F
+  comment "SCAN Squid Proxy attempt"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/scan.rules
+</augment>
+
+<augment 1085-8>
+  active T
+  comment "WEB-PHP strings overflow"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-php.rules
+</augment>
+
+<augment 2557-2>
+  active T
+  comment "EXPLOIT Oracle Web Cache LOCK overflow attempt"
+  comment pcre: /^LOCK[^s]{432}/sm
+  payload /((^)|(\n+))LOCK[^s]{432}/
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/exploit.rules
+  <delete>
+    payload /.*LOCK/
+  </delete>
+</augment>
+
+<augment 265-7>
+  active T
+  comment "DNS EXPLOIT x86 Linux overflow attempt ADMv2"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/dns.rules
+</augment>
+
+<augment 2446-4>
+  active T
+  comment "EXPLOIT ICQ SRV_MULTI/SRV_META_USER email overflow attempt"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/exploit.rules
+</augment>
+
+<augment 2453-3>
+  active F
+  comment "CHAT Yahoo IM conference invitation"
+  comment "informational only"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/chat.rules
+</augment>
+
+<augment 832-11>
+  active T
+  comment "WEB-CGI perl.exe access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1587-12>
+  active T
+  comment "WEB-MISC cgitest.exe access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 1575-4>
+  active T
+  comment "WEB-MISC Domino mab.nsf access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 1555-7>
+  active T
+  dst-ip == local_nets
+  comment "WEB-CGI DCShop access"
+  comment "only important if destination is local_nets"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 647-6>
+  active T
+  comment "SHELLCODE sparc setuid 0"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/shellcode.rules
+</augment>
+
+<augment 2514-7>
+  active T
+  comment "NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/netbios.rules
+</augment>
+
+<augment 1232-8>
+  active T
+  comment "WEB-MISC VirusWall catinfo access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 1196-10>
+  active T
+  comment "WEB-CGI SGI InfoSearch fname attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1573-6>
+  active T
+  comment "WEB-CGI cgiforum.pl attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1989-4>
+  active F
+  comment "CHAT MSN file transfer reject"
+  comment "informational only"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/chat.rules
+</augment>
+
+<augment 2505-7>
+  active T
+  comment "WEB-MISC SSLv3 invalid data version attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 1594-10>
+  active T
+  comment "WEB-CGI FormHandler.cgi access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 551-7>
+  active F
+  comment "P2P napster download attempt"
+  comment "informational only"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/p2p.rules
+</augment>
+
+<augment 2080-6>
+  active T
+  comment "RPC portmap nlockmgr request TCP"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 1987-6>
+  active T
+  comment "MISC xfs overflow attempt"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/misc.rules
+</augment>
+
+<augment 699-7>
+  active T
+  comment "MS-SQL xp_printstatements possible buffer overflow"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/sql.rules
+</augment>
+
+<augment 2459-3>
+  active F
+  comment "CHAT Yahoo IM webcam offer invitation"
+  comment "informational only"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/chat.rules
+</augment>
+
+<augment 651-8>
+  active T
+  comment "SHELLCODE x86 stealth NOOP"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/shellcode.rules
+</augment>
+
+<augment 2486-5>
+  active T
+  comment "DOS ISAKMP invalid identification payload attempt"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/dos.rules
+</augment>
+
+<augment 2325-2>
+  active T
+  comment "WEB-IIS VP-ASP ShopDisplayProducts.asp access"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-iis.rules
+</augment>
+
+<augment 1898-8>
+  active T
+  comment "EXPLOIT kadmind buffer overflow attempt"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/exploit.rules
+</augment>
+
+<augment 1215-6>
+  active T
+  comment "WEB-CGI ministats admin access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 2545-4>
+  active T
+  comment "EXPLOIT AFP FPLoginExt username buffer overflow attempt"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/exploit.rules
+</augment>
+
+<augment 1162-7>
+  active T
+  comment "WEB-MISC cart 32 AdminPwd access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 576-8>
+  active T
+  comment "RPC portmap amountd request UDP"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 1714-4>
+  active T
+  comment "WEB-CGI newdesk access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 241-7>
+  active T
+  comment "DDOS shaft synflood"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/ddos.rules
+</augment>
+
+<augment 382-7>
+  active F
+  comment "ICMP PING Windows"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/icmp-info.rules
+</augment>
+
+<augment 2235-5>
+  active T
+  comment "WEB-MISC SpamExcp.dll access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 821-12>
+  active T
+  comment "WEB-CGI imagemap.exe overflow attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 2207-6>
+  active T
+  comment "WEB-CGI fileseek.cgi access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 364-7>
+  active F
+  comment "ICMP IRDP router selection"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/icmp-info.rules
+</augment>
+
+<augment 509-6>
+  active T
+  comment "WEB-MISC PCCS mysql database admin tool access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 825-6>
+  active F
+  comment "WEB-CGI glimpse access"
+  comment "informational only"
+  comment "old signature from 06-01-1999"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1443-4>
+  active T
+  comment "TFTP GET passwd"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/tftp.rules
+</augment>
+
+<augment 1228-6>
+  active T
+  comment "SCAN nmap XMAS"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/scan.rules
+</augment>
+
+<augment 1460-5>
+  active T
+  comment "WEB-CGI bb-histsvc.sh access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 2268-4>
+  active T
+  comment SMTP MAIL FROM sendmail prescan too long addresses overflow
+  comment "pcre: /^MAIL FROM\x3a\s+[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}/smi"
+  payload "/((^)|(\n+))[mM][aA][iI][lL] [fF][rR][oO][mM]:[\x20\x09\x0b]+[a-zA-Z0-9_\x20\x09\x0b@\.]{0,200}\x3b[a-zA-Z0-9_\x20\x09\x0b@\.]{200,}\x3b[a-zA-Z0-9_\x20\x09\x0b@\.]{0,200}/"
+  requires-reverse-signature ! smtp_server_fail
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/smtp.rules
+  <delete>
+    payload /.*[mM][aA][iI][lL] [fF][rR][oO][mM]\x3A/
+  </delete>
+</augment>
+
+<augment 916-7>
+  active T
+  comment "WEB-COLDFUSION getodbcdsn access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-coldfusion.rules
+</augment>
+
+<augment 1547-11>
+  active T
+  comment "WEB-CGI csSearch.cgi arbitrary command execution attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1845-15>
+  active T
+  comment IMAP list literal overflow attempt
+  comment "pcre: /\sLIST\s[^\n]*?\s\{/smi"
+  payload "/((^)|(\n+))[\x20\x09\x0b][lL][iI][sS][tT][\x20\x09\x0b][^\n]*?[\x20\x09\x0b]\{/"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/imap.rules
+  <delete>
+    payload "/.*[lL][iI][sS][tT]/"
+  </delete>
+</augment>
+
+<augment 708-8>
+  active T
+  comment "MS-SQL/SMB xp_enumresultset possible buffer overflow"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/sql.rules
+</augment>
+
+<augment 276-5>
+  active T
+  comment "DOS Real Audio Server"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/dos.rules
+</augment>
+
+<augment 1599-7>
+  active T
+  comment "WEB-CGI search.cgi access"
+  http /.*[\/\\]search\.cgi\?.*letter\=[^\&]*?\.\.[\\\/]/
+  <delete>
+  	http /.*[\/\\]search\.cgi/
+  </delete>
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 2564-4>
+  active T
+  comment "NETBIOS NS lookup short response attempt"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/netbios.rules
+</augment>
+
+<augment 1105-5>
+  active T
+  comment "WEB-MISC BigBrother access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 680-6>
+  active T
+  comment "MS-SQL/SMB sa login failed"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/sql.rules
+</augment>
+
+<augment 1003-7>
+  active T
+  comment "WEB-IIS cmd? access"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-iis.rules
+</augment>
+
+<augment 1356-5>
+  active T
+  comment "WEB-ATTACKS perl execution attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-attacks.rules
+</augment>
+
+<augment 2548-1>
+  active T
+  comment "MISC HP Web JetAdmin setinfo access"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/misc.rules
+</augment>
+
+<augment 675-6>
+  active T
+  comment "MS-SQL xp_setsqlsecurity possible buffer overflow"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/sql.rules
+</augment>
+
+<augment 2222-5>
+  active T
+  comment "WEB-CGI nph-exploitscanget.cgi access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 2218-6>
+  active T
+  dst-ip == local_nets
+  comment "WEB-CGI service.cgi access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1658-7>
+  active T
+  comment "WEB-CGI pagelog.cgi access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1256-8>
+  active T
+  comment "WEB-IIS CodeRed v2 root.exe access"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-iis.rules
+</augment>
+
+<augment 1813-5>
+  active T
+  comment "ICMP digital island bandwidth query"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/icmp.rules
+</augment>
+
+<augment 2251-11>
+  active T
+  comment "NETBIOS DCERPC Remote Activation bind attempt"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/netbios.rules
+</augment>
+
+<augment 422-7>
+  active T
+  comment "ICMP Mobile Registration Reply undefined code"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/icmp-info.rules
+</augment>
+
+<augment 973-10>
+  active T
+  comment "WEB-IIS *.idc attempt"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-iis.rules
+</augment>
+
+<augment 1706-7>
+  active T
+  comment "WEB-CGI echo.bat access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1637-7>
+  active F
+  comment "WEB-CGI yabb access"
+  comment "informational only"
+  comment "old signature from 2000"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1748-7>
+  active F
+  comment "FTP command overflow attempt"
+  requires-reverse-signature ! ftp_server_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/ftp.rules
+</augment>
+
+<augment 868-9>
+  active T
+  comment "WEB-CGI rsh access"
+  requires-reverse-signature ! http_error
+  requires-signature ! http_shell_check
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 424-7>
+  active T
+  comment "ICMP Mobile Registration Request undefined code"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/icmp-info.rules
+</augment>
+
+<augment 2085-4>
+  active T
+  comment "WEB-CGI parse_xml.cgi access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 619-5>
+  active T
+  comment "SCAN cybercop os probe"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/scan.rules
+</augment>
+
+<augment 1732-9>
+  active T
+  comment "RPC portmap rwalld request UDP"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 2403-4>
+  active T
+  comment "NETBIOS SMB Session Setup AndX request unicode username overflow attempt"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/netbios.rules
+</augment>
+
+<augment 610-5>
+  active T
+  comment "RSERVICES rsh root"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/rservices.rules
+</augment>
+
+<augment 1021-11>
+  active T
+  comment "WEB-IIS ism.dll attempt"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-iis.rules
+</augment>
+
+<augment 1307-9>
+  active T
+  dst-ip == local_nets
+  comment "WEB-CGI store.cgi access"
+  comment "verify application is not vulnerable"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 850-5>
+  active T
+  comment "WEB-CGI wais.pl access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 2392-4>
+  active T
+  comment FTP RETR overflow attempt
+  comment "pcre: /^RETR\s[^\n]{100}/smi"
+  eval dataSizeG100
+  ftp "/((^)|(\n+))[rR][eE][tT][rR][\x20\x09\x0b][^\n]{100}/"
+  requires-reverse-signature ! ftp_server_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/ftp.rules
+  <delete>
+    payload "/.*[rR][eE][tT][rR]/"
+  </delete>
+</augment>
+
+<augment 1053-10>
+  active T
+  comment "WEB-CGI ads.cgi command execution attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 920-7>
+  active T
+  comment "WEB-COLDFUSION datasource attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-coldfusion.rules
+</augment>
+
+<augment 1590-7>
+  active T
+  comment "WEB-CGI faqmanager.cgi arbitrary file access attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1755-14>
+  active T
+  comment IMAP partial body buffer overflow attempt
+  comment pcre: /\sPARTIAL.*BODY\[[^\]]{1024}/smi
+  payload "/((^)|(\n+))[\x20\x09\x0b][pP][aA][rR][tT][iI][aA][lL].*[bB][oO][dD][yY]\[[^\]]{1024}/"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/imap.rules
+  <delete>
+    payload "/.*[pP][aA][rR][tT][iI][aA][lL].*.*[bB][oO][dD][yY]\[/"
+  </delete>
+</augment>
+
+<augment 1852-3>
+  active F
+  comment "WEB-MISC robots.txt access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 924-7>
+  active T
+  comment "WEB-COLDFUSION admin decrypt attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-coldfusion.rules
+</augment>
+
+<augment 2225-1>
+  active T
+  comment "WEB-CGI gozila.cgi access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1125-8>
+  active T
+  comment "WEB-MISC webcart access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 612-6>
+  active T
+  comment "RPC rusers query UDP"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 228-3>
+  active T
+  comment "DDOS TFN client command BE"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/ddos.rules
+</augment>
+
+<augment 1182-17>
+  active T
+  comment "WEB-MISC cgitest.exe attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 696-7>
+  active T
+  comment "MS-SQL/SMB xp_showcolv possible buffer overflow"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/sql.rules
+</augment>
+
+<augment 356-5>
+  active T
+  comment "FTP passwd retrieval attempt"
+  requires-reverse-signature ! ftp_server_error
+  sigaction SIG_LOG
+  <delete>
+  	payload /.*passwd/
+  </delete>
+  payload /[\x20\x09\x0b\/.]*passwd[\x20\x09\x0b]*$/
+  snort-rule-file snort_rules/rules2.2/ftp.rules
+</augment>
+
+<augment 1251-6>
+  active T
+  comment "INFO TELNET Bad Login"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/info.rules
+</augment>
+
+<augment 704-6>
+  active T
+  comment "MS-SQL xp_sprintf possible buffer overflow"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/sql.rules
+</augment>
+
+<augment 2145-3>
+  active T
+  comment "WEB-PHP TextPortal admin.php default password admin attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-php.rules
+</augment>
+
+<augment 239-2>
+  active T
+  comment "DDOS shaft handler to agent"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/ddos.rules
+</augment>
+
+<augment 1895-8>
+  active T
+  comment "EXPLOIT kadmind buffer overflow attempt"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/exploit.rules
+</augment>
+
+<augment 2079-6>
+  active T
+  comment "RPC portmap nlockmgr request UDP"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 986-6>
+  active T
+  comment "WEB-IIS MSProxy access"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-iis.rules
+</augment>
+
+<augment 942-6>
+  active T
+  comment "WEB-FRONTPAGE orders.htm access"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-frontpage.rules
+</augment>
+
+<augment 1458-6>
+  active T
+  comment "WEB-CGI user_update_passwd.pl access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 2217-6>
+  active T
+  comment "WEB-CGI printmail.cgi access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1752-4>
+  active T
+  comment "MISC AIM AddExternalApp attempt"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/misc.rules
+</augment>
+
+<augment 957-6>
+  active T
+  comment "WEB-FRONTPAGE registrations.txt access"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-frontpage.rules
+</augment>
+
+<augment 945-6>
+  active T
+  comment "WEB-FRONTPAGE fpadmin.htm access"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-frontpage.rules
+</augment>
+
+<augment 1572-7>
+  active T
+  comment "WEB-CGI commerce.cgi arbitrary file access attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 261-6>
+  active T
+  comment "DNS EXPLOIT named overflow attempt"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/dns.rules
+</augment>
+
+<augment 1068-6>
+  active T
+  comment "WEB-MISC tftp attempt"
+  requires-reverse-signature ! http_error
+  http /.*[tT][fF][tT][pP]\.[eE][xX][eE]/
+  <delete>
+  	payload /.*[tT][fF][tT][pP]\.[eE][xX][eE]/
+  </delete>
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 1326-6>
+  active T
+  comment "EXPLOIT ssh CRC32 overflow NOOP"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/exploit.rules
+</augment>
+
+<augment 2537-3>
+  active T
+  comment "POP3 SSLv3 invalid Client_Hello attempt"
+  requires-reverse-signature ! pop_return_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/pop3.rules
+</augment>
+
+<augment 2438-3>
+  active T
+  comment "WEB-CLIENT RealPlayer playlist file URL overflow attempt"
+  comment pcre: /^file\x3a\x2f\x2f[^\n]{400}/smi
+  payload /((^)|(\n+))[fF][iI][lL][eE]\x3a\x2f\x2f[^\n]{400}/
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-client.rules
+  <delete>
+    payload /.*[fF][iI][lL][eE]\x3A\/\//
+  </delete>
+</augment>
+
+<augment 580-9>
+  active T
+  comment "RPC portmap nisd request UDP"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 2372-2>
+  active F
+  comment "WEB-PHP Photopost PHP Pro showphoto.php access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-php.rules
+</augment>
+
+<augment 2441-3>
+  active T
+  comment WEB-MISC NetObserve authentication bypass attempt
+  comment pcre: /^Cookie\x3a[^\n]*?login=0/smi
+  http /((^)|(\n+))[cC][oO][oO][kK][iI][eE]\x3a[^\n]*?[lL][oO][gG][iI][nN]=0/
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+  <delete>
+    payload /.*[lL][oO][gG][iI][nN]=0/
+    payload /.*[cC][oO][oO][kK][iI][eE]\x3A/
+  </delete>
+</augment>
+
+<augment 653-8>
+  active T
+  comment "SHELLCODE x86 unicode NOOP"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/shellcode.rules
+</augment>
+
+<augment 2418-3>
+  active T
+  comment "MISC MS Terminal Server no encryption session initiation attmept"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/misc.rules
+</augment>
+
+<augment 1664-5>
+  active T
+  comment "WEB-MISC mkplog.exe access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 221-3>
+  active T
+  comment "DDOS TFN Probe"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/ddos.rules
+</augment>
+
+<augment 2554-2>
+  active T
+  comment "EXPLOIT Oracle Web Cache POST overflow attempt"
+  comment pcre: /^POST[^s]{432}/sm
+  payload /((^)|(\n+))POST[^s]{432}/
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/exploit.rules
+  <delete>
+    payload /.*POST/
+  </delete>
+</augment>
+
+<augment 1986-4>
+  active F
+  comment "CHAT MSN file transfer request"
+  comment "informational only"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/chat.rules
+</augment>
+
+<augment 2300-4>
+  active T
+  comment "WEB-PHP Advanced Poll admin_tpl_new.php access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-php.rules
+</augment>
+
+<augment 1261-10>
+  active T
+  comment "EXPLOIT AIX pdnsd overflow"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/exploit.rules
+</augment>
+
+<augment 1531-6>
+  active T
+  comment "WEB-CGI bb-hist.sh attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 404-6>
+  active F
+  comment "ICMP Destination Unreachable Protocol Unreachable"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/icmp-info.rules
+</augment>
+
+<augment 2115-2>
+  active T
+  comment "WEB-CGI album.pl access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1598-7>
+  active T
+  comment "WEB-CGI Home Free search.cgi directory traversal attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1700-8>
+  active F
+  comment "WEB-CGI imagemap.exe access"
+  comment "informational only"
+  comment "old signature from 10-22-1999"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1064-6>
+  active T
+  comment "WEB-MISC wsh attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 1882-10>
+  active T
+  comment "ATTACK-RESPONSES id check returned userid"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/attack-responses.rules
+</augment>
+
+<augment 1412-13>
+  active T
+  comment "SNMP public access tcp"
+  requires-reverse-signature snmp_userver_ok_return
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/snmp.rules
+</augment>
+
+<augment 2190-3>
+  active T
+  comment "NETBIOS DCERPC invalid bind attempt"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/netbios.rules
+</augment>
+
+<augment 578-8>
+  active T
+  comment "RPC portmap cmsd request UDP"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 1208-6>
+  active T
+  comment "WEB-CGI responder.cgi access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 2524-7>
+  active T
+  comment "NETBIOS DCERPC LSASS direct bind attempt"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/netbios.rules
+</augment>
+
+<augment 153-5>
+  active T
+  comment "BACKDOOR DonaldDick 1.53 Traffic"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/backdoor.rules
+</augment>
+
+<augment 2495-5>
+  active T
+  comment "NETBIOS SMB DCEPRC ORPCThis request flood attempt"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/netbios.rules
+</augment>
+
+<augment 2053-2>
+  active F
+  comment "WEB-CGI proces_bug.cgi access"
+  comment "informational only"
+  comment "not exploit worthy"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 2238-5>
+  active T
+  comment "WEB-MISC WebLogic ConsoleHelp view source attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 2324-2>
+  active T
+  comment "WEB-IIS VP-ASP shopsearch.asp access"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-iis.rules
+</augment>
+
+<augment 1409-10>
+  active T
+  comment "SNMP community string buffer overflow attempt"
+  requires-reverse-signature snmp_userver_ok_return
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/snmp.rules
+</augment>
+
+<augment 2124-3>
+  active T
+  comment "BACKDOOR Remote PC Access connection attempt"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/backdoor.rules
+</augment>
+
+<augment 1123-9>
+  active T
+  comment "WEB-MISC ?PageServices access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 591-10>
+  active T
+  comment "RPC portmap ypupdated request TCP"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 2155-5>
+  active T
+  comment "WEB-PHP ttforum remote file include attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-php.rules
+</augment>
+
+<augment 357-5>
+  active T
+  comment "FTP piss scan"
+  requires-reverse-signature ! ftp_server_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/ftp.rules
+</augment>
+
+<augment 622-6>
+  active T
+  comment "SCAN ipEye SYN scan"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/scan.rules
+</augment>
+
+<augment 643-7>
+  active F
+  comment "SHELLCODE HP-UX NOOP"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/shellcode.rules
+</augment>
+
+<augment 908-8>
+  active T
+  comment "WEB-COLDFUSION administrator access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-coldfusion.rules
+</augment>
+
+<augment 106-8>
+  active T
+  comment "BACKDOOR ACKcmdC trojan scan"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/backdoor.rules
+</augment>
+
+<augment 716-10>
+  active F
+  comment "TELNET access"
+  comment "informational only"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/telnet.rules
+</augment>
+
+<augment 2401-4>
+  active T
+  comment "NETBIOS SMB Session Setup AndX request username overflow attempt"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/netbios.rules
+</augment>
+
+<augment 1154-5>
+  active T
+  comment "WEB-MISC Domino names.nsf access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 1046-6>
+  active T
+  comment "WEB-IIS site/iisamples access"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-iis.rules
+</augment>
+
+<augment 2261-4>
+  active T
+  comment SMTP SEND FROM sendmail prescan too many addresses overflow
+  comment "pcre: /^SEND FROM\x3a\s*[^\n]*?<[^\n]* ..."
+  payload "/((^)|(\n+))[sS][eE][nN][dD] [fF][rR][oO][mM]\x3a[\x20\x09\x0b]*[^\n]*?<[^\n]*? <[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*? <[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*? <[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*? <[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*? <[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?</"
+  sigaction SIG_LOG
+  requires-reverse-signature ! smtp_server_fail
+  snort-rule-file snort_rules/rules2.2/smtp.rules
+  <delete>
+    payload /.*[sS][eE][nN][dD] [fF][rR][oO][mM]\x3A/
+  </delete>
+</augment>
+
+<augment 1998-4>
+  active F
+  comment "WEB-PHP calendar.php access"
+  comment "informational only"
+  comment "too general"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-php.rules
+</augment>
+
+<augment 390-5>
+  active T
+  comment "ICMP Alternate Host Address"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/icmp-info.rules
+</augment>
+
+<augment 1515-9>
+  active T
+  comment "WEB-CGI input2.bat access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1734-16>
+  active T
+  comment FTP USER overflow attempt
+  comment "pcre: /^USER\s[^\n]{100}/smi"
+  eval dataSizeG100
+  ftp "/((^)|(\n+))[uU][sS][eE][rR][\x20\x09\x0b][^\n]{100}/"
+  requires-reverse-signature ! ftp_server_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/ftp.rules
+  <delete>
+    payload "/.*[uU][sS][eE][rR]/"
+  </delete>
+</augment>
+
+<augment 2006-10>
+  active T
+  comment "RPC portmap kcms_server request TCP"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 1080-13>
+  active T
+  comment "WEB-MISC unify eWave ServletExec upload"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 2547-2>
+  active T
+  comment "MISC HP Web JetAdmin remote file upload attempt"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/misc.rules
+</augment>
+
+<augment 1041-6>
+  active T
+  comment "WEB-IIS uploadn.asp access"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-iis.rules
+</augment>
+
+<augment 2210-5>
+  active T
+  comment "WEB-CGI global.cgi access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 2183-5>
+  active F
+  comment "Sendmail SMTP Content-Transfer-Encoding overflow attempt"
+  requires-reverse-signature ! smtp_server_fail
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/smtp.rules
+  comment "Fair amount of false positives, haven't found a way to fill this out to make it more accurate"
+  comment "Released on 2003-03-30"
+</augment>
+
+<augment 1840-5>
+  active T
+  comment "WEB-CLIENT Javascript document.domain attempt"
+  requires-signature http_msie_client
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-client.rules
+</augment>
+
+<augment 1351-5>
+  active T
+  comment "WEB-ATTACKS bin/tclsh execution attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-attacks.rules
+</augment>
+
+<augment 806-11>
+  active T
+  comment "WEB-CGI yabb directory traversal attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1881-6>
+  active T
+  comment "WEB-MISC bad HTTP/1.1 request, Potential worm attack"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 1372-5>
+  active T
+  comment "WEB-ATTACKS /etc/shadow access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-attacks.rules
+  comment "Many false positives are possible"
+  payload /.*\/[eE][tT][cC]\/[sS][hH][aA][dD][oO][wW].{1,}root:.*:.*:.*:.*:.*:.*:/
+  <delete>
+  	payload /.*\/[eE][tT][cC]\/[sS][hH][aA][dD][oO][wW]/
+  </delete>
+</augment>
+
+<augment 1418-11>
+  active T
+  comment "SNMP request tcp"
+  requires-reverse-signature snmp_tserver_ok_return
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/snmp.rules
+</augment>
+
+<augment 2230-5>
+  active T
+  comment "WEB-MISC NetGear router default password login attempt admin/password"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 1508-5>
+  active T
+  comment "WEB-CGI alibaba.pl access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1760-3>
+  active T
+  comment "OTHER-IDS ISS RealSecure 6 event collector connection attempt"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/other-ids.rules
+</augment>
+
+<augment 1043-7>
+  active T
+  comment "WEB-IIS viewcode.asp access"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-iis.rules
+</augment>
+
+<augment 678-6>
+  active T
+  comment "MS-SQL/SMB sp_delete_alert log file deletion"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/sql.rules
+</augment>
+
+<augment 950-7>
+  active T
+  comment "WEB-FRONTPAGE cfgwiz.exe access"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-frontpage.rules
+</augment>
+
+<augment 1042-8>
+  active T
+  comment "WEB-IIS view source via translate header"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-iis.rules
+</augment>
+
+<augment 1444-3>
+  active T
+  comment "TFTP Get"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/tftp.rules
+</augment>
+
+<augment 1582-4>
+  active T
+  comment "WEB-MISC Domino collect4.nsf access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 1099-6>
+  active T
+  comment "WEB-MISC cybercop scan"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 614-7>
+  active T
+  comment "BACKDOOR hack-a-tack attempt"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/backdoor.rules
+</augment>
+
+<augment 2003-6>
+  active F
+  comment "MS-SQL Worm propagation attempt"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/sql.rules
+</augment>
+
+<augment 1474-7>
+  active T
+  comment "WEB-CGI cal_make.pl access"
+  requires-reverse-signature ! http_error
+  http /.*[\/\\]cal_make\.pl(\.\.\/){2,}/
+  <delete>
+  	http /.*[\/\\]cal_make\.pl/
+  </delete>
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 689-6>
+  active T
+  comment "MS-SQL/SMB xp_reg* registry access"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/sql.rules
+</augment>
+
+<augment 411-5>
+  active F
+  comment "ICMP IPV6 I-Am-Here"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/icmp-info.rules
+</augment>
+
+<augment 2382-8>
+  active T
+  comment "NETBIOS SMB NTLMSSP invalid mechtype attempt"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/netbios.rules
+</augment>
+
+<augment 2402-5>
+  active T
+  comment "NETBIOS SMB-DS Session Setup AndX request username overflow attempt"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/netbios.rules
+</augment>
+
+<augment 2573-1>
+  active T
+  comment "WEB-IIS SmarterTools SmarterMail frmCompose.asp access"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-iis.rules
+</augment>
+
+<augment 1212-5>
+  active T
+  comment "WEB-MISC Admin_files access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 2243-4>
+  active T
+  comment "WEB-MISC ndcgi.exe access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 642-6>
+  active T
+  comment "SHELLCODE HP-UX NOOP"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/shellcode.rules
+</augment>
+
+<augment 2028-5>
+  active T
+  comment "RPC yppasswd old password overflow attempt TCP"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 1294-10>
+  active T
+  comment "NETBIOS nimda .nws"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/netbios.rules
+</augment>
+
+<augment 1305-6>
+  active T
+  comment "WEB-CGI txt2html.cgi directory traversal attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 882-5>
+  active F
+  comment "WEB-CGI calendar access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 994-7>
+  active T
+  comment "WEB-IIS /scripts/iisadmin/default.htm access"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-iis.rules
+</augment>
+
+<augment 906-7>
+  active T
+  comment "WEB-COLDFUSION getfile.cfm access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-coldfusion.rules
+</augment>
+
+<augment 1914-10>
+  active T
+  comment "RPC STATD TCP stat mon_name format string exploit attempt"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 1226-4>
+  active T
+  comment "X11 xopen"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/x11.rules
+</augment>
+
+<augment 605-6>
+  active T
+  comment "RSERVICES rlogin login failure"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/rservices.rules
+</augment>
+
+<augment 685-5>
+  active T
+  comment "MS-SQL sp_adduser - database user creation"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/sql.rules
+</augment>
+
+<augment 1740-5>
+  active T
+  comment "WEB-PHP DNSTools authentication bypass attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-php.rules
+</augment>
+
+<augment 2318-3>
+  active T
+  comment MISC CVS non-relative path access attempt
+  comment "pcre: m?^Argument\s+/?smi,/^Directory/smiR"
+  payload "/((^)|(\n+))[aA][Rr][Gg][Uu}[Mm][Ee][Nn][Tt][\x20\x09\x0b]]+/"
+  payload "/.*[Dd][Ii][Rr][Ee][Cc][Tt][Oo][Rr][Yy]/"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/misc.rules
+  <delete>
+    payload "/.*Argument/"
+  </delete>
+</augment>
+
+<augment 185-5>
+  active T
+  comment "BACKDOOR CDK"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/backdoor.rules
+</augment>
+
+<augment 1940-3>
+  active T
+  comment "MISC bootp invalid hardware type"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/misc.rules
+</augment>
+
+<augment 152-6>
+  active T
+  comment "BACKDOOR BackConstruction 2.1 Connection"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/backdoor.rules
+</augment>
+
+<augment 623-5>
+  active F
+  comment "SCAN NULL"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/scan.rules
+</augment>
+
+<augment 1276-14>
+  active T
+  comment "RPC portmap ypserv request TCP"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 141-5>
+  active F
+  comment "BACKDOOR HackAttack 1.20 Connect"
+  comment "too many false positives as this is in the Linux ephemeral range"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/backdoor.rules
+</augment>
+
+<augment 1415-9>
+  active T
+  comment "SNMP Broadcast request"
+  requires-reverse-signature snmp_userver_ok_return
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/snmp.rules
+</augment>
+
+<augment 1770-3>
+  active T
+  comment "WEB-MISC .FBCIndex access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 1639-6>
+  active T
+  comment "CHAT IRC DCC file transfer request"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/chat.rules
+</augment>
+
+<augment 1272-10>
+  active T
+  comment "RPC portmap sadmind request TCP"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 1640-6>
+  active T
+  comment "CHAT IRC DCC chat request"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/chat.rules
+</augment>
+
+<augment 698-8>
+  active T
+  comment "MS-SQL/SMB xp_proxiedmetadata possible buffer overflow"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/sql.rules
+</augment>
+
+<augment 2413-7>
+  active T
+  comment "EXPLOIT ISAKMP delete hash with empty hash attempt"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/exploit.rules
+</augment>
+
+<augment 1430-7>
+  active T
+  comment "TELNET Solaris memory mismanagement exploit attempt"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/telnet.rules
+</augment>
+
+<augment 2200-6>
+  active T
+  comment "WEB-CGI dnewsweb.cgi access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1088-9>
+  active T
+  dst-ip == local_nets
+  comment "WEB-CGI eXtropia webstore directory traversal"
+  requires-reverse-signature ! http_error
+  <delete>
+  	http /.*[\/\\]web_store\.cgi/
+  	payload /.*page=\.\.\//
+  </delete>
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1263-11>
+  active T
+  comment "RPC portmap amountd request TCP"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 354-5>
+  active T
+  comment "FTP iss scan"
+  requires-reverse-signature ! ftp_server_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/ftp.rules
+</augment>
+
+<augment 1766-7>
+  active T
+  comment "WEB-MISC search.dll directory listing attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 1363-5>
+  active T
+  comment "WEB-ATTACKS X application to remote host attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-attacks.rules
+</augment>
+
+<augment 1386-8>
+  active T
+  comment "MS-SQL/SMB raiserror possible buffer overflow"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/sql.rules
+</augment>
+
+<augment 2211-5>
+  active T
+  comment "WEB-CGI guestserver.cgi access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 827-7>
+  active T
+  comment "WEB-CGI info2www access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1595-10>
+  active T
+  comment "WEB-IIS htimage.exe access"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-iis.rules
+</augment>
+
+<augment 1194-8>
+  active T
+  comment "WEB-CGI sojourn.cgi File attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 608-5>
+  active T
+  comment "RSERVICES rsh echo + +"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/rservices.rules
+</augment>
+
+<augment 481-5>
+  active T
+  comment "ICMP TJPingPro1.1Build 2 Windows"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/icmp.rules
+</augment>
+
+<augment 939-6>
+  active T
+  comment "WEB-FRONTPAGE posting"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-frontpage.rules
+</augment>
+
+<augment 1610-11>
+  active T
+  comment "WEB-CGI formmail arbitrary command execution attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+  http /.*[\/\\]formmail{0,5}\?/
+  <delete>
+  	http /.*[\/\\]formmail/
+  </delete>
+</augment>
+
+<augment 2061-4>
+  active T
+  comment "WEB-MISC Tomcat null byte directory listing attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 817-10>
+  active T
+  comment "WEB-CGI dcboard.cgi invalid user addition attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 501-4>
+  active T
+  comment "MISC source route lssre"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/misc.rules
+</augment>
+
+<augment 388-5>
+  active T
+  comment "ICMP Address Mask Request"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/icmp-info.rules
+</augment>
+
+<augment 625-6>
+  active F
+  comment "SCAN XMAS"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/scan.rules
+</augment>
+
+<augment 1193-10>
+  active T
+  comment "WEB-MISC oracle web arbitrary command execution attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 1545-7>
+  active T
+  comment "DOS Cisco attempt"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/dos.rules
+</augment>
+
+<augment 2458-3>
+  active F
+  comment "CHAT Yahoo IM successful chat join"
+  comment "informational only"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/chat.rules
+</augment>
+
+<augment 232-5>
+  active T
+  comment "DDOS Trin00 Daemon to Master *HELLO* message detected"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/ddos.rules
+</augment>
+
+<augment 1062-6>
+  active T
+  comment "WEB-MISC nc.exe attempt"
+  comment "sig too general - add some clarity.  remove if noise continues"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+  http /.*[nN][cC]\.[eE][xX][eE]\x20.{5}/
+  <delete>
+	payload /.*[nN][cC]\.[eE][xX][eE]/
+  </delete>
+</augment>
+
+<augment 935-6>
+  active T
+  comment "WEB-COLDFUSION startstop DOS access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-coldfusion.rules
+</augment>
+
+<augment 2376-3>
+  active T
+  comment "EXPLOIT ISAKMP first payload certificate request length overflow attempt"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/exploit.rules
+</augment>
+
+<augment 2180-2>
+  active F
+  comment "P2P BitTorrent announce request"
+  comment "informational only"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/p2p.rules
+</augment>
+
+<augment 2443-4>
+  active T
+  comment "EXPLOIT ICQ SRV_MULTI/SRV_META_USER first name overflow attempt"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/exploit.rules
+</augment>
+
+<augment 1856-7>
+  active T
+  comment "DDOS Stacheldraht handler->agent ficken"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/ddos.rules
+</augment>
+
+<augment 1254-8>
+  active T
+  comment "WEB-PHP PHPLIB remote command attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-php.rules
+</augment>
+
+<augment 1536-8>
+  active T
+  comment "WEB-CGI calendar_admin.pl arbitrary command execution attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1224-10>
+  active T
+  comment "WEB-MISC ROADS search.pl attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 853-9>
+  active F
+  comment "WEB-CGI wrap access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+  comment "informational only"
+</augment>
+
+<augment 1433-5>
+  active T
+  comment "WEB-MISC .history access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 1157-7>
+  active T
+  comment "WEB-MISC Netscape PublishingXpert access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 1269-10>
+  active T
+  comment "RPC portmap rexd request TCP"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 1048-9>
+  active T
+  comment "WEB-MISC Netscape Enterprise directory listing attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 145-5>
+  active T
+  comment "BACKDOOR GirlFriendaccess"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/backdoor.rules
+</augment>
+
+<augment 641-6>
+  active T
+  comment "SHELLCODE Digital UNIX NOOP"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/shellcode.rules
+</augment>
+
+<augment 1394-5>
+  active T
+  comment "SHELLCODE x86 NOOP"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/shellcode.rules
+</augment>
+
+<augment 2572-2>
+  active T
+  comment "WEB-IIS SmarterTools SmarterMail login.aspx buffer overflow attempt"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-iis.rules
+</augment>
+
+<augment 1814-6>
+  active T
+  comment "WEB-MISC CISCO VoIP DOS ATTEMPT"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 1343-5>
+  active T
+  comment "WEB-ATTACKS /usr/bin/cc command attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-attacks.rules
+</augment>
+
+<augment 184-6>
+  active F
+  comment "BACKDOOR Q access"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/backdoor.rules
+</augment>
+
+<augment 2227-2>
+  active T
+  comment "WEB-PHP forum_details.php access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-php.rules
+</augment>
+
+<augment 1843-6>
+  active T
+  comment "BACKDOOR trinity connection attempt"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/backdoor.rules
+</augment>
+
+<augment 446-7>
+  active T
+  comment "ICMP SKIP undefined code"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/icmp-info.rules
+</augment>
+
+<augment 2196-6>
+  active F
+  comment "WEB-CGI catgy.cgi access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1534-8>
+  active T
+  comment "WEB-CGI agora.cgi attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1958-5>
+  active T
+  comment "RPC sadmind TCP PING"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 104-7>
+  active T
+  comment "BACKDOOR - Dagger_1.4.0_client_connect"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/backdoor.rules
+</augment>
+
+<augment 2015-5>
+  active T
+  comment "RPC portmap UNSET attempt UDP 111"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 1710-4>
+  active T
+  comment "WEB-CGI bbs_forum.cgi access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 519-6>
+  active T
+  comment "TFTP parent directory"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/tftp.rules
+</augment>
+
+<augment 1344-5>
+  active T
+  comment "WEB-ATTACKS cc command attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-attacks.rules
+</augment>
+
+<augment 1792-8>
+  active T
+  comment NNTP return code buffer overflow attempt
+  comment "pcre: /^200\s[^\n]{64}/smi"
+  payload "/((^)|(\n+))200[\x20\x09\x0b][^\n]{64}/"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/nntp.rules
+  <delete>
+   payload "/.*200/"
+  </delete>
+</augment>
+
+<augment 2481-3>
+  active T
+  comment "NETBIOS SMB-DS DCERPC shutdown unicode little endian attempt"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/netbios.rules
+</augment>
+
+<augment 2467-3>
+  active T
+  comment "NETBIOS SMB D$ share unicode access"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/netbios.rules
+</augment>
+
+<augment 429-6>
+  active T
+  comment "ICMP Photuris Reserved"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/icmp-info.rules
+</augment>
+
+<augment 1338-6>
+  active T
+  comment "WEB-ATTACKS chown command attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-attacks.rules
+  http /.*\/[cC][hH][oO][wW][nN]([^-a-zA-Z0-9_.]|$)/
+  <delete>
+  	payload /.*\/[cC][hH][oO][wW][nN]/
+  </delete>
+</augment>
+
+<augment 445-5>
+  active T
+  comment "ICMP SKIP"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/icmp-info.rules
+</augment>
+
+<augment 1511-9>
+  active T
+  comment "WEB-CGI test.bat access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1214-5>
+  active F
+  comment "WEB-MISC intranet access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 1222-9>
+  active T
+  comment "WEB-CGI pals-cgi arbitrary file access attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1860-4>
+  active T
+  comment "WEB-MISC Linksys router default password login attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 1303-7>
+  active T
+  comment "WEB-MISC cs.exe access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 2049-2>
+  active F
+  comment "MS-SQL ping attempt"
+  src-port != 53
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/sql.rules
+  comment Informational only
+</augment>
+
+<augment 1422-10>
+  active T
+  comment "SNMP community string buffer overflow attempt with evasion"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/snmp.rules
+</augment>
+
+<augment 1932-3>
+  active T
+  comment "WEB-CGI rpc-smb.pl access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1455-5>
+  active F
+  comment "WEB-CGI calender.pl access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 292-8>
+  active T
+  comment "EXPLOIT x86 Linux samba overflow"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/exploit.rules
+</augment>
+
+<augment 1678-5>
+  active T
+  comment "ORACLE select like '%' attempt backslash escaped"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/oracle.rules
+</augment>
+
+<augment 157-5>
+  active T
+  comment "BACKDOOR BackConstruction 2.1 Client FTP Open Request"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/backdoor.rules
+</augment>
+
+<augment 1633-6>
+  active F
+  comment "CHAT AIM receive message"
+  comment "informational only"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/chat.rules
+</augment>
+
+<augment 244-3>
+  active T
+  comment "DDOS mstream handler to agent"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/ddos.rules
+</augment>
+
+<augment 1350-5>
+  active F
+  comment "WEB-ATTACKS python access attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-attacks.rules
+</augment>
+
+<augment 1327-7>
+  active T
+  comment "EXPLOIT ssh CRC32 overflow"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/exploit.rules
+</augment>
+
+<augment 391-8>
+  active T
+  comment "ICMP Alternate Host Address undefined code"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/icmp-info.rules
+</augment>
+
+<augment 844-7>
+  active T
+  comment "WEB-CGI args.bat access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 2379-3>
+  active T
+  comment "EXPLOIT ISAKMP forth payload certificate request length overflow attempt"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/exploit.rules
+</augment>
+
+<augment 358-5>
+  active T
+  comment "FTP saint scan"
+  requires-reverse-signature ! ftp_server_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/ftp.rules
+</augment>
+
+<augment 719-7>
+  active T
+  comment "TELNET root login"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/telnet.rules
+</augment>
+
+<augment 460-7>
+  active T
+  comment "ICMP unassigned type 2"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/icmp-info.rules
+</augment>
+
+<augment 1330-5>
+  active T
+  comment "WEB-ATTACKS wget command attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-attacks.rules
+  comment "would like to inspect contents of reply"
+</augment>
+
+<augment 2414-7>
+  active T
+  comment "EXPLOIT ISAKMP initial contact notification without SPI attempt"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/exploit.rules
+</augment>
+
+<augment 1893-4>
+  active F
+  comment "SNMP missing community string attempt"
+  comment "this is related to NT 4.0 unpatched < sp 4, circa '99"
+  requires-reverse-signature snmp_userver_ok_return
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/snmp.rules
+</augment>
+
+<augment 2093-5>
+  active T
+  comment "RPC portmap proxy integer overflow attempt TCP"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 2241-5>
+  active T
+  comment "WEB-MISC cwmail.exe access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 1903-8>
+  active T
+  comment IMAP rename overflow attempt
+  comment "pcre: /\sRENAME\s[^\n]{100}/smi"
+  payload "/((^)|(\n+))[\x20\x09\x0b][rR][eE][nN][aA][mM][eE][\x20\x09\x0b][^\n]{100}/"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/imap.rules
+  <delete>
+    payload "/.*[rR][eE][nN][aA][mM][eE]/"
+  </delete>
+</augment>
+
+<augment 2555-2>
+  active T
+  comment "EXPLOIT Oracle Web Cache TRACE overflow attempt"
+  comment pcre: /^TRACE[^s]{432}/sm
+  payload /((^)|(\n+))TRACE[^s]{432}/
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/exploit.rules
+  <delete>
+    payload /.*TRACE/
+  </delete>
+</augment>
+
+<augment 961-6>
+  active T
+  comment "WEB-FRONTPAGE services.cnf access"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-frontpage.rules
+</augment>
+
+<augment 1186-6>
+  active T
+  comment "WEB-MISC Netscape Enterprise Server directory view"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 2546-1>
+  active T
+  comment "FTP MDTM overflow attempt"
+  comment pcre: /^MDTM\s[^\n]{100}/smi
+  payload /((^)|(\n+))[mM][dD][tT][mM][\x20\x09\x0b][^\n]{100}/
+  requires-reverse-signature ! ftp_server_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/ftp.rules
+  <delete>
+    payload /.*[mM][dD][tT][mM]/
+  </delete>
+</augment>
+
+<augment 1873-4>
+  active T
+  comment "WEB-MISC globals.jsa access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 253-4>
+  active T
+  comment "DNS SPOOF query response PTR with TTL of 1 min. and no authority"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/dns.rules
+</augment>
+
+<augment 313-4>
+  active T
+  comment "EXPLOIT ntalkd x86 Linux overflow"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/exploit.rules
+</augment>
+
+<augment 2051-3>
+  active T
+  comment "WEB-CGI cached_feed.cgi moreover shopping cart access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1725-6>
+  active T
+  comment "WEB-IIS +.htr code fragment attempt"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-iis.rules
+</augment>
+
+<augment 1309-9>
+  active T
+  comment "WEB-CGI zsh access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1221-6>
+  active T
+  comment "WEB-MISC musicat empower access"
+  requires-reverse-signature ! http_error
+  http /.*[\/\\]empower\?DB=.{1,}/
+  <delete>
+  	http /.*[\/\\]empower/
+  </delete>
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 1617-8>
+  active T
+  comment "WEB-CGI Bugzilla doeditvotes.cgi access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1091-7>
+  active F
+  comment "WEB-MISC ICQ Webfront HTTP DOS"
+  comment "too general"
+  comment "too many false positives"
+  comment "exploit from year 2000"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 1733-9>
+  active T
+  comment "RPC portmap rwalld request TCP"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 1113-5>
+  active T
+  comment "WEB-MISC http directory traversal"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 2050-5>
+  active T
+  comment "MS-SQL version overflow attempt"
+  sigaction SIG_FILE
+  # sigaction SIG_SUMMARY
+  snort-rule-file snort_rules/rules2.2/sql.rules
+</augment>
+
+<augment 1535-7>
+  active T
+  comment "WEB-CGI bizdbsearch access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1776-2>
+  active T
+  comment "MYSQL show databases attempt"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/mysql.rules
+</augment>
+
+<augment 603-5>
+  active T
+  comment "RSERVICES rlogin echo++"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/rservices.rules
+</augment>
+
+<augment 1291-8>
+  active T
+  comment "WEB-MISC sml3com access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 485-4>
+  active F
+  comment "ICMP Destination Unreachable Communication Administratively Prohibited"
+  sigaction SIG_FILE
+  # sigaction SIG_SUMMARY
+  snort-rule-file snort_rules/rules2.2/icmp.rules
+</augment>
+
+<augment 1280-9>
+  active T
+  comment "RPC portmap listing UDP 111"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 1242-10>
+  active T
+  comment "WEB-IIS ISAPI .ida access"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-iis.rules
+</augment>
+
+<augment 1889-5>
+  active T
+  comment "MISC slapper worm admin traffic"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/misc.rules
+</augment>
+
+<augment 870-5>
+  active T
+  comment "WEB-CGI snorkerz.cmd access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1353-5>
+  active T
+  comment "WEB-ATTACKS bin/nasm command attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-attacks.rules
+</augment>
+
+<augment 1233-9>
+  active F
+  comment "WEB-CLIENT Outlook EML access"
+  comment "too general"
+  comment "not an exploit"
+  requires-signature http_msie_client
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-client.rules
+</augment>
+
+<augment 2277-4>
+  active T
+  comment "WEB-MISC PeopleSoft PeopleBooks psdoccgi access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 1922-6>
+  active T
+  comment "RPC portmap proxy attempt TCP"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 1644-8>
+  active T
+  comment "WEB-CGI test-cgi attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 2425-3>
+  active T
+  comment NNTP senduuname overflow attempt
+  comment pcre: /^senduuname\x3a[^\n]{21}/smi
+  payload /((^)|(\n+))[sS][eE][nN][dD][uU][uU][nN][aA][mM][eE]\x3a[^\n]{21}/
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/nntp.rules
+  <delete>
+    payload /.*[sS][eE][nN][dD][uU][uU][nN][aA][mM][eE]/
+  </delete>
+</augment>
+
+<augment 582-8>
+  active T
+  comment "RPC portmap rexd request UDP"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 952-6>
+  active T
+  comment "WEB-FRONTPAGE author.exe access"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-frontpage.rules
+</augment>
+
+<augment 1709-4>
+  active F
+  comment "WEB-CGI ad.cgi access"
+  comment "rule too general, no details provided to fix"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 2047-2>
+  active F
+  comment "MISC rsyncd module list access"
+  comment "informational only, not exploit worthy"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/misc.rules
+</augment>
+
+<augment 911-7>
+  active T
+  comment "WEB-COLDFUSION exprcalc access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-coldfusion.rules
+</augment>
+
+<augment 2219-6>
+  active T
+  comment "WEB-CGI setpasswd.cgi access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1543-12>
+  active F
+  comment "WEB-CGI cgiwrap access"
+  comment "too general to be useful"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1454-6>
+  active T
+  comment "WEB-CGI wwwwais access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 452-7>
+  active F
+  comment "ICMP Timestamp Reply undefined code"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/icmp-info.rules
+</augment>
+
+<augment 2561-2>
+  active T
+  comment "MISC rsync backup-dir directory traversal attempt"
+  comment pcre: /--backup-dir\s+\x2e\x2e\x2f/
+  payload /--backup-dir[\x20\x09\x0b]+\x2e\x2e\x2f/
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/misc.rules
+  <delete>
+    payload /.*--backup-dir/
+  </delete>
+</augment>
+
+<augment 1216-5>
+  active T
+  comment "WEB-MISC filemail access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 2390-4>
+  active T
+  comment FTP STOU overflow attempt
+  comment pcre: /^STOU\s[^\n]{100}/smi
+  eval dataSizeG100
+  requires-reverse-signature ! ftp_server_error
+  sigaction SIG_LOG
+  payload /((^)|(\n+))[sS][tT][oO][uU][\x20\x09\x0b][^\n]{100}/
+  snort-rule-file snort_rules/rules2.2/ftp.rules
+  <delete>
+    payload /.*[sS][tT][oO][uU]/
+  </delete>
+</augment>
+
+<augment 491-8>
+  active T
+  comment "INFO FTP Bad login"
+  comment pcre: /^530\s+(Login|User)/smi
+  ftp /((^)|(\n+))530[\x20\x09\x0b]+([lL][oO][gG][iI][nN]|[uU][sS][eE][rR])/
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/info.rules
+  <delete>
+    payload /.*530 /
+  </delete>
+</augment>
+
+<augment 246-2>
+  active T
+  comment "DDOS mstream agent pong to handler"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/ddos.rules
+</augment>
+
+<augment 324-5>
+  active T
+  comment "FINGER null request"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/finger.rules
+</augment>
+
+<augment 2440-3>
+  active T
+  comment "WEB-CLIENT RealPlayer playlist rtsp URL overflow attempt"
+  comment pcre: /^http\x3a\x2f\x2f[^\n]{400}/smi
+  payload /((^)|(\n+))[hH][tT]{2}[pP]\x3a\x2f\x2f[^\n]{400}/
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-client.rules
+</augment>
+
+<augment 881-5>
+  active T
+  comment "WEB-CGI archie access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 829-9>
+  active T
+  comment "WEB-CGI nph-test-cgi access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 330-9>
+  active T
+  comment "FINGER redirection attempt"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/finger.rules
+</augment>
+
+<augment 981-9>
+  active T
+  comment "WEB-IIS unicode directory traversal attempt"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-iis.rules
+</augment>
+
+<augment 847-7>
+  active T
+  comment "WEB-CGI campas access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1132-6>
+  active T
+  comment "WEB-MISC Netscape Unixware overflow"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 2534-3>
+  active T
+  comment "MISC LDAP SSLv3 invalid Client_Hello attempt"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/misc.rules
+</augment>
+
+<augment 227-6>
+  active T
+  comment "DDOS Stacheldraht client spoofworks"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/ddos.rules
+</augment>
+
+<augment 1902-9>
+  active T
+  comment "IMAP lsub literal overflow attempt"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/imap.rules
+  payload /((^)|(\n+))[\x20\x09\x0b][lL][sS][uU][bB][\x20\x09\x0b][^\n]*?[\x20\x09\x0b]\{/
+ <delete>
+	payload /.*[lL][sS][uU][bB]/
+ </delete>
+</augment>
+
+<augment 1648-7>
+  active T
+  comment "WEB-CGI perl.exe command attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1965-8>
+  active T
+  comment "RPC tooltalk TCP overflow attempt"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 1723-7>
+  active T
+  comment "WEB-CGI emumail.cgi NULL attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1147-7>
+  active T
+  comment "WEB-MISC cat%20 access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 2240-3>
+  active T
+  comment "WEB-MISC changepw.exe access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 1825-6>
+  active F
+  dst-ip == local_nets
+  comment "WEB-CGI AlienForm af.cgi access"
+  comment "informational only"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1529-10>
+  active T
+  comment FTP SITE overflow attempt
+  comment "pcre: /^SITE\s[^\n]{100}/smi"
+  eval dataSizeG100
+  ftp "/((^)|(\n+))[sS][iI][tT][eE][\x20\x09\x0b][^\n]{100}/"
+  requires-reverse-signature ! ftp_server_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/ftp.rules
+  <delete>
+    payload "/.*[sS][iI][tT][eE]/"
+  </delete>
+</augment>
+
+<augment 486-4>
+  active F
+  comment "ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/icmp.rules
+</augment>
+
+<augment 1459-5>
+  active T
+  comment "WEB-CGI bb-histlog.sh access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 2213-6>
+  active T
+  comment "WEB-CGI mailfile.cgi access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 474-4>
+  active F
+  comment "ICMP superscan echo"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/icmp.rules
+</augment>
+
+<augment 1383-6>
+  active F
+  comment "P2P Fastrack kazaa/morpheus GET request"
+  comment "informational only"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/p2p.rules
+</augment>
+
+<augment 2032-5>
+  active T
+  comment "RPC yppasswd user update TCP"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 1267-11>
+  active T
+  comment "RPC portmap nisd request TCP"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 2308-6>
+  active T
+  comment "NETBIOS SMB DCERPC Workstation Service unicode bind attempt"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/netbios.rules
+</augment>
+
+<augment 268-4>
+  active T
+  comment "DOS Jolt attack"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/dos.rules
+</augment>
+
+<augment 1072-9>
+  active T
+  comment "WEB-MISC Lotus Domino directory traversal"
+  requires-reverse-signature ! http_error
+  http /.*\.nsf[\/\\].*(\.\.\/){1,}.{2,}/
+  <delete>
+  	http /.*\.nsf[\/\\]/
+  	http /.*\.\.[\/\\]/
+  </delete>
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 613-5>
+  active F
+  comment "SCAN myscan"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/scan.rules
+</augment>
+
+<augment 251-3>
+  active T
+  comment "DDOS - TFN client command LE"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/ddos.rules
+</augment>
+
+<augment 400-7>
+  active F
+  comment "ICMP Destination Unreachable Network Unreachable for Type of Service"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/icmp-info.rules
+</augment>
+
+<augment 1124-5>
+  active F
+  comment "WEB-MISC Ecommerce check.txt access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 1805-4>
+  active T
+  comment "WEB-CGI Oracle reports CGI access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 889-7>
+  active T
+  comment "WEB-CGI ppdscgi.exe access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 432-6>
+  active T
+  comment "ICMP Photuris Valid Security Parameters, But Decryption Failed"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/icmp-info.rules
+</augment>
+
+<augment 1862-7>
+  active T
+  comment "WEB-CGI mrtg.cgi directory traversal attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 2473-3>
+  active T
+  comment "NETBIOS SMB ADMIN$ share unicode access"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/netbios.rules
+</augment>
+
+<augment 437-6>
+  active F
+  comment "ICMP Redirect for TOS and Network"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/icmp-info.rules
+</augment>
+
+<augment 904-7>
+  active T
+  comment "WEB-COLDFUSION exampleapp application.cfm"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-coldfusion.rules
+</augment>
+
+<augment 1930-3>
+  active T
+  comment "IMAP auth literal overflow attempt"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/imap.rules
+</augment>
+
+<augment 230-5>
+  active T
+  comment "DDOS shaft client login to handler"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/ddos.rules
+</augment>
+
+<augment 583-9>
+  active T
+  comment "RPC portmap rstatd request UDP"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 837-8>
+  active T
+  comment "WEB-CGI uploader.exe access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1485-4>
+  active T
+  comment "WEB-IIS mkilog.exe access"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-iis.rules
+</augment>
+
+<augment 536-7>
+  active T
+  comment "NETBIOS SMB D$ share access"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/netbios.rules
+</augment>
+
+<augment 1161-9>
+  active T
+  comment "WEB-PHP piranha passwd.php3 access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-php.rules
+</augment>
+
+<augment 648-7>
+  active T
+  comment "SHELLCODE x86 NOOP"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/shellcode.rules
+</augment>
+
+<augment 1301-11>
+  active T
+  comment "WEB-PHP admin.php access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-php.rules
+</augment>
+
+<augment 713-7>
+  active F
+  comment "TELNET livingston DOS"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/telnet.rules
+</augment>
+
+<augment 1286-6>
+  active T
+  comment "WEB-IIS _mem_bin access"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-iis.rules
+</augment>
+
+<augment 1554-9>
+  active T
+  dst-ip == local_nets
+  comment "WEB-CGI dbman db.cgi access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1909-10>
+  active T
+  comment "RPC CMSD TCP CMSD_INSERT buffer overflow attempt"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 286-9>
+  active T
+  comment "POP3 EXPLOIT x86 BSD overflow"
+  requires-reverse-signature ! pop_return_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/pop3.rules
+</augment>
+
+<augment 1816-3>
+  active T
+  comment "WEB-PHP directory.php access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  <delete>
+  	http /.*[\/\\]directory\.php/
+  </delete>
+  http /.*[\/\\]directory\.php[\;\|]{1,}/
+  snort-rule-file snort_rules/rules2.2/web-php.rules
+</augment>
+
+<augment 421-5>
+  active T
+  comment "ICMP Mobile Registration Reply"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/icmp-info.rules
+</augment>
+
+<augment 1366-5>
+  active T
+  comment "WEB-ATTACKS mail command attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-attacks.rules
+</augment>
+
+<augment 409-7>
+  active F
+  comment "ICMP Echo Reply undefined code"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/icmp-info.rules
+</augment>
+
+<augment 2271-2>
+  active T
+  comment "BACKDOOR FsSniffer connection attempt"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/backdoor.rules
+</augment>
+
+<augment 1509-9>
+  active T
+  comment "WEB-CGI AltaVista Intranet Search directory traversal attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1202-5>
+  active T
+  comment "WEB-MISC search.vts access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 2426-3>
+  active T
+  comment NNTP version overflow attempt
+  comment "pcre: /^version\x3a[^\n]{21}/smi"
+  payload "/((^)|(\n+))[vV][eE][rR][sS][iI][oO][nN]\x3a[^\n]{21}/"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/nntp.rules
+  <delete>
+    payload "/.*[vV][eE][rR][sS][iI][oO][nN]/"
+  </delete>
+</augment>
+
+<augment 1225-4>
+  active T
+  comment "X11 MIT Magic Cookie detected"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/x11.rules
+</augment>
+
+<augment 1994-3>
+  active T
+  comment "WEB-CGI vpasswd.cgi access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 538-10>
+  active T
+  comment "NETBIOS SMB IPC$ share unicode access"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/netbios.rules
+</augment>
+
+<augment 2034-7>
+  active T
+  comment "RPC ypserv maplist request TCP"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 2138-2>
+  active T
+  comment "WEB-MISC logicworks.ini access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 1355-5>
+  active T
+  comment "WEB-ATTACKS /usr/bin/perl execution attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-attacks.rules
+</augment>
+
+<augment 2022-4>
+  active T
+  comment "RPC mountd TCP unmountall request"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 1708-7>
+  active T
+  comment "WEB-CGI hello.bat access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 454-7>
+  active F
+  comment "ICMP Timestamp Request undefined code"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/icmp-info.rules
+</augment>
+
+<augment 2279-2>
+  active T
+  comment "WEB-PHP UpdateClasses.php access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-php.rules
+</augment>
+
+<augment 684-5>
+  active T
+  comment "MS-SQL sp_delete_alert log file deletion"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/sql.rules
+</augment>
+
+<augment 922-6>
+  active T
+  comment "WEB-COLDFUSION displayfile access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-coldfusion.rules
+</augment>
+
+<augment 1954-5>
+  active T
+  comment "RPC AMD UDP pid request"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 323-5>
+  active T
+  comment "FINGER root query"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/finger.rules
+</augment>
+
+<augment 2430-3>
+  active T
+  comment NNTP newgroup overflow attempt
+  comment "pcre: /^newgroup\x3a[^\n]{21}/smi"
+  payload "/((^)|(\n+))[nN][eE][wW][gG][rR][oO][uU][pP]\x3a[^\n]{21}/"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/nntp.rules
+  <delete>
+    payload "/.*[nN][eE][wW][gG][rR][oO][uU][pP]/"
+  </delete>
+</augment>
+
+<augment 2432-2>
+  active F
+  comment "NNTP article post without path attempt"
+  comment pcre: ! /^takethis.*?Path\x3a.*?[\r]{0,1}?\n[\r]{0,1}\n/si
+  comment Negation of a pattern is not supported
+  payload /((^)|(\n+))[tT][aA][kK][eE][tT][hH][iI][sS].*?[pP][aA][tT][hH]\x3a.*?[\r]{0,1}?\n[\r]{0,1}\n/
+  sigaction SIG_LOG
+  snort-rule-file snort_rules2.2/nntp.rules
+  <delete>
+    payload /.*[tT][aA][kK][eE][tT][hH][iI][sS]/
+  </delete>
+</augment>
+
+<augment 903-7>
+  active T
+  comment "WEB-COLDFUSION cfcache.map access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-coldfusion.rules
+</augment>
+
+<augment 2460-3>
+  active F
+  comment CHAT Yahoo IM webcam request
+  comment "informational only"
+  comment pcre translate
+  payload "/((^)|(\n+))\x3c([rR][eE][qQ][iI][mM][gG]|[rR][vV][wW][cC][fF][gG])\x3e/"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/chat.rules
+</augment>
+
+<augment 1097-6>
+  active T
+  comment "WEB-CGI Talentsoft Web+ exploit attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 406-6>
+  active F
+  comment "ICMP Destination Unreachable Source Route Failed"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/icmp-info.rules
+</augment>
+
+<augment 550-8>
+  active F
+  comment "P2P napster new user login"
+  comment "informational only"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/p2p.rules
+</augment>
+
+<augment 1371-5>
+  active F
+  comment "WEB-ATTACKS /etc/motd access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-attacks.rules
+  comment "informational only"
+</augment>
+
+<augment 943-6>
+  active T
+  comment "WEB-FRONTPAGE fpsrvadm.exe access"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-frontpage.rules
+</augment>
+
+<augment 852-8>
+  active T
+  comment "WEB-CGI wguest.exe access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 306-9>
+  active F
+  comment "EXPLOIT VQServer admin"
+  comment Too many false positives!!!!!!!!!!!!!!
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/exploit.rules
+</augment>
+
+<augment 399-6>
+  active F
+  comment "ICMP Destination Unreachable Host Unreachable"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/icmp-info.rules
+</augment>
+
+<augment 891-5>
+  active T
+  comment "WEB-CGI upload.pl access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1396-8>
+  active T
+  comment "WEB-CGI zml.cgi access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 691-5>
+  active T
+  comment "MS-SQL shellcode attempt"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/sql.rules
+</augment>
+
+<augment 1255-8>
+  active T
+  comment "WEB-PHP PHPLIB remote command attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-php.rules
+</augment>
+
+<augment 910-5>
+  active T
+  comment "WEB-COLDFUSION fileexists.cfm access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-coldfusion.rules
+</augment>
+
+<augment 2122-7>
+  active T
+  comment POP3 UIDL negative arguement attempt
+  comment "pcre: /^UIDL\s+-\d/smi"
+  payload "/((^)|(\n+))[uU][iI][dD][lL][\x20\x09\x0b]+-[0-9]/"
+  requires-reverse-signature ! pop_return_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/pop3.rules
+  <delete>
+    payload "/.*[uU][iI][dD][lL]/"
+  </delete>
+</augment>
+
+<augment 1414-11>
+  active T
+  comment "SNMP private access tcp"
+  requires-reverse-signature snmp_tserver_ok_return
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/snmp.rules
+</augment>
+
+<augment 1288-6>
+  active T
+  comment "WEB-FRONTPAGE /_vti_bin/ access"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-frontpage.rules
+</augment>
+
+<augment 1354-5>
+  active T
+  comment "WEB-ATTACKS nasm command attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-attacks.rules
+</augment>
+
+<augment 307-9>
+  active T
+  comment "EXPLOIT CHAT IRC topic overflow"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/exploit.rules
+</augment>
+
+<augment 1962-7>
+  active T
+  comment "RPC portmap RQUOTA request TCP"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 2199-6>
+  active T
+  comment "WEB-CGI multidiff.cgi access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1037-10>
+  active T
+  dst-ip == local_nets
+  comment "WEB-IIS showcode.asp access"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-iis.rules
+</augment>
+
+<augment 463-7>
+  active T
+  comment "ICMP unassigned type 7 undefined code"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/icmp-info.rules
+</augment>
+
+<augment 1510-9>
+  active T
+  comment "WEB-CGI test.bat arbitrary command execution attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 487-4>
+  active F
+  comment "ICMP Destination Unreachable Communication with Destination Network is Administratively Prohibited"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/icmp.rules
+</augment>
+
+<augment 1365-5>
+  active T
+  comment "WEB-ATTACKS rm command attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-attacks.rules
+</augment>
+
+<augment 1576-4>
+  active T
+  comment "WEB-MISC Domino cersvr.nsf access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 1038-8>
+  active T
+  comment "WEB-IIS site server config access"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-iis.rules
+</augment>
+
+<augment 377-7>
+  active T
+  comment "ICMP PING Network Toolbox 3 Windows"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/icmp-info.rules
+</augment>
+
+<augment 433-8>
+  active T
+  comment "ICMP Photuris undefined code!"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/icmp-info.rules
+</augment>
+
+<augment 2502-7>
+  active T
+  comment "POP3 SSLv3 invalid data version attempt"
+  requires-reverse-signature ! pop_return_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/pop3.rules
+</augment>
+
+<augment 2375-3>
+  active T
+  comment "BACKDOOR DoomJuice file upload attempt"
+  payload /^\x85\x13<\x9E\xA2/
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/backdoor.rules
+  <delete>
+    payload /\x85\x13<\x9E\xA2/
+  </delete>
+</augment>
+
+<augment 1589-4>
+  active T
+  comment "WEB-MISC musicat empower attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 2233-5>
+  active T
+  comment "WEB-MISC SFNofitication.dll access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 1370-5>
+  active T
+  comment "WEB-ATTACKS /etc/inetd.conf access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-attacks.rules
+</augment>
+
+<augment 1651-4>
+  active T
+  comment "WEB-CGI enivorn.pl access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1369-5>
+  active T
+  comment "WEB-ATTACKS /bin/ls command attempt"
+  requires-reverse-signature ! http_error
+  http /.*[\/\\]bin[\/\\]ls[^a-zA-Z0-9_.-]/
+  <delete>
+  	http /.*[\/\\]bin[\/\\]ls/
+  </delete>
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-attacks.rules
+</augment>
+
+<augment 1468-7>
+  active T
+  comment "WEB-CGI Web Shopper shopper.cgi attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 2565-1>
+  active T
+  comment "WEB-PHP modules.php access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-php.rules
+</augment>
+
+<augment 626-7>
+  active T
+  comment "SCAN cybercop os PA12 attempt"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/scan.rules
+</augment>
+
+<augment 1956-5>
+  active F
+  comment "RPC AMD UDP version request"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 2480-3>
+  active T
+  comment "NETBIOS SMB-DS DCERPC shutdown unicode attempt"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/netbios.rules
+</augment>
+
+<augment 897-10>
+  active T
+  comment "WEB-CGI pals-cgi access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1158-10>
+  active T
+  comment "WEB-MISC windmail.exe access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 664-13>
+  active T
+  comment SMTP RCPT TO decode attempt
+  comment "pcre: /^rcpt to\:\s+decode/smi"
+  payload "/((^)|(\n+))[rR][cC][pP][tT][\x20\x09\x0b][tT][oO]:[\x20\x09\x0b]+[dD][eE][cC][oO][dD][eE]/"
+  requires-reverse-signature ! smtp_server_fail
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/smtp.rules
+  <delete>
+    payload /.*rcpt to\x3A.*.*[dD][eE][cC][oO][dD][eE]/
+  </delete>
+</augment>
+
+<augment 2395-3>
+  active T
+  comment "WEB-MISC InteractiveQuery.jsp access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 877-8>
+  active T
+  comment "WEB-CGI rksh access"
+  requires-reverse-signature ! http_error
+  requires-signature ! http_shell_check
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 585-7>
+  active T
+  comment "RPC portmap sadmind request UDP"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 2368-4>
+  active T
+  comment "WEB-PHP PhpGedView PGV config_gedcom.php base directory manipulation attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-php.rules
+</augment>
+
+<augment 1512-9>
+  active T
+  comment "WEB-CGI input.bat arbitrary command execution attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1470-5>
+  active T
+  comment "WEB-CGI listrec.pl access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 2500-4>
+  active T
+  comment "MISC LDAP SSLv3 invalid data version attempt"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/misc.rules
+</augment>
+
+<augment 245-3>
+  active T
+  comment "DDOS mstream handler ping to agent"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/ddos.rules
+</augment>
+
+<augment 1407-8>
+  active T
+  comment "WEB-PHP smssend.php access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-php.rules
+</augment>
+
+<augment 1331-5>
+  active T
+  comment "WEB-ATTACKS uname -a command attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-attacks.rules
+</augment>
+
+<augment 2457-2>
+  active F
+  comment "CHAT Yahoo IM message"
+  comment "informational only"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/chat.rules
+</augment>
+
+<augment 2550-2>
+  active T
+  comment "EXPLOIT winamp XM module name overflow"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/exploit.rules
+</augment>
+
+<augment 1809-9>
+  active T
+  comment "WEB-MISC Apache Chunked-Encoding worm attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 1483-9>
+  active T
+  comment "WEB-CGI ustorekeeper.pl access"
+  dst-ip == local_nets
+  requires-reverse-signature ! http_error
+  comment "informational only"
+  comment "verify that application is not vulnerable"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1614-8>
+  active T
+  comment "WEB-MISC Novell Groupwise gwweb.exe attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 1480-9>
+  active T
+  comment "WEB-CGI ttawebtop.cgi access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 670-7>
+  active T
+  comment "SMTP sendmail 8.6.9 exploit"
+  requires-reverse-signature ! smtp_server_fail
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/smtp.rules
+</augment>
+
+<augment 1248-13>
+  active T
+  comment "WEB-FRONTPAGE rad fp30reg.dll access"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-frontpage.rules
+</augment>
+
+<augment 2130-5>
+  active T
+  comment "WEB-IIS IISProtect siteadmin.asp access"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-iis.rules
+</augment>
+
+<augment 1380-4>
+  active T
+  comment "WEB-IIS cross-site scripting attempt"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-iis.rules
+</augment>
+
+<augment 1337-6>
+  active T
+  comment "WEB-ATTACKS chgrp command attempt"
+  requires-reverse-signature ! http_error
+  http /.*\/[cC][hH][gG][rR][pP]([^-a-zA-Z0-9_.]|$)/
+  <delete>
+  	payload /.*\/[cC][hH][gG][rR][pP]/
+  </delete>
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-attacks.rules
+</augment>
+
+<augment 2451-3>
+  active F
+  comment "CHAT Yahoo IM voicechat"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/chat.rules
+</augment>
+
+<augment 928-5>
+  active T
+  comment "WEB-COLDFUSION exampleapp access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-coldfusion.rules
+</augment>
+
+<augment 926-7>
+  active T
+  comment "WEB-COLDFUSION set odbc ini attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-coldfusion.rules
+</augment>
+
+<augment 2242-4>
+  active T
+  comment "WEB-MISC ddicgi.exe access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 2298-4>
+  active T
+  comment "WEB-PHP Advanced Poll admin_templates.php access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-php.rules
+</augment>
+
+<augment 2118-6>
+  active T
+  comment IMAP list overflow attempt
+  comment "pcre: /\sLIST\s[^\n]{100}/smi"
+  payload "/((^)|(\n+))[\x20\x09\x0b][lL][iI][sS][tT][\x20\x09\x0b][^\n]{100}/"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/imap.rules
+  <delete>
+    payload "/.*[lL][iI][sS][tT]/"
+  </delete>
+</augment>
+
+<augment 1442-4>
+  active T
+  comment "TFTP GET shadow"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/tftp.rules
+</augment>
+
+<augment 1250-11>
+  active T
+  comment "WEB-MISC Cisco IOS HTTP configuration attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+  comment "would like to inspect contents of reply"
+</augment>
+
+<augment 1996-3>
+  active T
+  comment "WEB-CGI viralator.cgi access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 418-7>
+  active F
+  comment "ICMP Information Request undefined code"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/icmp-info.rules
+</augment>
+
+<augment 2478-3>
+  active T
+  comment "NETBIOS SMB-DS DCERPC bind winreg attempt"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/netbios.rules
+</augment>
+
+<augment 1241-5>
+  active T
+  comment "WEB-MISC SWEditServlet directory traversal attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 1971-4>
+  active T
+  comment FTP SITE EXEC format string attempt
+  comment "pcre: /^SITE\s+EXEC\s[^\n]*?%[^\n]*?%/smi"
+  ftp "/((^)|(\n+))[sS][iI][tT][eE][\x20\x09\x0b]+[eE][xX][eE][cC][\x20\x09\x0b][^\n]*?%[^\n]*?%/"
+  requires-reverse-signature ! ftp_server_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/ftp.rules
+  <delete>
+    payload "/.*[sS][iI][tT][eE].*.*[eE][xX][eE][cC]/"
+  </delete>
+</augment>
+
+<augment 2286-2>
+  active T
+  comment "WEB-PHP friends.php access"
+  comment "added details for sql *injection*.  rules differ for"
+  comment "other attacks, but this seems the most dangerous"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-php.rules
+  http /.*[\/\\]friends\.php\x3fadmin\x3d[a-zA-Z0-9]{5,20}.* /
+  <delete>
+  	http /.*[\/\\]friends\.php/
+  </delete>
+</augment>
+
+<augment 1522-10>
+  active T
+  comment "WEB-MISC ans.pl attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 2192-8>
+  active T
+  comment "NETBIOS DCERPC ISystemActivator bind attempt"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/netbios.rules
+</augment>
+
+<augment 1926-6>
+  active T
+  comment "RPC mountd UDP exportall request"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 1717-4>
+  active T
+  comment "WEB-CGI simplestguest.cgi access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 2522-7>
+  active F
+  comment "WEB-MISC SSLv3 invalid Client_Hello attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 1738-5>
+  active T
+  comment "WEB-MISC global.inc access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 2121-8>
+  active T
+  comment POP3 DELE negative arguement attempt
+  comment pcre: /^DELE\s+-\d/smi
+  payload /((^)|(\n+))[dD][eE][lL][eE]+-[0-9]/
+  requires-reverse-signature ! pop_return_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/pop3.rules
+  <delete>
+    payload "/.*[dD][eE][lL][eE]/"
+  </delete>
+</augment>
+
+<augment 1219-10>
+  active T
+  comment "WEB-CGI dfire.cgi access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 834-7>
+  active T
+  comment "WEB-CGI rwwwshell.pl access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1537-6>
+  active T
+  comment "WEB-CGI calendar_admin.pl access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 701-7>
+  active T
+  comment "MS-SQL xp_updatecolvbm possible buffer overflow"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/sql.rules
+</augment>
+
+<augment 1163-11>
+  active T
+  comment "WEB-CGI webdist.cgi access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1519-8>
+  active T
+  comment "WEB-MISC apache ?M=D directory list attempt"
+  comment "add additional filters"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+  http /Content-language:.* /
+  eval isApacheLt1322
+</augment>
+
+<augment 846-8>
+  active T
+  comment "WEB-CGI bnbform.cgi access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 412-7>
+  active F
+  comment "ICMP IPV6 I-Am-Here undefined code"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/icmp-info.rules
+</augment>
+
+<augment 492-8>
+  active F
+  comment "INFO TELNET Bad Login"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/info.rules
+</augment>
+
+<augment 2422-2>
+  active F
+  comment "MULTIMEDIA realplayer .rt playlist download attempt"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/multimedia.rules
+</augment>
+
+<augment 1110-7>
+  active T
+  comment "WEB-MISC apache source.asp file access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 1484-5>
+  active T
+  comment "WEB-IIS /isapi/tstisapi.dll access"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-iis.rules
+</augment>
+
+<augment 2476-3>
+  active T
+  comment "NETBIOS SMB-DS Create AndX Request winreg attempt"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/netbios.rules
+</augment>
+
+<augment 440-7>
+  active F
+  comment "ICMP Reserved for Security Type 19 undefined code"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/icmp-info.rules
+</augment>
+
+<augment 503-6>
+  active T
+  comment "MISC Source Port 20 to <1024"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/misc.rules
+</augment>
+
+<augment 2471-3>
+  active T
+  comment "NETBIOS SMB-DS C$ share access"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/netbios.rules
+</augment>
+
+<augment 458-7>
+  active T
+  comment "ICMP unassigned type 1"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/icmp-info.rules
+</augment>
+
+<augment 2568-1>
+  active T
+  comment "WEB-CGI Emumail emumail.fcgi access"
+  requires-reverse-signature ! http_error
+  http /.*[\/\\]emumail\.fcgi\?./
+  <delete>
+  	http /.*[\/\\]emumail\.fcgi/
+  </delete>
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1359-5>
+  active T
+  comment "WEB-ATTACKS ping command attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-attacks.rules
+</augment>
+
+<augment 1569-5>
+  active T
+  comment "WEB-CGI loadpage.cgi directory traversal attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1405-5>
+  active F
+  comment "WEB-CGI AHG search.cgi access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 813-9>
+  active T
+  comment "WEB-CGI webplus directory traversal"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 700-8>
+  active T
+  comment "MS-SQL/SMB xp_updatecolvbm possible buffer overflow"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/sql.rules
+</augment>
+
+<augment 1078-8>
+  active F
+  comment "WEB-MISC counter.exe access"
+  comment "'99 exploit against iis 4.0, remove"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 866-8>
+  active T
+  comment "WEB-CGI post-query access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 314-9>
+  active T
+  comment "DNS EXPLOIT named tsig overflow attempt"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/dns.rules
+</augment>
+
+<augment 2137-2>
+  active T
+  comment "WEB-MISC philboard_admin.asp access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 2069-5>
+  active T
+  comment "WEB-MISC chip.ini access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 991-8>
+  active T
+  comment "WEB-IIS achg.htr access"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-iis.rules
+</augment>
+
+<augment 1566-7>
+  active T
+  comment "WEB-CGI eshop.pl access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 2116-3>
+  active T
+  comment "WEB-CGI chipcfg.cgi access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1872-3>
+  active T
+  comment "WEB-MISC Oracle Dynamic Monitoring Services dms access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 1832-7>
+  active F
+  comment "CHAT ICQ forced user addition"
+  comment "informational only"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/chat.rules
+</augment>
+
+<augment 1399-11>
+  active T
+  comment "WEB-PHP PHP-Nuke remote file include attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  <delete>
+  	payload /.*[fF][iI][lL][eE]=/
+  	http /.*[\/\\]index\.php/
+  </delete>
+  http /.*[\/\\]index\.php.*[fF][iI][lL][eE]=([hH][tT][tT][pP][sS]?|[fF][tT][pP])/
+  snort-rule-file snort_rules/rules2.2/web-php.rules
+</augment>
+
+<augment 954-6>
+  active T
+  comment "WEB-FRONTPAGE form_results.htm access"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-frontpage.rules
+</augment>
+
+<augment 1736-6>
+  active T
+  comment "WEB-PHP squirrel mail spell-check arbitrary command attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-php.rules
+</augment>
+
+<augment 1469-5>
+  active T
+  comment "WEB-CGI Web Shopper shopper.cgi access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 705-7>
+  active T
+  comment "MS-SQL xp_showcolv possible buffer overflow"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/sql.rules
+</augment>
+
+<augment 1177-6>
+  active T
+  comment "WEB-MISC Netscape Enterprise Server directory view"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 2521-5>
+  active F
+  comment "WEB-MISC SSLv3 Server_Hello request"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 869-8>
+  active T
+  comment "WEB-CGI dumpenv.pl access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 811-9>
+  active F
+  comment "WEB-CGI websitepro path access"
+  comment "informational only"
+  comment "not exploit worthy"
+  comment "too general"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1769-3>
+  active T
+  comment "WEB-MISC .DS_Store access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 963-6>
+  active T
+  comment "WEB-FRONTPAGE svcacl.cnf access"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-frontpage.rules
+</augment>
+
+<augment 1137-9>
+  active T
+  comment "WEB-PHP Phorum authentication access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-php.rules
+</augment>
+
+<augment 1066-6>
+  active T
+  comment "WEB-MISC telnet attempt"
+  requires-reverse-signature ! http_error
+  http /.*[tT][eE][lL][nN][eE][tT]\.[eE][xX][eE]/
+  <delete>
+  	payload /.*[tT][eE][lL][nN][eE][tT]\.[eE][xX][eE]/
+  </delete>
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 2182-6>
+  active F
+  comment "BACKDOOR typot trojan traffic"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/backdoor.rules
+</augment>
+
+<augment 892-8>
+  active T
+  comment "WEB-CGI AnyForm2 access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 2012-2>
+  active T
+  comment "MISC CVS missing cvsroot response"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/misc.rules
+</augment>
+
+<augment 2307-5>
+  active T
+  comment WEB-PHP PayPal Storefront arbitrary command execution attempt
+  comment pcre: /page=(http|https|ftp)/i
+  http /[pP][aA][gG][eE]=(http|https|ftp)/
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-php.rules
+  <delete>
+    payload /.*page=/
+  </delete>
+</augment>
+
+<augment 2404-5>
+  active T
+  comment "NETBIOS SMB-DS Session Setup AndX request unicode username overflow attempt"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/netbios.rules
+</augment>
+
+<augment 1913-10>
+  active T
+  comment "RPC STATD UDP stat mon_name format string exploit attempt"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 2518-10>
+  active T
+  comment "POP3 PCT Client_Hello overflow attempt"
+  requires-reverse-signature ! pop_return_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/pop3.rules
+</augment>
+
+<augment 1945-4>
+  active T
+  comment "WEB-IIS unicode directory traversal attempt"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-iis.rules
+</augment>
+
+<augment 2493-5>
+  active T
+  comment "NETBIOS SMB DCERPC ISystemActivator unicode bind attempt"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/netbios.rules
+</augment>
+
+<augment 2517-10>
+  active T
+  comment "IMAP PCT Client_Hello overflow attempt"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/imap.rules
+</augment>
+
+<augment 389-7>
+  active F
+  comment "ICMP Address Mask Request undefined code"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/icmp-info.rules
+</augment>
+
+<augment 443-5>
+  active F
+  comment "ICMP Router Selection"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/icmp-info.rules
+</augment>
+
+<augment 2563-4>
+  active F
+  comment "NETBIOS NS lookup response name overflow attempt"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/netbios.rules
+</augment>
+
+<augment 2284-3>
+  active T
+  comment "WEB-PHP rolis guestbook remote file include attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-php.rules
+</augment>
+
+<augment 420-7>
+  active F
+  comment "ICMP Mobile Host Redirect undefined code"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/icmp-info.rules
+</augment>
+
+<augment 1917-6>
+  active F
+  comment "SCAN UPnP service discover attempt"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/scan.rules
+</augment>
+
+<augment 820-9>
+  active T
+  comment "WEB-CGI anaconda directory transversal attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1746-11>
+  active T
+  comment "RPC portmap cachefsd request UDP"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 414-7>
+  active F
+  comment "ICMP IPV6 Where-Are-You undefined code"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/icmp-info.rules
+</augment>
+
+<augment 220-6>
+  active F
+  dst-ip == local_nets
+  comment "BACKDOOR HideSource backdoor attempt"
+  comment "old signature from 1997"
+  comment "moved check to hot-ids.bro"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/backdoor.rules
+</augment>
+
+<augment 300-7>
+  active T
+  comment "EXPLOIT nlps x86 Solaris overflow"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/exploit.rules
+</augment>
+
+<augment 601-6>
+  active T
+  comment "RSERVICES rlogin LinuxNIS"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/rservices.rules
+</augment>
+
+<augment 1096-6>
+  active T
+  comment "WEB-MISC Talentsoft Web+ internal IP Address access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 2302-4>
+  active T
+  comment "WEB-PHP Advanced Poll poll_ssi.php access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-php.rules
+</augment>
+
+<augment 1570-5>
+  active T
+  dst-ip == local_nets
+  comment "WEB-CGI loadpage.cgi access"
+  requires-reverse-signature ! http_error
+  http /.*[\/\\]loadpage\.cgi\?{1,}\//
+  <delete>
+  	http /.*[\/\\]loadpage\.cgi/
+  </delete>
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 2519-9>
+  active T
+  comment "SMTP Client_Hello overflow attempt"
+  requires-reverse-signature ! smtp_server_fail
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/smtp.rules
+</augment>
+
+<augment 885-9>
+  active F
+  comment "WEB-CGI bash access"
+  comment "sig too general, shell check does not keep man pages from triggering this"
+  requires-reverse-signature ! http_error
+  requires-signature ! http_shell_check
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 569-14>
+  active T
+  comment "RPC snmpXdmi overflow attempt TCP"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 2378-3>
+  active T
+  comment "EXPLOIT ISAKMP third payload certificate request length overflow attempt"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/exploit.rules
+</augment>
+
+<augment 1674-5>
+  active T
+  comment "ORACLE connect_data remote version detection attempt"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/oracle.rules
+</augment>
+
+<augment 914-5>
+  active T
+  comment "WEB-COLDFUSION beaninfo access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-coldfusion.rules
+</augment>
+
+<augment 322-10>
+  active T
+  comment "FINGER search query"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/finger.rules
+</augment>
+
+<augment 365-8>
+  active F
+  comment "ICMP PING undefined code"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/icmp-info.rules
+</augment>
+
+<augment 2191-3>
+  active T
+  comment "NETBIOS SMB DCERPC invalid bind attempt"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/netbios.rules
+</augment>
+
+<augment 2037-5>
+  active T
+  comment "RPC network-status-monitor mon-callback request UDP"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 968-6>
+  active T
+  comment "WEB-FRONTPAGE register.htm access"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-frontpage.rules
+</augment>
+
+<augment 901-10>
+  active T
+  comment "WEB-CGI webspirs.cgi access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 609-5>
+  active T
+  comment "RSERVICES rsh froot"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/rservices.rules
+</augment>
+
+<augment 513-10>
+  active T
+  comment "MISC Cisco Catalyst Remote Access"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/misc.rules
+</augment>
+
+<augment 457-7>
+  active F
+  comment "ICMP Traceroute undefined code"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/icmp-info.rules
+</augment>
+
+<augment 1067-6>
+  active T
+  comment "WEB-MISC net attempt"
+  requires-reverse-signature ! http_error
+  http /.*[^a-zA-Z0-9_.-][nN][eE][tT]\.[eE][xX][eE]/
+  <delete>
+  	payload /.*[nN][eE][tT]\.[eE][xX][eE]/
+  </delete>
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 332-8>
+  active T
+  comment "FINGER 0 query"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/finger.rules
+</augment>
+
+<augment 2323-2>
+  active T
+  comment "WEB-CGI quickstore.cgi access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 692-6>
+  active T
+  comment "MS-SQL/SMB shellcode attempt"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/sql.rules
+</augment>
+
+<augment 851-7>
+  active T
+  comment "WEB-CGI files.pl access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 105-7>
+  active T
+  comment "BACKDOOR - Dagger_1.4.0"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/backdoor.rules
+</augment>
+
+<augment 599-11>
+  active T
+  comment "RPC portmap listing TCP 32771"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 1847-8>
+  active F
+  comment "WEB-MISC webalizer access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+  comment "informational only"
+</augment>
+
+<augment 1071-6>
+  active T
+  comment "WEB-MISC .htpasswd access"
+  requires-reverse-signature ! http_error
+  http /.*\/\.[hH][tT][pP][aA][sS][sS][wW][dD]/
+  <delete>
+  	payload /.*\.[hH][tT][pP][aA][sS][sS][wW][dD]/
+  </delete>
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 620-9>
+  active F
+  comment "SCAN Proxy Port 8080 attempt"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/scan.rules
+</augment>
+
+<augment 635-3>
+  active T
+  comment "SCAN XTACACS logout"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/scan.rules
+</augment>
+
+<augment 1265-9>
+  active T
+  comment "RPC portmap cmsd request TCP"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 1669-5>
+  active T
+  comment "WEB-CGI /cgi-dos/ access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1949-5>
+  active T
+  comment "RPC portmap SET attempt TCP 111"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 1581-4>
+  active T
+  comment "WEB-MISC Domino ntsync4.nsf access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 2008-4>
+  active T
+  comment "MISC CVS invalid user authentication response"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/misc.rules
+</augment>
+
+<augment 431-6>
+  active F
+  comment "ICMP Photuris Valid Security Parameters, But Authentication Failed"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/icmp-info.rules
+</augment>
+
+<augment 1406-11>
+  active T
+  comment "WEB-CGI agora.cgi access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1871-4>
+  active T
+  comment "WEB-MISC Oracle XSQLConfig.xml access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 1292-8>
+  active T
+  comment "ATTACK-RESPONSES directory listing"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/attack-responses.rules
+</augment>
+
+<augment 109-5>
+  active T
+  comment "BACKDOOR netbus active"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/backdoor.rules
+</augment>
+
+<augment 1789-3>
+  active T
+  comment "CHAT IRC dns request"
+  comment "informational only"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/chat.rules
+</augment>
+
+<augment 1925-6>
+  active F
+  comment "RPC mountd TCP exportall request"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 1618-14>
+  active T
+  comment "WEB-IIS .asp chunked Transfer-Encoding"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-iis.rules
+</augment>
+
+<augment 1501-8>
+  active T
+  comment "WEB-CGI a1stats a1disp3.cgi directory traversal attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 249-7>
+  active T
+  comment "DDOS mstream client to handler"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/ddos.rules
+</augment>
+
+<augment 2454-3>
+  active F
+  comment "CHAT Yahoo IM conference logon success"
+  comment "informational only"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/chat.rules
+</augment>
+
+<augment 2439-3>
+  active T
+  comment "WEB-CLIENT RealPlayer playlist http URL overflow attempt"
+  comment pcre: /^http\x3a\x2f\x2f[^\n]{400}/smi
+  payload /((^)|(\n+))[hH][tT]{2}[pP]\x3a\x2f\x2f[^\n]{400}/
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-client.rules
+</augment>
+
+<augment 2472-3>
+  active T
+  comment "NETBIOS SMB-DS C$ share unicode access"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/netbios.rules
+</augment>
+
+<augment 1070-7>
+  active T
+  comment "WEB-MISC WebDAV search access"
+  requires-signature http_iis_server
+  http /((^)|(\n+))[sS][eE][aA][rR][cC][hH]/
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  # sigaction SIG_SUMMARY
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+  <delete>
+    payload /.{0,1}[sS][eE][aA][rR][cC][hH] /
+  </delete>
+</augment>
+
+<augment 283-10>
+  active T
+  comment "EXPLOIT Netscape 4.7 client overflow"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/exploit.rules
+</augment>
+
+<augment 947-6>
+  active T
+  comment "WEB-FRONTPAGE orders.txt access"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-frontpage.rules
+</augment>
+
+<augment 2126-6>
+  active F
+  comment "MISC Microsoft PPTP Start Control Request buffer overflow attempt"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/misc.rules
+</augment>
+
+<augment 1918-6>
+  active F
+  comment "SCAN SolarWinds IP scan attempt"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/scan.rules
+</augment>
+
+<augment 1358-5>
+  active T
+  comment "WEB-ATTACKS traceroute command attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-attacks.rules
+</augment>
+
+<augment 2236-5>
+  active T
+  comment "WEB-MISC spamrule.dll access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 376-7>
+  active F
+  comment "ICMP PING Microsoft Windows"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/icmp-info.rules
+</augment>
+
+<augment 2335-2>
+  active T
+  comment "FTP RMD / attempt"
+  requires-reverse-signature ! ftp_server_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/ftp.rules
+</augment>
+
+<augment 495-7>
+  active T
+  comment "ATTACK-RESPONSES command error"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/attack-responses.rules
+</augment>
+
+<augment 2523-6>
+  active F
+  comment "DOS BGP spoofed connection reset attempt"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/dos.rules
+</augment>
+
+<augment 1972-10>
+  active T
+  comment FTP PASS overflow attempt
+  comment "pcre: /^PASS\s[^\n]{100}/smi"
+  eval dataSizeG100
+  ftp "/((^)|(\n+))[pP][aA][sS][sS][\x20\x09\x0b][^\n]{100}/"
+  requires-reverse-signature ! ftp_server_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/ftp.rules
+  <delete>
+    payload "/.*[pP][aA][sS][sS]/"
+  </delete>
+</augment>
+
+<augment 2374-4>
+  active T
+  comment FTP NLST overflow attempt
+  comment "pcre: /^NLST\s[^\n]{100}/smi"
+  eval dataSizeG100
+  ftp "/((^)|(\n+))[nNlLsStT][\x20\x09\x0b][^\n]{100}/"
+  requires-reverse-signature ! ftp_server_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/ftp.rules
+  <delete>
+    payload "/.*[nN][lL][sS][tT]/"
+  </delete>
+</augment>
+
+<augment 2088-5>
+  active T
+  comment "RPC ypupdated arbitrary command attempt UDP"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 327-8>
+  active T
+  comment "FINGER remote command pipe execution attempt"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/finger.rules
+</augment>
+
+<augment 2535-3>
+  active F
+  comment "POP3 SSLv3 Client_Hello request"
+  requires-reverse-signature ! pop_return_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/pop3.rules
+</augment>
+
+<augment 317-6>
+  active T
+  comment "EXPLOIT x86 Linux mountd overflow"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/exploit.rules
+</augment>
+
+<augment 856-5>
+  active T
+  comment "WEB-CGI environ.cgi access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1527-7>
+  active T
+  comment "WEB-MISC basilix mysql.class access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 1065-6>
+  active T
+  comment "WEB-MISC rcmd attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 1324-6>
+  active T
+  comment "EXPLOIT ssh CRC32 overflow /bin/sh"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/exploit.rules
+</augment>
+
+<augment 507-4>
+  active T
+  comment "MISC PCAnywhere Attempted Administrator Login"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/misc.rules
+</augment>
+
+<augment 899-8>
+  active T
+  comment "WEB-CGI Amaya templates sendtemp.pl directory traversal attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 2337-7>
+  active T
+  comment "TFTP PUT filename overflow attempt"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/tftp.rules
+</augment>
+
+<augment 819-7>
+  active F
+  comment "WEB-CGI mmstdod.cgi access"
+  comment "informational only"
+  comment "old signature from 03-01-2001"
+  requires-reverse-signature ! http_error
+  http /.*[\/\\]smartsearch\.cgi.*\|/
+  <delete>
+  	http /.*[\/\\]smartsearch\.cgi/
+  </delete>
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1743-5>
+  active T
+  comment "WEB-PHP Blahz-DNS dostuff.php access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-php.rules
+</augment>
+
+<augment 1083-6>
+  active T
+  comment "WEB-MISC unify eWave ServletExec DOS"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 2228-4>
+  active T
+  comment "WEB-PHP phpMyAdmin db_details_importdocsql.php access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-php.rules
+</augment>
+
+<augment 979-9>
+  active T
+  comment "WEB-IIS ASP contents view"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-iis.rules
+</augment>
+
+<augment 1230-8>
+  active T
+  comment "WEB-MISC VirusWall FtpSave access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 2377-3>
+  active T
+  comment "EXPLOIT ISAKMP second payload certificate request length overflow attempt"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/exploit.rules
+</augment>
+
+<augment 905-7>
+  active T
+  comment "WEB-COLDFUSION application.cfm access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-coldfusion.rules
+</augment>
+
+<augment 1759-5>
+  active T
+  comment "MS-SQL xp_cmdshell program execution 445"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/sql.rules
+</augment>
+
+<augment 1585-4>
+  active T
+  comment "WEB-MISC Domino agentrunner.nsf access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 965-6>
+  active T
+  comment "WEB-FRONTPAGE writeto.cnf access"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-frontpage.rules
+</augment>
+
+<augment 2367-4>
+  active T
+  comment "WEB-PHP PhpGedView PGV functions.php base directory manipulation attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-php.rules
+</augment>
+
+<augment 980-7>
+  active T
+  comment "WEB-IIS CGImail.exe access"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-iis.rules
+</augment>
+
+<augment 2041-2>
+  active T
+  comment "MISC xtacacs failed login response"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/misc.rules
+</augment>
+
+<augment 1829-5>
+  active T
+  comment "WEB-MISC Tomcat TroubleShooter servlet access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 946-6>
+  active T
+  comment "WEB-FRONTPAGE fpadmcgi.exe access"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-frontpage.rules
+</augment>
+
+<augment 1593-10>
+  active T
+  comment "WEB-CGI FormHandler.cgi external site redirection attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 473-4>
+  active F
+  comment "ICMP redirect net"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/icmp.rules
+</augment>
+
+<augment 925-5>
+  active T
+  comment "WEB-COLDFUSION mainframeset access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-coldfusion.rules
+</augment>
+
+<augment 1195-8>
+  active T
+  comment "WEB-CGI sojourn.cgi access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1899-8>
+  active T
+  comment "EXPLOIT kadmind buffer overflow attempt"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/exploit.rules
+</augment>
+
+<augment 1907-10>
+  active T
+  comment "RPC CMSD UDP CMSD_CREATE buffer overflow attempt"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 2203-6>
+  active T
+  comment "WEB-CGI everythingform.cgi access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 993-7>
+  active T
+  comment "WEB-IIS iisadmin access"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-iis.rules
+</augment>
+
+<augment 2567-1>
+  active T
+  comment "WEB-CGI Emumail init.emu access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1649-7>
+  active T
+  comment "WEB-CGI perl command attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 2497-6>
+  active T
+  comment "IMAP SSLv3 invalid data version attempt"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/imap.rules
+</augment>
+
+<augment 2055-2>
+  active F
+  comment "WEB-CGI enter_bug.cgi access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+  comment "Informational only"
+</augment>
+
+<augment 1213-5>
+  active T
+  comment "WEB-MISC backup access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 1631-6>
+  active F
+  comment "CHAT AIM login"
+  comment "informational only"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/chat.rules
+</augment>
+
+<augment 466-4>
+  active F
+  comment "ICMP L3retriever Ping"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/icmp.rules
+</augment>
+
+<augment 917-7>
+  active T
+  comment "WEB-COLDFUSION db connections flush attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-coldfusion.rules
+</augment>
+
+<augment 697-8>
+  active T
+  comment "MS-SQL/SMB xp_peekqueue possible buffer overflow"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/sql.rules
+</augment>
+
+<augment 1152-5>
+  active T
+  comment "WEB-MISC Domino domlog.nsf access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 1283-9>
+  active T
+  comment "WEB-IIS outlook web dos"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-iis.rules
+</augment>
+
+<augment 1462-5>
+  active T
+  comment "WEB-CGI bb-replog.sh access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 805-10>
+  active F
+  comment "WEB-CGI webspeed access"
+  comment "informational only, not exploit worthy"
+  comment "old signature from 2000"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1266-10>
+  active T
+  comment "RPC portmap mountd request TCP"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 1204-6>
+  active T
+  comment "WEB-CGI ax-admin.cgi access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1010-7>
+  active T
+  comment "WEB-IIS encoding access"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-iis.rules
+</augment>
+
+<augment 482-5>
+  active F
+  comment "ICMP PING WhatsupGold Windows"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/icmp.rules
+</augment>
+
+<augment 688-6>
+  active T
+  comment "MS-SQL sa login failed"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/sql.rules
+</augment>
+
+<augment 890-10>
+  active T
+  comment "WEB-CGI sendform.cgi access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 587-8>
+  active T
+  comment "RPC portmap status request UDP"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 1401-4>
+  active T
+  comment "WEB-IIS /msadc/samples/ access"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-iis.rules
+</augment>
+
+<augment 355-5>
+  active T
+  comment "FTP pass wh00t"
+  requires-reverse-signature ! ftp_server_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/ftp.rules
+</augment>
+
+<augment 405-6>
+  active F
+  comment "ICMP Destination Unreachable Source Host Isolated"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/icmp-info.rules
+</augment>
+
+<augment 828-5>
+  active T
+  comment "WEB-CGI maillist.pl access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 238-6>
+  active F
+  comment "DDOS TFN server response"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/ddos.rules
+</augment>
+
+<augment 2148-4>
+  active T
+  comment "WEB-PHP BLNews objects.inc.php4 access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-php.rules
+</augment>
+
+<augment 1103-8>
+  active T
+  comment "WEB-MISC Netscape admin passwd"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 2419-2>
+  active F
+  comment "MULTIMEDIA realplayer .ram playlist download attempt"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/multimedia.rules
+</augment>
+
+<augment 410-5>
+  active F
+  comment "ICMP Fragment Reassembly Time Exceeded"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/icmp-info.rules
+</augment>
+
+<augment 2082-9>
+  active T
+  comment "RPC portmap rpc.xfsmd request TCP"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 929-7>
+  active T
+  comment "WEB-COLDFUSION CFUSION_VERIFYMAIL access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-coldfusion.rules
+</augment>
+
+<augment 2281-2>
+  active T
+  comment "WEB-PHP Setup.php access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-php.rules
+</augment>
+
+<augment 2226-5>
+  active T
+  comment "WEB-PHP pmachine remote file include attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-php.rules
+</augment>
+
+<augment 413-5>
+  active F
+  comment "ICMP IPV6 Where-Are-You"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/icmp-info.rules
+</augment>
+
+<augment 564-7>
+  active F
+  comment "P2P Napster Client Data"
+  comment "informational only"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/p2p.rules
+</augment>
+
+<augment 1747-11>
+  active T
+  comment "RPC portmap cachefsd request TCP"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 644-5>
+  active T
+  comment "SHELLCODE sparc NOOP"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/shellcode.rules
+</augment>
+
+<augment 1375-6>
+  active T
+  comment "WEB-MISC sadmind worm access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 1719-4>
+  active T
+  comment "WEB-CGI talkback.cgi directory traversal attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1507-9>
+  active T
+  comment "WEB-CGI alibaba.pl arbitrary command execution attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1081-10>
+  active T
+  comment "WEB-MISC Netscape Servers suite DOS"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 1943-3>
+  active T
+  comment "WEB-MISC /Carello/add.exe access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 1815-4>
+  active T
+  comment "WEB-PHP directory.php arbitrary command attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-php.rules
+</augment>
+
+<augment 2011-4>
+  active T
+  comment "MISC CVS invalid directory response"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/misc.rules
+</augment>
+
+<augment 1260-10>
+  active T
+  comment "WEB-MISC long basic authorization string"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 1602-6>
+  active T
+  comment "WEB-CGI htsearch access"
+  comment "add sanity checking to sig to reduce noise"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+  <delete>
+	http /.*[\/\\]htsearch/
+  </delete>
+  http /.*[\/\\]htsearch\x3f.*\x3d[\x22\x60].*[\x22\x60].* /
+</augment>
+
+<augment 216-6>
+  active T
+  comment "BACKDOOR MISC Linux rootkit satori attempt"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/backdoor.rules
+</augment>
+
+<augment 1891-8>
+  active T
+  comment "RPC status GHBN format string attack"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 1526-8>
+  active T
+  comment "WEB-MISC basilix sendmail.inc access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 2195-6>
+  active T
+  comment "WEB-CGI alert.cgi access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 2462-6>
+  active T
+  comment "EXPLOIT IGMP IGAP account overflow attempt"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/exploit.rules
+</augment>
+
+<augment 1220-5>
+  active T
+  comment "WEB-MISC ultraboard access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 1854-7>
+  active T
+  comment "DDOS Stacheldraht handler->agent niggahbitch"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/ddos.rules
+</augment>
+
+<augment 277-5>
+  active F
+  comment "DOS Real Server template.html"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/dos.rules
+</augment>
+
+<augment 469-3>
+  active F
+  comment "ICMP PING NMAP"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/icmp.rules
+</augment>
+
+<augment 1532-7>
+  active T
+  comment "WEB-CGI bb-hostscv.sh attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 281-5>
+  active T
+  comment "DOS Ascend Route"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/dos.rules
+</augment>
+
+<augment 258-6>
+  active F
+  comment "DNS EXPLOIT named 8.2->8.2.1"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/dns.rules
+</augment>
+
+<augment 959-6>
+  active T
+  comment "WEB-FRONTPAGE service.pwd"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-frontpage.rules
+</augment>
+
+<augment 2559-2>
+  active T
+  comment "EXPLOIT Oracle Web Cache COPY overflow attempt"
+  comment pcre: /^COPY[^s]{432}/sm
+  payload /((^)|(\n+))COPY[^s]{432}/
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/exploit.rules
+  <delete>
+    payload /.*COPY/
+  </delete>
+</augment>
+
+<augment 2149-1>
+  active T
+  comment "WEB-PHP Turba status.php access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-php.rules
+</augment>
+
+<augment 2237-5>
+  active T
+  comment "WEB-MISC cgiWebupdate.exe access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 1084-8>
+  active T
+  comment "WEB-MISC Allaire JRUN DOS attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 2073-3>
+  active T
+  comment "WEB-MISC globals.pl access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 1374-5>
+  active T
+  comment "WEB-ATTACKS .htgroup access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  <delete>
+  	http /.*\.htgroup/
+  </delete>
+  http /.*\.htgroup[\x20\x09\x0b]*$/
+  snort-rule-file snort_rules/rules2.2/web-attacks.rules
+</augment>
+
+<augment 1128-5>
+  active T
+  comment "WEB-MISC cpshost.dll access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 1122-5>
+  active T
+  comment "WEB-MISC /etc/passwd"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+  payload /.*\/[eE][tT][cC]\/[pP][aA][sS][sS][wW][dD].{1,}root:x:0:0/
+  <delete>
+  	payload /.*\/[eE][tT][cC]\/[pP][aA][sS][sS][wW][dD]/
+  </delete>
+</augment>
+
+<augment 1012-10>
+  active T
+  comment "WEB-IIS fpcount attempt"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-iis.rules
+</augment>
+
+<augment 645-5>
+  active T
+  comment "SHELLCODE sparc NOOP"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/shellcode.rules
+</augment>
+
+<augment 1398-10>
+  active T
+  comment "EXPLOIT CDE dtspcd exploit attempt"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/exploit.rules
+</augment>
+
+<augment 2543-3>
+  active F
+  comment "SMTP TLS SSLv3 Server_Hello request"
+  requires-reverse-signature ! smtp_server_fail
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/smtp.rules
+</augment>
+
+<augment 2139-5>
+  active T
+  comment "WEB-MISC /*.shtml access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 229-5>
+  active T
+  comment "DDOS Stacheldraht client check skillz"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/ddos.rules
+</augment>
+
+<augment 373-6>
+  active F
+  comment "ICMP PING Flowpoint2200 or Network Management Software"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/icmp-info.rules
+</augment>
+
+<augment 969-5>
+  active T
+  comment "WEB-IIS WebDAV file lock attempt"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-iis.rules
+</augment>
+
+<augment 1087-8>
+  active T
+  comment "WEB-MISC whisker tab splice attack"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 842-7>
+  active T
+  comment "WEB-CGI aglimpse access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 2146-3>
+  active T
+  comment "WEB-PHP TextPortal admin.php default password 12345 attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-php.rules
+</augment>
+
+<augment 1866-10>
+  active T
+  comment POP3 USER overflow attempt
+  comment "pcre: /^USER\s[^\n]{50,}/smi"
+  payload "/((^)|(\n+))[uU][sS][eE][rR][\x20\x09\x0b][^\n]{50,}/"
+  requires-reverse-signature ! pop_return_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/pop3.rules
+  <delete>
+    payload "/.*[uU][sS][eE][rR]/"
+  </delete>
+</augment>
+
+<augment 1906-8>
+  active T
+  comment "RPC AMD TCP amqproc_mount plog overflow attempt"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 2175-5>
+  active T
+  comment "NETBIOS SMB winreg unicode access"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/netbios.rules
+</augment>
+
+<augment 1699-7>
+  active F
+  comment "P2P Fastrack kazaa/morpheus traffic"
+  comment "informational only"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/p2p.rules
+</augment>
+
+<augment 498-6>
+  active T
+  comment "ATTACK-RESPONSES id check returned root"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/attack-responses.rules
+</augment>
+
+<augment 976-10>
+  active T
+  comment "WEB-IIS .bat? access"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-iis.rules
+</augment>
+
+<augment 907-5>
+  active T
+  comment "WEB-COLDFUSION addcontent.cfm access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-coldfusion.rules
+</augment>
+
+<augment 2177-4>
+  active T
+  comment "NETBIOS SMB startup folder unicode access"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/netbios.rules
+</augment>
+
+<augment 616-4>
+  active T
+  comment "SCAN ident version request"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/scan.rules
+</augment>
+
+<augment 2562-3>
+  active T
+  comment "WEB-MISC McAfee ePO file upload attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 183-4>
+  active F
+  comment "BACKDOOR SIGNATURE - Q ICMP"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/backdoor.rules
+</augment>
+
+<augment 1472-9>
+  active F
+  comment "WEB-CGI book.cgi access"
+  comment "informational only"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1393-12>
+  active T
+  comment "MISC AIM AddGame attempt"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/misc.rules
+</augment>
+
+<augment 893-7>
+  active T
+  comment "WEB-CGI MachineInfo access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 115-5>
+  active T
+  comment "BACKDOOR netbus active"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/backdoor.rules
+</augment>
+
+<augment 2100-2>
+  active T
+  comment "BACKDOOR SubSeven 2.1 Gold server connection response"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/backdoor.rules
+</augment>
+
+<augment 450-8>
+  active F
+  comment "ICMP Time-To-Live Exceeded in Transit undefined code"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/icmp-info.rules
+</augment>
+
+<augment 2087-5>
+  active T
+  comment "Sendmail SMTP From comment overflow attempt"
+  requires-reverse-signature ! smtp_server_fail
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/smtp.rules
+  payload /.*From\x3A<><><><><><><><><><><><><><><><><><><><><><>.{1}\x28.{1}\x29/
+  <delete>
+  	payload /.*From\x3A.*.*<><><><><><><><><><><><><><><><><><><><><><>.{1}.*\x28.{1}.*\x29/
+  </delete>
+</augment>
+
+<augment 951-10>
+  active T
+  comment "WEB-FRONTPAGE authors.pwd access"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-frontpage.rules
+</augment>
+
+<augment 1395-8>
+  active T
+  comment "WEB-CGI zml.cgi attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1198-7>
+  active T
+  comment "WEB-MISC Netscape Enterprise Server directory view"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 1563-6>
+  active T
+  comment "WEB-MISC login.htm attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 1290-10>
+  active F
+  comment "WEB-CLIENT readme.eml autoload attempt"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-client.rules
+</augment>
+
+<augment 2549-1>
+  active T
+  comment "MISC HP Web JetAdmin file write attempt"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/misc.rules
+</augment>
+
+<augment 1403-5>
+  active T
+  comment "WEB-MISC viewcode access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 966-9>
+  active T
+  comment "WEB-FRONTPAGE .... request"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-frontpage.rules
+</augment>
+
+<augment 843-7>
+  active T
+  comment "WEB-CGI anform2 access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1191-6>
+  active T
+  comment "WEB-MISC Netscape Enterprise Server directory view"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 1413-10>
+  active T
+  comment "SNMP private access udp"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/snmp.rules
+</augment>
+
+<augment 1533-7>
+  active T
+  comment "WEB-CGI bb-hostscv.sh access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1092-7>
+  active T
+  comment "WEB-CGI Armada Style Master Index directory traversal"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 331-10>
+  active T
+  comment "FINGER cybercop query"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/finger.rules
+</augment>
+
+<augment 1577-4>
+  active T
+  comment "WEB-MISC Domino setup.nsf access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 2496-5>
+  active F
+  comment "NETBIOS SMB-DS DCEPRC ORPCThis request flood attempt"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/netbios.rules
+</augment>
+
+<augment 471-3>
+  active T
+  comment "ICMP icmpenum v1.1.1"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/icmp.rules
+</augment>
+
+<augment 2120-3>
+  active T
+  comment IMAP create literal buffer overflow attempt
+  comment pcre: /\sCREATE\s[^\n]*?\s\{/smi
+  payload /((^)|(\n+))[\x20\x09\x0b][cC][rR][eE][aA][tT][eE][\x20\x09\x0b][^\n]*?\s\{/
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/imap.rules
+  <delete>
+    payload /.*[cC][rR][eE][aA][tT][eE]/
+  </delete>
+</augment>
+
+<augment 1436-4>
+  active F
+  comment "MULTIMEDIA Quicktime User Agent access"
+  comment "informational only, not exploit worthy"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/multimedia.rules
+</augment>
+
+<augment 302-6>
+  active T
+  comment "EXPLOIT Redhat 7.0 lprd overflow"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/exploit.rules
+</augment>
+
+<augment 1077-6>
+  active T
+  comment "WEB-MISC queryhit.htm access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 248-4>
+  active F
+  comment "DDOS mstream handler to client"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/ddos.rules
+</augment>
+
+<augment 1467-7>
+  active T
+  comment "WEB-CGI directorypro.cgi access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 867-9>
+  active T
+  comment "WEB-CGI visadmin.exe access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 2201-5>
+  active T
+  comment "WEB-CGI download.cgi access"
+  comment "add f=../ to sig for refinement"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+  http /.*[\/\\]download\.cgi.*f\x3d\x2e\x2e\x2f.* /
+  <delete>
+	http /.*[\/\\]download\.cgi/
+  </delete>
+</augment>
+
+<augment 1908-9>
+  active T
+  comment "RPC CMSD TCP CMSD_CREATE buffer overflow attempt"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 1357-5>
+  active T
+  comment "WEB-ATTACKS nt admin addition attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-attacks.rules
+</augment>
+
+<augment 1175-10>
+  active T
+  comment "WEB-MISC wwwboard.pl access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 1905-8>
+  active T
+  comment "RPC AMD UDP amqproc_mount plog overflow attempt"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 1957-5>
+  active T
+  comment "RPC sadmind UDP PING"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 1495-6>
+  active T
+  comment "WEB-CGI SIX webboard generate.cgi access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1628-10>
+  active T
+  comment "WEB-CGI FormHandler.cgi directory traversal attempt attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1778-4>
+  active T
+  comment "FTP EXPLOIT STAT ? dos attempt"
+  requires-reverse-signature ! ftp_server_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/ftp.rules
+</augment>
+
+<augment 2266-4>
+  active T
+  comment SMTP SOML FROM sendmail prescan too long addresses overflow
+  comment pcre: /^SOML FROM\x3a\s+[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}/smi
+  payload /((^)|(\n+))[sS][oO][mM][lL] [fF][rR][oO][mM]:[\x20\x09\x0b]+[a-zA-Z0-9_\x20\x09\x0b@\.]{0,200}\x3b[a-zA-Z0-9_\x20\x09\x0b@\.]{200,}\x3b[a-zA-Z0-9_\x20\x09\x0b@\.]{0,200}/
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/smtp.rules
+  <delete>
+    payload /.*[sS][oO][mM][lL] [fF][rR][oO][mM]\x3A/
+  </delete>
+</augment>
+
+<augment 1293-10>
+  active T
+  comment "NETBIOS nimda .eml"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/netbios.rules
+</augment>
+
+<augment 1446-6>
+  active T
+  comment SMTP vrfy root
+  comment pcre: /^vrfy\s+root/smi
+  payload /((^)|(\n+))[vV][rR][fF][yY][\x20\x09\x0b]+[rR][oO][oO][tT]/
+  sigaction SIG_FILE
+  requires-reverse-signature ! smtp_server_fail
+  snort-rule-file snort_rules/rules2.2/smtp.rules
+  <delete>
+    payload /.*[vV][rR][fF][yY].{1}.*[rR][oO][oO][tT]/
+  </delete>
+</augment>
+
+<augment 2384-8>
+  active T
+  comment "NETBIOS SMB NTLMSSP invalid mechlistMIC attempt"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/netbios.rules
+</augment>
+
+<augment 1119-7>
+  active T
+  comment "WEB-MISC mlog.phtml access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 2178-13>
+  active T
+  comment FTP USER format string attempt
+  comment pcre: /^USER\s[^\n]*?%[^\n]*?%/smi
+  ftp /((^)|(\n+))[uU][sS][eE][rR][\x20\x09\x0b][^\n]*?%[^\n]*?%/
+  requires-reverse-signature ! ftp_server_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/ftp.rules
+  <delete>
+    payload /.*[uU][sS][eE][rR]/
+  </delete>
+</augment>
+
+<augment 854-7>
+  active T
+  comment "WEB-CGI classifieds.cgi access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 2220-6>
+  active T
+  comment "WEB-CGI simplestmail.cgi access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 931-6>
+  active T
+  comment "WEB-COLDFUSION cfmlsyntaxcheck.cfm access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-coldfusion.rules
+</augment>
+
+<augment 1806-7>
+  active T
+  comment "WEB-IIS .htr chunked Transfer-Encoding"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-iis.rules
+</augment>
+
+<augment 2492-5>
+  active F
+  comment "NETBIOS SMB DCERPC ISystemActivator bind attempt"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/netbios.rules
+</augment>
+
+<augment 1715-4>
+  active T
+  comment "WEB-CGI register.cgi access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  http /.*[\/\\]register\.cgi/
+  payload /SEND_MAIL/
+  <delete>
+  	http /.*[\/\\]register\.cgi/
+  </delete>
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+  comment "Informational only"
+</augment>
+
+<augment 2574-1>
+  active T
+  comment "FTP RETR format string attempt"
+  comment pcre: /^RETR\s[^\n]*?%[^\n]*?%/smi
+  ftp /((^)|(\n+))[rR][eE][tT][rR][\x20\x09\x0b][^\n]*?%[^\n]*?%/
+  requires-reverse-signature ! ftp_server_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/ftp.rules
+  <delete>
+    payload /.*[rR][eE][tT][rR]/
+  </delete>
+</augment>
+
+<augment 661-6>
+  active T
+  comment "SMTP majordomo ifs"
+  requires-reverse-signature ! smtp_server_fail
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/smtp.rules
+</augment>
+
+<augment 840-7>
+  active T
+  comment "WEB-CGI perlshop.cgi access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 2209-5>
+  active T
+  comment "WEB-CGI getdoc.cgi access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  <delete>
+  	http /.*[\/\\]getdoc\.cgi/
+  </delete>
+  http /.*[\/\\]getdoc\.cgi\?.*form-attachment.*command/
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1289-4>
+  active T
+  comment "TFTP GET Admin.dll"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/tftp.rules
+</augment>
+
+<augment 607-5>
+  active T
+  comment "RSERVICES rsh bin"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/rservices.rules
+</augment>
+
+<augment 679-6>
+  active T
+  comment "MS-SQL/SMB sp_adduser database user creation"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/sql.rules
+</augment>
+
+<augment 2326-3>
+  active T
+  comment "WEB-IIS sgdynamo.exe access"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-iis.rules
+</augment>
+
+<augment 1702-5>
+  active F
+  comment "WEB-CGI Amaya templates sendtemp.pl access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 915-5>
+  active T
+  comment "WEB-COLDFUSION evaluate.cfm access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-coldfusion.rules
+</augment>
+
+<augment 2033-8>
+  active T
+  comment "RPC ypserv maplist request UDP"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 835-9>
+  active T
+  comment "WEB-CGI test-cgi access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1333-6>
+  active T
+  comment WEB-ATTACKS id command attempt
+  http /.*;[iI][dD]([;|\x20\x09\x0b]|$)./
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-attacks.rules
+  <delete>
+    payload /.*\x3B[iI][dD]/
+  </delete>
+</augment>
+
+<augment 826-7>
+  active T
+  comment "WEB-CGI htmlscript access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 159-6>
+  active T
+  comment "BACKDOOR NetMetro File List"
+  dst-ip == local_nets
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/backdoor.rules
+</augment>
+
+<augment 1015-6>
+  active T
+  comment "WEB-IIS getdrvs.exe access"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-iis.rules
+</augment>
+
+<augment 1173-5>
+  active T
+  comment "WEB-MISC architext_query.pl access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 1104-9>
+  active T
+  comment "WEB-MISC whisker space splice attack"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+
+<augment 353-6>
+  active T
+  comment "FTP adm scan"
+  requires-reverse-signature ! ftp_server_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/ftp.rules
+</augment>
+
+<augment 1712-4>
+  active T
+  comment "WEB-CGI bslist.cgi access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 362-12>
+  active T
+  comment "FTP tar parameters"
+  requires-reverse-signature ! ftp_server_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/ftp.rules
+</augment>
+
+<augment 990-6>
+  active T
+  comment "WEB-IIS _vti_inf access"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-iis.rules
+</augment>
+
+<augment 1668-6>
+  active T
+  comment "WEB-CGI /cgi-bin/ access"
+  comment "under most conditions the root of cgi-bin should never return a list or valid document"
+  comment "tune for site specific"
+  http /.*[\/\\]cgi-bin[\/\\]$/
+  requires-reverse-signature ! http_error
+  <delete>
+  	http /.*[\/\\]cgi-bin[\/\\]/
+  	payload /.*\/[cC][gG][iI]-[bB][iI][nN]\/ [hH][tT][tT][pP]/
+  </delete>
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 2150-7>
+  active T
+  comment "WEB-PHP ttCMS header.php remote file include attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-php.rules
+</augment>
+
+<augment 2468-3>
+  active T
+  comment "NETBIOS SMB-DS D$ share access"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/netbios.rules
+</augment>
+
+<augment 2013-2>
+  active T
+  comment "MISC CVS invalid module response"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/misc.rules
+</augment>
+
+<augment 665-5>
+  active T
+  comment "SMTP sendmail 5.6.5 exploit"
+  requires-reverse-signature ! smtp_server_fail
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/smtp.rules
+</augment>
+
+<augment 1550-10>
+  active T
+  comment SMTP ETRN overflow attempt
+  comment pcre: /^ETRN\s[^\n]{500}/smi
+  payload /((^)|(\n+))[eE][tT][rR][nN]][\x20\x09\x0b][^\n]{500}/
+  sigaction SIG_LOG
+  requires-reverse-signature ! smtp_server_fail
+  snort-rule-file snort_rules/rules2.2/smtp.rules
+  <delete>
+    payload /.*ETRN/
+  </delete>
+</augment>
+
+<augment 1428-5>
+  active T
+  comment "MULTIMEDIA audio galaxy keepalive"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/multimedia.rules
+</augment>
+
+<augment 2260-5>
+  active T
+  comment SMTP VRFY overflow attempt
+  comment pcre: /^VRFY[^\n]{255,}/smi
+  payload /((^)|(\n+))[vV][rR][fF][yY][^\n]{255,}/
+  requires-reverse-signature ! smtp_server_fail
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/smtp.rules
+  <delete>
+    payload /.*[vV][rR][fF][yY]/
+  </delete>
+</augment>
+
+<augment 1024-8>
+  active T
+  comment "WEB-IIS newdsn.exe access"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-iis.rules
+</augment>
+
+<augment 2252-11>
+  active T
+  comment "NETBIOS SMB-DS DCERPC Remote Activation bind attempt"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/netbios.rules
+</augment>
+
+<augment 848-9>
+  active T
+  comment "WEB-CGI view-source directory traversal"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 2296-4>
+  active T
+  comment "WEB-PHP Advanced Poll admin_stats.php access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-php.rules
+</augment>
+
+<augment 1335-5>
+  active T
+  comment "WEB-ATTACKS kill command attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-attacks.rules
+</augment>
+
+<augment 2488-4>
+  active T
+  comment "SMTP WinZip MIME content-disposition buffer overflow"
+  comment pcre: /name=[^\r\n]*?\.(mim|uue|uu|b64|bhx|hqx|xxe)/smi
+  comment pcre: /name=s*[^\r\n\x3b\s\x2c]{300}/smi
+  payload /[nN][aA][mM][eE]=[^\r\n]*?\.(([mM][iI]]mM])|([uU]{2}[eE])|([uU]{2})|([bB]64)|([bB][hH][xX])|([hH][qQ][xX])|([xX]{2}[eE]))/
+  payload /[nN][aA][mM][eE]=s*[^\r\n\x3b\x20\x09\x0b\x2c]{300}/
+  requires-reverse-signature ! smtp_server_fail
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/smtp.rules
+</augment>
+
+<augment 1660-4>
+  active T
+  comment "WEB-IIS trace.axd access"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-iis.rules
+</augment>
+
+<augment 2018-4>
+  active T
+  comment "RPC mountd TCP dump request"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 1985-1>
+  active F
+  comment "BACKDOOR Doly 1.5 server response"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/backdoor.rules
+</augment>
+
+<augment 1308-5>
+  active T
+  comment "WEB-CGI sendmessage.cgi access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1323-6>
+  active F
+  comment "EXPLOIT rwhoisd format string attempt"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/exploit.rules
+</augment>
+
+<augment 1901-10>
+  active T
+  comment "ATTACK-RESPONSES successful kadmind buffer overflow attempt"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/attack-responses.rules
+</augment>
+
+<augment 2070-2>
+  active T
+  comment "WEB-MISC post32.exe arbitrary command attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 1164-10>
+  active T
+  comment "WEB-MISC shopping cart access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 706-7>
+  active T
+  comment "MS-SQL xp_peekqueue possible buffer overflow"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/sql.rules
+</augment>
+
+<augment 392-5>
+  active F
+  comment "ICMP Datagram Conversion Error"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/icmp-info.rules
+</augment>
+
+<augment 1384-8>
+  active T
+  comment "MISC UPnP malformed advertisement"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/misc.rules
+</augment>
+
+<augment 823-6>
+  active F
+  comment "WEB-CGI cvsweb.cgi access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+  comment "informational only"
+</augment>
+
+<augment 1156-6>
+  active T
+  comment "WEB-MISC apache DOS attempt"
+  requires-signature ! http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 1742-5>
+  active T
+  comment "WEB-PHP Blahz-DNS dostuff.php modify user attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-php.rules
+</augment>
+
+<augment 155-5>
+  active T
+  comment "BACKDOOR NetSphere 1.31.337 access"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/backdoor.rules
+</augment>
+
+<augment 1217-7>
+  active T
+  comment "WEB-MISC plusmail access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 1969-3>
+  active T
+  comment "WEB-MISC ion-p remote file access"
+  dst-ip == local_nets
+  http /.*[\/\\]ion-p\?.*(c:\\|\.\.\/)/
+  requires-reverse-signature ! http_error
+  <delete>
+  	http /.*[\/\\]ion-p/
+  </delete>
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 2176-4>
+  active T
+  comment "NETBIOS SMB startup folder access"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/netbios.rules
+</augment>
+
+<augment 1438-6>
+  active F
+  comment "MULTIMEDIA Windows Media Video download"
+  comment "informational only"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/multimedia.rules
+</augment>
+
+<augment 988-7>
+  active T
+  comment "WEB-IIS SAM Attempt"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-iis.rules
+</augment>
+
+<augment 2541-5>
+  active F
+  comment "SMTP TLS SSLv3 invalid data version attempt"
+  requires-reverse-signature ! smtp_server_fail
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/smtp.rules
+</augment>
+
+<augment 983-9>
+  active T
+  comment "WEB-IIS unicode directory traversal attempt"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-iis.rules
+</augment>
+
+<augment 1950-5>
+  active T
+  comment "RPC portmap SET attempt UDP 111"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 1130-5>
+  active T
+  comment "WEB-MISC .wwwacl access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 1434-5>
+  active T
+  comment "WEB-MISC .bash_history access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 864-7>
+  active T
+  comment "WEB-CGI day5datanotifier.cgi access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1118-5>
+  active T
+  comment "WEB-MISC ls%20-l"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 2256-3>
+  active T
+  comment "RPC sadmind query with root credentials attempt UDP"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 2239-3>
+  active T
+  comment "WEB-MISC redirect.exe access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 2570-6>
+  active T
+  comment "WEB-MISC Invalid HTTP Version String"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 2542-3>
+  active F
+  comment "SMTP TLS SSLv3 Client_Hello request"
+  requires-reverse-signature ! smtp_server_fail
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/smtp.rules
+</augment>
+
+<augment 895-7>
+  active F
+  comment "WEB-CGI redirect access"
+  comment "sig too general for general use"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 654-13>
+  active T
+  comment SMTP RCPT TO overflow
+  comment pcre: /^RCPT TO\s[^\n]{300}/ism
+  payload /((^)|(\n+))[rR][cC][pP][tT] [tT][oO][\x20\x09\x0b][^\n]{300}/
+  sigaction SIG_LOG
+  requires-reverse-signature ! smtp_server_fail
+  snort-rule-file snort_rules/rules2.2/smtp.rules
+</augment>
+
+<augment 2435-2>
+  active F
+  comment "WEB-CLIENT Microsoft emf metafile access"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-client.rules
+  comment "Informational only"
+</augment>
+
+<augment 1516-10>
+  active T
+  comment "WEB-CGI envout.bat arbitrary command execution attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 260-9>
+  active T
+  comment "DNS EXPLOIT named overflow ADMROCKS"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/dns.rules
+</augment>
+
+<augment 2455-3>
+  active F
+  comment "CHAT Yahoo IM conference message"
+  comment "informational only"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/chat.rules
+</augment>
+
+<augment 312-6>
+  active F
+  comment "EXPLOIT ntpdx overflow attempt"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/exploit.rules
+  comment "Too general"
+  comment "Better handled by the ntp.bro policy"
+</augment>
+
+<augment 1199-11>
+  active T
+  comment "WEB-MISC Compaq Insight directory traversal"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 2327-2>
+  active T
+  comment "WEB-MISC bsml.pl access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 2259-5>
+  active T
+  comment SMTP EXPN overflow attempt
+  comment "pcre: /^EXPN[^\n]{255,}/smi"
+  payload "/((^)|(\n+))[eE][xX][pP][nN][^\n]{255,}/"
+  requires-reverse-signature ! smtp_server_fail
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/smtp.rules
+  <delete>
+    payload "/.*[eE][xX][pP][nN]/"
+  </delete>
+</augment>
+
+<augment 2280-2>
+  active T
+  comment "WEB-PHP Title.php access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-php.rules
+</augment>
+
+<augment 2106-7>
+  active T
+  comment IMAP lsub overflow attempt
+  comment "pcre: /\sLSUB\s[^\n]{100}/smi"
+  payload "/((^)|(\n+))[\x20\x09\x0b][lL][sS][uU][bB][\x20\x09\x0b][^\n]{100}/"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/imap.rules
+  <delete>
+    payload "/.*LSUB/"
+  </delete>
+</augment>
+
+<augment 646-5>
+  active T
+  comment "SHELLCODE sparc NOOP"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/shellcode.rules
+</augment>
+
+<augment 1141-10>
+  active F
+  comment "WEB-MISC handler access"
+  comment "Disabled because it is too general"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 1273-10>
+  active T
+  comment "RPC portmap selection_svc request TCP"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 1451-6>
+  active T
+  comment "WEB-CGI NPH-publish access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1701-4>
+  active T
+  comment "WEB-CGI calendar-admin.pl access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1716-6>
+  active T
+  dst-ip == local_nets
+  payload /_MAILTO.*\;/
+  comment "WEB-CGI gbook.cgi access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1149-12>
+  active F
+  comment "WEB-CGI count.cgi access"
+  comment "circa '97, remove rule as too general"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 593-18>
+  active T
+  comment "RPC portmap snmpXdmi request TCP"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 407-7>
+  active F
+  comment "ICMP Destination Unreachable cndefined code"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/icmp-info.rules
+</augment>
+
+<augment 1812-5>
+  active T
+  comment "EXPLOIT gobbles SSH exploit attempt"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/exploit.rules
+</augment>
+
+<augment 2002-4>
+  active T
+  comment "WEB-PHP remote include path"
+  comment "add better rule"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-php.rules
+  <delete>
+	http /.*\.php/
+  </delete>
+  http /.*\.php.*[pP][aA][tT][hH]\x3d(http|https|ftp)\x2fi/
+</augment>
+
+<augment 1423-12>
+  active T
+  comment "WEB-PHP content-disposition memchr overflow"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-php.rules
+</augment>
+
+<augment 2525-6>
+  active F
+  comment "NETBIOS SMB DCERPC LSASS direct bind attempt"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/netbios.rules
+</augment>
+
+<augment 672-6>
+  active T
+  comment SMTP vrfy decode
+  comment "pcre: /^vrfy\s+decode/smi"
+  payload "/((^)|(\n+))[vV][rR][fF][yY][\x20\x09\x0b]+[dD][eE][cC][oO][dD][eE]/"
+  requires-reverse-signature ! smtp_server_fail
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/smtp.rules
+  <delete>
+    payload "/.*[vV][rR][fF][yY].{1}.*[dD][eE][cC][oO][dD][eE]/"
+  </delete>
+</augment>
+
+<augment 1624-5>
+  active T
+  comment "FTP large PWD command"
+  requires-reverse-signature ! ftp_server_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/ftp.rules
+</augment>
+
+<augment 2204-6>
+  active T
+  comment "WEB-CGI ezadmin.cgi access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 301-7>
+  active T
+  comment "EXPLOIT LPRng overflow"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/exploit.rules
+</augment>
+
+<augment 2292-4>
+  active T
+  comment "WEB-PHP Advanced Poll admin_logout.php access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-php.rules
+</augment>
+
+<augment 2179-4>
+  active T
+  comment FTP PASS format string attempt
+  comment "pcre: /^PASS\s[^\n]*?%[^\n]*?%/smi"
+  ftp "/((^)|(\n+))[pP][aA][sS][sS]\x20\x09\x0b][^\n]*?%[^\n]*?%/"
+  requires-reverse-signature ! ftp_server_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/ftp.rules
+  <delete>
+    payload "/.*[pP][aA][sS][sS]/"
+  </delete>
+</augment>
+
+<augment 630-5>
+  active T
+  comment "SCAN synscan portscan"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/scan.rules
+</augment>
+
+<augment 147-5>
+  active T
+  comment "BACKDOOR GateCrasher"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/backdoor.rules
+</augment>
+
+<augment 304-9>
+  active F
+  comment "EXPLOIT SCO calserver overflow"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/exploit.rules
+</augment>
+
+<augment 2214-6>
+  active T
+  comment "WEB-CGI mailview.cgi access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1727-7>
+  active T
+  comment "WEB-CGI SGI InfoSearch fname access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1641-5>
+  active T
+  comment "DOS DB2 dos attempt"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/dos.rules
+</augment>
+
+<augment 1924-6>
+  active T
+  comment "RPC mountd UDP export request"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 1245-10>
+  active T
+  comment "WEB-IIS ISAPI .idq access"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-iis.rules
+</augment>
+
+<augment 2221-6>
+  active T
+  comment "WEB-CGI ws_mail.cgi access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 2507-6>
+  active F
+  comment "NETBIOS DCERPC LSASS bind attempt"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/netbios.rules
+</augment>
+
+<augment 1340-5>
+  active T
+  comment "WEB-ATTACKS tftp command attempt"
+  requires-reverse-signature ! http_error
+  requires-signature ! http_cool_dll
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-attacks.rules
+</augment>
+
+<augment 1476-5>
+  active T
+  comment "WEB-CGI sdbsearch.cgi access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 2193-9>
+  active T
+  comment "NETBIOS SMB-DS DCERPC ISystemActivator bind attempt"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/netbios.rules
+</augment>
+
+<augment 1869-5>
+  active T
+  comment "WEB-CGI story.pl access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1165-9>
+  active T
+  comment "WEB-MISC Novell Groupwise gwweb.exe access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 2215-6>
+  active T
+  comment "WEB-CGI nsManager.cgi access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 2267-4>
+  active T
+  comment SMTP MAIL FROM sendmail prescan too many addresses overflow
+  comment "pcre: /^MAIL FROM\x3a\s*[^\n]*?<[^\n]*?<[^\n]*? ..."
+  payload "/((^)|(\n+))[mM][aA][iI][lL] [fF][rR][oO][mM]\x3a\x20*[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?</"
+  requires-reverse-signature ! smtp_server_fail
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/smtp.rules
+  <delete>
+    payload /.*[mM][aA][iI][lL] [fF][rR][oO][mM]\x3A/
+  </delete>
+</augment>
+
+<augment 2255-3>
+  active T
+  comment "RPC sadmind query with root credentials attempt TCP"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 703-7>
+  active F
+  comment "MS-SQL/SMB xp_setsqlsecurity possible buffer overflow"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/sql.rules
+</augment>
+
+<augment 1211-6>
+  active T
+  comment "WEB-CGI web-map.cgi access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 2465-3>
+  active T
+  comment "NETBIOS SMB-DS IPC$ share access"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/netbios.rules
+</augment>
+
+<augment 1160-11>
+  active T
+  comment "WEB-MISC Netscape dir index wp"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 1082-8>
+  active F
+  comment "WEB-MISC amazon 1-click cookie theft"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 909-6>
+  active T
+  comment "WEB-COLDFUSION datasource username attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-coldfusion.rules
+</augment>
+
+<augment 1155-5>
+  active T
+  comment "WEB-MISC Ecommerce checks.txt access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 2287-4>
+  active T
+  comment "WEB-PHP Advanced Poll admin_comment.php access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-php.rules
+</augment>
+
+<augment 927-7>
+  active T
+  comment "WEB-COLDFUSION settings refresh attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-coldfusion.rules
+</augment>
+
+<augment 378-7>
+  active F
+  comment "ICMP PING Ping-O-MeterWindows"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/icmp-info.rules
+</augment>
+
+<augment 2544-3>
+  active F
+  comment "SMTP TLS SSLv3 invalid Client_Hello attempt"
+  requires-reverse-signature ! smtp_server_fail
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/smtp.rules
+</augment>
+
+<augment 1842-9>
+  active T
+  comment IMAP login buffer overflow attempt
+  comment "pcre: /\sLOGIN\s[^\n]{100}/smi"
+  payload "/((^)|(\n+))[\x20\x09\x0b]LOGIN[\x20\x09\x0b][^\n]{100}/"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/imap.rules
+  <delete>
+    payload "/.*LOGIN/"
+  </delete>
+</augment>
+
+<augment 932-7>
+  active T
+  comment "WEB-COLDFUSION application.cfm access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-coldfusion.rules
+</augment>
+
+<augment 499-4>
+  active F
+  comment "ICMP Large ICMP Packet"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/icmp.rules
+</augment>
+
+<augment 838-9>
+  active T
+  comment "WEB-CGI webgais access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 2448-2>
+  active T
+  comment "WEB-MISC setinfo.hts access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 465-3>
+  active T
+  comment "ICMP ISS Pinger"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/icmp.rules
+</augment>
+
+<augment 674-6>
+  active T
+  comment "MS-SQL xp_displayparamstmt possible buffer overflow"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/sql.rules
+</augment>
+
+<augment 590-12>
+  active T
+  comment "RPC portmap ypserv request UDP"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 1787-7>
+  active T
+  comment "WEB-CGI csPassword.cgi access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1244-10>
+  active T
+  comment "WEB-IIS ISAPI .idq attempt"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-iis.rules
+</augment>
+
+<augment 971-7>
+  active T
+  comment "WEB-IIS ISAPI .printer access"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-iis.rules
+</augment>
+
+<augment 1662-5>
+  active T
+  comment "WEB-MISC /~ftp access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 1054-7>
+  active T
+  comment WEB-MISC weblogic/tomcat .jsp view source attempt
+  comment "pcre: /^\w+\s+[^\n\s\?]*\.jsp/smi"
+  http "/((^)|(\n+))[a-zA-Z0-9_]+[\x20\x09\x0b]+[^\n\x20\x09\x0b\?]*\.[jJ][sS][pP]/"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+  <delete>
+    http "/.*\.jsp/"
+  </delete>
+</augment>
+
+<augment 1737-6>
+  active T
+  comment "WEB-PHP squirrel mail theme arbitrary command attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-php.rules
+</augment>
+
+<augment 1892-6>
+  active T
+  comment "SNMP null community string attempt"
+  requires-reverse-signature snmp_userver_ok_return
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/snmp.rules
+</augment>
+
+<augment 2269-4>
+  active T
+  comment SMTP RCPT TO sendmail prescan too many addresses overflow
+  comment "pcre: /^RCPT TO\x3a\s*[^\n]*?<[^\n]*?<[^\n]*?<"
+  payload "/((^)|(\n+))[rR][cC][pP][tT] [tT][oO]\x3a\x20*[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?</"
+  requires-reverse-signature ! smtp_server_fail
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/smtp.rules
+  <delete>
+    payload /.*[rR][cC][pP][tT] [tT][oO]\x3A/
+  </delete>
+</augment>
+
+<augment 1679-4>
+  active F
+  comment "ORACLE describe attempt"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/oracle.rules
+</augment>
+
+<augment 259-7>
+  active T
+  comment "DNS EXPLOIT named overflow ADM"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/dns.rules
+</augment>
+
+<augment 415-5>
+  active F
+  comment "ICMP Information Reply"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/icmp-info.rules
+</augment>
+
+<augment 2045-8>
+  active T
+  comment "RPC snmpXdmi overflow attempt UDP"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 2133-5>
+  active T
+  comment "WEB-IIS MS BizTalk server access"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-iis.rules
+</augment>
+
+<augment 2339-2>
+  active T
+  comment "TFTP NULL command attempt"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/tftp.rules
+</augment>
+
+<augment 1819-5>
+  active T
+  comment "MISC Alcatel PABX 4400 connection attempt"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/misc.rules
+</augment>
+
+<augment 1479-8>
+  active T
+  comment "WEB-CGI ttawebtop.cgi arbitrary file attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 995-10>
+  active T
+  comment "WEB-IIS ism.dll access"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-iis.rules
+</augment>
+
+<augment 1159-10>
+  active T
+  comment "WEB-MISC webplus access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 427-6>
+  active F
+  comment "ICMP Parameter Problem Unspecified Error"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/icmp-info.rules
+</augment>
+
+<augment 2091-8>
+  active T
+  comment "WEB-IIS WEBDAV nessus safe scan attempt"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-iis.rules
+</augment>
+
+<augment 1604-6>
+  active F
+  comment "WEB-MISC iChat directory traversal attempt"
+  comment "too general"
+  comment "old signature from 1999"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 381-6>
+  active F
+  comment "ICMP PING Sun Solaris"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/icmp-info.rules
+</augment>
+
+<augment 1117-6>
+  active T
+  comment "WEB-MISC Lotus EditDoc attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 1176-5>
+  active T
+  comment "WEB-MISC order.log access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 677-6>
+  active T
+  comment "MS-SQL/SMB sp_password password change"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/sql.rules
+</augment>
+
+<augment 871-7>
+  active T
+  comment "WEB-CGI survey.cgi access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 2489-2>
+  active T
+  comment "EXPLOIT esignal STREAMQUOTE buffer overflow attempt"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/exploit.rules
+</augment>
+
+<augment 1030-7>
+  active T
+  comment "WEB-IIS search97.vts access"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-iis.rules
+</augment>
+
+<augment 2539-3>
+  active F
+  comment "SMTP SSLv3 Server_Hello request"
+  requires-reverse-signature ! smtp_server_fail
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/smtp.rules
+</augment>
+
+<augment 1408-8>
+  active T
+  comment "DOS MSDTC attempt"
+  comment "change payload-size == 1024"
+  payload-size "== 1024"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/dos.rules
+</augment>
+
+<augment 1638-5>
+  active T
+  comment "SCAN SSH Version map attempt"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/scan.rules
+</augment>
+
+<augment 1133-11>
+  active T
+  comment "SCAN cybercop os probe"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/scan.rules
+</augment>
+
+<augment 2057-5>
+  active T
+  comment "WEB-MISC helpout.exe access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 1988-3>
+  active F
+  comment "CHAT MSN file transfer accept"
+  comment "informational only"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/chat.rules
+</augment>
+
+<augment 1625-5>
+  active F
+  comment "FTP large SYST command"
+  comment Too many false positives for normal FTP traffic
+  requires-reverse-signature ! ftp_server_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/ftp.rules
+</augment>
+
+<augment 417-5>
+  active F
+  comment "ICMP Information Request"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/icmp-info.rules
+</augment>
+
+<augment 1562-11>
+  active T
+  comment FTP SITE CHOWN overflow attempt
+  comment pcre: /^SITE\s+CHOWN\s[^\n]{100}/smi
+  eval dataSizeG100
+  ftp /((^)|(\n+))[sS][iI][tT][eE][\x20\x09\x0b]+[cC][hH][oO][wW][nN][\x20\x09\x0b][^\n]{100}/
+  requires-reverse-signature ! ftp_server_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/ftp.rules
+  <delete>
+    payload /.*[sS][iI][tT][eE].*.*[cC][hH][oO][wW][nN]/
+  </delete>
+</augment>
+
+<augment 1131-5>
+  active T
+  comment "WEB-MISC .wwwacl access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 2479-3>
+  active F
+  comment "NETBIOS SMB-DS DCERPC bind winreg unicode attempt"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/netbios.rules
+</augment>
+
+<augment 1849-7>
+  active T
+  comment "WEB-MISC webfind.exe access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 402-7>
+  active F
+  comment "ICMP Destination Unreachable Port Unreachable"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/icmp-info.rules
+</augment>
+
+<augment 1188-6>
+  active T
+  comment "WEB-MISC Netscape Enterprise Server directory view"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 250-4>
+  active T
+  comment "DDOS mstream handler to client"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/ddos.rules
+</augment>
+
+<augment 652-9>
+  active T
+  comment "SHELLCODE Linux shellcode"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/shellcode.rules
+</augment>
+
+<augment 1345-5>
+  active T
+  comment "WEB-ATTACKS /usr/bin/cpp command attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-attacks.rules
+</augment>
+
+<augment 1218-5>
+  active T
+  comment "WEB-MISC adminlogin access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 627-7>
+  active T
+  comment "SCAN cybercop os SFU12 probe"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/scan.rules
+</augment>
+
+<augment 1235-8>
+  active T
+  comment "WEB-MISC VirusWall FtpSaveCVP access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 1580-4>
+  active T
+  comment "WEB-MISC Domino events4.nsf access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 1711-4>
+  active T
+  comment "WEB-CGI bsguest.cgi access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1009-4>
+  active T
+  comment "WEB-IIS directory listing"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-iis.rules
+</augment>
+
+<augment 1544-5>
+  active T
+  comment "WEB-MISC Cisco Catalyst command execution attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 1915-9>
+  active T
+  comment "RPC STATD UDP monitor mon_name format string exploit attempt"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 2272-4>
+  active T
+  comment FTP LIST integer overflow attempt
+  comment "pcre: /^LIST\s+\x22-W\s+\d+/smi"
+  ftp "/((^)|(\n+))[lL][iI][sS][tT][\x20\x09\x0b]+\x22-W[\x20\x09\x0b]+[0-9]+/"
+  requires-reverse-signature ! ftp_server_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/ftp.rules
+  <delete>
+    payload "/.*[lL][iI][sS][tT]/"
+  </delete>
+</augment>
+
+<augment 1948-4>
+  active T
+  comment "DNS zone transfer UDP"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/dns.rules
+</augment>
+
+<augment 103-7>
+  active T
+  comment "BACKDOOR subseven 22"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/backdoor.rules
+</augment>
+
+<augment 663-13>
+  active T
+  comment SMTP rcpt to command attempt
+  comment "pcre: /^rcpt\s+to\:\s+[|\x3b]/smi"
+  payload "/((^)|(\n+))[rR][cC][pP][tT][\x20\x09\x0b][tT][oO]:[\x20\x09\x0b]+[|\x3b]/"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/smtp.rules
+  <delete>
+    payload /.*[rR][cC][pP][tT] [tT][oO]\x3A/
+  </delete>
+</augment>
+
+<augment 1959-7>
+  active T
+  comment "RPC portmap NFS request UDP"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 2317-4>
+  active T
+  comment "MISC CVS non-relative path error response"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/misc.rules
+</augment>
+
+<augment 1140-11>
+  active T
+  comment "WEB-MISC guestbook.pl access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 1718-4>
+  active T
+  comment "WEB-CGI statusconfig.pl access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 462-7>
+  active F
+  comment "ICMP unassigned type 7"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/icmp-info.rules
+</augment>
+
+<augment 436-6>
+  active F
+  comment "ICMP Redirect for TOS and Host"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/icmp-info.rules
+</augment>
+
+<augment 579-8>
+  active T
+  comment "RPC portmap mountd request UDP"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 900-11>
+  active F
+  comment "WEB-CGI webspirs.cgi directory traversal attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 287-6>
+  active T
+  comment "POP3 EXPLOIT x86 BSD overflow"
+  requires-reverse-signature ! pop_return_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/pop3.rules
+</augment>
+
+<augment 1992-5>
+  active T
+  comment "FTP LIST directory traversal attempt"
+  requires-reverse-signature ! ftp_server_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/ftp.rules
+</augment>
+
+<augment 1404-5>
+  active F
+  comment "WEB-MISC showcode access"
+  comment "duplicate of 1037"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 575-8>
+  active T
+  comment "RPC portmap admind request UDP"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 502-2>
+  active T
+  comment "MISC source route ssrr"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/misc.rules
+</augment>
+
+<augment 1574-7>
+  active T
+  comment "WEB-CGI directorypro.cgi attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1258-10>
+  active T
+  comment "WEB-MISC HP OpenView Manager DOS"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 1827-7>
+  active T
+  comment "WEB-MISC Tomcat servlet mapping cross site scripting attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 1008-7>
+  active T
+  comment "WEB-IIS del attempt"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-iis.rules
+</augment>
+
+<augment 2208-5>
+  active T
+  comment "WEB-CGI fom.cgi access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 2007-10>
+  active T
+  comment "RPC kcms_server directory traversal attempt"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 1174-8>
+  active T
+  comment "WEB-CGI /cgi-bin/jj access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 2412-3>
+  active T
+  comment "ATTACK-RESPONSES successful cross site scripting forced download attempt"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/attack-responses.rules
+</augment>
+
+<augment 2366-4>
+  active T
+  comment "WEB-PHP PhpGedView PGV authentication_index.php base directory manipulation attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-php.rules
+</augment>
+
+<augment 886-11>
+  active F
+  comment "WEB-CGI phf access"
+  comment "too general a sig, attack circa '99"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1921-5>
+  active T
+  comment FTP SITE ZIPCHK overflow attempt
+  comment pcre: /^SITE\s+ZIPCHK\s[^\n]{100}/smi
+  eval dataSizeG100
+  ftp /((^)|(\n+))[sS][iI][tT][eE][\x20\x09\x0b]+[zZ][iI][pP][cC][hH][kK][\x20\x09\x0b][^\n]{100}/
+  requires-reverse-signature ! ftp_server_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/ftp.rules
+  <delete>
+    payload /.*[sS][iI][tT][eE].{1}.*[zZ][iI][pP][cC][hH][kK]/
+  </delete>
+</augment>
+
+<augment 1488-8>
+  active T
+  dst-ip == local_nets
+  comment "WEB-CGI store.cgi directory traversal attempt"
+  comment "verify application is not vulnerable"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1150-6>
+  active T
+  comment "WEB-MISC Domino catalog.nsf access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 541-9>
+  active F
+  comment "CHAT ICQ access"
+  comment "informational only, not exploit worthy"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/chat.rules
+</augment>
+
+<augment 2388-4>
+  active T
+  comment "WEB-CGI streaming server view_broadcast.cgi access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 702-8>
+  active T
+  comment "MS-SQL/SMB xp_displayparamstmt possible buffer overflow"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/sql.rules
+</augment>
+
+<augment 2202-6>
+  active T
+  comment "WEB-CGI edit_action.cgi access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 972-8>
+  active F
+  comment "WEB-IIS %2E-asp access"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-iis.rules
+</augment>
+
+<augment 584-11>
+  active T
+  comment "RPC portmap rusers request UDP"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 2315-6>
+  active T
+  comment "NETBIOS DCERPC Workstation Service direct service bind attempt"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/netbios.rules
+</augment>
+
+<augment 1877-5>
+  active T
+  comment "WEB-CGI printenv access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+  http /.*\/cgi-bin[^\/]*\/printenv/
+  comment "Informational only"
+  <delete>
+  	http /.*[\/\\]printenv/
+  </delete>
+</augment>
+
+<augment 1013-9>
+  active T
+  comment "WEB-IIS fpcount access"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-iis.rules
+</augment>
+
+<augment 518-6>
+  active T
+  comment "TFTP Put"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/tftp.rules
+</augment>
+
+<augment 860-8>
+  active T
+  comment "WEB-CGI snork.bat access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1999-4>
+  active T
+  comment "WEB-PHP edit_image.php access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-php.rules
+</augment>
+
+<augment 453-5>
+  active F
+  comment "ICMP Timestamp Request"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/icmp-info.rules
+</augment>
+
+<augment 669-8>
+  active F
+  comment "SMTP sendmail 8.6.9 exploit"
+  requires-reverse-signature ! smtp_server_fail
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/smtp.rules
+</augment>
+
+<augment 1020-10>
+  active T
+  comment "WEB-IIS isc$data attempt"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-iis.rules
+</augment>
+
+<augment 2352-7>
+  active F
+  comment "NETBIOS DCERPC ISystemActivator path overflow attempt big endian"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/netbios.rules
+</augment>
+
+<augment 208-5>
+  active T
+  comment "BACKDOOR PhaseZero Server Active on Network"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/backdoor.rules
+</augment>
+
+<augment 1824-6>
+  active F
+  dst-ip == local_nets
+  comment "WEB-CGI alienform.cgi access"
+  comment "informational only"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 574-8>
+  active T
+  comment "RPC mountd TCP export request"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 1427-4>
+  active T
+  comment "SNMP PROTOS test-suite-trap-app attempt"
+  requires-reverse-signature snmp_userver_ok_return
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/snmp.rules
+</augment>
+
+<augment 1098-8>
+  active T
+  comment "WEB-MISC SmartWin CyberOffice Shopping Cart access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 2159-8>
+  active T
+  comment "MISC BGP invalid type 0"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/misc.rules
+</augment>
+
+<augment 807-11>
+  active F
+  comment "WEB-CGI /wwwboard/passwd.txt access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1961-7>
+  active T
+  comment "RPC portmap RQUOTA request UDP"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 552-7>
+  active F
+  comment "P2P napster upload request"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/p2p.rules
+</augment>
+
+<augment 1022-8>
+  active T
+  comment "WEB-IIS jet vba access"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-iis.rules
+</augment>
+
+<augment 863-7>
+  active T
+  comment "WEB-CGI day5datacopier.cgi access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 2054-4>
+  active T
+  comment "WEB-CGI enter_bug.cgi arbitrary command attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 2450-3>
+  active F
+  comment "CHAT Yahoo IM successful logon"
+  comment "informational only"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/chat.rules
+</augment>
+
+<augment 1120-8>
+  active T
+  comment "WEB-MISC mylog.phtml access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 710-7>
+  active T
+  comment "TELNET EZsetup account attempt"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/telnet.rules
+</augment>
+
+<augment 416-7>
+  active F
+  comment "ICMP Information Reply undefined code"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/icmp-info.rules
+</augment>
+
+<augment 875-9>
+  active T
+  comment "WEB-CGI win-c-sample.exe access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1302-7>
+  active T
+  comment "WEB-MISC console.exe access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 2020-4>
+  active T
+  comment "RPC mountd TCP unmount request"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 1090-7>
+  active T
+  comment "WEB-CGI Allaire Pro Web Shell attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 2010-4>
+  active T
+  comment "MISC CVS double free exploit attempt response"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/misc.rules
+</augment>
+
+<augment 1672-10>
+  active T
+  comment FTP CWD ~ attempt
+  comment pcre: /^CWD\s+~/smi
+  ftp /((^)|(\n+))CWD[\x20\x09\x0b]+~/
+  requires-reverse-signature ! ftp_server_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/ftp.rules
+  <delete>
+    payload /.*CWD/
+  </delete>
+</augment>
+
+<augment 1051-9>
+  active T
+  comment "WEB-CGI technote main.cgi file directory traversal attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 898-9>
+  active T
+  comment "WEB-CGI commerce.cgi access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1578-4>
+  active F
+  comment "WEB-MISC Domino statrep.nsf access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 1397-6>
+  active T
+  comment "WEB-CGI wayboard attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 423-5>
+  active F
+  comment "ICMP Mobile Registration Request"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/icmp-info.rules
+</augment>
+
+<augment 1878-5>
+  active T
+  comment "WEB-CGI sdbsearch.cgi access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 2030-6>
+  active T
+  comment "RPC yppasswd new password overflow attempt TCP"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 673-5>
+  active T
+  comment "MS-SQL sp_start_job - program execution"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/sql.rules
+</augment>
+
+<augment 1450-5>
+  active T
+  comment "SMTP expn *@"
+  comment "pcre: /^expn\s+\*@/smi"
+  payload "/((^)|(\n+))[eE][xX][pP][nN][\x20\x09\x0b]\*@/"
+  requires-reverse-signature ! smtp_server_fail
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/smtp.rules
+  <delete>
+    payload "/.*[eE][xX][pP][nN]/"
+    payload "/.*\*@/"
+  </delete>
+</augment>
+
+<augment 1106-9>
+  active T
+  comment "WEB-CGI Poll-it access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1844-9>
+  active T
+  comment IMAP authenticate overflow attempt
+  comment "pcre: /\sAUTHENTICATE\s[^\n]{100}/smi"
+  payload "/((^)|(\n+))[\x20\x09\x0b][aA][uU][tT][hH][eE][nN][tT][iI][cC][aA][tT][eE][\x20\x09\x0b][^\n]{100}/"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/imap.rules
+  <delete>
+    payload "/.*[aA][uU][tT][hH][eE][nN][tT][iI][cC][aA][tT][eE]/"
+  </delete>
+</augment>
+
+<augment 671-8>
+  active T
+  comment "SMTP sendmail 8.6.9c exploit"
+  requires-reverse-signature ! smtp_server_fail
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/smtp.rules
+</augment>
+
+<augment 894-8>
+  active T
+  comment "WEB-CGI bb-hist.sh access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 2206-6>
+  active T
+  comment "WEB-CGI ezman.cgi access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 375-6>
+  active F
+  comment "ICMP PING LINUX/*BSD"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/icmp-info.rules
+</augment>
+
+<augment 1148-5>
+  active T
+  comment "WEB-MISC Ecommerce import.txt access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 695-7>
+  active T
+  comment "MS-SQL/SMB xp_sprintf possible buffer overflow"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/sql.rules
+</augment>
+
+<augment 857-10>
+  active T
+  comment "WEB-CGI faxsurvey access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 2474-3>
+  active T
+  comment "NETBIOS SMB-DS ADMIN$ share access"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/netbios.rules
+</augment>
+
+<augment 1894-8>
+  active T
+  comment "EXPLOIT kadmind buffer overflow attempt"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/exploit.rules
+</augment>
+
+<augment 1011-7>
+  active T
+  comment "WEB-IIS exec-src access"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-iis.rules
+</augment>
+
+<augment 397-6>
+  active F
+  comment "ICMP Destination Unreachable Host Precedence Violation"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/icmp-info.rules
+</augment>
+
+<augment 255-11>
+  active T
+  comment "DNS zone transfer TCP"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/dns.rules
+</augment>
+
+<augment 1774-3>
+  active T
+  comment "WEB-PHP bb_smilies.php access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-php.rules
+</augment>
+
+<augment 2501-8>
+  active F
+  comment "POP3 SSLv3 invalid timestamp attempt"
+  requires-reverse-signature ! pop_return_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/pop3.rules
+</augment>
+
+<augment 430-6>
+  active F
+  comment "ICMP Photuris Unknown Security Parameters Index"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/icmp-info.rules
+</augment>
+
+<augment 707-8>
+  active T
+  comment "MS-SQL xp_proxiedmetadata possible buffer overflow"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/sql.rules
+</augment>
+
+<augment 1332-5>
+  active T
+  comment "WEB-ATTACKS /usr/bin/id command attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-attacks.rules
+</augment>
+
+<augment 667-5>
+  active T
+  comment "SMTP sendmail 8.6.10 exploit"
+  requires-reverse-signature ! smtp_server_fail
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/smtp.rules
+</augment>
+
+<augment 2216-6>
+  active T
+  comment "WEB-CGI readmail.cgi access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 2558-2>
+  active T
+  comment "EXPLOIT Oracle Web Cache MKCOL overflow attempt"
+  comment pcre: /^MKCOL[^s]{432}/sm
+  payload /((^)|(\n+))MKCOL[^s]{432}/
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/exploit.rules
+  <delete>
+    payload /.*MKCOL/
+  </delete>
+</augment>
+
+<augment 2205-6>
+  active F
+  dst-ip == local_nets
+  comment "WEB-CGI ezboard.cgi access"
+  comment "Too general"
+  comment "vulnerabilities are too broad"
+  comment "Suggestion: analyze site version of software and test for vulnerability, make any adjustments, and then disable this rule."
+  requires-reverse-signature ! http_error
+  http /.*[\/\\]ezboard\.cgi/
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1910-10>
+  active T
+  comment "RPC CMSD udp CMSD_INSERT buffer overflow attempt"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 668-6>
+  active T
+  comment "SMTP sendmail 8.6.10 exploit"
+  requires-reverse-signature ! smtp_server_fail
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/smtp.rules
+</augment>
+
+<augment 311-11>
+  active T
+  comment "EXPLOIT Netscape 4.7 unsucessful overflow"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/exploit.rules
+</augment>
+
+<augment 2351-7>
+  active F
+  comment "NETBIOS DCERPC ISystemActivator path overflow attempt little endian"
+  comment "Functions not supported"
+  comment "Better suited to a Bro analizer"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/netbios.rules
+</augment>
+
+<augment 1951-5>
+  active T
+  comment "RPC mountd TCP mount request"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 1185-10>
+  active T
+  comment "WEB-CGI bizdbsearch attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1608-5>
+  active T
+  comment "WEB-CGI htmlscript attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 278-5>
+  active T
+  comment "DOS Real Server template.html"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/dos.rules
+</augment>
+
+<augment 812-9>
+  active F
+  comment "WEB-CGI webplus version access"
+  comment "informational only"
+  comment "old signature from 04-10-2000"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1707-7>
+  active T
+  comment "WEB-CGI hello.bat arbitrary command execution attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 2526-6>
+  active F
+  comment "NETBIOS SMB-DS DCERPC LSASS direct bind attempt"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/netbios.rules
+</augment>
+
+<augment 1642-7>
+  active T
+  comment "WEB-CGI document.d2w access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1751-5>
+  active T
+  comment "EXPLOIT cachefsd buffer overflow attempt"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/exploit.rules
+</augment>
+
+<augment 1591-6>
+  active T
+  comment "WEB-CGI faqmanager.cgi access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1336-5>
+  active T
+  comment "WEB-ATTACKS chmod command attempt"
+  requires-reverse-signature ! http_error
+  http /.*\/[cC][hH][mM][oO][dD]([^-a-zA-Z0-9_.]|$)/
+  <delete>
+  	payload /.*\/[bB][iI][nN]\/[cC][hH][mM][oO][dD]/
+  </delete>
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-attacks.rules
+</augment>
+
+<augment 1029-7>
+  active T
+  comment "WEB-IIS scripts-browse access"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-iis.rules
+</augment>
+
+<augment 380-7>
+  active F
+  comment "ICMP PING Seer Windows"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/icmp-info.rules
+</augment>
+
+<augment 808-8>
+  active F
+  comment "WEB-CGI webdriver access"
+  comment "informational only"
+  comment "old signature from 12-30-2000"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 2410-2>
+  active T
+  comment "WEB-PHP IGeneric Free Shopping Cart page.php access"
+  dst-ip == local_nets
+  http /.*[\/\\]page\.php\?.*script/
+  <delete>
+  	http /.*[\/\\]page\.php/
+  </delete>
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-php.rules
+</augment>
+
+<augment 1475-4>
+  active T
+  comment "WEB-CGI mailit.pl access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 2151-4>
+  active T
+  comment "WEB-PHP ttCMS header.php access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_QUIET
+  snort-rule-file snort_rules/rules2.2/web-php.rules
+</augment>
+
+<augment 1730-7>
+  active T
+  comment "WEB-CGI ustorekeeper.pl directory traversal attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 310-8>
+  active T
+  comment "EXPLOIT x86 windows MailMax overflow"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/exploit.rules
+</augment>
+
+<augment 2510-7>
+  active F
+  comment "NETBIOS SMB DCERPC LSASS bind attempt"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/netbios.rules
+</augment>
+
+<augment 2293-4>
+  active T
+  comment "WEB-PHP Advanced Poll admin_password.php access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-php.rules
+</augment>
+
+<augment 1492-5>
+  active T
+  comment "WEB-MISC RBS ISP /newuser  directory traversal attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 2538-3>
+  active F
+  comment "SMTP SSLv3 Client_Hello request"
+  requires-reverse-signature ! smtp_server_fail
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/smtp.rules
+</augment>
+
+<augment 2428-3>
+  active T
+  comment NNTP ihave overflow attempt
+  comment "pcre: /^ihave\x3a[^\n]{21}/smi"
+  payload "/((^)|(\n+))[iI][hH][aA][vV][eE]\x3a[^\n]{21}/"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/nntp.rules
+  <delete>
+    payload "/.*[iI][hH][aA][vV][eE]/"
+  </delete>
+</augment>
+
+<augment 1810-9>
+  active T
+  comment "ATTACK-RESPONSES successful gobbles ssh exploit GOBBLE"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/attack-responses.rules
+</augment>
+
+<augment 1912-9>
+  active T
+  comment "RPC sadmind TCP NETMGT_PROC_SERVICE CLIENT_DOMAIN overflow attempt"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 2017-12>
+  active T
+  comment "RPC portmap espd request UDP"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 497-8>
+  active T
+  comment "ATTACK-RESPONSES file copied ok"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/attack-responses.rules
+</augment>
+
+<augment 1964-8>
+  active T
+  comment "RPC tooltalk UDP overflow attempt"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 936-5>
+  active T
+  comment "WEB-COLDFUSION gettempdirectory.cfm access "
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-coldfusion.rules
+</augment>
+
+<augment 505-5>
+  active T
+  comment "MISC Insecure TIMBUKTU Password"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/misc.rules
+</augment>
+
+<augment 1506-7>
+  active T
+  comment "WEB-CGI alchemy http server NUL arbitrary command execution attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1923-6>
+  active T
+  comment "RPC portmap proxy attempt UDP"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 1390-5>
+  active T
+  comment "SHELLCODE x86 inc ebx NOOP"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/shellcode.rules
+</augment>
+
+<augment 2264-4>
+  active T
+  comment SMTP SAML FROM sendmail prescan too long addresses overflow
+  comment "pcre: /^SAML FROM\x3a\s+[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}/smi"
+  payload "/((^)|(\n+))[sS][aA][mM][lL] [fF][rR][oO][mM]:[\x20\x09\x0b]+[a-zA-Z0-9_\x20\x09\x0b@\.]{0,200}\x3b[a-zA-Z0-9_\x20\x09\x0b@\.]{200,}\x3b[a-zA-Z0-9_\x20\x09\x0b@\.]{0,200}/"
+  requires-reverse-signature ! smtp_server_fail
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/smtp.rules
+  <delete>
+    payload /.*[sS][aA][mM][lL] [fF][rR][oO][mM]\x3A/
+  </delete>
+</augment>
+
+<augment 709-7>
+  active T
+  comment "TELNET 4Dgifts SGI account attempt"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/telnet.rules
+</augment>
+
+<augment 606-5>
+  active T
+  comment "RSERVICES rlogin root"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/rservices.rules
+</augment>
+
+<augment 1788-3>
+  active T
+  comment "WEB-CGI csPassword password.cgi.tmp access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 2469-3>
+  active T
+  comment "NETBIOS SMB-DS D$ share unicode access"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/netbios.rules
+</augment>
+
+<augment 226-6>
+  active T
+  comment "DDOS Stacheldraht server response"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/ddos.rules
+</augment>
+
+<augment 1095-6>
+  active T
+  comment "WEB-MISC Talentsoft Web+ Source Code view access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 490-6>
+  active F
+  comment "INFO battle-mail traffic"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/info.rules
+</augment>
+
+<augment 2181-2>
+  active F
+  comment "P2P BitTorrent transfer"
+  comment "informational only"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/p2p.rules
+</augment>
+
+<augment 1385-11>
+  active T
+  comment "WEB-MISC mod-plsql administration access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 1109-8>
+  active T
+  comment "WEB-MISC ROXEN directory list attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 2105-4>
+  active T
+  comment IMAP authenticate literal overflow attempt
+  comment "pcre: /\sAUTHENTICATE\s[^\n]*?\s\{/smi"
+  payload "/((^)|(\n+))[\x20\x09\x0b][aA][uU][tT][hH][eE][nN][tT][iI][cC][aA][tT][eE][\x20\x09\x0b][^\n]*?[\x20\x09\x0b]\{/"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/imap.rules
+  <delete>
+    payload "/.*[aA][uU][tT][hH][eE][nN][tT][iI][cC][aA][tT][eE]/"
+  </delete>
+</augment>
+
+<augment 231-3>
+  active T
+  comment "DDOS Trin00 Daemon to Master message detected"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/ddos.rules
+</augment>
+
+<augment 1439-5>
+  active F
+  comment "MULTIMEDIA Shoutcast playlist redirection"
+  comment "informational only"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/multimedia.rules
+</augment>
+
+<augment 1838-8>
+  active T
+  comment EXPLOIT SSH server banner overflow
+  comment "pcre: /^SSH-\s[^\n]{200}/ism"
+  payload "/((^)|(\n+))[sS][sS][hH]-[\x20\x09\x0b][^\n]{200}/"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/exploit.rules
+  <delete>
+    payload "/.*[sS][sS][hH]-/"
+  </delete>
+</augment>
+
+<augment 1597-7>
+  active F
+  comment "WEB-CGI guestbook.cgi access"
+  comment "too general"
+  comment "informational only"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1858-5>
+  active T
+  comment "WEB-MISC CISCO PIX Firewall Manager directory traversal attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 449-6>
+  active F
+  comment "ICMP Time-To-Live Exceeded in Transit"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/icmp-info.rules
+</augment>
+
+<augment 830-7>
+  active F
+  comment "WEB-CGI NPH-publish access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+  comment "duplicate of 1451-6"
+</augment>
+
+<augment 1349-5>
+  active F
+  comment "WEB-ATTACKS bin/python access attempt"
+  comment "informational only"
+  comment "too general"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-attacks.rules
+</augment>
+
+<augment 1368-6>
+  active T
+  comment "WEB-ATTACKS /bin/ls| command attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-attacks.rules
+</augment>
+
+<augment 2101-9>
+  active T
+  comment "NETBIOS SMB SMB_COM_TRANSACTION Max Parameter and Max Count of 0 DOS Attempt"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/netbios.rules
+</augment>
+
+<augment 2529-3>
+  active F
+  comment "IMAP SSLv3 Client_Hello request"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/imap.rules
+</augment>
+
+<augment 2031-5>
+  active T
+  comment "RPC yppasswd user update UDP"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 1025-6>
+  active T
+  comment "WEB-IIS perl access"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-iis.rules
+</augment>
+
+<augment 2490-3>
+  active T
+  comment "EXPLOIT esignal SNAPQUOTE buffer overflow attempt"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/exploit.rules
+</augment>
+
+<augment 810-11>
+  active F
+  comment "WEB-CGI whois_raw.cgi access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+  comment "duplicate of 1410"
+</augment>
+
+<augment 2349-5>
+  active F
+  comment "NETBIOS SMB-DS DCERPC enumerate printers request attempt"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/netbios.rules
+</augment>
+
+<augment 2312-2>
+  active T
+  comment "SHELLCODE x86 0x71FB7BAB NOOP"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/shellcode.rules
+</augment>
+
+<augment 1166-8>
+  active T
+  comment "WEB-MISC ws_ftp.ini access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 997-6>
+  active T
+  comment "WEB-IIS asp-dot attempt"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-iis.rules
+</augment>
+
+<augment 2306-4>
+  active T
+  comment WEB-PHP gallery arbitrary command execution attempt
+  comment pcre: /GALLERY_BASEDIR=(http|https|ftp)/i
+  http /.*[gG][aA][lL][lL][eE][rR][yY]_[bB][aA][sS][eE][dD][iI][rR]=(http|https|ftp)/
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-php.rules
+  <delete>
+    payload /.*GALLERY_BASEDIR=/
+  </delete>
+</augment>
+
+<augment 1973-6>
+  active T
+  comment FTP MKD overflow attempt
+  comment pcre: /^MKD\s[^\n]{100}/smi
+  eval dataSizeG100
+  ftp /((^)|(\n+))[mM][kK][dD][\x20\x09\x0b][^\n]{100}/
+  requires-reverse-signature ! ftp_server_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/ftp.rules
+  <delete>
+    payload /.*[mM][kK][dD]/
+  </delete>
+</augment>
+
+<augment 1279-14>
+  active T
+  comment "RPC portmap snmpXdmi request UDP"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 120-5>
+  active T
+  comment "BACKDOOR Infector 1.6 Server to Client"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/backdoor.rules
+</augment>
+
+<augment 2310-8>
+  active T
+  comment "NETBIOS SMB-DS DCERPC Workstation Service unicode bind attempt"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/netbios.rules
+</augment>
+
+<augment 1876-4>
+  active T
+  comment "WEB-CGI nph-publish.cgi access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1558-5>
+  active T
+  comment "WEB-MISC Delegate whois overflow attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 2396-2>
+  active T
+  comment "WEB-CGI CCBill whereami.cgi arbitrary command execution attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1757-3>
+  active T
+  comment "WEB-MISC b2 arbitrary command execution attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 1888-8>
+  active T
+  comment FTP SITE CPWD overflow attempt
+  comment "pcre: /^SITE\s+CPWD\s[^\n]{100}/smi"
+  eval dataSizeG100
+  ftp "/((^)|(\n+))[sS][iI][tT][eE][\x20\x09\x0b]+[cC][pP][wW][dD][\x20\x09\x0b][^\n]{100}/"
+  requires-reverse-signature ! ftp_server_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/ftp.rules
+  <delete>
+    payload "/.*[sS][iI][tT][eE].*.*[cC][pP][wW][dD]/"
+  </delete>
+</augment>
+
+<augment 508-7>
+  active T
+  comment "MISC gopher proxy"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/misc.rules
+</augment>
+
+<augment 2095-6>
+  active T
+  comment "RPC CMSD TCP CMSD_CREATE array buffer overflow attempt"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 2491-5>
+  active F
+  comment "NETBIOS SMB-DS DCERPC ISystemActivator unicode bind attempt"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/netbios.rules
+</augment>
+
+<augment 1178-6>
+  active T
+  comment "WEB-PHP Phorum read access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-php.rules
+</augment>
+
+<augment 1419-9>
+  active T
+  comment "SNMP trap udp"
+  requires-reverse-signature snmp_userver_ok_return
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/snmp.rules
+</augment>
+
+<augment 1553-7>
+  active T
+  comment "WEB-CGI /cart/cart.cgi access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 2288-4>
+  active T
+  comment "WEB-PHP Advanced Poll admin_edit.php access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-php.rules
+</augment>
+
+<augment 271-4>
+  active T
+  comment "DOS UDP echo+chargen bomb"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/dos.rules
+</augment>
+
+<augment 308-8>
+  active T
+  comment "EXPLOIT NextFTP client overflow"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/exploit.rules
+</augment>
+
+<augment 2294-4>
+  active F
+  comment "WEB-PHP Advanced Poll admin_preview.php access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-php.rules
+</augment>
+
+<augment 2035-6>
+  active T
+  comment "RPC portmap network-status-monitor request UDP"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 2123-2>
+  active T
+  comment "ATTACK-RESPONSES Microsoft cmd.exe banner"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/attack-responses.rules
+</augment>
+
+<augment 1234-8>
+  active T
+  comment "WEB-MISC VirusWall FtpSaveCSP access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 2147-7>
+  active T
+  comment "WEB-PHP BLNews objects.inc.php4 remote file include attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-php.rules
+</augment>
+
+<augment 1381-5>
+  active T
+  comment "WEB-MISC Trend Micro OfficeScan attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 371-7>
+  active F
+  comment "ICMP PING Cisco Type.x"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/icmp-info.rules
+</augment>
+
+<augment 522-2>
+  active T
+  comment "MISC Tiny Fragments"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/misc.rules
+</augment>
+
+<augment 1417-9>
+  active F
+  comment "SNMP request udp"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/snmp.rules
+</augment>
+
+<augment 639-5>
+  active T
+  comment "SHELLCODE SGI NOOP"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/shellcode.rules
+</augment>
+
+<augment 1457-6>
+  active T
+  comment "WEB-CGI user_update_admin.pl access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 334-5>
+  active T
+  comment "FTP .forward"
+  requires-reverse-signature ! ftp_server_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/ftp.rules
+</augment>
+
+<augment 1979-4>
+  active F
+  comment "WEB-MISC perl post attempt"
+  comment "too general"
+  comment "perl POST attempts are normal in the real world"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 225-6>
+  active T
+  comment "DDOS Stacheldraht gag server response"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/ddos.rules
+</augment>
+
+<augment 2291-4>
+  active T
+  comment "WEB-PHP Advanced Poll admin_license.php access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-php.rules
+</augment>
+
+<augment 1851-6>
+  active T
+  comment "WEB-MISC active.log access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 1848-5>
+  active T
+  comment "WEB-MISC webcart-lite access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 2487-4>
+  active T
+  comment "SMTP WinZip MIME content-type buffer overflow"
+  comment pcre: /name=[^\r\n]*?\.(mim|uue|uu|b64|bhx|hqx|xxe)/smi
+  comment pcre: /(name|id|number|total|boundary)=\s*[^\r\n\x3b\s\x2c]{300}/smi
+  payload /[nN][aA][mM][eE]=[^\r\n]*?\.([mM][iI][mM]|[uU]{2}[eE]?|[bB]64|[bB][hH][xX]|[hH][qQ][xX]|[xX]{2}[eE])/
+  payload /([nN][aA][mM][eE]|[iI][dD]|[nN][uU][mM][bB][eE][rR]|[tT][oO][tT][aA][lL]|[bB][oO][uU][nN][dD][aA][rR][yY])=[\x20\x09\x0b]*[^\r\n\x3b\s\x2c]{300}/
+  requires-reverse-signature ! smtp_server_fail
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/smtp.rules
+</augment>
+
+<augment 2553-2>
+  active T
+  comment "EXPLOIT Oracle Web Cache PUT overflow attempt"
+  comment pcre: /^PUT[^s]{432}/sm
+  payload /((^)|(\n+))PUT[^s]{432}/
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/exploit.rules
+  <delete>
+    payload /.*PUT/
+  </delete>
+</augment>
+
+<augment 2009-2>
+  active T
+  src-ip == local_nets
+  comment "MISC CVS invalid repository response"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/misc.rules
+</augment>
+
+<augment 459-7>
+  active F
+  comment "ICMP unassigned type 1 undefined code"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/icmp-info.rules
+</augment>
+
+<augment 2437-5>
+  active T
+  comment WEB-CLIENT RealPlayer arbitrary javascript command attempt
+  comment "pcre: /^Content-Type\x3a\s+application\x2fsmi.*?<area[\s\n\r]+href=[\x22\x27]file\x3ajavascript\x3a/smi"
+  requires-signature http_real_client
+  http "/((^)|(\n+))[cC][oO][nN][tT][eE][nN][tT]-[tT][yY][pP][eE]\x3a[\x20\x09\x0b][aA][pP][pP][lL][iI][cC][aA][tT][iI][oO][nN]\x2f[sS][mM][iI].*?<[aA][rR][eE][aA][\x20\x09\x0b\n\r]+href=[\x22\x27][fF][iI][lL][eE]\x3ajavascript\x3a/"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-client.rules
+  <delete>
+    payload /.*[cC][oO][nN][tT][eE][nN][tT]-[tT][yY][pP][eE]\x3A/
+  </delete>
+</augment>
+
+<augment 1904-7>
+  active T
+  comment "IMAP find overflow attempt"
+  comment pcre: /\sFIND\s[^\n]{100}/smi
+  payload /((^)|(\n+))[\x20\x09\x0b][fF][iI][nN][dD][\x20\x09\x0b][^\n]{100}/
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/imap.rules
+  <delete>
+    payload /.*[fF][iI][nN][dD]/
+  </delete>
+</augment>
+
+<augment 1636-8>
+  active T
+  comment MISC Xtramail Username overflow attempt
+  comment pcre: /^Username\:[^\n]{100}/smi
+  payload /((^)|(\n+))[uU][sS][eE][rR][nN][aA][mM][eE]\:[^\n]{100}/
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/misc.rules
+  <delete>
+    payload /.*[uU][sS][eE][rR][nN][aA][mM][eE]\x3A/
+  </delete>
+</augment>
+
+<augment 1790-4>
+  active T
+  comment "CHAT IRC dns response"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/chat.rules
+</augment>
+
+<augment 815-9>
+  active F
+  comment "WEB-CGI websendmail access"
+  comment "informational only"
+  comment "old signature from 06-01-1999"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 2016-6>
+  active T
+  comment "RPC portmap status request TCP"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 1493-5>
+  active T
+  comment "WEB-MISC RBS ISP /newuser access"
+  comment "port 8002 needs to be referencd and some ../ needs to be there as well"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+  http /.*\x3a8002.*[\/\\]newuser\x3f.*\x2e\x2e[\/\\]/
+  <delete>
+	http /.*[\/\\]newuser/
+  </delete>
+</augment>
+
+<augment 581-9>
+  active T
+  comment "RPC portmap pcnfsd request UDP"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 577-13>
+  active F
+  comment "RPC portmap bootparam request UDP"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 223-3>
+  active T
+  comment "DDOS Trin00 Daemon to Master PONG message detected"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/ddos.rules
+</augment>
+
+<augment 305-9>
+  active T
+  comment "EXPLOIT delegate proxy overflow"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/exploit.rules
+</augment>
+
+<augment 2383-9>
+  active T
+  comment "NETBIOS SMB-DS DCERPC NTLMSSP invalid mechtype attempt"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/netbios.rules
+</augment>
+
+<augment 243-2>
+  active T
+  comment "DDOS mstream agent to handler"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/ddos.rules
+</augment>
+
+<augment 2072-3>
+  active T
+  dst-ip == local_nets
+  comment "WEB-MISC lyris.pl admin access"
+  requires-reverse-signature ! http_error
+  http /POST.*[\/\\]lyris\.pl/
+  payload /list_admin=T/
+  event "WEB-MISC lyris.pl admin access"
+  <delete>
+  	http /.*[\/\\]lyris\.pl/
+  	event "WEB-MISC lyris.pl access"
+  </delete>
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 472-4>
+  active T
+  comment "ICMP redirect host"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/icmp.rules
+</augment>
+
+<augment 369-6>
+  active F
+  comment "ICMP PING BayRS Router"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/icmp-info.rules
+</augment>
+
+<augment 2470-3>
+  active T
+  comment "NETBIOS SMB C$ share unicode access"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/netbios.rules
+</augment>
+
+<augment 1650-6>
+  active T
+  comment "WEB-CGI tst.bat access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 615-8>
+  active F
+  comment "SCAN SOCKS Proxy attempt"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/scan.rules
+</augment>
+
+<augment 1868-5>
+  active T
+  comment "WEB-CGI story.pl arbitrary file read attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 693-5>
+  active T
+  comment "MS-SQL shellcode attempt"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/sql.rules
+</augment>
+
+<augment 2052-3>
+  active T
+  comment "WEB-CGI overflow.cgi access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1145-7>
+  active T
+  comment "WEB-MISC /~root access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 1448-10>
+  active T
+  comment "MISC MS Terminal server request"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/misc.rules
+</augment>
+
+<augment 266-6>
+  active T
+  comment "DNS EXPLOIT x86 FreeBSD overflow attempt"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/dns.rules
+</augment>
+
+<augment 2092-5>
+  active F
+  comment "RPC portmap proxy integer overflow attempt UDP"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+
+<augment 2576-2>
+  active T
+  comment "ORACLE generate_replication_support prefix overflow attempt"
+  comment "pcre: /(package|procedure)_prefix[\s\r\n]*=>[\s\r\n]*('[^']{1000,}|"[^"]{1000,})/Rsmi"
+  payload "/([pP][aA][cC][kK][aA][gG][eE]|[pP][rR][oO][cC][eE][dD][uU][rR][eE])_[pP][rR][eE][fF][iI][xX][\x20\x09\x0b\r\n]*=>[\x20\x09\x0b\r\n]*('[^']{1000,}|"[^"]{1000,})/"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/oracle.rules
+</augment>
+
+<augment 2125-8>
+  active T
+  comment "FTP CWD Root directory transversal attempt"
+  requires-reverse-signature ! ftp_server_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/ftp.rules
+</augment>
+
+<augment 516-3>
+  active T
+  comment "MISC SNMP NT UserList"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/misc.rules
+</augment>
+
+<augment 1539-6>
+  active F
+  comment "WEB-CGI /cgi-bin/ls access"
+  comment "too many false positives"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1916-9>
+  active T
+  comment "RPC STATD TCP monitor mon_name format string exploit attempt"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 595-16>
+  active T
+  comment "RPC portmap espd request TCP"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 534-6>
+  active T
+  comment "NETBIOS SMB CD.."
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/netbios.rules
+</augment>
+
+<augment 2482-3>
+  active F
+  comment "NETBIOS SMB-DS DCERPC shutdown attempt"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/netbios.rules
+</augment>
+
+<augment 949-6>
+  active T
+  comment "WEB-FRONTPAGE registrations.htm access"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-frontpage.rules
+</augment>
+
+<augment 824-9>
+  active F
+  comment "WEB-CGI php.cgi access"
+  comment "informational only"
+  comment "too general"
+  comment "old signature from 06-01-1999"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 2197-7>
+  active T
+  comment "WEB-CGI cvsview2.cgi access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 540-11>
+  active F
+  comment "CHAT MSN message"
+  comment "informational only"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/chat.rules
+</augment>
+
+<augment 1461-5>
+  active T
+  comment "WEB-CGI bb-rep.sh access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 395-6>
+  active F
+  comment "ICMP Destination Unreachable Destination Network Unknown"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/icmp-info.rules
+</augment>
+
+<augment 1616-6>
+  active F
+  comment "DNS named version attempt"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/dns.rules
+</augment>
+
+<augment 1500-6>
+  active T
+  comment "WEB-MISC ExAir access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 2262-4>
+  active T
+  comment SMTP SEND FROM sendmail prescan too long addresses overflow
+  comment pcre: /^SEND FROM\x3a\s+[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}/smi
+  payload /((^)|(\n+))[sS][eE][nN][dD] [fF][rR][oO][mM]:[\x20\x09\x0b]+[a-zA-Z0-9\x5f\x20\x09\x0b@\.]{0,200}\x3b[a-zA-Z0-9_\x20\x09\x0b@\.]{200,}\x3b[a-zA-Z0-9_\x20\x09\x0b@\.]{0,200}/
+  requires-reverse-signature ! smtp_server_fail
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/smtp.rules
+  <delete>
+    payload /.*[sS][eE][nN][dD] [fF][rR][oO][mM]\x3A/
+  </delete>
+</augment>
+
+<augment 2504-6>
+  active T
+  comment "SMTP SSLv3 invalid data version attempt"
+  requires-reverse-signature ! smtp_server_fail
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/smtp.rules
+</augment>
+
+<augment 2089-5>
+  active T
+  comment "RPC ypupdated arbitrary command attempt TCP"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 1513-9>
+  active T
+  comment "WEB-CGI input.bat access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 682-6>
+  active T
+  comment "MS-SQL xp_enumresultset possible buffer overflow"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/sql.rules
+</augment>
+
+<augment 2282-2>
+  active T
+  comment "WEB-PHP GlobalFunctions.php access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-php.rules
+</augment>
+
+<augment 2508-6>
+  active F
+  comment "NETBIOS DCERPC LSASS DsRolerUpgradeDownlevelServer Exploit attempt"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/netbios.rules
+</augment>
+
+<augment 117-6>
+  active T
+  comment "BACKDOOR Infector.1.x"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/backdoor.rules
+</augment>
+
+<augment 158-5>
+  active T
+  comment "BACKDOOR BackConstruction 2.1 Server FTP Open Reply"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/backdoor.rules
+</augment>
+
+<augment 1763-6>
+  active T
+  comment "WEB-CGI Nortel Contivity cgiproc DOS attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1762-4>
+  active T
+  comment "WEB-CGI phf arbitrary command execution attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1179-7>
+  active T
+  comment "WEB-PHP Phorum violation access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-php.rules
+</augment>
+
+<augment 1494-6>
+  active T
+  comment "WEB-CGI SIX webboard generate.cgi attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1834-5>
+  active T
+  comment "WEB-PHP PHP-Wiki cross site scripting attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-php.rules
+</augment>
+
+<augment 2475-3>
+  active T
+  comment "NETBIOS SMB-DS ADMIN$ share unicode access"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/netbios.rules
+</augment>
+
+<augment 964-6>
+  active T
+  comment "WEB-FRONTPAGE users.pwd access"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-frontpage.rules
+</augment>
+
+<augment 320-9>
+  active T
+  comment "FINGER cmd_rootsh backdoor attempt"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/finger.rules
+</augment>
+
+<augment 878-6>
+  active T
+  comment "WEB-CGI w3tvars.pm access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1452-5>
+  active T
+  comment "WEB-CGI args.cmd access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1101-7>
+  active T
+  comment "WEB-MISC Webtrends HTTP probe"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 1441-4>
+  active T
+  comment "TFTP GET nc.exe"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/tftp.rules
+</augment>
+
+<augment 1207-7>
+  active T
+  comment "WEB-MISC htgrep access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 1019-8>
+  active T
+  comment "WEB-IIS index server file source code attempt"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-iis.rules
+</augment>
+
+<augment 1339-5>
+  active T
+  comment "WEB-ATTACKS chsh command attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-attacks.rules
+</augment>
+
+<augment 1240-5>
+  active T
+  comment "EXPLOIT MDBMS overflow"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/exploit.rules
+</augment>
+
+<augment 1557-7>
+  active T
+  comment "WEB-CGI DCShop auth_user_file.txt access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1264-13>
+  active T
+  comment "RPC portmap bootparam request TCP"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 933-7>
+  active T
+  comment "WEB-COLDFUSION onrequestend.cfm access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-coldfusion.rules
+</augment>
+
+<augment 512-4>
+  active T
+  comment "MISC PCAnywhere Failed Login"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/misc.rules
+</augment>
+
+<augment 1525-9>
+  active T
+  comment "WEB-MISC Axis Storpoint CD access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 1348-5>
+  active T
+  comment "WEB-ATTACKS g++ command attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_QUIET
+  snort-rule-file snort_rules/rules2.2/web-attacks.rules
+</augment>
+
+<augment 902-7>
+  active T
+  comment "WEB-CGI tstisapi.dll access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1767-6>
+  active T
+  comment "WEB-MISC search.dll access"
+  comment "requires sambar web server"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+  eval isNotIIS
+  eval isNotApache
+</augment>
+
+<augment 1047-9>
+  active T
+  comment "WEB-MISC Netscape Enterprise DOS"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 1089-9>
+  active T
+  comment "WEB-CGI shopping cart directory traversal"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 687-5>
+  active T
+  comment "MS-SQL xp_cmdshell - program execution"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/sql.rules
+</augment>
+
+<augment 2552-2>
+  active T
+  comment "EXPLOIT Oracle Web Cache HEAD overflow attempt"
+  comment pcre: /^HEAD[^s]{432}/sm
+  payload /((^)|(\n+))HEAD[^s]{432}/
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/exploit.rules
+</augment>
+
+<augment 384-5>
+  active F
+  comment "ICMP PING"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/icmp-info.rules
+</augment>
+
+<augment 836-7>
+  active T
+  comment "WEB-CGI textcounter.pl access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1722-4>
+  active T
+  comment "WEB-CGI MachineInfo access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 873-8>
+  active F
+  comment "WEB-CGI scriptalias access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 477-2>
+  active F
+  comment "ICMP Source Quench"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/icmp.rules
+</augment>
+
+<augment 2198-6>
+  active T
+  comment "WEB-CGI cvslog.cgi access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 859-7>
+  active T
+  comment "WEB-CGI man.sh access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 662-5>
+  active T
+  comment "SMTP sendmail 5.5.5 exploit"
+  requires-reverse-signature ! smtp_server_fail
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/smtp.rules
+</augment>
+
+<augment 441-6>
+  active F
+  comment "ICMP Router Advertisement"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/icmp-info.rules
+</augment>
+
+<augment 880-8>
+  active T
+  comment "WEB-CGI LWGate access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1017-8>
+  active T
+  comment "WEB-IIS idc-srch attempt"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-iis.rules
+</augment>
+
+<augment 326-9>
+  active T
+  comment "FINGER remote command execution attempt"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/finger.rules
+</augment>
+
+<augment 2234-5>
+  active T
+  comment "WEB-MISC TOP10.dll access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 359-5>
+  active T
+  comment "FTP satan scan"
+  requires-reverse-signature ! ftp_server_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/ftp.rules
+</augment>
+
+<augment 2420-2>
+  active F
+  comment "MULTIMEDIA realplayer .rmp playlist download attempt"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/multimedia.rules
+</augment>
+
+<augment 2429-3>
+  active T
+  comment NNTP sendme overflow attempt
+  comment "pcre: /^sendme\x3a[^\n]{21}/smi"
+  payload /((^)|(\n+))[sS][eE][nN][dD][mM][eE]\x3a[^\n]{21}/
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/nntp.rules
+  <delete>
+    payload /.*[sS][eE][nN][dD][mM][eE]/
+  </delete>
+</augment>
+
+<augment 2513-7>
+  active F
+  comment "NETBIOS SMB-DS DCERPC LSASS unicode bind attempt"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/netbios.rules
+</augment>
+
+<augment 2427-3>
+  active T
+  comment "NNTP checkgroups overflow attempt"
+  comment pcre: /^checkgroups\x3a[^\n]{21}/smi
+  payload /((^)|(\n+))[cC][hH][eE][cC][kK][gG][rR][oO][uU][pP][sS]\x3a[^\n]{21}/
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/nntp.rules
+  <delete>
+    payload /.*[cC][hH][eE][cC][kK][gG][rR][oO][uU][pP][sS]/
+  </delete>
+</augment>
+
+<augment 2485-4>
+  active T
+  comment "WEB-CLIENT Nortan antivirus sysmspam.dll load attempt"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-client.rules
+</augment>
+
+<augment 488-4>
+  active F
+  comment "INFO Connection Closed MSG from Port 80"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/info.rules
+</augment>
+
+<augment 2483-3>
+  active F
+  comment "NETBIOS SMB-DS DCERPC shutdown little endian attempt"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/netbios.rules
+</augment>
+
+<augment 2129-9>
+  active T
+  comment "WEB-IIS nsiislog.dll access"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-iis.rules
+</augment>
+
+<augment 1486-4>
+  active T
+  comment "WEB-IIS ctss.idc access"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-iis.rules
+</augment>
+
+<augment 923-7>
+  active T
+  comment "WEB-COLDFUSION getodbcin attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-coldfusion.rules
+</augment>
+
+<augment 2245-5>
+  active T
+  comment "WEB-MISC Webnews.exe access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 2370-2>
+  active T
+  comment "WEB-MISC BugPort config.conf file access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_QUIET
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 2531-3>
+  active F
+  comment "IMAP SSLv3 invalid Client_Hello attempt"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/imap.rules
+</augment>
+
+<augment 2244-4>
+  active T
+  comment "WEB-MISC VsSetCookie.exe access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 1172-10>
+  active T
+  comment "WEB-CGI bigconf.cgi access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1168-5>
+  active T
+  comment "WEB-MISC mall log order access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 1167-7>
+  active T
+  comment "WEB-MISC rpm_query access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 530-10>
+  active T
+  comment "NETBIOS NT NULL session"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/netbios.rules
+</augment>
+
+<augment 2466-3>
+  active T
+  comment "NETBIOS SMB-DS IPC$ share unicode access"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/netbios.rules
+</augment>
+
+<augment 1920-6>
+  active T
+  comment FTP SITE NEWER overflow attempt
+  comment pcre: /^SITE\s+NEWER\s[^\n]{100}/smi
+  eval dataSizeG100
+  ftp /((^)|(\n+))[sS][iI][tT][eE][\x20\x09\x0b]+[nN][eE][wW][eE][rR][\x20\x09\x0b][^\n]{100}/
+  requires-reverse-signature ! ftp_server_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/ftp.rules
+  <delete>
+    payload /.*[sS][iI][tT][eE].*.*[nN][eE][wW][eE][rR]/
+  </delete>
+</augment>
+
+<augment 1410-9>
+  active T
+  comment "WEB-CGI dcboard.cgi access"
+  comment "too general but low occurence"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1579-4>
+  active T
+  comment "WEB-MISC Domino webadmin.nsf access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 403-6>
+  active F
+  comment "ICMP Destination Unreachable Precedence Cutoff in effect"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/icmp-info.rules
+</augment>
+
+<augment 2389-4>
+  active T
+  comment FTP RNTO overflow attempt
+  comment pcre: /^RNTO\s[^\n]{100}/smi
+  eval dataSizeG100
+  ftp /((^)|(\n+))[rR][nN][tT][oO][\x20\x09\x0b][^\n]{100}/
+  requires-reverse-signature ! ftp_server_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/ftp.rules
+  <delete>
+    payload /.*[rR][nN][tT][oO]/
+  </delete>
+</augment>
+
+<augment 2158-5>
+  active F
+  comment "MISC BGP invalid length"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/misc.rules
+</augment>
+
+<augment 2417-1>
+  active T
+  comment "FTP format string attempt"
+  comment pcre: /\s+.*?%.*?%/smi
+  ftp /[\x20\x09\x0b]+.*?%.*?%/
+  requires-reverse-signature ! ftp_server_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/ftp.rules
+</augment>
+
+<augment 1275-10>
+  active T
+  comment "RPC portmap yppasswd request TCP"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 2290-4>
+  active T
+  comment "WEB-PHP Advanced Poll admin_help.php access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-php.rules
+</augment>
+
+<augment 1253-11>
+  active T
+  comment "TELNET bsd exploit client finishing"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/telnet.rules
+</augment>
+
+<augment 2185-7>
+  active T
+  comment "RPC mountd UDP mount path overflow attempt"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 387-7>
+  active F
+  comment "ICMP Address Mask Reply undefined code"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/icmp-info.rules
+</augment>
+
+<augment 274-5>
+  active T
+  comment "DOS ath"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/dos.rules
+</augment>
+
+<augment 1362-5>
+  active T
+  comment "WEB-ATTACKS xterm command attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-attacks.rules
+</augment>
+
+<augment 2423-2>
+  active T
+  comment NNTP article post without path attempt
+  comment pcre: /^takethis.*?Path\x3a.*?[\r]{0,1}?\n[\r]{0,1}\n/si
+  http /((^)|(\n+))[tT][aA][kK][eE][tT][hH][iI][sS].*?[pP][Aa][Tt][Hh]\x3a.*?[\r]{0,1}?\n[\r]{0,1}\n/
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/nntp.rules
+  <delete>
+    http /.*\.rp/
+  </delete>
+</augment>
+
+<augment 1741-5>
+  active T
+  comment "WEB-PHP DNSTools access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-php.rules
+</augment>
+
+<augment 1822-7>
+  active F
+  comment "WEB-CGI alienform.cgi directory traversal attempt"
+  comment "merged with s2b-1823-7"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 2569-1>
+  active F
+  comment "WEB-MISC cPanel resetpass access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 2043-2>
+  active T
+  comment "MISC isakmp login failed"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/misc.rules
+</augment>
+
+<augment 1586-4>
+  active T
+  comment "WEB-MISC Domino mail.box access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 542-10>
+  active T
+  comment "CHAT IRC nick change"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/chat.rules
+</augment>
+
+<augment 1643-6>
+  active F
+  comment "WEB-CGI db2www access"
+  comment "too general to be useful"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 2577-2>
+  active F
+  comment "WEB-CLIENT local resource redirection attempt"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-client.rules
+</augment>
+
+<augment 2299-4>
+  active T
+  comment "WEB-PHP Advanced Poll admin_tpl_misc_new.php access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-php.rules
+</augment>
+
+<augment 275-10>
+  active T
+  comment "DOS NAPTHA"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/dos.rules
+</augment>
+
+<augment 1890-8>
+  active T
+  comment "RPC status GHBN format string attack"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 1284-10>
+  active T
+  comment "WEB-CLIENT readme.eml download attempt"
+  requires-signature http_msie_client
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-client.rules
+</augment>
+
+<augment 368-6>
+  active F
+  comment "ICMP PING BSDtype"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/icmp-info.rules
+</augment>
+
+<augment 1735-4>
+  active T
+  comment "WEB-CLIENT XMLHttpRequest attempt"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-client.rules
+</augment>
+
+<augment 379-7>
+  active F
+  comment "ICMP PING Pinger Windows"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/icmp-info.rules
+</augment>
+
+<augment 1605-6>
+  active T
+  dst-ip == local_nets
+  comment "DOS iParty DOS attempt"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/dos.rules
+</augment>
+
+<augment 2094-6>
+  active T
+  comment "RPC CMSD UDP CMSD_CREATE array buffer overflow attempt"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 2540-3>
+  active F
+  comment "SMTP SSLv3 invalid Client_Hello attempt"
+  requires-reverse-signature ! smtp_server_fail
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/smtp.rules
+</augment>
+
+<augment 2004-5>
+  active F
+  comment "MS-SQL Worm propagation attempt OUTBOUND"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/sql.rules
+</augment>
+
+<augment 2391-4>
+  active T
+  comment FTP APPE overflow attempt
+  comment pcre: /^APPE\s[^\n]{100}/smi
+  eval dataSizeG100
+  payload /((^)|(\n+))[aA][pP][pP][eE][\x20\x09\x0b][^\n]{100}/
+  requires-reverse-signature ! ftp_server_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/ftp.rules
+  <delete>
+    payload /.*[aA][pP][pP][eE]/
+  </delete>
+</augment>
+
+<augment 2025-9>
+  active T
+  comment "RPC yppasswd username overflow attempt UDP"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 532-8>
+  active T
+  comment "NETBIOS SMB ADMIN$ share access"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/netbios.rules
+</augment>
+
+<augment 2431-3>
+  active T
+  comment NNTP rmgroup overflow attempt
+  comment pcre: /^rmgroup\x3a[^\n]{21}/smi
+  payload /((^)|(\n+))[rR][mM][gG][rR][oO][uU][pP]\x3a[^\n]{21}/
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/nntp.rules
+  <delete>
+    payload /.*[rR][mM][gG][rR][oO][uU][pP]/
+  </delete>
+</augment>
+
+<augment 162-4>
+  active T
+  comment "BACKDOOR Matrix 2.0 Server access"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/backdoor.rules
+</augment>
+
+<augment 1552-4>
+  active T
+  comment "WEB-MISC cvsweb version access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 1652-6>
+  active T
+  comment "WEB-CGI campus attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 222-2>
+  active T
+  comment "DDOS tfn2k icmp possible communication"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/ddos.rules
+</augment>
+
+<augment 1435-6>
+  active T
+  comment "DNS named authors attempt"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/dns.rules
+</augment>
+
+<augment 535-6>
+  active T
+  comment "NETBIOS SMB CD..."
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/netbios.rules
+</augment>
+
+<augment 1549-16>
+  active T
+  comment SMTP HELO overflow attempt
+  comment pcre: /^HELO\s[^\n]{500}/smi
+  payload /((^)|(\n+))[hH][eE][lL][oO][\x20\x09\x0b][^\n]{500}/
+  sigaction SIG_LOG
+  requires-reverse-signature ! smtp_server_fail
+  snort-rule-file snort_rules/rules2.2/smtp.rules
+  <delete>
+    payload /.*HELO/
+  </delete>
+</augment>
+
+<augment 1613-7>
+  active F
+  dst-ip == local_nets
+  http /[\/]handler.{1,}?\;.{2,}\|/
+  comment "WEB-MISC handler attempt"
+  comment "old IRIX web server vulnerability"
+  requires-reverse-signature ! http_error
+  <delete>
+  	http /.*[\/\\]handler/
+  	http /.*\x7C/
+  </delete>
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 419-5>
+  active F
+  comment "ICMP Mobile Host Redirect"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/icmp-info.rules
+</augment>
+
+<augment 858-7>
+  active T
+  comment "WEB-CGI filemail access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 315-6>
+  active T
+  comment "EXPLOIT x86 Linux mountd overflow"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/exploit.rules
+</augment>
+
+<augment 1523-10>
+  active T
+  comment "WEB-MISC ans.pl access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 1726-4>
+  active T
+  comment "WEB-IIS doctodep.btr access"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-iis.rules
+</augment>
+
+<augment 2528-7>
+  active F
+  comment "SMTP TLS PCT Client_Hello overflow attempt"
+  requires-reverse-signature ! smtp_server_fail
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/smtp.rules
+</augment>
+
+<augment 884-14>
+  active T
+  comment "WEB-CGI formmail access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+  http /.*[\/\\]formmail{0,5}\?/
+  <delete>
+  	http /.*[\/\\]formmail/
+  </delete>
+</augment>
+
+<augment 1086-12>
+  active T
+  comment "WEB-PHP strings overflow"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-php.rules
+</augment>
+
+<augment 1271-14>
+  active T
+  comment "RPC portmap rusers request TCP"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 1517-9>
+  active T
+  comment "WEB-CGI envout.bat access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1115-7>
+  active T
+  comment "WEB-MISC ICQ webserver DOS"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 1919-12>
+  active T
+  comment FTP CWD overflow attempt
+  comment "pcre: /^CWD\s[^\n]{100}/smi"
+  eval dataSizeG100
+  ftp "/((^)|(\n+))[cC][wW][dD][\x20\x09\x0b][^\n]{100}/"
+  requires-reverse-signature ! ftp_server_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/ftp.rules
+  <delete>
+    payload "/.*[cC][wW][dD]/"
+  </delete>
+</augment>
+
+<augment 1947-4>
+  active T
+  comment "WEB-MISC answerbook2 arbitrary command execution attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 1841-5>
+  active T
+  comment "WEB-CLIENT Javascript URL host spoofing attempt"
+  requires-signature http_old_gecko_client
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-client.rules
+</augment>
+
+<augment 439-6>
+  active F
+  comment "ICMP Reserved for Security Type 19"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/icmp-info.rules
+</augment>
+
+<augment 2285-2>
+  active T
+  comment "WEB-PHP rolis guestbook access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-php.rules
+</augment>
+
+<augment 996-8>
+  active T
+  comment "WEB-IIS anot.htr access"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-iis.rules
+</augment>
+
+<augment 1571-8>
+  active T
+  comment "WEB-CGI dcforum.cgi directory traversal attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 478-3>
+  active T
+  comment "ICMP Broadscan Smurf Scanner"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/icmp.rules
+</augment>
+
+<augment 1880-4>
+  active T
+  comment "WEB-MISC oracle web application server access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 1934-6>
+  active T
+  comment POP2 FOLD overflow attempt
+  comment pcre: /^FOLD\s[^\n]{256}/smi
+  payload /((^)|(\n+))[fF][oO][lL][dD][\x20\x09\x0b][^\n]{256}/
+  requires-reverse-signature ! pop_return_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/pop2.rules
+  <delete>
+    payload /.*FOLD/
+  </delete>
+</augment>
+
+<augment 861-12>
+  active T
+  comment "WEB-CGI w3-msql access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1304-7>
+  active T
+  comment "WEB-CGI txt2html.cgi access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 998-7>
+  active T
+  comment "WEB-IIS asp-srch attempt"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-iis.rules
+</augment>
+
+<augment 254-4>
+  active T
+  comment "DNS SPOOF query response with TTL of 1 min. and no authority"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/dns.rules
+</augment>
+
+<augment 941-6>
+  active T
+  comment "WEB-FRONTPAGE contents.htm access"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-frontpage.rules
+</augment>
+
+<augment 611-7>
+  active T
+  comment "RSERVICES rlogin login failure"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/rservices.rules
+</augment>
+
+<augment 2421-2>
+  active F
+  comment "MULTIMEDIA realplayer .smi playlist download attempt"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/multimedia.rules
+</augment>
+
+<augment 2313-2>
+  active T
+  comment "SHELLCODE x86 0x71FB7BAB NOOP unicode"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/shellcode.rules
+</augment>
+
+<augment 2511-9>
+  active F
+  comment "NETBIOS SMB DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/netbios.rules
+</augment>
+
+<augment 1538-13>
+  active T
+  comment "NNTP AUTHINFO USER overflow attempt"
+  comment pcre: /^AUTHINFO\s+USER\s[^\n]{200}/smi
+  payload /((^)|(\n+))[aA][uU][tT][hH][iI][nN][fF][oO][\x20\x09\x0b]+[uU][sS][eE][rR][\x20\x09\x0b][^\n]{200}/
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/nntp.rules
+  <delete>
+    payload /.*[aA][uU][tT][hH][iI][nN][fF][oO].*.*[uU][sS][eE][rR]/
+  </delete>
+</augment>
+
+<augment 1373-6>
+  active T
+  comment "WEB-ATTACKS conf/httpd.conf attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-attacks.rules
+</augment>
+
+<augment 1129-5>
+  active T
+  comment "WEB-MISC .htaccess access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 2445-4>
+  active T
+  comment "EXPLOIT ICQ SRV_MULTI/SRV_META_USER last name overflow attempt"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/exploit.rules
+</augment>
+
+<augment 1896-8>
+  active T
+  comment "EXPLOIT kadmind buffer overflow attempt"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/exploit.rules
+</augment>
+
+<augment 2380-3>
+  active T
+  comment "EXPLOIT ISAKMP fifth payload certificate request length overflow attempt"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/exploit.rules
+</augment>
+
+<augment 2447-4>
+  active T
+  comment "WEB-MISC ServletManager access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 1911-10>
+  active T
+  comment "RPC sadmind UDP NETMGT_PROC_SERVICE CLIENT_DOMAIN overflow attempt"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 2444-4>
+  active T
+  comment "EXPLOIT ICQ SRV_MULTI/SRV_META_USER first name overflow attempt"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/exploit.rules
+</augment>
+
+<augment 438-9>
+  active F
+  comment "ICMP Redirect undefined code"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/icmp-info.rules
+</augment>
+
+<augment 500-4>
+  active T
+  comment "MISC source route lssr"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/misc.rules
+</augment>
+
+<augment 1937-5>
+  active T
+  comment POP3 LIST overflow attempt
+  comment "pcre: /^LIST\s[^\n]{10}/smi"
+  payload "/((^)|(\n+))[lL][iI][sS][tT][\x20\x09\x0b][^\n]{10}/"
+  requires-reverse-signature ! pop_return_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/pop3.rules
+  <delete>
+    payload "/.*[lL][iI][sS][tT]/"
+  </delete>
+</augment>
+
+<augment 2247-3>
+  active T
+  comment "WEB-IIS UploadScript11.asp access"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-iis.rules
+</augment>
+
+<augment 1060-6>
+  active T
+  comment "WEB-MISC xp_availablemedia attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 2184-7>
+  active T
+  comment "RPC mountd TCP mount path overflow attempt"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 385-4>
+  active F
+  comment "ICMP traceroute"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/icmp-info.rules
+</augment>
+
+<augment 1328-5>
+  active T
+  comment "WEB-ATTACKS ps command attempt"
+  requires-reverse-signature ! http_error
+  http /.*[\/\\]bin[\/\\]ps([^-_a-zA-Z0-9.]|$)/
+  <delete>
+  	http /.*[\/\\]bin[\/\\]ps/
+  </delete>
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-attacks.rules
+</augment>
+
+<augment 650-8>
+  active F
+  comment "SHELLCODE x86 setuid 0"
+  sigaction SIG_FILE
+  dst-ip == local_nets
+  snort-rule-file snort_rules/rules2.2/shellcode.rules
+  comment "Short binary pattern"
+  comment "Mild suspicion"
+  comment "too many false positives"
+</augment>
+
+<augment 2303-4>
+  active F
+  comment "WEB-PHP Advanced Poll popup.php access"
+  comment "informational only"
+  comment "too general"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-php.rules
+</augment>
+
+<augment 598-12>
+  active T
+  comment "RPC portmap listing TCP 111"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 2283-2>
+  active T
+  comment "WEB-PHP DatabaseFunctions.php access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-php.rules
+</augment>
+
+<augment 408-5>
+  active F
+  comment "ICMP Echo Reply"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/icmp-info.rules
+</augment>
+
+<augment 2494-5>
+  active F
+  comment "NETBIOS DCEPRC ORPCThis request flood attempt"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/netbios.rules
+</augment>
+
+<augment 955-6>
+  active T
+  comment "WEB-FRONTPAGE access.cnf access"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-frontpage.rules
+</augment>
+
+<augment 1560-6>
+  active F
+  comment "WEB-MISC /doc/ access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 1853-6>
+  active T
+  comment "BACKDOOR win-trin00 connection attempt"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/backdoor.rules
+</augment>
+
+<augment 1052-8>
+  active T
+  comment "WEB-CGI technote print.cgi directory traversal attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 2532-3>
+  active F
+  comment "MISC LDAP SSLv3 Client_Hello request"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/misc.rules
+</augment>
+
+<augment 1739-6>
+  active T
+  comment "WEB-PHP DNSTools administrator authentication bypass attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-php.rules
+</augment>
+
+<augment 529-7>
+  active T
+  comment "NETBIOS DOS RFPoison"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/netbios.rules
+</augment>
+
+<augment 1941-8>
+  active T
+  comment "TFTP GET filename overflow attempt"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/tftp.rules
+</augment>
+
+<augment 839-7>
+  active F
+  comment "WEB-CGI finger access"
+  comment "informational only"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 2027-5>
+  active T
+  comment "RPC yppasswd old password overflow attempt UDP"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 428-7>
+  active F
+  comment "ICMP Parameter Problem undefined Code"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/icmp-info.rules
+</augment>
+
+<augment 1440-5>
+  active F
+  comment "MULTIMEDIA Icecast playlist redirection"
+  comment "informational only"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/multimedia.rules
+</augment>
+
+<augment 1656-4>
+  active T
+  comment "WEB-CGI pfdispaly.cgi access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1612-8>
+  active T
+  comment "WEB-MISC ftp.pl attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 2038-5>
+  active T
+  comment "RPC network-status-monitor mon-callback request TCP"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 1136-5>
+  active T
+  comment "WEB-MISC cd.."
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 1611-5>
+  active F
+  dst-ip == local_nets
+  comment "WEB-CGI eXtropia webstore access"
+  comment "informational only"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1807-9>
+  active T
+  comment "WEB-MISC Chunked-Encoding transfer attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  eval isApacheLt1322
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 1300-7>
+  active T
+  comment "WEB-PHP admin.php file upload attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-php.rules
+</augment>
+
+<augment 1953-5>
+  active T
+  comment "RPC AMD TCP pid request"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 119-5>
+  active T
+  comment "BACKDOOR Doly 2.0 access"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/backdoor.rules
+</augment>
+
+<augment 1057-6>
+  active T
+  comment "WEB-MISC ftp attempt"
+  requires-reverse-signature ! http_error
+  http /.*[fF][tT][pP]\.[eE][xX][eE]/
+  <delete>
+  	payload /.*[fF][tT][pP]\.[eE][xX][eE]/
+  </delete>
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 337-10>
+  active T
+  comment FTP CEL overflow attempt
+  comment "pcre: /^CEL\s[^\n]{100}/smi"
+  eval dataSizeG100
+  ftp "/((^)|(\n+))[cC][eE][lL][\x20\x09\x0b][^\n]{100}/"
+  requires-reverse-signature ! ftp_server_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/ftp.rules
+  <delete>
+    payload "/.*[cC][eE][lL]/"
+  </delete>
+</augment>
+
+<augment 2297-4>
+  active T
+  comment "WEB-PHP Advanced Poll admin_templates_misc.php access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-php.rules
+</augment>
+
+<augment 1974-6>
+  active T
+  comment FTP REST overflow attempt
+  comment "pcre: /^REST\s[^\n]{100}/smi"
+  eval dataSizeG100
+  ftp "/((^)|(\n+))[rR][eE][sS][tT][\x20\x09\x0b][^\n]{100}/"
+  requires-reverse-signature ! ftp_server_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/ftp.rules
+  <delete>
+    payload "/.*[rR][eE][sS][tT]/"
+  </delete>
+</augment>
+
+<augment 1277-9>
+  active T
+  comment "RPC portmap ypupdated request UDP"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 649-8>
+  active T
+  comment "SHELLCODE x86 setgid 0"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/shellcode.rules
+  comment "Short binary pattern"
+  comment "Mild suspicion"
+</augment>
+
+<augment 2023-4>
+  active T
+  comment "RPC mountd UDP unmountall request"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 2350-7>
+  active F
+  comment "NETBIOS DCERPC ISystemActivator bind accept"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/netbios.rules
+</augment>
+
+<augment 1875-4>
+  active T
+  dst-ip == local_nets
+  comment "WEB-CGI cgicso access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 328-8>
+  active T
+  comment "FINGER bomb attempt"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/finger.rules
+</augment>
+
+<augment 2461-3>
+  active F
+  comment "CHAT Yahoo IM webcam watch"
+  comment "informational only"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/chat.rules
+</augment>
+
+<augment 1777-4>
+  active T
+  comment "FTP EXPLOIT STAT * dos attempt"
+  requires-reverse-signature ! ftp_server_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/ftp.rules
+</augment>
+
+<augment 1963-9>
+  active T
+  comment "RPC RQUOTA getquota overflow attempt UDP"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 862-9>
+  active T
+  comment "WEB-CGI csh access"
+  requires-reverse-signature ! http_error
+  requires-signature ! http_shell_check
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 537-11>
+  active T
+  comment "NETBIOS SMB IPC$ share access"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/netbios.rules
+</augment>
+
+<augment 2556-2>
+  active T
+  comment "EXPLOIT Oracle Web Cache DELETE overflow attempt"
+  comment pcre: /^DELETE[^s]{432}/sm
+  payload /((^)|(\n+))DELETE[^s]{432}/
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/exploit.rules
+</augment>
+
+<augment 694-6>
+  active T
+  comment "MS-SQL/SMB shellcode attempt"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/sql.rules
+</augment>
+
+<augment 1187-12>
+  active T
+  comment "WEB-MISC SalesLogix Eviewer web command attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 2516-10>
+  active T
+  comment "MISC LDAP PCT Client_Hello overflow attempt"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/misc.rules
+</augment>
+
+<augment 161-4>
+  active T
+  comment "BACKDOOR Matrix 2.0 Client connect"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/backdoor.rules
+</augment>
+
+<augment 1388-12>
+  active T
+  comment MISC UPnP Location overflow
+  comment pcre: /^Location\:[^\n]{128}/smi
+  payload /((^)|(\n+))[lL][oO][cC][aA][tT][iI][oO][nN]\x3a[^\n]{128}/
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/misc.rules
+  <delete>
+    payload /.*[lL][oO][cC][aA][tT][iI][oO][nN]\x3A/
+  </delete>
+</augment>
+
+<augment 1615-5>
+  active T
+  comment "WEB-MISC htgrep attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 2249-3>
+  active T
+  comment "WEB-IIS /pcadmin/login.asp access"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-iis.rules
+</augment>
+
+<augment 1437-5>
+  active F
+  comment "MULTIMEDIA Windows Media audio download"
+  comment "informational only"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/multimedia.rules
+</augment>
+
+<augment 146-5>
+  active T
+  comment "BACKDOOR NetSphere access"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/backdoor.rules
+</augment>
+
+<augment 2566-1>
+  active T
+  comment "WEB-PHP PHPBB viewforum.php access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-php.rules
+</augment>
+
+<augment 2046-6>
+  active T
+  comment IMAP partial body.peek buffer overflow attempt
+  comment "pcre: /\sPARTIAL.*BODY\.PEEK\[[^\]]{1024}/smi"
+  payload "/((^)|(\n+))[\x20\x09\x0b][pP][aA][rR][tT][iI][aA][lL].*[bB][oO][dD][yY]\.[pP][eE][eE][kK]\[[^\]]{1024}/"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/imap.rules
+  <delete>
+    payload "/.*[pP][aA][rR][tT][iI][aA][lL].*.*[bB][oO][dD][yY]\.[pP][eE][eE][kK]\[/"
+  </delete>
+</augment>
+
+<augment 1731-7>
+  active T
+  comment "WEB-CGI a1stats access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 279-3>
+  active T
+  comment "DOS Bay/Nortel Nautica Marlin"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/dos.rules
+</augment>
+
+<augment 2571-1>
+  active T
+  comment "WEB-IIS SmarterTools SmarterMail frmGetAttachment.aspx access"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-iis.rules
+</augment>
+
+<augment 425-6>
+  active F
+  comment "ICMP Parameter Problem Bad Length"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/icmp-info.rules
+</augment>
+
+<augment 1606-6>
+  active F
+  comment "WEB-CGI icat access"
+  requires-reverse-signature ! http_error
+  http /.*[\/\\]icat([^\.][^h][^t][^m]|$)/
+  <delete>
+  	http /.*[\/\\]icat/
+  </delete>
+  sigaction SIG_LOG
+  comment "too many false positives"
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 975-12>
+  active T
+  comment "WEB-IIS Alternate Data streams ASP file access attempt"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-iis.rules
+</augment>
+
+<augment 163-8>
+  active T
+  comment "BACKDOOR WinCrash 1.0 Server Active"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/backdoor.rules
+</augment>
+
+<augment 451-5>
+  active F
+  comment "ICMP Timestamp Reply"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/icmp-info.rules
+</augment>
+
+<augment 2024-8>
+  active T
+  comment "RPC RQUOTA getquota overflow attempt TCP"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 2174-4>
+  active T
+  comment "NETBIOS SMB winreg access"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/netbios.rules
+</augment>
+
+<augment 1635-13>
+  active T
+  comment POP3 APOP overflow attempt
+  comment "pcre: /^APOP\s[^\n]{256}/smi"
+  payload "/((^)|(\n+))[aA][pP][oO][pP][\x20\x09\x0b][^\n]{256}/"
+  requires-reverse-signature ! pop_return_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/pop3.rules
+  <delete>
+    payload "/.*[aA][pP][oO][pP]/"
+  </delete>
+</augment>
+
+<augment 394-6>
+  active F
+  comment "ICMP Destination Unreachable Destination Host Unknown"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/icmp-info.rules
+</augment>
+
+<augment 475-3>
+  active T
+  comment "ICMP traceroute ipopts"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/icmp.rules
+</augment>
+
+<augment 2223-5>
+  active F
+  comment "WEB-CGI csNews.cgi access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+  comment "Informational only"
+</augment>
+
+<augment 270-6>
+  active T
+  comment "DOS Teardrop attack"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/dos.rules
+</augment>
+
+<augment 2231-5>
+  active T
+  comment "WEB-MISC register.dll access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 1400-4>
+  active T
+  comment "WEB-IIS /scripts/samples/ access"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-iis.rules
+</augment>
+
+<augment 1184-6>
+  active T
+  comment "WEB-MISC Netscape Enterprise Server directory view"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 1839-4>
+  active T
+  comment "WEB-MISC mailman cross site scripting attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 1360-5>
+  active T
+  comment "WEB-ATTACKS netcat command attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-attacks.rules
+</augment>
+
+<augment 1601-7>
+  active T
+  comment "WEB-CGI htsearch arbitrary file read attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 962-9>
+  active T
+  comment "WEB-FRONTPAGE shtml.exe access"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-frontpage.rules
+</augment>
+
+<augment 1180-12>
+  active T
+  comment "WEB-MISC get32.exe access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 2551-2>
+  active T
+  comment "EXPLOIT Oracle Web Cache GET overflow attempt"
+  comment pcre: /^GET[^s]{432}/sm
+  payload /((^)|(\n+))GET[^s]{432}/
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/exploit.rules
+</augment>
+
+<augment 514-5>
+  active T
+  comment "MISC ramen worm"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/misc.rules
+</augment>
+
+<augment 224-3>
+  active T
+  comment "DDOS Stacheldraht server spoof"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/ddos.rules
+</augment>
+
+<augment 2316-6>
+  active T
+  comment "NETBIOS DCERPC Workstation Service direct service access attempt"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/netbios.rules
+</augment>
+
+<augment 247-4>
+  active T
+  comment "DDOS mstream client to handler"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/ddos.rules
+</augment>
+
+<augment 919-7>
+  active T
+  comment "WEB-COLDFUSION datasource passwordattempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-coldfusion.rules
+</augment>
+
+<augment 1835-5>
+  active T
+  comment "WEB-MISC Macromedia SiteSpring cross site scripting attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 1758-3>
+  active T
+  comment "WEB-MISC b2 access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 953-7>
+  active T
+  comment "WEB-FRONTPAGE administrators.pwd access"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-frontpage.rules
+</augment>
+
+<augment 1465-8>
+  active T
+  comment "WEB-CGI auktion.cgi access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1367-5>
+  active T
+  comment "WEB-ATTACKS mail command attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-attacks.rules
+</augment>
+
+<augment 1421-11>
+  active T
+  comment "SNMP AgentX/tcp request"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/snmp.rules
+</augment>
+
+<augment 2258-6>
+  active T
+  comment "NETBIOS SMB-DS DCERPC Messenger Service buffer overflow attempt"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/netbios.rules
+</augment>
+
+<augment 1811-8>
+  active T
+  comment "ATTACK-RESPONSES successful gobbles ssh exploit uname"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/attack-responses.rules
+</augment>
+
+<augment 1183-8>
+  active T
+  comment "WEB-MISC Netscape Enterprise Server directory view"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 918-6>
+  active T
+  comment "WEB-COLDFUSION expeval access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-coldfusion.rules
+</augment>
+
+<augment 2515-9>
+  active F
+  comment "WEB-MISC PCT Client_Hello overflow attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 1270-11>
+  active T
+  comment "RPC portmap rstatd request TCP"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 2512-7>
+  active F
+  comment "NETBIOS SMB-DS DCERPC LSASS bind attempt"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/netbios.rules
+</augment>
+
+<augment 1347-5>
+  active T
+  comment "WEB-ATTACKS /usr/bin/g++ command attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-attacks.rules
+</augment>
+
+<augment 1100-7>
+  active T
+  comment "WEB-MISC L3retriever HTTP Probe"
+  requires-reverse-signature ! http_error
+  sigaction SIG_QUIET
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 1127-7>
+  active T
+  comment "WEB-MISC convert.bas access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 2340-4>
+  active T
+  comment FTP SITE CHMOD overflow attempt
+  comment "pcre: /^SITE\s+CHMOD\s[^\n]{100}/smi"
+  eval dataSizeG100
+  ftp "/((^)|(\n+))[sS][iI][tT][eE][\x20\x09\x0b]+[cC][hH][mM][oO][dD][\x20\x09\x0b][^\n]{100}/"
+  requires-reverse-signature ! ftp_server_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/ftp.rules
+  <delete>
+    payload "/.*[sS][iI][tT][eE].*.*[cC][hH][mM][oO][dD]/"
+  </delete>
+</augment>
+
+<augment 1504-6>
+  active F
+  comment "MISC AFS access"
+  comment "informational only, not exploit worthy"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/misc.rules
+</augment>
+
+<augment 896-11>
+  active T
+  comment "WEB-CGI way-board access"
+  dst-ip == local_nets
+  requires-reverse-signature ! http_error
+  http /.*[\/\\]way-board\?db\=.{2,}\x00/
+  <delete>
+  	http /.*[\/\\]way-board/
+  </delete>
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1855-7>
+  active T
+  comment "DDOS Stacheldraht agent->handler skillz"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/ddos.rules
+</augment>
+
+<augment 256-5>
+  active T
+  comment "DNS named authors attempt"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/dns.rules
+</augment>
+
+<augment 989-8>
+  active T
+  comment "WEB-IIS Unicode2.pl script File permission canonicalization"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-iis.rules
+</augment>
+
+<augment 1352-5>
+  active T
+  comment "WEB-ATTACKS tclsh execution attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-attacks.rules
+</augment>
+
+<augment 1209-5>
+  active T
+  comment "WEB-MISC .nsconfig access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 1900-10>
+  active T
+  comment "ATTACK-RESPONSES successful kadmind buffer overflow attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/attack-responses.rules
+</augment>
+
+<augment 366-7>
+  active F
+  comment "ICMP PING *NIX"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/icmp-info.rules
+</augment>
+
+<augment 1361-5>
+  active T
+  comment "WEB-ATTACKS nmap command attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-attacks.rules
+</augment>
+
+<augment 872-9>
+  active T
+  comment "WEB-CGI tcsh access"
+  requires-reverse-signature ! http_error
+  requires-signature ! http_shell_check
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1274-17>
+  active T
+  comment "RPC portmap ttdbserv request TCP"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 1817-4>
+  active T
+  comment "WEB-IIS MS Site Server default login attempt"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-iis.rules
+</augment>
+
+<augment 1079-11>
+  active T
+  comment "WEB-MISC WebDAV propfind access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 2309-6>
+  active T
+  comment "NETBIOS SMB DCERPC Workstation Service bind attempt"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/netbios.rules
+</augment>
+
+<augment 1657-6>
+  active T
+  comment "WEB-CGI pagelog.cgi directory traversal attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 982-9>
+  active T
+  comment "WEB-IIS unicode directory traversal attempt"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-iis.rules
+</augment>
+
+<augment 845-7>
+  active T
+  comment "WEB-CGI AT-admin.cgi access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 849-8>
+  active F
+  comment "WEB-CGI view-source access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules2.2/web-cgi.rules
+</augment>
+
+<augment 655-8>
+  active T
+  comment "SMTP sendmail 8.6.9 exploit"
+  requires-reverse-signature ! smtp_server_fail
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/smtp.rules
+</augment>
+
+<augment 2278-6>
+  active T
+  comment "WEB-MISC negative Content-Length attempt"
+  comment pcre: /^Content-Length\x3a\s+-\d+/+/smi
+  http /((^)|(\n+))[cC][oO][nN][tT][eE][nN][tT]-[lL][eE][nN][gG][tT][hH]\x3a[\x20\x09\x0b]+-[0-9]+\/+/
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+  <delete>
+    payload /.*[cC][oO][nN][tT][eE][nN][tT]-[lL][eE][nN][gG][tT][hH]\x3A/
+  </delete>
+</augment>
+
+<augment 2265-4>
+  active T
+  comment SMTP SOML FROM sendmail prescan too many addresses overflow
+  comment "pcre: /^SOML FROM\x3a\s*[^\n]*?<[^\n]*?<[^\n]*?<[^"
+  payload "/((^)|(\n+))[sS][oO][mM][lL] [fF][rR][oO][mM]\x3a[\x20\x09\x0b]*[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?</"
+  requires-reverse-signature ! smtp_server_fail
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/smtp.rules
+  <delete>
+    payload /.*[sS][oO][mM][lL] [fF][rR][oO][mM]\x3A/
+  </delete>
+</augment>
+
+<augment 240-2>
+  active T
+  comment "DDOS shaft agent to handler"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/ddos.rules
+</augment>
+
+<augment 398-6>
+  active F
+  comment "ICMP Destination Unreachable Host Unreachable for Type of Service"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/icmp-info.rules
+</augment>
+
+<augment 888-5>
+  active T
+  comment "WEB-CGI wwwadmin.pl access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 493-5>
+  active F
+  comment "INFO psyBNC access"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/info.rules
+</augment>
+
+<augment 948-6>
+  active T
+  comment "WEB-FRONTPAGE form_results access"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-frontpage.rules
+</augment>
+
+<augment 1489-5>
+  active T
+  comment "WEB-MISC /~nobody access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 1713-4>
+  active F
+  comment "WEB-CGI cgforum.cgi access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1153-5>
+  active T
+  comment "WEB-MISC Domino log.nsf access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 1654-4>
+  active T
+  comment "WEB-CGI cart32.exe access"
+  dst-ip == local_nets
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 2083-8>
+  active T
+  comment "RPC rpc.xfsmd xfs_export attempt UDP"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+
+<augment 960-6>
+  active T
+  comment "WEB-FRONTPAGE service.stp access"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-frontpage.rules
+</augment>
+
+<augment 1018-9>
+  active T
+  comment "WEB-IIS iisadmpwd attempt"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-iis.rules
+</augment>
+
+<augment 1257-8>
+  active T
+  comment "DOS Winnuke attack"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/dos.rules
+</augment>
+
+<augment 2442-6>
+  active T
+  comment WEB-MISC Quicktime User-Agent buffer overflow attempt
+  comment pcre: /^User-Agent\x3a[^\n]{244,255}/smi
+  http /((^)|(\n+))[uU][sS][eE][rR]-[aA][gG][eE][nN][tT]\x3a[^\n]{244,255}/
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+  <delete>
+    payload /.*[uU][sS][eE][rR]-[aA][gG][eE][nN][tT]\x3A/
+  </delete>
+</augment>
+
+<augment 484-4>
+  active T
+  comment "ICMP PING Sniffer Pro/NetXRay network scan"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/icmp.rules
+</augment>
+
+<augment 1565-8>
+  active T
+  comment "WEB-CGI eshop.pl arbitrary commane execution attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1016-10>
+  active T
+  comment "WEB-IIS global.asa access"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-iis.rules
+</augment>
+
+<augment 1607-5>
+  active F
+  comment "WEB-CGI HyperSeek hsx.cgi access"
+  comment "informational only"
+  comment "old signature based on NT 4.0 and Linux 2.3x kernel"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 721-7>
+  active F
+  comment "VIRUS OUTBOUND bad file attachment"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/virus.rules
+</augment>
+
+<augment 467-3>
+  active T
+  comment "ICMP Nemesis v1.1 Echo"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/icmp.rules
+</augment>
+
+<augment 987-12>
+  active T
+  comment "WEB-IIS .htr access"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-iis.rules
+</augment>
+
+<augment 2338-5>
+  active T
+  comment FTP LIST buffer overflow attempt
+  comment "pcre: /^LIST\s[^\n]{100,}/smi"
+  ftp "/((^)|(\n+))[lL][iI][sS][tT][\x20\x09\x0b][^\n]{100,}/"
+  requires-reverse-signature ! ftp_server_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/ftp.rules
+  <delete>
+    payload "/.*[lL][iI][sS][tT]/"
+  </delete>
+</augment>
+
+<augment 1040-6>
+  active T
+  comment "WEB-IIS srchadm access"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-iis.rules
+</augment>
+
+<augment 2463-6>
+  active T
+  comment "EXPLOIT IGMP IGAP message overflow attempt"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/exploit.rules
+</augment>
+
+<augment 1192-6>
+  active T
+  comment "WEB-MISC Trend Micro OfficeScan access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 1603-5>
+  active T
+  comment "WEB-MISC DELETE attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+  <delete>
+	payload /[dD][eE][lL][eE][tT][eE] /
+  </delete>
+  http /.{0,7}[dD][eE][lL][eE][tT][eE] /
+</augment>
+
+<augment 363-7>
+  active F
+  comment "ICMP IRDP router advertisement"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/icmp-info.rules
+</augment>
+
+<augment 1584-4>
+  active T
+  comment "WEB-MISC Domino bookmark.nsf access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 1830-5>
+  active T
+  comment "WEB-MISC Tomcat SnoopServlet servlet access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 1976-6>
+  active T
+  comment FTP RMD overflow attempt
+  comment "pcre: /^RMD\s[^\n]{100}/smi"
+  eval dataSizeG100
+  ftp "/((^)|(\n+))[rR][mM][dD][\x20\x09\x0b][^\n]{100}/"
+  requires-reverse-signature ! ftp_server_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/ftp.rules
+  <delete>
+    payload "/.*[rR][mM][dD]/"
+  </delete>
+</augment>
+
+<augment 476-4>
+  active T
+  comment "ICMP webtrends scanner"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/icmp.rules
+</augment>
+
+<augment 602-5>
+  active T
+  comment "RSERVICES rlogin bin"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/rservices.rules
+</augment>
+
+<augment 1897-8>
+  active T
+  comment "EXPLOIT kadmind buffer overflow attempt"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/exploit.rules
+</augment>
+
+<augment 336-10>
+  active T
+  comment FTP CWD ~root attempt
+  comment "pcre: /^CWD\s+~root/smi"
+  payload "/((^)|(\n+))[cC][wW][dD][\x20\x09\x0b]+~[rR][oO][oO][tT]/"
+  requires-reverse-signature ! ftp_server_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/ftp.rules
+  <delete>
+    payload "/.*[cC][wW][dD].{1}.*~[rR][oO][oO][tT]/"
+  </delete>
+</augment>
+
+<augment 2039-4>
+  active T
+  comment "MISC bootp hostname format string attempt"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/misc.rules
+</augment>
+
+<augment 2194-6>
+  active T
+  comment "WEB-CGI CSMailto.cgi access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1564-6>
+  active F
+  comment "WEB-MISC login.htm access"
+  comment "this is removed since *any* login.htm will match "
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 1341-5>
+  active T
+  comment "WEB-ATTACKS /usr/bin/gcc command attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-attacks.rules
+</augment>
+
+<augment 2295-4>
+  active T
+  comment "WEB-PHP Advanced Poll admin_settings.php access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-php.rules
+</augment>
+
+<augment 2345-4>
+  active T
+  comment "WEB-PHP PhpGedView search.php access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-php.rules
+</augment>
+
+<augment 2509-7>
+  active F
+  comment "NETBIOS SMB DCERPC LSASS unicode bind attempt"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/netbios.rules
+</augment>
+
+<augment 1471-5>
+  active T
+  comment "WEB-CGI mailnews.cgi access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 2036-6>
+  active T
+  comment "RPC portmap network-status-monitor request TCP"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 257-8>
+  active T
+  comment "DNS named version attempt"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/dns.rules
+</augment>
+
+<augment 958-6>
+  active T
+  comment "WEB-FRONTPAGE service.cnf access"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-frontpage.rules
+</augment>
+
+<augment 2289-4>
+  active T
+  comment "WEB-PHP Advanced Poll admin_embed.php access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-php.rules
+</augment>
+
+<augment 1249-10>
+  active T
+  comment "WEB-FRONTPAGE frontpage rad fp4areg.dll access"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-frontpage.rules
+</augment>
+
+<augment 1583-4>
+  active T
+  comment "WEB-MISC Domino mailw46.nsf access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 1775-2>
+  active T
+  comment "MYSQL root login attempt"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/mysql.rules
+</augment>
+
+<augment 1808-6>
+  active T
+  comment "WEB-MISC apache chunked encoding memory corruption exploit attempt"
+  requires-signature ! http_msie_client
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 1528-8>
+  active T
+  comment "WEB-MISC BBoard access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 2270-4>
+  active T
+  comment SMTP RCPT TO sendmail prescan too long addresses overflow
+  comment "pcre: /^RCPT TO\x3a\s+[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}/smi"
+  payload "/((^)|(\n+))[rR][cC][pP][tT] [tT][oO]\x3a[\x20\x09\x0b]+[a-zA-Z0-9\x5f\x20\x09\x0b\x40\.]{0,200}\x3b[a-zA-Z0-9\x5f\x20\x09\x0b=x40\.]{200,}\x3b[a-zA-Z0-9\x5f\x20\x09\x0b\x40\.]{0,200}/"
+  sigaction SIG_LOG
+  requires-reverse-signature ! smtp_server_fail
+  snort-rule-file snort_rules/rules2.2/smtp.rules
+  <delete>
+    payload /.*[rR][cC][pP][tT] [tT][oO]\x3A/
+  </delete>
+</augment>
+
+<augment 2128-5>
+  active T
+  comment "WEB-CGI swsrv.cgi access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1416-9>
+  active T
+  comment "SNMP broadcast trap"
+  requires-reverse-signature snmp_userver_ok_return
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/snmp.rules
+</augment>
+
+<augment 2387-4>
+  active T
+  comment "WEB-CGI view_broadcast.cgi access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 273-7>
+  active T
+  comment "DOS IGMP dos attack"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/dos.rules
+</augment>
+
+<augment 2232-5>
+  active T
+  comment "WEB-MISC ContentFilter.dll access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 1102-7>
+  active T
+  comment "WEB-MISC Nessus 404 probe"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 456-5>
+  active F
+  comment "ICMP Traceroute"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/icmp-info.rules
+</augment>
+
+<augment 1285-6>
+  active T
+  comment "WEB-IIS msdac access"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-iis.rules
+</augment>
+
+<augment 1548-9>
+  active T
+  comment "WEB-CGI csSearch.cgi access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+  eval isApacheLt1325
+</augment>
+
+<augment 1765-6>
+  active T
+  comment "WEB-CGI Nortel Contivity cgiproc access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 712-8>
+  active T
+  comment "TELNET ld_library_path"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/telnet.rules
+</augment>
+
+<augment 1027-8>
+  active T
+  comment "WEB-IIS perl-browse space attempt"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-iis.rules
+</augment>
+
+<augment 1420-11>
+  active T
+  comment "SNMP trap tcp"
+  requires-reverse-signature snmp_tserver_ok_return
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/snmp.rules
+</augment>
+
+<augment 282-7>
+  active T
+  comment "DOS arkiea backup"
+  sigaction SIG_QUIET
+  snort-rule-file snort_rules/rules2.2/dos.rules
+</augment>
+
+<augment 360-7>
+  active T
+  comment "FTP serv-u directory transversal"
+  requires-reverse-signature ! ftp_server_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/ftp.rules
+</augment>
+
+<augment 1705-7>
+  active T
+  comment "WEB-CGI echo.bat arbitrary command execution attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1821-7>
+  active T
+  comment "EXPLOIT LPD dvips remote command execution attempt"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/exploit.rules
+</augment>
+
+<augment 2452-4>
+  active F
+  comment "CHAT Yahoo IM ping"
+  comment "informational only"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/chat.rules
+</augment>
+
+<augment 504-6>
+  active T
+  comment "MISC source port 53 to <1024"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/misc.rules
+</augment>
+
+<augment 267-5>
+  active T
+  comment "DNS EXPLOIT sparc overflow attempt"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/dns.rules
+</augment>
+
+<augment 1001-7>
+  active T
+  comment "WEB-MISC carbo.dll access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 1931-3>
+  active T
+  comment "WEB-CGI rpc-nlog.pl access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1116-6>
+  active T
+  comment "WEB-MISC Lotus DelDoc attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 288-6>
+  active T
+  comment "POP3 EXPLOIT x86 Linux overflow"
+  requires-reverse-signature ! pop_return_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/pop3.rules
+</augment>
+
+<augment 1281-7>
+  active T
+  comment "RPC portmap listing UDP 32771"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 1655-4>
+  active T
+  comment "WEB-CGI pfdispaly.cgi arbitrary command execution attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1262-9>
+  active F
+  comment "RPC portmap admind request TCP"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/rpc.rules
+</augment>
+
+<augment 118-5>
+  active T
+  comment "BACKDOOR SatansBackdoor.2.0.Beta"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/backdoor.rules
+</augment>
+
+<augment 1646-5>
+  active T
+  comment "WEB-CGI test.cgi access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 289-6>
+  active T
+  comment "POP3 EXPLOIT x86 SCO overflow"
+  requires-reverse-signature ! pop_return_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/pop3.rules
+</augment>
+
+<augment 2371-2>
+  active T
+  comment "WEB-MISC Sample_showcode.html access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 1377-14>
+  active F
+  comment "FTP wu-ftp bad file completion attempt ["
+  requires-reverse-signature ! ftp_server_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/ftp.rules
+</augment>
+
+<augment 1112-6>
+  active F
+  comment "WEB-MISC http directory traversal"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 1820-7>
+  active T
+  comment "WEB-MISC IBM Net.Commerce orderdspc.d2w access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 1364-5>
+  active T
+  comment "WEB-ATTACKS lsof command attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-attacks.rules
+</augment>
+
+<augment 1026-9>
+  active T
+  comment "WEB-IIS perl-browse newline attempt"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-iis.rules
+</augment>
+
+<augment 1387-7>
+  active T
+  comment "MS-SQL raiserror possible buffer overflow"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/sql.rules
+</augment>
+
+<augment 2090-8>
+  active T
+  comment "WEB-IIS WEBDAV exploit attempt"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-iis.rules
+</augment>
+
+<augment 1703-7>
+  active T
+  comment "WEB-CGI auktion.cgi directory traversal attempt"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 2381-5>
+  active T
+  comment WEB-MISC schema overflow attempt
+  comment pcre: /^[^\/]{14,}?\x3a\/\//U
+  http /^[^\/]{14,}?\x3a\/\//
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+  <delete>
+    http /.*\x3A[\/\\][\/\\]/
+  </delete>
+</augment>
+
+<augment 1139-7>
+  active T
+  comment "WEB-MISC whisker HEAD/./"
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 1432-6>
+  active F
+  comment "P2P GNUTella client request"
+  comment "informational only"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/p2p.rules
+</augment>
+
+<augment 2328-3>
+  active T
+  comment "WEB-PHP authentication_index.php access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-php.rules
+</augment>
+
+<augment 631-6>
+  active T
+  comment "SMTP ehlo cybercop attempt"
+  requires-reverse-signature ! smtp_server_fail
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/smtp.rules
+</augment>
+
+<augment 621-6>
+  active F
+  comment "SCAN FIN"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/scan.rules
+</augment>
+
+<augment 2257-5>
+  active T
+  comment "NETBIOS DCERPC Messenger Service buffer overflow attempt"
+  sigaction SIG_FILE
+  # sigaction SIG_SUMMARY
+  snort-rule-file snort_rules/rules2.2/netbios.rules
+</augment>
+
+<augment 1632-6>
+  active F
+  comment "CHAT AIM send message"
+  comment "informational only"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/chat.rules
+</augment>
+
+<augment 1295-9>
+  active T
+  comment "NETBIOS nimda RICHED20.DLL"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/netbios.rules
+</augment>
+
+<augment 2527-3>
+  active F
+  comment "SMTP STARTTLS attempt"
+  requires-reverse-signature ! smtp_server_fail
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/smtp.rules
+</augment>
+
+<augment 195-5>
+  active T
+  comment "BACKDOOR DeepThroat 3.1 Server Response"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/backdoor.rules
+</augment>
+
+<augment 2117-5>
+  active T
+  comment "WEB-IIS Battleaxe Forum login.asp access"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-iis.rules
+</augment>
+
+<augment 1252-13>
+  active T
+  comment "TELNET bsd telnet exploit response"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/telnet.rules
+</augment>
+
+<augment 1007-6>
+  active T
+  comment "WEB-IIS cross-site scripting attempt"
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-iis.rules
+</augment>
+
+<augment 1761-3>
+  active T
+  comment "OTHER-IDS ISS RealSecure 6 daemon connection attempt"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/other-ids.rules
+</augment>
+
+<augment 1942-4>
+  active T
+  comment FTP RMDIR overflow attempt
+  comment "pcre: /^RMDIR\s[^\n]{100}/smi"
+  eval dataSizeG100
+  ftp "/((^)|(\n+))[rR][mM][dD][iI][rR][\x20\x09\x0b][^\n]{100}/"
+  requires-reverse-signature ! ftp_server_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/ftp.rules
+  <delete>
+    payload "/.*[rR][mM][dD][iI][rR]/"
+  </delete>
+</augment>
+
+<augment 1466-8>
+  active T
+  comment "WEB-CGI cgiforum.pl access"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1481-4>
+  active T
+  comment WEB-CGI upload.cgi access
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 517-1>
+  active T
+  comment MISC xdmcp query
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/misc.rules
+</augment>
+
+<augment 634-2>
+  active T
+  comment SCAN Amanda client version request
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/scan.rules
+</augment>
+
+<augment 2067-2>
+  active F
+  comment WEB-MISC Lotus Notes .exe script source download attempt
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 2154-1>
+  active T
+  comment WEB-PHP autohtml.php access
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-php.rules
+</augment>
+
+<augment 2144-1>
+  active T
+  comment WEB-PHP b2 cafelog gm-2-b2.php access
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-php.rules
+</augment>
+
+<augment 211-3>
+  active T
+  comment BACKDOOR MISC r00t attempt
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/backdoor.rules
+</augment>
+
+<augment 2406-1>
+  active T
+  comment TELNET APC SmartSlot default admin account attempt
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/telnet.rules
+</augment>
+
+<augment 2314-1>
+  active T
+  comment SHELLCODE x86 0x90 NOOP unicode
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/shellcode.rules
+</augment>
+
+<augment 218-4>
+  active F
+  comment BACKDOOR MISC Solaris 2.5 attempt
+  comment "too general"
+  comment "too many false positives"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/backdoor.rules
+</augment>
+
+<augment 285-6>
+  active T
+  comment POP2 x86 Linux overflow
+  requires-reverse-signature ! pop_return_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/pop2.rules
+</augment>
+
+<augment 234-2>
+  active T
+  comment DDOS Trin00 Attacker to Master default password
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/ddos.rules
+</augment>
+
+<augment 1667-5>
+  active T
+  comment WEB-MISC cross site scripting HTML Image tag set to javascript attempt
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 2134-2>
+  active T
+  comment WEB-IIS register.asp access
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-iis.rules
+</augment>
+
+<augment 2359-2>
+  active T
+  comment WEB-PHP Invision Board ipchat.php file include
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-php.rules
+</augment>
+
+<augment 2434-1>
+  active T
+  comment WEB-CGI MDaemon form2raw.cgi access
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1061-6>
+  active T
+  comment WEB-MISC xp_cmdshell attempt
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 1653-4>
+  active F
+  comment WEB-CGI campus access
+  comment NCSA web server only, depricate sig
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-cgi.rules
+</augment>
+
+<augment 1676-3>
+  active T
+  comment "ORACLE select union attempt"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules2.2/oracle.rules
+</augment>
+
+<augment 1681-3>
+  active T
+  comment "ORACLE all_views access"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules2.2/oracle.rules
+</augment>
+
+<augment 1688-3>
+  active T
+  comment ORACLE user_tablespace access
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/oracle.rules
+</augment>
+
+<augment 2394-1>
+  active F
+  comment WEB-MISC Compaq web-based management agent denial of service attempt
+  comment "too general"
+  comment "too many false positives"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 2330-1>
+  active T
+  comment IMAP auth overflow attempt
+  comment "pcre: /AUTH\s[^\n]{100}/smi"
+  payload "/((^)|(\n+))[aA][uU][tT][hH][\x20\x09\x0b][^\n]{100}/"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/imap.rules
+  <delete>
+    payload "/.*[aA][uU][tT][hH]/"
+  </delete>
+</augment>
+
+<augment 107-6>
+  active T
+  comment BACKDOOR subseven DEFCON8 2.1 access
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/backdoor.rules
+</augment>
+
+<augment 1424-6>
+  active T
+  comment SHELLCODE x86 0xEB0C NOOP
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/shellcode.rules
+</augment>
+
+<augment 1530-6>
+  active T
+  comment FTP format string attempt
+  requires-reverse-signature ! ftp_server_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/ftp.rules
+</augment>
+
+<augment 1144-5>
+  active T
+  comment WEB-MISC /cgi-bin/// access
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 1935-4>
+  active T
+  comment POP2 FOLD arbitrary file attempt
+  comment "pcre: /^FOLD\s+\//smi"
+  payload "/((^)|(\n+))[fF][oO][lL][dD][\x20\x09\x0b]+\//"
+  requires-reverse-signature ! pop_return_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/pop2.rules
+  <delete>
+    payload /.*FOLD/
+  </delete>
+</augment>
+
+<augment 2078-2>
+  active T
+  dst-ip == local_nets
+  comment WEB-PHP phpBB privmsg.php access
+  requires-reverse-signature ! http_error
+  http /.*[\/\\]privmsg\.php.{1,}?[Ff][Oo][Ll][Dd][Ee][Rr]=.{1,}[Mm][Oo][Dd][Ee]=.{1,}[Cc][Oo][Nn][Ff][Ii][Rr][Mm]=[Yy][Ee][Ss]/
+  <delete>
+  	http /.*[\/\\]privmsg\.php/
+  </delete>
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-php.rules
+</augment>
+
+<augment 1991-1>
+  active F
+  comment CHAT MSN login attempt
+  comment "informational only"
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/chat.rules
+</augment>
+
+<augment 1622-5>
+  active F
+  comment FTP RNFR ././ attempt
+  requires-reverse-signature ! ftp_server_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/ftp.rules
+</augment>
+
+<augment 1677-3>
+  active T
+  comment ORACLE select like '%' attempt
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/oracle.rules
+</augment>
+
+<augment 2400-1>
+  active T
+  comment WEB-MISC edittag.pl access
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 1541-4>
+  active T
+  comment FINGER version query
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/finger.rules
+</augment>
+
+<augment 1993-4>
+  active T
+  comment IMAP login literal buffer overflow attempt
+  comment "pcre: /\sLOGIN\s[^\n]*?\s\{/smi"
+  payload "/((^)|(\n+))[lL][oO][gG][iI][nN][\x20\x09\x0b][^\n]*?[\x20\x09\x0b]\{/"
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/imap.rules
+  <delete>
+    payload "/.*[lL][oO][gG][iI][nN]/"
+  </delete>
+</augment>
+
+<augment 2343-1>
+  active T
+  comment FTP STOR overflow attempt
+  comment "pcre: /^STOR\s[^\n]{100}/smi"
+  eval dataSizeG100
+  ftp "/((^)|(\n+))[sS][tT][oO][rR][\x20\x09\x0b][^\n]{100}/"
+  requires-reverse-signature ! ftp_server_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/ftp.rules
+  <delete>
+    payload "/.*[sS][tT][oO][rR]/"
+  </delete>
+</augment>
+
+<augment 1499-5>
+  active T
+  comment WEB-MISC SiteScope Service access
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 2108-3>
+  active T
+  comment POP3 CAPA overflow attempt
+  comment "pcre: /^CAPA\s[^\n]{10}/smi"
+  payload "/((^)|(\n+))[cC][aA][pP][aA][\x20\x09\x0b][^\n]{10}/"
+  requires-reverse-signature ! pop_return_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/pop3.rules
+  <delete>
+    payload "/.*[cC][aA][pP][aA]/"
+  </delete>
+</augment>
+
+<augment 1983-1>
+  active T
+  comment BACKDOOR DeepThroat 3.1 Connection attempt [4120]
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/backdoor.rules
+</augment>
+
+<augment 1977-1>
+  active T
+  comment WEB-MISC xp_regwrite attempt
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 1754-2>
+  active T
+  comment WEB-IIS as_web4.exe access
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-iis.rules
+</augment>
+
+<augment 1927-2>
+  active T
+  comment FTP authorized_keys
+  requires-reverse-signature ! ftp_server_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/ftp.rules
+</augment>
+
+<augment 2075-2>
+  active T
+  comment WEB-PHP Mambo upload.php upload php file attempt
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-php.rules
+</augment>
+
+<augment 1981-1>
+  active T
+  comment BACKDOOR DeepThroat 3.1 Connection attempt [3150]
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/backdoor.rules
+</augment>
+
+<augment 1874-1>
+  active T
+  comment WEB-MISC Oracle Java Process Manager access
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 1201-7>
+  active F
+  comment ATTACK-RESPONSES 403 Forbidden
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/attack-responses.rules
+</augment>
+
+<augment 1567-5>
+  active T
+  comment WEB-IIS /exchange/root.asp attempt
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-iis.rules
+</augment>
+
+<augment 2362-2>
+  active T
+  comment WEB-PHP YaBB SE packages.php file include
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-php.rules
+</augment>
+
+<augment 2356-2>
+  active T
+  comment WEB-PHP WebChat db_mysql.php file include
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-php.rules
+</augment>
+
+<augment 2142-1>
+  active F
+  comment WEB-PHP shoutbox.php access
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-php.rules
+  comment "Informational only"
+</augment>
+
+<augment 1684-3>
+  active T
+  comment ORACLE all_tab_columns access
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/oracle.rules
+</augment>
+
+<augment 1944-1>
+  active T
+  comment WEB-MISC /ecscripts/ecware.exe access
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 212-3>
+  active T
+  comment BACKDOOR MISC rewt attempt
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/backdoor.rules
+</augment>
+
+<augment 2407-1>
+  active F
+  comment WEB-MISC util.pl access
+  comment "too general"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+</augment>
+
+<augment 660-7>
+  active T
+  comment SMTP expn root
+  comment "pcre: /^expn\s+root/smi"
+  payload "/((^)|(\n+))[eE][xX][pP][nN][\x20\x09\x0b][rR][oO][oO][tT]/"
+  sigaction SIG_FILE
+  requires-reverse-signature ! smtp_server_fail
+  snort-rule-file snort_rules/rules2.2/smtp.rules
+  <delete>
+    payload "/.*[eE][xX][pP][nN]/"
+    payload "/.*[rR][oO][oO][tT]/"
+  </delete>
+</augment>
+
+<augment 1559-5>
+  active F
+  comment WEB-MISC /doc/packages access
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/web-misc.rules
+  comment "too many false positives"
+</augment>
+
+<augment 2250-1>
+  active T
+  comment POP3 USER format string attempt
+  requires-reverse-signature ! pop_return_error
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/pop3.rules
+</augment>
+
+<augment 1229-7>
+  active T
+  comment FTP CWD ...
+  comment "pcre: /^CWD\s[^\n]*?\.\.\./smi"
+  payload "/((^)|(\n+))[cC][wW][dD][\x20\x09\x0b][^\n]*?\.\.\./"
+  requires-reverse-signature ! ftp_server_error
+  sigaction SIG_FILE
+  snort-rule-file snort_rules/rules2.2/ftp.rules
+  <delete>
+    payload "/.*[cC][wW][dD].*.*\.\.\./"
+  </delete>
+</augment>
+
+<augment 604-5>
+  active T
+  comment RSERVICES rsh froot
+  sigaction SIG_LOG
+  snort-rule-file snort_rules/rules2.2/rservices.rules
+</augment>
+
+<augment 556-5>
+  active F
+  comment P2P Outbound GNUTella client request
+  comment "informational only"
+  sigaction SIG_FILE
+  snort-rule-file s2b_data_on_weed/rules2.1/p2p.rules
+</augment>
+
+<augment 717-6>
+  active T
+  comment TELNET not on console
+  sigaction SIG_FILE
+  snort-rule-file s2b_data_on_weed/rules2.1/telnet.rules
+</augment>
+
+<augment 1857-3>
+  active F
+  comment WEB-MISC robot.txt access
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/web-misc.rules
+</augment>
+
+<augment 2321-1>
+  active T
+  comment WEB-IIS foxweb.exe access
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/web-iis.rules
+</augment>
+
+<augment 1076-6>
+  active T
+  comment WEB-IIS repost.asp access
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/web-iis.rules
+</augment>
+
+<augment 1946-3>
+  active T
+  comment WEB-MISC answerbook2 admin attempt
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/web-misc.rules
+</augment>
+
+<augment 2276-1>
+  active T
+  comment WEB-MISC oracle portal demo access
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/web-misc.rules
+</augment>
+
+<augment 658-5>
+  active T
+  comment SMTP exchange mime DOS
+  sigaction SIG_FILE
+  snort-rule-file s2b_data_on_weed/rules2.1/smtp.rules
+</augment>
+
+<augment 659-6>
+  active T
+  comment SMTP expn decode
+  comment "pcre: /^expn\s+decode/smi?"
+  payload "/((^)|(\n+))[eE][xX][pP][nN][\x20\x09\x0b][dD][eE][cC][oO][dD][eE]/"
+  sigaction SIG_FILE
+  requires-reverse-signature ! smtp_server_fail
+  snort-rule-file s2b_data_on_weed/rules2.1/smtp.rules
+  <delete>
+    payload "/.*[eE][xX][pP][nN]/"
+    payload "/.*[dD][eE][cC][oO][dD][eE]/"
+  </delete>
+</augment>
+
+<augment 2409-1>
+  active T
+  comment POP3 APOP USER overflow attempt
+  comment "pcre: /^APOP\s+USER\s[^\n]{256}/smi"
+  payload "/((^)|(\n+))[aA][pP][oO][pP][\x20\x09\x0b]+[uU][sS][eE][rR][\x20\x09\x0b][^\n]{2,56}/"
+  requires-reverse-signature ! pop_return_error
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/pop3.rules
+  <delete>
+    payload "/.*[aA][pP][oO][pP]/"
+  </delete>
+</augment>
+
+<augment 1520-6>
+  active T
+  comment WEB-MISC server-info access
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/web-misc.rules
+</augment>
+
+<augment 1879-5>
+  active T
+  dst-ip == local_nets
+  http /.*[\/]book.cgi\?.{1,}\|.{2,}\|/
+  comment WEB-CGI book.cgi arbitrary command execution attempt
+  requires-reverse-signature ! http_error
+  <delete>
+  	http /.*[\/\\]book\.cgi/
+  	payload /.*[cC][uU][rR][rR][eE][nN][tT]=\x7C/
+  </delete>
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/web-cgi.rules
+</augment>
+
+<augment 2342-1>
+  active T
+  comment WEB-PHP DCP-Portal remote file include attempt
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/web-php.rules
+</augment>
+
+<augment 2304-2>
+  active T
+  comment WEB-PHP files.inc.php access
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/web-php.rules
+</augment>
+
+<augment 2135-1>
+  active T
+  comment WEB-MISC philboard.mdb access
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/web-misc.rules
+</augment>
+
+<augment 2341-1>
+  active T
+  comment WEB-PHP DCP-Portal remote file include attempt
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/web-php.rules
+</augment>
+
+<augment 1831-3>
+  active T
+  comment WEB-MISC jigsaw dos attempt
+  comment "not iis or apache web server"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/web-misc.rules
+  eval isNotIIS
+  eval isNotApache
+</augment>
+
+<augment 2398-1>
+  active T
+  comment WEB-PHP WAnewsletter newsletter.php file include attempt
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/web-php.rules
+</augment>
+
+<augment 2354-2>
+  active T
+  comment WEB-PHP IdeaBox notification.php file include
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/web-php.rules
+</augment>
+
+<augment 930-5>
+  active T
+  comment WEB-COLDFUSION snippets attempt
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file s2b_data_on_weed/rules2.1/web-coldfusion.rules
+</augment>
+
+<augment 2156-1>
+  active T
+  comment WEB-MISC mod_gzip_status access
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/web-misc.rules
+</augment>
+
+<augment 1329-5>
+  active F
+  comment WEB-ATTACKS ps command attempt
+  comment this sig is *yoo* general to be useful
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/web-attacks.rules
+</augment>
+
+<augment 1059-6>
+  active T
+  comment WEB-MISC xp_filelist attempt
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/web-misc.rules
+</augment>
+
+<augment 913-5>
+  active T
+  comment WEB-COLDFUSION cfappman access
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file s2b_data_on_weed/rules2.1/web-coldfusion.rules
+</augment>
+
+<augment 1670-4>
+  active T
+  comment WEB-MISC /home/ftp access
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/web-misc.rules
+</augment>
+
+<augment 2127-1>
+  active T
+  comment WEB-CGI ikonboard.cgi access
+  dst-ip == local_nets
+  payload /Cookie: [^\=]{1,}\=\/[^\x0D\x0A]{2,}\x0D\x0A\x0D\x0A/
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/web-cgi.rules
+</augment>
+
+<augment 1984-1>
+  active T
+  comment BACKDOOR DeepThroat 3.1 Server Response [4120]
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/backdoor.rules
+</augment>
+
+<augment 1671-4>
+  active F
+  comment WEB-MISC /home/www access
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/web-misc.rules
+  comment "Informational only"
+</augment>
+
+<augment 1463-6>
+  active T
+  comment CHAT IRC message
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/chat.rules
+</augment>
+
+<augment 2062-1>
+  active T
+  comment WEB-MISC iPlanet .perf access
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/web-misc.rules
+</augment>
+
+<augment 1867-1>
+  active T
+  comment MISC xdmcp info query
+  sigaction SIG_FILE
+  snort-rule-file s2b_data_on_weed/rules2.1/misc.rules
+</augment>
+
+<augment 2322-1>
+  active T
+  comment WEB-IIS foxweb.dll access
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/web-iis.rules
+</augment>
+
+<augment 1623-6>
+  active T
+  comment FTP invalid MODE
+  comment "pcre: /^MODE\s+[^ABSC]{1}/msi"
+  ftp "/((^)|(\n+))[mM][oO][dD][eE][\x20\x09\x0b]+[^aAbBsScC]{1}/"
+  requires-reverse-signature ! ftp_server_error
+  sigaction SIG_FILE
+  snort-rule-file s2b_data_on_weed/rules2.1/ftp.rules
+  <delete>
+    payload "/.*[mM][oO][dD][eE]/"
+  </delete>
+</augment>
+
+<augment 1666-5>
+  active T
+  comment ATTACK-RESPONSES index of /cgi-bin/ response
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file s2b_data_on_weed/rules2.1/attack-responses.rules
+</augment>
+
+<augment 1694-3>
+  active T
+  comment ORACLE alter table attempt
+  sigaction SIG_FILE
+  snort-rule-file s2b_data_on_weed/rules2.1/oracle.rules
+</augment>
+
+<augment 2319-1>
+  active T
+  comment EXPLOIT ebola PASS overflow attempt
+  comment "pcre: /^USER\s[^\n]{49}/smi"
+  payload "/((^)|(\n+))[uU][sS][eE][rR][\x20\x09\x0b][^\n]{49}/"
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/exploit.rules
+  <delete>
+    payload "/.*[pP][aA][sS][sS]/"
+  </delete>
+</augment>
+
+<augment 1044-6>
+  active T
+  comment WEB-IIS webhits access
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/web-iis.rules
+</augment>
+
+<augment 214-4>
+  active T
+  comment BACKDOOR MISC Linux rootkit attempt lrkr0x
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/backdoor.rules
+</augment>
+
+<augment 563-6>
+  active F
+  comment P2P Napster Client Data
+  comment "informational only"
+  sigaction SIG_FILE
+  snort-rule-file s2b_data_on_weed/rules2.1/p2p.rules
+</augment>
+
+<augment 2074-2>
+  active T
+  comment WEB-PHP Mambo uploadimage.php upload php file attempt
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/web-php.rules
+</augment>
+
+<augment 1967-1>
+  active T
+  comment WEB-PHP phpbb quick-reply.php arbitrary command attempt
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/web-php.rules
+</augment>
+
+<augment 1928-3>
+  active T
+  comment FTP shadow retrieval attempt
+  requires-reverse-signature ! ftp_server_error
+  requires-signature got_ftp_root
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/ftp.rules
+</augment>
+
+<augment 1756-2>
+  active T
+  comment WEB-IIS NewsPro administration authentication attempt
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/web-iis.rules
+</augment>
+
+<augment 2059-1>
+  active F
+  dst-ip == local_nets
+  comment WEB-MISC MsmMask.exe access
+  comment "informational only"
+  comment "verify that the application is not vulnerable"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/web-misc.rules
+</augment>
+
+<augment 217-3>
+  active T
+  comment BACKDOOR MISC sm4ck attempt
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/backdoor.rules
+</augment>
+
+<augment 628-3>
+  active F
+  comment SCAN nmap TCP
+  sigaction SIG_FILE
+  snort-rule-file s2b_data_on_weed/rules2.1/scan.rules
+</augment>
+
+<augment 2353-2>
+  active T
+  comment WEB-PHP IdeaBox cord.php file include
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/web-php.rules
+</augment>
+
+<augment 2373-1>
+  active T
+  comment FTP XMKD overflow attempt
+  comment "pcre: /^XMKD\s[^\n]{100}/smi"
+  eval dataSizeG100
+  payload "/((^)|(\n+))[xXmMkKdD][\x20\x09\x0b][^\n]{100}/"
+  requires-reverse-signature ! ftp_server_error
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/ftp.rules
+  <delete>
+    payload "/.*[xX][mM][kK][dD]/"
+  </delete>
+</augment>
+
+<augment 711-5>
+  active T
+  comment TELNET SGI telnetd format bug
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/telnet.rules
+</augment>
+
+<augment 1791-2>
+  active F
+  comment BACKDOOR fragroute trojan connection attempt
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/backdoor.rules
+</augment>
+
+<augment 2071-1>
+  active T
+  comment WEB-MISC post32.exe access
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/web-misc.rules
+</augment>
+
+<augment 2152-1>
+  active F
+  comment WEB-PHP test.php access
+  comment "informational only"
+  requires-reverse-signature ! http_error
+  http /.*[\/\\]test\.php(\?.{1,}|$)/
+  <delete>
+  	http /.*[\/\\]test\.php/
+  </delete>
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/web-php.rules
+</augment>
+
+<augment 1687-3>
+  active T
+  comment ORACLE dba_tables access
+  sigaction SIG_FILE
+  snort-rule-file s2b_data_on_weed/rules2.1/oracle.rules
+</augment>
+
+<augment 714-4>
+  active T
+  comment TELNET resolv_host_conf
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/telnet.rules
+</augment>
+
+<augment 2076-2>
+  active T
+  comment WEB-PHP Mambo uploadimage.php access
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/web-php.rules
+</augment>
+
+<augment 1058-6>
+  active T
+  comment WEB-MISC xp_enumdsn attempt
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/web-misc.rules
+</augment>
+
+<augment 1773-3>
+  active T
+  comment WEB-PHP php.exe access
+  requires-reverse-signature ! http_error
+  http /.*\/php\/php\.exe\?[cCdD]\:\//
+  <delete>
+  	http /.*[\/\\]php\.exe/
+  </delete>
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/web-php.rules
+</augment>
+
+<augment 284-6>
+  active T
+  comment POP2 x86 Linux overflow
+  requires-reverse-signature ! pop_return_error
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/pop2.rules
+</augment>
+
+<augment 1753-2>
+  active T
+  comment WEB-IIS as_web.exe access
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/web-iis.rules
+</augment>
+
+<augment 1938-4>
+  active T
+  comment POP3 XTND overflow attempt
+  comment pcre: /^XTND\s[^\n]{50}/smi
+  payload /((^)|(\n+))[xX][tT][nN][dD][\x20\x09\x0b][^\n]{50}/
+  requires-reverse-signature ! pop_return_error
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/pop3.rules
+</augment>
+
+<augment 1142-5>
+  active T
+  comment WEB-MISC /.... access
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file s2b_data_on_weed/rules2.1/web-misc.rules
+</augment>
+
+<augment 2397-2>
+  active T
+  comment WEB-CGI CCBill whereami.cgi access
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/web-cgi.rules
+</augment>
+
+<augment 2060-1>
+  active T
+  comment WEB-MISC DB4Web access
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/web-misc.rules
+</augment>
+
+<augment 1551-3>
+  active F
+  comment WEB-MISC /CVS/Entries access
+  comment "informational only"
+  comment "not exploit worthy"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/web-misc.rules
+</augment>
+
+<augment 636-1>
+  active T
+  comment SCAN cybercop udp bomb
+  sigaction SIG_FILE
+  snort-rule-file s2b_data_on_weed/rules2.1/scan.rules
+</augment>
+
+<augment 2346-2>
+  active T
+  comment WEB-PHP myPHPNuke chatheader.php access
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/web-php.rules
+</augment>
+
+<augment 561-6>
+  active F
+  comment P2P Napster Client Data
+  comment "informational only"
+  sigaction SIG_FILE
+  snort-rule-file s2b_data_on_weed/rules2.1/p2p.rules
+</augment>
+
+<augment 2224-1>
+  active T
+  comment WEB-CGI psunami.cgi access
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/web-cgi.rules
+</augment>
+
+<augment 2112-3>
+  active T
+  comment POP3 RSET overflow attempt
+  comment "pcre: /^RSET\s[^\n]{10}/smi"
+  payload "/((^)|(\n+))[rR][sS][eE][tT][\x20\x09\x0b][^\n]{10}/"
+  requires-reverse-signature ! pop_return_error
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/pop3.rules
+  <delete>
+    payload "/.*[rR][sS][eE][tT]/"
+  </delete>
+</augment>
+
+<augment 209-4>
+  active T
+  comment BACKDOOR w00w00 attempt
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/backdoor.rules
+</augment>
+
+<augment 1673-3>
+  active T
+  comment ORACLE EXECUTE_SYSTEM attempt
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/oracle.rules
+</augment>
+
+<augment 2132-2>
+  active T
+  comment WEB-IIS Synchrologic Email Accelerator userid list access attempt
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/web-iis.rules
+</augment>
+
+<augment 2253-3>
+  active T
+  comment SMTP XEXCH50 overflow attempt
+  comment pcre: /^XEXCH50\s+-\d/smi
+  payload /((^)|(\n+))[xX][eE][xX][cC][hH]50[\x20\x09\x0b]+-[0-9]/
+  sigaction SIG_LOG
+  requires-reverse-signature ! smtp_server_fail
+  snort-rule-file s2b_data_on_weed/rules2.1/smtp.rules
+  <delete>
+    payload "/.*[xX][eE][xX][cC][hH]50/"
+  </delete>
+</augment>
+
+<augment 2433-1>
+  active T
+  comment WEB-CGI MDaemon form2raw.cgi overflow attempt
+  comment "pcre: /\Wfrom=[^\x3b&\n]{100}/si"
+  http "/[^a-zA-Z0-9_][fF][rR][oO][mM]=[^\x3b&\n]{100}/"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/web-cgi.rules
+  <delete>
+    http "/.*[\/\\]form2raw\.cgi/"
+  </delete>
+</augment>
+
+<augment 210-3>
+  active T
+  comment BACKDOOR attempt
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/backdoor.rules
+</augment>
+
+<augment 1978-1>
+  active T
+  comment WEB-MISC xp_regdeletekey attempt
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/web-misc.rules
+</augment>
+
+<augment 2364-2>
+  active T
+  comment WEB-PHP Cyboards options_form.php access
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/web-php.rules
+</augment>
+
+<augment 2360-2>
+  active T
+  comment WEB-PHP myphpPagetool pt_config.inc file include
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/web-php.rules
+</augment>
+
+<augment 1696-3>
+  active T
+  comment ORACLE create database attempt
+  sigaction SIG_FILE
+  snort-rule-file s2b_data_on_weed/rules2.1/oracle.rules
+</augment>
+
+<augment 2332-1>
+  active T
+  comment FTP MKDIR format string attempt
+  comment "pcre: /^MKDIR\s[^\n]*?%[^\n]*?%/smi"
+  ftp "/((^)|(\n+))[mM][kK][dD][iI][rR][\x20\x09\x0b][^\n]*?%[^\n]*?%/"
+  requires-reverse-signature ! ftp_server_error
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/ftp.rules
+  <delete>
+    payload "/.*[mM][kK][dD][iI][rR]/"
+  </delete>
+</augment>
+
+<augment 2358-2>
+  active T
+  comment WEB-PHP Typo3 translations.php file include
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/web-php.rules
+</augment>
+
+<augment 1744-3>
+  active T
+  comment WEB-MISC SecureSite authentication bypass attempt
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/web-misc.rules
+</augment>
+
+<augment 1686-3>
+  active T
+  comment ORACLE dba_tablespace access
+  sigaction SIG_FILE
+  snort-rule-file s2b_data_on_weed/rules2.1/oracle.rules
+</augment>
+
+<augment 1659-3>
+  active T
+  comment WEB-COLDFUSION sendmail.cfm access
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file s2b_data_on_weed/rules2.1/web-coldfusion.rules
+</augment>
+
+<augment 2365-2>
+  active T
+  comment WEB-PHP newsPHP Language file include attempt
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/web-php.rules
+</augment>
+
+<augment 1689-3>
+  active T
+  comment ORACLE sys.all_users access
+  sigaction SIG_FILE
+  snort-rule-file s2b_data_on_weed/rules2.1/oracle.rules
+</augment>
+
+<augment 1772-4>
+  active T
+  comment WEB-IIS pbserver access
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/web-iis.rules
+</augment>
+
+<augment 2333-1>
+  active T
+  comment FTP RENAME format string attempt
+  comment "pcre: /^RENAME\s[^\n]*?%[^\n]*?%/smi"
+  ftp "/((^)|(\n+))[rR][eE][nN][aA][mM][eE][\x20\x09\x0b][^\n]*?%[^\n]*?%/"
+  requires-reverse-signature ! ftp_server_error
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/ftp.rules
+  <delete>
+    payload "/.*[rR][eE][nN][aA][mM][eE]/"
+  </delete>
+</augment>
+
+<augment 1518-5>
+  active T
+  comment WEB-MISC nstelemetry.adp access
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/web-misc.rules
+</augment>
+
+<augment 715-6>
+  active T
+  comment TELNET Attempted SU from wrong group
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/telnet.rules
+</augment>
+
+<augment 1692-3>
+  active T
+  comment ORACLE drop table attempt
+  sigaction SIG_FILE
+  snort-rule-file s2b_data_on_weed/rules2.1/oracle.rules
+</augment>
+
+<augment 2449-1>
+  active T
+  comment FTP ALLO overflow attempt
+  comment "pcre: /^ALLO\s[^\n]{100}/smi"
+  payload "/((^)|(\n+))[aAlLlLoO][\x20\x09\x0b][^\n]{100}/"
+  requires-reverse-signature ! ftp_server_error
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/ftp.rules
+  <delete>
+    payload "/.*[aA][lL][lL][oO]/"
+  </delete>
+</augment>
+
+<augment 2066-2>
+  active T
+  comment WEB-MISC Lotus Notes .pl script source download attempt
+  comment "requires lotus notes web server"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/web-misc.rules
+  eval isNotApache
+  eval isNotIIS
+</augment>
+
+<augment 1498-4>
+  active T
+  comment WEB-MISC PIX firewall manager directory traversal attempt
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/web-misc.rules
+</augment>
+
+<augment 1056-6>
+  active F
+  comment WEB-MISC Tomcat view source attempt
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/web-misc.rules
+  comment "Informational only"
+  comment "Too general"
+</augment>
+
+<augment 2344-1>
+  active T
+  comment FTP XCWD overflow attempt
+  comment "pcre: /^XCWD\s[^\n]{100}/smi"
+  eval dataSizeG100
+  ftp "/((^)|(\n+))[xX][cC][wW][dD][\x20\x09\x0b][^\n]{100}/"
+  requires-reverse-signature ! ftp_server_error
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/ftp.rules
+  <delete>
+    payload "/.*[xX][cC][wW][dD]/"
+  </delete>
+</augment>
+
+<augment 237-2>
+  active T
+  comment DDOS Trin00 Master to Daemon default password attempt
+  sigaction SIG_FILE
+  snort-rule-file s2b_data_on_weed/rules2.1/ddos.rules
+</augment>
+
+<augment 2153-1>
+  active T
+  comment WEB-PHP autohtml.php directory traversal attempt
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/web-php.rules
+</augment>
+
+<augment 2405-1>
+  active T
+  comment WEB-PHP phptest.php access
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/web-php.rules
+</augment>
+
+<augment 1075-6>
+  active T
+  comment WEB-IIS postinfo.asp access
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/web-iis.rules
+</augment>
+
+<augment 1568-5>
+  active T
+  comment WEB-IIS /exchange/root.asp access
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/web-iis.rules
+</augment>
+
+<augment 235-2>
+  active T
+  comment DDOS Trin00 Attacker to Master default mdie password
+  sigaction SIG_FILE
+  snort-rule-file s2b_data_on_weed/rules2.1/ddos.rules
+</augment>
+
+<augment 2110-3>
+  active T
+  comment POP3 STAT overflow attempt
+  comment "pcre: /^STAT\s[^\n]{10}/smi"
+  payload "/((^)|(\n+))[sS][tT][aA][tT][\x20\x09\x0b][^\n]{10}/"
+  requires-reverse-signature ! pop_return_error
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/pop3.rules
+  <delete>
+    payload "/.*[sS][tT][aA][tT]/"
+  </delete>
+</augment>
+
+<augment 1968-1>
+  active T
+  comment WEB-PHP phpbb quick-reply.php access
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/web-php.rules
+</augment>
+
+<augment 213-4>
+  active T
+  comment BACKDOOR MISC Linux rootkit attempt
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/backdoor.rules
+</augment>
+
+<augment 1143-5>
+  active T
+  comment WEB-MISC ///cgi-bin access
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file s2b_data_on_weed/rules2.1/web-misc.rules
+</augment>
+
+<augment 2131-2>
+  active T
+  comment WEB-IIS IISProtect access
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/web-iis.rules
+</augment>
+
+<augment 1621-10>
+  active T
+  comment FTP CMD overflow attempt
+  comment "pcre: /^CMD\s[^\n]{100}/smi"
+  eval dataSizeG100
+  ftp "/((^)|(\n+))[cC][mM][dD][\x20\x09\x0b][^\n]{100}/"
+  requires-reverse-signature ! ftp_server_error
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/ftp.rules
+  <delete>
+    payload "/.*[cC][mM][dD]/"
+  </delete>
+</augment>
+
+<augment 2331-2>
+  active T
+  comment WEB-PHP MatrikzGB privilege escalation attempt
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/web-php.rules
+</augment>
+
+<augment 2001-1>
+  active T
+  comment WEB-CGI smartsearch.cgi access
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/web-cgi.rules
+</augment>
+
+<augment 557-6>
+  active F
+  comment P2P GNUTella client request
+  comment "informational only"
+  sigaction SIG_FILE
+  snort-rule-file s2b_data_on_weed/rules2.1/p2p.rules
+</augment>
+
+<augment 1239-5>
+  active T
+  comment NETBIOS RFParalyze Attempt
+  sigaction SIG_FILE
+  snort-rule-file s2b_data_on_weed/rules2.1/netbios.rules
+</augment>
+
+<augment 1980-1>
+  active T
+  comment BACKDOOR DeepThroat 3.1 Connection attempt
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/backdoor.rules
+</augment>
+
+<augment 2275-2>
+  active T
+  comment SMTP AUTH LOGON brute force attempt
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/smtp.rules
+</augment>
+
+<augment 1111-5>
+  active T
+  comment WEB-MISC Tomcat server exploit access
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file s2b_data_on_weed/rules2.1/web-misc.rules
+</augment>
+
+<augment 1690-3>
+  active T
+  comment ORACLE grant attempt
+  sigaction SIG_FILE
+  snort-rule-file s2b_data_on_weed/rules2.1/oracle.rules
+</augment>
+
+<augment 1982-1>
+  active T
+  comment BACKDOOR DeepThroat 3.1 Server Response [3150]
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/backdoor.rules
+</augment>
+
+<augment 2393-1>
+  active F
+  dst-ip ==local_nets
+  comment "WEB-PHP /_admin access"
+  comment "Lots of false positives are possible as this attack really requires multiple steps to be successful"
+  comment "Suggestion: analyze site and test for vulnerability, make any adjustments, and then disable this rule."
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/web-php.rules
+</augment>
+
+<augment 2408-1>
+  active F
+  comment WEB-MISC Invision Power Board search.pl access
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/web-misc.rules
+  comment "Informational only"
+  comment "Too general"
+</augment>
+
+<augment 629-2>
+  active T
+  comment SCAN nmap fingerprint attempt
+  sigaction SIG_FILE
+  snort-rule-file s2b_data_on_weed/rules2.1/scan.rules
+</augment>
+
+<augment 1540-5>
+  active F
+  comment WEB-COLDFUSION ?Mode=debug attempt
+  comment "not exploit worthy"
+  comment "informational only"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/web-coldfusion.rules
+</augment>
+
+<augment 2305-2>
+  active T
+  comment WEB-PHP chatbox.php access
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/web-php.rules
+</augment>
+
+<augment 2064-2>
+  active T
+  dst-ip == local_nets
+  comment WEB-MISC Lotus Notes .csp script source download attempt
+  comment "verify that the application is not vulnerable"
+  comment "informational only"
+  requires-reverse-signature ! http_error
+  <delete>
+  	payload /.*\.csp\./
+  </delete>
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/web-misc.rules
+</augment>
+
+<augment 1592-4>
+  active T
+  comment WEB-CGI /fcgi-bin/echo.exe access
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/web-cgi.rules
+</augment>
+
+<augment 1933-1>
+  active F
+  comment WEB-CGI cart.cgi access
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/web-cgi.rules
+  comment "Informational only"
+</augment>
+
+<augment 1682-3>
+  active T
+  comment ORACLE all_source access
+  sigaction SIG_FILE
+  snort-rule-file s2b_data_on_weed/rules2.1/oracle.rules
+</augment>
+
+<augment 2416-1>
+  active T
+  comment FTP invalid MDTM command attempt
+  comment "pcre: /^MDTM \d+[-+]\D/smi"
+  ftp "/((^)|(\n+))[mMdDtTmM][0-9]+[-+][^0-9]/"
+  requires-reverse-signature ! ftp_server_error
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/ftp.rules
+  <delete>
+    payload "/.*[mM][dD][tT][mM]/"
+  </delete>
+</augment>
+
+<augment 2107-3>
+  active T
+  comment IMAP create buffer overflow attempt
+  comment "pcre: /\sCREATE\s[^\n]{1024}/smi"
+  payload "/((^)|(\n+))[\x20\x09\x0b][cC][rR][eE][aA][tT][eE][\x20\x09\x0b][^\n]{1024}/"
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/imap.rules
+  <delete>
+    payload "/.*CREATE/"
+  </delete>
+</augment>
+
+<augment 1697-3>
+  active T
+  comment ORACLE alter database attempt
+  sigaction SIG_FILE
+  snort-rule-file s2b_data_on_weed/rules2.1/oracle.rules
+</augment>
+
+<augment 1491-6>
+  active T
+  comment WEB-PHP Phorum /support/common.php access
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/web-php.rules
+</augment>
+
+<augment 632-5>
+  active T
+  comment SMTP expn cybercop attempt
+  sigaction SIG_FILE
+  snort-rule-file s2b_data_on_weed/rules2.1/smtp.rules
+</augment>
+
+<augment 2357-2>
+  active T
+  comment WEB-PHP WebChat english.php file include
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/web-php.rules
+</augment>
+
+<augment 2484-1>
+  active T
+  comment WEB-MISC source.jsp access
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/web-misc.rules
+</augment>
+
+<augment 2114-3>
+  active T
+  comment "RSERVICES rexec password overflow attempt"
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/rservices.rules
+</augment>
+
+<augment 2113-3>
+  active T
+  dst-ip == local_nets
+  comment "RSERVICES rexec username overflow attempt"
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/rservices.rules
+</augment>
+
+<augment 2246-1>
+  active T
+  comment WEB-MISC webadmin.dll access
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/web-misc.rules
+</augment>
+
+<augment 1626-4>
+  active T
+  comment WEB-IIS /StoreCSVS/InstantOrder.asmx request
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/web-iis.rules
+</augment>
+
+<augment 2141-1>
+  active T
+  comment WEB-PHP shoutbox.php directory traversal attempt
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/web-php.rules
+</augment>
+
+<augment 2157-2>
+  active T
+  comment WEB-IIS IISProtect globaladmin.asp access
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/web-iis.rules
+</augment>
+
+<augment 1683-3>
+  active T
+  comment ORACLE all_tables access
+  sigaction SIG_FILE
+  snort-rule-file s2b_data_on_weed/rules2.1/oracle.rules
+</augment>
+
+<augment 1382-9>
+  active T
+  comment EXPLOIT CHAT IRC Ettercap parse overflow attempt
+  comment "pcre: /^PRIVMSG\s+nickserv\s+IDENTIFY\s[^\n]{100}/smi"
+  payload "/((^)|(\n+))[pP][rR][iI][vV][mM][sS][gG][\x20\x09\x0b]+[nN][iI][cC][kK][sS][eE][rR][vV][\x20\x09\x0b]+[iI][dD][eE][nN][tT][iI][fF][yY][\x20\x09\x0b][^\n]{100}/"
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/exploit.rules
+  <delete>
+    payload "/.*[pP][rR][iI][vV][mM][sS][gG]/"
+    payload "/.*[nN][iI][cC][kK][sS][eE][rR][vV]/"
+    payload "/.*[iI][dD][eE][nN][tT][iI][fF][yY]/"
+  </delete>
+</augment>
+
+<augment 215-4>
+  active T
+  comment BACKDOOR MISC Linux rootkit attempt
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/backdoor.rules
+</augment>
+
+<augment 2363-2>
+  active T
+  comment WEB-PHP Cyboards default_header.php access
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/web-php.rules
+</augment>
+
+<augment 1850-3>
+  active T
+  comment WEB-CGI way-board.cgi access
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/web-cgi.rules
+</augment>
+
+<augment 565-6>
+  active F
+  comment P2P Napster Server Login
+  comment "informational only"
+  sigaction SIG_FILE
+  snort-rule-file s2b_data_on_weed/rules2.1/p2p.rules
+</augment>
+
+<augment 1069-6>
+  active T
+  comment WEB-MISC xp_regread attempt
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/web-misc.rules
+</augment>
+
+<augment 233-3>
+  active T
+  comment DDOS Trin00 Attacker to Master default startup password
+  sigaction SIG_FILE
+  snort-rule-file s2b_data_on_weed/rules2.1/ddos.rules
+</augment>
+
+<augment 1490-6>
+  active T
+  comment WEB-PHP Phorum /support/common.php attempt
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/web-php.rules
+</augment>
+
+<augment 1693-4>
+  active T
+  comment ORACLE create table attempt
+  sigaction SIG_FILE
+  snort-rule-file s2b_data_on_weed/rules2.1/oracle.rules
+</augment>
+
+<augment 2320-1>
+  active T
+  comment EXPLOIT ebola USER overflow attempt
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/exploit.rules
+  <delete>
+	payload /.*[uU][sS][eE][rR]/
+  </delete>
+  payload /((^)|(\n+))[uU][sS][eE][rR][^\x0a]{49}/
+</augment>
+
+<augment 2140-1>
+  active T
+  comment WEB-PHP p-news.php access
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/web-php.rules
+</augment>
+
+<augment 2000-1>
+  active T
+  comment WEB-PHP readmsg.php access
+  comment "Possible many false positives"
+  commnet "If running this webmail server check version to make sure it's not vulnerable and then disable this signature or adjust the notice action."
+  dst-ip == local_nets
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file s2b_data_on_weed/rules2.1/web-php.rules
+</augment>
+
+<augment 489-7>
+  active T
+  comment INFO FTP no password
+  comment "pcre: /^PASS\s*\n/smi"
+  ftp "/((^)|(\n+))[\x20\x09\x0b][pP][aA][sS][sS][\x20\x09\x0b]*\n/"
+  sigaction SIG_FILE
+  snort-rule-file s2b_data_on_weed/rules2.1/info.rules
+  <delete>
+    payload "/.*[pP][aA][sS][sS]/"
+  </delete>
+</augment>
+
+<augment 1936-4>
+  active T
+  comment POP3 AUTH overflow attempt
+  comment "pcre: /^AUTH\s[^\n]{50}/smi"
+  payload "/((^)|(\n+))[aA][uU][tT][hH][\x20\x09\x0b][^\n]{50}/"
+  requires-reverse-signature ! pop_return_error
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/pop3.rules
+  <delete>
+    payload "/.*[aA][uU][tT][hH]/"
+  </delete>
+</augment>
+
+<augment 2361-2>
+  active F
+  comment WEB-PHP news.php file include
+  comment "Too general"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/web-php.rules
+</augment>
+
+<augment 2058-1>
+  active T
+  comment WEB-MISC MsmMask.exe attempt
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/web-misc.rules
+</augment>
+
+<augment 2355-2>
+  active T
+  comment WEB-PHP Invision Board emailer.php file include
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/web-php.rules
+</augment>
+
+<augment 1680-3>
+  active T
+  comment ORACLE all_constraints access
+  sigaction SIG_FILE
+  snort-rule-file s2b_data_on_weed/rules2.1/oracle.rules
+</augment>
+
+<augment 1826-4>
+  active T
+  comment WEB-MISC WEB-INF access
+  requires-reverse-signature ! http_error
+  http /.*[\/\\]WEB-INF \./.{1,}/
+  <delete>
+  	http /.*[\/\\]WEB-INF/
+  </delete>
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/web-misc.rules
+</augment>
+
+<augment 2077-2>
+  active T
+  comment WEB-PHP Mambo upload.php access
+  comment "very general"
+  comment "only matters if dest is local_nets and then may be too noisy"
+  dst-ip == local_nets
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/web-php.rules
+</augment>
+
+<augment 1695-3>
+  active T
+  comment ORACLE truncate table attempt
+  sigaction SIG_FILE
+  snort-rule-file s2b_data_on_weed/rules2.1/oracle.rules
+</augment>
+
+<augment 1126-6>
+  active T
+  comment WEB-MISC AuthChangeUrl access
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file s2b_data_on_weed/rules2.1/web-misc.rules
+</augment>
+
+<augment 1464-3>
+  active T
+  comment ATTACK-RESPONSES oracle one hour install
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file s2b_data_on_weed/rules2.1/attack-responses.rules
+</augment>
+
+<augment 1818-3>
+  active T
+  comment WEB-IIS MS Site Server admin attempt
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/web-iis.rules
+</augment>
+
+<augment 2347-2>
+  active T
+  comment WEB-PHP myPHPNuke partner.php access
+  comment "adjusted sig based on attack example - this may be too limiting"
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/web-php.rules
+  http /.*\x3d.*\x3cscript\x3e.*document.cookie.*\x3c\x2fscript\x3e/
+</augment>
+
+<augment 1685-4>
+  active T
+  comment ORACLE all_tab_privs access
+  sigaction SIG_FILE
+  snort-rule-file s2b_data_on_weed/rules2.1/oracle.rules
+</augment>
+
+<augment 562-5>
+  active F
+  comment P2P Napster Client Data
+  comment "informational only"
+  sigaction SIG_FILE
+  snort-rule-file s2b_data_on_weed/rules2.1/p2p.rules
+</augment>
+
+<augment 1497-6>
+  active T
+  comment WEB-MISC cross site scripting attempt
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file s2b_data_on_weed/rules2.1/web-misc.rules
+</augment>
+
+<augment 1478-3>
+  active T
+  comment WEB-CGI swc access
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file s2b_data_on_weed/rules2.1/web-cgi.rules
+</augment>
+
+<augment 1379-7>
+  active T
+  comment FTP STAT overflow attempt
+  comment "pcre: /^STAT\s[^\n]{100}/smi"
+  eval dataSizeG100
+  ftp "/((^)|(\n+))[sS][tT][aA][tT][\x20\x09\x0b][^\n]{100}/"
+  requires-reverse-signature ! ftp_server_error
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/ftp.rules
+  <delete>
+    payload "/.*[sS][tT][aA][tT]/"
+  </delete>
+</augment>
+
+<augment 2399-1>
+  active T
+  comment WEB-PHP WAnewsletter db_type.php access
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/web-php.rules
+</augment>
+
+<augment 1376-5>
+  active T
+  comment WEB-MISC jrun directory browse attempt
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/web-misc.rules
+</augment>
+
+<augment 912-5>
+  active T
+  comment WEB-COLDFUSION parks access
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file s2b_data_on_weed/rules2.1/web-coldfusion.rules
+</augment>
+
+<augment 2369-1>
+  active T
+  comment WEB-MISC ISAPISkeleton.dll access
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/web-misc.rules
+</augment>
+
+<augment 1750-3>
+  active T
+  comment WEB-IIS users.xml access
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/web-iis.rules
+</augment>
+
+<augment 1966-2>
+  active T
+  comment MISC GlobalSunTech Access Point Information Disclosure attempt
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/misc.rules
+</augment>
+
+<augment 321-5>
+  active T
+  comment FINGER account enumeration attempt
+  sigaction SIG_FILE
+  snort-rule-file s2b_data_on_weed/rules2.1/finger.rules
+</augment>
+
+<augment 1990-1>
+  active F
+  comment CHAT MSN user search
+  comment "informational only"
+  sigaction SIG_FILE
+  snort-rule-file s2b_data_on_weed/rules2.1/chat.rules
+</augment>
+
+<augment 1482-4>
+  active T
+  comment WEB-CGI view_source access
+  requires-reverse-signature ! http_error
+  sigaction SIG_FILE
+  snort-rule-file s2b_data_on_weed/rules2.1/web-cgi.rules
+</augment>
+
+<augment 2109-3>
+  active T
+  comment POP3 TOP overflow attempt
+  comment "pcre: /^TOP\s[^\n]{10}/smi"
+  payload "/((^)|(\n+))[tT][oO][pP][\x20\x09\x0b][^\n]{10}/"
+  requires-reverse-signature ! pop_return_error
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/pop3.rules
+  <delete>
+    payload "/.*[tT][oO][pP]/"
+  </delete>
+</augment>
+
+<augment 1745-3>
+  active T
+  comment WEB-PHP Messagerie supp_membre.php access
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/web-php.rules
+</augment>
+
+<augment 2111-3>
+  active T
+  comment POP3 DELE overflow attempt
+  comment "pcre: /^DELE\s[^\n]{10}/smi"
+  payload "/((^)|(\n+))[dD][eE][lL][eE][\x20\x09\x0b][^\n]{10}/"
+  requires-reverse-signature ! pop_return_error
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/pop3.rules
+  <delete>
+    payload "/.*[dD][eE][lL][eE]/"
+  </delete>
+</augment>
+
+<augment 1521-6>
+  active F
+  comment WEB-MISC server-status access
+  requires-reverse-signature ! http_error
+  sigaction SIG_LOG
+  snort-rule-file s2b_data_on_weed/rules2.1/web-misc.rules
+  comment "Informational only"
+  comment "Could point to a default install or an incorrectly configured Apache server"
+</augment>
+
+<augment http-shell-check>
+  active T
+  comment http_shell_check used for filtering shell reference from man pages
+  sigaction SIG_IGNORE
+</augment>
+
+###############################
+## Augment file compiled on 2004-07-12 from Snort rules dated 2004-07-09
+###############################
+
diff --git a/scripts/s2b/etc/s2b-ruleset-augment.cfg b/scripts/s2b/etc/s2b-ruleset-augment.cfg
new file mode 100644
index 0000000000..627991907c
--- /dev/null
+++ b/scripts/s2b/etc/s2b-ruleset-augment.cfg
@@ -0,0 +1,157 @@
+
+<attack-responses.rules>
+</attack-responses.rules>
+
+<backdoor.rules>
+</backdoor.rules>
+
+<bad-traffic.rules>
+</bad-traffic.rules>
+
+<chat.rules>
+</chat.rules>
+
+<ddos.rules>
+</ddos.rules>
+
+<deleted.rules>
+</deleted.rules>
+
+<dns.rules>
+</dns.rules>
+
+<dos.rules>
+</dos.rules>
+
+<experimental.rules>
+</experimental.rules>
+
+<exploit.rules>
+</exploit.rules>
+
+<finger.rules>
+</finger.rules>
+
+<ftp.rules>
+	requires-reverse-signature ! ftp_server_error
+</ftp.rules>
+
+<icmp.rules>
+</icmp.rules>
+
+<imap.rules>
+</imap.rules>
+
+<info.rules>
+</info.rules>
+
+<local.rules>
+</local.rules>
+
+<misc.rules>
+</misc.rules>
+
+<multimedia.rules>
+</multimedia.rules>
+
+<mysql.rules>
+</mysql.rules>
+
+<netbios.notes>
+</netbios.notes>
+
+<netbios.rules>
+</netbios.rules>
+
+<nntp.rules>
+</nntp.rules>
+
+<oracle.rules>
+</oracle.rules>
+
+<other-ids.rules>
+</other-ids.rules>
+
+<p2p.rules>
+</p2p.rules>
+
+<policy.rules>
+</policy.rules>
+
+<pop2.rules>
+	requires-reverse-signature ! pop_return_error
+</pop2.rules>
+
+<pop3.rules>
+	requires-reverse-signature ! pop_return_error
+</pop3.rules>
+
+<porn.rules>
+</porn.rules>
+
+<rpc.rules>
+</rpc.rules>
+
+<rservices.rules>
+</rservices.rules>
+
+<scan.rules>
+</scan.rules>
+
+<shellcode.rules>
+</shellcode.rules>
+
+<smtp.rules>
+	requires-reverse-signature ! smtp_server_fail
+</smtp.rules>
+
+<snmp.rules>
+</snmp.rules>
+
+<sql.rules>
+</sql.rules>
+
+<telnet.rules>
+</telnet.rules>
+
+<tftp.rules>
+</tftp.rules>
+
+<virus.rules>
+</virus.rules>
+
+<web-attacks.rules>
+	requires-reverse-signature ! http_error
+</web-attacks.rules>
+
+<web-cgi.rules>
+	requires-reverse-signature ! http_error
+</web-cgi.rules>
+
+<web-client.rules>
+</web-client.rules>
+
+<web-coldfusion.rules>
+	requires-reverse-signature ! http_error
+</web-coldfusion.rules>
+
+<web-frontpage.rules>
+	requires-reverse-signature ! http_error
+	eval isIIS
+</web-frontpage.rules>
+
+<web-iis.rules>
+	requires-reverse-signature ! http_error
+	eval isIIS
+</web-iis.rules>
+
+<web-misc.rules>
+	requires-reverse-signature ! http_error
+</web-misc.rules>
+
+<web-php.rules>
+	requires-reverse-signature ! http_error
+</web-php.rules>
+
+<x11.rules>
+</x11.rules>
diff --git a/scripts/s2b/etc/s2b-sigmap.cfg b/scripts/s2b/etc/s2b-sigmap.cfg
new file mode 100644
index 0000000000..a3ea280763
--- /dev/null
+++ b/scripts/s2b/etc/s2b-sigmap.cfg
@@ -0,0 +1,38 @@
+# this table is used to generate the automatic sid-to-sig action table that bro imports
+# the fields here are used as a table translation between snort and bro
+# currently there is no sound reason not to change any of this
+# *do not* make any comment line the same as any snort alert type!!
+
+attempted-admin				SIG_LOG
+attempted-user				SIG_LOG
+shellcode-detect			SIG_FILE
+successful-admin			SIG_LOG
+successful-user				SIG_LOG
+trojan-activity				SIG_LOG
+unsuccessful-user			SIG_FILE
+web-application-attack			SIG_LOG
+attempted-dos				SIG_FILE
+attempted-recon				SIG_FILE
+bad-unknown				SIG_FILE
+denial-of-service			SIG_FILE
+misc-attack				SIG_LOG
+non-standard-protocol			SIG_FILE
+rpc-portmap-decode			SIG_FILE	
+successful-dos				SIG_LOG
+successful-recon-largescale		SIG_LOG	
+successful-recon-limited		SIG_LOG
+suspicious-filename-detect		SIG_LOG
+suspicious-login			SIG_LOG	
+system-call-detect			SIG_LOG
+unusual-client-port-connection		SIG_LOG
+web-application-activity		SIG_LOG
+icmp-event				SIG_FILE
+misc-activity				SIG_LOG
+network-scan				SIG_FILE
+not-suspicious				SIG_QUIET
+protocol-command-decode			SIG_FILE
+string-detect				SIG_LOG
+unknown					SIG_FILE
+policy-violation			SIG_QUIET
+kickass-porn				SIG_QUIET
+default-login-attempt			SIG_LOG
\ No newline at end of file
diff --git a/scripts/s2b/etc/s2b.cfg b/scripts/s2b/etc/s2b.cfg
new file mode 100644
index 0000000000..46b27290b5
--- /dev/null
+++ b/scripts/s2b/etc/s2b.cfg
@@ -0,0 +1,113 @@
+# Snort2Bro
+
+# Bro Signature ID prefix
+# May only contain alphanumberic and dash characters
+#
+# sigprefix	s2b-
+##
+
+# Configuration directory
+# 
+# configdir	/usr/local/etc/bro/s2b
+##
+#configdir	/home/rwinslow/projects/s2b
+configdir	./
+
+# Augment Configuration filename
+# 
+# augmentconfig	s2b-augment.cfg
+##
+
+# Ruleset Augment Configuration filename
+# This file contains Bro signature options and contexts which are included
+# into rules based on the ruleset filenames from which they come.  The syntax 
+# rules for this file are the same as s2b-augment.cfg
+# This file is used during augment building only.
+#
+# rulesetaugmentconfig s2b-ruleset-augment.cfg
+##
+
+# User Augment Configuration filename
+# This is the user level augment config file which should be the location in
+# which behavior for individual signatures is controlled.
+#
+# useraugmentconfig s2b-user-augment.cfg
+##
+
+# Bro signature output filename
+# This should probably be a full path name otherwise it will write 
+# to the present working directory
+#
+# brosignaturedest	s2b.sig
+##
+
+# Bro sigaction output filename
+# This should probably be a full path name otherwise it will write to the 
+# present working directory.
+# This file contains mappings of signature id to SigActions which  
+# will be included into a running Bro instance.  These mappings are created 
+# for any Bro signature which uses anything but the default SigAction.
+#
+# sigactiondest	s2b-sigaction.bro
+##
+
+# Debug level
+#
+# debug 0
+##
+
+# sid prefix
+#
+# sigprefix	s2b-
+##
+
+# Mappings for Snort alert classtype to Bro SigAction. 
+#
+# sigmapconfig	s2b-sigmap.cfg
+##
+
+# Snort ruleset directory
+# All files ending in .rules are considered during parsing by default
+#
+# snortrulesetdir	'./'
+##
+
+# Snort rule sets to exclude from conversion
+# Any filename specified here will not even be read by the program
+# There are two different ways to specify the list. Both are listed but only
+# one style may be used.
+#
+#<ignoresnortrulesets>
+#	porn.rules
+#	icmp.rules
+#	experimental.rules
+#	deleted.rules
+#	policy.rules
+#	bad-traffic.rules
+#	info.rules
+#</ignoresnortrulesets>
+##
+
+ignoresnortruleset porn.rules
+#ignoresnortruleset icmp.rules
+ignoresnortruleset experimental.rules
+ignoresnortruleset deleted.rules
+ignoresnortruleset policy.rules
+ignoresnortruleset bad-traffic.rules
+#ignoresnortruleset info.rules
+
+# Default Bro SigAction that will be used for creating the Bro signature 
+# s2b.sig and the Bro SigAction file s2b-sigaction.bro
+#
+# defaultsigaction SIG_LOG
+##
+
+# This option will apply a signature to traffic flowing in either direction.
+# Snort defines two networks, $HOME_NET and $EXTERNAL_NET, for a source
+# and destination pairing.  These two variables will be ignored and not
+# converted if this option is set to true.  The default is set to true.
+# There is one exception.  If the destination or source is a subnet or ip
+# address then it will remain intact.
+# 
+# ignorehostdirection	true
+##
diff --git a/scripts/s2b/example_bro_files/Makefile.am b/scripts/s2b/example_bro_files/Makefile.am
new file mode 100644
index 0000000000..d7751ef343
--- /dev/null
+++ b/scripts/s2b/example_bro_files/Makefile.am
@@ -0,0 +1,4 @@
+## Process this file with automake to produce Makefile.in
+
+EXTRA_DIST = sig-action.bro signatures.sig
+
diff --git a/scripts/s2b/example_bro_files/sig-action.bro b/scripts/s2b/example_bro_files/sig-action.bro
new file mode 100644
index 0000000000..b941dd20a9
--- /dev/null
+++ b/scripts/s2b/example_bro_files/sig-action.bro
@@ -0,0 +1,626 @@
+# This file was created by s2b.pl on Wed Sep 15 18:34:41 2004.
+# This file is dynamically generated each time s2b.pl is run and therefore any 
+# changes done manually will be overwritten.
+# $Id: sig-action.bro 840 2004-11-30 22:33:48Z jason $
+
+redef signature_actions += {
+  ["s2b-1186-6"] = SIG_FILE,
+  ["s2b-1790-4"] = SIG_FILE,
+  ["s2b-2000-1"] = SIG_FILE,
+  ["s2b-2005-10"] = SIG_FILE,
+  ["s2b-253-4"] = SIG_FILE,
+  ["s2b-2016-6"] = SIG_FILE,
+  ["s2b-581-9"] = SIG_FILE,
+  ["s2b-650-8"] = SIG_FILE,
+  ["s2b-498-6"] = SIG_FILE,
+  ["s2b-333-8"] = SIG_FILE,
+  ["s2b-1143-5"] = SIG_FILE,
+  ["s2b-2314-1"] = SIG_FILE,
+  ["s2b-1126-6"] = SIG_FILE,
+  ["s2b-907-5"] = SIG_FILE,
+  ["s2b-223-3"] = SIG_FILE,
+  ["s2b-818-10"] = SIG_FILE,
+  ["s2b-2177-4"] = SIG_FILE,
+  ["s2b-1482-4"] = SIG_FILE,
+  ["s2b-616-4"] = SIG_FILE,
+  ["s2b-2383-9"] = SIG_FILE,
+  ["s2b-2104-3"] = SIG_FILE,
+  ["s2b-1697-3"] = SIG_FILE,
+  ["s2b-2533-5"] = SIG_FILE,
+  ["s2b-243-2"] = SIG_FILE,
+  ["s2b-1309-9"] = SIG_FILE,
+  ["s2b-472-4"] = SIG_FILE,
+  ["s2b-879-7"] = SIG_FILE,
+  ["s2b-1733-9"] = SIG_FILE,
+  ["s2b-2470-3"] = SIG_FILE,
+  ["s2b-321-5"] = SIG_FILE,
+  ["s2b-1113-5"] = SIG_FILE,
+  ["s2b-893-7"] = SIG_FILE,
+  ["s2b-2050-5"] = SIG_FILE,
+  ["s2b-1776-2"] = SIG_FILE,
+  ["s2b-1868-5"] = SIG_FILE,
+  ["s2b-693-5"] = SIG_FILE,
+  ["s2b-603-5"] = SIG_FILE,
+  ["s2b-2084-8"] = SIG_FILE,
+  ["s2b-1729-5"] = SIG_ALARM,
+  ["s2b-1145-7"] = SIG_FILE,
+  ["s2b-1280-9"] = SIG_FILE,
+  ["s2b-2385-9"] = SIG_FILE,
+  ["s2b-1448-10"] = SIG_FILE,
+  ["s2b-1181-8"] = SIG_FILE,
+  ["s2b-1481-4"] = SIG_FILE,
+  ["s2b-870-5"] = SIG_FILE,
+  ["s2b-1960-7"] = SIG_FILE,
+  ["s2b-2125-8"] = SIG_FILE,
+  ["s2b-843-7"] = SIG_FILE,
+  ["s2b-1922-6"] = SIG_FILE,
+  ["s2b-516-3"] = SIG_FILE,
+  ["s2b-1191-6"] = SIG_FILE,
+  ["s2b-1413-10"] = SIG_FILE,
+  ["s2b-582-8"] = SIG_FILE,
+  ["s2b-331-10"] = SIG_FILE,
+  ["s2b-2081-9"] = SIG_FILE,
+  ["s2b-911-7"] = SIG_FILE,
+  ["s2b-1231-8"] = SIG_FILE,
+  ["s2b-1577-4"] = SIG_FILE,
+  ["s2b-1454-6"] = SIG_FILE,
+  ["s2b-471-3"] = SIG_FILE,
+  ["s2b-1216-5"] = SIG_FILE,
+  ["s2b-595-16"] = SIG_FILE,
+  ["s2b-1473-5"] = SIG_FILE,
+  ["s2b-2026-9"] = SIG_FILE,
+  ["s2b-534-6"] = SIG_FILE,
+  ["s2b-1392-10"] = SIG_FILE,
+  ["s2b-491-8"] = SIG_FILE,
+  ["s2b-1453-5"] = SIG_FILE,
+  ["s2b-324-5"] = SIG_FILE,
+  ["s2b-246-2"] = SIG_FILE,
+  ["s2b-1197-6"] = SIG_FILE,
+  ["s2b-881-5"] = SIG_FILE,
+  ["s2b-589-8"] = SIG_FILE,
+  ["s2b-533-8"] = SIG_FILE,
+  ["s2b-2530-3"] = SIG_FILE,
+  ["s2b-829-9"] = SIG_FILE,
+  ["s2b-1108-10"] = SIG_FILE,
+  ["s2b-1461-5"] = SIG_FILE,
+  ["s2b-867-9"] = SIG_FILE,
+  ["s2b-330-9"] = SIG_FILE,
+  ["s2b-1175-10"] = SIG_FILE,
+  ["s2b-847-7"] = SIG_FILE,
+  ["s2b-1132-6"] = SIG_FILE,
+  ["s2b-1268-12"] = SIG_FILE,
+  ["s2b-2534-3"] = SIG_FILE,
+  ["s2b-2504-6"] = SIG_FILE,
+  ["s2b-227-6"] = SIG_FILE,
+  ["s2b-1648-7"] = SIG_FILE,
+  ["s2b-1447-11"] = SIG_FILE,
+  ["s2b-236-6"] = SIG_FILE,
+  ["s2b-1629-6"] = SIG_FILE,
+  ["s2b-1497-6"] = SIG_FILE,
+  ["s2b-1147-7"] = SIG_FILE,
+  ["s2b-2019-4"] = SIG_FILE,
+  ["s2b-1778-4"] = SIG_FILE,
+  ["s2b-1293-10"] = SIG_FILE,
+  ["s2b-1179-7"] = SIG_FILE,
+  ["s2b-1190-6"] = SIG_FILE,
+  ["s2b-1446-6"] = SIG_FILE,
+  ["s2b-1459-5"] = SIG_FILE,
+  ["s2b-2014-5"] = SIG_FILE,
+  ["s2b-1119-7"] = SIG_FILE,
+  ["s2b-2384-8"] = SIG_FILE,
+  ["s2b-2032-5"] = SIG_FILE,
+  ["s2b-2475-3"] = SIG_FILE,
+  ["s2b-361-12"] = SIG_FILE,
+  ["s2b-1267-11"] = SIG_FILE,
+  ["s2b-586-8"] = SIG_FILE,
+  ["s2b-2520-5"] = SIG_FILE,
+  ["s2b-520-5"] = SIG_FILE,
+  ["s2b-878-6"] = SIG_FILE,
+  ["s2b-268-4"] = SIG_FILE,
+  ["s2b-854-7"] = SIG_FILE,
+  ["s2b-1864-7"] = SIG_FILE,
+  ["s2b-1452-5"] = SIG_FILE,
+  ["s2b-931-6"] = SIG_FILE,
+  ["s2b-251-3"] = SIG_FILE,
+  ["s2b-840-7"] = SIG_FILE,
+  ["s2b-1264-13"] = SIG_FILE,
+  ["s2b-933-7"] = SIG_FILE,
+  ["s2b-512-4"] = SIG_FILE,
+  ["s2b-1348-5"] = SIG_QUIET,
+  ["s2b-1688-3"] = SIG_FILE,
+  ["s2b-902-7"] = SIG_FILE,
+  ["s2b-1134-7"] = SIG_FILE,
+  ["s2b-889-7"] = SIG_FILE,
+  ["s2b-234-2"] = SIG_FILE,
+  ["s2b-915-5"] = SIG_FILE,
+  ["s2b-637-3"] = SIG_FILE,
+  ["s2b-836-7"] = SIG_FILE,
+  ["s2b-2473-3"] = SIG_FILE,
+  ["s2b-2033-8"] = SIG_FILE,
+  ["s2b-1151-5"] = SIG_FILE,
+  ["s2b-835-9"] = SIG_FILE,
+  ["s2b-1955-6"] = SIG_FILE,
+  ["s2b-660-7"] = SIG_FILE,
+  ["s2b-904-7"] = SIG_FILE,
+  ["s2b-826-7"] = SIG_FILE,
+  ["s2b-833-8"] = SIG_FILE,
+  ["s2b-883-5"] = SIG_FILE,
+  ["s2b-1930-3"] = SIG_FILE,
+  ["s2b-887-6"] = SIG_FILE,
+  ["s2b-859-7"] = SIG_FILE,
+  ["s2b-588-17"] = SIG_FILE,
+  ["s2b-1682-3"] = SIG_FILE,
+  ["s2b-230-5"] = SIG_FILE,
+  ["s2b-1952-5"] = SIG_FILE,
+  ["s2b-1173-5"] = SIG_FILE,
+  ["s2b-583-9"] = SIG_FILE,
+  ["s2b-880-8"] = SIG_FILE,
+  ["s2b-1104-9"] = SIG_FILE,
+  ["s2b-1146-5"] = SIG_FILE,
+  ["s2b-837-8"] = SIG_FILE,
+  ["s2b-1694-3"] = SIG_FILE,
+  ["s2b-362-12"] = SIG_FILE,
+  ["s2b-536-7"] = SIG_FILE,
+  ["s2b-1161-9"] = SIG_FILE,
+  ["s2b-648-7"] = SIG_FILE,
+  ["s2b-2468-3"] = SIG_FILE,
+  ["s2b-1301-11"] = SIG_FILE,
+  ["s2b-2348-6"] = SIG_FILE,
+  ["s2b-1259-5"] = SIG_FILE,
+  ["s2b-2370-2"] = SIG_QUIET,
+  ["s2b-1464-3"] = SIG_FILE,
+  ["s2b-1721-4"] = SIG_FILE,
+  ["s2b-1696-3"] = SIG_FILE,
+  ["s2b-2477-3"] = SIG_FILE,
+  ["s2b-1168-5"] = SIG_FILE,
+  ["s2b-1680-3"] = SIG_FILE,
+  ["s2b-848-9"] = SIG_FILE,
+  ["s2b-1366-5"] = SIG_FILE,
+  ["s2b-1167-7"] = SIG_FILE,
+  ["s2b-1202-5"] = SIG_FILE,
+  ["s2b-530-10"] = SIG_FILE,
+  ["s2b-2466-3"] = SIG_FILE,
+  ["s2b-1410-9"] = SIG_FILE,
+  ["s2b-1579-4"] = SIG_FILE,
+  ["s2b-2018-4"] = SIG_FILE,
+  ["s2b-1691-3"] = SIG_FILE,
+  ["s2b-718-7"] = SIG_FILE,
+  ["s2b-2034-7"] = SIG_FILE,
+  ["s2b-538-10"] = SIG_FILE,
+  ["s2b-1189-6"] = SIG_FILE,
+  ["s2b-1308-5"] = SIG_FILE,
+  ["s2b-2029-5"] = SIG_FILE,
+  ["s2b-865-8"] = SIG_FILE,
+  ["s2b-2022-4"] = SIG_FILE,
+  ["s2b-841-7"] = SIG_FILE,
+  ["s2b-2021-4"] = SIG_FILE,
+  ["s2b-1164-10"] = SIG_FILE,
+  ["s2b-1275-10"] = SIG_FILE,
+  ["s2b-1954-5"] = SIG_FILE,
+  ["s2b-323-5"] = SIG_FILE,
+  ["s2b-903-7"] = SIG_FILE,
+  ["s2b-638-5"] = SIG_FILE,
+  ["s2b-274-5"] = SIG_FILE,
+  ["s2b-1156-6"] = SIG_FILE,
+  ["s2b-823-6"] = SIG_FILE,
+  ["s2b-1217-7"] = SIG_FILE,
+  ["s2b-2176-4"] = SIG_FILE,
+  ["s2b-1586-4"] = SIG_FILE,
+  ["s2b-640-6"] = SIG_FILE,
+  ["s2b-1411-10"] = SIG_FILE,
+  ["s2b-275-10"] = SIG_FILE,
+  ["s2b-1239-5"] = SIG_FILE,
+  ["s2b-852-8"] = SIG_FILE,
+  ["s2b-1950-5"] = SIG_FILE,
+  ["s2b-1130-5"] = SIG_FILE,
+  ["s2b-864-7"] = SIG_FILE,
+  ["s2b-2386-6"] = SIG_FILE,
+  ["s2b-1118-5"] = SIG_FILE,
+  ["s2b-891-5"] = SIG_FILE,
+  ["s2b-2570-6"] = SIG_FILE,
+  ["s2b-691-5"] = SIG_FILE,
+  ["s2b-272-7"] = SIG_FILE,
+  ["s2b-910-5"] = SIG_FILE,
+  ["s2b-1414-11"] = SIG_FILE,
+  ["s2b-1867-1"] = SIG_FILE,
+  ["s2b-1962-7"] = SIG_FILE,
+  ["s2b-2025-9"] = SIG_FILE,
+  ["s2b-532-8"] = SIG_FILE,
+  ["s2b-1199-11"] = SIG_FILE,
+  ["s2b-2536-3"] = SIG_FILE,
+  ["s2b-1693-4"] = SIG_FILE,
+  ["s2b-1365-5"] = SIG_FILE,
+  ["s2b-1576-4"] = SIG_FILE,
+  ["s2b-1541-4"] = SIG_FILE,
+  ["s2b-1666-5"] = SIG_FILE,
+  ["s2b-832-11"] = SIG_FILE,
+  ["s2b-2502-7"] = SIG_FILE,
+  ["s2b-646-5"] = SIG_FILE,
+  ["s2b-1575-4"] = SIG_FILE,
+  ["s2b-1142-5"] = SIG_FILE,
+  ["s2b-222-2"] = SIG_FILE,
+  ["s2b-1435-6"] = SIG_FILE,
+  ["s2b-535-6"] = SIG_FILE,
+  ["s2b-1451-6"] = SIG_FILE,
+  ["s2b-1273-10"] = SIG_FILE,
+  ["s2b-2565-1"] = SIG_FILE,
+  ["s2b-858-7"] = SIG_FILE,
+  ["s2b-626-7"] = SIG_FILE,
+  ["s2b-1232-8"] = SIG_FILE,
+  ["s2b-593-18"] = SIG_FILE,
+  ["s2b-672-6"] = SIG_FILE,
+  ["s2b-1624-5"] = SIG_FILE,
+  ["s2b-2480-3"] = SIG_FILE,
+  ["s2b-897-10"] = SIG_FILE,
+  ["s2b-1158-10"] = SIG_FILE,
+  ["s2b-877-8"] = SIG_FILE,
+  ["s2b-585-7"] = SIG_FILE,
+  ["s2b-1271-14"] = SIG_FILE,
+  ["s2b-1115-7"] = SIG_FILE,
+  ["s2b-630-5"] = SIG_FILE,
+  ["s2b-2505-7"] = SIG_FILE,
+  ["s2b-1684-3"] = SIG_FILE,
+  ["s2b-1470-5"] = SIG_FILE,
+  ["s2b-1924-6"] = SIG_FILE,
+  ["s2b-1641-5"] = SIG_FILE,
+  ["s2b-2500-4"] = SIG_FILE,
+  ["s2b-245-3"] = SIG_FILE,
+  ["s2b-2080-6"] = SIG_FILE,
+  ["s2b-233-3"] = SIG_FILE,
+  ["s2b-478-3"] = SIG_FILE,
+  ["s2b-651-8"] = SIG_FILE,
+  ["s2b-2486-5"] = SIG_FILE,
+  ["s2b-861-12"] = SIG_FILE,
+  ["s2b-1476-5"] = SIG_FILE,
+  ["s2b-1614-8"] = SIG_FILE,
+  ["s2b-1898-8"] = SIG_FILE,
+  ["s2b-1165-9"] = SIG_FILE,
+  ["s2b-1869-5"] = SIG_FILE,
+  ["s2b-1480-9"] = SIG_FILE,
+  ["s2b-2193-9"] = SIG_FILE,
+  ["s2b-1162-7"] = SIG_FILE,
+  ["s2b-576-8"] = SIG_FILE,
+  ["s2b-254-4"] = SIG_FILE,
+  ["s2b-611-7"] = SIG_FILE,
+  ["s2b-241-7"] = SIG_FILE,
+  ["s2b-928-5"] = SIG_FILE,
+  ["s2b-2313-2"] = SIG_FILE,
+  ["s2b-2465-3"] = SIG_FILE,
+  ["s2b-1160-11"] = SIG_FILE,
+  ["s2b-1129-5"] = SIG_FILE,
+  ["s2b-1155-5"] = SIG_FILE,
+  ["s2b-1228-6"] = SIG_FILE,
+  ["s2b-489-7"] = SIG_FILE,
+  ["s2b-1460-5"] = SIG_FILE,
+  ["s2b-1896-8"] = SIG_FILE,
+  ["s2b-932-7"] = SIG_FILE,
+  ["s2b-838-9"] = SIG_FILE,
+  ["s2b-500-4"] = SIG_FILE,
+  ["s2b-2478-3"] = SIG_FILE,
+  ["s2b-1971-4"] = SIG_FILE,
+  ["s2b-465-3"] = SIG_FILE,
+  ["s2b-276-5"] = SIG_FILE,
+  ["s2b-1599-7"] = SIG_FILE,
+  ["s2b-1105-5"] = SIG_FILE,
+  ["s2b-2192-8"] = SIG_FILE,
+  ["s2b-590-12"] = SIG_FILE,
+  ["s2b-1926-6"] = SIG_FILE,
+  ["s2b-834-7"] = SIG_FILE,
+  ["s2b-1662-5"] = SIG_FILE,
+  ["s2b-1356-5"] = SIG_FILE,
+  ["s2b-598-12"] = SIG_FILE,
+  ["s2b-1144-5"] = SIG_FILE,
+  ["s2b-1689-3"] = SIG_FILE,
+  ["s2b-846-8"] = SIG_FILE,
+  ["s2b-1110-7"] = SIG_FILE,
+  ["s2b-2476-3"] = SIG_FILE,
+  ["s2b-1813-5"] = SIG_FILE,
+  ["s2b-2339-2"] = SIG_FILE,
+  ["s2b-503-6"] = SIG_FILE,
+  ["s2b-2471-3"] = SIG_FILE,
+  ["s2b-1159-10"] = SIG_FILE,
+  ["s2b-868-9"] = SIG_FILE,
+  ["s2b-619-5"] = SIG_FILE,
+  ["s2b-529-7"] = SIG_FILE,
+  ["s2b-1732-9"] = SIG_FILE,
+  ["s2b-1176-5"] = SIG_FILE,
+  ["s2b-1117-6"] = SIG_FILE,
+  ["s2b-659-6"] = SIG_FILE,
+  ["s2b-2027-5"] = SIG_FILE,
+  ["s2b-850-5"] = SIG_FILE,
+  ["s2b-866-8"] = SIG_FILE,
+  ["s2b-871-7"] = SIG_FILE,
+  ["s2b-1408-8"] = SIG_FILE,
+  ["s2b-1638-5"] = SIG_FILE,
+  ["s2b-1133-11"] = SIG_FILE,
+  ["s2b-2038-5"] = SIG_FILE,
+  ["s2b-1136-5"] = SIG_FILE,
+  ["s2b-1125-8"] = SIG_FILE,
+  ["s2b-612-6"] = SIG_FILE,
+  ["s2b-1131-5"] = SIG_FILE,
+  ["s2b-228-3"] = SIG_FILE,
+  ["s2b-1469-5"] = SIG_FILE,
+  ["s2b-1177-6"] = SIG_FILE,
+  ["s2b-869-8"] = SIG_FILE,
+  ["s2b-1251-6"] = SIG_FILE,
+  ["s2b-1137-9"] = SIG_FILE,
+  ["s2b-239-2"] = SIG_FILE,
+  ["s2b-1953-5"] = SIG_FILE,
+  ["s2b-1188-6"] = SIG_FILE,
+  ["s2b-1895-8"] = SIG_FILE,
+  ["s2b-250-4"] = SIG_FILE,
+  ["s2b-2079-6"] = SIG_FILE,
+  ["s2b-1218-5"] = SIG_FILE,
+  ["s2b-652-9"] = SIG_FILE,
+  ["s2b-1458-6"] = SIG_FILE,
+  ["s2b-892-8"] = SIG_FILE,
+  ["s2b-627-7"] = SIG_FILE,
+  ["s2b-1277-9"] = SIG_FILE,
+  ["s2b-1235-8"] = SIG_FILE,
+  ["s2b-2023-4"] = SIG_FILE,
+  ["s2b-1580-4"] = SIG_FILE,
+  ["s2b-2493-5"] = SIG_FILE,
+  ["s2b-1572-7"] = SIG_FILE,
+  ["s2b-1326-6"] = SIG_FILE,
+  ["s2b-328-8"] = SIG_FILE,
+  ["s2b-2537-3"] = SIG_FILE,
+  ["s2b-1777-4"] = SIG_FILE,
+  ["s2b-862-9"] = SIG_FILE,
+  ["s2b-580-9"] = SIG_FILE,
+  ["s2b-1948-4"] = SIG_FILE,
+  ["s2b-537-11"] = SIG_FILE,
+  ["s2b-1746-11"] = SIG_FILE,
+  ["s2b-601-6"] = SIG_FILE,
+  ["s2b-2418-3"] = SIG_FILE,
+  ["s2b-653-8"] = SIG_FILE,
+  ["s2b-658-5"] = SIG_FILE,
+  ["s2b-221-3"] = SIG_FILE,
+  ["s2b-1959-7"] = SIG_FILE,
+  ["s2b-1674-5"] = SIG_FILE,
+  ["s2b-914-5"] = SIG_FILE,
+  ["s2b-322-10"] = SIG_FILE,
+  ["s2b-1140-11"] = SIG_FILE,
+  ["s2b-146-5"] = SIG_FILE,
+  ["s2b-2191-3"] = SIG_FILE,
+  ["s2b-1692-3"] = SIG_FILE,
+  ["s2b-2566-1"] = SIG_FILE,
+  ["s2b-2037-5"] = SIG_FILE,
+  ["s2b-634-2"] = SIG_FILE,
+  ["s2b-1882-10"] = SIG_FILE,
+  ["s2b-901-10"] = SIG_FILE,
+  ["s2b-279-3"] = SIG_FILE,
+  ["s2b-1412-13"] = SIG_FILE,
+  ["s2b-579-8"] = SIG_FILE,
+  ["s2b-2190-3"] = SIG_FILE,
+  ["s2b-1992-5"] = SIG_FILE,
+  ["s2b-513-10"] = SIG_FILE,
+  ["s2b-578-8"] = SIG_FILE,
+  ["s2b-2524-7"] = SIG_FILE,
+  ["s2b-332-8"] = SIG_FILE,
+  ["s2b-575-8"] = SIG_FILE,
+  ["s2b-502-2"] = SIG_FILE,
+  ["s2b-692-6"] = SIG_FILE,
+  ["s2b-851-7"] = SIG_FILE,
+  ["s2b-599-11"] = SIG_FILE,
+  ["s2b-2174-4"] = SIG_FILE,
+  ["s2b-635-3"] = SIG_FILE,
+  ["s2b-475-3"] = SIG_FILE,
+  ["s2b-1265-9"] = SIG_FILE,
+  ["s2b-235-2"] = SIG_FILE,
+  ["s2b-270-6"] = SIG_FILE,
+  ["s2b-1659-3"] = SIG_FILE,
+  ["s2b-1695-3"] = SIG_FILE,
+  ["s2b-1681-3"] = SIG_FILE,
+  ["s2b-1949-5"] = SIG_FILE,
+  ["s2b-1184-6"] = SIG_FILE,
+  ["s2b-1581-4"] = SIG_FILE,
+  ["s2b-1150-6"] = SIG_FILE,
+  ["s2b-1123-9"] = SIG_FILE,
+  ["s2b-1292-8"] = SIG_FILE,
+  ["s2b-584-11"] = SIG_FILE,
+  ["s2b-591-10"] = SIG_FILE,
+  ["s2b-1360-5"] = SIG_FILE,
+  ["s2b-622-6"] = SIG_FILE,
+  ["s2b-518-6"] = SIG_FILE,
+  ["s2b-860-8"] = SIG_FILE,
+  ["s2b-908-8"] = SIG_FILE,
+  ["s2b-249-7"] = SIG_FILE,
+  ["s2b-1180-12"] = SIG_FILE,
+  ["s2b-2472-3"] = SIG_FILE,
+  ["s2b-1154-5"] = SIG_FILE,
+  ["s2b-1070-7"] = SIG_FILE,
+  ["s2b-574-8"] = SIG_FILE,
+  ["s2b-1478-3"] = SIG_FILE,
+  ["s2b-514-5"] = SIG_FILE,
+  ["s2b-2006-10"] = SIG_FILE,
+  ["s2b-2159-8"] = SIG_FILE,
+  ["s2b-224-3"] = SIG_FILE,
+  ["s2b-1961-7"] = SIG_FILE,
+  ["s2b-247-4"] = SIG_FILE,
+  ["s2b-2335-2"] = SIG_FILE,
+  ["s2b-495-7"] = SIG_FILE,
+  ["s2b-552-7"] = SIG_QUIET,
+  ["s2b-636-1"] = SIG_FILE,
+  ["s2b-863-7"] = SIG_FILE,
+  ["s2b-1685-4"] = SIG_FILE,
+  ["s2b-1367-5"] = SIG_FILE,
+  ["s2b-806-11"] = SIG_FILE,
+  ["s2b-1120-8"] = SIG_FILE,
+  ["s2b-2450-3"] = SIG_FILE,
+  ["s2b-1302-7"] = SIG_FILE,
+  ["s2b-1421-11"] = SIG_FILE,
+  ["s2b-875-9"] = SIG_FILE,
+  ["s2b-913-5"] = SIG_FILE,
+  ["s2b-2020-4"] = SIG_FILE,
+  ["s2b-1418-11"] = SIG_FILE,
+  ["s2b-2230-5"] = SIG_FILE,
+  ["s2b-1183-8"] = SIG_FILE,
+  ["s2b-1672-10"] = SIG_FILE,
+  ["s2b-717-6"] = SIG_FILE,
+  ["s2b-856-5"] = SIG_FILE,
+  ["s2b-1324-6"] = SIG_FILE,
+  ["s2b-1270-11"] = SIG_FILE,
+  ["s2b-632-5"] = SIG_FILE,
+  ["s2b-1444-3"] = SIG_FILE,
+  ["s2b-1582-4"] = SIG_FILE,
+  ["s2b-1127-7"] = SIG_FILE,
+  ["s2b-1100-7"] = SIG_QUIET,
+  ["s2b-614-7"] = SIG_FILE,
+  ["s2b-898-9"] = SIG_FILE,
+  ["s2b-1229-7"] = SIG_FILE,
+  ["s2b-2030-6"] = SIG_FILE,
+  ["s2b-2382-8"] = SIG_FILE,
+  ["s2b-256-5"] = SIG_FILE,
+  ["s2b-1855-7"] = SIG_FILE,
+  ["s2b-894-8"] = SIG_FILE,
+  ["s2b-1209-5"] = SIG_FILE,
+  ["s2b-1148-5"] = SIG_FILE,
+  ["s2b-1230-8"] = SIG_FILE,
+  ["s2b-1212-5"] = SIG_FILE,
+  ["s2b-905-7"] = SIG_FILE,
+  ["s2b-2474-3"] = SIG_FILE,
+  ["s2b-642-6"] = SIG_FILE,
+  ["s2b-1585-4"] = SIG_FILE,
+  ["s2b-872-9"] = SIG_FILE,
+  ["s2b-1894-8"] = SIG_FILE,
+  ["s2b-1294-10"] = SIG_FILE,
+  ["s2b-2028-5"] = SIG_FILE,
+  ["s2b-255-11"] = SIG_FILE,
+  ["s2b-1274-17"] = SIG_FILE,
+  ["s2b-925-5"] = SIG_FILE,
+  ["s2b-237-2"] = SIG_FILE,
+  ["s2b-845-7"] = SIG_FILE,
+  ["s2b-1899-8"] = SIG_FILE,
+  ["s2b-906-7"] = SIG_FILE,
+  ["s2b-1683-3"] = SIG_FILE,
+  ["s2b-1686-3"] = SIG_FILE,
+  ["s2b-311-11"] = SIG_FILE,
+  ["s2b-1951-5"] = SIG_FILE,
+  ["s2b-1226-4"] = SIG_FILE,
+  ["s2b-605-6"] = SIG_FILE,
+  ["s2b-1649-7"] = SIG_FILE,
+  ["s2b-2497-6"] = SIG_FILE,
+  ["s2b-240-2"] = SIG_FILE,
+  ["s2b-278-5"] = SIG_FILE,
+  ["s2b-888-5"] = SIG_FILE,
+  ["s2b-1213-5"] = SIG_FILE,
+  ["s2b-1276-14"] = SIG_FILE,
+  ["s2b-1475-4"] = SIG_FILE,
+  ["s2b-2151-4"] = SIG_QUIET,
+  ["s2b-1676-3"] = SIG_FILE,
+  ["s2b-1415-9"] = SIG_FILE,
+  ["s2b-1272-10"] = SIG_FILE,
+  ["s2b-1153-5"] = SIG_FILE,
+  ["s2b-1152-5"] = SIG_FILE,
+  ["s2b-1640-6"] = SIG_ALARM,
+  ["s2b-1687-3"] = SIG_FILE,
+  ["s2b-1623-6"] = SIG_FILE,
+  ["s2b-2083-8"] = SIG_FILE,
+  ["s2b-1430-7"] = SIG_FILE,
+  ["s2b-1263-11"] = SIG_FILE,
+  ["s2b-2017-12"] = SIG_FILE,
+  ["s2b-1462-5"] = SIG_FILE,
+  ["s2b-1257-8"] = SIG_FILE,
+  ["s2b-497-8"] = SIG_FILE,
+  ["s2b-936-5"] = SIG_FILE,
+  ["s2b-505-5"] = SIG_FILE,
+  ["s2b-1111-5"] = SIG_FILE,
+  ["s2b-1923-6"] = SIG_FILE,
+  ["s2b-1390-5"] = SIG_FILE,
+  ["s2b-467-3"] = SIG_FILE,
+  ["s2b-1266-10"] = SIG_FILE,
+  ["s2b-2469-3"] = SIG_FILE,
+  ["s2b-827-7"] = SIG_FILE,
+  ["s2b-226-6"] = SIG_FILE,
+  ["s2b-1192-6"] = SIG_FILE,
+  ["s2b-688-6"] = SIG_FILE,
+  ["s2b-890-10"] = SIG_FILE,
+  ["s2b-1109-8"] = SIG_FILE,
+  ["s2b-501-4"] = SIG_FILE,
+  ["s2b-231-3"] = SIG_FILE,
+  ["s2b-1584-4"] = SIG_FILE,
+  ["s2b-587-8"] = SIG_FILE,
+  ["s2b-476-4"] = SIG_FILE,
+  ["s2b-1897-8"] = SIG_FILE,
+  ["s2b-336-10"] = SIG_FILE,
+  ["s2b-830-7"] = SIG_FILE,
+  ["s2b-2101-9"] = SIG_FILE,
+  ["s2b-232-5"] = SIG_FILE,
+  ["s2b-828-5"] = SIG_FILE,
+  ["s2b-2031-5"] = SIG_FILE,
+  ["s2b-1471-5"] = SIG_FILE,
+  ["s2b-2036-6"] = SIG_FILE,
+  ["s2b-1856-7"] = SIG_FILE,
+  ["s2b-810-11"] = SIG_FILE,
+  ["s2b-1224-10"] = SIG_FILE,
+  ["s2b-853-9"] = SIG_FILE,
+  ["s2b-257-8"] = SIG_FILE,
+  ["s2b-1269-10"] = SIG_FILE,
+  ["s2b-2312-2"] = SIG_FILE,
+  ["s2b-1166-8"] = SIG_FILE,
+  ["s2b-641-6"] = SIG_FILE,
+  ["s2b-1394-5"] = SIG_FILE,
+  ["s2b-1583-4"] = SIG_FILE,
+  ["s2b-2082-9"] = SIG_FILE,
+  ["s2b-1775-2"] = SIG_FILE,
+  ["s2b-1279-14"] = SIG_FILE,
+  ["s2b-1416-9"] = SIG_FILE,
+  ["s2b-273-7"] = SIG_FILE,
+  ["s2b-1747-11"] = SIG_FILE,
+  ["s2b-644-5"] = SIG_FILE,
+  ["s2b-930-5"] = SIG_FILE,
+  ["s2b-1375-6"] = SIG_FILE,
+  ["s2b-1690-3"] = SIG_FILE,
+  ["s2b-1424-6"] = SIG_FILE,
+  ["s2b-1420-11"] = SIG_FILE,
+  ["s2b-1260-10"] = SIG_FILE,
+  ["s2b-508-7"] = SIG_FILE,
+  ["s2b-282-7"] = SIG_QUIET,
+  ["s2b-2015-5"] = SIG_FILE,
+  ["s2b-1891-8"] = SIG_FILE,
+  ["s2b-360-7"] = SIG_FILE,
+  ["s2b-519-6"] = SIG_FILE,
+  ["s2b-504-6"] = SIG_FILE,
+  ["s2b-1344-5"] = SIG_FILE,
+  ["s2b-1178-6"] = SIG_FILE,
+  ["s2b-1220-5"] = SIG_FILE,
+  ["s2b-1792-8"] = SIG_FILE,
+  ["s2b-1419-9"] = SIG_FILE,
+  ["s2b-1854-7"] = SIG_FILE,
+  ["s2b-2481-3"] = SIG_FILE,
+  ["s2b-2467-3"] = SIG_FILE,
+  ["s2b-1001-7"] = SIG_FILE,
+  ["s2b-1116-6"] = SIG_FILE,
+  ["s2b-271-4"] = SIG_FILE,
+  ["s2b-281-5"] = SIG_FILE,
+  ["s2b-2035-6"] = SIG_FILE,
+  ["s2b-1281-7"] = SIG_FILE,
+  ["s2b-1234-8"] = SIG_FILE,
+  ["s2b-1381-5"] = SIG_FILE,
+  ["s2b-1860-4"] = SIG_FILE,
+  ["s2b-522-2"] = SIG_FILE,
+  ["s2b-912-5"] = SIG_FILE,
+  ["s2b-1128-5"] = SIG_FILE,
+  ["s2b-1677-3"] = SIG_FILE,
+  ["s2b-639-5"] = SIG_FILE,
+  ["s2b-1303-7"] = SIG_FILE,
+  ["s2b-1457-6"] = SIG_FILE,
+  ["s2b-1122-5"] = SIG_FILE,
+  ["s2b-1678-5"] = SIG_FILE,
+  ["s2b-1139-7"] = SIG_FILE,
+  ["s2b-645-5"] = SIG_FILE,
+  ["s2b-631-6"] = SIG_FILE,
+  ["s2b-2257-5"] = SIG_FILE,
+  ["s2b-244-3"] = SIG_FILE,
+  ["s2b-1295-9"] = SIG_FILE,
+  ["s2b-225-6"] = SIG_FILE,
+  ["s2b-1327-7"] = SIG_FILE,
+  ["s2b-844-7"] = SIG_FILE,
+  ["s2b-229-5"] = SIG_FILE,
+  ["s2b-2093-5"] = SIG_FILE,
+  ["s2b-1087-8"] = SIG_FILE,
+  ["s2b-517-1"] = SIG_FILE,
+  ["s2b-1252-13"] = SIG_FILE,
+  ["s2b-842-7"] = SIG_FILE,
+  ["s2b-2175-5"] = SIG_FILE,
+}; 
diff --git a/scripts/s2b/example_bro_files/signatures.sig b/scripts/s2b/example_bro_files/signatures.sig
new file mode 100644
index 0000000000..b4f53c24ce
--- /dev/null
+++ b/scripts/s2b/example_bro_files/signatures.sig
@@ -0,0 +1,15805 @@
+# This file was created by s2b.pl on Mon Sep 20 13:14:53 2004.
+# This file is dynamically generated each time s2b.pl is run and therefore any 
+# changes done manually will be overwritten.
+# $Id: signatures.sig 840 2004-11-30 22:33:48Z jason $
+
+signature s2b-1292-8 {
+  ip-proto == tcp
+  event "ATTACK-RESPONSES directory listing"
+  tcp-state established,responder
+  payload /.*Volume Serial Number/
+}
+
+signature s2b-495-7 {
+  ip-proto == tcp
+  src-port == http_ports
+  event "ATTACK-RESPONSES command error"
+  tcp-state established,responder
+  payload /.*[bB][aA][dD] [cC][oO][mM][mM][aA][nN][dD] [oO][rR] [fF][iI][lL][eE][nN][aA][mM][eE]/
+}
+
+signature s2b-497-8 {
+  ip-proto == tcp
+  src-port == http_ports
+  event "ATTACK-RESPONSES file copied ok"
+  tcp-state established,responder
+  payload /.*1 [fF][iI][lL][eE]\x28[sS]\x29 [cC][oO][pP][iI][eE][dD]/
+}
+
+signature s2b-1666-5 {
+  ip-proto == tcp
+  src-port == http_ports
+  event "ATTACK-RESPONSES index of /cgi-bin/ response"
+  tcp-state established,responder
+  payload /.*[iI][nN][dD][eE][xX] [oO][fF] \/[cC][gG][iI]-[bB][iI][nN]\//
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-498-6 {
+  event "ATTACK-RESPONSES id check returned root"
+  payload /.*uid=0\x28root\x29/
+}
+
+signature s2b-1882-10 {
+  # Not supported: byte_test: 5,<,65537,0,relative,string,5,<,65537,0,relative,string
+  event "ATTACK-RESPONSES id check returned userid"
+  payload /.*uid=.{0,10} gid=/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1464-3 {
+  ip-proto == tcp
+  src-port == 8002
+  event "ATTACK-RESPONSES oracle one hour install"
+  tcp-state established,responder
+  payload /.*Oracle Applications One-Hour Install/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1900-10 {
+  ip-proto == tcp
+  src-port == 749
+  event "ATTACK-RESPONSES successful kadmind buffer overflow attempt"
+  tcp-state established,responder
+  payload /\*GOBBLE\*/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1901-10 {
+  ip-proto == tcp
+  src-port == 751
+  event "ATTACK-RESPONSES successful kadmind buffer overflow attempt"
+  tcp-state established,responder
+  payload /\*GOBBLE\*/
+}
+
+signature s2b-1810-9 {
+  ip-proto == tcp
+  src-port == 22
+  event "ATTACK-RESPONSES successful gobbles ssh exploit GOBBLE"
+  tcp-state established,responder
+  payload /.*\*GOBBLE\*/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1811-8 {
+  ip-proto == tcp
+  src-port == 22
+  event "ATTACK-RESPONSES successful gobbles ssh exploit uname"
+  tcp-state established,responder
+  payload /.*uname/
+}
+
+signature s2b-2104-3 {
+  ip-proto == tcp
+  src-port == 512
+  event "ATTACK-RESPONSES rexec username too long response"
+  tcp-state established,responder
+  payload /username too long/
+}
+
+signature s2b-2123-2 {
+  ip-proto == tcp
+  src-port < 21
+  src-port > 23
+  event "ATTACK-RESPONSES Microsoft cmd.exe banner"
+  tcp-state established,responder
+  payload /.*Microsoft Windows.*.*\x28C\x29 Copyright 1985-.*.*Microsoft Corp\./
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2412-3 {
+  ip-proto == tcp
+  event "ATTACK-RESPONSES successful cross site scripting forced download attempt"
+  tcp-state established,originator
+  payload /.*\x0AReferer\x3A res\x3A\/C\x3A/
+}
+
+signature s2b-103-7 {
+  ip-proto == tcp
+  src-port == 27374
+  event "BACKDOOR subseven 22"
+  tcp-state established,originator
+  payload /.*\x0D\x0A\[RPL\]002\x0D\x0A/
+}
+
+signature s2b-107-6 {
+  ip-proto == tcp
+  src-port == 16959
+  event "BACKDOOR subseven DEFCON8 2.1 access"
+  tcp-state established,responder
+  payload /.*PWD/
+}
+
+signature s2b-109-5 {
+  ip-proto == tcp
+  src-port >= 12345
+  src-port <= 12346
+  event "BACKDOOR netbus active"
+  tcp-state established,responder
+  payload /.*NetBus/
+}
+
+signature s2b-110-4 {
+  ip-proto == tcp
+  dst-port >= 12345
+  dst-port <= 12346
+  event "BACKDOOR netbus getinfo"
+  tcp-state established,originator
+  payload /.*GetInfo\x0D/
+}
+
+signature s2b-115-5 {
+  ip-proto == tcp
+  src-port == 20034
+  event "BACKDOOR netbus active"
+  tcp-state established,originator
+  payload /.*NetBus/
+}
+
+signature s2b-1980-1 {
+  ip-proto == udp
+  dst-port == 2140
+  event "BACKDOOR DeepThroat 3.1 Connection attempt"
+  payload /00/
+}
+
+signature s2b-195-5 {
+  ip-proto == udp
+  src-port == 2140
+  event "BACKDOOR DeepThroat 3.1 Server Response"
+  payload /.*Ahhhh My Mouth Is Open/
+}
+
+signature s2b-1981-1 {
+  ip-proto == udp
+  dst-port == 3150
+  event "BACKDOOR DeepThroat 3.1 Connection attempt [3150]"
+  payload /00/
+}
+
+signature s2b-1982-1 {
+  ip-proto == udp
+  src-port == 3150
+  event "BACKDOOR DeepThroat 3.1 Server Response [3150]"
+  payload /.*Ahhhh My Mouth Is Open/
+}
+
+signature s2b-1983-1 {
+  ip-proto == udp
+  dst-port == 4120
+  event "BACKDOOR DeepThroat 3.1 Connection attempt [4120]"
+  payload /00/
+}
+
+signature s2b-1984-1 {
+  ip-proto == udp
+  src-port == 4120
+  event "BACKDOOR DeepThroat 3.1 Server Response [4120]"
+  payload /.*Ahhhh My Mouth Is Open/
+}
+
+signature s2b-119-5 {
+  ip-proto == tcp
+  src-port == 6789
+  event "BACKDOOR Doly 2.0 access"
+  tcp-state established,responder
+  payload /.{0,23}Wtzup Use/
+}
+
+signature s2b-104-7 {
+  ip-proto == tcp
+  src-port >= 1024
+  src-port <= 65535
+  dst-port == 2589
+  event "BACKDOOR - Dagger_1.4.0_client_connect"
+  tcp-state established,originator
+  payload /.{0,1}\x0B\x00\x00\x00\x07\x00\x00\x00Connect/
+}
+
+signature s2b-105-7 {
+  ip-proto == tcp
+  src-port == 2589
+  dst-port >= 1024
+  dst-port <= 65535
+  event "BACKDOOR - Dagger_1.4.0"
+  tcp-state established,responder
+  payload /2\x00\x00\x00\x06\x00\x00\x00Drives\x24\x00/
+}
+
+signature s2b-106-8 {
+  ip-proto == tcp
+  src-port == 80
+  dst-port == 1054
+  header tcp[8:4] == 101058054
+  header tcp[13:1] & 255 == 16
+  header tcp[4:4] == 101058054
+  event "BACKDOOR ACKcmdC trojan scan"
+  tcp-state stateless
+}
+
+signature s2b-108-6 {
+  ip-proto == tcp
+  dst-port == 7597
+  event "BACKDOOR QAZ Worm Client Login access"
+  tcp-state established,originator
+  payload /.*qazwsx\.hsq/
+}
+
+signature s2b-117-6 {
+  ip-proto == tcp
+  src-port == 146
+  dst-port >= 1024
+  dst-port <= 65535
+  event "BACKDOOR Infector.1.x"
+  tcp-state established,responder
+  payload /.*WHATISIT/
+}
+
+signature s2b-118-5 {
+  ip-proto == tcp
+  src-port == 666
+  dst-port >= 1024
+  dst-port <= 65535
+  event "BACKDOOR SatansBackdoor.2.0.Beta"
+  tcp-state established,responder
+  payload /.*Remote\x3A You are connected to me\./
+}
+
+signature s2b-120-5 {
+  ip-proto == tcp
+  src-port == 146
+  dst-port >= 1000
+  dst-port <= 1300
+  event "BACKDOOR Infector 1.6 Server to Client"
+  tcp-state established,responder
+  payload /.*WHATISIT/
+}
+
+signature s2b-145-5 {
+  ip-proto == tcp
+  src-port != 80
+  dst-port == 21554
+  event "BACKDOOR GirlFriendaccess"
+  tcp-state established,originator
+  payload /.*Girl/
+}
+
+signature s2b-146-5 {
+  ip-proto == tcp
+  src-port == 30100
+  event "BACKDOOR NetSphere access"
+  tcp-state established,responder
+  payload /.*NetSphere/
+}
+
+signature s2b-147-5 {
+  ip-proto == tcp
+  src-port == 6969
+  event "BACKDOOR GateCrasher"
+  tcp-state established,responder
+  payload /.*GateCrasher/
+}
+
+signature s2b-152-6 {
+  ip-proto == tcp
+  src-port >= 5401
+  src-port <= 5402
+  event "BACKDOOR BackConstruction 2.1 Connection"
+  tcp-state established,responder
+  payload /.*c\x3A\x5C/
+}
+
+signature s2b-153-5 {
+  ip-proto == tcp
+  src-port == 23476
+  event "BACKDOOR DonaldDick 1.53 Traffic"
+  tcp-state established,responder
+  payload /.*pINg/
+}
+
+signature s2b-155-5 {
+  ip-proto == tcp
+  src-port >= 30100
+  src-port <= 30102
+  event "BACKDOOR NetSphere 1.31.337 access"
+  tcp-state established,responder
+  payload /.*NetSphere/
+}
+
+signature s2b-157-5 {
+  ip-proto == tcp
+  dst-port == 666
+  event "BACKDOOR BackConstruction 2.1 Client FTP Open Request"
+  tcp-state established,originator
+  payload /.*FTPON/
+}
+
+signature s2b-158-5 {
+  ip-proto == tcp
+  src-port == 666
+  event "BACKDOOR BackConstruction 2.1 Server FTP Open Reply"
+  tcp-state established,responder
+  payload /.*FTP Port open/
+}
+
+signature s2b-159-6 {
+  ip-proto == tcp
+  dst-port == 5032
+  dst-ip == local_nets
+  event "BACKDOOR NetMetro File List"
+  tcp-state established,originator
+  payload /.*--/
+}
+
+signature s2b-161-4 {
+  ip-proto == udp
+  src-port == 3344
+  dst-port == 3345
+  event "BACKDOOR Matrix 2.0 Client connect"
+  payload /.*activate/
+}
+
+signature s2b-162-4 {
+  ip-proto == udp
+  src-port == 3345
+  dst-port == 3344
+  event "BACKDOOR Matrix 2.0 Server access"
+  payload /.*logged in/
+}
+
+signature s2b-163-8 {
+  ip-proto == tcp
+  src-port == 5714
+  header tcp[13:1] & 255 == 18
+  event "BACKDOOR WinCrash 1.0 Server Active"
+  tcp-state stateless
+  payload /.*\xB4\xB4/
+}
+
+signature s2b-185-5 {
+  ip-proto == tcp
+  dst-port == 79
+  event "BACKDOOR CDK"
+  tcp-state established,originator
+  payload /.{0,9}[yY][pP][iI]0[cC][aA]/
+}
+
+signature s2b-208-5 {
+  ip-proto == tcp
+  src-port == 555
+  event "BACKDOOR PhaseZero Server Active on Network"
+  tcp-state established,responder
+  payload /.*phAse/
+}
+
+signature s2b-209-4 {
+  ip-proto == tcp
+  dst-port == 23
+  event "BACKDOOR w00w00 attempt"
+  tcp-state established,originator
+  payload /.*w00w00/
+}
+
+signature s2b-210-3 {
+  ip-proto == tcp
+  dst-port == 23
+  event "BACKDOOR attempt"
+  tcp-state established,originator
+  payload /.*[bB][aA][cC][kK][dD][oO][oO][rR]/
+}
+
+signature s2b-211-3 {
+  ip-proto == tcp
+  dst-port == 23
+  event "BACKDOOR MISC r00t attempt"
+  tcp-state established,originator
+  payload /.*r00t/
+}
+
+signature s2b-212-3 {
+  ip-proto == tcp
+  dst-port == 23
+  event "BACKDOOR MISC rewt attempt"
+  tcp-state established,originator
+  payload /.*rewt/
+}
+
+signature s2b-213-4 {
+  ip-proto == tcp
+  dst-port == 23
+  event "BACKDOOR MISC Linux rootkit attempt"
+  tcp-state established,originator
+  payload /.*wh00t!/
+}
+
+signature s2b-214-4 {
+  ip-proto == tcp
+  dst-port == 23
+  event "BACKDOOR MISC Linux rootkit attempt lrkr0x"
+  tcp-state established,originator
+  payload /.*lrkr0x/
+}
+
+signature s2b-215-4 {
+  ip-proto == tcp
+  dst-port == 23
+  event "BACKDOOR MISC Linux rootkit attempt"
+  tcp-state established,originator
+  payload /.*[dD]13[hH][hH]\[/
+}
+
+signature s2b-216-6 {
+  ip-proto == tcp
+  dst-port == 23
+  event "BACKDOOR MISC Linux rootkit satori attempt"
+  tcp-state established,originator
+  payload /.*satori/
+}
+
+signature s2b-217-3 {
+  ip-proto == tcp
+  dst-port == 23
+  event "BACKDOOR MISC sm4ck attempt"
+  tcp-state established,originator
+  payload /.*hax0r/
+}
+
+signature s2b-219-6 {
+  ip-proto == tcp
+  dst-port == 23
+  event "BACKDOOR HidePak backdoor attempt"
+  tcp-state established,originator
+  payload /.*StoogR/
+}
+
+signature s2b-614-7 {
+  ip-proto == tcp
+  src-port == 31790
+  dst-port == 31789
+  header tcp[13:1] & 255 == 16
+  event "BACKDOOR hack-a-tack attempt"
+  tcp-state stateless
+  payload /A/
+}
+
+signature s2b-1853-6 {
+  ip-proto == udp
+  dst-port == 35555
+  event "BACKDOOR win-trin00 connection attempt"
+  payload /png \[\]\.\.Ks l44/
+}
+
+signature s2b-1843-6 {
+  ip-proto == tcp
+  dst-port == 33270
+  event "BACKDOOR trinity connection attempt"
+  tcp-state established,originator
+  payload /!@\x23/
+}
+
+signature s2b-2100-2 {
+  ip-proto == tcp
+  event "BACKDOOR SubSeven 2.1 Gold server connection response"
+  tcp-state established,responder
+  payload /connected\. time\/date\x3A .{1}.*version\x3A GOLD 2\.1/
+}
+
+signature s2b-2124-3 {
+  ip-proto == tcp
+  dst-port == 34012
+  event "BACKDOOR Remote PC Access connection attempt"
+  tcp-state established,originator
+  payload /\x28\x00\x01\x00\x04\x00\x00\x00\x00\x00\x00\x00/
+}
+
+signature s2b-2271-2 {
+  ip-proto == tcp
+  event "BACKDOOR FsSniffer connection attempt"
+  tcp-state established,originator
+  payload /.*RemoteNC Control Password\x3A/
+}
+
+signature s2b-2375-3 {
+  ip-proto == tcp
+  dst-port >= 3127
+  dst-port <= 3199
+  event "BACKDOOR DoomJuice file upload attempt"
+  tcp-state established,originator
+  payload /^\x85\x13<\x9E\xA2/
+}
+
+signature s2b-542-10 {
+  ip-proto == tcp
+  dst-port >= 6666
+  dst-port <= 7000
+  event "CHAT IRC nick change"
+  tcp-state established,originator
+  payload /.*NICK /
+}
+
+signature s2b-1639-6 {
+  ip-proto == tcp
+  dst-port >= 6666
+  dst-port <= 7000
+  event "CHAT IRC DCC file transfer request"
+  tcp-state established,originator
+  payload /.*[pP][rR][iI][vV][mM][sS][gG] /
+  payload /.* \x3A\.[dD][cC][cC] [sS][eE][nN][dD]/
+}
+
+signature s2b-1640-6 {
+  ip-proto == tcp
+  dst-port >= 6666
+  dst-port <= 7000
+  event "CHAT IRC DCC chat request"
+  tcp-state established,originator
+  payload /.*[pP][rR][iI][vV][mM][sS][gG] /
+  payload /.* \x3A\.[dD][cC][cC] [cC][hH][aA][tT] [cC][hH][aA][tT]/
+}
+
+signature s2b-1729-5 {
+  ip-proto == tcp
+  dst-port >= 6666
+  dst-port <= 7000
+  event "CHAT IRC channel join"
+  tcp-state established,originator
+  payload /.*[jJ][oO][iI][nN] \x3A \x23/
+}
+
+signature s2b-1463-6 {
+  ip-proto == tcp
+  src-port >= 6666
+  src-port <= 7000
+  event "CHAT IRC message"
+  tcp-state established
+  payload /.*[pP][rR][iI][vV][mM][sS][gG] /
+}
+
+signature s2b-1789-3 {
+  ip-proto == tcp
+  dst-port >= 6666
+  dst-port <= 7000
+  event "CHAT IRC dns request"
+  tcp-state established,originator
+  payload /.*[uU][sS][eE][rR][hH][oO][sS][tT] /
+}
+
+signature s2b-1790-4 {
+  ip-proto == tcp
+  src-port >= 6666
+  src-port <= 7000
+  event "CHAT IRC dns response"
+  tcp-state established,responder
+  payload /.*\x3A/
+  payload /.* 302 /
+  payload /.*=\+/
+}
+
+signature s2b-221-3 {
+  ip-proto == icmp
+  header icmp[0:1] == 8
+  event "DDOS TFN Probe"
+  header ip[4:2] == 678
+  payload /.*1234/
+}
+
+signature s2b-222-2 {
+  ip-proto == icmp
+  header icmp[0:1] == 0
+  event "DDOS tfn2k icmp possible communication"
+  header icmp[0:1] == 0,8
+  header icmp[4:2] == 0
+  payload /.*AAAAAAAAAA/
+}
+
+signature s2b-223-3 {
+  ip-proto == udp
+  dst-port == 31335
+  event "DDOS Trin00 Daemon to Master PONG message detected"
+  payload /.*PONG/
+}
+
+signature s2b-228-3 {
+  ip-proto == icmp
+  header icmp[0:1] == 0
+  header icmp[0:1] == 0,8
+  header icmp[6:2] == 0
+  event "DDOS TFN client command BE"
+  header icmp[0:1] == 0,8
+  header icmp[4:2] == 456
+}
+
+signature s2b-230-5 {
+  ip-proto == tcp
+  src-port == 20432
+  event "DDOS shaft client login to handler"
+  tcp-state established,responder
+  payload /.*login\x3A/
+}
+
+signature s2b-239-2 {
+  ip-proto == udp
+  dst-port == 18753
+  event "DDOS shaft handler to agent"
+  payload /.*alive tijgu/
+}
+
+signature s2b-240-2 {
+  ip-proto == udp
+  dst-port == 20433
+  event "DDOS shaft agent to handler"
+  payload /.*alive/
+}
+
+signature s2b-241-7 {
+  ip-proto == tcp
+  header tcp[13:1] & 255 == 2
+  header tcp[4:4] == 674711609
+  event "DDOS shaft synflood"
+  tcp-state stateless
+}
+
+signature s2b-231-3 {
+  ip-proto == udp
+  dst-port == 31335
+  event "DDOS Trin00 Daemon to Master message detected"
+  payload /.*l44/
+}
+
+signature s2b-232-5 {
+  ip-proto == udp
+  dst-port == 31335
+  event "DDOS Trin00 Daemon to Master *HELLO* message detected"
+  payload /.*\*HELLO\*/
+}
+
+signature s2b-233-3 {
+  ip-proto == tcp
+  dst-port == 27665
+  event "DDOS Trin00 Attacker to Master default startup password"
+  tcp-state established,originator
+  payload /.*betaalmostdone/
+}
+
+signature s2b-234-2 {
+  ip-proto == tcp
+  dst-port == 27665
+  event "DDOS Trin00 Attacker to Master default password"
+  tcp-state established,originator
+  payload /.*gOrave/
+}
+
+signature s2b-235-2 {
+  ip-proto == tcp
+  dst-port == 27665
+  event "DDOS Trin00 Attacker to Master default mdie password"
+  tcp-state established,originator
+  payload /.*killme/
+}
+
+signature s2b-237-2 {
+  ip-proto == udp
+  dst-port == 27444
+  event "DDOS Trin00 Master to Daemon default password attempt"
+  payload /.*l44adsl/
+}
+
+signature s2b-243-2 {
+  ip-proto == udp
+  dst-port == 6838
+  event "DDOS mstream agent to handler"
+  payload /.*newserver/
+}
+
+signature s2b-244-3 {
+  ip-proto == udp
+  dst-port == 10498
+  event "DDOS mstream handler to agent"
+  payload /.*stream\//
+}
+
+signature s2b-245-3 {
+  ip-proto == udp
+  dst-port == 10498
+  event "DDOS mstream handler ping to agent"
+  payload /.*ping/
+}
+
+signature s2b-246-2 {
+  ip-proto == udp
+  dst-port == 10498
+  event "DDOS mstream agent pong to handler"
+  payload /.*pong/
+}
+
+signature s2b-247-4 {
+  ip-proto == tcp
+  dst-port == 12754
+  event "DDOS mstream client to handler"
+  tcp-state established,originator
+  payload /.*>/
+}
+
+signature s2b-249-7 {
+  ip-proto == tcp
+  dst-port == 15104
+  header tcp[13:1] & 255 == 2
+  event "DDOS mstream client to handler"
+  tcp-state stateless
+}
+
+signature s2b-250-4 {
+  ip-proto == tcp
+  src-port == 15104
+  event "DDOS mstream handler to client"
+  tcp-state established,responder
+  payload /.*>/
+}
+
+signature s2b-251-3 {
+  ip-proto == icmp
+  header icmp[0:1] == 0
+  header icmp[0:1] == 0,8
+  header icmp[6:2] == 0
+  event "DDOS - TFN client command LE"
+  header icmp[0:1] == 0,8
+  header icmp[4:2] == 51201
+}
+
+signature s2b-224-3 {
+  ip-proto == icmp
+  src-ip == 3.3.3.3/32
+  header icmp[0:1] == 0
+  event "DDOS Stacheldraht server spoof"
+  header icmp[0:1] == 0,8
+  header icmp[4:2] == 666
+}
+
+signature s2b-225-6 {
+  ip-proto == icmp
+  header icmp[0:1] == 0
+  event "DDOS Stacheldraht gag server response"
+  header icmp[0:1] == 0,8
+  header icmp[4:2] == 669
+  payload /.*sicken/
+}
+
+signature s2b-226-6 {
+  ip-proto == icmp
+  header icmp[0:1] == 0
+  event "DDOS Stacheldraht server response"
+  header icmp[0:1] == 0,8
+  header icmp[4:2] == 667
+  payload /.*ficken/
+}
+
+signature s2b-227-6 {
+  ip-proto == icmp
+  header icmp[0:1] == 0
+  event "DDOS Stacheldraht client spoofworks"
+  header icmp[0:1] == 0,8
+  header icmp[4:2] == 1000
+  payload /.*spoofworks/
+}
+
+signature s2b-236-6 {
+  ip-proto == icmp
+  header icmp[0:1] == 0
+  event "DDOS Stacheldraht client check gag"
+  header icmp[0:1] == 0,8
+  header icmp[4:2] == 668
+  payload /.*gesundheit!/
+}
+
+signature s2b-229-5 {
+  ip-proto == icmp
+  header icmp[0:1] == 0
+  event "DDOS Stacheldraht client check skillz"
+  header icmp[0:1] == 0,8
+  header icmp[4:2] == 666
+  payload /.*skillz/
+}
+
+signature s2b-1854-7 {
+  ip-proto == icmp
+  header icmp[0:1] == 0
+  event "DDOS Stacheldraht handler->agent niggahbitch"
+  header icmp[0:1] == 0,8
+  header icmp[4:2] == 9015
+  payload /.*niggahbitch/
+}
+
+signature s2b-1855-7 {
+  ip-proto == icmp
+  header icmp[0:1] == 0
+  event "DDOS Stacheldraht agent->handler skillz"
+  header icmp[0:1] == 0,8
+  header icmp[4:2] == 6666
+  payload /.*skillz/
+}
+
+signature s2b-1856-7 {
+  ip-proto == icmp
+  header icmp[0:1] == 0
+  event "DDOS Stacheldraht handler->agent ficken"
+  header icmp[0:1] == 0,8
+  header icmp[4:2] == 6667
+  payload /.*ficken/
+}
+
+signature s2b-255-11 {
+  ip-proto == tcp
+  dst-port == 53
+  event "DNS zone transfer TCP"
+  tcp-state established,originator
+  payload /.{14}.*\x00\x00\xFC/
+}
+
+signature s2b-1948-4 {
+  ip-proto == udp
+  dst-port == 53
+  event "DNS zone transfer UDP"
+  payload /.{13}.*\x00\x00\xFC/
+}
+
+signature s2b-1435-6 {
+  ip-proto == tcp
+  dst-port == 53
+  event "DNS named authors attempt"
+  tcp-state established,originator
+  payload /.{11}.*\x07[aA][uU][tT][hH][oO][rR][sS]/
+  payload /.{11}.*\x04[bB][iI][nN][dD]/
+}
+
+signature s2b-256-5 {
+  ip-proto == udp
+  dst-port == 53
+  event "DNS named authors attempt"
+  payload /.{11}.*\x07[aA][uU][tT][hH][oO][rR][sS]/
+  payload /.{11}.*\x04[bB][iI][nN][dD]/
+}
+
+signature s2b-257-8 {
+  ip-proto == tcp
+  dst-port == 53
+  event "DNS named version attempt"
+  tcp-state established,originator
+  payload /.{11}.*\x07[vV][eE][rR][sS][iI][oO][nN]/
+  payload /.{11}.*\x04[bB][iI][nN][dD]/
+}
+
+signature s2b-253-4 {
+  ip-proto == udp
+  src-port == 53
+  event "DNS SPOOF query response PTR with TTL of 1 min. and no authority"
+  payload /.*\x85\x80\x00\x01\x00\x01\x00\x00\x00\x00/
+  payload /.*\xC0\x0C\x00\x0C\x00\x01\x00\x00\x00<\x00\x0F/
+}
+
+signature s2b-254-4 {
+  ip-proto == udp
+  src-port == 53
+  event "DNS SPOOF query response with TTL of 1 min. and no authority"
+  payload /.*\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00/
+  payload /.*\xC0\x0C\x00\x01\x00\x01\x00\x00\x00<\x00\x04/
+}
+
+signature s2b-303-11 {
+  ip-proto == tcp
+  dst-port == 53
+  event "DNS EXPLOIT named tsig overflow attempt"
+  tcp-state established,originator
+  payload /.*\xAB\xCD\x09\x80\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x01\x00\x01    \x02a/
+}
+
+signature s2b-314-9 {
+  ip-proto == udp
+  dst-port == 53
+  event "DNS EXPLOIT named tsig overflow attempt"
+  payload /.*\x80\x00\x07\x00\x00\x00\x00\x00\x01\?\x00\x01\x02/
+}
+
+signature s2b-259-7 {
+  ip-proto == tcp
+  dst-port == 53
+  event "DNS EXPLOIT named overflow ADM"
+  tcp-state established,originator
+  payload /.*thisissometempspaceforthesockinaddrinyeahyeahiknowthisislamebutanywaywhocareshorizongotitworkingsoalliscool/
+}
+
+signature s2b-260-9 {
+  ip-proto == tcp
+  dst-port == 53
+  event "DNS EXPLOIT named overflow ADMROCKS"
+  tcp-state established,originator
+  payload /.*ADMROCKS/
+}
+
+signature s2b-261-6 {
+  ip-proto == tcp
+  dst-port == 53
+  event "DNS EXPLOIT named overflow attempt"
+  tcp-state established,originator
+  payload /.*\xCD\x80\xE8\xD7\xFF\xFF\xFF\/bin\/sh/
+}
+
+signature s2b-262-6 {
+  ip-proto == tcp
+  dst-port == 53
+  event "DNS EXPLOIT x86 Linux overflow attempt"
+  tcp-state established,originator
+  payload /.*1\xC0\xB0\?1\xDB\xB3\xFF1\xC9\xCD\x801\xC0/
+}
+
+signature s2b-264-6 {
+  ip-proto == tcp
+  dst-port == 53
+  event "DNS EXPLOIT x86 Linux overflow attempt"
+  tcp-state established,originator
+  payload /.*1\xC0\xB0\x02\xCD\x80\x85\xC0uL\xEBL\^\xB0/
+}
+
+signature s2b-265-7 {
+  ip-proto == tcp
+  dst-port == 53
+  event "DNS EXPLOIT x86 Linux overflow attempt ADMv2"
+  tcp-state established,originator
+  payload /.*\x89\xF7\x29\xC7\x89\xF3\x89\xF9\x89\xF2\xAC<\xFE/
+}
+
+signature s2b-266-6 {
+  ip-proto == tcp
+  dst-port == 53
+  event "DNS EXPLOIT x86 FreeBSD overflow attempt"
+  tcp-state established,originator
+  payload /.*\xEBn\^\xC6\x06\x9A1\xC9\x89N\x01\xC6F\x05/
+}
+
+signature s2b-267-5 {
+  ip-proto == tcp
+  dst-port == 53
+  event "DNS EXPLOIT sparc overflow attempt"
+  tcp-state established,originator
+  payload /.*\x90\x1A\xC0\x0F\x90\x02 \x08\x92\x02 \x0F\xD0\x23\xBF\xF8/
+}
+
+signature s2b-268-4 {
+  payload-size == 408
+  event "DOS Jolt attack"
+  header ip[6:1] & 224 == 32
+}
+
+signature s2b-270-6 {
+  ip-proto == udp
+  event "DOS Teardrop attack"
+  header ip[6:1] & 224 == 32
+  header ip[4:2] == 242
+}
+
+signature s2b-271-4 {
+  ip-proto == udp
+  src-port == 7
+  dst-port == 19
+  event "DOS UDP echo+chargen bomb"
+}
+
+signature s2b-272-7 {
+  header ip[9:1] == 2
+  event "DOS IGMP dos attack"
+  header ip[6:1] & 224 == 32
+  payload /\x02\x00/
+}
+
+signature s2b-273-7 {
+  header ip[9:1] == 2
+  event "DOS IGMP dos attack"
+  header ip[6:1] & 224 == 32
+  payload /\x00\x00/
+}
+
+signature s2b-274-5 {
+  ip-proto == icmp
+  header icmp[0:1] == 8
+  event "DOS ath"
+  payload /.*\+\+\+[aA][tT][hH]/
+}
+
+signature s2b-275-10 {
+  ip-proto == tcp
+  header tcp[13:1] & 255 == 2
+  header tcp[4:4] == 6060842
+  event "DOS NAPTHA"
+  tcp-state stateless
+  header ip[4:2] == 413
+}
+
+signature s2b-276-5 {
+  ip-proto == tcp
+  dst-port == 7070
+  event "DOS Real Audio Server"
+  tcp-state established,originator
+  payload /.*\xFF\xF4\xFF\xFD\x06/
+}
+
+signature s2b-278-5 {
+  ip-proto == tcp
+  dst-port == 8080
+  event "DOS Real Server template.html"
+  tcp-state established,originator
+  payload /.*\/[vV][iI][eE][wW][sS][oO][uU][rR][cC][eE]\/[tT][eE][mM][pP][lL][aA][tT][eE]\.[hH][tT][mM][lL]\?/
+}
+
+signature s2b-279-3 {
+  ip-proto == udp
+  dst-port == 161
+  payload-size == 0
+  event "DOS Bay/Nortel Nautica Marlin"
+}
+
+signature s2b-281-5 {
+  ip-proto == udp
+  dst-port == 9
+  event "DOS Ascend Route"
+  payload /.{24}.{0,17}NAMENAME/
+}
+
+signature s2b-282-7 {
+  ip-proto == tcp
+  dst-port == 617
+  payload-size > 1445
+  event "DOS arkiea backup"
+  tcp-state established,originator
+}
+
+signature s2b-1257-8 {
+  ip-proto == tcp
+  dst-port >= 135
+  dst-port <= 139
+  header tcp[13:1] & 255 == 32
+  event "DOS Winnuke attack"
+  tcp-state stateless
+}
+
+signature s2b-1408-8 {
+  ip-proto == tcp
+  dst-port == 3372
+  event "DOS MSDTC attempt"
+  tcp-state established,originator
+  payload-size == 1024
+}
+
+signature s2b-1605-6 {
+  ip-proto == tcp
+  dst-port == 6004
+  dst-ip == local_nets
+  event "DOS iParty DOS attempt"
+  tcp-state established,originator
+  payload /.*\xFF\xFF\xFF\xFF\xFF\xFF/
+}
+
+signature s2b-1641-5 {
+  ip-proto == tcp
+  dst-port >= 6789
+  dst-port <= 6790
+  payload-size == 1
+  event "DOS DB2 dos attempt"
+  tcp-state established,originator
+}
+
+signature s2b-1545-7 {
+  ip-proto == tcp
+  dst-port == 80
+  payload-size == 1
+  event "DOS Cisco attempt"
+  tcp-state established,originator
+  payload /\x13/
+}
+
+signature s2b-2486-5 {
+  ip-proto == udp
+  dst-port == 500
+  # Not supported: byte_test: 2,>,4,30,2,<,8,30
+  event "DOS ISAKMP invalid identification payload attempt"
+  payload /.{15}\x05/
+}
+
+signature s2b-1324-6 {
+  ip-proto == tcp
+  dst-port == 22
+  event "EXPLOIT ssh CRC32 overflow /bin/sh"
+  tcp-state established,originator
+  payload /.*\/bin\/sh/
+}
+
+signature s2b-1326-6 {
+  ip-proto == tcp
+  dst-port == 22
+  event "EXPLOIT ssh CRC32 overflow NOOP"
+  tcp-state established,originator
+  payload /.*\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90/
+}
+
+signature s2b-1327-7 {
+  ip-proto == tcp
+  dst-port == 22
+  event "EXPLOIT ssh CRC32 overflow"
+  tcp-state established,originator
+  payload /\x00\x01W\x00\x00\x00\x18/
+  payload /.{7}\xFF\xFF\xFF\xFF\x00\x00/
+}
+
+signature s2b-283-10 {
+  ip-proto == tcp
+  src-port == 80
+  event "EXPLOIT Netscape 4.7 client overflow"
+  tcp-state established,responder
+  payload /.*3\xC9\xB1\x10\?\xE9\x06Q<\xFAG3\xC0P\xF7\xD0P/
+}
+
+signature s2b-300-7 {
+  ip-proto == tcp
+  dst-port == 2766
+  event "EXPLOIT nlps x86 Solaris overflow"
+  tcp-state established,originator
+  payload /.*\xEB\x23\^3\xC0\x88F\xFA\x89F\xF5\x896/
+}
+
+signature s2b-301-7 {
+  ip-proto == tcp
+  dst-port == 515
+  event "EXPLOIT LPRng overflow"
+  tcp-state established,originator
+  payload /.*C\x07\x89\[\x08\x8DK\x08\x89C\x0C\xB0\x0B\xCD\x801\xC0\xFE\xC0\xCD\x80\xE8\x94\xFF\xFF\xFF\/bin\/sh\x0A/
+}
+
+signature s2b-302-6 {
+  ip-proto == tcp
+  dst-port == 515
+  event "EXPLOIT Redhat 7.0 lprd overflow"
+  tcp-state established,originator
+  payload /.*XXXX%\.172u%300\x24n/
+}
+
+signature s2b-305-9 {
+  ip-proto == tcp
+  dst-port == 8080
+  payload-size > 1000
+  event "EXPLOIT delegate proxy overflow"
+  tcp-state established,originator
+  payload /.*[wW][hH][oO][iI][sS]\x3A\/\//
+}
+
+signature s2b-308-8 {
+  ip-proto == tcp
+  src-port == 21
+  event "EXPLOIT NextFTP client overflow"
+  tcp-state established,responder
+  payload /.*\xB4 \xB4!\x8B\xCC\x83\xE9\x04\x8B\x193\xC9f\xB9\x10/
+}
+
+signature s2b-309-9 {
+  ip-proto == tcp
+  dst-port == 25
+  payload-size > 512
+  header tcp[13:1] & 255 == 16
+  event "EXPLOIT sniffit overflow"
+  tcp-state stateless
+  payload /.*[fF][rR][oO][mM]\x3A\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90/
+}
+
+signature s2b-310-8 {
+  ip-proto == tcp
+  dst-port == 25
+  event "EXPLOIT x86 windows MailMax overflow"
+  tcp-state established,originator
+  payload /.*\xEBE\xEB \[\xFC3\xC9\xB1\x82\x8B\xF3\x80\+/
+}
+
+signature s2b-311-11 {
+  ip-proto == tcp
+  dst-port == 80
+  event "EXPLOIT Netscape 4.7 unsucessful overflow"
+  tcp-state established,originator
+  payload /.*3\xC9\xB1\x10\?\xE9\x06Q<\xFAG3\xC0P\xF7\xD0P/
+}
+
+signature s2b-313-4 {
+  ip-proto == udp
+  dst-port == 518
+  event "EXPLOIT ntalkd x86 Linux overflow"
+  payload /.*\x01\x03\x00\x00\x00\x00\x00\x01\x00\x02\x02\xE8/
+}
+
+signature s2b-315-6 {
+  ip-proto == udp
+  dst-port == 635
+  event "EXPLOIT x86 Linux mountd overflow"
+  payload /.*\^\xB0\x02\x89\x06\xFE\xC8\x89F\x04\xB0\x06\x89F/
+}
+
+signature s2b-316-6 {
+  ip-proto == udp
+  dst-port == 635
+  event "EXPLOIT x86 Linux mountd overflow"
+  payload /.*\xEBV\^VVV1\xD2\x88V\x0B\x88V\x1E/
+}
+
+signature s2b-317-6 {
+  ip-proto == udp
+  dst-port == 635
+  event "EXPLOIT x86 Linux mountd overflow"
+  payload /.*\xEB@\^1\xC0@\x89F\x04\x89\xC3@\x89\x06/
+}
+
+signature s2b-1240-5 {
+  ip-proto == tcp
+  dst-port == 2224
+  event "EXPLOIT MDBMS overflow"
+  tcp-state established,originator
+  payload /.*\x011\xDB\xCD\x80\xE8\[\xFF\xFF\xFF/
+}
+
+signature s2b-1261-10 {
+  ip-proto == tcp
+  dst-port == 4242
+  payload-size > 1000
+  event "EXPLOIT AIX pdnsd overflow"
+  tcp-state established,originator
+  payload /.*\x7F\xFF\xFBx\x7F\xFF\xFBx\x7F\xFF\xFBx\x7F\xFF\xFBx/
+  payload /.*@\x8A\xFF\xC8@\x82\xFF\xD8\x3B6\xFE\x03\x3Bv\xFE\x02/
+}
+
+signature s2b-1398-10 {
+  ip-proto == tcp
+  dst-port == 6112
+  event "EXPLOIT CDE dtspcd exploit attempt"
+  tcp-state established,originator
+  payload /.{9}1/
+  payload /.{10}<willnevermatch>/
+}
+
+signature s2b-1751-5 {
+  ip-proto == tcp
+  dst-port >= 32772
+  dst-port <= 34000
+  payload-size > 720
+  event "EXPLOIT cachefsd buffer overflow attempt"
+  tcp-state established,originator
+  payload /.*\x00\x01\x87\x86\x00\x00\x00\x01\x00\x00\x00\x05/
+}
+
+signature s2b-1894-8 {
+  ip-proto == tcp
+  dst-port == 749
+  event "EXPLOIT kadmind buffer overflow attempt"
+  tcp-state established,originator
+  payload /.*\x00\xC0\x05\x08\x00\xC0\x05\x08\x00\xC0\x05\x08\x00\xC0\x05\x08/
+}
+
+signature s2b-1895-8 {
+  ip-proto == tcp
+  dst-port == 751
+  event "EXPLOIT kadmind buffer overflow attempt"
+  tcp-state established,originator
+  payload /.*\x00\xC0\x05\x08\x00\xC0\x05\x08\x00\xC0\x05\x08\x00\xC0\x05\x08/
+}
+
+signature s2b-1896-8 {
+  ip-proto == tcp
+  dst-port == 749
+  event "EXPLOIT kadmind buffer overflow attempt"
+  tcp-state established,originator
+  payload /.*\xFF\xFFKADM0\.0A\x00\x00\xFB\x03/
+}
+
+signature s2b-1897-8 {
+  ip-proto == tcp
+  dst-port == 751
+  event "EXPLOIT kadmind buffer overflow attempt"
+  tcp-state established,originator
+  payload /.*\xFF\xFFKADM0\.0A\x00\x00\xFB\x03/
+}
+
+signature s2b-1898-8 {
+  ip-proto == tcp
+  dst-port == 749
+  event "EXPLOIT kadmind buffer overflow attempt"
+  tcp-state established,originator
+  payload /.*\/shh\/\/bi/
+}
+
+signature s2b-1899-8 {
+  ip-proto == tcp
+  dst-port == 751
+  event "EXPLOIT kadmind buffer overflow attempt"
+  tcp-state established,originator
+  payload /.*\/shh\/\/bi/
+}
+
+signature s2b-1812-5 {
+  ip-proto == tcp
+  dst-port == 22
+  event "EXPLOIT gobbles SSH exploit attempt"
+  tcp-state established,originator
+  payload /.*GOBBLES/
+}
+
+signature s2b-1821-7 {
+  ip-proto == tcp
+  dst-port == 515
+  event "EXPLOIT LPD dvips remote command execution attempt"
+  tcp-state established,originator
+  payload /.*psfile=\x22`/
+}
+
+signature s2b-1838-8 {
+  ip-proto == tcp
+  src-port == 22
+  # Not supported: pcre: /^SSH-\s[^\n]{200}/ism
+  event "EXPLOIT SSH server banner overflow"
+  tcp-state established,responder
+  # Not supported: isdataat: 200,relative
+  payload /((^)|(\n+))[sS][sS][hH]-[\x20\x09\x0b][^\n]{200}/
+}
+
+signature s2b-307-9 {
+  ip-proto == tcp
+  dst-port >= 6666
+  dst-port <= 7000
+  event "EXPLOIT CHAT IRC topic overflow"
+  tcp-state established,responder
+  payload /.*\xEBK\[S2\xE4\x83\xC3\x0BK\x88\x23\xB8Pw/
+}
+
+signature s2b-1382-9 {
+  ip-proto == tcp
+  dst-port >= 6666
+  dst-port <= 7000
+  # Not supported: pcre: /^PRIVMSG\s+nickserv\s+IDENTIFY\s[^\n]{100}/smi
+  event "EXPLOIT CHAT IRC Ettercap parse overflow attempt"
+  tcp-state established,originator
+  # Not supported: isdataat: 100,relative
+  payload /((^)|(\n+))[pP][rR][iI][vV][mM][sS][gG][\x20\x09\x0b]+[nN][iI][cC][kK][sS][eE][rR][vV][\x20\x09\x0b]+[iI][dD][eE][nN][tT][iI][fF][yY][\x20\x09\x0b][^\n]{100}/
+}
+
+signature s2b-292-8 {
+  ip-proto == tcp
+  dst-port == 139
+  event "EXPLOIT x86 Linux samba overflow"
+  tcp-state established,originator
+  payload /.*\xEB\/_\xEBJ\^\x89\xFB\x89>\x89\xF2/
+}
+
+signature s2b-2319-1 {
+  ip-proto == tcp
+  dst-port == 1655
+  # Not supported: pcre: /^PASS\s[^\n]{49}/smi
+  event "EXPLOIT ebola PASS overflow attempt"
+  tcp-state established,originator
+  payload /((^)|(\n+))[uU][sS][eE][rR][\x20\x09\x0b][^\n]{49}/
+}
+
+signature s2b-2320-1 {
+  ip-proto == tcp
+  dst-port == 1655
+  # Not supported: pcre: /^USER\s[^\n]{49}/smi
+  event "EXPLOIT ebola USER overflow attempt"
+  tcp-state established,originator
+  payload /((^)|(\n+))[uU][sS][eE][rR][^\x0a]{49}/
+}
+
+signature s2b-2376-3 {
+  ip-proto == udp
+  dst-port == 500
+  # Not supported: byte_test: 4,>,2043,24,2,>,2043,30
+  event "EXPLOIT ISAKMP first payload certificate request length overflow attempt"
+  payload /.{15}\x07/
+}
+
+signature s2b-2377-3 {
+  ip-proto == udp
+  dst-port == 500
+  # Not supported: byte_test: 4,>,2043,24,2,>,2043,-2,relative
+  # Not supported: byte_jump: 2,30
+  event "EXPLOIT ISAKMP second payload certificate request length overflow attempt"
+  payload /.{27}\x07/
+}
+
+signature s2b-2378-3 {
+  ip-proto == udp
+  dst-port == 500
+  # Not supported: byte_test: 4,>,2043,24,2,>,2043,-2,relative
+  # Not supported: byte_jump: 2,30,relative,2,1,relative
+  event "EXPLOIT ISAKMP third payload certificate request length overflow attempt"
+  payload /\x07/
+}
+
+signature s2b-2379-3 {
+  ip-proto == udp
+  dst-port == 500
+  # Not supported: byte_test: 4,>,2043,24,2,>,2043,-2,relative
+  # Not supported: byte_jump: 2,30,relative,2,-2,relative,2,1,relative
+  event "EXPLOIT ISAKMP forth payload certificate request length overflow attempt"
+  payload /\x07/
+}
+
+signature s2b-2380-3 {
+  ip-proto == udp
+  dst-port == 500
+  # Not supported: byte_test: 4,>,2043,24,2,>,2043,-2,relative
+  # Not supported: byte_jump: 2,30,relative,2,-2,relative,2,-2,relative,2,1,relative
+  event "EXPLOIT ISAKMP fifth payload certificate request length overflow attempt"
+  payload /\x07/
+}
+
+signature s2b-2413-7 {
+  ip-proto == udp
+  dst-port == 500
+  event "EXPLOIT ISAKMP delete hash with empty hash attempt"
+  payload /.{15}\x08/
+  payload /.{27}\x0C/
+  payload /.{29}\x00\x04/
+}
+
+signature s2b-2414-7 {
+  ip-proto == udp
+  dst-port == 500
+  event "EXPLOIT ISAKMP initial contact notification without SPI attempt"
+  payload /.{15}\x0B/
+  payload /.{29}\x00\x0C\x00\x00\x00\x01\x01\x00\x06\x02/
+}
+
+signature s2b-2415-7 {
+  ip-proto == udp
+  dst-port == 500
+  # Not supported: byte_jump: 2,30
+  event "EXPLOIT ISAKMP second payload initial contact notification without SPI attempt"
+  payload /.{27}\x0B\x00\x0C\x00\x00\x00\x01\x01\x00`\x02/
+}
+
+signature s2b-2443-4 {
+  ip-proto == udp
+  src-port == 4000
+  # Not supported: byte_test: 1,>,1,12,relative,2,>,128,18,relative,little
+  event "EXPLOIT ICQ SRV_MULTI/SRV_META_USER first name overflow attempt"
+  payload /\x05\x00.{5}\x12\x02.*.*\x05\x00.{5}n\x00/
+  payload /.*\x05\x00.{5}\xDE\x03/
+}
+
+signature s2b-2444-4 {
+  ip-proto == udp
+  src-port == 4000
+  # Not supported: byte_jump: 2,18,relative,little
+  event "EXPLOIT ICQ SRV_MULTI/SRV_META_USER first name overflow attempt"
+  # Not supported: byte_test: 1,>,1,12,relative,2,>,128,0,relative,little
+  payload /\x05\x00.{5}\x12\x02.*.*\x05\x00.{5}n\x00/
+  payload /.*\x05\x00.{5}\xDE\x03/
+}
+
+signature s2b-2445-4 {
+  ip-proto == udp
+  src-port == 4000
+  # Not supported: byte_test: 2,>,128,0,relative,little,1,>,1,12,relative
+  event "EXPLOIT ICQ SRV_MULTI/SRV_META_USER last name overflow attempt"
+  # Not supported: byte_jump: 2,18,relative,little,2,0,relative,little
+  payload /\x05\x00.{5}\x12\x02.*.*\x05\x00.{5}n\x00/
+  payload /.*\x05\x00.{5}\xDE\x03/
+}
+
+signature s2b-2446-4 {
+  ip-proto == udp
+  src-port == 4000
+  # Not supported: byte_jump: 2,0,relative,little,2,18,relative,little,2,0,relative,little
+  event "EXPLOIT ICQ SRV_MULTI/SRV_META_USER email overflow attempt"
+  # Not supported: byte_test: 2,>,128,0,relative,little,1,>,1,12,relative
+  payload /\x05\x00.{5}\x12\x02.*.*\x05\x00.{5}n\x00/
+  payload /.*\x05\x00.{5}\xDE\x03/
+}
+
+signature s2b-2462-6 {
+  # Not supported: byte_test: 1,>,63,0,1,<,67,0,1,>,16,12
+  header ip[9:1] == 2
+  event "EXPLOIT IGMP IGAP account overflow attempt"
+}
+
+signature s2b-2463-6 {
+  # Not supported: byte_test: 1,>,63,0,1,<,67,0,1,>,64,13
+  header ip[9:1] == 2
+  event "EXPLOIT IGMP IGAP message overflow attempt"
+}
+
+signature s2b-2464-6 {
+  # Not supported: byte_test: 1,>,32,44
+  header ip[9:1] == 88
+  event "EXPLOIT EIGRP prefix length overflow attempt"
+}
+
+signature s2b-2489-2 {
+  ip-proto == tcp
+  dst-port == 80
+  event "EXPLOIT esignal STREAMQUOTE buffer overflow attempt"
+  tcp-state established,originator
+  # Not supported: isdataat: 1024,relative
+  payload /.*<[sS][tT][rR][eE][aA][mM][qQ][uU][oO][tT][eE]><willnevermatch>/
+}
+
+signature s2b-2490-3 {
+  ip-proto == tcp
+  dst-port == 80
+  event "EXPLOIT esignal SNAPQUOTE buffer overflow attempt"
+  tcp-state established,originator
+  # Not supported: isdataat: 1024,relative
+  payload /.*<[sS][nN][aA][pP][qQ][uU][oO][tT][eE]><willnevermatch>/
+}
+
+signature s2b-2545-4 {
+  ip-proto == tcp
+  dst-port == 548
+  # Not supported: byte_jump: 2,1,relative,2,1,relative
+  event "EXPLOIT AFP FPLoginExt username buffer overflow attempt"
+  tcp-state established,originator
+  # Not supported: isdataat: 2,relative
+  payload /\x00\x02.{14}\?/
+  payload /.*[cC][lL][eE][aA][rR][tT][xX][tT] [pP][aA][sS][sS][wW][rR][dD]/
+}
+
+signature s2b-2550-2 {
+  ip-proto == tcp
+  src-port == 80
+  event "EXPLOIT winamp XM module name overflow"
+  tcp-state established,responder
+  # Not supported: isdataat: 20,relative
+  payload /.*[eE][xX][tT][eE][nN][dD][eE][dD] [mM][oO][dD][uU][lL][eE]\x3A[^\x1A]{21}/
+}
+
+signature s2b-2551-2 {
+  ip-proto == tcp
+  dst-port >= 7777
+  dst-port <= 7778
+  # Not supported: pcre: /^GET[^s]{432}/sm
+  event "EXPLOIT Oracle Web Cache GET overflow attempt"
+  tcp-state established,originator
+  payload /.*GET/
+  payload /((^)|(\n+))GET[^s]{432}/
+}
+
+signature s2b-2552-2 {
+  ip-proto == tcp
+  dst-port >= 7777
+  dst-port <= 7778
+  # Not supported: pcre: /^HEAD[^s]{432}/sm
+  event "EXPLOIT Oracle Web Cache HEAD overflow attempt"
+  tcp-state established,originator
+  payload /.*HEAD/
+  payload /((^)|(\n+))HEAD[^s]{432}/
+}
+
+signature s2b-2553-2 {
+  ip-proto == tcp
+  dst-port >= 7777
+  dst-port <= 7778
+  # Not supported: pcre: /^PUT[^s]{432}/sm
+  event "EXPLOIT Oracle Web Cache PUT overflow attempt"
+  tcp-state established,originator
+  payload /((^)|(\n+))PUT[^s]{432}/
+}
+
+signature s2b-2554-2 {
+  ip-proto == tcp
+  dst-port >= 7777
+  dst-port <= 7778
+  # Not supported: pcre: /^POST[^s]{432}/sm
+  event "EXPLOIT Oracle Web Cache POST overflow attempt"
+  tcp-state established,originator
+  payload /((^)|(\n+))POST[^s]{432}/
+}
+
+signature s2b-2555-2 {
+  ip-proto == tcp
+  dst-port >= 7777
+  dst-port <= 7778
+  # Not supported: pcre: /^TRACE[^s]{432}/sm
+  event "EXPLOIT Oracle Web Cache TRACE overflow attempt"
+  tcp-state established,originator
+  payload /((^)|(\n+))TRACE[^s]{432}/
+}
+
+signature s2b-2556-2 {
+  ip-proto == tcp
+  dst-port >= 7777
+  dst-port <= 7778
+  # Not supported: pcre: /^DELETE[^s]{432}/sm
+  event "EXPLOIT Oracle Web Cache DELETE overflow attempt"
+  tcp-state established,originator
+  payload /.*DELETE/
+  payload /((^)|(\n+))DELETE[^s]{432}/
+}
+
+signature s2b-2557-2 {
+  ip-proto == tcp
+  dst-port >= 7777
+  dst-port <= 7778
+  # Not supported: pcre: /^LOCK[^s]{432}/sm
+  event "EXPLOIT Oracle Web Cache LOCK overflow attempt"
+  tcp-state established,originator
+  payload /((^)|(\n+))LOCK[^s]{432}/
+}
+
+signature s2b-2558-2 {
+  ip-proto == tcp
+  dst-port >= 7777
+  dst-port <= 7778
+  # Not supported: pcre: /^MKCOL[^s]{432}/sm
+  event "EXPLOIT Oracle Web Cache MKCOL overflow attempt"
+  tcp-state established,originator
+  payload /((^)|(\n+))MKCOL[^s]{432}/
+}
+
+signature s2b-2559-2 {
+  ip-proto == tcp
+  dst-port >= 7777
+  dst-port <= 7778
+  # Not supported: pcre: /^COPY[^s]{432}/sm
+  event "EXPLOIT Oracle Web Cache COPY overflow attempt"
+  tcp-state established,originator
+  payload /((^)|(\n+))COPY[^s]{432}/
+}
+
+signature s2b-2560-2 {
+  ip-proto == tcp
+  dst-port >= 7777
+  dst-port <= 7778
+  # Not supported: pcre: /^MOVE[^s]{432}/sm
+  event "EXPLOIT Oracle Web Cache MOVE overflow attempt"
+  tcp-state established,originator
+  payload /((^)|(\n+))MOVE[^s]{432}/
+}
+
+signature s2b-320-9 {
+  ip-proto == tcp
+  dst-port == 79
+  event "FINGER cmd_rootsh backdoor attempt"
+  tcp-state established,originator
+  payload /.*cmd_rootsh/
+}
+
+signature s2b-321-5 {
+  ip-proto == tcp
+  dst-port == 79
+  event "FINGER account enumeration attempt"
+  tcp-state established,originator
+  payload /.*[aA] [bB] [cC] [dD] [eE] [fF]/
+}
+
+signature s2b-322-10 {
+  ip-proto == tcp
+  dst-port == 79
+  event "FINGER search query"
+  tcp-state established,originator
+  payload /.*search/
+}
+
+signature s2b-323-5 {
+  ip-proto == tcp
+  dst-port == 79
+  event "FINGER root query"
+  tcp-state established,originator
+  payload /.*root/
+}
+
+signature s2b-324-5 {
+  ip-proto == tcp
+  dst-port == 79
+  event "FINGER null request"
+  tcp-state established,originator
+  payload /.*\x00/
+}
+
+signature s2b-326-9 {
+  ip-proto == tcp
+  dst-port == 79
+  event "FINGER remote command execution attempt"
+  tcp-state established,originator
+  payload /.*\x3B/
+}
+
+signature s2b-327-8 {
+  ip-proto == tcp
+  dst-port == 79
+  event "FINGER remote command pipe execution attempt"
+  tcp-state established,originator
+  payload /.*\x7C/
+}
+
+signature s2b-328-8 {
+  ip-proto == tcp
+  dst-port == 79
+  event "FINGER bomb attempt"
+  tcp-state established,originator
+  payload /.*@@/
+}
+
+signature s2b-330-9 {
+  ip-proto == tcp
+  dst-port == 79
+  event "FINGER redirection attempt"
+  tcp-state established,originator
+  payload /.*@/
+}
+
+signature s2b-331-10 {
+  ip-proto == tcp
+  dst-port == 79
+  event "FINGER cybercop query"
+  tcp-state established,originator
+  payload /.{0,4}\x0A     /
+}
+
+signature s2b-332-8 {
+  ip-proto == tcp
+  dst-port == 79
+  event "FINGER 0 query"
+  tcp-state established,originator
+  payload /.*0/
+}
+
+signature s2b-333-8 {
+  ip-proto == tcp
+  dst-port == 79
+  event "FINGER . query"
+  tcp-state established,originator
+  payload /.*\./
+}
+
+signature s2b-1541-4 {
+  ip-proto == tcp
+  dst-port == 79
+  event "FINGER version query"
+  tcp-state established,originator
+  payload /.*version/
+}
+
+signature s2b-2546-1 {
+  ip-proto == tcp
+  dst-port == 21
+  # Not supported: pcre: /^MDTM\s[^\n]{100}/smi
+  event "FTP MDTM overflow attempt"
+  tcp-state established,originator
+  # Not supported: isdataat: 100,relative
+  requires-reverse-signature ! ftp_server_error
+  payload /((^)|(\n+))[mM][dD][tT][mM][\x20\x09\x0b][^\n]{100}/
+}
+
+signature s2b-2373-1 {
+  ip-proto == tcp
+  dst-port == 21
+  # Not supported: pcre: /^XMKD\s[^\n]{100}/smi
+  event "FTP XMKD overflow attempt"
+  tcp-state established,originator
+  # Not supported: isdataat: 100,relative
+  requires-reverse-signature ! ftp_server_error
+  payload /((^)|(\n+))[xXmMkKdD][\x20\x09\x0b][^\n]{100}/
+  eval dataSizeG100
+}
+
+signature s2b-2374-4 {
+  ip-proto == tcp
+  dst-port == 21
+  # Not supported: pcre: /^NLST\s[^\n]{100}/smi
+  event "FTP NLST overflow attempt"
+  tcp-state established,originator
+  # Not supported: isdataat: 100,relative
+  requires-reverse-signature ! ftp_server_error
+  ftp /((^)|(\n+))[nNlLsStT][\x20\x09\x0b][^\n]{100}/
+  eval dataSizeG100
+}
+
+signature s2b-2449-1 {
+  ip-proto == tcp
+  dst-port == 21
+  # Not supported: pcre: /^ALLO\s[^\n]{100}/smi
+  event "FTP ALLO overflow attempt"
+  tcp-state established,originator
+  # Not supported: isdataat: 100,relative
+  requires-reverse-signature ! ftp_server_error
+  payload /((^)|(\n+))[aAlLlLoO][\x20\x09\x0b][^\n]{100}/
+}
+
+signature s2b-2389-4 {
+  ip-proto == tcp
+  dst-port == 21
+  # Not supported: pcre: /^RNTO\s[^\n]{100}/smi
+  event "FTP RNTO overflow attempt"
+  tcp-state established,originator
+  # Not supported: isdataat: 100,relative
+  requires-reverse-signature ! ftp_server_error
+  ftp /((^)|(\n+))[rR][nN][tT][oO][\x20\x09\x0b][^\n]{100}/
+  eval dataSizeG100
+}
+
+signature s2b-2390-4 {
+  ip-proto == tcp
+  dst-port == 21
+  # Not supported: pcre: /^STOU\s[^\n]{100}/smi
+  event "FTP STOU overflow attempt"
+  tcp-state established,originator
+  # Not supported: isdataat: 100,relative
+  requires-reverse-signature ! ftp_server_error
+  payload /((^)|(\n+))[sS][tT][oO][uU][\x20\x09\x0b][^\n]{100}/
+  eval dataSizeG100
+}
+
+signature s2b-2391-4 {
+  ip-proto == tcp
+  dst-port == 21
+  # Not supported: pcre: /^APPE\s[^\n]{100}/smi
+  event "FTP APPE overflow attempt"
+  tcp-state established,originator
+  # Not supported: isdataat: 100,relative
+  requires-reverse-signature ! ftp_server_error
+  payload /((^)|(\n+))[aA][pP][pP][eE][\x20\x09\x0b][^\n]{100}/
+  eval dataSizeG100
+}
+
+signature s2b-2392-4 {
+  ip-proto == tcp
+  dst-port == 21
+  # Not supported: pcre: /^RETR\s[^\n]{100}/smi
+  event "FTP RETR overflow attempt"
+  tcp-state established,originator
+  # Not supported: isdataat: 100,relative
+  requires-reverse-signature ! ftp_server_error
+  ftp /((^)|(\n+))[rR][eE][tT][rR][\x20\x09\x0b][^\n]{100}/
+  eval dataSizeG100
+}
+
+signature s2b-2343-1 {
+  ip-proto == tcp
+  dst-port == 21
+  # Not supported: pcre: /^STOR\s[^\n]{100}/smi
+  event "FTP STOR overflow attempt"
+  tcp-state established,originator
+  # Not supported: isdataat: 100,relative
+  requires-reverse-signature ! ftp_server_error
+  ftp /((^)|(\n+))[sS][tT][oO][rR][\x20\x09\x0b][^\n]{100}/
+  eval dataSizeG100
+}
+
+signature s2b-337-10 {
+  ip-proto == tcp
+  dst-port == 21
+  # Not supported: pcre: /^CEL\s[^\n]{100}/smi
+  event "FTP CEL overflow attempt"
+  tcp-state established,originator
+  # Not supported: isdataat: 100,relative
+  requires-reverse-signature ! ftp_server_error
+  ftp /((^)|(\n+))[cC][eE][lL][\x20\x09\x0b][^\n]{100}/
+  eval dataSizeG100
+}
+
+signature s2b-2344-1 {
+  ip-proto == tcp
+  dst-port == 21
+  # Not supported: pcre: /^XCWD\s[^\n]{100}/smi
+  event "FTP XCWD overflow attempt"
+  tcp-state established,originator
+  # Not supported: isdataat: 100,relative
+  requires-reverse-signature ! ftp_server_error
+  ftp /((^)|(\n+))[xX][cC][wW][dD][\x20\x09\x0b][^\n]{100}/
+  eval dataSizeG100
+}
+
+signature s2b-1919-12 {
+  ip-proto == tcp
+  dst-port == 21
+  # Not supported: pcre: /^CWD\s[^\n]{100}/smi
+  event "FTP CWD overflow attempt"
+  tcp-state established,originator
+  # Not supported: isdataat: 100,relative
+  requires-reverse-signature ! ftp_server_error
+  ftp /((^)|(\n+))[cC][wW][dD][\x20\x09\x0b][^\n]{100}/
+  eval dataSizeG100
+}
+
+signature s2b-1621-10 {
+  ip-proto == tcp
+  dst-port == 21
+  # Not supported: pcre: /^CMD\s[^\n]{100}/smi
+  event "FTP CMD overflow attempt"
+  tcp-state established,originator
+  # Not supported: isdataat: 100,relative
+  requires-reverse-signature ! ftp_server_error
+  ftp /((^)|(\n+))[cC][mM][dD][\x20\x09\x0b][^\n]{100}/
+  eval dataSizeG100
+}
+
+signature s2b-1379-7 {
+  ip-proto == tcp
+  dst-port == 21
+  # Not supported: pcre: /^STAT\s[^\n]{100}/smi
+  event "FTP STAT overflow attempt"
+  tcp-state established,originator
+  # Not supported: isdataat: 100,relative
+  requires-reverse-signature ! ftp_server_error
+  ftp /((^)|(\n+))[sS][tT][aA][tT][\x20\x09\x0b][^\n]{100}/
+  eval dataSizeG100
+}
+
+signature s2b-2340-4 {
+  ip-proto == tcp
+  dst-port == 21
+  # Not supported: pcre: /^SITE\s+CHMOD\s[^\n]{100}/smi
+  event "FTP SITE CHMOD overflow attempt"
+  tcp-state established,originator
+  # Not supported: isdataat: 100,relative
+  requires-reverse-signature ! ftp_server_error
+  ftp /((^)|(\n+))[sS][iI][tT][eE][\x20\x09\x0b]+[cC][hH][mM][oO][dD][\x20\x09\x0b][^\n]{100}/
+  eval dataSizeG100
+}
+
+signature s2b-1562-11 {
+  ip-proto == tcp
+  dst-port == 21
+  # Not supported: pcre: /^SITE\s+CHOWN\s[^\n]{100}/smi
+  event "FTP SITE CHOWN overflow attempt"
+  tcp-state established,originator
+  # Not supported: isdataat: 100,relative
+  requires-reverse-signature ! ftp_server_error
+  ftp /((^)|(\n+))[sS][iI][tT][eE][\x20\x09\x0b]+[cC][hH][oO][wW][nN][\x20\x09\x0b][^\n]{100}/
+  eval dataSizeG100
+}
+
+signature s2b-1920-6 {
+  ip-proto == tcp
+  dst-port == 21
+  # Not supported: pcre: /^SITE\s+NEWER\s[^\n]{100}/smi
+  event "FTP SITE NEWER overflow attempt"
+  tcp-state established,originator
+  # Not supported: isdataat: 100,relative
+  requires-reverse-signature ! ftp_server_error
+  ftp /((^)|(\n+))[sS][iI][tT][eE][\x20\x09\x0b]+[nN][eE][wW][eE][rR][\x20\x09\x0b][^\n]{100}/
+  eval dataSizeG100
+}
+
+signature s2b-1888-8 {
+  ip-proto == tcp
+  dst-port == 21
+  # Not supported: pcre: /^SITE\s+CPWD\s[^\n]{100}/smi
+  event "FTP SITE CPWD overflow attempt"
+  tcp-state established,originator
+  # Not supported: isdataat: 100,relative
+  requires-reverse-signature ! ftp_server_error
+  ftp /((^)|(\n+))[sS][iI][tT][eE][\x20\x09\x0b]+[cC][pP][wW][dD][\x20\x09\x0b][^\n]{100}/
+  eval dataSizeG100
+}
+
+signature s2b-1971-4 {
+  ip-proto == tcp
+  dst-port == 21
+  # Not supported: pcre: /^SITE\s+EXEC\s[^\n]*?%[^\n]*?%/smi
+  event "FTP SITE EXEC format string attempt"
+  tcp-state established,originator
+  requires-reverse-signature ! ftp_server_error
+  ftp /((^)|(\n+))[sS][iI][tT][eE][\x20\x09\x0b]+[eE][xX][eE][cC][\x20\x09\x0b][^\n]*?%[^\n]*?%/
+}
+
+signature s2b-1529-10 {
+  ip-proto == tcp
+  dst-port == 21
+  # Not supported: pcre: /^SITE\s[^\n]{100}/smi
+  event "FTP SITE overflow attempt"
+  tcp-state established,originator
+  # Not supported: isdataat: 100,relative
+  requires-reverse-signature ! ftp_server_error
+  ftp /((^)|(\n+))[sS][iI][tT][eE][\x20\x09\x0b][^\n]{100}/
+  eval dataSizeG100
+}
+
+signature s2b-1734-16 {
+  ip-proto == tcp
+  dst-port == 21
+  # Not supported: pcre: /^USER\s[^\n]{100}/smi
+  event "FTP USER overflow attempt"
+  tcp-state established,originator
+  # Not supported: isdataat: 100,relative
+  requires-reverse-signature ! ftp_server_error
+  ftp /((^)|(\n+))[uU][sS][eE][rR][\x20\x09\x0b][^\n]{100}/
+  eval dataSizeG100
+}
+
+signature s2b-1972-10 {
+  ip-proto == tcp
+  dst-port == 21
+  # Not supported: pcre: /^PASS\s[^\n]{100}/smi
+  event "FTP PASS overflow attempt"
+  tcp-state established,originator
+  # Not supported: isdataat: 100,relative
+  requires-reverse-signature ! ftp_server_error
+  ftp /((^)|(\n+))[pP][aA][sS][sS][\x20\x09\x0b][^\n]{100}/
+  eval dataSizeG100
+}
+
+signature s2b-1942-4 {
+  ip-proto == tcp
+  dst-port == 21
+  # Not supported: pcre: /^RMDIR\s[^\n]{100}/smi
+  event "FTP RMDIR overflow attempt"
+  tcp-state established,originator
+  # Not supported: isdataat: 100,relative
+  requires-reverse-signature ! ftp_server_error
+  ftp /((^)|(\n+))[rR][mM][dD][iI][rR][\x20\x09\x0b][^\n]{100}/
+  eval dataSizeG100
+}
+
+signature s2b-1973-6 {
+  ip-proto == tcp
+  dst-port == 21
+  # Not supported: pcre: /^MKD\s[^\n]{100}/smi
+  event "FTP MKD overflow attempt"
+  tcp-state established,originator
+  # Not supported: isdataat: 100,relative
+  requires-reverse-signature ! ftp_server_error
+  ftp /((^)|(\n+))[mM][kK][dD][\x20\x09\x0b][^\n]{100}/
+  eval dataSizeG100
+}
+
+signature s2b-1974-6 {
+  ip-proto == tcp
+  dst-port == 21
+  # Not supported: pcre: /^REST\s[^\n]{100}/smi
+  event "FTP REST overflow attempt"
+  tcp-state established,originator
+  # Not supported: isdataat: 100,relative
+  requires-reverse-signature ! ftp_server_error
+  ftp /((^)|(\n+))[rR][eE][sS][tT][\x20\x09\x0b][^\n]{100}/
+  eval dataSizeG100
+}
+
+signature s2b-1975-6 {
+  ip-proto == tcp
+  dst-port == 21
+  # Not supported: pcre: /^DELE\s[^\n]{100}/smi
+  event "FTP DELE overflow attempt"
+  tcp-state established,originator
+  # Not supported: isdataat: 100,relative
+  requires-reverse-signature ! ftp_server_error
+  ftp /((^)|(\n+))[dD][eE][lL][eE][\x20\x09\x0b][^\n]{100}/
+  eval dataSizeG100
+}
+
+signature s2b-1976-6 {
+  ip-proto == tcp
+  dst-port == 21
+  # Not supported: pcre: /^RMD\s[^\n]{100}/smi
+  event "FTP RMD overflow attempt"
+  tcp-state established,originator
+  # Not supported: isdataat: 100,relative
+  requires-reverse-signature ! ftp_server_error
+  ftp /((^)|(\n+))[rR][mM][dD][\x20\x09\x0b][^\n]{100}/
+  eval dataSizeG100
+}
+
+signature s2b-1623-6 {
+  ip-proto == tcp
+  dst-port == 21
+  # Not supported: pcre: /^MODE\s+[^ABSC]{1}/msi
+  event "FTP invalid MODE"
+  tcp-state established,originator
+  requires-reverse-signature ! ftp_server_error
+  ftp /((^)|(\n+))[mM][oO][dD][eE][\x20\x09\x0b]+[^aAbBsScC]{1}/
+}
+
+signature s2b-1624-5 {
+  ip-proto == tcp
+  dst-port == 21
+  payload-size == 10
+  event "FTP large PWD command"
+  tcp-state established,originator
+  payload /.*[pP][wW][dD]/
+  requires-reverse-signature ! ftp_server_error
+}
+
+signature s2b-2125-8 {
+  ip-proto == tcp
+  dst-port == 21
+  event "FTP CWD Root directory transversal attempt"
+  tcp-state established,originator
+  payload /.*[cC][wW][dD].{1}.*C\x3A\x5C/
+  requires-reverse-signature ! ftp_server_error
+}
+
+signature s2b-1921-5 {
+  ip-proto == tcp
+  dst-port == 21
+  # Not supported: pcre: /^SITE\s+ZIPCHK\s[^\n]{100}/smi
+  event "FTP SITE ZIPCHK overflow attempt"
+  tcp-state established,originator
+  # Not supported: isdataat: 100,relative
+  requires-reverse-signature ! ftp_server_error
+  ftp /((^)|(\n+))[sS][iI][tT][eE][\x20\x09\x0b]+[zZ][iI][pP][cC][hH][kK][\x20\x09\x0b][^\n]{100}/
+  eval dataSizeG100
+}
+
+signature s2b-1864-7 {
+  ip-proto == tcp
+  dst-port == 21
+  # Not supported: pcre: /^SITE\s+NEWER/smi
+  event "FTP SITE NEWER attempt"
+  tcp-state established,originator
+  requires-reverse-signature ! ftp_server_error
+  ftp /((^)|(\n+))[sS][iI][tT][eE][\x20\x09\x0b]+[nN][eE][wW][eE][rR]/
+}
+
+signature s2b-361-12 {
+  ip-proto == tcp
+  dst-port == 21
+  # Not supported: pcre: /^SITE\s+EXEC/smi
+  event "FTP SITE EXEC attempt"
+  tcp-state established,originator
+  payload /.*[sS][iI][tT][eE].*.*[eE][xX][eE][cC]/
+  requires-reverse-signature ! ftp_server_error
+}
+
+signature s2b-1777-4 {
+  ip-proto == tcp
+  dst-port == 21
+  event "FTP EXPLOIT STAT * dos attempt"
+  tcp-state established,originator
+  payload /.*[sS][tT][aA][tT].{1}.*\*/
+  requires-reverse-signature ! ftp_server_error
+}
+
+signature s2b-1778-4 {
+  ip-proto == tcp
+  dst-port == 21
+  event "FTP EXPLOIT STAT ? dos attempt"
+  tcp-state established,originator
+  payload /.*[sS][tT][aA][tT].{1}.*\?/
+  requires-reverse-signature ! ftp_server_error
+}
+
+signature s2b-362-12 {
+  ip-proto == tcp
+  dst-port == 21
+  event "FTP tar parameters"
+  tcp-state established,originator
+  payload /.* --[uU][sS][eE]-[cC][oO][mM][pP][rR][eE][sS][sS]-[pP][rR][oO][gG][rR][aA][mM] /
+  requires-reverse-signature ! ftp_server_error
+}
+
+signature s2b-336-10 {
+  ip-proto == tcp
+  dst-port == 21
+  # Not supported: pcre: /^CWD\s+~root/smi
+  event "FTP CWD ~root attempt"
+  tcp-state established,originator
+  requires-reverse-signature ! ftp_server_error
+  payload /((^)|(\n+))[cC][wW][dD][\x20\x09\x0b]+~[rR][oO][oO][tT]/
+}
+
+signature s2b-1229-7 {
+  ip-proto == tcp
+  dst-port == 21
+  # Not supported: pcre: /^CWD\s[^\n]*?\.\.\./smi
+  event "FTP CWD ..."
+  tcp-state established,originator
+  requires-reverse-signature ! ftp_server_error
+  payload /((^)|(\n+))[cC][wW][dD][\x20\x09\x0b][^\n]*?\.\.\./
+}
+
+signature s2b-1672-10 {
+  ip-proto == tcp
+  dst-port == 21
+  # Not supported: pcre: /^CWD\s+~/smi
+  event "FTP CWD ~ attempt"
+  tcp-state established,originator
+  requires-reverse-signature ! ftp_server_error
+  ftp /((^)|(\n+))CWD[\x20\x09\x0b]+~/
+}
+
+signature s2b-360-7 {
+  ip-proto == tcp
+  dst-port == 21
+  event "FTP serv-u directory transversal"
+  tcp-state established,originator
+  payload /.*\.%20\./
+  requires-reverse-signature ! ftp_server_error
+}
+
+signature s2b-1378-14 {
+  ip-proto == tcp
+  dst-port == 21
+  event "FTP wu-ftp bad file completion attempt {"
+  tcp-state established,originator
+  ftp /.{2,} ~.?\{/
+}
+
+signature s2b-1992-5 {
+  ip-proto == tcp
+  dst-port == 21
+  event "FTP LIST directory traversal attempt"
+  tcp-state established,originator
+  payload /.*LIST.{1}.*\.\..{1}.*\.\./
+  requires-reverse-signature ! ftp_server_error
+}
+
+signature s2b-334-5 {
+  ip-proto == tcp
+  dst-port == 21
+  event "FTP .forward"
+  tcp-state established,originator
+  payload /.*\.forward/
+  requires-reverse-signature ! ftp_server_error
+}
+
+signature s2b-335-5 {
+  ip-proto == tcp
+  dst-port == 21
+  event "FTP .rhosts"
+  tcp-state established,originator
+  ftp /.*\.rhosts/
+  requires-reverse-signature ! ftp_server_error
+}
+
+signature s2b-1927-2 {
+  ip-proto == tcp
+  dst-port == 21
+  event "FTP authorized_keys"
+  tcp-state established,originator
+  payload /.*authorized_keys/
+  requires-reverse-signature ! ftp_server_error
+}
+
+signature s2b-356-5 {
+  ip-proto == tcp
+  dst-port == 21
+  event "FTP passwd retrieval attempt"
+  tcp-state established,originator
+  payload /.*[rR][eE][tT][rR]/
+  payload /[\x20\x09\x0b\/.]*passwd[\x20\x09\x0b]*$/
+  requires-reverse-signature ! ftp_server_error
+}
+
+signature s2b-1928-3 {
+  ip-proto == tcp
+  dst-port == 21
+  event "FTP shadow retrieval attempt"
+  tcp-state established,originator
+  payload /.*[rR][eE][tT][rR]/
+  payload /.*shadow/
+  requires-signature got_ftp_root
+  requires-reverse-signature ! ftp_server_error
+}
+
+signature s2b-144-9 {
+  ip-proto == tcp
+  dst-port == 21
+  # Not supported: pcre: /^USER\s+w0rm/smi
+  event "FTP ADMw0rm ftp login attempt"
+  tcp-state established,originator
+  payload /.*[uU][sS][eE][rR].{1}.*[wW]0[rR][mM]/
+  requires-reverse-signature ! ftp_server_error
+}
+
+signature s2b-353-6 {
+  ip-proto == tcp
+  dst-port == 21
+  event "FTP adm scan"
+  tcp-state established,originator
+  payload /.*PASS ddd@\x0A/
+  requires-reverse-signature ! ftp_server_error
+}
+
+signature s2b-354-5 {
+  ip-proto == tcp
+  dst-port == 21
+  event "FTP iss scan"
+  tcp-state established,originator
+  payload /.*pass -iss@iss/
+  requires-reverse-signature ! ftp_server_error
+}
+
+signature s2b-355-5 {
+  ip-proto == tcp
+  dst-port == 21
+  event "FTP pass wh00t"
+  tcp-state established,originator
+  payload /.*[pP][aA][sS][sS] [wW][hH]00[tT]/
+  requires-reverse-signature ! ftp_server_error
+}
+
+signature s2b-357-5 {
+  ip-proto == tcp
+  dst-port == 21
+  event "FTP piss scan"
+  tcp-state established,originator
+  payload /.*pass -cklaus/
+  requires-reverse-signature ! ftp_server_error
+}
+
+signature s2b-358-5 {
+  ip-proto == tcp
+  dst-port == 21
+  event "FTP saint scan"
+  tcp-state established,originator
+  payload /.*pass -saint/
+  requires-reverse-signature ! ftp_server_error
+}
+
+signature s2b-359-5 {
+  ip-proto == tcp
+  dst-port == 21
+  event "FTP satan scan"
+  tcp-state established,originator
+  payload /.*pass -satan/
+  requires-reverse-signature ! ftp_server_error
+}
+
+signature s2b-2178-13 {
+  ip-proto == tcp
+  dst-port == 21
+  # Not supported: pcre: /^USER\s[^\n]*?%[^\n]*?%/smi
+  event "FTP USER format string attempt"
+  tcp-state established,originator
+  requires-reverse-signature ! ftp_server_error
+  ftp /((^)|(\n+))[uU][sS][eE][rR][\x20\x09\x0b][^\n]*?%[^\n]*?%/
+}
+
+signature s2b-2179-4 {
+  ip-proto == tcp
+  dst-port == 21
+  # Not supported: pcre: /^PASS\s[^\n]*?%[^\n]*?%/smi
+  event "FTP PASS format string attempt"
+  tcp-state established,originator
+  requires-reverse-signature ! ftp_server_error
+  ftp /((^)|(\n+))[pP][aA][sS][sS]\x20\x09\x0b][^\n]*?%[^\n]*?%/
+}
+
+signature s2b-2332-1 {
+  ip-proto == tcp
+  dst-port == 21
+  # Not supported: pcre: /^MKDIR\s[^\n]*?%[^\n]*?%/smi
+  event "FTP MKDIR format string attempt"
+  tcp-state established,originator
+  requires-reverse-signature ! ftp_server_error
+  ftp /((^)|(\n+))[mM][kK][dD][iI][rR][\x20\x09\x0b][^\n]*?%[^\n]*?%/
+}
+
+signature s2b-2333-1 {
+  ip-proto == tcp
+  dst-port == 21
+  # Not supported: pcre: /^RENAME\s[^\n]*?%[^\n]*?%/smi
+  event "FTP RENAME format string attempt"
+  tcp-state established,originator
+  requires-reverse-signature ! ftp_server_error
+  ftp /((^)|(\n+))[rR][eE][nN][aA][mM][eE][\x20\x09\x0b][^\n]*?%[^\n]*?%/
+}
+
+signature s2b-2338-5 {
+  ip-proto == tcp
+  dst-port == 21
+  # Not supported: pcre: /^LIST\s[^\n]{100,}/smi
+  event "FTP LIST buffer overflow attempt"
+  tcp-state established,originator
+  requires-reverse-signature ! ftp_server_error
+  ftp /((^)|(\n+))[lL][iI][sS][tT][\x20\x09\x0b][^\n]{100,}/
+}
+
+signature s2b-2272-4 {
+  ip-proto == tcp
+  dst-port == 21
+  # Not supported: pcre: /^LIST\s+\x22-W\s+\d+/smi
+  event "FTP LIST integer overflow attempt"
+  tcp-state established,originator
+  requires-reverse-signature ! ftp_server_error
+  ftp /((^)|(\n+))[lL][iI][sS][tT][\x20\x09\x0b]+\x22-W[\x20\x09\x0b]+[0-9]+/
+}
+
+signature s2b-2334-2 {
+  ip-proto == tcp
+  dst-port == 3535
+  # Not supported: pcre: /^USER\s+y049575046/smi
+  event "FTP Yak! FTP server default account login attempt"
+  tcp-state established,originator
+  requires-reverse-signature ! ftp_server_error
+  payload /((^)|(\n+))USER[\x20\x09\x0b]+y049575046/
+}
+
+signature s2b-2335-2 {
+  ip-proto == tcp
+  dst-port == 3535
+  # Not supported: pcre: /^RMD\s+\x2f$/smi
+  event "FTP RMD / attempt"
+  tcp-state established,originator
+  payload /.*[rR][mM][dD]/
+  requires-reverse-signature ! ftp_server_error
+}
+
+signature s2b-2416-1 {
+  ip-proto == tcp
+  dst-port == 21
+  # Not supported: pcre: /^MDTM \d+[-+]\D/smi
+  event "FTP invalid MDTM command attempt"
+  tcp-state established,originator
+  requires-reverse-signature ! ftp_server_error
+  ftp /((^)|(\n+))[mMdDtTmM][0-9]+[-+][^0-9]/
+}
+
+signature s2b-2417-1 {
+  ip-proto == tcp
+  dst-port == 21
+  # Not supported: pcre: /\s+.*?%.*?%/smi
+  event "FTP format string attempt"
+  tcp-state established,originator
+  payload /.*%/
+  ftp /[\x20\x09\x0b]+.*?%.*?%/
+  requires-reverse-signature ! ftp_server_error
+}
+
+signature s2b-2574-1 {
+  ip-proto == tcp
+  dst-port == 21
+  # Not supported: pcre: /^RETR\s[^\n]*?%[^\n]*?%/smi
+  event "FTP RETR format string attempt"
+  tcp-state established,originator
+  requires-reverse-signature ! ftp_server_error
+  ftp /((^)|(\n+))[rR][eE][tT][rR][\x20\x09\x0b][^\n]*?%[^\n]*?%/
+}
+
+signature s2b-377-7 {
+  ip-proto == icmp
+  header icmp[0:1] == 8
+  event "ICMP PING Network Toolbox 3 Windows"
+  payload /.{0,16}================/
+}
+
+signature s2b-465-3 {
+  ip-proto == icmp
+  header icmp[0:1] == 8
+  event "ICMP ISS Pinger"
+  payload /.{0,24}ISSPNGRQ/
+}
+
+signature s2b-467-3 {
+  ip-proto == icmp
+  payload-size == 20
+  header icmp[0:1] == 8
+  header icmp[0:1] == 0,8
+  header icmp[6:2] == 0
+  event "ICMP Nemesis v1.1 Echo"
+  header icmp[0:1] == 0,8
+  header icmp[4:2] == 0
+  payload /\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00/
+}
+
+signature s2b-471-3 {
+  ip-proto == icmp
+  payload-size == 0
+  header icmp[0:1] == 8
+  header icmp[0:1] == 0,8
+  header icmp[6:2] == 0
+  event "ICMP icmpenum v1.1.1"
+  header ip[4:2] == 666
+  header icmp[0:1] == 0,8
+  header icmp[4:2] == 666
+}
+
+signature s2b-472-4 {
+  ip-proto == icmp
+  header icmp[1:1] == 1
+  header icmp[0:1] == 5
+  event "ICMP redirect host"
+}
+
+signature s2b-475-3 {
+  ip-proto == icmp
+  header icmp[0:1] == 0
+  event "ICMP traceroute ipopts"
+  ip-options rr
+}
+
+signature s2b-476-4 {
+  ip-proto == icmp
+  header icmp[1:1] == 0
+  header icmp[0:1] == 8
+  event "ICMP webtrends scanner"
+  payload /.*\x00\x00\x00\x00EEEEEEEEEEEE/
+}
+
+signature s2b-478-3 {
+  ip-proto == icmp
+  payload-size == 4
+  header icmp[0:1] == 8
+  header icmp[0:1] == 0,8
+  header icmp[6:2] == 0
+  event "ICMP Broadscan Smurf Scanner"
+  header icmp[0:1] == 0,8
+  header icmp[4:2] == 0
+}
+
+signature s2b-481-5 {
+  ip-proto == icmp
+  header icmp[0:1] == 8
+  event "ICMP TJPingPro1.1Build 2 Windows"
+  payload /.{0,16}TJPingPro by Jim/
+}
+
+signature s2b-484-4 {
+  ip-proto == icmp
+  header icmp[0:1] == 8
+  event "ICMP PING Sniffer Pro/NetXRay network scan"
+  payload /.{0,13}Cinco Network, Inc\./
+}
+
+signature s2b-1813-5 {
+  ip-proto == icmp
+  event "ICMP digital island bandwidth query"
+  payload /mailto\x3Aops@digisle\.com/
+}
+
+signature s2b-1993-4 {
+  ip-proto == tcp
+  dst-port == 143
+  # Not supported: pcre: /\sLOGIN\s[^\n]*?\s\{/smi
+  # Not supported: byte_test: 5,>,256,0,string,dec,relative
+  event "IMAP login literal buffer overflow attempt"
+  tcp-state established,originator
+  payload /((^)|(\n+))[lL][oO][gG][iI][nN][\x20\x09\x0b][^\n]*?[\x20\x09\x0b]\{/
+}
+
+signature s2b-1842-9 {
+  ip-proto == tcp
+  dst-port == 143
+  # Not supported: pcre: /\sLOGIN\s[^\n]{100}/smi
+  event "IMAP login buffer overflow attempt"
+  tcp-state established,originator
+  # Not supported: isdataat: 100,relative
+  payload /((^)|(\n+))[\x20\x09\x0b]LOGIN[\x20\x09\x0b][^\n]{100}/
+}
+
+signature s2b-2105-4 {
+  ip-proto == tcp
+  dst-port == 143
+  # Not supported: pcre: /\sAUTHENTICATE\s[^\n]*?\s\{/smi
+  # Not supported: byte_test: 5,>,256,0,string,dec,relative
+  event "IMAP authenticate literal overflow attempt"
+  tcp-state established,originator
+  payload /((^)|(\n+))[\x20\x09\x0b][aA][uU][tT][hH][eE][nN][tT][iI][cC][aA][tT][eE][\x20\x09\x0b][^\n]*?[\x20\x09\x0b]\{/
+}
+
+signature s2b-1844-9 {
+  ip-proto == tcp
+  dst-port == 143
+  # Not supported: pcre: /\sAUTHENTICATE\s[^\n]{100}/smi
+  event "IMAP authenticate overflow attempt"
+  tcp-state established,originator
+  # Not supported: isdataat: 100,relative
+  payload /((^)|(\n+))[\x20\x09\x0b][aA][uU][tT][hH][eE][nN][tT][iI][cC][aA][tT][eE][\x20\x09\x0b][^\n]{100}/
+}
+
+signature s2b-1930-3 {
+  ip-proto == tcp
+  dst-port == 143
+  # Not supported: byte_test: 5,>,256,0,string,dec,relative
+  event "IMAP auth literal overflow attempt"
+  tcp-state established,originator
+  payload /.* [aA][uU][tT][hH]/
+  payload /.*\{/
+}
+
+signature s2b-2330-1 {
+  ip-proto == tcp
+  dst-port == 143
+  # Not supported: pcre: /AUTH\s[^\n]{100}/smi
+  event "IMAP auth overflow attempt"
+  tcp-state established,originator
+  payload /((^)|(\n+))[aA][uU][tT][hH][\x20\x09\x0b][^\n]{100}/
+}
+
+signature s2b-1902-9 {
+  ip-proto == tcp
+  dst-port == 143
+  # Not supported: pcre: /\sLSUB\s[^\n]*?\s\{/smi
+  # Not supported: byte_test: 5,>,256,0,string,dec,relative
+  event "IMAP lsub literal overflow attempt"
+  tcp-state established,originator
+  payload /((^)|(\n+))[\x20\x09\x0b][lL][sS][uU][bB][\x20\x09\x0b][^\n]*?[\x20\x09\x0b]\{/
+}
+
+signature s2b-2106-7 {
+  ip-proto == tcp
+  dst-port == 143
+  # Not supported: pcre: /\sLSUB\s[^\n]{100}/smi
+  event "IMAP lsub overflow attempt"
+  tcp-state established,originator
+  # Not supported: isdataat: 100,relative
+  payload /((^)|(\n+))[\x20\x09\x0b][lL][sS][uU][bB][\x20\x09\x0b][^\n]{100}/
+}
+
+signature s2b-1845-15 {
+  ip-proto == tcp
+  dst-port == 143
+  # Not supported: pcre: /\sLIST\s[^\n]*?\s\{/smi
+  # Not supported: byte_test: 5,>,256,0,string,dec,relative
+  event "IMAP list literal overflow attempt"
+  tcp-state established,originator
+  payload /((^)|(\n+))[\x20\x09\x0b][lL][iI][sS][tT][\x20\x09\x0b][^\n]*?[\x20\x09\x0b]\{/
+}
+
+signature s2b-2118-6 {
+  ip-proto == tcp
+  dst-port == 143
+  # Not supported: pcre: /\sLIST\s[^\n]{100}/smi
+  event "IMAP list overflow attempt"
+  tcp-state established,originator
+  # Not supported: isdataat: 100,relative
+  payload /((^)|(\n+))[\x20\x09\x0b][lL][iI][sS][tT][\x20\x09\x0b][^\n]{100}/
+}
+
+signature s2b-2119-5 {
+  ip-proto == tcp
+  dst-port == 143
+  # Not supported: pcre: /\sRENAME\s[^\n]*?\s\{/smi
+  # Not supported: byte_test: 5,>,256,0,string,dec,relative
+  event "IMAP rename literal overflow attempt"
+  tcp-state established,originator
+  payload /((^)|(\n+))[\x20\x09\x0b][rR][eE][nN][aA][mM][eE][\x20\x09\x0b][^\n]*?[\x20\x09\x0b]\{/
+}
+
+signature s2b-1903-8 {
+  ip-proto == tcp
+  dst-port == 143
+  # Not supported: pcre: /\sRENAME\s[^\n]{100}/smi
+  event "IMAP rename overflow attempt"
+  tcp-state established,originator
+  # Not supported: isdataat: 100,relative
+  payload /((^)|(\n+))[\x20\x09\x0b][rR][eE][nN][aA][mM][eE][\x20\x09\x0b][^\n]{100}/
+}
+
+signature s2b-1904-7 {
+  ip-proto == tcp
+  dst-port == 143
+  # Not supported: pcre: /\sFIND\s[^\n]{100}/smi
+  event "IMAP find overflow attempt"
+  tcp-state established,originator
+  # Not supported: isdataat: 100,relative
+  payload /((^)|(\n+))[\x20\x09\x0b][fF][iI][nN][dD][\x20\x09\x0b][^\n]{100}/
+}
+
+signature s2b-1755-14 {
+  ip-proto == tcp
+  dst-port == 143
+  # Not supported: pcre: /\sPARTIAL.*BODY\[[^\]]{1024}/smi
+  event "IMAP partial body buffer overflow attempt"
+  tcp-state established,originator
+  payload /((^)|(\n+))[\x20\x09\x0b][pP][aA][rR][tT][iI][aA][lL].*[bB][oO][dD][yY]\[[^\]]{1024}/
+}
+
+signature s2b-2046-6 {
+  ip-proto == tcp
+  dst-port == 143
+  # Not supported: pcre: /\sPARTIAL.*BODY\.PEEK\[[^\]]{1024}/smi
+  event "IMAP partial body.peek buffer overflow attempt"
+  tcp-state established,originator
+  payload /((^)|(\n+))[\x20\x09\x0b][pP][aA][rR][tT][iI][aA][lL].*[bB][oO][dD][yY]\.[pP][eE][eE][kK]\[[^\]]{1024}/
+}
+
+signature s2b-2107-3 {
+  ip-proto == tcp
+  dst-port == 143
+  # Not supported: pcre: /\sCREATE\s[^\n]{1024}/smi
+  event "IMAP create buffer overflow attempt"
+  tcp-state established,originator
+  # Not supported: isdataat: 1024,relative
+  payload /((^)|(\n+))[\x20\x09\x0b][cC][rR][eE][aA][tT][eE][\x20\x09\x0b][^\n]{1024}/
+}
+
+signature s2b-2120-3 {
+  ip-proto == tcp
+  dst-port == 143
+  # Not supported: pcre: /\sCREATE\s*\{/smi
+  # Not supported: byte_test: 5,>,256,0,string,dec,relative
+  event "IMAP create literal buffer overflow attempt"
+  tcp-state established,originator
+  payload /((^)|(\n+))[\x20\x09\x0b][cC][rR][eE][aA][tT][eE][\x20\x09\x0b][^\n]*?\s\{/
+}
+
+signature s2b-2497-6 {
+  ip-proto == tcp
+  dst-port == 993
+  event "IMAP SSLv3 invalid data version attempt"
+  tcp-state established,originator
+  payload /\x16\x03/
+  payload /.{4}\x01/
+  payload /.{8}[^\x03]*/
+}
+
+signature s2b-2517-10 {
+  ip-proto == tcp
+  dst-port == 993
+  # Not supported: byte_test: 2,>,0,6,2,!,0,8,2,!,16,8,2,>,20,10,2,>,32768,0,relative
+  event "IMAP PCT Client_Hello overflow attempt"
+  tcp-state established,originator
+  payload /.{1}\x01/
+  payload /.{10}\x8F/
+}
+
+signature s2b-2530-3 {
+  ip-proto == tcp
+  src-port == 993
+  # Not supported: flowbits: isset,sslv3.client_hello.request,set,sslv3.server_hello.request,noalert
+  event "IMAP SSLv3 Server_Hello request"
+  tcp-state established,responder
+  payload /\x16\x03/
+  payload /.{4}\x02/
+}
+
+signature s2b-489-7 {
+  ip-proto == tcp
+  dst-port == 21
+  # Not supported: pcre: /^PASS\s*\n/smi
+  event "INFO FTP no password"
+  tcp-state established,originator
+  ftp /((^)|(\n+))[\x20\x09\x0b][pP][aA][sS][sS][\x20\x09\x0b]*\n/
+}
+
+signature s2b-491-8 {
+  ip-proto == tcp
+  src-port == 21
+  # Not supported: pcre: /^530\s+(Login|User)/smi
+  event "INFO FTP Bad login"
+  tcp-state established,responder
+  ftp /((^)|(\n+))530[\x20\x09\x0b]+([lL][oO][gG][iI][nN]|[uU][sS][eE][rR])/
+}
+
+signature s2b-1251-6 {
+  ip-proto == tcp
+  src-port == 23
+  event "INFO TELNET Bad Login"
+  tcp-state established,responder
+  payload /.*[lL][oO][gG][iI][nN] [iI][nN][cC][oO][rR][rR][eE][cC][tT]/
+}
+
+signature s2b-500-4 {
+  event "MISC source route lssr"
+  ip-options lsrr
+}
+
+signature s2b-501-4 {
+  event "MISC source route lssre"
+  ip-options lsrre
+}
+
+signature s2b-502-2 {
+  event "MISC source route ssrr"
+  ip-options ssrr
+}
+
+signature s2b-503-6 {
+  ip-proto == tcp
+  src-port == 20
+  dst-port >= 0
+  dst-port <= 1023
+  header tcp[13:1] & 255 == 2
+  event "MISC Source Port 20 to <1024"
+  tcp-state stateless
+}
+
+signature s2b-504-6 {
+  ip-proto == tcp
+  src-port == 53
+  dst-port >= 0
+  dst-port <= 1023
+  header tcp[13:1] & 255 == 2
+  event "MISC source port 53 to <1024"
+  tcp-state stateless
+}
+
+signature s2b-505-5 {
+  ip-proto == tcp
+  dst-port == 1417
+  event "MISC Insecure TIMBUKTU Password"
+  tcp-state established,originator
+  payload /.{0,13}\x05\x00>/
+}
+
+signature s2b-507-4 {
+  ip-proto == tcp
+  dst-port == 5631
+  event "MISC PCAnywhere Attempted Administrator Login"
+  tcp-state established,originator
+  payload /.*ADMINISTRATOR/
+}
+
+signature s2b-508-7 {
+  ip-proto == tcp
+  dst-port == 70
+  event "MISC gopher proxy"
+  tcp-state established,originator
+  payload /.*[fF][tT][pP]\x3A/
+  payload /.*@\//
+}
+
+signature s2b-512-4 {
+  ip-proto == tcp
+  src-port >= 5631
+  src-port <= 5632
+  event "MISC PCAnywhere Failed Login"
+  tcp-state established,responder
+  payload /.{0,3}Invalid login/
+}
+
+signature s2b-513-10 {
+  ip-proto == tcp
+  src-port == 7161
+  header tcp[13:1] & 255 == 18
+  event "MISC Cisco Catalyst Remote Access"
+  tcp-state stateless
+}
+
+signature s2b-514-5 {
+  ip-proto == tcp
+  dst-port == 27374
+  event "MISC ramen worm"
+  tcp-state established,originator
+  payload /.{0,4}[gG][eE][tT] /
+}
+
+signature s2b-516-3 {
+  ip-proto == udp
+  dst-port == 161
+  event "MISC SNMP NT UserList"
+  payload /.*\+\x06\x10@\x14\xD1\x02\x19/
+}
+
+signature s2b-517-1 {
+  ip-proto == udp
+  dst-port == 177
+  event "MISC xdmcp query"
+  payload /.*\x00\x01\x00\x03\x00\x01\x00/
+}
+
+signature s2b-1867-1 {
+  ip-proto == udp
+  dst-port == 177
+  event "MISC xdmcp info query"
+  payload /.*\x00\x01\x00\x02\x00\x01\x00/
+}
+
+signature s2b-522-2 {
+  header ip[6:1] & 224 == 32
+  payload-size < 25
+  event "MISC Tiny Fragments"
+}
+
+signature s2b-1384-8 {
+  ip-proto == udp
+  dst-port == 1900
+  event "MISC UPnP malformed advertisement"
+  payload /.*[nN][oO][tT][iI][fF][yY] \* /
+}
+
+signature s2b-1388-12 {
+  ip-proto == udp
+  dst-port == 1900
+  # Not supported: pcre: /^Location\:[^\n]{128}/smi
+  event "MISC UPnP Location overflow"
+  payload /((^)|(\n+))[lL][oO][cC][aA][tT][iI][oO][nN]\x3a[^\n]{128}/
+}
+
+signature s2b-1393-12 {
+  ip-proto == tcp
+  event "MISC AIM AddGame attempt"
+  tcp-state established,responder
+  payload /.*[aA][iI][mM]\x3A[aA][dD][dD][gG][aA][mM][eE]\?/
+}
+
+signature s2b-1752-4 {
+  ip-proto == tcp
+  event "MISC AIM AddExternalApp attempt"
+  tcp-state established,responder
+  payload /.*[aA][iI][mM]\x3A[aA][dD][dD][eE][xX][tT][eE][rR][nN][aA][lL][aA][pP][pP]\?/
+}
+
+signature s2b-1636-8 {
+  ip-proto == tcp
+  dst-port == 32000
+  # Not supported: pcre: /^Username\:[^\n]{100}/smi
+  payload-size > 500
+  event "MISC Xtramail Username overflow attempt"
+  tcp-state established,originator
+  # Not supported: isdataat: 100,relative
+  payload /((^)|(\n+))[uU][sS][eE][rR][nN][aA][mM][eE]\:[^\n]{100}/
+}
+
+signature s2b-1887-3 {
+  ip-proto == tcp
+  dst-port == 443
+  event "MISC OpenSSL Worm traffic"
+  tcp-state established,originator
+  payload /.*[tT][eE][rR][mM]=[xX][tT][eE][rR][mM]/
+}
+
+signature s2b-1889-5 {
+  ip-proto == udp
+  src-port == 2002
+  dst-port == 2002
+  event "MISC slapper worm admin traffic"
+  payload /\x00\x00E\x00\x00E\x00\x00@\x00/
+}
+
+signature s2b-1447-11 {
+  ip-proto == tcp
+  dst-port == 3389
+  event "MISC MS Terminal server request RDP"
+  tcp-state established,originator
+  payload /\x03\x00\x00\x0B\x06\xE0\x00\x00\x00\x00\x00/
+}
+
+signature s2b-1448-10 {
+  ip-proto == tcp
+  dst-port == 3389
+  event "MISC MS Terminal server request"
+  tcp-state established,originator
+  payload /\x03\x00\x00/
+  payload /.{4}\xE0\x00\x00\x00\x00\x00/
+}
+
+signature s2b-2418-3 {
+  ip-proto == tcp
+  dst-port == 3389
+  event "MISC MS Terminal Server no encryption session initiation attmept"
+  tcp-state established,originator
+  payload /\x03\x00\x01/
+  payload /.{287}\x00/
+}
+
+signature s2b-1819-5 {
+  ip-proto == tcp
+  dst-port == 2533
+  event "MISC Alcatel PABX 4400 connection attempt"
+  tcp-state established,originator
+  payload /\x00\x01C/
+}
+
+signature s2b-1939-4 {
+  ip-proto == udp
+  dst-port == 67
+  # Not supported: byte_test: 1,>,6,2
+  event "MISC bootp hardware address length overflow"
+  payload /\x01/
+}
+
+signature s2b-1940-3 {
+  ip-proto == udp
+  dst-port == 67
+  # Not supported: byte_test: 1,>,7,1
+  event "MISC bootp invalid hardware type"
+  payload /\x01/
+}
+
+signature s2b-2039-4 {
+  ip-proto == udp
+  dst-port == 67
+  event "MISC bootp hostname format string attempt"
+  payload /\x01.{240}.*\x0C.*.*%.{1}.{0,7}%.{1}.{0,7}%/
+}
+
+signature s2b-1966-2 {
+  ip-proto == udp
+  dst-port == 27155
+  event "MISC GlobalSunTech Access Point Information Disclosure attempt"
+  payload /.*gstsearch/
+}
+
+signature s2b-1987-6 {
+  ip-proto == tcp
+  dst-port == 7100
+  payload-size > 512
+  event "MISC xfs overflow attempt"
+  tcp-state established,originator
+  payload /B\x00\x02/
+}
+
+signature s2b-2041-2 {
+  ip-proto == udp
+  src-port == 49
+  event "MISC xtacacs failed login response"
+  payload /\x80\x02.{4}.*\x02/
+}
+
+signature s2b-2043-2 {
+  ip-proto == udp
+  src-port == 500
+  dst-port == 500
+  event "MISC isakmp login failed"
+  payload /.{16}\x10\x05.{13}\x00\x00\x00\x01\x01\x00\x00\x18/
+}
+
+signature s2b-2048-2 {
+  ip-proto == tcp
+  dst-port == 873
+  # Not supported: byte_test: 2,>,4000,0
+  event "MISC rsyncd overflow attempt"
+  tcp-state originator
+  payload /.{1}\x00\x00/
+}
+
+signature s2b-2008-4 {
+  ip-proto == tcp
+  src-port == 2401
+  event "MISC CVS invalid user authentication response"
+  tcp-state established,responder
+  payload /.*E Fatal error, aborting\./
+  payload /.*\x3A no such user/
+}
+
+signature s2b-2009-2 {
+  ip-proto == tcp
+  src-port == 2401
+  src-ip == local_nets
+  event "MISC CVS invalid repository response"
+  tcp-state established,responder
+  payload /.*error /
+  payload /.*\x3A no such repository/
+  payload /.*I HATE YOU/
+}
+
+signature s2b-2010-4 {
+  ip-proto == tcp
+  src-port == 2401
+  event "MISC CVS double free exploit attempt response"
+  tcp-state established,responder
+  payload /.*free\x28\x29\x3A warning\x3A chunk is already free/
+}
+
+signature s2b-2011-4 {
+  ip-proto == tcp
+  src-port == 2401
+  event "MISC CVS invalid directory response"
+  tcp-state established,responder
+  payload /.*E protocol error\x3A invalid directory syntax in/
+}
+
+signature s2b-2012-2 {
+  ip-proto == tcp
+  src-port == 2401
+  event "MISC CVS missing cvsroot response"
+  tcp-state established,responder
+  payload /.*E protocol error\x3A Root request missing/
+}
+
+signature s2b-2013-2 {
+  ip-proto == tcp
+  src-port == 2401
+  event "MISC CVS invalid module response"
+  tcp-state established,responder
+  payload /.*cvs server\x3A cannot find module.{1}.*error/
+}
+
+signature s2b-2317-4 {
+  ip-proto == tcp
+  src-port == 2401
+  event "MISC CVS non-relative path error response"
+  tcp-state established,responder
+  payload /.*E cvs server\x3A warning\x3A cannot make directory CVS in \//
+}
+
+signature s2b-2318-3 {
+  ip-proto == tcp
+  dst-port == 2401
+  # Not supported: pcre: m?^Argument\s+/?smi,/^Directory/smiR
+  event "MISC CVS non-relative path access attempt"
+  tcp-state established,originator
+  payload /((^)|(\n+))[aA][Rr][Gg][Uu}[Mm][Ee][Nn][Tt][\x20\x09\x0b]]+/
+  payload /.*[Dd][Ii][Rr][Ee][Cc][Tt][Oo][Rr][Yy]/
+}
+
+signature s2b-2159-8 {
+  ip-proto == tcp
+  src-port == 179
+  event "MISC BGP invalid type 0"
+  tcp-state stateless
+  payload /\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF.{2}\x00/
+}
+
+signature s2b-2500-4 {
+  ip-proto == tcp
+  dst-port == 636
+  event "MISC LDAP SSLv3 invalid data version attempt"
+  tcp-state established,originator
+  payload /\x16\x03/
+  payload /.{4}\x01/
+  payload /.{8}[^\x03]*/
+}
+
+signature s2b-2516-10 {
+  ip-proto == tcp
+  dst-port == 639
+  # Not supported: byte_test: 2,>,0,6,2,!,0,8,2,!,16,8,2,>,20,10,2,>,32768,0,relative
+  event "MISC LDAP PCT Client_Hello overflow attempt"
+  tcp-state established,originator
+  payload /.{1}\x01/
+  payload /.{10}\x8F/
+}
+
+signature s2b-2533-5 {
+  ip-proto == tcp
+  src-port == 639
+  # Not supported: flowbits: isset,sslv3.client_hello.request,set,sslv3.server_hello.request,noalert
+  event "MISC LDAP SSLv3 Server_Hello request"
+  tcp-state established,responder
+  payload /\x16\x03/
+  payload /.{4}\x02/
+}
+
+signature s2b-2534-3 {
+  ip-proto == tcp
+  dst-port == 639
+  # Not supported: flowbits: isset,sslv3.server_hello.request
+  event "MISC LDAP SSLv3 invalid Client_Hello attempt"
+  tcp-state established,originator
+  payload /\x16\x03/
+  payload /.{4}\x01/
+}
+
+signature s2b-2547-2 {
+  ip-proto == tcp
+  dst-port == 8000
+  event "MISC HP Web JetAdmin remote file upload attempt"
+  tcp-state established,originator
+  payload /.*\/[pP][lL][uU][gG][iI][nN][sS]\/[hH][pP][jJ][wW][jJ][aA]\/[sS][cC][rR][iI][pP][tT]\/[dD][eE][vV][iI][cC][eE][sS]_[uU][pP][dD][aA][tT][eE]_[pP][rR][iI][nN][tT][eE][rR]_[fF][wW]_[uU][pP][lL][oO][aA][dD]\.[hH][tT][sS]/
+  payload /.*[cC][oO][nN][tT][eE][nN][tT]-[tT][yY][pP][eE]\x3A.*.*[mM][uU][lL][tT][iI][pP][aA][rR][tT]/
+}
+
+signature s2b-2548-1 {
+  ip-proto == tcp
+  dst-port == 8000
+  event "MISC HP Web JetAdmin setinfo access"
+  tcp-state established,originator
+  payload /.*\/[pP][lL][uU][gG][iI][nN][sS]\/[hH][pP][jJ][dD][wW][mM]\/[sS][cC][rR][iI][pP][tT]\/[tT][eE][sS][tT]\/[sS][eE][tT][iI][nN][fF][oO]\.[hH][tT][sS]/
+}
+
+signature s2b-2549-1 {
+  ip-proto == tcp
+  dst-port == 8000
+  event "MISC HP Web JetAdmin file write attempt"
+  tcp-state established,originator
+  payload /.*\/[pP][lL][uU][gG][iI][nN][sS]\/[fF][rR][aA][mM][eE][wW][oO][rR][kK]\/[sS][cC][rR][iI][pP][tT]\/[tT][rR][eE][eE]\.[xX][mM][sS]/
+  payload /.*[wW][rR][iI][tT][eE][tT][oO][fF][iI][lL][eE]/
+}
+
+signature s2b-2561-2 {
+  ip-proto == tcp
+  dst-port == 873
+  # Not supported: pcre: /--backup-dir\s+\x2e\x2e\x2f/
+  event "MISC rsync backup-dir directory traversal attempt"
+  tcp-state established,originator
+  payload /--backup-dir[\x20\x09\x0b]+\x2e\x2e\x2f/
+}
+
+signature s2b-1428-5 {
+  ip-proto == tcp
+  dst-ip == 64.245.58.0/23
+  event "MULTIMEDIA audio galaxy keepalive"
+  tcp-state established
+  payload /E_\x00\x03\x05/
+}
+
+signature s2b-2423-2 {
+  ip-proto == tcp
+  dst-port == http_ports
+  # Not supported: flowbits: set,realplayer.playlist,noalert
+  event "MULTIMEDIA realplayer .rp playlist download attempt"
+  tcp-state established,originator
+  http /((^)|(\n+))[tT][aA][kK][eE][tT][hH][iI][sS].*?[pP][Aa][Tt][Hh]\x3a.*?[\r]{0,1}?\n[\r]{0,1}\n/
+}
+
+signature s2b-1775-2 {
+  ip-proto == tcp
+  dst-port == 3306
+  event "MYSQL root login attempt"
+  tcp-state established,originator
+  payload /.*\x0A\x00\x00\x01\x85\x04\x00\x00\x80root\x00/
+}
+
+signature s2b-1776-2 {
+  ip-proto == tcp
+  dst-port == 3306
+  event "MYSQL show databases attempt"
+  tcp-state established,originator
+  payload /.*\x0F\x00\x00\x00\x03show databases/
+}
+
+signature s2b-537-11 {
+  ip-proto == tcp
+  dst-port == 139
+  # Not supported: byte_test: 1,<,128,6,relative
+  event "NETBIOS SMB IPC$ share access"
+  tcp-state established,originator
+  payload /\x00/
+  payload /.{3}\xFFSMBu.{32}.*[iI][pP][cC]\x24\x00/
+}
+
+signature s2b-538-10 {
+  ip-proto == tcp
+  dst-port == 139
+  # Not supported: byte_test: 1,>,127,6,relative
+  event "NETBIOS SMB IPC$ share unicode access"
+  tcp-state established,originator
+  payload /\x00/
+  payload /.{3}\xFFSMBu.{32}.*[iI]\x00[pP]\x00[cC]\x00\x24\x00\x00/
+}
+
+signature s2b-2465-3 {
+  ip-proto == tcp
+  dst-port == 445
+  # Not supported: byte_test: 1,<,128,6,relative
+  event "NETBIOS SMB-DS IPC$ share access"
+  tcp-state established,originator
+  payload /\x00/
+  payload /.{3}\xFFSMBu.{32}.*[iI][pP][cC]\x24\x00/
+}
+
+signature s2b-2466-3 {
+  ip-proto == tcp
+  dst-port == 445
+  # Not supported: byte_test: 1,>,127,6,relative
+  event "NETBIOS SMB-DS IPC$ share unicode access"
+  tcp-state established,originator
+  payload /\x00/
+  payload /.{3}\xFFSMBu.{32}.*[iI]\x00[pP]\x00[cC]\x00\x24\x00\x00/
+}
+
+signature s2b-536-7 {
+  ip-proto == tcp
+  dst-port == 139
+  # Not supported: byte_test: 1,<,128,6,relative
+  event "NETBIOS SMB D$ share access"
+  tcp-state established,originator
+  payload /\x00/
+  payload /.{3}\xFFSMBu.{32}.*[dD]\x24\x00/
+}
+
+signature s2b-2467-3 {
+  ip-proto == tcp
+  dst-port == 139
+  # Not supported: byte_test: 1,>,127,6,relative
+  event "NETBIOS SMB D$ share unicode access"
+  tcp-state established,originator
+  payload /\x00/
+  payload /.{3}\xFFSMBu.{32}.*[dD]\x00\x24\x00\x00/
+}
+
+signature s2b-2468-3 {
+  ip-proto == tcp
+  dst-port == 445
+  # Not supported: byte_test: 1,<,128,6,relative
+  event "NETBIOS SMB-DS D$ share access"
+  tcp-state established,originator
+  payload /\x00/
+  payload /.{3}\xFFSMBu.{32}.*[dD]\x24\x00/
+}
+
+signature s2b-2469-3 {
+  ip-proto == tcp
+  dst-port == 445
+  # Not supported: byte_test: 1,>,127,6,relative
+  event "NETBIOS SMB-DS D$ share unicode access"
+  tcp-state established,originator
+  payload /\x00/
+  payload /.{3}\xFFSMBu.{32}.*[dD]\x00\x24\x00\x00/
+}
+
+signature s2b-533-8 {
+  ip-proto == tcp
+  dst-port == 139
+  # Not supported: byte_test: 1,<,128,6,relative
+  event "NETBIOS SMB C$ share access"
+  tcp-state established,originator
+  payload /\x00/
+  payload /.{3}\xFFSMBu.{32}.*[cC]\x24\x00/
+}
+
+signature s2b-2470-3 {
+  ip-proto == tcp
+  dst-port == 139
+  # Not supported: byte_test: 1,>,127,6,relative
+  event "NETBIOS SMB C$ share unicode access"
+  tcp-state established,originator
+  payload /\x00/
+  payload /.{3}\xFFSMBu.{32}.*[cC]\x00\x24\x00\x00/
+}
+
+signature s2b-2471-3 {
+  ip-proto == tcp
+  dst-port == 445
+  # Not supported: byte_test: 1,<,128,6,relative
+  event "NETBIOS SMB-DS C$ share access"
+  tcp-state established,originator
+  payload /\x00/
+  payload /.{3}\xFFSMBu.{32}.*[cC]\x24\x00/
+}
+
+signature s2b-2472-3 {
+  ip-proto == tcp
+  dst-port == 445
+  # Not supported: byte_test: 1,>,127,6,relative
+  event "NETBIOS SMB-DS C$ share unicode access"
+  tcp-state established,originator
+  payload /\x00/
+  payload /.{3}\xFFSMBu.{32}.*[cC]\x00\x24\x00\x00/
+}
+
+signature s2b-532-8 {
+  ip-proto == tcp
+  dst-port == 139
+  # Not supported: byte_test: 1,<,128,6,relative
+  event "NETBIOS SMB ADMIN$ share access"
+  tcp-state established,originator
+  payload /\x00/
+  payload /.{3}\xFFSMBu.{32}.*[aA][dD][mM][iI][nN]\x24\x00/
+}
+
+signature s2b-2473-3 {
+  ip-proto == tcp
+  dst-port == 139
+  # Not supported: byte_test: 1,>,127,6,relative
+  event "NETBIOS SMB ADMIN$ share unicode access"
+  tcp-state established,originator
+  payload /\x00/
+  payload /.{3}\xFFSMBu.{32}.*[aA]\x00[dD]\x00[mM]\x00[iI]\x00[nN]\x00\x24\x00\x00/
+}
+
+signature s2b-2474-3 {
+  ip-proto == tcp
+  dst-port == 445
+  # Not supported: byte_test: 1,<,128,6,relative
+  event "NETBIOS SMB-DS ADMIN$ share access"
+  tcp-state established,originator
+  payload /\x00/
+  payload /.{3}\xFFSMBu.{32}.*[aA][dD][mM][iI][nN]\x24\x00/
+}
+
+signature s2b-2475-3 {
+  ip-proto == tcp
+  dst-port == 445
+  # Not supported: byte_test: 1,>,127,6,relative
+  event "NETBIOS SMB-DS ADMIN$ share unicode access"
+  tcp-state established,originator
+  payload /\x00/
+  payload /.{3}\xFFSMBu.{32}.*[aA]\x00[dD]\x00[mM]\x00[iI]\x00[nN]\x00\x24\x00\x00/
+}
+
+signature s2b-2174-4 {
+  ip-proto == tcp
+  dst-port == 139
+  event "NETBIOS SMB winreg access"
+  tcp-state established,originator
+  payload /\x00/
+  payload /.{3}\xFFSMB\xA2/
+  payload /.{84}.*\x5C[wW][iI][nN][rR][eE][gG]\x00/
+}
+
+signature s2b-2175-5 {
+  ip-proto == tcp
+  dst-port == 139
+  event "NETBIOS SMB winreg unicode access"
+  tcp-state established,originator
+  payload /\x00/
+  payload /.{3}\xFFSMB\xA2/
+  payload /.{84}.*\x5C\x00[wW]\x00[iI]\x00[nN]\x00[rR]\x00[eE]\x00[gG]\x00/
+}
+
+signature s2b-2476-3 {
+  ip-proto == tcp
+  dst-port == 445
+  # Not supported: flowbits: set,smb.winreg.create
+  # Not supported: byte_test: 1,>,127,6,relative
+  event "NETBIOS SMB-DS Create AndX Request winreg attempt"
+  tcp-state established,originator
+  payload /\x00/
+  payload /.{3}\xFFSMB\xA2.{79}\x5C[wW][iI][nN][rR][eE][gG]\x00/
+}
+
+signature s2b-2477-3 {
+  ip-proto == tcp
+  dst-port == 445
+  # Not supported: flowbits: set,smb.winreg.create
+  # Not supported: byte_test: 1,>,127,6,relative
+  event "NETBIOS SMB-DS Create AndX Request winreg unicode attempt"
+  tcp-state established,originator
+  payload /\x00/
+  payload /.{3}\xFFSMB\xA2.{79}\x5C\x00[wW]\x00[iI]\x00[nN]\x00[rR]\x00[eE]\x00[gG]\x00\x00\x00/
+}
+
+signature s2b-2478-3 {
+  ip-proto == tcp
+  dst-port == 445
+  # Not supported: flowbits: set,smb.dce.bind.winreg,isset,smb.winreg.create
+  # Not supported: byte_test: 1,<,128,6,relative,1,&,16,1,relative
+  event "NETBIOS SMB-DS DCERPC bind winreg attempt"
+  tcp-state established,originator
+  payload /\x00/
+  payload /.{3}\xFF[sS][mM][bB]%.{56}&\x00.{5}\x5C[pP][iI][pP][eE]\x5C\x00\x05\x00\x0B.{29}\x01\xD0\x8C3D\x22\xF11\xAA\xAA\x90\x008\x00\x10\x03/
+}
+
+signature s2b-2480-3 {
+  ip-proto == tcp
+  dst-port == 445
+  # Not supported: flowbits: isset,smb.dce.bind.winreg
+  # Not supported: byte_test: 1,>,127,6,relative,1,&,16,1,relative
+  event "NETBIOS SMB-DS DCERPC shutdown unicode attempt"
+  tcp-state established,originator
+  payload /\x00/
+  payload /.{3}\xFF[sS][mM][bB]%.{56}&\x00.{5}\x5C\x00[pP]\x00[iI]\x00[pP]\x00[eE]\x00\x5C\x00\x00\x00\x05\x00\x00.{19}\x18\x00/
+}
+
+signature s2b-2481-3 {
+  ip-proto == tcp
+  dst-port == 445
+  # Not supported: flowbits: isset,smb.dce.bind.winreg
+  # Not supported: byte_test: 1,>,127,6,relative,1,<,16,1,relative
+  event "NETBIOS SMB-DS DCERPC shutdown unicode little endian attempt"
+  tcp-state established,originator
+  payload /\x00/
+  payload /.{3}\xFF[sS][mM][bB]%.{56}&\x00.{5}\x5C\x00[pP]\x00[iI]\x00[pP]\x00[eE]\x00\x5C\x00\x00\x00\x05\x00\x00.{19}\x00\x18/
+}
+
+signature s2b-1293-10 {
+  ip-proto == tcp
+  dst-port == 139
+  event "NETBIOS nimda .eml"
+  tcp-state established,originator
+  payload /.*\x00\.\x00E\x00M\x00L/
+}
+
+signature s2b-1294-10 {
+  ip-proto == tcp
+  dst-port == 139
+  event "NETBIOS nimda .nws"
+  tcp-state established,originator
+  payload /.*\x00\.\x00N\x00W\x00S/
+}
+
+signature s2b-1295-9 {
+  ip-proto == tcp
+  dst-port == 139
+  event "NETBIOS nimda RICHED20.DLL"
+  tcp-state established,originator
+  payload /.*R\x00I\x00C\x00H\x00E\x00D\x002\x000/
+}
+
+signature s2b-529-7 {
+  ip-proto == tcp
+  dst-port == 139
+  event "NETBIOS DOS RFPoison"
+  tcp-state established,originator
+  payload /.*\x5C\x00\x5C\x00\*\x00S\x00M\x00B\x00S\x00E\x00R\x00V\x00E\x00R\x00\x00\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\xFF\xFF\xFF\xFF\x00\x00\x00\x00/
+}
+
+signature s2b-530-10 {
+  ip-proto == tcp
+  dst-port == 139
+  event "NETBIOS NT NULL session"
+  tcp-state established,originator
+  payload /.*\x00\x00\x00\x00W\x00i\x00n\x00d\x00o\x00w\x00s\x00 \x00N\x00T\x00 \x001\x003\x008\x001/
+}
+
+signature s2b-1239-5 {
+  ip-proto == tcp
+  dst-port == 139
+  event "NETBIOS RFParalyze Attempt"
+  tcp-state established,originator
+  payload /.*BEAVIS/
+  payload /.*yep yep/
+}
+
+signature s2b-534-6 {
+  ip-proto == tcp
+  dst-port == 139
+  event "NETBIOS SMB CD.."
+  tcp-state established,originator
+  payload /.*\x5C\.\.\/\x00\x00\x00/
+}
+
+signature s2b-535-6 {
+  ip-proto == tcp
+  dst-port == 139
+  event "NETBIOS SMB CD..."
+  tcp-state established,originator
+  payload /.*\x5C\.\.\.\x00\x00\x00/
+}
+
+signature s2b-2176-4 {
+  ip-proto == tcp
+  dst-port == 139
+  event "NETBIOS SMB startup folder access"
+  tcp-state established,originator
+  payload /\x00/
+  payload /.{3}\xFFSMB2.*.*[dD][oO][cC][uU][mM][eE][nN][tT][sS] [aA][nN][dD] [sS][eE][tT][tT][iI][nN][gG][sS]\x5C[aA][lL][lL] [uU][sS][eE][rR][sS]\x5C[sS][tT][aA][rR][tT] [mM][eE][nN][uU]\x5C[pP][rR][oO][gG][rR][aA][mM][sS]\x5C[sS][tT][aA][rR][tT][uU][pP]\x00/
+}
+
+signature s2b-2177-4 {
+  ip-proto == tcp
+  dst-port == 139
+  event "NETBIOS SMB startup folder unicode access"
+  tcp-state established,originator
+  payload /\x00/
+  payload /.{3}\xFFSMB2.*.*\x5C\x00[sS]\x00[tT]\x00[aA]\x00[rR]\x00[tT]\x00 \x00[mM]\x00[eE]\x00[nN]\x00[uU]\x00\x5C\x00[pP]\x00[rR]\x00[oO]\x00[gG]\x00[rR]\x00[aA]\x00[mM]\x00[sS]\x00\x5C\x00[sS]\x00[tT]\x00[aA]\x00[rR]\x00[tT]\x00[uU]\x00[pP]/
+}
+
+signature s2b-2101-9 {
+  ip-proto == tcp
+  dst-port == 139
+  event "NETBIOS SMB SMB_COM_TRANSACTION Max Parameter and Max Count of 0 DOS Attempt"
+  tcp-state established,originator
+  payload /\x00/
+  payload /.{3}\xFFSMB%/
+  payload /.{42}\x00\x00\x00\x00/
+}
+
+signature s2b-2103-9 {
+  ip-proto == tcp
+  dst-port == 139
+  # Not supported: byte_test: 2,>,256,0,relative,little
+  event "NETBIOS SMB trans2open buffer overflow attempt"
+  tcp-state established,originator
+  payload /\x00/
+  payload /.{3}\xFFSMB2/
+  payload /.{59}\x00\x14/
+}
+
+signature s2b-2190-3 {
+  ip-proto == tcp
+  dst-port == 135
+  # Not supported: byte_test: 1,&,1,0,relative
+  event "NETBIOS DCERPC invalid bind attempt"
+  tcp-state established,originator
+  payload /\x05.{1}\x0B.{21}\x00/
+}
+
+signature s2b-2191-3 {
+  ip-proto == tcp
+  dst-port == 445
+  # Not supported: byte_test: 1,&,1,0,relative
+  event "NETBIOS SMB DCERPC invalid bind attempt"
+  tcp-state established,originator
+  payload /.{3}\xFF[sS][mM][bB]%.{56}&\x00.{5}\x5C\x00[pP]\x00[iI]\x00[pP]\x00[eE]\x00\x5C\x00.{2}\x05.{1}\x0B.{21}\x00/
+}
+
+signature s2b-2192-8 {
+  ip-proto == tcp
+  dst-port == 135
+  # Not supported: flowbits: set,dce.isystemactivator.bind.attempt,noalert
+  event "NETBIOS DCERPC ISystemActivator bind attempt"
+  # Not supported: byte_test: 1,&,1,0,relative
+  tcp-state established,originator
+  payload /\x05.{1}\x0B.{29}\xA0\x01\x00\x00\x00\x00\x00\x00\xC0\x00\x00\x00\x00\x00\x00F/
+}
+
+signature s2b-2193-9 {
+  ip-proto == tcp
+  dst-port == 445
+  # Not supported: flowbits: set,dce.isystemactivator.bind.call.attempt
+  event "NETBIOS SMB-DS DCERPC ISystemActivator bind attempt"
+  # Not supported: byte_test: 1,&,1,0,relative
+  tcp-state established,originator
+  payload /.{3}\xFF[sS][mM][bB]%.{56}&\x00.{5}\x5C\x00[pP]\x00[iI]\x00[pP]\x00[eE]\x00\x5C\x00\x05.{1}\x0B.{29}\xA0\x01\x00\x00\x00\x00\x00\x00\xC0\x00\x00\x00\x00\x00\x00F/
+}
+
+signature s2b-2493-5 {
+  ip-proto == tcp
+  dst-port == 139
+  # Not supported: flowbits: set,dce.isystemactivator.bind.call.attempt
+  event "NETBIOS SMB DCERPC ISystemActivator unicode bind attempt"
+  # Not supported: byte_test: 2,&,1,5,relative,1,&,16,1,relative
+  tcp-state established,originator
+  payload /\x00/
+  payload /.{3}\xFF[sS][mM][bB]%.{56}&\x00.{4}\x5C\x00P\x00I\x00P\x00E\x00\x5C\x00\x05\x00\x0B.{29}\xA0\x01\x00\x00\x00\x00\x00\x00\xC0\x00\x00\x00\x00\x00\x00F/
+}
+
+signature s2b-2251-11 {
+  ip-proto == tcp
+  dst-port == 135
+  # Not supported: byte_test: 1,&,1,0,relative
+  event "NETBIOS DCERPC Remote Activation bind attempt"
+  tcp-state established,originator
+  payload /\x05.{1}\x0B.{29}\xB8J\x9FM\x1C\}\xCF\x11\x86\x1E\x00 \xAFn\x7CW/
+}
+
+signature s2b-2252-11 {
+  ip-proto == tcp
+  dst-port == 445
+  # Not supported: byte_test: 1,&,1,0,relative
+  event "NETBIOS SMB-DS DCERPC Remote Activation bind attempt"
+  tcp-state established,originator
+  payload /.{3}\xFF[sS][mM][bB]%.{56}&\x00.{5}\x5C\x00[pP]\x00[iI]\x00[pP]\x00[eE]\x00\x5C\x00\x05.{1}\x0B.{29}\xB8J\x9FM\x1C\}\xCF\x11\x86\x1E\x00 \xAFn\x7CW/
+}
+
+signature s2b-2257-5 {
+  ip-proto == udp
+  dst-port == 135
+  # Not supported: byte_test: 1,>,15,2,relative,4,>,1024,0,little,relative
+  # Not supported: byte_jump: 4,86,little,align,relative,4,8,little,align,relative
+  event "NETBIOS DCERPC Messenger Service buffer overflow attempt"
+  payload /\x04\x00/
+}
+
+signature s2b-2258-6 {
+  ip-proto == tcp
+  dst-port == 445
+  # Not supported: byte_test: 1,>,15,2,relative,4,>,1024,0,little,relative
+  # Not supported: byte_jump: 4,86,little,align,relative,4,8,little,align,relative
+  event "NETBIOS SMB-DS DCERPC Messenger Service buffer overflow attempt"
+  tcp-state established,originator
+  payload /.{3}\xFF[sS][mM][bB]%.{56}&\x00.{5}\x5C\x00[pP]\x00[iI]\x00[pP]\x00[eE]\x00\x5C\x00\x04\x00/
+}
+
+signature s2b-2308-6 {
+  ip-proto == tcp
+  dst-port == 139
+  # Not supported: byte_test: 2,&,1,5,relative,1,&,16,1,relative
+  event "NETBIOS SMB DCERPC Workstation Service unicode bind attempt"
+  tcp-state established,originator
+  payload /\x00/
+  payload /.{3}\xFF[sS][mM][bB]%.{56}&\x00.{4}\x5C\x00P\x00I\x00P\x00E\x00\x5C\x00\x05\x00\x0B.{29}\x98\xD0\xFFk\x12\xA1\x106\x983F\xC3\xF8~4Z/
+}
+
+signature s2b-2309-6 {
+  ip-proto == tcp
+  dst-port == 139
+  # Not supported: byte_test: 2,^,1,5,relative,1,&,16,1,relative
+  event "NETBIOS SMB DCERPC Workstation Service bind attempt"
+  tcp-state established,originator
+  payload /\x00/
+  payload /.{3}\xFF[sS][mM][bB]%.{56}&\x00.{4}\x5CPIPE\x5C\x00\x05\x00\x0B.{29}\x98\xD0\xFFk\x12\xA1\x106\x983F\xC3\xF8~4Z/
+}
+
+signature s2b-2310-8 {
+  ip-proto == tcp
+  dst-port == 445
+  # Not supported: byte_test: 2,&,1,5,relative,1,&,16,1,relative
+  event "NETBIOS SMB-DS DCERPC Workstation Service unicode bind attempt"
+  tcp-state established,originator
+  payload /\x00/
+  payload /.{3}\xFF[sS][mM][bB]%.{56}&\x00.{4}\x5C\x00P\x00I\x00P\x00E\x00\x5C\x00\x05\x00\x0B.{29}\x98\xD0\xFFk\x12\xA1\x106\x983F\xC3\xF8~4Z/
+}
+
+signature s2b-2311-7 {
+  ip-proto == tcp
+  dst-port == 445
+  # Not supported: byte_test: 2,^,1,5,relative,1,&,16,1,relative
+  event "NETBIOS SMB-DS DCERPC Workstation Service bind attempt"
+  tcp-state established,originator
+  payload /\x00/
+  payload /.{3}\xFF[sS][mM][bB]%.{56}&\x00.{4}\x5CPIPE\x5C\x00\x05\x00\x0B.{29}\x98\xD0\xFFk\x12\xA1\x106\x983F\xC3\xF8~4Z/
+}
+
+signature s2b-2315-6 {
+  ip-proto == tcp
+  dst-port >= 1024
+  dst-port <= 65535
+  # Not supported: byte_test: 1,&,16,1,relative
+  event "NETBIOS DCERPC Workstation Service direct service bind attempt"
+  tcp-state established,originator
+  payload /\x05\x00\x0B.{29}\x98\xD0\xFFk\x12\xA1\x106\x983F\xC3\xF8~4Z/
+}
+
+signature s2b-2316-6 {
+  ip-proto == udp
+  dst-port >= 1024
+  dst-port <= 65535
+  # Not supported: byte_test: 1,&,16,2,relative
+  event "NETBIOS DCERPC Workstation Service direct service access attempt"
+  payload /\x04\x00.{22}\x98\xD0\xFFk\x12\xA1\x106\x983F\xC3\xF8~4Z/
+}
+
+signature s2b-2348-6 {
+  ip-proto == tcp
+  dst-port == 445
+  # Not supported: flowbits: set,dce.printer.bind,noalert
+  # Not supported: byte_test: 1,&,16,1,relative
+  event "NETBIOS SMB-DS DCERPC print spool bind attempt"
+  tcp-state established,originator
+  payload /\x00/
+  payload /.{3}\xFF[sS][mM][bB]%.{56}&\x00.{5}\x5C\x00P\x00I\x00P\x00E\x00\x5C\x00\x00\x00\x05\x00\x0B.{29}xV4\x124\x12\xCD\xAB\xEF\x00\x01\x23Eg\x89\xAB/
+}
+
+signature s2b-2382-8 {
+  ip-proto == tcp
+  dst-port == 139
+  event "NETBIOS SMB NTLMSSP invalid mechtype attempt"
+  tcp-state established,originator
+  payload /.{3}\xFF[sS][mM][bB][sS]/
+  payload /.{62}`.{1}\x06\x06\+\x06\x01\x05\x05\x02.*.*\x06\x0A\+\x06\x01\x04\x01\x827\x02\x02\x0A.*.*\xA1\x05\x23\x03\x03\x01\x07/
+}
+
+signature s2b-2383-9 {
+  ip-proto == tcp
+  dst-port == 445
+  event "NETBIOS SMB-DS DCERPC NTLMSSP invalid mechtype attempt"
+  tcp-state established,originator
+  payload /.{3}\xFF[sS][mM][bB][sS]/
+  payload /.{62}`.{1}\x06\x06\+\x06\x01\x05\x05\x02.*.*\x06\x0A\+\x06\x01\x04\x01\x827\x02\x02\x0A.*.*\xA1\x05\x23\x03\x03\x01\x07/
+}
+
+signature s2b-2384-8 {
+  ip-proto == tcp
+  dst-port == 139
+  event "NETBIOS SMB NTLMSSP invalid mechlistMIC attempt"
+  tcp-state established,originator
+  payload /.{3}\xFF[sS][mM][bB][sS]/
+  payload /.{62}`.{1}\x00\x00\x00b\x06\x83\x00\x00\x06\+\x06\x01\x05\x05\x02.*.*\x06\x0A\+\x06\x01\x04\x01\x827\x02\x02\x0A.*.*\xA3>0<\xA00/
+}
+
+signature s2b-2385-9 {
+  ip-proto == tcp
+  dst-port == 445
+  event "NETBIOS SMB-DS DCERPC NTLMSSP invalid mechlistMIC attempt"
+  tcp-state established,originator
+  payload /.{3}\xFF[sS][mM][bB][sS]/
+  payload /.{62}`.{1}\x00\x00\x00b\x06\x83\x00\x00\x06\+\x06\x01\x05\x05\x02.*.*\x06\x0A\+\x06\x01\x04\x01\x827\x02\x02\x0A.*.*\xA3>0<\xA00/
+}
+
+signature s2b-2401-4 {
+  ip-proto == tcp
+  dst-port == 139
+  # Not supported: byte_test: 2,>,322,2,1,<,128,6,relative,2,>,255,8,relative,little
+  event "NETBIOS SMB Session Setup AndX request username overflow attempt"
+  tcp-state established,originator
+  payload /\x00/
+  payload /.{3}\xFF[sS][mM][bB][sS].{42}\x00\x00\x00\x00.{10}[^\x00]{255}/
+}
+
+signature s2b-2402-5 {
+  ip-proto == tcp
+  dst-port == 445
+  # Not supported: byte_test: 2,>,322,2,1,<,128,6,relative,2,>,255,8,relative,little
+  event "NETBIOS SMB-DS Session Setup AndX request username overflow attempt"
+  tcp-state established,originator
+  payload /\x00/
+  payload /.{3}\xFF[sS][mM][bB][sS].{42}\x00\x00\x00\x00.{10}[^\x00]{255}/
+}
+
+signature s2b-2403-4 {
+  ip-proto == tcp
+  dst-port == 139
+  # Not supported: byte_test: 2,>,322,2,1,&,128,6,relative,2,>,255,54,relative,little
+  event "NETBIOS SMB Session Setup AndX request unicode username overflow attempt"
+  tcp-state established,originator
+  payload /.*.*\x00\x00.*.*\x00\x00/
+  payload /\x00/
+  payload /.{3}\xFF[sS][mM][bB][sS].{56}.*\x00.{255}.*\x00\x00.*.*\x00\x00/
+}
+
+signature s2b-2404-5 {
+  ip-proto == tcp
+  dst-port == 445
+  # Not supported: byte_test: 2,>,322,2,1,&,128,6,relative,2,>,255,54,relative,little
+  event "NETBIOS SMB-DS Session Setup AndX request unicode username overflow attempt"
+  tcp-state established,originator
+  payload /.*.*\x00\x00.*.*\x00\x00/
+  payload /\x00/
+  payload /.{3}\xFF[sS][mM][bB][sS].{56}.*\x00.{255}.*\x00\x00.*.*\x00\x00/
+}
+
+signature s2b-2495-5 {
+  ip-proto == tcp
+  dst-port == 139
+  # Not supported: threshold: type both, track by_dst, count 20, seconds 60
+  # Not supported: flowbits: isset,dce.isystemactivator.bind.call.attempt
+  # Not supported: byte_test: 1,&,1,0,relative
+  event "NETBIOS SMB DCEPRC ORPCThis request flood attempt"
+  tcp-state established,originator
+  payload /\x05.{1}\x00.{21}\x05/
+  payload /.*MEOW/
+}
+
+signature s2b-2524-7 {
+  ip-proto == tcp
+  dst-port == 135
+  # Not supported: flowbits: set,netbios.lsass.bind.attempt,noalert
+  event "NETBIOS DCERPC LSASS direct bind attempt"
+  tcp-state established,originator
+  payload /\x00/
+  payload /.{3}\xFF[sS][mM][bB]/
+  payload /.*\x05.{1}\x0B.{29}j\x28\x199\x0C\xB1\xD0\x11\x9B\xA8\x00\xC0O\xD9\.\xF5/
+}
+
+signature s2b-2514-7 {
+  ip-proto == tcp
+  dst-port == 445
+  # Not supported: flowbits: isset,netbios.lsass.bind.attempt
+  event "NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt"
+  tcp-state established,originator
+  payload /.{3}\xFF[sS][mM][bB].{59}.*\x05.{1}\x00.{19}\x09\x00/
+}
+
+signature s2b-2564-4 {
+  ip-proto == udp
+  src-port == 137
+  dst-port == 137
+  # Not supported: byte_test: 1,>,127,2
+  payload-size < 56
+  event "NETBIOS NS lookup short response attempt"
+  payload /.{5}\x00\x01/
+}
+
+signature s2b-1792-8 {
+  ip-proto == tcp
+  src-port == 119
+  # Not supported: pcre: /^200\s[^\n]{64}/smi
+  event "NNTP return code buffer overflow attempt"
+  tcp-state established,originator
+  # Not supported: isdataat: 64,relative
+  payload /((^)|(\n+))200[\x20\x09\x0b][^\n]{64}/
+}
+
+signature s2b-1538-13 {
+  ip-proto == tcp
+  dst-port == 119
+  # Not supported: pcre: /^AUTHINFO\s+USER\s[^\n]{200}/smi
+  event "NNTP AUTHINFO USER overflow attempt"
+  tcp-state established,originator
+  # Not supported: isdataat: 200,relative
+  payload /((^)|(\n+))[aA][uU][tT][hH][iI][nN][fF][oO][\x20\x09\x0b]+[uU][sS][eE][rR][\x20\x09\x0b][^\n]{200}/
+}
+
+signature s2b-2424-3 {
+  ip-proto == tcp
+  dst-port == 119
+  # Not supported: pcre: /^sendsys\x3a[^\n]{21}/smi
+  event "NNTP sendsys overflow attempt"
+  tcp-state established,originator
+  payload /((^)|(\n+))[sS][eE][nN][dD][sS][yY][sS]\x3a[^\n]{21}/
+}
+
+signature s2b-2425-3 {
+  ip-proto == tcp
+  dst-port == 119
+  # Not supported: pcre: /^senduuname\x3a[^\n]{21}/smi
+  event "NNTP senduuname overflow attempt"
+  tcp-state established,originator
+  payload /((^)|(\n+))[sS][eE][nN][dD][uU][uU][nN][aA][mM][eE]\x3a[^\n]{21}/
+}
+
+signature s2b-2426-3 {
+  ip-proto == tcp
+  dst-port == 119
+  # Not supported: pcre: /^version\x3a[^\n]{21}/smi
+  event "NNTP version overflow attempt"
+  tcp-state established,originator
+  payload /((^)|(\n+))[vV][eE][rR][sS][iI][oO][nN]\x3a[^\n]{21}/
+}
+
+signature s2b-2427-3 {
+  ip-proto == tcp
+  dst-port == 119
+  # Not supported: pcre: /^checkgroups\x3a[^\n]{21}/smi
+  event "NNTP checkgroups overflow attempt"
+  tcp-state established,originator
+  payload /((^)|(\n+))[cC][hH][eE][cC][kK][gG][rR][oO][uU][pP][sS]\x3a[^\n]{21}/
+}
+
+signature s2b-2428-3 {
+  ip-proto == tcp
+  dst-port == 119
+  # Not supported: pcre: /^ihave\x3a[^\n]{21}/smi
+  event "NNTP ihave overflow attempt"
+  tcp-state established,originator
+  payload /((^)|(\n+))[iI][hH][aA][vV][eE]\x3a[^\n]{21}/
+}
+
+signature s2b-2429-3 {
+  ip-proto == tcp
+  dst-port == 119
+  # Not supported: pcre: /^sendme\x3a[^\n]{21}/smi
+  event "NNTP sendme overflow attempt"
+  tcp-state established,originator
+  payload /((^)|(\n+))[sS][eE][nN][dD][mM][eE]\x3a[^\n]{21}/
+}
+
+signature s2b-2430-3 {
+  ip-proto == tcp
+  dst-port == 119
+  # Not supported: pcre: /^newgroup\x3a[^\n]{21}/smi
+  event "NNTP newgroup overflow attempt"
+  tcp-state established,originator
+  payload /((^)|(\n+))[nN][eE][wW][gG][rR][oO][uU][pP]\x3a[^\n]{21}/
+}
+
+signature s2b-2431-3 {
+  ip-proto == tcp
+  dst-port == 119
+  # Not supported: pcre: /^rmgroup\x3a[^\n]{21}/smi
+  event "NNTP rmgroup overflow attempt"
+  tcp-state established,originator
+  payload /((^)|(\n+))[rR][mM][gG][rR][oO][uU][pP]\x3a[^\n]{21}/
+}
+
+signature s2b-1673-3 {
+  ip-proto == tcp
+  dst-port == oracle_ports
+  event "ORACLE EXECUTE_SYSTEM attempt"
+  tcp-state established,originator
+  payload /.*[eE][xX][eE][cC][uU][tT][eE]_[sS][yY][sS][tT][eE][mM]/
+}
+
+signature s2b-1674-5 {
+  ip-proto == tcp
+  dst-port == oracle_ports
+  event "ORACLE connect_data remote version detection attempt"
+  tcp-state established,originator
+  payload /.*[cC][oO][nN][nN][eE][cC][tT]_[dD][aA][tT][aA]\x28[cC][oO][mM][mM][aA][nN][dD]=[vV][eE][rR][sS][iI][oO][nN]\x29/
+}
+
+signature s2b-1675-4 {
+  ip-proto == tcp
+  dst-port == oracle_ports
+  event "ORACLE misparsed login response"
+  tcp-state established,responder
+  payload /.*[dD][eE][sS][cC][rR][iI][pP][tT][iI][oO][nN]=\x28/
+  payload /.*<willnevermatch>/
+  payload /.*<willnevermatch>/
+}
+
+signature s2b-1676-3 {
+  ip-proto == tcp
+  dst-port == oracle_ports
+  event "ORACLE select union attempt"
+  tcp-state established,originator
+  payload /.*[sS][eE][lL][eE][cC][tT] /
+  payload /.* [uU][nN][iI][oO][nN] /
+}
+
+signature s2b-1677-3 {
+  ip-proto == tcp
+  dst-port == oracle_ports
+  event "ORACLE select like '%' attempt"
+  tcp-state established,originator
+  payload /.* [wW][hH][eE][rR][eE] /
+  payload /.* [lL][iI][kK][eE] '%'/
+}
+
+signature s2b-1678-5 {
+  ip-proto == tcp
+  dst-port == oracle_ports
+  event "ORACLE select like '%' attempt backslash escaped"
+  tcp-state established,originator
+  payload /.* [wW][hH][eE][rR][eE] /
+  payload /.* [lL][iI][kK][eE] \x22%\x22/
+}
+
+signature s2b-1680-3 {
+  ip-proto == tcp
+  dst-port == oracle_ports
+  event "ORACLE all_constraints access"
+  tcp-state established,originator
+  payload /.*[aA][lL][lL]_[cC][oO][nN][sS][tT][rR][aA][iI][nN][tT][sS]/
+}
+
+signature s2b-1681-3 {
+  ip-proto == tcp
+  dst-port == oracle_ports
+  event "ORACLE all_views access"
+  tcp-state established,originator
+  payload /.*[aA][lL][lL]_[vV][iI][eE][wW][sS]/
+}
+
+signature s2b-1682-3 {
+  ip-proto == tcp
+  dst-port == oracle_ports
+  event "ORACLE all_source access"
+  tcp-state established,originator
+  payload /.*[aA][lL][lL]_[sS][oO][uU][rR][cC][eE]/
+}
+
+signature s2b-1683-3 {
+  ip-proto == tcp
+  dst-port == oracle_ports
+  event "ORACLE all_tables access"
+  tcp-state established,originator
+  payload /.*[aA][lL][lL]_[tT][aA][bB][lL][eE][sS]/
+}
+
+signature s2b-1684-3 {
+  ip-proto == tcp
+  dst-port == oracle_ports
+  event "ORACLE all_tab_columns access"
+  tcp-state established,originator
+  payload /.*[aA][lL][lL]_[tT][aA][bB]_[cC][oO][lL][uU][mM][nN][sS]/
+}
+
+signature s2b-1685-4 {
+  ip-proto == tcp
+  dst-port == oracle_ports
+  event "ORACLE all_tab_privs access"
+  tcp-state established,originator
+  payload /.*[aA][lL][lL]_[tT][aA][bB]_[pP][rR][iI][vV][sS]/
+}
+
+signature s2b-1686-3 {
+  ip-proto == tcp
+  dst-port == oracle_ports
+  event "ORACLE dba_tablespace access"
+  tcp-state established,originator
+  payload /.*[dD][bB][aA]_[tT][aA][bB][lL][eE][sS][pP][aA][cC][eE]/
+}
+
+signature s2b-1687-3 {
+  ip-proto == tcp
+  dst-port == oracle_ports
+  event "ORACLE dba_tables access"
+  tcp-state established,originator
+  payload /.*[dD][bB][aA]_[tT][aA][bB][lL][eE][sS]/
+}
+
+signature s2b-1688-3 {
+  ip-proto == tcp
+  dst-port == oracle_ports
+  event "ORACLE user_tablespace access"
+  tcp-state established,originator
+  payload /.*[uU][sS][eE][rR]_[tT][aA][bB][lL][eE][sS][pP][aA][cC][eE]/
+}
+
+signature s2b-1689-3 {
+  ip-proto == tcp
+  dst-port == oracle_ports
+  event "ORACLE sys.all_users access"
+  tcp-state established,originator
+  payload /.*[sS][yY][sS]\.[aA][lL][lL]_[uU][sS][eE][rR][sS]/
+}
+
+signature s2b-1690-3 {
+  ip-proto == tcp
+  dst-port == oracle_ports
+  event "ORACLE grant attempt"
+  tcp-state established,originator
+  payload /.*[gG][rR][aA][nN][tT] /
+  payload /.* [tT][oO] /
+}
+
+signature s2b-1691-3 {
+  ip-proto == tcp
+  dst-port == oracle_ports
+  event "ORACLE ALTER USER attempt"
+  tcp-state established,originator
+  payload /.*[aA][lL][tT][eE][rR] [uU][sS][eE][rR]/
+  payload /.* [iI][dD][eE][nN][tT][iI][fF][iI][eE][dD] [bB][yY] /
+}
+
+signature s2b-1692-3 {
+  ip-proto == tcp
+  dst-port == oracle_ports
+  event "ORACLE drop table attempt"
+  tcp-state established,originator
+  payload /.*[dD][rR][oO][pP] [tT][aA][bB][lL][eE]/
+}
+
+signature s2b-1693-4 {
+  ip-proto == tcp
+  dst-port == oracle_ports
+  event "ORACLE create table attempt"
+  tcp-state established,originator
+  payload /.*[cC][rR][eE][aA][tT][eE] [tT][aA][bB][lL][eE]/
+}
+
+signature s2b-1694-3 {
+  ip-proto == tcp
+  dst-port == oracle_ports
+  event "ORACLE alter table attempt"
+  tcp-state established,originator
+  payload /.*[aA][lL][tT][eE][rR] [tT][aA][bB][lL][eE]/
+}
+
+signature s2b-1695-3 {
+  ip-proto == tcp
+  dst-port == oracle_ports
+  event "ORACLE truncate table attempt"
+  tcp-state established,originator
+  payload /.*[tT][rR][uU][nN][cC][aA][tT][eE] [tT][aA][bB][lL][eE]/
+}
+
+signature s2b-1696-3 {
+  ip-proto == tcp
+  dst-port == oracle_ports
+  event "ORACLE create database attempt"
+  tcp-state established,originator
+  payload /.*[cC][rR][eE][aA][tT][eE] [dD][aA][tT][aA][bB][aA][sS][eE]/
+}
+
+signature s2b-1697-3 {
+  ip-proto == tcp
+  dst-port == oracle_ports
+  event "ORACLE alter database attempt"
+  tcp-state established,originator
+  payload /.*[aA][lL][tT][eE][rR] [dD][aA][tT][aA][bB][aA][sS][eE]/
+}
+
+signature s2b-2576-2 {
+  ip-proto == tcp
+  dst-port == oracle_ports
+  # Not supported: pcre: /(package|procedure)_prefix[\s\r\n]*=>[\s\r\n]*('[^']{1000,}|"[^"]{1000,})/Rsmi
+  event "ORACLE generate_replication_support prefix overflow attempt"
+  tcp-state established,originator
+  payload /.*[gG][eE][nN][eE][rR][aA][tT][eE]_[rR][eE][pP][lL][iI][cC][aA][tT][iI][oO][nN]_[sS][uU][pP][pP][oO][rR][tT]/
+  payload /([pP][aA][cC][kK][aA][gG][eE]|[pP][rR][oO][cC][eE][dD][uU][rR][eE])_[pP][rR][eE][fF][iI][xX][\x20\x09\x0b\r\n]*=>[\x20\x09\x0b\r\n]*('[^']{1000,}|"[^"]{1000,})/
+}
+
+signature s2b-1760-3 {
+  ip-proto == tcp
+  src-port == 902
+  event "OTHER-IDS ISS RealSecure 6 event collector connection attempt"
+  tcp-state established,responder
+  payload /.{29}6[iI][sS][sS] [eE][cC][nN][rR][aA] [bB][uU][iI][lL][tT]-[iI][nN] [pP][rR][oO][vV][iI][dD][eE][rR], [sS][tT][rR][oO][nN][gG] [eE][nN][cC][rR][yY][pP][tT][iI][oO][nN]/
+}
+
+signature s2b-1761-3 {
+  ip-proto == tcp
+  src-port == 2998
+  event "OTHER-IDS ISS RealSecure 6 daemon connection attempt"
+  tcp-state established,responder
+  payload /.{29}6[iI][sS][sS] [eE][cC][nN][rR][aA] [bB][uU][iI][lL][tT]-[iI][nN] [pP][rR][oO][vV][iI][dD][eE][rR], [sS][tT][rR][oO][nN][gG] [eE][nN][cC][rR][yY][pP][tT][iI][oO][nN]/
+}
+
+signature s2b-1629-6 {
+  ip-proto == tcp
+  event "OTHER-IDS SecureNetPro traffic"
+  tcp-state established
+  payload /\x00g\x00\x01\x00\x03/
+}
+
+signature s2b-1934-6 {
+  ip-proto == tcp
+  dst-port == 109
+  # Not supported: pcre: /^FOLD\s[^\n]{256}/smi
+  event "POP2 FOLD overflow attempt"
+  tcp-state established,originator
+  # Not supported: isdataat: 256,relative
+  requires-reverse-signature ! pop_return_error
+  payload /((^)|(\n+))[fF][oO][lL][dD][\x20\x09\x0b][^\n]{256}/
+}
+
+signature s2b-1935-4 {
+  ip-proto == tcp
+  dst-port == 109
+  # Not supported: pcre: /^FOLD\s+\//smi
+  event "POP2 FOLD arbitrary file attempt"
+  tcp-state established,originator
+  requires-reverse-signature ! pop_return_error
+  payload /((^)|(\n+))[fF][oO][lL][dD][\x20\x09\x0b]+\//
+}
+
+signature s2b-284-6 {
+  ip-proto == tcp
+  dst-port == 109
+  event "POP2 x86 Linux overflow"
+  tcp-state established,originator
+  payload /.*\xEB,\[\x89\xD9\x80\xC1\x069\xD9\x7C\x07\x80\x01/
+  requires-reverse-signature ! pop_return_error
+}
+
+signature s2b-285-6 {
+  ip-proto == tcp
+  dst-port == 109
+  event "POP2 x86 Linux overflow"
+  tcp-state established,originator
+  payload /.*\xFF\xFF\xFF\/BIN\/SH\x00/
+  requires-reverse-signature ! pop_return_error
+}
+
+signature s2b-2121-8 {
+  ip-proto == tcp
+  dst-port == 110
+  # Not supported: pcre: /^DELE\s+-\d/smi
+  event "POP3 DELE negative arguement attempt"
+  tcp-state established,originator
+  requires-reverse-signature ! pop_return_error
+  payload /((^)|(\n+))[dD][eE][lL][eE]+-[0-9]/
+}
+
+signature s2b-2122-7 {
+  ip-proto == tcp
+  dst-port == 110
+  # Not supported: pcre: /^UIDL\s+-\d/smi
+  event "POP3 UIDL negative arguement attempt"
+  tcp-state established,originator
+  requires-reverse-signature ! pop_return_error
+  payload /((^)|(\n+))[uU][iI][dD][lL][\x20\x09\x0b]+-[0-9]/
+}
+
+signature s2b-1866-10 {
+  ip-proto == tcp
+  dst-port == 110
+  # Not supported: pcre: /^USER\s[^\n]{50,}/smi
+  event "POP3 USER overflow attempt"
+  tcp-state established,originator
+  # Not supported: isdataat: 50,relative
+  requires-reverse-signature ! pop_return_error
+  payload /((^)|(\n+))[uU][sS][eE][rR][\x20\x09\x0b][^\n]{50,}/
+}
+
+signature s2b-2108-3 {
+  ip-proto == tcp
+  dst-port == 110
+  # Not supported: pcre: /^CAPA\s[^\n]{10}/smi
+  event "POP3 CAPA overflow attempt"
+  tcp-state established,originator
+  # Not supported: isdataat: 10,relative
+  requires-reverse-signature ! pop_return_error
+  payload /((^)|(\n+))[cC][aA][pP][aA][\x20\x09\x0b][^\n]{10}/
+}
+
+signature s2b-2109-3 {
+  ip-proto == tcp
+  dst-port == 110
+  # Not supported: pcre: /^TOP\s[^\n]{10}/smi
+  event "POP3 TOP overflow attempt"
+  tcp-state established,originator
+  # Not supported: isdataat: 10,relative
+  requires-reverse-signature ! pop_return_error
+  payload /((^)|(\n+))[tT][oO][pP][\x20\x09\x0b][^\n]{10}/
+}
+
+signature s2b-2110-3 {
+  ip-proto == tcp
+  dst-port == 110
+  # Not supported: pcre: /^STAT\s[^\n]{10}/smi
+  event "POP3 STAT overflow attempt"
+  tcp-state established,originator
+  # Not supported: isdataat: 10,relative
+  requires-reverse-signature ! pop_return_error
+  payload /((^)|(\n+))[sS][tT][aA][tT][\x20\x09\x0b][^\n]{10}/
+}
+
+signature s2b-2111-3 {
+  ip-proto == tcp
+  dst-port == 110
+  # Not supported: pcre: /^DELE\s[^\n]{10}/smi
+  event "POP3 DELE overflow attempt"
+  tcp-state established,originator
+  # Not supported: isdataat: 10,relative
+  requires-reverse-signature ! pop_return_error
+  payload /((^)|(\n+))[dD][eE][lL][eE][\x20\x09\x0b][^\n]{10}/
+}
+
+signature s2b-2112-3 {
+  ip-proto == tcp
+  dst-port == 110
+  # Not supported: pcre: /^RSET\s[^\n]{10}/smi
+  event "POP3 RSET overflow attempt"
+  tcp-state established,originator
+  # Not supported: isdataat: 10,relative
+  requires-reverse-signature ! pop_return_error
+  payload /((^)|(\n+))[rR][sS][eE][tT][\x20\x09\x0b][^\n]{10}/
+}
+
+signature s2b-1936-4 {
+  ip-proto == tcp
+  dst-port == 110
+  # Not supported: pcre: /^AUTH\s[^\n]{50}/smi
+  event "POP3 AUTH overflow attempt"
+  tcp-state established,originator
+  # Not supported: isdataat: 50,relative
+  requires-reverse-signature ! pop_return_error
+  payload /((^)|(\n+))[aA][uU][tT][hH][\x20\x09\x0b][^\n]{50}/
+}
+
+signature s2b-1937-5 {
+  ip-proto == tcp
+  dst-port == 110
+  # Not supported: pcre: /^LIST\s[^\n]{10}/smi
+  event "POP3 LIST overflow attempt"
+  tcp-state established,originator
+  # Not supported: isdataat: 10,relative
+  requires-reverse-signature ! pop_return_error
+  payload /((^)|(\n+))[lL][iI][sS][tT][\x20\x09\x0b][^\n]{10}/
+}
+
+signature s2b-1938-4 {
+  ip-proto == tcp
+  dst-port == 110
+  # Not supported: pcre: /^XTND\s[^\n]{50}/smi
+  event "POP3 XTND overflow attempt"
+  tcp-state established,originator
+  # Not supported: isdataat: 50,relative
+  payload /.*[xX][tT][nN][dD]/
+  requires-reverse-signature ! pop_return_error
+  payload /((^)|(\n+))[xX][tT][nN][dD][\x20\x09\x0b][^\n]{50}/
+}
+
+signature s2b-1634-11 {
+  ip-proto == tcp
+  dst-port == 110
+  # Not supported: pcre: /^PASS\s[^\n]{50}/smi
+  event "POP3 PASS overflow attempt"
+  tcp-state established,originator
+  # Not supported: isdataat: 50,relative
+  requires-reverse-signature ! pop_return_error
+  payload /((^)|(\n+))[pP][aA][sS][sS][\x20\x09\x0b][^\n]{50}/
+}
+
+signature s2b-1635-13 {
+  ip-proto == tcp
+  dst-port == 110
+  # Not supported: pcre: /^APOP\s[^\n]{256}/smi
+  event "POP3 APOP overflow attempt"
+  tcp-state established,originator
+  # Not supported: isdataat: 256,relative
+  requires-reverse-signature ! pop_return_error
+  payload /((^)|(\n+))[aA][pP][oO][pP][\x20\x09\x0b][^\n]{256}/
+}
+
+signature s2b-286-9 {
+  ip-proto == tcp
+  dst-port == 110
+  event "POP3 EXPLOIT x86 BSD overflow"
+  tcp-state established,originator
+  payload /.*\^\x0E1\xC0\xB0\x3B\x8D~\x0E\x89\xFA\x89\xF9/
+  requires-reverse-signature ! pop_return_error
+}
+
+signature s2b-287-6 {
+  ip-proto == tcp
+  dst-port == 110
+  event "POP3 EXPLOIT x86 BSD overflow"
+  tcp-state established,originator
+  payload /.*h\]\^\xFF\xD5\xFF\xD4\xFF\xF5\x8B\xF5\x90f1/
+  requires-reverse-signature ! pop_return_error
+}
+
+signature s2b-288-6 {
+  ip-proto == tcp
+  dst-port == 110
+  event "POP3 EXPLOIT x86 Linux overflow"
+  tcp-state established,originator
+  payload /.*\xD8@\xCD\x80\xE8\xD9\xFF\xFF\xFF\/bin\/sh/
+  requires-reverse-signature ! pop_return_error
+}
+
+signature s2b-289-6 {
+  ip-proto == tcp
+  dst-port == 110
+  event "POP3 EXPLOIT x86 SCO overflow"
+  tcp-state established,originator
+  payload /.*V\x0E1\xC0\xB0\x3B\x8D~\x12\x89\xF9\x89\xF9/
+  requires-reverse-signature ! pop_return_error
+}
+
+signature s2b-290-7 {
+  ip-proto == tcp
+  dst-port == 110
+  event "POP3 EXPLOIT qpopper overflow"
+  tcp-state established,originator
+  payload /.*\xE8\xD9\xFF\xFF\xFF\/bin\/sh/
+  requires-reverse-signature ! pop_return_error
+}
+
+signature s2b-2250-1 {
+  ip-proto == tcp
+  dst-port == 110
+  event "POP3 USER format string attempt"
+  tcp-state established,originator
+  payload /.*[uU][sS][eE][rR].{1}.*%.{1}.*%/
+  requires-reverse-signature ! pop_return_error
+}
+
+signature s2b-2409-1 {
+  ip-proto == tcp
+  dst-port == 110
+  # Not supported: pcre: /^APOP\s+USER\s[^\n]{256}/smi
+  event "POP3 APOP USER overflow attempt"
+  tcp-state established,originator
+  # Not supported: isdataat: 256,relative
+  requires-reverse-signature ! pop_return_error
+  payload /((^)|(\n+))[aA][pP][oO][pP][\x20\x09\x0b]+[uU][sS][eE][rR][\x20\x09\x0b][^\n]{2,56}/
+}
+
+signature s2b-2502-7 {
+  ip-proto == tcp
+  dst-port == 995
+  event "POP3 SSLv3 invalid data version attempt"
+  tcp-state established,originator
+  payload /\x16\x03/
+  payload /.{4}\x01/
+  payload /.{8}[^\x03]*/
+  requires-reverse-signature ! pop_return_error
+}
+
+signature s2b-2518-10 {
+  ip-proto == tcp
+  dst-port == 995
+  # Not supported: byte_test: 2,>,0,6,2,!,0,8,2,!,16,8,2,>,20,10,2,>,32768,0,relative
+  event "PO3 PCT Client_Hello overflow attempt"
+  tcp-state established,originator
+  payload /.{1}\x01/
+  payload /.{10}\x8F/
+  requires-reverse-signature ! pop_return_error
+}
+
+signature s2b-2536-3 {
+  ip-proto == tcp
+  src-port == 995
+  # Not supported: flowbits: isset,sslv3.client_hello.request,set,sslv3.server_hello.request,noalert
+  event "POP3 SSLv3 Server_Hello request"
+  tcp-state established,responder
+  payload /\x16\x03/
+  payload /.{4}\x02/
+  requires-reverse-signature ! pop_return_error
+}
+
+signature s2b-2537-3 {
+  ip-proto == tcp
+  dst-port == 993
+  # Not supported: flowbits: isset,sslv3.server_hello.request
+  event "POP3 SSLv3 invalid Client_Hello attempt"
+  tcp-state established,originator
+  payload /\x16\x03/
+  payload /.{4}\x01/
+  requires-reverse-signature ! pop_return_error
+}
+
+signature s2b-2093-5 {
+  ip-proto == tcp
+  dst-port == 111
+  # Not supported: byte_test: 4,>,2048,12,relative
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC portmap proxy integer overflow attempt TCP"
+  tcp-state established,originator
+  payload /.{15}\x00\x01\x86\xA0\x00.{3}\x00\x00\x00\x05/
+  payload /.{7}\x00\x00\x00\x00/
+}
+
+signature s2b-1922-6 {
+  ip-proto == tcp
+  dst-port == 111
+  event "RPC portmap proxy attempt TCP"
+  tcp-state established,originator
+  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x05/
+  payload /.{7}\x00\x00\x00\x00/
+}
+
+signature s2b-1923-6 {
+  ip-proto == udp
+  dst-port == 111
+  event "RPC portmap proxy attempt UDP"
+  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x05/
+  payload /.{3}\x00\x00\x00\x00/
+}
+
+signature s2b-1280-9 {
+  ip-proto == udp
+  dst-port == 111
+  event "RPC portmap listing UDP 111"
+  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x04/
+  payload /.{3}\x00\x00\x00\x00/
+}
+
+signature s2b-598-12 {
+  ip-proto == tcp
+  dst-port == 111
+  event "RPC portmap listing TCP 111"
+  tcp-state established,originator
+  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x04/
+  payload /.{7}\x00\x00\x00\x00/
+}
+
+signature s2b-1949-5 {
+  ip-proto == tcp
+  dst-port == 111
+  event "RPC portmap SET attempt TCP 111"
+  tcp-state established,originator
+  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x01/
+  payload /.{7}\x00\x00\x00\x00/
+}
+
+signature s2b-1950-5 {
+  ip-proto == udp
+  dst-port == 111
+  event "RPC portmap SET attempt UDP 111"
+  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x01/
+  payload /.{3}\x00\x00\x00\x00/
+}
+
+signature s2b-2014-5 {
+  ip-proto == tcp
+  dst-port == 111
+  event "RPC portmap UNSET attempt TCP 111"
+  tcp-state established,originator
+  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x02/
+  payload /.{7}\x00\x00\x00\x00/
+}
+
+signature s2b-2015-5 {
+  ip-proto == udp
+  dst-port == 111
+  event "RPC portmap UNSET attempt UDP 111"
+  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x02/
+  payload /.{3}\x00\x00\x00\x00/
+}
+
+signature s2b-599-11 {
+  ip-proto == tcp
+  dst-port == 32771
+  event "RPC portmap listing TCP 32771"
+  tcp-state established,originator
+  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x04/
+  payload /.{7}\x00\x00\x00\x00/
+}
+
+signature s2b-1281-7 {
+  ip-proto == udp
+  dst-port == 32771
+  event "RPC portmap listing UDP 32771"
+  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x04/
+  payload /.{3}\x00\x00\x00\x00/
+}
+
+signature s2b-1746-11 {
+  ip-proto == udp
+  dst-port == 111
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC portmap cachefsd request UDP"
+  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x87\x8B/
+  payload /.{3}\x00\x00\x00\x00/
+}
+
+signature s2b-1747-11 {
+  ip-proto == tcp
+  dst-port == 111
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC portmap cachefsd request TCP"
+  tcp-state established,originator
+  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x87\x8B/
+  payload /.{7}\x00\x00\x00\x00/
+}
+
+signature s2b-1732-9 {
+  ip-proto == udp
+  dst-port == 111
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC portmap rwalld request UDP"
+  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xA8/
+  payload /.{3}\x00\x00\x00\x00/
+}
+
+signature s2b-1733-9 {
+  ip-proto == tcp
+  dst-port == 111
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC portmap rwalld request TCP"
+  tcp-state established,originator
+  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xA8/
+  payload /.{7}\x00\x00\x00\x00/
+}
+
+signature s2b-575-8 {
+  ip-proto == udp
+  dst-port == 111
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC portmap admind request UDP"
+  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xF7/
+  payload /.{3}\x00\x00\x00\x00/
+}
+
+signature s2b-576-8 {
+  ip-proto == udp
+  dst-port == 111
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC portmap amountd request UDP"
+  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x87\x03/
+  payload /.{3}\x00\x00\x00\x00/
+}
+
+signature s2b-1263-11 {
+  ip-proto == tcp
+  dst-port == 111
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC portmap amountd request TCP"
+  tcp-state established,originator
+  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x87\x03/
+  payload /.{7}\x00\x00\x00\x00/
+}
+
+signature s2b-1264-13 {
+  ip-proto == tcp
+  dst-port == 111
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC portmap bootparam request TCP"
+  tcp-state established,originator
+  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xBA/
+  payload /.{7}\x00\x00\x00\x00/
+}
+
+signature s2b-580-9 {
+  ip-proto == udp
+  dst-port == 111
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC portmap nisd request UDP"
+  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x87\xCC/
+  payload /.{3}\x00\x00\x00\x00/
+}
+
+signature s2b-1267-11 {
+  ip-proto == tcp
+  dst-port == 111
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC portmap nisd request TCP"
+  tcp-state established,originator
+  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x87\xCC/
+  payload /.{7}\x00\x00\x00\x00/
+}
+
+signature s2b-581-9 {
+  ip-proto == udp
+  dst-port == 111
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC portmap pcnfsd request UDP"
+  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x02I\xF1/
+  payload /.{3}\x00\x00\x00\x00/
+}
+
+signature s2b-1268-12 {
+  ip-proto == tcp
+  dst-port == 111
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC portmap pcnfsd request TCP"
+  tcp-state established,originator
+  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x02I\xF1/
+  payload /.{7}\x00\x00\x00\x00/
+}
+
+signature s2b-582-8 {
+  ip-proto == udp
+  dst-port == 111
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC portmap rexd request UDP"
+  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xB1/
+  payload /.{3}\x00\x00\x00\x00/
+}
+
+signature s2b-1269-10 {
+  ip-proto == tcp
+  dst-port == 111
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC portmap rexd request TCP"
+  tcp-state established,originator
+  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xB1/
+  payload /.{7}\x00\x00\x00\x00/
+}
+
+signature s2b-584-11 {
+  ip-proto == udp
+  dst-port == 111
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC portmap rusers request UDP"
+  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xA2/
+  payload /.{3}\x00\x00\x00\x00/
+}
+
+signature s2b-1271-14 {
+  ip-proto == tcp
+  dst-port == 111
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC portmap rusers request TCP"
+  tcp-state established,originator
+  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xA2/
+  payload /.{7}\x00\x00\x00\x00/
+}
+
+signature s2b-612-6 {
+  ip-proto == udp
+  event "RPC rusers query UDP"
+  payload /.{11}\x00\x01\x86\xA2.{4}\x00\x00\x00\x02/
+  payload /.{3}\x00\x00\x00\x00/
+}
+
+signature s2b-586-8 {
+  ip-proto == udp
+  dst-port == 111
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC portmap selection_svc request UDP"
+  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xAF/
+  payload /.{3}\x00\x00\x00\x00/
+}
+
+signature s2b-1273-10 {
+  ip-proto == tcp
+  dst-port == 111
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC portmap selection_svc request TCP"
+  tcp-state established,originator
+  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xAF/
+  payload /.{7}\x00\x00\x00\x00/
+}
+
+signature s2b-587-8 {
+  ip-proto == udp
+  dst-port == 111
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC portmap status request UDP"
+  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xB8/
+  payload /.{3}\x00\x00\x00\x00/
+}
+
+signature s2b-2016-6 {
+  ip-proto == tcp
+  dst-port == 111
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC portmap status request TCP"
+  tcp-state established,originator
+  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xB8/
+  payload /.{7}\x00\x00\x00\x00/
+}
+
+signature s2b-593-18 {
+  ip-proto == tcp
+  dst-port == 111
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC portmap snmpXdmi request TCP"
+  tcp-state established,originator
+  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x87\x99/
+  payload /.{7}\x00\x00\x00\x00/
+}
+
+signature s2b-1279-14 {
+  ip-proto == udp
+  dst-port == 111
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC portmap snmpXdmi request UDP"
+  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x87\x99/
+  payload /.{3}\x00\x00\x00\x00/
+}
+
+signature s2b-569-14 {
+  ip-proto == tcp
+  # Not supported: byte_test: 4,>,1024,20,relative
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC snmpXdmi overflow attempt TCP"
+  tcp-state established,originator
+  payload /.{15}\x00\x01\x87\x99.{4}\x00\x00\x01\x01/
+  payload /.{7}\x00\x00\x00\x00/
+}
+
+signature s2b-2045-8 {
+  ip-proto == udp
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC snmpXdmi overflow attempt UDP"
+  # Not supported: byte_test: 4,>,1024,20,relative
+  payload /.{11}\x00\x01\x87\x99.{4}\x00\x00\x01\x01/
+  payload /.{3}\x00\x00\x00\x00/
+}
+
+signature s2b-2017-12 {
+  ip-proto == udp
+  dst-port == 111
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC portmap espd request UDP"
+  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x05\xF7u/
+  payload /.{3}\x00\x00\x00\x00/
+}
+
+signature s2b-595-16 {
+  ip-proto == tcp
+  dst-port == 111
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC portmap espd request TCP"
+  tcp-state established,originator
+  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x05\xF7u/
+  payload /.{7}\x00\x00\x00\x00/
+}
+
+signature s2b-1890-8 {
+  ip-proto == udp
+  dst-port >= 1024
+  dst-port <= 65535
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC status GHBN format string attack"
+  payload /.{11}\x00\x01\x86\xB8.{4}\x00\x00\x00\x02.{0,251}%x %x/
+  payload /.{3}\x00\x00\x00\x00/
+}
+
+signature s2b-1891-8 {
+  ip-proto == tcp
+  dst-port >= 1024
+  dst-port <= 65535
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC status GHBN format string attack"
+  tcp-state established,originator
+  payload /.{15}\x00\x01\x86\xB8.{4}\x00\x00\x00\x02.{0,251}%x %x/
+  payload /.{7}\x00\x00\x00\x00/
+}
+
+signature s2b-579-8 {
+  ip-proto == udp
+  dst-port == 111
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC portmap mountd request UDP"
+  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xA5/
+  payload /.{3}\x00\x00\x00\x00/
+}
+
+signature s2b-1266-10 {
+  ip-proto == tcp
+  dst-port == 111
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC portmap mountd request TCP"
+  tcp-state established,originator
+  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xA5/
+  payload /.{7}\x00\x00\x00\x00/
+}
+
+signature s2b-574-8 {
+  ip-proto == tcp
+  event "RPC mountd TCP export request"
+  tcp-state established,originator
+  payload /.{15}\x00\x01\x86\xA5.{4}\x00\x00\x00\x05/
+  payload /.{7}\x00\x00\x00\x00/
+}
+
+signature s2b-1924-6 {
+  ip-proto == udp
+  event "RPC mountd UDP export request"
+  payload /.{11}\x00\x01\x86\xA5.{4}\x00\x00\x00\x05/
+  payload /.{3}\x00\x00\x00\x00/
+}
+
+signature s2b-1926-6 {
+  ip-proto == udp
+  event "RPC mountd UDP exportall request"
+  payload /.{11}\x00\x01\x86\xA5.{4}\x00\x00\x00\x06/
+  payload /.{3}\x00\x00\x00\x00/
+}
+
+signature s2b-2184-7 {
+  ip-proto == tcp
+  # Not supported: byte_test: 4,>,1023,0,relative
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC mountd TCP mount path overflow attempt"
+  tcp-state established,originator
+  payload /.{15}\x00\x01\x86\xA5\x00.{3}\x00\x00\x00\x01/
+  payload /.{7}\x00\x00\x00\x00/
+}
+
+signature s2b-2185-7 {
+  ip-proto == udp
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC mountd UDP mount path overflow attempt"
+  # Not supported: byte_test: 4,>,1023,0,relative
+  payload /.{11}\x00\x01\x86\xA5\x00.{3}\x00\x00\x00\x01/
+  payload /.{3}\x00\x00\x00\x00/
+}
+
+signature s2b-1951-5 {
+  ip-proto == tcp
+  event "RPC mountd TCP mount request"
+  tcp-state established,originator
+  payload /.{15}\x00\x01\x86\xA5.{4}\x00\x00\x00\x01/
+  payload /.{7}\x00\x00\x00\x00/
+}
+
+signature s2b-1952-5 {
+  ip-proto == udp
+  event "RPC mountd UDP mount request"
+  payload /.{11}\x00\x01\x86\xA5.{4}\x00\x00\x00\x01/
+  payload /.{3}\x00\x00\x00\x00/
+}
+
+signature s2b-2018-4 {
+  ip-proto == tcp
+  event "RPC mountd TCP dump request"
+  tcp-state established,originator
+  payload /.{15}\x00\x01\x86\xA5.{4}\x00\x00\x00\x02/
+  payload /.{7}\x00\x00\x00\x00/
+}
+
+signature s2b-2019-4 {
+  ip-proto == udp
+  event "RPC mountd UDP dump request"
+  payload /.{11}\x00\x01\x86\xA5.{4}\x00\x00\x00\x02/
+  payload /.{3}\x00\x00\x00\x00/
+}
+
+signature s2b-2020-4 {
+  ip-proto == tcp
+  event "RPC mountd TCP unmount request"
+  tcp-state established,originator
+  payload /.{15}\x00\x01\x86\xA5.{4}\x00\x00\x00\x03/
+  payload /.{7}\x00\x00\x00\x00/
+}
+
+signature s2b-2021-4 {
+  ip-proto == udp
+  event "RPC mountd UDP unmount request"
+  payload /.{11}\x00\x01\x86\xA5.{4}\x00\x00\x00\x03/
+  payload /.{3}\x00\x00\x00\x00/
+}
+
+signature s2b-2022-4 {
+  ip-proto == tcp
+  event "RPC mountd TCP unmountall request"
+  tcp-state established,originator
+  payload /.{15}\x00\x01\x86\xA5.{4}\x00\x00\x00\x04/
+  payload /.{7}\x00\x00\x00\x00/
+}
+
+signature s2b-2023-4 {
+  ip-proto == udp
+  event "RPC mountd UDP unmountall request"
+  payload /.{11}\x00\x01\x86\xA5.{4}\x00\x00\x00\x04/
+  payload /.{3}\x00\x00\x00\x00/
+}
+
+signature s2b-1905-8 {
+  ip-proto == udp
+  dst-port >= 500
+  dst-port <= 65535
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC AMD UDP amqproc_mount plog overflow attempt"
+  # Not supported: byte_test: 4,>,512,0,relative
+  payload /.{11}\x00\x04\x93\xF3.{4}\x00\x00\x00\x07/
+  payload /.{3}\x00\x00\x00\x00/
+}
+
+signature s2b-1906-8 {
+  ip-proto == tcp
+  dst-port >= 500
+  dst-port <= 65535
+  # Not supported: byte_test: 4,>,512,0,relative
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC AMD TCP amqproc_mount plog overflow attempt"
+  tcp-state established,originator
+  payload /.{15}\x00\x04\x93\xF3.{4}\x00\x00\x00\x07/
+  payload /.{7}\x00\x00\x00\x00/
+}
+
+signature s2b-1953-5 {
+  ip-proto == tcp
+  dst-port >= 500
+  dst-port <= 65535
+  event "RPC AMD TCP pid request"
+  tcp-state established,originator
+  payload /.{15}\x00\x04\x93\xF3.{4}\x00\x00\x00\x09/
+  payload /.{7}\x00\x00\x00\x00/
+}
+
+signature s2b-1954-5 {
+  ip-proto == udp
+  dst-port >= 500
+  dst-port <= 65535
+  event "RPC AMD UDP pid request"
+  payload /.{11}\x00\x04\x93\xF3.{4}\x00\x00\x00\x09/
+  payload /.{3}\x00\x00\x00\x00/
+}
+
+signature s2b-1955-6 {
+  ip-proto == tcp
+  dst-port >= 500
+  dst-port <= 65535
+  event "RPC AMD TCP version request"
+  tcp-state established,originator
+  payload /.{15}\x00\x04\x93\xF3.{4}\x00\x00\x00\x08/
+  payload /.{7}\x00\x00\x00\x00/
+}
+
+signature s2b-578-8 {
+  ip-proto == udp
+  dst-port == 111
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC portmap cmsd request UDP"
+  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xE4/
+  payload /.{3}\x00\x00\x00\x00/
+}
+
+signature s2b-1265-9 {
+  ip-proto == tcp
+  dst-port == 111
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC portmap cmsd request TCP"
+  tcp-state established,originator
+  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xE4/
+  payload /.{7}\x00\x00\x00\x00/
+}
+
+signature s2b-1907-10 {
+  ip-proto == udp
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC CMSD UDP CMSD_CREATE buffer overflow attempt"
+  # Not supported: byte_test: 4,>,1024,0,relative
+  payload /.{11}\x00\x01\x86\xE4.{4}\x00\x00\x00\x15/
+  payload /.{3}\x00\x00\x00\x00/
+}
+
+signature s2b-1908-9 {
+  ip-proto == tcp
+  # Not supported: byte_test: 4,>,1024,0,relative
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC CMSD TCP CMSD_CREATE buffer overflow attempt"
+  tcp-state established,originator
+  payload /.{15}\x00\x01\x86\xE4.{4}\x00\x00\x00\x15/
+  payload /.{7}\x00\x00\x00\x00/
+}
+
+signature s2b-2094-6 {
+  ip-proto == udp
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC CMSD UDP CMSD_CREATE array buffer overflow attempt"
+  # Not supported: byte_test: 4,>,1024,20,relative
+  payload /.{11}\x00\x01\x86\xE4.{4}\x00\x00\x00\x15/
+  payload /.{3}\x00\x00\x00\x00/
+}
+
+signature s2b-2095-6 {
+  ip-proto == tcp
+  # Not supported: byte_test: 4,>,1024,20,relative
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC CMSD TCP CMSD_CREATE array buffer overflow attempt"
+  tcp-state established,originator
+  payload /.{15}\x00\x01\x86\xE4.{4}\x00\x00\x00\x15/
+  payload /.{7}\x00\x00\x00\x00/
+}
+
+signature s2b-1909-10 {
+  ip-proto == tcp
+  # Not supported: byte_test: 4,>,1000,28,relative
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align,4,0,relative,align
+  event "RPC CMSD TCP CMSD_INSERT buffer overflow attempt"
+  tcp-state established,originator
+  payload /.{15}\x00\x01\x86\xE4.{4}\x00\x00\x00\x06/
+  payload /.{7}\x00\x00\x00\x00/
+}
+
+signature s2b-1910-10 {
+  ip-proto == udp
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align,4,0,relative,align
+  event "RPC CMSD udp CMSD_INSERT buffer overflow attempt"
+  # Not supported: byte_test: 4,>,1000,28,relative
+  payload /.{11}\x00\x01\x86\xE4.{4}\x00\x00\x00\x06/
+  payload /.{3}\x00\x00\x00\x00/
+}
+
+signature s2b-1272-10 {
+  ip-proto == tcp
+  dst-port == 111
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC portmap sadmind request TCP"
+  tcp-state established,originator
+  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x87\x88/
+  payload /.{7}\x00\x00\x00\x00/
+}
+
+signature s2b-585-7 {
+  ip-proto == udp
+  dst-port == 111
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC portmap sadmind request UDP"
+  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x87\x88/
+  payload /.{3}\x00\x00\x00\x00/
+}
+
+signature s2b-1911-10 {
+  ip-proto == udp
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align,4,124,relative,align,4,20,relative,align
+  event "RPC sadmind UDP NETMGT_PROC_SERVICE CLIENT_DOMAIN overflow attempt"
+  # Not supported: byte_test: 4,>,512,4,relative
+  payload /.{11}\x00\x01\x87\x88.{4}\x00\x00\x00\x01/
+  payload /.{3}\x00\x00\x00\x00/
+}
+
+signature s2b-1912-9 {
+  ip-proto == tcp
+  # Not supported: byte_test: 4,>,512,4,relative
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align,4,124,relative,align,4,20,relative,align
+  event "RPC sadmind TCP NETMGT_PROC_SERVICE CLIENT_DOMAIN overflow attempt"
+  tcp-state established,originator
+  payload /.{15}\x00\x01\x87\x88.{4}\x00\x00\x00\x01/
+  payload /.{7}\x00\x00\x00\x00/
+}
+
+signature s2b-1957-5 {
+  ip-proto == udp
+  event "RPC sadmind UDP PING"
+  payload /.{11}\x00\x01\x87\x88.{4}\x00\x00\x00\x00/
+  payload /.{3}\x00\x00\x00\x00/
+}
+
+signature s2b-1958-5 {
+  ip-proto == tcp
+  event "RPC sadmind TCP PING"
+  tcp-state established,originator
+  payload /.{15}\x00\x01\x87\x88.{4}\x00\x00\x00\x00/
+  payload /.{7}\x00\x00\x00\x00/
+}
+
+signature s2b-583-9 {
+  ip-proto == udp
+  dst-port == 111
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC portmap rstatd request UDP"
+  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xA1/
+  payload /.{3}\x00\x00\x00\x00/
+}
+
+signature s2b-1270-11 {
+  ip-proto == tcp
+  dst-port == 111
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC portmap rstatd request TCP"
+  tcp-state established,originator
+  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xA1/
+  payload /.{7}\x00\x00\x00\x00/
+}
+
+signature s2b-1913-10 {
+  ip-proto == udp
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC STATD UDP stat mon_name format string exploit attempt"
+  # Not supported: byte_test: 4,>,100,0,relative
+  payload /.{11}\x00\x01\x86\xB8.{4}\x00\x00\x00\x01/
+  payload /.{3}\x00\x00\x00\x00/
+}
+
+signature s2b-1914-10 {
+  ip-proto == tcp
+  # Not supported: byte_test: 4,>,100,0,relative
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC STATD TCP stat mon_name format string exploit attempt"
+  tcp-state established,originator
+  payload /.{15}\x00\x01\x86\xB8.{4}\x00\x00\x00\x01/
+  payload /.{7}\x00\x00\x00\x00/
+}
+
+signature s2b-1915-9 {
+  ip-proto == udp
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC STATD UDP monitor mon_name format string exploit attempt"
+  # Not supported: byte_test: 4,>,100,0,relative
+  payload /.{11}\x00\x01\x86\xB8.{4}\x00\x00\x00\x02/
+  payload /.{3}\x00\x00\x00\x00/
+}
+
+signature s2b-1916-9 {
+  ip-proto == tcp
+  # Not supported: byte_test: 4,>,100,0,relative
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC STATD TCP monitor mon_name format string exploit attempt"
+  tcp-state established,originator
+  payload /.{15}\x00\x01\x86\xB8.{4}\x00\x00\x00\x02/
+  payload /.{7}\x00\x00\x00\x00/
+}
+
+signature s2b-1277-9 {
+  ip-proto == udp
+  dst-port == 111
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC portmap ypupdated request UDP"
+  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xBC/
+  payload /.{3}\x00\x00\x00\x00/
+}
+
+signature s2b-591-10 {
+  ip-proto == tcp
+  dst-port == 111
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC portmap ypupdated request TCP"
+  tcp-state established,originator
+  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xBC/
+  payload /.{7}\x00\x00\x00\x00/
+}
+
+signature s2b-2088-5 {
+  ip-proto == udp
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC ypupdated arbitrary command attempt UDP"
+  payload /.{11}\x00\x01\x86\xBC.{4}\x00\x00\x00\x01.{4}.*\x7C/
+  payload /.{3}\x00\x00\x00\x00/
+}
+
+signature s2b-2089-5 {
+  ip-proto == tcp
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC ypupdated arbitrary command attempt TCP"
+  tcp-state established,originator
+  payload /.{15}\x00\x01\x86\xBC.{4}\x00\x00\x00\x01.{4}.*\x7C/
+  payload /.{7}\x00\x00\x00\x00/
+}
+
+signature s2b-1959-7 {
+  ip-proto == udp
+  dst-port == 111
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC portmap NFS request UDP"
+  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xA3/
+  payload /.{3}\x00\x00\x00\x00/
+}
+
+signature s2b-1960-7 {
+  ip-proto == tcp
+  dst-port == 111
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC portmap NFS request TCP"
+  tcp-state established,originator
+  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xA3/
+  payload /.{7}\x00\x00\x00\x00/
+}
+
+signature s2b-1961-7 {
+  ip-proto == udp
+  dst-port == 111
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC portmap RQUOTA request UDP"
+  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xAB/
+  payload /.{3}\x00\x00\x00\x00/
+}
+
+signature s2b-1962-7 {
+  ip-proto == tcp
+  dst-port == 111
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC portmap RQUOTA request TCP"
+  tcp-state established,originator
+  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xAB/
+  payload /.{7}\x00\x00\x00\x00/
+}
+
+signature s2b-1963-9 {
+  ip-proto == udp
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC RQUOTA getquota overflow attempt UDP"
+  # Not supported: byte_test: 4,>,128,0,relative
+  payload /.{11}\x00\x01\x86\xAB.{4}\x00\x00\x00\x01/
+  payload /.{3}\x00\x00\x00\x00/
+}
+
+signature s2b-2024-8 {
+  ip-proto == tcp
+  # Not supported: byte_test: 4,>,128,0,relative
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC RQUOTA getquota overflow attempt TCP"
+  tcp-state established,originator
+  payload /.{15}\x00\x01\x86\xAB.{4}\x00\x00\x00\x01/
+  payload /.{7}\x00\x00\x00\x00/
+}
+
+signature s2b-588-17 {
+  ip-proto == udp
+  dst-port == 111
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC portmap ttdbserv request UDP"
+  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xF3/
+  payload /.{3}\x00\x00\x00\x00/
+}
+
+signature s2b-1274-17 {
+  ip-proto == tcp
+  dst-port == 111
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC portmap ttdbserv request TCP"
+  tcp-state established,originator
+  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xF3/
+  payload /.{7}\x00\x00\x00\x00/
+}
+
+signature s2b-1964-8 {
+  ip-proto == udp
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC tooltalk UDP overflow attempt"
+  # Not supported: byte_test: 4,>,128,0,relative
+  payload /.{11}\x00\x01\x86\xF3.{4}\x00\x00\x00\x07/
+  payload /.{3}\x00\x00\x00\x00/
+}
+
+signature s2b-1965-8 {
+  ip-proto == tcp
+  # Not supported: byte_test: 4,>,128,0,relative
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC tooltalk TCP overflow attempt"
+  tcp-state established,originator
+  payload /.{15}\x00\x01\x86\xF3.{4}\x00\x00\x00\x07/
+  payload /.{7}\x00\x00\x00\x00/
+}
+
+signature s2b-589-8 {
+  ip-proto == udp
+  dst-port == 111
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC portmap yppasswd request UDP"
+  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xA9/
+  payload /.{3}\x00\x00\x00\x00/
+}
+
+signature s2b-1275-10 {
+  ip-proto == tcp
+  dst-port == 111
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC portmap yppasswd request TCP"
+  tcp-state established,originator
+  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xA9/
+  payload /.{7}\x00\x00\x00\x00/
+}
+
+signature s2b-2027-5 {
+  ip-proto == udp
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  # Not supported: byte_test: 4,>,64,0,relative
+  event "RPC yppasswd old password overflow attempt UDP"
+  payload /.{11}\x00\x01\x86\xA9.{4}\x00\x00\x00\x01/
+  payload /.{3}\x00\x00\x00\x00/
+}
+
+signature s2b-2028-5 {
+  ip-proto == tcp
+  # Not supported: byte_test: 4,>,64,0,relative
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC yppasswd old password overflow attempt TCP"
+  tcp-state established,originator
+  payload /.{15}\x00\x01\x86\xA9.{4}\x00\x00\x00\x01/
+  payload /.{7}\x00\x00\x00\x00/
+}
+
+signature s2b-2025-9 {
+  ip-proto == udp
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align,4,0,relative,align
+  event "RPC yppasswd username overflow attempt UDP"
+  # Not supported: byte_test: 4,>,64,0,relative
+  payload /.{11}\x00\x01\x86\xA9.{4}\x00\x00\x00\x01/
+  payload /.{3}\x00\x00\x00\x00/
+}
+
+signature s2b-2026-9 {
+  ip-proto == tcp
+  # Not supported: byte_test: 4,>,64,0,relative
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align,4,0,relative,align
+  event "RPC yppasswd username overflow attempt TCP"
+  tcp-state established,originator
+  payload /.{15}\x00\x01\x86\xA9.{4}\x00\x00\x00\x01/
+  payload /.{7}\x00\x00\x00\x00/
+}
+
+signature s2b-2029-5 {
+  ip-proto == udp
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align,4,0,relative,align,4,0,relative,align
+  # Not supported: byte_test: 4,>,64,0,relative
+  event "RPC yppasswd new password overflow attempt UDP"
+  payload /.{11}\x00\x01\x86\xA9.{4}\x00\x00\x00\x01/
+  payload /.{3}\x00\x00\x00\x00/
+}
+
+signature s2b-2030-6 {
+  ip-proto == tcp
+  # Not supported: byte_test: 4,>,64,0,relative
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align,4,0,relative,align,4,0,relative,align
+  event "RPC yppasswd new password overflow attempt TCP"
+  tcp-state established,originator
+  payload /.{15}\x00\x01\x86\xA9.{4}\x00\x00\x00\x01/
+  payload /.{7}\x00\x00\x00\x00/
+}
+
+signature s2b-2031-5 {
+  ip-proto == udp
+  event "RPC yppasswd user update UDP"
+  payload /.{11}\x00\x01\x86\xA9.{4}\x00\x00\x00\x01/
+  payload /.{3}\x00\x00\x00\x00/
+}
+
+signature s2b-2032-5 {
+  ip-proto == tcp
+  event "RPC yppasswd user update TCP"
+  tcp-state established,originator
+  payload /.{15}\x00\x01\x86\xA9.{4}\x00\x00\x00\x01/
+  payload /.{7}\x00\x00\x00\x00/
+}
+
+signature s2b-590-12 {
+  ip-proto == udp
+  dst-port == 111
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC portmap ypserv request UDP"
+  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xA4/
+  payload /.{3}\x00\x00\x00\x00/
+}
+
+signature s2b-1276-14 {
+  ip-proto == tcp
+  dst-port == 111
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC portmap ypserv request TCP"
+  tcp-state established,originator
+  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xA4/
+  payload /.{7}\x00\x00\x00\x00/
+}
+
+signature s2b-2033-8 {
+  ip-proto == udp
+  event "RPC ypserv maplist request UDP"
+  payload /.{11}\x00\x01\x86\xA4.{4}\x00\x00\x00\x0B/
+  payload /.{3}\x00\x00\x00\x00/
+}
+
+signature s2b-2034-7 {
+  ip-proto == tcp
+  event "RPC ypserv maplist request TCP"
+  tcp-state established,originator
+  payload /.{15}\x00\x01\x86\xA4.{4}\x00\x00\x00\x0B/
+  payload /.{7}\x00\x00\x00\x00/
+}
+
+signature s2b-2035-6 {
+  ip-proto == udp
+  dst-port == 111
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC portmap network-status-monitor request UDP"
+  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x03\x0Dp/
+  payload /.{3}\x00\x00\x00\x00/
+}
+
+signature s2b-2036-6 {
+  ip-proto == tcp
+  dst-port == 111
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC portmap network-status-monitor request TCP"
+  tcp-state established,originator
+  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x03\x0Dp/
+  payload /.{7}\x00\x00\x00\x00/
+}
+
+signature s2b-2037-5 {
+  ip-proto == udp
+  event "RPC network-status-monitor mon-callback request UDP"
+  payload /.{11}\x00\x03\x0Dp.{4}\x00\x00\x00\x01/
+  payload /.{3}\x00\x00\x00\x00/
+}
+
+signature s2b-2038-5 {
+  ip-proto == tcp
+  event "RPC network-status-monitor mon-callback request TCP"
+  tcp-state established,originator
+  payload /.{15}\x00\x03\x0Dp.{4}\x00\x00\x00\x01/
+  payload /.{7}\x00\x00\x00\x00/
+}
+
+signature s2b-2079-6 {
+  ip-proto == udp
+  dst-port == 111
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC portmap nlockmgr request UDP"
+  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xB5/
+  payload /.{3}\x00\x00\x00\x00/
+}
+
+signature s2b-2080-6 {
+  ip-proto == tcp
+  dst-port == 111
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC portmap nlockmgr request TCP"
+  tcp-state established,originator
+  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x86\xB5/
+  payload /.{7}\x00\x00\x00\x00/
+}
+
+signature s2b-2081-9 {
+  ip-proto == udp
+  dst-port == 111
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC portmap rpc.xfsmd request UDP"
+  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x05\xF7h/
+  payload /.{3}\x00\x00\x00\x00/
+}
+
+signature s2b-2082-9 {
+  ip-proto == tcp
+  dst-port == 111
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC portmap rpc.xfsmd request TCP"
+  tcp-state established,originator
+  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x05\xF7h/
+  payload /.{7}\x00\x00\x00\x00/
+}
+
+signature s2b-2083-8 {
+  ip-proto == udp
+  event "RPC rpc.xfsmd xfs_export attempt UDP"
+  payload /.{11}\x00\x05\xF7h.{4}\x00\x00\x00\x0D/
+  payload /.{3}\x00\x00\x00\x00/
+}
+
+signature s2b-2084-8 {
+  ip-proto == tcp
+  event "RPC rpc.xfsmd xfs_export attempt TCP"
+  tcp-state established,originator
+  payload /.{15}\x00\x05\xF7h.{4}\x00\x00\x00\x0D/
+  payload /.{7}\x00\x00\x00\x00/
+}
+
+signature s2b-2005-10 {
+  ip-proto == udp
+  dst-port == 111
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC portmap kcms_server request UDP"
+  payload /.{11}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x87\}/
+  payload /.{3}\x00\x00\x00\x00/
+}
+
+signature s2b-2006-10 {
+  ip-proto == tcp
+  dst-port == 111
+  # Not supported: byte_jump: 4,4,relative,align,4,4,relative,align
+  event "RPC portmap kcms_server request TCP"
+  tcp-state established,originator
+  payload /.{15}\x00\x01\x86\xA0.{4}\x00\x00\x00\x03\x00\x01\x87\}/
+  payload /.{7}\x00\x00\x00\x00/
+}
+
+signature s2b-2007-10 {
+  ip-proto == tcp
+  dst-port >= 32771
+  dst-port <= 34000
+  # Not supported: byte_jump: 4,20,relative,align,4,4,relative,align
+  event "RPC kcms_server directory traversal attempt"
+  tcp-state established,originator
+  payload /.{15}\x00\x01\x87\}.*.*\/\.\.\//
+  payload /.{7}\x00\x00\x00\x00/
+}
+
+signature s2b-2255-3 {
+  ip-proto == tcp
+  # Not supported: byte_jump: 4,8,relative,align
+  event "RPC sadmind query with root credentials attempt TCP"
+  tcp-state established,originator
+  payload /.{15}\x00\x01\x87\x88.{4}\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x00/
+}
+
+signature s2b-2256-3 {
+  ip-proto == udp
+  # Not supported: byte_jump: 4,8,relative,align
+  event "RPC sadmind query with root credentials attempt UDP"
+  payload /.{11}\x00\x01\x87\x88.{4}\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x00/
+}
+
+signature s2b-601-6 {
+  ip-proto == tcp
+  dst-port == 513
+  event "RSERVICES rlogin LinuxNIS"
+  tcp-state established,originator
+  payload /.*\x3A\x3A\x3A\x3A\x3A\x3A\x3A\x3A\x00\x3A\x3A\x3A\x3A\x3A\x3A\x3A\x3A/
+}
+
+signature s2b-602-5 {
+  ip-proto == tcp
+  dst-port == 513
+  event "RSERVICES rlogin bin"
+  tcp-state established,originator
+  payload /.*bin\x00bin\x00/
+}
+
+signature s2b-603-5 {
+  ip-proto == tcp
+  dst-port == 513
+  event "RSERVICES rlogin echo++"
+  tcp-state established,originator
+  payload /.*echo \x22 \+ \+ \x22/
+}
+
+signature s2b-604-5 {
+  ip-proto == tcp
+  dst-port == 513
+  event "RSERVICES rsh froot"
+  tcp-state established,originator
+  payload /.*-froot\x00/
+}
+
+signature s2b-611-7 {
+  ip-proto == tcp
+  src-port == 513
+  event "RSERVICES rlogin login failure"
+  tcp-state established,responder
+  payload /.*\x01rlogind\x3A Permission denied\./
+}
+
+signature s2b-605-6 {
+  ip-proto == tcp
+  src-port == 513
+  event "RSERVICES rlogin login failure"
+  tcp-state established,responder
+  payload /.*login incorrect/
+}
+
+signature s2b-606-5 {
+  ip-proto == tcp
+  dst-port == 513
+  event "RSERVICES rlogin root"
+  tcp-state established,originator
+  payload /.*root\x00root\x00/
+}
+
+signature s2b-607-5 {
+  ip-proto == tcp
+  dst-port == 514
+  event "RSERVICES rsh bin"
+  tcp-state established,originator
+  payload /.*bin\x00bin\x00/
+}
+
+signature s2b-608-5 {
+  ip-proto == tcp
+  dst-port == 514
+  event "RSERVICES rsh echo + +"
+  tcp-state established,originator
+  payload /.*echo \x22\+ \+\x22/
+}
+
+signature s2b-609-5 {
+  ip-proto == tcp
+  dst-port == 514
+  event "RSERVICES rsh froot"
+  tcp-state established,originator
+  payload /.*-froot\x00/
+}
+
+signature s2b-610-5 {
+  ip-proto == tcp
+  dst-port == 514
+  event "RSERVICES rsh root"
+  tcp-state established,originator
+  payload /.*root\x00root\x00/
+}
+
+signature s2b-2113-3 {
+  ip-proto == tcp
+  dst-port == 512
+  dst-ip == local_nets
+  event "RSERVICES rexec username overflow attempt"
+  tcp-state established,originator
+  payload /.{8}.*\x00.*.*\x00.*.*\x00/
+}
+
+signature s2b-2114-3 {
+  ip-proto == tcp
+  dst-port == 512
+  event "RSERVICES rexec password overflow attempt"
+  tcp-state established,originator
+  payload /.*\x00.{33}.*\x00.*.*\x00/
+}
+
+signature s2b-616-4 {
+  ip-proto == tcp
+  dst-port == 113
+  event "SCAN ident version request"
+  tcp-state established,originator
+  payload /.{0,8}VERSION\x0A/
+}
+
+signature s2b-619-5 {
+  ip-proto == tcp
+  dst-port == 80
+  payload-size == 0
+  header tcp[13:1] & 255 == 195
+  event "SCAN cybercop os probe"
+  tcp-state stateless
+}
+
+signature s2b-622-6 {
+  ip-proto == tcp
+  header tcp[13:1] & 255 == 2
+  header tcp[4:4] == 1958810375
+  event "SCAN ipEye SYN scan"
+  tcp-state stateless
+}
+
+signature s2b-1228-6 {
+  ip-proto == tcp
+  header tcp[13:1] & 255 == 41
+  event "SCAN nmap XMAS"
+  tcp-state stateless
+}
+
+signature s2b-630-5 {
+  ip-proto == tcp
+  header tcp[13:1] & 255 == 3
+  event "SCAN synscan portscan"
+  tcp-state stateless
+  header ip[4:2] == 39426
+}
+
+signature s2b-626-7 {
+  ip-proto == tcp
+  header tcp[13:1] & 255 == 216
+  event "SCAN cybercop os PA12 attempt"
+  tcp-state stateless
+  payload /AAAAAAAAAAAAAAAA/
+}
+
+signature s2b-627-7 {
+  ip-proto == tcp
+  header tcp[8:4] == 0
+  header tcp[13:1] & 255 == 227
+  event "SCAN cybercop os SFU12 probe"
+  tcp-state stateless
+  payload /AAAAAAAAAAAAAAAA/
+}
+
+signature s2b-634-2 {
+  ip-proto == udp
+  dst-port >= 10080
+  dst-port <= 10081
+  event "SCAN Amanda client version request"
+  payload /.*[aA][mM][aA][nN][dD][aA]/
+}
+
+signature s2b-635-3 {
+  ip-proto == udp
+  dst-port == 49
+  event "SCAN XTACACS logout"
+  payload /.*\x80\x07\x00\x00\x07\x00\x00\x04\x00\x00\x00\x00\x00/
+}
+
+signature s2b-636-1 {
+  ip-proto == udp
+  dst-port == 7
+  event "SCAN cybercop udp bomb"
+  payload /.*cybercop/
+}
+
+signature s2b-637-3 {
+  ip-proto == udp
+  event "SCAN Webtrends Scanner UDP Probe"
+  payload /.*\x0Ahelp\x0Aquite\x0A/
+}
+
+signature s2b-1638-5 {
+  ip-proto == tcp
+  dst-port == 22
+  event "SCAN SSH Version map attempt"
+  tcp-state established,originator
+  payload /.*[vV][eE][rR][sS][iI][oO][nN]_[mM][aA][pP][pP][eE][rR]/
+}
+
+signature s2b-1133-11 {
+  ip-proto == tcp
+  dst-port == http_ports
+  header tcp[8:4] == 0
+  header tcp[13:1] & 255 == 11
+  event "SCAN cybercop os probe"
+  tcp-state stateless
+  payload /AAAAAAAAAAAAAAAA/
+}
+
+signature s2b-647-6 {
+  src-port != non_shellcode_ports
+  event "SHELLCODE sparc setuid 0"
+  payload /.*\x82\x10 \x17\x91\xD0 \x08/
+}
+
+signature s2b-649-8 {
+  src-port != non_shellcode_ports
+  event "SHELLCODE x86 setgid 0"
+  payload /.*\xB0\xB5\xCD\x80/
+}
+
+signature s2b-638-5 {
+  src-port != non_shellcode_ports
+  event "SHELLCODE SGI NOOP"
+  payload /.*\x03\xE0\xF8%\x03\xE0\xF8%\x03\xE0\xF8%\x03\xE0\xF8%/
+}
+
+signature s2b-639-5 {
+  src-port != non_shellcode_ports
+  event "SHELLCODE SGI NOOP"
+  payload /.*\x24\x0F\x124\x24\x0F\x124\x24\x0F\x124\x24\x0F\x124/
+}
+
+signature s2b-640-6 {
+  src-port != non_shellcode_ports
+  event "SHELLCODE AIX NOOP"
+  payload /.*O\xFF\xFB\x82O\xFF\xFB\x82O\xFF\xFB\x82O\xFF\xFB\x82/
+}
+
+signature s2b-641-6 {
+  src-port != non_shellcode_ports
+  event "SHELLCODE Digital UNIX NOOP"
+  payload /.*G\xFF\x04\x1FG\xFF\x04\x1FG\xFF\x04\x1FG\xFF\x04\x1F/
+}
+
+signature s2b-642-6 {
+  src-port != non_shellcode_ports
+  event "SHELLCODE HP-UX NOOP"
+  payload /.*\x08!\x02\x80\x08!\x02\x80\x08!\x02\x80\x08!\x02\x80/
+}
+
+signature s2b-644-5 {
+  src-port != non_shellcode_ports
+  event "SHELLCODE sparc NOOP"
+  payload /.*\x13\xC0\x1C\xA6\x13\xC0\x1C\xA6\x13\xC0\x1C\xA6\x13\xC0\x1C\xA6/
+}
+
+signature s2b-645-5 {
+  src-port != non_shellcode_ports
+  event "SHELLCODE sparc NOOP"
+  payload /.*\x80\x1C@\x11\x80\x1C@\x11\x80\x1C@\x11\x80\x1C@\x11/
+}
+
+signature s2b-646-5 {
+  src-port != non_shellcode_ports
+  event "SHELLCODE sparc NOOP"
+  payload /.*\xA6\x1C\xC0\x13\xA6\x1C\xC0\x13\xA6\x1C\xC0\x13\xA6\x1C\xC0\x13/
+}
+
+signature s2b-648-7 {
+  src-port != non_shellcode_ports
+  event "SHELLCODE x86 NOOP"
+  payload /.{0,114}\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90/
+}
+
+signature s2b-651-8 {
+  src-port != non_shellcode_ports
+  event "SHELLCODE x86 stealth NOOP"
+  payload /.*\xEB\x02\xEB\x02\xEB\x02/
+}
+
+signature s2b-653-8 {
+  src-port != non_shellcode_ports
+  event "SHELLCODE x86 unicode NOOP"
+  payload /.*\x90\x00\x90\x00\x90\x00\x90\x00\x90\x00/
+}
+
+signature s2b-652-9 {
+  src-port != non_shellcode_ports
+  event "SHELLCODE Linux shellcode"
+  payload /.*\x90\x90\x90\xE8\xC0\xFF\xFF\xFF\/bin\/sh/
+}
+
+signature s2b-1390-5 {
+  src-port != non_shellcode_ports
+  event "SHELLCODE x86 inc ebx NOOP"
+  payload /.*CCCCCCCCCCCCCCCCCCCCCCCC/
+}
+
+signature s2b-1394-5 {
+  src-port != non_shellcode_ports
+  event "SHELLCODE x86 NOOP"
+  payload /.*aaaaaaaaaaaaaaaaaaaaa/
+}
+
+signature s2b-1424-6 {
+  src-port != non_shellcode_ports
+  event "SHELLCODE x86 0xEB0C NOOP"
+  payload /.*\xEB\x0C\xEB\x0C\xEB\x0C\xEB\x0C\xEB\x0C\xEB\x0C\xEB\x0C\xEB\x0C/
+}
+
+signature s2b-2312-2 {
+  src-port != non_shellcode_ports
+  event "SHELLCODE x86 0x71FB7BAB NOOP"
+  payload /.*q\xFB\{\xABq\xFB\{\xABq\xFB\{\xABq\xFB\{\xAB/
+}
+
+signature s2b-2313-2 {
+  src-port != non_shellcode_ports
+  event "SHELLCODE x86 0x71FB7BAB NOOP unicode"
+  payload /.*q\x00\xFB\x00\{\x00\xAB\x00q\x00\xFB\x00\{\x00\xAB\x00q\x00\xFB\x00\{\x00\xAB\x00q\x00\xFB\x00\{\x00\xAB\x00/
+}
+
+signature s2b-2314-1 {
+  src-port != non_shellcode_ports
+  event "SHELLCODE x86 0x90 NOOP unicode"
+  payload /.*\x90\x00\x90\x00\x90\x00\x90\x00\x90\x00\x90\x00\x90\x00\x90\x00/
+}
+
+signature s2b-654-13 {
+  ip-proto == tcp
+  dst-port == 25
+  # Not supported: pcre: /^RCPT TO\s[^\n]{300}/ism
+  event "SMTP RCPT TO overflow"
+  tcp-state established,originator
+  # Not supported: isdataat: 300,relative
+  payload /.*[rR][cC][pP][tT] [tT][oO]\x3A/
+  requires-reverse-signature ! smtp_server_fail
+  payload /((^)|(\n+))[rR][cC][pP][tT] [tT][oO][\x20\x09\x0b][^\n]{300}/
+}
+
+signature s2b-657-12 {
+  ip-proto == tcp
+  dst-port == 25
+  # Not supported: pcre: /^HELP\s[^\n]{500}/ism
+  event "SMTP chameleon overflow"
+  tcp-state established,originator
+  # Not supported: isdataat: 500,relative
+  requires-reverse-signature ! smtp_server_fail
+  payload /((^)|(\n+))[hH][eE][lL][pP][\x20\x09\x0b][^\n]{500}/
+}
+
+signature s2b-655-8 {
+  ip-proto == tcp
+  src-port == 113
+  dst-port == 25
+  event "SMTP sendmail 8.6.9 exploit"
+  tcp-state established,originator
+  payload /.*\x0AD\//
+  requires-reverse-signature ! smtp_server_fail
+}
+
+signature s2b-658-5 {
+  ip-proto == tcp
+  dst-port == 25
+  event "SMTP exchange mime DOS"
+  tcp-state established,originator
+  payload /.*charset = \x22\x22/
+}
+
+signature s2b-659-6 {
+  ip-proto == tcp
+  dst-port == 25
+  # Not supported: pcre: /^expn\s+decode/smi
+  event "SMTP expn decode"
+  tcp-state established,originator
+  requires-reverse-signature ! smtp_server_fail
+  payload /((^)|(\n+))[eE][xX][pP][nN][\x20\x09\x0b][dD][eE][cC][oO][dD][eE]/
+}
+
+signature s2b-660-7 {
+  ip-proto == tcp
+  dst-port == 25
+  # Not supported: pcre: /^expn\s+root/smi
+  event "SMTP expn root"
+  tcp-state established,originator
+  requires-reverse-signature ! smtp_server_fail
+  payload /((^)|(\n+))[eE][xX][pP][nN][\x20\x09\x0b][rR][oO][oO][tT]/
+}
+
+signature s2b-1450-5 {
+  ip-proto == tcp
+  dst-port == 25
+  # Not supported: pcre: /^expn\s+\*@/smi
+  event "SMTP expn *@"
+  tcp-state established,originator
+  requires-reverse-signature ! smtp_server_fail
+  payload /((^)|(\n+))[eE][xX][pP][nN][\x20\x09\x0b]\*@/
+}
+
+signature s2b-661-6 {
+  ip-proto == tcp
+  dst-port == 25
+  event "SMTP majordomo ifs"
+  tcp-state established,originator
+  payload /.*eply-to\x3A a~\.`\/bin\//
+  requires-reverse-signature ! smtp_server_fail
+}
+
+signature s2b-662-5 {
+  ip-proto == tcp
+  dst-port == 25
+  event "SMTP sendmail 5.5.5 exploit"
+  tcp-state established,originator
+  payload /.*[mM][aA][iI][lL] [fF][rR][oO][mM]\x3A \x22\x7C/
+  requires-reverse-signature ! smtp_server_fail
+}
+
+signature s2b-663-13 {
+  ip-proto == tcp
+  dst-port == 25
+  # Not supported: pcre: /^rcpt\s+to\:\s+[|\x3b]/smi
+  event "SMTP rcpt to command attempt"
+  tcp-state established,originator
+  payload /((^)|(\n+))[rR][cC][pP][tT][\x20\x09\x0b][tT][oO]:[\x20\x09\x0b]+[|\x3b]/
+}
+
+signature s2b-664-13 {
+  ip-proto == tcp
+  dst-port == 25
+  # Not supported: pcre: /^rcpt to\:\s+decode/smi
+  event "SMTP RCPT TO decode attempt"
+  tcp-state established,originator
+  requires-reverse-signature ! smtp_server_fail
+  payload /((^)|(\n+))[rR][cC][pP][tT][\x20\x09\x0b][tT][oO]:[\x20\x09\x0b]+[dD][eE][cC][oO][dD][eE]/
+}
+
+signature s2b-665-5 {
+  ip-proto == tcp
+  dst-port == 25
+  event "SMTP sendmail 5.6.5 exploit"
+  tcp-state established,originator
+  payload /.*[mM][aA][iI][lL] [fF][rR][oO][mM]\x3A \x7C\/[uU][sS][rR]\/[uU][cC][bB]\/[tT][aA][iI][lL]/
+  requires-reverse-signature ! smtp_server_fail
+}
+
+signature s2b-667-5 {
+  ip-proto == tcp
+  dst-port == 25
+  event "SMTP sendmail 8.6.10 exploit"
+  tcp-state established,originator
+  payload /.*Croot\x0D\x0AMprog, P=\/bin\//
+  requires-reverse-signature ! smtp_server_fail
+}
+
+signature s2b-668-6 {
+  ip-proto == tcp
+  dst-port == 25
+  event "SMTP sendmail 8.6.10 exploit"
+  tcp-state established,originator
+  payload /.*Croot\x09\x09\x09\x09\x09\x09\x09Mprog,P=\/bin/
+  requires-reverse-signature ! smtp_server_fail
+}
+
+signature s2b-670-7 {
+  ip-proto == tcp
+  dst-port == 25
+  event "SMTP sendmail 8.6.9 exploit"
+  tcp-state established,originator
+  payload /.*\x0AC\x3Adaemon\x0AR/
+  requires-reverse-signature ! smtp_server_fail
+}
+
+signature s2b-671-8 {
+  ip-proto == tcp
+  dst-port == 25
+  event "SMTP sendmail 8.6.9c exploit"
+  tcp-state established,originator
+  payload /.*\x0ACroot\x0D\x0AMprog/
+  requires-reverse-signature ! smtp_server_fail
+}
+
+signature s2b-672-6 {
+  ip-proto == tcp
+  dst-port == 25
+  # Not supported: pcre: /^vrfy\s+decode/smi
+  event "SMTP vrfy decode"
+  tcp-state established,originator
+  requires-reverse-signature ! smtp_server_fail
+  payload /((^)|(\n+))[vV][rR][fF][yY][\x20\x09\x0b]+[dD][eE][cC][oO][dD][eE]/
+}
+
+signature s2b-1446-6 {
+  ip-proto == tcp
+  dst-port == 25
+  # Not supported: pcre: /^vrfy\s+root/smi
+  event "SMTP vrfy root"
+  tcp-state established,originator
+  requires-reverse-signature ! smtp_server_fail
+  payload /((^)|(\n+))[vV][rR][fF][yY][\x20\x09\x0b]+[rR][oO][oO][tT]/
+}
+
+signature s2b-631-6 {
+  ip-proto == tcp
+  dst-port == 25
+  event "SMTP ehlo cybercop attempt"
+  tcp-state established,originator
+  payload /.*ehlo cybercop\x0Aquit\x0A/
+  requires-reverse-signature ! smtp_server_fail
+}
+
+signature s2b-632-5 {
+  ip-proto == tcp
+  dst-port == 25
+  event "SMTP expn cybercop attempt"
+  tcp-state established,originator
+  payload /.*expn cybercop/
+}
+
+signature s2b-1549-16 {
+  ip-proto == tcp
+  dst-port == 25
+  # Not supported: pcre: /^HELO\s[^\n]{500}/smi
+  event "SMTP HELO overflow attempt"
+  tcp-state established,originator
+  # Not supported: isdataat: 500,relative
+  requires-reverse-signature ! smtp_server_fail
+  payload /((^)|(\n+))[hH][eE][lL][oO][\x20\x09\x0b][^\n]{500}/
+}
+
+signature s2b-1550-10 {
+  ip-proto == tcp
+  dst-port == 25
+  # Not supported: pcre: /^ETRN\s[^\n]{500}/smi
+  event "SMTP ETRN overflow attempt"
+  tcp-state established,originator
+  # Not supported: isdataat: 500,relative
+  requires-reverse-signature ! smtp_server_fail
+  payload /((^)|(\n+))[eE][tT][rR][nN]][\x20\x09\x0b][^\n]{500}/
+}
+
+signature s2b-2087-5 {
+  ip-proto == tcp
+  dst-port == 25
+  event "Sendmail SMTP From comment overflow attempt"
+  tcp-state established,originator
+  payload /.*From\x3A<><><><><><><><><><><><><><><><><><><><><><>.{1}\x28.{1}\x29/
+  requires-reverse-signature ! smtp_server_fail
+}
+
+signature s2b-2253-3 {
+  ip-proto == tcp
+  dst-port == 25
+  # Not supported: pcre: /^XEXCH50\s+-\d/smi
+  event "SMTP XEXCH50 overflow attempt"
+  tcp-state established,originator
+  requires-reverse-signature ! smtp_server_fail
+  payload /((^)|(\n+))[xX][eE][xX][cC][hH]50[\x20\x09\x0b]+-[0-9]/
+}
+
+signature s2b-2259-5 {
+  ip-proto == tcp
+  dst-port == 25
+  # Not supported: pcre: /^EXPN[^\n]{255,}/smi
+  event "SMTP EXPN overflow attempt"
+  tcp-state established,originator
+  requires-reverse-signature ! smtp_server_fail
+  payload /((^)|(\n+))[eE][xX][pP][nN][^\n]{255,}/
+}
+
+signature s2b-2260-5 {
+  ip-proto == tcp
+  dst-port == 25
+  # Not supported: pcre: /^VRFY[^\n]{255,}/smi
+  event "SMTP VRFY overflow attempt"
+  tcp-state established,originator
+  requires-reverse-signature ! smtp_server_fail
+  payload /((^)|(\n+))[vV][rR][fF][yY][^\n]{255,}/
+}
+
+signature s2b-2261-4 {
+  ip-proto == tcp
+  dst-port == 25
+  # Not supported: pcre: /^SEND FROM\x3a\s*[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?</smi
+  event "SMTP SEND FROM sendmail prescan too many addresses overflow"
+  tcp-state established,originator
+  requires-reverse-signature ! smtp_server_fail
+  payload /((^)|(\n+))[sS][eE][nN][dD] [fF][rR][oO][mM]\x3a[\x20\x09\x0b]*[^\n]*?<[^\n]*? <[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*? <[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*? <[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*? <[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*? <[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?</
+}
+
+signature s2b-2262-4 {
+  ip-proto == tcp
+  dst-port == 25
+  # Not supported: pcre: /^SEND FROM\x3a\s+[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}/smi
+  event "SMTP SEND FROM sendmail prescan too long addresses overflow"
+  tcp-state established,originator
+  requires-reverse-signature ! smtp_server_fail
+  payload /((^)|(\n+))[sS][eE][nN][dD] [fF][rR][oO][mM]:[\x20\x09\x0b]+[a-zA-Z0-9\x5f\x20\x09\x0b@\.]{0,200}\x3b[a-zA-Z0-9_\x20\x09\x0b@\.]{200,}\x3b[a-zA-Z0-9_\x20\x09\x0b@\.]{0,200}/
+}
+
+signature s2b-2263-6 {
+  ip-proto == tcp
+  dst-port == 25
+  # Not supported: pcre: /^SAML FROM\x3a\s*[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?</smi
+  event "SMTP SAML FROM sendmail prescan too many addresses overflow"
+  tcp-state established,originator
+  requires-reverse-signature ! smtp_server_fail
+  payload /((^)|(\n+))[sS][aA][mM][lL] [fF][rR][oO][mM]\x3a[\x20\x09\x0b]*[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?</
+}
+
+signature s2b-2264-4 {
+  ip-proto == tcp
+  dst-port == 25
+  # Not supported: pcre: /^SAML FROM\x3a\s+[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}/smi
+  event "SMTP SAML FROM sendmail prescan too long addresses overflow"
+  tcp-state established,originator
+  requires-reverse-signature ! smtp_server_fail
+  payload /((^)|(\n+))[sS][aA][mM][lL] [fF][rR][oO][mM]:[\x20\x09\x0b]+[a-zA-Z0-9_\x20\x09\x0b@\.]{0,200}\x3b[a-zA-Z0-9_\x20\x09\x0b@\.]{200,}\x3b[a-zA-Z0-9_\x20\x09\x0b@\.]{0,200}/
+}
+
+signature s2b-2265-4 {
+  ip-proto == tcp
+  dst-port == 25
+  # Not supported: pcre: /^SOML FROM\x3a\s*[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?</smi
+  event "SMTP SOML FROM sendmail prescan too many addresses overflow"
+  tcp-state established,originator
+  requires-reverse-signature ! smtp_server_fail
+  payload /((^)|(\n+))[sS][oO][mM][lL] [fF][rR][oO][mM]\x3a[\x20\x09\x0b]*[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?</
+}
+
+signature s2b-2266-4 {
+  ip-proto == tcp
+  dst-port == 25
+  # Not supported: pcre: /^SOML FROM\x3a\s+[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}/smi
+  event "SMTP SOML FROM sendmail prescan too long addresses overflow"
+  tcp-state established,originator
+  payload /((^)|(\n+))[sS][oO][mM][lL] [fF][rR][oO][mM]:[\x20\x09\x0b]+[a-zA-Z0-9_\x20\x09\x0b@\.]{0,200}\x3b[a-zA-Z0-9_\x20\x09\x0b@\.]{200,}\x3b[a-zA-Z0-9_\x20\x09\x0b@\.]{0,200}/
+}
+
+signature s2b-2267-4 {
+  ip-proto == tcp
+  dst-port == 25
+  # Not supported: pcre: /^MAIL FROM\x3a\s*[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?</smi
+  event "SMTP MAIL FROM sendmail prescan too many addresses overflow"
+  tcp-state established,originator
+  requires-reverse-signature ! smtp_server_fail
+  payload /((^)|(\n+))[mM][aA][iI][lL] [fF][rR][oO][mM]\x3a\x20*[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?</
+}
+
+signature s2b-2268-4 {
+  ip-proto == tcp
+  dst-port == 25
+  # Not supported: pcre: /^MAIL FROM\x3a\s+[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}/smi
+  event "SMTP MAIL FROM sendmail prescan too long addresses overflow"
+  tcp-state established,originator
+  requires-reverse-signature ! smtp_server_fail
+  payload /((^)|(\n+))[mM][aA][iI][lL] [fF][rR][oO][mM]:[\x20\x09\x0b]+[a-zA-Z0-9_\x20\x09\x0b@\.]{0,200}\x3b[a-zA-Z0-9_\x20\x09\x0b@\.]{200,}\x3b[a-zA-Z0-9_\x20\x09\x0b@\.]{0,200}/
+}
+
+signature s2b-2269-4 {
+  ip-proto == tcp
+  dst-port == 25
+  # Not supported: pcre: /^RCPT TO\x3a\s*[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?</smi
+  event "SMTP RCPT TO sendmail prescan too many addresses overflow"
+  tcp-state established,originator
+  requires-reverse-signature ! smtp_server_fail
+  payload /((^)|(\n+))[rR][cC][pP][tT] [tT][oO]\x3a\x20*[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?</
+}
+
+signature s2b-2270-4 {
+  ip-proto == tcp
+  dst-port == 25
+  # Not supported: pcre: /^RCPT TO\x3a\s+[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}/smi
+  event "SMTP RCPT TO sendmail prescan too long addresses overflow"
+  tcp-state established,originator
+  requires-reverse-signature ! smtp_server_fail
+  payload /((^)|(\n+))[rR][cC][pP][tT] [tT][oO]\x3a[\x20\x09\x0b]+[a-zA-Z0-9\x5f\x20\x09\x0b\x40\.]{0,200}\x3b[a-zA-Z0-9\x5f\x20\x09\x0b=x40\.]{200,}\x3b[a-zA-Z0-9\x5f\x20\x09\x0b\x40\.]{0,200}/
+}
+
+signature s2b-2275-2 {
+  ip-proto == tcp
+  src-port == 25
+  # Not supported: threshold: type threshold, track by_dst, count 5, seconds 60
+  event "SMTP AUTH LOGON brute force attempt"
+  tcp-state established,responder
+  payload /.{53}.*[aA][uU][tT][hH][eE][nN][tT][iI][cC][aA][tT][iI][oO][nN] [uU][nN][sS][uU][cC][cC][eE][sS][sS][fF][uU][lL]/
+}
+
+signature s2b-2487-4 {
+  ip-proto == tcp
+  dst-port == 25
+  # Not supported: pcre: /name=[^\r\n]*?\.(mim|uue|uu|b64|bhx|hqx|xxe)/smi,/(name|id|number|total|boundary)=\s*[^\r\n\x3b\s\x2c]{300}/smi
+  event "SMTP WinZip MIME content-type buffer overflow"
+  tcp-state established,originator
+  payload /.*[cC][oO][nN][tT][eE][nN][tT]-[tT][yY][pP][eE]\x3A/
+  requires-reverse-signature ! smtp_server_fail
+  payload /[nN][aA][mM][eE]=[^\r\n]*?\.([mM][iI][mM]|[uU]{2}[eE]?|[bB]64|[bB][hH][xX]|[hH][qQ][xX]|[xX]{2}[eE])/
+  payload /([nN][aA][mM][eE]|[iI][dD]|[nN][uU][mM][bB][eE][rR]|[tT][oO][tT][aA][lL]|[bB][oO][uU][nN][dD][aA][rR][yY])=[\x20\x09\x0b]*[^\r\n\x3b\s\x2c]{300}/
+}
+
+signature s2b-2488-4 {
+  ip-proto == tcp
+  dst-port == 25
+  # Not supported: pcre: /name=[^\r\n]*?\.(mim|uue|uu|b64|bhx|hqx|xxe)/smi,/name=\s*[^\r\n\x3b\s\x2c]{300}/smi
+  event "SMTP WinZip MIME content-disposition buffer overflow"
+  tcp-state established,originator
+  payload /.*[cC][oO][nN][tT][eE][nN][tT]-[tT][yY][pP][eE]\x3A/
+  payload /.*[cC][oO][nN][tT][eE][nN][tT]-[dD][iI][sS][pP][oO][sS][iI][tT][iI][oO][nN]\x3A/
+  requires-reverse-signature ! smtp_server_fail
+  payload /[nN][aA][mM][eE]=[^\r\n]*?\.(([mM][iI]]mM])|([uU]{2}[eE])|([uU]{2})|([bB]64)|([bB][hH][xX])|([hH][qQ][xX])|([xX]{2}[eE]))/
+  payload /[nN][aA][mM][eE]=s*[^\r\n\x3b\x20\x09\x0b\x2c]{300}/
+}
+
+signature s2b-2504-6 {
+  ip-proto == tcp
+  dst-port == 465
+  event "SMTP SSLv3 invalid data version attempt"
+  tcp-state established,originator
+  payload /\x16\x03/
+  payload /.{4}\x01/
+  payload /.{8}[^\x03]*/
+  requires-reverse-signature ! smtp_server_fail
+}
+
+signature s2b-2519-9 {
+  ip-proto == tcp
+  dst-port == 465
+  # Not supported: byte_test: 2,>,0,6,2,!,0,8,2,!,16,8,2,>,20,10,2,>,32768,0,relative
+  event "SMTP Client_Hello overflow attempt"
+  tcp-state established,originator
+  payload /.{1}\x01/
+  payload /.{10}\x8F/
+  requires-reverse-signature ! smtp_server_fail
+}
+
+signature s2b-1892-6 {
+  ip-proto == udp
+  dst-port == 161
+  event "SNMP null community string attempt"
+  payload /.{4}.{0,7}\x04\x01\x00/
+  requires-reverse-signature snmp_userver_ok_return
+}
+
+signature s2b-1409-10 {
+  ip-proto == udp
+  dst-port >= 161
+  dst-port <= 162
+  event "SNMP community string buffer overflow attempt"
+  payload /.{3}.*\x02\x01\x00\x04\x82\x01\x00/
+  requires-reverse-signature snmp_userver_ok_return
+}
+
+signature s2b-1422-10 {
+  ip-proto == udp
+  dst-port >= 161
+  dst-port <= 162
+  event "SNMP community string buffer overflow attempt with evasion"
+  payload /.{6} \x04\x82\x01\x00/
+}
+
+signature s2b-1411-10 {
+  ip-proto == udp
+  dst-port == 161
+  event "SNMP public access udp"
+  payload /.*public/
+  requires-reverse-signature snmp_userver_ok_return
+}
+
+signature s2b-1412-13 {
+  ip-proto == tcp
+  dst-port == 161
+  event "SNMP public access tcp"
+  tcp-state established,originator
+  payload /.*public/
+  requires-reverse-signature snmp_userver_ok_return
+}
+
+signature s2b-1413-10 {
+  ip-proto == udp
+  dst-port == 161
+  event "SNMP private access udp"
+  payload /.*private/
+}
+
+signature s2b-1414-11 {
+  ip-proto == tcp
+  dst-port == 161
+  event "SNMP private access tcp"
+  tcp-state established,originator
+  payload /.*private/
+  requires-reverse-signature snmp_tserver_ok_return
+}
+
+signature s2b-1415-9 {
+  ip-proto == udp
+  dst-ip == 255.255.255.255
+  dst-port == 161
+  event "SNMP Broadcast request"
+  requires-reverse-signature snmp_userver_ok_return
+}
+
+signature s2b-1416-9 {
+  ip-proto == udp
+  dst-ip == 255.255.255.255
+  dst-port == 162
+  event "SNMP broadcast trap"
+  requires-reverse-signature snmp_userver_ok_return
+}
+
+signature s2b-1418-11 {
+  ip-proto == tcp
+  dst-port == 161
+  event "SNMP request tcp"
+  tcp-state stateless
+  requires-reverse-signature snmp_tserver_ok_return
+}
+
+signature s2b-1419-9 {
+  ip-proto == udp
+  dst-port == 162
+  event "SNMP trap udp"
+  requires-reverse-signature snmp_userver_ok_return
+}
+
+signature s2b-1420-11 {
+  ip-proto == tcp
+  dst-port == 162
+  event "SNMP trap tcp"
+  tcp-state stateless
+  requires-reverse-signature snmp_tserver_ok_return
+}
+
+signature s2b-1421-11 {
+  ip-proto == tcp
+  dst-port == 705
+  event "SNMP AgentX/tcp request"
+  tcp-state stateless
+}
+
+signature s2b-1426-5 {
+  ip-proto == udp
+  dst-port == 161
+  event "SNMP PROTOS test-suite-req-app attempt"
+  payload /.*0&\x02\x01\x00\x04\x06public\xA0\x19\x02\x01\x00\x02\x01\x00\x02\x01\x000\x0E0\x0C\x06\x08\+\x06\x01\x02\x01\x01\x05\x00\x05\x00/
+  requires-reverse-signature snmp_userver_ok_return
+}
+
+signature s2b-1427-4 {
+  ip-proto == udp
+  dst-port == 162
+  event "SNMP PROTOS test-suite-trap-app attempt"
+  payload /.*08\x02\x01\x00\x04\x06public\xA4\+\x06/
+  requires-reverse-signature snmp_userver_ok_return
+}
+
+signature s2b-676-6 {
+  ip-proto == tcp
+  dst-port == 139
+  event "MS-SQL/SMB sp_start_job - program execution"
+  tcp-state established,originator
+  payload /.{31}[sS]\x00[pP]\x00_\x00[sS]\x00[tT]\x00[aA]\x00[rR]\x00[tT]\x00_\x00[jJ]\x00[oO]\x00[bB]\x00/
+}
+
+signature s2b-677-6 {
+  ip-proto == tcp
+  dst-port == 139
+  event "MS-SQL/SMB sp_password password change"
+  tcp-state established,originator
+  payload /.*[sS]\x00[pP]\x00_\x00[pP]\x00[aA]\x00[sS]\x00[sS]\x00[wW]\x00[oO]\x00[rR]\x00[dD]\x00/
+}
+
+signature s2b-678-6 {
+  ip-proto == tcp
+  dst-port == 139
+  event "MS-SQL/SMB sp_delete_alert log file deletion"
+  tcp-state established,originator
+  payload /.*[sS]\x00[pP]\x00_\x00[dD]\x00[eE]\x00[lL]\x00[eE]\x00[tT]\x00[eE]\x00_\x00[aA]\x00[lL]\x00[eE]\x00/
+}
+
+signature s2b-679-6 {
+  ip-proto == tcp
+  dst-port == 139
+  event "MS-SQL/SMB sp_adduser database user creation"
+  tcp-state established,originator
+  payload /.{31}[sS]\x00[pP]\x00_\x00[aA]\x00[dD]\x00[dD]\x00[uU]\x00[sS]\x00[eE]\x00[rR]\x00/
+}
+
+signature s2b-708-8 {
+  ip-proto == tcp
+  dst-port == 139
+  event "MS-SQL/SMB xp_enumresultset possible buffer overflow"
+  tcp-state established,originator
+  payload /.{31}.*[xX]\x00[pP]\x00_\x00[eE]\x00[nN]\x00[uU]\x00[mM]\x00[rR]\x00[eE]\x00[sS]\x00[uU]\x00[lL]\x00[tT]\x00[sS]\x00[eE]\x00[tT]\x00/
+}
+
+signature s2b-1386-8 {
+  ip-proto == tcp
+  dst-port == 139
+  event "MS-SQL/SMB raiserror possible buffer overflow"
+  tcp-state established,originator
+  payload /.{31}.*[rR]\x00[aA]\x00[iI]\x00[sS]\x00[eE]\x00[rR]\x00[rR]\x00[oO]\x00[rR]\x00/
+}
+
+signature s2b-702-8 {
+  ip-proto == tcp
+  dst-port == 139
+  event "MS-SQL/SMB xp_displayparamstmt possible buffer overflow"
+  tcp-state established,originator
+  payload /.{31}.*[xX]\x00[pP]\x00_\x00[dD]\x00[iI]\x00[sS]\x00[pP]\x00[lL]\x00[aA]\x00[yY]\x00[pP]\x00[aA]\x00[rR]\x00[aA]\x00[mM]\x00[sS]\x00[tT]\x00[mM]\x00[tT]\x00/
+}
+
+signature s2b-681-6 {
+  ip-proto == tcp
+  dst-port == 139
+  event "MS-SQL/SMB xp_cmdshell program execution"
+  tcp-state established,originator
+  payload /.{31}.*[xX]\x00[pP]\x00_\x00[cC]\x00[mM]\x00[dD]\x00[sS]\x00[hH]\x00[eE]\x00[lL]\x00[lL]\x00/
+}
+
+signature s2b-689-6 {
+  ip-proto == tcp
+  dst-port == 139
+  event "MS-SQL/SMB xp_reg* registry access"
+  tcp-state established,originator
+  payload /.{31}[xX]\x00[pP]\x00_\x00[rR]\x00[eE]\x00[gG]\x00/
+}
+
+signature s2b-690-7 {
+  ip-proto == tcp
+  dst-port == 139
+  event "MS-SQL/SMB xp_printstatements possible buffer overflow"
+  tcp-state established,originator
+  payload /.{31}.*[xX]\x00[pP]\x00_\x00[pP]\x00[rR]\x00[iI]\x00[nN]\x00[tT]\x00[sS]\x00[tT]\x00[aA]\x00[tT]\x00[eE]\x00[mM]\x00[eE]\x00[nN]\x00[tT]\x00[sS]\x00/
+}
+
+signature s2b-692-6 {
+  ip-proto == tcp
+  dst-port == 139
+  event "MS-SQL/SMB shellcode attempt"
+  tcp-state established,originator
+  payload /.*9 \xD0\x00\x92\x01\xC2\x00R\x00U\x009 \xEC\x00/
+}
+
+signature s2b-694-6 {
+  ip-proto == tcp
+  dst-port == 139
+  event "MS-SQL/SMB shellcode attempt"
+  tcp-state established,originator
+  payload /.*H\x00%\x00x\x00w\x00\x90\x00\x90\x00\x90\x00\x90\x00\x90\x003\x00\xC0\x00P\x00h\x00\.\x00/
+}
+
+signature s2b-695-7 {
+  ip-proto == tcp
+  dst-port == 139
+  event "MS-SQL/SMB xp_sprintf possible buffer overflow"
+  tcp-state established,originator
+  payload /.{31}.*[xX]\x00[pP]\x00_\x00[sS]\x00[pP]\x00[rR]\x00[iI]\x00[nN]\x00[tT]\x00[fF]\x00/
+}
+
+signature s2b-696-7 {
+  ip-proto == tcp
+  dst-port == 139
+  event "MS-SQL/SMB xp_showcolv possible buffer overflow"
+  tcp-state established,originator
+  payload /.{31}.*[xX]\x00[pP]\x00_\x00[sS]\x00[hH]\x00[oO]\x00[wW]\x00[cC]\x00[oO]\x00[lL]\x00[vV]\x00/
+}
+
+signature s2b-697-8 {
+  ip-proto == tcp
+  dst-port == 139
+  event "MS-SQL/SMB xp_peekqueue possible buffer overflow"
+  tcp-state established,originator
+  payload /.{31}.*[xX]\x00[pP]\x00_\x00[pP]\x00[eE]\x00[eE]\x00[kK]\x00[qQ]\x00[uU]\x00[eE]\x00[uU]\x00[eE]\x00/
+}
+
+signature s2b-698-8 {
+  ip-proto == tcp
+  dst-port == 139
+  event "MS-SQL/SMB xp_proxiedmetadata possible buffer overflow"
+  tcp-state established,originator
+  payload /.{31}.*[xX]\x00[pP]\x00_\x00[pP]\x00[rR]\x00[oO]\x00[xX]\x00[iI]\x00[eE]\x00[dD]\x00[mM]\x00[eE]\x00[tT]\x00[aA]\x00[dD]\x00[aA]\x00[tT]\x00[aA]\x00/
+}
+
+signature s2b-700-8 {
+  ip-proto == tcp
+  dst-port == 139
+  event "MS-SQL/SMB xp_updatecolvbm possible buffer overflow"
+  tcp-state established,originator
+  payload /.{31}.*[xX]\x00[pP]\x00_\x00[uU]\x00[pP]\x00[dD]\x00[aA]\x00[tT]\x00[eE]\x00[cC]\x00[oO]\x00[lL]\x00[vV]\x00[bB]\x00[mM]\x00/
+}
+
+signature s2b-673-5 {
+  ip-proto == tcp
+  dst-port == 1433
+  event "MS-SQL sp_start_job - program execution"
+  tcp-state established,originator
+  payload /.*[sS]\x00[pP]\x00_\x00[sS]\x00[tT]\x00[aA]\x00[rR]\x00[tT]\x00_\x00[jJ]\x00[oO]\x00[bB]\x00/
+}
+
+signature s2b-674-6 {
+  ip-proto == tcp
+  dst-port == 1433
+  event "MS-SQL xp_displayparamstmt possible buffer overflow"
+  tcp-state established,originator
+  payload /.*[xX]\x00[pP]\x00_\x00[dD]\x00[iI]\x00[sS]\x00[pP]\x00[lL]\x00[aA]\x00[yY]\x00[pP]\x00[aA]\x00[rR]\x00[aA]\x00[mM]\x00[sS]\x00[tT]\x00[mM]\x00[tT]/
+}
+
+signature s2b-675-6 {
+  ip-proto == tcp
+  dst-port == 1433
+  event "MS-SQL xp_setsqlsecurity possible buffer overflow"
+  tcp-state established,originator
+  payload /.*[xX]\x00[pP]\x00_\x00[sS]\x00[eE]\x00[tT]\x00[sS]\x00[qQ]\x00[lL]\x00[sS]\x00[eE]\x00[cC]\x00[uU]\x00[rR]\x00[iI]\x00[tT]\x00[yY]\x00/
+}
+
+signature s2b-682-6 {
+  ip-proto == tcp
+  dst-port == 1433
+  event "MS-SQL xp_enumresultset possible buffer overflow"
+  tcp-state established,originator
+  payload /.*[xX]\x00[pP]\x00_\x00[eE]\x00[nN]\x00[uU]\x00[mM]\x00[rR]\x00[eE]\x00[sS]\x00[uU]\x00[lL]\x00[tT]\x00[sS]\x00[eE]\x00[tT]\x00/
+}
+
+signature s2b-683-5 {
+  ip-proto == tcp
+  dst-port == 1433
+  event "MS-SQL sp_password - password change"
+  tcp-state established,originator
+  payload /.*[sS]\x00[pP]\x00_\x00[pP]\x00[aA]\x00[sS]\x00[sS]\x00[wW]\x00[oO]\x00[rR]\x00[dD]\x00/
+}
+
+signature s2b-684-5 {
+  ip-proto == tcp
+  dst-port == 1433
+  event "MS-SQL sp_delete_alert log file deletion"
+  tcp-state established,originator
+  payload /.*[sS]\x00[pP]\x00_\x00[dD]\x00[eE]\x00[lL]\x00[eE]\x00[tT]\x00[eE]\x00_\x00[aA]\x00[lL]\x00[eE]\x00[rR]\x00[tT]\x00/
+}
+
+signature s2b-685-5 {
+  ip-proto == tcp
+  dst-port == 1433
+  event "MS-SQL sp_adduser - database user creation"
+  tcp-state established,originator
+  payload /.*[sS]\x00[pP]\x00_\x00[aA]\x00[dD]\x00[dD]\x00[uU]\x00[sS]\x00[eE]\x00[rR]\x00/
+}
+
+signature s2b-686-5 {
+  ip-proto == tcp
+  dst-port == 1433
+  event "MS-SQL xp_reg* - registry access"
+  tcp-state established,originator
+  payload /.*[xX]\x00[pP]\x00_\x00[rR]\x00[eE]\x00[gG]\x00/
+}
+
+signature s2b-687-5 {
+  ip-proto == tcp
+  dst-port == 1433
+  event "MS-SQL xp_cmdshell - program execution"
+  tcp-state established,originator
+  payload /.*[xX]\x00[pP]\x00_\x00[cC]\x00[mM]\x00[dD]\x00[sS]\x00[hH]\x00[eE]\x00[lL]\x00[lL]\x00/
+}
+
+signature s2b-691-5 {
+  ip-proto == tcp
+  dst-port == 1433
+  event "MS-SQL shellcode attempt"
+  tcp-state established,originator
+  payload /.*9 \xD0\x00\x92\x01\xC2\x00R\x00U\x009 \xEC\x00/
+}
+
+signature s2b-693-5 {
+  ip-proto == tcp
+  dst-port == 1433
+  event "MS-SQL shellcode attempt"
+  tcp-state established,originator
+  payload /.*H\x00%\x00x\x00w\x00\x90\x00\x90\x00\x90\x00\x90\x00\x90\x003\x00\xC0\x00P\x00h\x00\.\x00/
+}
+
+signature s2b-699-7 {
+  ip-proto == tcp
+  dst-port == 1433
+  event "MS-SQL xp_printstatements possible buffer overflow"
+  tcp-state established,originator
+  payload /.*[xX]\x00[pP]\x00_\x00[pP]\x00[rR]\x00[iI]\x00[nN]\x00[tT]\x00[sS]\x00[tT]\x00[aA]\x00[tT]\x00[eE]\x00[mM]\x00[eE]\x00[nN]\x00[tT]\x00[sS]\x00/
+}
+
+signature s2b-701-7 {
+  ip-proto == tcp
+  dst-port == 1433
+  event "MS-SQL xp_updatecolvbm possible buffer overflow"
+  tcp-state established,originator
+  payload /.*[xX]\x00[pP]\x00_\x00[uU]\x00[pP]\x00[dD]\x00[aA]\x00[tT]\x00[eE]\x00[cC]\x00[oO]\x00[lL]\x00[vV]\x00[bB]\x00[mM]\x00/
+}
+
+signature s2b-704-6 {
+  ip-proto == tcp
+  dst-port == 1433
+  event "MS-SQL xp_sprintf possible buffer overflow"
+  tcp-state established,originator
+  payload /.*[xX]\x00[pP]\x00_\x00[sS]\x00[pP]\x00[rR]\x00[iI]\x00[nN]\x00[tT]\x00[fF]\x00/
+}
+
+signature s2b-705-7 {
+  ip-proto == tcp
+  dst-port == 1433
+  event "MS-SQL xp_showcolv possible buffer overflow"
+  tcp-state established,originator
+  payload /.*[xX]\x00[pP]\x00_\x00[sS]\x00[hH]\x00[oO]\x00[wW]\x00[cC]\x00[oO]\x00[lL]\x00[vV]\x00/
+}
+
+signature s2b-706-7 {
+  ip-proto == tcp
+  dst-port == 1433
+  event "MS-SQL xp_peekqueue possible buffer overflow"
+  tcp-state established,originator
+  payload /.*[xX]\x00[pP]\x00_\x00[pP]\x00[eE]\x00[eE]\x00[kK]\x00[qQ]\x00[uU]\x00[eE]\x00[uU]\x00[eE]\x00/
+}
+
+signature s2b-707-8 {
+  ip-proto == tcp
+  dst-port == 1433
+  event "MS-SQL xp_proxiedmetadata possible buffer overflow"
+  tcp-state established,originator
+  payload /.*[xX]\x00[pP]\x00_\x00[pP]\x00[rR]\x00[oO]\x00[xX]\x00[iI]\x00[eE]\x00[dD]\x00[mM]\x00[eE]\x00[tT]\x00[aA]\x00[dD]\x00[aA]\x00[tT]\x00[aA]\x00/
+}
+
+signature s2b-1387-7 {
+  ip-proto == tcp
+  dst-port == 1433
+  event "MS-SQL raiserror possible buffer overflow"
+  tcp-state established,originator
+  payload /.*[rR]\x00[aA]\x00[iI]\x00[sS]\x00[eE]\x00[rR]\x00[rR]\x00[oO]\x00[rR]\x00/
+}
+
+signature s2b-1759-5 {
+  ip-proto == tcp
+  dst-port == 445
+  event "MS-SQL xp_cmdshell program execution 445"
+  tcp-state established,originator
+  payload /.*[xX]\x00[pP]\x00_\x00[cC]\x00[mM]\x00[dD]\x00[sS]\x00[hH]\x00[eE]\x00[lL]\x00[lL]\x00/
+}
+
+signature s2b-688-6 {
+  ip-proto == tcp
+  src-port == 1433
+  event "MS-SQL sa login failed"
+  tcp-state established,responder
+  payload /.*Login failed for user 'sa'/
+}
+
+signature s2b-680-6 {
+  ip-proto == tcp
+  src-port == 139
+  event "MS-SQL/SMB sa login failed"
+  tcp-state established,responder
+  payload /.{82}.*Login failed for user 'sa'/
+}
+
+signature s2b-2050-5 {
+  ip-proto == udp
+  dst-port == 1434
+  payload-size > 100
+  event "MS-SQL version overflow attempt"
+  payload /\x04/
+}
+
+signature s2b-2329-6 {
+  ip-proto == udp
+  dst-port == 1434
+  dst-ip == local_nets
+  # Not supported: byte_test: 2,>,512,1
+  event "MS-SQL probe response overflow attempt"
+  # Not supported: isdataat: 512,relative
+  payload /\x05.*.*\x3B[^\x3B]{512}/
+}
+
+signature s2b-1430-7 {
+  ip-proto == tcp
+  dst-port == 23
+  event "TELNET Solaris memory mismanagement exploit attempt"
+  tcp-state established,originator
+  payload /.*\xA0\x23\xA0\x10\xAE\x23\x80\x10\xEE\x23\xBF\xEC\x82\x05\xE0\xD6\x90%\xE0/
+}
+
+signature s2b-711-5 {
+  ip-proto == tcp
+  dst-port == 23
+  event "TELNET SGI telnetd format bug"
+  tcp-state established,originator
+  payload /.*_RLD/
+  payload /.*bin\/sh/
+}
+
+signature s2b-712-8 {
+  ip-proto == tcp
+  dst-port == 23
+  event "TELNET ld_library_path"
+  tcp-state established,originator
+  payload /.*ld_library_path/
+}
+
+signature s2b-714-4 {
+  ip-proto == tcp
+  dst-port == 23
+  event "TELNET resolv_host_conf"
+  tcp-state established,originator
+  payload /.*resolv_host_conf/
+}
+
+signature s2b-715-6 {
+  ip-proto == tcp
+  src-port == 23
+  event "TELNET Attempted SU from wrong group"
+  tcp-state established,responder
+  payload /.*[tT][oO] [sS][uU] [rR][oO][oO][tT]/
+}
+
+signature s2b-717-6 {
+  ip-proto == tcp
+  src-port == 23
+  event "TELNET not on console"
+  tcp-state established,responder
+  payload /.*[nN][oO][tT] [oO][nN] [sS][yY][sS][tT][eE][mM] [cC][oO][nN][sS][oO][lL][eE]/
+}
+
+signature s2b-718-7 {
+  ip-proto == tcp
+  src-port == 23
+  event "TELNET login incorrect"
+  tcp-state established,responder
+  payload /.*Login incorrect/
+}
+
+signature s2b-719-7 {
+  ip-proto == tcp
+  src-port == 23
+  event "TELNET root login"
+  tcp-state established,responder
+  payload /.*login\x3A root/
+}
+
+signature s2b-1252-13 {
+  ip-proto == tcp
+  src-port == 23
+  event "TELNET bsd telnet exploit response"
+  tcp-state established,responder
+  payload /.*\x0D\x0A\[Yes\]\x0D\x0A\xFF\xFE\x08\xFF\xFD&/
+}
+
+signature s2b-1253-11 {
+  ip-proto == tcp
+  dst-port == 23
+  payload-size > 200
+  event "TELNET bsd exploit client finishing"
+  tcp-state established,responder
+  payload /.{199}\xFF\xF6\xFF\xF6\xFF\xFB\x08\xFF\xF6/
+}
+
+signature s2b-709-7 {
+  ip-proto == tcp
+  dst-port == 23
+  event "TELNET 4Dgifts SGI account attempt"
+  tcp-state established,originator
+  payload /.*4Dgifts/
+}
+
+signature s2b-710-7 {
+  ip-proto == tcp
+  dst-port == 23
+  event "TELNET EZsetup account attempt"
+  tcp-state established,originator
+  payload /.*OutOfBox/
+}
+
+signature s2b-2406-1 {
+  ip-proto == tcp
+  dst-port == 23
+  event "TELNET APC SmartSlot default admin account attempt"
+  tcp-state established,originator
+  payload /.*TENmanUFactOryPOWER/
+}
+
+signature s2b-1941-8 {
+  ip-proto == udp
+  dst-port == 69
+  event "TFTP GET filename overflow attempt"
+  payload /\x00\x01[^\x00]{100}/
+}
+
+signature s2b-2337-7 {
+  ip-proto == udp
+  dst-port == 69
+  event "TFTP PUT filename overflow attempt"
+  payload /\x00\x02[^\x00]{100}/
+}
+
+signature s2b-1289-4 {
+  ip-proto == udp
+  dst-port == 69
+  event "TFTP GET Admin.dll"
+  payload /\x00\x01/
+  payload /.{1}.*[aA][dD][mM][iI][nN]\.[dD][lL][lL]/
+}
+
+signature s2b-1441-4 {
+  ip-proto == udp
+  dst-port == 69
+  event "TFTP GET nc.exe"
+  payload /\x00\x01/
+  payload /.{1}.*[nN][cC]\.[eE][xX][eE]/
+}
+
+signature s2b-1442-4 {
+  ip-proto == udp
+  dst-port == 69
+  event "TFTP GET shadow"
+  payload /\x00\x01/
+  payload /.{1}.*[sS][hH][aA][dD][oO][wW]/
+}
+
+signature s2b-1443-4 {
+  ip-proto == udp
+  dst-port == 69
+  event "TFTP GET passwd"
+  payload /\x00\x01/
+  payload /.{1}.*[pP][aA][sS][sS][wW][dD]/
+}
+
+signature s2b-519-6 {
+  ip-proto == udp
+  dst-port == 69
+  event "TFTP parent directory"
+  payload /.{1}.*\.\./
+}
+
+signature s2b-520-5 {
+  ip-proto == udp
+  dst-port == 69
+  event "TFTP root directory"
+  payload /\x00\x01\//
+}
+
+signature s2b-518-6 {
+  ip-proto == udp
+  dst-port == 69
+  event "TFTP Put"
+  payload /\x00\x02/
+}
+
+signature s2b-1444-3 {
+  ip-proto == udp
+  dst-port == 69
+  event "TFTP Get"
+  payload /\x00\x01/
+}
+
+signature s2b-2339-2 {
+  ip-proto == udp
+  dst-port == 69
+  event "TFTP NULL command attempt"
+  payload /\x00\x00/
+}
+
+signature s2b-1328-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-ATTACKS ps command attempt"
+  http /.*[\/\\]bin[\/\\]ps([^_a-zA-Z0-9.\/-]|$)/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1330-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-ATTACKS wget command attempt"
+  tcp-state established,originator
+  payload /.*[wW][gG][eE][tT]%20/
+  requires-reverse-signature ! http_error
+  # would like to inspect contents of reply
+}
+
+signature s2b-1331-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-ATTACKS uname -a command attempt"
+  tcp-state established,originator
+  payload /.*[uU][nN][aA][mM][eE]%20-[aA]/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1332-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-ATTACKS /usr/bin/id command attempt"
+  tcp-state established,originator
+  payload /.*\/[uU][sS][rR]\/[bB][iI][nN]\/[iI][dD]/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1333-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-ATTACKS id command attempt"
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+  http /.*;[iI][dD]([;|\x20\x09\x0b]|$)./
+}
+
+signature s2b-1334-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-ATTACKS echo command attempt"
+  tcp-state established,originator
+  payload /.*\/[bB][iI][nN]\/[eE][cC][hH][oO]/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1335-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-ATTACKS kill command attempt"
+  tcp-state established,originator
+  payload /.*\/[bB][iI][nN]\/[kK][iI][lL][lL]/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1336-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-ATTACKS chmod command attempt"
+  tcp-state established,originator
+  http /.*\/[cC][hH][mM][oO][dD]([^-a-zA-Z0-9_.]|$)/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1337-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-ATTACKS chgrp command attempt"
+  tcp-state established,originator
+  http /.*\/[cC][hH][gG][rR][pP]([^-a-zA-Z0-9_.]|$)/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1338-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-ATTACKS chown command attempt"
+  tcp-state established,originator
+  http /.*\/[cC][hH][oO][wW][nN]([^-a-zA-Z0-9_.]|$)/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1339-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-ATTACKS chsh command attempt"
+  tcp-state established,originator
+  payload /.*\/[uU][sS][rR]\/[bB][iI][nN]\/[cC][hH][sS][hH]/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1340-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-ATTACKS tftp command attempt"
+  tcp-state established,originator
+  payload /.*[tT][fF][tT][pP]%20/
+  requires-signature ! http_cool_dll
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1341-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-ATTACKS /usr/bin/gcc command attempt"
+  tcp-state established,originator
+  payload /.*\/[uU][sS][rR]\/[bB][iI][nN]\/[gG][cC][cC]/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1342-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-ATTACKS gcc command attempt"
+  tcp-state established,originator
+  payload /.*[gG][cC][cC]%20-[oO]/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1343-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-ATTACKS /usr/bin/cc command attempt"
+  tcp-state established,originator
+  payload /.*\/[uU][sS][rR]\/[bB][iI][nN]\/[cC][cC]/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1344-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-ATTACKS cc command attempt"
+  tcp-state established,originator
+  payload /.*[cC][cC]%20/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1345-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-ATTACKS /usr/bin/cpp command attempt"
+  tcp-state established,originator
+  payload /.*\/[uU][sS][rR]\/[bB][iI][nN]\/[cC][pP][pP]/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1347-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-ATTACKS /usr/bin/g++ command attempt"
+  tcp-state established,originator
+  payload /.*\/[uU][sS][rR]\/[bB][iI][nN]\/[gG]\+\+/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1348-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-ATTACKS g++ command attempt"
+  tcp-state established,originator
+  payload /.*[gG]\+\+%20/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1351-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-ATTACKS bin/tclsh execution attempt"
+  tcp-state established,originator
+  payload /.*[bB][iI][nN]\/[tT][cC][lL][sS][hH]/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1352-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-ATTACKS tclsh execution attempt"
+  tcp-state established,originator
+  payload /.*[tT][cC][lL][sS][hH]8%20/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1353-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-ATTACKS bin/nasm command attempt"
+  tcp-state established,originator
+  payload /.*[bB][iI][nN]\/[nN][aA][sS][mM]/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1354-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-ATTACKS nasm command attempt"
+  tcp-state established,originator
+  payload /.*[nN][aA][sS][mM]%20/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1355-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-ATTACKS /usr/bin/perl execution attempt"
+  tcp-state established,originator
+  payload /.*\/[uU][sS][rR]\/[bB][iI][nN]\/[pP][eE][rR][lL]/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1356-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-ATTACKS perl execution attempt"
+  tcp-state established,originator
+  payload /.*[pP][eE][rR][lL]%20/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1357-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-ATTACKS nt admin addition attempt"
+  tcp-state established,originator
+  payload /.*[nN][eE][tT] [lL][oO][cC][aA][lL][gG][rR][oO][uU][pP] [aA][dD][mM][iI][nN][iI][sS][tT][rR][aA][tT][oO][rR][sS] \/[aA][dD][dD]/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1358-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-ATTACKS traceroute command attempt"
+  tcp-state established,originator
+  payload /.*[tT][rR][aA][cC][eE][rR][oO][uU][tT][eE]%20/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1359-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-ATTACKS ping command attempt"
+  tcp-state established,originator
+  payload /.*\/[bB][iI][nN]\/[pP][iI][nN][gG]/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1360-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-ATTACKS netcat command attempt"
+  tcp-state established,originator
+  payload /.*[nN][cC]%20/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1361-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-ATTACKS nmap command attempt"
+  tcp-state established,originator
+  payload /.*[nN][mM][aA][pP]%20/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1362-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-ATTACKS xterm command attempt"
+  tcp-state established,originator
+  payload /.*\/[uU][sS][rR]\/[xX]11[rR]6\/[bB][iI][nN]\/[xX][tT][eE][rR][mM]/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1363-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-ATTACKS X application to remote host attempt"
+  tcp-state established,originator
+  payload /.*%20-[dD][iI][sS][pP][lL][aA][yY]%20/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1364-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-ATTACKS lsof command attempt"
+  tcp-state established,originator
+  payload /.*[lL][sS][oO][fF]%20/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1365-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-ATTACKS rm command attempt"
+  tcp-state established,originator
+  payload /.*[rR][mM]%20/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1366-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-ATTACKS mail command attempt"
+  tcp-state established,originator
+  payload /.*\/[bB][iI][nN]\/[mM][aA][iI][lL]/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1367-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-ATTACKS mail command attempt"
+  tcp-state established,originator
+  payload /.*[mM][aA][iI][lL]%20/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1368-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-ATTACKS /bin/ls| command attempt"
+  http /.*[\/\\]bin[\/\\]ls\x7C/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1369-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-ATTACKS /bin/ls command attempt"
+  http /.*[\/\\]bin[\/\\]ls[^a-zA-Z0-9_.-]/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1370-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-ATTACKS /etc/inetd.conf access"
+  tcp-state established,originator
+  payload /.*\/[eE][tT][cC]\/[iI][nN][eE][tT][dD]\.[cC][oO][nN][fF]/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1372-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-ATTACKS /etc/shadow access"
+  tcp-state established,originator
+  payload /.*\/[eE][tT][cC]\/[sS][hH][aA][dD][oO][wW].{1,}root:/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1373-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-ATTACKS conf/httpd.conf attempt"
+  tcp-state established,originator
+  payload /.*[cC][oO][nN][fF]\/[hH][tT][tT][pP][dD]\.[cC][oO][nN][fF]/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1374-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-ATTACKS .htgroup access"
+  http /.*\.htgroup[\x20\x09\x0b]*$/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-803-9 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI HyperSeek hsx.cgi directory traversal attempt"
+  http /.*[\/\\]hsx\.cgi/
+  tcp-state established,originator
+  payload /.*\.\.\/\.\.\/.{1}.*%00/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-804-9 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI SWSoft ASPSeek Overflow attempt"
+  http /.*[\/\\]s\.cgi/
+  tcp-state established,originator
+  payload /.*[tT][mM][pP][lL]=/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-806-11 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI yabb directory traversal attempt"
+  http /.*[\/\\]YaBB/
+  tcp-state established,originator
+  payload /.*\.\.\//
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-809-11 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI whois_raw.cgi arbitrary command execution attempt"
+  http /.*[\/\\]whois_raw\.cgi\?/
+  tcp-state established,originator
+  payload /.*\x0A/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-810-11 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI whois_raw.cgi access"
+  http /.*[\/\\]whois_raw\.cgi/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-813-9 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI webplus directory traversal"
+  http /.*[\/\\]webplus\?script/
+  tcp-state established,originator
+  payload /.*\.\.\//
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1571-8 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI dcforum.cgi directory traversal attempt"
+  http /.*[\/\\]dcforum\.cgi/
+  tcp-state established,originator
+  payload /.*forum=\.\.\/\.\./
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-817-10 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI dcboard.cgi invalid user addition attempt"
+  http /.*[\/\\]dcboard\.cgi/
+  tcp-state established,originator
+  payload /.*command=register/
+  payload /.*%7cadmin/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1410-9 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI dcboard.cgi access"
+  http /.*[\/\\]dcboard\.cgi/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-820-9 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI anaconda directory transversal attempt"
+  http /.*[\/\\]apexec\.pl/
+  tcp-state established,originator
+  payload /.*[tT][eE][mM][pP][lL][aA][tT][eE]=\.\.\//
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-821-12 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI imagemap.exe overflow attempt"
+  http /.*[\/\\]imagemap\.exe\?/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1608-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI htmlscript attempt"
+  http /.*[\/\\]htmlscript\?\.\.[\/\\]\.\./
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-826-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI htmlscript access"
+  http /.*[\/\\]htmlscript/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-827-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI info2www access"
+  http /.*[\/\\]info2www/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-828-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI maillist.pl access"
+  http /.*[\/\\]maillist\.pl/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-829-9 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI nph-test-cgi access"
+  http /.*[\/\\]nph-test-cgi/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1451-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI NPH-publish access"
+  http /.*[\/\\]nph-maillist\.pl/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-833-8 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI rguest.exe access"
+  http /.*[\/\\]rguest\.exe/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-834-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI rwwwshell.pl access"
+  http /.*[\/\\]rwwwshell\.pl/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1644-8 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI test-cgi attempt"
+  http /.*[\/\\]test-cgi[\/\\]\*\?\*/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-835-9 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI test-cgi access"
+  http /.*[\/\\]test-cgi/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1645-6 {
+  ip-proto == tcp
+  dst-ip == local_nets
+  dst-port == http_ports
+  event "WEB-CGI testcgi access"
+  http /.*[\/\\]testcgi/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1646-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI test.cgi access"
+  http /.*[\/\\]test\.cgi/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-836-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI textcounter.pl access"
+  http /.*[\/\\]textcounter\.pl/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-837-8 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI uploader.exe access"
+  http /.*[\/\\]uploader\.exe/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-838-9 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI webgais access"
+  http /.*[\/\\]webgais/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-840-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI perlshop.cgi access"
+  http /.*[\/\\]perlshop\.cgi/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-841-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI pfdisplay.cgi access"
+  http /.*[\/\\]pfdisplay\.cgi/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-842-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI aglimpse access"
+  http /.*[\/\\]aglimpse/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-843-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI anform2 access"
+  http /.*[\/\\]AnForm2/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-844-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI args.bat access"
+  http /.*[\/\\]args\.bat/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1452-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI args.cmd access"
+  http /.*[\/\\]args\.cmd/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-845-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI AT-admin.cgi access"
+  http /.*[\/\\]AT-admin\.cgi/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1453-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI AT-generated.cgi access"
+  http /.*[\/\\]AT-generated\.cgi/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-846-8 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI bnbform.cgi access"
+  http /.*[\/\\]bnbform\.cgi/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-847-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI campas access"
+  http /.*[\/\\]campas/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-848-9 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI view-source directory traversal"
+  http /.*[\/\\]view-source/
+  tcp-state established,originator
+  payload /.*\.\.\//
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-850-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI wais.pl access"
+  http /.*[\/\\]wais\.pl/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1454-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI wwwwais access"
+  http /.*[\/\\]wwwwais/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-851-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI files.pl access"
+  http /.*[\/\\]files\.pl/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-852-8 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI wguest.exe access"
+  http /.*[\/\\]wguest\.exe/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-854-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI classifieds.cgi access"
+  http /.*[\/\\]classifieds\.cgi/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-856-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI environ.cgi access"
+  http /.*[\/\\]environ\.cgi/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-857-10 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI faxsurvey access"
+  http /.*[\/\\]faxsurvey/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-858-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI filemail access"
+  http /.*[\/\\]filemail\.pl/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-859-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI man.sh access"
+  http /.*[\/\\]man\.sh/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-860-8 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI snork.bat access"
+  http /.*[\/\\]snork\.bat/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-861-12 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI w3-msql access"
+  http /.*[\/\\]w3-msql[\/\\]/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-863-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI day5datacopier.cgi access"
+  http /.*[\/\\]day5datacopier\.cgi/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-864-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI day5datanotifier.cgi access"
+  http /.*[\/\\]day5datanotifier\.cgi/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-866-8 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI post-query access"
+  http /.*[\/\\]post-query/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-867-9 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI visadmin.exe access"
+  http /.*[\/\\]visadmin\.exe/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-869-8 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI dumpenv.pl access"
+  http /.*[\/\\]dumpenv\.pl/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1536-8 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI calendar_admin.pl arbitrary command execution attempt"
+  http /.*[\/\\]calendar_admin\.pl\?config=\x7C/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1537-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI calendar_admin.pl access"
+  http /.*[\/\\]calendar_admin\.pl/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1701-4 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI calendar-admin.pl access"
+  http /.*[\/\\]calendar-admin\.pl/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1457-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI user_update_admin.pl access"
+  http /.*[\/\\]user_update_admin\.pl/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1458-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI user_update_passwd.pl access"
+  http /.*[\/\\]user_update_passwd\.pl/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-870-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI snorkerz.cmd access"
+  http /.*[\/\\]snorkerz\.cmd/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-871-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI survey.cgi access"
+  http /.*[\/\\]survey\.cgi/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-875-9 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI win-c-sample.exe access"
+  http /.*[\/\\]win-c-sample\.exe/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-878-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI w3tvars.pm access"
+  http /.*[\/\\]w3tvars\.pm/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-879-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI admin.pl access"
+  http /.*[\/\\]admin\.pl/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-880-8 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI LWGate access"
+  http /.*[\/\\]LWGate/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-881-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI archie access"
+  http /.*[\/\\]archie/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-883-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI flexform access"
+  http /.*[\/\\]flexform/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1610-11 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI formmail arbitrary command execution attempt"
+  http /.*[\/\\]formmail{0,5}\?/
+  tcp-state established,originator
+  payload /.*%0[aA]/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-884-14 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI formmail access"
+  http /.*[\/\\]formmail{0,5}\?/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1762-4 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI phf arbitrary command execution attempt"
+  http /.*[\/\\]phf/
+  tcp-state established,originator
+  payload /.*[qQ][aA][lL][iI][aA][sS]/
+  payload /.*%0a\//
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-887-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI www-sql access"
+  http /.*[\/\\]www-sql/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-888-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI wwwadmin.pl access"
+  http /.*[\/\\]wwwadmin\.pl/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-889-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI ppdscgi.exe access"
+  http /.*[\/\\]ppdscgi\.exe/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-890-10 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI sendform.cgi access"
+  http /.*[\/\\]sendform\.cgi/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-891-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI upload.pl access"
+  http /.*[\/\\]upload\.pl/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-892-8 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI AnyForm2 access"
+  http /.*[\/\\]AnyForm2/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-893-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI MachineInfo access"
+  http /.*[\/\\]MachineInfo/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1531-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI bb-hist.sh attempt"
+  http /.*[\/\\]bb-hist\.sh\?HISTFILE=\.\.[\/\\]\.\./
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-894-8 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI bb-hist.sh access"
+  http /.*[\/\\]bb-hist\.sh/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1459-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI bb-histlog.sh access"
+  http /.*[\/\\]bb-histlog\.sh/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1460-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI bb-histsvc.sh access"
+  http /.*[\/\\]bb-histsvc\.sh/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1532-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI bb-hostscv.sh attempt"
+  http /.*[\/\\]bb-hostsvc\.sh\?HOSTSVC\?\.\.[\/\\]\.\./
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1533-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI bb-hostscv.sh access"
+  http /.*[\/\\]bb-hostsvc\.sh/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1461-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI bb-rep.sh access"
+  http /.*[\/\\]bb-rep\.sh/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1462-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI bb-replog.sh access"
+  http /.*[\/\\]bb-replog\.sh/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1397-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI wayboard attempt"
+  http /.*[\/\\]way-board[\/\\]way-board\.cgi/
+  tcp-state established,originator
+  payload /.*db=/
+  payload /.*\.\.\/\.\./
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-896-11 {
+  ip-proto == tcp
+  dst-port == http_ports
+  dst-ip == local_nets
+  event "WEB-CGI way-board access"
+  http /.*[\/\\]way-board\?db\=.{2,}\x00/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1222-9 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI pals-cgi arbitrary file access attempt"
+  http /.*[\/\\]pals-cgi/
+  tcp-state established,originator
+  payload /.*[dD][oO][cC][uU][mM][eE][nN][tT][nN][aA][mM][eE]=/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-897-10 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI pals-cgi access"
+  http /.*[\/\\]pals-cgi/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1572-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI commerce.cgi arbitrary file access attempt"
+  http /.*[\/\\]commerce\.cgi/
+  tcp-state established,originator
+  payload /.*page=/
+  payload /.*\/\.\.\//
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-898-9 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI commerce.cgi access"
+  http /.*[\/\\]commerce\.cgi/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-899-8 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI Amaya templates sendtemp.pl directory traversal attempt"
+  http /.*[\/\\]sendtemp\.pl/
+  tcp-state established,originator
+  payload /.*[tT][eE][mM][pP][lL]=/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-901-10 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI webspirs.cgi access"
+  http /.*[\/\\]webspirs\.cgi/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-902-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI tstisapi.dll access"
+  http /.*tstisapi\.dll/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1308-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI sendmessage.cgi access"
+  http /.*[\/\\]sendmessage\.cgi/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1392-10 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI lastlines.cgi access"
+  http /.*[\/\\]lastlines\.cgi/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1395-8 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI zml.cgi attempt"
+  http /.*[\/\\]zml\.cgi/
+  tcp-state established,originator
+  payload /.*file=\.\.\//
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1396-8 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI zml.cgi access"
+  http /.*[\/\\]zml\.cgi/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1534-8 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI agora.cgi attempt"
+  http /.*[\/\\]store[\/\\]agora\.cgi\?cart_id=<SCRIPT>/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1406-11 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI agora.cgi access"
+  http /.*[\/\\]store[\/\\]agora\.cgi/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-877-8 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI rksh access"
+  http /.*[\/\\]rksh/
+  tcp-state established,originator
+  requires-signature ! http_shell_check
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1648-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI perl.exe command attempt"
+  http /.*[\/\\]perl\.exe\?/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-832-11 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI perl.exe access"
+  http /.*[\/\\]perl\.exe/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1649-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI perl command attempt"
+  http /.*[\/\\]perl\?/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1309-9 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI zsh access"
+  http /.*[\/\\]zsh/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-862-9 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI csh access"
+  http /.*[\/\\]csh/
+  tcp-state established,originator
+  requires-signature ! http_shell_check
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-872-9 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI tcsh access"
+  http /.*[\/\\]tcsh/
+  tcp-state established,originator
+  requires-signature ! http_shell_check
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-868-9 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI rsh access"
+  http /.*[\/\\]rsh/
+  tcp-state established,originator
+  requires-signature ! http_shell_check
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-865-8 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI ksh access"
+  http /.*[\/\\]ksh/
+  tcp-state established,originator
+  requires-signature ! http_shell_check
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1703-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI auktion.cgi directory traversal attempt"
+  http /.*[\/\\]auktion\.cgi/
+  tcp-state established,originator
+  payload /.*[mM][eE][nN][uU][eE]=\.\.\/\.\.\//
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1465-8 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI auktion.cgi access"
+  http /.*[\/\\]auktion\.cgi/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1573-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI cgiforum.pl attempt"
+  http /.*[\/\\]cgiforum\.pl\?thesection=\.\.[\/\\]\.\./
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1466-8 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI cgiforum.pl access"
+  http /.*[\/\\]cgiforum\.pl/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1574-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI directorypro.cgi attempt"
+  http /.*[\/\\]directorypro\.cgi/
+  tcp-state established,originator
+  payload /.*show=.{1}.*\.\.\/\.\./
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1467-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI directorypro.cgi access"
+  http /.*[\/\\]directorypro\.cgi/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1468-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI Web Shopper shopper.cgi attempt"
+  http /.*[\/\\]shopper\.cgi/
+  tcp-state established,originator
+  payload /.*[nN][eE][wW][pP][aA][gG][eE]=\.\.\//
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1469-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI Web Shopper shopper.cgi access"
+  http /.*[\/\\]shopper\.cgi/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1470-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI listrec.pl access"
+  http /.*[\/\\]listrec\.pl/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1471-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI mailnews.cgi access"
+  http /.*[\/\\]mailnews\.cgi/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1879-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  dst-ip == local_nets
+  event "WEB-CGI book.cgi arbitrary command execution attempt"
+  http /.*[\/]book.cgi\?.{1,}\|.{2,}\|/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1473-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI newsdesk.cgi access"
+  http /.*[\/\\]newsdesk\.cgi/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1704-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI cal_make.pl directory traversal attempt"
+  http /.*[\/\\]cal_make\.pl/
+  tcp-state established,originator
+  payload /.*[pP]0=\.\.\/\.\.\//
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1474-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI cal_make.pl access"
+  http /.*[\/\\]cal_make\.pl.{1,}(\.\.\/){2,}/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1475-4 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI mailit.pl access"
+  http /.*[\/\\]mailit\.pl/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1476-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI sdbsearch.cgi access"
+  http /.*[\/\\]sdbsearch\.cgi/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1478-3 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI swc access"
+  http /.*[\/\\]swc/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1479-8 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI ttawebtop.cgi arbitrary file attempt"
+  http /.*[\/\\]ttawebtop\.cgi/
+  tcp-state established,originator
+  payload /.*[pP][gG]=\.\.\//
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1480-9 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI ttawebtop.cgi access"
+  http /.*[\/\\]ttawebtop\.cgi/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1481-4 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI upload.cgi access"
+  http /.*[\/\\]upload\.cgi/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1482-4 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI view_source access"
+  http /.*[\/\\]view_source/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1730-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI ustorekeeper.pl directory traversal attempt"
+  http /.*[\/\\]ustorekeeper\.pl/
+  tcp-state established,originator
+  payload /.*[fF][iI][lL][eE]=\.\.\/\.\.\//
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1483-9 {
+  ip-proto == tcp
+  dst-port == http_ports
+  dst-ip == local_nets
+  event "WEB-CGI ustorekeeper.pl access"
+  http /.*[\/\\]ustorekeeper\.pl/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1617-8 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI Bugzilla doeditvotes.cgi access"
+  http /.*[\/\\]doeditvotes\.cgi/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1600-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI htsearch arbitrary configuration file attempt"
+  http /.*[\/\\]htsearch\?-c/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1601-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI htsearch arbitrary file read attempt"
+  http /.*[\/\\]htsearch\?exclude=`/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1602-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI htsearch access"
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+  http /.*[\/\\]htsearch\x3f.*\x3d[\x22\x60].*[\x22\x60].* /
+}
+
+signature s2b-1501-8 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI a1stats a1disp3.cgi directory traversal attempt"
+  http /.*[\/\\]a1disp3\.cgi\?[\/\\]\.\.[\/\\]\.\.[\/\\]/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1502-8 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI a1stats a1disp3.cgi access"
+  http /.*[\/\\]a1disp3\.cgi/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1731-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI a1stats access"
+  http /.*[\/\\]a1stats[\/\\]/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1503-8 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI admentor admin.asp access"
+  http /.*[\/\\]admentor[\/\\]admin[\/\\]admin\.asp/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1505-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI alchemy http server PRN arbitrary command execution attempt"
+  http /.*[\/\\]PRN[\/\\]\.\.[\/\\]\.\.[\/\\]/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1506-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI alchemy http server NUL arbitrary command execution attempt"
+  http /.*[\/\\]NUL[\/\\]\.\.[\/\\]\.\.[\/\\]/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1507-9 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI alibaba.pl arbitrary command execution attempt"
+  http /.*[\/\\]alibaba\.pl\x7C/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1508-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI alibaba.pl access"
+  http /.*[\/\\]alibaba\.pl/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1509-9 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI AltaVista Intranet Search directory traversal attempt"
+  http /.*[\/\\]query\?mss=\.\./
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1510-9 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI test.bat arbitrary command execution attempt"
+  http /.*[\/\\]test\.bat\x7C/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1511-9 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI test.bat access"
+  http /.*[\/\\]test\.bat/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1512-9 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI input.bat arbitrary command execution attempt"
+  http /.*[\/\\]input\.bat\x7C/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1513-9 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI input.bat access"
+  http /.*[\/\\]input\.bat/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1514-9 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI input2.bat arbitrary command execution attempt"
+  http /.*[\/\\]input2\.bat\x7C/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1515-9 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI input2.bat access"
+  http /.*[\/\\]input2\.bat/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1516-10 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI envout.bat arbitrary command execution attempt"
+  http /.*[\/\\]envout\.bat\x7C/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1517-9 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI envout.bat access"
+  http /.*[\/\\]envout\.bat/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1705-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI echo.bat arbitrary command execution attempt"
+  http /.*[\/\\]echo\.bat/
+  tcp-state established,originator
+  payload /.*&/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1706-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI echo.bat access"
+  http /.*[\/\\]echo\.bat/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1707-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI hello.bat arbitrary command execution attempt"
+  http /.*[\/\\]hello\.bat/
+  tcp-state established,originator
+  payload /.*&/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1708-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI hello.bat access"
+  http /.*[\/\\]hello\.bat/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1650-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI tst.bat access"
+  http /.*[\/\\]tst\.bat/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1542-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI cgimail access"
+  http /.*[\/\\]cgimail/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1547-11 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI csSearch.cgi arbitrary command execution attempt"
+  http /.*[\/\\]csSearch\.cgi/
+  tcp-state established,originator
+  payload /.*setup=/
+  payload /.*`.{1}.*`/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1548-9 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI csSearch.cgi access"
+  http /.*[\/\\]csSearch\.cgi/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+  eval isApacheLt1325
+}
+
+signature s2b-1553-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI /cart/cart.cgi access"
+  http /.*[\/\\]cart[\/\\]cart\.cgi/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1554-9 {
+  ip-proto == tcp
+  dst-port == http_ports
+  dst-ip == local_nets
+  event "WEB-CGI dbman db.cgi access"
+  http /.*[\/\\]dbman[\/\\]db\.cgi/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1555-7 {
+  ip-proto == tcp
+  dst-ip == local_nets
+  dst-port == http_ports
+  event "WEB-CGI DCShop access"
+  http /.*[\/\\]dcshop/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1556-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI DCShop orders.txt access"
+  http /.*[\/\\]orders[\/\\]orders\.txt/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1557-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI DCShop auth_user_file.txt access"
+  http /.*[\/\\]auth_data[\/\\]auth_user_file\.txt/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1565-8 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI eshop.pl arbitrary commane execution attempt"
+  http /.*[\/\\]eshop\.pl\?seite=\x3B/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1566-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI eshop.pl access"
+  http /.*[\/\\]eshop\.pl/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1569-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI loadpage.cgi directory traversal attempt"
+  http /.*[\/\\]loadpage\.cgi/
+  tcp-state established,originator
+  payload /.*[fF][iI][lL][eE]=\.\.\//
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1570-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  dst-ip == local_nets
+  event "WEB-CGI loadpage.cgi access"
+  http /.*[\/\\]loadpage\.cgi\?{1,}\//
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1590-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI faqmanager.cgi arbitrary file access attempt"
+  http /.*[\/\\]faqmanager\.cgi\?toc=/
+  http /.*\x00/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1591-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI faqmanager.cgi access"
+  http /.*[\/\\]faqmanager\.cgi/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1592-4 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI /fcgi-bin/echo.exe access"
+  http /.*[\/\\]fcgi-bin[\/\\]echo\.exe/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1628-10 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI FormHandler.cgi directory traversal attempt attempt"
+  http /.*[\/\\]FormHandler\.cgi/
+  tcp-state established,originator
+  payload /.*[rR][eE][pP][lL][yY]_[mM][eE][sS][sS][aA][gG][eE]_[aA][tT][tT][aA][cC][hH]=/
+  payload /.*\/\.\.\//
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1593-10 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI FormHandler.cgi external site redirection attempt"
+  http /.*[\/\\]FormHandler\.cgi/
+  tcp-state established,originator
+  payload /.*[rR][eE][dD][iI][rR][eE][cC][tT]=[hH][tT][tT][pP]/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1594-10 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI FormHandler.cgi access"
+  http /.*[\/\\]FormHandler\.cgi/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1598-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI Home Free search.cgi directory traversal attempt"
+  http /.*[\/\\]search\.cgi/
+  tcp-state established,originator
+  payload /.*[lL][eE][tT][tT][eE][rR]=\.\.\/\.\./
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1599-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI search.cgi access"
+  http /.*[\/\\]search\.cgi\?.*letter\=[^&]*?\.\.[\/\\]/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1651-4 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI enivorn.pl access"
+  http /.*[\/\\]enivron\.pl/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1652-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI campus attempt"
+  http /.*[\/\\]campus\?\x0A/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1654-4 {
+  ip-proto == tcp
+  dst-port == http_ports
+  dst-ip == local_nets
+  event "WEB-CGI cart32.exe access"
+  http /.*[\/\\]cart32\.exe/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1655-4 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI pfdispaly.cgi arbitrary command execution attempt"
+  http /.*[\/\\]pfdispaly\.cgi\?'/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1656-4 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI pfdispaly.cgi access"
+  http /.*[\/\\]pfdispaly\.cgi/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1657-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI pagelog.cgi directory traversal attempt"
+  http /.*[\/\\]pagelog\.cgi/
+  tcp-state established,originator
+  payload /.*[nN][aA][mM][eE]=\.\.\//
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1658-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI pagelog.cgi access"
+  http /.*[\/\\]pagelog\.cgi/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1710-4 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI bbs_forum.cgi access"
+  http /.*[\/\\]bbs_forum\.cgi/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1711-4 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI bsguest.cgi access"
+  http /.*[\/\\]bsguest\.cgi/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1712-4 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI bslist.cgi access"
+  http /.*[\/\\]bslist\.cgi/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1714-4 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI newdesk access"
+  http /.*[\/\\]newdesk/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1715-4 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI register.cgi access"
+  http /.*[\/\\]register\.cgi/
+  payload /SEND_MAIL/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1716-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  dst-ip == local_nets
+  event "WEB-CGI gbook.cgi access"
+  http /.*[\/\\]gbook\.cgi/
+  payload /_MAILTO.*\;/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1717-4 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI simplestguest.cgi access"
+  http /.*[\/\\]simplestguest\.cgi/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1718-4 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI statusconfig.pl access"
+  http /.*[\/\\]statusconfig\.pl/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1719-4 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI talkback.cgi directory traversal attempt"
+  http /.*[\/\\]talkbalk\.cgi/
+  tcp-state established,originator
+  payload /.*[aA][rR][tT][iI][cC][lL][eE]=\.\.\/\.\.\//
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1720-4 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI talkback.cgi access"
+  http /.*[\/\\]talkbalk\.cgi/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1721-4 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI adcycle access"
+  http /.*[\/\\]adcycle/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1722-4 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI MachineInfo access"
+  http /.*[\/\\]MachineInfo/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1723-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI emumail.cgi NULL attempt"
+  http /.*[\/\\]emumail\.cgi/
+  tcp-state established,originator
+  payload /.*[tT][yY][pP][eE]=/
+  payload /.*%00/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1724-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI emumail.cgi access"
+  http /.*[\/\\]emumail\.cgi/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1642-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI document.d2w access"
+  http /.*[\/\\]document\.d2w/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1668-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  dst-ip == local_nets
+  event "WEB-CGI /cgi-bin/ access"
+  http /.*[\/\\]cgi-bin[\/\\]$/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+  # under most conditions the root of cgi-bin should never return a list or valid document
+  # tune for site specific
+}
+
+signature s2b-1669-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI /cgi-dos/ access"
+  http /.*[\/\\]cgi-dos[\/\\]/
+  tcp-state established,originator
+  payload /.*\/[cC][gG][iI]-[dD][oO][sS]\/ [hH][tT][tT][pP]/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1051-9 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI technote main.cgi file directory traversal attempt"
+  http /.*[\/\\]technote[\/\\]main\.cgi/
+  tcp-state established,originator
+  payload /.*[fF][iI][lL][eE][nN][aA][mM][eE]=/
+  payload /.*\.\.\/\.\.\//
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1052-8 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI technote print.cgi directory traversal attempt"
+  http /.*[\/\\]technote[\/\\]print\.cgi/
+  tcp-state established,originator
+  payload /.*[bB][oO][aA][rR][dD]=/
+  payload /.*\.\.\/\.\.\//
+  payload /.*%00/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1053-10 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI ads.cgi command execution attempt"
+  http /.*[\/\\]ads\.cgi/
+  tcp-state established,originator
+  payload /.*[fF][iI][lL][eE]=/
+  payload /.*\.\.\/\.\.\//
+  payload /.*\x7C/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1088-9 {
+  ip-proto == tcp
+  dst-port == http_ports
+  dst-ip == local_nets
+  event "WEB-CGI eXtropia webstore directory traversal"
+  http /.*[\/\\]web_store\.cgi\?.*page=\.\.\//
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1089-9 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI shopping cart directory traversal"
+  http /.*[\/\\]shop\.cgi/
+  tcp-state established,originator
+  payload /.*page=\.\.\//
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1090-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI Allaire Pro Web Shell attempt"
+  http /.*[\/\\]authenticate\.cgi\?PASSWORD/
+  tcp-state established,originator
+  payload /.*config\.ini/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1092-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI Armada Style Master Index directory traversal"
+  http /.*[\/\\]search\.cgi\?keys/
+  tcp-state established,originator
+  payload /.*catigory=\.\.\//
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1093-10 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI cached_feed.cgi moreover shopping cart directory traversal"
+  http /.*[\/\\]cached_feed\.cgi/
+  tcp-state established,originator
+  payload /.*\.\.\//
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2051-3 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI cached_feed.cgi moreover shopping cart access"
+  http /.*[\/\\]cached_feed\.cgi/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1097-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI Talentsoft Web+ exploit attempt"
+  http /.*[\/\\]webplus\.cgi\?Script=[\/\\]webplus[\/\\]webping[\/\\]webping\.wml/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1106-9 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI Poll-it access"
+  http /.*[\/\\]pollit[\/\\]Poll_It_SSI_v2\.0\.cgi/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1865-4 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI webdist.cgi arbitrary command attempt"
+  http /.*[\/\\]webdist\.cgi/
+  tcp-state established,originator
+  payload /.*[dD][iI][sS][tT][lL][oO][cC]=\x3B/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1163-11 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI webdist.cgi access"
+  http /.*[\/\\]webdist\.cgi/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1172-10 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI bigconf.cgi access"
+  http /.*[\/\\]bigconf\.cgi/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1174-8 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI /cgi-bin/jj access"
+  http /.*[\/\\]cgi-bin[\/\\]jj/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1185-10 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI bizdbsearch attempt"
+  http /.*[\/\\]bizdb1-search\.cgi/
+  tcp-state established,originator
+  payload /.*[mM][aA][iI][lL]/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1535-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI bizdbsearch access"
+  http /.*[\/\\]bizdb1-search\.cgi/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1194-8 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI sojourn.cgi File attempt"
+  http /.*[\/\\]sojourn\.cgi\?cat=/
+  tcp-state established,originator
+  payload /.*%00/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1195-8 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI sojourn.cgi access"
+  http /.*[\/\\]sojourn\.cgi/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1196-10 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI SGI InfoSearch fname attempt"
+  http /.*[\/\\]infosrch\.cgi\?/
+  tcp-state established,originator
+  payload /.*[fF][nN][aA][mM][eE]=/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1727-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI SGI InfoSearch fname access"
+  http /.*[\/\\]infosrch\.cgi/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1204-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI ax-admin.cgi access"
+  http /.*[\/\\]ax-admin\.cgi/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1205-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI axs.cgi access"
+  http /.*[\/\\]axs\.cgi/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1206-10 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI cachemgr.cgi access"
+  http /.*[\/\\]cachemgr\.cgi/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1208-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI responder.cgi access"
+  http /.*[\/\\]responder\.cgi/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1211-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI web-map.cgi access"
+  http /.*[\/\\]web-map\.cgi/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1215-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI ministats admin access"
+  http /.*[\/\\]ministats[\/\\]admin\.cgi/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1219-10 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI dfire.cgi access"
+  http /.*[\/\\]dfire\.cgi/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1305-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI txt2html.cgi directory traversal attempt"
+  http /.*[\/\\]txt2html\.cgi/
+  tcp-state established,originator
+  payload /.*\/\.\.\/\.\.\/\.\.\/\.\.\//
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1304-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI txt2html.cgi access"
+  http /.*[\/\\]txt2html\.cgi/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1488-8 {
+  ip-proto == tcp
+  dst-port == http_ports
+  dst-ip == local_nets
+  event "WEB-CGI store.cgi directory traversal attempt"
+  http /.*[\/\\]store\.cgi/
+  tcp-state established,originator
+  payload /.*\.\.\//
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1307-9 {
+  ip-proto == tcp
+  dst-port == http_ports
+  dst-ip == local_nets
+  event "WEB-CGI store.cgi access"
+  http /.*[\/\\]store\.cgi/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1494-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI SIX webboard generate.cgi attempt"
+  http /.*[\/\\]generate\.cgi/
+  tcp-state established,originator
+  payload /.*content=\.\.\//
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1495-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI SIX webboard generate.cgi access"
+  http /.*[\/\\]generate\.cgi/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1496-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI spin_client.cgi access"
+  http /.*[\/\\]spin_client\.cgi/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1787-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI csPassword.cgi access"
+  http /.*[\/\\]csPassword\.cgi/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1788-3 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI csPassword password.cgi.tmp access"
+  http /.*[\/\\]password\.cgi\.tmp/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1763-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI Nortel Contivity cgiproc DOS attempt"
+  http /.*[\/\\]cgiproc\?Nocfile=/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1764-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI Nortel Contivity cgiproc DOS attempt"
+  http /.*[\/\\]cgiproc\?\x24/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1765-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI Nortel Contivity cgiproc access"
+  http /.*[\/\\]cgiproc/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1805-4 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI Oracle reports CGI access"
+  http /.*[\/\\]rwcgi60/
+  tcp-state established,originator
+  payload /.*setauth=/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1823-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  dst-ip == local_nets
+  event "WEB-CGI AlienForm af.cgi directory traversal attempt"
+  http /.*[\/\\](af|alienform)\.cgi\?.*\.\|\./
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1868-5 {
+  ip-proto == tcp
+  dst-port == 8080
+  event "WEB-CGI story.pl arbitrary file read attempt"
+  http /.*[\/\\]story\.pl/
+  tcp-state established,originator
+  payload /.*next=\.\.\//
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1869-5 {
+  ip-proto == tcp
+  dst-port == 8080
+  event "WEB-CGI story.pl access"
+  http /.*[\/\\]story\.pl/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1870-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI siteUserMod.cgi access"
+  http /.*[\/\\]\.cobalt[\/\\]siteUserMod[\/\\]siteUserMod\.cgi/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1875-4 {
+  ip-proto == tcp
+  dst-port == http_ports
+  dst-ip == local_nets
+  event "WEB-CGI cgicso access"
+  http /.*[\/\\]cgicso/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1876-4 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI nph-publish.cgi access"
+  http /.*[\/\\]nph-publish\.cgi/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1877-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI printenv access"
+  http /.*\/cgi-bin[^\/]*\/printenv/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1878-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI sdbsearch.cgi access"
+  http /.*[\/\\]sdbsearch\.cgi/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1931-3 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI rpc-nlog.pl access"
+  http /.*[\/\\]rpc-nlog\.pl/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1932-3 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI rpc-smb.pl access"
+  http /.*[\/\\]rpc-smb\.pl/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1994-3 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI vpasswd.cgi access"
+  http /.*[\/\\]vpasswd\.cgi/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1995-2 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI alya.cgi access"
+  http /.*[\/\\]alya\.cgi/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1996-3 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI viralator.cgi access"
+  http /.*[\/\\]viralator\.cgi/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2001-1 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI smartsearch.cgi access"
+  http /.*[\/\\]smartsearch\.cgi.*\|/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1862-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI mrtg.cgi directory traversal attempt"
+  http /.*[\/\\]mrtg\.cgi/
+  tcp-state established,originator
+  payload /.*cfg=\/\.\.\//
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2052-3 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI overflow.cgi access"
+  http /.*[\/\\]overflow\.cgi/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1850-3 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI way-board.cgi access"
+  http /.*[\/\\]way-board\.cgi/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2054-4 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI enter_bug.cgi arbitrary command attempt"
+  http /.*[\/\\]enter_bug\.cgi/
+  tcp-state established,originator
+  payload /.*[wW][hH][oO]=.*.*\x3B/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2085-4 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI parse_xml.cgi access"
+  http /.*[\/\\]parse_xml\.cgi/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2086-4 {
+  ip-proto == tcp
+  dst-port == 1220
+  event "WEB-CGI streaming server parse_xml.cgi access"
+  tcp-state established,originator
+  payload /.*\/[pP][aA][rR][sS][eE]_[xX][mM][lL]\.[cC][gG][iI]/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2115-2 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI album.pl access"
+  tcp-state established,originator
+  payload /.*\/[aA][lL][bB][uU][mM]\.[pP][lL]/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2116-3 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI chipcfg.cgi access"
+  http /.*[\/\\]chipcfg\.cgi/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2127-1 {
+  ip-proto == tcp
+  dst-ip == local_nets
+  dst-port == http_ports
+  event "WEB-CGI ikonboard.cgi access"
+  http /.*[\/\\]ikonboard\.cgi/
+  payload /Cookie: [^\=]{1,}\=\/[^\x0D\x0A]{2,}\x0D\x0A\x0D\x0A/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2128-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI swsrv.cgi access"
+  http /.*[\/\\]srsrv\.cgi/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2194-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI CSMailto.cgi access"
+  http /.*[\/\\]CSMailto\.cgi/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2195-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI alert.cgi access"
+  http /.*[\/\\]alert\.cgi/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2197-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI cvsview2.cgi access"
+  http /.*[\/\\]cvsview2\.cgi/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2198-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI cvslog.cgi access"
+  http /.*[\/\\]cvslog\.cgi/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2199-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI multidiff.cgi access"
+  http /.*[\/\\]multidiff\.cgi/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2200-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI dnewsweb.cgi access"
+  http /.*[\/\\]dnewsweb\.cgi/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2201-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI download.cgi access"
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+  http /.*[\/\\]download\.cgi.*f\x3d\x2e\x2e\x2f.* /
+}
+
+signature s2b-2202-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI edit_action.cgi access"
+  http /.*[\/\\]edit_action\.cgi/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2203-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI everythingform.cgi access"
+  http /.*[\/\\]everythingform\.cgi/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2204-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI ezadmin.cgi access"
+  http /.*[\/\\]ezadmin\.cgi/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2206-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI ezman.cgi access"
+  http /.*[\/\\]ezman\.cgi/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2207-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI fileseek.cgi access"
+  http /.*[\/\\]fileseek\.cgi/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2208-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI fom.cgi access"
+  http /.*[\/\\]fom\.cgi/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2209-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI getdoc.cgi access"
+  http /.*[\/\\]getdoc\.cgi\?.*form-attachment.*command/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2210-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI global.cgi access"
+  http /.*[\/\\]global\.cgi/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2211-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI guestserver.cgi access"
+  http /.*[\/\\]guestserver\.cgi/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2212-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  dst-ip == local_nets
+  event "WEB-CGI imageFolio.cgi access"
+  http /.*[\/\\]imageFolio\.cgi\?.*<script>/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2213-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI mailfile.cgi access"
+  http /.*[\/\\]mailfile\.cgi/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2214-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI mailview.cgi access"
+  http /.*[\/\\]mailview\.cgi/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2215-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI nsManager.cgi access"
+  http /.*[\/\\]nsManager\.cgi/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2216-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI readmail.cgi access"
+  http /.*[\/\\]readmail\.cgi/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2217-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI printmail.cgi access"
+  http /.*[\/\\]printmail\.cgi/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2218-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  dst-ip == local_nets
+  event "WEB-CGI service.cgi access"
+  http /.*[\/\\]service\.cgi/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2219-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI setpasswd.cgi access"
+  http /.*[\/\\]setpasswd\.cgi/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2220-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI simplestmail.cgi access"
+  http /.*[\/\\]simplestmail\.cgi/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2221-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI ws_mail.cgi access"
+  http /.*[\/\\]ws_mail\.cgi/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2222-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI nph-exploitscanget.cgi access"
+  http /.*[\/\\]nph-exploitscanget\.cgi/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2224-1 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI psunami.cgi access"
+  http /.*[\/\\]psunami\.cgi/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2225-1 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI gozila.cgi access"
+  http /.*[\/\\]gozila\.cgi/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2323-2 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI quickstore.cgi access"
+  http /.*[\/\\]quickstore\.cgi/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2387-4 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI view_broadcast.cgi access"
+  http /.*[\/\\]view_broadcast\.cgi/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2388-4 {
+  ip-proto == tcp
+  dst-port == 1220
+  event "WEB-CGI streaming server view_broadcast.cgi access"
+  http /.*[\/\\]view_broadcast\.cgi/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2396-2 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI CCBill whereami.cgi arbitrary command execution attempt"
+  http /.*[\/\\]whereami\.cgi\?g=/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2397-2 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI CCBill whereami.cgi access"
+  http /.*[\/\\]whereami\.cgi/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2433-1 {
+  ip-proto == tcp
+  dst-port == 3000
+  # Not supported: pcre: /\Wfrom=[^\x3b&\n]{100}/si
+  event "WEB-CGI MDaemon form2raw.cgi overflow attempt"
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+  http /[^a-zA-Z0-9_][fF][rR][oO][mM]=[^\x3b&\n]{100}/
+}
+
+signature s2b-2434-1 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI MDaemon form2raw.cgi access"
+  tcp-state established,originator
+  payload /.*\/[fF][oO][rR][mM]2[rR][aA][wW]\.[cC][gG][iI]/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2567-1 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI Emumail init.emu access"
+  http /.*[\/\\]init\.emu/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2568-1 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CGI Emumail emumail.fcgi access"
+  http /.*[\/\\]emumail\.fcgi\?./
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1735-4 {
+  ip-proto == tcp
+  src-port == http_ports
+  event "WEB-CLIENT XMLHttpRequest attempt"
+  tcp-state established,responder
+  payload /.*new XMLHttpRequest\x28/
+  payload /.*[fF][iI][lL][eE]\x3A\/\//
+}
+
+signature s2b-1284-10 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-CLIENT readme.eml download attempt"
+  http /.*[\/\\]readme\.eml/
+  tcp-state established,originator
+  requires-signature http_msie_client
+}
+
+signature s2b-1840-5 {
+  ip-proto == tcp
+  src-port == http_ports
+  event "WEB-CLIENT Javascript document.domain attempt"
+  tcp-state established,responder
+  payload /.*[dD][oO][cC][uU][mM][eE][nN][tT]\.[dD][oO][mM][aA][iI][nN]\x28/
+  requires-signature http_msie_client
+}
+
+signature s2b-1841-5 {
+  ip-proto == tcp
+  src-port == http_ports
+  event "WEB-CLIENT Javascript URL host spoofing attempt"
+  tcp-state established,responder
+  payload /.*[jJ][aA][vV][aA][sS][cC][rR][iI][pP][tT]\x3A\/\//
+  requires-signature http_old_gecko_client
+}
+
+signature s2b-2437-5 {
+  ip-proto == tcp
+  src-port == http_ports
+  # Not supported: pcre: /^Content-Type\x3a\s+application\x2fsmi.*?<area[\s\n\r]+href=[\x22\x27]file\x3ajavascript\x3a/smi
+  event "WEB-CLIENT RealPlayer arbitrary javascript command attempt"
+  tcp-state established,responder
+  http /((^)|(\n+))[cC][oO][nN][tT][eE][nN][tT]-[tT][yY][pP][eE]\x3a[\x20\x09\x0b][aA][pP][pP][lL][iI][cC][aA][tT][iI][oO][nN]\x2f[sS][mM][iI].*?<[aA][rR][eE][aA][\x20\x09\x0b\n\r]+href=[\x22\x27][fF][iI][lL][eE]\x3ajavascript\x3a/
+  requires-signature http_real_client
+}
+
+signature s2b-2438-3 {
+  ip-proto == tcp
+  src-port == http_ports
+  # Not supported: pcre: /^file\x3a\x2f\x2f[^\n]{400}/smi
+  # Not supported: flowbits: isset,realplayer.playlist
+  event "WEB-CLIENT RealPlayer playlist file URL overflow attempt"
+  tcp-state established,responder
+  payload /((^)|(\n+))[fF][iI][lL][eE]\x3a\x2f\x2f[^\n]{400}/
+}
+
+signature s2b-2439-3 {
+  ip-proto == tcp
+  src-port == http_ports
+  # Not supported: pcre: /^http\x3a\x2f\x2f[^\n]{400}/smi
+  # Not supported: flowbits: isset,realplayer.playlist
+  event "WEB-CLIENT RealPlayer playlist http URL overflow attempt"
+  tcp-state established,responder
+  payload /.*[hH][tT][tT][pP]\x3A\/\//
+  payload /((^)|(\n+))[hH][tT]{2}[pP]\x3a\x2f\x2f[^\n]{400}/
+}
+
+signature s2b-2440-3 {
+  ip-proto == tcp
+  src-port == http_ports
+  # Not supported: pcre: /^http\x3a\x2f\x2f[^\n]{400}/smi
+  # Not supported: flowbits: isset,realplayer.playlist
+  event "WEB-CLIENT RealPlayer playlist rtsp URL overflow attempt"
+  tcp-state established,responder
+  payload /.*[rR][tT][sS][pP]\x3A\/\//
+  payload /((^)|(\n+))[hH][tT]{2}[pP]\x3a\x2f\x2f[^\n]{400}/
+}
+
+signature s2b-2485-4 {
+  ip-proto == tcp
+  src-port == http_ports
+  event "WEB-CLIENT Nortan antivirus sysmspam.dll load attempt"
+  tcp-state established,responder
+  payload /.*[cC][lL][sS][iI][dD]\x3A/
+  payload /.*0534[cC][fF]61-83[cC]5-4765-[bB]19[bB]-45[fF]7[aA]4[eE]135[dD]0/
+}
+
+signature s2b-903-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-COLDFUSION cfcache.map access"
+  http /.*[\/\\]cfcache\.map/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-904-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-COLDFUSION exampleapp application.cfm"
+  http /.*[\/\\]cfdocs[\/\\]exampleapp[\/\\]email[\/\\]application\.cfm/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-905-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-COLDFUSION application.cfm access"
+  http /.*[\/\\]cfdocs[\/\\]exampleapp[\/\\]publish[\/\\]admin[\/\\]application\.cfm/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-906-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-COLDFUSION getfile.cfm access"
+  http /.*[\/\\]cfdocs[\/\\]exampleapp[\/\\]email[\/\\]getfile\.cfm/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-907-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-COLDFUSION addcontent.cfm access"
+  http /.*[\/\\]cfdocs[\/\\]exampleapp[\/\\]publish[\/\\]admin[\/\\]addcontent\.cfm/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-908-8 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-COLDFUSION administrator access"
+  http /.*[\/\\]cfide[\/\\]administrator[\/\\]index\.cfm/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-909-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-COLDFUSION datasource username attempt"
+  tcp-state established,originator
+  payload /.*[cC][fF]_[sS][eE][tT][dD][aA][tT][aA][sS][oO][uU][rR][cC][eE][uU][sS][eE][rR][nN][aA][mM][eE]\x28\x29/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-910-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-COLDFUSION fileexists.cfm access"
+  http /.*[\/\\]cfdocs[\/\\]snippets[\/\\]fileexists\.cfm/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-911-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-COLDFUSION exprcalc access"
+  http /.*[\/\\]cfdocs[\/\\]expeval[\/\\]exprcalc\.cfm/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-912-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-COLDFUSION parks access"
+  http /.*[\/\\]cfdocs[\/\\]examples[\/\\]parks[\/\\]detail\.cfm/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-913-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-COLDFUSION cfappman access"
+  http /.*[\/\\]cfappman[\/\\]index\.cfm/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-914-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-COLDFUSION beaninfo access"
+  http /.*[\/\\]cfdocs[\/\\]examples[\/\\]cvbeans[\/\\]beaninfo\.cfm/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-915-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-COLDFUSION evaluate.cfm access"
+  http /.*[\/\\]cfdocs[\/\\]snippets[\/\\]evaluate\.cfm/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-916-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-COLDFUSION getodbcdsn access"
+  tcp-state established,originator
+  payload /.*[cC][fF][uU][sS][iI][oO][nN]_[gG][eE][tT][oO][dD][bB][cC][dD][sS][nN]\x28\x29/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-917-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-COLDFUSION db connections flush attempt"
+  tcp-state established,originator
+  payload /.*[cC][fF][uU][sS][iI][oO][nN]_[dD][bB][cC][oO][nN][nN][eE][cC][tT][iI][oO][nN][sS]_[fF][lL][uU][sS][hH]\x28\x29/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-918-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-COLDFUSION expeval access"
+  http /.*[\/\\]cfdocs[\/\\]expeval[\/\\]/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-919-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-COLDFUSION datasource passwordattempt"
+  tcp-state established,originator
+  payload /.*[cC][fF]_[sS][eE][tT][dD][aA][tT][aA][sS][oO][uU][rR][cC][eE][pP][aA][sS][sS][wW][oO][rR][dD]\x28\x29/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-920-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-COLDFUSION datasource attempt"
+  tcp-state established,originator
+  payload /.*[cC][fF]_[iI][sS][cC][oO][lL][dD][fF][uU][sS][iI][oO][nN][dD][aA][tT][aA][sS][oO][uU][rR][cC][eE]\x28\x29/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-921-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-COLDFUSION admin encrypt attempt"
+  tcp-state established,originator
+  payload /.*[cC][fF][uU][sS][iI][oO][nN]_[eE][nN][cC][rR][yY][pP][tT]\x28\x29/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-922-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-COLDFUSION displayfile access"
+  http /.*[\/\\]cfdocs[\/\\]expeval[\/\\]displayopenedfile\.cfm/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-923-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-COLDFUSION getodbcin attempt"
+  tcp-state established,originator
+  payload /.*[cC][fF][uU][sS][iI][oO][nN]_[gG][eE][tT][oO][dD][bB][cC][iI][nN][iI]\x28\x29/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-924-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-COLDFUSION admin decrypt attempt"
+  tcp-state established,originator
+  payload /.*[cC][fF][uU][sS][iI][oO][nN]_[dD][eE][cC][rR][yY][pP][tT]\x28\x29/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-925-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-COLDFUSION mainframeset access"
+  http /.*[\/\\]cfdocs[\/\\]examples[\/\\]mainframeset\.cfm/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-926-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-COLDFUSION set odbc ini attempt"
+  tcp-state established,originator
+  payload /.*[cC][fF][uU][sS][iI][oO][nN]_[sS][eE][tT][oO][dD][bB][cC][iI][nN][iI]\x28\x29/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-927-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-COLDFUSION settings refresh attempt"
+  tcp-state established,originator
+  payload /.*[cC][fF][uU][sS][iI][oO][nN]_[sS][eE][tT][tT][iI][nN][gG][sS]_[rR][eE][fF][rR][eE][sS][hH]\x28\x29/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-928-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-COLDFUSION exampleapp access"
+  http /.*[\/\\]cfdocs[\/\\]exampleapp[\/\\]/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-929-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-COLDFUSION CFUSION_VERIFYMAIL access"
+  tcp-state established,originator
+  payload /.*[cC][fF][uU][sS][iI][oO][nN]_[vV][eE][rR][iI][fF][yY][mM][aA][iI][lL]\x28\x29/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-930-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-COLDFUSION snippets attempt"
+  http /.*[\/\\]cfdocs[\/\\]snippets[\/\\]/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-931-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-COLDFUSION cfmlsyntaxcheck.cfm access"
+  http /.*[\/\\]cfdocs[\/\\]cfmlsyntaxcheck\.cfm/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-932-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-COLDFUSION application.cfm access"
+  http /.*[\/\\]application\.cfm/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-933-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-COLDFUSION onrequestend.cfm access"
+  http /.*[\/\\]onrequestend\.cfm/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-935-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-COLDFUSION startstop DOS access"
+  http /.*[\/\\]cfide[\/\\]administrator[\/\\]startstop\.html/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-936-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-COLDFUSION gettempdirectory.cfm access "
+  http /.*[\/\\]cfdocs[\/\\]snippets[\/\\]gettempdirectory\.cfm/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1659-3 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-COLDFUSION sendmail.cfm access"
+  http /.*[\/\\]sendmail\.cfm/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1248-13 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-FRONTPAGE rad fp30reg.dll access"
+  http /.*[\/\\]fp30reg\.dll/
+  tcp-state established,originator
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1249-10 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-FRONTPAGE frontpage rad fp4areg.dll access"
+  http /.*[\/\\]fp4areg\.dll/
+  tcp-state established,originator
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-937-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-FRONTPAGE _vti_rpc access"
+  http /.*[\/\\]_vti_rpc/
+  tcp-state established,originator
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-939-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-FRONTPAGE posting"
+  http /.*[\/\\]author\.dll/
+  tcp-state established,originator
+  payload /.*[pP][oO][sS][tT]/
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-940-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-FRONTPAGE shtml.dll access"
+  http /.*[\/\\]_vti_bin[\/\\]shtml\.dll/
+  tcp-state established,originator
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-941-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-FRONTPAGE contents.htm access"
+  http /.*[\/\\]admcgi[\/\\]contents\.htm/
+  tcp-state established,originator
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-942-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-FRONTPAGE orders.htm access"
+  http /.*[\/\\]_private[\/\\]orders\.htm/
+  tcp-state established,originator
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-943-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-FRONTPAGE fpsrvadm.exe access"
+  http /.*[\/\\]fpsrvadm\.exe/
+  tcp-state established,originator
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-944-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-FRONTPAGE fpremadm.exe access"
+  http /.*[\/\\]fpremadm\.exe/
+  tcp-state established,originator
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-945-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-FRONTPAGE fpadmin.htm access"
+  http /.*[\/\\]admisapi[\/\\]fpadmin\.htm/
+  tcp-state established,originator
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-946-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-FRONTPAGE fpadmcgi.exe access"
+  http /.*[\/\\]scripts[\/\\]Fpadmcgi\.exe/
+  tcp-state established,originator
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-947-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-FRONTPAGE orders.txt access"
+  http /.*[\/\\]_private[\/\\]orders\.txt/
+  tcp-state established,originator
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-948-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-FRONTPAGE form_results access"
+  http /.*[\/\\]_private[\/\\]form_results\.txt/
+  tcp-state established,originator
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-949-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-FRONTPAGE registrations.htm access"
+  http /.*[\/\\]_private[\/\\]registrations\.htm/
+  tcp-state established,originator
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-950-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-FRONTPAGE cfgwiz.exe access"
+  http /.*[\/\\]cfgwiz\.exe/
+  tcp-state established,originator
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-951-10 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-FRONTPAGE authors.pwd access"
+  http /.*[\/\\]authors\.pwd/
+  tcp-state established,originator
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-952-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-FRONTPAGE author.exe access"
+  http /.*[\/\\]_vti_bin[\/\\]_vti_aut[\/\\]author\.exe/
+  tcp-state established,originator
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-953-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-FRONTPAGE administrators.pwd access"
+  http /.*[\/\\]administrators\.pwd/
+  tcp-state established,originator
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-954-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-FRONTPAGE form_results.htm access"
+  http /.*[\/\\]_private[\/\\]form_results\.htm/
+  tcp-state established,originator
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-955-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-FRONTPAGE access.cnf access"
+  http /.*[\/\\]_vti_pvt[\/\\]access\.cnf/
+  tcp-state established,originator
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-956-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-FRONTPAGE register.txt access"
+  http /.*[\/\\]_private[\/\\]register\.txt/
+  tcp-state established,originator
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-957-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-FRONTPAGE registrations.txt access"
+  http /.*[\/\\]_private[\/\\]registrations\.txt/
+  tcp-state established,originator
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-958-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-FRONTPAGE service.cnf access"
+  http /.*[\/\\]_vti_pvt[\/\\]service\.cnf/
+  tcp-state established,originator
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-959-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-FRONTPAGE service.pwd"
+  http /.*[\/\\]service\.pwd/
+  tcp-state established,originator
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-960-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-FRONTPAGE service.stp access"
+  http /.*[\/\\]_vti_pvt[\/\\]service\.stp/
+  tcp-state established,originator
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-961-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-FRONTPAGE services.cnf access"
+  http /.*[\/\\]_vti_pvt[\/\\]services\.cnf/
+  tcp-state established,originator
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-962-9 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-FRONTPAGE shtml.exe access"
+  http /.*[\/\\]_vti_bin[\/\\]shtml\.exe/
+  tcp-state established,originator
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-963-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-FRONTPAGE svcacl.cnf access"
+  http /.*[\/\\]_vti_pvt[\/\\]svcacl\.cnf/
+  tcp-state established,originator
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-964-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-FRONTPAGE users.pwd access"
+  http /.*[\/\\]users\.pwd/
+  tcp-state established,originator
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-965-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-FRONTPAGE writeto.cnf access"
+  http /.*[\/\\]_vti_pvt[\/\\]writeto\.cnf/
+  tcp-state established,originator
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-966-9 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-FRONTPAGE .... request"
+  http /.*\.\.\.\.[\/\\]/
+  tcp-state established,originator
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-967-11 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-FRONTPAGE dvwssr.dll access"
+  http /.*[\/\\]dvwssr\.dll/
+  tcp-state established,originator
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-968-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-FRONTPAGE register.htm access"
+  http /.*[\/\\]_private[\/\\]register\.htm/
+  tcp-state established,originator
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1288-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-FRONTPAGE /_vti_bin/ access"
+  http /.*[\/\\]_vti_bin[\/\\]/
+  tcp-state established,originator
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1970-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-IIS MDAC Content-Type overflow attempt"
+  http /.*[\/\\]msadcs\.dll/
+  tcp-state established,originator
+  payload /.*[cC][oO][nN][tT][eE][nN][tT]-[tT][yY][pP][eE]\x3A[^\x0A]{50}/
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1076-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-IIS repost.asp access"
+  http /.*[\/\\]scripts[\/\\]repost\.asp/
+  tcp-state established,originator
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1806-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-IIS .htr chunked Transfer-Encoding"
+  http /.*\.htr/
+  tcp-state established,originator
+  payload /.*[tT][rR][aA][nN][sS][fF][eE][rR]-[eE][nN][cC][oO][dD][iI][nN][gG]\x3A/
+  payload /.*[cC][hH][uU][nN][kK][eE][dD]/
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1618-14 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-IIS .asp chunked Transfer-Encoding"
+  http /.*\.asp/
+  tcp-state established,originator
+  payload /.*[tT][rR][aA][nN][sS][fF][eE][rR]-[eE][nN][cC][oO][dD][iI][nN][gG]\x3A/
+  payload /.*[cC][hH][uU][nN][kK][eE][dD]/
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1626-4 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-IIS /StoreCSVS/InstantOrder.asmx request"
+  http /.*[\/\\]StoreCSVS[\/\\]InstantOrder\.asmx/
+  tcp-state established,originator
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1750-3 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-IIS users.xml access"
+  http /.*[\/\\]users\.xml/
+  tcp-state established,originator
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1753-2 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-IIS as_web.exe access"
+  http /.*[\/\\]as_web\.exe/
+  tcp-state established,originator
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1754-2 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-IIS as_web4.exe access"
+  http /.*[\/\\]as_web4\.exe/
+  tcp-state established,originator
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1756-2 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-IIS NewsPro administration authentication attempt"
+  tcp-state established,originator
+  payload /.*logged,true/
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1772-4 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-IIS pbserver access"
+  http /.*[\/\\]pbserver[\/\\]pbserver\.dll/
+  tcp-state established,originator
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1660-4 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-IIS trace.axd access"
+  http /.*[\/\\]trace\.axd/
+  tcp-state established,originator
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1484-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-IIS /isapi/tstisapi.dll access"
+  http /.*[\/\\]isapi[\/\\]tstisapi\.dll/
+  tcp-state established,originator
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1485-4 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-IIS mkilog.exe access"
+  http /.*[\/\\]mkilog\.exe/
+  tcp-state established,originator
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1486-4 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-IIS ctss.idc access"
+  http /.*[\/\\]ctss\.idc/
+  tcp-state established,originator
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1487-4 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-IIS /iisadmpwd/aexp2.htr access"
+  http /.*[\/\\]iisadmpwd[\/\\]aexp2\.htr/
+  tcp-state established,originator
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-969-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-IIS WebDAV file lock attempt"
+  tcp-state established,originator
+  payload /LOCK /
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-971-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-IIS ISAPI .printer access"
+  http /.*\.printer/
+  tcp-state established,originator
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1243-11 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-IIS ISAPI .ida attempt"
+  http /.*\.ida\?/
+  tcp-state established,originator
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1242-10 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-IIS ISAPI .ida access"
+  http /.*\.ida/
+  tcp-state established,originator
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1244-10 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-IIS ISAPI .idq attempt"
+  http /.*\.idq\?/
+  tcp-state established,originator
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1245-10 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-IIS ISAPI .idq access"
+  http /.*\.idq/
+  tcp-state established,originator
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-973-10 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-IIS *.idc attempt"
+  http /.*[\/\\]\*\.idc/
+  tcp-state established,originator
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-974-10 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-IIS Directory transversal attempt"
+  tcp-state established,originator
+  payload /.*\.\.\x5C\.\./
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-975-12 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-IIS Alternate Data streams ASP file access attempt"
+  http /.*\.asp\x3A\x3A\x24DATA/
+  tcp-state established,originator
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-976-10 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-IIS .bat? access"
+  http /.*\.bat\?/
+  tcp-state established,originator
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-977-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-IIS .cnf access"
+  http /.*\.cnf/
+  tcp-state established,originator
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-978-11 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-IIS ASP contents view"
+  tcp-state established,originator
+  payload /.*%20/
+  payload /.*&[cC][iI][rR][eE][sS][tT][rR][iI][cC][tT][iI][oO][nN]=[nN][oO][nN][eE]/
+  payload /.*&[cC][iI][hH][iI][lL][iI][tT][eE][tT][yY][pP][eE]=[fF][uU][lL][lL]/
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-979-9 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-IIS ASP contents view"
+  http /.*\.htw\?CiWebHitsFile/
+  tcp-state established,originator
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-980-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-IIS CGImail.exe access"
+  http /.*[\/\\]scripts[\/\\]CGImail\.exe/
+  tcp-state established,originator
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-981-9 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-IIS unicode directory traversal attempt"
+  tcp-state established,originator
+  payload /.*\/\.\.%[cC]0%[aA][fF]\.\.\//
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-982-9 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-IIS unicode directory traversal attempt"
+  tcp-state established,originator
+  payload /.*\/\.\.%[cC]1%1[cC]\.\.\//
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-983-9 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-IIS unicode directory traversal attempt"
+  tcp-state established,originator
+  payload /.*\/\.\.%[cC]1%9[cC]\.\.\//
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1945-4 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-IIS unicode directory traversal attempt"
+  tcp-state established,originator
+  payload /.*\/\.\.%255[cC]\.\./
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-986-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-IIS MSProxy access"
+  http /.*[\/\\]scripts[\/\\]proxy[\/\\]w3proxy\.dll/
+  tcp-state established,originator
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1725-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-IIS +.htr code fragment attempt"
+  http /.*\+\.htr/
+  tcp-state established,originator
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-987-12 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-IIS .htr access"
+  http /.*\.htr/
+  tcp-state established,originator
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-988-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-IIS SAM Attempt"
+  tcp-state established,originator
+  payload /.*[sS][aA][mM]\._/
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-989-8 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-IIS Unicode2.pl script File permission canonicalization"
+  http /.*[\/\\]sensepost\.exe/
+  tcp-state established,originator
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-990-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-IIS _vti_inf access"
+  http /.*_vti_inf\.html/
+  tcp-state established,originator
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-991-8 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-IIS achg.htr access"
+  http /.*[\/\\]iisadmpwd[\/\\]achg\.htr/
+  tcp-state established,originator
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-994-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-IIS /scripts/iisadmin/default.htm access"
+  http /.*[\/\\]scripts[\/\\]iisadmin[\/\\]default\.htm/
+  tcp-state established,originator
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-995-10 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-IIS ism.dll access"
+  http /.*[\/\\]scripts[\/\\]iisadmin[\/\\]ism\.dll\?http[\/\\]dir/
+  tcp-state established,originator
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-996-8 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-IIS anot.htr access"
+  http /.*[\/\\]iisadmpwd[\/\\]anot/
+  tcp-state established,originator
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-997-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-IIS asp-dot attempt"
+  http /.*\.asp\./
+  tcp-state established,originator
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-998-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-IIS asp-srch attempt"
+  http /.*\x23filename=\*\.asp/
+  tcp-state established,originator
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1000-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-IIS bdir.htr access"
+  http /.*[\/\\]bdir\.htr/
+  tcp-state established,originator
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1661-4 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-IIS cmd32.exe access"
+  tcp-state established,originator
+  payload /.*[cC][mM][dD]32\.[eE][xX][eE]/
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1002-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-IIS cmd.exe access"
+  tcp-state established,originator
+  payload /.*[cC][mM][dD]\.[eE][xX][eE]/
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1003-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-IIS cmd? access"
+  tcp-state established,originator
+  payload /.*\.[cC][mM][dD]\?&/
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1007-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-IIS cross-site scripting attempt"
+  http /.*[\/\\]Form_JScript\.asp/
+  tcp-state established,originator
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1380-4 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-IIS cross-site scripting attempt"
+  http /.*[\/\\]Form_VBScript\.asp/
+  tcp-state established,originator
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1008-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-IIS del attempt"
+  tcp-state established,originator
+  payload /.*&[dD][eE][lL]\+\/[sS]\+[cC]\x3A\x5C\*\.\*/
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1009-4 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-IIS directory listing"
+  http /.*[\/\\]ServerVariables_Jscript\.asp/
+  tcp-state established,originator
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1010-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-IIS encoding access"
+  tcp-state established,originator
+  payload /.*%1u/
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1011-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-IIS exec-src access"
+  tcp-state established,originator
+  payload /.*\x23[fF][iI][lL][eE][nN][aA][mM][eE]=\*\.[eE][xX][eE]/
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1012-10 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-IIS fpcount attempt"
+  http /.*[\/\\]fpcount\.exe/
+  tcp-state established,originator
+  payload /.*[dD][iI][gG][iI][tT][sS]=/
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1013-9 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-IIS fpcount access"
+  http /.*[\/\\]fpcount\.exe/
+  tcp-state established,originator
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1015-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-IIS getdrvs.exe access"
+  http /.*[\/\\]scripts[\/\\]tools[\/\\]getdrvs\.exe/
+  tcp-state established,originator
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1016-10 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-IIS global.asa access"
+  http /.*[\/\\]global\.asa/
+  tcp-state established,originator
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1017-8 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-IIS idc-srch attempt"
+  tcp-state established,originator
+  payload /.*\x23[fF][iI][lL][eE][nN][aA][mM][eE]=\*\.[iI][dD][cC]/
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1018-9 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-IIS iisadmpwd attempt"
+  http /.*[\/\\]iisadmpwd[\/\\]aexp/
+  tcp-state established,originator
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1019-8 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-IIS index server file source code attempt"
+  http /.*\?CiWebHitsFile=[\/\\]/
+  tcp-state established,originator
+  payload /.*&CiRestriction=none&CiHiliteType=Full/
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1020-10 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-IIS isc$data attempt"
+  http /.*\.idc\x3A\x3A\x24data/
+  tcp-state established,originator
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1021-11 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-IIS ism.dll attempt"
+  http /.* \.htr/
+  tcp-state established,originator
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1022-8 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-IIS jet vba access"
+  http /.*[\/\\]advworks[\/\\]equipment[\/\\]catalog_type\.asp/
+  tcp-state established,originator
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1023-9 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-IIS msadcs.dll access"
+  http /.*[\/\\]msadcs\.dll/
+  tcp-state established,originator
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1024-8 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-IIS newdsn.exe access"
+  http /.*[\/\\]scripts[\/\\]tools[\/\\]newdsn\.exe/
+  tcp-state established,originator
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1025-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-IIS perl access"
+  http /.*[\/\\]scripts[\/\\]perl/
+  tcp-state established,originator
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1026-9 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-IIS perl-browse newline attempt"
+  http /.*\x0A\.pl/
+  tcp-state established,originator
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1027-8 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-IIS perl-browse space attempt"
+  http /.* \.pl/
+  tcp-state established,originator
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1029-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-IIS scripts-browse access"
+  http /.*[\/\\]scripts[\/\\] /
+  tcp-state established,originator
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1030-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-IIS search97.vts access"
+  http /.*[\/\\]search97\.vts/
+  tcp-state established,originator
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1037-10 {
+  ip-proto == tcp
+  dst-port == http_ports
+  dst-ip == local_nets
+  event "WEB-IIS showcode.asp access"
+  http /.*[\/\\]showcode\.asp/
+  tcp-state established,originator
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1038-8 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-IIS site server config access"
+  http /.*[\/\\]adsamples[\/\\]config[\/\\]site\.csc/
+  tcp-state established,originator
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1039-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-IIS srch.htm access"
+  http /.*[\/\\]samples[\/\\]isapi[\/\\]srch\.htm/
+  tcp-state established,originator
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1040-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-IIS srchadm access"
+  http /.*[\/\\]srchadm/
+  tcp-state established,originator
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1041-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-IIS uploadn.asp access"
+  http /.*[\/\\]scripts[\/\\]uploadn\.asp/
+  tcp-state established,originator
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1042-8 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-IIS view source via translate header"
+  tcp-state established,originator
+  payload /.*[tT][rR][aA][nN][sS][lL][aA][tT][eE]\x3A [fF]/
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1043-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-IIS viewcode.asp access"
+  http /.*[\/\\]viewcode\.asp/
+  tcp-state established,originator
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1044-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-IIS webhits access"
+  http /.*\.htw/
+  tcp-state established,originator
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1726-4 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-IIS doctodep.btr access"
+  http /.*doctodep\.btr/
+  tcp-state established,originator
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1046-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-IIS site/iisamples access"
+  http /.*[\/\\]site[\/\\]iisamples/
+  tcp-state established,originator
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1256-8 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-IIS CodeRed v2 root.exe access"
+  http /.*[\/\\]root\.exe/
+  tcp-state established,originator
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1283-9 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-IIS outlook web dos"
+  http /.*[\/\\]exchange[\/\\]LogonFrm\.asp\?/
+  tcp-state established,originator
+  payload /.*[mM][aA][iI][lL][bB][oO][xX]=/
+  payload /.*%%%/
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1400-4 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-IIS /scripts/samples/ access"
+  http /.*[\/\\]scripts[\/\\]samples[\/\\]/
+  tcp-state established,originator
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1401-4 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-IIS /msadc/samples/ access"
+  http /.*[\/\\]msadc[\/\\]samples[\/\\]/
+  tcp-state established,originator
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1402-4 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-IIS iissamples access"
+  http /.*[\/\\]iissamples[\/\\]/
+  tcp-state established,originator
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-993-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-IIS iisadmin access"
+  http /.*[\/\\]iisadmin/
+  tcp-state established,originator
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1285-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-IIS msdac access"
+  http /.*[\/\\]msdac[\/\\]/
+  tcp-state established,originator
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1286-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-IIS _mem_bin access"
+  http /.*[\/\\]_mem_bin[\/\\]/
+  tcp-state established,originator
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1595-10 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-IIS htimage.exe access"
+  http /.*[\/\\]htimage\.exe/
+  tcp-state established,originator
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1817-4 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-IIS MS Site Server default login attempt"
+  http /.*[\/\\]SiteServer[\/\\]Admin[\/\\]knowledge[\/\\]persmbr[\/\\]/
+  tcp-state established,originator
+  payload /.*[aA][uU][tT][hH][oO][rR][iI][zZ][aA][tT][iI][oO][nN]\x3A [bB][aA][sS][iI][cC] [tT][eE][rR][bB][uU][fF]9[bB][bB][mM]9[uU][eE][wW]1[vV][dD][xX][mM]6[tT][gG][rR][hH][cC][fF][bB][hH][cC]3[nN]3[bB]3[jJ][kK][xX][zZ][eE]=/
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1818-3 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-IIS MS Site Server admin attempt"
+  http /.*[\/\\]Site Server[\/\\]Admin[\/\\]knowledge[\/\\]persmbr[\/\\]/
+  tcp-state established,originator
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1075-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-IIS postinfo.asp access"
+  http /.*[\/\\]scripts[\/\\]postinfo\.asp/
+  tcp-state established,originator
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1567-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-IIS /exchange/root.asp attempt"
+  http /.*[\/\\]exchange[\/\\]root\.asp\?acs=anon/
+  tcp-state established,originator
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1568-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-IIS /exchange/root.asp access"
+  http /.*[\/\\]exchange[\/\\]root\.asp/
+  tcp-state established,originator
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2090-8 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-IIS WEBDAV exploit attempt"
+  tcp-state established,originator
+  payload /.*HTTP\/1\.1\x0AContent-type\x3A text\/xml\x0AHOST\x3A.{1}.*Accept\x3A \*\/\*\x0ATranslate\x3A f\x0AContent-length\x3A5276\x0A\x0A/
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2091-8 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-IIS WEBDAV nessus safe scan attempt"
+  tcp-state established,originator
+  payload /.*SEARCH \/ HTTP\/1\.1\x0D\x0AHost\x3A.{0,251}\x0D\x0A\x0D\x0A/
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2117-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-IIS Battleaxe Forum login.asp access"
+  http /.*myaccount[\/\\]login\.asp/
+  tcp-state established,originator
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2129-9 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-IIS nsiislog.dll access"
+  http /.*[\/\\]nsiislog\.dll/
+  tcp-state established,originator
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2130-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-IIS IISProtect siteadmin.asp access"
+  http /.*[\/\\]iisprotect[\/\\]admin[\/\\]SiteAdmin\.asp/
+  tcp-state established,originator
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2157-2 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-IIS IISProtect globaladmin.asp access"
+  http /.*[\/\\]iisprotect[\/\\]admin[\/\\]GlobalAdmin\.asp/
+  tcp-state established,originator
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2131-2 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-IIS IISProtect access"
+  http /.*[\/\\]iisprotect[\/\\]admin[\/\\]/
+  tcp-state established,originator
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2132-2 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-IIS Synchrologic Email Accelerator userid list access attempt"
+  http /.*[\/\\]en[\/\\]admin[\/\\]aggregate\.asp/
+  tcp-state established,originator
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2133-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-IIS MS BizTalk server access"
+  http /.*[\/\\]biztalkhttpreceive\.dll/
+  tcp-state established,originator
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2134-2 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-IIS register.asp access"
+  http /.*[\/\\]register\.asp/
+  tcp-state established,originator
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2247-3 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-IIS UploadScript11.asp access"
+  http /.*[\/\\]UploadScript11\.asp/
+  tcp-state established,originator
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2248-3 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-IIS DirectoryListing.asp access"
+  http /.*[\/\\]DirectoryListing\.asp/
+  tcp-state established,originator
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2249-3 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-IIS /pcadmin/login.asp access"
+  http /.*[\/\\]pcadmin[\/\\]login\.asp/
+  tcp-state established,originator
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2321-1 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-IIS foxweb.exe access"
+  http /.*[\/\\]foxweb\.exe/
+  tcp-state established,originator
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2322-1 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-IIS foxweb.dll access"
+  http /.*[\/\\]foxweb\.dll/
+  tcp-state established,originator
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2324-2 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-IIS VP-ASP shopsearch.asp access"
+  http /.*[\/\\]shopsearch\.asp/
+  tcp-state established,originator
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2325-2 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-IIS VP-ASP ShopDisplayProducts.asp access"
+  http /.*[\/\\]ShopDisplayProducts\.asp/
+  tcp-state established,originator
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2326-3 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-IIS sgdynamo.exe access"
+  http /.*[\/\\]sgdynamo\.exe/
+  tcp-state established,originator
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2386-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-IIS NTLM ASN.1 vulnerability scan attempt"
+  tcp-state established,originator
+  payload /.*Authorization\x3A Negotiate YIQAAABiBoMAAAYrBgEFBQKgggBTMIFQoA4wDAYKKwYBBAGCNwICCqM/
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2571-1 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-IIS SmarterTools SmarterMail frmGetAttachment.aspx access"
+  http /.*[\/\\]frmGetAttachment\.aspx/
+  tcp-state established,originator
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2572-2 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-IIS SmarterTools SmarterMail login.aspx buffer overflow attempt"
+  http /.*[\/\\]login\.aspx/
+  tcp-state established,originator
+  # Not supported: isdataat: 980,relative
+  payload /.*[tT][xX][tT][uU][sS][eE][rR][nN][aA][mM][eE]=[^\x0A]{980}/
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2573-1 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-IIS SmarterTools SmarterMail frmCompose.asp access"
+  http /.*[\/\\]frmCompose\.aspx/
+  tcp-state established,originator
+  requires-signature http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1497-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC cross site scripting attempt"
+  tcp-state established,originator
+  payload /.*<[sS][cC][rR][iI][pP][tT]>/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1667-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC cross site scripting HTML Image tag set to javascript attempt"
+  tcp-state established,originator
+  payload /.*[iI][mM][gG] [sS][rR][cC]=[jJ][aA][vV][aA][sS][cC][rR][iI][pP][tT]/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1250-11 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC Cisco IOS HTTP configuration attempt"
+  http /.*[\/\\]level[\/\\]/
+  http /.*[\/\\]exec[\/\\]/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+  # would like to inspect contents of reply
+}
+
+signature s2b-1047-9 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC Netscape Enterprise DOS"
+  tcp-state established,originator
+  payload /REVLOG \/ /
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1048-9 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC Netscape Enterprise directory listing attempt"
+  tcp-state established,originator
+  payload /INDEX /
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1050-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC iPlanet GETPROPERTIES attempt"
+  tcp-state established,originator
+  payload /GETPROPERTIES/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1057-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC ftp attempt"
+  tcp-state established,originator
+  http /.*[fF][tT][pP]\.[eE][xX][eE]/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1058-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC xp_enumdsn attempt"
+  tcp-state established,originator
+  payload /.*[xX][pP]_[eE][nN][uU][mM][dD][sS][nN]/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1059-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC xp_filelist attempt"
+  tcp-state established,originator
+  payload /.*[xX][pP]_[fF][iI][lL][eE][lL][iI][sS][tT]/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1060-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC xp_availablemedia attempt"
+  tcp-state established,originator
+  payload /.*[xX][pP]_[aA][vV][aA][iI][lL][aA][bB][lL][eE][mM][eE][dD][iI][aA]/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1061-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC xp_cmdshell attempt"
+  tcp-state established,originator
+  payload /.*[xX][pP]_[cC][mM][dD][sS][hH][eE][lL][lL]/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1062-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC nc.exe attempt"
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+  http /.*[nN][cC]\.[eE][xX][eE]\x20.{5}/
+}
+
+signature s2b-1064-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC wsh attempt"
+  tcp-state established,originator
+  payload /.*[wW][sS][hH]\.[eE][xX][eE]/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1065-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC rcmd attempt"
+  tcp-state established,originator
+  payload /.*[rR][cC][mM][dD]\.[eE][xX][eE]/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1066-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC telnet attempt"
+  tcp-state established,originator
+  http /.*[tT][eE][lL][nN][eE][tT]\.[eE][xX][eE]/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1067-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC net attempt"
+  tcp-state established,originator
+  http /.*[^a-zA-Z0-9_.-][nN][eE][tT]\.[eE][xX][eE]/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1068-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC tftp attempt"
+  tcp-state established,originator
+  http /.*[tT][fF][tT][pP]\.[eE][xX][eE]/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1069-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC xp_regread attempt"
+  tcp-state established,originator
+  payload /.*[xX][pP]_[rR][eE][gG][rR][eE][aA][dD]/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1977-1 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC xp_regwrite attempt"
+  tcp-state established,originator
+  payload /.*[xX][pP]_[rR][eE][gG][wW][rR][iI][tT][eE]/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1978-1 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC xp_regdeletekey attempt"
+  tcp-state established,originator
+  payload /.*[xX][pP]_[rR][eE][gG][dD][eE][lL][eE][tT][eE][kK][eE][yY]/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1070-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC WebDAV search access"
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+  http /((^)|(\n+))[sS][eE][aA][rR][cC][hH]/
+  requires-signature http_iis_server
+}
+
+signature s2b-1071-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC .htpasswd access"
+  tcp-state established,originator
+  http /.*\/\.[hH][tT][pP][aA][sS][sS][wW][dD]/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1072-9 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC Lotus Domino directory traversal"
+  http /.*\.nsf[\/\\].*(\.\.\/){1,}.{2,}/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1077-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC queryhit.htm access"
+  http /.*[\/\\]samples[\/\\]search[\/\\]queryhit\.htm/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1079-11 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC WebDAV propfind access"
+  tcp-state established,originator
+  payload /.*<[aA]\x3A[pP][rR][oO][pP][fF][iI][nN][dD]/
+  payload /.*[xX][mM][lL][nN][sS]\x3A[aA]=\x22[dD][aA][vV]\x22>/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1080-13 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC unify eWave ServletExec upload"
+  http /.*[\/\\]servlet[\/\\]com\.unify\.servletexec\.UploadServlet/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1081-10 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC Netscape Servers suite DOS"
+  http /.*[\/\\]dsgw[\/\\]bin[\/\\]search\?context=/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1083-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC unify eWave ServletExec DOS"
+  http /.*[\/\\]servlet[\/\\]ServletExec/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1084-8 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC Allaire JRUN DOS attempt"
+  http /.*servlet[\/\\]\.\.\.\.\.\.\./
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1095-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC Talentsoft Web+ Source Code view access"
+  http /.*[\/\\]webplus\.exe\?script=test\.wml/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1096-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC Talentsoft Web+ internal IP Address access"
+  http /.*[\/\\]webplus\.exe\?about/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1098-8 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC SmartWin CyberOffice Shopping Cart access"
+  http /.*_private[\/\\]shopping_cart\.mdb/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1099-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC cybercop scan"
+  http /.*[\/\\]cybercop/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1100-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC L3retriever HTTP Probe"
+  tcp-state established,originator
+  payload /.*User-Agent\x3A Java1\.2\.1\x0D\x0A/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1101-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC Webtrends HTTP probe"
+  tcp-state established,originator
+  payload /.*User-Agent\x3A Webtrends Security Analyzer\x0D\x0A/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1102-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC Nessus 404 probe"
+  http /.*[\/\\]nessus_is_probing_you_/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1103-8 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC Netscape admin passwd"
+  http /.*[\/\\]admin-serv[\/\\]config[\/\\]admpw/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1105-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC BigBrother access"
+  http /.*[\/\\]bb-hostsvc\.sh\?HOSTSVC/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1612-8 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC ftp.pl attempt"
+  http /.*[\/\\]ftp\.pl\?dir=\.\.[\/\\]\.\./
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1107-10 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC ftp.pl access"
+  http /.*[\/\\]ftp\.pl/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1108-10 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC Tomcat server snoop access"
+  http /.*[\/\\]jsp[\/\\]snp[\/\\]/
+  http /.*\.snp/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1109-8 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC ROXEN directory list attempt"
+  http /.*[\/\\]%00/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1110-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC apache source.asp file access"
+  http /.*[\/\\]site[\/\\]eg[\/\\]source\.asp/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1111-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC Tomcat server exploit access"
+  http /.*[\/\\]contextAdmin[\/\\]contextAdmin\.html/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1115-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC ICQ webserver DOS"
+  http /.*\.html[\/\\]\.\.\.\.\.\./
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1116-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC Lotus DelDoc attempt"
+  http /.*\?DeleteDocument/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1117-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC Lotus EditDoc attempt"
+  http /.*\?EditDocument/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1118-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC ls%20-l"
+  tcp-state established,originator
+  payload /.*[lL][sS]%20-[lL]/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1119-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC mlog.phtml access"
+  http /.*[\/\\]mlog\.phtml/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1120-8 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC mylog.phtml access"
+  http /.*[\/\\]mylog\.phtml/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1122-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC /etc/passwd"
+  tcp-state established,originator
+  payload /.*\/[eE][tT][cC]\/[sS][hH][aA][dD][oO][wW].{1,}root:.*:.*:.*:.*:.*:.*:/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1123-9 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC ?PageServices access"
+  http /.*\?PageServices/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1125-8 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC webcart access"
+  http /.*[\/\\]webcart[\/\\]/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1126-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC AuthChangeUrl access"
+  http /.*_AuthChangeUrl\?/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1127-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC convert.bas access"
+  http /.*[\/\\]scripts[\/\\]convert\.bas/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1128-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC cpshost.dll access"
+  http /.*[\/\\]scripts[\/\\]cpshost\.dll/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1129-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC .htaccess access"
+  tcp-state established,originator
+  payload /.*\.[hH][tT][aA][cC][cC][eE][sS][sS]/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1130-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC .wwwacl access"
+  http /.*\.wwwacl/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1131-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC .wwwacl access"
+  http /.*\.www_acl/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1136-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC cd.."
+  tcp-state established,originator
+  payload /.*[cC][dD]\.\./
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1140-11 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC guestbook.pl access"
+  http /.*[\/\\]guestbook\.pl/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1142-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC /.... access"
+  tcp-state established,originator
+  payload /.*\/\.\.\.\./
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1143-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC ///cgi-bin access"
+  http /.*[\/\\][\/\\][\/\\]cgi-bin/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1144-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC /cgi-bin/// access"
+  http /.*[\/\\]cgi-bin[\/\\][\/\\][\/\\]/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1145-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC /~root access"
+  http /.*[\/\\]~root/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1662-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC /~ftp access"
+  http /.*[\/\\]~ftp/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1146-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC Ecommerce import.txt access"
+  http /.*[\/\\]config[\/\\]import\.txt/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1147-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC cat%20 access"
+  tcp-state established,originator
+  payload /.*[cC][aA][tT]%20/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1148-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC Ecommerce import.txt access"
+  http /.*[\/\\]orders[\/\\]import\.txt/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1150-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC Domino catalog.nsf access"
+  http /.*[\/\\]catalog\.nsf/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1151-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC Domino domcfg.nsf access"
+  http /.*[\/\\]domcfg\.nsf/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1152-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC Domino domlog.nsf access"
+  http /.*[\/\\]domlog\.nsf/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1153-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC Domino log.nsf access"
+  http /.*[\/\\]log\.nsf/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1154-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC Domino names.nsf access"
+  http /.*[\/\\]names\.nsf/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1575-4 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC Domino mab.nsf access"
+  http /.*[\/\\]mab\.nsf/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1576-4 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC Domino cersvr.nsf access"
+  http /.*[\/\\]cersvr\.nsf/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1577-4 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC Domino setup.nsf access"
+  http /.*[\/\\]setup\.nsf/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1579-4 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC Domino webadmin.nsf access"
+  http /.*[\/\\]webadmin\.nsf/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1580-4 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC Domino events4.nsf access"
+  http /.*[\/\\]events4\.nsf/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1581-4 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC Domino ntsync4.nsf access"
+  http /.*[\/\\]ntsync4\.nsf/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1582-4 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC Domino collect4.nsf access"
+  http /.*[\/\\]collect4\.nsf/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1583-4 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC Domino mailw46.nsf access"
+  http /.*[\/\\]mailw46\.nsf/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1584-4 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC Domino bookmark.nsf access"
+  http /.*[\/\\]bookmark\.nsf/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1585-4 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC Domino agentrunner.nsf access"
+  http /.*[\/\\]agentrunner\.nsf/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1586-4 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC Domino mail.box access"
+  http /.*[\/\\]mail\.box/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1155-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC Ecommerce checks.txt access"
+  http /.*[\/\\]orders[\/\\]checks\.txt/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1156-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC apache DOS attempt"
+  tcp-state established,originator
+  payload /.*\/\/\/\/\/\/\/\//
+  requires-signature ! http_iis_server
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1157-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC Netscape PublishingXpert access"
+  http /.*[\/\\]PSUser[\/\\]PSCOErrPage\.htm/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1158-10 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC windmail.exe access"
+  http /.*[\/\\]windmail\.exe/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1159-10 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC webplus access"
+  http /.*[\/\\]webplus\?script/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1160-11 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC Netscape dir index wp"
+  http /.*\?wp-/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1162-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC cart 32 AdminPwd access"
+  http /.*[\/\\]c32web\.exe[\/\\]ChangeAdminPassword/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1164-10 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC shopping cart access"
+  http /.*[\/\\]quikstore\.cfg/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1614-8 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC Novell Groupwise gwweb.exe attempt"
+  http /.*[\/\\]GWWEB\.EXE\?HELP=/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1165-9 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC Novell Groupwise gwweb.exe access"
+  tcp-state established,originator
+  payload /.*\/[gG][wW][wW][eE][bB]\.[eE][xX][eE]/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1166-8 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC ws_ftp.ini access"
+  http /.*[\/\\]ws_ftp\.ini/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1167-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC rpm_query access"
+  http /.*[\/\\]rpm_query/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1168-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC mall log order access"
+  http /.*[\/\\]mall_log_files[\/\\]order\.log/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1173-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC architext_query.pl access"
+  http /.*[\/\\]ews[\/\\]architext_query\.pl/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1175-10 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC wwwboard.pl access"
+  http /.*[\/\\]wwwboard\.pl/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1176-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC order.log access"
+  http /.*[\/\\]admin_files[\/\\]order\.log/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1177-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC Netscape Enterprise Server directory view"
+  http /.*\?wp-verify-link/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1180-12 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC get32.exe access"
+  http /.*[\/\\]get32\.exe/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1181-8 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC Annex Terminal DOS attempt"
+  http /.*[\/\\]ping\?query=/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1182-17 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC cgitest.exe attempt"
+  http /.*[\/\\]cgitest\.exe\x0D\x0Auser/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1587-12 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC cgitest.exe access"
+  http /.*[\/\\]cgitest\.exe/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1183-8 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC Netscape Enterprise Server directory view"
+  http /.*\?wp-cs-dump/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1184-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC Netscape Enterprise Server directory view"
+  http /.*\?wp-ver-info/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1186-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC Netscape Enterprise Server directory view"
+  http /.*\?wp-ver-diff/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1187-12 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC SalesLogix Eviewer web command attempt"
+  http /.*[\/\\]slxweb\.dll[\/\\]admin\?command=/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1588-8 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC SalesLogix Eviewer access"
+  http /.*[\/\\]slxweb\.dll/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1188-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC Netscape Enterprise Server directory view"
+  http /.*\?wp-start-ver/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1189-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC Netscape Enterprise Server directory view"
+  http /.*\?wp-stop-ver/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1190-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC Netscape Enterprise Server directory view"
+  http /.*\?wp-uncheckout/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1191-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC Netscape Enterprise Server directory view"
+  http /.*\?wp-html-rend/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1381-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC Trend Micro OfficeScan attempt"
+  http /.*[\/\\]officescan[\/\\]cgi[\/\\]jdkRqNotify\.exe\?/
+  http /.*domain=/
+  http /.*event=/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1192-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC Trend Micro OfficeScan access"
+  http /.*[\/\\]officescan[\/\\]cgi[\/\\]jdkRqNotify\.exe/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1193-10 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC oracle web arbitrary command execution attempt"
+  http /.*[\/\\]ows-bin[\/\\]/
+  http /.*\?&/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1880-4 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC oracle web application server access"
+  http /.*[\/\\]ows-bin[\/\\]/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1198-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC Netscape Enterprise Server directory view"
+  http /.*\?wp-usr-prop/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1202-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC search.vts access"
+  http /.*[\/\\]search\.vts/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1615-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC htgrep attempt"
+  http /.*[\/\\]htgrep/
+  tcp-state established,originator
+  payload /.*hdr=\//
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1207-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC htgrep access"
+  http /.*[\/\\]htgrep/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1209-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC .nsconfig access"
+  http /.*[\/\\]\.nsconfig/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1212-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC Admin_files access"
+  http /.*[\/\\]admin_files/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1213-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC backup access"
+  http /.*[\/\\]backup/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1216-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC filemail access"
+  http /.*[\/\\]filemail/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1217-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC plusmail access"
+  http /.*[\/\\]plusmail/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1218-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC adminlogin access"
+  http /.*[\/\\]adminlogin/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1220-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC ultraboard access"
+  http /.*[\/\\]ultraboard/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1589-4 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC musicat empower attempt"
+  http /.*[\/\\]empower\?DB=/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1221-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC musicat empower access"
+  http /.*[\/\\]empower\?DB=.{1,}/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1224-10 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC ROADS search.pl attempt"
+  http /.*[\/\\]ROADS[\/\\]cgi-bin[\/\\]search\.pl/
+  tcp-state established,originator
+  payload /.*[fF][oO][rR][mM]=/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1230-8 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC VirusWall FtpSave access"
+  http /.*[\/\\]FtpSave\.dll/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1234-8 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC VirusWall FtpSaveCSP access"
+  http /.*[\/\\]FtpSaveCSP\.dll/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1235-8 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC VirusWall FtpSaveCVP access"
+  http /.*[\/\\]FtpSaveCVP\.dll/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1054-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  # Not supported: pcre: /^\w+\s+[^\n\s\?]*\.jsp/smi
+  event "WEB-MISC weblogic/tomcat .jsp view source attempt"
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+  http /((^)|(\n+))[a-zA-Z0-9_]+[\x20\x09\x0b]+[^\n\x20\x09\x0b\?]*\.[jJ][sS][pP]/
+}
+
+signature s2b-1241-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC SWEditServlet directory traversal attempt"
+  http /.*[\/\\]SWEditServlet/
+  tcp-state established,originator
+  payload /.*template=\.\.\/\.\.\/\.\.\//
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1259-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC SWEditServlet access"
+  http /.*[\/\\]SWEditServlet/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1139-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC whisker HEAD/./"
+  tcp-state established,originator
+  payload /.*HEAD\/\.\//
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1258-10 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC HP OpenView Manager DOS"
+  http /.*[\/\\]OvCgi[\/\\]OpenView5\.exe\?Context=Snmp&Action=Snmp&Host=&Oid=/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1260-10 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC long basic authorization string"
+  tcp-state established,originator
+  payload /.*[aA][uU][tT][hH][oO][rR][iI][zZ][aA][tT][iI][oO][nN]\x3A [bB][aA][sS][iI][cC] [^\x0A]{512}/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1291-8 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC sml3com access"
+  http /.*[\/\\]graphics[\/\\]sml3com/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1001-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC carbo.dll access"
+  http /.*[\/\\]carbo\.dll/
+  tcp-state established,originator
+  payload /.*[iI][cC][aA][tT][cC][oO][mM][mM][aA][nN][dD]=/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1302-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC console.exe access"
+  http /.*[\/\\]cgi-bin[\/\\]console\.exe/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1303-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC cs.exe access"
+  http /.*[\/\\]cgi-bin[\/\\]cs\.exe/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1113-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC http directory traversal"
+  tcp-state established,originator
+  payload /.*\.\.\//
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1375-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC sadmind worm access"
+  tcp-state established,originator
+  payload /.{0,1}GET x HTTP\/1\.0/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1376-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC jrun directory browse attempt"
+  http /.*[\/\\]\?\.jsp/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1385-11 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC mod-plsql administration access"
+  http /.*[\/\\]admin_[\/\\]/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1391-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC Phorecast remote code execution attempt"
+  tcp-state established,originator
+  payload /.*includedir=/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1403-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC viewcode access"
+  http /.*[\/\\]viewcode/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1433-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC .history access"
+  http /.*[\/\\]\.history/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1434-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC .bash_history access"
+  http /.*[\/\\]\.bash_history/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1489-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC /~nobody access"
+  http /.*[\/\\]~nobody/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1492-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC RBS ISP /newuser  directory traversal attempt"
+  http /.*[\/\\]newuser\?Image=\.\.[\/\\]\.\./
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1493-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC RBS ISP /newuser access"
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+  http /.*\x3a8002.*[\/\\]newuser\x3f.*\x2e\x2e[\/\\]/
+}
+
+signature s2b-1663-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC *%0a.pl access"
+  http /.*[\/\\]\*\x0A\.pl/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1664-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC mkplog.exe access"
+  http /.*[\/\\]mkplog\.exe/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-509-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC PCCS mysql database admin tool access"
+  tcp-state established,originator
+  payload /.{0,5}[pP][cC][cC][sS][mM][yY][sS][qQ][lL][aA][dD][mM]\/[iI][nN][cC][sS]\/[dD][bB][cC][oO][nN][nN][eE][cC][tT]\.[iI][nN][cC]/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1769-3 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC .DS_Store access"
+  http /.*[\/\\]\.DS_Store/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1770-3 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC .FBCIndex access"
+  http /.*[\/\\]\.FBCIndex/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1500-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC ExAir access"
+  http /.*[\/\\]exair[\/\\]search[\/\\]/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1519-8 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC apache ?M=D directory list attempt"
+  http /.*[\/\\]\?M=D/
+  tcp-state established,originator
+  http /Content-language:.* /
+  requires-reverse-signature ! http_error
+  eval isApacheLt1322
+}
+
+signature s2b-1520-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC server-info access"
+  http /.*[\/\\]server-info/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1522-10 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC ans.pl attempt"
+  http /.*[\/\\]ans\.pl\?p=\.\.[\/\\]\.\.[\/\\]/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1523-10 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC ans.pl access"
+  http /.*[\/\\]ans\.pl/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1524-9 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC AxisStorpoint CD attempt"
+  http /.*[\/\\]cd[\/\\]\.\.[\/\\]config[\/\\]html[\/\\]cnf_gi\.htm/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1525-9 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC Axis Storpoint CD access"
+  http /.*[\/\\]config[\/\\]html[\/\\]cnf_gi\.htm/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1526-8 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC basilix sendmail.inc access"
+  http /.*[\/\\]inc[\/\\]sendmail\.inc/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1527-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC basilix mysql.class access"
+  http /.*[\/\\]class[\/\\]mysql\.class/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1528-8 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC BBoard access"
+  http /.*[\/\\]servlet[\/\\]sunexamples\.BBoardServlet/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1544-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC Cisco Catalyst command execution attempt"
+  http /.*[\/\\]exec[\/\\]show[\/\\]config[\/\\]cr/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1552-4 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC cvsweb version access"
+  http /.*[\/\\]cvsweb[\/\\]version/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1563-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC login.htm attempt"
+  http /.*[\/\\]login\.htm\?password=/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1603-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC DELETE attempt"
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+  http /.{0,7}[dD][eE][lL][eE][tT][eE] /
+}
+
+signature s2b-1670-4 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC /home/ftp access"
+  http /.*[\/\\]home[\/\\]ftp/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1738-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC global.inc access"
+  http /.*[\/\\]global\.inc/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1744-3 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC SecureSite authentication bypass attempt"
+  tcp-state established,originator
+  payload /.*[sS][eE][cC][uU][rR][eE]_[sS][iI][tT][eE], [oO][kK]/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1757-3 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC b2 arbitrary command execution attempt"
+  http /.*[\/\\]b2[\/\\]b2-include[\/\\]/
+  tcp-state established,originator
+  payload /.*b2inc/
+  payload /.*http\x3A\/\//
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1758-3 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC b2 access"
+  http /.*[\/\\]b2[\/\\]b2-include[\/\\]/
+  tcp-state established,originator
+  payload /.*b2inc/
+  payload /.*http\x3A\/\//
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1766-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC search.dll directory listing attempt"
+  http /.*[\/\\]search\.dll/
+  tcp-state established,originator
+  payload /.*query=%00/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1767-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC search.dll access"
+  http /.*[\/\\]search\.dll/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+  eval isNotIIS
+  eval isNotApache
+}
+
+signature s2b-1498-4 {
+  ip-proto == tcp
+  dst-port == 8181
+  event "WEB-MISC PIX firewall manager directory traversal attempt"
+  tcp-state established,originator
+  payload /.*\/\.\.\/\.\.\//
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1558-5 {
+  ip-proto == tcp
+  dst-port == 8080
+  event "WEB-MISC Delegate whois overflow attempt"
+  tcp-state established,originator
+  payload /.*[wW][hH][oO][iI][sS]\x3A\/\//
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1518-5 {
+  ip-proto == tcp
+  dst-port == 8000
+  event "WEB-MISC nstelemetry.adp access"
+  tcp-state established,originator
+  payload /.*\/nstelemetry\.adp/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1132-6 {
+  ip-proto == tcp
+  dst-port == 457
+  event "WEB-MISC Netscape Unixware overflow"
+  tcp-state established,originator
+  payload /.*\xEB_\x9A\xFF\xFF\xFF\xFF\x07\xFF\xC3\^1\xC0\x89F\x9D/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1199-11 {
+  ip-proto == tcp
+  dst-port == 2301
+  event "WEB-MISC Compaq Insight directory traversal"
+  tcp-state established,originator
+  payload /.*\.\.\//
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1231-8 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC VirusWall catinfo access"
+  http /.*[\/\\]catinfo/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1232-8 {
+  ip-proto == tcp
+  dst-port == 1812
+  event "WEB-MISC VirusWall catinfo access"
+  tcp-state established,originator
+  payload /.*\/[cC][aA][tT][iI][nN][fF][oO]/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1809-9 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC Apache Chunked-Encoding worm attempt"
+  tcp-state established,originator
+  payload /.*[cC][cC][cC][cC][cC][cC][cC]\x3A [aA][aA][aA][aA][aA][aA][aA][aA][aA][aA][aA][aA][aA][aA][aA][aA][aA][aA][aA]/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1807-9 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC Chunked-Encoding transfer attempt"
+  tcp-state established,originator
+  payload /.*[tT][rR][aA][nN][sS][fF][eE][rR]-[eE][nN][cC][oO][dD][iI][nN][gG]\x3A/
+  payload /.*[cC][hH][uU][nN][kK][eE][dD]/
+  requires-reverse-signature ! http_error
+  eval isApacheLt1322
+}
+
+signature s2b-1814-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC CISCO VoIP DOS ATTEMPT"
+  http /.*[\/\\]StreamingStatistics/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1820-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC IBM Net.Commerce orderdspc.d2w access"
+  http /.*[\/\\]ncommerce3[\/\\]ExecMacro[\/\\]orderdspc\.d2w/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1826-4 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC WEB-INF access"
+  http /.*[\/\\]WEB-INF \.\/.{1,}/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1827-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC Tomcat servlet mapping cross site scripting attempt"
+  http /.*[\/\\]servlet[\/\\]/
+  http /.*[\/\\]org\.apache\./
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1828-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC iPlanet Search directory traversal attempt"
+  http /.*[\/\\]search/
+  tcp-state established,originator
+  payload /.*NS-query-pat=/
+  payload /.*\.\.\/\.\.\//
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1829-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC Tomcat TroubleShooter servlet access"
+  http /.*[\/\\]examples[\/\\]servlet[\/\\]TroubleShooter/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1830-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC Tomcat SnoopServlet servlet access"
+  http /.*[\/\\]examples[\/\\]servlet[\/\\]SnoopServlet/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1831-3 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC jigsaw dos attempt"
+  http /.*[\/\\]servlet[\/\\]con/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+  eval isNotIIS
+  eval isNotApache
+}
+
+signature s2b-1835-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC Macromedia SiteSpring cross site scripting attempt"
+  http /.*[\/\\]error[\/\\]500error\.jsp/
+  http /.*et=/
+  http /.*<script/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1839-4 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC mailman cross site scripting attempt"
+  http /.*[\/\\]mailman[\/\\]/
+  http /.*\?/
+  http /.*info=/
+  http /.*<script/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1848-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC webcart-lite access"
+  http /.*[\/\\]webcart-lite[\/\\]/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1849-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC webfind.exe access"
+  http /.*[\/\\]webfind\.exe/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1851-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC active.log access"
+  http /.*[\/\\]active\.log/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1858-5 {
+  ip-proto == tcp
+  dst-port == 8181
+  event "WEB-MISC CISCO PIX Firewall Manager directory traversal attempt"
+  tcp-state established,originator
+  payload /.*\/pixfir~1\/how_to_login\.html/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1859-5 {
+  ip-proto == tcp
+  dst-port == 9090
+  event "WEB-MISC Sun JavaServer default password login attempt"
+  tcp-state established,originator
+  payload /.*\/servlet\/admin/
+  payload /.*ae9f86d6beaa3f9ecb9a5b7e072a4138/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1860-4 {
+  ip-proto == tcp
+  dst-port == 8080
+  event "WEB-MISC Linksys router default password login attempt"
+  tcp-state established,originator
+  payload /.*Authorization\x3A Basic OmFkbWlu/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1861-7 {
+  ip-proto == tcp
+  dst-port == 8080
+  event "WEB-MISC Linksys router default username and password login attempt"
+  tcp-state established,originator
+  payload /.*[aA][uU][tT][hH][oO][rR][iI][zZ][aA][tT][iI][oO][nN]\x3A /
+  payload /.* [bB][aA][sS][iI][cC] /
+  payload /.*YWRtaW46YWRtaW4/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2230-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC NetGear router default password login attempt admin/password"
+  tcp-state established,originator
+  payload /.*[aA][uU][tT][hH][oO][rR][iI][zZ][aA][tT][iI][oO][nN]\x3A /
+  payload /.* [bB][aA][sS][iI][cC] /
+  payload /.*YWRtaW46cGFzc3dvcmQ/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1871-4 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC Oracle XSQLConfig.xml access"
+  http /.*[\/\\]XSQLConfig\.xml/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1872-3 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC Oracle Dynamic Monitoring Services dms access"
+  http /.*[\/\\]dms0/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1873-4 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC globals.jsa access"
+  http /.*[\/\\]globals\.jsa/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1874-1 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC Oracle Java Process Manager access"
+  http /.*[\/\\]oprocmgr-status/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1881-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC bad HTTP/1.1 request, Potential worm attack"
+  tcp-state established,originator
+  payload /GET \/ HTTP\/1\.1\x0D\x0A\x0D\x0A/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1104-9 {
+  ip-proto == tcp
+  dst-port == http_ports
+  payload-size == 1
+  event "WEB-MISC whisker space splice attack"
+  tcp-state established,originator
+  payload / /
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1087-8 {
+  ip-proto == tcp
+  dst-port == http_ports
+  payload-size < 5
+  event "WEB-MISC whisker tab splice attack"
+  tcp-state established,originator
+  payload /.*\x09/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1808-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC apache chunked encoding memory corruption exploit attempt"
+  tcp-state established,originator
+  payload /.*\xC0PR\x89\xE1PQRP\xB8\x3B\x00\x00\x00\xCD\x80/
+  requires-signature ! http_msie_client
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1943-3 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC /Carello/add.exe access"
+  http /.*[\/\\]Carello[\/\\]add\.exe/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1944-1 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC /ecscripts/ecware.exe access"
+  http /.*[\/\\]ecscripts[\/\\]ecware\.exe/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1969-3 {
+  ip-proto == tcp
+  dst-port == http_ports
+  dst-ip == local_nets
+  event "WEB-MISC ion-p remote file access"
+  http /.*[\/\\]ion-p\?.*(c:\\|\.\.\/)/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1499-5 {
+  ip-proto == tcp
+  dst-port == 8888
+  event "WEB-MISC SiteScope Service access"
+  tcp-state established,originator
+  payload /.*\/SiteScope\/cgi\/go\.exe\/SiteScope/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1946-3 {
+  ip-proto == tcp
+  dst-port == 8888
+  event "WEB-MISC answerbook2 admin attempt"
+  tcp-state established,originator
+  payload /.*\/cgi-bin\/admin\/admin/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1947-4 {
+  ip-proto == tcp
+  dst-port == 8888
+  event "WEB-MISC answerbook2 arbitrary command execution attempt"
+  tcp-state established,originator
+  payload /.*\/ab2\/.{1}.*\x3B/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2056-4 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC TRACE attempt"
+  tcp-state established,originator
+  payload /TRACE/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2057-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC helpout.exe access"
+  http /.*[\/\\]helpout\.exe/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2058-1 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC MsmMask.exe attempt"
+  http /.*[\/\\]MsmMask\.exe/
+  tcp-state established,originator
+  payload /.*mask=/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2060-1 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC DB4Web access"
+  http /.*[\/\\]DB4Web[\/\\]/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2061-4 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC Tomcat null byte directory listing attempt"
+  http /.*\x00\.jsp/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2062-1 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC iPlanet .perf access"
+  http /.*[\/\\]\.perf/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2063-1 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC Demarc SQL injection attempt"
+  http /.*[\/\\]dm[\/\\]demarc/
+  tcp-state established,originator
+  payload /.*s_key=.*.*'.{1}.*'.*.*'/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2064-2 {
+  ip-proto == tcp
+  dst-port == http_ports
+  dst-ip == local_nets
+  event "WEB-MISC Lotus Notes .csp script source download attempt"
+  http /.*\.csp/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2066-2 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC Lotus Notes .pl script source download attempt"
+  http /.*\.pl/
+  tcp-state established,originator
+  payload /.*\.pl\./
+  requires-reverse-signature ! http_error
+  eval isNotApache
+  eval isNotIIS
+}
+
+signature s2b-2068-2 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC BitKeeper arbitrary command attempt"
+  http /.*[\/\\]diffs[\/\\]/
+  tcp-state established,originator
+  payload /.*'.*.*\x3B.{1}.*'/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2069-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC chip.ini access"
+  http /.*[\/\\]chip\.ini/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2070-2 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC post32.exe arbitrary command attempt"
+  http /.*[\/\\]post32\.exe\x7C/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2071-1 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC post32.exe access"
+  http /.*[\/\\]post32\.exe/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2072-3 {
+  ip-proto == tcp
+  dst-port == http_ports
+  dst-ip == local_nets
+  event "WEB-MISC lyris.pl admin access"
+  http /POST.*[\/\\]lyris\.pl/
+  payload /list_admin=[Tt]/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2073-3 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC globals.pl access"
+  http /.*[\/\\]globals\.pl/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2135-1 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC philboard.mdb access"
+  http /.*[\/\\]philboard\.mdb/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2136-2 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC philboard_admin.asp authentication bypass attempt"
+  http /.*[\/\\]philboard_admin\.asp/
+  tcp-state established,originator
+  payload /.*[cC][oO][oO][kK][iI][eE].*.*philboard_admin=True/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2137-2 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC philboard_admin.asp access"
+  http /.*[\/\\]philboard_admin\.asp/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2138-2 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC logicworks.ini access"
+  http /.*[\/\\]logicworks\.ini/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2139-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC /*.shtml access"
+  http /.*[\/\\]\*\.shtml/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2156-1 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC mod_gzip_status access"
+  http /.*[\/\\]mod_gzip_status/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2231-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC register.dll access"
+  http /.*[\/\\]register\.dll/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2232-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC ContentFilter.dll access"
+  http /.*[\/\\]ContentFilter\.dll/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2233-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC SFNofitication.dll access"
+  http /.*[\/\\]SFNofitication\.dll/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2234-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC TOP10.dll access"
+  http /.*[\/\\]TOP10\.dll/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2235-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC SpamExcp.dll access"
+  http /.*[\/\\]SpamExcp\.dll/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2236-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC spamrule.dll access"
+  http /.*[\/\\]spamrule\.dll/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2237-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC cgiWebupdate.exe access"
+  http /.*[\/\\]cgiWebupdate\.exe/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2238-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC WebLogic ConsoleHelp view source attempt"
+  http /.*[\/\\]ConsoleHelp[\/\\]/
+  http /.*\.jsp/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2239-3 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC redirect.exe access"
+  http /.*[\/\\]redirect\.exe/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2240-3 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC changepw.exe access"
+  http /.*[\/\\]changepw\.exe/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2241-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC cwmail.exe access"
+  http /.*[\/\\]cwmail\.exe/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2242-4 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC ddicgi.exe access"
+  http /.*[\/\\]ddicgi\.exe/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2243-4 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC ndcgi.exe access"
+  http /.*[\/\\]ndcgi\.exe/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2244-4 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC VsSetCookie.exe access"
+  http /.*[\/\\]VsSetCookie\.exe/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2245-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC Webnews.exe access"
+  http /.*[\/\\]Webnews\.exe/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2246-1 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC webadmin.dll access"
+  http /.*[\/\\]webadmin\.dll/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2276-1 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC oracle portal demo access"
+  http /.*[\/\\]pls[\/\\]portal[\/\\]PORTAL_DEMO/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2277-4 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC PeopleSoft PeopleBooks psdoccgi access"
+  http /.*[\/\\]psdoccgi/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2278-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  # Not supported: pcre: /^Content-Length\x3a\s+-\d+/smi
+  event "WEB-MISC negative Content-Length attempt"
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+  http /((^)|(\n+))[cC][oO][nN][tT][eE][nN][tT]-[lL][eE][nN][gG][tT][hH]\x3a[\x20\x09\x0b]+-[0-9]+\/+/
+}
+
+signature s2b-2327-2 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC bsml.pl access"
+  http /.*[\/\\]bsml\.pl/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2369-1 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC ISAPISkeleton.dll access"
+  http /.*[\/\\]ISAPISkeleton\.dll/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2370-2 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC BugPort config.conf file access"
+  http /.*[\/\\]config\.conf/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2371-2 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC Sample_showcode.html access"
+  http /.*[\/\\]Sample_showcode\.html/
+  tcp-state established,originator
+  payload /.*[fF][nN][aA][mM][eE]/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2381-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  # Not supported: pcre: /^[^\/]{14,}?\x3a\/\//U
+  event "WEB-MISC schema overflow attempt"
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+  http /^[^\/]{14,}?\x3a\/\//
+}
+
+signature s2b-2395-3 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC InteractiveQuery.jsp access"
+  http /.*[\/\\]InteractiveQuery\.jsp/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2400-1 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC edittag.pl access"
+  http /.*[\/\\]edittag\.pl/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2411-5 {
+  ip-proto == tcp
+  dst-port == 554
+  # Not supported: pcre: /^DESCRIBE\s[^\n]{300}/smi
+  event "WEB-MISC Real Server DESCRIBE buffer overflow attempt"
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+  http /((^)|(\n+))[dD][eE][sS][cC][rR][iI][bB][eE][\x20\x09\x0b][^\n]{300}/
+}
+
+signature s2b-2441-3 {
+  ip-proto == tcp
+  dst-port == http_ports
+  # Not supported: pcre: /^Cookie\x3a[^\n]*?login=0/smi
+  event "WEB-MISC NetObserve authentication bypass attempt"
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+  http /((^)|(\n+))[cC][oO][oO][kK][iI][eE]\x3a[^\n]*?[lL][oO][gG][iI][nN]=0/
+}
+
+signature s2b-2442-6 {
+  ip-proto == tcp
+  dst-port >= 8000
+  dst-port <= 8001
+  # Not supported: pcre: /^User-Agent\x3a[^\n]{244,255}/smi
+  event "WEB-MISC Quicktime User-Agent buffer overflow attempt"
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+  http /((^)|(\n+))[uU][sS][eE][rR]-[aA][gG][eE][nN][tT]\x3a[^\n]{244,255}/
+}
+
+signature s2b-2484-1 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC source.jsp access"
+  http /.*[\/\\]source\.jsp/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2447-4 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC ServletManager access"
+  http /.*[\/\\]servlet[\/\\]ServletManager/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2448-2 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC setinfo.hts access"
+  http /.*[\/\\]setinfo\.hts/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2505-7 {
+  ip-proto == tcp
+  dst-port == 443
+  event "WEB-MISC SSLv3 invalid data version attempt"
+  tcp-state established,originator
+  payload /\x16\x03/
+  payload /.{4}\x01/
+  payload /.{8}[^\x03]*/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2520-5 {
+  ip-proto == tcp
+  dst-port == 443
+  # Not supported: flowbits: isnotset,sslv3.client_hello.request,set,sslv3.client_hello.request,noalert
+  event "WEB-MISC SSLv3 Client_Hello request"
+  tcp-state established,originator
+  payload /\x16\x03/
+  payload /.{4}\x01/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2562-3 {
+  ip-proto == tcp
+  dst-port == 81
+  event "WEB-MISC McAfee ePO file upload attempt"
+  tcp-state established,originator
+  payload /.*\/[sS][pP][iI][pP][eE]\/[rR][eE][pP][lL]_[fF][iI][lL][eE]/
+  payload /.*[cC][oO][mM][mM][aA][nN][dD]=[bB][eE][gG][iI][nN]/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2570-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-MISC Invalid HTTP Version String"
+  tcp-state established,originator
+  # Not supported: isdataat: 6,relative
+  payload /.*HTTP\/[^\x0A]{5}/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1774-3 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-PHP bb_smilies.php access"
+  http /.*[\/\\]bb_smilies\.php/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1423-12 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-PHP content-disposition memchr overflow"
+  tcp-state established,originator
+  payload /.*[cC][oO][nN][tT][eE][nN][tT]-[dD][iI][sS][pP][oO][sS][iI][tT][iI][oO][nN]\x3A/
+  payload /.*name=\x22\xCC\xCC\xCC\xCC\xCC/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1736-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-PHP squirrel mail spell-check arbitrary command attempt"
+  http /.*[\/\\]squirrelspell[\/\\]modules[\/\\]check_me\.mod\.php/
+  tcp-state established,originator
+  payload /.*[sS][qQ][sS][pP][eE][lL][lL]_[aA][pP][pP]\[/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1737-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-PHP squirrel mail theme arbitrary command attempt"
+  http /.*[\/\\]left_main\.php/
+  tcp-state established,originator
+  payload /.*[cC][mM][dD][dD]=/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1739-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-PHP DNSTools administrator authentication bypass attempt"
+  http /.*[\/\\]dnstools\.php/
+  tcp-state established,originator
+  payload /.*[uU][sS][eE][rR]_[lL][oO][gG][gG][eE][dD]_[iI][nN]=[tT][rR][uU][eE]/
+  payload /.*[uU][sS][eE][rR]_[dD][nN][sS][tT][oO][oO][lL][sS]_[aA][dD][mM][iI][nN][iI][sS][tT][rR][aA][tT][oO][rR]=[tT][rR][uU][eE]/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1740-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-PHP DNSTools authentication bypass attempt"
+  http /.*[\/\\]dnstools\.php/
+  tcp-state established,originator
+  payload /.*[uU][sS][eE][rR]_[lL][oO][gG][gG][eE][dD]_[iI][nN]=[tT][rR][uU][eE]/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1741-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-PHP DNSTools access"
+  http /.*[\/\\]dnstools\.php/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1742-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-PHP Blahz-DNS dostuff.php modify user attempt"
+  http /.*[\/\\]dostuff\.php\?action=modify_user/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1743-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-PHP Blahz-DNS dostuff.php access"
+  http /.*[\/\\]dostuff\.php/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1745-3 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-PHP Messagerie supp_membre.php access"
+  http /.*[\/\\]supp_membre\.php/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1773-3 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-PHP php.exe access"
+  http /.*\/php\/php\.exe\?[cCdD]\:\//
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1815-4 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-PHP directory.php arbitrary command attempt"
+  http /.*[\/\\]directory\.php/
+  tcp-state established,originator
+  payload /.*dir=/
+  payload /.*\x3B/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1816-3 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-PHP directory.php access"
+  http /.*[\/\\]directory\.php[\;\|]{1,}/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1834-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-PHP PHP-Wiki cross site scripting attempt"
+  http /.*[\/\\]modules\.php\?/
+  http /.*name=Wiki/
+  http /.*<script/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1967-1 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-PHP phpbb quick-reply.php arbitrary command attempt"
+  http /.*[\/\\]quick-reply\.php/
+  tcp-state established,originator
+  payload /.{1}.*phpbb_root_path=/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1968-1 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-PHP phpbb quick-reply.php access"
+  http /.*[\/\\]quick-reply\.php/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1997-3 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-PHP read_body.php access attempt"
+  http /.*[\/\\]read_body\.php/
+  tcp-state established,originator
+  http /.*[fF][rR][oO][mM]\x3a.*\x3cscript\x3e.*document.cookie.*\x3c\x2fscript\x3e/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1999-4 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-PHP edit_image.php access"
+  http /.*[\/\\]edit_image\.php/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2000-1 {
+  ip-proto == tcp
+  dst-port == http_ports
+  dst-ip == local_nets
+  event "WEB-PHP readmsg.php access"
+  http /.*[\/\\]readmsg\.php/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+  # "Possible many false positives"
+  # "If running this webmail server check version to make sure it's not vulnerable and then disable this signature or adjust the notice action."
+}
+
+signature s2b-2002-4 {
+  ip-proto == tcp
+  dst-port == http_ports
+  # Not supported: pcre: /page=(http|https|ftp)/i
+  event "WEB-PHP remote include path"
+  tcp-state established,originator
+  payload /.*path=/
+  requires-reverse-signature ! http_error
+  http /.*\.php.*[pP][aA][tT][hH]\x3d(http|https|ftp)\x2fi/
+}
+
+signature s2b-1134-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-PHP Phorum admin access"
+  http /.*[\/\\]admin\.php3/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1161-9 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-PHP piranha passwd.php3 access"
+  http /.*[\/\\]passwd\.php3/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1178-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-PHP Phorum read access"
+  http /.*[\/\\]read\.php3/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1179-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-PHP Phorum violation access"
+  http /.*[\/\\]violation\.php3/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1197-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-PHP Phorum code access"
+  http /.*[\/\\]code\.php3/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1300-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-PHP admin.php file upload attempt"
+  http /.*[\/\\]admin\.php/
+  tcp-state established,originator
+  payload /.*[fF][iI][lL][eE]_[nN][aA][mM][eE]=/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1301-11 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-PHP admin.php access"
+  http /.*[\/\\]admin\.php/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1407-8 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-PHP smssend.php access"
+  http /.*[\/\\]smssend\.php/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1399-11 {
+  ip-proto == tcp
+  dst-port == http_ports
+  # Not supported: pcre: /file=(http|https|ftp)/i
+  event "WEB-PHP PHP-Nuke remote file include attempt"
+  http /.*[\/\\]index\.php.*[fF][iI][lL][eE]=([hH][tT][tT][pP][sS]?|[fF][tT][pP])/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1490-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-PHP Phorum /support/common.php attempt"
+  http /.*[\/\\]support[\/\\]common\.php/
+  tcp-state established,originator
+  payload /.*ForumLang=\.\.\//
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1491-6 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-PHP Phorum /support/common.php access"
+  http /.*[\/\\]support[\/\\]common\.php/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1137-9 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-PHP Phorum authentication access"
+  tcp-state established,originator
+  payload /.*[pP][hH][pP]_[aA][uU][tT][hH]_[uU][sS][eE][rR]=[bB][oO][oO][gG][iI][eE][mM][aA][nN]/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1085-8 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-PHP strings overflow"
+  tcp-state established,originator
+  payload /.*\xBAI\xFE\xFF\xFF\xF7\xD2\xB9\xBF\xFF\xFF\xFF\xF7\xD1/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1086-12 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-PHP strings overflow"
+  http /.*\?STRENGUR/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1254-8 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-PHP PHPLIB remote command attempt"
+  tcp-state established,originator
+  payload /.*_PHPLIB\[libdir\]/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-1255-8 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-PHP PHPLIB remote command attempt"
+  http /.*[\/\\]db_mysql\.inc/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2074-2 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-PHP Mambo uploadimage.php upload php file attempt"
+  http /.*[\/\\]uploadimage\.php/
+  tcp-state established,originator
+  payload /.*userfile_name=.{1}.*\.php/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2075-2 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-PHP Mambo upload.php upload php file attempt"
+  http /.*[\/\\]upload\.php/
+  tcp-state established,originator
+  payload /.*userfile_name=.{1}.*\.php/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2076-2 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-PHP Mambo uploadimage.php access"
+  http /.*[\/\\]uploadimage\.php/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2077-2 {
+  ip-proto == tcp
+  dst-ip == local_nets
+  dst-port == http_ports
+  event "WEB-PHP Mambo upload.php access"
+  http /.*[\/\\]upload\.php/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2078-2 {
+  ip-proto == tcp
+  dst-port == http_ports
+  dst-ip == local_nets
+  event "WEB-PHP phpBB privmsg.php access"
+  http /.*[\/\\]privmsg\.php.{1,}\?[Ff][Oo][Ll][Dd][Ee][Rr]=.{1,}[Mm][Oo][Dd][Ee]=.{1,}[Cc][Oo][Nn][Ff][Ii][Rr][Mm]=[Yy][Ee][Ss]/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2140-1 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-PHP p-news.php access"
+  http /.*[\/\\]p-news\.php/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2141-1 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-PHP shoutbox.php directory traversal attempt"
+  http /.*[\/\\]shoutbox\.php/
+  tcp-state established,originator
+  payload /.*conf=.*.*\.\.\//
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2143-3 {
+  ip-proto == tcp
+  dst-port == http_ports
+  # Not supported: pcre: /b2inc=(http|https|ftp)/i
+  event "WEB-PHP b2 cafelog gm-2-b2.php remote file include attempt"
+  http /.*[\/\\]gm-2-b2\.php/
+  tcp-state established,originator
+  payload /.*b2inc=/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2144-1 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-PHP b2 cafelog gm-2-b2.php access"
+  http /.*[\/\\]gm-2-b2\.php/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2145-3 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-PHP TextPortal admin.php default password admin attempt"
+  http /.*[\/\\]admin\.php/
+  tcp-state established,originator
+  payload /.*op=admin_enter/
+  payload /.*password=admin/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2146-3 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-PHP TextPortal admin.php default password 12345 attempt"
+  http /.*[\/\\]admin\.php/
+  tcp-state established,originator
+  payload /.*op=admin_enter/
+  payload /.*password=12345/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2147-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  # Not supported: pcre: /Server\x5bpath\x5d=(http|https|ftp)/
+  event "WEB-PHP BLNews objects.inc.php4 remote file include attempt"
+  http /.*[\/\\]objects\.inc\.php4/
+  tcp-state established,originator
+  payload /.*Server\[path\]=/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2148-4 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-PHP BLNews objects.inc.php4 access"
+  http /.*[\/\\]objects\.inc\.php4/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2149-1 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-PHP Turba status.php access"
+  http /.*[\/\\]turba[\/\\]status\.php/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2150-7 {
+  ip-proto == tcp
+  dst-port == http_ports
+  # Not supported: pcre: /admin_root=(http|https|ftp)/
+  event "WEB-PHP ttCMS header.php remote file include attempt"
+  http /.*[\/\\]admin[\/\\]templates[\/\\]header\.php/
+  tcp-state established,originator
+  payload /.*admin_root=/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2151-4 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-PHP ttCMS header.php access"
+  http /.*[\/\\]admin[\/\\]templates[\/\\]header\.php/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2153-1 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-PHP autohtml.php directory traversal attempt"
+  http /.*[\/\\]autohtml\.php/
+  tcp-state established,originator
+  payload /.*name=.*.*\.\.\/\.\.\//
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2154-1 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-PHP autohtml.php access"
+  http /.*[\/\\]autohtml\.php/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2155-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  # Not supported: pcre: /template=(http|https|ftp)/i
+  event "WEB-PHP ttforum remote file include attempt"
+  http /.*forum[\/\\]index\.php/
+  tcp-state established,originator
+  payload /.*template=/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2226-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  # Not supported: pcre: /pm_path=(http|https|ftp)/
+  event "WEB-PHP pmachine remote file include attempt"
+  http /.*lib\.inc\.php/
+  tcp-state established,originator
+  payload /.*pm_path=/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2227-2 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-PHP forum_details.php access"
+  http /.*forum_details\.php/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2228-4 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-PHP phpMyAdmin db_details_importdocsql.php access"
+  http /.*db_details_importdocsql\.php/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2229-4 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-PHP viewtopic.php access"
+  http /.*viewtopic\.php/
+  tcp-state established,originator
+  http /.*[sS][uU][bB][sS][Ss][tT][rR][iI][nN][gG]\x28[uU][sS][eE][rR][pP][aA][sS][sS][wW][oO][rR][dD]*./
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2279-2 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-PHP UpdateClasses.php access"
+  http /.*[\/\\]UpdateClasses\.php/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2280-2 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-PHP Title.php access"
+  http /.*[\/\\]Title\.php/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2281-2 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-PHP Setup.php access"
+  http /.*[\/\\]Setup\.php/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2282-2 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-PHP GlobalFunctions.php access"
+  http /.*[\/\\]GlobalFunctions\.php/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2283-2 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-PHP DatabaseFunctions.php access"
+  http /.*[\/\\]DatabaseFunctions\.php/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2284-3 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-PHP rolis guestbook remote file include attempt"
+  http /.*[\/\\]insert\.inc\.php/
+  tcp-state established,originator
+  payload /.*[pP][aA][tT][hH]=/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2285-2 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-PHP rolis guestbook access"
+  http /.*[\/\\]insert\.inc\.php/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2286-2 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-PHP friends.php access"
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+  http /.*[\/\\]friends\.php\x3fadmin\x3d[a-zA-Z0-9]{5,20}.* /
+}
+
+signature s2b-2287-4 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-PHP Advanced Poll admin_comment.php access"
+  http /.*[\/\\]admin_comment\.php/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2288-4 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-PHP Advanced Poll admin_edit.php access"
+  http /.*[\/\\]admin_edit\.php/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2289-4 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-PHP Advanced Poll admin_embed.php access"
+  http /.*[\/\\]admin_embed\.php/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2290-4 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-PHP Advanced Poll admin_help.php access"
+  http /.*[\/\\]admin_help\.php/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2291-4 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-PHP Advanced Poll admin_license.php access"
+  http /.*[\/\\]admin_license\.php/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2292-4 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-PHP Advanced Poll admin_logout.php access"
+  http /.*[\/\\]admin_logout\.php/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2293-4 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-PHP Advanced Poll admin_password.php access"
+  http /.*[\/\\]admin_password\.php/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2295-4 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-PHP Advanced Poll admin_settings.php access"
+  http /.*[\/\\]admin_settings\.php/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2296-4 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-PHP Advanced Poll admin_stats.php access"
+  http /.*[\/\\]admin_stats\.php/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2297-4 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-PHP Advanced Poll admin_templates_misc.php access"
+  http /.*[\/\\]admin_templates_misc\.php/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2298-4 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-PHP Advanced Poll admin_templates.php access"
+  http /.*[\/\\]admin_templates\.php/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2299-4 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-PHP Advanced Poll admin_tpl_misc_new.php access"
+  http /.*[\/\\]admin_tpl_misc_new\.php/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2300-4 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-PHP Advanced Poll admin_tpl_new.php access"
+  http /.*[\/\\]admin_tpl_new\.php/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2301-4 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-PHP Advanced Poll booth.php access"
+  http /.*[\/\\]booth\.php/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2302-4 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-PHP Advanced Poll poll_ssi.php access"
+  http /.*[\/\\]poll_ssi\.php/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2304-2 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-PHP files.inc.php access"
+  http /.*[\/\\]files\.inc\.php/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2305-2 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-PHP chatbox.php access"
+  http /.*[\/\\]chatbox\.php/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2306-4 {
+  ip-proto == tcp
+  dst-port == http_ports
+  # Not supported: pcre: /GALLERY_BASEDIR=(http|https|ftp)/i
+  event "WEB-PHP gallery remote file include attempt"
+  http /.*[\/\\]setup[\/\\]/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+  http /.*[gG][aA][lL][lL][eE][rR][yY]_[bB][aA][sS][eE][dD][iI][rR]=(http|https|ftp)/
+}
+
+signature s2b-2307-5 {
+  ip-proto == tcp
+  dst-port == http_ports
+  # Not supported: pcre: /page=(http|https|ftp)/i
+  event "WEB-PHP PayPal Storefront remote file include attemtp"
+  tcp-state established,originator
+  payload /.*do=ext/
+  requires-reverse-signature ! http_error
+  http /[pP][aA][gG][eE]=(http|https|ftp)/
+}
+
+signature s2b-2328-3 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-PHP authentication_index.php access"
+  http /.*[\/\\]authentication_index\.php/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2331-2 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-PHP MatrikzGB privilege escalation attempt"
+  tcp-state established,originator
+  payload /.*[nN][eE][wW]_[rR][iI][gG][hH][tT][sS]=[aA][dD][mM][iI][nN]/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2341-1 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-PHP DCP-Portal remote file include attempt"
+  http /.*[\/\\]library[\/\\]editor[\/\\]editor\.php/
+  tcp-state established,originator
+  payload /.*[rR][oO][oO][tT]=/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2342-1 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-PHP DCP-Portal remote file include attempt"
+  http /.*[\/\\]library[\/\\]lib\.php/
+  tcp-state established,originator
+  payload /.*[rR][oO][oO][tT]=/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2345-4 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-PHP PhpGedView search.php access"
+  http /.*[\/\\]search\.php/
+  http /.*action=soundex/
+  http /.*firstname=/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2346-2 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-PHP myPHPNuke chatheader.php access"
+  http /.*[\/\\]chatheader\.php/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2347-2 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-PHP myPHPNuke partner.php access"
+  http /.*[\/\\]partner\.php/
+  tcp-state established,originator
+  http /.*\x3d.*\x3cscript\x3e.*document.cookie.*\x3c\x2fscript\x3e/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2353-2 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-PHP IdeaBox cord.php file include"
+  http /.*[\/\\]index\.php/
+  tcp-state established,originator
+  payload /.*[iI][dD][eE][aA][dD][iI][rR]/
+  payload /.*[cC][oO][rR][dD]\.[pP][hH][pP]/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2354-2 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-PHP IdeaBox notification.php file include"
+  http /.*[\/\\]index\.php/
+  tcp-state established,originator
+  payload /.*[gG][oO][rR][uU][mM][dD][iI][rR]/
+  payload /.*[nN][oO][tT][iI][fF][iI][cC][aA][tT][iI][oO][nN]\.[pP][hH][pP]/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2355-2 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-PHP Invision Board emailer.php file include"
+  http /.*[\/\\]ad_member\.php/
+  tcp-state established,originator
+  payload /.*[eE][mM][aA][iI][lL][eE][rR]\.[pP][hH][pP]/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2356-2 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-PHP WebChat db_mysql.php file include"
+  http /.*[\/\\]defines\.php/
+  tcp-state established,originator
+  payload /.*[wW][eE][bB][cC][hH][aA][tT][pP][aA][tT][hH]/
+  payload /.*[dD][bB]_[mM][yY][sS][qQ][lL]\.[pP][hH][pP]/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2357-2 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-PHP WebChat english.php file include"
+  http /.*[\/\\]defines\.php/
+  tcp-state established,originator
+  payload /.*[wW][eE][bB][cC][hH][aA][tT][pP][aA][tT][hH]/
+  payload /.*[eE][nN][gG][lL][iI][sS][hH]\.[pP][hH][pP]/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2358-2 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-PHP Typo3 translations.php file include"
+  http /.*[\/\\]translations\.php/
+  tcp-state established,originator
+  payload /.*[oO][nN][lL][yY]/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2359-2 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-PHP Invision Board ipchat.php file include"
+  http /.*[\/\\]ipchat\.php/
+  tcp-state established,originator
+  payload /.*[rR][oO][oO][tT]_[pP][aA][tT][hH]/
+  payload /.*[cC][oO][nN][fF]_[gG][lL][oO][bB][aA][lL]\.[pP][hH][pP]/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2360-2 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-PHP myphpPagetool pt_config.inc file include"
+  http /.*[\/\\]doc[\/\\]admin/
+  tcp-state established,originator
+  payload /.*[pP][tT][iI][nN][cC][lL][uU][dD][eE]/
+  payload /.*[pP][tT]_[cC][oO][nN][fF][iI][gG]\.[iI][nN][cC]/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2362-2 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-PHP YaBB SE packages.php file include"
+  http /.*[\/\\]packages\.php/
+  tcp-state established,originator
+  payload /.*[pP][aA][cC][kK][eE][rR]\.[pP][hH][pP]/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2363-2 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-PHP Cyboards default_header.php access"
+  http /.*[\/\\]default_header\.php/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2364-2 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-PHP Cyboards options_form.php access"
+  http /.*[\/\\]options_form\.php/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2365-2 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-PHP newsPHP Language file include attempt"
+  http /.*[\/\\]nphpd\.php/
+  tcp-state established,originator
+  payload /.*[lL][aA][nN][gG][fF][iI][lL][eE]/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2366-4 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-PHP PhpGedView PGV authentication_index.php base directory manipulation attempt"
+  http /.*[\/\\]authentication_index\.php/
+  tcp-state established,originator
+  payload /.*[pP][gG][vV]_[bB][aA][sS][eE]_[dD][iI][rR][eE][cC][tT][oO][rR][yY]/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2367-4 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-PHP PhpGedView PGV functions.php base directory manipulation attempt"
+  http /.*[\/\\]functions\.php/
+  tcp-state established,originator
+  payload /.*[pP][gG][vV]_[bB][aA][sS][eE]_[dD][iI][rR][eE][cC][tT][oO][rR][yY]/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2368-4 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-PHP PhpGedView PGV config_gedcom.php base directory manipulation attempt"
+  http /.*[\/\\]config_gedcom\.php/
+  tcp-state established,originator
+  payload /.*[pP][gG][vV]_[bB][aA][sS][eE]_[dD][iI][rR][eE][cC][tT][oO][rR][yY]/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2398-1 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-PHP WAnewsletter newsletter.php file include attempt"
+  http /.*newsletter\.php/
+  tcp-state established,originator
+  payload /.*[wW][aA][rR][oO][oO][tT]/
+  payload /.*[sS][tT][aA][rR][tT]\.[pP][hH][pP]/
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2399-1 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-PHP WAnewsletter db_type.php access"
+  http /.*[\/\\]sql[\/\\]db_type\.php/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2405-1 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-PHP phptest.php access"
+  http /.*[\/\\]phptest\.php/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2410-2 {
+  ip-proto == tcp
+  dst-ip == local_nets
+  dst-port == http_ports
+  event "WEB-PHP IGeneric Free Shopping Cart page.php access"
+  http /.*[\/\\]page\.php\?.*script/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2565-1 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-PHP modules.php access"
+  http /.*[\/\\]modules\.php/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2566-1 {
+  ip-proto == tcp
+  dst-port == http_ports
+  event "WEB-PHP PHPBB viewforum.php access"
+  http /.*[\/\\]viewforum\.php/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+}
+
+signature s2b-2575-1 {
+  ip-proto == tcp
+  dst-port == http_ports
+  # Not supported: pcre: /systempath=(http|https|ftp)/i
+  event "WEB-PHP Opt-X header.php remote file include attempt"
+  http /.*[\/\\]header\.php/
+  tcp-state established,originator
+  requires-reverse-signature ! http_error
+  payload /.*[sS][yY][sS][tT][eE][mM][pP][aA][tT][hH]=([hH][tT]{2}[pP][sS]?)|([fF][tT][pP])/
+}
+
+signature s2b-1225-4 {
+  ip-proto == tcp
+  dst-port == 6000
+  event "X11 MIT Magic Cookie detected"
+  tcp-state established
+  payload /.*MIT-MAGIC-COOKIE-1/
+}
+
+signature s2b-1226-4 {
+  ip-proto == tcp
+  dst-port == 6000
+  event "X11 xopen"
+  tcp-state established
+  payload /.*l\x00\x0B\x00\x00\x00\x00\x00\x00\x00\x00\x00/
+}
+
diff --git a/scripts/s2b/pm/Config-General-2.26.tar.gz b/scripts/s2b/pm/Config-General-2.26.tar.gz
new file mode 100644
index 0000000000..7de1bbedd4
Binary files /dev/null and b/scripts/s2b/pm/Config-General-2.26.tar.gz differ
diff --git a/scripts/s2b/pm/Makefile.am b/scripts/s2b/pm/Makefile.am
new file mode 100644
index 0000000000..a8d875b7fa
--- /dev/null
+++ b/scripts/s2b/pm/Makefile.am
@@ -0,0 +1,4 @@
+## Process this file with automake to produce Makefile.in
+
+# include in the dist 
+EXTRA_DIST = Config-General-2.26.tar.gz
diff --git a/scripts/s2b/snort_rules2.2/Makefile.am b/scripts/s2b/snort_rules2.2/Makefile.am
new file mode 100644
index 0000000000..6328bf1ef8
--- /dev/null
+++ b/scripts/s2b/snort_rules2.2/Makefile.am
@@ -0,0 +1,15 @@
+## Process this file with automake to produce Makefile.in
+
+# include in the dist 
+EXTRA_DIST = attack-responses.rules backdoor.rules bad-traffic.rules \
+	cgi-bin.list chat.rules classification.config ddos.rules deleted.rules \
+	dns.rules dos.rules experimental.rules exploit.rules finger.rules \
+	ftp.rules gen-msg.map generators icmp-info.rules icmp.rules imap.rules \
+	info.rules local.rules misc.rules multimedia.rules mysql.rules \
+	netbios.rules nntp.rules oracle.rules other-ids.rules p2p.rules 
+	policy.rules pop2.rules pop3.rules porn.rules reference.config rpc.rules \
+	rservices.rules scan.rules shellcode.rules sid sid-msg.map smtp.rules \
+	snmp.rules snort.conf sql.rules telnet.rules tftp.rules threshold.conf \
+	unicode.map virus.rules web-attacks.rules web-cgi.rules web-client.rules \
+	web-coldfusion.rules web-frontpage.rules web-iis.rules web-misc.rules \
+	web-php.rules x11.rules
diff --git a/scripts/s2b/snort_rules2.2/attack-responses.rules b/scripts/s2b/snort_rules2.2/attack-responses.rules
new file mode 100644
index 0000000000..cf7e878d95
--- /dev/null
+++ b/scripts/s2b/snort_rules2.2/attack-responses.rules
@@ -0,0 +1,29 @@
+# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
+#    All rights reserved.
+# $Id: attack-responses.rules 91 2004-07-15 08:13:57Z rwinslow $
+# ----------------
+# ATTACK RESPONSES
+# ----------------
+# These signatures are those when they happen, its usually because a machine
+# has been compromised.  These should not false that often and almost always
+# mean a compromise.
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES directory listing"; flow:from_server,established; content:"Volume Serial Number"; classtype:bad-unknown; sid:1292; rev:8;)
+alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES command completed"; flow:from_server,established; content:"Command completed"; nocase; classtype:bad-unknown; sid:494; rev:7;)
+alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES command error"; flow:from_server,established; content:"Bad command or filename"; nocase; classtype:bad-unknown; sid:495; rev:7;)
+alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES file copied ok"; flow:from_server,established; content:"1 file|28|s|29| copied"; nocase; classtype:bad-unknown; sid:497; rev:8;)
+alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES Invalid URL"; flow:from_server,established; content:"Invalid URL"; nocase; reference:url,www.microsoft.com/technet/security/bulletin/MS00-063.mspx; classtype:attempted-recon; sid:1200; rev:10;)
+alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES index of /cgi-bin/ response"; flow:from_server,established; content:"Index of /cgi-bin/"; nocase; reference:nessus,10039; classtype:bad-unknown; sid:1666; rev:5;)
+alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES 403 Forbidden"; flow:from_server,established; content:"HTTP/1.1 403"; depth:12; classtype:attempted-recon; sid:1201; rev:7;)
+
+alert ip any any -> any any (msg:"ATTACK-RESPONSES id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:498; rev:6;)
+alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES id check returned userid"; content:"uid="; byte_test:5,<,65537,0,relative,string; content:" gid="; within:15; byte_test:5,<,65537,0,relative,string; classtype:bad-unknown; sid:1882; rev:10;)
+
+alert tcp $HOME_NET 8002 -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES oracle one hour install"; flow:from_server,established; content:"Oracle Applications One-Hour Install"; classtype:bad-unknown; sid:1464; rev:3;)
+alert tcp $HOME_NET 749 -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES successful kadmind buffer overflow attempt"; flow:established,from_server; content:"*GOBBLE*"; depth:8; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:successful-admin; sid:1900; rev:10;)
+alert tcp $HOME_NET 751 -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES successful kadmind buffer overflow attempt"; flow:established,from_server; content:"*GOBBLE*"; depth:8; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:successful-admin; sid:1901; rev:10;)
+alert tcp $HOME_NET 22 -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES successful gobbles ssh exploit GOBBLE"; flow:from_server,established; content:"*GOBBLE*"; reference:bugtraq,5093; reference:cve,2002-0390; reference:cve,2002-0639; classtype:successful-admin; sid:1810; rev:9;)
+alert tcp $HOME_NET 22 -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES successful gobbles ssh exploit uname"; flow:from_server,established; content:"uname"; reference:bugtraq,5093; reference:cve,2002-0390; reference:cve,2002-0639; classtype:misc-attack; sid:1811; rev:8;)
+alert tcp $HOME_NET 512 -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES rexec username too long response"; flow:from_server,established; content:"username too long"; depth:17; classtype:unsuccessful-user; sid:2104; rev:3;)
+alert tcp $HOME_NET !21:23 -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES Microsoft cmd.exe banner"; flow:from_server,established; content:"Microsoft Windows"; content:"|28|C|29| Copyright 1985-"; distance:0; content:"Microsoft Corp."; distance:0; reference:nessus,11633; classtype:successful-admin; sid:2123; rev:2;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES successful cross site scripting forced download attempt"; flow:to_server,established; content:"|0A|Referer|3A| res|3A|/C|3A|"; classtype:successful-user; sid:2412; rev:3;)
diff --git a/scripts/s2b/snort_rules2.2/backdoor.rules b/scripts/s2b/snort_rules2.2/backdoor.rules
new file mode 100644
index 0000000000..685e822a7a
--- /dev/null
+++ b/scripts/s2b/snort_rules2.2/backdoor.rules
@@ -0,0 +1,87 @@
+# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
+#    All rights reserved.
+# $Id: backdoor.rules 91 2004-07-15 08:13:57Z rwinslow $
+#---------------
+# BACKDOOR RULES
+#---------------
+#
+
+alert tcp $EXTERNAL_NET 27374 -> $HOME_NET any (msg:"BACKDOOR subseven 22"; flow:to_server,established; content:"|0D 0A|[RPL]002|0D 0A|"; reference:arachnids,485; reference:url,www.hackfix.org/subseven/; classtype:misc-activity; sid:103; rev:7;)
+alert tcp $HOME_NET 16959 -> $EXTERNAL_NET any (msg:"BACKDOOR subseven DEFCON8 2.1 access"; flow:from_server,established; content:"PWD"; classtype:trojan-activity; sid:107; rev:6;)
+
+
+alert tcp $HOME_NET 12345:12346 -> $EXTERNAL_NET any (msg:"BACKDOOR netbus active"; flow:from_server,established; content:"NetBus"; reference:arachnids,401; classtype:misc-activity; sid:109; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 12345:12346 (msg:"BACKDOOR netbus getinfo"; flow:to_server,established; content:"GetInfo|0D|"; reference:arachnids,403; classtype:misc-activity; sid:110; rev:4;)
+alert tcp $HOME_NET 20034 -> $EXTERNAL_NET any (msg:"BACKDOOR netbus active"; flow:to_server,established; content:"NetBus"; reference:arachnids,401; classtype:misc-activity; sid:115; rev:5;)
+
+# 3150, 4120
+alert udp $EXTERNAL_NET any -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Connection attempt"; content:"00"; depth:2; classtype:misc-activity; sid:1980; rev:1;)
+alert udp $HOME_NET 2140 -> $EXTERNAL_NET any (msg:"BACKDOOR DeepThroat 3.1 Server Response"; content:"Ahhhh My Mouth Is Open"; reference:arachnids,106; classtype:misc-activity; sid:195; rev:5;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 3150 (msg:"BACKDOOR DeepThroat 3.1 Connection attempt [3150]"; content:"00"; depth:2; classtype:misc-activity; sid:1981; rev:1;)
+alert udp $HOME_NET 3150 -> $EXTERNAL_NET any (msg:"BACKDOOR DeepThroat 3.1 Server Response [3150]"; content:"Ahhhh My Mouth Is Open"; reference:arachnids,106; classtype:misc-activity; sid:1982; rev:1;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 4120 (msg:"BACKDOOR DeepThroat 3.1 Connection attempt [4120]"; content:"00"; depth:2; classtype:misc-activity; sid:1983; rev:1;)
+alert udp $HOME_NET 4120 -> $EXTERNAL_NET any (msg:"BACKDOOR DeepThroat 3.1 Server Response [4120]"; content:"Ahhhh My Mouth Is Open"; reference:arachnids,106; classtype:misc-activity; sid:1984; rev:1;)
+
+
+alert tcp $HOME_NET 6789 -> $EXTERNAL_NET any (msg:"BACKDOOR Doly 2.0 access"; flow:established,from_server; content:"Wtzup Use"; depth:32; reference:arachnids,312; classtype:misc-activity; sid:119; rev:5;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1094 (msg:"BACKDOOR Doly 1.5 server response"; flow:from_server,established; content:"Connected."; classtype:trojan-activity; sid:1985; rev:1;)
+
+
+alert tcp $EXTERNAL_NET 1024: -> $HOME_NET 2589 (msg:"BACKDOOR - Dagger_1.4.0_client_connect"; flow:to_server,established; content:"|0B 00 00 00 07 00 00 00|Connect"; depth:16; reference:arachnids,483; reference:url,www.tlsecurity.net/backdoor/Dagger.1.4.html; classtype:misc-activity; sid:104; rev:7;)
+alert tcp $HOME_NET 2589 -> $EXTERNAL_NET 1024: (msg:"BACKDOOR - Dagger_1.4.0"; flow:from_server,established; content:"2|00 00 00 06 00 00 00|Drives|24 00|"; depth:16; reference:arachnids,484; reference:url,www.tlsecurity.net/backdoor/Dagger.1.4.html; classtype:misc-activity; sid:105; rev:7;)
+alert tcp $EXTERNAL_NET 80 -> $HOME_NET 1054 (msg:"BACKDOOR ACKcmdC trojan scan"; ack:101058054; flags:A,12; seq:101058054; flow:stateless; reference:arachnids,445; classtype:misc-activity; sid:106; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 7597 (msg:"BACKDOOR QAZ Worm Client Login access"; flow:to_server,established; content:"qazwsx.hsq"; reference:MCAFEE,98775; classtype:misc-activity; sid:108; rev:6;)
+
+
+alert tcp $HOME_NET 146 -> $EXTERNAL_NET 1024: (msg:"BACKDOOR Infector.1.x"; flow:established,from_server; content:"WHATISIT"; reference:arachnids,315; classtype:misc-activity; sid:117; rev:6;)
+alert tcp $HOME_NET 666 -> $EXTERNAL_NET 1024: (msg:"BACKDOOR SatansBackdoor.2.0.Beta"; flow:established,from_server; content:"Remote|3A| You are connected to me."; reference:arachnids,316; classtype:misc-activity; sid:118; rev:5;)
+alert tcp $HOME_NET 146 -> $EXTERNAL_NET 1000:1300 (msg:"BACKDOOR Infector 1.6 Server to Client"; flow:established,from_server; content:"WHATISIT"; classtype:misc-activity; sid:120; rev:5;)
+alert tcp $EXTERNAL_NET 1000:1300 -> $HOME_NET 146 (msg:"BACKDOOR Infector 1.6 Client to Server Connection Request"; flow:to_server,established; content:"FC "; classtype:misc-activity; sid:121; rev:5;)
+
+alert tcp $HOME_NET 31785 -> $EXTERNAL_NET any (msg:"BACKDOOR HackAttack 1.20 Connect"; flow:established,from_server; content:"host"; classtype:misc-activity; sid:141; rev:5;)
+
+alert tcp $EXTERNAL_NET !80 -> $HOME_NET 21554 (msg:"BACKDOOR GirlFriendaccess"; flow:to_server,established; content:"Girl"; reference:arachnids,98; classtype:misc-activity; sid:145; rev:5;)
+alert tcp $HOME_NET 30100 -> $EXTERNAL_NET any (msg:"BACKDOOR NetSphere access"; flow:established,from_server; content:"NetSphere"; reference:arachnids,76; classtype:misc-activity; sid:146; rev:5;)
+alert tcp $HOME_NET 6969 -> $EXTERNAL_NET any (msg:"BACKDOOR GateCrasher"; flow:established,from_server; content:"GateCrasher"; reference:arachnids,99; classtype:misc-activity; sid:147; rev:5;)
+alert tcp $HOME_NET 5401:5402 -> $EXTERNAL_NET any (msg:"BACKDOOR BackConstruction 2.1 Connection"; flow:established,from_server; content:"c|3A 5C|"; classtype:misc-activity; sid:152; rev:6;)
+alert tcp $HOME_NET 23476 -> $EXTERNAL_NET any (msg:"BACKDOOR DonaldDick 1.53 Traffic"; flow:from_server,established; content:"pINg"; classtype:misc-activity; sid:153; rev:5;)
+alert tcp $HOME_NET 30100:30102 -> $EXTERNAL_NET any (msg:"BACKDOOR NetSphere 1.31.337 access"; flow:from_server,established; content:"NetSphere"; reference:arachnids,76; classtype:misc-activity; sid:155; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 666 (msg:"BACKDOOR BackConstruction 2.1 Client FTP Open Request"; flow:to_server,established; content:"FTPON"; classtype:misc-activity; sid:157; rev:5;)
+alert tcp $HOME_NET 666 -> $EXTERNAL_NET any (msg:"BACKDOOR BackConstruction 2.1 Server FTP Open Reply"; flow:from_server,established; content:"FTP Port open"; classtype:misc-activity; sid:158; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 5032 (msg:"BACKDOOR NetMetro File List"; flow:to_server,established; content:"--"; reference:arachnids,79; classtype:misc-activity; sid:159; rev:6;)
+# alert tcp $EXTERNAL_NET 5031 -> $HOME_NET !53:80 (msg:"BACKDOOR NetMetro Incoming Traffic"; flags:A+; flow:stateless; reference:arachnids,79; classtype:misc-activity; sid:160; rev:5;)
+alert udp $EXTERNAL_NET 3344 -> $HOME_NET 3345 (msg:"BACKDOOR Matrix 2.0 Client connect"; content:"activate"; reference:arachnids,83; classtype:misc-activity; sid:161; rev:4;)
+alert udp $EXTERNAL_NET 3345 -> $HOME_NET 3344 (msg:"BACKDOOR Matrix 2.0 Server access"; content:"logged in"; reference:arachnids,83; classtype:misc-activity; sid:162; rev:4;)
+alert tcp $HOME_NET 5714 -> $EXTERNAL_NET any (msg:"BACKDOOR WinCrash 1.0 Server Active"; flags:SA,12; flow:stateless; content:"|B4 B4|"; reference:arachnids,36; classtype:misc-activity; sid:163; rev:8;)
+alert icmp 255.255.255.0/24 any -> $HOME_NET any (msg:"BACKDOOR SIGNATURE - Q ICMP"; dsize:>1; itype:0; reference:arachnids,202; classtype:misc-activity; sid:183; rev:4;)
+alert tcp 255.255.255.0/24 any -> $HOME_NET any (msg:"BACKDOOR Q access"; dsize:>1; flags:A+; flow:stateless; reference:arachnids,203; classtype:misc-activity; sid:184; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"BACKDOOR CDK"; flow:to_server,established; content:"ypi0ca"; depth:15; nocase; reference:arachnids,263; classtype:misc-activity; sid:185; rev:5;)
+
+
+alert tcp $HOME_NET 555 -> $EXTERNAL_NET any (msg:"BACKDOOR PhaseZero Server Active on Network"; flow:established,from_server; content:"phAse"; classtype:misc-activity; sid:208; rev:5;)
+alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR w00w00 attempt"; flow:to_server,established; content:"w00w00"; reference:arachnids,510; classtype:attempted-admin; sid:209; rev:4;)
+alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR attempt"; flow:to_server,established; content:"backdoor"; nocase; classtype:attempted-admin; sid:210; rev:3;)
+alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR MISC r00t attempt"; flow:to_server,established; content:"r00t"; classtype:attempted-admin; sid:211; rev:3;)
+alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR MISC rewt attempt"; flow:to_server,established; content:"rewt"; classtype:attempted-admin; sid:212; rev:3;)
+alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR MISC Linux rootkit attempt"; flow:to_server,established; content:"wh00t!"; classtype:attempted-admin; sid:213; rev:4;)
+alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR MISC Linux rootkit attempt lrkr0x"; flow:to_server,established; content:"lrkr0x"; classtype:attempted-admin; sid:214; rev:4;)
+alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR MISC Linux rootkit attempt"; flow:to_server,established; content:"d13hh["; nocase; classtype:attempted-admin; sid:215; rev:4;)
+alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR MISC Linux rootkit satori attempt"; flow:to_server,established; content:"satori"; reference:arachnids,516; classtype:attempted-admin; sid:216; rev:6;)
+alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR MISC sm4ck attempt"; flow:to_server,established; content:"hax0r"; classtype:attempted-admin; sid:217; rev:3;)
+alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR MISC Solaris 2.5 attempt"; flow:to_server,established; content:"friday"; classtype:attempted-user; sid:218; rev:4;)
+alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR HidePak backdoor attempt"; flow:to_server,established; content:"StoogR"; classtype:misc-activity; sid:219; rev:6;)
+alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR HideSource backdoor attempt"; flow:to_server,established; content:"wank"; classtype:misc-activity; sid:220; rev:6;)
+alert tcp $EXTERNAL_NET 31790 -> $HOME_NET 31789 (msg:"BACKDOOR hack-a-tack attempt"; flags:A+; flow:stateless; content:"A"; depth:1; reference:arachnids,314; classtype:attempted-recon; sid:614; rev:7;)
+alert ip any any -> 216.80.99.202 any (msg:"BACKDOOR fragroute trojan connection attempt"; reference:bugtraq,4898; classtype:trojan-activity; sid:1791; rev:2;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 35555 (msg:"BACKDOOR win-trin00 connection attempt"; content:"png []..Ks l44"; depth:14; reference:cve,2000-0138; reference:nessus,10307; classtype:attempted-admin; sid:1853; rev:6;)
+
+
+# NOTES: this string should be within the first 3 bytes of the connection
+alert tcp $EXTERNAL_NET any -> $HOME_NET 33270 (msg:"BACKDOOR trinity connection attempt"; flow:to_server,established; content:"!@|23|"; depth:3; reference:cve,2000-0138; reference:nessus,10501; classtype:attempted-admin; sid:1843; rev:6;)
+alert tcp any any -> 212.146.0.34 1963 (msg:"BACKDOOR TCPDUMP/PCAP trojan traffic"; flow:stateless; reference:url,hlug.fscker.com; classtype:trojan-activity; sid:1929; rev:5;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR SubSeven 2.1 Gold server connection response"; flow:from_server,established; content:"connected. time/date|3A| "; depth:22; content:"version|3A| GOLD 2.1"; distance:1; classtype:misc-activity; sid:2100; rev:2;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 34012 (msg:"BACKDOOR Remote PC Access connection attempt"; flow:to_server,established; content:"|28 00 01 00 04 00 00 00 00 00 00 00|"; depth:12; reference:nessus,11673; classtype:trojan-activity; sid:2124; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR typot trojan traffic"; flags:S,12; window:55808; flow:stateless; classtype:trojan-activity; sid:2182; rev:6;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR FsSniffer connection attempt"; flow:to_server,established; content:"RemoteNC Control Password|3A|"; reference:nessus,11854; classtype:trojan-activity; sid:2271; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 3127:3199 (msg:"BACKDOOR DoomJuice file upload attempt"; flow:to_server,established; content:"|85 13|<|9E A2|"; depth:5; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.hllw.doomjuice.html; classtype:trojan-activity; sid:2375; rev:3;)
diff --git a/scripts/s2b/snort_rules2.2/bad-traffic.rules b/scripts/s2b/snort_rules2.2/bad-traffic.rules
new file mode 100644
index 0000000000..e093bb5971
--- /dev/null
+++ b/scripts/s2b/snort_rules2.2/bad-traffic.rules
@@ -0,0 +1,26 @@
+# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
+#    All rights reserved.
+# $Id: bad-traffic.rules 91 2004-07-15 08:13:57Z rwinslow $
+#------------------
+# BAD TRAFFIC RULES
+#------------------
+# These signatures are representitive of traffic that should never be seen on
+# any network.  None of these signatures include datagram content checking
+# and are extremely quick signatures
+#
+
+alert tcp $EXTERNAL_NET any <> $HOME_NET 0 (msg:"BAD-TRAFFIC tcp port 0 traffic"; flow:stateless; classtype:misc-activity; sid:524; rev:8;)
+alert udp $EXTERNAL_NET any <> $HOME_NET 0 (msg:"BAD-TRAFFIC udp port 0 traffic"; reference:bugtraq,576; reference:cve,1999-0675; reference:nessus,10074; classtype:misc-activity; sid:525; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD-TRAFFIC data in TCP SYN packet"; dsize:>6; flags:S,12; flow:stateless; reference:url,www.cert.org/incident_notes/IN-99-07.html; classtype:misc-activity; sid:526; rev:9;)
+alert ip any any <> 127.0.0.0/8 any (msg:"BAD-TRAFFIC loopback traffic"; reference:url,rr.sans.org/firewall/egress.php; classtype:bad-unknown; sid:528; rev:5;)
+alert ip any any -> any any (msg:"BAD-TRAFFIC same SRC/DST"; sameip; reference:bugtraq,2666; reference:cve,1999-0016; reference:url,www.cert.org/advisories/CA-1997-28.html; classtype:bad-unknown; sid:527; rev:8;)
+alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD-TRAFFIC ip reserved bit set"; fragbits:R; classtype:misc-activity; sid:523; rev:5;)
+alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD-TRAFFIC 0 ttl"; ttl:0; reference:url,support.microsoft.com/default.aspx?scid=kb\;EN-US\;q138268; reference:url,www.isi.edu/in-notes/rfc1122.txt; classtype:misc-activity; sid:1321; rev:8;)
+# linux happens.  Blah
+# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD-TRAFFIC bad frag bits"; fragbits:MD; classtype:misc-activity; sid:1322; rev:7;)
+alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD-TRAFFIC Unassigned/Reserved IP protocol"; ip_proto:>134; reference:url,www.iana.org/assignments/protocol-numbers; classtype:non-standard-protocol; sid:1627; rev:3;)
+alert tcp any any -> [232.0.0.0/8,233.0.0.0/8,239.0.0.0/8] any (msg:"BAD-TRAFFIC syn to multicast address"; flags:S+; flow:stateless; classtype:bad-unknown; sid:1431; rev:8;)
+alert ip any any -> any any (msg:"BAD-TRAFFIC IP Proto 53 SWIPE"; ip_proto:53; reference:bugtraq,8211; reference:cve,2003-0567; classtype:non-standard-protocol; sid:2186; rev:3;)
+alert ip any any -> any any (msg:"BAD-TRAFFIC IP Proto 55 IP Mobility"; ip_proto:55; reference:bugtraq,8211; reference:cve,2003-0567; classtype:non-standard-protocol; sid:2187; rev:3;)
+alert ip any any -> any any (msg:"BAD-TRAFFIC IP Proto 77 Sun ND"; ip_proto:77; reference:bugtraq,8211; reference:cve,2003-0567; classtype:non-standard-protocol; sid:2188; rev:3;)
+alert ip any any -> any any (msg:"BAD-TRAFFIC IP Proto 103 PIM"; ip_proto:103; reference:bugtraq,8211; reference:cve,2003-0567; classtype:non-standard-protocol; sid:2189; rev:3;)
diff --git a/scripts/s2b/snort_rules2.2/cgi-bin.list b/scripts/s2b/snort_rules2.2/cgi-bin.list
new file mode 100644
index 0000000000..02da630654
--- /dev/null
+++ b/scripts/s2b/snort_rules2.2/cgi-bin.list
@@ -0,0 +1,16 @@
+# (C) Copyright 2001,2002 Brian Caswell, et al.  All rights reserved.
+# $Id: cgi-bin.list 91 2004-07-15 08:13:57Z rwinslow $
+#--------------
+# cgi-bin list
+#--------------
+# if content-list actually worked, this would be our content-list for 
+# the different CGI bin directories we would check for.
+
+"/cgi-bin/"
+"/cgi/"
+"/cgi-local/"
+"/perl/"
+"/mod_perl/"
+"/scripts/"
+"/comps/"
+"/cgi-bin-sdb/"
diff --git a/scripts/s2b/snort_rules2.2/chat.rules b/scripts/s2b/snort_rules2.2/chat.rules
new file mode 100644
index 0000000000..e3788cc4e5
--- /dev/null
+++ b/scripts/s2b/snort_rules2.2/chat.rules
@@ -0,0 +1,48 @@
+# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
+#    All rights reserved.
+# $Id: chat.rules 91 2004-07-15 08:13:57Z rwinslow $
+#-------------
+# CHAT RULES
+#-------------
+# These signatures look for people using various types of chat programs (for
+# example: AIM, ICQ, and IRC) which may be against corporate policy
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"CHAT ICQ access"; flow:to_server,established; content:"User-Agent|3A|ICQ"; classtype:policy-violation; sid:541; rev:9;)
+alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"CHAT ICQ forced user addition"; flow:established,to_client; content:"Content-Type|3A| application/x-icq"; nocase; content:"[ICQ User]"; reference:bugtraq,3226; reference:cve,2001-1305; classtype:policy-violation; sid:1832; rev:7;)
+
+alert tcp $HOME_NET any <> $EXTERNAL_NET 1863 (msg:"CHAT MSN message"; flow:established; content:"MSG "; depth:4; content:"Content-Type|3A|"; nocase; content:"text/plain"; distance:1; classtype:policy-violation; sid:540; rev:11;)
+alert tcp $HOME_NET any <> $EXTERNAL_NET 1863 (msg:"CHAT MSN file transfer request"; flow:established; content:"MSG "; depth:4; content:"Content-Type|3A|"; distance:0; nocase; content:"text/x-msmsgsinvite"; distance:0; nocase; content:"Application-Name|3A|"; content:"File Transfer"; distance:0; nocase; classtype:policy-violation; sid:1986; rev:4;)
+alert tcp $HOME_NET any <> $EXTERNAL_NET 1863 (msg:"CHAT MSN file transfer accept"; flow:established; content:"MSG "; depth:4; content:"Content-Type|3A|"; nocase; content:"text/x-msmsgsinvite"; distance:0; content:"Invitation-Command|3A|"; content:"ACCEPT"; distance:1; classtype:policy-violation; sid:1988; rev:3;)
+alert tcp $HOME_NET any <> $EXTERNAL_NET 1863 (msg:"CHAT MSN file transfer reject"; flow:established; content:"MSG "; depth:4; content:"Content-Type|3A|"; nocase; content:"text/x-msmsgsinvite"; distance:0; content:"Invitation-Command|3A|"; content:"CANCEL"; distance:0; content:"Cancel-Code|3A|"; nocase; content:"REJECT"; distance:0; nocase; classtype:policy-violation; sid:1989; rev:4;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"CHAT MSN user search"; flow:to_server,established; content:"CAL "; depth:4; nocase; classtype:policy-violation; sid:1990; rev:1;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"CHAT MSN login attempt"; flow:to_server,established; content:"USR "; depth:4; nocase; content:" TWN "; distance:1; nocase; classtype:policy-violation; sid:1991; rev:1;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"CHAT IRC nick change"; flow:to_server,established; content:"NICK "; offset:0; classtype:policy-violation; sid:542; rev:10;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"CHAT IRC DCC file transfer request"; flow:to_server,established; content:"PRIVMSG "; offset:0; nocase; content:" |3A|.DCC SEND"; nocase; classtype:policy-violation; sid:1639; rev:6;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"CHAT IRC DCC chat request"; flow:to_server,established; content:"PRIVMSG "; offset:0; nocase; content:" |3A|.DCC CHAT chat"; nocase; classtype:policy-violation; sid:1640; rev:6;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"CHAT IRC channel join"; flow:to_server,established; content:"JOIN |3A| |23|"; offset:0; nocase; classtype:policy-violation; sid:1729; rev:5;)
+alert tcp $HOME_NET any <> $EXTERNAL_NET 6666:7000 (msg:"CHAT IRC message"; flow:established; content:"PRIVMSG "; nocase; classtype:policy-violation; sid:1463; rev:6;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"CHAT IRC dns request"; flow:to_server,established; content:"USERHOST "; offset:0; nocase; classtype:policy-violation; sid:1789; rev:3;)
+alert tcp $EXTERNAL_NET 6666:7000 -> $HOME_NET any (msg:"CHAT IRC dns response"; flow:to_client,established; content:"|3A|"; offset:0; content:" 302 "; content:"=+"; classtype:policy-violation; sid:1790; rev:4;)
+
+alert tcp $HOME_NET any -> $AIM_SERVERS any (msg:"CHAT AIM login"; flow:to_server,established; content:"*|01|"; depth:2; classtype:policy-violation; sid:1631; rev:6;)
+alert tcp $HOME_NET any -> $AIM_SERVERS any (msg:"CHAT AIM send message"; flow:to_server,established; content:"*|02|"; depth:2; content:"|00 04 00 06|"; depth:4; offset:6; classtype:policy-violation; sid:1632; rev:6;)
+alert tcp $AIM_SERVERS any -> $HOME_NET any (msg:"CHAT AIM receive message"; flow:to_client; content:"*|02|"; depth:2; content:"|00 04 00 07|"; depth:4; offset:6; classtype:policy-violation; sid:1633; rev:6;)
+
+
+
+alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"CHAT Yahoo IM successful logon"; flow:from_server,established; content:"YMSG"; depth:4; nocase; content:"|00 01|"; depth:2; offset:10; classtype:policy-violation; sid:2450; rev:3;)
+alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"CHAT Yahoo IM voicechat"; flow:from_server,established; content:"YMSG"; depth:4; nocase; content:"|00|J"; depth:2; offset:10; classtype:policy-violation; sid:2451; rev:3;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 5050 (msg:"CHAT Yahoo IM ping"; flow:to_server,established; content:"YMSG"; depth:4; nocase; content:"|00 12|"; depth:2; offset:10; classtype:policy-violation; sid:2452; rev:4;)
+
+alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"CHAT Yahoo IM conference invitation"; flow:from_server,established; content:"YMSG"; depth:4; nocase; content:"|00 18|"; depth:2; offset:10; classtype:policy-violation; sid:2453; rev:3;)
+alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"CHAT Yahoo IM conference logon success"; flow:from_server,established; content:"YMSG"; depth:4; nocase; content:"|00 19|"; depth:2; offset:10; classtype:policy-violation; sid:2454; rev:3;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 5050 (msg:"CHAT Yahoo IM conference message"; flow:to_server,established; content:"YMSG"; depth:4; nocase; content:"|00 1D|"; depth:2; offset:10; classtype:policy-violation; sid:2455; rev:3;)
+
+alert tcp any any -> any 5050 (msg:"CHAT Yahoo IM file transfer request"; flow:established; content:"YMSG"; depth:4; nocase; content:"|00|M"; depth:2; offset:10; classtype:policy-violation; sid:2456; rev:3;)
+alert tcp any any <> any 5101 (msg:"CHAT Yahoo IM message"; flow:established; content:"YMSG"; depth:4; nocase; classtype:policy-violation; sid:2457; rev:2;)
+
+alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"CHAT Yahoo IM successful chat join"; flow:from_server,established; content:"YMSG"; depth:4; nocase; content:"|00 98|"; depth:2; offset:10; classtype:policy-violation; sid:2458; rev:3;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 5050 (msg:"CHAT Yahoo IM webcam offer invitation"; flow:to_server,established; content:"YMSG"; depth:4; nocase; content:"|00|P"; depth:2; offset:10; classtype:policy-violation; sid:2459; rev:3;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 5100 (msg:"CHAT Yahoo IM webcam request"; flow:to_server,established; content:"<R"; depth:2; pcre:"/^\x3c(REQIMG|RVWCFG)\x3e/ism"; classtype:policy-violation; sid:2460; rev:3;)
+alert tcp $EXTERNAL_NET 5100 -> $HOME_NET any (msg:"CHAT Yahoo IM webcam watch"; flow:from_server,established; content:"|0D 00 05 00|"; depth:4; classtype:policy-violation; sid:2461; rev:3;)
diff --git a/scripts/s2b/snort_rules2.2/classification.config b/scripts/s2b/snort_rules2.2/classification.config
new file mode 100644
index 0000000000..be64a0f561
--- /dev/null
+++ b/scripts/s2b/snort_rules2.2/classification.config
@@ -0,0 +1,66 @@
+# $Id: classification.config 91 2004-07-15 08:13:57Z rwinslow $
+# The following includes information for prioritizing rules
+# 
+# Each classification includes a shortname, a description, and a default
+# priority for that classification.
+#
+# This allows alerts to be classified and prioritized.  You can specify
+# what priority each classification has.  Any rule can override the default
+# priority for that rule.
+#
+# Here are a few example rules:
+# 
+#   alert TCP any any -> any 80 (msg: "EXPLOIT ntpdx overflow"; 
+#	dsize: > 128; classtype:attempted-admin; priority:10;
+#
+#   alert TCP any any -> any 25 (msg:"SMTP expn root"; flags:A+; \
+#	      content:"expn root"; nocase; classtype:attempted-recon;)
+#
+# The first rule will set its type to "attempted-admin" and override 
+# the default priority for that type to 10.
+#
+# The second rule set its type to "attempted-recon" and set its
+# priority to the default for that type.
+# 
+
+#
+# config classification:shortname,short description,priority
+#
+
+config classification: not-suspicious,Not Suspicious Traffic,3
+config classification: unknown,Unknown Traffic,3
+config classification: bad-unknown,Potentially Bad Traffic, 2
+config classification: attempted-recon,Attempted Information Leak,2
+config classification: successful-recon-limited,Information Leak,2
+config classification: successful-recon-largescale,Large Scale Information Leak,2
+config classification: attempted-dos,Attempted Denial of Service,2
+config classification: successful-dos,Denial of Service,2
+config classification: attempted-user,Attempted User Privilege Gain,1
+config classification: unsuccessful-user,Unsuccessful User Privilege Gain,1
+config classification: successful-user,Successful User Privilege Gain,1
+config classification: attempted-admin,Attempted Administrator Privilege Gain,1
+config classification: successful-admin,Successful Administrator Privilege Gain,1
+
+
+# NEW CLASSIFICATIONS
+config classification: rpc-portmap-decode,Decode of an RPC Query,2
+config classification: shellcode-detect,Executable code was detected,1
+config classification: string-detect,A suspicious string was detected,3
+config classification: suspicious-filename-detect,A suspicious filename was detected,2
+config classification: suspicious-login,An attempted login using a suspicious username was detected,2
+config classification: system-call-detect,A system call was detected,2
+config classification: tcp-connection,A TCP connection was detected,4
+config classification: trojan-activity,A Network Trojan was detected, 1
+config classification: unusual-client-port-connection,A client was using an unusual port,2
+config classification: network-scan,Detection of a Network Scan,3
+config classification: denial-of-service,Detection of a Denial of Service Attack,2
+config classification: non-standard-protocol,Detection of a non-standard protocol or event,2
+config classification: protocol-command-decode,Generic Protocol Command Decode,3
+config classification: web-application-activity,access to a potentially vulnerable web application,2
+config classification: web-application-attack,Web Application Attack,1
+config classification: misc-activity,Misc activity,3
+config classification: misc-attack,Misc Attack,2
+config classification: icmp-event,Generic ICMP event,3
+config classification: kickass-porn,SCORE! Get the lotion!,1
+config classification: policy-violation,Potential Corporate Privacy Violation,1
+config classification: default-login-attempt,Attempt to login by a default username and password,2
diff --git a/scripts/s2b/snort_rules2.2/ddos.rules b/scripts/s2b/snort_rules2.2/ddos.rules
new file mode 100644
index 0000000000..b32b28328e
--- /dev/null
+++ b/scripts/s2b/snort_rules2.2/ddos.rules
@@ -0,0 +1,51 @@
+# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
+#    All rights reserved.
+# $Id: ddos.rules 91 2004-07-15 08:13:57Z rwinslow $
+#-----------
+# DDOS RULES
+#-----------
+
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DDOS TFN Probe"; id:678; itype:8; content:"1234"; reference:arachnids,443; classtype:attempted-recon; sid:221; rev:3;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DDOS tfn2k icmp possible communication"; icmp_id:0; itype:0; content:"AAAAAAAAAA"; reference:arachnids,425; classtype:attempted-dos; sid:222; rev:2;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 31335 (msg:"DDOS Trin00 Daemon to Master PONG message detected"; content:"PONG"; reference:arachnids,187; classtype:attempted-recon; sid:223; rev:3;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DDOS TFN client command BE"; icmp_id:456; icmp_seq:0; itype:0; reference:arachnids,184; classtype:attempted-dos; sid:228; rev:3;)
+
+
+alert tcp $HOME_NET 20432 -> $EXTERNAL_NET any (msg:"DDOS shaft client login to handler"; flow:from_server,established; content:"login|3A|"; reference:arachnids,254; reference:url,security.royans.net/info/posts/bugtraq_ddos3.shtml; classtype:attempted-dos; sid:230; rev:5;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 18753 (msg:"DDOS shaft handler to agent"; content:"alive tijgu"; reference:arachnids,255; classtype:attempted-dos; sid:239; rev:2;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 20433 (msg:"DDOS shaft agent to handler"; content:"alive"; reference:arachnids,256; classtype:attempted-dos; sid:240; rev:2;)
+alert tcp $HOME_NET any <> $EXTERNAL_NET any (msg:"DDOS shaft synflood"; flags:S,12; seq:674711609; flow:stateless; reference:arachnids,253; classtype:attempted-dos; sid:241; rev:7;)
+
+
+
+
+alert udp $EXTERNAL_NET any -> $HOME_NET 31335 (msg:"DDOS Trin00 Daemon to Master message detected"; content:"l44"; reference:arachnids,186; classtype:attempted-dos; sid:231; rev:3;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 31335 (msg:"DDOS Trin00 Daemon to Master *HELLO* message detected"; content:"*HELLO*"; reference:arachnids,185; reference:url,www.sans.org/newlook/resources/IDFAQ/trinoo.htm; classtype:attempted-dos; sid:232; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 27665 (msg:"DDOS Trin00 Attacker to Master default startup password"; flow:established,to_server; content:"betaalmostdone"; reference:arachnids,197; classtype:attempted-dos; sid:233; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 27665 (msg:"DDOS Trin00 Attacker to Master default password"; flow:established,to_server; content:"gOrave"; classtype:attempted-dos; sid:234; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 27665 (msg:"DDOS Trin00 Attacker to Master default mdie password"; flow:established,to_server; content:"killme"; classtype:bad-unknown; sid:235; rev:2;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 27444 (msg:"DDOS Trin00 Master to Daemon default password attempt"; content:"l44adsl"; reference:arachnids,197; classtype:attempted-dos; sid:237; rev:2;)
+alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"DDOS TFN server response"; icmp_id:123; icmp_seq:0; itype:0; content:"shell bound to port"; reference:arachnids,182; classtype:attempted-dos; sid:238; rev:6;)
+
+
+
+alert udp $EXTERNAL_NET any -> $HOME_NET 6838 (msg:"DDOS mstream agent to handler"; content:"newserver"; classtype:attempted-dos; sid:243; rev:2;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 10498 (msg:"DDOS mstream handler to agent"; content:"stream/"; reference:cve,2000-0138; classtype:attempted-dos; sid:244; rev:3;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 10498 (msg:"DDOS mstream handler ping to agent"; content:"ping"; reference:cve,2000-0138; classtype:attempted-dos; sid:245; rev:3;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 10498 (msg:"DDOS mstream agent pong to handler"; content:"pong"; classtype:attempted-dos; sid:246; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 12754 (msg:"DDOS mstream client to handler"; flow:to_server,established; content:">"; reference:cve,2000-0138; classtype:attempted-dos; sid:247; rev:4;)
+alert tcp $HOME_NET 12754 -> $EXTERNAL_NET any (msg:"DDOS mstream handler to client"; flow:to_client,established; content:">"; reference:cve,2000-0138; classtype:attempted-dos; sid:248; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 15104 (msg:"DDOS mstream client to handler"; flags:S,12; flow:stateless; reference:arachnids,111; reference:cve,2000-0138; classtype:attempted-dos; sid:249; rev:7;)
+alert tcp $HOME_NET 15104 -> $EXTERNAL_NET any (msg:"DDOS mstream handler to client"; flow:from_server,established; content:">"; reference:cve,2000-0138; classtype:attempted-dos; sid:250; rev:4;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DDOS - TFN client command LE"; icmp_id:51201; icmp_seq:0; itype:0; reference:arachnids,183; classtype:attempted-dos; sid:251; rev:3;)
+
+
+alert icmp 3.3.3.3/32 any -> $EXTERNAL_NET any (msg:"DDOS Stacheldraht server spoof"; icmp_id:666; itype:0; reference:arachnids,193; classtype:attempted-dos; sid:224; rev:3;)
+alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"DDOS Stacheldraht gag server response"; icmp_id:669; itype:0; content:"sicken"; reference:arachnids,195; classtype:attempted-dos; sid:225; rev:6;)
+alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"DDOS Stacheldraht server response"; icmp_id:667; itype:0; content:"ficken"; reference:arachnids,191; classtype:attempted-dos; sid:226; rev:6;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DDOS Stacheldraht client spoofworks"; icmp_id:1000; itype:0; content:"spoofworks"; reference:arachnids,192; classtype:attempted-dos; sid:227; rev:6;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DDOS Stacheldraht client check gag"; icmp_id:668; itype:0; content:"gesundheit!"; reference:arachnids,194; classtype:attempted-dos; sid:236; rev:6;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DDOS Stacheldraht client check skillz"; icmp_id:666; itype:0; content:"skillz"; reference:arachnids,190; classtype:attempted-dos; sid:229; rev:5;)
+alert icmp $EXTERNAL_NET any <> $HOME_NET any (msg:"DDOS Stacheldraht handler->agent niggahbitch"; icmp_id:9015; itype:0; content:"niggahbitch"; reference:url,staff.washington.edu/dittrich/misc/stacheldraht.analysis; classtype:attempted-dos; sid:1854; rev:7;)
+alert icmp $EXTERNAL_NET any <> $HOME_NET any (msg:"DDOS Stacheldraht agent->handler skillz"; icmp_id:6666; itype:0; content:"skillz"; reference:url,staff.washington.edu/dittrich/misc/stacheldraht.analysis; classtype:attempted-dos; sid:1855; rev:7;)
+alert icmp $EXTERNAL_NET any <> $HOME_NET any (msg:"DDOS Stacheldraht handler->agent ficken"; icmp_id:6667; itype:0; content:"ficken"; reference:url,staff.washington.edu/dittrich/misc/stacheldraht.analysis; classtype:attempted-dos; sid:1856; rev:7;)
diff --git a/scripts/s2b/snort_rules2.2/deleted.rules b/scripts/s2b/snort_rules2.2/deleted.rules
new file mode 100644
index 0000000000..a1b595ab7e
--- /dev/null
+++ b/scripts/s2b/snort_rules2.2/deleted.rules
@@ -0,0 +1,399 @@
+# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
+#    All rights reserved.
+# $Id: deleted.rules 91 2004-07-15 08:13:57Z rwinslow $
+#-------------
+# DELETED RULES
+#-------------
+# These signatures have been deleted for various reasons, but we are keeping
+# them here for historical purposes.
+
+# Duplicate to 332
+alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER probe 0 attempt"; flow:to_server,established; content:"0"; reference:arachnids,378; classtype:attempted-recon; sid:325; rev:4;)
+
+# Duplicate of 512
+alert tcp $HOME_NET 5631 -> $EXTERNAL_NET any (msg:"MISC Invalid PCAnywhere Login"; flow:from_server,established; content:"Invalid login"; depth:13; offset:5; classtype:unsuccessful-user; sid:511; rev:5;)
+
+# Duplicate of 514
+alert tcp $EXTERNAL_NET any -> $HOME_NET 27374 (msg:"MISC ramen worm incoming"; flow:established; content:"GET "; depth:8; nocase; reference:arachnids,460; classtype:bad-unknown; sid:506; rev:4;)
+
+# Duplicate of 557
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INFO Outbound GNUTella client request"; flow:established; content:"GNUTELLA OK"; depth:40; classtype:misc-activity; sid:558; rev:5;)
+
+# Duplicate of 559
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"P2P Inbound GNUTella client request"; flags:A+; flow:established; content:"GNUTELLA CONNECT"; depth:40; classtype:misc-activity; sid:559; rev:6;)
+
+# Duplicate of 844
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC O'Reilly args.bat access"; flow:to_server,established; uricontent:"/cgi-dos/args.bat"; nocase; classtype:attempted-recon; sid:1121; rev:5;)
+
+# Yeah, so the one site that was vulnerable to edit.pl aint no more.
+# http://packetstorm.widexs.nl/new-exploits/freestats-cgi.txt
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI edit.pl access"; flow:to_server,established; uricontent:"/edit.pl"; nocase; reference:bugtraq,2713; classtype:attempted-recon; sid:855; rev:6;)
+
+# duplicate of 987
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"EXPERIMENTAL WEB-IIS .htr request"; flow:to_server,established; uricontent:".htr"; nocase; reference:bugtraq,4474; reference:cve,2002-0071; reference:nessus,10932; classtype:web-application-activity; sid:1619; rev:8;)
+
+# webmasters suck, so this happens ever so often.  Its really not that bad,
+# so lets disable it.
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC prefix-get //"; flow:to_server,established; uricontent:"get //"; nocase; classtype:attempted-recon; sid:1114; rev:6;)
+
+# dup of 1660
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"EXPERIMENTAL WEB-IIS .NET trace.axd access"; flow:to_server,established; uricontent:"/traace.axd"; nocase; classtype:web-application-attack; sid:1749; rev:4;)
+
+# dup
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC iPlanet ../../ DOS attempt"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/../../../../../../../../../../../"; reference:bugtraq,2282; reference:cve,2001-0252; classtype:web-application-attack; sid:1049; rev:11;)
+
+
+# Falses WAAAYYY too often.
+alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK RESPONSES directory listing"; flow:from_server,established; content:"Directory of"; nocase; classtype:unknown; sid:496; rev:8;)
+
+# Replaced with 1801,1802,1803,1804
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS header field buffer overflow attempt"; flow:to_server,established; content:"|3A|"; content:"|0A|"; content:"|00|"; reference:bugtraq,4476; reference:cve,2002-0150; classtype:web-application-attack; sid:1768; rev:7;)
+
+# duplicate of sid:1673
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE execute_system attempt"; flow:to_server,established; content:"EXECUTE_SYSTEM"; nocase; classtype:protocol-command-decode; sid:1698; rev:4;)
+
+# Port based only sigs suck, this is why stream4 has flow logs
+alert tcp $EXTERNAL_NET 6000:6005 -> $HOME_NET any (msg:"X11 outbound client connection detected"; flow:established; reference:arachnids,126; classtype:misc-activity; sid:1227; rev:5;)
+
+# basically duplicate of 330
+alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER cybercop redirection"; dsize:11; flow:to_server,established; content:"@localhost|0A|"; reference:arachnids,11; classtype:attempted-recon; sid:329; rev:8;)
+
+# duplicate of 1478
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI swc attempt"; flow:to_server,established; uricontent:"/swc"; nocase; classtype:attempted-recon; sid:1477; rev:5;)
+
+# duplicate of 1248
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE rad overflow attempt"; dsize:>258; flow:to_server,established; uricontent:"/fp30reg.dll"; nocase; reference:arachnids,555; reference:bugtraq,2906; reference:cve,2001-0341; reference:url,www.microsoft.com/technet/security/bulletin/MS01-035.mspx; classtype:web-application-attack; sid:1246; rev:14;)
+
+# duplicate of 1249
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE rad overflow attempt"; dsize:>259; flow:to_server,established; uricontent:"/fp4areg.dll"; nocase; reference:bugtraq,2906; reference:cve,2001-0341; classtype:web-application-attack; sid:1247; rev:11;)
+
+# duplicate of 1755
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP EXPLOIT partial body overflow attempt"; dsize:>1092; flow:to_server,established; content:" x PARTIAL 1 BODY["; reference:bugtraq,4713; reference:cve,2002-0379; classtype:misc-attack; sid:1780; rev:9;)
+
+# duplicate of 1538
+alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"NNTP Cassandra Overflow"; dsize:>512; flow:to_server,established; content:"AUTHINFO USER"; depth:16; nocase; reference:arachnids,274; reference:bugtraq,1156; reference:cve,2000-0341; classtype:attempted-user; sid:291; rev:12;)
+
+# This rule looks for the exploit for w3-msql, but very badly
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI w3-msql solaris x86  access"; flow:to_server,established; uricontent:"/bin/shA-cA/usr/openwin"; nocase; reference:arachnids,211; reference:cve,1999-0276; classtype:attempted-recon; sid:874; rev:7;)
+
+
+alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"EXPLOIT bootp x86 bsd overfow"; content:"echo netrjs stre"; reference:bugtraq,324; reference:cve,1999-0914; classtype:attempted-admin; sid:318; rev:6;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"EXPLOIT bootp x86 linux overflow"; content:"A90|C0 A8 01 01|/bin/sh|00|"; reference:cve,1999-0389; reference:cve,1999-0798; reference:cve,1999-0799; classtype:attempted-admin; sid:319; rev:5;)
+
+
+# duplicate of 109
+alert tcp $HOME_NET 12346 -> $EXTERNAL_NET any (msg:"BACKDOOR netbus active"; flags:A+; flow:established; content:"NetBus"; reference:arachnids,401; classtype:misc-activity; sid:114; rev:5;)
+
+# duplicate of 110
+alert tcp $EXTERNAL_NET any -> $HOME_NET 12346 (msg:"BACKDOOR netbus getinfo"; flow:to_server,established; content:"GetInfo|0D|"; reference:arachnids,403; classtype:misc-activity; sid:111; rev:5;)
+
+
+# we have a backorifice preprocessor
+alert tcp $HOME_NET 80 -> $EXTERNAL_NET any (msg:"BACKDOOR BackOrifice access"; flags:A+; flow:established; content:"server|3A| BO/"; reference:arachnids,400; classtype:misc-activity; sid:112; rev:6;)
+
+# we have a backorifice preprocessor
+alert udp $EXTERNAL_NET any -> $HOME_NET 31337 (msg:"BACKDOOR BackOrifice access"; content:"|CE|c|D1 D2 16 E7 13 CF|9|A5 A5 86|"; reference:arachnids,399; classtype:misc-activity; sid:116; rev:5;)
+
+
+
+alert udp $EXTERNAL_NET 2140 -> $HOME_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 Server Active on Network"; reference:arachnids,106; classtype:misc-activity; sid:164; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Keylogger on Server ON"; content:"KeyLogger Is Enabled On port"; reference:arachnids,106; classtype:misc-activity; sid:165; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Show Picture Client Request"; content:"22"; reference:arachnids,106; classtype:misc-activity; sid:166; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Hide/Show Clock Client Request"; content:"32"; reference:arachnids,106; classtype:misc-activity; sid:167; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Hide/Show Desktop Client Request"; content:"33"; reference:arachnids,106; classtype:misc-activity; sid:168; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Swap Mouse Buttons Client Request"; content:"34"; reference:arachnids,106; classtype:misc-activity; sid:169; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Enable/Disable CTRL-ALT-DEL Client Request"; content:"110"; reference:arachnids,106; classtype:misc-activity; sid:170; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Freeze Mouse Client Request"; content:"35"; reference:arachnids,106; classtype:misc-activity; sid:171; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Show Dialog Box Client Request"; content:"70"; reference:arachnids,106; classtype:misc-activity; sid:172; rev:6;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Show Replyable Dialog Box Client Request"; content:"71"; reference:arachnids,106; classtype:misc-activity; sid:173; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Hide/Show Start Button Client Request"; content:"31"; reference:arachnids,106; classtype:misc-activity; sid:174; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Resolution Change Client Request"; content:"125"; reference:arachnids,106; classtype:misc-activity; sid:175; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Hide/Show Start Button Client Request"; content:"04"; reference:arachnids,106; classtype:misc-activity; sid:176; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Keylogger on Server OFF"; content:"KeyLogger Shut Down"; reference:arachnids,106; classtype:misc-activity; sid:177; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 FTP Server Port Client Request"; content:"21"; reference:arachnids,106; classtype:misc-activity; sid:179; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Process List Client request"; content:"64"; reference:arachnids,106; classtype:misc-activity; sid:180; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Close Port Scan Client Request"; content:"121"; reference:arachnids,106; classtype:misc-activity; sid:181; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Registry Add Client Request"; content:"89"; reference:arachnids,106; classtype:misc-activity; sid:182; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 System Info Client Request"; content:"13"; reference:arachnids,106; classtype:misc-activity; sid:122; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 FTP Status Client Request"; content:"09"; reference:arachnids,106; classtype:misc-activity; sid:124; rev:5;)
+alert udp $HOME_NET 2140 -> $EXTERNAL_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 E-Mail Info From Server"; content:"Retreaving"; reference:arachnids,106; classtype:misc-activity; sid:125; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 E-Mail Info Client Request"; content:"12"; reference:arachnids,106; classtype:misc-activity; sid:126; rev:5;)
+alert udp $HOME_NET 2140 -> $EXTERNAL_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 Server Status From Server"; content:"Host"; reference:arachnids,106; classtype:misc-activity; sid:127; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Server Status Client Request"; content:"10"; reference:arachnids,106; classtype:misc-activity; sid:128; rev:5;)
+alert udp $HOME_NET 2140 -> $EXTERNAL_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 Drive Info From Server"; content:"C - "; reference:arachnids,106; classtype:misc-activity; sid:129; rev:5;)
+alert udp $HOME_NET 2140 -> $EXTERNAL_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 System Info From Server"; content:"Comp Name"; reference:arachnids,106; classtype:misc-activity; sid:130; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Drive Info Client Request"; content:"130"; reference:arachnids,106; classtype:misc-activity; sid:131; rev:5;)
+alert udp $HOME_NET 2140 -> $EXTERNAL_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 Server FTP Port Change From Server"; content:"FTP Server changed to"; reference:arachnids,106; classtype:misc-activity; sid:132; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Cached Passwords Client Request"; content:"16"; reference:arachnids,106; classtype:misc-activity; sid:133; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 RAS Passwords Client Request"; content:"17"; reference:arachnids,106; classtype:misc-activity; sid:134; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Server Password Change Client Request"; content:"91"; reference:arachnids,106; classtype:misc-activity; sid:135; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Server Password Remove Client Request"; content:"92"; reference:arachnids,106; classtype:misc-activity; sid:136; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Rehash Client Request"; content:"911"; reference:arachnids,106; classtype:misc-activity; sid:137; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 3150 (msg:"BACKDOOR DeepThroat 3.1 Server Rehash Client Request"; content:"shutd0wnM0therF***eR"; reference:arachnids,106; classtype:misc-activity; sid:138; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 ICQ Alert OFF Client Request"; content:"88"; reference:arachnids,106; classtype:misc-activity; sid:140; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 ICQ Alert ON Client Request"; content:"40"; reference:arachnids,106; classtype:misc-activity; sid:142; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Change Wallpaper Client Request"; content:"20"; reference:arachnids,106; classtype:misc-activity; sid:143; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 3150 (msg:"BACKDOOR DeepThroat 3.1 Client Sending Data to Server on Network"; content:"|00 23|"; reference:arachnids,106; classtype:misc-activity; sid:149; rev:5;)
+alert udp $EXTERNAL_NET 3150 -> $HOME_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 Server Active on Network"; content:"|00 23|"; reference:arachnids,106; classtype:misc-activity; sid:150; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Client Sending Data to Server on Network"; reference:arachnids,106; classtype:misc-activity; sid:151; rev:5;)
+alert udp $HOME_NET 3150 -> $EXTERNAL_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 Wrong Password"; content:"Wrong Password"; reference:arachnids,106; classtype:misc-activity; sid:154; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Visible Window List Client Request"; content:"37"; reference:arachnids,106; classtype:misc-activity; sid:156; rev:5;)
+alert udp $EXTERNAL_NET 4120 -> $HOME_NET any (msg:"BACKDOOR DeepThroat access"; content:"--Ahhhhhhhhhh"; reference:arachnids,405; classtype:misc-activity; sid:113; rev:6;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Monitor on/off Client Request"; content:"07"; reference:arachnids,106; classtype:misc-activity; sid:186; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Delete File Client Request"; content:"41"; reference:arachnids,106; classtype:misc-activity; sid:187; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Kill Window Client Request"; content:"38"; reference:arachnids,106; classtype:misc-activity; sid:188; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Disable Window Client Request"; content:"23"; reference:arachnids,106; classtype:misc-activity; sid:189; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Enable Window Client Request"; content:"24"; reference:arachnids,106; classtype:misc-activity; sid:190; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Change Window Title Client Request"; content:"60"; reference:arachnids,106; classtype:misc-activity; sid:191; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Hide Window Client Request"; content:"26"; reference:arachnids,106; classtype:misc-activity; sid:192; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Show Window Client Request"; content:"25"; reference:arachnids,106; classtype:misc-activity; sid:193; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Send Text to Window Client Request"; content:"63"; reference:arachnids,106; classtype:misc-activity; sid:194; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Hide/Show Systray Client Request"; content:"30"; reference:arachnids,106; classtype:misc-activity; sid:196; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Create Directory Client Request"; content:"39"; reference:arachnids,106; classtype:misc-activity; sid:197; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 All Window List Client Request"; content:"370"; reference:arachnids,106; classtype:misc-activity; sid:198; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Play Sound Client Request"; content:"36"; reference:arachnids,106; classtype:misc-activity; sid:199; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Run Program Normal Client Request"; content:"14"; reference:arachnids,106; classtype:misc-activity; sid:200; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Run Program Hidden Client Request"; content:"15"; reference:arachnids,106; classtype:misc-activity; sid:201; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Get NET File Client Request"; content:"100"; reference:arachnids,106; classtype:misc-activity; sid:202; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Find File Client Request"; content:"117"; reference:arachnids,106; classtype:misc-activity; sid:203; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Find File Client Request"; content:"118"; reference:arachnids,106; classtype:misc-activity; sid:204; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 HUP Modem Client Request"; content:"199"; reference:arachnids,106; classtype:misc-activity; sid:205; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 CD ROM Open Client Request"; content:"02"; reference:arachnids,106; classtype:misc-activity; sid:206; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 CD ROM Close Client Request"; content:"03"; reference:arachnids,106; classtype:misc-activity; sid:207; rev:5;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS named iquery attempt"; content:"|09 80 00 00 00 01 00 00 00 00|"; depth:16; offset:2; reference:arachnids,277; reference:bugtraq,134; reference:cve,1999-0009; reference:url,www.rfc-editor.org/rfc/rfc1035.txt; classtype:attempted-recon; sid:252; rev:7;)
+alert udp $HOME_NET 2140 -> $EXTERNAL_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 Keylogger Active on Network"; content:"KeyLogger Is Enabled On port"; reference:arachnids,106; classtype:misc-activity; sid:148; rev:5;)
+
+# The following ftp rules look for specific exploits, which are not needed now
+# that initial protocol decoding is available.
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT format string"; flow:to_server,established; content:"SITE EXEC %020d|7C|%.f%.f|7C 0A|"; depth:32; nocase; reference:arachnids,453; reference:bugtraq,1387; reference:cve,2000-0573; classtype:attempted-user; sid:338; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT OpenBSD x86 ftpd"; flow:to_server,established; content:" |90|1|C0 99|RR|B0 17 CD 80|h|CC|sh"; reference:arachnids,446; reference:bugtraq,2124; reference:cve,2001-0053; classtype:attempted-user; sid:339; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT overflow"; flow:to_server,established; content:"PWD|0A|/i"; classtype:attempted-admin; sid:340; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT overflow"; flow:to_server,established; content:"XXXXX/"; classtype:attempted-admin; sid:341; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT wu-ftpd 2.6.0 site exec format string overflow Solaris 2.8"; flow:to_server,established; content:"|90 1B C0 0F 82 10| |17 91 D0| |08|"; reference:arachnids,451; reference:bugtraq,1387; reference:cve,2000-0573; classtype:attempted-user; sid:342; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT wu-ftpd 2.6.0 site exec format string overflow FreeBSD"; flow:to_server,established; content:"1|C0|PPP|B0|~|CD 80|1|DB|1|C0|"; depth:32; reference:arachnids,228; reference:bugtraq,1387; reference:cve,2000-0573; classtype:attempted-admin; sid:343; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT wu-ftpd 2.6.0 site exec format string overflow Linux"; flow:to_server,established; content:"1|C0|1|DB|1|C9 B0|F|CD 80|1|C0|1|DB|"; reference:arachnids,287; reference:bugtraq,1387; reference:cve,2000-0573; classtype:attempted-admin; sid:344; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT wu-ftpd 2.6.0 site exec format string overflow generic"; flow:to_server,established; content:"SITE "; nocase; content:" EXEC "; nocase; content:" %p"; nocase; reference:arachnids,285; reference:bugtraq,1387; reference:cve,2000-0573; reference:nessus,10452; classtype:attempted-admin; sid:345; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT wu-ftpd 2.6.0 site exec format string check"; flow:to_server,established; content:"f%.f%.f%.f%.f%."; depth:32; reference:arachnids,286; reference:bugtraq,1387; reference:cve,2000-0573; classtype:attempted-recon; sid:346; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT wu-ftpd 2.6.0"; flow:to_server,established; content:"..11venglin@"; reference:arachnids,440; reference:bugtraq,1387; classtype:attempted-user; sid:348; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT MKD overflow"; flow:to_server,established; content:"MKD AAAAAA"; reference:bugtraq,113; reference:bugtraq,2242; reference:cve,1999-0368; classtype:attempted-admin; sid:349; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT x86 linux overflow"; flow:to_server,established; content:"1|C0|1|DB B0 17 CD 80|1|C0 B0 17 CD 80|"; reference:bugtraq,113; reference:bugtraq,2242; reference:cve,1999-0368; classtype:attempted-admin; sid:350; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT x86 linux overflow"; flow:to_server,established; content:"1|DB 89 D8 B0 17 CD 80 EB|,"; reference:bugtraq,113; reference:bugtraq,2242; reference:cve,1999-0368; classtype:attempted-admin; sid:351; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT x86 linux overflow"; flow:to_server,established; content:"|83 EC 04|^|83 C6|p|83 C6 28 D5 E0 C0|"; reference:bugtraq, 113; reference:cve, CVE-1999-0368; classtype:attempted-admin; sid:352; rev:6;)
+
+# duplicate of 475
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Traceroute ipopts"; ipopts:rr; itype:0; reference:arachnids,238; classtype:misc-activity; sid:455; rev:7;)
+
+
+# not needed thanks to 1964 and 1965
+alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 (msg:"RPC EXPLOIT ttdbserv solaris overflow"; dsize:>999; flow:to_server,established; content:"|C0 22|?|FC A2 02| |09 C0|,|7F FF E2 22|?|F4|"; reference:arachnids,242; reference:bugtraq,122; reference:cve,1999-0003; reference:url,www.cert.org/advisories/CA-2001-27.html; classtype:attempted-admin; sid:570; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 (msg:"RPC EXPLOIT ttdbserv Solaris overflow"; dsize:>999; flow:to_server,established; content:"|00 01 86 F3 00 00 00 01 00 00 00 0F 00 00 00 01|"; reference:arachnids,242; reference:bugtraq,122; reference:cve,1999-0003; reference:url,www.cert.org/advisories/CA-2001-27.html; classtype:attempted-admin; sid:571; rev:8;)
+
+# dup of 589
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request yppasswdd"; rpc:100009,*,*; reference:bugtraq,2763; classtype:rpc-portmap-decode; sid:1296; rev:4;)
+# dup of 1275
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request yppasswdd"; flow:to_server,established; rpc:100009,*,*; reference:bugtraq,2763; classtype:rpc-portmap-decode; sid:1297; rev:8;)
+
+# dup of 1280
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap listing"; flow:to_server,established; rpc:100000,*,*; reference:arachnids,429; classtype:rpc-portmap-decode; sid:596; rev:6;)
+
+# dup of 1281
+alert tcp $EXTERNAL_NET any -> $HOME_NET 32771 (msg:"RPC portmap listing"; flow:to_server,established; rpc:100000,*,*; reference:arachnids,429; classtype:rpc-portmap-decode; sid:597; rev:6;)
+
+alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD TRAFFIC Non-Standard IP protocol"; ip_proto:!1; ip_proto:!2; ip_proto:!47; ip_proto:!50; ip_proto:!51; ip_proto:!6; ip_proto:!89; classtype:non-standard-protocol; sid:1620; rev:5;)
+
+# this has been replaced with sid 1905 and 1906
+alert tcp $EXTERNAL_NET any -> $HOME_NET 634:1400 (msg:"RPC AMD Overflow"; flow:to_server,established; content:"|80 00 04|,L|15|u[|00 00 00 00 00 00 00 02|"; depth:32; reference:arachnids,217; reference:cve,1999-0704; classtype:attempted-admin; sid:573; rev:8;)
+
+# these have been replaced by 1915, 1916, 1914, and 1913
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC EXPLOIT statdx"; flow:to_server,established; content:"/bin|C7|F|04|/sh"; reference:arachnids,442; classtype:attempted-admin; sid:600; rev:7;)
+alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC EXPLOIT statdx"; content:"/bin|C7|F|04|/sh"; reference:arachnids,442; classtype:attempted-admin; sid:1282; rev:5;)
+
+# duplicate of 1088
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI webstore directory traversal"; flow:to_server,established; uricontent:"/web_store.cgi?page=../.."; reference:bugtraq,1774; reference:cve,2000-1005; classtype:web-application-attack; sid:1094; rev:10;)
+
+
+# these are obsolete
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP EXPLOIT overflow"; flow:to_server,established; content:"|E8 C0 FF FF FF|/bin/sh"; classtype:attempted-admin; sid:293; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP EXPLOIT x86 linux overflow"; flow:to_server,established; content:"|89 D8|@|CD 80 E8 C8 FF FF FF|/"; reference:bugtraq,130; reference:cve,1999-0005; classtype:attempted-admin; sid:295; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP EXPLOIT x86 linux overflow"; flow:to_server,established; content:"|EB|4^|8D 1E 89|^|0B|1|D2 89|V|07|"; reference:bugtraq,130; reference:cve,1999-0005; classtype:attempted-admin; sid:296; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP EXPLOIT x86 linux overflow"; flow:to_server,established; content:"|EB|5^|80|F|01|0|80|F|02|0|80|F|03|0"; reference:bugtraq,130; reference:cve,1999-0005; classtype:attempted-admin; sid:297; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP EXPLOIT x86 linux overflow"; flow:to_server,established; content:"|EB|8^|89 F3 89 D8 80|F|01| |80|F|02|"; reference:bugtraq,130; reference:cve,1999-0005; classtype:attempted-admin; sid:298; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP EXPLOIT x86 linux overflow"; flow:to_server,established; content:"|EB|X^1|DB 83 C3 08 83 C3 02 88|^&"; reference:bugtraq,130; reference:cve, CVE-1999-0005; classtype:attempted-admin; sid:299; rev:6;)
+
+# what is this rule?  we have no idea...
+alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SCAN ssh-research-scanner"; flow:to_server,established; content:"|00 00 00|`|00 00 00 00 00 00 00 00 01 00 00 00|"; classtype:attempted-recon; sid:617; rev:4;)
+
+# These have been replaced by better rules (1915,1916,1913,1914)
+alert udp $EXTERNAL_NET any -> $HOME_NET 32770: (msg:"RPC rstatd query"; content:"|00 00 00 00 00 00 00 02 00 01 86 A1|"; offset:5; reference:arachnids,9; classtype:attempted-recon; sid:592; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 32770: (msg:"RPC rstatd query"; flow:to_server,established; content:"|00 00 00 00 00 00 00 02 00 01 86 A1|"; offset:5; reference:arachnids,9; classtype:attempted-recon; sid:1278; rev:5;)
+
+alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES id check returned nobody"; flow:from_server,established; content:"uid="; content:"|28|nobody|29|"; classtype:bad-unknown; sid:1883; rev:5;)
+alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES id check returned web"; flow:from_server,established; content:"uid="; content:"|28|web|29|"; classtype:bad-unknown; sid:1884; rev:5;)
+alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES id check returned http"; flow:from_server,established; content:"uid="; content:"|28|http|29|"; classtype:bad-unknown; sid:1885; rev:5;)
+alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES id check returned apache"; flow:from_server,established; content:"uid="; content:"|28|apache|29|"; classtype:bad-unknown; sid:1886; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB SMB_COM_TRANSACTION Max Data Count of 0 DOS Attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; content:"|00 00|"; depth:2; offset:45; reference:bugtraq,5556; reference:cve,2002-0724; reference:url,www.corest.com/common/showdoc.php?idx=262; reference:url,www.microsoft.com/technet/security/bulletin/MS02-045.mspx; classtype:denial-of-service; sid:2102; rev:8;)
+
+# specific example for sid:1549
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP EXPLOIT x86 windows CSMMail overflow"; flow:to_server,established; content:"|EB|S|EB| [|FC|3|C9 B1 82 8B F3 80|+"; reference:bugtraq,895; reference:cve,2000-0042; classtype:attempted-admin; sid:656; rev:8;)
+
+# this is properly caught by sid:527
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS Land attack"; flags:S; id:3868; seq:3868; flow:stateless; reference:bugtraq,2666; reference:cve,1999-0016; classtype:attempted-dos; sid:269; rev:9;)
+
+# duplicate of 1546
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Cisco Web DOS attempt"; flow:to_server,established; content:" /%%"; depth:16; reference:arachnids,275; classtype:attempted-dos; sid:1138; rev:7;)
+
+# these are obsoleted by cleaning up 663
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP sendmail 8.4.1 exploit"; flow:to_server,established; content:"rcpt to|3A| |7C| sed '1,/^|24|/d'|7C|"; nocase; reference:arachnids,120; classtype:attempted-user; sid:666; rev:7;)
+
+# dup of 588
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap tooltalk request TCP"; flow:to_server,established; content:"|00 00 00 00|"; depth:4; offset:8; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F3|"; within:4; reference:bugtraq,3382; reference:cve,1999-0003; reference:cve,1999-0687; reference:cve,1999-1075; reference:cve,2001-0717; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:1298; rev:15;)
+# dup of 1274
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap tooltalk request UDP"; content:"|00 00 00 00|"; depth:4; offset:4; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F3|"; within:4; reference:bugtraq,3382; reference:cve,1999-0003; reference:cve,1999-0687; reference:cve,1999-1075; reference:cve,2001-0717; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:1299; rev:14;)
+
+# these virus rules suck.
+alert tcp any 110 -> any any (msg:"Virus - SnowWhite Trojan Incoming"; flow:established; content:"Suddlently"; classtype:misc-activity; sid:720; rev:6;)
+alert tcp any 110 -> any any (msg:"Virus - Possible NAVIDAD Worm"; flow:established; content:"NAVIDAD.EXE"; nocase; classtype:misc-activity; sid:722; rev:6;)
+alert tcp any 110 -> any any (msg:"Virus - Possible MyRomeo Worm"; flow:established; content:"myromeo.exe"; nocase; classtype:misc-activity; sid:723; rev:6;)
+alert tcp any 110 -> any any (msg:"Virus - Possible MyRomeo Worm"; flow:established; content:"myjuliet.chm"; nocase; classtype:misc-activity; sid:724; rev:6;)
+alert tcp any 110 -> any any (msg:"Virus - Possible MyRomeo Worm"; flow:established; content:"ble bla"; nocase; classtype:misc-activity; sid:725; rev:6;)
+alert tcp any 110 -> any any (msg:"Virus - Possible MyRomeo Worm"; flow:established; content:"I Love You"; classtype:misc-activity; sid:726; rev:6;)
+alert tcp any 110 -> any any (msg:"Virus - Possible MyRomeo Worm"; flow:established; content:"Sorry... Hey you !"; classtype:misc-activity; sid:727; rev:6;)
+alert tcp any 110 -> any any (msg:"Virus - Possible MyRomeo Worm"; flow:established; content:"my picture from shake-beer"; classtype:misc-activity; sid:728; rev:6;)
+alert tcp any 110 -> any any (msg:"Virus - Possible QAZ Worm"; flow:established; content:"qazwsx.hsq"; reference:MCAFEE,98775; classtype:misc-activity; sid:731; rev:7;)
+alert tcp any any -> any 25 (msg:"Virus - Possible QAZ Worm Calling Home"; flow:established; content:"nongmin_cn"; reference:MCAFEE,98775; classtype:misc-activity; sid:733; rev:6;)
+alert tcp any 110 -> any any (msg:"Virus - Possible Matrix worm"; flow:established; content:"Software provide by [MATRiX]"; nocase; classtype:misc-activity; sid:734; rev:6;)
+alert tcp any 110 -> any any (msg:"Virus - Possible MyRomeo Worm"; flow:established; content:"Matrix has you..."; classtype:misc-activity; sid:735; rev:6;)
+alert tcp any any -> any 25 (msg:"Virus - Successful eurocalculator execution"; flags:PA; flow:established; content:"funguscrack@hotmail.com"; nocase; classtype:misc-activity; sid:736; rev:7;)
+alert tcp any 110 -> any any (msg:"Virus - Possible eurocalculator.exe file"; flow:established; content:"filename="; content:"eurocalculator.exe"; nocase; classtype:misc-activity; sid:737; rev:6;)
+alert tcp any any -> any 110 (msg:"Virus - Possible Pikachu Pokemon Virus"; flags:PA; flow:established; content:"Pikachu Pokemon"; reference:MCAFEE,98696; classtype:misc-activity; sid:738; rev:7;)
+alert tcp any 110 -> any any (msg:"Virus - Possible Triplesix Worm"; flow:established; content:"filename=|22|666TEST.VBS|22|"; nocase; reference:MCAFEE,10389; classtype:misc-activity; sid:739; rev:7;)
+alert tcp any 110 -> any any (msg:"Virus - Possible Tune.vbs"; flow:established; content:"filename=|22|tune.vbs|22|"; nocase; reference:MCAFEE,10497; classtype:misc-activity; sid:740; rev:7;)
+alert tcp any 110 -> any any (msg:"Virus - Possible NAIL Worm"; flow:established; content:"Market share tipoff"; reference:MCAFEE,10109; classtype:misc-activity; sid:741; rev:7;)
+alert tcp any 110 -> any any (msg:"Virus - Possible NAIL Worm"; flow:established; content:"name =|22|WWIII!"; reference:MCAFEE,10109; classtype:misc-activity; sid:742; rev:7;)
+alert tcp any 110 -> any any (msg:"Virus - Possible NAIL Worm"; flow:established; content:"New Developments"; reference:MCAFEE,10109; classtype:misc-activity; sid:743; rev:7;)
+alert tcp any 110 -> any any (msg:"Virus - Possible NAIL Worm"; flow:established; content:"Good Times"; reference:MCAFEE,10109; classtype:misc-activity; sid:744; rev:7;)
+alert tcp any 110 -> any any (msg:"Virus - Possible Papa Worm"; flow:established; content:"filename=|22|XPASS.XLS|22|"; nocase; reference:MCAFEE,10145; classtype:misc-activity; sid:745; rev:7;)
+alert tcp any 110 -> any any (msg:"Virus - Possible Freelink Worm"; flow:established; content:"LINKS.VBS"; reference:MCAFEE,10225; classtype:misc-activity; sid:746; rev:7;)
+alert tcp any 110 -> any any (msg:"Virus - Possible Simbiosis Worm"; flow:established; content:"filename=|22|SETUP.EXE|22|"; nocase; classtype:misc-activity; sid:747; rev:7;)
+alert tcp any 110 -> any any (msg:"Virus - Possible BADASS Worm"; flow:established; content:"name =|22|BADASS.EXE|22|"; reference:MCAFEE,10388; classtype:misc-activity; sid:748; rev:7;)
+alert tcp any 110 -> any any (msg:"Virus - Possible ExploreZip.B Worm"; flow:established; content:"name =|22|File_zippati.exe|22|"; reference:MCAFEE,10471; classtype:misc-activity; sid:749; rev:7;)
+alert tcp any 110 -> any any (msg:"Virus - Possible wscript.KakWorm"; flow:established; content:"filename=|22|KAK.HTA|22|"; nocase; reference:MCAFEE,10509; classtype:misc-activity; sid:751; rev:7;)
+alert tcp any 110 -> any any (msg:"Virus Possible Suppl Worm"; flow:established; content:"filename=|22|Suppl.doc|22|"; nocase; reference:MCAFEE,10361; classtype:misc-activity; sid:752; rev:7;)
+alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - theobbq.exe"; flow:established; content:"filename=|22|THEOBBQ.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:753; rev:7;)
+alert tcp any 110 -> any any (msg:"Virus - Possible Word Macro - VALE"; flow:established; content:"filename=|22|MONEY.DOC|22|"; nocase; reference:MCAFEE,10502; classtype:misc-activity; sid:754; rev:7;)
+alert tcp any 110 -> any any (msg:"Virus - Possible IROK Worm"; flow:established; content:"filename=|22|irok.exe|22|"; nocase; reference:MCAFEE,98552; classtype:misc-activity; sid:755; rev:7;)
+alert tcp any 110 -> any any (msg:"Virus - Possible Fix2001 Worm"; flow:established; content:"filename=|22|Fix2001.exe|22|"; nocase; reference:MCAFEE,10355; classtype:misc-activity; sid:756; rev:7;)
+alert tcp any 110 -> any any (msg:"Virus - Possible Y2K Zelu Trojan"; flow:established; content:"filename=|22|Y2K.EXE|22|"; nocase; reference:MCAFEE,10505; classtype:misc-activity; sid:757; rev:7;)
+alert tcp any 110 -> any any (msg:"Virus - Possible The_Fly Trojan"; flow:established; content:"filename=|22|THE_FLY.CHM|22|"; nocase; reference:MCAFEE,10478; classtype:misc-activity; sid:758; rev:7;)
+alert tcp any 110 -> any any (msg:"Virus - Possible Word Macro - VALE"; flow:established; content:"filename=|22|DINHEIRO.DOC|22|"; nocase; reference:MCAFEE,10502; classtype:misc-activity; sid:759; rev:7;)
+alert tcp any 110 -> any any (msg:"Virus - Possible Passion Worm"; flow:established; content:"filename=|22|ICQ_GREETINGS.EXE|22|"; nocase; reference:MCAFEE,10467; classtype:misc-activity; sid:760; rev:7;)
+alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - cooler3.exe"; flow:established; content:"filename=|22|COOLER3.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:761; rev:7;)
+alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - party.exe"; flow:established; content:"filename=|22|PARTY.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:762; rev:7;)
+alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - hog.exe"; flow:established; content:"filename=|22|HOG.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:763; rev:7;)
+alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - goal1.exe"; flow:established; content:"filename=|22|GOAL1.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:764; rev:7;)
+alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - pirate.exe"; flow:established; content:"filename=|22|PIRATE.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:765; rev:7;)
+alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - video.exe"; flow:established; content:"filename=|22|VIDEO.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:766; rev:7;)
+alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - baby.exe"; flow:established; content:"filename=|22|BABY.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:767; rev:7;)
+alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - cooler1.exe"; flow:established; content:"filename=|22|COOLER1.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:768; rev:7;)
+alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - boss.exe"; flow:established; content:"filename=|22|BOSS.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:769; rev:7;)
+alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - g-zilla.exe"; flow:established; content:"filename=|22|G-ZILLA.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:770; rev:7;)
+alert tcp any 110 -> any any (msg:"Virus - Possible ToadieE-mail Trojan"; flow:established; content:"filename=|22|Toadie.exe|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:771; rev:7;)
+alert tcp any 110 -> any any (msg:"Virus - Possible PrettyPark Trojan"; flow:established; content:"|5C|CoolProgs|5C|"; depth:750; offset:300; reference:MCAFEE,10175; classtype:misc-activity; sid:772; rev:7;)
+alert tcp any 110 -> any any (msg:"Virus - Possible Happy99 Virus"; flow:established; content:"X-Spanska|3A|Yes"; reference:MCAFEE,10144; classtype:misc-activity; sid:773; rev:7;)
+alert tcp any 110 -> any any (msg:"Virus - Possible CheckThis Trojan"; flow:established; content:"name =|22|links.vbs|22|"; classtype:misc-activity; sid:774; rev:5;)
+alert tcp any 110 -> any any (msg:"Virus - Possible Bubbleboy Worm"; flow:established; content:"BubbleBoy is back!"; reference:MCAFEE,10418; classtype:misc-activity; sid:775; rev:6;)
+alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - copier.exe"; flow:established; content:"filename=|22|COPIER.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:776; rev:7;)
+alert tcp any 110 -> any any (msg:"Virus - Possible MyPics Worm"; flow:established; content:"name =|22|pics4you.exe|22|"; reference:MCAFEE,10467; classtype:misc-activity; sid:777; rev:7;)
+alert tcp any 110 -> any any (msg:"Virus - Possible Babylonia - X-MAS.exe"; flow:established; content:"name =|22|X-MAS.EXE|22|"; reference:MCAFEE,10461; classtype:misc-activity; sid:778; rev:7;)
+alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - gadget.exe"; flow:established; content:"filename=|22|GADGET.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:779; rev:7;)
+alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - irnglant.exe"; flow:established; content:"filename=|22|IRNGLANT.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:780; rev:7;)
+alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - casper.exe"; flow:established; content:"filename=|22|CASPER.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:781; rev:7;)
+alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - fborfw.exe"; flow:established; content:"filename=|22|FBORFW.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:782; rev:7;)
+alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - saddam.exe"; flow:established; content:"filename=|22|SADDAM.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:783; rev:7;)
+alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - bboy.exe"; flow:established; content:"filename=|22|BBOY.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:784; rev:7;)
+alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - monica.exe"; flow:established; content:"filename=|22|MONICA.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:785; rev:7;)
+alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - goal.exe"; flow:established; content:"filename=|22|GOAL.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:786; rev:7;)
+alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - panther.exe"; flow:established; content:"filename=|22|PANTHER.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:787; rev:7;)
+alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - chestburst.exe"; flow:established; content:"filename=|22|CHESTBURST.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:788; rev:7;)
+alert tcp any 110 -> any any (msg:"Virus - Possible Common Sense Worm"; flow:established; content:"name =|22|THE_FLY.CHM|22|"; classtype:misc-activity; sid:790; rev:7;)
+alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - cupid2.exe"; flow:established; content:"filename=|22|CUPID2.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:791; rev:7;)
+alert tcp any 110 -> any any (msg:"Virus - Possible Resume Worm"; flow:established; content:"filename=|22|RESUME1.DOC|22|"; nocase; reference:MCAFEE,98661; classtype:misc-activity; sid:792; rev:7;)
+alert tcp any 110 -> any any (msg:"Virus - Possible Resume Worm"; flow:established; content:"filename=|22|Explorer.doc|22|"; nocase; reference:MCAFEE,98661; classtype:misc-activity; sid:794; rev:7;)
+alert tcp any 110 -> any any (msg:"Virus - Possible Worm -  txt.vbs file"; flow:established; content:"filename="; content:".txt.vbs"; nocase; classtype:misc-activity; sid:795; rev:6;)
+alert tcp any 110 -> any any (msg:"Virus - Possible Worm - xls.vbs file"; flow:established; content:"filename="; content:".xls.vbs"; nocase; classtype:misc-activity; sid:796; rev:6;)
+alert tcp any 110 -> any any (msg:"Virus - Possible Worm - jpg.vbs file"; flow:established; content:"filename="; content:".jpg.vbs"; nocase; classtype:misc-activity; sid:797; rev:6;)
+alert tcp any 110 -> any any (msg:"Virus - Possible Worm -  gif.vbs file"; flow:established; content:"filename="; content:".gif.vbs"; nocase; classtype:misc-activity; sid:798; rev:6;)
+alert tcp any 110 -> any any (msg:"Virus - Possible Timofonica Worm"; flow:established; content:"filename=|22|TIMOFONICA.TXT.vbs|22|"; nocase; reference:MCAFEE,98674; classtype:misc-activity; sid:799; rev:7;)
+alert tcp any 110 -> any any (msg:"Virus - Possible Resume Worm"; flow:established; content:"filename=|22|NORMAL.DOT|22|"; nocase; reference:MCAFEE,98661; classtype:misc-activity; sid:800; rev:7;)
+alert tcp any 110 -> any any (msg:"Virus - Possible Worm - doc.vbs file"; flow:established; content:"filename="; content:".doc.vbs"; nocase; classtype:misc-activity; sid:801; rev:6;)
+alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - farter.exe"; flow:established; content:"filename=|22|FARTER.EXE|22|"; nocase; reference:MCAFEE,1054; classtype:misc-activity; sid:789; rev:7;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"VIRUS Klez Incoming"; dsize:>120; flow:to_server,established; content:"MIME"; content:"VGhpcyBwcm9"; classtype:misc-activity; sid:1800; rev:4;)
+# pcre makes this not needed
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP XEXCH50 overflow with evasion attempt"; flow:to_server,established; content:"XEXCH50"; nocase; content:"-0"; distance:1; reference:url,www.microsoft.com/technet/security/bulletin/MS03-046.mspx; classtype:attempted-admin; sid:2254; rev:3;)
+
+# historical reference... this used to be here...
+alert tcp any 110 -> any any (msg:"Virus - Possbile Zipped Files Trojan"; flow:established; content:"name =|22|Zipped_Files.EXE|22|"; reference:MCAFEE,10450; classtype:misc-activity; sid:802; rev:7;)
+
+# taken care of by http_inspect now
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS multiple decode attempt"; flow:to_server,established; uricontent:"%5c"; uricontent:".."; reference:bugtraq,2708; reference:cve,2001-0333; classtype:web-application-attack; sid:970; rev:10;)
+
+# better rule for 1054 caused these rules to not be needed
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Tomcat sourecode view"; flow:to_server,established; uricontent:".js%2570"; nocase; classtype:attempted-recon; sid:1236; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Tomcat sourecode view"; flow:to_server,established; uricontent:".j%2573p"; nocase; classtype:attempted-recon; sid:1237; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Tomcat sourecode view"; flow:to_server,established; uricontent:".%256Asp"; nocase; classtype:attempted-recon; sid:1238; rev:6;)
+
+# these rules are dumb.  sid:857 looks for the access, and thats all we can do
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI faxsurvey attempt full path"; flow:to_server,established; uricontent:"/faxsurvey?/"; nocase; reference:bugtraq,2056; reference:cve,1999-0262; reference:nessus,10067; classtype:web-application-attack; sid:1647; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI faxsurvey arbitrary file read attempt"; flow:to_server,established; uricontent:"/faxsurvey?cat%20"; nocase; reference:bugtraq,2056; reference:cve,1999-0262; reference:nessus,10067; classtype:web-application-attack; sid:1609; rev:7;)
+
+# dup of 2061
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Tomcat directory traversal attempt"; flow:to_server,established; uricontent:"|00|.jsp"; reference:bugtraq,2518; classtype:web-application-attack; sid:1055; rev:9;)
+
+
+
+# squash all of the virus rules into one rule.  go PCRE!
+alert tcp any any -> any 139 (msg:"Virus - Possible QAZ Worm Infection"; flow:established; content:"qazwsx.hsq"; reference:MCAFEE,98775; classtype:misc-activity; sid:732; rev:8;)
+alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .shs file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".shs|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:730; rev:7;)
+alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .exe file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".exe|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2160; rev:4;)
+alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .doc file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".doc|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2161; rev:4;)
+alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .vbs file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".vbs|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:793; rev:7;)
+alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .hta file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".hta|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2162; rev:4;)
+alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .chm file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".chm|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2163; rev:4;)
+alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .reg file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".reg|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2164; rev:4;)
+alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .ini file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".ini|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2165; rev:4;)
+alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .bat file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".bat|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2166; rev:4;)
+alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .diz file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".diz|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2167; rev:4;)
+alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .cpp file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".cpp|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2168; rev:4;)
+alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .dll file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".dll|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2169; rev:4;)
+alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .vxd file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".vxd|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2170; rev:4;)
+alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .sys file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".sys|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2171; rev:4;)
+alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .com file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".com|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2172; rev:4;)
+alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .scr file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".scr|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:729; rev:7;)
+alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .hsq file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".hsq|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2173; rev:4;)
+
+# uh, yeah this happens quite a bit.
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ?open access"; flow:to_server,established; uricontent:"?open"; nocase; classtype:web-application-activity; sid:1561; rev:5;)
+
+# dup of 1485
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC mkilog.exe access"; flow:to_server,established; uricontent:"/mkilog.exe"; nocase; classtype:web-application-activity; sid:1665; rev:6;)
+
+# dup of 2339
+alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"TFTP NULL command attempt"; content:"|00 00|"; depth:2; reference:bugtraq,7575; classtype:bad-unknown; sid:2336; rev:3;)
+
+# these happen.  more research = more better rules
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 465 (msg:"SMTP SSLv3 invalid timestamp attempt"; flow:to_server,established; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; byte_test:4,>,2147483647,5,relative; reference:bugtraq,10115; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2503; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"WEB-MISC SSLv3 invalid timestamp attempt"; flow:to_server,established; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; byte_test:4,>,2147483647,5,relative; reference:bugtraq,10115; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2506; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 636 (msg:"MISC LDAP SSLv3 invalid timestamp attempt"; flow:to_server,established; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; byte_test:4,>,2147483647,5,relative; reference:bugtraq,10115; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2499; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 993 (msg:"IMAP SSLv3 invalid timestamp attempt"; flow:to_server,established; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; byte_test:4,>,2147483647,5,relative; reference:bugtraq,10115; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2498; rev:7;)
+
+
+#nmap is no longer as dumb as it once was...
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN nmap TCP"; ack:0; flags:A,12; flow:stateless; reference:arachnids,28; classtype:attempted-recon; sid:628; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN nmap fingerprint attempt"; flags:SFPU; flow:stateless; reference:arachnids,05; classtype:attempted-recon; sid:629; rev:6;)
+
+# dup of 553
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY FTP anonymous ftp login attempt"; flow:to_server,established; content:"USER"; nocase; content:" ftp|0D 0A|"; nocase; classtype:misc-activity; sid:1449; rev:7;)
+
+# dup of 2417, which is a better rule anyways
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP format string attempt"; flow:to_server,established; content:"%p"; nocase; classtype:attempted-admin; sid:1530; rev:6;)
diff --git a/scripts/s2b/snort_rules2.2/dns.rules b/scripts/s2b/snort_rules2.2/dns.rules
new file mode 100644
index 0000000000..73a2e5b79e
--- /dev/null
+++ b/scripts/s2b/snort_rules2.2/dns.rules
@@ -0,0 +1,35 @@
+# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
+#    All rights reserved.
+# $Id: dns.rules 91 2004-07-15 08:13:57Z rwinslow $
+#----------
+# DNS RULES
+#----------
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS zone transfer TCP"; flow:to_server,established; content:"|00 00 FC|"; offset:15; reference:arachnids,212; reference:cve,1999-0532; classtype:attempted-recon; sid:255; rev:11;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS zone transfer UDP"; content:"|00 00 FC|"; offset:14; reference:arachnids,212; reference:cve,1999-0532; classtype:attempted-recon; sid:1948; rev:4;)
+
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS named authors attempt"; flow:to_server,established; content:"|07|authors"; offset:12; nocase; content:"|04|bind"; offset:12; nocase; reference:arachnids,480; reference:nessus,10728; classtype:attempted-recon; sid:1435; rev:6;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS named authors attempt"; content:"|07|authors"; offset:12; nocase; content:"|04|bind"; offset:12; nocase; reference:arachnids,480; reference:nessus,10728; classtype:attempted-recon; sid:256; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS named version attempt"; flow:to_server,established; content:"|07|version"; offset:12; nocase; content:"|04|bind"; offset:12; nocase; reference:arachnids,278; reference:nessus,10028; classtype:attempted-recon; sid:257; rev:8;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS named version attempt"; content:"|07|version"; offset:12; nocase; content:"|04|bind"; offset:12; nocase; reference:arachnids,278; reference:nessus,10028; classtype:attempted-recon; sid:1616; rev:6;)
+
+
+
+alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"DNS SPOOF query response PTR with TTL of 1 min. and no authority"; content:"|85 80 00 01 00 01 00 00 00 00|"; content:"|C0 0C 00 0C 00 01 00 00 00|<|00 0F|"; classtype:bad-unknown; sid:253; rev:4;)
+alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"DNS SPOOF query response with TTL of 1 min. and no authority"; content:"|81 80 00 01 00 01 00 00 00 00|"; content:"|C0 0C 00 01 00 01 00 00 00|<|00 04|"; classtype:bad-unknown; sid:254; rev:4;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT named 8.2->8.2.1"; flow:to_server,established; content:"../../../"; reference:bugtraq,788; reference:cve,1999-0833; classtype:attempted-admin; sid:258; rev:6;)
+
+
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT named tsig overflow attempt"; flow:to_server,established; content:"|AB CD 09 80 00 00 00 01 00 00 00 00 00 00 01 00 01|    |02|a"; reference:arachnids,482; reference:bugtraq,2302; reference:cve,2001-0010; classtype:attempted-admin; sid:303; rev:11;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT named tsig overflow attempt"; content:"|80 00 07 00 00 00 00 00 01|?|00 01 02|"; reference:bugtraq,2303; reference:cve,2001-0010; classtype:attempted-admin; sid:314; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT named overflow ADM"; flow:to_server,established; content:"thisissometempspaceforthesockinaddrinyeahyeahiknowthisislamebutanywaywhocareshorizongotitworkingsoalliscool"; reference:bugtraq,788; reference:cve,1999-0833; classtype:attempted-admin; sid:259; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT named overflow ADMROCKS"; flow:to_server,established; content:"ADMROCKS"; reference:bugtraq,788; reference:cve,1999-0833; reference:url,www.cert.org/advisories/CA-1999-14.html; classtype:attempted-admin; sid:260; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT named overflow attempt"; flow:to_server,established; content:"|CD 80 E8 D7 FF FF FF|/bin/sh"; reference:url,www.cert.org/advisories/CA-1998-05.html; classtype:attempted-admin; sid:261; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT x86 Linux overflow attempt"; flow:to_server,established; content:"1|C0 B0|?1|DB B3 FF|1|C9 CD 80|1|C0|"; classtype:attempted-admin; sid:262; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT x86 Linux overflow attempt"; flow:to_server,established; content:"1|C0 B0 02 CD 80 85 C0|uL|EB|L^|B0|"; classtype:attempted-admin; sid:264; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT x86 Linux overflow attempt ADMv2"; flow:to_server,established; content:"|89 F7 29 C7 89 F3 89 F9 89 F2 AC|<|FE|"; classtype:attempted-admin; sid:265; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT x86 FreeBSD overflow attempt"; flow:to_server,established; content:"|EB|n^|C6 06 9A|1|C9 89|N|01 C6|F|05|"; classtype:attempted-admin; sid:266; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT sparc overflow attempt"; flow:to_server,established; content:"|90 1A C0 0F 90 02| |08 92 02| |0F D0 23 BF F8|"; classtype:attempted-admin; sid:267; rev:5;)
diff --git a/scripts/s2b/snort_rules2.2/dos.rules b/scripts/s2b/snort_rules2.2/dos.rules
new file mode 100644
index 0000000000..ae094cbdf3
--- /dev/null
+++ b/scripts/s2b/snort_rules2.2/dos.rules
@@ -0,0 +1,28 @@
+# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
+# All rights reserved.
+# $Id: dos.rules 91 2004-07-15 08:13:57Z rwinslow $
+#----------
+# DOS RULES
+#----------
+
+alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS Jolt attack"; dsize:408; fragbits:M; reference:cve,1999-0345; classtype:attempted-dos; sid:268; rev:4;)
+alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS Teardrop attack"; fragbits:M; id:242; reference:bugtraq,124; reference:cve,1999-0015; reference:nessus,10279; reference:url,www.cert.org/advisories/CA-1997-28.html; classtype:attempted-dos; sid:270; rev:6;)
+alert udp any 19 <> any 7 (msg:"DOS UDP echo+chargen bomb"; reference:cve,1999-0103; reference:cve,1999-0635; classtype:attempted-dos; sid:271; rev:4;)
+alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS IGMP dos attack"; fragbits:M+; ip_proto:2; content:"|02 00|"; depth:2; reference:bugtraq,514; reference:cve,1999-0918; classtype:attempted-dos; sid:272; rev:7;)
+alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS IGMP dos attack"; fragbits:M+; ip_proto:2; content:"|00 00|"; depth:2; reference:bugtraq,514; reference:cve,1999-0918; classtype:attempted-dos; sid:273; rev:7;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS ath"; itype:8; content:"+++ath"; nocase; reference:arachnids,264; reference:cve,1999-1228; classtype:attempted-dos; sid:274; rev:5;)
+alert tcp $EXTERNAL_NET any <> $HOME_NET any (msg:"DOS NAPTHA"; flags:S; id:413; seq:6060842; flow:stateless; reference:bugtraq,2022; reference:cve,2000-1039; reference:url,razor.bindview.com/publish/advisories/adv_NAPTHA.html; reference:url,www.cert.org/advisories/CA-2000-21.html; reference:url,www.microsoft.com/technet/security/bulletin/MS00-091.mspx; classtype:attempted-dos; sid:275; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 7070 (msg:"DOS Real Audio Server"; flow:to_server,established; content:"|FF F4 FF FD 06|"; reference:arachnids,411; reference:bugtraq,1288; reference:cve,2000-0474; classtype:attempted-dos; sid:276; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 7070 (msg:"DOS Real Server template.html"; flow:to_server,established; content:"/viewsource/template.html?"; nocase; reference:bugtraq,1288; reference:cve,2000-0474; classtype:attempted-dos; sid:277; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"DOS Real Server template.html"; flow:to_server,established; content:"/viewsource/template.html?"; nocase; reference:bugtraq,1288; reference:cve,2000-0474; classtype:attempted-dos; sid:278; rev:5;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"DOS Bay/Nortel Nautica Marlin"; dsize:0; reference:bugtraq,1009; reference:cve,2000-0221; classtype:attempted-dos; sid:279; rev:3;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 9 (msg:"DOS Ascend Route"; content:"NAMENAME"; depth:50; offset:25; reference:arachnids,262; reference:bugtraq,714; reference:cve,1999-0060; classtype:attempted-dos; sid:281; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 617 (msg:"DOS arkiea backup"; dsize:>1445; flow:to_server,established; reference:arachnids,261; reference:bugtraq,662; reference:cve,1999-0788; classtype:attempted-dos; sid:282; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 135:139 (msg:"DOS Winnuke attack"; flags:U+; flow:stateless; reference:bugtraq,2010; reference:cve,1999-0153; classtype:attempted-dos; sid:1257; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 3372 (msg:"DOS MSDTC attempt"; dsize:>1023; flow:to_server,established; reference:bugtraq,4006; reference:cve,2002-0224; classtype:attempted-dos; sid:1408; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 6004 (msg:"DOS iParty DOS attempt"; flow:to_server,established; content:"|FF FF FF FF FF FF|"; offset:0; reference:bugtraq,6844; reference:cve,1999-1566; classtype:misc-attack; sid:1605; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 6789:6790 (msg:"DOS DB2 dos attempt"; dsize:1; flow:to_server,established; classtype:denial-of-service; sid:1641; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"DOS Cisco attempt"; dsize:1; flow:to_server,established; content:"|13|"; classtype:web-application-attack; sid:1545; rev:7;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"DOS ISAKMP invalid identification payload attempt"; content:"|05|"; depth:1; offset:16; byte_test:2,>,4,30; byte_test:2,<,8,30; reference:bugtraq,10004; reference:cve,2004-0184; classtype:attempted-dos; sid:2486; rev:5;)
+alert tcp $EXTERNAL_NET any <> $HOME_NET 179 (msg:"DOS BGP spoofed connection reset attempt"; flags:RSF*; flow:established; threshold:type both,track by_dst,count 10,seconds 10; reference:bugtraq,10183; reference:cve,2004-0230; reference:url,www.uniras.gov.uk/vuls/2004/236929/index.htm; classtype:attempted-dos; sid:2523; rev:6;)
+
diff --git a/scripts/s2b/snort_rules2.2/experimental.rules b/scripts/s2b/snort_rules2.2/experimental.rules
new file mode 100644
index 0000000000..efd4462506
--- /dev/null
+++ b/scripts/s2b/snort_rules2.2/experimental.rules
@@ -0,0 +1,12 @@
+# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
+#    All rights reserved.
+# $Id: experimental.rules 91 2004-07-15 08:13:57Z rwinslow $
+# ---------------
+# EXPERIMENTAL RULES
+# ---------------
+# These signatures are experimental, new and may trigger way too often.
+#
+# Be forwarned, this is our testing ground.  We put new signatures here for
+# testing before incorporating them into the default signature set.  This is
+# for bleeding edge stuff only.
+#
diff --git a/scripts/s2b/snort_rules2.2/exploit.rules b/scripts/s2b/snort_rules2.2/exploit.rules
new file mode 100644
index 0000000000..d6775b459e
--- /dev/null
+++ b/scripts/s2b/snort_rules2.2/exploit.rules
@@ -0,0 +1,78 @@
+# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
+#    All rights reserved.
+# $Id: exploit.rules 91 2004-07-15 08:13:57Z rwinslow $
+#--------------
+# EXPLOIT RULES
+#--------------
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT ssh CRC32 overflow /bin/sh"; flow:to_server,established; content:"/bin/sh"; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:1324; rev:6;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT ssh CRC32 overflow filler"; flow:to_server,established; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:1325; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT ssh CRC32 overflow NOOP"; flow:to_server,established; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:1326; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT ssh CRC32 overflow"; flow:to_server,established; content:"|00 01|W|00 00 00 18|"; depth:7; content:"|FF FF FF FF 00 00|"; depth:14; offset:8; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:1327; rev:7;)
+alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"EXPLOIT Netscape 4.7 client overflow"; flow:to_client,established; content:"3|C9 B1 10|?|E9 06|Q<|FA|G3|C0|P|F7 D0|P"; reference:arachnids,215; reference:bugtraq,822; reference:cve,1999-1189; reference:cve,2000-1187; classtype:attempted-user; sid:283; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 2766 (msg:"EXPLOIT nlps x86 Solaris overflow"; flow:to_server,established; content:"|EB 23|^3|C0 88|F|FA 89|F|F5 89|6"; reference:bugtraq,2319; classtype:attempted-admin; sid:300; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"EXPLOIT LPRng overflow"; flow:to_server,established; content:"C|07 89|[|08 8D|K|08 89|C|0C B0 0B CD 80|1|C0 FE C0 CD 80 E8 94 FF FF FF|/bin/sh|0A|"; reference:bugtraq,1712; reference:cve,2000-0917; classtype:attempted-admin; sid:301; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"EXPLOIT Redhat 7.0 lprd overflow"; flow:to_server,established; content:"XXXX%.172u%300|24|n"; classtype:attempted-admin; sid:302; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 6373 (msg:"EXPLOIT SCO calserver overflow"; flow:to_server,established; content:"|EB 7F|]U|FE|M|98 FE|M|9B|"; reference:bugtraq,2353; reference:cve,2000-0306; classtype:attempted-admin; sid:304; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"EXPLOIT delegate proxy overflow"; dsize:>1000; flow:to_server,established; content:"whois|3A|//"; nocase; reference:arachnids,267; reference:bugtraq,808; reference:cve,2000-0165; classtype:attempted-admin; sid:305; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 9090 (msg:"EXPLOIT VQServer admin"; flow:to_server,established; content:"GET / HTTP/1.1"; nocase; reference:bugtraq,1610; reference:cve,2000-0766; reference:url,www.vqsoft.com/vq/server/docs/other/control.html; classtype:attempted-admin; sid:306; rev:9;)
+alert tcp $EXTERNAL_NET 21 -> $HOME_NET any (msg:"EXPLOIT NextFTP client overflow"; flow:to_client,established; content:"|B4| |B4|!|8B CC 83 E9 04 8B 19|3|C9|f|B9 10|"; reference:bugtraq,572; reference:cve,1999-0671; classtype:attempted-user; sid:308; rev:8;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"EXPLOIT sniffit overflow"; dsize:>512; flags:A+; flow:stateless; content:"from|3A 90 90 90 90 90 90 90 90 90 90 90|"; nocase; reference:arachnids,273; reference:bugtraq,1158; reference:cve,2000-0343; classtype:attempted-admin; sid:309; rev:9;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"EXPLOIT x86 windows MailMax overflow"; flow:to_server,established; content:"|EB|E|EB| [|FC|3|C9 B1 82 8B F3 80|+"; reference:bugtraq,2312; reference:cve,1999-0404; classtype:attempted-admin; sid:310; rev:8;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"EXPLOIT Netscape 4.7 unsucessful overflow"; flow:to_server,established; content:"3|C9 B1 10|?|E9 06|Q<|FA|G3|C0|P|F7 D0|P"; reference:arachnids,214; reference:bugtraq,822; reference:cve,1999-1189; reference:cve,2000-1187; classtype:unsuccessful-user; sid:311; rev:11;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 123 (msg:"EXPLOIT ntpdx overflow attempt"; dsize:>128; reference:arachnids,492; reference:bugtraq,2540; reference:cve,2001-0414; classtype:attempted-admin; sid:312; rev:6;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 518 (msg:"EXPLOIT ntalkd x86 Linux overflow"; content:"|01 03 00 00 00 00 00 01 00 02 02 E8|"; reference:bugtraq,210; classtype:attempted-admin; sid:313; rev:4;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 635 (msg:"EXPLOIT x86 Linux mountd overflow"; content:"^|B0 02 89 06 FE C8 89|F|04 B0 06 89|F"; reference:bugtraq,121; reference:cve,1999-0002; classtype:attempted-admin; sid:315; rev:6;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 635 (msg:"EXPLOIT x86 Linux mountd overflow"; content:"|EB|V^VVV1|D2 88|V|0B 88|V|1E|"; reference:bugtraq,121; reference:cve,1999-0002; classtype:attempted-admin; sid:316; rev:6;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 635 (msg:"EXPLOIT x86 Linux mountd overflow"; content:"|EB|@^1|C0|@|89|F|04 89 C3|@|89 06|"; reference:bugtraq,121; reference:cve,1999-0002; classtype:attempted-admin; sid:317; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 2224 (msg:"EXPLOIT MDBMS overflow"; flow:to_server,established; content:"|01|1|DB CD 80 E8|[|FF FF FF|"; reference:bugtraq,1252; reference:cve,2000-0446; classtype:attempted-admin; sid:1240; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 4242 (msg:"EXPLOIT AIX pdnsd overflow"; dsize:>1000; flow:to_server,established; content:"|7F FF FB|x|7F FF FB|x|7F FF FB|x|7F FF FB|x"; content:"@|8A FF C8|@|82 FF D8 3B|6|FE 03 3B|v|FE 02|"; reference:bugtraq,3237; reference:bugtraq,590; reference:cve,1999-0745; classtype:attempted-user; sid:1261; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 4321 (msg:"EXPLOIT rwhoisd format string attempt"; flow:to_server,established; content:"-soa %p"; reference:bugtraq,3474; reference:cve,2001-0838; classtype:misc-attack; sid:1323; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 6112 (msg:"EXPLOIT CDE dtspcd exploit attempt"; flow:to_server,established; content:"1"; depth:1; offset:10; content:!"000"; depth:3; offset:11; reference:bugtraq,3517; reference:cve,2001-0803; reference:url,www.cert.org/advisories/CA-2002-01.html; classtype:misc-attack; sid:1398; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 32772:34000 (msg:"EXPLOIT cachefsd buffer overflow attempt"; dsize:>720; flow:to_server,established; content:"|00 01 87 86 00 00 00 01 00 00 00 05|"; reference:bugtraq,4631; reference:cve,2002-0084; classtype:misc-attack; sid:1751; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 749 (msg:"EXPLOIT kadmind buffer overflow attempt"; flow:established,to_server; content:"|00 C0 05 08 00 C0 05 08 00 C0 05 08 00 C0 05 08|"; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:1894; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 751 (msg:"EXPLOIT kadmind buffer overflow attempt"; flow:established,to_server; content:"|00 C0 05 08 00 C0 05 08 00 C0 05 08 00 C0 05 08|"; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:1895; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 749 (msg:"EXPLOIT kadmind buffer overflow attempt"; flow:established,to_server; content:"|FF FF|KADM0.0A|00 00 FB 03|"; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:1896; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 751 (msg:"EXPLOIT kadmind buffer overflow attempt"; flow:established,to_server; content:"|FF FF|KADM0.0A|00 00 FB 03|"; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:1897; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 749 (msg:"EXPLOIT kadmind buffer overflow attempt"; flow:established,to_server; content:"/shh//bi"; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:1898; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 751 (msg:"EXPLOIT kadmind buffer overflow attempt"; flow:established,to_server; content:"/shh//bi"; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:1899; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT gobbles SSH exploit attempt"; flow:to_server,established; content:"GOBBLES"; reference:bugtraq,5093; reference:cve,2002-0390; reference:cve,2002-0639; classtype:misc-attack; sid:1812; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"EXPLOIT LPD dvips remote command execution attempt"; flow:to_server,established; content:"psfile=|22|`"; reference:bugtraq,3241; reference:cve,2001-1002; reference:nessus,11023; classtype:system-call-detect; sid:1821; rev:7;)
+
+alert tcp $EXTERNAL_NET 22 -> $HOME_NET any (msg:"EXPLOIT SSH server banner overflow"; flow:established,from_server; content:"SSH-"; nocase; isdataat:200,relative; pcre:"/^SSH-\s[^\n]{200}/ism"; reference:bugtraq,5287; reference:cve,2002-1059; classtype:misc-attack; sid:1838; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 6666:7000 (msg:"EXPLOIT CHAT IRC topic overflow"; flow:to_client,established; content:"|EB|K[S2|E4 83 C3 0B|K|88 23 B8|Pw"; reference:bugtraq,573; reference:cve,1999-0672; classtype:attempted-user; sid:307; rev:9;)
+alert tcp any any -> any 6666:7000 (msg:"EXPLOIT CHAT IRC Ettercap parse overflow attempt"; flow:to_server,established; content:"PRIVMSG"; nocase; content:"nickserv"; nocase; content:"IDENTIFY"; nocase; isdataat:100,relative; pcre:"/^PRIVMSG\s+nickserv\s+IDENTIFY\s[^\n]{100}/smi"; reference:url,www.bugtraq.org/dev/GOBBLES-12.txt; classtype:misc-attack; sid:1382; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"EXPLOIT x86 Linux samba overflow"; flow:to_server,established; content:"|EB|/_|EB|J^|89 FB 89|>|89 F2|"; reference:bugtraq,1816; reference:bugtraq,536; reference:cve,1999-0182; reference:cve,1999-0811; classtype:attempted-admin; sid:292; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 1655 (msg:"EXPLOIT ebola PASS overflow attempt"; flow:to_server,established; content:"PASS"; nocase; pcre:"/^PASS\s[^\n]{49}/smi"; reference:bugtraq,9156; classtype:attempted-admin; sid:2319; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 1655 (msg:"EXPLOIT ebola USER overflow attempt"; flow:to_server,established; content:"USER"; nocase; pcre:"/^USER\s[^\n]{49}/smi"; reference:bugtraq,9156; classtype:attempted-admin; sid:2320; rev:1;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"EXPLOIT ISAKMP first payload certificate request length overflow attempt"; byte_test:4,>,2043,24; content:"|07|"; depth:1; offset:16; byte_test:2,>,2043,30; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2376; rev:3;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"EXPLOIT ISAKMP second payload certificate request length overflow attempt"; byte_test:4,>,2043,24; content:"|07|"; depth:1; offset:28; byte_jump:2,30; byte_test:2,>,2043,-2,relative; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2377; rev:3;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"EXPLOIT ISAKMP third payload certificate request length overflow attempt"; byte_test:4,>,2043,24; byte_jump:2,30,relative; content:"|07|"; within:1; distance:-4; byte_jump:2,1,relative; byte_test:2,>,2043,-2,relative; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2378; rev:3;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"EXPLOIT ISAKMP forth payload certificate request length overflow attempt"; byte_test:4,>,2043,24; byte_jump:2,30,relative; byte_jump:2,-2,relative; content:"|07|"; within:1; distance:-4; byte_jump:2,1,relative; byte_test:2,>,2043,-2,relative; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2379; rev:3;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"EXPLOIT ISAKMP fifth payload certificate request length overflow attempt"; byte_test:4,>,2043,24; byte_jump:2,30,relative; byte_jump:2,-2,relative; byte_jump:2,-2,relative; content:"|07|"; within:1; distance:-4; byte_jump:2,1,relative; byte_test:2,>,2043,-2,relative; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2380; rev:3;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"EXPLOIT ISAKMP delete hash with empty hash attempt"; content:"|08|"; depth:1; offset:16; content:"|0C|"; depth:1; offset:28; content:"|00 04|"; depth:2; offset:30; reference:bugtraq,9416; reference:bugtraq,9417; reference:bugtraq,CAN-2004-0164; reference:cve,2004-0164; classtype:misc-attack; sid:2413; rev:7;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"EXPLOIT ISAKMP initial contact notification without SPI attempt"; content:"|0B|"; depth:1; offset:16; content:"|00 0C 00 00 00 01 01 00 06 02|"; depth:10; offset:30; reference:bugtraq,9416; reference:bugtraq,9417; reference:bugtraq,CAN-2004-0164; reference:cve,2004-0164; classtype:misc-attack; sid:2414; rev:7;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"EXPLOIT ISAKMP second payload initial contact notification without SPI attempt"; content:"|0B|"; depth:1; offset:28; byte_jump:2,30; content:"|00 0C 00 00 00 01 01 00|`|02|"; within:10; distance:-2; reference:bugtraq,9416; reference:bugtraq,9417; reference:bugtraq,CAN-2004-0164; reference:cve,2004-0164; classtype:misc-attack; sid:2415; rev:7;)
+alert udp any 4000 -> any any (msg:"EXPLOIT ICQ SRV_MULTI/SRV_META_USER first name overflow attempt"; content:"|05 00|"; depth:2; content:"|12 02|"; within:2; distance:5; byte_test:1,>,1,12,relative; content:"|05 00|"; distance:0; content:"n|00|"; within:2; distance:5; content:"|05 00|"; content:"|DE 03|"; within:2; distance:5; byte_test:2,>,128,18,relative,little; reference:url,www.eeye.com/html/Research/Advisories/AD20040318.html; classtype:misc-attack; sid:2443; rev:4;)
+alert udp any 4000 -> any any (msg:"EXPLOIT ICQ SRV_MULTI/SRV_META_USER first name overflow attempt"; content:"|05 00|"; depth:2; content:"|12 02|"; within:2; distance:5; byte_test:1,>,1,12,relative; content:"|05 00|"; distance:0; content:"n|00|"; within:2; distance:5; content:"|05 00|"; content:"|DE 03|"; within:2; distance:5; byte_jump:2,18,relative,little; byte_test:2,>,128,0,relative,little; reference:url,www.eeye.com/html/Research/Advisories/AD20040318.html; classtype:misc-attack; sid:2444; rev:4;)
+alert udp any 4000 -> any any (msg:"EXPLOIT ICQ SRV_MULTI/SRV_META_USER last name overflow attempt"; content:"|05 00|"; depth:2; byte_test:2,>,128,0,relative,little; content:"|12 02|"; within:2; distance:5; byte_test:1,>,1,12,relative; content:"|05 00|"; distance:0; content:"n|00|"; within:2; distance:5; content:"|05 00|"; content:"|DE 03|"; within:2; distance:5; byte_jump:2,18,relative,little; byte_jump:2,0,relative,little; reference:url,www.eeye.com/html/Research/Advisories/AD20040318.html; classtype:misc-attack; sid:2445; rev:4;)
+alert udp any 4000 -> any any (msg:"EXPLOIT ICQ SRV_MULTI/SRV_META_USER email overflow attempt"; content:"|05 00|"; depth:2; byte_jump:2,0,relative,little; byte_test:2,>,128,0,relative,little; content:"|12 02|"; within:2; distance:5; byte_test:1,>,1,12,relative; content:"|05 00|"; distance:0; content:"n|00|"; within:2; distance:5; content:"|05 00|"; content:"|DE 03|"; within:2; distance:5; byte_jump:2,18,relative,little; byte_jump:2,0,relative,little; reference:url,www.eeye.com/html/Research/Advisories/AD20040318.html; classtype:misc-attack; sid:2446; rev:4;)
+
+alert ip any any -> any any (msg:"EXPLOIT IGMP IGAP account overflow attempt"; ip_proto:2; byte_test:1,>,63,0; byte_test:1,<,67,0; byte_test:1,>,16,12; reference:bugtraq,9952; reference:cve, CAN-2004-0367; reference:cve,2004-0176; reference:cve,2004-0367; classtype:attempted-admin; sid:2462; rev:6;)
+alert ip any any -> any any (msg:"EXPLOIT IGMP IGAP message overflow attempt"; ip_proto:2; byte_test:1,>,63,0; byte_test:1,<,67,0; byte_test:1,>,64,13; reference:bugtraq,9952; reference:cve, CAN-2004-0367; reference:cve,2004-0176; reference:cve,2004-0367; classtype:attempted-admin; sid:2463; rev:6;)
+alert ip any any -> any any (msg:"EXPLOIT EIGRP prefix length overflow attempt"; ip_proto:88; byte_test:1,>,32,44; reference:bugtraq,9952; reference:cve, CAN-2004-0367; reference:cve,2004-0176; reference:cve,2004-0367; classtype:attempted-admin; sid:2464; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXPLOIT esignal STREAMQUOTE buffer overflow attempt"; flow:to_server,established; content:"<STREAMQUOTE>"; nocase; isdataat:1024,relative; content:!"</STREAMQUOTE>"; within:1054; nocase; reference:bugtraq,9978; classtype:attempted-admin; sid:2489; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXPLOIT esignal SNAPQUOTE buffer overflow attempt"; flow:to_server,established; content:"<SNAPQUOTE>"; nocase; isdataat:1024,relative; content:!"</SNAPQUOTE>"; within:1052; nocase; reference:bugtraq,9978; classtype:attempted-admin; sid:2490; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 548 (msg:"EXPLOIT AFP FPLoginExt username buffer overflow attempt"; flow:to_server,established; content:"|00 02|"; depth:2; content:"?"; within:1; distance:14; content:"cleartxt passwrd"; nocase; byte_jump:2,1,relative; byte_jump:2,1,relative; isdataat:2,relative; reference:bugtraq,10271; reference:cve,2004-0430; reference:url,www.atstake.com/research/advisories/2004/a050304-1.txt; classtype:attempted-admin; sid:2545; rev:4;)
+alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"EXPLOIT winamp XM module name overflow"; flow:established,from_server; content:"Extended module|3A|"; nocase; isdataat:20,relative; content:!"|1A|"; within:21; reference:url,www.nextgenss.com/advisories/winampheap.txt; classtype:attempted-user; sid:2550; rev:2;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"EXPLOIT Oracle Web Cache GET overflow attempt"; flow:to_server,established; content:"GET"; pcre:"/^GET[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; classtype:attempted-admin; sid:2551; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"EXPLOIT Oracle Web Cache HEAD overflow attempt"; flow:to_server,established; content:"HEAD"; pcre:"/^HEAD[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; classtype:attempted-admin; sid:2552; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"EXPLOIT Oracle Web Cache PUT overflow attempt"; flow:to_server,established; content:"PUT"; pcre:"/^PUT[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; classtype:attempted-admin; sid:2553; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"EXPLOIT Oracle Web Cache POST overflow attempt"; flow:to_server,established; content:"POST"; pcre:"/^POST[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; classtype:attempted-admin; sid:2554; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"EXPLOIT Oracle Web Cache TRACE overflow attempt"; flow:to_server,established; content:"TRACE"; pcre:"/^TRACE[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; classtype:attempted-admin; sid:2555; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"EXPLOIT Oracle Web Cache DELETE overflow attempt"; flow:to_server,established; content:"DELETE"; pcre:"/^DELETE[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; classtype:attempted-admin; sid:2556; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"EXPLOIT Oracle Web Cache LOCK overflow attempt"; flow:to_server,established; content:"LOCK"; pcre:"/^LOCK[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; classtype:attempted-admin; sid:2557; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"EXPLOIT Oracle Web Cache MKCOL overflow attempt"; flow:to_server,established; content:"MKCOL"; pcre:"/^MKCOL[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; classtype:attempted-admin; sid:2558; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"EXPLOIT Oracle Web Cache COPY overflow attempt"; flow:to_server,established; content:"COPY"; pcre:"/^COPY[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; classtype:attempted-admin; sid:2559; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"EXPLOIT Oracle Web Cache MOVE overflow attempt"; flow:to_server,established; content:"MOVE"; pcre:"/^MOVE[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; classtype:attempted-admin; sid:2560; rev:2;)
diff --git a/scripts/s2b/snort_rules2.2/finger.rules b/scripts/s2b/snort_rules2.2/finger.rules
new file mode 100644
index 0000000000..34c1d6e5a2
--- /dev/null
+++ b/scripts/s2b/snort_rules2.2/finger.rules
@@ -0,0 +1,21 @@
+# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
+#    All rights reserved.
+# $Id: finger.rules 91 2004-07-15 08:13:57Z rwinslow $
+#-------------
+# FINGER RULES
+#-------------
+#
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER cmd_rootsh backdoor attempt"; flow:to_server,established; content:"cmd_rootsh"; reference:cve,1999-0660; reference:nessus,10070; reference:url,www.sans.org/y2k/TFN_toolkit.htm; reference:url,www.sans.org/y2k/fingerd.htm; classtype:attempted-admin; sid:320; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER account enumeration attempt"; flow:to_server,established; content:"a b c d e f"; nocase; reference:nessus,10788; classtype:attempted-recon; sid:321; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER search query"; flow:to_server,established; content:"search"; reference:arachnids,375; reference:cve,1999-0259; classtype:attempted-recon; sid:322; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER root query"; flow:to_server,established; content:"root"; reference:arachnids,376; classtype:attempted-recon; sid:323; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER null request"; flow:to_server,established; content:"|00|"; reference:arachnids,377; classtype:attempted-recon; sid:324; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER remote command execution attempt"; flow:to_server,established; content:"|3B|"; reference:arachnids,379; reference:bugtraq,974; reference:cve,1999-0150; classtype:attempted-user; sid:326; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER remote command pipe execution attempt"; flow:to_server,established; content:"|7C|"; reference:arachnids,380; reference:bugtraq,2220; reference:cve,1999-0152; classtype:attempted-user; sid:327; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER bomb attempt"; flow:to_server,established; content:"@@"; reference:arachnids,381; reference:cve,1999-0106; classtype:attempted-dos; sid:328; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER redirection attempt"; flow:to_server,established; content:"@"; reference:arachnids,251; reference:cve,1999-0105; reference:nessus,10073; classtype:attempted-recon; sid:330; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER cybercop query"; flow:to_server,established; content:"|0A|     "; depth:10; reference:arachnids,132; reference:cve,1999-0612; classtype:attempted-recon; sid:331; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER 0 query"; flow:to_server,established; content:"0"; reference:arachnids,131; reference:arachnids,378; reference:cve,1999-0197; reference:nessus,10069; classtype:attempted-recon; sid:332; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER . query"; flow:to_server,established; content:"."; reference:arachnids,130; reference:cve,1999-0198; reference:nessus,10072; classtype:attempted-recon; sid:333; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER version query"; flow:to_server,established; content:"version"; classtype:attempted-recon; sid:1541; rev:4;)
diff --git a/scripts/s2b/snort_rules2.2/ftp.rules b/scripts/s2b/snort_rules2.2/ftp.rules
new file mode 100644
index 0000000000..b057fe3b12
--- /dev/null
+++ b/scripts/s2b/snort_rules2.2/ftp.rules
@@ -0,0 +1,100 @@
+# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
+#    All rights reserved.
+# $Id: ftp.rules 91 2004-07-15 08:13:57Z rwinslow $
+#----------
+# FTP RULES
+#----------
+
+
+# protocol verification
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP MDTM overflow attempt"; flow:to_server,established; content:"MDTM"; nocase; isdataat:100,relative; pcre:"/^MDTM\s[^\n]{100}/smi"; reference:bugtraq,9751; classtype:attempted-admin; sid:2546; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP XMKD overflow attempt"; flow:to_server,established; content:"XMKD"; nocase; isdataat:100,relative; pcre:"/^XMKD\s[^\n]{100}/smi"; reference:bugtraq,7909; classtype:attempted-admin; sid:2373; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP NLST overflow attempt"; flow:to_server,established; content:"NLST"; nocase; isdataat:100,relative; pcre:"/^NLST\s[^\n]{100}/smi"; reference:bugtraq,10184; reference:bugtraq,7909; reference:bugtraq,9675; classtype:attempted-admin; sid:2374; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP ALLO overflow attempt"; flow:to_server,established; content:"ALLO"; nocase; isdataat:100,relative; pcre:"/^ALLO\s[^\n]{100}/smi"; reference:bugtraq,9953; classtype:attempted-admin; sid:2449; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP RNTO overflow attempt"; flow:to_server,established; content:"RNTO"; nocase; isdataat:100,relative; pcre:"/^RNTO\s[^\n]{100}/smi"; reference:bugtraq,8315; reference:cve,2003-0466; classtype:attempted-admin; sid:2389; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP STOU overflow attempt"; flow:to_server,established; content:"STOU"; nocase; isdataat:100,relative; pcre:"/^STOU\s[^\n]{100}/smi"; reference:bugtraq,8315; reference:cve,2003-0466; classtype:attempted-admin; sid:2390; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP APPE overflow attempt"; flow:to_server,established; content:"APPE"; nocase; isdataat:100,relative; pcre:"/^APPE\s[^\n]{100}/smi"; reference:bugtraq,8315; reference:cve,2003-0466; classtype:attempted-admin; sid:2391; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP RETR overflow attempt"; flow:to_server,established; content:"RETR"; nocase; isdataat:100,relative; pcre:"/^RETR\s[^\n]{100}/smi"; reference:bugtraq,8315; reference:cve,2003-0466; classtype:attempted-admin; sid:2392; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP STOR overflow attempt"; flow:to_server,established; content:"STOR"; nocase; isdataat:100,relative; pcre:"/^STOR\s[^\n]{100}/smi"; reference:bugtraq,8668; classtype:attempted-admin; sid:2343; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CEL overflow attempt"; flow:to_server,established; content:"CEL"; nocase; isdataat:100,relative; pcre:"/^CEL\s[^\n]{100}/smi"; reference:arachnids,257; reference:bugtraq,679; reference:cve,1999-0789; classtype:attempted-admin; sid:337; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP XCWD overflow attempt"; flow:to_server,established; content:"XCWD"; nocase; isdataat:100,relative; pcre:"/^XCWD\s[^\n]{100}/smi"; reference:bugtraq,8704; classtype:attempted-admin; sid:2344; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CWD overflow attempt"; flow:to_server,established; content:"CWD"; nocase; isdataat:100,relative; pcre:"/^CWD\s[^\n]{100}/smi"; reference:bugtraq,1227; reference:bugtraq,1690; reference:bugtraq,7950; reference:cve,2000-1035; reference:cve,2000-1194; reference:cve,2002-0126; classtype:attempted-admin; sid:1919; rev:12;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CMD overflow attempt"; flow:to_server,established; content:"CMD"; nocase; isdataat:100,relative; pcre:"/^CMD\s[^\n]{100}/smi"; classtype:attempted-admin; sid:1621; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP STAT overflow attempt"; flow:to_server,established; content:"STAT"; nocase; isdataat:100,relative; pcre:"/^STAT\s[^\n]{100}/smi"; reference:url,labs.defcom.com/adv/2001/def-2001-31.txt; classtype:attempted-admin; sid:1379; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SITE CHMOD overflow attempt"; flow:to_server,established; content:"SITE"; nocase; content:"CHMOD"; distance:0; nocase; isdataat:100,relative; pcre:"/^SITE\s+CHMOD\s[^\n]{100}/smi"; reference:bugtraq,10181; reference:bugtraq,9483; reference:nessus,12037; classtype:attempted-admin; sid:2340; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SITE CHOWN overflow attempt"; flow:to_server,established; content:"SITE"; nocase; content:"CHOWN"; distance:0; nocase; isdataat:100,relative; pcre:"/^SITE\s+CHOWN\s[^\n]{100}/smi"; reference:bugtraq,2120; reference:cve,2001-0065; classtype:attempted-admin; sid:1562; rev:11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SITE NEWER overflow attempt"; flow:to_server,established; content:"SITE"; nocase; content:"NEWER"; distance:0; nocase; isdataat:100,relative; pcre:"/^SITE\s+NEWER\s[^\n]{100}/smi"; reference:bugtraq,229; reference:cve,1999-0800; classtype:attempted-admin; sid:1920; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SITE CPWD overflow attempt"; flow:established,to_server; content:"SITE"; nocase; content:"CPWD"; distance:0; nocase; isdataat:100,relative; pcre:"/^SITE\s+CPWD\s[^\n]{100}/smi"; reference:bugtraq,5427; reference:cve,2002-0826; classtype:misc-attack; sid:1888; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SITE EXEC format string attempt"; flow:to_server,established; content:"SITE"; nocase; content:"EXEC"; distance:0; nocase; pcre:"/^SITE\s+EXEC\s[^\n]*?%[^\n]*?%/smi"; classtype:bad-unknown; sid:1971; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SITE overflow attempt"; flow:to_server,established; content:"SITE"; nocase; isdataat:100,relative; pcre:"/^SITE\s[^\n]{100}/smi"; reference:cve,1999-0838; reference:cve,2001-0755; reference:cve,2001-0770; classtype:attempted-admin; sid:1529; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP USER overflow attempt"; flow:to_server,established,no_stream; content:"USER"; nocase; isdataat:100,relative; pcre:"/^USER\s[^\n]{100}/smi"; reference:bugtraq,1227; reference:bugtraq,1504; reference:bugtraq,1690; reference:bugtraq,4638; reference:cve,2000-0479; reference:cve,2000-0656; reference:cve,2000-0943; reference:cve,2000-1035; reference:cve,2000-1194; reference:cve,2001-0794; reference:cve,2001-0826; reference:cve,2002-0126; classtype:attempted-admin; sid:1734; rev:16;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP PASS overflow attempt"; flow:to_server,established,no_stream; content:"PASS"; nocase; isdataat:100,relative; pcre:"/^PASS\s[^\n]{100}/smi"; reference:bugtraq,1690; reference:bugtraq,3884; reference:bugtraq,8601; reference:bugtraq,9285; reference:cve,2000-1035; reference:cve,2002-0126; classtype:attempted-admin; sid:1972; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP RMDIR overflow attempt"; flow:to_server,established; content:"RMDIR"; nocase; isdataat:100,relative; pcre:"/^RMDIR\s[^\n]{100}/smi"; classtype:attempted-admin; sid:1942; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP MKD overflow attempt"; flow:to_server,established; content:"MKD"; nocase; isdataat:100,relative; pcre:"/^MKD\s[^\n]{100}/smi"; reference:bugtraq,612; reference:bugtraq,9872; reference:cve,1999-0911; classtype:attempted-admin; sid:1973; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP REST overflow attempt"; flow:to_server,established; content:"REST"; nocase; isdataat:100,relative; pcre:"/^REST\s[^\n]{100}/smi"; reference:bugtraq,2972; reference:cve,2001-0826; classtype:attempted-admin; sid:1974; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP DELE overflow attempt"; flow:to_server,established; content:"DELE"; nocase; isdataat:100,relative; pcre:"/^DELE\s[^\n]{100}/smi"; reference:bugtraq,2972; reference:cve,2001-0826; classtype:attempted-admin; sid:1975; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP RMD overflow attempt"; flow:to_server,established; content:"RMD"; nocase; isdataat:100,relative; pcre:"/^RMD\s[^\n]{100}/smi"; reference:bugtraq,2972; reference:cve,2001-0826; classtype:attempted-admin; sid:1976; rev:6;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP invalid MODE"; flow:to_server,established; content:"MODE"; nocase; pcre:"/^MODE\s+[^ABSC]{1}/msi"; classtype:protocol-command-decode; sid:1623; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP large PWD command"; dsize:10; flow:to_server,established; content:"PWD"; nocase; classtype:protocol-command-decode; sid:1624; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP large SYST command"; dsize:10; flow:to_server,established; content:"SYST"; nocase; classtype:protocol-command-decode; sid:1625; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CWD Root directory transversal attempt"; flow:to_server,established; content:"CWD"; nocase; content:"C|3A 5C|"; distance:1; reference:bugtraq,7674; reference:cve,2003-0392; reference:nessus,11677; classtype:protocol-command-decode; sid:2125; rev:8;)
+
+
+
+
+# bad ftp commands
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SITE ZIPCHK overflow attempt"; flow:to_server,established; content:"SITE"; nocase; content:"ZIPCHK"; distance:1; nocase; isdataat:100,relative; pcre:"/^SITE\s+ZIPCHK\s[^\n]{100}/smi"; reference:cve,2000-0040; classtype:attempted-admin; sid:1921; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SITE NEWER attempt"; flow:to_server,established; content:"SITE"; nocase; content:"NEWER"; distance:1; nocase; pcre:"/^SITE\s+NEWER/smi"; reference:cve,1999-0880; reference:nessus,10319; classtype:attempted-dos; sid:1864; rev:7;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SITE EXEC attempt"; flow:to_server,established; content:"SITE"; nocase; content:"EXEC"; distance:0; nocase; pcre:"/^SITE\s+EXEC/smi"; reference:arachnids,317; reference:bugtraq,2241; reference:cve,1999-0080; classtype:bad-unknown; sid:361; rev:12;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT STAT * dos attempt"; flow:to_server,established; content:"STAT"; nocase; content:"*"; distance:1; reference:bugtraq,4482; reference:cve,2002-0073; classtype:attempted-dos; sid:1777; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT STAT ? dos attempt"; flow:to_server,established; content:"STAT"; nocase; content:"?"; distance:1; reference:bugtraq,4482; reference:cve,2002-0073; classtype:attempted-dos; sid:1778; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP tar parameters"; flow:to_server,established; content:" --use-compress-program "; nocase; reference:arachnids,134; reference:bugtraq,2240; reference:cve,1999-0202; reference:cve,1999-0997; classtype:bad-unknown; sid:362; rev:12;)
+
+# bad directories
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CWD ~root attempt"; flow:to_server,established; content:"CWD"; nocase; content:"~root"; distance:1; nocase; pcre:"/^CWD\s+~root/smi"; reference:arachnids,318; reference:cve,1999-0082; classtype:bad-unknown; sid:336; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CWD ..."; flow:to_server,established; content:"CWD"; nocase; content:"..."; distance:0; pcre:"/^CWD\s[^\n]*?\.\.\./smi"; reference:bugtraq,9237; classtype:bad-unknown; sid:1229; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CWD ~ attempt"; flow:to_server,established; content:"CWD"; pcre:"/^CWD\s+~/smi"; reference:bugtraq,2601; reference:bugtraq,9215; reference:cve,2001-0421; classtype:denial-of-service; sid:1672; rev:10;)
+
+# dup of 1672
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CWD ~<CR><NEWLINE> attempt"; flow:to_server,established; content:"CWD "; content:" ~|0D 0A|"; reference:bugtraq,2601; reference:cve,2001-0421; classtype:denial-of-service; sid:1728; rev:6;)
+
+# dup of 1229
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CWD .... attempt"; flow:to_server,established; content:"CWD "; content:" ...."; reference:bugtraq,4884; classtype:denial-of-service; sid:1779; rev:2;)
+
+# vulnerabilities against specific implementations of ftp
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP serv-u directory transversal"; flow:to_server,established; content:".%20."; nocase; reference:bugtraq,2052; reference:cve,2001-0054; classtype:bad-unknown; sid:360; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP wu-ftp bad file completion attempt ["; flow:to_server,established; content:"~"; content:"["; distance:1; reference:bugtraq,3581; reference:bugtraq,3707; reference:cve,2001-0550; reference:cve,2001-0886; classtype:misc-attack; sid:1377; rev:14;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP wu-ftp bad file completion attempt {"; flow:to_server,established; content:"~"; content:"{"; distance:1; reference:bugtraq,3581; reference:bugtraq,3707; reference:cve,2001-0550; reference:cve,2001-0886; classtype:misc-attack; sid:1378; rev:14;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP RNFR ././ attempt"; flow:to_server,established; content:"RNFR "; nocase; content:" ././"; nocase; classtype:misc-attack; sid:1622; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP command overflow attempt"; dsize:>100; flow:to_server,established,no_stream; reference:bugtraq,4638; reference:cve,2002-0606; classtype:protocol-command-decode; sid:1748; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP LIST directory traversal attempt"; flow:to_server,established; content:"LIST"; content:".."; distance:1; content:".."; distance:1; reference:bugtraq,2618; reference:cve,2001-0680; reference:nessus,11112; classtype:protocol-command-decode; sid:1992; rev:5;)
+
+
+# BAD FILES
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP .forward"; flow:to_server,established; content:".forward"; reference:arachnids,319; classtype:suspicious-filename-detect; sid:334; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP .rhosts"; flow:to_server,established; content:".rhosts"; reference:arachnids,328; classtype:suspicious-filename-detect; sid:335; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP authorized_keys"; flow:to_server,established; content:"authorized_keys"; classtype:suspicious-filename-detect; sid:1927; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP passwd retrieval attempt"; flow:to_server,established; content:"RETR"; nocase; content:"passwd"; reference:arachnids,213; classtype:suspicious-filename-detect; sid:356; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP shadow retrieval attempt"; flow:to_server,established; content:"RETR"; nocase; content:"shadow"; classtype:suspicious-filename-detect; sid:1928; rev:3;)
+
+# suspicious login attempts
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP ADMw0rm ftp login attempt"; flow:to_server,established; content:"USER"; nocase; content:"w0rm"; distance:1; nocase; pcre:"/^USER\s+w0rm/smi"; reference:arachnids,01; classtype:suspicious-login; sid:144; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP adm scan"; flow:to_server,established; content:"PASS ddd@|0A|"; reference:arachnids,332; classtype:suspicious-login; sid:353; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP iss scan"; flow:to_server,established; content:"pass -iss@iss"; reference:arachnids,331; classtype:suspicious-login; sid:354; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP pass wh00t"; flow:to_server,established; content:"pass wh00t"; nocase; reference:arachnids,324; classtype:suspicious-login; sid:355; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP piss scan"; flow:to_server,established; content:"pass -cklaus"; classtype:suspicious-login; sid:357; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP saint scan"; flow:to_server,established; content:"pass -saint"; reference:arachnids,330; classtype:suspicious-login; sid:358; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP satan scan"; flow:to_server,established; content:"pass -satan"; reference:arachnids,329; classtype:suspicious-login; sid:359; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP USER format string attempt"; flow:to_server,established; content:"USER"; nocase; pcre:"/^USER\s[^\n]*?%[^\n]*?%/smi"; reference:bugtraq,7474; reference:bugtraq,7776; reference:bugtraq,9262; reference:bugtraq,9402; reference:bugtraq,9600; reference:bugtraq,9800; reference:cve,2004-0277; classtype:misc-attack; sid:2178; rev:13;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP PASS format string attempt"; flow:to_server,established; content:"PASS"; nocase; pcre:"/^PASS\s[^\n]*?%[^\n]*?%/smi"; reference:bugtraq,7474; reference:bugtraq,9262; reference:bugtraq,9800; classtype:misc-attack; sid:2179; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP MKDIR format string attempt"; flow:to_server,established; content:"MKDIR"; nocase; pcre:"/^MKDIR\s[^\n]*?%[^\n]*?%/smi"; reference:bugtraq,9262; classtype:misc-attack; sid:2332; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP RENAME format string attempt"; flow:to_server,established; content:"RENAME"; nocase; pcre:"/^RENAME\s[^\n]*?%[^\n]*?%/smi"; reference:bugtraq,9262; classtype:misc-attack; sid:2333; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP LIST buffer overflow attempt"; flow:to_server,established; content:"LIST"; nocase; pcre:"/^LIST\s[^\n]{100,}/smi"; reference:bugtraq,10181; reference:bugtraq,8486; reference:bugtraq,9675; classtype:misc-attack; sid:2338; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP LIST integer overflow attempt"; flow:to_server,established; content:"LIST"; nocase; pcre:"/^LIST\s+\x22-W\s+\d+/smi"; reference:bugtraq,8875; reference:cve,2003-0853; reference:cve,2003-0854; classtype:misc-attack; sid:2272; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 3535 (msg:"FTP Yak! FTP server default account login attempt"; flow:to_server,established; content:"USER"; nocase; content:"y049575046"; nocase; pcre:"/^USER\s+y049575046/smi"; reference:bugtraq,9072; classtype:suspicious-login; sid:2334; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 3535 (msg:"FTP RMD / attempt"; flow:to_server,established; content:"RMD"; nocase; pcre:"/^RMD\s+\x2f$/smi"; reference:bugtraq,9159; classtype:attempted-dos; sid:2335; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP invalid MDTM command attempt"; flow:to_server,established; content:"MDTM"; nocase; pcre:"/^MDTM \d+[-+]\D/smi"; classtype:attempted-admin; sid:2416; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP format string attempt"; flow:to_server,established; content:"%"; pcre:"/\s+.*?%.*?%/smi"; classtype:string-detect; sid:2417; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP RETR format string attempt"; flow:to_server,established; content:"RETR"; nocase; pcre:"/^RETR\s[^\n]*?%[^\n]*?%/smi"; reference:bugtraq,9800; classtype:attempted-admin; sid:2574; rev:1;)
diff --git a/scripts/s2b/snort_rules2.2/gen-msg.map b/scripts/s2b/snort_rules2.2/gen-msg.map
new file mode 100644
index 0000000000..02a1d85c5d
--- /dev/null
+++ b/scripts/s2b/snort_rules2.2/gen-msg.map
@@ -0,0 +1,131 @@
+# $Id: gen-msg.map 91 2004-07-15 08:13:57Z rwinslow $
+# GENERATORS -> msg map
+# Format: generatorid || alertid || MSG
+
+1 || 1 || snort general alert
+2 || 1 || tag: Tagged Packet
+100 || 1 || spp_portscan: Portscan Detected
+100 || 2 || spp_portscan: Portscan Status
+100 || 3 || spp_portscan: Portscan Ended
+101 || 1 || spp_minfrag: minfrag alert
+102 || 1 || http_decode: Unicode Attack
+102 || 2 || http_decode: CGI NULL Byte Attack
+102 || 3 || http_decode: large method attempted
+102 || 4 || http_decode: missing uri
+102 || 5 || http_decode: double encoding detected
+102 || 6 || http_decode: illegal hex values detected
+102 || 7 || http_decode: overlong character detected
+103 || 1 || spp_defrag: Fragmentation Overflow Detected
+103 || 2 || spp_defrag: Stale Fragments Discarded
+104 || 1 || spp_anomsensor: SPADE Anomaly Threshold Exceeded
+104 || 2 || spp_anomsensor: SPADE Anomaly Threshold Adjusted
+105 || 1 || spp_bo: Back Orifice Traffic Detected
+106 || 1 || spp_rpc_decode: Fragmented RPC Records
+106 || 2 || spp_rpc_decode: Multiple Records in one packet
+106 || 3 || spp_rpc_decode: Large RPC Record Fragment
+106 || 4 || spp_rpc_decode: Incomplete RPC segment
+110 || 1 || spp_unidecode: CGI NULL Attack
+110 || 2 || spp_unidecode: Directory Traversal
+110 || 3 || spp_unidecode: Unknown Mapping
+110 || 4 || spp_unidecode: Invalid Mapping
+111 || 1 || spp_stream4: Stealth Activity Detected
+111 || 2 || spp_stream4: Evasive Reset Packet
+111 || 3 || spp_stream4: Retransmission
+111 || 4 || spp_stream4: Window Violation
+111 || 5 || spp_stream4: Data on SYN Packet
+111 || 6 || spp_stream4: Full XMAS Stealth Scan
+111 || 7 || spp_stream4: SAPU Stealth Scan
+111 || 8 || spp_stream4: FIN Stealth Scan 
+111 || 9 || spp_stream4: NULL Stealth Scan
+111 || 10 || spp_stream4: NMAP XMAS Stealth Scan
+111 || 11 || spp_stream4: VECNA Stealth Scan
+111 || 12 || spp_stream4: NMAP Fingerprint Stateful Detection
+111 || 13 || spp_stream4: SYN FIN Stealth Scan
+111 || 14 || spp_stream4: TCP forward overlap detected
+111 || 15 || spp_stream4: TTL Evasion attempt
+111 || 16 || spp_stream4: Evasive retransmitited data attempt
+111 || 17 || spp_stream4: Evasive retransmitited data with the data split attempt
+111 || 18 || spp_stream4: Multiple acked
+111 || 19 || spp_stream4: Shifting to Emegency Session Mode
+111 || 20 || spp_stream4: Shifting to Suspend Mode
+112 || 1 || spp_arpspoof: Directed ARP Request
+112 || 2 || spp_arpspoof: Etherframe ARP Mismatch SRC
+112 || 3 || spp_arpspoof: Etherframe ARP Mismatch DST
+112 || 4 || spp_arpspoof: ARP Cache Overwrite Attack
+113 || 1 || spp_frag2: Oversized Frag
+113 || 2 || spp_frag2: Teardrop/Fragmentation Overlap Attack
+113 || 3 || spp_frag2: TTL evasion detected
+113 || 4 || spp_frag2: overlap detected
+113 || 5 || spp_frag2: Duplicate first fragments
+113 || 6 || spp_frag2: memcap exceeded
+113 || 7 || spp_frag2: Out of order fragments
+113 || 8 || spp_frag2: IP Options on Fragmented Packet
+113 || 9 || spp_frag2: Shifting to Emegency Session Mode
+113 || 10 || spp_frag2: Shifting to Suspend Mode
+114 || 1 || spp_fnord: Possible Mutated GENERIC NOP Sled detected
+114 || 2 || spp_fnord: Possible Mutated IA32 NOP Sled detected
+114 || 3 || spp_fnord: Possible Mutated HPPA NOP Sled detected
+114 || 4 || spp_fnord: Possible Mutated SPARC NOP Sled detected
+115 || 1 || spp_asn1: Indefinite ASN.1 length encoding
+115 || 2 || spp_asn1: Invalid ASN.1 length encoding
+115 || 3 || spp_asn1: ASN.1 oversized item, possible overflow
+115 || 4 || spp_asn1: ASN.1 spec violation, possible overflow
+115 || 5 || spp_asn1: ASN.1 Attack: Datum length > packet length
+116 || 1 || snort_decoder: Not IPv4 datagram!
+116 || 2 || snort_decoder: WARNING: Not IPv4 datagram!
+116 || 3 || snort_decoder: WARNING: hlen < IP_HEADER_LEN!
+116 || 4 || snort_decoder: Bad IPv4 Options
+116 || 5 || snort_decoder: Truncated IPv4 Options
+116 || 45 || snort_decoder: TCP packet len is smaller than 20 bytes!
+116 || 46 || snort_decoder: TCP Data Offset is less than 5!
+116 || 47 || snort_decoder: TCP Data Offset is longer than payload!
+116 || 54 || snort_decoder: Tcp Options found with bad lengths
+116 || 55 || snort_decoder: Truncated Tcp Options
+116 || 56 || snort_decoder: T/TCP Detected
+116 || 57 || snort_decoder: Obsolete TCP options
+116 || 58 || snort_decoder: Experimental TCP options
+116 || 95 || snort_decoder: Truncated UDP Header!
+116 || 96 || snort_decoder: Invalid UDP header, length field < 8
+116 || 97 || snort_decoder: Short UDP packet, length field > payload length
+116 || 105 || snort_decoder: ICMP Header Truncated!
+116 || 106 || snort_decoder: ICMP Timestamp Header Truncated!
+116 || 107 || snort_decoder: ICMP Address Header Truncated!
+116 || 108 || snort_decoder: Unknown Datagram decoding problem!
+116 || 109 || snort_decoder: Unknown Datagram decoding problem!
+116 || 110 || snort_decoder: Truncated EAP Header!
+116 || 111 || snort_decoder: EAP Key Truncated!
+116 || 112 || snort_decoder: EAP Header Truncated!
+116 || 120 || snort_decoder: WARNING: Bad PPPOE frame detected!
+116 || 130 || snort_decoder: WARNING: Bad VLAN Frame!
+116 || 131 || snort_decoder: WARNING: Bad LLC header!
+116 || 132 || snort_decoder: WARNING: Bad Extra LLC Info!
+116 || 133 || snort_decoder: WARNING: Bad 802.11 LLC header!
+116 || 134 || snort_decoder: WARNING: Bad 802.11 Extra LLC Info!
+116 || 140 || snort_decoder: WARNING: Bad Token Ring Header!
+116 || 141 || snort_decoder: WARNING: Bad Token Ring ETHLLC Header!
+116 || 142 || snort_decoder: WARNING: Bad Token Ring MRLEN Header!
+116 || 143 || snort_decoder: WARNING: Bad Token Ring MR Header!
+117 || 1 || spp_portscan2: Portscan detected!
+118 || 1 || spp_conversation: Bad IP protocol!
+119 || 1 || http_inspect: ASCII ENCODING
+119 || 2 || http_inspect: DOUBLE DECODING ATTACK
+119 || 3 || http_inspect: U ENCODING
+119 || 4 || http_inspect: BARE BYTE UNICODE ENCODING
+119 || 5 || http_inspect: BASE36 ENCODING
+119 || 6 || http_inspect: UTF-8 ENCODING
+119 || 7 || http_inspect: IIS UNICODE CODEPOINT ENCODING
+119 || 8 || http_inspect: MULTI_SLASH ENCODING
+119 || 9 || http_inspect: IIS BACKSLASH EVASION
+119 || 10 || http_inspect: SELF DIRECTORY TRAVERSAL
+119 || 11 || http_inspect: DIRECTORY TRAVERSAL
+119 || 12 || http_inspect: APACHE WHITESPACE (TAB)
+119 || 13 || http_inspect: NON-RFC HTTP DELIMITER
+119 || 14 || http_inspect: NON-RFC DEFINED CHAR
+119 || 15 || http_inspect: OVERSIZE REQUEST-URI DIRECTORY
+119 || 16 || http_inspect: OVERSIZE CHUNK ENCODING
+119 || 17 || http_inspect: UNAUTHORIZED PROXY USE DETECTED
+120 || 1 || http_inspect: ANOMALOUS HTTP SERVER ON UNDEFINED HTTP PORT
+121 || 1 || flow-portscan: Fixed Scale Scanner Limit Exceeded
+121 || 2 || flow-portscan: Sliding Scale Scanner Limit Exceeded
+121 || 3 || flow-portscan: Fixed Scale Talker Limit Exceeded
+121 || 4 || flow-portscan: Sliding Scale Talker Limit Exceeded
diff --git a/scripts/s2b/snort_rules2.2/generators b/scripts/s2b/snort_rules2.2/generators
new file mode 100644
index 0000000000..f6ea516d4e
--- /dev/null
+++ b/scripts/s2b/snort_rules2.2/generators
@@ -0,0 +1,37 @@
+# Master Registry of Snort Generator Ids
+#
+#
+# This file is used to maintain unique generator ids for files even if
+# the default snort configuration doesn't include some patch that is
+# required for a specific preprocessor to work
+#
+# 
+#
+# Maintainer: Chris Green <cmg@sourcefire.com>
+# 
+# Contact cmg@sourcefire.com for an assignment
+
+rules_subsystem		   1   # Snort Rules Engine
+tag_subsystem		   2   # Tagging Subsystem
+portscan                   100 # Portscan1
+minfrag                    101 # Minfrag [ removed ]
+http_decode                102 # HTTP decode 1/2
+defrag                     103 # First defragmenter [ removed ]
+spade                      104 # SPADE [ not included anymore ]
+bo                         105 # Back Orifice 
+rpc_decode                 106 # RPC Preprocessor
+stream2                    107 # 2nd stream preprocessor [removed] 
+stream3                    108 # 3rd stream preprocessor (AVL nightmare) [ removed ] 
+telnet_neg                 109 # telnet option decoder
+unidecode                  110 # unicode decoder
+stream4                    111 # Stream4 preprocessor
+arpspoof                   112 # Arp Spoof detector
+frag2                      113 # 2nd fragment preprocessor
+fnord                      114 # NOP detector [ removed ]
+asn1                       115 # ASN.1 Validator [ removed ]
+decode                     116 # Snort Internal Decoder
+scan2                      117 # portscan2
+conversation               118 # conversation
+reserved                   119 # TBA
+reserved                   120 # TBA
+snmp                       121 # Andrew Baker's newer SNMP decoder
diff --git a/scripts/s2b/snort_rules2.2/icmp-info.rules b/scripts/s2b/snort_rules2.2/icmp-info.rules
new file mode 100644
index 0000000000..6a73cfc3a8
--- /dev/null
+++ b/scripts/s2b/snort_rules2.2/icmp-info.rules
@@ -0,0 +1,107 @@
+# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
+#    All rights reserved.
+# $Id: icmp-info.rules 91 2004-07-15 08:13:57Z rwinslow $
+#--------------
+# ICMP-INFO
+#--------------
+#
+# Description:
+# These rules are standard ICMP traffic.  They include OS pings, as well
+# as normal routing done by ICMP.  There are a number of "catch all" rules
+# that will alert on unknown ICMP types.
+#
+# Potentially "BAD" ICMP rules are included in icmp.rules
+
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP IRDP router advertisement"; itype:9; reference:arachnids,173; reference:bugtraq,578; reference:cve,1999-0875; classtype:misc-activity; sid:363; rev:7;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP IRDP router selection"; itype:10; reference:arachnids,174; reference:bugtraq,578; reference:cve,1999-0875; classtype:misc-activity; sid:364; rev:7;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING *NIX"; itype:8; content:"|10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F|"; depth:32; classtype:misc-activity; sid:366; rev:7;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING BSDtype"; itype:8; content:"|08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17|"; depth:32; reference:arachnids,152; classtype:misc-activity; sid:368; rev:6;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING BayRS Router"; itype:8; content:"|01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F|"; depth:32; reference:arachnids,438; reference:arachnids,444; classtype:misc-activity; sid:369; rev:6;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING BeOS4.x"; itype:8; content:"|00 00 00 00 00 00 00 00 00 00 00 00 08 09 0A 0B|"; depth:32; reference:arachnids,151; classtype:misc-activity; sid:370; rev:7;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Cisco Type.x"; itype:8; content:"|AB CD AB CD AB CD AB CD AB CD AB CD AB CD AB CD|"; depth:32; reference:arachnids,153; classtype:misc-activity; sid:371; rev:7;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Delphi-Piette Windows"; itype:8; content:"Pinging from Del"; depth:32; reference:arachnids,155; classtype:misc-activity; sid:372; rev:7;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Flowpoint2200 or Network Management Software"; itype:8; content:"|01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10|"; depth:32; reference:arachnids,156; classtype:misc-activity; sid:373; rev:6;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING IP NetMonitor Macintosh"; itype:8; content:"|A9| Sustainable So"; depth:32; reference:arachnids,157; classtype:misc-activity; sid:374; rev:7;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING LINUX/*BSD"; dsize:8; id:13170; itype:8; reference:arachnids,447; classtype:misc-activity; sid:375; rev:6;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Microsoft Windows"; itype:8; content:"0123456789abcdefghijklmnop"; depth:32; reference:arachnids,159; classtype:misc-activity; sid:376; rev:7;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Network Toolbox 3 Windows"; itype:8; content:"================"; depth:32; reference:arachnids,161; classtype:misc-activity; sid:377; rev:7;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Ping-O-MeterWindows"; itype:8; content:"OMeterObeseArmad"; depth:32; reference:arachnids,164; classtype:misc-activity; sid:378; rev:7;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Pinger Windows"; itype:8; content:"Data|00 00 00 00 00 00 00 00 00 00 00 00|"; depth:32; reference:arachnids,163; classtype:misc-activity; sid:379; rev:7;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Seer Windows"; itype:8; content:"|88 04|              "; depth:32; reference:arachnids,166; classtype:misc-activity; sid:380; rev:7;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Sun Solaris"; dsize:8; itype:8; reference:arachnids,448; classtype:misc-activity; sid:381; rev:6;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Windows"; itype:8; content:"abcdefghijklmnop"; depth:16; reference:arachnids,169; classtype:misc-activity; sid:382; rev:7;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP traceroute"; itype:8; ttl:1; reference:arachnids,118; classtype:attempted-recon; sid:385; rev:4;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING"; icode:0; itype:8; classtype:misc-activity; sid:384; rev:5;)
+alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ICMP Address Mask Reply"; icode:0; itype:18; classtype:misc-activity; sid:386; rev:5;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Address Mask Reply undefined code"; icode:>0; itype:18; classtype:misc-activity; sid:387; rev:7;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Address Mask Request"; icode:0; itype:17; classtype:misc-activity; sid:388; rev:5;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Address Mask Request undefined code"; icode:>0; itype:17; classtype:misc-activity; sid:389; rev:7;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Alternate Host Address"; icode:0; itype:6; classtype:misc-activity; sid:390; rev:5;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Alternate Host Address undefined code"; icode:>0; itype:6; classtype:misc-activity; sid:391; rev:8;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Datagram Conversion Error"; icode:0; itype:31; classtype:misc-activity; sid:392; rev:5;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Datagram Conversion Error undefined code"; icode:>0; itype:31; classtype:misc-activity; sid:393; rev:8;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable Destination Host Unknown"; icode:7; itype:3; classtype:misc-activity; sid:394; rev:6;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable Destination Network Unknown"; icode:6; itype:3; classtype:misc-activity; sid:395; rev:6;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable Fragmentation Needed and DF bit was set"; icode:4; itype:3; classtype:misc-activity; sid:396; rev:6;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable Host Precedence Violation"; icode:14; itype:3; classtype:misc-activity; sid:397; rev:6;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable Host Unreachable for Type of Service"; icode:12; itype:3; classtype:misc-activity; sid:398; rev:6;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable Host Unreachable"; icode:1; itype:3; classtype:misc-activity; sid:399; rev:6;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable Network Unreachable for Type of Service"; icode:11; itype:3; classtype:misc-activity; sid:400; rev:7;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable Network Unreachable"; icode:0; itype:3; classtype:misc-activity; sid:401; rev:6;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable Port Unreachable"; icode:3; itype:3; classtype:misc-activity; sid:402; rev:7;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable Precedence Cutoff in effect"; icode:15; itype:3; classtype:misc-activity; sid:403; rev:6;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable Protocol Unreachable"; icode:2; itype:3; classtype:misc-activity; sid:404; rev:6;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable Source Host Isolated"; icode:8; itype:3; classtype:misc-activity; sid:405; rev:6;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable Source Route Failed"; icode:5; itype:3; classtype:misc-activity; sid:406; rev:6;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable cndefined code"; icode:>15; itype:3; classtype:misc-activity; sid:407; rev:7;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Echo Reply"; icode:0; itype:0; classtype:misc-activity; sid:408; rev:5;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Echo Reply undefined code"; icode:>0; itype:0; classtype:misc-activity; sid:409; rev:7;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Fragment Reassembly Time Exceeded"; icode:1; itype:11; classtype:misc-activity; sid:410; rev:5;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP IPV6 I-Am-Here"; icode:0; itype:34; classtype:misc-activity; sid:411; rev:5;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP IPV6 I-Am-Here undefined code"; icode:>0; itype:34; classtype:misc-activity; sid:412; rev:7;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP IPV6 Where-Are-You"; icode:0; itype:33; classtype:misc-activity; sid:413; rev:5;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP IPV6 Where-Are-You undefined code"; icode:>0; itype:33; classtype:misc-activity; sid:414; rev:7;)
+alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ICMP Information Reply"; icode:0; itype:16; classtype:misc-activity; sid:415; rev:5;)
+alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ICMP Information Reply undefined code"; icode:>0; itype:16; classtype:misc-activity; sid:416; rev:7;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Information Request"; icode:0; itype:15; classtype:misc-activity; sid:417; rev:5;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Information Request undefined code"; icode:>0; itype:15; classtype:misc-activity; sid:418; rev:7;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Mobile Host Redirect"; icode:0; itype:32; classtype:misc-activity; sid:419; rev:5;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Mobile Host Redirect undefined code"; icode:>0; itype:32; classtype:misc-activity; sid:420; rev:7;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Mobile Registration Reply"; icode:0; itype:36; classtype:misc-activity; sid:421; rev:5;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Mobile Registration Reply undefined code"; icode:>0; itype:36; classtype:misc-activity; sid:422; rev:7;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Mobile Registration Request"; icode:0; itype:35; classtype:misc-activity; sid:423; rev:5;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Mobile Registration Request undefined code"; icode:>0; itype:35; classtype:misc-activity; sid:424; rev:7;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Parameter Problem Bad Length"; icode:2; itype:12; classtype:misc-activity; sid:425; rev:6;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Parameter Problem Missing a Required Option"; icode:1; itype:12; classtype:misc-activity; sid:426; rev:7;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Parameter Problem Unspecified Error"; icode:0; itype:12; classtype:misc-activity; sid:427; rev:6;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Parameter Problem undefined Code"; icode:>2; itype:12; classtype:misc-activity; sid:428; rev:7;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Photuris Reserved"; icode:0; itype:40; classtype:misc-activity; sid:429; rev:6;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Photuris Unknown Security Parameters Index"; icode:1; itype:40; classtype:misc-activity; sid:430; rev:6;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Photuris Valid Security Parameters, But Authentication Failed"; icode:2; itype:40; classtype:misc-activity; sid:431; rev:6;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Photuris Valid Security Parameters, But Decryption Failed"; icode:3; itype:40; classtype:misc-activity; sid:432; rev:6;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Photuris undefined code!"; icode:>3; itype:40; classtype:misc-activity; sid:433; rev:8;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Redirect for TOS and Host"; icode:3; itype:5; classtype:misc-activity; sid:436; rev:6;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Redirect for TOS and Network"; icode:2; itype:5; classtype:misc-activity; sid:437; rev:6;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Redirect undefined code"; icode:>3; itype:5; classtype:misc-activity; sid:438; rev:9;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Reserved for Security Type 19"; icode:0; itype:19; classtype:misc-activity; sid:439; rev:6;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Reserved for Security Type 19 undefined code"; icode:>0; itype:19; classtype:misc-activity; sid:440; rev:7;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Router Advertisement"; icode:0; itype:9; reference:arachnids,173; classtype:misc-activity; sid:441; rev:6;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Router Selection"; icode:0; itype:10; reference:arachnids,174; classtype:misc-activity; sid:443; rev:5;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP SKIP"; icode:0; itype:39; classtype:misc-activity; sid:445; rev:5;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP SKIP undefined code"; icode:>0; itype:39; classtype:misc-activity; sid:446; rev:7;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Source Quench undefined code"; icode:>0; itype:4; classtype:misc-activity; sid:448; rev:7;)
+alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ICMP Time-To-Live Exceeded in Transit"; icode:0; itype:11; classtype:misc-activity; sid:449; rev:6;)
+alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ICMP Time-To-Live Exceeded in Transit undefined code"; icode:>1; itype:11; classtype:misc-activity; sid:450; rev:8;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Timestamp Reply"; icode:0; itype:14; classtype:misc-activity; sid:451; rev:5;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Timestamp Reply undefined code"; icode:>0; itype:14; classtype:misc-activity; sid:452; rev:7;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Timestamp Request"; icode:0; itype:13; classtype:misc-activity; sid:453; rev:5;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Timestamp Request undefined code"; icode:>0; itype:13; classtype:misc-activity; sid:454; rev:7;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Traceroute"; icode:0; itype:30; classtype:misc-activity; sid:456; rev:5;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Traceroute undefined code"; icode:>0; itype:30; classtype:misc-activity; sid:457; rev:7;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP unassigned type 1"; icode:0; itype:1; classtype:misc-activity; sid:458; rev:7;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP unassigned type 1 undefined code"; itype:1; classtype:misc-activity; sid:459; rev:7;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP unassigned type 2"; icode:0; itype:2; classtype:misc-activity; sid:460; rev:7;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP unassigned type 2 undefined code"; itype:2; classtype:misc-activity; sid:461; rev:7;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP unassigned type 7"; icode:0; itype:7; classtype:misc-activity; sid:462; rev:7;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP unassigned type 7 undefined code"; itype:7; classtype:misc-activity; sid:463; rev:7;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING undefined code"; icode:>0; itype:8; classtype:misc-activity; sid:365; rev:8;)
diff --git a/scripts/s2b/snort_rules2.2/icmp.rules b/scripts/s2b/snort_rules2.2/icmp.rules
new file mode 100644
index 0000000000..87bd70d5c8
--- /dev/null
+++ b/scripts/s2b/snort_rules2.2/icmp.rules
@@ -0,0 +1,35 @@
+# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
+#    All rights reserved.
+# $Id: icmp.rules 91 2004-07-15 08:13:57Z rwinslow $
+#-----------
+# ICMP RULES
+#-----------
+#
+# Description:
+# These rules are potentially bad ICMP traffic.  They include most of the
+# ICMP scanning tools and other "BAD" ICMP traffic (Such as redirect host)
+#
+# Other ICMP rules are included in icmp-info.rules
+
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP ISS Pinger"; itype:8; content:"ISSPNGRQ"; depth:32; reference:arachnids,158; classtype:attempted-recon; sid:465; rev:3;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP L3retriever Ping"; icode:0; itype:8; content:"ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI"; depth:32; reference:arachnids,311; classtype:attempted-recon; sid:466; rev:4;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Nemesis v1.1 Echo"; dsize:20; icmp_id:0; icmp_seq:0; itype:8; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; reference:arachnids,449; classtype:attempted-recon; sid:467; rev:3;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING NMAP"; dsize:0; itype:8; reference:arachnids,162; classtype:attempted-recon; sid:469; rev:3;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP icmpenum v1.1.1"; dsize:0; icmp_id:666 ; icmp_seq:0; id:666; itype:8; reference:arachnids,450; classtype:attempted-recon; sid:471; rev:3;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP redirect host"; icode:1; itype:5; reference:arachnids,135; reference:cve,1999-0265; classtype:bad-unknown; sid:472; rev:4;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP redirect net"; icode:0; itype:5; reference:arachnids,199; reference:cve,1999-0265; classtype:bad-unknown; sid:473; rev:4;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP superscan echo"; dsize:8; itype:8; content:"|00 00 00 00 00 00 00 00|"; classtype:attempted-recon; sid:474; rev:4;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP traceroute ipopts"; ipopts:rr; itype:0; reference:arachnids,238; classtype:attempted-recon; sid:475; rev:3;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP webtrends scanner"; icode:0; itype:8; content:"|00 00 00 00|EEEEEEEEEEEE"; reference:arachnids,307; classtype:attempted-recon; sid:476; rev:4;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Source Quench"; icode:0; itype:4; classtype:bad-unknown; sid:477; rev:2;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Broadscan Smurf Scanner"; dsize:4; icmp_id:0; icmp_seq:0; itype:8; classtype:attempted-recon; sid:478; rev:3;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING speedera"; itype:8; content:"89|3A 3B|<=>?"; depth:100; classtype:misc-activity; sid:480; rev:5;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP TJPingPro1.1Build 2 Windows"; itype:8; content:"TJPingPro by Jim"; depth:32; reference:arachnids,167; classtype:misc-activity; sid:481; rev:5;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING WhatsupGold Windows"; itype:8; content:"WhatsUp - A Netw"; depth:32; reference:arachnids,168; classtype:misc-activity; sid:482; rev:5;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING CyberKit 2.2 Windows"; itype:8; content:"|AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA|"; depth:32; reference:arachnids,154; classtype:misc-activity; sid:483; rev:5;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Sniffer Pro/NetXRay network scan"; itype:8; content:"Cinco Network, Inc."; depth:32; classtype:misc-activity; sid:484; rev:4;)
+alert icmp any any -> any any (msg:"ICMP Destination Unreachable Communication Administratively Prohibited"; icode:13; itype:3; classtype:misc-activity; sid:485; rev:4;)
+alert icmp any any -> any any (msg:"ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited"; icode:10; itype:3; classtype:misc-activity; sid:486; rev:4;)
+alert icmp any any -> any any (msg:"ICMP Destination Unreachable Communication with Destination Network is Administratively Prohibited"; icode:9; itype:3; classtype:misc-activity; sid:487; rev:4;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP digital island bandwidth query"; content:"mailto|3A|ops@digisle.com"; depth:22; classtype:misc-activity; sid:1813; rev:5;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Large ICMP Packet"; dsize:>800; reference:arachnids,246; classtype:bad-unknown; sid:499; rev:4;)
diff --git a/scripts/s2b/snort_rules2.2/imap.rules b/scripts/s2b/snort_rules2.2/imap.rules
new file mode 100644
index 0000000000..86e7a94b8e
--- /dev/null
+++ b/scripts/s2b/snort_rules2.2/imap.rules
@@ -0,0 +1,41 @@
+# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
+#    All rights reserved.
+# $Id: imap.rules 91 2004-07-15 08:13:57Z rwinslow $
+#--------------
+# IMAP RULES
+#--------------
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP login literal buffer overflow attempt"; flow:established,to_server; content:"LOGIN"; nocase; pcre:"/\sLOGIN\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,6298; classtype:misc-attack; sid:1993; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP login buffer overflow attempt"; flow:established,to_server; content:"LOGIN"; isdataat:100,relative; pcre:"/\sLOGIN\s[^\n]{100}/smi"; reference:cve,1999-0005; reference:nessus,10125; classtype:attempted-user; sid:1842; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP authenticate literal overflow attempt"; flow:established,to_server; content:"AUTHENTICATE"; nocase; pcre:"/\sAUTHENTICATE\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:cve,1999-0042; reference:nessus,10292; classtype:misc-attack; sid:2105; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP authenticate overflow attempt"; flow:established,to_server; content:"AUTHENTICATE"; nocase; isdataat:100,relative; pcre:"/\sAUTHENTICATE\s[^\n]{100}/smi"; reference:cve,1999-0042; reference:nessus,10292; classtype:misc-attack; sid:1844; rev:9;)
+
+# auth is an imap2 function and only accepts literal usage
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP auth literal overflow attempt"; flow:established,to_server; content:" AUTH"; nocase; content:"{"; byte_test:5,>,256,0,string,dec,relative; reference:cve,1999-0005; classtype:misc-attack; sid:1930; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP auth overflow attempt"; flow:established,to_server; content:"AUTH"; nocase; pcre:"/AUTH\s[^\n]{100}/smi"; reference:bugtraq,8861; classtype:misc-attack; sid:2330; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP lsub literal overflow attempt"; flow:to_server,established; content:"LSUB"; nocase; pcre:"/\sLSUB\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:1902; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP lsub overflow attempt"; flow:to_server,established; content:"LSUB"; isdataat:100,relative; pcre:"/\sLSUB\s[^\n]{100}/smi"; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:2106; rev:7;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP list literal overflow attempt"; flow:established,to_server; content:"LIST"; nocase; pcre:"/\sLIST\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:1845; rev:15;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP list overflow attempt"; flow:established,to_server; content:"LIST"; nocase; isdataat:100,relative; pcre:"/\sLIST\s[^\n]{100}/smi"; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:2118; rev:6;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP rename literal overflow attempt"; flow:established,to_server; content:"RENAME"; nocase; pcre:"/\sRENAME\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:2119; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP rename overflow attempt"; flow:established,to_server; content:"RENAME"; nocase; isdataat:100,relative; pcre:"/\sRENAME\s[^\n]{100}/smi"; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:1903; rev:8;)
+
+# FIND does not accept a literal command
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP find overflow attempt"; flow:established,to_server; content:"FIND"; nocase; isdataat:100,relative; pcre:"/\sFIND\s[^\n]{100}/smi"; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:1904; rev:7;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP partial body buffer overflow attempt"; flow:to_server,established; content:"PARTIAL"; nocase; content:"BODY["; distance:0; nocase; pcre:"/\sPARTIAL.*BODY\[[^\]]{1024}/smi"; reference:bugtraq,4713; reference:cve,2002-0379; classtype:misc-attack; sid:1755; rev:14;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP partial body.peek buffer overflow attempt"; flow:to_server,established; content:"PARTIAL"; nocase; content:"BODY.PEEK["; distance:0; nocase; pcre:"/\sPARTIAL.*BODY\.PEEK\[[^\]]{1024}/smi"; reference:bugtraq,4713; reference:cve,2002-0379; classtype:misc-attack; sid:2046; rev:6;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP create buffer overflow attempt"; flow:to_server,established; content:"CREATE"; isdataat:1024,relative; pcre:"/\sCREATE\s[^\n]{1024}/smi"; reference:bugtraq,7446; classtype:misc-attack; sid:2107; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP create literal buffer overflow attempt"; flow:to_server,established; content:"CREATE"; nocase; pcre:"/\sCREATE\s*\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,7446; classtype:misc-attack; sid:2120; rev:3;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP login brute force attempt"; flow:to_server,established; content:"LOGIN"; nocase; threshold:type threshold, track by_dst, count 30, seconds 30; classtype:suspicious-login; sid:2273; rev:2;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 993 (msg:"IMAP SSLv3 invalid data version attempt"; flow:to_server,established; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; content:!"|03|"; depth:1; offset:9; reference:bugtraq,10115; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2497; rev:6;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 993 (msg:"IMAP PCT Client_Hello overflow attempt"; flow:to_server,established; content:"|01|"; depth:1; offset:2; byte_test:2,>,0,6; byte_test:2,!,0,8; byte_test:2,!,16,8; byte_test:2,>,20,10; content:"|8F|"; depth:1; offset:11; byte_test:2,>,32768,0,relative; reference:bugtraq,10116; reference:cve,2003-0719; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2517; rev:10;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 993 (msg:"IMAP SSLv3 Client_Hello request"; flow:to_server,established; flowbits:isnotset,sslv3.client_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; flowbits:set,sslv3.client_hello.request; flowbits:noalert; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2529; rev:3;)
+alert tcp $HOME_NET 993 -> $EXTERNAL_NET any (msg:"IMAP SSLv3 Server_Hello request"; flow:to_client,established; flowbits:isset,sslv3.client_hello.request; content:"|16 03|"; depth:2; content:"|02|"; depth:1; offset:5; flowbits:set,sslv3.server_hello.request; flowbits:noalert; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2530; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 993 (msg:"IMAP SSLv3 invalid Client_Hello attempt"; flow:to_server,established; flowbits:isset,sslv3.server_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2531; rev:3;)
diff --git a/scripts/s2b/snort_rules2.2/info.rules b/scripts/s2b/snort_rules2.2/info.rules
new file mode 100644
index 0000000000..31db270b2a
--- /dev/null
+++ b/scripts/s2b/snort_rules2.2/info.rules
@@ -0,0 +1,14 @@
+# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
+#    All rights reserved.
+# $Id: info.rules 91 2004-07-15 08:13:57Z rwinslow $
+#-----------
+# INFO RULES
+#-----------
+
+alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"INFO Connection Closed MSG from Port 80"; flow:from_server,established; content:"Connection closed by foreign host"; nocase; classtype:unknown; sid:488; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"INFO FTP no password"; flow:from_client,established; content:"PASS"; nocase; pcre:"/^PASS\s*\n/smi"; reference:arachnids,322; classtype:unknown; sid:489; rev:7;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INFO battle-mail traffic"; flow:to_server,established; content:"BattleMail"; classtype:unknown; sid:490; rev:6;)
+alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"INFO FTP Bad login"; flow:from_server,established; content:"530 "; pcre:"/^530\s+(Login|User)/smi"; classtype:bad-unknown; sid:491; rev:8;)
+alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"INFO TELNET Bad Login"; flow:from_server,established; content:"Login failed"; nocase; classtype:bad-unknown; sid:492; rev:8;)
+alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"INFO TELNET Bad Login"; flow:from_server,established; content:"Login incorrect"; nocase; classtype:bad-unknown; sid:1251; rev:6;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"INFO psyBNC access"; flow:from_server,established; content:"Welcome!psyBNC@lam3rz.de"; classtype:bad-unknown; sid:493; rev:5;)
diff --git a/scripts/s2b/snort_rules2.2/local.rules b/scripts/s2b/snort_rules2.2/local.rules
new file mode 100644
index 0000000000..e62b737ac0
--- /dev/null
+++ b/scripts/s2b/snort_rules2.2/local.rules
@@ -0,0 +1,6 @@
+# $Id: local.rules 91 2004-07-15 08:13:57Z rwinslow $
+# ----------------
+# LOCAL RULES
+# ----------------
+# This file intentionally does not come with signatures.  Put your local
+# additions here.
diff --git a/scripts/s2b/snort_rules2.2/misc.rules b/scripts/s2b/snort_rules2.2/misc.rules
new file mode 100644
index 0000000000..73b1a3beea
--- /dev/null
+++ b/scripts/s2b/snort_rules2.2/misc.rules
@@ -0,0 +1,94 @@
+# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
+#    All rights reserved.
+# $Id: misc.rules 91 2004-07-15 08:13:57Z rwinslow $
+#-----------
+# MISC RULES
+#-----------
+
+alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"MISC source route lssr"; ipopts:lsrr; reference:arachnids,418; reference:bugtraq,646; reference:cve,1999-0909; classtype:bad-unknown; sid:500; rev:4;)
+alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"MISC source route lssre"; ipopts:lsrre; reference:arachnids,420; reference:bugtraq,646; reference:cve,1999-0909; classtype:bad-unknown; sid:501; rev:4;)
+alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"MISC source route ssrr"; ipopts:ssrr ; reference:arachnids,422; classtype:bad-unknown; sid:502; rev:2;)
+alert tcp $EXTERNAL_NET 20 -> $HOME_NET :1023 (msg:"MISC Source Port 20 to <1024"; flags:S,12; flow:stateless; reference:arachnids,06; classtype:bad-unknown; sid:503; rev:6;)
+alert tcp $EXTERNAL_NET 53 -> $HOME_NET :1023 (msg:"MISC source port 53 to <1024"; flags:S,12; flow:stateless; reference:arachnids,07; classtype:bad-unknown; sid:504; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 1417 (msg:"MISC Insecure TIMBUKTU Password"; flow:to_server,established; content:"|05 00|>"; depth:16; reference:arachnids,229; classtype:bad-unknown; sid:505; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 5631 (msg:"MISC PCAnywhere Attempted Administrator Login"; flow:to_server,established; content:"ADMINISTRATOR"; classtype:attempted-admin; sid:507; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 70 (msg:"MISC gopher proxy"; flow:to_server,established; content:"ftp|3A|"; nocase; content:"@/"; reference:arachnids,409; classtype:bad-unknown; sid:508; rev:7;)
+alert tcp $HOME_NET 5631:5632 -> $EXTERNAL_NET any (msg:"MISC PCAnywhere Failed Login"; flow:from_server,established; content:"Invalid login"; depth:16; reference:arachnids,240; classtype:unsuccessful-user; sid:512; rev:4;)
+alert tcp $HOME_NET 7161 -> $EXTERNAL_NET any (msg:"MISC Cisco Catalyst Remote Access"; flags:SA,12; flow:stateless; reference:arachnids,129; reference:bugtraq,705; reference:cve,1999-0430; classtype:bad-unknown; sid:513; rev:10;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 27374 (msg:"MISC ramen worm"; flow:to_server,established; content:"GET "; depth:8; nocase; reference:arachnids,461; classtype:bad-unknown; sid:514; rev:5;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"MISC SNMP NT UserList"; content:"+|06 10|@|14 D1 02 19|"; classtype:attempted-recon; sid:516; rev:3;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 177 (msg:"MISC xdmcp query"; content:"|00 01 00 03 00 01 00|"; reference:arachnids,476; classtype:attempted-recon; sid:517; rev:1;)
+
+# once we get response, check for content:"|00 01 00|"; offset:0; depth:3;
+alert udp $EXTERNAL_NET any -> $HOME_NET 177 (msg:"MISC xdmcp info query"; content:"|00 01 00 02 00 01 00|"; reference:nessus,10891; classtype:attempted-recon; sid:1867; rev:1;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"MISC Large UDP Packet"; dsize:>4000; reference:arachnids,247; classtype:bad-unknown; sid:521; rev:2;)
+alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"MISC Tiny Fragments"; dsize:< 25; fragbits:M; classtype:bad-unknown; sid:522; rev:2;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"MISC UPnP malformed advertisement"; content:"NOTIFY * "; nocase; reference:bugtraq,3723; reference:cve,2001-0876; reference:cve,2001-0877; reference:url,www.microsoft.com/technet/security/bulletin/MS01-059.mspx; classtype:misc-attack; sid:1384; rev:8;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"MISC UPnP Location overflow"; content:"Location|3A|"; nocase; pcre:"/^Location\:[^\n]{128}/smi"; reference:bugtraq,3723; reference:cve,2001-0876; classtype:misc-attack; sid:1388; rev:12;)
+alert tcp $AIM_SERVERS any -> $HOME_NET any (msg:"MISC AIM AddGame attempt"; flow:to_client,established; content:"aim|3A|AddGame?"; nocase; reference:bugtraq,3769; reference:cve,2002-0005; reference:url,www.w00w00.org/files/w00aimexp/; classtype:misc-attack; sid:1393; rev:12;)
+alert tcp $AIM_SERVERS any -> $HOME_NET any (msg:"MISC AIM AddExternalApp attempt"; flow:to_client,established; content:"aim|3A|AddExternalApp?"; nocase; reference:url,www.w00w00.org/files/w00aimexp/; classtype:misc-attack; sid:1752; rev:4;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 7001 (msg:"MISC AFS access"; content:"|00 00 03 E7 00 00 00 00 00 00 00|e|00 00 00 00 00 00 00 00 0D 05 00 00 00 00 00 00 00|"; reference:nessus,10441; classtype:misc-activity; sid:1504; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 32000 (msg:"MISC Xtramail Username overflow attempt"; dsize:>500; flow:to_server,established; content:"Username|3A|"; nocase; isdataat:100,relative; pcre:"/^Username\:[^\n]{100}/smi"; reference:bugtraq,791; reference:cve,1999-1511; classtype:attempted-admin; sid:1636; rev:8;)
+
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"MISC OpenSSL Worm traffic"; flow:to_server,established; content:"TERM=xterm"; nocase; reference:url,www.cert.org/advisories/CA-2002-27.html; classtype:web-application-attack; sid:1887; rev:3;)
+alert udp $EXTERNAL_NET 2002 -> $HTTP_SERVERS 2002 (msg:"MISC slapper worm admin traffic"; content:"|00 00|E|00 00|E|00 00|@|00|"; depth:10; reference:url,isc.incidents.org/analysis.html?id=167; reference:url,www.cert.org/advisories/CA-2002-27.html; classtype:trojan-activity; sid:1889; rev:5;)
+
+
+# once we get response, check for content:"|03|"; offset:0; depth:1;
+alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"MISC MS Terminal server request RDP"; flow:to_server,established; content:"|03 00 00 0B 06 E0 00 00 00 00 00|"; depth:11; reference:bugtraq,3099; reference:cve,2001-0540; classtype:protocol-command-decode; sid:1447; rev:11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"MISC MS Terminal server request"; flow:to_server,established; content:"|03 00 00|"; depth:3; content:"|E0 00 00 00 00 00|"; depth:6; offset:5; reference:bugtraq,3099; reference:cve,2001-0540; classtype:protocol-command-decode; sid:1448; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"MISC MS Terminal Server no encryption session initiation attmept"; flow:to_server,established; content:"|03 00 01|"; depth:3; content:"|00|"; depth:1; offset:288; reference:url,www.microsoft.com/technet/security/bulletin/MS01-052.mspx; classtype:attempted-dos; sid:2418; rev:3;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 2533 (msg:"MISC Alcatel PABX 4400 connection attempt"; flow:established,to_server; content:"|00 01|C"; depth:3; reference:nessus,11019; classtype:misc-activity; sid:1819; rev:5;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"MISC bootp hardware address length overflow"; content:"|01|"; depth:1; byte_test:1,>,6,2; reference:cve,1999-0798; classtype:misc-activity; sid:1939; rev:4;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"MISC bootp invalid hardware type"; content:"|01|"; depth:1; byte_test:1,>,7,1; reference:cve,1999-0798; classtype:misc-activity; sid:1940; rev:3;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"MISC bootp hostname format string attempt"; content:"|01|"; depth:1; content:"|0C|"; distance:240; content:"%"; distance:0; content:"%"; within:8; distance:1; content:"%"; within:8; distance:1; reference:bugtraq,4701; reference:cve,2002-0702; classtype:misc-attack; sid:2039; rev:4;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 27155 (msg:"MISC GlobalSunTech Access Point Information Disclosure attempt"; content:"gstsearch"; reference:bugtraq,6100; classtype:misc-activity; sid:1966; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 7100 (msg:"MISC xfs overflow attempt"; dsize:>512; flow:to_server,established; content:"B|00 02|"; depth:3; reference:bugtraq,6241; reference:cve,2002-1317; reference:nessus,11188; classtype:misc-activity; sid:1987; rev:6;)
+
+alert udp $HOME_NET 49 -> $EXTERNAL_NET any (msg:"MISC xtacacs failed login response"; content:"|80 02|"; depth:2; content:"|02|"; distance:4; classtype:misc-activity; sid:2041; rev:2;)
+alert udp $HOME_NET 500 -> $EXTERNAL_NET 500 (msg:"MISC isakmp login failed"; content:"|10 05|"; depth:2; offset:17; content:"|00 00 00 01 01 00 00 18|"; within:8; distance:13; classtype:misc-activity; sid:2043; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 873 (msg:"MISC rsyncd module list access"; flow:to_server,established; content:"|23|list"; depth:5; classtype:misc-activity; sid:2047; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 873 (msg:"MISC rsyncd overflow attempt"; flow:to_server; byte_test:2,>,4000,0; content:"|00 00|"; depth:2; offset:2; classtype:misc-activity; sid:2048; rev:2;)
+
+
+# This rule needs some work since you don't have to pass BEGIN and END
+# anywhere near each other.
+#
+#! alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 ( \
+#!   msg:"MISC CVS username overflow attempt"; flow:to_server,established; \
+#!   content:"BEGIN AUTH REQUEST|0A|"; content:!"|0A|END AUTH REQUEST|0A|"; \
+#!   within:255; classtype:misc-attack;)
+
+
+# normally Idon't like using 3a for :, but in this case... I'd like to remove the false positives stemming from someone using anoncvs to checkout snort rules :)
+alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"MISC CVS invalid user authentication response"; flow:from_server,established; content:"E Fatal error, aborting."; content:"|3A| no such user"; classtype:misc-attack; sid:2008; rev:4;)
+alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"MISC CVS invalid repository response"; flow:from_server,established; content:"error "; content:"|3A| no such repository"; content:"I HATE YOU"; classtype:misc-attack; sid:2009; rev:2;)
+alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"MISC CVS double free exploit attempt response"; flow:from_server,established; content:"free|28 29 3A| warning|3A| chunk is already free"; reference:bugtraq,6650; reference:cve,2003-0015; classtype:misc-attack; sid:2010; rev:4;)
+alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"MISC CVS invalid directory response"; flow:from_server,established; content:"E protocol error|3A| invalid directory syntax in"; reference:bugtraq,6650; reference:cve,2003-0015; classtype:misc-attack; sid:2011; rev:4;)
+alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"MISC CVS missing cvsroot response"; flow:from_server,established; content:"E protocol error|3A| Root request missing"; classtype:misc-attack; sid:2012; rev:2;)
+alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"MISC CVS invalid module response"; flow:from_server,established; content:"cvs server|3A| cannot find module"; content:"error"; distance:1; classtype:misc-attack; sid:2013; rev:2;)
+alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"MISC CVS non-relative path error response"; flow:from_server,established; content:"E cvs server|3A| warning|3A| cannot make directory CVS in /"; reference:bugtraq,9178; reference:cve,2003-0977; classtype:misc-attack; sid:2317; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg:"MISC CVS non-relative path access attempt"; flow:to_server,established; content:"Argument"; pcre:"m?^Argument\s+/?smi"; pcre:"/^Directory/smiR"; reference:bugtraq,9178; reference:cve,2003-0977; classtype:misc-attack; sid:2318; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 1723 (msg:"MISC Microsoft PPTP Start Control Request buffer overflow attempt"; dsize:>156; flow:to_server,established,no_stream; content:"|00 01|"; depth:2; offset:2; content:"|00 01|"; depth:2; offset:8; reference:bugtraq,5807; reference:cve,2002-1214; classtype:attempted-admin; sid:2126; rev:6;)
+
+# this rule is specificly not looking for flow, since tcpdump handles lengths wrong
+alert tcp any any <> any 179 (msg:"MISC BGP invalid length"; flow:stateless; content:"|FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF|"; byte_test:2,<,19,0,relative; reference:url,sf.net/tracker/index.php?func=detail&aid=744523&group_id=53066&atid=469575; classtype:bad-unknown; sid:2158; rev:5;)
+alert tcp $EXTERNAL_NET any <> $HOME_NET 179 (msg:"MISC BGP invalid type 0"; flow:stateless; content:"|FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF|"; depth:16; content:"|00|"; within:1; distance:2; classtype:bad-unknown; sid:2159; rev:8;)
+
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 636 (msg:"MISC LDAP SSLv3 invalid data version attempt"; flow:to_server,established; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; content:!"|03|"; depth:1; offset:9; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2500; rev:4;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 639 (msg:"MISC LDAP PCT Client_Hello overflow attempt"; flow:to_server,established; content:"|01|"; depth:1; offset:2; byte_test:2,>,0,6; byte_test:2,!,0,8; byte_test:2,!,16,8; byte_test:2,>,20,10; content:"|8F|"; depth:1; offset:11; byte_test:2,>,32768,0,relative; reference:bugtraq,10116; reference:cve,2003-0719; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2516; rev:10;)
+
+
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 639 (msg:"MISC LDAP SSLv3 Client_Hello request"; flow:to_server,established; flowbits:isnotset,sslv3.client_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; flowbits:set,sslv3.client_hello.request; flowbits:noalert; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2532; rev:3;)
+alert tcp $HOME_NET 639 -> $EXTERNAL_NET any (msg:"MISC LDAP SSLv3 Server_Hello request"; flow:to_client,established; flowbits:isset,sslv3.client_hello.request; content:"|16 03|"; depth:2; content:"|02|"; depth:1; offset:5; flowbits:set,sslv3.server_hello.request; flowbits:noalert; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2533; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 639 (msg:"MISC LDAP SSLv3 invalid Client_Hello attempt"; flow:to_server,established; flowbits:isset,sslv3.server_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2534; rev:3;)
+
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 8000 (msg:"MISC HP Web JetAdmin remote file upload attempt"; flow:to_server,established; content:"/plugins/hpjwja/script/devices_update_printer_fw_upload.hts"; nocase; content:"Content-Type|3A|"; nocase; content:"Multipart"; distance:0; nocase; reference:bugtraq,9978; classtype:web-application-activity; sid:2547; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 8000 (msg:"MISC HP Web JetAdmin setinfo access"; flow:to_server,established; content:"/plugins/hpjdwm/script/test/setinfo.hts"; nocase; reference:bugtraq,9972; classtype:web-application-activity; sid:2548; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 8000 (msg:"MISC HP Web JetAdmin file write attempt"; flow:to_server,established; content:"/plugins/framework/script/tree.xms"; nocase; content:"WriteToFile"; nocase; reference:bugtraq,9973; classtype:web-application-activity; sid:2549; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 873 (msg:"MISC rsync backup-dir directory traversal attempt"; flow:to_server,established; content:"--backup-dir"; pcre:"/--backup-dir\s+\x2e\x2e\x2f/"; reference:bugtraq,10247; reference:cve,2004-0426; classtype:string-detect; sid:2561; rev:2;)
diff --git a/scripts/s2b/snort_rules2.2/multimedia.rules b/scripts/s2b/snort_rules2.2/multimedia.rules
new file mode 100644
index 0000000000..6b68fe4f52
--- /dev/null
+++ b/scripts/s2b/snort_rules2.2/multimedia.rules
@@ -0,0 +1,20 @@
+# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
+#    All rights reserved.
+# $Id: multimedia.rules 91 2004-07-15 08:13:57Z rwinslow $
+#-------------
+# MULTIMEDIA RULES
+#-------------
+# These signatures look for people using streaming multimedia technologies.
+# Using streaming media may be a violation of corporate policies.
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MULTIMEDIA Quicktime User Agent access"; flow:to_server,established; content:"User-Agent|3A| Quicktime"; classtype:policy-violation; sid:1436; rev:4;)
+alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"MULTIMEDIA Windows Media audio download"; flow:from_server,established; content:"Content-type|3A| audio/x-ms-wma"; nocase; content:"|0A|"; within:2; classtype:policy-violation; sid:1437; rev:5;)
+alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"MULTIMEDIA Windows Media Video download"; flow:from_server,established; content:"Content-type|3A| video/x-ms-asf"; nocase; content:"|0A|"; within:2; classtype:policy-violation; sid:1438; rev:6;)
+alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"MULTIMEDIA Shoutcast playlist redirection"; flow:from_server,established; content:"Content-type|3A| audio/x-scpls"; nocase; content:"|0A|"; within:2; classtype:policy-violation; sid:1439; rev:5;)
+alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"MULTIMEDIA Icecast playlist redirection"; flow:from_server,established; content:"Content-type|3A| audio/x-mpegurl"; nocase; content:"|0A|"; within:2; classtype:policy-violation; sid:1440; rev:5;)
+alert tcp $HOME_NET any -> 64.245.58.0/23 any (msg:"MULTIMEDIA audio galaxy keepalive"; flow:established; content:"E_|00 03 05|"; depth:5; classtype:misc-activity; sid:1428; rev:5;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MULTIMEDIA realplayer .ram playlist download attempt"; flow:to_server,established; uricontent:".ram"; flowbits:set,realplayer.playlist; flowbits:noalert; classtype:misc-activity; sid:2419; rev:2;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MULTIMEDIA realplayer .rmp playlist download attempt"; flow:to_server,established; uricontent:".rmp"; flowbits:set,realplayer.playlist; flowbits:noalert; classtype:misc-activity; sid:2420; rev:2;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MULTIMEDIA realplayer .smi playlist download attempt"; flow:to_server,established; uricontent:".smi"; flowbits:set,realplayer.playlist; flowbits:noalert; classtype:misc-activity; sid:2421; rev:2;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MULTIMEDIA realplayer .rt playlist download attempt"; flow:to_server,established; uricontent:".rt"; flowbits:set,realplayer.playlist; flowbits:noalert; classtype:misc-activity; sid:2422; rev:2;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MULTIMEDIA realplayer .rp playlist download attempt"; flow:to_server,established; uricontent:".rp"; flowbits:set,realplayer.playlist; flowbits:noalert; classtype:misc-activity; sid:2423; rev:2;)
diff --git a/scripts/s2b/snort_rules2.2/mysql.rules b/scripts/s2b/snort_rules2.2/mysql.rules
new file mode 100644
index 0000000000..c78ffc5bb3
--- /dev/null
+++ b/scripts/s2b/snort_rules2.2/mysql.rules
@@ -0,0 +1,15 @@
+# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
+#    All rights reserved.
+# $Id: mysql.rules 91 2004-07-15 08:13:57Z rwinslow $
+#----------
+# MYSQL RULES
+#----------
+#
+# These signatures detect unusual and potentially malicious mysql traffic.
+#
+# These signatures are not enabled by default as they may generate false
+# positive alarms on networks that do mysql development.
+#
+
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"MYSQL root login attempt"; flow:to_server,established; content:"|0A 00 00 01 85 04 00 00 80|root|00|"; classtype:protocol-command-decode; sid:1775; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"MYSQL show databases attempt"; flow:to_server,established; content:"|0F 00 00 00 03|show databases"; classtype:protocol-command-decode; sid:1776; rev:2;)
diff --git a/scripts/s2b/snort_rules2.2/netbios.rules b/scripts/s2b/snort_rules2.2/netbios.rules
new file mode 100644
index 0000000000..31439a5181
--- /dev/null
+++ b/scripts/s2b/snort_rules2.2/netbios.rules
@@ -0,0 +1,150 @@
+# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
+#    All rights reserved.
+# $Id: netbios.rules 91 2004-07-15 08:13:57Z rwinslow $
+#--------------
+# NETBIOS RULES
+#--------------
+
+
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB IPC$ share access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMBu"; depth:5; offset:4; byte_test:1,<,128,6,relative; content:"IPC|24 00|"; distance:32; nocase; classtype:protocol-command-decode; sid:537; rev:11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB IPC$ share unicode access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMBu"; depth:5; offset:4; byte_test:1,>,127,6,relative; content:"I|00|P|00|C|00 24 00 00|"; distance:32; nocase; classtype:protocol-command-decode; sid:538; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS IPC$ share access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMBu"; depth:5; offset:4; byte_test:1,<,128,6,relative; content:"IPC|24 00|"; distance:32; nocase; classtype:protocol-command-decode; sid:2465; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS IPC$ share unicode access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMBu"; depth:5; offset:4; byte_test:1,>,127,6,relative; content:"I|00|P|00|C|00 24 00 00|"; distance:32; nocase; classtype:protocol-command-decode; sid:2466; rev:3;)
+
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB D$ share access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMBu"; depth:5; offset:4; byte_test:1,<,128,6,relative; content:"D|24 00|"; distance:32; nocase; classtype:protocol-command-decode; sid:536; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB D$ share unicode access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMBu"; depth:5; offset:4; byte_test:1,>,127,6,relative; content:"D|00 24 00 00|"; distance:32; nocase; classtype:protocol-command-decode; sid:2467; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS D$ share access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMBu"; depth:5; offset:4; byte_test:1,<,128,6,relative; content:"D|24 00|"; distance:32; nocase; classtype:protocol-command-decode; sid:2468; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS D$ share unicode access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMBu"; depth:5; offset:4; byte_test:1,>,127,6,relative; content:"D|00 24 00 00|"; distance:32; nocase; classtype:protocol-command-decode; sid:2469; rev:3;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB C$ share access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMBu"; depth:5; offset:4; byte_test:1,<,128,6,relative; content:"C|24 00|"; distance:32; nocase; classtype:protocol-command-decode; sid:533; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB C$ share unicode access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMBu"; depth:5; offset:4; byte_test:1,>,127,6,relative; content:"C|00 24 00 00|"; distance:32; nocase; classtype:protocol-command-decode; sid:2470; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS C$ share access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMBu"; depth:5; offset:4; byte_test:1,<,128,6,relative; content:"C|24 00|"; distance:32; nocase; classtype:protocol-command-decode; sid:2471; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS C$ share unicode access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMBu"; depth:5; offset:4; byte_test:1,>,127,6,relative; content:"C|00 24 00 00|"; distance:32; nocase; classtype:protocol-command-decode; sid:2472; rev:3;)
+
+
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB ADMIN$ share access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMBu"; depth:5; offset:4; byte_test:1,<,128,6,relative; content:"ADMIN|24 00|"; distance:32; nocase; classtype:protocol-command-decode; sid:532; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB ADMIN$ share unicode access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMBu"; depth:5; offset:4; byte_test:1,>,127,6,relative; content:"A|00|D|00|M|00|I|00|N|00 24 00 00|"; distance:32; nocase; classtype:protocol-command-decode; sid:2473; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS ADMIN$ share access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMBu"; depth:5; offset:4; byte_test:1,<,128,6,relative; content:"ADMIN|24 00|"; distance:32; nocase; classtype:protocol-command-decode; sid:2474; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS ADMIN$ share unicode access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMBu"; depth:5; offset:4; byte_test:1,>,127,6,relative; content:"A|00|D|00|M|00|I|00|N|00 24 00 00|"; distance:32; nocase; classtype:protocol-command-decode; sid:2475; rev:3;)
+
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB winreg access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; depth:5; offset:4; content:"|5C|winreg|00|"; offset:85; nocase; classtype:protocol-command-decode; sid:2174; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB winreg unicode access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; depth:5; offset:4; content:"|5C 00|w|00|i|00|n|00|r|00|e|00|g|00|"; offset:85; nocase; classtype:protocol-command-decode; sid:2175; rev:5;)
+
+# where did these come from?  I don't know.  lets disable them for real for now
+# and deal with it later...
+### alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS winreg access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; depth:5; offset:4; content:"|5C|winreg|00|"; offset:85; nocase; classtype:attempted-recon; rev:2;)
+### alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS winreg unicode access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; depth:5; offset:4; content:"|5C 00|w|00|i|00|n|00|r|00|e|00|g|00|"; offset:85; nocase; classtype:attempted-recon; rev:2;)
+
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS Create AndX Request winreg attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; depth:5; offset:4; byte_test:1,>,127,6,relative; content:"|5C|winreg|00|"; within:8; distance:79; nocase; flowbits:set,smb.winreg.create; classtype:protocol-command-decode; sid:2476; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS Create AndX Request winreg unicode attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; depth:5; offset:4; byte_test:1,>,127,6,relative; content:"|5C 00|w|00|i|00|n|00|r|00|e|00|g|00 00 00|"; within:16; distance:79; nocase; flowbits:set,smb.winreg.create; classtype:protocol-command-decode; sid:2477; rev:3;)
+
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC bind winreg attempt"; flow:to_server,established; flowbits:set,smb.dce.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:1,<,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|pipe|5C 00 05 00 0B|"; within:10; distance:5; nocase; byte_test:1,&,16,1,relative; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:isset,smb.winreg.create; classtype:protocol-command-decode; sid:2478; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC bind winreg unicode attempt"; flow:to_server,established; flowbits:set,smb.dce.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:1,>,127,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00 05 00 0B|"; within:17; distance:5; nocase; byte_test:1,&,16,1,relative; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:isset,smb.winreg.create; classtype:protocol-command-decode; sid:2479; rev:3;)
+
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC shutdown unicode attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:1,>,127,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00 05 00 00|"; within:17; distance:5; nocase; byte_test:1,&,16,1,relative; content:"|18 00|"; within:2; distance:19; flowbits:isset,smb.dce.bind.winreg; classtype:protocol-command-decode; sid:2480; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC shutdown unicode little endian attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:1,>,127,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00 05 00 00|"; within:17; distance:5; nocase; byte_test:1,<,16,1,relative; content:"|00 18|"; within:2; distance:19; flowbits:isset,smb.dce.bind.winreg; classtype:protocol-command-decode; sid:2481; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC shutdown attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:1,<,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00 05 00 00|"; within:10; distance:5; nocase; byte_test:1,&,16,1,relative; content:"|18 00|"; within:2; distance:19; flowbits:isset,smb.dce.bind.winreg; classtype:protocol-command-decode; sid:2482; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC shutdown little endian attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:1,<,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00 05 00 00|"; within:10; distance:5; nocase; byte_test:1,<,16,1,relative; content:"|00 18|"; within:2; distance:19; flowbits:isset,smb.dce.bind.winreg; classtype:protocol-command-decode; sid:2483; rev:3;)
+
+
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS nimda .eml"; flow:to_server,established; content:"|00|.|00|E|00|M|00|L"; reference:url,www.f-secure.com/v-descs/nimda.shtml; classtype:bad-unknown; sid:1293; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS nimda .nws"; flow:to_server,established; content:"|00|.|00|N|00|W|00|S"; reference:url,www.f-secure.com/v-descs/nimda.shtml; classtype:bad-unknown; sid:1294; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS nimda RICHED20.DLL"; flow:to_server,established; content:"R|00|I|00|C|00|H|00|E|00|D|00|2|00|0"; reference:url,www.f-secure.com/v-descs/nimda.shtml; classtype:bad-unknown; sid:1295; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS DOS RFPoison"; flow:to_server,established; content:"|5C 00 5C 00|*|00|S|00|M|00|B|00|S|00|E|00|R|00|V|00|E|00|R|00 00 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 FF FF FF FF 00 00 00 00|"; reference:arachnids,454; classtype:attempted-dos; sid:529; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS NT NULL session"; flow:to_server,established; content:"|00 00 00 00|W|00|i|00|n|00|d|00|o|00|w|00|s|00| |00|N|00|T|00| |00|1|00|3|00|8|00|1"; reference:arachnids,204; reference:bugtraq,1163; reference:cve,2000-0347; classtype:attempted-recon; sid:530; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS RFParalyze Attempt"; flow:to_server,established; content:"BEAVIS"; content:"yep yep"; classtype:attempted-recon; sid:1239; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB CD.."; flow:to_server,established; content:"|5C|../|00 00 00|"; reference:arachnids,338; classtype:attempted-recon; sid:534; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB CD..."; flow:to_server,established; content:"|5C|...|00 00 00|"; reference:arachnids,337; classtype:attempted-recon; sid:535; rev:6;)
+
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB startup folder access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB2"; depth:5; offset:4; content:"Documents and Settings|5C|All Users|5C|Start Menu|5C|Programs|5C|Startup|00|"; distance:0; nocase; classtype:attempted-recon; sid:2176; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB startup folder unicode access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB2"; depth:5; offset:4; content:"|5C 00|S|00|t|00|a|00|r|00|t|00| |00|M|00|e|00|n|00|u|00 5C 00|P|00|r|00|o|00|g|00|r|00|a|00|m|00|s|00 5C 00|S|00|t|00|a|00|r|00|t|00|u|00|p"; distance:0; nocase; classtype:attempted-recon; sid:2177; rev:4;)
+
+
+
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS Samba clientaccess"; flow:to_server,established; content:"|00|Unix|00|Samba"; reference:arachnids,341; classtype:not-suspicious; sid:539; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB SMB_COM_TRANSACTION Max Parameter and Max Count of 0 DOS Attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; content:"|00 00 00 00|"; depth:4; offset:43; reference:bugtraq,5556; reference:cve,2002-0724; reference:url,www.corest.com/common/showdoc.php?idx=262; reference:url,www.microsoft.com/technet/security/bulletin/MS02-045.mspx; classtype:denial-of-service; sid:2101; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB trans2open buffer overflow attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB2"; depth:5; offset:4; content:"|00 14|"; depth:2; offset:60; byte_test:2,>,256,0,relative,little; reference:bugtraq,7294; reference:cve,2003-0201; reference:url,www.digitaldefense.net/labs/advisories/DDI-1013.txt; classtype:attempted-admin; sid:2103; rev:9;)
+
+
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC invalid bind attempt"; flow:to_server,established; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|00|"; within:1; distance:21; classtype:attempted-dos; sid:2190; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB DCERPC invalid bind attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|05|"; within:1; distance:2; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|00|"; within:1; distance:21; classtype:attempted-dos; sid:2191; rev:3;)
+alert tcp $HOME_NET 135 -> $EXTERNAL_NET any (msg:"NETBIOS DCERPC ISystemActivator bind accept"; flow:from_server,established; content:"|05|"; within:1; content:"|0C|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|00 00|"; within:2; distance:33; flowbits:isset,dce.isystemactivator.bind.attempt; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2350; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC ISystemActivator path overflow attempt little endian"; flow:to_server,established; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|5C 00 5C 00|"; byte_test:4,>,256,-8,little,relative; flowbits:isset,dce.isystemactivator.bind; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2351; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC ISystemActivator path overflow attempt big endian"; flow:to_server,established; content:"|05|"; within:1; byte_test:1,<,16,3,relative; content:"|5C 00 5C 00|"; byte_test:4,>,256,-8,relative; flowbits:isset,dce.isystemactivator.bind; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2352; rev:7;)
+
+
+
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC ISystemActivator bind attempt"; flow:to_server,established; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind.attempt; flowbits:noalert; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2192; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC ISystemActivator bind attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind.call.attempt; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2193; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC ISystemActivator unicode bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,&,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 05 00 0B|"; within:15; distance:4; byte_test:1,&,16,1,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind.call.attempt; reference:bugtraq,8811; reference:cve,2003-0813; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2491; rev:5;)
+
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB DCERPC ISystemActivator bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,^,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00 05 00 0B|"; within:10; distance:4; byte_test:1,&,16,1,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind.call.attempt; reference:bugtraq,8811; reference:cve,2003-0813; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2492; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB DCERPC ISystemActivator unicode bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,&,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 05 00 0B|"; within:15; distance:4; byte_test:1,&,16,1,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind.call.attempt; reference:bugtraq,8811; reference:cve,2003-0813; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2493; rev:5;)
+
+
+
+
+
+
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC Remote Activation bind attempt"; flow:to_server,established; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; tag:session,5,packets; reference:bugtraq,8234; reference:bugtraq,8458; reference:cve,2003-0528; reference:cve,2003-0605; reference:cve,2003-0715; reference:url,www.microsoft.com/technet/security/bulletin/MS03-039.mspx; classtype:attempted-admin; sid:2251; rev:11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC Remote Activation bind attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; tag:session,5,packets; reference:bugtraq,8234; reference:bugtraq,8458; reference:cve,2003-0528; reference:cve,2003-0605; reference:cve,2003-0715; reference:url,www.microsoft.com/technet/security/bulletin/MS03-039.mspx; classtype:attempted-admin; sid:2252; rev:11;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC Messenger Service buffer overflow attempt"; content:"|04 00|"; depth:2; byte_test:1,>,15,2,relative; byte_jump:4,86,little,align,relative; byte_jump:4,8,little,align,relative; byte_test:4,>,1024,0,little,relative; reference:bugtraq,8826; reference:cve,2003-0717; reference:url,www.microsoft.com/technet/security/bulletin/MS03-043.mspx; classtype:attempted-admin; sid:2257; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC Messenger Service buffer overflow attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|04 00|"; within:2; byte_test:1,>,15,2,relative; byte_jump:4,86,little,align,relative; byte_jump:4,8,little,align,relative; byte_test:4,>,1024,0,little,relative; reference:bugtraq,8826; reference:cve,2003-0717; reference:url,www.microsoft.com/technet/security/bulletin/MS03-043.mspx; classtype:attempted-admin; sid:2258; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB DCERPC Workstation Service unicode bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,&,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 05 00 0B|"; within:15; distance:4; byte_test:1,&,16,1,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:29; reference:bugtraq,9011; reference:cve,2003-0812; reference:url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx; classtype:misc-attack; sid:2308; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB DCERPC Workstation Service bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,^,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00 05 00 0B|"; within:10; distance:4; byte_test:1,&,16,1,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:29; reference:bugtraq,9011; reference:cve,2003-0812; reference:url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx; classtype:misc-attack; sid:2309; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC Workstation Service unicode bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,&,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 05 00 0B|"; within:15; distance:4; byte_test:1,&,16,1,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:29; reference:bugtraq,9011; reference:cve,2003-0812; reference:url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx; classtype:misc-attack; sid:2310; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC Workstation Service bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,^,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00 05 00 0B|"; within:10; distance:4; byte_test:1,&,16,1,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:29; reference:bugtraq,9011; reference:cve,2003-0812; reference:url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx; classtype:misc-attack; sid:2311; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"NETBIOS DCERPC Workstation Service direct service bind attempt"; flow:to_server,established; content:"|05 00 0B|"; depth:3; byte_test:1,&,16,1,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:29; reference:bugtraq,9011; reference:cve,2003-0812; reference:url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx; classtype:misc-attack; sid:2315; rev:6;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"NETBIOS DCERPC Workstation Service direct service access attempt"; content:"|04 00|"; depth:2; byte_test:1,&,16,2,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:22; reference:bugtraq,9011; reference:cve,2003-0812; reference:url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx; classtype:misc-attack; sid:2316; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC print spool bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00 05 00 0B|"; within:17; distance:5; byte_test:1,&,16,1,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:29; flowbits:set,dce.printer.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2348; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC enumerate printers request attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|05|"; distance:1; content:"|00|"; within:1; distance:1; byte_test:1,&,3,0,relative; content:"|00 00|"; within:2; distance:19; flowbits:isset,dce.printer.bind; classtype:attempted-recon; sid:2349; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NTLMSSP invalid mechtype attempt"; flow:to_server,established; content:"|FF|SMBs"; depth:5; offset:4; nocase; content:"`"; depth:1; offset:63; content:"|06 06|+|06 01 05 05 02|"; within:8; distance:1; content:"|06 0A|+|06 01 04 01 82|7|02 02 0A|"; distance:0; content:"|A1 05 23 03 03 01 07|"; distance:0; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; classtype:attempted-dos; sid:2382; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC NTLMSSP invalid mechtype attempt"; flow:to_server,established; content:"|FF|SMBs"; depth:5; offset:4; nocase; content:"`"; depth:1; offset:63; content:"|06 06|+|06 01 05 05 02|"; within:8; distance:1; content:"|06 0A|+|06 01 04 01 82|7|02 02 0A|"; distance:0; content:"|A1 05 23 03 03 01 07|"; distance:0; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; classtype:attempted-dos; sid:2383; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NTLMSSP invalid mechlistMIC attempt"; flow:to_server,established; content:"|FF|SMBs"; depth:5; offset:4; nocase; content:"`"; depth:1; offset:63; content:"|00 00 00|b|06 83 00 00 06|+|06 01 05 05 02|"; within:15; distance:1; content:"|06 0A|+|06 01 04 01 82|7|02 02 0A|"; distance:0; content:"|A3|>0<|A0|0"; distance:0; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12054; classtype:attempted-dos; sid:2384; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC NTLMSSP invalid mechlistMIC attempt"; flow:to_server,established; content:"|FF|SMBs"; depth:5; offset:4; nocase; content:"`"; depth:1; offset:63; content:"|00 00 00|b|06 83 00 00 06|+|06 01 05 05 02|"; within:15; distance:1; content:"|06 0A|+|06 01 04 01 82|7|02 02 0A|"; distance:0; content:"|A3|>0<|A0|0"; distance:0; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12054; classtype:attempted-dos; sid:2385; rev:9;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB Session Setup AndX request username overflow attempt"; flow:to_server,established; content:"|00|"; depth:1; byte_test:2,>,322,2; content:"|FF|SMBs"; depth:5; offset:4; nocase; byte_test:1,<,128,6,relative; content:"|00 00 00 00|"; within:4; distance:42; byte_test:2,>,255,8,relative,little; content:!"|00|"; within:255; distance:10; reference:bugtraq,9752; reference:url,www.eeye.com/html/Research/Advisories/AD20040226.html; classtype:attempted-admin; sid:2401; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS Session Setup AndX request username overflow attempt"; flow:to_server,established; content:"|00|"; depth:1; byte_test:2,>,322,2; content:"|FF|SMBs"; depth:5; offset:4; nocase; byte_test:1,<,128,6,relative; content:"|00 00 00 00|"; within:4; distance:42; byte_test:2,>,255,8,relative,little; content:!"|00|"; within:255; distance:10; reference:bugtraq,9752; reference:url,www.eeye.com/html/Research/Advisories/AD20040226.html; classtype:attempted-admin; sid:2402; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB Session Setup AndX request unicode username overflow attempt"; flow:to_server,established; content:"|00 00|"; distance:0; content:"|00 00|"; distance:0; content:"|00|"; depth:1; byte_test:2,>,322,2; content:"|FF|SMBs"; depth:5; offset:4; nocase; byte_test:1,&,128,6,relative; byte_test:2,>,255,54,relative,little; content:"|00|"; distance:56; content:"|00 00|"; distance:255; content:"|00 00|"; distance:0; reference:bugtraq,9752; reference:url,www.eeye.com/html/Research/Advisories/AD20040226.html; classtype:attempted-admin; sid:2403; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS Session Setup AndX request unicode username overflow attempt"; flow:to_server,established; content:"|00 00|"; distance:0; content:"|00 00|"; distance:0; content:"|00|"; depth:1; byte_test:2,>,322,2; content:"|FF|SMBs"; depth:5; offset:4; nocase; byte_test:1,&,128,6,relative; byte_test:2,>,255,54,relative,little; content:"|00|"; distance:56; content:"|00 00|"; distance:255; content:"|00 00|"; distance:0; reference:bugtraq,9752; reference:url,www.eeye.com/html/Research/Advisories/AD20040226.html; classtype:attempted-admin; sid:2404; rev:5;)
+
+
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCEPRC ORPCThis request flood attempt"; flow:to_server,established; content:"|05|"; within:1; content:"|00|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|05|"; within:1; distance:21; content:"MEOW"; flowbits:isset,dce.isystemactivator.bind.call.attempt; threshold:type both, track by_dst, count 20, seconds 60; reference:bugtraq,8811; reference:cve,2003-0813; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:misc-attack; sid:2494; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB DCEPRC ORPCThis request flood attempt"; flow:to_server,established; content:"|05|"; within:1; content:"|00|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|05|"; within:1; distance:21; content:"MEOW"; flowbits:isset,dce.isystemactivator.bind.call.attempt; threshold:type both, track by_dst, count 20, seconds 60; reference:bugtraq,8811; reference:cve,2003-0813; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:misc-attack; sid:2495; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCEPRC ORPCThis request flood attempt"; flow:to_server,established; content:"|05|"; within:1; content:"|00|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|05|"; within:1; distance:21; content:"MEOW"; flowbits:isset,dce.isystemactivator.bind.call.attempt; threshold:type both, track by_dst, count 20, seconds 60; reference:bugtraq,8811; reference:cve,2003-0813; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:misc-attack; sid:2496; rev:5;)
+
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC LSASS bind attempt"; flow:to_server,established; content:"|05|"; within:1; content:"|00|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:29; flowbits:set,netbios.lsass.bind.attempt; flowbits:noalert; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2507; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC LSASS direct bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB"; depth:4; offset:4; nocase; content:"|05|"; content:"|0B|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:29; flowbits:set,netbios.lsass.bind.attempt; flowbits:noalert; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2524; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC LSASS DsRolerUpgradeDownlevelServer Exploit attempt"; flow:to_server,established; content:"|05|"; within:1; content:"|00|"; within:1; distance:1; content:"|09 00|"; within:2; distance:19; flowbits:isset,netbios.lsass.bind.attempt; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2508; rev:6;)
+
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB DCERPC LSASS unicode bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,&,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 05 00 0B|"; within:15; distance:4; byte_test:1,&,16,1,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:29; flowbits:set,netbios.lsass.bind.attempt; flowbits:noalert; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2509; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB DCERPC LSASS bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,^,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00 05 00 0B|"; within:10; distance:4; byte_test:1,&,16,1,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:29; flowbits:set,netbios.lsass.bind.attempt; flowbits:noalert; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2510; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB DCERPC LSASS direct bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB"; depth:4; offset:4; nocase; content:"|05|"; content:"|0B|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:29; flowbits:set,netbios.lsass.bind.attempt; flowbits:noalert; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2525; rev:6;)
+
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt"; flow:to_server,established; flowbits:isset,netbios.lsass.bind.attempt; content:"|FF|SMB"; depth:4; offset:4; nocase; content:"|05|"; distance:59; content:"|00|"; within:1; distance:1; content:"|09 00|"; within:2; distance:19; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2511; rev:9;)
+
+
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC LSASS bind attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|05|"; within:1; distance:2; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:29; flowbits:set,netbios.lsass.bind.attempt; flowbits:noalert; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2512; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC LSASS direct bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB"; depth:4; offset:4; nocase; content:"|05|"; content:"|0B|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:29; flowbits:set,netbios.lsass.bind.attempt; flowbits:noalert; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2526; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC LSASS unicode bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 05 00 0B|"; within:15; distance:4; byte_test:1,&,16,1,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:29; flowbits:set,netbios.lsass.bind.attempt; flowbits:noalert; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2513; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt"; flow:to_server,established; flowbits:isset,netbios.lsass.bind.attempt; content:"|FF|SMB"; depth:4; offset:4; nocase; content:"|05|"; distance:59; content:"|00|"; within:1; distance:1; content:"|09 00|"; within:2; distance:19; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2514; rev:7;)
+alert udp $EXTERNAL_NET 137 -> $HOME_NET any (msg:"NETBIOS NS lookup response name overflow attempt"; byte_test:1,>,127,2; content:"|00 01|"; depth:2; offset:6; byte_test:1,>,32,12; reference:bugtraq,10333; reference:bugtraq,10334; reference:cve,2004-0444; reference:cve,2004-0445; reference:url,www.eeye.com/html/Research/Advisories/AD20040512A.html; classtype:attempted-admin; sid:2563; rev:4;)
+alert udp $EXTERNAL_NET 137 -> $HOME_NET 137 (msg:"NETBIOS NS lookup short response attempt"; dsize:<56; byte_test:1,>,127,2; content:"|00 01|"; depth:2; offset:6; reference:bugtraq,10334; reference:bugtraq,10335; reference:cve,2004-0444; reference:cve,2004-0445; reference:url,www.eeye.com/html/Research/Advisories/AD20040512C.html; classtype:attempted-admin; sid:2564; rev:4;)
diff --git a/scripts/s2b/snort_rules2.2/nntp.rules b/scripts/s2b/snort_rules2.2/nntp.rules
new file mode 100644
index 0000000000..9d4032a848
--- /dev/null
+++ b/scripts/s2b/snort_rules2.2/nntp.rules
@@ -0,0 +1,18 @@
+# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
+#    All rights reserved.
+# $Id: nntp.rules 91 2004-07-15 08:13:57Z rwinslow $
+#----------
+# NNTP RULES
+#----------
+
+alert tcp $EXTERNAL_NET 119 -> $HOME_NET any (msg:"NNTP return code buffer overflow attempt"; flow:to_server,established,no_stream; content:"200"; isdataat:64,relative; pcre:"/^200\s[^\n]{64}/smi"; reference:bugtraq,4900; reference:cve,2002-0909; classtype:protocol-command-decode; sid:1792; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"NNTP AUTHINFO USER overflow attempt"; flow:to_server,established; content:"AUTHINFO"; nocase; content:"USER"; distance:0; nocase; isdataat:200,relative; pcre:"/^AUTHINFO\s+USER\s[^\n]{200}/smi"; reference:arachnids,274; reference:bugtraq,1156; reference:cve,2000-0341; classtype:attempted-admin; sid:1538; rev:13;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"NNTP sendsys overflow attempt"; flow:to_server,established; content:"sendsys"; nocase; pcre:"/^sendsys\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-00045; classtype:attempted-admin; sid:2424; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"NNTP senduuname overflow attempt"; flow:to_server,established; content:"senduuname"; nocase; pcre:"/^senduuname\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-00045; classtype:attempted-admin; sid:2425; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"NNTP version overflow attempt"; flow:to_server,established; content:"version"; nocase; pcre:"/^version\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-00045; classtype:attempted-admin; sid:2426; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"NNTP checkgroups overflow attempt"; flow:to_server,established; content:"checkgroups"; nocase; pcre:"/^checkgroups\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-00045; classtype:attempted-admin; sid:2427; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"NNTP ihave overflow attempt"; flow:to_server,established; content:"ihave"; nocase; pcre:"/^ihave\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-00045; classtype:attempted-admin; sid:2428; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"NNTP sendme overflow attempt"; flow:to_server,established; content:"sendme"; nocase; pcre:"/^sendme\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-00045; classtype:attempted-admin; sid:2429; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"NNTP newgroup overflow attempt"; flow:to_server,established; content:"newgroup"; nocase; pcre:"/^newgroup\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-00045; classtype:attempted-admin; sid:2430; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"NNTP rmgroup overflow attempt"; flow:to_server,established; content:"rmgroup"; nocase; pcre:"/^rmgroup\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-00045; classtype:attempted-admin; sid:2431; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"NNTP article post without path attempt"; flow:to_server,established; content:"takethis"; nocase; pcre:!"/^takethis.*?Path\x3a.*?[\r]{0,1}?\n[\r]{0,1}\n/si"; classtype:attempted-admin; sid:2432; rev:2;)
diff --git a/scripts/s2b/snort_rules2.2/oracle.rules b/scripts/s2b/snort_rules2.2/oracle.rules
new file mode 100644
index 0000000000..4e4f8947b3
--- /dev/null
+++ b/scripts/s2b/snort_rules2.2/oracle.rules
@@ -0,0 +1,44 @@
+# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
+#    All rights reserved.
+# $Id: oracle.rules 91 2004-07-15 08:13:57Z rwinslow $
+#----------
+# ORACLE RULES
+#----------
+#
+# These signatures detect unusual and potentially malicious oracle traffic.
+# These signatures are based from signatures written by Hank Leininger
+# <hlein@progressive-comp.com> for Enterasys's Dragon IDS that he released
+# publicly.
+#
+# These signatures are not enabled by default as they may generate false
+# positive alarms on networks that do oracle development.  If you use an
+# Oracle based web application, you should set the destination port to
+# 80 to catch attackers attempting to exploit your web application.
+#
+
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE EXECUTE_SYSTEM attempt"; flow:to_server,established; content:"EXECUTE_SYSTEM"; nocase; classtype:system-call-detect; sid:1673; rev:3;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE connect_data remote version detection attempt"; flow:to_server,established; content:"connect_data|28|command=version|29|"; nocase; classtype:protocol-command-decode; sid:1674; rev:5;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE misparsed login response"; flow:from_server,established; content:"description=|28|"; nocase; content:!"connect_data=|28|sid="; nocase; content:!"address=|28|protocol=tcp"; nocase; classtype:suspicious-login; sid:1675; rev:4;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE select union attempt"; flow:to_server,established; content:"select "; nocase; content:" union "; nocase; classtype:protocol-command-decode; sid:1676; rev:3;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE select like '%' attempt"; flow:to_server,established; content:" where "; nocase; content:" like '%'"; nocase; classtype:protocol-command-decode; sid:1677; rev:3;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE select like '%' attempt backslash escaped"; flow:to_server,established; content:" where "; nocase; content:" like |22|%|22|"; nocase; classtype:protocol-command-decode; sid:1678; rev:5;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE describe attempt"; flow:to_server,established; content:"describe "; nocase; classtype:protocol-command-decode; sid:1679; rev:4;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE all_constraints access"; flow:to_server,established; content:"all_constraints"; nocase; classtype:protocol-command-decode; sid:1680; rev:3;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE all_views access"; flow:to_server,established; content:"all_views"; nocase; classtype:protocol-command-decode; sid:1681; rev:3;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE all_source access"; flow:to_server,established; content:"all_source"; nocase; classtype:protocol-command-decode; sid:1682; rev:3;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE all_tables access"; flow:to_server,established; content:"all_tables"; nocase; classtype:protocol-command-decode; sid:1683; rev:3;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE all_tab_columns access"; flow:to_server,established; content:"all_tab_columns"; nocase; classtype:protocol-command-decode; sid:1684; rev:3;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE all_tab_privs access"; flow:to_server,established; content:"all_tab_privs"; nocase; classtype:protocol-command-decode; sid:1685; rev:4;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dba_tablespace access"; flow:to_server,established; content:"dba_tablespace"; nocase; classtype:protocol-command-decode; sid:1686; rev:3;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dba_tables access"; flow:to_server,established; content:"dba_tables"; nocase; classtype:protocol-command-decode; sid:1687; rev:3;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE user_tablespace access"; flow:to_server,established; content:"user_tablespace"; nocase; classtype:protocol-command-decode; sid:1688; rev:3;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.all_users access"; flow:to_server,established; content:"sys.all_users"; nocase; classtype:protocol-command-decode; sid:1689; rev:3;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE grant attempt"; flow:to_server,established; content:"grant "; nocase; content:" to "; nocase; classtype:protocol-command-decode; sid:1690; rev:3;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE ALTER USER attempt"; flow:to_server,established; content:"alter user"; nocase; content:" identified by "; nocase; classtype:protocol-command-decode; sid:1691; rev:3;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE drop table attempt"; flow:to_server,established; content:"drop table"; nocase; classtype:protocol-command-decode; sid:1692; rev:3;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE create table attempt"; flow:to_server,established; content:"create table"; nocase; classtype:protocol-command-decode; sid:1693; rev:4;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE alter table attempt"; flow:to_server,established; content:"alter table"; nocase; classtype:protocol-command-decode; sid:1694; rev:3;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE truncate table attempt"; flow:to_server,established; content:"truncate table"; nocase; classtype:protocol-command-decode; sid:1695; rev:3;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE create database attempt"; flow:to_server,established; content:"create database"; nocase; classtype:protocol-command-decode; sid:1696; rev:3;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE alter database attempt"; flow:to_server,established; content:"alter database"; nocase; classtype:protocol-command-decode; sid:1697; rev:3;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE generate_replication_support prefix overflow attempt"; flow:to_server,established; content:"generate_replication_support"; nocase; pcre:"/(package|procedure)_prefix[\s\r\n]*=>[\s\r\n]*('[^']{1000,}|"[^"]{1000,})/Rsmi"; classtype:attempted-user; sid:2576; rev:2;)
diff --git a/scripts/s2b/snort_rules2.2/other-ids.rules b/scripts/s2b/snort_rules2.2/other-ids.rules
new file mode 100644
index 0000000000..ead2e6bcb2
--- /dev/null
+++ b/scripts/s2b/snort_rules2.2/other-ids.rules
@@ -0,0 +1,22 @@
+# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
+#    All rights reserved.
+# $Id: other-ids.rules 91 2004-07-15 08:13:57Z rwinslow $
+# ---------------
+# OTHER-IDS RULES
+# ---------------
+# These signatures look for uses of other IDSs.
+#
+# These signatures serve two purposes.
+#  1) If you are "IDS GUY" for a company, and someone else sets up an IDS
+#     without letting you know, thats bad.
+#  2) If you are "pen-tester", this is a good way to find out what IDS
+#     systems your target is using after you have gained access to their
+#     network.
+#
+
+
+alert tcp $HOME_NET 902 -> $EXTERNAL_NET any (msg:"OTHER-IDS ISS RealSecure 6 event collector connection attempt"; flow:from_server,established; content:"6ISS ECNRA Built-In Provider, Strong Encryption"; depth:70; offset:30; nocase; classtype:successful-recon-limited; sid:1760; rev:3;)
+alert tcp $HOME_NET 2998 -> $EXTERNAL_NET any (msg:"OTHER-IDS ISS RealSecure 6 daemon connection attempt"; flow:from_server,established; content:"6ISS ECNRA Built-In Provider, Strong Encryption"; depth:70; offset:30; nocase; classtype:successful-recon-limited; sid:1761; rev:3;)
+
+# To limit false positives, limit to the default port of 975
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"OTHER-IDS SecureNetPro traffic"; flow:established; content:"|00|g|00 01 00 03|"; depth:6; classtype:bad-unknown; sid:1629; rev:6;)
diff --git a/scripts/s2b/snort_rules2.2/p2p.rules b/scripts/s2b/snort_rules2.2/p2p.rules
new file mode 100644
index 0000000000..ea3fcbba19
--- /dev/null
+++ b/scripts/s2b/snort_rules2.2/p2p.rules
@@ -0,0 +1,25 @@
+# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
+#    All rights reserved.
+# $Id: p2p.rules 91 2004-07-15 08:13:57Z rwinslow $
+#-------------
+# P2P RULES
+#-------------
+# These signatures look for usage of P2P protocols, which are usually
+# against corporate policy
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET 8888 (msg:"P2P napster login"; flow:to_server,established; content:"|00 02 00|"; depth:3; offset:1; classtype:policy-violation; sid:549; rev:8;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 8888 (msg:"P2P napster new user login"; flow:to_server,established; content:"|00 06 00|"; depth:3; offset:1; classtype:policy-violation; sid:550; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 8888 (msg:"P2P napster download attempt"; flow:to_server,established; content:"|00 CB 00|"; depth:3; offset:1; classtype:policy-violation; sid:551; rev:7;)
+alert tcp $EXTERNAL_NET 8888 -> $HOME_NET any (msg:"P2P napster upload request"; flow:from_server,established; content:"|00|_|02|"; depth:3; offset:1; classtype:policy-violation; sid:552; rev:7;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"P2P GNUTella client request"; flow:to_server,established; content:"GNUTELLA"; depth:8; classtype:policy-violation; sid:1432; rev:6;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"P2P Outbound GNUTella client request"; flow:to_server,established; content:"GNUTELLA CONNECT"; depth:40; classtype:policy-violation; sid:556; rev:5;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"P2P GNUTella client request"; flow:to_server,established; content:"GNUTELLA OK"; depth:40; classtype:policy-violation; sid:557; rev:6;)
+alert tcp $HOME_NET any <> $EXTERNAL_NET 6699 (msg:"P2P Napster Client Data"; flow:established; content:".mp3"; nocase; classtype:policy-violation; sid:561; rev:6;)
+alert tcp $HOME_NET any <> $EXTERNAL_NET 7777 (msg:"P2P Napster Client Data"; flow:to_server,established; content:".mp3"; nocase; classtype:policy-violation; sid:562; rev:5;)
+alert tcp $HOME_NET any <> $EXTERNAL_NET 6666 (msg:"P2P Napster Client Data"; flow:established; content:".mp3"; nocase; classtype:policy-violation; sid:563; rev:6;)
+alert tcp $HOME_NET any <> $EXTERNAL_NET 5555 (msg:"P2P Napster Client Data"; flow:established; content:".mp3"; nocase; classtype:policy-violation; sid:564; rev:7;)
+alert tcp $HOME_NET any <> $EXTERNAL_NET 8875 (msg:"P2P Napster Server Login"; flow:established; content:"anon@napster.com"; classtype:policy-violation; sid:565; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 1214 (msg:"P2P Fastrack kazaa/morpheus GET request"; flow:to_server,established; content:"GET "; depth:4; reference:url,www.kazaa.com; reference:url,www.musiccity.com/technology.htm; classtype:policy-violation; sid:1383; rev:6;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"P2P Fastrack kazaa/morpheus traffic"; flow:to_server,established; content:"GET"; depth:3; content:"UserAgent|3A| KazaaClient"; reference:url,www.kazaa.com; classtype:policy-violation; sid:1699; rev:7;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"P2P BitTorrent announce request"; flow:to_server,established; content:"GET"; depth:4; content:"/announce"; distance:1; content:"info_hash="; offset:4; content:"event=started"; offset:4; classtype:policy-violation; sid:2180; rev:2;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 6881:6889 (msg:"P2P BitTorrent transfer"; flow:to_server,established; content:"|13|BitTorrent protocol"; depth:20; classtype:policy-violation; sid:2181; rev:2;)
diff --git a/scripts/s2b/snort_rules2.2/policy.rules b/scripts/s2b/snort_rules2.2/policy.rules
new file mode 100644
index 0000000000..457e18f5ea
--- /dev/null
+++ b/scripts/s2b/snort_rules2.2/policy.rules
@@ -0,0 +1,40 @@
+# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
+#    All rights reserved.
+# $Id: policy.rules 91 2004-07-15 08:13:57Z rwinslow $
+#-------------
+# POLICY RULES
+#-------------
+#
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY FTP anonymous login attempt"; flow:to_server,established; content:"USER"; nocase; pcre:"/^USER\s+(anonymous|ftp)/smi"; classtype:misc-activity; sid:553; rev:7;)
+
+alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"POLICY WinGate telnet server response"; flow:from_server,established; content:"WinGate>"; reference:arachnids,366; reference:cve,1999-0657; classtype:misc-activity; sid:555; rev:8;)
+
+
+# we have started to see multiple versions of this beyond 003.003, so we have
+# expanded this signature to take that into account.
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"POLICY VNC server response"; flow:established; content:"RFB 0"; depth:5; content:".0"; depth:2; offset:7; classtype:misc-activity; sid:560; rev:6;)
+
+alert udp $EXTERNAL_NET any -> $HOME_NET 5632 (msg:"POLICY PCAnywhere server response"; content:"ST"; depth:2; reference:arachnids,239; classtype:misc-activity; sid:566; rev:4;)
+alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"POLICY SMTP relaying denied"; flow:established,from_server; content:"550 5.7.1"; depth:70; reference:arachnids,249; reference:url,mail-abuse.org/tsi/ar-fix.html; classtype:misc-activity; sid:567; rev:11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 9100 (msg:"POLICY HP JetDirect LCD modification attempt"; flow:to_server,established; content:"@PJL RDYMSG DISPLAY ="; reference:arachnids,302; reference:bugtraq,2245; classtype:misc-activity; sid:568; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 9000:9002 (msg:"POLICY HP JetDirect LCD modification attempt"; flow:to_server,established; content:"@PJL RDYMSG DISPLAY ="; reference:arachnids,302; reference:bugtraq,2245; classtype:misc-activity; sid:510; rev:8;)
+alert ip 63.251.224.177 any -> $HOME_NET any (msg:"POLICY poll.gotomypc.com access"; reference:url,www.gotomypc.com/help2.tmpl; classtype:misc-activity; sid:1429; rev:2;)
+
+# NOTES: This signature would be better off using uricontent, and having the
+# http decoder looking at 5800 and 5802, but that is on by default
+alert tcp $EXTERNAL_NET any -> $HOME_NET 5800:5802 (msg:"POLICY vncviewer Java applet download attempt"; flow:to_server,established; content:"/vncviewer.jar"; reference:nessus,10758; classtype:misc-activity; sid:1846; rev:4;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY FTP file_id.diz access possible warez site"; flow:to_server,established; content:"RETR"; nocase; content:"file_id.diz"; distance:1; nocase; classtype:suspicious-filename-detect; sid:1445; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY FTP 'STOR 1MB' possible warez site"; flow:to_server,established; content:"STOR"; nocase; content:"1MB"; distance:1; nocase; classtype:misc-activity; sid:543; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY FTP 'RETR 1MB' possible warez site"; flow:to_server,established; content:"RETR"; nocase; content:"1MB"; distance:1; nocase; classtype:misc-activity; sid:544; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY FTP 'CWD  ' possible warez site"; flow:to_server,established; content:"CWD  "; depth:5; nocase; classtype:misc-activity; sid:546; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY FTP 'MKD  ' possible warez site"; flow:to_Server,established; content:"MKD  "; depth:5; nocase; classtype:misc-activity; sid:547; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY FTP 'MKD .' possible warez site"; flow:to_server,established; content:"MKD ."; depth:5; nocase; classtype:misc-activity; sid:548; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY FTP 'CWD / ' possible warez site"; flow:to_server,established; content:"CWD"; nocase; content:"/ "; distance:1; classtype:misc-activity; sid:545; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY FTP 'MKD / ' possible warez site"; flow:to_server,established; content:"MKD"; nocase; content:"/ "; distance:1; classtype:misc-activity; sid:554; rev:6;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 1723 (msg:"POLICY PPTP Start Control Request attempt"; flow:to_server,established,no_stream; content:"|00 01|"; depth:2; offset:2; content:"|00 01|"; depth:2; offset:8; classtype:attempted-admin; sid:2044; rev:5;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 49 (msg:"POLICY xtacacs login attempt"; content:"|80 01|"; depth:2; content:"|00|"; distance:4; classtype:misc-activity; sid:2040; rev:3;)
+alert udp $HOME_NET 49 -> $EXTERNAL_NET any (msg:"POLICY xtacacs accepted login response"; content:"|80 02|"; depth:2; content:"|01|"; distance:4; classtype:misc-activity; sid:2042; rev:3;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"POLICY IPSec PGPNet connection attempt"; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 10 02 00 00 00 00 00 00 00 00 88 0D 00 00 5C 00 00 00 01 00 00 00 01 00 00 00|P|01 01 00 02 03 00 00 24 01 01 00 00 80 01 00 06 80 02 00 02 80 03 00 03 80 04 00 05 80 0B 00 01 00 0C 00 04 00 01|Q|80 00 00 00 24 02 01 00 00 80 01 00 05 80 02 00 01 80 03 00 03 80 04 00 02 80 0B 00 01 00 0C 00 04 00 01|Q|80 00 00 00 10|"; classtype:protocol-command-decode; sid:1771; rev:6;)
diff --git a/scripts/s2b/snort_rules2.2/pop2.rules b/scripts/s2b/snort_rules2.2/pop2.rules
new file mode 100644
index 0000000000..303cd1608a
--- /dev/null
+++ b/scripts/s2b/snort_rules2.2/pop2.rules
@@ -0,0 +1,11 @@
+# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
+#    All rights reserved.
+# $Id: pop2.rules 91 2004-07-15 08:13:57Z rwinslow $
+#--------------
+# POP2 RULES
+#--------------
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 109 (msg:"POP2 FOLD overflow attempt"; flow:established,to_server; isdataat:256,relative; content:"FOLD"; pcre:"/^FOLD\s[^\n]{256}/smi"; reference:bugtraq,283; reference:cve,1999-0920; classtype:attempted-admin; sid:1934; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 109 (msg:"POP2 FOLD arbitrary file attempt"; flow:established,to_server; pcre:"/^FOLD\s+\//smi"; content:"FOLD"; classtype:misc-attack; sid:1935; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 109 (msg:"POP2 x86 Linux overflow"; flow:established,to_server; content:"|EB|,[|89 D9 80 C1 06|9|D9 7C 07 80 01|"; classtype:attempted-admin; sid:284; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 109 (msg:"POP2 x86 Linux overflow"; flow:established,to_server; content:"|FF FF FF|/BIN/SH|00|"; classtype:attempted-admin; sid:285; rev:6;)
diff --git a/scripts/s2b/snort_rules2.2/pop3.rules b/scripts/s2b/snort_rules2.2/pop3.rules
new file mode 100644
index 0000000000..678eddd7a2
--- /dev/null
+++ b/scripts/s2b/snort_rules2.2/pop3.rules
@@ -0,0 +1,42 @@
+# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
+#    All rights reserved.
+# $Id: pop3.rules 91 2004-07-15 08:13:57Z rwinslow $
+#--------------
+# POP3 RULES
+#--------------
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 DELE negative arguement attempt"; flow:to_server,established; content:"DELE"; nocase; pcre:"/^DELE\s+-\d/smi"; reference:bugtraq,6053; reference:bugtraq,7445; reference:cve,2002-1539; classtype:misc-attack; sid:2121; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 UIDL negative arguement attempt"; flow:to_server,established; content:"UIDL"; nocase; pcre:"/^UIDL\s+-\d/smi"; reference:bugtraq,6053; reference:cve,2002-1539; classtype:misc-attack; sid:2122; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 USER overflow attempt"; flow:to_server,established; content:"USER"; nocase; isdataat:50,relative; pcre:"/^USER\s[^\n]{50,}/smi"; reference:bugtraq,789; reference:cve,1999-0494; reference:nessus,10311; classtype:attempted-admin; sid:1866; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 CAPA overflow attempt"; flow:to_server,established; content:"CAPA"; nocase; isdataat:10,relative; pcre:"/^CAPA\s[^\n]{10}/smi"; classtype:attempted-admin; sid:2108; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 TOP overflow attempt"; flow:to_server,established; content:"TOP"; nocase; isdataat:10,relative; pcre:"/^TOP\s[^\n]{10}/smi"; classtype:attempted-admin; sid:2109; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 STAT overflow attempt"; flow:to_server,established; content:"STAT"; nocase; isdataat:10,relative; pcre:"/^STAT\s[^\n]{10}/smi"; classtype:attempted-admin; sid:2110; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 DELE overflow attempt"; flow:to_server,established; content:"DELE"; nocase; isdataat:10,relative; pcre:"/^DELE\s[^\n]{10}/smi"; classtype:attempted-admin; sid:2111; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 RSET overflow attempt"; flow:to_server,established; content:"RSET"; nocase; isdataat:10,relative; pcre:"/^RSET\s[^\n]{10}/smi"; classtype:attempted-admin; sid:2112; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 AUTH overflow attempt"; flow:to_server,established; content:"AUTH"; nocase; isdataat:50,relative; pcre:"/^AUTH\s[^\n]{50}/smi"; classtype:attempted-admin; sid:1936; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 LIST overflow attempt"; flow:to_server,established; content:"LIST"; nocase; isdataat:10,relative; pcre:"/^LIST\s[^\n]{10}/smi"; reference:bugtraq,948; reference:cve,2000-0096; classtype:attempted-admin; sid:1937; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 XTND overflow attempt"; flow:to_server,established; content:"XTND"; nocase; isdataat:50,relative; pcre:"/^XTND\s[^\n]{50}/smi"; classtype:attempted-admin; sid:1938; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 PASS overflow attempt"; flow:to_server,established; content:"PASS"; nocase; isdataat:50,relative; pcre:"/^PASS\s[^\n]{50}/smi"; reference:cve,1999-1511; reference:nessus,10325; classtype:attempted-admin; sid:1634; rev:11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 APOP overflow attempt"; flow:to_server,established; content:"APOP"; nocase; isdataat:256,relative; pcre:"/^APOP\s[^\n]{256}/smi"; reference:bugtraq,1652; reference:cve,2000-0840; reference:cve,2000-0841; reference:nessus,10559; classtype:attempted-admin; sid:1635; rev:13;)
+
+# bsd-qpopper.c
+# overflow in the reading of a line in qpopper
+alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 EXPLOIT x86 BSD overflow"; flow:to_server,established; content:"^|0E|1|C0 B0 3B 8D|~|0E 89 FA 89 F9|"; reference:bugtraq,133; reference:cve,1999-0006; classtype:attempted-admin; sid:286; rev:9;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 EXPLOIT x86 BSD overflow"; flow:to_server,established; content:"h]^|FF D5 FF D4 FF F5 8B F5 90|f1"; classtype:attempted-admin; sid:287; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 EXPLOIT x86 Linux overflow"; flow:to_server,established; content:"|D8|@|CD 80 E8 D9 FF FF FF|/bin/sh"; classtype:attempted-admin; sid:288; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 EXPLOIT x86 SCO overflow"; flow:to_server,established; content:"V|0E|1|C0 B0 3B 8D|~|12 89 F9 89 F9|"; classtype:attempted-admin; sid:289; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 EXPLOIT qpopper overflow"; flow:to_server,established; content:"|E8 D9 FF FF FF|/bin/sh"; reference:bugtraq,830; reference:cve,1999-0822; classtype:attempted-admin; sid:290; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 USER format string attempt"; flow:to_server,established; content:"USER"; nocase; content:"%"; distance:1; content:"%"; distance:1; reference:bugtraq,7667; reference:nessus,11742; classtype:attempted-admin; sid:2250; rev:1;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 login brute force attempt"; flow:to_server,established; content:"USER"; nocase; threshold:type threshold, track by_dst, count 30, seconds 30; classtype:suspicious-login; sid:2274; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 APOP USER overflow attempt"; flow:to_server,established; content:"APOP"; nocase; isdataat:256,relative; pcre:"/^APOP\s+USER\s[^\n]{256}/smi"; reference:bugtraq,9794; classtype:attempted-admin; sid:2409; rev:1;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"POP3 SSLv3 invalid timestamp attempt"; flow:to_server,established; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; byte_test:4,>,2147483647,5,relative; reference:bugtraq,10115; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2501; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"POP3 SSLv3 invalid data version attempt"; flow:to_server,established; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; content:!"|03|"; depth:1; offset:9; reference:bugtraq,10115; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2502; rev:7;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"PO3 PCT Client_Hello overflow attempt"; flow:to_server,established; content:"|01|"; depth:1; offset:2; byte_test:2,>,0,6; byte_test:2,!,0,8; byte_test:2,!,16,8; byte_test:2,>,20,10; content:"|8F|"; depth:1; offset:11; byte_test:2,>,32768,0,relative; reference:bugtraq,10116; reference:cve,2003-0719; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2518; rev:10;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"POP3 SSLv3 Client_Hello request"; flow:to_server,established; flowbits:isnotset,sslv3.client_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; flowbits:set,sslv3.client_hello.request; flowbits:noalert; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2535; rev:3;)
+alert tcp $HOME_NET 995 -> $EXTERNAL_NET any (msg:"POP3 SSLv3 Server_Hello request"; flow:to_client,established; flowbits:isset,sslv3.client_hello.request; content:"|16 03|"; depth:2; content:"|02|"; depth:1; offset:5; flowbits:set,sslv3.server_hello.request; flowbits:noalert; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2536; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 993 (msg:"POP3 SSLv3 invalid Client_Hello attempt"; flow:to_server,established; flowbits:isset,sslv3.server_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2537; rev:3;)
+
diff --git a/scripts/s2b/snort_rules2.2/porn.rules b/scripts/s2b/snort_rules2.2/porn.rules
new file mode 100644
index 0000000000..e565722457
--- /dev/null
+++ b/scripts/s2b/snort_rules2.2/porn.rules
@@ -0,0 +1,36 @@
+# (C) Copyright 2001,2002, Martin Roesch, Brian Caswell, et al.
+#    All rights reserved.
+# $Id: porn.rules 91 2004-07-15 08:13:57Z rwinslow $
+#-------------
+# PORN RULES
+#-------------
+#
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN alt.binaries.pictures.erotica"; flow:to_client,established; content:"alt.binaries.pictures.erotica"; nocase; classtype:kickass-porn; sid:1836; rev:2;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN alt.binaries.pictures.tinygirls"; flow:to_client,established; content:"alt.binaries.pictures.tinygirls"; nocase; classtype:kickass-porn; sid:1837; rev:2;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN free XXX"; content:"FREE XXX"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1310; rev:5;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN hardcore anal"; content:"hardcore anal"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1311; rev:5;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN nude cheerleader"; content:"nude cheerleader"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1312; rev:5;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN up skirt"; content:"up skirt"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1313; rev:5;)
+# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN young teen"; content:"young teen"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1314; rev:5;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN hot young sex"; content:"hot young sex"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1315; rev:5;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN fuck fuck fuck"; content:"fuck fuck fuck"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1316; rev:5;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN anal sex"; content:"anal sex"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1317; rev:5;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN hardcore rape"; content:"hardcore rape"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1318; rev:5;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN real snuff"; content:"real snuff"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1319; rev:5;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN fuck movies"; content:"fuck movies"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1320; rev:5;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN dildo"; content:"dildo"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1781; rev:1;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN nipple clamp"; content:"nipple"; nocase; content:"clamp"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1782; rev:1;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN oral sex"; content:"oral sex"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1783; rev:1;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN nude celeb"; content:"nude celeb"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1784; rev:1;)
+# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN voyeur"; content:"voyeur"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1785; rev:1;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN raw sex"; content:"raw sex"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1786; rev:1;)
+# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN fetish"; content:"fetish"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1793; rev:1;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN masturbation"; content:"masturbat"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1794; rev:1;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN ejaculation"; content:"ejaculat"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1795; rev:1;)
+# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN virgin"; content:"virgin "; nocase; flow:to_client,established; classtype:kickass-porn; sid:1796; rev:2;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN BDSM"; content:"BDSM"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1797; rev:1;)
+# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN erotica"; content:"erotic"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1798; rev:1;)
+# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN fisting"; content:"fisting"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1799; rev:1;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN naked lesbians"; content:"naked lesbians"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1833; rev:1;)
+
diff --git a/scripts/s2b/snort_rules2.2/reference.config b/scripts/s2b/snort_rules2.2/reference.config
new file mode 100644
index 0000000000..f60eeaf726
--- /dev/null
+++ b/scripts/s2b/snort_rules2.2/reference.config
@@ -0,0 +1,14 @@
+# $Id: reference.config 91 2004-07-15 08:13:57Z rwinslow $
+# The following defines URLs for the references found in the rules
+#
+# config reference: system URL
+
+config reference: bugtraq   http://www.securityfocus.com/bid/ 
+config reference: cve       http://cve.mitre.org/cgi-bin/cvename.cgi?name=
+config reference: arachNIDS http://www.whitehats.com/info/IDS
+
+# Note, this one needs a suffix as well.... lets add that in a bit.
+config reference: McAfee    http://vil.nai.com/vil/content/v_
+config reference: nessus    http://cgi.nessus.org/plugins/dump.php3?id=
+config reference: url       http://
+
diff --git a/scripts/s2b/snort_rules2.2/rpc.rules b/scripts/s2b/snort_rules2.2/rpc.rules
new file mode 100644
index 0000000000..c5ab37e07c
--- /dev/null
+++ b/scripts/s2b/snort_rules2.2/rpc.rules
@@ -0,0 +1,219 @@
+# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
+#    All rights reserved.
+# $Id: rpc.rules 91 2004-07-15 08:13:57Z rwinslow $
+#----------
+# RPC RULES
+#----------
+
+
+# portmap specific stuff.
+
+## bleck.  Not happy about this.  because of the non-rule ordering foo, I'm
+## checking the first byte in the version, which should always be 0.  When we
+## alert multiple times on a packet, I'll put these rules back to:
+##   content:"|0a 01 86 a0|"; offset:16; depth:4; content:"|00 00 00 05|";
+##    distance:4; within:4;
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap proxy integer overflow attempt TCP"; flow:to_server,established; content:"|00 01 86 A0 00|"; depth:5; offset:16; content:"|00 00 00 05|"; within:4; distance:3; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,2048,12,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,7123; reference:cve,2003-0028; classtype:rpc-portmap-decode; sid:2093; rev:5;)
+# this rule makes me not happy as well.  see above.
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap proxy integer overflow attempt UDP"; content:"|00 01 86 A0 00|"; depth:5; offset:12; content:"|00 00 00 05|"; within:4; distance:3; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,2048,12,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,7123; reference:cve,2003-0028; classtype:rpc-portmap-decode; sid:2092; rev:5;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap proxy attempt TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 05|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:rpc-portmap-decode; sid:1922; rev:6;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap proxy attempt UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 05|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:rpc-portmap-decode; sid:1923; rev:6;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap listing UDP 111"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 04|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,428; classtype:rpc-portmap-decode; sid:1280; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap listing TCP 111"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 04|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,428; classtype:rpc-portmap-decode; sid:598; rev:12;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap SET attempt TCP 111"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:rpc-portmap-decode; sid:1949; rev:5;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap SET attempt UDP 111"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:rpc-portmap-decode; sid:1950; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap UNSET attempt TCP 111"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 02|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,1892; classtype:rpc-portmap-decode; sid:2014; rev:5;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap UNSET attempt UDP 111"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 02|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,1892; classtype:rpc-portmap-decode; sid:2015; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 32771 (msg:"RPC portmap listing TCP 32771"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 04|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,429; classtype:rpc-portmap-decode; sid:599; rev:11;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 32771 (msg:"RPC portmap listing UDP 32771"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 04|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,429; classtype:rpc-portmap-decode; sid:1281; rev:7;)
+
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap cachefsd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 8B|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,4674; reference:cve,2002-0033; reference:cve,2002-0084; classtype:rpc-portmap-decode; sid:1746; rev:11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap cachefsd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 8B|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,4674; reference:cve,2002-0033; reference:cve,2002-0084; classtype:rpc-portmap-decode; sid:1747; rev:11;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap rwalld request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A8|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:rpc-portmap-decode; sid:1732; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap rwalld request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A8|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:rpc-portmap-decode; sid:1733; rev:9;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap admind request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F7|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,18; classtype:rpc-portmap-decode; sid:575; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap admind request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F7|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,18; classtype:rpc-portmap-decode; sid:1262; rev:9;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap amountd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 03|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,19; classtype:rpc-portmap-decode; sid:576; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap amountd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 03|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,19; classtype:rpc-portmap-decode; sid:1263; rev:11;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap bootparam request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 BA|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,16; reference:cve,1999-0647; classtype:rpc-portmap-decode; sid:577; rev:13;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap bootparam request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 BA|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,16; reference:cve,1999-0647; classtype:rpc-portmap-decode; sid:1264; rev:13;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap nisd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 CC|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,21; classtype:rpc-portmap-decode; sid:580; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap nisd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 CC|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,21; classtype:rpc-portmap-decode; sid:1267; rev:11;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap pcnfsd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 02|I|F1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,22; classtype:rpc-portmap-decode; sid:581; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap pcnfsd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 02|I|F1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,22; classtype:rpc-portmap-decode; sid:1268; rev:12;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap rexd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,23; classtype:rpc-portmap-decode; sid:582; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap rexd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,23; classtype:rpc-portmap-decode; sid:1269; rev:10;)
+
+
+# rusers
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap rusers request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A2|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,133; reference:cve,1999-0626; classtype:rpc-portmap-decode; sid:584; rev:11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap rusers request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A2|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,133; reference:cve,1999-0626; classtype:rpc-portmap-decode; sid:1271; rev:14;)
+# XXX - Need to find out if rusers exists on TCP and if so, implement one of
+# these for TCP...
+alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC rusers query UDP"; content:"|00 01 86 A2|"; depth:4; offset:12; content:"|00 00 00 02|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:cve,1999-0626; classtype:attempted-recon; sid:612; rev:6;)
+
+
+
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap selection_svc request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 AF|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,25; classtype:rpc-portmap-decode; sid:586; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap selection_svc request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 AF|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,25; classtype:rpc-portmap-decode; sid:1273; rev:10;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap status request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B8|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,15; classtype:rpc-portmap-decode; sid:587; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap status request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B8|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,15; classtype:rpc-portmap-decode; sid:2016; rev:6;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap snmpXdmi request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 99|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,2417; reference:cve,2001-0236; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:593; rev:18;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap snmpXdmi request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 99|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,2417; reference:cve,2001-0236; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:1279; rev:14;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC snmpXdmi overflow attempt TCP"; flow:to_server,established; content:"|00 01 87 99|"; depth:4; offset:16; content:"|00 00 01 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,20,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,2417; reference:cve,2001-0236; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:attempted-admin; sid:569; rev:14;)
+alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC snmpXdmi overflow attempt UDP"; content:"|00 01 87 99|"; depth:4; offset:12; content:"|00 00 01 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,20,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,2417; reference:cve,2001-0236; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:attempted-admin; sid:2045; rev:8;)
+
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap espd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 F7|u"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,2714; reference:cve,2001-0331; classtype:rpc-portmap-decode; sid:2017; rev:12;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap espd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 F7|u"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,2714; reference:cve,2001-0331; classtype:rpc-portmap-decode; sid:595; rev:16;)
+
+
+alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"RPC status GHBN format string attack"; content:"|00 01 86 B8|"; depth:4; offset:12; content:"|00 00 00 02|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"%x %x"; within:256; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,1480; reference:cve,2000-0666; classtype:misc-attack; sid:1890; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"RPC status GHBN format string attack"; flow:to_server, established; content:"|00 01 86 B8|"; depth:4; offset:16; content:"|00 00 00 02|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"%x %x"; within:256; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,1480; reference:cve,2000-0666; classtype:misc-attack; sid:1891; rev:8;)
+
+
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap mountd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A5|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,13; classtype:rpc-portmap-decode; sid:579; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap mountd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A5|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,13; classtype:rpc-portmap-decode; sid:1266; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd TCP export request"; flow:to_server,established; content:"|00 01 86 A5|"; depth:4; offset:16; content:"|00 00 00 05|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,26; classtype:attempted-recon; sid:574; rev:8;)
+alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd UDP export request"; content:"|00 01 86 A5|"; depth:4; offset:12; content:"|00 00 00 05|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,26; classtype:attempted-recon; sid:1924; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd TCP exportall request"; flow:to_server,established; content:"|00 01 86 A5|"; depth:4; offset:16; content:"|00 00 00 06|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,26; classtype:attempted-recon; sid:1925; rev:6;)
+alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd UDP exportall request"; content:"|00 01 86 A5|"; depth:4; offset:12; content:"|00 00 00 06|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,26; classtype:attempted-recon; sid:1926; rev:6;)
+
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd TCP mount path overflow attempt"; flow:to_server,established; content:"|00 01 86 A5 00|"; depth:5; offset:16; content:"|00 00 00 01|"; within:4; distance:3; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1023,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,8179; reference:cve,2003-0252; reference:nessus,11800; classtype:misc-attack; sid:2184; rev:7;)
+alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd UDP mount path overflow attempt"; content:"|00 01 86 A5 00|"; depth:5; offset:12; content:"|00 00 00 01|"; within:4; distance:3; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1023,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,8179; reference:cve,2003-0252; reference:nessus,11800; classtype:misc-attack; sid:2185; rev:7;)
+
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd TCP mount request"; flow:to_server,established; content:"|00 01 86 A5|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:attempted-recon; sid:1951; rev:5;)
+alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd UDP mount request"; content:"|00 01 86 A5|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:attempted-recon; sid:1952; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd TCP dump request"; flow:to_server,established; content:"|00 01 86 A5|"; depth:4; offset:16; content:"|00 00 00 02|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:attempted-recon; sid:2018; rev:4;)
+alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd UDP dump request"; content:"|00 01 86 A5|"; depth:4; offset:12; content:"|00 00 00 02|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:attempted-recon; sid:2019; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd TCP unmount request"; flow:to_server,established; content:"|00 01 86 A5|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:attempted-recon; sid:2020; rev:4;)
+alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd UDP unmount request"; content:"|00 01 86 A5|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:attempted-recon; sid:2021; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd TCP unmountall request"; flow:to_server,established; content:"|00 01 86 A5|"; depth:4; offset:16; content:"|00 00 00 04|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:attempted-recon; sid:2022; rev:4;)
+alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd UDP unmountall request"; content:"|00 01 86 A5|"; depth:4; offset:12; content:"|00 00 00 04|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:attempted-recon; sid:2023; rev:4;)
+
+
+# amd
+alert udp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"RPC AMD UDP amqproc_mount plog overflow attempt"; content:"|00 04 93 F3|"; depth:4; offset:12; content:"|00 00 00 07|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,512,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,614; reference:cve,1999-0704; classtype:misc-attack; sid:1905; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"RPC AMD TCP amqproc_mount plog overflow attempt"; flow:to_server,established; content:"|00 04 93 F3|"; depth:4; offset:16; content:"|00 00 00 07|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,512,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,614; reference:cve,1999-0704; classtype:misc-attack; sid:1906; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"RPC AMD TCP pid request"; flow:to_server,established; content:"|00 04 93 F3|"; depth:4; offset:16; content:"|00 00 00 09|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:rpc-portmap-decode; sid:1953; rev:5;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"RPC AMD UDP pid request"; content:"|00 04 93 F3|"; depth:4; offset:12; content:"|00 00 00 09|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:rpc-portmap-decode; sid:1954; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"RPC AMD TCP version request"; flow:to_server,established; content:"|00 04 93 F3|"; depth:4; offset:16; content:"|00 00 00 08|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:rpc-portmap-decode; sid:1955; rev:6;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"RPC AMD UDP version request"; content:"|00 04 93 F3|"; depth:4; offset:12; content:"|00 00 00 08|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:rpc-portmap-decode; sid:1956; rev:5;)
+
+# cmsd
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap cmsd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 E4|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,17; classtype:rpc-portmap-decode; sid:578; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap cmsd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 E4|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,17; classtype:rpc-portmap-decode; sid:1265; rev:9;)
+
+alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC CMSD UDP CMSD_CREATE buffer overflow attempt"; content:"|00 01 86 E4|"; depth:4; offset:12; content:"|00 00 00 15|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,524; reference:cve,1999-0696; classtype:attempted-admin; sid:1907; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC CMSD TCP CMSD_CREATE buffer overflow attempt"; flow:to_server,established; content:"|00 01 86 E4|"; depth:4; offset:16; content:"|00 00 00 15|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,524; reference:cve,1999-0696; classtype:attempted-admin; sid:1908; rev:9;)
+alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC CMSD UDP CMSD_CREATE array buffer overflow attempt"; content:"|00 01 86 E4|"; depth:4; offset:12; content:"|00 00 00 15|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,20,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,5356; reference:cve,2002-0391; classtype:attempted-admin; sid:2094; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC CMSD TCP CMSD_CREATE array buffer overflow attempt"; flow:to_server,established; content:"|00 01 86 E4|"; depth:4; offset:16; content:"|00 00 00 15|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,20,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,5356; reference:cve,2002-0391; classtype:attempted-admin; sid:2095; rev:6;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC CMSD TCP CMSD_INSERT buffer overflow attempt"; flow:to_server,established; content:"|00 01 86 E4|"; depth:4; offset:16; content:"|00 00 00 06|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,1000,28,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:cve,1999-0696; reference:url,www.cert.org/advisories/CA-99-08-cmsd.html; classtype:misc-attack; sid:1909; rev:10;)
+alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC CMSD udp CMSD_INSERT buffer overflow attempt"; content:"|00 01 86 E4|"; depth:4; offset:12; content:"|00 00 00 06|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,1000,28,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:cve,1999-0696; reference:url,www.cert.org/advisories/CA-99-08-cmsd.html; classtype:misc-attack; sid:1910; rev:10;)
+
+
+# sadmind
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap sadmind request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 88|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,20; classtype:rpc-portmap-decode; sid:1272; rev:10;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap sadmind request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 88|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,20; classtype:rpc-portmap-decode; sid:585; rev:7;)
+alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC sadmind UDP NETMGT_PROC_SERVICE CLIENT_DOMAIN overflow attempt"; content:"|00 01 87 88|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,124,relative,align; byte_jump:4,20,relative,align; byte_test:4,>,512,4,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,0866; reference:bugtraq,866; reference:cve,1999-0977; classtype:attempted-admin; sid:1911; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC sadmind TCP NETMGT_PROC_SERVICE CLIENT_DOMAIN overflow attempt"; flow:to_server,established; content:"|00 01 87 88|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,124,relative,align; byte_jump:4,20,relative,align; byte_test:4,>,512,4,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,0866; reference:bugtraq,866; reference:cve,1999-0977; classtype:attempted-admin; sid:1912; rev:9;)
+
+alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC sadmind UDP PING"; content:"|00 01 87 88|"; depth:4; offset:12; content:"|00 00 00 00|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,866; classtype:attempted-admin; sid:1957; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC sadmind TCP PING"; flow:to_server,established; content:"|00 01 87 88|"; depth:4; offset:16; content:"|00 00 00 00|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,866; classtype:attempted-admin; sid:1958; rev:5;)
+
+
+# statd
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap rstatd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,10; classtype:rpc-portmap-decode; sid:583; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap rstatd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,10; classtype:rpc-portmap-decode; sid:1270; rev:11;)
+alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC STATD UDP stat mon_name format string exploit attempt"; content:"|00 01 86 B8|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,100,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,1480; reference:cve,2000-0666; classtype:attempted-admin; sid:1913; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC STATD TCP stat mon_name format string exploit attempt"; flow:to_server,established; content:"|00 01 86 B8|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,100,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,1480; reference:cve,2000-0666; classtype:attempted-admin; sid:1914; rev:10;)
+
+
+alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC STATD UDP monitor mon_name format string exploit attempt"; content:"|00 01 86 B8|"; depth:4; offset:12; content:"|00 00 00 02|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,100,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,1480; reference:cve,2000-0666; classtype:attempted-admin; sid:1915; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC STATD TCP monitor mon_name format string exploit attempt"; flow:to_server,established; content:"|00 01 86 B8|"; depth:4; offset:16; content:"|00 00 00 02|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,100,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,1480; reference:cve,2000-0666; classtype:attempted-admin; sid:1916; rev:9;)
+
+
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap ypupdated request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 BC|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,125; classtype:rpc-portmap-decode; sid:1277; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap ypupdated request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 BC|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,125; classtype:rpc-portmap-decode; sid:591; rev:10;)
+alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC ypupdated arbitrary command attempt UDP"; content:"|00 01 86 BC|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|7C|"; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:misc-attack; sid:2088; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC ypupdated arbitrary command attempt TCP"; flow:to_server,established; content:"|00 01 86 BC|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|7C|"; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:misc-attack; sid:2089; rev:5;)
+
+# NFS
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap NFS request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A3|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:rpc-portmap-decode; sid:1959; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap NFS request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A3|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:rpc-portmap-decode; sid:1960; rev:7;)
+
+
+# rquota
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap RQUOTA request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 AB|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:rpc-portmap-decode; sid:1961; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap RQUOTA request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 AB|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:rpc-portmap-decode; sid:1962; rev:7;)
+alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC RQUOTA getquota overflow attempt UDP"; content:"|00 01 86 AB|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,128,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,864; reference:cve,1999-0974; classtype:misc-attack; sid:1963; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC RQUOTA getquota overflow attempt TCP"; flow:to_server,established; content:"|00 01 86 AB|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,128,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,864; reference:cve,1999-0974; classtype:misc-attack; sid:2024; rev:8;)
+
+
+
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap ttdbserv request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F3|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,24; reference:bugtraq,122; reference:bugtraq,3382; reference:cve,1999-0003; reference:cve,1999-0687; reference:cve,1999-1075; reference:cve,2001-0717; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:588; rev:17;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap ttdbserv request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F3|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,24; reference:bugtraq,122; reference:bugtraq,3382; reference:cve,1999-0003; reference:cve,1999-0687; reference:cve,1999-1075; reference:cve,2001-0717; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:1274; rev:17;)
+
+alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC tooltalk UDP overflow attempt"; content:"|00 01 86 F3|"; depth:4; offset:12; content:"|00 00 00 07|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,128,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,122; reference:cve,1999-0003; classtype:misc-attack; sid:1964; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC tooltalk TCP overflow attempt"; flow:to_server,established; content:"|00 01 86 F3|"; depth:4; offset:16; content:"|00 00 00 07|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,128,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,122; reference:cve,1999-0003; classtype:misc-attack; sid:1965; rev:8;)
+
+# not sure what this rule is looking for, other than the procedure 15
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 (msg:"RPC DOS ttdbserv Solaris"; flow:to_server,established; content:"|00 00 00 00|"; depth:4; offset:8; content:"|00 01 86 F3 00 00 00 01 00 00 00 0F 00 00 00 01|"; depth:32; offset:16; reference:arachnids,241; reference:bugtraq,122; reference:cve,1999-0003; classtype:attempted-dos; sid:572; rev:9;)
+
+
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap yppasswd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A9|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,14; classtype:rpc-portmap-decode; sid:589; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap yppasswd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A9|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,14; classtype:rpc-portmap-decode; sid:1275; rev:10;)
+
+alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC yppasswd old password overflow attempt UDP"; content:"|00 01 86 A9|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,64,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; classtype:rpc-portmap-decode; sid:2027; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC yppasswd old password overflow attempt TCP"; flow:to_server,established; content:"|00 01 86 A9|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,64,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; classtype:rpc-portmap-decode; sid:2028; rev:5;)
+
+
+alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC yppasswd username overflow attempt UDP"; content:"|00 01 86 A9|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,64,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,2763; reference:cve,2001-0779; classtype:rpc-portmap-decode; sid:2025; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC yppasswd username overflow attempt TCP"; flow:to_server,established; content:"|00 01 86 A9|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,64,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,2763; reference:cve,2001-0779; classtype:rpc-portmap-decode; sid:2026; rev:9;)
+
+
+
+# XXX - These need re-verified
+alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC yppasswd new password overflow attempt UDP"; content:"|00 01 86 A9|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,64,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; classtype:rpc-portmap-decode; sid:2029; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC yppasswd new password overflow attempt TCP"; flow:to_server,established; content:"|00 01 86 A9|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,64,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; classtype:rpc-portmap-decode; sid:2030; rev:6;)
+
+
+alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC yppasswd user update UDP"; content:"|00 01 86 A9|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:rpc-portmap-decode; sid:2031; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC yppasswd user update TCP"; flow:to_server,established; content:"|00 01 86 A9|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:rpc-portmap-decode; sid:2032; rev:5;)
+
+
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap ypserv request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A4|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,12; reference:bugtraq,5914; reference:bugtraq,6016; reference:cve,2000-1042; reference:cve,2000-1043; reference:cve,2002-1232; classtype:rpc-portmap-decode; sid:590; rev:12;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap ypserv request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A4|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,12; reference:bugtraq,5914; reference:bugtraq,6016; reference:cve,2000-1042; reference:cve,2000-1043; reference:cve,2002-1232; classtype:rpc-portmap-decode; sid:1276; rev:14;)
+alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC ypserv maplist request UDP"; content:"|00 01 86 A4|"; depth:4; offset:12; content:"|00 00 00 0B|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,5914; reference:bugtraq,6016; reference:cve,2002-1232; classtype:rpc-portmap-decode; sid:2033; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC ypserv maplist request TCP"; flow:to_server,established; content:"|00 01 86 A4|"; depth:4; offset:16; content:"|00 00 00 0B|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:Cve,CAN-2002-1232; reference:bugtraq,5914; reference:bugtraq,6016; classtype:rpc-portmap-decode; sid:2034; rev:7;)
+
+
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap network-status-monitor request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 03 0D|p"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:rpc-portmap-decode; sid:2035; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap network-status-monitor request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 03 0D|p"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:rpc-portmap-decode; sid:2036; rev:6;)
+
+
+alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC network-status-monitor mon-callback request UDP"; content:"|00 03 0D|p"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:rpc-portmap-decode; sid:2037; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC network-status-monitor mon-callback request TCP"; flow:to_server,established; content:"|00 03 0D|p"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:rpc-portmap-decode; sid:2038; rev:5;)
+
+
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap nlockmgr request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B5|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,1372; reference:cve,2000-0508; classtype:rpc-portmap-decode; sid:2079; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap nlockmgr request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B5|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,1372; reference:cve,2000-0508; classtype:rpc-portmap-decode; sid:2080; rev:6;)
+
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap rpc.xfsmd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 F7|h"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,5072; reference:bugtraq,5075; reference:cve,2002-0359; classtype:rpc-portmap-decode; sid:2081; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap rpc.xfsmd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 F7|h"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,5072; reference:bugtraq,5075; reference:cve,2002-0359; classtype:rpc-portmap-decode; sid:2082; rev:9;)
+
+alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC rpc.xfsmd xfs_export attempt UDP"; content:"|00 05 F7|h"; depth:4; offset:12; content:"|00 00 00 0D|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,5072; reference:bugtraq,5075; reference:cve,2002-0359; classtype:rpc-portmap-decode; sid:2083; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC rpc.xfsmd xfs_export attempt TCP"; flow:to_server,established; content:"|00 05 F7|h"; depth:4; offset:16; content:"|00 00 00 0D|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,5072; reference:bugtraq,5075; reference:cve,2002-0359; classtype:rpc-portmap-decode; sid:2084; rev:8;)
+
+
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap kcms_server request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87|}"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,6665; reference:cve,2003-0027; reference:url,www.kb.cert.org/vuls/id/850785; classtype:rpc-portmap-decode; sid:2005; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap kcms_server request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87|}"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,6665; reference:cve,2003-0027; reference:url,www.kb.cert.org/vuls/id/850785; classtype:rpc-portmap-decode; sid:2006; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 (msg:"RPC kcms_server directory traversal attempt"; flow:to_server,established; content:"|00 01 87|}"; depth:4; offset:16; byte_jump:4,20,relative,align; byte_jump:4,4,relative,align; content:"/../"; distance:0; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,6665; reference:cve,2003-0027; reference:url,www.kb.cert.org/vuls/id/850785; classtype:misc-attack; sid:2007; rev:10;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC sadmind query with root credentials attempt TCP"; flow:to_server,established; content:"|00 01 87 88|"; depth:4; offset:16; content:"|00 00 00 01 00 00 00 01|"; within:8; distance:4; byte_jump:4,8,relative,align; content:"|00 00 00 00|"; within:4; classtype:misc-attack; sid:2255; rev:3;)
+alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC sadmind query with root credentials attempt UDP"; content:"|00 01 87 88|"; depth:4; offset:12; content:"|00 00 00 01 00 00 00 01|"; within:8; distance:4; byte_jump:4,8,relative,align; content:"|00 00 00 00|"; within:4; classtype:misc-attack; sid:2256; rev:3;)
diff --git a/scripts/s2b/snort_rules2.2/rservices.rules b/scripts/s2b/snort_rules2.2/rservices.rules
new file mode 100644
index 0000000000..d570ad3b57
--- /dev/null
+++ b/scripts/s2b/snort_rules2.2/rservices.rules
@@ -0,0 +1,20 @@
+# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
+#    All rights reserved.
+# $Id: rservices.rules 91 2004-07-15 08:13:57Z rwinslow $
+#----------------
+# RSERVICES RULES
+#----------------
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"RSERVICES rlogin LinuxNIS"; flow:to_server,established; content:"|3A 3A 3A 3A 3A 3A 3A 3A 00 3A 3A 3A 3A 3A 3A 3A 3A|"; classtype:bad-unknown; sid:601; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"RSERVICES rlogin bin"; flow:to_server,established; content:"bin|00|bin|00|"; reference:arachnids,384; classtype:attempted-user; sid:602; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"RSERVICES rlogin echo++"; flow:to_server,established; content:"echo |22| + + |22|"; reference:arachnids,385; classtype:bad-unknown; sid:603; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"RSERVICES rsh froot"; flow:to_server,established; content:"-froot|00|"; reference:arachnids,387; classtype:attempted-admin; sid:604; rev:5;)
+alert tcp $HOME_NET 513 -> $EXTERNAL_NET any (msg:"RSERVICES rlogin login failure"; flow:from_server,established; content:"|01|rlogind|3A| Permission denied."; reference:arachnids,392; classtype:unsuccessful-user; sid:611; rev:7;)
+alert tcp $HOME_NET 513 -> $EXTERNAL_NET any (msg:"RSERVICES rlogin login failure"; flow:from_server,established; content:"login incorrect"; reference:arachnids,393; classtype:unsuccessful-user; sid:605; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"RSERVICES rlogin root"; flow:to_server,established; content:"root|00|root|00|"; reference:arachnids,389; classtype:attempted-admin; sid:606; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"RSERVICES rsh bin"; flow:to_server,established; content:"bin|00|bin|00|"; reference:arachnids,390; classtype:attempted-user; sid:607; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"RSERVICES rsh echo + +"; flow:to_server,established; content:"echo |22|+ +|22|"; reference:arachnids,388; classtype:attempted-user; sid:608; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"RSERVICES rsh froot"; flow:to_server,established; content:"-froot|00|"; reference:arachnids,387; classtype:attempted-admin; sid:609; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"RSERVICES rsh root"; flow:to_server,established; content:"root|00|root|00|"; reference:arachnids,391; classtype:attempted-admin; sid:610; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 512 (msg:"RSERVICES rexec username overflow attempt"; flow:to_server,established; content:"|00|"; offset:9; content:"|00|"; distance:0; content:"|00|"; distance:0; classtype:attempted-admin; sid:2113; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 512 (msg:"RSERVICES rexec password overflow attempt"; flow:to_server,established; content:"|00|"; content:"|00|"; distance:33; content:"|00|"; distance:0; classtype:attempted-admin; sid:2114; rev:3;)
diff --git a/scripts/s2b/snort_rules2.2/scan.rules b/scripts/s2b/snort_rules2.2/scan.rules
new file mode 100644
index 0000000000..2460971d64
--- /dev/null
+++ b/scripts/s2b/snort_rules2.2/scan.rules
@@ -0,0 +1,36 @@
+# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
+#    All rights reserved.
+# $Id: scan.rules 91 2004-07-15 08:13:57Z rwinslow $
+#-----------
+# SCAN RULES
+#-----------
+# These signatures are representitive of network scanners.  These include
+# port scanning, ip mapping, and various application scanners.
+#
+# NOTE: This does NOT include web scanners such as whisker.  Those are
+# in web*
+#
+
+alert tcp $EXTERNAL_NET 10101 -> $HOME_NET any (msg:"SCAN myscan"; ack:0; flags:S; ttl:>220; flow:stateless; reference:arachnids,439; classtype:attempted-recon; sid:613; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 113 (msg:"SCAN ident version request"; flow:to_server,established; content:"VERSION|0A|"; depth:16; reference:arachnids,303; classtype:attempted-recon; sid:616; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SCAN cybercop os probe"; dsize:0; flags:SF12; flow:stateless; reference:arachnids,146; classtype:attempted-recon; sid:619; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 3128 (msg:"SCAN Squid Proxy attempt"; flags:S,12; flow:stateless; classtype:attempted-recon; sid:618; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 1080 (msg:"SCAN SOCKS Proxy attempt"; flags:S,12; flow:stateless; reference:url,help.undernet.org/proxyscan/; classtype:attempted-recon; sid:615; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"SCAN Proxy Port 8080 attempt"; flags:S,12; flow:stateless; classtype:attempted-recon; sid:620; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN FIN"; flags:F,12; flow:stateless; reference:arachnids,27; classtype:attempted-recon; sid:621; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN ipEye SYN scan"; flags:S; seq:1958810375; flow:stateless; reference:arachnids,236; classtype:attempted-recon; sid:622; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN NULL"; ack:0; flags:0; seq:0; flow:stateless; reference:arachnids,4; classtype:attempted-recon; sid:623; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN SYN FIN"; flags:SF,12; flow:stateless; reference:arachnids,198; classtype:attempted-recon; sid:624; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN XMAS"; flags:SRAFPU,12; flow:stateless; reference:arachnids,144; classtype:attempted-recon; sid:625; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN nmap XMAS"; flags:FPU,12; flow:stateless; reference:arachnids,30; classtype:attempted-recon; sid:1228; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN synscan portscan"; flags:SF; id:39426; flow:stateless; reference:arachnids,441; classtype:attempted-recon; sid:630; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN cybercop os PA12 attempt"; flags:PA12; flow:stateless; content:"AAAAAAAAAAAAAAAA"; depth:16; reference:arachnids,149; classtype:attempted-recon; sid:626; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN cybercop os SFU12 probe"; ack:0; flags:SFU12; flow:stateless; content:"AAAAAAAAAAAAAAAA"; depth:16; reference:arachnids,150; classtype:attempted-recon; sid:627; rev:7;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 10080:10081 (msg:"SCAN Amanda client version request"; content:"Amanda"; nocase; classtype:attempted-recon; sid:634; rev:2;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 49 (msg:"SCAN XTACACS logout"; content:"|80 07 00 00 07 00 00 04 00 00 00 00 00|"; reference:arachnids,408; classtype:bad-unknown; sid:635; rev:3;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 7 (msg:"SCAN cybercop udp bomb"; content:"cybercop"; reference:arachnids,363; classtype:bad-unknown; sid:636; rev:1;)
+alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN Webtrends Scanner UDP Probe"; content:"|0A|help|0A|quite|0A|"; reference:arachnids,308; classtype:attempted-recon; sid:637; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SCAN SSH Version map attempt"; flow:to_server,established; content:"Version_Mapper"; nocase; classtype:network-scan; sid:1638; rev:5;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"SCAN UPnP service discover attempt"; content:"M-SEARCH "; depth:9; content:"ssdp|3A|discover"; classtype:network-scan; sid:1917; rev:6;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN SolarWinds IP scan attempt"; icode:0; itype:8; content:"SolarWinds.Net"; classtype:network-scan; sid:1918; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SCAN cybercop os probe"; ack:0; flags:SFP; flow:stateless; content:"AAAAAAAAAAAAAAAA"; depth:16; reference:arachnids,145; classtype:attempted-recon; sid:1133; rev:11;)
diff --git a/scripts/s2b/snort_rules2.2/shellcode.rules b/scripts/s2b/snort_rules2.2/shellcode.rules
new file mode 100644
index 0000000000..8958879ef7
--- /dev/null
+++ b/scripts/s2b/snort_rules2.2/shellcode.rules
@@ -0,0 +1,36 @@
+# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
+#    All rights reserved.
+# $Id: shellcode.rules 91 2004-07-15 08:13:57Z rwinslow $
+# ---------------
+# SHELLCODE RULES
+# ---------------
+# These signatures are based on shellcode that is common ammong multiple
+# publicly available exploits.
+#
+# Because these signatures check ALL traffic for shellcode, these signatures
+# are disabled by default.  There is a LARGE performance hit by enabling
+# these signatures.
+#
+
+alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE sparc setuid 0"; content:"|82 10| |17 91 D0| |08|"; reference:arachnids,282; classtype:system-call-detect; sid:647; rev:6;)
+alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE x86 setgid 0"; content:"|B0 B5 CD 80|"; reference:arachnids,284; classtype:system-call-detect; sid:649; rev:8;)
+alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE x86 setuid 0"; content:"|B0 17 CD 80|"; reference:arachnids,436; classtype:system-call-detect; sid:650; rev:8;)
+alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE SGI NOOP"; content:"|03 E0 F8|%|03 E0 F8|%|03 E0 F8|%|03 E0 F8|%"; reference:arachnids,356; classtype:shellcode-detect; sid:638; rev:5;)
+alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE SGI NOOP"; content:"|24 0F 12|4|24 0F 12|4|24 0F 12|4|24 0F 12|4"; reference:arachnids,357; classtype:shellcode-detect; sid:639; rev:5;)
+alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE AIX NOOP"; content:"O|FF FB 82|O|FF FB 82|O|FF FB 82|O|FF FB 82|"; classtype:shellcode-detect; sid:640; rev:6;)
+alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE Digital UNIX NOOP"; content:"G|FF 04 1F|G|FF 04 1F|G|FF 04 1F|G|FF 04 1F|"; reference:arachnids,352; classtype:shellcode-detect; sid:641; rev:6;)
+alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE HP-UX NOOP"; content:"|08|!|02 80 08|!|02 80 08|!|02 80 08|!|02 80|"; reference:arachnids,358; classtype:shellcode-detect; sid:642; rev:6;)
+alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE HP-UX NOOP"; content:"|0B|9|02 80 0B|9|02 80 0B|9|02 80 0B|9|02 80|"; reference:arachnids,359; classtype:shellcode-detect; sid:643; rev:7;)
+alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE sparc NOOP"; content:"|13 C0 1C A6 13 C0 1C A6 13 C0 1C A6 13 C0 1C A6|"; reference:arachnids,345; classtype:shellcode-detect; sid:644; rev:5;)
+alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE sparc NOOP"; content:"|80 1C|@|11 80 1C|@|11 80 1C|@|11 80 1C|@|11|"; reference:arachnids,353; classtype:shellcode-detect; sid:645; rev:5;)
+alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE sparc NOOP"; content:"|A6 1C C0 13 A6 1C C0 13 A6 1C C0 13 A6 1C C0 13|"; reference:arachnids,355; classtype:shellcode-detect; sid:646; rev:5;)
+alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE x86 NOOP"; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; depth:128; reference:arachnids,181; classtype:shellcode-detect; sid:648; rev:7;)
+alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE x86 stealth NOOP"; content:"|EB 02 EB 02 EB 02|"; reference:arachnids,291; classtype:shellcode-detect; sid:651; rev:8;)
+alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE x86 unicode NOOP"; content:"|90 00 90 00 90 00 90 00 90 00|"; classtype:shellcode-detect; sid:653; rev:8;)
+alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE Linux shellcode"; content:"|90 90 90 E8 C0 FF FF FF|/bin/sh"; reference:arachnids,343; classtype:shellcode-detect; sid:652; rev:9;)
+alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE x86 inc ebx NOOP"; content:"CCCCCCCCCCCCCCCCCCCCCCCC"; classtype:shellcode-detect; sid:1390; rev:5;)
+alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE x86 NOOP"; content:"aaaaaaaaaaaaaaaaaaaaa"; classtype:shellcode-detect; sid:1394; rev:5;)
+alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE x86 0xEB0C NOOP"; content:"|EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C|"; classtype:shellcode-detect; sid:1424; rev:6;)
+alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE x86 0x71FB7BAB NOOP"; content:"q|FB|{|AB|q|FB|{|AB|q|FB|{|AB|q|FB|{|AB|"; classtype:shellcode-detect; sid:2312; rev:2;)
+alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE x86 0x71FB7BAB NOOP unicode"; content:"q|00 FB 00|{|00 AB 00|q|00 FB 00|{|00 AB 00|q|00 FB 00|{|00 AB 00|q|00 FB 00|{|00 AB 00|"; classtype:shellcode-detect; sid:2313; rev:2;)
+alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE x86 0x90 NOOP unicode"; content:"|90 00 90 00 90 00 90 00 90 00 90 00 90 00 90 00|"; classtype:shellcode-detect; sid:2314; rev:1;)
diff --git a/scripts/s2b/snort_rules2.2/sid b/scripts/s2b/snort_rules2.2/sid
new file mode 100644
index 0000000000..5f6201b867
--- /dev/null
+++ b/scripts/s2b/snort_rules2.2/sid
@@ -0,0 +1,2 @@
+# $Id: sid 91 2004-07-15 08:13:57Z rwinslow $
+2577
diff --git a/scripts/s2b/snort_rules2.2/sid-msg.map b/scripts/s2b/snort_rules2.2/sid-msg.map
new file mode 100644
index 0000000000..afc9d6069b
--- /dev/null
+++ b/scripts/s2b/snort_rules2.2/sid-msg.map
@@ -0,0 +1,2431 @@
+# $Id: sid-msg.map 91 2004-07-15 08:13:57Z rwinslow $
+# Format: SID || MSG || Optional References || Optional References ...
+# SID -> MSG map
+
+103 || BACKDOOR subseven 22 || url,www.hackfix.org/subseven/ || arachnids,485
+104 || BACKDOOR - Dagger_1.4.0_client_connect || url,www.tlsecurity.net/backdoor/Dagger.1.4.html || arachnids,483
+105 || BACKDOOR - Dagger_1.4.0 || url,www.tlsecurity.net/backdoor/Dagger.1.4.html || arachnids,484
+106 || BACKDOOR ACKcmdC trojan scan || arachnids,445
+107 || BACKDOOR subseven DEFCON8 2.1 access
+108 || BACKDOOR QAZ Worm Client Login access || MCAFEE,98775
+109 || BACKDOOR netbus active || arachnids,401
+110 || BACKDOOR netbus getinfo || arachnids,403
+111 || BACKDOOR netbus getinfo || arachnids,403
+112 || BACKDOOR BackOrifice access || arachnids,400
+113 || BACKDOOR DeepThroat access || arachnids,405
+114 || BACKDOOR netbus active || arachnids,401
+115 || BACKDOOR netbus active || arachnids,401
+116 || BACKDOOR BackOrifice access || arachnids,399
+117 || BACKDOOR Infector.1.x || arachnids,315
+118 || BACKDOOR SatansBackdoor.2.0.Beta || arachnids,316
+119 || BACKDOOR Doly 2.0 access || arachnids,312
+120 || BACKDOOR Infector 1.6 Server to Client
+121 || BACKDOOR Infector 1.6 Client to Server Connection Request
+122 || BACKDOOR DeepThroat 3.1 System Info Client Request || arachnids,106
+124 || BACKDOOR DeepThroat 3.1 FTP Status Client Request || arachnids,106
+125 || BACKDOOR DeepThroat 3.1 E-Mail Info From Server || arachnids,106
+126 || BACKDOOR DeepThroat 3.1 E-Mail Info Client Request || arachnids,106
+127 || BACKDOOR DeepThroat 3.1 Server Status From Server || arachnids,106
+128 || BACKDOOR DeepThroat 3.1 Server Status Client Request || arachnids,106
+129 || BACKDOOR DeepThroat 3.1 Drive Info From Server || arachnids,106
+130 || BACKDOOR DeepThroat 3.1 System Info From Server || arachnids,106
+131 || BACKDOOR DeepThroat 3.1 Drive Info Client Request || arachnids,106
+132 || BACKDOOR DeepThroat 3.1 Server FTP Port Change From Server || arachnids,106
+133 || BACKDOOR DeepThroat 3.1 Cached Passwords Client Request || arachnids,106
+134 || BACKDOOR DeepThroat 3.1 RAS Passwords Client Request || arachnids,106
+135 || BACKDOOR DeepThroat 3.1 Server Password Change Client Request || arachnids,106
+136 || BACKDOOR DeepThroat 3.1 Server Password Remove Client Request || arachnids,106
+137 || BACKDOOR DeepThroat 3.1 Rehash Client Request || arachnids,106
+138 || BACKDOOR DeepThroat 3.1 Server Rehash Client Request || arachnids,106
+140 || BACKDOOR DeepThroat 3.1 ICQ Alert OFF Client Request || arachnids,106
+141 || BACKDOOR HackAttack 1.20 Connect
+142 || BACKDOOR DeepThroat 3.1 ICQ Alert ON Client Request || arachnids,106
+143 || BACKDOOR DeepThroat 3.1 Change Wallpaper Client Request || arachnids,106
+144 || FTP ADMw0rm ftp login attempt || arachnids,01
+145 || BACKDOOR GirlFriendaccess || arachnids,98
+146 || BACKDOOR NetSphere access || arachnids,76
+147 || BACKDOOR GateCrasher || arachnids,99
+148 || BACKDOOR DeepThroat 3.1 Keylogger Active on Network || arachnids,106
+149 || BACKDOOR DeepThroat 3.1 Client Sending Data to Server on Network || arachnids,106
+150 || BACKDOOR DeepThroat 3.1 Server Active on Network || arachnids,106
+151 || BACKDOOR DeepThroat 3.1 Client Sending Data to Server on Network || arachnids,106
+152 || BACKDOOR BackConstruction 2.1 Connection
+153 || BACKDOOR DonaldDick 1.53 Traffic
+154 || BACKDOOR DeepThroat 3.1 Wrong Password || arachnids,106
+155 || BACKDOOR NetSphere 1.31.337 access || arachnids,76
+156 || BACKDOOR DeepThroat 3.1 Visible Window List Client Request || arachnids,106
+157 || BACKDOOR BackConstruction 2.1 Client FTP Open Request
+158 || BACKDOOR BackConstruction 2.1 Server FTP Open Reply
+159 || BACKDOOR NetMetro File List || arachnids,79
+160 || BACKDOOR NetMetro Incoming Traffic || arachnids,79
+161 || BACKDOOR Matrix 2.0 Client connect || arachnids,83
+162 || BACKDOOR Matrix 2.0 Server access || arachnids,83
+163 || BACKDOOR WinCrash 1.0 Server Active || arachnids,36
+164 || BACKDOOR DeepThroat 3.1 Server Active on Network || arachnids,106
+165 || BACKDOOR DeepThroat 3.1 Keylogger on Server ON || arachnids,106
+166 || BACKDOOR DeepThroat 3.1 Show Picture Client Request || arachnids,106
+167 || BACKDOOR DeepThroat 3.1 Hide/Show Clock Client Request || arachnids,106
+168 || BACKDOOR DeepThroat 3.1 Hide/Show Desktop Client Request || arachnids,106
+169 || BACKDOOR DeepThroat 3.1 Swap Mouse Buttons Client Request || arachnids,106
+170 || BACKDOOR DeepThroat 3.1 Enable/Disable CTRL-ALT-DEL Client Request || arachnids,106
+171 || BACKDOOR DeepThroat 3.1 Freeze Mouse Client Request || arachnids,106
+172 || BACKDOOR DeepThroat 3.1 Show Dialog Box Client Request || arachnids,106
+173 || BACKDOOR DeepThroat 3.1 Show Replyable Dialog Box Client Request || arachnids,106
+174 || BACKDOOR DeepThroat 3.1 Hide/Show Start Button Client Request || arachnids,106
+175 || BACKDOOR DeepThroat 3.1 Resolution Change Client Request || arachnids,106
+176 || BACKDOOR DeepThroat 3.1 Hide/Show Start Button Client Request || arachnids,106
+177 || BACKDOOR DeepThroat 3.1 Keylogger on Server OFF || arachnids,106
+179 || BACKDOOR DeepThroat 3.1 FTP Server Port Client Request || arachnids,106
+180 || BACKDOOR DeepThroat 3.1 Process List Client request || arachnids,106
+181 || BACKDOOR DeepThroat 3.1 Close Port Scan Client Request || arachnids,106
+182 || BACKDOOR DeepThroat 3.1 Registry Add Client Request || arachnids,106
+183 || BACKDOOR SIGNATURE - Q ICMP || arachnids,202
+184 || BACKDOOR Q access || arachnids,203
+185 || BACKDOOR CDK || arachnids,263
+186 || BACKDOOR DeepThroat 3.1 Monitor on/off Client Request || arachnids,106
+187 || BACKDOOR DeepThroat 3.1 Delete File Client Request || arachnids,106
+188 || BACKDOOR DeepThroat 3.1 Kill Window Client Request || arachnids,106
+189 || BACKDOOR DeepThroat 3.1 Disable Window Client Request || arachnids,106
+190 || BACKDOOR DeepThroat 3.1 Enable Window Client Request || arachnids,106
+191 || BACKDOOR DeepThroat 3.1 Change Window Title Client Request || arachnids,106
+192 || BACKDOOR DeepThroat 3.1 Hide Window Client Request || arachnids,106
+193 || BACKDOOR DeepThroat 3.1 Show Window Client Request || arachnids,106
+194 || BACKDOOR DeepThroat 3.1 Send Text to Window Client Request || arachnids,106
+195 || BACKDOOR DeepThroat 3.1 Server Response || arachnids,106
+196 || BACKDOOR DeepThroat 3.1 Hide/Show Systray Client Request || arachnids,106
+197 || BACKDOOR DeepThroat 3.1 Create Directory Client Request || arachnids,106
+198 || BACKDOOR DeepThroat 3.1 All Window List Client Request || arachnids,106
+199 || BACKDOOR DeepThroat 3.1 Play Sound Client Request || arachnids,106
+200 || BACKDOOR DeepThroat 3.1 Run Program Normal Client Request || arachnids,106
+201 || BACKDOOR DeepThroat 3.1 Run Program Hidden Client Request || arachnids,106
+202 || BACKDOOR DeepThroat 3.1 Get NET File Client Request || arachnids,106
+203 || BACKDOOR DeepThroat 3.1 Find File Client Request || arachnids,106
+204 || BACKDOOR DeepThroat 3.1 Find File Client Request || arachnids,106
+205 || BACKDOOR DeepThroat 3.1 HUP Modem Client Request || arachnids,106
+206 || BACKDOOR DeepThroat 3.1 CD ROM Open Client Request || arachnids,106
+207 || BACKDOOR DeepThroat 3.1 CD ROM Close Client Request || arachnids,106
+208 || BACKDOOR PhaseZero Server Active on Network
+209 || BACKDOOR w00w00 attempt || arachnids,510
+210 || BACKDOOR attempt
+211 || BACKDOOR MISC r00t attempt
+212 || BACKDOOR MISC rewt attempt
+213 || BACKDOOR MISC Linux rootkit attempt
+214 || BACKDOOR MISC Linux rootkit attempt lrkr0x
+215 || BACKDOOR MISC Linux rootkit attempt
+216 || BACKDOOR MISC Linux rootkit satori attempt || arachnids,516
+217 || BACKDOOR MISC sm4ck attempt
+218 || BACKDOOR MISC Solaris 2.5 attempt
+219 || BACKDOOR HidePak backdoor attempt
+220 || BACKDOOR HideSource backdoor attempt
+221 || DDOS TFN Probe || arachnids,443
+222 || DDOS tfn2k icmp possible communication || arachnids,425
+223 || DDOS Trin00 Daemon to Master PONG message detected || arachnids,187
+224 || DDOS Stacheldraht server spoof || arachnids,193
+225 || DDOS Stacheldraht gag server response || arachnids,195
+226 || DDOS Stacheldraht server response || arachnids,191
+227 || DDOS Stacheldraht client spoofworks || arachnids,192
+228 || DDOS TFN client command BE || arachnids,184
+229 || DDOS Stacheldraht client check skillz || arachnids,190
+230 || DDOS shaft client login to handler || url,security.royans.net/info/posts/bugtraq_ddos3.shtml || arachnids,254
+231 || DDOS Trin00 Daemon to Master message detected || arachnids,186
+232 || DDOS Trin00 Daemon to Master *HELLO* message detected || url,www.sans.org/newlook/resources/IDFAQ/trinoo.htm || arachnids,185
+233 || DDOS Trin00 Attacker to Master default startup password || arachnids,197
+234 || DDOS Trin00 Attacker to Master default password
+235 || DDOS Trin00 Attacker to Master default mdie password
+236 || DDOS Stacheldraht client check gag || arachnids,194
+237 || DDOS Trin00 Master to Daemon default password attempt || arachnids,197
+238 || DDOS TFN server response || arachnids,182
+239 || DDOS shaft handler to agent || arachnids,255
+240 || DDOS shaft agent to handler || arachnids,256
+241 || DDOS shaft synflood || arachnids,253
+243 || DDOS mstream agent to handler
+244 || DDOS mstream handler to agent || cve,2000-0138
+245 || DDOS mstream handler ping to agent || cve,2000-0138
+246 || DDOS mstream agent pong to handler
+247 || DDOS mstream client to handler || cve,2000-0138
+248 || DDOS mstream handler to client || cve,2000-0138
+249 || DDOS mstream client to handler || cve,2000-0138 || arachnids,111
+250 || DDOS mstream handler to client || cve,2000-0138
+251 || DDOS - TFN client command LE || arachnids,183
+252 || DNS named iquery attempt || url,www.rfc-editor.org/rfc/rfc1035.txt || cve,1999-0009 || bugtraq,134 || arachnids,277
+253 || DNS SPOOF query response PTR with TTL of 1 min. and no authority
+254 || DNS SPOOF query response with TTL of 1 min. and no authority
+255 || DNS zone transfer TCP || cve,1999-0532 || arachnids,212
+256 || DNS named authors attempt || nessus,10728 || arachnids,480
+257 || DNS named version attempt || nessus,10028 || arachnids,278
+258 || DNS EXPLOIT named 8.2->8.2.1 || cve,1999-0833 || bugtraq,788
+259 || DNS EXPLOIT named overflow ADM || cve,1999-0833 || bugtraq,788
+260 || DNS EXPLOIT named overflow ADMROCKS || url,www.cert.org/advisories/CA-1999-14.html || cve,1999-0833 || bugtraq,788
+261 || DNS EXPLOIT named overflow attempt || url,www.cert.org/advisories/CA-1998-05.html
+262 || DNS EXPLOIT x86 Linux overflow attempt
+264 || DNS EXPLOIT x86 Linux overflow attempt
+265 || DNS EXPLOIT x86 Linux overflow attempt ADMv2
+266 || DNS EXPLOIT x86 FreeBSD overflow attempt
+267 || DNS EXPLOIT sparc overflow attempt
+268 || DOS Jolt attack || cve,1999-0345
+269 || DOS Land attack || cve,1999-0016 || bugtraq,2666
+270 || DOS Teardrop attack || url,www.cert.org/advisories/CA-1997-28.html || nessus,10279 || cve,1999-0015 || bugtraq,124
+271 || DOS UDP echo+chargen bomb || cve,1999-0635 || cve,1999-0103
+272 || DOS IGMP dos attack || cve,1999-0918 || bugtraq,514
+273 || DOS IGMP dos attack || cve,1999-0918 || bugtraq,514
+274 || DOS ath || cve,1999-1228 || arachnids,264
+275 || DOS NAPTHA || url,www.microsoft.com/technet/security/bulletin/MS00-091.mspx || url,www.cert.org/advisories/CA-2000-21.html || url,razor.bindview.com/publish/advisories/adv_NAPTHA.html || cve,2000-1039 || bugtraq,2022
+276 || DOS Real Audio Server || cve,2000-0474 || bugtraq,1288 || arachnids,411
+277 || DOS Real Server template.html || cve,2000-0474 || bugtraq,1288
+278 || DOS Real Server template.html || cve,2000-0474 || bugtraq,1288
+279 || DOS Bay/Nortel Nautica Marlin || cve,2000-0221 || bugtraq,1009
+281 || DOS Ascend Route || cve,1999-0060 || bugtraq,714 || arachnids,262
+282 || DOS arkiea backup || cve,1999-0788 || bugtraq,662 || arachnids,261
+283 || EXPLOIT Netscape 4.7 client overflow || cve,2000-1187 || cve,1999-1189 || bugtraq,822 || arachnids,215
+284 || POP2 x86 Linux overflow
+285 || POP2 x86 Linux overflow
+286 || POP3 EXPLOIT x86 BSD overflow || cve,1999-0006 || bugtraq,133
+287 || POP3 EXPLOIT x86 BSD overflow
+288 || POP3 EXPLOIT x86 Linux overflow
+289 || POP3 EXPLOIT x86 SCO overflow
+290 || POP3 EXPLOIT qpopper overflow || cve,1999-0822 || bugtraq,830
+291 || NNTP Cassandra Overflow || cve,2000-0341 || bugtraq,1156 || arachnids,274
+292 || EXPLOIT x86 Linux samba overflow || cve,1999-0811 || cve,1999-0182 || bugtraq,536 || bugtraq,1816
+293 || IMAP EXPLOIT overflow
+295 || IMAP EXPLOIT x86 linux overflow || cve,1999-0005 || bugtraq,130
+296 || IMAP EXPLOIT x86 linux overflow || cve,1999-0005 || bugtraq,130
+297 || IMAP EXPLOIT x86 linux overflow || cve,1999-0005 || bugtraq,130
+298 || IMAP EXPLOIT x86 linux overflow || cve,1999-0005 || bugtraq,130
+299 || IMAP EXPLOIT x86 linux overflow || cve, CVE-1999-0005 || bugtraq,130
+300 || EXPLOIT nlps x86 Solaris overflow || bugtraq,2319
+301 || EXPLOIT LPRng overflow || cve,2000-0917 || bugtraq,1712
+302 || EXPLOIT Redhat 7.0 lprd overflow
+303 || DNS EXPLOIT named tsig overflow attempt || cve,2001-0010 || bugtraq,2302 || arachnids,482
+304 || EXPLOIT SCO calserver overflow || cve,2000-0306 || bugtraq,2353
+305 || EXPLOIT delegate proxy overflow || cve,2000-0165 || bugtraq,808 || arachnids,267
+306 || EXPLOIT VQServer admin || url,www.vqsoft.com/vq/server/docs/other/control.html || cve,2000-0766 || bugtraq,1610
+307 || EXPLOIT CHAT IRC topic overflow || cve,1999-0672 || bugtraq,573
+308 || EXPLOIT NextFTP client overflow || cve,1999-0671 || bugtraq,572
+309 || EXPLOIT sniffit overflow || cve,2000-0343 || bugtraq,1158 || arachnids,273
+310 || EXPLOIT x86 windows MailMax overflow || cve,1999-0404 || bugtraq,2312
+311 || EXPLOIT Netscape 4.7 unsucessful overflow || cve,2000-1187 || cve,1999-1189 || bugtraq,822 || arachnids,214
+312 || EXPLOIT ntpdx overflow attempt || cve,2001-0414 || bugtraq,2540 || arachnids,492
+313 || EXPLOIT ntalkd x86 Linux overflow || bugtraq,210
+314 || DNS EXPLOIT named tsig overflow attempt || cve,2001-0010 || bugtraq,2303
+315 || EXPLOIT x86 Linux mountd overflow || cve,1999-0002 || bugtraq,121
+316 || EXPLOIT x86 Linux mountd overflow || cve,1999-0002 || bugtraq,121
+317 || EXPLOIT x86 Linux mountd overflow || cve,1999-0002 || bugtraq,121
+318 || EXPLOIT bootp x86 bsd overfow || cve,1999-0914 || bugtraq,324
+319 || EXPLOIT bootp x86 linux overflow || cve,1999-0799 || cve,1999-0798 || cve,1999-0389
+320 || FINGER cmd_rootsh backdoor attempt || url,www.sans.org/y2k/fingerd.htm || url,www.sans.org/y2k/TFN_toolkit.htm || nessus,10070 || cve,1999-0660
+321 || FINGER account enumeration attempt || nessus,10788
+322 || FINGER search query || cve,1999-0259 || arachnids,375
+323 || FINGER root query || arachnids,376
+324 || FINGER null request || arachnids,377
+325 || FINGER probe 0 attempt || arachnids,378
+326 || FINGER remote command execution attempt || cve,1999-0150 || bugtraq,974 || arachnids,379
+327 || FINGER remote command pipe execution attempt || cve,1999-0152 || bugtraq,2220 || arachnids,380
+328 || FINGER bomb attempt || cve,1999-0106 || arachnids,381
+329 || FINGER cybercop redirection || arachnids,11
+330 || FINGER redirection attempt || nessus,10073 || cve,1999-0105 || arachnids,251
+331 || FINGER cybercop query || cve,1999-0612 || arachnids,132
+332 || FINGER 0 query || nessus,10069 || cve,1999-0197 || arachnids,378 || arachnids,131
+333 || FINGER . query || nessus,10072 || cve,1999-0198 || arachnids,130
+334 || FTP .forward || arachnids,319
+335 || FTP .rhosts || arachnids,328
+336 || FTP CWD ~root attempt || cve,1999-0082 || arachnids,318
+337 || FTP CEL overflow attempt || cve,1999-0789 || bugtraq,679 || arachnids,257
+338 || FTP EXPLOIT format string || cve,2000-0573 || bugtraq,1387 || arachnids,453
+339 || FTP EXPLOIT OpenBSD x86 ftpd || cve,2001-0053 || bugtraq,2124 || arachnids,446
+340 || FTP EXPLOIT overflow
+341 || FTP EXPLOIT overflow
+342 || FTP EXPLOIT wu-ftpd 2.6.0 site exec format string overflow Solaris 2.8 || cve,2000-0573 || bugtraq,1387 || arachnids,451
+343 || FTP EXPLOIT wu-ftpd 2.6.0 site exec format string overflow FreeBSD || cve,2000-0573 || bugtraq,1387 || arachnids,228
+344 || FTP EXPLOIT wu-ftpd 2.6.0 site exec format string overflow Linux || cve,2000-0573 || bugtraq,1387 || arachnids,287
+345 || FTP EXPLOIT wu-ftpd 2.6.0 site exec format string overflow generic || nessus,10452 || cve,2000-0573 || bugtraq,1387 || arachnids,285
+346 || FTP EXPLOIT wu-ftpd 2.6.0 site exec format string check || cve,2000-0573 || bugtraq,1387 || arachnids,286
+348 || FTP EXPLOIT wu-ftpd 2.6.0 || bugtraq,1387 || arachnids,440
+349 || FTP EXPLOIT MKD overflow || cve,1999-0368 || bugtraq,2242 || bugtraq,113
+350 || FTP EXPLOIT x86 linux overflow || cve,1999-0368 || bugtraq,2242 || bugtraq,113
+351 || FTP EXPLOIT x86 linux overflow || cve,1999-0368 || bugtraq,2242 || bugtraq,113
+352 || FTP EXPLOIT x86 linux overflow || cve, CVE-1999-0368 || bugtraq, 113
+353 || FTP adm scan || arachnids,332
+354 || FTP iss scan || arachnids,331
+355 || FTP pass wh00t || arachnids,324
+356 || FTP passwd retrieval attempt || arachnids,213
+357 || FTP piss scan
+358 || FTP saint scan || arachnids,330
+359 || FTP satan scan || arachnids,329
+360 || FTP serv-u directory transversal || cve,2001-0054 || bugtraq,2052
+361 || FTP SITE EXEC attempt || cve,1999-0080 || bugtraq,2241 || arachnids,317
+362 || FTP tar parameters || cve,1999-0997 || cve,1999-0202 || bugtraq,2240 || arachnids,134
+363 || ICMP IRDP router advertisement || cve,1999-0875 || bugtraq,578 || arachnids,173
+364 || ICMP IRDP router selection || cve,1999-0875 || bugtraq,578 || arachnids,174
+365 || ICMP PING undefined code
+366 || ICMP PING *NIX
+368 || ICMP PING BSDtype || arachnids,152
+369 || ICMP PING BayRS Router || arachnids,444 || arachnids,438
+370 || ICMP PING BeOS4.x || arachnids,151
+371 || ICMP PING Cisco Type.x || arachnids,153
+372 || ICMP PING Delphi-Piette Windows || arachnids,155
+373 || ICMP PING Flowpoint2200 or Network Management Software || arachnids,156
+374 || ICMP PING IP NetMonitor Macintosh || arachnids,157
+375 || ICMP PING LINUX/*BSD || arachnids,447
+376 || ICMP PING Microsoft Windows || arachnids,159
+377 || ICMP PING Network Toolbox 3 Windows || arachnids,161
+378 || ICMP PING Ping-O-MeterWindows || arachnids,164
+379 || ICMP PING Pinger Windows || arachnids,163
+380 || ICMP PING Seer Windows || arachnids,166
+381 || ICMP PING Sun Solaris || arachnids,448
+382 || ICMP PING Windows || arachnids,169
+384 || ICMP PING
+385 || ICMP traceroute || arachnids,118
+386 || ICMP Address Mask Reply
+387 || ICMP Address Mask Reply undefined code
+388 || ICMP Address Mask Request
+389 || ICMP Address Mask Request undefined code
+390 || ICMP Alternate Host Address
+391 || ICMP Alternate Host Address undefined code
+392 || ICMP Datagram Conversion Error
+393 || ICMP Datagram Conversion Error undefined code
+394 || ICMP Destination Unreachable Destination Host Unknown
+395 || ICMP Destination Unreachable Destination Network Unknown
+396 || ICMP Destination Unreachable Fragmentation Needed and DF bit was set
+397 || ICMP Destination Unreachable Host Precedence Violation
+398 || ICMP Destination Unreachable Host Unreachable for Type of Service
+399 || ICMP Destination Unreachable Host Unreachable
+400 || ICMP Destination Unreachable Network Unreachable for Type of Service
+401 || ICMP Destination Unreachable Network Unreachable
+402 || ICMP Destination Unreachable Port Unreachable
+403 || ICMP Destination Unreachable Precedence Cutoff in effect
+404 || ICMP Destination Unreachable Protocol Unreachable
+405 || ICMP Destination Unreachable Source Host Isolated
+406 || ICMP Destination Unreachable Source Route Failed
+407 || ICMP Destination Unreachable cndefined code
+408 || ICMP Echo Reply
+409 || ICMP Echo Reply undefined code
+410 || ICMP Fragment Reassembly Time Exceeded
+411 || ICMP IPV6 I-Am-Here
+412 || ICMP IPV6 I-Am-Here undefined code
+413 || ICMP IPV6 Where-Are-You
+414 || ICMP IPV6 Where-Are-You undefined code
+415 || ICMP Information Reply
+416 || ICMP Information Reply undefined code
+417 || ICMP Information Request
+418 || ICMP Information Request undefined code
+419 || ICMP Mobile Host Redirect
+420 || ICMP Mobile Host Redirect undefined code
+421 || ICMP Mobile Registration Reply
+422 || ICMP Mobile Registration Reply undefined code
+423 || ICMP Mobile Registration Request
+424 || ICMP Mobile Registration Request undefined code
+425 || ICMP Parameter Problem Bad Length
+426 || ICMP Parameter Problem Missing a Required Option
+427 || ICMP Parameter Problem Unspecified Error
+428 || ICMP Parameter Problem undefined Code
+429 || ICMP Photuris Reserved
+430 || ICMP Photuris Unknown Security Parameters Index
+431 || ICMP Photuris Valid Security Parameters, But Authentication Failed
+432 || ICMP Photuris Valid Security Parameters, But Decryption Failed
+433 || ICMP Photuris undefined code!
+436 || ICMP Redirect for TOS and Host
+437 || ICMP Redirect for TOS and Network
+438 || ICMP Redirect undefined code
+439 || ICMP Reserved for Security Type 19
+440 || ICMP Reserved for Security Type 19 undefined code
+441 || ICMP Router Advertisement || arachnids,173
+443 || ICMP Router Selection || arachnids,174
+445 || ICMP SKIP
+446 || ICMP SKIP undefined code
+448 || ICMP Source Quench undefined code
+449 || ICMP Time-To-Live Exceeded in Transit
+450 || ICMP Time-To-Live Exceeded in Transit undefined code
+451 || ICMP Timestamp Reply
+452 || ICMP Timestamp Reply undefined code
+453 || ICMP Timestamp Request
+454 || ICMP Timestamp Request undefined code
+455 || ICMP Traceroute ipopts || arachnids,238
+456 || ICMP Traceroute
+457 || ICMP Traceroute undefined code
+458 || ICMP unassigned type 1
+459 || ICMP unassigned type 1 undefined code
+460 || ICMP unassigned type 2
+461 || ICMP unassigned type 2 undefined code
+462 || ICMP unassigned type 7
+463 || ICMP unassigned type 7 undefined code
+465 || ICMP ISS Pinger || arachnids,158
+466 || ICMP L3retriever Ping || arachnids,311
+467 || ICMP Nemesis v1.1 Echo || arachnids,449
+469 || ICMP PING NMAP || arachnids,162
+471 || ICMP icmpenum v1.1.1 || arachnids,450
+472 || ICMP redirect host || cve,1999-0265 || arachnids,135
+473 || ICMP redirect net || cve,1999-0265 || arachnids,199
+474 || ICMP superscan echo
+475 || ICMP traceroute ipopts || arachnids,238
+476 || ICMP webtrends scanner || arachnids,307
+477 || ICMP Source Quench
+478 || ICMP Broadscan Smurf Scanner
+480 || ICMP PING speedera
+481 || ICMP TJPingPro1.1Build 2 Windows || arachnids,167
+482 || ICMP PING WhatsupGold Windows || arachnids,168
+483 || ICMP PING CyberKit 2.2 Windows || arachnids,154
+484 || ICMP PING Sniffer Pro/NetXRay network scan
+485 || ICMP Destination Unreachable Communication Administratively Prohibited
+486 || ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited
+487 || ICMP Destination Unreachable Communication with Destination Network is Administratively Prohibited
+488 || INFO Connection Closed MSG from Port 80
+489 || INFO FTP no password || arachnids,322
+490 || INFO battle-mail traffic
+491 || INFO FTP Bad login
+492 || INFO TELNET Bad Login
+493 || INFO psyBNC access
+494 || ATTACK-RESPONSES command completed
+495 || ATTACK-RESPONSES command error
+496 || ATTACK RESPONSES directory listing
+497 || ATTACK-RESPONSES file copied ok
+498 || ATTACK-RESPONSES id check returned root
+499 || ICMP Large ICMP Packet || arachnids,246
+500 || MISC source route lssr || cve,1999-0909 || bugtraq,646 || arachnids,418
+501 || MISC source route lssre || cve,1999-0909 || bugtraq,646 || arachnids,420
+502 || MISC source route ssrr || arachnids,422
+503 || MISC Source Port 20 to <1024 || arachnids,06
+504 || MISC source port 53 to <1024 || arachnids,07
+505 || MISC Insecure TIMBUKTU Password || arachnids,229
+506 || MISC ramen worm incoming || arachnids,460
+507 || MISC PCAnywhere Attempted Administrator Login
+508 || MISC gopher proxy || arachnids,409
+509 || WEB-MISC PCCS mysql database admin tool access || arachnids,300
+510 || POLICY HP JetDirect LCD modification attempt || bugtraq,2245 || arachnids,302
+511 || MISC Invalid PCAnywhere Login
+512 || MISC PCAnywhere Failed Login || arachnids,240
+513 || MISC Cisco Catalyst Remote Access || cve,1999-0430 || bugtraq,705 || arachnids,129
+514 || MISC ramen worm || arachnids,461
+516 || MISC SNMP NT UserList
+517 || MISC xdmcp query || arachnids,476
+518 || TFTP Put || cve,1999-0183 || arachnids,148
+519 || TFTP parent directory || cve,2002-1209 || cve,1999-0183 || arachnids,137
+520 || TFTP root directory || cve,1999-0183 || arachnids,138
+521 || MISC Large UDP Packet || arachnids,247
+522 || MISC Tiny Fragments
+523 || BAD-TRAFFIC ip reserved bit set
+524 || BAD-TRAFFIC tcp port 0 traffic
+525 || BAD-TRAFFIC udp port 0 traffic || nessus,10074 || cve,1999-0675 || bugtraq,576
+526 || BAD-TRAFFIC data in TCP SYN packet || url,www.cert.org/incident_notes/IN-99-07.html
+527 || BAD-TRAFFIC same SRC/DST || url,www.cert.org/advisories/CA-1997-28.html || cve,1999-0016 || bugtraq,2666
+528 || BAD-TRAFFIC loopback traffic || url,rr.sans.org/firewall/egress.php
+529 || NETBIOS DOS RFPoison || arachnids,454
+530 || NETBIOS NT NULL session || cve,2000-0347 || bugtraq,1163 || arachnids,204
+532 || NETBIOS SMB ADMIN$ share access
+533 || NETBIOS SMB C$ share access
+534 || NETBIOS SMB CD.. || arachnids,338
+535 || NETBIOS SMB CD... || arachnids,337
+536 || NETBIOS SMB D$ share access
+537 || NETBIOS SMB IPC$ share access
+538 || NETBIOS SMB IPC$ share unicode access
+539 || NETBIOS Samba clientaccess || arachnids,341
+540 || CHAT MSN message
+541 || CHAT ICQ access
+542 || CHAT IRC nick change
+543 || POLICY FTP 'STOR 1MB' possible warez site
+544 || POLICY FTP 'RETR 1MB' possible warez site
+545 || POLICY FTP 'CWD / ' possible warez site
+546 || POLICY FTP 'CWD  ' possible warez site
+547 || POLICY FTP 'MKD  ' possible warez site
+548 || POLICY FTP 'MKD .' possible warez site
+549 || P2P napster login
+550 || P2P napster new user login
+551 || P2P napster download attempt
+552 || P2P napster upload request
+553 || POLICY FTP anonymous login attempt
+554 || POLICY FTP 'MKD / ' possible warez site
+555 || POLICY WinGate telnet server response || cve,1999-0657 || arachnids,366
+556 || P2P Outbound GNUTella client request
+557 || P2P GNUTella client request
+558 || INFO Outbound GNUTella client request
+559 || P2P Inbound GNUTella client request
+560 || POLICY VNC server response
+561 || P2P Napster Client Data
+562 || P2P Napster Client Data
+563 || P2P Napster Client Data
+564 || P2P Napster Client Data
+565 || P2P Napster Server Login
+566 || POLICY PCAnywhere server response || arachnids,239
+567 || POLICY SMTP relaying denied || url,mail-abuse.org/tsi/ar-fix.html || arachnids,249
+568 || POLICY HP JetDirect LCD modification attempt || bugtraq,2245 || arachnids,302
+569 || RPC snmpXdmi overflow attempt TCP || url,www.cert.org/advisories/CA-2001-05.html || cve,2001-0236 || bugtraq,2417
+570 || RPC EXPLOIT ttdbserv solaris overflow || url,www.cert.org/advisories/CA-2001-27.html || cve,1999-0003 || bugtraq,122 || arachnids,242
+571 || RPC EXPLOIT ttdbserv Solaris overflow || url,www.cert.org/advisories/CA-2001-27.html || cve,1999-0003 || bugtraq,122 || arachnids,242
+572 || RPC DOS ttdbserv Solaris || cve,1999-0003 || bugtraq,122 || arachnids,241
+573 || RPC AMD Overflow || cve,1999-0704 || arachnids,217
+574 || RPC mountd TCP export request || arachnids,26
+575 || RPC portmap admind request UDP || arachnids,18
+576 || RPC portmap amountd request UDP || arachnids,19
+577 || RPC portmap bootparam request UDP || cve,1999-0647 || arachnids,16
+578 || RPC portmap cmsd request UDP || arachnids,17
+579 || RPC portmap mountd request UDP || arachnids,13
+580 || RPC portmap nisd request UDP || arachnids,21
+581 || RPC portmap pcnfsd request UDP || arachnids,22
+582 || RPC portmap rexd request UDP || arachnids,23
+583 || RPC portmap rstatd request UDP || arachnids,10
+584 || RPC portmap rusers request UDP || cve,1999-0626 || arachnids,133
+585 || RPC portmap sadmind request UDP || arachnids,20
+586 || RPC portmap selection_svc request UDP || arachnids,25
+587 || RPC portmap status request UDP || arachnids,15
+588 || RPC portmap ttdbserv request UDP || url,www.cert.org/advisories/CA-2001-05.html || cve,2001-0717 || cve,1999-1075 || cve,1999-0687 || cve,1999-0003 || bugtraq,3382 || bugtraq,122 || arachnids,24
+589 || RPC portmap yppasswd request UDP || arachnids,14
+590 || RPC portmap ypserv request UDP || cve,2002-1232 || cve,2000-1043 || cve,2000-1042 || bugtraq,6016 || bugtraq,5914 || arachnids,12
+591 || RPC portmap ypupdated request TCP || arachnids,125
+592 || RPC rstatd query || arachnids,9
+593 || RPC portmap snmpXdmi request TCP || url,www.cert.org/advisories/CA-2001-05.html || cve,2001-0236 || bugtraq,2417
+595 || RPC portmap espd request TCP || cve,2001-0331 || bugtraq,2714
+596 || RPC portmap listing || arachnids,429
+597 || RPC portmap listing || arachnids,429
+598 || RPC portmap listing TCP 111 || arachnids,428
+599 || RPC portmap listing TCP 32771 || arachnids,429
+600 || RPC EXPLOIT statdx || arachnids,442
+601 || RSERVICES rlogin LinuxNIS
+602 || RSERVICES rlogin bin || arachnids,384
+603 || RSERVICES rlogin echo++ || arachnids,385
+604 || RSERVICES rsh froot || arachnids,387
+605 || RSERVICES rlogin login failure || arachnids,393
+606 || RSERVICES rlogin root || arachnids,389
+607 || RSERVICES rsh bin || arachnids,390
+608 || RSERVICES rsh echo + + || arachnids,388
+609 || RSERVICES rsh froot || arachnids,387
+610 || RSERVICES rsh root || arachnids,391
+611 || RSERVICES rlogin login failure || arachnids,392
+612 || RPC rusers query UDP || cve,1999-0626
+613 || SCAN myscan || arachnids,439
+614 || BACKDOOR hack-a-tack attempt || arachnids,314
+615 || SCAN SOCKS Proxy attempt || url,help.undernet.org/proxyscan/
+616 || SCAN ident version request || arachnids,303
+617 || SCAN ssh-research-scanner
+618 || SCAN Squid Proxy attempt
+619 || SCAN cybercop os probe || arachnids,146
+620 || SCAN Proxy Port 8080 attempt
+621 || SCAN FIN || arachnids,27
+622 || SCAN ipEye SYN scan || arachnids,236
+623 || SCAN NULL || arachnids,4
+624 || SCAN SYN FIN || arachnids,198
+625 || SCAN XMAS || arachnids,144
+626 || SCAN cybercop os PA12 attempt || arachnids,149
+627 || SCAN cybercop os SFU12 probe || arachnids,150
+628 || SCAN nmap TCP || arachnids,28
+629 || SCAN nmap fingerprint attempt || arachnids,05
+630 || SCAN synscan portscan || arachnids,441
+631 || SMTP ehlo cybercop attempt || arachnids,372
+632 || SMTP expn cybercop attempt || arachnids,371
+634 || SCAN Amanda client version request
+635 || SCAN XTACACS logout || arachnids,408
+636 || SCAN cybercop udp bomb || arachnids,363
+637 || SCAN Webtrends Scanner UDP Probe || arachnids,308
+638 || SHELLCODE SGI NOOP || arachnids,356
+639 || SHELLCODE SGI NOOP || arachnids,357
+640 || SHELLCODE AIX NOOP
+641 || SHELLCODE Digital UNIX NOOP || arachnids,352
+642 || SHELLCODE HP-UX NOOP || arachnids,358
+643 || SHELLCODE HP-UX NOOP || arachnids,359
+644 || SHELLCODE sparc NOOP || arachnids,345
+645 || SHELLCODE sparc NOOP || arachnids,353
+646 || SHELLCODE sparc NOOP || arachnids,355
+647 || SHELLCODE sparc setuid 0 || arachnids,282
+648 || SHELLCODE x86 NOOP || arachnids,181
+649 || SHELLCODE x86 setgid 0 || arachnids,284
+650 || SHELLCODE x86 setuid 0 || arachnids,436
+651 || SHELLCODE x86 stealth NOOP || arachnids,291
+652 || SHELLCODE Linux shellcode || arachnids,343
+653 || SHELLCODE x86 unicode NOOP
+654 || SMTP RCPT TO overflow || cve,2001-0260 || bugtraq,9696 || bugtraq,2283
+655 || SMTP sendmail 8.6.9 exploit || cve,1999-0204 || bugtraq,2311 || arachnids,140
+656 || SMTP EXPLOIT x86 windows CSMMail overflow || cve,2000-0042 || bugtraq,895
+657 || SMTP chameleon overflow || cve,1999-0261 || bugtraq,2387 || arachnids,266
+658 || SMTP exchange mime DOS
+659 || SMTP expn decode || arachnids,32
+660 || SMTP expn root || arachnids,31
+661 || SMTP majordomo ifs || cve,1999-0208 || arachnids,143
+662 || SMTP sendmail 5.5.5 exploit || arachnids,119
+663 || SMTP rcpt to command attempt || cve,1999-0095 || bugtraq,1 || arachnids,172
+664 || SMTP RCPT TO decode attempt || cve,1999-0203 || bugtraq,2308 || arachnids,121
+665 || SMTP sendmail 5.6.5 exploit || arachnids,122
+666 || SMTP sendmail 8.4.1 exploit || arachnids,120
+667 || SMTP sendmail 8.6.10 exploit || arachnids,123
+668 || SMTP sendmail 8.6.10 exploit || arachnids,124
+669 || SMTP sendmail 8.6.9 exploit || cve,1999-0204 || bugtraq,2311 || arachnids,142
+670 || SMTP sendmail 8.6.9 exploit || cve,1999-0204 || bugtraq,2311 || arachnids,139
+671 || SMTP sendmail 8.6.9c exploit || cve,1999-0204 || bugtraq,2311 || arachnids,141
+672 || SMTP vrfy decode || arachnids,373
+673 || MS-SQL sp_start_job - program execution
+674 || MS-SQL xp_displayparamstmt possible buffer overflow || cve,2000-1081 || bugtraq,2030
+675 || MS-SQL xp_setsqlsecurity possible buffer overflow || bugtraq,2043
+676 || MS-SQL/SMB sp_start_job - program execution
+677 || MS-SQL/SMB sp_password password change
+678 || MS-SQL/SMB sp_delete_alert log file deletion
+679 || MS-SQL/SMB sp_adduser database user creation
+680 || MS-SQL/SMB sa login failed
+681 || MS-SQL/SMB xp_cmdshell program execution
+682 || MS-SQL xp_enumresultset possible buffer overflow
+683 || MS-SQL sp_password - password change
+684 || MS-SQL sp_delete_alert log file deletion
+685 || MS-SQL sp_adduser - database user creation
+686 || MS-SQL xp_reg* - registry access
+687 || MS-SQL xp_cmdshell - program execution
+688 || MS-SQL sa login failed
+689 || MS-SQL/SMB xp_reg* registry access
+690 || MS-SQL/SMB xp_printstatements possible buffer overflow || cve,2000-1086 || bugtraq,2041
+691 || MS-SQL shellcode attempt
+692 || MS-SQL/SMB shellcode attempt
+693 || MS-SQL shellcode attempt
+694 || MS-SQL/SMB shellcode attempt
+695 || MS-SQL/SMB xp_sprintf possible buffer overflow || bugtraq,1204
+696 || MS-SQL/SMB xp_showcolv possible buffer overflow || bugtraq,2038
+697 || MS-SQL/SMB xp_peekqueue possible buffer overflow || cve,2000-1085 || bugtraq,2040
+698 || MS-SQL/SMB xp_proxiedmetadata possible buffer overflow || cve,2000-1087 || bugtraq,2042
+699 || MS-SQL xp_printstatements possible buffer overflow || cve,2000-1086 || bugtraq,2041
+700 || MS-SQL/SMB xp_updatecolvbm possible buffer overflow || cve,2000-1084 || bugtraq,2039
+701 || MS-SQL xp_updatecolvbm possible buffer overflow || cve,2000-1084 || bugtraq,2039
+702 || MS-SQL/SMB xp_displayparamstmt possible buffer overflow || cve,2000-1081 || bugtraq,2030
+703 || MS-SQL/SMB xp_setsqlsecurity possible buffer overflow || bugtraq,2043
+704 || MS-SQL xp_sprintf possible buffer overflow || bugtraq,1204
+705 || MS-SQL xp_showcolv possible buffer overflow || cve,2000-1083 || bugtraq,2038
+706 || MS-SQL xp_peekqueue possible buffer overflow || cve,2000-1085 || bugtraq,2040
+707 || MS-SQL xp_proxiedmetadata possible buffer overflow || cve,2000-1087 || cve,1999-0287 || bugtraq,2024
+708 || MS-SQL/SMB xp_enumresultset possible buffer overflow || cve,2000-1082 || bugtraq,2031
+709 || TELNET 4Dgifts SGI account attempt || cve,1999-0501
+710 || TELNET EZsetup account attempt || cve,1999-0501
+711 || TELNET SGI telnetd format bug || arachnids,304
+712 || TELNET ld_library_path || cve,1999-0073 || bugtraq,459 || arachnids,367
+713 || TELNET livingston DOS || arachnids,370
+714 || TELNET resolv_host_conf || arachnids,369
+715 || TELNET Attempted SU from wrong group
+716 || TELNET access || cve,1999-0619 || arachnids,08
+717 || TELNET not on console || arachnids,365
+718 || TELNET login incorrect || arachnids,127
+719 || TELNET root login
+720 || Virus - SnowWhite Trojan Incoming
+721 || VIRUS OUTBOUND bad file attachment
+722 || Virus - Possible NAVIDAD Worm
+723 || Virus - Possible MyRomeo Worm
+724 || Virus - Possible MyRomeo Worm
+725 || Virus - Possible MyRomeo Worm
+726 || Virus - Possible MyRomeo Worm
+727 || Virus - Possible MyRomeo Worm
+728 || Virus - Possible MyRomeo Worm
+729 || VIRUS OUTBOUND .scr file attachment
+730 || VIRUS OUTBOUND .shs file attachment
+731 || Virus - Possible QAZ Worm || MCAFEE,98775
+732 || Virus - Possible QAZ Worm Infection || MCAFEE,98775
+733 || Virus - Possible QAZ Worm Calling Home || MCAFEE,98775
+734 || Virus - Possible Matrix worm
+735 || Virus - Possible MyRomeo Worm
+736 || Virus - Successful eurocalculator execution
+737 || Virus - Possible eurocalculator.exe file
+738 || Virus - Possible Pikachu Pokemon Virus || MCAFEE,98696
+739 || Virus - Possible Triplesix Worm || MCAFEE,10389
+740 || Virus - Possible Tune.vbs || MCAFEE,10497
+741 || Virus - Possible NAIL Worm || MCAFEE,10109
+742 || Virus - Possible NAIL Worm || MCAFEE,10109
+743 || Virus - Possible NAIL Worm || MCAFEE,10109
+744 || Virus - Possible NAIL Worm || MCAFEE,10109
+745 || Virus - Possible Papa Worm || MCAFEE,10145
+746 || Virus - Possible Freelink Worm || MCAFEE,10225
+747 || Virus - Possible Simbiosis Worm
+748 || Virus - Possible BADASS Worm || MCAFEE,10388
+749 || Virus - Possible ExploreZip.B Worm || MCAFEE,10471
+751 || Virus - Possible wscript.KakWorm || MCAFEE,10509
+752 || Virus Possible Suppl Worm || MCAFEE,10361
+753 || Virus - Possible NewApt.Worm - theobbq.exe || MCAFEE,10540
+754 || Virus - Possible Word Macro - VALE || MCAFEE,10502
+755 || Virus - Possible IROK Worm || MCAFEE,98552
+756 || Virus - Possible Fix2001 Worm || MCAFEE,10355
+757 || Virus - Possible Y2K Zelu Trojan || MCAFEE,10505
+758 || Virus - Possible The_Fly Trojan || MCAFEE,10478
+759 || Virus - Possible Word Macro - VALE || MCAFEE,10502
+760 || Virus - Possible Passion Worm || MCAFEE,10467
+761 || Virus - Possible NewApt.Worm - cooler3.exe || MCAFEE,10540
+762 || Virus - Possible NewApt.Worm - party.exe || MCAFEE,10540
+763 || Virus - Possible NewApt.Worm - hog.exe || MCAFEE,10540
+764 || Virus - Possible NewApt.Worm - goal1.exe || MCAFEE,10540
+765 || Virus - Possible NewApt.Worm - pirate.exe || MCAFEE,10540
+766 || Virus - Possible NewApt.Worm - video.exe || MCAFEE,10540
+767 || Virus - Possible NewApt.Worm - baby.exe || MCAFEE,10540
+768 || Virus - Possible NewApt.Worm - cooler1.exe || MCAFEE,10540
+769 || Virus - Possible NewApt.Worm - boss.exe || MCAFEE,10540
+770 || Virus - Possible NewApt.Worm - g-zilla.exe || MCAFEE,10540
+771 || Virus - Possible ToadieE-mail Trojan || MCAFEE,10540
+772 || Virus - Possible PrettyPark Trojan || MCAFEE,10175
+773 || Virus - Possible Happy99 Virus || MCAFEE,10144
+774 || Virus - Possible CheckThis Trojan
+775 || Virus - Possible Bubbleboy Worm || MCAFEE,10418
+776 || Virus - Possible NewApt.Worm - copier.exe || MCAFEE,10540
+777 || Virus - Possible MyPics Worm || MCAFEE,10467
+778 || Virus - Possible Babylonia - X-MAS.exe || MCAFEE,10461
+779 || Virus - Possible NewApt.Worm - gadget.exe || MCAFEE,10540
+780 || Virus - Possible NewApt.Worm - irnglant.exe || MCAFEE,10540
+781 || Virus - Possible NewApt.Worm - casper.exe || MCAFEE,10540
+782 || Virus - Possible NewApt.Worm - fborfw.exe || MCAFEE,10540
+783 || Virus - Possible NewApt.Worm - saddam.exe || MCAFEE,10540
+784 || Virus - Possible NewApt.Worm - bboy.exe || MCAFEE,10540
+785 || Virus - Possible NewApt.Worm - monica.exe || MCAFEE,10540
+786 || Virus - Possible NewApt.Worm - goal.exe || MCAFEE,10540
+787 || Virus - Possible NewApt.Worm - panther.exe || MCAFEE,10540
+788 || Virus - Possible NewApt.Worm - chestburst.exe || MCAFEE,10540
+789 || Virus - Possible NewApt.Worm - farter.exe || MCAFEE,1054
+790 || Virus - Possible Common Sense Worm
+791 || Virus - Possible NewApt.Worm - cupid2.exe || MCAFEE,10540
+792 || Virus - Possible Resume Worm || MCAFEE,98661
+793 || VIRUS OUTBOUND .vbs file attachment
+794 || Virus - Possible Resume Worm || MCAFEE,98661
+795 || Virus - Possible Worm -  txt.vbs file
+796 || Virus - Possible Worm - xls.vbs file
+797 || Virus - Possible Worm - jpg.vbs file
+798 || Virus - Possible Worm -  gif.vbs file
+799 || Virus - Possible Timofonica Worm || MCAFEE,98674
+800 || Virus - Possible Resume Worm || MCAFEE,98661
+801 || Virus - Possible Worm - doc.vbs file
+802 || Virus - Possbile Zipped Files Trojan || MCAFEE,10450
+803 || WEB-CGI HyperSeek hsx.cgi directory traversal attempt || cve,2001-0253 || bugtraq,2314
+804 || WEB-CGI SWSoft ASPSeek Overflow attempt || cve,2001-0476 || bugtraq,2492
+805 || WEB-CGI webspeed access || nessus,10304 || cve,2000-0127 || bugtraq,969 || arachnids,467
+806 || WEB-CGI yabb directory traversal attempt || cve,2000-0853 || bugtraq,1668 || arachnids,462
+807 || WEB-CGI /wwwboard/passwd.txt access || nessus,10321 || cve,1999-0954 || cve,1999-0953 || bugtraq,649 || arachnids,463
+808 || WEB-CGI webdriver access || nessus,10592 || bugtraq,2166 || arachnids,473
+809 || WEB-CGI whois_raw.cgi arbitrary command execution attempt || nessus,10306 || cve,1999-1063 || bugtraq,304 || arachnids,466
+810 || WEB-CGI whois_raw.cgi access || nessus,10306 || cve,1999-1063 || bugtraq,304 || arachnids,466
+811 || WEB-CGI websitepro path access || cve,2000-0066 || bugtraq,932 || arachnids,468
+812 || WEB-CGI webplus version access || cve,2000-0282 || bugtraq,1102 || arachnids,470
+813 || WEB-CGI webplus directory traversal || cve,2000-0282 || bugtraq,1102 || arachnids,471
+815 || WEB-CGI websendmail access || nessus,10301 || cve,1999-0196 || bugtraq,2077 || arachnids,469
+817 || WEB-CGI dcboard.cgi invalid user addition attempt || nessus,10583 || cve,2001-0527 || bugtraq,2728
+818 || WEB-CGI dcforum.cgi access || nessus,10583 || cve,2001-0527 || bugtraq,2728
+819 || WEB-CGI mmstdod.cgi access || cve,2001-0021
+820 || WEB-CGI anaconda directory transversal attempt || cve,2001-0308 || cve,2000-0975 || bugtraq,2388 || bugtraq,2338
+821 || WEB-CGI imagemap.exe overflow attempt || nessus,10122 || cve,1999-0951 || bugtraq,739 || arachnids,412
+823 || WEB-CGI cvsweb.cgi access || cve,2000-0670 || bugtraq,1469
+824 || WEB-CGI php.cgi access || cve,1999-0238 || bugtraq,2250 || arachnids,232
+825 || WEB-CGI glimpse access || bugtraq,2026
+826 || WEB-CGI htmlscript access || cve,1999-0264 || bugtraq,2001
+827 || WEB-CGI info2www access || cve,1999-0266 || bugtraq,1995
+828 || WEB-CGI maillist.pl access
+829 || WEB-CGI nph-test-cgi access || nessus,10165 || cve,1999-0045 || bugtraq,686 || arachnids,224
+830 || WEB-CGI NPH-publish access || cve,1999-1177
+832 || WEB-CGI perl.exe access || url,www.cert.org/advisories/CA-1996-11.html || nessus,10173 || cve,1999-0509 || arachnids,219
+833 || WEB-CGI rguest.exe access || cve,1999-0467 || cve,1999-0287 || bugtraq,2024
+834 || WEB-CGI rwwwshell.pl access || url,www.itsecurity.com/papers/p37.htm
+835 || WEB-CGI test-cgi access || nessus,10282 || cve,1999-0070 || bugtraq,2003 || arachnids,218
+836 || WEB-CGI textcounter.pl access || cve,1999-1479
+837 || WEB-CGI uploader.exe access || nessus,10291 || cve,1999-0177
+838 || WEB-CGI webgais access || nessus,10300 || cve,1999-0176 || bugtraq,2058 || arachnids,472
+839 || WEB-CGI finger access || nessus,10071 || cve,1999-0612 || arachnids,221
+840 || WEB-CGI perlshop.cgi access || cve,1999-1374
+841 || WEB-CGI pfdisplay.cgi access || cve,1999-0270 || bugtraq,64
+842 || WEB-CGI aglimpse access || nessus,10095 || cve,1999-0147 || bugtraq,2026
+843 || WEB-CGI anform2 access || cve,1999-0066 || arachnids,225
+844 || WEB-CGI args.bat access || cve,1999-1374
+845 || WEB-CGI AT-admin.cgi access || cve,1999-1072
+846 || WEB-CGI bnbform.cgi access || cve,1999-0937 || bugtraq,2147
+847 || WEB-CGI campas access || cve,1999-0146 || bugtraq,1975
+848 || WEB-CGI view-source directory traversal || cve,1999-0174 || bugtraq,8883 || bugtraq,2251
+849 || WEB-CGI view-source access || cve,1999-0174 || bugtraq,8883 || bugtraq,2251
+850 || WEB-CGI wais.pl access
+851 || WEB-CGI files.pl access || cve,1999-1081
+852 || WEB-CGI wguest.exe access || cve,1999-0467 || cve,1999-0287 || bugtraq,2024
+853 || WEB-CGI wrap access || nessus,10317 || cve,1999-0149 || bugtraq,373 || arachnids,234
+854 || WEB-CGI classifieds.cgi access || cve,1999-0934 || bugtraq,2020
+855 || WEB-CGI edit.pl access || bugtraq,2713
+856 || WEB-CGI environ.cgi access
+857 || WEB-CGI faxsurvey access || nessus,10067 || cve,1999-0262 || bugtraq,2056
+858 || WEB-CGI filemail access || cve,1999-1154
+859 || WEB-CGI man.sh access || cve,1999-1179
+860 || WEB-CGI snork.bat access || cve,2000-0169 || bugtraq,1053 || arachnids,220
+861 || WEB-CGI w3-msql access || nessus,10296 || cve,2000-0012 || cve,1999-0753 || cve,1999-0276 || bugtraq,898 || bugtraq,591 || arachnids,210
+862 || WEB-CGI csh access || url,www.cert.org/advisories/CA-1996-11.html || cve,1999-0509
+863 || WEB-CGI day5datacopier.cgi access || cve,1999-1232
+864 || WEB-CGI day5datanotifier.cgi access || cve,1999-1232
+865 || WEB-CGI ksh access || url,www.cert.org/advisories/CA-1996-11.html || cve,1999-0509
+866 || WEB-CGI post-query access || cve,2001-0291 || bugtraq,6752
+867 || WEB-CGI visadmin.exe access || nessus,10295 || cve,1999-1970 || cve,1999-0970 || bugtraq,1808
+868 || WEB-CGI rsh access || url,www.cert.org/advisories/CA-1996-11.html || cve,1999-0509
+869 || WEB-CGI dumpenv.pl access || nessus,10060 || cve,1999-1178
+870 || WEB-CGI snorkerz.cmd access
+871 || WEB-CGI survey.cgi access || cve,1999-0936 || bugtraq,1817
+872 || WEB-CGI tcsh access || url,www.cert.org/advisories/CA-1996-11.html || cve,1999-0509
+873 || WEB-CGI scriptalias access || cve,1999-0236 || bugtraq,2300 || arachnids,227
+874 || WEB-CGI w3-msql solaris x86  access || cve,1999-0276 || arachnids,211
+875 || WEB-CGI win-c-sample.exe access || nessus,10008 || cve,1999-0178 || bugtraq,2078 || arachnids,231
+877 || WEB-CGI rksh access || url,www.cert.org/advisories/CA-1996-11.html || cve,1999-0509
+878 || WEB-CGI w3tvars.pm access
+879 || WEB-CGI admin.pl access || url,online.securityfocus.com/archive/1/249355 || bugtraq,3839
+880 || WEB-CGI LWGate access || url,www.wiretrip.net/rfp/p/doc.asp/i2/d6.htm || url,www.netspace.org/~dwb/lwgate/lwgate-history.html
+881 || WEB-CGI archie access
+882 || WEB-CGI calendar access
+883 || WEB-CGI flexform access || url,www.wiretrip.net/rfp/p/doc.asp/i2/d6.htm
+884 || WEB-CGI formmail access || nessus,10782 || nessus,10076 || cve,2000-0411 || cve,1999-0172 || bugtraq,2079 || bugtraq,1187 || arachnids,226
+885 || WEB-CGI bash access || url,www.cert.org/advisories/CA-1996-11.html || cve,1999-0509
+886 || WEB-CGI phf access || cve,1999-0067 || bugtraq,629 || arachnids,128
+887 || WEB-CGI www-sql access || url,marc.theaimsgroup.com/?l=bugtraq&m=88704258804054&w=2
+888 || WEB-CGI wwwadmin.pl access
+889 || WEB-CGI ppdscgi.exe access || url,online.securityfocus.com/archive/1/16878 || bugtraq,491
+890 || WEB-CGI sendform.cgi access || url,www.scn.org/help/sendform.txt || cve,2002-0710 || bugtraq,5286
+891 || WEB-CGI upload.pl access
+892 || WEB-CGI AnyForm2 access || cve,1999-0066 || bugtraq,719
+893 || WEB-CGI MachineInfo access || cve,1999-1067
+894 || WEB-CGI bb-hist.sh access || nessus,10025 || cve,1999-1462 || bugtraq,142
+895 || WEB-CGI redirect access || cve,2000-0382 || bugtraq,1179
+896 || WEB-CGI way-board access || nessus,10610 || cve,2001-0214 || bugtraq,2370
+897 || WEB-CGI pals-cgi access || nessus,10611 || cve,2001-0217 || cve,2001-0216 || bugtraq,2372
+898 || WEB-CGI commerce.cgi access || nessus,10612 || cve,2001-0210 || bugtraq,2361
+899 || WEB-CGI Amaya templates sendtemp.pl directory traversal attempt || cve,2001-0272 || bugtraq,2504
+900 || WEB-CGI webspirs.cgi directory traversal attempt || nessus,10616 || cve,2001-0211 || bugtraq,2362
+901 || WEB-CGI webspirs.cgi access || nessus,10616 || cve,2001-0211 || bugtraq,2362
+902 || WEB-CGI tstisapi.dll access || cve,2001-0302
+903 || WEB-COLDFUSION cfcache.map access || cve,2000-0057 || bugtraq,917
+904 || WEB-COLDFUSION exampleapp application.cfm || cve,2000-0189 || bugtraq,1021
+905 || WEB-COLDFUSION application.cfm access || cve,2000-0189 || bugtraq,1021
+906 || WEB-COLDFUSION getfile.cfm access || cve,1999-0800 || bugtraq,229
+907 || WEB-COLDFUSION addcontent.cfm access
+908 || WEB-COLDFUSION administrator access || cve,2000-0538 || bugtraq,1314
+909 || WEB-COLDFUSION datasource username attempt || bugtraq,550
+910 || WEB-COLDFUSION fileexists.cfm access || bugtraq,550
+911 || WEB-COLDFUSION exprcalc access || cve,1999-0455 || bugtraq,550 || bugtraq,115
+912 || WEB-COLDFUSION parks access || bugtraq,550
+913 || WEB-COLDFUSION cfappman access || bugtraq,550
+914 || WEB-COLDFUSION beaninfo access || bugtraq,550
+915 || WEB-COLDFUSION evaluate.cfm access || bugtraq,550
+916 || WEB-COLDFUSION getodbcdsn access || bugtraq,550
+917 || WEB-COLDFUSION db connections flush attempt || bugtraq,550
+918 || WEB-COLDFUSION expeval access || cve,1999-0477 || bugtraq,550
+919 || WEB-COLDFUSION datasource passwordattempt || bugtraq,550
+920 || WEB-COLDFUSION datasource attempt || bugtraq,550
+921 || WEB-COLDFUSION admin encrypt attempt || bugtraq,550
+922 || WEB-COLDFUSION displayfile access || bugtraq,550
+923 || WEB-COLDFUSION getodbcin attempt || bugtraq,550
+924 || WEB-COLDFUSION admin decrypt attempt || bugtraq,550
+925 || WEB-COLDFUSION mainframeset access || bugtraq,550
+926 || WEB-COLDFUSION set odbc ini attempt || bugtraq,550
+927 || WEB-COLDFUSION settings refresh attempt || bugtraq,550
+928 || WEB-COLDFUSION exampleapp access
+929 || WEB-COLDFUSION CFUSION_VERIFYMAIL access || bugtraq,550
+930 || WEB-COLDFUSION snippets attempt || bugtraq,550
+931 || WEB-COLDFUSION cfmlsyntaxcheck.cfm access || bugtraq,550
+932 || WEB-COLDFUSION application.cfm access || cve,2000-0189 || bugtraq,550 || arachnids,268
+933 || WEB-COLDFUSION onrequestend.cfm access || cve,2000-0189 || bugtraq,550 || arachnids,269
+935 || WEB-COLDFUSION startstop DOS access || bugtraq,247
+936 || WEB-COLDFUSION gettempdirectory.cfm access  || bugtraq,550
+937 || WEB-FRONTPAGE _vti_rpc access || bugtraq,2144
+939 || WEB-FRONTPAGE posting
+940 || WEB-FRONTPAGE shtml.dll access || arachnids,292
+941 || WEB-FRONTPAGE contents.htm access
+942 || WEB-FRONTPAGE orders.htm access
+943 || WEB-FRONTPAGE fpsrvadm.exe access
+944 || WEB-FRONTPAGE fpremadm.exe access
+945 || WEB-FRONTPAGE fpadmin.htm access
+946 || WEB-FRONTPAGE fpadmcgi.exe access
+947 || WEB-FRONTPAGE orders.txt access
+948 || WEB-FRONTPAGE form_results access
+949 || WEB-FRONTPAGE registrations.htm access
+950 || WEB-FRONTPAGE cfgwiz.exe access
+951 || WEB-FRONTPAGE authors.pwd access || nessus,10078 || cve,1999-0386 || bugtraq,989
+952 || WEB-FRONTPAGE author.exe access
+953 || WEB-FRONTPAGE administrators.pwd access || bugtraq,1205
+954 || WEB-FRONTPAGE form_results.htm access
+955 || WEB-FRONTPAGE access.cnf access
+956 || WEB-FRONTPAGE register.txt access
+957 || WEB-FRONTPAGE registrations.txt access
+958 || WEB-FRONTPAGE service.cnf access
+959 || WEB-FRONTPAGE service.pwd || bugtraq,1205
+960 || WEB-FRONTPAGE service.stp access
+961 || WEB-FRONTPAGE services.cnf access
+962 || WEB-FRONTPAGE shtml.exe access || nessus,10405 || cve,2000-0709 || cve,2000-0413 || bugtraq,1608 || bugtraq,1174
+963 || WEB-FRONTPAGE svcacl.cnf access
+964 || WEB-FRONTPAGE users.pwd access
+965 || WEB-FRONTPAGE writeto.cnf access
+966 || WEB-FRONTPAGE .... request || cve,2000-0153 || cve,1999-0386 || bugtraq,989 || arachnids,248
+967 || WEB-FRONTPAGE dvwssr.dll access || url,www.microsoft.com/technet/security/bulletin/ms00-025.mspx || cve,2000-0260 || bugtraq,1109 || bugtraq,1108 || arachnids,271
+968 || WEB-FRONTPAGE register.htm access
+969 || WEB-IIS WebDAV file lock attempt || bugtraq,2736
+970 || WEB-IIS multiple decode attempt || cve,2001-0333 || bugtraq,2708
+971 || WEB-IIS ISAPI .printer access || cve,2001-0241 || bugtraq,2674 || arachnids,533
+972 || WEB-IIS %2E-asp access || cve,1999-0253 || bugtraq,1814
+973 || WEB-IIS *.idc attempt || cve,2000-0661 || cve,1999-0874 || bugtraq,1448
+974 || WEB-IIS Directory transversal attempt || cve,1999-0229 || bugtraq,2218
+975 || WEB-IIS Alternate Data streams ASP file access attempt || url,support.microsoft.com/default.aspx?scid=kb\ || nessus,10362 || cve,1999-0278 || bugtraq,149
+976 || WEB-IIS .bat? access || url,support.microsoft.com/support/kb/articles/Q155/0/56.asp || url,support.microsoft.com/support/kb/articles/Q148/1/88.asp || cve,1999-0233 || bugtraq,2023
+977 || WEB-IIS .cnf access
+978 || WEB-IIS ASP contents view || nessus,10356 || cve,2000-0302 || bugtraq,1084
+979 || WEB-IIS ASP contents view || cve,2000-0942 || bugtraq,1861
+980 || WEB-IIS CGImail.exe access || cve,2000-0726 || bugtraq,1623
+981 || WEB-IIS unicode directory traversal attempt || cve,2000-0884 || bugtraq,1806
+982 || WEB-IIS unicode directory traversal attempt || cve,2000-0884 || bugtraq,1806
+983 || WEB-IIS unicode directory traversal attempt || cve,2000-0884 || bugtraq,1806
+984 || WEB-IIS JET VBA access || cve,1999-0874 || bugtraq,307
+985 || WEB-IIS JET VBA access || cve,1999-0874 || bugtraq,286
+986 || WEB-IIS MSProxy access
+987 || WEB-IIS .htr access || cve,2000-0630 || bugtraq,1488
+988 || WEB-IIS SAM Attempt || url,www.ciac.org/ciac/bulletins/h-45.shtml
+989 || WEB-IIS Unicode2.pl script File permission canonicalization
+990 || WEB-IIS _vti_inf access
+991 || WEB-IIS achg.htr access || cve,1999-0407 || bugtraq,2110
+992 || WEB-IIS adctest.asp access
+993 || WEB-IIS iisadmin access
+994 || WEB-IIS /scripts/iisadmin/default.htm access
+995 || WEB-IIS ism.dll access || cve,2000-0630 || cve,1999-1538 || bugtraq,189
+996 || WEB-IIS anot.htr access || cve,1999-0407 || bugtraq,2110
+997 || WEB-IIS asp-dot attempt
+998 || WEB-IIS asp-srch attempt
+999 || WEB-IIS bdir access
+1000 || WEB-IIS bdir.htr access
+1001 || WEB-MISC carbo.dll access || cve,1999-1069 || bugtraq,2126
+1002 || WEB-IIS cmd.exe access
+1003 || WEB-IIS cmd? access
+1004 || WEB-IIS codebrowser Exair access || cve,1999-0815 || cve,1999-0499
+1005 || WEB-IIS codebrowser SDK access || cve,1999-0736 || bugtraq,167
+1007 || WEB-IIS cross-site scripting attempt
+1008 || WEB-IIS del attempt
+1009 || WEB-IIS directory listing
+1010 || WEB-IIS encoding access || arachnids,200
+1011 || WEB-IIS exec-src access
+1012 || WEB-IIS fpcount attempt || cve,1999-1376 || bugtraq,2252
+1013 || WEB-IIS fpcount access || cve,1999-1376 || bugtraq,2252
+1015 || WEB-IIS getdrvs.exe access
+1016 || WEB-IIS global.asa access || nessus,10491 || cve,2000-0778
+1017 || WEB-IIS idc-srch attempt || cve,1999-0874
+1018 || WEB-IIS iisadmpwd attempt || cve,2000-0304 || bugtraq,2110 || bugtraq,1191
+1019 || WEB-IIS index server file source code attempt
+1020 || WEB-IIS isc$data attempt || cve,1999-0874 || bugtraq,307
+1021 || WEB-IIS ism.dll attempt || cve,2000-0457 || bugtraq,1193
+1022 || WEB-IIS jet vba access || cve,1999-0874 || bugtraq,286
+1023 || WEB-IIS msadcs.dll access || cve,1999-1011 || bugtraq,529
+1024 || WEB-IIS newdsn.exe access || nessus,10360 || cve,1999-0191 || bugtraq,1818
+1025 || WEB-IIS perl access
+1026 || WEB-IIS perl-browse newline attempt || bugtraq,6833
+1027 || WEB-IIS perl-browse space attempt || bugtraq,6833
+1028 || WEB-IIS query.asp access || cve,1999-0449 || bugtraq,193
+1029 || WEB-IIS scripts-browse access
+1030 || WEB-IIS search97.vts access || bugtraq,162
+1031 || WEB-IIS /SiteServer/Publishing/viewcode.asp access || nessus,10576
+1032 || WEB-IIS showcode access || nessus,10576
+1033 || WEB-IIS showcode access || nessus,10576
+1034 || WEB-IIS showcode access || nessus,10576
+1035 || WEB-IIS showcode access || nessus,10576
+1036 || WEB-IIS showcode access || nessus,10576
+1037 || WEB-IIS showcode.asp access || nessus,10007 || cve,1999-0736 || bugtraq,167
+1038 || WEB-IIS site server config access || cve,1999-1520 || bugtraq,256
+1039 || WEB-IIS srch.htm access
+1040 || WEB-IIS srchadm access
+1041 || WEB-IIS uploadn.asp access
+1042 || WEB-IIS view source via translate header || bugtraq,1578 || arachnids,305
+1043 || WEB-IIS viewcode.asp access || nessus,10576
+1044 || WEB-IIS webhits access || arachnids,237
+1045 || WEB-IIS Unauthorized IP Access Attempt
+1046 || WEB-IIS site/iisamples access
+1047 || WEB-MISC Netscape Enterprise DOS || cve,2001-0251 || bugtraq,2294
+1048 || WEB-MISC Netscape Enterprise directory listing attempt || cve,2001-0250 || bugtraq,2285
+1049 || WEB-MISC iPlanet ../../ DOS attempt || cve,2001-0252 || bugtraq,2282
+1050 || WEB-MISC iPlanet GETPROPERTIES attempt
+1051 || WEB-CGI technote main.cgi file directory traversal attempt || cve,2001-0075 || bugtraq,2156
+1052 || WEB-CGI technote print.cgi directory traversal attempt || cve,2001-0075 || bugtraq,2156
+1053 || WEB-CGI ads.cgi command execution attempt || cve,2001-0025 || bugtraq,2103
+1054 || WEB-MISC weblogic/tomcat .jsp view source attempt || bugtraq,2527
+1055 || WEB-MISC Tomcat directory traversal attempt || bugtraq,2518
+1056 || WEB-MISC Tomcat view source attempt || bugtraq,2527
+1057 || WEB-MISC ftp attempt
+1058 || WEB-MISC xp_enumdsn attempt
+1059 || WEB-MISC xp_filelist attempt
+1060 || WEB-MISC xp_availablemedia attempt
+1061 || WEB-MISC xp_cmdshell attempt
+1062 || WEB-MISC nc.exe attempt
+1064 || WEB-MISC wsh attempt
+1065 || WEB-MISC rcmd attempt
+1066 || WEB-MISC telnet attempt
+1067 || WEB-MISC net attempt
+1068 || WEB-MISC tftp attempt
+1069 || WEB-MISC xp_regread attempt
+1070 || WEB-MISC WebDAV search access || arachnids,474
+1071 || WEB-MISC .htpasswd access
+1072 || WEB-MISC Lotus Domino directory traversal || cve,2001-0009 || bugtraq,2173
+1073 || WEB-MISC webhits.exe access
+1075 || WEB-IIS postinfo.asp access
+1076 || WEB-IIS repost.asp access || nessus,10372
+1077 || WEB-MISC queryhit.htm access
+1078 || WEB-MISC counter.exe access || cve,1999-1030 || bugtraq,267
+1079 || WEB-MISC WebDAV propfind access || cve,2000-0869 || bugtraq,1656
+1080 || WEB-MISC unify eWave ServletExec upload || cve,2000-1025 || cve,2000-1024 || bugtraq,1876 || bugtraq,1868
+1081 || WEB-MISC Netscape Servers suite DOS || cve,2000-1025 || bugtraq,1868
+1082 || WEB-MISC amazon 1-click cookie theft || cve,2000-0439 || bugtraq,1194
+1083 || WEB-MISC unify eWave ServletExec DOS
+1084 || WEB-MISC Allaire JRUN DOS attempt || bugtraq,2337
+1085 || WEB-PHP strings overflow || bugtraq,802 || arachnids,431
+1086 || WEB-PHP strings overflow || cve,2000-0967 || bugtraq,1786 || arachnids,430
+1087 || WEB-MISC whisker tab splice attack || url,www.wiretrip.net/rfp/pages/whitepapers/whiskerids.html || arachnids,415
+1088 || WEB-CGI eXtropia webstore directory traversal || cve,2000-1005 || bugtraq,1774
+1089 || WEB-CGI shopping cart directory traversal || cve,2000-0921 || bugtraq,1777
+1090 || WEB-CGI Allaire Pro Web Shell attempt
+1091 || WEB-MISC ICQ Webfront HTTP DOS
+1092 || WEB-CGI Armada Style Master Index directory traversal
+1093 || WEB-CGI cached_feed.cgi moreover shopping cart directory traversal || cve,2000-0906 || bugtraq,1762
+1094 || WEB-CGI webstore directory traversal || cve,2000-1005 || bugtraq,1774
+1095 || WEB-MISC Talentsoft Web+ Source Code view access || bugtraq,1722
+1096 || WEB-MISC Talentsoft Web+ internal IP Address access || bugtraq,1720
+1097 || WEB-CGI Talentsoft Web+ exploit attempt || bugtraq,1725
+1098 || WEB-MISC SmartWin CyberOffice Shopping Cart access || cve,2000-0925 || bugtraq,1734
+1099 || WEB-MISC cybercop scan || arachnids,374
+1100 || WEB-MISC L3retriever HTTP Probe || arachnids,310
+1101 || WEB-MISC Webtrends HTTP probe || arachnids,309
+1102 || WEB-MISC Nessus 404 probe || arachnids,301
+1103 || WEB-MISC Netscape admin passwd || bugtraq,1579
+1104 || WEB-MISC whisker space splice attack || url,www.wiretrip.net/rfp/pages/whitepapers/whiskerids.html || arachnids,296
+1105 || WEB-MISC BigBrother access
+1106 || WEB-CGI Poll-it access || cve,2000-0590 || bugtraq,1431
+1107 || WEB-MISC ftp.pl access || nessus,10467 || cve,2000-0674 || bugtraq,1471
+1108 || WEB-MISC Tomcat server snoop access || cve,2000-0760 || bugtraq,1532
+1109 || WEB-MISC ROXEN directory list attempt || cve,2000-0671 || bugtraq,1510
+1110 || WEB-MISC apache source.asp file access || cve,2000-0628 || bugtraq,1457
+1111 || WEB-MISC Tomcat server exploit access
+1112 || WEB-MISC http directory traversal || arachnids,298
+1113 || WEB-MISC http directory traversal || arachnids,297
+1114 || WEB-MISC prefix-get //
+1115 || WEB-MISC ICQ webserver DOS || cve,1999-0474
+1116 || WEB-MISC Lotus DelDoc attempt
+1117 || WEB-MISC Lotus EditDoc attempt || url,www.securiteam.com/exploits/5NP080A1RE.html
+1118 || WEB-MISC ls%20-l
+1119 || WEB-MISC mlog.phtml access || cve,1999-0346 || cve,1999-0068 || bugtraq,713
+1120 || WEB-MISC mylog.phtml access || cve,1999-0346 || cve,1999-0068 || bugtraq,713
+1121 || WEB-MISC O'Reilly args.bat access
+1122 || WEB-MISC /etc/passwd
+1123 || WEB-MISC ?PageServices access || cve,1999-0269 || bugtraq,7621 || bugtraq,1063
+1124 || WEB-MISC Ecommerce check.txt access
+1125 || WEB-MISC webcart access || nessus,10298 || cve,1999-0610
+1126 || WEB-MISC AuthChangeUrl access
+1127 || WEB-MISC convert.bas access || cve,1999-0175 || bugtraq,2025
+1128 || WEB-MISC cpshost.dll access
+1129 || WEB-MISC .htaccess access
+1130 || WEB-MISC .wwwacl access
+1131 || WEB-MISC .wwwacl access
+1132 || WEB-MISC Netscape Unixware overflow || arachnids,180
+1133 || SCAN cybercop os probe || arachnids,145
+1134 || WEB-PHP Phorum admin access || bugtraq,2271 || arachnids,205
+1136 || WEB-MISC cd..
+1137 || WEB-PHP Phorum authentication access || bugtraq,2274 || arachnids,206
+1138 || WEB-MISC Cisco Web DOS attempt || arachnids,275
+1139 || WEB-MISC whisker HEAD/./ || url,www.wiretrip.net/rfp/pages/whitepapers/whiskerids.html
+1140 || WEB-MISC guestbook.pl access || nessus,10099 || cve,1999-1053 || cve,1999-0237 || bugtraq,776 || arachnids,228
+1141 || WEB-MISC handler access || nessus,10100 || cve,1999-0148 || bugtraq,380 || arachnids,235
+1142 || WEB-MISC /.... access
+1143 || WEB-MISC ///cgi-bin access
+1144 || WEB-MISC /cgi-bin/// access
+1145 || WEB-MISC /~root access
+1146 || WEB-MISC Ecommerce import.txt access
+1147 || WEB-MISC cat%20 access || cve,1999-0039 || bugtraq,374
+1148 || WEB-MISC Ecommerce import.txt access
+1149 || WEB-CGI count.cgi access || nessus,10049 || cve,1999-0021 || bugtraq,128
+1150 || WEB-MISC Domino catalog.nsf access
+1151 || WEB-MISC Domino domcfg.nsf access
+1152 || WEB-MISC Domino domlog.nsf access
+1153 || WEB-MISC Domino log.nsf access
+1154 || WEB-MISC Domino names.nsf access
+1155 || WEB-MISC Ecommerce checks.txt access
+1156 || WEB-MISC apache DOS attempt
+1157 || WEB-MISC Netscape PublishingXpert access || cve,2000-1196
+1158 || WEB-MISC windmail.exe access || nessus,10365 || cve,2000-0242 || bugtraq,1073 || arachnids,465
+1159 || WEB-MISC webplus access || cve,2000-1005 || bugtraq,1725 || bugtraq,1722 || bugtraq,1720 || bugtraq,1174
+1160 || WEB-MISC Netscape dir index wp || cve,2000-0236 || bugtraq,1063 || arachnids,270
+1161 || WEB-PHP piranha passwd.php3 access || cve,2000-0322 || bugtraq,1149 || arachnids,272
+1162 || WEB-MISC cart 32 AdminPwd access || cve,2000-0429 || bugtraq,1153
+1163 || WEB-CGI webdist.cgi access || nessus,10299 || cve,1999-0039 || bugtraq,374
+1164 || WEB-MISC shopping cart access || cve,2000-1188 || cve,1999-0607 || bugtraq,2049 || bugtraq,1983
+1165 || WEB-MISC Novell Groupwise gwweb.exe access || nessus,10877 || cve,1999-1006 || cve,1999-1005 || bugtraq,879
+1166 || WEB-MISC ws_ftp.ini access || cve,1999-1078 || bugtraq,547
+1167 || WEB-MISC rpm_query access || cve,2000-0192 || bugtraq,1036
+1168 || WEB-MISC mall log order access
+1171 || WEB-MISC whisker HEAD with large datagram || url,www.wiretrip.net/rfp/pages/whitepapers/whiskerids.html
+1172 || WEB-CGI bigconf.cgi access || nessus,10027 || cve,1999-1550 || bugtraq,778
+1173 || WEB-MISC architext_query.pl access
+1174 || WEB-CGI /cgi-bin/jj access || cve,1999-0260 || bugtraq,2002
+1175 || WEB-MISC wwwboard.pl access || cve,1999-0954 || cve,1999-0930 || bugtraq,649 || bugtraq,1795
+1176 || WEB-MISC order.log access
+1177 || WEB-MISC Netscape Enterprise Server directory view || bugtraq,1063
+1178 || WEB-PHP Phorum read access || arachnids,208
+1179 || WEB-PHP Phorum violation access || bugtraq,2272 || arachnids,209
+1180 || WEB-MISC get32.exe access || nessus,10013 || cve,1999-0885 || bugtraq,770 || bugtraq,1485 || arachnids,258
+1181 || WEB-MISC Annex Terminal DOS attempt || cve,1999-1070 || arachnids,260
+1182 || WEB-MISC cgitest.exe attempt || nessus,10623 || nessus,10040 || cve,2002-0128 || cve,2000-0521 || bugtraq,3885 || bugtraq,1313 || arachnids,265
+1183 || WEB-MISC Netscape Enterprise Server directory view || cve,2000-0236 || bugtraq,1063
+1184 || WEB-MISC Netscape Enterprise Server directory view || bugtraq,1063
+1185 || WEB-CGI bizdbsearch attempt || cve,2000-0287 || bugtraq,1104
+1186 || WEB-MISC Netscape Enterprise Server directory view || bugtraq,1063
+1187 || WEB-MISC SalesLogix Eviewer web command attempt || cve,2000-0289 || cve,2000-0278 || bugtraq,1089 || bugtraq,1078
+1188 || WEB-MISC Netscape Enterprise Server directory view || bugtraq,1063
+1189 || WEB-MISC Netscape Enterprise Server directory view || bugtraq,1063
+1190 || WEB-MISC Netscape Enterprise Server directory view || bugtraq,1063
+1191 || WEB-MISC Netscape Enterprise Server directory view || bugtraq,1063
+1192 || WEB-MISC Trend Micro OfficeScan access || bugtraq,1057
+1193 || WEB-MISC oracle web arbitrary command execution attempt || nessus,10348 || cve,2000-0169 || bugtraq,1053
+1194 || WEB-CGI sojourn.cgi File attempt || cve,2000-0180 || bugtraq,1052
+1195 || WEB-CGI sojourn.cgi access || cve,2000-0180 || bugtraq,1052
+1196 || WEB-CGI SGI InfoSearch fname attempt || cve,2000-0207 || bugtraq,1031 || arachnids,290
+1197 || WEB-PHP Phorum code access || arachnids,207
+1198 || WEB-MISC Netscape Enterprise Server directory view || bugtraq,1063
+1199 || WEB-MISC Compaq Insight directory traversal || cve,1999-0771 || bugtraq,282 || arachnids,244
+1200 || ATTACK-RESPONSES Invalid URL || url,www.microsoft.com/technet/security/bulletin/MS00-063.mspx
+1201 || ATTACK-RESPONSES 403 Forbidden
+1202 || WEB-MISC search.vts access
+1204 || WEB-CGI ax-admin.cgi access
+1205 || WEB-CGI axs.cgi access
+1206 || WEB-CGI cachemgr.cgi access || nessus,10034 || cve,1999-0710 || bugtraq,2059
+1207 || WEB-MISC htgrep access || cve,2000-0832
+1208 || WEB-CGI responder.cgi access
+1209 || WEB-MISC .nsconfig access
+1211 || WEB-CGI web-map.cgi access
+1212 || WEB-MISC Admin_files access
+1213 || WEB-MISC backup access
+1214 || WEB-MISC intranet access
+1215 || WEB-CGI ministats admin access
+1216 || WEB-MISC filemail access
+1217 || WEB-MISC plusmail access || cve,2000-0074 || bugtraq,2653
+1218 || WEB-MISC adminlogin access
+1219 || WEB-CGI dfire.cgi access || cve,1999-0913 || bugtraq,564 || bugtraq,0564
+1220 || WEB-MISC ultraboard access
+1221 || WEB-MISC musicat empower access
+1222 || WEB-CGI pals-cgi arbitrary file access attempt || nessus,10611 || cve,2001-0217 || bugtraq,2372
+1224 || WEB-MISC ROADS search.pl attempt || nessus,10627 || cve,2001-0215 || bugtraq,2371
+1225 || X11 MIT Magic Cookie detected || arachnids,396
+1226 || X11 xopen || arachnids,395
+1227 || X11 outbound client connection detected || arachnids,126
+1228 || SCAN nmap XMAS || arachnids,30
+1229 || FTP CWD ... || bugtraq,9237
+1230 || WEB-MISC VirusWall FtpSave access || nessus,10733 || cve,2001-0432 || bugtraq,2808
+1231 || WEB-MISC VirusWall catinfo access || nessus,10650 || cve,2001-0432 || bugtraq,2808 || bugtraq,2579
+1232 || WEB-MISC VirusWall catinfo access || nessus,10650 || cve,2001-0432 || bugtraq,2808 || bugtraq,2579
+1233 || WEB-CLIENT Outlook EML access
+1234 || WEB-MISC VirusWall FtpSaveCSP access || nessus,10733 || cve,2001-0432 || bugtraq,2808
+1235 || WEB-MISC VirusWall FtpSaveCVP access || nessus,10733 || cve,2001-0432 || bugtraq,2808
+1236 || WEB-MISC Tomcat sourecode view
+1237 || WEB-MISC Tomcat sourecode view
+1238 || WEB-MISC Tomcat sourecode view
+1239 || NETBIOS RFParalyze Attempt
+1240 || EXPLOIT MDBMS overflow || cve,2000-0446 || bugtraq,1252
+1241 || WEB-MISC SWEditServlet directory traversal attempt
+1242 || WEB-IIS ISAPI .ida access || cve,2000-0071 || bugtraq,1065 || arachnids,552
+1243 || WEB-IIS ISAPI .ida attempt || cve,2000-0071 || bugtraq,1065 || arachnids,552
+1244 || WEB-IIS ISAPI .idq attempt || cve,2000-0071 || bugtraq,1065 || arachnids,553
+1245 || WEB-IIS ISAPI .idq access || cve,2000-0071 || bugtraq,1065 || arachnids,553
+1246 || WEB-FRONTPAGE rad overflow attempt || url,www.microsoft.com/technet/security/bulletin/MS01-035.mspx || cve,2001-0341 || bugtraq,2906 || arachnids,555
+1247 || WEB-FRONTPAGE rad overflow attempt || cve,2001-0341 || bugtraq,2906
+1248 || WEB-FRONTPAGE rad fp30reg.dll access || url,www.microsoft.com/technet/security/bulletin/MS01-035.mspx || cve,2001-0341 || bugtraq,2906 || arachnids,555
+1249 || WEB-FRONTPAGE frontpage rad fp4areg.dll access || cve,2001-0341 || bugtraq,2906
+1250 || WEB-MISC Cisco IOS HTTP configuration attempt || cve,2001-0537 || bugtraq,2936
+1251 || INFO TELNET Bad Login
+1252 || TELNET bsd telnet exploit response || cve,2001-0554 || bugtraq,3064
+1253 || TELNET bsd exploit client finishing || cve,2001-0554 || bugtraq,3064
+1254 || WEB-PHP PHPLIB remote command attempt || cve,2001-1370 || bugtraq,3079
+1255 || WEB-PHP PHPLIB remote command attempt || cve,2001-1370 || bugtraq,3079
+1256 || WEB-IIS CodeRed v2 root.exe access || url,www.cert.org/advisories/CA-2001-19.html
+1257 || DOS Winnuke attack || cve,1999-0153 || bugtraq,2010
+1258 || WEB-MISC HP OpenView Manager DOS || cve,2001-0552 || bugtraq,2845
+1259 || WEB-MISC SWEditServlet access
+1260 || WEB-MISC long basic authorization string || cve,2001-1067 || bugtraq,3230
+1261 || EXPLOIT AIX pdnsd overflow || cve,1999-0745 || bugtraq,590 || bugtraq,3237
+1262 || RPC portmap admind request TCP || arachnids,18
+1263 || RPC portmap amountd request TCP || arachnids,19
+1264 || RPC portmap bootparam request TCP || cve,1999-0647 || arachnids,16
+1265 || RPC portmap cmsd request TCP || arachnids,17
+1266 || RPC portmap mountd request TCP || arachnids,13
+1267 || RPC portmap nisd request TCP || arachnids,21
+1268 || RPC portmap pcnfsd request TCP || arachnids,22
+1269 || RPC portmap rexd request TCP || arachnids,23
+1270 || RPC portmap rstatd request TCP || arachnids,10
+1271 || RPC portmap rusers request TCP || cve,1999-0626 || arachnids,133
+1272 || RPC portmap sadmind request TCP || arachnids,20
+1273 || RPC portmap selection_svc request TCP || arachnids,25
+1274 || RPC portmap ttdbserv request TCP || url,www.cert.org/advisories/CA-2001-05.html || cve,2001-0717 || cve,1999-1075 || cve,1999-0687 || cve,1999-0003 || bugtraq,3382 || bugtraq,122 || arachnids,24
+1275 || RPC portmap yppasswd request TCP || arachnids,14
+1276 || RPC portmap ypserv request TCP || cve,2002-1232 || cve,2000-1043 || cve,2000-1042 || bugtraq,6016 || bugtraq,5914 || arachnids,12
+1277 || RPC portmap ypupdated request UDP || arachnids,125
+1278 || RPC rstatd query || arachnids,9
+1279 || RPC portmap snmpXdmi request UDP || url,www.cert.org/advisories/CA-2001-05.html || cve,2001-0236 || bugtraq,2417
+1280 || RPC portmap listing UDP 111 || arachnids,428
+1281 || RPC portmap listing UDP 32771 || arachnids,429
+1282 || RPC EXPLOIT statdx || arachnids,442
+1283 || WEB-IIS outlook web dos || bugtraq,3223
+1284 || WEB-CLIENT readme.eml download attempt || url,www.cert.org/advisories/CA-2001-26.html
+1285 || WEB-IIS msdac access
+1286 || WEB-IIS _mem_bin access
+1287 || WEB-IIS scripts access
+1288 || WEB-FRONTPAGE /_vti_bin/ access
+1289 || TFTP GET Admin.dll || url,www.cert.org/advisories/CA-2001-26.html
+1290 || WEB-CLIENT readme.eml autoload attempt || url,www.cert.org/advisories/CA-2001-26.html
+1291 || WEB-MISC sml3com access || cve,2001-0740 || bugtraq,2721
+1292 || ATTACK-RESPONSES directory listing
+1293 || NETBIOS nimda .eml || url,www.f-secure.com/v-descs/nimda.shtml
+1294 || NETBIOS nimda .nws || url,www.f-secure.com/v-descs/nimda.shtml
+1295 || NETBIOS nimda RICHED20.DLL || url,www.f-secure.com/v-descs/nimda.shtml
+1296 || RPC portmap request yppasswdd || bugtraq,2763
+1297 || RPC portmap request yppasswdd || bugtraq,2763
+1298 || RPC portmap tooltalk request TCP || url,www.cert.org/advisories/CA-2001-05.html || cve,2001-0717 || cve,1999-1075 || cve,1999-0687 || cve,1999-0003 || bugtraq,3382
+1299 || RPC portmap tooltalk request UDP || url,www.cert.org/advisories/CA-2001-05.html || cve,2001-0717 || cve,1999-1075 || cve,1999-0687 || cve,1999-0003 || bugtraq,3382
+1300 || WEB-PHP admin.php file upload attempt || cve,2001-1032 || bugtraq,3361
+1301 || WEB-PHP admin.php access || cve,2001-1032 || bugtraq,9270 || bugtraq,7532 || bugtraq,3361
+1302 || WEB-MISC console.exe access || cve,2001-1252 || bugtraq,3375
+1303 || WEB-MISC cs.exe access || cve,2001-1252 || bugtraq,3375
+1304 || WEB-CGI txt2html.cgi access
+1305 || WEB-CGI txt2html.cgi directory traversal attempt
+1306 || WEB-CGI store.cgi product directory traversal attempt || cve,2001-0305 || bugtraq,2385
+1307 || WEB-CGI store.cgi access || nessus,10639 || cve,2001-0305 || bugtraq,2385
+1308 || WEB-CGI sendmessage.cgi access
+1309 || WEB-CGI zsh access || url,www.cert.org/advisories/CA-1996-11.html || cve,1999-0509
+1310 || PORN free XXX
+1311 || PORN hardcore anal
+1312 || PORN nude cheerleader
+1313 || PORN up skirt
+1314 || PORN young teen
+1315 || PORN hot young sex
+1316 || PORN fuck fuck fuck
+1317 || PORN anal sex
+1318 || PORN hardcore rape
+1319 || PORN real snuff
+1320 || PORN fuck movies
+1321 || BAD-TRAFFIC 0 ttl || url,www.isi.edu/in-notes/rfc1122.txt || url,support.microsoft.com/default.aspx?scid=kb\
+1322 || BAD-TRAFFIC bad frag bits
+1323 || EXPLOIT rwhoisd format string attempt || cve,2001-0838 || bugtraq,3474
+1324 || EXPLOIT ssh CRC32 overflow /bin/sh || cve,2001-0572 || cve,2001-0144 || bugtraq,2347
+1325 || EXPLOIT ssh CRC32 overflow filler || cve,2001-0572 || cve,2001-0144 || bugtraq,2347
+1326 || EXPLOIT ssh CRC32 overflow NOOP || cve,2001-0572 || cve,2001-0144 || bugtraq,2347
+1327 || EXPLOIT ssh CRC32 overflow || cve,2001-0572 || cve,2001-0144 || bugtraq,2347
+1328 || WEB-ATTACKS ps command attempt
+1329 || WEB-ATTACKS /bin/ps command attempt
+1330 || WEB-ATTACKS wget command attempt
+1331 || WEB-ATTACKS uname -a command attempt
+1332 || WEB-ATTACKS /usr/bin/id command attempt
+1333 || WEB-ATTACKS id command attempt
+1334 || WEB-ATTACKS echo command attempt
+1335 || WEB-ATTACKS kill command attempt
+1336 || WEB-ATTACKS chmod command attempt
+1337 || WEB-ATTACKS chgrp command attempt
+1338 || WEB-ATTACKS chown command attempt
+1339 || WEB-ATTACKS chsh command attempt
+1340 || WEB-ATTACKS tftp command attempt
+1341 || WEB-ATTACKS /usr/bin/gcc command attempt
+1342 || WEB-ATTACKS gcc command attempt
+1343 || WEB-ATTACKS /usr/bin/cc command attempt
+1344 || WEB-ATTACKS cc command attempt
+1345 || WEB-ATTACKS /usr/bin/cpp command attempt
+1346 || WEB-ATTACKS cpp command attempt
+1347 || WEB-ATTACKS /usr/bin/g++ command attempt
+1348 || WEB-ATTACKS g++ command attempt
+1349 || WEB-ATTACKS bin/python access attempt
+1350 || WEB-ATTACKS python access attempt
+1351 || WEB-ATTACKS bin/tclsh execution attempt
+1352 || WEB-ATTACKS tclsh execution attempt
+1353 || WEB-ATTACKS bin/nasm command attempt
+1354 || WEB-ATTACKS nasm command attempt
+1355 || WEB-ATTACKS /usr/bin/perl execution attempt
+1356 || WEB-ATTACKS perl execution attempt
+1357 || WEB-ATTACKS nt admin addition attempt
+1358 || WEB-ATTACKS traceroute command attempt
+1359 || WEB-ATTACKS ping command attempt
+1360 || WEB-ATTACKS netcat command attempt
+1361 || WEB-ATTACKS nmap command attempt
+1362 || WEB-ATTACKS xterm command attempt
+1363 || WEB-ATTACKS X application to remote host attempt
+1364 || WEB-ATTACKS lsof command attempt
+1365 || WEB-ATTACKS rm command attempt
+1366 || WEB-ATTACKS mail command attempt
+1367 || WEB-ATTACKS mail command attempt
+1368 || WEB-ATTACKS /bin/ls| command attempt
+1369 || WEB-ATTACKS /bin/ls command attempt
+1370 || WEB-ATTACKS /etc/inetd.conf access
+1371 || WEB-ATTACKS /etc/motd access
+1372 || WEB-ATTACKS /etc/shadow access
+1373 || WEB-ATTACKS conf/httpd.conf attempt
+1374 || WEB-ATTACKS .htgroup access
+1375 || WEB-MISC sadmind worm access || url,www.cert.org/advisories/CA-2001-11.html
+1376 || WEB-MISC jrun directory browse attempt || bugtraq,3592
+1377 || FTP wu-ftp bad file completion attempt [ || cve,2001-0886 || cve,2001-0550 || bugtraq,3707 || bugtraq,3581
+1378 || FTP wu-ftp bad file completion attempt { || cve,2001-0886 || cve,2001-0550 || bugtraq,3707 || bugtraq,3581
+1379 || FTP STAT overflow attempt || url,labs.defcom.com/adv/2001/def-2001-31.txt
+1380 || WEB-IIS cross-site scripting attempt
+1381 || WEB-MISC Trend Micro OfficeScan attempt || bugtraq,1057
+1382 || EXPLOIT CHAT IRC Ettercap parse overflow attempt || url,www.bugtraq.org/dev/GOBBLES-12.txt
+1383 || P2P Fastrack kazaa/morpheus GET request || url,www.musiccity.com/technology.htm || url,www.kazaa.com
+1384 || MISC UPnP malformed advertisement || url,www.microsoft.com/technet/security/bulletin/MS01-059.mspx || cve,2001-0877 || cve,2001-0876 || bugtraq,3723
+1385 || WEB-MISC mod-plsql administration access || nessus,10849 || cve,2001-1217 || cve,2001-1216 || bugtraq,3727 || bugtraq,3726
+1386 || MS-SQL/SMB raiserror possible buffer overflow || cve,2001-0542 || bugtraq,3733
+1387 || MS-SQL raiserror possible buffer overflow || cve,2001-0542 || bugtraq,3733
+1388 || MISC UPnP Location overflow || cve,2001-0876 || bugtraq,3723
+1389 || WEB-MISC viewcode.jse access || bugtraq,3715
+1390 || SHELLCODE x86 inc ebx NOOP
+1391 || WEB-MISC Phorecast remote code execution attempt || cve,2001-1049 || bugtraq,3388
+1392 || WEB-CGI lastlines.cgi access || cve,2001-1206 || cve,2001-1205 || bugtraq,3755 || bugtraq,3754
+1393 || MISC AIM AddGame attempt || url,www.w00w00.org/files/w00aimexp/ || cve,2002-0005 || bugtraq,3769
+1394 || SHELLCODE x86 NOOP
+1395 || WEB-CGI zml.cgi attempt || cve,2001-1209 || bugtraq,3759
+1396 || WEB-CGI zml.cgi access || cve,2001-1209 || bugtraq,3759
+1397 || WEB-CGI wayboard attempt || cve,2001-0214 || bugtraq,2370
+1398 || EXPLOIT CDE dtspcd exploit attempt || url,www.cert.org/advisories/CA-2002-01.html || cve,2001-0803 || bugtraq,3517
+1399 || WEB-PHP PHP-Nuke remote file include attempt || cve,2002-0206 || bugtraq,3889
+1400 || WEB-IIS /scripts/samples/ access
+1401 || WEB-IIS /msadc/samples/ access
+1402 || WEB-IIS iissamples access
+1403 || WEB-MISC viewcode access
+1404 || WEB-MISC showcode access
+1405 || WEB-CGI AHG search.cgi access || bugtraq,3985
+1406 || WEB-CGI agora.cgi access || nessus,10836 || cve,2002-0215 || cve,2001-1199 || bugtraq,3976 || bugtraq,3702
+1407 || WEB-PHP smssend.php access || cve,2002-0220 || bugtraq,3982
+1408 || DOS MSDTC attempt || cve,2002-0224 || bugtraq,4006
+1409 || SNMP community string buffer overflow attempt || url,www.cert.org/advisories/CA-2002-03.html || cve,2002-0013 || cve,2002-0012 || bugtraq,4132 || bugtraq,4089 || bugtraq,4088
+1410 || WEB-CGI dcboard.cgi access || nessus,10583 || cve,2001-0527 || bugtraq,2728
+1411 || SNMP public access udp || cve,2002-0013 || cve,2002-0012 || cve,1999-0517 || bugtraq,4089 || bugtraq,4088 || bugtraq,2112
+1412 || SNMP public access tcp || cve,2002-0013 || cve,2002-0012 || cve,1999-0517 || bugtraq,7212 || bugtraq,4089 || bugtraq,4088 || bugtraq,2112
+1413 || SNMP private access udp || cve,2002-0013 || cve,2002-0012 || bugtraq,7212 || bugtraq,4132 || bugtraq,4089 || bugtraq,4088
+1414 || SNMP private access tcp || cve,2002-0013 || cve,2002-0012 || bugtraq,4132 || bugtraq,4089 || bugtraq,4088
+1415 || SNMP Broadcast request || cve,2002-0013 || cve,2002-0012 || bugtraq,4132 || bugtraq,4089 || bugtraq,4088
+1416 || SNMP broadcast trap || cve,2002-0013 || cve,2002-0012 || bugtraq,4132 || bugtraq,4089 || bugtraq,4088
+1417 || SNMP request udp || cve,2002-0013 || cve,2002-0012 || bugtraq,4132 || bugtraq,4089 || bugtraq,4088
+1418 || SNMP request tcp || cve,2002-0013 || cve,2002-0012 || bugtraq,4132 || bugtraq,4089 || bugtraq,4088
+1419 || SNMP trap udp || cve,2002-0013 || cve,2002-0012 || bugtraq,4132 || bugtraq,4089 || bugtraq,4088
+1420 || SNMP trap tcp || cve,2002-0013 || cve,2002-0012 || bugtraq,4132 || bugtraq,4089 || bugtraq,4088
+1421 || SNMP AgentX/tcp request || cve,2002-0013 || cve,2002-0012 || bugtraq,4132 || bugtraq,4089 || bugtraq,4088
+1422 || SNMP community string buffer overflow attempt with evasion || url,www.cert.org/advisories/CA-2002-03.html || cve,2002-0013 || cve,2002-0012 || bugtraq,4132 || bugtraq,4089 || bugtraq,4088
+1423 || WEB-PHP content-disposition memchr overflow || cve,2002-0081 || bugtraq,4183
+1424 || SHELLCODE x86 0xEB0C NOOP
+1425 || WEB-PHP content-disposition || cve,2002-0081 || bugtraq,4183
+1426 || SNMP PROTOS test-suite-req-app attempt || url,www.ee.oulu.fi/research/ouspg/protos/testing/c06/snmpv1/index.html
+1427 || SNMP PROTOS test-suite-trap-app attempt || url,www.ee.oulu.fi/research/ouspg/protos/testing/c06/snmpv1/index.html
+1428 || MULTIMEDIA audio galaxy keepalive
+1429 || POLICY poll.gotomypc.com access || url,www.gotomypc.com/help2.tmpl
+1430 || TELNET Solaris memory mismanagement exploit attempt
+1431 || BAD-TRAFFIC syn to multicast address
+1432 || P2P GNUTella client request
+1433 || WEB-MISC .history access
+1434 || WEB-MISC .bash_history access
+1435 || DNS named authors attempt || nessus,10728 || arachnids,480
+1436 || MULTIMEDIA Quicktime User Agent access
+1437 || MULTIMEDIA Windows Media audio download
+1438 || MULTIMEDIA Windows Media Video download
+1439 || MULTIMEDIA Shoutcast playlist redirection
+1440 || MULTIMEDIA Icecast playlist redirection
+1441 || TFTP GET nc.exe
+1442 || TFTP GET shadow
+1443 || TFTP GET passwd
+1444 || TFTP Get
+1445 || POLICY FTP file_id.diz access possible warez site
+1446 || SMTP vrfy root
+1447 || MISC MS Terminal server request RDP || cve,2001-0540 || bugtraq,3099
+1448 || MISC MS Terminal server request || cve,2001-0540 || bugtraq,3099
+1449 || POLICY FTP anonymous ftp login attempt
+1450 || SMTP expn *@ || cve,1999-1200
+1451 || WEB-CGI NPH-publish access || cve,2001-0400 || bugtraq,2563
+1452 || WEB-CGI args.cmd access || cve,1999-1374
+1453 || WEB-CGI AT-generated.cgi access || cve,1999-1072
+1454 || WEB-CGI wwwwais access || nessus,10597 || cve,2001-0223
+1455 || WEB-CGI calender.pl access || cve,2000-0432
+1456 || WEB-CGI calender_admin.pl access || cve,2000-0432
+1457 || WEB-CGI user_update_admin.pl access || cve,2000-0627 || bugtraq,1486
+1458 || WEB-CGI user_update_passwd.pl access || cve,2000-0627 || bugtraq,1486
+1459 || WEB-CGI bb-histlog.sh access || cve,1999-1462 || bugtraq,142
+1460 || WEB-CGI bb-histsvc.sh access || cve,1999-1462 || bugtraq,142
+1461 || WEB-CGI bb-rep.sh access || cve,1999-1462 || bugtraq,142
+1462 || WEB-CGI bb-replog.sh access || cve,1999-1462 || bugtraq,142
+1463 || CHAT IRC message
+1464 || ATTACK-RESPONSES oracle one hour install
+1465 || WEB-CGI auktion.cgi access || nessus,10638 || cve,2001-0212 || bugtraq,2367
+1466 || WEB-CGI cgiforum.pl access || nessus,10552 || cve,2000-1171 || bugtraq,1963
+1467 || WEB-CGI directorypro.cgi access || cve,2001-0780 || bugtraq,2793
+1468 || WEB-CGI Web Shopper shopper.cgi attempt || cve,2000-0922 || bugtraq,1776
+1469 || WEB-CGI Web Shopper shopper.cgi access || cve,2000-0922 || bugtraq,1776
+1470 || WEB-CGI listrec.pl access || cve,2001-0997
+1471 || WEB-CGI mailnews.cgi access || cve,2001-0271
+1472 || WEB-CGI book.cgi access || nessus,10721 || cve,2001-1114 || bugtraq,3178
+1473 || WEB-CGI newsdesk.cgi access || cve,2001-0232
+1474 || WEB-CGI cal_make.pl access || cve,2001-0463 || bugtraq,2663
+1475 || WEB-CGI mailit.pl access
+1476 || WEB-CGI sdbsearch.cgi access || cve,2001-1130
+1477 || WEB-CGI swc attempt
+1478 || WEB-CGI swc access
+1479 || WEB-CGI ttawebtop.cgi arbitrary file attempt || nessus,10696 || cve,2001-0805 || bugtraq,2890
+1480 || WEB-CGI ttawebtop.cgi access || nessus,10696 || cve,2001-0805 || bugtraq,2890
+1481 || WEB-CGI upload.cgi access || nessus,10290
+1482 || WEB-CGI view_source access || nessus,10294
+1483 || WEB-CGI ustorekeeper.pl access || nessus,10646 || cve,2001-0466
+1484 || WEB-IIS /isapi/tstisapi.dll access || cve,2001-0302 || bugtraq,2381
+1485 || WEB-IIS mkilog.exe access
+1486 || WEB-IIS ctss.idc access
+1487 || WEB-IIS /iisadmpwd/aexp2.htr access
+1488 || WEB-CGI store.cgi directory traversal attempt || nessus,10639 || cve,2001-0305 || bugtraq,2385
+1489 || WEB-MISC /~nobody access
+1490 || WEB-PHP Phorum /support/common.php attempt
+1491 || WEB-PHP Phorum /support/common.php access
+1492 || WEB-MISC RBS ISP /newuser  directory traversal attempt
+1493 || WEB-MISC RBS ISP /newuser access
+1494 || WEB-CGI SIX webboard generate.cgi attempt || cve,2001-1115 || bugtraq,3175
+1495 || WEB-CGI SIX webboard generate.cgi access || cve,2001-1115 || bugtraq,3175
+1496 || WEB-CGI spin_client.cgi access
+1497 || WEB-MISC cross site scripting attempt
+1498 || WEB-MISC PIX firewall manager directory traversal attempt
+1499 || WEB-MISC SiteScope Service access || nessus,10778
+1500 || WEB-MISC ExAir access || cve,1999-0449 || bugtraq,193
+1501 || WEB-CGI a1stats a1disp3.cgi directory traversal attempt || nessus,10669 || cve,2001-0561 || bugtraq,2705
+1502 || WEB-CGI a1stats a1disp3.cgi access || nessus,10669 || cve,2001-0561 || bugtraq,2705
+1503 || WEB-CGI admentor admin.asp access || url,www.securiteam.com/windowsntfocus/5DP0N1F6AW.html || nessus,10880 || cve,2002-0308 || bugtraq,4152
+1504 || MISC AFS access || nessus,10441
+1505 || WEB-CGI alchemy http server PRN arbitrary command execution attempt || cve,2001-0871 || bugtraq,3599
+1506 || WEB-CGI alchemy http server NUL arbitrary command execution attempt || cve,2001-0871 || bugtraq,3599
+1507 || WEB-CGI alibaba.pl arbitrary command execution attempt || nessus,10013 || cve,1999-0885
+1508 || WEB-CGI alibaba.pl access || cve ,CAN-1999-0885
+1509 || WEB-CGI AltaVista Intranet Search directory traversal attempt || nessus,10015 || cve,2000-0039 || bugtraq,896
+1510 || WEB-CGI test.bat arbitrary command execution attempt || nessus,10016 || cve,1999-0947 || bugtraq,762
+1511 || WEB-CGI test.bat access || nessus,10016 || cve,1999-0947 || bugtraq,762
+1512 || WEB-CGI input.bat arbitrary command execution attempt || nessus,10016 || cve,1999-0947 || bugtraq,762
+1513 || WEB-CGI input.bat access || nessus,10016 || cve,1999-0947 || bugtraq,762
+1514 || WEB-CGI input2.bat arbitrary command execution attempt || nessus,10016 || cve,1999-0947 || bugtraq,762
+1515 || WEB-CGI input2.bat access || nessus,10016 || cve,1999-0947 || bugtraq,762
+1516 || WEB-CGI envout.bat arbitrary command execution attempt || nessus,10016 || cve,1999-0947 || bugtraq,762
+1517 || WEB-CGI envout.bat access || nessus,10016 || cve,1999-0947 || bugtraq,762
+1518 || WEB-MISC nstelemetry.adp access
+1519 || WEB-MISC apache ?M=D directory list attempt || cve,2001-0731 || bugtraq,3009
+1520 || WEB-MISC server-info access || url,httpd.apache.org/docs/mod/mod_info.html
+1521 || WEB-MISC server-status access || url,httpd.apache.org/docs/mod/mod_info.html
+1522 || WEB-MISC ans.pl attempt || nessus,10875 || cve,2002-0307 || cve,2002-0306 || bugtraq,4149 || bugtraq,4147
+1523 || WEB-MISC ans.pl access || nessus,10875 || cve,2002-0307 || cve,2002-0306 || bugtraq,4149 || bugtraq,4147
+1524 || WEB-MISC AxisStorpoint CD attempt || nessus,10023 || cve,2000-0191 || bugtraq,1025
+1525 || WEB-MISC Axis Storpoint CD access || nessus,10023 || cve,2000-0191 || bugtraq,1025
+1526 || WEB-MISC basilix sendmail.inc access || nessus,10601 || cve,2001-1044
+1527 || WEB-MISC basilix mysql.class access || nessus,10601 || cve,2001-1044
+1528 || WEB-MISC BBoard access || nessus,10507 || cve,2000-0629 || bugtraq,1459
+1529 || FTP SITE overflow attempt || cve,2001-0770 || cve,2001-0755 || cve,1999-0838
+1530 || FTP format string attempt
+1531 || WEB-CGI bb-hist.sh attempt || nessus,10025 || cve,1999-1462 || bugtraq,142
+1532 || WEB-CGI bb-hostscv.sh attempt || nessus,10460 || cve,2000-0638 || bugtraq,1455
+1533 || WEB-CGI bb-hostscv.sh access || nessus,10460 || cve,2000-0638 || bugtraq,1455
+1534 || WEB-CGI agora.cgi attempt || nessus,10836 || cve,2002-0215 || cve,2001-1199 || bugtraq,3976 || bugtraq,3702
+1535 || WEB-CGI bizdbsearch access || cve,2000-0287 || bugtraq,1104
+1536 || WEB-CGI calendar_admin.pl arbitrary command execution attempt || cve,2000-0432
+1537 || WEB-CGI calendar_admin.pl access || cve,2000-0432
+1538 || NNTP AUTHINFO USER overflow attempt || cve,2000-0341 || bugtraq,1156 || arachnids,274
+1539 || WEB-CGI /cgi-bin/ls access || cve,2000-0079 || bugtraq,936
+1540 || WEB-COLDFUSION ?Mode=debug attempt
+1541 || FINGER version query
+1542 || WEB-CGI cgimail access || cve,2000-0726
+1543 || WEB-CGI cgiwrap access || nessus,10041 || cve,2001-0987 || cve,2000-0431 || cve,1999-1530 || bugtraq,777 || bugtraq,3084 || bugtraq,1238
+1544 || WEB-MISC Cisco Catalyst command execution attempt || cve,2000-0945 || bugtraq,1846
+1545 || DOS Cisco attempt
+1546 || WEB-MISC Cisco /%% DOS attempt || cve,2000-0380 || bugtraq,1154
+1547 || WEB-CGI csSearch.cgi arbitrary command execution attempt || nessus,10924 || cve,2002-0495 || bugtraq,4368
+1548 || WEB-CGI csSearch.cgi access || nessus,10924 || cve,2002-0495 || bugtraq,4368
+1549 || SMTP HELO overflow attempt || nessus,11674 || nessus,10324 || cve,2000-0042 || bugtraq,895 || bugtraq,7726
+1550 || SMTP ETRN overflow attempt || cve,2000-0490 || bugtraq,1297
+1551 || WEB-MISC /CVS/Entries access
+1552 || WEB-MISC cvsweb version access || cve,2000-0670
+1553 || WEB-CGI /cart/cart.cgi access || cve,2000-0252 || bugtraq,1115
+1554 || WEB-CGI dbman db.cgi access || nessus,10403 || cve,2000-0381 || bugtraq,1178
+1555 || WEB-CGI DCShop access || cve,2001-0821 || bugtraq,2889
+1556 || WEB-CGI DCShop orders.txt access || cve,2001-0821 || bugtraq,2889
+1557 || WEB-CGI DCShop auth_user_file.txt access || cve,2001-0821 || bugtraq,2889
+1558 || WEB-MISC Delegate whois overflow attempt || cve,2000-0165
+1559 || WEB-MISC /doc/packages access
+1560 || WEB-MISC /doc/ access || cve,1999-0678 || bugtraq,318
+1561 || WEB-MISC ?open access
+1562 || FTP SITE CHOWN overflow attempt || cve,2001-0065 || bugtraq,2120
+1563 || WEB-MISC login.htm attempt || cve,1999-1533 || bugtraq,665
+1564 || WEB-MISC login.htm access || cve,1999-1533 || bugtraq,665
+1565 || WEB-CGI eshop.pl arbitrary commane execution attempt || cve,2001-1014 || bugtraq,3340
+1566 || WEB-CGI eshop.pl access || cve,2001-1014 || bugtraq,3340
+1567 || WEB-IIS /exchange/root.asp attempt
+1568 || WEB-IIS /exchange/root.asp access
+1569 || WEB-CGI loadpage.cgi directory traversal attempt
+1570 || WEB-CGI loadpage.cgi access
+1571 || WEB-CGI dcforum.cgi directory traversal attempt || cve,2001-0437 || cve,2001-0436 || bugtraq,2611
+1572 || WEB-CGI commerce.cgi arbitrary file access attempt || nessus,10612 || cve,2001-0210 || bugtraq,2361
+1573 || WEB-CGI cgiforum.pl attempt || nessus,10552 || cve,2000-1171 || bugtraq,1963
+1574 || WEB-CGI directorypro.cgi attempt || cve,2001-0780 || bugtraq,2793
+1575 || WEB-MISC Domino mab.nsf access
+1576 || WEB-MISC Domino cersvr.nsf access
+1577 || WEB-MISC Domino setup.nsf access
+1578 || WEB-MISC Domino statrep.nsf access
+1579 || WEB-MISC Domino webadmin.nsf access
+1580 || WEB-MISC Domino events4.nsf access
+1581 || WEB-MISC Domino ntsync4.nsf access
+1582 || WEB-MISC Domino collect4.nsf access
+1583 || WEB-MISC Domino mailw46.nsf access
+1584 || WEB-MISC Domino bookmark.nsf access
+1585 || WEB-MISC Domino agentrunner.nsf access
+1586 || WEB-MISC Domino mail.box access
+1587 || WEB-MISC cgitest.exe access || nessus,10623 || nessus,10040 || cve,2002-0128 || cve,2000-0521 || bugtraq,3885 || bugtraq,1313 || arachnids,265
+1588 || WEB-MISC SalesLogix Eviewer access || cve,2000-0289 || cve,2000-0278 || bugtraq,1089 || bugtraq,1078
+1589 || WEB-MISC musicat empower attempt
+1590 || WEB-CGI faqmanager.cgi arbitrary file access attempt || nessus,10837 || bugtraq,3810
+1591 || WEB-CGI faqmanager.cgi access || nessus,10837 || bugtraq,3810
+1592 || WEB-CGI /fcgi-bin/echo.exe access || nessus,10838
+1593 || WEB-CGI FormHandler.cgi external site redirection attempt || nessus,10075 || cve,1999-1050 || bugtraq,799 || bugtraq,798
+1594 || WEB-CGI FormHandler.cgi access || nessus,10075 || cve,1999-1050 || bugtraq,799 || bugtraq,798
+1595 || WEB-IIS htimage.exe access || nessus,10376 || cve,2000-0256 || cve,2000-0122 || bugtraq,964 || bugtraq,1117
+1597 || WEB-CGI guestbook.cgi access || nessus,10098 || cve,1999-0237
+1598 || WEB-CGI Home Free search.cgi directory traversal attempt || cve,2000-0054 || bugtraq,921
+1599 || WEB-CGI search.cgi access || cve,2000-0054 || bugtraq,921
+1600 || WEB-CGI htsearch arbitrary configuration file attempt || cve,2000-0208
+1601 || WEB-CGI htsearch arbitrary file read attempt || cve,2000-0208 || bugtraq,1026
+1602 || WEB-CGI htsearch access || cve,2000-0208
+1603 || WEB-MISC DELETE attempt
+1604 || WEB-MISC iChat directory traversal attempt || cve,1999-0897
+1605 || DOS iParty DOS attempt || cve,1999-1566 || bugtraq,6844
+1606 || WEB-CGI icat access || cve,1999-1069
+1607 || WEB-CGI HyperSeek hsx.cgi access || cve,2001-0253 || bugtraq,2314
+1608 || WEB-CGI htmlscript attempt || cve,1999-0264 || bugtraq,2001
+1609 || WEB-CGI faxsurvey arbitrary file read attempt || nessus,10067 || cve,1999-0262 || bugtraq,2056
+1610 || WEB-CGI formmail arbitrary command execution attempt || nessus,10782 || nessus,10076 || cve,2000-0411 || cve,1999-0172 || bugtraq,2079 || bugtraq,1187 || arachnids,226
+1611 || WEB-CGI eXtropia webstore access || cve,2000-1005 || bugtraq,1774
+1612 || WEB-MISC ftp.pl attempt || nessus,10467 || cve,2000-0674 || bugtraq,1471
+1613 || WEB-MISC handler attempt || nessus,10100 || cve,1999-0148 || bugtraq,380 || arachnids,235
+1614 || WEB-MISC Novell Groupwise gwweb.exe attempt || nessus,10877 || cve,1999-1006 || cve,1999-1005 || bugtraq,879
+1615 || WEB-MISC htgrep attempt || cve,2000-0832
+1616 || DNS named version attempt || nessus,10028 || arachnids,278
+1617 || WEB-CGI Bugzilla doeditvotes.cgi access || cve,2002-0011 || bugtraq,3800
+1618 || WEB-IIS .asp chunked Transfer-Encoding || nessus,10932 || cve,2002-0079 || cve,2002-0071 || bugtraq,4485 || bugtraq,4474
+1619 || EXPERIMENTAL WEB-IIS .htr request || nessus,10932 || cve,2002-0071 || bugtraq,4474
+1620 || BAD TRAFFIC Non-Standard IP protocol
+1621 || FTP CMD overflow attempt
+1622 || FTP RNFR ././ attempt
+1623 || FTP invalid MODE
+1624 || FTP large PWD command
+1625 || FTP large SYST command
+1626 || WEB-IIS /StoreCSVS/InstantOrder.asmx request
+1627 || BAD-TRAFFIC Unassigned/Reserved IP protocol || url,www.iana.org/assignments/protocol-numbers
+1628 || WEB-CGI FormHandler.cgi directory traversal attempt attempt || nessus,10075 || cve,1999-1050 || bugtraq,799 || bugtraq,798
+1629 || OTHER-IDS SecureNetPro traffic
+1631 || CHAT AIM login
+1632 || CHAT AIM send message
+1633 || CHAT AIM receive message
+1634 || POP3 PASS overflow attempt || nessus,10325 || cve,1999-1511
+1635 || POP3 APOP overflow attempt || nessus,10559 || cve,2000-0841 || cve,2000-0840 || bugtraq,1652
+1636 || MISC Xtramail Username overflow attempt || cve,1999-1511 || bugtraq,791
+1637 || WEB-CGI yabb access || cve,2000-0853 || bugtraq,1668 || arachnids,462
+1638 || SCAN SSH Version map attempt
+1639 || CHAT IRC DCC file transfer request
+1640 || CHAT IRC DCC chat request
+1641 || DOS DB2 dos attempt
+1642 || WEB-CGI document.d2w access || cve,2000-1110 || bugtraq,2017
+1643 || WEB-CGI db2www access || cve,2000-0677
+1644 || WEB-CGI test-cgi attempt || nessus,10282 || cve,1999-0070 || bugtraq,2003 || arachnids,218
+1645 || WEB-CGI testcgi access || nessus,11610 || bugtraq,7214
+1646 || WEB-CGI test.cgi access
+1647 || WEB-CGI faxsurvey attempt full path || nessus,10067 || cve,1999-0262 || bugtraq,2056
+1648 || WEB-CGI perl.exe command attempt || url,www.cert.org/advisories/CA-1996-11.html || nessus,10173 || cve,1999-0509 || arachnids,219
+1649 || WEB-CGI perl command attempt || url,www.cert.org/advisories/CA-1996-11.html || nessus,10173 || cve,1999-0509 || arachnids,219
+1650 || WEB-CGI tst.bat access || nessus,10013 || cve,1999-0885 || bugtraq,770
+1651 || WEB-CGI enivorn.pl access
+1652 || WEB-CGI campus attempt || bugtraq,1975
+1653 || WEB-CGI campus access || bugtraq,1975
+1654 || WEB-CGI cart32.exe access
+1655 || WEB-CGI pfdispaly.cgi arbitrary command execution attempt
+1656 || WEB-CGI pfdispaly.cgi access
+1657 || WEB-CGI pagelog.cgi directory traversal attempt || nessus,10591 || cve,2000-0940 || bugtraq,1864
+1658 || WEB-CGI pagelog.cgi access || nessus,10591 || cve,2000-0940 || bugtraq,1864
+1659 || WEB-COLDFUSION sendmail.cfm access
+1660 || WEB-IIS trace.axd access
+1661 || WEB-IIS cmd32.exe access
+1662 || WEB-MISC /~ftp access
+1663 || WEB-MISC *%0a.pl access
+1664 || WEB-MISC mkplog.exe access
+1665 || WEB-MISC mkilog.exe access
+1666 || ATTACK-RESPONSES index of /cgi-bin/ response || nessus,10039
+1667 || WEB-MISC cross site scripting HTML Image tag set to javascript attempt
+1668 || WEB-CGI /cgi-bin/ access
+1669 || WEB-CGI /cgi-dos/ access
+1670 || WEB-MISC /home/ftp access
+1671 || WEB-MISC /home/www access
+1672 || FTP CWD ~ attempt || cve,2001-0421 || bugtraq,9215 || bugtraq,2601
+1673 || ORACLE EXECUTE_SYSTEM attempt
+1674 || ORACLE connect_data remote version detection attempt
+1675 || ORACLE misparsed login response
+1676 || ORACLE select union attempt
+1677 || ORACLE select like '%' attempt
+1678 || ORACLE select like '%' attempt backslash escaped
+1679 || ORACLE describe attempt
+1680 || ORACLE all_constraints access
+1681 || ORACLE all_views access
+1682 || ORACLE all_source access
+1683 || ORACLE all_tables access
+1684 || ORACLE all_tab_columns access
+1685 || ORACLE all_tab_privs access
+1686 || ORACLE dba_tablespace access
+1687 || ORACLE dba_tables access
+1688 || ORACLE user_tablespace access
+1689 || ORACLE sys.all_users access
+1690 || ORACLE grant attempt
+1691 || ORACLE ALTER USER attempt
+1692 || ORACLE drop table attempt
+1693 || ORACLE create table attempt
+1694 || ORACLE alter table attempt
+1695 || ORACLE truncate table attempt
+1696 || ORACLE create database attempt
+1697 || ORACLE alter database attempt
+1698 || ORACLE execute_system attempt
+1699 || P2P Fastrack kazaa/morpheus traffic || url,www.kazaa.com
+1700 || WEB-CGI imagemap.exe access || nessus,10122 || cve,1999-0951 || bugtraq,739 || arachnids,412
+1701 || WEB-CGI calendar-admin.pl access || bugtraq,1215
+1702 || WEB-CGI Amaya templates sendtemp.pl access || cve,2001-0272 || bugtraq,2504
+1703 || WEB-CGI auktion.cgi directory traversal attempt || nessus,10638 || cve,2001-0212 || bugtraq,2367
+1704 || WEB-CGI cal_make.pl directory traversal attempt || cve,2001-0463 || bugtraq,2663
+1705 || WEB-CGI echo.bat arbitrary command execution attempt || nessus,10246 || cve,2000-0213 || bugtraq,1002
+1706 || WEB-CGI echo.bat access || nessus,10246 || cve,2000-0213 || bugtraq,1002
+1707 || WEB-CGI hello.bat arbitrary command execution attempt || nessus,10246 || cve,2000-0213 || bugtraq,1002
+1708 || WEB-CGI hello.bat access || nessus,10246 || cve,2000-0213 || bugtraq,1002
+1709 || WEB-CGI ad.cgi access
+1710 || WEB-CGI bbs_forum.cgi access
+1711 || WEB-CGI bsguest.cgi access
+1712 || WEB-CGI bslist.cgi access
+1713 || WEB-CGI cgforum.cgi access
+1714 || WEB-CGI newdesk access
+1715 || WEB-CGI register.cgi access
+1716 || WEB-CGI gbook.cgi access || cve,2000-1131 || bugtraq,1940
+1717 || WEB-CGI simplestguest.cgi access
+1718 || WEB-CGI statusconfig.pl access
+1719 || WEB-CGI talkback.cgi directory traversal attempt
+1720 || WEB-CGI talkback.cgi access
+1721 || WEB-CGI adcycle access
+1722 || WEB-CGI MachineInfo access
+1723 || WEB-CGI emumail.cgi NULL attempt || cve,2002-1526 || bugtraq,5824
+1724 || WEB-CGI emumail.cgi access || cve,2002-1526 || bugtraq,5824
+1725 || WEB-IIS +.htr code fragment attempt || cve,2000-0630 || bugtraq,1488
+1726 || WEB-IIS doctodep.btr access
+1727 || WEB-CGI SGI InfoSearch fname access || cve,2000-0207 || bugtraq,1031 || arachnids,290
+1728 || FTP CWD ~<CR><NEWLINE> attempt || cve,2001-0421 || bugtraq,2601
+1729 || CHAT IRC channel join
+1730 || WEB-CGI ustorekeeper.pl directory traversal attempt || nessus,10645 || cve,2001-0466
+1731 || WEB-CGI a1stats access || nessus,10669 || cve,2001-0561 || bugtraq,2705
+1732 || RPC portmap rwalld request UDP
+1733 || RPC portmap rwalld request TCP
+1734 || FTP USER overflow attempt || cve,2002-0126 || cve,2001-0826 || cve,2001-0794 || cve,2000-1194 || cve,2000-1035 || cve,2000-0943 || cve,2000-0656 || cve,2000-0479 || bugtraq,4638 || bugtraq,1690 || bugtraq,1504 || bugtraq,1227
+1735 || WEB-CLIENT XMLHttpRequest attempt
+1736 || WEB-PHP squirrel mail spell-check arbitrary command attempt || bugtraq,3952
+1737 || WEB-PHP squirrel mail theme arbitrary command attempt || cve,2002-0516 || bugtraq,4385
+1738 || WEB-MISC global.inc access || cve,2002-0614 || bugtraq,4612
+1739 || WEB-PHP DNSTools administrator authentication bypass attempt || cve,2002-0613 || bugtraq,4617
+1740 || WEB-PHP DNSTools authentication bypass attempt || cve,2002-0613 || bugtraq,4617
+1741 || WEB-PHP DNSTools access || cve,2002-0613 || bugtraq,4617
+1742 || WEB-PHP Blahz-DNS dostuff.php modify user attempt || cve,2002-0599 || bugtraq,4618
+1743 || WEB-PHP Blahz-DNS dostuff.php access || cve,2002-0599 || bugtraq,4618
+1744 || WEB-MISC SecureSite authentication bypass attempt || bugtraq,4621
+1745 || WEB-PHP Messagerie supp_membre.php access || bugtraq,4635
+1746 || RPC portmap cachefsd request UDP || cve,2002-0084 || cve,2002-0033 || bugtraq,4674
+1747 || RPC portmap cachefsd request TCP || cve,2002-0084 || cve,2002-0033 || bugtraq,4674
+1748 || FTP command overflow attempt || cve,2002-0606 || bugtraq,4638
+1749 || EXPERIMENTAL WEB-IIS .NET trace.axd access
+1750 || WEB-IIS users.xml access
+1751 || EXPLOIT cachefsd buffer overflow attempt || cve,2002-0084 || bugtraq,4631
+1752 || MISC AIM AddExternalApp attempt || url,www.w00w00.org/files/w00aimexp/
+1753 || WEB-IIS as_web.exe access || bugtraq,4670
+1754 || WEB-IIS as_web4.exe access || bugtraq,4670
+1755 || IMAP partial body buffer overflow attempt || cve,2002-0379 || bugtraq,4713
+1756 || WEB-IIS NewsPro administration authentication attempt
+1757 || WEB-MISC b2 arbitrary command execution attempt
+1758 || WEB-MISC b2 access
+1759 || MS-SQL xp_cmdshell program execution 445
+1760 || OTHER-IDS ISS RealSecure 6 event collector connection attempt
+1761 || OTHER-IDS ISS RealSecure 6 daemon connection attempt
+1762 || WEB-CGI phf arbitrary command execution attempt || cve,1999-0067 || bugtraq,629 || arachnids,128
+1763 || WEB-CGI Nortel Contivity cgiproc DOS attempt || nessus,10160 || cve,2000-0064 || cve,2000-0063 || bugtraq,938
+1764 || WEB-CGI Nortel Contivity cgiproc DOS attempt || nessus,10160 || cve,2000-0064 || cve,2000-0063 || bugtraq,938
+1765 || WEB-CGI Nortel Contivity cgiproc access || nessus,10160 || cve,2000-0064 || cve,2000-0063 || bugtraq,938
+1766 || WEB-MISC search.dll directory listing attempt || nessus,10514 || cve,2000-0835 || bugtraq,1684
+1767 || WEB-MISC search.dll access || nessus,10514 || cve,2000-0835 || bugtraq,1684
+1768 || WEB-IIS header field buffer overflow attempt || cve,2002-0150 || bugtraq,4476
+1769 || WEB-MISC .DS_Store access || url,www.macintouch.com/mosxreaderreports46.html
+1770 || WEB-MISC .FBCIndex access || url,www.securiteam.com/securitynews/5LP0O005FS.html
+1771 || POLICY IPSec PGPNet connection attempt
+1772 || WEB-IIS pbserver access || url,www.microsoft.com/technet/security/bulletin/ms00-094.mspx
+1773 || WEB-PHP php.exe access || url,www.securitytracker.com/alerts/2002/Jan/1003104.html
+1774 || WEB-PHP bb_smilies.php access || url,www.securiteam.com/securitynews/Serious_security_hole_in_PHP-Nuke__bb_smilies_.html
+1775 || MYSQL root login attempt
+1776 || MYSQL show databases attempt
+1777 || FTP EXPLOIT STAT * dos attempt || cve,2002-0073 || bugtraq,4482
+1778 || FTP EXPLOIT STAT ? dos attempt || cve,2002-0073 || bugtraq,4482
+1779 || FTP CWD .... attempt || bugtraq,4884
+1780 || IMAP EXPLOIT partial body overflow attempt || cve,2002-0379 || bugtraq,4713
+1781 || PORN dildo
+1782 || PORN nipple clamp
+1783 || PORN oral sex
+1784 || PORN nude celeb
+1785 || PORN voyeur
+1786 || PORN raw sex
+1787 || WEB-CGI csPassword.cgi access || cve,2002-0918 || cve,2002-0917 || bugtraq,4889 || bugtraq,4887 || bugtraq,4886 || bugtraq,4885
+1788 || WEB-CGI csPassword password.cgi.tmp access || cve,2002-0920 || bugtraq,4889
+1789 || CHAT IRC dns request
+1790 || CHAT IRC dns response
+1791 || BACKDOOR fragroute trojan connection attempt || bugtraq,4898
+1792 || NNTP return code buffer overflow attempt || cve,2002-0909 || bugtraq,4900
+1793 || PORN fetish
+1794 || PORN masturbation
+1795 || PORN ejaculation
+1796 || PORN virgin
+1797 || PORN BDSM
+1798 || PORN erotica
+1799 || PORN fisting
+1800 || VIRUS Klez Incoming
+1801 || WEB-IIS .asp HTTP header buffer overflow attempt || cve,2002-0150 || bugtraq,4476
+1802 || WEB-IIS .asa HTTP header buffer overflow attempt || cve,2002-0150 || bugtraq,4476
+1803 || WEB-IIS .cer HTTP header buffer overflow attempt || cve,2002-0150 || bugtraq,4476
+1804 || WEB-IIS .cdx HTTP header buffer overflow attempt || cve,2002-0150 || bugtraq,4476
+1805 || WEB-CGI Oracle reports CGI access || cve,2002-0947 || bugtraq,4848
+1806 || WEB-IIS .htr chunked Transfer-Encoding || cve,2002-0364 || bugtraq,5003 || bugtraq,4855
+1807 || WEB-MISC Chunked-Encoding transfer attempt || cve,2002-0392 || cve,2002-0079 || cve,2002-0071 || bugtraq,5033 || bugtraq,4485 || bugtraq,4474
+1808 || WEB-MISC apache chunked encoding memory corruption exploit attempt || cve,2002-0392 || bugtraq,5033
+1809 || WEB-MISC Apache Chunked-Encoding worm attempt || cve,2002-0392 || cve,2002-0079 || cve,2002-0071 || bugtraq,5033 || bugtraq,4485 || bugtraq,4474
+1810 || ATTACK-RESPONSES successful gobbles ssh exploit GOBBLE || cve,2002-0639 || cve,2002-0390 || bugtraq,5093
+1811 || ATTACK-RESPONSES successful gobbles ssh exploit uname || cve,2002-0639 || cve,2002-0390 || bugtraq,5093
+1812 || EXPLOIT gobbles SSH exploit attempt || cve,2002-0639 || cve,2002-0390 || bugtraq,5093
+1813 || ICMP digital island bandwidth query
+1814 || WEB-MISC CISCO VoIP DOS ATTEMPT || cve,2002-0882 || bugtraq,4798 || bugtraq,4794
+1815 || WEB-PHP directory.php arbitrary command attempt || cve,2002-0434 || bugtraq,4278
+1816 || WEB-PHP directory.php access || cve,2002-0434 || bugtraq,4278
+1817 || WEB-IIS MS Site Server default login attempt || nessus,11018
+1818 || WEB-IIS MS Site Server admin attempt || nessus,11018
+1819 || MISC Alcatel PABX 4400 connection attempt || nessus,11019
+1820 || WEB-MISC IBM Net.Commerce orderdspc.d2w access || nessus,11020 || cve,2001-0319 || bugtraq,2350
+1821 || EXPLOIT LPD dvips remote command execution attempt || nessus,11023 || cve,2001-1002 || bugtraq,3241
+1822 || WEB-CGI alienform.cgi directory traversal attempt || nessus,11027 || cve,2002-0934 || bugtraq,4983
+1823 || WEB-CGI AlienForm af.cgi directory traversal attempt || nessus,11027 || cve,2002-0934 || bugtraq,4983
+1824 || WEB-CGI alienform.cgi access || nessus,11027 || cve,2002-0934 || bugtraq,4983
+1825 || WEB-CGI AlienForm af.cgi access || nessus,11027 || cve,2002-0934 || bugtraq,4983
+1826 || WEB-MISC WEB-INF access || nessus,11037
+1827 || WEB-MISC Tomcat servlet mapping cross site scripting attempt || nessus,11041 || cve,2002-0682 || bugtraq,5193
+1828 || WEB-MISC iPlanet Search directory traversal attempt || nessus,11043 || cve,2002-1042 || bugtraq,5191
+1829 || WEB-MISC Tomcat TroubleShooter servlet access || nessus,11046 || bugtraq,4575
+1830 || WEB-MISC Tomcat SnoopServlet servlet access || nessus,11046 || bugtraq,4575
+1831 || WEB-MISC jigsaw dos attempt || nessus,11047
+1832 || CHAT ICQ forced user addition || cve,2001-1305 || bugtraq,3226
+1833 || PORN naked lesbians
+1834 || WEB-PHP PHP-Wiki cross site scripting attempt || cve,2002-1070 || bugtraq,5254
+1835 || WEB-MISC Macromedia SiteSpring cross site scripting attempt || cve,2002-1027 || bugtraq,5249
+1836 || PORN alt.binaries.pictures.erotica
+1837 || PORN alt.binaries.pictures.tinygirls
+1838 || EXPLOIT SSH server banner overflow || cve,2002-1059 || bugtraq,5287
+1839 || WEB-MISC mailman cross site scripting attempt || cve,2002-0855 || bugtraq,5298
+1840 || WEB-CLIENT Javascript document.domain attempt || bugtraq,5346
+1841 || WEB-CLIENT Javascript URL host spoofing attempt || bugtraq,5293
+1842 || IMAP login buffer overflow attempt || nessus,10125 || cve,1999-0005
+1843 || BACKDOOR trinity connection attempt || nessus,10501 || cve,2000-0138
+1844 || IMAP authenticate overflow attempt || nessus,10292 || cve,1999-0042
+1845 || IMAP list literal overflow attempt || nessus,10374 || cve,2000-0284 || bugtraq,1110
+1846 || POLICY vncviewer Java applet download attempt || nessus,10758
+1847 || WEB-MISC webalizer access || nessus,10816 || cve,2001-0835 || cve,1999-0643 || bugtraq,3473
+1848 || WEB-MISC webcart-lite access || nessus,10298 || cve,1999-0610
+1849 || WEB-MISC webfind.exe access || nessus,10475 || cve,2000-0622 || bugtraq,1487
+1850 || WEB-CGI way-board.cgi access || nessus,10610
+1851 || WEB-MISC active.log access || nessus,10470 || cve,2000-0642 || bugtraq,1497
+1852 || WEB-MISC robots.txt access || nessus,10302
+1853 || BACKDOOR win-trin00 connection attempt || nessus,10307 || cve,2000-0138
+1854 || DDOS Stacheldraht handler->agent niggahbitch || url,staff.washington.edu/dittrich/misc/stacheldraht.analysis
+1855 || DDOS Stacheldraht agent->handler skillz || url,staff.washington.edu/dittrich/misc/stacheldraht.analysis
+1856 || DDOS Stacheldraht handler->agent ficken || url,staff.washington.edu/dittrich/misc/stacheldraht.analysis
+1857 || WEB-MISC robot.txt access || nessus,10302
+1858 || WEB-MISC CISCO PIX Firewall Manager directory traversal attempt || nessus,10819 || cve,1999-0158 || bugtraq,691
+1859 || WEB-MISC Sun JavaServer default password login attempt || nessus,10995 || cve,1999-0508
+1860 || WEB-MISC Linksys router default password login attempt || nessus,10999
+1861 || WEB-MISC Linksys router default username and password login attempt || nessus,10999
+1862 || WEB-CGI mrtg.cgi directory traversal attempt || nessus,11001 || cve,2002-0232 || bugtraq,4017
+1864 || FTP SITE NEWER attempt || nessus,10319 || cve,1999-0880
+1865 || WEB-CGI webdist.cgi arbitrary command attempt || nessus,10299 || cve,1999-0039 || bugtraq,374
+1866 || POP3 USER overflow attempt || nessus,10311 || cve,1999-0494 || bugtraq,789
+1867 || MISC xdmcp info query || nessus,10891
+1868 || WEB-CGI story.pl arbitrary file read attempt || nessus,10817 || cve,2001-0804 || bugtraq,3028
+1869 || WEB-CGI story.pl access || nessus,10817 || cve,2001-0804 || bugtraq,3028
+1870 || WEB-CGI siteUserMod.cgi access || nessus,10253 || cve,2000-0117 || bugtraq,951
+1871 || WEB-MISC Oracle XSQLConfig.xml access || nessus,10855 || cve,2002-0568 || bugtraq,4290
+1872 || WEB-MISC Oracle Dynamic Monitoring Services dms access || nessus,10848
+1873 || WEB-MISC globals.jsa access || nessus,10850 || cve,2002-0562 || bugtraq,4034
+1874 || WEB-MISC Oracle Java Process Manager access || nessus,10851
+1875 || WEB-CGI cgicso access || nessus,10780 || nessus,10779 || bugtraq,6141
+1876 || WEB-CGI nph-publish.cgi access || nessus,10164 || cve,1999-1177
+1877 || WEB-CGI printenv access || nessus,10503 || cve,2000-0868 || bugtraq,1658
+1878 || WEB-CGI sdbsearch.cgi access || nessus,10503 || cve,2000-0868 || bugtraq,1658
+1879 || WEB-CGI book.cgi arbitrary command execution attempt || nessus,10721 || cve,2001-1114 || bugtraq,3178
+1880 || WEB-MISC oracle web application server access || nessus,10348 || cve,2000-0169 || bugtraq,1053
+1881 || WEB-MISC bad HTTP/1.1 request, Potentially worm attack || url,securityresponse.symantec.com/avcenter/security/Content/2002.09.13.html
+1882 || ATTACK-RESPONSES id check returned userid
+1883 || ATTACK-RESPONSES id check returned nobody
+1884 || ATTACK-RESPONSES id check returned web
+1885 || ATTACK-RESPONSES id check returned http
+1886 || ATTACK-RESPONSES id check returned apache
+1887 || MISC OpenSSL Worm traffic || url,www.cert.org/advisories/CA-2002-27.html
+1888 || FTP SITE CPWD overflow attempt || cve,2002-0826 || bugtraq,5427
+1889 || MISC slapper worm admin traffic || url,www.cert.org/advisories/CA-2002-27.html || url,isc.incidents.org/analysis.html?id=167
+1890 || RPC status GHBN format string attack || cve,2000-0666 || bugtraq,1480
+1891 || RPC status GHBN format string attack || cve,2000-0666 || bugtraq,1480
+1892 || SNMP null community string attempt || cve,1999-0517 || bugtraq,8974 || bugtraq,2112
+1893 || SNMP missing community string attempt || cve,1999-0517 || bugtraq,2112
+1894 || EXPLOIT kadmind buffer overflow attempt || url,www.kb.cert.org/vuls/id/875073 || cve,2002-1235 || cve,2002-1226 || bugtraq,6024 || bugtraq,5731
+1895 || EXPLOIT kadmind buffer overflow attempt || url,www.kb.cert.org/vuls/id/875073 || cve,2002-1235 || cve,2002-1226 || bugtraq,6024 || bugtraq,5731
+1896 || EXPLOIT kadmind buffer overflow attempt || url,www.kb.cert.org/vuls/id/875073 || cve,2002-1235 || cve,2002-1226 || bugtraq,6024 || bugtraq,5731
+1897 || EXPLOIT kadmind buffer overflow attempt || url,www.kb.cert.org/vuls/id/875073 || cve,2002-1235 || cve,2002-1226 || bugtraq,6024 || bugtraq,5731
+1898 || EXPLOIT kadmind buffer overflow attempt || url,www.kb.cert.org/vuls/id/875073 || cve,2002-1235 || cve,2002-1226 || bugtraq,6024 || bugtraq,5731
+1899 || EXPLOIT kadmind buffer overflow attempt || url,www.kb.cert.org/vuls/id/875073 || cve,2002-1235 || cve,2002-1226 || bugtraq,6024 || bugtraq,5731
+1900 || ATTACK-RESPONSES successful kadmind buffer overflow attempt || url,www.kb.cert.org/vuls/id/875073 || cve,2002-1235 || cve,2002-1226 || bugtraq,6024 || bugtraq,5731
+1901 || ATTACK-RESPONSES successful kadmind buffer overflow attempt || url,www.kb.cert.org/vuls/id/875073 || cve,2002-1235 || cve,2002-1226 || bugtraq,6024 || bugtraq,5731
+1902 || IMAP lsub literal overflow attempt || nessus,10374 || cve,2000-0284 || bugtraq,1110
+1903 || IMAP rename overflow attempt || nessus,10374 || cve,2000-0284 || bugtraq,1110
+1904 || IMAP find overflow attempt || nessus,10374 || cve,2000-0284 || bugtraq,1110
+1905 || RPC AMD UDP amqproc_mount plog overflow attempt || cve,1999-0704 || bugtraq,614
+1906 || RPC AMD TCP amqproc_mount plog overflow attempt || cve,1999-0704 || bugtraq,614
+1907 || RPC CMSD UDP CMSD_CREATE buffer overflow attempt || cve,1999-0696 || bugtraq,524
+1908 || RPC CMSD TCP CMSD_CREATE buffer overflow attempt || cve,1999-0696 || bugtraq,524
+1909 || RPC CMSD TCP CMSD_INSERT buffer overflow attempt || url,www.cert.org/advisories/CA-99-08-cmsd.html || cve,1999-0696
+1910 || RPC CMSD udp CMSD_INSERT buffer overflow attempt || url,www.cert.org/advisories/CA-99-08-cmsd.html || cve,1999-0696
+1911 || RPC sadmind UDP NETMGT_PROC_SERVICE CLIENT_DOMAIN overflow attempt || cve,1999-0977 || bugtraq,866 || bugtraq,0866
+1912 || RPC sadmind TCP NETMGT_PROC_SERVICE CLIENT_DOMAIN overflow attempt || cve,1999-0977 || bugtraq,866 || bugtraq,0866
+1913 || RPC STATD UDP stat mon_name format string exploit attempt || cve,2000-0666 || bugtraq,1480
+1914 || RPC STATD TCP stat mon_name format string exploit attempt || cve,2000-0666 || bugtraq,1480
+1915 || RPC STATD UDP monitor mon_name format string exploit attempt || cve,2000-0666 || bugtraq,1480
+1916 || RPC STATD TCP monitor mon_name format string exploit attempt || cve,2000-0666 || bugtraq,1480
+1917 || SCAN UPnP service discover attempt
+1918 || SCAN SolarWinds IP scan attempt
+1919 || FTP CWD overflow attempt || cve,2002-0126 || cve,2000-1194 || cve,2000-1035 || bugtraq,7950 || bugtraq,1690 || bugtraq,1227
+1920 || FTP SITE NEWER overflow attempt || cve,1999-0800 || bugtraq,229
+1921 || FTP SITE ZIPCHK overflow attempt || cve,2000-0040
+1922 || RPC portmap proxy attempt TCP
+1923 || RPC portmap proxy attempt UDP
+1924 || RPC mountd UDP export request || arachnids,26
+1925 || RPC mountd TCP exportall request || arachnids,26
+1926 || RPC mountd UDP exportall request || arachnids,26
+1927 || FTP authorized_keys
+1928 || FTP shadow retrieval attempt
+1929 || BACKDOOR TCPDUMP/PCAP trojan traffic || url,hlug.fscker.com
+1930 || IMAP auth literal overflow attempt || cve,1999-0005
+1931 || WEB-CGI rpc-nlog.pl access || cve,1999-1278
+1932 || WEB-CGI rpc-smb.pl access || cve,1999-1278
+1933 || WEB-CGI cart.cgi access
+1934 || POP2 FOLD overflow attempt || cve,1999-0920 || bugtraq,283
+1935 || POP2 FOLD arbitrary file attempt
+1936 || POP3 AUTH overflow attempt
+1937 || POP3 LIST overflow attempt || cve,2000-0096 || bugtraq,948
+1938 || POP3 XTND overflow attempt
+1939 || MISC bootp hardware address length overflow || cve,1999-0798
+1940 || MISC bootp invalid hardware type || cve,1999-0798
+1941 || TFTP GET filename overflow attempt || cve,2002-0813 || bugtraq,5328
+1942 || FTP RMDIR overflow attempt
+1943 || WEB-MISC /Carello/add.exe access || cve,2000-0396 || bugtraq,1245
+1944 || WEB-MISC /ecscripts/ecware.exe access
+1945 || WEB-IIS unicode directory traversal attempt || cve,2000-0884 || bugtraq,1806
+1946 || WEB-MISC answerbook2 admin attempt
+1947 || WEB-MISC answerbook2 arbitrary command execution attempt
+1948 || DNS zone transfer UDP || cve,1999-0532 || arachnids,212
+1949 || RPC portmap SET attempt TCP 111
+1950 || RPC portmap SET attempt UDP 111
+1951 || RPC mountd TCP mount request
+1952 || RPC mountd UDP mount request
+1953 || RPC AMD TCP pid request
+1954 || RPC AMD UDP pid request
+1955 || RPC AMD TCP version request
+1956 || RPC AMD UDP version request
+1957 || RPC sadmind UDP PING || bugtraq,866
+1958 || RPC sadmind TCP PING || bugtraq,866
+1959 || RPC portmap NFS request UDP
+1960 || RPC portmap NFS request TCP
+1961 || RPC portmap RQUOTA request UDP
+1962 || RPC portmap RQUOTA request TCP
+1963 || RPC RQUOTA getquota overflow attempt UDP || cve,1999-0974 || bugtraq,864
+1964 || RPC tooltalk UDP overflow attempt || cve,1999-0003 || bugtraq,122
+1965 || RPC tooltalk TCP overflow attempt || cve,1999-0003 || bugtraq,122
+1966 || MISC GlobalSunTech Access Point Information Disclosure attempt || bugtraq,6100
+1967 || WEB-PHP phpbb quick-reply.php arbitrary command attempt || bugtraq,6173
+1968 || WEB-PHP phpbb quick-reply.php access || bugtraq,6173
+1969 || WEB-MISC ion-p access || cve,2002-1559 || bugtraq,6091
+1970 || WEB-IIS MDAC Content-Type overflow attempt || url,www.foundstone.com/knowledge/randd-advisories-display.html?id=337 || cve,2002-1142 || bugtraq,6214
+1971 || FTP SITE EXEC format string attempt
+1972 || FTP PASS overflow attempt || cve,2002-0126 || cve,2000-1035 || bugtraq,9285 || bugtraq,8601 || bugtraq,3884 || bugtraq,1690
+1973 || FTP MKD overflow attempt || cve,1999-0911 || bugtraq,9872 || bugtraq,612
+1974 || FTP REST overflow attempt || cve,2001-0826 || bugtraq,2972
+1975 || FTP DELE overflow attempt || cve,2001-0826 || bugtraq,2972
+1976 || FTP RMD overflow attempt || cve,2001-0826 || bugtraq,2972
+1977 || WEB-MISC xp_regwrite attempt
+1978 || WEB-MISC xp_regdeletekey attempt
+1979 || WEB-MISC perl post attempt || nessus,11158 || cve,2002-1436 || bugtraq,5520
+1980 || BACKDOOR DeepThroat 3.1 Connection attempt
+1981 || BACKDOOR DeepThroat 3.1 Connection attempt [3150]
+1982 || BACKDOOR DeepThroat 3.1 Server Response [3150] || arachnids,106
+1983 || BACKDOOR DeepThroat 3.1 Connection attempt [4120]
+1984 || BACKDOOR DeepThroat 3.1 Server Response [4120] || arachnids,106
+1985 || BACKDOOR Doly 1.5 server response
+1986 || CHAT MSN file transfer request
+1987 || MISC xfs overflow attempt || nessus,11188 || cve,2002-1317 || bugtraq,6241
+1988 || CHAT MSN file transfer accept
+1989 || CHAT MSN file transfer reject
+1990 || CHAT MSN user search
+1991 || CHAT MSN login attempt
+1992 || FTP LIST directory traversal attempt || nessus,11112 || cve,2001-0680 || bugtraq,2618
+1993 || IMAP login literal buffer overflow attempt || bugtraq,6298
+1994 || WEB-CGI vpasswd.cgi access || nessus,11165 || bugtraq,6038
+1995 || WEB-CGI alya.cgi access || nessus,11118
+1996 || WEB-CGI viralator.cgi access || nessus,11107 || cve,2001-0849
+1997 || WEB-PHP read_body.php access attempt || cve,2002-1341 || bugtraq,6302
+1998 || WEB-PHP calendar.php access || nessus,11179 || bugtraq,9353 || bugtraq,5820
+1999 || WEB-PHP edit_image.php access || nessus,11104 || cve,2001-1020 || bugtraq,3288
+2000 || WEB-PHP readmsg.php access || nessus,11073
+2001 || WEB-CGI smartsearch.cgi access
+2002 || WEB-PHP remote include path
+2003 || MS-SQL Worm propagation attempt || url,vil.nai.com/vil/content/v_99992.htm || cve,2002-0649 || bugtraq,5311 || bugtraq,5310
+2004 || MS-SQL Worm propagation attempt OUTBOUND || url,vil.nai.com/vil/content/v_99992.htm || cve,2002-0649 || bugtraq,5311 || bugtraq,5310
+2005 || RPC portmap kcms_server request UDP || url,www.kb.cert.org/vuls/id/850785 || cve,2003-0027 || bugtraq,6665
+2006 || RPC portmap kcms_server request TCP || url,www.kb.cert.org/vuls/id/850785 || cve,2003-0027 || bugtraq,6665
+2007 || RPC kcms_server directory traversal attempt || url,www.kb.cert.org/vuls/id/850785 || cve,2003-0027 || bugtraq,6665
+2008 || MISC CVS invalid user authentication response
+2009 || MISC CVS invalid repository response
+2010 || MISC CVS double free exploit attempt response || cve,2003-0015 || bugtraq,6650
+2011 || MISC CVS invalid directory response || cve,2003-0015 || bugtraq,6650
+2012 || MISC CVS missing cvsroot response
+2013 || MISC CVS invalid module response
+2014 || RPC portmap UNSET attempt TCP 111 || bugtraq,1892
+2015 || RPC portmap UNSET attempt UDP 111 || bugtraq,1892
+2016 || RPC portmap status request TCP || arachnids,15
+2017 || RPC portmap espd request UDP || cve,2001-0331 || bugtraq,2714
+2018 || RPC mountd TCP dump request
+2019 || RPC mountd UDP dump request
+2020 || RPC mountd TCP unmount request
+2021 || RPC mountd UDP unmount request
+2022 || RPC mountd TCP unmountall request
+2023 || RPC mountd UDP unmountall request
+2024 || RPC RQUOTA getquota overflow attempt TCP || cve,1999-0974 || bugtraq,864
+2025 || RPC yppasswd username overflow attempt UDP || cve,2001-0779 || bugtraq,2763
+2026 || RPC yppasswd username overflow attempt TCP || cve,2001-0779 || bugtraq,2763
+2027 || RPC yppasswd old password overflow attempt UDP
+2028 || RPC yppasswd old password overflow attempt TCP
+2029 || RPC yppasswd new password overflow attempt UDP
+2030 || RPC yppasswd new password overflow attempt TCP
+2031 || RPC yppasswd user update UDP
+2032 || RPC yppasswd user update TCP
+2033 || RPC ypserv maplist request UDP || cve,2002-1232 || bugtraq,6016 || bugtraq,5914
+2034 || RPC ypserv maplist request TCP || bugtraq,6016 || bugtraq,5914 || Cve,CAN-2002-1232
+2035 || RPC portmap network-status-monitor request UDP
+2036 || RPC portmap network-status-monitor request TCP
+2037 || RPC network-status-monitor mon-callback request UDP
+2038 || RPC network-status-monitor mon-callback request TCP
+2039 || MISC bootp hostname format string attempt || cve,2002-0702 || bugtraq,4701
+2040 || POLICY xtacacs login attempt
+2041 || MISC xtacacs failed login response
+2042 || POLICY xtacacs accepted login response
+2043 || MISC isakmp login failed
+2044 || POLICY PPTP Start Control Request attempt
+2045 || RPC snmpXdmi overflow attempt UDP || url,www.cert.org/advisories/CA-2001-05.html || cve,2001-0236 || bugtraq,2417
+2046 || IMAP partial body.peek buffer overflow attempt || cve,2002-0379 || bugtraq,4713
+2047 || MISC rsyncd module list access
+2048 || MISC rsyncd overflow attempt
+2049 || MS-SQL ping attempt || nessus,10674
+2050 || MS-SQL version overflow attempt || nessus,10674 || cve,2002-0649 || bugtraq,5310
+2051 || WEB-CGI cached_feed.cgi moreover shopping cart access || cve,2000-0906 || bugtraq,1762
+2052 || WEB-CGI overflow.cgi access || url,www.cert.org/advisories/CA-2002-35.html || nessus,11190
+2053 || WEB-CGI process_bug.cgi access || cve,2002-0008
+2054 || WEB-CGI enter_bug.cgi arbitrary command attempt || cve,2002-0008
+2055 || WEB-CGI enter_bug.cgi access || cve,2002-0008
+2056 || WEB-MISC TRACE attempt || url,www.whitehatsec.com/press_releases/WH-PR-20030120.pdf || nessus,11213 || bugtraq,9561
+2057 || WEB-MISC helpout.exe access || nessus,11162 || cve,2002-1169 || bugtraq,6002
+2058 || WEB-MISC MsmMask.exe attempt || nessus,11163
+2059 || WEB-MISC MsmMask.exe access || nessus,11163
+2060 || WEB-MISC DB4Web access || nessus,11180
+2061 || WEB-MISC Tomcat null byte directory listing attempt || cve,2003-0042 || bugtraq,6721 || bugtraq,2518
+2062 || WEB-MISC iPlanet .perf access
+2063 || WEB-MISC Demarc SQL injection attempt
+2064 || WEB-MISC Lotus Notes .csp script source download attempt
+2065 || WEB-MISC Lotus Notes .csp script source download attempt
+2066 || WEB-MISC Lotus Notes .pl script source download attempt
+2067 || WEB-MISC Lotus Notes .exe script source download attempt
+2068 || WEB-MISC BitKeeper arbitrary command attempt || bugtraq,6588
+2069 || WEB-MISC chip.ini access || cve,2001-0771 || cve,2001-0749 || bugtraq,2775 || bugtraq,2755
+2070 || WEB-MISC post32.exe arbitrary command attempt || bugtraq,1485
+2071 || WEB-MISC post32.exe access || bugtraq,1485
+2072 || WEB-MISC lyris.pl access || cve,2000-0758 || bugtraq,1584
+2073 || WEB-MISC globals.pl access || cve,2001-0330 || bugtraq,2671
+2074 || WEB-PHP Mambo uploadimage.php upload php file attempt || bugtraq,6572
+2075 || WEB-PHP Mambo upload.php upload php file attempt || bugtraq,6572
+2076 || WEB-PHP Mambo uploadimage.php access || bugtraq,6572
+2077 || WEB-PHP Mambo upload.php access || bugtraq,6572
+2078 || WEB-PHP phpBB privmsg.php access || bugtraq,6634
+2079 || RPC portmap nlockmgr request UDP || cve,2000-0508 || bugtraq,1372
+2080 || RPC portmap nlockmgr request TCP || cve,2000-0508 || bugtraq,1372
+2081 || RPC portmap rpc.xfsmd request UDP || cve,2002-0359 || bugtraq,5075 || bugtraq,5072
+2082 || RPC portmap rpc.xfsmd request TCP || cve,2002-0359 || bugtraq,5075 || bugtraq,5072
+2083 || RPC rpc.xfsmd xfs_export attempt UDP || cve,2002-0359 || bugtraq,5075 || bugtraq,5072
+2084 || RPC rpc.xfsmd xfs_export attempt TCP || cve,2002-0359 || bugtraq,5075 || bugtraq,5072
+2085 || WEB-CGI parse_xml.cgi access || cve,2003-0054 || bugtraq,6960
+2086 || WEB-CGI streaming server parse_xml.cgi access || cve,2003-0054 || bugtraq,6960
+2087 || SMTP From comment overflow attempt || url,www.kb.cert.org/vuls/id/398025 || cve,2002-1337
+2088 || RPC ypupdated arbitrary command attempt UDP
+2089 || RPC ypupdated arbitrary command attempt TCP
+2090 || WEB-IIS WEBDAV exploit attempt || url,www.microsoft.com/technet/security/bulletin/ms03-007.mspx || cve,2003-0109 || bugtraq,7716 || bugtraq,7116
+2091 || WEB-IIS WEBDAV nessus safe scan attempt || url,www.microsoft.com/technet/security/bulletin/ms03-007.mspx || nessus,11413 || nessus,11412 || cve,2003-0109 || bugtraq,7116
+2092 || RPC portmap proxy integer overflow attempt UDP || cve,2003-0028 || bugtraq,7123
+2093 || RPC portmap proxy integer overflow attempt TCP || cve,2003-0028 || bugtraq,7123
+2094 || RPC CMSD UDP CMSD_CREATE array buffer overflow attempt || cve,2002-0391 || bugtraq,5356
+2095 || RPC CMSD TCP CMSD_CREATE array buffer overflow attempt || cve,2002-0391 || bugtraq,5356
+2100 || BACKDOOR SubSeven 2.1 Gold server connection response
+2101 || NETBIOS SMB SMB_COM_TRANSACTION Max Parameter and Max Count of 0 DOS Attempt || url,www.microsoft.com/technet/security/bulletin/MS02-045.mspx || url,www.corest.com/common/showdoc.php?idx=262 || cve,2002-0724 || bugtraq,5556
+2102 || NETBIOS SMB SMB_COM_TRANSACTION Max Data Count of 0 DOS Attempt || url,www.microsoft.com/technet/security/bulletin/MS02-045.mspx || url,www.corest.com/common/showdoc.php?idx=262 || cve,2002-0724 || bugtraq,5556
+2103 || NETBIOS SMB trans2open buffer overflow attempt || url,www.digitaldefense.net/labs/advisories/DDI-1013.txt || cve,2003-0201 || bugtraq,7294
+2104 || ATTACK-RESPONSES rexec username too long response
+2105 || IMAP authenticate literal overflow attempt || nessus,10292 || cve,1999-0042
+2106 || IMAP lsub overflow attempt || nessus,10374 || cve,2000-0284 || bugtraq,1110
+2107 || IMAP create buffer overflow attempt || bugtraq,7446
+2108 || POP3 CAPA overflow attempt
+2109 || POP3 TOP overflow attempt
+2110 || POP3 STAT overflow attempt
+2111 || POP3 DELE overflow attempt
+2112 || POP3 RSET overflow attempt
+2113 || RSERVICES rexec username overflow attempt
+2114 || RSERVICES rexec password overflow attempt
+2115 || WEB-CGI album.pl access || bugtraq,7444
+2116 || WEB-CGI chipcfg.cgi access || cve,2001-1341 || bugtraq,2767
+2117 || WEB-IIS Battleaxe Forum login.asp access || cve,2003-0215 || bugtraq,7416
+2118 || IMAP list overflow attempt || nessus,10374 || cve,2000-0284 || bugtraq,1110
+2119 || IMAP rename literal overflow attempt || nessus,10374 || cve,2000-0284 || bugtraq,1110
+2120 || IMAP create literal buffer overflow attempt || bugtraq,7446
+2121 || POP3 DELE negative arguement attempt || cve,2002-1539 || bugtraq,7445 || bugtraq,6053
+2122 || POP3 UIDL negative arguement attempt || cve,2002-1539 || bugtraq,6053
+2123 || ATTACK-RESPONSES Microsoft cmd.exe banner || nessus,11633
+2124 || BACKDOOR Remote PC Access connection attempt || nessus,11673
+2125 || FTP CWD Root directory transversal attempt || nessus,11677 || cve,2003-0392 || bugtraq,7674
+2126 || MISC Microsoft PPTP Start Control Request buffer overflow attempt || cve,2002-1214 || bugtraq,5807
+2127 || WEB-CGI ikonboard.cgi access || nessus,11605 || bugtraq,7361
+2128 || WEB-CGI swsrv.cgi access || nessus,11608 || cve,2003-0217 || bugtraq,7510
+2129 || WEB-IIS nsiislog.dll access || url,www.microsoft.com/technet/security/bulletin/ms03-018.mspx || nessus,11664 || cve,2003-0349 || bugtraq,8035
+2130 || WEB-IIS IISProtect siteadmin.asp access || nessus,11662 || cve,2003-0377 || bugtraq,7675
+2131 || WEB-IIS IISProtect access || nessus,11661
+2132 || WEB-IIS Synchrologic Email Accelerator userid list access attempt || nessus,11657
+2133 || WEB-IIS MS BizTalk server access || nessus,11638 || cve,2003-0118 || cve,2003-0117 || bugtraq,7470 || bugtraq,7469
+2134 || WEB-IIS register.asp access || nessus,11621
+2135 || WEB-MISC philboard.mdb access || nessus,11682
+2136 || WEB-MISC philboard_admin.asp authentication bypass attempt || nessus,11675 || bugtraq,7739
+2137 || WEB-MISC philboard_admin.asp access || nessus,11675 || bugtraq,7739
+2138 || WEB-MISC logicworks.ini access || nessus,11639 || bugtraq,6996
+2139 || WEB-MISC /*.shtml access || nessus,11604 || cve,2000-0683 || bugtraq,1517
+2140 || WEB-PHP p-news.php access || nessus,11669
+2141 || WEB-PHP shoutbox.php directory traversal attempt || nessus,11668
+2142 || WEB-PHP shoutbox.php access || nessus,11668
+2143 || WEB-PHP b2 cafelog gm-2-b2.php remote file include attempt || nessus,11667
+2144 || WEB-PHP b2 cafelog gm-2-b2.php access || nessus,11667
+2145 || WEB-PHP TextPortal admin.php default password admin attempt || nessus,11660 || bugtraq,7673
+2146 || WEB-PHP TextPortal admin.php default password 12345 attempt || nessus,11660 || bugtraq,7673
+2147 || WEB-PHP BLNews objects.inc.php4 remote file include attempt || nessus,11647 || cve,2003-0394 || bugtraq,7677
+2148 || WEB-PHP BLNews objects.inc.php4 access || nessus,11647 || cve,2003-0394 || bugtraq,7677
+2149 || WEB-PHP Turba status.php access || nessus,11646
+2150 || WEB-PHP ttCMS header.php remote file include attempt || nessus,11636 || bugtraq,7625 || bugtraq,7543 || bugtraq,7542
+2151 || WEB-PHP ttCMS header.php access || nessus,11636 || bugtraq,7625 || bugtraq,7543 || bugtraq,7542
+2152 || WEB-PHP test.php access || nessus,11617
+2153 || WEB-PHP autohtml.php directory traversal attempt || nessus,11630
+2154 || WEB-PHP autohtml.php access || nessus,11630
+2155 || WEB-PHP ttforum remote file include attempt || nessus,11615 || bugtraq,7543 || bugtraq,7542
+2156 || WEB-MISC mod_gzip_status access || nessus,11685
+2157 || WEB-IIS IISProtect globaladmin.asp access || nessus,11661
+2158 || MISC BGP invalid length || url,sf.net/tracker/index.php?func=detail&aid=744523&group_id=53066&atid=469575
+2159 || MISC BGP invalid type 0
+2160 || VIRUS OUTBOUND .exe file attachment
+2161 || VIRUS OUTBOUND .doc file attachment
+2162 || VIRUS OUTBOUND .hta file attachment
+2163 || VIRUS OUTBOUND .chm file attachment
+2164 || VIRUS OUTBOUND .reg file attachment
+2165 || VIRUS OUTBOUND .ini file attachment
+2166 || VIRUS OUTBOUND .bat file attachment
+2167 || VIRUS OUTBOUND .diz file attachment
+2168 || VIRUS OUTBOUND .cpp file attachment
+2169 || VIRUS OUTBOUND .dll file attachment
+2170 || VIRUS OUTBOUND .vxd file attachment
+2171 || VIRUS OUTBOUND .sys file attachment
+2172 || VIRUS OUTBOUND .com file attachment
+2173 || VIRUS OUTBOUND .hsq file attachment
+2174 || NETBIOS SMB winreg access
+2175 || NETBIOS SMB winreg unicode access
+2176 || NETBIOS SMB startup folder access
+2177 || NETBIOS SMB startup folder unicode access
+2178 || FTP USER format string attempt || cve,2004-0277 || bugtraq,9800 || bugtraq,9600 || bugtraq,9402 || bugtraq,9262 || bugtraq,7776 || bugtraq,7474
+2179 || FTP PASS format string attempt || bugtraq,9800 || bugtraq,9262 || bugtraq,7474
+2180 || P2P BitTorrent announce request
+2181 || P2P BitTorrent transfer
+2182 || BACKDOOR typot trojan traffic
+2183 || SMTP Content-Transfer-Encoding overflow attempt || url,www.cert.org/advisories/CA-2003-12.html || cve,2003-0161
+2184 || RPC mountd TCP mount path overflow attempt || nessus,11800 || cve,2003-0252 || bugtraq,8179
+2185 || RPC mountd UDP mount path overflow attempt || nessus,11800 || cve,2003-0252 || bugtraq,8179
+2186 || BAD-TRAFFIC IP Proto 53 SWIPE || cve,2003-0567 || bugtraq,8211
+2187 || BAD-TRAFFIC IP Proto 55 IP Mobility || cve,2003-0567 || bugtraq,8211
+2188 || BAD-TRAFFIC IP Proto 77 Sun ND || cve,2003-0567 || bugtraq,8211
+2189 || BAD-TRAFFIC IP Proto 103 PIM || cve,2003-0567 || bugtraq,8211
+2190 || NETBIOS DCERPC invalid bind attempt
+2191 || NETBIOS SMB DCERPC invalid bind attempt
+2192 || NETBIOS DCERPC ISystemActivator bind attempt || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx || cve,2003-0352 || bugtraq,8205
+2193 || NETBIOS SMB-DS DCERPC ISystemActivator bind attempt || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx || cve,2003-0352 || bugtraq,8205
+2194 || WEB-CGI CSMailto.cgi access || nessus,11748 || cve,2002-0749 || bugtraq,6265 || bugtraq,4579
+2195 || WEB-CGI alert.cgi access || nessus,11748 || cve,2002-0346 || bugtraq,4579 || bugtraq,4211
+2196 || WEB-CGI catgy.cgi access || nessus,11748 || cve,2001-1212 || bugtraq,4579 || bugtraq,3714
+2197 || WEB-CGI cvsview2.cgi access || nessus,11748 || cve,2003-0153 || bugtraq,5517 || bugtraq,4579
+2198 || WEB-CGI cvslog.cgi access || nessus,11748 || cve,2003-0153 || bugtraq,5517 || bugtraq,4579
+2199 || WEB-CGI multidiff.cgi access || nessus,11748 || cve,2003-0153 || bugtraq,5517 || bugtraq,4579
+2200 || WEB-CGI dnewsweb.cgi access || nessus,11748 || cve,2000-0423 || bugtraq,4579 || bugtraq,1172
+2201 || WEB-CGI download.cgi access || nessus,11748 || cve,1999-1377 || bugtraq,4579
+2202 || WEB-CGI edit_action.cgi access || nessus,11748 || cve,2001-1196 || bugtraq,4579 || bugtraq,3698
+2203 || WEB-CGI everythingform.cgi access || nessus,11748 || cve,2001-0023 || bugtraq,4579 || bugtraq,2101
+2204 || WEB-CGI ezadmin.cgi access || nessus,11748 || cve,2002-0263 || bugtraq,4579 || bugtraq,4068
+2205 || WEB-CGI ezboard.cgi access || nessus,11748 || cve,2002-0263 || bugtraq,4579 || bugtraq,4068
+2206 || WEB-CGI ezman.cgi access || nessus,11748 || cve,2002-0263 || bugtraq,4579 || bugtraq,4068
+2207 || WEB-CGI fileseek.cgi access || nessus,11748 || cve,2002-0611 || bugtraq,6784 || bugtraq,4579
+2208 || WEB-CGI fom.cgi access || nessus,11748 || cve,2002-0230 || bugtraq,4579
+2209 || WEB-CGI getdoc.cgi access || nessus,11748 || cve,2000-0288 || bugtraq,4579
+2210 || WEB-CGI global.cgi access || nessus,11748 || cve,2000-0952 || bugtraq,4579
+2211 || WEB-CGI guestserver.cgi access || nessus,11748 || cve,2001-0180 || bugtraq,4579
+2212 || WEB-CGI imageFolio.cgi access || nessus,11748 || cve,2002-1334 || bugtraq,6265 || bugtraq,4579
+2213 || WEB-CGI mailfile.cgi access || nessus,11748 || cve,2000-0977 || bugtraq,4579 || bugtraq,1807
+2214 || WEB-CGI mailview.cgi access || nessus,11748 || cve,2000-0526 || bugtraq,4579 || bugtraq,1335
+2215 || WEB-CGI nsManager.cgi access || nessus,11748 || cve,2000-1023 || bugtraq,4579 || bugtraq,1710
+2216 || WEB-CGI readmail.cgi access || nessus,11748 || cve,2001-1283 || bugtraq,4579 || bugtraq,3427
+2217 || WEB-CGI printmail.cgi access || nessus,11748 || cve,2001-1283 || bugtraq,4579 || bugtraq,3427
+2218 || WEB-CGI service.cgi access || nessus,11748 || cve,2002-0346 || bugtraq,4579 || bugtraq,4211
+2219 || WEB-CGI setpasswd.cgi access || nessus,11748 || cve,2001-0133 || bugtraq,4579 || bugtraq,2212
+2220 || WEB-CGI simplestmail.cgi access || nessus,11748 || cve,2001-0022 || bugtraq,4579 || bugtraq,2106
+2221 || WEB-CGI ws_mail.cgi access || nessus,11748 || cve,2001-1343 || bugtraq,4579 || bugtraq,2861
+2222 || WEB-CGI nph-exploitscanget.cgi access || nessus,11740 || cve,2003-0434 || bugtraq,7912 || bugtraq,7911 || bugtraq,7910
+2223 || WEB-CGI csNews.cgi access || nessus,11726 || cve,2002-0923 || bugtraq,4994
+2224 || WEB-CGI psunami.cgi access || nessus,11750 || bugtraq,6607
+2225 || WEB-CGI gozila.cgi access || nessus,11773
+2226 || WEB-PHP pmachine remote file include attempt || nessus,11739 || bugtraq,7919
+2227 || WEB-PHP forum_details.php access || nessus,11760 || bugtraq,7933
+2228 || WEB-PHP phpMyAdmin db_details_importdocsql.php access || nessus,11761 || bugtraq,7965 || bugtraq,7962
+2229 || WEB-PHP viewtopic.php access || nessus,11767 || cve,2003-0486 || bugtraq,7979
+2230 || WEB-MISC NetGear router default password login attempt admin/password || nessus,11737
+2231 || WEB-MISC register.dll access || nessus,11747 || cve,2001-0958 || bugtraq,3327
+2232 || WEB-MISC ContentFilter.dll access || nessus,11747 || cve,2001-0958 || bugtraq,3327
+2233 || WEB-MISC SFNofitication.dll access || nessus,11747 || cve,2001-0958 || bugtraq,3327
+2234 || WEB-MISC TOP10.dll access || nessus,11747 || cve,2001-0958 || bugtraq,3327
+2235 || WEB-MISC SpamExcp.dll access || nessus,11747 || cve,2001-0958 || bugtraq,3327
+2236 || WEB-MISC spamrule.dll access || nessus,11747 || cve,2001-0958 || bugtraq,3327
+2237 || WEB-MISC cgiWebupdate.exe access || nessus,11722 || cve,2001-1150 || bugtraq,3216
+2238 || WEB-MISC WebLogic ConsoleHelp view source attempt || nessus,11724 || cve,2000-0682 || bugtraq,1518
+2239 || WEB-MISC redirect.exe access || cve,2000-0401 || bugtraq,1256
+2240 || WEB-MISC changepw.exe access || cve,2000-0401 || bugtraq,1256
+2241 || WEB-MISC cwmail.exe access || nessus,11727 || cve,2002-0273 || bugtraq,4093
+2242 || WEB-MISC ddicgi.exe access || nessus,11728 || cve,2000-0826 || bugtraq,1657
+2243 || WEB-MISC ndcgi.exe access || nessus,11730 || cve,2001-0922
+2244 || WEB-MISC VsSetCookie.exe access || nessus,11731 || cve,2002-0236 || bugtraq,3784
+2245 || WEB-MISC Webnews.exe access || nessus,11732 || cve,2002-0290 || bugtraq,4124
+2246 || WEB-MISC webadmin.dll access || nessus,11771
+2247 || WEB-IIS UploadScript11.asp access || cve,2001-0938
+2248 || WEB-IIS DirectoryListing.asp access || cve,2001-0938
+2249 || WEB-IIS /pcadmin/login.asp access || nessus,11785 || bugtraq,8103
+2250 || POP3 USER format string attempt || nessus,11742 || bugtraq,7667
+2251 || NETBIOS DCERPC Remote Activation bind attempt || url,www.microsoft.com/technet/security/bulletin/MS03-039.mspx || cve,2003-0715 || cve,2003-0605 || cve,2003-0528 || bugtraq,8458 || bugtraq,8234
+2252 || NETBIOS SMB-DS DCERPC Remote Activation bind attempt || url,www.microsoft.com/technet/security/bulletin/MS03-039.mspx || cve,2003-0715 || cve,2003-0605 || cve,2003-0528 || bugtraq,8458 || bugtraq,8234
+2253 || SMTP XEXCH50 overflow attempt || url,www.microsoft.com/technet/security/bulletin/MS03-046.mspx
+2254 || SMTP XEXCH50 overflow with evasion attempt || url,www.microsoft.com/technet/security/bulletin/MS03-046.mspx
+2255 || RPC sadmind query with root credentials attempt TCP
+2256 || RPC sadmind query with root credentials attempt UDP
+2257 || NETBIOS DCERPC Messenger Service buffer overflow attempt || url,www.microsoft.com/technet/security/bulletin/MS03-043.mspx || cve,2003-0717 || bugtraq,8826
+2258 || NETBIOS SMB-DS DCERPC Messenger Service buffer overflow attempt || url,www.microsoft.com/technet/security/bulletin/MS03-043.mspx || cve,2003-0717 || bugtraq,8826
+2259 || SMTP EXPN overflow attempt || cve,2003-0161 || cve,2002-1337 || bugtraq,7230 || bugtraq,6991
+2260 || SMTP VRFY overflow attempt || cve,2003-0161 || cve,2002-1337 || bugtraq,7230 || bugtraq,6991
+2261 || SMTP SEND FROM sendmail prescan too many addresses overflow || cve,2002-1337 || bugtraq,6991
+2262 || SMTP SEND FROM sendmail prescan too long addresses overflow || cve,2003-0161 || bugtraq,7230
+2263 || SMTP SAML FROM sendmail prescan too many addresses overflow || cve,2002-1337 || bugtraq,6991
+2264 || SMTP SAML FROM sendmail prescan too long addresses overflow || cve,2003-0161 || bugtraq,7230
+2265 || SMTP SOML FROM sendmail prescan too many addresses overflow || cve,2002-1337 || bugtraq,6991
+2266 || SMTP SOML FROM sendmail prescan too long addresses overflow || cve,2003-0161 || bugtraq,7230
+2267 || SMTP MAIL FROM sendmail prescan too many addresses overflow || cve,2002-1337 || bugtraq,6991
+2268 || SMTP MAIL FROM sendmail prescan too long addresses overflow || cve,2003-0161 || bugtraq,7230
+2269 || SMTP RCPT TO sendmail prescan too many addresses overflow || cve,2002-1337 || bugtraq,6991
+2270 || SMTP RCPT TO sendmail prescan too long addresses overflow || cve,2003-0161 || bugtraq,7230
+2271 || BACKDOOR FsSniffer connection attempt || nessus,11854
+2272 || FTP LIST integer overflow attempt || cve,2003-0854 || cve,2003-0853 || bugtraq,8875
+2273 || IMAP login brute force attempt
+2274 || POP3 login brute force attempt
+2275 || SMTP AUTH LOGON brute force attempt
+2276 || WEB-MISC oracle portal demo access || nessus,11918
+2277 || WEB-MISC PeopleSoft PeopleBooks psdoccgi access || cve,2003-0627 || cve,2003-0626 || bugtraq,9038 || bugtraq,9037
+2278 || WEB-MISC negative Content-Length attempt || cve,2004-0095 || bugtraq,9576 || bugtraq,9476 || bugtraq,9098
+2279 || WEB-PHP UpdateClasses.php access || bugtraq,9057
+2280 || WEB-PHP Title.php access || bugtraq,9057
+2281 || WEB-PHP Setup.php access || bugtraq,9057
+2282 || WEB-PHP GlobalFunctions.php access || bugtraq,9057
+2283 || WEB-PHP DatabaseFunctions.php access || bugtraq,9057
+2284 || WEB-PHP rolis guestbook remote file include attempt || bugtraq,9057
+2285 || WEB-PHP rolis guestbook access || bugtraq,9057
+2286 || WEB-PHP friends.php access || bugtraq,9088
+2287 || WEB-PHP Advanced Poll admin_comment.php access || nessus,11487 || bugtraq,8890
+2288 || WEB-PHP Advanced Poll admin_edit.php access || nessus,11487 || bugtraq,8890
+2289 || WEB-PHP Advanced Poll admin_embed.php access || nessus,11487 || bugtraq,8890
+2290 || WEB-PHP Advanced Poll admin_help.php access || nessus,11487 || bugtraq,8890
+2291 || WEB-PHP Advanced Poll admin_license.php access || nessus,11487 || bugtraq,8890
+2292 || WEB-PHP Advanced Poll admin_logout.php access || nessus,11487 || bugtraq,8890
+2293 || WEB-PHP Advanced Poll admin_password.php access || nessus,11487 || bugtraq,8890
+2294 || WEB-PHP Advanced Poll admin_preview.php access || nessus,11487 || bugtraq,8890
+2295 || WEB-PHP Advanced Poll admin_settings.php access || nessus,11487 || bugtraq,8890
+2296 || WEB-PHP Advanced Poll admin_stats.php access || nessus,11487 || bugtraq,8890
+2297 || WEB-PHP Advanced Poll admin_templates_misc.php access || nessus,11487 || bugtraq,8890
+2298 || WEB-PHP Advanced Poll admin_templates.php access || nessus,11487 || bugtraq,8890
+2299 || WEB-PHP Advanced Poll admin_tpl_misc_new.php access || nessus,11487 || bugtraq,8890
+2300 || WEB-PHP Advanced Poll admin_tpl_new.php access || nessus,11487 || bugtraq,8890
+2301 || WEB-PHP Advanced Poll booth.php access || nessus,11487 || bugtraq,8890
+2302 || WEB-PHP Advanced Poll poll_ssi.php access || nessus,11487 || bugtraq,8890
+2303 || WEB-PHP Advanced Poll popup.php access || nessus,11487 || bugtraq,8890
+2304 || WEB-PHP files.inc.php access || bugtraq,8910
+2305 || WEB-PHP chatbox.php access || bugtraq,8930
+2306 || WEB-PHP gallery remote file include attempt || nessus,11876 || bugtraq,8814
+2307 || WEB-PHP PayPal Storefront remote file include attemtp || nessus,11873 || bugtraq,8791
+2308 || NETBIOS SMB DCERPC Workstation Service unicode bind attempt || url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx || cve,2003-0812 || bugtraq,9011
+2309 || NETBIOS SMB DCERPC Workstation Service bind attempt || url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx || cve,2003-0812 || bugtraq,9011
+2310 || NETBIOS SMB-DS DCERPC Workstation Service unicode bind attempt || url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx || cve,2003-0812 || bugtraq,9011
+2311 || NETBIOS SMB-DS DCERPC Workstation Service bind attempt || url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx || cve,2003-0812 || bugtraq,9011
+2312 || SHELLCODE x86 0x71FB7BAB NOOP
+2313 || SHELLCODE x86 0x71FB7BAB NOOP unicode
+2314 || SHELLCODE x86 0x90 NOOP unicode
+2315 || NETBIOS DCERPC Workstation Service direct service bind attempt || url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx || cve,2003-0812 || bugtraq,9011
+2316 || NETBIOS DCERPC Workstation Service direct service access attempt || url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx || cve,2003-0812 || bugtraq,9011
+2317 || MISC CVS non-relative path error response || cve,2003-0977 || bugtraq,9178
+2318 || MISC CVS non-relative path access attempt || cve,2003-0977 || bugtraq,9178
+2319 || EXPLOIT ebola PASS overflow attempt || bugtraq,9156
+2320 || EXPLOIT ebola USER overflow attempt || bugtraq,9156
+2321 || WEB-IIS foxweb.exe access || nessus,11939
+2322 || WEB-IIS foxweb.dll access || nessus,11939
+2323 || WEB-CGI quickstore.cgi access || nessus,11975 || bugtraq,9282
+2324 || WEB-IIS VP-ASP shopsearch.asp access || nessus,11942 || bugtraq,9134 || bugtraq,9133
+2325 || WEB-IIS VP-ASP ShopDisplayProducts.asp access || nessus,11942 || bugtraq,9134 || bugtraq,9133
+2326 || WEB-IIS sgdynamo.exe access || nessus,11955 || cve,2002-0375 || bugtraq,4720
+2327 || WEB-MISC bsml.pl access || nessus,11973 || bugtraq,9311
+2328 || WEB-PHP authentication_index.php access || nessus,11982 || cve,2004-0032
+2329 || MS-SQL probe response overflow attempt || url,www.microsoft.com/technet/security/bulletin/MS04-003.mspx || cve,2003-0903 || bugtraq,9407
+2330 || IMAP auth overflow attempt || bugtraq,8861
+2331 || WEB-PHP MatrikzGB privilege escalation attempt || bugtraq,8430
+2332 || FTP MKDIR format string attempt || bugtraq,9262
+2333 || FTP RENAME format string attempt || bugtraq,9262
+2334 || FTP Yak! FTP server default account login attempt || bugtraq,9072
+2335 || FTP RMD / attempt || bugtraq,9159
+2336 || TFTP NULL command attempt || bugtraq,7575
+2337 || TFTP PUT filename overflow attempt || cve,2003-0380 || bugtraq,8505 || bugtraq,7819
+2338 || FTP LIST buffer overflow attempt || bugtraq,9675 || bugtraq,8486 || bugtraq,10181
+2339 || TFTP NULL command attempt || bugtraq,7575
+2340 || FTP SITE CHMOD overflow attempt || nessus,12037 || bugtraq,9483 || bugtraq,10181
+2341 || WEB-PHP DCP-Portal remote file include attempt || bugtraq,6525
+2342 || WEB-PHP DCP-Portal remote file include attempt || bugtraq,6525
+2343 || FTP STOR overflow attempt || bugtraq,8668
+2344 || FTP XCWD overflow attempt || bugtraq,8704
+2345 || WEB-PHP PhpGedView search.php access || cve,2004-0032 || bugtraq,9369
+2346 || WEB-PHP myPHPNuke chatheader.php access || bugtraq,6544
+2347 || WEB-PHP myPHPNuke partner.php access || bugtraq,6544
+2348 || NETBIOS SMB-DS DCERPC print spool bind attempt
+2349 || NETBIOS SMB-DS DCERPC enumerate printers request attempt
+2350 || NETBIOS DCERPC ISystemActivator bind accept || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx || cve,2003-0352 || bugtraq,8205
+2351 || NETBIOS DCERPC ISystemActivator path overflow attempt little endian || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx || cve,2003-0352 || bugtraq,8205
+2352 || NETBIOS DCERPC ISystemActivator path overflow attempt big endian || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx || cve,2003-0352 || bugtraq,8205
+2353 || WEB-PHP IdeaBox cord.php file include || bugtraq,7488
+2354 || WEB-PHP IdeaBox notification.php file include || bugtraq,7488
+2355 || WEB-PHP Invision Board emailer.php file include || bugtraq,7204
+2356 || WEB-PHP WebChat db_mysql.php file include || bugtraq,7000
+2357 || WEB-PHP WebChat english.php file include || bugtraq,7000
+2358 || WEB-PHP Typo3 translations.php file include || bugtraq,6984
+2359 || WEB-PHP Invision Board ipchat.php file include || bugtraq,6976
+2360 || WEB-PHP myphpPagetool pt_config.inc file include || bugtraq,6744
+2361 || WEB-PHP news.php file include || bugtraq,6674
+2362 || WEB-PHP YaBB SE packages.php file include || bugtraq,6663
+2363 || WEB-PHP Cyboards default_header.php access || bugtraq,6597
+2364 || WEB-PHP Cyboards options_form.php access || bugtraq,6597
+2365 || WEB-PHP newsPHP Language file include attempt || bugtraq,8488
+2366 || WEB-PHP PhpGedView PGV authentication_index.php base directory manipulation attempt || cve,2004-0030 || bugtraq,9368
+2367 || WEB-PHP PhpGedView PGV functions.php base directory manipulation attempt || cve,2004-0030 || bugtraq,9368
+2368 || WEB-PHP PhpGedView PGV config_gedcom.php base directory manipulation attempt || cve,2004-0030 || bugtraq,9368
+2369 || WEB-MISC ISAPISkeleton.dll access || bugtraq,9516
+2370 || WEB-MISC BugPort config.conf file access || bugtraq,9542
+2371 || WEB-MISC Sample_showcode.html access || bugtraq,9555
+2372 || WEB-PHP Photopost PHP Pro showphoto.php access || bugtraq,9557
+2373 || FTP XMKD overflow attempt || bugtraq,7909
+2374 || FTP NLST overflow attempt || bugtraq,9675 || bugtraq,7909 || bugtraq,10184
+2375 || BACKDOOR DoomJuice file upload attempt || url,securityresponse.symantec.com/avcenter/venc/data/w32.hllw.doomjuice.html
+2376 || EXPLOIT ISAKMP first payload certificate request length overflow attempt || cve,2004-0040 || bugtraq,9582
+2377 || EXPLOIT ISAKMP second payload certificate request length overflow attempt || cve,2004-0040 || bugtraq,9582
+2378 || EXPLOIT ISAKMP third payload certificate request length overflow attempt || cve,2004-0040 || bugtraq,9582
+2379 || EXPLOIT ISAKMP forth payload certificate request length overflow attempt || cve,2004-0040 || bugtraq,9582
+2380 || EXPLOIT ISAKMP fifth payload certificate request length overflow attempt || cve,2004-0040 || bugtraq,9582
+2381 || WEB-MISC schema overflow attempt || cve,2004-0039 || bugtraq,9581
+2382 || NETBIOS SMB NTLMSSP invalid mechtype attempt || nessus,12052 || cve,2003-0818 || bugtraq,9635 || bugtraq,9633
+2383 || NETBIOS SMB-DS DCERPC NTLMSSP invalid mechtype attempt || nessus,12052 || cve,2003-0818 || bugtraq,9635 || bugtraq,9633
+2384 || NETBIOS SMB NTLMSSP invalid mechlistMIC attempt || nessus,12054 || nessus,12052 || cve,2003-0818 || bugtraq,9635 || bugtraq,9633
+2385 || NETBIOS SMB-DS DCERPC NTLMSSP invalid mechlistMIC attempt || nessus,12054 || nessus,12052 || cve,2003-0818 || bugtraq,9635 || bugtraq,9633
+2386 || WEB-IIS NTLM ASN.1 vulnerability scan attempt || nessus,12055 || nessus,12052 || cve,2003-0818 || bugtraq,9635 || bugtraq,9633
+2387 || WEB-CGI view_broadcast.cgi access || cve,2003-0422 || bugtraq,8257
+2388 || WEB-CGI streaming server view_broadcast.cgi access || cve,2003-0422 || bugtraq,8257
+2389 || FTP RNTO overflow attempt || cve,2003-0466 || bugtraq,8315
+2390 || FTP STOU overflow attempt || cve,2003-0466 || bugtraq,8315
+2391 || FTP APPE overflow attempt || cve,2003-0466 || bugtraq,8315
+2392 || FTP RETR overflow attempt || cve,2003-0466 || bugtraq,8315
+2393 || WEB-PHP /_admin access || nessus,12032 || bugtraq,9537
+2394 || WEB-MISC Compaq web-based management agent denial of service attempt || bugtraq,8014
+2395 || WEB-MISC InteractiveQuery.jsp access || cve,2003-0624 || bugtraq,8938
+2396 || WEB-CGI CCBill whereami.cgi arbitrary command execution attempt || bugtraq,8095
+2397 || WEB-CGI CCBill whereami.cgi access || bugtraq,8095
+2398 || WEB-PHP WAnewsletter newsletter.php file include attempt || bugtraq,6965
+2399 || WEB-PHP WAnewsletter db_type.php access || bugtraq,6964
+2400 || WEB-MISC edittag.pl access || bugtraq,6675
+2401 || NETBIOS SMB Session Setup AndX request username overflow attempt || url,www.eeye.com/html/Research/Advisories/AD20040226.html || bugtraq,9752
+2402 || NETBIOS SMB-DS Session Setup AndX request username overflow attempt || url,www.eeye.com/html/Research/Advisories/AD20040226.html || bugtraq,9752
+2403 || NETBIOS SMB Session Setup AndX request unicode username overflow attempt || url,www.eeye.com/html/Research/Advisories/AD20040226.html || bugtraq,9752
+2404 || NETBIOS SMB-DS Session Setup AndX request unicode username overflow attempt || url,www.eeye.com/html/Research/Advisories/AD20040226.html || bugtraq,9752
+2405 || WEB-PHP phptest.php access || bugtraq,9737
+2406 || TELNET APC SmartSlot default admin account attempt || bugtraq,9681
+2407 || WEB-MISC util.pl access || bugtraq,9748
+2408 || WEB-MISC Invision Power Board search.pl access || bugtraq,9766
+2409 || POP3 APOP USER overflow attempt || bugtraq,9794
+2410 || WEB-PHP IGeneric Free Shopping Cart page.php access || bugtraq,9773
+2411 || WEB-MISC Real Server DESCRIBE buffer overflow attempt || url,www.service.real.com/help/faq/security/rootexploit091103.html || bugtraq,8476
+2412 || ATTACK-RESPONSES successful cross site scripting forced download attempt
+2413 || EXPLOIT ISAKMP delete hash with empty hash attempt || cve,2004-0164 || bugtraq,CAN-2004-0164 || bugtraq,9417 || bugtraq,9416
+2414 || EXPLOIT ISAKMP initial contact notification without SPI attempt || cve,2004-0164 || bugtraq,CAN-2004-0164 || bugtraq,9417 || bugtraq,9416
+2415 || EXPLOIT ISAKMP second payload initial contact notification without SPI attempt || cve,2004-0164 || bugtraq,CAN-2004-0164 || bugtraq,9417 || bugtraq,9416
+2416 || FTP invalid MDTM command attempt
+2417 || FTP format string attempt
+2418 || MISC MS Terminal Server no encryption session initiation attmept || url,www.microsoft.com/technet/security/bulletin/MS01-052.mspx
+2419 || MULTIMEDIA realplayer .ram playlist download attempt
+2420 || MULTIMEDIA realplayer .rmp playlist download attempt
+2421 || MULTIMEDIA realplayer .smi playlist download attempt
+2422 || MULTIMEDIA realplayer .rt playlist download attempt
+2423 || MULTIMEDIA realplayer .rp playlist download attempt
+2424 || NNTP sendsys overflow attempt || cve,2004-00045 || bugtraq,9382
+2425 || NNTP senduuname overflow attempt || cve,2004-00045 || bugtraq,9382
+2426 || NNTP version overflow attempt || cve,2004-00045 || bugtraq,9382
+2427 || NNTP checkgroups overflow attempt || cve,2004-00045 || bugtraq,9382
+2428 || NNTP ihave overflow attempt || cve,2004-00045 || bugtraq,9382
+2429 || NNTP sendme overflow attempt || cve,2004-00045 || bugtraq,9382
+2430 || NNTP newgroup overflow attempt || cve,2004-00045 || bugtraq,9382
+2431 || NNTP rmgroup overflow attempt || cve,2004-00045 || bugtraq,9382
+2432 || NNTP article post without path attempt
+2433 || WEB-CGI MDaemon form2raw.cgi overflow attempt || bugtraq,9317
+2434 || WEB-CGI MDaemon form2raw.cgi access || bugtraq,9317
+2435 || WEB-CLIENT Microsoft emf metafile access || bugtraq,9707
+2436 || WEB-CLIENT Microsoft wmf metafile access || bugtraq,9707
+2437 || WEB-CLIENT RealPlayer arbitrary javascript command attempt || cve,2003-0726 || bugtraq,9738 || bugtraq,8453
+2438 || WEB-CLIENT RealPlayer playlist file URL overflow attempt || bugtraq,9579
+2439 || WEB-CLIENT RealPlayer playlist http URL overflow attempt || bugtraq,9579
+2440 || WEB-CLIENT RealPlayer playlist rtsp URL overflow attempt || bugtraq,9579
+2441 || WEB-MISC NetObserve authentication bypass attempt || bugtraq,9319
+2442 || WEB-MISC Quicktime User-Agent buffer overflow attempt || cve,2004-0169 || bugtraq,9735
+2443 || EXPLOIT ICQ SRV_MULTI/SRV_META_USER first name overflow attempt || url,www.eeye.com/html/Research/Advisories/AD20040318.html
+2444 || EXPLOIT ICQ SRV_MULTI/SRV_META_USER first name overflow attempt || url,www.eeye.com/html/Research/Advisories/AD20040318.html
+2445 || EXPLOIT ICQ SRV_MULTI/SRV_META_USER last name overflow attempt || url,www.eeye.com/html/Research/Advisories/AD20040318.html
+2446 || EXPLOIT ICQ SRV_MULTI/SRV_META_USER email overflow attempt || url,www.eeye.com/html/Research/Advisories/AD20040318.html
+2447 || WEB-MISC ServletManager access || nessus,12122 || cve,2001-1195 || bugtraq,3697
+2448 || WEB-MISC setinfo.hts access || nessus,12120 || bugtraq,9973
+2449 || FTP ALLO overflow attempt || bugtraq,9953
+2450 || CHAT Yahoo IM successful logon
+2451 || CHAT Yahoo IM voicechat
+2452 || CHAT Yahoo IM ping
+2453 || CHAT Yahoo IM conference invitation
+2454 || CHAT Yahoo IM conference logon success
+2455 || CHAT Yahoo IM conference message
+2456 || CHAT Yahoo IM file transfer request
+2457 || CHAT Yahoo IM message
+2458 || CHAT Yahoo IM successful chat join
+2459 || CHAT Yahoo IM webcam offer invitation
+2460 || CHAT Yahoo IM webcam request
+2461 || CHAT Yahoo IM webcam watch
+2462 || EXPLOIT IGMP IGAP account overflow attempt || cve,2004-0367 || cve,2004-0176 || cve, CAN-2004-0367 || bugtraq,9952
+2463 || EXPLOIT IGMP IGAP message overflow attempt || cve,2004-0367 || cve,2004-0176 || cve, CAN-2004-0367 || bugtraq,9952
+2464 || EXPLOIT EIGRP prefix length overflow attempt || cve,2004-0367 || cve,2004-0176 || cve, CAN-2004-0367 || bugtraq,9952
+2465 || NETBIOS SMB-DS IPC$ share access
+2466 || NETBIOS SMB-DS IPC$ share unicode access
+2467 || NETBIOS SMB D$ share unicode access
+2468 || NETBIOS SMB-DS D$ share access
+2469 || NETBIOS SMB-DS D$ share unicode access
+2470 || NETBIOS SMB C$ share unicode access
+2471 || NETBIOS SMB-DS C$ share access
+2472 || NETBIOS SMB-DS C$ share unicode access
+2473 || NETBIOS SMB ADMIN$ share unicode access
+2474 || NETBIOS SMB-DS ADMIN$ share access
+2475 || NETBIOS SMB-DS ADMIN$ share unicode access
+2476 || NETBIOS SMB-DS Create AndX Request winreg attempt
+2477 || NETBIOS SMB-DS Create AndX Request winreg unicode attempt
+2478 || NETBIOS SMB-DS DCERPC bind winreg attempt
+2479 || NETBIOS SMB-DS DCERPC bind winreg unicode attempt
+2480 || NETBIOS SMB-DS DCERPC shutdown unicode attempt
+2481 || NETBIOS SMB-DS DCERPC shutdown unicode little endian attempt
+2482 || NETBIOS SMB-DS DCERPC shutdown attempt
+2483 || NETBIOS SMB-DS DCERPC shutdown little endian attempt
+2484 || WEB-MISC source.jsp access || nessus,12119
+2485 || WEB-CLIENT Nortan antivirus sysmspam.dll load attempt || cve,2004-0363 || bugtraq,9916
+2486 || DOS ISAKMP invalid identification payload attempt || cve,2004-0184 || bugtraq,10004
+2487 || SMTP WinZip MIME content-type buffer overflow || bugtraq,9758
+2488 || SMTP WinZip MIME content-disposition buffer overflow || bugtraq,9758
+2489 || EXPLOIT esignal STREAMQUOTE buffer overflow attempt || bugtraq,9978
+2490 || EXPLOIT esignal SNAPQUOTE buffer overflow attempt || bugtraq,9978
+2491 || NETBIOS SMB-DS DCERPC ISystemActivator unicode bind attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,2003-0813 || bugtraq,8811
+2492 || NETBIOS SMB DCERPC ISystemActivator bind attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,2003-0813 || bugtraq,8811
+2493 || NETBIOS SMB DCERPC ISystemActivator unicode bind attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,2003-0813 || bugtraq,8811
+2494 || NETBIOS DCEPRC ORPCThis request flood attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,2003-0813 || bugtraq,8811
+2495 || NETBIOS SMB DCEPRC ORPCThis request flood attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,2003-0813 || bugtraq,8811
+2496 || NETBIOS SMB-DS DCEPRC ORPCThis request flood attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,2003-0813 || bugtraq,8811
+2497 || IMAP SSLv3 invalid data version attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,2004-0120 || bugtraq,10115
+2498 || IMAP SSLv3 invalid timestamp attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,2004-0120 || bugtraq,10115
+2499 || MISC LDAP SSLv3 invalid timestamp attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,2004-0120 || bugtraq,10115
+2500 || MISC LDAP SSLv3 invalid data version attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx
+2501 || POP3 SSLv3 invalid timestamp attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,2004-0120 || bugtraq,10115
+2502 || POP3 SSLv3 invalid data version attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,2004-0120 || bugtraq,10115
+2503 || SMTP SSLv3 invalid timestamp attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,2004-0120 || bugtraq,10115
+2504 || SMTP SSLv3 invalid data version attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,2004-0120 || bugtraq,10115
+2505 || WEB-MISC SSLv3 invalid data version attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,2004-0120 || bugtraq,10115
+2506 || WEB-MISC SSLv3 invalid timestamp attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,2004-0120 || bugtraq,10115
+2507 || NETBIOS DCERPC LSASS bind attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,2003-0533 || bugtraq,10108
+2508 || NETBIOS DCERPC LSASS DsRolerUpgradeDownlevelServer Exploit attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,2003-0533 || bugtraq,10108
+2509 || NETBIOS SMB DCERPC LSASS unicode bind attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,2003-0533 || bugtraq,10108
+2510 || NETBIOS SMB DCERPC LSASS bind attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,2003-0533 || bugtraq,10108
+2511 || NETBIOS SMB DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,2003-0533 || bugtraq,10108
+2512 || NETBIOS SMB-DS DCERPC LSASS bind attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,2003-0533 || bugtraq,10108
+2513 || NETBIOS SMB-DS DCERPC LSASS unicode bind attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,2003-0533 || bugtraq,10108
+2514 || NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,2003-0533 || bugtraq,10108
+2515 || WEB-MISC PCT Client_Hello overflow attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,2003-0719 || bugtraq,10116
+2516 || MISC LDAP PCT Client_Hello overflow attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,2003-0719 || bugtraq,10116
+2517 || IMAP PCT Client_Hello overflow attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,2003-0719 || bugtraq,10116
+2518 || PO3 PCT Client_Hello overflow attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,2003-0719 || bugtraq,10116
+2519 || SMTP Client_Hello overflow attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,2003-0719 || bugtraq,10116
+2520 || WEB-MISC SSLv3 Client_Hello request || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,2004-0120
+2521 || WEB-MISC SSLv3 Server_Hello request || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,2004-0120
+2522 || WEB-MISC SSLv3 invalid Client_Hello attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,2004-0120
+2523 || DOS BGP spoofed connection reset attempt || url,www.uniras.gov.uk/vuls/2004/236929/index.htm || cve,2004-0230 || bugtraq,10183
+2524 || NETBIOS DCERPC LSASS direct bind attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,2003-0533 || bugtraq,10108
+2525 || NETBIOS SMB DCERPC LSASS direct bind attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,2003-0533 || bugtraq,10108
+2526 || NETBIOS SMB-DS DCERPC LSASS direct bind attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,2003-0533 || bugtraq,10108
+2527 || SMTP STARTTLS attempt
+2528 || SMTP TLS PCT Client_Hello overflow attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,2003-0719 || bugtraq,10116
+2529 || IMAP SSLv3 Client_Hello request || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,2004-0120
+2530 || IMAP SSLv3 Server_Hello request || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,2004-0120
+2531 || IMAP SSLv3 invalid Client_Hello attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,2004-0120
+2532 || MISC LDAP SSLv3 Client_Hello request || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,2004-0120
+2533 || MISC LDAP SSLv3 Server_Hello request || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,2004-0120
+2534 || MISC LDAP SSLv3 invalid Client_Hello attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,2004-0120
+2535 || POP3 SSLv3 Client_Hello request || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,2004-0120
+2536 || POP3 SSLv3 Server_Hello request || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,2004-0120
+2537 || POP3 SSLv3 invalid Client_Hello attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,2004-0120
+2538 || SMTP SSLv3 Client_Hello request || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,2004-0120
+2539 || SMTP SSLv3 Server_Hello request || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,2004-0120
+2540 || SMTP SSLv3 invalid Client_Hello attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,2004-0120
+2541 || SMTP TLS SSLv3 invalid data version attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,2004-0120 || bugtraq,10115
+2542 || SMTP TLS SSLv3 Client_Hello request || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,2004-0120
+2543 || SMTP TLS SSLv3 Server_Hello request || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,2004-0120
+2544 || SMTP TLS SSLv3 invalid Client_Hello attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,2004-0120
+2545 || EXPLOIT AFP FPLoginExt username buffer overflow attempt || url,www.atstake.com/research/advisories/2004/a050304-1.txt || cve,2004-0430 || bugtraq,10271
+2546 || FTP MDTM overflow attempt || bugtraq,9751
+2547 || MISC HP Web JetAdmin remote file upload attempt || bugtraq,9978
+2548 || MISC HP Web JetAdmin setinfo access || bugtraq,9972
+2549 || MISC HP Web JetAdmin file write attempt || bugtraq,9973
+2550 || EXPLOIT winamp XM module name overflow || url,www.nextgenss.com/advisories/winampheap.txt
+2551 || EXPLOIT Oracle Web Cache GET overflow attempt || cve,2004-0385 || bugtraq,9868
+2552 || EXPLOIT Oracle Web Cache HEAD overflow attempt || cve,2004-0385 || bugtraq,9868
+2553 || EXPLOIT Oracle Web Cache PUT overflow attempt || cve,2004-0385 || bugtraq,9868
+2554 || EXPLOIT Oracle Web Cache POST overflow attempt || cve,2004-0385 || bugtraq,9868
+2555 || EXPLOIT Oracle Web Cache TRACE overflow attempt || cve,2004-0385 || bugtraq,9868
+2556 || EXPLOIT Oracle Web Cache DELETE overflow attempt || cve,2004-0385 || bugtraq,9868
+2557 || EXPLOIT Oracle Web Cache LOCK overflow attempt || cve,2004-0385 || bugtraq,9868
+2558 || EXPLOIT Oracle Web Cache MKCOL overflow attempt || cve,2004-0385 || bugtraq,9868
+2559 || EXPLOIT Oracle Web Cache COPY overflow attempt || cve,2004-0385 || bugtraq,9868
+2560 || EXPLOIT Oracle Web Cache MOVE overflow attempt || cve,2004-0385 || bugtraq,9868
+2561 || MISC rsync backup-dir directory traversal attempt || cve,2004-0426 || bugtraq,10247
+2562 || WEB-MISC McAfee ePO file upload attempt || cve,2004-0038 || bugtraq,10200
+2563 || NETBIOS NS lookup response name overflow attempt || url,www.eeye.com/html/Research/Advisories/AD20040512A.html || cve,2004-0445 || cve,2004-0444 || bugtraq,10334 || bugtraq,10333
+2564 || NETBIOS NS lookup short response attempt || url,www.eeye.com/html/Research/Advisories/AD20040512C.html || cve,2004-0445 || cve,2004-0444 || bugtraq,10335 || bugtraq,10334
+2565 || WEB-PHP modules.php access || bugtraq,9879
+2566 || WEB-PHP PHPBB viewforum.php access || bugtraq,9866
+2567 || WEB-CGI Emumail init.emu access || bugtraq,9861
+2568 || WEB-CGI Emumail emumail.fcgi access || bugtraq,9861
+2569 || WEB-MISC cPanel resetpass access || bugtraq,9848
+2570 || WEB-MISC Invalid HTTP Version String || nessus,11593 || bugtraq,9809
+2571 || WEB-IIS SmarterTools SmarterMail frmGetAttachment.aspx access || bugtraq,9805
+2572 || WEB-IIS SmarterTools SmarterMail login.aspx buffer overflow attempt || bugtraq,9805
+2573 || WEB-IIS SmarterTools SmarterMail frmCompose.asp access || bugtraq,9805
+2574 || FTP RETR format string attempt || bugtraq,9800
+2575 || WEB-PHP Opt-X header.php remote file include attempt || bugtraq,9732
+2576 || ORACLE generate_replication_support prefix overflow attempt
+2577 || WEB-CLIENT local resource redirection attempt || url,www.kb.cert.org/vuls/id/713878 || cve,2004-0549
diff --git a/scripts/s2b/snort_rules2.2/smtp.rules b/scripts/s2b/snort_rules2.2/smtp.rules
new file mode 100644
index 0000000000..80d522d5c7
--- /dev/null
+++ b/scripts/s2b/snort_rules2.2/smtp.rules
@@ -0,0 +1,68 @@
+# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
+#    All rights reserved.
+# $Id: smtp.rules 91 2004-07-15 08:13:57Z rwinslow $
+#-----------
+# SMTP RULES
+#-----------
+
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP RCPT TO overflow"; flow:to_server,established; content:"rcpt to|3A|"; nocase; isdataat:300,relative; pcre:"/^RCPT TO\s[^\n]{300}/ism"; reference:bugtraq,2283; reference:bugtraq,9696; reference:cve,2001-0260; classtype:attempted-admin; sid:654; rev:13;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP chameleon overflow"; flow:to_server,established; content:"HELP"; nocase; isdataat:500,relative; pcre:"/^HELP\s[^\n]{500}/ism"; reference:arachnids,266; reference:bugtraq,2387; reference:cve,1999-0261; classtype:attempted-admin; sid:657; rev:12;)
+alert tcp $EXTERNAL_NET 113 -> $SMTP_SERVERS 25 (msg:"SMTP sendmail 8.6.9 exploit"; flow:to_server,established; content:"|0A|D/"; reference:arachnids,140; reference:bugtraq,2311; reference:cve,1999-0204; classtype:attempted-admin; sid:655; rev:8;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP exchange mime DOS"; flow:to_server,established; content:"charset = |22 22|"; classtype:attempted-dos; sid:658; rev:5;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP expn decode"; flow:to_server,established; content:"expn"; nocase; content:"decode"; nocase; pcre:"/^expn\s+decode/smi"; reference:arachnids,32; classtype:attempted-recon; sid:659; rev:6;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP expn root"; flow:to_server,established; content:"expn"; nocase; content:"root"; nocase; pcre:"/^expn\s+root/smi"; reference:arachnids,31; classtype:attempted-recon; sid:660; rev:7;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP expn *@"; flow:to_server,established; content:"expn"; nocase; content:"*@"; pcre:"/^expn\s+\*@/smi"; reference:cve,1999-1200; classtype:misc-attack; sid:1450; rev:5;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP majordomo ifs"; flow:to_server,established; content:"eply-to|3A| a~.`/bin/"; reference:arachnids,143; reference:cve,1999-0208; classtype:attempted-admin; sid:661; rev:6;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP sendmail 5.5.5 exploit"; flow:to_server,established; content:"mail from|3A| |22 7C|"; nocase; reference:arachnids,119; classtype:attempted-admin; sid:662; rev:5;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP rcpt to command attempt"; flow:to_server,established; content:"rcpt to|3A|"; nocase; pcre:"/^rcpt\s+to\:\s+[|\x3b]/smi"; reference:arachnids,172; reference:bugtraq,1; reference:cve,1999-0095; classtype:attempted-admin; sid:663; rev:13;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP RCPT TO decode attempt"; flow:to_server,established; content:"rcpt to|3A|"; content:"decode"; distance:0; nocase; pcre:"/^rcpt to\:\s+decode/smi"; reference:arachnids,121; reference:bugtraq,2308; reference:cve,1999-0203; classtype:attempted-admin; sid:664; rev:13;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP sendmail 5.6.5 exploit"; flow:to_server,established; content:"MAIL FROM|3A| |7C|/usr/ucb/tail"; nocase; reference:arachnids,122; classtype:attempted-user; sid:665; rev:5;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP sendmail 8.6.10 exploit"; flow:to_server,established; content:"Croot|0D 0A|Mprog, P=/bin/"; reference:arachnids,123; classtype:attempted-user; sid:667; rev:5;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP sendmail 8.6.10 exploit"; flow:to_server,established; content:"Croot|09 09 09 09 09 09 09|Mprog,P=/bin"; reference:arachnids,124; classtype:attempted-user; sid:668; rev:6;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP sendmail 8.6.9 exploit"; flow:to_server,established; content:"|0A|Croot|0A|Mprog"; reference:arachnids,142; reference:bugtraq,2311; reference:cve,1999-0204; classtype:attempted-user; sid:669; rev:8;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP sendmail 8.6.9 exploit"; flow:to_server,established; content:"|0A|C|3A|daemon|0A|R"; reference:arachnids,139; reference:bugtraq,2311; reference:cve,1999-0204; classtype:attempted-user; sid:670; rev:7;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP sendmail 8.6.9c exploit"; flow:to_server,established; content:"|0A|Croot|0D 0A|Mprog"; reference:arachnids,141; reference:bugtraq,2311; reference:cve,1999-0204; classtype:attempted-user; sid:671; rev:8;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP vrfy decode"; flow:to_server,established; content:"vrfy"; nocase; content:"decode"; distance:1; nocase; pcre:"/^vrfy\s+decode/smi"; reference:arachnids,373; classtype:attempted-recon; sid:672; rev:6;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP vrfy root"; flow:to_server,established; content:"vrfy"; nocase; content:"root"; distance:1; nocase; pcre:"/^vrfy\s+root/smi"; classtype:attempted-recon; sid:1446; rev:6;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP ehlo cybercop attempt"; flow:to_server,established; content:"ehlo cybercop|0A|quit|0A|"; reference:arachnids,372; classtype:protocol-command-decode; sid:631; rev:6;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP expn cybercop attempt"; flow:to_server,established; content:"expn cybercop"; reference:arachnids,371; classtype:protocol-command-decode; sid:632; rev:5;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP HELO overflow attempt"; flow:to_server,established; content:"HELO"; isdataat:500,relative; pcre:"/^HELO\s[^\n]{500}/smi"; reference:bugtraq,7726; reference:bugtraq,895; reference:cve,2000-0042; reference:nessus,10324; reference:nessus,11674; classtype:attempted-admin; sid:1549; rev:16;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP ETRN overflow attempt"; flow:to_server,established; content:"ETRN"; isdataat:500,relative; pcre:"/^ETRN\s[^\n]{500}/smi"; reference:bugtraq,1297; reference:cve,2000-0490; classtype:attempted-admin; sid:1550; rev:10;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP From comment overflow attempt"; flow:to_server,established; content:"From|3A|"; content:"<><><><><><><><><><><><><><><><><><><><><><>"; distance:0; content:"|28|"; distance:1; content:"|29|"; distance:1; reference:cve,2002-1337; reference:url,www.kb.cert.org/vuls/id/398025; classtype:attempted-admin; sid:2087; rev:5;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP Content-Transfer-Encoding overflow attempt"; flow:to_server,established; content:"Content-Transfer-Encoding|3A|"; isdataat:100,relative; content:!"|0A|"; within:100; reference:cve,2003-0161; reference:url,www.cert.org/advisories/CA-2003-12.html; classtype:attempted-admin; sid:2183; rev:5;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP XEXCH50 overflow attempt"; flow:to_server,established; content:"XEXCH50"; nocase; pcre:"/^XEXCH50\s+-\d/smi"; reference:url,www.microsoft.com/technet/security/bulletin/MS03-046.mspx; classtype:attempted-admin; sid:2253; rev:3;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP EXPN overflow attempt"; flow:to_server,established; content:"EXPN"; nocase; pcre:"/^EXPN[^\n]{255,}/smi"; reference:bugtraq,6991; reference:bugtraq,7230; reference:cve,2002-1337; reference:cve,2003-0161; classtype:attempted-admin; sid:2259; rev:5;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP VRFY overflow attempt"; flow:to_server,established; content:"VRFY"; nocase; pcre:"/^VRFY[^\n]{255,}/smi"; reference:bugtraq,6991; reference:bugtraq,7230; reference:cve,2002-1337; reference:cve,2003-0161; classtype:attempted-admin; sid:2260; rev:5;)
+
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP SEND FROM sendmail prescan too many addresses overflow"; flow:to_server,established; content:"SEND FROM|3A|"; nocase; pcre:"/^SEND FROM\x3a\s*[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?</smi"; reference:bugtraq,6991; reference:cve,2002-1337; classtype:attempted-admin; sid:2261; rev:4;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP SEND FROM sendmail prescan too long addresses overflow"; flow:to_server,established; content:"SEND FROM|3A|"; nocase; pcre:"/^SEND FROM\x3a\s+[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}/smi"; reference:bugtraq,7230; reference:cve,2003-0161; classtype:misc-attack; sid:2262; rev:4;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP SAML FROM sendmail prescan too many addresses overflow"; flow:to_server,established; content:"SAML FROM|3A|"; nocase; pcre:"/^SAML FROM\x3a\s*[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?</smi"; reference:bugtraq,6991; reference:cve,2002-1337; classtype:attempted-admin; sid:2263; rev:6;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP SAML FROM sendmail prescan too long addresses overflow"; flow:to_server,established; content:"SAML FROM|3A|"; nocase; pcre:"/^SAML FROM\x3a\s+[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}/smi"; reference:bugtraq,7230; reference:cve,2003-0161; classtype:misc-attack; sid:2264; rev:4;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP SOML FROM sendmail prescan too many addresses overflow"; flow:to_server,established; content:"SOML FROM|3A|"; nocase; pcre:"/^SOML FROM\x3a\s*[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?</smi"; reference:bugtraq,6991; reference:cve,2002-1337; classtype:attempted-admin; sid:2265; rev:4;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP SOML FROM sendmail prescan too long addresses overflow"; flow:to_server,established; content:"SOML FROM|3A|"; nocase; pcre:"/^SOML FROM\x3a\s+[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}/smi"; reference:bugtraq,7230; reference:cve,2003-0161; classtype:misc-attack; sid:2266; rev:4;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP MAIL FROM sendmail prescan too many addresses overflow"; flow:to_server,established; content:"MAIL FROM|3A|"; nocase; pcre:"/^MAIL FROM\x3a\s*[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?</smi"; reference:bugtraq,6991; reference:cve,2002-1337; classtype:attempted-admin; sid:2267; rev:4;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP MAIL FROM sendmail prescan too long addresses overflow"; flow:to_server,established; content:"MAIL FROM|3A|"; nocase; pcre:"/^MAIL FROM\x3a\s+[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}/smi"; reference:bugtraq,7230; reference:cve,2003-0161; classtype:attempted-admin; sid:2268; rev:4;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP RCPT TO sendmail prescan too many addresses overflow"; flow:to_server,established; content:"RCPT TO|3A|"; nocase; pcre:"/^RCPT TO\x3a\s*[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?</smi"; reference:bugtraq,6991; reference:cve,2002-1337; classtype:attempted-admin; sid:2269; rev:4;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP RCPT TO sendmail prescan too long addresses overflow"; flow:to_server,established; content:"RCPT TO|3A|"; nocase; pcre:"/^RCPT TO\x3a\s+[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}/smi"; reference:bugtraq,7230; reference:cve,2003-0161; classtype:attempted-admin; sid:2270; rev:4;)
+alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"SMTP AUTH LOGON brute force attempt"; flow:from_server,established; content:"Authentication unsuccessful"; offset:54; nocase; threshold:type threshold, track by_dst, count 5, seconds 60; classtype:suspicious-login; sid:2275; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP WinZip MIME content-type buffer overflow"; flow:to_server, established; content:"Content-Type|3A|"; nocase; pcre:"/name=[^\r\n]*?\.(mim|uue|uu|b64|bhx|hqx|xxe)/smi"; pcre:"/(name|id|number|total|boundary)=\s*[^\r\n\x3b\s\x2c]{300}/smi"; reference:bugtraq,9758; classtype:attempted-user; sid:2487; rev:4;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP WinZip MIME content-disposition buffer overflow"; flow:to_server, established; content:"Content-Type|3A|"; nocase; pcre:"/name=[^\r\n]*?\.(mim|uue|uu|b64|bhx|hqx|xxe)/smi"; content:"Content-Disposition|3A|"; nocase; pcre:"/name=\s*[^\r\n\x3b\s\x2c]{300}/smi"; reference:bugtraq,9758; classtype:attempted-user; sid:2488; rev:4;)
+
+
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 465 (msg:"SMTP SSLv3 invalid data version attempt"; flow:to_server,established; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; content:!"|03|"; depth:1; offset:9; reference:bugtraq,10115; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2504; rev:6;)
+
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 465 (msg:"SMTP Client_Hello overflow attempt"; flow:to_server,established; content:"|01|"; depth:1; offset:2; byte_test:2,>,0,6; byte_test:2,!,0,8; byte_test:2,!,16,8; byte_test:2,>,20,10; content:"|8F|"; depth:1; offset:11; byte_test:2,>,32768,0,relative; reference:bugtraq,10116; reference:cve,2003-0719; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2519; rev:9;)
+
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 465 (msg:"SMTP SSLv3 Client_Hello request"; flow:to_server,established; flowbits:isnotset,sslv3.client_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; flowbits:set,sslv3.client_hello.request; flowbits:noalert; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2538; rev:3;)
+alert tcp $SMTP_SERVERS 465 -> $EXTERNAL_NET any (msg:"SMTP SSLv3 Server_Hello request"; flow:to_client,established; flowbits:isset,sslv3.client_hello.request; content:"|16 03|"; depth:2; content:"|02|"; depth:1; offset:5; flowbits:set,sslv3.server_hello.request; flowbits:noalert; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2539; rev:3;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 465 (msg:"SMTP SSLv3 invalid Client_Hello attempt"; flow:to_server,established; flowbits:isset,sslv3.server_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2540; rev:3;)
+
+
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP STARTTLS attempt"; flow:to_server,established; content:"STARTTLS|0D 0A|"; within:10; flowbits:set,starttls.attempt; flowbits:noalert; classtype:protocol-command-decode; sid:2527; rev:3;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP TLS SSLv3 invalid data version attempt"; flow:to_server,established; flowbits:isset,starttls.attempt; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; content:!"|03|"; depth:1; offset:9; reference:bugtraq,10115; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2541; rev:5;)
+
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP TLS PCT Client_Hello overflow attempt"; flow:to_server,established; flowbits:isset,starttls.attempt; content:"|01|"; depth:1; offset:2; byte_test:2,>,0,6; byte_test:2,!,0,8; byte_test:2,!,16,8; byte_test:2,>,20,10; content:"|8F|"; depth:1; offset:11; byte_test:2,>,32768,0,relative; reference:bugtraq,10116; reference:cve,2003-0719; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2528; rev:7;)
+
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP TLS SSLv3 Client_Hello request"; flow:to_server,established; flowbits:isset,starttls.attempt; flowbits:isnotset,sslv3.client_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; flowbits:set,sslv3.client_hello.request; flowbits:noalert; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2542; rev:3;)
+alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"SMTP TLS SSLv3 Server_Hello request"; flow:to_client,established; flowbits:isset,sslv3.client_hello.request; content:"|16 03|"; depth:2; content:"|02|"; depth:1; offset:5; flowbits:set,sslv3.server_hello.request; flowbits:noalert; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2543; rev:3;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP TLS SSLv3 invalid Client_Hello attempt"; flow:to_server,established; flowbits:isset,sslv3.server_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2544; rev:3;)
diff --git a/scripts/s2b/snort_rules2.2/snmp.rules b/scripts/s2b/snort_rules2.2/snmp.rules
new file mode 100644
index 0000000000..6ec526f1f5
--- /dev/null
+++ b/scripts/s2b/snort_rules2.2/snmp.rules
@@ -0,0 +1,24 @@
+# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
+#    All rights reserved.
+# $Id: snmp.rules 91 2004-07-15 08:13:57Z rwinslow $
+# ---------------
+# SNMP RULES
+# ---------------
+#
+alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP missing community string attempt"; content:"|04 00|"; depth:15; offset:5; reference:bugtraq,2112; reference:cve,1999-0517; classtype:misc-attack; sid:1893; rev:4;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP null community string attempt"; content:"|04 01 00|"; depth:15; offset:5; reference:bugtraq,2112; reference:bugtraq,8974; reference:cve,1999-0517; classtype:misc-attack; sid:1892; rev:6;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 161:162 (msg:"SNMP community string buffer overflow attempt"; content:"|02 01 00 04 82 01 00|"; offset:4; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; reference:url,www.cert.org/advisories/CA-2002-03.html; classtype:misc-attack; sid:1409; rev:10;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 161:162 (msg:"SNMP community string buffer overflow attempt with evasion"; content:" |04 82 01 00|"; depth:5; offset:7; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; reference:url,www.cert.org/advisories/CA-2002-03.html; classtype:misc-attack; sid:1422; rev:10;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP public access udp"; content:"public"; reference:bugtraq,2112; reference:bugtraq,4088; reference:bugtraq,4089; reference:cve,1999-0517; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1411; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP public access tcp"; flow:to_server,established; content:"public"; reference:bugtraq,2112; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,7212; reference:cve,1999-0517; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1412; rev:13;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP private access udp"; content:"private"; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:bugtraq,7212; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1413; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP private access tcp"; flow:to_server,established; content:"private"; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1414; rev:11;)
+alert udp any any -> 255.255.255.255 161 (msg:"SNMP Broadcast request"; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1415; rev:9;)
+alert udp any any -> 255.255.255.255 162 (msg:"SNMP broadcast trap"; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1416; rev:9;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP request udp"; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1417; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP request tcp"; flow:stateless; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1418; rev:11;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"SNMP trap udp"; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1419; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"SNMP trap tcp"; flow:stateless; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1420; rev:11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 705 (msg:"SNMP AgentX/tcp request"; flow:stateless; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1421; rev:11;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP PROTOS test-suite-req-app attempt"; content:"0&|02 01 00 04 06|public|A0 19 02 01 00 02 01 00 02 01 00|0|0E|0|0C 06 08|+|06 01 02 01 01 05 00 05 00|"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c06/snmpv1/index.html; classtype:misc-attack; sid:1426; rev:5;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"SNMP PROTOS test-suite-trap-app attempt"; content:"08|02 01 00 04 06|public|A4|+|06|"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c06/snmpv1/index.html; classtype:misc-attack; sid:1427; rev:4;)
diff --git a/scripts/s2b/snort_rules2.2/snort.conf b/scripts/s2b/snort_rules2.2/snort.conf
new file mode 100644
index 0000000000..205d4b6625
--- /dev/null
+++ b/scripts/s2b/snort_rules2.2/snort.conf
@@ -0,0 +1,617 @@
+#--------------------------------------------------
+#   http://www.snort.org     Snort 2.1.0 Ruleset
+#     Contact: snort-sigs@lists.sourceforge.net
+#--------------------------------------------------
+# $Id: snort.conf 91 2004-07-15 08:13:57Z rwinslow $
+#
+###################################################
+# This file contains a sample snort configuration. 
+# You can take the following steps to create your own custom configuration:
+#
+#  1) Set the network variables for your network
+#  2) Configure preprocessors
+#  3) Configure output plugins
+#  4) Customize your rule set
+#
+###################################################
+# Step #1: Set the network variables:
+#
+# You must change the following variables to reflect your local network. The
+# variable is currently setup for an RFC 1918 address space.
+#
+# You can specify it explicitly as: 
+#
+# var HOME_NET 10.1.1.0/24
+#
+# or use global variable $<interfacename>_ADDRESS which will be always
+# initialized to IP address and netmask of the network interface which you run
+# snort at.  Under Windows, this must be specified as
+# $(<interfacename>_ADDRESS), such as:
+# $(\Device\Packet_{12345678-90AB-CDEF-1234567890AB}_ADDRESS)
+#
+# var HOME_NET $eth0_ADDRESS
+#
+# You can specify lists of IP addresses for HOME_NET
+# by separating the IPs with commas like this:
+#
+# var HOME_NET [10.1.1.0/24,192.168.1.0/24]
+#
+# MAKE SURE YOU DON'T PLACE ANY SPACES IN YOUR LIST!
+#
+# or you can specify the variable to be any IP address
+# like this:
+
+var HOME_NET any
+
+# Set up the external network addresses as well.  A good start may be "any"
+var EXTERNAL_NET any
+
+# Configure your server lists.  This allows snort to only look for attacks to
+# systems that have a service up.  Why look for HTTP attacks if you are not
+# running a web server?  This allows quick filtering based on IP addresses
+# These configurations MUST follow the same configuration scheme as defined
+# above for $HOME_NET.  
+
+# List of DNS servers on your network 
+var DNS_SERVERS $HOME_NET
+
+# List of SMTP servers on your network
+var SMTP_SERVERS $HOME_NET
+
+# List of web servers on your network
+var HTTP_SERVERS $HOME_NET
+
+# List of sql servers on your network 
+var SQL_SERVERS $HOME_NET
+
+# List of telnet servers on your network
+var TELNET_SERVERS $HOME_NET
+
+# List of snmp servers on your network
+var SNMP_SERVERS $HOME_NET
+
+# Configure your service ports.  This allows snort to look for attacks destined
+# to a specific application only on the ports that application runs on.  For
+# example, if you run a web server on port 8081, set your HTTP_PORTS variable
+# like this:
+#
+# var HTTP_PORTS 8081
+#
+# Port lists must either be continuous [eg 80:8080], or a single port [eg 80].
+# We will adding support for a real list of ports in the future.
+
+# Ports you run web servers on
+#
+# Please note:  [80,8080] does not work.
+# If you wish to define multiple HTTP ports,
+# 
+## var HTTP_PORTS 80 
+## include somefile.rules 
+## var HTTP_PORTS 8080
+## include somefile.rules 
+var HTTP_PORTS 80
+
+# Ports you want to look for SHELLCODE on.
+var SHELLCODE_PORTS !80
+
+# Ports you do oracle attacks on
+var ORACLE_PORTS 1521
+
+# other variables
+# 
+# AIM servers.  AOL has a habit of adding new AIM servers, so instead of
+# modifying the signatures when they do, we add them to this list of servers.
+var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
+
+# Path to your rules files (this can be a relative path)
+var RULE_PATH ../rules
+
+# Configure the snort decoder
+# ============================
+#
+# Snort's decoder will alert on lots of things such as header
+# truncation or options of unusual length or infrequently used tcp options
+#
+#
+# Stop generic decode events:
+#
+# config disable_decode_alerts
+#
+# Stop Alerts on experimental TCP options
+#
+# config disable_tcpopt_experimental_alerts
+#
+# Stop Alerts on obsolete TCP options
+#
+# config disable_tcpopt_obsolete_alerts
+#
+# Stop Alerts on T/TCP alerts
+#
+# In snort 2.0.1 and above, this only alerts when a TCP option is detected
+# that shows T/TCP being actively used on the network.  If this is normal
+# behavior for your network, disable the next option.
+#
+# config disable_tcpopt_ttcp_alerts
+#
+# Stop Alerts on all other TCPOption type events:
+#
+# config disable_tcpopt_alerts
+#
+# Stop Alerts on invalid ip options
+#
+# config disable_ipopt_alerts
+
+# Configure the detection engine
+# ===============================
+#
+# Use a different pattern matcher in case you have a machine with very limited
+# resources:
+#
+# config detection: search-method lowmem
+
+###################################################
+# Step #2: Configure preprocessors
+#
+# General configuration for preprocessors is of 
+# the form
+# preprocessor <name_of_processor>: <configuration_options>
+
+# Configure Flow tracking module
+# -------------------------------
+#
+# The Flow tracking module is meant to start unifying the state keeping
+# mechanisms of snort into a single place. Right now, only a portscan detector
+# is implemented but in the long term,  many of the stateful subsystems of
+# snort will be migrated over to becoming flow plugins. This must be enabled
+# for flow-portscan to work correctly.
+#
+# See README.flow for additional information
+#
+preprocessor flow: stats_interval 0 hash 2
+
+# frag2: IP defragmentation support
+# -------------------------------
+# This preprocessor performs IP defragmentation.  This plugin will also detect
+# people launching fragmentation attacks (usually DoS) against hosts.  No
+# arguments loads the default configuration of the preprocessor, which is a 60
+# second timeout and a 4MB fragment buffer. 
+
+# The following (comma delimited) options are available for frag2
+#    timeout [seconds] - sets the number of [seconds] that an unfinished 
+#                        fragment will be kept around waiting for completion,
+#                        if this time expires the fragment will be flushed
+#    memcap [bytes] - limit frag2 memory usage to [number] bytes
+#                      (default:  4194304)
+#
+#    min_ttl [number] - minimum ttl to accept
+# 
+#    ttl_limit [number] - difference of ttl to accept without alerting
+#                         will cause false positves with router flap
+# 
+# Frag2 uses Generator ID 113 and uses the following SIDS 
+# for that GID:
+#  SID     Event description
+# -----   -------------------
+#   1       Oversized fragment (reassembled frag > 64k bytes)
+#   2       Teardrop-type attack
+
+preprocessor frag2
+
+# stream4: stateful inspection/stream reassembly for Snort
+#----------------------------------------------------------------------
+# Use in concert with the -z [all|est] command line switch to defeat stick/snot
+# against TCP rules.  Also performs full TCP stream reassembly, stateful
+# inspection of TCP streams, etc.  Can statefully detect various portscan
+# types, fingerprinting, ECN, etc.
+
+# stateful inspection directive
+# no arguments loads the defaults (timeout 30, memcap 8388608)
+# options (options are comma delimited):
+#   detect_scans - stream4 will detect stealth portscans and generate alerts
+#                  when it sees them when this option is set
+#   detect_state_problems - detect TCP state problems, this tends to be very
+#                           noisy because there are a lot of crappy ip stack
+#                           implementations out there
+#
+#   disable_evasion_alerts - turn off the possibly noisy mitigation of
+#                            overlapping sequences.
+#
+#
+#   min_ttl [number]       - set a minium ttl that snort will accept to
+#                            stream reassembly
+#
+#   ttl_limit [number]     - differential of the initial ttl on a session versus
+#                             the normal that someone may be playing games.
+#                             Routing flap may cause lots of false positives.
+# 
+#   keepstats [machine|binary] - keep session statistics, add "machine" to 
+#                         get them in a flat format for machine reading, add
+#                         "binary" to get them in a unified binary output 
+#                         format
+#   noinspect - turn off stateful inspection only
+#   timeout [number] - set the session timeout counter to [number] seconds,
+#                      default is 30 seconds
+#   memcap [number] - limit stream4 memory usage to [number] bytes
+#   log_flushed_streams - if an event is detected on a stream this option will
+#                         cause all packets that are stored in the stream4
+#                         packet buffers to be flushed to disk.  This only 
+#                         works when logging in pcap mode!
+#
+# Stream4 uses Generator ID 111 and uses the following SIDS 
+# for that GID:
+#  SID     Event description
+# -----   -------------------
+#   1       Stealth activity
+#   2       Evasive RST packet
+#   3       Evasive TCP packet retransmission
+#   4       TCP Window violation
+#   5       Data on SYN packet
+#   6       Stealth scan: full XMAS
+#   7       Stealth scan: SYN-ACK-PSH-URG
+#   8       Stealth scan: FIN scan
+#   9       Stealth scan: NULL scan
+#   10      Stealth scan: NMAP XMAS scan
+#   11      Stealth scan: Vecna scan
+#   12      Stealth scan: NMAP fingerprint scan stateful detect
+#   13      Stealth scan: SYN-FIN scan
+#   14      TCP forward overlap
+
+preprocessor stream4: disable_evasion_alerts
+
+# tcp stream reassembly directive
+# no arguments loads the default configuration 
+#   Only reassemble the client,
+#   Only reassemble the default list of ports (See below),  
+#   Give alerts for "bad" streams
+#
+# Available options (comma delimited):
+#   clientonly - reassemble traffic for the client side of a connection only
+#   serveronly - reassemble traffic for the server side of a connection only
+#   both - reassemble both sides of a session
+#   noalerts - turn off alerts from the stream reassembly stage of stream4
+#   ports [list] - use the space separated list of ports in [list], "all" 
+#                  will turn on reassembly for all ports, "default" will turn
+#                  on reassembly for ports 21, 23, 25, 53, 80, 143, 110, 111
+#                  and 513
+
+preprocessor stream4_reassemble
+
+# http_inspect: normalize and detect HTTP traffic and protocol anomalies
+#
+# lots of options available here. See doc/README.http_inspect.
+# unicode.map should be wherever your snort.conf lives, or given
+# a full path to where snort can find it.
+preprocessor http_inspect: global \
+    iis_unicode_map unicode.map 1252 
+
+preprocessor http_inspect_server: server default \
+    profile all ports { 80 8080 8180 } oversize_dir_length 500
+
+#
+#  Example unqiue server configuration
+#
+#preprocessor http_inspect_server: server 1.1.1.1 \
+#    ports { 80 3128 8080 } \
+#    flow_depth 0 \
+#    ascii no \
+#    double_decode yes \
+#    non_rfc_char { 0x00 } \
+#    chunk_length 500000 \
+#    non_strict \
+#    oversize_dir_length 300 \
+#    no_alerts
+
+
+# rpc_decode: normalize RPC traffic
+# ---------------------------------
+# RPC may be sent in alternate encodings besides the usual 4-byte encoding
+# that is used by default. This plugin takes the port numbers that RPC
+# services are running on as arguments - it is assumed that the given ports
+# are actually running this type of service. If not, change the ports or turn
+# it off.
+# The RPC decode preprocessor uses generator ID 106
+#
+# arguments: space separated list
+# alert_fragments - alert on any rpc fragmented TCP data
+# no_alert_multiple_requests - don't alert when >1 rpc query is in a packet
+# no_alert_large_fragments - don't alert when the fragmented
+#                            sizes exceed the current packet size
+# no_alert_incomplete - don't alert when a single segment
+#                       exceeds the current packet size
+
+preprocessor rpc_decode: 111 32771
+
+# bo: Back Orifice detector
+# -------------------------
+# Detects Back Orifice traffic on the network.  Takes no arguments in 2.0.
+# 
+# The Back Orifice detector uses Generator ID 105 and uses the 
+# following SIDS for that GID:
+#  SID     Event description
+# -----   -------------------
+#   1       Back Orifice traffic detected
+
+preprocessor bo
+
+# telnet_decode: Telnet negotiation string normalizer
+# ---------------------------------------------------
+# This preprocessor "normalizes" telnet negotiation strings from telnet and ftp
+# traffic.  It works in much the same way as the http_decode preprocessor,
+# searching for traffic that breaks up the normal data stream of a protocol and
+# replacing it with a normalized representation of that traffic so that the
+# "content" pattern matching keyword can work without requiring modifications.
+# This preprocessor requires no arguments.
+# Portscan uses Generator ID 109 and does not generate any SID currently.
+
+preprocessor telnet_decode
+
+# Flow-Portscan: detect a variety of portscans
+# ---------------------------------------
+# Note:  The Flow preprocessor (above) must first be enabled for Flow-Portscan to
+# work.
+#
+# This module detects portscans based off of flow creation in the flow
+# preprocessors.  The goal is to catch catch one->many hosts and one->many
+# ports scans.
+#
+# Flow-Portscan has numerous options available, please read
+# README.flow-portscan for help configuring this option. 
+
+# Flow-Portscan uses Generator ID 121 and uses the following SIDS for that GID:
+#  SID     Event description
+# -----   -------------------
+#   1       flow-portscan: Fixed Scale Scanner Limit Exceeded
+#   2       flow-portscan: Sliding Scale Scanner Limit Exceeded 
+#   3       flow-portscan: Fixed Scale Talker Limit Exceeded
+#   4	    flow-portscan: Sliding Scale Talker Limit Exceeded
+
+# preprocessor flow-portscan: \
+#	talker-sliding-scale-factor 0.50 \
+#	talker-fixed-threshold 30 \
+#	talker-sliding-threshold 30 \
+#	talker-sliding-window 20 \
+#	talker-fixed-window 30 \
+#	scoreboard-rows-talker 30000 \
+#	server-watchnet [10.2.0.0/30] \
+#	server-ignore-limit 200 \
+#	server-rows 65535 \
+#	server-learning-time 14400 \
+#	server-scanner-limit 4 \
+#	scanner-sliding-window 20 \
+#	scanner-sliding-scale-factor 0.50 \
+#	scanner-fixed-threshold 15 \
+#	scanner-sliding-threshold 40 \
+#	scanner-fixed-window 15 \
+#	scoreboard-rows-scanner 30000 \
+#	src-ignore-net [192.168.1.1/32,192.168.0.0/24] \
+#	dst-ignore-net [10.0.0.0/30] \
+#	alert-mode once \
+#	output-mode msg \
+#	tcp-penalties on
+
+# arpspoof
+#----------------------------------------
+# Experimental ARP detection code from Jeff Nathan, detects ARP attacks,
+# unicast ARP requests, and specific ARP mapping monitoring.  To make use of
+# this preprocessor you must specify the IP and hardware address of hosts on
+# the same layer 2 segment as you.  Specify one host IP MAC combo per line.
+# Also takes a "-unicast" option to turn on unicast ARP request detection. 
+# Arpspoof uses Generator ID 112 and uses the following SIDS for that GID:
+
+#  SID     Event description
+# -----   -------------------
+#   1       Unicast ARP request
+#   2       Etherframe ARP mismatch (src)
+#   3       Etherframe ARP mismatch (dst)
+#   4       ARP cache overwrite attack
+
+#preprocessor arpspoof
+#preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00
+
+
+# Performance Statistics
+# ----------------------
+# Documentation for this is provided in the Snort Manual.  You should read it.
+# It is included in the release distribution as doc/snort_manual.pdf
+# 
+# preprocessor perfmonitor: time 300 file /var/snort/snort.stats pktcnt 10000
+
+####################################################################
+# Step #3: Configure output plugins
+#
+# Uncomment and configure the output plugins you decide to use.  General
+# configuration for output plugins is of the form:
+#
+# output <name_of_plugin>: <configuration_options>
+#
+# alert_syslog: log alerts to syslog
+# ----------------------------------
+# Use one or more syslog facilities as arguments.  Win32 can also optionally
+# specify a particular hostname/port.  Under Win32, the default hostname is
+# '127.0.0.1', and the default port is 514.
+#
+# [Unix flavours should use this format...]
+# output alert_syslog: LOG_AUTH LOG_ALERT
+#
+# [Win32 can use any of these formats...]
+# output alert_syslog: LOG_AUTH LOG_ALERT
+# output alert_syslog: host=hostname, LOG_AUTH LOG_ALERT
+# output alert_syslog: host=hostname:port, LOG_AUTH LOG_ALERT
+
+# log_tcpdump: log packets in binary tcpdump format
+# -------------------------------------------------
+# The only argument is the output file name.
+#
+# output log_tcpdump: tcpdump.log
+
+# database: log to a variety of databases
+# ---------------------------------------
+# See the README.database file for more information about configuring
+# and using this plugin.
+#
+# output database: log, mysql, user=root password=test dbname=db host=localhost
+# output database: alert, postgresql, user=snort dbname=snort
+# output database: log, odbc, user=snort dbname=snort
+# output database: log, mssql, dbname=snort user=snort password=test
+# output database: log, oracle, dbname=snort user=snort password=test
+
+# unified: Snort unified binary format alerting and logging
+# -------------------------------------------------------------
+# The unified output plugin provides two new formats for logging and generating
+# alerts from Snort, the "unified" format.  The unified format is a straight
+# binary format for logging data out of Snort that is designed to be fast and
+# efficient.  Used with barnyard (the new alert/log processor), most of the
+# overhead for logging and alerting to various slow storage mechanisms such as
+# databases or the network can now be avoided.  
+#
+# Check out the spo_unified.h file for the data formats.
+#
+# Two arguments are supported.
+#    filename - base filename to write to (current time_t is appended)
+#    limit    - maximum size of spool file in MB (default: 128)
+#
+# output alert_unified: filename snort.alert, limit 128
+# output log_unified: filename snort.log, limit 128
+
+# You can optionally define new rule types and associate one or more output
+# plugins specifically to that type.
+#
+# This example will create a type that will log to just tcpdump.
+# ruletype suspicious
+# {
+#   type log
+#   output log_tcpdump: suspicious.log
+# }
+#
+# EXAMPLE RULE FOR SUSPICIOUS RULETYPE:
+# suspicious tcp $HOME_NET any -> $HOME_NET 6667 (msg:"Internal IRC Server";)
+#
+# This example will create a rule type that will log to syslog and a mysql
+# database:
+# ruletype redalert
+# {
+#   type alert
+#   output alert_syslog: LOG_AUTH LOG_ALERT
+#   output database: log, mysql, user=snort dbname=snort host=localhost
+# }
+#
+# EXAMPLE RULE FOR REDALERT RULETYPE:
+# redalert tcp $HOME_NET any -> $EXTERNAL_NET 31337 \
+#   (msg:"Someone is being LEET"; flags:A+;)
+
+#
+# Include classification & priority settings
+#
+
+include classification.config
+
+#
+# Include reference systems
+#
+
+include reference.config
+
+####################################################################
+# Step #4: Customize your rule set
+#
+# Up to date snort rules are available at http://www.snort.org
+#
+# The snort web site has documentation about how to write your own custom snort
+# rules.
+#
+# The rules included with this distribution generate alerts based on on
+# suspicious activity. Depending on your network environment, your security
+# policies, and what you consider to be suspicious, some of these rules may
+# either generate false positives ore may be detecting activity you consider to
+# be acceptable; therefore, you are encouraged to comment out rules that are
+# not applicable in your environment.
+#
+# The following individuals contributed many of rules in this distribution.
+#
+# Credits:
+#   Ron Gula <rgula@securitywizards.com> of Network Security Wizards
+#   Max Vision <vision@whitehats.com>
+#   Martin Markgraf <martin@mail.du.gtn.com>
+#   Fyodor Yarochkin <fygrave@tigerteam.net>
+#   Nick Rogness <nick@rapidnet.com>
+#   Jim Forster <jforster@rapidnet.com>
+#   Scott McIntyre <scott@whoi.edu>
+#   Tom Vandepoel <Tom.Vandepoel@ubizen.com>
+#   Brian Caswell <bmc@snort.org>
+#   Zeno <admin@cgisecurity.com>
+#   Ryan Russell <ryan@securityfocus.com>
+
+
+
+#=========================================
+# Include all relevant rulesets here 
+# 
+# The following rulesets are disabled by default:
+#
+#   web-attacks, backdoor, shellcode, policy, porn, info, icmp-info, virus,
+#   chat, multimedia, and p2p
+#            
+# These rules are either site policy specific or require tuning in order to not
+# generate false positive alerts in most enviornments.
+# 
+# Please read the specific include file for more information and
+# README.alert_order for how rule ordering affects how alerts are triggered.
+#=========================================
+
+include $RULE_PATH/local.rules
+include $RULE_PATH/bad-traffic.rules
+include $RULE_PATH/exploit.rules
+include $RULE_PATH/scan.rules
+include $RULE_PATH/finger.rules
+include $RULE_PATH/ftp.rules
+include $RULE_PATH/telnet.rules
+include $RULE_PATH/rpc.rules
+include $RULE_PATH/rservices.rules
+include $RULE_PATH/dos.rules
+include $RULE_PATH/ddos.rules
+include $RULE_PATH/dns.rules
+include $RULE_PATH/tftp.rules
+
+include $RULE_PATH/web-cgi.rules
+include $RULE_PATH/web-coldfusion.rules
+include $RULE_PATH/web-iis.rules
+include $RULE_PATH/web-frontpage.rules
+include $RULE_PATH/web-misc.rules
+include $RULE_PATH/web-client.rules
+include $RULE_PATH/web-php.rules
+
+include $RULE_PATH/sql.rules
+include $RULE_PATH/x11.rules
+include $RULE_PATH/icmp.rules
+include $RULE_PATH/netbios.rules
+include $RULE_PATH/misc.rules
+include $RULE_PATH/attack-responses.rules
+include $RULE_PATH/oracle.rules
+include $RULE_PATH/mysql.rules
+include $RULE_PATH/snmp.rules
+
+include $RULE_PATH/smtp.rules
+include $RULE_PATH/imap.rules
+include $RULE_PATH/pop2.rules
+include $RULE_PATH/pop3.rules
+
+include $RULE_PATH/nntp.rules
+include $RULE_PATH/other-ids.rules
+# include $RULE_PATH/web-attacks.rules
+# include $RULE_PATH/backdoor.rules
+# include $RULE_PATH/shellcode.rules
+# include $RULE_PATH/policy.rules
+# include $RULE_PATH/porn.rules
+# include $RULE_PATH/info.rules
+# include $RULE_PATH/icmp-info.rules
+ include $RULE_PATH/virus.rules
+# include $RULE_PATH/chat.rules
+# include $RULE_PATH/multimedia.rules
+# include $RULE_PATH/p2p.rules
+include $RULE_PATH/experimental.rules
+
+# Include any thresholding or suppression commands. See threshold.conf in the
+# <snort src>/etc directory for details. Commands don't necessarily need to be
+# contained in this conf, but a separate conf makes it easier to maintain them. 
+# Uncomment if needed.
+# include threshold.conf
diff --git a/scripts/s2b/snort_rules2.2/sql.rules b/scripts/s2b/snort_rules2.2/sql.rules
new file mode 100644
index 0000000000..3e6994e4d4
--- /dev/null
+++ b/scripts/s2b/snort_rules2.2/sql.rules
@@ -0,0 +1,51 @@
+# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
+#    All rights reserved.
+# $Id: sql.rules 91 2004-07-15 08:13:57Z rwinslow $
+#----------
+# SQL RULES
+#----------
+
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB sp_start_job - program execution"; flow:to_server,established; content:"s|00|p|00|_|00|s|00|t|00|a|00|r|00|t|00|_|00|j|00|o|00|b|00|"; depth:32; offset:32; nocase; classtype:attempted-user; sid:676; rev:6;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB sp_password password change"; flow:to_server,established; content:"s|00|p|00|_|00|p|00|a|00|s|00|s|00|w|00|o|00|r|00|d|00|"; nocase; classtype:attempted-user; sid:677; rev:6;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB sp_delete_alert log file deletion"; flow:to_server,established; content:"s|00|p|00|_|00|d|00|e|00|l|00|e|00|t|00|e|00|_|00|a|00|l|00|e|00|"; nocase; classtype:attempted-user; sid:678; rev:6;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB sp_adduser database user creation"; flow:to_server,established; content:"s|00|p|00|_|00|a|00|d|00|d|00|u|00|s|00|e|00|r|00|"; depth:32; offset:32; nocase; classtype:attempted-user; sid:679; rev:6;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB xp_enumresultset possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|e|00|n|00|u|00|m|00|r|00|e|00|s|00|u|00|l|00|t|00|s|00|e|00|t|00|"; offset:32; nocase; reference:bugtraq,2031; reference:cve,2000-1082; classtype:attempted-user; sid:708; rev:8;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB raiserror possible buffer overflow"; flow:to_server,established; content:"r|00|a|00|i|00|s|00|e|00|r|00|r|00|o|00|r|00|"; offset:32; nocase; reference:bugtraq,3733; reference:cve,2001-0542; classtype:attempted-user; sid:1386; rev:8;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB xp_displayparamstmt possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|d|00|i|00|s|00|p|00|l|00|a|00|y|00|p|00|a|00|r|00|a|00|m|00|s|00|t|00|m|00|t|00|"; offset:32; nocase; reference:bugtraq,2030; reference:cve,2000-1081; classtype:attempted-user; sid:702; rev:8;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB xp_setsqlsecurity possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|s|00|e|00|t|00|s|00|q|00|l|00|s|00|e|00|c|00|u|00|r|00|i|00|t|00|y|00|"; offset:32; nocase; reference:bugtraq,2043; classtype:attempted-user; sid:703; rev:7;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB xp_cmdshell program execution"; flow:to_server,established; content:"x|00|p|00|_|00|c|00|m|00|d|00|s|00|h|00|e|00|l|00|l|00|"; offset:32; nocase; classtype:attempted-user; sid:681; rev:6;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB xp_reg* registry access"; flow:to_server,established; content:"x|00|p|00|_|00|r|00|e|00|g|00|"; depth:32; offset:32; nocase; classtype:attempted-user; sid:689; rev:6;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB xp_printstatements possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|p|00|r|00|i|00|n|00|t|00|s|00|t|00|a|00|t|00|e|00|m|00|e|00|n|00|t|00|s|00|"; offset:32; nocase; reference:bugtraq,2041; reference:cve,2000-1086; classtype:attempted-user; sid:690; rev:7;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB shellcode attempt"; flow:to_server,established; content:"9 |D0 00 92 01 C2 00|R|00|U|00|9 |EC 00|"; classtype:shellcode-detect; sid:692; rev:6;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB shellcode attempt"; flow:to_server,established; content:"H|00|%|00|x|00|w|00 90 00 90 00 90 00 90 00 90 00|3|00 C0 00|P|00|h|00|.|00|"; classtype:attempted-user; sid:694; rev:6;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB xp_sprintf possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|s|00|p|00|r|00|i|00|n|00|t|00|f|00|"; offset:32; nocase; reference:bugtraq,1204; classtype:attempted-user; sid:695; rev:7;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB xp_showcolv possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|s|00|h|00|o|00|w|00|c|00|o|00|l|00|v|00|"; offset:32; nocase; reference:bugtraq,2038; classtype:attempted-user; sid:696; rev:7;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB xp_peekqueue possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|p|00|e|00|e|00|k|00|q|00|u|00|e|00|u|00|e|00|"; offset:32; nocase; reference:bugtraq,2040; reference:cve,2000-1085; classtype:attempted-user; sid:697; rev:8;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB xp_proxiedmetadata possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|p|00|r|00|o|00|x|00|i|00|e|00|d|00|m|00|e|00|t|00|a|00|d|00|a|00|t|00|a|00|"; offset:32; nocase; reference:bugtraq,2042; reference:cve,2000-1087; classtype:attempted-user; sid:698; rev:8;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB xp_updatecolvbm possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|u|00|p|00|d|00|a|00|t|00|e|00|c|00|o|00|l|00|v|00|b|00|m|00|"; offset:32; nocase; reference:bugtraq,2039; reference:cve,2000-1084; classtype:attempted-user; sid:700; rev:8;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL sp_start_job - program execution"; flow:to_server,established; content:"s|00|p|00|_|00|s|00|t|00|a|00|r|00|t|00|_|00|j|00|o|00|b|00|"; nocase; classtype:attempted-user; sid:673; rev:5;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_displayparamstmt possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|d|00|i|00|s|00|p|00|l|00|a|00|y|00|p|00|a|00|r|00|a|00|m|00|s|00|t|00|m|00|t"; nocase; reference:bugtraq,2030; reference:cve,2000-1081; classtype:attempted-user; sid:674; rev:6;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_setsqlsecurity possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|s|00|e|00|t|00|s|00|q|00|l|00|s|00|e|00|c|00|u|00|r|00|i|00|t|00|y|00|"; nocase; reference:bugtraq,2043; classtype:attempted-user; sid:675; rev:6;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_enumresultset possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|e|00|n|00|u|00|m|00|r|00|e|00|s|00|u|00|l|00|t|00|s|00|e|00|t|00|"; nocase; classtype:attempted-user; sid:682; rev:6;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL sp_password - password change"; flow:to_server,established; content:"s|00|p|00|_|00|p|00|a|00|s|00|s|00|w|00|o|00|r|00|d|00|"; nocase; classtype:attempted-user; sid:683; rev:5;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL sp_delete_alert log file deletion"; flow:to_server,established; content:"s|00|p|00|_|00|d|00|e|00|l|00|e|00|t|00|e|00|_|00|a|00|l|00|e|00|r|00|t|00|"; nocase; classtype:attempted-user; sid:684; rev:5;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL sp_adduser - database user creation"; flow:to_server,established; content:"s|00|p|00|_|00|a|00|d|00|d|00|u|00|s|00|e|00|r|00|"; nocase; classtype:attempted-user; sid:685; rev:5;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_reg* - registry access"; flow:to_server,established; content:"x|00|p|00|_|00|r|00|e|00|g|00|"; nocase; classtype:attempted-user; sid:686; rev:5;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_cmdshell - program execution"; flow:to_server,established; content:"x|00|p|00|_|00|c|00|m|00|d|00|s|00|h|00|e|00|l|00|l|00|"; nocase; classtype:attempted-user; sid:687; rev:5;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL shellcode attempt"; flow:to_server,established; content:"9 |D0 00 92 01 C2 00|R|00|U|00|9 |EC 00|"; classtype:shellcode-detect; sid:691; rev:5;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL shellcode attempt"; flow:to_server,established; content:"H|00|%|00|x|00|w|00 90 00 90 00 90 00 90 00 90 00|3|00 C0 00|P|00|h|00|.|00|"; classtype:shellcode-detect; sid:693; rev:5;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_printstatements possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|p|00|r|00|i|00|n|00|t|00|s|00|t|00|a|00|t|00|e|00|m|00|e|00|n|00|t|00|s|00|"; nocase; reference:bugtraq,2041; reference:cve,2000-1086; classtype:attempted-user; sid:699; rev:7;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_updatecolvbm possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|u|00|p|00|d|00|a|00|t|00|e|00|c|00|o|00|l|00|v|00|b|00|m|00|"; nocase; reference:bugtraq,2039; reference:cve,2000-1084; classtype:attempted-user; sid:701; rev:7;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_sprintf possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|s|00|p|00|r|00|i|00|n|00|t|00|f|00|"; nocase; reference:bugtraq,1204; classtype:attempted-user; sid:704; rev:6;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_showcolv possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|s|00|h|00|o|00|w|00|c|00|o|00|l|00|v|00|"; nocase; reference:bugtraq,2038; reference:cve,2000-1083; classtype:attempted-user; sid:705; rev:7;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_peekqueue possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|p|00|e|00|e|00|k|00|q|00|u|00|e|00|u|00|e|00|"; nocase; reference:bugtraq,2040; reference:cve,2000-1085; classtype:attempted-user; sid:706; rev:7;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_proxiedmetadata possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|p|00|r|00|o|00|x|00|i|00|e|00|d|00|m|00|e|00|t|00|a|00|d|00|a|00|t|00|a|00|"; nocase; reference:bugtraq,2024; reference:cve,1999-0287; reference:cve,2000-1087; classtype:attempted-user; sid:707; rev:8;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL raiserror possible buffer overflow"; flow:to_server,established; content:"r|00|a|00|i|00|s|00|e|00|r|00|r|00|o|00|r|00|"; nocase; reference:bugtraq,3733; reference:cve,2001-0542; classtype:attempted-user; sid:1387; rev:7;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 445 (msg:"MS-SQL xp_cmdshell program execution 445"; flow:to_server,established; content:"x|00|p|00|_|00|c|00|m|00|d|00|s|00|h|00|e|00|l|00|l|00|"; nocase; classtype:attempted-user; sid:1759; rev:5;)
+alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"MS-SQL sa login failed"; flow:from_server,established; content:"Login failed for user 'sa'"; classtype:unsuccessful-user; sid:688; rev:6;)
+alert tcp $SQL_SERVERS 139 -> $EXTERNAL_NET any (msg:"MS-SQL/SMB sa login failed"; flow:from_server,established; content:"Login failed for user 'sa'"; offset:83; classtype:attempted-user; sid:680; rev:6;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL Worm propagation attempt"; content:"|04|"; depth:1; content:"|81 F1 03 01 04 9B 81 F1 01|"; content:"sock"; content:"send"; reference:bugtraq,5310; reference:bugtraq,5311; reference:cve,2002-0649; reference:url,vil.nai.com/vil/content/v_99992.htm; classtype:misc-attack; sid:2003; rev:6;)
+alert udp $HOME_NET any -> $EXTERNAL_NET 1434 (msg:"MS-SQL Worm propagation attempt OUTBOUND"; content:"|04|"; depth:1; content:"|81 F1 03 01 04 9B 81 F1|"; content:"sock"; content:"send"; reference:bugtraq,5310; reference:bugtraq,5311; reference:cve,2002-0649; reference:url,vil.nai.com/vil/content/v_99992.htm; classtype:misc-attack; sid:2004; rev:5;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL ping attempt"; content:"|02|"; depth:1; reference:nessus,10674; classtype:misc-activity; sid:2049; rev:2;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL version overflow attempt"; dsize:>100; content:"|04|"; depth:1; reference:bugtraq,5310; reference:cve,2002-0649; reference:nessus,10674; classtype:misc-activity; sid:2050; rev:5;)
+alert udp $EXTERNAL_NET any -> $SQL_SERVERS any (msg:"MS-SQL probe response overflow attempt"; content:"|05|"; depth:1; byte_test:2,>,512,1; content:"|3B|"; distance:0; isdataat:512,relative; content:!"|3B|"; within:512; reference:bugtraq,9407; reference:cve,2003-0903; reference:url,www.microsoft.com/technet/security/bulletin/MS04-003.mspx; classtype:attempted-user; sid:2329; rev:6;)
diff --git a/scripts/s2b/snort_rules2.2/telnet.rules b/scripts/s2b/snort_rules2.2/telnet.rules
new file mode 100644
index 0000000000..a07b395e3b
--- /dev/null
+++ b/scripts/s2b/snort_rules2.2/telnet.rules
@@ -0,0 +1,27 @@
+# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
+#    All rights reserved.
+# $Id: telnet.rules 91 2004-07-15 08:13:57Z rwinslow $
+#-------------
+# TELNET RULES
+#-------------
+#
+# These signatures are based on various telnet exploits and unpassword
+# protected accounts.
+#
+
+
+alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"TELNET Solaris memory mismanagement exploit attempt"; flow:to_server,established; content:"|A0 23 A0 10 AE 23 80 10 EE 23 BF EC 82 05 E0 D6 90|%|E0|"; classtype:shellcode-detect; sid:1430; rev:7;)
+alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"TELNET SGI telnetd format bug"; flow:to_server,established; content:"_RLD"; content:"bin/sh"; reference:arachnids,304; classtype:attempted-admin; sid:711; rev:5;)
+alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"TELNET ld_library_path"; flow:to_server,established; content:"ld_library_path"; reference:arachnids,367; reference:bugtraq,459; reference:cve,1999-0073; classtype:attempted-admin; sid:712; rev:8;)
+alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"TELNET livingston DOS"; flow:to_server,established; content:"|FF F3 FF F3 FF F3 FF F3 FF F3|"; rawbytes; reference:arachnids,370; classtype:attempted-dos; sid:713; rev:7;)
+alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"TELNET resolv_host_conf"; flow:to_server,established; content:"resolv_host_conf"; reference:arachnids,369; classtype:attempted-admin; sid:714; rev:4;)
+alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"TELNET Attempted SU from wrong group"; flow:from_server,established; content:"to su root"; nocase; classtype:attempted-admin; sid:715; rev:6;)
+alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"TELNET not on console"; flow:from_server,established; content:"not on system console"; nocase; reference:arachnids,365; classtype:bad-unknown; sid:717; rev:6;)
+alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"TELNET login incorrect"; flow:from_server,established; content:"Login incorrect"; reference:arachnids,127; classtype:bad-unknown; sid:718; rev:7;)
+alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"TELNET root login"; flow:from_server,established; content:"login|3A| root"; classtype:suspicious-login; sid:719; rev:7;)
+alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"TELNET bsd telnet exploit response"; flow:from_server,established; content:"|0D 0A|[Yes]|0D 0A FF FE 08 FF FD|&"; rawbytes; reference:bugtraq,3064; reference:cve,2001-0554; classtype:attempted-admin; sid:1252; rev:13;)
+alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"TELNET bsd exploit client finishing"; dsize:>200; flow:to_client,established; content:"|FF F6 FF F6 FF FB 08 FF F6|"; depth:50; offset:200; rawbytes; reference:bugtraq,3064; reference:cve,2001-0554; classtype:successful-admin; sid:1253; rev:11;)
+alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"TELNET 4Dgifts SGI account attempt"; flow:to_server,established; content:"4Dgifts"; reference:cve,1999-0501; classtype:suspicious-login; sid:709; rev:7;)
+alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"TELNET EZsetup account attempt"; flow:to_server,established; content:"OutOfBox"; reference:cve,1999-0501; classtype:suspicious-login; sid:710; rev:7;)
+alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"TELNET APC SmartSlot default admin account attempt"; flow:to_server,established; content:"TENmanUFactOryPOWER"; reference:bugtraq,9681; classtype:suspicious-login; sid:2406; rev:1;)
+alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"TELNET access"; flow:from_server,established; content:"|FF FD|"; rawbytes; content:"|FF FD|"; distance:0; rawbytes; content:"|FF FD|"; distance:0; rawbytes; reference:arachnids,08; reference:cve,1999-0619; classtype:not-suspicious; sid:716; rev:10;)
diff --git a/scripts/s2b/snort_rules2.2/tftp.rules b/scripts/s2b/snort_rules2.2/tftp.rules
new file mode 100644
index 0000000000..63d86fa8f3
--- /dev/null
+++ b/scripts/s2b/snort_rules2.2/tftp.rules
@@ -0,0 +1,24 @@
+# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
+#    All rights reserved.
+# $Id: tftp.rules 91 2004-07-15 08:13:57Z rwinslow $
+#-----------
+# TFTP RULES
+#-----------
+#
+# These signatures are based on TFTP traffic.  These include malicious files
+# that are distributed via TFTP.
+#
+# The last two signatures refer to generic GET and PUT via TFTP, which is
+# generally frowned upon on most networks, but may be used in some enviornments
+
+alert udp any any -> any 69 (msg:"TFTP GET filename overflow attempt"; content:"|00 01|"; depth:2; content:!"|00|"; within:100; reference:bugtraq,5328; reference:cve,2002-0813; classtype:attempted-admin; sid:1941; rev:8;)
+alert udp any any -> any 69 (msg:"TFTP PUT filename overflow attempt"; content:"|00 02|"; depth:2; content:!"|00|"; within:100; reference:bugtraq,7819; reference:bugtraq,8505; reference:cve,2003-0380; classtype:attempted-admin; sid:2337; rev:7;)
+alert udp any any -> any 69 (msg:"TFTP GET Admin.dll"; content:"|00 01|"; depth:2; content:"admin.dll"; offset:2; nocase; reference:url,www.cert.org/advisories/CA-2001-26.html; classtype:successful-admin; sid:1289; rev:4;)
+alert udp any any -> any 69 (msg:"TFTP GET nc.exe"; content:"|00 01|"; depth:2; content:"nc.exe"; offset:2; nocase; classtype:successful-admin; sid:1441; rev:4;)
+alert udp any any -> any 69 (msg:"TFTP GET shadow"; content:"|00 01|"; depth:2; content:"shadow"; offset:2; nocase; classtype:successful-admin; sid:1442; rev:4;)
+alert udp any any -> any 69 (msg:"TFTP GET passwd"; content:"|00 01|"; depth:2; content:"passwd"; offset:2; nocase; classtype:successful-admin; sid:1443; rev:4;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"TFTP parent directory"; content:".."; offset:2; reference:arachnids,137; reference:cve,1999-0183; reference:cve,2002-1209; classtype:bad-unknown; sid:519; rev:6;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"TFTP root directory"; content:"|00 01|/"; depth:3; reference:arachnids,138; reference:cve,1999-0183; classtype:bad-unknown; sid:520; rev:5;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"TFTP Put"; content:"|00 02|"; depth:2; reference:arachnids,148; reference:cve,1999-0183; classtype:bad-unknown; sid:518; rev:6;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"TFTP Get"; content:"|00 01|"; depth:2; classtype:bad-unknown; sid:1444; rev:3;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"TFTP NULL command attempt"; content:"|00 00|"; depth:2; reference:bugtraq,7575; classtype:bad-unknown; sid:2339; rev:2;)
diff --git a/scripts/s2b/snort_rules2.2/threshold.conf b/scripts/s2b/snort_rules2.2/threshold.conf
new file mode 100644
index 0000000000..8799b80d42
--- /dev/null
+++ b/scripts/s2b/snort_rules2.2/threshold.conf
@@ -0,0 +1,61 @@
+# Configure Thresholding and Suppression
+# ======================================
+#
+# Thresholding:
+#
+# This feature is used to reduce the number of logged alerts for noisy rules.
+# This can be tuned to significantly reduce false alarms, and it can also be
+# used to write a newer breed of rules. Thresholding commands limit the number
+# of times a particular event is logged during a specified time interval.
+# There are 3 types of thresholding:
+#
+#        1) Limit
+#           Alert on the 1st M events during the time interval, then ignore
+#           events
+#           for the rest of the time interval.
+#        2) Threshold
+#           Alert every M times we see this event during the time interval.
+#        3) Both
+#           Alert once per time interval after seeing M occurrences of the
+#           event,
+#           then ignore any additional events during the time interval.
+#
+# Threshold commands are formatted as:
+# threshold gen_id gen-id, sig_id sig-id, type limit|threshold|both, track
+# by_src|by_dst, count n , seconds m
+#
+# Limit to logging 1 event per 60 seconds
+# threshold gen_id 1, sig_id 1851, type limit, track by_src, count 1, seconds
+# 60
+
+# Global Threshold - Limit to logging 1 event per 60 seconds per IP triggering
+# each rule (rules are gen_id 1).
+# threshold gen_id 1, sig_id 0, type limit, track by_src, count 1, seconds 60
+
+# Global Threshold - Limit to logging 1 event per 60 seconds per IP triggering
+# any alert for any event generator
+# threshold gen_id 0, sig_id 0, type limit, track by_src, count 1, seconds 60
+#
+# Thresholding does not need to be a stand-alone command, and can instead be
+# written directly into a rule. Please see README.thresholding for more
+# information on thresholding.
+#
+# Suppression:
+#
+# Suppression commands are standalone commands that reference generators and
+# sids and IP addresses via a CIDR block. This allows a rule to be completely
+# suppressed, or suppressed when the causitive traffic is going to or comming
+# from a specific IP or group of IP addresses.
+#
+#  Suppress this event completely
+#
+# suppress gen_id 1, sig_id 1852
+#
+#  Suppress this event from this IP
+#
+# suppress gen_id 1, sig_id 1852, track by_src, ip 10.1.1.54
+#
+#  Suppress this event to this CIDR block
+#
+# suppress gen_id 1, sig_id 1852, track by_dst, ip 10.1.1.0/24
+
diff --git a/scripts/s2b/snort_rules2.2/unicode.map b/scripts/s2b/snort_rules2.2/unicode.map
new file mode 100644
index 0000000000..99eaba72c2
--- /dev/null
+++ b/scripts/s2b/snort_rules2.2/unicode.map
@@ -0,0 +1,104 @@
+# Windows Version: 5.00.2195
+# OEM codepage: 437
+# ACP codepage: 1252
+
+# INSTALLED CODEPAGES
+10000 (MAC - Roman)
+
+
+10079 (MAC - Icelandic)
+
+
+1250  (ANSI - Central Europe)
+00a1:21 00a2:63 00a3:4c 00a5:59 00aa:61 00b2:32 00b3:33 00b9:31 00ba:6f 00bc:31 00bd:31 00be:33 00c0:41 00c3:41 00c5:41 00c6:41 00c8:45 00ca:45 00cc:49 00cf:49 00d1:4e 00d2:4f 00d5:4f 00d8:4f 00d9:55 00db:55 00e0:61 00e3:61 00e5:61 00e6:61 00e8:65 00ea:65 00ec:69 00ef:69 00f1:6e 00f2:6f 00f5:6f 00f8:6f 00f9:75 00fb:75 00ff:79 0100:41 0101:61 0108:43 0109:63 010a:43 010b:63 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 013b:4c 013c:6c 0145:4e 0146:6e 014c:4f 014d:6f 014e:4f 014f:6f 0152:4f 0153:6f 0156:52 0157:72 015c:53 015d:73 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0180:62 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c0:7c 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:60 02cd:5f 02dc:7e 0300:60 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 037e:3b 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2032:27 2035:60 203c:21 2044:2f 2074:34 2075:35 2076:36 2077:37 2078:38 2080:30 2081:31 2082:32 2083:33 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:50 2119:50 211a:51 211b:52 211c:52 211d:52 2124:5a 2128:5a 212a:4b 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2191:5e 2194:2d 2195:7c 21a8:7c 2212:2d 2215:2f 2216:5c 2217:2a 221f:4c 2223:7c 2236:3a 223c:7e 2303:5e 2329:3c 232a:3e 2502:2d 250c:2d 2514:4c 2518:2d 251c:2b 2524:2b 252c:54 2534:2b 253c:2b 2550:3d 2554:2d 255a:4c 255d:2d 2566:54 256c:2b 2580:2d 2584:2d 2588:2d 2591:2d 2592:2d 2593:2d 25ac:2d 25b2:5e 25ba:3e 25c4:3c 25cb:30 25d9:30 263c:30 2640:2b 2642:3e 266a:64 266b:64 2758:7c 3000:20 3008:3c 3009:3e 301a:5b 301b:5d ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e 
+
+1251  (ANSI - Cyrillic)
+00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 203c:21 2190:3c 2191:5e 2192:3e 2193:76 2194:2d 221a:76 221f:4c 2500:2d 250c:2d 2514:4c 2518:2d 251c:2b 2524:2b 252c:54 2534:2b 253c:2b 2550:3d 2552:2d 2558:4c 2559:4c 255a:4c 255b:2d 255c:2d 255d:2d 2564:54 2565:54 2566:54 256a:2b 256b:2b 256c:2b 2580:2d 2584:2d 2588:2d 2591:2d 2592:2d 2593:2d 25ac:2d 25b2:5e 25ba:3e 25c4:3c 25cb:30 25d9:30 263a:4f 263b:4f 263c:30 2640:2b 2642:3e 266a:64 266b:64 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e 
+
+1252  (ANSI - Latin I)
+0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0179:5a 017b:5a 017c:7a 0180:62 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c0:7c 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c8:27 02cb:60 02cd:5f 0300:60 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 037e:3b 0393:47 0398:54 03a3:53 03a6:46 03a9:4f 03b1:61 03b4:64 03b5:65 03c0:70 03c3:73 03c4:74 03c6:66 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2017:3d 2032:27 2035:60 2044:2f 2074:34 2075:35 2076:36 2077:37 2078:38 207f:6e 2080:30 2081:31 2082:32 2083:33 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 20a7:50 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:50 2119:50 211a:51 211b:52 211c:52 211d:52 2124:5a 2128:5a 212a:4b 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2212:2d 2215:2f 2216:5c 2217:2a 221a:76 221e:38 2223:7c 2229:6e 2236:3a 223c:7e 2261:3d 2264:3d 2265:3d 2303:5e 2320:28 2321:29 2329:3c 232a:3e 2500:2d 250c:2b 2510:2b 2514:2b 2518:2b 251c:2b 252c:2d 2534:2d 253c:2b 2550:2d 2552:2b 2553:2b 2554:2b 2555:2b 2556:2b 2557:2b 2558:2b 2559:2b 255a:2b 255b:2b 255c:2b 255d:2b 2564:2d 2565:2d 2566:2d 2567:2d 2568:2d 2569:2d 256a:2b 256b:2b 256c:2b 2584:5f 2758:7c 3000:20 3008:3c 3009:3e 301a:5b 301b:5d ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e 
+
+1253  (ANSI - Greek)
+00b4:2f 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 037e:3b 203c:21 2190:3c 2191:5e 2192:3e 2193:76 2194:2d 221f:4c 2500:2d 250c:2d 2514:4c 2518:2d 251c:2b 2524:2b 252c:54 2534:2b 253c:2b 2550:3d 2554:2d 255a:4c 255d:2d 2566:54 256c:2b 2580:2d 2584:2d 2588:2d 2591:2d 2592:2d 2593:2d 25ac:2d 25b2:5e 25ba:3e 25c4:3c 25cb:30 25d9:30 263a:4f 263b:4f 263c:30 2640:2b 2642:3e 266a:64 266b:64 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e 
+
+1254  (ANSI - Turkish)
+00dd:59 00fd:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c0:7c 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c7:5e 02c8:27 02cb:60 02cd:5f 02d8:5e 02d9:27 0300:60 0302:5e 0331:5f 0332:5f 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2032:27 2035:60 203c:21 2044:2f 2074:34 2075:35 2076:36 2077:37 2078:38 2081:30 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:50 2119:50 211a:51 211b:52 211c:52 211d:52 2124:5a 2128:5a 212a:4b 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2191:5e 2193:76 2194:2d 2195:7c 21a8:7c 2212:2d 2215:2f 2216:5c 2217:2a 221f:4c 2223:7c 2236:3a 223c:7e 2303:5e 2329:3c 232a:3e 2502:2d 250c:2d 2514:4c 2518:2d 251c:2b 2524:2b 252c:54 2534:2b 253c:2b 2550:3d 2554:2d 255a:4c 255d:2d 2566:54 256c:2b 2580:2d 2584:2d 2588:2d 2591:2d 2592:2d 2593:2d 25ac:2d 25b2:5e 25ba:3e 25c4:3c 25cb:30 25d9:30 263a:4f 263b:4f 263c:30 2640:2b 2642:3e 266a:64 266b:64 2758:7c 3000:20 3008:3c 3009:3e 301a:5b 301b:3d 301d:22 301e:22 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e 
+
+1255  (ANSI - Hebrew)
+0191:46 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e 
+
+1256  (ANSI - Arabic)
+00c0:41 00c2:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00ce:49 00cf:49 00d4:4f 00d9:55 00db:55 00dc:55 0191:46 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e 
+
+1257  (ANSI - Baltic)
+ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e 
+
+1258  (ANSI/OEM - Viet Nam)
+ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e 
+
+#INVALID CODEPAGE: 1361
+20127 (US-ASCII)
+00a0:20 00a1:21 00a2:63 00a4:24 00a5:59 00a6:7c 00a9:43 00aa:61 00ab:3c 00ad:2d 00ae:52 00b2:32 00b3:33 00b7:2e 00b8:2c 00b9:31 00ba:6f 00bb:3e 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c6:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d0:44 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e6:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:60 02cd:5f 02dc:7e 0300:60 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:2c 201c:22 201d:22 201e:22 2022:2e 2026:2e 2032:27 2035:60 2039:3c 203a:3e 2122:54 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e 
+
+20261 (T.61)
+f8dd:5c f8de:5e f8df:60 f8e0:7b f8fc:7d f8fd:7e f8fe:7f 
+
+20866 (Russian - KOI8)
+00a7:15 00ab:3c 00ad:2d 00ae:52 00b1:2b 00b6:14 00bb:3e 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 2013:2d 2014:2d 2018:27 2019:27 201a:27 201c:22 201d:22 201e:22 2022:07 2026:3a 2030:25 2039:3c 203a:3e 203c:13 2122:54 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 221f:1c 2302:7f 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e 
+
+28591 (ISO 8859-1 Latin I)
+0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:60 02cd:5f 02dc:7e 0300:60 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:2c 201c:22 201d:22 201e:22 2022:2e 2026:2e 2032:27 2035:60 2039:3c 203a:3e 2122:54 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e 
+
+28592 (ISO 8859-2 Central Europe)
+00a1:21 00a2:63 00a5:59 00a6:7c 00a9:43 00aa:61 00ab:3c 00ae:52 00b2:32 00b3:33 00b7:2e 00b9:31 00ba:6f 00bb:3e 00c0:41 00c3:41 00c5:41 00c6:41 00c8:45 00ca:45 00cc:49 00cf:49 00d0:44 00d1:4e 00d2:4f 00d5:4f 00d8:4f 00d9:55 00db:55 00e0:61 00e3:61 00e5:61 00e6:61 00e8:65 00ea:65 00ec:69 00ef:69 00f1:6e 00f2:6f 00f5:6f 00f8:6f 00f9:75 00fb:75 00ff:79 0100:41 0101:61 0108:43 0109:63 010a:43 010b:63 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 013b:4c 013c:6c 0145:4e 0146:6e 014c:4f 014d:6f 014e:4f 014f:6f 0152:4f 0153:6f 0156:52 0157:72 015c:53 015d:73 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0180:62 0189:44 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:60 02cd:5f 02dc:7e 0300:60 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:2c 201c:22 201d:22 201e:22 2022:2e 2026:2e 2032:27 2035:60 2039:3c 203a:3e 2122:54 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e 
+
+#INVALID CODEPAGE: 28595
+#INVALID CODEPAGE: 28597
+28605 (ISO 8859-15 Latin 9)
+00a6:7c 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0138:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014a:4e 014b:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:54 0169:74 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0179:5a 017b:5a 017c:7a 0180:62 0189:44 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:60 02cd:5f 02dc:7e 0300:60 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:2c 201c:22 201d:22 201e:22 2022:2e 2026:2e 2032:27 2035:60 2039:3c 203a:3e 2122:54 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e 
+
+37    (IBM EBCDIC - U.S./Canada)
+0004:37 0005:2d 0006:2e 0007:2f 0008:16 0009:05 000a:25 0014:3c 0015:3d 0016:32 0017:26 001a:3f 001b:27 0020:40 0021:5a 0022:7f 0023:7b 0024:5b 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 0040:7c 005f:6d 0060:79 007c:4f 007f:07 0080:20 0081:21 0082:22 0083:23 0084:24 0085:15 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 0097:08 0098:38 0099:39 009a:3a 009b:3b 009c:04 009d:14 009e:3e 00a0:41 00a2:4a 00a6:6a 00ac:5f 00c0:64 00c1:65 00c2:62 00c3:66 00c4:63 00c5:67 00c7:68 00c8:74 00c9:71 00ca:72 00cb:73 00cc:78 00cd:75 00ce:76 00cf:77 00d1:69 00df:59 00e0:44 00e1:45 00e2:42 00e3:46 00e4:43 00e5:47 00e7:48 00e8:54 00e9:51 00ea:52 00eb:53 00ec:58 00ed:55 00ee:56 00ef:57 00f1:49 00f8:70 ff01:5a ff02:7f ff03:7b ff04:5b ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d ff0a:5c ff0b:4e ff0c:6b ff0d:60 ff0e:4b ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff20:7c ff3f:6d ff40:79 ff5c:4f 
+
+437   (OEM - United States)
+00a4:0f 00a7:15 00a8:22 00a9:63 00ad:2d 00ae:72 00af:5f 00b3:33 00b4:27 00b6:14 00b8:2c 00b9:31 00be:5f 00c0:41 00c1:41 00c2:41 00c3:41 00c8:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d0:44 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d7:78 00d8:4f 00d9:55 00da:55 00db:55 00dd:59 00de:5f 00e3:61 00f0:64 00f5:6f 00f8:6f 00fd:79 00fe:5f 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c0:7c 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02ca:27 02cb:60 02cd:5f 02dc:7e 0300:60 0301:27 0302:5e 0303:7e 0308:22 030e:22 0327:2c 0331:5f 0332:5f 037e:3b 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2017:5f 2018:60 2019:27 201a:2c 201c:22 201d:22 201e:2c 2020:2b 2022:07 2026:2e 2030:25 2032:27 2035:60 2039:3c 203a:3e 203c:13 2044:2f 2074:34 2075:35 2076:36 2077:37 2078:38 2080:30 2081:31 2082:32 2083:33 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 20dd:09 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:50 2119:50 211a:51 211b:52 211c:52 211d:52 2122:54 2124:5a 2128:5a 212a:4b 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 2212:2d 2215:2f 2216:5c 2217:2a 221f:1c 2223:7c 2236:3a 223c:7e 2302:7f 2303:5e 2329:3c 232a:3e 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e 2758:7c 3000:20 3007:09 3008:3c 3009:3e 301a:5b 301b:5d ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e 
+
+500   (IBM EBCDIC - International)
+0004:37 0005:2d 0006:2e 0007:2f 0008:16 0009:05 000a:25 0014:3c 0015:3d 0016:32 0017:26 001a:3f 001b:27 0020:40 0021:4f 0022:7f 0023:7b 0024:5b 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 0040:7c 005b:4a 005d:5a 005e:5f 005f:6d 0060:79 007f:07 0080:20 0081:21 0082:22 0083:23 0084:24 0085:15 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 0097:08 0098:38 0099:39 009a:3a 009b:3b 009c:04 009d:14 009e:3e 00a0:41 00a6:6a 00c0:64 00c1:65 00c2:62 00c3:66 00c4:63 00c5:67 00c7:68 00c8:74 00c9:71 00ca:72 00cb:73 00cc:78 00cd:75 00ce:76 00cf:77 00d1:69 00df:59 00e0:44 00e1:45 00e2:42 00e3:46 00e4:43 00e5:47 00e7:48 00e8:54 00e9:51 00ea:52 00eb:53 00ec:58 00ed:55 00ee:56 00ef:57 00f1:49 00f8:70 ff01:4f ff02:7f ff03:7b ff04:5b ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d ff0a:5c ff0b:4e ff0c:6b ff0d:60 ff0e:4b ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff20:7c ff3b:4a ff3d:5a ff3e:5f ff3f:6d ff40:79 
+
+850   (OEM - Multilingual Latin I)
+0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01a9:53 01ab:74 01ae:54 01af:55 01b0:75 01b6:5a 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:27 02cd:5f 02dc:7e 0300:27 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 037e:3b 0393:47 03a3:53 03a6:46 03a9:4f 03b1:61 03b4:64 03b5:65 03c0:70 03c3:73 03c4:74 03c6:66 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:27 201c:22 201d:22 201e:22 2022:07 2024:07 2026:2e 2030:25 2039:3c 203a:3e 203c:13 2044:2f 2070:30 2074:34 2075:35 2076:36 2077:37 2078:39 207f:6e 2080:30 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 20a7:50 20dd:4f 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:50 2119:50 211a:51 211b:52 211c:52 211d:52 2122:54 2124:5a 2126:4f 2128:5a 212a:4b 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 2211:53 2212:2d 2215:2f 2216:2f 2217:2a 2219:07 221a:56 221e:38 221f:1c 2229:6e 2236:3a 223c:7e 2248:7e 2261:3d 2264:3d 2265:3d 2302:7f 2303:5e 2320:28 2321:29 2329:3c 232a:3e 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e 2713:56 3000:20 3007:4f 3008:3c 3009:3e 301a:5b 301b:5d ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e 
+
+860   (OEM - Portuguese)
+00a4:0f 00a5:59 00a7:15 00a8:22 00a9:63 00ad:5f 00ae:72 00af:16 00b3:33 00b4:2f 00b6:14 00b8:2c 00b9:31 00be:33 00c4:41 00c5:41 00c6:41 00cb:45 00ce:49 00cf:49 00d0:44 00d6:4f 00d7:58 00d8:4f 00db:55 00dd:59 00de:54 00e4:61 00e5:61 00e6:61 00eb:65 00ee:69 00ef:69 00f0:64 00f6:6f 00f8:6f 00fb:75 00fd:79 00fe:74 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:5c 0161:7c 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c0:7c 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 0278:66 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02c9:16 02ca:2f 02cb:60 02cd:5f 02dc:7e 0300:60 0301:2f 0302:5e 0303:7e 0304:16 0305:16 0308:22 030e:22 0327:2c 0331:5f 0332:5f 037e:3b 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:5f 2011:5f 2013:5f 2014:5f 2017:5f 2018:27 2019:27 201a:2c 201c:22 201d:22 201e:22 2022:07 2024:07 2026:2e 2030:25 2032:27 2035:60 2039:3c 203a:3e 203c:13 2044:2f 2070:30 2074:34 2075:35 2076:36 2077:37 2078:38 2080:30 2081:31 2083:33 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 20dd:4f 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:70 2119:50 211a:51 211b:52 211c:52 211d:52 2122:74 2124:5a 2128:5a 212a:4b 212b:41 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 2205:4f 2212:5f 2215:2f 2216:5c 2217:2a 221f:1c 2223:7c 2236:3a 223c:7e 22c5:07 2302:7f 2303:5e 2329:3c 232a:3e 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e 3000:20 3007:4f 3008:3c 3009:3e 301a:5b 301b:5d 30fb:07 
+
+861   (OEM - Icelandic)
+00a2:63 00a4:0f 00a5:59 00a7:15 00a8:22 00a9:63 00aa:61 00ad:5f 00ae:72 00af:16 00b3:33 00b4:2f 00b6:14 00b8:2c 00b9:31 00ba:6f 00be:33 00c0:41 00c2:41 00c3:41 00c8:45 00ca:45 00cb:45 00cc:49 00ce:49 00cf:49 00d1:4e 00d2:4f 00d4:4f 00d5:4f 00d7:58 00d9:55 00db:55 00e3:61 00ec:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f5:6f 00f9:75 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 0278:66 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02c9:16 02ca:2f 02cb:60 02cd:5f 02dc:7e 0300:60 0301:2f 0302:5e 0303:7e 0304:16 0305:16 0308:22 030e:22 0327:2c 0331:5f 0332:5f 037e:3b 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2017:5f 2018:27 2019:27 201a:27 201c:22 201d:22 201e:22 2022:07 2024:07 2026:07 2030:25 2032:27 2035:27 2039:3c 203a:3e 203c:13 2044:2f 2070:30 2074:34 2075:35 2076:36 2077:37 2078:38 2080:30 2081:31 2083:33 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 20dd:4f 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:70 2119:50 211a:51 211b:52 211c:52 211d:52 2122:74 2124:5a 2128:5a 212a:4b 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 2205:4f 2212:5f 2215:2f 2216:5c 2217:2a 221f:1c 2223:7c 2236:3a 223c:7e 22c5:07 2302:7f 2303:5e 2329:3c 232a:3e 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e 3000:20 3007:4f 3008:3c 3009:3e 301a:5b 301b:5d 30fb:07 
+
+863   (OEM - Canadian French)
+00a1:21 00a5:59 00a9:63 00aa:61 00ad:16 00ae:72 00b9:33 00ba:6f 00c1:41 00c3:41 00c4:41 00c5:41 00c6:41 00cc:49 00cd:49 00d0:44 00d1:4e 00d2:4f 00d3:4f 00d5:4f 00d6:4f 00d7:58 00d8:4f 00da:55 00dd:59 00de:54 00e1:61 00e3:61 00e4:61 00e5:61 00e6:61 00ec:69 00ed:69 00f0:64 00f1:6e 00f2:6f 00f5:6f 00f6:6f 00f8:6f 00fd:79 00fe:74 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:22 02ba:27 02bc:27 02c4:5e 02c6:5e 02c8:27 02c9:16 02cb:60 02cd:5f 02dc:7e 0300:60 0302:5e 0303:7e 0304:16 0305:16 0331:5f 0332:5f 037e:3b 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:27 201c:22 201d:22 201e:22 2022:07 2024:07 2026:07 2030:25 2032:27 2035:27 2039:3c 203a:3e 203c:13 2044:2f 2070:30 2074:34 2075:35 2076:36 2077:37 2078:38 2080:30 2081:31 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 20a7:50 20dd:4f 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:70 2119:50 211a:51 211b:52 211c:52 211d:52 2122:74 2124:5a 2128:5a 212a:4b 212b:41 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 2205:4f 2212:5f 2215:2f 2216:5c 2217:2a 221f:1c 2223:7c 2236:3a 223c:7e 22c5:07 2302:7f 2303:5e 2329:3c 232a:3e 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e 3000:20 3007:4f 3008:3c 3009:3e 301a:5b 301b:5d 30fb:07 
+
+865   (OEM - Nordic)
+00a2:63 00a5:59 00a7:15 00a8:22 00a9:63 00ad:5f 00ae:72 00af:16 00b3:33 00b4:2f 00b6:14 00b8:2c 00b9:31 00bb:3e 00be:33 00c0:41 00c1:41 00c2:41 00c3:41 00c8:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d0:44 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d7:58 00d9:55 00da:55 00db:55 00dd:59 00de:54 00e3:61 00f0:64 00f5:6f 00fd:79 00fe:74 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02c9:16 02ca:2f 02cb:60 02cd:5f 02dc:7e 0300:60 0301:2f 0302:5e 0303:7e 0304:16 0305:16 0308:22 030e:22 0327:2c 0331:5f 0332:5f 037e:3b 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2017:5f 2018:27 2019:27 201a:27 201c:22 201d:22 201e:22 2022:07 2024:07 2026:07 2030:25 2032:27 2035:27 2039:3c 203a:3e 203c:13 2044:2f 2070:30 2074:34 2075:35 2076:36 2077:37 2078:38 2080:30 2081:31 2083:33 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 20dd:4f 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:70 2119:50 211a:51 211b:52 211c:52 211d:52 2122:74 2124:5a 2128:5a 212a:4b 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 2205:4f 2212:5f 2215:2f 2216:5c 2217:2a 221f:1c 2223:7c 2236:3a 223c:7e 226b:3c 22c5:07 2302:7f 2303:5e 2329:3c 232a:3e 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e 3000:20 3007:4f 3008:3c 3009:3e 300b:3e 301a:5b 301b:5d 30fb:07 
+
+874   (ANSI/OEM - Thai)
+00a7:15 00b6:14 203c:13 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 221f:1c 2302:7f 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e 
+
+932   (ANSI/OEM - Japanese Shift-JIS)
+00a1:21 00a5:5c 00a6:7c 00a9:63 00aa:61 00ad:2d 00ae:52 00b2:32 00b3:33 00b9:31 00ba:6f 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c6:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d0:44 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00de:54 00df:73 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e6:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f0:64 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00fe:74 00ff:79 
+
+936   (ANSI/OEM - Simplified Chinese GBK)
+00a6:7c 00aa:61 00ad:2d 00b2:32 00b3:33 00b9:31 00ba:6f 00d0:44 00dd:59 00de:54 00e2:61 00f0:65 00fd:79 00fe:74 
+
+949   (ANSI/OEM - Korean)
+00a6:7c 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00ff:79 20a9:5c 
+
+950   (ANSI/OEM - Traditional Chinese Big5)
+00a1:21 00a6:7c 00a9:63 00aa:61 00ad:2d 00ae:52 00b2:32 00b3:33 00b9:31 00ba:6f 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c6:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d0:44 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00de:54 00df:73 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e6:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f0:65 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00fe:74 00ff:79 
+
+65000 (UTF-7)
+
+
+65001 (UTF-8)
+
+
diff --git a/scripts/s2b/snort_rules2.2/virus.rules b/scripts/s2b/snort_rules2.2/virus.rules
new file mode 100644
index 0000000000..7ee1ad0a8f
--- /dev/null
+++ b/scripts/s2b/snort_rules2.2/virus.rules
@@ -0,0 +1,20 @@
+# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
+#    All rights reserved.
+# $Id: virus.rules 91 2004-07-15 08:13:57Z rwinslow $
+#------------
+# VIRUS RULES
+#------------
+#
+# We don't care about virus rules anymore.  BUT, you people won't stop asking
+# us for virus rules.  So... here ya go.
+#
+# There is now one rule that looks for any of the following attachment types:
+#
+#   ade, adp, asd, asf, asx, bat, chm, cli, cmd, com, cpp, diz, dll, dot, emf,
+#   eml, exe, hlp, hsq, hta, ini, js, jse, lnk, mda, mdb, mde, mdw, msi, msp,
+#   nws, ocx, pif, pl, pm, pot, pps, ppt, reg, rtf, scr, shs, swf, sys, vb,
+#   vbe, vbs, vcf, vxd, wmd, wmf, wms, wmz, wpd, wpm, wps, wpz, wsc, wsf, wsh,
+#   xls, xlt, xlw
+#
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND bad file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; nocase; pcre:"/filename\s*=\s*.*?\.(?=[abcdehijlmnoprsvwx])(a(d[ep]|s[dfx])|c([ho]m|li|md|pp)|d(iz|ll|ot)|e(m[fl]|xe)|h(lp|sq|ta)|jse?|m(d[abew]|s[ip])|p(p[st]|if|[lm]|ot)|r(eg|tf)|s(cr|[hy]s|wf)|v(b[es]?|cf|xd)|w(m[dfsz]|p[dmsz]|s[cfh])|xl[stw]|bat|ini|lnk|nws|ocx)[\x27\x22\n\r\s]/iR"; classtype:suspicious-filename-detect; sid:721; rev:7;)
diff --git a/scripts/s2b/snort_rules2.2/web-attacks.rules b/scripts/s2b/snort_rules2.2/web-attacks.rules
new file mode 100644
index 0000000000..538017a02a
--- /dev/null
+++ b/scripts/s2b/snort_rules2.2/web-attacks.rules
@@ -0,0 +1,60 @@
+# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
+#    All rights reserved.
+# $Id: web-attacks.rules 91 2004-07-15 08:13:57Z rwinslow $
+# ----------------
+# WEB ATTACKS
+# ----------------
+# These signatures are generic signatures that will catch common commands
+# used to exploit form variable vulnerabilities.  These signatures should
+# not false very often.
+#
+# Please email example PCAP log dumps to snort-sigs@lists.sourceforge.net
+# if you find one of these signatures to be too false possitive.
+
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS ps command attempt"; flow:to_server,established; uricontent:"/bin/ps"; nocase; classtype:web-application-attack; sid:1328; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /bin/ps command attempt"; flow:to_server,established; uricontent:"ps%20"; nocase; classtype:web-application-attack; sid:1329; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS wget command attempt"; flow:to_server,established; content:"wget%20"; nocase; classtype:web-application-attack; sid:1330; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS uname -a command attempt"; flow:to_server,established; content:"uname%20-a"; nocase; classtype:web-application-attack; sid:1331; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /usr/bin/id command attempt"; flow:to_server,established; content:"/usr/bin/id"; nocase; classtype:web-application-attack; sid:1332; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS id command attempt"; flow:to_server,established; content:"|3B|id"; nocase; classtype:web-application-attack; sid:1333; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS echo command attempt"; flow:to_server,established; content:"/bin/echo"; nocase; classtype:web-application-attack; sid:1334; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS kill command attempt"; flow:to_server,established; content:"/bin/kill"; nocase; classtype:web-application-attack; sid:1335; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS chmod command attempt"; flow:to_server,established; content:"/bin/chmod"; nocase; classtype:web-application-attack; sid:1336; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS chgrp command attempt"; flow:to_server,established; content:"/chgrp"; nocase; classtype:web-application-attack; sid:1337; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS chown command attempt"; flow:to_server,established; content:"/chown"; nocase; classtype:web-application-attack; sid:1338; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS chsh command attempt"; flow:to_server,established; content:"/usr/bin/chsh"; nocase; classtype:web-application-attack; sid:1339; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS tftp command attempt"; flow:to_server,established; content:"tftp%20"; nocase; classtype:web-application-attack; sid:1340; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /usr/bin/gcc command attempt"; flow:to_server,established; content:"/usr/bin/gcc"; nocase; classtype:web-application-attack; sid:1341; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS gcc command attempt"; flow:to_server,established; content:"gcc%20-o"; nocase; classtype:web-application-attack; sid:1342; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /usr/bin/cc command attempt"; flow:to_server,established; content:"/usr/bin/cc"; nocase; classtype:web-application-attack; sid:1343; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS cc command attempt"; flow:to_server,established; content:"cc%20"; nocase; classtype:web-application-attack; sid:1344; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /usr/bin/cpp command attempt"; flow:to_server,established; content:"/usr/bin/cpp"; nocase; classtype:web-application-attack; sid:1345; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS cpp command attempt"; flow:to_server,established; content:"cpp%20"; nocase; classtype:web-application-attack; sid:1346; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /usr/bin/g++ command attempt"; flow:to_server,established; content:"/usr/bin/g++"; nocase; classtype:web-application-attack; sid:1347; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS g++ command attempt"; flow:to_server,established; content:"g++%20"; nocase; classtype:web-application-attack; sid:1348; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS bin/python access attempt"; flow:to_server,established; content:"bin/python"; nocase; classtype:web-application-attack; sid:1349; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS python access attempt"; flow:to_server,established; content:"python%20"; nocase; classtype:web-application-attack; sid:1350; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS bin/tclsh execution attempt"; flow:to_server,established; content:"bin/tclsh"; nocase; classtype:web-application-attack; sid:1351; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS tclsh execution attempt"; flow:to_server,established; content:"tclsh8%20"; nocase; classtype:web-application-attack; sid:1352; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS bin/nasm command attempt"; flow:to_server,established; content:"bin/nasm"; nocase; classtype:web-application-attack; sid:1353; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS nasm command attempt"; flow:to_server,established; content:"nasm%20"; nocase; classtype:web-application-attack; sid:1354; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /usr/bin/perl execution attempt"; flow:to_server,established; content:"/usr/bin/perl"; nocase; classtype:web-application-attack; sid:1355; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS perl execution attempt"; flow:to_server,established; content:"perl%20"; nocase; classtype:web-application-attack; sid:1356; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS nt admin addition attempt"; flow:to_server,established; content:"net localgroup administrators /add"; nocase; classtype:web-application-attack; sid:1357; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS traceroute command attempt"; flow:to_server,established; content:"traceroute%20"; nocase; classtype:web-application-attack; sid:1358; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS ping command attempt"; flow:to_server,established; content:"/bin/ping"; nocase; classtype:web-application-attack; sid:1359; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS netcat command attempt"; flow:to_server,established; content:"nc%20"; nocase; classtype:web-application-attack; sid:1360; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS nmap command attempt"; flow:to_server,established; content:"nmap%20"; nocase; classtype:web-application-attack; sid:1361; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS xterm command attempt"; flow:to_server,established; content:"/usr/X11R6/bin/xterm"; nocase; classtype:web-application-attack; sid:1362; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS X application to remote host attempt"; flow:to_server,established; content:"%20-display%20"; nocase; classtype:web-application-attack; sid:1363; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS lsof command attempt"; flow:to_server,established; content:"lsof%20"; nocase; classtype:web-application-attack; sid:1364; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS rm command attempt"; flow:to_server,established; content:"rm%20"; nocase; classtype:web-application-attack; sid:1365; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS mail command attempt"; flow:to_server,established; content:"/bin/mail"; nocase; classtype:web-application-attack; sid:1366; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS mail command attempt"; flow:to_server,established; content:"mail%20"; nocase; classtype:web-application-attack; sid:1367; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /bin/ls| command attempt"; flow:to_server,established; uricontent:"/bin/ls|7C|"; nocase; classtype:web-application-attack; sid:1368; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /bin/ls command attempt"; flow:to_server,established; uricontent:"/bin/ls"; nocase; classtype:web-application-attack; sid:1369; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /etc/inetd.conf access"; flow:to_server,established; content:"/etc/inetd.conf"; nocase; classtype:web-application-activity; sid:1370; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /etc/motd access"; flow:to_server,established; content:"/etc/motd"; nocase; classtype:web-application-activity; sid:1371; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /etc/shadow access"; flow:to_server,established; content:"/etc/shadow"; nocase; classtype:web-application-activity; sid:1372; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS conf/httpd.conf attempt"; flow:to_server,established; content:"conf/httpd.conf"; nocase; classtype:web-application-activity; sid:1373; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS .htgroup access"; flow:to_server,established; uricontent:".htgroup"; nocase; classtype:web-application-activity; sid:1374; rev:5;)
diff --git a/scripts/s2b/snort_rules2.2/web-cgi.rules b/scripts/s2b/snort_rules2.2/web-cgi.rules
new file mode 100644
index 0000000000..2ce715d20c
--- /dev/null
+++ b/scripts/s2b/snort_rules2.2/web-cgi.rules
@@ -0,0 +1,372 @@
+# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
+#    All rights reserved.
+# $Id: web-cgi.rules 91 2004-07-15 08:13:57Z rwinslow $
+#--------------
+# WEB-CGI RULES
+#--------------
+#
+
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI HyperSeek hsx.cgi directory traversal attempt"; flow:to_server,established; uricontent:"/hsx.cgi"; content:"../../"; content:"%00"; distance:1; reference:bugtraq,2314; reference:cve,2001-0253; classtype:web-application-attack; sid:803; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI HyperSeek hsx.cgi access"; flow:to_server,established; uricontent:"/hsx.cgi"; reference:bugtraq,2314; reference:cve,2001-0253; classtype:web-application-activity; sid:1607; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI SWSoft ASPSeek Overflow attempt"; flow:to_server,established; uricontent:"/s.cgi"; nocase; content:"tmpl="; reference:bugtraq,2492; reference:cve,2001-0476; classtype:web-application-attack; sid:804; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI webspeed access"; flow:to_server,established; uricontent:"/wsisa.dll/WService="; nocase; content:"WSMadmin"; nocase; reference:arachnids,467; reference:bugtraq,969; reference:cve,2000-0127; reference:nessus,10304; classtype:attempted-user; sid:805; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI yabb directory traversal attempt"; flow:to_server,established; uricontent:"/YaBB"; nocase; content:"../"; reference:arachnids,462; reference:bugtraq,1668; reference:cve,2000-0853; classtype:attempted-recon; sid:806; rev:11;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI yabb access"; flow:to_server,established; uricontent:"/YaBB"; nocase; reference:arachnids,462; reference:bugtraq,1668; reference:cve,2000-0853; classtype:attempted-recon; sid:1637; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI /wwwboard/passwd.txt access"; flow:to_server,established; uricontent:"/wwwboard/passwd.txt"; nocase; reference:arachnids,463; reference:bugtraq,649; reference:cve,1999-0953; reference:cve,1999-0954; reference:nessus,10321; classtype:attempted-recon; sid:807; rev:11;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI webdriver access"; flow:to_server,established; uricontent:"/webdriver"; nocase; reference:arachnids,473; reference:bugtraq,2166; reference:nessus,10592; classtype:attempted-recon; sid:808; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI whois_raw.cgi arbitrary command execution attempt"; flow:to_server,established; uricontent:"/whois_raw.cgi?"; content:"|0A|"; reference:arachnids,466; reference:bugtraq,304; reference:cve,1999-1063; reference:nessus,10306; classtype:web-application-attack; sid:809; rev:11;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI whois_raw.cgi access"; flow:to_server,established; uricontent:"/whois_raw.cgi"; reference:arachnids,466; reference:bugtraq,304; reference:cve,1999-1063; reference:nessus,10306; classtype:attempted-recon; sid:810; rev:11;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI websitepro path access"; flow:to_server,established; content:" /HTTP/1."; nocase; reference:arachnids,468; reference:bugtraq,932; reference:cve,2000-0066; classtype:attempted-recon; sid:811; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI webplus version access"; flow:to_server,established; uricontent:"/webplus?about"; nocase; reference:arachnids,470; reference:bugtraq,1102; reference:cve,2000-0282; classtype:attempted-recon; sid:812; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI webplus directory traversal"; flow:to_server,established; uricontent:"/webplus?script"; nocase; content:"../"; reference:arachnids,471; reference:bugtraq,1102; reference:cve,2000-0282; classtype:web-application-attack; sid:813; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI websendmail access"; flow:to_server,established; uricontent:"/websendmail"; nocase; reference:arachnids,469; reference:bugtraq,2077; reference:cve,1999-0196; reference:nessus,10301; classtype:attempted-recon; sid:815; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI dcforum.cgi directory traversal attempt"; flow:to_server,established; uricontent:"/dcforum.cgi"; content:"forum=../.."; reference:bugtraq,2611; reference:cve,2001-0436; reference:cve,2001-0437; classtype:web-application-attack; sid:1571; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI dcforum.cgi access"; flow:to_server,established; uricontent:"/dcforum.cgi"; reference:bugtraq,2728; reference:cve,2001-0527; reference:nessus,10583; classtype:attempted-recon; sid:818; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI dcboard.cgi invalid user addition attempt"; flow:to_server,established; uricontent:"/dcboard.cgi"; content:"command=register"; content:"%7cadmin"; reference:bugtraq,2728; reference:cve,2001-0527; reference:nessus,10583; classtype:web-application-attack; sid:817; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI dcboard.cgi access"; flow:to_server,established; uricontent:"/dcboard.cgi"; reference:bugtraq,2728; reference:cve,2001-0527; reference:nessus,10583; classtype:attempted-recon; sid:1410; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI mmstdod.cgi access"; flow:to_server,established; uricontent:"/mmstdod.cgi"; nocase; reference:cve,2001-0021; classtype:attempted-recon; sid:819; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI anaconda directory transversal attempt"; flow:to_server,established; uricontent:"/apexec.pl"; content:"template=../"; nocase; reference:bugtraq,2338; reference:bugtraq,2388; reference:cve,2000-0975; reference:cve,2001-0308; classtype:web-application-attack; sid:820; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI imagemap.exe overflow attempt"; flow:to_server,established; uricontent:"/imagemap.exe?"; nocase; reference:arachnids,412; reference:bugtraq,739; reference:cve,1999-0951; reference:nessus,10122; classtype:web-application-attack; sid:821; rev:12;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI imagemap.exe access"; flow:to_server,established; uricontent:"/imagemap.exe"; nocase; reference:arachnids,412; reference:bugtraq,739; reference:cve,1999-0951; reference:nessus,10122; classtype:web-application-activity; sid:1700; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI cvsweb.cgi access"; flow:to_server,established; uricontent:"/cvsweb.cgi"; nocase; reference:bugtraq,1469; reference:cve,2000-0670; classtype:attempted-recon; sid:823; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI php.cgi access"; flow:to_server,established; uricontent:"/php.cgi"; nocase; reference:arachnids,232; reference:bugtraq,2250; reference:cve,1999-0238; classtype:attempted-recon; sid:824; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI glimpse access"; flow:to_server,established; uricontent:"/glimpse"; nocase; reference:bugtraq,2026; classtype:attempted-recon; sid:825; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI htmlscript attempt"; flow:to_server,established; uricontent:"/htmlscript?../.."; nocase; reference:bugtraq,2001; reference:cve,1999-0264; classtype:web-application-attack; sid:1608; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI htmlscript access"; flow:to_server,established; uricontent:"/htmlscript"; nocase; reference:bugtraq,2001; reference:cve,1999-0264; classtype:attempted-recon; sid:826; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI info2www access"; flow:to_server,established; uricontent:"/info2www"; nocase; reference:bugtraq,1995; reference:cve,1999-0266; classtype:attempted-recon; sid:827; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI maillist.pl access"; flow:to_server,established; uricontent:"/maillist.pl"; nocase; classtype:attempted-recon; sid:828; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI nph-test-cgi access"; flow:to_server,established; uricontent:"/nph-test-cgi"; nocase; reference:arachnids,224; reference:bugtraq,686; reference:cve,1999-0045; reference:nessus,10165; classtype:attempted-recon; sid:829; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI NPH-publish access"; flow:to_server,established; uricontent:"/nph-maillist.pl"; nocase; reference:bugtraq,2563; reference:cve,2001-0400; classtype:attempted-recon; sid:1451; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI NPH-publish access"; flow:to_server,established; uricontent:"/nph-publish"; nocase; reference:cve,1999-1177; classtype:attempted-recon; sid:830; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI rguest.exe access"; flow:to_server,established; uricontent:"/rguest.exe"; nocase; reference:bugtraq,2024; reference:cve,1999-0287; reference:cve,1999-0467; classtype:attempted-recon; sid:833; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI rwwwshell.pl access"; flow:to_server,established; uricontent:"/rwwwshell.pl"; nocase; reference:url,www.itsecurity.com/papers/p37.htm; classtype:attempted-recon; sid:834; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI test-cgi attempt"; flow:to_server,established; uricontent:"/test-cgi/*?*"; nocase; reference:arachnids,218; reference:bugtraq,2003; reference:cve,1999-0070; reference:nessus,10282; classtype:web-application-attack; sid:1644; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI test-cgi access"; flow:to_server,established; uricontent:"/test-cgi"; nocase; reference:arachnids,218; reference:bugtraq,2003; reference:cve,1999-0070; reference:nessus,10282; classtype:attempted-recon; sid:835; rev:9;)
+# testcgi is *one* of many scripts to look for.  this *ALSO* triggers on testcgi.exe.
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI testcgi access"; flow:to_server,established; uricontent:"/testcgi"; nocase; reference:bugtraq,7214; reference:nessus,11610; classtype:web-application-activity; sid:1645; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI test.cgi access"; flow:to_server,established; uricontent:"/test.cgi"; nocase; classtype:web-application-activity; sid:1646; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI textcounter.pl access"; flow:to_server,established; uricontent:"/textcounter.pl"; nocase; reference:cve,1999-1479; classtype:attempted-recon; sid:836; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI uploader.exe access"; flow:to_server,established; uricontent:"/uploader.exe"; nocase; reference:cve,1999-0177; reference:nessus,10291; classtype:attempted-recon; sid:837; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI webgais access"; flow:to_server,established; uricontent:"/webgais"; nocase; reference:arachnids,472; reference:bugtraq,2058; reference:cve,1999-0176; reference:nessus,10300; classtype:attempted-recon; sid:838; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI finger access"; flow:to_server,established; uricontent:"/finger"; nocase; reference:arachnids,221; reference:cve,1999-0612; reference:nessus,10071; classtype:attempted-recon; sid:839; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI perlshop.cgi access"; flow:to_server,established; uricontent:"/perlshop.cgi"; nocase; reference:cve,1999-1374; classtype:attempted-recon; sid:840; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI pfdisplay.cgi access"; flow:to_server,established; uricontent:"/pfdisplay.cgi"; nocase; reference:bugtraq,64; reference:cve,1999-0270; classtype:attempted-recon; sid:841; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI aglimpse access"; flow:to_server,established; uricontent:"/aglimpse"; nocase; reference:bugtraq,2026; reference:cve,1999-0147; reference:nessus,10095; classtype:attempted-recon; sid:842; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI anform2 access"; flow:to_server,established; uricontent:"/AnForm2"; nocase; reference:arachnids,225; reference:cve,1999-0066; classtype:attempted-recon; sid:843; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI args.bat access"; flow:to_server,established; uricontent:"/args.bat"; nocase; reference:cve,1999-1374; classtype:attempted-recon; sid:844; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI args.cmd access"; flow:to_server,established; uricontent:"/args.cmd"; nocase; reference:cve,1999-1374; classtype:attempted-recon; sid:1452; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI AT-admin.cgi access"; flow:to_server,established; uricontent:"/AT-admin.cgi"; nocase; reference:cve,1999-1072; classtype:attempted-recon; sid:845; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI AT-generated.cgi access"; flow:to_server,established; uricontent:"/AT-generated.cgi"; nocase; reference:cve,1999-1072; classtype:attempted-recon; sid:1453; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bnbform.cgi access"; flow:to_server,established; uricontent:"/bnbform.cgi"; nocase; reference:bugtraq,2147; reference:cve,1999-0937; classtype:attempted-recon; sid:846; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI campas access"; flow:to_server,established; uricontent:"/campas"; nocase; reference:bugtraq,1975; reference:cve,1999-0146; classtype:attempted-recon; sid:847; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI view-source directory traversal"; flow:to_server,established; uricontent:"/view-source"; nocase; content:"../"; nocase; reference:bugtraq,2251; reference:bugtraq,8883; reference:cve,1999-0174; classtype:web-application-attack; sid:848; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI view-source access"; flow:to_server,established; uricontent:"/view-source"; nocase; reference:bugtraq,2251; reference:bugtraq,8883; reference:cve,1999-0174; classtype:attempted-recon; sid:849; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI wais.pl access"; flow:to_server,established; uricontent:"/wais.pl"; nocase; classtype:attempted-recon; sid:850; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI wwwwais access"; flow:to_server,established; uricontent:"/wwwwais"; nocase; reference:cve,2001-0223; reference:nessus,10597; classtype:attempted-recon; sid:1454; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI files.pl access"; flow:to_server,established; uricontent:"/files.pl"; nocase; reference:cve,1999-1081; classtype:attempted-recon; sid:851; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI wguest.exe access"; flow:to_server,established; uricontent:"/wguest.exe"; nocase; reference:bugtraq,2024; reference:cve,1999-0287; reference:cve,1999-0467; classtype:attempted-recon; sid:852; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI wrap access"; flow:to_server,established; uricontent:"/wrap"; reference:arachnids,234; reference:bugtraq,373; reference:cve,1999-0149; reference:nessus,10317; classtype:attempted-recon; sid:853; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI classifieds.cgi access"; flow:to_server,established; uricontent:"/classifieds.cgi"; nocase; reference:bugtraq,2020; reference:cve,1999-0934; classtype:attempted-recon; sid:854; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI environ.cgi access"; flow:to_server,established; uricontent:"/environ.cgi"; nocase; classtype:attempted-recon; sid:856; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI faxsurvey access"; flow:to_server,established; uricontent:"/faxsurvey"; nocase; reference:bugtraq,2056; reference:cve,1999-0262; reference:nessus,10067; classtype:web-application-activity; sid:857; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI filemail access"; flow:to_server,established; uricontent:"/filemail.pl"; nocase; reference:cve,1999-1154; classtype:attempted-recon; sid:858; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI man.sh access"; flow:to_server,established; uricontent:"/man.sh"; nocase; reference:cve,1999-1179; classtype:attempted-recon; sid:859; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI snork.bat access"; flow:to_server,established; uricontent:"/snork.bat"; nocase; reference:arachnids,220; reference:bugtraq,1053; reference:cve,2000-0169; classtype:attempted-recon; sid:860; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI w3-msql access"; flow:to_server,established; uricontent:"/w3-msql/"; nocase; reference:arachnids,210; reference:bugtraq,591; reference:bugtraq,898; reference:cve,1999-0276; reference:cve,1999-0753; reference:cve,2000-0012; reference:nessus,10296; classtype:attempted-recon; sid:861; rev:12;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI day5datacopier.cgi access"; flow:to_server,established; uricontent:"/day5datacopier.cgi"; nocase; reference:cve,1999-1232; classtype:attempted-recon; sid:863; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI day5datanotifier.cgi access"; flow:to_server,established; uricontent:"/day5datanotifier.cgi"; nocase; reference:cve,1999-1232; classtype:attempted-recon; sid:864; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI post-query access"; flow:to_server,established; uricontent:"/post-query"; nocase; reference:bugtraq,6752; reference:cve,2001-0291; classtype:attempted-recon; sid:866; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI visadmin.exe access"; flow:to_server,established; uricontent:"/visadmin.exe"; nocase; reference:bugtraq,1808; reference:cve,1999-0970; reference:cve,1999-1970; reference:nessus,10295; classtype:attempted-recon; sid:867; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI dumpenv.pl access"; flow:to_server,established; uricontent:"/dumpenv.pl"; nocase; reference:cve,1999-1178; reference:nessus,10060; classtype:attempted-recon; sid:869; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI calendar_admin.pl arbitrary command execution attempt"; flow:to_server,established; uricontent:"/calendar_admin.pl?config=|7C|"; reference:cve,2000-0432; classtype:web-application-attack; sid:1536; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI calendar_admin.pl access"; flow:to_server,established; uricontent:"/calendar_admin.pl"; reference:cve,2000-0432; classtype:web-application-activity; sid:1537; rev:6;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI calender_admin.pl access"; flow:to_server,established; uricontent:"/calender_admin.pl"; nocase; reference:cve,2000-0432; classtype:attempted-recon; sid:1456; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI calendar-admin.pl access"; flow:to_server,established; uricontent:"/calendar-admin.pl"; nocase; reference:bugtraq,1215; classtype:web-application-activity; sid:1701; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI calender.pl access"; flow:to_server,established; uricontent:"/calender.pl"; nocase; reference:cve,2000-0432; classtype:attempted-recon; sid:1455; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI calendar access"; flow:to_server,established; uricontent:"/calendar"; nocase; classtype:attempted-recon; sid:882; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI user_update_admin.pl access"; flow:to_server,established; uricontent:"/user_update_admin.pl"; nocase; reference:bugtraq,1486; reference:cve,2000-0627; classtype:attempted-recon; sid:1457; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI user_update_passwd.pl access"; flow:to_server,established; uricontent:"/user_update_passwd.pl"; nocase; reference:bugtraq,1486; reference:cve,2000-0627; classtype:attempted-recon; sid:1458; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI snorkerz.cmd access"; flow:to_server,established; uricontent:"/snorkerz.cmd"; nocase; classtype:attempted-recon; sid:870; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI survey.cgi access"; flow:to_server,established; uricontent:"/survey.cgi"; nocase; reference:bugtraq,1817; reference:cve,1999-0936; classtype:attempted-recon; sid:871; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI scriptalias access"; flow:to_server,established; uricontent:"///"; reference:arachnids,227; reference:bugtraq,2300; reference:cve,1999-0236; classtype:attempted-recon; sid:873; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI win-c-sample.exe access"; flow:to_server,established; uricontent:"/win-c-sample.exe"; nocase; reference:arachnids,231; reference:bugtraq,2078; reference:cve,1999-0178; reference:nessus,10008; classtype:attempted-recon; sid:875; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI w3tvars.pm access"; flow:to_server,established; uricontent:"/w3tvars.pm"; nocase; classtype:attempted-recon; sid:878; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI admin.pl access"; flow:to_server,established; uricontent:"/admin.pl"; nocase; reference:bugtraq,3839; reference:url,online.securityfocus.com/archive/1/249355; classtype:attempted-recon; sid:879; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI LWGate access"; flow:to_server,established; uricontent:"/LWGate"; nocase; reference:url,www.netspace.org/~dwb/lwgate/lwgate-history.html; reference:url,www.wiretrip.net/rfp/p/doc.asp/i2/d6.htm; classtype:attempted-recon; sid:880; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI archie access"; flow:to_server,established; uricontent:"/archie"; nocase; classtype:attempted-recon; sid:881; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI flexform access"; flow:to_server,established; uricontent:"/flexform"; nocase; reference:url,www.wiretrip.net/rfp/p/doc.asp/i2/d6.htm; classtype:attempted-recon; sid:883; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI formmail arbitrary command execution attempt"; flow:to_server,established; uricontent:"/formmail"; nocase; content:"%0a"; nocase; reference:arachnids,226; reference:bugtraq,1187; reference:bugtraq,2079; reference:cve,1999-0172; reference:cve,2000-0411; reference:nessus,10076; reference:nessus,10782; classtype:web-application-attack; sid:1610; rev:11;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI formmail access"; flow:to_server,established; uricontent:"/formmail"; nocase; reference:arachnids,226; reference:bugtraq,1187; reference:bugtraq,2079; reference:cve,1999-0172; reference:cve,2000-0411; reference:nessus,10076; reference:nessus,10782; classtype:web-application-activity; sid:884; rev:14;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI phf arbitrary command execution attempt"; flow:to_server,established; uricontent:"/phf"; nocase; content:"QALIAS"; nocase; content:"%0a/"; reference:arachnids,128; reference:bugtraq,629; reference:cve,1999-0067; classtype:web-application-attack; sid:1762; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI phf access"; flow:to_server,established; uricontent:"/phf"; nocase; reference:arachnids,128; reference:bugtraq,629; reference:cve,1999-0067; classtype:web-application-activity; sid:886; rev:11;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI www-sql access"; flow:to_server,established; uricontent:"/www-sql"; nocase; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=88704258804054&w=2; classtype:attempted-recon; sid:887; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI wwwadmin.pl access"; flow:to_server,established; uricontent:"/wwwadmin.pl"; nocase; classtype:attempted-recon; sid:888; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI ppdscgi.exe access"; flow:to_server,established; uricontent:"/ppdscgi.exe"; nocase; reference:bugtraq,491; reference:url,online.securityfocus.com/archive/1/16878; classtype:attempted-recon; sid:889; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI sendform.cgi access"; flow:to_server,established; uricontent:"/sendform.cgi"; nocase; reference:bugtraq,5286; reference:cve,2002-0710; reference:url,www.scn.org/help/sendform.txt; classtype:attempted-recon; sid:890; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI upload.pl access"; flow:to_server,established; uricontent:"/upload.pl"; nocase; classtype:attempted-recon; sid:891; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI AnyForm2 access"; flow:to_server,established; uricontent:"/AnyForm2"; nocase; reference:bugtraq,719; reference:cve,1999-0066; classtype:attempted-recon; sid:892; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI MachineInfo access"; flow:to_server,established; uricontent:"/MachineInfo"; nocase; reference:cve,1999-1067; classtype:attempted-recon; sid:893; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bb-hist.sh attempt"; flow:to_server,established; uricontent:"/bb-hist.sh?HISTFILE=../.."; nocase; reference:bugtraq,142; reference:cve,1999-1462; reference:nessus,10025; classtype:web-application-attack; sid:1531; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bb-hist.sh access"; flow:to_server,established; uricontent:"/bb-hist.sh"; nocase; reference:bugtraq,142; reference:cve,1999-1462; reference:nessus,10025; classtype:attempted-recon; sid:894; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bb-histlog.sh access"; flow:to_server,established; uricontent:"/bb-histlog.sh"; nocase; reference:bugtraq,142; reference:cve,1999-1462; classtype:attempted-recon; sid:1459; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bb-histsvc.sh access"; flow:to_server,established; uricontent:"/bb-histsvc.sh"; nocase; reference:bugtraq,142; reference:cve,1999-1462; classtype:attempted-recon; sid:1460; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bb-hostscv.sh attempt"; flow:to_server,established; uricontent:"/bb-hostsvc.sh?HOSTSVC?../.."; nocase; reference:bugtraq,1455; reference:cve,2000-0638; reference:nessus,10460; classtype:web-application-attack; sid:1532; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bb-hostscv.sh access"; flow:to_server,established; uricontent:"/bb-hostsvc.sh"; nocase; reference:bugtraq,1455; reference:cve,2000-0638; reference:nessus,10460; classtype:web-application-activity; sid:1533; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bb-rep.sh access"; flow:to_server,established; uricontent:"/bb-rep.sh"; nocase; reference:bugtraq,142; reference:cve,1999-1462; classtype:attempted-recon; sid:1461; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bb-replog.sh access"; flow:to_server,established; uricontent:"/bb-replog.sh"; nocase; reference:bugtraq,142; reference:cve,1999-1462; classtype:attempted-recon; sid:1462; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI redirect access"; flow:to_server,established; uricontent:"/redirect"; nocase; reference:bugtraq,1179; reference:cve,2000-0382; classtype:attempted-recon; sid:895; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI wayboard attempt"; flow:to_server,established; uricontent:"/way-board/way-board.cgi"; content:"db="; content:"../.."; nocase; reference:bugtraq,2370; reference:cve,2001-0214; classtype:web-application-attack; sid:1397; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI way-board access"; flow:to_server,established; uricontent:"/way-board"; nocase; reference:bugtraq,2370; reference:cve,2001-0214; reference:nessus,10610; classtype:web-application-activity; sid:896; rev:11;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI pals-cgi arbitrary file access attempt"; flow:to_server,established; uricontent:"/pals-cgi"; nocase; content:"documentName="; reference:bugtraq,2372; reference:cve,2001-0217; reference:nessus,10611; classtype:web-application-attack; sid:1222; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI pals-cgi access"; flow:to_server,established; uricontent:"/pals-cgi"; nocase; reference:bugtraq,2372; reference:cve,2001-0216; reference:cve,2001-0217; reference:nessus,10611; classtype:attempted-recon; sid:897; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI commerce.cgi arbitrary file access attempt"; flow:to_server,established; uricontent:"/commerce.cgi"; content:"page="; content:"/../"; nocase; reference:bugtraq,2361; reference:cve,2001-0210; reference:nessus,10612; classtype:attempted-recon; sid:1572; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI commerce.cgi access"; flow:to_server,established; uricontent:"/commerce.cgi"; nocase; reference:bugtraq,2361; reference:cve,2001-0210; reference:nessus,10612; classtype:attempted-recon; sid:898; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI Amaya templates sendtemp.pl directory traversal attempt"; flow:to_server,established; uricontent:"/sendtemp.pl"; nocase; content:"templ="; nocase; reference:bugtraq,2504; reference:cve,2001-0272; classtype:web-application-attack; sid:899; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI Amaya templates sendtemp.pl access"; flow:to_server,established; uricontent:"/sendtemp.pl"; nocase; reference:bugtraq,2504; reference:cve,2001-0272; classtype:web-application-activity; sid:1702; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI webspirs.cgi directory traversal attempt"; flow:to_server,established; uricontent:"/webspirs.cgi"; nocase; content:"../../"; nocase; reference:bugtraq,2362; reference:cve,2001-0211; reference:nessus,10616; classtype:web-application-attack; sid:900; rev:11;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI webspirs.cgi access"; flow:to_server,established; uricontent:"/webspirs.cgi"; nocase; reference:bugtraq,2362; reference:cve,2001-0211; reference:nessus,10616; classtype:attempted-recon; sid:901; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI tstisapi.dll access"; flow:to_server,established; uricontent:"tstisapi.dll"; nocase; reference:cve,2001-0302; classtype:attempted-recon; sid:902; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI sendmessage.cgi access"; flow:to_server,established; uricontent:"/sendmessage.cgi"; nocase; classtype:attempted-recon; sid:1308; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI lastlines.cgi access"; flow:to_server,established; uricontent:"/lastlines.cgi"; nocase; reference:bugtraq,3754; reference:bugtraq,3755; reference:cve,2001-1205; reference:cve,2001-1206; classtype:attempted-recon; sid:1392; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI zml.cgi attempt"; flow:to_server,established; uricontent:"/zml.cgi"; content:"file=../"; reference:bugtraq,3759; reference:cve,2001-1209; classtype:web-application-activity; sid:1395; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI zml.cgi access"; flow:to_server,established; uricontent:"/zml.cgi"; reference:bugtraq,3759; reference:cve,2001-1209; classtype:web-application-activity; sid:1396; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI AHG search.cgi access"; flow:to_server,established; uricontent:"/publisher/search.cgi"; nocase; content:"template="; nocase; reference:bugtraq,3985; classtype:web-application-activity; sid:1405; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI agora.cgi attempt"; flow:to_server,established; uricontent:"/store/agora.cgi?cart_id=<SCRIPT>"; nocase; reference:bugtraq,3702; reference:bugtraq,3976; reference:cve,2001-1199; reference:cve,2002-0215; reference:nessus,10836; classtype:web-application-attack; sid:1534; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI agora.cgi access"; flow:to_server,established; uricontent:"/store/agora.cgi"; nocase; reference:bugtraq,3702; reference:bugtraq,3976; reference:cve,2001-1199; reference:cve,2002-0215; reference:nessus,10836; classtype:web-application-activity; sid:1406; rev:11;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI rksh access"; flow:to_server,established; uricontent:"/rksh"; nocase; reference:cve,1999-0509; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:877; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bash access"; flow:to_server,established; uricontent:"/bash"; nocase; reference:cve,1999-0509; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:web-application-activity; sid:885; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI perl.exe command attempt"; flow:to_server,established; uricontent:"/perl.exe?"; nocase; reference:arachnids,219; reference:cve,1999-0509; reference:nessus,10173; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:1648; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI perl.exe access"; flow:to_server,established; uricontent:"/perl.exe"; nocase; reference:arachnids,219; reference:cve,1999-0509; reference:nessus,10173; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:832; rev:11;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI perl command attempt"; flow:to_server,established; uricontent:"/perl?"; nocase; reference:arachnids,219; reference:cve,1999-0509; reference:nessus,10173; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:1649; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI zsh access"; flow:to_server,established; uricontent:"/zsh"; nocase; reference:cve,1999-0509; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:1309; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI csh access"; flow:to_server,established; uricontent:"/csh"; nocase; reference:cve,1999-0509; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:862; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI tcsh access"; flow:to_server,established; uricontent:"/tcsh"; nocase; reference:cve,1999-0509; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:872; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI rsh access"; flow:to_server,established; uricontent:"/rsh"; nocase; reference:cve,1999-0509; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:868; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI ksh access"; flow:to_server,established; uricontent:"/ksh"; nocase; reference:cve,1999-0509; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:865; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI auktion.cgi directory traversal attempt"; flow:to_server,established; uricontent:"/auktion.cgi"; nocase; content:"menue=../../"; nocase; reference:bugtraq,2367; reference:cve,2001-0212; reference:nessus,10638; classtype:web-application-attack; sid:1703; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI auktion.cgi access"; flow:to_server,established; uricontent:"/auktion.cgi"; nocase; reference:bugtraq,2367; reference:cve,2001-0212; reference:nessus,10638; classtype:web-application-activity; sid:1465; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI cgiforum.pl attempt"; flow:to_server,established; uricontent:"/cgiforum.pl?thesection=../.."; nocase; reference:bugtraq,1963; reference:cve,2000-1171; reference:nessus,10552; classtype:web-application-attack; sid:1573; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI cgiforum.pl access"; flow:to_server,established; uricontent:"/cgiforum.pl"; nocase; reference:bugtraq,1963; reference:cve,2000-1171; reference:nessus,10552; classtype:web-application-activity; sid:1466; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI directorypro.cgi attempt"; flow:to_server,established; uricontent:"/directorypro.cgi"; content:"show="; content:"../.."; distance:1; nocase; reference:bugtraq,2793; reference:cve,2001-0780; classtype:web-application-attack; sid:1574; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI directorypro.cgi access"; flow:to_server,established; uricontent:"/directorypro.cgi"; nocase; reference:bugtraq,2793; reference:cve,2001-0780; classtype:web-application-activity; sid:1467; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI Web Shopper shopper.cgi attempt"; flow:to_server,established; uricontent:"/shopper.cgi"; nocase; content:"newpage=../"; nocase; reference:bugtraq,1776; reference:cve,2000-0922; classtype:web-application-attack; sid:1468; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI Web Shopper shopper.cgi access"; flow:to_server,established; uricontent:"/shopper.cgi"; nocase; reference:bugtraq,1776; reference:cve,2000-0922; classtype:attempted-recon; sid:1469; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI listrec.pl access"; flow:to_server,established; uricontent:"/listrec.pl"; nocase; reference:cve,2001-0997; classtype:attempted-recon; sid:1470; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI mailnews.cgi access"; flow:to_server,established; uricontent:"/mailnews.cgi"; nocase; reference:cve,2001-0271; classtype:attempted-recon; sid:1471; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI book.cgi arbitrary command execution attempt"; flow:to_server,established; uricontent:"/book.cgi"; nocase; content:"current=|7C|"; nocase; reference:bugtraq,3178; reference:cve,2001-1114; reference:nessus,10721; classtype:web-application-attack; sid:1879; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI book.cgi access"; flow:to_server,established; uricontent:"/book.cgi"; nocase; reference:bugtraq,3178; reference:cve,2001-1114; reference:nessus,10721; classtype:web-application-activity; sid:1472; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI newsdesk.cgi access"; flow:to_server,established; uricontent:"/newsdesk.cgi"; nocase; reference:cve,2001-0232; classtype:attempted-recon; sid:1473; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI cal_make.pl directory traversal attempt"; flow:to_server,established; uricontent:"/cal_make.pl"; nocase; content:"p0=../../"; nocase; reference:bugtraq,2663; reference:cve,2001-0463; classtype:web-application-attack; sid:1704; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI cal_make.pl access"; flow:to_server,established; uricontent:"/cal_make.pl"; nocase; reference:bugtraq,2663; reference:cve,2001-0463; classtype:web-application-activity; sid:1474; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI mailit.pl access"; flow:to_server,established; uricontent:"/mailit.pl"; nocase; classtype:attempted-recon; sid:1475; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI sdbsearch.cgi access"; flow:to_server,established; uricontent:"/sdbsearch.cgi"; nocase; reference:cve,2001-1130; classtype:attempted-recon; sid:1476; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI swc access"; flow:to_server,established; uricontent:"/swc"; nocase; classtype:attempted-recon; sid:1478; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI ttawebtop.cgi arbitrary file attempt"; flow:to_server,established; uricontent:"/ttawebtop.cgi"; nocase; content:"pg=../"; nocase; reference:bugtraq,2890; reference:cve,2001-0805; reference:nessus,10696; classtype:web-application-attack; sid:1479; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI ttawebtop.cgi access"; flow:to_server,established; uricontent:"/ttawebtop.cgi"; nocase; reference:bugtraq,2890; reference:cve,2001-0805; reference:nessus,10696; classtype:attempted-recon; sid:1480; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI upload.cgi access"; flow:to_server,established; uricontent:"/upload.cgi"; nocase; reference:nessus,10290; classtype:attempted-recon; sid:1481; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI view_source access"; flow:to_server,established; uricontent:"/view_source"; nocase; reference:nessus,10294; classtype:attempted-recon; sid:1482; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI ustorekeeper.pl directory traversal attempt"; flow:to_server,established; uricontent:"/ustorekeeper.pl"; nocase; content:"file=../../"; nocase; reference:cve,2001-0466; reference:nessus,10645; classtype:web-application-attack; sid:1730; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI ustorekeeper.pl access"; flow:to_server,established; uricontent:"/ustorekeeper.pl"; nocase; reference:cve,2001-0466; reference:nessus,10646; classtype:web-application-activity; sid:1483; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI icat access"; flow:to_server,established; uricontent:"/icat"; reference:cve,1999-1069; classtype:web-application-activity; sid:1606; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI Bugzilla doeditvotes.cgi access"; flow:to_server,established; uricontent:"/doeditvotes.cgi"; reference:bugtraq,3800; reference:cve,2002-0011; classtype:web-application-activity; sid:1617; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI htsearch arbitrary configuration file attempt"; flow:to_server,established; uricontent:"/htsearch?-c"; nocase; reference:cve,2000-0208; classtype:web-application-attack; sid:1600; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI htsearch arbitrary file read attempt"; flow:to_server,established; uricontent:"/htsearch?exclude=`"; nocase; reference:bugtraq,1026; reference:cve,2000-0208; classtype:web-application-attack; sid:1601; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI htsearch access"; flow:to_server,established; uricontent:"/htsearch"; nocase; reference:cve,2000-0208; classtype:web-application-activity; sid:1602; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI a1stats a1disp3.cgi directory traversal attempt"; flow:to_server,established; uricontent:"/a1disp3.cgi?/../../"; reference:bugtraq,2705; reference:cve,2001-0561; reference:nessus,10669; classtype:web-application-attack; sid:1501; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI a1stats a1disp3.cgi access"; flow:to_server,established; uricontent:"/a1disp3.cgi"; reference:bugtraq,2705; reference:cve,2001-0561; reference:nessus,10669; classtype:web-application-activity; sid:1502; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI a1stats access"; flow:to_server,established; uricontent:"/a1stats/"; reference:bugtraq,2705; reference:cve,2001-0561; reference:nessus,10669; classtype:web-application-activity; sid:1731; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI admentor admin.asp access"; flow:to_server,established; uricontent:"/admentor/admin/admin.asp"; reference:bugtraq,4152; reference:cve,2002-0308; reference:nessus,10880; reference:url,www.securiteam.com/windowsntfocus/5DP0N1F6AW.html; classtype:web-application-activity; sid:1503; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI alchemy http server PRN arbitrary command execution attempt"; flow:to_server,established; uricontent:"/PRN/../../"; reference:bugtraq,3599; reference:cve,2001-0871; classtype:web-application-activity; sid:1505; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI alchemy http server NUL arbitrary command execution attempt"; flow:to_server,established; uricontent:"/NUL/../../"; reference:bugtraq,3599; reference:cve,2001-0871; classtype:web-application-activity; sid:1506; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI alibaba.pl arbitrary command execution attempt"; flow:to_server,established; uricontent:"/alibaba.pl|7C|"; reference:cve,1999-0885; reference:nessus,10013; classtype:web-application-attack; sid:1507; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI alibaba.pl access"; flow:to_server,established; uricontent:"/alibaba.pl"; reference:cve ,CAN-1999-0885; classtype:web-application-activity; sid:1508; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI AltaVista Intranet Search directory traversal attempt"; flow:to_server,established; uricontent:"/query?mss=.."; reference:bugtraq,896; reference:cve,2000-0039; reference:nessus,10015; classtype:web-application-attack; sid:1509; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI test.bat arbitrary command execution attempt"; flow:to_server,established; uricontent:"/test.bat|7C|"; reference:bugtraq,762; reference:cve,1999-0947; reference:nessus,10016; classtype:web-application-attack; sid:1510; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI test.bat access"; flow:to_server,established; uricontent:"/test.bat"; reference:bugtraq,762; reference:cve,1999-0947; reference:nessus,10016; classtype:web-application-activity; sid:1511; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI input.bat arbitrary command execution attempt"; flow:to_server,established; uricontent:"/input.bat|7C|"; reference:bugtraq,762; reference:cve,1999-0947; reference:nessus,10016; classtype:web-application-attack; sid:1512; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI input.bat access"; flow:to_server,established; uricontent:"/input.bat"; reference:bugtraq,762; reference:cve,1999-0947; reference:nessus,10016; classtype:web-application-activity; sid:1513; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI input2.bat arbitrary command execution attempt"; flow:to_server,established; uricontent:"/input2.bat|7C|"; reference:bugtraq,762; reference:cve,1999-0947; reference:nessus,10016; classtype:web-application-attack; sid:1514; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI input2.bat access"; flow:to_server,established; uricontent:"/input2.bat"; reference:bugtraq,762; reference:cve,1999-0947; reference:nessus,10016; classtype:web-application-activity; sid:1515; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI envout.bat arbitrary command execution attempt"; flow:to_server,established; uricontent:"/envout.bat|7C|"; reference:bugtraq,762; reference:cve,1999-0947; reference:nessus,10016; classtype:web-application-attack; sid:1516; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI envout.bat access"; flow:to_server,established; uricontent:"/envout.bat"; reference:bugtraq,762; reference:cve,1999-0947; reference:nessus,10016; classtype:web-application-activity; sid:1517; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI echo.bat arbitrary command execution attempt"; flow:to_server,established; uricontent:"/echo.bat"; content:"&"; reference:bugtraq,1002; reference:cve,2000-0213; reference:nessus,10246; classtype:web-application-attack; sid:1705; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI echo.bat access"; flow:to_server,established; uricontent:"/echo.bat"; reference:bugtraq,1002; reference:cve,2000-0213; reference:nessus,10246; classtype:web-application-activity; sid:1706; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI hello.bat arbitrary command execution attempt"; flow:to_server,established; uricontent:"/hello.bat"; content:"&"; reference:bugtraq,1002; reference:cve,2000-0213; reference:nessus,10246; classtype:web-application-attack; sid:1707; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI hello.bat access"; flow:to_server,established; uricontent:"/hello.bat"; reference:bugtraq,1002; reference:cve,2000-0213; reference:nessus,10246; classtype:web-application-activity; sid:1708; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI tst.bat access"; flow:to_server,established; uricontent:"/tst.bat"; reference:bugtraq,770; reference:cve,1999-0885; reference:nessus,10013; classtype:web-application-activity; sid:1650; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI /cgi-bin/ls access"; flow:to_server,established; uricontent:"/cgi-bin/ls"; nocase; reference:bugtraq,936; reference:cve,2000-0079; classtype:web-application-activity; sid:1539; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI cgimail access"; flow:to_server,established; uricontent:"/cgimail"; nocase; reference:cve,2000-0726; classtype:web-application-activity; sid:1542; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI cgiwrap access"; flow:to_server,established; uricontent:"/cgiwrap"; nocase; reference:bugtraq,1238; reference:bugtraq,3084; reference:bugtraq,777; reference:cve,1999-1530; reference:cve,2000-0431; reference:cve,2001-0987; reference:nessus,10041; classtype:web-application-activity; sid:1543; rev:12;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI csSearch.cgi arbitrary command execution attempt"; flow:to_server,established; uricontent:"/csSearch.cgi"; content:"setup="; content:"`"; content:"`"; distance:1; reference:bugtraq,4368; reference:cve,2002-0495; reference:nessus,10924; classtype:web-application-attack; sid:1547; rev:11;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI csSearch.cgi access"; flow:to_server,established; uricontent:"/csSearch.cgi"; reference:bugtraq,4368; reference:cve,2002-0495; reference:nessus,10924; classtype:web-application-activity; sid:1548; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI /cart/cart.cgi access"; flow:to_server,established; uricontent:"/cart/cart.cgi"; reference:bugtraq,1115; reference:cve,2000-0252; classtype:web-application-activity; sid:1553; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI dbman db.cgi access"; flow:to_server,established; uricontent:"/dbman/db.cgi"; reference:bugtraq,1178; reference:cve,2000-0381; reference:nessus,10403; classtype:web-application-activity; sid:1554; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI DCShop access"; flow:to_server,established; uricontent:"/dcshop"; nocase; reference:bugtraq,2889; reference:cve,2001-0821; classtype:web-application-activity; sid:1555; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI DCShop orders.txt access"; flow:to_server,established; uricontent:"/orders/orders.txt"; nocase; reference:bugtraq,2889; reference:cve,2001-0821; classtype:web-application-activity; sid:1556; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI DCShop auth_user_file.txt access"; flow:to_server,established; uricontent:"/auth_data/auth_user_file.txt"; nocase; reference:bugtraq,2889; reference:cve,2001-0821; classtype:web-application-activity; sid:1557; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI eshop.pl arbitrary commane execution attempt"; flow:to_server,established; uricontent:"/eshop.pl?seite=|3B|"; nocase; reference:bugtraq,3340; reference:cve,2001-1014; classtype:web-application-attack; sid:1565; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI eshop.pl access"; flow:to_server,established; uricontent:"/eshop.pl"; nocase; reference:bugtraq,3340; reference:cve,2001-1014; classtype:web-application-activity; sid:1566; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI loadpage.cgi directory traversal attempt"; flow:to_server,established; uricontent:"/loadpage.cgi"; content:"file=../"; nocase; classtype:web-application-attack; sid:1569; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI loadpage.cgi access"; flow:to_server,established; uricontent:"/loadpage.cgi"; nocase; classtype:web-application-activity; sid:1570; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI faqmanager.cgi arbitrary file access attempt"; flow:to_server,established; uricontent:"/faqmanager.cgi?toc="; uricontent:"|00|"; nocase; reference:bugtraq,3810; reference:nessus,10837; classtype:web-application-attack; sid:1590; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI faqmanager.cgi access"; flow:to_server,established; uricontent:"/faqmanager.cgi"; nocase; reference:bugtraq,3810; reference:nessus,10837; classtype:web-application-activity; sid:1591; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI /fcgi-bin/echo.exe access"; flow:to_server,established; uricontent:"/fcgi-bin/echo.exe"; nocase; reference:nessus,10838; classtype:web-application-activity; sid:1592; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI FormHandler.cgi directory traversal attempt attempt"; flow:to_server,established; uricontent:"/FormHandler.cgi"; nocase; content:"reply_message_attach="; nocase; content:"/../"; reference:bugtraq,798; reference:bugtraq,799; reference:cve,1999-1050; reference:nessus,10075; classtype:web-application-attack; sid:1628; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI FormHandler.cgi external site redirection attempt"; flow:to_server,established; uricontent:"/FormHandler.cgi"; nocase; content:"redirect=http"; reference:bugtraq,798; reference:bugtraq,799; reference:cve,1999-1050; reference:nessus,10075; classtype:web-application-attack; sid:1593; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI FormHandler.cgi access"; flow:to_server,established; uricontent:"/FormHandler.cgi"; nocase; reference:bugtraq,798; reference:bugtraq,799; reference:cve,1999-1050; reference:nessus,10075; classtype:web-application-activity; sid:1594; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI guestbook.cgi access"; flow:to_server,established; uricontent:"/guestbook.cgi"; nocase; reference:cve,1999-0237; reference:nessus,10098; classtype:web-application-activity; sid:1597; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI Home Free search.cgi directory traversal attempt"; flow:to_server,established; uricontent:"/search.cgi"; content:"letter=../.."; nocase; reference:bugtraq,921; reference:cve,2000-0054; classtype:web-application-attack; sid:1598; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI search.cgi access"; flow:to_server,established; uricontent:"/search.cgi"; nocase; reference:bugtraq,921; reference:cve,2000-0054; classtype:web-application-activity; sid:1599; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI enivorn.pl access"; flow:to_server,established; uricontent:"/enivron.pl"; nocase; classtype:web-application-activity; sid:1651; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI campus attempt"; flow:to_server,established; uricontent:"/campus?|0A|"; nocase; reference:bugtraq,1975; classtype:web-application-attack; sid:1652; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI campus access"; flow:to_server,established; uricontent:"/campus"; nocase; reference:bugtraq,1975; classtype:web-application-activity; sid:1653; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI cart32.exe access"; flow:to_server,established; uricontent:"/cart32.exe"; nocase; classtype:web-application-activity; sid:1654; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI pfdispaly.cgi arbitrary command execution attempt"; flow:to_server,established; uricontent:"/pfdispaly.cgi?'"; nocase; classtype:web-application-attack; sid:1655; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI pfdispaly.cgi access"; flow:to_server,established; uricontent:"/pfdispaly.cgi"; nocase; classtype:web-application-activity; sid:1656; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI pagelog.cgi directory traversal attempt"; flow:to_server,established; uricontent:"/pagelog.cgi"; nocase; content:"name=../"; nocase; reference:bugtraq,1864; reference:cve,2000-0940; reference:nessus,10591; classtype:web-application-activity; sid:1657; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI pagelog.cgi access"; flow:to_server,established; uricontent:"/pagelog.cgi"; nocase; reference:bugtraq,1864; reference:cve,2000-0940; reference:nessus,10591; classtype:web-application-activity; sid:1658; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI ad.cgi access"; flow:to_server,established; uricontent:"/ad.cgi"; nocase; classtype:web-application-activity; sid:1709; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bbs_forum.cgi access"; flow:to_server,established; uricontent:"/bbs_forum.cgi"; nocase; classtype:web-application-activity; sid:1710; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bsguest.cgi access"; flow:to_server,established; uricontent:"/bsguest.cgi"; nocase; classtype:web-application-activity; sid:1711; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bslist.cgi access"; flow:to_server,established; uricontent:"/bslist.cgi"; nocase; classtype:web-application-activity; sid:1712; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI cgforum.cgi access"; flow:to_server,established; uricontent:"/cgforum.cgi"; nocase; classtype:web-application-activity; sid:1713; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI newdesk access"; flow:to_server,established; uricontent:"/newdesk"; nocase; classtype:web-application-activity; sid:1714; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI register.cgi access"; flow:to_server,established; uricontent:"/register.cgi"; nocase; classtype:web-application-activity; sid:1715; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI gbook.cgi access"; flow:to_server,established; uricontent:"/gbook.cgi"; nocase; reference:bugtraq,1940; reference:cve,2000-1131; classtype:web-application-activity; sid:1716; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI simplestguest.cgi access"; flow:to_server,established; uricontent:"/simplestguest.cgi"; nocase; classtype:web-application-activity; sid:1717; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI statusconfig.pl access"; flow:to_server,established; uricontent:"/statusconfig.pl"; nocase; classtype:web-application-activity; sid:1718; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI talkback.cgi directory traversal attempt"; flow:to_server,established; uricontent:"/talkbalk.cgi"; nocase; content:"article=../../"; nocase; classtype:web-application-attack; sid:1719; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI talkback.cgi access"; flow:to_server,established; uricontent:"/talkbalk.cgi"; nocase; classtype:web-application-activity; sid:1720; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI adcycle access"; flow:to_server,established; uricontent:"/adcycle"; nocase; classtype:web-application-activity; sid:1721; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI MachineInfo access"; flow:to_server,established; uricontent:"/MachineInfo"; nocase; classtype:web-application-activity; sid:1722; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI emumail.cgi NULL attempt"; flow:to_server,established; uricontent:"/emumail.cgi"; content:"type="; nocase; content:"%00"; reference:bugtraq,5824; reference:cve,2002-1526; classtype:web-application-activity; sid:1723; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI emumail.cgi access"; flow:to_server,established; uricontent:"/emumail.cgi"; nocase; reference:bugtraq,5824; reference:cve,2002-1526; classtype:web-application-activity; sid:1724; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI document.d2w access"; flow:to_server,established; uricontent:"/document.d2w"; reference:bugtraq,2017; reference:cve,2000-1110; classtype:web-application-activity; sid:1642; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI db2www access"; flow:to_server,established; uricontent:"/db2www"; reference:cve,2000-0677; classtype:web-application-activity; sid:1643; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI /cgi-bin/ access"; flow:to_server,established; uricontent:"/cgi-bin/"; content:"/cgi-bin/ HTTP"; nocase; classtype:web-application-attack; sid:1668; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI /cgi-dos/ access"; flow:to_server,established; uricontent:"/cgi-dos/"; content:"/cgi-dos/ HTTP"; nocase; classtype:web-application-attack; sid:1669; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI technote main.cgi file directory traversal attempt"; flow:to_server,established; uricontent:"/technote/main.cgi"; nocase; content:"filename="; nocase; content:"../../"; reference:bugtraq,2156; reference:cve,2001-0075; classtype:web-application-attack; sid:1051; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI technote print.cgi directory traversal attempt"; flow:to_server,established; uricontent:"/technote/print.cgi"; nocase; content:"board="; nocase; content:"../../"; content:"%00"; reference:bugtraq,2156; reference:cve,2001-0075; classtype:web-application-attack; sid:1052; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI ads.cgi command execution attempt"; flow:to_server,established; uricontent:"/ads.cgi"; nocase; content:"file="; nocase; content:"../../"; content:"|7C|"; reference:bugtraq,2103; reference:cve,2001-0025; classtype:web-application-attack; sid:1053; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI eXtropia webstore directory traversal"; flow:to_server,established; uricontent:"/web_store.cgi"; content:"page=../"; reference:bugtraq,1774; reference:cve,2000-1005; classtype:web-application-attack; sid:1088; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI eXtropia webstore access"; flow:to_server,established; uricontent:"/web_store.cgi"; reference:bugtraq,1774; reference:cve,2000-1005; classtype:web-application-activity; sid:1611; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI shopping cart directory traversal"; flow:to_server,established; uricontent:"/shop.cgi"; content:"page=../"; reference:bugtraq,1777; reference:cve,2000-0921; classtype:web-application-attack; sid:1089; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI Allaire Pro Web Shell attempt"; flow:to_server,established; uricontent:"/authenticate.cgi?PASSWORD"; content:"config.ini"; classtype:web-application-attack; sid:1090; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI Armada Style Master Index directory traversal"; flow:to_server,established; uricontent:"/search.cgi?keys"; content:"catigory=../"; classtype:web-application-attack; sid:1092; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI cached_feed.cgi moreover shopping cart directory traversal"; flow:to_server,established; uricontent:"/cached_feed.cgi"; content:"../"; reference:bugtraq,1762; reference:cve,2000-0906; classtype:web-application-attack; sid:1093; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI cached_feed.cgi moreover shopping cart access"; flow:to_server,established; uricontent:"/cached_feed.cgi"; reference:bugtraq,1762; reference:cve,2000-0906; classtype:web-application-activity; sid:2051; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI Talentsoft Web+ exploit attempt"; flow:to_server,established; uricontent:"/webplus.cgi?Script=/webplus/webping/webping.wml"; reference:bugtraq,1725; classtype:web-application-attack; sid:1097; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI Poll-it access"; flow:to_server,established; uricontent:"/pollit/Poll_It_SSI_v2.0.cgi"; nocase; reference:bugtraq,1431; reference:cve,2000-0590; classtype:web-application-activity; sid:1106; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI count.cgi access"; flow:to_server,established; uricontent:"/count.cgi"; nocase; reference:bugtraq,128; reference:cve,1999-0021; reference:nessus,10049; classtype:web-application-activity; sid:1149; rev:12;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI webdist.cgi arbitrary command attempt"; flow:to_server,established; uricontent:"/webdist.cgi"; nocase; content:"distloc=|3B|"; nocase; reference:bugtraq,374; reference:cve,1999-0039; reference:nessus,10299; classtype:web-application-attack; sid:1865; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI webdist.cgi access"; flow:to_server,established; uricontent:"/webdist.cgi"; nocase; reference:bugtraq,374; reference:cve,1999-0039; reference:nessus,10299; classtype:web-application-activity; sid:1163; rev:11;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bigconf.cgi access"; flow:to_server,established; uricontent:"/bigconf.cgi"; nocase; reference:bugtraq,778; reference:cve,1999-1550; reference:nessus,10027; classtype:web-application-activity; sid:1172; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI /cgi-bin/jj access"; flow:to_server,established; uricontent:"/cgi-bin/jj"; nocase; reference:bugtraq,2002; reference:cve,1999-0260; classtype:web-application-activity; sid:1174; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bizdbsearch attempt"; flow:to_server,established; uricontent:"/bizdb1-search.cgi"; nocase; content:"mail"; nocase; reference:bugtraq,1104; reference:cve,2000-0287; classtype:web-application-attack; sid:1185; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bizdbsearch access"; flow:to_server,established; uricontent:"/bizdb1-search.cgi"; nocase; reference:bugtraq,1104; reference:cve,2000-0287; classtype:web-application-activity; sid:1535; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI sojourn.cgi File attempt"; flow:to_server,established; uricontent:"/sojourn.cgi?cat="; content:"%00"; nocase; reference:bugtraq,1052; reference:cve,2000-0180; classtype:web-application-attack; sid:1194; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI sojourn.cgi access"; flow:to_server,established; uricontent:"/sojourn.cgi"; nocase; reference:bugtraq,1052; reference:cve,2000-0180; classtype:web-application-activity; sid:1195; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI SGI InfoSearch fname attempt"; flow:to_server,established; uricontent:"/infosrch.cgi?"; content:"fname="; nocase; reference:arachnids,290; reference:bugtraq,1031; reference:cve,2000-0207; classtype:web-application-attack; sid:1196; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI SGI InfoSearch fname access"; flow:to_server,established; uricontent:"/infosrch.cgi"; reference:arachnids,290; reference:bugtraq,1031; reference:cve,2000-0207; classtype:web-application-activity; sid:1727; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI ax-admin.cgi access"; flow:to_server,established; uricontent:"/ax-admin.cgi"; classtype:web-application-activity; sid:1204; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI axs.cgi access"; flow:to_server,established; uricontent:"/axs.cgi"; classtype:web-application-activity; sid:1205; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI cachemgr.cgi access"; flow:to_server,established; uricontent:"/cachemgr.cgi"; reference:bugtraq,2059; reference:cve,1999-0710; reference:nessus,10034; classtype:web-application-activity; sid:1206; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI responder.cgi access"; flow:to_server,established; uricontent:"/responder.cgi"; classtype:web-application-activity; sid:1208; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI web-map.cgi access"; flow:to_server,established; uricontent:"/web-map.cgi"; classtype:web-application-activity; sid:1211; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI ministats admin access"; flow:to_server,established; uricontent:"/ministats/admin.cgi"; nocase; classtype:web-application-activity; sid:1215; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI dfire.cgi access"; flow:to_server,established; uricontent:"/dfire.cgi"; nocase; reference:bugtraq,0564; reference:bugtraq,564; reference:cve,1999-0913; classtype:web-application-activity; sid:1219; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI txt2html.cgi directory traversal attempt"; flow:to_server,established; uricontent:"/txt2html.cgi"; nocase; content:"/../../../../"; classtype:web-application-attack; sid:1305; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI txt2html.cgi access"; flow:to_server,established; uricontent:"/txt2html.cgi"; nocase; classtype:web-application-activity; sid:1304; rev:7;)
+# do we really need two of these?
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI store.cgi product directory traversal attempt"; flow:to_server,established; uricontent:"/store.cgi"; nocase; content:"product="; content:"../.."; reference:bugtraq,2385; reference:cve,2001-0305; classtype:web-application-attack; sid:1306; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI store.cgi directory traversal attempt"; flow:to_server,established; uricontent:"/store.cgi"; nocase; content:"../"; reference:bugtraq,2385; reference:cve,2001-0305; reference:nessus,10639; classtype:web-application-attack; sid:1488; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI store.cgi access"; flow:to_server,established; uricontent:"/store.cgi"; nocase; reference:bugtraq,2385; reference:cve,2001-0305; reference:nessus,10639; classtype:web-application-activity; sid:1307; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI SIX webboard generate.cgi attempt"; flow:to_server,established; uricontent:"/generate.cgi"; content:"content=../"; reference:bugtraq,3175; reference:cve,2001-1115; classtype:web-application-attack; sid:1494; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI SIX webboard generate.cgi access"; flow:to_server,established; uricontent:"/generate.cgi"; reference:bugtraq,3175; reference:cve,2001-1115; classtype:web-application-activity; sid:1495; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI spin_client.cgi access"; flow:to_server,established; uricontent:"/spin_client.cgi"; classtype:web-application-activity; sid:1496; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI csPassword.cgi access"; flow:to_server,established; uricontent:"/csPassword.cgi"; reference:bugtraq,4885; reference:bugtraq,4886; reference:bugtraq,4887; reference:bugtraq,4889; reference:cve,2002-0917; reference:cve,2002-0918; classtype:web-application-activity; sid:1787; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI csPassword password.cgi.tmp access"; flow:to_server,established; uricontent:"/password.cgi.tmp"; reference:bugtraq,4889; reference:cve,2002-0920; classtype:web-application-activity; sid:1788; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI Nortel Contivity cgiproc DOS attempt"; flow:to_server,established; uricontent:"/cgiproc?Nocfile="; reference:bugtraq,938; reference:cve,2000-0063; reference:cve,2000-0064; reference:nessus,10160; classtype:web-application-attack; sid:1763; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI Nortel Contivity cgiproc DOS attempt"; flow:to_server,established; uricontent:"/cgiproc?|24|"; reference:bugtraq,938; reference:cve,2000-0063; reference:cve,2000-0064; reference:nessus,10160; classtype:web-application-attack; sid:1764; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI Nortel Contivity cgiproc access"; flow:to_server,established; uricontent:"/cgiproc"; reference:bugtraq,938; reference:cve,2000-0063; reference:cve,2000-0064; reference:nessus,10160; classtype:web-application-activity; sid:1765; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI Oracle reports CGI access"; flow:to_server,established; uricontent:"/rwcgi60"; content:"setauth="; reference:bugtraq,4848; reference:cve,2002-0947; classtype:web-application-activity; sid:1805; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI alienform.cgi directory traversal attempt"; flow:established,to_server; uricontent:"/alienform.cgi"; content:".|7C|./.|7C|."; reference:bugtraq,4983; reference:cve,2002-0934; reference:nessus,11027; classtype:web-application-attack; sid:1822; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI AlienForm af.cgi directory traversal attempt"; flow:established,to_server; uricontent:"/af.cgi"; content:".|7C|./.|7C|."; reference:bugtraq,4983; reference:cve,2002-0934; reference:nessus,11027; classtype:web-application-attack; sid:1823; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI alienform.cgi access"; flow:established,to_server; uricontent:"/alienform.cgi"; reference:bugtraq,4983; reference:cve,2002-0934; reference:nessus,11027; classtype:web-application-activity; sid:1824; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI AlienForm af.cgi access"; flow:established,to_server; uricontent:"/af.cgi"; reference:bugtraq,4983; reference:cve,2002-0934; reference:nessus,11027; classtype:web-application-activity; sid:1825; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"WEB-CGI story.pl arbitrary file read attempt"; flow:to_server,established; uricontent:"/story.pl"; content:"next=../"; reference:bugtraq,3028; reference:cve,2001-0804; reference:nessus,10817; classtype:default-login-attempt; sid:1868; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"WEB-CGI story.pl access"; flow:to_server,established; uricontent:"/story.pl"; reference:bugtraq,3028; reference:cve,2001-0804; reference:nessus,10817; classtype:default-login-attempt; sid:1869; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI siteUserMod.cgi access"; flow:to_server,established; uricontent:"/.cobalt/siteUserMod/siteUserMod.cgi"; reference:bugtraq,951; reference:cve,2000-0117; reference:nessus,10253; classtype:web-application-activity; sid:1870; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI cgicso access"; flow:to_server,established; uricontent:"/cgicso"; reference:bugtraq,6141; reference:nessus,10779; reference:nessus,10780; classtype:web-application-activity; sid:1875; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI nph-publish.cgi access"; flow:to_server,established; uricontent:"/nph-publish.cgi"; reference:cve,1999-1177; reference:nessus,10164; classtype:web-application-activity; sid:1876; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI printenv access"; flow:to_server,established; uricontent:"/printenv"; reference:bugtraq,1658; reference:cve,2000-0868; reference:nessus,10503; classtype:web-application-activity; sid:1877; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI sdbsearch.cgi access"; flow:to_server,established; uricontent:"/sdbsearch.cgi"; reference:bugtraq,1658; reference:cve,2000-0868; reference:nessus,10503; classtype:web-application-activity; sid:1878; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI rpc-nlog.pl access"; flow:to_server,established; uricontent:"/rpc-nlog.pl"; reference:cve,1999-1278; classtype:web-application-activity; sid:1931; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI rpc-smb.pl access"; flow:to_server,established; uricontent:"/rpc-smb.pl"; reference:cve,1999-1278; classtype:web-application-activity; sid:1932; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI cart.cgi access"; flow:to_server,established; uricontent:"/cart.cgi"; classtype:web-application-activity; sid:1933; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI vpasswd.cgi access"; flow:to_server,established; uricontent:"/vpasswd.cgi"; reference:bugtraq,6038; reference:nessus,11165; classtype:web-application-activity; sid:1994; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI alya.cgi access"; flow:to_server,established; uricontent:"/alya.cgi"; reference:nessus,11118; classtype:web-application-activity; sid:1995; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI viralator.cgi access"; flow:to_server,established; uricontent:"/viralator.cgi"; reference:cve,2001-0849; reference:nessus,11107; classtype:web-application-activity; sid:1996; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI smartsearch.cgi access"; flow:to_server,established; uricontent:"/smartsearch.cgi"; classtype:web-application-activity; sid:2001; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI mrtg.cgi directory traversal attempt"; flow:to_server,established; uricontent:"/mrtg.cgi"; content:"cfg=/../"; reference:bugtraq,4017; reference:cve,2002-0232; reference:nessus,11001; classtype:web-application-attack; sid:1862; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI overflow.cgi access"; flow:to_server,established; uricontent:"/overflow.cgi"; reference:nessus,11190; reference:url,www.cert.org/advisories/CA-2002-35.html; classtype:web-application-activity; sid:2052; rev:3;)
+
+# NOTES: this signature looks for someone accessing the web application
+# "way-board.cgi".  This application allows attackers to view arbitrary
+# files that are readable with the privilages of the web server.
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI way-board.cgi access"; flow:to_server,established; uricontent:"/way-board.cgi"; nocase; reference:nessus,10610; classtype:web-application-activity; sid:1850; rev:3;)
+
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI process_bug.cgi access"; flow:to_server,established; uricontent:"/process_bug.cgi"; nocase; reference:cve,2002-0008; classtype:web-application-activity; sid:2053; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI enter_bug.cgi arbitrary command attempt"; flow:to_server,established; uricontent:"/enter_bug.cgi"; nocase; content:"who="; content:"|3B|"; distance:0; reference:cve,2002-0008; classtype:web-application-attack; sid:2054; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI enter_bug.cgi access"; flow:to_server,established; uricontent:"/enter_bug.cgi"; nocase; reference:cve,2002-0008; classtype:web-application-activity; sid:2055; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI parse_xml.cgi access"; flow:to_server,established; uricontent:"/parse_xml.cgi"; nocase; reference:bugtraq,6960; reference:cve,2003-0054; classtype:web-application-activity; sid:2085; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 1220 (msg:"WEB-CGI streaming server parse_xml.cgi access"; flow:to_server,established; content:"/parse_xml.cgi"; nocase; reference:bugtraq,6960; reference:cve,2003-0054; classtype:web-application-activity; sid:2086; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI album.pl access"; flow:to_server,established; content:"/album.pl"; nocase; reference:bugtraq,7444; classtype:web-application-activity; sid:2115; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI chipcfg.cgi access"; flow:to_server,established; uricontent:"/chipcfg.cgi"; nocase; reference:bugtraq,2767; reference:cve,2001-1341; classtype:web-application-activity; sid:2116; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI ikonboard.cgi access"; flow:to_server,established; uricontent:"/ikonboard.cgi"; nocase; reference:bugtraq,7361; reference:nessus,11605; classtype:web-application-activity; sid:2127; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI swsrv.cgi access"; flow:to_server,established; uricontent:"/srsrv.cgi"; nocase; reference:bugtraq,7510; reference:cve,2003-0217; reference:nessus,11608; classtype:web-application-activity; sid:2128; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI CSMailto.cgi access"; flow:to_server,established; uricontent:"/CSMailto.cgi"; nocase; reference:bugtraq,4579; reference:bugtraq,6265; reference:cve,2002-0749; reference:nessus,11748; classtype:web-application-activity; sid:2194; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI alert.cgi access"; flow:to_server,established; uricontent:"/alert.cgi"; nocase; reference:bugtraq,4211; reference:bugtraq,4579; reference:cve,2002-0346; reference:nessus,11748; classtype:web-application-activity; sid:2195; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI catgy.cgi access"; flow:to_server,established; uricontent:"/alert.cgi"; nocase; reference:bugtraq,3714; reference:bugtraq,4579; reference:cve,2001-1212; reference:nessus,11748; classtype:web-application-activity; sid:2196; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI cvsview2.cgi access"; flow:to_server,established; uricontent:"/cvsview2.cgi"; nocase; reference:bugtraq,4579; reference:bugtraq,5517; reference:cve,2003-0153; reference:nessus,11748; classtype:web-application-activity; sid:2197; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI cvslog.cgi access"; flow:to_server,established; uricontent:"/cvslog.cgi"; nocase; reference:bugtraq,4579; reference:bugtraq,5517; reference:cve,2003-0153; reference:nessus,11748; classtype:web-application-activity; sid:2198; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI multidiff.cgi access"; flow:to_server,established; uricontent:"/multidiff.cgi"; nocase; reference:bugtraq,4579; reference:bugtraq,5517; reference:cve,2003-0153; reference:nessus,11748; classtype:web-application-activity; sid:2199; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI dnewsweb.cgi access"; flow:to_server,established; uricontent:"/dnewsweb.cgi"; nocase; reference:bugtraq,1172; reference:bugtraq,4579; reference:cve,2000-0423; reference:nessus,11748; classtype:web-application-activity; sid:2200; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI download.cgi access"; flow:to_server,established; uricontent:"/download.cgi"; nocase; reference:bugtraq,4579; reference:cve,1999-1377; reference:nessus,11748; classtype:web-application-activity; sid:2201; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI edit_action.cgi access"; flow:to_server,established; uricontent:"/edit_action.cgi"; nocase; reference:bugtraq,3698; reference:bugtraq,4579; reference:cve,2001-1196; reference:nessus,11748; classtype:web-application-activity; sid:2202; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI everythingform.cgi access"; flow:to_server,established; uricontent:"/everythingform.cgi"; nocase; reference:bugtraq,2101; reference:bugtraq,4579; reference:cve,2001-0023; reference:nessus,11748; classtype:web-application-activity; sid:2203; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI ezadmin.cgi access"; flow:to_server,established; uricontent:"/ezadmin.cgi"; nocase; reference:bugtraq,4068; reference:bugtraq,4579; reference:cve,2002-0263; reference:nessus,11748; classtype:web-application-activity; sid:2204; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI ezboard.cgi access"; flow:to_server,established; uricontent:"/ezboard.cgi"; nocase; reference:bugtraq,4068; reference:bugtraq,4579; reference:cve,2002-0263; reference:nessus,11748; classtype:web-application-activity; sid:2205; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI ezman.cgi access"; flow:to_server,established; uricontent:"/ezman.cgi"; nocase; reference:bugtraq,4068; reference:bugtraq,4579; reference:cve,2002-0263; reference:nessus,11748; classtype:web-application-activity; sid:2206; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI fileseek.cgi access"; flow:to_server,established; uricontent:"/fileseek.cgi"; nocase; reference:bugtraq,4579; reference:bugtraq,6784; reference:cve,2002-0611; reference:nessus,11748; classtype:web-application-activity; sid:2207; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI fom.cgi access"; flow:to_server,established; uricontent:"/fom.cgi"; nocase; reference:bugtraq,4579; reference:cve,2002-0230; reference:nessus,11748; classtype:web-application-activity; sid:2208; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI getdoc.cgi access"; flow:to_server,established; uricontent:"/getdoc.cgi"; nocase; reference:bugtraq,4579; reference:cve,2000-0288; reference:nessus,11748; classtype:web-application-activity; sid:2209; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI global.cgi access"; flow:to_server,established; uricontent:"/global.cgi"; nocase; reference:bugtraq,4579; reference:cve,2000-0952; reference:nessus,11748; classtype:web-application-activity; sid:2210; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI guestserver.cgi access"; flow:to_server,established; uricontent:"/guestserver.cgi"; nocase; reference:bugtraq,4579; reference:cve,2001-0180; reference:nessus,11748; classtype:web-application-activity; sid:2211; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI imageFolio.cgi access"; flow:to_server,established; uricontent:"/imageFolio.cgi"; nocase; reference:bugtraq,4579; reference:bugtraq,6265; reference:cve,2002-1334; reference:nessus,11748; classtype:web-application-activity; sid:2212; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI mailfile.cgi access"; flow:to_server,established; uricontent:"/mailfile.cgi"; nocase; reference:bugtraq,1807; reference:bugtraq,4579; reference:cve,2000-0977; reference:nessus,11748; classtype:web-application-activity; sid:2213; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI mailview.cgi access"; flow:to_server,established; uricontent:"/mailview.cgi"; nocase; reference:bugtraq,1335; reference:bugtraq,4579; reference:cve,2000-0526; reference:nessus,11748; classtype:web-application-activity; sid:2214; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI nsManager.cgi access"; flow:to_server,established; uricontent:"/nsManager.cgi"; nocase; reference:bugtraq,1710; reference:bugtraq,4579; reference:cve,2000-1023; reference:nessus,11748; classtype:web-application-activity; sid:2215; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI readmail.cgi access"; flow:to_server,established; uricontent:"/readmail.cgi"; nocase; reference:bugtraq,3427; reference:bugtraq,4579; reference:cve,2001-1283; reference:nessus,11748; classtype:web-application-activity; sid:2216; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI printmail.cgi access"; flow:to_server,established; uricontent:"/printmail.cgi"; nocase; reference:bugtraq,3427; reference:bugtraq,4579; reference:cve,2001-1283; reference:nessus,11748; classtype:web-application-activity; sid:2217; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI service.cgi access"; flow:to_server,established; uricontent:"/service.cgi"; nocase; reference:bugtraq,4211; reference:bugtraq,4579; reference:cve,2002-0346; reference:nessus,11748; classtype:web-application-activity; sid:2218; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI setpasswd.cgi access"; flow:to_server,established; uricontent:"/setpasswd.cgi"; nocase; reference:bugtraq,2212; reference:bugtraq,4579; reference:cve,2001-0133; reference:nessus,11748; classtype:web-application-activity; sid:2219; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI simplestmail.cgi access"; flow:to_server,established; uricontent:"/simplestmail.cgi"; nocase; reference:bugtraq,2106; reference:bugtraq,4579; reference:cve,2001-0022; reference:nessus,11748; classtype:web-application-activity; sid:2220; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI ws_mail.cgi access"; flow:to_server,established; uricontent:"/ws_mail.cgi"; nocase; reference:bugtraq,2861; reference:bugtraq,4579; reference:cve,2001-1343; reference:nessus,11748; classtype:web-application-activity; sid:2221; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI nph-exploitscanget.cgi access"; flow:to_server,established; uricontent:"/nph-exploitscanget.cgi"; nocase; reference:bugtraq,7910; reference:bugtraq,7911; reference:bugtraq,7912; reference:cve,2003-0434; reference:nessus,11740; classtype:web-application-activity; sid:2222; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI csNews.cgi access"; flow:to_server,established; uricontent:"/csNews.cgi"; nocase; reference:bugtraq,4994; reference:cve,2002-0923; reference:nessus,11726; classtype:web-application-activity; sid:2223; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI psunami.cgi access"; flow:to_server,established; uricontent:"/psunami.cgi"; nocase; reference:bugtraq,6607; reference:nessus,11750; classtype:web-application-activity; sid:2224; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI gozila.cgi access"; flow:to_server,established; uricontent:"/gozila.cgi"; nocase; reference:nessus,11773; classtype:web-application-activity; sid:2225; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI quickstore.cgi access"; flow:to_server,established; uricontent:"/quickstore.cgi"; nocase; reference:bugtraq,9282; reference:nessus,11975; classtype:web-application-activity; sid:2323; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI view_broadcast.cgi access"; flow:to_server,established; uricontent:"/view_broadcast.cgi"; nocase; reference:bugtraq,8257; reference:cve,2003-0422; classtype:web-application-activity; sid:2387; rev:4;)
+# when we get por lists... merge this with 2387...
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 1220 (msg:"WEB-CGI streaming server view_broadcast.cgi access"; flow:to_server,established; uricontent:"/view_broadcast.cgi"; nocase; reference:bugtraq,8257; reference:cve,2003-0422; classtype:web-application-activity; sid:2388; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI CCBill whereami.cgi arbitrary command execution attempt"; flow:to_server,established; uricontent:"/whereami.cgi?g="; nocase; reference:bugtraq,8095; classtype:web-application-attack; sid:2396; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI CCBill whereami.cgi access"; flow:to_server,established; uricontent:"/whereami.cgi"; nocase; reference:bugtraq,8095; classtype:web-application-activity; sid:2397; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 3000 (msg:"WEB-CGI MDaemon form2raw.cgi overflow attempt"; flow:to_server,established; uricontent:"/form2raw.cgi"; nocase; pcre:"/\Wfrom=[^\x3b&\n]{100}/si"; reference:bugtraq,9317; classtype:web-application-attack; sid:2433; rev:1;)
+# the prevous rule looks for the attack, but we still want to catch the
+# scanners.  if we had port lists, this rule would be HTTP_PORTS and 3000
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI MDaemon form2raw.cgi access"; flow:to_server,established; content:"/form2raw.cgi"; nocase; reference:bugtraq,9317; classtype:web-application-activity; sid:2434; rev:1;)
+
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI Emumail init.emu access"; flow:to_server,established; uricontent:"/init.emu"; nocase; reference:bugtraq,9861; classtype:web-application-activity; sid:2567; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI Emumail emumail.fcgi access"; flow:to_server,established; uricontent:"/emumail.fcgi"; nocase; reference:bugtraq,9861; classtype:web-application-activity; sid:2568; rev:1;)
diff --git a/scripts/s2b/snort_rules2.2/web-client.rules b/scripts/s2b/snort_rules2.2/web-client.rules
new file mode 100644
index 0000000000..e34d5472b9
--- /dev/null
+++ b/scripts/s2b/snort_rules2.2/web-client.rules
@@ -0,0 +1,25 @@
+# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
+#    All rights reserved.
+# $Id: web-client.rules 91 2004-07-15 08:13:57Z rwinslow $
+#---------------
+# WEB-CLIENT RULES
+#---------------
+#
+# These signatures look for two things:
+# * bad things coming from our users
+# * attacks against our web users
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-CLIENT Outlook EML access"; flow:from_client,established; uricontent:".eml"; classtype:attempted-user; sid:1233; rev:9;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-CLIENT Microsoft emf metafile access"; flow:from_client,established; uricontent:".emf"; reference:bugtraq,9707; classtype:attempted-user; sid:2435; rev:2;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-CLIENT Microsoft wmf metafile access"; flow:from_client,established; uricontent:".wmf"; reference:bugtraq,9707; classtype:attempted-user; sid:2436; rev:2;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT XMLHttpRequest attempt"; flow:to_client,established; content:"new XMLHttpRequest|28|"; content:"file|3A|//"; nocase; classtype:web-application-attack; sid:1735; rev:4;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-CLIENT readme.eml download attempt"; flow:from_client,established; uricontent:"/readme.eml"; nocase; reference:url,www.cert.org/advisories/CA-2001-26.html; classtype:attempted-user; sid:1284; rev:10;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT readme.eml autoload attempt"; flow:to_client,established; content:"window.open|28 22|readme.eml|22|"; nocase; reference:url,www.cert.org/advisories/CA-2001-26.html; classtype:attempted-user; sid:1290; rev:10;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Javascript document.domain attempt"; flow:to_client,established; content:"document.domain|28|"; nocase; reference:bugtraq,5346; classtype:attempted-user; sid:1840; rev:5;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Javascript URL host spoofing attempt"; flow:to_client,established; content:"javascript|3A|//"; nocase; reference:bugtraq,5293; classtype:attempted-user; sid:1841; rev:5;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT RealPlayer arbitrary javascript command attempt"; flow:to_client,established; content:"Content-Type|3A|"; nocase; pcre:"/^Content-Type\x3a\s+application\x2fsmi.*?<area[\s\n\r]+href=[\x22\x27]file\x3ajavascript\x3a/smi"; reference:bugtraq,8453; reference:bugtraq,9738; reference:cve,2003-0726; classtype:attempted-user; sid:2437; rev:5;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT RealPlayer playlist file URL overflow attempt"; flow:from_server,established; flowbits:isset,realplayer.playlist; content:"file|3A|//"; nocase; pcre:"/^file\x3a\x2f\x2f[^\n]{400}/smi"; reference:bugtraq,9579; classtype:attempted-user; sid:2438; rev:3;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT RealPlayer playlist http URL overflow attempt"; flow:from_server,established; flowbits:isset,realplayer.playlist; content:"http|3A|//"; nocase; pcre:"/^http\x3a\x2f\x2f[^\n]{400}/smi"; reference:bugtraq,9579; classtype:attempted-user; sid:2439; rev:3;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT RealPlayer playlist rtsp URL overflow attempt"; flow:from_server,established; flowbits:isset,realplayer.playlist; content:"rtsp|3A|//"; nocase; pcre:"/^http\x3a\x2f\x2f[^\n]{400}/smi"; reference:bugtraq,9579; classtype:attempted-user; sid:2440; rev:3;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Nortan antivirus sysmspam.dll load attempt"; flow:to_client,established; content:"clsid|3A|"; nocase; content:"0534CF61-83C5-4765-B19B-45F7A4E135D0"; nocase; reference:bugtraq,9916; reference:cve,2004-0363; classtype:attempted-admin; sid:2485; rev:4;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT local resource redirection attempt"; flow:to_client,established; content:"Location|3a|"; nocase; pcre:"/^Location\x3a\s*URL\s*\x3a/smi"; reference:cve,2004-0549; reference:url,www.kb.cert.org/vuls/id/713878; classtype:attempted-user; sid:2577; rev:2;)
diff --git a/scripts/s2b/snort_rules2.2/web-coldfusion.rules b/scripts/s2b/snort_rules2.2/web-coldfusion.rules
new file mode 100644
index 0000000000..72925c3775
--- /dev/null
+++ b/scripts/s2b/snort_rules2.2/web-coldfusion.rules
@@ -0,0 +1,43 @@
+# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
+#    All rights reserved.
+# $Id: web-coldfusion.rules 91 2004-07-15 08:13:57Z rwinslow $
+#---------------------
+# WEB-COLDFUSION RULES
+#---------------------
+#
+
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION cfcache.map access"; flow:to_server,established; uricontent:"/cfcache.map"; nocase; reference:bugtraq,917; reference:cve,2000-0057; classtype:attempted-recon; sid:903; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION exampleapp application.cfm"; flow:to_server,established; uricontent:"/cfdocs/exampleapp/email/application.cfm"; nocase; reference:bugtraq,1021; reference:cve,2000-0189; classtype:attempted-recon; sid:904; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION application.cfm access"; flow:to_server,established; uricontent:"/cfdocs/exampleapp/publish/admin/application.cfm"; nocase; reference:bugtraq,1021; reference:cve,2000-0189; classtype:attempted-recon; sid:905; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION getfile.cfm access"; flow:to_server,established; uricontent:"/cfdocs/exampleapp/email/getfile.cfm"; nocase; reference:bugtraq,229; reference:cve,1999-0800; classtype:attempted-recon; sid:906; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION addcontent.cfm access"; flow:to_server,established; uricontent:"/cfdocs/exampleapp/publish/admin/addcontent.cfm"; nocase; classtype:attempted-recon; sid:907; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION administrator access"; flow:to_server,established; uricontent:"/cfide/administrator/index.cfm"; nocase; reference:bugtraq,1314; reference:cve,2000-0538; classtype:attempted-recon; sid:908; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION datasource username attempt"; flow:to_server,established; content:"CF_SETDATASOURCEUSERNAME|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:909; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION fileexists.cfm access"; flow:to_server,established; uricontent:"/cfdocs/snippets/fileexists.cfm"; nocase; reference:bugtraq,550; classtype:attempted-recon; sid:910; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION exprcalc access"; flow:to_server,established; uricontent:"/cfdocs/expeval/exprcalc.cfm"; nocase; reference:bugtraq,115; reference:bugtraq,550; reference:cve,1999-0455; classtype:attempted-recon; sid:911; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION parks access"; flow:to_server,established; uricontent:"/cfdocs/examples/parks/detail.cfm"; nocase; reference:bugtraq,550; classtype:attempted-recon; sid:912; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION cfappman access"; flow:to_server,established; uricontent:"/cfappman/index.cfm"; nocase; reference:bugtraq,550; classtype:attempted-recon; sid:913; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION beaninfo access"; flow:to_server,established; uricontent:"/cfdocs/examples/cvbeans/beaninfo.cfm"; nocase; reference:bugtraq,550; classtype:attempted-recon; sid:914; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION evaluate.cfm access"; flow:to_server,established; uricontent:"/cfdocs/snippets/evaluate.cfm"; nocase; reference:bugtraq,550; classtype:attempted-recon; sid:915; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION getodbcdsn access"; flow:to_server,established; content:"CFUSION_GETODBCDSN|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:916; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION db connections flush attempt"; flow:to_server,established; content:"CFUSION_DBCONNECTIONS_FLUSH|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:917; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION expeval access"; flow:to_server,established; uricontent:"/cfdocs/expeval/"; nocase; reference:bugtraq,550; reference:cve,1999-0477; classtype:attempted-user; sid:918; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION datasource passwordattempt"; flow:to_server,established; content:"CF_SETDATASOURCEPASSWORD|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:919; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION datasource attempt"; flow:to_server,established; content:"CF_ISCOLDFUSIONDATASOURCE|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:920; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION admin encrypt attempt"; flow:to_server,established; content:"CFUSION_ENCRYPT|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:921; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION displayfile access"; flow:to_server,established; uricontent:"/cfdocs/expeval/displayopenedfile.cfm"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:922; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION getodbcin attempt"; flow:to_server,established; content:"CFUSION_GETODBCINI|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:923; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION admin decrypt attempt"; flow:to_server,established; content:"CFUSION_DECRYPT|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:924; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION mainframeset access"; flow:to_server,established; uricontent:"/cfdocs/examples/mainframeset.cfm"; nocase; reference:bugtraq,550; classtype:attempted-recon; sid:925; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION set odbc ini attempt"; flow:to_server,established; content:"CFUSION_SETODBCINI|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:926; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION settings refresh attempt"; flow:to_server,established; content:"CFUSION_SETTINGS_REFRESH|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:927; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION exampleapp access"; flow:to_server,established; uricontent:"/cfdocs/exampleapp/"; nocase; classtype:attempted-recon; sid:928; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION CFUSION_VERIFYMAIL access"; flow:to_server,established; content:"CFUSION_VERIFYMAIL|28 29|"; nocase; reference:bugtraq,550; classtype:attempted-user; sid:929; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION snippets attempt"; flow:to_server,established; uricontent:"/cfdocs/snippets/"; nocase; reference:bugtraq,550; classtype:attempted-recon; sid:930; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION cfmlsyntaxcheck.cfm access"; flow:to_server,established; uricontent:"/cfdocs/cfmlsyntaxcheck.cfm"; nocase; reference:bugtraq,550; classtype:attempted-recon; sid:931; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION application.cfm access"; flow:to_server,established; uricontent:"/application.cfm"; nocase; reference:arachnids,268; reference:bugtraq,550; reference:cve,2000-0189; classtype:attempted-recon; sid:932; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION onrequestend.cfm access"; flow:to_server,established; uricontent:"/onrequestend.cfm"; nocase; reference:arachnids,269; reference:bugtraq,550; reference:cve,2000-0189; classtype:attempted-recon; sid:933; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION startstop DOS access"; flow:to_server,established; uricontent:"/cfide/administrator/startstop.html"; nocase; reference:bugtraq,247; classtype:web-application-attack; sid:935; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION gettempdirectory.cfm access "; flow:to_server,established; uricontent:"/cfdocs/snippets/gettempdirectory.cfm"; nocase; reference:bugtraq,550; classtype:attempted-recon; sid:936; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION sendmail.cfm access"; flow:to_server,established; uricontent:"/sendmail.cfm"; nocase; classtype:attempted-recon; sid:1659; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION ?Mode=debug attempt"; flow:to_server,established; uricontent:"Mode=debug"; nocase; classtype:web-application-activity; sid:1540; rev:5;)
diff --git a/scripts/s2b/snort_rules2.2/web-frontpage.rules b/scripts/s2b/snort_rules2.2/web-frontpage.rules
new file mode 100644
index 0000000000..3588cc6c8d
--- /dev/null
+++ b/scripts/s2b/snort_rules2.2/web-frontpage.rules
@@ -0,0 +1,41 @@
+# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
+#    All rights reserved.
+# $Id: web-frontpage.rules 91 2004-07-15 08:13:57Z rwinslow $
+#--------------------
+# WEB-FRONTPAGE RULES
+#--------------------
+
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE rad fp30reg.dll access"; flow:to_server,established; uricontent:"/fp30reg.dll"; nocase; reference:arachnids,555; reference:bugtraq,2906; reference:cve,2001-0341; reference:url,www.microsoft.com/technet/security/bulletin/MS01-035.mspx; classtype:web-application-activity; sid:1248; rev:13;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE frontpage rad fp4areg.dll access"; flow:to_server,established; uricontent:"/fp4areg.dll"; nocase; reference:bugtraq,2906; reference:cve,2001-0341; classtype:web-application-activity; sid:1249; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE _vti_rpc access"; flow:to_server,established; uricontent:"/_vti_rpc"; nocase; reference:bugtraq,2144; classtype:web-application-activity; sid:937; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE posting"; flow:to_server,established; content:"POST"; uricontent:"/author.dll"; nocase; classtype:web-application-activity; sid:939; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE shtml.dll access"; flow:to_server,established; uricontent:"/_vti_bin/shtml.dll"; nocase; reference:arachnids,292; classtype:web-application-activity; sid:940; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE contents.htm access"; flow:to_server,established; uricontent:"/admcgi/contents.htm"; nocase; classtype:web-application-activity; sid:941; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE orders.htm access"; flow:to_server,established; uricontent:"/_private/orders.htm"; nocase; classtype:web-application-activity; sid:942; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE fpsrvadm.exe access"; flow:to_server,established; uricontent:"/fpsrvadm.exe"; nocase; classtype:web-application-activity; sid:943; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE fpremadm.exe access"; flow:to_server,established; uricontent:"/fpremadm.exe"; nocase; classtype:web-application-activity; sid:944; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE fpadmin.htm access"; flow:to_server,established; uricontent:"/admisapi/fpadmin.htm"; nocase; classtype:web-application-activity; sid:945; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE fpadmcgi.exe access"; flow:to_server,established; uricontent:"/scripts/Fpadmcgi.exe"; nocase; classtype:web-application-activity; sid:946; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE orders.txt access"; flow:to_server,established; uricontent:"/_private/orders.txt"; nocase; classtype:web-application-activity; sid:947; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE form_results access"; flow:to_server,established; uricontent:"/_private/form_results.txt"; nocase; classtype:web-application-activity; sid:948; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE registrations.htm access"; flow:to_server,established; uricontent:"/_private/registrations.htm"; nocase; classtype:web-application-activity; sid:949; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE cfgwiz.exe access"; flow:to_server,established; uricontent:"/cfgwiz.exe"; nocase; classtype:web-application-activity; sid:950; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE authors.pwd access"; flow:to_server,established; uricontent:"/authors.pwd"; nocase; reference:bugtraq,989; reference:cve,1999-0386; reference:nessus,10078; classtype:web-application-activity; sid:951; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE author.exe access"; flow:to_server,established; uricontent:"/_vti_bin/_vti_aut/author.exe"; nocase; classtype:web-application-activity; sid:952; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE administrators.pwd access"; flow:to_server,established; uricontent:"/administrators.pwd"; nocase; reference:bugtraq,1205; classtype:web-application-activity; sid:953; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE form_results.htm access"; flow:to_server,established; uricontent:"/_private/form_results.htm"; nocase; classtype:web-application-activity; sid:954; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE access.cnf access"; flow:to_server,established; uricontent:"/_vti_pvt/access.cnf"; nocase; classtype:web-application-activity; sid:955; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE register.txt access"; flow:to_server,established; uricontent:"/_private/register.txt"; nocase; classtype:web-application-activity; sid:956; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE registrations.txt access"; flow:to_server,established; uricontent:"/_private/registrations.txt"; nocase; classtype:web-application-activity; sid:957; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE service.cnf access"; flow:to_server,established; uricontent:"/_vti_pvt/service.cnf"; nocase; classtype:web-application-activity; sid:958; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE service.pwd"; flow:to_server,established; uricontent:"/service.pwd"; nocase; reference:bugtraq,1205; classtype:web-application-activity; sid:959; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE service.stp access"; flow:to_server,established; uricontent:"/_vti_pvt/service.stp"; nocase; classtype:web-application-activity; sid:960; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE services.cnf access"; flow:to_server,established; uricontent:"/_vti_pvt/services.cnf"; nocase; classtype:web-application-activity; sid:961; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE shtml.exe access"; flow:to_server,established; uricontent:"/_vti_bin/shtml.exe"; nocase; reference:bugtraq,1174; reference:bugtraq,1608; reference:cve,2000-0413; reference:cve,2000-0709; reference:nessus,10405; classtype:web-application-activity; sid:962; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE svcacl.cnf access"; flow:to_server,established; uricontent:"/_vti_pvt/svcacl.cnf"; nocase; classtype:web-application-activity; sid:963; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE users.pwd access"; flow:to_server,established; uricontent:"/users.pwd"; nocase; classtype:web-application-activity; sid:964; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE writeto.cnf access"; flow:to_server,established; uricontent:"/_vti_pvt/writeto.cnf"; nocase; classtype:web-application-activity; sid:965; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE .... request"; flow:to_server,established; uricontent:"..../"; nocase; reference:arachnids,248; reference:bugtraq,989; reference:cve,1999-0386; reference:cve,2000-0153; classtype:web-application-attack; sid:966; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE dvwssr.dll access"; flow:to_server,established; uricontent:"/dvwssr.dll"; nocase; reference:arachnids,271; reference:bugtraq,1108; reference:bugtraq,1109; reference:cve,2000-0260; reference:url,www.microsoft.com/technet/security/bulletin/ms00-025.mspx; classtype:web-application-activity; sid:967; rev:11;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE register.htm access"; flow:to_server,established; uricontent:"/_private/register.htm"; nocase; classtype:web-application-activity; sid:968; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE /_vti_bin/ access"; flow:to_server,established; uricontent:"/_vti_bin/"; nocase; classtype:web-application-activity; sid:1288; rev:6;)
diff --git a/scripts/s2b/snort_rules2.2/web-iis.rules b/scripts/s2b/snort_rules2.2/web-iis.rules
new file mode 100644
index 0000000000..d33cd58dbc
--- /dev/null
+++ b/scripts/s2b/snort_rules2.2/web-iis.rules
@@ -0,0 +1,152 @@
+# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
+#    All rights reserved.
+# $Id: web-iis.rules 91 2004-07-15 08:13:57Z rwinslow $
+#--------------
+# WEB-IIS RULES
+#--------------
+
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-IIS MDAC Content-Type overflow attempt"; flow:to_server,established; uricontent:"/msadcs.dll"; nocase; content:"Content-Type|3A|"; nocase; content:!"|0A|"; within:50; reference:bugtraq,6214; reference:cve,2002-1142; reference:url,www.foundstone.com/knowledge/randd-advisories-display.html?id=337; classtype:web-application-attack; sid:1970; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS repost.asp access"; flow:to_server,established; uricontent:"/scripts/repost.asp"; nocase; reference:nessus,10372; classtype:web-application-activity; sid:1076; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS .htr chunked Transfer-Encoding"; flow:to_server,established; uricontent:".htr"; nocase; content:"Transfer-Encoding|3A|"; nocase; content:"chunked"; nocase; reference:bugtraq,4855; reference:bugtraq,5003; reference:cve,2002-0364; classtype:web-application-attack; sid:1806; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS .asp chunked Transfer-Encoding"; flow:to_server,established; uricontent:".asp"; nocase; content:"Transfer-Encoding|3A|"; nocase; content:"chunked"; nocase; reference:bugtraq,4474; reference:bugtraq,4485; reference:cve,2002-0071; reference:cve,2002-0079; reference:nessus,10932; classtype:web-application-attack; sid:1618; rev:14;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS /StoreCSVS/InstantOrder.asmx request"; flow:to_server,established; uricontent:"/StoreCSVS/InstantOrder.asmx"; nocase; classtype:web-application-activity; sid:1626; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS users.xml access"; flow:to_server,established; uricontent:"/users.xml"; nocase; classtype:web-application-activity; sid:1750; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS as_web.exe access"; flow:to_server,established; uricontent:"/as_web.exe"; nocase; reference:bugtraq,4670; classtype:web-application-activity; sid:1753; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS as_web4.exe access"; flow:to_server,established; uricontent:"/as_web4.exe"; nocase; reference:bugtraq,4670; classtype:web-application-activity; sid:1754; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS NewsPro administration authentication attempt"; flow:to_server,established; content:"logged,true"; classtype:web-application-activity; sid:1756; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS pbserver access"; flow:to_server,established; uricontent:"/pbserver/pbserver.dll"; nocase; reference:url,www.microsoft.com/technet/security/bulletin/ms00-094.mspx; classtype:web-application-activity; sid:1772; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS trace.axd access"; flow:to_server,established; uricontent:"/trace.axd"; nocase; classtype:web-application-activity; sid:1660; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS /isapi/tstisapi.dll access"; flow:to_server,established; uricontent:"/isapi/tstisapi.dll"; nocase; reference:bugtraq,2381; reference:cve,2001-0302; classtype:web-application-activity; sid:1484; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS mkilog.exe access"; flow:to_server,established; uricontent:"/mkilog.exe"; nocase; classtype:web-application-activity; sid:1485; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ctss.idc access"; flow:to_server,established; uricontent:"/ctss.idc"; nocase; classtype:web-application-activity; sid:1486; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS /iisadmpwd/aexp2.htr access"; flow:to_server,established; uricontent:"/iisadmpwd/aexp2.htr"; classtype:web-application-activity; sid:1487; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS WebDAV file lock attempt"; flow:to_server,established; content:"LOCK "; depth:5; reference:bugtraq,2736; classtype:web-application-activity; sid:969; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ISAPI .printer access"; flow:to_server,established; uricontent:".printer"; nocase; reference:arachnids,533; reference:bugtraq,2674; reference:cve,2001-0241; classtype:web-application-activity; sid:971; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ISAPI .ida attempt"; flow:to_server,established; uricontent:".ida?"; nocase; reference:arachnids,552; reference:bugtraq,1065; reference:cve,2000-0071; classtype:web-application-attack; sid:1243; rev:11;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ISAPI .ida access"; flow:to_server,established; uricontent:".ida"; nocase; reference:arachnids,552; reference:bugtraq,1065; reference:cve,2000-0071; classtype:web-application-activity; sid:1242; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ISAPI .idq attempt"; flow:to_server,established; uricontent:".idq?"; nocase; reference:arachnids,553; reference:bugtraq,1065; reference:cve,2000-0071; classtype:web-application-attack; sid:1244; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ISAPI .idq access"; flow:to_server,established; uricontent:".idq"; nocase; reference:arachnids,553; reference:bugtraq,1065; reference:cve,2000-0071; classtype:web-application-activity; sid:1245; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS %2E-asp access"; flow:to_server,established; content:"%2easp"; nocase; reference:bugtraq,1814; reference:cve,1999-0253; classtype:web-application-activity; sid:972; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS *.idc attempt"; flow:to_server,established; uricontent:"/*.idc"; nocase; reference:bugtraq,1448; reference:cve,1999-0874; reference:cve,2000-0661; classtype:web-application-attack; sid:973; rev:10;)
+
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS Directory transversal attempt"; flow:to_server,established; content:"..|5C|.."; reference:bugtraq,2218; reference:cve,1999-0229; classtype:web-application-attack; sid:974; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS Alternate Data streams ASP file access attempt"; flow:to_server,established; uricontent:".asp|3A 3A 24|DATA"; nocase; reference:bugtraq,149; reference:cve,1999-0278; reference:nessus,10362; reference:url,support.microsoft.com/default.aspx?scid=kb\;EN-US\;q188806; classtype:web-application-attack; sid:975; rev:12;)
+
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS .bat? access"; flow:to_server,established; uricontent:".bat?"; nocase; reference:bugtraq,2023; reference:cve,1999-0233; reference:url,support.microsoft.com/support/kb/articles/Q148/1/88.asp; reference:url,support.microsoft.com/support/kb/articles/Q155/0/56.asp; classtype:web-application-activity; sid:976; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS .cnf access"; flow:to_server,established; uricontent:".cnf"; nocase; classtype:web-application-activity; sid:977; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ASP contents view"; flow:to_server,established; content:"%20"; content:"&CiRestriction=none"; nocase; content:"&CiHiliteType=Full"; nocase; reference:bugtraq,1084; reference:cve,2000-0302; reference:nessus,10356; classtype:web-application-attack; sid:978; rev:11;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ASP contents view"; flow:to_server,established; uricontent:".htw?CiWebHitsFile"; reference:bugtraq,1861; reference:cve,2000-0942; classtype:web-application-attack; sid:979; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS CGImail.exe access"; flow:to_server,established; uricontent:"/scripts/CGImail.exe"; nocase; reference:bugtraq,1623; reference:cve,2000-0726; classtype:web-application-activity; sid:980; rev:7;)
+
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS unicode directory traversal attempt"; flow:to_server,established; content:"/..%c0%af../"; nocase; reference:bugtraq,1806; reference:cve,2000-0884; classtype:web-application-attack; sid:981; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS unicode directory traversal attempt"; flow:to_server,established; content:"/..%c1%1c../"; nocase; reference:bugtraq,1806; reference:cve,2000-0884; classtype:web-application-attack; sid:982; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS unicode directory traversal attempt"; flow:to_server,established; content:"/..%c1%9c../"; nocase; reference:bugtraq,1806; reference:cve,2000-0884; classtype:web-application-attack; sid:983; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS unicode directory traversal attempt"; flow:to_server,established; content:"/..%255c.."; nocase; reference:bugtraq,1806; reference:cve,2000-0884; classtype:web-application-attack; sid:1945; rev:4;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS JET VBA access"; flow:to_server,established; uricontent:"/scripts/samples/ctguestb.idc"; nocase; reference:bugtraq,307; reference:cve,1999-0874; classtype:web-application-activity; sid:984; rev:8;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS JET VBA access"; flow:to_server,established; uricontent:"/scripts/samples/details.idc"; nocase; reference:bugtraq,286; reference:cve,1999-0874; classtype:web-application-activity; sid:985; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS MSProxy access"; flow:to_server,established; uricontent:"/scripts/proxy/w3proxy.dll"; nocase; classtype:web-application-activity; sid:986; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS +.htr code fragment attempt"; flow:to_server,established; uricontent:"+.htr"; nocase; reference:bugtraq,1488; reference:cve,2000-0630; classtype:web-application-attack; sid:1725; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS .htr access"; flow:to_server,established; uricontent:".htr"; nocase; reference:bugtraq,1488; reference:cve,2000-0630; classtype:web-application-activity; sid:987; rev:12;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS SAM Attempt"; flow:to_server,established; content:"sam._"; nocase; reference:url,www.ciac.org/ciac/bulletins/h-45.shtml; classtype:web-application-attack; sid:988; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS Unicode2.pl script File permission canonicalization"; flow:to_server,established; uricontent:"/sensepost.exe"; nocase; classtype:web-application-activity; sid:989; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS _vti_inf access"; flow:to_server,established; uricontent:"_vti_inf.html"; nocase; classtype:web-application-activity; sid:990; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS achg.htr access"; flow:to_server,established; uricontent:"/iisadmpwd/achg.htr"; nocase; reference:bugtraq,2110; reference:cve,1999-0407; classtype:web-application-activity; sid:991; rev:8;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS adctest.asp access"; flow:to_server,established; uricontent:"/msadc/samples/adctest.asp"; nocase; classtype:web-application-activity; sid:992; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS /scripts/iisadmin/default.htm access"; flow:to_server,established; uricontent:"/scripts/iisadmin/default.htm"; nocase; classtype:web-application-attack; sid:994; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ism.dll access"; flow:to_server,established; uricontent:"/scripts/iisadmin/ism.dll?http/dir"; nocase; reference:bugtraq,189; reference:cve,1999-1538; reference:cve,2000-0630; classtype:web-application-attack; sid:995; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS anot.htr access"; flow:to_server,established; uricontent:"/iisadmpwd/anot"; nocase; reference:bugtraq,2110; reference:cve,1999-0407; classtype:web-application-activity; sid:996; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS asp-dot attempt"; flow:to_server,established; uricontent:".asp."; nocase; classtype:web-application-attack; sid:997; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS asp-srch attempt"; flow:to_server,established; uricontent:"|23|filename=*.asp"; nocase; classtype:web-application-attack; sid:998; rev:7;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS bdir access"; flow:to_server,established; uricontent:"/scripts/iisadmin/bdir.htr"; nocase; classtype:web-application-activity; sid:999; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS bdir.htr access"; flow:to_server,established; uricontent:"/bdir.htr"; nocase; classtype:web-application-activity; sid:1000; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS cmd32.exe access"; flow:to_server,established; content:"cmd32.exe"; nocase; classtype:web-application-attack; sid:1661; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS cmd.exe access"; flow:to_server,established; content:"cmd.exe"; nocase; classtype:web-application-attack; sid:1002; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS cmd? access"; flow:to_server,established; content:".cmd?&"; nocase; classtype:web-application-attack; sid:1003; rev:7;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS codebrowser Exair access"; flow:to_server,established; uricontent:"/iissamples/exair/howitworks/codebrws.asp"; nocase; reference:cve,1999-0499; reference:cve,1999-0815; classtype:web-application-activity; sid:1004; rev:8;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS codebrowser SDK access"; flow:to_server,established; uricontent:"/iissamples/sdk/asp/docs/codebrws.asp"; nocase; reference:bugtraq,167; reference:cve,1999-0736; classtype:web-application-activity; sid:1005; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS cross-site scripting attempt"; flow:to_server,established; uricontent:"/Form_JScript.asp"; nocase; classtype:web-application-attack; sid:1007; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS cross-site scripting attempt"; flow:to_server,established; uricontent:"/Form_VBScript.asp"; nocase; classtype:web-application-attack; sid:1380; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS del attempt"; flow:to_server,established; content:"&del+/s+c|3A 5C|*.*"; nocase; classtype:web-application-attack; sid:1008; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS directory listing"; flow:to_server,established; uricontent:"/ServerVariables_Jscript.asp"; nocase; classtype:web-application-attack; sid:1009; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS encoding access"; flow:to_server,established; content:"%1u"; reference:arachnids,200; classtype:web-application-activity; sid:1010; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS exec-src access"; flow:to_server,established; content:"|23|filename=*.exe"; nocase; classtype:web-application-activity; sid:1011; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS fpcount attempt"; flow:to_server,established; uricontent:"/fpcount.exe"; content:"Digits="; nocase; reference:bugtraq,2252; reference:cve,1999-1376; classtype:web-application-attack; sid:1012; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS fpcount access"; flow:to_server,established; uricontent:"/fpcount.exe"; nocase; reference:bugtraq,2252; reference:cve,1999-1376; classtype:web-application-activity; sid:1013; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS getdrvs.exe access"; flow:to_server,established; uricontent:"/scripts/tools/getdrvs.exe"; nocase; classtype:web-application-activity; sid:1015; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS global.asa access"; flow:to_server,established; uricontent:"/global.asa"; nocase; reference:cve,2000-0778; reference:nessus,10491; classtype:web-application-activity; sid:1016; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS idc-srch attempt"; flow:to_server,established; content:"|23|filename=*.idc"; nocase; reference:cve,1999-0874; classtype:web-application-attack; sid:1017; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS iisadmpwd attempt"; flow:to_server,established; uricontent:"/iisadmpwd/aexp"; nocase; reference:bugtraq,1191; reference:bugtraq,2110; reference:cve,2000-0304; classtype:web-application-attack; sid:1018; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS index server file source code attempt"; flow:to_server,established; uricontent:"?CiWebHitsFile=/"; content:"&CiRestriction=none&CiHiliteType=Full"; classtype:web-application-attack; sid:1019; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS isc$data attempt"; flow:to_server,established; uricontent:".idc|3A 3A 24|data"; nocase; reference:bugtraq,307; reference:cve,1999-0874; classtype:web-application-attack; sid:1020; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ism.dll attempt"; flow:to_server,established; uricontent:" .htr"; nocase; reference:bugtraq,1193; reference:cve,2000-0457; classtype:web-application-attack; sid:1021; rev:11;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS jet vba access"; flow:to_server,established; uricontent:"/advworks/equipment/catalog_type.asp"; nocase; reference:bugtraq,286; reference:cve,1999-0874; classtype:web-application-activity; sid:1022; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS msadcs.dll access"; flow:to_server,established; uricontent:"/msadcs.dll"; nocase; reference:bugtraq,529; reference:cve,1999-1011; classtype:web-application-activity; sid:1023; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS newdsn.exe access"; flow:to_server,established; uricontent:"/scripts/tools/newdsn.exe"; nocase; reference:bugtraq,1818; reference:cve,1999-0191; reference:nessus,10360; classtype:web-application-activity; sid:1024; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS perl access"; flow:to_server,established; uricontent:"/scripts/perl"; nocase; classtype:web-application-activity; sid:1025; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS perl-browse newline attempt"; flow:to_server,established; uricontent:"|0A|.pl"; nocase; reference:bugtraq,6833; classtype:web-application-attack; sid:1026; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS perl-browse space attempt"; flow:to_server,established; uricontent:" .pl"; nocase; reference:bugtraq,6833; classtype:web-application-attack; sid:1027; rev:8;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS query.asp access"; flow:to_server,established; uricontent:"/issamples/query.asp"; nocase; reference:bugtraq,193; reference:cve,1999-0449; classtype:web-application-activity; sid:1028; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS scripts-browse access"; flow:to_server,established; uricontent:"/scripts/ "; nocase; classtype:web-application-attack; sid:1029; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS search97.vts access"; flow:to_server,established; uricontent:"/search97.vts"; reference:bugtraq,162; classtype:web-application-activity; sid:1030; rev:7;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS /SiteServer/Publishing/viewcode.asp access"; flow:to_server,established; uricontent:"/SiteServer/Publishing/viewcode.asp"; nocase; reference:nessus,10576; classtype:web-application-activity; sid:1031; rev:8;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS showcode access"; flow:to_server,established; uricontent:"/Sites/Knowledge/Membership/Inspired/ViewCode.asp"; nocase; reference:nessus,10576; classtype:web-application-activity; sid:1032; rev:7;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS showcode access"; flow:to_server,established; uricontent:"/Sites/Knowledge/Membership/Inspiredtutorial/ViewCode.asp"; nocase; reference:nessus,10576; classtype:web-application-activity; sid:1033; rev:7;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS showcode access"; flow:to_server,established; uricontent:"/Sites/Samples/Knowledge/Membership/Inspiredtutorial/ViewCode.asp"; nocase; reference:nessus,10576; classtype:web-application-activity; sid:1034; rev:7;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS showcode access"; flow:to_server,established; uricontent:"/Sites/Samples/Knowledge/Push/ViewCode.asp"; nocase; reference:nessus,10576; classtype:web-application-activity; sid:1035; rev:7;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS showcode access"; flow:to_server,established; uricontent:"/Sites/Samples/Knowledge/Search/ViewCode.asp"; nocase; reference:nessus,10576; classtype:web-application-activity; sid:1036; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS showcode.asp access"; flow:to_server,established; uricontent:"/showcode.asp"; nocase; reference:bugtraq,167; reference:cve,1999-0736; reference:nessus,10007; classtype:web-application-activity; sid:1037; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS site server config access"; flow:to_server,established; uricontent:"/adsamples/config/site.csc"; nocase; reference:bugtraq,256; reference:cve,1999-1520; classtype:web-application-activity; sid:1038; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS srch.htm access"; flow:to_server,established; uricontent:"/samples/isapi/srch.htm"; nocase; classtype:web-application-activity; sid:1039; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS srchadm access"; flow:to_server,established; uricontent:"/srchadm"; nocase; classtype:web-application-activity; sid:1040; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS uploadn.asp access"; flow:to_server,established; uricontent:"/scripts/uploadn.asp"; nocase; classtype:web-application-activity; sid:1041; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS view source via translate header"; flow:to_server,established; content:"Translate|3A| F"; nocase; reference:arachnids,305; reference:bugtraq,1578; classtype:web-application-activity; sid:1042; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS viewcode.asp access"; flow:to_server,established; uricontent:"/viewcode.asp"; nocase; reference:nessus,10576; classtype:web-application-activity; sid:1043; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS webhits access"; flow:to_server,established; uricontent:".htw"; reference:arachnids,237; classtype:web-application-activity; sid:1044; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS doctodep.btr access"; flow:to_server,established; uricontent:"doctodep.btr"; classtype:web-application-activity; sid:1726; rev:4;)
+# alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"WEB-IIS Unauthorized IP Access Attempt"; flow:to_server,established; content:"403"; content:"Forbidden|3A|"; classtype:web-application-attack; sid:1045; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS site/iisamples access"; flow:to_server,established; uricontent:"/site/iisamples"; nocase; classtype:web-application-activity; sid:1046; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS CodeRed v2 root.exe access"; flow:to_server,established; uricontent:"/root.exe"; nocase; reference:url,www.cert.org/advisories/CA-2001-19.html; classtype:web-application-attack; sid:1256; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS outlook web dos"; flow:to_server,established; uricontent:"/exchange/LogonFrm.asp?"; nocase; content:"mailbox="; nocase; content:"%%%"; reference:bugtraq,3223; classtype:web-application-attack; sid:1283; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS /scripts/samples/ access"; flow:to_server,established; uricontent:"/scripts/samples/"; nocase; classtype:web-application-attack; sid:1400; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS /msadc/samples/ access"; flow:to_server,established; uricontent:"/msadc/samples/"; nocase; classtype:web-application-attack; sid:1401; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS iissamples access"; flow:to_server,established; uricontent:"/iissamples/"; nocase; classtype:web-application-attack; sid:1402; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS iisadmin access"; flow:to_server,established; uricontent:"/iisadmin"; nocase; classtype:web-application-attack; sid:993; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS msdac access"; flow:to_server,established; uricontent:"/msdac/"; nocase; classtype:web-application-activity; sid:1285; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS _mem_bin access"; flow:to_server,established; uricontent:"/_mem_bin/"; nocase; classtype:web-application-activity; sid:1286; rev:6;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS scripts access"; flow:to_server,established; uricontent:"/scripts/"; nocase; classtype:web-application-activity; sid:1287; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS htimage.exe access"; flow:to_server,established; uricontent:"/htimage.exe"; nocase; reference:bugtraq,1117; reference:bugtraq,964; reference:cve,2000-0122; reference:cve,2000-0256; reference:nessus,10376; classtype:web-application-activity; sid:1595; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS MS Site Server default login attempt"; flow:to_server,established; uricontent:"/SiteServer/Admin/knowledge/persmbr/"; nocase; content:"Authorization|3A| Basic TERBUF9Bbm9ueW1vdXM6TGRhcFBhc3N3b3JkXzE="; reference:nessus,11018; classtype:web-application-attack; sid:1817; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS MS Site Server admin attempt"; flow:to_server,established; uricontent:"/Site Server/Admin/knowledge/persmbr/"; nocase; reference:nessus,11018; classtype:web-application-attack; sid:1818; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS postinfo.asp access"; flow:to_server,established; uricontent:"/scripts/postinfo.asp"; nocase; classtype:web-application-activity; sid:1075; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS /exchange/root.asp attempt"; flow:to_server,established; uricontent:"/exchange/root.asp?acs=anon"; nocase; classtype:web-application-attack; sid:1567; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS /exchange/root.asp access"; flow:to_server,established; uricontent:"/exchange/root.asp"; nocase; classtype:web-application-activity; sid:1568; rev:5;)
+
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS .asa HTTP header buffer overflow attempt"; flow:to_server,established; content:"HTTP/"; nocase; uricontent:".asa"; nocase; content:"|3A|"; content:"|0A|"; content:"|00|"; reference:bugtraq,4476; reference:cve,2002-0150; classtype:web-application-attack; sid:1802; rev:7;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS .cer HTTP header buffer overflow attempt"; flow:to_server,established; content:"HTTP/"; nocase; uricontent:".cer"; nocase; content:"|3A|"; content:"|0A|"; content:"|00|"; reference:bugtraq,4476; reference:cve,2002-0150; classtype:web-application-attack; sid:1803; rev:8;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS .cdx HTTP header buffer overflow attempt"; flow:to_server,established; content:"HTTP/"; nocase; uricontent:".cdx"; nocase; content:"|3A|"; content:"|0A|"; content:"|00|"; reference:bugtraq,4476; reference:cve,2002-0150; classtype:web-application-attack; sid:1804; rev:8;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS .asp HTTP header buffer overflow attempt"; flow:to_server,established; content:"HTTP/"; nocase; uricontent:".asp"; nocase; content:"|3A|"; content:"|0A|"; content:"|00|"; reference:bugtraq,4476; reference:cve,2002-0150; classtype:web-application-attack; sid:1801; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS WEBDAV exploit attempt"; flow:to_server,established; content:"HTTP/1.1|0A|Content-type|3A| text/xml|0A|HOST|3A|"; content:"Accept|3A| */*|0A|Translate|3A| f|0A|Content-length|3A|5276|0A 0A|"; distance:1; reference:bugtraq,7116; reference:bugtraq,7716; reference:cve,2003-0109; reference:url,www.microsoft.com/technet/security/bulletin/ms03-007.mspx; classtype:attempted-admin; sid:2090; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS WEBDAV nessus safe scan attempt"; flow:to_server,established; content:"SEARCH / HTTP/1.1|0D 0A|Host|3A|"; content:"|0D 0A 0D 0A|"; within:255; reference:bugtraq,7116; reference:cve,2003-0109; reference:nessus,11412; reference:nessus,11413; reference:url,www.microsoft.com/technet/security/bulletin/ms03-007.mspx; classtype:attempted-admin; sid:2091; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS Battleaxe Forum login.asp access"; flow:to_server,established; uricontent:"myaccount/login.asp"; nocase; reference:bugtraq,7416; reference:cve,2003-0215; classtype:web-application-activity; sid:2117; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS nsiislog.dll access"; flow:to_server,established; uricontent:"/nsiislog.dll"; nocase; reference:bugtraq,8035; reference:cve,2003-0349; reference:nessus,11664; reference:url,www.microsoft.com/technet/security/bulletin/ms03-018.mspx; classtype:web-application-activity; sid:2129; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS IISProtect siteadmin.asp access"; flow:to_server,established; uricontent:"/iisprotect/admin/SiteAdmin.asp"; nocase; reference:bugtraq,7675; reference:cve,2003-0377; reference:nessus,11662; classtype:web-application-activity; sid:2130; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS IISProtect globaladmin.asp access"; flow:to_server,established; uricontent:"/iisprotect/admin/GlobalAdmin.asp"; nocase; reference:nessus,11661; classtype:web-application-activity; sid:2157; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS IISProtect access"; flow:to_server,established; uricontent:"/iisprotect/admin/"; nocase; reference:nessus,11661; classtype:web-application-activity; sid:2131; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS Synchrologic Email Accelerator userid list access attempt"; flow:to_server,established; uricontent:"/en/admin/aggregate.asp"; nocase; reference:nessus,11657; classtype:web-application-activity; sid:2132; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS MS BizTalk server access"; flow:to_server,established; uricontent:"/biztalkhttpreceive.dll"; nocase; reference:bugtraq,7469; reference:bugtraq,7470; reference:cve,2003-0117; reference:cve,2003-0118; reference:nessus,11638; classtype:web-application-activity; sid:2133; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS register.asp access"; flow:to_server,established; uricontent:"/register.asp"; nocase; reference:nessus,11621; classtype:web-application-activity; sid:2134; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS UploadScript11.asp access"; flow:to_server,established; uricontent:"/UploadScript11.asp"; nocase; reference:cve,2001-0938; classtype:web-application-activity; sid:2247; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS DirectoryListing.asp access"; flow:to_server,established; uricontent:"/DirectoryListing.asp"; nocase; reference:cve,2001-0938; classtype:web-application-activity; sid:2248; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS /pcadmin/login.asp access"; flow:to_server,established; uricontent:"/pcadmin/login.asp"; nocase; reference:bugtraq,8103; reference:nessus,11785; classtype:web-application-activity; sid:2249; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS foxweb.exe access"; flow:to_server,established; uricontent:"/foxweb.exe"; nocase; reference:nessus,11939; classtype:web-application-activity; sid:2321; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS foxweb.dll access"; flow:to_server,established; uricontent:"/foxweb.dll"; nocase; reference:nessus,11939; classtype:web-application-activity; sid:2322; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS VP-ASP shopsearch.asp access"; flow:to_server,established; uricontent:"/shopsearch.asp"; nocase; reference:bugtraq,9133; reference:bugtraq,9134; reference:nessus,11942; classtype:web-application-activity; sid:2324; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS VP-ASP ShopDisplayProducts.asp access"; flow:to_server,established; uricontent:"/ShopDisplayProducts.asp"; nocase; reference:bugtraq,9133; reference:bugtraq,9134; reference:nessus,11942; classtype:web-application-activity; sid:2325; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS sgdynamo.exe access"; flow:to_server,established; uricontent:"/sgdynamo.exe"; nocase; reference:bugtraq,4720; reference:cve,2002-0375; reference:nessus,11955; classtype:web-application-activity; sid:2326; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS NTLM ASN.1 vulnerability scan attempt"; flow:to_server,established; content:"Authorization|3A| Negotiate YIQAAABiBoMAAAYrBgEFBQKgggBTMIFQoA4wDAYKKwYBBAGCNwICCqM"; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12055; classtype:attempted-dos; sid:2386; rev:6;)
+
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-IIS SmarterTools SmarterMail frmGetAttachment.aspx access"; flow:to_server,established; uricontent:"/frmGetAttachment.aspx"; nocase; reference:bugtraq,9805; classtype:web-application-activity; sid:2571; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-IIS SmarterTools SmarterMail login.aspx buffer overflow attempt"; flow:to_server,established; uricontent:"/login.aspx"; nocase; content:"txtusername="; isdataat:980,relative; content:!"|0A|"; within:980; nocase; reference:bugtraq,9805; classtype:web-application-attack; sid:2572; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-IIS SmarterTools SmarterMail frmCompose.asp access"; flow:to_server,established; uricontent:"/frmCompose.aspx"; reference:bugtraq,9805; classtype:web-application-activity; sid:2573; rev:1;)
diff --git a/scripts/s2b/snort_rules2.2/web-misc.rules b/scripts/s2b/snort_rules2.2/web-misc.rules
new file mode 100644
index 0000000000..2614b61f09
--- /dev/null
+++ b/scripts/s2b/snort_rules2.2/web-misc.rules
@@ -0,0 +1,406 @@
+# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
+#    All rights reserved.
+# $Id: web-misc.rules 91 2004-07-15 08:13:57Z rwinslow $
+#---------------
+# WEB-MISC RULES
+#---------------
+
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC cross site scripting attempt"; flow:to_server,established; content:"<SCRIPT>"; nocase; classtype:web-application-attack; sid:1497; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC cross site scripting HTML Image tag set to javascript attempt"; flow:to_server,established; content:"img src=javascript"; nocase; classtype:web-application-attack; sid:1667; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Cisco IOS HTTP configuration attempt"; flow:to_server,established; uricontent:"/level/"; uricontent:"/exec/"; reference:bugtraq,2936; reference:cve,2001-0537; classtype:web-application-attack; sid:1250; rev:11;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Netscape Enterprise DOS"; flow:to_server,established; content:"REVLOG / "; depth:9; reference:bugtraq,2294; reference:cve,2001-0251; classtype:web-application-attack; sid:1047; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Netscape Enterprise directory listing attempt"; flow:to_server,established; content:"INDEX "; depth:6; reference:bugtraq,2285; reference:cve,2001-0250; classtype:web-application-attack; sid:1048; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC iPlanet GETPROPERTIES attempt"; flow:to_server,established; content:"GETPROPERTIES"; depth:13; classtype:web-application-attack; sid:1050; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Tomcat view source attempt"; flow:to_server,established; uricontent:"%252ejsp"; reference:bugtraq,2527; classtype:web-application-attack; sid:1056; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ftp attempt"; flow:to_server,established; content:"ftp.exe"; nocase; classtype:web-application-activity; sid:1057; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC xp_enumdsn attempt"; flow:to_server,established; content:"xp_enumdsn"; nocase; classtype:web-application-attack; sid:1058; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC xp_filelist attempt"; flow:to_server,established; content:"xp_filelist"; nocase; classtype:web-application-attack; sid:1059; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC xp_availablemedia attempt"; flow:to_server,established; content:"xp_availablemedia"; nocase; classtype:web-application-attack; sid:1060; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC xp_cmdshell attempt"; flow:to_server,established; content:"xp_cmdshell"; nocase; classtype:web-application-attack; sid:1061; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC nc.exe attempt"; flow:to_server,established; content:"nc.exe"; nocase; classtype:web-application-activity; sid:1062; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC wsh attempt"; flow:to_server,established; content:"wsh.exe"; nocase; classtype:web-application-activity; sid:1064; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC rcmd attempt"; flow:to_server,established; content:"rcmd.exe"; nocase; classtype:web-application-activity; sid:1065; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC telnet attempt"; flow:to_server,established; content:"telnet.exe"; nocase; classtype:web-application-activity; sid:1066; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC net attempt"; flow:to_server,established; content:"net.exe"; nocase; classtype:web-application-activity; sid:1067; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC tftp attempt"; flow:to_server,established; content:"tftp.exe"; nocase; classtype:web-application-activity; sid:1068; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC xp_regread attempt"; flow:to_server,established; content:"xp_regread"; nocase; classtype:web-application-activity; sid:1069; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC xp_regwrite attempt"; flow:to_server,established; content:"xp_regwrite"; nocase; classtype:web-application-activity; sid:1977; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC xp_regdeletekey attempt"; flow:to_server,established; content:"xp_regdeletekey"; nocase; classtype:web-application-activity; sid:1978; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC WebDAV search access"; flow:to_server,established; content:"SEARCH "; depth:8; nocase; reference:arachnids,474; classtype:web-application-activity; sid:1070; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC .htpasswd access"; flow:to_server,established; content:".htpasswd"; nocase; classtype:web-application-attack; sid:1071; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Lotus Domino directory traversal"; flow:to_server,established; uricontent:".nsf/"; uricontent:"../"; nocase; reference:bugtraq,2173; reference:cve,2001-0009; classtype:web-application-attack; sid:1072; rev:9;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC webhits.exe access"; flow:to_server,established; uricontent:"/scripts/samples/search/webhits.exe"; nocase; classtype:web-application-activity; sid:1073; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC queryhit.htm access"; flow:to_server,established; uricontent:"/samples/search/queryhit.htm"; nocase; classtype:web-application-activity; sid:1077; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC counter.exe access"; flow:to_server,established; uricontent:"/counter.exe"; nocase; reference:bugtraq,267; reference:cve,1999-1030; classtype:web-application-activity; sid:1078; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC WebDAV propfind access"; flow:to_server,established; content:"<a|3A|propfind"; nocase; content:"xmlns|3A|a=|22|DAV|22|>"; nocase; reference:bugtraq,1656; reference:cve,2000-0869; classtype:web-application-activity; sid:1079; rev:11;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC unify eWave ServletExec upload"; flow:to_server,established; uricontent:"/servlet/com.unify.servletexec.UploadServlet"; nocase; reference:bugtraq,1868; reference:bugtraq,1876; reference:cve,2000-1024; reference:cve,2000-1025; classtype:web-application-attack; sid:1080; rev:13;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Netscape Servers suite DOS"; flow:to_server,established; uricontent:"/dsgw/bin/search?context="; nocase; reference:bugtraq,1868; reference:cve,2000-1025; classtype:web-application-attack; sid:1081; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC amazon 1-click cookie theft"; flow:to_server,established; content:"ref%3Cscript%20language%3D%22Javascript"; nocase; reference:bugtraq,1194; reference:cve,2000-0439; classtype:web-application-attack; sid:1082; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC unify eWave ServletExec DOS"; flow:to_server,established; uricontent:"/servlet/ServletExec"; classtype:web-application-activity; sid:1083; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Allaire JRUN DOS attempt"; flow:to_server,established; uricontent:"servlet/......."; nocase; reference:bugtraq,2337; classtype:web-application-attack; sid:1084; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ICQ Webfront HTTP DOS"; flow:to_server,established; uricontent:"??????????"; classtype:web-application-attack; sid:1091; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Talentsoft Web+ Source Code view access"; flow:to_server,established; uricontent:"/webplus.exe?script=test.wml"; reference:bugtraq,1722; classtype:web-application-attack; sid:1095; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Talentsoft Web+ internal IP Address access"; flow:to_server,established; uricontent:"/webplus.exe?about"; reference:bugtraq,1720; classtype:web-application-activity; sid:1096; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC SmartWin CyberOffice Shopping Cart access"; flow:to_server,established; uricontent:"_private/shopping_cart.mdb"; reference:bugtraq,1734; reference:cve,2000-0925; classtype:web-application-attack; sid:1098; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC cybercop scan"; flow:to_server,established; uricontent:"/cybercop"; nocase; reference:arachnids,374; classtype:web-application-activity; sid:1099; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC L3retriever HTTP Probe"; flow:to_server,established; content:"User-Agent|3A| Java1.2.1|0D 0A|"; reference:arachnids,310; classtype:web-application-activity; sid:1100; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Webtrends HTTP probe"; flow:to_server,established; content:"User-Agent|3A| Webtrends Security Analyzer|0D 0A|"; reference:arachnids,309; classtype:web-application-activity; sid:1101; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Nessus 404 probe"; flow:to_server,established; uricontent:"/nessus_is_probing_you_"; depth:32; reference:arachnids,301; classtype:web-application-attack; sid:1102; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Netscape admin passwd"; flow:to_server,established; uricontent:"/admin-serv/config/admpw"; nocase; reference:bugtraq,1579; classtype:web-application-attack; sid:1103; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC BigBrother access"; flow:to_server,established; uricontent:"/bb-hostsvc.sh?HOSTSVC"; nocase; classtype:attempted-recon; sid:1105; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ftp.pl attempt"; flow:to_server,established; uricontent:"/ftp.pl?dir=../.."; nocase; reference:bugtraq,1471; reference:cve,2000-0674; reference:nessus,10467; classtype:web-application-attack; sid:1612; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ftp.pl access"; flow:to_server,established; uricontent:"/ftp.pl"; nocase; reference:bugtraq,1471; reference:cve,2000-0674; reference:nessus,10467; classtype:web-application-activity; sid:1107; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Tomcat server snoop access"; flow:to_server,established; uricontent:"/jsp/snp/"; uricontent:".snp"; reference:bugtraq,1532; reference:cve,2000-0760; classtype:attempted-recon; sid:1108; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ROXEN directory list attempt"; flow:to_server,established; uricontent:"/%00"; reference:bugtraq,1510; reference:cve,2000-0671; classtype:attempted-recon; sid:1109; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC apache source.asp file access"; flow:to_server,established; uricontent:"/site/eg/source.asp"; nocase; reference:bugtraq,1457; reference:cve,2000-0628; classtype:attempted-recon; sid:1110; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Tomcat server exploit access"; flow:to_server,established; uricontent:"/contextAdmin/contextAdmin.html"; nocase; classtype:attempted-recon; sid:1111; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC http directory traversal"; flow:to_server,established; content:"..|5C|"; reference:arachnids,298; classtype:attempted-recon; sid:1112; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ICQ webserver DOS"; flow:to_server,established; uricontent:".html/......"; nocase; reference:cve,1999-0474; classtype:attempted-dos; sid:1115; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Lotus DelDoc attempt"; flow:to_server,established; uricontent:"?DeleteDocument"; nocase; classtype:attempted-recon; sid:1116; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Lotus EditDoc attempt"; flow:to_server,established; uricontent:"?EditDocument"; nocase; reference:url,www.securiteam.com/exploits/5NP080A1RE.html; classtype:attempted-recon; sid:1117; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ls%20-l"; flow:to_server,established; content:"ls%20-l"; nocase; classtype:attempted-recon; sid:1118; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC mlog.phtml access"; flow:to_server,established; uricontent:"/mlog.phtml"; nocase; reference:bugtraq,713; reference:cve,1999-0068; reference:cve,1999-0346; classtype:attempted-recon; sid:1119; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC mylog.phtml access"; flow:to_server,established; uricontent:"/mylog.phtml"; nocase; reference:bugtraq,713; reference:cve,1999-0068; reference:cve,1999-0346; classtype:attempted-recon; sid:1120; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC /etc/passwd"; flow:to_server,established; content:"/etc/passwd"; nocase; classtype:attempted-recon; sid:1122; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ?PageServices access"; flow:to_server,established; uricontent:"?PageServices"; nocase; reference:bugtraq,1063; reference:bugtraq,7621; reference:cve,1999-0269; classtype:attempted-recon; sid:1123; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Ecommerce check.txt access"; flow:to_server,established; uricontent:"/config/check.txt"; nocase; classtype:attempted-recon; sid:1124; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC webcart access"; flow:to_server,established; uricontent:"/webcart/"; nocase; reference:cve,1999-0610; reference:nessus,10298; classtype:attempted-recon; sid:1125; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC AuthChangeUrl access"; flow:to_server,established; uricontent:"_AuthChangeUrl?"; nocase; classtype:attempted-recon; sid:1126; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC convert.bas access"; flow:to_server,established; uricontent:"/scripts/convert.bas"; nocase; reference:bugtraq,2025; reference:cve,1999-0175; classtype:attempted-recon; sid:1127; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC cpshost.dll access"; flow:to_server,established; uricontent:"/scripts/cpshost.dll"; nocase; classtype:attempted-recon; sid:1128; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC .htaccess access"; flow:to_server,established; content:".htaccess"; nocase; classtype:attempted-recon; sid:1129; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC .wwwacl access"; flow:to_server,established; uricontent:".wwwacl"; nocase; classtype:attempted-recon; sid:1130; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC .wwwacl access"; flow:to_server,established; uricontent:".www_acl"; nocase; classtype:attempted-recon; sid:1131; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC cd.."; flow:to_server,established; content:"cd.."; nocase; classtype:attempted-recon; sid:1136; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC guestbook.pl access"; flow:to_server,established; uricontent:"/guestbook.pl"; nocase; reference:arachnids,228; reference:bugtraq,776; reference:cve,1999-0237; reference:cve,1999-1053; reference:nessus,10099; classtype:attempted-recon; sid:1140; rev:11;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC handler attempt"; flow:to_server,established; uricontent:"/handler"; uricontent:"|7C|"; nocase; reference:arachnids,235; reference:bugtraq,380; reference:cve,1999-0148; reference:nessus,10100; classtype:web-application-attack; sid:1613; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC handler access"; flow:to_server,established; uricontent:"/handler"; nocase; reference:arachnids,235; reference:bugtraq,380; reference:cve,1999-0148; reference:nessus,10100; classtype:web-application-activity; sid:1141; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC /.... access"; flow:to_server,established; content:"/...."; classtype:attempted-recon; sid:1142; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ///cgi-bin access"; flow:to_server,established; uricontent:"///cgi-bin"; nocase; rawbytes; classtype:attempted-recon; sid:1143; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC /cgi-bin/// access"; flow:to_server,established; uricontent:"/cgi-bin///"; nocase; rawbytes; classtype:attempted-recon; sid:1144; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC /~root access"; flow:to_server,established; uricontent:"/~root"; nocase; classtype:attempted-recon; sid:1145; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC /~ftp access"; flow:to_server,established; uricontent:"/~ftp"; nocase; classtype:attempted-recon; sid:1662; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Ecommerce import.txt access"; flow:to_server,established; uricontent:"/config/import.txt"; nocase; classtype:attempted-recon; sid:1146; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC cat%20 access"; flow:to_server,established; content:"cat%20"; nocase; reference:bugtraq,374; reference:cve,1999-0039; classtype:attempted-recon; sid:1147; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Ecommerce import.txt access"; flow:to_server,established; uricontent:"/orders/import.txt"; nocase; classtype:attempted-recon; sid:1148; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Domino catalog.nsf access"; flow:to_server,established; uricontent:"/catalog.nsf"; nocase; classtype:attempted-recon; sid:1150; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Domino domcfg.nsf access"; flow:to_server,established; uricontent:"/domcfg.nsf"; nocase; classtype:attempted-recon; sid:1151; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Domino domlog.nsf access"; flow:to_server,established; uricontent:"/domlog.nsf"; nocase; classtype:attempted-recon; sid:1152; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Domino log.nsf access"; flow:to_server,established; uricontent:"/log.nsf"; nocase; classtype:attempted-recon; sid:1153; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Domino names.nsf access"; flow:to_server,established; uricontent:"/names.nsf"; nocase; classtype:attempted-recon; sid:1154; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Domino mab.nsf access"; flow:to_server,established; uricontent:"/mab.nsf"; nocase; classtype:attempted-recon; sid:1575; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Domino cersvr.nsf access"; flow:to_server,established; uricontent:"/cersvr.nsf"; nocase; classtype:attempted-recon; sid:1576; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Domino setup.nsf access"; flow:to_server,established; uricontent:"/setup.nsf"; nocase; classtype:attempted-recon; sid:1577; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Domino statrep.nsf access"; flow:to_server,established; uricontent:"/statrep.nsf"; nocase; classtype:attempted-recon; sid:1578; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Domino webadmin.nsf access"; flow:to_server,established; uricontent:"/webadmin.nsf"; nocase; classtype:attempted-recon; sid:1579; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Domino events4.nsf access"; flow:to_server,established; uricontent:"/events4.nsf"; nocase; classtype:attempted-recon; sid:1580; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Domino ntsync4.nsf access"; flow:to_server,established; uricontent:"/ntsync4.nsf"; nocase; classtype:attempted-recon; sid:1581; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Domino collect4.nsf access"; flow:to_server,established; uricontent:"/collect4.nsf"; nocase; classtype:attempted-recon; sid:1582; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Domino mailw46.nsf access"; flow:to_server,established; uricontent:"/mailw46.nsf"; nocase; classtype:attempted-recon; sid:1583; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Domino bookmark.nsf access"; flow:to_server,established; uricontent:"/bookmark.nsf"; nocase; classtype:attempted-recon; sid:1584; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Domino agentrunner.nsf access"; flow:to_server,established; uricontent:"/agentrunner.nsf"; nocase; classtype:attempted-recon; sid:1585; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Domino mail.box access"; flow:to_server,established; uricontent:"/mail.box"; nocase; classtype:attempted-recon; sid:1586; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Ecommerce checks.txt access"; flow:to_server,established; uricontent:"/orders/checks.txt"; nocase; classtype:attempted-recon; sid:1155; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC apache DOS attempt"; flow:to_server,established; content:"////////"; classtype:attempted-dos; sid:1156; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Netscape PublishingXpert access"; flow:to_server,established; uricontent:"/PSUser/PSCOErrPage.htm"; nocase; reference:cve,2000-1196; classtype:web-application-activity; sid:1157; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC windmail.exe access"; flow:to_server,established; uricontent:"/windmail.exe"; nocase; reference:arachnids,465; reference:bugtraq,1073; reference:cve,2000-0242; reference:nessus,10365; classtype:attempted-recon; sid:1158; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC webplus access"; flow:to_server,established; uricontent:"/webplus?script"; nocase; reference:bugtraq,1174; reference:bugtraq,1720; reference:bugtraq,1722; reference:bugtraq,1725; reference:cve,2000-1005; classtype:attempted-recon; sid:1159; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Netscape dir index wp"; flow:to_server,established; uricontent:"?wp-"; nocase; reference:arachnids,270; reference:bugtraq,1063; reference:cve,2000-0236; classtype:attempted-recon; sid:1160; rev:11;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC cart 32 AdminPwd access"; flow:to_server,established; uricontent:"/c32web.exe/ChangeAdminPassword"; nocase; reference:bugtraq,1153; reference:cve,2000-0429; classtype:attempted-recon; sid:1162; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC shopping cart access"; flow:to_server,established; uricontent:"/quikstore.cfg"; nocase; reference:bugtraq,1983; reference:bugtraq,2049; reference:cve,1999-0607; reference:cve,2000-1188; classtype:attempted-recon; sid:1164; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Novell Groupwise gwweb.exe attempt"; flow:to_server,established; uricontent:"/GWWEB.EXE?HELP="; nocase; reference:bugtraq,879; reference:cve,1999-1005; reference:cve,1999-1006; reference:nessus,10877; classtype:attempted-recon; sid:1614; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Novell Groupwise gwweb.exe access"; flow:to_server,established; content:"/GWWEB.EXE"; nocase; reference:bugtraq,879; reference:cve,1999-1005; reference:cve,1999-1006; reference:nessus,10877; classtype:attempted-recon; sid:1165; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ws_ftp.ini access"; flow:to_server,established; uricontent:"/ws_ftp.ini"; nocase; reference:bugtraq,547; reference:cve,1999-1078; classtype:attempted-recon; sid:1166; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC rpm_query access"; flow:to_server,established; uricontent:"/rpm_query"; nocase; reference:bugtraq,1036; reference:cve,2000-0192; classtype:attempted-recon; sid:1167; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC mall log order access"; flow:to_server,established; uricontent:"/mall_log_files/order.log"; nocase; classtype:attempted-recon; sid:1168; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC architext_query.pl access"; flow:to_server,established; uricontent:"/ews/architext_query.pl"; nocase; classtype:attempted-recon; sid:1173; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC wwwboard.pl access"; flow:to_server,established; uricontent:"/wwwboard.pl"; nocase; reference:bugtraq,1795; reference:bugtraq,649; reference:cve,1999-0930; reference:cve,1999-0954; classtype:attempted-recon; sid:1175; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC order.log access"; flow:to_server,established; uricontent:"/admin_files/order.log"; nocase; classtype:attempted-recon; sid:1176; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Netscape Enterprise Server directory view"; flow:to_server,established; uricontent:"?wp-verify-link"; nocase; reference:bugtraq,1063; classtype:attempted-recon; sid:1177; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC get32.exe access"; flow:to_server,established; uricontent:"/get32.exe"; nocase; reference:arachnids,258; reference:bugtraq,1485; reference:bugtraq,770; reference:cve,1999-0885; reference:nessus,10013; classtype:attempted-recon; sid:1180; rev:12;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Annex Terminal DOS attempt"; flow:to_server,established; uricontent:"/ping?query="; reference:arachnids,260; reference:cve,1999-1070; classtype:attempted-dos; sid:1181; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC cgitest.exe attempt"; flow:to_server,established; uricontent:"/cgitest.exe|0D 0A|user"; nocase; reference:arachnids,265; reference:bugtraq,1313; reference:bugtraq,3885; reference:cve,2000-0521; reference:cve,2002-0128; reference:nessus,10040; reference:nessus,10623; classtype:web-application-attack; sid:1182; rev:17;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC cgitest.exe access"; flow:to_server,established; uricontent:"/cgitest.exe"; nocase; reference:arachnids,265; reference:bugtraq,1313; reference:bugtraq,3885; reference:cve,2000-0521; reference:cve,2002-0128; reference:nessus,10040; reference:nessus,10623; classtype:web-application-activity; sid:1587; rev:12;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Netscape Enterprise Server directory view"; flow:to_server,established; uricontent:"?wp-cs-dump"; nocase; reference:bugtraq,1063; reference:cve,2000-0236; classtype:attempted-recon; sid:1183; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Netscape Enterprise Server directory view"; flow:to_server,established; uricontent:"?wp-ver-info"; nocase; reference:bugtraq,1063; classtype:attempted-recon; sid:1184; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Netscape Enterprise Server directory view"; flow:to_server,established; uricontent:"?wp-ver-diff"; nocase; reference:bugtraq,1063; classtype:attempted-recon; sid:1186; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC SalesLogix Eviewer web command attempt"; flow:to_server,established; uricontent:"/slxweb.dll/admin?command="; nocase; reference:bugtraq,1078; reference:bugtraq,1089; reference:cve,2000-0278; reference:cve,2000-0289; classtype:web-application-attack; sid:1187; rev:12;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC SalesLogix Eviewer access"; flow:to_server,established; uricontent:"/slxweb.dll"; nocase; reference:bugtraq,1078; reference:bugtraq,1089; reference:cve,2000-0278; reference:cve,2000-0289; classtype:web-application-activity; sid:1588; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Netscape Enterprise Server directory view"; flow:to_server,established; uricontent:"?wp-start-ver"; nocase; reference:bugtraq,1063; classtype:attempted-recon; sid:1188; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Netscape Enterprise Server directory view"; flow:to_server,established; uricontent:"?wp-stop-ver"; nocase; reference:bugtraq,1063; classtype:attempted-recon; sid:1189; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Netscape Enterprise Server directory view"; flow:to_server,established; uricontent:"?wp-uncheckout"; nocase; reference:bugtraq,1063; classtype:attempted-recon; sid:1190; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Netscape Enterprise Server directory view"; flow:to_server,established; uricontent:"?wp-html-rend"; nocase; reference:bugtraq,1063; classtype:attempted-recon; sid:1191; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Trend Micro OfficeScan attempt"; flow:to_server,established; uricontent:"/officescan/cgi/jdkRqNotify.exe?"; nocase; uricontent:"domain="; nocase; uricontent:"event="; nocase; reference:bugtraq,1057; classtype:attempted-recon; sid:1381; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Trend Micro OfficeScan access"; flow:to_server,established; uricontent:"/officescan/cgi/jdkRqNotify.exe"; nocase; reference:bugtraq,1057; classtype:attempted-recon; sid:1192; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC oracle web arbitrary command execution attempt"; flow:to_server,established; uricontent:"/ows-bin/"; nocase; uricontent:"?&"; reference:bugtraq,1053; reference:cve,2000-0169; reference:nessus,10348; classtype:web-application-attack; sid:1193; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC oracle web application server access"; flow:to_server,established; uricontent:"/ows-bin/"; nocase; reference:bugtraq,1053; reference:cve,2000-0169; reference:nessus,10348; classtype:web-application-activity; sid:1880; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Netscape Enterprise Server directory view"; flow:to_server,established; uricontent:"?wp-usr-prop"; nocase; reference:bugtraq,1063; classtype:web-application-attack; sid:1198; rev:7;)
+
+
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC search.vts access"; flow:to_server,established; uricontent:"/search.vts"; classtype:attempted-recon; sid:1202; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC htgrep attempt"; flow:to_server,established; uricontent:"/htgrep"; content:"hdr=/"; reference:cve,2000-0832; classtype:web-application-attack; sid:1615; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC htgrep access"; flow:to_server,established; uricontent:"/htgrep"; reference:cve,2000-0832; classtype:web-application-activity; sid:1207; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC .nsconfig access"; flow:to_server,established; uricontent:"/.nsconfig"; classtype:attempted-recon; sid:1209; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Admin_files access"; flow:to_server,established; uricontent:"/admin_files"; nocase; classtype:attempted-recon; sid:1212; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC backup access"; flow:to_server,established; uricontent:"/backup"; nocase; classtype:attempted-recon; sid:1213; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC intranet access"; flow:to_server,established; uricontent:"/intranet/"; nocase; classtype:attempted-recon; sid:1214; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC filemail access"; flow:to_server,established; uricontent:"/filemail"; nocase; classtype:attempted-recon; sid:1216; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC plusmail access"; flow:to_server,established; uricontent:"/plusmail"; nocase; reference:bugtraq,2653; reference:cve,2000-0074; classtype:attempted-recon; sid:1217; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC adminlogin access"; flow:to_server,established; uricontent:"/adminlogin"; nocase; classtype:attempted-recon; sid:1218; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ultraboard access"; flow:to_server,established; uricontent:"/ultraboard"; nocase; classtype:attempted-recon; sid:1220; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC musicat empower attempt"; flow:to_server,established; uricontent:"/empower?DB="; nocase; classtype:web-application-attack; sid:1589; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC musicat empower access"; flow:to_server,established; uricontent:"/empower"; nocase; classtype:web-application-activity; sid:1221; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ROADS search.pl attempt"; flow:to_server,established; uricontent:"/ROADS/cgi-bin/search.pl"; content:"form="; nocase; reference:bugtraq,2371; reference:cve,2001-0215; reference:nessus,10627; classtype:attempted-recon; sid:1224; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC VirusWall FtpSave access"; flow:to_server,established; uricontent:"/FtpSave.dll"; nocase; reference:bugtraq,2808; reference:cve,2001-0432; reference:nessus,10733; classtype:attempted-recon; sid:1230; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC VirusWall FtpSaveCSP access"; flow:to_server,established; uricontent:"/FtpSaveCSP.dll"; nocase; reference:bugtraq,2808; reference:cve,2001-0432; reference:nessus,10733; classtype:attempted-recon; sid:1234; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC VirusWall FtpSaveCVP access"; flow:to_server,established; uricontent:"/FtpSaveCVP.dll"; nocase; reference:bugtraq,2808; reference:cve,2001-0432; reference:nessus,10733; classtype:attempted-recon; sid:1235; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC weblogic/tomcat .jsp view source attempt"; flow:to_server,established; uricontent:".jsp"; nocase; pcre:!"/^\w+\s+[^\n\s\?]*\.jsp/smi"; reference:bugtraq,2527; classtype:web-application-attack; sid:1054; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC SWEditServlet directory traversal attempt"; flow:to_server,established; uricontent:"/SWEditServlet"; content:"template=../../../"; classtype:attempted-user; sid:1241; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC SWEditServlet access"; flow:to_server,established; uricontent:"/SWEditServlet"; classtype:attempted-recon; sid:1259; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC whisker HEAD/./"; flow:to_server,established; content:"HEAD/./"; reference:url,www.wiretrip.net/rfp/pages/whitepapers/whiskerids.html; classtype:attempted-recon; sid:1139; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC HP OpenView Manager DOS"; flow:to_server,established; uricontent:"/OvCgi/OpenView5.exe?Context=Snmp&Action=Snmp&Host=&Oid="; nocase; reference:bugtraq,2845; reference:cve,2001-0552; classtype:misc-activity; sid:1258; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC long basic authorization string"; flow:to_server,established; content:"Authorization|3A| Basic "; nocase; content:!"|0A|"; within:512; reference:bugtraq,3230; reference:cve,2001-1067; classtype:attempted-dos; sid:1260; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC sml3com access"; flow:to_server,established; uricontent:"/graphics/sml3com"; reference:bugtraq,2721; reference:cve,2001-0740; classtype:web-application-activity; sid:1291; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC carbo.dll access"; flow:to_server,established; uricontent:"/carbo.dll"; content:"icatcommand="; nocase; reference:bugtraq,2126; reference:cve,1999-1069; classtype:attempted-recon; sid:1001; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC console.exe access"; flow:to_server,established; uricontent:"/cgi-bin/console.exe"; nocase; reference:bugtraq,3375; reference:cve,2001-1252; classtype:attempted-recon; sid:1302; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC cs.exe access"; flow:to_server,established; uricontent:"/cgi-bin/cs.exe"; nocase; reference:bugtraq,3375; reference:cve,2001-1252; classtype:attempted-recon; sid:1303; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC http directory traversal"; flow:to_server,established; content:"../"; reference:arachnids,297; classtype:attempted-recon; sid:1113; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC sadmind worm access"; flow:to_server,established; content:"GET x HTTP/1.0"; depth:15; reference:url,www.cert.org/advisories/CA-2001-11.html; classtype:attempted-recon; sid:1375; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC jrun directory browse attempt"; flow:to_server,established; uricontent:"/?.jsp"; reference:bugtraq,3592; classtype:web-application-attack; sid:1376; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC mod-plsql administration access"; flow:to_server,established; uricontent:"/admin_/"; reference:bugtraq,3726; reference:bugtraq,3727; reference:cve,2001-1216; reference:cve,2001-1217; reference:nessus,10849; classtype:web-application-activity; sid:1385; rev:11;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC viewcode.jse access"; flow:to_server,established; uricontent:"/viewcode.jse"; reference:bugtraq,3715; classtype:web-application-activity; sid:1389; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Phorecast remote code execution attempt"; flow:to_server,established; content:"includedir="; reference:bugtraq,3388; reference:cve,2001-1049; classtype:web-application-attack; sid:1391; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC viewcode access"; flow:to_server,established; uricontent:"/viewcode"; classtype:web-application-attack; sid:1403; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC showcode access"; flow:to_server,established; uricontent:"/showcode"; classtype:web-application-attack; sid:1404; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC .history access"; flow:to_server,established; uricontent:"/.history"; classtype:web-application-attack; sid:1433; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC .bash_history access"; flow:to_server,established; uricontent:"/.bash_history"; classtype:web-application-attack; sid:1434; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC /~nobody access"; flow:to_server,established; uricontent:"/~nobody"; classtype:web-application-attack; sid:1489; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC RBS ISP /newuser  directory traversal attempt"; flow:to_server,established; uricontent:"/newuser?Image=../.."; classtype:web-application-attack; sid:1492; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC RBS ISP /newuser access"; flow:to_server,established; uricontent:"/newuser"; classtype:web-application-activity; sid:1493; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC *%0a.pl access"; flow:to_server,established; uricontent:"/*|0A|.pl"; nocase; classtype:web-application-attack; sid:1663; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC mkplog.exe access"; flow:to_server,established; uricontent:"/mkplog.exe"; nocase; classtype:web-application-activity; sid:1664; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC PCCS mysql database admin tool access"; flow:to_server,established; content:"pccsmysqladm/incs/dbconnect.inc"; depth:36; nocase; reference:arachnids,300; classtype:web-application-attack; sid:509; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC .DS_Store access"; flow:to_server,established; uricontent:"/.DS_Store"; reference:url,www.macintouch.com/mosxreaderreports46.html; classtype:web-application-activity; sid:1769; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC .FBCIndex access"; flow:to_server,established; uricontent:"/.FBCIndex"; reference:url,www.securiteam.com/securitynews/5LP0O005FS.html; classtype:web-application-activity; sid:1770; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ExAir access"; flow:to_server,established; uricontent:"/exair/search/"; reference:bugtraq,193; reference:cve,1999-0449; classtype:web-application-activity; sid:1500; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC apache ?M=D directory list attempt"; flow:to_server,established; uricontent:"/?M=D"; reference:bugtraq,3009; reference:cve,2001-0731; classtype:web-application-activity; sid:1519; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC server-info access"; flow:to_server,established; uricontent:"/server-info"; reference:url,httpd.apache.org/docs/mod/mod_info.html; classtype:web-application-activity; sid:1520; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC server-status access"; flow:to_server,established; uricontent:"/server-status"; reference:url,httpd.apache.org/docs/mod/mod_info.html; classtype:web-application-activity; sid:1521; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ans.pl attempt"; flow:to_server,established; uricontent:"/ans.pl?p=../../"; reference:bugtraq,4147; reference:bugtraq,4149; reference:cve,2002-0306; reference:cve,2002-0307; reference:nessus,10875; classtype:web-application-attack; sid:1522; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ans.pl access"; flow:to_server,established; uricontent:"/ans.pl"; reference:bugtraq,4147; reference:bugtraq,4149; reference:cve,2002-0306; reference:cve,2002-0307; reference:nessus,10875; classtype:web-application-activity; sid:1523; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC AxisStorpoint CD attempt"; flow:to_server,established; uricontent:"/cd/../config/html/cnf_gi.htm"; reference:bugtraq,1025; reference:cve,2000-0191; reference:nessus,10023; classtype:web-application-attack; sid:1524; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Axis Storpoint CD access"; flow:to_server,established; uricontent:"/config/html/cnf_gi.htm"; reference:bugtraq,1025; reference:cve,2000-0191; reference:nessus,10023; classtype:web-application-activity; sid:1525; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC basilix sendmail.inc access"; flow:to_server,established; uricontent:"/inc/sendmail.inc"; reference:cve,2001-1044; reference:nessus,10601; classtype:web-application-activity; sid:1526; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC basilix mysql.class access"; flow:to_server,established; uricontent:"/class/mysql.class"; reference:cve,2001-1044; reference:nessus,10601; classtype:web-application-activity; sid:1527; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC BBoard access"; flow:to_server,established; uricontent:"/servlet/sunexamples.BBoardServlet"; reference:bugtraq,1459; reference:cve,2000-0629; reference:nessus,10507; classtype:web-application-activity; sid:1528; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Cisco Catalyst command execution attempt"; flow:to_server,established; uricontent:"/exec/show/config/cr"; nocase; reference:bugtraq,1846; reference:cve,2000-0945; classtype:web-application-activity; sid:1544; rev:5;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Cisco /%% DOS attempt"; flow:to_server,established; uricontent:"/%%"; reference:bugtraq,1154; reference:cve,2000-0380; classtype:web-application-attack; sid:1546; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC /CVS/Entries access"; flow:to_server,established; uricontent:"/CVS/Entries"; classtype:web-application-activity; sid:1551; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC cvsweb version access"; flow:to_server,established; uricontent:"/cvsweb/version"; reference:cve,2000-0670; classtype:web-application-activity; sid:1552; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC /doc/packages access"; flow:to_server,established; uricontent:"/doc/packages"; nocase; classtype:web-application-activity; sid:1559; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC /doc/ access"; flow:to_server,established; uricontent:"/doc/"; nocase; reference:bugtraq,318; reference:cve,1999-0678; classtype:web-application-activity; sid:1560; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC login.htm attempt"; flow:to_server,established; uricontent:"/login.htm?password="; nocase; reference:bugtraq,665; reference:cve,1999-1533; classtype:web-application-activity; sid:1563; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC login.htm access"; flow:to_server,established; uricontent:"/login.htm"; nocase; reference:bugtraq,665; reference:cve,1999-1533; classtype:web-application-activity; sid:1564; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC DELETE attempt"; flow:to_server,established; content:"DELETE "; depth:7; nocase; classtype:web-application-activity; sid:1603; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC /home/ftp access"; flow:to_server,established; uricontent:"/home/ftp"; nocase; classtype:web-application-activity; sid:1670; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC /home/www access"; flow:to_server,established; uricontent:"/home/www"; nocase; classtype:web-application-activity; sid:1671; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC global.inc access"; flow:to_server,established; uricontent:"/global.inc"; nocase; reference:bugtraq,4612; reference:cve,2002-0614; classtype:web-application-attack; sid:1738; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC SecureSite authentication bypass attempt"; flow:to_server,established; content:"secure_site, ok"; nocase; reference:bugtraq,4621; classtype:web-application-attack; sid:1744; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC b2 arbitrary command execution attempt"; flow:to_server,established; uricontent:"/b2/b2-include/"; content:"b2inc"; content:"http|3A|//"; classtype:web-application-attack; sid:1757; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC b2 access"; flow:to_server,established; uricontent:"/b2/b2-include/"; content:"b2inc"; content:"http|3A|//"; classtype:web-application-attack; sid:1758; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC search.dll directory listing attempt"; flow:to_server,established; uricontent:"/search.dll"; content:"query=%00"; reference:bugtraq,1684; reference:cve,2000-0835; reference:nessus,10514; classtype:web-application-attack; sid:1766; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC search.dll access"; flow:to_server,established; uricontent:"/search.dll"; reference:bugtraq,1684; reference:cve,2000-0835; reference:nessus,10514; classtype:web-application-activity; sid:1767; rev:6;)
+
+
+# The following signatures are for non-standard ports.  When ports lists work,
+# then these will be converted to use HTTP_PORTS & HTTP_SERVERS
+alert tcp $EXTERNAL_NET any -> $HOME_NET 8181 (msg:"WEB-MISC PIX firewall manager directory traversal attempt"; flow:to_server,established; content:"/../../"; classtype:web-application-attack; sid:1498; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 4080 (msg:"WEB-MISC iChat directory traversal attempt"; flow:to_server,established; content:"/../../"; reference:cve,1999-0897; classtype:web-application-activity; sid:1604; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"WEB-MISC Delegate whois overflow attempt"; flow:to_server,established; content:"whois|3A|//"; nocase; reference:cve,2000-0165; classtype:web-application-activity; sid:1558; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 8000 (msg:"WEB-MISC nstelemetry.adp access"; flow:to_server,established; content:"/nstelemetry.adp"; classtype:web-application-activity; sid:1518; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 457 (msg:"WEB-MISC Netscape Unixware overflow"; flow:to_server,established; content:"|EB|_|9A FF FF FF FF 07 FF C3|^1|C0 89|F|9D|"; reference:arachnids,180; classtype:attempted-recon; sid:1132; rev:6;)
+
+# uricontent would be nice, but we can't be sure we are running http decoding
+# on 2301.  oh for rna integration...
+alert tcp $EXTERNAL_NET any -> $HOME_NET 2301 (msg:"WEB-MISC Compaq Insight directory traversal"; flow:to_server,established; content:"../"; reference:arachnids,244; reference:bugtraq,282; reference:cve,1999-0771; classtype:web-application-attack; sid:1199; rev:11;)
+
+
+# when we get real ports list, we will merge these sigs.  so for now, keep the
+# message the same.
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC VirusWall catinfo access"; flow:to_server,established; uricontent:"/catinfo"; nocase; reference:bugtraq,2579; reference:bugtraq,2808; reference:cve,2001-0432; reference:nessus,10650; classtype:attempted-recon; sid:1231; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 1812 (msg:"WEB-MISC VirusWall catinfo access"; flow:to_server,established; content:"/catinfo"; nocase; reference:bugtraq,2579; reference:bugtraq,2808; reference:cve,2001-0432; reference:nessus,10650; classtype:attempted-recon; sid:1232; rev:8;)
+
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Apache Chunked-Encoding worm attempt"; flow:to_server,established; content:"CCCCCCC|3A| AAAAAAAAAAAAAAAAAAA"; nocase; reference:bugtraq,4474; reference:bugtraq,4485; reference:bugtraq,5033; reference:cve,2002-0071; reference:cve,2002-0079; reference:cve,2002-0392; classtype:web-application-attack; sid:1809; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Chunked-Encoding transfer attempt"; flow:to_server,established; content:"Transfer-Encoding|3A|"; nocase; content:"chunked"; nocase; reference:bugtraq,4474; reference:bugtraq,4485; reference:bugtraq,5033; reference:cve,2002-0071; reference:cve,2002-0079; reference:cve,2002-0392; classtype:web-application-attack; sid:1807; rev:9;)
+
+
+
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC CISCO VoIP DOS ATTEMPT"; flow:to_server,established; uricontent:"/StreamingStatistics"; reference:bugtraq,4794; reference:bugtraq,4798; reference:cve,2002-0882; classtype:misc-attack; sid:1814; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC IBM Net.Commerce orderdspc.d2w access"; flow:established,to_server; uricontent:"/ncommerce3/ExecMacro/orderdspc.d2w"; reference:bugtraq,2350; reference:cve,2001-0319; reference:nessus,11020; classtype:web-application-activity; sid:1820; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC WEB-INF access"; flow:established,to_server; uricontent:"/WEB-INF"; nocase; reference:nessus,11037; classtype:web-application-activity; sid:1826; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Tomcat servlet mapping cross site scripting attempt"; flow:established,to_server; uricontent:"/servlet/"; uricontent:"/org.apache."; reference:bugtraq,5193; reference:cve,2002-0682; reference:nessus,11041; classtype:web-application-attack; sid:1827; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC iPlanet Search directory traversal attempt"; flow:established,to_server; uricontent:"/search"; content:"NS-query-pat="; content:"../../"; reference:bugtraq,5191; reference:cve,2002-1042; reference:nessus,11043; classtype:web-application-attack; sid:1828; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Tomcat TroubleShooter servlet access"; flow:established,to_server; uricontent:"/examples/servlet/TroubleShooter"; reference:bugtraq,4575; reference:nessus,11046; classtype:web-application-activity; sid:1829; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Tomcat SnoopServlet servlet access"; flow:established,to_server; uricontent:"/examples/servlet/SnoopServlet"; reference:bugtraq,4575; reference:nessus,11046; classtype:web-application-activity; sid:1830; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC jigsaw dos attempt"; flow:established,to_server; uricontent:"/servlet/con"; reference:nessus,11047; classtype:web-application-attack; sid:1831; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Macromedia SiteSpring cross site scripting attempt"; flow:established,to_server; uricontent:"/error/500error.jsp"; nocase; uricontent:"et="; uricontent:"<script"; nocase; reference:bugtraq,5249; reference:cve,2002-1027; classtype:web-application-attack; sid:1835; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC mailman cross site scripting attempt"; flow:established,to_server; uricontent:"/mailman/"; nocase; uricontent:"?"; uricontent:"info="; uricontent:"<script"; nocase; reference:bugtraq,5298; reference:cve,2002-0855; classtype:web-application-attack; sid:1839; rev:4;)
+
+
+
+# NOTES: this signature looks for access to common webalizer output directories.
+# Webalizer is a http server log reporting program.  By allowing anyone on the
+# internet to view the web access logs, attackers can gain information about
+# your customers that probably should not be made public.  webalizer had cross
+# site scripting bugs prior to version 2.01-09.
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC webalizer access"; flow:established,to_server; uricontent:"/webalizer/"; nocase; reference:bugtraq,3473; reference:cve,1999-0643; reference:cve,2001-0835; reference:nessus,10816; classtype:web-application-activity; sid:1847; rev:8;)
+
+
+# NOTES: this signature looks for someone accessing the directory webcart-lite.
+# webcart-lite allows users to access world readable plain text customer
+# information databases.  To correct this issue, users should make the
+# data directories and databases not world readable, move the files outside of
+# WEBROOT if possible, and verify that a compromise of customer information has
+# not occured.
+# SIMILAR RULES: sid:1125
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC webcart-lite access"; flow:to_server,established; uricontent:"/webcart-lite/"; nocase; reference:cve,1999-0610; reference:nessus,10298; classtype:web-application-activity; sid:1848; rev:5;)
+
+
+# NOTES: this signature looks for someone accessing the web application
+# "webfind.exe".  This application has a buffer overflow in the keywords
+# argument.  An attacker can use this vulnerability to execute arbitrary
+# code on the web server.
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC webfind.exe access"; flow:to_server,established; uricontent:"/webfind.exe"; nocase; reference:bugtraq,1487; reference:cve,2000-0622; reference:nessus,10475; classtype:web-application-activity; sid:1849; rev:7;)
+
+# NOTES: this signature looks for someone accessing the file "active.log" via
+# a web server.  By allowing anyone on the internet to view the web access
+# logs, attackers can gain information about your customers that probably
+# should not be made public.
+#
+# This logfile is made available from the WebActive webserver.  This webserver
+# is no longer maintained and should be replaced with an actively maintained
+# webserver.  If converting to another webserver is not possible, remove read
+# access to this file.
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC active.log access"; flow:to_server,established; uricontent:"/active.log"; nocase; reference:bugtraq,1497; reference:cve,2000-0642; reference:nessus,10470; classtype:web-application-activity; sid:1851; rev:6;)
+
+
+
+# NOTES: this signature looks for someone accessing the file "robots.txt" via
+# web server.  This file is used to make web spider agents (including search
+# engines) more efficient.  robots.txt is often used to inform a web spider
+# which directories that the spider should ignore because the content may be
+# dynamic or restricted.  An attacker can use this information to gain insite
+# into directories that may have been deemed sensitive.
+#
+# Verify that the robots.txt does not include any sensitive information.
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC robots.txt access"; flow:to_server,established; uricontent:"/robots.txt"; nocase; reference:nessus,10302; classtype:web-application-activity; sid:1852; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC robot.txt access"; flow:to_server,established; uricontent:"/robot.txt"; nocase; reference:nessus,10302; classtype:web-application-activity; sid:1857; rev:3;)
+
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 8181 (msg:"WEB-MISC CISCO PIX Firewall Manager directory traversal attempt"; flow:to_server,established; content:"/pixfir~1/how_to_login.html"; reference:bugtraq,691; reference:cve,1999-0158; reference:nessus,10819; classtype:misc-attack; sid:1858; rev:5;)
+
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 9090 (msg:"WEB-MISC Sun JavaServer default password login attempt"; flow:to_server,established; content:"/servlet/admin"; content:"ae9f86d6beaa3f9ecb9a5b7e072a4138"; reference:cve,1999-0508; reference:nessus,10995; classtype:default-login-attempt; sid:1859; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"WEB-MISC Linksys router default password login attempt"; flow:to_server,established; content:"Authorization|3A| Basic OmFkbWlu"; reference:nessus,10999; classtype:default-login-attempt; sid:1860; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"WEB-MISC Linksys router default username and password login attempt"; flow:to_server,established; content:"Authorization|3A| "; nocase; content:" Basic "; nocase; content:"YWRtaW46YWRtaW4"; reference:nessus,10999; classtype:default-login-attempt; sid:1861; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC NetGear router default password login attempt admin/password"; flow:to_server,established; content:"Authorization|3A| "; nocase; content:" Basic "; nocase; content:"YWRtaW46cGFzc3dvcmQ"; reference:nessus,11737; classtype:default-login-attempt; sid:2230; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Oracle XSQLConfig.xml access"; flow:to_server,established; uricontent:"/XSQLConfig.xml"; reference:bugtraq,4290; reference:cve,2002-0568; reference:nessus,10855; classtype:web-application-activity; sid:1871; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Oracle Dynamic Monitoring Services dms access"; flow:to_server,established; uricontent:"/dms0"; reference:nessus,10848; classtype:web-application-activity; sid:1872; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC globals.jsa access"; flow:to_server,established; uricontent:"/globals.jsa"; reference:bugtraq,4034; reference:cve,2002-0562; reference:nessus,10850; classtype:web-application-activity; sid:1873; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Oracle Java Process Manager access"; flow:to_server,established; uricontent:"/oprocmgr-status"; reference:nessus,10851; classtype:web-application-activity; sid:1874; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC bad HTTP/1.1 request, Potentially worm attack"; flow:to_server,established; content:"GET / HTTP/1.1|0D 0A 0D 0A|"; depth:18; reference:url,securityresponse.symantec.com/avcenter/security/Content/2002.09.13.html; classtype:web-application-activity; sid:1881; rev:6;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC whisker HEAD with large datagram"; dsize:>512; flow:to_server,established,no_stream; content:"HEAD"; depth:4; nocase; reference:url,www.wiretrip.net/rfp/pages/whitepapers/whiskerids.html; classtype:attempted-recon; sid:1171; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC whisker space splice attack"; dsize:1; flow:to_server,established; content:" "; reference:arachnids,296; reference:url,www.wiretrip.net/rfp/pages/whitepapers/whiskerids.html; classtype:attempted-recon; sid:1104; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC whisker tab splice attack"; dsize:<5; flow:to_server,established; content:"|09|"; reference:arachnids,415; reference:url,www.wiretrip.net/rfp/pages/whitepapers/whiskerids.html; classtype:attempted-recon; sid:1087; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC apache chunked encoding memory corruption exploit attempt"; flow:established,to_server; content:"|C0|PR|89 E1|PQRP|B8 3B 00 00 00 CD 80|"; reference:bugtraq,5033; reference:cve,2002-0392; classtype:web-application-activity; sid:1808; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC /Carello/add.exe access"; flow:to_server,established; uricontent:"/Carello/add.exe"; nocase; reference:bugtraq,1245; reference:cve,2000-0396; classtype:web-application-activity; sid:1943; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC /ecscripts/ecware.exe access"; flow:to_server,established; uricontent:"/ecscripts/ecware.exe"; nocase; classtype:web-application-activity; sid:1944; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ion-p access"; flow:to_server,established; uricontent:"/ion-p"; nocase; reference:bugtraq,6091; reference:cve,2002-1559; classtype:web-application-activity; sid:1969; rev:3;)
+
+# uricontent would be nice, but we can't be sure we are running http decoding
+# on 8888.  oh for rna integration...
+alert tcp $EXTERNAL_NET any -> $HOME_NET 8888 (msg:"WEB-MISC SiteScope Service access"; flow:to_server,established; content:"/SiteScope/cgi/go.exe/SiteScope"; reference:nessus,10778; classtype:web-application-activity; sid:1499; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 8888 (msg:"WEB-MISC answerbook2 admin attempt"; flow:to_server,established; content:"/cgi-bin/admin/admin"; classtype:web-application-activity; sid:1946; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 8888 (msg:"WEB-MISC answerbook2 arbitrary command execution attempt"; flow:to_server,established; content:"/ab2/"; content:"|3B|"; distance:1; classtype:web-application-attack; sid:1947; rev:4;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC perl post attempt"; flow:to_server,established; content:"POST"; depth:4; uricontent:"/perl/"; reference:bugtraq,5520; reference:cve,2002-1436; reference:nessus,11158; classtype:web-application-attack; sid:1979; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC TRACE attempt"; flow:to_server,established; content:"TRACE"; depth:5; reference:bugtraq,9561; reference:nessus,11213; reference:url,www.whitehatsec.com/press_releases/WH-PR-20030120.pdf; classtype:web-application-attack; sid:2056; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC helpout.exe access"; flow:to_server,established; uricontent:"/helpout.exe"; reference:bugtraq,6002; reference:cve,2002-1169; reference:nessus,11162; classtype:web-application-activity; sid:2057; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC MsmMask.exe attempt"; flow:to_server,established; uricontent:"/MsmMask.exe"; content:"mask="; reference:nessus,11163; classtype:web-application-attack; sid:2058; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC MsmMask.exe access"; flow:to_server,established; uricontent:"/MsmMask.exe"; reference:nessus,11163; classtype:web-application-activity; sid:2059; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC DB4Web access"; flow:to_server,established; uricontent:"/DB4Web/"; reference:nessus,11180; classtype:web-application-activity; sid:2060; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC Tomcat null byte directory listing attempt"; flow:to_server,established; uricontent:"|00|.jsp"; reference:bugtraq,2518; reference:bugtraq,6721; reference:cve,2003-0042; classtype:web-application-attack; sid:2061; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC iPlanet .perf access"; flow:to_server,established; uricontent:"/.perf"; classtype:web-application-activity; sid:2062; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC Demarc SQL injection attempt"; flow:to_server,established; uricontent:"/dm/demarc"; content:"s_key="; content:"'"; distance:0; content:"'"; distance:1; content:"'"; distance:0; classtype:web-application-activity; sid:2063; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC Lotus Notes .csp script source download attempt"; flow:to_server,established; uricontent:".csp"; content:".csp"; content:"."; within:1; classtype:web-application-attack; sid:2064; rev:2;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC Lotus Notes .csp script source download attempt"; flow:to_server,established; uricontent:".csp."; classtype:web-application-attack; sid:2065; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC Lotus Notes .pl script source download attempt"; flow:to_server,established; uricontent:".pl"; content:".pl"; content:"."; within:1; classtype:web-application-attack; sid:2066; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC Lotus Notes .exe script source download attempt"; flow:to_server,established; uricontent:".exe"; content:".exe"; content:"."; within:1; classtype:web-application-attack; sid:2067; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC BitKeeper arbitrary command attempt"; flow:to_server,established; uricontent:"/diffs/"; content:"'"; content:"|3B|"; distance:0; content:"'"; distance:1; reference:bugtraq,6588; classtype:web-application-attack; sid:2068; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC chip.ini access"; flow:to_server,established; uricontent:"/chip.ini"; reference:bugtraq,2755; reference:bugtraq,2775; reference:cve,2001-0749; reference:cve,2001-0771; classtype:web-application-activity; sid:2069; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC post32.exe arbitrary command attempt"; flow:to_server,established; uricontent:"/post32.exe|7C|"; reference:bugtraq,1485; classtype:web-application-attack; sid:2070; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC post32.exe access"; flow:to_server,established; uricontent:"/post32.exe"; reference:bugtraq,1485; classtype:web-application-activity; sid:2071; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC lyris.pl access"; flow:to_server,established; uricontent:"/lyris.pl"; reference:bugtraq,1584; reference:cve,2000-0758; classtype:web-application-activity; sid:2072; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC globals.pl access"; flow:to_server,established; uricontent:"/globals.pl"; reference:bugtraq,2671; reference:cve,2001-0330; classtype:web-application-activity; sid:2073; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC philboard.mdb access"; flow:to_server,established; uricontent:"/philboard.mdb"; reference:nessus,11682; classtype:web-application-activity; sid:2135; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC philboard_admin.asp authentication bypass attempt"; flow:to_server,established; uricontent:"/philboard_admin.asp"; content:"Cookie"; nocase; content:"philboard_admin=True"; distance:0; reference:bugtraq,7739; reference:nessus,11675; classtype:web-application-attack; sid:2136; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC philboard_admin.asp access"; flow:to_server,established; uricontent:"/philboard_admin.asp"; reference:bugtraq,7739; reference:nessus,11675; classtype:web-application-activity; sid:2137; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC logicworks.ini access"; flow:to_server,established; uricontent:"/logicworks.ini"; reference:bugtraq,6996; reference:nessus,11639; classtype:web-application-activity; sid:2138; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC /*.shtml access"; flow:to_server,established; uricontent:"/*.shtml"; reference:bugtraq,1517; reference:cve,2000-0683; reference:nessus,11604; classtype:web-application-activity; sid:2139; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC mod_gzip_status access"; flow:to_server,established; uricontent:"/mod_gzip_status"; reference:nessus,11685; classtype:web-application-activity; sid:2156; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC register.dll access"; flow:to_server,established; uricontent:"/register.dll"; nocase; reference:bugtraq,3327; reference:cve,2001-0958; reference:nessus,11747; classtype:web-application-activity; sid:2231; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ContentFilter.dll access"; flow:to_server,established; uricontent:"/ContentFilter.dll"; nocase; reference:bugtraq,3327; reference:cve,2001-0958; reference:nessus,11747; classtype:web-application-activity; sid:2232; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC SFNofitication.dll access"; flow:to_server,established; uricontent:"/SFNofitication.dll"; nocase; reference:bugtraq,3327; reference:cve,2001-0958; reference:nessus,11747; classtype:web-application-activity; sid:2233; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC TOP10.dll access"; flow:to_server,established; uricontent:"/TOP10.dll"; nocase; reference:bugtraq,3327; reference:cve,2001-0958; reference:nessus,11747; classtype:web-application-activity; sid:2234; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC SpamExcp.dll access"; flow:to_server,established; uricontent:"/SpamExcp.dll"; nocase; reference:bugtraq,3327; reference:cve,2001-0958; reference:nessus,11747; classtype:web-application-activity; sid:2235; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC spamrule.dll access"; flow:to_server,established; uricontent:"/spamrule.dll"; nocase; reference:bugtraq,3327; reference:cve,2001-0958; reference:nessus,11747; classtype:web-application-activity; sid:2236; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC cgiWebupdate.exe access"; flow:to_server,established; uricontent:"/cgiWebupdate.exe"; nocase; reference:bugtraq,3216; reference:cve,2001-1150; reference:nessus,11722; classtype:web-application-activity; sid:2237; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC WebLogic ConsoleHelp view source attempt"; flow:to_server,established; uricontent:"/ConsoleHelp/"; nocase; uricontent:".jsp"; nocase; reference:bugtraq,1518; reference:cve,2000-0682; reference:nessus,11724; classtype:web-application-attack; sid:2238; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC redirect.exe access"; flow:to_server,established; uricontent:"/redirect.exe"; nocase; reference:bugtraq,1256; reference:cve,2000-0401; classtype:web-application-activity; sid:2239; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC changepw.exe access"; flow:to_server,established; uricontent:"/changepw.exe"; nocase; reference:bugtraq,1256; reference:cve,2000-0401; classtype:web-application-activity; sid:2240; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC cwmail.exe access"; flow:to_server,established; uricontent:"/cwmail.exe"; nocase; reference:bugtraq,4093; reference:cve,2002-0273; reference:nessus,11727; classtype:web-application-activity; sid:2241; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ddicgi.exe access"; flow:to_server,established; uricontent:"/ddicgi.exe"; nocase; reference:bugtraq,1657; reference:cve,2000-0826; reference:nessus,11728; classtype:web-application-activity; sid:2242; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ndcgi.exe access"; flow:to_server,established; uricontent:"/ndcgi.exe"; nocase; reference:cve,2001-0922; reference:nessus,11730; classtype:web-application-activity; sid:2243; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC VsSetCookie.exe access"; flow:to_server,established; uricontent:"/VsSetCookie.exe"; nocase; reference:bugtraq,3784; reference:cve,2002-0236; reference:nessus,11731; classtype:web-application-activity; sid:2244; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Webnews.exe access"; flow:to_server,established; uricontent:"/Webnews.exe"; nocase; reference:bugtraq,4124; reference:cve,2002-0290; reference:nessus,11732; classtype:web-application-activity; sid:2245; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC webadmin.dll access"; flow:to_server,established; uricontent:"/webadmin.dll"; nocase; reference:nessus,11771; classtype:web-application-activity; sid:2246; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC oracle portal demo access"; flow:to_server,established; uricontent:"/pls/portal/PORTAL_DEMO"; nocase; reference:nessus,11918; classtype:web-application-activity; sid:2276; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC PeopleSoft PeopleBooks psdoccgi access"; flow:to_server,established; uricontent:"/psdoccgi"; nocase; reference:bugtraq,9037; reference:bugtraq,9038; reference:cve,2003-0626; reference:cve,2003-0627; classtype:web-application-activity; sid:2277; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC negative Content-Length attempt"; flow:to_server,established; content:"Content-Length|3A|"; nocase; pcre:"/^Content-Length\x3a\s+-\d+/smi"; reference:bugtraq,9098; reference:bugtraq,9476; reference:bugtraq,9576; reference:cve,2004-0095; classtype:misc-attack; sid:2278; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC bsml.pl access"; flow:to_server,established; uricontent:"/bsml.pl"; nocase; reference:bugtraq,9311; reference:nessus,11973; classtype:web-application-activity; sid:2327; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ISAPISkeleton.dll access"; flow:to_server,established; uricontent:"/ISAPISkeleton.dll"; nocase; reference:bugtraq,9516; classtype:web-application-activity; sid:2369; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC BugPort config.conf file access"; flow:to_server,established; uricontent:"/config.conf"; nocase; reference:bugtraq,9542; classtype:attempted-recon; sid:2370; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Sample_showcode.html access"; flow:to_server,established; uricontent:"/Sample_showcode.html"; nocase; content:"fname"; reference:bugtraq,9555; classtype:web-application-activity; sid:2371; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC schema overflow attempt"; flow:to_server,established; uricontent:"|3A|//"; pcre:"/^[^\/]{14,}?\x3a\/\//U"; reference:bugtraq,9581; reference:cve,2004-0039; classtype:attempted-admin; sid:2381; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 2301 (msg:"WEB-MISC Compaq web-based management agent denial of service attempt"; flow:to_server,established; content:"<!"; depth:75; content:">"; within:50; reference:bugtraq,8014; classtype:web-application-attack; sid:2394; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC InteractiveQuery.jsp access"; flow:to_server,established; uricontent:"/InteractiveQuery.jsp"; nocase; reference:bugtraq,8938; reference:cve,2003-0624; classtype:web-application-activity; sid:2395; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC edittag.pl access"; flow:to_server,established; uricontent:"/edittag.pl"; nocase; reference:bugtraq,6675; classtype:web-application-activity; sid:2400; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC util.pl access"; flow:to_server,established; uricontent:"/util.pl"; nocase; reference:bugtraq,9748; classtype:web-application-activity; sid:2407; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Invision Power Board search.pl access"; flow:to_server,established; uricontent:"/search.pl"; content:"st="; nocase; reference:bugtraq,9766; classtype:web-application-activity; sid:2408; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 554 (msg:"WEB-MISC Real Server DESCRIBE buffer overflow attempt"; flow:to_server,established; content:"DESCRIBE"; nocase; content:"../"; distance:1; pcre:"/^DESCRIBE\s[^\n]{300}/smi"; reference:bugtraq,8476; reference:url,www.service.real.com/help/faq/security/rootexploit091103.html; classtype:web-application-attack; sid:2411; rev:5;)
+
+# YES, the contents are logically backwards as to how the contents are seen on
+# the wire.  snort picks up the first of the longest pattern.  login=0 happens
+# MUCH less than Cookie.  so we do this for speed.
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC NetObserve authentication bypass attempt"; flow:to_server,established; content:"login=0"; nocase; content:"Cookie|3A|"; nocase; pcre:"/^Cookie\x3a[^\n]*?login=0/smi"; reference:bugtraq,9319; classtype:web-application-attack; sid:2441; rev:3;)
+
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 8000:8001 (msg:"WEB-MISC Quicktime User-Agent buffer overflow attempt"; flow:to_server,established; content:"User-Agent|3A|"; nocase; pcre:"/^User-Agent\x3a[^\n]{244,255}/smi"; reference:bugtraq,9735; reference:cve,2004-0169; classtype:web-application-attack; sid:2442; rev:6;)
+
+
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC source.jsp access"; flow:to_server,established; uricontent:"/source.jsp"; nocase; reference:nessus,12119; classtype:web-application-activity; sid:2484; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ServletManager access"; flow:to_server,established; uricontent:"/servlet/ServletManager"; nocase; reference:bugtraq,3697; reference:cve,2001-1195; reference:nessus,12122; classtype:web-application-activity; sid:2447; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC setinfo.hts access"; flow:to_server,established; uricontent:"/setinfo.hts"; nocase; reference:bugtraq,9973; reference:nessus,12120; classtype:web-application-activity; sid:2448; rev:2;)
+
+
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"WEB-MISC SSLv3 invalid data version attempt"; flow:to_server,established; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; content:!"|03|"; depth:1; offset:9; reference:bugtraq,10115; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2505; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"WEB-MISC SSLv3 Client_Hello request"; flow:to_server,established; flowbits:isnotset,sslv3.client_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; flowbits:set,sslv3.client_hello.request; flowbits:noalert; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2520; rev:5;)
+alert tcp $HTTP_SERVERS 443 -> $EXTERNAL_NET any (msg:"WEB-MISC SSLv3 Server_Hello request"; flow:to_client,established; flowbits:isset,sslv3.client_hello.request; content:"|16 03|"; depth:2; content:"|02|"; depth:1; offset:5; flowbits:set,sslv3.server_hello.request; flowbits:noalert; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2521; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"WEB-MISC SSLv3 invalid Client_Hello attempt"; flow:to_server,established; flowbits:isset,sslv3.server_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2522; rev:7;)
+
+
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"WEB-MISC PCT Client_Hello overflow attempt"; flow:to_server,established; content:"|01|"; depth:1; offset:2; byte_test:2,>,0,6; byte_test:2,!,0,8; byte_test:2,!,16,8; byte_test:2,>,20,10; content:"|8F|"; depth:1; offset:11; byte_test:2,>,32768,0,relative; reference:bugtraq,10116; reference:cve,2003-0719; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2515; rev:9;)
+
+# one of these days, we will have port lists...
+alert tcp $EXTERNAL_NET any -> $HOME_NET 81 (msg:"WEB-MISC McAfee ePO file upload attempt"; flow:to_server,established; content:"/spipe/repl_file"; nocase; content:"Command=BEGIN"; nocase; reference:bugtraq,10200; reference:cve,2004-0038; classtype:attempted-admin; sid:2562; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC cPanel resetpass access"; flow:to_server,established; uricontent:"/resetpass"; nocase; reference:bugtraq,9848; classtype:web-application-activity; sid:2569; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Invalid HTTP Version String"; flow:to_server,established; content:"HTTP/"; isdataat:6,relative; content:!"|0A|"; within:5; reference:bugtraq,9809; reference:nessus,11593; classtype:non-standard-protocol; sid:2570; rev:6;)
diff --git a/scripts/s2b/snort_rules2.2/web-php.rules b/scripts/s2b/snort_rules2.2/web-php.rules
new file mode 100644
index 0000000000..de9b4c68ee
--- /dev/null
+++ b/scripts/s2b/snort_rules2.2/web-php.rules
@@ -0,0 +1,142 @@
+# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
+#    All rights reserved.
+# $Id: web-php.rules 91 2004-07-15 08:13:57Z rwinslow $
+#--------------
+# WEB-PHP RULES
+#--------------
+
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP bb_smilies.php access"; flow:to_server,established; uricontent:"/bb_smilies.php"; nocase; reference:url,www.securiteam.com/securitynews/Serious_security_hole_in_PHP-Nuke__bb_smilies_.html; classtype:web-application-activity; sid:1774; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP content-disposition memchr overflow"; flow:to_server,established; content:"Content-Disposition|3A|"; nocase; content:"name=|22 CC CC CC CC CC|"; reference:bugtraq,4183; reference:cve,2002-0081; classtype:web-application-attack; sid:1423; rev:12;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP content-disposition"; flow:to_server,established; content:"Content-Disposition|3A|"; nocase; content:"form-data|3B|"; reference:bugtraq,4183; reference:cve,2002-0081; classtype:web-application-attack; sid:1425; rev:11;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP squirrel mail spell-check arbitrary command attempt"; flow:to_server,established; uricontent:"/squirrelspell/modules/check_me.mod.php"; nocase; content:"SQSPELL_APP["; nocase; reference:bugtraq,3952; classtype:web-application-attack; sid:1736; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP squirrel mail theme arbitrary command attempt"; flow:to_server,established; uricontent:"/left_main.php"; nocase; content:"cmdd="; reference:bugtraq,4385; reference:cve,2002-0516; classtype:web-application-attack; sid:1737; rev:6;)
+
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP DNSTools administrator authentication bypass attempt"; flow:to_server,established; uricontent:"/dnstools.php"; nocase; content:"user_logged_in=true"; nocase; content:"user_dnstools_administrator=true"; nocase; reference:bugtraq,4617; reference:cve,2002-0613; classtype:web-application-attack; sid:1739; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP DNSTools authentication bypass attempt"; flow:to_server,established; uricontent:"/dnstools.php"; nocase; content:"user_logged_in=true"; reference:bugtraq,4617; reference:cve,2002-0613; classtype:web-application-attack; sid:1740; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP DNSTools access"; flow:to_server,established; uricontent:"/dnstools.php"; nocase; reference:bugtraq,4617; reference:cve,2002-0613; classtype:web-application-activity; sid:1741; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Blahz-DNS dostuff.php modify user attempt"; flow:to_server,established; uricontent:"/dostuff.php?action=modify_user"; nocase; reference:bugtraq,4618; reference:cve,2002-0599; classtype:web-application-attack; sid:1742; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Blahz-DNS dostuff.php access"; flow:to_server,established; uricontent:"/dostuff.php"; nocase; reference:bugtraq,4618; reference:cve,2002-0599; classtype:web-application-activity; sid:1743; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Messagerie supp_membre.php access"; flow:to_server,established; uricontent:"/supp_membre.php"; nocase; reference:bugtraq,4635; classtype:web-application-activity; sid:1745; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP php.exe access"; flow:to_server,established; uricontent:"/php.exe"; nocase; reference:url,www.securitytracker.com/alerts/2002/Jan/1003104.html; classtype:web-application-activity; sid:1773; rev:3;)
+
+
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP directory.php arbitrary command attempt"; flow:to_server,established; uricontent:"/directory.php"; content:"dir="; content:"|3B|"; reference:bugtraq,4278; reference:cve,2002-0434; classtype:misc-attack; sid:1815; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP directory.php access"; flow:to_server,established; uricontent:"/directory.php"; reference:bugtraq,4278; reference:cve,2002-0434; classtype:misc-attack; sid:1816; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PHP-Wiki cross site scripting attempt"; flow:established,to_server; uricontent:"/modules.php?"; uricontent:"name=Wiki"; nocase; uricontent:"<script"; nocase; reference:bugtraq,5254; reference:cve,2002-1070; classtype:web-application-attack; sid:1834; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP phpbb quick-reply.php arbitrary command attempt"; flow:established,to_server; uricontent:"/quick-reply.php"; content:"phpbb_root_path="; distance:1; reference:bugtraq,6173; classtype:web-application-attack; sid:1967; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP phpbb quick-reply.php access"; flow:established,to_server; uricontent:"/quick-reply.php"; reference:bugtraq,6173; classtype:web-application-activity; sid:1968; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP read_body.php access attempt"; flow:established,to_server; uricontent:"/read_body.php"; reference:bugtraq,6302; reference:cve,2002-1341; classtype:web-application-activity; sid:1997; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP calendar.php access"; flow:established,to_server; uricontent:"/calendar.php"; reference:bugtraq,5820; reference:bugtraq,9353; reference:nessus,11179; classtype:web-application-activity; sid:1998; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP edit_image.php access"; flow:established,to_server; uricontent:"/edit_image.php"; reference:bugtraq,3288; reference:cve,2001-1020; reference:nessus,11104; classtype:web-application-activity; sid:1999; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP readmsg.php access"; flow:established,to_server; uricontent:"/readmsg.php"; reference:nessus,11073; classtype:web-application-activity; sid:2000; rev:1;)
+
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP remote include path"; flow:established,to_server; uricontent:".php"; content:"path="; pcre:"/page=(http|https|ftp)/i"; classtype:web-application-attack; sid:2002; rev:4;)
+
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Phorum admin access"; flow:to_server,established; uricontent:"/admin.php3"; nocase; reference:arachnids,205; reference:bugtraq,2271; classtype:attempted-recon; sid:1134; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP piranha passwd.php3 access"; flow:to_server,established; uricontent:"/passwd.php3"; reference:arachnids,272; reference:bugtraq,1149; reference:cve,2000-0322; classtype:attempted-recon; sid:1161; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Phorum read access"; flow:to_server,established; uricontent:"/read.php3"; nocase; reference:arachnids,208; classtype:attempted-recon; sid:1178; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Phorum violation access"; flow:to_server,established; uricontent:"/violation.php3"; nocase; reference:arachnids,209; reference:bugtraq,2272; classtype:attempted-recon; sid:1179; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Phorum code access"; flow:to_server,established; uricontent:"/code.php3"; nocase; reference:arachnids,207; classtype:attempted-recon; sid:1197; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP admin.php file upload attempt"; flow:to_server,established; uricontent:"/admin.php"; nocase; content:"file_name="; reference:bugtraq,3361; reference:cve,2001-1032; classtype:attempted-admin; sid:1300; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP admin.php access"; flow:to_server,established; uricontent:"/admin.php"; nocase; reference:bugtraq,3361; reference:bugtraq,7532; reference:bugtraq,9270; reference:cve,2001-1032; classtype:attempted-recon; sid:1301; rev:11;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP smssend.php access"; flow:to_server,established; uricontent:"/smssend.php"; reference:bugtraq,3982; reference:cve,2002-0220; classtype:web-application-activity; sid:1407; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PHP-Nuke remote file include attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; content:"file="; pcre:"/file=(http|https|ftp)/i"; reference:bugtraq,3889; reference:cve,2002-0206; classtype:web-application-attack; sid:1399; rev:11;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Phorum /support/common.php attempt"; flow:to_server,established; uricontent:"/support/common.php"; content:"ForumLang=../"; classtype:web-application-attack; sid:1490; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Phorum /support/common.php access"; flow:to_server,established; uricontent:"/support/common.php"; classtype:web-application-attack; sid:1491; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Phorum authentication access"; flow:to_server,established; content:"PHP_AUTH_USER=boogieman"; nocase; reference:arachnids,206; reference:bugtraq,2274; classtype:attempted-recon; sid:1137; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP strings overflow"; flow:to_server,established; content:"|BA|I|FE FF FF F7 D2 B9 BF FF FF FF F7 D1|"; reference:arachnids,431; reference:bugtraq,802; classtype:web-application-attack; sid:1085; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP strings overflow"; flow:to_server,established; uricontent:"?STRENGUR"; reference:arachnids,430; reference:bugtraq,1786; reference:cve,2000-0967; classtype:web-application-attack; sid:1086; rev:12;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PHPLIB remote command attempt"; flow:to_server,established; content:"_PHPLIB[libdir]"; reference:bugtraq,3079; reference:cve,2001-1370; classtype:attempted-user; sid:1254; rev:8;)
+alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-PHP PHPLIB remote command attempt"; flow:to_server,established; uricontent:"/db_mysql.inc"; reference:bugtraq,3079; reference:cve,2001-1370; classtype:attempted-user; sid:1255; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Mambo uploadimage.php upload php file attempt"; flow:to_server,established; uricontent:"/uploadimage.php"; content:"userfile_name="; content:".php"; distance:1; reference:bugtraq,6572; classtype:web-application-attack; sid:2074; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Mambo upload.php upload php file attempt"; flow:to_server,established; uricontent:"/upload.php"; content:"userfile_name="; content:".php"; distance:1; reference:bugtraq,6572; classtype:web-application-attack; sid:2075; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Mambo uploadimage.php access"; flow:to_server,established; uricontent:"/uploadimage.php"; reference:bugtraq,6572; classtype:web-application-activity; sid:2076; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Mambo upload.php access"; flow:to_server,established; uricontent:"/upload.php"; reference:bugtraq,6572; classtype:web-application-activity; sid:2077; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP phpBB privmsg.php access"; flow:to_server,established; uricontent:"/privmsg.php"; reference:bugtraq,6634; classtype:web-application-activity; sid:2078; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP p-news.php access"; flow:to_server,established; uricontent:"/p-news.php"; reference:nessus,11669; classtype:web-application-activity; sid:2140; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP shoutbox.php directory traversal attempt"; flow:to_server,established; uricontent:"/shoutbox.php"; content:"conf="; content:"../"; distance:0; reference:nessus,11668; classtype:web-application-attack; sid:2141; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP shoutbox.php access"; flow:to_server,established; uricontent:"/shoutbox.php"; reference:nessus,11668; classtype:web-application-activity; sid:2142; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP b2 cafelog gm-2-b2.php remote file include attempt"; flow:to_server,established; uricontent:"/gm-2-b2.php"; content:"b2inc="; pcre:"/b2inc=(http|https|ftp)/i"; reference:nessus,11667; classtype:web-application-attack; sid:2143; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP b2 cafelog gm-2-b2.php access"; flow:to_server,established; uricontent:"/gm-2-b2.php"; reference:nessus,11667; classtype:web-application-activity; sid:2144; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP TextPortal admin.php default password admin attempt"; flow:to_server,established; uricontent:"/admin.php"; content:"op=admin_enter"; content:"password=admin"; reference:bugtraq,7673; reference:nessus,11660; classtype:web-application-activity; sid:2145; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP TextPortal admin.php default password 12345 attempt"; flow:to_server,established; uricontent:"/admin.php"; content:"op=admin_enter"; content:"password=12345"; reference:bugtraq,7673; reference:nessus,11660; classtype:web-application-activity; sid:2146; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP BLNews objects.inc.php4 remote file include attempt"; flow:to_server,established; uricontent:"/objects.inc.php4"; content:"Server[path]="; pcre:"/Server\x5bpath\x5d=(http|https|ftp)/"; reference:bugtraq,7677; reference:cve,2003-0394; reference:nessus,11647; classtype:web-application-attack; sid:2147; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP BLNews objects.inc.php4 access"; flow:to_server,established; uricontent:"/objects.inc.php4"; reference:bugtraq,7677; reference:cve,2003-0394; reference:nessus,11647; classtype:web-application-activity; sid:2148; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Turba status.php access"; flow:to_server,established; uricontent:"/turba/status.php"; reference:nessus,11646; classtype:web-application-activity; sid:2149; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP ttCMS header.php remote file include attempt"; flow:to_server,established; uricontent:"/admin/templates/header.php"; content:"admin_root="; pcre:"/admin_root=(http|https|ftp)/"; reference:bugtraq,7542; reference:bugtraq,7543; reference:bugtraq,7625; reference:nessus,11636; classtype:web-application-attack; sid:2150; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP ttCMS header.php access"; flow:to_server,established; uricontent:"/admin/templates/header.php"; reference:bugtraq,7542; reference:bugtraq,7543; reference:bugtraq,7625; reference:nessus,11636; classtype:web-application-activity; sid:2151; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP test.php access"; flow:to_server,established; uricontent:"/test.php"; reference:nessus,11617; classtype:web-application-activity; sid:2152; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP autohtml.php directory traversal attempt"; flow:to_server,established; uricontent:"/autohtml.php"; content:"name="; content:"../../"; distance:0; reference:nessus,11630; classtype:web-application-attack; sid:2153; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP autohtml.php access"; flow:to_server,established; uricontent:"/autohtml.php"; reference:nessus,11630; classtype:web-application-activity; sid:2154; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP ttforum remote file include attempt"; flow:to_server,established; uricontent:"forum/index.php"; content:"template="; pcre:"/template=(http|https|ftp)/i"; reference:bugtraq,7542; reference:bugtraq,7543; reference:nessus,11615; classtype:web-application-attack; sid:2155; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP pmachine remote file include attempt"; flow:to_server,established; uricontent:"lib.inc.php"; content:"pm_path="; pcre:"/pm_path=(http|https|ftp)/"; reference:bugtraq,7919; reference:nessus,11739; classtype:web-application-attack; sid:2226; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP forum_details.php access"; flow:to_server,established; uricontent:"forum_details.php"; reference:bugtraq,7933; reference:nessus,11760; classtype:web-application-attack; sid:2227; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP phpMyAdmin db_details_importdocsql.php access"; flow:to_server,established; uricontent:"db_details_importdocsql.php"; reference:bugtraq,7962; reference:bugtraq,7965; reference:nessus,11761; classtype:web-application-attack; sid:2228; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP viewtopic.php access"; flow:to_server,established; uricontent:"viewtopic.php"; reference:bugtraq,7979; reference:cve,2003-0486; reference:nessus,11767; classtype:web-application-attack; sid:2229; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP UpdateClasses.php access"; flow:to_server,established; uricontent:"/UpdateClasses.php"; nocase; reference:bugtraq,9057; classtype:web-application-activity; sid:2279; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Title.php access"; flow:to_server,established; uricontent:"/Title.php"; nocase; reference:bugtraq,9057; classtype:web-application-activity; sid:2280; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Setup.php access"; flow:to_server,established; uricontent:"/Setup.php"; nocase; reference:bugtraq,9057; classtype:web-application-activity; sid:2281; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP GlobalFunctions.php access"; flow:to_server,established; uricontent:"/GlobalFunctions.php"; nocase; reference:bugtraq,9057; classtype:web-application-activity; sid:2282; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP DatabaseFunctions.php access"; flow:to_server,established; uricontent:"/DatabaseFunctions.php"; nocase; reference:bugtraq,9057; classtype:web-application-activity; sid:2283; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP rolis guestbook remote file include attempt"; flow:to_server,established; uricontent:"/insert.inc.php"; nocase; content:"path="; reference:bugtraq,9057; classtype:web-application-attack; sid:2284; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP rolis guestbook access"; flow:to_server,established; uricontent:"/insert.inc.php"; nocase; reference:bugtraq,9057; classtype:web-application-activity; sid:2285; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP friends.php access"; flow:to_server,established; uricontent:"/friends.php"; nocase; reference:bugtraq,9088; classtype:web-application-activity; sid:2286; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_comment.php access"; flow:to_server,established; uricontent:"/admin_comment.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2287; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_edit.php access"; flow:to_server,established; uricontent:"/admin_edit.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2288; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_embed.php access"; flow:to_server,established; uricontent:"/admin_embed.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2289; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_help.php access"; flow:to_server,established; uricontent:"/admin_help.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2290; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_license.php access"; flow:to_server,established; uricontent:"/admin_license.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2291; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_logout.php access"; flow:to_server,established; uricontent:"/admin_logout.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2292; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_password.php access"; flow:to_server,established; uricontent:"/admin_password.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2293; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_preview.php access"; flow:to_server,established; uricontent:"/admin_preview.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2294; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_settings.php access"; flow:to_server,established; uricontent:"/admin_settings.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2295; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_stats.php access"; flow:to_server,established; uricontent:"/admin_stats.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2296; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_templates_misc.php access"; flow:to_server,established; uricontent:"/admin_templates_misc.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2297; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_templates.php access"; flow:to_server,established; uricontent:"/admin_templates.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2298; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_tpl_misc_new.php access"; flow:to_server,established; uricontent:"/admin_tpl_misc_new.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2299; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_tpl_new.php access"; flow:to_server,established; uricontent:"/admin_tpl_new.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2300; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll booth.php access"; flow:to_server,established; uricontent:"/booth.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2301; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll poll_ssi.php access"; flow:to_server,established; uricontent:"/poll_ssi.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2302; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll popup.php access"; flow:to_server,established; uricontent:"/popup.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2303; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP files.inc.php access"; flow:to_server,established; uricontent:"/files.inc.php"; nocase; reference:bugtraq,8910; classtype:web-application-activity; sid:2304; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP chatbox.php access"; flow:to_server,established; uricontent:"/chatbox.php"; nocase; reference:bugtraq,8930; classtype:web-application-activity; sid:2305; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP gallery remote file include attempt"; flow:to_server,established; uricontent:"/setup/"; content:"GALLERY_BASEDIR="; pcre:"/GALLERY_BASEDIR=(http|https|ftp)/i"; reference:bugtraq,8814; reference:nessus,11876; classtype:web-application-attack; sid:2306; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PayPal Storefront remote file include attemtp"; flow:to_server,established; content:"do=ext"; content:"page="; pcre:"/page=(http|https|ftp)/i"; reference:bugtraq,8791; reference:nessus,11873; classtype:web-application-attack; sid:2307; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP authentication_index.php access"; flow:to_server,established; uricontent:"/authentication_index.php"; nocase; reference:cve,2004-0032; reference:nessus,11982; classtype:web-application-activity; sid:2328; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP MatrikzGB privilege escalation attempt"; flow:to_server,established; content:"new_rights=admin"; nocase; reference:bugtraq,8430; classtype:web-application-activity; sid:2331; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP DCP-Portal remote file include attempt"; flow:to_server,established; uricontent:"/library/editor/editor.php"; nocase; content:"root="; reference:bugtraq,6525; classtype:web-application-attack; sid:2341; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP DCP-Portal remote file include attempt"; flow:to_server,established; uricontent:"/library/lib.php"; nocase; content:"root="; reference:bugtraq,6525; classtype:web-application-attack; sid:2342; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PhpGedView search.php access"; flow:to_server,established; uricontent:"/search.php"; nocase; uricontent:"action=soundex"; nocase; uricontent:"firstname="; nocase; reference:bugtraq,9369; reference:cve,2004-0032; classtype:web-application-activity; sid:2345; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP myPHPNuke chatheader.php access"; flow:to_server,established; uricontent:"/chatheader.php"; nocase; reference:bugtraq,6544; classtype:web-application-activity; sid:2346; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP myPHPNuke partner.php access"; flow:to_server,established; uricontent:"/partner.php"; nocase; reference:bugtraq,6544; classtype:web-application-activity; sid:2347; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP IdeaBox cord.php file include"; flow:to_server,established; uricontent:"/index.php"; nocase; content:"ideaDir"; nocase; content:"cord.php"; nocase; reference:bugtraq,7488; classtype:web-application-activity; sid:2353; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP IdeaBox notification.php file include"; flow:to_server,established; uricontent:"/index.php"; nocase; content:"gorumDir"; nocase; content:"notification.php"; nocase; reference:bugtraq,7488; classtype:web-application-activity; sid:2354; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Invision Board emailer.php file include"; flow:to_server,established; uricontent:"/ad_member.php"; nocase; content:"emailer.php"; nocase; reference:bugtraq,7204; classtype:web-application-activity; sid:2355; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP WebChat db_mysql.php file include"; flow:to_server,established; uricontent:"/defines.php"; nocase; content:"WEBCHATPATH"; nocase; content:"db_mysql.php"; nocase; reference:bugtraq,7000; classtype:web-application-attack; sid:2356; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP WebChat english.php file include"; flow:to_server,established; uricontent:"/defines.php"; nocase; content:"WEBCHATPATH"; nocase; content:"english.php"; nocase; reference:bugtraq,7000; classtype:web-application-attack; sid:2357; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Typo3 translations.php file include"; flow:to_server,established; uricontent:"/translations.php"; nocase; content:"ONLY"; nocase; reference:bugtraq,6984; classtype:web-application-attack; sid:2358; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Invision Board ipchat.php file include"; flow:to_server,established; uricontent:"/ipchat.php"; nocase; content:"root_path"; nocase; content:"conf_global.php"; nocase; reference:bugtraq,6976; classtype:web-application-attack; sid:2359; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP myphpPagetool pt_config.inc file include"; flow:to_server,established; uricontent:"/doc/admin"; nocase; content:"ptinclude"; nocase; content:"pt_config.inc"; nocase; reference:bugtraq,6744; classtype:web-application-attack; sid:2360; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP news.php file include"; flow:to_server,established; uricontent:"/news.php"; nocase; content:"template"; nocase; reference:bugtraq,6674; classtype:web-application-attack; sid:2361; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP YaBB SE packages.php file include"; flow:to_server,established; uricontent:"/packages.php"; nocase; content:"packer.php"; nocase; reference:bugtraq,6663; classtype:web-application-attack; sid:2362; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Cyboards default_header.php access"; flow:to_server,established; uricontent:"/default_header.php"; nocase; reference:bugtraq,6597; classtype:web-application-activity; sid:2363; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Cyboards options_form.php access"; flow:to_server,established; uricontent:"/options_form.php"; nocase; reference:bugtraq,6597; classtype:web-application-activity; sid:2364; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP newsPHP Language file include attempt"; flow:to_server,established; uricontent:"/nphpd.php"; nocase; content:"LangFile"; nocase; reference:bugtraq,8488; classtype:web-application-activity; sid:2365; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PhpGedView PGV authentication_index.php base directory manipulation attempt"; flow:to_server,established; uricontent:"/authentication_index.php"; nocase; content:"PGV_BASE_DIRECTORY"; nocase; reference:bugtraq,9368; reference:cve,2004-0030; classtype:web-application-attack; sid:2366; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PhpGedView PGV functions.php base directory manipulation attempt"; flow:to_server,established; uricontent:"/functions.php"; nocase; content:"PGV_BASE_DIRECTORY"; nocase; reference:bugtraq,9368; reference:cve,2004-0030; classtype:web-application-attack; sid:2367; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PhpGedView PGV config_gedcom.php base directory manipulation attempt"; flow:to_server,established; uricontent:"/config_gedcom.php"; nocase; content:"PGV_BASE_DIRECTORY"; nocase; reference:bugtraq,9368; reference:cve,2004-0030; classtype:web-application-attack; sid:2368; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Photopost PHP Pro showphoto.php access"; flow:to_server,established; uricontent:"/showphoto.php"; nocase; reference:bugtraq,9557; classtype:web-application-activity; sid:2372; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP /_admin access"; flow:to_server,established; uricontent:"/_admin/"; nocase; reference:bugtraq,9537; reference:nessus,12032; classtype:web-application-activity; sid:2393; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP WAnewsletter newsletter.php file include attempt"; flow:to_server,established; uricontent:"newsletter.php"; nocase; content:"waroot"; nocase; content:"start.php"; nocase; reference:bugtraq,6965; classtype:web-application-attack; sid:2398; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP WAnewsletter db_type.php access"; flow:to_server,established; uricontent:"/sql/db_type.php"; nocase; reference:bugtraq,6964; classtype:web-application-activity; sid:2399; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP phptest.php access"; flow:to_server,established; uricontent:"/phptest.php"; nocase; reference:bugtraq,9737; classtype:web-application-activity; sid:2405; rev:1;)
+
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP IGeneric Free Shopping Cart page.php access"; flow:to_server,established; uricontent:"/page.php"; nocase; reference:bugtraq,9773; classtype:web-application-activity; sid:2410; rev:2;)
+
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP modules.php access"; flow:to_server,established; uricontent:"/modules.php"; nocase; reference:bugtraq,9879; classtype:web-application-activity; sid:2565; rev:1;)
+
+
+
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PHPBB viewforum.php access"; flow:to_server,established; uricontent:"/viewforum.php"; nocase; reference:bugtraq,9866; classtype:web-application-activity; sid:2566; rev:1;)
+
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Opt-X header.php remote file include attempt"; flow:to_server,established; uricontent:"/header.php"; nocase; content:"systempath="; pcre:"/systempath=(http|https|ftp)/i"; reference:bugtraq,9732; classtype:web-application-attack; sid:2575; rev:1;)
diff --git a/scripts/s2b/snort_rules2.2/x11.rules b/scripts/s2b/snort_rules2.2/x11.rules
new file mode 100644
index 0000000000..4647b99966
--- /dev/null
+++ b/scripts/s2b/snort_rules2.2/x11.rules
@@ -0,0 +1,9 @@
+# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
+#    All rights reserved.
+# $Id: x11.rules 91 2004-07-15 08:13:57Z rwinslow $
+#----------
+# X11 RULES
+#----------
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 6000 (msg:"X11 MIT Magic Cookie detected"; flow:established; content:"MIT-MAGIC-COOKIE-1"; reference:arachnids,396; classtype:attempted-user; sid:1225; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 6000 (msg:"X11 xopen"; flow:established; content:"l|00 0B 00 00 00 00 00 00 00 00 00|"; reference:arachnids,395; classtype:unknown; sid:1226; rev:4;)
diff --git a/scripts/signature_scores b/scripts/signature_scores
new file mode 100644
index 0000000000..b49bdccec0
--- /dev/null
+++ b/scripts/signature_scores
@@ -0,0 +1,11 @@
+sid-ciac-0	100
+sid-ciac-1	100
+sid-ciac-2	100
+sid-ciac-3	100
+sid-ciac-4	100
+sid-ciac-5	100
+sid-ciac-6	100
+sid-ciac-7	100
+sid-ciac-8	100
+bagle-bc	100
+_DEFAULT_		5
diff --git a/scripts/snort2bro/snort2bro b/scripts/snort2bro/snort2bro
new file mode 100644
index 0000000000..237c8c9423
--- /dev/null
+++ b/scripts/snort2bro/snort2bro
@@ -0,0 +1,1023 @@
+#! /usr/bin/env python
+#
+# $Header$
+
+import sys
+import re
+import getopt
+import os.path
+import struct
+
+# FIXME: Not all of the implemented Snort options are really tested...
+
+snortcmd       = re.compile( "(preprocessor|include|var|config|alert|log|pass|activate|dynamic|output)\s*:?\s*(.*)" )
+snortrule      = re.compile( "(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+\((.*)\)" )
+snortopt       = re.compile( r"([a-zA-Z_]+)\s*(:\s*(([^;]|(?<=\\);)+)|);" )
+
+snortipre      = "(\d+\.\d+\.\d+\.\d+(/\d+)?)"
+snortip        = re.compile( "(!)?%s" % snortipre )
+snortiplist    = re.compile( "(!)?\[(%s(,%s)*)\]" % ( snortipre,snortipre ) )
+snortport      = re.compile( "(!)?(\d+)" )
+snortportrange = re.compile( "(!)?(\d+)?:(\d+)?" )
+snortval       = re.compile( "([<>=!]?) *(\d+)" )
+snortvalrange  = re.compile( "(\d+)? *- *(\d+)?" )
+snortbytecode  = re.compile( r"\\\|\s*(([a-fA-F0-9]{2}\s*)+)\s*\\\|" ) # "|" are quoted when we do the match
+snorthex       = re.compile( "(..) *" )
+snortquote     = re.compile( r"\\(.)" )
+snortalpha     = re.compile( r"(\\x[a-fA-F0-9]{2}|[A-Za-z])" )
+snortrpc       = re.compile( r"((\d)+|\*) *, *((\d)+|\*) *, *((\d)+|\*)" )
+
+snortsid       = re.compile( "sid: *(\d+)" )
+
+# Mapping of Snort's variables to Bro's
+#     <snort> -> ( <bro>, <invert> )
+MapVars = {
+    "external_net": ( "local_nets", 1 ),
+    "home_net": ( "local_nets", 0 ),
+    "http_servers": ( "http_servers", 0 ),
+    "http_ports": ( "http_ports", 0 ),
+    "oracle_ports": ( "oracle_ports", 0 ),
+    "smtp_servers": ( "smtp_servers", 0 ),
+    "sql_servers": ( "sql_servers", 0 ),
+    "telnet_servers": ( "telnet_servers", 0 ),
+    "aim_servers": ( "aim_servers", 0 ),
+    "shellcode_ports": ( "non_shellcode_ports", 1 ),
+}
+
+# Mapping of variables to content
+SnortVars = {}
+
+# List of tuples (file,linenr) for all not fully processed input files:
+Inputs = []
+
+# Last input line read
+RawInputLine = ""
+
+# Counts Snort rules without SID
+UnknownCount = 0
+
+# There may be some rules for which it don't make sense to translate them. We ignore them.
+IgnoreSIDs = {}
+
+# Always include these signatures, even if they would be ignored with option -c.
+AlwaysIncludeSIDs = {}
+
+def error( str ):
+    if Inputs:
+        if RawInputLine:
+            print >>sys.stderr, ">>", RawInputLine,
+            if RawInputLine[-1] != "\n":
+                print >>sys.stderr
+        print >>sys.stderr, "Error in %s, line %d: %s" % ( Inputs[0][0].name, Inputs[0][1], str )
+
+    else:
+        print >>sys.stderr, "Error:", str
+    sys.exit( 1 )
+
+def warning( str ):
+    if Inputs:
+        if RawInputLine:
+            print >>sys.stderr, ">>", RawInputLine,
+            if RawInputLine[-1] != "\n":
+                print >>sys.stderr
+        print >>sys.stderr, "Warning in %s, line %d: %s" % ( Inputs[0][0].name, Inputs[0][1], str )
+    else:
+        print >>sys.stderr, "Warning:", str
+
+# Converts Snort-like globs into regexp chars
+def replaceGlobs( str ):
+    # Note that the globs are quoted when we see them here
+    # FIXME: If the original pattern contains a "\?" or "\*" it
+    # will be converted as well.
+    str = str.replace( "\\*", ".*" )
+    str = str.replace( "\\?", "." )
+    return str
+
+# Replaces Snort-like bytecodes by \x.. sequences
+def replaceByteCodes( str ):
+    return snortbytecode.sub( lambda bytecode: snorthex.sub( "\\x\\1", bytecode.group( 1 ) ), str )
+
+# Removes Snort's \ quotations
+def removeQuotes( str ):
+    return snortquote.sub( "\\1", str )
+
+# Quotes all '"'
+def quoteStr( str ):
+    return str.replace( "\"", "\\\"" )
+
+# Translates all alphabetical characters to case-insensitive classes
+def makeCaseInsensitive( str ):
+
+    def replaceby( match ):
+        s = match.group( 1 )
+        # Do not change hex codes
+        if s.startswith( "\\x" ):
+            return s
+        return "[%s%s]" % ( s.lower(), s.upper() )
+
+    str = snortalpha.sub( replaceby , str )
+    return str
+
+# Insert some special variants/character classes for URIs
+#     - "/ -> [/\]"
+def makeURIPattern( str ):
+    str = str.replace( "\\/", "[\\/\\\\]" )
+    return str
+
+# Escapes all regex control characters  so that it can be safely used as a regex
+def escapeCtrl( str ):
+    re = ""
+    for i in str:
+        if "^$|.*+?[](){}/\"\\".find( i ) >= 0:
+            i = "\\" + i
+        re += i
+    return re
+
+# Converts a Snort pattern into a RE
+# If icase==1, constructs an case-insensitive regex.
+# If uri==1, creates some special things for URIs (see above)
+# If glob==1, the pattern is a Snort-like "regex" glob
+# If negate==1, the pattern is negated
+# If neglen>0, it's the number of character which are *not* allowed to match the negated pattern
+#
+# FIXME: We should use a more sophisticated parser here
+#
+def patternToRE( str, icase, uri, globs, negate, neglen ):
+
+    if negate:
+        if patternLength( str ) > 1:
+            warning( "Can\'t negate patterns with more than one character" )
+            return "<willnevermatch>"
+        str = "[^%s]" % replaceByteCodes( escapeCtrl( str ) )
+
+        if neglen > 0:
+            return str + "{%d}" % neglen
+        else:
+            return str + "*"
+
+    str = removeQuotes( str )
+    str = escapeCtrl( str )
+    if globs:
+        str = replaceGlobs( str )
+    str = replaceByteCodes( str )
+
+    if uri:
+        str = makeURIPattern( str )
+
+    if icase:
+        str = makeCaseInsensitive( str )
+
+    return str
+
+# Counts the number chars in the Snort pattern
+def patternLength( str ):
+    str = removeQuotes( str )
+    str = escapeCtrl( str )
+    str = replaceByteCodes( str )
+
+    count = 0
+    esc = 0
+
+    for c in str:
+        if c == "\\" and not esc:
+            esc = 1
+            continue
+
+        if esc and c == "x":
+            count -= 2
+
+        esc = 0
+        count += 1
+
+    return count
+
+# Parse a Snort variable declaration
+def parseVar( decl ):
+    ( key, value ) = decl.split()
+    SnortVars[ "$"+key ] = value
+
+# Perform Snort's variable expansion
+def expandVars( str ):
+    for ( key, value ) in SnortVars.items():
+        str = str.replace( key, value )
+    return str
+
+# Parse Snort's rule options
+def parseRuleOptions( str ):
+
+    options = {}
+
+    m = snortopt.findall( str )
+
+    lastcontent = None
+    depth = distance = negate = nocase = offset = regex = within = -1
+
+    negpattern = -1
+
+#    print str
+
+    for ( b1, b2, b3, b4 ) in m:
+        if b2:
+            val = b3
+            if val[0] == "!":
+                negpattern = 1
+                val = val[1:]
+            if len( val ) >= 2:
+                if val[0] == '"' and val[-1] == '"':
+                    val = val[1:-1]
+        else:
+            val = ""
+
+        # Note that there may be more than one depth/offset per rule.
+        # Each depth/offset/regex affects exactly that content which precedes it.
+        # It's illegal to have a depth/offset/regex before a content.
+        # That is all undocumented.
+        # ... !@#$%^&* ...
+
+        option = b1.lower()
+
+        if option == "content":
+
+            if not lastcontent:
+                lastcontent = val
+                continue
+
+            oldval = val
+            val = ( lastcontent, depth, distance, negate, nocase, offset, regex, within )
+            depth = distance = negate = nocase = offset = regex = within = -1
+            negate = negpattern
+            lastcontent = oldval
+
+        elif option == "depth":
+            depth = int( val )
+            continue
+
+        elif option == "distance":
+            distance = int( val )
+            continue
+
+        elif option == "within":
+            within = int( val )
+            continue
+
+        elif option == "offset":
+            offset = int( val )
+            continue
+
+        elif option == "regex":
+            regex = 1
+            continue
+
+        elif option == "nocase":
+            nocase = 1
+            continue
+
+        try:
+            options[ option ] += [ val ]
+        except LookupError:
+            options[ option ] = [ val ]
+
+    if lastcontent:
+        try:
+            options[ "content" ] += [ ( lastcontent, depth, distance, negate, nocase, offset, regex, within ) ]
+        except LookupError:
+            options[ "content" ] = [ ( lastcontent, depth, distance, negate, nocase, offset, regex, within ) ]
+
+    return options
+
+# Parses a list of IPs in Snort's format
+def parseIP( ip ):
+
+    # See if it's an unexpanded var.
+    if ip.startswith( "$" ):
+        try:
+            ( brovar, neg ) = MapVars[ ip[1:] ]
+            return ( neg, [brovar] )
+        except LookupError:
+            error( "Unknown variable " + ip )
+
+    m = snortip.match( ip )
+    if m:
+        ips = ( m.group( 2 ), )
+    else:
+        m = snortiplist.match( ip )
+        if m:
+            ips = m.group( 2 ).split( "," )
+        else:
+            error( "Can\'t parse IP " + ip )
+
+    if m.group( 1 ) != "!":
+        return( 0, ips )
+    else:
+        return( 1, ips )
+
+# Parses a list of ports in Snort's format
+def parsePort( port ):
+
+    # See if it's an unexpanded var.
+    if port.startswith( "$" ):
+        try:
+            ( brovar, neg ) = MapVars[ port[1:] ]
+            return ( neg, brovar, brovar )
+        except LookupError:
+            error( "Unknown variable " + port )
+
+    m = snortportrange.match( port )
+    if m:
+        try:
+            min = int( m.group( 2 ) )
+        except TypeError:
+            min = 0
+        try:
+            max = int( m.group( 3 ) )
+        except TypeError:
+            max = 65535
+    else:
+        m = snortport.match( port )
+        if m:
+            min = max = int( m.group( 2 ) )
+        else:
+            error( "Can\'t parse port " + port )
+
+    if m.group( 1 ) != "!":
+        return( 0, min, max )
+    else:
+        return( 1, min, max )
+
+######
+
+# Convert the common head of a Snort rule
+def convertHead( prot, srcip, srcport, dstip, dstport ):
+
+    rule = ""
+
+    # Convert IP protocol
+    if prot.lower() != "ip":
+	rule += "  ip-proto == %s\n" % prot.lower()
+
+    # Convert IPs
+    for ( tag, ip ) in ( ( "src-ip", srcip ), ( "dst-ip", dstip ) ):
+        if ip != "any":
+            ( negate, iplist ) = parseIP( ip )
+            if not negate:
+                cmp = "=="
+            else:
+                cmp = "!="
+
+            rule += "  %s %s %s\n" % ( tag, cmp, ",".join( iplist ) )
+
+    # Convert Ports
+    for ( tag, port ) in ( ( "src-port", srcport ), ( "dst-port", dstport ) ):
+        if port != "any":
+            ( negate, min, max ) = parsePort( port )
+            if min == max:
+                if not negate:
+                    cmp = "=="
+                else:
+                    cmp = "!="
+                rule += "  %s %s %s\n" % ( tag, cmp, min )
+            else:
+                if not negate:
+                    cmp1 = ">="
+                    cmp2 = "<="
+                else:
+                    cmp1 = "<"
+                    cmp2 = ">"
+
+                rule += "  %s %s %s\n" % ( tag, cmp1, min )
+                rule += "  %s %s %s\n" % ( tag, cmp2, max )
+
+    return rule
+
+# Converts one of Snort's bit strings (like "A+" for "flags")
+def convertBitSet( str, bitspecs, hdrfield, fieldmask ):
+
+    # Split into flags and mask
+    parts = str.split(",")
+    if len(parts) > 1:
+        ( str, snortmask ) = parts
+        # FIXME: We ignore the mask for now. This would again need some
+        # digging in Snort's source as I don't really understand what they
+        # are doing...
+        
+    # This is not strictly Snort conforming but works as long as the
+    # flag string is not ambigious.
+
+    type = ""
+    mask = 0
+    for c in str:
+        if "+!*".find( c ) >= 0:
+            type = c
+            continue
+        try:
+            mask |= bitspecs[c]
+        except LookupError:
+            error( "Unknown bit in \"%s\"" % str )
+
+    if type == "":
+        # Snort's default is check for equality (undocumented)
+        rule = "  %s & %d == %d\n" % ( hdrfield, fieldmask, mask )
+    if type == "+":
+        rule = "  %s & %d == %d\n" % ( hdrfield, ( mask | fieldmask ), mask )
+    if type == "*":
+        rule = "  %s & %d != 0\n" % ( hdrfield, ( mask | fieldmask ) )
+    if type == "!":
+        rule = "  %s & %d == 0\n" % ( hdrfield, ( mask | fieldmask ) )
+
+    return rule
+
+# Converts a test for a value which may include some range (e.g. "<5", "21-42")
+def convertVal( str, hdrfield ):
+
+    m = snortvalrange.match( str )
+    if m:
+        try:
+            min = int( m.group( 1 ) )
+        except TypeError:
+            min = 0
+        try:
+            max = int( m.group( 2 ) )
+        except TypeError:
+            max = -1
+
+        rule = ""
+        if min > 0:
+            rule += "  %s >= %d\n" % ( hdrfield, min )
+        if min >= 0:
+            rule += "  %s <= %d\n" % ( hdrfield, max )
+        return rule
+
+    m = snortval.match( str )
+    if m:
+        val = int( m.group( 2 ) )
+        cmp = m.group( 1 )
+
+        if cmp == "<" or cmp == ">":
+            return "  %s %s %d\n" % ( hdrfield, cmp, val )
+        if cmp == "!":
+            return "  %s != %d\n" % ( hdrfield, val )
+        if cmp == "" or cmp == "=":
+            return "  %s == %d\n" % ( hdrfield, val )
+
+    error( "Can\'t parse value \"%s\"" % str )
+
+# Convert one value of the RPC triple into a RE
+def convertRPCVal( str ):
+    if str == "*":
+        return "."
+    else:
+        # Convert value to hex pattern in network bye order
+        val = struct.pack( "!I", int( str ) )
+        return ( "\\x%02x" * 4 ) % struct.unpack( "BBBB", val )
+
+# Sanity check to see if the two protocols match
+def checkProt( testprot, option, ruleprot ):
+    if testprot != ruleprot:
+        error( "Option \"%s\" only valid for %s rules" % ( option, testprot.upper() ) )
+
+def convertOptions( options, prot ):
+
+    global IsPayloadRule
+    
+    rule = ""
+    payloads = []
+
+    for ( key, vallist ) in options.items():
+
+        if key == "ack":
+            checkProt( "tcp", key, prot )
+            rule += "  header tcp[8:4] == %d\n" % int( vallist[0] )
+
+        elif key == "classtype":
+            pass
+
+        elif key == "content":
+
+           IsPayloadRule = 1
+           
+           for i in range( len( vallist ) ):
+
+                ( content, depth, distance, negate, nocase, offset, regex, within ) = vallist[i]
+
+                # Special case: If have we have a payload size which equals the size of the pattern,
+                # the payload has to match exactly
+
+                prefix = ".*"
+
+                if "dsize" in options.keys():
+                    try:
+                        if patternLength( content ) == int( options["dsize"][0] ):
+                            prefix = ""
+                    except ValueError:
+                        # dsize is something which contains a range; do nothing as
+                        # it's just an optimization after all
+                        pass
+
+                realdepth = depth;
+                realoffset = offset;
+
+                maxdist = 1
+
+                if depth >= 0:
+                    realdepth -= patternLength( content )
+
+                if offset >= 0:
+                    realoffset -= 1
+                    maxdist = 0
+
+                if offset >= 0 and depth >= 0:
+                    realdepth -= offset
+                    maxdist = 1
+
+                if within >= 0:
+                    realdepth += within - patternLength( content ) + 1
+
+                if distance >= 0:
+                    realoffset += distance + 1
+                    maxdist = 0
+
+                if within >= 0 and distance >= 0:
+                    maxdist = 1
+
+                if realdepth < 0 and realoffset <= 0:
+                    re = prefix
+                else:
+                    re = ""
+
+                if realdepth < 0:
+                    realdepth = -1
+
+                if realoffset > 0:
+                    if maxdist:
+                        re += ".{%d}" % realoffset
+                    else:
+                        re += ".{%d}.*" % realoffset
+                elif realoffset == 0 and not maxdist:
+                        re += ".*"
+
+                if realdepth > 0 and negate < 0:
+                    re += ".{0,%d}" % realdepth
+                    maxdist = 1
+
+                re += patternToRE( content, nocase >= 0, 0, regex >= 0, negate >= 0, realdepth + 1 )
+
+                if distance >= 0 or within >= 0:
+                    try:
+                        payloads[-1] += re
+                    except LookupError:
+                        payloads = [ re ]
+                else:
+                    payloads += [ re ]
+
+                if REFile:
+                    print >>REFile, re
+                if PatternFile:
+                    print >>PatternFile, val
+
+        elif key == "depth":
+            # Ignore it here; we test for it when handling content
+            pass
+
+        elif key == "distance":
+            # Ignore it here; we test for it when handling content
+            pass
+
+        elif key == "dsize":
+            rule += convertVal( vallist[0], "payload-size" )
+            pass
+
+        elif key == "flags":
+            checkProt( "tcp", key, prot )
+
+            TCPFlags =  { "F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
+                          "A": 0x10, "U": 0x20, "2": 0x40, "1": 0x80, "0": 0x00 }
+            rule += convertBitSet( "".join( vallist ), TCPFlags, "header tcp[13:1]", 0xff )
+
+        elif key == "flow":
+            checkProt( "tcp", key, prot )
+
+            Flows = { "established" : "established",
+                      "to_server" : "originator",
+                      "to_client" : "responder",
+                      "from_server" : "responder",
+                      "from_client" : "originator",
+                      "state_less" : "state_less"
+                      }
+
+            tcpstate = []
+            for val in vallist:
+                for ( snort, bro ) in Flows.items():
+                    if val.find( snort.lower() ) >= 0:
+                        tcpstate += ( bro, )
+            if tcpstate:
+                rule += "  tcp-state %s\n" % ",".join( tcpstate )
+
+        elif key == "fragbits":
+            FragFlags = { "M": 0x20, "D": 0x40, "R": 0x80 }
+            rule += convertBitSet( "".join( vallist ), FragFlags, "header ip[6:1]", 0xe0 )
+
+        elif key == "icmp_seq":
+            checkProt( "icmp", key, prot )
+            # Check if it's an ECHO or ECHO_REPLY packet
+            # Note Snort's undocumented behaviour: It does check REPLYs
+            # as well, and it does not check the ICMP code
+            rule += "  header icmp[0:1] == 0,8\n"
+            rule += "  header icmp[6:2] == %d\n" % int( vallist[0] )
+
+        elif key == "icmp_id":
+            checkProt( "icmp", key, prot )
+            # Check if it's an ECHO or ECHO_REPLY packet
+            # Note Snort's undocumented behaviour: It does check REPLYs
+            # as well, and it does not check the ICMP code
+            rule += "  header icmp[0:1] == 0,8\n"
+            rule += "  header icmp[4:2] == %d\n" % int( vallist[0] )
+
+        elif key == "icode":
+            checkProt( "icmp", key, prot )
+            rule += "  header icmp[1:1] == %d\n" % int( vallist[0] )
+
+        elif key == "id":
+            rule += "  header ip[4:2] == %d\n" % int( vallist[0] )
+
+        elif key == "ip_proto":
+            rule += convertVal( vallist[0], "header ip[9:1]" )
+
+        elif key == "ipopts":
+            rule += "  ip-options %s\n" % ",".join( vallist ).lower()
+
+        elif key == "itype":
+            checkProt( "icmp", key, prot )
+            rule += "  header icmp[0:1] == %d\n" % int( vallist[0] )
+
+        elif key == "msg":
+            rule += "  event \"%s\"\n" % quoteStr( removeQuotes( " ".join( vallist ) ) )
+
+        elif key == "nocase":
+            # Ignore it here; we test for it when handling content
+            pass
+
+        elif key == "offset":
+            # Ignore it here; we test for it when handling content
+            pass
+
+        elif key == "rawbytes":
+            # We can ignore this as we're always matching raw bytes.
+            pass
+        
+        elif key == "ref":
+            pass
+
+        elif key == "reference":
+            pass
+
+        elif key == "regex":
+            pass
+
+        elif key == "rev":
+            pass
+
+        elif key == "rpc":
+            m = snortrpc.match( vallist[0] )
+            if not m:
+                error( "Can\'t parse RPC values" )
+            ( app, proc, version ) = ( m.group( 1 ), m.group( 3 ), m.group( 5 ) )
+
+            # The Snort rule set has only explicit UDP/TCP rules containg
+            # "rpc" but no general IP rules. So we use the rule type
+            # to decide whether we check for UDP- or TCP-style RPC
+            #
+            # Snort only looks at calls, but not on replies (undocumented)
+            # Snort validates the RPC_MSG_VERSION (undocumented)
+            if prot == "udp":
+                off = 7
+            else:
+                checkProt( "tcp", key, prot )
+                off = 11
+
+            # RPC version == 2, Call == 1 \
+            rule += "  payload /" + ( "." * off ) \
+                    + "\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x01"  \
+                    + convertRPCVal( app ) + convertRPCVal( version ) + convertRPCVal( proc ) \
+                    + "/\n"
+
+        elif key == "sameip":
+            rule += "  same-ip\n"
+
+        elif key == "seq":
+            checkProt( "tcp", key, prot )
+            rule += "  header tcp[4:4] == %d\n" % int( vallist[0] )
+
+        elif key == "sid":
+            pass
+        
+        elif key == "tag":
+            # In Snort, this capture packets of session/host for later analysis.
+            # Unsupported for now, but we could come up with something similar
+            # by passing it on to set_record_contents(). Doesn't affect the
+            # matching, though.
+            pass
+
+        elif key == "ttl":
+            rule += convertVal( vallist[0], "header ip[8:1]" )
+            pass
+
+        elif key == "uricontent":
+            
+           IsPayloadRule = 1            
+            
+           for val in vallist:
+#                if ALTERNATIVE_PATTERNS:
+#                    re = "(|.*\\r\\n\\r\\n)(GET|HEAD|POST) *[^\\n]*%s" % patternToRE( val, "nocase" in options.keys(), 1, 0 )
+#                else:
+#                    re = "(GET|HEAD|POST) *[^\\n]*%s" % patternToRE( val, "nocase" in options.keys(), 1, 0 )
+#
+#                rule += "  payload /%s/\n" % re
+
+                if ALTERNATIVE_PATTERNS:
+                    re = "(|.*\\r\\n\\r\\n)(GET|HEAD|POST) *[^\\n]*%s" % patternToRE( val, "nocase" in options.keys(), 1, 0, 0, 0 )
+                    rule += "  payload /%s/\n" % re
+                else:
+                    re = ".*%s" % patternToRE( val, "nocase" in options.keys(), 1, 0, 0, 0 )
+                    rule += "  http /%s/\n" % re
+
+
+
+                if REFile:
+                    print >>REFile, re
+                if PatternFile:
+                    print >>PatternFile, val
+
+        elif key == "within":
+            # Ignore it here; we test for it when handling content
+            pass
+
+        else:
+            warning( "Option '%s' not supported currently; ignored" % key )
+            rule += "  # Not supported: %s: %s\n" % ( key, ",".join( vallist ) )
+
+    for p in payloads:
+        rule += "  payload /%s/\n" % p
+
+    return rule
+
+def parseAlert( rule ):
+
+    global UnknownCount
+    global IsPayloadRule
+
+    IsPayloadRule = 0
+    
+    m = snortrule.match( rule )
+    if not m:
+        error( "Can\'t parse alert rule" )
+
+    fields = m.groups()
+
+    ( prot, srcip, srcport, dir, dstip, dstport ) = map( lambda s: s.lower(), fields[0:6] )
+
+    options = parseRuleOptions( fields[6] )
+
+    try:
+        sid = options["sid"][0]
+        try:
+            if int( sid ) in  IgnoreSIDs:
+                return
+            id = "sid-" + sid
+        except ValueError:
+            id = sid
+
+    except LookupError:
+        id = "sid-unknown-%d" % UnknownCount
+        UnknownCount += 1
+
+    try:
+        # Create rules depending on the direction; for "<>" we simply create
+        # two rules
+
+        if dir == "<>":
+            id1 = id + "-a"
+            id2 = id + "-b"
+        else:
+            id1 = id2 = id
+
+        if dir != "->":
+            rule = "signature %s {\n" % id1
+            rule += convertHead( prot, dstip, dstport, srcip, srcport )
+            rule += convertOptions( options, prot )
+            
+            if not PAYLOAD_ONLY or IsPayloadRule or id in AlwaysIncludeSIDs:
+                print rule + "  }\n"
+
+        if dir != "<-":
+            rule = "signature %s {\n" % id2
+            rule += convertHead( prot, srcip, srcport, dstip, dstport )
+            rule += convertOptions( options, prot )
+            
+            if not PAYLOAD_ONLY or IsPayloadRule or id in AlwaysIncludeSIDs:
+                print rule + "  }\n"
+
+    except LookupError, e:
+        error( "Can\'t convert rule: " + str( e ) )
+
+#### Main
+
+# Use some alternative patterns
+ALTERNATIVE_PATTERNS = 0
+# If PatternFile is a file, all content/uricontent patterns are written to it
+PatternFile = 0
+# If REFile is a file, all REs generated from content/uricontent patterns are written to it
+REFile = 0
+# Directories where to look for include's
+INCPATH = [ "./" ]
+# Only include signatures which match contain payload/uricontent
+# (Exceptions can be defined in AlwaysIncludeSIDs)
+PAYLOAD_ONLY = 0
+
+# Number of Snort rules to output (no conversion to Bro format)
+SnortRules = -1
+
+# Total number of rules
+TotalRules = 0
+
+def openInputFile( filename ):
+
+    for i in INCPATH:
+        try:
+            fullpath =  os.path.join( i, filename )
+            file = open( fullpath )
+            print >>sys.stderr, "Reading", fullpath
+            return file
+        except IOError:
+            pass
+
+    error( "Can\'t find file %s" % filename )
+
+def ReadConfig( file ):
+    
+    try:
+        cfg = open( arg )
+        for line in cfg:
+            
+            line = line.strip()
+            if len( line ) == 0 or line.startswith("#"):
+                continue
+
+            try:
+                ( action, sid ) = line.split()
+                sid = int( sid )
+            except ValueError:
+                print >>sys.stderr, "Warning: illegal format '%s'" % line
+                continue
+            
+            if action == "ignore":
+                IgnoreSIDs[sid] = 1
+
+            if action == "include":
+                AlwaysIncludeSIDs[sid] = 1
+                
+    except IOError:
+        print >>sys.stderr, "Warning: Can't read config file %s" % arg
+                
+def usage():
+    print >>sys.stderr
+    print >>sys.stderr, "Usage: snort2bro [<options>] [<snort-files>] "
+    print >>sys.stderr
+    print >>sys.stderr, "  Options:"
+    print >>sys.stderr
+    print >>sys.stderr, "    -c <file>: File containing signature in-/excludes"
+    print >>sys.stderr, "    -p       : Only include signatures which match on payload"
+    print >>sys.stderr, "    -I <dir> : Add dir to search path for Snort\'s include statement"
+    print >>sys.stderr
+    print >>sys.stderr, "    -P       : Write all patterns to patterns.txt and "
+    print >>sys.stderr, "               all generared REs to res.txt"
+    print >>sys.stderr, "    -S <n>   : No conversion; just print out one big Snort config file"
+    print >>sys.stderr, "               containing the first <n> rules"
+    print >>sys.stderr, "    -X       : Produce some alternate REs"
+
+    print >>sys.stderr
+    sys.exit( 1 )
+
+try:
+    options, rest = getopt.getopt( sys.argv[1:], "XPI:S:pc:" )
+except:
+    usage()
+
+for( opt, arg ) in options:
+    if opt == "-X":
+        ALTERNATIVE_PATTERNS = 1
+
+    if opt == "-P":
+        PatternFile = open( "patterns.txt", "w" );
+        REFile = open( "res.txt", "w" );
+
+    if opt == "-I":
+        INCPATH += [ arg, ]
+
+    if opt == "-S":
+        SnortRules = int( arg )
+
+    if opt == "-p":
+        PAYLOAD_ONLY = 1
+
+    if opt == "-c":
+        ReadConfig( arg )
+        
+if len( rest ):
+    Inputs = [ ( openInputFile( file ), 0 ) for file in rest ]
+else:
+    Inputs = [ ( sys.stdin, 0 ) ]
+
+continued = False
+
+while Inputs:
+
+    if not continued:
+        line = ""
+    
+    RawInputLine = Inputs[0][0].readline()
+    if not RawInputLine:
+        Inputs = Inputs[1:]
+        continue
+
+    single_line = RawInputLine.strip()
+    
+    # Increase line count
+    Inputs[0] = ( Inputs[0][0], Inputs[0][1] + 1 )
+
+    # Continuation of lines
+    if single_line.endswith("\\"):
+        line += single_line[:-1]
+        continued = True
+        continue
+
+    line += single_line
+    continued = False
+
+    # Empty or comments
+    if not line or line.startswith( '#' ):
+        continue
+            
+    line = expandVars( line )
+
+    m = snortcmd.match( line )
+    if not m:
+        error( "Can\'t parse line " + line )
+
+    cmd = m.group( 1 )
+    args = m.group( 2 )
+
+    if cmd == "include":
+        Inputs = [ ( openInputFile( args ), 0 ) ] + Inputs
+        continue
+
+    if cmd == "var":
+        parseVar( args )
+
+    if cmd == "alert":
+        TotalRules += 1
+
+    if SnortRules >= 0:
+
+        noprint = 0
+
+        if cmd == "alert":
+
+            for i in IgnoreSIDs:
+                m = snortsid.search( args )
+                if m and int( m.group( 1 ) ) == i:
+                    noprint = 1
+                    
+            if SnortRules == 0:
+                noprint = 1
+
+            if not noprint:
+                SnortRules -= 1
+
+        if not noprint:
+            print RawInputLine,
+
+        continue
+
+    if cmd == "var":
+        continue
+
+    if cmd == "alert":
+        parseAlert( args )
+        continue
+
+    if cmd == "output":
+        continue
+
+    if cmd == "preprocessor":
+        continue
+
+    if cmd == "config":
+        # FIXME: Should we convert this to Bro?
+        continue
+
+    warning( "'%s' is not supported yet; line ignored." % cmd )
+
+
+# Options -S returns the number of rules as exit code
+if SnortRules >= 0:
+    print >>sys.stderr, TotalRules
diff --git a/scripts/snort2bro/snort2bro.cfg b/scripts/snort2bro/snort2bro.cfg
new file mode 100644
index 0000000000..8f929c7b5b
--- /dev/null
+++ b/scripts/snort2bro/snort2bro.cfg
@@ -0,0 +1,15 @@
+# $Id: snort2bro.cfg 80 2004-07-14 20:15:50Z jason $
+#
+# An example of an input file to use with snort2bro's -c <file> option.
+#
+# Format:
+#        ignore <sid>       Always skip this signature.
+#        include <sid>      Always include this signature.
+
+# sid-526 BAD TRAFFIC data in TCP SYN packet 
+ignore	526 
+
+# sid-623 matches a null-flags stealth scan.  Include it even
+# if we build with -p, since it doesn't tend to generate any
+# false positives.
+include	623
diff --git a/scripts/spot-trace b/scripts/spot-trace
new file mode 100755
index 0000000000..ac8a8f6c73
--- /dev/null
+++ b/scripts/spot-trace
@@ -0,0 +1,146 @@
+#!/usr/bin/perl
+require 5.002;
+use Cwd;
+use File::Basename;
+use Getopt::Std;
+
+$ENV{'PATH'} = "/bin:/usr/bin:/usr/local/sbin";
+
+my($req_file, $req_name, $req_path, $req_filter);
+my($trace_number, $trace_pid, $trace_path, $trace_filter);
+
+getopts('kqPF') or die __FILE__, " [-kqPF] [<path>]<name> [<filter>]\n";
+$req_file = shift or die "missing argument: <name>\n",
+                         __FILE__, " [-kqPF] [<path>]<name> [<filter>]\n";
+($req_name, $req_path) = fileparse($req_file);
+if ($req_name ne $req_file) {
+  chdir $req_path;
+  $req_path = cwd."/";
+} else {
+  $req_path = "";
+}
+$req_filter = join " ", @ARGV;
+
+($trace_number, $trace_pid, $trace_path, $trace_filter) = scan_ps($req_name);
+
+if ($trace_number) {
+  if ($opt_k) {
+    kill('TERM', $trace_pid) or
+      die __FILE__, ": couldn't kill ", $trace_pid, "\n";
+    $opt_q or print STDERR "killed ", $trace_pid, "\n";
+    exit;
+  }
+  $req_path = $trace_path unless ($req_path);
+  if ($req_path ne $trace_path) {
+    if ($opt_P) {
+      $opt_q or print STDERR "changing path from: ", $trace_path,
+                             "\nto: ", $req_path, "\n";
+    } else {
+      die __FILE__, ": paths don't match\n",
+          $req_path, " != ", $trace_path, "\n";
+    }
+  }
+  $req_filter = $trace_filter unless ($req_filter);
+  if ($req_filter ne $trace_filter) {
+    if ($opt_F) {
+      $opt_q or print STDERR "changing filter from:\n", $trace_filter,
+                             "\nto:\n", $req_filter, "\n";
+    } else {
+      die __FILE__, ": filters don't match\n",
+          $req_filter, "\n!=\n", $trace_filter, "\n";
+    }
+  }
+  start_trace($req_path, $req_name, ++$trace_number, $req_filter);
+  kill('TERM', $trace_pid) or
+    die __FILE__, ": couldn't kill ", $trace_pid, "\n";
+} else {
+  die __FILE__, ": no such trace as ", $req_name, "\n" if ($opt_k);
+  $req_path = cwd."/" unless ($req_path);
+  $req_filter or die __FILE__, ": no filter specified\n";
+  start_trace($req_path, $req_name, 1, $req_filter);
+}
+
+# scan_ps <trace name>
+#   returns (<trace number>, <trace PID>, <trace path>, <trace filter>)
+#
+#   runs ps looking for a trace running with the given name.  If none is
+#   found <trace number> returns 0.  Otherwise the process info is
+#   returned.  If mor than one trace with the given name are found, the
+#   program terminates with an error.
+#
+sub scan_ps {
+  my($trace_name) = @_;
+
+  my($trace_number, $trace_filter, $trace_pid, $trace_path);
+  my($ps_pid, $ps_tt, $ps_stat, $ps_time,
+     $ps_cmd, $ps_cmd1, $ps_cmd2, $ps_cmd3, $ps_cmd4, $ps_filter);
+  my($ps_name, $ps_path, $ps_suffix);
+  
+  open PS, "ps -axww |" or die __FILE__, ": can't run ps\n";
+  while (<PS>) {
+    ($ps_pid, $ps_tt, $ps_stat, $ps_time,
+     $ps_cmd, $ps_cmd1, $ps_cmd2, $ps_cmd3, $ps_cmd4, $ps_cmd5, $ps_cmd6, $ps_filter) =
+       split(" ", $_, 12);
+    if ($ps_cmd eq "tcpdump" && $ps_cmd3 eq "-w" &&
+        $ps_cmd5 eq "-s" && $ps_cmd6 == "8192") {
+      $ps_cmd6 = 0;
+      ($ps_name, $ps_path, $ps_suffix) = fileparse($ps_cmd4, '-\d+\.trace');
+      if ($ps_name eq $trace_name && $ps_suffix =~ /-(\d+)\.trace/) {
+        if ($trace_pid) {
+          die __FILE__, ": more than one $trace_name trace running\n";
+        }
+        $trace_number = $1;
+        $trace_filter = $ps_filter;
+        chomp $trace_filter;
+        $trace_pid = $ps_pid;
+        $trace_path = $ps_path;
+      }
+    }
+  }
+  return ($trace_number, $trace_pid, $trace_path, $trace_filter);
+}
+
+# start_trace <path>, <name>, <number>, <filter>
+#
+#   fork off a new process running this trace.  Nothing is returned.
+#   Any failure terminates the program.
+#
+sub start_trace {
+  my($path, $name, $number, $filter) = @_;
+
+  my($pid);
+
+  $number = next_file($path, $name, $number, ".trace", ".out");
+  $opt_q or print STDERR "starting ", $path.$name."-".$number, "\n";
+  if ($pid = fork) {
+    sleep 3;
+    unless ($opt_q) {
+      open OUTFILE, $path.$name."-".$number.".out" or
+        die __FILE__, ": no ", $path.$name."-".$number.".out\n";
+      print <OUTFILE>;
+      close OUTFILE;
+    }
+    return;
+  } elsif (defined $pid) {
+    exec "/bin/sh", "-c", "tcpdump -i em0 -w ".$path.$name."-".$number.".trace -s 8192 '".$filter.
+         "' > ".$path.$name."-".$number.".out 2>&1 &";
+    die __FILE__, ": couldn't exec\n";
+  } else {
+    die __FILE__, ": couldn't fork\n";
+  }
+}
+
+# next_file <path>, <name>, <number>, <suffix>...
+#   returns <number>
+#
+#   searches for a number (beginning with the target number) for which
+#   no files of the form <path><name>-<number><suffix> exists.
+#   As many suffixes as needed can be passed in.  The resulting number
+#   is returned.
+#
+sub next_file {
+  my($path, $name, $number, @suffixes) = @_;
+
+  ++$number until grep (-e $path.$name."-".$number.$_, @suffixes) == 0;
+  return $number;
+}
diff --git a/scripts/start-capture-all b/scripts/start-capture-all
new file mode 100755
index 0000000000..b45f23c078
--- /dev/null
+++ b/scripts/start-capture-all
@@ -0,0 +1,19 @@
+#!/bin/csh -f
+#
+# usage start-capture-all filename
+#
+#  e.g.: start-capture-all /usr/local/bro/bulk-trace/bulk
+#
+# this will generate a trace with file name filename-N
+#
+# note: if you run this script repeatedly with the same filename, 
+# spot-trace will kill the old instance, and start a new 
+# instance with file filename-N+1
+#
+
+# capture everything
+spot-trace $* all 'tcp and udp'
+
+# capture everything but HTTP
+#spot-trace $* all 'not tcp port 80'
+
diff --git a/shtool b/shtool
new file mode 100755
index 0000000000..4c1a7396fd
--- /dev/null
+++ b/shtool
@@ -0,0 +1,716 @@
+#!/bin/sh
+##
+##  GNU shtool -- The GNU Portable Shell Tool
+##  Copyright (c) 1994-2000 Ralf S. Engelschall <rse@engelschall.com>
+##
+##  See http://www.gnu.org/software/shtool/ for more information.
+##  See ftp://ftp.gnu.org/gnu/shtool/ for latest version.
+##
+##  Version 1.4.9 (16-Apr-2000)
+##  Ingredients: 3/17 available modules
+##
+
+##
+##  This program is free software; you can redistribute it and/or modify
+##  it under the terms of the GNU General Public License as published by
+##  the Free Software Foundation; either version 2 of the License, or
+##  (at your option) any later version.
+##
+##  This program is distributed in the hope that it will be useful,
+##  but WITHOUT ANY WARRANTY; without even the implied warranty of
+##  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+##  General Public License for more details.
+##
+##  You should have received a copy of the GNU General Public License
+##  along with this program; if not, write to the Free Software
+##  Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
+##  USA, or contact Ralf S. Engelschall <rse@engelschall.com>.
+##
+##  Notice: Given that you include this file verbatim into your own
+##  source tree, you are justified in saying that it remains separate
+##  from your package, and that this way you are simply just using GNU
+##  shtool. So, in this situation, there is no requirement that your
+##  package itself is licensed under the GNU General Public License in
+##  order to take advantage of GNU shtool.
+##
+
+##
+##  Usage: shtool [<options>] [<cmd-name> [<cmd-options>] [<cmd-args>]]
+##
+##  Available commands:
+##    echo       Print string with optional construct expansion
+##    install    Install a program, script or datafile
+##    mkdir      Make one or more directories
+##
+##  Not available commands (because module was not built-in):
+##    mdate      Pretty-print modification time of a file or dir
+##    table      Pretty-print a field-separated list as a table
+##    prop       Display progress with a running propeller
+##    move       Move files with simultaneous substitution
+##    mkln       Make link with calculation of relative paths
+##    mkshadow   Make a shadow tree through symbolic links
+##    fixperm    Fix file permissions inside a source tree
+##    tarball    Roll distribution tarballs
+##    guessos    Simple operating system guesser
+##    arx        Extended archive command
+##    slo        Separate linker options by library class
+##    scpp       Sharing C Pre-Processor
+##    version    Generate and maintain a version information file
+##    path       Deal with program paths
+##
+
+if [ $# -eq 0 ]; then
+    echo "$0:Error: invalid command line" 1>&2
+    echo "$0:Hint:  run \`$0 -h' for usage" 1>&2
+    exit 1
+fi
+if [ ".$1" = ".-h" -o ".$1" = ".--help" ]; then
+    echo "This is GNU shtool, version 1.4.9 (16-Apr-2000)"
+    echo "Copyright (c) 1994-2000 Ralf S. Engelschall <rse@engelschall.com>"
+    echo "Report bugs to <bug-shtool@gnu.org>"
+    echo ''
+    echo "Usage: shtool [<options>] [<cmd-name> [<cmd-options>] [<cmd-args>]]" 
+    echo ''
+    echo 'Available global <options>:'
+    echo '  -v, --version   display shtool version information'
+    echo '  -h, --help      display shtool usage help page (this one)'
+    echo '  -d, --debug     display shell trace information'
+    echo ''
+    echo 'Available <cmd-name> [<cmd-options>] [<cmd-args>]:'
+    echo '  echo     [-n] [-e] [<str> ...]'
+    echo '  install  [-v] [-t] [-c] [-C] [-s] [-m<mode>] [-o<owner>] [-g<group>]'
+    echo '           [-e<ext>] <file> <path>'
+    echo '  mkdir    [-t] [-f] [-p] [-m<mode>] <dir> [<dir> ...]'
+    echo ''
+    echo 'Not available <cmd-name> (because module was not built-in):'
+    echo '  mdate    [-n] [-z] [-s] [-d] [-f<str>] [-o<spec>] <path>'
+    echo '  table    [-F<sep>] [-w<width>] [-c<cols>] [-s<strip>] <str><sep><str>...'
+    echo '  prop     [-p<str>]'
+    echo '  move     [-v] [-t] [-e] [-p] <src-file> <dst-file>'
+    echo '  mkln     [-t] [-f] [-s] <src-path> [<src-path> ...] <dst-path>'
+    echo '  mkshadow [-v] [-t] [-a] <src-dir> <dst-dir>'
+    echo '  fixperm  [-v] [-t] <path> [<path> ...]'
+    echo '  tarball  [-t] [-v] [-o <tarball>] [-c <prog>] [-d <dir>] [-u'
+    echo '           <user>] [-g <group>] [-e <pattern>] <path> [<path> ...]'
+    echo '  guessos  '
+    echo '  arx      [-t] [-C<cmd>] <op> <archive> [<file> ...]'
+    echo '  slo      [-p<str>] -- -L<dir> -l<lib> [-L<dir> -l<lib> ...]'
+    echo '  scpp     [-v] [-p] [-f<filter>] [-o<ofile>] [-t<tfile>] [-M<mark>]'
+    echo '           [-D<dname>] [-C<cname>] <file> [<file> ...]'
+    echo '  version  [-l<lang>] [-n<name>] [-p<prefix>] [-s<version>] [-i<knob>]'
+    echo '           [-d<type>] <file>'
+    echo '  path     [-s] [-r] [-d] [-b] [-m] [-p<path>] <str> [<str> ...]'
+    echo ''
+    exit 0
+fi
+if [ ".$1" = ".-v" -o ".$1" = ."--version" ]; then
+    echo "GNU shtool 1.4.9 (16-Apr-2000)"
+    exit 0
+fi
+if [ ".$1" = ".-d" -o ".$1" = ."--debug" ]; then
+    shift
+    set -x
+fi
+name=`echo "$0" | sed -e 's;.*/\([^/]*\)$;\1;' -e 's;-sh$;;' -e 's;\.sh$;;'`
+case "$name" in
+    echo|install|mkdir )
+        #   implicit tool command selection
+        tool="$name"
+        ;;
+    * )
+        #   explicit tool command selection
+        tool="$1"
+        shift
+        ;;
+esac
+arg_spec=""
+opt_spec=""
+gen_tmpfile=no
+
+##
+##  DISPATCH INTO SCRIPT PROLOG
+##
+
+case $tool in
+    echo )
+        str_tool="echo"
+        str_usage="[-n] [-e] [<str> ...]"
+        arg_spec="0+"
+        opt_spec="n.e."
+        opt_n=no
+        opt_e=no
+        ;;
+    install )
+        str_tool="install"
+        str_usage="[-v] [-t] [-c] [-C] [-s] [-m<mode>] [-o<owner>] [-g<group>] [-e<ext>] <file> <path>"
+        arg_spec="2="
+        opt_spec="v.t.c.C.s.m:o:g:e:"
+        opt_v=no
+        opt_t=no
+        opt_c=no
+        opt_C=no
+        opt_s=no
+        opt_m=""
+        opt_o=""
+        opt_g=""
+        opt_e=""
+        ;;
+    mkdir )
+        str_tool="mkdir"
+        str_usage="[-t] [-f] [-p] [-m<mode>] <dir> [<dir> ...]"
+        arg_spec="1+"
+        opt_spec="t.f.p.m:"
+        opt_t=no
+        opt_f=no
+        opt_p=no
+        opt_m=""
+        ;;
+    -* )
+        echo "$0:Error: unknown option \`$tool'" 2>&1
+        echo "$0:Hint:  run \`$0 -h' for usage" 2>&1
+        exit 1
+        ;;
+    * )
+        echo "$0:Error: unknown command \`$tool'" 2>&1
+        echo "$0:Hint:  run \`$0 -h' for usage" 2>&1
+        exit 1
+        ;;
+esac
+
+##
+##  COMMON UTILITY CODE
+##
+
+#   determine name of tool
+if [ ".$tool" != . ]; then
+    #   used inside shtool script
+    toolcmd="$0 $tool"
+    toolcmdhelp="shtool $tool"
+    msgprefix="shtool:$tool"
+else
+    #   used as standalone script
+    toolcmd="$0"
+    toolcmdhelp="sh $0"
+    msgprefix="$str_tool"
+fi
+
+#   parse argument specification string
+eval `echo $arg_spec |\
+      sed -e 's/^\([0-9]*\)\([+=]\)/arg_NUMS=\1; arg_MODE=\2/'`
+
+#   parse option specification string
+eval `echo h.$opt_spec |\
+      sed -e 's/\([a-zA-Z0-9]\)\([.:+]\)/opt_MODE_\1=\2;/g'`
+
+#   interate over argument line
+opt_PREV=''
+while [ $# -gt 0 ]; do
+    #   special option stops processing
+    if [ ".$1" = ".--" ]; then
+        shift
+        break
+    fi
+
+    #   determine option and argument
+    opt_ARG_OK=no
+    if [ ".$opt_PREV" != . ]; then
+        #   merge previous seen option with argument
+        opt_OPT="$opt_PREV"
+        opt_ARG="$1"
+        opt_ARG_OK=yes
+        opt_PREV=''
+    else
+        #   split argument into option and argument
+        case "$1" in
+            -[a-zA-Z0-9]*)
+                eval `echo "x$1" |\
+                      sed -e 's/^x-\([a-zA-Z0-9]\)/opt_OPT="\1";/' \
+                          -e 's/";\(.*\)$/"; opt_ARG="\1"/'`
+                ;;
+            -[a-zA-Z0-9])
+                opt_OPT=`echo "x$1" | cut -c3-`
+                opt_ARG=''
+                ;;
+            *)
+                break
+                ;;
+        esac
+    fi
+
+    #   eat up option
+    shift
+
+    #   determine whether option needs an argument
+    eval "opt_MODE=\$opt_MODE_${opt_OPT}"
+    if [ ".$opt_ARG" = . -a ".$opt_ARG_OK" != .yes ]; then
+        if [ ".$opt_MODE" = ".:" -o ".$opt_MODE" = ".+" ]; then
+            opt_PREV="$opt_OPT"
+            continue
+        fi
+    fi
+
+    #   process option
+    case $opt_MODE in
+        '.' )
+            #   boolean option
+            eval "opt_${opt_OPT}=yes"
+            ;;
+        ':' )
+            #   option with argument (multiple occurances override)
+            eval "opt_${opt_OPT}=\"\$opt_ARG\""
+            ;;
+        '+' )
+            #   option with argument (multiple occurances append)
+            eval "opt_${opt_OPT}=\"\$opt_${opt_OPT} \$opt_ARG\""
+            ;;
+        * )
+            echo "$msgprefix:Error: unknown option: \`-$opt_OPT'" 1>&2
+            echo "$msgprefix:Hint:  run \`$toolcmdhelp -h' or \`man shtool' for details" 1>&2
+            exit 1
+            ;;
+    esac
+done
+if [ ".$opt_PREV" != . ]; then
+    echo "$msgprefix:Error: missing argument to option \`-$opt_PREV'" 1>&2
+    echo "$msgprefix:Hint:  run \`$toolcmdhelp -h' or \`man shtool' for details" 1>&2
+    exit 1
+fi
+
+#   process help option
+if [ ".$opt_h" = .yes ]; then
+    echo "Usage: $toolcmdhelp $str_usage"
+    exit 0
+fi
+
+#   complain about incorrect number of arguments
+case $arg_MODE in
+    '=' )
+        if [ $# -ne $arg_NUMS ]; then
+            echo "$msgprefix:Error: invalid number of arguments (exactly $arg_NUMS expected)" 1>&2
+            echo "$msgprefix:Hint:  run \`$toolcmd -h' or \`man shtool' for details" 1>&2
+            exit 1
+        fi
+        ;;
+    '+' )
+        if [ $# -lt $arg_NUMS ]; then
+            echo "$msgprefix:Error: invalid number of arguments (at least $arg_NUMS expected)" 1>&2
+            echo "$msgprefix:Hint:  run \`$toolcmd -h' or \`man shtool' for details" 1>&2
+            exit 1
+        fi
+        ;;
+esac
+
+#   establish a temporary file on request
+if [ ".$gen_tmpfile" = .yes ]; then
+    if [ ".$TMPDIR" != . ]; then
+        tmpdir="$TMPDIR"
+    elif [ ".$TEMPDIR" != . ]; then
+        tmpdir="$TEMPDIR"
+    else
+        tmpdir="/tmp"
+    fi
+    tmpfile="$tmpdir/.shtool.$$"
+    rm -f $tmpfile >/dev/null 2>&1
+    touch $tmpfile
+fi
+
+##
+##  DISPATCH INTO SCRIPT BODY
+##
+
+case $tool in
+
+echo )
+    ##
+    ##  echo -- Print string with optional construct expansion
+    ##  Copyright (c) 1998-2000 Ralf S. Engelschall <rse@engelschall.com>
+    ##  Originally written for WML as buildinfo
+    ##
+    
+    text="$*"
+    
+    #   check for broken escape sequence expansion
+    seo=''
+    bytes=`echo '\1' | wc -c | awk '{ printf("%s", $1); }'`
+    if [ ".$bytes" != .3 ]; then
+        bytes=`echo -E '\1' | wc -c | awk '{ printf("%s", $1); }'`
+        if [ ".$bytes" = .3 ]; then
+            seo='-E'
+        fi
+    fi
+    
+    #   check for existing -n option (to suppress newline)
+    minusn=''
+    bytes=`echo -n 123 2>/dev/null | wc -c | awk '{ printf("%s", $1); }'`
+    if [ ".$bytes" = .3 ]; then
+        minusn='-n'
+    fi
+    
+    #   determine terminal bold sequence
+    term_bold='' 
+    term_norm=''
+    if [ ".$opt_e" = .yes -a ".`echo $text | egrep '%[Bb]'`" != . ]; then
+        case $TERM in
+            #   for the most important terminal types we directly know the sequences
+            xterm|xterm*|vt220|vt220*)
+                term_bold=`awk 'BEGIN { printf("%c%c%c%c", 27, 91, 49, 109); }' </dev/null 2>/dev/null`
+                term_norm=`awk 'BEGIN { printf("%c%c%c", 27, 91, 109); }' </dev/null 2>/dev/null`
+                ;;
+            vt100|vt100*)
+                term_bold=`awk 'BEGIN { printf("%c%c%c%c%c%c", 27, 91, 49, 109, 0, 0); }' </dev/null 2>/dev/null`
+                term_norm=`awk 'BEGIN { printf("%c%c%c%c%c", 27, 91, 109, 0, 0); }' </dev/null 2>/dev/null`
+                ;;
+            #   for all others, we try to use a possibly existing `tput' or `tcout' utility
+            * )
+                paths=`echo $PATH | sed -e 's/:/ /g'`
+                for tool in tput tcout; do
+                    for dir in $paths; do
+                        if [ -r "$dir/$tool" ]; then
+                            for seq in bold md smso; do # 'smso' is last
+                                bold="`$dir/$tool $seq 2>/dev/null`"
+                                if [ ".$bold" != . ]; then
+                                    term_bold="$bold"
+                                    break
+                                fi
+                            done
+                            if [ ".$term_bold" != . ]; then
+                                for seq in sgr0 me rmso reset; do # 'reset' is last
+                                    norm="`$dir/$tool $seq 2>/dev/null`"
+                                    if [ ".$norm" != . ]; then
+                                        term_norm="$norm"
+                                        break
+                                    fi
+                                done
+                            fi
+                            break
+                        fi
+                    done
+                    if [ ".$term_bold" != . -a ".$term_norm" != . ]; then
+                        break;
+                    fi
+                done
+                ;;
+        esac
+        if [ ".$term_bold" = . -o ".$term_norm" = . ]; then
+            echo "$msgprefix:Warning: unable to determine terminal sequence for bold mode" 1>&2
+        fi
+    fi
+    
+    #   determine user name
+    username=''
+    if [ ".$opt_e" = .yes -a ".`echo $text | egrep '%[uU]'`" != . ]; then
+        username="$LOGNAME"
+        if [ ".$username" = . ]; then
+            username="$USER"
+            if [ ".$username" = . ]; then
+                username="`(whoami) 2>/dev/null |\
+                           awk '{ printf("%s", $1); }'`"
+                if [ ".$username" = . ]; then
+                    username="`(who am i) 2>/dev/null |\
+                               awk '{ printf("%s", $1); }'`"
+                    if [ ".$username" = . ]; then
+                        username='unknown'
+                    fi
+                fi
+            fi
+        fi
+    fi
+    
+    #   determine user id
+    userid=''
+    if [ ".$opt_e" = .yes -a ".`echo $text | egrep '%U'`" != . ]; then
+        userid="`(id -u) 2>/dev/null`"
+        if [ ".$userid" = . ]; then
+            str="`(id) 2>/dev/null`"
+            if [ ".`echo $str | grep '^uid[ 	]*=[ 	]*[0-9]*('`" != . ]; then
+                userid=`echo $str | sed -e 's/^uid[ 	]*=[ 	]*//' -e 's/(.*//'`
+            fi
+            if [ ".$userid" = . ]; then
+                userid=`egrep "^${username}:" /etc/passwd 2>/dev/null | \
+                        sed -e 's/[^:]*:[^:]*://' -e 's/:.*$//'`
+                if [ ".$userid" = . ]; then
+                    userid=`(ypcat passwd) 2>/dev/null |
+                            egrep "^${username}:" | \
+                            sed -e 's/[^:]*:[^:]*://' -e 's/:.*$//'`
+                    if [ ".$userid" = . ]; then
+                        userid='?'
+                    fi
+                fi
+            fi
+        fi
+    fi
+    
+    #   determine host name
+    hostname=''
+    if [ ".$opt_e" = .yes -a ".`echo $text | egrep '%h'`" != . ]; then
+        hostname="`(uname -n) 2>/dev/null |\
+                   awk '{ printf("%s", $1); }'`"
+        if [ ".$hostname" = . ]; then
+            hostname="`(hostname) 2>/dev/null |\
+                       awk '{ printf("%s", $1); }'`"
+            if [ ".$hostname" = . ]; then
+                hostname='unknown'
+            fi
+        fi
+        case $hostname in
+            *.* )
+                domainname=".`echo $hostname | cut -d. -f2-`"
+                hostname="`echo $hostname | cut -d. -f1`"
+                ;;
+        esac
+    fi
+    
+    #   determine domain name
+    domainname=''
+    if [ ".$opt_e" = .yes -a ".`echo $text | egrep '%d'`" != . ]; then
+        if [ ".$domainname" = . ]; then
+            if [ -f /etc/resolv.conf ]; then
+                domainname="`egrep '^[ 	]*domain' /etc/resolv.conf | head -1 |\
+                             sed -e 's/.*domain//' \
+                                 -e 's/^[ 	]*//' -e 's/^ *//' -e 's/^	*//' \
+                                 -e 's/^\.//' -e 's/^/./' |\
+                             awk '{ printf("%s", $1); }'`"
+                if [ ".$domainname" = . ]; then
+                    domainname="`egrep '^[ 	]*search' /etc/resolv.conf | head -1 |\
+                                 sed -e 's/.*search//' \
+                                     -e 's/^[ 	]*//' -e 's/^ *//' -e 's/^	*//' \
+                                     -e 's/ .*//' -e 's/	.*//' \
+                                     -e 's/^\.//' -e 's/^/./' |\
+                                 awk '{ printf("%s", $1); }'`"
+                fi
+            fi
+        fi
+    fi
+    
+    #   determine current time
+    time_day=''
+    time_month=''
+    time_year=''
+    time_monthname=''
+    if [ ".$opt_e" = .yes -a ".`echo $text | egrep '%[DMYm]'`" != . ]; then
+        time_day=`date '+%d'`
+        time_month=`date '+%m'`
+        time_year=`date '+%Y' 2>/dev/null`
+        if [ ".$time_year" = . ]; then
+            time_year=`date '+%y'`
+            case $time_year in
+                [5-9][0-9]) time_year="19$time_year" ;;
+                [0-4][0-9]) time_year="20$time_year" ;;
+            esac
+        fi
+        case $time_month in
+            1|01) time_monthname='Jan' ;;
+            2|02) time_monthname='Feb' ;;
+            3|03) time_monthname='Mar' ;;
+            4|04) time_monthname='Apr' ;;
+            5|05) time_monthname='May' ;;
+            6|06) time_monthname='Jun' ;;
+            7|07) time_monthname='Jul' ;;
+            8|08) time_monthname='Aug' ;;
+            9|09) time_monthname='Sep' ;;
+              10) time_monthname='Oct' ;;
+              11) time_monthname='Nov' ;;
+              12) time_monthname='Dec' ;;
+        esac
+    fi
+    
+    #   expand special ``%x'' constructs
+    if [ ".$opt_e" = .yes ]; then
+        text=`echo $seo "$text" |\
+              sed -e "s/%B/${term_bold}/g" \
+                  -e "s/%b/${term_norm}/g" \
+                  -e "s/%u/${username}/g" \
+                  -e "s/%U/${userid}/g" \
+                  -e "s/%h/${hostname}/g" \
+                  -e "s/%d/${domainname}/g" \
+                  -e "s/%D/${time_day}/g" \
+                  -e "s/%M/${time_month}/g" \
+                  -e "s/%Y/${time_year}/g" \
+                  -e "s/%m/${time_monthname}/g" 2>/dev/null`
+    fi
+    
+    #   create output
+    if [ .$opt_n = .no ]; then
+        echo $seo "$text"
+    else
+        #   the harder part: echo -n is best, because
+        #   awk may complain about some \xx sequences.
+        if [ ".$minusn" != . ]; then
+            echo $seo $minusn "$text"
+        else
+            echo dummy | awk '{ printf("%s", TEXT); }' TEXT="$text"
+        fi
+    fi
+    ;;
+
+install )
+    ##
+    ##  install -- Install a program, script or datafile
+    ##  Copyright (c) 1997-2000 Ralf S. Engelschall <rse@engelschall.com>
+    ##  Originally written for shtool
+    ##
+    
+    src="$1"
+    dst="$2"
+    
+    #  If destination is a directory, append the input filename
+    if [ -d $dst ]; then
+        dst=`echo "$dst" | sed -e 's:/$::'`
+        dstfile=`echo "$src" | sed -e 's;.*/\([^/]*\)$;\1;'`
+        dst="$dst/$dstfile"
+    fi
+    
+    #  Add a possible extension to src and dst
+    if [ ".$opt_e" != . ]; then
+        src="$src$opt_e"
+        dst="$dst$opt_e"
+    fi
+    
+    #  Check for correct arguments
+    if [ ".$src" = ".$dst" ]; then
+        echo "$msgprefix:Error: source and destination are the same" 1>&2
+        exit 1
+    fi
+    
+    #  Make a temp file name in the destination directory
+    dstdir=`echo $dst | sed -e 's;[^/]*$;;' -e 's;\(.\)/$;\1;' -e 's;^$;.;'`
+    dsttmp="$dstdir/#INST@$$#"
+    
+    #  Verbosity
+    if [ ".$opt_v" = .yes ]; then
+        echo "$src -> $dst" 1>&2
+    fi
+    
+    #  Copy or move the file name to the temp name
+    #  (because we might be not allowed to change the source)
+    if [ ".$opt_C" = .yes ]; then
+        opt_c=yes
+    fi
+    if [ ".$opt_c" = .yes ]; then
+        if [ ".$opt_t" = .yes ]; then
+            echo "cp $src $dsttmp" 1>&2
+        fi
+        cp $src $dsttmp || exit $?
+    else
+        if [ ".$opt_t" = .yes ]; then
+            echo "mv $src $dsttmp" 1>&2
+        fi
+        mv $src $dsttmp || exit $?
+    fi
+    
+    #  Adjust the target file
+    #  (we do chmod last to preserve setuid bits)
+    if [ ".$opt_s" = .yes ]; then
+        if [ ".$opt_t" = .yes ]; then
+            echo "strip $dsttmp" 1>&2
+        fi
+        strip $dsttmp || exit $?
+    fi
+    if [ ".$opt_o" != . ]; then
+        if [ ".$opt_t" = .yes ]; then
+            echo "chown $opt_o $dsttmp" 1>&2
+        fi
+        chown $opt_o $dsttmp || exit $?
+    fi
+    if [ ".$opt_g" != . ]; then
+        if [ ".$opt_t" = .yes ]; then
+            echo "chgrp $opt_g $dsttmp" 1>&2
+        fi
+        chgrp $opt_g $dsttmp || exit $?
+    fi
+    if [ ".$opt_m" != . ]; then
+        if [ ".$opt_t" = .yes ]; then
+            echo "chmod $opt_m $dsttmp" 1>&2
+        fi
+        chmod $opt_m $dsttmp || exit $?
+    fi
+    
+    #   Determine whether to do a quick install
+    #   (has to be done _after_ the strip was already done)
+    quick=no
+    if [ ".$opt_C" = .yes ]; then
+        if [ -r $dst ]; then
+            if cmp -s $src $dst; then
+                quick=yes
+            fi
+        fi
+    fi
+    
+    #   Finally install the file to the real destination
+    if [ $quick = yes ]; then
+        if [ ".$opt_t" = .yes ]; then
+            echo "rm -f $dsttmp" 1>&2
+        fi
+        rm -f $dsttmp
+    else
+        if [ ".$opt_t" = .yes ]; then
+            echo "rm -f $dst && mv $dsttmp $dst" 1>&2
+        fi
+        rm -f $dst && mv $dsttmp $dst
+    fi
+    ;;
+
+mkdir )
+    ##
+    ##  mkdir -- Make one or more directories
+    ##  Copyright (c) 1996-2000 Ralf S. Engelschall <rse@engelschall.com>
+    ##  Originally written for public domain by Noah Friedman <friedman@prep.ai.mit.edu>
+    ##  Cleaned up and enhanced for shtool
+    ##
+    
+    errstatus=0
+    for p in ${1+"$@"}; do
+        #   if the directory already exists...
+        if [ -d "$p" ]; then
+            if [ ".$opt_f" = .no ] && [ ".$opt_p" = .no ]; then
+                echo "$msgprefix:Error: directory already exists: $p" 1>&2
+                errstatus=1
+                break
+            else
+                continue
+            fi
+        fi
+        #   if the directory has to be created...
+        if [ ".$opt_p" = .no ]; then
+            if [ ".$opt_t" = .yes ]; then
+                echo "mkdir $p" 1>&2
+            fi
+            mkdir $p || errstatus=$?
+        else
+            #   the smart situation
+            set fnord `echo ":$p" |\
+                       sed -e 's/^:\//%/' \
+                           -e 's/^://' \
+                           -e 's/\// /g' \
+                           -e 's/^%/\//'`
+            shift
+            pathcomp=''
+            for d in ${1+"$@"}; do
+                pathcomp="$pathcomp$d"
+                case "$pathcomp" in
+                    -* ) pathcomp="./$pathcomp" ;;
+                esac
+                if [ ! -d "$pathcomp" ]; then
+                    if [ ".$opt_t" = .yes ]; then
+                        echo "mkdir $pathcomp" 1>&2
+                    fi
+                    mkdir $pathcomp || errstatus=$?
+                    if [ ".$opt_m" != . ]; then
+                        if [ ".$opt_t" = .yes ]; then
+                            echo "chmod $opt_m $pathcomp" 1>&2
+                        fi
+                        chmod $opt_m $pathcomp || errstatus=$?
+                    fi
+                fi
+                pathcomp="$pathcomp/"
+            done
+        fi
+    done
+    exit $errstatus
+    ;;
+
+esac
+
+exit 0
+
+##EOF##
diff --git a/src/ARP.cc b/src/ARP.cc
new file mode 100644
index 0000000000..42b9d0e6f8
--- /dev/null
+++ b/src/ARP.cc
@@ -0,0 +1,263 @@
+// $Id: ARP.cc 6219 2008-10-01 05:39:07Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+
+#include "ARP.h"
+#include "Event.h"
+
+
+ARP_Analyzer::ARP_Analyzer()
+	{
+	bad_arp = internal_handler("bad_arp");
+	arp_request = internal_handler("arp_request");
+	arp_reply = internal_handler("arp_reply");
+	}
+
+ARP_Analyzer::~ARP_Analyzer()
+	{
+	}
+
+bool ARP_Analyzer::IsARP(const u_char* pkt, int hdr_size) const
+	{
+	unsigned short network_protocol =
+		*(unsigned short*) (pkt + hdr_size - 2);
+
+	switch ( ntohs(network_protocol) ) {
+	case ETHERTYPE_ARP:
+	case ETHERTYPE_REVARP:
+		return true;
+	default:
+		return false;
+	}
+	}
+
+
+// Argh! FreeBSD and Linux have almost completely different net/if_arp.h .
+// ... and on Solaris we are missing half of the ARPOP codes, so define
+// them here as necessary:
+
+#ifndef ARPOP_REQUEST
+#define ARPOP_REQUEST    1 // ARP request.
+#endif
+#ifndef ARPOP_REPLY
+#define ARPOP_REPLY      2 // ARP reply.
+#endif
+#ifndef ARPOP_PREQUEST
+#define ARPOP_RREQUEST   3 // RARP request.
+#endif
+#ifndef ARPOP_RREPLY
+#define ARPOP_RREPLY     4 // RARP reply.
+#endif
+#ifndef ARPOP_InREQUEST
+#define ARPOP_InREQUEST  8 // InARP request.
+#endif
+#ifndef ARPOP_InREPLY
+#define ARPOP_InREPLY    9 // InARP reply.
+#endif
+#ifndef ARPOP_NAK
+#define ARPOP_NAK       10 // (ATM)ARP NAK.
+#endif
+
+#ifndef ar_sha
+#define ar_sha(ap)  ((caddr_t((ap)+1)) + 0)
+#endif
+
+#ifndef ar_spa
+#define ar_spa(ap)  ((caddr_t((ap)+1)) + (ap)->ar_hln)
+#endif
+
+#ifndef ar_tha
+#define ar_tha(ap)  ((caddr_t((ap)+1)) + (ap)->ar_hln + (ap)->ar_pln)
+#endif
+
+#ifndef ar_tpa
+#define ar_tpa(ap)  ((caddr_t((ap)+1)) + 2*(ap)->ar_hln + (ap)->ar_pln)
+#endif
+
+#ifndef ARPOP_REVREQUEST
+#define ARPOP_REVREQUEST ARPOP_RREQUEST
+#endif
+
+#ifndef ARPOP_REVREPLY
+#define ARPOP_REVREPLY ARPOP_RREPLY
+#endif
+
+#ifndef ARPOP_INVREQUEST
+#define ARPOP_INVREQUEST ARPOP_InREQUEST
+#endif
+
+#ifndef ARPOP_INVREPLY
+#define ARPOP_INVREPLY ARPOP_InREPLY
+#endif
+
+
+void ARP_Analyzer::NextPacket(double t, const struct pcap_pkthdr* hdr,
+				const u_char* const pkt, int hdr_size)
+	{
+	// Check whether the packet is OK ("inspired" in tcpdump's print-arp.c).
+	const struct arp_pkthdr* ah =
+		(const struct arp_pkthdr*) (pkt + hdr_size);
+
+	// Check the size.
+	int min_length = (ar_tpa(ah) - (char*) (pkt + hdr_size)) + ah->ar_pln;
+	int real_length = hdr->caplen - hdr_size;
+	if ( min_length > real_length )
+		{
+		Corrupted("truncated_ARP");
+		return;
+		}
+
+	char errbuf[1024];
+
+	// Check the address description fields.
+	switch ( ntohs(ah->ar_hrd) ) {
+	case ARPHRD_ETHER:
+		if ( ah->ar_hln != 6 )
+			{ // don't know how to handle the opcode
+			snprintf(errbuf, sizeof(errbuf),
+					"corrupt-arp-header (hrd=%i, hln=%i)",
+					ntohs(ah->ar_hrd), ah->ar_hln);
+			BadARP(ah, errbuf);
+			return;
+			}
+		break;
+
+	default:
+		{ // don't know how to proceed
+		snprintf(errbuf, sizeof(errbuf),
+			"unknown-arp-hw-address (hrd=%i)", ntohs(ah->ar_hrd));
+		BadARP(ah, errbuf);
+		return;
+		}
+	}
+
+	// ### Note, we don't support IPv6 addresses yet.
+	switch ( ntohs(ah->ar_pro) ) {
+	case ETHERTYPE_IP:
+		if ( ah->ar_pln != 4 )
+			{ // don't know how to handle the opcode
+			snprintf(errbuf, sizeof(errbuf),
+					"corrupt-arp-header (pro=%i, pln=%i)",
+					ntohs(ah->ar_pro), ah->ar_pln);
+			BadARP(ah, errbuf);
+			return;
+			}
+		break;
+
+	default:
+		{ // don't know how to proceed
+		snprintf(errbuf, sizeof(errbuf),
+				"unknown-arp-proto-address (pro=%i)",
+				ntohs(ah->ar_pro));
+		BadARP(ah, errbuf);
+		return;
+		}
+	}
+
+
+	// Check MAC src address = ARP sender MAC address.
+	if ( memcmp((const char*) (pkt+6), ar_sha(ah), ah->ar_hln) )
+		{
+		BadARP(ah, "weird-arp-sha");
+		return;
+		}
+
+	// Check the code is supported.
+	switch ( ntohs(ah->ar_op) ) {
+	case ARPOP_REQUEST:
+		RREvent(arp_request, pkt+6, pkt,
+				ar_spa(ah), ar_sha(ah), ar_tpa(ah), ar_tha(ah));
+		break;
+
+	case ARPOP_REPLY:
+		RREvent(arp_reply, pkt+6, pkt,
+				ar_spa(ah), ar_sha(ah), ar_tpa(ah), ar_tha(ah));
+		break;
+
+	case ARPOP_REVREQUEST:
+	case ARPOP_REVREPLY:
+	case ARPOP_INVREQUEST:
+	case ARPOP_INVREPLY:
+		{ // don't know how to handle the opcode
+		snprintf(errbuf, sizeof(errbuf),
+			"unimplemented-arp-opcode (%i)", ntohs(ah->ar_op));
+		BadARP(ah, errbuf);
+		break;
+		}
+
+	default:
+		{ // invalid opcode
+		snprintf(errbuf, sizeof(errbuf),
+			"invalid-arp-opcode (opcode=%i)", ntohs(ah->ar_op));
+		BadARP(ah, errbuf);
+		return;
+		}
+	}
+	}
+
+void ARP_Analyzer::Describe(ODesc* d) const
+	{
+	d->Add("<ARP analyzer>");
+	d->NL();
+	}
+
+void ARP_Analyzer::BadARP(const struct arp_pkthdr* hdr, const char* msg)
+	{
+	if ( ! bad_arp )
+		return;
+
+	val_list* vl = new val_list;
+	vl->append(ConstructAddrVal(ar_spa(hdr)));
+	vl->append(EthAddrToStr((const u_char*) ar_sha(hdr)));
+	vl->append(ConstructAddrVal(ar_tpa(hdr)));
+	vl->append(EthAddrToStr((const u_char*) ar_tha(hdr)));
+	vl->append(new StringVal(msg));
+	mgr.QueueEvent(bad_arp, vl);
+	}
+
+void ARP_Analyzer::Corrupted(const char* msg)
+	{
+	if ( ! net_weird )
+		return;
+
+	val_list* vl = new val_list;
+	vl->append(new StringVal(msg));
+	mgr.QueueEvent(net_weird, vl);
+	}
+
+void ARP_Analyzer::RREvent(EventHandlerPtr e,
+				const u_char* src, const u_char *dst,
+				const char* spa, const char* sha,
+				const char* tpa, const char* tha)
+	{
+	if ( ! e )
+		return;
+
+	// init the val_list
+	val_list* vl = new val_list;
+
+	// prepare the event arguments
+	vl->append(EthAddrToStr(src));
+	vl->append(EthAddrToStr(dst));
+	vl->append(ConstructAddrVal(spa));
+	vl->append(EthAddrToStr((const u_char*) sha));
+	vl->append(ConstructAddrVal(tpa));
+	vl->append(EthAddrToStr((const u_char*) tha));
+
+	mgr.QueueEvent(e, vl);
+	}
+
+AddrVal* ARP_Analyzer::ConstructAddrVal(const void* addr)
+	{
+	// ### For now, we only handle IPv4 addresses.
+	return new AddrVal(*(const uint32*) addr);
+	}
+
+StringVal* ARP_Analyzer::EthAddrToStr(const u_char* addr)
+	{
+	char buf[1024];
+	snprintf(buf, sizeof(buf), "%02x:%02x:%02x:%02x:%02x:%02x",
+			addr[0], addr[1], addr[2], addr[3], addr[4], addr[5]);
+	return new StringVal(buf);
+	}
diff --git a/src/ARP.h b/src/ARP.h
new file mode 100644
index 0000000000..e815c038d9
--- /dev/null
+++ b/src/ARP.h
@@ -0,0 +1,55 @@
+// $Id: ARP.h 6219 2008-10-01 05:39:07Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#ifndef arp_h
+#define arp_h
+
+#include "config.h"
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <net/if.h>
+#include <net/if_arp.h>
+#ifdef HAVE_NET_ETHERNET_H
+#include <net/ethernet.h>
+#elif HAVE_SYS_ETHERNET_H
+#include <sys/ethernet.h>
+#elif HAVE_NETINET_IF_ETHER_H
+#include <netinet/if_ether.h>
+#endif
+
+#ifndef arp_pkthdr
+#define arp_pkthdr arphdr
+#endif
+
+#include "NetVar.h"
+
+
+class ARP_Analyzer : public BroObj {
+public:
+	ARP_Analyzer();
+	virtual ~ARP_Analyzer();
+
+	// Whether a packet is of interest for ARP analysis.
+	bool IsARP(const u_char* pkt, int hdr_size) const;
+
+	void NextPacket(double t, const struct pcap_pkthdr* hdr,
+			const u_char* const pkt, int hdr_size);
+
+	void Describe(ODesc* d) const;
+	void RREvent(EventHandlerPtr e, const u_char* src, const u_char* dst,
+			const char* spa, const char* sha,
+			const char* tpa, const char* tha);
+protected:
+	AddrVal* ConstructAddrVal(const void* addr);
+	StringVal* EthAddrToStr(const u_char* addr);
+	void BadARP(const struct arp_pkthdr* hdr, const char* string);
+	void Corrupted(const char* string);
+
+	EventHandlerPtr arp_corrupted_packet;
+	EventHandlerPtr arp_request;
+	EventHandlerPtr arp_reply;
+};
+
+#endif
diff --git a/src/Active.cc b/src/Active.cc
new file mode 100644
index 0000000000..c7193de089
--- /dev/null
+++ b/src/Active.cc
@@ -0,0 +1,218 @@
+// $Id: Active.cc 1282 2005-09-07 17:02:02Z vern $
+
+#include "config.h"
+
+#include <sys/types.h>
+#include <sys/socket.h>
+
+#include <netinet/in.h>
+
+#include <arpa/inet.h>
+
+#include <map>
+
+#include "Active.h"
+#include "util.h"
+#include "Dict.h"
+
+declare(PDict,string);
+typedef PDict(string) MachineMap;
+declare(PDict,MachineMap);
+typedef PDict(MachineMap) ActiveMap;
+declare(PDict,NumericData);
+typedef PDict(NumericData) ActiveMapNumeric;
+
+static ActiveMap active_map;
+static ActiveMapNumeric active_map_numeric;
+
+static MachineMap default_values;
+static NumericData default_values_numeric;
+
+static bool map_was_loaded = false;
+
+bool get_map_result(uint32 ip_addr, const char* key, string& result)
+	{
+	const MachineMap* machine_map;
+#ifndef ACTIVE_MAPPING
+	machine_map = &default_values;
+#else
+	HashKey machinekey(ip_addr);
+	machine_map = active_map.Lookup(&machinekey);
+
+	if ( ! machine_map )
+		machine_map = &default_values;
+#endif
+	HashKey mapkey(key);
+	string* entry = machine_map->Lookup(&mapkey);
+	if ( ! entry )
+		{
+		entry = default_values.Lookup(&mapkey);
+		}
+
+	if ( ! entry )
+		{
+		internal_error("Unknown active mapping entry requested: %s", key);
+		return false;
+		}
+
+	result = *entry;
+
+	return true;
+	}
+
+bool get_map_result(uint32 ip_addr, const NumericData*& result)
+	{
+#ifndef ACTIVE_MAPPING
+	result = &default_values_numeric;
+	return true;
+#endif
+	HashKey machinekey(&ip_addr, 1);
+	NumericData* entry = active_map_numeric.Lookup(&machinekey);
+
+	if ( ! entry )
+		result = &default_values_numeric;
+	else
+		result = entry;
+
+	return true;
+	}
+
+
+char* chop (char* s)
+	{
+	s[strlen(s) - 1] = 0;
+	return s;
+	}
+
+map < const char *, ReassemblyPolicy, ltstr > reassem_names;
+
+// Remember to index the table with IP address in network order!
+bool load_mapping_table(const char* map_file)
+	{
+	reassem_names["BSD"] = RP_BSD;
+	reassem_names["linux"] = RP_LINUX;
+	reassem_names["last"] = RP_LAST;
+	reassem_names["first"] = RP_FIRST;
+
+	// Default values are read in from AM file under IP address 0.0.0.0
+	default_values.Insert(new HashKey("accepts_rst_outside_window"),
+			      new string("no"));
+	default_values.Insert(new HashKey("accepts_rst_in_window"),
+			      new string("yes"));
+	default_values.Insert(new HashKey("accepts_rst_in_sequence"),
+			      new string("yes"));
+	default_values.Insert(new HashKey("mtu"),
+			      new string("0"));
+
+	default_values_numeric.path_MTU = 0;   // 0 = unknown
+	default_values_numeric.hops = 0;       // 0 = unknown;
+	default_values_numeric.ip_reassem = RP_UNKNOWN;
+	default_values_numeric.tcp_reassem = RP_UNKNOWN;
+	default_values_numeric.accepts_rst_in_window = true;
+	default_values_numeric.accepts_rst_outside_window = false;
+
+
+	if ( map_file && strlen(map_file) )
+		{
+		FILE* f = fopen(map_file, "r");
+		if ( ! f )
+			return false;
+
+		char buf[512];
+		if ( ! fgets(buf, sizeof(buf), f) )
+			error("Error reading mapping file.\n");
+
+		int num_fields = atoi(buf);
+
+		string* field_names = new string[num_fields];
+		for ( int i = 0; i < num_fields; ++i )
+			{
+			if ( ! fgets(buf, sizeof(buf), f) )
+				error("Error reading mapping file.\n");
+			field_names[i] = chop(buf);
+			}
+
+		if ( ! fgets(buf, sizeof(buf), f) )
+			error("Error reading mapping file.\n");
+
+		int num_machines = atoi(buf);
+
+		for ( int j = 0; j < num_machines; ++j )
+			{ // read ip address, parse it
+			if ( ! fgets(buf, sizeof(buf), f) )
+				error("Error reading mapping file.\n");
+
+			uint32 ip;
+			in_addr in;
+			if ( ! inet_aton(chop(buf), &in) )
+				error("Error reading mapping file.\n");
+
+			ip = in.s_addr;
+
+			MachineMap* newmap;
+			NumericData* newnumeric;
+
+			if ( ip ) // ip = 0.0.0.0 = default values
+				{
+				newmap = new MachineMap;
+				newnumeric = new NumericData;
+				}
+			else
+				{
+				newmap = &default_values;
+				newnumeric = &default_values_numeric;
+				}
+
+			for ( int i = 0; i < num_fields; ++i )
+				{
+				if ( ! fgets(buf, sizeof(buf), f) )
+					error("Error reading mapping file.\n");
+
+				string fname = field_names[i];
+
+				chop(buf);
+
+				// Don't try to parse an unknown value ("").
+				if ( streq(buf, "") )
+					continue;
+
+				HashKey mapkey(fname.c_str());
+				newmap->Insert(&mapkey, new string(buf));
+
+				if ( fname == "mtu" )
+					newnumeric->path_MTU = atoi(buf);
+
+				else if ( fname == "hops" )
+					newnumeric->hops = atoi(buf);
+
+				else if ( fname == "tcp_segment_overlap" )
+					newnumeric->tcp_reassem = reassem_names[buf];
+
+				else if ( fname == "overlap_policy" )
+					newnumeric->ip_reassem = reassem_names[buf];
+
+				else if ( fname == "accepts_rst_in_window" )
+					newnumeric->accepts_rst_in_window = streq(buf, "yes");
+
+				else if ( fname == "accepts_rst_outside_window" )
+					newnumeric->accepts_rst_outside_window = streq(buf, "yes");
+
+				else if ( fname == "accepts_rst_in_sequence" )
+					newnumeric->accepts_rst_in_sequence = streq(buf, "yes");
+
+				else
+					warn("unrecognized mapping file tag:", fname.c_str());
+				}
+
+			HashKey machinekey(&ip, 1);
+			active_map.Insert(&machinekey, newmap);
+			active_map_numeric.Insert(&machinekey, newnumeric);
+			}
+
+		delete [] field_names;
+		}
+
+	map_was_loaded = true;
+
+	return true;
+	}
diff --git a/src/Active.h b/src/Active.h
new file mode 100644
index 0000000000..72ea06c084
--- /dev/null
+++ b/src/Active.h
@@ -0,0 +1,44 @@
+// $Id: Active.h 80 2004-07-14 20:15:50Z jason $
+
+#ifndef active_h
+#define active_h
+
+#include <string>
+using namespace std;
+
+#include "util.h"
+
+enum ReassemblyPolicy {
+	RP_UNKNOWN,
+	RP_BSD,	// Left-trim to equal or lower offset frags
+	RP_LINUX,	// Left-trim to strictly lower offset frags
+	RP_FIRST,	// Accept only new (no previous value) octets
+	RP_LAST	// Accept all
+};
+
+struct NumericData {
+	ReassemblyPolicy ip_reassem;
+	ReassemblyPolicy tcp_reassem;
+	unsigned short path_MTU;	// 0 = unknown
+	unsigned char hops;	// 0 = unknown
+	bool accepts_rst_in_window;
+	bool accepts_rst_outside_window;
+	bool accepts_rst_in_sequence;
+};
+
+// Return value is whether or not there was a known result for that
+// machine (actually, IP address in network order); if not, a default
+// is returned. Note that the map data is a string in all cases: the
+// numeric form is more efficient and is to be preferred ordinarily.
+bool get_map_result(uint32 ip_addr, const char* key, string& result);
+
+// Basically a special case of get_map_result(), but returns numbers
+// directly for efficiency reasons, since these are frequently
+// looked up. ### Perhaps a better generic mechanism is in order.
+bool get_map_result(uint32 ip_addr, const NumericData*& result);
+
+// Reads in AM data from the specified file (basically [IP, policy] tuples)
+// Should be called at initialization time.
+bool load_mapping_table(const char* map_file);
+
+#endif
diff --git a/src/Analyzer.cc b/src/Analyzer.cc
new file mode 100644
index 0000000000..6ad1f7998f
--- /dev/null
+++ b/src/Analyzer.cc
@@ -0,0 +1,953 @@
+// $Id: Analyzer.cc,v 1.1.4.28 2006/06/01 17:18:10 sommer Exp $
+
+#include "Analyzer.h"
+#include "PIA.h"
+#include "Event.h"
+
+#include "BackDoor.h"
+#include "BitTorrent.h"
+#include "BitTorrentTracker.h"
+#include "Finger.h"
+#include "InterConn.h"
+#include "NTP.h"
+#include "HTTP.h"
+#include "HTTP-binpac.h"
+#include "ICMP.h"
+#include "SteppingStone.h"
+#include "IRC.h"
+#include "SMTP.h"
+#include "FTP.h"
+#include "FileAnalyzer.h"
+#include "DNS.h"
+#include "DNS-binpac.h"
+#include "DHCP-binpac.h"
+#include "Telnet.h"
+#include "Rlogin.h"
+#include "RSH.h"
+#include "DCE_RPC.h"
+#include "Gnutella.h"
+#include "Ident.h"
+#include "NCP.h"
+#include "NetbiosSSN.h"
+#include "SMB.h"
+#include "NFS.h"
+#include "Portmap.h"
+#include "POP3.h"
+#include "SSH.h"
+#include "SSLProxy.h"
+#include "SSL-binpac.h"
+
+// Keep same order here as in AnalyzerTag definition!
+const Analyzer::Config Analyzer::analyzer_configs[] = {
+	{ AnalyzerTag::Error, "<ERROR>", 0, 0, 0, false },
+
+	{ AnalyzerTag::PIA_TCP, "PIA_TCP", PIA_TCP::InstantiateAnalyzer,
+		PIA_TCP::Available, 0, false },
+	{ AnalyzerTag::PIA_UDP, "PIA_UDP", PIA_UDP::InstantiateAnalyzer,
+		PIA_UDP::Available, 0, false },
+
+	{ AnalyzerTag::ICMP, "ICMP", ICMP_Analyzer::InstantiateAnalyzer,
+		ICMP_Analyzer::Available, 0, false },
+	{ AnalyzerTag::ICMP_TimeExceeded, "ICMP_TIMEEXCEEDED",
+		ICMP_TimeExceeded_Analyzer::InstantiateAnalyzer,
+		ICMP_TimeExceeded_Analyzer::Available, 0, false },
+	{ AnalyzerTag::ICMP_Unreachable, "ICMP_UNREACHABLE",
+		ICMP_Unreachable_Analyzer::InstantiateAnalyzer,
+		ICMP_Unreachable_Analyzer::Available, 0, false },
+	{ AnalyzerTag::ICMP_Echo, "ICMP_ECHO",
+		ICMP_Echo_Analyzer::InstantiateAnalyzer,
+		ICMP_Echo_Analyzer::Available, 0, false },
+
+	{ AnalyzerTag::TCP, "TCP", TCP_Analyzer::InstantiateAnalyzer,
+		TCP_Analyzer::Available, 0, false },
+	{ AnalyzerTag::UDP, "UDP", UDP_Analyzer::InstantiateAnalyzer,
+		UDP_Analyzer::Available, 0, false },
+
+	{ AnalyzerTag::BitTorrent, "BITTORRENT",
+		BitTorrent_Analyzer::InstantiateAnalyzer,
+		BitTorrent_Analyzer::Available, 0, false },
+	{ AnalyzerTag::BitTorrentTracker, "BITTORRENTTRACKER",
+		BitTorrentTracker_Analyzer::InstantiateAnalyzer,
+		BitTorrentTracker_Analyzer::Available, 0, false },
+	{ AnalyzerTag::DCE_RPC, "DCE_RPC",
+		DCE_RPC_Analyzer::InstantiateAnalyzer,
+		DCE_RPC_Analyzer::Available, 0, false },
+	{ AnalyzerTag::DNS, "DNS", DNS_Analyzer::InstantiateAnalyzer,
+		DNS_Analyzer::Available, 0, false },
+	{ AnalyzerTag::Finger, "FINGER", Finger_Analyzer::InstantiateAnalyzer,
+		Finger_Analyzer::Available, 0, false },
+	{ AnalyzerTag::FTP, "FTP", FTP_Analyzer::InstantiateAnalyzer,
+		FTP_Analyzer::Available, 0, false },
+	{ AnalyzerTag::Gnutella, "GNUTELLA",
+		Gnutella_Analyzer::InstantiateAnalyzer,
+		Gnutella_Analyzer::Available, 0, false },
+	{ AnalyzerTag::HTTP, "HTTP", HTTP_Analyzer::InstantiateAnalyzer,
+		HTTP_Analyzer::Available, 0, false },
+	{ AnalyzerTag::Ident, "IDENT", Ident_Analyzer::InstantiateAnalyzer,
+		Ident_Analyzer::Available, 0, false },
+	{ AnalyzerTag::IRC, "IRC", IRC_Analyzer::InstantiateAnalyzer,
+		IRC_Analyzer::Available, 0, false },
+	{ AnalyzerTag::Login, "LOGIN", 0, 0, 0, false },  // just a base class
+	{ AnalyzerTag::NCP, "NCP", NCP_Analyzer::InstantiateAnalyzer,
+		NCP_Analyzer::Available, 0, false },
+	{ AnalyzerTag::NetbiosSSN, "NetbiosSSN",
+		NetbiosSSN_Analyzer::InstantiateAnalyzer,
+		NetbiosSSN_Analyzer::Available, 0, false },
+	{ AnalyzerTag::NFS, "NFS", NFS_Analyzer::InstantiateAnalyzer,
+		NFS_Analyzer::Available, 0, false },
+	{ AnalyzerTag::NTP, "NTP", NTP_Analyzer::InstantiateAnalyzer,
+		NTP_Analyzer::Available, 0, false },
+	{ AnalyzerTag::POP3, "POP3", POP3_Analyzer::InstantiateAnalyzer,
+		POP3_Analyzer::Available, 0, false },
+	{ AnalyzerTag::Portmapper, "PORTMAPPER",
+		Portmapper_Analyzer::InstantiateAnalyzer,
+		Portmapper_Analyzer::Available, 0, false },
+	{ AnalyzerTag::Rlogin, "RLOGIN", Rlogin_Analyzer::InstantiateAnalyzer,
+		Rlogin_Analyzer::Available, 0, false },
+	{ AnalyzerTag::RPC, "RPC", 0, 0, 0, false },
+	{ AnalyzerTag::Rsh, "RSH", Rsh_Analyzer::InstantiateAnalyzer,
+		Rsh_Analyzer::Available, 0, false },
+	{ AnalyzerTag::SMB, "SMB", SMB_Analyzer::InstantiateAnalyzer,
+		SMB_Analyzer::Available, 0, false },
+	{ AnalyzerTag::SMTP, "SMTP", SMTP_Analyzer::InstantiateAnalyzer,
+		SMTP_Analyzer::Available, 0, false },
+	{ AnalyzerTag::SSH, "SSH", SSH_Analyzer::InstantiateAnalyzer,
+		SSH_Analyzer::Available, 0, false },
+#ifdef USE_OPENSSL
+	{ AnalyzerTag::SSL, "SSL", SSLProxy_Analyzer::InstantiateAnalyzer,
+		SSLProxy_Analyzer::Available, 0, false },
+#endif
+	{ AnalyzerTag::Telnet, "TELNET", Telnet_Analyzer::InstantiateAnalyzer,
+		Telnet_Analyzer::Available, 0, false },
+
+	{ AnalyzerTag::DHCP_BINPAC, "DHCP_BINPAC",
+		DHCP_Analyzer_binpac::InstantiateAnalyzer,
+		DHCP_Analyzer_binpac::Available, 0, false },
+	{ AnalyzerTag::DNS_TCP_BINPAC, "DNS_TCP_BINPAC",
+		DNS_TCP_Analyzer_binpac::InstantiateAnalyzer,
+		DNS_TCP_Analyzer_binpac::Available, 0, false },
+	{ AnalyzerTag::DNS_UDP_BINPAC, "DNS_UDP_BINPAC",
+		DNS_UDP_Analyzer_binpac::InstantiateAnalyzer,
+		DNS_UDP_Analyzer_binpac::Available, 0, false },
+	{ AnalyzerTag::HTTP_BINPAC, "HTTP_BINPAC",
+		HTTP_Analyzer_binpac::InstantiateAnalyzer,
+		HTTP_Analyzer_binpac::Available, 0, false },
+	{ AnalyzerTag::RPC_UDP_BINPAC, "RPC_UDP_BINPAC",
+		RPC_UDP_Analyzer_binpac::InstantiateAnalyzer,
+		RPC_UDP_Analyzer_binpac::Available, 0, false },
+	{ AnalyzerTag::SSL_BINPAC, "SSL_BINPAC",
+		SSL_Analyzer_binpac::InstantiateAnalyzer,
+		SSL_Analyzer_binpac::Available, 0, false },
+
+	{ AnalyzerTag::File, "FILE", File_Analyzer::InstantiateAnalyzer,
+		File_Analyzer::Available, 0, false },
+	{ AnalyzerTag::Backdoor, "BACKDOOR",
+		BackDoor_Analyzer::InstantiateAnalyzer,
+		BackDoor_Analyzer::Available, 0, false },
+	{ AnalyzerTag::InterConn, "INTERCONN",
+		InterConn_Analyzer::InstantiateAnalyzer,
+		InterConn_Analyzer::Available, 0, false },
+	{ AnalyzerTag::SteppingStone, "STEPPINGSTONE",
+		SteppingStone_Analyzer::InstantiateAnalyzer,
+		SteppingStone_Analyzer::Available, 0, false },
+	{ AnalyzerTag::TCPStats, "TCPSTATS",
+		TCPStats_Analyzer::InstantiateAnalyzer,
+		TCPStats_Analyzer::Available, 0, false },
+
+	{ AnalyzerTag::Contents, "CONTENTS", 0, 0, 0, false },
+	{ AnalyzerTag::ContentLine, "CONTENTLINE", 0, 0, 0, false },
+	{ AnalyzerTag::NVT, "NVT", 0, 0, 0, false },
+	{ AnalyzerTag::Zip, "ZIP", 0, 0, 0, false },
+	{ AnalyzerTag::Contents_DNS, "CONTENTS_DNS", 0, 0, 0, false },
+	{ AnalyzerTag::Contents_NetbiosSSN, "CONTENTS_NETBIOSSSN", 0, 0, 0, false },
+	{ AnalyzerTag::Contents_NCP, "CONTENTS_NCP", 0, 0, 0, false },
+	{ AnalyzerTag::Contents_Rlogin, "CONTENTS_Rlogin", 0, 0, 0, false },
+	{ AnalyzerTag::Contents_Rsh, "CONTENTS_RSH", 0, 0, 0, false },
+	{ AnalyzerTag::Contents_DCE_RPC, "CONTENTS_DCE_RPC", 0, 0, 0, false },
+	{ AnalyzerTag::Contents_SMB, "CONTENTS_SMB", 0, 0, 0, false },
+	{ AnalyzerTag::Contents_RPC, "CONTENTS_RPC", 0, 0, 0, false },
+	{ AnalyzerTag::Contents_NFS, "CONTENTS_NFS", 0, 0, 0, false },
+#ifdef USE_OPENSSL
+	{ AnalyzerTag::Contents_SSL, "CONTENTS_SSL", 0, 0, 0, false },
+#endif
+};
+
+AnalyzerTimer::~AnalyzerTimer()
+	{
+	analyzer->RemoveTimer(this);
+	Unref(analyzer->Conn());
+	}
+
+void AnalyzerTimer::Dispatch(double t, int is_expire)
+	{
+	if ( is_expire && ! do_expire )
+		return;
+
+	// Remove ourselves from the connection's set of timers so
+	// it doesn't try to cancel us.
+	analyzer->RemoveTimer(this);
+
+	(analyzer->*timer)(t);
+	}
+
+void AnalyzerTimer::Init(Analyzer* arg_analyzer, analyzer_timer_func arg_timer,
+				int arg_do_expire)
+	{
+	analyzer = arg_analyzer;
+	timer = arg_timer;
+	do_expire = arg_do_expire;
+
+	// We need to Ref the connection as the analyzer doesn't do it and
+	// we need to have it around until we expire.
+	Ref(analyzer->Conn());
+	}
+
+AnalyzerID Analyzer::id_counter = 0;;
+
+Analyzer* Analyzer::InstantiateAnalyzer(AnalyzerTag::Tag tag, Connection* c)
+	{
+	Analyzer* a = analyzer_configs[tag].factory(c);
+	assert(a);
+	return a;
+	}
+
+const char* Analyzer::GetTagName(AnalyzerTag::Tag tag)
+	{
+	return analyzer_configs[tag].name;
+	}
+
+AnalyzerTag::Tag Analyzer::GetTag(const char* name)
+	{
+	for ( int i = 1; i < int(AnalyzerTag::LastAnalyzer); i++ )
+		if ( strcasecmp(analyzer_configs[i].name, name) == 0 )
+			return analyzer_configs[i].tag;
+
+	return AnalyzerTag::Error;
+	}
+
+// Used in debugging output.
+static string fmt_analyzer(Analyzer* a)
+	{
+	return string(a->GetTagName()) + fmt("[%d]", a->GetID());
+	}
+
+Analyzer::Analyzer(AnalyzerTag::Tag arg_tag, Connection* arg_conn)
+	{
+	// Don't Ref conn here to avoid circular ref'ing. It can't be deleted
+	// before us.
+	conn = arg_conn;
+	tag = arg_tag;
+	id = ++id_counter;
+	protocol_confirmed = false;
+	skip = false;
+	finished = false;
+	parent = 0;
+	orig_supporters = 0;
+	resp_supporters = 0;
+	signature = 0;
+	output_handler = 0;
+	}
+
+Analyzer::~Analyzer()
+	{
+	assert(finished);
+
+	LOOP_OVER_CHILDREN(i)
+		delete *i;
+
+	SupportAnalyzer* next = 0;
+
+	for ( SupportAnalyzer* a = orig_supporters; a; a = next )
+		{
+		next = a->sibling;
+		delete a;
+		}
+
+	for ( SupportAnalyzer* a = resp_supporters; a; a = next)
+		{
+		next = a->sibling;
+		delete a;
+		}
+
+	delete output_handler;
+	}
+
+void Analyzer::Init()
+	{
+	}
+
+void Analyzer::InitChildren()
+	{
+	AppendNewChildren();
+
+	LOOP_OVER_CHILDREN(i)
+		{
+		(*i)->Init();
+		(*i)->InitChildren();
+		}
+	}
+
+void Analyzer::Done()
+	{
+	assert(!finished);
+
+	if ( ! skip )
+		{
+		EndOfData(true);
+		EndOfData(false);
+		}
+
+	CancelTimers();
+
+	AppendNewChildren();
+
+	LOOP_OVER_CHILDREN(i)
+		if ( ! (*i)->finished )
+			(*i)->Done();
+
+	for ( SupportAnalyzer* a = orig_supporters; a; a = a->sibling )
+		if ( ! a->finished )
+			a->Done();
+
+	for ( SupportAnalyzer* a = resp_supporters; a; a = a->sibling )
+		if ( ! a->finished )
+			a->Done();
+
+	finished = true;
+	}
+
+void Analyzer::NextPacket(int len, const u_char* data, bool is_orig, int seq,
+				const IP_Hdr* ip, int caplen)
+	{
+	if ( skip )
+		return;
+
+	// If we have support analyzers, we pass it to them.
+	if ( is_orig && orig_supporters )
+		orig_supporters->NextPacket(len, data, is_orig, seq, ip, caplen);
+	else if ( ! is_orig && resp_supporters )
+		resp_supporters->NextPacket(len, data, is_orig, seq, ip, caplen);
+	else
+		{
+		try
+			{
+			DeliverPacket(len, data, is_orig, seq, ip, caplen);
+			}
+		catch ( binpac::Exception const &e )
+			{
+			Weird(e.c_msg());
+			}
+		}
+	}
+
+const char* Analyzer::GetTagName() const
+	{
+	return GetTagName(tag);
+	}
+
+void Analyzer::NextStream(int len, const u_char* data, bool is_orig)
+	{
+	if ( skip )
+		return;
+
+	// If we have support analyzers, we pass it to them.
+	if ( is_orig && orig_supporters )
+		orig_supporters->NextStream(len, data, is_orig);
+	else if ( ! is_orig && resp_supporters )
+		resp_supporters->NextStream(len, data, is_orig);
+	else
+		{
+		try
+			{
+			DeliverStream(len, data, is_orig);
+			}
+		catch ( binpac::Exception const &e )
+			{
+			Weird(e.c_msg());
+			}
+		}
+	}
+
+void Analyzer::NextUndelivered(int seq, int len, bool is_orig)
+	{
+	if ( skip )
+		return;
+
+	// If we have support analyzers, we pass it to them.
+	if ( is_orig && orig_supporters )
+		orig_supporters->NextUndelivered(seq, len, is_orig);
+	else if ( ! is_orig && resp_supporters )
+		resp_supporters->NextUndelivered(seq, len, is_orig);
+	else
+		{
+		try
+			{
+			Undelivered(seq, len, is_orig);
+			}
+		catch ( binpac::Exception const &e )
+			{
+			Weird(e.c_msg());
+			}
+		}
+	}
+
+void Analyzer::NextEndOfData(bool is_orig)
+	{
+	if ( skip )
+		return;
+
+	// If we have support analyzers, we pass it to them.
+	if ( is_orig && orig_supporters )
+		orig_supporters->NextEndOfData(is_orig);
+	else if ( ! is_orig && resp_supporters )
+		resp_supporters->NextEndOfData(is_orig);
+	else
+		EndOfData(is_orig);
+	}
+
+void Analyzer::ForwardPacket(int len, const u_char* data, bool is_orig,
+				int seq, const IP_Hdr* ip, int caplen)
+	{
+	if ( output_handler )
+		output_handler->DeliverPacket(len, data, is_orig, seq,
+						ip, caplen);
+
+	AppendNewChildren();
+
+	// Pass to all children.
+	analyzer_list::iterator next;
+	for ( analyzer_list::iterator i = children.begin();
+	      i != children.end(); i = next )
+		{
+		Analyzer* current = *i;
+		next = ++i;
+
+		if ( ! current->finished )
+			current->NextPacket(len, data, is_orig, seq, ip, caplen);
+		else
+			{
+			// Analyzer has already been disabled so delete it.
+			DBG_LOG(DBG_DPD, "%s deleted child %s",
+					fmt_analyzer(this).c_str(), fmt_analyzer(current).c_str());
+			children.erase(--i);
+			delete current;
+			}
+		}
+
+	AppendNewChildren();
+	}
+
+void Analyzer::ForwardStream(int len, const u_char* data, bool is_orig)
+	{
+	if ( output_handler )
+		output_handler->DeliverStream(len, data, is_orig);
+
+	AppendNewChildren();
+
+	analyzer_list::iterator next;
+	for ( analyzer_list::iterator i = children.begin();
+	      i != children.end(); i = next )
+		{
+		Analyzer* current = *i;
+		next = ++i;
+
+		if ( ! current->finished )
+			current->NextStream(len, data, is_orig);
+		else
+			{
+			// Analyzer has already been disabled so delete it.
+			DBG_LOG(DBG_DPD, "%s deleted child %s",
+					fmt_analyzer(this).c_str(), fmt_analyzer(current).c_str());
+			children.erase(--i);
+			delete current;
+			}
+		}
+
+	AppendNewChildren();
+	}
+
+void Analyzer::ForwardUndelivered(int seq, int len, bool is_orig)
+	{
+	if ( output_handler )
+		output_handler->Undelivered(seq, len, is_orig);
+
+	AppendNewChildren();
+
+	analyzer_list::iterator next;
+	for ( analyzer_list::iterator i = children.begin();
+	      i != children.end(); i = next )
+		{
+		Analyzer* current = *i;
+		next = ++i;
+
+		if ( ! current->finished )
+			current->NextUndelivered(seq, len, is_orig);
+		else
+			{
+			// Analyzer has already been disabled so delete it.
+			DBG_LOG(DBG_DPD, "%s deleted child %s",
+					fmt_analyzer(this).c_str(), fmt_analyzer(current).c_str());
+			children.erase(--i);
+			delete current;
+			}
+		}
+
+	AppendNewChildren();
+	}
+
+void Analyzer::ForwardEndOfData(bool orig)
+	{
+	AppendNewChildren();
+
+	analyzer_list::iterator next;
+	for ( analyzer_list::iterator i = children.begin();
+	      i != children.end(); i = next )
+		{
+		Analyzer* current = *i;
+		next = ++i;
+
+		if ( ! current->finished )
+			current->NextEndOfData(orig);
+		else
+			{
+			// Analyzer has already been disabled so delete it.
+			DBG_LOG(DBG_DPD, "%s deleted child %s",
+					fmt_analyzer(this).c_str(), fmt_analyzer(current).c_str());
+			children.erase(--i);
+			delete current;
+			}
+		}
+
+	AppendNewChildren();
+	}
+
+void Analyzer::AddChildAnalyzer(Analyzer* analyzer, bool init)
+	{
+	if ( HasChildAnalyzer(analyzer->GetTag()) )
+		{
+		analyzer->Done();
+		delete analyzer;
+		return;
+		}
+
+	// We add new children to new_children first.  They are then
+	// later copied to the "real" child list.  This is necessary
+	// because this method may be called while somebody is iterating
+	// over the children and we might confuse the caller by modifying
+	// the list.
+
+	analyzer->parent = this;
+	children.push_back(analyzer);
+
+	if ( init )
+		analyzer->Init();
+
+	DBG_LOG(DBG_DPD, "%s added child %s",
+			fmt_analyzer(this).c_str(), fmt_analyzer(analyzer).c_str());
+	}
+
+Analyzer* Analyzer::AddChildAnalyzer(AnalyzerTag::Tag analyzer)
+	{
+	if ( ! HasChildAnalyzer(analyzer) )
+		{
+		Analyzer* a = InstantiateAnalyzer(analyzer, conn);
+		AddChildAnalyzer(a);
+		return a;
+		}
+
+	return 0;
+	}
+
+void Analyzer::RemoveChildAnalyzer(Analyzer* analyzer)
+	{
+	LOOP_OVER_CHILDREN(i)
+		if ( *i == analyzer && ! analyzer->finished )
+			{
+			DBG_LOG(DBG_DPD, "%s disabled child %s",
+					fmt_analyzer(this).c_str(), fmt_analyzer(*i).c_str());
+			(*i)->Done();
+			// We don't delete it here as we may in fact
+			// iterate over the list right now.  Done() sets
+			// "finished" to true and this is checked
+			// later to delete it.
+			return;
+			}
+	}
+
+void Analyzer::RemoveChildAnalyzer(AnalyzerID id)
+	{
+	LOOP_OVER_CHILDREN(i)
+		if ( (*i)->id == id && ! (*i)->finished )
+			{
+			DBG_LOG(DBG_DPD, "%s  disabled child %s", GetTagName(), id,
+					fmt_analyzer(this).c_str(), fmt_analyzer(*i).c_str());
+			(*i)->Done();
+			return;
+			}
+	}
+
+bool Analyzer::HasChildAnalyzer(AnalyzerTag::Tag tag)
+	{
+	LOOP_OVER_CHILDREN(i)
+		if ( (*i)->tag == tag )
+			return true;
+
+	LOOP_OVER_GIVEN_CHILDREN(i, new_children)
+		if ( (*i)->tag == tag )
+			return true;
+
+	return false;
+	}
+
+Analyzer* Analyzer::FindChild(AnalyzerID arg_id)
+	{
+	if ( id == arg_id )
+		return this;
+
+	LOOP_OVER_CHILDREN(i)
+		{
+		Analyzer* child = (*i)->FindChild(arg_id);
+		if ( child )
+			return child;
+		}
+
+	return 0;
+	}
+
+Analyzer* Analyzer::FindChild(AnalyzerTag::Tag arg_tag)
+	{
+	if ( tag == arg_tag )
+		return this;
+
+	LOOP_OVER_CHILDREN(i)
+		{
+		Analyzer* child = (*i)->FindChild(arg_tag);
+		if ( child )
+			return child;
+		}
+
+	return 0;
+	}
+
+void Analyzer::AddSupportAnalyzer(SupportAnalyzer* analyzer)
+	{
+	if ( HasSupportAnalyzer(analyzer->GetTag(), analyzer->IsOrig()) )
+		{
+		DBG_LOG(DBG_DPD, "%s already has %s %s",
+			fmt_analyzer(this).c_str(),
+			analyzer->IsOrig() ? "originator" : "responder",
+			fmt_analyzer(analyzer).c_str());
+
+		analyzer->Done();
+		delete analyzer;
+		return;
+		}
+
+	SupportAnalyzer** head =
+		analyzer->IsOrig() ? &orig_supporters : &resp_supporters;
+
+	// Find end of the list.
+	SupportAnalyzer* prev = 0;
+	SupportAnalyzer* s;
+	for ( s = *head; s; prev = s, s = s->sibling )
+		;
+
+	if ( prev )
+		prev->sibling = analyzer;
+	else
+		*head = analyzer;
+
+	analyzer->parent = this;
+
+	analyzer->Init();
+
+	DBG_LOG(DBG_DPD, "%s added %s support %s",
+			fmt_analyzer(this).c_str(),
+			analyzer->IsOrig() ? "originator" : "responder",
+			fmt_analyzer(analyzer).c_str());
+	}
+
+void Analyzer::RemoveSupportAnalyzer(SupportAnalyzer* analyzer)
+	{
+	SupportAnalyzer** head =
+		analyzer->IsOrig() ? &orig_supporters : &resp_supporters;
+
+	SupportAnalyzer* prev = 0;
+	SupportAnalyzer* s;
+	for ( s = *head; s && s != analyzer; prev = s, s = s->sibling )
+		;
+
+	if ( ! s )
+		return;
+
+	if ( prev )
+		prev->sibling = s->sibling;
+	else
+		*head = s->sibling;
+
+	DBG_LOG(DBG_DPD, "%s removed support %s",
+			fmt_analyzer(this).c_str(),
+			analyzer->IsOrig() ? "originator" : "responder",
+			fmt_analyzer(analyzer).c_str());
+
+	if ( ! analyzer->finished )
+		analyzer->Done();
+
+	delete analyzer;
+	return;
+	}
+
+bool Analyzer::HasSupportAnalyzer(AnalyzerTag::Tag tag, bool orig)
+	{
+	SupportAnalyzer* s = orig ? orig_supporters : resp_supporters;
+	for ( ; s; s = s->sibling )
+		if ( s->tag == tag )
+			return true;
+
+	return false;
+	}
+
+void Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig,
+				int seq, const IP_Hdr* ip, int caplen)
+	{
+	DBG_LOG(DBG_DPD, "%s DeliverPacket(%d, %s, %d, %p, %d) [%s%s]",
+			fmt_analyzer(this).c_str(), len, is_orig ? "T" : "F", seq, ip, caplen,
+			fmt_bytes((const char*) data, min(40, len)), len > 40 ? "..." : "");
+	}
+
+void Analyzer::DeliverStream(int len, const u_char* data, bool is_orig)
+	{
+	DBG_LOG(DBG_DPD, "%s DeliverStream(%d, %s) [%s%s]",
+			fmt_analyzer(this).c_str(), len, is_orig ? "T" : "F",
+			fmt_bytes((const char*) data, min(40, len)), len > 40 ? "..." : "");
+	}
+
+void Analyzer::Undelivered(int seq, int len, bool is_orig)
+	{
+	DBG_LOG(DBG_DPD, "%s Undelivered(%d, %d, %s)",
+			fmt_analyzer(this).c_str(), seq, len, is_orig ? "T" : "F");
+	}
+
+void Analyzer::EndOfData(bool is_orig)
+	{
+	DBG_LOG(DBG_DPD, "%s EndOfData(%s)",
+			fmt_analyzer(this).c_str(), is_orig ? "T" : "F");
+	}
+
+void Analyzer::FlipRoles()
+	{
+	DBG_LOG(DBG_DPD, "%s FlipRoles()");
+
+	LOOP_OVER_CHILDREN(i)
+		(*i)->FlipRoles();
+
+	LOOP_OVER_GIVEN_CHILDREN(i, new_children)
+		(*i)->FlipRoles();
+
+	for ( SupportAnalyzer* a = orig_supporters; a; a = a->sibling )
+		a->FlipRoles();
+
+	for ( SupportAnalyzer* a = resp_supporters; a; a = a->sibling )
+		a->FlipRoles();
+
+	SupportAnalyzer* tmp = orig_supporters;
+	orig_supporters = resp_supporters;
+	resp_supporters = tmp;
+	}
+
+int Analyzer::RewritingTrace()
+	{
+	LOOP_OVER_CHILDREN(i)
+		if ( (*i)->RewritingTrace() )
+			return 1;
+
+	return 0;
+	}
+
+void Analyzer::ProtocolConfirmation()
+	{
+	if ( protocol_confirmed )
+		return;
+
+	val_list* vl = new val_list;
+	vl->append(BuildConnVal());
+	vl->append(new Val(tag, TYPE_COUNT));
+	vl->append(new Val(id, TYPE_COUNT));
+
+	// We immediately raise the event so that the analyzer can quickly
+	// react if necessary.
+	::Event* e = new ::Event(protocol_confirmation, vl, SOURCE_LOCAL);
+	mgr.Dispatch(e);
+
+	protocol_confirmed = true;
+	}
+
+void Analyzer::ProtocolViolation(const char* reason, const char* data, int len)
+	{
+	StringVal* r;
+
+	if ( data && len )
+		{
+		const char *tmp = copy_string(reason);
+		r = new StringVal(fmt("%s [%s%s]", tmp,
+					fmt_bytes(data, min(40, len)),
+					len > 40 ? "..." : ""));
+		delete [] tmp;
+		}
+	else
+		r = new StringVal(reason);
+
+	val_list* vl = new val_list;
+	vl->append(BuildConnVal());
+	vl->append(new Val(tag, TYPE_COUNT));
+	vl->append(new Val(id, TYPE_COUNT));
+	vl->append(r);
+
+	// We immediately raise the event so that the analyzer can quickly be
+	// disabled if necessary.
+	::Event* e = new ::Event(protocol_violation, vl, SOURCE_LOCAL);
+	mgr.Dispatch(e);
+	}
+
+void Analyzer::AddTimer(analyzer_timer_func timer, double t,
+			int do_expire, TimerType type)
+	{
+	Timer* analyzer_timer = new
+		AnalyzerTimer(this, timer, t, do_expire, type);
+
+	Conn()->GetTimerMgr()->Add(analyzer_timer);
+	timers.append(analyzer_timer);
+	}
+
+void Analyzer::RemoveTimer(Timer* t)
+	{
+	timers.remove(t);
+	}
+
+void Analyzer::CancelTimers()
+	{
+	// We are going to cancel our timers which, in turn, may cause them to
+	// call RemoveTimer(), which would then modify the list we're just
+	// traversing.  Thus, we first make a copy of the list which we then
+	// iterate through.
+	timer_list tmp(timers.length());
+	loop_over_list(timers, j)
+		tmp.append(timers[j]);
+
+	loop_over_list(tmp, i)
+		Conn()->GetTimerMgr()->Cancel(tmp[i]);
+
+	timers_canceled = 1;
+	timers.clear();
+	}
+
+void Analyzer::AppendNewChildren()
+	{
+	LOOP_OVER_GIVEN_CHILDREN(i, new_children)
+		children.push_back(*i);
+	new_children.clear();
+	}
+
+unsigned int Analyzer::MemoryAllocation() const
+	{
+	unsigned int mem = padded_sizeof(*this)
+		+ (timers.MemoryAllocation() - padded_sizeof(timers));
+
+	LOOP_OVER_CONST_CHILDREN(i)
+		mem += (*i)->MemoryAllocation();
+
+	for ( SupportAnalyzer* a = orig_supporters; a; a = a->sibling )
+		mem += a->MemoryAllocation();
+
+	for ( SupportAnalyzer* a = resp_supporters; a; a = a->sibling )
+		mem += a->MemoryAllocation();
+
+	return mem;
+	}
+
+void SupportAnalyzer::ForwardPacket(int len, const u_char* data, bool is_orig,
+					int seq, const IP_Hdr* ip, int caplen)
+	{
+	// We do not call parent's method, as we're replacing the functionality.
+	if ( GetOutputHandler() )
+		GetOutputHandler()->DeliverPacket(len, data, is_orig, seq,
+							ip, caplen);
+	else if ( sibling )
+		// Pass to next in chain.
+		sibling->NextPacket(len, data, is_orig, seq, ip, caplen);
+	else
+		// Finished with preprocessing - now it's the parent's turn.
+		Parent()->DeliverPacket(len, data, is_orig, seq, ip, caplen);
+	}
+
+void SupportAnalyzer::ForwardStream(int len, const u_char* data, bool is_orig)
+	{
+	// We do not call parent's method, as we're replacing the functionality.
+	if ( GetOutputHandler() )
+		GetOutputHandler()->DeliverStream(len, data, is_orig);
+
+	else if ( sibling )
+		// Pass to next in chain.
+		sibling->NextStream(len, data, is_orig);
+	else
+		// Finished with preprocessing - now it's the parent's turn.
+		Parent()->DeliverStream(len, data, is_orig);
+	}
+
+void SupportAnalyzer::ForwardUndelivered(int seq, int len, bool is_orig)
+	{
+	// We do not call parent's method, as we're replacing the functionality.
+	if ( GetOutputHandler() )
+		GetOutputHandler()->Undelivered(seq, len, is_orig);
+
+	else if ( sibling )
+		// Pass to next in chain.
+		sibling->NextUndelivered(seq, len, is_orig);
+	else
+		// Finished with preprocessing - now it's the parent's turn.
+		Parent()->Undelivered(seq, len, is_orig);
+	}
+
+TransportLayerAnalyzer::~TransportLayerAnalyzer()
+	{
+	delete rewriter;
+	}
+
+void TransportLayerAnalyzer::Done()
+	{
+	Analyzer::Done();
+
+	if ( rewriter )
+		rewriter->Done();
+	}
+
+void TransportLayerAnalyzer::SetContentsFile(unsigned int /* direction */,
+						BroFile* /* f */)
+	{
+	run_time("analyzer type does not support writing to a contents file");
+	}
+
+BroFile* TransportLayerAnalyzer::GetContentsFile(unsigned int /* direction */) const
+	{
+	run_time("analyzer type does not support writing to a contents file");
+	return 0;
+	}
+
+void TransportLayerAnalyzer::SetTraceRewriter(Rewriter* r)
+	{
+	if ( rewriter )
+		rewriter->Done();
+	delete rewriter;
+	rewriter = r;
+	}
+
+void TransportLayerAnalyzer::PacketContents(const u_char* data, int len)
+	{
+	if ( packet_contents && len > 0 )
+		{
+		BroString* cbs = new BroString(data, len, 1);
+		Val* contents = new StringVal(cbs);
+		Event(packet_contents, contents);
+		}
+	}
+
diff --git a/src/Analyzer.h b/src/Analyzer.h
new file mode 100644
index 0000000000..83c5a5c7d7
--- /dev/null
+++ b/src/Analyzer.h
@@ -0,0 +1,400 @@
+// $Id:$
+//
+// Main analyzer interface.
+
+#ifndef ANALYZER_H
+#define ANALYZER_H
+
+#include <list>
+
+#include "AnalyzerTags.h"
+#include "Conn.h"
+#include "Obj.h"
+
+class DPM;
+class PIA;
+class Analyzer;
+typedef list<Analyzer*> analyzer_list;
+
+typedef void (Analyzer::*analyzer_timer_func)(double t);
+
+// FIXME: This is a copy of ConnectionTimer, which we may eventually be
+// able to get rid of.
+class AnalyzerTimer : public Timer {
+public:
+	AnalyzerTimer(Analyzer* arg_analyzer, analyzer_timer_func arg_timer,
+			double arg_t, int arg_do_expire, TimerType arg_type)
+		: Timer(arg_t, arg_type)
+		{ Init(arg_analyzer, arg_timer, arg_do_expire); }
+	virtual ~AnalyzerTimer();
+
+	void Dispatch(double t, int is_expire);
+
+protected:
+	AnalyzerTimer()	{}
+
+	void Init(Analyzer* analyzer, analyzer_timer_func timer, int do_expire);
+
+	Analyzer* analyzer;
+	analyzer_timer_func timer;
+	int do_expire;
+};
+
+
+// Main analyzer interface.
+//
+// Each analyzer is part of a tree, having a parent analyzer and an
+// arbitrary number of child analyzers.  Each analyzer also has a list of
+// *suppport analyzers*.  All its input first passes through this list of
+// support analyzers, which can perform arbitrary preprocessing.  Support
+// analyzers share the same interface as regular analyzers, except that
+// they are unidirectional, i.e., they see only one side of a connection.
+//
+// When overiding any of these methods, always make sure to call the
+// base-class version first.
+
+class SupportAnalyzer;
+class OutputHandler;
+
+class Analyzer {
+public:
+	Analyzer(AnalyzerTag::Tag tag, Connection* conn);
+	virtual ~Analyzer();
+
+	virtual void Init();
+	virtual void Done();
+
+	// Pass data to the analyzer (it's automatically passed through its
+	// support analyzers first).  We have packet-wise and stream-wise
+	// interfaces.  For the packet-interface, some analyzers may require
+	// more information than others, so IP/caplen and seq may or may
+	// not be set.
+	void NextPacket(int len, const u_char* data, bool orig,
+			int seq = -1, const IP_Hdr* ip = 0, int caplen = 0);
+	void NextStream(int len, const u_char* data, bool is_orig);
+
+	// Used for data that can't be delivered (e.g., due to a previous
+	// sequence hole/gap).
+	void NextUndelivered(int seq, int len, bool is_orig);
+
+	// Report message boundary. (See EndOfData() below.)
+	void NextEndOfData(bool orig);
+
+	// Pass data on to all child analyzer(s).  For SupportAnalyzers (see
+	// below), this is overridden to pass it on to the next sibling (or
+	// finally to the parent, if it's the last support analyzer).
+	//
+	// If we have an associated OutputHandler (see below), the data is
+	// additionally passed to that, too. For SupportAnalyzers, it is *only*
+	// delivered to the OutputHandler.
+	virtual void ForwardPacket(int len, const u_char* data,
+					bool orig, int seq,
+					const IP_Hdr* ip, int caplen);
+	virtual void ForwardStream(int len, const u_char* data, bool orig);
+	virtual void ForwardUndelivered(int seq, int len, bool orig);
+
+	// Report a message boundary to all child analyzers
+	virtual void ForwardEndOfData(bool orig);
+
+	AnalyzerID GetID() const	{ return id; }
+	Connection* Conn() const	{ return conn; }
+
+	// An OutputHandler can be used to get access to data extracted by this
+	// analyzer (i.e., all data which is passed to
+	// Forward{Packet,Stream,Undelivered}).  We take the ownership of
+	// the handler.
+	class OutputHandler {
+	public:
+		virtual	~OutputHandler() { }
+
+		virtual void DeliverPacket(int len, const u_char* data,
+						bool orig, int seq,
+						const IP_Hdr* ip, int caplen)
+			{ }
+		virtual void DeliverStream(int len, const u_char* data,
+						bool orig)	{ }
+		virtual void Undelivered(int seq, int len, bool orig)	{ }
+	};
+
+	OutputHandler* GetOutputHandler() const	{ return output_handler; }
+	void SetOutputHandler(OutputHandler* handler)
+		{ output_handler = handler; }
+
+	// If an analyzer was triggered by a signature match, this returns the
+	// name of the signature; nil if not.
+	const Rule* Signature() const		{ return signature; }
+	void SetSignature(const Rule* sig)	{ signature = sig; }
+
+	void SetSkip(bool do_skip)		{ skip = do_skip; }
+	bool Skipping() const			{ return skip; }
+
+	bool IsFinished() const 		{ return finished; }
+
+	AnalyzerTag::Tag GetTag() const		{ return tag; }
+	const char* GetTagName() const;
+	static AnalyzerTag::Tag GetTag(const char* tag);
+	static const char* GetTagName(AnalyzerTag::Tag tag);
+	static bool IsAvailable(AnalyzerTag::Tag tag)
+		{ return analyzer_configs[tag].available(); }
+
+	// Management of the tree.
+	//
+	// We immediately discard an added analyzer if there's already a child
+	// of the same type.
+	void AddChildAnalyzer(Analyzer* analyzer)
+		{ AddChildAnalyzer(analyzer, true); }
+	Analyzer* AddChildAnalyzer(AnalyzerTag::Tag tag);
+
+	void RemoveChildAnalyzer(Analyzer* analyzer);
+	void RemoveChildAnalyzer(AnalyzerID id);
+
+	bool HasChildAnalyzer(AnalyzerTag::Tag tag);
+
+	// Recursive; returns nil if not found.
+	Analyzer* FindChild(AnalyzerID id);
+
+	// Recursive; returns first found, or nil.
+	Analyzer* FindChild(AnalyzerTag::Tag tag);
+
+	const analyzer_list& GetChildren()	{ return children; }
+
+	Analyzer* Parent() const	{ return parent; }
+	void SetParent(Analyzer* p)	{ parent = p; }
+
+	// Remove this child analyzer from the parent's list.
+	void Remove()	{ assert(parent); parent->RemoveChildAnalyzer(this); }
+
+	// Management of support analyzers.  Support analyzers are associated
+	// with a direction, and will only see data in the corresponding flow.
+	//
+	// We immediately discard an added analyzer if there's already a child
+	// of the same type for the same direction.
+
+	// Adds to tail of list.
+	void AddSupportAnalyzer(SupportAnalyzer* analyzer);
+
+	void RemoveSupportAnalyzer(SupportAnalyzer* analyzer);
+
+	// These are the methods where the analyzer actually gets its input.
+	// Each analyzer has only to implement the schemes it supports.
+
+	// Packet-wise (or more generally chunk-wise) input.  "data" points
+	// to the payload that the analyzer is supposed to examine.  If it's
+	// part of a full packet, "ip" points to its IP header.  An analyzer
+	// may or may not require to be given the full packet (and its caplen)
+	// as well.
+	virtual void DeliverPacket(int len, const u_char* data, bool orig,
+					int seq, const IP_Hdr* ip, int caplen);
+
+	// Stream-wise payload input.
+	virtual void DeliverStream(int len, const u_char* data, bool orig);
+
+	// If a parent analyzer can't turn a sequence of packets into a stream
+	// (e.g., due to holes), it can pass the remaining data through this
+	// method to the child.
+	virtual void Undelivered(int seq, int len, bool orig);
+
+	// Report a message boundary.  This is a generic method that can be used
+	// by specific Analyzers if all data of a message has been delivered,
+	// e.g., to report that HTTP body has been delivered completely by the
+	// HTTP analyzer before it starts with the next body. EndOfData() is
+	// automatically generated by the analyzer's Done() method.
+	virtual void EndOfData(bool is_orig);
+
+	// Occasionally we may find during analysis that we got the direction
+	// of the connection wrong.  In these cases, this method is called
+	// to swap state if necessary.  This will not happen after payload
+	// has already been passed on, so most analyzers don't need to care.
+	virtual void FlipRoles();
+
+	// Feedback about protocol conformance, to be called by the
+	// analyzer's processing.  The methods raise the correspondiong
+	// protocol_confirmation and protocol_violation events.
+
+	// Report that we believe we're parsing the right protocol.  This
+	// should be called as early as possible during a connection's
+	// life-time. The protocol_confirmed event is only raised once per
+	// analyzer, even if the method is called multiple times.
+	virtual void ProtocolConfirmation();
+
+	// Report that we found a significant protocol violation which might
+	// indicate that the analyzed data is in fact not the expected
+	// protocol.  The protocol_violation event is raised once per call to
+	// this method so that the script-level may build up some notion of
+	// how "severely" protocol semantics are violated.
+	virtual void ProtocolViolation(const char* reason,
+					const char* data = 0, int len = 0);
+
+	// Returns true if the analyzer or one of its children is rewriting
+	// the trace.
+	virtual int RewritingTrace();
+
+	virtual unsigned int MemoryAllocation() const;
+
+	// The following methods are proxies: calls are directly forwarded
+	// to the connection instance.  These are for convenience only,
+	// allowing us to reuse more of the old analyzer code unchanged.
+	RecordVal* BuildConnVal()
+		{ return conn->BuildConnVal(); }
+	void Event(EventHandlerPtr f, const char* name = 0)
+		{ conn->Event(f, this, name); }
+	void Event(EventHandlerPtr f, Val* v1, Val* v2 = 0)
+		{ conn->Event(f, this, v1, v2); }
+	void ConnectionEvent(EventHandlerPtr f, val_list* vl)
+		{ conn->ConnectionEvent(f, this, vl); }
+	void Weird(const char* name)	{ conn->Weird(name); }
+	void Weird(const char* name, const char* addl)
+		{ conn->Weird(name, addl); }
+	void Weird(const char* name, int addl_len, const char* addl)
+		{ conn->Weird(name, addl_len, addl); };
+
+	// Factory function to instantiate new analyzers.
+	static Analyzer* InstantiateAnalyzer(AnalyzerTag::Tag tag, Connection* c);
+
+protected:
+	friend class DPM;
+	friend class Connection;
+	friend class AnalyzerTimer;
+	friend class TCP_ApplicationAnalyzer;
+
+	Analyzer()	{ }
+
+	// Associates a connection with this analyzer.  Must be called if
+	// we're using the default ctor.
+	void SetConnection(Connection* c)	{ conn = c; }
+
+	// Creates the given timer to expire at time t.  If do_expire
+	// is true, then the timer is also evaluated when Bro terminates,
+	// otherwise not.
+	void AddTimer(analyzer_timer_func timer, double t, int do_expire,
+			TimerType type);
+
+	void RemoveTimer(Timer* t);
+	void CancelTimers();
+
+	bool HasSupportAnalyzer(AnalyzerTag::Tag tag, bool orig);
+
+	void AddChildAnalyzer(Analyzer* analyzer, bool init);
+	void InitChildren();
+	void AppendNewChildren();
+
+private:
+	AnalyzerTag::Tag tag;
+	AnalyzerID id;
+
+	Connection* conn;
+	Analyzer* parent;
+	const Rule* signature;
+	OutputHandler* output_handler;
+
+	analyzer_list children;
+	SupportAnalyzer* orig_supporters;
+	SupportAnalyzer* resp_supporters;
+
+	analyzer_list new_children;
+
+	bool protocol_confirmed;
+
+	timer_list timers;
+	bool timers_canceled;
+	bool skip;
+	bool finished;
+
+	static AnalyzerID id_counter;
+
+	typedef bool (*available_callback)();
+	typedef Analyzer* (*factory_callback)(Connection* conn);
+	typedef bool (*match_callback)(Connection*);
+
+	struct Config {
+		AnalyzerTag::Tag tag;
+		const char* name;
+		factory_callback factory;
+		available_callback available;
+		match_callback match;
+		bool partial;
+	};
+
+	// Table of analyzers.
+	static const Config analyzer_configs[];
+
+};
+
+#define ADD_ANALYZER_TIMER(timer, t, do_expire, type) \
+	AddTimer(analyzer_timer_func(timer), (t), (do_expire), (type))
+
+#define LOOP_OVER_CHILDREN(var) \
+	for ( analyzer_list::iterator var = children.begin(); \
+	      var != children.end(); var++ )
+
+#define LOOP_OVER_CONST_CHILDREN(var) \
+	for ( analyzer_list::const_iterator var = children.begin(); \
+	      var != children.end(); var++ )
+
+#define LOOP_OVER_GIVEN_CHILDREN(var, the_kids) \
+	for ( analyzer_list::iterator var = the_kids.begin(); \
+	      var != the_kids.end(); var++ )
+
+class SupportAnalyzer : public Analyzer {
+public:
+	SupportAnalyzer(AnalyzerTag::Tag tag, Connection* conn, bool arg_orig)
+		: Analyzer(tag, conn)	{ orig = arg_orig; sibling = 0; }
+
+	virtual ~SupportAnalyzer() {}
+
+	bool IsOrig() const 	{ return orig; }
+
+	virtual void ForwardPacket(int len, const u_char* data, bool orig,
+					int seq, const IP_Hdr* ip, int caplen);
+	virtual void ForwardStream(int len, const u_char* data, bool orig);
+	virtual void ForwardUndelivered(int seq, int len, bool orig);
+
+	SupportAnalyzer* Sibling() const 	{ return sibling; }
+
+protected:
+	friend class Analyzer;
+
+	SupportAnalyzer()	{ }
+private:
+	bool orig;
+
+	// Points to next support analyzer in chain.  The list is managed by
+	// parent analyzer.
+	SupportAnalyzer* sibling;
+};
+
+
+class TransportLayerAnalyzer : public Analyzer {
+public:
+	TransportLayerAnalyzer(AnalyzerTag::Tag tag, Connection* conn)
+		: Analyzer(tag, conn)	{ pia = 0; rewriter = 0; }
+
+	virtual ~TransportLayerAnalyzer();
+
+	virtual void Done();
+	virtual void UpdateEndpointVal(RecordVal* endp, int is_orig) = 0;
+	virtual bool IsReuse(double t, const u_char* pkt) = 0;
+
+	virtual void SetContentsFile(unsigned int direction, BroFile* f);
+	virtual BroFile* GetContentsFile(unsigned int direction) const;
+
+	void SetPIA(PIA* arg_PIA)	{ pia = arg_PIA; }
+	PIA* GetPIA() const		{ return pia; }
+
+	Rewriter* TraceRewriter()	{ return rewriter; }
+
+	// Takes ownership.
+	void SetTraceRewriter(Rewriter* r);
+
+	// Raises packet_contents event.
+	void PacketContents(const u_char* data, int len);
+
+protected:
+	TransportLayerAnalyzer()	{ }
+
+private:
+	PIA* pia;
+	Rewriter* rewriter;
+};
+
+#endif
diff --git a/src/AnalyzerTags.h b/src/AnalyzerTags.h
new file mode 100644
index 0000000000..eafa5de300
--- /dev/null
+++ b/src/AnalyzerTags.h
@@ -0,0 +1,56 @@
+// $Id: AnalyzerTags.h,v 1.1.2.5 2006/06/01 01:55:42 sommer Exp $
+
+#ifndef ANALYZERTAGS_H
+#define ANALYZERTAGS_H
+
+// Each kind of analyzer gets a tag. When adding an analyzer here, also adapt
+// the table of analyzers in Analyzer.cc.
+//
+// Using a namespace here is kind of a hack: ideally this would be in "class
+// Analyzer {...}". But then we'd have circular dependencies across the header
+// files.
+
+#include "util.h"
+
+typedef uint32 AnalyzerID;
+
+namespace AnalyzerTag {
+	enum Tag {
+		Error = 0,	// used as error code
+
+		// Analyzer in charge of protocol detection.
+		PIA_TCP, PIA_UDP,
+
+		// Transport-layer analyzers.
+		ICMP, ICMP_TimeExceeded, ICMP_Unreachable, ICMP_Echo, TCP, UDP,
+
+		// Application-layer analyzers (hand-written).
+		BitTorrent, BitTorrentTracker,
+		DCE_RPC, DNS, Finger, FTP, Gnutella, HTTP, Ident, IRC,
+		Login, NCP, NetbiosSSN, NFS, NTP, POP3, Portmapper, Rlogin,
+		RPC, Rsh, SMB, SMTP, SSH,
+#ifdef USE_OPENSSL
+		SSL,
+#endif
+		Telnet,
+
+		// Application-layer analyzers, binpac-generated.
+		DHCP_BINPAC, DNS_TCP_BINPAC, DNS_UDP_BINPAC,
+		HTTP_BINPAC, RPC_UDP_BINPAC, SSL_BINPAC,
+
+		// Other
+		File, Backdoor, InterConn, SteppingStone, TCPStats,
+
+		// Support-analyzers
+		Contents, ContentLine, NVT, Zip, Contents_DNS, Contents_NCP,
+		Contents_NetbiosSSN, Contents_Rlogin, Contents_Rsh,
+		Contents_DCE_RPC, Contents_SMB, Contents_RPC, Contents_NFS,
+#ifdef USE_OPENSSL
+		Contents_SSL,
+#endif
+		// End-marker.
+		LastAnalyzer
+	};
+};
+
+#endif
diff --git a/src/Anon.cc b/src/Anon.cc
new file mode 100644
index 0000000000..36e5e05b86
--- /dev/null
+++ b/src/Anon.cc
@@ -0,0 +1,423 @@
+// $Id: Anon.cc 7075 2010-09-13 02:39:38Z vern $
+
+#include <stdlib.h>
+#include <unistd.h>
+#include <assert.h>
+#include <sys/time.h>
+
+#include "util.h"
+#include "net_util.h"
+#include "md5.h"
+#include "Anon.h"
+#include "Val.h"
+#include "NetVar.h"
+
+
+AnonymizeIPAddr* ip_anonymizer[NUM_ADDR_ANONYMIZATION_METHODS] = {0};
+
+static uint32 rand32()
+	{
+	return ((random() & 0xffff) << 16) | (random() & 0xffff);
+	}
+
+// From tcpdpriv.
+int bi_ffs(uint32 value)
+	{
+	int add = 0;
+	static uint8 bvals[] = {
+		0, 4, 3, 3, 2, 2, 2, 2, 1, 1, 1, 1, 1, 1, 1, 1
+	};
+
+	if ( (value & 0xFFFF0000) == 0 )
+		{
+		if ( value == 0 )
+			// Zero input ==> zero output.
+			return 0;
+
+		add += 16;
+		}
+
+	else
+		value >>= 16;
+
+	if ( (value & 0xFF00) == 0 )
+		add += 8;
+	else
+		value >>= 8;
+
+	if ( (value & 0xF0) == 0 )
+		add += 4;
+	else
+		value >>= 4;
+
+	return add + bvals[value & 0xf];
+	}
+
+#define first_n_bit_mask(n)	(~(0xFFFFFFFFU >> n))
+
+ipaddr32_t AnonymizeIPAddr::Anonymize(ipaddr32_t addr)
+	{
+	map<ipaddr32_t, ipaddr32_t>::iterator p = mapping.find(addr);
+	if ( p != mapping.end() )
+		return p->second;
+	else
+		{
+		ipaddr32_t new_addr = anonymize(addr);
+		mapping[addr] = new_addr;
+
+		return new_addr;
+		}
+	}
+
+int AnonymizeIPAddr::PreserveNet(ipaddr32_t input)
+	{
+	switch ( addr_to_class(ntohl(input)) ) {
+	case 'A':
+		return PreservePrefix(input, 8);
+	case 'B':
+		return PreservePrefix(input, 16);
+	case 'C':
+		return PreservePrefix(input, 24);
+	default:
+		return 0;
+	}
+	}
+
+ipaddr32_t AnonymizeIPAddr_Seq::anonymize(ipaddr32_t /* input */)
+	{
+	return htonl(seq++);
+	}
+
+ipaddr32_t AnonymizeIPAddr_RandomMD5::anonymize(ipaddr32_t input)
+	{
+	uint8 digest[16];
+	ipaddr32_t output = 0;
+
+	hmac_md5(sizeof(input), (u_char*)(&input), digest);
+
+	for ( int i = 0; i < 4; ++i )
+		output = (output << 8) | digest[i];
+
+	return output;
+	}
+
+
+// This code is from "On the Design and Performance of Prefix-Preserving 
+// IP Traffic Trace Anonymization", by Xu et al (IMW 2001)
+// 
+// http://www.imconf.net/imw-2001/proceedings.html
+
+ipaddr32_t AnonymizeIPAddr_PrefixMD5::anonymize(ipaddr32_t input)
+	{
+	uint8 digest[16];
+	ipaddr32_t prefix_mask = 0xffffffff;
+	input = ntohl(input);
+	ipaddr32_t output = input;
+
+	for ( int i = 0; i < 32; ++i )
+		{
+		// PAD(x_0 ... x_{i-1}) = x_0 ... x_{i-1} 1 0 ... 0 .
+		prefix.len = htonl(i + 1);
+		prefix.prefix = htonl((input & ~(prefix_mask>>i)) | (1<<(31-i)));
+
+		// HK(PAD(x_0 ... x_{i-1})).
+		hmac_md5(sizeof(prefix), (u_char*) &prefix, digest);
+
+		// f_{i-1} = LSB(HK(PAD(x_0 ... x_{i-1}))).
+		ipaddr32_t bit_mask = (digest[0] & 1) << (31-i);
+
+		// x_i' = x_i ^ f_{i-1}.
+		output ^= bit_mask;
+		}
+
+	return htonl(output);
+	}
+
+AnonymizeIPAddr_A50::~AnonymizeIPAddr_A50()
+	{
+	for ( unsigned int i = 0; i < blocks.size(); ++i )
+		delete [] blocks[i];
+
+	blocks.clear();
+	}
+
+void AnonymizeIPAddr_A50::init()
+	{
+	root = next_free_node = 0;
+
+	// Prepare special nodes for 0.0.0.0 and 255.255.255.255.
+	memset(&special_nodes[0], 0, sizeof(special_nodes));
+	special_nodes[0].input = special_nodes[0].output = 0;
+	special_nodes[1].input = special_nodes[1].output = 0xFFFFFFFF;
+
+	before_anonymization = 1;
+	}
+
+int AnonymizeIPAddr_A50::PreservePrefix(ipaddr32_t input, int num_bits)
+	{
+	DEBUG_MSG("%s/%d\n", dotted_addr(input), num_bits);
+
+	if ( ! before_anonymization )
+		{
+		run_time("prefix perservation specified after anonymization begun");
+		return 0;
+		}
+
+	input = ntohl(input);
+
+	// Sanitize input.
+	input = input & first_n_bit_mask(num_bits);
+
+	Node* n = find_node(input);
+
+	// Preserve the first num_bits bits of addr.
+	if ( num_bits == 32 )
+		n->output = input;
+
+	else if ( num_bits > 0 )
+		{
+		assert((0xFFFFFFFFU >> 1) == 0x7FFFFFFFU);
+		uint32 suffix_mask = (0xFFFFFFFFU >> num_bits);
+		uint32 prefix_mask = ~suffix_mask;
+		n->output = (input & prefix_mask) | (rand32() & suffix_mask);
+		}
+
+	return 1;
+	}
+
+ipaddr32_t AnonymizeIPAddr_A50::anonymize(ipaddr32_t a)
+	{
+	before_anonymization = 0;
+	new_mapping = 0;
+
+	if ( Node* n = find_node(ntohl(a)) )
+		{
+		ipaddr32_t output = htonl(n->output);
+		return output;
+		}
+	else
+		return 0;
+	}
+
+AnonymizeIPAddr_A50::Node* AnonymizeIPAddr_A50::new_node_block()
+	{
+	assert(! next_free_node);
+
+	int block_size = 1024;
+	Node* block = new Node[block_size];
+	if ( ! block )
+		internal_error("out of memory!");
+
+	blocks.push_back(block);
+
+	for ( int i = 1; i < block_size - 1; ++i )
+		block[i].child[0] = &block[i+1];
+
+	block[block_size - 1].child[0] = 0;
+	next_free_node = &block[1];
+
+	return &block[0];
+	}
+
+inline AnonymizeIPAddr_A50::Node* AnonymizeIPAddr_A50::new_node()
+	{
+	new_mapping = 1;
+
+	if ( next_free_node )
+		{
+		Node* n = next_free_node;
+		next_free_node = n->child[0];
+		return n;
+		}
+	else
+		return new_node_block();
+	}
+
+inline void AnonymizeIPAddr_A50::free_node(Node *n)
+	{
+	n->child[0] = next_free_node;
+	next_free_node = n;
+	}
+
+ipaddr32_t AnonymizeIPAddr_A50::make_output(ipaddr32_t old_output, int swivel) const
+	{
+	// -A50 anonymization
+	if ( swivel == 32 )
+		return old_output ^ 1;
+	else
+		{
+		// Bits up to swivel are unchanged; bit swivel is flipped.
+		ipaddr32_t known_part =
+			((old_output >> (32 - swivel)) ^ 1) << (32 - swivel);
+
+		// Remainder of bits are random.
+		return known_part | ((rand32() & 0x7FFFFFFF) >> swivel);
+		}
+	}
+
+AnonymizeIPAddr_A50::Node* AnonymizeIPAddr_A50::make_peer(ipaddr32_t a, Node* n)
+	{
+	if ( a == 0 || a == 0xFFFFFFFFU )
+		internal_error("0.0.0.0 and 255.255.255.255 should never get into the tree");
+
+	// Become a peer.
+	// Algorithm: create two nodes, the two peers.  Leave orig node as
+	// the parent of the two new ones.
+
+	Node* down[2];
+
+	if ( ! (down[0] = new_node()) )
+		return 0;
+
+	if ( ! (down[1] = new_node()) )
+		{
+		free_node(down[0]);
+		return 0;
+		}
+
+	// swivel is first bit 'a' and 'old->input' differ.
+	int swivel = bi_ffs(a ^ n->input);
+
+	// bitvalue is the value of that bit of 'a'.
+	int bitvalue = (a >> (32 - swivel)) & 1;
+
+	down[bitvalue]->input = a;
+	down[bitvalue]->output = make_output(n->output, swivel);
+	down[bitvalue]->child[0] = down[bitvalue]->child[1] = 0;
+
+	*down[1 - bitvalue] = *n;	// copy orig node down one level
+
+	n->input = down[1]->input;	// NB: 1s to the right (0s to the left)
+	n->output = down[1]->output;
+	n->child[0] = down[0];		// point to children
+	n->child[1] = down[1];
+
+	return down[bitvalue];
+	}
+
+AnonymizeIPAddr_A50::Node* AnonymizeIPAddr_A50::find_node(ipaddr32_t a)
+	{
+	// Watch out for special IP addresses, which never make it
+	// into the tree.
+	if ( a == 0 || a == 0xFFFFFFFFU )
+		return &special_nodes[a & 1];
+
+	if ( ! root )
+		{
+		root = new_node();
+		root->input = a;
+		root->output = rand32();
+		root->child[0] = root->child[1] = 0;
+
+		return root;
+		}
+
+	// Straight from tcpdpriv.
+	Node* n = root;
+	while ( n )
+		{
+		if ( n->input == a )
+			return n;
+
+		if ( ! n->child[0] )
+			n = make_peer(a, n);
+
+		else
+			{
+			// swivel is the first bit in which the two children
+			// differ.
+			int swivel =
+				bi_ffs(n->child[0]->input ^ n->child[1]->input);
+
+			if ( bi_ffs(a ^ n->input) < swivel )
+				// Input differs earlier.
+				n = make_peer(a, n);
+
+			else if ( a & (1 << (32 - swivel)) )
+				n = n->child[1];
+
+			else
+				n = n->child[0];
+			}
+		}
+
+	internal_error("out of memory!");
+	return 0;
+	}
+
+void init_ip_addr_anonymizers()
+	{
+	ip_anonymizer[KEEP_ORIG_ADDR] = 0;
+	ip_anonymizer[SEQUENTIALLY_NUMBERED] = new AnonymizeIPAddr_Seq();
+	ip_anonymizer[RANDOM_MD5] = new AnonymizeIPAddr_RandomMD5();
+	ip_anonymizer[PREFIX_PRESERVING_A50] = new AnonymizeIPAddr_A50();
+	ip_anonymizer[PREFIX_PRESERVING_MD5] = new AnonymizeIPAddr_PrefixMD5();
+	}
+
+ipaddr32_t anonymize_ip(ipaddr32_t ip, enum ip_addr_anonymization_class_t cl)
+	{
+	TableVal* preserve_addr = 0;
+	AddrVal addr(ip);
+
+	int method = -1;
+
+	switch ( cl ) {
+	case ORIG_ADDR: // client address
+		preserve_addr = preserve_orig_addr;
+		method = orig_addr_anonymization;
+		break;
+
+	case RESP_ADDR: // server address
+		preserve_addr = preserve_resp_addr;
+		method = resp_addr_anonymization;
+		break;
+
+	default:
+		preserve_addr = preserve_other_addr;
+		method = other_addr_anonymization;
+		break;
+	}
+
+	ipaddr32_t new_ip = 0;
+		
+	if ( preserve_addr && preserve_addr->Lookup(&addr) )
+		new_ip = ip;
+
+	else if ( method >= 0 && method < NUM_ADDR_ANONYMIZATION_METHODS )
+		{
+		if ( method == KEEP_ORIG_ADDR ) 
+			new_ip = ip;
+
+		else if ( ! ip_anonymizer[method] )
+			internal_error("IP anonymizer not initialized");
+
+		else
+			new_ip = ip_anonymizer[method]->Anonymize(ip);
+		}
+
+	else
+		internal_error("invalid IP anonymization method");
+
+#ifdef LOG_ANONYMIZATION_MAPPING
+	log_anonymization_mapping(ip, new_ip);
+#endif
+	return new_ip;
+	}
+
+#ifdef LOG_ANONYMIZATION_MAPPING
+
+#include "NetVar.h"
+#include "Event.h"
+
+void log_anonymization_mapping(ipaddr32_t input, ipaddr32_t output)
+	{
+	if ( anonymization_mapping )
+		{
+		val_list* vl = new val_list;
+		vl->append(new AddrVal(input));
+		vl->append(new AddrVal(output));
+		mgr.QueueEvent(anonymization_mapping, vl);
+		}
+	}
+
+#endif
diff --git a/src/Anon.h b/src/Anon.h
new file mode 100644
index 0000000000..3368ce16da
--- /dev/null
+++ b/src/Anon.h
@@ -0,0 +1,141 @@
+// $Id: Anon.h 416 2004-09-17 03:52:28Z vern $
+
+// The prefix-preserving IP address anonymization code is largely
+// based on (and sometimes directly copied from) Eddie Kohler's
+// ipsumdump-1.20 code, per:
+//
+//	http://www.icir.org/kohler/ipsumdump/
+//
+// ipsumdump, in turn, takes some of its code from tcpdpriv:
+//
+//	http://ita.ee.lbl.gov/html/contrib/tcpdpriv.html
+
+#ifndef anon_h
+#define anon_h
+
+#include <vector>
+#include <set>
+#include <map>
+using namespace std;
+
+#include "net_util.h"
+
+// TODO: Anon.h may not be the right place to put these functions ...
+
+enum ip_addr_anonymization_class_t {
+	ORIG_ADDR,	// client address
+	RESP_ADDR,	// server address
+	OTHER_ADDR,
+	NUM_ADDR_ANONYMIZATION_CLASSES,
+};
+
+enum ip_addr_anonymization_method_t {
+	KEEP_ORIG_ADDR,
+	SEQUENTIALLY_NUMBERED,
+	RANDOM_MD5,
+	PREFIX_PRESERVING_A50,
+	PREFIX_PRESERVING_MD5,
+	NUM_ADDR_ANONYMIZATION_METHODS,
+};
+
+typedef uint32 ipaddr32_t;
+
+// NOTE: all addresses in parameters of *public* functions are in
+// network order.
+
+class AnonymizeIPAddr {
+public:
+	virtual ~AnonymizeIPAddr()	{ mapping.clear(); }
+
+	ipaddr32_t Anonymize(ipaddr32_t addr);
+
+	// Keep the specified prefix unchanged.
+	virtual int PreservePrefix(ipaddr32_t /* input */, int /* num_bits */)
+		{
+		internal_error("prefix preserving is not supported for the anonymizer");
+		return 0;
+		}
+
+	virtual ipaddr32_t anonymize(ipaddr32_t addr) = 0;
+	
+	int PreserveNet(ipaddr32_t input);
+
+protected:
+	map<ipaddr32_t, ipaddr32_t> mapping;
+};
+
+class AnonymizeIPAddr_Seq : public AnonymizeIPAddr {
+public:
+	AnonymizeIPAddr_Seq()	{ seq = 1; }
+	ipaddr32_t anonymize(ipaddr32_t addr);
+
+protected:
+	ipaddr32_t seq;
+};
+
+class AnonymizeIPAddr_RandomMD5 : public AnonymizeIPAddr {
+public:
+	ipaddr32_t anonymize(ipaddr32_t addr);
+};
+
+class AnonymizeIPAddr_PrefixMD5 : public AnonymizeIPAddr {
+public:
+	ipaddr32_t anonymize(ipaddr32_t addr);
+
+protected:
+	struct anon_prefix {
+		int len;
+		ipaddr32_t prefix;
+	} prefix;
+};
+
+class AnonymizeIPAddr_A50 : public AnonymizeIPAddr {
+public:
+	AnonymizeIPAddr_A50()	{ init(); }
+	~AnonymizeIPAddr_A50();
+
+	ipaddr32_t anonymize(ipaddr32_t addr);
+	int PreservePrefix(ipaddr32_t input, int num_bits);
+
+protected:
+	struct Node {
+		ipaddr32_t input;
+		ipaddr32_t output;
+		Node* child[2];
+	};
+
+	int method;
+	int before_anonymization;
+	int new_mapping;
+
+	// The root of prefix preserving mapping tree.
+	Node* root;
+
+	// A node pool for new_node.
+	Node* next_free_node;
+	std::vector<Node*> blocks;
+
+	// for 0.0.0.0 and 255.255.255.255.
+	Node special_nodes[2];
+
+	void init();
+
+	Node* new_node();
+	Node* new_node_block();
+	void free_node(Node*);
+
+	ipaddr32_t make_output(ipaddr32_t, int) const;
+	Node* make_peer(ipaddr32_t, Node*);
+	Node* find_node(ipaddr32_t);
+};
+
+// The global IP anonymizers.
+extern AnonymizeIPAddr* ip_anonymizer[NUM_ADDR_ANONYMIZATION_METHODS];
+
+void init_ip_addr_anonymizers();
+ipaddr32_t anonymize_ip(ipaddr32_t ip, enum ip_addr_anonymization_class_t cl);
+
+#define LOG_ANONYMIZATION_MAPPING
+void log_anonymization_mapping(ipaddr32_t input, ipaddr32_t output);
+
+#endif
diff --git a/src/Attr.cc b/src/Attr.cc
new file mode 100644
index 0000000000..5a83d0501b
--- /dev/null
+++ b/src/Attr.cc
@@ -0,0 +1,393 @@
+// $Id: Attr.cc 6219 2008-10-01 05:39:07Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "config.h"
+
+#include "Attr.h"
+#include "Expr.h"
+#include "Serializer.h"
+
+const char* attr_name(attr_tag t)
+	{
+	static const char* attr_names[int(NUM_ATTRS)] = {
+		"&optional", "&default", "&redef",
+		"&rotate_interval", "&rotate_size",
+		"&add_func", "&delete_func", "&expire_func",
+		"&read_expire", "&write_expire", "&create_expire",
+		"&persistent", "&synchronized", "&postprocessor",
+		"&encrypt", "&match", "&disable_print_hook",
+		"&raw_output", "&mergeable", "&priority",
+		"&group", "(&tracked)",
+	};
+
+	return attr_names[int(t)];
+	}
+
+Attr::Attr(attr_tag t, Expr* e)
+	{
+	tag = t;
+	expr = e;
+	SetLocationInfo(&start_location, &end_location);
+	}
+
+Attr::~Attr()
+	{
+	Unref(expr);
+	}
+
+void Attr::Describe(ODesc* d) const
+	{
+	AddTag(d);
+
+	if ( expr )
+		{
+		if ( ! d->IsBinary() )
+			d->Add("=");
+
+		expr->Describe(d);
+		}
+	}
+
+void Attr::AddTag(ODesc* d) const
+	{
+	if ( d->IsBinary() )
+		d->Add(static_cast<bro_int_t>(Tag()));
+	else
+		d->Add(attr_name(Tag()));
+	}
+
+Attributes::Attributes(attr_list* a, BroType* t)
+	{
+	attrs = new attr_list(a->length());
+	type = t->Ref();
+
+	SetLocationInfo(&start_location, &end_location);
+
+	// We loop through 'a' and add each attribute individually,
+	// rather than just taking over 'a' for ourselves, so that
+	// the necessary checking gets done.
+
+	loop_over_list(*a, i)
+		AddAttr((*a)[i]);
+
+	delete a;
+	}
+
+Attributes::~Attributes()
+	{
+	loop_over_list(*attrs, i)
+		Unref((*attrs)[i]);
+
+	delete attrs;
+
+	Unref(type);
+	}
+
+void Attributes::AddAttr(Attr* attr)
+	{
+	if ( ! attrs )
+		attrs = new attr_list;
+
+	if ( ! attr->RedundantAttrOkay() )
+		// We overwrite old attributes by deleting them first.
+		RemoveAttr(attr->Tag());
+
+	attrs->append(attr);
+	Ref(attr);
+
+	// We only check the attribute after we've added it, to facilitate
+	// generating error messages via Attributes::Describe.
+	CheckAttr(attr);
+
+	// For ADD_FUNC or DEL_FUNC, add in an implicit REDEF, since
+	// those attributes only have meaning for a redefinable value.
+	if ( (attr->Tag() == ATTR_ADD_FUNC || attr->Tag() == ATTR_DEL_FUNC) &&
+	     ! FindAttr(ATTR_REDEF) )
+		attrs->append(new Attr(ATTR_REDEF));
+
+	// For DEFAULT, add an implicit OPTIONAL.
+	if ( attr->Tag() == ATTR_DEFAULT && ! FindAttr(ATTR_OPTIONAL) )
+		attrs->append(new Attr(ATTR_OPTIONAL));
+	}
+
+void Attributes::AddAttrs(Attributes* a)
+	{
+	attr_list* as = a->Attrs();
+	loop_over_list(*as, i)
+		AddAttr((*as)[i]);
+
+	Unref(a);
+	}
+
+Attr* Attributes::FindAttr(attr_tag t) const
+	{
+	if ( ! attrs )
+		return 0;
+
+	loop_over_list(*attrs, i)
+		{
+		Attr* a = (*attrs)[i];
+		if ( a->Tag() == t )
+			return a;
+		}
+
+	return 0;
+	}
+
+void Attributes::RemoveAttr(attr_tag t)
+	{
+	for ( int i = 0; i < attrs->length(); i++ )
+		if ( (*attrs)[i]->Tag() == t )
+			attrs->remove_nth(i--);
+	}
+
+void Attributes::Describe(ODesc* d) const
+	{
+	if ( ! attrs )
+		{
+		d->AddCount(0);
+		return;
+		}
+
+	d->AddCount(attrs->length());
+
+	loop_over_list(*attrs, i)
+		{
+		if ( (d->IsReadable() || d->IsPortable()) && i > 0 )
+			d->Add(", ");
+
+		(*attrs)[i]->Describe(d);
+		}
+	}
+
+void Attributes::CheckAttr(Attr* a)
+	{
+	switch ( a->Tag() ) {
+	case ATTR_OPTIONAL:
+	case ATTR_REDEF:
+		break;
+
+	case ATTR_ADD_FUNC:
+	case ATTR_DEL_FUNC:
+		{
+		int is_add = a->Tag() == ATTR_ADD_FUNC;
+
+		BroType* at = a->AttrExpr()->Type();
+		if ( at->Tag() != TYPE_FUNC )
+			{
+			a->AttrExpr()->Error(
+				is_add ?
+					"&add_func must be a function" :
+					"&delete_func must be a function");
+			break;
+			}
+
+		FuncType* aft = at->AsFuncType();
+		if ( ! same_type(aft->YieldType(), type) )
+			{
+			a->AttrExpr()->Error(
+				is_add ?
+					"&add_func function must yield same type as variable" :
+					"&delete_func function must yield same type as variable");
+			break;
+			}
+		}
+		break;
+
+	case ATTR_DEFAULT:
+		{
+		BroType* atype = a->AttrExpr()->Type();
+
+		if ( type->Tag() != TYPE_TABLE || type->IsSet() )
+			{
+			if ( ! same_type(atype, type) )
+				a->AttrExpr()->Error("&default value has inconsistent type", type);
+			break;
+			}
+
+		TableType* tt = type->AsTableType();
+
+		if ( ! same_type(atype, tt->YieldType()) )
+			{
+			// It can still be a default function.
+			if ( atype->Tag() == TYPE_FUNC )
+				{
+				FuncType* f = atype->AsFuncType();
+				if ( ! f->CheckArgs(tt->IndexTypes()) ||
+				     ! same_type(f->YieldType(), tt->YieldType()) )
+					Error("&default function type clash");
+				}
+			else
+				Error("&default value has inconsistent type");
+			}
+		}
+		break;
+
+	case ATTR_ROTATE_INTERVAL:
+		if ( type->Tag() != TYPE_FILE )
+			Error("&rotate_interval only applicable to files");
+		break;
+
+	case ATTR_ROTATE_SIZE:
+		if ( type->Tag() != TYPE_FILE )
+			Error("&rotate_size only applicable to files");
+		break;
+
+	case ATTR_POSTPROCESSOR:
+		if ( type->Tag() != TYPE_FILE )
+			Error("&postprocessor only applicable to files");
+		break;
+
+	case ATTR_ENCRYPT:
+		if ( type->Tag() != TYPE_FILE )
+			Error("&encrypt only applicable to files");
+		break;
+
+	case ATTR_EXPIRE_READ:
+	case ATTR_EXPIRE_WRITE:
+	case ATTR_EXPIRE_CREATE:
+		if ( type->Tag() != TYPE_TABLE )
+			{
+			Error("expiration only applicable to tables");
+			break;
+			}
+
+#if 0
+		//### not easy to test this w/o knowing the ID.
+		if ( ! IsGlobal() )
+			Error("expiration not supported for local variables");
+#endif
+		break;
+
+	case ATTR_EXPIRE_FUNC:
+		{
+		if ( type->Tag() != TYPE_TABLE )
+			{
+			Error("expiration only applicable to tables");
+			break;
+			}
+
+		const Expr* expire_func = a->AttrExpr();
+		const FuncType* e_ft = expire_func->Type()->AsFuncType();
+
+		if ( ((const BroType*) e_ft)->YieldType()->Tag() != TYPE_INTERVAL )
+			{
+			Error("&expire_func must yield a value of type interval");
+			break;
+			}
+
+		if ( e_ft->Args()->NumFields() != 2 )
+			{
+			Error("&expire_func function must take exactly two arguments");
+			break;
+			}
+
+		// ### Should type-check arguments to make sure first is
+		// table type and second is table index type.
+		}
+		break;
+
+	case ATTR_PERSISTENT:
+	case ATTR_SYNCHRONIZED:
+	case ATTR_TRACKED:
+		// FIXME: Check here for global ID?
+		break;
+
+	case ATTR_DISABLE_PRINT_HOOK:
+		if ( type->Tag() != TYPE_FILE )
+			Error("&disable_print_hook only applicable to files");
+		break;
+
+	case ATTR_RAW_OUTPUT:
+		if ( type->Tag() != TYPE_FILE )
+			Error("&raw_output only applicable to files");
+		break;
+
+	case ATTR_MERGEABLE:
+		if ( type->Tag() != TYPE_TABLE )
+			Error("&mergeable only applicable to tables/sets");
+		break;
+
+	case ATTR_PRIORITY:
+		Error("&priority only applicable to event bodies");
+		break;
+
+	case ATTR_GROUP:
+		if ( type->Tag() != TYPE_FUNC ||
+		     ! type->AsFuncType()->IsEvent() )
+			{
+			Error("&group only applicable to events");
+			break;
+			}
+		break;
+
+	default:
+		BadTag("Attributes::CheckAttr", attr_name(a->Tag()));
+	}
+	}
+
+bool Attributes::Serialize(SerialInfo* info) const
+	{
+	return SerialObj::Serialize(info);
+	}
+
+Attributes* Attributes::Unserialize(UnserialInfo* info)
+	{
+	return (Attributes*) SerialObj::Unserialize(info, SER_ATTRIBUTES);
+	}
+
+IMPLEMENT_SERIAL(Attributes, SER_ATTRIBUTES);
+
+bool Attributes::DoSerialize(SerialInfo* info) const
+	{
+	DO_SERIALIZE(SER_ATTRIBUTES, BroObj);
+
+	info->s->WriteOpenTag("Attributes");
+	assert(type);
+	if ( ! (type->Serialize(info) && SERIALIZE(attrs->length())) )
+		return false;
+
+	loop_over_list((*attrs), i)
+		{
+		Attr* a = (*attrs)[i];
+		SERIALIZE_OPTIONAL(a->AttrExpr())
+		if ( ! SERIALIZE(char(a->Tag())) )
+			return false;
+		}
+
+	info->s->WriteCloseTag("Attributes");
+	return true;
+	}
+
+bool Attributes::DoUnserialize(UnserialInfo* info)
+	{
+	DO_UNSERIALIZE(BroObj);
+
+	type = BroType::Unserialize(info);
+	if ( ! type )
+		return false;
+
+	int len;
+	if ( ! UNSERIALIZE(&len) )
+		return false;
+
+	attrs = new attr_list(len);
+	while ( len-- )
+		{
+		Expr* e;
+		UNSERIALIZE_OPTIONAL(e, Expr::Unserialize(info))
+
+		char tag;
+		if ( ! UNSERIALIZE(&tag) )
+			{
+			delete e;
+			return false;
+			}
+
+		attrs->append(new Attr((attr_tag)tag, e));
+		}
+
+	return true;
+	}
+
diff --git a/src/Attr.h b/src/Attr.h
new file mode 100644
index 0000000000..73fb101841
--- /dev/null
+++ b/src/Attr.h
@@ -0,0 +1,92 @@
+// $Id: Attr.h 6219 2008-10-01 05:39:07Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#ifndef attr_h
+#define attr_h
+
+#include "Obj.h"
+
+class Expr;
+
+// Note that there are two kinds of attributes: the kind (here) which
+// modify expressions or supply metadata on types, and the kind that
+// are extra metadata on every variable instance.
+
+typedef enum {
+	ATTR_OPTIONAL,
+	ATTR_DEFAULT,
+	ATTR_REDEF,
+	ATTR_ROTATE_INTERVAL,
+	ATTR_ROTATE_SIZE,
+	ATTR_ADD_FUNC,
+	ATTR_DEL_FUNC,
+	ATTR_EXPIRE_FUNC,
+	ATTR_EXPIRE_READ,
+	ATTR_EXPIRE_WRITE,
+	ATTR_EXPIRE_CREATE,
+	ATTR_PERSISTENT,
+	ATTR_SYNCHRONIZED,
+	ATTR_POSTPROCESSOR,
+	ATTR_ENCRYPT,
+	ATTR_MATCH,
+	ATTR_DISABLE_PRINT_HOOK,
+	ATTR_RAW_OUTPUT,
+	ATTR_MERGEABLE,
+	ATTR_PRIORITY,
+	ATTR_GROUP,
+	ATTR_TRACKED,	// hidden attribute, tracked by NotifierRegistry
+#define NUM_ATTRS (int(ATTR_TRACKED) + 1)
+} attr_tag;
+
+class Attr : public BroObj {
+public:
+	Attr(attr_tag t, Expr* e = 0);
+	~Attr();
+
+	attr_tag Tag() const	{ return tag; }
+	Expr* AttrExpr() const	{ return expr; }
+
+	int RedundantAttrOkay() const
+		{ return tag == ATTR_REDEF || tag == ATTR_OPTIONAL; }
+
+	void Describe(ODesc* d) const;
+
+protected:
+	void AddTag(ODesc* d) const;
+
+	attr_tag tag;
+	Expr* expr;
+};
+
+// Manages a collection of attributes.
+class Attributes : public BroObj {
+public:
+	Attributes(attr_list* a, BroType* t);
+	~Attributes();
+
+	void AddAttr(Attr* a);
+	void AddAttrs(Attributes* a);	// Unref's 'a' when done
+
+	Attr* FindAttr(attr_tag t) const;
+
+	void RemoveAttr(attr_tag t);
+
+	void Describe(ODesc* d) const;
+
+	attr_list* Attrs()	{ return attrs; }
+
+	bool Serialize(SerialInfo* info) const;
+	static Attributes* Unserialize(UnserialInfo* info);
+
+protected:
+	Attributes()	{ type = 0; attrs = 0; }
+	void CheckAttr(Attr* attr);
+
+	DECLARE_SERIAL(Attributes);
+
+	BroType* type;
+	attr_list* attrs;
+};
+
+#endif
diff --git a/src/BPF_Program.cc b/src/BPF_Program.cc
new file mode 100644
index 0000000000..7796ccce81
--- /dev/null
+++ b/src/BPF_Program.cc
@@ -0,0 +1,134 @@
+// $Id: BPF_Program.cc 6219 2008-10-01 05:39:07Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "config.h"
+
+#include "util.h"
+#include "BPF_Program.h"
+
+#ifdef DONT_HAVE_LIBPCAP_PCAP_FREECODE
+extern "C" {
+#include "pcap-int.h"
+
+int pcap_freecode(pcap_t* unused, struct bpf_program* program)
+	{
+	program->bf_len = 0;
+
+	if ( program->bf_insns )
+		{
+		free((char*) program->bf_insns);	// copied from libpcap
+		program->bf_insns = 0;
+		}
+
+	return 0;
+	}
+
+pcap_t* pcap_open_dead(int linktype, int snaplen)
+	{
+	pcap_t* p;
+
+	p = (pcap_t*) malloc(sizeof(*p));
+	if ( ! p )
+		return 0;
+
+	memset(p, 0, sizeof(*p));
+
+	p->fd = -1;
+	p->snapshot = snaplen;
+	p->linktype = linktype;
+
+	return p;
+	}
+
+int pcap_compile_nopcap(int snaplen_arg, int linktype_arg,
+			struct bpf_program* program, char* buf,
+			int optimize, bpf_u_int32 mask)
+	{
+	pcap_t* p;
+	int ret;
+
+	p = pcap_open_dead(linktype_arg, snaplen_arg);
+	if ( ! p )
+		return -1;
+
+	ret = pcap_compile(p, program, buf, optimize, mask);
+	pcap_close(p);
+
+	return ret;
+	}
+}
+#endif
+
+BPF_Program::BPF_Program()
+	{
+	m_compiled = false;
+	}
+
+BPF_Program::~BPF_Program()
+	{
+	FreeCode();
+	}
+
+bool BPF_Program::Compile(pcap_t* pcap, const char* filter, uint32 netmask,
+			  char* errbuf, unsigned int errbuf_len, bool optimize)
+	{
+	if ( ! pcap )
+		return false;
+
+	FreeCode();
+
+	if ( pcap_compile(pcap, &m_program, (char *) filter, optimize, netmask) < 0 )
+		{
+		if ( errbuf )
+			safe_snprintf(errbuf, errbuf_len,
+				      "pcap_compile(%s): %s", filter,
+				      pcap_geterr(pcap));
+
+		return false;
+		}
+
+	m_compiled = true;
+
+	return true;
+	}
+
+bool BPF_Program::Compile(int snaplen, int linktype, const char* filter,
+				uint32 netmask, char* errbuf, bool optimize)
+	{
+	FreeCode();
+
+#ifdef LIBPCAP_PCAP_COMPILE_NOPCAP_HAS_ERROR_PARAMETER
+	char my_error[PCAP_ERRBUF_SIZE];
+
+	int err = pcap_compile_nopcap(snaplen, linktype, &m_program,
+				     (char *) filter, optimize, netmask, error);
+	if ( err < 0 && errbuf )
+		safe_strncpy(errbuf, my_errbuf, PCAP_ERRBUF_SIZE);
+#else
+	int err = pcap_compile_nopcap(snaplen, linktype, &m_program,
+				     (char*) filter, optimize, netmask);
+#endif
+	if ( err == 0 )
+		m_compiled = true;
+
+	return err == 0;
+	}
+
+bpf_program* BPF_Program::GetProgram()
+	{
+	return m_compiled ? &m_program : 0;
+	}
+
+void BPF_Program::FreeCode()
+	{
+	if ( m_compiled )
+		{
+#ifdef DONT_HAVE_LIBPCAP_PCAP_FREECODE
+		pcap_freecode(NULL, &m_program);
+#else
+		pcap_freecode(&m_program);
+#endif
+		m_compiled = false;
+		}
+	}
diff --git a/src/BPF_Program.h b/src/BPF_Program.h
new file mode 100644
index 0000000000..4c6e090cda
--- /dev/null
+++ b/src/BPF_Program.h
@@ -0,0 +1,54 @@
+// $Id: BPF_Program.h 6219 2008-10-01 05:39:07Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#ifndef bpf_program_h
+#define bpf_program_h
+
+extern "C" {
+#include <pcap.h>
+}
+
+#include "util.h"
+
+// BPF_Programs are an abstraction around struct bpf_program,
+// to create a clean facility for creating, compiling, and
+// freeing such programs.
+
+class BPF_Program {
+public:
+	// Creates an empty, uncompiled BPF program.
+	BPF_Program();
+	~BPF_Program();
+
+	// Creates a BPF program for the given pcap handle.
+	// Parameters are like in pcap_compile(). Returns true
+	// for successful compilation, false otherwise.
+	bool Compile(pcap_t* pcap, const char* filter, uint32 netmask,
+		 char* errbuf = 0, unsigned int errbuf_len = 0,
+		 bool optimize = true);
+
+	// Creates a BPF program when no pcap handle is around,
+	// similarly to pcap_compile_nopcap(). Parameters are
+	// similar. Returns true on success.
+	bool Compile(int snaplen, int linktype, const char* filter,
+		uint32 netmask, char* errbuf = 0, bool optimize = true);
+
+	// Returns true if this program currently contains compiled
+	// code, false otherwise.
+	bool IsCompiled()	{ return m_compiled; }
+
+	// Accessor to the compiled program. Returns nil when
+	// no program is currently compiled.
+	bpf_program* GetProgram();
+
+protected:
+	void FreeCode();
+
+	// (I like to prefix member variables with m_, makes it clear
+	// in the implementation whether it's a global or not. --ck)
+	bool m_compiled;
+	struct bpf_program m_program;
+};
+
+#endif
diff --git a/src/BackDoor.cc b/src/BackDoor.cc
new file mode 100644
index 0000000000..493fd9ae00
--- /dev/null
+++ b/src/BackDoor.cc
@@ -0,0 +1,808 @@
+// $Id: BackDoor.cc 6219 2008-10-01 05:39:07Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "config.h"
+
+#include "BackDoor.h"
+#include "Event.h"
+#include "Net.h"
+#include "TCP.h"
+
+BackDoorEndpoint::BackDoorEndpoint(TCP_Endpoint* e)
+	{
+	endp = e;
+	is_partial = 0;
+	max_top_seq = 0;
+
+	rlogin_checking_done = 0;
+	rlogin_string_separator_pos = 0;
+	rlogin_num_null = 0;
+	rlogin_slash_seen = 0;
+
+	num_pkts = num_8k0_pkts = num_8k4_pkts =
+		num_lines = num_normal_lines = num_bytes = num_7bit_ascii = 0;
+	}
+
+#define NORMAL_LINE_LENGTH 80
+
+#define TELNET_IAC 255
+#define IS_TELNET_NEGOTIATION_CMD(c) ((c) >= 251 && (c) <= 254)
+
+#define DEFAULT_MTU 512
+
+#define RLOGIN_MAX_SIGNATURE_LENGTH 256
+
+void BackDoorEndpoint::FinalCheckForRlogin()
+	{
+	if ( ! rlogin_checking_done )
+		{
+		rlogin_checking_done = 1;
+
+		if ( rlogin_num_null > 0 )
+			RloginSignatureFound(0);
+		}
+	}
+
+int BackDoorEndpoint::DataSent(double /* t */, int seq,
+				int len, int caplen, const u_char* data,
+				const IP_Hdr* /* ip */,
+				const struct tcphdr* /* tp */)
+	{
+	if ( caplen < len )
+		len = caplen;
+
+	if ( len <= 0 )
+		return 0;
+
+	if ( endp->state == TCP_ENDPOINT_PARTIAL )
+		is_partial = 1;
+
+	int ack = endp->AckSeq() - endp->StartSeq();
+	int top_seq = seq + len;
+
+	if ( top_seq <= ack || top_seq <= max_top_seq )
+		// There is no new data in this packet.
+		return 0;
+
+	if ( rlogin_signature_found )
+		CheckForRlogin(seq, len, data);
+
+	if ( telnet_signature_found )
+		CheckForTelnet(seq, len, data);
+
+	if ( ssh_signature_found )
+		CheckForSSH(seq, len, data);
+
+	if ( ftp_signature_found )
+		CheckForFTP(seq, len, data);
+
+	if ( root_backdoor_signature_found )
+		CheckForRootBackdoor(seq, len, data);
+
+	if ( napster_signature_found )
+		CheckForNapster(seq, len, data);
+
+	if ( gnutella_signature_found )
+		CheckForGnutella(seq, len, data);
+
+	if ( kazaa_signature_found )
+		CheckForKazaa(seq, len, data);
+
+	if ( http_signature_found || http_proxy_signature_found )
+		CheckForHTTP(seq, len, data);
+
+	if ( smtp_signature_found )
+		CheckForSMTP(seq, len, data);
+
+	if ( irc_signature_found )
+		CheckForIRC(seq, len, data);
+
+	if ( gaobot_signature_found )
+		CheckForGaoBot(seq, len, data);
+
+	max_top_seq = top_seq;
+
+	return 1;
+	}
+
+RecordVal* BackDoorEndpoint::BuildStats()
+	{
+	RecordVal* stats = new RecordVal(backdoor_endp_stats);
+
+	stats->Assign(0, new Val(is_partial, TYPE_BOOL));
+	stats->Assign(1, new Val(num_pkts, TYPE_COUNT));
+	stats->Assign(2, new Val(num_8k0_pkts, TYPE_COUNT));
+	stats->Assign(3, new Val(num_8k4_pkts, TYPE_COUNT));
+	stats->Assign(4, new Val(num_lines, TYPE_COUNT));
+	stats->Assign(5, new Val(num_normal_lines, TYPE_COUNT));
+	stats->Assign(6, new Val(num_bytes, TYPE_COUNT));
+	stats->Assign(7, new Val(num_7bit_ascii, TYPE_COUNT));
+
+	return stats;
+	}
+
+void BackDoorEndpoint::CheckForRlogin(int seq, int len, const u_char* data)
+	{
+	if ( rlogin_checking_done )
+		return;
+
+	// Looking for pattern:
+	//	<null>string<null>string<null>string/string<null>
+	// where all string's are non-empty 7-bit-ascii string
+	//
+	// To avoid having to reassemble, we keep testing each byte until
+	// one of the following happens:
+	//
+	//	- A gap in sequence number occurs
+	//	- Four null's have been found
+	//	- The number of bytes we examined reaches RLOGIN_MAX_SIGNATURE_LENGTH
+	//	- An empty or non-7-bit-ascii string is found
+	//
+	if ( seq == 1 )
+		{ // Check if first byte is a NUL.
+		if ( data[0] == 0 )
+			{
+			rlogin_num_null = 1;
+
+			if ( ! endp->IsOrig() )
+				{
+				RloginSignatureFound(len);
+				return;
+				}
+
+			rlogin_string_separator_pos = 1;
+
+			++seq;	// move past the byte
+			++data;
+			--len;
+			}
+		else
+			{
+			rlogin_checking_done = 1;
+			return;
+			}
+		}
+
+	if ( seq > max_top_seq && max_top_seq != 0 )
+		{ // A gap! Since we don't reassemble things, stop now.
+		RloginSignatureFound(0);
+		return;
+		}
+
+	if ( seq + len <= max_top_seq )
+		return;	// nothing new
+
+	if ( seq < max_top_seq )
+		{ // trim to just the new data
+		int delta = max_top_seq - seq;
+		seq += delta;
+		data += delta;
+		len -= delta;
+		}
+
+	// Search for rlogin signature.
+	for ( int i = 0; i < len && rlogin_num_null < 4; ++i )
+		{
+		if ( data[i] == 0 )
+			{
+			if ( i + seq == rlogin_string_separator_pos + 1 )
+				{ // Empty string found.
+				rlogin_checking_done = 1;
+				return;
+				}
+			else
+				{
+				rlogin_string_separator_pos = i + seq;
+				++rlogin_num_null;
+				}
+			}
+
+		else if ( data[i] == '/' )
+			{
+			if ( rlogin_num_null == 3 )
+				{
+				if ( i + seq == rlogin_string_separator_pos + 1 )
+					{ // Empty terminal type.
+					rlogin_checking_done = 1;
+					return;
+					}
+
+				rlogin_string_separator_pos = i + seq;
+				rlogin_slash_seen = 1;
+				}
+			}
+
+		else if ( data[i] >= 128 )
+			{ // Non-7-bit-ascii
+			rlogin_checking_done = 1;
+			return;
+			}
+		}
+
+	if ( rlogin_num_null == 4 )
+		{
+		if ( rlogin_slash_seen )
+			RloginSignatureFound(0);
+		else
+			rlogin_checking_done = 1;
+
+		return;
+		}
+
+	if ( seq + len > RLOGIN_MAX_SIGNATURE_LENGTH )
+		{ // We've waited for too long
+		RloginSignatureFound(0);
+		return;
+		}
+	}
+
+void BackDoorEndpoint::RloginSignatureFound(int len)
+	{
+	if ( rlogin_checking_done )
+		return;
+
+	rlogin_checking_done = 1;
+
+	val_list* vl = new val_list;
+	vl->append(endp->TCP()->BuildConnVal());
+	vl->append(new Val(endp->IsOrig(), TYPE_BOOL));
+	vl->append(new Val(rlogin_num_null, TYPE_COUNT));
+	vl->append(new Val(len, TYPE_COUNT));
+
+	endp->TCP()->ConnectionEvent(rlogin_signature_found, vl);
+	}
+
+void BackDoorEndpoint::CheckForTelnet(int /* seq */, int len, const u_char* data)
+	{
+	if ( len >= 3 &&
+	     data[0] == TELNET_IAC && IS_TELNET_NEGOTIATION_CMD(data[1]) )
+		{
+		TelnetSignatureFound(len);
+		return;
+		}
+
+	// Note, we do the analysis per-packet rather than on the reassembled
+	// stream.  This is a lot more efficient as then we don't need to
+	// do stream reassembly; but it's potentially less accurate, and
+	// subject to evasion.  *But*: backdoor detection is inherently
+	// subject to a wide variety of evasion, so allowing this form
+	// (which is a pain to exploit) costs little.
+
+	num_bytes += len;
+
+	int last_char = 0;
+	int offset = 0;	// where we consider the latest line to have begun
+	int option_length = 0; // length of options in a line
+
+	for ( int i = 0; i < len; ++i )
+		{
+		unsigned int c = data[i];
+
+		if ( c == '\n' && last_char == '\r' )
+			{
+			// Compress CRLF to just one line termination.
+			last_char = c;
+			continue;
+			}
+
+		if ( c == '\n' || c == '\r' )
+			{
+			++num_lines;
+
+			if ( i - offset - option_length <= NORMAL_LINE_LENGTH )
+				++num_normal_lines;
+
+			option_length = 0;
+			offset = i;
+			}
+
+		else if ( c == TELNET_IAC )
+			{
+			++option_length;
+			--num_bytes;
+
+			if ( ++i < len )
+				{
+				unsigned int code = data[i];
+				if ( code == TELNET_IAC )
+					// Escaped IAC.
+					last_char = code;
+
+				else if ( code >= 251 && code <= 254 )
+					{ // 3-byte option: ignore next byte
+					++i;
+					option_length += 2;
+					num_bytes -= 2;
+					}
+
+				else
+					// XXX: We don't deal with sub option for simplicity
+					// although we SHOULD!
+					{
+					++option_length;
+					--num_bytes;
+					}
+				}
+			continue;
+			}
+
+		else if ( c != 0 && c < 128 )
+			++num_7bit_ascii;
+
+		last_char = c;
+		}
+	}
+
+void BackDoorEndpoint::TelnetSignatureFound(int len)
+	{
+	val_list* vl = new val_list;
+	vl->append(endp->TCP()->BuildConnVal());
+	vl->append(new Val(endp->IsOrig(), TYPE_BOOL));
+	vl->append(new Val(len, TYPE_COUNT));
+
+	endp->TCP()->ConnectionEvent(telnet_signature_found, vl);
+	}
+
+void BackDoorEndpoint::CheckForSSH(int seq, int len, const u_char* data)
+	{
+	if ( seq == 1 && CheckForString("SSH-", data, len) && len > 4 &&
+	     (data[4] == '1' || data[4] == '2') )
+		{
+		SignatureFound(ssh_signature_found, 1);
+		return;
+		}
+
+	// Check for length pattern.
+
+	if ( seq < max_top_seq || max_top_seq == 0 )
+		// Retransmission involved, or first pkt => size info useless.
+		return;
+
+	if ( seq > max_top_seq )
+		{ // Estimate number of packets in the sequence gap
+		int gap = seq - max_top_seq;
+		num_pkts += int((gap + DEFAULT_MTU - 1) / DEFAULT_MTU);
+		}
+
+	++num_pkts;
+
+	// According to the spec:
+	//	SSH 1.x pkts have size 8k+4
+	//	SSH 2.x pkts have size 8k >= 16 (most cipher blocks are 8n)
+	if ( len <= 127 )
+		switch ( len & 7 ) {
+		case 0:
+			if ( len >= 16 )
+				++num_8k0_pkts;
+			break;
+
+		case 4:
+			++num_8k4_pkts;
+			break;
+		}
+	else
+		{ // len is likely to be some MTU.
+		}
+	}
+
+void BackDoorEndpoint::CheckForRootBackdoor(int seq, int len, const u_char* data)
+	{
+	// Check for root backdoor signature: an initial payload of
+	// exactly "# ".
+	if ( seq == 1 && len == 2 && ! endp->IsOrig() &&
+	     data[0] == '#' && data[1] == ' ' )
+		SignatureFound(root_backdoor_signature_found);
+	}
+
+void BackDoorEndpoint::CheckForFTP(int seq, int len, const u_char* data)
+	{
+	// Check for FTP signature
+	//
+	// Currently, the signatures include: "220 ", "220-"
+	//
+	// For a day's worth of LBNL FTP activity (7,229 connections),
+	// the distribution of the code in the first line returned by
+	// the server (the lines always began with a code) is:
+	//
+	//	220: 6685
+	//	421: 535
+	//	226: 7
+	//	426: 1
+	//	200: 1
+	//
+	// The 421's are all "host does not have access" or "timeout" of
+	// some form, so it's not big deal with we miss them (if that helps
+	// keep down the false positives).
+
+	if ( seq != 1 || endp->IsOrig() || len < 4 )
+		return;
+
+	if ( CheckForString("220", data, len) &&
+	     (data[3] == ' ' || data[3] == '-') )
+		SignatureFound(ftp_signature_found);
+
+	else if ( CheckForString("421", data, len) &&
+		  (data[3] == '-' || data[3] == ' ') )
+		SignatureFound(ftp_signature_found);
+	}
+
+void BackDoorEndpoint::CheckForNapster(int seq, int len, const u_char* data)
+	{
+	// Check for Napster signature "GETfoobar" or "SENDfoobar" where
+	// "foobar" is the Napster handle associated with the request
+	// (so pretty much any arbitrary identifier, but sent adjacent
+	// to the GET or SEND with no intervening whitespace; but also
+	// sent in a separate packet.
+
+	if ( seq != 1 || ! endp->IsOrig() )
+		return;
+
+	if ( len == 3 && CheckForString("GET", data, len) )
+		// GETfoobar.
+		SignatureFound(napster_signature_found);
+
+	else if ( len == 4 && CheckForString("SEND", data, len) )
+		// SENDfoobar.
+		SignatureFound(napster_signature_found);
+	}
+
+void BackDoorEndpoint::CheckForSMTP(int seq, int len, const u_char* data)
+	{
+	const char* smtp_handshake[] = { "HELO", "EHLO", 0 };
+
+	if ( seq != 1 )
+		return;
+
+	if ( CheckForStrings(smtp_handshake, data, len) )
+		SignatureFound(smtp_signature_found);
+	}
+
+void BackDoorEndpoint::CheckForIRC(int seq, int len, const u_char* data)
+	{
+	if ( seq != 1 || is_partial )
+		return;
+
+	const char* irc_indicator[] = {
+		"ERROR", "INVITE", "ISON", "JOIN", "KICK", "NICK",
+		"NJOIN", "NOTICE AUTH", "OPER", "PART", "PING", "PONG",
+		"PRIVMSG", "SQUERY", "SQUIT", "WHO", 0,
+	};
+
+	if ( CheckForStrings(irc_indicator, data, len) )
+		SignatureFound(irc_signature_found);
+	}
+
+void BackDoorEndpoint::CheckForGnutella(int seq, int len, const u_char* data)
+	{
+	// After connecting to the server, the connecting client says:
+	//
+	//		GNUTELLA CONNECT/<version>\n\n
+	//
+	// The accepting server responds:
+	//
+	//		GNUTELLA OK\n\n
+	//
+	// We find checking the first 8 bytes suffices, and that will
+	// also catch variants that use something other than "CONNECT".
+
+	if ( seq == 1 && CheckForString("GNUTELLA ", data, len) )
+		SignatureFound(gnutella_signature_found);
+	}
+
+void BackDoorEndpoint::CheckForGaoBot(int seq, int len, const u_char* data)
+	{
+	if ( seq == 1 && CheckForString("220 Bot Server (Win32)", data, len) )
+		SignatureFound(gaobot_signature_found);
+	}
+
+void BackDoorEndpoint::CheckForKazaa(int seq, int len, const u_char* data)
+	{
+	// *Some*, though not all, KaZaa connections begin with:
+	//
+	//		GIVE<space>
+
+	if ( seq == 1 && CheckForString("GIVE ", data, len) )
+		SignatureFound(kazaa_signature_found);
+	}
+
+
+int is_http_whitespace(const u_char ch)
+	{
+	return ! isprint(ch) || isspace(ch);
+	}
+
+int skip_http_whitespace(const u_char* data, int len, int max)
+	{
+	int k;
+	for ( k = 0; k < len; ++k )
+		{
+		if ( ! is_http_whitespace(data[k]) )
+			break;
+
+		// Here we do not go beyond CR -- this is OK for
+		// processing first line of HTTP requests. However, it
+		// cannot be used to process multiple-line headers.
+
+		if ( data[k] == '\015' || k == max )
+			return -1;
+		}
+
+	return k < len ? k : -1;
+	}
+
+int is_absolute_url(const u_char* data, int len)
+	{
+	// Look for '://' in the URL.
+	const char* abs_url_sig = "://";
+	const char* abs_url_sig_pos = abs_url_sig;
+
+	// Warning: the following code is NOT general for any signature string,
+	// but only works for specific strings like "://".
+
+	for ( int pos = 0; pos < len; ++pos )
+		{
+		if ( *abs_url_sig_pos == '\0' )
+			return 1;
+
+		if ( data[pos] == *abs_url_sig_pos )
+			++abs_url_sig_pos;
+
+		else
+			{
+			if ( is_http_whitespace(data[pos]) )
+				return 0;
+
+			abs_url_sig_pos = abs_url_sig;
+			if ( *abs_url_sig != '\0' &&
+			     *abs_url_sig_pos == data[pos] )
+				++abs_url_sig_pos;
+			}
+		}
+
+	return *abs_url_sig_pos == '\0';
+	}
+
+void BackDoorEndpoint::CheckForHTTP(int seq, int len, const u_char* data)
+	{
+	// According to the RFC, we should look for
+	// '<method> SP <url> SP HTTP/<version> CR LF'
+	// where:
+	//
+	//	<method> = GET | HEAD | POST
+	//
+	// (i.e., HTTP 1.1 methods are ignored for now)
+	// <version> = 1.0 | 1.1.
+	//
+	// However, this is probably too restrictive to catch 'non-standard'
+	// requests. Instead, we look for certain methods only in the first
+	// line of the first packet only.
+	//
+	// "The method is case-sensitive." -- RFC 2616
+
+	const char* http_method[] = { "GET", "HEAD", "POST", 0 };
+
+	if ( seq != 1 )
+		return; // first packet only
+
+	// Pick up the method.
+	int pos = skip_http_whitespace (data, len, 0);
+	if ( pos < 0 )
+		return;
+
+	int method;
+	for ( method = 0; http_method[method]; ++method )
+		{
+		const char* s = http_method[method];
+		int i;
+		for ( i = pos; i < len; ++i, ++s )
+			if ( data[i] != *s )
+				break;
+
+		if ( *s == '\0' )
+			{
+			pos = i;
+			break;
+			}
+		}
+
+	if ( ! http_method[method] )
+		return;
+
+	if ( pos >= len || ! is_http_whitespace(data[pos]) )
+		return;
+
+	if ( http_signature_found )
+		SignatureFound(http_signature_found);
+
+	if ( http_proxy_signature_found )
+		{
+		const u_char* rest = data + pos;
+		int rest_len = len - pos;
+
+		pos = skip_http_whitespace(rest, rest_len, rest_len);
+
+		if ( pos >= 0 )
+			CheckForHTTPProxy(seq, rest_len - pos, rest + pos);
+		}
+	}
+
+void BackDoorEndpoint::CheckForHTTPProxy(int /* seq */, int len,
+					const u_char* data)
+	{
+	// Proxy ONLY accepts absolute URI's: "The absoluteURI form is
+	// REQUIRED when the request is being made to a proxy." -- RFC 2616
+
+	if ( is_absolute_url(data, len) )
+		SignatureFound(http_proxy_signature_found);
+	}
+
+
+void BackDoorEndpoint::SignatureFound(EventHandlerPtr e, int do_orig)
+	{
+	val_list* vl = new val_list;
+	vl->append(endp->TCP()->BuildConnVal());
+
+	if ( do_orig )
+		vl->append(new Val(endp->IsOrig(), TYPE_BOOL));
+
+	endp->TCP()->ConnectionEvent(e, vl);
+	}
+
+
+int BackDoorEndpoint::CheckForStrings(const char** strs,
+					const u_char* data, int len)
+	{
+	for ( ; *strs; ++strs )
+		if ( CheckForFullString(*strs, data, len) )
+			return 1;
+
+	return 0;
+	}
+
+int BackDoorEndpoint::CheckForFullString(const char* str,
+					const u_char* data, int len)
+	{
+	for ( ; len > 0 && *str; --len, ++data, ++str )
+		if ( *str != *data )
+			return 0;
+
+	// A "full" string means a non-prefix match.
+	return *str == 0 && (len == 0 || *data == ' ' || *data == '\t');
+	}
+
+int BackDoorEndpoint::CheckForString(const char* str,
+					const u_char* data, int len)
+	{
+	for ( ; len > 0 && *str; --len, ++data, ++str )
+		if ( *str != *data )
+			return 0;
+
+	return *str == 0;
+	}
+
+
+BackDoor_Analyzer::BackDoor_Analyzer(Connection* c)
+: TCP_ApplicationAnalyzer(AnalyzerTag::Backdoor, c)
+	{
+	orig_endp = resp_endp = 0;
+
+	orig_stream_pos = resp_stream_pos = 1;
+
+	timeout = backdoor_stat_period;
+	backoff = backdoor_stat_backoff;
+
+	c->GetTimerMgr()->Add(new BackDoorTimer(network_time + timeout, this));
+	}
+
+BackDoor_Analyzer::~BackDoor_Analyzer()
+	{
+	delete orig_endp;
+	delete resp_endp;
+	}
+
+void BackDoor_Analyzer::Init()
+	{
+	TCP_ApplicationAnalyzer::Init();
+
+	assert(TCP());
+	orig_endp = new BackDoorEndpoint(TCP()->Orig());
+	resp_endp = new BackDoorEndpoint(TCP()->Resp());
+	}
+
+void BackDoor_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig,
+					int seq, const IP_Hdr* ip, int caplen)
+	{
+	Analyzer::DeliverPacket(len, data, is_orig, seq, ip, caplen);
+
+	if ( is_orig )
+		orig_endp->DataSent(network_time, seq, len, caplen, data, 0, 0);
+	else
+		resp_endp->DataSent(network_time, seq, len, caplen, data, 0, 0);
+	}
+
+void BackDoor_Analyzer::DeliverStream(int len, const u_char* data, bool is_orig)
+	{
+	Analyzer::DeliverStream(len, data, is_orig);
+
+	if ( is_orig )
+		{
+		orig_endp->DataSent(network_time, orig_stream_pos,
+					len, len, data, 0, 0);
+		orig_stream_pos += len;
+		}
+
+	else
+		{
+		resp_endp->DataSent(network_time, resp_stream_pos,
+					len, len, data, 0, 0);
+		resp_stream_pos += len;
+		}
+	}
+
+void BackDoor_Analyzer::Done()
+	{
+	TCP_ApplicationAnalyzer::Done();
+
+	if ( ! IsFinished() )
+		{
+		orig_endp->FinalCheckForRlogin();
+		resp_endp->FinalCheckForRlogin();
+
+		if ( ! TCP()->Skipping() )
+			StatEvent();
+
+		RemoveEvent();
+		}
+
+	}
+
+void BackDoor_Analyzer::StatTimer(double t, int is_expire)
+	{
+	if ( IsFinished() || TCP()->Skipping() )
+		return;
+
+	StatEvent();
+
+	if ( ! is_expire )
+		{
+		timeout *= backoff;
+		timer_mgr->Add(new BackDoorTimer(t + timeout, this));
+		}
+	}
+
+void BackDoor_Analyzer::StatEvent()
+	{
+	val_list* vl = new val_list;
+	vl->append(TCP()->BuildConnVal());
+	vl->append(orig_endp->BuildStats());
+	vl->append(resp_endp->BuildStats());
+
+	TCP()->ConnectionEvent(backdoor_stats, vl);
+	}
+
+void BackDoor_Analyzer::RemoveEvent()
+	{
+	val_list* vl = new val_list;
+	vl->append(TCP()->BuildConnVal());
+
+	TCP()->ConnectionEvent(backdoor_remove_conn, vl);
+	}
+
+BackDoorTimer::BackDoorTimer(double t, BackDoor_Analyzer* a)
+: Timer(t, TIMER_BACKDOOR)
+	{
+	analyzer = a;
+	// Make sure connection does not expire.
+	Ref(a->Conn());
+	}
+
+BackDoorTimer::~BackDoorTimer()
+	{
+	Unref(analyzer->Conn());
+	}
+
+void BackDoorTimer::Dispatch(double t, int is_expire)
+	{
+	analyzer->StatTimer(t, is_expire);
+	}
diff --git a/src/BackDoor.h b/src/BackDoor.h
new file mode 100644
index 0000000000..50d97514ef
--- /dev/null
+++ b/src/BackDoor.h
@@ -0,0 +1,119 @@
+// $Id: BackDoor.h 6219 2008-10-01 05:39:07Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#ifndef backdoor_h
+#define backdoor_h
+
+#include "TCP.h"
+#include "Timer.h"
+#include "NetVar.h"
+#include "Login.h"
+
+class BackDoorEndpoint {
+public:
+	BackDoorEndpoint(TCP_Endpoint* e);
+
+	int DataSent(double t, int seq, int len, int caplen, const u_char* data,
+		     const IP_Hdr* ip, const struct tcphdr* tp);
+
+	RecordVal* BuildStats();
+
+	void FinalCheckForRlogin();
+
+protected:
+	void CheckForRlogin(int seq, int len, const u_char* data);
+	void RloginSignatureFound(int len);
+
+	void CheckForTelnet(int seq, int len, const u_char* data);
+	void TelnetSignatureFound(int len);
+
+	void CheckForSSH(int seq, int len, const u_char* data);
+	void CheckForFTP(int seq, int len, const u_char* data);
+	void CheckForRootBackdoor(int seq, int len, const u_char* data);
+	void CheckForNapster(int seq, int len, const u_char* data);
+	void CheckForGnutella(int seq, int len, const u_char* data);
+	void CheckForKazaa(int seq, int len, const u_char* data);
+	void CheckForHTTP(int seq, int len, const u_char* data);
+	void CheckForHTTPProxy(int seq, int len, const u_char* data);
+	void CheckForSMTP(int seq, int len, const u_char* data);
+	void CheckForIRC(int seq, int len, const u_char* data);
+	void CheckForGaoBot(int seq, int len, const u_char* data);
+
+	void SignatureFound(EventHandlerPtr e, int do_orig = 0);
+
+	int CheckForStrings(const char** strs, const u_char* data, int len);
+	int CheckForFullString(const char* str, const u_char* data, int len);
+	int CheckForString(const char* str, const u_char* data, int len);
+
+	TCP_Endpoint* endp;
+	int is_partial;
+	int max_top_seq;
+
+	int rlogin_checking_done;
+	int rlogin_num_null;
+	int rlogin_string_separator_pos;
+	int rlogin_slash_seen;
+
+	uint32 num_pkts;
+	uint32 num_8k4_pkts;
+	uint32 num_8k0_pkts;
+	uint32 num_lines;
+	uint32 num_normal_lines;
+	uint32 num_bytes;
+	uint32 num_7bit_ascii;
+};
+
+class BackDoor_Analyzer : public TCP_ApplicationAnalyzer {
+public:
+	BackDoor_Analyzer(Connection* c);
+	~BackDoor_Analyzer();
+
+	virtual void Init();
+	virtual void Done();
+	void StatTimer(double t, int is_expire);
+
+	static Analyzer* InstantiateAnalyzer(Connection* conn)
+		{ return new BackDoor_Analyzer(conn); }
+
+	static bool Available()
+		{
+		return backdoor_stats || rlogin_signature_found ||
+			telnet_signature_found || ssh_signature_found ||
+			root_backdoor_signature_found || ftp_signature_found ||
+			napster_signature_found || kazaa_signature_found ||
+			http_signature_found || http_proxy_signature_found;
+		}
+
+protected:
+	// We support both packet and stream input, and can be instantiated
+	// even if the TCP analyzer is not yet reassembling.
+	virtual void DeliverPacket(int len, const u_char* data, bool is_orig,
+					int seq, const IP_Hdr* ip, int caplen);
+	virtual void DeliverStream(int len, const u_char* data, bool is_orig);
+
+	void StatEvent();
+	void RemoveEvent();
+
+	BackDoorEndpoint* orig_endp;
+	BackDoorEndpoint* resp_endp;
+
+	int orig_stream_pos;
+	int resp_stream_pos;
+
+	double timeout;
+	double backoff;
+};
+
+class BackDoorTimer : public Timer {
+public:
+	BackDoorTimer(double t, BackDoor_Analyzer* a);
+	~BackDoorTimer();
+
+	void Dispatch(double t, int is_expire);
+
+protected:
+	BackDoor_Analyzer* analyzer;
+};
+
+#endif
diff --git a/src/Base64.cc b/src/Base64.cc
new file mode 100644
index 0000000000..a82b2ee24a
--- /dev/null
+++ b/src/Base64.cc
@@ -0,0 +1,170 @@
+// $Id: Base64.cc 6024 2008-07-26 19:20:47Z vern $
+
+#include "config.h"
+#include "Base64.h"
+
+static int base64_table[256];
+
+static void init_base64_table()
+	{
+	static int table_initialized = 0;
+
+	if ( ++table_initialized > 1 )
+		return;
+
+	int i;
+	for ( i = 0; i < 256; ++i )
+		base64_table[i] = -1;
+
+	for ( i = 0; i < 26; ++i )
+		{
+		base64_table['A' + i] = i;
+		base64_table['a' + i] = i + 26;
+		}
+
+	for ( i = 0; i < 10; ++i )
+		base64_table['0' + i] = i + 52;
+
+	// Casts to avoid compiler warnings.
+	base64_table[int('+')] = 62;
+	base64_table[int('/')] = 63;
+	base64_table[int('=')] = 0;
+	}
+
+Base64Decoder::Base64Decoder(Analyzer* arg_analyzer)
+	{
+	init_base64_table();
+	base64_group_next = 0;
+	base64_padding = base64_after_padding = 0;
+	errored = 0;
+	analyzer = arg_analyzer;
+	}
+
+int Base64Decoder::Decode(int len, const char* data, int* pblen, char** pbuf)
+	{
+	int blen;
+	char* buf;
+
+	if ( ! pbuf )
+		internal_error("nil pointer to decoding result buffer");
+
+	if ( *pbuf )
+		{
+		buf = *pbuf;
+		blen = *pblen;
+		}
+	else
+		{
+		// Estimate the maximal number of 3-byte groups needed,
+		// plus 1 byte for the optional ending NUL.
+		blen = int((len + base64_group_next + 3) / 4) * 3 + 1;
+		*pbuf = buf = new char[blen];
+		}
+
+	int dlen = 0;
+
+	while ( 1 )
+		{
+		if ( base64_group_next == 4 )
+			{
+			// For every group of 4 6-bit numbers,
+			// write the decoded 3 bytes to the buffer.
+			if ( base64_after_padding )
+				{
+				if ( ++errored == 1 )
+					IllegalEncoding("extra base64 groups after '=' padding are ignored");
+				base64_group_next = 0;
+				continue;
+				}
+
+			int num_octets = 3 - base64_padding;
+
+			if ( buf + num_octets > *pbuf + blen )
+				break;
+
+			uint32 bit32 =
+				((base64_group[0] & 0x3f) << 18) |
+				((base64_group[1] & 0x3f) << 12) |
+				((base64_group[2] & 0x3f) << 6)  |
+				((base64_group[3] & 0x3f));
+
+			if ( --num_octets >= 0 )
+				*buf++ = char((bit32 >> 16) & 0xff);
+
+			if ( --num_octets >= 0 )
+				*buf++ = char((bit32 >> 8) & 0xff);
+
+			if ( --num_octets >= 0 )
+				*buf++ = char((bit32) & 0xff);
+
+			if ( base64_padding > 0 )
+				base64_after_padding = 1;
+
+			base64_group_next = 0;
+			base64_padding = 0;
+			}
+
+		if ( dlen >= len )
+			break;
+
+		if ( data[dlen] == '=' )
+			++base64_padding;
+
+		int k = base64_table[(unsigned char) data[dlen]];
+		if ( k >= 0 )
+			base64_group[base64_group_next++] = k;
+		else
+			{
+			if ( ++errored == 1 )
+				IllegalEncoding(fmt("character %d ignored by Base64 decoding", (int) (data[dlen])));
+			}
+
+		++dlen;
+		}
+
+	*pblen = buf - *pbuf;
+	return dlen;
+	}
+
+int Base64Decoder::Done(int* pblen, char** pbuf)
+	{
+	const char* padding = "===";
+
+	if ( base64_group_next != 0 )
+		{
+		if ( base64_group_next < 4 )
+			IllegalEncoding(fmt("incomplete base64 group, padding with %d bits of 0", (4-base64_group_next) * 6));
+		Decode(4 - base64_group_next, padding, pblen, pbuf);
+		return -1;
+		}
+
+	if ( pblen )
+		*pblen = 0;
+
+	return 0;
+	}
+
+BroString* decode_base64(const BroString* s)
+	{
+	int buf_len = int((s->Len() + 3) / 4) * 3 + 1;
+	int rlen2, rlen = buf_len;
+	char* rbuf2, *rbuf = new char[rlen];
+
+	Base64Decoder dec(0);
+	if ( dec.Decode(s->Len(), (const char*) s->Bytes(), &rlen, &rbuf) == -1 )
+		goto err;
+
+	rlen2 = buf_len - rlen;
+	rbuf2 = rbuf + rlen;
+	// Done() returns -1 if there isn't enough padding, but we just ignore
+	// it.
+	dec.Done(&rlen2, &rbuf2);
+	rlen += rlen2;
+
+	rbuf[rlen] = '\0';
+	return new BroString(1, (u_char*) rbuf, rlen);
+
+err:
+	delete [] rbuf;
+	return 0;
+	}
diff --git a/src/Base64.h b/src/Base64.h
new file mode 100644
index 0000000000..a8e7c01667
--- /dev/null
+++ b/src/Base64.h
@@ -0,0 +1,66 @@
+// $Id: Base64.h 3526 2006-09-12 07:32:21Z vern $
+
+#ifndef base64_h
+#define base64_h
+
+#include <assert.h>
+#include <stdio.h>
+#include <string.h>
+
+#include "util.h"
+#include "BroString.h"
+#include "Analyzer.h"
+
+// Maybe we should have a base class for generic decoders?
+
+class Base64Decoder {
+public:
+	// <analyzer> is used for error reporting, and it should be zero
+	// when the decoder is called by the built-in function
+	// decode_base64().
+	Base64Decoder(Analyzer* analyzer);
+	~Base64Decoder()	{ }
+
+	// A note on Decode():
+	//
+	// The input is specified by <len> and <data> and the output
+	// buffer by <blen> and <buf>.  If *buf is nil, a buffer of
+	// an appropriate size will be new'd and *buf will point
+	// to the buffer on return. *blen holds the length of
+	// decoded data on return.  The function returns the number of
+	// input bytes processed, since the decoding will stop when there
+	// is not enough output buffer space.
+
+	int Decode(int len, const char* data, int* blen, char** buf);
+
+	int Done(int* pblen, char** pbuf);
+	int HasData() const { return base64_group_next != 0; }
+
+	// True if an error has occurred.
+	int Errored() const	{ return errored; }
+
+	const char* ErrorMsg() const	{ return error_msg; }
+	void IllegalEncoding(const char* msg)
+		{ 
+		// strncpy(error_msg, msg, sizeof(error_msg));
+		if ( analyzer )
+			analyzer->Weird("base64_illegal_encoding", msg);
+		else
+			run_time(msg);
+		}
+
+protected:
+	char error_msg[256];
+
+protected:
+	char base64_group[4];
+	int base64_group_next;
+	int base64_padding;
+	int base64_after_padding;
+	int errored;	// if true, we encountered an error - skip further processing
+	Analyzer* analyzer;
+};
+
+BroString* decode_base64(const BroString* s);
+
+#endif /* base64_h */
diff --git a/src/BitTorrent.cc b/src/BitTorrent.cc
new file mode 100644
index 0000000000..e99047beb1
--- /dev/null
+++ b/src/BitTorrent.cc
@@ -0,0 +1,124 @@
+// $Id:$
+//
+// This code contributed by Nadi Sarrar.
+
+#include "BitTorrent.h"
+#include "TCP_Reassembler.h"
+
+BitTorrent_Analyzer::BitTorrent_Analyzer(Connection* c)
+: TCP_ApplicationAnalyzer(AnalyzerTag::BitTorrent, c)
+	{
+	interp = new binpac::BitTorrent::BitTorrent_Conn(this);
+	stop_orig = stop_resp = false;
+	stream_len_orig = stream_len_resp = 0;
+	}
+
+BitTorrent_Analyzer::~BitTorrent_Analyzer()
+	{
+	delete interp;
+	}
+
+void BitTorrent_Analyzer::Done()
+	{
+	TCP_ApplicationAnalyzer::Done();
+
+	interp->FlowEOF(true);
+	interp->FlowEOF(false);
+	}
+
+void BitTorrent_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
+	{
+	uint64& this_stream_len = orig ? stream_len_orig : stream_len_resp;
+	bool& this_stop = orig ? stop_orig : stop_resp;
+
+	TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
+
+	assert(TCP());
+
+	if ( TCP()->IsPartial() )
+		// punt on partial.
+		return;
+
+	if ( this_stop )
+		return;
+
+	this_stream_len += len;
+
+	try
+		{
+		interp->NewData(orig, data, data + len);
+		}
+	catch ( binpac::Exception const &e )
+		{
+		const char except[] = "binpac exception: invalid handshake";
+		if ( ! strncmp(e.c_msg(), except, strlen(except)) )
+			// Does not look like bittorrent - silently
+			// drop the connection.
+			Parent()->RemoveChildAnalyzer(this);
+		else
+			{
+			DeliverWeird(fmt("Stopping BitTorrent analysis: protocol violation (%s)",
+					e.c_msg()), orig);
+			this_stop = true;
+			if ( stop_orig && stop_resp )
+				ProtocolViolation("BitTorrent: content gap and/or protocol violation");
+			}
+		}
+	}
+
+void BitTorrent_Analyzer::Undelivered(int seq, int len, bool orig)
+	{
+	uint64 entry_offset = orig ?
+		*interp->upflow()->next_message_offset() :
+		*interp->downflow()->next_message_offset();
+	uint64& this_stream_len = orig ? stream_len_orig : stream_len_resp;
+	bool& this_stop = orig ? stop_orig : stop_resp;
+
+	TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
+
+	this_stream_len += len;
+
+	if ( entry_offset < this_stream_len )
+		{ // entry point is somewhere in the gap
+		DeliverWeird("Stopping BitTorrent analysis: cannot recover from content gap", orig);
+		this_stop = true;
+		if ( stop_orig && stop_resp )
+			ProtocolViolation("BitTorrent: content gap and/or protocol violation");
+		}
+	else
+		{ // fill the gap
+		try
+			{
+			u_char gap[len];
+			memset(gap, 0, len);
+			interp->NewData(orig, gap, gap + len);
+			}
+		catch ( binpac::Exception const &e )
+			{
+			DeliverWeird("Stopping BitTorrent analysis: filling content gap failed", orig);
+			this_stop = true;
+			if ( stop_orig && stop_resp )
+				ProtocolViolation("BitTorrent: content gap and/or protocol violation");
+			}
+		}
+	}
+
+void BitTorrent_Analyzer::EndpointEOF(TCP_Reassembler* endp)
+	{
+	TCP_ApplicationAnalyzer::EndpointEOF(endp);
+	interp->FlowEOF(endp->IsOrig());
+	}
+
+void BitTorrent_Analyzer::DeliverWeird(const char* msg, bool orig)
+	{
+	if ( bittorrent_peer_weird )
+		{
+		val_list* vl = new val_list;
+		vl->append(BuildConnVal());
+		vl->append(new Val(orig, TYPE_BOOL));
+		vl->append(new StringVal(msg));
+		ConnectionEvent(bittorrent_peer_weird, vl);
+		}
+	else
+		Weird(msg);
+	}
diff --git a/src/BitTorrent.h b/src/BitTorrent.h
new file mode 100644
index 0000000000..7f745d48c8
--- /dev/null
+++ b/src/BitTorrent.h
@@ -0,0 +1,36 @@
+// $Id:$
+//
+// This code contributed by Nadi Sarrar.
+
+#ifndef bittorrent_h
+#define bittorrent_h
+
+#include "TCP.h"
+
+#include "bittorrent_pac.h"
+
+class BitTorrent_Analyzer : public TCP_ApplicationAnalyzer {
+public:
+	BitTorrent_Analyzer(Connection* conn);
+	virtual ~BitTorrent_Analyzer();
+
+	virtual void Done();
+	virtual void DeliverStream(int len, const u_char* data, bool orig);
+	virtual void Undelivered(int seq, int len, bool orig);
+	virtual void EndpointEOF(TCP_Reassembler* endp);
+
+	static Analyzer* InstantiateAnalyzer(Connection* conn)
+		{ return new BitTorrent_Analyzer(conn); }
+
+	static bool Available()
+		{ return bittorrent_peer_handshake || bittorrent_peer_piece; }
+
+protected:
+	void DeliverWeird(const char* msg, bool orig);
+
+	binpac::BitTorrent::BitTorrent_Conn* interp;
+	bool stop_orig, stop_resp;
+	uint64 stream_len_orig, stream_len_resp;
+};
+
+#endif
diff --git a/src/BitTorrentTracker.cc b/src/BitTorrentTracker.cc
new file mode 100644
index 0000000000..be72a17d26
--- /dev/null
+++ b/src/BitTorrentTracker.cc
@@ -0,0 +1,805 @@
+// $Id:$
+//
+// This code contributed by Nadi Sarrar.
+
+#include "BitTorrentTracker.h"
+#include "TCP_Reassembler.h"
+
+#include <sys/types.h>
+#include <regex.h>
+
+#ifdef USE_INT64
+# define FMT_INT "%lld"
+# define FMT_UINT "%llu"
+#else
+# define FMT_INT "%d"
+# define FMT_UINT "%u"
+#endif
+
+static TableType* bt_tracker_headers = 0;
+static RecordType* bittorrent_peer;
+static TableType* bittorrent_peer_set;
+static RecordType* bittorrent_benc_value;
+static TableType* bittorrent_benc_dir;
+
+BitTorrentTracker_Analyzer::BitTorrentTracker_Analyzer(Connection* c)
+: TCP_ApplicationAnalyzer(AnalyzerTag::BitTorrentTracker, c)
+	{
+	if ( ! bt_tracker_headers )
+		{
+		bt_tracker_headers =
+			internal_type("bt_tracker_headers")->AsTableType();
+		bittorrent_peer =
+			internal_type("bittorrent_peer")->AsRecordType();
+		bittorrent_peer_set =
+			internal_type("bittorrent_peer_set")->AsTableType();
+		bittorrent_benc_value =
+			internal_type("bittorrent_benc_value")->AsRecordType();
+		bittorrent_benc_dir =
+			internal_type("bittorrent_benc_dir")->AsTableType();
+		}
+
+	keep_alive = false;
+
+	req_state = BTT_REQ_GET;
+	req_buf[sizeof(req_buf) - 1] = 0;
+	req_buf_pos = req_buf;
+	req_buf_len = 0;
+	req_val_uri = 0;
+	req_val_headers = new TableVal(bt_tracker_headers);
+
+	res_state = BTT_RES_STATUS;
+	res_allow_blank_line = false;
+	res_buf[sizeof(res_buf) - 1] = 0;
+	res_buf_pos = res_buf;
+	res_buf_len = 0;
+	res_status = 0;
+	res_val_headers = new TableVal(bt_tracker_headers);
+	res_val_peers = new TableVal(bittorrent_peer_set);
+	res_val_benc = new TableVal(bittorrent_benc_dir);
+
+	InitBencParser();
+
+	stop_orig = false;
+	stop_resp = false;
+	}
+
+BitTorrentTracker_Analyzer::~BitTorrentTracker_Analyzer()
+	{
+	Unref(req_val_uri);
+	Unref(req_val_headers);
+
+	Unref(res_val_headers);
+	Unref(res_val_peers);
+	Unref(res_val_benc);
+
+	benc_stack.clear();
+	benc_count.clear();
+	}
+
+void BitTorrentTracker_Analyzer::Done()
+	{
+	TCP_ApplicationAnalyzer::Done();
+	}
+
+void BitTorrentTracker_Analyzer::DeliverStream(int len, const u_char* data,
+						bool orig)
+	{
+	TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
+
+	assert(TCP());
+
+	if ( TCP()->IsPartial() )
+		// punt on partial.
+		return;
+
+	if ( orig )
+		ClientRequest(len, data);
+	else
+		ServerReply(len, data);
+	}
+
+void BitTorrentTracker_Analyzer::ClientRequest(int len, const u_char* data)
+	{
+	if ( stop_orig )
+		return;
+
+	if ( req_buf_len + len > sizeof(req_buf) - 1 )
+		{
+		ProtocolViolation("BitTorrentTracker: request message too long");
+		stop_orig = true;
+		return;
+		}
+
+	memcpy(&req_buf[req_buf_len], data, len);
+	req_buf_len += len;
+	req_buf[req_buf_len] = 0;
+
+	while ( req_buf_pos < req_buf + req_buf_len )
+		{
+		char* lf = strchr(req_buf_pos, '\n');
+		if ( ! lf )
+			break;
+		*lf = 0;
+
+		char* cr = strrchr(req_buf_pos, '\r');
+		if ( cr )
+			*cr = 0;
+
+		if ( ! ParseRequest(req_buf_pos) )
+			return;
+
+		req_buf_pos = lf + 1;
+
+		if ( req_state == BTT_REQ_DONE && keep_alive )
+			{
+			req_state = BTT_REQ_GET;
+			req_buf_len -= (req_buf_pos - req_buf);
+			memmove(req_buf, req_buf_pos, req_buf_len);
+			req_buf_pos = req_buf;
+			req_val_headers =
+				new TableVal(bt_tracker_headers);
+			}
+		}
+	}
+
+void BitTorrentTracker_Analyzer::ServerReply(int len, const u_char* data)
+	{
+	if ( stop_resp )
+		return;
+
+	if ( res_state == BTT_RES_DONE )
+		// We are done already, i.e. state != 200.
+		return;
+
+	if ( res_buf_len + len > sizeof(res_buf) - 1 )
+		{
+		ProtocolViolation("BitTorrentTracker: response message too long");
+		stop_resp = true;
+		return;
+		}
+
+	memcpy(&res_buf[res_buf_len], data, len);
+	res_buf_len += len;
+	res_buf[res_buf_len] = 0;
+
+	while ( true )
+		{
+		while ( res_state != BTT_RES_BODY &&
+			res_buf_pos < res_buf + res_buf_len )
+			{
+			char* lf = strchr(res_buf_pos, '\n');
+			if ( ! lf )
+				break;
+			*lf = 0;
+
+			char* cr = strrchr(res_buf_pos, '\r');
+			if ( cr )
+				*cr = 0;
+
+			if ( ! ParseResponse(res_buf_pos) )
+				return;
+
+			res_buf_pos = lf + 1;
+			}
+
+		if ( res_state != BTT_RES_BODY ||
+		     res_buf_pos >= res_buf + res_buf_len )
+			break;
+
+		ResponseBody();
+
+		if ( res_state != BTT_RES_DONE ||
+		     res_status != 200 || ! keep_alive )
+			break;
+
+		res_state = BTT_RES_STATUS;
+		res_allow_blank_line = true;
+		res_buf_len -= res_buf_pos - res_buf;
+		memmove(res_buf, res_buf_pos, res_buf_len);
+		res_buf_pos = res_buf;
+		res_status = 0;
+
+		res_val_headers = new TableVal(bt_tracker_headers);
+		res_val_peers = new TableVal(bittorrent_peer_set);
+		res_val_benc = new TableVal(bittorrent_benc_dir);
+
+		InitBencParser();
+		}
+	}
+
+void BitTorrentTracker_Analyzer::Undelivered(int seq, int len, bool orig)
+	{
+	TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
+
+	ProtocolViolation("BitTorrentTracker: cannot recover from content gap");
+
+	if ( orig )
+		stop_orig = true;
+	else
+		stop_resp = true;
+	}
+
+void BitTorrentTracker_Analyzer::EndpointEOF(TCP_Reassembler* endp)
+	{
+	TCP_ApplicationAnalyzer::EndpointEOF(endp);
+	}
+
+void BitTorrentTracker_Analyzer::InitBencParser(void)
+	{
+	benc_stack.clear();
+	benc_count.clear();
+
+	benc_state = BENC_STATE_EMPTY;
+	benc_raw = 0;
+	benc_raw_type = BENC_TYPE_NONE;
+	benc_raw_len = 0;
+	benc_key = 0;
+	benc_key_len = 0;
+	benc_strlen = 0;
+	benc_str = 0;
+	benc_str_len = 0;
+	benc_str_have = 0;
+	benc_int = 0;
+	benc_int_val = 0;
+	}
+
+void BitTorrentTracker_Analyzer::DeliverWeird(const char* msg, bool orig)
+	{
+	if ( bt_tracker_weird )
+		{
+		val_list* vl = new val_list;
+		vl->append(BuildConnVal());
+		vl->append(new Val(orig, TYPE_BOOL));
+		vl->append(new StringVal(msg));
+		ConnectionEvent(bt_tracker_weird, vl);
+		}
+	else
+		Weird(msg);
+	}
+
+bool BitTorrentTracker_Analyzer::ParseRequest(char* line)
+	{
+	static bool initialized = false;
+	static regex_t r_get, r_get_end, r_hdr;
+
+	if ( ! initialized )
+		{
+		regcomp(&r_get, "^GET[ \t]+", REG_EXTENDED | REG_ICASE);
+		regcomp(&r_get_end, "[ \t]+HTTP/[0123456789.]+$",
+			REG_EXTENDED | REG_ICASE);
+		regcomp(&r_hdr, "^[^: \t]+:[ ]*", REG_EXTENDED | REG_ICASE);
+		initialized = true;
+		}
+
+	switch ( req_state ) {
+	case BTT_REQ_GET:
+		{
+		regmatch_t match[1];
+		if ( regexec(&r_get, line, 1, match, 0) )
+			{
+			ProtocolViolation("BitTorrentTracker: invalid HTTP GET");
+			stop_orig = true;
+			return false;
+			}
+
+		regmatch_t match_end[1];
+		if ( ! regexec(&r_get_end, line, 1, match_end, 0) )
+			{
+			if ( match_end[0].rm_so <= match[0].rm_eo )
+				{
+				ProtocolViolation("BitTorrentTracker: invalid HTTP GET");
+				stop_orig = true;
+				return false;
+				}
+
+			keep_alive = (line[match_end[0].rm_eo - 1] == '1');
+			line[match_end[0].rm_so] = 0;
+			}
+
+		RequestGet(&line[match[0].rm_eo]);
+
+		req_state = BTT_REQ_HEADER;
+		}
+		break;
+
+	case BTT_REQ_HEADER:
+		{
+		if ( ! *line )
+			{
+			EmitRequest();
+			req_state = BTT_REQ_DONE;
+			break;
+			}
+
+		regmatch_t match[1];
+		if ( regexec(&r_hdr, line, 1, match, 0) )
+			{
+			ProtocolViolation("BitTorrentTracker: invalid HTTP request header");
+			stop_orig = true;
+			return false;
+			}
+
+		*strchr(line, ':') = 0;	// this cannot fail - see regex_hdr
+		RequestHeader(line, &line[match[0].rm_eo]);
+		}
+		break;
+
+	case BTT_REQ_DONE:
+		if ( *line )
+			DeliverWeird(fmt("Got post request data: %s\n", line),
+					true);
+		break;
+
+	default:
+		// Make the compiler happy.
+		break;
+	}
+
+	return true;
+	}
+
+void BitTorrentTracker_Analyzer::RequestGet(char* uri)
+	{
+	req_val_uri = new StringVal(uri);
+	}
+
+void BitTorrentTracker_Analyzer::EmitRequest(void)
+	{
+	val_list* vl;
+
+	ProtocolConfirmation();
+
+	vl = new val_list;
+	vl->append(BuildConnVal());
+	vl->append(req_val_uri);
+	vl->append(req_val_headers);
+
+	req_val_uri = 0;
+	req_val_headers = 0;
+
+	ConnectionEvent(bt_tracker_request, vl);
+	}
+
+bool BitTorrentTracker_Analyzer::ParseResponse(char* line)
+	{
+	static bool initialized = false;
+	static regex_t r_stat, r_hdr;
+
+	if ( ! initialized )
+		{
+		regcomp(&r_stat, "^HTTP/[0123456789.]* ",
+			REG_EXTENDED | REG_ICASE);
+		regcomp(&r_hdr, "^[^: \t]+:[ ]*", REG_EXTENDED | REG_ICASE);
+		initialized = true;
+		}
+
+	switch ( res_state ) {
+	case BTT_RES_STATUS:
+		{
+		if ( res_allow_blank_line && ! *line )
+			{
+			// There may be an empty line after the bencoded
+			// directory, if this is a keep-alive connection.
+			// Ignore it.
+			res_allow_blank_line = false;
+			break;
+			}
+
+		regmatch_t match[1];
+		if ( regexec(&r_stat, line, 1, match, 0) )
+			{
+			ProtocolViolation("BitTorrentTracker: invalid HTTP status");
+			stop_resp = true;
+			return false;
+			}
+
+		ResponseStatus(&line[match[0].rm_eo]);
+		res_state = BTT_RES_HEADER;
+		}
+		break;
+
+	case BTT_RES_HEADER:
+		if ( ! *line )
+			{
+			if ( res_status != 200 )
+				{
+				val_list* vl = new val_list;
+				vl->append(BuildConnVal());
+				vl->append(new Val(res_status, TYPE_COUNT));
+				vl->append(res_val_headers);
+				ConnectionEvent(bt_tracker_response_not_ok, vl);
+				res_val_headers = 0;
+				res_buf_pos = res_buf + res_buf_len;
+				res_state = BTT_RES_DONE;
+				}
+			else
+				res_state = BTT_RES_BODY;
+
+			break;
+			}
+
+		{
+		regmatch_t match[1];
+		if ( regexec(&r_hdr, line, 1, match, 0) )
+			{
+			ProtocolViolation("BitTorrentTracker: invalid HTTP response header");
+			stop_resp = true;
+			return false;
+			}
+
+		*strchr(line, ':') = 0;	// this cannot fail - see regex_hdr
+		ResponseHeader(line, &line[match[0].rm_eo]);
+		}
+		break;
+
+	default:
+		// Make the compiler happy.
+		break;
+	}
+
+	return true;
+	}
+
+void BitTorrentTracker_Analyzer::ResponseStatus(char* status)
+	{
+	if ( sscanf(status, FMT_UINT, &res_status) != 1 )
+		res_status = 0;
+	}
+
+void BitTorrentTracker_Analyzer::ParseHeader(char* name, char* value,
+						bool is_request)
+	{
+	if ( ! strcasecmp(name, "connection") )
+		{
+		if ( ! strcasecmp(value, "close") )
+			keep_alive = false;
+		else
+			keep_alive = true;
+		}
+
+#ifdef BTTRACKER_STORE_HEADERS
+	StringVal* name_ = new StringVal(name);
+	StringVal* value_ = new StringVal(value);
+
+	(is_request ? req_val_headers : res_val_headers)->Assign(name_, value_);
+	Unref(name_);
+#endif
+	}
+
+void BitTorrentTracker_Analyzer::ResponseBenc(int name_len, char* name,
+			enum btt_benc_types type, int value_len, char* value)
+	{
+	if ( name_len == 5 && ! strncmp(name, "peers", 5) )
+		{
+		for ( char* end = value + value_len; value < end; value += 6 )
+			{
+			// Note, weirdly/unfortunately AddrVal's take
+			// addresses in network order but PortVal's
+			// take ports in host order.  BitTorrent specifies
+			// that both are in network order here.
+			uint32 ad = extract_uint32((u_char*) value);
+			uint16 pt = ntohs((value[4] << 8) | value[5]);
+
+			RecordVal* peer = new RecordVal(bittorrent_peer);
+			peer->Assign(0, new AddrVal(ad));
+			peer->Assign(1, new PortVal(pt, TRANSPORT_TCP));
+			res_val_peers->Assign(peer, 0);
+
+			Unref(peer);
+			}
+		}
+	else
+		{
+		StringVal* name_ = new StringVal(name_len, name);
+		RecordVal* benc_value = new RecordVal(bittorrent_benc_value);
+		benc_value->Assign(type, new StringVal(value_len, value));
+		res_val_benc->Assign(name_, benc_value);
+
+		Unref(name_);
+		}
+	}
+
+void BitTorrentTracker_Analyzer::ResponseBenc(int name_len, char* name,
+				enum btt_benc_types type, bro_int_t value)
+	{
+	RecordVal* benc_value = new RecordVal(bittorrent_benc_value);
+	StringVal* name_ = new StringVal(name_len, name);
+
+	benc_value->Assign(type, new Val(value, TYPE_INT));
+	res_val_benc->Assign(name_, benc_value);
+
+	Unref(name_);
+	}
+
+void BitTorrentTracker_Analyzer::ResponseBody(void)
+	{
+	switch ( ResponseParseBenc() ) {
+	case 0:
+		EmitResponse();
+		res_state = BTT_RES_DONE;
+		break;
+
+	case -1: // parsing failed
+	case -2: // need more data
+		break;
+	}
+	}
+
+int BitTorrentTracker_Analyzer::ResponseParseBenc(void)
+	{
+#define VIOLATION_IF(expr, msg) \
+	{ \
+	if ( expr ) \
+		{ \
+		ProtocolViolation(msg); \
+		stop_resp = true; \
+		return -1; \
+		} \
+	}
+
+#define INC_COUNT \
+	{ \
+	unsigned int count = benc_count.back(); \
+	benc_count.pop_back(); \
+	benc_count.push_back(count + 1); \
+	}
+
+	for ( unsigned int len = res_buf_len - (res_buf_pos - res_buf); len;
+	      --len, ++res_buf_pos )
+		{
+		switch ( benc_state ) {
+		case BENC_STATE_EMPTY:
+			{
+			switch ( res_buf_pos[0] ) {
+			case 'd':
+				switch ( benc_stack.size() ) {
+				case 0: break;
+				case 1:
+					benc_raw = res_buf_pos;
+					benc_raw_type = BENC_TYPE_DIR;
+					/* fall through */
+				default:
+					VIOLATION_IF(benc_stack.back() == 'd' &&
+						     ! (benc_count.back() % 2),
+						     "BitTorrentTracker: directory key is not a string but a directory")
+					++benc_raw_len;
+				}
+
+				benc_stack.push_back('d');
+				benc_count.push_back(0);
+				break;
+
+			case 'l':
+				switch ( benc_stack.size() ) {
+				case 0:
+					VIOLATION_IF(1, "BitTorrentTracker: not a bencoded directory (first char: l)")
+					/* fall through */
+
+				case 1:
+					benc_raw = res_buf_pos;
+					benc_raw_type = BENC_TYPE_LIST;
+					/* fall through */
+
+				default:
+					VIOLATION_IF(benc_stack.back() == 'd' &&
+						     ! (benc_count.back() % 2),
+						     "BitTorrentTracker: directory key is not a string but a list")
+					++benc_raw_len;
+				}
+
+				benc_stack.push_back('l');
+				benc_count.push_back(0);
+				break;
+
+			case 'i':
+				VIOLATION_IF(! benc_stack.size(),
+					"BitTorrentTracker: not a bencoded directory (first char: i)")
+				VIOLATION_IF(benc_stack.back() == 'd' &&
+					     ! (benc_count.back() % 2),
+					     "BitTorrentTracker: directory key is not a string but an int")
+
+				if ( benc_raw_type != BENC_TYPE_NONE )
+					++benc_raw_len;
+
+				benc_state = BENC_STATE_INT1;
+				break;
+
+			case 'e':
+				VIOLATION_IF(! benc_stack.size(),
+					"BitTorrentTracker: not a bencoded directory (first char: e)")
+				VIOLATION_IF(benc_stack.back() == 'd' &&
+					     benc_count.back() % 2,
+					     "BitTorrentTracker: directory has an odd count of members")
+
+				if ( benc_raw_type != BENC_TYPE_NONE )
+					++benc_raw_len;
+
+				if ( benc_stack.size() == 2 )
+					{ // coming back to level 1
+					ResponseBenc(benc_key_len, benc_key,
+							benc_raw_type,
+							benc_raw_len, benc_raw);
+					benc_key = 0;
+					benc_key_len = 0;
+					benc_raw = 0;
+					benc_raw_len = 0;
+					benc_raw_type = BENC_TYPE_NONE;
+					}
+
+				benc_stack.pop_back();
+				benc_count.pop_back();
+
+				if ( benc_stack.size() )
+					INC_COUNT
+				else
+					{ // benc parsing successful
+					++res_buf_pos;
+					return 0;
+					}
+				break;
+
+			case '0': case '1': case '2': case '3': case '4':
+			case '5': case '6': case '7': case '8': case '9':
+				VIOLATION_IF(! benc_stack.size(),
+					"BitTorrentTracker: not a bencoded directory (first char: [0-9])")
+
+				if ( benc_raw_type != BENC_TYPE_NONE )
+					++benc_raw_len;
+
+				benc_strlen = res_buf_pos;
+				benc_state = BENC_STATE_STR1;
+				break;
+
+			default:
+				VIOLATION_IF(1, "BitTorrentTracker: no valid bencoding")
+			}
+			}
+			break;
+
+		case BENC_STATE_INT1:
+			benc_int = res_buf_pos;
+			if ( res_buf_pos[0] == '-' )
+				{
+				if ( benc_raw_type != BENC_TYPE_NONE )
+					++benc_raw_len;
+				benc_state = BENC_STATE_INT2;
+				break;
+				}
+
+		case BENC_STATE_INT2:
+			VIOLATION_IF(res_buf_pos[0] < '0' ||
+				     res_buf_pos[0] > '9',
+				     "BitTorrentTracker: no valid bencoding")
+
+			if ( benc_raw_type != BENC_TYPE_NONE )
+				++benc_raw_len;
+
+			benc_state = BENC_STATE_INT3;
+			break;
+
+		case BENC_STATE_INT3:
+			if ( res_buf_pos[0] == 'e' )
+				{
+				if ( sscanf(benc_int, FMT_INT,
+					    &benc_int_val) == 1 )
+					{
+					if ( benc_stack.size() == 1 )
+						{
+						ResponseBenc(benc_key_len,
+							benc_key, BENC_TYPE_INT,
+							benc_int_val);
+						benc_key = 0;
+						benc_key_len = 0;
+						}
+					}
+				else
+					VIOLATION_IF(1, "BitTorrentTracker: no valid bencoding")
+
+				INC_COUNT
+				benc_state = BENC_STATE_EMPTY;
+				}
+
+			else
+				VIOLATION_IF(res_buf_pos[0] < '0' ||
+					     res_buf_pos[0] > '9',
+					     "BitTorrentTracker: no valid bencoding");
+
+			if ( benc_raw_type != BENC_TYPE_NONE )
+				++benc_raw_len;
+
+			break;
+
+		case BENC_STATE_STR1:
+			switch ( res_buf_pos[0] ) {
+			case '0': case '1': case '2': case '3': case '4':
+			case '5': case '6': case '7': case '8': case '9':
+				if ( benc_raw_type != BENC_TYPE_NONE )
+					++benc_raw_len;
+				break;
+
+			case ':':
+				VIOLATION_IF(sscanf(benc_strlen, "%u",
+						    &benc_str_len) != 1,
+					     "BitTorrentTracker: no valid bencoding")
+
+				benc_str_have = 0;
+				benc_str = res_buf_pos + 1;
+
+				if ( benc_stack.size() == 1 &&
+				     ! (benc_count.front() % 2) )
+					{
+					benc_key = benc_str;
+					benc_key_len = benc_str_len;
+					}
+
+				if ( benc_raw_type != BENC_TYPE_NONE )
+					++benc_raw_len;
+
+				benc_state = BENC_STATE_STR2;
+				break;
+
+			default:
+				VIOLATION_IF(1, "BitTorrentTracker: no valid bencoding")
+			}
+			break;
+
+		case BENC_STATE_STR2:
+			if ( benc_str_have < benc_str_len )
+				{
+				unsigned int seek =
+					min(len, benc_str_len - benc_str_have);
+				benc_str_have += seek;
+
+				if ( benc_raw_type != BENC_TYPE_NONE )
+					benc_raw_len += seek;
+
+				res_buf_pos += seek - 1;
+				len -= seek - 1;
+				}
+
+			if ( benc_str_have == benc_str_len )
+				{
+				if ( benc_stack.size() == 1 && benc_key &&
+				     benc_key != benc_str )
+					{
+					ResponseBenc(benc_key_len, benc_key,
+							BENC_TYPE_STR,
+							benc_str_len, benc_str);
+					benc_key_len = 0;
+					benc_key = 0;
+					}
+
+				if ( ! benc_str_len )
+					{
+					--res_buf_pos;
+					++len;
+					}
+
+				INC_COUNT
+				benc_state = BENC_STATE_EMPTY;
+				}
+			break;
+		}
+		}
+
+	return -2;	// need more data
+	}
+
+void BitTorrentTracker_Analyzer::EmitResponse(void)
+	{
+	ProtocolConfirmation();
+
+	val_list* vl = new val_list;
+	vl->append(BuildConnVal());
+	vl->append(new Val(res_status, TYPE_COUNT));
+	vl->append(res_val_headers);
+	vl->append(res_val_peers);
+	vl->append(res_val_benc);
+
+	res_val_headers = 0;
+	res_val_peers = 0;
+	res_val_benc = 0;
+
+	ConnectionEvent(bt_tracker_response, vl);
+	}
diff --git a/src/BitTorrentTracker.h b/src/BitTorrentTracker.h
new file mode 100644
index 0000000000..167c9d0d10
--- /dev/null
+++ b/src/BitTorrentTracker.h
@@ -0,0 +1,134 @@
+// $Id:$
+//
+// This code contributed by Nadi Sarrar.
+
+#ifndef bittorrenttracker_h
+#define bittorrenttracker_h
+
+#include "TCP.h"
+
+#define BTTRACKER_BUF 2048
+
+// If the following is defined, then the analyzer will store all of
+// the headers seen in tracker messages.
+//#define BTTRACKER_STORE_HEADERS 1
+
+enum btt_states {
+	BTT_REQ_GET,
+	BTT_REQ_HEADER,
+	BTT_REQ_DONE,
+
+	BTT_RES_STATUS,
+	BTT_RES_HEADER,
+	BTT_RES_BODY,
+	BTT_RES_DONE,
+};
+
+// "benc" = Bencode ("Bee-Encode"), per http://en.wikipedia.org/wiki/Bencode
+enum btt_benc_types {
+	BENC_TYPE_INT  = 0,
+	BENC_TYPE_STR  = 1,
+	BENC_TYPE_DIR  = 2,
+	BENC_TYPE_LIST = 3,
+	BENC_TYPE_NONE = 10,
+};
+
+enum btt_benc_states {
+	BENC_STATE_EMPTY,
+	BENC_STATE_INT1,
+	BENC_STATE_INT2,
+	BENC_STATE_INT3,
+	BENC_STATE_STR1,
+	BENC_STATE_STR2,
+};
+
+class BitTorrentTracker_Analyzer : public TCP_ApplicationAnalyzer {
+public:
+	BitTorrentTracker_Analyzer(Connection* conn);
+	virtual ~BitTorrentTracker_Analyzer();
+
+	virtual void Done();
+	virtual void DeliverStream(int len, const u_char* data, bool orig);
+	virtual void Undelivered(int seq, int len, bool orig);
+	virtual void EndpointEOF(TCP_Reassembler* endp);
+
+	static Analyzer* InstantiateAnalyzer(Connection* conn)
+		{ return new BitTorrentTracker_Analyzer(conn); }
+
+	static bool Available()
+		{ return bt_tracker_request || bt_tracker_response; }
+
+protected:
+	void ClientRequest(int len, const u_char* data);
+	void ServerReply(int len, const u_char* data);
+
+	void InitBencParser(void);
+
+	void DeliverWeird(const char* msg, bool orig);
+
+	bool ParseRequest(char* line);
+	void RequestGet(char* uri);
+	void RequestHeader(char* name, char* value)
+		{ ParseHeader(name, value, true); }
+	void EmitRequest(void);
+
+	bool ParseResponse(char* line);
+	void ResponseStatus(char* status);
+	void ResponseHeader(char* name, char* value)
+		{ ParseHeader(name, value, false); }
+	void ResponseBody(void);
+	void ResponseBenc(int name_len, char* name, enum btt_benc_types type,
+				int value_len, char* value);
+	void ResponseBenc(int name_len, char* name, enum btt_benc_types type,
+				bro_int_t value);
+	int ResponseParseBenc(void);
+	void EmitResponse(void);
+
+	void ParseHeader(char* name, char* value, bool is_request);
+
+	// HTTP state.
+	bool keep_alive;
+
+	// Request.
+	enum btt_states req_state;
+	char req_buf[BTTRACKER_BUF];
+	char* req_buf_pos;
+	unsigned int req_buf_len;
+	StringVal* req_val_uri;
+	TableVal* req_val_headers;
+
+	// Response.
+	enum btt_states res_state;
+	bool res_allow_blank_line;
+	char res_buf[BTTRACKER_BUF];
+	char* res_buf_pos;
+	unsigned int res_buf_len;
+	bro_uint_t res_status;
+	TableVal* res_val_headers;
+	TableVal* res_val_peers;
+	TableVal* res_val_benc;
+
+	vector<char> benc_stack;
+	vector<unsigned int> benc_count;
+	enum btt_benc_states benc_state;
+
+	char* benc_raw;
+	enum btt_benc_types benc_raw_type;
+	unsigned int benc_raw_len;
+
+	char* benc_key;
+	unsigned int benc_key_len;
+
+	char* benc_strlen;
+	char* benc_str;
+	unsigned int benc_str_len;
+	unsigned int benc_str_have;
+
+	char* benc_int;
+	bro_int_t benc_int_val;
+
+	// True on protocol violation.
+	bool stop_orig, stop_resp;
+};
+
+#endif
diff --git a/src/BroList.h b/src/BroList.h
new file mode 100644
index 0000000000..b71615a18a
--- /dev/null
+++ b/src/BroList.h
@@ -0,0 +1,58 @@
+// $Id: BroList.h 6219 2008-10-01 05:39:07Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#ifndef brolist_h
+#define brolist_h
+
+#include "List.h"
+
+class Expr;
+declare(PList,Expr);
+typedef PList(Expr) expr_list;
+
+class ID;
+declare(PList,ID);
+typedef PList(ID) id_list;
+
+class HashKey;
+declare(PList,HashKey);
+typedef PList(HashKey) hash_key_list;
+
+class Val;
+declare(PList,Val);
+typedef PList(Val) val_list;
+
+class Stmt;
+declare(PList,Stmt);
+typedef PList(Stmt) stmt_list;
+
+class BroType;
+declare(PList,BroType);
+typedef PList(BroType) type_list;
+
+class TypeDecl;
+declare(PList,TypeDecl);
+typedef PList(TypeDecl) type_decl_list;
+
+class Case;
+declare(PList,Case);
+typedef PList(Case) case_list;
+
+class Attr;
+declare(PList,Attr);
+typedef PList(Attr) attr_list;
+
+class Scope;
+declare(PList,Scope);
+typedef PList(Scope) scope_list;
+
+class Timer;
+declare(PList,Timer);
+typedef PList(Timer) timer_list;
+
+class DNS_Mgr_Request;
+declare(PList,DNS_Mgr_Request);
+typedef PList(DNS_Mgr_Request) DNS_mgr_request_list;
+
+#endif
diff --git a/src/BroString.cc b/src/BroString.cc
new file mode 100644
index 0000000000..08c724f5f2
--- /dev/null
+++ b/src/BroString.cc
@@ -0,0 +1,507 @@
+// $Id: BroString.cc 6219 2008-10-01 05:39:07Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "config.h"
+
+#include <algorithm>
+#include <ctype.h>
+
+#include "BroString.h"
+#include "Var.h"
+
+#ifdef DEBUG
+#define DEBUG_STR(msg) DBG_LOG(DBG_STRING, msg)
+#else
+#define DEBUG_STR(msg)
+#endif
+
+const int BroString::EXPANDED_STRING;
+const int BroString::BRO_STRING_LITERAL;
+
+// This constructor forces the user to specify arg_final_NUL.  When str
+// is a *normal* NUL-terminated string, make arg_n == strlen(str) and
+// arg_final_NUL == 1; when str is a sequence of n bytes, make
+// arg_final_NUL == 0.
+
+BroString::BroString(int arg_final_NUL, byte_vec str, int arg_n)
+	{
+	b = str;
+	n = arg_n;
+	final_NUL = arg_final_NUL;
+	use_free_to_delete = 0;
+	}
+
+BroString::BroString(const u_char* str, int arg_n, int add_NUL)
+	{
+	b = 0;
+	n = 0;
+	use_free_to_delete = 0;
+	Set(str, arg_n, add_NUL);
+	}
+
+BroString::BroString(const char* str)
+	{
+	b = 0;
+	n = 0;
+	use_free_to_delete = 0;
+	Set(str);
+	}
+
+BroString::BroString(const string &str)
+	{
+	b = 0;
+	n = 0;
+	use_free_to_delete = 0;
+	Set(str);
+	}
+
+BroString::BroString(const BroString& bs)
+	{
+	b = 0;
+	n = 0;
+	use_free_to_delete = 0;
+	*this = bs;
+	}
+
+BroString::BroString()
+	{
+	b = 0;
+	n = 0;
+	final_NUL = 0;
+	use_free_to_delete = 0;
+	}
+
+void BroString::Reset()
+	{
+	if ( use_free_to_delete )
+		free(b);
+	else
+		delete [] b;
+
+	b = 0;
+	n = 0;
+	final_NUL = 0;
+	use_free_to_delete = 0;
+	}
+
+const BroString& BroString::operator=(const BroString &bs)
+	{
+	Reset();
+	n = bs.n;
+	b = new u_char[n+1];
+
+	memcpy(b, bs.b, n);
+	b[n] = '\0';
+
+	final_NUL = 1;
+	use_free_to_delete = 0;
+	return *this;
+	}
+
+bool BroString::operator==(const BroString &bs) const
+	{
+	return Bstr_eq(this, &bs);
+	}
+
+bool BroString::operator<(const BroString &bs) const
+	{
+	return Bstr_cmp(this, &bs) < 0;
+	}
+
+void BroString::Adopt(byte_vec bytes, int len)
+	{
+	Reset();
+
+	b = bytes;
+
+	// Check if the string ends with a NUL.  If so, mark it as having
+	// a final NUL and adjust the length accordingly.
+	final_NUL = (b[len-1] == '\0') ? 1 : 0;
+	n = len - final_NUL;
+	}
+
+void BroString::Set(const u_char* str, int len, int add_NUL)
+	{
+	Reset();
+
+	n = len;
+	b = new u_char[add_NUL ? n + 1 : n];
+	memcpy(b, str, n);
+	final_NUL = add_NUL;
+
+	if ( add_NUL )
+		b[n] = 0;
+
+	use_free_to_delete = 0;
+	}
+
+void BroString::Set(const char* str)
+	{
+	Reset();
+
+	n = strlen(str);
+	b = new u_char[n+1];
+	memcpy(b, str, n+1);
+	final_NUL = 1;
+	use_free_to_delete = 0;
+	}
+
+void BroString::Set(const string& str)
+	{
+	Reset();
+
+	n = str.size();
+	b = new u_char[n+1];
+	memcpy(b, str.c_str(), n+1);
+	final_NUL = 1;
+	use_free_to_delete = 0;
+	}
+
+void BroString::Set(const BroString& str)
+	{
+	*this = str;
+	}
+
+const char* BroString::CheckString() const
+	{
+	if ( n == 0 )
+		return "";
+
+	if ( memchr(b, '\0', n + final_NUL) != &b[n] )
+		{
+		// Either an embedded NUL, or no final NUL.
+		char* exp_s = Render();
+		if ( b[n-1] != '\0' )
+			run_time("string without NUL terminator: \"%s\"", exp_s);
+		else
+			run_time("string with embedded NUL: \"%s\"", exp_s);
+
+		delete [] exp_s;
+		return "<string-with-NUL>";
+		}
+
+	return (const char*) b;
+	}
+
+char* BroString::Render(int format, int* len) const
+	{
+	// Maxmimum character expansion is as \xHH, so a factor of 4.
+	char* s = new char[n*4 + 1];	// +1 is for final '\0'
+	char* sp = s;
+	int tmp_len;
+
+	for ( int i = 0; i < n; ++i )
+		{
+		if ( b[i] == '\0' && (format & ESC_NULL) )
+			{
+			*sp++ = '\\'; *sp++ = '0';
+			}
+
+		else if ( b[i] == '\x7f' && (format & ESC_DEL) )
+			{
+			*sp++ = '^'; *sp++ = '?';
+			}
+
+		else if ( b[i] <= 26 && (format & ESC_LOW) )
+			{
+			*sp++ = '^'; *sp++ = b[i] + 'A' - 1;
+			}
+
+		else if ( b[i] == '\\' && (format & ESC_ESC) )
+			{
+			*sp++ = '\\'; *sp++ = '\\';
+			}
+
+		else if ( (b[i] == '\'' || b[i] == '"') && (format & ESC_QUOT) )
+			{
+			*sp++ = '\\'; *sp++ = b[i];
+			}
+
+		else if ( (b[i] < ' ' || b[i] > 126) && (format & ESC_HEX) )
+			{
+			char hex_fmt[16];
+
+			*sp++ = '\\'; *sp++ = 'x';
+			sprintf(hex_fmt, "%02x", b[i]);
+			*sp++ = hex_fmt[0]; *sp++ = hex_fmt[1];
+			}
+
+		else if ( (b[i] < ' ' || b[i] > 126) && (format & ESC_DOT) )
+			{
+			*sp++ = '.';
+			}
+
+		else
+			{
+			*sp++ = b[i];
+			}
+		}
+
+	*sp++ = '\0';	// NUL-terminate.
+	tmp_len = sp - s;
+
+	if ( (format & ESC_SER) )
+		{
+		char* result = new char[tmp_len + 16];
+		snprintf(result, tmp_len + 16, "%u ", tmp_len - 1);
+		tmp_len += strlen(result);
+		memcpy(result + strlen(result), s, sp - s);
+		delete [] s;
+		s = result;
+		}
+
+	if ( len )
+		*len = tmp_len;
+
+	return s;
+	}
+
+ostream& BroString::Render(ostream &os, int format) const
+	{
+	char* tmp = Render(format);
+	os << tmp;
+	delete [] tmp;
+	return os;
+	}
+
+istream& BroString::Read(istream &is, int format)
+	{
+	if ( (format & BroString::ESC_SER) )
+		{
+		int len;
+		is >> len;	// Get the length of the string
+
+		char c;
+		is.read(&c, 1);	// Eat single whitespace
+
+		char* buf = new char[len+1];
+		is.read(buf, len);
+		buf[len] = '\0';	// NUL-terminate just for safety
+
+		Adopt((u_char*) buf, len+1);
+		}
+	else
+		{
+		string str;
+		is >> str;
+		Set(str);
+		}
+
+	return is;
+	}
+
+void BroString::ToUpper()
+	{
+	for ( int i = 0; i < n; ++i )
+		if ( islower(b[i]) )
+			b[i] = toupper(b[i]);
+	}
+
+BroString* BroString::GetSubstring(int start, int len) const
+	{
+	// This code used to live in bro.bif's sub_bytes() routine.
+	if ( start < 0 || start > n )
+		return 0;
+
+	if ( len < 0 || len > n - start )
+		len = n - start;
+
+	return new BroString(&b[start], len, 1);
+	}
+
+int BroString::FindSubstring(const BroString* s) const
+	{
+	return strstr_n(n, b, s->Len(), s->Bytes());
+	}
+
+BroString::Vec* BroString::Split(const BroString::IdxVec& indices) const
+	{
+	unsigned int i;
+
+	if ( indices.size() == 0 )
+		return 0;
+
+	// Copy input, ensuring space for "0":
+	IdxVec idx(1 + indices.size());
+
+	idx[0] = 0;
+	idx.insert(idx.end(), indices.begin(), indices.end());
+
+	// Sanity checks.
+	for ( i = 0; i < idx.size(); ++i )
+		if ( idx[i] >= n || idx[i] < 0 )
+			idx[i] = 0;
+
+	// Sort it:
+	sort(idx.begin(), idx.end());
+
+	// Shuffle vector so duplicate entries are used only once:
+	IdxVecIt end = unique(idx.begin(), idx.end());
+
+	// Each element in idx is now the start index of a new
+	// substring, and we know that all indices are within [0, n].
+	//
+	Vec* result = new Vec();
+	int last_idx = -1;
+	int next_idx;
+	i = 0;
+
+	for ( IdxVecIt it = idx.begin(); it != end; ++it, ++i )
+		{
+		int len = (it + 1 == end) ? -1 : idx[i + 1] - idx[i];
+		result->push_back(GetSubstring(idx[i], len));
+		}
+
+	return result;
+	}
+
+VectorVal* BroString:: VecToPolicy(Vec* vec)
+	{
+	VectorVal* result =
+		new VectorVal(internal_type("string_vec")->AsVectorType());
+	if ( ! result )
+		return 0;
+
+	for ( unsigned int i = 0; i < vec->size(); ++i )
+		{
+		BroString* string = (*vec)[i];
+		StringVal* val = new StringVal(string->Len(),
+						(const char*) string->Bytes());
+		result->Assign(i+1, val, 0);
+		}
+
+	return result;
+	}
+
+BroString::Vec* BroString::VecFromPolicy(VectorVal* vec)
+	{
+	Vec* result = new Vec();
+
+	// VectorVals start at index 1!
+	for ( unsigned int i = 1; i <= vec->Size(); ++i )
+		{
+		Val* v = vec->Lookup(i);	// get the RecordVal
+		if ( ! v )
+			continue;
+
+		BroString* string = new BroString(*(v->AsString()));
+		result->push_back(string);
+		}
+
+	return result;
+	}
+
+char* BroString::VecToString(const Vec* vec)
+	{
+	string result("[");
+
+	for ( BroString::VecCIt it = vec->begin(); it != vec->end(); ++it )
+		{
+		result += (*it)->CheckString();
+		result += ",";
+		}
+
+	result += "]";
+
+	return strdup(result.c_str());
+	}
+
+bool BroStringLenCmp::operator()(BroString * const& bst1,
+				 BroString * const& bst2)
+	{
+	return _increasing ? (bst1->Len() < bst2->Len()) :
+				(bst1->Len() > bst2->Len());
+	}
+
+ostream& operator<<(ostream& os, const BroString& bs)
+	{
+	char* tmp = bs.Render(BroString::EXPANDED_STRING);
+	os << tmp;
+	delete [] tmp;
+	return os;
+	}
+
+int Bstr_eq(const BroString* s1, const BroString* s2)
+	{
+	if ( s1->Len() != s2->Len() )
+		return 0;
+
+	return memcmp(s1->Bytes(), s2->Bytes(), s1->Len()) == 0;
+	}
+
+int Bstr_cmp(const BroString* s1, const BroString* s2)
+	{
+	int n = min(s1->Len(), s2->Len());
+	int cmp = memcmp(s1->Bytes(), s2->Bytes(), n);
+
+	if ( cmp || s1->Len() == s2->Len() )
+		return cmp;
+
+	// Compared equal, but one was shorter than the other.  Treat
+	// it as less than the other.
+	if ( s1->Len() < s2->Len() )
+		return -1;
+	else
+		return 1;
+	}
+
+BroString* concatenate(std::vector<data_chunk_t>& v)
+	{
+	int n = v.size();
+	int len = 0;
+	int i;
+	for ( i = 0; i < n; ++i )
+		len += v[i].length;
+
+	char* data = new char[len+1];
+
+	char* b = data;
+	for ( i = 0; i < n; ++i )
+		{
+		memcpy(b, v[i].data, v[i].length);
+		b += v[i].length;
+		}
+
+	*b = '\0';
+
+	return new BroString(1, (byte_vec) data, len);
+	}
+
+BroString* concatenate(BroString::CVec& v)
+	{
+	int n = v.size();
+	int len = 0;
+	int i;
+	for ( i = 0; i < n; ++i )
+		len += v[i]->Len();
+
+	char* data = new char[len+1];
+
+	char* b = data;
+	for ( i = 0; i < n; ++i )
+		{
+		memcpy(b, v[i]->Bytes(), v[i]->Len());
+		b += v[i]->Len();
+		}
+	*b = '\0';
+
+	return new BroString(1, (byte_vec) data, len);
+	}
+
+BroString* concatenate(BroString::Vec& v)
+	{
+	BroString::CVec cv;
+
+	for ( BroString::VecIt it = v.begin(); it != v.end(); ++it )
+		cv.push_back(*it);
+
+	return concatenate(cv);
+	}
+
+void delete_strings(std::vector<const BroString*>& v)
+	{
+	for ( unsigned int i = 0; i < v.size(); ++i )
+		delete v[i];
+	v.clear();
+	}
diff --git a/src/BroString.h b/src/BroString.h
new file mode 100644
index 0000000000..48471cb99e
--- /dev/null
+++ b/src/BroString.h
@@ -0,0 +1,193 @@
+// $Id: BroString.h 6219 2008-10-01 05:39:07Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#ifndef brostring_h
+#define brostring_h
+
+#include <vector>
+#include <string>
+#include <iostream>
+#include <stdlib.h>
+#include <sys/types.h>
+using namespace std;
+
+#include "util.h"
+
+typedef u_char* byte_vec;
+
+// Forward declaration, for helper functions that convert (sub)string vectors
+// to and from policy-level representations.
+//
+class VectorVal;
+
+class BroString {
+public:
+	typedef vector<BroString*> Vec;
+	typedef Vec::iterator VecIt;
+	typedef Vec::const_iterator VecCIt;
+
+	typedef vector<const BroString*> CVec;
+	typedef Vec::iterator CVecIt;
+	typedef Vec::const_iterator CVecCIt;
+
+	// IdxVecs are vectors of indices of characters in a string.
+	typedef vector<int> IdxVec;
+	typedef IdxVec::iterator IdxVecIt;
+	typedef IdxVec::const_iterator IdxVecCIt;
+
+	BroString(int arg_final_NUL, byte_vec str, int arg_n);
+	BroString(const u_char* str, int arg_n, int add_NUL);
+	BroString(const char* str);
+	BroString(const string& str);
+	BroString(const BroString& bs);
+	BroString();
+	~BroString()	{ Reset(); }
+
+	const BroString& operator=(const BroString& bs);
+	bool operator==(const BroString& bs) const;
+	bool operator<(const BroString& bs) const;
+
+	byte_vec Bytes() const	{ return b; }
+	int Len() const	{ return n; }
+
+	// Releases the string's current contents, if any, and
+	// adopts the byte vector of given length.  The string will
+	// manage the memory occupied by the string afterwards.
+	//
+	void Adopt(byte_vec bytes, int len);
+
+	// Various flavors of methods that release the string's
+	// current contents, if any, and then set the string's
+	// contents to a copy of the string given by the arguments.
+	//
+	void Set(const u_char* str, int len, int add_NUL=1);
+	void Set(const char* str);
+	void Set(const string& str);
+	void Set(const BroString &str);
+
+	void SetUseFreeToDelete(int use_it)
+		{ use_free_to_delete = use_it; }
+
+	const char* CheckString() const;
+
+	enum render_style {
+		ESC_NONE = 0,
+
+		ESC_NULL = (1 << 0),	// 0 -> "\0"
+		ESC_DEL  = (1 << 1),	// DEL -> "^?"
+		ESC_LOW  = (1 << 2),	// values <= 26 mapped into "^[A-Z]"
+		ESC_ESC  = (1 << 3),	// '\' -> "\\"
+		ESC_QUOT = (1 << 4),	// '"' -> "\"", ''' -> "\'"
+		ESC_HEX  = (1 << 5),	// Not in [32, 126]? -> "%XX"
+		ESC_DOT  = (1 << 6),	// Not in [32, 126]? -> "."
+
+		// For serialization: '<string len> <string>'
+		ESC_SER  = (1 << 7),
+	};
+
+	static const int EXPANDED_STRING =	// the original style
+		ESC_NULL | ESC_DEL | ESC_LOW | ESC_HEX;
+
+	static const int BRO_STRING_LITERAL =	// as in a Bro string literal
+		ESC_ESC | ESC_QUOT | ESC_HEX;
+
+	// Renders a string into a newly allocated character array that
+	// you have to delete[].  You can combine the render styles given
+	// above to achieve the representation you desire.  If you pass a
+	// pointer to an integer as the final argument, you'll receive the
+	// entire length of the resulting char* in it.
+	//
+	// Note that you need to delete[] the resulting string.
+	//
+	char* Render(int format = EXPANDED_STRING, int* len = 0) const;
+
+	// Similar to the above, but useful for output streams.
+	// Also more useful for debugging purposes since no deallocation
+	// is required on your part here.
+	//
+	ostream& Render(ostream& os, int format = ESC_SER) const;
+
+	// Reads a string from an input stream.  Unless you use a render
+	// style combination that uses ESC_SER, note that the streams
+	// will consider whitespace as a field delimiter.
+	//
+	istream& Read(istream& is, int format = ESC_SER);
+
+	// XXX Fix redundancy: strings.bif implements both to_lower
+	// XXX and to_upper; the latter doesn't use BroString::ToUpper().
+	void ToUpper();
+
+	unsigned int MemoryAllocation() const
+		{ return padded_sizeof(*this) + pad_size(n + final_NUL); }
+
+	// Returns new string containing the substring of this string,
+	// starting at @start >= 0 for going up to @length elements,
+	// A negative @length means "until end of string".  Other invalid
+	// values result in a return value of 0.
+	//
+	BroString* GetSubstring(int start, int length) const;
+
+	// Returns the start index of s in this string, counting from 0.
+	// If s is not found, -1 is returned.
+	//
+	int FindSubstring(const BroString* s) const;
+
+	// Splits the string into substrings, taking all the indices in
+	// the given vector as cutting points.  The vector does not need
+	// to be sorted, and can have multiple entries.  Out-of-bounds
+	// indices are ignored.  All returned strings are newly allocated.
+	//
+	Vec* Split(const IdxVec& indices) const;
+
+	// Helper functions for vectors:
+	static VectorVal* VecToPolicy(Vec* vec);
+	static Vec* VecFromPolicy(VectorVal* vec);
+	static char* VecToString(const Vec* vec);
+
+protected:
+	void Reset();
+
+	byte_vec b;
+	int n;
+	unsigned int final_NUL:1;	// whether we have added a final NUL
+	unsigned int use_free_to_delete:1;	// free() vs. operator delete
+};
+
+// A comparison class that sorts pointers to BroString's according to
+// the length of the pointed-to strings. Sort order can be specified
+// through the constructor.
+//
+class BroStringLenCmp {
+public:
+	BroStringLenCmp(bool increasing = true) { _increasing = increasing; }
+	bool operator()(BroString*const& bst1, BroString*const& bst2);
+
+ private:
+	unsigned int _increasing;
+};
+
+// Default output stream operator, using rendering mode EXPANDED_STRING.
+ostream& operator<<(ostream& os, const BroString& bs);
+
+extern int Bstr_eq(const BroString* s1, const BroString* s2);
+extern int Bstr_cmp(const BroString* s1, const BroString* s2);
+
+// A data_chunk_t specifies a length-delimited constant string. It is
+// often used for substrings of other BroString's to avoid memory copy,
+// which would be necessary if BroString were used. Unlike BroString,
+// the string should not be deallocated on destruction.
+//
+// "BroConstString" might be a better name here.
+
+struct data_chunk_t {
+	int length;
+	const char* data;
+};
+
+extern BroString* concatenate(std::vector<data_chunk_t>& v);
+extern BroString* concatenate(BroString::Vec& v);
+extern BroString* concatenate(BroString::CVec& v);
+extern void delete_strings(std::vector<const BroString*>& v);
+
+#endif
diff --git a/src/CCL.cc b/src/CCL.cc
new file mode 100644
index 0000000000..326dcc7320
--- /dev/null
+++ b/src/CCL.cc
@@ -0,0 +1,45 @@
+// $Id: CCL.cc 6219 2008-10-01 05:39:07Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "config.h"
+
+#include "CCL.h"
+#include "RE.h"
+#include "DFA.h"
+
+CCL::CCL()
+	{
+	syms = new int_list;
+	index = -(rem->InsertCCL(this) + 1);
+	negated = 0;
+	}
+
+CCL::~CCL()
+	{
+	delete syms;
+	}
+
+void CCL::Negate()
+	{
+	negated = 1;
+	Add(SYM_BOL);
+	Add(SYM_EOL);
+	}
+
+void CCL::Add(int sym)
+	{
+	ptr_compat_int sym_p = ptr_compat_int(sym);
+
+	// Check to see if the character is already in the ccl.
+	for ( int i = 0; i < syms->length(); ++i )
+		if ( (*syms)[i] == sym_p )
+			return;
+
+	syms->append(sym_p);
+	}
+
+void CCL::Sort()
+	{
+	syms->sort(int_list_cmp);
+	}
diff --git a/src/CCL.h b/src/CCL.h
new file mode 100644
index 0000000000..760e64b6f9
--- /dev/null
+++ b/src/CCL.h
@@ -0,0 +1,39 @@
+// $Id: CCL.h 6219 2008-10-01 05:39:07Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#ifndef ccl_h
+#define ccl_h
+
+#include "List.h"
+
+declare(List,ptr_compat_int);
+typedef List(ptr_compat_int) int_list;
+
+class CCL {
+public:
+	CCL();
+	~CCL();
+
+	void Add(int sym);
+	void Negate();
+	int IsNegated()		{ return negated; }
+	int Index()		{ return index; }
+
+	void Sort();
+
+	int_list* Syms()	{ return syms; }
+
+	void ReplaceSyms(int_list* new_syms)
+				{ delete syms; syms = new_syms; }
+
+	unsigned int MemoryAllocation() const
+		{ return padded_sizeof(*this) + syms->MemoryAllocation(); }
+
+protected:
+	int_list* syms;
+	int negated;
+	int index;
+};
+
+#endif
diff --git a/src/ChunkedIO.cc b/src/ChunkedIO.cc
new file mode 100644
index 0000000000..7eb2158184
--- /dev/null
+++ b/src/ChunkedIO.cc
@@ -0,0 +1,1358 @@
+// $Id: ChunkedIO.cc 6888 2009-08-20 18:23:11Z vern $
+
+#include <unistd.h>
+#include <fcntl.h>
+#include <errno.h>
+#include <signal.h>
+#include <sys/time.h>
+#include <netinet/in.h>
+#include <assert.h>
+
+#include "config.h"
+#include "ChunkedIO.h"
+#include "NetVar.h"
+#include "RemoteSerializer.h"
+
+ChunkedIO::ChunkedIO()
+	{
+	pure = false;
+	}
+
+void ChunkedIO::Stats(char* buffer, int length)
+	{
+	safe_snprintf(buffer, length,
+		      "bytes=%luK/%luK chunks=%lu/%lu io=%lu/%lu bytes/io=%.2fK/%.2fK",
+		      stats.bytes_read / 1024, stats.bytes_written / 1024,
+		      stats.chunks_read, stats.chunks_written,
+		      stats.reads, stats.writes,
+		      stats.bytes_read / (1024.0 * stats.reads),
+		      stats.bytes_written / (1024.0 * stats.writes));
+	}
+
+#ifdef DEBUG_COMMUNICATION
+
+void ChunkedIO::AddToBuffer(uint32 len, char* data, bool is_read)
+	{
+	Chunk* copy = new Chunk;
+	copy->len = len;
+	copy->data = new char[len];
+	memcpy(copy->data, data, len);
+
+	std::list<Chunk*>* l = is_read ? &data_read : &data_written;
+	l->push_back(copy);
+
+	if ( l->size() > DEBUG_COMMUNICATION )
+		{
+		Chunk* old = l->front();
+		l->pop_front();
+		delete [] old->data;
+		delete old;
+		}
+	}
+
+void ChunkedIO::AddToBuffer(Chunk* chunk, bool is_read)
+	{
+	AddToBuffer(chunk->len, chunk->data, is_read);
+	}
+
+void ChunkedIO::DumpDebugData(const char* basefnname, bool want_reads)
+	{
+	std::list<Chunk*>* l = want_reads ? &data_read : &data_written;
+
+	int count = 0;
+
+	for ( std::list<Chunk*>::iterator i = l->begin(); i != l->end(); ++i )
+		{
+		static char buffer[128];
+		snprintf(buffer, sizeof(buffer), "%s.%s.%d", basefnname,
+				 want_reads ? "read" : "write", ++count);
+		buffer[sizeof(buffer) - 1] = '\0';
+
+		int fd = open(buffer, O_WRONLY | O_CREAT | O_TRUNC, 0600);
+		if ( fd < 0 )
+			continue;
+
+		ChunkedIOFd io(fd, "dump-file");
+		io.Write(*i);
+		io.Flush();
+		close(fd);
+		}
+
+	l->clear();
+	}
+
+#endif
+
+ChunkedIOFd::ChunkedIOFd(int arg_fd, const char* arg_tag, pid_t arg_pid)
+	{
+	int flags;
+
+	tag = arg_tag;
+	fd = arg_fd;
+	eof = 0;
+	last_flush = current_time();
+	failed_reads = 0;
+
+	if ( (flags = fcntl(fd, F_GETFL, 0)) < 0)
+		{
+		Log(fmt("can't obtain socket flags: %s", strerror(errno)));
+		exit(1);
+		}
+
+	if ( fcntl(fd, F_SETFL, flags|O_NONBLOCK) < 0 )
+		{
+		Log(fmt("can't set fd to non-blocking: %s (%d)",
+			  strerror(errno), getpid()));
+		exit(1);
+		}
+
+	read_buffer = new char[BUFFER_SIZE];
+	read_len = 0;
+	read_pos = 0;
+	partial = 0;
+	write_buffer = new char[BUFFER_SIZE];
+	write_len = 0;
+	write_pos = 0;
+
+	pending_head = 0;
+	pending_tail = 0;
+
+	pid = arg_pid;
+	}
+
+ChunkedIOFd::~ChunkedIOFd()
+	{
+	Clear();
+
+	delete [] read_buffer;
+	delete [] write_buffer;
+	close(fd);
+
+	if ( partial )
+		{
+		delete [] partial->data;
+		delete partial;
+		}
+	}
+
+bool ChunkedIOFd::Write(Chunk* chunk)
+	{
+#ifdef DEBUG
+	DBG_LOG(DBG_CHUNKEDIO, "write of size %d [%s]",
+		chunk->len, fmt_bytes(chunk->data, min(20, chunk->len)));
+#endif
+
+	// Reject if our queue of pending chunks is way too large. Otherwise,
+	// memory could fill up if the other side doesn't read.
+	if ( stats.pending > MAX_BUFFERED_CHUNKS )
+		{
+		DBG_LOG(DBG_CHUNKEDIO, "write queue full");
+
+#ifdef DEBUG_COMMUNICATION
+		AddToBuffer("<false:write-queue-full>", false);
+#endif
+
+		errno = ENOSPC;
+		return false;
+		}
+
+#ifdef DEBUG_COMMUNICATION
+	AddToBuffer(chunk, false);
+#endif
+
+	if ( chunk->len <= BUFFER_SIZE - sizeof(uint32) )
+		return WriteChunk(chunk, false);
+
+	// We have to split it up.
+	char* p = chunk->data;
+	unsigned long left = chunk->len;
+
+	while ( left )
+		{
+		Chunk* part = new Chunk;
+
+		part->len = min(BUFFER_SIZE - sizeof(uint32), left);
+		part->data = new char[part->len];
+		memcpy(part->data, p, part->len);
+		left -= part->len;
+		p += part->len;
+
+		if ( ! WriteChunk(part, left != 0) )
+			return false;
+		}
+
+	delete [] chunk->data;
+	delete chunk;
+
+	return true;
+	}
+
+bool ChunkedIOFd::WriteChunk(Chunk* chunk, bool partial)
+	{
+	assert(chunk->len <= BUFFER_SIZE - sizeof(uint32) );
+
+	if ( chunk->len == 0 )
+		internal_error( "attempt to write 0 bytes chunk");
+
+	if ( partial )
+		chunk->len |= FLAG_PARTIAL;
+
+	++stats.chunks_written;
+
+	// If it fits into the buffer, we're done (but keep care not
+	// to reorder chunks).
+	if ( ! pending_head && PutIntoWriteBuffer(chunk) )
+		return true;
+
+	// Otherwise queue it.
+	++stats.pending;
+	ChunkQueue* q = new ChunkQueue;
+	q->chunk = chunk;
+	q->next = 0;
+
+	if ( pending_tail )
+		{
+		pending_tail->next = q;
+		pending_tail = q;
+		}
+	else
+		pending_head = pending_tail = q;
+
+	return Flush();
+	}
+
+
+bool ChunkedIOFd::PutIntoWriteBuffer(Chunk* chunk)
+	{
+	uint32 len = chunk->len & ~FLAG_PARTIAL;
+
+	if ( write_len + len + (IsPure() ? 0 : sizeof(len)) > BUFFER_SIZE )
+		return false;
+
+	if ( ! IsPure() )
+		{
+		uint32 nlen = htonl(chunk->len);
+		memcpy(write_buffer + write_len, &nlen, sizeof(nlen));
+		write_len += sizeof(nlen);
+		}
+
+	memcpy(write_buffer + write_len, chunk->data, len);
+	write_len += len;
+
+	delete [] chunk->data;
+	delete chunk;
+
+	if ( network_time - last_flush > 0.005 )
+		FlushWriteBuffer();
+
+	return true;
+	}
+
+bool ChunkedIOFd::FlushWriteBuffer()
+	{
+	last_flush = network_time;
+
+	while ( write_pos != write_len )
+		{
+		uint32 len = write_len - write_pos;
+
+		int written = write(fd, write_buffer + write_pos, len);
+
+		if ( written < 0 )
+			{
+			if ( errno == EPIPE )
+				eof = true;
+
+			if ( errno != EINTR )
+				// These errnos are equal on POSIX.
+				return errno == EWOULDBLOCK || errno == EAGAIN;
+
+			else
+				written = 0;
+			}
+
+		stats.bytes_written += written;
+		if ( written > 0 )
+			++stats.writes;
+
+		if ( unsigned(written) == len )
+			{
+			write_pos = write_len = 0;
+			return true;
+			}
+
+		if ( written == 0 )
+			internal_error("written==0");
+
+		// Short write.
+		write_pos += written;
+		}
+
+	return true;
+	}
+
+bool ChunkedIOFd::OptionalFlush()
+	{
+	// This threshhold is quite arbitrary.
+//	if ( current_time() - last_flush > 0.01 )
+	return Flush();
+	}
+
+bool ChunkedIOFd::Flush()
+	{
+	// Try to write data out.
+	while ( pending_head )
+		{
+		if ( ! FlushWriteBuffer() )
+			return false;
+
+		// If we couldn't write the whole buffer, we stop here
+		// and try again next time.
+		if ( write_len > 0 )
+			return true;
+
+		// Put as many pending chunks into the buffer as possible.
+		while ( pending_head )
+			{
+			if ( ! PutIntoWriteBuffer(pending_head->chunk) )
+				break;
+
+			ChunkQueue* q = pending_head;
+			pending_head = pending_head->next;
+			if ( ! pending_head )
+				pending_tail = 0;
+
+			--stats.pending;
+			delete q;
+			}
+		}
+
+	return FlushWriteBuffer();
+	}
+
+uint32 ChunkedIOFd::ChunkAvailable()
+	{
+	int bytes_left = read_len - read_pos;
+
+	if ( bytes_left < int(sizeof(uint32)) )
+		return 0;
+
+	bytes_left -= sizeof(uint32);
+
+	// We have to copy the value here as it may not be
+	// aligned correctly in the data.
+	uint32 len;
+	memcpy(&len, read_buffer + read_pos, sizeof(len));
+	len = ntohl(len);
+
+	if ( uint32(bytes_left) < (len & ~FLAG_PARTIAL) )
+		return 0;
+
+	assert(len & ~FLAG_PARTIAL);
+
+	return len;
+	}
+
+ChunkedIO::Chunk* ChunkedIOFd::ExtractChunk()
+	{
+	uint32 len = ChunkAvailable();
+	uint32 real_len = len & ~FLAG_PARTIAL;
+	if ( ! real_len )
+		return 0;
+
+	read_pos += sizeof(uint32);
+
+	Chunk* chunk = new Chunk;
+	chunk->len = len;
+	chunk->data = new char[real_len];
+	memcpy(chunk->data, read_buffer + read_pos, real_len);
+	read_pos += real_len;
+
+	++stats.chunks_read;
+
+	return chunk;
+	}
+
+ChunkedIO::Chunk* ChunkedIOFd::ConcatChunks(Chunk* c1, Chunk* c2)
+	{
+	Chunk* c = new Chunk;
+
+	c->len = c1->len + c2->len;
+	c->data = new char[c->len];
+
+	memcpy(c->data, c1->data, c1->len);
+	memcpy(c->data + c1->len, c2->data, c2->len);
+
+	delete [] c1->data;
+	delete c1;
+	delete [] c2->data;
+	delete c2;
+
+	return c;
+	}
+
+void ChunkedIO::Log(const char* str)
+	{
+	RemoteSerializer::Log(RemoteSerializer::LogError, str);
+	}
+
+bool ChunkedIOFd::Read(Chunk** chunk, bool may_block)
+	{
+	*chunk = 0;
+
+	// We will be called regularly. So take the opportunity
+	// to flush the write buffer once in a while.
+	OptionalFlush();
+
+	if ( ! ReadChunk(chunk, may_block) )
+		{
+#ifdef DEBUG_COMMUNICATION
+		AddToBuffer("<false:read-chunk>", true);
+#endif
+		return false;
+		}
+
+	if ( ! *chunk )
+		{
+#ifdef DEBUG_COMMUNICATION
+		AddToBuffer("<null:no-data>", true);
+#endif
+		return true;
+		}
+
+#ifdef DEBUG
+	if ( *chunk )
+		DBG_LOG(DBG_CHUNKEDIO, "read of size %d %s[%s]",
+				(*chunk)->len & ~FLAG_PARTIAL,
+				(*chunk)->len & FLAG_PARTIAL ? "(P) " : "",
+				fmt_bytes((*chunk)->data,
+						min(20, (*chunk)->len)));
+#endif
+
+	if ( ! ((*chunk)->len & FLAG_PARTIAL) )
+		{
+		if ( ! partial )
+			{
+#ifdef DEBUG_COMMUNICATION
+			AddToBuffer(*chunk, true);
+#endif
+			return true;
+			}
+		else
+			{
+			// This is the last chunk of an oversized one.
+			*chunk = ConcatChunks(partial, *chunk);
+			partial = 0;
+
+#ifdef DEBUG
+			if ( *chunk )
+				DBG_LOG(DBG_CHUNKEDIO,
+					"built virtual chunk of size %d [%s]",
+					(*chunk)->len,
+					fmt_bytes((*chunk)->data, 20));
+#endif
+
+#ifdef DEBUG_COMMUNICATION
+			AddToBuffer(*chunk, true);
+#endif
+			return true;
+			}
+		}
+
+	// This chunk is the non-last part of an oversized.
+	(*chunk)->len &= ~FLAG_PARTIAL;
+
+	if ( ! partial )
+		// First part of oversized chunk.
+		partial = *chunk;
+	else
+		partial = ConcatChunks(partial, *chunk);
+
+#ifdef DEBUG_COMMUNICATION
+	AddToBuffer("<null:partial>", true);
+#endif
+
+	*chunk = 0;
+	return true; // Read following part next time.
+	}
+
+bool ChunkedIOFd::ReadChunk(Chunk** chunk, bool may_block)
+	{
+	// We will be called regularly. So take the opportunity
+	// to flush the write buffer once in a while.
+	OptionalFlush();
+
+	*chunk = ExtractChunk();
+	if ( *chunk )
+		return true;
+
+	int bytes_left = read_len - read_pos;
+
+	// If we have a partial chunk left, move this to the head of
+	// the buffer.
+	if ( bytes_left )
+		memmove(read_buffer, read_buffer + read_pos, bytes_left);
+
+	read_pos = 0;
+	read_len = bytes_left;
+
+	// If allowed, wait a bit for something to read.
+	if ( may_block )
+		{
+		fd_set fd_read, fd_write, fd_except;
+
+		FD_ZERO(&fd_read);
+		FD_ZERO(&fd_write);
+		FD_ZERO(&fd_except);
+		FD_SET(fd, &fd_read);
+
+		struct timeval small_timeout;
+		small_timeout.tv_sec = 0;
+		small_timeout.tv_usec = 50;
+
+		select(fd + 1, &fd_read, &fd_write, &fd_except, &small_timeout);
+		}
+
+	// Make sure the process is still runnning
+	// (only checking for EPIPE after a read doesn't
+	// seem to be sufficient).
+	if ( pid && kill(pid, 0) < 0 && errno != EPERM )
+		{
+		eof = true;
+		errno = EPIPE;
+		return false;
+		}
+
+	// Try to fill the buffer.
+	while ( true )
+		{
+		int len = BUFFER_SIZE - read_len;
+		int read = ::read(fd, read_buffer + read_len, len);
+
+		if ( read < 0 )
+			{
+			if ( errno != EINTR )
+				{
+				// These errnos are equal on POSIX.
+				if ( errno == EWOULDBLOCK || errno == EAGAIN )
+					{
+					// Let's see if we have a chunk now --
+					// even if we time out, we may have read
+					// just enough in previous iterations!
+					*chunk = ExtractChunk();
+					++failed_reads;
+					return true;
+					}
+
+				if ( errno == EPIPE )
+					eof = true;
+
+				return false;
+				}
+
+			else
+				read = 0;
+			}
+
+		failed_reads = 0;
+
+		if ( read == 0 && len != 0 )
+			{
+			*chunk = ExtractChunk();
+			if ( *chunk )
+				return true;
+
+			eof = true;
+			return false;
+			}
+
+		read_len += read;
+
+		++stats.reads;
+		stats.bytes_read += read;
+
+		if ( read == len )
+			break;
+		}
+
+	// Let's see if we have a chunk now.
+	*chunk = ExtractChunk();
+
+	return true;
+	}
+
+bool ChunkedIOFd::CanRead()
+	{
+	// We will be called regularly. So take the opportunity
+	// to flush the write buffer once in a while.
+	OptionalFlush();
+
+	if ( ChunkAvailable() )
+		return true;
+
+	fd_set fd_read;
+	FD_ZERO(&fd_read);
+	FD_SET(fd, &fd_read);
+
+	struct timeval no_timeout;
+	no_timeout.tv_sec = 0;
+	no_timeout.tv_usec = 0;
+
+	return select(fd + 1, &fd_read, 0, 0, &no_timeout) > 0;
+	}
+
+bool ChunkedIOFd::CanWrite()
+	{
+	return pending_head != 0;
+	}
+
+bool ChunkedIOFd::IsIdle()
+	{
+	if ( pending_head || ChunkAvailable() )
+		return false;
+
+	if ( failed_reads > 0 )
+		return true;
+
+	return false;
+	}
+
+bool ChunkedIOFd::IsFillingUp()
+	{
+	return stats.pending > MAX_BUFFERED_CHUNKS_SOFT;
+	}
+
+void ChunkedIOFd::Clear()
+	{
+	while ( pending_head )
+		{
+		ChunkQueue* next = pending_head->next;
+		delete [] pending_head->chunk->data;
+		delete pending_head->chunk;
+		delete pending_head;
+		pending_head = next;
+		}
+
+	pending_head = pending_tail = 0;
+	}
+
+const char* ChunkedIOFd::Error()
+	{
+	static char buffer[1024];
+	safe_snprintf(buffer, sizeof(buffer), "%s [%d]", strerror(errno), errno);
+
+	return buffer;
+	}
+
+void ChunkedIOFd::Stats(char* buffer, int length)
+	{
+	int i = safe_snprintf(buffer, length, "pending=%d ", stats.pending);
+	ChunkedIO::Stats(buffer + i, length - i);
+	}
+
+
+#ifdef USE_OPENSSL
+
+#include <openssl/ssl.h>
+
+SSL_CTX* ChunkedIOSSL::ctx;
+
+ChunkedIOSSL::ChunkedIOSSL(int arg_socket, bool arg_server)
+	{
+	socket = arg_socket;
+	eof = false;
+	setup = false;
+	server = arg_server;
+	ssl = 0;
+
+	write_state = LEN;
+	write_head = 0;
+	write_tail = 0;
+
+	read_state = LEN;
+	read_chunk = 0;
+	read_ptr = 0;
+	}
+
+ChunkedIOSSL::~ChunkedIOSSL()
+	{
+	if ( setup )
+		{
+		SSL_shutdown(ssl);
+
+		// We don't care if the other side closes properly.
+		setup = false;
+		}
+
+	if ( ssl )
+		{
+		SSL_free(ssl);
+		ssl = 0;
+		}
+
+	close(socket);
+	}
+
+
+static int pem_passwd_cb(char* buf, int size, int rwflag, void* passphrase)
+	{
+	safe_strncpy(buf, (char*) passphrase, size);
+	buf[size - 1] = '\0';
+	return strlen(buf);
+	}
+
+bool ChunkedIOSSL::Init()
+	{
+	// If the handshake doesn't succeed immediately we will
+	// be called multiple times.
+	if ( ! ctx )
+		{
+		SSL_load_error_strings();
+
+		ctx = SSL_CTX_new(SSLv3_method());
+		if ( ! ctx )
+			{
+			Log("can't create SSL context");
+			return false;
+			}
+
+		// We access global variables here. But as they are
+		// declared const and we don't modify them this should
+		// be fine.
+		const char* key = ssl_private_key->AsString()->CheckString();
+
+		if ( ! (key && *key &&
+			SSL_CTX_use_certificate_chain_file(ctx, key)) )
+			{
+			Log(fmt("can't read certificate from file %s", key));
+			return false;
+			}
+
+		const char* passphrase =
+			ssl_passphrase->AsString()->CheckString();
+
+		if ( passphrase && ! streq(passphrase, "<undefined>") )
+			{
+			SSL_CTX_set_default_passwd_cb(ctx, pem_passwd_cb);
+			SSL_CTX_set_default_passwd_cb_userdata(ctx,
+							(void*) passphrase);
+			}
+
+		if ( ! (key && *key &&
+			SSL_CTX_use_PrivateKey_file(ctx, key, SSL_FILETYPE_PEM)) )
+			{
+			Log(fmt("can't read private key from file %s", key));
+			return false;
+			}
+
+		const char* ca = ssl_ca_certificate->AsString()->CheckString();
+		if ( ! (ca && *ca && SSL_CTX_load_verify_locations(ctx, ca, 0)) )
+			{
+			Log(fmt("can't read CA certificate from file %s", ca));
+			return false;
+			}
+
+		// Only use real ciphers.
+		if ( ! SSL_CTX_set_cipher_list(ctx, "HIGH") )
+			{
+			Log("can't set cipher list");
+			return false;
+			}
+
+		// Require client certificate.
+		SSL_CTX_set_verify(ctx,
+			SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, 0);
+		}
+
+	int flags;
+
+	if ( (flags = fcntl(socket, F_GETFL, 0)) < 0)
+		{
+		Log(fmt("can't obtain socket flags: %s", strerror(errno)));
+		return false;
+		}
+
+	if ( fcntl(socket, F_SETFL, flags|O_NONBLOCK) < 0 )
+		{
+		Log(fmt("can't set socket to non-blocking: %s",
+			  strerror(errno)));
+		return false;
+		}
+
+	if ( ! ssl )
+		{
+		ssl = SSL_new(ctx);
+		if ( ! ssl )
+			{
+			Log("can't create SSL object");
+			return false;
+			}
+
+		BIO* bio = BIO_new_socket(socket, BIO_NOCLOSE);
+		BIO_set_nbio(bio, 1);
+		SSL_set_bio(ssl, bio, bio);
+		}
+
+	int success;
+	if ( server )
+		success = last_ret = SSL_accept(ssl);
+	else
+		success = last_ret = SSL_connect(ssl);
+
+	if ( success > 0 )
+		{ // handshake done
+		setup = true;
+		return true;
+		}
+
+	int error = SSL_get_error(ssl, success);
+
+	if ( success <= 0 &&
+	     (error == SSL_ERROR_WANT_WRITE || error == SSL_ERROR_WANT_READ) )
+		// Handshake not finished yet, but that's ok for now.
+		return true;
+
+	// Some error.
+	eof = true;
+	return false;
+	}
+
+bool ChunkedIOSSL::Write(Chunk* chunk)
+	{
+#ifdef DEBUG
+	DBG_LOG(DBG_CHUNKEDIO, "ssl write of size %d [%s]",
+		chunk->len, fmt_bytes(chunk->data, 20));
+#endif
+
+	// Reject if our queue of pending chunks is way too large. Otherwise,
+	// memory could fill up if the other side doesn't read.
+	if ( stats.pending > MAX_BUFFERED_CHUNKS )
+		{
+		DBG_LOG(DBG_CHUNKEDIO, "write queue full");
+		errno = ENOSPC;
+		return false;
+		}
+
+	// Queue it.
+	++stats.pending;
+	Queue* q = new Queue;
+	q->chunk = chunk;
+	q->next = 0;
+
+	// Temporarily convert len into network byte order.
+	chunk->len = htonl(chunk->len);
+
+	if ( write_tail )
+		{
+		write_tail->next = q;
+		write_tail = q;
+		}
+	else
+		write_head = write_tail = q;
+
+	Flush();
+	return true;
+	}
+
+bool ChunkedIOSSL::WriteData(char* p, uint32 len, bool* error)
+	{
+	*error = false;
+
+	double t = current_time();
+
+	int written = last_ret = SSL_write(ssl, p, len);
+
+	switch ( SSL_get_error(ssl, written) ) {
+		case SSL_ERROR_NONE:
+			// SSL guarantees us that all bytes have been written.
+			// That's nice. :-)
+			return true;
+
+		case SSL_ERROR_WANT_READ:
+		case SSL_ERROR_WANT_WRITE:
+			// Would block.
+			DBG_LOG(DBG_CHUNKEDIO,
+				"SSL_write: SSL_ERROR_WANT_READ [%d,%d]",
+				written, SSL_get_error(ssl, written));
+			*error = false;
+			return false;
+
+		case SSL_ERROR_ZERO_RETURN:
+			// Regular remote connection shutdown.
+			DBG_LOG(DBG_CHUNKEDIO,
+				"SSL_write: SSL_ZERO_RETURN [%d,%d]",
+				written, SSL_get_error(ssl, written));
+			*error = eof = true;
+			return false;
+
+		case SSL_ERROR_SYSCALL:
+			DBG_LOG(DBG_CHUNKEDIO,
+				"SSL_write: SSL_SYS_CALL [%d,%d]",
+				written, SSL_get_error(ssl, written));
+
+			if ( written == 0 )
+				{
+				// Socket connection closed.
+				*error = eof = true;
+				return false;
+				}
+
+			// Fall through.
+
+		default:
+			DBG_LOG(DBG_CHUNKEDIO,
+				"SSL_write: fatal error [%d,%d]",
+				written, SSL_get_error(ssl, written));
+			// Fatal SSL error.
+			*error = true;
+			return false;
+	}
+
+	internal_error("can't be reached");
+	return false;
+	}
+
+bool ChunkedIOSSL::Flush()
+	{
+	if ( ! setup )
+		{
+		// We may need to finish the handshake.
+		if ( ! Init() )
+			return false;
+		if ( ! setup )
+			return true;
+		}
+
+	while ( write_head )
+		{
+		bool error;
+
+		Chunk* c = write_head->chunk;
+
+		if ( write_state == LEN )
+			{
+			if ( ! WriteData((char*)&c->len, sizeof(c->len), &error) )
+				return ! error;
+			write_state = DATA;
+
+			// Convert back from network byte order.
+			c->len = ntohl(c->len);
+			}
+
+		if ( ! WriteData(c->data, c->len, &error) )
+			return ! error;
+
+		// Chunk written, throw away.
+		Queue* q = write_head;
+		write_head = write_head->next;
+		if ( ! write_head )
+			write_tail = 0;
+		--stats.pending;
+		delete q;
+
+		delete [] c->data;
+		delete c;
+
+		write_state = LEN;
+		}
+
+	return true;
+	}
+
+bool ChunkedIOSSL::ReadData(char* p, uint32 len, bool* error)
+	{
+	if ( ! read_ptr )
+		read_ptr = p;
+
+	while ( true )
+		{
+		double t = current_time();
+
+		int read = last_ret =
+			SSL_read(ssl, read_ptr, len - (read_ptr - p));
+
+		switch ( SSL_get_error(ssl, read) ) {
+		case SSL_ERROR_NONE:
+			// We're fine.
+			read_ptr += read;
+
+			if ( unsigned(read_ptr - p) == len )
+				{
+				// We have read as much as requested..
+				read_ptr = 0;
+				*error = false;
+				return true;
+				}
+
+			break;
+
+		case SSL_ERROR_WANT_READ:
+		case SSL_ERROR_WANT_WRITE:
+			// Would block.
+			DBG_LOG(DBG_CHUNKEDIO,
+				"SSL_read: SSL_ERROR_WANT_READ [%d,%d]",
+				read, SSL_get_error(ssl, read));
+			*error = false;
+			return false;
+
+		case SSL_ERROR_ZERO_RETURN:
+			// Regular remote connection shutdown.
+			DBG_LOG(DBG_CHUNKEDIO,
+				"SSL_read: SSL_ZERO_RETURN [%d,%d]",
+				read, SSL_get_error(ssl, read));
+			*error = eof = true;
+			return false;
+
+		case SSL_ERROR_SYSCALL:
+			DBG_LOG(DBG_CHUNKEDIO, "SSL_read: SSL_SYS_CALL [%d,%d]",
+				read, SSL_get_error(ssl, read));
+
+			if ( read == 0 )
+				{
+				// Socket connection closed.
+				*error = eof = true;
+				return false;
+				}
+
+			// Fall through.
+
+		default:
+			DBG_LOG(DBG_CHUNKEDIO,
+				"SSL_read: fatal error [%d,%d]",
+				read, SSL_get_error(ssl, read));
+
+			// Fatal SSL error.
+			*error = true;
+			return false;
+		}
+		}
+
+	// Can't be reached.
+	internal_error("can't be reached");
+	return false;
+	}
+
+bool ChunkedIOSSL::Read(Chunk** chunk, bool mayblock)
+	{
+	*chunk = 0;
+
+	if ( ! setup )
+		{
+		// We may need to finish the handshake.
+		if ( ! Init() )
+			return false;
+		if ( ! setup )
+			return true;
+		}
+
+	bool error;
+
+	Flush();
+
+	if ( read_state == LEN )
+		{
+		if ( ! read_chunk )
+			{
+			read_chunk = new Chunk;
+			read_chunk->data = 0;
+			}
+
+		if ( ! ReadData((char*)&read_chunk->len,
+				sizeof(read_chunk->len),
+				&error) )
+			return ! error;
+
+		read_state = DATA;
+		read_chunk->len = ntohl(read_chunk->len);
+		}
+
+	if ( ! read_chunk->data )
+		read_chunk->data = new char[read_chunk->len];
+
+	if ( ! ReadData(read_chunk->data, read_chunk->len, &error) )
+		return ! error;
+
+	// Chunk fully read. Pass it on.
+	*chunk = read_chunk;
+	read_chunk = 0;
+	read_state = LEN;
+
+#ifdef DEBUG
+	if ( *chunk )
+		DBG_LOG(DBG_CHUNKEDIO, "ssl read of size %d [%s]",
+			(*chunk)->len, fmt_bytes((*chunk)->data, 20));
+#endif
+
+	return true;
+	}
+
+bool ChunkedIOSSL::CanRead()
+	{
+	// We will be called regularly. So take the opportunity
+	// to flush the write buffer.
+	Flush();
+
+	if ( SSL_pending(ssl) )
+		return true;
+
+	fd_set fd_read;
+	FD_ZERO(&fd_read);
+	FD_SET(socket, &fd_read);
+
+	struct timeval notimeout;
+	notimeout.tv_sec = 0;
+	notimeout.tv_usec = 0;
+
+	return select(socket + 1, &fd_read, NULL, NULL, &notimeout) > 0;
+	}
+
+bool ChunkedIOSSL::CanWrite()
+	{
+	return write_head != 0;
+	}
+
+bool ChunkedIOSSL::IsIdle()
+	{
+	return ! (CanRead() || CanWrite());
+	}
+
+bool ChunkedIOSSL::IsFillingUp()
+	{
+	// We don't really need this at the moment (since SSL is only used for
+	// peer-to-peer communication). Thus, we always return false for now.
+	return false;
+	}
+
+void ChunkedIOSSL::Clear()
+	{
+	while ( write_head )
+		{
+		Queue* next = write_head->next;
+		delete [] write_head->chunk->data;
+		delete write_head->chunk;
+		delete write_head;
+		write_head = next;
+		}
+	write_head = write_tail = 0;
+	}
+
+const char* ChunkedIOSSL::Error()
+	{
+	const int BUFLEN = 512;
+	static char buffer[BUFLEN];
+
+	int sslcode = SSL_get_error(ssl, last_ret);
+	int errcode = ERR_get_error();
+
+	int count = safe_snprintf(buffer, BUFLEN, "[%d,%d,%d] SSL error: ",
+					errcode, sslcode, last_ret);
+
+	if ( errcode )
+		ERR_error_string_n(errcode, buffer + count, BUFLEN - count);
+
+	else if ( sslcode == SSL_ERROR_SYSCALL )
+		{
+		if ( last_ret )
+			// Look at errno.
+			safe_snprintf(buffer + count, BUFLEN - count,
+					"syscall: %s", strerror(errno));
+		else
+			// Errno is not valid in this case.
+			safe_strncpy(buffer + count,
+					"syscall: unexpected end-of-file",
+					BUFLEN - count);
+		}
+	else
+		safe_strncpy(buffer + count, "unknown error", BUFLEN - count);
+
+	return buffer;
+	}
+
+void ChunkedIOSSL::Stats(char* buffer, int length)
+	{
+	int i = safe_snprintf(buffer, length, "pending=%ld ", stats.pending);
+	ChunkedIO::Stats(buffer + i, length - i);
+	}
+
+#endif	/* USE_OPENSSL */
+
+#ifdef HAVE_LIBZ
+
+bool CompressedChunkedIO::Init()
+	{
+	zin.zalloc = 0;
+	zin.zfree = 0;
+	zin.opaque = 0;
+
+	zout.zalloc = 0;
+	zout.zfree = 0;
+	zout.opaque = 0;
+
+	compress = uncompress = false;
+	error = 0;
+	uncompressed_bytes_read	= 0;
+	uncompressed_bytes_written = 0;
+
+	return true;
+	}
+
+bool CompressedChunkedIO::Read(Chunk** chunk, bool may_block)
+	{
+	if ( ! io->Read(chunk, may_block) )
+		return false;
+
+	if ( ! uncompress )
+		return true;
+
+	if ( ! *chunk )
+		return true;
+
+	uint32 uncompressed_len =
+		*(uint32*)((*chunk)->data + (*chunk)->len - sizeof(uint32));
+
+	if ( uncompressed_len == 0 )
+		{
+		// Not compressed.
+		DBG_LOG(DBG_CHUNKEDIO, "zlib read pass-through: size=%d",
+			(*chunk)->len);
+		return true;
+		}
+
+	char* uncompressed = new char[uncompressed_len];
+
+	DBG_LOG(DBG_CHUNKEDIO, "zlib read: size=%d uncompressed=%d",
+		(*chunk)->len, uncompressed_len);
+
+	zin.next_in = (Bytef*) (*chunk)->data;
+	zin.avail_in = (*chunk)->len - sizeof(uint32);
+	zin.next_out = (Bytef*) uncompressed;
+	zin.avail_out = uncompressed_len;
+
+	if ( inflate(&zin, Z_SYNC_FLUSH) != Z_OK )
+		{
+		error = zin.msg;
+		return false;
+		}
+
+	if ( zin.avail_in > 0 )
+		{
+		error = "compressed data longer than expected";
+		return false;
+		}
+
+	delete [] (*chunk)->data;
+
+	uncompressed_bytes_read += uncompressed_len;
+
+	(*chunk)->len = uncompressed_len;
+	(*chunk)->data = uncompressed;
+
+	return true;
+	}
+
+bool CompressedChunkedIO::Write(Chunk* chunk)
+	{
+	if ( (! compress) || IsPure() )
+		// No compression.
+		return io->Write(chunk);
+
+	// We compress block-wise (rather than stream-wise) because:
+	//
+	// (1) it's significantly easier to implement due to our block-oriented
+	// communication model (with a stream compression, we'd need to chop
+	// the stream into blocks during decompression which would require
+	// additional buffering and copying).
+	//
+	// (2) it ensures that we do not introduce any additional latencies (a
+	// stream compression may decide to wait for the next chunk of data
+	// before writing anything out).
+	//
+	// The block-wise compression comes at the cost of a smaller compression
+	// factor.
+	//
+	// A compressed chunk's data looks like this:
+	//   char[] compressed data
+	//   uint32 uncompressed_length
+	//
+	// By including uncompressed_length, we again trade easier
+	// decompression for a smaller reduction factor. If uncompressed_length
+	// is zero, the data is *not* compressed.
+
+	uncompressed_bytes_written += chunk->len;
+	uint32 original_size = chunk->len;
+
+	char* compressed = new char[chunk->len + sizeof(uint32)];
+
+	if ( chunk->len < MIN_COMPRESS_SIZE )
+		{
+		// Too small; not worth any compression.
+		memcpy(compressed, chunk->data, chunk->len);
+		*(uint32*) (compressed + chunk->len) = 0; // uncompressed_length
+
+		delete [] chunk->data;
+		chunk->data = compressed;
+		chunk->len += 4;
+
+		DBG_LOG(DBG_CHUNKEDIO, "zlib write pass-through: size=%d", chunk->len);
+		}
+	else
+		{
+		zout.next_in = (Bytef*) chunk->data;
+		zout.avail_in = chunk->len;
+		zout.next_out = (Bytef*) compressed;
+		zout.avail_out = chunk->len;
+
+		if ( deflate(&zout, Z_SYNC_FLUSH) != Z_OK )
+			{
+			error = zout.msg;
+			return false;
+			}
+
+		while ( zout.avail_out == 0 )
+			{
+			// D'oh! Not enough space, i.e., it hasn't got smaller.
+			char* old = compressed;
+			int old_size = (char*) zout.next_out - compressed;
+			int new_size = old_size * 2 + sizeof(uint32);
+
+			compressed = new char[new_size];
+			memcpy(compressed, old, old_size);
+			delete [] old;
+
+			zout.next_out = (Bytef*) (compressed + old_size);
+			zout.avail_out = old_size; // Sic! We doubled.
+
+			if ( deflate(&zout, Z_SYNC_FLUSH) != Z_OK )
+				{
+				error = zout.msg;
+				return false;
+				}
+			}
+
+		*(uint32*) zout.next_out = original_size; // uncompressed_length
+
+		delete [] chunk->data;
+		chunk->data = compressed;
+		chunk->len =
+			((char*) zout.next_out - compressed) + sizeof(uint32);
+
+		DBG_LOG(DBG_CHUNKEDIO, "zlib write: size=%d compressed=%d",
+			original_size, chunk->len);
+		}
+
+	return io->Write(chunk);
+	}
+
+void CompressedChunkedIO::Stats(char* buffer, int length)
+	{
+	const Statistics* stats = io->Stats();
+
+	int i = snprintf(buffer, length, "compression=%.2f/%.2f ",
+			uncompressed_bytes_read ? double(stats->bytes_read) / uncompressed_bytes_read : -1,
+			uncompressed_bytes_written ? double(stats->bytes_written) / uncompressed_bytes_written : -1 );
+
+	io->Stats(buffer + i, length - i);
+	buffer[length-1] = '\0';
+	}
+
+#endif	/* HAVE_LIBZ */
diff --git a/src/ChunkedIO.h b/src/ChunkedIO.h
new file mode 100644
index 0000000000..393f6c8d5d
--- /dev/null
+++ b/src/ChunkedIO.h
@@ -0,0 +1,342 @@
+// $Id: ChunkedIO.h 6888 2009-08-20 18:23:11Z vern $
+//
+// Implements non-blocking chunk-wise I/O.
+
+#ifndef CHUNKEDIO_H
+#define CHUNKEDIO_H
+
+#include "config.h"
+#include "List.h"
+#include "util.h"
+
+#include <list>
+
+class CompressedChunkedIO;
+
+// #define DEBUG_COMMUNICATION 10
+
+// Abstract base class.
+class ChunkedIO {
+public:
+	ChunkedIO();
+	virtual ~ChunkedIO()	{ }
+
+	typedef struct {
+		char* data;
+		uint32 len;
+	} Chunk;
+
+	// Initialization before any I/O operation is performed. Returns false
+	// on any form of error.
+	virtual bool Init()	{ return true; }
+
+	// Tries to read the next chunk of data. If it can be read completely,
+	// a pointer to it is returned in 'chunk' (ownership of chunk is
+	// passed).  If not, 'chunk' is set to nil.  Returns false if any
+	// I/O error occurred (use Eof() to see if it's an end-of-file).
+	// If 'may_block' is true, we explicitly allow blocking.
+	virtual bool Read(Chunk** chunk, bool may_block = false) = 0;
+
+	// Puts the chunk into the write queue and writes as much data
+	// as possible (takes ownership of chunk).
+	// Returns false on any I/O error.
+	virtual bool Write(Chunk* chunk) = 0;
+
+	// Tries to write as much as currently possible.
+	// Returns false on any I/O error.
+	virtual bool Flush() = 0;
+
+	// If an I/O error has been encountered, returns a string describing it.
+	virtual const char* Error() = 0;
+
+	// Return true if there is currently at least one chunk available
+	// for reading.
+	virtual bool CanRead() = 0;
+
+	// Return true if there is currently at least one chunk waiting to be
+	// written.
+	virtual bool CanWrite() = 0;
+
+	// Returns true if source believes that there won't be much data soon.
+	virtual bool IsIdle() = 0;
+
+	// Returns true if internal write buffers are about to fill up.
+	virtual bool IsFillingUp() = 0;
+
+	// Throws away buffered data.
+	virtual void Clear() = 0;
+
+	// Returns true,if end-of-file has been reached.
+	virtual bool Eof() = 0;
+
+	// Returns underlying fd if available, -1 otherwise.
+	virtual int Fd()	{ return -1; }
+
+	// Makes sure that no additional protocol data is written into
+	// the output stream.  If this is activated, the output cannot
+	// be read again by any of these classes!
+	void MakePure()	{ pure = true; }
+	bool IsPure()	{ return pure; }
+
+	// Writes a log message to the error_fd.
+	void Log(const char* str);
+
+	struct Statistics {
+		Statistics()
+			{
+			bytes_read = 0;
+			bytes_written = 0;
+			chunks_read = 0;
+			chunks_written = 0;
+			reads = 0;
+			writes = 0;
+			pending = 0;
+			}
+
+		unsigned long bytes_read;
+		unsigned long bytes_written;
+		unsigned long chunks_read;
+		unsigned long chunks_written;
+		unsigned long reads;	// # calls which transferred > 0 bytes
+		unsigned long writes;
+		unsigned long pending;
+		};
+
+	// Returns raw statistics.
+	const Statistics* Stats() const 	{ return &stats; }
+
+	// Puts a formatted string containing statistics into buffer.
+	virtual void Stats(char* buffer, int length);
+
+#ifdef DEBUG_COMMUNICATION
+	void DumpDebugData(const char* basefnname, bool want_reads);
+#endif
+
+protected:
+	Statistics stats;
+	const char* tag;
+
+#ifdef DEBUG_COMMUNICATION
+	void AddToBuffer(char* data, bool is_read)
+		{ AddToBuffer(strlen(data), data, is_read); }
+	void AddToBuffer(uint32 len, char* data, bool is_read);
+	void AddToBuffer(Chunk* chunk, bool is_read);
+	std::list<Chunk*> data_read;
+	std::list<Chunk*> data_written;
+#endif
+
+private:
+	bool pure;
+};
+
+// Chunked I/O using a file descriptor.
+class ChunkedIOFd : public ChunkedIO {
+public:
+	// fd is an open bidirectional file descriptor, tag is used in error
+	// messages, and pid gives a pid to monitor (if the process dies, we
+	// return EOF).
+	ChunkedIOFd(int fd, const char* tag, pid_t pid = 0);
+	virtual ~ChunkedIOFd();
+
+	virtual bool Read(Chunk** chunk, bool may_block = false);
+	virtual bool Write(Chunk* chunk);
+	virtual bool Flush();
+	virtual const char* Error();
+	virtual bool CanRead();
+	virtual bool CanWrite();
+	virtual bool IsIdle();
+	virtual bool IsFillingUp();
+	virtual void Clear();
+	virtual bool Eof()	{ return eof; }
+	virtual int Fd()	{ return fd; }
+	virtual void Stats(char* buffer, int length);
+
+private:
+
+	bool PutIntoWriteBuffer(Chunk* chunk);
+	bool FlushWriteBuffer();
+	Chunk* ExtractChunk();
+
+	// Returns size of next chunk in buffer or 0 if none.
+	uint32 ChunkAvailable();
+
+	// Flushes if it thinks it is time to.
+	bool OptionalFlush();
+
+	// Concatenates the the data of the two chunks forming a new one.
+	// The old chunkds are deleted.
+	Chunk* ConcatChunks(Chunk* c1, Chunk* c2);
+
+	// Reads/writes on chunk of upto BUFFER_SIZE bytes.
+	bool WriteChunk(Chunk* chunk, bool partial);
+	bool ReadChunk(Chunk** chunk, bool may_block);
+
+	int fd;
+	bool eof;
+	double last_flush;
+	int failed_reads;
+
+	// Optimally, this should match the file descriptor's
+	// buffer size (for sockets, it may be helpful to
+	// increase the send/receive buffers).
+	static const unsigned int BUFFER_SIZE = 1024 * 1024 * 1;
+
+	// We 'or' this to the length of a data chunk to mark
+	// that it's part of a larger one. This has to be larger
+	// than BUFFER_SIZE.
+	static const uint32 FLAG_PARTIAL = 0x80000000;
+
+	// We report that we're filling up when there are more than this number
+	// of pending chunks.
+	static const uint32 MAX_BUFFERED_CHUNKS_SOFT = 400000;
+
+	// Maximum number of chunks we store in memory before rejecting writes.
+	static const uint32 MAX_BUFFERED_CHUNKS = 500000;
+
+	char* read_buffer;
+	uint32 read_len;
+	uint32 read_pos;
+	Chunk* partial;	// when we read an oversized chunk, we store it here
+
+	char* write_buffer;
+	uint32 write_len;
+	uint32 write_pos;
+
+	struct ChunkQueue {
+		Chunk* chunk;
+		ChunkQueue* next;
+	};
+
+	// Chunks that don't fit into our write buffer.
+	ChunkQueue* pending_head;
+	ChunkQueue* pending_tail;
+
+	pid_t pid;
+};
+
+#ifdef USE_OPENSSL
+
+#ifdef NEED_KRB5_H
+# include <krb5.h>
+#endif 
+
+#include <openssl/ssl.h>
+#include <openssl/err.h>
+
+// Chunked I/O using an SSL connection.
+
+class ChunkedIOSSL : public ChunkedIO {
+public:
+	// Argument is an open socket and a flag indicating whether we are the
+	// server side of the connection.
+	ChunkedIOSSL(int socket, bool server);
+	virtual ~ChunkedIOSSL();
+
+	virtual bool Init();
+	virtual bool Read(Chunk** chunk, bool mayblock = false);
+	virtual bool Write(Chunk* chunk);
+	virtual bool Flush();
+	virtual const char* Error();
+	virtual bool CanRead();
+	virtual bool CanWrite();
+	virtual bool IsIdle();
+	virtual bool IsFillingUp();
+	virtual void Clear();
+	virtual bool Eof()	{ return eof; }
+	virtual int Fd()	{ return socket; }
+	virtual void Stats(char* buffer, int length);
+
+private:
+	// Maximum number of chunks we store in memory before rejecting writes.
+	static const uint32 MAX_BUFFERED_CHUNKS = 500000;
+
+	// Only returns true if all data has been read. If not, call
+	// it again with the same parameters as long as error is not
+	// set to true.
+	bool ReadData(char* p, uint32 len, bool* error);
+	// Same for writing.
+	bool WriteData(char* p, uint32 len, bool* error);
+
+	int socket;
+	int last_ret;	// last error code
+	bool eof;
+
+	bool server;	// are we the server?
+	bool setup;	// has the connection been setup successfully?
+
+	SSL* ssl;
+
+	// Write queue.
+	struct Queue {
+		Chunk* chunk;
+		Queue* next;
+	};
+
+	// The chunk part we are reading/writing
+	enum State { LEN, DATA };
+
+	State write_state;
+	Queue* write_head;
+	Queue* write_tail;
+
+	State read_state;
+	Chunk* read_chunk;
+	char* read_ptr;
+
+	// One SSL for all connections.
+	static SSL_CTX* ctx;
+};
+
+#endif	/* USE_OPENSSL */
+
+#ifdef HAVE_LIBZ
+
+#include <zlib.h>
+
+// Wrapper class around a another ChunkedIO which the (un-)compresses data.
+class CompressedChunkedIO : public ChunkedIO {
+public:
+	CompressedChunkedIO(ChunkedIO* arg_io)
+		: io(arg_io) {} // takes ownership
+	virtual ~CompressedChunkedIO()	{ delete io; }
+
+	virtual bool Init(); // does *not* call arg_io->Init()
+	virtual bool Read(Chunk** chunk, bool may_block = false);
+	virtual bool Write(Chunk* chunk);
+	virtual bool Flush()	{ return io->Flush(); }
+	virtual const char* Error()	{ return error ? error : io->Error(); }
+	virtual bool CanRead()	{ return io->CanRead(); }
+	virtual bool CanWrite()	{ return io->CanWrite(); }
+	virtual bool IsIdle()	{ return io->IsIdle(); }
+	virtual bool IsFillingUp()	{ return io->IsFillingUp(); }
+	virtual void Clear()	{ return io->Clear(); }
+
+	virtual bool Eof()	{ return io->Eof(); }
+	virtual int Fd()	{ return io->Fd(); }
+	virtual void Stats(char* buffer, int length);
+
+	void EnableCompression(int level)
+		{ deflateInit(&zout, level); compress = true; }
+	void EnableDecompression()
+		{ inflateInit(&zin); uncompress = true; }
+
+protected:
+	// Only compress block with size >= this.
+	static const unsigned int MIN_COMPRESS_SIZE = 30;
+
+	ChunkedIO* io;
+	z_stream zin;
+	z_stream zout;
+	const char* error;
+
+	bool compress;
+	bool uncompress;
+
+	// Keep some statistics.
+	unsigned long uncompressed_bytes_read;
+	unsigned long uncompressed_bytes_written;
+};
+
+#endif	/* HAVE_LIBZ */
+
+#endif
diff --git a/src/CompHash.cc b/src/CompHash.cc
new file mode 100644
index 0000000000..2e0870303c
--- /dev/null
+++ b/src/CompHash.cc
@@ -0,0 +1,707 @@
+// $Id: CompHash.cc 6219 2008-10-01 05:39:07Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "config.h"
+
+#include "CompHash.h"
+#include "Val.h"
+
+CompositeHash::CompositeHash(TypeList* composite_type)
+	{
+	type = composite_type;
+	Ref(type);
+
+	// If the only element is a record, don't treat it as a
+	// singleton, since it needs to be evaluated specially.
+
+	if ( type->Types()->length() == 1 )
+		{
+		if ( (*type->Types())[0]->Tag() == TYPE_RECORD )
+			{
+			is_complex_type = 1;
+			is_singleton = 0;
+			}
+		else
+			{
+			is_complex_type = 0;
+			is_singleton = 1;
+			}
+		}
+
+	else
+		{
+		is_singleton = 0;
+		is_complex_type = 0;
+		}
+
+	if ( is_singleton )
+		{
+		// Don't do any further key computations - we'll do them
+		// via the singleton later.
+		singleton_tag = (*type->Types())[0]->InternalType();
+		size = 0;
+		key = 0;
+		}
+
+	else
+		{
+		size = ComputeKeySize();
+
+		if ( size > 0 )
+			// Fixed size.  Make sure what we get is fully aligned.
+			key = reinterpret_cast<char*>
+				(new double[size/sizeof(double) + 1]);
+		else
+			key = 0;
+		}
+	}
+
+CompositeHash::~CompositeHash()
+	{
+	Unref(type);
+	delete [] key;
+	}
+
+// Computes the piece of the hash for Val*, returning the new kp.
+char* CompositeHash::SingleValHash(int type_check, char* kp0,
+					BroType* bt, Val* v) const
+	{
+	char* kp1 = 0;
+	InternalTypeTag t = bt->InternalType();
+
+	if ( type_check )
+		{
+		InternalTypeTag vt = v->Type()->InternalType();
+		if ( vt != t )
+			return 0;
+		}
+
+	switch ( t ) {
+	case TYPE_INTERNAL_INT:
+		{
+		bro_int_t* kp = AlignAndPadType<bro_int_t>(kp0);
+		*kp = v->ForceAsInt();
+		kp1 = reinterpret_cast<char*>(kp+1);
+		}
+		break;
+
+	case TYPE_INTERNAL_UNSIGNED:
+		{
+		bro_uint_t* kp = AlignAndPadType<bro_uint_t>(kp0);
+		*kp = v->ForceAsUInt();
+		kp1 = reinterpret_cast<char*>(kp+1);
+		}
+		break;
+
+	case TYPE_INTERNAL_ADDR:
+		{
+		// Use uint32 instead of int, because 'int' is not
+		// guaranteed to be 32-bit.
+		uint32* kp = AlignAndPadType<uint32>(kp0);
+#ifdef BROv6
+		const addr_type av = v->AsAddr();
+		kp[0] = av[0];
+		kp[1] = av[1];
+		kp[2] = av[2];
+		kp[3] = av[3];
+		kp1 = reinterpret_cast<char*>(kp+4);
+#else
+		*kp = v->AsAddr();
+		kp1 = reinterpret_cast<char*>(kp+1);
+#endif
+		}
+		break;
+
+	case TYPE_INTERNAL_SUBNET:
+		{
+		uint32* kp = AlignAndPadType<uint32>(kp0);
+#ifdef BROv6
+		const subnet_type* sv = v->AsSubNet();
+		kp[0] = sv->net[0];
+		kp[1] = sv->net[1];
+		kp[2] = sv->net[2];
+		kp[3] = sv->net[3];
+		kp[4] = sv->width;
+		kp1 = reinterpret_cast<char*>(kp+5);
+#else
+		const subnet_type* sv = v->AsSubNet();
+		kp[0] = sv->net;
+		kp[1] = sv->width;
+		kp1 = reinterpret_cast<char*>(kp+2);
+#endif
+		}
+		break;
+
+	case TYPE_INTERNAL_DOUBLE:
+		{
+		double* kp = AlignAndPadType<double>(kp0);
+		*kp = v->InternalDouble();
+		kp1 = reinterpret_cast<char*>(kp+1);
+		}
+		break;
+
+	case TYPE_INTERNAL_VOID:
+	case TYPE_INTERNAL_OTHER:
+		{
+		if ( v->Type()->Tag() == TYPE_FUNC )
+			{
+			Val** kp = AlignAndPadType<Val*>(kp0);
+			v->Ref();
+			// Ref((BroObj*) v->AsFunc());
+			*kp = v;
+			kp1 = reinterpret_cast<char*>(kp+1);
+			}
+
+		else if ( v->Type()->Tag() == TYPE_RECORD )
+			{
+			char* kp = kp0;
+			RecordVal* rv = v->AsRecordVal();
+			RecordType* rt = v->Type()->AsRecordType();
+			int num_fields = rt->NumFields();
+
+			for ( int i = 0; i < num_fields; ++i )
+				{
+				Val* rv_i = rv->Lookup(i);
+				if ( ! rv_i )
+					return 0;
+
+				if ( ! (kp = SingleValHash(type_check, kp,
+							   rt->FieldType(i),
+							   rv_i)) )
+					return 0;
+				}
+
+			kp1 = kp;
+			}
+		else
+			{
+			internal_error("bad index type in CompositeHash::SingleValHash");
+			return 0;
+			}
+		}
+		break;
+
+	case TYPE_INTERNAL_STRING:
+		{
+		// Align to int for the length field.
+		int* kp = AlignAndPadType<int>(kp0);
+		const BroString* sval = v->AsString();
+
+		*kp = sval->Len();	// so we can recover the value
+
+		kp1 = reinterpret_cast<char*>(kp+1);
+
+		memcpy(kp1, sval->Bytes(), sval->Len());
+		kp1 += sval->Len();
+		}
+		break;
+
+	case TYPE_INTERNAL_ERROR:
+		return 0;
+	}
+
+	return kp1;
+	}
+
+
+HashKey* CompositeHash::ComputeHash(const Val* v, int type_check) const
+	{
+	if ( is_singleton )
+		return ComputeSingletonHash(v, type_check);
+
+	if ( is_complex_type && v->Type()->Tag() != TYPE_LIST )
+		{
+		ListVal lv(TYPE_ANY);
+
+		// Cast away const to use ListVal - but since we
+		// re-introduce const on the recursive call, it should
+		// be okay; the only thing is that the ListVal unref's it.
+		Val* ncv = (Val*) v;
+		ncv->Ref();
+		lv.Append(ncv);
+	        HashKey* hk = ComputeHash(&lv, type_check);
+		return hk;
+		}
+
+	char* k = key;
+
+	if ( ! k )
+		{
+		int sz = ComputeKeySize(v, type_check);
+		if ( sz == 0 )
+			return 0;
+
+		k = reinterpret_cast<char*>(new double[sz/sizeof(double) + 1]);
+		type_check = 0;	// no need to type-check again.
+		}
+
+	const type_list* tl = type->Types();
+
+	if ( type_check && v->Type()->Tag() != TYPE_LIST )
+		return 0;
+
+	const val_list* vl = v->AsListVal()->Vals();
+	if ( type_check && vl->length() != tl->length() )
+		return 0;
+
+	char* kp = k;
+	loop_over_list(*tl, i)
+		{
+		kp = SingleValHash(type_check, kp, (*tl)[i], (*vl)[i]);
+		if ( ! kp )
+			return 0;
+		}
+
+	return new HashKey((k == key), (void*) k, kp - k);
+	}
+
+HashKey* CompositeHash::ComputeSingletonHash(const Val* v, int type_check) const
+	{
+	if ( v->Type()->Tag() == TYPE_LIST )
+		{
+		const val_list* vl = v->AsListVal()->Vals();
+		if ( type_check && vl->length() != 1 )
+			return 0;
+
+		v = (*vl)[0];
+		}
+
+	if ( type_check && v->Type()->InternalType() != singleton_tag )
+		return 0;
+
+	uint32 tmp_addr;
+	switch ( singleton_tag ) {
+	case TYPE_INTERNAL_INT:
+	case TYPE_INTERNAL_UNSIGNED:
+		return new HashKey(v->ForceAsInt());
+
+	case TYPE_INTERNAL_ADDR:
+#ifdef BROv6
+		return new HashKey(v->AsAddr(), 4);
+#else
+		return new HashKey(v->AsAddr());
+#endif
+
+	case TYPE_INTERNAL_SUBNET:
+#ifdef BROv6
+		return new HashKey((const uint32*) v->AsSubNet(), 5);
+#else
+		return new HashKey((const uint32*) v->AsSubNet(), 2);
+
+#endif
+
+	case TYPE_INTERNAL_DOUBLE:
+		return new HashKey(v->InternalDouble());
+
+	case TYPE_INTERNAL_VOID:
+	case TYPE_INTERNAL_OTHER:
+		if ( v->Type()->Tag() == TYPE_FUNC )
+			return new HashKey(v);
+
+		internal_error("bad index type in CompositeHash::ComputeSingletonHash");
+		return 0;
+
+	case TYPE_INTERNAL_STRING:
+		return new HashKey(v->AsString());
+
+	case TYPE_INTERNAL_ERROR:
+		return 0;
+
+	default:
+		internal_error("bad internal type in CompositeHash::ComputeSingletonHash");
+		return 0;
+	}
+	}
+
+int CompositeHash::SingleTypeKeySize(BroType* bt, const Val* v,
+					int type_check, int sz) const
+	{
+	InternalTypeTag t = bt->InternalType();
+
+	if ( type_check && v )
+		{
+		InternalTypeTag vt = v->Type()->InternalType();
+		if ( vt != t )
+			return 0;
+		}
+
+	switch ( t ) {
+	case TYPE_INTERNAL_INT:
+	case TYPE_INTERNAL_UNSIGNED:
+		sz = SizeAlign(sz, sizeof(bro_int_t));
+		break;
+
+	case TYPE_INTERNAL_ADDR:
+#ifdef BROv6
+		sz = SizeAlign(sz, sizeof(uint32));
+		sz += sizeof(uint32) * 3;	// to make a total of 4 words
+#else
+		sz = SizeAlign(sz, sizeof(uint32));
+#endif
+		break;
+
+	case TYPE_INTERNAL_SUBNET:
+#ifdef BROv6
+		sz = SizeAlign(sz, sizeof(uint32));
+		sz += sizeof(uint32) * 4;	// to make a total of 5 words
+#else
+		sz = SizeAlign(sz, sizeof(uint32));
+		sz += sizeof(uint32);	// make room for width
+#endif
+		break;
+
+	case TYPE_INTERNAL_DOUBLE:
+		sz = SizeAlign(sz, sizeof(double));
+		break;
+
+	case TYPE_INTERNAL_VOID:
+	case TYPE_INTERNAL_OTHER:
+		{
+		if ( bt->Tag() == TYPE_FUNC )
+			sz = SizeAlign(sz, sizeof(Val*));
+
+		else if ( bt->Tag() == TYPE_RECORD )
+			{
+			const RecordVal* rv = v ? v->AsRecordVal() : 0;
+			RecordType* rt = bt->AsRecordType();
+			int num_fields = rt->NumFields();
+
+			for ( int i = 0; i < num_fields; ++i )
+				{
+				sz = SingleTypeKeySize(rt->FieldType(i),
+							rv ? rv->Lookup(i) : 0,
+							type_check, sz);
+				if ( ! sz )
+					return 0;
+				}
+			}
+		else
+			{
+			internal_error("bad index type in CompositeHash::CompositeHash");
+			return 0;
+			}
+		}
+		break;
+
+	case TYPE_INTERNAL_STRING:
+		if ( ! v )
+			return 0;
+
+		// Factor in length field.
+		sz = SizeAlign(sz, sizeof(int));
+		sz += v->AsString()->Len();
+		break;
+
+	case TYPE_INTERNAL_ERROR:
+		return 0;
+	}
+
+	return sz;
+	}
+
+int CompositeHash::ComputeKeySize(const Val* v, int type_check) const
+	{
+	const type_list* tl = type->Types();
+	const val_list* vl = 0;
+	if ( v )
+		{
+		if ( type_check && v->Type()->Tag() != TYPE_LIST )
+			return 0;
+
+		vl = v->AsListVal()->Vals();
+		if ( type_check && vl->length() != tl->length() )
+			return 0;
+		}
+
+	int sz = 0;
+	loop_over_list(*tl, i)
+		{
+		sz = SingleTypeKeySize((*tl)[i], v ? v->AsListVal()->Index(i) : 0,
+				       type_check, sz);
+		if ( ! sz )
+			return 0;
+		}
+
+	return sz;
+	}
+
+namespace
+	{
+	inline bool is_power_of_2(bro_uint_t x)
+		{
+		return ((x - 1) & x) == 0;
+		}
+	}
+
+const void* CompositeHash::Align(const char* ptr, unsigned int size) const
+	{
+	if ( ! size )
+		return ptr;
+
+	ASSERT(is_power_of_2(size));
+
+	unsigned int mask = size - 1;	// Assume size is a power of 2.
+	unsigned long l_ptr = reinterpret_cast<unsigned long>(ptr);
+	unsigned long offset = l_ptr & mask;
+
+	if ( offset > 0 )
+		return reinterpret_cast<const void*>(ptr - offset + size);
+	else
+		return reinterpret_cast<const void*>(ptr);
+	}
+
+void* CompositeHash::AlignAndPad(char* ptr, unsigned int size) const
+	{
+	if ( ! size )
+		return ptr;
+
+	ASSERT(is_power_of_2(size));
+
+	unsigned int mask = size - 1;	// Assume size is a power of 2.
+	while ( (reinterpret_cast<unsigned long>(ptr) & mask) != 0 )
+		// Not aligned - zero pad.
+		*ptr++ = '\0';
+
+	return reinterpret_cast<void *>(ptr);
+	}
+
+int CompositeHash::SizeAlign(int offset, unsigned int size) const
+	{
+	if ( ! size )
+		return offset;
+
+	ASSERT(is_power_of_2(size));
+
+	unsigned int mask = size - 1;	// Assume size is a power of 2.
+	if ( offset & mask )
+		{
+		offset &= ~mask;	// Round down.
+		offset += size;		// Round up.
+		}
+
+	offset += size;		// Add in size.
+
+	return offset;
+	}
+
+ListVal* CompositeHash::RecoverVals(const HashKey* k) const
+	{
+	ListVal* l = new ListVal(TYPE_ANY);
+	const type_list* tl = type->Types();
+	const char* kp = (const char*) k->Key();
+	const char* const k_end = kp + k->Size();
+
+	loop_over_list(*tl, i)
+		{
+		Val* v;
+		kp = RecoverOneVal(k, kp, k_end, (*tl)[i], v);
+		ASSERT(v);
+		l->Append(v);
+		}
+
+	if ( kp != k_end )
+		internal_error("under-ran key in CompositeHash::DescribeKey");
+
+	return l;
+	}
+
+const char* CompositeHash::RecoverOneVal(const HashKey* k, const char* kp0,
+					 const char* const k_end, BroType* t,
+					 Val*& pval) const
+	{
+	// k->Size() == 0 for a single empty string.
+	if ( kp0 >= k_end && k->Size() > 0 )
+		internal_error("over-ran key in CompositeHash::RecoverVals");
+
+	TypeTag tag = t->Tag();
+	InternalTypeTag it = t->InternalType();
+
+	const char* kp1 = 0;
+
+	switch ( it ) {
+	case TYPE_INTERNAL_INT:
+		{
+		const bro_int_t* const kp = AlignType<bro_int_t>(kp0);
+		kp1 = reinterpret_cast<const char*>(kp+1);
+
+		if ( tag == TYPE_ENUM )
+			pval = new EnumVal(*kp, t->AsEnumType());
+		else
+			pval = new Val(*kp, tag);
+		}
+		break;
+
+	case TYPE_INTERNAL_UNSIGNED:
+		{
+		const bro_uint_t* const kp = AlignType<bro_uint_t>(kp0);
+		kp1 = reinterpret_cast<const char*>(kp+1);
+
+		switch ( tag ) {
+		case TYPE_COUNT:
+		case TYPE_COUNTER:
+			pval = new Val(*kp, tag);
+			break;
+
+		case TYPE_PORT:
+			pval = new PortVal(*kp);
+			break;
+
+		default:
+			internal_error("bad internal unsigned int in CompositeHash::RecoverOneVal()");
+			pval = 0;
+			break;
+		}
+		}
+		break;
+
+	case TYPE_INTERNAL_DOUBLE:
+		{
+		const double* const kp = AlignType<double>(kp0);
+		kp1 = reinterpret_cast<const char*>(kp+1);
+
+		if ( tag == TYPE_INTERVAL )
+			pval = new IntervalVal(*kp, 1.0);
+		else
+			pval = new Val(*kp, tag);
+		}
+		break;
+
+	case TYPE_INTERNAL_ADDR:
+		{
+		const uint32* const kp = AlignType<uint32>(kp0);
+#ifdef BROv6
+		const_addr_type addr_val = kp;
+		kp1 = reinterpret_cast<const char*>(kp+4);
+#else
+		const_addr_type addr_val = *kp;
+		kp1 = reinterpret_cast<const char*>(kp+1);
+#endif
+		switch ( tag ) {
+		case TYPE_ADDR:
+			pval = new AddrVal(addr_val);
+			break;
+
+		case TYPE_NET:
+			pval = new NetVal(addr_val);
+			break;
+
+		default:
+			internal_error("bad internal address in CompositeHash::RecoverOneVal()");
+			pval = 0;
+			break;
+		}
+		}
+		break;
+
+	case TYPE_INTERNAL_SUBNET:
+		{
+		const subnet_type* const kp =
+			reinterpret_cast<const subnet_type*>(
+				AlignType<uint32>(kp0));
+		kp1 = reinterpret_cast<const char*>(kp+1);
+
+		pval = new SubNetVal(kp->net, kp->width);
+		}
+		break;
+
+	case TYPE_INTERNAL_VOID:
+	case TYPE_INTERNAL_OTHER:
+		{
+		if ( t->Tag() == TYPE_FUNC )
+			{
+			Val* const * const kp = AlignType<Val*>(kp0);
+			kp1 = reinterpret_cast<const char*>(kp+1);
+
+			Val* v = *kp;
+
+			if ( ! v || ! v->Type() )
+				internal_error("bad aggregate Val in CompositeHash::RecoverOneVal()");
+
+			if ( t->Tag() != TYPE_FUNC &&
+			     // ### Maybe fix later, but may be fundamentally
+			     // un-checkable --US
+			     ! same_type(v->Type(), t) )
+				{
+				internal_error("inconsistent aggregate Val in CompositeHash::RecoverOneVal()");
+				}
+
+			// ### A crude approximation for now.
+			if ( t->Tag() == TYPE_FUNC &&
+			     v->Type()->Tag() != TYPE_FUNC )
+				{
+				internal_error("inconsistent aggregate Val in CompositeHash::RecoverOneVal()");
+				}
+
+			pval = v->Ref();
+			}
+
+		else if ( t->Tag() == TYPE_RECORD )
+			{
+			const char* kp = kp0;
+			RecordType* rt = t->AsRecordType();
+			int num_fields = rt->NumFields();
+
+			vector<Val*> values;
+			int i;
+			for ( i = 0; i < num_fields; ++i )
+				{
+				Val* v;
+				kp = RecoverOneVal(k, kp, k_end,
+				                   rt->FieldType(i), v);
+				if ( ! v )
+					{
+					internal_error("didn't recover expected number of fields from HashKey");
+					pval = 0;
+					break;
+					}
+
+				values.push_back(v);
+				}
+
+			ASSERT(int(values.size()) == num_fields);
+
+			RecordVal* rv = new RecordVal(rt);
+
+			for ( int i = 0; i < num_fields; ++i )
+				rv->Assign(i, values[i]);
+
+			pval = rv;
+			kp1 = kp;
+			}
+		else
+			{
+			internal_error("bad index type in CompositeHash::DescribeKey");
+			}
+		}
+		break;
+
+	case TYPE_INTERNAL_STRING:
+		{
+		// There is a minor issue here -- the pointer does not have to
+		// be aligned by int in the singleton case.
+
+		int n;
+		if ( is_singleton )
+			{
+			kp1 = kp0;
+			n = k->Size();
+			}
+		else
+			{
+			const int* const kp = AlignType<int>(kp0);
+			n = *kp;
+			kp1 = reinterpret_cast<const char*>(kp+1);
+			}
+
+		pval = new StringVal(new BroString((const byte_vec) kp1, n, 1));
+		kp1 += n;
+		}
+		break;
+
+	case TYPE_INTERNAL_ERROR:
+		break;
+	}
+
+	return kp1;
+	}
diff --git a/src/CompHash.h b/src/CompHash.h
new file mode 100644
index 0000000000..a0632e1bfe
--- /dev/null
+++ b/src/CompHash.h
@@ -0,0 +1,93 @@
+// $Id: CompHash.h 6219 2008-10-01 05:39:07Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#ifndef comphash_h
+#define comphash_h
+
+#include "Hash.h"
+#include "Type.h"
+
+class ListVal;
+
+class CompositeHash {
+public:
+	CompositeHash(TypeList* composite_type);
+	~CompositeHash();
+
+	// Compute the hash corresponding to the given index val,
+	// or 0 if it fails to typecheck.
+	HashKey* ComputeHash(const Val* v, int type_check) const;
+
+	// Given a hash key, recover the values used to create it.
+	ListVal* RecoverVals(const HashKey* k) const;
+
+	unsigned int MemoryAllocation() const { return padded_sizeof(*this) + pad_size(size); }
+
+protected:
+	HashKey* ComputeSingletonHash(const Val* v, int type_check) const;
+
+	// Computes the piece of the hash for Val*, returning the new kp.
+	// Used as a helper for ComputeHash in the non-singleton case.
+	char* SingleValHash(int type_check, char* kp,
+				BroType* bt, Val* v) const;
+
+	// Recovers just one Val of possibly many; called from RecoverVals.
+	// Upon return, pval will point to the recovered Val of type t.
+	// Returns and updated kp for the next Val.  Calls internal_error()
+	// upon errors, so there is no return value for invalid input.
+	const char* RecoverOneVal(const HashKey* k,
+				  const char* kp, const char* const k_end,
+				  BroType* t, Val*& pval) const;
+
+	// Rounds the given pointer up to the nearest multiple of the
+	// given size, if not already a multiple.
+	const void* Align(const char* ptr, unsigned int size) const;
+
+	// Rounds the given pointer up to the nearest multiple of the
+	// given size, padding the skipped region with 0 bytes.
+	void* AlignAndPad(char* ptr, unsigned int size) const;
+
+	// Returns offset+size rounded up so it can correctly align data
+	// of the given size.
+	int SizeAlign(int offset, unsigned int size) const;
+
+	template<class T>
+	T* AlignAndPadType(char* ptr) const
+		{
+		return reinterpret_cast<T*>(AlignAndPad(ptr, sizeof(T)));
+		}
+
+	template<class T>
+	const T* AlignType(const char* ptr) const
+		{
+		return reinterpret_cast<const T*>(Align(ptr, sizeof(T)));
+		}
+
+	template<class T>
+	int SizeAlignType(int offset) const
+		{
+		return SizeAlign(offset, sizeof(T));
+		}
+
+	// Compute the size of the composite key.  If v is non-nil then
+	// the value is computed for the particular list of values.
+	// Returns 0 if the key has an indeterminant size (if v not given),
+	// or if v doesn't match the index type (if given).
+	int ComputeKeySize(const Val* v = 0, int type_check = 1) const;
+
+	int SingleTypeKeySize(BroType*, const Val*,
+				int type_check, int sz) const;
+
+	TypeList* type;
+	char* key;	// space for composite key
+	int size;
+	int is_singleton;	// if just one type in index
+
+	// If one type, but not normal "singleton", e.g. record.
+	int is_complex_type;
+
+	InternalTypeTag singleton_tag;
+};
+
+#endif
diff --git a/src/Conn.cc b/src/Conn.cc
new file mode 100644
index 0000000000..50afe41d0c
--- /dev/null
+++ b/src/Conn.cc
@@ -0,0 +1,974 @@
+// $Id: Conn.cc 6219 2008-10-01 05:39:07Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "config.h"
+
+#include <ctype.h>
+
+#include "Net.h"
+#include "NetVar.h"
+#include "Conn.h"
+#include "Event.h"
+#include "Sessions.h"
+#include "Logger.h"
+#include "Timer.h"
+#include "PIA.h"
+#include "binpac.h"
+
+HashKey* ConnID::BuildConnKey() const
+	{
+	Key key;
+
+	// Lookup up connection based on canonical ordering, which is
+	// the smaller of <src addr, src port> and <dst addr, dst port>
+	// followed by the other.
+	if ( is_one_way ||
+	     addr_port_canon_lt(src_addr, src_port, dst_addr, dst_port) )
+		{
+		copy_addr(src_addr, key.ip1);
+		copy_addr(dst_addr, key.ip2);
+		key.port1 = src_port;
+		key.port2 = dst_port;
+		}
+	else
+		{
+		copy_addr(dst_addr, key.ip1);
+		copy_addr(src_addr, key.ip2);
+		key.port1 = dst_port;
+		key.port2 = src_port;
+		}
+
+	return new HashKey(&key, sizeof(key));
+	}
+
+void ConnectionTimer::Init(Connection* arg_conn, timer_func arg_timer,
+				int arg_do_expire)
+	{
+	conn = arg_conn;
+	timer = arg_timer;
+	do_expire = arg_do_expire;
+	Ref(conn);
+	}
+
+ConnectionTimer::~ConnectionTimer()
+	{
+	if ( conn->RefCnt() < 1 )
+		internal_error("reference count inconsistency in ~ConnectionTimer");
+
+	conn->RemoveTimer(this);
+	Unref(conn);
+	}
+
+void ConnectionTimer::Dispatch(double t, int is_expire)
+	{
+	if ( is_expire && ! do_expire )
+		return;
+
+	// Remove ourselves from the connection's set of timers so
+	// it doesn't try to cancel us.
+	conn->RemoveTimer(this);
+
+	(conn->*timer)(t);
+
+	if ( conn->RefCnt() < 1 )
+		internal_error("reference count inconsistency in ConnectionTimer::Dispatch");
+	}
+
+IMPLEMENT_SERIAL(ConnectionTimer, SER_CONNECTION_TIMER);
+
+bool ConnectionTimer::DoSerialize(SerialInfo* info) const
+	{
+	DO_SERIALIZE(SER_CONNECTION_TIMER, Timer);
+
+	// We enumerate all the possible timer functions here ... This
+	// has to match the list is DoUnserialize()!
+	char type = 0;
+
+	if ( timer == timer_func(&Connection::DeleteTimer) )
+		type = 1;
+	else if ( timer == timer_func(&Connection::InactivityTimer) )
+		type = 2;
+	else if ( timer == timer_func(&Connection::StatusUpdateTimer) )
+		type = 3;
+	else if ( timer == timer_func(&Connection::RemoveConnectionTimer) )
+		type = 4;
+	else
+		internal_error("unknown function in ConnectionTimer::DoSerialize()");
+
+	return conn->Serialize(info) && SERIALIZE(type) && SERIALIZE(do_expire);
+	}
+
+bool ConnectionTimer::DoUnserialize(UnserialInfo* info)
+	{
+	DO_UNSERIALIZE(Timer);
+
+	conn = Connection::Unserialize(info);
+	if ( ! conn )
+		return false;
+
+	char type;
+
+	if ( ! UNSERIALIZE(&type) || ! UNSERIALIZE(&do_expire) )
+		return false;
+
+	switch ( type ) {
+	case 1:
+		timer = timer_func(&Connection::DeleteTimer);
+		break;
+	case 2:
+		timer = timer_func(&Connection::InactivityTimer);
+		break;
+	case 3:
+		timer = timer_func(&Connection::StatusUpdateTimer);
+		break;
+	case 4:
+		timer = timer_func(&Connection::RemoveConnectionTimer);
+		break;
+	default:
+		info->s->Error("unknown connection timer function");
+		return false;
+	}
+
+	return true;
+	}
+
+unsigned int Connection::total_connections = 0;
+unsigned int Connection::current_connections = 0;
+unsigned int Connection::external_connections = 0;
+
+IMPLEMENT_SERIAL(Connection, SER_CONNECTION);
+
+Connection::Connection(NetSessions* s, HashKey* k, double t, const ConnID* id)
+	{
+	sessions = s;
+	key = k;
+	start_time = last_time = t;
+
+	copy_addr(id->src_addr, orig_addr);
+	copy_addr(id->dst_addr, resp_addr);
+	orig_port = id->src_port;
+	resp_port = id->dst_port;
+	proto = TRANSPORT_UNKNOWN;
+
+	conn_val = 0;
+	orig_endp = resp_endp = 0;
+	login_conn = 0;
+
+	is_active = 1;
+	skip = 0;
+	weird = 0;
+	persistent = 0;
+
+	suppress_event = 0;
+
+	record_contents = record_packets = 1;
+
+	timers_canceled = 0;
+	inactivity_timeout = 0;
+	installed_status_timer = 0;
+
+	finished = 0;
+
+	hist_seen = 0;
+	history = "";
+
+	root_analyzer = 0;
+	primary_PIA = 0;
+
+	++current_connections;
+	++total_connections;
+
+	TimerMgr::Tag* tag = current_iosrc->GetCurrentTag();
+	conn_timer_mgr = tag ? new TimerMgr::Tag(*tag) : 0;
+
+	if ( conn_timer_mgr )
+		{
+		++external_connections;
+		// We schedule a timer which removes this connection from memory
+		// indefinitively into the future. Ii will expire when the timer
+		// mgr is drained but not before.
+		ADD_TIMER(&Connection::RemoveConnectionTimer, 1e20, 1,
+				TIMER_REMOVE_CONNECTION);
+		}
+	}
+
+Connection::~Connection()
+	{
+	if ( ! finished )
+		internal_error("Done() not called before destruction of Connection");
+
+	CancelTimers();
+
+	if ( conn_val )
+		{
+		conn_val->SetOrigin(0);
+		Unref(conn_val);
+		}
+
+	delete key;
+	delete root_analyzer;
+	delete conn_timer_mgr;
+
+	--current_connections;
+	if ( conn_timer_mgr )
+		--external_connections;
+	}
+
+void Connection::Done()
+	{
+	finished = 1;
+
+	if ( root_analyzer && ! root_analyzer->IsFinished() )
+		root_analyzer->Done();
+	}
+
+void Connection::NextPacket(double t, int is_orig,
+			const IP_Hdr* ip, int len, int caplen,
+			const u_char*& data,
+			int& record_packet, int& record_content,
+			// arguments for reproducing packets
+			const struct pcap_pkthdr* hdr,
+			const u_char* const pkt,
+			int hdr_size)
+	{
+	current_hdr = hdr;
+	current_hdr_size = hdr_size;
+	current_timestamp = t;
+	current_pkt = pkt;
+
+	if ( Skipping() )
+		return;
+
+	if ( root_analyzer )
+		{
+		record_current_packet = record_packet;
+		record_current_content = record_content;
+		root_analyzer->NextPacket(len, data, is_orig, -1, ip, caplen);
+		record_packet = record_current_packet;
+		record_content = record_current_content;
+		}
+	else
+		last_time = t;
+
+	current_hdr = 0;
+	current_hdr_size = 0;
+	current_timestamp = 0;
+	current_pkt = 0;
+	}
+
+void Connection::SetLifetime(double lifetime)
+	{
+	ADD_TIMER(&Connection::DeleteTimer, network_time + lifetime, 0,
+			TIMER_CONN_DELETE);
+	}
+
+bool Connection::IsReuse(double t, const u_char* pkt)
+	{
+	return root_analyzer && root_analyzer->IsReuse(t, pkt);
+	}
+
+void Connection::DeleteTimer(double /* t */)
+	{
+	if ( is_active )
+		Event(connection_timeout, 0);
+
+	sessions->Remove(this);
+	}
+
+void Connection::InactivityTimer(double t)
+	{
+	// If the inactivity_timeout is zero, there has been an active
+	// timeout once, but it's disabled now. We do nothing then.
+	if ( inactivity_timeout )
+		{
+		if ( last_time + inactivity_timeout <= t )
+			{
+			Event(connection_timeout, 0);
+			sessions->Remove(this);
+			++killed_by_inactivity;
+			}
+		else
+			ADD_TIMER(&Connection::InactivityTimer,
+					last_time + inactivity_timeout, 0,
+					TIMER_CONN_INACTIVITY);
+		}
+	}
+
+void Connection::RemoveConnectionTimer(double t)
+	{
+	Event(connection_state_remove, 0);
+	sessions->Remove(this);
+	}
+
+void Connection::SetInactivityTimeout(double timeout)
+	{
+	// We add a new inactivity timer even if there already is one.  When
+	// it fires, we always use the current value to check for inactivity.
+	if ( timeout )
+		ADD_TIMER(&Connection::InactivityTimer,
+				last_time + timeout, 0, TIMER_CONN_INACTIVITY);
+
+	inactivity_timeout = timeout;
+	}
+
+void Connection::EnableStatusUpdateTimer()
+	{
+	if ( connection_status_update && connection_status_update_interval )
+		{
+		ADD_TIMER(&Connection::StatusUpdateTimer,
+			network_time + connection_status_update_interval, 0,
+			TIMER_CONN_STATUS_UPDATE);
+		installed_status_timer = 1;
+		}
+	}
+
+void Connection::StatusUpdateTimer(double t)
+	{
+	val_list* vl = new val_list(1);
+	vl->append(BuildConnVal());
+	ConnectionEvent(connection_status_update, 0, vl);
+	ADD_TIMER(&Connection::StatusUpdateTimer,
+			network_time + connection_status_update_interval, 0,
+			TIMER_CONN_STATUS_UPDATE);
+	}
+
+RecordVal* Connection::BuildConnVal()
+	{
+	if ( ! conn_val )
+		{
+		conn_val = new RecordVal(connection_type);
+
+		TransportProto prot_type = ConnTransport();
+
+		RecordVal* id_val = new RecordVal(conn_id);
+		id_val->Assign(0, new AddrVal(orig_addr));
+		id_val->Assign(1, new PortVal(ntohs(orig_port), prot_type));
+		id_val->Assign(2, new AddrVal(resp_addr));
+		id_val->Assign(3, new PortVal(ntohs(resp_port), prot_type));
+		conn_val->Assign(0, id_val);
+
+		orig_endp = new RecordVal(endpoint);
+		orig_endp->Assign(0, new Val(0, TYPE_COUNT));
+		orig_endp->Assign(1, new Val(0, TYPE_COUNT));
+		conn_val->Assign(1, orig_endp);
+
+		resp_endp = new RecordVal(endpoint);
+		resp_endp->Assign(0, new Val(0, TYPE_COUNT));
+		resp_endp->Assign(1, new Val(0, TYPE_COUNT));
+		conn_val->Assign(2, resp_endp);
+
+		// conn_val->Assign(3, new Val(start_time, TYPE_TIME));	// ###
+		conn_val->Assign(5, new TableVal(string_set));	// service
+		conn_val->Assign(6, new StringVal(""));	// addl
+		conn_val->Assign(7, new Val(0, TYPE_COUNT));	// hot
+		conn_val->Assign(8, new StringVal(""));	// history
+		}
+
+	if ( root_analyzer )
+		{
+		root_analyzer->UpdateEndpointVal(orig_endp, 1);
+		root_analyzer->UpdateEndpointVal(resp_endp, 0);
+		}
+
+	conn_val->Assign(3, new Val(start_time, TYPE_TIME));	// ###
+	conn_val->Assign(4, new Val(last_time - start_time, TYPE_INTERVAL));
+	conn_val->Assign(8, new StringVal(history.c_str()));
+
+	conn_val->SetOrigin(this);
+
+	Ref(conn_val);
+
+	return conn_val;
+	}
+
+Analyzer* Connection::FindAnalyzer(AnalyzerID id)
+	{
+	return root_analyzer ? root_analyzer->FindChild(id) : 0;
+	}
+
+Analyzer* Connection::FindAnalyzer(AnalyzerTag::Tag tag)
+	{
+	return root_analyzer ? root_analyzer->FindChild(tag) : 0;
+	}
+
+void Connection::AppendAddl(const char* str)
+	{
+	Unref(BuildConnVal());
+
+	const char* old = conn_val->Lookup(6)->AsString()->CheckString();
+	const char* format = *old ? "%s %s" : "%s%s";
+
+	conn_val->Assign(6, new StringVal(fmt(format, old, str)));
+	}
+
+// Returns true if the character at s separates a version number.
+static inline bool is_version_sep(const char* s, const char* end)
+	{
+	return
+		// foo-1.2.3
+			(s < end - 1 && ispunct(s[0]) && isdigit(s[1])) ||
+		// foo-v1.2.3
+			(s < end - 2 && ispunct(s[0]) &&
+			 tolower(s[1]) == 'v' && isdigit(s[2])) ||
+		// foo 1.2.3
+			isspace(s[0]);
+	}
+
+void Connection::Match(Rule::PatternType type, const u_char* data, int len, bool is_orig, bool bol, bool eol, bool clear_state)
+	{
+	if ( primary_PIA )
+		primary_PIA->Match(type, data, len, is_orig, bol, eol, clear_state);
+	}
+
+Val* Connection::BuildVersionVal(const char* s, int len)
+	{
+	Val* name = 0;
+	Val* major = 0;
+	Val* minor = 0;
+	Val* minor2 = 0;
+	Val* addl = 0;
+
+	const char* last = s + len;
+	const char* e = s;
+
+	// This is all just a guess...
+
+	// Eat non-alpha-numerical chars.
+	for ( ; s < last && ! isalnum(*s); ++s )
+		;
+
+	// Leading characters are the program name.
+	// (first character must not be a digit)
+	if ( isalpha(*s) )
+		{
+		for ( e = s; e < last && ! is_version_sep(e, last); ++e )
+			;
+
+		if ( s != e )
+			name = new StringVal(e - s, s);
+		}
+
+	// Find first number - that's the major version.
+	for ( s = e; s < last && ! isdigit(*s); ++s )
+		;
+	for ( e = s; e < last && isdigit(*e); ++e )
+		;
+
+	if ( s != e )
+		major = new Val(atoi(s), TYPE_INT);
+
+	// Find second number seperated only by punctuation chars -
+	// that's the minor version.
+	for ( s = e; s < last && ispunct(*s); ++s )
+		;
+	for ( e = s; e < last && isdigit(*e); ++e )
+		;
+
+	if ( s != e )
+		minor = new Val(atoi(s), TYPE_INT);
+
+	// Find second number seperated only by punctuation chars; -
+	// that's the minor version.
+	for ( s = e; s < last && ispunct(*s); ++s )
+		;
+	for ( e = s; e < last && isdigit(*e); ++e )
+		;
+
+	if ( s != e )
+		minor2 = new Val(atoi(s), TYPE_INT);
+
+	// Anything after following punctuation and until next white space is
+	// an additional version string.
+	for ( s = e; s < last && ispunct(*s); ++s )
+		;
+	for ( e = s; e < last && ! isspace(*e); ++e )
+		;
+
+	if ( s != e )
+		addl = new StringVal(e - s, s);
+
+	// If we do not have a name yet, the next alphanumerical string is it.
+	if ( ! name )
+		{ // eat non-alpha-numerical characters
+		for ( s = e; s < last && ! isalpha(*s); ++s )
+			;
+
+		// Get name.
+		for ( e = s; e < last && (isalnum(*e) || *e == '_'); ++e )
+			;
+
+		if ( s != e )
+			name = new StringVal(e - s, s);
+		}
+
+	// We need at least a name.
+	if ( ! name )
+		return 0;
+
+	RecordVal* version = new RecordVal(software_version);
+	version->Assign(0, major ? major : new Val(-1, TYPE_INT));
+	version->Assign(1, minor ? minor : new Val(-1, TYPE_INT));
+	version->Assign(2, minor2 ? minor2 : new Val(-1, TYPE_INT));
+	version->Assign(3, addl ? addl : new StringVal(""));
+
+	RecordVal* sw = new RecordVal(software);
+	sw->Assign(0, name);
+	sw->Assign(1, version);
+
+	return sw;
+	}
+
+int Connection::VersionFoundEvent(const uint32* addr, const char* s, int len,
+					Analyzer* analyzer)
+	{
+	if ( ! software_version_found && ! software_parse_error )
+		return 1;
+
+	if ( ! is_printable(s, len) )
+		return 0;
+
+	Val* val = BuildVersionVal(s, len);
+	if ( ! val )
+		{
+		if ( software_parse_error )
+			{
+			val_list* vl = new val_list;
+			vl->append(BuildConnVal());
+			vl->append(new AddrVal(addr));
+			vl->append(new StringVal(len, s));
+			ConnectionEvent(software_parse_error, analyzer, vl);
+			}
+		return 0;
+		}
+
+	if ( software_version_found )
+		{
+		val_list* vl = new val_list;
+		vl->append(BuildConnVal());
+		vl->append(new AddrVal(addr));
+		vl->append(val);
+		vl->append(new StringVal(len, s));
+		ConnectionEvent(software_version_found, 0, vl);
+		}
+	else
+		Unref(val);
+
+	return 1;
+	}
+
+int Connection::UnparsedVersionFoundEvent(const uint32* addr,
+					const char* full, int len, Analyzer* analyzer)
+	{
+	// Skip leading white space.
+	while ( len && isspace(*full) )
+		{
+		--len;
+		++full;
+		}
+
+	if ( ! is_printable(full, len) )
+		return 0;
+
+	if ( software_unparsed_version_found )
+		{
+		val_list* vl = new val_list;
+		vl->append(BuildConnVal());
+		vl->append(new AddrVal(addr));
+		vl->append(new StringVal(len, full));
+		ConnectionEvent(software_unparsed_version_found, analyzer, vl);
+		}
+
+	return 1;
+	}
+
+void Connection::Event(EventHandlerPtr f, Analyzer* analyzer, const char* name)
+	{
+	if ( ! f )
+		return;
+
+	val_list* vl = new val_list(2);
+	if ( name )
+		vl->append(new StringVal(name));
+	vl->append(BuildConnVal());
+
+	ConnectionEvent(f, analyzer, vl);
+	}
+
+void Connection::Event(EventHandlerPtr f, Analyzer* analyzer, Val* v1, Val* v2)
+	{
+	if ( ! f )
+		{
+		Unref(v1);
+		Unref(v2);
+		return;
+		}
+
+	val_list* vl = new val_list(3);
+	vl->append(BuildConnVal());
+	vl->append(v1);
+
+	if ( v2 )
+		vl->append(v2);
+
+	ConnectionEvent(f, analyzer, vl);
+	}
+
+void Connection::ConnectionEvent(EventHandlerPtr f, Analyzer* a, val_list* vl)
+	{
+	if ( ! f )
+		{
+		// This may actually happen if there is no local handler
+		// and a previously existing remote handler went away.
+		loop_over_list(*vl, i)
+			Unref((*vl)[i]);
+		delete vl;
+		return;
+		}
+
+	// "this" is passed as a cookie for the event
+	mgr.QueueEvent(f, vl, SOURCE_LOCAL,
+			a ? a->GetID() : 0, GetTimerMgr(), this);
+	}
+
+void Connection::Weird(const char* name)
+	{
+	weird = 1;
+	if ( conn_weird )
+		Event(conn_weird, 0, name);
+	else
+		fprintf(stderr, "%.06f weird: %s\n", network_time, name);
+	}
+
+void Connection::Weird(const char* name, const char* addl)
+	{
+	weird = 1;
+	if ( conn_weird_addl )
+		{
+		val_list* vl = new val_list(3);
+
+		vl->append(new StringVal(name));
+		vl->append(BuildConnVal());
+		vl->append(new StringVal(addl));
+
+		ConnectionEvent(conn_weird_addl, 0, vl);
+		}
+
+	else
+		fprintf(stderr, "%.06f weird: %s (%s)\n", network_time, name, addl);
+	}
+
+void Connection::Weird(const char* name, int addl_len, const char* addl)
+	{
+	weird = 1;
+	if ( conn_weird_addl )
+		{
+		val_list* vl = new val_list(3);
+
+		vl->append(new StringVal(name));
+		vl->append(BuildConnVal());
+		vl->append(new StringVal(addl_len, addl));
+
+		ConnectionEvent(conn_weird_addl, 0, vl);
+		}
+
+	else
+		{
+		fprintf(stderr, "%.06f weird: %s (", network_time, name);
+		for ( int i = 0; i < addl_len; ++i )
+			fputc(addl[i], stderr);
+		fprintf(stderr, ")\n");
+		}
+	}
+
+void Connection::AddTimer(timer_func timer, double t, int do_expire,
+		TimerType type)
+	{
+	if ( timers_canceled )
+		return;
+
+	// If the key is cleared, the connection isn't stored in the connection
+	// table anymore and will soon be deleted. We're not installing new
+	// timers anymore then.
+	if ( ! key )
+		return;
+
+	Timer* conn_timer = new ConnectionTimer(this, timer, t, do_expire, type);
+	GetTimerMgr()->Add(conn_timer);
+	timers.append(conn_timer);
+	}
+
+void Connection::RemoveTimer(Timer* t)
+	{
+	timers.remove(t);
+	}
+
+void Connection::CancelTimers()
+	{
+	// We are going to cancel our timers which, in turn, may cause them to
+	// call RemoveTimer(), which would then modify the list we're just
+	// traversing. Thus, we first make a copy of the list which we then
+	// iterate through.
+	timer_list tmp(timers.length());
+	loop_over_list(timers, j)
+		tmp.append(timers[j]);
+
+	loop_over_list(tmp, i)
+		GetTimerMgr()->Cancel(tmp[i]);
+
+	timers_canceled = 1;
+	timers.clear();
+	}
+
+TimerMgr* Connection::GetTimerMgr() const
+	{
+	if ( ! conn_timer_mgr )
+		// Global manager.
+		return timer_mgr;
+
+	// We need to check whether the local timer manager still exists;
+	// it may have already been timed out, in which case we fall back
+	// to the global manager (though this should be rare).
+	TimerMgr* local_mgr = sessions->LookupTimerMgr(conn_timer_mgr, false);
+	return local_mgr ? local_mgr : timer_mgr;
+	}
+
+void Connection::FlipRoles()
+	{
+	uint32 tmp_addr[NUM_ADDR_WORDS];
+	copy_addr(resp_addr, tmp_addr);
+	copy_addr(orig_addr, resp_addr);
+	copy_addr(tmp_addr, orig_addr);
+
+	uint32 tmp_port = resp_port;
+	resp_port = orig_port;
+	orig_port = tmp_port;
+
+	RecordVal* tmp_rc = resp_endp;
+	resp_endp = orig_endp;
+	orig_endp = tmp_rc;
+
+	Unref(conn_val);
+	conn_val = 0;
+
+	if ( root_analyzer )
+		root_analyzer->FlipRoles();
+	}
+
+int Connection::RewritingTrace()
+	{
+	return root_analyzer ? root_analyzer->RewritingTrace() : 0;
+	}
+
+Rewriter* Connection::TraceRewriter() const
+	{
+	return root_analyzer ? root_analyzer->TraceRewriter() : 0;
+	}
+
+unsigned int Connection::MemoryAllocation() const
+	{
+	return padded_sizeof(*this)
+		+ (key ? key->MemoryAllocation() : 0)
+		+ (timers.MemoryAllocation() - padded_sizeof(timers))
+		+ (conn_val ? conn_val->MemoryAllocation() : 0)
+		+ (root_analyzer ? root_analyzer->MemoryAllocation(): 0)
+		// login_conn is just a casted 'this'.
+		// primary_PIA is already contained in the analyzer tree.
+		;
+	}
+
+unsigned int Connection::MemoryAllocationConnVal() const
+	{
+	return conn_val ? conn_val->MemoryAllocation() : 0;
+	}
+
+void Connection::Describe(ODesc* d) const
+	{
+	d->Add(start_time);
+	d->Add("(");
+	d->Add(last_time);
+	d->AddSP(")");
+
+	switch ( proto ) {
+		case TRANSPORT_TCP:
+			d->Add("TCP");
+			break;
+
+		case TRANSPORT_UDP:
+			d->Add("UDP");
+			break;
+
+		case TRANSPORT_ICMP:
+			d->Add("ICMP");
+			break;
+
+		case TRANSPORT_UNKNOWN:
+			internal_error("unknown transport in Connction::Describe()");
+			break;
+		}
+
+	d->SP();
+	d->Add(dotted_addr(orig_addr));
+	d->Add(":");
+	d->Add(ntohs(orig_port));
+
+	d->SP();
+	d->AddSP("->");
+
+	d->Add(dotted_addr(resp_addr));
+	d->Add(":");
+	d->Add(ntohs(resp_port));
+
+	d->NL();
+	}
+
+bool Connection::Serialize(SerialInfo* info) const
+	{
+	return SerialObj::Serialize(info);
+	}
+
+Connection* Connection::Unserialize(UnserialInfo* info)
+	{
+	return (Connection*) SerialObj::Unserialize(info, SER_CONNECTION);
+	}
+
+bool Connection::DoSerialize(SerialInfo* info) const
+	{
+	DO_SERIALIZE(SER_CONNECTION, BroObj);
+
+	// First we write the members which are needed to
+	// create the HashKey.
+	for ( int j = 0; j < NUM_ADDR_WORDS; ++j )
+		if ( ! SERIALIZE(orig_addr[j]) || ! SERIALIZE(resp_addr[j]) )
+			return false;
+
+	if ( ! SERIALIZE(orig_port) || ! SERIALIZE(resp_port) )
+		return false;
+
+	if ( ! SERIALIZE(timers.length()) )
+		return false;
+
+	loop_over_list(timers, i)
+		if ( ! timers[i]->Serialize(info) )
+			return false;
+
+	SERIALIZE_OPTIONAL(conn_val);
+	SERIALIZE_OPTIONAL(orig_endp);
+	SERIALIZE_OPTIONAL(resp_endp);
+
+	// FIXME: RuleEndpointState not yet serializable.
+	// FIXME: Analyzers not yet serializable.
+
+	return
+		SERIALIZE(int(proto)) &&
+		SERIALIZE(history) &&
+		SERIALIZE(hist_seen) &&
+		SERIALIZE(start_time) &&
+		SERIALIZE(last_time) &&
+		SERIALIZE(inactivity_timeout) &&
+		SERIALIZE(suppress_event) &&
+		SERIALIZE(login_conn != 0) &&
+		SERIALIZE_BIT(installed_status_timer) &&
+		SERIALIZE_BIT(timers_canceled) &&
+		SERIALIZE_BIT(is_active) &&
+		SERIALIZE_BIT(skip) &&
+		SERIALIZE_BIT(weird) &&
+		SERIALIZE_BIT(finished) &&
+		SERIALIZE_BIT(record_packets) &&
+		SERIALIZE_BIT(record_contents) &&
+		SERIALIZE_BIT(persistent);
+	}
+
+bool Connection::DoUnserialize(UnserialInfo* info)
+	{
+	// Make sure this is initialized for the condition in Unserialize().
+	persistent = 0;
+
+	DO_UNSERIALIZE(BroObj);
+
+	// Build the hash key first. Some of the recursive *::Unserialize()
+	// functions may need it.
+	for ( int i = 0; i < NUM_ADDR_WORDS; ++i )
+		if ( ! UNSERIALIZE(&orig_addr[i]) || ! UNSERIALIZE(&resp_addr[i]) )
+			goto error;
+
+	if ( ! UNSERIALIZE(&orig_port) || ! UNSERIALIZE(&resp_port) )
+		goto error;
+
+	ConnID id;
+	id.src_addr = orig_addr;
+	id.dst_addr = resp_addr;
+	// This doesn't work for ICMP. But I guess this is not really important.
+	id.src_port = orig_port;
+	id.dst_port = resp_port;
+	id.is_one_way = 0;	// ### incorrect for ICMP
+	key = id.BuildConnKey();
+
+	int len;
+	if ( ! UNSERIALIZE(&len) )
+		goto error;
+
+	while ( len-- )
+		{
+		Timer* t = Timer::Unserialize(info);
+		if ( ! t )
+			goto error;
+		timers.append(t);
+		}
+
+	UNSERIALIZE_OPTIONAL(conn_val,
+			(RecordVal*) Val::Unserialize(info, connection_type));
+	UNSERIALIZE_OPTIONAL(orig_endp,
+			(RecordVal*) Val::Unserialize(info, endpoint));
+	UNSERIALIZE_OPTIONAL(resp_endp,
+			(RecordVal*) Val::Unserialize(info, endpoint));
+
+	int iproto;
+
+	if ( ! (UNSERIALIZE(&iproto) &&
+		UNSERIALIZE(&history) &&
+		UNSERIALIZE(&hist_seen) &&
+		UNSERIALIZE(&start_time) &&
+		UNSERIALIZE(&last_time) &&
+		UNSERIALIZE(&inactivity_timeout) &&
+		UNSERIALIZE(&suppress_event)) )
+		goto error;
+
+	proto = static_cast<TransportProto>(iproto);
+
+	bool has_login_conn;
+	if ( ! UNSERIALIZE(&has_login_conn) )
+		goto error;
+
+	login_conn = has_login_conn ? (LoginConn*) this : 0;
+
+	UNSERIALIZE_BIT(installed_status_timer);
+	UNSERIALIZE_BIT(timers_canceled);
+	UNSERIALIZE_BIT(is_active);
+	UNSERIALIZE_BIT(skip);
+	UNSERIALIZE_BIT(weird);
+	UNSERIALIZE_BIT(finished);
+	UNSERIALIZE_BIT(record_packets);
+	UNSERIALIZE_BIT(record_contents);
+	UNSERIALIZE_BIT(persistent);
+
+	// Hmm... Why does each connection store a sessions ptr?
+	sessions = ::sessions;
+
+	root_analyzer = 0;
+	primary_PIA = 0;
+	conn_timer_mgr = 0;
+
+	return true;
+
+error:
+	abort();
+	CancelTimers();
+	return false;
+	}
+
+void Connection::SetRootAnalyzer(TransportLayerAnalyzer* analyzer, PIA* pia)
+	{
+	root_analyzer = analyzer;
+	primary_PIA = pia;
+	}
diff --git a/src/Conn.h b/src/Conn.h
new file mode 100644
index 0000000000..bbe3c2b3f6
--- /dev/null
+++ b/src/Conn.h
@@ -0,0 +1,400 @@
+// $Id: Conn.h 6916 2009-09-24 20:48:36Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#ifndef conn_h
+#define conn_h
+
+#include <sys/types.h>
+
+#include "Dict.h"
+#include "Val.h"
+#include "Timer.h"
+#include "Serializer.h"
+#include "PersistenceSerializer.h"
+#include "RuleMatcher.h"
+#include "AnalyzerTags.h"
+
+class Connection;
+class ConnectionTimer;
+class NetSessions;
+class LoginConn;
+class RuleHdrTest;
+class Specific_RE_Matcher;
+class TransportLayerAnalyzer;
+class RuleEndpointState;
+class Rewriter;
+
+typedef enum {
+	NUL_IN_LINE,
+	SINGULAR_CR,
+	SINGULAR_LF,
+	NUM_EVENTS_TO_FLAG,
+} ConnEventToFlag;
+
+typedef void (Connection::*timer_func)(double t);
+
+struct ConnID {
+	const uint32* src_addr;
+	const uint32* dst_addr;
+	uint32 src_port;
+	uint32 dst_port;
+	bool is_one_way;	// if true, don't canonicalize
+
+	// Returns a ListVal suitable for looking up a connection in
+	// a hash table.  addr/ports are expected to be in network order.
+	// Unless is_one_way is true, the lookup sorts src and dst,
+	// so src_addr/src_port and dst_addr/dst_port just have to
+	// reflect the two different sides of the connection,
+	// neither has to be the particular source/destination
+	// or originator/responder.
+	HashKey* BuildConnKey() const;
+
+	// The structure used internally for hashing.
+	struct Key {
+		uint32 ip1[NUM_ADDR_WORDS];
+		uint32 ip2[NUM_ADDR_WORDS];
+		uint16 port1;
+		uint16 port2;
+	};
+};
+
+static inline int addr_port_canon_lt(const uint32* a1, uint32 p1,
+					const uint32* a2, uint32 p2)
+	{
+#ifdef BROv6
+	// Because it's a canonical ordering, not a strict ordering,
+	// we can choose to give more weight to the least significant
+	// word than to the most significant word.  This matters
+	// because for the common case of IPv4 addresses embedded in
+	// a IPv6 address, the top three words are identical, so we can
+	// save a few cycles by first testing the bottom word.
+	return a1[3] < a2[3] ||
+		(a1[3] == a2[3] &&
+		 (a1[2] < a2[2] ||
+		  (a1[2] == a2[2] &&
+		   (a1[1] < a2[1] ||
+		    (a1[1] == a2[1] &&
+		     (a1[0] < a2[0] ||
+		      (a1[0] == a2[0] &&
+		       p1 < p2)))))));
+#else
+	return *a1 < *a2 || (*a1 == *a2 && p1 < p2);
+#endif
+	}
+
+class Analyzer;
+
+class Connection : public BroObj {
+public:
+	Connection(NetSessions* s, HashKey* k, double t, const ConnID* id);
+	virtual ~Connection();
+
+	// Invoked when connection is about to be removed.  Use Ref(this)
+	// inside Done to keep the connection object around (though it'll
+	// no longer be accessible from the dictionary of active
+	// connections).
+	void Done();
+
+	// Process the connection's next packet.  "data" points just
+	// beyond the IP header.  It's updated to point just beyond
+	// the transport header (or whatever should be saved, if we
+	// decide not to save the full packet contents).
+	//
+	// If record_packet is true, the packet should be recorded.
+	// If record_content is true, then its entire contents should
+	// be recorded, otherwise just up through the transport header.
+	// Both are assumed set to true when called.
+	void NextPacket(double t, int is_orig,
+			const IP_Hdr* ip, int len, int caplen,
+			const u_char*& data,
+			int& record_packet, int& record_content,
+			// arguments for reproducing packets
+			const struct pcap_pkthdr* hdr,
+			const u_char* const pkt,
+			int hdr_size);
+
+	HashKey* Key() const			{ return key; }
+	void ClearKey()				{ key = 0; }
+
+	double StartTime() const		{ return start_time; }
+	void  SetStartTime(double t)		{ start_time = t; }
+	double LastTime() const			{ return last_time; }
+	void SetLastTime(double t) 		{ last_time = t; }
+
+	const uint32* OrigAddr() const		{ return orig_addr; }
+	const uint32* RespAddr() const		{ return resp_addr; }
+
+	uint32 OrigPort() const			{ return orig_port; }
+	uint32 RespPort() const			{ return resp_port; }
+
+	void FlipRoles();
+
+	Analyzer* FindAnalyzer(AnalyzerID id);
+	Analyzer* FindAnalyzer(AnalyzerTag::Tag tag);	// find first in tree.
+
+	TransportProto ConnTransport() const { return proto; }
+
+	// If we are rewriting the trace of the connection, then we do
+	// not record original packets. We are rewriting if at least one,
+	// then the analyzer is rewriting.
+	int RewritingTrace();
+
+	// If we are rewriting trace, we need a handle to the rewriter.
+	// Returns 0 if not rewriting.  (Note that if multiple analyzers
+	// want to rewrite, only one of them is returned.  It's undefined
+	// which one.)
+	Rewriter* TraceRewriter() const;
+
+	// True if we should record subsequent packets (either headers or
+	// in their entirety, depending on record_contents).  We still
+	// record subsequent SYN/FIN/RST, regardless of how this is set.
+	int RecordPackets() const		{ return record_packets; }
+	void SetRecordPackets(int do_record)	{ record_packets = do_record; }
+
+	// True if we should record full packets for this connection,
+	// false if we should just record headers.
+	int RecordContents() const		{ return record_contents; }
+	void SetRecordContents(int do_record)	{ record_contents = do_record; }
+
+	// Set whether to record *current* packet header/full.
+	void SetRecordCurrentPacket(int do_record)
+		{ record_current_packet = do_record; }
+	void SetRecordCurrentContent(int do_record)
+		{ record_current_content = do_record; }
+
+	// FIXME: Now this is in Analyzer and should eventually be removed here.
+	//
+	// If true, skip processing of remainder of connection.  Note
+	// that this does not in itself imply that record_packets is false;
+	// we might want instead to process the connection off-line.
+	void SetSkip(int do_skip)		{ skip = do_skip; }
+	int Skipping() const			{ return skip; }
+
+	// Arrange for the connection to expire after the given amount of time.
+	void SetLifetime(double lifetime);
+
+	// Returns true if the packet reflects a reuse of this
+	// connection (i.e., not a continuation but the beginning of
+	// a new connection).
+	bool IsReuse(double t, const u_char* pkt);
+
+	// Get/set the inactivity timeout for this connection.
+	void SetInactivityTimeout(double timeout);
+	double InactivityTimeout() const	{ return inactivity_timeout; }
+
+	// Activate connection_status_update timer.
+	void EnableStatusUpdateTimer();
+
+	RecordVal* BuildConnVal();
+	void AppendAddl(const char* str);
+
+	LoginConn* AsLoginConn()		{ return login_conn; }
+
+	void Match(Rule::PatternType type, const u_char* data, int len,
+			bool is_orig, bool bol, bool eol, bool clear_state);
+
+	// Tries really hard to extract a program name and a version.
+	Val* BuildVersionVal(const char* s, int len);
+
+	// Raises a software_version_found event based on the
+	// given string (returns false if it's not parseable).
+	int VersionFoundEvent(const uint32* addr, const char* s, int len,
+				Analyzer* analyzer = 0);
+
+	// Raises a software_unparsed_version_found event.
+	int UnparsedVersionFoundEvent(const uint32* addr,
+			const char* full_descr, int len, Analyzer* analyzer);
+	
+	void Event(EventHandlerPtr f, Analyzer* analyzer, const char* name = 0);
+	void Event(EventHandlerPtr f, Analyzer* analyzer, Val* v1, Val* v2 = 0);
+	void ConnectionEvent(EventHandlerPtr f, Analyzer* analyzer,
+				val_list* vl);
+
+	void Weird(const char* name);
+	void Weird(const char* name, const char* addl);
+	void Weird(const char* name, int addl_len, const char* addl);
+	bool DidWeird() const	{ return weird != 0; }
+
+	// Cancel all associated timers.
+	void CancelTimers();
+
+	inline int FlagEvent(ConnEventToFlag e)
+		{
+		if ( e >= 0 && e < NUM_EVENTS_TO_FLAG )
+			{
+			if ( suppress_event & (1 << e) )
+				return 0;
+			suppress_event |= 1 << e;
+			}
+
+		return 1;
+		}
+
+	void MakePersistent()
+		{
+		persistent = 1;
+		persistence_serializer->Register(this);
+		}
+
+	bool IsPersistent()	{ return persistent; }
+
+	void Describe(ODesc* d) const;
+
+	TimerMgr* GetTimerMgr() const;
+
+	// Returns true if connection has been received externally.
+	bool IsExternal() const	{ return conn_timer_mgr != 0; }
+
+	bool Serialize(SerialInfo* info) const;
+	static Connection* Unserialize(UnserialInfo* info);
+
+	DECLARE_SERIAL(Connection);
+
+	// Statistics.
+
+	// Just a lower bound.
+	unsigned int MemoryAllocation() const;
+	unsigned int MemoryAllocationConnVal() const;
+
+	static unsigned int TotalConnections()
+		{ return total_connections; }
+	static unsigned int CurrentConnections()
+		{ return current_connections; }
+	static unsigned int CurrentExternalConnections()
+		{ return external_connections; }
+
+	// Returns true if the history was already seen, false otherwise.
+	int CheckHistory(uint32 mask, char code)
+		{
+		if ( (hist_seen & mask) == 0 )
+			{
+			hist_seen |= mask;
+			AddHistory(code);
+			return false;
+			}
+		else
+			return true;
+		}
+
+	void AddHistory(char code)	{ history += code; }
+
+	void DeleteTimer(double t);
+
+	// Sets the root of the analyzer tree as well as the primary PIA.
+	void SetRootAnalyzer(TransportLayerAnalyzer* analyzer, PIA* pia);
+	TransportLayerAnalyzer* GetRootAnalyzer()	{ return root_analyzer; }
+	PIA* GetPrimaryPIA()	{ return primary_PIA; }
+
+	// Sets the transport protocol in use.
+	void SetTransport(TransportProto arg_proto)	{ proto = arg_proto; }
+
+	// If the connection compressor is activated, we need a special memory
+	// layout for connections. (See ConnCompressor.h)
+	void* operator new(size_t size)
+		{
+		if ( ! use_connection_compressor )
+			return ::operator new(size);
+
+		void* c = ::operator new(size + 4);
+
+		// We have to turn off the is_pending bit.  By setting the
+		// first four bytes to zero, we'll achieve this.
+		*((uint32*) c) = 0;
+
+		return ((char *) c) + 4;
+		}
+
+	void operator delete(void* ptr)
+		{
+		if ( ! use_connection_compressor )
+			::operator delete(ptr);
+		else
+			::operator delete(((char*) ptr) - 4);
+		}
+
+protected:
+	Connection()	{ persistent = 0; }
+
+	// Add the given timer to expire at time t.  If do_expire
+	// is true, then the timer is also evaluated when Bro terminates,
+	// otherwise not.
+	void AddTimer(timer_func timer, double t, int do_expire,
+			TimerType type);
+
+	void RemoveTimer(Timer* t);
+
+	// Allow other classes to access pointers to these:
+	friend class ConnectionTimer;
+
+	void InactivityTimer(double t);
+	void StatusUpdateTimer(double t);
+	void RemoveConnectionTimer(double t);
+
+	NetSessions* sessions;
+	HashKey* key;
+
+	// Timer manager to use for this conn (or nil).
+	TimerMgr::Tag* conn_timer_mgr;
+	timer_list timers;
+
+	uint32 orig_addr[NUM_ADDR_WORDS];	// in network order
+	uint32 resp_addr[NUM_ADDR_WORDS];	// in network order
+	uint32 orig_port, resp_port;	// in network order
+	TransportProto proto;
+	double start_time, last_time;
+	double inactivity_timeout;
+	RecordVal* conn_val;
+	RecordVal* orig_endp;
+	RecordVal* resp_endp;
+	LoginConn* login_conn;	// either nil, or this
+	int suppress_event;	// suppress certain events to once per conn.
+
+	unsigned int installed_status_timer:1;
+	unsigned int timers_canceled:1;
+	unsigned int is_active:1;
+	unsigned int skip:1;
+	unsigned int weird:1;
+	unsigned int finished:1;
+	unsigned int record_packets:1, record_contents:1;
+	unsigned int persistent:1;
+	unsigned int record_current_packet:1, record_current_content:1;
+
+	// Count number of connections.
+	static unsigned int total_connections;
+	static unsigned int current_connections;
+	static unsigned int external_connections;
+
+	string history;
+	uint32 hist_seen;
+
+	TransportLayerAnalyzer* root_analyzer;
+	PIA* primary_PIA;
+};
+
+class ConnectionTimer : public Timer {
+public:
+	ConnectionTimer(Connection* arg_conn, timer_func arg_timer,
+			double arg_t, int arg_do_expire, TimerType arg_type)
+		: Timer(arg_t, arg_type)
+		{ Init(arg_conn, arg_timer, arg_do_expire); }
+	virtual ~ConnectionTimer();
+
+	void Dispatch(double t, int is_expire);
+
+protected:
+	ConnectionTimer()	{}
+
+	void Init(Connection* conn, timer_func timer, int do_expire);
+
+	DECLARE_SERIAL(ConnectionTimer);
+
+	Connection* conn;
+	timer_func timer;
+	int do_expire;
+};
+
+#define ADD_TIMER(timer, t, do_expire, type) \
+	AddTimer(timer_func(timer), (t), (do_expire), (type))
+
+#endif
diff --git a/src/ConnCompressor.cc b/src/ConnCompressor.cc
new file mode 100644
index 0000000000..f38c0dcb89
--- /dev/null
+++ b/src/ConnCompressor.cc
@@ -0,0 +1,1029 @@
+// $Id: ConnCompressor.cc 7008 2010-03-25 02:42:20Z vern $
+
+#include <arpa/inet.h>
+
+#include "ConnCompressor.h"
+#include "Event.h"
+#include "net_util.h"
+
+// The basic model of the compressor is to wait for an answer before
+// instantiating full connection state.  Until we see a reply, only a minimal
+// amount of state is stored.  This has some consequences:
+//
+// - We try to mimic TCP.cc as close as possible, but this works only to a
+//   certain degree; e.g., we don't consider any of the wait-a-bit-after-
+//   the-connection-has-been-closed timers. That means we will get differences
+//   in connection semantics if the compressor is turned on. On the other
+//   hand, these differences will occur only for not well-established
+//   sessions, and experience shows that for these kinds of connections
+//   semantics are ill-defined in any case.
+//
+// - If an originator sends multiple different packets before we see a reply,
+//   we lose the information about additional packets (more precisely, we
+//   merge the packet headers into one). In particular, we lose any payload.
+//   This is a major problem if we see only one direction of a connection.
+//   When analyzing only SYN/FIN/RSTs this leads to differences if we miss
+//   the SYN/ACK.
+//
+//   To avoid losing payload, there is the option cc_instantiate_on_data:
+//   if enabled and the originator sends a non-control packet after the
+//   initial packet, we instantiate full connection state.
+//
+// - We lose some of the information contained in initial packets (e.g., most
+//   IP/TCP options and any payload). If you depend on them, you don't
+//   want to use the compressor.
+//
+//   Optionally, the compressor can take care only of initial SYNs and
+//   instantiate full connection state for all other connection setups.
+//   To enable, set cc_handle_only_syns to true.
+//
+// - The compressor may handle refused connections (i.e., initial packets
+//   followed by RST from responder) itself. Again, this leads to differences
+//   from default TCP processing and is therefore turned off by default.
+//   To enable, set cc_handle_resets to true.
+//
+// - We don't match signatures on connections which are completely handled
+//   by the compressor. Matching would require significant additional state
+//   w/o being very helpful.
+//
+// - Trace rewriting doesn't work if the compressor is turned on (this is
+//   not a conceptual problem, but simply not implemented).
+
+
+#ifdef DEBUG
+static inline const char* fmt_conn_id(const ConnCompressor::PendingConn* c)
+	{
+	if ( c->ip1_is_src )
+		return fmt_conn_id(c->key.ip1, c->key.port1,
+					c->key.ip2, c->key.port2);
+	else
+		return fmt_conn_id(c->key.ip2, c->key.port2,
+					c->key.ip1, c->key.port1);
+	}
+
+static inline const char* fmt_conn_id(const Connection* c)
+	{
+	return fmt_conn_id(c->OrigAddr(), c->OrigPort(),
+				c->RespAddr(), c->RespPort());
+	}
+
+static inline const char* fmt_conn_id(const IP_Hdr* ip)
+	{
+	const struct tcphdr* tp = (const struct tcphdr*) ip->Payload();
+	return fmt_conn_id(ip->SrcAddr(), tp->th_sport,
+				ip->DstAddr(), tp->th_dport);
+	}
+#endif
+
+ConnCompressor::ConnCompressor()
+	{
+	first_block = last_block = 0;
+	first_non_expired = 0;
+	conn_val = 0;
+
+	sizes.connections = sizes.connections_total = 0;
+	sizes.pending_valid = sizes.pending_total = sizes.pending_in_mem = 0;
+	sizes.hash_table_size = 0;
+	sizes.memory = 0;
+	}
+
+ConnCompressor::~ConnCompressor()
+	{
+	Block* next;
+	for ( Block* b = first_block; b; b = next )
+		{
+		next = b->next;
+		delete b;
+		}
+	}
+
+Connection* ConnCompressor::NextPacket(double t, HashKey* key, const IP_Hdr* ip,
+		const struct pcap_pkthdr* hdr, const u_char* const pkt)
+	{
+	// Expire old stuff.
+	DoExpire(t);
+
+	// Most sanity checks on header sizes are already done ...
+	const struct tcphdr* tp = (const struct tcphdr*) ip->Payload();
+
+	// ... except this one.
+	uint32 tcp_hdr_len = tp->th_off * 4;
+	if ( tcp_hdr_len > uint32(ip->TotalLen() - ip->HdrLen()) )
+		{
+		sessions->Weird("truncated_header", hdr, pkt);
+		delete key;
+		return 0;
+		}
+
+	bool external = current_iosrc->GetCurrentTag();
+	ConnData* c = conns.Lookup(key);
+
+	Unref(conn_val);
+	conn_val = 0;
+
+	// Do we already have a Connection object?
+	if ( c && IsConnPtr(c) )
+		{
+		Connection* conn = MakeConnPtr(c);
+		int consistent = 1;
+
+		if ( external )
+			{
+			// External, and we already have a full connection.
+			// That means we use the same logic as in NetSessions
+			// to compare the tags.
+			consistent = sessions->CheckConnectionTag(conn);
+			if ( consistent < 0 )
+				{
+				delete key;
+				return 0;
+				}
+			}
+
+		if ( ! consistent || conn->IsReuse(t, ip->Payload()) )
+			{
+			if ( consistent )
+				{
+				DBG_LOG(DBG_COMPRESSOR, "%s reuse", fmt_conn_id(conn));
+				conn->Event(connection_reused, 0);
+				}
+
+			sessions->Remove(conn);
+			--sizes.connections;
+
+			return Instantiate(t, key, ip);
+			}
+
+		DBG_LOG(DBG_COMPRESSOR, "%s pass through", fmt_conn_id(conn));
+		delete key;
+		return conn;
+		}
+
+	PendingConn* pending = c ? MakePendingConnPtr(c) : 0;
+
+	if ( c && external )
+		{
+		// External, but previous packets were not, i.e., they used
+		// the global timer queue.  We finish the old connection
+		// and instantiate a full one now.
+		DBG_LOG(DBG_TM, "got packet with tag %s for already"
+				"known cc connection, instantiating full conn",
+				current_iosrc->GetCurrentTag()->c_str());
+
+		Event(pending, 0, connection_attempt,
+			TCP_ENDPOINT_INACTIVE, 0, TCP_ENDPOINT_INACTIVE);
+		Event(pending, 0, connection_state_remove,
+			TCP_ENDPOINT_INACTIVE, 0, TCP_ENDPOINT_INACTIVE);
+		Remove(key);
+
+		return Instantiate(t, key, ip);
+		}
+
+	if ( c && pending->invalid &&
+	     network_time < pending->time + tcp_session_timer )
+		{
+		// The old connection has terminated sooner than
+		// tcp_session_timer.  We assume this packet to be
+		// a latecomer, and ignore it.
+		DBG_LOG(DBG_COMPRESSOR, "%s ignored", fmt_conn_id(pending));
+		sessions->DumpPacket(hdr, pkt);
+		delete key;
+		return 0;
+		}
+
+	// Simulate tcp_{reset,close}_delay for initial FINs/RSTs
+	if ( c && ! pending->invalid &&
+	     ((pending->FIN && pending->time + tcp_close_delay < t ) ||
+	      (pending->RST && pending->time + tcp_reset_delay < t )) )
+		{
+		DBG_LOG(DBG_COMPRESSOR, "%s closed", fmt_conn_id(pending));
+		int orig_state =
+			pending->FIN ? TCP_ENDPOINT_CLOSED : TCP_ENDPOINT_RESET;
+
+		Event(pending, 0, connection_partial_close, orig_state,
+			ip->PayloadLen() - (tp->th_off * 4),
+			TCP_ENDPOINT_INACTIVE);
+		Event(pending, 0, connection_state_remove, orig_state,
+			ip->PayloadLen() - (tp->th_off * 4),
+			TCP_ENDPOINT_INACTIVE);
+
+		Remove(key);
+
+		Connection* tc = FirstFromOrig(t, key, ip, tp);
+		if ( ! tc )
+			{
+			delete key;
+			sessions->DumpPacket(hdr, pkt);
+			}
+
+		return tc;
+		}
+
+	Connection* tc;
+
+	if ( ! c || pending->invalid )
+		{
+		// First packet of a connection.
+		if ( c )
+			Remove(key);
+
+		if ( external  )
+			// External, we directly instantiate a full connection.
+			tc = Instantiate(t, key, ip);
+		else
+			tc = FirstFromOrig(t, key, ip, tp);
+		}
+
+	else if ( addr_eq(ip->SrcAddr(), SrcAddr(pending)) &&
+		  tp->th_sport == SrcPort(pending) )
+		// Another packet from originator.
+		tc = NextFromOrig(pending, t, key, tp);
+
+	else
+		// A reply.
+		tc = Response(pending, t, key, ip, tp);
+
+	if ( ! tc )
+		{
+		delete key;
+		sessions->DumpPacket(hdr, pkt);
+		}
+
+	return tc;
+	}
+
+static int parse_tcp_options(unsigned int opt, unsigned int optlen,
+				const u_char* option, TCP_Analyzer* analyzer,
+				bool is_orig, void* cookie)
+	{
+	ConnCompressor::PendingConn* c = (ConnCompressor::PendingConn*) cookie;
+
+	// We're only interested in window_scale.
+	if ( opt == 3 )
+		c->window_scale = option[2];
+
+	return 0;
+	}
+
+Connection* ConnCompressor::FirstFromOrig(double t, HashKey* key,
+					const IP_Hdr* ip, const tcphdr* tp)
+	{
+	if ( cc_handle_only_syns && ! (tp->th_flags & TH_SYN) )
+		return Instantiate(t, key, ip);
+
+	// The first packet of a connection.
+	PendingConn* pending = MakeNewState(t);
+	PktHdrToPendingConn(t, key, ip, tp, pending);
+
+	DBG_LOG(DBG_COMPRESSOR, "%s our", fmt_conn_id(pending));
+
+	// The created DictEntry will point directly into our PendingConn.
+	// So, we have to be careful when we delete it.
+	conns.Dictionary::Insert(&pending->key, sizeof(pending->key),
+				pending->hash, MakeMapPtr(pending), 0);
+
+	// Mimic some of TCP_Analyzer's weirds for SYNs.
+	// To be completely precise, we'd need to check this at a few
+	// more locations in NextFromOrig() and Reply().  However, that
+	// does not really seem worth it, as this is the standard case.
+	if ( tp->th_flags & TH_SYN )
+		{
+		if ( tp->th_flags & TH_RST )
+			Weird(pending, t, "TCP_christmas");
+
+		if ( tp->th_flags & TH_URG )
+			Weird(pending, t, "baroque_SYN");
+
+		int len = ip->TotalLen() - ip->HdrLen() - tp->th_off * 4;
+
+		if ( len > 0 )
+			// T/TCP definitely complicates this.
+			Weird(pending, t, "SYN_with_data");
+		}
+
+	if ( tp->th_flags & TH_FIN )
+		{
+		if ( ! (tp->th_flags & TH_SYN) )
+			Weird(pending, t, "spontaneous_FIN");
+		}
+
+	if ( tp->th_flags & TH_RST )
+		{
+		if ( ! (tp->th_flags & TH_SYN) )
+			Weird(pending, t, "spontaneous_RST");
+		}
+
+	++sizes.pending_valid;
+	++sizes.pending_total;
+	++sizes.pending_in_mem;
+
+	Event(pending, 0, new_connection,
+		TCP_ENDPOINT_INACTIVE, 0, TCP_ENDPOINT_INACTIVE);
+
+	if ( current_iosrc->GetCurrentTag() )
+		{
+		Val* tag =
+			new StringVal(current_iosrc->GetCurrentTag()->c_str());
+		Event(pending, 0, connection_external,
+			TCP_ENDPOINT_INACTIVE, 0, TCP_ENDPOINT_INACTIVE, tag);
+		}
+
+	return 0;
+	}
+
+Connection* ConnCompressor::NextFromOrig(PendingConn* pending, double t,
+						HashKey* key, const tcphdr* tp)
+	{
+	// Another packet from the same host without seeing an answer so far.
+	DBG_LOG(DBG_COMPRESSOR, "%s same again", fmt_conn_id(pending));
+
+	// New window scale overrides old - not great, this is a (subtle)
+	// evasion opportunity.
+	if ( TCP_Analyzer::ParseTCPOptions(tp, parse_tcp_options, 0, 0,
+						pending) < 0 )
+		Weird(pending, t, "corrupt_tcp_options");
+
+	if ( tp->th_flags & TH_SYN )
+		// New seq overrides old.
+		pending->seq = tp->th_seq;
+
+	// Mimic TCP_Endpoint::Size()
+	int size = ntohl(tp->th_seq) - ntohl(pending->seq);
+	if ( size != 0 )
+		--size;
+
+	if ( size != 0 && (pending->FIN || (tp->th_flags & TH_FIN)) )
+		--size;
+
+	if ( size < 0 )
+		// We only care about the size for broken connections.
+		// Surely for those it's more likely that the sequence
+		// numbers are confused than that they really transferred
+		// > 2 GB of data.  Plus, for 64-bit ints these sign-extend
+		// up to truly huge, non-sensical unsigned values.
+		size = 0;
+
+	if ( pending->SYN )
+		{
+		// We're in state SYN_SENT or SYN_ACK_SENT.
+		if ( tp->th_flags & TH_RST)
+			{
+			Event(pending, t, connection_reset,
+				TCP_ENDPOINT_RESET, size, TCP_ENDPOINT_INACTIVE);
+			Event(pending, t, connection_state_remove,
+				TCP_ENDPOINT_RESET, size, TCP_ENDPOINT_INACTIVE);
+
+			Invalidate(key);
+			return 0;
+			}
+
+		else if ( tp->th_flags & TH_FIN)
+			{
+			Event(pending, t, connection_partial_close,
+				TCP_ENDPOINT_CLOSED, size, TCP_ENDPOINT_INACTIVE);
+			Event(pending, t, connection_state_remove,
+				TCP_ENDPOINT_CLOSED, size, TCP_ENDPOINT_INACTIVE);
+			Invalidate(key);
+			return 0;
+			}
+
+		else if ( tp->th_flags & TH_SYN )
+			{
+			if ( (tp->th_flags & TH_ACK) && ! pending->ACK )
+				Weird(pending, t, "repeated_SYN_with_ack");
+			else
+				{
+				// We adjust the start-time. Unfortunately
+				// this means that we have to create a new
+				// PendingConn as all of them need to be
+				// monotonically increasing in time. This
+				// leads to some inconsistencies with TCP.cc,
+				// as by doing this we basically restart our
+				// attempt_timer.
+
+				pending = MoveState(t, pending);
+
+				// Removing is necessary because the key
+				// will be destroyed at some point.
+				conns.Remove(&pending->key, sizeof(pending->key),
+						pending->hash, true);
+				conns.Dictionary::Insert(&pending->key,
+					sizeof(pending->key), pending->hash,
+					MakeMapPtr(pending), 0);
+				}
+			}
+
+		else
+			{
+			// A data packet without seeing a SYN/ACK first. As
+			// long as we stick with the principle of instantiating
+			// state only when we see a reply, we have to throw
+			// this data away. Optionally we may instantiate a
+			// real connection now.
+
+			if ( cc_instantiate_on_data )
+				return Instantiate(key, pending);
+			// else
+			//     Weird(pending, t, "data_without_SYN_ACK");
+			}
+		}
+
+	else
+		{ // We're in state INACTIVE.
+		if ( tp->th_flags & TH_RST)
+			{
+			Event(pending, t, connection_reset,
+				TCP_ENDPOINT_RESET, size, TCP_ENDPOINT_INACTIVE);
+			Event(pending, t, connection_state_remove,
+				TCP_ENDPOINT_RESET, size, TCP_ENDPOINT_INACTIVE);
+
+			Invalidate(key);
+			return 0;
+			}
+
+		else if ( tp->th_flags & TH_FIN)
+			{
+			Event(pending, t, connection_half_finished,
+				TCP_ENDPOINT_CLOSED, size, TCP_ENDPOINT_INACTIVE);
+			Event(pending, t, connection_state_remove,
+				TCP_ENDPOINT_CLOSED, size, TCP_ENDPOINT_INACTIVE);
+
+			Invalidate(key);
+			return 0;
+			}
+
+		else if ( tp->th_flags & TH_SYN )
+			{
+			if ( ! tp->th_flags & TH_ACK )
+				{
+				Weird(pending, t, "SYN_after_partial");
+				pending->SYN = 1;
+				}
+			}
+
+		else
+			// Another data packet. See discussion above.
+			if ( cc_instantiate_on_data )
+				return Instantiate(key, pending);
+
+		// else
+		//     Weird(pending, t, "data_without_SYN_ACK");
+		}
+
+	return 0;
+	}
+
+Connection* ConnCompressor::Response(PendingConn* pending, double t,
+					HashKey* key, const IP_Hdr* ip,
+					const tcphdr* tp)
+	{
+	// The packet comes from the former responder. That means we are
+	// seeing a reply, so we are going to create a "real" connection now.
+	DBG_LOG(DBG_COMPRESSOR, "%s response", fmt_conn_id(pending));
+
+	// Optional: if it's a RST after SYN, we directly generate a
+	// connection_rejected and throw the state away.
+	if ( cc_handle_resets && (tp->th_flags & TH_RST) && pending->SYN )
+		{
+		// See discussion of size in DoExpire().
+		DBG_LOG(DBG_COMPRESSOR, "%s reset", fmt_conn_id(pending));
+
+		Event(pending, t, connection_reset,
+			TCP_ENDPOINT_SYN_SENT, 0, TCP_ENDPOINT_RESET);
+		Event(pending, t, connection_state_remove,
+			TCP_ENDPOINT_SYN_SENT, 0, TCP_ENDPOINT_RESET);
+
+		Invalidate(key);
+		return 0;
+		}
+
+	// If a connection's initial packet is a RST, Bro's standard TCP
+	// processing considers the connection done right away.  We simulate
+	// this by instantiating a second connection in this case.  The
+	// first one will time out eventually.
+	if ( pending->RST && ! pending->SYN )
+		{
+		int orig_state =
+			pending->RST ? TCP_ENDPOINT_RESET : TCP_ENDPOINT_CLOSED;
+		Event(pending, 0, connection_attempt,
+			  orig_state, 0, TCP_ENDPOINT_INACTIVE);
+		Event(pending, 0, connection_state_remove,
+			  orig_state, 0, TCP_ENDPOINT_INACTIVE);
+
+		// Override with current packet.
+		PktHdrToPendingConn(t, key, ip, tp, pending);
+		return 0;
+		}
+
+	return Instantiate(key, pending);
+	}
+
+Connection* ConnCompressor::Instantiate(HashKey* key, PendingConn* pending)
+	{
+	// Instantantiate a Connection.
+	ConnID conn_id;
+	conn_id.src_addr = SrcAddr(pending);
+	conn_id.dst_addr = DstAddr(pending);
+	conn_id.src_port = SrcPort(pending);
+	conn_id.dst_port = DstPort(pending);
+
+	pending->invalid = 1;
+	--sizes.pending_valid;
+	--sizes.pending_total;
+
+	// Fake the first packet.
+	const IP_Hdr* faked_pkt = PendingConnToPacket(pending);
+	Connection* new_conn = sessions->NewConn(key, pending->time, &conn_id,
+			faked_pkt->Payload(), IPPROTO_TCP);
+
+	if ( ! new_conn )
+		{
+		// This connection is not to be analyzed (e.g., it may be
+		// a partial one).
+		DBG_LOG(DBG_COMPRESSOR, "%s nop", fmt_conn_id(pending));
+		return 0;
+		}
+
+	DBG_LOG(DBG_COMPRESSOR, "%s instantiated", fmt_conn_id(pending));
+
+	++sizes.connections;
+	++sizes.connections_total;
+
+	if ( new_packet )
+		new_conn->Event(new_packet, 0,
+				sessions->BuildHeader(faked_pkt->IP4_Hdr()));
+
+	// NewConn() may have swapped originator and responder.
+	int is_orig = addr_eq(conn_id.src_addr, new_conn->OrigAddr()) &&
+			conn_id.src_port == new_conn->OrigPort();
+
+	// Pass the faked packet to the connection.
+	const u_char* payload = faked_pkt->Payload();
+
+	int dummy_record_packet, dummy_record_content;
+	new_conn->NextPacket(pending->time, is_orig,
+			faked_pkt, faked_pkt->PayloadLen(),
+			faked_pkt->PayloadLen(), payload,
+			dummy_record_packet, dummy_record_content, 0, 0, 0);
+
+	// Removing necessary because the key will be destroyed at some point.
+	conns.Remove(&pending->key, sizeof(pending->key), pending->hash, true);
+	conns.Insert(key, MakeMapPtr(new_conn));
+
+	return new_conn;
+	}
+
+Connection* ConnCompressor::Instantiate(double t, HashKey* key,
+						const IP_Hdr* ip)
+	{
+	const struct tcphdr* tp = (const struct tcphdr*) ip->Payload();
+
+	ConnID conn_id;
+	conn_id.src_addr = ip->SrcAddr();
+	conn_id.dst_addr = ip->DstAddr();
+	conn_id.src_port = tp->th_sport;
+	conn_id.dst_port = tp->th_dport;
+
+	Connection* new_conn =
+		sessions->NewConn(key, t, &conn_id, ip->Payload(), IPPROTO_TCP);
+
+	if ( ! new_conn )
+		{
+		// This connection is not to be analyzed (e.g., it may be
+		// a partial one).
+		DBG_LOG(DBG_COMPRESSOR, "%s nop", fmt_conn_id(ip));
+		return 0;
+		}
+
+	DBG_LOG(DBG_COMPRESSOR, "%s instantiated", fmt_conn_id(ip));
+
+	conns.Insert(key, MakeMapPtr(new_conn));
+	++sizes.connections;
+	++sizes.connections_total;
+
+	if ( new_connection )
+		new_conn->Event(new_connection, 0);
+
+	if ( current_iosrc->GetCurrentTag() )
+		{
+		Val* tag =
+			new StringVal(current_iosrc->GetCurrentTag()->c_str());
+		new_conn->Event(connection_external, 0, tag);
+		}
+
+	return new_conn;
+	}
+
+void ConnCompressor::PktHdrToPendingConn(double time, const HashKey* key,
+		const IP_Hdr* ip, const struct tcphdr* tp, PendingConn* c)
+	{
+	memcpy(&c->key, key->Key(), key->Size());
+
+	c->hash = key->Hash();
+	c->ip1_is_src = addr_eq(c->key.ip1, ip->SrcAddr()) &&
+			c->key.port1 == tp->th_sport;
+	c->time = time;
+	c->window = tp->th_win;
+	c->seq = tp->th_seq;
+	c->ack = tp->th_ack;
+	c->window_scale = 0;
+	c->SYN = (tp->th_flags & TH_SYN) != 0;
+	c->FIN = (tp->th_flags & TH_FIN) != 0;
+	c->RST = (tp->th_flags & TH_RST) != 0;
+	c->ACK = (tp->th_flags & TH_ACK) != 0;
+	c->invalid = 0;
+
+	if ( TCP_Analyzer::ParseTCPOptions(tp, parse_tcp_options, 0, 0, c) < 0 )
+		sessions->Weird("corrupt_tcp_options", ip);
+	}
+
+// Fakes an empty TCP packet based on the information in PendingConn.
+const IP_Hdr* ConnCompressor::PendingConnToPacket(const PendingConn* c)
+	{
+	static ip* ip = 0;
+	static tcphdr* tp = 0;
+	static IP_Hdr* ip_hdr = 0;
+
+	if ( ! ip )
+		{ // Initialize.  ### Note, only handles IPv4 for now.
+		int packet_length = sizeof(*ip) + sizeof(*tp);
+		ip = (struct ip*) new char[packet_length];
+		tp = (struct tcphdr*) (((char*) ip) + sizeof(*ip));
+		ip_hdr = new IP_Hdr(ip);
+
+		// Constant fields.
+		ip->ip_v = 4;
+		ip->ip_hl = sizeof(*ip) / 4;	// no options
+		ip->ip_tos = 0;
+		ip->ip_len = htons(packet_length);
+		ip->ip_id = 0;
+		ip->ip_off = 0;
+		ip->ip_ttl = 255;
+		ip->ip_p = IPPROTO_TCP;
+		ip->ip_sum = 0;	// is not going to be checked
+
+		tp->th_off = sizeof(*tp) / 4;	// no options for now
+		tp->th_urp = 0;
+		}
+
+	// Note, do *not* use copy_addr() here.  This is because we're
+	// copying to an IPv4 header, which has room for exactly and
+	// only an IPv4 address.
+#ifdef BROv6
+	if ( ! is_v4_addr(c->key.ip1) || ! is_v4_addr(c->key.ip2) )
+		internal_error("IPv6 snuck into connection compressor");
+#endif
+	*(uint32*) &ip->ip_src =
+			to_v4_addr(c->ip1_is_src ? c->key.ip1 : c->key.ip2);
+	*(uint32*) &ip->ip_dst =
+			to_v4_addr(c->ip1_is_src ? c->key.ip2 : c->key.ip1);
+
+	if ( c->ip1_is_src )
+		{
+		tp->th_sport = c->key.port1;
+		tp->th_dport = c->key.port2;
+		}
+	else
+		{
+		tp->th_sport = c->key.port2;
+		tp->th_dport = c->key.port1;
+		}
+
+	tp->th_win = c->window;
+	tp->th_seq = c->seq;
+	tp->th_ack = c->ack;
+	tp->th_flags = MakeFlags(c);
+	tp->th_sum = 0;
+	tp->th_sum = 0xffff - tcp_checksum(ip, tp, 0);
+
+	// FIXME: Add TCP options.
+	return ip_hdr;
+	}
+
+uint8 ConnCompressor::MakeFlags(const PendingConn* c) const
+	{
+	uint8 tcp_flags = 0;
+	if ( c->SYN )
+		tcp_flags |= TH_SYN;
+	if ( c->FIN )
+		tcp_flags |= TH_FIN;
+	if ( c->RST )
+		tcp_flags |= TH_RST;
+	if ( c->ACK )
+		tcp_flags |= TH_ACK;
+
+	return tcp_flags;
+	}
+
+ConnCompressor::PendingConn* ConnCompressor::MoveState(double time,
+							PendingConn* c)
+	{
+	PendingConn* nc = MakeNewState(time);
+	memcpy(nc, c, sizeof(PendingConn));
+	c->invalid = 1;
+	nc->time = time;
+	++sizes.pending_in_mem;
+	return nc;
+	}
+
+ConnCompressor::PendingConn* ConnCompressor::MakeNewState(double t)
+	{
+	// See if there is enough space in the current block.
+	if ( last_block &&
+	     int(sizeof(PendingConn)) <= BLOCK_SIZE - last_block->bytes_used )
+		{
+		PendingConn* c = (PendingConn*) &last_block->data[last_block->bytes_used];
+		last_block->bytes_used += sizeof(PendingConn);
+		c->is_pending = true;
+		return c;
+		}
+
+	// Get new block.
+	Block* b = new Block;
+	b->time = t;
+	b->bytes_used = sizeof(PendingConn);
+	b->next = 0;
+	b->prev = last_block;
+
+	if ( last_block )
+		last_block->next = b;
+	else
+		first_block = b;
+
+	last_block = b;
+
+	sizes.memory += padded_sizeof(*b);
+	PendingConn* c = (PendingConn*) &b->data;
+	c->is_pending = true;
+	return c;
+	}
+
+void ConnCompressor::DoExpire(double t)
+	{
+	while ( first_block )
+		{
+		Block* b = first_block;
+
+		unsigned char* p =
+			first_non_expired ? first_non_expired : b->data;
+
+		while ( p < b->data + b->bytes_used )
+			{
+			Unref(conn_val);
+			conn_val = 0;
+
+			PendingConn* c = (PendingConn*) p;
+			if ( t && (c->time + tcp_SYN_timeout > t) )
+				{
+				// All following entries are still
+				// recent enough.
+				first_non_expired = p;
+				return;
+				}
+
+			if ( ! c->invalid )
+				{
+				// Expired.
+				DBG_LOG(DBG_COMPRESSOR, "%s expire", fmt_conn_id(c));
+
+				HashKey key(&c->key, sizeof(c->key), c->hash, true);
+
+				ConnData* cd = conns.Lookup(&key);
+				if ( cd && ! IsConnPtr(cd) )
+					conns.Remove(&c->key, sizeof(c->key),
+							c->hash, true);
+
+				int orig_state = TCP_ENDPOINT_INACTIVE;
+
+				if ( c->FIN )
+					orig_state = TCP_ENDPOINT_CLOSED;
+				if ( c->RST )
+					orig_state = TCP_ENDPOINT_RESET;
+				if ( c->SYN )
+					orig_state = TCP_ENDPOINT_SYN_SENT;
+
+				// We're not able to get the correct size
+				// here (with "correct" meaning value that
+				// standard connection processing reports).
+				// We could if would also store last_seq, but
+				// doesn't seem worth it.
+
+				Event(c, 0, connection_attempt,
+					orig_state, 0, TCP_ENDPOINT_INACTIVE);
+				Event(c, 0, connection_state_remove,
+					orig_state, 0, TCP_ENDPOINT_INACTIVE);
+
+				c->invalid = 1;
+				--sizes.pending_valid;
+				}
+
+			p += sizeof(PendingConn);
+			--sizes.pending_in_mem;
+			}
+
+		// Full block expired, so delete it.
+		first_block = b->next;
+
+		if ( b->next )
+			b->next->prev = 0;
+		else
+			last_block = 0;
+
+		delete b;
+
+		first_non_expired = 0;
+		sizes.memory -= padded_sizeof(*b);
+		}
+	}
+
+void ConnCompressor::Event(const PendingConn* pending, double t,
+				const EventHandlerPtr& event, int orig_state,
+				int orig_size, int resp_state, Val* arg)
+	{
+	if ( ! conn_val )
+		{
+		if ( ! event )
+			return;
+
+		// We only raise events if NewConn() would have actually
+		// instantiated the Connection.
+		bool flip_roles;
+		if ( ! sessions->WantConnection(ntohs(SrcPort(pending)),
+						ntohs(DstPort(pending)),
+						TRANSPORT_TCP,
+						MakeFlags(pending),
+						flip_roles) )
+			return;
+
+		conn_val = new RecordVal(connection_type);
+		RecordVal* id_val = new RecordVal(conn_id);
+		RecordVal* orig_endp = new RecordVal(endpoint);
+		RecordVal* resp_endp = new RecordVal(endpoint);
+
+		if ( orig_state == TCP_ENDPOINT_INACTIVE )
+			{
+			if ( pending->SYN )
+				orig_state = pending->ACK ?
+					TCP_ENDPOINT_SYN_ACK_SENT :
+					TCP_ENDPOINT_SYN_SENT;
+			else
+				orig_state = TCP_ENDPOINT_PARTIAL;
+			}
+
+		int tcp_state = TCP_ENDPOINT_INACTIVE;
+
+		if ( ! flip_roles )
+			{
+			id_val->Assign(0, new AddrVal(SrcAddr(pending)));
+			id_val->Assign(1, new PortVal(ntohs(SrcPort(pending)),
+							TRANSPORT_TCP));
+			id_val->Assign(2, new AddrVal(DstAddr(pending)));
+			id_val->Assign(3, new PortVal(ntohs(DstPort(pending)),
+							TRANSPORT_TCP));
+			orig_endp->Assign(0, new Val(orig_size, TYPE_COUNT));
+			orig_endp->Assign(1, new Val(orig_state, TYPE_COUNT));
+			resp_endp->Assign(0, new Val(0, TYPE_COUNT));
+			resp_endp->Assign(1, new Val(resp_state, TYPE_COUNT));
+			}
+		else
+			{
+			id_val->Assign(0, new AddrVal(DstAddr(pending)));
+			id_val->Assign(1, new PortVal(ntohs(DstPort(pending)),
+							TRANSPORT_TCP));
+			id_val->Assign(2, new AddrVal(SrcAddr(pending)));
+			id_val->Assign(3, new PortVal(ntohs(SrcPort(pending)),
+							TRANSPORT_TCP));
+			orig_endp->Assign(0, new Val(0, TYPE_COUNT));
+			orig_endp->Assign(1, new Val(resp_state, TYPE_COUNT));
+			resp_endp->Assign(0, new Val(orig_size, TYPE_COUNT));
+			resp_endp->Assign(1, new Val(orig_state, TYPE_COUNT));
+			DBG_LOG(DBG_COMPRESSOR, "%s swapped direction", fmt_conn_id(pending));
+			}
+
+		conn_val->Assign(0, id_val);
+		conn_val->Assign(1, orig_endp);
+		conn_val->Assign(2, resp_endp);
+		conn_val->Assign(3, new Val(pending->time, TYPE_TIME));
+		conn_val->Assign(4, new Val(t > 0 ? t - pending->time : 0,
+					TYPE_INTERVAL));	// duration
+		conn_val->Assign(5, new TableVal(string_set));	// service
+		conn_val->Assign(6, new StringVal("cc=1"));	// addl
+		conn_val->Assign(7, new Val(0, TYPE_COUNT));	// hot
+		conn_val->Assign(8, new StringVal(""));	// history
+
+		conn_val->SetOrigin(0);
+		}
+
+	val_list* vl = new val_list;
+	if ( arg )
+		vl->append(arg);
+	vl->append(conn_val->Ref());
+
+	mgr.QueueEvent(event, vl, SOURCE_LOCAL);
+	}
+
+void ConnCompressor::Drain()
+	{
+	IterCookie* cookie = conns.InitForIteration();
+	ConnData* c;
+
+	DoExpire(0);
+
+	while ( (c = conns.NextEntry(cookie)) )
+		{
+		Unref(conn_val);
+		conn_val = 0;
+
+		if ( IsConnPtr(c) )
+			{
+			Connection* tc = MakeConnPtr(c);
+			tc->Done();
+			tc->Event(connection_state_remove, 0);
+			Unref(tc);
+			--sizes.connections;
+			}
+
+		else
+			{
+			PendingConn* pc = MakePendingConnPtr(c);
+			if ( ! pc->invalid )
+				{
+				// Same discussion for size here than
+				// in DoExpire().
+				Event(pc, 0, connection_attempt,
+					TCP_ENDPOINT_INACTIVE, 0,
+					TCP_ENDPOINT_INACTIVE);
+				Event(pc, 0, connection_state_remove,
+					TCP_ENDPOINT_INACTIVE, 0,
+					TCP_ENDPOINT_INACTIVE);
+
+				--sizes.pending_valid;
+				pc->invalid = 1;
+				}
+			}
+		}
+	}
+
+void ConnCompressor::Invalidate(HashKey* k)
+	{
+	ConnData* c = (ConnData*) conns.Lookup(k);
+
+	assert(c && ! IsConnPtr(c));
+	PendingConn* pc = MakePendingConnPtr(c);
+
+	DBG_LOG(DBG_COMPRESSOR, "%s invalidate", fmt_conn_id(pc));
+
+	if ( ! pc->invalid )
+		{
+		conns.Remove(&pc->key, sizeof(pc->key), pc->hash, true);
+		pc->invalid = 1;
+		--sizes.pending_valid;
+		}
+	}
+
+Connection* ConnCompressor::Insert(Connection* newconn)
+	{
+	HashKey* key = newconn->Key();
+	ConnData* c = conns.Lookup(key);
+	Connection* old = 0;
+
+	// Do we already have a Connection object?
+	if ( c )
+		{
+		if ( IsConnPtr(c) )
+			old = MakeConnPtr(c);
+		Remove(key);
+		}
+
+	conns.Insert(key, MakeMapPtr(newconn));
+	return old;
+	}
+
+bool ConnCompressor::Remove(HashKey* k)
+	{
+	ConnData* c = (ConnData*) conns.Lookup(k);
+	if ( ! c )
+		return false;
+
+	if ( IsConnPtr(c) )
+		{
+		DBG_LOG(DBG_COMPRESSOR, "%s remove", fmt_conn_id(MakeConnPtr(c)));
+		conns.Remove(k);
+		--sizes.connections;
+		}
+	else
+		{
+		PendingConn* pc = MakePendingConnPtr(c);
+		DBG_LOG(DBG_COMPRESSOR, "%s remove", fmt_conn_id(pc));
+
+		conns.Remove(&pc->key, sizeof(pc->key), pc->hash, true);
+
+		if ( ! pc->invalid )
+			{
+			pc->invalid = 1;
+			--sizes.pending_valid;
+			}
+		}
+
+	return true;
+	}
diff --git a/src/ConnCompressor.h b/src/ConnCompressor.h
new file mode 100644
index 0000000000..f0069024a2
--- /dev/null
+++ b/src/ConnCompressor.h
@@ -0,0 +1,237 @@
+// $Id: ConnCompressor.h 6008 2008-07-23 00:24:22Z vern $
+//
+// The ConnCompressor keeps track of the first packet seen for a conn_id using
+// only a minimal amount of memory. This helps us to avoid instantiating
+// full Connection objects for never-established sessions.
+//
+// TCP only.
+
+#ifndef CONNCOMPRESSOR_H
+#define CONNCOMPRESSOR_H
+
+#include "Conn.h"
+#include "Dict.h"
+#include "NetVar.h"
+#include "TCP.h"
+
+class ConnCompressor {
+public:
+	ConnCompressor();
+	~ConnCompressor();
+
+	// Handle next packet.  Returns 0 if packet in handled internally.
+	// Takes ownership of key.
+	Connection* NextPacket(double t, HashKey* k, const IP_Hdr* ip_hdr,
+			const struct pcap_pkthdr* hdr, const u_char* const pkt);
+
+	// Look up a connection.  Returns non-nil for connections for
+	// which a Connection object has already been instantiated.
+	Connection* Lookup(HashKey* k)
+		{
+		ConnData* c = conns.Lookup(k);
+		return c && IsConnPtr(c) ? MakeConnPtr(c) : 0;
+		}
+
+	// Inserts connection into compressor.  If another entry with this key
+	// already exists, it's replaced.  If that was a full connection, it is
+	// also returned.
+	Connection* Insert(Connection* c);
+
+	// Remove all state belonging to the given connection.  Returns
+	// true if the connection was found in the compressor's table,
+	// false if not.
+	bool Remove(HashKey* k);
+
+	// Flush state.
+	void Drain();
+
+	struct Sizes {
+		// Current number of already fully instantiated connections.
+		unsigned int connections;
+
+		// Total number of fully instantiated connections.
+		unsigned int connections_total;
+
+		// Current number of seen but non-yet instantiated connections.
+		unsigned int pending_valid;
+
+		// Total number of seen but non-yet instantiated connections.
+		unsigned int pending_total;
+
+		// Total number of all entries in pending list (some a which
+		// may already been invalid, but not yet removed from memory).
+		unsigned int pending_in_mem;
+
+		// Total number of hash table entires
+		// (should equal connections + pending_valid)
+		unsigned int hash_table_size;
+
+		// Total memory usage;
+		unsigned int memory;
+	};
+
+	const Sizes& Size()
+		{ sizes.hash_table_size = conns.Length(); return sizes; }
+
+	unsigned int MemoryAllocation() const	{ return sizes.memory; }
+
+	// As long as we have only seen packets from one side, we just
+	// store a PendingConn.
+	struct PendingConn {
+		// True if the block is indeed a PendingConn (see below).
+		unsigned int is_pending:1;
+
+		// Whether roles in key are flipped.
+		unsigned int ip1_is_src:1;
+
+		unsigned int invalid:1;	// deleted
+		int window_scale:4;
+		unsigned int SYN:1;
+		unsigned int FIN:1;
+		unsigned int RST:1;
+		unsigned int ACK:1;
+
+		double time;
+		ConnID::Key key;
+		uint32 seq;
+		uint32 ack;
+		hash_t hash;
+		uint16 window;
+	};
+
+private:
+	// Helpers to extract addrs/ports from PendingConn.
+
+	const uint32* SrcAddr(const PendingConn* c)
+		{ return c->ip1_is_src ? c->key.ip1 : c->key.ip2; }
+	const uint32* DstAddr(const PendingConn* c)
+		{ return c->ip1_is_src ? c->key.ip2 : c->key.ip1; }
+
+	uint16 SrcPort(const PendingConn* c)
+		{ return c->ip1_is_src ? c->key.port1 : c->key.port2; }
+	uint16 DstPort(const PendingConn* c)
+		{ return c->ip1_is_src ? c->key.port2 : c->key.port1; }
+
+
+	// Called for the first packet in a connection.
+	Connection* FirstFromOrig(double t, HashKey* key,
+					const IP_Hdr* ip, const tcphdr* tp);
+
+	// Called for more packets from the orginator w/o seeing a response.
+	Connection* NextFromOrig(PendingConn* pending,
+				double t, HashKey* key, const tcphdr* tp);
+
+	// Called for the first response packet. Instantiates a Connection.
+	Connection* Response(PendingConn* pending, double t, HashKey* key,
+					const IP_Hdr* ip, const tcphdr* tp);
+
+	// Instantiates a full TCP connection (invalidates pending connection).
+	Connection* Instantiate(HashKey* key, PendingConn* pending);
+
+	// Same but based on packet.
+	Connection* Instantiate(double t, HashKey* key, const IP_Hdr* ip);
+
+	// Fills the attributes of a PendingConn based on the given arguments.
+	void PktHdrToPendingConn(double time, const HashKey* key,
+		const IP_Hdr* ip, const struct tcphdr* tp, PendingConn* c);
+
+	// Fakes a TCP packet based on the available information.
+	const IP_Hdr* PendingConnToPacket(const PendingConn* c);
+
+	// For changing the timestamp of PendingConn - allocates a new one,
+	// sets the given time, and copies all other data from old.
+	PendingConn* MoveState(double time, PendingConn* old);
+
+	// Construct a TCP-flags byte.
+	uint8 MakeFlags(const PendingConn* c) const;
+
+	// Allocate room for a new (Ext)PendingConn.
+	PendingConn* MakeNewState(double t);
+
+	// Expire PendingConns.
+	void DoExpire(double t);
+
+	// Remove all state belonging to the given connection.
+	void Invalidate(HashKey* k);
+
+	// Sends the given connection_* event.  If orig_state is
+	// TCP_ENDPOINT__INACTIVE, tries to guess a better one based
+	// on pending.  If arg in non-nil, it will be used as the
+	// *first* argument of the event call (this is for conn_weird()).
+	void Event(const PendingConn* pending, double t,
+			const EventHandlerPtr& event, int orig_state,
+			int orig_size, int resp_state, Val* arg = 0);
+
+	void Weird(const PendingConn* pending, double t, const char* msg)
+		{
+		if ( conn_weird )
+			Event(pending, t, conn_weird, TCP_ENDPOINT_INACTIVE, 0,
+				TCP_ENDPOINT_INACTIVE, new StringVal(msg));
+		else
+			fprintf(stderr, "%.06f weird: %s\n", t, msg);
+		}
+
+	static const int BLOCK_SIZE = 16 * 1024;
+
+	// The memory managment for PendConns.
+	struct Block {
+		double time;
+		Block* prev;
+		Block* next;
+		int bytes_used;
+		unsigned char data[BLOCK_SIZE];
+	};
+
+	// In the connection hash table, we store pointers to both PendingConns
+	// and Connections. Thus, we need a way to differentiate between
+	// these two types. To avoid an additional indirection, we use a little
+	// hack: a pointer retrieved from the table is interpreted as a
+	// PendingConn first. However, if is_pending is false, it's in fact a
+	// Connection which starts at offset 4. The methods below help to
+	// implement this scheme transparently. An "operator new" in
+	// Connection takes care of building Connection's accordingly.
+	typedef PendingConn ConnData;
+	declare(PDict, ConnData);
+	typedef PDict(ConnData) ConnMap;
+	ConnMap conns;
+
+	static ConnData* MakeMapPtr(PendingConn* c)
+		{ assert(c->is_pending); return c; }
+
+	static ConnData* MakeMapPtr(Connection* c)
+		{
+		ConnData* p = (ConnData*) (((char*) c) - 4);
+		assert(!p->is_pending);
+		return p;
+		}
+
+	static PendingConn* MakePendingConnPtr(ConnData* c)
+		{ assert(c->is_pending); return c; }
+
+	static Connection* MakeConnPtr(ConnData* c)
+		{
+		assert(!c->is_pending);
+		return (Connection*) (((char*) c) + 4);
+		}
+
+	static bool IsConnPtr(ConnData* c)
+		{ return ! c->is_pending; }
+
+	// New blocks are inserted at the end.
+	Block* first_block;
+	Block* last_block;
+
+	// If we have already expired some entries in a block,
+	// this points to the first non-expired.
+	unsigned char* first_non_expired;
+
+	// Last "connection" that we have build.
+	RecordVal* conn_val;
+
+	// Statistics.
+	Sizes sizes;
+	};
+
+extern ConnCompressor* conn_compressor;
+
+#endif
diff --git a/src/ContentLine.cc b/src/ContentLine.cc
new file mode 100644
index 0000000000..6dd772a0f8
--- /dev/null
+++ b/src/ContentLine.cc
@@ -0,0 +1,334 @@
+// $Id: ContentLine.cc,v 1.1.2.8 2006/06/01 01:55:42 sommer Exp $
+
+#include "ContentLine.h"
+#include "TCP.h"
+
+ContentLine_Analyzer::ContentLine_Analyzer(Connection* conn, bool orig)
+: TCP_SupportAnalyzer(AnalyzerTag::ContentLine, conn, orig)
+	{
+	InitState();
+	}
+
+ContentLine_Analyzer::ContentLine_Analyzer(AnalyzerTag::Tag tag,
+						Connection* conn, bool orig)
+: TCP_SupportAnalyzer(tag, conn, orig)
+	{
+	InitState();
+	}
+
+void ContentLine_Analyzer::InitState()
+	{
+	flag_NULs = 0;
+	CR_LF_as_EOL = (CR_as_EOL | LF_as_EOL);
+	skip_deliveries = 0;
+	skip_partial = 0;
+	buf = 0;
+	seq_delivered_in_lines = 0;
+	skip_pending = 0;
+	seq = 0;
+	seq_to_skip = 0;
+	plain_delivery_length = 0;
+	is_plain = 0;
+
+	InitBuffer(0);
+	}
+
+void ContentLine_Analyzer::InitBuffer(int size)
+	{
+	if ( buf && buf_len >= size )
+		// Don't shrink the buffer, because it's not clear in that
+		// case how to deal with characters in it that no longer fit.
+		return;
+
+	if ( size < 128 )
+		size = 128;
+
+	u_char* b = new u_char[size];
+
+	if ( buf )
+		{
+		if ( offset > 0 )
+			memcpy(b, buf, offset);
+		delete [] buf;
+		}
+	else
+		{
+		offset = 0;
+		last_char = 0;
+		}
+
+	buf = b;
+	buf_len = size;
+	}
+
+ContentLine_Analyzer::~ContentLine_Analyzer()
+	{
+	delete [] buf;
+	}
+
+int ContentLine_Analyzer::HasPartialLine() const
+	{
+	return buf && offset > 0;
+	}
+
+void ContentLine_Analyzer::DeliverStream(int len, const u_char* data,
+						bool is_orig)
+	{
+	TCP_SupportAnalyzer::DeliverStream(len, data, is_orig);
+
+	if ( len <= 0 || SkipDeliveries() )
+		return;
+
+	if ( skip_partial )
+		{
+		TCP_Analyzer* tcp =
+			static_cast<TCP_ApplicationAnalyzer*>(Parent())->TCP();
+
+		if ( tcp && tcp->IsPartial() )
+			return;
+		}
+
+	if ( buf && len + offset >= buf_len )
+		{ // Make sure we have enough room to accommodate the new stuff.
+		int old_buf_len = buf_len;
+		buf_len = ((offset + len) * 3) / 2 + 1;
+
+		u_char* tmp = new u_char[buf_len];
+		for ( int i = 0; i < old_buf_len; ++i )
+			tmp[i] = buf[i];
+
+		delete [] buf;
+		buf = tmp;
+
+		if ( ! buf )
+			internal_error("out of memory delivering endpoint line");
+		}
+
+	DoDeliver(len, data);
+
+	seq += len;
+	}
+
+void ContentLine_Analyzer::Undelivered(int seq, int len, bool orig)
+	{
+	ForwardUndelivered(seq, len, orig);
+	}
+
+void ContentLine_Analyzer::EndpointEOF(bool is_orig)
+	{
+	if ( offset > 0 )
+		DeliverStream(1, (const u_char*) "\n", is_orig);
+	}
+
+void ContentLine_Analyzer::SetPlainDelivery(int length)
+	{
+	if ( length < 0 )
+		internal_error("negative length for plain delivery");
+
+	plain_delivery_length = length;
+	}
+
+void ContentLine_Analyzer::DoDeliver(int len, const u_char* data)
+	{
+	seq_delivered_in_lines = seq;
+
+	while ( len > 0 && ! SkipDeliveries() )
+		{
+		if ( (CR_LF_as_EOL & CR_as_EOL) &&
+		     last_char == '\r' && *data == '\n' )
+			{
+			// CR is already considered as EOL.
+			// Compress CRLF to just one line termination.
+			//
+			// Note, we test this prior to checking for
+			// "plain delivery" because (1) we might have
+			// made the decision to switch to plain delivery
+			// based on a line terminated with '\r' for
+			// which a '\n' then arrived, and (2) we are
+			// careful when executing plain delivery to
+			// clear last_char once we do so.
+			last_char = *data;
+			--len; ++data; ++seq;
+			++seq_delivered_in_lines;
+			}
+
+		if ( plain_delivery_length > 0 )
+			{
+			int deliver_plain = min(plain_delivery_length, len);
+
+			last_char = 0; // clear last_char
+			plain_delivery_length -= deliver_plain;
+			is_plain = 1;
+
+			ForwardStream(deliver_plain, data, IsOrig());
+
+			is_plain = 0;
+
+			data += deliver_plain;
+			len -= deliver_plain;
+			if ( len == 0 )
+				return;
+			}
+
+		if ( skip_pending > 0 )
+			SkipBytes(skip_pending);
+
+		// Note that the skipping must take place *after*
+		// the CR/LF check above, so that the '\n' of the
+		// previous line is skipped first.
+		if ( seq < seq_to_skip )
+			{
+			// Skip rest of the data and return
+			int skip_len = seq_to_skip - seq;
+			if ( skip_len > len )
+				skip_len = len;
+
+			ForwardUndelivered(seq, skip_len, IsOrig());
+
+			len -= skip_len; data += skip_len; seq += skip_len;
+			seq_delivered_in_lines += skip_len;
+			}
+
+		if ( len <= 0 )
+			break;
+
+		int n = DoDeliverOnce(len, data);
+		len -= n;
+		data += n;
+		seq += n;
+		}
+	}
+
+int ContentLine_Analyzer::DoDeliverOnce(int len, const u_char* data)
+	{
+	const u_char* data_start = data;
+
+	if ( len <= 0 )
+		return 0;
+
+	for ( ; len > 0; --len, ++data )
+		{
+		if ( offset >= buf_len )
+			InitBuffer(buf_len * 2);
+
+		int c = data[0];
+
+#define EMIT_LINE \
+	{ \
+	buf[offset] = '\0'; \
+	int seq_len = data + 1 - data_start; \
+	seq_delivered_in_lines = seq + seq_len; \
+	last_char = c; \
+	ForwardStream(offset, buf, IsOrig()); \
+	offset = 0; \
+	return seq_len; \
+	}
+
+		switch ( c ) {
+		case '\r':
+			// Look ahead for '\n'.
+			if ( len > 1 && data[1] == '\n' )
+				{
+				--len; ++data;
+				last_char = c;
+				c = data[0];
+				EMIT_LINE
+				}
+
+			else if ( CR_LF_as_EOL & CR_as_EOL )
+				EMIT_LINE
+
+			else
+				buf[offset++] = c;
+			break;
+
+		case '\n':
+			if ( last_char == '\r' )
+				{
+				--offset; // remove '\r'
+				EMIT_LINE
+				}
+
+			else if ( CR_LF_as_EOL & LF_as_EOL )
+				EMIT_LINE
+
+			else
+				{
+				if ( Conn()->FlagEvent(SINGULAR_LF) )
+					Conn()->Weird("line_terminated_with_single_LF");
+				buf[offset++] = c;
+				}
+			break;
+
+		case '\0':
+			if ( flag_NULs )
+				CheckNUL();
+			else
+				buf[offset++] = c;
+			break;
+
+		default:
+			buf[offset++] = c;
+			break;
+		}
+
+		if ( last_char == '\r' )
+			if ( Conn()->FlagEvent(SINGULAR_CR) )
+				Conn()->Weird("line_terminated_with_single_CR");
+
+		last_char = c;
+		}
+
+	return data - data_start;
+	}
+
+void ContentLine_Analyzer::CheckNUL()
+	{
+	// If this is the first byte seen on this connection,
+	// and if the connection's state is PARTIAL, then we've
+	// intercepted a keep-alive, and shouldn't complain
+	// about it.  Note that for PARTIAL connections, the
+	// starting sequence number is adjusted as though there
+	// had been an initial SYN, so we check for whether
+	// the connection has at most two bytes so far.
+
+	TCP_Analyzer* tcp =
+		static_cast<TCP_ApplicationAnalyzer*>(Parent())->TCP();
+
+	if ( tcp )
+		{
+		TCP_Endpoint* endp = IsOrig() ? tcp->Orig() : tcp->Resp();
+		if ( endp->state == TCP_ENDPOINT_PARTIAL &&
+		     endp->LastSeq() - endp->StartSeq() <= 2 )
+			; // Ignore it.
+		else
+			{
+			if ( Conn()->FlagEvent(NUL_IN_LINE) )
+				Conn()->Weird("NUL_in_line");
+			flag_NULs = 0;
+			}
+		}
+	}
+
+void ContentLine_Analyzer::SkipBytesAfterThisLine(int length)
+	{
+	// This is a little complicated because Bro has to handle
+	// both CR and CRLF as a line break. When a line is delivered,
+	// it's possible that only a CR is seen, and we may not know
+	// if an LF is following until we see the next packet.  If an
+	// LF follows, we should start skipping bytes *after* the LF.
+	// So we keep the skip as 'pending' until we see the next
+	// character in DoDeliver().
+
+	if ( last_char == '\r' )
+		skip_pending = length;
+	else
+		SkipBytes(length);
+	}
+
+void ContentLine_Analyzer::SkipBytes(int length)
+	{
+	skip_pending = 0;
+	seq_to_skip = SeqDelivered() + length;
+	}
+
diff --git a/src/ContentLine.h b/src/ContentLine.h
new file mode 100644
index 0000000000..fe18ae9f95
--- /dev/null
+++ b/src/ContentLine.h
@@ -0,0 +1,109 @@
+// $Id: ContentLine.h,v 1.1.2.9 2006/06/01 01:55:42 sommer Exp $
+//
+// Support-analyzer to split a reassembled stream into lines.
+
+#ifndef CONTENTLINE_H
+#define CONTENTLINE_H
+
+#include "TCP.h"
+
+#define CR_as_EOL 1
+#define LF_as_EOL 2
+
+class ContentLine_Analyzer : public TCP_SupportAnalyzer {
+public:
+	ContentLine_Analyzer(Connection* conn, bool orig);
+	~ContentLine_Analyzer();
+
+	// If enabled, flag (first) line with embedded NUL. Default off.
+	void SetIsNULSensitive(bool enable)
+		{ flag_NULs = enable; }
+
+	// If enabled, skip data above a hole. Default off.
+	void SetSkipPartial(bool enable)
+		{ skip_partial = enable; }
+
+	// If true, single CR / LF are considered as EOL. Default on for both.
+	void SetCRLFAsEOL(int crlf = (CR_as_EOL | LF_as_EOL))
+		{ CR_LF_as_EOL = crlf; }
+
+	int CRLFAsEOL()
+		{ return CR_LF_as_EOL ; }
+
+	int HasPartialLine() const;
+
+	bool SkipDeliveries() const
+		{ return skip_deliveries; }
+
+	void SetSkipDeliveries(int should_skip)
+		{ skip_deliveries = should_skip; }
+
+	// We actually have two delivery modes: line delivery and plain
+	// delivery for data portions which are not line-separated.
+	// SetPlainDelivery() keeps the ContentLine_Analyzer in plain delivery
+	// mode for next <length> bytes.  Plain-delivery data is also passed
+	// via DeliverStream() and can differentiated by calling
+	// IsPlainDelivery().
+	void SetPlainDelivery(int length);
+	int GetPlainDeliveryLength() const	{ return plain_delivery_length; }
+	bool IsPlainDelivery()			{ return is_plain; }
+
+	// Skip <length> bytes after this line.
+	// Can be used to skip HTTP data for performance considerations.
+	void SkipBytesAfterThisLine(int length);
+	void SkipBytes(int length);
+
+	bool IsSkippedContents(int seq, int length)
+		{ return seq + length <= seq_to_skip; }
+
+protected:
+	ContentLine_Analyzer(AnalyzerTag::Tag tag, Connection* conn, bool orig);
+
+	virtual void DeliverStream(int len, const u_char* data, bool is_orig);
+	virtual void Undelivered(int seq, int len, bool orig);
+	virtual void EndpointEOF(bool is_orig);
+
+	class State;
+	void InitState();
+	void InitBuffer(int size);
+	virtual void DoDeliver(int len, const u_char* data);
+	int DoDeliverOnce(int len, const u_char* data);
+	void CheckNUL();
+
+	// Returns the sequence number delivered so far.
+	int SeqDelivered() const	{ return seq_delivered_in_lines; }
+
+	u_char* buf;	// where we build up the body of the request
+	int offset;	// where we are in buf
+	int buf_len;	// how big buf is, total
+	unsigned int last_char;	// last (non-option) character scanned
+
+	int seq;	// last seq number
+	int seq_to_skip;
+
+	// Seq delivered up to through NewLine() -- it is adjusted
+	// *before* NewLine() is called.
+	int seq_delivered_in_lines;
+
+	// Number of bytes to be skipped after this line. See
+	// comments in SkipBytesAfterThisLine().
+	int skip_pending;
+
+	// Remaining bytes to deliver plain.
+	int plain_delivery_length;
+	int is_plain;
+
+	// Don't deliver further data.
+	int skip_deliveries;
+
+	// If true, flag (first) line with embedded NUL.
+	unsigned int flag_NULs:1;
+
+	// Whether single CR / LF are considered as EOL.
+	unsigned int CR_LF_as_EOL:2;
+
+	// Whether to skip partial conns.
+	unsigned int skip_partial:1;
+};
+
+#endif
diff --git a/src/Continuation.h b/src/Continuation.h
new file mode 100644
index 0000000000..bde07203a9
--- /dev/null
+++ b/src/Continuation.h
@@ -0,0 +1,61 @@
+// $Id: Continuation.h 2698 2006-04-03 05:50:52Z vern $
+//
+// Helper class to implement continuation-like mechanisms for
+// suspending/resuming tasks for incremental operation.
+//
+// TODO: - Document how to use this.
+//       - Find some nice macro-based interface?
+
+#ifndef continuation_h
+#define continuation_h
+
+#include "List.h"
+
+class Continuation {
+public:
+	Continuation()	{ current_level = 0; suspend_level = -1; }
+
+	// Returns true if we're called for the first time.
+	bool NewInstance() const
+		{ return suspend_level < current_level; }
+
+	// Returns true if a function called by us has suspended itself.
+	bool ChildSuspended() const
+		{ return suspend_level > current_level;  }
+
+	// Returns true if we have suspended before and are now called again to
+	// resume our operation.
+	bool Resuming() const
+		{ return suspend_level == current_level; }
+
+	// To be called just before we suspend operation for the time being.
+	void Suspend()
+		{ suspend_level = current_level; }
+
+	// To be called right after we resumed operation.
+	void Resume()
+		{ suspend_level = -1; }
+
+	// If we call a function which may suspend itself, we need to
+	// enclose the call with calls to SaveContext() and RestoreContext().
+	void SaveContext()		{ ++current_level; }
+	void RestoreContext()		{ --current_level; }
+
+	// We can store some user state which can be retrieved later.
+	void SaveState(void* user_ptr)
+		{ states.replace(current_level, user_ptr); }
+
+	void* RestoreState() const
+		{ return states[current_level]; }
+
+private:
+	int current_level;
+	int suspend_level;
+
+	declare(PList, void);
+	typedef PList(void) voidp_list;
+
+	voidp_list states;
+};
+
+#endif
diff --git a/src/DCE_RPC.cc b/src/DCE_RPC.cc
new file mode 100644
index 0000000000..fe163f2632
--- /dev/null
+++ b/src/DCE_RPC.cc
@@ -0,0 +1,590 @@
+// $Id: DCE_RPC.cc 6916 2009-09-24 20:48:36Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "config.h"
+
+#include <stdlib.h>
+#include <string>
+#include <map>
+
+using namespace std;
+
+#include "DCE_RPC.h"
+#include "Sessions.h"
+#include "DPM.h"
+
+#define xbyte(b, n) (((const u_char*) (b))[n])
+
+#define extract_uint16(little_endian, bytes) \
+	((little_endian) ? \
+	 uint16(xbyte(bytes, 0)) | ((uint16(xbyte(bytes, 1))) << 8) : \
+	 uint16(xbyte(bytes, 1)) | ((uint16(xbyte(bytes, 0))) << 8))
+
+static int uuid_index[] = {
+	3, 2, 1, 0,
+	5, 4, 7, 6,
+	8, 9, 10, 11,
+	12, 13, 14, 15
+};
+
+const char* uuid_to_string(const u_char* uuid_data)
+	{
+	static char s[1024];
+	char* sp = s;
+
+	for ( int i = 0; i < 16; ++i )
+		{
+		if ( i == 4 || i == 6 || i == 8 || i == 10 )
+			sp += snprintf(sp, s + sizeof(s) - sp, "-");
+
+		int j = uuid_index[i];
+		sp += snprintf(sp, s + sizeof(s) - sp, "%02x", uuid_data[j]);
+		}
+
+	return s;
+	}
+
+UUID::UUID()
+	{
+	memset(data, 0, 16);
+	s = uuid_to_string(data);
+	}
+
+UUID::UUID(const u_char d[16])
+	{
+	memcpy(data, d, 16);
+	s = uuid_to_string(data);
+	}
+
+UUID::UUID(const binpac::bytestring& uuid)
+	{
+	if ( uuid.length() != 16 )
+		internal_error("UUID length error");
+	memcpy(data, uuid.begin(), 16);
+	s = uuid_to_string(data);
+	}
+
+UUID::UUID(const char* str)
+	{
+	s = string(str);
+	const char* sp = str;
+	int i;
+	for ( i = 0; i < 16; ++i )
+		{
+		if ( *sp == '-' )
+			++sp;
+		if ( ! *sp || ! *(sp+1) )
+			break;
+
+		data[uuid_index[i]] =
+			(u_char) (decode_hex(*sp) * 16 + decode_hex(*(sp+1)));
+		}
+
+	if ( i != 16 )
+		internal_error(fmt("invalid UUID string: %s", str));
+	}
+
+typedef map<UUID, BroEnum::dce_rpc_if_id> uuid_map_t;
+
+static uuid_map_t& well_known_uuid_map()
+	{
+	static uuid_map_t the_map;
+	static bool initialized = false;
+
+	if ( initialized )
+		return the_map;
+
+	using namespace BroEnum;
+
+	the_map[UUID("e1af8308-5d1f-11c9-91a4-08002b14a0fa")] = DCE_RPC_epmapper;
+
+	the_map[UUID("afa8bd80-7d8a-11c9-bef4-08002b102989")] = DCE_RPC_mgmt;
+
+	// It's said that the following interfaces are merely aliases.
+	the_map[UUID("12345778-1234-abcd-ef00-0123456789ab")] = DCE_RPC_lsarpc;
+	the_map[UUID("12345678-1234-abcd-ef00-01234567cffb")] = DCE_RPC_netlogon;
+	the_map[UUID("12345778-1234-abcd-ef00-0123456789ac")] = DCE_RPC_samr;
+
+	// The next group of aliases.
+	the_map[UUID("4b324fc8-1670-01d3-1278-5a47bf6ee188")] = DCE_RPC_srvsvc;
+	the_map[UUID("12345678-1234-abcd-ef00-0123456789ab")] = DCE_RPC_spoolss;
+	the_map[UUID("45f52c28-7f9f-101a-b52b-08002b2efabe")] = DCE_RPC_winspipe;
+	the_map[UUID("6bffd098-a112-3610-9833-46c3f87e345a")] = DCE_RPC_wkssvc;
+
+	// DRS - NT directory replication service.
+	the_map[UUID("e3514235-4b06-11d1-ab04-00c04fc2dcd2")] = DCE_RPC_drs;
+
+	// "The IOXIDResolver RPC interface (formerly known as
+	// IObjectExporter) is remotely used to reach the local object
+	// resolver (OR)."
+	the_map[UUID("99fcfec4-5260-101b-bbcb-00aa0021347a")] = DCE_RPC_oxid;
+
+	the_map[UUID("3919286a-b10c-11d0-9ba8-00c04fd92ef5")] = DCE_RPC_lsa_ds;
+
+	the_map[UUID("000001a0-0000-0000-c000-000000000046")] = DCE_RPC_ISCMActivator;
+
+	initialized = true;
+	return the_map;
+	}
+
+// Used to remember mapped DCE/RPC endpoints and parse the follow-up
+// connections as DCE/RPC sessions.
+map<dce_rpc_endpoint_addr, UUID> dce_rpc_endpoints;
+
+static bool is_mapped_dce_rpc_endpoint(const dce_rpc_endpoint_addr& addr)
+	{
+	return dce_rpc_endpoints.find(addr) != dce_rpc_endpoints.end();
+	}
+
+bool is_mapped_dce_rpc_endpoint(const ConnID* id, TransportProto proto)
+	{
+#ifdef BROv6
+	if ( ! is_v4_addr(id->dst_addr) )
+		return false;
+#endif
+	dce_rpc_endpoint_addr addr;
+	addr.addr = ntohl(to_v4_addr(id->dst_addr));
+	addr.port = ntohs(id->dst_port);
+	addr.proto = proto;
+
+	return is_mapped_dce_rpc_endpoint(addr);
+	}
+
+static void add_dce_rpc_endpoint(const dce_rpc_endpoint_addr& addr,
+					const UUID& uuid)
+	{
+	DEBUG_MSG("Adding endpoint %s @ %s\n",
+		uuid.to_string(), addr.to_string().c_str());
+	dce_rpc_endpoints[addr] = uuid;
+
+	// FIXME: Once we can pass the cookie to the analyzer, we can get rid
+	// of the dce_rpc_endpoints table.
+	// FIXME: Don't hard-code the timeout.
+
+	// Convert the address to a v4/v6 address (depending on how
+	// Bro was configured).  This is all based on the address currently
+	// being a 32-bit host-order v4 address.
+	AddrVal a(htonl(addr.addr));
+	const addr_type at = a.AsAddr();
+	dpm->ExpectConnection(0, at, addr.port, addr.proto,
+				AnalyzerTag::DCE_RPC, 5 * 60, 0);
+	}
+
+DCE_RPC_Header::DCE_RPC_Header(Analyzer* a, const u_char* b)
+	{
+	analyzer = a;
+	bytes = b;
+
+	// This checks whether it's both the first fragment *and*
+	// the last fragment.
+	if ( (bytes[3] & 0x3) != 0x3 )
+		{
+		fragmented = 1;
+		Weird("Fragmented DCE/RPC message");
+		}
+	else
+		fragmented = 0;
+
+	ptype = (BroEnum::dce_rpc_ptype) bytes[2];
+	frag_len = extract_uint16(LittleEndian(), bytes + 8);
+	}
+
+DCE_RPC_Session::DCE_RPC_Session(Analyzer* a)
+: analyzer(a),
+  if_uuid("00000000-0000-0000-0000-000000000000"),
+  if_id(BroEnum::DCE_RPC_unknown_if)
+	{
+	opnum = -1;
+	}
+
+bool DCE_RPC_Session::LooksLikeRPC(int len, const u_char* msg)
+	{
+	// if ( ! is_IPC )
+	//	return false;
+
+	try
+		{
+		binpac::DCE_RPC_Simple::DCE_RPC_Header h;
+		h.Parse(msg, msg + len);
+		if ( h.rpc_vers() == 5 && h.rpc_vers_minor() == 0 )
+			{
+			if ( h.frag_length() == len )
+				return true;
+			else
+				{
+				DEBUG_MSG("length mismatch: %d != %d\n",
+					h.frag_length(), len);
+				return false;
+				}
+			}
+		}
+	catch ( const binpac::Exception& )
+		{
+		// do nothing
+		}
+
+	return false;
+	}
+
+void DCE_RPC_Session::DeliverPDU(int is_orig, int len, const u_char* data)
+	{
+	if ( dce_rpc_message )
+		{
+		val_list* vl = new val_list;
+		vl->append(analyzer->BuildConnVal());
+		vl->append(new Val(is_orig, TYPE_BOOL));
+		vl->append(new EnumVal(data[2], enum_dce_rpc_ptype));
+		vl->append(new StringVal(len, (const char*) data));
+
+		analyzer->ConnectionEvent(dce_rpc_message, vl);
+		}
+
+	try
+		{
+		// TODO: handle incremental input
+		binpac::DCE_RPC_Simple::DCE_RPC_PDU pdu;
+		pdu.Parse(data, data + len);
+
+		switch ( pdu.header()->PTYPE() ) {
+		case binpac::DCE_RPC_Simple::DCE_RPC_BIND:
+		case binpac::DCE_RPC_Simple::DCE_RPC_ALTER_CONTEXT:
+			DeliverBind(&pdu);
+			break;
+
+		case binpac::DCE_RPC_Simple::DCE_RPC_REQUEST:
+			DeliverRequest(&pdu);
+			break;
+
+		case binpac::DCE_RPC_Simple::DCE_RPC_RESPONSE:
+			DeliverResponse(&pdu);
+			break;
+		}
+		}
+	catch ( const binpac::Exception& e )
+		{
+		analyzer->Weird(e.msg().c_str());
+		}
+	}
+
+void DCE_RPC_Session::DeliverBind(const binpac::DCE_RPC_Simple::DCE_RPC_PDU* pdu)
+	{
+	binpac::DCE_RPC_Simple::DCE_RPC_Bind* bind = pdu->body()->bind();
+
+	for ( int i = 0; i < bind->p_context_elem()->n_context_elem(); ++i )
+		{
+		binpac::DCE_RPC_Simple::p_cont_elem_t* elem =
+			(*bind->p_context_elem()->p_cont_elem())[i];
+
+		if_uuid = UUID(elem->abstract_syntax()->if_uuid().begin());
+		uuid_map_t::const_iterator uuid_it =
+			well_known_uuid_map().find(if_uuid);
+
+		if ( uuid_it == well_known_uuid_map().end() )
+			{
+#ifdef DEBUG
+			// conn->Weird(fmt("Unknown DCE_RPC interface %s",
+			// 		if_uuid.to_string()));
+#endif
+			if_id = BroEnum::DCE_RPC_unknown_if;
+			}
+		else
+			if_id = uuid_it->second;
+
+		if ( dce_rpc_bind )
+			{
+			val_list* vl = new val_list;
+			vl->append(analyzer->BuildConnVal());
+			vl->append(new StringVal(if_uuid.to_string()));
+			// vl->append(new EnumVal(if_id, enum_dce_rpc_if_id));
+
+			analyzer->ConnectionEvent(dce_rpc_bind, vl);
+			}
+		}
+	}
+
+void DCE_RPC_Session::DeliverRequest(const binpac::DCE_RPC_Simple::DCE_RPC_PDU* pdu)
+	{
+	binpac::DCE_RPC_Simple::DCE_RPC_Request* req = pdu->body()->request();
+
+	opnum = req->opnum();
+
+	if ( dce_rpc_request )
+		{
+		val_list* vl = new val_list;
+		vl->append(analyzer->BuildConnVal());
+		vl->append(new Val(opnum, TYPE_COUNT));
+		vl->append(new StringVal(req->stub().length(),
+			(const char*) req->stub().begin()));
+
+		analyzer->ConnectionEvent(dce_rpc_request, vl);
+		}
+
+	switch ( if_id ) {
+	case BroEnum::DCE_RPC_epmapper:
+		DeliverEpmapperRequest(pdu, req);
+		break;
+
+	default:
+		break;
+	}
+	}
+
+void DCE_RPC_Session::DeliverResponse(const binpac::DCE_RPC_Simple::DCE_RPC_PDU* pdu)
+	{
+	binpac::DCE_RPC_Simple::DCE_RPC_Response* resp = pdu->body()->response();
+
+	if ( dce_rpc_response )
+		{
+		val_list* vl = new val_list;
+		vl->append(analyzer->BuildConnVal());
+		vl->append(new Val(opnum, TYPE_COUNT));
+		vl->append(new StringVal(resp->stub().length(),
+			(const char*) resp->stub().begin()));
+		analyzer->ConnectionEvent(dce_rpc_response, vl);
+		}
+
+	switch ( if_id ) {
+	case BroEnum::DCE_RPC_epmapper:
+		DeliverEpmapperResponse(pdu, resp);
+		break;
+
+	default:
+		break;
+	}
+	}
+
+void DCE_RPC_Session::DeliverEpmapperRequest(
+	const binpac::DCE_RPC_Simple::DCE_RPC_PDU* /* pdu */,
+	const binpac::DCE_RPC_Simple::DCE_RPC_Request* /* req */)
+	{
+	// DEBUG_MSG("Epmapper request opnum = %d\n", req->opnum());
+	// ### TODO(rpang): generate an event on epmapper request
+	}
+
+void DCE_RPC_Session::DeliverEpmapperResponse(
+	const binpac::DCE_RPC_Simple::DCE_RPC_PDU* pdu,
+	const binpac::DCE_RPC_Simple::DCE_RPC_Response* resp)
+	{
+	// DEBUG_MSG("Epmapper request opnum = %d\n", req->opnum());
+	switch ( opnum ) {
+	case 3:	// Map
+		DeliverEpmapperMapResponse(pdu, resp);
+		break;
+	}
+	}
+
+
+void DCE_RPC_Session::DeliverEpmapperMapResponse(
+	const binpac::DCE_RPC_Simple::DCE_RPC_PDU* pdu,
+	const binpac::DCE_RPC_Simple::DCE_RPC_Response* resp)
+	{
+	try
+		{
+		binpac::DCE_RPC_Simple::epmapper_map_resp epm_resp;
+
+		epm_resp.Parse(resp->stub().begin(), resp->stub().end(),
+				pdu->byteorder());
+
+		for ( unsigned int twr_i = 0;
+		      twr_i < epm_resp.towers()->actual_count(); ++twr_i )
+			{
+			binpac::DCE_RPC_Simple::epm_tower* twr =
+				(*epm_resp.towers()->towers())[twr_i]->tower();
+
+			mapped.addr = dce_rpc_endpoint_addr();
+			mapped.uuid = UUID();
+
+			for ( int floor_i = 0; floor_i < twr->num_floors();
+			      ++floor_i )
+				{
+				binpac::DCE_RPC_Simple::epm_floor* floor =
+						(*twr->floors())[floor_i];
+
+				switch ( floor->protocol() ) {
+				case binpac::DCE_RPC_Simple::EPM_PROTOCOL_UUID:
+					if ( floor_i == 0 )
+						mapped.uuid = UUID(floor->lhs()->data()->uuid()->if_uuid());
+					break;
+
+				case binpac::DCE_RPC_Simple::EPM_PROTOCOL_TCP:
+					mapped.addr.port =
+						floor->rhs()->data()->tcp();
+					mapped.addr.proto = TRANSPORT_TCP;
+					break;
+
+				case binpac::DCE_RPC_Simple::EPM_PROTOCOL_UDP:
+					mapped.addr.port =
+						floor->rhs()->data()->udp();
+					mapped.addr.proto = TRANSPORT_UDP;
+					break;
+
+				case binpac::DCE_RPC_Simple::EPM_PROTOCOL_IP:
+					mapped.addr.addr =
+						floor->rhs()->data()->ip();
+					break;
+				}
+				}
+
+			if ( mapped.addr.is_valid_addr() )
+				add_dce_rpc_endpoint(mapped.addr, mapped.uuid);
+
+			if ( epm_map_response )
+				{
+				val_list* vl = new val_list;
+				vl->append(analyzer->BuildConnVal());
+				vl->append(new StringVal(mapped.uuid.to_string()));
+				vl->append(new PortVal(mapped.addr.port, mapped.addr.proto));
+				vl->append(new AddrVal(htonl(mapped.addr.addr)));
+
+				analyzer->ConnectionEvent(epm_map_response, vl);
+				}
+			}
+		}
+	catch ( const binpac::Exception& e )
+		{
+		analyzer->Weird(e.msg().c_str());
+		}
+	}
+
+Contents_DCE_RPC_Analyzer::Contents_DCE_RPC_Analyzer(Connection* conn,
+		bool orig, DCE_RPC_Session* arg_session, bool speculative)
+: TCP_SupportAnalyzer(AnalyzerTag::Contents_DCE_RPC, conn, orig)
+	{
+	session = arg_session;
+	msg_buf = 0;
+	buf_len = 0;
+	speculation = speculative ? 0 : 1;
+
+	InitState();
+	}
+
+void Contents_DCE_RPC_Analyzer::InitState()
+	{
+	// Allocate space for header.
+	if ( ! msg_buf )
+		{
+		buf_len = DCE_RPC_HEADER_LENGTH;
+		msg_buf = new u_char[buf_len];
+		}
+
+	buf_n = 0;
+	msg_len = 0;
+	hdr = 0;
+	}
+
+Contents_DCE_RPC_Analyzer::~Contents_DCE_RPC_Analyzer()
+	{
+	delete [] msg_buf;
+	delete hdr;
+	}
+
+void Contents_DCE_RPC_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
+	{
+	TCP_SupportAnalyzer::DeliverStream(len, data, orig);
+
+	TCP_Analyzer* tcp =
+		static_cast<TCP_ApplicationAnalyzer*>(Parent())->TCP();
+
+	if ( tcp->HadGap(orig) || tcp->IsPartial() )
+		return;
+
+	if ( speculation == 0 ) // undecided
+		{
+		if ( ! DCE_RPC_Session::LooksLikeRPC(len, data) )
+			speculation = -1;
+		else
+			speculation = 1;
+		}
+
+	if ( speculation < 0 )
+		return;
+
+	ASSERT(buf_len >= DCE_RPC_HEADER_LENGTH);
+	while ( len > 0 )
+		{
+		if ( buf_n < DCE_RPC_HEADER_LENGTH )
+			{
+			while ( buf_n < DCE_RPC_HEADER_LENGTH && len > 0 )
+				{
+				msg_buf[buf_n] = *data;
+				++buf_n; ++data; --len;
+				}
+
+			if ( buf_n < DCE_RPC_HEADER_LENGTH )
+				break;
+			else
+				{
+				if ( ! ParseHeader() )
+					return;
+				}
+			}
+
+		while ( buf_n < msg_len && len > 0 )
+			{
+			msg_buf[buf_n] = *data;
+			++buf_n; ++data; --len;
+			}
+
+		if ( buf_n < msg_len )
+			break;
+		else
+			{
+			if ( msg_len > 0 )
+				DeliverPDU(msg_len, msg_buf);
+			// Reset for next message
+			InitState();
+			}
+		}
+	}
+
+void Contents_DCE_RPC_Analyzer::DeliverPDU(int len, const u_char* data)
+	{
+	session->DeliverPDU(IsOrig(), len, data);
+	}
+
+bool Contents_DCE_RPC_Analyzer::ParseHeader()
+	{
+	delete hdr;
+	hdr = 0;
+
+	if ( msg_buf[0] != 5 )	// DCE/RPC version
+		{
+		Conn()->Weird("DCE/RPC_version_error (non-DCE/RPC?)");
+		Conn()->SetSkip(1);
+		msg_len = 0;
+		return false;
+		}
+
+	hdr = new DCE_RPC_Header(this, msg_buf);
+
+	msg_len = hdr->FragLen();
+	if ( msg_len > buf_len )
+		{
+		u_char* new_msg_buf = new u_char[msg_len];
+		memcpy(new_msg_buf, msg_buf, buf_n);
+		delete [] msg_buf;
+		buf_len = msg_len;
+		msg_buf = new_msg_buf;
+		hdr->SetBytes(new_msg_buf);
+		}
+
+	return true;
+	}
+
+DCE_RPC_Analyzer::DCE_RPC_Analyzer(Connection* conn, bool arg_speculative)
+: TCP_ApplicationAnalyzer(AnalyzerTag::DCE_RPC, conn)
+	{
+	session = new DCE_RPC_Session(this);
+	speculative = arg_speculative;
+
+	AddSupportAnalyzer(new Contents_DCE_RPC_Analyzer(conn, true, session,
+								speculative));
+	AddSupportAnalyzer(new Contents_DCE_RPC_Analyzer(conn, false, session,
+								speculative));
+	}
+
+DCE_RPC_Analyzer::~DCE_RPC_Analyzer()
+	{
+	delete session;
+	}
diff --git a/src/DCE_RPC.h b/src/DCE_RPC.h
new file mode 100644
index 0000000000..4e13443148
--- /dev/null
+++ b/src/DCE_RPC.h
@@ -0,0 +1,189 @@
+// $Id: DCE_RPC.h 6219 2008-10-01 05:39:07Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#ifndef dce_rpc_h
+#define dce_rpc_h
+
+// NOTE: This is a somewhat crude analyzer for DCE/RPC (used on Microsoft
+// Windows systems) and shouldn't be considered as stable.
+
+#include "NetVar.h"
+#include "TCP.h"
+
+#include "dce_rpc_simple_pac.h"
+
+class UUID {
+public:
+	UUID();
+	UUID(const u_char data[16]);
+	UUID(const binpac::bytestring &uuid);
+	UUID(const char* s);
+
+	const char* to_string() const	{ return s.c_str(); }
+	const string& str() const	{ return s; }
+	bool operator==(const UUID& u) const
+		{ return s == u.str(); }
+	bool operator<(const UUID& u) const
+		{ return s < u.str(); }
+
+protected:
+	u_char data[16];
+	string s;
+};
+
+const char* uuid_to_string(const u_char* uuid_data);
+
+struct dce_rpc_endpoint_addr {
+	// All fields are in host byteorder.
+	uint32 addr;
+	u_short port;
+	TransportProto proto;
+
+	dce_rpc_endpoint_addr()
+		{
+		addr = 0;
+		port = 0;
+		proto = TRANSPORT_UNKNOWN;
+		}
+
+	bool is_valid_addr() const
+		{ return addr != 0 && port != 0 && proto != TRANSPORT_UNKNOWN; }
+
+	bool operator<(dce_rpc_endpoint_addr const &e) const
+		{
+		if ( addr != e.addr )
+			return addr < e.addr;
+		if ( proto != e.proto )
+			return proto < e.proto;
+		if ( port != e.port )
+			return port < e.port;
+
+		return false;
+		}
+
+	string to_string() const
+		{
+		static char buf[128];
+		snprintf(buf, sizeof(buf), "%s/%d/%s",
+			dotted_addr(htonl(addr)), port,
+			proto == TRANSPORT_TCP ? "tcp" :
+			(proto == TRANSPORT_UDP ? "udp" : "?"));
+
+		return string(buf);
+		}
+};
+
+/*
+enum DCE_RPC_PTYPE {
+	DCE_RPC_REQUEST, DCE_RPC_PING, DCE_RPC_RESPONSE, DCE_RPC_FAULT,
+	DCE_RPC_WORKING, DCE_RPC_NOCALL, DCE_RPC_REJECT, DCE_RPC_ACK,
+	DCE_RPC_CL_CANCEL, DCE_RPC_FACK, DCE_RPC_CANCEL_ACK, DCE_RPC_BIND,
+	DCE_RPC_BIND_ACK, DCE_RPC_BIND_NAK, DCE_RPC_ALTER_CONTEXT,
+	DCE_RPC_ALTER_CONTEXT_RESP, DCE_RPC_SHUTDOWN, DCE_RPC_CO_CANCEL,
+	DCE_RPC_ORPHANED,
+};
+*/
+
+#define DCE_RPC_HEADER_LENGTH 16
+
+class DCE_RPC_Header {
+public:
+	DCE_RPC_Header(Analyzer* a, const u_char* bytes);
+
+	BroEnum::dce_rpc_ptype PTYPE() const	{ return ptype; }
+	int FragLen() const		{ return frag_len; }
+	int LittleEndian() const	{ return bytes[4] >> 4; }
+	bool Fragmented() const		{ return fragmented; }
+
+	void Weird(const char* msg)	{ analyzer->Weird(msg); }
+	void SetBytes(const u_char* b)	{ bytes = b; }
+
+protected:
+	Analyzer* analyzer;
+	const u_char* bytes;
+	BroEnum::dce_rpc_ptype ptype;
+	int frag_len;
+	bool fragmented;
+};
+
+// Create a general DCE_RPC_Session class so that it can be used in
+// case the RPC conversation is tunneled through other connections,
+// e.g. through an SMB session.
+
+class DCE_RPC_Session {
+public:
+	DCE_RPC_Session(Analyzer* a);
+	virtual ~DCE_RPC_Session() {}
+	virtual void DeliverPDU(int is_orig, int len, const u_char* data);
+
+	static bool LooksLikeRPC(int len, const u_char* msg);
+	static bool any_dce_rpc_event()
+		{ return dce_rpc_message || dce_rpc_bind || dce_rpc_request; }
+
+protected:
+	void DeliverBind(const binpac::DCE_RPC_Simple::DCE_RPC_PDU* pdu);
+	void DeliverRequest(const binpac::DCE_RPC_Simple::DCE_RPC_PDU* pdu);
+	void DeliverResponse(const binpac::DCE_RPC_Simple::DCE_RPC_PDU* pdu);
+
+	void DeliverEpmapperRequest(
+			const binpac::DCE_RPC_Simple::DCE_RPC_PDU* pdu,
+			const binpac::DCE_RPC_Simple::DCE_RPC_Request* req);
+	void DeliverEpmapperResponse(
+			const binpac::DCE_RPC_Simple::DCE_RPC_PDU* pdu,
+			const binpac::DCE_RPC_Simple::DCE_RPC_Response* resp);
+	void DeliverEpmapperMapResponse(
+			const binpac::DCE_RPC_Simple::DCE_RPC_PDU* pdu,
+			const binpac::DCE_RPC_Simple::DCE_RPC_Response* resp);
+
+	Analyzer* analyzer;
+	UUID if_uuid;
+	BroEnum::dce_rpc_if_id if_id;
+	int opnum;
+	struct {
+		dce_rpc_endpoint_addr addr;
+		UUID uuid;
+	} mapped;
+};
+
+class Contents_DCE_RPC_Analyzer : public TCP_SupportAnalyzer {
+public:
+	Contents_DCE_RPC_Analyzer(Connection* conn, bool orig, DCE_RPC_Session* session,
+		bool speculative);
+	~Contents_DCE_RPC_Analyzer();
+
+protected:
+	virtual void DeliverStream(int len, const u_char* data, bool orig);
+	virtual void DeliverPDU(int len, const u_char* data);
+
+	void InitState();
+
+	int speculation;
+	u_char* msg_buf;
+	int msg_len;
+	int buf_n;	// number of bytes in msg_buf
+	int buf_len;	// size off msg_buf
+	DCE_RPC_Header* hdr;
+
+	bool ParseHeader();
+
+	DCE_RPC_Session* session;
+};
+
+class DCE_RPC_Analyzer : public TCP_ApplicationAnalyzer {
+public:
+	DCE_RPC_Analyzer(Connection* conn, bool speculative = false);
+	~DCE_RPC_Analyzer();
+
+	static Analyzer* InstantiateAnalyzer(Connection* conn)
+		{ return new DCE_RPC_Analyzer(conn); }
+
+	static bool Available()
+		{ return DCE_RPC_Session::any_dce_rpc_event(); }
+
+protected:
+	DCE_RPC_Session* session;
+	bool speculative;
+};
+
+#endif /* dce_rpc_h */
diff --git a/src/DFA.cc b/src/DFA.cc
new file mode 100644
index 0000000000..57ea87335e
--- /dev/null
+++ b/src/DFA.cc
@@ -0,0 +1,625 @@
+// $Id: DFA.cc 6219 2008-10-01 05:39:07Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "config.h"
+
+#include "EquivClass.h"
+#include "DFA.h"
+#include "md5.h"
+
+int dfa_state_cache_size = 10000;
+
+unsigned int DFA_State::transition_counter = 0;
+
+DFA_State::DFA_State(int arg_state_num, const EquivClass* ec,
+			NFA_state_list* arg_nfa_states,
+			AcceptingSet* arg_accept)
+	{
+	state_num = arg_state_num;
+	num_sym = ec->NumClasses();
+	nfa_states = arg_nfa_states;
+	accept = arg_accept;
+	mark = 0;
+	lock = 0;
+
+	SymPartition(ec);
+
+	xtions = new DFA_State_Handle*[num_sym];
+
+	for ( int i = 0; i < num_sym; ++i )
+		xtions[i] = DFA_UNCOMPUTED_STATE_PTR;
+	}
+
+DFA_State::~DFA_State()
+	{
+	for ( int i = 0; i < num_sym; ++i )
+		{
+		DFA_State_Handle* s = xtions[i];
+		if ( s && s != DFA_UNCOMPUTED_STATE_PTR )
+			StateUnref(s);
+		}
+
+	delete [] xtions;
+	delete nfa_states;
+	delete accept;
+	delete meta_ec;
+	}
+
+void DFA_State::AddXtion(int sym, DFA_State_Handle* next_state)
+	{
+	// The order is important here: first StateRef() the new,
+	// then StateUnref() the old.  Otherwise, we may get a problem
+	// if both are equal.
+
+	if ( next_state )
+		StateRef(next_state);
+
+	if ( xtions[sym] && xtions[sym] != DFA_UNCOMPUTED_STATE_PTR )
+		StateUnref(xtions[sym]);
+
+	xtions[sym] = next_state;
+	}
+
+void DFA_State::SymPartition(const EquivClass* ec)
+	{
+	// Partitioning is done by creating equivalence classes for those
+	// characters which have out-transitions from the given state.  Thus
+	// we are really creating equivalence classes of equivalence classes.
+	meta_ec = new EquivClass(ec->NumClasses());
+
+	assert(nfa_states);
+	for ( int i = 0; i < nfa_states->length(); ++i )
+		{
+		NFA_State* n = (*nfa_states)[i];
+		int sym = n->TransSym();
+
+		if ( sym == SYM_EPSILON )
+			continue;
+
+		if ( sym != SYM_CCL )
+			{ // character transition
+			if ( ec->IsRep(sym) )
+				{
+				sym = ec->SymEquivClass(sym);
+				meta_ec->UniqueChar(sym);
+				}
+			continue;
+			}
+
+		// Character class.
+		meta_ec->CCL_Use(n->TransCCL());
+		}
+
+	meta_ec->BuildECs();
+	}
+
+DFA_State_Handle* DFA_State::ComputeXtion(int sym, DFA_Machine* machine)
+	{
+	// Make sure we will not expire...
+	assert(IsLocked());
+
+	int equiv_sym = meta_ec->EquivRep(sym);
+	if ( xtions[equiv_sym] != DFA_UNCOMPUTED_STATE_PTR &&
+	     StateIsValid(xtions[equiv_sym]) )
+		{
+		AddXtion(sym, xtions[equiv_sym]);
+		return xtions[sym];
+		}
+
+	const EquivClass* ec = machine->EC();
+
+	DFA_State_Handle* next_d;
+
+	NFA_state_list* ns = SymFollowSet(equiv_sym, ec);
+	if ( ns->length() > 0 )
+		{
+		NFA_state_list* state_set = epsilon_closure(ns);
+		if ( ! machine->StateSetToDFA_State(state_set, next_d, ec) )
+			delete state_set;
+		}
+	else
+		{
+		delete ns;
+		next_d = 0;	// Jam
+		}
+
+	AddXtion(equiv_sym, next_d);
+	if ( sym != equiv_sym )
+		AddXtion(sym, next_d);
+
+	return xtions[sym];
+	}
+
+void DFA_State::AppendIfNew(int sym, int_list* sym_list)
+	{
+	for ( int i = 0; i < sym_list->length(); ++i )
+		if ( (*sym_list)[i] == sym )
+			return;
+
+	sym_list->append(sym);
+	}
+
+NFA_state_list* DFA_State::SymFollowSet(int ec_sym, const EquivClass* ec)
+	{
+	NFA_state_list* ns = new NFA_state_list;
+
+	assert(nfa_states);
+
+	for ( int i = 0; i < nfa_states->length(); ++i )
+		{
+		NFA_State* n = (*nfa_states)[i];
+
+		if ( n->TransSym() == SYM_CCL )
+			{ // it's a character class
+			CCL* ccl = n->TransCCL();
+			int_list* syms = ccl->Syms();
+
+			if ( ccl->IsNegated() )
+				{
+				int j;
+				for ( j = 0; j < syms->length(); ++j )
+					{
+					// Loop through (sorted) negated
+					// character class, which has
+					// presumably already been converted
+					// over to equivalence classes.
+					if ( (*syms)[j] >= ec_sym )
+						break;
+					}
+
+				if ( j >= syms->length() || (*syms)[j] > ec_sym )
+					// Didn't find ec_sym in ccl.
+					n->AddXtionsTo(ns);
+
+				continue;
+				}
+
+			for ( int j = 0; j < syms->length(); ++j )
+				{
+				if ( (*syms)[j] > ec_sym )
+					break;
+
+				if ( (*syms)[j] == ec_sym )
+					{
+					n->AddXtionsTo(ns);
+					break;
+					}
+				}
+			}
+
+		else if ( n->TransSym() == SYM_EPSILON )
+			{ // do nothing
+			}
+
+		else if ( ec->IsRep(n->TransSym()) )
+			{
+			if ( ec_sym == ec->SymEquivClass(n->TransSym()) )
+				n->AddXtionsTo(ns);
+			}
+		}
+
+	ns->resize(0);
+	return ns;
+	}
+
+void DFA_State::ClearMarks()
+	{
+	if ( mark )
+		{
+		SetMark(0);
+
+		for ( int i = 0; i < num_sym; ++i )
+			{
+			DFA_State_Handle* s = xtions[i];
+
+			if ( s && s != DFA_UNCOMPUTED_STATE_PTR )
+				(*xtions[i])->ClearMarks();
+			}
+		}
+	}
+
+void DFA_State::Describe(ODesc* d) const
+	{
+	d->Add("DFA state");
+	}
+
+void DFA_State::Dump(FILE* f, DFA_Machine* m)
+	{
+	if ( mark )
+		return;
+
+	fprintf(f, "\nDFA state %d:", StateNum());
+
+	if ( accept )
+		{
+		for ( int i = 0; i < accept->length(); ++i )
+			fprintf(f, "%s accept #%d",
+				i > 0 ? "," : "", int((*accept)[i]));
+		}
+
+	fprintf(f, "\n");
+
+	int num_trans = 0;
+	for ( int sym = 0; sym < num_sym; ++sym )
+		{
+		DFA_State_Handle* s = xtions[sym];
+
+		if ( ! s )
+			continue;
+
+		// Look ahead for compression.
+		int i;
+		for ( i = sym + 1; i < num_sym; ++i )
+			if ( xtions[i] != s )
+				break;
+
+		char xbuf[512];
+
+		int r = m->Rep(sym);
+		if ( ! r )
+			r = '.';
+
+		if ( i == sym + 1 )
+			sprintf(xbuf, "'%c'", r);
+		else
+			sprintf(xbuf, "'%c'-'%c'", r, m->Rep(i-1));
+
+		if ( s == DFA_UNCOMPUTED_STATE_PTR )
+			fprintf(f, "%stransition on %s to <uncomputed>",
+				++num_trans == 1 ? "\t" : "\n\t", xbuf);
+		else
+			fprintf(f, "%stransition on %s to state %d",
+				++num_trans == 1 ? "\t" : "\n\t", xbuf,
+				(*s)->StateNum());
+
+		sym = i - 1;
+		}
+
+	if ( num_trans > 0 )
+		fprintf(f, "\n");
+
+	SetMark(this);
+
+	for ( int sym = 0; sym < num_sym; ++sym )
+		{
+		DFA_State_Handle* s = xtions[sym];
+
+		if ( s && s != DFA_UNCOMPUTED_STATE_PTR )
+			(*s)->Dump(f, m);
+		}
+	}
+
+void DFA_State::Stats(unsigned int* computed, unsigned int* uncomputed)
+	{
+	for ( int sym = 0; sym < num_sym; ++sym )
+		{
+		DFA_State_Handle* s = xtions[sym];
+
+		if ( s == DFA_UNCOMPUTED_STATE_PTR )
+			(*uncomputed)++;
+		else
+			(*computed)++;
+		}
+	}
+
+unsigned int DFA_State::Size()
+	{
+	return sizeof(*this)
+		+ pad_size(sizeof(DFA_State*) * num_sym)
+		+ (accept ? pad_size(sizeof(int) * accept->length()) : 0)
+		+ (nfa_states ? pad_size(sizeof(NFA_State*) * nfa_states->length()) : 0)
+		+ (meta_ec ? meta_ec->Size() : 0)
+		+ (centry ? padded_sizeof(CacheEntry) : 0);
+	}
+
+
+DFA_State_Cache::DFA_State_Cache(int arg_maxsize)
+	{
+	maxsize = arg_maxsize;
+	head = tail = 0;
+	hits = misses = 0;
+	}
+
+DFA_State_Cache::~DFA_State_Cache()
+	{
+	IterCookie* i = states.InitForIteration();
+	CacheEntry* e;
+	while ( (e = (CacheEntry*) states.NextEntry(i)) )
+		{
+		assert(e->state);
+		StateInvalidate(e->state);
+		delete e->hash;
+		delete e;
+		}
+	}
+
+DFA_State_Handle* DFA_State_Cache::Lookup(const NFA_state_list& nfas,
+						HashKey** hash)
+	{
+	// We assume that state ID's don't exceed 10 digits, plus
+	// we allow one more character for the delimiter.
+	md5_byte_t id_tag[nfas.length() * 11 + 1];
+	md5_byte_t* p = id_tag;
+
+	for ( int i = 0; i < nfas.length(); ++i )
+		{
+		NFA_State* n = nfas[i];
+		if ( n->TransSym() != SYM_EPSILON || n->Accept() != NO_ACCEPT )
+			{
+			int id = n->ID();
+			do
+				{
+				*p++ = '0' + (char)(id % 10);
+				id /= 10;
+				}
+			while ( id > 0 );
+			*p++ = '&';
+			}
+		}
+
+	*p++ = '\0';
+
+	// We use the short MD5 instead of the full string for the
+	// HashKey because the data is copied into the key.
+	md5_state_t state;
+	md5_byte_t digest[16];
+
+	md5_init(&state);
+	md5_append(&state, id_tag, p - id_tag);
+	md5_finish(&state, digest);
+
+	*hash = new HashKey(&digest, sizeof(digest));
+	CacheEntry* e = states.Lookup(*hash);
+	if ( ! e )
+		{
+		++misses;
+		return 0;
+		}
+
+	delete *hash;
+	*hash = 0;
+
+	MoveToFront(e);
+
+	return e->state;
+	}
+
+DFA_State_Handle* DFA_State_Cache::Insert(DFA_State* state, HashKey* hash)
+	{
+	CacheEntry* e;
+
+#ifdef EXPIRE_DFA_STATES
+	if ( states.Length() == maxsize )
+		{
+		// Remove oldest unlocked entry.
+		for ( e = tail; e; e = e->prev )
+			if ( ! (*e->state)->lock )
+				break;
+		if ( e )
+			Remove(e);
+		}
+#endif
+
+	e = new CacheEntry;
+
+#ifdef EXPIRE_DFA_STATES
+	// Insert as head.
+	e->state = new DFA_State_Handle(state);
+	e->state->state->centry = e;
+#else
+	e->state = state;
+	e->state->centry = e;
+#endif
+	e->hash = hash;
+	e->prev = 0;
+	e->next = head;
+	if ( head )
+		head->prev = e;
+	head = e;
+	if ( ! tail )
+		tail = e;
+
+	states.Insert(hash, e);
+
+	return e->state;
+	}
+
+void DFA_State_Cache::Remove(CacheEntry* e)
+	{
+	if ( e == head )
+		{
+		head = e->next;
+		if ( head )
+			head->prev = 0;
+		}
+	else
+		e->prev->next = e->next;
+
+	if ( e == tail )
+		{
+		tail = e->prev;
+		if ( tail )
+			tail->next = 0;
+		}
+	else
+		e->next->prev = e->prev;
+
+	states.Remove(e->hash);
+
+	assert(e->state);
+	StateInvalidate(e->state);
+	delete e->hash;
+	delete e;
+	}
+
+void DFA_State_Cache::MoveToFront(CacheEntry* e)
+	{
+	++hits;
+
+	if ( e->prev )
+		{
+		e->prev->next = e->next;
+
+		if ( e->next )
+			e->next->prev = e->prev;
+		else
+			tail = e->prev;
+
+		e->prev = 0;
+		e->next = head;
+
+		head->prev = e;
+		head = e;
+		}
+	}
+
+void DFA_State_Cache::GetStats(Stats* s)
+	{
+	s->dfa_states = 0;
+	s->nfa_states = 0;
+	s->computed = 0;
+	s->uncomputed = 0;
+	s->mem = 0;
+	s->hits = hits;
+	s->misses = misses;
+
+	CacheEntry* e;
+
+	IterCookie* i = states.InitForIteration();
+	while ( (e = (CacheEntry*) states.NextEntry(i)) )
+		{
+		++s->dfa_states;
+		s->nfa_states += (*e->state)->NFAStateNum();
+		(*e->state)->Stats(&s->computed, &s->uncomputed);
+		s->mem += pad_size((*e->state)->Size()) + padded_sizeof(*e->state);
+		}
+	}
+
+DFA_Machine::DFA_Machine(NFA_Machine* n, EquivClass* arg_ec)
+	{
+	state_count = 0;
+
+	nfa = n; 
+	Ref(n);
+
+	ec = arg_ec;
+
+	dfa_state_cache = new DFA_State_Cache(dfa_state_cache_size);
+
+	NFA_state_list* ns = new NFA_state_list;
+	ns->append(n->FirstState());
+
+	if ( ns->length() > 0 )
+		{
+		NFA_state_list* state_set = epsilon_closure(ns);
+		(void) StateSetToDFA_State(state_set, start_state, ec);
+
+		StateRef(start_state);
+		StateLock(start_state);
+		}
+	else
+		start_state = 0; // Jam
+	}
+
+DFA_Machine::~DFA_Machine()
+	{
+	if ( start_state )
+		{
+		StateUnlock(start_state);
+		StateUnref(start_state);
+		}
+
+	delete dfa_state_cache;
+	Unref(nfa);
+	}
+
+void DFA_Machine::Describe(ODesc* d) const
+	{
+	d->Add("DFA machine");
+	}
+
+void DFA_Machine::Dump(FILE* f)
+	{
+	(*start_state)->Dump(f, this);
+	(*start_state)->ClearMarks();
+	}
+
+void DFA_Machine::DumpStats(FILE* f)
+	{
+	DFA_State_Cache::Stats stats;
+	dfa_state_cache->GetStats(&stats);
+
+	fprintf(f, "Computed dfa_states = %d; Classes = %d; Computed trans. = %d; Uncomputed trans. = %d\n",
+		stats.dfa_states, EC()->NumClasses(),
+		stats.computed, stats.uncomputed);
+
+	fprintf(f, "DFA cache hits = %d; misses = %d\n",
+		stats.hits, stats.misses);
+	}
+
+unsigned int DFA_Machine::MemoryAllocation() const
+	{
+	DFA_State_Cache::Stats s;
+	dfa_state_cache->GetStats(&s);
+
+	// FIXME: Count *ec?
+	return padded_sizeof(*this)
+		+ s.mem
+		+ padded_sizeof(*start_state)
+		+ nfa->MemoryAllocation();
+	}
+
+int DFA_Machine::StateSetToDFA_State(NFA_state_list* state_set,
+				DFA_State_Handle*& d, const EquivClass* ec)
+	{
+	HashKey* hash;
+	d = dfa_state_cache->Lookup(*state_set, &hash);
+
+	assert((! d) || StateIsValid(d));
+	if ( d )
+		return 0;
+
+	AcceptingSet* accept = new AcceptingSet;
+	for ( int i = 0; i < state_set->length(); ++i )
+		{
+		int acc = (*state_set)[i]->Accept();
+
+		if ( acc != NO_ACCEPT )
+			{
+			int j;
+			for ( j = 0; j < accept->length(); ++j )
+				if ( (*accept)[j] == acc )
+					break;
+
+			if ( j >= accept->length() )
+				// It's not already present.
+				accept->append(acc);
+			}
+		}
+
+	if ( accept->length() == 0 )
+		{
+		delete accept;
+		accept = 0;
+		}
+	else
+		{
+		accept->sort(int_list_cmp);
+		accept->resize(0);
+		}
+
+	DFA_State* ds = new DFA_State(state_count++, ec, state_set, accept);
+	d = dfa_state_cache->Insert(ds, hash);
+
+	return 1;
+	}
+
+int DFA_Machine::Rep(int sym)
+	{
+	for ( int i = 0; i < NUM_SYM; ++i )
+		if ( ec->SymEquivClass(i) == sym )
+			return i;
+
+	return -1;
+	}
diff --git a/src/DFA.h b/src/DFA.h
new file mode 100644
index 0000000000..6bf9fd640b
--- /dev/null
+++ b/src/DFA.h
@@ -0,0 +1,304 @@
+// $Id: DFA.h 6219 2008-10-01 05:39:07Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+
+#ifndef dfa_h
+#define dfa_h
+
+#include <assert.h>
+
+// It's possible to use a fixed size cache of computed states for each DFA.
+// If the number of DFA states reaches the given limit, old states are expired
+// on a least-recently-used basis. This may impact the performance significantly
+// if expired states have to be recalculated regularly, but it limits the
+// amount of memory taken by a DFA.
+//
+// Enable by configuring with --with-expire-dfa-states.
+
+class DFA_State;
+
+// The cache marks expired states as invalid.
+#define DFA_INVALID_STATE_PTR ((DFA_State*) -1)
+
+// Transitions to the uncomputed state indicate that we haven't yet
+// computed the state to go to.
+#define DFA_UNCOMPUTED_STATE -2
+#define DFA_UNCOMPUTED_STATE_PTR ((DFA_State_Handle*) DFA_UNCOMPUTED_STATE)
+
+#ifdef EXPIRE_DFA_STATES
+
+class DFA_State_Handle {
+public:
+	// The reference counting keeps track of this *handle* (not the state).
+	void Ref()	{ assert(state); ++refcount; }
+	void Unref()
+		{
+		if ( --refcount == 0 )
+			delete this;
+		}
+
+	inline void Invalidate();
+	bool IsValid() const		{ return state != DFA_INVALID_STATE_PTR; }
+
+	DFA_State* State() const	{ return state; }
+	DFA_State* operator->() const	{ return state; }
+
+protected:
+	friend class DFA_State_Cache;
+
+	DFA_State_Handle(DFA_State* arg_state)
+		{ state = arg_state; refcount = 1; }
+
+	inline ~DFA_State_Handle();
+
+	DFA_State* state;
+	int refcount;
+};
+
+#else
+typedef DFA_State DFA_State_Handle;
+#endif
+
+#include "NFA.h"
+
+extern int dfa_state_cache_size;
+
+class DFA_Machine;
+class DFA_State;
+struct CacheEntry;
+
+class DFA_State : public BroObj {
+public:
+	DFA_State(int state_num, const EquivClass* ec,
+			NFA_state_list* nfa_states, AcceptingSet* accept);
+	~DFA_State();
+
+	int StateNum() const		{ return state_num; }
+	int NFAStateNum() const		{ return nfa_states->length(); }
+	void AddXtion(int sym, DFA_State_Handle* next_state);
+
+	inline DFA_State_Handle* Xtion(int sym, DFA_Machine* machine);
+
+	const AcceptingSet* Accept() const	{ return accept; }
+	void SymPartition(const EquivClass* ec);
+
+	// ec_sym is an equivalence class, not a character.
+	NFA_state_list* SymFollowSet(int ec_sym, const EquivClass* ec);
+
+	void SetMark(DFA_State* m)	{ mark = m; }
+	DFA_State* Mark() const		{ return mark; }
+	void ClearMarks();
+
+	// Returns the equivalence classes of ec's corresponding to this state.
+	const EquivClass* MetaECs() const	{ return meta_ec; }
+
+	void Describe(ODesc* d) const;
+	void Dump(FILE* f, DFA_Machine* m);
+	void Stats(unsigned int* computed, unsigned int* uncomputed);
+	unsigned int Size();
+
+	// Locking a state will keep it from expiring from a cache.
+	void Lock()	{ ++lock; }
+	void Unlock()	{ --lock; }
+
+#ifdef EXPIRE_DFA_STATES
+	bool IsLocked()	{ return lock != 0; }
+#else
+	bool IsLocked()	{ return true; }
+	DFA_State* operator->(){ return this; }
+#endif
+
+protected:
+	friend class DFA_State_Cache;
+
+	DFA_State_Handle* ComputeXtion(int sym, DFA_Machine* machine);
+	void AppendIfNew(int sym, int_list* sym_list);
+
+	int state_num;
+	int num_sym;
+
+	DFA_State_Handle** xtions;
+
+	AcceptingSet* accept;
+	NFA_state_list* nfa_states;
+	EquivClass* meta_ec;	// which ec's make same transition
+	DFA_State* mark;
+	int lock;
+	CacheEntry* centry;
+
+	static unsigned int transition_counter;	// see Xtion()
+};
+
+struct CacheEntry {
+	DFA_State_Handle* state;
+	HashKey* hash;
+	CacheEntry* next;
+	CacheEntry* prev;
+};
+
+class DFA_State_Cache {
+public:
+	DFA_State_Cache(int maxsize);
+	~DFA_State_Cache();
+
+	// If the caller stores the handle, it has to call Ref() on it.
+	DFA_State_Handle* Lookup(const NFA_state_list& nfa_states,
+					HashKey** hash);
+
+	// Takes ownership of both; hash is the one returned by Lookup().
+	DFA_State_Handle* Insert(DFA_State* state, HashKey* hash);
+
+	void MoveToFront(DFA_State* state)	{ MoveToFront(state->centry); }
+
+	int NumEntries() const	{ return states.Length(); }
+
+	struct Stats {
+		unsigned int dfa_states;
+
+		// Sum over all NFA states per DFA state.
+		unsigned int nfa_states;
+		unsigned int computed;
+		unsigned int uncomputed;
+		unsigned int mem;
+		unsigned int hits;
+		unsigned int misses;
+	};
+
+	void GetStats(Stats* s);
+
+private:
+	void Remove(CacheEntry* e);
+	void MoveToFront(CacheEntry* e);
+
+	int maxsize;
+
+	int hits;	// Statistics
+	int misses;
+
+	declare(PDict,CacheEntry);
+
+	// Hash indexed by NFA states (MD5s of them, actually).
+	PDict(CacheEntry) states;
+
+	// List in LRU order.
+	CacheEntry* head;
+	CacheEntry* tail;
+};
+
+declare(PList,DFA_State);
+typedef PList(DFA_State) DFA_state_list;
+
+class DFA_Machine : public BroObj {
+public:
+	DFA_Machine(NFA_Machine* n, EquivClass* ec);
+	DFA_Machine(int** xtion_ptrs, int num_states, int num_ecs,
+			int* acc_array);
+	~DFA_Machine();
+
+	DFA_State_Handle* StartState() const	{ return start_state; }
+
+	int NumStates() const	{ return dfa_state_cache->NumEntries(); }
+
+	DFA_State_Cache* Cache()	{ return dfa_state_cache; }
+
+	int Rep(int sym);
+
+	void Describe(ODesc* d) const;
+	void Dump(FILE* f);
+	void DumpStats(FILE* f);
+
+	unsigned int MemoryAllocation() const;
+
+protected:
+	friend class DFA_State;	// for DFA_State::ComputeXtion
+	friend class DFA_State_Cache;
+
+	int state_count;
+
+	// The state list has to be sorted according to IDs.
+	int StateSetToDFA_State(NFA_state_list* state_set, DFA_State_Handle*& d,
+				const EquivClass* ec);
+	const EquivClass* EC() const	{ return ec; }
+
+	EquivClass* ec;	// equivalence classes corresponding to NFAs
+	DFA_State_Handle* start_state;
+	DFA_State_Cache* dfa_state_cache;
+
+	NFA_Machine* nfa;
+};
+
+#ifdef EXPIRE_DFA_STATES
+
+inline DFA_State_Handle* DFA_State::Xtion(int sym, DFA_Machine* machine)
+	{
+	Lock();
+
+	// This is just a clumsy form of sampling... Instead of moving
+	// the state to the front of our LRU cache on each transition (which
+	// would be quite often) we just do it on every nth transition
+	// (counted across all DFA states). This is based on the observation
+	// that a very few of all states are used most of time.
+	// (currently n=10000; should it be configurable?)
+	if ( transition_counter++ % 10000 == 0 )
+		machine->Cache()->MoveToFront(this);
+
+	DFA_State_Handle* h;
+
+	if ( xtions[sym] == DFA_UNCOMPUTED_STATE_PTR ||
+	     (xtions[sym] && ! xtions[sym]->IsValid()) )
+		h = ComputeXtion(sym, machine);
+	else
+		h = xtions[sym];
+
+	Unlock();
+
+	return h;
+	}
+
+inline DFA_State_Handle::~DFA_State_Handle()
+	{
+	if ( state != DFA_INVALID_STATE_PTR )
+		delete state;
+	}
+
+inline void DFA_State_Handle::Invalidate()
+	{
+	assert(state!=DFA_INVALID_STATE_PTR);
+	delete state;
+	state = DFA_INVALID_STATE_PTR;
+	Unref();
+	}
+
+// Not nice but helps avoiding some overhead in the non-expiration case.
+static inline void StateLock(DFA_State_Handle* s)	{ s->State()->Lock(); }
+static inline void StateUnlock(DFA_State_Handle* s)	{ s->State()->Unlock(); }
+static inline void StateRef(DFA_State_Handle* s)	{ s->Ref(); }
+static inline void StateUnref(DFA_State_Handle* s)	{ s->Unref(); }
+static inline void StateInvalidate(DFA_State_Handle* s)	{ s->Invalidate(); }
+
+static inline bool StateIsValid(DFA_State_Handle* s)
+	{
+	return ! s || s->IsValid();
+	}
+
+#else
+
+inline DFA_State_Handle* DFA_State::Xtion(int sym, DFA_Machine* machine)
+	{
+	if ( xtions[sym] == DFA_UNCOMPUTED_STATE_PTR )
+		return ComputeXtion(sym, machine);
+	else
+		return xtions[sym];
+	}
+
+static inline void StateLock(DFA_State_Handle* s)	{ }
+static inline void StateUnlock(DFA_State_Handle* s)	{ }
+static inline void StateRef(DFA_State_Handle* s)	{ }
+static inline void StateUnref(DFA_State_Handle* s)	{ }
+static inline void StateInvalidate(DFA_State_Handle* s)	{ }
+static inline bool StateIsValid(DFA_State_Handle* s)	{ return true; }
+
+#endif
+
+#endif
diff --git a/src/DHCP-binpac.cc b/src/DHCP-binpac.cc
new file mode 100644
index 0000000000..23149b7837
--- /dev/null
+++ b/src/DHCP-binpac.cc
@@ -0,0 +1,26 @@
+// $Id:$
+
+#include "DHCP-binpac.h"
+
+DHCP_Analyzer_binpac::DHCP_Analyzer_binpac(Connection* conn)
+: Analyzer(AnalyzerTag::DHCP_BINPAC, conn)
+	{
+	interp = new binpac::DHCP::DHCP_Conn(this);
+	}
+
+DHCP_Analyzer_binpac::~DHCP_Analyzer_binpac()
+	{
+	delete interp;
+	}
+
+void DHCP_Analyzer_binpac::Done()
+	{
+	Analyzer::Done();
+	}
+
+void DHCP_Analyzer_binpac::DeliverPacket(int len, const u_char* data,
+			bool orig, int seq, const IP_Hdr* ip, int caplen)
+	{
+	Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
+	interp->NewData(orig, data, data + len);
+	}
diff --git a/src/DHCP-binpac.h b/src/DHCP-binpac.h
new file mode 100644
index 0000000000..d0e93dcfc2
--- /dev/null
+++ b/src/DHCP-binpac.h
@@ -0,0 +1,30 @@
+// $Id:$
+
+#ifndef dhcp_binpac_h
+#define dhcp_binpac_h
+
+#include "UDP.h"
+
+#include "dhcp_pac.h"
+
+
+class DHCP_Analyzer_binpac : public Analyzer {
+public:
+	DHCP_Analyzer_binpac(Connection* conn);
+	virtual ~DHCP_Analyzer_binpac();
+
+	virtual void Done();
+	virtual void DeliverPacket(int len, const u_char* data, bool orig,
+					int seq, const IP_Hdr* ip, int caplen);
+
+	static Analyzer* InstantiateAnalyzer(Connection* conn)
+		{ return new DHCP_Analyzer_binpac(conn); }
+
+	static bool Available()
+		{ return dhcp_request && FLAGS_use_binpac; }
+
+protected:
+	binpac::DHCP::DHCP_Conn* interp;
+};
+
+#endif
diff --git a/src/DNS-binpac.cc b/src/DNS-binpac.cc
new file mode 100644
index 0000000000..e06ef1ab19
--- /dev/null
+++ b/src/DNS-binpac.cc
@@ -0,0 +1,92 @@
+// $Id:$
+
+#include "DNS-binpac.h"
+#include "TCP_Reassembler.h"
+
+DNS_UDP_Analyzer_binpac::DNS_UDP_Analyzer_binpac(Connection* conn)
+: Analyzer(AnalyzerTag::DNS_UDP_BINPAC, conn)
+	{
+	interp = new binpac::DNS::DNS_Conn(this);
+	did_session_done = 0;
+	ADD_ANALYZER_TIMER(&DNS_UDP_Analyzer_binpac::ExpireTimer,
+			network_time + dns_session_timeout, 1, TIMER_DNS_EXPIRE);
+	}
+
+DNS_UDP_Analyzer_binpac::~DNS_UDP_Analyzer_binpac()
+	{
+	delete interp;
+	}
+
+void DNS_UDP_Analyzer_binpac::Done()
+	{
+	Analyzer::Done();
+
+	if ( ! did_session_done )
+		Event(udp_session_done);
+	}
+
+void DNS_UDP_Analyzer_binpac::DeliverPacket(int len, const u_char* data, bool orig, int seq, const IP_Hdr* ip, int caplen)
+	{
+	Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
+	interp->NewData(orig, data, data + len);
+	}
+
+void DNS_UDP_Analyzer_binpac::ExpireTimer(double t)
+	{
+	// The - 1.0 in the following is to allow 1 second for the
+	// common case of a single request followed by a single reply,
+	// so we don't needlessly set the timer twice in that case.
+	if ( t - Conn()->LastTime() >= dns_session_timeout - 1.0 || terminating )
+		{
+		Event(connection_timeout);
+		sessions->Remove(Conn());
+		}
+	else
+		ADD_ANALYZER_TIMER(&DNS_UDP_Analyzer_binpac::ExpireTimer,
+				t + dns_session_timeout, 1, TIMER_DNS_EXPIRE);
+	}
+
+DNS_TCP_Analyzer_binpac::DNS_TCP_Analyzer_binpac(Connection* conn)
+: TCP_ApplicationAnalyzer(AnalyzerTag::DNS_TCP_BINPAC, conn)
+	{
+	interp = new binpac::DNS_on_TCP::DNS_TCP_Conn(this);
+	}
+
+DNS_TCP_Analyzer_binpac::~DNS_TCP_Analyzer_binpac()
+	{
+	delete interp;
+	}
+
+void DNS_TCP_Analyzer_binpac::Done()
+	{
+	TCP_ApplicationAnalyzer::Done();
+
+	interp->FlowEOF(true);
+	interp->FlowEOF(false);
+	}
+
+void DNS_TCP_Analyzer_binpac::EndpointEOF(TCP_Reassembler* endp)
+	{
+	TCP_ApplicationAnalyzer::EndpointEOF(endp);
+	interp->FlowEOF(endp->IsOrig());
+	}
+
+void DNS_TCP_Analyzer_binpac::DeliverStream(int len, const u_char* data,
+						bool orig)
+	{
+	TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
+
+	assert(TCP());
+
+	if ( TCP()->IsPartial() || TCP()->HadGap(orig) )
+		// punt-on-partial or stop-on-gap.
+		return;
+
+	interp->NewData(orig, data, data + len);
+	}
+
+void DNS_TCP_Analyzer_binpac::Undelivered(int seq, int len, bool orig)
+	{
+	TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
+	interp->NewGap(orig, len);
+	}
diff --git a/src/DNS-binpac.h b/src/DNS-binpac.h
new file mode 100644
index 0000000000..b43e3b6aae
--- /dev/null
+++ b/src/DNS-binpac.h
@@ -0,0 +1,62 @@
+// $Id:$
+
+#ifndef dns_binpac_h
+#define dns_binpac_h
+
+#include "UDP.h"
+#include "TCP.h"
+
+#include "dns_pac.h"
+
+// FIXME: As the binpac analyer for DNS-TCP and DNS-UDP are currently
+// structured, we cannot directly combine them into one analyzer. Can we
+// change that easily? (Ideally, the TCP preprocessing would become a
+// support-analyzer as it is done for the traditional DNS analyzer.)
+
+class DNS_UDP_Analyzer_binpac : public Analyzer {
+public:
+	DNS_UDP_Analyzer_binpac(Connection* conn);
+	virtual ~DNS_UDP_Analyzer_binpac();
+
+	virtual void Done();
+	virtual void DeliverPacket(int len, const u_char* data, bool orig,
+					int seq, const IP_Hdr* ip, int caplen);
+
+	static Analyzer* InstantiateAnalyzer(Connection* conn)
+		{ return new DNS_UDP_Analyzer_binpac(conn); }
+
+	static bool Available()
+		{ return (dns_request || dns_full_request) && FLAGS_use_binpac; }
+
+protected:
+	friend class AnalyzerTimer;
+	void ExpireTimer(double t);
+
+	int did_session_done;
+
+	binpac::DNS::DNS_Conn* interp;
+};
+
+#include "dns_tcp_pac.h"
+
+class DNS_TCP_Analyzer_binpac : public TCP_ApplicationAnalyzer {
+public:
+	DNS_TCP_Analyzer_binpac(Connection* conn);
+	virtual ~DNS_TCP_Analyzer_binpac();
+
+	virtual void Done();
+	virtual void DeliverStream(int len, const u_char* data, bool orig);
+	virtual void Undelivered(int seq, int len, bool orig);
+	virtual void EndpointEOF(TCP_Reassembler* endp);
+
+	static Analyzer* InstantiateAnalyzer(Connection* conn)
+		{ return new DNS_TCP_Analyzer_binpac(conn); }
+
+	static bool Available()
+		{ return (dns_request || dns_full_request) && FLAGS_use_binpac; }
+
+protected:
+	binpac::DNS_on_TCP::DNS_TCP_Conn* interp;
+};
+
+#endif
diff --git a/src/DNS.cc b/src/DNS.cc
new file mode 100644
index 0000000000..1391794261
--- /dev/null
+++ b/src/DNS.cc
@@ -0,0 +1,1200 @@
+// $Id: DNS.cc 6885 2009-08-20 04:37:55Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "config.h"
+
+#include <ctype.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <arpa/inet.h>
+
+#include "NetVar.h"
+#include "DNS.h"
+#include "Sessions.h"
+#include "Event.h"
+#include "DNS_Rewriter.h"
+#include "TCP_Rewriter.h"
+
+DNS_Interpreter::DNS_Interpreter(Analyzer* arg_analyzer)
+	{
+	analyzer = arg_analyzer;
+	}
+
+int DNS_Interpreter::ParseMessage(const u_char* data, int len, int is_query)
+	{
+	int hdr_len = sizeof(DNS_RawMsgHdr);
+
+	if ( len < hdr_len )
+		{
+		analyzer->Weird("DNS_truncated_len_lt_hdr_len");
+		return 0;
+		}
+
+	DNS_MsgInfo msg((DNS_RawMsgHdr*) data, is_query);
+
+	if ( dns_message )
+		{
+		val_list* vl = new val_list();
+		vl->append(analyzer->BuildConnVal());
+		vl->append(new Val(is_query, TYPE_BOOL));
+		vl->append(msg.BuildHdrVal());
+		vl->append(new Val(len, TYPE_COUNT));
+
+		analyzer->ConnectionEvent(dns_message, vl);
+		}
+
+	// There is a great deal of non-DNS traffic that runs on port 53.
+	// This should weed out most of it.
+	if ( dns_max_queries > 0 && msg.qdcount > dns_max_queries )
+		{
+		analyzer->Weird("DNS_Conn_count_too_large");
+		EndMessage(&msg);
+		return 0;
+		}
+
+	const u_char* msg_start = data;	// needed for interpreting compression
+
+	data += hdr_len;
+	len -= hdr_len;
+
+	if ( ! ParseQuestions(&msg, data, len, msg_start) )
+		{
+		EndMessage(&msg);
+		return 0;
+		}
+
+	if ( ! ParseAnswers(&msg, msg.ancount, DNS_ANSWER,
+				data, len, msg_start) )
+		{
+		EndMessage(&msg);
+		return 0;
+		}
+
+	AddrVal server(analyzer->Conn()->RespAddr());
+
+	int skip_auth = dns_skip_all_auth;
+	int skip_addl = dns_skip_all_addl;
+	if ( msg.ancount > 0 )
+		{ // We did an answer, so can potentially skip auth/addl.
+		skip_auth = skip_auth || msg.nscount == 0 ||
+				dns_skip_auth->Lookup(&server);
+		skip_addl = skip_addl || msg.arcount == 0 ||
+				dns_skip_addl->Lookup(&server);
+		}
+
+	if ( skip_auth && skip_addl )
+		{
+		// No point doing further work parsing the message.
+		EndMessage(&msg);
+		return 1;
+		}
+
+	msg.skip_event = skip_auth;
+	if ( ! ParseAnswers(&msg, msg.nscount, DNS_AUTHORITY,
+				data, len, msg_start) )
+		{
+		EndMessage(&msg);
+		return 0;
+		}
+
+	if ( skip_addl )
+		{
+		// No point doing further work parsing the message.
+		EndMessage(&msg);
+		return 1;
+		}
+
+	msg.skip_event = skip_addl;
+	if ( ! ParseAnswers(&msg, msg.arcount, DNS_ADDITIONAL,
+				data, len, msg_start) )
+		{
+		EndMessage(&msg);
+		return 0;
+		}
+
+	EndMessage(&msg);
+	return 1;
+	}
+
+int DNS_Interpreter::EndMessage(DNS_MsgInfo* msg)
+	{
+	val_list* vl = new val_list;
+
+	vl->append(analyzer->BuildConnVal());
+	vl->append(msg->BuildHdrVal());
+	analyzer->ConnectionEvent(dns_end, vl);
+
+	return 1;
+	}
+
+int DNS_Interpreter::ParseQuestions(DNS_MsgInfo* msg,
+				const u_char*& data, int& len,
+				const u_char* msg_start)
+	{
+	int n = msg->qdcount;
+
+	if ( n == 0 )
+		{
+		// Generate event here because we won't go into ParseQuestion.
+		EventHandlerPtr dns_event =
+			msg->rcode == DNS_CODE_OK ?
+				dns_query_reply : dns_rejected;
+		BroString* question_name = new BroString("<no query>");
+
+		SendReplyOrRejectEvent(msg, dns_event, data, len, question_name);
+		return 1;
+		}
+
+	while ( n > 0 && ParseQuestion(msg, data, len, msg_start) )
+		--n;
+	return n == 0;
+	}
+
+int DNS_Interpreter::ParseAnswers(DNS_MsgInfo* msg, int n, DNS_AnswerType atype,
+				const u_char*& data, int& len,
+				const u_char* msg_start)
+	{
+	msg->answer_type = atype;
+
+	while ( n > 0 && ParseAnswer(msg, data, len, msg_start) )
+		--n;
+
+	return n == 0;
+	}
+
+int DNS_Interpreter::ParseQuestion(DNS_MsgInfo* msg,
+				const u_char*& data, int& len,
+				const u_char* msg_start)
+	{
+	u_char name[513];
+	int name_len = sizeof(name) - 1;
+
+	u_char* name_end = ExtractName(data, len, name, name_len, msg_start);
+	if ( ! name_end )
+		return 0;
+
+	if ( len < int(sizeof(short)) * 2 )
+		{
+		analyzer->Weird("DNS_truncated_quest_too_short");
+		return 0;
+		}
+
+	EventHandlerPtr dns_event = 0;
+
+	if ( msg->QR == 0 )
+		dns_event = dns_request;
+
+	else if ( msg->QR == 1 &&
+		  msg->ancount == 0 && msg->nscount == 0 && msg->arcount == 0 )
+		// Service rejected in some fashion, and it won't be reported
+		// via a returned RR because there aren't any.
+		dns_event = dns_rejected;
+	else
+		dns_event = dns_query_reply;
+
+	if ( dns_event && ! msg->skip_event )
+		{
+		BroString* question_name =
+			new BroString(name, name_end - name, 1);
+		SendReplyOrRejectEvent(msg, dns_event, data, len, question_name);
+		}
+	else
+		{
+		// Consume the unused type/class.
+		(void) ExtractShort(data, len);
+		(void) ExtractShort(data, len);
+		}
+
+	return 1;
+	}
+
+int DNS_Interpreter::ParseAnswer(DNS_MsgInfo* msg,
+				const u_char*& data, int& len,
+				const u_char* msg_start)
+	{
+	u_char name[513];
+	int name_len = sizeof(name) - 1;
+
+	u_char* name_end = ExtractName(data, len, name, name_len, msg_start);
+	if ( ! name_end )
+		return 0;
+
+	if ( len < int(sizeof(short)) * 2 )
+		{
+		analyzer->Weird("DNS_truncated_ans_too_short");
+		return 0;
+		}
+
+	// Note that the exact meaning of some of these fields will be
+	// re-interpreted by other, more adventurous RR types.
+
+	Unref(msg->query_name);
+	msg->query_name = new StringVal(new BroString(name, name_end - name, 1));
+	msg->atype = RR_Type(ExtractShort(data, len));
+	msg->aclass = ExtractShort(data, len);
+	msg->ttl = ExtractLong(data, len);
+
+	int rdlength = ExtractShort(data, len);
+	if ( rdlength > len )
+		{
+		analyzer->Weird("DNS_truncated_RR_rdlength_lt_len");
+		return 0;
+		}
+
+	int status;
+	switch ( msg->atype ) {
+		case TYPE_A:
+			status = ParseRR_A(msg, data, len, rdlength);
+			break;
+
+		case TYPE_A6:
+		case TYPE_AAAA:
+			status = ParseRR_AAAA(msg, data, len, rdlength);
+			break;
+
+		case TYPE_NS:
+		case TYPE_CNAME:
+		case TYPE_PTR:
+			status = ParseRR_Name(msg, data, len, rdlength, msg_start);
+			break;
+
+		case TYPE_SOA:
+			status = ParseRR_SOA(msg, data, len, rdlength, msg_start);
+			break;
+
+		case TYPE_WKS:
+			status = ParseRR_WKS(msg, data, len, rdlength);
+			break;
+
+		case TYPE_HINFO:
+			status = ParseRR_HINFO(msg, data, len, rdlength);
+			break;
+
+		case TYPE_MX:
+			status = ParseRR_MX(msg, data, len, rdlength, msg_start);
+			break;
+
+		case TYPE_TXT:
+			status = ParseRR_TXT(msg, data, len, rdlength, msg_start);
+			break;
+
+		case TYPE_NBS:
+			status = ParseRR_NBS(msg, data, len, rdlength, msg_start);
+			break;
+
+		case TYPE_SRV:
+			status = ParseRR_SRV(msg, data, len, rdlength, msg_start);
+			break;
+
+		case TYPE_EDNS:
+			status = ParseRR_EDNS(msg, data, len, rdlength, msg_start);
+			break;
+
+		case TYPE_TSIG:
+			status = ParseRR_TSIG(msg, data, len, rdlength, msg_start);
+			break;
+
+		default:
+			analyzer->Weird("DNS_RR_unknown_type");
+			data += rdlength;
+			len -= rdlength;
+			status = 1;
+			break;
+	}
+
+	return status;
+	}
+
+u_char* DNS_Interpreter::ExtractName(const u_char*& data, int& len,
+					u_char* name, int name_len,
+					const u_char* msg_start)
+	{
+	u_char* name_start = name;
+
+	while ( ExtractLabel(data, len, name, name_len, msg_start) )
+		;
+
+	int n = name - name_start;
+
+	if ( n >= 255 )
+		analyzer->Weird("DNS_NAME_too_long");
+
+	if ( n >= 2 && name[-1] == '.' )
+		{
+		// Remove trailing dot.
+		--name;
+		name[0] = 0;
+		}
+
+	// Convert labels to lower case for consistency.
+	for ( u_char* np = name_start; np < name; ++np )
+		if ( isupper(*np) )
+			*np = tolower(*np);
+
+	return name;
+	}
+
+int DNS_Interpreter::ExtractLabel(const u_char*& data, int& len,
+				u_char*& name, int& name_len,
+				const u_char* msg_start)
+	{
+	if ( len <= 0 )
+		return 0;
+
+	const u_char* orig_data = data;
+	int label_len = data[0];
+
+	++data;
+	--len;
+
+	if ( len <= 0 )
+		return 0;
+
+	if ( label_len == 0 )
+		// Found terminating label.
+		return 0;
+
+	if ( (label_len & 0xc0) == 0xc0 )
+		{
+		unsigned short offset = (label_len & ~0xc0) << 8;
+
+		offset |= *data;
+
+		++data;
+		--len;
+
+		if ( offset >= orig_data - msg_start )
+			{
+			// (You'd think that actually the offset should be
+			//  at least 6 bytes below our current position:
+			//  2 bytes for a non-trivial label, plus 4 bytes for
+			//  its class and type, which presumably are between
+			//  our current location and the instance of the label.
+			//  But actually this turns out not to be the case -
+			//  sometimes compression points to compression.)
+
+			analyzer->Weird("DNS_label_forward_compress_offset");
+			return 0;
+			}
+
+		// Recursively resolve name.
+		const u_char* recurse_data = msg_start + offset;
+		int recurse_max_len = orig_data - recurse_data;
+
+		u_char* name_end = ExtractName(recurse_data, recurse_max_len,
+						name, name_len, msg_start);
+
+		name_len -= name_end - name;
+		name = name_end;
+
+		return 0;
+		}
+
+	if ( label_len > len )
+		{
+		analyzer->Weird("DNS_label_len_gt_pkt");
+		data += len;	// consume the rest of the packet
+		len = 0;
+		return 0;
+		}
+
+	if ( label_len > 63 )
+		{
+		analyzer->Weird("DNS_label_too_long");
+		return 0;
+		}
+
+	if ( label_len >= name_len )
+		{
+		analyzer->Weird("DNS_label_len_gt_name_len");
+		return 0;
+		}
+
+	memcpy(name, data, label_len);
+	name[label_len] = '.';
+
+	name += label_len + 1;
+	name_len -= label_len + 1;
+
+	data += label_len;
+	len -= label_len;
+
+	return 1;
+	}
+
+uint16 DNS_Interpreter::ExtractShort(const u_char*& data, int& len)
+	{
+	if ( len < 2 )
+		return 0;
+
+	uint16 val;
+
+	val = data[0] << 8;
+
+	++data;
+	--len;
+
+	val |= data[0];
+
+	++data;
+	--len;
+
+	return val;
+	}
+
+uint32 DNS_Interpreter::ExtractLong(const u_char*& data, int& len)
+	{
+	if ( len < 4 )
+		return 0;
+
+	uint32 val;
+
+	val = data[0] << 24;
+	val |= data[1] << 16;
+	val |= data[2] << 8;
+	val |= data[3];
+
+	data += sizeof(val);
+	len -= sizeof(val);
+
+	return val;
+	}
+
+int DNS_Interpreter::ParseRR_Name(DNS_MsgInfo* msg,
+				const u_char*& data, int& len, int rdlength,
+				const u_char* msg_start)
+	{
+	const u_char* data_start = data;
+
+	u_char name[513];
+	int name_len = sizeof(name) - 1;
+
+	u_char* name_end = ExtractName(data, len, name, name_len, msg_start);
+	if ( ! name_end )
+		return 0;
+
+	if ( data - data_start != rdlength )
+		{
+		analyzer->Weird("DNS_RR_length_mismatch");
+		}
+
+	EventHandlerPtr reply_event;
+	switch ( msg->atype ) {
+		case TYPE_NS:
+			reply_event = dns_NS_reply;
+			break;
+
+		case TYPE_CNAME:
+		case TYPE_AAAA:
+		case TYPE_A6:
+			reply_event = dns_CNAME_reply;
+			break;
+
+		case TYPE_PTR:
+			reply_event = dns_PTR_reply;
+			break;
+
+		default:
+			analyzer->Conn()->Internal("DNS_RR_bad_name");
+			reply_event = 0;
+	}
+
+	if ( reply_event && ! msg->skip_event )
+		{
+		val_list* vl = new val_list;
+
+		vl->append(analyzer->BuildConnVal());
+		vl->append(msg->BuildHdrVal());
+		vl->append(msg->BuildAnswerVal());
+		vl->append(new StringVal(new BroString(name, name_end - name, 1)));
+
+		analyzer->ConnectionEvent(reply_event, vl);
+		}
+
+	return 1;
+	}
+
+int DNS_Interpreter::ParseRR_SOA(DNS_MsgInfo* msg,
+				const u_char*& data, int& len, int rdlength,
+				const u_char* msg_start)
+	{
+	const u_char* data_start = data;
+
+	u_char mname[513];
+	int mname_len = sizeof(mname) - 1;
+
+	u_char* mname_end = ExtractName(data, len, mname, mname_len, msg_start);
+	if ( ! mname_end )
+		return 0;
+
+	u_char rname[513];
+	int rname_len = sizeof(rname) - 1;
+
+	u_char* rname_end = ExtractName(data, len, rname, rname_len, msg_start);
+	if ( ! rname_end )
+		return 0;
+
+	if ( len < 20 )
+		return 0;
+
+	uint32 serial = ExtractLong(data, len);
+	uint32 refresh = ExtractLong(data, len);
+	uint32 retry = ExtractLong(data, len);
+	uint32 expire = ExtractLong(data, len);
+	uint32 minimum = ExtractLong(data, len);
+
+	if ( data - data_start != rdlength )
+		analyzer->Weird("DNS_RR_length_mismatch");
+
+	if ( dns_SOA_reply && ! msg->skip_event )
+		{
+		val_list* vl = new val_list;
+
+		vl->append(analyzer->BuildConnVal());
+		vl->append(msg->BuildHdrVal());
+		vl->append(msg->BuildAnswerVal());
+
+		RecordVal* r = new RecordVal(dns_soa);
+
+		r->Assign(0, new StringVal(new BroString(mname, mname_end - mname, 1)));
+		r->Assign(1, new StringVal(new BroString(rname, rname_end - rname, 1)));
+		r->Assign(2, new Val(serial, TYPE_COUNT));
+		r->Assign(3, new IntervalVal(double(refresh), Seconds));
+		r->Assign(4, new IntervalVal(double(retry), Seconds));
+		r->Assign(5, new IntervalVal(double(expire), Seconds));
+		r->Assign(6, new IntervalVal(double(minimum), Seconds));
+
+		vl->append(r);
+
+		analyzer->ConnectionEvent(dns_SOA_reply, vl);
+		}
+
+	return 1;
+	}
+
+int DNS_Interpreter::ParseRR_MX(DNS_MsgInfo* msg,
+				const u_char*& data, int& len, int rdlength,
+				const u_char* msg_start)
+	{
+	const u_char* data_start = data;
+
+	int preference = ExtractShort(data, len);
+
+	u_char name[513];
+	int name_len = sizeof(name) - 1;
+
+	u_char* name_end = ExtractName(data, len, name, name_len, msg_start);
+	if ( ! name_end )
+		return 0;
+
+	if ( data - data_start != rdlength )
+		analyzer->Weird("DNS_RR_length_mismatch");
+
+	if ( dns_MX_reply && ! msg->skip_event )
+		{
+		val_list* vl = new val_list;
+
+		vl->append(analyzer->BuildConnVal());
+		vl->append(msg->BuildHdrVal());
+		vl->append(msg->BuildAnswerVal());
+		vl->append(new StringVal(new BroString(name, name_end - name, 1)));
+		vl->append(new Val(preference, TYPE_COUNT));
+
+		analyzer->ConnectionEvent(dns_MX_reply, vl);
+		}
+
+	return 1;
+	}
+
+int DNS_Interpreter::ParseRR_NBS(DNS_MsgInfo* msg,
+				const u_char*& data, int& len, int rdlength,
+				const u_char* msg_start)
+	{
+	data += rdlength;
+	len -= rdlength;
+	return 1;
+	}
+
+int DNS_Interpreter::ParseRR_SRV(DNS_MsgInfo* msg,
+				const u_char*& data, int& len, int rdlength,
+				const u_char* msg_start)
+	{
+	const u_char* data_start = data;
+
+	unsigned int priority = ExtractShort(data, len);
+	unsigned int weight = ExtractShort(data, len);
+	unsigned int port = ExtractShort(data, len);
+
+	u_char name[513];
+	int name_len = sizeof(name) - 1;
+
+	u_char* name_end = ExtractName(data, len, name, name_len, msg_start);
+	if ( ! name_end )
+		return 0;
+	*name_end = 0;	// terminate name so we can use it in snprintf()
+
+	if ( data - data_start != rdlength )
+		analyzer->Weird("DNS_RR_length_mismatch");
+
+	// The following is just a placeholder.
+	char buf[2048];
+	safe_snprintf(buf, sizeof(buf), "SRV %s priority=%d weight=%d port=%d",
+		      name, priority, weight, port);
+	return 1;
+	}
+
+int DNS_Interpreter::ParseRR_EDNS(DNS_MsgInfo* msg,
+				const u_char*& data, int& len, int rdlength,
+				const u_char* msg_start)
+	{
+	// We need a pair-value set mechanism here to dump useful information
+	// out to the policy side of the house if rdlength > 0.
+
+	if ( dns_EDNS_addl && ! msg->skip_event )
+		{
+		val_list* vl = new val_list;
+
+		vl->append(analyzer->BuildConnVal());
+		vl->append(msg->BuildHdrVal());
+		vl->append(msg->BuildEDNS_Val());
+		analyzer->ConnectionEvent(dns_EDNS_addl, vl);
+		}
+
+	// Currently EDNS supports the movement of type:data pairs
+	// in the RR_DATA section.  Here's where we should put together
+	// a corresponding mechanism.
+	if ( rdlength > 0 )
+		{ // deal with data
+		data += rdlength;
+		len -= rdlength;
+		}
+	else
+		{ // no data, move on
+		data += rdlength;
+		len -= rdlength;
+		}
+
+	return 1;
+	}
+
+int DNS_Interpreter::ParseRR_TSIG(DNS_MsgInfo* msg,
+				const u_char*& data, int& len, int rdlength,
+				const u_char* msg_start)
+	{
+	const u_char* data_start = data;
+	u_char alg_name[1024];
+	int alg_name_len = sizeof(alg_name) - 1;
+
+	u_char* alg_name_end =
+		ExtractName(data, len, alg_name, alg_name_len, msg_start);
+
+	if ( ! alg_name_end )
+		return 0;
+
+	uint32 sign_time_sec = ExtractLong(data, len);
+	unsigned int sign_time_msec = ExtractShort(data, len);
+	unsigned int fudge = ExtractShort(data, len);
+
+	u_char request_MAC[16];
+	memcpy(request_MAC, data, sizeof(request_MAC));
+
+	// Here we adjust the size of the requested MAC + u_int16_t
+	// for length.  See RFC 2845, sec 2.3.
+	int n = sizeof(request_MAC) + sizeof(u_int16_t);
+	data += n;
+	len -= n;
+
+	unsigned int orig_id = ExtractShort(data, len);
+	unsigned int rr_error = ExtractShort(data, len);
+
+	msg->tsig = new TSIG_DATA;
+
+	msg->tsig->alg_name =
+		new BroString(alg_name, alg_name_end - alg_name, 1);
+	msg->tsig->sig = new BroString(request_MAC, sizeof(request_MAC), 1);
+	msg->tsig->time_s = sign_time_sec;
+	msg->tsig->time_ms = sign_time_msec;
+	msg->tsig->fudge = fudge;
+	msg->tsig->orig_id = orig_id;
+	msg->tsig->rr_error = rr_error;
+
+	val_list* vl = new val_list;
+
+	vl->append(analyzer->BuildConnVal());
+	vl->append(msg->BuildHdrVal());
+	vl->append(msg->BuildTSIG_Val());
+
+	analyzer->ConnectionEvent(dns_TSIG_addl, vl);
+
+	return 1;
+	}
+
+int DNS_Interpreter::ParseRR_A(DNS_MsgInfo* msg,
+				const u_char*& data, int& len, int rdlength)
+	{
+	if ( rdlength != 4 )
+		{
+		analyzer->Weird("DNS_RR_bad_length");
+		return 0;
+		}
+
+	uint32 addr = ExtractLong(data, len);
+
+	if ( dns_A_reply && ! msg->skip_event )
+		{
+		val_list* vl = new val_list;
+
+		vl->append(analyzer->BuildConnVal());
+		vl->append(msg->BuildHdrVal());
+		vl->append(msg->BuildAnswerVal());
+		vl->append(new AddrVal(htonl(addr)));
+
+		analyzer->ConnectionEvent(dns_A_reply, vl);
+		}
+
+	return 1;
+	}
+
+int DNS_Interpreter::ParseRR_AAAA(DNS_MsgInfo* msg,
+				const u_char*& data, int& len, int rdlength)
+	{
+	// We need to parse an IPv6 address, high-order byte first.
+	// ### Currently, we fake an A reply rather than an AAAA reply,
+	// since for the latter we won't be able to express the full
+	// address (unless Bro was compiled for IPv6 addresses).  We do
+	// this fake by using just the bottom 4 bytes of the IPv6 address.
+	uint32 addr[4];
+	int i;
+
+	for ( i = 0; i < 4; ++i )
+		{
+		addr[i] = ntohl(ExtractLong(data, len));
+
+		if ( len < 0 )
+			{
+			analyzer->Weird("DNS_AAAA_neg_length");
+			return 0;
+			}
+		}
+
+	// Currently, dns_AAAA_reply is treated like dns_A_reply, since
+	// IPv6 addresses are not generally processed.  This needs to be
+	// fixed. ###
+	if ( dns_A_reply && ! msg->skip_event )
+		{
+		val_list* vl = new val_list;
+
+		vl->append(analyzer->BuildConnVal());
+		vl->append(msg->BuildHdrVal());
+		vl->append(msg->BuildAnswerVal());
+		vl->append(new AddrVal(htonl(addr[3])));
+
+		analyzer->ConnectionEvent(dns_A_reply, vl);
+		}
+
+#if 0
+alternative AAAA code from Chris
+	if ( dns_AAAA_reply && ! msg->skip_event )
+		{
+		val_list* vl = new val_list;
+
+		vl->append(analyzer->BuildConnVal());
+		vl->append(msg->BuildHdrVal());
+		vl->append(msg->BuildAnswerVal());
+#ifdef BROv6
+		// FIXME: might need to htonl the addr first
+		vl->append(new AddrVal(addr));
+#else
+		vl->append(new AddrVal((uint32)0x0000));
+#endif
+		char addrstr[INET6_ADDRSTRLEN];
+		inet_ntop(AF_INET6, addr, addrstr, INET6_ADDRSTRLEN);
+		vl->append(new StringVal(addrstr));
+
+		analyzer->ConnectionEvent(dns_AAAA_reply, vl);
+		}
+#endif
+
+	return 1;
+	}
+
+int DNS_Interpreter::ParseRR_WKS(DNS_MsgInfo* msg,
+				const u_char*& data, int& len, int rdlength)
+	{
+	data += rdlength;
+	len -= rdlength;
+
+	return 1;
+	}
+
+int DNS_Interpreter::ParseRR_HINFO(DNS_MsgInfo* msg,
+				const u_char*& data, int& len, int rdlength)
+	{
+	data += rdlength;
+	len -= rdlength;
+
+	return 1;
+	}
+
+int DNS_Interpreter::ParseRR_TXT(DNS_MsgInfo* msg,
+				const u_char*& data, int& len, int rdlength,
+				const u_char* msg_start)
+	{
+	int name_len = data[0];
+
+	char* name = new char[name_len];
+
+	memcpy(name, data+1, name_len);
+
+	data += rdlength;
+	len -= rdlength;
+
+	if ( dns_TXT_reply && ! msg->skip_event )
+		{
+		val_list* vl = new val_list;
+
+		vl->append(analyzer->BuildConnVal());
+		vl->append(msg->BuildHdrVal());
+		vl->append(msg->BuildAnswerVal());
+		vl->append(new StringVal(name_len, name));
+
+		analyzer->ConnectionEvent(dns_TXT_reply, vl);
+		}
+
+	delete [] name;
+
+	return 1;
+	}
+
+void DNS_Interpreter::SendReplyOrRejectEvent(DNS_MsgInfo* msg,
+						EventHandlerPtr event,
+						const u_char*& data, int& len,
+						BroString* question_name)
+	{
+	RR_Type qtype = RR_Type(ExtractShort(data, len));
+	int qclass = ExtractShort(data, len);
+
+	val_list* vl = new val_list;
+	vl->append(analyzer->BuildConnVal());
+	vl->append(msg->BuildHdrVal());
+	vl->append(new StringVal(question_name));
+	vl->append(new Val(qtype, TYPE_COUNT));
+	vl->append(new Val(qclass, TYPE_COUNT));
+
+	analyzer->ConnectionEvent(event, vl);
+	}
+
+
+DNS_MsgInfo::DNS_MsgInfo(DNS_RawMsgHdr* hdr, int arg_is_query)
+	{
+	//### Need to fix alignment if hdr is misaligned (not on a short
+	// boundary).
+	unsigned short flags = ntohs(hdr->flags);
+
+	QR = (flags & 0x8000) != 0;
+	opcode = (flags & 0x7800) >> 11;
+	AA = (flags & 0x0400) != 0;
+	TC = (flags & 0x0200) != 0;
+	RD = (flags & 0x0100) != 0;
+	RA = (flags & 0x0080) != 0;
+	Z = (flags & 0x0070) >> 4;
+	rcode = (flags & 0x000f);
+
+	qdcount = ntohs(hdr->qdcount);
+	ancount = ntohs(hdr->ancount);
+	nscount = ntohs(hdr->nscount);
+	arcount = ntohs(hdr->arcount);
+
+	id = ntohs(hdr->id);
+	is_query = arg_is_query;
+
+	query_name = 0;
+	atype = TYPE_ALL;
+	aclass = 0;
+	ttl = 0;
+
+	answer_type = DNS_QUESTION;
+	skip_event = 0;
+	}
+
+DNS_MsgInfo::~DNS_MsgInfo()
+	{
+	Unref(query_name);
+	}
+
+Val* DNS_MsgInfo::BuildHdrVal()
+	{
+	RecordVal* r = new RecordVal(dns_msg);
+
+	r->Assign(0, new Val(id, TYPE_COUNT));
+	r->Assign(1, new Val(opcode, TYPE_COUNT));
+	r->Assign(2, new Val(rcode, TYPE_COUNT));
+	r->Assign(3, new Val(QR, TYPE_BOOL));
+	r->Assign(4, new Val(AA, TYPE_BOOL));
+	r->Assign(5, new Val(TC, TYPE_BOOL));
+	r->Assign(6, new Val(RD, TYPE_BOOL));
+	r->Assign(7, new Val(RA, TYPE_BOOL));
+	r->Assign(8, new Val(Z, TYPE_COUNT));
+	r->Assign(9, new Val(qdcount, TYPE_COUNT));
+	r->Assign(10, new Val(ancount, TYPE_COUNT));
+	r->Assign(11, new Val(nscount, TYPE_COUNT));
+	r->Assign(12, new Val(arcount, TYPE_COUNT));
+
+	return r;
+	}
+
+Val* DNS_MsgInfo::BuildAnswerVal()
+	{
+	RecordVal* r = new RecordVal(dns_answer);
+
+	Ref(query_name);
+	r->Assign(0, new Val(int(answer_type), TYPE_COUNT));
+	r->Assign(1, query_name);
+	r->Assign(2, new Val(atype, TYPE_COUNT));
+	r->Assign(3, new Val(aclass, TYPE_COUNT));
+	r->Assign(4, new IntervalVal(double(ttl), Seconds));
+
+	return r;
+	}
+
+Val* DNS_MsgInfo::BuildEDNS_Val()
+	{
+	// We have to treat the additional record type in EDNS differently
+	// than a regular resource record.
+	RecordVal* r = new RecordVal(dns_edns_additional);
+
+	Ref(query_name);
+	r->Assign(0, new Val(int(answer_type), TYPE_COUNT));
+	r->Assign(1, query_name);
+
+	// type = 0x29 or 41 = EDNS
+	r->Assign(2, new Val(atype, TYPE_COUNT));
+
+	// sender's UDP payload size, per RFC 2671 4.3
+	r->Assign(3, new Val(aclass, TYPE_COUNT));
+
+	// Need to break the TTL field into three components:
+	// initial: [------------- ttl (32) ---------------------]
+	// after:   [DO][ ext rcode (7)][ver # (8)][ Z field (16)]
+
+	unsigned int ercode = (ttl >> 24) & 0xff;
+	unsigned int version = (ttl >> 16) & 0xff;
+	// unsigned int DO = ttl & 0x8000;	// "DNSSEC OK" - RFC 3225
+	unsigned int z = ttl & 0xffff;
+
+	unsigned int return_error = (ercode << 8) | rcode;
+
+	r->Assign(4, new Val(return_error, TYPE_COUNT));
+	r->Assign(5, new Val(version, TYPE_COUNT));
+	r->Assign(6, new Val(z, TYPE_COUNT));
+	r->Assign(7, new IntervalVal(double(ttl), Seconds));
+	r->Assign(8, new Val(is_query, TYPE_COUNT));
+
+	return r;
+	}
+
+Val* DNS_MsgInfo::BuildTSIG_Val()
+	{
+	RecordVal* r = new RecordVal(dns_tsig_additional);
+	double rtime = tsig->time_s + tsig->time_ms / 1000.0;
+
+	Ref(query_name);
+	// r->Assign(0, new Val(int(answer_type), TYPE_COUNT));
+	r->Assign(0, query_name);
+	r->Assign(1, new Val(int(answer_type), TYPE_COUNT));
+	r->Assign(2, new StringVal(tsig->alg_name));
+	r->Assign(3, new StringVal(tsig->sig));
+	r->Assign(4, new Val(rtime, TYPE_TIME));
+	r->Assign(5, new Val(double(tsig->fudge), TYPE_TIME));
+	r->Assign(6, new Val(tsig->orig_id, TYPE_COUNT));
+	r->Assign(7, new Val(tsig->rr_error, TYPE_COUNT));
+	r->Assign(8, new Val(is_query, TYPE_COUNT));
+
+	delete tsig;
+	tsig = 0;
+
+	return r;
+	}
+
+Contents_DNS::Contents_DNS(Connection* conn, bool orig,
+				DNS_Interpreter* arg_interp)
+: TCP_SupportAnalyzer(AnalyzerTag::Contents_DNS, conn, orig)
+	{
+	interp = arg_interp;
+
+	msg_buf = 0;
+	buf_n = msg_size = 0;
+	state = DNS_LEN_HI;
+	}
+
+Contents_DNS::~Contents_DNS()
+	{
+	delete msg_buf;
+	}
+
+void Contents_DNS::Flush()
+	{
+	if ( buf_n > 0 )
+		{ // Deliver partial message.
+		interp->ParseMessage(msg_buf, buf_n, true);
+		msg_size = 0;
+		}
+	}
+
+void Contents_DNS::DeliverStream(int len, const u_char* data, bool orig)
+	{
+	if ( state == DNS_LEN_HI )
+		{
+		msg_size = (*data) << 8;
+		state = DNS_LEN_LO;
+
+		++data;
+		--len;
+
+		if ( len == 0 )
+			return;
+		}
+
+	if ( state == DNS_LEN_LO )
+		{
+		msg_size += *data;
+		state = DNS_MESSAGE_BUFFER;
+
+		buf_n = 0;
+
+		if ( msg_buf )
+			{
+			if ( buf_len < msg_size )
+				{
+				buf_len = msg_size;
+				msg_buf = (u_char*) safe_realloc((void*) msg_buf, buf_len);
+				}
+			}
+		else
+			{
+			buf_len = msg_size;
+			msg_buf = (u_char*) safe_malloc(buf_len);
+			}
+
+		++data;
+		--len;
+
+		if ( len == 0 )
+			return;
+		}
+
+	if ( state != DNS_MESSAGE_BUFFER )
+		Conn()->Internal("state inconsistency in Contents_DNS::DeliverStream");
+
+	int n;
+	for ( n = 0; buf_n < msg_size && n < len; ++n )
+		msg_buf[buf_n++] = data[n];
+
+	if ( buf_n < msg_size )
+		// Haven't filled up the message buffer yet, no more to do.
+		return;
+
+	ForwardPacket(msg_size, msg_buf, orig, -1, 0, 0);
+
+	buf_n = 0;
+	state = DNS_LEN_HI;
+
+	if ( n < len )
+		// More data to munch on.
+		DeliverStream(len - n, data + n, orig);
+	}
+
+DNS_Analyzer::DNS_Analyzer(Connection* conn)
+: TCP_ApplicationAnalyzer(AnalyzerTag::DNS, conn)
+	{
+	interp = new DNS_Interpreter(this);
+	contents_dns_orig = contents_dns_resp = 0;
+	did_session_done = 0;
+
+	if ( Conn()->ConnTransport() == TRANSPORT_TCP )
+		{
+		contents_dns_orig = new Contents_DNS(conn, true, interp);
+		contents_dns_resp = new Contents_DNS(conn, false, interp);
+		AddSupportAnalyzer(contents_dns_orig);
+		AddSupportAnalyzer(contents_dns_resp);
+		}
+	else
+		{
+		ADD_ANALYZER_TIMER(&DNS_Analyzer::ExpireTimer,
+					network_time + dns_session_timeout, 1,
+					TIMER_DNS_EXPIRE);
+		}
+	}
+
+DNS_Analyzer::~DNS_Analyzer()
+	{
+	delete interp;
+	}
+
+void DNS_Analyzer::Init()
+	{
+	if ( transformed_pkt_dump && RewritingTrace() &&
+	     Conn()->ConnTransport() == TRANSPORT_UDP )
+		Conn()->GetRootAnalyzer()->SetTraceRewriter(
+			new DNS_Rewriter(this, transformed_pkt_dump_MTU,
+			transformed_pkt_dump));
+	}
+
+void DNS_Analyzer::Done()
+	{
+	TCP_ApplicationAnalyzer::Done();
+
+	if ( Conn()->ConnTransport() == TRANSPORT_UDP && ! did_session_done )
+		Event(udp_session_done);
+	else
+		interp->Timeout();
+	}
+
+void DNS_Analyzer::DeliverPacket(int len, const u_char* data, bool orig,
+					int seq, const IP_Hdr* ip, int caplen)
+	{
+	TCP_ApplicationAnalyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
+
+	if ( orig )
+		{
+		if ( ! interp->ParseMessage(data, len, 1) && non_dns_request )
+			{
+			val_list* vl = new val_list;
+			vl->append(BuildConnVal());
+			vl->append(new StringVal(len, (const char*) data));
+			ConnectionEvent(non_dns_request, vl);
+			}
+		}
+
+	else
+		interp->ParseMessage(data, len, 0);
+	}
+
+
+void DNS_Analyzer::ConnectionClosed(TCP_Endpoint* endpoint, TCP_Endpoint* peer,
+					int gen_event)
+	{
+	TCP_ApplicationAnalyzer::ConnectionClosed(endpoint, peer, gen_event);
+
+	assert(contents_dns_orig && contents_dns_resp);
+	contents_dns_orig->Flush();
+	contents_dns_resp->Flush();
+	}
+
+void DNS_Analyzer::ExpireTimer(double t)
+	{
+	// The - 1.0 in the following is to allow 1 second for the
+	// common case of a single request followed by a single reply,
+	// so we don't needlessly set the timer twice in that case.
+	if ( t - Conn()->LastTime() >= dns_session_timeout - 1.0 || terminating )
+		{
+		Event(connection_timeout);
+		sessions->Remove(Conn());
+		}
+	else
+		ADD_ANALYZER_TIMER(&DNS_Analyzer::ExpireTimer,
+				t + dns_session_timeout, 1, TIMER_DNS_EXPIRE);
+	}
+
+#include "dns-rw.bif.func_def"
diff --git a/src/DNS.h b/src/DNS.h
new file mode 100644
index 0000000000..6a68bf5dbd
--- /dev/null
+++ b/src/DNS.h
@@ -0,0 +1,295 @@
+// $Id: DNS.h 6885 2009-08-20 04:37:55Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#ifndef dns_h
+#define dns_h
+
+#include "TCP.h"
+#include "binpac_bro.h"
+
+typedef enum {
+	DNS_OP_QUERY = 0,		///< standard query
+	DNS_OP_IQUERY = 1,		///< reverse query
+
+	// ### Is server status 2 or 3? RFC 1035 says it's 2
+	// DNS_OP_SERVER_STATUS = 3,	///< server status request
+	DNS_OP_SERVER_STATUS = 2,	///< server status request
+
+	// Netbios operations (query = 0).
+	NETBIOS_REGISTRATION = 5,
+	NETBIOS_RELEASE = 6,
+	NETBIOS_WACK = 7,		// wait for ACK
+	NETBIOS_REFRESH = 8,
+} DNS_Opcode;
+
+typedef enum {
+	DNS_CODE_OK = 0,		///< no error
+	DNS_CODE_FORMAT_ERR = 1,	///< format error
+	DNS_CODE_SERVER_FAIL = 2,	///< server failure
+	DNS_CODE_NAME_ERR = 3,		///< no such domain
+	DNS_CODE_NOT_IMPL = 4,		///< not implemented
+	DNS_CODE_REFUSED = 5,		///< refused
+} DNS_Code;
+
+typedef enum {
+	TYPE_A = 1,		///< host address
+	TYPE_NS = 2,		///< authoritative name server
+	TYPE_CNAME = 5,		///< canonical name
+	TYPE_SOA = 6,		///< start of authority
+	TYPE_WKS = 11,		///< well known service
+	TYPE_PTR = 12,		///< domain name pointer
+	TYPE_HINFO = 13,	///< host information
+	TYPE_MX = 15,		///< mail routing information
+	TYPE_TXT = 16,		///< text strings
+	TYPE_SIG = 24,		///< digital signature (RFC 2535)
+	TYPE_KEY = 25,		///< public key (RFC 2535)
+	TYPE_PX = 26,		///< pointer to X.400/RFC822 mapping info (RFC 1664)
+	TYPE_AAAA = 28,		///< IPv6 address (RFC 1886
+	TYPE_NBS = 32,		///< Netbios name (RFC 1002)
+	TYPE_SRV = 33,		///< service location (RFC 2052)
+	TYPE_NAPTR = 35,	///< naming authority pointer (RFC 2168)
+	TYPE_KX = 36,		///< Key Exchange (RFC 2230)
+	TYPE_CERT = 37,		///< Certificate (RFC 2538)
+	TYPE_A6 = 38,		///< IPv6 address with indirection (RFC 2874)
+	TYPE_DNAME = 39,	///< Non-terminal DNS name redirection (RFC 2672)
+	TYPE_EDNS = 41,		///< OPT pseudo-RR (RFC 2671)
+	TYPE_TKEY = 249,	///< Transaction Key (RFC 2930)
+	TYPE_TSIG = 250,	///< Transaction Signature (RFC 2845)
+
+	// The following are only valid in queries.
+	TYPE_AXFR = 252,
+	TYPE_ALL = 255,
+	TYPE_WINS = 65281,	///< Microsoft's WINS RR
+	TYPE_WINSR = 65282,	///< Microsoft's WINS-R RR
+} RR_Type;
+
+#define DNS_CLASS_IN 1
+#define DNS_CLASS_ANY 255
+
+typedef enum {
+	DNS_QUESTION,
+	DNS_ANSWER,
+	DNS_AUTHORITY,
+	DNS_ADDITIONAL,
+} DNS_AnswerType;
+
+
+struct DNS_RawMsgHdr {
+	unsigned short id;
+	unsigned short flags;
+	unsigned short qdcount;
+	unsigned short ancount;
+	unsigned short nscount;
+	unsigned short arcount;
+};
+
+struct EDNS_ADDITIONAL {		// size
+	unsigned short name;		// -
+	unsigned short type;		// 16 : ExtractShort(data, len)
+	unsigned short payload_size;	// 16
+	unsigned short extended_rcode;	// 8
+	unsigned short version;		// 8
+	unsigned short z;		// 16
+	unsigned short rdata_len;	// 16
+};
+
+struct TSIG_DATA {
+	BroString* alg_name;
+	unsigned long time_s;
+	unsigned short time_ms;
+	BroString* sig;
+	unsigned short fudge;
+	unsigned short orig_id;
+	unsigned short rr_error;
+};
+
+class DNS_MsgInfo {
+public:
+	DNS_MsgInfo(DNS_RawMsgHdr* hdr, int is_query);
+	~DNS_MsgInfo();
+
+	Val* BuildHdrVal();
+	Val* BuildAnswerVal();
+	Val* BuildEDNS_Val();
+	Val* BuildTSIG_Val();
+
+	int id;
+	int opcode;	///< query type, see DNS_Opcode
+	int rcode;	///< return code, see DNS_Code
+	int QR;		///< query record flag
+	int AA;		///< authoritiave answer flag
+	int TC;		///< truncated - size > 512 bytes for udp
+	int RD;		///< recursion desired
+	int RA;		///< recursion available
+	int  Z;		///< zero - this 3 bit field *must* be zero
+	int qdcount;	///< number of questions
+	int ancount;	///< number of answers
+	int nscount;	///< number of authority RRs
+	int arcount;	///< number of additional RRs
+	int is_query;	///< whether it came from the session initiator
+
+	StringVal* query_name;
+	RR_Type atype;
+	int aclass;	///< normally = 1, inet
+	int ttl;
+
+	DNS_AnswerType answer_type;
+	int skip_event;		///< if true, don't generate corresponding events
+	// int answer_count;	///< count of responders.  if >1 and not
+				///< identical answer, there may be problems
+	// uint32* addr;	///< cache value to pass back results
+				///< for forward lookups
+
+	// More values for spesific DNS types.
+	// struct EDNS_ADDITIONAL* edns;
+
+	int tsig_init;
+	struct TSIG_DATA* tsig;
+};
+
+
+class DNS_Interpreter {
+public:
+	DNS_Interpreter(Analyzer* analyzer);
+
+	int ParseMessage(const u_char* data, int len, int is_query);
+
+	void Timeout()	{ }
+
+protected:
+	int EndMessage(DNS_MsgInfo* msg);
+
+	int ParseQuestions(DNS_MsgInfo* msg,
+				const u_char*& data, int& len,
+				const u_char* start);
+	int ParseAnswers(DNS_MsgInfo* msg, int n, DNS_AnswerType answer_type,
+				const u_char*& data, int& len,
+				const u_char* start);
+
+	int ParseQuestion(DNS_MsgInfo* msg,
+			const u_char*& data, int& len, const u_char* start);
+	int ParseAnswer(DNS_MsgInfo* msg,
+			const u_char*& data, int& len, const u_char* start);
+
+	u_char* ExtractName(const u_char*& data, int& len,
+				u_char* label, int label_len,
+				const u_char* msg_start);
+	int ExtractLabel(const u_char*& data, int& len,
+			 u_char*& label, int& label_len,
+			 const u_char* msg_start);
+
+	uint16 ExtractShort(const u_char*& data, int& len);
+	uint32 ExtractLong(const u_char*& data, int& len);
+
+	int ParseRR_Name(DNS_MsgInfo* msg,
+				const u_char*& data, int& len, int rdlength,
+				const u_char* msg_start);
+	int ParseRR_SOA(DNS_MsgInfo* msg,
+				const u_char*& data, int& len, int rdlength,
+				const u_char* msg_start);
+	int ParseRR_MX(DNS_MsgInfo* msg,
+				const u_char*& data, int& len, int rdlength,
+				const u_char* msg_start);
+	int ParseRR_NBS(DNS_MsgInfo* msg,
+				const u_char*& data, int& len, int rdlength,
+				const u_char* msg_start);
+	int ParseRR_SRV(DNS_MsgInfo* msg,
+				const u_char*& data, int& len, int rdlength,
+				const u_char* msg_start);
+	int ParseRR_EDNS(DNS_MsgInfo* msg,
+				const u_char*& data, int& len, int rdlength,
+				const u_char* msg_start);
+	int ParseRR_A(DNS_MsgInfo* msg,
+				const u_char*& data, int& len, int rdlength);
+	int ParseRR_AAAA(DNS_MsgInfo* msg,
+				const u_char*& data, int& len, int rdlength);
+	int ParseRR_WKS(DNS_MsgInfo* msg,
+				const u_char*& data, int& len, int rdlength);
+	int ParseRR_HINFO(DNS_MsgInfo* msg,
+				const u_char*& data, int& len, int rdlength);
+	int ParseRR_TXT(DNS_MsgInfo* msg,
+				const u_char*& data, int& len, int rdlength,
+				const u_char* msg_start);
+	int ParseRR_TSIG(DNS_MsgInfo* msg,
+				const u_char*& data, int& len, int rdlength,
+				const u_char* msg_start);
+
+	void SendReplyOrRejectEvent(DNS_MsgInfo* msg, EventHandlerPtr event,
+					const u_char*& data, int& len,
+					BroString* question_name);
+
+	Analyzer* analyzer;
+};
+
+
+typedef enum {
+	DNS_LEN_HI,		///< looking for the high-order byte of the length
+	DNS_LEN_LO,		///< looking for the low-order byte of the length
+	DNS_MESSAGE_BUFFER,	///< building up the message in the buffer
+} TCP_DNS_state;
+
+// Support analyzer which chunks the TCP stream into "packets".
+// ### This should be merged with TCP_Contents_RPC.
+class Contents_DNS : public TCP_SupportAnalyzer {
+public:
+	Contents_DNS(Connection* c, bool orig, DNS_Interpreter* interp);
+	~Contents_DNS();
+
+	void Flush();		///< process any partially-received data
+
+	TCP_DNS_state State() const	{ return state; }
+
+protected:
+	virtual void DeliverStream(int len, const u_char* data, bool orig);
+
+	DNS_Interpreter* interp;
+
+	u_char* msg_buf;
+	int buf_n;		///< number of bytes in msg_buf
+	int buf_len;		///< size of msg_buf
+	int msg_size;		///< expected size of message
+	TCP_DNS_state state;
+};
+
+// Works for both TCP and UDP.
+class DNS_Analyzer : public TCP_ApplicationAnalyzer {
+public:
+	DNS_Analyzer(Connection* conn);
+	~DNS_Analyzer();
+
+	virtual void DeliverPacket(int len, const u_char* data, bool orig,
+					int seq, const IP_Hdr* ip, int caplen);
+
+	virtual void Init();
+	virtual void Done();
+	virtual void ConnectionClosed(TCP_Endpoint* endpoint,
+					TCP_Endpoint* peer, int gen_event);
+	virtual int RewritingTrace()
+		{
+		return rewriting_dns_trace ||
+			TCP_ApplicationAnalyzer::RewritingTrace();
+		}
+
+	void ExpireTimer(double t);
+
+	static Analyzer* InstantiateAnalyzer(Connection* conn)
+		{ return new DNS_Analyzer(conn); }
+
+	static bool Available()
+		{
+		return (dns_request || dns_full_request) &&
+			! FLAGS_use_binpac;
+		}
+
+protected:
+	DNS_Interpreter* interp;
+	Contents_DNS* contents_dns_orig;
+	Contents_DNS* contents_dns_resp;
+	int did_session_done;
+};
+
+// FIXME: Doesn't really fit into new analyzer structure. What to do?
+int IsReuse(double t, const u_char* pkt);
+
+#endif
diff --git a/src/DNS_Mgr.cc b/src/DNS_Mgr.cc
new file mode 100644
index 0000000000..c205b1f829
--- /dev/null
+++ b/src/DNS_Mgr.cc
@@ -0,0 +1,1119 @@
+// $Id: DNS_Mgr.cc 7073 2010-09-13 00:45:02Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "config.h"
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#if TIME_WITH_SYS_TIME
+# include <sys/time.h>
+# include <time.h>
+#else
+# if HAVE_SYS_TIME_H
+#  include <sys/time.h>
+# else
+#  include <time.h>
+# endif
+#endif
+
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <unistd.h>
+
+#include <netinet/in.h>
+
+#include <errno.h>
+#ifdef HAVE_MEMORY_H
+#include <memory.h>
+#endif
+#include <stdlib.h>
+
+#include "DNS_Mgr.h"
+#include "Event.h"
+#include "Net.h"
+#include "Var.h"
+
+extern "C" {
+extern int select(int, fd_set *, fd_set *, fd_set *, struct timeval *);
+
+#include <netdb.h>
+
+#include "nb_dns.h"
+}
+
+
+class DNS_Mgr_Request {
+public:
+	DNS_Mgr_Request(const char* h)	{ host = copy_string(h); addr = 0; }
+	DNS_Mgr_Request(uint32 a)		{ addr = a; host = 0; }
+	~DNS_Mgr_Request()			{ delete [] host; }
+
+	// Returns nil if this was an address request.
+	const char* ReqHost() const	{ return host; }
+	uint32 ReqAddr() const		{ return addr; }
+
+#ifdef HAVE_NB_DNS
+	int MakeRequest(nb_dns_info* nb_dns);
+#endif
+	int RequestPending() const	{ return request_pending; }
+	void RequestDone()	{ request_pending = 0; }
+
+
+protected:
+	char* host;	// if non-nil, this is a host request
+	uint32 addr;
+	int request_pending;
+};
+
+#ifdef HAVE_NB_DNS
+int DNS_Mgr_Request::MakeRequest(nb_dns_info* nb_dns)
+	{
+	if ( ! nb_dns )
+		return 0;
+
+	request_pending = 1;
+
+	char err[NB_DNS_ERRSIZE];
+	if ( host )
+		return nb_dns_host_request(nb_dns, host, (void*) this, err) >= 0;
+	else
+		return nb_dns_addr_request(nb_dns, addr, (void*) this, err) >= 0;
+	}
+#endif
+
+class DNS_Mapping {
+public:
+	DNS_Mapping(const char* host, struct hostent* h);
+	DNS_Mapping(uint32 addr, struct hostent* h);
+	DNS_Mapping(FILE* f);
+
+	int NoMapping() const		{ return no_mapping; }
+	int InitFailed() const		{ return init_failed; }
+
+	~DNS_Mapping();
+
+	// Returns nil if this was an address request.
+	const char* ReqHost() const	{ return req_host; }
+	uint32 ReqAddr() const		{ return req_addr; }
+	const char* ReqStr() const
+		{ return req_host ? req_host : dotted_addr(ReqAddr());  }
+
+	ListVal* Addrs();
+	TableVal* AddrsSet();	// addresses returned as a set
+	StringVal* Host();
+
+	double CreationTime() const	{ return creation_time; }
+
+	void Save(FILE* f) const;
+
+	int Failed() const		{ return failed; }
+	int Valid() const		{ return ! failed; }
+
+protected:
+	friend class DNS_Mgr;
+
+	void Init(struct hostent* h);
+	void Clear();
+
+	int no_mapping;	// when initializing from a file, immediately hit EOF
+	int init_failed;
+
+	char* req_host;
+	uint32 req_addr;
+
+	int num_names;
+	char** names;
+	StringVal* host_val;
+
+	int num_addrs;
+	uint32* addrs;
+	ListVal* addrs_val;
+
+	int failed;
+	double creation_time;
+};
+
+void DNS_Mgr_mapping_delete_func(void* v)
+	{
+	delete (DNS_Mapping*) v;
+	}
+
+static TableVal* empty_addr_set()
+	{
+	BroType* addr_t = base_type(TYPE_ADDR);
+	TypeList* set_index = new TypeList(addr_t);
+	set_index->Append(addr_t);
+	SetType* s = new SetType(set_index, 0);
+	return new TableVal(s);
+	}
+
+DNS_Mapping::DNS_Mapping(const char* host, struct hostent* h)
+	{
+	Init(h);
+	req_host = copy_string(host);
+	req_addr = 0;
+
+	if ( names && ! names[0] )
+		names[0] = copy_string(host);
+	}
+
+DNS_Mapping::DNS_Mapping(uint32 addr, struct hostent* h)
+	{
+	Init(h);
+	req_addr = addr;
+	req_host = 0;
+	}
+
+DNS_Mapping::DNS_Mapping(FILE* f)
+	{
+	Clear();
+	init_failed = 1;
+
+	req_host = 0;
+	req_addr = 0;
+
+	char buf[512];
+
+	if ( ! fgets(buf, sizeof(buf), f) )
+		{
+		no_mapping = 1;
+		return;
+		}
+
+	char req_buf[512+1], name_buf[512+1];
+	int is_req_host;
+
+	if ( sscanf(buf, "%lf %d %512s %d %512s %d", &creation_time, &is_req_host,
+		    req_buf, &failed, name_buf, &num_addrs) != 6 )
+		return;
+
+	if ( is_req_host )
+		req_host = copy_string(req_buf);
+	else
+		req_addr = dotted_to_addr(req_buf);
+
+	num_names = 1;
+	names = new char*[num_names];
+	names[0] = copy_string(name_buf);
+
+	if ( num_addrs > 0 )
+		{
+		addrs = new uint32[num_addrs];
+
+		for ( int i = 0; i < num_addrs; ++i )
+			{
+			if ( ! fgets(buf, sizeof(buf), f) )
+				{
+				num_addrs = i;
+				return;
+				}
+
+			char* newline = strchr(buf, '\n');
+			if ( newline )
+				*newline = '\0';
+
+			addrs[i] = dotted_to_addr(buf);
+			}
+		}
+	else
+		addrs = 0;
+
+	init_failed = 0;
+	}
+
+DNS_Mapping::~DNS_Mapping()
+	{
+	delete [] req_host;
+
+	if ( names )
+		{
+		for ( int i = 0; i < num_names; ++i )
+			delete [] names[i];
+		delete [] names;
+		}
+
+	delete [] addrs;
+
+	Unref(host_val);
+	Unref(addrs_val);
+	}
+
+ListVal* DNS_Mapping::Addrs()
+	{
+	if ( failed )
+		return 0;
+
+	if ( ! addrs_val )
+		{
+		ListVal* hv = new ListVal(TYPE_ADDR);
+		for ( int i = 0; i < num_addrs; ++i )
+			hv->Append(new AddrVal(addrs[i]));
+		addrs_val = hv;
+		}
+
+	Ref(addrs_val);
+	return addrs_val;
+	}
+
+TableVal* DNS_Mapping::AddrsSet() {
+	ListVal* l = Addrs();
+	if ( l )
+		return l->ConvertToSet();
+	else
+		return empty_addr_set();
+	}
+
+StringVal* DNS_Mapping::Host()
+	{
+	if ( failed || num_names == 0 || ! names[0] )
+		return 0;
+
+	if ( ! host_val )
+		host_val = new StringVal(names[0]);
+
+	Ref(host_val);
+	return host_val;
+	}
+
+// Converts an array of 4 bytes in network order to the corresponding
+// 32-bit network long.
+static uint32 raw_bytes_to_addr(const unsigned char b[4])
+	{
+	uint32 l = (b[0] << 24) | (b[1] << 16) | (b[2] << 8) | b[3];
+	return uint32(htonl(l));
+	}
+
+void DNS_Mapping::Init(struct hostent* h)
+	{
+	no_mapping = 0;
+	init_failed = 0;
+	creation_time = current_time();
+	host_val = 0;
+	addrs_val = 0;
+
+	if ( ! h || h->h_addrtype != AF_INET || h->h_length != 4 )
+		{
+		Clear();
+		return;
+		}
+
+	num_names = 1;	// for now, just use official name
+	names = new char*[num_names];
+	names[0] = h->h_name ? copy_string(h->h_name) : 0;
+
+	for ( num_addrs = 0; h->h_addr_list[num_addrs]; ++num_addrs )
+		;
+
+	if ( num_addrs > 0 )
+		{
+		addrs = new uint32[num_addrs];
+		for ( int i = 0; i < num_addrs; ++i )
+			addrs[i] = raw_bytes_to_addr(
+					(unsigned char*)h->h_addr_list[i]);
+		}
+	else
+		addrs = 0;
+
+	failed = 0;
+	}
+
+void DNS_Mapping::Clear()
+	{
+	num_names = num_addrs = 0;
+	names = 0;
+	addrs = 0;
+	host_val = 0;
+	addrs_val = 0;
+	no_mapping = 0;
+	failed = 1;
+	}
+
+void DNS_Mapping::Save(FILE* f) const
+	{
+	fprintf(f, "%.0f %d %s %d %s %d\n", creation_time, req_host != 0,
+		req_host ? req_host : dotted_addr(req_addr),
+		failed, (names && names[0]) ? names[0] : "*",
+		num_addrs);
+
+	for ( int i = 0; i < num_addrs; ++i )
+		fprintf(f, "%s\n", dotted_addr(addrs[i]));
+	}
+
+
+DNS_Mgr::DNS_Mgr(DNS_MgrMode arg_mode)
+	{
+	did_init = 0;
+
+	mode = arg_mode;
+
+	host_mappings.SetDeleteFunc(DNS_Mgr_mapping_delete_func);
+	addr_mappings.SetDeleteFunc(DNS_Mgr_mapping_delete_func);
+
+#ifdef HAVE_NB_DNS
+	char err[NB_DNS_ERRSIZE];
+	nb_dns = nb_dns_init(err);
+
+	if ( ! nb_dns )
+		warn(fmt("problem initializing NB-DNS: %s", err));
+#endif
+
+	dns_mapping_valid = dns_mapping_unverified = dns_mapping_new_name =
+		dns_mapping_lost_name = dns_mapping_name_changed =
+			dns_mapping_altered =  0;
+
+	dm_rec = 0;
+	dns_fake_count = 0;
+
+	cache_name = dir = 0;
+
+	asyncs_pending = 0;
+	}
+
+DNS_Mgr::~DNS_Mgr()
+	{
+#ifdef HAVE_NB_DNS
+	if ( nb_dns )
+		nb_dns_finish(nb_dns);
+#endif
+
+	delete [] cache_name;
+	delete [] dir;
+	}
+
+bool DNS_Mgr::Init()
+	{
+	if ( did_init )
+		return true;
+
+	const char* cache_dir = dir ? dir : ".";
+
+	if ( mode == DNS_PRIME && ! ensure_dir(cache_dir) )
+		{
+		did_init = 0;
+		return false;
+		}
+
+	cache_name = new char[strlen(cache_dir) + 64];
+	sprintf(cache_name, "%s/%s", cache_dir, ".bro-dns-cache");
+
+	LoadCache(fopen(cache_name, "r"));
+
+	dns_mapping_valid = internal_handler("dns_mapping_valid");
+	dns_mapping_unverified = internal_handler("dns_mapping_unverified");
+	dns_mapping_new_name = internal_handler("dns_mapping_new_name");
+	dns_mapping_lost_name = internal_handler("dns_mapping_lost_name");
+	dns_mapping_name_changed = internal_handler("dns_mapping_name_changed");
+	dns_mapping_altered = internal_handler("dns_mapping_altered");
+
+	dm_rec = internal_type("dns_mapping")->AsRecordType();
+
+	did_init = 1;
+
+#ifdef HAVE_NB_DNS
+	io_sources.Register(this, true);
+
+	// We never set idle to false, having the main loop only calling us from
+	// time to time. If we're issuing more DNS requests than we can handle
+	// in this way, we are having problems anyway ...
+	idle = true;
+#endif
+
+	return true;
+	}
+
+TableVal* DNS_Mgr::LookupHost(const char* name)
+	{
+	if ( ! nb_dns )
+		return empty_addr_set();
+
+	if ( ! did_init )
+		Init();
+
+	if ( mode == DNS_FAKE )
+		{
+		ListVal* hv = new ListVal(TYPE_ADDR);
+		hv->Append(new AddrVal(uint32(++dns_fake_count)));
+		return hv->ConvertToSet();
+		}
+
+	if ( mode != DNS_PRIME )
+		{
+		DNS_Mapping* d = host_mappings.Lookup(name);
+
+		if ( d )
+			{
+			if ( d->Valid() )
+				return d->Addrs()->ConvertToSet();
+			else
+				{
+				warn("no such host:", name);
+				return empty_addr_set();
+				}
+			}
+		}
+
+	// Not found, or priming.
+	switch ( mode ) {
+	case DNS_PRIME:
+		requests.append(new DNS_Mgr_Request(name));
+		return empty_addr_set();
+
+	case DNS_FORCE:
+		internal_error("can't find DNS entry for %s in cache", name);
+		return 0;
+
+	case DNS_DEFAULT:
+		requests.append(new DNS_Mgr_Request(name));
+		Resolve();
+		return LookupHost(name);
+
+	default:
+		internal_error("bad mode in DNS_Mgr::LookupHost");
+		return 0;
+	}
+	}
+
+Val* DNS_Mgr::LookupAddr(uint32 addr)
+	{
+	if ( ! did_init )
+		Init();
+
+	if ( mode != DNS_PRIME )
+		{
+		HashKey h(&addr, 1);
+		DNS_Mapping* d = addr_mappings.Lookup(&h);
+
+		if ( d )
+			{
+			if ( d->Valid() )
+				return d->Host();
+			else
+				{
+				warn("can't resolve IP address:", dotted_addr(addr));
+				return new StringVal(dotted_addr(addr));
+				}
+			}
+		}
+
+	// Not found, or priming.
+	switch ( mode ) {
+	case DNS_PRIME:
+		requests.append(new DNS_Mgr_Request(addr));
+		return new StringVal("<none>");
+
+	case DNS_FORCE:
+		internal_error("can't find DNS entry for %s in cache",
+				dotted_addr(addr));
+		return 0;
+
+	case DNS_DEFAULT:
+		requests.append(new DNS_Mgr_Request(addr));
+		Resolve();
+		return LookupAddr(addr);
+
+	default:
+		internal_error("bad mode in DNS_Mgr::LookupHost");
+		return 0;
+	}
+	}
+
+void DNS_Mgr::Verify()
+	{
+	}
+
+#define MAX_PENDING_REQUESTS 20
+
+void DNS_Mgr::Resolve()
+	{
+	if ( ! nb_dns )
+		return;
+
+	int i;
+
+#ifdef HAVE_NB_DNS
+	int first_req = 0;
+	int num_pending = min(requests.length(), MAX_PENDING_REQUESTS);
+	int last_req = num_pending - 1;
+
+	// Prime with the initial requests.
+	for ( i = first_req; i <= last_req; ++i )
+		requests[i]->MakeRequest(nb_dns);
+
+	// Start resolving.  Each time an answer comes in, we can issue a
+	// new request, if we have more.
+	while ( num_pending > 0 )
+		{
+		int status = AnswerAvailable(DNS_TIMEOUT);
+
+		if ( status <= 0 )
+			{
+			// Error or timeout.  Process all pending requests as
+			// unanswered and reprime.
+			for ( i = first_req; i <= last_req; ++i )
+				{
+				DNS_Mgr_Request* dr = requests[i];
+				if ( dr->RequestPending() )
+					{
+					AddResult(dr, 0);
+					dr->RequestDone();
+					}
+				}
+
+			first_req = last_req + 1;
+			num_pending = min(requests.length() - first_req,
+						MAX_PENDING_REQUESTS);
+			last_req = first_req + num_pending - 1;
+
+			for ( i = first_req; i <= last_req; ++i )
+				requests[i]->MakeRequest(nb_dns);
+
+			continue;
+			}
+
+		char err[NB_DNS_ERRSIZE];
+		struct nb_dns_result r;
+		status = nb_dns_activity(nb_dns, &r, err);
+		if ( status < 0 )
+			internal_error(
+			    "NB-DNS error in DNS_Mgr::WaitForReplies (%s)",
+			    err);
+		else if ( status > 0 )
+			{
+			DNS_Mgr_Request* dr = (DNS_Mgr_Request*) r.cookie;
+			if ( dr->RequestPending() )
+				{
+				AddResult(dr, &r);
+				dr->RequestDone();
+				}
+
+			// Room for another, if we have it.
+			if ( last_req < requests.length() - 1 )
+				{
+				++last_req;
+				requests[last_req]->MakeRequest(nb_dns);
+				}
+			else
+				--num_pending;
+			}
+		}
+#endif
+
+	// All done with the list of requests.
+	for ( i = requests.length() - 1; i >= 0; --i )
+		delete requests.remove_nth(i);
+	}
+
+int DNS_Mgr::Save()
+	{
+	if ( ! cache_name )
+		return 0;
+
+	FILE* f = fopen(cache_name, "w");
+
+	if ( ! f )
+		return 0;
+
+	Save(f, host_mappings);
+	Save(f, addr_mappings);
+
+	fclose(f);
+
+	return 1;
+	}
+
+void DNS_Mgr::Event(EventHandlerPtr e, DNS_Mapping* dm, ListVal* l1, ListVal* l2)
+	{
+	if ( ! e )
+		return;
+
+	val_list* vl = new val_list;
+	vl->append(BuildMappingVal(dm));
+
+	if ( l1 )
+		{
+		vl->append(l1->ConvertToSet());
+		if ( l2 )
+			vl->append(l2->ConvertToSet());
+
+		Unref(l1);
+		Unref(l2);
+		}
+
+	mgr.QueueEvent(e, vl);
+	}
+
+void DNS_Mgr::Event(EventHandlerPtr e, DNS_Mapping* old_dm, DNS_Mapping* new_dm)
+	{
+	if ( ! e )
+		return;
+
+	val_list* vl = new val_list;
+	vl->append(BuildMappingVal(old_dm));
+	vl->append(BuildMappingVal(new_dm));
+	mgr.QueueEvent(e, vl);
+	}
+
+Val* DNS_Mgr::BuildMappingVal(DNS_Mapping* dm)
+	{
+	RecordVal* r = new RecordVal(dm_rec);
+
+	r->Assign(0, new Val(dm->CreationTime(), TYPE_TIME));
+	r->Assign(1, new StringVal(dm->ReqHost() ? dm->ReqHost() : ""));
+	r->Assign(2, new AddrVal(dm->ReqAddr()));
+	r->Assign(3, new Val(dm->Valid(), TYPE_BOOL));
+
+	Val* h = dm->Host();
+	r->Assign(4, h ? h : new StringVal("<none>"));
+	r->Assign(5, dm->AddrsSet());
+
+	return r;
+	}
+
+void DNS_Mgr::AddResult(DNS_Mgr_Request* dr, struct nb_dns_result* r)
+	{
+	struct hostent* h = (r && r->host_errno == 0) ? r->hostent : 0;
+
+	DNS_Mapping* new_dm;
+	DNS_Mapping* prev_dm;
+	int keep_prev = 0;
+
+	if ( dr->ReqHost() )
+		{
+		new_dm = new DNS_Mapping(dr->ReqHost(), h);
+		prev_dm = host_mappings.Insert(dr->ReqHost(), new_dm);
+
+		if ( new_dm->Failed() && prev_dm && prev_dm->Valid() )
+			{
+			// Put previous, valid entry back - CompareMappings
+			// will generate a corresponding warning.
+			(void) host_mappings.Insert(dr->ReqHost(), prev_dm);
+			++keep_prev;
+			}
+		}
+	else
+		{
+		new_dm = new DNS_Mapping(dr->ReqAddr(), h);
+		uint32 tmp_addr = dr->ReqAddr();
+		HashKey k(&tmp_addr, 1);
+		prev_dm = addr_mappings.Insert(&k, new_dm);
+
+		if ( new_dm->Failed() && prev_dm && prev_dm->Valid() )
+			{
+			uint32 tmp_addr = dr->ReqAddr();
+			HashKey k2(&tmp_addr, 1);
+			(void) addr_mappings.Insert(&k2, prev_dm);
+			++keep_prev;
+			}
+		}
+
+	if ( prev_dm )
+		CompareMappings(prev_dm, new_dm);
+
+	if ( keep_prev )
+		delete new_dm;
+	else
+		delete prev_dm;
+	}
+
+void DNS_Mgr::CompareMappings(DNS_Mapping* prev_dm, DNS_Mapping* new_dm)
+	{
+	if ( prev_dm->Failed() )
+		{
+		if ( new_dm->Failed() )
+			// Nothing changed.
+			return;
+
+		Event(dns_mapping_valid, new_dm);
+		return;
+		}
+
+	else if ( new_dm->Failed() )
+		{
+		Event(dns_mapping_unverified, prev_dm);
+		return;
+		}
+
+	StringVal* prev_s = prev_dm->Host();
+	StringVal* new_s = new_dm->Host();
+
+	if ( prev_s || new_s )
+		{
+		if ( ! prev_s )
+			Event(dns_mapping_new_name, new_dm);
+		else if ( ! new_s )
+			Event(dns_mapping_lost_name, prev_dm);
+		else if ( ! Bstr_eq(new_s->AsString(), prev_s->AsString()) )
+			Event(dns_mapping_name_changed, prev_dm, new_dm);
+
+		Unref(prev_s);
+		Unref(new_s);
+		}
+
+	ListVal* prev_a = prev_dm->Addrs();
+	ListVal* new_a = new_dm->Addrs();
+
+	if ( ! prev_a || ! new_a )
+		internal_error("confused in DNS_Mgr::CompareMappings");
+
+	ListVal* prev_delta = AddrListDelta(prev_a, new_a);
+	ListVal* new_delta = AddrListDelta(new_a, prev_a);
+
+	if ( prev_delta->Length() > 0 || new_delta->Length() > 0 )
+		Event(dns_mapping_altered, new_dm, prev_delta, new_delta);
+	else
+		{
+		Unref(prev_delta);
+		Unref(new_delta);
+		}
+	}
+
+ListVal* DNS_Mgr::AddrListDelta(ListVal* al1, ListVal* al2)
+	{
+	ListVal* delta = new ListVal(TYPE_ADDR);
+
+	for ( int i = 0; i < al1->Length(); ++i )
+		{
+		addr_type al1_i = al1->Index(i)->AsAddr();
+
+		int j;
+		for ( j = 0; j < al2->Length(); ++j )
+			{
+			addr_type al2_j = al2->Index(j)->AsAddr();
+#ifdef BROv6
+			if ( addr_eq(al1_i, al2_j) )
+#else
+			if ( al1_i == al2_j )
+#endif
+				break;
+			}
+
+		if ( j >= al2->Length() )
+			// Didn't find it.
+			delta->Append(al1->Index(i)->Ref());
+		}
+
+	return delta;
+	}
+
+void DNS_Mgr::DumpAddrList(FILE* f, ListVal* al)
+	{
+	for ( int i = 0; i < al->Length(); ++i )
+		{
+		addr_type al_i = al->Index(i)->AsAddr();
+		fprintf(f, "%s%s", i > 0 ? "," : "", dotted_addr(al_i));
+		}
+	}
+
+void DNS_Mgr::LoadCache(FILE* f)
+	{
+	if ( ! f )
+		return;
+
+	DNS_Mapping* m = new DNS_Mapping(f);
+	for ( ; ! m->NoMapping() && ! m->InitFailed(); m = new DNS_Mapping(f) )
+		{
+		if ( m->ReqHost() )
+			host_mappings.Insert(m->ReqHost(), m);
+		else
+			{
+			uint32 tmp_addr = m->ReqAddr();
+			HashKey h(&tmp_addr, 1);
+			addr_mappings.Insert(&h, m);
+			}
+		}
+
+	if ( ! m->NoMapping() )
+		internal_error("DNS cache corrupted");
+
+	delete m;
+	fclose(f);
+	}
+
+void DNS_Mgr::Save(FILE* f, PDict(DNS_Mapping)& m)
+	{
+	IterCookie* cookie = m.InitForIteration();
+	DNS_Mapping* dm;
+
+	while ( (dm = m.NextEntry(cookie)) )
+		dm->Save(f);
+	}
+
+const char* DNS_Mgr::LookupAddrInCache(dns_mgr_addr_type addr)
+	{
+	HashKey h(&addr, 1);
+	DNS_Mapping* d = dns_mgr->addr_mappings.Lookup(&h);
+	if ( ! d )
+		return 0;
+
+	// The escapes in the following strings are to avoid having it
+	// interpreted as a trigraph sequence.
+	return d->names ? d->names[0] : "<\?\?\?>";
+	}
+
+TableVal* DNS_Mgr::LookupNameInCache(string name)
+	{
+	DNS_Mapping* d = dns_mgr->host_mappings.Lookup(name.c_str());
+	if ( ! d || ! d->names )
+		return 0;
+
+	return d->AddrsSet();
+	}
+
+#ifdef HAVE_NB_DNS
+void DNS_Mgr::AsyncLookupAddr(dns_mgr_addr_type host, LookupCallback* callback)
+	{
+	if ( ! did_init )
+		Init();
+
+	// Do we already know the answer?
+	const char* name = LookupAddrInCache(host);
+	if ( name )
+		{
+		callback->Resolved(name);
+		delete callback;
+		return;
+		}
+
+	AsyncRequest* req = 0;
+
+	// Have we already a request waiting for this host?
+	AsyncRequestAddrMap::iterator i = asyncs_addrs.find(host);
+	if ( i != asyncs_addrs.end() )
+		req = i->second;
+	else
+		{
+		// A new one.
+		req = new AsyncRequest;
+		req->host = host;
+		asyncs_queued.push_back(req);
+		asyncs_addrs.insert(AsyncRequestAddrMap::value_type(host, req));
+		}
+
+	req->callbacks.push_back(callback);
+
+	IssueAsyncRequests();
+	}
+
+void DNS_Mgr::AsyncLookupName(string name, LookupCallback* callback)
+	{
+	if ( ! did_init )
+		Init();
+
+	// Do we already know the answer?
+	TableVal* addrs = LookupNameInCache(name);
+	if ( addrs )
+		{
+		callback->Resolved(addrs);
+		Unref(addrs);
+		delete callback;
+		return;
+		}
+
+	AsyncRequest* req = 0;
+
+	// Have we already a request waiting for this host?
+	AsyncRequestNameMap::iterator i = asyncs_names.find(name);
+	if ( i != asyncs_names.end() )
+		req = i->second;
+	else
+		{
+		// A new one.
+		req = new AsyncRequest;
+		req->name = name;
+		asyncs_queued.push_back(req);
+		asyncs_names.insert(AsyncRequestNameMap::value_type(name, req));
+		}
+
+	req->callbacks.push_back(callback);
+
+	IssueAsyncRequests();
+	}
+
+void DNS_Mgr::IssueAsyncRequests()
+	{
+	while ( asyncs_queued.size() && asyncs_pending < MAX_PENDING_REQUESTS )
+		{
+		AsyncRequest* req = asyncs_queued.front();
+		asyncs_queued.pop_front();
+
+		DNS_Mgr_Request* dr;
+		if ( req->IsAddrReq() )
+			dr = new DNS_Mgr_Request(req->host);
+		else
+			dr = new DNS_Mgr_Request(req->name.c_str());
+
+		if ( ! dr->MakeRequest(nb_dns) )
+			{
+			run_time("can't issue DNS request");
+			req->Timeout();
+			continue;
+			}
+
+		req->time = current_time();
+		asyncs_timeouts.push(req);
+
+		++asyncs_pending;
+		}
+	}
+#endif
+
+void  DNS_Mgr::GetFds(int* read, int* write, int* except)
+	{
+#ifdef HAVE_NB_DNS
+	*read = nb_dns_fd(nb_dns);
+#endif
+	}
+
+double DNS_Mgr::NextTimestamp(double* network_time)
+	{
+	// This is kind of cheating ...
+	return asyncs_timeouts.size() ? timer_mgr->Time() : -1.0;
+	}
+
+#ifdef HAVE_NB_DNS
+void DNS_Mgr::CheckAsyncAddrRequest(dns_mgr_addr_type addr, bool timeout)
+	{
+	// Note that this code is a mirror of that for CheckAsyncHostRequest.
+
+	// In the following, if it's not in the respective map anymore, we've
+	// already finished it earlier and don't have anything to do.
+	AsyncRequestAddrMap::iterator i = asyncs_addrs.find(addr);
+
+	if ( i != asyncs_addrs.end() )
+		{
+		const char* name = LookupAddrInCache(addr);
+		if ( name )
+			i->second->Resolved(name);
+
+		else if ( timeout )
+			i->second->Timeout();
+
+		else
+			return;
+
+		asyncs_addrs.erase(i);
+		--asyncs_pending;
+
+		// Don't delete the request.  That will be done once it
+		// eventually times out.
+		}
+
+	}
+
+void DNS_Mgr::CheckAsyncHostRequest(const char* host, bool timeout)
+	{
+	// Note that this code is a mirror of that for CheckAsyncAddrRequest.
+
+	AsyncRequestNameMap::iterator i = asyncs_names.find(host);
+
+	if ( i != asyncs_names.end() )
+		{
+		TableVal* addrs = LookupNameInCache(host);
+
+		if ( addrs )
+			{
+			i->second->Resolved(addrs);
+			Unref(addrs);
+			}
+
+		else if ( timeout )
+			i->second->Timeout();
+
+		else
+			return;
+
+		asyncs_names.erase(i);
+		--asyncs_pending;
+
+		// Don't delete the request.  That will be done once it
+		// eventually times out.
+		}
+	}
+#endif
+
+void  DNS_Mgr::Process()
+	{
+#ifndef HAVE_NB_DNS
+	internal_error("DNS_Mgr::Process(): should never be reached");
+#else
+
+	while ( asyncs_timeouts.size() > 0 )
+		{
+		AsyncRequest* req = asyncs_timeouts.top();
+
+		if ( req->time + DNS_TIMEOUT > current_time() )
+			break;
+
+		if ( req->IsAddrReq() )
+			CheckAsyncAddrRequest(req->host, true);
+		else
+			CheckAsyncHostRequest(req->name.c_str(), true);
+
+		asyncs_timeouts.pop();
+		delete req;
+		}
+
+	if ( asyncs_addrs.size() == 0 && asyncs_names.size() == 0 )
+		return;
+
+	if ( AnswerAvailable(0) <= 0 )
+		return;
+
+	char err[NB_DNS_ERRSIZE];
+	struct nb_dns_result r;
+
+	int status = nb_dns_activity(nb_dns, &r, err);
+
+	if ( status < 0 )
+		internal_error("NB-DNS error in DNS_Mgr::Process (%s)", err);
+
+	else if ( status > 0 )
+		{
+		DNS_Mgr_Request* dr = (DNS_Mgr_Request*) r.cookie;
+		if ( dr->RequestPending() )
+			{
+			AddResult(dr, &r);
+			dr->RequestDone();
+			}
+
+		if ( ! dr->ReqHost() )
+			CheckAsyncAddrRequest(dr->ReqAddr(), true);
+		else
+			CheckAsyncHostRequest(dr->ReqHost(), true);
+
+		IssueAsyncRequests();
+		}
+#endif
+	}
+#ifdef HAVE_NB_DNS
+int DNS_Mgr::AnswerAvailable(int timeout)
+	{
+	int fd = nb_dns_fd(nb_dns);
+	if ( fd < 0 )
+		internal_error("nb_dns_fd() failed in DNS_Mgr::WaitForReplies");
+
+	fd_set read_fds;
+
+	FD_ZERO(&read_fds);
+	FD_SET(fd, &read_fds);
+
+	struct timeval t;
+	t.tv_sec = timeout;
+	t.tv_usec = 0;
+
+	int status = select(fd+1, &read_fds, 0, 0, &t);
+
+	if ( status < 0 )
+		{
+		if ( errno == EINTR )
+			return -1;
+		internal_error("problem with DNS select");
+		}
+
+	if ( status > 1 )
+		internal_error("strange return from DNS select");
+
+	return status;
+	}
+#endif
diff --git a/src/DNS_Mgr.h b/src/DNS_Mgr.h
new file mode 100644
index 0000000000..7431f7d987
--- /dev/null
+++ b/src/DNS_Mgr.h
@@ -0,0 +1,215 @@
+// $Id: DNS_Mgr.h 6915 2009-09-22 05:04:17Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#ifndef dnsmgr_h
+#define dnsmgr_h
+
+#include <list>
+#include <map>
+#include <queue>
+
+#include "util.h"
+#include "BroList.h"
+#include "Dict.h"
+#include "EventHandler.h"
+#include "IOSource.h"
+
+class Val;
+class ListVal;
+class TableVal;
+class Func;
+class EventHandler;
+class RecordType;
+class DNS_Mgr_Request;
+
+struct nb_dns_info;
+struct nb_dns_result;
+
+declare(PDict,ListVal);
+
+class DNS_Mapping;
+declare(PDict,DNS_Mapping);
+
+enum DNS_MgrMode {
+	DNS_PRIME,	// used to prime the cache
+	DNS_FORCE,	// internal error if cache miss
+	DNS_DEFAULT,	// lookup names as they're requested
+	DNS_FAKE,	// don't look up names, just return dummy results
+};
+
+// Number of seconds we'll wait for a reply.
+#define DNS_TIMEOUT 5
+
+// ### For now, we don't support IPv6 lookups.  When we do, this
+// should become addr_type.
+typedef uint32 dns_mgr_addr_type;
+
+class DNS_Mgr : public IOSource {
+public:
+	DNS_Mgr(DNS_MgrMode mode);
+	virtual ~DNS_Mgr();
+
+	bool Init();
+
+	// Looks up the address or addresses of the given host, and returns
+	// a set of addr.
+	TableVal* LookupHost(const char* host);
+
+	Val* LookupAddr(uint32 addr);
+
+	// Define the directory where to store the data.
+	void SetDir(const char* arg_dir)	{ dir = copy_string(arg_dir); }
+
+	void Verify();
+	void Resolve();
+	int Save();
+
+	const char* LookupAddrInCache(dns_mgr_addr_type addr);
+	TableVal* LookupNameInCache(string name);
+
+	// Support for async lookups.
+	class LookupCallback {
+	public:
+		LookupCallback()	{ }
+		virtual ~LookupCallback()	{ }
+
+		virtual void Resolved(const char* name)	{ };
+		virtual void Resolved(TableVal* addrs)	{ };
+		virtual void Timeout() = 0;
+	};
+
+#ifdef HAVE_NB_DNS
+	void AsyncLookupAddr(dns_mgr_addr_type host, LookupCallback* callback);
+	void AsyncLookupName(string name, LookupCallback* callback);
+#endif
+
+protected:
+	friend class LookupCallback;
+	friend class DNS_Mgr_Request;
+
+	void Event(EventHandlerPtr e, DNS_Mapping* dm,
+			ListVal* l1 = 0, ListVal* l2 = 0);
+	void Event(EventHandlerPtr e, DNS_Mapping* old_dm, DNS_Mapping* new_dm);
+
+	Val* BuildMappingVal(DNS_Mapping* dm);
+
+	void AddResult(DNS_Mgr_Request* dr, struct nb_dns_result* r);
+	void CompareMappings(DNS_Mapping* prev_dm, DNS_Mapping* new_dm);
+	ListVal* AddrListDelta(ListVal* al1, ListVal* al2);
+	void DumpAddrList(FILE* f, ListVal* al);
+
+	void LoadCache(FILE* f);
+	void Save(FILE* f, PDict(DNS_Mapping)& m);
+
+#ifdef HAVE_NB_DNS
+	// Selects on the fd to see if there is an answer available (timeout is
+	// secs). Returns 0 on timeout, -1 on EINTR, and 1 if answer is ready.
+	int AnswerAvailable(int timeout);
+
+	// Issue as many queued async requests as slots are available.
+	void IssueAsyncRequests();
+
+	// Finish the request if we have a result.  If not, time it out if
+	// requested.
+	void CheckAsyncAddrRequest(dns_mgr_addr_type addr, bool timeout);
+	void CheckAsyncHostRequest(const char* host, bool timeout);
+
+#endif
+
+	// IOSource interface.
+	virtual void GetFds(int* read, int* write, int* except);
+	virtual double NextTimestamp(double* network_time);
+	virtual void Process();
+	virtual const char* Tag()	{ return "DNS_Mgr"; }
+
+	DNS_MgrMode mode;
+
+	PDict(ListVal) services;
+
+	PDict(DNS_Mapping) host_mappings;
+	PDict(DNS_Mapping) addr_mappings;
+
+	DNS_mgr_request_list requests;
+
+	nb_dns_info* nb_dns;
+	char* cache_name;
+	char* dir;	// directory in which cache_name resides
+
+	int did_init;
+
+	// DNS-related events.
+	EventHandlerPtr dns_mapping_valid;
+	EventHandlerPtr dns_mapping_unverified;
+	EventHandlerPtr dns_mapping_new_name;
+	EventHandlerPtr dns_mapping_lost_name;
+	EventHandlerPtr dns_mapping_name_changed;
+	EventHandlerPtr dns_mapping_altered;
+
+	RecordType* dm_rec;
+
+	int dns_fake_count;	// used to generate unique fake replies
+
+	typedef list<LookupCallback*> CallbackList;
+
+	struct AsyncRequest {
+		double time;
+		dns_mgr_addr_type host;
+		string name;
+		CallbackList callbacks;
+
+		bool IsAddrReq() const	{ return name.length() == 0; }
+
+		void Resolved(const char* name)
+			{
+			for ( CallbackList::iterator i = callbacks.begin();
+			      i != callbacks.end(); ++i )
+				{
+				(*i)->Resolved(name);
+				delete *i;
+				}
+			callbacks.clear();
+			}
+
+		void Resolved(TableVal* addrs)
+			{
+			for ( CallbackList::iterator i = callbacks.begin();
+			      i != callbacks.end(); ++i )
+				{
+				(*i)->Resolved(addrs);
+				delete *i;
+				}
+			callbacks.clear();
+			}
+
+		void Timeout()
+			{
+			for ( CallbackList::iterator i = callbacks.begin();
+			      i != callbacks.end(); ++i )
+				{
+				(*i)->Timeout();
+				delete *i;
+				}
+			callbacks.clear();
+			}
+
+	};
+
+	typedef map<dns_mgr_addr_type, AsyncRequest*> AsyncRequestAddrMap;
+	AsyncRequestAddrMap asyncs_addrs;
+
+	typedef map<string, AsyncRequest*> AsyncRequestNameMap;
+	AsyncRequestNameMap asyncs_names;
+
+	typedef list<AsyncRequest*> QueuedList;
+	QueuedList asyncs_queued;
+
+	typedef priority_queue<AsyncRequest*> TimeoutQueue;
+	TimeoutQueue asyncs_timeouts;
+
+	int asyncs_pending;
+};
+
+extern DNS_Mgr* dns_mgr;
+
+#endif
diff --git a/src/DNS_Rewriter.cc b/src/DNS_Rewriter.cc
new file mode 100644
index 0000000000..15a7fc1570
--- /dev/null
+++ b/src/DNS_Rewriter.cc
@@ -0,0 +1,587 @@
+// $Id:$
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/nameser.h>
+#include <arpa/inet.h>
+#include <resolv.h>
+
+#include "NetVar.h"
+#include "DNS.h"
+#include "Val.h"
+#include "TCP.h"
+#include "Anon.h"
+#include "DNS_Rewriter.h"
+
+DNS_Rewriter::DNS_Rewriter(Analyzer* analyzer, int arg_MTU,
+				PacketDumper* dumper)
+: UDP_Rewriter(analyzer, arg_MTU, dumper)
+	{
+	pkt_size = 0;
+	current_pkt_id = 0;
+
+	pkt = new u_char[DNS_PKT_SIZE + DNS_HDR_SIZE];
+	}
+
+void DNS_Rewriter::DnsCopyHeader(Val* msg)
+	{
+	// New header - reset packet size.
+	pkt_size = 0;
+
+	// Move msg->AsRecordVal() to a RecordVal* to optimize.
+	const RecordVal* msg_rec = msg->AsRecordVal();
+	int id = msg_rec->Lookup(0)->AsCount();
+	int opcode = msg_rec->Lookup(1)->AsCount();
+	int rcode = msg_rec->Lookup(2)->AsCount();
+	int QR = msg_rec->Lookup(3)->AsBool();
+	int AA = msg_rec->Lookup(4)->AsBool();
+	int TC = msg_rec->Lookup(5)->AsBool();
+	int RD = msg_rec->Lookup(6)->AsBool();
+	int RA = msg_rec->Lookup(7)->AsBool();
+	int Z = msg_rec->Lookup(8)->AsCount();
+	int qdcount = msg_rec->Lookup(9)->AsCount();
+	int ancount = msg_rec->Lookup(10)->AsCount();
+	int nscount = msg_rec->Lookup(11)->AsCount();
+	int arcount = msg_rec->Lookup(12)->AsCount();
+
+	current_pkt_id = id;
+
+	// Set the DNS flags.
+	uint16 flags = (QR << 15) | (AA << 10) | (TC << 9) |
+			(RD << 8) | (RA << 7) | (Z << 4);
+
+	flags |= rcode | (opcode << 11);
+
+	(void) WriteShortVal(id);
+	(void) WriteShortVal(flags);
+	(void) WriteShortVal(qdcount);
+	(void) WriteShortVal(ancount);
+	(void) WriteShortVal(nscount);
+	(void) WriteShortVal(arcount);
+
+	// We've finished the header.
+	pkt_size = DNS_HDR_SIZE;
+
+	// Assign all the pointers for dn_comp().
+	dpp = dn_ptrs;
+	*dpp++ = pkt;
+	*dpp++ = 0;
+
+	last_dn_ptr = dn_ptrs + sizeof dn_ptrs / sizeof dn_ptrs[0];
+	}
+
+int DNS_Rewriter::DnsCopyQuery(Val* val)
+	{
+	const RecordVal* val_rec = val->AsRecordVal();
+
+	// int type = val_rec->Lookup(0)->AsCount();
+
+	const BroString* query = val_rec->Lookup(1)->AsString();
+	int atype = val_rec->Lookup(2)->AsCount();
+	int aclass = val_rec->Lookup(3)->AsCount();
+
+	return DnsCopyQuery(query, atype, aclass);
+	}
+
+// Copy the question part of the query into memory.
+// Return the number of bytes that the query string compressed to.
+int DNS_Rewriter::DnsCopyQuery(const BroString* query, uint32 qtype,
+				uint32 qclass)
+	{
+	int len = query->Len();
+	int psize = pkt_size;
+
+	// Encode the query string.
+	const char* dname = (char*) query->Bytes();
+	len = dn_comp(dname, pkt + pkt_size, DNS_PKT_SIZE - pkt_size,
+			dn_ptrs, last_dn_ptr);
+
+	// Can't encode in less than 2 bytes, or about to overwrite.
+	if ( len < 1 || pkt_size + len + 4 > DNS_PKT_SIZE )
+		{
+		warn("dn_comp couldn't encode name into packet");
+		return 0;
+		}
+
+	pkt_size += len;
+
+	// Set type.
+	if ( ! WriteShortVal(qtype) )
+		{
+		pkt_size = psize;
+		return 0;
+		}
+
+	// Set class.
+	if ( ! WriteShortVal(qclass) )
+		{
+		pkt_size = psize;
+		return 0;
+		}
+
+	return len;
+	}
+
+
+// PTR, NS and CNAME are all the same.
+void DNS_Rewriter::DnsCopyPTR(Val* ans, const BroString* name)
+	{
+	DnsCopyCNAME(ans, name);
+	}
+
+// Copy an NS RR into the packet.
+void DNS_Rewriter::DnsCopyNS( Val* ans, const BroString* name)
+	{
+	DnsCopyCNAME(ans, name);
+	}
+
+// Copy an A RR into the packet.
+void DNS_Rewriter::DnsCopyA(Val* ans, uint32 addr)
+	{
+	int psize = pkt_size;
+
+	// Put query part into packet.
+	int len = DnsCopyQuery(ans);
+
+	if ( ! len )
+		return;
+
+	double TTL = ans->AsRecordVal()->Lookup(4)->AsInterval();
+	if ( ! WriteDoubleAsInt(TTL) )
+		{
+		pkt_size = psize;
+		return;
+		}
+
+	// Now we put in how long the resource data is (A rec is always 4).
+	if ( ! WriteShortVal(4) )
+		{
+		pkt_size = psize;
+		return;
+		}
+
+	// Stick in the address (already in network byte order).
+	if ( ! WriteVal(uint32(ntohl(addr))) )
+		{
+		pkt_size = psize;
+		return;
+		}
+	}
+
+// Copy an AAAA RR into the packet.
+void DNS_Rewriter::DnsCopyAAAA(Val* ans, addr_type addr, const BroString* addrstr)
+	{
+	int psize = pkt_size;
+
+
+	// Put query part into packet.
+	int len = DnsCopyQuery(ans);
+	if ( ! len || pkt_size + 6 > DNS_PKT_SIZE )
+		return;
+
+	double TTL = ans->AsRecordVal()->Lookup(4)->AsInterval();
+	if ( ! WriteDoubleAsInt(TTL))
+		{
+		pkt_size = psize;
+		return;
+		}
+
+	// Now we put in how long the resource data is (AAAA rec is always 16).
+	if ( ! WriteShortVal(16) )
+		{
+		pkt_size = psize;
+		return;
+		}
+#ifdef BROv6
+	if ( ! WriteVal(addr) )
+		{
+		pkt_size = psize;
+		return;
+		}
+#else
+	uint32 addr_copy[4];
+	char* addr_tmp = addrstr->Render(BroString::ESC_NONE);
+	inet_pton(AF_INET6, addr_tmp, addr_copy);
+
+	if ( ! WriteVal(addr_copy) )
+		{
+		pkt_size = psize;
+		return;
+		}
+
+	delete addr_tmp;
+#endif
+
+	}
+
+// Copy a CNAME RR into the packet.
+void DNS_Rewriter::DnsCopyCNAME(Val* ans, const BroString* name)
+	{
+	int psize = pkt_size;
+
+	// Put query part into packet.
+	int len = DnsCopyQuery(ans);
+	if ( ! len || pkt_size + 6 > DNS_PKT_SIZE )
+		return;
+
+	double TTL = ans->AsRecordVal()->Lookup(4)->AsInterval();
+	if ( ! WriteDoubleAsInt(TTL))
+		{
+		pkt_size = psize;
+		return;
+		}
+
+	// Resource length (domain name length in packet).
+	// Have to skip till it's encoded, remember this spot.
+	u_char* resource_len = pkt + pkt_size;
+	pkt_size += 2;
+
+	// Encode the domain name.
+	const char* dname = (char*) name->CheckString();
+	len = dn_comp(dname, pkt + pkt_size, DNS_PKT_SIZE - pkt_size,
+			dn_ptrs, last_dn_ptr);
+
+	if ( len < 1 )
+		{
+		pkt_size = psize;
+		return;
+		}
+
+	pkt_size += len;
+
+	// Now we put in how long the name was to encode.
+	uint16 net_rdlen = htons(short(len));
+	memcpy(resource_len, &net_rdlen, sizeof(uint16));
+	}
+
+// Copy a CNAME RR into the packet.
+void DNS_Rewriter::DnsCopyTXT(Val* ans, const BroString* name)
+	{
+	int psize = pkt_size;
+
+	// Put query part into packet.
+	int len = DnsCopyQuery(ans);
+	if ( ! len || pkt_size + 6 > DNS_PKT_SIZE )
+		return;
+
+	double TTL = ans->AsRecordVal()->Lookup(4)->AsInterval();
+	if ( ! WriteDoubleAsInt(TTL))
+		{
+		pkt_size = psize;
+		return;
+		}
+
+	if ( ! WriteShortVal(name->Len()+1))
+		{
+		pkt_size = psize;
+		return;
+		}
+
+	if ( ! WriteVal(uint8(name->Len())))
+		{
+		pkt_size = psize;
+		return;
+		}
+
+	if ( ! WriteVal(name))
+		{
+		pkt_size = psize;
+		return;
+		}
+
+	}
+
+// Copy an MX RR into the packet.
+void DNS_Rewriter::DnsCopyMX(Val* ans, const BroString* name, uint32 preference)
+	{
+	int psize = pkt_size;
+
+	// Put query part into packet.
+	int len = DnsCopyQuery(ans);
+
+	if ( ! len || pkt_size + len + 6 > DNS_PKT_SIZE )
+		{
+		warn("DnsCopyMX: packet too large");
+		return;
+		}
+
+	double TTL = ans->AsRecordVal()->Lookup(4)->AsInterval();
+	if ( ! WriteDoubleAsInt(TTL) )
+		{
+		pkt_size = psize;
+		warn("DnsCopyMX: packet too large");
+		return;
+		}
+
+	// Resource length (domain name length in packet).
+	// Have to skip till it's, remember this spot.
+	u_char* resource_len = pkt + pkt_size;
+	pkt_size += 2;
+
+	if ( ! WriteShortVal(preference))
+		{
+		pkt_size = psize;
+		warn("DnsCopyMX: packet too large");
+		return;
+		}
+
+	// Encode the domain name.
+	const char* dname = (char*) name->CheckString();
+	len += dn_comp(dname, pkt + pkt_size, DNS_PKT_SIZE - pkt_size,
+			dn_ptrs, last_dn_ptr);
+
+	if ( len < 1 )
+		{
+		pkt_size = psize;
+		warn("DnsCopyMX: packet too large");
+		return;
+		}
+
+	pkt_size += len;
+
+	// 2 bytes for the preference size above.
+	len += 2;
+
+	// Now we put in how long the name was to encode.
+	uint16 net_rdlen = htons(short(len));
+	memcpy(resource_len, &net_rdlen, sizeof(uint16));
+	}
+
+// Copy an SOA RR into the packet.
+void DNS_Rewriter::DnsCopySOA(Val* ans, Val* soa)
+	{
+	u_char* resource_len;
+	int resource_offset = 0;
+	int psize = pkt_size;
+
+	const RecordVal* soa_rec = soa->AsRecordVal();
+
+	const BroString* mname = soa_rec->Lookup(0)->AsString();
+	const BroString* rname = soa_rec->Lookup(1)->AsString();
+	uint32 serial = soa_rec->Lookup(2)->AsCount();
+	double refresh = soa_rec->Lookup(3)->AsInterval();
+	double retry = soa_rec->Lookup(4)->AsInterval();
+	double expire = soa_rec->Lookup(5)->AsInterval();
+	double minimum = soa_rec->Lookup(6)->AsInterval();
+
+	// Put query part into packet.
+	int len = DnsCopyQuery(ans);
+
+	if ( ! len || len + 6 > DNS_PKT_SIZE )
+		return;
+
+	double TTL = ans->AsRecordVal()->Lookup(4)->AsInterval();
+	if ( ! WriteDoubleAsInt(TTL) )
+		{
+		pkt_size = psize;
+		return;
+		}
+
+	// Resource length: have to skip till it's encoded.
+	// Remember this spot and offset.
+	resource_len = pkt + pkt_size;
+	pkt_size += 2;
+
+	// Start counting from here (after rdlength).
+	resource_offset = pkt_size;
+
+	// Encode the domain name.
+	const char* dname = (char*) mname->CheckString();
+	len = dn_comp(dname, pkt + pkt_size, DNS_PKT_SIZE - pkt_size,
+			dn_ptrs, last_dn_ptr);
+
+	if ( len < 1 )
+		{
+		pkt_size = psize;
+		return;
+		}
+
+	pkt_size += len;
+
+	// Encode the domain name.
+	dname = (char*) rname->CheckString();
+	len = dn_comp(dname, pkt + pkt_size, DNS_PKT_SIZE - pkt_size,
+			dn_ptrs, last_dn_ptr);
+	if ( len < 1 )
+		{
+		pkt_size = psize;
+		return;
+		}
+
+	pkt_size += len;
+
+	if ( ! WriteVal(serial) || ! WriteDoubleAsInt(refresh) ||
+	     ! WriteDoubleAsInt(retry) || ! WriteDoubleAsInt(expire) ||
+	     ! WriteDoubleAsInt(minimum) )
+		{
+		pkt_size = psize;
+		return;
+		}
+
+	// Now we put in how long this packet was.
+	uint16 net_rdlen = htons(short(pkt_size - resource_offset));
+	memcpy(resource_len, &net_rdlen, sizeof(uint16));
+	}
+
+void DNS_Rewriter::DnsCopyEDNSaddl(Val* ans)
+	{
+	const RecordVal* ans_rec = ans->AsRecordVal();
+
+	int ans_type = ans_rec->Lookup(0)->AsCount();
+	// BroString* query_name = ans_rec->Lookup(1)->AsString();
+	int atype = ans_rec->Lookup(2)->AsCount();
+	int aclass = ans_rec->Lookup(3)->AsCount();
+	int return_error = ans_rec->Lookup(4)->AsCount();
+	int version = ans_rec->Lookup(5)->AsCount();
+	int z = ans_rec->Lookup(6)->AsCount();
+	double ttl = ans_rec->Lookup(7)->AsInterval();
+	int is_query = ans_rec->Lookup(8)->AsCount();
+
+	int rcode = return_error;
+	int ecode = 0;
+
+	int psize = pkt_size;
+
+	if ( return_error > 0xff )
+		{
+		rcode &= 0xff;
+		ecode = return_error >> 8;
+		}
+
+	// Stick the version onto the ecode.
+	ecode = (ecode << 8) | version;
+
+	// Write fixed part of OPT RR
+	// Name '0'.
+	memset(pkt + pkt_size, 0, 1);
+	++pkt_size;
+
+	// Type (either 29 or 41).
+	if ( ! WriteShortVal(atype) )
+		{
+		pkt_size = psize;
+		return;
+		}
+
+	// UDP playload size
+	if ( ! WriteShortVal(aclass) )
+		{
+		pkt_size = psize;
+		return;
+		}
+
+	// Extended rcode + version.
+	if ( ! WriteShortVal(ecode) )
+		{
+		pkt_size = psize;
+		return;
+		}
+
+	// Z field.
+	if ( ! WriteShortVal(z) )
+		{
+		pkt_size = psize;
+		return;
+		}
+
+	// Data length (XXX:for now its zero!).
+	if ( ! WriteShortVal(0) )
+		{
+		pkt_size = psize;
+		return;
+		}
+
+	// Don't write data (XXX:we don't have it!).
+	}
+
+// Does this packet match the current packet being worked on?
+int DNS_Rewriter::DnsPktMatch(Val* msg)
+	{
+	return msg->AsRecordVal()->Lookup(0)->AsInt() == current_pkt_id;
+	}
+
+// Supports copying of TXT values.
+int DNS_Rewriter::WriteVal(const BroString* val)
+	{
+	int n = val->Len();
+
+        if ( pkt_size + n > DNS_PKT_SIZE )
+		{
+		warn("WriteVal: couldn't write data into packet");
+		return 0;
+		}
+
+        char* new_val = val->Render(BroString::ESC_NONE);
+        memcpy(pkt + pkt_size, new_val, n);
+        pkt_size += n;
+
+        delete[] new_val;
+
+        return n;
+	}
+
+int DNS_Rewriter::WriteVal(const uint32* val)
+	{
+	if ( pkt_size + 16 > DNS_PKT_SIZE )
+		{
+		warn("WriteVal: couldn't write data into packet");
+		return 0;
+		}
+
+	memcpy(pkt + pkt_size, &val[0], sizeof(uint32)); pkt_size += 4;
+	memcpy(pkt + pkt_size, &val[1], sizeof(uint32)); pkt_size += 4;
+	memcpy(pkt + pkt_size, &val[2], sizeof(uint32)); pkt_size += 4;
+	memcpy(pkt + pkt_size, &val[3], sizeof(uint32)); pkt_size += 4;
+
+	return sizeof(uint32) * 4;
+	}
+
+// Write a 32 bit value given in host order to the packet.
+int DNS_Rewriter::WriteVal(uint32 val)
+	{
+	if ( pkt_size + 4 > DNS_PKT_SIZE )
+		{
+		warn("WriteVal: couldn't write data into packet");
+		return 0;
+		}
+
+	uint32 net_val = htonl(val);
+	memcpy(pkt + pkt_size, &net_val, sizeof(uint32));
+	pkt_size += 4;
+
+	return sizeof(uint32);
+	}
+
+// Write a 16 bit value given in host order to the packet.
+int DNS_Rewriter::WriteVal(uint16 val)
+	{
+	if ( pkt_size + 2 > DNS_PKT_SIZE )
+		{
+		warn("WriteShortVal: couldn't write data into packet");
+		return 0;
+		}
+
+	uint16 net_val = htons(val);
+	memcpy(pkt + pkt_size, &net_val, sizeof(uint16));
+	pkt_size += 2;
+
+	return sizeof(uint16);
+	}
+
+// Write a 8 bit value given in host order to the packet.
+int DNS_Rewriter::WriteVal(uint8 val)
+	{
+	if ( pkt_size + 1 > DNS_PKT_SIZE )
+		{
+		warn("WriteVal: couldn't write data into packet");
+		return 0;
+		}
+
+	memcpy(pkt + pkt_size, &val, sizeof(uint8));
+	pkt_size += sizeof(uint8);
+
+	return sizeof(uint8);
+	}
diff --git a/src/DNS_Rewriter.h b/src/DNS_Rewriter.h
new file mode 100644
index 0000000000..1a106b6f55
--- /dev/null
+++ b/src/DNS_Rewriter.h
@@ -0,0 +1,70 @@
+// $Id:$
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#ifndef dns_rewriter_h
+#define dns_rewriter_h
+
+#include "UDP.h"
+#include "UDP_Rewriter.h"
+#include "Rewriter.h"
+
+#define DNS_HDR_SIZE 12
+
+// DNS packets size. 512 is the *normal* size, but some packets are bigger
+// than this, and the anonymization process can expand packets, so we
+// pad this way out.
+#define DNS_PKT_SIZE (512*4)
+
+class DNS_Rewriter: public UDP_Rewriter {
+public:
+	DNS_Rewriter(Analyzer* analyzer, int arg_MTU, PacketDumper* dumper);
+	virtual ~DNS_Rewriter()	{ delete pkt;}
+
+	void DnsCopyHeader(Val* val);
+
+	int DnsCopyQuery(const BroString* query, uint32 qtype, uint32 qclass);
+	int DnsCopyQuery(Val* val);
+
+	void DnsCopyNS(Val* ans, const BroString* name);
+	void DnsCopyPTR(Val* ans, const BroString* name);
+	void DnsCopyCNAME(Val* ans, const BroString* name);
+	void DnsCopyTXT(Val* ans, const BroString* name);
+	void DnsCopyA(Val* ans, uint32 addr);
+
+	// AAAA is weird, because the address is an IPv4 type.
+	// If we don't have IPv6, and if it's IPv6, it's a pointer
+	// to valid data.
+	void DnsCopyAAAA(Val* ans, addr_type addr, const BroString* addrstr);
+
+	void DnsCopyMX(Val* ans, const BroString* name, uint32 preference);
+	void DnsCopySOA(Val* ans, Val* soa);
+	void DnsCopyEDNSaddl(Val* ans);
+
+	int DnsPktMatch(Val* val);
+	const u_char* Packet() const	{ return pkt; }
+	int PacketSize() const	{ return pkt_size; }
+	void SetOrig( int orig )	{ is_orig = orig; }
+	int IsOrig()			{ return is_orig; }
+
+	int WriteDoubleAsInt(double d)	{ return WriteVal(uint32(d)); }
+	int WriteShortVal(uint16 val)	{ return WriteVal(uint16(val)); }
+	int WriteVal(uint32 val);
+	int WriteVal(uint16 val);
+	int WriteVal(uint8 val);
+	int WriteVal(const uint32* val);
+	int WriteVal(const BroString* val);
+
+private:
+	u_char* pkt;		// the DNS packet
+	int pkt_size;		// size of the packet
+	int current_pkt_id;	// current ID (sanity checking)
+
+	int is_orig;
+
+	u_char* dn_ptrs[30];	// pointer to names in DNS packet
+	u_char** dpp;		// points to current position in DNS packet
+	u_char** last_dn_ptr;	// points to last entry in dn_ptrs
+};
+
+#endif
diff --git a/src/DPM.cc b/src/DPM.cc
new file mode 100644
index 0000000000..35111a38fa
--- /dev/null
+++ b/src/DPM.cc
@@ -0,0 +1,463 @@
+// $Id: DPM.cc,v 1.1.4.14 2006/06/01 17:18:10 sommer Exp $
+
+#include "DPM.h"
+#include "PIA.h"
+#include "Hash.h"
+#include "ICMP.h"
+#include "UDP.h"
+#include "TCP.h"
+#include "Val.h"
+#include "BackDoor.h"
+#include "InterConn.h"
+#include "SteppingStone.h"
+
+
+ExpectedConn::ExpectedConn(const uint32* _orig, const uint32* _resp,
+				uint16 _resp_p, uint16 _proto)
+	{
+	if ( orig )
+		copy_addr(_orig, orig);
+	else
+		{
+		for ( int i = 0; i < NUM_ADDR_WORDS; ++i )
+			orig[i] = 0;
+		}
+
+	copy_addr(_resp, resp);
+
+	resp_p = _resp_p;
+	proto = _proto;
+	}
+
+ExpectedConn::ExpectedConn(uint32 _orig, uint32 _resp,
+				uint16 _resp_p, uint16 _proto)
+	{
+#ifdef BROv6
+	// Use the IPv4-within-IPv6 convention, as this is what's
+	// needed when we mix uint32's (like in this construction)
+	// with addr_type's (for example, when looking up expected
+	// connections).
+
+	orig[0] = orig[1] = orig[2] = 0;
+	resp[0] = resp[1] = resp[2] = 0;
+	orig[3] = _orig;
+	resp[3] = _resp;
+#else
+	orig[0] = _orig;
+	resp[0] = _resp;
+#endif
+	resp_p = _resp_p;
+	proto = _proto;
+	}
+
+ExpectedConn::ExpectedConn(const ExpectedConn& c)
+	{
+	copy_addr(c.orig, orig);
+	copy_addr(c.resp, resp);
+	resp_p = c.resp_p;
+	proto = c.proto;
+	}
+
+
+DPM::DPM()
+: expected_conns_queue(AssignedAnalyzer::compare)
+	{
+	}
+
+DPM::~DPM()
+	{
+	delete [] active_analyzers;
+	}
+
+void DPM::PreScriptInit()
+	{
+	for ( int i = 1; i < int(AnalyzerTag::LastAnalyzer); i++ )
+		{
+		// Create IDs ANALYZER_*.
+		ID* id = install_ID(fmt("ANALYZER_%s",
+				Analyzer::analyzer_configs[i].name),
+					GLOBAL_MODULE_NAME, true, false);
+		assert(id);
+		id->SetVal(new Val(i, TYPE_COUNT));
+		id->SetType(id->ID_Val()->Type()->Ref());
+		}
+	}
+
+void DPM::PostScriptInit()
+	{
+	active_analyzers = new bool[int(AnalyzerTag::LastAnalyzer)];
+
+	for ( int i = 1; i < int(AnalyzerTag::LastAnalyzer); i++ )
+		{
+		if ( ! Analyzer::analyzer_configs[i].available )
+			continue;
+
+		active_analyzers[i] = Analyzer::analyzer_configs[i].available();
+		if ( active_analyzers[i] )
+			AddConfig(Analyzer::analyzer_configs[i]);
+		}
+	}
+
+void DPM::AddConfig(const Analyzer::Config& cfg)
+	{
+#ifdef USE_PERFTOOLS
+	HeapLeakChecker::Disabler disabler;
+#endif
+
+	Val* index = new Val(cfg.tag, TYPE_COUNT);
+	Val* v = dpd_config->Lookup(index);
+
+#ifdef DEBUG
+	ODesc desc;
+#endif
+	if ( v )
+		{
+		RecordVal* cfg_record = v->AsRecordVal();
+		Val* ports = cfg_record->Lookup(0);
+
+		if ( ports )
+			{
+			ListVal* plist = ports->AsTableVal()->ConvertToPureList();
+
+			for ( int i = 0; i< plist->Length(); ++i )
+				{
+				PortVal* port = plist->Index(i)->AsPortVal();
+
+				analyzer_map* ports =
+					port->IsTCP() ? &tcp_ports : &udp_ports;
+
+				analyzer_map::iterator j =
+					ports->find(port->Port());
+
+				if ( j == ports->end() )
+					{
+					tag_list* analyzers = new tag_list;
+					analyzers->push_back(cfg.tag);
+					ports->insert(analyzer_map::value_type(port->Port(), analyzers));
+					}
+				else
+					j->second->push_back(cfg.tag);
+
+#ifdef DEBUG
+				port->Describe(&desc);
+				desc.SP();
+#endif
+				}
+			}
+		}
+
+	DBG_LOG(DBG_DPD, "%s analyzer active on port(s) %s", cfg.name, desc.Description());
+
+	Unref(index);
+	}
+
+AnalyzerTag::Tag DPM::GetExpected(int proto, const Connection* conn)
+	{
+	if ( ! expected_conns.Length() )
+		return AnalyzerTag::Error;
+
+	ExpectedConn c(conn->OrigAddr(), conn->RespAddr(),
+			ntohs(conn->RespPort()), proto);
+
+	// Can't use sizeof(c) due to potential alignment issues.
+	// FIXME: I guess this is still not portable ...
+	HashKey key(&c, sizeof(c.orig) + sizeof(c.resp) +
+				sizeof(c.resp_p) + sizeof(c.proto));
+
+	AssignedAnalyzer* a = expected_conns.Lookup(&key);
+
+	if ( ! a )
+		{
+		// Wildcard for originator.
+		for ( int i = 0; i < NUM_ADDR_WORDS; ++i )
+			c.orig[i] = 0;
+
+		HashKey key(&c, sizeof(c.orig) + sizeof(c.resp) +
+				sizeof(c.resp_p) + sizeof(c.proto));
+
+		a = expected_conns.Lookup(&key);
+		}
+
+	if ( ! a )
+		return AnalyzerTag::Error;
+
+	// We don't delete it here.  It will be expired eventually.
+	return a->analyzer;
+	}
+
+bool DPM::BuildInitialAnalyzerTree(TransportProto proto, Connection* conn,
+					const u_char* data)
+	{
+	TCP_Analyzer* tcp = 0;
+	TransportLayerAnalyzer* root = 0;
+	AnalyzerTag::Tag expected = AnalyzerTag::Error;
+	analyzer_map* ports = 0;
+	PIA* pia = 0;
+	bool analyzed = false;
+
+	switch ( proto ) {
+
+	case TRANSPORT_TCP:
+		root = tcp = new TCP_Analyzer(conn);
+		pia = new PIA_TCP(conn);
+		expected = GetExpected(proto, conn);
+		ports = &tcp_ports;
+		DBG_DPD(conn, "activated TCP analyzer");
+		break;
+
+	case TRANSPORT_UDP:
+		root = new UDP_Analyzer(conn);
+		pia = new PIA_UDP(conn);
+		expected = GetExpected(proto, conn);
+		ports = &udp_ports;
+		DBG_DPD(conn, "activated UDP analyzer");
+		break;
+
+	case TRANSPORT_ICMP: {
+		const struct icmp* icmpp = (const struct icmp *) data;
+		switch ( icmpp->icmp_type ) {
+
+		case ICMP_ECHO:
+		case ICMP_ECHOREPLY:
+			if ( ICMP_Echo_Analyzer::Available() )
+				{
+				root = new ICMP_Echo_Analyzer(conn);
+				DBG_DPD(conn, "activated ICMP Echo analyzer");
+				}
+			break;
+
+		case ICMP_UNREACH:
+			if ( ICMP_Unreachable_Analyzer::Available() )
+				{
+				root = new ICMP_Unreachable_Analyzer(conn);
+				DBG_DPD(conn, "activated ICMP Unreachable analyzer");
+				}
+			break;
+
+		case ICMP_TIMXCEED:
+			if ( ICMP_TimeExceeded_Analyzer::Available() )
+				{
+				root = new ICMP_TimeExceeded_Analyzer(conn);
+				DBG_DPD(conn, "activated ICMP Time Exceeded analyzer");
+				}
+			break;
+		}
+
+		if ( ! root )
+			root = new ICMP_Analyzer(conn);
+
+		analyzed = true;
+		break;
+		}
+
+	default:
+		internal_error("unknown protocol");
+	}
+
+	if ( ! root )
+		{
+		DBG_DPD(conn, "cannot build analyzer tree");
+		return false;
+		}
+
+	// Any scheduled analyzer?
+	if ( expected != AnalyzerTag::Error )
+		{
+		Analyzer* analyzer =
+			Analyzer::InstantiateAnalyzer(expected, conn);
+		root->AddChildAnalyzer(analyzer, false);
+		DBG_DPD_ARGS(conn, "activated %s analyzer as scheduled",
+			Analyzer::GetTagName(expected));
+
+		// Hmm... Do we want *just* the expected analyzer, or all
+		// other potential analyzers as well?  For now we only take
+		// the scheduled one.
+		}
+
+	else
+		{ // Let's see if it's a port we know.
+		if ( ports && ! dpd_ignore_ports )
+			{
+			analyzer_map::const_iterator i =
+				ports->find(ntohs(conn->RespPort()));
+
+			if ( i != ports->end() )
+				{
+				tag_list* analyzers = i->second;
+				for ( tag_list::const_iterator j = analyzers->begin();
+				      j != analyzers->end(); j++ )
+					{
+					Analyzer* analyzer =
+					Analyzer::InstantiateAnalyzer(*j, conn);
+
+					root->AddChildAnalyzer(analyzer, false);
+					DBG_DPD_ARGS(conn, "activated %s analyzer due to port %d", Analyzer::GetTagName(*j), conn->RespPort());
+					}
+				}
+			}
+		}
+
+	if ( tcp )
+		{
+		// We have to decide whether to reassamble the stream.
+		// We turn it on right away if we already have an app-layer
+		// analyzer, reassemble_first_packets is true, or the user
+		// asks us to do so.  In all other cases, reassembly may
+		// be turned on later by the TCP PIA.
+
+		bool reass = root->GetChildren().size() ||
+				dpd_reassemble_first_packets ||
+				tcp_content_deliver_all_orig ||
+				tcp_content_deliver_all_resp;
+
+		if ( tcp_contents && ! reass )
+			{
+			PortVal dport(ntohs(conn->RespPort()), TRANSPORT_TCP);
+			Val* result;
+
+			if ( ! reass )
+				reass = tcp_content_delivery_ports_orig->Lookup(&dport);
+
+			if ( ! reass )
+				reass = tcp_content_delivery_ports_resp->Lookup(&dport);
+			}
+
+		if ( reass )
+			tcp->EnableReassembly();
+
+		// Add a BackDoor analyzer if requested.  This analyzer
+		// can handle both reassembled and non-reassembled input.
+		if ( BackDoor_Analyzer::Available() )
+			{
+			BackDoor_Analyzer* bd = new BackDoor_Analyzer(conn);
+			tcp->AddChildAnalyzer(bd, false);
+			}
+
+		// Add a InterConn analyzer if requested.  This analyzer
+		// can handle both reassembled and non-reassembled input.
+		if ( InterConn_Analyzer::Available() )
+			{
+			InterConn_Analyzer* bd = new InterConn_Analyzer(conn);
+			tcp->AddChildAnalyzer(bd, false);
+			}
+
+		// Add a SteppingStone analyzer if requested.  The port
+		// should really not be hardcoded here, but as it can
+		// handle non-reassembled data, it doesn't really fit into
+		// our general framing ...  Better would be to turn it
+		// on *after* we discover we have interactive traffic.
+		uint16 resp_port = ntohs(conn->RespPort());
+		if ( SteppingStone_Analyzer::Available() &&
+		     (resp_port == 22 || resp_port == 23 || resp_port == 513) )
+			{
+			AddrVal src(conn->OrigAddr());
+			if ( ! stp_skip_src->Lookup(&src) )
+				{
+				SteppingStone_Analyzer* bd =
+					new SteppingStone_Analyzer(conn);
+				tcp->AddChildAnalyzer(bd, false);
+				}
+			}
+
+		// Add TCPStats analyzer. This needs to see packets so
+		// we cannot add it as a normal child.
+		if ( TCPStats_Analyzer::Available() )
+			tcp->AddChildPacketAnalyzer(new TCPStats_Analyzer(conn));
+		}
+
+	if ( pia )
+		root->AddChildAnalyzer(pia->AsAnalyzer(), false);
+
+	if ( root->GetChildren().size() )
+		analyzed = true;
+
+	conn->SetRootAnalyzer(root, pia);
+	root->Init();
+	root->InitChildren();
+
+	if ( ! analyzed )
+		conn->SetLifetime(non_analyzed_lifetime);
+
+	if ( expected != AnalyzerTag::Error  )
+		conn->Event(expected_connection_seen, 0,
+				new Val(expected, TYPE_COUNT));
+	
+	return true;
+	}
+
+void DPM::ExpectConnection(addr_type orig, addr_type resp, uint16 resp_p,
+			TransportProto proto, AnalyzerTag::Tag analyzer,
+			double timeout, void* cookie)
+	{
+	// Use the chance to see if the oldest entry is already expired.
+	if ( expected_conns_queue.size() )
+		{
+		AssignedAnalyzer* a = expected_conns_queue.top();
+		if ( a->timeout < network_time )
+			{
+			if ( ! a->deleted )
+				{
+				HashKey* key = new HashKey(&a->conn,
+							sizeof(a->conn.orig) +
+							sizeof(a->conn.resp) +
+							sizeof(a->conn.resp_p) +
+							sizeof(a->conn.proto));
+				expected_conns.Remove(key);
+				delete key;
+				}
+
+			expected_conns_queue.pop();
+
+			DBG_LOG(DBG_DPD, "Expired expected %s analyzer for %s",
+				Analyzer::GetTagName(analyzer),
+				fmt_conn_id(a->conn.orig, 0,
+						a->conn.resp,
+						a->conn.resp_p));
+
+			delete a;
+			}
+		}
+
+	ExpectedConn c(orig, resp, resp_p, proto);
+
+	HashKey key(&c, sizeof(c.orig) + sizeof(c.resp) +
+			sizeof(c.resp_p) + sizeof(c.proto));
+
+	AssignedAnalyzer* a = expected_conns.Lookup(&key);
+
+	if ( a )
+		a->deleted = true;
+
+	a = new AssignedAnalyzer(c);
+
+	a->analyzer = analyzer;
+	a->cookie = cookie;
+	a->timeout = network_time + timeout;
+	a->deleted = false;
+
+	expected_conns.Insert(&key, a);
+	expected_conns_queue.push(a);
+	}
+
+void DPM::Done()
+	{
+	// Clean up expected-connection table.
+	while ( expected_conns_queue.size() )
+		{
+		AssignedAnalyzer* a = expected_conns_queue.top();
+		if ( ! a->deleted )
+			{
+			HashKey* key = new HashKey(&a->conn,
+					sizeof(a->conn.orig) +
+					sizeof(a->conn.resp) +
+					sizeof(a->conn.resp_p) +
+					sizeof(a->conn.proto));
+			expected_conns.Remove(key);
+			delete key;
+			}
+
+		expected_conns_queue.pop();
+		delete a;
+		}
+	}
+
diff --git a/src/DPM.h b/src/DPM.h
new file mode 100644
index 0000000000..056f6b25cc
--- /dev/null
+++ b/src/DPM.h
@@ -0,0 +1,139 @@
+// $Id:$
+//
+// The central management unit for dynamic analyzer selection.
+
+#ifndef DPM_H
+#define DPM_H
+
+#include <queue>
+
+#include "Analyzer.h"
+#include "Dict.h"
+#include "net_util.h"
+
+// DPM debug logging, which includes the connection id into the message.
+#ifdef DEBUG
+# define DBG_DPD(conn, txt) \
+	DBG_LOG(DBG_DPD, "%s " txt, \
+		fmt_conn_id(conn->OrigAddr(), ntohs(conn->OrigPort()), \
+		conn->RespAddr(), ntohs(conn->RespPort())));
+# define DBG_DPD_ARGS(conn, fmt, args...) \
+	DBG_LOG(DBG_DPD, "%s " fmt, \
+		fmt_conn_id(conn->OrigAddr(), ntohs(conn->OrigPort()), \
+		conn->RespAddr(), ntohs(conn->RespPort())), ##args);
+#else
+# define DBG_DPD(conn, txt)
+# define DBG_DPD_ARGS(conn, fmt, args...)
+#endif
+
+// Map to assign expected connections to analyzers.
+class ExpectedConn {
+public:
+	// This form can be used for IPv6 as well as IPv4.
+	ExpectedConn(const uint32* _orig, const uint32* _resp,
+			uint16 _resp_p, uint16 _proto);
+
+	// This form only works for expecting an IPv4 connection.  Note
+	// that we do the right thing whether we're built IPv4-only or
+	// BROv6.
+	ExpectedConn(uint32 _orig, uint32 _resp, uint16 _resp_p, uint16 _proto);
+
+	ExpectedConn(const ExpectedConn& c);
+
+	uint32 orig[NUM_ADDR_WORDS];
+	uint32 resp[NUM_ADDR_WORDS];
+	uint16 resp_p;
+	uint16 proto;
+};
+
+// Associates an analyzer for an expected future connection.
+class AssignedAnalyzer {
+public:
+	AssignedAnalyzer(const ExpectedConn& c)
+	: conn(c)
+		{
+		}
+
+	ExpectedConn conn;
+	AnalyzerTag::Tag analyzer;
+	double timeout;
+	void* cookie;
+	bool deleted;
+
+	static bool compare(const AssignedAnalyzer* a1, const AssignedAnalyzer* a2)
+		{ return a1->timeout > a2->timeout; }
+};
+
+declare(PDict, AssignedAnalyzer);
+
+class DPM {
+public:
+	DPM();
+	~DPM();
+
+	// Setup analyzer config.
+	void PreScriptInit();	// To be called before scripts are parsed ...
+	void PostScriptInit();	// ... and after.
+
+	// Given info about the first packet, build initial analyzer tree.
+	//
+	// It would be more flexible if we simply pass in the IP header
+	// and then extract the information we need.  However, when this
+	// method is called from the session management, protocol and ports
+	// have already been extracted there and it would be a waste to do
+	// it again.
+	//
+	// Returns 0 if we can't build a tree (e.g., because the necessary
+	// analyzers have not been converted to the DPM framework yet...)
+
+	bool BuildInitialAnalyzerTree(TransportProto proto, Connection* conn,
+					const u_char* data);
+
+	// Schedules a particular analyzer for an upcoming connection.
+	// 0 acts as a wildcard for orig.  (Cookie is currently unused.
+	// Eventually, we may pass it on to the analyzer).
+	void ExpectConnection(addr_type orig, addr_type resp, uint16 resp_p,
+				TransportProto proto, AnalyzerTag::Tag analyzer,
+				double timeout, void* cookie);
+
+	// Activates signature matching for protocol detection. (Called when an
+	// DPM signatures is found.)
+	void ActivateSigs()		{ sigs_activated = true; }
+	bool SigsActivated() const	{ return sigs_activated; }
+
+	void Done();
+
+private:
+	// Convert script-level config into internal data structures.
+	void AddConfig(const Analyzer::Config& tag);
+
+	// Return analyzer if any has been scheduled with ExpectConnection()
+	// AnalyzerTag::::Error if none.
+	AnalyzerTag::Tag GetExpected(int proto, const Connection* conn);
+
+	// Mappings of destination port to analyzer.
+	typedef list<AnalyzerTag::Tag> tag_list;
+	typedef map<uint32, tag_list*> analyzer_map;
+	analyzer_map tcp_ports;
+	analyzer_map udp_ports;
+
+	// Array of bools indicating whether an analyzer is activated,
+	// indexed by AnalyzerTag::Tag.
+	bool* active_analyzers;
+
+	// True if signature-matching has been activated.
+	bool sigs_activated;
+
+	PDict(AssignedAnalyzer) expected_conns;
+
+	typedef priority_queue<
+			AssignedAnalyzer*,
+			vector<AssignedAnalyzer*>,
+			bool (*)(const AssignedAnalyzer*,
+					const AssignedAnalyzer*)> conn_queue;
+	conn_queue expected_conns_queue;
+};
+
+extern DPM* dpm;
+
+#endif
diff --git a/src/DbgBreakpoint.cc b/src/DbgBreakpoint.cc
new file mode 100644
index 0000000000..a71a6fc186
--- /dev/null
+++ b/src/DbgBreakpoint.cc
@@ -0,0 +1,355 @@
+// $Id: DbgBreakpoint.cc 1345 2005-09-08 07:42:11Z vern $
+
+// Implementation of breakpoints.
+
+#include "config.h"
+
+#include <assert.h>
+
+#include "ID.h"
+#include "Queue.h"
+#include "Debug.h"
+#include "Scope.h"
+#include "Func.h"
+#include "Stmt.h"
+#include "DbgBreakpoint.h"
+#include "Timer.h"
+
+
+// BreakpointTimer used for time-based breakpoints
+class BreakpointTimer : public Timer {
+public:
+	BreakpointTimer(DbgBreakpoint* arg_bp, double arg_t)
+		: Timer(arg_t, TIMER_BREAKPOINT)
+			{ bp = arg_bp; }
+
+	void Dispatch(double t, int is_expire);
+
+protected:
+	DbgBreakpoint* bp;
+};
+
+void BreakpointTimer::Dispatch(double t, int is_expire)
+	{
+	if ( is_expire )
+		return;
+
+	bp->ShouldBreak(t);
+	}
+
+
+DbgBreakpoint::DbgBreakpoint()
+	{
+	kind = BP_STMT;
+
+	enabled = temporary = false;
+	BPID = -1;
+
+	at_stmt = 0;
+	at_time = -1.0;
+
+	repeat_count = hit_count = 0;
+
+	description[0] = 0;
+	}
+
+DbgBreakpoint::~DbgBreakpoint()
+	{
+	SetEnable(false);	// clean up any active state
+	RemoveFromGlobalMap();
+	}
+
+bool DbgBreakpoint::SetEnable(bool do_enable)
+	{
+	bool old_value = enabled;
+	enabled = do_enable;
+
+	// Update statement counts.
+	if ( do_enable && ! old_value )
+		AddToStmt();
+
+	else if ( ! do_enable && old_value )
+		RemoveFromStmt();
+
+	return old_value;
+	}
+
+void DbgBreakpoint::AddToGlobalMap()
+	{
+	// Make sure it's not there already.
+	RemoveFromGlobalMap();
+
+	g_debugger_state.breakpoint_map.insert(BPMapType::value_type(at_stmt, this));
+	}
+
+void DbgBreakpoint::RemoveFromGlobalMap()
+	{
+	pair<BPMapType::iterator, BPMapType::iterator> p;
+	p = g_debugger_state.breakpoint_map.equal_range(at_stmt);
+
+	for ( BPMapType::iterator i = p.first; i != p.second; ++i )
+		{
+		if ( i->second == this )
+			g_debugger_state.breakpoint_map.erase(i);
+		}
+	}
+
+void DbgBreakpoint::AddToStmt()
+	{
+	if ( at_stmt )
+		at_stmt->IncrBPCount();
+	}
+
+void DbgBreakpoint::RemoveFromStmt()
+	{
+	if ( at_stmt )
+		at_stmt->DecrBPCount();
+	}
+
+
+bool DbgBreakpoint::SetLocation(ParseLocationRec plr, string loc_str)
+	{
+	if ( plr.type == plrUnknown )
+		{
+		debug_msg("Breakpoint specifier invalid or operation canceled.\n");
+		return false;
+		}
+
+	if ( plr.type == plrFileAndLine )
+		{
+		kind = BP_LINE;
+		source_filename = plr.filename;
+		source_line = plr.line;
+
+		if ( ! plr.stmt )
+			{
+			debug_msg("No statement at that line.\n");
+			return false;
+			}
+
+		at_stmt = plr.stmt;
+		safe_snprintf(description, sizeof(description), "%s:%d",
+			      source_filename, source_line);
+
+		debug_msg("Breakpoint %d set at %s\n", GetID(), Description());
+		}
+
+	else if ( plr.type == plrFunction )
+		{
+		kind = BP_FUNC;
+		function_name = make_full_var_name(current_module.c_str(),
+							loc_str.c_str());
+		at_stmt = plr.stmt;
+		const Location* loc = at_stmt->GetLocationInfo();
+		safe_snprintf(description, sizeof(description), "%s at %s:%d",
+			      function_name.c_str(), loc->filename, loc->last_line);
+
+		debug_msg("Breakpoint %d set at %s\n", GetID(), Description());
+		}
+
+	SetEnable(true);
+	AddToGlobalMap();
+	return true;
+	}
+
+bool DbgBreakpoint::SetLocation(Stmt* stmt)
+	{
+	if ( ! stmt )
+		return false;
+
+	kind = BP_STMT;
+	at_stmt = stmt;
+
+	SetEnable(true);
+	AddToGlobalMap();
+
+	const Location* loc = stmt->GetLocationInfo();
+	safe_snprintf(description, sizeof(description), "%s:%d",
+		      loc->filename, loc->last_line);
+
+	debug_msg("Breakpoint %d set at %s\n", GetID(), Description());
+
+	return true;
+	}
+
+bool DbgBreakpoint::SetLocation(double t)
+	{
+	debug_msg("SetLocation(time) has not been debugged.");
+	return false;
+
+	kind = BP_TIME;
+	at_time = t;
+
+	timer_mgr->Add(new BreakpointTimer(this, t));
+
+	debug_msg("Time-based breakpoints not yet supported.\n");
+	return false;
+	}
+
+bool DbgBreakpoint::Reset()
+	{
+	ParseLocationRec plr;
+
+	switch ( kind ) {
+	case BP_TIME:
+		debug_msg("Time-based breakpoints not yet supported.\n");
+		break;
+
+	case BP_FUNC:
+	case BP_STMT:
+	case BP_LINE:
+		plr.type = plrFunction;
+		//### How to deal with wildcards?
+		//### perhaps save user choices?--tough...
+		break;
+	}
+
+	internal_error("DbgBreakpoint::Reset function incomplete.");
+	}
+
+bool DbgBreakpoint::SetCondition(const string& new_condition)
+	{
+	condition = new_condition;
+	return true;
+	}
+
+bool DbgBreakpoint::SetRepeatCount(int count)
+	{
+	repeat_count = count;
+	return true;
+	}
+
+BreakCode DbgBreakpoint::HasHit()
+	{
+	if ( temporary )
+		{
+		SetEnable(false);
+		return bcHitAndDelete;
+		}
+
+	if ( condition.size() )
+		{
+		// TODO: ### evaluate using debugger frame too
+		Val* yes = dbg_eval_expr(condition.c_str());
+
+		if ( ! yes )
+			{
+			debug_msg("Breakpoint condition '%s' invalid, removing condition.\n",
+			condition.c_str());
+			SetCondition("");
+			PrintHitMsg();
+			return bcHit;
+			}
+
+		if ( ! IsIntegral(yes->Type()->Tag()) &&
+		     ! IsBool(yes->Type()->Tag()) )
+			{
+			PrintHitMsg();
+			debug_msg("Breakpoint condition should return an integral type");
+			return bcHitAndDelete;
+			}
+
+		yes->CoerceToInt();
+		if ( yes->IsZero() )
+			return bcNoHit;
+		}
+
+	int repcount = GetRepeatCount();
+	if ( repcount )
+		{
+		if ( ++hit_count == repcount )
+			{
+			hit_count = 0;
+			PrintHitMsg();
+			return bcHit;
+			}
+
+		return bcNoHit;
+		}
+
+	PrintHitMsg();
+	return bcHit;
+	}
+
+BreakCode DbgBreakpoint::ShouldBreak(Stmt* s)
+	{
+	if ( ! IsEnabled() )
+		return bcNoHit;
+
+	switch ( kind ) {
+	case BP_STMT:
+	case BP_FUNC:
+		if ( at_stmt != s )
+			return bcNoHit;
+		break;
+
+	case BP_LINE:
+		assert(s->GetLocationInfo()->first_line <= source_line &&
+		       s->GetLocationInfo()->last_line >= source_line);
+		break;
+
+	case BP_TIME:
+		assert(false);
+
+	default:
+		internal_error("Invalid breakpoint type in DbgBreakpoint::ShouldBreak");
+	}
+
+	// If we got here, that means that the breakpoint could hit,
+	// except potentially if it has a special condition or a repeat count.
+
+	BreakCode code = HasHit();
+	if ( code )
+		g_debugger_state.BreakBeforeNextStmt(true);
+
+	return code;
+	}
+
+
+BreakCode DbgBreakpoint::ShouldBreak(double t)
+	{
+	if ( kind != BP_TIME )
+		internal_error("Calling ShouldBreak(time) on a non-time breakpoint");
+
+	if ( t < at_time )
+		return bcNoHit;
+
+	if ( ! IsEnabled() )
+		return bcNoHit;
+
+	BreakCode code = HasHit();
+	if ( code )
+		g_debugger_state.BreakBeforeNextStmt(true);
+
+	return code;
+	}
+
+void DbgBreakpoint::PrintHitMsg()
+	{
+	switch ( kind ) {
+	case BP_STMT:
+	case BP_FUNC:
+	case BP_LINE:
+		{
+		ODesc d;
+		Frame* f = g_frame_stack.back();
+		const BroFunc* func = f->GetFunction();
+
+		if ( func )
+			func->DescribeDebug (&d, f->GetFuncArgs());
+
+		const Location* loc = at_stmt->GetLocationInfo();
+
+		debug_msg("Breakpoint %d, %s at %s:%d\n",
+			 GetID(), d.Description(),
+			 loc->filename, loc->first_line);
+		}
+		return;
+
+	case BP_TIME:
+		assert(false);
+
+	default:
+		internal_error("Missed a case in DbgBreakpoint::PrintHitMsg\n");
+	}
+	}
diff --git a/src/DbgBreakpoint.h b/src/DbgBreakpoint.h
new file mode 100644
index 0000000000..505d1389a4
--- /dev/null
+++ b/src/DbgBreakpoint.h
@@ -0,0 +1,83 @@
+// $Id: DbgBreakpoint.h 80 2004-07-14 20:15:50Z jason $
+
+// Structures and methods for implementing breakpoints in the Bro debugger.
+
+#ifndef DbgBreakpoint_h
+#define DbgBreakpoint_h
+
+#include "Debug.h"
+
+enum BreakCode { bcNoHit, bcHit, bcHitAndDelete };
+class DbgBreakpoint {
+	enum Kind { BP_STMT = 0, BP_FUNC, BP_LINE, BP_TIME };
+
+public:
+	DbgBreakpoint();
+	~DbgBreakpoint();
+
+	int GetID() const	{ return BPID; }
+	void SetID(int newID)	{ BPID = newID; }
+
+	// True if breakpoint could be set; false otherwise
+	bool SetLocation(ParseLocationRec plr, string loc_str);
+	bool SetLocation(Stmt* stmt);
+	bool SetLocation(double time);
+
+	bool Reset();	// cancel and re-apply bpt when restarting execution
+
+	// Temporary = disable (remove?) the breakpoint right after it's hit.
+	bool IsTemporary() const	{ return temporary; }
+	void SetTemporary(bool is_temporary)	{ temporary = is_temporary; }
+
+	// Feed it a Stmt* or a time and see if this breakpoint should
+	// hit.  bcHitAndDelete means that it has hit, and should now be
+	// deleted entirely.
+	//
+	// NOTE: If it returns a hit, the DbgBreakpoint object will take
+	// appropriate action (e.g., resetting counters).
+	BreakCode ShouldBreak(Stmt* s);
+	BreakCode ShouldBreak(double t);
+
+	const string& GetCondition() const	{ return condition; }
+	bool SetCondition(const string& new_condition);
+
+	int GetRepeatCount() const	{ return repeat_count; }
+	bool SetRepeatCount(int count); // implements function of ignore command in gdb
+
+	bool IsEnabled() const	{ return enabled; }
+	bool SetEnable(bool do_enable);
+
+	// e.g. "FooBar() at foo.c:23"
+	const char * Description() const	{ return description; }
+
+protected:
+	void AddToGlobalMap();
+	void RemoveFromGlobalMap();
+
+	void AddToStmt();
+	void RemoveFromStmt();
+
+	BreakCode HasHit();	// a breakpoint hit, update state, return proper code.
+	void PrintHitMsg();	// display reason when the breakpoint hits
+
+	Kind kind;
+	bool enabled;	// ### comment this and next
+	bool temporary;
+	int BPID;
+
+	char description[512];
+	string function_name;	// location
+	const char* source_filename;
+	int source_line;
+
+	Stmt* at_stmt;
+	double at_time;	// break when the virtual time is this
+
+	// Support for conditional and N'th time breakpoints.
+	int repeat_count;	// if positive, break after this many hits
+	int hit_count;	// how many times it's been hit (w/o breaking)
+
+	string condition;	// condition to evaluate; nil for none
+};
+
+#endif
diff --git a/src/DbgDisplay.h b/src/DbgDisplay.h
new file mode 100644
index 0000000000..033dac79e9
--- /dev/null
+++ b/src/DbgDisplay.h
@@ -0,0 +1,30 @@
+// $Id: DbgDisplay.h 80 2004-07-14 20:15:50Z jason $
+
+// Structures and methods for implementing watches in the Bro debugger.
+
+#ifndef dbg_display_h
+#define dbg_display_h
+
+#include "Debug.h"
+
+// Automatic displays: display these at each stoppage.
+class DbgDisplay {
+public:
+	DbgDisplay(Expr* expr_to_display);
+
+	bool IsEnabled()	{ return enabled; }
+	bool SetEnable(bool do_enable)
+		{
+		bool old_value = enabled;
+		enabled = do_enable;
+		return old_value;
+		}
+
+	const Expr* Expression() const	{ return expression; }
+
+protected:
+	bool enabled;
+	Expr* expression;
+	};
+
+#endif
diff --git a/src/DbgHelp.cc b/src/DbgHelp.cc
new file mode 100644
index 0000000000..accf7ce6f6
--- /dev/null
+++ b/src/DbgHelp.cc
@@ -0,0 +1,5 @@
+// Bro Debugger Help
+
+#include "config.h"
+
+#include "Debug.h"
diff --git a/src/DbgWatch.cc b/src/DbgWatch.cc
new file mode 100644
index 0000000000..75f9b9c4af
--- /dev/null
+++ b/src/DbgWatch.cc
@@ -0,0 +1,21 @@
+// Implementation of watches
+
+#include "config.h"
+
+#include "Debug.h"
+#include "DbgWatch.h"
+
+// Support classes
+DbgWatch::DbgWatch(BroObj* var_to_watch)
+	{
+	internal_error("DbgWatch unimplemented");
+	}
+
+DbgWatch::DbgWatch(Expr* expr_to_watch)
+	{
+	internal_error("DbgWatch unimplemented");
+	}
+
+DbgWatch::~DbgWatch()
+	{
+	}
diff --git a/src/DbgWatch.h b/src/DbgWatch.h
new file mode 100644
index 0000000000..ed85e88748
--- /dev/null
+++ b/src/DbgWatch.h
@@ -0,0 +1,21 @@
+// $Id: DbgWatch.h 80 2004-07-14 20:15:50Z jason $
+
+// Structures and methods for implementing watches in the Bro debugger.
+
+#ifndef dbgwatch_h
+#define dbgwatch_h
+
+#include "Debug.h"
+
+class DbgWatch {
+public:
+	DbgWatch(BroObj* var_to_watch);
+	DbgWatch(Expr* expr_to_watch);
+	~DbgWatch();
+
+protected:
+	BroObj* var;
+	Expr* expr;
+};
+
+#endif
diff --git a/src/Debug.cc b/src/Debug.cc
new file mode 100644
index 0000000000..da67c941e4
--- /dev/null
+++ b/src/Debug.cc
@@ -0,0 +1,988 @@
+// Debugging support for Bro policy files.
+
+#include "config.h"
+
+#include <stdio.h>
+#include <stdarg.h>
+#include <signal.h>
+#include <ctype.h>
+
+#include <string>
+using namespace std;
+
+#include "util.h"
+#include "Debug.h"
+#include "DebugCmds.h"
+#include "DbgBreakpoint.h"
+#include "Stmt.h"
+#include "Func.h"
+#include "Scope.h"
+#include "PolicyFile.h"
+
+#ifdef HAVE_READLINE
+#include <readline/readline.h>
+#include <readline/history.h>
+#endif
+
+bool g_policy_debug = false;
+DebuggerState g_debugger_state;
+TraceState g_trace_state;
+PDict(Filemap) g_dbgfilemaps;
+
+// These variables are used only to decide whether or not to print the
+// current context; you don't want to do it after a step or next
+// command unless you've exited a function.
+static bool step_or_next_pending = false;
+static Frame* last_frame;
+
+DebuggerState::DebuggerState()
+	{
+	next_bp_id = next_watch_id = next_display_id = 1;
+	BreakBeforeNextStmt(false);
+	curr_frame_idx = 0;
+	BreakFromSignal(false);
+
+	// ### Don't choose this arbitrary size! Extend Frame.
+	dbg_locals = new Frame(1024, /* func = */ 0, /* fn_args = */ 0);
+	}
+
+DebuggerState::~DebuggerState()
+	{
+	Unref(dbg_locals);
+	}
+
+bool StmtLocMapping::StartsAfter(const StmtLocMapping* m2)
+	{
+	if ( ! m2  )
+		internal_error("Assertion failed: %s", "m2 != 0");
+
+	return loc.first_line > m2->loc.first_line ||
+		(loc.first_line == m2->loc.first_line &&
+		 loc.first_column > m2->loc.first_column);
+	}
+
+
+// Generic debug message output.
+int debug_msg(const char* fmt, ...)
+	{
+	va_list args;
+	int retval;
+
+	va_start(args, fmt);
+	retval = vfprintf(stderr, fmt, args);
+	va_end(args);
+
+	return retval;
+	}
+
+
+// Trace message output
+
+FILE* TraceState::SetTraceFile(const char* filename)
+	{
+	FILE* newfile;
+
+	if ( streq(filename, "-") )
+		newfile = stderr;
+	else
+		newfile = fopen(filename, "w");
+
+	FILE* oldfile = trace_file;
+	if ( newfile )
+		{
+		trace_file = newfile;
+		}
+	else
+		{
+		fprintf(stderr, "Unable to open trace file %s\n", filename);
+		trace_file = 0;
+		}
+
+	return oldfile;
+	}
+
+void TraceState::TraceOn()
+	{
+	fprintf(stderr, "Execution tracing ON.\n");
+	dbgtrace = true;
+	}
+
+void TraceState::TraceOff()
+	{
+	fprintf(stderr, "Execution tracing OFF.\n");
+	dbgtrace = false;
+	}
+
+int TraceState::LogTrace(const char* fmt, ...)
+	{
+	va_list args;
+	int retval;
+
+	va_start(args, fmt);
+
+	// Prefix includes timestamp and file/line info.
+	fprintf(trace_file, "%.6f ", network_time);
+
+	const Stmt* stmt;
+	Location loc;
+	loc.filename = 0;
+
+	if ( g_frame_stack.size() > 0 && g_frame_stack.back() )
+		{
+		stmt = g_frame_stack.back()->GetNextStmt();
+		if ( stmt )
+			loc = *stmt->GetLocationInfo();
+		else
+			{
+			const BroFunc* f = g_frame_stack.back()->GetFunction();
+			if ( f )
+				loc = *f->GetLocationInfo();
+			}
+		}
+
+	if ( ! loc.filename )
+		{
+		loc.filename = "<no filename>";
+		loc.last_line = 0;
+		}
+
+	fprintf(trace_file, "%s:%d", loc.filename, loc.last_line);
+
+	// Each stack frame is indented.
+	for ( int i = 0; i < int(g_frame_stack.size()); ++i )
+		fprintf(trace_file, "\t");
+
+	retval = vfprintf(trace_file, fmt, args);
+
+	fflush(trace_file);
+	va_end(args);
+
+	return retval;
+	}
+
+
+// Helper functions.
+void get_first_statement(Stmt* list, Stmt*& first, Location& loc)
+	{
+	if ( ! list )
+		{
+		first = 0;
+		return;
+		}
+
+	first = list;
+	while ( first->Tag() == STMT_LIST )
+		{
+		if ( first->AsStmtList()->Stmts()[0] )
+			first = first->AsStmtList()->Stmts()[0];
+		else
+			break;
+		}
+
+	loc = *first->GetLocationInfo();
+	}
+
+static void parse_function_name(vector<ParseLocationRec>& result,
+				ParseLocationRec& plr, const string& s)
+	{ // function name
+	ID* id = lookup_ID(s.c_str(), current_module.c_str());
+	if ( ! id )
+		{
+		string fullname = make_full_var_name(current_module.c_str(), s.c_str());
+		debug_msg("Function %s not defined.\n", fullname.c_str());
+		plr.type = plrUnknown;
+		return;
+		}
+
+	FuncType* ftype;
+	if ( ! (ftype = id->Type()->AsFuncType()) )
+		{
+		debug_msg("Function %s not declared.\n", id->Name());
+		plr.type = plrUnknown;
+		return;
+		}
+
+	if ( ! id->HasVal() )
+		{
+		debug_msg("Function %s declared but not defined.\n", id->Name());
+		plr.type = plrUnknown;
+		return;
+		}
+
+	const Func* func = id->ID_Val()->AsFunc();
+	const vector<Func::Body>& bodies = func->GetBodies();
+
+	if ( bodies.size() == 0 )
+		{
+		debug_msg("Function %s is a built-in function\n", id->Name());
+		plr.type = plrUnknown;
+		return;
+		}
+
+	Stmt* body = 0;	// the particular body we care about; 0 = all
+
+	if ( bodies.size() == 1 )
+		body = bodies[0].stmts;
+	else
+		{
+		while ( 1 )
+			{
+			debug_msg("There are multiple definitions of that event handler.\n"
+				 "Please choose one of the following options:\n");
+			for ( unsigned int i = 0; i < bodies.size(); ++i )
+				{
+				Stmt* first;
+				Location stmt_loc;
+				get_first_statement(bodies[i].stmts, first,
+							stmt_loc);
+				debug_msg("[%d] %s:%d\n", i+1, stmt_loc.filename, stmt_loc.first_line);
+				}
+
+			debug_msg("[a] All of the above\n");
+			debug_msg("[n] None of the above\n");
+			debug_msg("Enter your choice: ");
+
+			char charinput[256];
+			if ( ! fgets(charinput, sizeof(charinput) - 1, stdin) )
+				{
+				plr.type = plrUnknown;
+				return;
+				}
+
+			if ( charinput[strlen(charinput) - 1] == '\n' )
+				charinput[strlen(charinput) - 1] = 0;
+
+			string input = charinput;
+
+			if ( input == "a" )
+				break;
+
+			if ( input == "n" )
+				{
+				plr.type = plrUnknown;
+				return;
+				}
+
+			int option = atoi(input.c_str());
+			if ( option > 0 && option <= (int) bodies.size() )
+				{
+				body = bodies[option - 1].stmts;
+				break;
+				}
+			}
+		}
+
+	plr.type = plrFunction;
+
+	// Find first atomic (non-STMT_LIST) statement
+	Stmt* first;
+	Location stmt_loc;
+
+	if ( body )
+		{
+		get_first_statement(body, first, stmt_loc);
+		if ( first )
+			{
+			plr.stmt = first;
+			plr.filename = stmt_loc.filename;
+			plr.line = stmt_loc.last_line;
+			}
+		}
+
+	else
+		{
+		result.pop_back();
+		ParseLocationRec plr;
+
+		for ( unsigned int i = 0; i < bodies.size(); ++i )
+			{
+			get_first_statement(bodies[i].stmts, first, stmt_loc);
+			if ( ! first )
+				continue;
+
+			plr.type = plrFunction;
+			plr.stmt = first;
+			plr.filename = stmt_loc.filename;
+			plr.line = stmt_loc.last_line;
+			result.push_back(plr);
+			}
+		}
+	}
+
+vector<ParseLocationRec> parse_location_string(const string& s)
+	{
+	vector<ParseLocationRec> result;
+	result.push_back(ParseLocationRec());
+	ParseLocationRec& plr = result[0];
+	const char* full_filename = 0;
+
+	// If plrFileAndLine, set this to the filename you want; for
+	// memory management reasons, the real filename is set when looking
+	// up the line number to find the corresponding statement.
+	const char* loc_filename = 0;
+
+	if ( sscanf(s.c_str(), "%d", &plr.line) )
+		{ // just a line number (implicitly referring to the current file)
+		loc_filename = g_debugger_state.last_loc.filename;
+		plr.type = plrFileAndLine;
+		}
+
+	else
+		{
+		string::size_type pos_colon = s.find(':');
+		string::size_type pos_dblcolon = s.find("::");
+
+		if ( pos_colon == string::npos || pos_dblcolon != string::npos )
+			parse_function_name(result, plr, s);
+		else
+			{ // file:line
+			string filename = s.substr(0, pos_colon);
+			string line_string = s.substr(pos_colon + 1, s.length() - pos_colon);
+
+			if ( ! sscanf(line_string.c_str(), "%d", &plr.line) )
+				plr.type = plrUnknown;
+
+			FILE* throwaway = search_for_file(filename.c_str(), "bro",
+								&full_filename);
+			if ( ! throwaway )
+				{
+				debug_msg("No such policy file: %s.\n", filename.c_str());
+				plr.type = plrUnknown;
+				return result;
+				}
+
+			fclose(throwaway);
+
+			loc_filename = full_filename;
+			plr.type = plrFileAndLine;
+			}
+		}
+
+	if ( plr.type == plrFileAndLine )
+		{
+		Filemap* map = g_dbgfilemaps.Lookup(loc_filename);
+		if ( ! map )
+			internal_error("Policy file %s should have been loaded\n",
+					loc_filename);
+
+		if ( plr.line > how_many_lines_in(loc_filename) )
+			{
+			debug_msg("No line %d in %s.\n", plr.line, loc_filename);
+			delete [] full_filename;
+			plr.type = plrUnknown;
+			return result;
+			}
+
+		StmtLocMapping* hit = 0;
+		loop_over_queue(*map, i)
+			{
+			StmtLocMapping* entry = (*map)[i];
+			plr.filename = (*map)[i]->Loc().filename;
+
+			if ( entry->Loc().first_line > plr.line )
+				break;
+
+			if ( plr.line >= entry->Loc().first_line &&
+			     plr.line <= entry->Loc().last_line )
+				{
+				hit = (*map)[i];
+				break;
+				}
+			}
+
+		if ( hit )
+			plr.stmt = hit->Statement();
+		else
+			plr.stmt = 0;
+		}
+
+	delete [] full_filename;
+	return result;
+	}
+
+
+// Interactive debugging console.
+
+static int dbg_dispatch_cmd(DebugCmd cmd_code, const vector<string>& args);
+
+#ifdef HAVE_READLINE
+
+void using_history(void);
+
+static bool init_readline()
+	{
+	// ### Set up custom completion.
+
+	rl_outstream = stderr;
+	using_history();
+
+	return false;
+	}
+
+#endif
+
+void break_signal(int)
+	{
+	g_debugger_state.BreakBeforeNextStmt(true);
+	g_debugger_state.BreakFromSignal(true);
+	}
+
+int dbg_init_debugger(const char* cmdfile)
+	{
+	if ( ! g_policy_debug )
+		return 0;	// probably shouldn't have been called
+
+	init_global_dbg_constants();
+
+	// Hit the debugger before running anything.
+	g_debugger_state.BreakBeforeNextStmt(true);
+
+	if ( cmdfile )
+		// ### Implement this
+		debug_msg("Command files not supported. Using interactive mode.\n");
+
+	// ### if ( interactive ) (i.e., not reading cmds from a file)
+#ifdef HAVE_READLINE
+	init_readline();
+#endif
+
+	signal(SIGINT, &break_signal);
+	signal(SIGTERM, break_signal);
+
+	return 1;
+	}
+
+int dbg_shutdown_debugger()
+	{
+	// ### TODO: Remove signal handlers
+	return 1;
+	}
+
+
+// Umesh: I stole this code from libedit; I modified it here to use
+// <string>s to avoid memory management problems. The main command is returned
+// by the operation argument; the additional arguments are put in the
+// supplied vector.
+//
+// Parse the string into individual tokens, similarily to how shell
+// would do it.
+
+void tokenize(const char* cstr, string& operation, vector<string>& arguments)
+	{
+	int num_tokens = 0;
+	char delim = '\0';
+	const string str(cstr);
+
+	for ( int i = 0; i < (signed int) str.length(); ++i )
+		{
+		while ( isspace((unsigned char) str[i]) )
+			++i;
+
+		int start = i;
+
+		for ( ; str[i]; ++i )
+			{
+			if ( str[i] == '\\' )
+				{
+				if ( i < (signed int) str.length() )
+					++i;
+				}
+
+			else if ( ! delim && (str[i] == '\'' || str[i] == '"') )
+				delim = str[i];
+
+			else if ( delim && str[i] == delim )
+				{
+				delim = '\0';
+				++i;
+				break;
+				}
+
+			else if ( ! delim && isspace(str[i]) )
+				break;
+			}
+
+		size_t len = i - start;
+
+		if ( ! num_tokens )
+			operation = string(str, start, len);
+		else
+			arguments.push_back(string(str, start, len));
+
+		++num_tokens;
+		}
+	}
+
+
+// Given a command string, parse it and send the command to be dispatched.
+int dbg_execute_command(const char* cmd)
+	{
+	bool matched_history = false;
+
+	if ( ! cmd )
+		return 0;
+
+	if ( streq(cmd, "") ) // do the GDB command completion
+		{
+#ifdef HAVE_READLINE
+		int i;
+		for ( i = history_length; i >= 1; --i )
+			{
+			HIST_ENTRY* entry = history_get(i);
+			if ( ! entry )
+				return 0;
+
+			const DebugCmdInfo* info =
+				(const DebugCmdInfo*) entry->data;
+
+			if ( info && info->Repeatable() )
+				{
+				cmd = entry->line;
+				matched_history = true;
+				break;
+				}
+			}
+#endif
+
+		if ( ! matched_history )
+			return 0;
+		}
+
+	char* localcmd = copy_string(cmd);
+
+	string opstring;
+	vector<string> arguments;
+	tokenize(localcmd, opstring, arguments);
+
+	delete [] localcmd;
+
+	// Make sure we know this op name.
+	const char* matching_cmds[num_debug_cmds()];
+	int num_matches = find_all_matching_cmds(opstring, matching_cmds);
+
+	if ( ! num_matches )
+		{
+		debug_msg("No Matching command for '%s'.\n", opstring.c_str());
+		return 0;
+		}
+
+	if ( num_matches > 1 )
+		{
+		debug_msg("Ambiguous command; could be\n");
+
+		for ( int i = 0; i < num_debug_cmds(); ++i )
+			if ( matching_cmds[i] )
+				debug_msg("\t%s\n", matching_cmds[i]);
+
+		return 0;
+		}
+
+	// Matched exactly one command: find out which one.
+	DebugCmd cmd_code = dcInvalid;
+	for ( int i = 0; i < num_debug_cmds(); ++i )
+		if ( matching_cmds[i] )
+			{
+			cmd_code = (DebugCmd) i;
+			break;
+			}
+
+#ifdef HAVE_READLINE
+	// Insert command into history.
+	if ( ! matched_history && cmd && *cmd )
+		{
+		/* The prototype for add_history(), at least under MacOS,
+		 * has it taking a char* rather than a const char*.
+		 * But documentation at 
+		 * http://tiswww.case.edu/php/chet/readline/history.html
+		 * suggests that it's safe to assume it's really const char*.
+		 */
+		add_history((char *) cmd);
+		HISTORY_STATE* state = history_get_history_state();
+		state->entries[state->length-1]->data = (histdata_t *) get_debug_cmd_info(cmd_code);
+		}
+#endif
+
+	if ( int(cmd_code) >= num_debug_cmds() )
+		internal_error("Assertion failed: %s", "int(cmd_code) < num_debug_cmds()");
+
+	// Dispatch to the op-specific handler (with args).
+	int retcode = dbg_dispatch_cmd(cmd_code, arguments);
+	if ( retcode < 0 )
+		return retcode;
+
+	const DebugCmdInfo* info = get_debug_cmd_info(cmd_code);
+	if ( ! info  )
+		internal_error("Assertion failed: %s", "info");
+
+	if ( ! info )
+		return -2;	// ### yuck, why -2?
+
+	return info->ResumeExecution();
+	}
+
+// Call the appropriate function for the command.
+static int dbg_dispatch_cmd(DebugCmd cmd_code, const vector<string>& args)
+	{
+	switch ( cmd_code ) {
+	case dcHelp:
+		dbg_cmd_help(cmd_code, args);
+		break;
+
+	case dcQuit:
+		debug_msg("Program Terminating\n");
+		exit(0);
+
+	case dcNext:
+		g_frame_stack.back()->BreakBeforeNextStmt(true);
+		step_or_next_pending = true;
+		last_frame = g_frame_stack.back();
+		break;
+
+	case dcStep:
+		g_debugger_state.BreakBeforeNextStmt(true);
+		step_or_next_pending = true;
+		last_frame = g_frame_stack.back();
+		break;
+
+	case dcContinue:
+		g_debugger_state.BreakBeforeNextStmt(false);
+		debug_msg("Continuing.\n");
+		break;
+
+	case dcFinish:
+		g_frame_stack.back()->BreakOnReturn(true);
+		g_debugger_state.BreakBeforeNextStmt(false);
+		break;
+
+	case dcBreak:
+		dbg_cmd_break(cmd_code, args);
+		break;
+
+	case dcBreakCondition:
+		dbg_cmd_break_condition(cmd_code, args);
+		break;
+
+	case dcDeleteBreak:
+	case dcClearBreak:
+	case dcDisableBreak:
+	case dcEnableBreak:
+	case dcIgnoreBreak:
+		dbg_cmd_break_set_state(cmd_code, args);
+		break;
+
+	case dcPrint:
+		dbg_cmd_print(cmd_code, args);
+		break;
+
+	case dcBacktrace:
+		return dbg_cmd_backtrace(cmd_code, args);
+
+	case dcFrame:
+	case dcUp:
+	case dcDown:
+		return dbg_cmd_frame(cmd_code, args);
+
+	case dcInfo:
+		return dbg_cmd_info(cmd_code, args);
+
+	case dcList:
+		return dbg_cmd_list(cmd_code, args);
+
+	case dcDisplay:
+	case dcUndisplay:
+		debug_msg("Command not yet implemented.\n");
+		break;
+
+	case dcTrace:
+		return dbg_cmd_trace(cmd_code, args);
+
+	default:
+		debug_msg("INTERNAL ERROR: "
+		"Got an unknown debugger command in DbgDispatchCmd: %d\n",
+		cmd_code);
+		return 0;
+	}
+
+	return 0;
+	}
+
+static char* get_prompt(bool reset_counter = false)
+	{
+	static char prompt[512];
+	static int counter = 0;
+
+	if ( reset_counter )
+		counter = 0;
+
+	safe_snprintf(prompt, sizeof(prompt), "(Bro [%d]) ", counter++);
+
+	return prompt;
+	}
+
+string get_context_description(const Stmt* stmt, const Frame* frame)
+	{
+	char buf[1024];
+	ODesc d;
+	const BroFunc* func = frame->GetFunction();
+
+	if ( func )
+		func->DescribeDebug(&d, frame->GetFuncArgs());
+	else
+		d.Add("<unknown function>", 0);
+
+	Location loc;
+	if ( stmt )
+		loc = *stmt->GetLocationInfo();
+	else
+		{
+		loc.filename = "<no filename>";
+		loc.last_line = 0;
+		}
+
+	safe_snprintf(buf, sizeof(buf), "In %s at %s:%d",
+		      d.Description(), loc.filename, loc.last_line);
+
+	return string(buf);
+	}
+
+int dbg_handle_debug_input()
+	{
+	static char* input_line = 0;
+	int status = 0;
+
+	if ( g_debugger_state.BreakFromSignal() )
+		{
+		debug_msg("Program received signal SIGINT: entering debugger\n");
+
+		g_debugger_state.BreakFromSignal(false);
+		}
+
+	Frame* curr_frame = g_frame_stack.back();
+	const BroFunc* func = curr_frame->GetFunction();
+	if ( func )
+		current_module = func->GetID()->ModuleName();
+	else
+		current_module = GLOBAL_MODULE_NAME;
+
+	const Stmt* stmt = curr_frame->GetNextStmt();
+	if ( ! stmt )
+		internal_error("Assertion failed: %s", "stmt != 0");
+
+	const Location loc = *stmt->GetLocationInfo();
+
+	if ( ! step_or_next_pending || g_frame_stack.back() != last_frame )
+		{
+		string context =
+			get_context_description(stmt, g_frame_stack.back());
+		debug_msg("%s\n", context.c_str());
+		}
+
+	step_or_next_pending = false;
+
+	PrintLines(loc.filename, loc.first_line,
+			loc.last_line - loc.first_line + 1, true);
+	g_debugger_state.last_loc = loc;
+
+	do
+		{
+		// readline returns a pointer to a buffer it allocates; it's
+		// freed at the bottom.
+#ifdef HAVE_READLINE
+		input_line = readline(get_prompt());
+#else
+		printf ("%s", get_prompt());
+
+		// readline uses malloc, and we want to be consistent
+		// with it.
+		input_line = (char*) safe_malloc(1024);
+		input_line[1023] = 0;
+		// ### Maybe it's not always stdin.
+		fgets(input_line, 1023, stdin);
+#endif
+
+		// ### Maybe not stdin; maybe do better cleanup.
+		if ( feof(stdin) )
+			exit(0);
+
+		status = dbg_execute_command(input_line);
+
+		if ( input_line )
+			{
+			free(input_line);	// this was malloc'ed
+			input_line = 0;
+			}
+		else
+			exit(0);
+		}
+	while ( status == 0 );
+
+	// Clear out some state. ### Is there a better place?
+	g_debugger_state.curr_frame_idx = 0;
+	g_debugger_state.already_did_list = false;
+
+	signal(SIGINT, &break_signal);
+	signal(SIGTERM, &break_signal);
+
+	return 0;
+	}
+
+
+// Return true to continue execution, false to abort.
+bool pre_execute_stmt(Stmt* stmt, Frame* f)
+	{
+	if ( ! g_policy_debug ||
+	     stmt->Tag() == STMT_LIST || stmt->Tag() == STMT_NULL )
+		return true;
+
+	if ( g_trace_state.DoTrace() )
+		{
+		ODesc d;
+		stmt->Describe(&d);
+
+		const char* desc = d.Description();
+		const char* s = strchr(desc, '\n');
+
+		int len;
+		if ( s )
+			len = s - desc;
+		else
+			len = strlen(desc);
+
+		g_trace_state.LogTrace("%*s\n", len, desc);
+		}
+
+	bool should_break = false;
+
+	if ( g_debugger_state.BreakBeforeNextStmt() ||
+	     f->BreakBeforeNextStmt() )
+		{
+		if ( g_debugger_state.BreakBeforeNextStmt() )
+			g_debugger_state.BreakBeforeNextStmt(false);
+
+		if ( f->BreakBeforeNextStmt() )
+			f->BreakBeforeNextStmt(false);
+
+		should_break = true;
+		}
+
+	if ( stmt->BPCount() )
+		{
+		pair<BPMapType::iterator, BPMapType::iterator> p;
+
+		p = g_debugger_state.breakpoint_map.equal_range(stmt);
+
+		if ( p.first == p.second )
+			internal_error("Breakpoint count nonzero, but no matching breakpoints");
+
+		for ( BPMapType::iterator i = p.first; i != p.second; ++i )
+			{
+			int break_code = i->second->ShouldBreak(stmt);
+			if ( break_code == 2 )	// ### 2?
+				{
+				i->second->SetEnable(false);
+				delete i->second;
+				}
+
+			should_break = should_break || break_code;
+			}
+		}
+
+	if ( should_break )
+		dbg_handle_debug_input();
+
+	return true;
+	}
+
+bool post_execute_stmt(Stmt* stmt, Frame* f, Val* result, stmt_flow_type* flow)
+	{
+	// Handle the case where someone issues a "next" debugger command,
+	// but we're at a return statement, so the next statement is in
+	// some other function.
+	if ( *flow == FLOW_RETURN && f->BreakBeforeNextStmt() )
+		g_debugger_state.BreakBeforeNextStmt(true);
+
+	// Handle "finish" commands.
+	if ( *flow == FLOW_RETURN && f->BreakOnReturn() )
+		{
+		if ( result )
+			{
+			ODesc d;
+			result->Describe(&d);
+			debug_msg("Return Value: '%s'\n", d.Description());
+			}
+		else
+			debug_msg("Return Value: <none>\n");
+
+		g_debugger_state.BreakBeforeNextStmt(true);
+		f->BreakOnReturn(false);
+		}
+
+	return true;
+	}
+
+
+// Evaluates the given expression in the context of the currently selected
+// frame.  Returns the resulting value, or nil if none (or there was an error).
+Expr* g_curr_debug_expr = 0;
+
+// ### fix this hardwired access to external variables etc.
+struct yy_buffer_state;
+typedef struct yy_buffer_state* YY_BUFFER_STATE;
+YY_BUFFER_STATE bro_scan_string(const char*);
+
+extern YYLTYPE yylloc;	// holds start line and column of token
+extern int line_number;
+extern const char* filename;
+
+Val* dbg_eval_expr(const char* expr)
+	{
+	// Push the current frame's associated scope.
+	// Note: g_debugger_state.curr_frame_idx is the user-visible number,
+	//       while the array index goes in the opposite direction
+	int frame_idx =
+		(g_frame_stack.size() - 1) - g_debugger_state.curr_frame_idx;
+
+	if ( ! (frame_idx >= 0 && (unsigned) frame_idx < g_frame_stack.size())  )
+		internal_error("Assertion failed: %s", "frame_idx >= 0 && (unsigned) frame_idx < g_frame_stack.size()");
+
+	Frame* frame = g_frame_stack[frame_idx];
+	if ( ! (frame)  )
+		internal_error("Assertion failed: %s", "frame");
+
+	const BroFunc* func = frame->GetFunction();
+	if ( func )
+		push_existing_scope(func->GetScope());
+
+	// ### Possibly push a debugger-local scope?
+
+	// Set up the lexer to read from the string.
+	string parse_string = string("@DEBUG ") + expr;
+	bro_scan_string(parse_string.c_str());
+
+	// Fix filename and line number for the lexer/parser, which record it.
+	filename = "<interactive>";
+	line_number = 1;
+	yylloc.filename = filename;
+	yylloc.first_line = yylloc.last_line = line_number = 1;
+
+	// Parse the thing into an expr.
+	Val* result = 0;
+	if ( yyparse() )
+		{
+		if ( g_curr_debug_expr )
+			{
+			delete g_curr_debug_expr;
+			g_curr_debug_expr = 0;
+			}
+		}
+	else
+		result = g_curr_debug_expr->Eval(frame);
+
+	if ( func )
+		pop_scope();
+
+	delete g_curr_debug_expr;
+	g_curr_debug_expr = 0;
+
+	return result;
+	}
diff --git a/src/Debug.h b/src/Debug.h
new file mode 100644
index 0000000000..ad82337b12
--- /dev/null
+++ b/src/Debug.h
@@ -0,0 +1,188 @@
+// $Id: Debug.h 80 2004-07-14 20:15:50Z jason $
+
+// Debugging support for Bro policy files.
+
+#ifndef debug_h
+#define debug_h
+
+#include <vector>
+#include <map>
+#include <string>
+using namespace std;
+
+
+class Stmt;
+
+// This needs to be defined before we do the includes that come after it.
+enum ParseLocationRecType { plrUnknown, plrFileAndLine, plrFunction };
+struct ParseLocationRec {
+	ParseLocationRecType type;
+	Stmt* stmt;
+	const char* filename;
+	int line;
+};
+
+#include "Expr.h"
+#include "Var.h"
+#include "Frame.h"
+#include "Queue.h"
+#include "Dict.h"
+#include "StmtEnums.h"
+#include "DbgBreakpoint.h"
+
+class StmtLocMapping;
+declare(PQueue,StmtLocMapping);
+typedef PQueue(StmtLocMapping) Filemap; // mapping for a single file
+declare(PDict,Filemap);
+
+class DbgBreakpoint;
+class DbgWatch;
+class DbgDisplay;
+class StmtHashFn;
+
+typedef map<int, DbgBreakpoint*> BPIDMapType;
+typedef multimap<const Stmt*, DbgBreakpoint*> BPMapType;
+
+extern string current_module;
+
+class TraceState {
+public:
+	TraceState()	{ dbgtrace = false; trace_file = stderr; }
+
+	// Returns previous filename.
+	FILE* SetTraceFile(const char* filename);
+
+	bool DoTrace() const	{ return dbgtrace; }
+	void TraceOn();
+	void TraceOff();
+
+	int LogTrace(const char* fmt, ...);
+
+protected:
+	bool dbgtrace;		// print an execution trace
+	FILE* trace_file;
+};
+
+extern TraceState g_trace_state;
+
+class DebuggerState {
+public:
+	DebuggerState();
+	~DebuggerState();
+
+	int NextBPID()		{ return next_bp_id++; }
+	int NextWatchID()	{ return next_watch_id++; }
+	int NextDisplayID()	{ return next_display_id++; }
+
+	bool BreakBeforeNextStmt() { return break_before_next_stmt; }
+	void BreakBeforeNextStmt(bool dobrk) { break_before_next_stmt = dobrk; }
+
+	bool BreakFromSignal() { return break_from_signal; }
+	void BreakFromSignal(bool dobrk) { break_from_signal = dobrk; }
+
+
+	// Temporary state: vanishes when execution resumes.
+
+	//### Umesh, why do these all need to be public? -- Vern
+
+	// Which frame we're looking at; 0 = the innermost frame.
+	int curr_frame_idx;
+
+	bool already_did_list;	// did we already do a 'list' command?
+
+	Location last_loc;	// used by 'list'; the last location listed
+
+	BPIDMapType breakpoints;	// BPID -> Breakpoint
+	vector<DbgWatch*> watches;
+	vector<DbgDisplay*> displays;
+	BPMapType breakpoint_map;	// maps Stmt -> Breakpoints on it
+
+protected:
+	bool break_before_next_stmt;	// trap into debugger (used for "step")
+	bool break_from_signal;		// was break caused by a signal?
+
+	int next_bp_id, next_watch_id, next_display_id;
+
+private:
+	Frame* dbg_locals; // unused
+};
+
+// Source line -> statement mapping.
+// (obj -> source line mapping available in object itself)
+class StmtLocMapping {
+public:
+	StmtLocMapping()	{ }
+	StmtLocMapping(const Location* l, Stmt* s)	{ loc = *l; stmt = s; }
+
+	bool StartsAfter(const StmtLocMapping* m2);
+	const Location& Loc() const	{ return loc; }
+	Stmt* Statement() const		{ return stmt; }
+
+protected:
+	Location loc;
+	Stmt* stmt;
+};
+
+
+extern bool g_policy_debug;		// enable debugging facility
+extern DebuggerState g_debugger_state;
+
+//
+// Helper functions
+//
+
+// parse_location_string() takes a string specifying a location by
+// filename and/or line number or function name and returns the
+// corresponding nearest statement, the actual filename and line
+// number specified (not the one corresponding to the nearest
+// statement) if applicable. The implicit filename is the one
+// containing the currently-debugged policy statement.
+// Multiple results can be returned depending on the input, but always
+// at least 1.
+
+vector<ParseLocationRec> parse_location_string(const string& s);
+
+// ### TODO: Add a bunch of hook functions for various events
+//   e.g. variable changed, breakpoint hit, etc.
+//
+//   Also add some hooks for UI? -- See GDB
+
+
+// Debugging hooks.
+
+// Return true to continue execution, false to abort.
+bool pre_execute_stmt(Stmt* stmt, Frame* f);
+bool post_execute_stmt(Stmt* stmt, Frame* f, Val* result, stmt_flow_type* flow);
+
+// Returns 1 if successful, 0 otherwise.
+// If cmdfile is non-nil, it contains the location of a file of commands
+// to be executed as debug commands.
+int dbg_init_debugger(const char* cmdfile = 0);
+int dbg_shutdown_debugger();
+
+// Returns 1 if successful, 0 otherwise.
+int dbg_handle_debug_input();	// read a line and then have it executed
+
+// Returns > 0 if execution should be resumed, 0 if another debug command
+// should be read, or < 0 if there was an error.
+int dbg_execute_command(const char* cmd);
+
+// Interactive expression evaluation.
+Val* dbg_eval_expr(const char* expr);
+
+// Extra debugging facilities.
+// TODO: current connections, memory allocated, other internal data structures.
+// ### Note: not currently defined.
+int dbg_read_internal_state();
+
+// Get line that looks like "In FnFoo(arg = val) at File:Line".
+string get_context_description(const Stmt* stmt, const Frame* frame);
+
+extern Frame* g_dbg_locals;	// variables created within debugger context
+
+extern PDict(Filemap) g_dbgfilemaps; // filename => filemap
+
+// Perhaps add a code/priority argument to do selective output.
+int debug_msg(const char* fmt, ...) __attribute__ ((format (printf, 1, 2)));
+
+#endif
diff --git a/src/DebugCmdInfoConstants.cc b/src/DebugCmdInfoConstants.cc
new file mode 100644
index 0000000000..13b83049ab
--- /dev/null
+++ b/src/DebugCmdInfoConstants.cc
@@ -0,0 +1,284 @@
+
+//
+// This file was automatically generated from ./DebugCmdInfoConstants.in
+// DO NOT EDIT.
+//
+
+#include "util.h"
+void init_global_dbg_constants () {
+
+   {
+      DebugCmdInfo* info;
+      const char * const names[] = {
+	
+      };
+
+      info = new DebugCmdInfo (dcInvalid, names, 0, false, "This function should not be called",
+                               false);
+      g_DebugCmdInfos.push_back(info);
+   }
+
+   {
+      DebugCmdInfo* info;
+      const char * const names[] = {
+	"help"
+      };
+
+      info = new DebugCmdInfo (dcHelp, names, 1, false, "Get help with debugger commands",
+                               false);
+      g_DebugCmdInfos.push_back(info);
+   }
+
+   {
+      DebugCmdInfo* info;
+      const char * const names[] = {
+	"quit"
+      };
+
+      info = new DebugCmdInfo (dcQuit, names, 1, false, "Exit Bro",
+                               false);
+      g_DebugCmdInfos.push_back(info);
+   }
+
+   {
+      DebugCmdInfo* info;
+      const char * const names[] = {
+	"next"
+      };
+
+      info = new DebugCmdInfo (dcNext, names, 1, true, "Step to the following statement, skipping function calls",
+                               true);
+      g_DebugCmdInfos.push_back(info);
+   }
+
+   {
+      DebugCmdInfo* info;
+      const char * const names[] = {
+	"step",
+	"s"
+      };
+
+      info = new DebugCmdInfo (dcStep, names, 2, true, "Step to following statements, stepping in to function calls",
+                               true);
+      g_DebugCmdInfos.push_back(info);
+   }
+
+   {
+      DebugCmdInfo* info;
+      const char * const names[] = {
+	"continue",
+	"c"
+      };
+
+      info = new DebugCmdInfo (dcContinue, names, 2, true, "Resume execution of the policy script",
+                               true);
+      g_DebugCmdInfos.push_back(info);
+   }
+
+   {
+      DebugCmdInfo* info;
+      const char * const names[] = {
+	"finish"
+      };
+
+      info = new DebugCmdInfo (dcFinish, names, 1, true, "Run until the currently-executing function completes",
+                               true);
+      g_DebugCmdInfos.push_back(info);
+   }
+
+   {
+      DebugCmdInfo* info;
+      const char * const names[] = {
+	"break",
+	"b"
+      };
+
+      info = new DebugCmdInfo (dcBreak, names, 2, false, "Set a breakpoint",
+                               false);
+      g_DebugCmdInfos.push_back(info);
+   }
+
+   {
+      DebugCmdInfo* info;
+      const char * const names[] = {
+	"cond"
+      };
+
+      info = new DebugCmdInfo (dcBreakCondition, names, 1, false, "",
+                               false);
+      g_DebugCmdInfos.push_back(info);
+   }
+
+   {
+      DebugCmdInfo* info;
+      const char * const names[] = {
+	"delete",
+	"d"
+      };
+
+      info = new DebugCmdInfo (dcDeleteBreak, names, 2, false, "Delete the specified breakpoints; delete all if no arguments",
+                               false);
+      g_DebugCmdInfos.push_back(info);
+   }
+
+   {
+      DebugCmdInfo* info;
+      const char * const names[] = {
+	"clear"
+      };
+
+      info = new DebugCmdInfo (dcClearBreak, names, 1, false, "",
+                               false);
+      g_DebugCmdInfos.push_back(info);
+   }
+
+   {
+      DebugCmdInfo* info;
+      const char * const names[] = {
+	"disable",
+	"dis"
+      };
+
+      info = new DebugCmdInfo (dcDisableBreak, names, 2, false, "",
+                               false);
+      g_DebugCmdInfos.push_back(info);
+   }
+
+   {
+      DebugCmdInfo* info;
+      const char * const names[] = {
+	"enable"
+      };
+
+      info = new DebugCmdInfo (dcEnableBreak, names, 1, false, "",
+                               false);
+      g_DebugCmdInfos.push_back(info);
+   }
+
+   {
+      DebugCmdInfo* info;
+      const char * const names[] = {
+	"ignore"
+      };
+
+      info = new DebugCmdInfo (dcIgnoreBreak, names, 1, false, "",
+                               false);
+      g_DebugCmdInfos.push_back(info);
+   }
+
+   {
+      DebugCmdInfo* info;
+      const char * const names[] = {
+	"print",
+	"p",
+	"set"
+      };
+
+      info = new DebugCmdInfo (dcPrint, names, 3, false, "Evaluate an expression and print the result (also aliased as 'set')",
+                               true);
+      g_DebugCmdInfos.push_back(info);
+   }
+
+   {
+      DebugCmdInfo* info;
+      const char * const names[] = {
+	"backtrace",
+	"bt",
+	"where"
+      };
+
+      info = new DebugCmdInfo (dcBacktrace, names, 3, false, "Print a stack trace (with +- N argument, inner/outer N frames only)",
+                               false);
+      g_DebugCmdInfos.push_back(info);
+   }
+
+   {
+      DebugCmdInfo* info;
+      const char * const names[] = {
+	"frame"
+      };
+
+      info = new DebugCmdInfo (dcFrame, names, 1, false, "Select frame number N",
+                               false);
+      g_DebugCmdInfos.push_back(info);
+   }
+
+   {
+      DebugCmdInfo* info;
+      const char * const names[] = {
+	"up"
+      };
+
+      info = new DebugCmdInfo (dcUp, names, 1, false, "Select the stack frame one level up",
+                               false);
+      g_DebugCmdInfos.push_back(info);
+   }
+
+   {
+      DebugCmdInfo* info;
+      const char * const names[] = {
+	"down"
+      };
+
+      info = new DebugCmdInfo (dcDown, names, 1, false, "Select the stack frame one level down",
+                               false);
+      g_DebugCmdInfos.push_back(info);
+   }
+
+   {
+      DebugCmdInfo* info;
+      const char * const names[] = {
+	"info"
+      };
+
+      info = new DebugCmdInfo (dcInfo, names, 1, false, "Get information about the debugging environment",
+                               false);
+      g_DebugCmdInfos.push_back(info);
+   }
+
+   {
+      DebugCmdInfo* info;
+      const char * const names[] = {
+	"list",
+	"l"
+      };
+
+      info = new DebugCmdInfo (dcList, names, 2, false, "Print source lines surrounding specified context",
+                               true);
+      g_DebugCmdInfos.push_back(info);
+   }
+
+   {
+      DebugCmdInfo* info;
+      const char * const names[] = {
+	"display"
+      };
+
+      info = new DebugCmdInfo (dcDisplay, names, 1, false, "",
+                               false);
+      g_DebugCmdInfos.push_back(info);
+   }
+
+   {
+      DebugCmdInfo* info;
+      const char * const names[] = {
+	"undisplay"
+      };
+
+      info = new DebugCmdInfo (dcUndisplay, names, 1, false, "",
+                               false);
+      g_DebugCmdInfos.push_back(info);
+   }
+
+   {
+      DebugCmdInfo* info;
+      const char * const names[] = {
+	"trace"
+      };
+
+      info = new DebugCmdInfo (dcTrace, names, 1, false, "Turn on or off execution tracing (with no arguments, prints current state.)",
+                               false);
+      g_DebugCmdInfos.push_back(info);
+   }
+   
+}
diff --git a/src/DebugCmdInfoConstants.h b/src/DebugCmdInfoConstants.h
new file mode 100644
index 0000000000..44330482d3
--- /dev/null
+++ b/src/DebugCmdInfoConstants.h
@@ -0,0 +1,205 @@
+void InitGlobalDbgConstants () {
+   {
+
+   {
+      DebugCmdInfo* info;
+      const char * const names[] = {
+	"help"
+      };
+
+      info = new DebugCmdInfo (dcHelp, names, 1, false, "Get help with debugger commands");
+      g_DebugCmdInfos.push_back(info);
+   }
+
+   {
+      DebugCmdInfo* info;
+      const char * const names[] = {
+	"quit"
+      };
+
+      info = new DebugCmdInfo (dcQuit, names, 1, false, "");
+      g_DebugCmdInfos.push_back(info);
+   }
+
+   {
+      DebugCmdInfo* info;
+      const char * const names[] = {
+	"next"
+      };
+
+      info = new DebugCmdInfo (dcNext, names, 1, true, "");
+      g_DebugCmdInfos.push_back(info);
+   }
+
+   {
+      DebugCmdInfo* info;
+      const char * const names[] = {
+	"step"
+      };
+
+      info = new DebugCmdInfo (dcStep, names, 1, true, "");
+      g_DebugCmdInfos.push_back(info);
+   }
+
+   {
+      DebugCmdInfo* info;
+      const char * const names[] = {
+	"continue"
+      };
+
+      info = new DebugCmdInfo (dcContinue, names, 1, true, "");
+      g_DebugCmdInfos.push_back(info);
+   }
+
+   {
+      DebugCmdInfo* info;
+      const char * const names[] = {
+	"finish"
+      };
+
+      info = new DebugCmdInfo (dcFinish, names, 1, true, "");
+      g_DebugCmdInfos.push_back(info);
+   }
+
+   {
+      DebugCmdInfo* info;
+      const char * const names[] = {
+	"break"
+      };
+
+      info = new DebugCmdInfo (dcBreak, names, 1, false, "");
+      g_DebugCmdInfos.push_back(info);
+   }
+
+   {
+      DebugCmdInfo* info;
+      const char * const names[] = {
+	"cond"
+      };
+
+      info = new DebugCmdInfo (dcBreakCondition, names, 1, false, "");
+      g_DebugCmdInfos.push_back(info);
+   }
+
+   {
+      DebugCmdInfo* info;
+      const char * const names[] = {
+	"delete"
+      };
+
+      info = new DebugCmdInfo (dcDeleteBreak, names, 1, false, "");
+      g_DebugCmdInfos.push_back(info);
+   }
+
+   {
+      DebugCmdInfo* info;
+      const char * const names[] = {
+	"clear"
+      };
+
+      info = new DebugCmdInfo (dcClearBreak, names, 1, false, "");
+      g_DebugCmdInfos.push_back(info);
+   }
+
+   {
+      DebugCmdInfo* info;
+      const char * const names[] = {
+	"disable"
+      };
+
+      info = new DebugCmdInfo (dcDisableBreak, names, 1, false, "");
+      g_DebugCmdInfos.push_back(info);
+   }
+
+   {
+      DebugCmdInfo* info;
+      const char * const names[] = {
+	"enable"
+      };
+
+      info = new DebugCmdInfo (dcEnableBreak, names, 1, false, "");
+      g_DebugCmdInfos.push_back(info);
+   }
+
+   {
+      DebugCmdInfo* info;
+      const char * const names[] = {
+	"ignore"
+      };
+
+      info = new DebugCmdInfo (dcIgnoreBreak, names, 1, false, "");
+      g_DebugCmdInfos.push_back(info);
+   }
+
+   {
+      DebugCmdInfo* info;
+      const char * const names[] = {
+	"print"
+      };
+
+      info = new DebugCmdInfo (dcPrint, names, 1, false, "");
+      g_DebugCmdInfos.push_back(info);
+   }
+
+   {
+      DebugCmdInfo* info;
+      const char * const names[] = {
+	"backtrace",
+	"bt"
+      };
+
+      info = new DebugCmdInfo (dcBacktrace, names, 2, false, "");
+      g_DebugCmdInfos.push_back(info);
+   }
+
+   {
+      DebugCmdInfo* info;
+      const char * const names[] = {
+	"frame"
+      };
+
+      info = new DebugCmdInfo (dcFrame, names, 1, false, "");
+      g_DebugCmdInfos.push_back(info);
+   }
+
+   {
+      DebugCmdInfo* info;
+      const char * const names[] = {
+	"info"
+      };
+
+      info = new DebugCmdInfo (dcInfo, names, 1, false, "");
+      g_DebugCmdInfos.push_back(info);
+   }
+
+   {
+      DebugCmdInfo* info;
+      const char * const names[] = {
+	"list"
+      };
+
+      info = new DebugCmdInfo (dcList, names, 1, false, "");
+      g_DebugCmdInfos.push_back(info);
+   }
+
+   {
+      DebugCmdInfo* info;
+      const char * const names[] = {
+	"display"
+      };
+
+      info = new DebugCmdInfo (dcDisplay, names, 1, false, "");
+      g_DebugCmdInfos.push_back(info);
+   }
+
+   {
+      DebugCmdInfo* info;
+      const char * const names[] = {
+	"undisplay"
+      };
+
+      info = new DebugCmdInfo (dcUndisplay, names, 1, false, "");
+      g_DebugCmdInfos.push_back(info);
+   }
+
+}
diff --git a/src/DebugCmdInfoConstants.in b/src/DebugCmdInfoConstants.in
new file mode 100644
index 0000000000..339733c645
--- /dev/null
+++ b/src/DebugCmdInfoConstants.in
@@ -0,0 +1,121 @@
+// This invalid entry should always be first
+cmd: dcInvalid
+names: 
+resume: false
+help: This function should not be called
+repeatable: false
+
+cmd: dcHelp
+names: help
+resume: false
+help: Get help with debugger commands
+
+cmd: dcQuit
+names: quit
+resume: false
+help: Exit Bro
+
+cmd: dcNext
+names: next
+resume: true
+repeatable: true
+help: Step to the following statement, skipping function calls
+
+cmd: dcStep
+names: step s
+resume: true
+repeatable: true
+help: Step to following statements, stepping in to function calls
+
+cmd: dcContinue
+names: continue c
+resume: true
+repeatable: true
+help: Resume execution of the policy script
+
+cmd: dcFinish
+names: finish
+resume: true
+repeatable: true
+help: Run until the currently-executing function completes
+
+cmd: dcBreak
+names: break b
+resume: false
+help: Set a breakpoint
+
+cmd: dcBreakCondition
+names: cond
+resume: false
+help: 
+
+cmd: dcDeleteBreak
+names: delete d
+resume: false
+help: Delete the specified breakpoints; delete all if no arguments
+
+cmd: dcClearBreak
+names: clear
+resume: false
+
+cmd: dcDisableBreak
+names: disable dis
+resume: false
+
+cmd: dcEnableBreak
+names: enable
+resume: false
+
+cmd: dcIgnoreBreak
+names: ignore
+resume: false
+
+cmd: dcPrint
+names: print p set
+resume: false
+repeatable: true
+help: Evaluate an expression and print the result (also aliased as 'set')
+
+cmd: dcBacktrace
+names: backtrace bt where
+resume: false
+help: Print a stack trace (with +- N argument, inner/outer N frames only)
+
+cmd: dcFrame
+names: frame
+resume: false
+help: Select frame number N
+
+cmd: dcUp
+names: up
+resume: false
+help: Select the stack frame one level up
+
+cmd: dcDown
+names: down
+resume: false
+help: Select the stack frame one level down
+
+cmd: dcInfo
+names: info
+resume: false
+help: Get information about the debugging environment
+
+cmd: dcList
+names: list l
+resume: false
+repeatable: true
+help: Print source lines surrounding specified context
+
+cmd: dcDisplay
+names: display
+resume: false
+
+cmd: dcUndisplay
+names: undisplay
+resume: false
+
+cmd: dcTrace
+names: trace
+resume: false
+help: Turn on or off execution tracing (with no arguments, prints current state.)
diff --git a/src/DebugCmds.cc b/src/DebugCmds.cc
new file mode 100644
index 0000000000..a26e6a9567
--- /dev/null
+++ b/src/DebugCmds.cc
@@ -0,0 +1,717 @@
+// Support routines to help deal with Bro debugging commands and
+// implementation of most commands.
+
+#include "config.h"
+
+#include <sys/types.h>
+
+#include <regex.h>
+#include <string.h>
+#include <assert.h>
+
+#include "Debug.h"
+#include "DebugCmds.h"
+#include "DebugCmdInfoConstants.cc"
+#include "DbgBreakpoint.h"
+#include "Func.h"
+#include "Stmt.h"
+#include "Scope.h"
+#include "PolicyFile.h"
+#include "util.h"
+
+//
+// Helper routines
+//
+bool string_is_regex(string s)
+	{
+	return strpbrk(s.c_str(), "?*\\+");
+	}
+
+void lookup_global_symbols_regex(const string& orig_regex, vector<ID*>& matches,
+					bool func_only = false)
+	{
+	if ( streq(orig_regex.c_str(), "") )
+		return;
+
+	string regex = "^";
+	int len = orig_regex.length();
+	for ( int i = 0; i < len; ++i )
+		{
+		if ( orig_regex[i] == '*' )
+			regex.push_back('.');
+		regex.push_back(orig_regex[i]);
+		}
+	regex.push_back('$');
+
+	regex_t re;
+	if ( regcomp(&re, regex.c_str(), REG_EXTENDED|REG_NOSUB) )
+		{
+		debug_msg("Invalid regular expression: %s\n", regex.c_str());
+		return;
+		}
+
+	Scope* global = global_scope();
+	PDict(ID)* syms = global->Vars();
+
+	ID* nextid;
+	IterCookie* cookie = syms->InitForIteration();
+	while ( (nextid = syms->NextEntry( cookie )) )
+		if ( ! func_only || nextid->Type()->Tag() == TYPE_FUNC )
+			if ( ! regexec (&re, nextid->Name(), 0, 0, 0) )
+				matches.push_back(nextid);
+	}
+
+void choose_global_symbols_regex(const string& regex, vector<ID*>& choices,
+					bool func_only = false)
+	{
+	lookup_global_symbols_regex(regex, choices, func_only);
+
+	if ( choices.size() <= 1 )
+		return;
+
+	while ( 1 )
+		{
+		debug_msg("There were multiple matches, please choose:\n");
+
+		for ( unsigned int i = 0; i < choices.size(); ++i )
+			debug_msg("[%d] %s\n", i+1, choices[i]->Name());
+
+		debug_msg("[a] All of the above\n");
+		debug_msg("[n] None of the above\n");
+		debug_msg("Enter your choice: ");
+
+		char charinput[256];
+		if ( ! fgets(charinput, sizeof(charinput) - 1, stdin) )
+			{
+			choices.clear();
+			return;
+			}
+		if ( charinput[strlen(charinput) - 1] == '\n' )
+			charinput[strlen(charinput) - 1] = 0;
+
+		string input = charinput;
+		if ( input == "a" )
+			return;
+
+		if ( input == "n" )
+			{
+			choices.clear();
+			return;
+			}
+		int option = atoi(input.c_str());
+		if ( option > 0 && option <= (int) choices.size() )
+			{
+			ID* choice = choices[option - 1];
+			choices.clear();
+			choices.push_back(choice);
+			return;
+			}
+		}
+	}
+
+
+//
+// DebugCmdInfo implementation
+//
+
+PQueue(DebugCmdInfo) g_DebugCmdInfos;
+
+DebugCmdInfo::DebugCmdInfo(const DebugCmdInfo& info)
+: cmd(info.cmd), helpstring(0)
+	{
+	num_names = info.num_names;
+	names = info.names;
+	resume_execution = info.resume_execution;
+	repeatable = info.repeatable;
+	}
+
+DebugCmdInfo::DebugCmdInfo(DebugCmd arg_cmd, const char* const* arg_names,
+				int arg_num_names, bool arg_resume_execution,
+				const char* const arg_helpstring,
+				bool arg_repeatable)
+: cmd(arg_cmd), helpstring(arg_helpstring)
+	{
+	num_names = arg_num_names;
+	resume_execution = arg_resume_execution;
+	repeatable = arg_repeatable;
+
+	for ( int i = 0; i < num_names; ++i )
+		names.push_back(arg_names[i]);
+	}
+
+
+const DebugCmdInfo* get_debug_cmd_info(DebugCmd cmd)
+	{
+	if ( (int) cmd < g_DebugCmdInfos.length() )
+		return g_DebugCmdInfos[(int) cmd];
+	else
+		return 0;
+	}
+
+int find_all_matching_cmds(const string& prefix, const char* array_of_matches[])
+	{
+	// Trivial implementation for now (### use hashing later).
+
+	unsigned int arglen = prefix.length();
+	int matches = 0;
+
+	for ( int i = 0; i < num_debug_cmds(); ++i )
+		{
+		array_of_matches[g_DebugCmdInfos[i]->Cmd()] = 0;
+
+		for ( int j = 0; j < g_DebugCmdInfos[i]->NumNames(); ++j )
+			{
+			const char* curr_name = g_DebugCmdInfos[i]->Names()[j];
+			if ( strncmp(curr_name, prefix.c_str(), arglen) )
+				continue;
+
+			// If exact match, then only return that one.
+			if ( ! prefix.compare(curr_name) )
+				{
+				for ( int k = 0; k < num_debug_cmds(); ++k )
+					array_of_matches[k] = 0;
+
+				array_of_matches[g_DebugCmdInfos[i]->Cmd()] = curr_name;
+				return 1;
+				}
+
+			array_of_matches[g_DebugCmdInfos[i]->Cmd()] = curr_name;
+			++matches;
+			}
+		}
+
+	return matches;
+	}
+
+//
+// ------------------------------------------------------------
+// Implementation of some debugger commands
+
+
+// Start, end bounds of which frame numbers to print
+static int dbg_backtrace_internal(int start, int end)
+	{
+	if ( start < 0 || end < 0 ||
+	     (unsigned) start >= g_frame_stack.size() ||
+	     (unsigned) end >= g_frame_stack.size() )
+		internal_error("Invalid stack frame index in DbgBacktraceInternal\n");
+
+	if ( start < end )
+		{
+		int temp = start;
+		start = end;
+		end = temp;
+		}
+
+	for ( int i = start; i >= end; --i )
+		{
+		const Frame* f = g_frame_stack[i];
+		const Stmt* stmt = f ? f->GetNextStmt() : 0;
+
+		string context = get_context_description(stmt, f);
+		debug_msg("#%d  %s\n",
+			 int(g_frame_stack.size() - 1 - i), context.c_str());
+		};
+
+	return 1;
+	}
+
+
+// Returns 0 for illegal arguments, or 1 on success.
+int dbg_cmd_backtrace(DebugCmd cmd, const vector<string>& args)
+	{
+	assert(cmd == dcBacktrace);
+	assert(g_frame_stack.size() > 0);
+
+	unsigned int start_iter;
+	int end_iter;
+
+	if ( args.size() > 0 )
+		{
+		int how_many;	// determines how we traverse the frames
+		int valid_arg = sscanf(args[0].c_str(), "%i", &how_many);
+		if ( ! valid_arg )
+			{
+			debug_msg("Argument to backtrace '%s' invalid: must be an integer\n", args[0].c_str());
+			return 0;
+			}
+
+		if ( how_many > 0 )
+			{ // innermost N frames
+			start_iter = g_frame_stack.size() - 1;
+			end_iter = start_iter - how_many + 1;
+			if ( end_iter < 0 )
+				end_iter = 0;
+			}
+		else
+			{ // outermost N frames
+			start_iter = how_many - 1;
+			if ( start_iter + 1 > g_frame_stack.size() )
+				start_iter = g_frame_stack.size() - 1;
+			end_iter = 0;
+			}
+		}
+	else
+		{
+		start_iter = g_frame_stack.size() - 1;
+		end_iter = 0;
+		}
+
+	return dbg_backtrace_internal(start_iter, end_iter);
+	}
+
+
+// Returns 0 if invalid args, else 1.
+int dbg_cmd_frame(DebugCmd cmd, const vector<string>& args)
+	{
+	assert(cmd == dcFrame || cmd == dcUp || cmd == dcDown);
+
+	if ( cmd == dcFrame )
+		{
+		int idx = 0;
+
+		if ( args.size() > 0 )
+			{
+			if ( args.size() > 1 )
+				{
+				debug_msg("Too many arguments: expecting frame number 'n'\n");
+				return 0;
+				}
+
+			if ( ! sscanf(args[0].c_str(), "%d", &idx) )
+				{
+				debug_msg("Argument to frame must be a positive integer\n");
+				return 0;
+				}
+
+			if ( idx < 0 ||
+			     (unsigned int) idx >= g_frame_stack.size() )
+				{
+				debug_msg("No frame %d", idx);
+				return 0;
+				}
+			}
+
+		g_debugger_state.curr_frame_idx = idx;
+		}
+
+	else if ( cmd == dcDown )
+		{
+		if ( g_debugger_state.curr_frame_idx == 0 )
+			{
+			debug_msg("Innermost frame already selected\n");
+			return 0;
+			}
+
+		g_debugger_state.curr_frame_idx--;
+		}
+
+	else if ( cmd == dcUp )
+		{
+		if ( (unsigned int)(g_debugger_state.curr_frame_idx + 1) ==
+		     g_frame_stack.size() )
+			{
+			debug_msg("Outermost frame already selected\n");
+			return 0;
+			}
+
+		++g_debugger_state.curr_frame_idx;
+		}
+
+	int user_frame_number =
+		g_frame_stack.size() - 1 - g_debugger_state.curr_frame_idx;
+
+	// Set the current location to the new frame being looked at
+	// for 'list', 'break', etc.
+	const Stmt* stmt = g_frame_stack[user_frame_number]->GetNextStmt();
+	if ( ! stmt )
+		internal_error("Assertion failed: %s", "stmt != 0");
+
+	const Location loc = *stmt->GetLocationInfo();
+	g_debugger_state.last_loc = loc;
+	g_debugger_state.already_did_list = false;
+
+	return dbg_backtrace_internal(user_frame_number, user_frame_number);
+	}
+
+int dbg_cmd_help(DebugCmd cmd, const vector<string>& args)
+	{
+	assert(cmd == dcHelp);
+
+	debug_msg("Help summary: \n\n");
+	for ( int i = 1; i < num_debug_cmds(); ++i )
+		{
+		const DebugCmdInfo* info = get_debug_cmd_info (DebugCmd(i));
+		debug_msg("%s -- %s\n", info->Names()[0], info->Helpstring());
+		}
+
+	return -1;
+	}
+
+
+int dbg_cmd_break(DebugCmd cmd, const vector<string>& args)
+	{
+	assert(cmd == dcBreak);
+
+	vector<DbgBreakpoint*> bps;
+
+	int cond_index = -1; // at which argument pos. does bp condition start?
+
+	if ( args.size() == 0 || args[0] == "if" )
+		{ // break on next stmt
+		int user_frame_number =
+			g_frame_stack.size() - 1 -
+				g_debugger_state.curr_frame_idx;
+
+		Stmt* stmt = g_frame_stack[user_frame_number]->GetNextStmt();
+		if ( ! stmt )
+			internal_error("Assertion failed: %s", "stmt != 0");
+
+		DbgBreakpoint* bp = new DbgBreakpoint();
+		bp->SetID(g_debugger_state.NextBPID());
+
+		if ( ! bp->SetLocation(stmt) )
+			{
+			debug_msg("Breakpoint not set.\n");
+			delete bp;
+			return 0;
+			}
+
+		if ( args.size() > 0 && args[0] == "if" )
+			cond_index = 1;
+
+		bps.push_back(bp);
+		}
+
+	else
+		{
+		vector<string> locstrings;
+		if ( string_is_regex(args[0]) )
+			{
+			vector<ID*> choices;
+			choose_global_symbols_regex(args[0], choices, true);
+			for ( unsigned int i = 0; i < choices.size(); ++i )
+				locstrings.push_back(choices[i]->Name());
+			}
+		else
+			locstrings.push_back(args[0].c_str());
+
+		for ( unsigned int strindex = 0; strindex < locstrings.size();
+		      ++strindex )
+			{
+			debug_msg("Setting breakpoint on %s:\n",
+				  locstrings[strindex].c_str());
+			vector<ParseLocationRec> plrs =
+				parse_location_string(locstrings[strindex]);
+			for ( unsigned int i = 0; i < plrs.size(); ++i )
+				{
+				DbgBreakpoint* bp = new DbgBreakpoint();
+				bp->SetID(g_debugger_state.NextBPID());
+				if ( ! bp->SetLocation(plrs[i], locstrings[strindex]) )
+					{
+					debug_msg("Breakpoint not set.\n");
+					delete bp;
+					}
+				else
+					bps.push_back(bp);
+				}
+			}
+
+		if ( args.size() > 1 && args[1] == "if" )
+			cond_index = 2;
+		}
+
+	// Is there a condition specified?
+	if ( cond_index >= 0 && bps.size() )
+		{
+		// ### Implement conditions
+		string cond;
+		for ( int i = cond_index; i < int(args.size()); ++i )
+			{
+			cond += args[i];
+			cond += "    ";
+			}
+		bps[0]->SetCondition(cond);
+		}
+
+	for ( unsigned int i = 0; i < bps.size(); ++i )
+		{
+		bps[i]->SetTemporary(false);
+		g_debugger_state.breakpoints[bps[i]->GetID()] = bps[i];
+		}
+
+	return 0;
+	}
+
+// Set a condition on an existing breakpoint.
+int dbg_cmd_break_condition(DebugCmd cmd, const vector<string>& args)
+	{
+	assert(cmd == dcBreakCondition);
+
+	if ( args.size() < 2 )
+		{
+		debug_msg("Arguments must specify breakpoint number and condition.\n");
+		return 0;
+		}
+
+	int idx = atoi(args[0].c_str());
+	DbgBreakpoint* bp = g_debugger_state.breakpoints[idx];
+
+	string expr;
+	for ( int i = 1; i < int(args.size()); ++i )
+		{
+		expr += args[i];
+		expr += " ";
+		}
+	bp->SetCondition(expr);
+
+	return 1;
+	}
+
+// Change the state of a breakpoint.
+int dbg_cmd_break_set_state(DebugCmd cmd, const vector<string>& args)
+	{
+	assert(cmd == dcDeleteBreak || cmd == dcClearBreak ||
+	       cmd == dcDisableBreak || cmd == dcEnableBreak ||
+	       cmd == dcIgnoreBreak);
+
+	if ( cmd == dcClearBreak || cmd == dcIgnoreBreak )
+		{
+		debug_msg("'clear' and 'ignore' commands not currently supported\n");
+		return 0;
+		}
+
+	if ( g_debugger_state.breakpoints.size() == 0 )
+		{
+		debug_msg ("No breakpoints currently set.\n");
+		return -1;
+		}
+
+	vector<int> bps_to_change;
+
+	if ( args.size() == 0 )
+		{
+		BPIDMapType::iterator iter;
+		for ( iter = g_debugger_state.breakpoints.begin();
+		      iter != g_debugger_state.breakpoints.end(); ++iter )
+			bps_to_change.push_back(iter->second->GetID());
+		}
+	else
+		{
+		for ( unsigned int i = 0; i < args.size(); ++i )
+			if ( int idx = atoi(args[i].c_str()) )
+				bps_to_change.push_back(idx);
+		}
+
+	for ( unsigned int i = 0; i < bps_to_change.size(); ++i )
+		{
+		int bp_change = bps_to_change[i];
+
+		BPIDMapType::iterator result =
+			g_debugger_state.breakpoints.find(bp_change);
+
+		if ( result != g_debugger_state.breakpoints.end() )
+			{
+			switch ( cmd ) {
+			case dcDisableBreak:
+				g_debugger_state.breakpoints[bp_change]->SetEnable(false);
+				debug_msg("Breakpoint %d disabled\n", bp_change);
+				break;
+
+			case dcEnableBreak:
+				g_debugger_state.breakpoints[bp_change]->SetEnable(true);
+				debug_msg("Breakpoint %d enabled\n", bp_change);
+				break;
+
+			case dcDeleteBreak:
+				delete g_debugger_state.breakpoints[bp_change];
+				g_debugger_state.breakpoints.erase(bp_change);
+				debug_msg("Breakpoint %d deleted\n", bp_change);
+				break;
+
+			default:
+				internal_error("Invalid command in DbgCmdBreakSetState\n");
+			}
+			}
+
+		else
+			debug_msg("Breakpoint %d does not exist\n", bp_change);
+		}
+
+	return -1;
+	}
+
+// Evaluate an expression and print the result.
+int dbg_cmd_print(DebugCmd cmd, const vector<string>& args)
+	{
+	assert(cmd == dcPrint);
+
+	// ### TODO: add support for formats
+
+	// Just concatenate all the 'args' into one expression.
+	string expr;
+	for ( int i = 0; i < int(args.size()); ++i )
+		{
+		expr += args[i];
+		expr += " ";
+		}
+
+	Val* val = dbg_eval_expr(expr.c_str());
+
+	if ( val )
+		{
+		ODesc d;
+		val->Describe(&d);
+		debug_msg("%s\n", d.Description());
+		}
+	else
+		{
+		// ### Print something?
+		// debug_msg("<expression has no value>\n");
+		}
+
+	return 1;
+	}
+
+
+// Get the debugger's state.
+// Allowed arguments are: break (breakpoints), watch, display, source.
+int dbg_cmd_info(DebugCmd cmd, const vector<string>& args)
+	{
+	assert(cmd == dcInfo);
+
+	if ( ! args.size() )
+		{
+		debug_msg("Syntax: info info-command\n");
+		debug_msg("List of info-commands:\n");
+		debug_msg("info breakpoints -- List of breakpoints and watches\n");
+		return 1;
+		}
+
+	if ( ! strncmp(args[0].c_str(), "breakpoints", args[0].size()) ||
+	     ! strncmp(args[0].c_str(), "watch", args[0].size()) )
+		{
+		debug_msg("Num Type           Disp Enb What\n");
+
+		BPIDMapType::iterator iter;
+		for ( iter = g_debugger_state.breakpoints.begin();
+		      iter != g_debugger_state.breakpoints.end();
+		      ++iter )
+			{
+			DbgBreakpoint* bp = (*iter).second;
+			debug_msg("%-4d%-15s%-5s%-4s%s\n",
+				bp->GetID(),
+				"breakpoint",
+				bp->IsTemporary() ? "del" : "keep",
+				bp->IsEnabled() ? "y" : "n",
+				bp->Description());
+			}
+		}
+
+	else
+		debug_msg("I don't have info for that yet.\n");
+
+	return 1;
+	}
+
+int dbg_cmd_list(DebugCmd cmd, const vector<string>& args)
+	{
+	assert(cmd == dcList);
+
+	// The constant 4 is to match the GDB behavior.
+	const unsigned int CENTER_IDX = 4; // 5th line is the 'interesting' one
+
+	int pre_offset = 0;
+	if ( args.size() > 1 )
+		{
+		debug_msg("Syntax: list [file:]line  OR  list function_name\n");
+		return 0;
+		}
+
+	if ( args.size() == 0 )
+		{
+		// Special case: if we just hit a breakpoint, then show
+		// that line without advancing first.
+		if ( g_debugger_state.already_did_list )
+			pre_offset = 10;
+		}
+
+	else if ( args[0] == "-" )
+		// Why -10 ?  Because that's what GDB does.
+		pre_offset = -10;
+
+	else if ( args[0][0] == '-' || args[0][0] == '+' )
+		{
+		int offset;
+		if ( ! sscanf(args[0].c_str(), "%d", &offset) )
+			{
+			debug_msg("Offset must be a number\n");
+			return false;
+			}
+
+		pre_offset = offset;
+		}
+
+	else
+		{
+		vector<ParseLocationRec> plrs = parse_location_string(args[0]);
+		ParseLocationRec plr = plrs[0];
+		if ( plr.type == plrUnknown )
+			{
+			debug_msg("Invalid location specifier\n");
+			return false;
+			}
+
+		g_debugger_state.last_loc.filename = plr.filename;
+		g_debugger_state.last_loc.first_line = plr.line;
+		pre_offset = 0;
+		}
+
+	if ( (int) pre_offset +
+	     (int) g_debugger_state.last_loc.first_line -
+	     (int) CENTER_IDX < 0 )
+		pre_offset = CENTER_IDX - g_debugger_state.last_loc.first_line;
+
+	g_debugger_state.last_loc.first_line += pre_offset;
+
+	int last_line_in_file =
+		how_many_lines_in(g_debugger_state.last_loc.filename);
+
+	if ( g_debugger_state.last_loc.first_line > last_line_in_file )
+		g_debugger_state.last_loc.first_line = last_line_in_file;
+
+	PrintLines(g_debugger_state.last_loc.filename,
+		   g_debugger_state.last_loc.first_line - CENTER_IDX,
+		   10, true);
+
+	g_debugger_state.already_did_list = true;
+
+	return 1;
+	}
+
+int dbg_cmd_trace(DebugCmd cmd, const vector<string>& args)
+	{
+	assert(cmd == dcTrace);
+
+	if ( args.size() == 0 )
+		{
+		debug_msg("Execution tracing is %s.\n",
+		g_trace_state.DoTrace() ? "on" : "off" );
+		return 1;
+		}
+
+	if ( args[0] == "on" )
+		{
+		g_trace_state.TraceOn();
+		return 1;
+		}
+
+	if ( args[0] == "off" )
+		{
+		g_trace_state.TraceOff();
+		return 1;
+		}
+
+	debug_msg("Invalid argument");
+	return 0;
+	}
diff --git a/src/DebugCmds.h b/src/DebugCmds.h
new file mode 100644
index 0000000000..a14990b918
--- /dev/null
+++ b/src/DebugCmds.h
@@ -0,0 +1,86 @@
+// $Id: DebugCmds.h 80 2004-07-14 20:15:50Z jason $
+//
+// Support routines to help deal with Bro debugging commands and
+// implementation of most commands.
+
+#ifndef debug_cmds_h
+#define debug_cmds_h
+
+#include <stdlib.h>
+#include <string>
+#include <vector>
+using namespace std;
+
+#include "Queue.h"
+#include "DebugCmdConstants.h"
+
+class DebugCmdInfo;
+declare(PQueue,DebugCmdInfo);
+
+class DebugCmdInfo {
+public:
+	DebugCmdInfo(const DebugCmdInfo& info);
+
+	DebugCmdInfo(DebugCmd cmd, const char* const* names, int num_names,
+			bool resume_execution, const char* const helpstring,
+			bool repeatable);
+
+	DebugCmdInfo() : helpstring(0) {}
+
+	int Cmd() const		{ return cmd; }
+	int NumNames() const	{ return num_names; }
+	const vector<const char *>& Names() const	{ return names; }
+	bool ResumeExecution() const	{ return resume_execution; }
+	const char* Helpstring() const	{ return helpstring; }
+	bool Repeatable() const	{ return repeatable; }
+
+protected:
+	DebugCmd cmd;
+
+	int num_names;
+	vector<const char*> names;
+
+	// Whether executing this should restart execution of the script.
+	bool resume_execution;
+
+	const char* const helpstring;
+
+	// Does entering a blank line repeat this command?
+	bool repeatable;
+};
+
+extern PQueue(DebugCmdInfo) g_DebugCmdInfos;
+
+void init_global_dbg_constants ();
+
+#define num_debug_cmds() (g_DebugCmdInfos.length())
+
+// Looks up the info record and returns it; if cmd is not found returns 0.
+const DebugCmdInfo* get_debug_cmd_info(DebugCmd cmd);
+
+// The argument array_of_matches is an array of char*; each element
+// is set equal to the command string that matches or nil depending
+// on whether or not the prefix supplied matches a name (DebugCmdString)
+// of the corresponding DebugCmd. The size of the array should be at
+// least NUM_DEBUG_CMDS. The total number of matches is returned.
+int find_all_matching_cmds(const string& prefix, const char* array_of_matches[]);
+
+// Implementation of debugging commands.
+//
+// These functions return <= 0 if failure, > 0 for success.
+// More particular return values are command-specific: see comments w/function.
+
+typedef int DbgCmdFn(DebugCmd cmd, const vector<string>& args);
+
+DbgCmdFn dbg_cmd_backtrace;
+DbgCmdFn dbg_cmd_frame;
+DbgCmdFn dbg_cmd_help;
+DbgCmdFn dbg_cmd_break;
+DbgCmdFn dbg_cmd_break_condition;
+DbgCmdFn dbg_cmd_break_set_state;
+DbgCmdFn dbg_cmd_print;
+DbgCmdFn dbg_cmd_info;
+DbgCmdFn dbg_cmd_list;
+DbgCmdFn dbg_cmd_trace;
+
+#endif
diff --git a/src/DebugLogger.cc b/src/DebugLogger.cc
new file mode 100644
index 0000000000..9ab0bde380
--- /dev/null
+++ b/src/DebugLogger.cc
@@ -0,0 +1,99 @@
+// $Id: DebugLogger.cc 4771 2007-08-11 05:50:24Z vern $
+
+#ifdef DEBUG
+
+#include <stdlib.h>
+#include <unistd.h>
+
+#include "DebugLogger.h"
+#include "Net.h"
+
+DebugLogger debug_logger("debug");
+
+// Same order here as in DebugStream.
+DebugLogger::Stream DebugLogger::streams[NUM_DBGS] = {
+	{ "serial", 0, false }, { "rules", 0, false }, { "comm", 0, false },
+	{ "state", 0, false }, { "chunkedio", 0, false },
+	{ "compressor", 0, false }, {"string", 0, false },
+	{ "notifiers", 0, false },  { "main-loop", 0, false },
+	{ "dpd", 0, false }, { "tm", 0, false },
+};
+
+DebugLogger::DebugLogger(const char* filename)
+	{
+	if ( filename )
+		{
+		filename = log_file_name(filename);
+		
+		file = fopen(filename, "w");
+		if ( ! file )
+			{
+			fprintf(stderr, "Can't open '%s' for debugging output.", filename);
+			exit(1);
+			}
+
+		setvbuf(file, NULL, _IOLBF, 0);
+		}
+	else
+		file = stderr;
+
+	verbose = false;
+	}
+
+DebugLogger::~DebugLogger()
+	{
+	if ( file != stderr )
+		fclose(file);
+	}
+
+void DebugLogger::EnableStreams(const char* s)
+	{
+	char* tmp = copy_string(s);
+	char* brkt;
+	char* tok = strtok(tmp, ",");
+
+	while ( tok )
+		{
+		int i;
+		for ( i = 0; i < NUM_DBGS; ++i )
+			if ( strcasecmp(streams[i].prefix, tok) == 0 )
+				{
+				streams[i].enabled = true;
+				break;
+				}
+
+		if ( i == NUM_DBGS )
+			{
+			if ( strcasecmp("verbose", tok) == 0 )
+				verbose = true;
+			else
+				internal_error("unknown debug stream %s\n", tok);
+			}
+
+		tok = strtok(0, ",");
+		}
+	}
+
+void DebugLogger::Log(DebugStream stream, const char* fmt, ...)
+	{
+	Stream* g = &streams[int(stream)];
+
+	if ( ! g->enabled )
+		return;
+
+	fprintf(file, "%17.06f/%17.06f [%s] ",
+			network_time, current_time(true), g->prefix);
+
+	for ( int i = g->indent; i > 0; --i )
+		fputs("   ", file);
+
+	va_list ap;
+	va_start(ap, fmt);
+	vfprintf(file, fmt, ap);
+	va_end(ap);
+
+	fputc('\n', file);
+	fflush(file);
+	}
+
+#endif
diff --git a/src/DebugLogger.h b/src/DebugLogger.h
new file mode 100644
index 0000000000..3d8c1ac83f
--- /dev/null
+++ b/src/DebugLogger.h
@@ -0,0 +1,88 @@
+// $Id: DebugLogger.h 4771 2007-08-11 05:50:24Z vern $
+//
+// A logger for (selective) debugging output. Only compiled in if DEBUG is
+// defined.
+
+#ifndef debug_logger_h
+#define debug_logger_h
+
+#ifdef DEBUG
+
+#include <stdio.h>
+
+// To add a new debugging stream, add a constant here as well as
+// an entry to DebugLogger::streams in DebugLogger.cc.
+
+enum DebugStream {
+	DBG_SERIAL,	// Serialization
+	DBG_RULES,	// Signature matching
+	DBG_COMM,	// Remote communication
+	DBG_STATE,	// StateAccess logging
+	DBG_CHUNKEDIO,	// ChunkedIO logging
+	DBG_COMPRESSOR,	// Connection compressor
+	DBG_STRING,     // String code
+	DBG_NOTIFIERS,   // Notifiers (see StateAccess.h)
+	DBG_MAINLOOP,	// Main IOSource loop
+	DBG_DPD,	// Dynamic application detection framework
+	DBG_TM,	// Time-machine packet input via Brocolli
+
+	NUM_DBGS // Has to be last
+};
+
+#define DBG_LOG(args...) debug_logger.Log(args)
+#define DBG_LOG_VERBOSE(args...) \
+	if ( debug_logger.IsVerbose() ) \
+		debug_logger.Log(args)
+#define DBG_PUSH(stream) debug_logger.PushIndent(stream)
+#define DBG_POP(stream) debug_logger.PopIndent(stream)
+
+class DebugLogger {
+public:
+	// Output goes to stderr per default.
+	DebugLogger(const char* filename = 0);
+	~DebugLogger();
+
+	void Log(DebugStream stream, const char* fmt, ...);
+
+	void PushIndent(DebugStream stream)
+		{ ++streams[int(stream)].indent; }
+	void PopIndent(DebugStream stream)
+		{ --streams[int(stream)].indent; }
+
+	void EnableStream(DebugStream stream)
+		{ streams[int(stream)].enabled = true; }
+	void DisableStream(DebugStream stream)
+		{ streams[int(stream)].enabled = false; }
+
+	// Takes comma-seperated list of stream prefixes.
+	void EnableStreams(const char* streams);
+
+	bool IsEnabled(DebugStream stream) const
+		{ return streams[int(stream)].enabled; }
+
+	void SetVerbose(bool arg_verbose)	{ verbose = arg_verbose; }
+	bool IsVerbose() const			{ return verbose; }
+
+private:
+	FILE* file;
+	bool verbose;
+
+	struct Stream {
+		const char* prefix;
+		int indent;
+		bool enabled;
+	};
+
+	static Stream streams[NUM_DBGS];
+};
+
+extern DebugLogger debug_logger;
+
+#else
+#define DBG_LOG(args...)
+#define DBG_LOG_VERBOSE(args...)
+#define DBG_PUSH(stream)
+#define DBG_POP(stream)
+#endif
+
+#endif
diff --git a/src/Desc.cc b/src/Desc.cc
new file mode 100644
index 0000000000..0a494bcd9c
--- /dev/null
+++ b/src/Desc.cc
@@ -0,0 +1,240 @@
+// $Id: Desc.cc 6245 2008-10-07 00:56:59Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "config.h"
+
+#include <stdlib.h>
+#include <errno.h>
+
+#include "Desc.h"
+#include "File.h"
+
+#define DEFAULT_SIZE 128
+#define SLOP 10
+
+ODesc::ODesc(desc_type t, BroFile* arg_f)
+	{
+	type = t;
+	style = STANDARD_STYLE;
+	f = arg_f;
+
+	if ( f == 0 )
+		{
+		size = DEFAULT_SIZE;
+		base = safe_malloc(size);
+		((char*) base)[0] = '\0';
+
+		offset = 0;
+
+		if ( ! base )
+			OutOfMemory();
+		}
+	else
+		{
+		offset = size = 0;
+		base = 0;
+		}
+
+	indent_level = 0;
+	is_short = 0;
+	want_quotes = 0;
+	do_flush = 1;
+	include_stats = 0;
+	}
+
+ODesc::~ODesc()
+	{
+	if ( f )
+		{
+		if ( do_flush )
+			f->Flush();
+		}
+	else if ( base )
+		free(base);
+	}
+
+void ODesc::PushIndent()
+	{
+	++indent_level;
+	NL();
+	}
+
+void ODesc::PopIndent()
+	{
+	if ( --indent_level < 0 )
+		internal_error("ODesc::PopIndent underflow");
+	NL();
+	}
+
+void ODesc::Add(const char* s, int do_indent)
+	{
+	unsigned int n = strlen(s);
+
+	if ( do_indent && IsReadable() && offset > 0 &&
+	     ((const char*) base)[offset - 1] == '\n' )
+		Indent();
+
+	if ( IsBinary() )
+		AddBytes(s, n+1);
+	else
+		AddBytes(s, n);
+	}
+
+void ODesc::Add(int i)
+	{
+	if ( IsBinary() )
+		AddBytes(&i, sizeof(i));
+	else
+		{
+		char tmp[256];
+		sprintf(tmp, "%d", i);
+		Add(tmp);
+		}
+	}
+
+void ODesc::Add(uint32 u)
+	{
+	if ( IsBinary() )
+		AddBytes(&u, sizeof(u));
+	else
+		{
+		char tmp[256];
+		sprintf(tmp, "%u", u);
+		Add(tmp);
+		}
+	}
+
+#ifdef USE_INT64
+void ODesc::Add(int64 i)
+	{
+	if ( IsBinary() )
+		AddBytes(&i, sizeof(i));
+	else
+		{
+		char tmp[256];
+		sprintf(tmp, "%lld", i);
+		Add(tmp);
+		}
+	}
+
+void ODesc::Add(uint64 u)
+	{
+	if ( IsBinary() )
+		AddBytes(&u, sizeof(u));
+	else
+		{
+		char tmp[256];
+		sprintf(tmp, "%llu", u);
+		Add(tmp);
+		}
+	}
+#endif
+
+void ODesc::Add(double d)
+	{
+	if ( IsBinary() )
+		AddBytes(&d, sizeof(d));
+	else
+		{
+		char tmp[256];
+		sprintf(tmp, IsReadable() ? "%.15g" : "%.17g", d);
+		Add(tmp);
+
+		if ( d == double(int(d)) )
+			// disambiguate from integer
+			Add(".0");
+		}
+	}
+
+void ODesc::AddCS(const char* s)
+	{
+	int n = strlen(s);
+	Add(n);
+	if ( ! IsBinary() )
+		Add(" ");
+	Add(s);
+	}
+
+void ODesc::AddBytes(const BroString* s)
+	{
+	if ( IsReadable() )
+		{
+		int render_style = BroString::EXPANDED_STRING;
+		if ( Style() == ALTERNATIVE_STYLE )
+			// Only change NULs, since we can't in any case
+			// cope with them.
+			render_style = BroString::ESC_NULL;
+
+		const char* str = s->Render(render_style);
+		Add(str);
+		delete [] str;
+		}
+	else
+		{
+		Add(s->Len());
+		if ( ! IsBinary() )
+			Add(" ");
+		AddBytes(s->Bytes(), s->Len());
+		}
+	}
+
+void ODesc::Indent()
+	{
+	for ( int i = 0; i < indent_level; ++i )
+		Add("\t", 0);
+	}
+
+
+void ODesc::AddBytes(const void* bytes, unsigned int n)
+	{
+	if ( n == 0 )
+		return;
+
+	if ( f )
+		{
+		static bool write_failed = false;
+
+		if ( ! f->Write((const char*) bytes, n) )
+			{
+			if ( ! write_failed )
+				// Most likely it's a "disk full" so report
+				// subsequent failures only once.
+				run_time(fmt("error writing to %s: %s", f->Name(), strerror(errno)));
+
+			write_failed = true;
+			return;
+			}
+
+		write_failed = false;
+		}
+
+	else
+		{
+		Grow(n);
+
+		// The following casting contortions are necessary because
+		// simply using &base[offset] generates complaints about
+		// using a void* for pointer arithemtic.
+		memcpy((void*) &((char*) base)[offset], bytes, n);
+		offset += n;
+
+		((char*) base)[offset] = '\0';	// ensure that always NUL-term.
+		}
+	}
+
+void ODesc::Grow(unsigned int n)
+	{
+	while ( offset + n + SLOP >= size )
+		{
+		size *= 2;
+		base = safe_realloc(base, size);
+		if ( ! base )
+			OutOfMemory();
+		}
+	}
+
+void ODesc::OutOfMemory()
+	{
+	internal_error("out of memory");
+	}
diff --git a/src/Desc.h b/src/Desc.h
new file mode 100644
index 0000000000..de09f12be4
--- /dev/null
+++ b/src/Desc.h
@@ -0,0 +1,142 @@
+// $Id: Desc.h 6219 2008-10-01 05:39:07Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#ifndef descriptor_h
+#define descriptor_h
+
+#include <stdio.h>
+#include "BroString.h"
+
+typedef enum {
+	DESC_READABLE,
+	DESC_PORTABLE,
+	DESC_BINARY,
+} desc_type;
+
+typedef enum {
+	STANDARD_STYLE,
+	ALTERNATIVE_STYLE,
+} desc_style;
+
+class BroFile;
+
+class ODesc {
+public:
+	ODesc(desc_type t=DESC_READABLE, BroFile* f=0);
+
+	~ODesc();
+
+	int IsReadable() const		{ return type == DESC_READABLE; }
+	int IsPortable() const		{ return type == DESC_PORTABLE; }
+	int IsBinary() const		{ return type == DESC_BINARY; }
+
+	int IsShort() const		{ return is_short; }
+	void SetShort()			{ is_short = 1; }
+	void SetShort(int s)		{ is_short = s; }
+
+	// Whether we want to have quotes around strings.
+	int WantQuotes() const	{ return want_quotes; }
+	void SetQuotes(int q)	{ want_quotes = q; }
+
+	// Whether we want to print statistics like access time and execution
+	// count where available.
+	int IncludeStats() const	{ return include_stats; }
+	void SetIncludeStats(int s)	{ include_stats = s; }
+
+	desc_style Style() const	{ return style; }
+	void SetStyle(desc_style s)	{ style = s; }
+
+	void SetFlush(int arg_do_flush)	{ do_flush = arg_do_flush; }
+
+	void PushIndent();
+	void PopIndent();
+	int GetIndentLevel() const	{ return indent_level; }
+
+	void Add(const char* s, int do_indent=1);
+	void AddN(const char* s, int len)	{ AddBytes(s, len); }
+	void Add(int i);
+	void Add(uint32 u);
+#ifdef USE_INT64
+	void Add(int64 i);
+	void Add(uint64 u);
+#endif
+	void Add(double d);
+
+	// Add s as a counted string.
+	void AddCS(const char* s);
+
+	void AddBytes(const BroString* s);
+
+	void Add(const char* s1, const char* s2)
+		{ Add(s1); Add(s2); }
+
+	void AddSP(const char* s1, const char* s2)
+		{ Add(s1); AddSP(s2); }
+
+	void AddSP(const char* s )
+		{ Add(s); SP(); }
+
+	void AddCount(bro_int_t n)
+		{
+		if ( ! IsReadable() )
+			{
+			Add(n);
+			SP();
+			}
+		}
+
+	void SP()	{
+			if ( ! IsBinary() )
+				Add(" ", 0);
+			}
+	void NL()	{
+			if ( ! IsBinary() && ! is_short )
+				Add("\n", 0);
+			}
+
+	// Returns the description as a string.
+	const char* Description() const		{ return (const char*) base; }
+
+	const u_char* Bytes() const	{ return (const u_char *) base; }
+	byte_vec TakeBytes()
+		{
+		const void* t = base;
+		base = 0;
+		size = 0;
+
+		// Don't clear offset, as we want to still support
+		// subsequent calls to Len().
+
+		return byte_vec(t);
+		}
+
+	int Len() const		{ return offset; }
+
+protected:
+	void Indent();
+
+	void AddBytes(const void* bytes, unsigned int n);
+
+	// Make buffer big enough for n bytes beyond bufp.
+	void Grow(unsigned int n);
+
+	void OutOfMemory();
+
+	desc_type type;
+	desc_style style;
+
+	void* base;		// beginning of buffer
+	unsigned int offset;	// where we are in the buffer
+	unsigned int size;	// size of buffer in bytes
+
+	BroFile* f;	// or the file we're using.
+
+	int indent_level;
+	int is_short;
+	int want_quotes;
+	int do_flush;
+	int include_stats;
+};
+
+#endif
diff --git a/src/Dict.cc b/src/Dict.cc
new file mode 100644
index 0000000000..642ceabbb4
--- /dev/null
+++ b/src/Dict.cc
@@ -0,0 +1,586 @@
+// $Id: Dict.cc 6219 2008-10-01 05:39:07Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "config.h"
+
+#ifdef HAVE_MEMORY_H
+#include <memory.h>
+#endif
+
+#include "Dict.h"
+
+// If the mean bucket length exceeds the following then Insert() will
+// increase the size of the hash table.
+#define DEFAULT_DENSITY_THRESH 3.0
+
+// Threshold above which we do not try to ensure that the hash size
+// is prime.
+#define PRIME_THRESH 1000
+
+class DictEntry {
+public:
+	DictEntry(void* k, int l, hash_t h, void* val)
+		{ key = k; len = l; hash = h; value = val; }
+
+	~DictEntry()
+		{
+		delete [] (char*) key;
+		}
+
+	void* key;
+	int len;
+	hash_t hash;
+	void* value;
+};
+
+// The value of an iteration cookie is the bucket and offset within the
+// bucket at which to start looking for the next value to return.
+class IterCookie {
+public:
+	IterCookie(int b, int o)
+		{
+		bucket = b;
+		offset = o;
+		ttbl = 0;
+		num_buckets_p = 0;
+		}
+
+	int bucket, offset;
+	PList(DictEntry)** ttbl;
+	const int* num_buckets_p;
+	PList(DictEntry) inserted;	// inserted while iterating
+};
+
+Dictionary::Dictionary(dict_order ordering, int initial_size)
+	{
+	Init(initial_size);
+	tbl2 = 0;
+
+	if ( ordering == ORDERED )
+		order = new PList(DictEntry);
+	else
+		order = 0;
+
+	SetDensityThresh(DEFAULT_DENSITY_THRESH);
+
+	delete_func = 0;
+	}
+
+Dictionary::~Dictionary()
+	{
+	for ( int i = 0; i < num_buckets; ++i )
+		if ( tbl[i] )
+			{
+			PList(DictEntry)* chain = tbl[i];
+			loop_over_list(*chain, j)
+				{
+				DictEntry* e = (*chain)[j];
+				if ( delete_func )
+					delete_func(e->value);
+				delete e;
+				}
+
+			delete chain;
+			}
+
+	delete [] tbl;
+	delete order;
+
+	if ( tbl2 == 0 )
+		return;
+
+	for ( int i = 0; i < num_buckets2; ++i )
+		if ( tbl2[i] )
+			{
+			PList(DictEntry)* chain = tbl2[i];
+			loop_over_list(*chain, j)
+				{
+				DictEntry* e = (*chain)[j];
+				if ( delete_func )
+					delete_func(e->value);
+				delete e;
+				}
+
+			delete chain;
+			}
+	delete [] tbl2;
+	}
+
+void* Dictionary::Lookup(const void* key, int key_size, hash_t hash) const
+	{
+	hash_t h;
+	PList(DictEntry)* chain;
+
+	// Figure out which hash table to look in.
+	h = hash % num_buckets;
+	if ( ! tbl2 || h >= tbl_next_ind )
+		chain = tbl[h];
+	else
+		chain = tbl2[hash % num_buckets2];
+
+	if ( chain )
+		{
+		for ( int i = 0; i < chain->length(); ++i )
+			{
+			DictEntry* entry = (*chain)[i];
+
+			if ( entry->hash == hash && entry->len == key_size &&
+			     ! memcmp(key, entry->key, key_size) )
+				return entry->value;
+			}
+		}
+
+	return 0;
+	}
+
+void* Dictionary::Insert(void* key, int key_size, hash_t hash, void* val,
+				int copy_key)
+	{
+	DictEntry* new_entry = new DictEntry(key, key_size, hash, val);
+	void* old_val = Insert(new_entry, copy_key);
+
+	if ( old_val )
+		{
+		// We didn't need the new DictEntry, the key was already
+		// present.
+		delete new_entry;
+		}
+	else if ( order )
+		order->append(new_entry);
+
+	// Resize logic.
+	if ( tbl2 )
+		MoveChains();
+	else if ( num_entries >= thresh_entries )
+		StartChangeSize(num_buckets * 2 + 1);
+
+	return old_val;
+	}
+
+void* Dictionary::Remove(const void* key, int key_size, hash_t hash,
+				bool dont_delete)
+	{
+	hash_t h;
+	PList(DictEntry)* chain;
+	int* num_entries_ptr;
+
+	// Figure out which hash table to look in
+	h = hash % num_buckets;
+	if ( ! tbl2 || h >= tbl_next_ind )
+		{
+		chain = tbl[h];
+		num_entries_ptr = &num_entries;
+		}
+	else
+		{
+		chain = tbl2[hash % num_buckets2];
+		num_entries_ptr = &num_entries2;
+		}
+
+	if ( ! chain )
+		return 0;
+
+	for ( int i = 0; i < chain->length(); ++i )
+		{
+		DictEntry* entry = (*chain)[i];
+
+		if ( entry->hash == hash && entry->len == key_size &&
+		     ! memcmp(key, entry->key, key_size) )
+			{
+			void* entry_value = DoRemove(entry, h, chain, i);
+
+			if ( dont_delete )
+				entry->key = 0;
+
+			delete entry;
+			--*num_entries_ptr;
+			return entry_value;
+			}
+		}
+
+	return 0;
+	}
+
+void* Dictionary::DoRemove(DictEntry* entry, hash_t h,
+				PList(DictEntry)* chain, int chain_offset)
+	{
+	void* entry_value = entry->value;
+
+	chain->remove_nth(chain_offset);
+	if ( order )
+		order->remove(entry);
+
+	// Adjust existing cookies.
+	loop_over_list(cookies, i)
+		{
+		IterCookie* c = cookies[i];
+
+		// Is the affected bucket the current one?
+		if ( (unsigned int) c->bucket == h )
+			{
+			if ( c->offset > chain_offset )
+				--c->offset;
+
+			// The only other important case here occurs when we
+			// are deleting the current entry which
+			// simultaniously happens to be the last one in this
+			// bucket. This means that we would have to move on
+			// to the next non-empty bucket. Fortunately,
+			// NextEntry() will do exactly the right thing in
+			// this case. :-)
+			}
+
+		// This item may have been inserted during this iteration.
+		if ( (unsigned int) c->bucket > h )
+			c->inserted.remove(entry);
+		}
+
+	return entry_value;
+	}
+
+void* Dictionary::NthEntry(int n, const void*& key, int& key_len) const
+	{
+	if ( ! order || n < 0 || n >= Length() )
+		return 0;
+
+	DictEntry* entry = (*order)[n];
+	key = entry->key;
+	key_len = entry->len;
+	return entry->value;
+	}
+
+IterCookie* Dictionary::InitForIteration() const
+	{
+	return new IterCookie(0, 0);
+	}
+
+void Dictionary::StopIteration(IterCookie* cookie) const
+	{
+	delete cookie;
+	}
+
+void* Dictionary::NextEntry(HashKey*& h, IterCookie*& cookie, int return_hash) const
+	{
+	// If there are any inserted entries, return them first.
+	// That keeps the list small and helps avoiding searching
+	// a large list when deleting an entry.
+
+	DictEntry* entry;
+
+	if ( cookie->inserted.length() )
+		{
+		// Return the last one. Order doesn't matter,
+		// and removing from the tail is cheaper.
+		entry = cookie->inserted.remove_nth(cookie->inserted.length()-1);
+		if ( return_hash )
+			h = new HashKey(entry->key, entry->len, entry->hash);
+
+		return entry->value;
+		}
+
+	int b = cookie->bucket;
+	int o = cookie->offset;
+	PList(DictEntry)** ttbl;
+	const int* num_buckets_p;
+
+	if ( ! cookie->ttbl )
+		{
+		// XXX maybe we could update cookie->b from tbl_next_ind here?
+		cookie->ttbl = tbl;
+		cookie->num_buckets_p = &num_buckets;
+		}
+
+	ttbl = cookie->ttbl;
+	num_buckets_p = cookie->num_buckets_p;
+
+	if ( ttbl[b] && ttbl[b]->length() > o )
+		{
+		entry = (*ttbl[b])[o];
+		++cookie->offset;
+		if ( return_hash )
+			h = new HashKey(entry->key, entry->len, entry->hash);
+		return entry->value;
+		}
+
+	++b;	// Move on to next non-empty bucket.
+	while ( b < *num_buckets_p && (! ttbl[b] || ttbl[b]->length() == 0) )
+		++b;
+
+	if ( b >= *num_buckets_p )
+		{
+		// If we're resizing, we need to search the 2nd table too.
+		if ( ttbl == tbl && tbl2 )
+			{
+			cookie->ttbl = tbl2;
+			cookie->num_buckets_p = &num_buckets2;
+			cookie->bucket = 0;
+			cookie->offset = 0;
+			return Dictionary::NextEntry(h, cookie, return_hash);
+			}
+
+		// All done.
+
+		// FIXME: I don't like removing the const here. But is there
+		// a better way?
+		const_cast<PList(IterCookie)*>(&cookies)->remove(cookie);
+		delete cookie;
+		cookie = 0;
+		return 0;
+		}
+
+	entry = (*ttbl[b])[0];
+	if ( return_hash )
+		h = new HashKey(entry->key, entry->len, entry->hash);
+
+	cookie->bucket = b;
+	cookie->offset = 1;
+
+	return entry->value;
+	}
+
+void Dictionary::Init(int size)
+	{
+	num_buckets = NextPrime(size);
+	tbl = new PList(DictEntry)*[num_buckets];
+
+	for ( int i = 0; i < num_buckets; ++i )
+		tbl[i] = 0;
+
+	max_num_entries = num_entries = 0;
+	}
+
+void Dictionary::Init2(int size)
+	{
+	num_buckets2 = NextPrime(size);
+	tbl2 = new PList(DictEntry)*[num_buckets2];
+
+	for ( int i = 0; i < num_buckets2; ++i )
+		tbl2[i] = 0;
+
+	max_num_entries2 = num_entries2 = 0;
+	}
+
+// private
+void* Dictionary::Insert(DictEntry* new_entry, int copy_key)
+	{
+	PList(DictEntry)** ttbl;
+	int* num_entries_ptr;
+	int* max_num_entries_ptr;
+	hash_t h = new_entry->hash % num_buckets;
+
+	// We must be careful when we are in the middle of resizing.
+	// If the new entry hashes to a bucket in the old table we
+	// haven't moved yet, we need to put it in the old table. If
+	// we didn't do it this way, we would sometimes have to
+	// search both tables which is probably more expensive.
+
+	if ( ! tbl2 || h >= tbl_next_ind )
+		{
+		ttbl = tbl;
+		num_entries_ptr = &num_entries;
+		max_num_entries_ptr = &max_num_entries;
+		}
+	else
+		{
+		ttbl = tbl2;
+		h = new_entry->hash % num_buckets2;
+		num_entries_ptr = &num_entries2;
+		max_num_entries_ptr = &max_num_entries2;
+		}
+
+	PList(DictEntry)* chain = ttbl[h];
+
+	int n = new_entry->len;
+
+	if ( chain )
+		{
+		for ( int i = 0; i < chain->length(); ++i )
+			{
+			DictEntry* entry = (*chain)[i];
+
+			if ( entry->hash == new_entry->hash &&
+			     entry->len == n &&
+			     ! memcmp(entry->key, new_entry->key, n) )
+				{
+				void* old_value = entry->value;
+				entry->value = new_entry->value;
+				return old_value;
+				}
+			}
+		}
+	else
+		// Create new chain.
+		chain = ttbl[h] = new PList(DictEntry);
+
+	// If we got this far, then we couldn't use an existing copy
+	// of the key, so make a new one if necessary.
+	if ( copy_key )
+		{
+		void* old_key = new_entry->key;
+		new_entry->key = (void*) new char[n];
+		memcpy(new_entry->key, old_key, n);
+		delete (char*) old_key;
+		}
+
+	// We happen to know (:-() that appending is more efficient
+	// on lists than prepending.
+	chain->append(new_entry);
+
+	if ( *max_num_entries_ptr < ++*num_entries_ptr )
+		*max_num_entries_ptr = *num_entries_ptr;
+
+	// For ongoing iterations: If we already passed the bucket where this
+	// entry was put, add it to the cookie's list of inserted entries.
+	loop_over_list(cookies, i)
+		{
+		IterCookie* c = cookies[i];
+		if ( h < (unsigned int) c->bucket )
+			c->inserted.append(new_entry);
+		}
+
+	return 0;
+	}
+
+int Dictionary::NextPrime(int n) const
+	{
+	if ( (n & 0x1) == 0 )
+		// Even.
+		++n;
+
+	if ( n > PRIME_THRESH )
+		// Too expensive to test for primality, just stick with it.
+		return n;
+
+	while ( ! IsPrime(n) )
+		n += 2;
+
+	return n;
+	}
+
+int Dictionary::IsPrime(int n) const
+	{
+	for ( int j = 3; j * j <= n; ++j )
+		if ( n % j == 0 )
+			return 0;
+
+	return 1;
+	}
+
+void Dictionary::StartChangeSize(int new_size)
+	{
+	// Only start resizing if there isn't any iteration in progress.
+	if ( cookies.length() > 0 )
+		return;
+
+	if ( tbl2 )
+		internal_error("Dictionary::StartChangeSize() tbl2 not NULL");
+
+	Init2(new_size);
+
+	tbl_next_ind = 0;
+
+	// Preserve threshold density
+	SetDensityThresh2(DensityThresh());
+	}
+
+void Dictionary::MoveChains()
+	{
+	// Do not change current distribution if there an ongoing iteration.
+	if ( cookies.length() > 0 )
+		return;
+
+	// Attempt to move this many entries (must do at least 2)
+	int num = 8;
+
+	do
+		{
+		PList(DictEntry)* chain = tbl[tbl_next_ind++];
+
+		if ( ! chain )
+			continue;
+
+		tbl[tbl_next_ind - 1] = 0;
+
+		for ( int j = 0; j < chain->length(); ++j )
+			{
+			Insert((*chain)[j], 0);
+			--num_entries;
+			--num;
+			}
+
+		delete chain;
+		}
+	while ( num > 0 && int(tbl_next_ind) < num_buckets );
+
+	if ( int(tbl_next_ind) >= num_buckets )
+		FinishChangeSize();
+	}
+
+void Dictionary::FinishChangeSize()
+	{
+	// Cheap safety check.
+	if ( num_entries != 0 )
+		internal_error(
+		    "Dictionary::FinishChangeSize: num_entries is %d\n",
+		    num_entries);
+
+	for ( int i = 0; i < num_buckets; ++i )
+		delete tbl[i];
+	delete [] tbl;
+
+	tbl = tbl2;
+	tbl2 = 0;
+
+	num_buckets = num_buckets2;
+	num_entries = num_entries2;
+	max_num_entries = max_num_entries2;
+	den_thresh = den_thresh2;
+	thresh_entries = thresh_entries2;
+
+	num_buckets2 = 0;
+	num_entries2 = 0;
+	max_num_entries2 = 0;
+	den_thresh2 = 0;
+	thresh_entries2 = 0;
+	}
+
+unsigned int Dictionary::MemoryAllocation() const
+	{
+	int size = padded_sizeof(*this);
+
+	for ( int i = 0; i < num_buckets; ++i )
+		if ( tbl[i] )
+			{
+			PList(DictEntry)* chain = tbl[i];
+			loop_over_list(*chain, j)
+				size += padded_sizeof(DictEntry) + pad_size((*chain)[j]->len);
+			size += chain->MemoryAllocation();
+			}
+
+	size += pad_size(num_buckets * sizeof(PList(DictEntry)*));
+
+	if ( order )
+		size += order->MemoryAllocation();
+
+	if ( tbl2 )
+		{
+		for ( int i = 0; i < num_buckets2; ++i )
+			if ( tbl2[i] )
+				{
+				PList(DictEntry)* chain = tbl2[i];
+				loop_over_list(*chain, j)
+					size += padded_sizeof(DictEntry) + pad_size((*chain)[j]->len);
+				size += chain->MemoryAllocation();
+				}
+
+		size += pad_size(num_buckets2 * sizeof(PList(DictEntry)*));
+		}
+
+	return size;
+	}
+
+void generic_delete_func(void* v)
+	{
+	free(v);
+	}
diff --git a/src/Dict.h b/src/Dict.h
new file mode 100644
index 0000000000..75ac82c827
--- /dev/null
+++ b/src/Dict.h
@@ -0,0 +1,228 @@
+// $Id: Dict.h 6219 2008-10-01 05:39:07Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#ifndef dict_h
+#define dict_h
+
+#include "List.h"
+#include "Hash.h"
+
+class Dictionary;
+class DictEntry;
+class IterCookie;
+
+declare(PList,DictEntry);
+declare(PList,IterCookie);
+
+// Default number of hash buckets in dictionary.  The dictionary will
+// increase the size of the hash table as needed.
+#define DEFAULT_DICT_SIZE 16
+
+// Type indicating whether the dictionary should keep track of the order
+// of insertions.
+typedef enum { ORDERED, UNORDERED } dict_order;
+
+// Type for function to be called when deleting elements.
+typedef void (*dict_delete_func)(void*);
+
+// A dict_delete_func that just calls delete.
+extern void generic_delete_func(void*);
+
+class Dictionary {
+public:
+	Dictionary(dict_order ordering = UNORDERED,
+			int initial_size = DEFAULT_DICT_SIZE);
+	virtual ~Dictionary();
+
+	// Member functions for looking up a key, inserting/changing its
+	// contents, and deleting it.  These come in two flavors: one
+	// which takes a HashKey, and the other which takes a raw key,
+	// its size, and its (unmodulated) hash.
+	void* Lookup(const HashKey* key) const
+		{ return Lookup(key->Key(), key->Size(), key->Hash()); }
+	void* Lookup(const void* key, int key_size, hash_t hash) const;
+
+	// Returns previous value, or 0 if none.
+	void* Insert(HashKey* key, void* val)
+		{
+		return Insert(key->TakeKey(), key->Size(), key->Hash(), val, 0);
+		}
+	// If copy_key is true, then the key is copied, otherwise it's assumed
+	// that it's a heap pointer that now belongs to the Dictionary to
+	// manage as needed.
+	void* Insert(void* key, int key_size, hash_t hash, void* val,
+			int copy_key);
+
+	// Removes the given element.  Returns a pointer to the element in
+	// case it needs to be deleted.  Returns 0 if no such element exists.
+	// If dontdelete is true, the key's bytes will not be deleted.
+	void* Remove(const HashKey* key)
+		{ return Remove(key->Key(), key->Size(), key->Hash()); }
+	void* Remove(const void* key, int key_size, hash_t hash,
+				bool dont_delete = false);
+
+	// Number of entries.
+	int Length() const
+		{ return tbl2 ? num_entries + num_entries2 : num_entries; }
+
+	// Largest it's ever been.
+	int MaxLength() const
+		{
+		return tbl2 ?
+			max_num_entries + max_num_entries2 : max_num_entries;
+		}
+
+	// True if the dictionary is ordered, false otherwise.
+	int IsOrdered() const		{ return order != 0; }
+
+	// If the dictionary is ordered then returns the n'th entry's value;
+	// the second method also returns the key.  The first entry inserted
+	// corresponds to n=0.
+	//
+	// Returns nil if the dictionary is not ordered or if "n" is out
+	// of range.
+	void* NthEntry(int n) const
+		{
+		const void* key;
+		int key_len;
+		return NthEntry(n, key, key_len);
+		}
+	void* NthEntry(int n, const void*& key, int& key_len) const;
+
+	// To iterate through the dictionary, first call InitForIteration()
+	// to get an "iteration cookie".  The cookie can then be handed
+	// to NextEntry() to get the next entry in the iteration and update
+	// the cookie.  If NextEntry() indicates no more entries, it will
+	// also delete the cookie, or the cookie can be manually deleted
+	// prior to this if no longer needed.
+	//
+	// Unexpected results will occur if the elements of
+	// the dictionary are changed between calls to NextEntry() without
+	// first calling InitForIteration().
+	//
+	// If return_hash is true, a HashKey for the entry is returned in h,
+	// which should be delete'd when no longer needed.
+	IterCookie* InitForIteration() const;
+	void* NextEntry(HashKey*& h, IterCookie*& cookie, int return_hash) const;
+	void* NextEntry(const void*& key, int& key_len, IterCookie*& cookie)
+		const;
+	void StopIteration(IterCookie* cookie) const;
+
+	void SetDeleteFunc(dict_delete_func f)		{ delete_func = f; }
+
+	// With a robust cookie, it is safe to change the dictionary while
+	// iterating. This means that (i) we will eventually visit all
+	// unmodified entries as well as all entries added during iteration,
+	// and (ii) we won't visit any still-unseen entries which are getting
+	// removed. (We don't get this for free, so only use it if
+	// necessary.)
+	void MakeRobustCookie(IterCookie* cookie)
+		{ cookies.append(cookie); }
+
+	unsigned int MemoryAllocation() const;
+
+private:
+	void Init(int size);
+	void Init2(int size);	// initialize second table for resizing
+
+	// Internal version of Insert().
+	void* Insert(DictEntry* entry, int copy_key);
+
+	void* DoRemove(DictEntry* entry, hash_t h,
+			PList(DictEntry)* chain, int chain_offset);
+
+	int NextPrime(int n) const;
+	int IsPrime(int n) const;
+	void StartChangeSize(int new_size);
+	void FinishChangeSize(void);
+	void MoveChains(void);
+
+	// The following get and set the "density" threshold - if the
+	// average hash chain length exceeds this threshold, the
+	// table will be resized.  The default value is 3.0.
+	double DensityThresh() const	{ return den_thresh; }
+
+	void SetDensityThresh(double thresh)
+		{
+		den_thresh = thresh;
+		thresh_entries = int(thresh * double(num_buckets));
+		}
+
+	// Same for the second table, when resizing.
+	void SetDensityThresh2(double thresh)
+		{
+		den_thresh2 = thresh;
+		thresh_entries2 = int(thresh * double(num_buckets2));
+		}
+
+	// Normally we only have tbl.
+	// When we're resizing, we'll have tbl (old) and tbl2 (new)
+	// tbl_next_ind keeps track of how much we've moved to tbl2
+	// (it's the next index we're going to move).
+	PList(DictEntry)** tbl;
+	int num_buckets;
+	int num_entries;
+	int max_num_entries;
+	double den_thresh;
+	int thresh_entries;
+
+	// Resizing table (replicates tbl above).
+	PList(DictEntry)** tbl2;
+	int num_buckets2;
+	int num_entries2;
+	int max_num_entries2;
+	double den_thresh2;
+	int thresh_entries2;
+
+	hash_t tbl_next_ind;
+
+	PList(DictEntry)* order;
+	dict_delete_func delete_func;
+
+	PList(IterCookie) cookies;
+};
+
+
+#define PDict(type) type ## PDict
+#define PDictdeclare(type)	\
+class PDict(type) : public Dictionary {	\
+public:	\
+	PDict(type)(dict_order ordering = UNORDERED,	\
+			int initial_size = DEFAULT_DICT_SIZE) :	\
+		Dictionary(ordering, initial_size) {}	\
+	type* Lookup(const char* key) const	\
+		{	\
+		HashKey h(key);	\
+		return (type*) Dictionary::Lookup(&h);	\
+		}	\
+	type* Lookup(const HashKey* key) const	\
+		{ return (type*) Dictionary::Lookup(key); }	\
+	type* Insert(const char* key, type* val)	\
+		{	\
+		HashKey h(key);	\
+		return (type*) Dictionary::Insert(&h, (void*) val);	\
+		}	\
+	type* Insert(HashKey* key, type* val)	\
+		{ return (type*) Dictionary::Insert(key, (void*) val); }\
+	type* NthEntry(int n) const	\
+		{ return (type*) Dictionary::NthEntry(n); }	\
+	type* NthEntry(int n, const char*& key) const	\
+		{	\
+		int key_len;	\
+		return (type*) Dictionary::NthEntry(n, (const void*&) key,\
+							key_len);	\
+		}	\
+	type* NextEntry(IterCookie*& cookie) const	\
+		{	\
+		HashKey* h; \
+		return (type*) Dictionary::NextEntry(h, cookie, 0);	\
+		} \
+	type* NextEntry(HashKey*& h, IterCookie*& cookie) const	\
+		{ return (type*) Dictionary::NextEntry(h, cookie, 1); } \
+	type* RemoveEntry(const HashKey* key)	\
+		{ return (type*) Remove(key->Key(), key->Size(),	\
+					key->Hash()); } \
+}
+
+#endif
diff --git a/src/Discard.cc b/src/Discard.cc
new file mode 100644
index 0000000000..e0dd8deed0
--- /dev/null
+++ b/src/Discard.cc
@@ -0,0 +1,196 @@
+// $Id: Discard.cc 6219 2008-10-01 05:39:07Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "config.h"
+
+#include "Net.h"
+#include "Var.h"
+#include "Discard.h"
+
+Discarder::Discarder()
+	{
+	ip_hdr = internal_type("ip_hdr")->AsRecordType();
+	tcp_hdr = internal_type("tcp_hdr")->AsRecordType();
+	udp_hdr = internal_type("udp_hdr")->AsRecordType();
+	icmp_hdr = internal_type("icmp_hdr")->AsRecordType();
+
+	check_ip = internal_func("discarder_check_ip");
+	check_tcp = internal_func("discarder_check_tcp");
+	check_udp = internal_func("discarder_check_udp");
+	check_icmp = internal_func("discarder_check_icmp");
+
+	discarder_maxlen = static_cast<int>(opt_internal_int("discarder_maxlen"));
+	}
+
+Discarder::~Discarder()
+	{
+	}
+
+int Discarder::IsActive()
+	{
+	return check_ip || check_tcp || check_udp || check_icmp;
+	}
+
+int Discarder::NextPacket(const IP_Hdr* ip, int len, int caplen)
+	{
+	int discard_packet = 0;
+
+	const struct ip* ip4 = ip->IP4_Hdr();
+
+	if ( check_ip )
+		{
+		val_list* args = new val_list;
+		args->append(BuildHeader(ip4));
+		discard_packet = check_ip->Call(args)->AsBool();
+		delete args;
+
+		if ( discard_packet )
+			return discard_packet;
+		}
+
+	int proto = ip4->ip_p;
+	if ( proto != IPPROTO_TCP && proto != IPPROTO_UDP &&
+	     proto != IPPROTO_ICMP )
+		// This is not a protocol we understand.
+		return 0;
+
+	// XXX shall we only check the first packet???
+	uint32 frag_field = ntohs(ip4->ip_off);
+	if ( (frag_field & 0x3fff) != 0 )
+		// Never check any fragment.
+		return 0;
+
+	int ip_hdr_len = ip4->ip_hl * 4;
+	len -= ip_hdr_len;	// remove IP header
+	caplen -= ip_hdr_len;
+
+	int is_tcp = (proto == IPPROTO_TCP);
+	int is_udp = (proto == IPPROTO_UDP);
+	int min_hdr_len = is_tcp ?
+		sizeof(struct tcphdr) :
+		(is_udp ? sizeof(struct udphdr) : sizeof(struct icmp));
+
+	if ( len < min_hdr_len || caplen < min_hdr_len )
+		// we don't have a complete protocol header
+		return 0;
+
+	// Where the data starts - if this is a protocol we know about,
+	// this gets advanced past the transport header.
+	const u_char* data = ((u_char*) ip4 + ip_hdr_len);
+
+	if ( is_tcp )
+		{
+		if ( check_tcp )
+			{
+			const struct tcphdr* tp = (const struct tcphdr*) data;
+			int th_len = tp->th_off * 4;
+
+			val_list* args = new val_list;
+			args->append(BuildHeader(ip4));
+			args->append(BuildHeader(tp, len));
+			args->append(BuildData(data, th_len, len, caplen));
+			discard_packet = check_tcp->Call(args)->AsBool();
+			delete args;
+			}
+		}
+
+	else if ( is_udp )
+		{
+		if ( check_udp )
+			{
+			const struct udphdr* up = (const struct udphdr*) data;
+			int uh_len = sizeof (struct udphdr);
+
+			val_list* args = new val_list;
+			args->append(BuildHeader(ip4));
+			args->append(BuildHeader(up));
+			args->append(BuildData(data, uh_len, len, caplen));
+			discard_packet = check_udp->Call(args)->AsBool();
+			delete args;
+			}
+		}
+
+	else
+		{
+		if ( check_icmp )
+			{
+			const struct icmp* ih = (const struct icmp*) data;
+
+			val_list* args = new val_list;
+			args->append(BuildHeader(ip4));
+			args->append(BuildHeader(ih));
+			discard_packet = check_icmp->Call(args)->AsBool();
+			delete args;
+			}
+		}
+
+	return discard_packet;
+	}
+
+Val* Discarder::BuildHeader(const struct ip* ip)
+	{
+	RecordVal* hdr = new RecordVal(ip_hdr);
+
+	hdr->Assign(0, new Val(ip->ip_hl * 4, TYPE_COUNT));
+	hdr->Assign(1, new Val(ip->ip_tos, TYPE_COUNT));
+	hdr->Assign(2, new Val(ntohs(ip->ip_len), TYPE_COUNT));
+	hdr->Assign(3, new Val(ntohs(ip->ip_id), TYPE_COUNT));
+	hdr->Assign(4, new Val(ip->ip_ttl, TYPE_COUNT));
+	hdr->Assign(5, new Val(ip->ip_p, TYPE_COUNT));
+	hdr->Assign(6, new AddrVal(ip->ip_src.s_addr));
+	hdr->Assign(7, new AddrVal(ip->ip_dst.s_addr));
+
+	return hdr;
+	}
+
+Val* Discarder::BuildHeader(const struct tcphdr* tp, int tcp_len)
+	{
+	RecordVal* hdr = new RecordVal(tcp_hdr);
+
+	hdr->Assign(0, new PortVal(ntohs(tp->th_sport), TRANSPORT_TCP));
+	hdr->Assign(1, new PortVal(ntohs(tp->th_dport), TRANSPORT_TCP));
+	hdr->Assign(2, new Val(uint32(ntohl(tp->th_seq)), TYPE_COUNT));
+	hdr->Assign(3, new Val(uint32(ntohl(tp->th_ack)), TYPE_COUNT));
+
+	int tcp_hdr_len = tp->th_off * 4;
+
+	hdr->Assign(4, new Val(tcp_hdr_len, TYPE_COUNT));
+	hdr->Assign(5, new Val(tcp_len - tcp_hdr_len, TYPE_COUNT));
+
+	hdr->Assign(6, new Val(tp->th_flags, TYPE_COUNT));
+	hdr->Assign(7, new Val(ntohs(tp->th_win), TYPE_COUNT));
+
+	return hdr;
+	}
+
+Val* Discarder::BuildHeader(const struct udphdr* up)
+	{
+	RecordVal* hdr = new RecordVal(udp_hdr);
+
+	hdr->Assign(0, new PortVal(ntohs(up->uh_sport), TRANSPORT_UDP));
+	hdr->Assign(1, new PortVal(ntohs(up->uh_dport), TRANSPORT_UDP));
+	hdr->Assign(2, new Val(ntohs(up->uh_ulen), TYPE_COUNT));
+
+	return hdr;
+	}
+
+Val* Discarder::BuildHeader(const struct icmp* icmp)
+	{
+	RecordVal* hdr = new RecordVal(icmp_hdr);
+
+	hdr->Assign(0, new Val(icmp->icmp_type, TYPE_COUNT));
+
+	return hdr;
+	}
+
+Val* Discarder::BuildData(const u_char* data, int hdrlen, int len, int caplen)
+	{
+	len -= hdrlen;
+	caplen -= hdrlen;
+	data += hdrlen;
+
+	len = max(min(min(len, caplen), discarder_maxlen), 0);
+
+	return new StringVal(new BroString(data, len, 1));
+	}
diff --git a/src/Discard.h b/src/Discard.h
new file mode 100644
index 0000000000..4ffcab39d1
--- /dev/null
+++ b/src/Discard.h
@@ -0,0 +1,50 @@
+// $Id: Discard.h 6219 2008-10-01 05:39:07Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#ifndef discard_h
+#define discard_h
+
+#include "IP.h"
+#include "Func.h"
+
+struct ip;
+struct tcphdr;
+struct udphdr;
+struct icmp;
+
+class Val;
+class RecordType;
+class Func;
+
+class Discarder {
+public:
+	Discarder();
+	~Discarder();
+
+	int IsActive();
+
+	int NextPacket(const IP_Hdr* ip, int len, int caplen);
+
+protected:
+	Val* BuildHeader(const struct ip* ip);
+	Val* BuildHeader(const struct tcphdr* tp, int tcp_len);
+	Val* BuildHeader(const struct udphdr* up);
+	Val* BuildHeader(const struct icmp* icmp);
+	Val* BuildData(const u_char* data, int hdrlen, int len, int caplen);
+
+	RecordType* ip_hdr;
+	RecordType* tcp_hdr;
+	RecordType* udp_hdr;
+	RecordType* icmp_hdr;
+
+	Func* check_ip;
+	Func* check_tcp;
+	Func* check_udp;
+	Func* check_icmp;
+
+	// Maximum amount of application data passed to filtering functions.
+	int discarder_maxlen;
+};
+
+#endif
diff --git a/src/EquivClass.cc b/src/EquivClass.cc
new file mode 100644
index 0000000000..ff5dc88603
--- /dev/null
+++ b/src/EquivClass.cc
@@ -0,0 +1,192 @@
+// $Id: EquivClass.cc 6219 2008-10-01 05:39:07Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "config.h"
+
+#include "EquivClass.h"
+
+EquivClass::EquivClass(int arg_size)
+	{
+	size = arg_size;
+	fwd = new int[size];
+	bck = new int[size];
+	equiv_class = new int[size];
+	rep = new int[size];
+	ccl_flags = 0;
+	num_ecs = 0;
+
+	ec_nil = no_class = no_rep = size + 1;
+
+	bck[0] = ec_nil;
+	fwd[size - 1] = ec_nil;
+
+	for ( int i = 0; i < size; ++i )
+		{
+		if ( i > 0 )
+			{
+			fwd[i - 1] = i;
+			bck[i] = i - 1;
+			}
+
+		equiv_class[i] = no_class;
+		rep[i] = no_rep;
+		}
+	}
+
+EquivClass::~EquivClass()
+	{
+	delete [] fwd;
+	delete [] bck;
+	delete [] equiv_class;
+	delete [] rep;
+	delete [] ccl_flags;
+	}
+
+void EquivClass::ConvertCCL(CCL* ccl)
+	{
+	// For each character in the class, add the character's
+	// equivalence class to the new "character" class we are
+	// creating.  Thus when we are all done, the character class
+	// will really consist of collections of equivalence classes
+	// instead of collections of characters.
+
+	int_list* c_syms = ccl->Syms();
+	int_list* new_syms = new int_list;
+
+	for ( int i = 0; i < c_syms->length(); ++i )
+		{
+		int sym = (*c_syms)[i];
+		if ( IsRep(sym) )
+			new_syms->append(SymEquivClass(sym));
+		}
+
+	ccl->ReplaceSyms(new_syms);
+	}
+
+int EquivClass::BuildECs()
+	{
+	// Create equivalence class numbers.  If bck[x] is nil,
+	// then x is the representative of its equivalence class.
+
+	for ( int i = 0; i < size; ++i )
+		if ( bck[i] == ec_nil )
+			{
+			equiv_class[i] = num_ecs++;
+			rep[i] = i;
+			for ( int j = fwd[i]; j != ec_nil; j = fwd[j] )
+				{
+				equiv_class[j] = equiv_class[i];
+				rep[j] = i;
+				}
+			}
+
+	return num_ecs;
+	}
+
+void EquivClass::CCL_Use(CCL* ccl)
+	{
+	// Note that it doesn't matter whether or not the character class is
+	// negated.  The same results will be obtained in either case.
+
+	if ( ! ccl_flags )
+		{
+		ccl_flags = new int[size];
+		for ( int i = 0; i < size; ++i )
+			ccl_flags[i] = 0;
+		}
+
+	int_list* csyms = ccl->Syms();
+	for ( int i = 0; i < csyms->length(); /* no increment */ )
+		{
+		int sym = (*csyms)[i];
+
+		int old_ec = bck[sym];
+		int new_ec = sym;
+
+		int j = i + 1;
+
+		for ( int k = fwd[sym]; k && k < size; k = fwd[k] )
+			{ // look for the symbol in the character class
+			for ( ; j < csyms->length(); ++j )
+				{
+				if ( (*csyms)[j] > k )
+					// Since the character class is sorted,
+					// we can stop.
+					break;
+
+				if ( (*csyms)[j] == k && ! ccl_flags[j] )
+					{
+					// We found an old companion of sym
+					// in the ccl.  Link it into the new
+					// equivalence class and flag it as
+					// having been processed.
+					bck[k] = new_ec;
+					fwd[new_ec] = k;
+					new_ec = k;
+
+					// Set flag so we don't reprocess.
+					ccl_flags[j] = 1;
+
+					// Get next equivalence class member.
+					break;
+					}
+				}
+
+			if ( j < csyms->length() && (*csyms)[j] == k )
+				// We broke out of the above loop by finding
+				// an old companion - go to the next symbol.
+				continue;
+
+			// Symbol isn't in character class.  Put it in the old
+			// equivalence class.
+			bck[k] = old_ec;
+			if ( old_ec != ec_nil )
+				fwd[old_ec] = k;
+
+			old_ec = k;
+			}
+
+		if ( bck[sym] != ec_nil || old_ec != bck[sym] )
+			{
+			bck[sym] = ec_nil;
+			fwd[old_ec] = ec_nil;
+			}
+
+		fwd[new_ec] = ec_nil;
+
+		// Find next ccl member to process.
+		for ( ++i; i < csyms->length() && ccl_flags[i]; ++i )
+			// Reset "doesn't need processing" flag.
+			ccl_flags[i] = 0;
+		}
+	}
+
+
+void EquivClass::UniqueChar(int sym)
+	{
+	// If until now the character has been a proper subset of
+	// an equivalence class, break it away to create a new ec.
+
+	if ( fwd[sym] != ec_nil )
+		bck[fwd[sym]] = bck[sym];
+
+	if ( bck[sym] != ec_nil )
+		fwd[bck[sym]] = fwd[sym];
+
+	fwd[sym] = ec_nil;
+	bck[sym] = ec_nil;
+	}
+
+void EquivClass::Dump(FILE* f)
+	{
+	fprintf(f, "%d symbols in EC yielded %d ecs\n", size, num_ecs);
+	for ( int i = 0; i < size; ++i )
+		if ( SymEquivClass(i) != 0 )	// skip usually huge default ec
+			fprintf(f, "map %d ('%c') -> %d\n", i, i, SymEquivClass(i));
+	}
+
+int EquivClass::Size() const
+	{
+	return padded_sizeof(*this) + pad_size(sizeof(int) * size * (ccl_flags ? 5 : 4));
+	}
diff --git a/src/EquivClass.h b/src/EquivClass.h
new file mode 100644
index 0000000000..9b35a9bb64
--- /dev/null
+++ b/src/EquivClass.h
@@ -0,0 +1,48 @@
+// $Id: EquivClass.h 6219 2008-10-01 05:39:07Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#ifndef equiv_class_h
+#define equiv_class_h
+
+#include <stdio.h>
+
+#include "CCL.h"
+
+class EquivClass {
+public:
+	EquivClass(int size);
+	~EquivClass();
+
+	void UniqueChar(int sym);
+	void CCL_Use(CCL* ccl);
+
+	// All done adding character usage info - generate equivalence
+	// classes.  Returns number of classes.
+	int BuildECs();
+
+	void ConvertCCL(CCL* ccl);
+
+	int IsRep(int sym) const		{ return rep[sym] == sym; }
+	int EquivRep(int sym) const		{ return rep[sym]; }
+	int SymEquivClass(int sym) const	{ return equiv_class[sym]; }
+	int* EquivClasses() const		{ return equiv_class; }
+
+	int NumSyms() const	{ return size; }
+	int NumClasses() const	{ return num_ecs; }
+
+	void Dump(FILE* f);
+	int Size() const;
+
+protected:
+	int size;	// size of character set
+	int num_ecs;	// size of equivalence classes
+	int* fwd;	// forward list of different classes
+	int* bck;	// backward list
+	int* equiv_class;	// symbol's equivalence class
+	int* rep;	// representative for symbol's equivalence class
+	int* ccl_flags;
+	int ec_nil, no_class, no_rep;
+};
+
+#endif
diff --git a/src/Event.cc b/src/Event.cc
new file mode 100644
index 0000000000..b5dd589f43
--- /dev/null
+++ b/src/Event.cc
@@ -0,0 +1,166 @@
+// $Id: Event.cc 6219 2008-10-01 05:39:07Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "config.h"
+
+#include "Event.h"
+#include "Func.h"
+#include "NetVar.h"
+#include "Trigger.h"
+
+EventMgr mgr;
+
+int num_events_queued = 0;
+int num_events_dispatched = 0;
+
+Event::Event(EventHandlerPtr arg_handler, val_list* arg_args,
+		SourceID arg_src, AnalyzerID arg_aid, TimerMgr* arg_mgr,
+		BroObj* arg_obj)
+	{
+	handler = arg_handler;
+	args = arg_args;
+	src = arg_src;
+	mgr = arg_mgr ? arg_mgr : timer_mgr; // default is global
+	aid = arg_aid;
+	obj = arg_obj;
+
+	if ( obj )
+		Ref(obj);
+
+	next_event = 0;
+	}
+
+Event::~Event()
+	{
+	// We don't Unref() the individual arguments by using delete_vals()
+	// here, because Func::Call already did that.
+	delete args;
+	}
+
+void Event::Describe(ODesc* d) const
+	{
+	if ( d->IsReadable() )
+		d->AddSP("event");
+
+	int s = d->IsShort();
+	d->SetShort();
+//	handler->Describe(d);
+	d->SetShort(s);
+
+	if ( ! d->IsBinary() )
+		d->Add("(");
+	describe_vals(args, d);
+	if ( ! d->IsBinary() )
+		d->Add("(");
+	}
+
+EventMgr::EventMgr()
+	{
+	head = tail = 0;
+	current_src = SOURCE_LOCAL;
+	current_mgr = timer_mgr;
+	current_aid = 0;
+	src_val = 0;
+	draining = 0;
+	}
+
+EventMgr::~EventMgr()
+	{
+	while ( head )
+		{
+		Event* n = head->NextEvent();
+		Unref(head);
+		head = n;
+		}
+
+	Unref(src_val);
+	}
+
+void EventMgr::QueueEvent(Event* event)
+	{
+	if ( ! head )
+		head = tail = event;
+	else
+		{
+		tail->SetNext(event);
+		tail = event;
+		}
+
+	++num_events_queued;
+	}
+
+void EventMgr::Dispatch()
+	{
+	if ( ! head )
+		internal_error("EventMgr underflow");
+
+	Event* current = head;
+
+	head = head->NextEvent();
+	if ( ! head )
+		tail = head;
+
+	current_src = current->Source();
+	current_mgr = current->Mgr();
+	current_aid = current->Analyzer();
+	current->Dispatch();
+	Unref(current);
+
+	++num_events_dispatched;
+	}
+
+void EventMgr::Drain()
+	{
+	SegmentProfiler(segment_logger, "draining-events");
+
+	draining = true;
+	while ( head )
+		Dispatch();
+
+	// Note: we might eventually need a general way to specify things to
+	// do after draining events.
+	extern void flush_rewriter_packet();
+	flush_rewriter_packet();
+
+	draining = false;
+
+	// We evaluate Triggers here. While this is somewhat unrelated to event
+	// processing, we ensure that it's done at a regular basis by checking
+	// them here.
+	Trigger::EvaluatePending();
+	}
+
+void EventMgr::Describe(ODesc* d) const
+	{
+	int n = 0;
+	Event* e;
+	for ( e = head; e; e = e->NextEvent() )
+		++n;
+
+	d->AddCount(n);
+
+	for ( e = head; e; e = e->NextEvent() )
+		{
+		e->Describe(d);
+		d->NL();
+		}
+	}
+
+RecordVal* EventMgr::GetLocalPeerVal()
+	{
+	if ( ! src_val )
+		{
+		src_val = new RecordVal(peer);
+		src_val->Assign(0, new Val(0, TYPE_COUNT));
+		src_val->Assign(1, new AddrVal("127.0.0.1"));
+		src_val->Assign(2, new PortVal(0));
+		src_val->Assign(3, new Val(true, TYPE_BOOL));
+
+		Ref(peer_description);
+		src_val->Assign(4, peer_description);
+		src_val->Assign(5, 0);	// class (optional).
+		}
+
+	return src_val;
+	}
diff --git a/src/Event.h b/src/Event.h
new file mode 100644
index 0000000000..9028ca5fab
--- /dev/null
+++ b/src/Event.h
@@ -0,0 +1,122 @@
+// $Id: Event.h 6219 2008-10-01 05:39:07Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#ifndef event_h
+#define event_h
+
+#include "EventRegistry.h"
+#include "Serializer.h"
+#include "AnalyzerTags.h"
+
+class EventMgr;
+
+class Event : public BroObj {
+public:
+	Event(EventHandlerPtr handler, val_list* args,
+		SourceID src = SOURCE_LOCAL, AnalyzerID aid = 0,
+		TimerMgr* mgr = 0, BroObj* obj = 0);
+	~Event();
+
+	void SetNext(Event* n)		{ next_event = n; }
+	Event* NextEvent() const	{ return next_event; }
+
+	SourceID Source() const		{ return src; }
+	AnalyzerID Analyzer() const	{ return aid; }
+	TimerMgr* Mgr() const		{ return mgr; }
+
+	void Describe(ODesc* d) const;
+
+protected:
+	friend class EventMgr;
+
+	// This method is protected to make sure that everybody goes through
+	// EventMgr::Dispatch().
+	void Dispatch(bool no_remote = false)
+		{
+		if ( event_serializer )
+			{
+			SerialInfo info(event_serializer);
+			event_serializer->Serialize(&info, handler->Name(), args);
+			}
+
+		handler->Call(args, no_remote);
+		if ( obj )
+			// obj->EventDone();
+			Unref(obj);
+		}
+
+	EventHandlerPtr handler;
+	val_list* args;
+	SourceID src;
+	AnalyzerID aid;
+	TimerMgr* mgr;
+	BroObj* obj;
+	Event* next_event;
+};
+
+extern int num_events_queued;
+extern int num_events_dispatched;
+
+class EventMgr : public BroObj {
+public:
+	EventMgr();
+	~EventMgr();
+
+	void QueueEvent(EventHandlerPtr h, val_list* vl,
+			SourceID src = SOURCE_LOCAL, AnalyzerID aid = 0,
+			TimerMgr* mgr = 0, BroObj* obj = 0)
+		{
+		if ( h )
+			QueueEvent(new Event(h, vl, src, aid, mgr, obj));
+		else
+			delete_vals(vl);
+		}
+
+	void Dispatch();
+
+	void Dispatch(Event* event, bool no_remote = false)
+		{
+		current_src = event->Source();
+		event->Dispatch(no_remote);
+		Unref(event);
+		}
+
+	void Drain();
+	bool IsDraining() const	{ return draining; }
+
+	int HasEvents() const	{ return head != 0; }
+
+	// Returns the source ID of last raised event.
+	SourceID CurrentSource() const	{ return current_src; }
+
+	// Returns the ID of the analyzer which raised the last event, or 0 if
+	// non-analyzer event.
+	AnalyzerID CurrentAnalyzer() const	{ return current_aid; }
+
+	// Returns the timer mgr associated with the last raised event.
+	TimerMgr* CurrentTimerMgr() const	{ return current_mgr; }
+
+	int Size() const
+		{ return num_events_queued - num_events_dispatched; }
+
+	// Returns a peer record describing the local Bro.
+	RecordVal* GetLocalPeerVal();
+
+	void Describe(ODesc* d) const;
+
+protected:
+	void QueueEvent(Event* event);
+
+	Event* head;
+	Event* tail;
+	SourceID current_src;
+	AnalyzerID current_aid;
+	TimerMgr* current_mgr;
+	RecordVal* src_val;
+	bool draining;
+};
+
+extern EventMgr mgr;
+
+#endif
diff --git a/src/EventHandler.cc b/src/EventHandler.cc
new file mode 100644
index 0000000000..9df18ab007
--- /dev/null
+++ b/src/EventHandler.cc
@@ -0,0 +1,104 @@
+// $Id: EventHandler.cc 5911 2008-07-03 22:59:01Z vern $
+
+#include "Event.h"
+#include "EventHandler.h"
+#include "Func.h"
+#include "Scope.h"
+#include "RemoteSerializer.h"
+
+EventHandler::EventHandler(const char* arg_name)
+	{
+	name = copy_string(arg_name);
+	used = false;
+	local = 0;
+	type = 0;
+	group = 0;
+	enabled = true;
+	}
+
+EventHandler::~EventHandler()
+	{
+	Unref(local);
+	delete [] name;
+	delete [] group;
+	}
+
+FuncType* EventHandler::FType()
+	{
+	if ( type )
+		return type;
+
+	ID* id = lookup_ID(name, current_module.c_str());
+
+	if ( ! id )
+		return 0;
+
+	if ( id->Type()->Tag() != TYPE_FUNC )
+		return 0;
+
+	return type = id->Type()->AsFuncType();
+	}
+
+void EventHandler::SetLocalHandler(Func* f)
+	{
+	if ( local )
+		Unref(local);
+
+	Ref(f);
+	local = f;
+	}
+
+void EventHandler::Call(val_list* vl, bool no_remote)
+	{
+#ifdef PROFILE_BRO_FUNCTIONS
+	DEBUG_MSG("Event: %s\n", Name());
+#endif
+
+	if ( ! no_remote )
+		{
+		loop_over_list(receivers, i)
+			{
+			SerialInfo info(remote_serializer);
+			remote_serializer->SendCall(&info, receivers[i], name, vl);
+			}
+		}
+
+	if ( local )
+		Unref(local->Call(vl));
+	else
+		{
+		loop_over_list(*vl, i)
+			Unref((*vl)[i]);
+		}
+	}
+
+void EventHandler::AddRemoteHandler(SourceID peer)
+	{
+	receivers.append(peer);
+	}
+
+void EventHandler::RemoveRemoteHandler(SourceID peer)
+	{
+	receivers.remove(peer);
+	}
+
+bool EventHandler::Serialize(SerialInfo* info) const
+	{
+	return SERIALIZE(name);
+	}
+
+EventHandler* EventHandler::Unserialize(UnserialInfo* info)
+	{
+	char* name;
+	if ( ! UNSERIALIZE_STR(&name, 0) )
+		return false;
+
+	EventHandler* h = event_registry->Lookup(name);
+	if ( ! h )
+		{
+		h = new EventHandler(name);
+		event_registry->Register(h);
+		}
+
+	return h;
+	}
diff --git a/src/EventHandler.h b/src/EventHandler.h
new file mode 100644
index 0000000000..de4d1a1458
--- /dev/null
+++ b/src/EventHandler.h
@@ -0,0 +1,88 @@
+// $Id: EventHandler.h 5911 2008-07-03 22:59:01Z vern $
+//
+// Capsulates local and remote event handlers.
+
+#ifndef EVENTHANDLER
+#define EVENTHANDLER
+
+#include <assert.h>
+
+#include "List.h"
+#include "BroList.h"
+#include "net_util.h"
+
+class Func;
+class FuncType;
+class Serializer;
+class SerialInfo;
+class UnserialInfo;
+
+class EventHandler {
+public:
+	EventHandler(const char* name);
+	~EventHandler();
+
+	const char* Name()	{ return name; }
+	Func* LocalHandler()	{ return local; }
+	FuncType* FType();
+
+	void SetLocalHandler(Func* f);
+
+	void AddRemoteHandler(SourceID peer);
+	void RemoveRemoteHandler(SourceID peer);
+
+	void Call(val_list* vl, bool no_remote = false);
+
+	// Returns true if there is at least one local or remote handler.
+	operator  bool() const
+		{ return enabled && (local || receivers.length()); }
+
+	void SetUsed()          { used = true; }
+	bool Used()             { return used; }
+
+	const char* Group()	{ return group; }
+	void SetGroup(const char* arg_group)
+				{ group = copy_string(arg_group); }
+
+	void SetEnable(bool arg_enable)	{ enabled = arg_enable; }
+
+	// We don't serialize the handler(s) itself here, but
+	// just the reference to it.
+	bool Serialize(SerialInfo* info) const;
+	static EventHandler* Unserialize(UnserialInfo* info);
+
+private:
+	const char* name;
+	const char* group;
+	Func* local;
+	FuncType* type;
+	bool used;		// this handler is indeed used somewhere
+	bool enabled;
+
+	declare(List, SourceID);
+	typedef List(SourceID) receiver_list;
+	receiver_list receivers;
+};
+
+// Encapsulates a ptr to an event handler to overload the boolean operator.
+class EventHandlerPtr {
+public:
+	EventHandlerPtr(EventHandler* p = 0)		{ handler = p; }
+	EventHandlerPtr(const EventHandlerPtr& h)	{ handler = h.handler; }
+
+	const EventHandlerPtr& operator=(EventHandler* p)
+		{ handler = p; return *this; }
+	const EventHandlerPtr& operator=(const EventHandlerPtr& h)
+		{ handler = h.handler; return *this; }
+
+	EventHandler* Ptr()	{ return handler; }
+
+	operator bool() const	{ return handler && *handler; }
+	EventHandler* operator->()	{ return handler; }
+	const EventHandler* operator->() const	{ return handler; }
+
+private:
+	EventHandler* handler;
+};
+
+#endif
diff --git a/src/EventLauncher.cc b/src/EventLauncher.cc
new file mode 100644
index 0000000000..1982d78c11
--- /dev/null
+++ b/src/EventLauncher.cc
@@ -0,0 +1,8 @@
+// $Id:$
+
+#include "Val.h"
+#include "Analyzer.h"
+#include "EventLauncher.h"
+#include "Event.h"
+
+#include "event.bif.func_def"
diff --git a/src/EventLauncher.h b/src/EventLauncher.h
new file mode 100644
index 0000000000..276f28ef75
--- /dev/null
+++ b/src/EventLauncher.h
@@ -0,0 +1,8 @@
+// $Id:$
+
+#ifndef event_launcher_h
+#define event_launcher_h
+
+#include "event.bif.func_h"
+
+#endif
diff --git a/src/EventRegistry.cc b/src/EventRegistry.cc
new file mode 100644
index 0000000000..d7f672c2e5
--- /dev/null
+++ b/src/EventRegistry.cc
@@ -0,0 +1,113 @@
+// $Id: EventRegistry.cc 6829 2009-07-09 09:12:59Z vern $
+
+#include "EventRegistry.h"
+#include "RE.h"
+#include "RemoteSerializer.h"
+
+void EventRegistry::Register(EventHandlerPtr handler)
+	{
+	HashKey key(handler->Name());
+	handlers.Insert(&key, handler.Ptr());
+	}
+
+EventHandler* EventRegistry::Lookup(const char* name)
+	{
+	HashKey key(name);
+	return handlers.Lookup(&key);
+	}
+
+EventRegistry::string_list* EventRegistry::Match(RE_Matcher* pattern)
+	{
+	string_list* names = new string_list;
+
+	IterCookie* c = handlers.InitForIteration();
+
+	HashKey* k;
+	EventHandler* v;
+	while ( (v = handlers.NextEntry(k, c)) )
+		{
+		if ( v->LocalHandler() && pattern->MatchExactly(v->Name()) )
+			names->append(v->Name());
+
+		delete k;
+		}
+
+	return names;
+	}
+
+EventRegistry::string_list* EventRegistry::UnusedHandlers()
+	{
+	string_list* names = new string_list;
+
+	IterCookie* c = handlers.InitForIteration();
+
+	HashKey* k;
+	EventHandler* v;
+	while ( (v = handlers.NextEntry(k, c)) )
+		{
+		if ( v->LocalHandler() && ! v->Used() )
+			names->append(v->Name());
+
+		delete k;
+		}
+
+	return names;
+	}
+
+EventRegistry::string_list* EventRegistry::UsedHandlers()
+	{
+	string_list* names = new string_list;
+
+	IterCookie* c = handlers.InitForIteration();
+
+	HashKey* k;
+	EventHandler* v;
+	while ( (v = handlers.NextEntry(k, c)) )
+		{
+		if ( v->LocalHandler() && v->Used() )
+			names->append(v->Name());
+
+		delete k;
+		}
+
+	return names;
+	}
+
+void EventRegistry::PrintDebug()
+	{
+	IterCookie* c = handlers.InitForIteration();
+
+	HashKey* k;
+	EventHandler* v;
+	while ( (v = handlers.NextEntry(k, c)) )
+		{
+		delete k;
+		fprintf(stderr, "Registered event %s (%s handler)\n", v->Name(),
+				v->LocalHandler()? "local" : "no");
+		}
+	}
+
+void EventRegistry::SetGroup(const char* name, const char* group)
+	{
+	EventHandler* eh = Lookup(name);
+	if ( ! eh )
+		internal_error("unknown event handler in SetGroup()");
+
+	eh->SetGroup(group);
+	}
+
+void EventRegistry::EnableGroup(const char* group, bool enable)
+	{
+	IterCookie* c = handlers.InitForIteration();
+
+	HashKey* k;
+	EventHandler* v;
+	while ( (v = handlers.NextEntry(k, c)) )
+		{
+		delete k;
+
+		if ( v->Group() && strcmp(v->Group(), group) == 0 )
+			v->SetEnable(enable);
+		}
+	}
+
diff --git a/src/EventRegistry.h b/src/EventRegistry.h
new file mode 100644
index 0000000000..980b8ea83f
--- /dev/null
+++ b/src/EventRegistry.h
@@ -0,0 +1,49 @@
+// $Id: EventRegistry.h 6829 2009-07-09 09:12:59Z vern $
+//
+// Each event raised/handled by Bro is registered in the EventRegistry.
+
+#ifndef EVENT_REGISTRY
+#define EVENT_REGISTRY
+
+#include "Func.h"
+#include "List.h"
+#include "Dict.h"
+#include "EventHandler.h"
+
+// The registry keeps track of all events that we provide or handle.
+class EventRegistry {
+public:
+	EventRegistry()		{ }
+	~EventRegistry()	{ }
+
+	void Register(EventHandlerPtr handler);
+
+	// Return nil if unknown.
+	EventHandler* Lookup(const char* name);
+
+	// Returns a list of all local handlers that match the given pattern.
+	// Passes ownership of list.
+	typedef const char constchar;	// PList doesn't like "const char"
+	declare(PList, constchar);
+	typedef PList(constchar) string_list;
+	string_list* Match(RE_Matcher* pattern);
+
+	// Associates a group with the given event.
+	void SetGroup(const char* name, const char* group);
+
+	// Enable/disable all members of the group.
+	void EnableGroup(const char* group, bool enable);
+
+	string_list* UnusedHandlers();
+	string_list* UsedHandlers();
+	void PrintDebug();
+
+private:
+	declare(PDict, EventHandler);
+	typedef PDict(EventHandler) handler_map;
+	handler_map handlers;
+};
+
+extern EventRegistry* event_registry;
+
+#endif
diff --git a/src/Expr.cc b/src/Expr.cc
new file mode 100644
index 0000000000..77466f2a55
--- /dev/null
+++ b/src/Expr.cc
@@ -0,0 +1,5613 @@
+// $Id: Expr.cc 6864 2009-08-16 23:30:39Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "config.h"
+
+#include "Expr.h"
+#include "Event.h"
+#include "Frame.h"
+#include "Func.h"
+#include "RE.h"
+#include "Scope.h"
+#include "Stmt.h"
+#include "EventRegistry.h"
+#include "RemoteSerializer.h"
+#include "Net.h"
+#include "Traverse.h"
+#include "Trigger.h"
+
+const char* expr_name(BroExprTag t)
+	{
+	static char errbuf[512];
+
+	static const char* expr_names[int(NUM_EXPRS)] = {
+		"name", "const",
+		"(*)",
+		"++", "--", "!", "+", "-",
+		"+", "-", "+=", "-=", "*", "/", "%", "&&", "||",
+		"<", "<=", "==", "!=", ">=", ">", "?:", "ref",
+		"=", "~", "[]", "$", "?$", "[=]",
+		"table()", "set()", "vector()",
+		"$=", "in", "<<>>",
+		"()", "event", "schedule",
+		"coerce", "record_coerce", "table_coerce",
+		"sizeof", "flatten"
+	};
+
+	if ( int(t) >= NUM_EXPRS )
+		{
+		static char errbuf[512];
+
+		// This isn't quite right - we return a static buffer,
+		// so multiple calls to expr_name() could lead to confusion
+		// by overwriting the buffer.  But oh well.
+		snprintf(errbuf, sizeof(errbuf),
+				"%d: not an expression tag", int(t));
+		return errbuf;
+		}
+
+	return expr_names[int(t)];
+	}
+
+Expr::Expr(BroExprTag arg_tag)
+	{
+	tag = arg_tag;
+	type = 0;
+	paren = 0;
+
+	SetLocationInfo(&start_location, &end_location);
+	}
+
+Expr::~Expr()
+	{
+	Unref(type);
+	}
+
+int Expr::CanAdd() const
+	{
+	return 0;
+	}
+
+int Expr::CanDel() const
+	{
+	return 0;
+	}
+
+void Expr::Add(Frame* /* f */)
+	{
+	Internal("Expr::Delete called");
+	}
+
+void Expr::Delete(Frame* /* f */)
+	{
+	Internal("Expr::Delete called");
+	}
+
+Expr* Expr::MakeLvalue()
+	{
+	if ( ! IsError() )
+		ExprError("can't be assigned to");
+	return this;
+	}
+
+void Expr::EvalIntoAggregate(const BroType* /* t */, Val* /* aggr */,
+				Frame* /* f */) const
+	{
+	Internal("Expr::EvalIntoAggregate called");
+	}
+
+void Expr::Assign(Frame* /* f */, Val* /* v */, Opcode /* op */)
+	{
+	Internal("Expr::Assign called");
+	}
+
+BroType* Expr::InitType() const
+	{
+	return type->Ref();
+	}
+
+int Expr::IsRecordElement(TypeDecl* /* td */) const
+	{
+	return 0;
+	}
+
+int Expr::IsPure() const
+	{
+	return 1;
+	}
+
+Val* Expr::InitVal(const BroType* t, Val* aggr) const
+	{
+	if ( aggr )
+		{
+		Error("bad initializer");
+		return 0;
+		}
+
+	if ( IsError() )
+		return 0;
+
+	return check_and_promote(Eval(0), t, 1);
+	}
+
+void Expr::SetError(const char* msg)
+	{
+	Error(msg);
+	SetError();
+	}
+
+void Expr::Describe(ODesc* d) const
+	{
+	if ( IsParen() && ! d->IsBinary() )
+		d->Add("(");
+
+	if ( d->IsPortable() || d->IsBinary() )
+		AddTag(d);
+
+	ExprDescribe(d);
+
+	if ( IsParen() && ! d->IsBinary() )
+		d->Add(")");
+	}
+
+void Expr::AddTag(ODesc* d) const
+	{
+	if ( d->IsBinary() )
+		d->Add(int(Tag()));
+	else
+		d->AddSP(expr_name(Tag()));
+	}
+
+void Expr::Canonicize()
+	{
+	}
+
+void Expr::SetType(BroType* t)
+	{
+	if ( ! type || type->Tag() != TYPE_ERROR )
+		{
+		Unref(type);
+		type = t;
+		}
+	else
+		Unref(t);
+	}
+
+void Expr::ExprError(const char msg[])
+	{
+	Error(msg);
+	SetError();
+	}
+
+bool Expr::Serialize(SerialInfo* info) const
+	{
+	return SerialObj::Serialize(info);
+	}
+
+Expr* Expr::Unserialize(UnserialInfo* info, BroExprTag want)
+	{
+	Expr* e = (Expr*) SerialObj::Unserialize(info, SER_EXPR);
+
+	if ( ! e )
+		return 0;
+
+	if ( want != EXPR_ANY && e->tag != want )
+		{
+		info->s->Error("wrong expression type");
+		Unref(e);
+		return 0;
+		}
+
+	return e;
+	}
+
+bool Expr::DoSerialize(SerialInfo* info) const
+	{
+	DO_SERIALIZE(SER_EXPR, BroObj);
+
+	if ( ! (SERIALIZE(char(tag)) && SERIALIZE(paren)) )
+		return false;
+
+	SERIALIZE_OPTIONAL(type);
+	return true;
+	}
+
+bool Expr::DoUnserialize(UnserialInfo* info)
+	{
+	DO_UNSERIALIZE(BroObj);
+
+	char c;
+	if ( ! (UNSERIALIZE(&c) && UNSERIALIZE(&paren)) )
+		return 0;
+
+	tag = BroExprTag(c);
+
+	UNSERIALIZE_OPTIONAL(type, BroType::Unserialize(info));
+	return true;
+	}
+
+
+NameExpr::NameExpr(ID* arg_id) : Expr(EXPR_NAME)
+	{
+	id = arg_id;
+	ReferenceID();
+	SetType(id->Type()->Ref());
+
+	EventHandler* h = event_registry->Lookup(id->Name());
+	if ( h )
+		h->SetUsed();
+	}
+
+NameExpr::~NameExpr()
+	{
+	Unref(id);
+	}
+
+void NameExpr::ReferenceID()
+	{
+	// ### This is a hack. We check whether one of the remote serializer's
+	// built-in functions is referenced. If so, we activate the serializer.
+	// A better solution would be to either (1) a generic mechanism in
+	// which have (internal) attributes associated with identifiers and
+	// as we see references to the identifiers, we do bookkeeping
+	// associated with their attribute (so in this case the attribute
+	// would be "flag that inter-Bro communication is being used"),
+	// or (2) after the parse is done, we'd query whether these
+	// particular identifiers were seen, rather than doing the test
+	// here for every NameExpr we create.
+	if ( id->Type()->Tag() == TYPE_FUNC )
+		{
+		const char* const* builtins = remote_serializer->GetBuiltins();
+		while( *builtins )
+			{
+			if ( streq(id->Name(), *builtins++) )
+				using_communication = true;
+			}
+		}
+	}
+
+Expr* NameExpr::Simplify(SimplifyType simp_type)
+	{
+	if ( simp_type != SIMPLIFY_LHS && id->IsConst() )
+		{
+		Val* v = Eval(0);
+		if ( v )
+			return new ConstExpr(v);
+		}
+
+	return this;
+	}
+
+Val* NameExpr::Eval(Frame* f) const
+	{
+	Val* v;
+
+	if ( id->AsType() )
+		RunTime("cannot evaluate type name");
+
+	if ( id->IsGlobal() )
+		v = id->ID_Val();
+
+	else if ( f )
+		v = f->NthElement(id->Offset());
+
+	else
+		// No frame - evaluating for Simplify() purposes
+		return 0;
+
+	if ( v )
+		return v->Ref();
+	else
+		{
+		RunTime("value used but not set");
+		return 0;
+		}
+	}
+
+Expr* NameExpr::MakeLvalue()
+	{
+	if ( id->AsType() )
+		ExprError("Type name is not an lvalue");
+
+	return new RefExpr(this);
+	}
+
+void NameExpr::Assign(Frame* f, Val* v, Opcode op)
+	{
+	if ( id->IsGlobal() )
+		id->SetVal(v, op);
+	else
+		f->SetElement(id->Offset(), v);
+	}
+
+int NameExpr::IsPure() const
+	{
+	return id->IsConst();
+	}
+
+TraversalCode NameExpr::Traverse(TraversalCallback* cb) const
+	{
+	TraversalCode tc = cb->PreExpr(this);
+	HANDLE_TC_EXPR_PRE(tc);
+
+	tc = id->Traverse(cb);
+	HANDLE_TC_EXPR_PRE(tc);
+
+	tc = cb->PostExpr(this);
+	HANDLE_TC_EXPR_POST(tc);
+	}
+
+
+void NameExpr::ExprDescribe(ODesc* d) const
+	{
+	if ( d->IsReadable() )
+		d->Add(id->Name());
+	else
+		{
+		if ( d->IsPortable() )
+			d->Add(id->Name());
+		else
+			d->AddCS(id->Name());
+		}
+	}
+
+IMPLEMENT_SERIAL(NameExpr, SER_NAME_EXPR);
+
+bool NameExpr::DoSerialize(SerialInfo* info) const
+	{
+	DO_SERIALIZE(SER_NAME_EXPR, Expr);
+
+	// Write out just the name of the function if requested.
+	if ( info->globals_as_names && id->IsGlobal() )
+		return SERIALIZE('n') && SERIALIZE(id->Name());
+	else
+		return SERIALIZE('f') && id->Serialize(info);
+	}
+
+bool NameExpr::DoUnserialize(UnserialInfo* info)
+	{
+	DO_UNSERIALIZE(Expr);
+
+	char type;
+	if ( ! UNSERIALIZE(&type) )
+		return false;
+
+	if ( type == 'n' )
+		{
+		const char* name;
+		if ( ! UNSERIALIZE_STR(&name, 0) )
+			return false;
+
+		id = global_scope()->Lookup(name);
+		if ( id )
+			::Ref(id);
+		else
+			run_time("unserialized unknown global name");
+
+		delete [] name;
+		}
+	else
+		id = ID::Unserialize(info);
+
+	if ( ! id )
+		return false;
+
+	ReferenceID();
+
+	return true;
+	}
+
+ConstExpr::ConstExpr(Val* arg_val) : Expr(EXPR_CONST)
+	{
+	val = arg_val;
+
+	if ( val->Type()->Tag() == TYPE_LIST && val->AsListVal()->Length() == 1 )
+		{
+		val = val->AsListVal()->Index(0);
+		val->Ref();
+		Unref(arg_val);
+		}
+
+	SetType(val->Type()->Ref());
+	}
+
+ConstExpr::~ConstExpr()
+	{
+	Unref(val);
+	}
+
+void ConstExpr::ExprDescribe(ODesc* d) const
+	{
+	val->Describe(d);
+	}
+
+Expr* ConstExpr::Simplify(SimplifyType /* simp_type */)
+	{
+	return this;
+	}
+
+Val* ConstExpr::Eval(Frame* /* f */) const
+	{
+	return Value()->Ref();
+	}
+
+TraversalCode ConstExpr::Traverse(TraversalCallback* cb) const
+	{
+	TraversalCode tc = cb->PreExpr(this);
+	HANDLE_TC_EXPR_PRE(tc);
+
+	tc = cb->PostExpr(this);
+	HANDLE_TC_EXPR_POST(tc);
+	}
+
+IMPLEMENT_SERIAL(ConstExpr, SER_CONST_EXPR);
+
+bool ConstExpr::DoSerialize(SerialInfo* info) const
+	{
+	DO_SERIALIZE(SER_CONST_EXPR, Expr);
+	return val->Serialize(info);
+	}
+
+bool ConstExpr::DoUnserialize(UnserialInfo* info)
+	{
+	DO_UNSERIALIZE(Expr);
+	val = Val::Unserialize(info);
+	return val != 0;
+	}
+
+
+UnaryExpr::UnaryExpr(BroExprTag arg_tag, Expr* arg_op) : Expr(arg_tag)
+	{
+	op = arg_op;
+	if ( op->IsError() )
+		SetError();
+	}
+
+UnaryExpr::~UnaryExpr()
+	{
+	Unref(op);
+	}
+
+Expr* UnaryExpr::Simplify(SimplifyType simp_type)
+	{
+	if ( IsError() )
+		return this;
+
+	op = simplify_expr(op, simp_type);
+	Canonicize();
+	return DoSimplify();
+	}
+
+Val* UnaryExpr::Eval(Frame* f) const
+	{
+	if ( IsError() )
+		return 0;
+
+	Val* v = op->Eval(f);
+
+	if ( ! v )
+		return 0;
+
+	if ( is_vector(v) )
+		{
+		VectorVal* v_op = v->AsVectorVal();
+		VectorVal* result = new VectorVal(Type()->AsVectorType());
+
+		for ( unsigned int i = VECTOR_MIN;
+		      i < v_op->Size() + VECTOR_MIN; ++i )
+			{
+			Val* v_i = v_op->Lookup(i);
+			result->Assign(i, v_i ? Fold(v_i) : 0, this);
+			}
+
+		Unref(v);
+		return result;
+		}
+	else
+		{
+		Val* result = Fold(v);
+		Unref(v);
+		return result;
+		}
+	}
+
+int UnaryExpr::IsPure() const
+	{
+	return op->IsPure();
+	}
+
+TraversalCode UnaryExpr::Traverse(TraversalCallback* cb) const
+	{
+	TraversalCode tc = cb->PreExpr(this);
+	HANDLE_TC_EXPR_PRE(tc);
+
+	tc = op->Traverse(cb);
+	HANDLE_TC_EXPR_PRE(tc);
+
+	tc = cb->PostExpr(this);
+	HANDLE_TC_EXPR_POST(tc);
+	}
+
+Expr* UnaryExpr::DoSimplify()
+	{
+	return this;
+	}
+
+Val* UnaryExpr::Fold(Val* v) const
+	{
+	return v->Ref();
+	}
+
+void UnaryExpr::ExprDescribe(ODesc* d) const
+	{
+	bool is_coerce =
+		Tag() == EXPR_ARITH_COERCE || Tag() == EXPR_RECORD_COERCE ||
+		Tag() == EXPR_TABLE_COERCE;
+
+	if ( d->IsReadable() )
+		{
+		if ( is_coerce )
+			d->Add("(coerce ");
+		else if ( Tag() == EXPR_FLATTEN )
+			d->Add("flatten ");
+		else if ( Tag() != EXPR_REF )
+			d->Add(expr_name(Tag()));
+		}
+
+	op->Describe(d);
+
+	if ( d->IsReadable() && is_coerce )
+		{
+		d->Add(" to ");
+		Type()->Describe(d);
+		d->Add(")");
+		}
+	}
+
+IMPLEMENT_SERIAL(UnaryExpr, SER_UNARY_EXPR);
+
+bool UnaryExpr::DoSerialize(SerialInfo* info) const
+	{
+	DO_SERIALIZE(SER_UNARY_EXPR, Expr);
+	return op->Serialize(info);
+	}
+
+bool UnaryExpr::DoUnserialize(UnserialInfo* info)
+	{
+	DO_UNSERIALIZE(Expr);
+	op = Expr::Unserialize(info);
+	return op != 0;
+	}
+
+BinaryExpr::~BinaryExpr()
+	{
+	Unref(op1);
+	Unref(op2);
+	}
+
+Expr* BinaryExpr::Simplify(SimplifyType /* simp_type */)
+	{
+	if ( IsError() )
+		return this;
+
+	SimplifyOps();
+
+	if ( BothConst() )
+		return new ConstExpr(Fold(op1->ExprVal(), op2->ExprVal()));
+	else
+		return DoSimplify();
+	}
+
+Val* BinaryExpr::Eval(Frame* f) const
+	{
+	if ( IsError() )
+		return 0;
+
+	Val* v1 = op1->Eval(f);
+	if ( ! v1 )
+		return 0;
+
+	Val* v2 = op2->Eval(f);
+	if ( ! v2 )
+		{
+		Unref(v1);
+		return 0;
+		}
+
+	Val* result = 0;
+
+	int is_vec1 = is_vector(v1);
+	int is_vec2 = is_vector(v2);
+
+	if ( is_vec1 && is_vec2 )
+		{ // fold pairs of elements
+		VectorVal* v_op1 = v1->AsVectorVal();
+		VectorVal* v_op2 = v2->AsVectorVal();
+
+		if ( v_op1->Size() != v_op2->Size() )
+			{
+			RunTime("vector operands are of different sizes");
+			return 0;
+			}
+
+		VectorVal* v_result = new VectorVal(Type()->AsVectorType());
+
+		for ( unsigned int i = VECTOR_MIN;
+		      i < v_op1->Size() + VECTOR_MIN; ++i )
+			{
+			if ( v_op1->Lookup(i) && v_op2->Lookup(i) )
+				v_result->Assign(i,
+						 Fold(v_op1->Lookup(i),
+						      v_op2->Lookup(i)),
+						 this);
+			else
+				v_result->Assign(i, 0, this);
+			// SetError("undefined element in vector operation");
+			}
+
+		Unref(v1);
+		Unref(v2);
+		return v_result;
+		}
+
+	if ( is_vec1 || is_vec2 )
+		{ // fold vector against scalar
+		VectorVal* vv = (is_vec1 ? v1 : v2)->AsVectorVal();
+		VectorVal* v_result = new VectorVal(Type()->AsVectorType());
+
+		for ( unsigned int i = VECTOR_MIN;
+		      i < vv->Size() + VECTOR_MIN; ++i )
+			{
+			Val* vv_i = vv->Lookup(i);
+			if ( vv_i )
+				v_result->Assign(i,
+					 is_vec1 ?
+						 Fold(vv_i, v2) : Fold(v1, vv_i),
+					 this);
+			else
+				v_result->Assign(i, 0, this);
+
+			// SetError("Undefined element in vector operation");
+			}
+
+		Unref(v1);
+		Unref(v2);
+		return v_result;
+		}
+
+	// scalar op scalar
+	result = Fold(v1, v2);
+
+	Unref(v1);
+	Unref(v2);
+	return result;
+	}
+
+int BinaryExpr::IsPure() const
+	{
+	return op1->IsPure() && op2->IsPure();
+	}
+
+TraversalCode BinaryExpr::Traverse(TraversalCallback* cb) const
+	{
+	TraversalCode tc = cb->PreExpr(this);
+	HANDLE_TC_EXPR_PRE(tc);
+
+	tc = op1->Traverse(cb);
+	HANDLE_TC_EXPR_PRE(tc);
+
+	tc = op2->Traverse(cb);
+	HANDLE_TC_EXPR_PRE(tc);
+
+	tc = cb->PostExpr(this);
+	HANDLE_TC_EXPR_POST(tc);
+	}
+
+Expr* BinaryExpr::DoSimplify()
+	{
+	return this;
+	}
+
+void BinaryExpr::ExprDescribe(ODesc* d) const
+	{
+	op1->Describe(d);
+
+	d->SP();
+	if ( d->IsReadable() )
+		d->AddSP(expr_name(Tag()));
+
+	op2->Describe(d);
+	}
+
+void BinaryExpr::SimplifyOps()
+	{
+	op1 = simplify_expr(op1, SIMPLIFY_GENERAL);
+	op2 = simplify_expr(op2, SIMPLIFY_GENERAL);
+	Canonicize();
+	}
+
+Val* BinaryExpr::Fold(Val* v1, Val* v2) const
+	{
+	InternalTypeTag it = v1->Type()->InternalType();
+
+	if ( it == TYPE_INTERNAL_STRING )
+		return StringFold(v1, v2);
+
+	if ( it == TYPE_INTERNAL_ADDR )
+		return AddrFold(v1, v2);
+
+	if ( it == TYPE_INTERNAL_SUBNET )
+		return SubNetFold(v1, v2);
+
+	bro_int_t i1 = 0, i2 = 0, i3 = 0;
+	bro_uint_t u1 = 0, u2 = 0, u3 = 0;
+	double d1 = 0.0, d2 = 0.0, d3 = 0.0;
+	int is_integral = 0;
+	int is_unsigned = 0;
+
+	if ( it == TYPE_INTERNAL_INT )
+		{
+		i1 = v1->InternalInt();
+		i2 = v2->InternalInt();
+		++is_integral;
+		}
+	else if ( it == TYPE_INTERNAL_UNSIGNED )
+		{
+		u1 = v1->InternalUnsigned();
+		u2 = v2->InternalUnsigned();
+		++is_unsigned;
+		}
+	else if ( it == TYPE_INTERNAL_DOUBLE )
+		{
+		d1 = v1->InternalDouble();
+		d2 = v2->InternalDouble();
+		}
+	else
+		Internal("bad type in BinaryExpr::Fold");
+
+	switch ( tag ) {
+#define DO_INT_FOLD(op) \
+	if ( is_integral ) \
+		i3 = i1 op i2; \
+	else if ( is_unsigned ) \
+		u3 = u1 op u2; \
+	else \
+		Internal("bad type in BinaryExpr::Fold");
+
+#define DO_FOLD(op) \
+	if ( is_integral ) \
+		i3 = i1 op i2; \
+	else if ( is_unsigned ) \
+		u3 = u1 op u2; \
+	else \
+		d3 = d1 op d2;
+
+#define DO_INT_VAL_FOLD(op) \
+	if ( is_integral ) \
+		i3 = i1 op i2; \
+	else if ( is_unsigned ) \
+		i3 = u1 op u2; \
+	else \
+		i3 = d1 op d2;
+
+	case EXPR_ADD:		DO_FOLD(+); break;
+	case EXPR_ADD_TO:	DO_FOLD(+); break;
+	case EXPR_SUB:		DO_FOLD(-); break;
+	case EXPR_REMOVE_FROM:	DO_FOLD(-); break;
+	case EXPR_TIMES:	DO_FOLD(*); break;
+	case EXPR_DIVIDE:	DO_FOLD(/); break;
+
+	case EXPR_MOD:		DO_INT_FOLD(%); break;
+	case EXPR_AND:		DO_INT_FOLD(&&); break;
+	case EXPR_OR:		DO_INT_FOLD(||); break;
+
+	case EXPR_LT:		DO_INT_VAL_FOLD(<); break;
+	case EXPR_LE:		DO_INT_VAL_FOLD(<=); break;
+	case EXPR_EQ:		DO_INT_VAL_FOLD(==); break;
+	case EXPR_NE:		DO_INT_VAL_FOLD(!=); break;
+	case EXPR_GE:		DO_INT_VAL_FOLD(>=); break;
+	case EXPR_GT:		DO_INT_VAL_FOLD(>); break;
+
+	default:
+		BadTag("BinaryExpr::Fold", expr_name(tag));
+	}
+
+	BroType* ret_type = type;
+	if ( IsVector(ret_type->Tag()) )
+	     ret_type = ret_type->YieldType();
+
+	if ( ret_type->Tag() == TYPE_INTERVAL )
+		return new IntervalVal(d3, 1.0);
+	else if ( ret_type->InternalType() == TYPE_INTERNAL_DOUBLE )
+		return new Val(d3, ret_type->Tag());
+	else if ( ret_type->InternalType() == TYPE_INTERNAL_UNSIGNED )
+		return new Val(u3, ret_type->Tag());
+	else
+		return new Val(i3, ret_type->Tag());
+	}
+
+Val* BinaryExpr::StringFold(Val* v1, Val* v2) const
+	{
+	const BroString* s1 = v1->AsString();
+	const BroString* s2 = v2->AsString();
+	int result = 0;
+
+	switch ( tag ) {
+#undef DO_FOLD
+#define DO_FOLD(sense) { result = Bstr_cmp(s1, s2) sense 0; break; }
+
+	case EXPR_LT:		DO_FOLD(<)
+	case EXPR_LE:		DO_FOLD(<=)
+	case EXPR_EQ:		DO_FOLD(==)
+	case EXPR_NE:		DO_FOLD(!=)
+	case EXPR_GE:		DO_FOLD(>=)
+	case EXPR_GT:		DO_FOLD(>)
+
+	case EXPR_ADD:
+	case EXPR_ADD_TO:
+		{
+		vector<const BroString*> strings;
+		strings.push_back(s1);
+		strings.push_back(s2);
+
+		return new StringVal(concatenate(strings));
+		}
+
+	default:
+		BadTag("BinaryExpr::StringFold", expr_name(tag));
+	}
+
+	return new Val(result, TYPE_BOOL);
+	}
+
+Val* BinaryExpr::AddrFold(Val* v1, Val* v2) const
+	{
+	addr_type a1 = v1->AsAddr();
+	addr_type a2 = v2->AsAddr();
+	int result = 0;
+
+	switch ( tag ) {
+#undef DO_FOLD
+#ifdef BROv6
+#define DO_FOLD(sense) { result = memcmp(a1, a2, 16) sense 0; break; }
+#else
+#define DO_FOLD(sense)	\
+	{ \
+	a1 = ntohl(a1); \
+	a2 = ntohl(a2); \
+	result = (a1 < a2 ? -1 : (a1 == a2 ? 0 : 1)) sense 0; \
+	break; \
+	}
+#endif
+
+	case EXPR_LT:		DO_FOLD(<)
+	case EXPR_LE:		DO_FOLD(<=)
+	case EXPR_EQ:		DO_FOLD(==)
+	case EXPR_NE:		DO_FOLD(!=)
+	case EXPR_GE:		DO_FOLD(>=)
+	case EXPR_GT:		DO_FOLD(>)
+
+	default:
+		BadTag("BinaryExpr::AddrFold", expr_name(tag));
+	}
+
+	return new Val(result, TYPE_BOOL);
+	}
+
+Val* BinaryExpr::SubNetFold(Val* v1, Val* v2) const
+	{
+	subnet_type* n1 = v1->AsSubNet();
+	subnet_type* n2 = v2->AsSubNet();
+
+	if ( n1->width != n2->width )
+		return new Val(0, TYPE_BOOL);
+
+#ifdef BROv6
+	if ( memcmp(n1->net, n2->net, 16) )
+#else
+	if ( n1->net != n2->net )
+#endif
+		return new Val(0, TYPE_BOOL);
+
+	return new Val(1, TYPE_BOOL);
+	}
+
+void BinaryExpr::SwapOps()
+	{
+	// We could check here whether the operator is commutative.
+	Expr* t = op1;
+	op1 = op2;
+	op2 = t;
+	}
+
+void BinaryExpr::PromoteOps(TypeTag t)
+	{
+	TypeTag bt1 = op1->Type()->Tag();
+	TypeTag bt2 = op2->Type()->Tag();
+
+	if ( IsVector(bt1) )
+		bt1 = op1->Type()->AsVectorType()->YieldType()->Tag();
+	if ( IsVector(bt2) )
+		bt2 = op2->Type()->AsVectorType()->YieldType()->Tag();
+
+	if ( bt1 != t )
+		op1 = new ArithCoerceExpr(op1, t);
+	if ( bt2 != t )
+		op2 = new ArithCoerceExpr(op2, t);
+	}
+
+void BinaryExpr::PromoteType(TypeTag t, bool is_vector)
+	{
+	PromoteOps(t);
+	SetType(is_vector ? new VectorType(base_type(t)) : base_type(t));
+	}
+
+IMPLEMENT_SERIAL(BinaryExpr, SER_BINARY_EXPR);
+
+bool BinaryExpr::DoSerialize(SerialInfo* info) const
+	{
+	DO_SERIALIZE(SER_BINARY_EXPR, Expr);
+	return op1->Serialize(info) && op2->Serialize(info);
+	}
+
+bool BinaryExpr::DoUnserialize(UnserialInfo* info)
+	{
+	DO_UNSERIALIZE(Expr);
+
+	op1 = Expr::Unserialize(info);
+	if ( ! op1 )
+		return false;
+
+	op2 = Expr::Unserialize(info);
+	return op2 != 0;
+	}
+
+CloneExpr::CloneExpr(Expr* arg_op) : UnaryExpr(EXPR_CLONE, arg_op)
+	{
+	if ( IsError() )
+		return;
+
+	BroType* t = op->Type();
+	SetType(t->Ref());
+	}
+
+Val* CloneExpr::Eval(Frame* f) const
+	{
+	if ( IsError() )
+		return 0;
+
+	Val* v = op->Eval(f);
+
+	if ( ! v )
+		return 0;
+
+	Val* result = Fold(v);
+	Unref(v);
+
+	return result;
+	}
+
+Val* CloneExpr::Fold(Val* v) const
+	{
+	return v->Clone();
+	}
+
+IMPLEMENT_SERIAL(CloneExpr, SER_CLONE_EXPR);
+
+bool CloneExpr::DoSerialize(SerialInfo* info) const
+	{
+	DO_SERIALIZE(SER_CLONE_EXPR, UnaryExpr);
+	return true;
+	}
+
+bool CloneExpr::DoUnserialize(UnserialInfo* info)
+	{
+	DO_UNSERIALIZE(UnaryExpr);
+	return true;
+	}
+
+IncrExpr::IncrExpr(BroExprTag arg_tag, Expr* arg_op)
+: UnaryExpr(arg_tag, arg_op->MakeLvalue())
+	{
+	if ( IsError() )
+		return;
+
+	BroType* t = op->Type();
+
+	if ( IsVector(t->Tag()) )
+		{
+		if ( ! IsIntegral(t->AsVectorType()->YieldType()->Tag()) )
+			ExprError("vector elements must be integral for increment operator");
+		else
+			SetType(t->Ref());
+		}
+	else
+		{
+		if ( ! IsIntegral(t->Tag()) )
+			ExprError("requires an integral operand");
+		else
+			SetType(t->Ref());
+		}
+	}
+
+Val* IncrExpr::DoSingleEval(Frame* f, Val* v) const
+	 {
+	bro_int_t k = v->CoerceToInt();
+
+	if ( Tag() == EXPR_INCR )
+		++k;
+	else
+		{
+		--k;
+
+		if ( k < 0 &&
+		     v->Type()->InternalType() == TYPE_INTERNAL_UNSIGNED )
+			RunTime("count underflow");
+		}
+
+	 BroType* ret_type = Type();
+	 if ( IsVector(ret_type->Tag()) )
+		 ret_type = Type()->YieldType();
+
+	 return new Val(k, ret_type->Tag());
+	 }
+
+
+Val* IncrExpr::Eval(Frame* f) const
+	{
+	Val* v = op->Eval(f);
+	if ( ! v )
+		return 0;
+
+	if ( is_vector(v) )
+		{
+		VectorVal* v_vec = v->AsVectorVal();
+		for ( unsigned int i = VECTOR_MIN;
+		      i < v_vec->Size() + VECTOR_MIN; ++i )
+			{
+			Val* elt = v_vec->Lookup(i);
+			if ( elt )
+				{
+				Val* new_elt = DoSingleEval(f, elt);
+				v_vec->Assign(i, new_elt, this, OP_INCR);
+				Unref(new_elt); // was Ref()'d by Assign()
+				}
+			else
+				v_vec->Assign(i, 0, this, OP_INCR);
+			}
+		// FIXME: Is the next line needed?
+		op->Assign(f, v_vec, OP_INCR);
+		}
+
+	else
+		{
+		Val* old_v = v;
+		op->Assign(f, v = DoSingleEval(f, old_v), OP_INCR);
+		Unref(old_v);
+		}
+
+	return v->Ref();
+	}
+
+int IncrExpr::IsPure() const
+	{
+	return 0;
+	}
+
+IMPLEMENT_SERIAL(IncrExpr, SER_INCR_EXPR);
+
+bool IncrExpr::DoSerialize(SerialInfo* info) const
+	{
+	DO_SERIALIZE(SER_INCR_EXPR, UnaryExpr);
+	return true;
+	}
+
+bool IncrExpr::DoUnserialize(UnserialInfo* info)
+	{
+	DO_UNSERIALIZE(UnaryExpr);
+	return true;
+	}
+
+NotExpr::NotExpr(Expr* arg_op) : UnaryExpr(EXPR_NOT, arg_op)
+	{
+	if ( IsError() )
+		return;
+
+	BroType* t = op->Type();
+	if ( IsVector(t->Tag()) )
+		t = t->AsVectorType()->YieldType();
+
+	TypeTag bt = t->Tag();
+
+	if ( ! IsIntegral(bt) && bt != TYPE_BOOL )
+		ExprError("requires an integral or boolean operand");
+	else if ( IsVector(bt) )
+		SetType(new VectorType(base_type(TYPE_BOOL)));
+	else
+		SetType(base_type(TYPE_BOOL));
+	}
+
+Expr* NotExpr::DoSimplify()
+	{
+	op = simplify_expr(op, SIMPLIFY_GENERAL);
+	Canonicize();
+
+	if ( op->Tag() == EXPR_NOT )
+		// !!x == x
+		return ((NotExpr*) op)->Op()->Ref();
+
+	if ( op->IsConst() && ! is_vector(op->ExprVal()) )
+		return new ConstExpr(Fold(op->ExprVal()));
+
+	return this;
+	}
+
+Val* NotExpr::Fold(Val* v) const
+	{
+	return new Val(! v->InternalInt(), type->Tag());
+	}
+
+IMPLEMENT_SERIAL(NotExpr, SER_NOT_EXPR);
+
+bool NotExpr::DoSerialize(SerialInfo* info) const
+	{
+	DO_SERIALIZE(SER_NOT_EXPR, UnaryExpr);
+	return true;
+	}
+
+bool NotExpr::DoUnserialize(UnserialInfo* info)
+	{
+	DO_UNSERIALIZE(UnaryExpr);
+	return true;
+	}
+
+PosExpr::PosExpr(Expr* arg_op) : UnaryExpr(EXPR_POSITIVE, arg_op)
+	{
+	if ( IsError() )
+		return;
+
+	BroType* t = op->Type();
+	if ( IsVector(t->Tag()) )
+		t = t->AsVectorType()->YieldType();
+	TypeTag bt = t->Tag();
+
+	BroType* base_result_type = 0;
+
+	if ( IsIntegral(bt) )
+		// Promote count and counter to int.
+		base_result_type = base_type(TYPE_INT);
+	else if ( bt == TYPE_INTERVAL || bt == TYPE_DOUBLE )
+		base_result_type = t->Ref();
+	else
+		ExprError("requires an integral or double operand");
+
+	if ( is_vector(op) )
+		SetType(new VectorType(base_result_type));
+	else
+		SetType(base_result_type);
+	}
+
+Expr* PosExpr::DoSimplify()
+	{
+	op = simplify_expr(op, SIMPLIFY_GENERAL);
+	Canonicize();
+
+	TypeTag t = op->Type()->Tag();
+
+	if ( t == TYPE_DOUBLE || t == TYPE_INTERVAL || t == TYPE_INT )
+		return op->Ref();
+
+	if ( op->IsConst() && ! is_vector(op->ExprVal()) )
+		return new ConstExpr(Fold(op->ExprVal()));
+
+	return this;
+	}
+
+Val* PosExpr::Fold(Val* v) const
+	{
+	TypeTag t = v->Type()->Tag();
+
+	if ( t == TYPE_DOUBLE || t == TYPE_INTERVAL || t == TYPE_INT )
+		return v->Ref();
+	else
+		return new Val(v->CoerceToInt(), type->Tag());
+	}
+
+IMPLEMENT_SERIAL(PosExpr, SER_POS_EXPR);
+
+bool PosExpr::DoSerialize(SerialInfo* info) const
+	{
+	DO_SERIALIZE(SER_POS_EXPR, UnaryExpr);
+	return true;
+	}
+
+bool PosExpr::DoUnserialize(UnserialInfo* info)
+	{
+	DO_UNSERIALIZE(UnaryExpr);
+	return true;
+	}
+
+NegExpr::NegExpr(Expr* arg_op) : UnaryExpr(EXPR_NEGATE, arg_op)
+	{
+	if ( IsError() )
+		return;
+
+	BroType* t = op->Type();
+	if ( IsVector(t->Tag()) )
+		t = t->AsVectorType()->YieldType();
+	TypeTag bt = t->Tag();
+
+	BroType* base_result_type = 0;
+
+	if ( IsIntegral(bt) )
+		// Promote count and counter to int.
+		base_result_type = base_type(TYPE_INT);
+	else if ( bt == TYPE_INTERVAL || bt == TYPE_DOUBLE )
+		base_result_type = t->Ref();
+	else
+		ExprError("requires an integral or double operand");
+
+	if ( is_vector(op) )
+		SetType(new VectorType(base_result_type));
+	else
+		SetType(base_result_type);
+	}
+
+Expr* NegExpr::DoSimplify()
+	{
+	op = simplify_expr(op, SIMPLIFY_GENERAL);
+	Canonicize();
+
+	if ( op->Tag() == EXPR_NEGATE )
+		// -(-x) == x
+		return ((NegExpr*) op)->Op()->Ref();
+
+	if ( op->IsConst() && ! is_vector(op->ExprVal()) )
+		return new ConstExpr(Fold(op->ExprVal()));
+
+	if ( op->Tag() == EXPR_SUB )
+		{ // -(a-b) == b-a
+		SubExpr* s = (SubExpr*) op;
+		return new SubExpr(s->Op2()->Ref(), s->Op1()->Ref());
+		}
+
+	return this;
+	}
+
+Val* NegExpr::Fold(Val* v) const
+	{
+	if ( v->Type()->Tag() == TYPE_DOUBLE )
+		return new Val(- v->InternalDouble(), v->Type()->Tag());
+	else if ( v->Type()->Tag() == TYPE_INTERVAL )
+		return new IntervalVal(- v->InternalDouble(), 1.0);
+	else
+		return new Val(- v->CoerceToInt(), TYPE_INT);
+	}
+
+
+IMPLEMENT_SERIAL(NegExpr, SER_NEG_EXPR);
+
+bool NegExpr::DoSerialize(SerialInfo* info) const
+	{
+	DO_SERIALIZE(SER_NEG_EXPR, UnaryExpr);
+	return true;
+	}
+
+bool NegExpr::DoUnserialize(UnserialInfo* info)
+	{
+	DO_UNSERIALIZE(UnaryExpr);
+	return true;
+	}
+
+SizeExpr::SizeExpr(Expr* arg_op) : UnaryExpr(EXPR_SIZE, arg_op)
+	{
+	if ( IsError() )
+		return;
+
+	SetType(base_type(TYPE_COUNT));
+	}
+
+Val* SizeExpr::Eval(Frame* f) const
+	{
+	Val* v = op->Eval(f);
+	if ( ! v )
+		return 0;
+
+	Val* result = Fold(v);
+	Unref(v);
+	return result;
+	}
+
+Val* SizeExpr::Fold(Val* v) const
+	{
+	return v->SizeVal();
+	}
+
+IMPLEMENT_SERIAL(SizeExpr, SER_SIZE_EXPR);
+
+bool SizeExpr::DoSerialize(SerialInfo* info) const
+	{
+	DO_SERIALIZE(SER_SIZE_EXPR, UnaryExpr);
+	return true;
+	}
+
+bool SizeExpr::DoUnserialize(UnserialInfo* info)
+	{
+	DO_UNSERIALIZE(UnaryExpr);
+	return true;
+	}
+
+
+AddExpr::AddExpr(Expr* arg_op1, Expr* arg_op2)
+: BinaryExpr(EXPR_ADD, arg_op1, arg_op2)
+	{
+	if ( IsError() )
+		return;
+
+	TypeTag bt1 = op1->Type()->Tag();
+	if ( IsVector(bt1) )
+		bt1 = op1->Type()->AsVectorType()->YieldType()->Tag();
+
+	TypeTag bt2 = op2->Type()->Tag();
+	if ( IsVector(bt2) )
+		bt2 = op2->Type()->AsVectorType()->YieldType()->Tag();
+
+	BroType* base_result_type = 0;
+
+	if ( bt1 == TYPE_TIME && bt2 == TYPE_INTERVAL )
+		base_result_type = base_type(bt1);
+	else if ( bt2 == TYPE_TIME && bt1 == TYPE_INTERVAL )
+		base_result_type = base_type(bt2);
+	else if ( bt1 == TYPE_INTERVAL && bt2 == TYPE_INTERVAL )
+		base_result_type = base_type(bt1);
+	else if ( BothArithmetic(bt1, bt2) )
+		PromoteType(max_type(bt1, bt2), is_vector(op1) || is_vector(op2));
+	else if ( BothString(bt1, bt2) )
+		base_result_type = base_type(bt1);
+	else
+		ExprError("requires arithmetic operands");
+
+	if ( base_result_type )
+		{
+		if ( is_vector(op1) || is_vector(op2) )
+			SetType(new VectorType(base_result_type));
+		else
+			SetType(base_result_type);
+		}
+	}
+
+Expr* AddExpr::DoSimplify()
+	{
+	// If there's a constant, then it's in op1, since Canonicize()
+	// makes sure of that.
+	if ( op1->IsZero() )
+		return op2->Ref();
+
+	else if ( op1->Tag() == EXPR_NEGATE )
+		// (-a)+b = b-a
+		return new AddExpr(op2->Ref(), ((NegExpr*) op1)->Op()->Ref());
+
+	else if ( op2->Tag() == EXPR_NEGATE )
+		// a+(-b) == a-b
+		return new SubExpr(op1->Ref(), ((NegExpr*) op2)->Op()->Ref());
+
+	return this;
+	}
+
+void AddExpr::Canonicize()
+	{
+	if ( expr_greater(op2, op1) ||
+	     (op1->Type()->Tag() == TYPE_INTERVAL &&
+	      op2->Type()->Tag() == TYPE_TIME) ||
+	     (op2->IsConst() && ! is_vector(op2->ExprVal()) && ! op1->IsConst()))
+		SwapOps();
+	}
+
+IMPLEMENT_SERIAL(AddExpr, SER_ADD_EXPR);
+
+bool AddExpr::DoSerialize(SerialInfo* info) const
+	{
+	DO_SERIALIZE(SER_ADD_EXPR, BinaryExpr);
+	return true;
+	}
+
+bool AddExpr::DoUnserialize(UnserialInfo* info)
+	{
+	DO_UNSERIALIZE(BinaryExpr);
+	return true;
+	}
+
+AddToExpr::AddToExpr(Expr* arg_op1, Expr* arg_op2)
+: BinaryExpr(EXPR_ADD_TO, arg_op1, arg_op2)
+	{
+	if ( IsError() )
+		return;
+
+	TypeTag bt1 = op1->Type()->Tag();
+	TypeTag bt2 = op2->Type()->Tag();
+
+	if ( BothArithmetic(bt1, bt2) )
+		PromoteType(max_type(bt1, bt2), is_vector(op1) || is_vector(op2));
+	else if ( BothString(bt1, bt2) )
+		SetType(base_type(bt1));
+	else if ( BothInterval(bt1, bt2) )
+		SetType(base_type(bt1));
+	else
+		ExprError("requires two arithmetic or two string operands");
+	}
+
+Val* AddToExpr::Eval(Frame* f) const
+	{
+	Val* v1 = op1->Eval(f);
+	if ( ! v1 )
+		return 0;
+
+	Val* v2 = op2->Eval(f);
+	if ( ! v2 )
+		{
+		Unref(v1);
+		return 0;
+		}
+
+	Val* result = Fold(v1, v2);
+	Unref(v1);
+	Unref(v2);
+
+	if ( result )
+		{
+		op1->Assign(f, result);
+		return result->Ref();
+		}
+	else
+		return 0;
+	}
+
+IMPLEMENT_SERIAL(AddToExpr, SER_ADD_TO_EXPR);
+
+bool AddToExpr::DoSerialize(SerialInfo* info) const
+	{
+	DO_SERIALIZE(SER_ADD_TO_EXPR, BinaryExpr);
+	return true;
+	}
+
+bool AddToExpr::DoUnserialize(UnserialInfo* info)
+	{
+	DO_UNSERIALIZE(BinaryExpr);
+	return true;
+	}
+
+SubExpr::SubExpr(Expr* arg_op1, Expr* arg_op2)
+: BinaryExpr(EXPR_SUB, arg_op1, arg_op2)
+	{
+	if ( IsError() )
+		return;
+
+	TypeTag bt1 = op1->Type()->Tag();
+	if ( IsVector(bt1) )
+		bt1 = op1->Type()->AsVectorType()->YieldType()->Tag();
+
+	TypeTag bt2 = op2->Type()->Tag();
+	if ( IsVector(bt2) )
+		bt2 = op2->Type()->AsVectorType()->YieldType()->Tag();
+
+	BroType* base_result_type = 0;
+
+	if ( bt1 == TYPE_TIME && bt2 == TYPE_INTERVAL )
+		base_result_type = base_type(bt1);
+	else if ( bt1 == TYPE_TIME && bt2 == TYPE_TIME )
+		SetType(base_type(TYPE_INTERVAL));
+	else if ( bt1 == TYPE_INTERVAL && bt2 == TYPE_INTERVAL )
+		base_result_type = base_type(bt1);
+	else if ( BothArithmetic(bt1, bt2) )
+		PromoteType(max_type(bt1, bt2), is_vector(op1) || is_vector(op2));
+	else
+		ExprError("requires arithmetic operands");
+
+	if ( base_result_type )
+		{
+		if ( is_vector(op1) || is_vector(op2) )
+			SetType(new VectorType(base_result_type));
+		else
+			SetType(base_result_type);
+		}
+	}
+
+Expr* SubExpr::DoSimplify()
+	{
+	if ( op1->IsZero() )
+		return new NegExpr(op2->Ref());
+
+	else if ( op2->IsZero() )
+		return op1->Ref();
+
+	else if ( op2->Tag() == EXPR_NEGATE )
+		// a-(-b) = a+b
+		return new AddExpr(op1->Ref(), ((NegExpr*) op2)->Op()->Ref());
+
+	return this;
+	}
+
+IMPLEMENT_SERIAL(SubExpr, SER_SUB_EXPR);
+
+bool SubExpr::DoSerialize(SerialInfo* info) const
+	{
+	DO_SERIALIZE(SER_SUB_EXPR, BinaryExpr);
+	return true;
+	}
+
+bool SubExpr::DoUnserialize(UnserialInfo* info)
+	{
+	DO_UNSERIALIZE(BinaryExpr);
+	return true;
+	}
+
+RemoveFromExpr::RemoveFromExpr(Expr* arg_op1, Expr* arg_op2)
+: BinaryExpr(EXPR_REMOVE_FROM, arg_op1, arg_op2)
+	{
+	if ( IsError() )
+		return;
+
+	TypeTag bt1 = op1->Type()->Tag();
+	TypeTag bt2 = op2->Type()->Tag();
+
+	if ( BothArithmetic(bt1, bt2) )
+		PromoteType(max_type(bt1, bt2), is_vector(op1) || is_vector(op2));
+	else
+		ExprError("requires two arithmetic operands");
+	}
+
+Val* RemoveFromExpr::Eval(Frame* f) const
+	{
+	Val* v1 = op1->Eval(f);
+	if ( ! v1 )
+		return 0;
+
+	Val* v2 = op2->Eval(f);
+	if ( ! v2 )
+		{
+		Unref(v1);
+		return 0;
+		}
+
+	Val* result = Fold(v1, v2);
+
+	Unref(v1);
+	Unref(v2);
+
+	if ( result )
+		{
+		op1->Assign(f, result);
+		return result->Ref();
+		}
+	else
+		return 0;
+	}
+
+IMPLEMENT_SERIAL(RemoveFromExpr, SER_REMOVE_FROM_EXPR);
+
+bool RemoveFromExpr::DoSerialize(SerialInfo* info) const
+	{
+	DO_SERIALIZE(SER_REMOVE_FROM_EXPR, BinaryExpr);
+	return true;
+	}
+
+bool RemoveFromExpr::DoUnserialize(UnserialInfo* info)
+	{
+	DO_UNSERIALIZE(BinaryExpr);
+	return true;
+	}
+
+TimesExpr::TimesExpr(Expr* arg_op1, Expr* arg_op2)
+: BinaryExpr(EXPR_TIMES, arg_op1, arg_op2)
+	{
+	if ( IsError() )
+		return;
+
+	Canonicize();
+
+	TypeTag bt1 = op1->Type()->Tag();
+	if ( IsVector(bt1) )
+		bt1 = op1->Type()->AsVectorType()->YieldType()->Tag();
+
+	TypeTag bt2 = op2->Type()->Tag();
+	if ( IsVector(bt2) )
+		bt2 = op2->Type()->AsVectorType()->YieldType()->Tag();
+
+	if ( bt1 == TYPE_INTERVAL || bt2 == TYPE_INTERVAL )
+		{
+		if ( IsArithmetic(bt1) || IsArithmetic(bt2) )
+			PromoteType(TYPE_INTERVAL, is_vector(op1) || is_vector(op2) );
+		else
+			ExprError("multiplication with interval requires arithmetic operand");
+		}
+	else if ( BothArithmetic(bt1, bt2) )
+		PromoteType(max_type(bt1, bt2), is_vector(op1) || is_vector(op2));
+	else
+		ExprError("requires arithmetic operands");
+	}
+
+Expr* TimesExpr::DoSimplify()
+	{
+	// If there's a constant, then it's in op1, since Canonicize()
+	// makes sure of that.
+	if ( op1->IsConst() )
+		{
+		if ( op1->IsZero() )
+			{
+			if ( IsVector(op2->Type()->Tag()) )
+				return this;
+			else
+				return make_zero(type);
+			}
+
+		else if ( op1->IsOne() )
+			return op2->Ref();
+		}
+
+	return this;
+	}
+
+void TimesExpr::Canonicize()
+	{
+	if ( expr_greater(op2, op1) || op2->Type()->Tag() == TYPE_INTERVAL ||
+	     (op2->IsConst() && ! is_vector(op2->ExprVal()) && ! op1->IsConst()) )
+		SwapOps();
+	}
+
+IMPLEMENT_SERIAL(TimesExpr, SER_TIMES_EXPR);
+
+bool TimesExpr::DoSerialize(SerialInfo* info) const
+	{
+	DO_SERIALIZE(SER_TIMES_EXPR, BinaryExpr);
+	return true;
+	}
+
+bool TimesExpr::DoUnserialize(UnserialInfo* info)
+	{
+	DO_UNSERIALIZE(BinaryExpr);
+	return true;
+	}
+
+DivideExpr::DivideExpr(Expr* arg_op1, Expr* arg_op2)
+: BinaryExpr(EXPR_DIVIDE, arg_op1, arg_op2)
+	{
+	if ( IsError() )
+		return;
+
+	TypeTag bt1 = op1->Type()->Tag();
+	if ( IsVector(bt1) )
+		bt1 = op1->Type()->AsVectorType()->YieldType()->Tag();
+
+	TypeTag bt2 = op2->Type()->Tag();
+	if ( IsVector(bt2) )
+		bt2 = op2->Type()->AsVectorType()->YieldType()->Tag();
+
+	if ( bt1 == TYPE_INTERVAL || bt2 == TYPE_INTERVAL )
+		{
+		if ( IsArithmetic(bt1) || IsArithmetic(bt2) )
+			PromoteType(TYPE_INTERVAL, is_vector(op1) || is_vector(op2));
+		else if ( bt1 == TYPE_INTERVAL && bt2 == TYPE_INTERVAL )
+			{
+			if ( is_vector(op1) || is_vector(op2) )
+				SetType(new VectorType(base_type(TYPE_DOUBLE)));
+			else
+				SetType(base_type(TYPE_DOUBLE));
+			}
+		else
+			ExprError("division of interval requires arithmetic operand");
+		}
+
+	else if ( BothArithmetic(bt1, bt2) )
+		PromoteType(max_type(bt1, bt2), is_vector(op1) || is_vector(op2));
+
+	else if ( bt1 == TYPE_ADDR && ! is_vector(op2) &&
+		  (bt2 == TYPE_COUNT || bt2 == TYPE_INT) )
+		SetType(base_type(TYPE_SUBNET));
+
+	else
+		ExprError("requires arithmetic operands");
+	}
+
+Val* DivideExpr::AddrFold(Val* v1, Val* v2) const
+	{
+	addr_type a1 = v1->AsAddr();
+
+	uint32 mask;
+	if ( v2->Type()->Tag() == TYPE_COUNT )
+		mask = static_cast<uint32>(v2->InternalUnsigned());
+	else
+		mask = static_cast<uint32>(v2->InternalInt());
+
+	return new SubNetVal(a1, mask);
+	}
+
+Expr* DivideExpr::DoSimplify()
+	{
+	if ( IsError() )
+		return this;
+
+	if ( op1->Type()->Tag() == TYPE_ADDR )
+		return this;
+
+	if ( is_vector(op1) || is_vector(op2) )
+		return this;
+
+	if ( op2->IsConst() )
+		{
+		if ( op2->IsOne() )
+			return op1->Ref();
+		else if ( op2->IsZero() )
+			Error("zero divisor");
+		}
+
+	else if ( same_expr(op1, op2) )
+		return make_one(type);
+
+	return this;
+	}
+
+IMPLEMENT_SERIAL(DivideExpr, SER_DIVIDE_EXPR);
+
+bool DivideExpr::DoSerialize(SerialInfo* info) const
+	{
+	DO_SERIALIZE(SER_DIVIDE_EXPR, BinaryExpr);
+	return true;
+	}
+
+bool DivideExpr::DoUnserialize(UnserialInfo* info)
+	{
+	DO_UNSERIALIZE(BinaryExpr);
+	return true;
+	}
+
+ModExpr::ModExpr(Expr* arg_op1, Expr* arg_op2)
+: BinaryExpr(EXPR_MOD, arg_op1, arg_op2)
+	{
+	if ( IsError() )
+		return;
+
+	TypeTag bt1 = op1->Type()->Tag();
+	if ( IsVector(bt1) )
+		bt1 = op1->Type()->AsVectorType()->YieldType()->Tag();
+
+	TypeTag bt2 = op2->Type()->Tag();
+	if ( IsVector(bt2) )
+		bt2 = op2->Type()->AsVectorType()->YieldType()->Tag();
+
+	if ( BothIntegral(bt1, bt2) )
+		PromoteType(max_type(bt1, bt2), is_vector(op1) || is_vector(op2));
+	else
+		ExprError("requires integral operands");
+	}
+
+Expr* ModExpr::DoSimplify()
+	{
+	if ( IsError() )
+		return this;
+
+	TypeTag bt1 = op1->Type()->Tag();
+	TypeTag bt2 = op2->Type()->Tag();
+
+	if ( IsVector(bt1) || IsVector(bt2) )
+		return this;
+
+	if ( op2->IsConst() )
+		{
+		if ( op2->IsOne() )
+			return make_zero(type);
+		else if ( op2->IsZero() )
+			Error("zero modulus");
+		}
+
+	else if ( same_expr(op1, op2) )
+		return make_zero(type);
+
+	return this;
+	}
+
+IMPLEMENT_SERIAL(ModExpr, SER_MOD_EXPR);
+
+bool ModExpr::DoSerialize(SerialInfo* info) const
+	{
+	DO_SERIALIZE(SER_MOD_EXPR, BinaryExpr);
+	return true;
+	}
+
+bool ModExpr::DoUnserialize(UnserialInfo* info)
+	{
+	DO_UNSERIALIZE(BinaryExpr);
+	return true;
+	}
+
+BoolExpr::BoolExpr(BroExprTag arg_tag, Expr* arg_op1, Expr* arg_op2)
+: BinaryExpr(arg_tag, arg_op1, arg_op2)
+	{
+	if ( IsError() )
+		return;
+
+	TypeTag bt1 = op1->Type()->Tag();
+	if ( IsVector(bt1) )
+		bt1 = op1->Type()->AsVectorType()->YieldType()->Tag();
+
+	TypeTag bt2 = op2->Type()->Tag();
+	if ( IsVector(bt2) )
+		bt2 = op2->Type()->AsVectorType()->YieldType()->Tag();
+
+	if ( BothBool(bt1, bt2) )
+		{
+		if ( is_vector(op1) || is_vector(op2) )
+			SetType(new VectorType(base_type(TYPE_BOOL)));
+		else
+			SetType(base_type(TYPE_BOOL));
+		}
+
+	else if ( bt1 == TYPE_PATTERN && bt2 == bt1 )
+		SetType(base_type(TYPE_PATTERN));
+
+	else
+		ExprError("requires boolean operands");
+	}
+
+Val* BoolExpr::DoSingleEval(Frame* f, Val* v1, Expr* op2) const
+	{
+	if ( ! v1 )
+		return 0;
+
+	if ( Type()->Tag() == TYPE_PATTERN )
+		{
+		Val* v2 = op2->Eval(f);
+		if ( ! v2 )
+			return 0;
+
+		RE_Matcher* re1 = v1->AsPattern();
+		RE_Matcher* re2 = v2->AsPattern();
+
+		RE_Matcher* res = tag == EXPR_AND ?
+			RE_Matcher_conjunction(re1, re2) :
+			RE_Matcher_disjunction(re1, re2);
+
+		return new PatternVal(res);
+		}
+
+	if ( tag == EXPR_AND )
+		{
+		if ( v1->IsZero() )
+			return v1;
+		else
+			{
+			Unref(v1);
+			return op2->Eval(f);
+			}
+		}
+
+	else
+		{
+		if ( v1->IsZero() )
+			{
+			Unref(v1);
+			return op2->Eval(f);
+			}
+		else
+			return v1;
+		}
+	}
+
+
+Val* BoolExpr::Eval(Frame* f) const
+	{
+	if ( IsError() )
+		return 0;
+
+	Val* v1 = op1->Eval(f);
+	if ( ! v1 )
+		return 0;
+
+	int is_vec1 = is_vector(op1);
+	int is_vec2 = is_vector(op2);
+
+	// Handle scalar op scalar
+	if ( ! is_vec1 && ! is_vec2 )
+		return DoSingleEval(f, v1, op2);
+
+	// Handle scalar op vector  or  vector op scalar
+	// We can't short-circuit everything since we need to eval
+	// a vector in order to find out its length.
+	if ( ! (is_vec1 && is_vec2) )
+		{ // Only one is a vector.
+		Val* scalar_v = 0;
+		VectorVal* vector_v = 0;
+
+		if ( is_vec1 )
+			{
+			scalar_v = op2->Eval(f);
+			vector_v = v1->AsVectorVal();
+			}
+		else
+			{
+			scalar_v = v1;
+			vector_v = op2->Eval(f)->AsVectorVal();
+			}
+
+		if ( ! scalar_v || ! vector_v )
+			return 0;
+
+		VectorVal* result = 0;
+
+		// It's either and EXPR_AND or an EXPR_OR.
+		bool is_and = (tag == EXPR_AND);
+
+		if ( scalar_v->IsZero() == is_and )
+			{
+			result = new VectorVal(Type()->AsVectorType());
+			result->Resize(vector_v->Size());
+			result->AssignRepeat(VECTOR_MIN, result->Size(),
+						scalar_v, this);
+			}
+		else
+			result = vector_v->Ref()->AsVectorVal();
+
+		Unref(scalar_v);
+		Unref(vector_v);
+
+		return result;
+		}
+
+	// Only case remaining: both are vectors.
+	Val* v2 = op2->Eval(f);
+	if ( ! v2 )
+		return 0;
+
+	VectorVal* vec_v1 = v1->AsVectorVal();
+	VectorVal* vec_v2 = v2->AsVectorVal();
+
+	if ( vec_v1->Size() != vec_v2->Size() )
+		{
+		RunTime("vector operands have different sizes");
+		return 0;
+		}
+
+	VectorVal* result = new VectorVal(Type()->AsVectorType());
+	result->Resize(vec_v1->Size());
+
+	for ( unsigned int i = VECTOR_MIN;
+	      i < vec_v1->Size() + VECTOR_MIN; ++i )
+		{
+		Val* op1 = vec_v1->Lookup(i);
+		Val* op2 = vec_v2->Lookup(i);
+		if ( op1 && op2 )
+			{
+			bool local_result = (tag == EXPR_AND) ?
+				(! op1->IsZero() && ! op2->IsZero()) :
+				(! op1->IsZero() || ! op2->IsZero());
+
+			result->Assign(i, new Val(local_result, TYPE_BOOL), this);
+			}
+		else
+			result->Assign(i, 0, this);
+		}
+
+	Unref(v1);
+	Unref(v2);
+
+	return result;
+	}
+
+Expr* BoolExpr::DoSimplify()
+	{
+	if ( op1->IsConst() && ! is_vector(op1) )
+		{
+		if ( op1->IsZero() )
+			// F && x  or  F || x
+			return (tag == EXPR_AND) ? make_zero(type) : op2->Ref();
+		else
+			// T && x  or  T || x
+			return (tag == EXPR_AND) ? op2->Ref() : make_one(type);
+		}
+
+	else if ( op2->IsConst() && ! is_vector(op2) )
+		{
+		if ( op1->IsZero() )
+			// x && F  or  x || F
+			return (tag == EXPR_AND) ? make_zero(type) : op1->Ref();
+		else
+			// x && T  or  x || T
+			return (tag == EXPR_AND) ? op1->Ref() : make_one(type);
+		}
+
+	else if ( same_expr(op1, op2) )
+		{
+		Warn("redundant boolean operation");
+		return op1->Ref();
+		}
+
+	return this;
+	}
+
+IMPLEMENT_SERIAL(BoolExpr, SER_BOOL_EXPR);
+
+bool BoolExpr::DoSerialize(SerialInfo* info) const
+	{
+	DO_SERIALIZE(SER_BOOL_EXPR, BinaryExpr);
+	return true;
+	}
+
+bool BoolExpr::DoUnserialize(UnserialInfo* info)
+	{
+	DO_UNSERIALIZE(BinaryExpr);
+	return true;
+	}
+
+EqExpr::EqExpr(BroExprTag arg_tag, Expr* arg_op1, Expr* arg_op2)
+: BinaryExpr(arg_tag, arg_op1, arg_op2)
+	{
+	if ( IsError() )
+		return;
+
+	Canonicize();
+
+	TypeTag bt1 = op1->Type()->Tag();
+	if ( IsVector(bt1) )
+		bt1 = op1->Type()->AsVectorType()->YieldType()->Tag();
+
+	TypeTag bt2 = op2->Type()->Tag();
+	if ( IsVector(bt2) )
+		bt2 = op2->Type()->AsVectorType()->YieldType()->Tag();
+
+	if ( is_vector(op1) || is_vector(op2) )
+		SetType(new VectorType(base_type(TYPE_BOOL)));
+	else
+		SetType(base_type(TYPE_BOOL));
+
+	if ( BothArithmetic(bt1, bt2) )
+		PromoteOps(max_type(bt1, bt2));
+
+	else if ( EitherArithmetic(bt1, bt2) &&
+		// Allow comparisons with zero.
+		  ((bt1 == TYPE_TIME && op2->IsZero()) ||
+		   (bt2 == TYPE_TIME && op1->IsZero())) )
+		PromoteOps(TYPE_TIME);
+
+	else if ( bt1 == bt2 )
+		{
+		switch ( bt1 ) {
+		case TYPE_BOOL:
+		case TYPE_TIME:
+		case TYPE_INTERVAL:
+		case TYPE_STRING:
+		case TYPE_PORT:
+		case TYPE_ADDR:
+		case TYPE_NET:
+		case TYPE_SUBNET:
+		case TYPE_ERROR:
+			break;
+
+		case TYPE_ENUM:
+			if ( ! same_type(op1->Type(), op2->Type()) )
+				ExprError("illegal enum comparison");
+			break;
+
+		default:
+			ExprError("illegal comparison");
+		}
+		}
+
+	else if ( bt1 == TYPE_PATTERN && bt2 == TYPE_STRING )
+		;
+
+	else
+		ExprError("type clash in comparison");
+	}
+
+void EqExpr::Canonicize()
+	{
+	if ( op2->Type()->Tag() == TYPE_PATTERN )
+		SwapOps();
+
+	else if ( op1->Type()->Tag() == TYPE_PATTERN )
+		;
+
+	else if ( expr_greater(op2, op1) )
+		SwapOps();
+	}
+
+Expr* EqExpr::DoSimplify()
+	{
+	if ( same_expr(op1, op2) && ! is_vector(op1) )
+		{
+		if ( ! optimize )
+			Warn("redundant comparison");
+
+		if ( tag == EXPR_EQ )
+			return make_one(type);
+		else
+			return make_zero(type);
+		}
+
+	return this;
+	}
+
+Val* EqExpr::Fold(Val* v1, Val* v2) const
+	{
+	if ( op1->Type()->Tag() == TYPE_PATTERN )
+		{
+		RE_Matcher* re = v1->AsPattern();
+		const BroString* s = v2->AsString();
+		if ( tag == EXPR_EQ )
+			return new Val(re->MatchExactly(s), TYPE_BOOL);
+		else
+			return new Val(! re->MatchExactly(s), TYPE_BOOL);
+		}
+
+	else
+		return BinaryExpr::Fold(v1, v2);
+	}
+
+IMPLEMENT_SERIAL(EqExpr, SER_EQ_EXPR);
+
+bool EqExpr::DoSerialize(SerialInfo* info) const
+	{
+	DO_SERIALIZE(SER_EQ_EXPR, BinaryExpr);
+	return true;
+	}
+
+bool EqExpr::DoUnserialize(UnserialInfo* info)
+	{
+	DO_UNSERIALIZE(BinaryExpr);
+	return true;
+	}
+
+RelExpr::RelExpr(BroExprTag arg_tag, Expr* arg_op1, Expr* arg_op2)
+: BinaryExpr(arg_tag, arg_op1, arg_op2)
+	{
+	if ( IsError() )
+		return;
+
+	Canonicize();
+
+	TypeTag bt1 = op1->Type()->Tag();
+	if ( IsVector(bt1) )
+		bt1 = op1->Type()->AsVectorType()->YieldType()->Tag();
+
+	TypeTag bt2 = op2->Type()->Tag();
+	if ( IsVector(bt2) )
+		bt2 = op2->Type()->AsVectorType()->YieldType()->Tag();
+
+	if ( is_vector(op1) || is_vector(op2) )
+		SetType(new VectorType(base_type(TYPE_BOOL)));
+	else
+		SetType(base_type(TYPE_BOOL));
+
+	if ( BothArithmetic(bt1, bt2) )
+		PromoteOps(max_type(bt1, bt2));
+
+	else if ( bt1 != bt2 )
+		ExprError("operands must be of the same type");
+
+	else if ( bt1 != TYPE_TIME && bt1 != TYPE_INTERVAL &&
+		  bt1 != TYPE_PORT && bt1 != TYPE_ADDR &&
+		  bt1 != TYPE_STRING )
+		ExprError("illegal comparison");
+	}
+
+Expr* RelExpr::DoSimplify()
+	{
+	if ( same_expr(op1, op2) )
+		{
+		Warn("redundant comparison");
+		// Here we use the fact that the canonical form of
+		// a RelExpr only uses EXPR_LE or EXPR_LT.
+		if ( tag == EXPR_LE )
+			return make_one(type);
+		else
+			return make_zero(type);
+		}
+
+	return this;
+	}
+
+void RelExpr::Canonicize()
+	{
+	if ( tag == EXPR_GT )
+		{
+		SwapOps();
+		tag = EXPR_LT;
+		}
+
+	else if ( tag == EXPR_GE )
+		{
+		SwapOps();
+		tag = EXPR_LE;
+		}
+	}
+
+IMPLEMENT_SERIAL(RelExpr, SER_REL_EXPR);
+
+bool RelExpr::DoSerialize(SerialInfo* info) const
+	{
+	DO_SERIALIZE(SER_REL_EXPR, BinaryExpr);
+	return true;
+	}
+
+bool RelExpr::DoUnserialize(UnserialInfo* info)
+	{
+	DO_UNSERIALIZE(BinaryExpr);
+	return true;
+	}
+
+CondExpr::CondExpr(Expr* arg_op1, Expr* arg_op2, Expr* arg_op3)
+: Expr(EXPR_COND)
+	{
+	op1 = arg_op1;
+	op2 = arg_op2;
+	op3 = arg_op3;
+
+	TypeTag bt1 = op1->Type()->Tag();
+	if ( IsVector(bt1) )
+		bt1 = op1->Type()->AsVectorType()->YieldType()->Tag();
+
+	if ( op1->IsError() || op2->IsError() || op3->IsError() )
+		SetError();
+
+	else if ( bt1 != TYPE_BOOL )
+		ExprError("requires boolean conditional");
+
+	else
+		{
+		TypeTag bt2 = op2->Type()->Tag();
+		if ( is_vector(op2) )
+			bt2 = op2->Type()->AsVectorType()->YieldType()->Tag();
+
+		TypeTag bt3 = op3->Type()->Tag();
+		if ( IsVector(bt3) )
+			bt3 = op3->Type()->AsVectorType()->YieldType()->Tag();
+
+		if ( is_vector(op1) && ! (is_vector(op2) && is_vector(op3)) )
+			{
+			ExprError("vector conditional requires vector alternatives");
+			return;
+			}
+
+		if ( BothArithmetic(bt2, bt3) )
+			{
+			TypeTag t = max_type(bt2, bt3);
+			if ( bt2 != t )
+				op2 = new ArithCoerceExpr(op2, t);
+			if ( bt3 != t )
+				op3 = new ArithCoerceExpr(op3, t);
+
+			if ( is_vector(op2) )
+				SetType(new VectorType(base_type(t)));
+			else
+				SetType(base_type(t));
+			}
+
+		else if ( bt2 != bt3 )
+			ExprError("operands must be of the same type");
+
+		else
+			SetType(op2->Type()->Ref());
+		}
+	}
+
+CondExpr::~CondExpr()
+	{
+	Unref(op1);
+	Unref(op2);
+	Unref(op3);
+	}
+
+Expr* CondExpr::Simplify(SimplifyType /* simp_type */)
+	{
+	op1 = simplify_expr(op1, SIMPLIFY_GENERAL);
+	op2 = simplify_expr(op2, SIMPLIFY_GENERAL);
+	op3 = simplify_expr(op3, SIMPLIFY_GENERAL);
+
+	if ( op1->IsConst() && ! is_vector(op1) )
+		{
+		Val* v = op1->ExprVal();
+		return (v->IsZero() ? op3 : op2)->Ref();
+		}
+
+	if ( op1->Tag() == EXPR_NOT )
+		return new CondExpr(((NotExpr*) op1)->Op()->Ref(),
+					op3->Ref(), op2->Ref());
+
+	return this;
+	}
+
+Val* CondExpr::Eval(Frame* f) const
+	{
+	if ( ! is_vector(op1) )
+		{ // scalar is easy
+		Val* v = op1->Eval(f);
+		int false_eval = v->IsZero();
+		Unref(v);
+
+		return (false_eval ? op3 : op2)->Eval(f);
+		}
+
+	// Vector case: no mixed scalar/vector cases allowed
+	Val* v1 = op1->Eval(f);
+	if ( ! v1 )
+		return 0;
+
+	Val* v2 = op2->Eval(f);
+	if ( ! v2 )
+		return 0;
+
+	Val* v3 = op3->Eval(f);
+	if ( ! v3 )
+		return 0;
+
+	VectorVal* cond = v1->AsVectorVal();
+	VectorVal* a = v2->AsVectorVal();
+	VectorVal* b = v3->AsVectorVal();
+
+	if ( cond->Size() != a->Size() || a->Size() != b->Size() )
+		{
+		RunTime("vectors in conditional expression have different sizes");
+		return 0;
+		}
+
+	VectorVal* result = new VectorVal(Type()->AsVectorType());
+	result->Resize(cond->Size());
+
+	for ( unsigned int i = VECTOR_MIN; i < cond->Size() + VECTOR_MIN; ++i )
+		{
+		Val* local_cond = cond->Lookup(i);
+		if ( local_cond )
+			result->Assign(i,
+				       local_cond->IsZero() ?
+					       b->Lookup(i) : a->Lookup(i),
+				       this);
+		else
+			result->Assign(i, 0, this);
+		}
+
+	return result;
+	}
+
+int CondExpr::IsPure() const
+	{
+	return op1->IsPure() && op2->IsPure() && op3->IsPure();
+	}
+
+TraversalCode CondExpr::Traverse(TraversalCallback* cb) const
+	{
+	TraversalCode tc = cb->PreExpr(this);
+	HANDLE_TC_EXPR_PRE(tc);
+
+	tc = op1->Traverse(cb);
+	HANDLE_TC_EXPR_PRE(tc);
+
+	tc = op2->Traverse(cb);
+	HANDLE_TC_EXPR_PRE(tc);
+
+	tc = op3->Traverse(cb);
+	HANDLE_TC_EXPR_PRE(tc);
+
+	tc = cb->PostExpr(this);
+	HANDLE_TC_EXPR_POST(tc);
+	}
+
+void CondExpr::ExprDescribe(ODesc* d) const
+	{
+	op1->Describe(d);
+	d->AddSP(" ?");
+	op2->Describe(d);
+	d->AddSP(" :");
+	op3->Describe(d);
+	}
+
+IMPLEMENT_SERIAL(CondExpr, SER_COND_EXPR);
+
+bool CondExpr::DoSerialize(SerialInfo* info) const
+	{
+	DO_SERIALIZE(SER_COND_EXPR, Expr);
+	return op1->Serialize(info) && op2->Serialize(info)
+			&& op3->Serialize(info);
+	}
+
+bool CondExpr::DoUnserialize(UnserialInfo* info)
+	{
+	DO_UNSERIALIZE(Expr);
+
+	op1 = Expr::Unserialize(info);
+	if ( ! op1 )
+		return false;
+
+	op2 = Expr::Unserialize(info);
+	if ( ! op2 )
+		return false;
+
+	op3 = Expr::Unserialize(info);
+
+	return op3 != 0;
+	}
+
+RefExpr::RefExpr(Expr* arg_op) : UnaryExpr(EXPR_REF, arg_op)
+	{
+	if ( IsError() )
+		return;
+
+	if ( ! is_assignable(op->Type()) )
+		ExprError("illegal assignment target");
+	else
+		SetType(op->Type()->Ref());
+	}
+
+Expr* RefExpr::MakeLvalue()
+	{
+	return this;
+	}
+
+Val* RefExpr::Eval(Val* v) const
+	{
+	return Fold(v);
+	}
+
+void RefExpr::Assign(Frame* f, Val* v, Opcode opcode)
+	{
+	op->Assign(f, v, opcode);
+	}
+
+IMPLEMENT_SERIAL(RefExpr, SER_REF_EXPR);
+
+bool RefExpr::DoSerialize(SerialInfo* info) const
+	{
+	DO_SERIALIZE(SER_REF_EXPR, UnaryExpr);
+	return true;
+	}
+
+bool RefExpr::DoUnserialize(UnserialInfo* info)
+	{
+	DO_UNSERIALIZE(UnaryExpr);
+	return true;
+	}
+
+AssignExpr::AssignExpr(Expr* arg_op1, Expr* arg_op2, int arg_is_init,
+			Val* arg_val)
+: BinaryExpr(EXPR_ASSIGN,
+		arg_is_init ? arg_op1 : arg_op1->MakeLvalue(), arg_op2)
+	{
+	is_init = arg_is_init;
+
+	if ( IsError() )
+		return;
+
+	SetType(arg_val ? arg_val->Type()->Ref() : op1->Type()->Ref());
+
+	if ( is_init )
+		{
+		SetLocationInfo(arg_op1->GetLocationInfo(),
+				arg_op2->GetLocationInfo());
+		return;
+		}
+
+	// We discard the status from TypeCheck since it has already
+	// generated error messages.
+	(void) TypeCheck();
+
+	val = arg_val ? arg_val->Ref() : 0;
+
+	SetLocationInfo(arg_op1->GetLocationInfo(), arg_op2->GetLocationInfo());
+	}
+
+bool AssignExpr::TypeCheck()
+	{
+	TypeTag bt1 = op1->Type()->Tag();
+	if ( IsVector(bt1) )
+		bt1 = op1->Type()->AsVectorType()->YieldType()->Tag();
+
+	TypeTag bt2 = op2->Type()->Tag();
+	if ( IsVector(bt2) )
+		bt2 = op2->Type()->AsVectorType()->YieldType()->Tag();
+
+	if ( bt1 == TYPE_LIST && bt2 == TYPE_ANY )
+		// This is ok because we cannot explicitly declare lists on
+		// the script level.
+		return true;
+
+	if ( ((bt1 == TYPE_ENUM) ^ (bt2 == TYPE_ENUM)) )
+		{
+		ExprError("can't convert to/from enumerated type");
+		return false;
+		}
+
+	if ( IsArithmetic(bt1) )
+		return TypeCheckArithmetics(bt1, bt2);
+
+	if ( bt1 == TYPE_TIME && IsArithmetic(bt2) && op2->IsZero() )
+		{ // Allow assignments to zero as a special case.
+		op2 = new ArithCoerceExpr(op2, bt1);
+		return true;
+		}
+
+	if ( bt1 == TYPE_TABLE && bt2 == bt1 &&
+	     op2->Type()->AsTableType()->IsUnspecifiedTable() )
+		{
+		op2 = new TableCoerceExpr(op2, op1->Type()->AsTableType());
+		return true;
+		}
+
+	if ( ! same_type(op1->Type(), op2->Type()) )
+		{
+		if ( op1->Type()->Tag() == TYPE_RECORD &&
+		     op2->Type()->Tag() == TYPE_RECORD )
+			op2 = new RecordCoerceExpr(op2, op1->Type()->AsRecordType());
+		else
+			{
+			ExprError("type clash in assignment");
+			return false;
+			}
+		}
+
+	return true;
+	}
+
+bool AssignExpr::TypeCheckArithmetics(TypeTag bt1, TypeTag bt2)
+	{
+	if ( ! IsArithmetic(bt2) )
+		{
+		char err[512];
+		snprintf(err, sizeof(err),
+			"assignment of non-arithmetic value to arithmetic (%s/%s)",
+			 type_name(bt1), type_name(bt2));
+		ExprError(err);
+		return false;
+		}
+
+	if ( bt1 == TYPE_DOUBLE )
+		{
+		PromoteOps(TYPE_DOUBLE);
+		return true;
+		}
+
+	if ( bt2 == TYPE_DOUBLE )
+		{
+		Warn("dangerous assignment of double to integral");
+		op2 = new ArithCoerceExpr(op2, bt1);
+		bt2 = op2->Type()->Tag();
+		}
+
+	if ( bt1 == TYPE_INT )
+		PromoteOps(TYPE_INT);
+	else
+		{
+		if ( bt2 == TYPE_INT )
+			{
+			Warn("dangerous assignment of integer to count");
+			op2 = new ArithCoerceExpr(op2, bt1);
+			bt2 = op2->Type()->Tag();
+			}
+
+		// Assignment of count to counter or vice
+		// versa is allowed, and requires no
+		// coercion.
+		}
+
+	return true;
+	}
+
+
+Expr* AssignExpr::Simplify(SimplifyType /* simp_type */)
+	{
+	op1 = simplify_expr(op1, SIMPLIFY_LHS);
+	op2 = simplify_expr(op2, SIMPLIFY_GENERAL);
+	return this;
+	}
+
+Val* AssignExpr::Eval(Frame* f) const
+	{
+	if ( is_init )
+		{
+		Error("illegal assignment in initialization");
+		return 0;
+		}
+
+	Val* v = op2->Eval(f);
+
+	if ( v )
+		{
+		op1->Assign(f, v);
+		//### op1->SetAttribs();
+		return val ? val->Ref() : v->Ref();
+		}
+	else
+		return 0;
+	}
+
+BroType* AssignExpr::InitType() const
+	{
+	if ( op1->Tag() != EXPR_LIST )
+		{
+		Error("bad initializer");
+		return 0;
+		}
+
+	BroType* tl = op1->Type();
+	if ( tl->Tag() != TYPE_LIST )
+		Internal("inconsistent list expr in AssignExpr::InitType");
+
+	return new TableType(tl->Ref()->AsTypeList(), op2->Type()->Ref());
+	}
+
+void AssignExpr::EvalIntoAggregate(const BroType* t, Val* aggr, Frame* f) const
+	{
+	if ( IsError() )
+		return;
+
+	TypeDecl td(0, 0);
+	if ( IsRecordElement(&td) )
+		{
+		if ( t->Tag() != TYPE_RECORD )
+			{
+			Error("not a record initializer", t);
+			return;
+			}
+
+		const RecordType* rt = t->AsRecordType();
+		int field = rt->FieldOffset(td.id);
+
+		if ( field < 0 )
+			{
+			Error("no such field");
+			return;
+			}
+
+		RecordVal* aggr_r = aggr->AsRecordVal();
+
+		Val* v = op2->Eval(f);
+		if ( v )
+			aggr_r->Assign(field, v);
+
+		return;
+		}
+
+	if ( op1->Tag() != EXPR_LIST )
+		Error("bad table insertion");
+
+	TableVal* tv = aggr->AsTableVal();
+	const TableType* tt = tv->Type()->AsTableType();
+	const BroType* yt = tv->Type()->YieldType();
+
+	Val* index = op1->Eval(f);
+	Val* v = op2->Eval(f);
+	if ( ! index || ! v )
+		return;
+
+	if ( ! tv->Assign(index, v) )
+		Error("type clash in table assignment");
+
+	Unref(index);
+	}
+
+Val* AssignExpr::InitVal(const BroType* t, Val* aggr) const
+	{
+	if ( ! aggr )
+		{
+		Error("assignment in initialization");
+		return 0;
+		}
+
+	if ( IsError() )
+		return 0;
+
+	TypeDecl td(0, 0);
+	if ( IsRecordElement(&td) )
+		{
+		if ( t->Tag() != TYPE_RECORD )
+			{
+			Error("not a record initializer", t);
+			return 0;
+			}
+		const RecordType* rt = t->AsRecordType();
+		int field = rt->FieldOffset(td.id);
+
+		if ( field < 0 )
+			{
+			Error("no such field");
+			return 0;
+			}
+
+		if ( aggr->Type()->Tag() != TYPE_RECORD )
+			Internal("bad aggregate in AssignExpr::InitVal");
+		RecordVal* aggr_r = aggr->AsRecordVal();
+
+		Val* v = op2->InitVal(rt->FieldType(td.id), 0);
+		if ( ! v )
+			return 0;
+
+		aggr_r->Assign(field, v);
+		return v;
+		}
+
+	else if ( op1->Tag() == EXPR_LIST )
+		{
+		if ( t->Tag() != TYPE_TABLE )
+			{
+			Error("not a table initialization", t);
+			return 0;
+			}
+
+		if ( aggr->Type()->Tag() != TYPE_TABLE )
+			Internal("bad aggregate in AssignExpr::InitVal");
+
+		TableVal* tv = aggr->AsTableVal();
+		const TableType* tt = tv->Type()->AsTableType();
+		const BroType* yt = tv->Type()->YieldType();
+		Val* index = op1->InitVal(tt->Indices(), 0);
+		Val* v = op2->InitVal(yt, 0);
+		if ( ! index || ! v )
+			return 0;
+
+		if ( ! tv->ExpandAndInit(index, v) )
+			{
+			Unref(index);
+			Unref(tv);
+			return 0;
+			}
+
+		Unref(index);
+		return tv;
+		}
+
+	else
+		{
+		Error("illegal initializer");
+		return 0;
+		}
+	}
+
+int AssignExpr::IsRecordElement(TypeDecl* td) const
+	{
+	if ( op1->Tag() == EXPR_NAME )
+		{
+		if ( td )
+			{
+			const NameExpr* n = (const NameExpr*) op1;
+			td->type = op2->Type()->Ref();
+			td->id = copy_string(n->Id()->Name());
+			}
+
+		return 1;
+		}
+	else
+		return 0;
+	}
+
+int AssignExpr::IsPure() const
+	{
+	return 0;
+	}
+
+IMPLEMENT_SERIAL(AssignExpr, SER_ASSIGN_EXPR);
+
+bool AssignExpr::DoSerialize(SerialInfo* info) const
+	{
+	DO_SERIALIZE(SER_ASSIGN_EXPR, BinaryExpr);
+	SERIALIZE_OPTIONAL(val);
+	return SERIALIZE(is_init);
+	}
+
+bool AssignExpr::DoUnserialize(UnserialInfo* info)
+	{
+	DO_UNSERIALIZE(BinaryExpr);
+	UNSERIALIZE_OPTIONAL(val, Val::Unserialize(info));
+	return UNSERIALIZE(&is_init);
+	}
+
+IndexExpr::IndexExpr(Expr* arg_op1, ListExpr* arg_op2)
+: BinaryExpr(EXPR_INDEX, arg_op1, arg_op2)
+	{
+	if ( IsError() )
+		return;
+
+	int match_type = op1->Type()->MatchesIndex(arg_op2);
+	if ( match_type == DOES_NOT_MATCH_INDEX )
+		SetError("not an index type");
+
+	else if ( ! op1->Type()->YieldType() )
+		// It's a set - so indexing it yields void.  We don't
+		// directly generate an error message, though, since this
+		// expression might be part of an add/delete statement,
+		// rather than yielding a value.
+		SetType(base_type(TYPE_VOID));
+
+	else if ( match_type == MATCHES_INDEX_SCALAR )
+		SetType(op1->Type()->YieldType()->Ref());
+
+	else if ( match_type == MATCHES_INDEX_VECTOR )
+		SetType(new VectorType(op1->Type()->YieldType()->Ref()));
+
+	else
+		ExprError("Unknown MatchesIndex() return value");
+
+	}
+
+int IndexExpr::CanAdd() const
+	{
+	if ( IsError() )
+		return 1;	// avoid cascading the error report
+
+	// "add" only allowed if our type is "set".
+	return op1->Type()->IsSet();
+	}
+
+int IndexExpr::CanDel() const
+	{
+	if ( IsError() )
+		return 1;	// avoid cascading the error report
+
+	return op1->Type()->Tag() == TYPE_TABLE;
+	}
+
+void IndexExpr::Add(Frame* f)
+	{
+	if ( IsError() )
+		return;
+
+	Val* v1 = op1->Eval(f);
+	if ( ! v1 )
+		return;
+
+	Val* v2 = op2->Eval(f);
+	if ( ! v2 )
+		{
+		Unref(v1);
+		return;
+		}
+
+	v1->AsTableVal()->Assign(v2, 0);
+
+	Unref(v1);
+	Unref(v2);
+	}
+
+void IndexExpr::Delete(Frame* f)
+	{
+	if ( IsError() )
+		return;
+
+	Val* v1 = op1->Eval(f);
+	if ( ! v1 )
+		return;
+
+	Val* v2 = op2->Eval(f);
+	if ( ! v2 )
+		{
+		Unref(v1);
+		return;
+		}
+
+	Unref(v1->AsTableVal()->Delete(v2));
+
+	Unref(v1);
+	Unref(v2);
+	}
+
+Expr* IndexExpr::MakeLvalue()
+	{
+	return new RefExpr(this);
+	}
+
+Expr* IndexExpr::Simplify(SimplifyType simp_type)
+	{
+	op1 = simplify_expr(op1, simp_type);
+	op2 = simplify_expr(op2, SIMPLIFY_GENERAL);
+	return this;
+	}
+
+Val* IndexExpr::Eval(Frame* f) const
+	{
+	Val* v1 = op1->Eval(f);
+	if ( ! v1 )
+		return 0;
+
+	Val* v2 = op2->Eval(f);
+	if ( ! v2 )
+		{
+		Unref(v1);
+		return 0;
+		}
+
+	Val* result;
+
+	Val* indv = v2->AsListVal()->Index(0);
+	if ( is_vector(indv) )
+		{
+		VectorVal* v_v1 = v1->AsVectorVal();
+		VectorVal* v_v2 = indv->AsVectorVal();
+		VectorVal* v_result = new VectorVal(Type()->AsVectorType());
+		result = v_result;
+
+		// Booleans select each element (or not).
+		if ( IsBool(v_v2->Type()->YieldType()->Tag()) )
+			{
+			if ( v_v1->Size() != v_v2->Size() )
+				{
+				RunTime("size mismatch, boolean index and vector");
+				return 0;
+				}
+
+			for ( unsigned int i = VECTOR_MIN;
+			      i < v_v2->Size() + VECTOR_MIN; ++i )
+				{
+				if ( v_v2->Lookup(i)->AsBool() )
+					v_result->Assign(v_result->Size() + 1, v_v1->Lookup(i), this);
+				}
+			}
+		else
+			{ // The elements are indices.
+			// ### Should handle negative indices here like
+			// S does, i.e., by excluding those elements.
+			// Probably only do this if *all* are negative.
+			v_result->Resize(v_v2->Size());
+			for ( unsigned int i = VECTOR_MIN;
+			      i < v_v2->Size() + VECTOR_MIN; ++i )
+				v_result->Assign(i, v_v1->Lookup(v_v2->Lookup(i)->CoerceToInt()), this);
+			}
+		}
+	else
+		result = Fold(v1, v2);
+
+	Unref(v1);
+	Unref(v2);
+	return result;
+	}
+
+Val* IndexExpr::Fold(Val* v1, Val* v2) const
+	{
+	if ( IsError() )
+		return 0;
+
+	if ( v1->Type()->Tag() == TYPE_VECTOR )
+		{
+		Val* v = v1->AsVectorVal()->Lookup(v2);
+		// ### dangerous - this can silently fail larger operations
+		// due to a missing element
+		return v ? v->Ref() : 0;
+		}
+
+	TableVal* v_tbl = v1->AsTableVal();
+	Val* v = v_tbl->Lookup(v2);
+
+	if ( v )
+		return v->Ref();
+
+	RunTime("no such index");
+	return 0;
+	}
+
+void IndexExpr::Assign(Frame* f, Val* v, Opcode op)
+	{
+	if ( IsError() )
+		return;
+
+	Val* v1 = op1->Eval(f);
+	if ( ! v1 )
+		return;
+
+	Val* v2 = op2->Eval(f);
+
+	if ( ! v1 || ! v2 )
+		{
+		Unref(v1);
+		Unref(v2);
+		return;
+		}
+
+	if ( v1->Type()->Tag() == TYPE_VECTOR )
+		{
+		if ( ! v1->AsVectorVal()->Assign(v2, v, this, op) )
+			Internal("assignment failed");
+		}
+
+	else if ( ! v1->AsTableVal()->Assign(v2, v, op) )
+		Internal("assignment failed");
+
+	Unref(v1);
+	Unref(v2);
+	}
+
+void IndexExpr::ExprDescribe(ODesc* d) const
+	{
+	op1->Describe(d);
+	if ( d->IsReadable() )
+		d->Add("[");
+
+	op2->Describe(d);
+	if ( d->IsReadable() )
+		d->Add("]");
+	}
+
+TraversalCode IndexExpr::Traverse(TraversalCallback* cb) const
+	{
+	TraversalCode tc = cb->PreExpr(this);
+	HANDLE_TC_EXPR_PRE(tc);
+
+	tc = op1->Traverse(cb);
+	HANDLE_TC_EXPR_PRE(tc);
+
+	tc = op2->Traverse(cb);
+	HANDLE_TC_EXPR_PRE(tc);
+
+	tc = cb->PostExpr(this);
+	HANDLE_TC_EXPR_POST(tc);
+	}
+
+
+IMPLEMENT_SERIAL(IndexExpr, SER_INDEX_EXPR);
+
+bool IndexExpr::DoSerialize(SerialInfo* info) const
+	{
+	DO_SERIALIZE(SER_INDEX_EXPR, BinaryExpr);
+	return true;
+	}
+
+bool IndexExpr::DoUnserialize(UnserialInfo* info)
+	{
+	DO_UNSERIALIZE(BinaryExpr);
+	return true;
+	}
+
+FieldExpr::FieldExpr(Expr* arg_op, const char* arg_field_name)
+: UnaryExpr(EXPR_FIELD, arg_op)
+	{
+	field_name = copy_string(arg_field_name);
+	td = 0;
+	field = 0;
+
+	if ( IsError() )
+		return;
+
+	if ( streq(arg_field_name, "attr") )
+		{
+		field = -1;
+		SetType(op->Type()->AttributesType()->Ref());
+		return;
+		}
+
+	if ( ! IsRecord(op->Type()->Tag()) )
+		ExprError("not a record");
+	else
+		{
+		RecordType* rt = op->Type()->AsRecordType();
+		field = rt->FieldOffset(field_name);
+		td = rt->FieldDecl(field);
+
+		if ( field < 0 )
+			ExprError("no such field in record");
+		else
+			SetType(rt->FieldType(field)->Ref());
+		}
+	}
+
+FieldExpr::~FieldExpr()
+	{
+	delete [] field_name;
+	}
+
+Expr* FieldExpr::MakeLvalue()
+	{
+	return new RefExpr(this);
+	}
+
+Expr* FieldExpr::Simplify(SimplifyType simp_type)
+	{
+	op = simplify_expr(op, simp_type);
+	return this;
+	}
+
+void FieldExpr::Assign(Frame* f, Val* v, Opcode opcode)
+	{
+	if ( IsError() || ! v )
+		return;
+
+	if ( field < 0 )
+		{
+		Val* lhs = op->Eval(f);
+		lhs->SetAttribs(v->AsRecordVal());
+		Unref(lhs);
+		return;
+		}
+
+	Val* op_v = op->Eval(f);
+	if ( op_v )
+		{
+		RecordVal* r = op_v->AsRecordVal();
+		r->Assign(field, v, opcode);
+		Unref(r);
+		}
+	}
+
+Val* FieldExpr::Fold(Val* v) const
+	{
+	if ( field < 0 )
+		return v->GetAttribs(true)->Ref();
+
+	Val* result = v->AsRecordVal()->Lookup(field);
+	if ( result )
+		return result->Ref();
+
+	// Check for &default.
+	const Attr* def_attr = td ? td->FindAttr(ATTR_DEFAULT) : 0;
+	if ( def_attr )
+		return def_attr->AttrExpr()->Eval(0);
+	else
+		{
+		Internal("field value missing");
+		return 0;
+		}
+	}
+
+void FieldExpr::ExprDescribe(ODesc* d) const
+	{
+	op->Describe(d);
+	if ( d->IsReadable() )
+		d->Add("$");
+
+	if ( IsError() )
+		d->Add("<error>");
+	else if ( d->IsReadable() )
+		d->Add(field_name);
+	else
+		d->Add(field);
+	}
+
+IMPLEMENT_SERIAL(FieldExpr, SER_FIELD_EXPR);
+
+bool FieldExpr::DoSerialize(SerialInfo* info) const
+	{
+	DO_SERIALIZE(SER_FIELD_EXPR, UnaryExpr);
+
+	if ( ! (SERIALIZE(field_name) && SERIALIZE(field) ) )
+		return false;
+
+	return td->Serialize(info);
+	}
+
+bool FieldExpr::DoUnserialize(UnserialInfo* info)
+	{
+	DO_UNSERIALIZE(UnaryExpr);
+
+	if ( ! (UNSERIALIZE_STR(&field_name, 0) && UNSERIALIZE(&field) ) )
+		return false;
+
+	td = TypeDecl::Unserialize(info);
+	return td != 0;
+	}
+
+HasFieldExpr::HasFieldExpr(Expr* arg_op, const char* arg_field_name,
+			   bool arg_is_attr)
+: UnaryExpr(EXPR_HAS_FIELD, arg_op)
+	{
+	field_name = arg_field_name;
+	is_attr = arg_is_attr;
+	field = 0;
+
+	if ( IsError() )
+		return;
+
+	if ( ! is_attr && ! IsRecord(op->Type()->Tag()) )
+		ExprError("not a record");
+	else
+		{
+		RecordType* rt = is_attr ?
+					op->Type()->AttributesType() :
+					op->Type()->AsRecordType();
+		field = rt->FieldOffset(field_name);
+
+		if ( field < 0 )
+			ExprError("no such field in record");
+
+		SetType(base_type(TYPE_BOOL));
+		}
+	}
+
+HasFieldExpr::~HasFieldExpr()
+	{
+	delete field_name;
+	}
+
+Val* HasFieldExpr::Fold(Val* v) const
+	{
+	RecordVal* rec_to_look_at;
+
+	if ( is_attr )
+		rec_to_look_at = v->GetAttribs(false);
+	else
+		rec_to_look_at = v->AsRecordVal();
+
+	if ( ! rec_to_look_at )
+		return new Val(0, TYPE_BOOL);
+
+	RecordVal* r = rec_to_look_at->Ref()->AsRecordVal();
+	Val* ret = new Val(r->Lookup(field) != 0, TYPE_BOOL);
+	Unref(r);
+
+	return ret;
+	}
+
+void HasFieldExpr::ExprDescribe(ODesc* d) const
+	{
+	op->Describe(d);
+
+	if ( d->IsReadable() )
+		{
+		if ( is_attr )
+			d->Add("?$$");
+		else
+			d->Add("?$");
+		}
+
+	if ( IsError() )
+		d->Add("<error>");
+	else if ( d->IsReadable() )
+		d->Add(field_name);
+	else
+		d->Add(field);
+	}
+
+IMPLEMENT_SERIAL(HasFieldExpr, SER_HAS_FIELD_EXPR);
+
+bool HasFieldExpr::DoSerialize(SerialInfo* info) const
+	{
+	DO_SERIALIZE(SER_HAS_FIELD_EXPR, UnaryExpr);
+	return SERIALIZE(is_attr) && SERIALIZE(field_name) && SERIALIZE(field);
+	}
+
+bool HasFieldExpr::DoUnserialize(UnserialInfo* info)
+	{
+	DO_UNSERIALIZE(UnaryExpr);
+	return UNSERIALIZE(&is_attr) && UNSERIALIZE_STR(&field_name, 0) && UNSERIALIZE(&field);
+	}
+
+RecordConstructorExpr::RecordConstructorExpr(ListExpr* constructor_list)
+: UnaryExpr(EXPR_RECORD_CONSTRUCTOR, constructor_list)
+	{
+	if ( IsError() )
+		return;
+
+	// Spin through the list, which should be comprised of
+	// either record's or record-field-assign, and build up a
+	// record type to associate with this constructor.
+	type_decl_list* record_types = new type_decl_list;
+
+	const expr_list& exprs = constructor_list->Exprs();
+	loop_over_list(exprs, i)
+		{
+		Expr* e = exprs[i];
+		BroType* t = e->Type();
+
+		if ( e->Tag() == EXPR_FIELD_ASSIGN )
+			{
+			FieldAssignExpr* field = (FieldAssignExpr*) e;
+
+			BroType* field_type = field->Type()->Ref();
+			char* field_name = copy_string(field->FieldName());
+
+			record_types->append(new TypeDecl(field_type, field_name));
+			continue;
+			}
+
+		if ( t->Tag() != TYPE_RECORD )
+			{
+			Error("bad type in record constructor", e);
+			SetError();
+			continue;
+			}
+
+		// It's a record - add in its fields.
+		const RecordType* rt = t->AsRecordType();
+		int n = rt->NumFields();
+		for ( int j = 0; j < n; ++j )
+			{
+			const TypeDecl* td = rt->FieldDecl(j);
+			record_types->append(new TypeDecl(td->type->Ref(), td->id));
+			}
+		}
+
+	SetType(new RecordType(record_types));
+	}
+
+Val* RecordConstructorExpr::InitVal(const BroType* t, Val* aggr) const
+	{
+	if ( ! aggr )
+		aggr = new RecordVal(const_cast<RecordType*>(t->AsRecordType()));
+
+	if ( record_promotion_compatible(t->AsRecordType(), Type()->AsRecordType()) )
+		{
+		RecordVal* ar = aggr->AsRecordVal();
+		RecordType* ar_t = aggr->Type()->AsRecordType();
+
+		RecordVal* rv = Eval(0)->AsRecordVal();
+		RecordType* rv_t = rv->Type()->AsRecordType();
+
+		int i;
+		for ( i = 0; i < rv_t->NumFields(); ++i )
+			{
+			int t_i = ar_t->FieldOffset(rv_t->FieldName(i));
+
+			if ( t_i < 0 )
+				{
+				char buf[512];
+				safe_snprintf(buf, sizeof(buf),
+					      "orphan field \"%s\" in initialization",
+					      rv_t->FieldName(i));
+				Error(buf);
+				break;
+				}
+
+			else
+				ar->Assign(t_i, rv->Lookup(i)->Ref());
+			}
+
+		for ( i = 0; i < ar_t->NumFields(); ++i )
+			if ( ! ar->Lookup(i) &&
+			     ! ar_t->FieldDecl(i)->FindAttr(ATTR_OPTIONAL) )
+				{
+				char buf[512];
+				safe_snprintf(buf, sizeof(buf),
+					      "non-optional field \"%s\" missing in initialization", ar_t->FieldName(i));
+				Error(buf);
+				}
+
+		Unref(rv);
+
+		return ar;
+		}
+
+	else
+		{
+		Error("bad record initializer");
+		return 0;
+		}
+	}
+
+Val* RecordConstructorExpr::Fold(Val* v) const
+	{
+	ListVal* lv = v->AsListVal();
+	RecordType* rt = type->AsRecordType();
+
+	if ( lv->Length() != rt->NumFields() )
+		Internal("inconsistency evaluating record constructor");
+
+	RecordVal* rv = new RecordVal(rt);
+
+	for ( int i = 0; i < lv->Length(); ++i )
+		rv->Assign(i, lv->Index(i)->Ref());
+
+	return rv;
+	}
+
+void RecordConstructorExpr::ExprDescribe(ODesc* d) const
+	{
+	d->Add("[");
+	op->Describe(d);
+	d->Add("]");
+	}
+
+IMPLEMENT_SERIAL(RecordConstructorExpr, SER_RECORD_CONSTRUCTOR_EXPR);
+
+bool RecordConstructorExpr::DoSerialize(SerialInfo* info) const
+	{
+	DO_SERIALIZE(SER_RECORD_CONSTRUCTOR_EXPR, UnaryExpr);
+	return true;
+	}
+
+bool RecordConstructorExpr::DoUnserialize(UnserialInfo* info)
+	{
+	DO_UNSERIALIZE(UnaryExpr);
+	return true;
+	}
+
+TableConstructorExpr::TableConstructorExpr(ListExpr* constructor_list,
+						attr_list* arg_attrs)
+: UnaryExpr(EXPR_TABLE_CONSTRUCTOR, constructor_list)
+	{
+	if ( IsError() )
+		return;
+
+	if ( constructor_list->Exprs().length() == 0 )
+		SetType(new TableType(new TypeList(base_type(TYPE_ANY)), 0));
+	else
+		{
+		SetType(init_type(constructor_list));
+
+		if ( ! type )
+			SetError();
+
+		else if ( type->Tag() != TYPE_TABLE ||
+			  type->AsTableType()->IsSet() )
+			SetError("values in table(...) constructor do not specify a table");
+		}
+
+	attrs = arg_attrs ? new Attributes(arg_attrs, type) : 0;
+	}
+
+Val* TableConstructorExpr::Eval(Frame* f) const
+	{
+	if ( IsError() )
+		return 0;
+
+	Val* aggr = new TableVal(Type()->AsTableType(), attrs);
+	const expr_list& exprs = op->AsListExpr()->Exprs();
+
+	loop_over_list(exprs, i)
+		exprs[i]->EvalIntoAggregate(type, aggr, f);
+
+	return aggr;
+	}
+
+Val* TableConstructorExpr::InitVal(const BroType* t, Val* aggr) const
+	{
+	if ( IsError() )
+		return 0;
+
+	return op->InitVal(t, aggr);
+	}
+
+void TableConstructorExpr::ExprDescribe(ODesc* d) const
+	{
+	d->Add("table(");
+	op->Describe(d);
+	d->Add(")");
+	}
+
+IMPLEMENT_SERIAL(TableConstructorExpr, SER_TABLE_CONSTRUCTOR_EXPR);
+
+bool TableConstructorExpr::DoSerialize(SerialInfo* info) const
+	{
+	DO_SERIALIZE(SER_TABLE_CONSTRUCTOR_EXPR, UnaryExpr);
+	SERIALIZE_OPTIONAL(attrs);
+	return true;
+	}
+
+bool TableConstructorExpr::DoUnserialize(UnserialInfo* info)
+	{
+	DO_UNSERIALIZE(UnaryExpr);
+	UNSERIALIZE_OPTIONAL(attrs, Attributes::Unserialize(info));
+	return true;
+	}
+
+SetConstructorExpr::SetConstructorExpr(ListExpr* constructor_list,
+					attr_list* arg_attrs)
+: UnaryExpr(EXPR_SET_CONSTRUCTOR, constructor_list)
+	{
+	if ( IsError() )
+		return;
+
+	if ( constructor_list->Exprs().length() == 0 )
+		SetType(new ::SetType(new TypeList(base_type(TYPE_ANY)), 0));
+	else
+		SetType(init_type(constructor_list));
+
+	if ( ! type )
+		SetError();
+
+	else if ( type->Tag() != TYPE_TABLE || ! type->AsTableType()->IsSet() )
+		SetError("values in set(...) constructor do not specify a set");
+
+	attrs = arg_attrs ? new Attributes(arg_attrs, type) : 0;
+	}
+
+Val* SetConstructorExpr::Eval(Frame* f) const
+	{
+	if ( IsError() )
+		return 0;
+
+	TableVal* aggr = new TableVal(type->AsTableType(), 0);
+	const expr_list& exprs = op->AsListExpr()->Exprs();
+
+	loop_over_list(exprs, i)
+		{
+		Val* element = exprs[i]->Eval(f);
+		aggr->Assign(element, 0);
+		}
+
+	aggr->AsTableVal()->SetAttrs(attrs);
+
+	return aggr;
+	}
+
+Val* SetConstructorExpr::InitVal(const BroType* t, Val* aggr) const
+	{
+	if ( IsError() )
+		return 0;
+
+	return op->InitVal(t, aggr);
+	}
+
+void SetConstructorExpr::ExprDescribe(ODesc* d) const
+	{
+	d->Add("set(");
+	op->Describe(d);
+	d->Add(")");
+	}
+
+IMPLEMENT_SERIAL(SetConstructorExpr, SER_SET_CONSTRUCTOR_EXPR);
+
+bool SetConstructorExpr::DoSerialize(SerialInfo* info) const
+	{
+	DO_SERIALIZE(SER_SET_CONSTRUCTOR_EXPR, UnaryExpr);
+	SERIALIZE_OPTIONAL(attrs);
+	return true;
+	}
+
+bool SetConstructorExpr::DoUnserialize(UnserialInfo* info)
+	{
+	DO_UNSERIALIZE(UnaryExpr);
+	UNSERIALIZE_OPTIONAL(attrs, Attributes::Unserialize(info));
+	return true;
+	}
+
+VectorConstructorExpr::VectorConstructorExpr(ListExpr* constructor_list)
+: UnaryExpr(EXPR_VECTOR_CONSTRUCTOR, constructor_list)
+	{
+	if ( IsError() )
+		return;
+
+	BroType* t = merge_type_list(constructor_list);
+	if ( t )
+		{
+		SetType(new VectorType(t->Ref()));
+
+		if ( ! check_and_promote_exprs_to_type(constructor_list, t) )
+			ExprError("inconsistent types in vector constructor");
+
+		Unref(t);
+		}
+	else
+		SetError();
+	}
+
+Val* VectorConstructorExpr::Eval(Frame* f) const
+	{
+	if ( IsError() )
+		return 0;
+
+	VectorVal* vec = new VectorVal(Type()->AsVectorType());
+	const expr_list& exprs = op->AsListExpr()->Exprs();
+
+	loop_over_list(exprs, i)
+		{
+		Expr* e = exprs[i];
+		Val* v = e->Eval(f);
+		if ( ! vec->Assign(i + VECTOR_MIN, v, e) )
+			{
+			Error(fmt("type mismatch at index %d", i + VECTOR_MIN), e);
+			return 0;
+			}
+		}
+
+	return vec;
+	}
+
+Val* VectorConstructorExpr::InitVal(const BroType* t, Val* aggr) const
+	{
+	if ( IsError() )
+		return 0;
+
+	VectorVal* vec = aggr->AsVectorVal();
+	const BroType* vt = vec->Type()->AsVectorType()->YieldType();
+	const expr_list& exprs = op->AsListExpr()->Exprs();
+
+	loop_over_list(exprs, i)
+		{
+		Expr* e = exprs[i];
+		Val* v = check_and_promote(e->Eval(0), vt, 1);
+
+		if ( ! v || ! vec->Assign(i + VECTOR_MIN, v, e) )
+			{
+			Error(fmt("initialization type mismatch at index %d", i + VECTOR_MIN), e);
+			return 0;
+			}
+		}
+
+	return vec;
+	}
+
+void VectorConstructorExpr::ExprDescribe(ODesc* d) const
+	{
+	d->Add("vector(");
+	op->Describe(d);
+	d->Add(")");
+	}
+
+IMPLEMENT_SERIAL(VectorConstructorExpr, SER_VECTOR_CONSTRUCTOR_EXPR);
+
+bool VectorConstructorExpr::DoSerialize(SerialInfo* info) const
+	{
+	DO_SERIALIZE(SER_VECTOR_CONSTRUCTOR_EXPR, UnaryExpr);
+	return true;
+	}
+
+bool VectorConstructorExpr::DoUnserialize(UnserialInfo* info)
+	{
+	DO_UNSERIALIZE(UnaryExpr);
+	return true;
+	}
+
+FieldAssignExpr::FieldAssignExpr(const char* arg_field_name, Expr* value)
+: UnaryExpr(EXPR_FIELD_ASSIGN, value), field_name(arg_field_name)
+	{
+	op->Ref();
+	SetType(value->Type()->Ref());
+	}
+
+void FieldAssignExpr::EvalIntoAggregate(const BroType* t, Val* aggr, Frame* f)
+	const
+	{
+	if ( IsError() )
+		return;
+
+	RecordVal* rec = aggr->AsRecordVal();
+	const RecordType* rt = t->AsRecordType();
+	Val* v = op->Eval(f);
+
+	if ( v )
+		rec->Assign(rt->FieldOffset(field_name.c_str()), v);
+	}
+
+int FieldAssignExpr::IsRecordElement(TypeDecl* td) const
+	{
+	if ( td )
+		{
+		td->type = op->Type()->Ref();
+		td->id = copy_string(field_name.c_str());
+		}
+
+	return 1;
+	}
+
+void FieldAssignExpr::ExprDescribe(ODesc* d) const
+	{
+	d->Add("$");
+	d->Add(FieldName());
+	d->Add("=");
+	op->Describe(d);
+	}
+
+IMPLEMENT_SERIAL(FieldAssignExpr, SER_FIELD_ASSIGN_EXPR);
+
+bool FieldAssignExpr::DoSerialize(SerialInfo* info) const
+	{
+	DO_SERIALIZE(SER_FIELD_ASSIGN_EXPR, UnaryExpr);
+	return true;
+	}
+
+bool FieldAssignExpr::DoUnserialize(UnserialInfo* info)
+	{
+	DO_UNSERIALIZE(UnaryExpr);
+	return true;
+	}
+
+RecordMatchExpr::RecordMatchExpr(Expr* op1 /* record to match */,
+					Expr* op2 /* cases to match against */)
+: BinaryExpr(EXPR_MATCH, op1, op2)
+	{
+	BroType* result_type = 0;
+
+	// Make sure the second argument is of a suitable type.
+	if ( ! op2->Type()->IsSet() )
+		{
+		ExprError("matching must be done against a set of match records");
+		return;
+		}
+
+	type_list* elt_types = op2->Type()->AsSetType()->Indices()->Types();
+
+	if ( ! elt_types->length() ||
+	     (*elt_types)[0]->Tag() != TYPE_RECORD )
+		{
+		ExprError("matching must be done against a set of match records");
+		return;
+		}
+
+	RecordType* case_rec_type = (*elt_types)[0]->AsRecordType();
+
+	// NOTE: The "result" and "pred" field names are hardcoded here.
+	result_field_index = case_rec_type->FieldOffset("result");
+
+	if ( result_field_index < 0 )
+		{
+		ExprError("match records must have a $result field");
+		return;
+		}
+
+	result_type = case_rec_type->FieldType("result")->Ref();
+
+	// Check that pred exists, and that the first argument matches it.
+	if ( (pred_field_index = case_rec_type->FieldOffset("pred")) < 0 ||
+	     case_rec_type->FieldType("pred")->Tag() != TYPE_FUNC )
+		{
+		ExprError("match records must have a $pred' field of function type");
+		return;
+		}
+
+	FuncType* pred_type = case_rec_type->FieldType("pred")->AsFuncType();
+	type_list* pred_arg_types = pred_type->ArgTypes()->Types();
+	if ( pred_arg_types->length() != 1 ||
+	     ! check_and_promote_expr(op1, (*pred_arg_types)[0]) )
+		ExprError("record to match does not have the same type as predicate argument");
+
+	// NOTE: The "priority" field name is hardcoded here.
+	if ( (priority_field_index = case_rec_type->FieldOffset("priority")) >= 0 &&
+	     ! IsArithmetic(case_rec_type->FieldType("priority")->Tag()) )
+		ExprError("$priority field must have a numeric type");
+
+	SetType(result_type);
+	}
+
+void RecordMatchExpr::ExprDescribe(ODesc* d) const
+	{
+	if ( d->IsReadable() )
+		{
+		d->Add("match ");
+		op1->Describe(d);
+		d->Add(" using ");
+		op2->Describe(d);
+		}
+	}
+
+Val* RecordMatchExpr::Fold(Val* v1, Val* v2) const
+	{
+	TableVal* match_set = v2->AsTableVal();
+	if ( ! match_set )
+		Internal("non-table in RecordMatchExpr");
+
+	Val* return_val = 0;
+	double highest_priority = -1e100;
+
+	ListVal* match_recs = match_set->ConvertToList(TYPE_ANY);
+	for ( int i = 0; i < match_recs->Length(); ++i )
+		{
+		val_list args(1);
+		args.append(v1->Ref());
+
+		double this_priority = 0;
+
+		// ### Get rid of the double Index if TYPE_ANY->TYPE_RECORD.
+		Val* v = match_recs->Index(i)->AsListVal()->Index(0);
+
+		const RecordVal* match_rec = v->AsRecordVal();
+		if ( ! match_rec )
+			Internal("Element of match set is not a record");
+
+		if ( priority_field_index >= 0 )
+			{
+			this_priority =
+				match_rec->Lookup(priority_field_index)->CoerceToDouble();
+			if ( this_priority <= highest_priority )
+				{
+				Unref(v1);
+				continue;
+				}
+			}
+
+		Val* pred_val =
+			match_rec->Lookup(pred_field_index)->AsFunc()->Call(&args);
+		bool is_zero = pred_val->IsZero();
+		Unref(pred_val);
+
+		if ( ! is_zero )
+			{
+			Val* new_return_val =
+				match_rec->Lookup(result_field_index);
+
+			Unref(return_val);
+			return_val = new_return_val->Ref();
+
+			if ( priority_field_index >= 0 )
+				highest_priority = this_priority;
+			else
+				break;
+			}
+		}
+
+	Unref(match_recs);
+
+	return return_val;
+	}
+
+IMPLEMENT_SERIAL(RecordMatchExpr, SER_RECORD_MATCH_EXPR);
+
+bool RecordMatchExpr::DoSerialize(SerialInfo* info) const
+	{
+	DO_SERIALIZE(SER_RECORD_MATCH_EXPR, BinaryExpr);
+	return SERIALIZE(pred_field_index) && SERIALIZE(result_field_index) &&
+		SERIALIZE(priority_field_index);
+	}
+
+bool RecordMatchExpr::DoUnserialize(UnserialInfo* info)
+	{
+	DO_UNSERIALIZE(BinaryExpr);
+	return UNSERIALIZE(&pred_field_index) && UNSERIALIZE(&result_field_index) &&
+		UNSERIALIZE(&priority_field_index);
+	}
+
+ArithCoerceExpr::ArithCoerceExpr(Expr* arg_op, TypeTag t)
+: UnaryExpr(EXPR_ARITH_COERCE, arg_op)
+	{
+	if ( IsError() )
+		return;
+
+	TypeTag bt = op->Type()->Tag();
+	TypeTag vbt = bt;
+
+	if ( IsVector(bt) )
+		{
+		SetType(new VectorType(base_type(t)));
+		vbt = op->Type()->AsVectorType()->YieldType()->Tag();
+		}
+	else
+		SetType(base_type(t));
+
+	if ( (bt == TYPE_ENUM) != (t == TYPE_ENUM) )
+		ExprError("can't convert to/from enumerated type");
+
+	else if ( ! IsArithmetic(t) && ! IsBool(t) &&
+		  t != TYPE_TIME && t != TYPE_INTERVAL )
+		ExprError("bad coercion");
+
+	else if ( ! IsArithmetic(bt) && ! IsBool(bt) &&
+		  ! IsArithmetic(vbt) && ! IsBool(vbt) )
+		ExprError("bad coercion value");
+	}
+
+Expr* ArithCoerceExpr::DoSimplify()
+	{
+	if ( is_vector(op) )
+		return this;
+
+	InternalTypeTag my_int = type->InternalType();
+	InternalTypeTag op_int = op->Type()->InternalType();
+
+	if ( my_int == TYPE_INTERNAL_UNSIGNED )
+		my_int = TYPE_INTERNAL_INT;
+	if ( op_int == TYPE_INTERNAL_UNSIGNED )
+		op_int = TYPE_INTERNAL_INT;
+
+	if ( my_int == op_int )
+		return op->Ref();
+
+	if ( op->IsConst() )
+		{
+		if ( my_int == TYPE_INTERNAL_INT )
+			{
+			if ( op_int != TYPE_INTERNAL_DOUBLE )
+				Internal("bad coercion in CoerceExpr::DoSimplify");
+			double d = op->ExprVal()->InternalDouble();
+			bro_int_t i = bro_int_t(d);
+
+			if ( i < 0 &&
+			     type->InternalType() == TYPE_INTERNAL_UNSIGNED )
+				Warn("coercion produces negative count value");
+
+			if ( d != double(i) )
+				Warn("coercion loses precision");
+
+			return new ConstExpr(new Val(i, type->Tag()));
+			}
+
+		if ( my_int == TYPE_INTERNAL_DOUBLE )
+			{
+			if ( op_int == TYPE_INTERNAL_INT )
+				{
+				bro_int_t i = op->ExprVal()->InternalInt();
+				double d = double(i);
+
+				if ( i != bro_int_t(d) )
+					Warn("coercion loses precision");
+
+				return new ConstExpr(new Val(d, type->Tag()));
+				}
+
+			if ( op_int == TYPE_INTERNAL_UNSIGNED )
+				{
+				bro_uint_t u = op->ExprVal()->InternalUnsigned();
+				double d = double(u);
+
+				if ( u != (bro_uint_t) (d) )
+					Warn("coercion loses precision");
+
+				return new ConstExpr(new Val(d, type->Tag()));
+				}
+
+			}
+
+		Internal("bad coercion in CoerceExpr::DoSimplify");
+		}
+
+	return this;
+	}
+
+Val* ArithCoerceExpr::FoldSingleVal(Val* v, InternalTypeTag t) const
+	{
+	switch ( t ) {
+	case TYPE_INTERNAL_DOUBLE:
+		return new Val(v->CoerceToDouble(), TYPE_DOUBLE);
+
+	case TYPE_INTERNAL_INT:
+		return new Val(v->CoerceToInt(), TYPE_INT);
+
+	case TYPE_INTERNAL_UNSIGNED:
+		return new Val(v->CoerceToUnsigned(), TYPE_COUNT);
+
+	default:
+		Internal("bad type in CoerceExpr::Fold");
+		return 0;
+	}
+	}
+
+Val* ArithCoerceExpr::Fold(Val* v) const
+	{
+	InternalTypeTag t = type->InternalType();
+
+	if ( ! is_vector(v) )
+		{
+		// Our result type might be vector, in which case this
+		// invocation is being done per-element rather than on
+		// the whole vector.  Correct the type tag if necessary.
+		if ( type->Tag() == TYPE_VECTOR )
+			t = Type()->AsVectorType()->YieldType()->InternalType();
+		return FoldSingleVal(v, t);
+		}
+
+	t = Type()->AsVectorType()->YieldType()->InternalType();
+
+	VectorVal* vv = v->AsVectorVal();
+	VectorVal* result = new VectorVal(Type()->AsVectorType());
+	for ( unsigned int i = VECTOR_MIN; i < vv->Size() + VECTOR_MIN; ++i )
+		{
+		Val* elt = vv->Lookup(i);
+		if ( elt )
+			result->Assign(i, FoldSingleVal(elt, t), this);
+		else
+			result->Assign(i, 0, this);
+		}
+
+	return result;
+	}
+
+IMPLEMENT_SERIAL(ArithCoerceExpr, SER_ARITH_COERCE_EXPR);
+
+bool ArithCoerceExpr::DoSerialize(SerialInfo* info) const
+	{
+	DO_SERIALIZE(SER_ARITH_COERCE_EXPR, UnaryExpr);
+	return true;
+	}
+
+bool ArithCoerceExpr::DoUnserialize(UnserialInfo* info)
+	{
+	DO_UNSERIALIZE(UnaryExpr);
+	return true;
+	}
+
+
+RecordCoerceExpr::RecordCoerceExpr(Expr* op, RecordType* r)
+: UnaryExpr(EXPR_RECORD_COERCE, op)
+	{
+	map_size = 0;
+	map = 0;
+
+	if ( IsError() )
+		return;
+
+	SetType(r->Ref());
+
+	if ( Type()->Tag() != TYPE_RECORD )
+		ExprError("coercion to non-record");
+
+	else if ( op->Type()->Tag() != TYPE_RECORD )
+		ExprError("coercion of non-record to record");
+
+	else
+		{
+		RecordType* t_r = type->AsRecordType();
+		RecordType* sub_r = op->Type()->AsRecordType();
+
+		map_size = t_r->NumFields();
+		map = new int[map_size];
+
+		int i;
+		for ( i = 0; i < map_size; ++i )
+			map[i] = -1;	// -1 = field is not mapped
+
+		for ( i = 0; i < sub_r->NumFields(); ++i )
+			{
+			int t_i = t_r->FieldOffset(sub_r->FieldName(i));
+			if ( t_i < 0 )
+				{
+				// Same as in RecordConstructorExpr::InitVal.
+				char buf[512];
+				safe_snprintf(buf, sizeof(buf),
+					      "orphan record field \"%s\"",
+					      sub_r->FieldName(i));
+				Error(buf);
+				continue;
+				}
+
+			BroType* sub_t_i = sub_r->FieldType(i);
+			BroType* sup_t_i = t_r->FieldType(t_i);
+
+			if ( ! same_type(sup_t_i, sub_t_i) )
+				{
+				char buf[512];
+				safe_snprintf(buf, sizeof(buf),
+					      "type clash for field \"%s\"", sub_r->FieldName(i));
+				Error(buf, sub_t_i);
+				SetError();
+				break;
+				}
+
+			map[t_i] = i;
+			}
+
+		for ( i = 0; i < map_size; ++i )
+			if ( map[i] == -1 &&
+			     ! t_r->FieldDecl(i)->FindAttr(ATTR_OPTIONAL) )
+				{
+				char buf[512];
+				safe_snprintf(buf, sizeof(buf),
+					      "non-optional field \"%s\" missing", t_r->FieldName(i));
+				Error(buf);
+				SetError();
+				break;
+				}
+		}
+	}
+
+RecordCoerceExpr::~RecordCoerceExpr()
+	{
+	delete [] map;
+	}
+
+Val* RecordCoerceExpr::Fold(Val* v) const
+	{
+	RecordVal* val = new RecordVal(Type()->Ref()->AsRecordType());
+	RecordVal* rv = v->AsRecordVal();
+
+	for ( int i = 0; i < map_size; ++i )
+		{
+		if ( map[i] >= 0 )
+			val->Assign(i, rv->Lookup(map[i])->Ref());
+		else
+			val->Assign(i, 0);
+		}
+
+	return val;
+	}
+
+IMPLEMENT_SERIAL(RecordCoerceExpr, SER_RECORD_COERCE_EXPR);
+
+bool RecordCoerceExpr::DoSerialize(SerialInfo* info) const
+	{
+	DO_SERIALIZE(SER_RECORD_COERCE_EXPR, UnaryExpr);
+
+	if ( ! SERIALIZE(map_size) )
+		return false;
+
+	for ( int i = 0; i < map_size; ++i )
+		if ( ! SERIALIZE(map[i]) )
+			return false;
+
+	return true;
+	}
+
+bool RecordCoerceExpr::DoUnserialize(UnserialInfo* info)
+	{
+	DO_UNSERIALIZE(UnaryExpr);
+
+	if ( ! UNSERIALIZE(&map_size) )
+		return false;
+
+	map = new int[map_size];
+
+	for ( int i = 0; i < map_size; ++i )
+		if ( ! UNSERIALIZE(&map[i]) )
+			return false;
+
+	return true;
+	}
+
+
+TableCoerceExpr::TableCoerceExpr(Expr* op, TableType* r)
+: UnaryExpr(EXPR_TABLE_COERCE, op)
+	{
+	if ( IsError() )
+		return;
+
+	SetType(r->Ref());
+
+	if ( Type()->Tag() != TYPE_TABLE )
+		ExprError("coercion to non-table");
+
+	else if ( op->Type()->Tag() != TYPE_TABLE )
+		ExprError("coercion of non-table/set to table/set");
+	}
+
+
+TableCoerceExpr::~TableCoerceExpr()
+	{
+	}
+
+Val* TableCoerceExpr::Fold(Val* v) const
+	{
+	TableVal* tv = v->AsTableVal();
+
+	if ( tv->Size() > 0 )
+		Internal("coercion of non-empty table/set");
+
+	return new TableVal(Type()->Ref()->AsTableType(), tv->Attrs());
+	}
+
+IMPLEMENT_SERIAL(TableCoerceExpr, SER_TABLE_COERCE_EXPR);
+
+bool TableCoerceExpr::DoSerialize(SerialInfo* info) const
+	{
+	DO_SERIALIZE(SER_TABLE_COERCE_EXPR, UnaryExpr);
+	return true;
+	}
+
+bool TableCoerceExpr::DoUnserialize(UnserialInfo* info)
+	{
+	DO_UNSERIALIZE(UnaryExpr);
+	return true;
+	}
+
+FlattenExpr::FlattenExpr(Expr* arg_op)
+: UnaryExpr(EXPR_FLATTEN, arg_op)
+	{
+	if ( IsError() )
+		return;
+
+	BroType* t = op->Type();
+	if ( t->Tag() != TYPE_RECORD )
+		Internal("bad type in FlattenExpr::FlattenExpr");
+
+	RecordType* rt = t->AsRecordType();
+	num_fields = rt->NumFields();
+
+	TypeList* tl = new TypeList();
+	for ( int i = 0; i < num_fields; ++i )
+		tl->Append(rt->FieldType(i)->Ref());
+
+	Unref(rt);
+	SetType(tl);
+	}
+
+Val* FlattenExpr::Fold(Val* v) const
+	{
+	RecordVal* rv = v->AsRecordVal();
+	ListVal* l = new ListVal(TYPE_ANY);
+
+	for ( int i = 0; i < num_fields; ++i )
+		{
+		Val* fv = rv->Lookup(i);
+
+		if ( fv )
+			{
+			l->Append(fv->Ref());
+			continue;
+			}
+
+		const RecordType* rv_t = rv->Type()->AsRecordType();
+		const Attr* fa = rv_t->FieldDecl(i)->FindAttr(ATTR_DEFAULT);
+		if ( fa )
+			l->Append(fa->AttrExpr()->Eval(0));
+
+		else
+			Internal("missing field value");
+		}
+
+	return l;
+	}
+
+IMPLEMENT_SERIAL(FlattenExpr, SER_FLATTEN_EXPR);
+
+bool FlattenExpr::DoSerialize(SerialInfo* info) const
+	{
+	DO_SERIALIZE(SER_FLATTEN_EXPR, UnaryExpr);
+	return SERIALIZE(num_fields);
+	}
+
+bool FlattenExpr::DoUnserialize(UnserialInfo* info)
+	{
+	DO_UNSERIALIZE(UnaryExpr);
+	return UNSERIALIZE(&num_fields);
+	}
+
+ScheduleTimer::ScheduleTimer(EventHandlerPtr arg_event, val_list* arg_args,
+				double t, TimerMgr* arg_tmgr)
+: Timer(t, TIMER_SCHEDULE)
+	{
+	event = arg_event;
+	args = arg_args;
+	tmgr = arg_tmgr;
+	}
+
+ScheduleTimer::~ScheduleTimer()
+	{
+	}
+
+void ScheduleTimer::Dispatch(double /* t */, int /* is_expire */)
+	{
+	mgr.QueueEvent(event, args, SOURCE_LOCAL, 0, tmgr);
+	}
+
+ScheduleExpr::ScheduleExpr(Expr* arg_when, EventExpr* arg_event)
+: Expr(EXPR_SCHEDULE)
+	{
+	when = arg_when;
+	event = arg_event;
+
+	if ( IsError() || when->IsError() || event->IsError() )
+		return;
+
+	TypeTag bt = when->Type()->Tag();
+	if ( bt != TYPE_TIME && bt != TYPE_INTERVAL )
+		ExprError("schedule expression requires a time or time interval");
+	else
+		SetType(base_type(TYPE_TIMER));
+	}
+
+ScheduleExpr::~ScheduleExpr()
+	{
+	Unref(when);
+	Unref(event);
+	}
+
+int ScheduleExpr::IsPure() const
+	{
+	return 0;
+	}
+
+Expr* ScheduleExpr::Simplify(SimplifyType simp_type)
+	{
+	when = when->Simplify(simp_type);
+	Expr* generic_event = event->Simplify(simp_type);
+
+	if ( ! generic_event )
+		return 0;
+
+	if ( generic_event->Tag() != EXPR_CALL )
+		Internal("bad event type in ScheduleExpr::Simplify");
+
+	event = (EventExpr*) generic_event;
+
+	return this;
+	}
+
+Val* ScheduleExpr::Eval(Frame* f) const
+	{
+	if ( terminating )
+		return 0;
+
+	Val* when_val = when->Eval(f);
+	if ( ! when_val )
+		return 0;
+
+	double dt = when_val->InternalDouble();
+	if ( when->Type()->Tag() == TYPE_INTERVAL )
+		dt += network_time;
+
+	val_list* args = eval_list(f, event->Args());
+
+	if ( args )
+		{
+		TimerMgr* tmgr = mgr.CurrentTimerMgr();
+		tmgr->Add(new ScheduleTimer(event->Handler(), args, dt, tmgr));
+		}
+
+	Unref(when_val);
+
+	return 0;
+	}
+
+TraversalCode ScheduleExpr::Traverse(TraversalCallback* cb) const
+	{
+	TraversalCode tc = cb->PreExpr(this);
+	HANDLE_TC_EXPR_PRE(tc);
+
+	tc = when->Traverse(cb);
+	HANDLE_TC_EXPR_PRE(tc);
+
+	tc = event->Traverse(cb);
+	HANDLE_TC_EXPR_PRE(tc);
+
+	tc = cb->PostExpr(this);
+	HANDLE_TC_EXPR_POST(tc);
+	}
+
+void ScheduleExpr::ExprDescribe(ODesc* d) const
+	{
+	if ( d->IsReadable() )
+		d->AddSP("schedule");
+
+	when->Describe(d);
+	d->SP();
+
+	if ( d->IsReadable() )
+		{
+		d->Add("{");
+		d->PushIndent();
+		event->Describe(d);
+		d->PopIndent();
+		d->Add("}");
+		}
+	else
+		event->Describe(d);
+	}
+
+IMPLEMENT_SERIAL(ScheduleExpr, SER_SCHEDULE_EXPR);
+
+bool ScheduleExpr::DoSerialize(SerialInfo* info) const
+	{
+	DO_SERIALIZE(SER_SCHEDULE_EXPR, Expr);
+	return when->Serialize(info) && event->Serialize(info);
+	}
+
+bool ScheduleExpr::DoUnserialize(UnserialInfo* info)
+	{
+	DO_UNSERIALIZE(Expr);
+
+	when = Expr::Unserialize(info);
+	if ( ! when )
+		return false;
+
+	event = (EventExpr*) Expr::Unserialize(info, EXPR_EVENT);
+	return event != 0;
+	}
+
+InExpr::InExpr(Expr* arg_op1, Expr* arg_op2)
+: BinaryExpr(EXPR_IN, arg_op1, arg_op2)
+	{
+	if ( IsError() )
+		return;
+
+	if ( op1->Type()->Tag() == TYPE_PATTERN )
+		{
+		if ( op2->Type()->Tag() != TYPE_STRING )
+			{
+			op2->Type()->Error("pattern requires string index", op1);
+			SetError();
+			}
+		else
+			SetType(base_type(TYPE_BOOL));
+		}
+
+	else if ( op1->Type()->Tag() == TYPE_RECORD )
+		{
+		if ( op2->Type()->Tag() != TYPE_TABLE )
+			{
+			op2->Type()->Error("table/set required");
+			SetError();
+			}
+
+		else
+			{
+			const BroType* t1 = op1->Type();
+			const TypeList* it =
+				op2->Type()->AsTableType()->Indices();
+
+			if ( ! same_type(t1, it) )
+				{
+				t1->Error("indexing mismatch", op2->Type());
+				SetError();
+				}
+			else
+				SetType(base_type(TYPE_BOOL));
+			}
+		}
+
+	else if ( op1->Type()->Tag() == TYPE_STRING &&
+		  op2->Type()->Tag() == TYPE_STRING )
+		SetType(base_type(TYPE_BOOL));
+
+	else
+		{
+		// Check for:	<addr> in <subnet>
+		//		<addr> in set[subnet]
+		//		<addr> in table[subnet] of ...
+		if ( op1->Type()->Tag() == TYPE_ADDR )
+			{
+			if ( op2->Type()->Tag() == TYPE_SUBNET )
+				{
+				SetType(base_type(TYPE_BOOL));
+				return;
+				}
+
+			if ( op2->Type()->Tag() == TYPE_TABLE &&
+			     op2->Type()->AsTableType()->IsSubNetIndex() )
+				{
+				SetType(base_type(TYPE_BOOL));
+				return;
+				}
+			}
+
+		if ( op1->Tag() != EXPR_LIST )
+			op1 = new ListExpr(op1);
+
+		ListExpr* lop1 = op1->AsListExpr();
+
+		if ( ! op2->Type()->MatchesIndex(lop1) )
+			SetError("not an index type");
+		else
+			{
+			op1 = lop1;
+			SetType(base_type(TYPE_BOOL));
+			}
+		}
+	}
+
+Val* InExpr::Fold(Val* v1, Val* v2) const
+	{
+	if ( v1->Type()->Tag() == TYPE_PATTERN )
+		{
+		RE_Matcher* re = v1->AsPattern();
+		const BroString* s = v2->AsString();
+		return new Val(re->MatchAnywhere(s) != 0, TYPE_BOOL);
+		}
+
+	if ( v2->Type()->Tag() == TYPE_STRING )
+		{
+		const BroString* s1 = v1->AsString();
+		const BroString* s2 = v2->AsString();
+
+		// Could do better here - either roll our own, to deal with
+		// NULs, and/or Boyer-Moore if done repeatedly.
+		return new Val(strstr(s2->CheckString(), s1->CheckString()) != 0, TYPE_BOOL);
+		}
+
+	if ( v1->Type()->Tag() == TYPE_ADDR &&
+	     v2->Type()->Tag() == TYPE_SUBNET )
+		return new Val(v2->AsSubNetVal()->Contains(v1->AsAddr()), TYPE_BOOL);
+
+	TableVal* vt = v2->AsTableVal();
+	if ( vt->Lookup(v1, false) )
+		return new Val(1, TYPE_BOOL);
+	else
+		return new Val(0, TYPE_BOOL);
+	}
+
+IMPLEMENT_SERIAL(InExpr, SER_IN_EXPR);
+
+bool InExpr::DoSerialize(SerialInfo* info) const
+	{
+	DO_SERIALIZE(SER_IN_EXPR, BinaryExpr);
+	return true;
+	}
+
+bool InExpr::DoUnserialize(UnserialInfo* info)
+	{
+	DO_UNSERIALIZE(BinaryExpr);
+	return true;
+	}
+
+CallExpr::CallExpr(Expr* arg_func, ListExpr* arg_args)
+: Expr(EXPR_CALL)
+	{
+	func = arg_func;
+	args = arg_args;
+
+	if ( func->IsError() || args->IsError() )
+		{
+		SetError();
+		return;
+		}
+
+	BroType* func_type = func->Type();
+	if ( ! IsFunc(func_type->Tag()) )
+		{
+		func->Error("not a function");
+		SetError();
+		return;
+		}
+
+	if ( ! func_type->MatchesIndex(args) )
+		SetError("argument type mismatch in function call");
+	else
+		{
+		BroType* yield = func_type->YieldType();
+
+		if ( ! yield )
+			{
+			Error("event called in expression");
+			SetError();
+			}
+		else
+			SetType(yield->Ref());
+
+		// Check for call to built-ins that can be statically
+		// analyzed.
+		Val* func_val;
+		if ( func->Tag() == EXPR_NAME &&
+		     // This is cheating, but without it processing gets
+		     // quite confused regarding "value used but not set"
+		     // run-time errors when we apply this analysis during
+		     // parsing.  Really we should instead do it after we've
+		     // parsed the entire set of scripts.
+		     streq(((NameExpr*) func)->Id()->Name(), "fmt") &&
+		     // The following is needed because fmt might not yet
+		     // be bound as a name.
+		     did_builtin_init &&
+		     (func_val = func->Eval(0)) )
+			{
+			::Func* f = func_val->AsFunc();
+			if ( f->GetKind() == Func::BUILTIN_FUNC &&
+			     ! check_built_in_call((BuiltinFunc*) f, this) )
+				SetError();
+			}
+		}
+	}
+
+CallExpr::~CallExpr()
+	{
+	Unref(func);
+	Unref(args);
+	}
+
+int CallExpr::IsPure() const
+	{
+	if ( IsError() )
+		return 1;
+
+	if ( ! func->IsPure() )
+		return 0;
+
+	Val* func_val = func->Eval(0);
+	if ( ! func_val )
+		return 0;
+
+	::Func* f = func_val->AsFunc();
+
+	// Only recurse for built-in functions, as recursing on script
+	// functions can lead to infinite recursion if the function being
+	// called here happens to be recursive (either directly
+	// or indirectly).
+	int pure = 0;
+	if ( f->GetKind() == Func::BUILTIN_FUNC )
+		pure = f->IsPure() && args->IsPure();
+	Unref(func_val);
+
+	return pure;
+	}
+
+Expr* CallExpr::Simplify(SimplifyType /* simp_type */)
+	{
+	if ( IsError() )
+		return this;
+
+	func = simplify_expr(func, SIMPLIFY_GENERAL);
+	args = simplify_expr_list(args, SIMPLIFY_GENERAL);
+
+	if ( IsPure() )
+		return new ConstExpr(Eval(0));
+	else
+		return this;
+	}
+
+Val* CallExpr::Eval(Frame* f) const
+	{
+	if ( IsError() )
+		return 0;
+
+	// If we are inside a trigger condition, we may have already been
+	// called, delayed, and then produced a result which is now cached.
+	// Check for that.
+	if ( f )
+		{
+		Trigger* trigger = f->GetTrigger();
+
+		if ( trigger )
+			{
+			Val* v = trigger->Lookup(this);
+			if ( v )
+				{
+				DBG_LOG(DBG_NOTIFIERS,
+					"%s: provides cached function result",
+					trigger->Name());
+				return v->Ref();
+				}
+			}
+		}
+
+	Val* ret = 0;
+	Val* func_val = func->Eval(f);
+	val_list* v = eval_list(f, args);
+
+	if ( func_val && v )
+		{
+		const ::Func* func = func_val->AsFunc();
+		calling_expr = this;
+
+		if ( f )
+			f->SetCall(this);
+		ret = func->Call(v, f);
+		if ( f )
+			f->ClearCall();
+		// Don't Unref() the arguments, as Func::Call already did that.
+		delete v;
+
+		calling_expr = 0;
+		}
+	else
+		delete_vals(v);
+
+	Unref(func_val);
+
+	return ret;
+	}
+
+TraversalCode CallExpr::Traverse(TraversalCallback* cb) const
+	{
+	TraversalCode tc = cb->PreExpr(this);
+	HANDLE_TC_EXPR_PRE(tc);
+
+	tc = func->Traverse(cb);
+	HANDLE_TC_EXPR_PRE(tc);
+
+	tc = args->Traverse(cb);
+	HANDLE_TC_EXPR_PRE(tc);
+
+	tc = cb->PostExpr(this);
+	HANDLE_TC_EXPR_POST(tc);
+	}
+
+void CallExpr::ExprDescribe(ODesc* d) const
+	{
+	func->Describe(d);
+	if ( d->IsReadable() || d->IsPortable() )
+		{
+		d->Add("(");
+		args->Describe(d);
+		d->Add(")");
+		}
+	else
+		args->Describe(d);
+	}
+
+IMPLEMENT_SERIAL(CallExpr, SER_CALL_EXPR);
+
+bool CallExpr::DoSerialize(SerialInfo* info) const
+	{
+	DO_SERIALIZE(SER_CALL_EXPR, Expr);
+	return func->Serialize(info) && args->Serialize(info);
+	}
+
+bool CallExpr::DoUnserialize(UnserialInfo* info)
+	{
+	DO_UNSERIALIZE(Expr);
+
+	func = Expr::Unserialize(info);
+	if ( ! func )
+		return false;
+
+	args = (ListExpr*) Expr::Unserialize(info, EXPR_LIST);
+	return args != 0;
+	}
+
+EventExpr::EventExpr(const char* arg_name, ListExpr* arg_args)
+: Expr(EXPR_EVENT)
+	{
+	name = arg_name;
+	args = arg_args;
+
+	EventHandler* h = event_registry->Lookup(name.c_str());
+	if ( ! h )
+		{
+		h = new EventHandler(name.c_str());
+		event_registry->Register(h);
+		}
+
+	h->SetUsed();
+
+	handler = h;
+
+	if ( args->IsError() )
+		{
+		SetError();
+		return;
+		}
+
+	FuncType* func_type = h->FType();
+	if ( ! func_type )
+		{
+		Error("not an event");
+		SetError();
+		return;
+		}
+
+	if ( ! func_type->MatchesIndex(args) )
+		SetError("argument type mismatch in event invocation");
+	else
+		{
+		if ( func_type->YieldType() )
+			{
+			Error("function invoked as an event");
+			SetError();
+			}
+		}
+	}
+
+EventExpr::~EventExpr()
+	{
+	Unref(args);
+	}
+
+Expr* EventExpr::Simplify(SimplifyType /* simp_type */)
+	{
+	if ( ! IsError() )
+		args = simplify_expr_list(args, SIMPLIFY_GENERAL);
+
+	return this;
+	}
+
+Val* EventExpr::Eval(Frame* f) const
+	{
+	if ( IsError() )
+		return 0;
+
+	val_list* v = eval_list(f, args);
+	mgr.QueueEvent(handler, v);
+
+	return 0;
+	}
+
+TraversalCode EventExpr::Traverse(TraversalCallback* cb) const
+	{
+	TraversalCode tc = cb->PreExpr(this);
+	HANDLE_TC_EXPR_PRE(tc);
+
+	tc = args->Traverse(cb);
+	HANDLE_TC_EXPR_PRE(tc);
+
+	tc = cb->PostExpr(this);
+	HANDLE_TC_EXPR_POST(tc);
+	}
+
+void EventExpr::ExprDescribe(ODesc* d) const
+	{
+	d->Add(name.c_str());
+	if ( d->IsReadable() || d->IsPortable() )
+		{
+		d->Add("(");
+		args->Describe(d);
+		d->Add(")");
+		}
+	else
+		args->Describe(d);
+	}
+
+IMPLEMENT_SERIAL(EventExpr, SER_EVENT_EXPR);
+
+bool EventExpr::DoSerialize(SerialInfo* info) const
+	{
+	DO_SERIALIZE(SER_EVENT_EXPR, Expr);
+
+	if ( ! handler->Serialize(info) )
+		return false;
+
+	return SERIALIZE(name) && args->Serialize(info);
+	}
+
+bool EventExpr::DoUnserialize(UnserialInfo* info)
+	{
+	DO_UNSERIALIZE(Expr);
+
+	EventHandler* h = EventHandler::Unserialize(info);
+	if ( ! h )
+		return false;
+
+	handler = h;
+
+	if ( ! UNSERIALIZE(&name) )
+		return false;
+
+	args = (ListExpr*) Expr::Unserialize(info, EXPR_LIST);
+	return args;
+	}
+
+ListExpr::ListExpr() : Expr(EXPR_LIST)
+	{
+	SetType(new TypeList());
+	}
+
+ListExpr::ListExpr(Expr* e) : Expr(EXPR_LIST)
+	{
+	SetType(new TypeList());
+	Append(e);
+	}
+
+ListExpr::~ListExpr()
+	{
+	loop_over_list(exprs, i)
+		Unref(exprs[i]);
+	}
+
+void ListExpr::Append(Expr* e)
+	{
+	exprs.append(e);
+	((TypeList*) type)->Append(e->Type()->Ref());
+	}
+
+int ListExpr::IsPure() const
+	{
+	loop_over_list(exprs, i)
+		if ( ! exprs[i]->IsPure() )
+			return 0;
+
+	return 1;
+	}
+
+int ListExpr::AllConst() const
+	{
+	loop_over_list(exprs, i)
+		if ( ! exprs[i]->IsConst() )
+			return 0;
+
+	return 1;
+	}
+
+Expr* ListExpr::Simplify(SimplifyType /* simp_type */)
+	{
+	loop_over_list(exprs, i)
+		exprs.replace(i, simplify_expr(exprs[i], SIMPLIFY_GENERAL));
+
+	// Note that we do *not* simplify a list with one element
+	// to just that element.  The assumption that simplify_expr(ListExpr*)
+	// returns a ListExpr* is widespread.
+	return this;
+	}
+
+Val* ListExpr::Eval(Frame* f) const
+	{
+	ListVal* v = new ListVal(TYPE_ANY);
+
+	loop_over_list(exprs, i)
+		{
+		Val* ev = exprs[i]->Eval(f);
+		if ( ! ev )
+			{
+			RunTime("uninitialized list value");
+			return 0;
+			}
+
+		v->Append(ev);
+		}
+
+	return v;
+	}
+
+BroType* ListExpr::InitType() const
+	{
+	if ( exprs.length() == 0 )
+		{
+		Error("empty list in untyped initialization");
+		return 0;
+		}
+
+	if ( exprs[0]->IsRecordElement(0) )
+		{
+		type_decl_list* types = new type_decl_list;
+		loop_over_list(exprs, i)
+			{
+			TypeDecl* td = new TypeDecl(0, 0);
+			if ( ! exprs[i]->IsRecordElement(td) )
+				{
+				exprs[i]->Error("record element expected");
+				delete td;
+				delete types;
+				return 0;
+				}
+
+			types->append(td);
+			}
+
+		return new RecordType(types);
+		}
+
+	else
+		{
+		TypeList* tl = new TypeList();
+		loop_over_list(exprs, i)
+			{
+			Expr* e = exprs[i];
+			BroType* ti = e->Type();
+
+			// Collapse any embedded sets or lists.
+			if ( ti->IsSet() || ti->Tag() == TYPE_LIST )
+				{
+				TypeList* til = ti->IsSet() ?
+					ti->AsSetType()->Indices() :
+					ti->AsTypeList();
+
+				if ( ! til->IsPure() ||
+				     ! til->AllMatch(til->PureType(), 1) )
+					tl->Append(til->Ref());
+				else
+					tl->Append(til->PureType()->Ref());
+				}
+			else
+				tl->Append(ti->Ref());
+			}
+
+		return tl;
+		}
+	}
+
+Val* ListExpr::InitVal(const BroType* t, Val* aggr) const
+	{
+	// While fairly similar to the EvalIntoAggregate() code,
+	// we keep this separate since it also deals with initialization
+	// idioms such as embedded aggregates and cross-product
+	// expansion.
+	if ( IsError() )
+		return 0;
+
+	// Check whether each element of this list itself matches t,
+	// in which case we should expand as a ListVal.
+	if ( ! aggr && type->AsTypeList()->AllMatch(t, 1) )
+		{
+		ListVal* v = new ListVal(TYPE_ANY);
+
+		loop_over_list(exprs, i)
+			{
+			Val* vi = exprs[i]->InitVal(t, 0);
+			if ( ! vi )
+				{
+				Unref(v);
+				return 0;
+				}
+			v->Append(vi);
+			}
+		return v;
+		}
+
+	if ( t->Tag() == TYPE_LIST )
+		{
+		if ( aggr )
+			{
+			Error("bad use of list in initialization", t);
+			return 0;
+			}
+
+		const type_list* tl = t->AsTypeList()->Types();
+		if ( exprs.length() != tl->length() )
+			{
+			Error("index mismatch", t);
+			return 0;
+			}
+
+		ListVal* v = new ListVal(TYPE_ANY);
+		loop_over_list(exprs, i)
+			{
+			Val* vi = exprs[i]->InitVal((*tl)[i], 0);
+			if ( ! vi )
+				{
+				Unref(v);
+				return 0;
+				}
+			v->Append(vi);
+			}
+		return v;
+		}
+
+	if ( t->Tag() != TYPE_RECORD && t->Tag() != TYPE_TABLE &&
+	     t->Tag() != TYPE_VECTOR )
+		{
+		if ( exprs.length() == 1 )
+			// Allow "global x:int = { 5 }"
+			return exprs[0]->InitVal(t, aggr);
+		else
+			{
+			Error("aggregate initializer for scalar type", t);
+			return 0;
+			}
+		}
+
+	if ( ! aggr )
+		Internal("missing aggregate in ListExpr::InitVal");
+
+	if ( t->IsSet() )
+		return AddSetInit(t, aggr);
+
+	if ( t->Tag() == TYPE_VECTOR )
+		{
+		// v: vector = [10, 20, 30];
+		VectorVal* vec = aggr->AsVectorVal();
+
+		loop_over_list(exprs, i)
+			{
+			Expr* e = exprs[i];
+			Val* v = e->Eval(0);
+			if ( ! vec->Assign(i + VECTOR_MIN, v, e) )
+				{
+				e->Error(fmt("type mismatch at index %d",  i + VECTOR_MIN));
+				return 0;
+				}
+
+			Unref(v);
+			}
+
+		return aggr;
+		}
+
+	// If we got this far, then it's either a table or record
+	// initialization.  Both of those involve AssignExpr's, which
+	// know how to add themselves to a table or record.  Another
+	// possibility is an expression that evaluates itself to a
+	// table, which we can then add to the aggregate.
+	loop_over_list(exprs, i)
+		{
+		Expr* e = exprs[i];
+
+		if ( e->Tag() == EXPR_ASSIGN || e->Tag() == EXPR_FIELD_ASSIGN )
+			{
+			if ( ! e->InitVal(t, aggr) )
+				return 0;
+			}
+		else
+			{
+			if ( t->Tag() == TYPE_RECORD )
+				{
+				e->Error("bad record initializer", t);
+				return 0;
+				}
+
+			Val* v = e->Eval(0);
+			if ( ! same_type(v->Type(), t) )
+				{
+				v->Type()->Error("type clash in table initializer", t);
+				return 0;
+				}
+
+			if ( ! v->AsTableVal()->AddTo(aggr->AsTableVal(), 1) )
+				return 0;
+			}
+		}
+
+	return aggr;
+	}
+
+Val* ListExpr::AddSetInit(const BroType* t, Val* aggr) const
+	{
+	if ( aggr->Type()->Tag() != TYPE_TABLE )
+		Internal("bad aggregate in ListExpr::InitVal");
+
+	TableVal* tv = aggr->AsTableVal();
+	const TableType* tt = tv->Type()->AsTableType();
+	const TypeList* it = tt->Indices();
+
+	loop_over_list(exprs, i)
+		{
+		Val* element;
+
+		if ( exprs[i]->Type()->IsSet() )
+			// A set to flatten.
+			element = exprs[i]->Eval(0);
+		else if ( exprs[i]->Type()->Tag() == TYPE_LIST )
+			element = exprs[i]->InitVal(it, 0);
+		else
+			element = exprs[i]->InitVal((*it->Types())[0], 0);
+
+		if ( ! element )
+			return 0;
+
+		if ( element->Type()->IsSet() )
+			{
+			if ( ! same_type(element->Type(), t) )
+				{
+				element->Error("type clash in set initializer", t);
+				return 0;
+				}
+
+			if ( ! element->AsTableVal()->AddTo(tv, 1) )
+				return 0;
+
+			continue;
+			}
+
+		if ( exprs[i]->Type()->Tag() == TYPE_LIST )
+			element = check_and_promote(element, it, 1);
+		else
+			element = check_and_promote(element, (*it->Types())[0], 1);
+
+		if ( ! element )
+			return 0;
+
+		if ( ! tv->ExpandAndInit(element, 0) )
+			{
+			Unref(element);
+			Unref(tv);
+			return 0;
+			}
+
+		Unref(element);
+		}
+
+	return tv;
+	}
+
+void ListExpr::ExprDescribe(ODesc* d) const
+	{
+	d->AddCount(exprs.length());
+
+	loop_over_list(exprs, i)
+		{
+		if ( (d->IsReadable() || d->IsPortable()) && i > 0 )
+			d->Add(", ");
+
+		exprs[i]->Describe(d);
+		}
+	}
+
+Expr* ListExpr::MakeLvalue()
+	{
+	loop_over_list(exprs, i)
+		if ( exprs[i]->Tag() != EXPR_NAME )
+			ExprError("can only assign to list of identifiers");
+
+	return new RefExpr(this);
+	}
+
+void ListExpr::Assign(Frame* f, Val* v, Opcode op)
+	{
+	ListVal* lv = v->AsListVal();
+
+	if ( exprs.length() != lv->Vals()->length() )
+		ExprError("mismatch in list lengths");
+
+	loop_over_list(exprs, i)
+		exprs[i]->Assign(f, (*lv->Vals())[i]->Ref(), op);
+
+	Unref(lv);
+	}
+
+TraversalCode ListExpr::Traverse(TraversalCallback* cb) const
+	{
+	TraversalCode tc = cb->PreExpr(this);
+	HANDLE_TC_EXPR_PRE(tc);
+
+	loop_over_list(exprs, i)
+		{
+		exprs[i]->Traverse(cb);
+		HANDLE_TC_EXPR_PRE(tc);
+		}
+
+	tc = cb->PostExpr(this);
+	HANDLE_TC_EXPR_POST(tc);
+	}
+
+IMPLEMENT_SERIAL(ListExpr, SER_LIST_EXPR);
+
+bool ListExpr::DoSerialize(SerialInfo* info) const
+	{
+	DO_SERIALIZE(SER_LIST_EXPR, Expr);
+
+	if ( ! SERIALIZE(exprs.length()) )
+		return false;
+
+	loop_over_list(exprs, i)
+		if ( ! exprs[i]->Serialize(info) )
+			return false;
+
+	return true;
+	}
+
+bool ListExpr::DoUnserialize(UnserialInfo* info)
+	{
+	DO_UNSERIALIZE(Expr);
+
+	int len;
+	if ( ! UNSERIALIZE(&len) )
+		return false;
+
+	while ( len-- )
+		{
+		Expr* e = Expr::Unserialize(info);
+		if ( ! e )
+			return false;
+
+		exprs.append(e);
+		}
+
+	return true;
+	}
+
+RecordAssignExpr::RecordAssignExpr(Expr* record, Expr* init_list, int is_init)
+	{
+	const expr_list& inits = init_list->AsListExpr()->Exprs();
+
+	RecordType* lhs = record->Type()->AsRecordType();
+
+	// The inits have two forms:
+	// 1) other records -- use all matching field names+types
+	// 2) a string indicating the field name, then (as the next element)
+	//    the value to use for that field.
+
+	for ( int i = 0; i < inits.length(); ++i )
+		{
+		if ( inits[i]->Type()->Tag() == TYPE_RECORD )
+			{
+			RecordType* t = inits[i]->Type()->AsRecordType();
+
+			for ( int j = 0; j < t->NumFields(); ++j )
+				{
+				const char* field_name = t->FieldName(j);
+				int field = lhs->FieldOffset(field_name);
+
+				if ( field >= 0 &&
+				     same_type(lhs->FieldType(field), t->FieldType(j)) )
+					{
+					FieldExpr* fe_lhs = new FieldExpr(record, field_name);
+					FieldExpr* fe_rhs = new FieldExpr(inits[i], field_name);
+					Append(get_assign_expr(fe_lhs->Ref(), fe_rhs->Ref(), is_init));
+					}
+				}
+			}
+
+		else if ( inits[i]->Tag() == EXPR_FIELD_ASSIGN )
+			{
+			FieldAssignExpr* rf = (FieldAssignExpr*) inits[i];
+			rf->Ref();
+
+			const char* field_name = ""; // rf->FieldName();
+			if ( lhs->HasField(field_name) )
+				{
+				FieldExpr* fe_lhs = new FieldExpr(record, field_name);
+				Expr* fe_rhs = rf->Op();
+				Append(get_assign_expr(fe_lhs->Ref(), fe_rhs, is_init));
+				}
+			else
+				{
+				string s = "No such field '";
+				s += field_name;
+				s += "'";
+				init_list->SetError(s.c_str());
+				}
+			}
+
+		else
+			{
+			init_list->SetError("bad record initializer");
+			return;
+			}
+		}
+	}
+
+IMPLEMENT_SERIAL(RecordAssignExpr, SER_RECORD_ASSIGN_EXPR);
+
+bool RecordAssignExpr::DoSerialize(SerialInfo* info) const
+	{
+	DO_SERIALIZE(SER_RECORD_ASSIGN_EXPR, ListExpr);
+	return true;
+	}
+
+bool RecordAssignExpr::DoUnserialize(UnserialInfo* info)
+	{
+	DO_UNSERIALIZE(ListExpr);
+	return true;
+	}
+
+Expr* get_assign_expr(Expr* op1, Expr* op2, int is_init)
+	{
+	if ( op1->Type()->Tag() == TYPE_RECORD &&
+	     op2->Type()->Tag() == TYPE_LIST )
+		return new RecordAssignExpr(op1, op2, is_init);
+	else
+		return new AssignExpr(op1, op2, is_init);
+	}
+
+
+int check_and_promote_expr(Expr*& e, BroType* t)
+	{
+	BroType* et = e->Type();
+	TypeTag e_tag = et->Tag();
+	TypeTag t_tag = t->Tag();
+
+	if ( t->Tag() == TYPE_ANY )
+		return 1;
+
+	if ( EitherArithmetic(t_tag, e_tag) )
+		{
+		if ( e_tag == t_tag )
+			return 1;
+
+		if ( ! BothArithmetic(t_tag, e_tag) )
+			{
+			t->Error("arithmetic mixed with non-arithmetic", e);
+			return 0;
+			}
+
+		TypeTag mt = max_type(t_tag, e_tag);
+		if ( mt != t_tag )
+			{
+			t->Error("over-promotion of arithmetic value", e);
+			return 0;
+			}
+
+		e = new ArithCoerceExpr(e, t_tag);
+		return 1;
+		}
+
+	else if ( ! same_type(t, et) )
+		{
+		if ( t->Tag() == TYPE_RECORD && et->Tag() == TYPE_RECORD )
+			{
+			RecordType* t_r = t->AsRecordType();
+			RecordType* et_r = et->AsRecordType();
+
+			if ( record_promotion_compatible(t_r, et_r) )
+				{
+				e = new RecordCoerceExpr(e, t_r);
+				return 1;
+				}
+			}
+
+		else if ( t->Tag() == TYPE_TABLE && et->Tag() == TYPE_TABLE &&
+			  et->AsTableType()->IsUnspecifiedTable() )
+			{
+			e = new TableCoerceExpr(e, t->AsTableType());
+			return 1;
+			}
+
+		t->Error("type clash", e);
+		return 0;
+		}
+
+	return 1;
+	}
+
+int check_and_promote_exprs(ListExpr*& elements, TypeList* types)
+	{
+	expr_list& el = elements->Exprs();
+	const type_list* tl = types->Types();
+
+	if ( tl->length() == 1 && (*tl)[0]->Tag() == TYPE_ANY )
+		return 1;
+
+	if ( el.length() != tl->length() )
+		{
+		types->Error("indexing mismatch", elements);
+		return 0;
+		}
+
+	loop_over_list(el, i)
+		{
+		Expr* e = el[i];
+		if ( ! check_and_promote_expr(e, (*tl)[i]) )
+			{
+			e->Error("type mismatch", (*tl)[i]);
+			return 0;
+			}
+
+		if ( e != el[i] )
+			el.replace(i, e);
+		}
+
+	return 1;
+	}
+
+int check_and_promote_exprs_to_type(ListExpr*& elements, BroType* type)
+	{
+	expr_list& el = elements->Exprs();
+
+	if ( type->Tag() == TYPE_ANY )
+		return 1;
+
+	loop_over_list(el, i)
+		{
+		Expr* e = el[i];
+		if ( ! check_and_promote_expr(e, type) )
+			{
+			e->Error("type mismatch", type);
+			return 0;
+			}
+
+		if ( e != el[i] )
+			el.replace(i, e);
+		}
+
+	return 1;
+	}
+
+Expr* simplify_expr(Expr* e, SimplifyType simp_type)
+	{
+	if ( ! e )
+		return 0;
+
+	for ( Expr* s = e->Simplify(simp_type); s != e; s = e->Simplify(simp_type) )
+		{
+		Unref(e);
+		e = s;
+		}
+
+	return e;
+	}
+
+ListExpr* simplify_expr_list(ListExpr* l, SimplifyType simp_type)
+	{
+	return (ListExpr*) simplify_expr(l, simp_type);
+	}
+
+val_list* eval_list(Frame* f, const ListExpr* l)
+	{
+	const expr_list& e = l->Exprs();
+	val_list* v = new val_list(e.length());
+
+	loop_over_list(e, i)
+		{
+		Val* ev = e[i]->Eval(f);
+		if ( ! ev )
+			break;
+		v->append(ev);
+		}
+
+	if ( i < e.length() )
+		{ // Failure.
+		loop_over_list(*v, j)
+			Unref((*v)[j]);
+		delete v;
+		return 0;
+		}
+
+	else
+		return v;
+	}
+
+int same_expr(const Expr* e1, const Expr* e2)
+	{
+	if ( e1 == e2 )
+		return 1;
+
+	if ( e1->Tag() != e2->Tag() || ! same_type(e1->Type(), e2->Type()) )
+		return 0;
+
+	if ( e1->IsError() || e2->IsError() )
+		return 0;
+
+	switch ( e1->Tag() ) {
+	case EXPR_NAME:
+		{
+		const NameExpr* n1 = (NameExpr*) e1;
+		const NameExpr* n2 = (NameExpr*) e2;
+		return n1->Id() == n2->Id();
+		}
+
+	case EXPR_CONST:
+		{
+		const ConstExpr* c1 = (ConstExpr*) e1;
+		const ConstExpr* c2 = (ConstExpr*) e2;
+		return same_val(c1->Value(), c2->Value());
+		}
+
+	case EXPR_INCR:
+	case EXPR_DECR:
+	case EXPR_NOT:
+	case EXPR_NEGATE:
+	case EXPR_POSITIVE:
+	case EXPR_REF:
+	case EXPR_RECORD_CONSTRUCTOR:
+	case EXPR_TABLE_CONSTRUCTOR:
+	case EXPR_SET_CONSTRUCTOR:
+	case EXPR_VECTOR_CONSTRUCTOR:
+	case EXPR_FIELD_ASSIGN:
+	case EXPR_ARITH_COERCE:
+	case EXPR_RECORD_COERCE:
+	case EXPR_TABLE_COERCE:
+	case EXPR_FLATTEN:
+		{
+		const UnaryExpr* u1 = (UnaryExpr*) e1;
+		const UnaryExpr* u2 = (UnaryExpr*) e2;
+		return same_expr(u1->Op(), u2->Op());
+		}
+
+	case EXPR_FIELD:
+		{
+		const FieldExpr* f1 = (FieldExpr*) e1;
+		const FieldExpr* f2 = (FieldExpr*) e2;
+		return same_expr(f1->Op(), f2->Op()) &&
+			f1->Field() == f2->Field();
+		}
+
+	case EXPR_SCHEDULE:
+		{
+		const ScheduleExpr* s1 = (ScheduleExpr*) e1;
+		const ScheduleExpr* s2 = (ScheduleExpr*) e2;
+		return same_expr(s1->When(), s2->When()) &&
+			same_expr(s1->Event(), s2->Event());
+		}
+
+	case EXPR_ADD:
+	case EXPR_ADD_TO:
+	case EXPR_SUB:
+	case EXPR_REMOVE_FROM:
+	case EXPR_TIMES:
+	case EXPR_DIVIDE:
+	case EXPR_MOD:
+	case EXPR_AND:
+	case EXPR_OR:
+	case EXPR_LT:
+	case EXPR_LE:
+	case EXPR_EQ:
+	case EXPR_NE:
+	case EXPR_GE:
+	case EXPR_GT:
+	case EXPR_ASSIGN:
+	case EXPR_MATCH:
+	case EXPR_INDEX:
+	case EXPR_IN:
+		{
+		const BinaryExpr* b1 = (BinaryExpr*) e1;
+		const BinaryExpr* b2 = (BinaryExpr*) e2;
+		return same_expr(b1->Op1(), b2->Op1()) &&
+			same_expr(b1->Op2(), b2->Op2());
+		}
+
+	case EXPR_LIST:
+		{
+		const ListExpr* l1 = (ListExpr*) e1;
+		const ListExpr* l2 = (ListExpr*) e2;
+
+		const expr_list& le1 = l1->Exprs();
+		const expr_list& le2 = l2->Exprs();
+
+		if ( le1.length() != le2.length() )
+			return 0;
+
+		loop_over_list(le1, i)
+			if ( ! same_expr(le1[i], le2[i]) )
+				return 0;
+
+		return 1;
+		}
+
+	case EXPR_CALL:
+		{
+		const CallExpr* c1 = (CallExpr*) e1;
+		const CallExpr* c2 = (CallExpr*) e2;
+
+		return same_expr(c1->Func(), c2->Func()) &&
+			c1->IsPure() && same_expr(c1->Args(), c2->Args());
+		}
+
+	default:
+		internal_error("bad tag in same_expr()");
+	}
+
+	return 0;
+	}
+
+int expr_greater(const Expr* e1, const Expr* e2)
+	{
+	return int(e1->Tag()) > int(e2->Tag());
+	}
+
+static Expr* make_constant(BroType* t, double d)
+	{
+	Val* v = 0;
+	switch ( t->InternalType() ) {
+	case TYPE_INTERNAL_INT:		v = new Val(bro_int_t(d), t->Tag()); break;
+	case TYPE_INTERNAL_UNSIGNED:	v = new Val(bro_uint_t(d), t->Tag()); break;
+	case TYPE_INTERNAL_DOUBLE:	v = new Val(double(d), t->Tag()); break;
+
+	default:
+		internal_error("bad type in make_constant()");
+	}
+
+	return new ConstExpr(v);
+	}
+
+Expr* make_zero(BroType* t)
+	{
+	return make_constant(t, 0.0);
+	}
+
+Expr* make_one(BroType* t)
+	{
+	return make_constant(t, 1.0);
+	}
diff --git a/src/Expr.h b/src/Expr.h
new file mode 100644
index 0000000000..c078d4651c
--- /dev/null
+++ b/src/Expr.h
@@ -0,0 +1,1129 @@
+// $Id: Expr.h 6916 2009-09-24 20:48:36Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#ifndef expr_h
+#define expr_h
+
+// BRO expressions.
+
+#include "BroList.h"
+#include "ID.h"
+#include "Timer.h"
+#include "Val.h"
+#include "Debug.h"
+#include "EventHandler.h"
+#include "TraverseTypes.h"
+
+typedef enum {
+	EXPR_ANY = -1,
+	EXPR_NAME, EXPR_CONST,
+	EXPR_CLONE,
+	EXPR_INCR, EXPR_DECR, EXPR_NOT, EXPR_POSITIVE, EXPR_NEGATE,
+	EXPR_ADD, EXPR_SUB, EXPR_ADD_TO, EXPR_REMOVE_FROM,
+	EXPR_TIMES, EXPR_DIVIDE, EXPR_MOD,
+	EXPR_AND, EXPR_OR,
+	EXPR_LT, EXPR_LE, EXPR_EQ, EXPR_NE, EXPR_GE, EXPR_GT,
+	EXPR_COND,
+	EXPR_REF,
+	EXPR_ASSIGN,
+	EXPR_MATCH,
+	EXPR_INDEX,
+	EXPR_FIELD, EXPR_HAS_FIELD,
+	EXPR_RECORD_CONSTRUCTOR,
+	EXPR_TABLE_CONSTRUCTOR,
+	EXPR_SET_CONSTRUCTOR,
+	EXPR_VECTOR_CONSTRUCTOR,
+	EXPR_FIELD_ASSIGN,
+	EXPR_IN,
+	EXPR_LIST,
+	EXPR_CALL,
+	EXPR_EVENT,
+	EXPR_SCHEDULE,
+	EXPR_ARITH_COERCE, EXPR_RECORD_COERCE, EXPR_TABLE_COERCE,
+	EXPR_SIZE,
+	EXPR_FLATTEN,
+#define NUM_EXPRS (int(EXPR_FLATTEN) + 1)
+} BroExprTag;
+
+typedef enum {
+	SIMPLIFY_GENERAL,	// regular simplification
+	SIMPLIFY_LHS,		// simplify as the LHS of an assignment
+} SimplifyType;
+
+extern const char* expr_name(BroExprTag t);
+
+class Stmt;
+class Frame;
+class ListExpr;
+class CallExpr;
+class EventExpr;
+
+
+class Expr : public BroObj {
+public:
+	BroType* Type() const		{ return type; }
+	BroExprTag Tag() const	{ return tag; }
+
+	virtual ~Expr();
+
+	Expr* Ref()			{ ::Ref(this); return this; }
+
+	// Returns a fully simplified version of the expression (this
+	// may be the same expression, or a newly created one).  simp_type
+	// gives the context of the simplification.
+	virtual Expr* Simplify(SimplifyType simp_type) = 0;
+
+	// Evaluates the expression and returns a corresponding Val*,
+	// or nil if the expression's value isn't fixed.
+	virtual Val* Eval(Frame* f) const = 0;
+
+	// Same, but the context is that we are adding an element
+	// into the given aggregate of the given type.  Note that
+	// return type is void since it's updating an existing
+	// value, rather than creating a new one.
+	virtual void EvalIntoAggregate(const BroType* t, Val* aggr, Frame* f)
+			const;
+
+	// Assign to the given value, if appropriate.
+	virtual void Assign(Frame* f, Val* v, Opcode op = OP_ASSIGN);
+
+	// Returns the type corresponding to this expression interpreted
+	// as an initialization.  The type should be Unref()'d when done
+	// using it.  Returns nil if the initialization is illegal.
+	virtual BroType* InitType() const;
+
+	// Returns true if this expression, interpreted as an initialization,
+	// constitutes a record element, false otherwise.  If the TypeDecl*
+	// is non-nil and the expression is a record element, fills in the
+	// TypeDecl with a description of the element.
+	virtual int IsRecordElement(TypeDecl* td) const;
+
+	// Returns a value corresponding to this expression interpreted
+	// as an initialization, or nil if the expression is inconsistent
+	// with the given type.  If "aggr" is non-nil, then this expression
+	// is an element of the given aggregate, and it is added to it
+	// accordingly.
+	virtual Val* InitVal(const BroType* t, Val* aggr) const;
+
+	// True if the expression has no side effects, false otherwise.
+	virtual int IsPure() const;
+
+	// True if the expression is a constant, false otherwise.
+	int IsConst() const	{ return tag == EXPR_CONST; }
+
+	// True if the expression is in error (to alleviate error propagation).
+	int IsError() const	{ return type && type->Tag() == TYPE_ERROR; }
+
+	// Mark expression as in error.
+	void SetError()		{ SetType(error_type()); }
+	void SetError(const char* msg);
+
+	// Returns the expression's constant value, or complains
+	// if it's not a constant.
+	inline Val* ExprVal() const;
+
+	// True if the expression is a constant zero, false otherwise.
+	int IsZero() const
+		{
+		return IsConst() && ExprVal()->IsZero();
+		}
+
+	// True if the expression is a constant one, false otherwise.
+	int IsOne() const
+		{
+		return IsConst() && ExprVal()->IsOne();
+		}
+
+	// True if the expression supports the "add" or "delete" operations,
+	// false otherwise.
+	virtual int CanAdd() const;
+	virtual int CanDel() const;
+
+	virtual void Add(Frame* f);	// perform add operation
+	virtual void Delete(Frame* f);	// perform delete operation
+
+	// Return the expression converted to L-value form.  If expr
+	// cannot be used as an L-value, reports an error and returns
+	// the current value of expr (this is the default method).
+	virtual Expr* MakeLvalue();
+
+	// Marks the expression as one requiring (or at least appearing
+	// with) parentheses.  Used for pretty-printing.
+	void MarkParen()		{ paren = 1; }
+	int IsParen() const		{ return paren; }
+
+	const ListExpr* AsListExpr() const
+		{
+		CHECK_TAG(tag, EXPR_LIST, "ExprVal::AsListExpr", expr_name)
+		return (const ListExpr*) this;
+		}
+	ListExpr* AsListExpr()
+		{
+		CHECK_TAG(tag, EXPR_LIST, "ExprVal::AsListExpr", expr_name)
+		return (ListExpr*) this;
+		}
+
+	void Describe(ODesc* d) const;
+
+	bool Serialize(SerialInfo* info) const;
+	static Expr* Unserialize(UnserialInfo* info, BroExprTag want = EXPR_ANY);
+
+	virtual TraversalCode Traverse(TraversalCallback* cb) const = 0;
+
+protected:
+	Expr()	{ type = 0; }
+	Expr(BroExprTag arg_tag);
+
+	virtual void ExprDescribe(ODesc* d) const = 0;
+	void AddTag(ODesc* d) const;
+
+	// Puts the expression in canonical form.
+	virtual void Canonicize();
+
+	void SetType(BroType* t);
+
+	// Reports the given error and sets the expression's type to
+	// TYPE_ERROR.
+	void ExprError(const char msg[]);
+
+	DECLARE_ABSTRACT_SERIAL(Expr);
+
+	BroExprTag tag;
+	BroType* type;
+
+	int paren;
+};
+
+class NameExpr : public Expr {
+public:
+	NameExpr(ID* id);
+	~NameExpr();
+
+	ID* Id() const		{ return id; }
+
+	Expr* Simplify(SimplifyType simp_type);
+	Val* Eval(Frame* f) const;
+	void Assign(Frame* f, Val* v, Opcode op = OP_ASSIGN);
+	Expr* MakeLvalue();
+	int IsPure() const;
+
+	TraversalCode Traverse(TraversalCallback* cb) const;
+
+protected:
+	friend class Expr;
+	NameExpr()	{ id = 0; }
+
+	void ReferenceID();
+	void ExprDescribe(ODesc* d) const;
+
+	DECLARE_SERIAL(NameExpr);
+
+	ID* id;
+};
+
+class ConstExpr : public Expr {
+public:
+	ConstExpr(Val* val);
+	~ConstExpr();
+
+	Val* Value() const	{ return val; }
+
+	Expr* Simplify(SimplifyType simp_type);
+	Val* Eval(Frame* f) const;
+
+	TraversalCode Traverse(TraversalCallback* cb) const;
+
+protected:
+	friend class Expr;
+	ConstExpr()	{ val = 0; }
+
+	void ExprDescribe(ODesc* d) const;
+	DECLARE_SERIAL(ConstExpr);
+
+	Val* val;
+};
+
+class UnaryExpr : public Expr {
+public:
+	Expr* Op() const	{ return op; }
+
+	// Simplifies the operand and calls DoSimplify().
+	virtual Expr* Simplify(SimplifyType simp_type);
+
+	// UnaryExpr::Eval correctly handles vector types.  Any child
+	// class that overrides Eval() should be modified to handle
+	// vectors correctly as necessary.
+	Val* Eval(Frame* f) const;
+
+	int IsPure() const;
+
+	TraversalCode Traverse(TraversalCallback* cb) const;
+
+protected:
+	friend class Expr;
+	UnaryExpr()	{ op = 0; }
+
+	UnaryExpr(BroExprTag arg_tag, Expr* arg_op);
+	virtual ~UnaryExpr();
+
+	void ExprDescribe(ODesc* d) const;
+
+	// Can be overridden by subclasses that want to take advantage
+	// of UnaryExpr's Simplify() method.
+	virtual Expr* DoSimplify();
+
+	// Returns the expression folded using the given constant.
+	virtual Val* Fold(Val* v) const;
+
+	DECLARE_SERIAL(UnaryExpr);
+
+	Expr* op;
+};
+
+class BinaryExpr : public Expr {
+public:
+	Expr* Op1() const	{ return op1; }
+	Expr* Op2() const	{ return op2; }
+
+	// Simplifies both operands, folds them if constant,
+	// otherwise calls DoSimplify().
+	virtual Expr* Simplify(SimplifyType simp_type);
+	int IsPure() const;
+
+	// BinaryExpr::Eval correctly handles vector types.  Any child
+	// class that overrides Eval() should be modified to handle
+	// vectors correctly as necessary.
+	Val* Eval(Frame* f) const;
+
+	TraversalCode Traverse(TraversalCallback* cb) const;
+
+protected:
+	friend class Expr;
+	BinaryExpr()	{ op1 = op2 = 0; }
+
+	BinaryExpr(BroExprTag arg_tag, Expr* arg_op1, Expr* arg_op2)
+		: Expr(arg_tag)
+		{
+		if ( ! (arg_op1 && arg_op2) )
+			return;
+		op1 = arg_op1;
+		op2 = arg_op2;
+		if ( op1->IsError() || op2->IsError() )
+			SetError();
+		}
+	virtual ~BinaryExpr();
+
+	// Can be overridden by subclasses that want to take advantage
+	// of BinaryExpr's Simplify() method.
+	virtual Expr* DoSimplify();
+
+	// Returns the expression folded using the given constants.
+	virtual Val* Fold(Val* v1, Val* v2) const;
+
+	// Same for when the constants are strings.
+	virtual Val* StringFold(Val* v1, Val* v2) const;
+
+	// Same for when the constants are addresses or subnets.
+	virtual Val* AddrFold(Val* v1, Val* v2) const;
+	virtual Val* SubNetFold(Val* v1, Val* v2) const;
+
+	int BothConst() const	{ return op1->IsConst() && op2->IsConst(); }
+
+	// Simplify both operands and canonicize.
+	void SimplifyOps();
+
+	// Exchange op1 and op2.
+	void SwapOps();
+
+	// Promote the operands to the given type tag, if necessary.
+	void PromoteOps(TypeTag t);
+
+	// Promote the expression to the given type tag (i.e., promote
+	// operands and also set expression's type).
+	void PromoteType(TypeTag t, bool is_vector);
+
+	void ExprDescribe(ODesc* d) const;
+
+	DECLARE_SERIAL(BinaryExpr);
+
+	Expr* op1;
+	Expr* op2;
+};
+
+class CloneExpr : public UnaryExpr {
+public:
+	CloneExpr(Expr* op);
+	Val* Eval(Frame* f) const;
+
+protected:
+	friend class Expr;
+	CloneExpr()	{ }
+
+	Val* Fold(Val* v) const;
+
+	DECLARE_SERIAL(CloneExpr);
+};
+
+class IncrExpr : public UnaryExpr {
+public:
+	IncrExpr(BroExprTag tag, Expr* op);
+
+	Val* Eval(Frame* f) const;
+	Val* DoSingleEval(Frame* f, Val* v) const;
+	int IsPure() const;
+
+protected:
+	friend class Expr;
+	IncrExpr()	{ }
+
+	DECLARE_SERIAL(IncrExpr);
+};
+
+class NotExpr : public UnaryExpr {
+public:
+	NotExpr(Expr* op);
+
+protected:
+	friend class Expr;
+	NotExpr()	{ }
+
+	Expr* DoSimplify();
+	Val* Fold(Val* v) const;
+
+	DECLARE_SERIAL(NotExpr);
+};
+
+class PosExpr : public UnaryExpr {
+public:
+	PosExpr(Expr* op);
+
+protected:
+	friend class Expr;
+	PosExpr()	{ }
+
+	Expr* DoSimplify();
+	Val* Fold(Val* v) const;
+
+	DECLARE_SERIAL(PosExpr);
+};
+
+class NegExpr : public UnaryExpr {
+public:
+	NegExpr(Expr* op);
+
+protected:
+	friend class Expr;
+	NegExpr()	{ }
+
+	Expr* DoSimplify();
+	Val* Fold(Val* v) const;
+
+	DECLARE_SERIAL(NegExpr);
+};
+
+class SizeExpr : public UnaryExpr {
+public:
+	SizeExpr(Expr* op);
+	Val* Eval(Frame* f) const;
+
+protected:
+	friend class Expr;
+	SizeExpr()	{ }
+
+	Val* Fold(Val* v) const;
+	DECLARE_SERIAL(SizeExpr);
+};
+
+class AddExpr : public BinaryExpr {
+public:
+	AddExpr(Expr* op1, Expr* op2);
+	void Canonicize();
+
+protected:
+	friend class Expr;
+	AddExpr()	{ }
+
+	Expr* DoSimplify();
+
+	DECLARE_SERIAL(AddExpr);
+
+};
+
+class AddToExpr : public BinaryExpr {
+public:
+	AddToExpr(Expr* op1, Expr* op2);
+	Val* Eval(Frame* f) const;
+
+protected:
+	friend class Expr;
+	AddToExpr()	{ }
+
+	DECLARE_SERIAL(AddToExpr);
+};
+
+class RemoveFromExpr : public BinaryExpr {
+public:
+	RemoveFromExpr(Expr* op1, Expr* op2);
+	Val* Eval(Frame* f) const;
+
+protected:
+	friend class Expr;
+	RemoveFromExpr()	{ }
+
+	DECLARE_SERIAL(RemoveFromExpr);
+};
+
+class SubExpr : public BinaryExpr {
+public:
+	SubExpr(Expr* op1, Expr* op2);
+
+protected:
+	friend class Expr;
+	SubExpr()	{ }
+
+	Expr* DoSimplify();
+
+	DECLARE_SERIAL(SubExpr);
+
+};
+
+class TimesExpr : public BinaryExpr {
+public:
+	TimesExpr(Expr* op1, Expr* op2);
+	void Canonicize();
+
+protected:
+	friend class Expr;
+	TimesExpr()	{ }
+
+	Expr* DoSimplify();
+
+	DECLARE_SERIAL(TimesExpr);
+
+};
+
+class DivideExpr : public BinaryExpr {
+public:
+	DivideExpr(Expr* op1, Expr* op2);
+
+protected:
+	friend class Expr;
+	DivideExpr()	{ }
+
+	Val* AddrFold(Val* v1, Val* v2) const;
+	Expr* DoSimplify();
+
+	DECLARE_SERIAL(DivideExpr);
+
+};
+
+class ModExpr : public BinaryExpr {
+public:
+	ModExpr(Expr* op1, Expr* op2);
+
+protected:
+	friend class Expr;
+	ModExpr()	{ }
+
+	Expr* DoSimplify();
+
+	DECLARE_SERIAL(ModExpr);
+};
+
+class BoolExpr : public BinaryExpr {
+public:
+	BoolExpr(BroExprTag tag, Expr* op1, Expr* op2);
+
+	Val* Eval(Frame* f) const;
+	Val* DoSingleEval(Frame* f, Val* v1, Expr* op2) const;
+
+protected:
+	friend class Expr;
+	BoolExpr()	{ }
+
+	Expr* DoSimplify();
+
+	DECLARE_SERIAL(BoolExpr);
+};
+
+class EqExpr : public BinaryExpr {
+public:
+	EqExpr(BroExprTag tag, Expr* op1, Expr* op2);
+	void Canonicize();
+
+protected:
+	friend class Expr;
+	EqExpr()	{ }
+
+	Expr* DoSimplify();
+
+	Val* Fold(Val* v1, Val* v2) const;
+
+	DECLARE_SERIAL(EqExpr);
+};
+
+class RelExpr : public BinaryExpr {
+public:
+	RelExpr(BroExprTag tag, Expr* op1, Expr* op2);
+	void Canonicize();
+
+protected:
+	friend class Expr;
+	RelExpr()	{ }
+
+	Expr* DoSimplify();
+
+	DECLARE_SERIAL(RelExpr);
+};
+
+class CondExpr : public Expr {
+public:
+	CondExpr(Expr* op1, Expr* op2, Expr* op3);
+	~CondExpr();
+
+	Expr* Simplify(SimplifyType simp_type);
+	Val* Eval(Frame* f) const;
+	int IsPure() const;
+
+	TraversalCode Traverse(TraversalCallback* cb) const;
+
+protected:
+	friend class Expr;
+	CondExpr()	{ op1 = op2 = op3 = 0; }
+
+	void ExprDescribe(ODesc* d) const;
+
+	DECLARE_SERIAL(CondExpr);
+
+	Expr* op1;
+	Expr* op2;
+	Expr* op3;
+};
+
+class RefExpr : public UnaryExpr {
+public:
+	RefExpr(Expr* op);
+
+	void Assign(Frame* f, Val* v, Opcode op = OP_ASSIGN);
+	Expr* MakeLvalue();
+
+	// Only overridden to avoid special vector handling which doesn't apply
+	// for this class.
+	Val* Eval(Val* v) const;
+
+protected:
+	friend class Expr;
+	RefExpr()	{ }
+
+	DECLARE_SERIAL(RefExpr);
+};
+
+class AssignExpr : public BinaryExpr {
+public:
+	// If val is given, evaluating this expression will always yield the val
+	// yet still perform the assignment.  Used for triggers.
+	AssignExpr(Expr* op1, Expr* op2, int is_init, Val* val = 0);
+	virtual ~AssignExpr()	{ Unref(val); }
+
+	Expr* Simplify(SimplifyType simp_type);
+	Val* Eval(Frame* f) const;
+	void EvalIntoAggregate(const BroType* t, Val* aggr, Frame* f) const;
+	BroType* InitType() const;
+	int IsRecordElement(TypeDecl* td) const;
+	Val* InitVal(const BroType* t, Val* aggr) const;
+	int IsPure() const;
+
+protected:
+	friend class Expr;
+	AssignExpr()	{ }
+
+	bool TypeCheck();
+	bool TypeCheckArithmetics(TypeTag bt1, TypeTag bt2);
+
+	DECLARE_SERIAL(AssignExpr);
+
+	int is_init;
+	Val* val;	// optional
+};
+
+class IndexExpr : public BinaryExpr {
+public:
+	IndexExpr(Expr* op1, ListExpr* op2);
+
+	int CanAdd() const;
+	int CanDel() const;
+
+	void Add(Frame* f);
+	void Delete(Frame* f);
+
+	Expr* Simplify(SimplifyType simp_type);
+	void Assign(Frame* f, Val* v, Opcode op = OP_ASSIGN);
+	Expr* MakeLvalue();
+
+	// Need to override Eval since it can take a vector arg but does
+	// not necessarily return a vector.
+	Val* Eval(Frame* f) const;
+
+	TraversalCode Traverse(TraversalCallback* cb) const;
+
+protected:
+	friend class Expr;
+	IndexExpr()	{ }
+
+	Val* Fold(Val* v1, Val* v2) const;
+
+	void ExprDescribe(ODesc* d) const;
+
+	DECLARE_SERIAL(IndexExpr);
+};
+
+class FieldExpr : public UnaryExpr {
+public:
+	FieldExpr(Expr* op, const char* field_name);
+	~FieldExpr();
+
+	int Field() const	{ return field; }
+
+	Expr* Simplify(SimplifyType simp_type);
+	void Assign(Frame* f, Val* v, Opcode op = OP_ASSIGN);
+
+	Expr* MakeLvalue();
+
+protected:
+	friend class Expr;
+	FieldExpr()	{ field_name = 0; td = 0; }
+
+	Val* Fold(Val* v) const;
+
+	void ExprDescribe(ODesc* d) const;
+
+	DECLARE_SERIAL(FieldExpr);
+
+	const char* field_name;
+	const TypeDecl* td;
+	int field; // -1 = attributes
+};
+
+// "rec?$fieldname" is true if the value of $fieldname in rec is not nil.
+// "rec?$$attrname" is true if the attribute attrname is not nil.
+class HasFieldExpr : public UnaryExpr {
+public:
+	HasFieldExpr(Expr* op, const char* field_name, bool is_attr);
+	~HasFieldExpr();
+
+protected:
+	friend class Expr;
+	HasFieldExpr()	{ field_name = 0; }
+
+	Val* Fold(Val* v) const;
+
+	void ExprDescribe(ODesc* d) const;
+
+	DECLARE_SERIAL(HasFieldExpr);
+
+	bool is_attr;
+	const char* field_name;
+	int field;
+};
+
+class RecordConstructorExpr : public UnaryExpr {
+public:
+	RecordConstructorExpr(ListExpr* constructor_list);
+
+protected:
+	friend class Expr;
+	RecordConstructorExpr()	{ }
+
+	Val* InitVal(const BroType* t, Val* aggr) const;
+	Val* Fold(Val* v) const;
+
+	void ExprDescribe(ODesc* d) const;
+
+	DECLARE_SERIAL(RecordConstructorExpr);
+};
+
+class TableConstructorExpr : public UnaryExpr {
+public:
+	TableConstructorExpr(ListExpr* constructor_list, attr_list* attrs);
+	~TableConstructorExpr()	{ Unref(attrs); }
+
+	Val* Eval(Frame* f) const;
+
+protected:
+	friend class Expr;
+	TableConstructorExpr()	{ }
+
+	Val* InitVal(const BroType* t, Val* aggr) const;
+
+	void ExprDescribe(ODesc* d) const;
+
+	DECLARE_SERIAL(TableConstructorExpr);
+
+	Attributes* attrs;
+};
+
+class SetConstructorExpr : public UnaryExpr {
+public:
+	SetConstructorExpr(ListExpr* constructor_list, attr_list* attrs);
+	~SetConstructorExpr()	{ Unref(attrs); }
+
+	Val* Eval(Frame* f) const;
+
+protected:
+	friend class Expr;
+	SetConstructorExpr()	{ }
+
+	Val* InitVal(const BroType* t, Val* aggr) const;
+
+	void ExprDescribe(ODesc* d) const;
+
+	DECLARE_SERIAL(SetConstructorExpr);
+
+	Attributes* attrs;
+};
+
+class VectorConstructorExpr : public UnaryExpr {
+public:
+	VectorConstructorExpr(ListExpr* constructor_list);
+
+	Val* Eval(Frame* f) const;
+
+protected:
+	friend class Expr;
+	VectorConstructorExpr()	{ }
+
+	Val* InitVal(const BroType* t, Val* aggr) const;
+
+	void ExprDescribe(ODesc* d) const;
+
+	DECLARE_SERIAL(VectorConstructorExpr);
+};
+
+class FieldAssignExpr : public UnaryExpr {
+public:
+	FieldAssignExpr(const char* field_name, Expr* value);
+
+	const char* FieldName() const	{ return field_name.c_str(); }
+
+	void EvalIntoAggregate(const BroType* t, Val* aggr, Frame* f) const;
+	int IsRecordElement(TypeDecl* td) const;
+
+protected:
+	friend class Expr;
+	FieldAssignExpr()	{ }
+
+	void ExprDescribe(ODesc* d) const;
+
+	DECLARE_SERIAL(FieldAssignExpr);
+
+	string field_name;
+};
+
+class RecordMatchExpr : public BinaryExpr {
+public:
+	RecordMatchExpr(Expr* op1 /* record to match */, 
+			Expr* op2 /* cases to match against */);	
+
+protected:
+	friend class Expr;
+	RecordMatchExpr()
+		{
+		pred_field_index = result_field_index =
+			priority_field_index = 0;
+		}
+
+	virtual Val* Fold(Val* v1, Val* v2) const;
+	void ExprDescribe(ODesc*) const;
+
+	DECLARE_SERIAL(RecordMatchExpr);
+
+	// The following are used to hold the field offset of
+	// $pred, $result, $priority, so the names only need to
+	// be looked up at compile-time.
+	int pred_field_index;
+	int result_field_index;
+	int priority_field_index;
+};
+
+class ArithCoerceExpr : public UnaryExpr {
+public:
+	ArithCoerceExpr(Expr* op, TypeTag t);
+
+protected:
+	friend class Expr;
+	ArithCoerceExpr()	{ }
+
+	Expr* DoSimplify();
+
+	Val* FoldSingleVal(Val* v, InternalTypeTag t) const;
+	Val* Fold(Val* v) const;
+
+	DECLARE_SERIAL(ArithCoerceExpr);
+};
+
+class RecordCoerceExpr : public UnaryExpr {
+public:
+	RecordCoerceExpr(Expr* op, RecordType* r);
+	~RecordCoerceExpr();
+
+protected:
+	friend class Expr;
+	RecordCoerceExpr()	{ map = 0; }
+
+	Val* Fold(Val* v) const;
+
+	DECLARE_SERIAL(RecordCoerceExpr);
+
+	// For each super-record slot, gives subrecord slot with which to
+	// fill it.
+	int* map;
+	int map_size;	// equivalent to Type()->AsRecordType()->NumFields()
+};
+
+class TableCoerceExpr : public UnaryExpr {
+public:
+	TableCoerceExpr(Expr* op, TableType* r);
+	~TableCoerceExpr();
+
+protected:
+	friend class Expr;
+	TableCoerceExpr()	{ }
+
+	Val* Fold(Val* v) const;
+
+	DECLARE_SERIAL(TableCoerceExpr);
+};
+
+// An internal operator for flattening array indices that are records
+// into a list of individual values.
+class FlattenExpr : public UnaryExpr {
+public:
+	FlattenExpr(Expr* op);
+
+protected:
+	friend class Expr;
+	FlattenExpr()	{ }
+
+	Val* Fold(Val* v) const;
+
+	DECLARE_SERIAL(FlattenExpr);
+
+	int num_fields;
+};
+
+class EventHandler;
+
+class ScheduleTimer : public Timer {
+public:
+	ScheduleTimer(EventHandlerPtr event, val_list* args, double t,
+			TimerMgr* tmgr);
+	~ScheduleTimer();
+
+	void Dispatch(double t, int is_expire);
+
+protected:
+	EventHandlerPtr event;
+	val_list* args;
+	TimerMgr* tmgr;
+};
+
+class ScheduleExpr : public Expr {
+public:
+	ScheduleExpr(Expr* when, EventExpr* event);
+	~ScheduleExpr();
+
+	int IsPure() const;
+
+	Expr* Simplify(SimplifyType simp_type);
+
+	Val* Eval(Frame* f) const;
+
+	Expr* When() const	{ return when; }
+	EventExpr* Event() const	{ return event; }
+
+	TraversalCode Traverse(TraversalCallback* cb) const;
+
+protected:
+	friend class Expr;
+	ScheduleExpr()	{ when = 0; event = 0; }
+
+	void ExprDescribe(ODesc* d) const;
+
+	DECLARE_SERIAL(ScheduleExpr);
+
+	Expr* when;
+	EventExpr* event;
+};
+
+class InExpr : public BinaryExpr {
+public:
+	InExpr(Expr* op1, Expr* op2);
+
+protected:
+	friend class Expr;
+	InExpr()	{ }
+
+	Val* Fold(Val* v1, Val* v2) const;
+
+	DECLARE_SERIAL(InExpr);
+
+};
+
+class CallExpr : public Expr {
+public:
+	CallExpr(Expr* func, ListExpr* args);
+	~CallExpr();
+
+	Expr* Func() const	{ return func; }
+	ListExpr* Args() const	{ return args; }
+
+	int IsPure() const;
+
+	Expr* Simplify(SimplifyType simp_type);
+	Val* Eval(Frame* f) const;
+
+	TraversalCode Traverse(TraversalCallback* cb) const;
+
+protected:
+	friend class Expr;
+	CallExpr()	{ func = 0; args = 0; }
+
+	void ExprDescribe(ODesc* d) const;
+
+	DECLARE_SERIAL(CallExpr);
+
+	Expr* func;
+	ListExpr* args;
+};
+
+class EventExpr : public Expr {
+public:
+	EventExpr(const char* name, ListExpr* args);
+	~EventExpr();
+
+	const char* Name() const	{ return name.c_str(); }
+	ListExpr* Args() const		{ return args; }
+	EventHandlerPtr Handler()  const	{ return handler; }
+
+	Expr* Simplify(SimplifyType simp_type);
+	Val* Eval(Frame* f) const;
+
+	TraversalCode Traverse(TraversalCallback* cb) const;
+
+protected:
+	friend class Expr;
+	EventExpr()	{ args = 0; }
+
+	void ExprDescribe(ODesc* d) const;
+
+	DECLARE_SERIAL(EventExpr);
+
+	string name;
+	EventHandlerPtr handler;
+	ListExpr* args;
+};
+
+class ListExpr : public Expr {
+public:
+	ListExpr();
+	ListExpr(Expr* e);
+	~ListExpr();
+
+	void Append(Expr* e);
+
+	const expr_list& Exprs() const	{ return exprs; }
+	expr_list& Exprs()		{ return exprs; }
+
+	// True if the entire list represents pure values.
+	int IsPure() const;
+
+	// True if the entire list represents constant values.
+	int AllConst() const;
+
+	Expr* Simplify(SimplifyType simp_type);
+	Val* Eval(Frame* f) const;
+
+	BroType* InitType() const;
+	Val* InitVal(const BroType* t, Val* aggr) const;
+	Expr* MakeLvalue();
+	void Assign(Frame* f, Val* v, Opcode op = OP_ASSIGN);
+
+	TraversalCode Traverse(TraversalCallback* cb) const;
+
+protected:
+	Val* AddSetInit(const BroType* t, Val* aggr) const;
+
+	void ExprDescribe(ODesc* d) const;
+
+	DECLARE_SERIAL(ListExpr);
+
+	expr_list exprs;
+};
+
+
+class RecordAssignExpr : public ListExpr {
+public:
+	RecordAssignExpr(Expr* record, Expr* init_list, int is_init);
+
+	Val* Eval(Frame* f) const	{ return ListExpr::Eval(f); }
+
+protected:
+	friend class Expr;
+	RecordAssignExpr()	{ }
+
+	DECLARE_SERIAL(RecordAssignExpr);
+};
+
+inline Val* Expr::ExprVal() const
+	{
+	if ( ! IsConst() )
+		BadTag("ExprVal::Val", expr_name(tag), expr_name(EXPR_CONST));
+	return ((ConstExpr*) this)->Value();
+	}
+
+// Decides whether to return an AssignExpr or a RecordAssignExpr.
+Expr* get_assign_expr(Expr* op1, Expr* op2, int is_init);
+
+// Type-check the given expression(s) against the given type(s).  Complain
+// if the expression cannot match the given type, returning 0.  If it can
+// match, promote it as necessary (modifying the ref parameter accordingly)
+// and return 1.
+//
+// The second and third forms are for promoting a list of
+// expressions (which is updated in place) to either match a list of
+// types or a single type.
+//
+// Note, the type is not "const" because it can be ref'd.
+extern int check_and_promote_expr(Expr*& e, BroType* t);
+extern int check_and_promote_exprs(ListExpr*& elements, TypeList* types);
+extern int check_and_promote_exprs_to_type(ListExpr*& elements, BroType* type);
+
+// Returns a fully simplified form of the expression.  Note that passed
+// expression and its subexpressions may be modified, Unref()'d, etc.
+Expr* simplify_expr(Expr* e, SimplifyType simp_type);
+
+// Returns a simplified ListExpr - guaranteed to still be a ListExpr,
+// even if it only contains one expr.
+ListExpr* simplify_expr_list(ListExpr* l, SimplifyType simp_type);
+
+// Returns a ListExpr simplified down to a list a values, or a nil
+// pointer if they couldn't all be reduced.
+val_list* eval_list(Frame* f, const ListExpr* l);
+
+// Returns true if two expressions are identical.
+extern int same_expr(const Expr* e1, const Expr* e2);
+
+// Returns true if e1 is "greater" than e2 - here "greater" is just
+// a heuristic, used with commutative operators to put them into
+// a canonical form.
+extern int expr_greater(const Expr* e1, const Expr* e2);
+
+// Return constants of the given type.
+Expr* make_zero(BroType* t);
+Expr* make_one(BroType* t);
+
+// True if the given Val* has a vector type
+inline bool is_vector(Expr* e)	{ return e->Type()->Tag() == TYPE_VECTOR; }
+
+#endif
diff --git a/src/FTP.cc b/src/FTP.cc
new file mode 100644
index 0000000000..79eb872d79
--- /dev/null
+++ b/src/FTP.cc
@@ -0,0 +1,173 @@
+// $Id: FTP.cc 6782 2009-06-28 02:19:03Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "config.h"
+
+#include <stdlib.h>
+
+#include "NetVar.h"
+#include "FTP.h"
+#include "NVT.h"
+#include "Event.h"
+#include "TCP_Rewriter.h"
+
+FTP_Analyzer::FTP_Analyzer(Connection* conn)
+: TCP_ApplicationAnalyzer(AnalyzerTag::FTP, conn)
+	{
+	pending_reply = 0;
+
+	nvt_orig = new NVT_Analyzer(conn, true);
+	nvt_orig->SetIsNULSensitive(true);
+	nvt_orig->SetIsNULSensitive(true);
+	nvt_orig->SetCRLFAsEOL(LF_as_EOL);
+	nvt_orig->SetIsNULSensitive(LF_as_EOL);
+
+	nvt_resp = new NVT_Analyzer(conn, false);
+	nvt_resp->SetIsNULSensitive(true);
+	nvt_resp->SetIsNULSensitive(true);
+	nvt_resp->SetCRLFAsEOL(LF_as_EOL);
+	nvt_resp->SetIsNULSensitive(LF_as_EOL);
+
+	nvt_resp->SetPeer(nvt_orig);
+	nvt_orig->SetPeer(nvt_resp);
+
+	AddSupportAnalyzer(nvt_orig);
+	AddSupportAnalyzer(nvt_resp);
+	}
+
+void FTP_Analyzer::Done()
+	{
+	TCP_ApplicationAnalyzer::Done();
+
+	if ( nvt_orig->HasPartialLine() &&
+	     (TCP()->OrigState() == TCP_ENDPOINT_CLOSED ||
+	      TCP()->OrigPrevState() == TCP_ENDPOINT_CLOSED) )
+		// ### should include the partial text
+		Weird("partial_ftp_request");
+	}
+
+void FTP_Analyzer::DeliverStream(int length, const u_char* data, bool orig)
+	{
+	TCP_ApplicationAnalyzer::DeliverStream(length, data, orig);
+
+	if ( (orig && ! ftp_request) || (! orig && ! ftp_reply) )
+		return;
+
+	// const char* orig_line = line;
+	const char* line = (const char*) data;
+	const char* end_of_line = line + length;
+
+	val_list* vl = new val_list;
+	vl->append(BuildConnVal());
+
+	EventHandlerPtr f;
+	if ( orig )
+		{
+		int cmd_len;
+		const char* cmd;
+		StringVal* cmd_str;
+
+		line = skip_whitespace(line, end_of_line);
+		get_word(length, line, cmd_len, cmd);
+		line = skip_whitespace(line + cmd_len, end_of_line);
+
+		if ( cmd_len == 0 )
+			{
+			// Weird("FTP command missing", end_of_line - orig_line, orig_line);
+			cmd_str = new StringVal("<missing>");
+			}
+		else
+			cmd_str = (new StringVal(cmd_len, cmd))->ToUpper();
+
+		vl->append(cmd_str);
+		vl->append(new StringVal(end_of_line - line, line));
+
+		f = ftp_request;
+		ProtocolConfirmation();
+
+		if ( strncmp((const char*) cmd_str->Bytes(),
+			     "AUTH", cmd_len) == 0 )
+			auth_requested = string(line, end_of_line - line);
+
+		if ( rule_matcher )
+			Conn()->Match(Rule::FTP, (const u_char *) cmd,
+				end_of_line - cmd, true, true, 1, true);
+		}
+	else
+		{
+		uint32 reply_code;
+		if ( length >= 3 &&
+		     isdigit(line[0]) && isdigit(line[1]) && isdigit(line[2]) )
+			{
+			reply_code = (line[0] - '0') * 100 +
+					(line[1] - '0') * 10 +
+					(line[2] - '0');
+			}
+		else
+			reply_code = 0;
+
+		int cont_resp;
+
+		if ( pending_reply )
+			{
+			if ( reply_code == pending_reply &&
+			     length > 3 && line[3] == ' ' )
+				{
+				// This is the end of the reply.
+				line = skip_whitespace(line + 3, end_of_line);
+				pending_reply = 0;
+				cont_resp = 0;
+				}
+			else
+				{
+				cont_resp = 1;	// not the end
+				reply_code = 0;	// flag as intermediary
+				}
+			}
+		else
+			{ // a new reply
+			if ( reply_code > 0 && length > 3 && line[3] == '-' )
+				{ // a continued reply
+				pending_reply = reply_code;
+				line = skip_whitespace(line + 4, end_of_line);
+				cont_resp = 1;
+				}
+			else
+				{ // a self-contained reply
+				if ( reply_code > 0 )
+					line += 3;
+				else
+					ProtocolViolation("non-numeric reply code",
+						(const char*) data, length);
+
+				if ( line < end_of_line )
+					line = skip_whitespace(line, end_of_line);
+				else
+					line = end_of_line;
+
+				if ( auth_requested.size() > 0 &&
+				     (reply_code == 234 || reply_code == 335) )
+					// Server accepted AUTH requested,
+					// which means that very likely we
+					// won't be able to parse the rest
+					// of the session, and thus we stop
+					// here.
+					SetSkip(true);
+
+				cont_resp = 0;
+				}
+			}
+
+		vl->append(new Val(reply_code, TYPE_COUNT));
+		vl->append(new StringVal(end_of_line - line, line));
+		vl->append(new Val(cont_resp, TYPE_BOOL));
+
+		f = ftp_reply;
+		}
+
+	ConnectionEvent(f, vl);
+	}
+
+
+#include "ftp-rw.bif.func_def"
diff --git a/src/FTP.h b/src/FTP.h
new file mode 100644
index 0000000000..f5d60fdf3b
--- /dev/null
+++ b/src/FTP.h
@@ -0,0 +1,40 @@
+// $Id: FTP.h 6782 2009-06-28 02:19:03Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#ifndef ftp_h
+#define ftp_h
+
+#include "NVT.h"
+#include "TCP.h"
+
+class FTP_Analyzer : public TCP_ApplicationAnalyzer {
+public:
+	FTP_Analyzer(Connection* conn);
+
+	virtual void Done();
+	virtual void DeliverStream(int len, const u_char* data, bool orig);
+	virtual int RewritingTrace()
+		{
+		return rewriting_ftp_trace ||
+			TCP_ApplicationAnalyzer::RewritingTrace();
+		}
+
+	static Analyzer* InstantiateAnalyzer(Connection* conn)
+		{
+		return new FTP_Analyzer(conn);
+		}
+
+	static bool Available()	{ return ftp_request || ftp_reply; }
+
+
+protected:
+	FTP_Analyzer()	{}
+
+	NVT_Analyzer* nvt_orig;
+	NVT_Analyzer* nvt_resp;
+	uint32 pending_reply;	// code associated with multi-line reply, or 0
+	string auth_requested;	// AUTH method requested
+};
+
+#endif
diff --git a/src/File.cc b/src/File.cc
new file mode 100644
index 0000000000..d72c67b4ef
--- /dev/null
+++ b/src/File.cc
@@ -0,0 +1,976 @@
+// $Id: File.cc 6942 2009-11-16 03:54:08Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "config.h"
+
+#include <sys/types.h>
+#if TIME_WITH_SYS_TIME
+# include <sys/time.h>
+# include <time.h>
+#else
+# if HAVE_SYS_TIME_H
+#  include <sys/time.h>
+# else
+#  include <time.h>
+# endif
+#endif
+#include <sys/resource.h>
+#include <sys/stat.h>
+#include <errno.h>
+#include <unistd.h>
+
+#include "File.h"
+#include "Type.h"
+#include "Timer.h"
+#include "Expr.h"
+#include "NetVar.h"
+#include "Net.h"
+#include "Serializer.h"
+#include "Event.h"
+
+// Timer which on dispatching rotates the file.
+class RotateTimer : public Timer {
+public:
+	RotateTimer(double t, BroFile* f, bool arg_raise) : Timer(t, TIMER_ROTATE)
+		{ file = f; raise = arg_raise; name = copy_string(f->Name()); }
+	~RotateTimer();
+
+	void Dispatch(double t, int is_expire);
+
+protected:
+	BroFile* file;
+	bool raise;
+	const char* name;
+};
+
+RotateTimer::~RotateTimer()
+	{
+	if ( file->rotate_timer == this )
+		file->rotate_timer = 0;
+
+	delete [] name;
+	}
+
+void RotateTimer::Dispatch(double t, int is_expire)
+	{
+	file->rotate_timer = 0;
+
+	if ( ! is_expire )
+		{
+		if ( raise )
+			{
+			val_list* vl = new val_list;
+			Ref(file);
+			vl->append(new Val(file));
+			mgr.QueueEvent(rotate_interval, vl);
+			}
+
+		file->InstallRotateTimer();
+		}
+	}
+
+
+// The following could in principle be part of a "file manager" object.
+
+#define MAX_FILE_CACHE_SIZE 32
+static int num_files_in_cache = 0;
+static int max_files_in_cache = 0;
+static BroFile* head = 0;
+static BroFile* tail = 0;
+
+double BroFile::default_rotation_interval = 0;
+double BroFile::default_rotation_size = 0;
+
+// Maximizes the number of open file descriptors and returns the number
+// that we should use for the cache.
+static int maximize_num_fds()
+	{
+#ifdef NO_HAVE_SETRLIMIT
+	return MAX_FILE_CACHE_SIZE;
+#else
+	struct rlimit rl;
+	if ( getrlimit(RLIMIT_NOFILE, &rl) < 0 )
+		internal_error("maximize_num_fds(): getrlimit failed");
+
+	if ( rl.rlim_max == RLIM_INFINITY )
+		{
+		// Don't try raising the current limit.
+		if ( rl.rlim_cur == RLIM_INFINITY )
+			// Let's not be too ambitious.
+			return MAX_FILE_CACHE_SIZE;
+		else
+			return rl.rlim_cur / 2;
+		}
+
+	// See if we can raise the current to the maximum.
+	rl.rlim_cur = rl.rlim_max;
+
+	if ( setrlimit(RLIMIT_NOFILE, &rl) < 0 )
+		internal_error("maximize_num_fds(): setrlimit failed");
+
+	return rl.rlim_cur / 2;
+#endif
+	}
+
+
+BroFile::BroFile(FILE* arg_f)
+	{
+	Init();
+	f = arg_f;
+	name = access = 0;
+	t = base_type(TYPE_STRING);
+	is_open = (f != 0);
+
+	if ( f )
+		UpdateFileSize();
+	}
+
+BroFile::BroFile(FILE* arg_f, const char* arg_name, const char* arg_access)
+	{
+	Init();
+	f = arg_f;
+	name = copy_string(arg_name);
+	access = copy_string(arg_access);
+	t = base_type(TYPE_STRING);
+	is_open = (f != 0);
+
+	if ( f )
+		UpdateFileSize();
+	}
+
+BroFile::BroFile(const char* arg_name, const char* arg_access, BroType* arg_t)
+	{
+	Init();
+
+	name = copy_string(arg_name);
+	access = copy_string(arg_access);
+	t = arg_t ? arg_t : base_type(TYPE_STRING);
+	if ( ! Open() )
+		{
+		error(fmt("cannot open %s: %s", name, strerror(errno)));
+		is_open = 0;
+		okay_to_manage = 0;
+		}
+	}
+
+const char* BroFile::Name() const
+	{
+	if ( name )
+		return name;
+
+	if ( f == stdin )
+		return"/dev/stdin";
+
+	if ( f == stdout )
+		return "/dev/stdout";
+
+	if ( f == stderr )
+		return "/dev/stderr";
+
+	return 0;
+	}
+
+bool BroFile::Open(FILE* file)
+	{
+	open_time = network_time ? network_time : current_time();
+
+	if ( ! max_files_in_cache )
+		// Haven't initialized yet.
+		max_files_in_cache = maximize_num_fds();
+
+	if ( num_files_in_cache >= max_files_in_cache )
+		PurgeCache();
+
+	f = file;
+
+	if ( default_rotation_interval &&
+	     (! attrs || ! attrs->FindAttr(ATTR_ROTATE_INTERVAL)) )
+		rotate_interval = default_rotation_interval;
+
+	if ( default_rotation_size &&
+	     (! attrs || ! attrs->FindAttr(ATTR_ROTATE_SIZE)) )
+		rotate_size = default_rotation_size;
+
+	InstallRotateTimer();
+
+	if ( ! f )
+		{
+		f = fopen(name, access);
+		SetBuf(buffered);
+		}
+
+	if ( f )
+		{
+		// These are the only files we manage, because we open them
+		// ourselves and hence don't have any surprises regarding
+		// whether we're allowed to close them.
+		is_open = okay_to_manage = 1;
+
+		InsertAtBeginning();
+		UpdateFileSize();
+		}
+	else
+		{
+		// No point managing it.
+		is_open = okay_to_manage = 0;
+		return false;
+		}
+
+	val_list* vl = new val_list;
+	Ref(this);
+	vl->append(new Val(this));
+	Event* event = new ::Event(::file_opened, vl);
+	mgr.Dispatch(event, true);
+	return true;
+	}
+
+BroFile::~BroFile()
+	{
+	Close();
+	Unref(t);
+	Unref(attrs);
+
+	delete [] name;
+	delete [] access;
+
+#ifdef USE_OPENSSL
+	delete [] cipher_buffer;
+#endif
+
+#ifdef USE_PERFTOOLS
+	heap_checker->UnIgnoreObject(this);
+#endif
+	}
+
+void BroFile::Init()
+	{
+	is_open = okay_to_manage = is_in_cache = 0;
+	position = 0;
+	next = prev = 0;
+	rotate_timer = 0;
+	rotate_interval = 0.0;
+	rotate_size = current_size = 0.0;
+	open_time = 0;
+	attrs = 0;
+	buffered = true;
+	print_hook = true;
+	raw_output = false;
+	t = 0;
+
+#ifdef USE_OPENSSL
+	pub_key = 0;
+	cipher_ctx = 0;
+	cipher_buffer = 0;
+#endif
+
+#ifdef USE_PERFTOOLS
+	heap_checker->IgnoreObject(this);
+#endif
+	}
+
+FILE* BroFile::File()
+	{
+	if ( okay_to_manage && ! is_in_cache )
+		f = BringIntoCache();
+
+	return f;
+	}
+
+FILE* BroFile::BringIntoCache()
+	{
+	if ( f )
+		internal_error("BroFile non-nil non-open file");
+
+	if ( num_files_in_cache >= max_files_in_cache )
+		PurgeCache();
+
+	if ( position == 0 )
+		// Need to truncate it.
+		f = fopen(name, access);
+	else
+		// Don't clobber it.
+		f = fopen(name, "a");
+
+	if ( ! f )
+		{
+		run_time("can't open %s", this);
+
+		f = fopen("/dev/null", "w");
+
+		if ( ! f )
+			internal_error("out of file descriptors");
+
+		okay_to_manage = 0;
+		return f;
+		}
+
+	UpdateFileSize();
+
+	if ( fseek(f, position, SEEK_SET) < 0 )
+		run_time("reopen seek failed", this);
+
+	InsertAtBeginning();
+
+	return f;
+	}
+
+FILE* BroFile::Seek(long new_position)
+	{
+	if ( ! File() )
+		return 0;
+
+	if ( fseek(f, new_position, SEEK_SET) < 0 )
+		run_time("seek failed", this);
+
+	return f;
+	}
+
+void BroFile::SetBuf(bool arg_buffered)
+	{
+	if ( ! f )
+		return;
+
+	if ( setvbuf(f, NULL, arg_buffered ? _IOFBF : _IOLBF, 0) != 0 )
+		run_time("setvbuf failed", this);
+
+	buffered = arg_buffered;
+	}
+
+int BroFile::Close()
+	{
+	if ( rotate_timer )
+		{
+		timer_mgr->Cancel(rotate_timer);
+		rotate_timer = 0;
+		}
+
+	if ( ! is_open )
+		return 1;
+
+#ifdef USE_OPENSSL
+	FinishEncrypt();
+#endif
+
+	// Do not close stdout/stderr.
+	if ( f == stdout || f == stderr )
+		return 0;
+
+	if ( is_in_cache )
+		{
+		Unlink();
+		if ( f )
+			{
+			fclose(f);
+			f = 0;
+			open_time = 0;
+			}
+
+		is_open = 0;
+		okay_to_manage = 0; // no longer managed since will never reopen
+
+		return 1;
+		}
+
+	// Not managed.
+	if ( ! f )
+		return 0;
+
+	fclose(f);
+	f = 0;
+
+	return 1;
+	}
+
+void BroFile::Suspend()
+	{
+	if ( ! is_in_cache )
+		internal_error("BroFile::Suspend() called for non-cached file");
+	if ( ! is_open )
+		internal_error("BroFile::Suspend() called for non-open file");
+
+	Unlink();
+
+	if ( ! f )
+		internal_error("BroFile::Suspend() called for nil file");
+
+	if ( (position = ftell(f)) < 0 )
+		{
+		run_time("ftell failed", this);
+		position = 0;
+		}
+
+	fclose(f);
+	f = 0;
+	}
+
+void BroFile::PurgeCache()
+	{
+	if ( ! tail )
+		internal_error("BroFile purge of empty cache");
+
+	tail->Suspend();
+	}
+
+void BroFile::Unlink()
+	{
+	if ( is_in_cache )
+		{
+		if ( head == this )
+			head = Next();
+		else
+			Prev()->SetNext(next);
+
+		if ( tail == this )
+			tail = Prev();
+		else
+			Next()->SetPrev(prev);
+
+		if ( (head || tail) && ! (head && tail) )
+			internal_error("BroFile link list botch");
+
+		is_in_cache = 0;
+		prev = next = 0;
+
+		if ( --num_files_in_cache < 0 )
+			internal_error("BroFile underflow of file cache");
+		}
+	}
+
+void BroFile::InsertAtBeginning()
+	{
+	if ( ! head )
+		{
+		head = tail = this;
+		next = prev = 0;
+		}
+	else
+		{
+		SetNext(head);
+		SetPrev(0);
+		head->SetPrev(this);
+		head = this;
+		}
+
+	if ( ++num_files_in_cache > max_files_in_cache )
+		internal_error("BroFile overflow of file cache");
+
+	is_in_cache = 1;
+	}
+
+void BroFile::MoveToBeginning()
+	{
+	if ( head == this )
+		return;	// already at the beginning
+
+	if ( ! is_in_cache || ! prev )
+		internal_error("BroFile inconsistency in MoveToBeginning()");
+
+	Unlink();
+	InsertAtBeginning();
+	}
+
+void BroFile::Describe(ODesc* d) const
+	{
+	d->AddSP("file");
+
+	if ( name )
+		{
+		d->Add("\"");
+		d->Add(name);
+		d->AddSP("\"");
+		}
+
+	d->AddSP("of");
+	if ( t )
+		t->Describe(d);
+	else
+		d->Add("(no type)");
+	}
+
+void BroFile::SetAttrs(Attributes* arg_attrs)
+	{
+	if ( ! arg_attrs )
+		return;
+
+	attrs = arg_attrs;
+	Ref(attrs);
+
+	Attr* ef = attrs->FindAttr(ATTR_ROTATE_INTERVAL);
+	if ( ef )
+		rotate_interval = ef->AttrExpr()->ExprVal()->AsInterval();
+
+	ef = attrs->FindAttr(ATTR_ROTATE_SIZE);
+	if ( ef )
+		rotate_size = ef->AttrExpr()->ExprVal()->AsDouble();
+
+	ef = attrs->FindAttr(ATTR_ENCRYPT);
+	if ( ef )
+		{
+		if ( ef->AttrExpr() )
+			InitEncrypt(ef->AttrExpr()->ExprVal()->AsString()->CheckString());
+		else
+			InitEncrypt(log_encryption_key->AsString()->CheckString());
+		}
+
+	if ( attrs->FindAttr(ATTR_DISABLE_PRINT_HOOK) )
+		DisablePrintHook();
+
+	if ( attrs->FindAttr(ATTR_RAW_OUTPUT) )
+		EnableRawOutput();
+	
+	InstallRotateTimer();
+	}
+
+void BroFile::SetRotateInterval(double secs)
+	{
+	rotate_interval = secs;
+	InstallRotateTimer();
+	}
+
+RecordVal* BroFile::Rotate()
+	{
+	if ( ! is_open )
+		return 0;
+
+	if ( okay_to_manage && ! is_in_cache )
+		BringIntoCache();
+
+	RecordVal* info = new RecordVal(rotate_info);
+	FILE* newf = rotate_file(name, info);
+
+	if ( ! newf )
+		{
+		Unref(info);
+		return 0;
+		}
+
+	info->Assign(2, new Val(open_time, TYPE_TIME));
+
+	Unlink();
+ 	fclose(f);
+	f = 0;
+
+	Open(newf);
+	return info;
+	}
+
+void BroFile::InstallRotateTimer()
+	{
+	if ( terminating )
+		return;
+
+	if ( rotate_timer )
+		{
+		timer_mgr->Cancel(rotate_timer);
+		rotate_timer = 0;
+		}
+
+	if ( rotate_interval )
+		{
+		// When this is called for the first time, network_time can
+		// still be zero. If so, we set a timer which fires
+		// immediately but doesn't rotate when it expires.
+
+		if ( ! network_time )
+			rotate_timer = new RotateTimer(1, this, false);
+		else
+			{
+			if ( ! open_time )
+				open_time = network_time;
+
+			const char* base_time = log_rotate_base_time ?
+				log_rotate_base_time->AsString()->CheckString() : 0;
+
+			double delta_t =
+				calc_next_rotate(rotate_interval, base_time);
+			rotate_timer = new RotateTimer(network_time + delta_t,
+							this, true);
+			}
+
+		timer_mgr->Add(rotate_timer);
+		}
+	}
+
+void BroFile::SetDefaultRotation(double interval, double max_size)
+	{
+	for ( BroFile* f = head; f; f = f->next )
+		{
+		if ( ! (f->attrs && f->attrs->FindAttr(ATTR_ROTATE_INTERVAL)) )
+			{
+			f->rotate_interval = interval;
+			f->InstallRotateTimer();
+			}
+
+		if ( ! (f->attrs && f->attrs->FindAttr(ATTR_ROTATE_SIZE)) )
+			f->rotate_size = max_size;
+		}
+
+	default_rotation_interval = interval;
+	default_rotation_size = max_size;
+	}
+
+void BroFile::CloseCachedFiles()
+	{
+	BroFile* next;
+	for ( BroFile* f = head; f; f = next )
+		{
+		// Send final rotate events (immediately).
+		if ( f->rotate_interval )
+			{
+			val_list* vl = new val_list;
+			Ref(f);
+			vl->append(new Val(f));
+			Event* event = new Event(::rotate_interval, vl);
+			mgr.Dispatch(event, true);
+			}
+
+		if ( f->rotate_size )
+			{
+			val_list* vl = new val_list;
+			Ref(f);
+			vl->append(new Val(f));
+			Event* event = new ::Event(::rotate_size, vl);
+			mgr.Dispatch(event, true);
+			}
+
+		next = f->next;
+		if ( f->is_in_cache )
+			f->Close();
+		}
+	}
+
+#ifndef USE_OPENSSL
+
+void BroFile::InitEncrypt(const char* keyfile)
+	{
+	if ( keyfile )
+		{
+		error("file encryption requested, but OpenSSL support not compiled in.");
+		Close();
+		}
+	}
+
+#else
+
+void BroFile::InitEncrypt(const char* keyfile)
+	{
+	if ( ! (pub_key || keyfile) )
+		return;
+
+	if ( ! pub_key )
+		{
+		FILE* key = fopen(keyfile, "r");
+
+		if ( ! key )
+			{
+			error(fmt("can't open key file %s: %s", keyfile, strerror(errno)));
+			Close();
+			return;
+			}
+
+		pub_key = PEM_read_PUBKEY(key, 0, 0, 0);
+		if ( ! pub_key )
+			{
+			error(fmt("can't read key from %s: %s", keyfile,
+					ERR_error_string(ERR_get_error(), 0)));
+			Close();
+			return;
+			}
+		}
+
+	// Depending on the OpenSSL version, EVP_*_cbc()
+	// returns a const or a non-const.
+	EVP_CIPHER* cipher_type = (EVP_CIPHER*) EVP_bf_cbc();
+	cipher_ctx = new EVP_CIPHER_CTX;
+
+	unsigned char secret[EVP_PKEY_size(pub_key)];
+	unsigned char* psecret = secret;
+	unsigned long secret_len;
+
+	int iv_len = EVP_CIPHER_iv_length(cipher_type);
+	unsigned char iv[iv_len];
+
+	if ( ! EVP_SealInit(cipher_ctx, cipher_type, &psecret,
+				(int*) &secret_len, iv, &pub_key, 1) )
+		{
+		error(fmt("can't init cipher context for %s: %s", keyfile,
+				ERR_error_string(ERR_get_error(), 0)));
+		Close();
+		return;
+		}
+
+	secret_len = htonl(secret_len);
+
+	if ( ! (fwrite("BROENC1", 7, 1, f) &&
+		fwrite(&secret_len, sizeof(secret_len), 1, f) &&
+		fwrite(secret, ntohl(secret_len), 1, f) &&
+		fwrite(iv, iv_len, 1, f)) )
+		{
+		error(fmt("can't write header to log file %s: %s",
+				name, strerror(errno)));
+		Close();
+		return;
+		}
+
+	int buf_size = MIN_BUFFER_SIZE + EVP_CIPHER_block_size(cipher_type);
+	cipher_buffer = new unsigned char[buf_size];
+	}
+#endif
+
+void BroFile::FinishEncrypt()
+	{
+	if ( ! is_open )
+		return;
+
+#ifdef USE_OPENSSL
+	if ( ! pub_key )
+		return;
+
+	if ( cipher_ctx )
+		{
+		int outl;
+		EVP_SealFinal(cipher_ctx, cipher_buffer, &outl);
+
+		if ( outl && ! fwrite(cipher_buffer, outl, 1, f) )
+			{
+			run_time(fmt("write error for %s: %s",
+					name, strerror(errno)));
+			return;
+			}
+
+		delete cipher_ctx;
+		cipher_ctx = 0;
+		}
+#endif
+	}
+
+
+int BroFile::Write(const char* data, int len)
+	{
+	if ( ! is_open )
+		return 0;
+
+	if ( ! is_in_cache && okay_to_manage )
+		BringIntoCache();
+
+	if ( ! len )
+		len = strlen(data);
+
+#ifdef USE_OPENSSL
+	if ( cipher_ctx )
+		{
+		while ( len )
+			{
+			int outl;
+			int inl = min(MIN_BUFFER_SIZE, len);
+
+			if ( ! EVP_SealUpdate(cipher_ctx, cipher_buffer, &outl,
+						(unsigned char*)data, inl) )
+				{
+				run_time(fmt("encryption error for %s: %s",
+					name,
+					ERR_error_string(ERR_get_error(), 0)));
+				Close();
+				return 0;
+				}
+
+			if ( outl && ! fwrite(cipher_buffer, outl, 1, f) )
+				{
+				run_time(fmt("write error for %s: %s",
+						name, strerror(errno)));
+				Close();
+				return 0;
+				}
+
+			data += inl;
+			len -= inl;
+			}
+
+		return 1;
+		}
+#endif
+
+	len = fwrite(data, 1, len, f);
+	if ( len <= 0 )
+		return false;
+
+	if ( rotate_size && current_size < rotate_size && current_size + len >= rotate_size )
+		{
+		val_list* vl = new val_list;
+		vl->append(new Val(this));
+		mgr.QueueEvent(::rotate_size, vl);
+		}
+
+	// This does not work if we seek around. But none of the logs does that
+	// and we avoid stat()'ing the file all the time.
+	current_size += len;
+
+	return true;
+	}
+
+void BroFile::UpdateFileSize()
+	{
+	struct stat s;
+	if ( fstat(fileno(f), &s) < 0 )
+		{
+		run_time(fmt("can't stat fd for %s: %s", name, strerror(errno)));
+		current_size = 0;
+		return;
+		}
+
+	current_size = double(s.st_size);
+	}
+
+bool BroFile::Serialize(SerialInfo* info) const
+	{
+	return SerialObj::Serialize(info);
+	}
+
+BroFile* BroFile::GetFile(const char* name)
+	{
+	for ( BroFile* f = head; f; f = f->next )
+		{
+		if ( f->name && streq(name, f->name) )
+			return f;
+		}
+
+	return new BroFile(name, "w", 0);
+	}
+
+BroFile* BroFile::Unserialize(UnserialInfo* info)
+	{
+	BroFile* file = (BroFile*) SerialObj::Unserialize(info, SER_BRO_FILE);
+
+	if ( ! file )
+		return 0;
+
+	if ( file->is_open )
+		return file;
+
+	// If there is already an object for this file, return it.
+	if ( file->name )
+		{
+		for ( BroFile* f = head; f; f = f->next )
+			{
+			if ( f->name && streq(file->name, f->name) )
+				{
+				Unref(file);
+				Ref(f);
+				return f;
+				}
+			}
+		}
+
+	// Otherwise, open.
+	if ( ! file->Open() )
+		{
+		info->s->Error(fmt("cannot open %s: %s",
+					file->name, strerror(errno)));
+		return 0;
+		}
+
+	// Here comes a hack.  This method will return a pointer to a newly
+	// instantiated file object.  As soon as this pointer is Unref'ed, the
+	// file will be closed.  That means that when we unserialize the same
+	// file next time, we will re-open it and thereby delete the first one,
+	// i.e., we will be keeping to delete what we've written just before.
+	//
+	// To avoid this loop, we do an extra Ref here, i.e., this file will
+	// *never* be closed anymore (as long the file cache does not overflow).
+	Ref(file);
+
+	// We deliberately override log rotation attributes with our defaults.
+	file->rotate_interval = log_rotate_interval;
+	file->rotate_size = log_max_size;
+	file->InstallRotateTimer();
+	file->SetBuf(file->buffered);
+
+	return file;
+	}
+
+IMPLEMENT_SERIAL(BroFile, SER_BRO_FILE);
+
+bool BroFile::DoSerialize(SerialInfo* info) const
+	{
+	DO_SERIALIZE(SER_BRO_FILE, BroObj);
+
+	const char* s = name;
+
+	if ( ! okay_to_manage )
+		{
+		// We can handle stdin/stdout/stderr but no others.
+		if ( f == stdin )
+			s = "/dev/stdin";
+		else if ( f == stdout )
+			s = "/dev/stdout";
+		else if ( f == stderr )
+			s = "/dev/stderr";
+		else
+			{
+			// We don't manage the file, and therefore don't
+			// really know how to pass it on to the other side.
+			// However, in order to not abort communication
+			// when this happens, we still send the name if we
+			// have one; or if we don't, we create a special
+			// "dont-have-a-file" file to be created on the
+			// receiver side.
+			if ( ! s )
+				s = "unmanaged-bro-output-file.log";
+			}
+		}
+
+	if ( ! (SERIALIZE(s) && SERIALIZE(buffered)) )
+		return false;
+
+	SERIALIZE_OPTIONAL_STR(access);
+
+	if ( ! t->Serialize(info) )
+		return false;
+
+	SERIALIZE_OPTIONAL(attrs);
+	return true;
+	}
+
+bool BroFile::DoUnserialize(UnserialInfo* info)
+	{
+	DO_UNSERIALIZE(BroObj);
+
+	if ( ! (UNSERIALIZE_STR(&name, 0) && UNSERIALIZE(&buffered)) )
+		return false;
+
+	UNSERIALIZE_OPTIONAL_STR(access);
+
+	t = BroType::Unserialize(info);
+	if ( ! t )
+		return false;
+
+	UNSERIALIZE_OPTIONAL(attrs, Attributes::Unserialize(info));
+
+	// Parse attributes.
+	SetAttrs(attrs);
+	// SetAttrs() has ref'ed attrs again.
+	Unref(attrs);
+
+	// Bind stdin/stdout/stderr.
+	FILE* file = 0;
+	is_open = false;
+	f = 0;
+
+	if ( streq(name, "/dev/stdin") )
+		file = stdin;
+	else if ( streq(name, "/dev/stdout") )
+		file = stdout;
+	else if ( streq(name, "/dev/stderr") )
+		file = stderr;
+
+	if ( file )
+		{
+		delete [] name;
+		name = 0;
+		f = file;
+		is_open = true;
+		}
+
+	return true;
+	}
diff --git a/src/File.h b/src/File.h
new file mode 100644
index 0000000000..aa76b665b6
--- /dev/null
+++ b/src/File.h
@@ -0,0 +1,162 @@
+// $Id: File.h 6888 2009-08-20 18:23:11Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#ifndef file_h
+#define file_h
+
+#include <fcntl.h>
+#include "util.h"
+#include "Obj.h"
+#include "Attr.h"
+
+#ifdef USE_OPENSSL
+# ifdef NEED_KRB5_H
+#  include <krb5.h>
+# endif // NEED_KRB5_H
+extern "C" {
+# include "openssl/evp.h"
+# include "openssl/pem.h"
+# include "openssl/err.h"
+}
+#endif
+
+class BroType;
+class RotateTimer;
+
+class BroFile : public BroObj {
+public:
+	BroFile(FILE* arg_f);
+	BroFile(FILE* arg_f, const char* filename, const char* access);
+	BroFile(const char* filename, const char* access, BroType* arg_t = 0);
+	virtual ~BroFile();
+
+	const char* Name() const;
+
+	// Returns false if an error occured.
+	int Write(const char* data, int len = 0);
+
+	void Flush()	{ fflush(f); }
+
+	FILE* Seek(long position);	// seek to absolute position
+
+	void SetBuf(bool buffered);	// false=line buffered, true=fully buffered
+
+	BroType* FType() const	{ return t; }
+
+	// Whether the file is open in a general sense; it might
+	// not be open as a Unix file due to our management of
+	// a finite number of FDs.
+	int IsOpen() const	{ return is_open; }
+
+	// Returns true if the close made sense, false if it was already
+	// closed, not active, or whatever.
+	int Close();
+
+	void Describe(ODesc* d) const;
+
+	void SetRotateInterval(double secs);
+
+	// Rotates the logfile. Returns rotate_info.
+	RecordVal* Rotate();
+
+	// Set &rotate_interval, &rotate_size, &postprocessor,
+	// &disable_print_hook, and &raw_output attributes.
+	void SetAttrs(Attributes* attrs);
+
+	// Returns the current size of the file, after fresh stat'ing.
+	double Size()	{ fflush(f); UpdateFileSize(); return current_size; }
+
+	// Set rotate/postprocessor for all files that don't define them
+	// by their own. (interval/max_size=0 for no rotation; size in bytes).
+	static void SetDefaultRotation(double interval, double max_size);
+
+	// Close all files which are managed by us.
+	static void CloseCachedFiles();
+
+	// Get the file with the given name, opening it if it doesn't yet exist.
+	static BroFile* GetFile(const char* name);
+
+	void DisablePrintHook() 	{ print_hook = false; }
+	bool IsPrintHookEnabled() const	{ return print_hook; }
+
+	void EnableRawOutput()		{ raw_output = true; }
+	bool IsRawOutput() const	{ return raw_output; }
+
+	bool Serialize(SerialInfo* info) const;
+	static BroFile* Unserialize(UnserialInfo* info);
+
+protected:
+	friend class RotateTimer;
+
+	BroFile()	{ Init(); }
+	void Init();
+	bool Open(FILE* f = 0);	// if file is given, it's an open file to use
+
+	BroFile* Prev()	{ return prev; }
+	BroFile* Next()	{ return next; }
+	void SetPrev(BroFile* f)	{ prev = f; }
+	void SetNext(BroFile* f)	{ next = f; }
+
+	void Suspend();
+	void PurgeCache();
+	void Unlink();
+	void InsertAtBeginning();
+	void MoveToBeginning();
+	void InstallRotateTimer();
+
+	// Returns nil if the file is not active, was in error, etc.
+	// (Protected because we do not want anyone to write directly
+	// to the file.)
+	FILE* File();
+	FILE* BringIntoCache();
+
+	// Stats the file to get its current size.
+	void UpdateFileSize();
+
+	// Initialize encryption with the given public key.
+	void InitEncrypt(const char* keyfile);
+	// Finalize encryption.
+	void FinishEncrypt();
+
+	DECLARE_SERIAL(BroFile);
+
+	FILE* f;
+	BroType* t;
+	char* name;
+	char* access;
+	int is_in_cache;	// whether it's currently in the open-file cache
+	int is_open;	// whether the file is open in a general sense
+	int okay_to_manage;	// we're allowed to cache/uncache
+	long position;	// only valid if ! is_in_cache
+	BroFile* next;	// doubly-linked list of cached files
+	BroFile* prev;
+	Attributes* attrs;
+	double rotate_interval;
+	bool buffered;
+
+	// Sizes are double's so that it's easy to specify large
+	// ones with scientific notation, and so they can exceed 4GB.
+	double rotate_size;
+	double current_size;
+
+	Timer* rotate_timer;
+	double open_time;
+	bool dont_rotate; // See InstallRotateTimer()
+	bool print_hook;
+	bool raw_output;
+
+	static double default_rotation_interval;
+	static double default_rotation_size;
+
+#ifdef USE_OPENSSL
+	EVP_PKEY* pub_key;
+	EVP_CIPHER_CTX* cipher_ctx;
+
+	static const int MIN_BUFFER_SIZE = 1024;
+	unsigned char* cipher_buffer;
+#endif
+
+};
+
+#endif
diff --git a/src/FileAnalyzer.cc b/src/FileAnalyzer.cc
new file mode 100644
index 0000000000..91645334ad
--- /dev/null
+++ b/src/FileAnalyzer.cc
@@ -0,0 +1,131 @@
+// $Id: FileAnalyzer.cc,v 1.1.4.2 2006/06/01 17:18:10 sommer Exp $
+
+#include "FileAnalyzer.h"
+
+#ifdef HAVE_LIBMAGIC
+magic_t File_Analyzer::magic = 0;
+magic_t File_Analyzer::magic_mime = 0;
+#endif
+
+#ifdef HAVE_LIBCLAMAV
+struct cl_node* File_Analyzer::clam_root = 0;
+#endif
+
+File_Analyzer::File_Analyzer(Connection* conn)
+: TCP_ApplicationAnalyzer(AnalyzerTag::File, conn)
+	{
+	buffer_len = 0;
+
+#ifdef HAVE_LIBMAGIC
+	if ( ! magic )
+		{
+		InitMagic(&magic, MAGIC_NONE);
+		InitMagic(&magic_mime, MAGIC_MIME);
+		}
+#endif
+
+#ifdef HAVE_LIBCLAMAV
+	if ( ! clam_root )
+		InitClamAV();
+#endif
+	}
+
+void File_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
+	{
+	TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
+
+	int n = min(len, BUFFER_SIZE - buffer_len);
+
+	if ( n )
+		{
+		strncpy(buffer + buffer_len, (const char*) data, n);
+		buffer_len += n;
+
+		if ( buffer_len == BUFFER_SIZE )
+			Identify();
+		}
+	return;
+	}
+
+void File_Analyzer::Done()
+	{
+	TCP_ApplicationAnalyzer::Done();
+
+	if ( buffer_len && buffer_len != BUFFER_SIZE )
+		Identify();
+	}
+
+void File_Analyzer::Identify()
+	{
+	const char* descr = 0;
+	const char* mime = 0;
+
+#ifdef HAVE_LIBMAGIC
+	if ( magic )
+		descr = magic_buffer(magic, buffer, buffer_len);
+
+	if ( magic_mime )
+		mime = magic_buffer(magic_mime, buffer, buffer_len);
+#endif
+
+	val_list* vl = new val_list;
+	vl->append(BuildConnVal());
+	vl->append(new StringVal(buffer_len, buffer));
+	vl->append(new StringVal(descr ? descr : "<unknown>"));
+	vl->append(new StringVal(mime ? mime : "<unknown>"));
+	ConnectionEvent(file_transferred, vl);
+
+#ifdef HAVE_LIBCLAMAV
+	const char* virname;
+	int ret = cl_scanbuff(buffer, buffer_len, &virname, clam_root);
+
+	if ( ret == CL_VIRUS )
+		{
+		val_list* vl = new val_list;
+		vl->append(BuildConnVal());
+		vl->append(new StringVal(virname));
+		ConnectionEvent(file_virus, vl);
+		}
+#endif
+	}
+
+#ifdef HAVE_LIBMAGIC
+void File_Analyzer::InitMagic(magic_t* magic, int flags)
+	{
+	*magic = magic_open(flags);
+
+	if ( ! *magic )
+		error(fmt("can't init libmagic: %s", magic_error(*magic)));
+
+	else if ( magic_load(*magic, 0) < 0 )
+		{
+		error(fmt("can't load magic file: %s", magic_error(*magic)));
+		magic_close(*magic);
+		*magic = 0;
+		}
+	}
+#endif
+
+#ifdef HAVE_LIBCLAMAV
+void File_Analyzer::InitClamAV()
+	{
+	unsigned int sigs;
+	int ret = cl_loaddbdir(cl_retdbdir(), &clam_root, &sigs);
+
+	if ( ret )
+		{
+		error(fmt("can't load ClamAV database: %s", cl_perror(ret)));
+		clam_root = 0;
+		return;
+		}
+
+	ret = cl_build(clam_root);
+	if ( ret )
+		{
+		error(fmt("can't init ClamAV database: %s", cl_perror(ret)));
+		cl_free(clam_root);
+		clam_root = 0;
+		return;
+		}
+	}
+#endif
diff --git a/src/FileAnalyzer.h b/src/FileAnalyzer.h
new file mode 100644
index 0000000000..a978181d57
--- /dev/null
+++ b/src/FileAnalyzer.h
@@ -0,0 +1,53 @@
+// $Id:$
+//
+// Analyzer for connections that transfer binary data.
+
+#ifndef FILEANALYZER_H
+#define FILEANALYZER_H
+
+#include "TCP.h"
+
+#ifdef HAVE_LIBMAGIC
+#include <magic.h>
+#endif
+
+#ifdef HAVE_LIBCLAMAV
+#include <clamav.h>
+#endif
+
+class File_Analyzer : public TCP_ApplicationAnalyzer {
+public:
+	File_Analyzer(Connection* conn);
+
+	virtual void Done();
+
+	virtual void DeliverStream(int len, const u_char* data, bool orig);
+
+	static Analyzer* InstantiateAnalyzer(Connection* conn)
+		{ return new File_Analyzer(conn); }
+
+	static bool Available()	{ return file_transferred; }
+
+protected:
+	File_Analyzer()	{}
+
+	void Identify();
+
+	static const int BUFFER_SIZE = 1024;
+	char buffer[BUFFER_SIZE];
+	int buffer_len;
+
+#ifdef HAVE_LIBMAGIC
+	static void InitMagic(magic_t* magic, int flags);
+
+	static magic_t magic;
+	static magic_t magic_mime;
+#endif
+
+#ifdef HAVE_LIBCLAMAV
+	static void InitClamAV();
+	static struct cl_node *clam_root;
+#endif
+};
+
+#endif
diff --git a/src/Finger.cc b/src/Finger.cc
new file mode 100644
index 0000000000..3f617b1c05
--- /dev/null
+++ b/src/Finger.cc
@@ -0,0 +1,91 @@
+// $Id: Finger.cc 6219 2008-10-01 05:39:07Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "config.h"
+
+#include <ctype.h>
+
+#include "NetVar.h"
+#include "Finger.h"
+#include "Event.h"
+#include "TCP_Rewriter.h"
+#include "ContentLine.h"
+
+Finger_Analyzer::Finger_Analyzer(Connection* conn)
+: TCP_ApplicationAnalyzer(AnalyzerTag::Finger, conn)
+	{
+	did_deliver = 0;
+	content_line_orig = new ContentLine_Analyzer(conn, true);
+	content_line_orig->SetIsNULSensitive(true);
+	content_line_resp = new ContentLine_Analyzer(conn, false);
+	AddSupportAnalyzer(content_line_orig);
+	AddSupportAnalyzer(content_line_resp);
+	}
+
+void Finger_Analyzer::Done()
+	{
+	TCP_ApplicationAnalyzer::Done();
+
+	if ( TCP() )
+		if ( (! did_deliver || content_line_orig->HasPartialLine()) &&
+		     (TCP()->OrigState() == TCP_ENDPOINT_CLOSED ||
+		      TCP()->OrigPrevState() == TCP_ENDPOINT_CLOSED) )
+			// ### should include the partial text
+			Weird("partial_finger_request");
+	}
+
+void Finger_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig)
+	{
+	const char* line = (const char*) data;
+	const char* end_of_line = line + length;
+
+	if ( is_orig )
+		{
+		
+		if ( ! finger_request )
+			return;
+
+		line = skip_whitespace(line, end_of_line);
+
+		// Check for /W.
+		int long_cnt = (line + 2 <= end_of_line && line[0] == '/' && toupper(line[1]) == 'W');
+		if ( long_cnt )
+			line = skip_whitespace(line+2, end_of_line);
+
+		const char* at = strchr_n(line, end_of_line, '@');
+		const char* host = 0;
+		if ( ! at )
+			at = host = end_of_line;
+		else
+			host = at + 1;
+
+		val_list* vl = new val_list;
+		vl->append(BuildConnVal());
+		vl->append(new Val(long_cnt, TYPE_BOOL));
+		vl->append(new StringVal(at - line, line));
+		vl->append(new StringVal(end_of_line - host, host));
+
+		if ( finger_request )
+			ConnectionEvent(finger_request, vl);
+
+		Conn()->Match(Rule::FINGER, (const u_char *) line,
+			  end_of_line - line, true, true, 1, true);
+
+		did_deliver = 1;
+		}
+
+	else
+		{
+		if ( ! finger_reply )
+			return;
+
+		val_list* vl = new val_list;
+		vl->append(BuildConnVal());
+		vl->append(new StringVal(end_of_line - line, line));
+
+		ConnectionEvent(finger_reply, vl);
+		}
+	}
+
+#include "finger-rw.bif.func_def"
diff --git a/src/Finger.h b/src/Finger.h
new file mode 100644
index 0000000000..92fc5e6f82
--- /dev/null
+++ b/src/Finger.h
@@ -0,0 +1,34 @@
+// $Id: Finger.h 6219 2008-10-01 05:39:07Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#ifndef finger_h
+#define finger_h
+
+#include "TCP.h"
+
+class ContentLine_Analyzer;
+
+class Finger_Analyzer : public TCP_ApplicationAnalyzer {
+public:
+	Finger_Analyzer(Connection* conn);
+	virtual ~Finger_Analyzer()	{}
+
+	virtual void Done();
+	// Line-based input.
+	virtual void DeliverStream(int len, const u_char* data, bool orig);
+	virtual int RewritingTrace()
+		{ return rewriting_finger_trace || TCP_ApplicationAnalyzer::RewritingTrace(); }
+
+	static Analyzer* InstantiateAnalyzer(Connection* conn)
+		{ return new Finger_Analyzer(conn); }
+
+	static bool Available()	{ return finger_request || finger_reply; }
+
+protected:
+	ContentLine_Analyzer* content_line_orig;
+	ContentLine_Analyzer* content_line_resp;
+	int did_deliver;
+};
+
+#endif
diff --git a/src/FlowSrc.cc b/src/FlowSrc.cc
new file mode 100644
index 0000000000..e97ad8eb25
--- /dev/null
+++ b/src/FlowSrc.cc
@@ -0,0 +1,229 @@
+/// $Id: FlowSrc.cc 4621 2007-07-10 13:37:13Z bager $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+//
+// Written by Bernhard Ager, TU Berlin (2006/2007).
+
+#include <stdio.h>
+#include <unistd.h>
+#include <fcntl.h>
+#include <netdb.h>
+
+#include "FlowSrc.h"
+#include "Net.h"
+#include "netflow_pac.h"
+
+FlowSrc::FlowSrc()
+	{ // TODO: v9.
+	idle = false;
+	data = 0;
+	current_timestamp = next_timestamp = 0.0;
+	netflow_analyzer = new binpac::NetFlow::NetFlow_Analyzer();
+	}
+
+FlowSrc::~FlowSrc()
+	{
+	delete netflow_analyzer;
+	}
+
+void FlowSrc::GetFds(int* read, int* write, int* except)
+	{
+#ifdef USE_SELECT_LOOP
+	if ( selectable_fd >= 0 )
+		*read = selectable_fd;
+#endif
+	}
+
+double FlowSrc::NextTimestamp(double* network_time)
+	{
+	if ( ! data && ! ExtractNextPDU() )
+		return -1.0;
+	else
+		return next_timestamp;
+	}
+
+void FlowSrc::Process()
+	{
+	if ( ! data && ! ExtractNextPDU() )
+		return;
+
+	// This is normally done by calling net_packet_dispatch(),
+	// but as we don't have a packet to dispatch ...
+	network_time = next_timestamp;
+	expire_timers();
+
+	netflow_analyzer->downflow()->set_exporter_ip(exporter_ip);
+
+	// We handle exceptions in NewData (might have changed w/ new binpac).
+	netflow_analyzer->NewData(0, data, data + pdu_len);
+	data = 0;
+	}
+
+void FlowSrc::Close()
+	{
+	close(selectable_fd);
+	}
+
+
+FlowSocketSrc::~FlowSocketSrc()
+	{
+	delete [] listenparms;
+	}
+
+int FlowSocketSrc::ExtractNextPDU()
+	{
+	sockaddr_in from;
+	socklen_t fromlen = sizeof(from);
+	pdu_len = recvfrom(selectable_fd, buffer, NF_MAX_PKT_SIZE, 0,
+				(struct sockaddr*) &from, &fromlen);
+	if ( pdu_len < 0 )
+		{
+		run_time("problem reading NetFlow data from socket");
+		data = 0;
+		next_timestamp = -1.0;
+		closed = 1;
+		return 0;
+		}
+
+	if ( fromlen != sizeof(from) )
+		{
+		run_time("malformed NetFlow PDU");
+		return 0;
+		}
+
+	data = buffer;
+	exporter_ip = from.sin_addr.s_addr;
+	next_timestamp = current_time();
+
+	if ( next_timestamp < current_timestamp )
+		next_timestamp = current_timestamp;
+	else
+		current_timestamp = next_timestamp;
+
+	return 1;
+	}
+
+FlowSocketSrc::FlowSocketSrc(const char* listen_parms)
+	{
+	int n = strlen(listen_parms) + 1;
+
+	char laddr[n], port[n], ident[n];
+	laddr[0] = port[0] = ident[0] = '\0';
+
+	int ret = sscanf(listen_parms, "%[^:]:%[^=]=%s", laddr, port, ident);
+	if ( ret < 2 )
+		{
+		snprintf(errbuf, BRO_FLOW_ERRBUF_SIZE,
+			"parsing your listen-spec went nuts: laddr='%s', port='%s'\n",
+			laddr[0] ? laddr : "", port[0] ? port : "");
+		closed = 1;
+		return;
+		}
+
+	const char* id = (ret == 3) ? ident : listen_parms;
+	netflow_analyzer->downflow()->set_identifier(id);
+
+	struct addrinfo aiprefs = {
+		0, PF_INET, SOCK_DGRAM, IPPROTO_UDP, 0, NULL, NULL, NULL
+	};
+	struct addrinfo* ainfo = 0;
+	if ( (ret = getaddrinfo(laddr, port, &aiprefs, &ainfo)) != 0 )
+		{
+		snprintf(errbuf, BRO_FLOW_ERRBUF_SIZE,
+				"getaddrinfo(%s, %s, ...): %s",
+				laddr, port, gai_strerror(ret));
+		closed = 1;
+		return;
+		}
+
+	if ( (selectable_fd = socket (PF_INET, SOCK_DGRAM, 0)) < 0 )
+		{
+		snprintf(errbuf, BRO_FLOW_ERRBUF_SIZE,
+				"socket: %s", strerror(errno));
+		closed = 1;
+		goto cleanup;
+		}
+
+	if ( bind (selectable_fd, ainfo->ai_addr, ainfo->ai_addrlen) < 0 )
+		{
+		snprintf(errbuf, BRO_FLOW_ERRBUF_SIZE,
+				"bind: %s", strerror(errno));
+		closed = 1;
+		goto cleanup;
+		}
+
+cleanup:
+	freeaddrinfo(ainfo);
+	}
+
+
+FlowFileSrc::~FlowFileSrc()
+	{
+	delete [] readfile;
+	}
+
+int FlowFileSrc::ExtractNextPDU()
+	{
+	FlowFileSrcPDUHeader pdu_header;
+
+	if ( read(selectable_fd, &pdu_header, sizeof(pdu_header)) <
+	     int(sizeof(pdu_header)) )
+		return Error(errno, "read header");
+
+	if ( pdu_header.pdu_length > NF_MAX_PKT_SIZE )
+		{
+		run_time("NetFlow packet too long");
+
+		// Safely skip over the too-long PDU.
+		if ( lseek(selectable_fd, pdu_header.pdu_length, SEEK_CUR) < 0 )
+			return Error(errno, "lseek");
+		return 0;
+		}
+
+	if ( read(selectable_fd, buffer, pdu_header.pdu_length) <
+	     pdu_header.pdu_length )
+		return Error(errno, "read data");
+
+	if ( next_timestamp < pdu_header.network_time )
+		{
+		next_timestamp = pdu_header.network_time;
+		current_timestamp = pdu_header.network_time;
+		}
+	else
+		current_timestamp = next_timestamp;
+
+	data = buffer;
+	pdu_len = pdu_header.pdu_length;
+	exporter_ip = pdu_header.ipaddr;
+
+	return 1;
+	}
+
+FlowFileSrc::FlowFileSrc(const char* readfile)
+	{
+	int n = strlen(readfile) + 1;
+	char ident[n];
+	this->readfile = new char[n];
+
+	int ret = sscanf(readfile, "%[^=]=%s", this->readfile, ident);
+	const char* id = (ret == 2) ? ident : this->readfile;
+	netflow_analyzer->downflow()->set_identifier(id);
+
+	selectable_fd = open(this->readfile, O_RDONLY);
+	if ( selectable_fd < 0 )
+		{
+		closed = 1;
+		snprintf(errbuf, BRO_FLOW_ERRBUF_SIZE,
+				"open: %s", strerror(errno));
+		}
+	}
+
+int FlowFileSrc::Error(int errlvl, const char* errmsg)
+	{
+	snprintf(errbuf, BRO_FLOW_ERRBUF_SIZE,
+			"%s: %s", errmsg, strerror(errlvl));
+	data = 0;
+	next_timestamp = -1.0;
+	closed = 1;
+	return 0;
+	}
diff --git a/src/FlowSrc.h b/src/FlowSrc.h
new file mode 100644
index 0000000000..3173badf66
--- /dev/null
+++ b/src/FlowSrc.h
@@ -0,0 +1,89 @@
+// $Id: FlowSrc.h 4618 2007-07-09 18:12:32Z bager $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+//
+// Written by Bernhard Ager, TU Berlin (2006/2007).
+
+#ifndef flowsrc_h
+#define flowsrc_h
+
+#include "IOSource.h"
+#include "NetVar.h"
+#include "binpac.h"
+
+#define BRO_FLOW_ERRBUF_SIZE 512
+
+// TODO: 1500 is enough for v5 - how about the others?
+// 65536 would be enough for any UDP packet.
+#define NF_MAX_PKT_SIZE 8192
+
+struct FlowFileSrcPDUHeader {
+	double network_time;
+	int pdu_length;
+	uint32 ipaddr;
+};
+
+// Avoid including netflow_pac.h by explicitly declaring the NetFlow_Analyzer.
+namespace binpac {
+	namespace NetFlow {
+		class NetFlow_Analyzer;
+	}
+}
+
+class FlowSrc : public IOSource {
+public:
+	virtual ~FlowSrc();
+
+	// IOSource interface:
+	bool IsReady();
+	void GetFds(int* read, int* write, int* except);
+	double NextTimestamp(double* network_time);
+	void Process();
+
+	const char* Tag()		{ return "FlowSrc"; }
+	const char* ErrorMsg() const	{ return errbuf; }
+
+protected:
+	FlowSrc();
+
+	virtual int ExtractNextPDU() = 0;
+	virtual void Close();
+
+	int selectable_fd;
+
+	double current_timestamp;
+	double next_timestamp;
+	binpac::NetFlow::NetFlow_Analyzer* netflow_analyzer;
+
+	u_char buffer[NF_MAX_PKT_SIZE];
+	u_char* data;
+	int pdu_len;
+	uint32 exporter_ip;	// in network byte order
+
+	char errbuf[BRO_FLOW_ERRBUF_SIZE];
+};
+
+class FlowSocketSrc : public FlowSrc {
+public:
+	FlowSocketSrc(const char* listen_parms);
+	virtual ~FlowSocketSrc();
+
+	int ExtractNextPDU();
+
+protected:
+	char* listenparms;
+};
+
+class FlowFileSrc : public FlowSrc {
+public:
+	FlowFileSrc(const char* readfile);
+	~FlowFileSrc();
+
+	int ExtractNextPDU();
+
+protected:
+	int Error(int errlvl, const char* errmsg);
+	char* readfile;
+};
+
+#endif
diff --git a/src/Frag.cc b/src/Frag.cc
new file mode 100644
index 0000000000..b8cc5b5776
--- /dev/null
+++ b/src/Frag.cc
@@ -0,0 +1,247 @@
+// $Id: Frag.cc 6219 2008-10-01 05:39:07Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "config.h"
+
+#include "util.h"
+#include "Hash.h"
+#include "Frag.h"
+#include "NetVar.h"
+#include "Sessions.h"
+
+#define MIN_ACCEPTABLE_FRAG_SIZE 64
+#define MAX_ACCEPTABLE_FRAG_SIZE 64000
+
+FragTimer::~FragTimer()
+	{
+	if ( f )
+		f->ClearTimer();
+	}
+
+void FragTimer::Dispatch(double t, int /* is_expire */)
+	{
+	if ( f )
+		f->Expire(t);
+	else
+		internal_error("fragment timer dispatched w/o reassembler");
+	}
+
+FragReassembler::FragReassembler(NetSessions* arg_s,
+			const IP_Hdr* ip, const u_char* pkt,
+			uint32 frag_field, HashKey* k, double t)
+: Reassembler(0, ip->DstAddr(), REASSEM_IP)
+	{
+	s = arg_s;
+	key = k;
+	const struct ip* ip4 = ip->IP4_Hdr();
+	proto_hdr_len = ip4->ip_hl * 4;
+	proto_hdr = (struct ip*) new u_char[64];	// max IP header + slop
+	// Don't do a structure copy - need to pick up options, too.
+	memcpy((void*) proto_hdr, (const void*) ip4, proto_hdr_len);
+
+	reassembled_pkt = 0;
+	frag_size = 0;	// flag meaning "not known"
+
+	AddFragment(t, ip, pkt, frag_field);
+
+	if ( frag_timeout != 0.0 )
+		{
+		expire_timer = new FragTimer(this, t + frag_timeout);
+		timer_mgr->Add(expire_timer);
+		}
+	else
+		expire_timer = 0;
+	}
+
+FragReassembler::~FragReassembler()
+	{
+	DeleteTimer();
+	delete [] proto_hdr;
+	delete reassembled_pkt;
+	delete key;
+	}
+
+void FragReassembler::AddFragment(double t, const IP_Hdr* ip, const u_char* pkt,
+				uint32 frag_field)
+	{
+	const struct ip* ip4 = ip->IP4_Hdr();
+
+	if ( ip4->ip_p != proto_hdr->ip_p || ip4->ip_hl != proto_hdr->ip_hl )
+		// || ip4->ip_tos != proto_hdr->ip_tos
+		// don't check TOS, there's at least one stack that actually
+		// uses different values, and it's hard to see an associated
+		// attack.
+		s->Weird("fragment_protocol_inconsistency", ip);
+
+	if ( frag_field & 0x4000 )
+		// Linux MTU discovery for UDP can do this, for example.
+		s->Weird("fragment_with_DF", ip);
+
+	int offset = (ntohs(ip4->ip_off) & 0x1fff) * 8;
+	int len = ntohs(ip4->ip_len);
+	int hdr_len = proto_hdr->ip_hl * 4;
+	int upper_seq = offset + len - hdr_len;
+
+	if ( (frag_field & 0x2000) == 0 )
+		{
+		// Last fragment.
+		if ( frag_size == 0 )
+			frag_size = upper_seq;
+
+		else if ( upper_seq != frag_size )
+			{
+			s->Weird("fragment_size_inconsistency", ip);
+
+			if ( upper_seq > frag_size )
+				frag_size = upper_seq;
+			}
+		}
+
+	else if ( len < MIN_ACCEPTABLE_FRAG_SIZE )
+		s->Weird("excessively_small_fragment", ip);
+
+	if ( upper_seq > MAX_ACCEPTABLE_FRAG_SIZE )
+		s->Weird("excessively_large_fragment", ip);
+
+	if ( frag_size && upper_seq > frag_size )
+		{
+		// This can happen if we receive a fragment that's *not*
+		// the last fragment, but still imputes a size that's
+		// larger than the size we derived from a previously-seen
+		// "last fragment".
+
+		s->Weird("fragment_size_inconsistency", ip);
+		frag_size = upper_seq;
+		}
+
+	// Do we need to check for consistent options?  That's tricky
+	// for things like LSRR that get modified in route.
+
+	// Remove header.
+	pkt += hdr_len;
+	len -= hdr_len;
+
+	NewBlock(network_time, offset, len, pkt);
+	}
+
+void FragReassembler::Overlap(const u_char* b1, const u_char* b2, int n)
+	{
+	IP_Hdr proto_h((const struct ip*) proto_hdr);
+
+	if ( memcmp((const void*) b1, (const void*) b2, n) )
+		s->Weird("fragment_inconsistency", &proto_h);
+	else
+		s->Weird("fragment_overlap", &proto_h);
+	}
+
+void FragReassembler::BlockInserted(DataBlock* /* start_block */)
+	{
+	if ( blocks->seq > 0 || ! frag_size )
+		// For sure don't have it all yet.
+		return;
+
+	// We might have it all - look for contiguous all the way.
+	DataBlock* b;
+	for ( b = blocks; b->next; b = b->next )
+		if ( b->upper != b->next->seq )
+			break;
+
+	if ( b->next )
+		{
+		// We have a hole.
+		if ( b->upper >= frag_size )
+			{
+			// We're stuck.  The point where we stopped is
+			// contiguous up through the expected end of
+			// the fragment, but there's more stuff still
+			// beyond it, which is not contiguous.  This
+			// can happen for benign reasons when we're
+			// intermingling parts of two fragmented packets.
+
+			IP_Hdr proto_h((const struct ip*) proto_hdr);
+			s->Weird("fragment_size_inconsistency", &proto_h);
+
+			// We decide to analyze the contiguous portion now.
+			// Extend the fragment up through the end of what
+			// we have.
+			frag_size = b->upper;
+			}
+		else
+			return;
+		}
+
+	else if ( last_block->upper > frag_size )
+		{
+		IP_Hdr proto_h((const struct ip*) proto_hdr);
+		s->Weird("fragment_size_inconsistency", &proto_h);
+		frag_size = last_block->upper;
+		}
+
+	else if ( last_block->upper < frag_size )
+		// Missing the tail.
+		return;
+
+	// We have it all.  Compute the expected size of the fragment.
+	int n = proto_hdr_len + frag_size;
+
+	// It's possible that we have blocks associated with this fragment
+	// that exceed this size, if we saw MF fragments (which don't lead
+	// to us setting frag_size) that went beyond the size indicated by
+	// the final, non-MF fragment.  This can happen for benign reasons
+	// due to intermingling of fragments from an older datagram with those
+	// for a more recent one.
+
+	u_char* pkt = new u_char[n];
+	memcpy((void*) pkt, (const void*) proto_hdr, proto_hdr_len);
+
+	struct ip* reassem4 = (struct ip*) pkt;
+	reassem4->ip_len = htons(frag_size + proto_hdr_len);
+
+	pkt += proto_hdr_len;
+
+	for ( b = blocks; b; b = b->next )
+		{
+		// If we're above a hole, stop.  This can happen because
+		// the logic above regarding a hole that's above the
+		// expected fragment size.
+		if ( b->prev && b->prev->upper < b->seq )
+			break;
+
+		if ( b->upper > n )
+			internal_error("bad fragment reassembly");
+
+		memcpy((void*) &pkt[b->seq], (const void*) b->block,
+			b->upper - b->seq);
+		}
+
+	delete reassembled_pkt;
+	reassembled_pkt = new IP_Hdr(reassem4);
+
+	DeleteTimer();
+	}
+
+void FragReassembler::Expire(double t)
+	{
+	while ( blocks )
+		{
+		DataBlock* b = blocks->next;
+		delete blocks;
+		blocks = b;
+		}
+
+	expire_timer->ClearReassembler();
+	expire_timer = 0;	// timer manager will delete it
+
+	sessions->Remove(this);
+	}
+
+void FragReassembler::DeleteTimer()
+	{
+	if ( expire_timer )
+		{
+		expire_timer->ClearReassembler();
+		timer_mgr->Cancel(expire_timer);
+		expire_timer = 0;	// timer manager will delete it
+		}
+	}
diff --git a/src/Frag.h b/src/Frag.h
new file mode 100644
index 0000000000..ddd5f73144
--- /dev/null
+++ b/src/Frag.h
@@ -0,0 +1,68 @@
+// $Id: Frag.h 6219 2008-10-01 05:39:07Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#ifndef frag_h
+#define frag_h
+
+#include "util.h"
+#include "IP.h"
+#include "Net.h"
+#include "Reassem.h"
+#include "Timer.h"
+
+class HashKey;
+class NetSessions;
+
+class FragReassembler;
+class FragTimer;
+
+typedef void (FragReassembler::*frag_timer_func)(double t);
+
+class FragReassembler : public Reassembler {
+public:
+	FragReassembler(NetSessions* s, const IP_Hdr* ip, const u_char* pkt,
+			uint32 frag_field, HashKey* k, double t);
+	~FragReassembler();
+
+	void AddFragment(double t, const IP_Hdr* ip, const u_char* pkt,
+				uint32 frag_field);
+
+	void Expire(double t);
+	void DeleteTimer();
+	void ClearTimer()	{ expire_timer = 0; }
+
+	const IP_Hdr* ReassembledPkt()	{ return reassembled_pkt; }
+	HashKey* Key() const	{ return key; }
+
+protected:
+	void BlockInserted(DataBlock* start_block);
+	void Overlap(const u_char* b1, const u_char* b2, int n);
+
+	struct ip* proto_hdr;
+	IP_Hdr* reassembled_pkt;
+	int proto_hdr_len;
+	NetSessions* s;
+	int frag_size;	// size of fully reassembled fragment
+	HashKey* key;
+
+	FragTimer* expire_timer;
+};
+
+class FragTimer : public Timer {
+public:
+	FragTimer(FragReassembler* arg_f, double arg_t)
+		: Timer(arg_t, TIMER_FRAG)
+			{ f = arg_f; }
+	~FragTimer();
+
+	void Dispatch(double t, int is_expire);
+
+	// Break the association between this timer and its creator.
+	void ClearReassembler()	{ f = 0; }
+
+protected:
+	FragReassembler* f;
+};
+
+#endif
diff --git a/src/Frame.cc b/src/Frame.cc
new file mode 100644
index 0000000000..4eeb7e1fcc
--- /dev/null
+++ b/src/Frame.cc
@@ -0,0 +1,101 @@
+// $Id: Frame.cc 6219 2008-10-01 05:39:07Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "config.h"
+
+#include "Frame.h"
+#include "Stmt.h"
+#include "Func.h"
+#include "Trigger.h"
+
+vector<Frame*> g_frame_stack;
+
+Frame::Frame(int arg_size, const BroFunc* func, const val_list* fn_args)
+	{
+	size = arg_size;
+	frame = new Val*[size];
+	function = func;
+	func_args = fn_args;
+
+	next_stmt = 0;
+	break_before_next_stmt = false;
+	break_on_return = false;
+
+	trigger = 0;
+	call = 0;
+	delayed = false;
+
+	Clear();
+	}
+
+Frame::~Frame()
+	{
+	Unref(trigger);
+	Release();
+	}
+
+void Frame::Release()
+	{
+	for ( int i = 0; i < size; ++i )
+		Unref(frame[i]);
+
+	delete [] frame;
+	}
+
+void Frame::Describe(ODesc* d) const
+	{
+	if ( ! d->IsBinary() )
+		d->AddSP("frame");
+
+	if ( ! d->IsReadable() )
+		{
+		d->Add(size);
+
+		for ( int i = 0; i < size; ++i )
+			 {
+			 d->Add(frame[i] != 0);
+			 d->SP();
+			 }
+		}
+
+	for ( int i = 0; i < size; ++i )
+		if ( frame[i] )
+			frame[i]->Describe(d);
+		else if ( d->IsReadable() )
+			d->Add("<nil>");
+	}
+
+void Frame::Clear()
+	{
+	for ( int i = 0; i < size; ++i )
+		frame[i] = 0;
+	}
+
+Frame* Frame::Clone()
+	{
+	Frame* f = new Frame(size, function, func_args);
+
+	for ( int i = 0; i < size; ++i )
+		f->frame[i] = frame[i] ? frame[i]->Clone() : 0;
+
+	if ( trigger )
+		Ref(trigger);
+	f->trigger = trigger;
+	f->call = call;
+
+	return f;
+	}
+
+void Frame::SetTrigger(Trigger* arg_trigger)
+	{
+	if ( arg_trigger )
+		Ref(arg_trigger);
+	trigger = arg_trigger;
+	}
+
+void Frame::ClearTrigger()
+	{
+	Unref(trigger);
+	trigger = 0;
+	}
diff --git a/src/Frame.h b/src/Frame.h
new file mode 100644
index 0000000000..34a4f63f89
--- /dev/null
+++ b/src/Frame.h
@@ -0,0 +1,88 @@
+// $Id: Frame.h 6219 2008-10-01 05:39:07Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#ifndef frame_h
+#define frame_h
+
+#include <vector>
+using namespace std;
+
+#include "Val.h"
+
+class BroFunc;
+class Trigger;
+class CallExpr;
+
+class Frame : public BroObj {
+public:
+	Frame(int size, const BroFunc* func, const val_list *fn_args);
+	~Frame();
+
+	Val* NthElement(int n)		{ return frame[n]; }
+	void SetElement(int n, Val* v)
+		{
+		Unref(frame[n]);
+		frame[n] = v;
+		}
+
+	void Release();
+
+	void Describe(ODesc* d) const;
+
+	// For which function is this stack frame.
+	const BroFunc* GetFunction() const	{ return function; }
+	const val_list* GetFuncArgs() const	{ return func_args; }
+
+	// Next statement to be executed in the context of this frame.
+	void SetNextStmt(Stmt* stmt)	{ next_stmt = stmt; }
+	Stmt* GetNextStmt() const	{ return next_stmt; }
+
+	// Used to implement "next" command in debugger.
+	void BreakBeforeNextStmt(bool should_break)
+		{ break_before_next_stmt = should_break; }
+	bool BreakBeforeNextStmt() const
+		{ return break_before_next_stmt; }
+
+	// Used to implement "finish" command in debugger.
+	void BreakOnReturn(bool should_break)
+		{ break_on_return = should_break; }
+	bool BreakOnReturn() const	{ return break_on_return; }
+
+	// Deep-copies values.
+	Frame* Clone();
+
+	// If the frame is run in the context of a trigger condition evaluation,
+	// the trigger needs to be registered.
+	void SetTrigger(Trigger* arg_trigger);
+	void ClearTrigger();
+	Trigger* GetTrigger() const		{ return trigger; }
+
+	void SetCall(const CallExpr* arg_call)	{ call = arg_call; }
+	void ClearCall()			{ call = 0; }
+	const CallExpr* GetCall() const		{ return call; }
+
+	void SetDelayed()	{ delayed = true; }
+	bool HasDelayed() const	{ return delayed; }
+
+protected:
+	void Clear();
+
+	Val** frame;
+	int size;
+
+	const BroFunc* function;
+	const val_list* func_args;
+	Stmt* next_stmt;
+
+	bool break_before_next_stmt;
+	bool break_on_return;
+
+	Trigger* trigger;
+	const CallExpr* call;
+	bool delayed;
+};
+
+extern vector<Frame*> g_frame_stack;
+
+#endif
diff --git a/src/Func.cc b/src/Func.cc
new file mode 100644
index 0000000000..0657cfa2c4
--- /dev/null
+++ b/src/Func.cc
@@ -0,0 +1,575 @@
+// $Id: Func.cc 6703 2009-05-13 22:27:44Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "config.h"
+
+#include <sys/types.h>
+#include <sys/stat.h>
+#if TIME_WITH_SYS_TIME
+# include <sys/time.h>
+# include <time.h>
+#else
+# if HAVE_SYS_TIME_H
+#  include <sys/time.h>
+# else
+#  include <time.h>
+# endif
+#endif
+#include <sys/resource.h>
+
+#include <netinet/in.h>
+
+#include <stdlib.h>
+#include <errno.h>
+#include <ctype.h>
+
+#include <sys/param.h>
+#include <netdb.h>
+#include <unistd.h>
+#include <signal.h>
+
+#include <algorithm>
+
+#include "md5.h"
+#include "Base64.h"
+#include "Stmt.h"
+#include "Scope.h"
+#include "Net.h"
+#include "NetVar.h"
+#include "File.h"
+#include "Func.h"
+#include "Frame.h"
+#include "Var.h"
+#include "Login.h"
+#include "Sessions.h"
+#include "RE.h"
+#include "Serializer.h"
+#include "RemoteSerializer.h"
+#include "Event.h"
+#include "Traverse.h"
+
+extern	RETSIGTYPE sig_handler(int signo);
+
+const Expr* calling_expr = 0;
+bool did_builtin_init = false;
+
+
+Func::~Func()
+	{
+	}
+
+void Func::AddBody(Stmt* /* new_body */, id_list* /* new_inits */,
+			int /* new_frame_size */, int /* priority */)
+	{
+	Internal("Func::AddBody called");
+	}
+
+bool Func::Serialize(SerialInfo* info) const
+	{
+	return SerialObj::Serialize(info);
+	}
+
+Func* Func::Unserialize(UnserialInfo* info)
+	{
+	Func* f = (Func*) SerialObj::Unserialize(info, SER_FUNC);
+
+	// For builtins, we return a reference to the (hopefully) already
+	// existing function.
+	if ( f && f->kind == BUILTIN_FUNC )
+		{
+		const char* name = ((BuiltinFunc*) f)->Name();
+		ID* id = global_scope()->Lookup(name);
+		if ( ! id )
+			{
+			info->s->Error(fmt("can't find built-in %s", name));
+			return 0;
+			}
+
+		if ( ! (id->HasVal() && id->ID_Val()->Type()->Tag() == TYPE_FUNC) )
+			{
+			info->s->Error(fmt("ID %s is not a built-in", name));
+			return false;
+			}
+
+		Unref(f);
+		f = id->ID_Val()->AsFunc();
+		Ref(f);
+		}
+
+	return f;
+	}
+
+bool Func::DoSerialize(SerialInfo* info) const
+	{
+	DO_SERIALIZE(SER_FUNC, BroObj);
+
+	if ( ! SERIALIZE(int(bodies.size())) )
+		return false;
+
+	for ( unsigned int i = 0; i < bodies.size(); ++i )
+		{
+		if ( ! bodies[i].stmts->Serialize(info) )
+			return false;
+		if ( ! SERIALIZE(bodies[i].priority) )
+			return false;
+		}
+
+	if ( ! SERIALIZE(char(kind) ) )
+		return false;
+
+	// We don't serialize scope as only global functions are considered here
+	// anyway.
+	return true;
+	}
+
+bool Func::DoUnserialize(UnserialInfo* info)
+	{
+	DO_UNSERIALIZE(BroObj);
+
+	int len;
+	if ( ! UNSERIALIZE(&len) )
+		return false;
+
+	while ( len-- )
+		{
+		Body b;
+		b.stmts = Stmt::Unserialize(info);
+		if ( ! b.stmts )
+			return false;
+
+		if ( ! UNSERIALIZE(&b.priority) )
+			return false;
+
+		bodies.push_back(b);
+		}
+
+	char c;
+	if ( ! UNSERIALIZE(&c) )
+		return false;
+
+	kind = (Kind) c;
+	return true;
+	}
+
+void Func::DescribeDebug(ODesc* d, const val_list* args) const
+	{
+	id->Describe(d);
+	RecordType* func_args = FType()->Args();
+
+	if ( args )
+		{
+		d->Add("(");
+
+		for ( int i = 0; i < args->length(); ++i )
+			{
+			// Handle varargs case (more args than formals).
+			if ( i >= func_args->NumFields() )
+				{
+				d->Add("vararg");
+				d->Add(i - func_args->NumFields());
+				}
+			else
+				d->Add(func_args->FieldName(i));
+
+			d->Add(" = '");
+			(*args)[i]->Describe(d);
+
+			if ( i < args->length() - 1 )
+				d->Add("', ");
+			else
+				d->Add("'");
+			}
+
+		d->Add(")");
+		}
+	}
+
+void Func::SetID(ID *arg_id)
+	{
+	id = arg_id;
+
+	return_value =
+		new ID(string(string(id->Name()) + "_returnvalue").c_str(),
+			SCOPE_FUNCTION, false);
+	return_value->SetType(FType()->YieldType()->Ref());
+	}
+
+ID* Func::GetReturnValueID() const
+	{
+	return return_value;
+	}
+
+TraversalCode Func::Traverse(TraversalCallback* cb) const
+	{
+	// FIXME: Make a fake scope for builtins?
+	Scope* old_scope = cb->current_scope;
+	cb->current_scope = scope;
+
+	TraversalCode tc = cb->PreFunction(this);
+	HANDLE_TC_STMT_PRE(tc);
+
+	// FIXME: Traverse arguments to builtin functions, too.
+	if ( kind == BRO_FUNC )
+		{
+		tc = scope->Traverse(cb);
+		HANDLE_TC_STMT_PRE(tc);
+
+		if ( GetReturnValueID() )
+			{
+			tc = GetReturnValueID()->Traverse(cb);
+			HANDLE_TC_STMT_PRE(tc);
+			}
+
+		for ( unsigned int i = 0; i < bodies.size(); ++i )
+			{
+			tc = bodies[i].stmts->Traverse(cb);
+			HANDLE_TC_STMT_PRE(tc);
+			}
+		}
+
+	tc = cb->PostFunction(this);
+
+	cb->current_scope = old_scope;
+	HANDLE_TC_STMT_POST(tc);
+	}
+
+BroFunc::BroFunc(ID* arg_id, Stmt* arg_body, id_list* aggr_inits,
+		int arg_frame_size)
+: Func(BRO_FUNC)
+	{
+	id = arg_id;
+	Body b;
+	b.stmts = AddInits(arg_body, aggr_inits);
+	b.priority = 0;
+	bodies.push_back(b);
+	frame_size = arg_frame_size;
+	}
+
+BroFunc::~BroFunc()
+	{
+	Unref(id);
+	for ( unsigned int i = 0; i < bodies.size(); ++i )
+		Unref(bodies[i].stmts);
+	}
+
+int BroFunc::IsPure() const
+	{
+	for ( unsigned int i = 0; i < bodies.size(); ++i )
+		if ( ! bodies[i].stmts->IsPure() )
+			return 0;
+
+	return 1;
+	}
+
+Val* BroFunc::Call(val_list* args, Frame* parent) const
+	{
+#ifdef PROFILE_BRO_FUNCTIONS
+	DEBUG_MSG("Function: %s\n", id->Name());
+#endif
+	SegmentProfiler(segment_logger, location);
+	Frame* f = new Frame(frame_size, this, args);
+
+	// Hand down any trigger.
+	if ( parent )
+		{
+		f->SetTrigger(parent->GetTrigger());
+		f->SetCall(parent->GetCall());
+		}
+
+	g_frame_stack.push_back(f);	// used for backtracing
+
+	if ( g_trace_state.DoTrace() )
+		{
+		ODesc d;
+		DescribeDebug(&d, args);
+
+		g_trace_state.LogTrace("%s called: %s\n",
+			IsEvent() ? "event" : "function", d.Description());
+		}
+
+	loop_over_list(*args, i)
+		f->SetElement(i, (*args)[i]);
+
+	stmt_flow_type flow;
+
+	Val* result = 0;
+
+	if ( sample_logger )
+		sample_logger->FunctionSeen(this);
+
+	for ( unsigned int i = 0; i < bodies.size(); ++i )
+		{
+		if ( sample_logger )
+			sample_logger->LocationSeen(
+				bodies[i].stmts->GetLocationInfo());
+
+		Unref(result);
+		result = bodies[i].stmts->Exec(f, flow);
+
+		if ( f->HasDelayed() )
+			{
+			assert(! result);
+			assert(parent);
+			parent->SetDelayed();
+			break;
+			}
+		}
+
+	// Warn if the function returns something, but we returned from
+	// the function without an explicit return, or without a value.
+	if ( FType()->YieldType() && FType()->YieldType()->Tag() != TYPE_VOID &&
+	     (flow != FLOW_RETURN /* we fell off the end */ ||
+	      ! result /* explicit return with no result */) &&
+	     ! f->HasDelayed() )
+		warn("non-void function returns without a value:", id->Name());
+
+	if ( result && g_trace_state.DoTrace() )
+		{
+		ODesc d;
+		result->Describe(&d);
+
+		g_trace_state.LogTrace("Function return: %s\n", d.Description());
+		}
+
+	g_frame_stack.pop_back();
+	Unref(f);
+
+	return result;
+	}
+
+void BroFunc::AddBody(Stmt* new_body, id_list* new_inits, int new_frame_size,
+		int priority)
+	{
+	if ( new_frame_size > frame_size )
+		frame_size = new_frame_size;
+
+	new_body = AddInits(new_body, new_inits);
+
+	if ( ! IsEvent() )
+		{
+		// For functions, we replace the old body with the new one.
+		assert(bodies.size() <= 1);
+		for ( unsigned int i = 0; i < bodies.size(); ++i )
+			Unref(bodies[i].stmts);
+		bodies.clear();
+		}
+
+	Body b;
+	b.stmts = new_body;
+	b.priority = priority;
+
+	bodies.push_back(b);
+	sort(bodies.begin(), bodies.end());
+	}
+
+void BroFunc::Describe(ODesc* d) const
+	{
+	if ( id )
+		id->Describe(d);
+
+	d->NL();
+	d->AddCount(frame_size);
+	for ( unsigned int i = 0; i < bodies.size(); ++i )
+		{
+		bodies[i].stmts->AccessStats(d);
+		bodies[i].stmts->Describe(d);
+		}
+	}
+
+Stmt* BroFunc::AddInits(Stmt* body, id_list* inits)
+	{
+	if ( ! inits || inits->length() == 0 )
+		return body;
+
+	StmtList* stmt_series = new StmtList;
+	stmt_series->Stmts().append(new InitStmt(inits));
+	stmt_series->Stmts().append(body);
+
+	return stmt_series;
+	}
+
+IMPLEMENT_SERIAL(BroFunc, SER_BRO_FUNC);
+
+bool BroFunc::DoSerialize(SerialInfo* info) const
+	{
+	DO_SERIALIZE(SER_BRO_FUNC, Func);
+	return id->Serialize(info) && SERIALIZE(frame_size);
+	}
+
+bool BroFunc::DoUnserialize(UnserialInfo* info)
+	{
+	DO_UNSERIALIZE(Func);
+	id = ID::Unserialize(info);
+	return id && UNSERIALIZE(&frame_size);
+	}
+
+BuiltinFunc::BuiltinFunc(built_in_func arg_func, const char* arg_name,
+			int arg_is_pure)
+: Func(BUILTIN_FUNC)
+	{
+	func = arg_func;
+	name = copy_string(make_full_var_name(GLOBAL_MODULE_NAME, arg_name).c_str());
+	is_pure = arg_is_pure;
+
+	id = lookup_ID(name, GLOBAL_MODULE_NAME, false);
+	if ( ! id )
+		internal_error("built-in function %s missing", name);
+	if ( id->HasVal() )
+		internal_error("built-in function %s multiply defined", name);
+
+	id->SetVal(new Val(this));
+	}
+
+BuiltinFunc::~BuiltinFunc()
+	{
+	}
+
+int BuiltinFunc::IsPure() const
+	{
+	return is_pure;
+	}
+
+Val* BuiltinFunc::Call(val_list* args, Frame* parent) const
+	{
+#ifdef PROFILE_BRO_FUNCTIONS
+	DEBUG_MSG("Function: %s\n", Name());
+#endif
+	SegmentProfiler(segment_logger, name);
+
+	if ( sample_logger )
+		sample_logger->FunctionSeen(this);
+
+	if ( g_trace_state.DoTrace() )
+		{
+		ODesc d;
+		DescribeDebug(&d, args);
+
+		g_trace_state.LogTrace("\tBuiltin Function called: %s\n", d.Description());
+		}
+
+	Val* result = func(parent, args);
+	loop_over_list(*args, i)
+		Unref((*args)[i]);
+
+	// Don't Unref() args, that's the caller's responsibility.
+	if ( result && g_trace_state.DoTrace() )
+		{
+		ODesc d;
+		result->Describe(&d);
+
+		g_trace_state.LogTrace("\tFunction return: %s\n", d.Description());
+		}
+
+	return result;
+	}
+
+void BuiltinFunc::Describe(ODesc* d) const
+	{
+	if ( id )
+	id->Describe(d);
+	d->AddCount(is_pure);
+	}
+
+IMPLEMENT_SERIAL(BuiltinFunc, SER_BUILTIN_FUNC);
+
+bool BuiltinFunc::DoSerialize(SerialInfo* info) const
+	{
+	DO_SERIALIZE(SER_BUILTIN_FUNC, Func);
+
+	// We ignore the ID. Func::Serialize() will rebind us anyway.
+	return SERIALIZE(name);
+	}
+
+bool BuiltinFunc::DoUnserialize(UnserialInfo* info)
+	{
+	DO_UNSERIALIZE(Func);
+	id = 0;
+	return UNSERIALIZE_STR(&name, 0);
+	}
+
+void builtin_run_time(const char* msg, BroObj* arg)
+	{
+	if ( calling_expr )
+		calling_expr->RunTime(msg, arg);
+	else
+		run_time(msg, arg);
+	}
+
+#include "bro.bif.func_def"
+#include "strings.bif.func_def"
+
+void init_builtin_funcs()
+	{
+	ftp_port = internal_type("ftp_port")->AsRecordType();
+	bro_resources = internal_type("bro_resources")->AsRecordType();
+	matcher_stats = internal_type("matcher_stats")->AsRecordType();
+	var_sizes = internal_type("var_sizes")->AsTableType();
+	gap_info = internal_type("gap_info")->AsRecordType();
+
+#include "bro.bif.func_init"
+
+#include "common-rw.bif.func_init"
+#include "finger-rw.bif.func_init"
+#include "ftp-rw.bif.func_init"
+#include "http-rw.bif.func_init"
+#include "ident-rw.bif.func_init"
+#include "smtp-rw.bif.func_init"
+#include "strings.bif.func_init"
+#include "dns-rw.bif.func_init"
+
+	did_builtin_init = true;
+	}
+
+bool check_built_in_call(BuiltinFunc* f, CallExpr* call)
+	{
+	if ( f->TheFunc() != bro_fmt )
+		return true;
+
+	const expr_list& args = call->Args()->Exprs();
+	if ( args.length() == 0 )
+		{
+		// Empty calls are allowed, since you can't just
+		// use "print;" to get a blank line.
+		return true;
+		}
+
+	const Expr* fmt_str_arg = args[0];
+	if ( fmt_str_arg->Type()->Tag() != TYPE_STRING )
+		{
+		call->Error("first argument to fmt() needs to be a format string");
+		return false;
+		}
+
+	Val* fmt_str_val = fmt_str_arg->Eval(0);
+
+	if ( fmt_str_val )
+		{
+		const char* fmt_str = fmt_str_val->AsStringVal()->CheckString();
+
+		int num_fmt = 0;
+		while ( *fmt_str )
+			{
+			if ( *(fmt_str++) != '%' )
+				continue;
+
+			if ( ! *fmt_str )
+				{
+				call->Error("format string ends with bare '%'");
+				return false;
+				}
+
+			if ( *(fmt_str++) != '%' )
+				// Not a "%%" escape.
+				++num_fmt;
+			}
+
+		if ( args.length() != num_fmt + 1 )
+			{
+			call->Error("mismatch between format string to fmt() and number of arguments passed");
+			return false;
+			}
+		}
+
+	return true;
+	}
diff --git a/src/Func.h b/src/Func.h
new file mode 100644
index 0000000000..f82b9ee539
--- /dev/null
+++ b/src/Func.h
@@ -0,0 +1,146 @@
+// $Id: Func.h 6916 2009-09-24 20:48:36Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#ifndef func_h
+#define func_h
+
+#include "BroList.h"
+#include "Obj.h"
+#include "Debug.h"
+
+class Val;
+class ListExpr;
+class FuncType;
+class Stmt;
+class Frame;
+class ID;
+
+class Func : public BroObj {
+public:
+
+	enum Kind { BRO_FUNC, BUILTIN_FUNC };
+
+	Func(Kind arg_kind)
+		{ scope = 0; kind = arg_kind; id = 0; return_value = 0; }
+
+	virtual ~Func();
+
+	virtual int IsPure() const = 0;
+	int IsEvent() const	{ return FType()->IsEvent(); }
+
+	struct Body {
+		Stmt* stmts;
+		int priority;
+		bool operator<(const Body& other) const
+			{ return priority > other.priority; } // reverse sort
+	};
+
+	virtual const vector<Body>& GetBodies() const	{ return bodies; }
+
+	// virtual Val* Call(ListExpr* args) const = 0;
+	virtual Val* Call(val_list* args, Frame* parent = 0) const = 0;
+
+	// Add a new event handler to an existing function (event).
+	virtual void AddBody(Stmt* new_body, id_list* new_inits,
+				int new_frame_size, int priority = 0);
+
+	virtual void SetScope(Scope* newscope)	{ scope = newscope; }
+	virtual Scope* GetScope() const		{ return scope; }
+
+	virtual FuncType* FType() const
+		{
+		return (FuncType*) id->Type()->AsFuncType();
+		}
+
+	Kind GetKind() const	{ return kind; }
+
+	const ID* GetID() const { return id; }
+	void SetID(ID *arg_id);
+
+	virtual void Describe(ODesc* d) const = 0;
+	virtual void DescribeDebug(ODesc* d, const val_list* args) const;
+
+	// This (un-)serializes only a single body (as given in SerialInfo).
+	bool Serialize(SerialInfo* info) const;
+	static Func* Unserialize(UnserialInfo* info);
+
+	ID* GetReturnValueID() const;
+	virtual TraversalCode Traverse(TraversalCallback* cb) const;
+
+protected:
+	Func()	{ scope = 0; id = 0; return_value = 0; }
+
+	DECLARE_ABSTRACT_SERIAL(Func);
+
+	vector<Body> bodies;
+	Scope* scope;
+	Kind kind;
+	ID* id;
+	ID* return_value;
+};
+
+
+class BroFunc : public Func {
+public:
+	BroFunc(ID* id, Stmt* body, id_list* inits, int frame_size);
+	~BroFunc();
+
+	int IsPure() const;
+	Val* Call(val_list* args, Frame* parent) const;
+
+	void AddBody(Stmt* new_body, id_list* new_inits, int new_frame_size,
+			int priority);
+
+	int FrameSize() const {	return frame_size; }
+
+	void Describe(ODesc* d) const;
+
+protected:
+	BroFunc() : Func(BRO_FUNC)	{}
+	Stmt* AddInits(Stmt* body, id_list* inits);
+
+	DECLARE_SERIAL(BroFunc);
+
+	int frame_size;
+};
+
+typedef Val* (*built_in_func)(Frame* frame, val_list* args);
+
+class BuiltinFunc : public Func {
+public:
+	BuiltinFunc(built_in_func func, const char* name, int is_pure);
+	~BuiltinFunc();
+
+	int IsPure() const;
+	Val* Call(val_list* args, Frame* parent) const;
+	const char* Name() const	{ return name; }
+	built_in_func TheFunc() const	{ return func; }
+
+	void Describe(ODesc* d) const;
+
+protected:
+	BuiltinFunc()	{ func = 0; name = 0; is_pure = 0; }
+
+	DECLARE_SERIAL(BuiltinFunc);
+
+	built_in_func func;
+	const char* name;
+	int is_pure;
+};
+
+
+extern void builtin_run_time(const char* msg, BroObj* arg = 0);
+extern void init_builtin_funcs();
+
+extern bool check_built_in_call(BuiltinFunc* f, CallExpr* call);
+
+// This global is set prior to the interpreter making a function call.
+// It's there so that built-in functions can access the location information
+// associated with a call when reporting error messages.
+extern const Expr* calling_expr;
+
+// This is set to true after the built-in functions have been initialized.
+extern bool did_builtin_init;
+
+#endif
diff --git a/src/Gnutella.cc b/src/Gnutella.cc
new file mode 100644
index 0000000000..01a10f2969
--- /dev/null
+++ b/src/Gnutella.cc
@@ -0,0 +1,341 @@
+// $Id: Gnutella.cc 6219 2008-10-01 05:39:07Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "config.h"
+
+#include <ctype.h>
+
+#include "NetVar.h"
+#include "HTTP.h"
+#include "Gnutella.h"
+#include "Event.h"
+#include "PIA.h"
+
+
+GnutellaMsgState::GnutellaMsgState()
+	{
+	buffer = "";
+	current_offset = 0;
+	headers = "";
+	msg_hops = 0;
+	msg_len = 0;
+	msg_pos = 0;
+	msg_type = 0;
+	msg_sent = 1;
+	msg_ttl = 0;
+	payload_left = 0;
+	got_CR = 0;
+	payload_len = 0;
+	}
+
+
+Gnutella_Analyzer::Gnutella_Analyzer(Connection* conn)
+: TCP_ApplicationAnalyzer(AnalyzerTag::Gnutella, conn)
+	{
+	state = 0;
+	new_state = 0;
+	sent_establish = 0;
+
+	ms = 0;
+
+	orig_msg_state = new GnutellaMsgState();
+	resp_msg_state = new GnutellaMsgState();
+	}
+
+void Gnutella_Analyzer::Done()
+	{
+	TCP_ApplicationAnalyzer::Done();
+
+	if ( ! sent_establish && (gnutella_establish || gnutella_not_establish) )
+		{
+		val_list* vl = new val_list;
+
+		vl->append(BuildConnVal());
+
+		if ( Established() && gnutella_establish )
+			ConnectionEvent(gnutella_establish, vl);
+		else if ( ! Established () && gnutella_not_establish )
+			ConnectionEvent(gnutella_not_establish, vl);
+		}
+
+	if ( gnutella_partial_binary_msg )
+		{
+		GnutellaMsgState* p = orig_msg_state;
+
+		for ( int i = 0; i < 2; ++i, p = resp_msg_state )
+			{
+			if ( ! p->msg_sent && p->msg_pos )
+				{
+				val_list* vl = new val_list;
+
+				vl->append(BuildConnVal());
+				vl->append(new StringVal(p->msg));
+				vl->append(new Val((i == 0), TYPE_BOOL));
+				vl->append(new Val(p->msg_pos, TYPE_COUNT));
+
+				ConnectionEvent(gnutella_partial_binary_msg, vl);
+				}
+
+			else if ( ! p->msg_sent && p->payload_left )
+				SendEvents(p, (i == 0));
+			}
+		}
+	}
+
+
+int Gnutella_Analyzer::NextLine(const u_char* data, int len)
+	{
+	if ( ! ms )
+		return 0;
+
+	if ( Established() || ms->current_offset >= len )
+		return 0;
+
+	for ( ; ms->current_offset < len; ++ms->current_offset )
+		{
+		if ( data[ms->current_offset] == '\r' )
+			ms->got_CR = 1;
+
+		else if ( data[ms->current_offset] == '\n' && ms->got_CR )
+			{
+			ms->got_CR = 0;
+			++ms->current_offset;
+			return 1;
+			}
+		else
+			ms->buffer += data[ms->current_offset];
+		}
+
+	return 0;
+	}
+
+
+int Gnutella_Analyzer::IsHTTP(string header)
+	{
+	if ( header.find(" HTTP/1.") == string::npos )
+		return 0;
+
+	if ( gnutella_http_notify )
+		{
+		val_list* vl = new val_list;
+
+		vl->append(BuildConnVal());
+		ConnectionEvent(gnutella_http_notify, vl);
+		}
+
+	if ( HTTP_Analyzer::Available() )
+		{
+		Analyzer* a = new HTTP_Analyzer(Conn());
+		Parent()->AddChildAnalyzer(a);
+
+		if ( Parent()->GetTag() == AnalyzerTag::TCP )
+			{
+			// Replay buffered data.
+			PIA* pia = static_cast<TransportLayerAnalyzer *>(Parent())->GetPIA();
+			if ( pia )
+				static_cast<PIA_TCP *>(pia)->ReplayStreamBuffer(a);
+			}
+
+		Parent()->RemoveChildAnalyzer(this);
+		}
+
+	return 1;
+	}
+
+
+int Gnutella_Analyzer::GnutellaOK(string header)
+	{
+	if ( strncmp("GNUTELLA", header.data(), 8) )
+		return 0;
+
+	int codepos = header.find(' ') + 1;
+	if ( ! strncmp("200", header.data() + codepos, 3) )
+		return 1;
+
+	return 0;
+	}
+
+
+void Gnutella_Analyzer::DeliverLines(int len, const u_char* data, bool orig)
+	{
+	if ( ! ms )
+		return;
+
+	while ( NextLine(data, len) )
+		{
+		if ( ms->buffer.length() )
+			{
+			if ( ms->headers.length() == 0 )
+				{
+				if ( IsHTTP(ms->buffer) )
+					return;
+				if ( GnutellaOK(ms->buffer) )
+					new_state |=
+						orig ? ORIG_OK : RESP_OK;
+				}
+
+			ms->headers = ms->headers + "\r\n" + ms->buffer;
+			ms->buffer = "";
+			}
+		else
+			{
+			if ( gnutella_text_msg )
+				{
+				val_list* vl = new val_list;
+
+				vl->append(BuildConnVal());
+				vl->append(new Val(orig, TYPE_BOOL));
+				vl->append(new StringVal(ms->headers.data()));
+
+				ConnectionEvent(gnutella_text_msg, vl);
+				}
+
+			ms->headers = "";
+			state |= new_state;
+
+			if ( Established () && gnutella_establish )
+				{
+				val_list* vl = new val_list;
+
+				sent_establish = 1;
+				vl->append(BuildConnVal());
+
+				ConnectionEvent(gnutella_establish, vl);
+				}
+			}
+		}
+	}
+
+void Gnutella_Analyzer::DissectMessage(char* msg)
+	{
+	if ( ! ms )
+		return;
+
+	ms->msg_type = msg[16];
+	ms->msg_ttl = msg[17];
+	ms->msg_hops = msg[18];
+
+	memcpy(&ms->msg_len, &msg[19], 4);
+	}
+
+
+void Gnutella_Analyzer::SendEvents(GnutellaMsgState* p, bool is_orig)
+	{
+	if ( p->msg_sent )
+		return;
+
+	if ( gnutella_binary_msg )
+		{
+		val_list* vl = new val_list;
+
+		vl->append(BuildConnVal());
+		vl->append(new Val(is_orig, TYPE_BOOL));
+		vl->append(new Val(p->msg_type, TYPE_COUNT));
+		vl->append(new Val(p->msg_ttl, TYPE_COUNT));
+		vl->append(new Val(p->msg_hops, TYPE_COUNT));
+		vl->append(new Val(p->msg_len, TYPE_COUNT));
+		vl->append(new StringVal(p->payload));
+		vl->append(new Val(p->payload_len, TYPE_COUNT));
+		vl->append(new Val((p->payload_len <
+				    min(p->msg_len, GNUTELLA_MAX_PAYLOAD)),
+				   TYPE_BOOL));
+		vl->append(new Val((p->payload_left == 0), TYPE_BOOL));
+
+		ConnectionEvent(gnutella_binary_msg, vl);
+		}
+	}
+
+
+void Gnutella_Analyzer::DeliverMessages(int len, const u_char* data, bool orig)
+	{
+	if ( ! ms )
+		return;
+
+	while ( ms->current_offset < len )
+		{
+		ms->msg_sent = 0;
+
+		unsigned int bytes_left = len - ms->current_offset;
+		unsigned int needed = 0;
+
+		if ( ms->msg_pos )
+			needed = GNUTELLA_MSG_SIZE - ms->msg_pos;
+
+		if ( (! ms->msg_pos && ! ms->payload_left &&
+		      (bytes_left >= GNUTELLA_MSG_SIZE)) ||
+		     (ms->msg_pos && (bytes_left >= needed)) )
+			{
+			int sz = ms->msg_pos ? needed : GNUTELLA_MSG_SIZE;
+
+			memcpy(&ms->msg[ms->msg_pos],
+				&data[ms->current_offset], sz);
+
+			ms->current_offset += sz;
+			DissectMessage(ms->msg);
+			ms->payload_left = ms->msg_len;
+			ms->msg_pos = 0;
+			if ( ms->msg_len == 0 )
+				SendEvents(ms, orig);
+			}
+
+		else if ( (! ms->msg_pos && ! ms->payload_left &&
+			   (bytes_left < GNUTELLA_MSG_SIZE)) ||
+			  (ms->msg_pos && (bytes_left < needed)) )
+			{
+			memcpy(&ms->msg[ms->msg_pos], &data[ms->current_offset],
+				bytes_left);
+			ms->current_offset += bytes_left;
+			ms->msg_pos += bytes_left;
+			}
+
+		else if ( ms->payload_left )
+			{
+			unsigned int space =
+				ms->payload_len >= GNUTELLA_MAX_PAYLOAD ?
+					0 : GNUTELLA_MAX_PAYLOAD - ms->payload_len;
+			unsigned int sz =
+				(bytes_left < space) ? bytes_left : space;
+
+			if ( space )
+				{
+				memcpy(&ms->payload[ms->payload_len],
+					&data[ms->current_offset], sz);
+				ms->payload_len += sz;
+				}
+
+			if ( ms->payload_left > bytes_left )
+				{
+				ms->current_offset += bytes_left;
+				ms->payload_left -= bytes_left;
+				}
+			else
+				{
+				ms->current_offset += ms->payload_left;
+				ms->payload_left = 0;
+				SendEvents(ms, orig);
+				}
+			}
+		}
+	}
+
+
+void Gnutella_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
+	{
+	TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
+
+	ms = orig ? orig_msg_state : resp_msg_state;
+	ms->current_offset = 0;
+	if ( ! Established() )
+		{
+		DeliverLines(len, data, orig);
+
+		if ( Established() && ms->current_offset < len &&
+			  gnutella_binary_msg )
+			DeliverMessages(len, data, orig);
+		}
+
+	else if ( gnutella_binary_msg )
+		DeliverMessages(len, data, orig);
+	}
+
diff --git a/src/Gnutella.h b/src/Gnutella.h
new file mode 100644
index 0000000000..74aed4523f
--- /dev/null
+++ b/src/Gnutella.h
@@ -0,0 +1,78 @@
+// $Id: Gnutella.h 6219 2008-10-01 05:39:07Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#ifndef gnutella_h
+#define gnutella_h
+
+#include "TCP.h"
+
+#define ORIG_OK               0x1
+#define RESP_OK               0x2
+
+#define GNUTELLA_MSG_SIZE     23
+#define GNUTELLA_MAX_PAYLOAD  1024
+
+class GnutellaMsgState {
+public:
+	GnutellaMsgState ();
+
+	string buffer;
+	int current_offset;
+	int got_CR;
+	string headers;
+	char msg[GNUTELLA_MSG_SIZE];
+	u_char msg_hops;
+	unsigned int msg_len;
+	int msg_pos;
+	int msg_sent;
+	u_char msg_type;
+	u_char msg_ttl;
+	char payload[GNUTELLA_MAX_PAYLOAD];
+	int payload_len;
+	unsigned int payload_left;
+};
+
+
+class Gnutella_Analyzer : public TCP_ApplicationAnalyzer {
+public:
+	Gnutella_Analyzer(Connection* conn);
+
+	virtual void Done ();
+	virtual void DeliverStream(int len, const u_char* data, bool orig);
+
+	static Analyzer* InstantiateAnalyzer(Connection* conn)
+		{ return new Gnutella_Analyzer(conn); }
+
+	static bool Available()
+		{
+		return gnutella_text_msg || gnutella_binary_msg ||
+			gnutella_partial_binary_msg || gnutella_establish ||
+			gnutella_not_establish || gnutella_http_notify;
+		}
+
+private:
+	int NextLine(const u_char* data, int len);
+
+	int GnutellaOK(string header);
+	int IsHTTP(string header);
+
+	int Established() const	{ return state == (ORIG_OK | RESP_OK); }
+
+	void DeliverLines(int len, const u_char* data, bool orig);
+
+	void SendEvents(GnutellaMsgState* p, bool is_orig);
+
+	void DissectMessage(char* msg);
+	void DeliverMessages(int len, const u_char* data, bool orig);
+
+	int state;
+	int new_state;
+	int sent_establish;
+
+	GnutellaMsgState* orig_msg_state;
+	GnutellaMsgState* resp_msg_state;
+	GnutellaMsgState* ms;
+};
+
+#endif
diff --git a/src/H3.h b/src/H3.h
new file mode 100644
index 0000000000..aeb0c0f38d
--- /dev/null
+++ b/src/H3.h
@@ -0,0 +1,115 @@
+// $Id: H3.h 3230 2006-06-08 02:19:25Z vern $
+
+// Copyright 2004, 2005
+// The Regents of the University of California
+// All Rights Reserved
+// 
+// Permission to use, copy, modify and distribute any part of this
+// h3.h file, without fee, and without a written agreement is hereby
+// granted, provided that the above copyright notice, this paragraph
+// and the following paragraphs appear in all copies.
+// 
+// IN NO EVENT SHALL THE UNIVERSITY OF CALIFORNIA BE LIABLE TO ANY
+// PARTY FOR DIRECT, INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL
+// DAMAGES, INCLUDING LOST PROFITS, ARISING OUT OF THE USE OF THIS
+// SOFTWARE, EVEN IF THE UNIVERSITY OF CALIFORNIA HAS BEEN ADVISED OF
+// THE POSSIBILITY OF SUCH DAMAGE.
+// 
+// THE SOFTWARE PROVIDED HEREIN IS ON AN "AS IS" BASIS, AND THE
+// UNIVERSITY OF CALIFORNIA HAS NO OBLIGATION TO PROVIDE MAINTENANCE,
+// SUPPORT, UPDATES, ENHANCEMENTS, OR MODIFICATIONS. THE UNIVERSITY
+// OF CALIFORNIA MAKES NO REPRESENTATIONS AND EXTENDS NO WARRANTIES
+// OF ANY KIND, EITHER IMPLIED OR EXPRESS, INCLUDING, BUT NOT LIMITED
+// TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A
+// PARTICULAR PURPOSE, OR THAT THE USE OF THE SOFTWARE WILL NOT INFRINGE
+// ANY PATENT, TRADEMARK OR OTHER RIGHTS.
+// 
+// The h3.h file is developed by the CoralReef development team at the
+// University of California, San Diego under the Cooperative Association
+// for Internet Data Analysis (CAIDA) Program.  Support for this effort was
+// provided by the CAIDA grant NCR-9711092, DARPA NGI Contract
+// N66001-98-2-8922, DARPA NMS Grant N66001-01-1-8909, NSF Grant ANI-013710
+// and by CAIDA members.
+// 
+// Report bugs and suggestions to coral-bugs@caida.org.
+
+// H3 hash function family
+// C++ template implementation by Ken Keys (kkeys@caida.org)
+//
+// Usage:
+//    #include <h3.h>
+//    const H3<T, N> h;
+//    T hashval = h(data, size [, offset]);
+// (T) is the type to be returned by the hash function; must be an integral
+//     type, e.g. uint32_t.
+// (N) is the size of the data in bytes (if data is a struct, beware of
+//     padding).
+// The hash function hashes the (size) bytes of the data pointed to by (data),
+//     starting at (offset).  Note: offset affects the hash value, so
+//     h(data, size, offset) is not the same as h(data+offset, size, 0).
+//     Typically (size) is N and (offset) is 0, but other values can be used to
+//     hash a substring of the data.  Hashes of substrings can be bitwise-XOR'ed
+//     together to get the same result as hashing the full string.
+// Any number of hash functions can be created by creating new instances of H3,
+//     with the same or different template parameters.  The hash function is
+//     randomly generated using random(); you must call srandom() before the
+//     H3 constructor if you wish to seed it.
+
+
+#ifndef H3_H
+#define H3_H
+
+template<class T, int N> class H3 {
+    T byte_lookup[N][256];
+public:
+    H3();
+    ~H3() { free(byte_lookup); }
+    T operator()(const void* data, size_t size, size_t offset = 0) const
+    {
+	const unsigned char *p = static_cast<const unsigned char*>(data);
+	T result = 0;
+
+	// loop optmized with Duff's Device
+	register unsigned n = (size + 7) / 8;
+	switch (size % 8) {
+	case 0:	do { result ^= byte_lookup[offset++][*p++];
+	case 7:	     result ^= byte_lookup[offset++][*p++];
+	case 6:	     result ^= byte_lookup[offset++][*p++];
+	case 5:	     result ^= byte_lookup[offset++][*p++];
+	case 4:	     result ^= byte_lookup[offset++][*p++];
+	case 3:	     result ^= byte_lookup[offset++][*p++];
+	case 2:	     result ^= byte_lookup[offset++][*p++];
+	case 1:	     result ^= byte_lookup[offset++][*p++];
+		} while (--n > 0);
+	}
+
+	return result;
+    }
+};
+
+template<class T, int N>
+H3<T,N>::H3()
+{
+    T bit_lookup[N * 8];
+
+    for (size_t bit = 0; bit < N * 8; bit++) {
+	bit_lookup[bit] = 0;
+	for (size_t i = 0; i < sizeof(T)/2; i++) {
+	    // assume random() returns at least 16 random bits
+	    bit_lookup[bit] = (bit_lookup[bit] << 16) | (random() & 0xFFFF);
+	}
+    }
+
+    for (size_t byte = 0; byte < N; byte++) {
+        for (unsigned val = 0; val < 256; val++) {
+            byte_lookup[byte][val] = 0;
+            for (size_t bit = 0; bit < 8; bit++) {
+		// Does this mean byte_lookup[*][0] == 0? -RP
+	        if (val & (1 << bit))
+		    byte_lookup[byte][val] ^= bit_lookup[byte*8+bit];
+            }
+        }
+    }
+}
+
+#endif //H3_H
diff --git a/src/HTTP-binpac.cc b/src/HTTP-binpac.cc
new file mode 100644
index 0000000000..003d74d8e2
--- /dev/null
+++ b/src/HTTP-binpac.cc
@@ -0,0 +1,48 @@
+// $Id:$
+
+#include "HTTP-binpac.h"
+#include "TCP_Reassembler.h"
+
+HTTP_Analyzer_binpac::HTTP_Analyzer_binpac(Connection *c)
+: TCP_ApplicationAnalyzer(AnalyzerTag::HTTP_BINPAC, c)
+	{
+	interp = new binpac::HTTP::HTTP_Conn(this);
+	}
+
+HTTP_Analyzer_binpac::~HTTP_Analyzer_binpac()
+	{
+	delete interp;
+	}
+
+void HTTP_Analyzer_binpac::Done()
+	{
+	TCP_ApplicationAnalyzer::Done();
+
+	interp->FlowEOF(true);
+	interp->FlowEOF(false);
+	}
+
+void HTTP_Analyzer_binpac::EndpointEOF(TCP_Reassembler* endp)
+	{
+	TCP_ApplicationAnalyzer::EndpointEOF(endp);
+	interp->FlowEOF(endp->IsOrig());
+	}
+
+void HTTP_Analyzer_binpac::DeliverStream(int len, const u_char* data, bool orig)
+	{
+	TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
+
+	assert(TCP());
+
+	if ( TCP()->IsPartial() )
+		// punt on partial.
+		return;
+
+	interp->NewData(orig, data, data + len);
+	}
+
+void HTTP_Analyzer_binpac::Undelivered(int seq, int len, bool orig)
+	{
+	TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
+	interp->NewGap(orig, len);
+	}
diff --git a/src/HTTP-binpac.h b/src/HTTP-binpac.h
new file mode 100644
index 0000000000..9352515dc8
--- /dev/null
+++ b/src/HTTP-binpac.h
@@ -0,0 +1,30 @@
+// $Id:$
+
+#ifndef http_binpac_h
+#define http_binpac_h
+
+#include "TCP.h"
+
+#include "http_pac.h"
+
+class HTTP_Analyzer_binpac : public TCP_ApplicationAnalyzer {
+public:
+	HTTP_Analyzer_binpac(Connection* conn);
+	virtual ~HTTP_Analyzer_binpac();
+
+	virtual void Done();
+	virtual void DeliverStream(int len, const u_char* data, bool orig);
+	virtual void Undelivered(int seq, int len, bool orig);
+	virtual void EndpointEOF(TCP_Reassembler* endp);
+
+	static Analyzer* InstantiateAnalyzer(Connection* conn)
+		{ return new HTTP_Analyzer_binpac(conn); }
+
+	static bool Available()
+		{ return (http_request || http_reply) && FLAGS_use_binpac; }
+
+protected:
+	binpac::HTTP::HTTP_Conn* interp;
+};
+
+#endif
diff --git a/src/HTTP.cc b/src/HTTP.cc
new file mode 100644
index 0000000000..0cccf75103
--- /dev/null
+++ b/src/HTTP.cc
@@ -0,0 +1,1722 @@
+// $Id: HTTP.cc 7073 2010-09-13 00:45:02Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "config.h"
+
+#include <ctype.h>
+#include <math.h>
+#include <stdlib.h>
+
+#include "NetVar.h"
+#include "HTTP.h"
+#include "Event.h"
+#include "MIME.h"
+#include "TCP_Rewriter.h"
+
+const bool DEBUG_http = false;
+
+enum {
+	EXPECT_REQUEST_LINE,
+	EXPECT_REQUEST_MESSAGE,
+	EXPECT_REQUEST_TRAILER,
+};
+
+enum {
+	EXPECT_REPLY_LINE,
+	EXPECT_REPLY_MESSAGE,
+	EXPECT_REPLY_TRAILER,
+};
+
+HTTP_Entity::HTTP_Entity(HTTP_Message *arg_message, MIME_Entity* parent_entity, int arg_expect_body)
+:MIME_Entity(arg_message, parent_entity)
+	{
+	http_message = arg_message;
+	expect_body = arg_expect_body;
+	chunked_transfer_state = NON_CHUNKED_TRANSFER;
+	content_length = -1;	// unspecified
+	expect_data_length = 0;
+	body_length = 0;
+	header_length = 0;
+	deliver_body = (http_entity_data != 0);
+	encoding = IDENTITY;
+#ifdef HAVE_LIBZ
+	zip = 0;
+#endif
+	}
+
+void HTTP_Entity::EndOfData()
+	{
+	if ( DEBUG_http )
+		DEBUG_MSG("%.6f: end of data\n", network_time);
+
+#ifdef HAVE_LIBZ
+	if ( zip )
+		{
+		zip->Done();
+		delete zip;
+		zip = 0;
+		encoding = IDENTITY;
+		}
+#endif
+
+	if ( body_length )
+		http_message->MyHTTP_Analyzer()->
+			ForwardEndOfData(http_message->IsOrig());
+
+	MIME_Entity::EndOfData();
+	}
+
+void HTTP_Entity::Deliver(int len, const char* data, int trailing_CRLF)
+	{
+	if ( DEBUG_http )
+		{
+		DEBUG_MSG("%.6f HTTP_Entity::Deliver len=%d, in_header=%d\n",
+		          network_time, len, in_header);
+		}
+
+	if ( end_of_data )
+		{
+		// Multipart entities may have trailers
+		if ( content_type != CONTENT_TYPE_MULTIPART )
+			IllegalFormat("data trailing the end of entity");
+		return;
+		}
+
+	if ( in_header )
+		{
+		ASSERT(trailing_CRLF);
+		header_length += len;
+		MIME_Entity::Deliver(len, data, trailing_CRLF);
+		return;
+		}
+
+	// Entity body.
+	if ( content_type == CONTENT_TYPE_MULTIPART ||
+	     content_type == CONTENT_TYPE_MESSAGE )
+		DeliverBody(len, data, trailing_CRLF);
+
+	else if ( chunked_transfer_state != NON_CHUNKED_TRANSFER )
+		{
+		switch ( chunked_transfer_state ) {
+		case EXPECT_CHUNK_SIZE:
+			ASSERT(trailing_CRLF);
+			if ( ! atoi_n(len, data, 0, 16, expect_data_length) )
+				{
+				http_message->Weird("HTTP_bad_chunk_size");
+				expect_data_length = 0;
+				}
+
+			if ( expect_data_length > 0 )
+				{
+				chunked_transfer_state = EXPECT_CHUNK_DATA;
+				SetPlainDelivery(expect_data_length);
+				}
+			else
+				{
+				// This is the last chunk
+				in_header = 1;
+				chunked_transfer_state = EXPECT_CHUNK_TRAILER;
+				}
+			break;
+
+		case EXPECT_CHUNK_DATA:
+			ASSERT(! trailing_CRLF);
+			ASSERT(len <= expect_data_length);
+			expect_data_length -= len;
+			if ( expect_data_length <= 0 )
+				{
+				SetPlainDelivery(0);
+				chunked_transfer_state = EXPECT_CHUNK_DATA_CRLF;
+				}
+			DeliverBody(len, data, 0);
+			break;
+
+		case EXPECT_CHUNK_DATA_CRLF:
+			ASSERT(trailing_CRLF);
+			if ( len > 0 )
+				IllegalFormat("inaccurate chunk size: data before <CR><LF>");
+			chunked_transfer_state = EXPECT_CHUNK_SIZE;
+			break;
+		}
+		}
+
+	else if ( content_length >= 0 )
+		{
+		ASSERT(! trailing_CRLF);
+		ASSERT(len <= expect_data_length);
+
+		DeliverBody(len, data, 0);
+
+		expect_data_length -= len;
+		if ( expect_data_length <= 0 )
+			{
+			SetPlainDelivery(0);
+			EndOfData();
+			}
+		}
+
+	else
+		DeliverBody(len, data, trailing_CRLF);
+	}
+
+class HTTP_Entity::UncompressedOutput : public Analyzer::OutputHandler {
+public:
+	UncompressedOutput(HTTP_Entity* e)	{ entity = e; }
+	virtual	~UncompressedOutput() { }
+	virtual void DeliverStream(int len, const u_char* data, bool orig)
+		{
+		entity->DeliverBodyClear(len, (char*) data, false);
+		}
+private:
+	HTTP_Entity* entity;
+};
+
+void HTTP_Entity::DeliverBody(int len, const char* data, int trailing_CRLF)
+	{
+#ifdef HAVE_LIBZ
+	if ( encoding == GZIP || encoding == DEFLATE )
+		{
+		ZIP_Analyzer::Method method =
+			encoding == GZIP ?
+				ZIP_Analyzer::GZIP : ZIP_Analyzer::DEFLATE;
+
+		if ( ! zip )
+			{
+			// We don't care about the direction here.
+			zip = new ZIP_Analyzer(
+				http_message->MyHTTP_Analyzer()->Conn(),
+						false, method);
+			zip->SetOutputHandler(new UncompressedOutput(this));
+			}
+
+		zip->NextStream(len, (const u_char*) data, false);
+		}
+	else
+#endif
+		DeliverBodyClear(len, data, trailing_CRLF);
+	}
+
+void HTTP_Entity::DeliverBodyClear(int len, const char* data, int trailing_CRLF)
+	{
+	bool new_data = (body_length == 0);
+
+	body_length += len;
+	if ( trailing_CRLF )
+		body_length += 2;
+
+	if ( deliver_body )
+		MIME_Entity::Deliver(len, data, trailing_CRLF);
+
+	Rule::PatternType rule =
+		http_message->IsOrig() ?
+			Rule::HTTP_REQUEST_BODY : Rule::HTTP_REPLY_BODY;
+
+	http_message->MyHTTP_Analyzer()->Conn()->
+		Match(rule, (const u_char*) data, len,
+			http_message->IsOrig(), new_data, false, new_data);
+
+	// FIXME: buffer data for forwarding (matcher might match later).
+	http_message->MyHTTP_Analyzer()->ForwardStream(len, (const u_char *) data,
+		http_message->IsOrig());
+	}
+
+// Returns 1 if the undelivered bytes are completely within the body,
+// otherwise returns 0.
+int HTTP_Entity::Undelivered(int len)
+	{
+	if ( DEBUG_http )
+		{
+		DEBUG_MSG("Content gap %d, expect_data_length %d\n",
+			  len, expect_data_length);
+		}
+
+	if ( end_of_data && in_header )
+		return 0;
+
+	if ( chunked_transfer_state != NON_CHUNKED_TRANSFER )
+		{
+		if ( chunked_transfer_state == EXPECT_CHUNK_DATA &&
+		     expect_data_length >= len )
+			{
+			body_length += len;
+			expect_data_length -= len;
+
+			SetPlainDelivery(expect_data_length);
+			if ( expect_data_length == 0 )
+				chunked_transfer_state = EXPECT_CHUNK_DATA_CRLF;
+
+			return 1;
+			}
+		else
+			return 0;
+		}
+
+	else if ( content_length >= 0 )
+		{
+		if ( expect_data_length >= len )
+			{
+			body_length += len;
+			expect_data_length -= len;
+
+			SetPlainDelivery(expect_data_length);
+
+			if ( expect_data_length <= 0 )
+				EndOfData();
+
+			return 1;
+			}
+
+		else
+			return 0;
+		}
+
+	return 0;
+	}
+
+void HTTP_Entity::SubmitData(int len, const char* buf)
+	{
+	if ( deliver_body )
+		MIME_Entity::SubmitData(len, buf);
+	}
+
+void HTTP_Entity::SetPlainDelivery(int length)
+	{
+	ASSERT(length >= 0);
+	ASSERT(length == 0 || ! in_header);
+
+	http_message->SetPlainDelivery(length);
+
+	// If we skip HTTP data, the skipped part will appear as
+	// 'undelivered' data, so we do not need to adjust
+	// expect_data_length.
+	}
+
+void HTTP_Entity::SubmitHeader(MIME_Header* h)
+	{
+	if ( strcasecmp_n(h->get_name(), "content-length") == 0 )
+		{
+		data_chunk_t vt = h->get_value_token();
+		if ( ! is_null_data_chunk(vt) )
+			{
+			int n;
+			if ( atoi_n(vt.length, vt.data, 0, 10, n) )
+				content_length = n;
+			else
+				content_length = 0;
+			}
+		}
+
+	else if ( strcasecmp_n(h->get_name(), "transfer-encoding") == 0 )
+		{
+		data_chunk_t vt = h->get_value_token();
+		if ( strcasecmp_n(vt, "chunked") == 0 )
+			chunked_transfer_state = BEFORE_CHUNK;
+		}
+
+	else if ( strcasecmp_n(h->get_name(), "content-encoding") == 0 )
+		{
+		data_chunk_t vt = h->get_value_token();
+		if ( strcasecmp_n(vt, "gzip") == 0 )
+			encoding = GZIP;
+		if ( strcasecmp_n(vt, "deflate") == 0 )
+			encoding = DEFLATE;
+		}
+
+	MIME_Entity::SubmitHeader(h);
+	}
+
+void HTTP_Entity::SubmitAllHeaders()
+	{
+	// in_header should be set to false when SubmitAllHeaders() is called.
+	ASSERT(! in_header);
+
+	if ( DEBUG_http )
+		DEBUG_MSG("%.6f end of headers\n", network_time);
+
+	// The presence of a message-body in a request is signaled by
+	// the inclusion of a Content-Length or Transfer-Encoding
+	// header field in the request's message-headers.
+	if ( chunked_transfer_state == EXPECT_CHUNK_TRAILER )
+		{
+		http_message->SubmitTrailingHeaders(headers);
+		chunked_transfer_state = EXPECT_NOTHING;
+		EndOfData();
+		return;
+		}
+
+	MIME_Entity::SubmitAllHeaders();
+
+	if ( expect_body == HTTP_BODY_NOT_EXPECTED )
+		{
+		EndOfData();
+		return;
+		}
+
+	if ( content_type == CONTENT_TYPE_MULTIPART ||
+	     content_type == CONTENT_TYPE_MESSAGE )
+		{
+		// Do nothing.
+		// Make sure that we check for multiple/message contents first,
+		// because we do not have to turn on .
+		if ( chunked_transfer_state != NON_CHUNKED_TRANSFER )
+			{
+			http_message->Weird(
+				"HTTP_chunked_transfer_for_multipart_message");
+			}
+		}
+
+	else if ( chunked_transfer_state != NON_CHUNKED_TRANSFER )
+		chunked_transfer_state = EXPECT_CHUNK_SIZE;
+
+	else if ( content_length >= 0 )
+		{
+		if ( content_length > 0 )
+			{
+			expect_data_length = content_length;
+			SetPlainDelivery(content_length);
+			}
+		else
+			EndOfData(); // handle the case that content-length = 0
+		}
+
+	// Turn plain delivery on permanently for compressed bodies without
+	// content-length headers or if connection is to be closed afterwards
+	// anyway.
+	else if ( http_message->MyHTTP_Analyzer()->IsConnectionClose ()
+#ifdef HAVE_LIBZ
+		  || encoding == GZIP || encoding == DEFLATE
+#endif
+		 )
+		{
+		// FIXME: Using INT_MAX is kind of a hack here.  Better
+		// would be to make -1 as special value interpreted as
+		// "until the end of the connection".
+		expect_data_length = INT_MAX;
+		SetPlainDelivery(INT_MAX);
+		}
+
+	else
+		{
+		if ( expect_body != HTTP_BODY_EXPECTED )
+			// there is no body
+			EndOfData();
+		}
+	}
+
+HTTP_Message::HTTP_Message(HTTP_Analyzer* arg_analyzer,
+				ContentLine_Analyzer* arg_cl, bool arg_is_orig,
+				int expect_body, int init_header_length)
+: MIME_Message (arg_analyzer)
+	{
+	analyzer = arg_analyzer;
+	content_line = arg_cl;
+	is_orig = arg_is_orig;
+
+	current_entity = 0;
+	top_level = new HTTP_Entity(this, 0, expect_body);
+	BeginEntity(top_level);
+
+	data_buffer = 0;
+	total_buffer_size = 0;
+
+	start_time = network_time;
+	body_length = 0;
+	content_gap_length = 0;
+	header_length = init_header_length;
+	}
+
+HTTP_Message::~HTTP_Message()
+	{
+	delete top_level;
+	}
+
+Val* HTTP_Message::BuildMessageStat(const int interrupted, const char* msg)
+	{
+	RecordVal* stat = new RecordVal(http_message_stat);
+	int field = 0;
+	stat->Assign(field++, new Val(start_time, TYPE_TIME));
+	stat->Assign(field++, new Val(interrupted, TYPE_BOOL));
+	stat->Assign(field++, new StringVal(msg));
+	stat->Assign(field++, new Val(body_length, TYPE_COUNT));
+	stat->Assign(field++, new Val(content_gap_length, TYPE_COUNT));
+	stat->Assign(field++, new Val(header_length, TYPE_COUNT));
+	return stat;
+	}
+
+void HTTP_Message::Done(const int interrupted, const char* detail)
+	{
+	if ( finished )
+		return;
+
+	MIME_Message::Done();
+
+	// DEBUG_MSG("%.6f HTTP message done.\n", network_time);
+	top_level->EndOfData();
+
+	if ( http_message_done )
+		{
+		val_list* vl = new val_list;
+		vl->append(analyzer->BuildConnVal());
+		vl->append(new Val(is_orig, TYPE_BOOL));
+		vl->append(BuildMessageStat(interrupted, detail));
+		GetAnalyzer()->ConnectionEvent(http_message_done, vl);
+		}
+
+	MyHTTP_Analyzer()->HTTP_MessageDone(is_orig, this);
+
+	delete_strings(buffers);
+
+	if ( data_buffer )
+		{
+		delete data_buffer;
+		data_buffer = 0;
+		}
+	}
+
+int HTTP_Message::Undelivered(int len)
+	{
+	if ( ! top_level )
+		return 0;
+
+	if ( ((HTTP_Entity*) top_level)->Undelivered(len) )
+		{
+		content_gap_length += len;
+		return 1;
+		}
+
+	return 0;
+	}
+
+void HTTP_Message::BeginEntity(MIME_Entity* entity)
+	{
+	if ( DEBUG_http )
+		DEBUG_MSG("%.6f: begin entity (%d)\n", network_time, is_orig);
+
+	current_entity = (HTTP_Entity*) entity;
+
+	if ( http_begin_entity )
+		{
+		val_list* vl = new val_list();
+		vl->append(analyzer->BuildConnVal());
+		vl->append(new Val(is_orig, TYPE_BOOL));
+		analyzer->ConnectionEvent(http_begin_entity, vl);
+		}
+	}
+
+void HTTP_Message::EndEntity(MIME_Entity* entity)
+	{
+	if ( DEBUG_http )
+		DEBUG_MSG("%.6f: end entity (%d)\n", network_time, is_orig);
+
+	body_length += ((HTTP_Entity*) entity)->BodyLength();
+	header_length += ((HTTP_Entity*) entity)->HeaderLength();
+
+	DeliverEntityData();
+
+	if ( http_end_entity )
+		{
+		val_list* vl = new val_list();
+		vl->append(analyzer->BuildConnVal());
+		vl->append(new Val(is_orig, TYPE_BOOL));
+		analyzer->ConnectionEvent(http_end_entity, vl);
+		}
+
+	current_entity = (HTTP_Entity*) entity->Parent();
+
+	// It is necessary to call Done when EndEntity is triggered by
+	// SubmitAllHeaders (through EndOfData).
+	if ( entity == top_level )
+		Done();
+	}
+
+void HTTP_Message::SubmitHeader(MIME_Header* h)
+	{
+	MyHTTP_Analyzer()->HTTP_Header(is_orig, h);
+	}
+
+void HTTP_Message::SubmitAllHeaders(MIME_HeaderList& hlist)
+	{
+	if ( http_all_headers )
+		{
+		val_list* vl = new val_list();
+		vl->append(analyzer->BuildConnVal());
+		vl->append(new Val(is_orig, TYPE_BOOL));
+		vl->append(BuildHeaderTable(hlist));
+		analyzer->ConnectionEvent(http_all_headers, vl);
+		}
+
+	if ( http_content_type )
+		{
+		StringVal* ty = current_entity->ContentType();
+		StringVal* subty = current_entity->ContentSubType();
+		ty->Ref();
+		subty->Ref();
+
+		val_list* vl = new val_list();
+		vl->append(analyzer->BuildConnVal());
+		vl->append(new Val(is_orig, TYPE_BOOL));
+		vl->append(ty);
+		vl->append(subty);
+		analyzer->ConnectionEvent(http_content_type, vl);
+		}
+	}
+
+void HTTP_Message::SubmitTrailingHeaders(MIME_HeaderList& /* hlist */)
+	{
+	// Do nothing for now.
+	}
+
+void HTTP_Message::SubmitData(int len, const char* buf)
+	{
+	if ( buf != (const char*) data_buffer->Bytes() + buffer_offset ||
+	     buffer_offset + len > buffer_size )
+		internal_error("buffer misalignment");
+
+	buffer_offset += len;
+	if ( buffer_offset >= buffer_size )
+		{
+		buffers.push_back(data_buffer);
+		data_buffer = 0;
+		}
+	}
+
+int HTTP_Message::RequestBuffer(int* plen, char** pbuf)
+	{
+	if ( ! http_entity_data )
+		return 0;
+
+	if ( ! data_buffer )
+		if ( ! InitBuffer(mime_segment_length) )
+			return 0;
+
+	*plen = data_buffer->Len() - buffer_offset;
+	*pbuf = (char*) data_buffer->Bytes() + buffer_offset;
+
+	return 1;
+	}
+
+void HTTP_Message::SubmitAllData()
+	{
+	// This marks the end of message
+	}
+
+void HTTP_Message::SubmitEvent(int event_type, const char* detail)
+	{
+	const char* category = "";
+
+	switch ( event_type ) {
+	case MIME_EVENT_ILLEGAL_FORMAT:
+		category = "illegal format";
+		break;
+
+	case MIME_EVENT_ILLEGAL_ENCODING:
+		category = "illegal encoding";
+		break;
+
+	case MIME_EVENT_CONTENT_GAP:
+		category = "content gap";
+		break;
+
+	default:
+		internal_error("unrecognized HTTP message event");
+	}
+
+	MyHTTP_Analyzer()->HTTP_Event(category, detail);
+	}
+
+void HTTP_Message::SetPlainDelivery(int length)
+	{
+	content_line->SetPlainDelivery(length);
+
+	if ( length > 0 && skip_http_data )
+		content_line->SkipBytesAfterThisLine(length);
+
+	if ( ! data_buffer )
+		InitBuffer(length);
+	}
+
+void HTTP_Message::SkipEntityData()
+	{
+	if ( current_entity )
+		current_entity->SkipBody();
+	}
+
+void HTTP_Message::DeliverEntityData()
+	{
+	if ( http_entity_data )
+		{
+		const BroString* entity_data = 0;
+
+		if ( data_buffer && buffer_offset > 0 )
+			{
+			if ( buffer_offset < buffer_size )
+				{
+				entity_data = new BroString(data_buffer->Bytes(), buffer_offset, 0);
+				delete data_buffer;
+				}
+			else
+				entity_data = data_buffer;
+
+			data_buffer = 0;
+
+			if ( buffers.empty() )
+				MyHTTP_Analyzer()->HTTP_EntityData(is_orig,
+								entity_data);
+			else
+				buffers.push_back(entity_data);
+
+			entity_data = 0;
+			}
+
+		if ( ! buffers.empty() )
+			{
+			if ( buffers.size() == 1 )
+				{
+				entity_data = buffers[0];
+				buffers.clear();
+				}
+			else
+				{
+				entity_data = concatenate(buffers);
+				delete_strings(buffers);
+				}
+
+			MyHTTP_Analyzer()->HTTP_EntityData(is_orig, entity_data);
+			}
+		}
+	else
+		{
+		delete_strings(buffers);
+
+		if ( data_buffer )
+			delete data_buffer;
+
+		data_buffer = 0;
+		}
+
+	total_buffer_size = 0;
+	}
+
+int HTTP_Message::InitBuffer(int length)
+	{
+	if ( length <= 0 )
+		return 0;
+
+	if ( total_buffer_size >= http_entity_data_delivery_size )
+		DeliverEntityData();
+
+	if ( total_buffer_size + length > http_entity_data_delivery_size )
+		{
+		length = http_entity_data_delivery_size - total_buffer_size;
+		if ( length <= 0 )
+			return 0;
+		}
+
+	u_char* b = new u_char[length];
+	data_buffer = new BroString(0, b, length);
+
+	buffer_size = length;
+	total_buffer_size += length;
+	buffer_offset = 0;
+
+	return 1;
+	}
+
+void HTTP_Message::Weird(const char* msg)
+	{
+	analyzer->Weird(msg);
+	}
+
+HTTP_Analyzer::HTTP_Analyzer(Connection* conn)
+	: TCP_ApplicationAnalyzer(AnalyzerTag::HTTP, conn)
+	{
+	num_requests = num_replies = 0;
+	num_request_lines = num_reply_lines = 0;
+	request_version = reply_version = 0.0;	// unknown version
+	keep_alive = 0;
+	connection_close = 0;
+
+	request_message = reply_message = 0;
+	request_state = EXPECT_REQUEST_LINE;
+	reply_state = EXPECT_REPLY_LINE;
+
+	request_ongoing = 0;
+	request_method = request_URI = 0;
+	unescaped_URI = 0;
+
+	reply_ongoing = 0;
+	reply_code = 0;
+	reply_reason_phrase = 0;
+
+	content_line_orig = new ContentLine_Analyzer(conn, true);
+	AddSupportAnalyzer(content_line_orig);
+
+	content_line_resp = new ContentLine_Analyzer(conn, false);
+	content_line_resp->SetSkipPartial(true);
+	AddSupportAnalyzer(content_line_resp);
+	}
+
+HTTP_Analyzer::~HTTP_Analyzer()
+	{
+	Unref(request_method);
+	Unref(request_URI);
+	Unref(unescaped_URI);
+	Unref(reply_reason_phrase);
+	}
+
+void HTTP_Analyzer::Done()
+	{
+	if ( IsFinished() )
+		return;
+
+	TCP_ApplicationAnalyzer::Done();
+
+	RequestMade(1, "message interrupted when connection done");
+	ReplyMade(1, "message interrupted when connection done");
+
+	delete request_message;
+	request_message = 0;
+
+	delete reply_message;
+	reply_message = 0;
+
+	GenStats();
+
+	while ( ! unanswered_requests.empty() )
+		{
+		Unref(unanswered_requests.front());
+		unanswered_requests.pop();
+		}
+	}
+
+void HTTP_Analyzer::DeliverStream(int len, const u_char* data, bool is_orig)
+	{
+	TCP_ApplicationAnalyzer::DeliverStream(len, data, is_orig);
+
+	if ( TCP() && TCP()->IsPartial() )
+		return;
+
+	const char* line = reinterpret_cast<const char*>(data);
+	const char* end_of_line = line + len;
+
+	ContentLine_Analyzer* content_line =
+		is_orig ? content_line_orig : content_line_resp;
+
+	if ( content_line->IsPlainDelivery() )
+		{
+		if ( is_orig )
+			{
+			if ( request_message )
+				request_message->Deliver(len, line, 0);
+			else
+				Weird("unexpected_client_HTTP_data");
+			}
+		else
+			{
+			if ( reply_message )
+				reply_message->Deliver(len, line, 0);
+			else
+				Weird("unexpected_server_HTTP_data");
+			}
+		return;
+		}
+
+	// HTTP_Event("HTTP line", new_string_val(length, line));
+
+	if ( is_orig )
+		{
+		++num_request_lines;
+
+		switch ( request_state ) {
+		case EXPECT_REQUEST_LINE:
+			if ( HTTP_RequestLine(line, end_of_line) )
+				{
+				++num_requests;
+
+				if ( ! keep_alive && num_requests > 1 )
+					Weird("unexpected_multiple_HTTP_requests");
+
+				request_state = EXPECT_REQUEST_MESSAGE;
+				request_ongoing = 1;
+				unanswered_requests.push(request_method->Ref());
+				HTTP_Request();
+				InitHTTPMessage(content_line, request_message,
+						is_orig, HTTP_BODY_MAYBE, len);
+				}
+
+			else
+				{
+				if ( ! RequestExpected() )
+					HTTP_Event("crud_trailing_HTTP_request",
+						   new_string_val(line, end_of_line));
+				else
+					ProtocolViolation("not a http request line");
+				}
+			break;
+
+		case EXPECT_REQUEST_MESSAGE:
+			request_message->Deliver(len, line, 1);
+			break;
+
+		case EXPECT_REQUEST_TRAILER:
+			break;
+		}
+		}
+	else
+		{ // HTTP reply
+		switch ( reply_state ) {
+		case EXPECT_REPLY_LINE:
+			if ( HTTP_ReplyLine(line, end_of_line) )
+				{
+				++num_replies;
+
+				if ( unanswered_requests.empty() )
+					Weird("unmatched_HTTP_reply");
+
+				reply_state = EXPECT_REPLY_MESSAGE;
+				reply_ongoing = 1;
+
+				HTTP_Reply();
+
+				InitHTTPMessage(content_line,
+						reply_message, is_orig,
+						ExpectReplyMessageBody(),
+						len);
+				}
+		    else
+				ProtocolViolation("not a http reply line");
+
+			break;
+
+		case EXPECT_REPLY_MESSAGE:
+			reply_message->Deliver(len, line, 1);
+			break;
+
+		case EXPECT_REPLY_TRAILER:
+			break;
+		}
+		}
+	}
+
+void HTTP_Analyzer::Undelivered(int seq, int len, bool is_orig)
+	{
+	TCP_ApplicationAnalyzer::Undelivered(seq, len, is_orig);
+
+	// DEBUG_MSG("Undelivered from %d: %d bytes\n", seq, length);
+
+	HTTP_Message* msg =
+		is_orig ? request_message : reply_message;
+
+	ContentLine_Analyzer* content_line =
+		is_orig ? content_line_orig : content_line_resp;
+
+	if ( ! content_line->IsSkippedContents(seq, len) )
+		{
+		if ( msg )
+			msg->SubmitEvent(MIME_EVENT_CONTENT_GAP,
+				fmt("seq=%d, len=%d", seq, len));
+		}
+
+	// Check if the content gap falls completely within a message body
+	if ( msg && msg->Undelivered(len) )
+		// If so, we are safe to skip the content and go on parsing
+		return;
+
+	// Otherwise stop parsing the connection
+	if ( is_orig )
+		{
+		// Stop parsing reply messages too, because whether a
+		// reply contains a body may depend on knowing the
+		// request method
+
+		RequestMade(1, "message interrupted by a content gap");
+		ReplyMade(1, "message interrupted by a content gap");
+
+		content_line->SetSkipDeliveries(1);
+		content_line->SetSkipDeliveries(1);
+		}
+	else
+		{
+		ReplyMade(1, "message interrupted by a content gap");
+		content_line->SetSkipDeliveries(1);
+		}
+	}
+
+void HTTP_Analyzer::EndpointEOF(bool is_orig)
+	{
+	TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
+
+	// DEBUG_MSG("%.6f eof\n", network_time);
+
+	if ( is_orig )
+		RequestMade(0, "message ends as connection contents are completely delivered");
+	else
+		ReplyMade(0, "message ends as connection contents are completely delivered");
+	}
+
+void HTTP_Analyzer::ConnectionFinished(int half_finished)
+	{
+	TCP_ApplicationAnalyzer::ConnectionFinished(half_finished);
+
+	// DEBUG_MSG("%.6f connection finished\n", network_time);
+	RequestMade(1, "message ends as connection is finished");
+	ReplyMade(1, "message ends as connection is finished");
+	}
+
+void HTTP_Analyzer::ConnectionReset()
+	{
+	TCP_ApplicationAnalyzer::ConnectionReset();
+
+	RequestMade(1, "message interrupted by RST");
+	ReplyMade(1, "message interrupted by RST");
+	}
+
+void HTTP_Analyzer::PacketWithRST()
+	{
+	TCP_ApplicationAnalyzer::PacketWithRST();
+
+	RequestMade(1, "message interrupted by RST");
+	ReplyMade(1, "message interrupted by RST");
+	}
+
+void HTTP_Analyzer::GenStats()
+	{
+	if ( http_stats )
+		{
+		RecordVal* r = new RecordVal(http_stats_rec);
+		r->Assign(0, new Val(num_requests, TYPE_COUNT));
+		r->Assign(1, new Val(num_replies, TYPE_COUNT));
+		r->Assign(2, new Val(request_version, TYPE_DOUBLE));
+		r->Assign(3, new Val(reply_version, TYPE_DOUBLE));
+
+		val_list* vl = new val_list;
+		vl->append(BuildConnVal());
+		vl->append(r);
+
+		// DEBUG_MSG("%.6f http_stats\n", network_time);
+		ConnectionEvent(http_stats, vl);
+		}
+	}
+
+const char* HTTP_Analyzer::PrefixMatch(const char* line,
+				const char* end_of_line, const char* prefix)
+	{
+	while ( *prefix && line < end_of_line && *prefix == *line )
+		{
+		++prefix;
+		++line;
+		}
+
+	if ( *prefix )
+		// It didn't match.
+		return 0;
+
+	return line;
+	}
+
+const char* HTTP_Analyzer::PrefixWordMatch(const char* line,
+				const char* end_of_line, const char* prefix)
+	{
+	if ( (line = PrefixMatch(line, end_of_line, prefix)) == 0 )
+		return 0;
+
+	const char* orig_line = line;
+	line = skip_whitespace(line, end_of_line);
+
+	if ( line == orig_line )
+		// Word didn't end at prefix.
+		return 0;
+
+	return line;
+	}
+
+int HTTP_Analyzer::HTTP_RequestLine(const char* line, const char* end_of_line)
+	{
+	const char* rest = 0;
+	static const char* http_methods[] = {
+		"GET", "POST", "HEAD",
+
+		"OPTIONS", "PUT", "DELETE", "TRACE", "CONNECT",
+
+		// HTTP methods for distributed authoring.
+		"PROPFIND", "PROPPATCH", "MKCOL", "DELETE", "PUT",
+		"COPY", "MOVE", "LOCK", "UNLOCK",
+
+		"SEARCH",
+
+		0,
+	};
+
+	int i;
+	for ( i = 0; http_methods[i]; ++i )
+		if ( (rest = PrefixWordMatch(line, end_of_line, http_methods[i])) != 0 )
+			break;
+
+	if ( ! http_methods[i] )
+		{
+		// Weird("HTTP_unknown_method");
+		if ( RequestExpected() )
+			HTTP_Event("unknown_HTTP_method", new_string_val(line, end_of_line));
+		return 0;
+		}
+
+	request_method = new StringVal(http_methods[i]);
+
+	if ( ! ParseRequest(rest, end_of_line) )
+		internal_error("HTTP ParseRequest failed");
+
+	Conn()->Match(Rule::HTTP_REQUEST,
+			(const u_char*) unescaped_URI->AsString()->Bytes(),
+			unescaped_URI->AsString()->Len(), true, true, true, true);
+
+	return 1;
+	}
+
+int HTTP_Analyzer::ParseRequest(const char* line, const char* end_of_line)
+	{
+	const char* end_of_uri;
+	const char* version_start;
+	const char* version_end;
+
+	for ( end_of_uri = line; end_of_uri < end_of_line; ++end_of_uri )
+		{
+		if ( ! is_reserved_URI_char(*end_of_uri) &&
+		     ! is_unreserved_URI_char(*end_of_uri) &&
+		     *end_of_uri != '%' )
+			break;
+		}
+
+	for ( version_start = end_of_uri; version_start < end_of_line; ++version_start )
+		{
+		end_of_uri = version_start;
+		version_start = skip_whitespace(version_start, end_of_line);
+		if ( PrefixMatch(version_start, end_of_line, "HTTP/") )
+			break;
+		}
+
+	if ( version_start >= end_of_line )
+		{
+		// If no version is found
+		SetVersion(request_version, 0.9);
+		}
+	else
+		{
+		if ( version_start + 8 <= end_of_line )
+			{
+			version_start += 5; // "HTTP/"
+			SetVersion(request_version,
+					HTTP_Version(end_of_line - version_start,
+							version_start));
+
+			version_end = version_start + 3;
+			if ( skip_whitespace(version_end, end_of_line) != end_of_line )
+				HTTP_Event("crud after HTTP version is ignored",
+					   new_string_val(line, end_of_line));
+			}
+		else
+			HTTP_Event("bad_HTTP_version", new_string_val(line, end_of_line));
+		}
+
+	// NormalizeURI(line, end_of_uri);
+
+	request_URI = new StringVal(end_of_uri - line, line);
+	unescaped_URI = new StringVal(unescape_URI((const u_char*) line,
+					(const u_char*) end_of_uri, this));
+
+	return 1;
+	}
+
+// Only recognize [0-9][.][0-9].
+double HTTP_Analyzer::HTTP_Version(int len, const char* data)
+	{
+	if ( len >= 3 &&
+	     data[0] >= '0' && data[0] <= '9' &&
+	     data[1] == '.' &&
+	     data[2] >= '0' && data[2] <= '9' )
+		{
+		return double(data[0] - '0') + 0.1 * double(data[2] - '0');
+		}
+	else
+		{
+	        HTTP_Event("bad_HTTP_version", new_string_val(len, data));
+		return 0;
+		}
+	}
+
+void HTTP_Analyzer::SetVersion(double& version, double new_version)
+	{
+	if ( version == 0.0 )
+		version = new_version;
+
+	else if ( version != new_version )
+		Weird("HTTP_version_mismatch");
+
+	if ( version > 1.05 )
+		keep_alive = 1;
+	}
+
+void HTTP_Analyzer::HTTP_Event(const char* category, const char* detail)
+	{
+	HTTP_Event(category, new StringVal(detail));
+	}
+
+void HTTP_Analyzer::HTTP_Event(const char* category, StringVal* detail)
+	{
+	if ( http_event )
+		{
+		val_list* vl = new val_list();
+		vl->append(BuildConnVal());
+		vl->append(new StringVal(category));
+		vl->append(detail);
+
+		// DEBUG_MSG("%.6f http_event\n", network_time);
+		ConnectionEvent(http_event, vl);
+		}
+	else
+		delete detail;
+	}
+
+StringVal* HTTP_Analyzer::TruncateURI(StringVal* uri)
+	{
+	const BroString* str = uri->AsString();
+
+	if ( truncate_http_URI >= 0 && str->Len() > truncate_http_URI )
+		{
+		u_char* s = new u_char[truncate_http_URI + 4];
+		memcpy(s, str->Bytes(), truncate_http_URI);
+		memcpy(s + truncate_http_URI, "...", 4);
+		return new StringVal(new BroString(1, s, truncate_http_URI+3));
+		}
+	else
+		{
+		Ref(uri);
+		return uri;
+		}
+	}
+
+void HTTP_Analyzer::HTTP_Request()
+	{
+	ProtocolConfirmation();
+
+	if ( http_request )
+		{
+		val_list* vl = new val_list;
+		vl->append(BuildConnVal());
+
+		Ref(request_method);
+		vl->append(request_method);
+		vl->append(TruncateURI(request_URI->AsStringVal()));
+		vl->append(TruncateURI(unescaped_URI->AsStringVal()));
+
+		vl->append(new StringVal(fmt("%.1f", request_version)));
+		// DEBUG_MSG("%.6f http_request\n", network_time);
+		ConnectionEvent(http_request, vl);
+		}
+	}
+
+void HTTP_Analyzer::HTTP_Reply()
+	{
+	if ( http_reply )
+		{
+		val_list* vl = new val_list;
+		vl->append(BuildConnVal());
+		vl->append(new StringVal(fmt("%.1f", reply_version)));
+		vl->append(new Val(reply_code, TYPE_COUNT));
+		if ( reply_reason_phrase )
+			vl->append(reply_reason_phrase->Ref());
+		else
+			vl->append(new StringVal("<empty>"));
+		ConnectionEvent(http_reply, vl);
+		}
+	else
+		{
+		Unref(reply_reason_phrase);
+		reply_reason_phrase = 0;
+		}
+	}
+
+void HTTP_Analyzer::RequestMade(const int interrupted, const char* msg)
+	{
+	if ( ! request_ongoing )
+		return;
+
+	request_ongoing = 0;
+
+	if ( request_message )
+		request_message->Done(interrupted, msg);
+
+	// DEBUG_MSG("%.6f request made\n", network_time);
+
+	Unref(request_method);
+	Unref(unescaped_URI);
+	Unref(request_URI);
+
+	request_method = request_URI = unescaped_URI = 0;
+
+	num_request_lines = 0;
+
+	request_state = EXPECT_REQUEST_LINE;
+	}
+
+void HTTP_Analyzer::ReplyMade(const int interrupted, const char* msg)
+	{
+	if ( ! reply_ongoing )
+		return;
+
+	reply_ongoing = 0;
+
+	// DEBUG_MSG("%.6f reply made\n", network_time);
+
+	if ( reply_message )
+		reply_message->Done(interrupted, msg);
+
+	if ( ! unanswered_requests.empty() )
+		{
+		Unref(unanswered_requests.front());
+		unanswered_requests.pop();
+		}
+
+	reply_code = 0;
+
+	if ( reply_reason_phrase )
+		{
+		Unref(reply_reason_phrase);
+		reply_reason_phrase = 0;
+		}
+
+	reply_state = EXPECT_REPLY_LINE;
+	}
+
+void HTTP_Analyzer::RequestClash(Val* /* clash_val */)
+	{
+	Weird("multiple_HTTP_request_elements");
+
+	// Flush out old values.
+	RequestMade(1, "request clash");
+	}
+
+const BroString* HTTP_Analyzer::UnansweredRequestMethod()
+	{
+	return unanswered_requests.empty() ? 0 : unanswered_requests.front()->AsString();
+	}
+
+int HTTP_Analyzer::HTTP_ReplyLine(const char* line, const char* end_of_line)
+	{
+	const char* rest;
+
+	if ( ! (rest = PrefixMatch(line, end_of_line, "HTTP/")) )
+		{
+		// ##TODO: some server replies with an HTML document
+		// without a status line and a MIME header, when the
+		// request is malformed.
+		HTTP_Event("bad_HTTP_reply", new_string_val(line, end_of_line));
+		return 0;
+		}
+
+	SetVersion(reply_version, HTTP_Version(end_of_line - rest, rest));
+
+	for ( ; rest < end_of_line; ++rest )
+		if ( is_lws(*rest) )
+			break;
+
+	if ( rest >= end_of_line )
+		{
+		HTTP_Event("HTTP_reply_code_missing",
+				new_string_val(line, end_of_line));
+		return 0;
+		}
+
+	rest = skip_whitespace(rest, end_of_line);
+
+	if ( rest + 3 > end_of_line )
+		{
+		HTTP_Event("HTTP_reply_code_missing",
+			new_string_val(line, end_of_line));
+		return 0;
+		}
+
+	reply_code = HTTP_ReplyCode(rest);
+
+	for ( rest += 3; rest < end_of_line; ++rest )
+		if ( is_lws(*rest) )
+			break;
+
+	if ( rest >= end_of_line )
+		{
+		HTTP_Event("HTTP_reply_reason_phrase_missing",
+			new_string_val(line, end_of_line));
+		// Tolerate missing reason phrase?
+		return 1;
+		}
+
+	rest = skip_whitespace(rest, end_of_line);
+	reply_reason_phrase =
+		new StringVal(end_of_line - rest, (const char *) rest);
+
+	return 1;
+	}
+
+int HTTP_Analyzer::HTTP_ReplyCode(const char* code_str)
+	{
+	if ( isdigit(code_str[0]) && isdigit(code_str[1]) && isdigit(code_str[2]) )
+		return	(code_str[0] - '0') * 100 +
+			(code_str[1] - '0') * 10 +
+			(code_str[2] - '0');
+	else
+		return 0;
+	}
+
+int HTTP_Analyzer::ExpectReplyMessageBody()
+	{
+	// RFC 2616:
+	//
+	//     For response messages, whether or not a message-body is included with
+	//     a message is dependent on both the request method and the response
+	//     status code (section 6.1.1). All responses to the HEAD request method
+	//     MUST NOT include a message-body, even though the presence of entity-
+	//     header fields might lead one to believe they do. All 1xx
+	//     (informational), 204 (no content), and 304 (not modified) responses
+	//     MUST NOT include a message-body. All other responses do include a
+	//     message-body, although it MAY be of zero length.
+
+	const BroString* method = UnansweredRequestMethod();
+
+	if ( method && strcasecmp_n(method->Len(), (const char*) (method->Bytes()), "HEAD") == 0 )
+		return HTTP_BODY_NOT_EXPECTED;
+
+	if ( (reply_code >= 100 && reply_code < 200) ||
+	     reply_code == 204 || reply_code == 304 )
+		return HTTP_BODY_NOT_EXPECTED;
+
+	return HTTP_BODY_EXPECTED;
+	}
+
+void HTTP_Analyzer::HTTP_Header(int is_orig, MIME_Header* h)
+	{
+#if 0
+	// ### Only call ParseVersion if we're tracking versions:
+	if ( strcasecmp_n(h->get_name(), "server") == 0 )
+		ParseVersion(h->get_value(),
+				(is_orig ? Conn()->OrigAddr() : Conn()->RespAddr()), false);
+
+	else if ( strcasecmp_n(h->get_name(), "user-agent") == 0 )
+		ParseVersion(h->get_value(),
+				(is_orig ? Conn()->OrigAddr() : Conn()->RespAddr()), true);
+#endif
+
+	// To be "liberal", we only look at "keep-alive" on the client
+	// side, and if seen assume the connection to be persistent.
+	// This seems fairly safe - at worst, the client does indeed
+	// send additional requests, and the server ignores them.
+	if ( is_orig && strcasecmp_n(h->get_name(), "connection") == 0 )
+		{
+		if ( strcasecmp_n(h->get_value_token(), "keep-alive") == 0 )
+			keep_alive = 1;
+		}
+
+	if ( ! is_orig &&
+	     strcasecmp_n(h->get_name(), "connection") == 0 )
+	        {
+		if ( strcasecmp_n(h->get_value_token(), "close") == 0 )
+		        connection_close = 1;
+		}
+
+	if ( http_header )
+		{
+		Rule::PatternType rule =
+			is_orig ?  Rule::HTTP_REQUEST_HEADER :
+					Rule::HTTP_REPLY_HEADER;
+
+		data_chunk_t hd_name = h->get_name();
+		data_chunk_t hd_value = h->get_value();
+
+		Conn()->Match(rule, (const u_char*) hd_name.data, hd_name.length,
+				is_orig, true, false, true);
+		Conn()->Match(rule, (const u_char*) ": ", 2, is_orig,
+				false, false, false);
+		Conn()->Match(rule, (const u_char*) hd_value.data, hd_value.length,
+				is_orig, false, true, false);
+
+		val_list* vl = new val_list();
+		vl->append(BuildConnVal());
+		vl->append(new Val(is_orig, TYPE_BOOL));
+		vl->append(new_string_val(h->get_name())->ToUpper());
+		vl->append(new_string_val(h->get_value()));
+		if ( DEBUG_http )
+			DEBUG_MSG("%.6f http_header\n", network_time);
+		ConnectionEvent(http_header, vl);
+		}
+	}
+
+void HTTP_Analyzer::ParseVersion(data_chunk_t ver, const uint32* host,
+				bool user_agent)
+	{
+	int len = ver.length;
+	const char* data = ver.data;
+
+	if ( software_unparsed_version_found )
+		Conn()->UnparsedVersionFoundEvent(host, data, len, this);
+
+	// The RFC defines:
+	//
+	//	product		= token ["/" product-version]
+	//	product-version = token
+	//	Server		= "Server" ":" 1*( product | comment )
+
+	int offset;
+	data_chunk_t product, product_version;
+	int num_version = 0;
+
+	while ( len > 0 )
+		{
+		// Skip white space.
+		while ( len && is_lws(*data) )
+			{
+			++data;
+			--len;
+			}
+
+		// See if a comment is coming next. For User-Agent,
+		// we parse it, too.
+		if ( user_agent && len && *data == '(' )
+			{
+			// Find end of comment.
+			const char* data_start = data;
+			const char* eoc =
+				data + MIME_skip_lws_comments(len, data);
+
+			// Split into parts.
+			// (This may get confused by nested comments,
+			// but we ignore this for now.)
+			const char* eot;
+			++data;
+			while ( 1 )
+				{
+				// Eat spaces.
+				while ( data < eoc && is_lws(*data) )
+					++data;
+
+				// Find end of token.
+				for ( eot = data;
+				      eot < eoc && *eot != ';' && *eot != ')';
+				      ++eot )
+					;
+
+				if ( eot == eoc )
+					break;
+
+				// Delete spaces at end of token.
+				for ( ; eot > data && is_lws(*(eot-1)); --eot )
+					;
+
+				if ( data != eot && software_version_found )
+					Conn()->VersionFoundEvent(host, data, eot - data, this);
+				data = eot + 1;
+				}
+
+			len -= eoc - data_start;
+			data = eoc;
+			continue;
+			}
+
+		offset = MIME_get_slash_token_pair(len, data,
+						&product, &product_version);
+		if ( offset < 0 )
+			{
+			// I guess version detection is best-effort,
+			// so we do not complain in the final version
+			if ( num_version == 0 )
+				HTTP_Event("bad_HTTP_version",
+						new_string_val(len, data));
+
+			// Try to simply skip next token.
+			offset = MIME_get_token(len, data, &product);
+			if ( offset < 0 )
+				break;
+
+			len -= offset;
+			data += offset;
+			}
+
+		else
+			{
+			len -= offset;
+			data += offset;
+
+			int version_len =
+				product.length + 1 + product_version.length;
+
+			char* version_str = new char[version_len+1];
+			char* s = version_str;
+
+			memcpy(s, product.data, product.length);
+
+			s += product.length;
+			*(s++) = '/';
+
+			memcpy(s, product_version.data, product_version.length);
+
+			s += product_version.length;
+			*s = 0;
+
+			if ( software_version_found )
+				Conn()->VersionFoundEvent(host,	version_str,
+							version_len, this);
+
+			delete [] version_str;
+			++num_version;
+			}
+		}
+	}
+
+void HTTP_Analyzer::HTTP_EntityData(int is_orig, const BroString* entity_data)
+	{
+	if ( http_entity_data )
+		{
+		val_list* vl = new val_list();
+		vl->append(BuildConnVal());
+		vl->append(new Val(is_orig, TYPE_BOOL));
+		vl->append(new Val(entity_data->Len(), TYPE_COUNT));
+		// FIXME: Make sure that removing the const here is indeed ok...
+		vl->append(new StringVal(const_cast<BroString*>(entity_data)));
+		ConnectionEvent(http_entity_data, vl);
+		}
+	else
+		delete entity_data;
+	}
+
+// Calls request/reply done
+void HTTP_Analyzer::HTTP_MessageDone(int is_orig, HTTP_Message* /* message */)
+	{
+	if ( is_orig )
+		RequestMade(0, "message ends normally");
+	else
+		ReplyMade(0, "message ends normally");
+	}
+
+void HTTP_Analyzer::InitHTTPMessage(ContentLine_Analyzer* cl, HTTP_Message*& message,
+		bool is_orig, int expect_body, int init_header_length)
+	{
+	if ( message )
+		{
+		if ( ! message->Finished() )
+			Weird("HTTP_overlapping_messages");
+
+		delete message;
+		}
+
+	// DEBUG_MSG("%.6f init http message\n", network_time);
+	message = new HTTP_Message(this, cl, is_orig, expect_body,
+					init_header_length);
+	}
+
+void HTTP_Analyzer::SkipEntityData(int is_orig)
+	{
+	HTTP_Message* msg = is_orig ? request_message : reply_message;
+
+	if ( msg )
+		msg->SkipEntityData();
+	}
+
+int is_reserved_URI_char(unsigned char ch)
+	{ // see RFC 2396 (definition of URI)
+	return strchr(";/?:@&=+$,", ch) != 0;
+	}
+
+int is_unreserved_URI_char(unsigned char ch)
+	{ // see RFC 2396 (definition of URI)
+	return isalnum(ch) || strchr("-_.!~*\'()", ch) != 0;
+	}
+
+void escape_URI_char(unsigned char ch, unsigned char*& p)
+	{
+	*p++ = '%';
+	*p++ = encode_hex((ch >> 4) & 0xf);
+	*p++ = encode_hex(ch & 0xf);
+	}
+
+BroString* unescape_URI(const u_char* line, const u_char* line_end,
+			Analyzer* analyzer)
+	{
+	byte_vec decoded_URI = new u_char[line_end - line + 1];
+	byte_vec URI_p = decoded_URI;
+
+	// An 'unescaped_special_char' here means a character that *should*
+	// be escaped, but isn't in the URI.  A control characters that
+	// appears directly in the URI would be an example.  The RFC implies
+	// that if we do not unescape the URI that we see in the trace, every
+	// character should be a printable one -- either reserved or unreserved
+	// (or '%').
+	//
+	// Counting the number of unescaped characters and generating a weird
+	// event on URI's with unescaped characters (which are rare) will
+	// let us locate strange-looking URI's in the trace -- those URI's
+	// are often interesting.
+	int unescaped_special_char = 0;
+
+	while ( line < line_end )
+		{
+		if ( *line == '%' )
+			{
+			++line;
+
+			if ( line == line_end )
+				{
+				// How to deal with % at end of line?
+				// *URI_p++ = '%';
+				if ( analyzer )
+					analyzer->Weird("illegal_%_at_end_of_URI");
+				break;
+				}
+
+			else if ( *line == '%' )
+				{
+				// Double '%' might be either due to
+				// software bug, or more likely, an
+				// evasion (e.g. used by Nimda).
+				// *URI_p++ = '%';
+				if ( analyzer )
+					analyzer->Weird("double_%_in_URI");
+				--line;	// ignore the first '%'
+				}
+
+			else if ( isxdigit(line[0]) && isxdigit(line[1]) )
+				{
+				*URI_p++ = (decode_hex(line[0]) << 4) +
+					   decode_hex(line[1]);
+				++line; // place line at the last hex digit
+				}
+
+			else
+				{
+				if ( analyzer )
+					analyzer->Weird("unescaped_%_in_URI");
+				*URI_p++ = '%';	// put back initial '%'
+				*URI_p++ = *line;	// take char w/o interp.
+				}
+			}
+
+		else
+			{
+			if ( ! is_reserved_URI_char(*line) &&
+			     ! is_unreserved_URI_char(*line) )
+				// Count these up as a way to compress
+				// the corresponding Weird event to a
+				// single instance.
+				++unescaped_special_char;
+			*URI_p++ = *line;
+			}
+
+		++line;
+		}
+
+	URI_p[0] = 0;
+
+	if ( unescaped_special_char && analyzer )
+		analyzer->Weird("unescaped_special_URI_char");
+
+	return new BroString(1, decoded_URI, URI_p - decoded_URI);
+	}
+
+#include "http-rw.bif.func_def"
diff --git a/src/HTTP.h b/src/HTTP.h
new file mode 100644
index 0000000000..2faa1791d1
--- /dev/null
+++ b/src/HTTP.h
@@ -0,0 +1,260 @@
+// $Id: HTTP.h 6942 2009-11-16 03:54:08Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#ifndef http_h
+#define http_h
+
+#include "TCP.h"
+#include "ContentLine.h"
+#include "MIME.h"
+#include "binpac_bro.h"
+#include "ZIP.h"
+
+enum CHUNKED_TRANSFER_STATE {
+	NON_CHUNKED_TRANSFER,
+	BEFORE_CHUNK,
+	EXPECT_CHUNK_SIZE,
+	EXPECT_CHUNK_DATA,
+	EXPECT_CHUNK_DATA_CRLF,
+	EXPECT_CHUNK_TRAILER,
+	EXPECT_NOTHING,
+};
+
+class HTTP_Entity;
+class HTTP_Message;
+class HTTP_Analyzer;
+
+class HTTP_Entity : public MIME_Entity {
+public:
+	HTTP_Entity(HTTP_Message* msg, MIME_Entity* parent_entity,
+			int expect_body);
+	~HTTP_Entity()
+		{
+#ifdef HAVE_LIBZ
+		if ( zip )
+			{ zip->Done(); delete zip; }
+#endif
+		}
+
+	void EndOfData();
+	void Deliver(int len, const char* data, int trailing_CRLF);
+	int Undelivered(int len);
+	int BodyLength() const 		{ return body_length; }
+	int HeaderLength() const 	{ return header_length; }
+	void SkipBody() 		{ deliver_body = 0; }
+
+protected:
+	class UncompressedOutput;
+	friend class UncompressedOutput;
+
+	HTTP_Message* http_message;
+	int chunked_transfer_state;
+	int content_length;
+	int expect_data_length;
+	int expect_body;
+	int body_length;
+	int header_length;
+	int deliver_body;
+	enum { IDENTITY, GZIP, COMPRESS, DEFLATE } encoding;
+#ifdef HAVE_LIBZ
+	ZIP_Analyzer* zip;
+#endif
+
+	MIME_Entity* NewChildEntity() { return new HTTP_Entity(http_message, this, 1); }
+
+	void DeliverBody(int len, const char* data, int trailing_CRLF);
+	void DeliverBodyClear(int len, const char* data, int trailing_CRLF);
+
+	void SubmitData(int len, const char* buf);
+
+	void SetPlainDelivery(int length);
+
+	void SubmitHeader(MIME_Header* h);
+	void SubmitAllHeaders();
+};
+
+enum {
+	HTTP_BODY_NOT_EXPECTED,
+	HTTP_BODY_EXPECTED,
+	HTTP_BODY_MAYBE,
+};
+
+// Finishing HTTP Messages:
+//
+// HTTP_Entity::SubmitAllHeaders	-> EndOfData (no body)
+// HTTP_Entity::Deliver	-> EndOfData (end of body)
+// HTTP_Analyzer::Done	-> {Request,Reply}Made (connection terminated)
+// {Request,Reply}Made	-> HTTP_Message::Done
+// HTTP_Message::Done	-> MIME_Message::Done, EndOfData, HTTP_MessageDone
+// MIME_Entity::EndOfData	-> Message::EndEntity
+// HTTP_Message::EndEntity	-> Message::Done
+// HTTP_MessageDone	-> {Request,Reply}Made
+
+class HTTP_Message : public MIME_Message {
+public:
+	HTTP_Message(HTTP_Analyzer* analyzer, ContentLine_Analyzer* cl,
+			 bool is_orig, int expect_body, int init_header_length);
+	~HTTP_Message();
+	void Done(const int interrupted, const char* msg);
+	void Done() { Done(0, "message ends normally"); }
+
+	int Undelivered(int len);
+
+	void BeginEntity(MIME_Entity* /* entity */);
+	void EndEntity(MIME_Entity* entity);
+	void SubmitHeader(MIME_Header* h);
+	void SubmitAllHeaders(MIME_HeaderList& /* hlist */);
+	void SubmitData(int len, const char* buf);
+	int RequestBuffer(int* plen, char** pbuf);
+	void SubmitAllData();
+	void SubmitEvent(int event_type, const char* detail);
+
+	void SubmitTrailingHeaders(MIME_HeaderList& /* hlist */);
+	void SetPlainDelivery(int length);
+	void SkipEntityData();
+
+	HTTP_Analyzer* MyHTTP_Analyzer() const
+		{ return (HTTP_Analyzer*) analyzer; }
+
+	void Weird(const char* msg);
+	bool IsOrig()	{ return is_orig; }
+
+protected:
+	HTTP_Analyzer* analyzer;
+	ContentLine_Analyzer* content_line;
+	bool is_orig;
+
+	vector<const BroString*> buffers;
+
+	// Controls the total buffer size within http_entity_data_delivery_size.
+	int total_buffer_size;
+
+	int buffer_offset, buffer_size;
+	BroString* data_buffer;
+
+	double start_time;
+
+	int body_length;	// total length of entity bodies
+	int header_length;	// total length of headers, including the request/reply line
+
+	// Total length of content gaps that are "successfully" skipped.
+	// Note: this might NOT include all content gaps!
+	int content_gap_length;
+
+	HTTP_Entity* current_entity;
+
+	int InitBuffer(int length);
+	void DeliverEntityData();
+
+	Val* BuildMessageStat(const int interrupted, const char* msg);
+};
+
+class HTTP_Analyzer : public TCP_ApplicationAnalyzer {
+public:
+	HTTP_Analyzer(Connection* conn);
+	~HTTP_Analyzer();
+
+	void Undelivered(TCP_Endpoint* sender, int seq, int len);
+
+	void HTTP_Header(int is_orig, MIME_Header* h);
+	void HTTP_EntityData(int is_orig, const BroString* entity_data);
+	void HTTP_MessageDone(int is_orig, HTTP_Message* message);
+	void HTTP_Event(const char* category, const char* detail);
+	void HTTP_Event(const char* category, StringVal *detail);
+
+	void SkipEntityData(int is_orig);
+
+	// Overriden from Analyzer.
+	virtual void Done();
+	virtual void DeliverStream(int len, const u_char* data, bool orig);
+	virtual void Undelivered(int seq, int len, bool orig);
+	virtual int RewritingTrace()
+		{ return rewriting_http_trace || TCP_ApplicationAnalyzer::RewritingTrace(); }
+
+	// Overriden from TCP_ApplicationAnalyzer
+	virtual void EndpointEOF(bool is_orig);
+	virtual void ConnectionFinished(int half_finished);
+	virtual void ConnectionReset();
+	virtual void PacketWithRST();
+
+	static Analyzer* InstantiateAnalyzer(Connection* conn)
+		{ return new HTTP_Analyzer(conn); }
+
+	static bool Available()
+		{ return (http_request || http_reply) && !FLAGS_use_binpac; }
+
+	int IsConnectionClose()		{ return connection_close; }
+
+protected:
+	void GenStats();
+
+	int HTTP_RequestLine(const char* line, const char* end_of_line);
+	int HTTP_ReplyLine(const char* line, const char* end_of_line);
+
+	void InitHTTPMessage(ContentLine_Analyzer* cl, HTTP_Message*& message, bool is_orig,
+				int expect_body, int init_header_length);
+
+	const char* PrefixMatch(const char* line, const char* end_of_line,
+				const char* prefix);
+	const char* PrefixWordMatch(const char* line, const char* end_of_line,
+				const char* prefix);
+
+	int ParseRequest(const char* line, const char* end_of_line);
+	double HTTP_Version(int len, const char* data);
+
+	void SetVersion(double& version, double new_version);
+
+	int RequestExpected() const { return num_requests == 0 || keep_alive; }
+
+	void HTTP_Request();
+	void HTTP_Reply();
+
+	void RequestMade(const int interrupted, const char* msg);
+	void ReplyMade(const int interrupted, const char* msg);
+	void RequestClash(Val* clash_val);
+
+	const BroString* UnansweredRequestMethod();
+
+	void ParseVersion(data_chunk_t ver, const uint32* host, bool user_agent);
+	int HTTP_ReplyCode(const char* code_str);
+	int ExpectReplyMessageBody();
+
+	StringVal* TruncateURI(StringVal* uri);
+
+	int request_state, reply_state;
+	int num_requests, num_replies;
+	int num_request_lines, num_reply_lines;
+	double request_version, reply_version;
+	int keep_alive;
+	int connection_close;
+	int request_ongoing, reply_ongoing;
+
+	Val* request_method;
+
+	// request_URI is in the original form (may contain '%<hex><hex>'
+	// sequences).
+	Val* request_URI;
+
+	// unescaped_URI does not contain escaped sequences.
+	Val* unescaped_URI;
+
+	std::queue<Val*> unanswered_requests;
+
+	int reply_code;
+	Val* reply_reason_phrase;
+
+	ContentLine_Analyzer* content_line_orig;
+	ContentLine_Analyzer* content_line_resp;
+
+	HTTP_Message* request_message;
+	HTTP_Message* reply_message;
+};
+
+extern int is_reserved_URI_char(unsigned char ch);
+extern int is_unreserved_URI_char(unsigned char ch);
+extern void escape_URI_char(unsigned char ch, unsigned char*& p);
+extern BroString* unescape_URI(const u_char* line, const u_char* line_end,
+				Analyzer* analyzer);
+
+#endif
diff --git a/src/Hash.cc b/src/Hash.cc
new file mode 100644
index 0000000000..47216a8d9d
--- /dev/null
+++ b/src/Hash.cc
@@ -0,0 +1,385 @@
+// $Id: Hash.cc 6219 2008-10-01 05:39:07Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+// The hash function works as follows:
+//
+// 1) For short data we have a number of universal hash functions:
+// UHASH_CW (ax + b (mod p)), H3, Dietzfelbinger and UMAC_NH (UMAC_NH is
+// not as strongly universal as the others, but probably enough). All
+// these functions require number of random bits linear to the data
+// length. And we use them for data no longer than UHASH_KEY_SIZE.
+// They are faster than HMAC/MD5 used for longer data, and most hash
+// operations are on short data.
+//
+// 2) As a fall-back, we use HMAC/MD5 (keyed MD5) for data of arbitrary
+// length. MD5 is used as a scrambling scheme so that it is difficult
+// for the adversary to construct conflicts, though I do not know if
+// HMAC/MD5 is provably universal.
+
+#include "config.h"
+
+#include "Hash.h"
+
+// Define *one* of the following as the universal hash function family to use.
+
+// #define USE_DIETZFELBINGER	// TwoWise
+#define USE_H3
+// #define USE_UHASH_CW
+// #define USE_UMAC_NH
+
+int hash_cnt_all = 0, hash_cnt_uhash = 0;
+
+#if defined(USE_DIETZFELBINGER)
+
+#include "TwoWise.h"
+const TwoWise* two_wise = 0;
+
+#elif defined(USE_H3)
+
+#include "H3.h"
+const H3<hash_t, UHASH_KEY_SIZE>* h3;
+
+#elif defined(USE_UHASH_CW)
+
+// The Carter-Wegman family of universal hash functions.
+// f(x) = (sum(a_i * x_i) mod p) mod N
+// where p is a prime number between N and 2N.
+// Here N = 2^32.
+
+class UHashCW {
+	typedef uint32 word_t;
+public:
+	UHashCW(int arg_max_key_size)
+		{
+		max_num_words = (arg_max_key_size + sizeof(word_t) - 1) /
+				sizeof(word_t);
+
+		a = new word_t[max_num_words + 1];
+		x = new word_t[max_num_words + 1];
+
+		for ( int i = 0; i < max_num_words + 1; ++i )
+			a[i] = rand32bit();
+
+		b = rand64bit();
+		}
+
+	~UHashCW()
+		{
+		delete [] a;
+		delete [] x;
+		}
+
+	uint32 hash(int len, const u_char* data) const
+		{
+		int xlen = (len + sizeof(word_t) - 1) / sizeof(word_t);
+		ASSERT(xlen <= max_num_words);
+
+		x[xlen] = 0;
+		x[xlen-1] = 0;	// pad with 0
+
+		memcpy(static_cast<void *>(x), data, len);
+
+		uint64 h = b;
+		for ( int i = 0; i < xlen; ++i )
+			h += (static_cast<uint64>(x[i]) * a[i]);
+
+		h += static_cast<uint64>(len) * a[xlen];
+
+		// h = h % kPrime
+		//
+		// Here we use a trick given that h is a Mersenne prime:
+		//
+		// Let K = 2^61. Let h = a * K + b.
+		// Thus, h = a * (K-1) + (a + b).
+
+		h = (h & kPrime) + (h >> 61);
+		if ( h >= kPrime )
+			h -= kPrime;
+
+		// h = h % 2^32
+		return static_cast<uint32>(0xffffffffUL & h);
+		}
+
+protected:
+	static const uint64 kPrime = (static_cast<uint64>(1) << 61) - 1;
+
+	int max_num_words;
+	word_t* a;
+	uint64 b;
+	word_t* x;
+};
+
+const UHashCW* uhash_cw = 0;
+
+#elif defined(USE_UMAC_NH)
+
+// Use the NH hash function proposed in UMAC.
+// (See http://www.cs.ucdavis.edu/~rogaway/umac/)
+//
+// Essentially, it is computed as:
+//
+//	H = (x_0 +_16 k_0) * (x_1 +_16 k_1) +
+//		(x_2 +_16 k_2) * (x_3 +_16 k_3) + ...
+//
+// where {k_i} are keys for universal hashing,
+// {x_i} are data words, and +_16 means plus mod 2^16.
+//
+// This is faster than UHASH_CW because no modulo operation
+// is needed.  But note that it is 2^-16 universal, while the
+// other universal functions are (almost) 2^-32 universal.
+//
+// Note: UMAC now has a code release under a BSD-like license, and we may want
+// to consider using it instead of our home-grown code.
+
+#ifndef DEBUG
+#error "UMAC/NH is experimental code."
+#endif
+
+class UMacNH {
+	// NH uses 16-bit words
+	typedef uint16 word_t;
+public:
+	UMacNH(int arg_max_key_size)
+		{
+		max_num_words = (arg_max_key_size + sizeof(word_t) - 1) /
+				sizeof(word_t);
+
+		// Make max_num_words 2n+1
+		if ( max_num_words % 2 == 0 )
+			++max_num_words;
+
+		a = new word_t[max_num_words + 1];
+		x = new word_t[max_num_words + 1];
+
+		for ( int i = 0; i < max_num_words + 1; ++i )
+			a[i] = rand16bit();
+		}
+
+	~UMacNH()
+		{
+		delete [] a;
+		delete [] x;
+		}
+
+	uint32 hash(int len, const u_char* data) const
+		{
+		int xlen = (len + sizeof(word_t) - 1) / sizeof(word_t);
+		if ( xlen % 2 == 0 )
+			++xlen;
+
+		ASSERT(xlen <= max_num_words);
+
+		x[xlen] = len;
+		x[xlen-1] = 0;	// pad with 0
+		if ( xlen >= 2 )
+			x[xlen-2] = 0;
+
+		memcpy(static_cast<void *>(x), data, len);
+
+		uint32 h = 0;
+		for ( int i = 0; i <= xlen; i += 2 )
+			h += (static_cast<uint32>(x[i] + a[i]) *
+			      static_cast<uint32>(x[i+1] + a[i+1]));
+
+		return h;
+		}
+
+protected:
+	int max_num_words;
+	word_t* a;
+	word_t* x;
+};
+
+const UMacNH* umac_nh = 0;
+
+#else
+
+#ifdef DEBUG
+#error "No universal hash function is used."
+#endif
+
+#endif
+
+void init_hash_function()
+	{
+	// Make sure we have already called init_random_seed().
+	ASSERT(hmac_key_set);
+
+	// Both Dietzfelbinger and H3 use random() to generate keys
+	// -- is it strong enough?
+#if defined(USE_DIETZFELBINGER)
+	two_wise = new TwoWise((UHASH_KEY_SIZE + 3) >> 2);
+#elif defined(USE_H3)
+	h3 = new H3<hash_t, UHASH_KEY_SIZE>();
+#elif defined(USE_UHASH_CW)
+	uhash_cw = new UHashCW(UHASH_KEY_SIZE);
+#elif defined(USE_UMAC_NH)
+	umac_nh = new UMacNH(UHASH_KEY_SIZE);
+#endif
+	}
+
+HashKey::HashKey(bro_int_t i)
+	{
+	key_u.i = i;
+	key = (void*) &key_u;
+	size = sizeof(i);
+	hash = HashBytes(key, size);
+	is_our_dynamic = 0;
+	}
+
+HashKey::HashKey(bro_uint_t u)
+	{
+	key_u.i = bro_int_t(u);
+	key = (void*) &key_u;
+	size = sizeof(u);
+	hash = HashBytes(key, size);
+	is_our_dynamic = 0;
+	}
+
+#ifdef USE_INT64
+
+HashKey::HashKey(uint32 u)
+	{
+	key_u.u32 = u;
+	key = (void*) &key_u;
+	size = sizeof(u);
+	hash = HashBytes(key, size);
+	is_our_dynamic = 0;
+	}
+
+#endif // USE_INT64
+
+HashKey::HashKey(const uint32 u[], int n)
+	{
+	size = n * sizeof(u[0]);
+	key = (void*) u;
+	hash = HashBytes(key, size);
+	is_our_dynamic = 0;
+	}
+
+HashKey::HashKey(double d)
+	{
+	union {
+		double d;
+		int i[2];
+	} u;
+
+	key_u.d = u.d = d;
+	key = (void*) &key_u;
+	size = sizeof(d);
+	hash = HashBytes(key, size);
+	is_our_dynamic = 0;
+	}
+
+HashKey::HashKey(const void* p)
+	{
+	key_u.p = p;
+	key = (void*) &key_u;
+	size = sizeof(p);
+	hash = HashBytes(key, size);
+	is_our_dynamic = 0;
+	}
+
+HashKey::HashKey(const char* s)
+	{
+	size = strlen(s);	// note - skip final \0
+	key = (void*) s;
+	hash = HashBytes(key, size);
+	is_our_dynamic = 0;
+	}
+
+HashKey::HashKey(const BroString* s)
+	{
+	size = s->Len();
+	key = (void*) s->Bytes();
+	hash = HashBytes(key, size);
+	is_our_dynamic = 0;
+	}
+
+HashKey::HashKey(int copy_key, void* arg_key, int arg_size)
+	{
+	size = arg_size;
+	is_our_dynamic = 1;
+
+	if ( copy_key )
+		{
+		key = (void*) new char[size];
+		memcpy(key, arg_key, size);
+		}
+	else
+		key = arg_key;
+
+	hash = HashBytes(key, size);
+	}
+
+HashKey::HashKey(const void* arg_key, int arg_size, hash_t arg_hash)
+	{
+	size = arg_size;
+	hash = arg_hash;
+	key = CopyKey(arg_key, size);
+	is_our_dynamic = 1;
+	}
+
+HashKey::HashKey(const void* arg_key, int arg_size, hash_t arg_hash,
+		bool /* dont_copy */)
+	{
+	size = arg_size;
+	hash = arg_hash;
+	key = const_cast<void*>(arg_key);
+	is_our_dynamic = 0;
+	}
+
+HashKey::HashKey(const void* bytes, int arg_size)
+	{
+	size = arg_size;
+	key = CopyKey(bytes, size);
+	hash = HashBytes(key, size);
+	is_our_dynamic = 1;
+	}
+
+void* HashKey::TakeKey()
+	{
+	if ( is_our_dynamic )
+		{
+		is_our_dynamic = 0;
+		return key;
+		}
+	else
+		return CopyKey(key, size);
+	}
+
+void* HashKey::CopyKey(const void* k, int s) const
+	{
+	void* k_copy = (void*) new char[s];
+	memcpy(k_copy, k, s);
+	return k_copy;
+	}
+
+hash_t HashKey::HashBytes(const void* bytes, int size)
+	{
+	++hash_cnt_all;
+
+	if ( size <= UHASH_KEY_SIZE )
+		{
+		const uint8* b = reinterpret_cast<const uint8*>(bytes);
+		++hash_cnt_uhash;
+#if defined(USE_DIETZFELBINGER)
+		return two_wise->Hash(size, b);
+#elif defined(USE_H3)
+		// H3 doesn't check if size is zero
+		return ( size == 0 ) ? 0 : (*h3)(bytes, size);
+#elif defined(USE_UHASH_CW)
+		return uhash_cw->hash(size, b);
+#elif defined(USE_UMAC_NH)
+		return umac_nh->hash(size, b);
+#else
+		--hash_cnt_uhash;
+#endif
+		}
+
+	// Fall back to HMAC/MD5 for longer data (which is usually rare).
+	hash_t digest[16];
+	hmac_md5(size, (unsigned char*) bytes, (unsigned char*) digest);
+	return digest[0];
+	}
diff --git a/src/Hash.h b/src/Hash.h
new file mode 100644
index 0000000000..5ed41b05e9
--- /dev/null
+++ b/src/Hash.h
@@ -0,0 +1,96 @@
+// $Id: Hash.h 6219 2008-10-01 05:39:07Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#ifndef hash_h
+#define hash_h
+
+#include <stdlib.h>
+
+#include "BroString.h"
+
+#define UHASH_KEY_SIZE 32
+
+typedef unsigned int hash_t;
+
+typedef enum {
+	HASH_KEY_INT,
+	HASH_KEY_DOUBLE,
+	HASH_KEY_STRING
+#define NUM_HASH_KEYS (int(HASH_KEY_STRING) + 1)
+} HashKeyTag;
+
+class HashKey {
+public:
+	HashKey(bro_int_t i);
+	HashKey(bro_uint_t u);
+#ifdef USE_INT64
+	HashKey(uint32 u);
+#endif
+	HashKey(const uint32 u[], int n);
+	HashKey(double d);
+	HashKey(const void* p);
+	HashKey(const char* s);
+	HashKey(const BroString* s);
+	~HashKey()
+		{
+		if ( is_our_dynamic )
+			delete [] (char *) key;
+		}
+
+	// Create a HashKey given all of its components.  "key" is assumed
+	// to be dynamically allocated and to now belong to this HashKey
+	// (to delete upon destruct'ing).  If "copy_key" is true, it's
+	// first copied.
+	//
+	// The calling sequence here is unusual (normally key would be
+	// first) to avoid possible ambiguities with the next constructor,
+	// which is the more commonly used one.
+	HashKey(int copy_key, void* key, int size);
+
+	// Same, but automatically copies the key.
+	HashKey(const void* key, int size, hash_t hash);
+
+	// Builds a key from the given chunk of bytes.
+	HashKey(const void* bytes, int size);
+
+	// Create a Hashkey given all of its components *without*
+	// copying the key and *without* taking ownership.  Note that
+	// "dont_copy" is a type placeholder to differentiate this member
+	// function from the one above; its value is not used.
+	HashKey(const void* key, int size, hash_t hash, bool dont_copy);
+
+	// Hands over the key to the caller.  This means that if the
+	// key is our dynamic, we give it to the caller and mark it
+	// as not our dynamic.  If initially it's not our dynamic,
+	// we give them a copy of it.
+	void* TakeKey();
+
+	const void* Key() const	{ return key; }
+	int Size() const	{ return size; }
+	hash_t Hash() const	{ return hash; }
+
+	unsigned int MemoryAllocation() const	{ return padded_sizeof(*this) + pad_size(size); }
+
+	static hash_t HashBytes(const void* bytes, int size);
+protected:
+	void* CopyKey(const void* key, int size) const;
+
+	union {
+		bro_int_t i;
+#ifdef USE_INT64
+		uint32 u32;
+#endif
+		double d;
+		const void* p;
+	} key_u;
+
+	void* key;
+	int is_our_dynamic;
+	int size, hash;
+};
+
+extern int hash_cnt_all, hash_cnt_uhash;
+extern void init_hash_function();
+
+#endif
diff --git a/src/ICMP.cc b/src/ICMP.cc
new file mode 100644
index 0000000000..d73a9a781e
--- /dev/null
+++ b/src/ICMP.cc
@@ -0,0 +1,351 @@
+// $Id: ICMP.cc 6219 2008-10-01 05:39:07Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "config.h"
+
+#include "Net.h"
+#include "NetVar.h"
+#include "Event.h"
+#include "ICMP.h"
+
+ICMP_Analyzer::ICMP_Analyzer(Connection* c)
+: TransportLayerAnalyzer(AnalyzerTag::ICMP, c)
+	{
+	icmp_conn_val = 0;
+	c->SetInactivityTimeout(icmp_inactivity_timeout);
+	request_len = reply_len = -1;
+	}
+
+ICMP_Analyzer::ICMP_Analyzer(AnalyzerTag::Tag tag, Connection* c)
+: TransportLayerAnalyzer(tag, c)
+	{
+	icmp_conn_val = 0;
+	c->SetInactivityTimeout(icmp_inactivity_timeout);
+	request_len = reply_len = -1;
+	}
+
+void ICMP_Analyzer::Done()
+	{
+	TransportLayerAnalyzer::Done();
+	Unref(icmp_conn_val);
+	matcher_state.FinishEndpointMatcher();
+	}
+
+void ICMP_Analyzer::DeliverPacket(int arg_len, const u_char* data,
+			bool is_orig, int seq, const IP_Hdr* ip, int caplen)
+	{
+	assert(ip);
+
+	TransportLayerAnalyzer::DeliverPacket(len, data, is_orig, seq, ip, caplen);
+
+	// We need the min() here because Ethernet frame padding can lead to
+	// caplen > len.
+	if ( packet_contents )
+		// Subtract off the common part of ICMP header.
+		PacketContents(data + 8, min(len, caplen) - 8);
+
+	const struct icmp* icmpp = (const struct icmp*) data;
+	len = arg_len;
+
+	if ( ! ignore_checksums && caplen >= len &&
+	     icmp_checksum(icmpp, len) != 0xffff )
+		{
+		Weird("bad_ICMP_checksum");
+		return;
+		}
+
+	Conn()->SetLastTime(current_timestamp);
+
+	if ( rule_matcher )
+		{
+		if ( ! matcher_state.MatcherInitialized(is_orig) )
+			matcher_state.InitEndpointMatcher(this, ip, len, is_orig, 0);
+		}
+
+	type = icmpp->icmp_type;
+	code = icmpp->icmp_code;
+
+	// Move past common portion of ICMP header.
+	data += 8;
+	caplen -= 8;
+	len -= 8;
+
+	int& len_stat = is_orig ? request_len : reply_len;
+	if ( len_stat < 0 )
+		len_stat = len;
+	else
+		len_stat += len;
+
+	NextICMP(current_timestamp, icmpp, len, caplen, data);
+
+	if ( rule_matcher )
+		matcher_state.Match(Rule::PAYLOAD, data, len, is_orig,
+					false, false, true);
+	}
+
+void ICMP_Analyzer::NextICMP(double /* t */, const struct icmp* /* icmpp */,
+				int /* len */, int /* caplen */,
+				const u_char*& /* data */)
+	{
+	ICMPEvent(icmp_sent);
+	}
+
+void ICMP_Analyzer::ICMPEvent(EventHandlerPtr f)
+	{
+	if ( ! f )
+		return;
+
+	val_list* vl = new val_list;
+	vl->append(BuildConnVal());
+	vl->append(BuildICMPVal());
+
+	ConnectionEvent(f, vl);
+	}
+
+RecordVal* ICMP_Analyzer::BuildICMPVal()
+	{
+	if ( ! icmp_conn_val )
+		{
+		icmp_conn_val = new RecordVal(icmp_conn);
+
+		icmp_conn_val->Assign(0, new AddrVal(Conn()->OrigAddr()));
+		icmp_conn_val->Assign(1, new AddrVal(Conn()->RespAddr()));
+		icmp_conn_val->Assign(2, new Val(type, TYPE_COUNT));
+		icmp_conn_val->Assign(3, new Val(code, TYPE_COUNT));
+		icmp_conn_val->Assign(4, new Val(len, TYPE_COUNT));
+		}
+
+	Ref(icmp_conn_val);
+
+	return icmp_conn_val;
+	}
+
+RecordVal* ICMP_Analyzer::ExtractICMPContext(int len, const u_char*& data)
+	{
+	const struct ip* ip = (const struct ip *) data;
+	uint32 ip_hdr_len = ip->ip_hl * 4;
+
+	uint32 ip_len, frag_offset;
+	TransportProto proto = TRANSPORT_UNKNOWN;
+	int DF, MF, bad_hdr_len, bad_checksum;
+	uint32 src_addr, dst_addr;
+	uint32 src_port, dst_port;
+
+	if ( ip_hdr_len < sizeof(struct ip) || ip_hdr_len > uint32(len) )
+		{ // We don't have an entire IP header.
+		bad_hdr_len = 1;
+		ip_len = frag_offset = 0;
+		DF = MF = bad_checksum = 0;
+		src_addr = dst_addr = 0;
+		src_port = dst_port = 0;
+		}
+
+	else
+		{
+		bad_hdr_len = 0;
+		ip_len = ntohs(ip->ip_len);
+		bad_checksum = ones_complement_checksum((void*) ip, ip_hdr_len, 0) != 0xffff;
+
+		src_addr = uint32(ip->ip_src.s_addr);
+		dst_addr = uint32(ip->ip_dst.s_addr);
+
+		switch ( ip->ip_p ) {
+		case 1:		proto = TRANSPORT_ICMP; break;
+		case 6:		proto = TRANSPORT_TCP; break;
+		case 17:	proto = TRANSPORT_UDP; break;
+
+		// Default uses TRANSPORT_UNKNOWN, per initialization above.
+		}
+
+		uint32 frag_field = ntohs(ip->ip_off);
+		DF = frag_field & 0x4000;
+		MF = frag_field & 0x2000;
+		frag_offset = frag_field & /* IP_OFFMASK not portable */ 0x1fff;
+		const u_char* transport_hdr = ((u_char *) ip + ip_hdr_len);
+
+		if ( uint32(len) < ip_hdr_len + 4 )
+			{
+			// 4 above is the magic number meaning that both
+			// port numbers are included in the ICMP.
+			bad_hdr_len = 1;
+			src_port = dst_port = 0;
+			}
+
+		switch ( proto ) {
+		case TRANSPORT_ICMP:
+			{
+			const struct icmp* icmpp =
+				(const struct icmp *) transport_hdr;
+			bool is_one_way;	// dummy
+			src_port = ntohs(icmpp->icmp_type);
+			dst_port = ntohs(ICMP_counterpart(icmpp->icmp_type,
+							icmpp->icmp_code,
+							is_one_way));
+			}
+			break;
+
+		case TRANSPORT_TCP:
+			{
+			const struct tcphdr* tp =
+				(const struct tcphdr *) transport_hdr;
+			src_port = ntohs(tp->th_sport);
+			dst_port = ntohs(tp->th_dport);
+			}
+			break;
+
+		case TRANSPORT_UDP:
+			{
+			const struct udphdr* up =
+				(const struct udphdr *) transport_hdr;
+			src_port = ntohs(up->uh_sport);
+			dst_port = ntohs(up->uh_dport);
+			}
+			break;
+
+		default:
+			src_port = dst_port = ntohs(0);
+		}
+		}
+
+	RecordVal* iprec = new RecordVal(icmp_context);
+	RecordVal* id_val = new RecordVal(conn_id);
+
+	id_val->Assign(0, new AddrVal(src_addr));
+	id_val->Assign(1, new PortVal(src_port, proto));
+	id_val->Assign(2, new AddrVal(dst_addr));
+	id_val->Assign(3, new PortVal(dst_port, proto));
+	iprec->Assign(0, id_val);
+
+	iprec->Assign(1, new Val(ip_len, TYPE_COUNT));
+	iprec->Assign(2, new Val(proto, TYPE_COUNT));
+	iprec->Assign(3, new Val(frag_offset, TYPE_COUNT));
+	iprec->Assign(4, new Val(bad_hdr_len, TYPE_BOOL));
+	iprec->Assign(5, new Val(bad_checksum, TYPE_BOOL));
+	iprec->Assign(6, new Val(MF, TYPE_BOOL));
+	iprec->Assign(7, new Val(DF, TYPE_BOOL));
+
+	return iprec;
+	}
+
+bool ICMP_Analyzer::IsReuse(double /* t */, const u_char* /* pkt */)
+	{
+	return 0;
+	}
+
+void ICMP_Analyzer::Describe(ODesc* d) const
+	{
+	d->Add(Conn()->StartTime());
+	d->Add("(");
+	d->Add(Conn()->LastTime());
+	d->AddSP(")");
+
+	d->Add(dotted_addr(Conn()->OrigAddr()));
+	d->Add(".");
+	d->Add(type);
+	d->Add(".");
+	d->Add(code);
+
+	d->SP();
+	d->AddSP("->");
+
+	d->Add(dotted_addr(Conn()->RespAddr()));
+	}
+
+void ICMP_Analyzer::UpdateEndpointVal(RecordVal* endp, int is_orig)
+	{
+	Conn()->EnableStatusUpdateTimer();
+
+	int size = is_orig ? request_len : reply_len;
+	if ( size < 0 )
+		{
+		endp->Assign(0, new Val(0, TYPE_COUNT));
+		endp->Assign(1, new Val(int(ICMP_INACTIVE), TYPE_COUNT));
+		}
+
+	else
+		{
+		endp->Assign(0, new Val(size, TYPE_COUNT));
+		endp->Assign(1, new Val(int(ICMP_ACTIVE), TYPE_COUNT));
+		}
+	}
+
+unsigned int ICMP_Analyzer::MemoryAllocation() const
+	{
+	return Analyzer::MemoryAllocation()
+		+ padded_sizeof(*this) - padded_sizeof(Connection)
+		+ (icmp_conn_val ? icmp_conn_val->MemoryAllocation() : 0);
+	}
+
+ICMP_Echo_Analyzer::ICMP_Echo_Analyzer(Connection* c)
+: ICMP_Analyzer(AnalyzerTag::ICMP_Echo, c)
+	{
+	}
+
+void ICMP_Echo_Analyzer::NextICMP(double t, const struct icmp* icmpp, int len,
+					 int caplen, const u_char*& data)
+	{
+	EventHandlerPtr f = type == ICMP_ECHO ? icmp_echo_request : icmp_echo_reply;
+	if ( ! f )
+		return;
+
+	int iid = ntohs(icmpp->icmp_hun.ih_idseq.icd_id);
+	int iseq = ntohs(icmpp->icmp_hun.ih_idseq.icd_seq);
+
+	BroString* payload = new BroString(data, caplen, 0);
+
+	val_list* vl = new val_list;
+	vl->append(BuildConnVal());
+	vl->append(BuildICMPVal());
+	vl->append(new Val(iid, TYPE_COUNT));
+	vl->append(new Val(iseq, TYPE_COUNT));
+	vl->append(new StringVal(payload));
+
+	ConnectionEvent(f, vl);
+	}
+
+
+void ICMP_Context_Analyzer::NextICMP(double t, const struct icmp* icmpp,
+				int len, int caplen, const u_char*& data)
+	{
+	EventHandlerPtr f = 0;
+	switch ( type ) {
+	case ICMP_UNREACH: f = icmp_unreachable; break;
+	case ICMP_TIMXCEED: f = icmp_time_exceeded; break;
+	}
+
+	if ( f )
+		{
+		val_list* vl = new val_list;
+		vl->append(BuildConnVal());
+		vl->append(BuildICMPVal());
+		vl->append(new Val(code, TYPE_COUNT));
+		vl->append(ExtractICMPContext(caplen, data));
+
+		ConnectionEvent(f, vl);
+		}
+	}
+
+
+int ICMP_counterpart(int icmp_type, int icmp_code, bool& is_one_way)
+	{
+	is_one_way = false;
+
+	// return the counterpart type if one exists.  This allows us
+	// to track corresponding ICMP requests/replies.
+	// Note that for the two-way ICMP messages, icmp_code is
+	// always 0 (RFC 792).
+	switch ( icmp_type ) {
+	case ICMP_ECHO:			return ICMP_ECHOREPLY;
+	case ICMP_ECHOREPLY:		return ICMP_ECHO;
+	case ICMP_TSTAMP:		return ICMP_TSTAMPREPLY;
+	case ICMP_TSTAMPREPLY:		return ICMP_TSTAMP;
+	case ICMP_IREQ:			return ICMP_IREQREPLY;
+	case ICMP_IREQREPLY:		return ICMP_IREQ;
+	case ICMP_ROUTERSOLICIT:	return ICMP_ROUTERADVERT;
+	case ICMP_MASKREQ:		return ICMP_MASKREPLY;
+	case ICMP_MASKREPLY:		return ICMP_MASKREQ;
+
+	default:			is_one_way = true; return icmp_code;
+	}
+	}
diff --git a/src/ICMP.h b/src/ICMP.h
new file mode 100644
index 0000000000..43921f1aac
--- /dev/null
+++ b/src/ICMP.h
@@ -0,0 +1,118 @@
+// $Id: ICMP.h 6219 2008-10-01 05:39:07Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#ifndef icmp_h
+#define icmp_h
+
+#include "Analyzer.h"
+
+typedef enum {
+	ICMP_INACTIVE,	// no packet seen
+	ICMP_ACTIVE,	// packets seen
+} ICMP_EndpointState;
+
+// We do not have an PIA for ICMP (yet) and therefore derive from
+// RuleMatcherState to perform our own matching.
+class ICMP_Analyzer : public TransportLayerAnalyzer {
+public:
+	ICMP_Analyzer(Connection* conn);
+
+	static Analyzer* InstantiateAnalyzer(Connection* conn)
+		{ return new ICMP_Analyzer(conn); }
+
+	static bool Available()	{ return true; }
+
+protected:
+	ICMP_Analyzer()	{ }
+	ICMP_Analyzer(AnalyzerTag::Tag tag, Connection* conn);
+
+	virtual void Done();
+	virtual void DeliverPacket(int len, const u_char* data, bool orig,
+					int seq, const IP_Hdr* ip, int caplen);
+	virtual void UpdateEndpointVal(RecordVal* endp, int is_orig);
+	virtual bool IsReuse(double t, const u_char* pkt);
+	virtual unsigned int MemoryAllocation() const;
+
+	void ICMPEvent(EventHandlerPtr f);
+	void Describe(ODesc* d) const;
+
+	RecordVal* BuildICMPVal();
+
+	virtual void NextICMP(double t, const struct icmp* icmpp,
+				int len, int caplen, const u_char*& data);
+
+	RecordVal* ExtractICMPContext(int len, const u_char*& data);
+
+	RecordVal* icmp_conn_val;
+	int type;
+	int code;
+	int len;
+
+	int request_len, reply_len;
+
+	RuleMatcherState matcher_state;
+};
+
+class ICMP_Echo_Analyzer : public ICMP_Analyzer {
+public:
+	ICMP_Echo_Analyzer(Connection* conn);
+
+	static Analyzer* InstantiateAnalyzer(Connection* conn)
+		{ return new ICMP_Echo_Analyzer(conn); }
+
+	static bool Available()	{ return icmp_echo_request || icmp_echo_reply; }
+
+protected:
+	ICMP_Echo_Analyzer()	{ }
+
+	virtual void NextICMP(double t, const struct icmp* icmpp,
+	                      int len, int caplen, const u_char*& data);
+};
+
+class ICMP_Context_Analyzer : public ICMP_Analyzer {
+public:
+	ICMP_Context_Analyzer(AnalyzerTag::Tag tag, Connection* conn)
+		: ICMP_Analyzer(tag, conn)	{ }
+
+protected:
+	ICMP_Context_Analyzer()	{ }
+
+	virtual void NextICMP(double t, const struct icmp* icmpp,
+	                      int len, int caplen, const u_char*& data);
+};
+
+class ICMP_TimeExceeded_Analyzer : public ICMP_Context_Analyzer {
+public:
+	ICMP_TimeExceeded_Analyzer(Connection* conn)
+		: ICMP_Context_Analyzer(AnalyzerTag::ICMP_TimeExceeded, conn)	{ }
+
+	static Analyzer* InstantiateAnalyzer(Connection* conn)
+		{ return new ICMP_TimeExceeded_Analyzer(conn); }
+
+	static bool Available() { return icmp_time_exceeded; }
+
+protected:
+	ICMP_TimeExceeded_Analyzer()	{ }
+};
+
+class ICMP_Unreachable_Analyzer : public ICMP_Context_Analyzer {
+public:
+	ICMP_Unreachable_Analyzer(Connection* conn)
+		: ICMP_Context_Analyzer(AnalyzerTag::ICMP_Unreachable, conn)	{ }
+
+	static Analyzer* InstantiateAnalyzer(Connection* conn)
+		{ return new ICMP_Unreachable_Analyzer(conn); }
+
+	static bool Available() { return icmp_unreachable; }
+
+protected:
+	ICMP_Unreachable_Analyzer()	{ }
+};
+
+
+// Returns the counterpart type to the given type (e.g., the counterpart
+// to ICMP_ECHOREPLY is ICMP_ECHO).
+extern int ICMP_counterpart(int icmp_type, int icmp_code, bool& is_one_way);
+
+#endif
diff --git a/src/ID.cc b/src/ID.cc
new file mode 100644
index 0000000000..c908a8c3c4
--- /dev/null
+++ b/src/ID.cc
@@ -0,0 +1,617 @@
+// $Id: ID.cc 6724 2009-06-07 09:23:03Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "config.h"
+
+#include "ID.h"
+#include "Expr.h"
+#include "Dict.h"
+#include "EventRegistry.h"
+#include "Func.h"
+#include "Scope.h"
+#include "File.h"
+#include "Serializer.h"
+#include "RemoteSerializer.h"
+#include "PersistenceSerializer.h"
+#include "Scope.h"
+#include "Traverse.h"
+
+ID::ID(const char* arg_name, IDScope arg_scope, bool arg_is_export)
+	{
+	name = copy_string(arg_name);
+	scope = arg_scope;
+	is_export = arg_is_export;
+	type = 0;
+	val = 0;
+	attrs = 0;
+	is_const = 0;
+	is_enum_const = 0;
+	is_type = 0;
+	offset = 0;
+
+	infer_return_type = false;
+	weak_ref = false;
+
+	SetLocationInfo(&start_location, &end_location);
+	}
+
+ID::~ID()
+	{
+	delete [] name;
+	Unref(type);
+	Unref(attrs);
+
+	if ( ! weak_ref )
+		Unref(val);
+	}
+
+string ID::ModuleName() const
+	{
+	return extract_module_name(name);
+	}
+
+void ID::ClearVal()
+	{
+	if ( ! weak_ref )
+		Unref(val);
+
+	val = 0;
+	}
+
+void ID::SetVal(Val* v, Opcode op, bool arg_weak_ref)
+	{
+	if ( op != OP_NONE )
+		{
+		if ( type && val && type->Tag() == TYPE_TABLE &&
+		     val->AsTableVal()->FindAttr(ATTR_MERGEABLE) &&
+		     v->AsTableVal()->FindAttr(ATTR_MERGEABLE) )
+			{
+			StateAccess::Log(new StateAccess(OP_ASSIGN, this,
+								v, val));
+			v->AsTableVal()->AddTo(val->AsTableVal(), 0, false);
+			return;
+			}
+
+		MutableVal::Properties props = 0;
+
+		if ( attrs && attrs->FindAttr(ATTR_SYNCHRONIZED) )
+			props |= MutableVal::SYNCHRONIZED;
+
+		if ( attrs && attrs->FindAttr(ATTR_PERSISTENT) )
+			props |= MutableVal::PERSISTENT;
+
+		if ( attrs && attrs->FindAttr(ATTR_TRACKED) )
+			props |= MutableVal::TRACKED;
+
+		if ( props )
+			{
+			if ( v->IsMutableVal() )
+				v->AsMutableVal()->AddProperties(props);
+			}
+
+#ifndef DEBUG
+		if ( props )
+#else
+		if ( debug_logger.IsVerbose() || props )
+#endif
+			StateAccess::Log(new StateAccess(op, this, v, val));
+		}
+
+	if ( ! weak_ref )
+		Unref(val);
+
+	val = v;
+	weak_ref = arg_weak_ref;
+
+#ifdef DEBUG
+	UpdateValID();
+#endif
+
+	if ( type && val &&
+	     type->Tag() == TYPE_FUNC && type->AsFuncType()->IsEvent() )
+		{
+		EventHandler* handler = event_registry->Lookup(name);
+		if ( ! handler )
+			{
+			handler = new EventHandler(name);
+			handler->SetLocalHandler(val->AsFunc());
+			event_registry->Register(handler);
+			}
+		else
+			{
+			// Otherwise, internally defined events cannot
+			// have local handler.
+			handler->SetLocalHandler(val->AsFunc());
+			}
+		}
+	}
+
+void ID::SetVal(Val* v, init_class c)
+	{
+	if ( c == INIT_NONE || c == INIT_FULL )
+		{
+		SetVal(v);
+		return;
+		}
+
+	if ( type->Tag() != TYPE_TABLE &&
+	     (type->Tag() != TYPE_PATTERN || c == INIT_REMOVE) )
+		{
+		if ( c == INIT_EXTRA )
+			Error("+= initializer only applies to tables, sets and patterns", v);
+		else
+			Error("-= initializer only applies to tables and sets", v);
+		}
+
+	else
+		{
+		if ( c == INIT_EXTRA )
+			{
+			if ( ! val )
+				{
+				SetVal(v);
+				return;
+				}
+			else
+				v->AddTo(val, 0);
+			}
+		else
+			{
+			if ( val )
+				v->RemoveFrom(val);
+			}
+		}
+
+	Unref(v);
+	}
+
+void ID::SetVal(Expr* ev, init_class c)
+	{
+	Attr* a = attrs->FindAttr(c == INIT_EXTRA ?
+					ATTR_ADD_FUNC : ATTR_DEL_FUNC);
+
+	if ( ! a )
+		Internal("no add/delete function in ID::SetVal");
+
+	EvalFunc(a->AttrExpr(), ev);
+	}
+
+void ID::SetAttrs(Attributes* a)
+	{
+	Unref(attrs);
+	attrs = 0;
+	AddAttrs(a);
+	}
+
+void ID::UpdateValAttrs()
+	{
+	if ( ! attrs )
+		return;
+
+	MutableVal::Properties props = 0;
+
+	if ( val && val->IsMutableVal() )
+		{
+		if ( attrs->FindAttr(ATTR_SYNCHRONIZED) )
+			props |= MutableVal::SYNCHRONIZED;
+
+		if ( attrs->FindAttr(ATTR_PERSISTENT) )
+			props |= MutableVal::PERSISTENT;
+
+		if ( attrs->FindAttr(ATTR_TRACKED) )
+			props |= MutableVal::TRACKED;
+
+		val->AsMutableVal()->AddProperties(props);
+		}
+
+	if ( ! IsInternalGlobal() )
+		{
+		if ( attrs->FindAttr(ATTR_SYNCHRONIZED) )
+			remote_serializer->Register(this);
+
+		if ( attrs->FindAttr(ATTR_PERSISTENT) )
+			persistence_serializer->Register(this);
+		}
+
+	if ( val && val->Type()->Tag() == TYPE_TABLE )
+		val->AsTableVal()->SetAttrs(attrs);
+
+	if ( val && val->Type()->Tag() == TYPE_FILE )
+		val->AsFile()->SetAttrs(attrs);
+
+	if ( Type()->Tag() == TYPE_FUNC )
+		{
+		Attr* attr = attrs->FindAttr(ATTR_GROUP);
+		if ( attr )
+			{
+			Val* group = attr->AttrExpr()->ExprVal();
+			if ( group )
+				{
+				if ( group->Type()->Tag() == TYPE_STRING )
+					event_registry->SetGroup(Name(), group->AsString()->CheckString());
+				else
+					Error("&group attribute takes string");
+				}
+			}
+		}
+	}
+
+void ID::AddAttrs(Attributes* a)
+	{
+	if ( attrs )
+		attrs->AddAttrs(a);
+	else
+		attrs = a;
+
+	UpdateValAttrs();
+	}
+
+void ID::RemoveAttr(attr_tag a)
+	{
+	if ( attrs )
+		attrs->RemoveAttr(a);
+
+	if ( val && val->IsMutableVal() )
+		{
+		MutableVal::Properties props = 0;
+
+		if ( a == ATTR_SYNCHRONIZED )
+			props |= MutableVal::SYNCHRONIZED;
+
+		if ( a == ATTR_PERSISTENT )
+			props |= MutableVal::PERSISTENT;
+
+		if ( a == ATTR_TRACKED )
+			props |= MutableVal::TRACKED;
+
+		val->AsMutableVal()->RemoveProperties(props);
+		}
+	}
+
+void ID::EvalFunc(Expr* ef, Expr* ev)
+	{
+	Expr* arg1 = new ConstExpr(val->Ref());
+	ListExpr* args = new ListExpr();
+	args->Append(arg1);
+	args->Append(ev->Ref());
+
+	CallExpr* ce = new CallExpr(ef->Ref(), args);
+
+	SetVal(ce->Eval(0));
+	Unref(ce);
+	}
+
+bool ID::Serialize(SerialInfo* info) const
+	{
+	return (ID*) SerialObj::Serialize(info);
+	}
+
+#if 0
+void ID::CopyFrom(const ID* id)
+	{
+	is_export = id->is_export;
+	is_const = id->is_const;
+	is_enum_const = id->is_enum_const;
+	is_type = id->is_type;
+	offset = id->offset ;
+	infer_return_type = id->infer_return_type;
+
+	if ( FindAttr(ATTR_PERSISTENT) )
+		persistence_serializer->Unregister(this);
+
+	if ( id->type )
+		Ref(id->type);
+	if ( id->val && ! id->weak_ref )
+		Ref(id->val);
+	if ( id->attrs )
+		Ref(id->attrs);
+
+	Unref(type);
+	Unref(attrs);
+	if ( ! weak_ref )
+		Unref(val);
+
+	type = id->type;
+	val = id->val;
+	attrs = id->attrs;
+	weak_ref = id->weak_ref;
+
+#ifdef DEBUG
+	UpdateValID();
+#endif
+
+	if ( FindAttr(ATTR_PERSISTENT) )
+		persistence_serializer->Unregister(this);
+	}
+#endif
+
+ID* ID::Unserialize(UnserialInfo* info)
+	{
+	ID* id = (ID*) SerialObj::Unserialize(info, SER_ID);
+	if ( ! id )
+		return 0;
+
+	if ( ! id->IsGlobal() )
+		return id;
+
+	// Globals.
+	ID* current = global_scope()->Lookup(id->name);
+
+	if ( ! current )
+		{
+		if ( ! info->install_globals )
+			{
+			info->s->Error("undefined");
+			Unref(id);
+			return 0;
+			}
+
+		Ref(id);
+		global_scope()->Insert(id->Name(), id);
+#ifdef USE_PERFTOOLS
+		heap_checker->IgnoreObject(id);
+#endif
+		}
+
+	else
+		{
+		if ( info->id_policy != UnserialInfo::InstantiateNew )
+			{
+			persistence_serializer->Unregister(current);
+			remote_serializer->Unregister(current);
+			}
+
+		switch ( info->id_policy ) {
+
+		case UnserialInfo::Keep:
+			Unref(id);
+			Ref(current);
+			id = current;
+			break;
+
+		case UnserialInfo::Replace:
+			Unref(current);
+			Ref(id);
+			global_scope()->Insert(id->Name(), id);
+			break;
+
+		case UnserialInfo::CopyNewToCurrent:
+			if ( ! same_type(current->type, id->type) )
+				{
+				info->s->Error("type mismatch");
+				Unref(id);
+				return 0;
+				}
+
+			if ( ! current->weak_ref )
+				Unref(current->val);
+
+			current->val = id->val;
+			current->weak_ref = id->weak_ref;
+			if ( current->val && ! current->weak_ref )
+				Ref(current->val);
+
+#ifdef DEBUG
+			current->UpdateValID();
+#endif
+
+			Unref(id);
+			Ref(current);
+			id = current;
+
+		break;
+
+		case UnserialInfo::CopyCurrentToNew:
+			if ( ! same_type(current->type, id->type) )
+				{
+				info->s->Error("type mismatch");
+				return 0;
+				}
+			if ( ! id->weak_ref )
+				Unref(id->val);
+			id->val = current->val;
+			id->weak_ref = current->weak_ref;
+			if ( id->val && ! id->weak_ref )
+				Ref(id->val);
+
+#ifdef DEBUG
+			id->UpdateValID();
+#endif
+
+			Unref(current);
+			Ref(id);
+			global_scope()->Insert(id->Name(), id);
+			break;
+
+		case UnserialInfo::InstantiateNew:
+			// Do nothing.
+			break;
+
+		default:
+			internal_error("unknown type for UnserialInfo::id_policy");
+
+		}
+		}
+
+	if ( id->FindAttr(ATTR_PERSISTENT) )
+		persistence_serializer->Register(id);
+
+	if ( id->FindAttr(ATTR_SYNCHRONIZED) )
+		remote_serializer->Register(id);
+
+	return id;
+
+	}
+
+IMPLEMENT_SERIAL(ID, SER_ID);
+
+bool ID::DoSerialize(SerialInfo* info) const
+	{
+	DO_SERIALIZE_WITH_SUSPEND(SER_ID, BroObj);
+
+	if ( info->cont.NewInstance() )
+		{
+		DisableSuspend suspend(info);
+
+		info->s->WriteOpenTag("ID");
+
+		if ( ! (SERIALIZE(name) &&
+			SERIALIZE(char(scope)) &&
+			SERIALIZE(is_export) &&
+			SERIALIZE(is_const) &&
+			SERIALIZE(is_enum_const) &&
+			SERIALIZE(is_type) &&
+			SERIALIZE(offset) &&
+			SERIALIZE(infer_return_type) &&
+			SERIALIZE(weak_ref) &&
+			type->Serialize(info)) )
+			return false;
+
+		SERIALIZE_OPTIONAL(attrs);
+		}
+
+	SERIALIZE_OPTIONAL(val);
+
+	return true;
+	}
+
+bool ID::DoUnserialize(UnserialInfo* info)
+	{
+	bool installed_tmp = false;
+
+	DO_UNSERIALIZE(BroObj);
+
+	char id_scope;
+
+	if ( ! (UNSERIALIZE_STR(&name, 0) &&
+		UNSERIALIZE(&id_scope) &&
+		UNSERIALIZE(&is_export) &&
+		UNSERIALIZE(&is_const) &&
+		UNSERIALIZE(&is_enum_const) &&
+		UNSERIALIZE(&is_type) &&
+		UNSERIALIZE(&offset) &&
+		UNSERIALIZE(&infer_return_type) &&
+		UNSERIALIZE(&weak_ref)
+	       ) )
+		return false;
+
+	scope = IDScope(id_scope);
+
+	info->s->SetErrorDescr(fmt("unserializing ID %s", name));
+
+	type = BroType::Unserialize(info);
+	if ( ! type )
+		return false;
+
+	UNSERIALIZE_OPTIONAL(attrs, Attributes::Unserialize(info));
+
+	// If it's a global function not currently known,
+	// we temporarily install it in global scope.
+	// This is necessary for recursive functions.
+	if ( IsGlobal() && Type()->Tag() == TYPE_FUNC )
+		{
+		ID* current = global_scope()->Lookup(name);
+		if ( ! current )
+			{
+			installed_tmp = true;
+			global_scope()->Insert(Name(), this);
+			}
+		}
+
+	UNSERIALIZE_OPTIONAL(val, Val::Unserialize(info));
+#ifdef DEBUG
+	UpdateValID();
+#endif
+
+	if ( weak_ref )
+		{
+		// At this point at least the serialization cache will hold a
+		// reference so this will not delete the val.
+		assert(val->RefCnt() > 1);
+		Unref(val);
+		}
+
+	if ( installed_tmp && ! global_scope()->Remove(name) )
+		internal_error("tmp id missing");
+
+	return true;
+	}
+
+TraversalCode ID::Traverse(TraversalCallback* cb) const
+	{
+	TraversalCode tc = cb->PreID(this);
+	HANDLE_TC_STMT_PRE(tc);
+
+	if ( is_type )
+		{
+		tc = cb->PreTypedef(this);
+		HANDLE_TC_STMT_PRE(tc);
+
+		tc = cb->PostTypedef(this);
+		HANDLE_TC_STMT_PRE(tc);
+		}
+
+	// FIXME: Perhaps we should be checking at other than global scope.
+	else if ( val && IsFunc(val->Type()->Tag()) &&
+		  cb->current_scope == global_scope() )
+		{
+		tc = val->AsFunc()->Traverse(cb);
+		HANDLE_TC_STMT_PRE(tc);
+		}
+
+	else if ( ! is_enum_const )
+		{
+		tc = cb->PreDecl(this);
+		HANDLE_TC_STMT_PRE(tc);
+
+		tc = cb->PostDecl(this);
+		HANDLE_TC_STMT_PRE(tc);
+		}
+
+	tc = cb->PostID(this);
+	HANDLE_TC_EXPR_POST(tc);
+	}
+
+void ID::Error(const char* msg, const BroObj* o2)
+	{
+	BroObj::Error(msg, o2, 1);
+	SetType(error_type());
+	}
+
+void ID::Describe(ODesc* d) const
+	{
+	d->Add(name);
+	}
+
+void ID::DescribeExtended(ODesc* d) const
+	{
+	d->Add(name);
+
+	if ( type )
+		{
+		d->Add(" : ");
+		type->Describe(d);
+		}
+
+	if ( val )
+		{
+		d->Add(" = ");
+		val->Describe(d);
+		}
+
+	if ( attrs )
+		{
+		d->Add(" ");
+		attrs->Describe(d);
+		}
+	}
+
+#ifdef DEBUG
+void ID::UpdateValID()
+	{
+	if ( IsGlobal() && val && name && name[0] != '#' )
+		val->SetID(this);
+	}
+#endif
+
diff --git a/src/ID.h b/src/ID.h
new file mode 100644
index 0000000000..f576232b0e
--- /dev/null
+++ b/src/ID.h
@@ -0,0 +1,122 @@
+// $Id: ID.h 6219 2008-10-01 05:39:07Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#ifndef id_h
+#define id_h
+
+#include "Type.h"
+#include "Attr.h"
+#include "StateAccess.h"
+#include "TraverseTypes.h"
+#include <string>
+
+class Val;
+class SerialInfo;
+
+typedef enum { INIT_NONE, INIT_FULL, INIT_EXTRA, INIT_REMOVE, } init_class;
+typedef enum { SCOPE_FUNCTION, SCOPE_MODULE, SCOPE_GLOBAL } IDScope;
+
+class ID : public BroObj {
+public:
+	ID(const char* name, IDScope arg_scope, bool arg_is_export);
+	~ID();
+
+	const char* Name() const	{ return name; }
+
+	int Scope() const		{ return scope; }
+	bool IsGlobal() const           { return scope != SCOPE_FUNCTION; }
+
+	bool IsExport() const           { return is_export; }
+
+	string ModuleName() const;
+
+	void SetType(BroType* t)	{ Unref(type); type = t; }
+	BroType* Type()			{ return type; }
+
+	void MakeType()			{ is_type = 1; }
+	BroType* AsType()		{ return is_type ? Type() : 0; }
+
+	// If weak_ref is false, the Val is assumed to be already ref'ed
+	// and will be deref'ed when the ID is deleted.
+	//
+	// If weak_ref is true, we store the Val but don't ref/deref it.
+	// That means that when the ID becomes the only one holding a
+	// reference to the Val, the Val will be destroyed (naturally,
+	// you have to take care that it will not be accessed via
+	// the ID afterwards).
+	void SetVal(Val* v, Opcode op = OP_ASSIGN, bool weak_ref = false);
+
+	void SetVal(Val* v, init_class c);
+	void SetVal(Expr* ev, init_class c);
+
+	int HasVal() const		{ return val != 0; }
+	Val* ID_Val()			{ return val; }
+	const Val* ID_Val() const	{ return val; }
+	void ClearVal();
+
+	void SetConst()			{ is_const = 1; }
+	int IsConst() const		{ return is_const; }
+
+	void SetEnumConst()		{ is_enum_const = 1; }
+	int IsEnumConst() const		{ return is_enum_const; }
+
+	void SetOffset(int arg_offset)	{ offset = arg_offset; }
+	int Offset() const		{ return offset; }
+
+	int IsRedefinable() const	{ return FindAttr(ATTR_REDEF) != 0; }
+
+	// Returns true if ID is one of those internal globally unique IDs
+	// to which MutableVals are bound (there name start with a '#').
+	bool IsInternalGlobal() const	{ return name && name[0] == '#'; }
+
+	void SetAttrs(Attributes* attr);
+	void AddAttrs(Attributes* attr);
+	void RemoveAttr(attr_tag a);
+	void UpdateValAttrs();
+	Attributes* Attrs() const	{ return attrs; }
+
+	Attr* FindAttr(attr_tag t) const
+		{ return attrs ? attrs->FindAttr(t) : 0; }
+
+	void Error(const char* msg, const BroObj* o2 = 0);
+
+	void Describe(ODesc* d) const;
+	// Adds type and value to description.
+	void DescribeExtended(ODesc* d) const;
+
+	bool Serialize(SerialInfo* info) const;
+	static ID* Unserialize(UnserialInfo* info);
+
+	bool DoInferReturnType()        { return infer_return_type; }
+	void SetInferReturnType(bool infer)
+	        { infer_return_type = infer; }
+
+	virtual TraversalCode Traverse(TraversalCallback* cb) const;
+
+protected:
+	ID()	{ name = 0; type = 0; val = 0; attrs = 0; }
+
+	void CheckAttr(Attr* attr);
+	void EvalFunc(Expr* ef, Expr* ev);
+
+#ifdef DEBUG
+	void UpdateValID();
+#endif
+
+	DECLARE_SERIAL(ID);
+
+	const char* name;
+	IDScope scope;
+	bool is_export;
+	BroType* type;
+	int is_const, is_enum_const, is_type;
+	int offset;
+	Val* val;
+	Attributes* attrs;
+
+	bool infer_return_type;
+	bool weak_ref;
+};
+
+#endif
diff --git a/src/IOSource.cc b/src/IOSource.cc
new file mode 100644
index 0000000000..cc3ad8dbbd
--- /dev/null
+++ b/src/IOSource.cc
@@ -0,0 +1,176 @@
+// $Id: IOSource.cc 4771 2007-08-11 05:50:24Z vern $
+
+#include <sys/types.h>
+#include <sys/time.h>
+#include <unistd.h>
+#include <assert.h>
+
+#include "util.h"
+#include "IOSource.h"
+
+IOSourceRegistry io_sources;
+
+IOSourceRegistry::~IOSourceRegistry()
+	{
+	for ( SourceList::iterator i = sources.begin(); i != sources.end(); ++i )
+		delete *i;
+
+	sources.clear();
+	}
+
+void IOSourceRegistry::RemoveAll()
+	{
+	// We're cheating a bit here ...
+	dont_counts = sources.size();
+	}
+
+IOSource* IOSourceRegistry::FindSoonest(double* ts)
+	{
+	// Remove sources which have gone dry. For simplicity, we only
+	// remove at most one each time.
+	for ( SourceList::iterator i = sources.begin();
+	      i != sources.end(); ++i )
+		if ( ! (*i)->src->IsOpen() )
+			{
+			delete *i;
+			sources.erase(i);
+			break;
+			}
+
+	// Ideally, we would always call select on the fds to see which
+	// are ready, and return the soonest. Unfortunately, that'd mean
+	// one select-call per packet, which we can't afford in high-volume
+	// environments.  Thus, we call select only every SELECT_FREQUENCY
+	// call (or if all sources report that they are dry).
+
+	++call_count;
+
+	IOSource* soonest_src = 0;
+	double soonest_ts = 1e20;
+	double soonest_local_network_time = 1e20;
+	bool all_idle = true;
+
+	// Find soonest source of those which tell us they have something to
+	// process.
+	for ( SourceList::iterator i = sources.begin(); i != sources.end(); ++i )
+		{
+		if ( ! (*i)->src->IsIdle() )
+			{
+			all_idle = false;
+			double local_network_time = 0;
+			double ts = (*i)->src->NextTimestamp(&local_network_time);
+			if ( ts > 0 && ts < soonest_ts )
+				{
+				soonest_ts = ts;
+				soonest_src = (*i)->src;
+				soonest_local_network_time =
+					local_network_time ?
+						local_network_time : ts;
+				}
+			}
+		}
+
+	// If we found one and aren't going to select this time,
+	// return it.
+	int maxx = 0;
+
+	if ( soonest_src && (call_count % SELECT_FREQUENCY) != 0 )
+		goto finished;
+
+	// Select on the join of all file descriptors.
+	fd_set fd_read, fd_write, fd_except;
+
+	FD_ZERO(&fd_read);
+	FD_ZERO(&fd_write);
+	FD_ZERO(&fd_except);
+
+	for ( SourceList::iterator i = sources.begin();
+	      i != sources.end(); ++i )
+		{
+		Source* src = (*i);
+
+		if ( ! src->src->IsIdle() )
+			// No need to select on sources which we know to
+			// be ready.
+			continue;
+
+		src->fd_read = src->fd_write = src->fd_except = 0;
+		src->src->GetFds(&src->fd_read, &src->fd_write, &src->fd_except);
+
+		FD_SET(src->fd_read, &fd_read);
+		FD_SET(src->fd_write, &fd_write);
+		FD_SET(src->fd_except, &fd_except);
+
+		maxx = max(src->fd_read, maxx);
+		maxx = max(src->fd_write, maxx);
+		maxx = max(src->fd_except, maxx);
+		}
+
+	// We can't block indefinitely even when all sources are dry:
+	// we're doing some IOSource-independent stuff in the main loop,
+	// so we need to return from time to time. (Instead of no time-out
+	// at all, we use a very small one. This lets FreeBSD trigger a
+	// BPF buffer switch on the next read when the hold buffer is empty
+	// while the store buffer isn't filled yet.
+
+	struct timeval timeout;
+
+	if ( all_idle )
+		{
+		// Interesting: when all sources are dry, simply sleeping a
+		// bit *without* watching for any fd becoming ready may
+		// decrease CPU load. I guess that's because it allows
+		// the kernel's packet buffers to fill. - Robin
+		timeout.tv_sec = 0;
+		timeout.tv_usec = 20; // SELECT_TIMEOUT;
+		select(0, 0, 0, 0, &timeout);
+		}
+
+	if ( ! maxx )
+		// No selectable fd at all.
+		goto finished;
+
+	timeout.tv_sec = 0;
+	timeout.tv_usec = 0;
+
+	if ( select(maxx + 1, &fd_read, &fd_write, &fd_except, &timeout) > 0 )
+		{ // Find soonest.
+		for ( SourceList::iterator i = sources.begin();
+		      i != sources.end(); ++i )
+			{
+			Source* src = (*i);
+
+			if ( ! src->src->IsIdle() )
+				continue;
+
+			if ( FD_ISSET(src->fd_read, &fd_read) ||
+			     FD_ISSET(src->fd_write, &fd_write) ||
+			     FD_ISSET(src->fd_except, &fd_except) )
+				{
+				double local_network_time = 0;
+				double ts = src->src->NextTimestamp(&local_network_time);
+				if ( ts > 0.0 && ts < soonest_ts )
+					{
+					soonest_ts = ts;
+					soonest_src = src->src;
+					soonest_local_network_time =
+						local_network_time ?
+							local_network_time : ts;
+					}
+				}
+			}
+		}
+
+finished:
+	*ts = soonest_local_network_time;
+	return soonest_src;
+	}
+
+void IOSourceRegistry::Register(IOSource* src, bool dont_count)
+	{
+	Source* s = new Source;
+	s->src = src;
+	if ( dont_count )
+		++dont_counts;
+	return sources.push_back(s);
+	}
diff --git a/src/IOSource.h b/src/IOSource.h
new file mode 100644
index 0000000000..53057f3583
--- /dev/null
+++ b/src/IOSource.h
@@ -0,0 +1,105 @@
+// $Id: IOSource.h 6888 2009-08-20 18:23:11Z vern $
+//
+// Interface for classes providing/consuming data during Bro's main loop.
+
+#ifndef iosource_h
+#define iosource_h
+
+#include <list>
+#include "Timer.h"
+
+using namespace std;
+
+class IOSource {
+public:
+	IOSource()	{ idle = closed = false; }
+	virtual ~IOSource()	{}
+
+	// Returns true if source has nothing ready to process.
+	bool IsIdle() const	{ return idle; }
+
+	// Returns true if more data is to be expected in the future.
+	// Otherwise, source may be removed.
+	bool IsOpen() const	{ return ! closed; }
+
+	// Returns select'able fds (leaves args untouched if we don't have
+	// selectable fds).
+	virtual void GetFds(int* read, int* write, int* except) = 0;
+
+	// The following two methods are only called when either IsIdle()
+	// returns false or select() on one of the fds indicates that there's
+	// data to process.
+
+	// Returns timestamp (in global network time) associated with next
+	// data item.  If the source wants the data item to be processed
+	// with a local network time, it sets the argument accordingly.
+	virtual double NextTimestamp(double* network_time) = 0;
+
+	// Processes and consumes next data item.
+	virtual void Process() = 0;
+
+	// Returns tag of timer manager associated with last processed
+	// data item, nil for global timer manager.
+	virtual TimerMgr::Tag* GetCurrentTag()	{ return 0; }
+
+	// Returns a descriptual tag for debugging.
+	virtual const char* Tag() = 0;
+
+protected:
+	// Derived classed are to set this to true if they have gone dry
+	// temporarily.
+	bool idle;
+
+	// Derived classed are to set this to true if they have gone dry
+	// permanently.
+	bool closed;
+};
+
+class IOSourceRegistry {
+public:
+	IOSourceRegistry()	{ call_count = 0; dont_counts = 0; }
+	~IOSourceRegistry();
+
+	// If dont_count is true, this source does not contribute to the
+	// number of IOSources returned by Size().  The effect is that
+	// if all sources but the non-counting ones have gone dry,
+	// processing will shut down.
+	void Register(IOSource* src, bool dont_count = false);
+
+	// This may block for some time.
+	IOSource* FindSoonest(double* ts);
+
+	int Size() const	{ return sources.size() - dont_counts; }
+
+	// Terminate IOSource processing immediately by removing all
+	// sources (and therefore returning a Size() of zero).
+	void Terminate()	{ RemoveAll(); }
+
+protected:
+	// When looking for a source with something to process,
+	// every SELECT_FREQUENCY calls we will go ahead and
+	// block on a select().
+	static const int SELECT_FREQUENCY = 25;
+
+	// Microseconds to wait in an empty select if no source is ready.
+	static const int SELECT_TIMEOUT = 50;
+
+	void RemoveAll();
+
+	unsigned int call_count;
+	int dont_counts;
+
+	struct Source {
+		IOSource* src;
+		int fd_read;
+		int fd_write;
+		int fd_except;
+	};
+
+	typedef list<Source*> SourceList;
+	SourceList sources;
+};
+
+extern IOSourceRegistry io_sources;
+
+#endif
diff --git a/src/IP.h b/src/IP.h
new file mode 100644
index 0000000000..4f76ef50ed
--- /dev/null
+++ b/src/IP.h
@@ -0,0 +1,143 @@
+// $Id: IP.h 6219 2008-10-01 05:39:07Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#ifndef ip_h
+#define ip_h
+
+#include "config.h"
+
+#include <net_util.h>
+
+class IP_Hdr {
+public:
+	IP_Hdr(struct ip* arg_ip4)
+		{
+		ip4 = arg_ip4;
+		ip6 = 0;
+		del = 1;
+
+#ifdef BROv6
+		src_addr[0] = src_addr[1] = src_addr[2] = 0;
+		dst_addr[0] = dst_addr[1] = dst_addr[2] = 0;
+
+		src_addr[3] = ip4->ip_src.s_addr;
+		dst_addr[3] = ip4->ip_dst.s_addr;
+#endif
+		}
+
+	IP_Hdr(const struct ip* arg_ip4)
+		{
+		ip4 = arg_ip4;
+		ip6 = 0;
+		del = 0;
+
+#ifdef BROv6
+		src_addr[0] = src_addr[1] = src_addr[2] = 0;
+		dst_addr[0] = dst_addr[1] = dst_addr[2] = 0;
+
+		src_addr[3] = ip4->ip_src.s_addr;
+		dst_addr[3] = ip4->ip_dst.s_addr;
+#endif
+		}
+
+	IP_Hdr(struct ip6_hdr* arg_ip6)
+		{
+		ip4 = 0;
+		ip6 = arg_ip6;
+		del = 1;
+
+#ifdef BROv6
+		memcpy(src_addr, ip6->ip6_src.s6_addr, 16);
+		memcpy(dst_addr, ip6->ip6_dst.s6_addr, 16);
+#endif
+		}
+
+	IP_Hdr(const struct ip6_hdr* arg_ip6)
+		{
+		ip4 = 0;
+		ip6 = arg_ip6;
+		del = 0;
+
+#ifdef BROv6
+		memcpy(src_addr, ip6->ip6_src.s6_addr, 16);
+		memcpy(dst_addr, ip6->ip6_dst.s6_addr, 16);
+#endif
+		}
+
+	~IP_Hdr()
+		{
+		if ( del )
+			{
+			if ( ip4 )
+				delete [] (struct ip*) ip4;
+			else
+				delete [] (struct ip6_hdr*) ip6;
+			}
+		}
+
+	const struct ip* IP4_Hdr() const	{ return ip4; }
+	const struct ip6_hdr* IP6_Hdr() const	{ return ip6; }
+
+#ifdef BROv6
+	const uint32* SrcAddr() const	{ return src_addr; }
+	const uint32* DstAddr() const	{ return dst_addr; }
+#else
+	const uint32* SrcAddr() const
+		{ return ip4 ? &(ip4->ip_src.s_addr) : 0; }
+	const uint32* DstAddr() const
+		{ return ip4 ? &(ip4->ip_dst.s_addr) : 0; }
+#endif
+
+	uint32 SrcAddr4() const	{ return ip4->ip_src.s_addr; }
+	uint32 DstAddr4() const	{ return ip4->ip_dst.s_addr; }
+
+	uint16 ID4() const	{ return ip4 ? ip4->ip_id : 0; }
+
+	const u_char* Payload() const
+		{
+		if ( ip4 )
+			return ((const u_char*) ip4) + ip4->ip_hl * 4;
+		else
+			return ((const u_char*) ip6) + 40;
+		}
+
+	uint16 PayloadLen() const
+		{
+		if ( ip4 )
+			return ntohs(ip4->ip_len) - ip4->ip_hl * 4;
+		else
+			return ntohs(ip6->ip6_plen);
+		}
+
+	uint16 TotalLen() const
+		{
+		if ( ip4 )
+			return ntohs(ip4->ip_len);
+		else
+			return ntohs(ip6->ip6_plen) + 40;
+		}
+
+	uint16 HdrLen() const	{ return ip4 ? ip4->ip_hl * 4 : 40; }
+	unsigned char NextProto() const
+		{ return ip4 ? ip4->ip_p : ip6->ip6_nxt; }
+	unsigned char TTL() const
+		{ return ip4 ? ip4->ip_ttl : ip6->ip6_hlim; }
+	uint16 FragField() const
+		{ return ntohs(ip4 ? ip4->ip_off : 0); }
+	int DF() const
+		{ return ip4 ? ((ntohs(ip4->ip_off) & IP_DF) != 0) : 0; }
+	uint16 IP_ID() const
+		{ return ip4 ? (ntohs(ip4->ip_id)) : 0; }
+
+private:
+	const struct ip* ip4;
+	const struct ip6_hdr* ip6;
+#ifdef BROv6
+	uint32 src_addr[NUM_ADDR_WORDS];
+	uint32 dst_addr[NUM_ADDR_WORDS];
+#endif
+	int del;
+};
+
+#endif
diff --git a/src/IRC.cc b/src/IRC.cc
new file mode 100644
index 0000000000..78cc7b6edc
--- /dev/null
+++ b/src/IRC.cc
@@ -0,0 +1,1224 @@
+// $Id: IRC.cc 4582 2007-07-04 01:14:09Z vern $
+
+// An IRC analyzer contributed by Roland Gruber.
+
+#include <iostream>
+#include "IRC.h"
+#include "DPM.h"
+#include "ContentLine.h"
+#include "NetVar.h"
+#include "Event.h"
+#include "ZIP.h"
+
+
+IRC_Analyzer::IRC_Analyzer(Connection* conn)
+: TCP_ApplicationAnalyzer(AnalyzerTag::IRC, conn)
+	{
+	invalid_msg_count = 0;
+	invalid_msg_max_count = 20;
+	orig_status = WAIT_FOR_REGISTRATION;
+	resp_status = WAIT_FOR_REGISTRATION;
+	orig_zip_status = NO_ZIP;
+	resp_zip_status = NO_ZIP;
+	AddSupportAnalyzer(new ContentLine_Analyzer(conn, true));
+	AddSupportAnalyzer(new ContentLine_Analyzer(conn, false));
+	}
+
+bool IRC_Analyzer::Available()
+	{
+	static bool did_avail = false;
+	static bool avail = false;
+
+	if ( ! did_avail )
+		{
+		// It's a lot of events, but for consistency with other
+		// analyzers we need to check for all of them.
+		avail = irc_client || irc_server || irc_request || irc_reply ||
+			irc_message || irc_enter_message || irc_quit_message ||
+			irc_privmsg_message || irc_notice_message ||
+			irc_squery_message || irc_join_message ||
+			irc_part_message || irc_nick_message ||
+			irc_invalid_nick || irc_network_info ||
+			irc_server_info || irc_channel_info || irc_who_line ||
+			irc_who_message || irc_whois_message ||
+			irc_whois_user_line || irc_whois_operator_line ||
+			irc_whois_channel_line || irc_oper_message ||
+			irc_oper_response || irc_kick_message ||
+			irc_error_message || irc_invite_message ||
+			irc_mode_message || irc_squit_message ||
+			irc_names_info || irc_dcc_message ||
+			irc_global_users || irc_user_message ||
+			irc_channel_topic || irc_password_message;
+
+		did_avail = true;
+		}
+
+	return avail;
+	}
+
+void IRC_Analyzer::Done()
+	{
+	TCP_ApplicationAnalyzer::Done();
+	}
+
+void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
+	{
+	TCP_ApplicationAnalyzer::DeliverStream(length, line, orig);
+
+	// check line size
+	if ( length > 512 )
+		{
+		Weird("irc_line_size_exceeded");
+		return;
+		}
+
+	if ( length < 2 )
+		{
+		Weird("irc_line_too_short");
+		return;
+		}
+
+	string myline = string((const char*) line);
+
+	// Check for prefix.
+	string prefix = "";
+	if ( line[0] == ':' )
+		{ // find end of prefix and extract it
+		unsigned int pos = myline.find(' ');
+		if ( pos > (unsigned int) length )
+			{
+			Weird("irc_invalid_line");
+			return;
+			}
+
+		prefix = myline.substr(1, pos - 1);
+		myline = myline.substr(pos + 1);  // remove prefix from line
+		}
+
+
+	if ( orig )
+		{
+		ProtocolConfirmation();
+		if ( irc_client )
+			{
+			val_list* vl = new val_list;
+			vl->append(BuildConnVal());
+			vl->append(new StringVal(prefix.c_str()));
+			vl->append(new StringVal(myline.c_str()));
+			ConnectionEvent(irc_client, vl);
+			}
+		}
+	else
+		{
+		if ( irc_server )
+			{
+			val_list* vl = new val_list;
+			vl->append(BuildConnVal());
+			vl->append(new StringVal(prefix.c_str()));
+			vl->append(new StringVal(myline.c_str()));
+			ConnectionEvent(irc_server, vl);
+			}
+		}
+
+	int code = 0;
+	string command = "";
+
+	// Check if line is long enough to include status code or command.
+	if ( myline.size() < 4 )
+		{
+		Weird("irc_invalid_line");
+		ProtocolViolation("line too short");
+		return;
+		}
+
+	// Check if this is a server reply.
+	if ( isdigit(myline[0]) )
+		{
+		if ( isdigit(myline[1]) && isdigit(myline[2]) &&
+		     myline[3] == ' ')
+			{
+			code = (myline[0] - '0') * 100 +
+				(myline[1] - '0') * 10 + (myline[2] - '0');
+			myline = myline.substr(4);
+			}
+		else
+			{
+			Weird("irc_invalid_reply_number");
+			ProtocolViolation("invalid reply number");
+			return;
+			}
+		}
+	else
+		{ // get command
+		unsigned int pos = myline.find(' ');
+		if ( pos > (unsigned int) length )
+			{
+			Weird("irc_invalid_line");
+			return;
+			}
+
+		command = myline.substr(0, pos);
+		for ( unsigned int i = 0; i < command.size(); ++i )
+			command[i] = toupper(command[i]);
+
+		myline = myline.substr(pos + 1);
+		}
+
+	// Extract parameters.
+	string params = myline;
+
+	// Check for Server2Server - connections with ZIP enabled.
+	if ( orig && orig_status == WAIT_FOR_REGISTRATION )
+		{
+		if ( command == "PASS" )
+			{
+			vector<string> p = SplitWords(params,' ');
+			if ( p.size() > 3 &&
+			     (p[3].find('Z')<=p[3].size() ||
+			      p[3].find('z')<=p[3].size()) )
+				orig_zip_status = ACCEPT_ZIP;
+			else
+			        orig_zip_status = NO_ZIP;
+			}
+
+		// We do not check if SERVER command is successful, since
+		// the connection will be terminated by the server if
+		// authentication fails.
+		//
+		// (### This seems not quite prudent to me - VP)
+		if ( command == "SERVER" && prefix == "")
+		        {
+			orig_status = REGISTERED;
+			}
+		}
+
+	if ( ! orig && resp_status == WAIT_FOR_REGISTRATION )
+		{
+		if ( command == "PASS" )
+		        {
+			vector<string> p = SplitWords(params,' ');
+			if ( p.size() > 3 &&
+			     (p[3].find('Z')<=p[3].size() ||
+			      p[3].find('z')<=p[3].size()) )
+			        resp_zip_status = ACCEPT_ZIP;
+			else
+			        resp_zip_status = NO_ZIP;
+
+			}
+
+		// Again, don't bother checking whether SERVER command
+		// is successful.
+		if ( command == "SERVER" && prefix == "")
+			resp_status = REGISTERED;
+		}
+
+	// Analyze server reply messages.
+	if ( code > 0 )
+		{
+		switch ( code ) {
+		// Ignore unimportant messages.
+		case 1: // RPL_WELCOME
+		case 2: // RPL_YOURHOST
+		case 3: // RPL_CREATED
+		case 4: // RPL_MYINFO
+		case 5: // RPL_BOUNCE
+		case 252: // number of ops online
+		case 253: // number of unknown connections
+		case 265: // RPL_LOCALUSERS
+		case 312: // whois server reply
+		case 315: // end of who list
+		case 317: // whois idle reply
+		case 318: // end of whois list
+		case 366: // end of names list
+		case 372: // RPL_MOTD
+		case 375: // RPL_MOTDSTART
+		case 376: // RPL_ENDOFMOTD
+		case 331: // RPL_NOTOPIC
+			break;
+
+		// Count of users, services and servers in whole network.
+		case 251:
+			if ( ! irc_network_info )
+				break;
+
+			{
+			vector<string> parts = SplitWords(params, ' ');
+			int users = 0;
+			int services = 0;
+			int servers = 0;
+
+			for ( unsigned int i = 1; i < parts.size(); ++i )
+				{
+				if ( parts[i] == "users" )
+					users = atoi(parts[i-1].c_str());
+				else if ( parts[i] == "services" )
+					services = atoi(parts[i-1].c_str());
+				else if ( parts[i] == "servers" )
+					servers = atoi(parts[i-1].c_str());
+				// else ###
+				}
+
+			val_list* vl = new val_list;
+			vl->append(BuildConnVal());
+			vl->append(new Val(users, TYPE_INT));
+			vl->append(new Val(services, TYPE_INT));
+			vl->append(new Val(servers, TYPE_INT));
+
+			ConnectionEvent(irc_network_info, vl);
+			}
+			break;
+
+		// List of users in a channel (names command).
+		case 353:
+			if ( ! irc_names_info )
+				break;
+
+			{
+			vector<string> parts = SplitWords(params, ' ');
+
+			// Remove nick name.
+			parts.erase(parts.begin());
+			if ( parts.size() < 2 )
+				{
+				Weird("irc_invalid_names_line");
+				return;
+				}
+
+			string type = parts[0];
+			string channel = parts[1];
+
+			// Remove type and channel.
+			parts.erase(parts.begin());
+			parts.erase(parts.begin());
+
+			if ( parts.size() > 0 && parts[0][0] == ':' )
+				parts[0] = parts[0].substr(1);
+
+			val_list* vl = new val_list;
+			vl->append(BuildConnVal());
+			vl->append(new StringVal(type.c_str()));
+			vl->append(new StringVal(channel.c_str()));
+
+			TableVal* set = new TableVal(string_set);
+			for ( unsigned int i = 0; i < parts.size(); ++i )
+				{
+				if ( parts[i][0] == '@' )
+					parts[i] = parts[i].substr(1);
+				set->Assign(new StringVal(parts[i].c_str()), 0);
+				}
+			vl->append(set);
+
+			ConnectionEvent(irc_names_info, vl);
+			}
+			break;
+
+		// Count of users and services on this server.
+		case 255:
+			if ( ! irc_server_info )
+				break;
+
+			{
+			vector<string> parts = SplitWords(params, ' ');
+			int users = 0;
+			int services = 0;
+			int servers = 0;
+
+			for ( unsigned int i = 1; i < parts.size(); ++i )
+				{
+				if ( parts[i] == "users," )
+					users = atoi(parts[i-1].c_str());
+				else if ( parts[i] == "clients" )
+					users = atoi(parts[i-1].c_str());
+				else if ( parts[i] == "services" )
+					services = atoi(parts[i-1].c_str());
+				else if ( parts[i] == "servers" )
+					servers = atoi(parts[i-1].c_str());
+				// else ###
+				}
+
+			val_list* vl = new val_list;
+			vl->append(BuildConnVal());
+			vl->append(new Val(users, TYPE_INT));
+			vl->append(new Val(services, TYPE_INT));
+			vl->append(new Val(servers, TYPE_INT));
+
+			ConnectionEvent(irc_server_info, vl);
+			}
+			break;
+
+		// Count of channels.
+		case 254:
+			if ( ! irc_channel_info )
+				break;
+
+			{
+			vector<string> parts = SplitWords(params, ' ');
+			int channels = 0;
+			for ( unsigned int i = 1; i < parts.size(); ++i )
+				if ( parts[i] == ":channels" )
+					channels = atoi(parts[i - 1].c_str());
+
+			val_list* vl = new val_list;
+			vl->append(BuildConnVal());
+			vl->append(new Val(channels, TYPE_INT));
+
+			ConnectionEvent(irc_channel_info, vl);
+			}
+			break;
+
+		// RPL_GLOBALUSERS
+		case 266:
+			{
+			// FIXME: We should really streamline all this
+			// parsing code ...
+			if ( ! irc_global_users )
+				break;
+
+			const char* prefix = params.c_str();
+
+			const char* eop = strchr(prefix, ' ');
+			if ( ! eop )
+				{
+				Weird("invalid_irc_global_users_reply");
+				break;
+				}
+
+			const char *msg = strchr(++eop, ':');
+			if ( ! msg )
+				{
+				Weird("invalid_irc_global_users_reply");
+				break;
+				}
+
+			val_list* vl = new val_list;
+			vl->append(BuildConnVal());
+			vl->append(new StringVal(eop - prefix, prefix));
+			vl->append(new StringVal(++msg));
+			ConnectionEvent(irc_global_users, vl);
+			break;
+			}
+
+		// WHOIS user reply line.
+		case 311:
+			if ( ! irc_whois_user_line )
+				break;
+
+			{
+			vector<string> parts = SplitWords(params, ' ');
+
+			if ( parts.size() > 1 )
+				parts.erase(parts.begin());
+			if ( parts.size() < 5 )
+				{
+				Weird("irc_invalid_whois_user_line");
+				return;
+				}
+
+			val_list* vl = new val_list;
+			vl->append(BuildConnVal());
+			vl->append(new StringVal(parts[0].c_str()));
+			vl->append(new StringVal(parts[1].c_str()));
+			vl->append(new StringVal(parts[2].c_str()));
+
+			parts.erase(parts.begin(), parts.begin() + 4);
+
+			string real_name = parts[0];
+			for ( unsigned int i = 1; i < parts.size(); ++i )
+				real_name = real_name + " " + parts[i];
+
+			if ( real_name[0] == ':' )
+				real_name = real_name.substr(1);
+
+			vl->append(new StringVal(real_name.c_str()));
+
+			ConnectionEvent(irc_whois_user_line, vl);
+			}
+			break;
+
+		// WHOIS operator reply line.
+		case 313:
+			if ( ! irc_whois_operator_line )
+				break;
+
+			{
+			vector<string> parts = SplitWords(params, ' ');
+
+			if ( parts.size() > 1 )
+				parts.erase(parts.begin());
+
+			if ( parts.size() < 2 )
+				{
+				Weird("irc_invalid_whois_operator_line");
+				return;
+				}
+
+			val_list* vl = new val_list;
+			vl->append(BuildConnVal());
+			vl->append(new StringVal(parts[0].c_str()));
+
+			ConnectionEvent(irc_whois_operator_line, vl);
+			}
+			break;
+
+		// WHOIS channel reply.
+		case 319:
+			if ( ! irc_whois_channel_line )
+				break;
+
+			{
+			vector<string> parts = SplitWords(params, ' ');
+
+			// Remove nick name.
+			parts.erase(parts.begin());
+			if ( parts.size() < 2 )
+				{
+				Weird("irc_invalid_whois_channel_line");
+				return;
+				}
+
+			string nick = parts[0];
+			parts.erase(parts.begin());
+
+			if ( parts.size() > 0 && parts[0][0] == ':' )
+				parts[0] = parts[0].substr(1);
+
+			val_list* vl = new val_list;
+			vl->append(BuildConnVal());
+			vl->append(new StringVal(nick.c_str()));
+			TableVal* set = new TableVal(string_set);
+			for ( unsigned int i = 0; i < parts.size(); ++i )
+				{
+				Val* idx = new StringVal(parts[i].c_str());
+				set->Assign(idx, 0);
+				Unref(idx);
+				}
+
+			vl->append(set);
+
+			ConnectionEvent(irc_whois_channel_line, vl);
+			}
+			break;
+
+		// RPL_TOPIC reply.
+		case 332:
+			{
+			if ( ! irc_channel_topic )
+				break;
+
+			vector<string> parts = SplitWords(params, ' ');
+			if ( parts.size() < 4 )
+				{
+				Weird("irc_invalid_topic_reply");
+				return;
+				}
+
+			unsigned int pos = params.find(':');
+			if ( pos < params.size() )
+				{
+				string topic = params.substr(pos + 1);
+				val_list* vl = new val_list;
+
+				vl->append(BuildConnVal());
+				vl->append(new StringVal(parts[1].c_str()));
+
+				const char* t = topic.c_str();
+				if ( *t == ':' )
+					++t;
+
+				vl->append(new StringVal(t));
+
+				ConnectionEvent(irc_channel_topic, vl);
+				}
+			else
+				{
+				Weird("irc_invalid_topic_reply");
+				return;
+				}
+			break;
+			}
+
+		// WHO reply line.
+		case 352:
+			if ( ! irc_who_line )
+				break;
+
+			{
+			vector<string> parts = SplitWords(params, ' ');
+			if ( parts.size() < 9 )
+				{
+				Weird("irc_invalid_who_line");
+				return;
+				}
+
+			val_list* vl = new val_list;
+			vl->append(BuildConnVal());
+			vl->append(new StringVal(parts[0].c_str()));
+			vl->append(new StringVal(parts[1].c_str()));
+			if ( parts[2][0] == '~' )
+				parts[2] = parts[2].substr(1);
+			vl->append(new StringVal(parts[2].c_str()));
+			vl->append(new StringVal(parts[3].c_str()));
+			vl->append(new StringVal(parts[4].c_str()));
+			vl->append(new StringVal(parts[5].c_str()));
+			vl->append(new StringVal(parts[6].c_str()));
+			if ( parts[7][0] == ':' )
+				parts[7] = parts[7].substr(1);
+			vl->append(new Val(atoi(parts[7].c_str()), TYPE_INT));
+			vl->append(new StringVal(parts[8].c_str()));
+
+			ConnectionEvent(irc_who_line, vl);
+			}
+			break;
+
+		// Invalid nick name.
+		case 431:
+		case 432:
+		case 433:
+		case 436:
+			if ( irc_invalid_nick )
+				{
+				val_list* vl = new val_list;
+				vl->append(BuildConnVal());
+				ConnectionEvent(irc_invalid_nick, vl);
+				}
+			break;
+
+		// Operator responses.
+		case 381:  // User is operator
+		case 491:  // user is not operator
+			if ( irc_oper_response )
+				{
+				val_list* vl = new val_list;
+				vl->append(BuildConnVal());
+				vl->append(new Val(code == 381, TYPE_BOOL));
+				ConnectionEvent(irc_oper_response, vl);
+				}
+			break;
+
+		// All other server replies.
+		default:
+			val_list* vl = new val_list;
+			vl->append(BuildConnVal());
+			vl->append(new StringVal(prefix.c_str()));
+			vl->append(new Val(code, TYPE_COUNT));
+			vl->append(new StringVal(params.c_str()));
+
+			ConnectionEvent(irc_reply, vl);
+			break;
+		}
+		return;
+		}
+
+	// Check if command is valid.
+	if ( command.size() > 20 )
+		{
+		Weird("irc_invalid_command");
+		if ( ++invalid_msg_count > invalid_msg_max_count )
+			{
+			Weird("irc_too_many_invalid");
+			ProtocolViolation("too many long lines");
+			return;
+			}
+		return;
+		}
+
+	else if ( irc_privmsg_message && command == "PRIVMSG")
+		{
+		unsigned int pos = params.find(' ');
+		if ( pos >= params.size() )
+			{
+			Weird("irc_invalid_privmsg_message_format");
+			return;
+			}
+
+		string target = params.substr(0, pos);
+		string message = params.substr(pos + 1);
+
+		if ( message.size() > 0 && message[0] == ':' )
+			message = message.substr(1);
+		if ( message.size() > 0 && message[0] == 1 )
+			message = message.substr(1); // DCC
+
+		// Check for DCC messages.
+		if ( message.size() > 3 && message.substr(0, 3) == "DCC" )
+			{
+			if ( message.size() > 0 &&
+			     message[message.size() - 1] == 1 )
+				message = message.substr(0, message.size() - 1);
+
+			vector<string> parts = SplitWords(message, ' ');
+			if ( parts.size() < 5 || parts.size() > 6 )
+				{
+				Weird("irc_invalid_dcc_message_format");
+				return;
+				}
+
+			// Calculate IP address.
+			uint32 raw_ip = 0;
+			for ( unsigned int i = 0; i < parts[3].size(); ++i )
+				{
+				string s = parts[3].substr(i, 1);
+				raw_ip = (10 * raw_ip) + atoi(s.c_str());
+				}
+
+			val_list* vl = new val_list;
+			vl->append(BuildConnVal());
+			vl->append(new StringVal(prefix.c_str()));
+			vl->append(new StringVal(target.c_str()));
+			vl->append(new StringVal(parts[1].c_str()));
+			vl->append(new StringVal(parts[2].c_str()));
+			vl->append(new AddrVal(htonl(raw_ip)));
+			vl->append(new Val(atoi(parts[4].c_str()), TYPE_INT));
+			if ( parts.size() == 6 )
+				vl->append(new Val(atoi(parts[5].c_str()),
+							TYPE_INT));
+			else
+				vl->append(new Val(0, TYPE_INT));
+
+			ConnectionEvent(irc_dcc_message, vl);
+			}
+
+		else
+			{
+			val_list* vl = new val_list;
+			vl->append(BuildConnVal());
+			vl->append(new StringVal(prefix.c_str()));
+			vl->append(new StringVal(target.c_str()));
+			vl->append(new StringVal(message.c_str()));
+
+			ConnectionEvent(irc_privmsg_message, vl);
+			}
+		}
+
+	else if ( irc_notice_message && command == "NOTICE" )
+		{
+		unsigned int pos = params.find(' ');
+		if ( pos >= params.size() )
+			{
+			Weird("irc_invalid_notice_message_format");
+			return;
+			}
+
+		string target = params.substr(0, pos);
+		string message = params.substr(pos + 1);
+		if ( message[0] == ':' )
+			message = message.substr(1);
+
+		val_list* vl = new val_list;
+		vl->append(BuildConnVal());
+		vl->append(new StringVal(prefix.c_str()));
+		vl->append(new StringVal(target.c_str()));
+		vl->append(new StringVal(message.c_str()));
+
+		ConnectionEvent(irc_notice_message, vl);
+		}
+
+	else if ( irc_squery_message && command == "SQUERY" )
+		{
+		unsigned int pos = params.find(' ');
+		if ( pos >= params.size() )
+			{
+			Weird("irc_invalid_squery_message_format");
+			return;
+			}
+
+		string target = params.substr(0, pos);
+		string message = params.substr(pos + 1);
+		if ( message[0] == ':' )
+			message = message.substr(1);
+
+		val_list* vl = new val_list;
+		vl->append(BuildConnVal());
+		vl->append(new StringVal(prefix.c_str()));
+		vl->append(new StringVal(target.c_str()));
+		vl->append(new StringVal(message.c_str()));
+
+		ConnectionEvent(irc_squery_message, vl);
+		}
+
+	else if ( irc_user_message && command == "USER" )
+		{
+		// extract username and real name
+		vector<string> parts = SplitWords(params, ' ');
+		val_list* vl = new val_list;
+		vl->append(BuildConnVal());
+
+		if ( parts.size() > 0 )
+			vl->append(new StringVal(parts[0].c_str()));
+		else vl->append(new StringVal(""));
+
+		if ( parts.size() > 1 )
+			vl->append(new StringVal(parts[1].c_str()));
+		else vl->append(new StringVal(""));
+
+		if ( parts.size() > 2 )
+			vl->append(new StringVal(parts[2].c_str()));
+		else vl->append(new StringVal(""));
+
+		string realname;
+		for ( unsigned int i = 3; i < parts.size(); i++ )
+			{
+			realname += parts[i];
+			if ( i > 3 )
+				realname += " ";
+			}
+
+		const char* name = realname.c_str();
+		vl->append(new StringVal(*name == ':' ? name + 1 : name));
+
+		ConnectionEvent(irc_user_message, vl);
+		}
+
+	else if ( irc_oper_message && command == "OPER" )
+		{
+		// extract username and password
+		vector<string> parts = SplitWords(params, ' ');
+		if ( parts.size() == 2 )
+			{
+			val_list* vl = new val_list;
+			vl->append(BuildConnVal());
+			vl->append(new StringVal(parts[0].c_str()));
+			vl->append(new StringVal(parts[1].c_str()));
+
+			ConnectionEvent(irc_oper_message, vl);
+			}
+
+		else
+			Weird("irc_invalid_oper_message_format");
+		}
+
+	else if ( irc_kick_message && command == "KICK" )
+		{
+		// Extract channels, users and comment.
+		vector<string> parts = SplitWords(params, ' ');
+		if ( parts.size() <= 1 )
+			{
+			Weird("irc_invalid_kick_message_format");
+			return;
+			}
+
+		val_list* vl = new val_list;
+		vl->append(BuildConnVal());
+		vl->append(new StringVal(prefix.c_str()));
+		vl->append(new StringVal(parts[0].c_str()));
+		vl->append(new StringVal(parts[1].c_str()));
+		if ( parts.size() > 2 )
+			{
+			string comment = parts[2];
+			for ( unsigned int i = 3; i < parts.size(); ++i )
+				comment += " " + parts[i];
+
+			if ( comment[0] == ':' )
+				comment = comment.substr(1);
+
+			vl->append(new StringVal(comment.c_str()));
+			}
+		else
+			vl->append(new StringVal(""));
+
+		ConnectionEvent(irc_kick_message, vl);
+		}
+
+	else if ( irc_join_message && command == "JOIN" )
+		{
+		if ( params[0] == ':' )
+			params = params.substr(1);
+
+		vector<string> parts = SplitWords(params, ' ');
+
+		if ( parts.size() < 1 )
+			{
+			Weird("irc_invalid_join_line");
+			return;
+			}
+
+		string nickname = "";
+		if ( prefix.size() > 0 )
+			{
+			unsigned int pos = prefix.find('!');
+			if ( pos < prefix.size() )
+				nickname = prefix.substr(0, pos);
+			}
+
+		val_list* vl = new val_list;
+		vl->append(BuildConnVal());
+
+		TableVal* list = new TableVal(irc_join_list);
+		vector<string> channels = SplitWords(parts[0], ',');
+		vector<string> passwords;
+
+		if ( parts.size() > 1 )
+			passwords = SplitWords(parts[1], ',');
+
+		string empty_string = "";
+		for ( unsigned int i = 0; i < channels.size(); ++i )
+			{
+			RecordVal* info = new RecordVal(irc_join_info);
+			info->Assign(0, new StringVal(nickname.c_str()));
+			info->Assign(1, new StringVal(channels[i].c_str()));
+			if ( i < passwords.size() )
+				info->Assign(2, new StringVal(passwords[i].c_str()));
+			else
+				info->Assign(2, new StringVal(empty_string.c_str()));
+			// User mode.
+			info->Assign(3, new StringVal(empty_string.c_str()));
+			list->Assign(info, 0);
+			Unref(info);
+			}
+
+		vl->append(list);
+
+		ConnectionEvent(irc_join_message, vl);
+		}
+
+	else if ( irc_join_message && command == "NJOIN" )
+		{
+		vector<string> parts = SplitWords(params, ' ');
+		if ( parts.size() != 2 )
+			{
+			Weird("irc_invalid_njoin_line");
+			return;
+			}
+
+		string channel = parts[0];
+		if ( parts[1][0] == ':' )
+			parts[1] = parts[1].substr(1);
+
+		vector<string> users = SplitWords(parts[1], ',');
+
+		val_list* vl = new val_list;
+		vl->append(BuildConnVal());
+
+		TableVal* list = new TableVal(irc_join_list);
+		string empty_string = "";
+
+		for ( unsigned int i = 0; i < users.size(); ++i )
+			{
+			RecordVal* info = new RecordVal(irc_join_info);
+			string nick = users[i];
+			string mode = "none";
+
+			if ( nick[0] == '@' )
+				{
+				if ( nick[1] == '@' )
+					{
+					nick = nick.substr(2);
+					mode = "creator";
+					}
+				else
+					{
+					nick = nick.substr(1);
+					mode = "operator";
+					}
+				}
+
+			else if ( nick[0] == '+' )
+				{
+				nick = nick.substr(1);
+				mode = "voice";
+				}
+
+			info->Assign(0, new StringVal(nick.c_str()));
+			info->Assign(1, new StringVal(channel.c_str()));
+			// Password:
+			info->Assign(2, new StringVal(empty_string.c_str()));
+			// User mode:
+			info->Assign(3, new StringVal(mode.c_str()));
+			list->Assign(info, 0);
+			Unref(info);
+			}
+
+		vl->append(list);
+
+		ConnectionEvent(irc_join_message, vl);
+		}
+
+	else if ( irc_part_message && command == "PART" )
+		{
+		string channels = params;
+		string message = "";
+		unsigned int pos = params.find(' ');
+
+		if ( pos < params.size() )
+			{
+			channels = params.substr(0, pos);
+			if ( params.size() > pos + 1 )
+				message = params.substr(pos + 1);
+			if ( message[0] == ':' )
+				message = message.substr(1);
+			}
+
+		string nick = prefix;
+		pos = nick.find('!');
+		if ( pos < nick.size() )
+			nick = nick.substr(0, pos);
+
+		vector<string> channelList = SplitWords(channels, ',');
+		TableVal* set = new TableVal(string_set);
+
+		for ( unsigned int i = 0; i < channelList.size(); ++i )
+			{
+			Val* idx = new StringVal(channelList[i].c_str());
+			set->Assign(idx, 0);
+			Unref(idx);
+			}
+
+		val_list* vl = new val_list;
+		vl->append(BuildConnVal());
+		vl->append(new StringVal(nick.c_str()));
+		vl->append(set);
+		vl->append(new StringVal(message.c_str()));
+
+		ConnectionEvent(irc_part_message, vl);
+		}
+
+	else if ( irc_quit_message && command == "QUIT" )
+		{
+		string message = params;
+		if ( message[0] == ':' )
+			message = message.substr(1);
+
+		string nickname = "";
+		if ( prefix.size() > 0 )
+			{
+			unsigned int pos = prefix.find('!');
+			if ( pos < prefix.size() )
+				nickname = prefix.substr(0, pos);
+			}
+
+		val_list* vl = new val_list;
+		vl->append(BuildConnVal());
+		vl->append(new StringVal(nickname.c_str()));
+		vl->append(new StringVal(message.c_str()));
+
+		ConnectionEvent(irc_quit_message, vl);
+		}
+
+	else if ( irc_nick_message && command == "NICK" )
+		{
+		string nick = params;
+		if ( nick[0] == ':' )
+			nick = nick.substr(1);
+
+		val_list* vl = new val_list;
+		vl->append(BuildConnVal());
+		vl->append(new StringVal(prefix.c_str()));
+		vl->append(new StringVal(nick.c_str()));
+
+		ConnectionEvent(irc_nick_message, vl);
+		}
+
+	else if ( irc_who_message && command == "WHO" )
+		{
+		vector<string> parts = SplitWords(params, ' ');
+		if ( parts.size() < 1 || parts.size() > 2 )
+			{
+			Weird("irc_invalid_who_message_format");
+			return;
+			}
+
+		bool oper = false;
+		if ( parts.size() == 2 && parts[1] == "o" )
+			oper = true;
+
+		// Remove ":" from mask.
+		if ( parts[0].size() > 0 && parts[0][0] == ':' )
+			parts[0] = parts[0].substr(1);
+
+		val_list* vl = new val_list;
+		vl->append(BuildConnVal());
+		vl->append(new StringVal(parts[0].c_str()));
+		vl->append(new Val(oper, TYPE_BOOL));
+
+		ConnectionEvent(irc_who_message, vl);
+		}
+
+	else if ( irc_whois_message && command == "WHOIS" )
+		{
+		vector<string> parts = SplitWords(params, ' ');
+		if ( parts.size() < 1 || parts.size() > 2 )
+			{
+			Weird("irc_invalid_whois_message_format");
+			return;
+			}
+
+		string server = "";
+		string users = "";
+
+		if ( parts.size() == 2 )
+			{
+			server = parts[0];
+			users = parts[1];
+			}
+		else
+			users = parts[0];
+
+		val_list* vl = new val_list;
+		vl->append(BuildConnVal());
+		vl->append(new StringVal(server.c_str()));
+		vl->append(new StringVal(users.c_str()));
+
+		ConnectionEvent(irc_whois_message, vl);
+		}
+
+	else if ( irc_error_message && command == "ERROR" )
+		{
+		val_list* vl = new val_list;
+		vl->append(BuildConnVal());
+		vl->append(new StringVal(prefix.c_str()));
+		if ( params[0] == ':' )
+			params = params.substr(1);
+		vl->append(new StringVal(params.c_str()));
+
+		ConnectionEvent(irc_error_message, vl);
+		}
+
+	else if ( irc_invite_message && command == "INVITE" )
+		{
+		vector<string> parts = SplitWords(params, ' ');
+		if ( parts.size() == 2 )
+			{ // remove ":" from channel
+			if ( parts[1].size() > 0 && parts[1][0] == ':' )
+				parts[1] = parts[1].substr(1);
+
+			val_list* vl = new val_list;
+			vl->append(BuildConnVal());
+			vl->append(new StringVal(prefix.c_str()));
+			vl->append(new StringVal(parts[0].c_str()));
+			vl->append(new StringVal(parts[1].c_str()));
+
+			ConnectionEvent(irc_invite_message, vl);
+			}
+		else
+			Weird("irc_invalid_invite_message_format");
+		}
+
+	else if ( irc_mode_message && command == "MODE" )
+		{
+		if ( params.size() > 0 )
+			{
+			val_list* vl = new val_list;
+			vl->append(BuildConnVal());
+			vl->append(new StringVal(prefix.c_str()));
+			vl->append(new StringVal(params.c_str()));
+
+			ConnectionEvent(irc_mode_message, vl);
+			}
+
+		else
+			Weird("irc_invalid_mode_message_format");
+		}
+
+	else if ( irc_password_message && command == "PASS" )
+		{
+		val_list* vl = new val_list;
+		vl->append(BuildConnVal());
+		vl->append(new StringVal(params.c_str()));
+		ConnectionEvent(irc_password_message, vl);
+		}
+
+	else if ( irc_squit_message && command == "SQUIT" )
+		{
+		string server = params;
+		string message = "";
+
+		unsigned int pos = params.find(' ');
+		if ( pos < params.size() )
+			{
+			server = params.substr(0, pos);
+			message = params.substr(pos + 1);
+			if ( message[0] == ':' )
+				message = message.substr(1);
+			}
+
+		val_list* vl = new val_list;
+		vl->append(BuildConnVal());
+		vl->append(new StringVal(prefix.c_str()));
+		vl->append(new StringVal(server.c_str()));
+		vl->append(new StringVal(message.c_str()));
+
+		ConnectionEvent(irc_squit_message, vl);
+		}
+
+
+	else if ( orig )
+		{
+		if ( irc_request )
+			{
+			val_list* vl = new val_list;
+			vl->append(BuildConnVal());
+			vl->append(new StringVal(prefix.c_str()));
+			vl->append(new StringVal(command.c_str()));
+			vl->append(new StringVal(params.c_str()));
+
+			ConnectionEvent(irc_request, vl);
+			}
+		}
+
+	else
+		{
+		if ( irc_message )
+			{
+			val_list* vl = new val_list;
+			vl->append(BuildConnVal());
+			vl->append(new StringVal(prefix.c_str()));
+			vl->append(new StringVal(command.c_str()));
+			vl->append(new StringVal(params.c_str()));
+
+			ConnectionEvent(irc_message, vl);
+			}
+		}
+
+	if ( orig_status == REGISTERED && resp_status == REGISTERED &&
+	     orig_zip_status == ACCEPT_ZIP && resp_zip_status == ACCEPT_ZIP )
+		{
+#ifdef HAVE_LIBZ
+		orig_zip_status = ZIP_LOADED;
+		resp_zip_status = ZIP_LOADED;
+		AddSupportAnalyzer(new ZIP_Analyzer(Conn(), true));
+		AddSupportAnalyzer(new ZIP_Analyzer(Conn(), false));
+#else
+		run_time("IRC analyzer lacking libz support");
+		Remove();
+#endif
+		}
+
+	return;
+	}
+
+vector<string> IRC_Analyzer::SplitWords(const string input, const char split)
+	{
+	vector<string> words;
+
+	if ( input.size() < 1 )
+		return words;
+
+	unsigned int start = 0;
+	unsigned int split_pos = 0;
+
+	// Ignore split-characters at the line beginning.
+	while ( input[start] == split )
+		{
+		++start;
+		++split_pos;
+		}
+
+	string word = "";
+	while ( (split_pos = input.find(split, start)) < input.size() )
+		{
+		word = input.substr(start, split_pos - start);
+		if ( word.size() > 0 && word[0] != split )
+			words.push_back(word);
+
+		start = split_pos + 1;
+		}
+
+	// Add line end if needed.
+	if ( start < input.size() )
+		{
+		word = input.substr(start, input.size() - start);
+		words.push_back(word);
+		}
+
+	return words;
+	}
diff --git a/src/IRC.h b/src/IRC.h
new file mode 100644
index 0000000000..fb6e9869ae
--- /dev/null
+++ b/src/IRC.h
@@ -0,0 +1,67 @@
+// $Id: IRC.h 4582 2007-07-04 01:14:09Z vern $
+
+// An IRC analyzer contributed by Roland Gruber.
+
+#ifndef irc_h
+#define irc_h
+#include "TCP.h"
+
+/**
+* \brief Main class for analyzing IRC traffic.
+*/
+class IRC_Analyzer : public TCP_ApplicationAnalyzer {
+	enum { WAIT_FOR_REGISTRATION, REGISTERED, };
+	enum { NO_ZIP, ACCEPT_ZIP, ZIP_LOADED, };
+public:
+	/**
+	* \brief Constructor, builds a new analyzer object.
+	*/
+	IRC_Analyzer(Connection* conn);
+
+	/**
+	* \brief Called when connection is closed.
+	*/
+	virtual void Done();
+
+	/**
+	* \brief New input line in network stream.
+	*
+	* \param len the line length
+	* \param data pointer to line start
+	* \param orig was this data sent from connection originator?
+	*/
+	virtual void DeliverStream(int len, const u_char* data, bool orig);
+
+	static Analyzer* InstantiateAnalyzer(Connection* conn)
+		{
+		return new IRC_Analyzer(conn);
+		}
+
+	static bool Available();
+
+protected:
+	int orig_status;
+	int orig_zip_status;
+	int resp_status;
+	int resp_zip_status;
+
+private:
+	/** \brief counts number of invalid IRC messages */
+	int invalid_msg_count;
+
+	/** \brief maximum count of invalid IRC messages */
+	int invalid_msg_max_count;
+
+	/**
+	* \brief Splits a string into its words which are separated by
+	* the split character.
+	*
+	* \param input string which will be splitted
+	* \param split character which separates the words
+	* \return vector containing words
+	*/
+	vector<string> SplitWords(const string input, const char split);
+
+};
+
+#endif
diff --git a/src/Ident.cc b/src/Ident.cc
new file mode 100644
index 0000000000..d98c8891df
--- /dev/null
+++ b/src/Ident.cc
@@ -0,0 +1,250 @@
+// $Id: Ident.cc 6219 2008-10-01 05:39:07Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "config.h"
+
+#include <ctype.h>
+
+#include "NetVar.h"
+#include "Ident.h"
+#include "Event.h"
+#include "TCP_Rewriter.h"
+
+Ident_Analyzer::Ident_Analyzer(Connection* conn)
+: TCP_ApplicationAnalyzer(AnalyzerTag::Ident, conn)
+	{
+	did_bad_reply = did_deliver = 0;
+
+	orig_ident = new ContentLine_Analyzer(conn, true);
+	resp_ident = new ContentLine_Analyzer(conn, false);
+
+	orig_ident->SetIsNULSensitive(true);
+	resp_ident->SetIsNULSensitive(true);
+
+	AddSupportAnalyzer(orig_ident);
+	AddSupportAnalyzer(resp_ident);
+	}
+
+void Ident_Analyzer::Done()
+	{
+	TCP_ApplicationAnalyzer::Done();
+
+	if ( TCP() )
+		if ( (! did_deliver || orig_ident->HasPartialLine()) &&
+		     (TCP()->OrigState() == TCP_ENDPOINT_CLOSED ||
+		      TCP()->OrigPrevState() == TCP_ENDPOINT_CLOSED) &&
+		     TCP()->OrigPrevState() != TCP_ENDPOINT_PARTIAL &&
+		     TCP()->RespPrevState() != TCP_ENDPOINT_PARTIAL &&
+		     TCP()->OrigPrevState() != TCP_ENDPOINT_INACTIVE &&
+		     TCP()->RespPrevState() != TCP_ENDPOINT_INACTIVE )
+			Weird("partial_ident_request");
+	}
+
+void Ident_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig)
+	{
+	TCP_ApplicationAnalyzer::DeliverStream(length, data, is_orig);
+
+	int remote_port, local_port;
+	const char* line = (const char*) data;
+	const char* orig_line = line;
+	const char* end_of_line = line + length;
+
+	TCP_Endpoint* s = 0;
+
+	if ( TCP() )
+		s = is_orig ? TCP()->Orig() : TCP()->Resp();
+
+	if ( is_orig )
+		{
+		if ( ! ident_request )
+			return;
+
+		line = ParsePair(line, end_of_line, remote_port, local_port);
+		if ( ! line )
+			{
+			if ( s && s->state == TCP_ENDPOINT_CLOSED &&
+			     (s->prev_state == TCP_ENDPOINT_INACTIVE ||
+			      s->prev_state == TCP_ENDPOINT_PARTIAL) )
+				// not surprising the request is mangled.
+				return;
+
+			BadRequest(length, orig_line);
+			return;
+			}
+
+		if ( line != end_of_line )
+			Weird("ident_request_addendum", length, orig_line);
+
+		val_list* vl = new val_list;
+		vl->append(BuildConnVal());
+		vl->append(new PortVal(local_port, TRANSPORT_TCP));
+		vl->append(new PortVal(remote_port, TRANSPORT_TCP));
+
+		ConnectionEvent(ident_request, vl);
+
+		did_deliver = 1;
+		}
+
+	else
+		{
+		if ( ! ident_reply )
+			return;
+
+		line = ParsePair(line, end_of_line, remote_port, local_port);
+
+		if ( ! line || line == end_of_line || line[0] != ':' )
+			{
+			if ( s && s->state == TCP_ENDPOINT_CLOSED &&
+			     (s->prev_state == TCP_ENDPOINT_INACTIVE ||
+			      s->prev_state == TCP_ENDPOINT_PARTIAL) )
+				// not surprising the request is mangled.
+				return;
+
+			BadReply(length, orig_line);
+			return;
+			}
+
+		line = skip_whitespace(line + 1, end_of_line);
+		int restlen = end_of_line - line;
+
+		int is_error;
+		if ( restlen >= 5 && ! strncmp(line, "ERROR", 5) )
+			{
+			is_error = 1;
+			line += 5;
+			}
+		else if ( restlen >= 6 && ! strncmp(line, "USERID", 6) )
+			{
+			is_error = 0;
+			line += 6;
+			}
+		else
+			{
+			BadReply(length, orig_line);
+			return;
+			}
+
+		line = skip_whitespace(line, end_of_line);
+
+		if ( line >= end_of_line || line[0] != ':' )
+			{
+			BadReply(length, orig_line);
+			return;
+			}
+
+		line = skip_whitespace(line + 1, end_of_line);
+
+		if ( is_error )
+			{
+			val_list* vl = new val_list;
+			vl->append(BuildConnVal());
+			vl->append(new PortVal(local_port, TRANSPORT_TCP));
+			vl->append(new PortVal(remote_port, TRANSPORT_TCP));
+			vl->append(new StringVal(end_of_line - line, line));
+
+			ConnectionEvent(ident_error, vl);
+			}
+
+		else
+			{
+			const char* sys_type = line;
+			const char* colon = strchr_n(line, end_of_line, ':');
+			const char* comma = strchr_n(line, end_of_line, ',');
+			if ( ! colon )
+				{
+				BadReply(length, orig_line);
+				return;
+				}
+
+			const char* sys_end = (comma && comma < colon) ?
+						comma : colon;
+
+			while ( --sys_end > sys_type && isspace(*sys_end) )
+				;
+
+			BroString* sys_type_s =
+				new BroString((const u_char*) sys_type,
+						sys_end - sys_type + 1, 1);
+
+			line = skip_whitespace(colon + 1, end_of_line);
+
+			val_list* vl = new val_list;
+			vl->append(BuildConnVal());
+			vl->append(new PortVal(local_port, TRANSPORT_TCP));
+			vl->append(new PortVal(remote_port, TRANSPORT_TCP));
+			vl->append(new StringVal(end_of_line - line, line));
+			vl->append(new StringVal(sys_type_s));
+
+			ConnectionEvent(ident_reply, vl);
+			}
+		}
+	}
+
+const char* Ident_Analyzer::ParsePair(const char* line, const char* end_of_line, int & p1, int& p2)
+	{
+	line = ParsePort(line, end_of_line, p1);
+	if ( ! line )
+		{
+		return 0;
+		}
+
+	if ( line >= end_of_line || line[0] != ',' )
+		return 0;
+
+	++line;
+
+	line = ParsePort(line, end_of_line, p2);
+	if ( ! line )
+		return 0;
+
+	return line;
+	}
+
+const char* Ident_Analyzer::ParsePort(const char* line, const char* end_of_line,
+				int& pn)
+	{
+	int n = 0;
+
+	line = skip_whitespace(line, end_of_line);
+	if ( ! isdigit(*line) )
+		return 0;
+
+	const char* l = line;
+
+	do
+		{
+		n = n * 10 + (*line - '0');
+		++line;
+		}
+	while ( isdigit(*line) );
+
+	line = skip_whitespace(line, end_of_line);
+
+	if ( n < 0 || n > 65535 )
+		{
+		Weird("bad_ident_port", l);
+		n = 0;
+		}
+
+	pn = n;
+
+	return line;
+	}
+
+void Ident_Analyzer::BadRequest(int length, const char* line)
+	{
+	Weird("bad_ident_request", length, line);
+	}
+
+void Ident_Analyzer::BadReply(int length, const char* line)
+	{
+	if ( ! did_bad_reply )
+		{
+		Weird("bad_ident_reply", length, line);
+		did_bad_reply = 1;
+		}
+	}
+
+#include "ident-rw.bif.func_def"
+
diff --git a/src/Ident.h b/src/Ident.h
new file mode 100644
index 0000000000..63bc64f560
--- /dev/null
+++ b/src/Ident.h
@@ -0,0 +1,45 @@
+// $Id: Ident.h 6219 2008-10-01 05:39:07Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#ifndef ident_h
+#define ident_h
+
+#include "TCP.h"
+#include "ContentLine.h"
+
+class Ident_Analyzer : public TCP_ApplicationAnalyzer {
+public:
+	Ident_Analyzer(Connection* conn);
+	virtual void Done();
+
+	virtual void DeliverStream(int length, const u_char* data, bool is_orig);
+	virtual int RewritingTrace()
+		{
+		return rewriting_ident_trace ||
+			TCP_ApplicationAnalyzer::RewritingTrace();
+		}
+
+	static Analyzer* InstantiateAnalyzer(Connection* conn)
+		{ return new Ident_Analyzer(conn); }
+
+	static bool Available()
+		{ return ident_request || ident_reply || ident_error; }
+
+protected:
+	const char* ParsePair(const char* line, const char* end_of_line,
+				int& p1, int &p2);
+	const char* ParsePort(const char* line, const char* end_of_line,
+				int& pn);
+
+	void BadRequest(int length, const char* line);
+	void BadReply(int length, const char* line);
+
+	ContentLine_Analyzer* orig_ident;
+	ContentLine_Analyzer* resp_ident;
+
+	unsigned int did_deliver:1;
+	unsigned int did_bad_reply:1;
+};
+
+#endif
diff --git a/src/IntSet.cc b/src/IntSet.cc
new file mode 100644
index 0000000000..a6c176f829
--- /dev/null
+++ b/src/IntSet.cc
@@ -0,0 +1,23 @@
+// $Id: IntSet.cc 80 2004-07-14 20:15:50Z jason $
+
+#include "config.h"
+
+#ifdef HAVE_MEMORY_H
+#include <memory.h>
+#endif
+#include <stdlib.h>
+
+#include "IntSet.h"
+
+void IntSet::Expand(unsigned int i)
+	{
+	unsigned int newsize = i / 8 + 1;
+	unsigned char* newset = new unsigned char[newsize];
+
+	memset(newset, 0, newsize);
+	memcpy(newset, set, size);
+
+	delete [] set;
+	size = newsize;
+	set = newset;
+	}
diff --git a/src/IntSet.h b/src/IntSet.h
new file mode 100644
index 0000000000..412b06d418
--- /dev/null
+++ b/src/IntSet.h
@@ -0,0 +1,74 @@
+// $Id: IntSet.h 80 2004-07-14 20:15:50Z jason $
+
+// A simple but fast data structure for sets of integers.
+// Only supported operations are insert, remove and membership test.
+//
+// It's implemented via a bitmap so the memory usage increases linearly
+// with max(set).
+
+#ifndef intset_h
+#define intset_h
+
+#include <string.h>
+
+class IntSet {
+public:
+	// n is a hint for the value of the largest integer.
+	IntSet(unsigned int n = 1);
+	~IntSet();
+
+	void Insert(unsigned int i);
+	void Remove(unsigned int i);
+	bool Contains(unsigned int i) const;
+
+	void Clear();
+
+private:
+	void Expand(unsigned int i);
+
+	unsigned int size;
+	unsigned char* set;
+	};
+
+
+#define bzero(p, size) memset(p, 0, size)
+
+inline IntSet::IntSet(unsigned int n)
+	{
+	size = n / 8 + 1;
+	set = new unsigned char[size];
+	bzero(set, size);
+	}
+
+inline IntSet::~IntSet()
+	{
+	delete [] set;
+	}
+
+inline void IntSet::Insert(unsigned int i)
+	{
+	if ( i / 8 >= size )
+		Expand(i);
+
+	set[i / 8] |= (1 << (i % 8));
+	}
+
+inline void IntSet::Remove(unsigned int i)
+	{
+	if ( i / 8 >= size )
+		Expand(i);
+	else
+		set[i / 8] &= ~(1 << (i % 8));
+	}
+
+inline bool IntSet::Contains(unsigned int i) const
+	{
+	return i / 8 < size ? set[i / 8] & (1 << (i % 8)) : false;
+	}
+
+inline void IntSet::Clear()
+	{
+	bzero(set, size);
+	}
+
+#endif
diff --git a/src/InterConn.cc b/src/InterConn.cc
new file mode 100644
index 0000000000..664982fd02
--- /dev/null
+++ b/src/InterConn.cc
@@ -0,0 +1,274 @@
+// $Id: InterConn.cc 6219 2008-10-01 05:39:07Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "config.h"
+
+#include "InterConn.h"
+#include "Event.h"
+#include "Net.h"
+#include "TCP.h"
+
+InterConnEndpoint::InterConnEndpoint(TCP_Endpoint* e)
+	{
+	endp = e;
+	max_top_seq = 0;
+	num_pkts = num_keystrokes_two_in_a_row = num_normal_interarrivals =
+		num_8k0_pkts = num_8k4_pkts = num_bytes = num_7bit_ascii =
+			num_lines = num_normal_lines = 0;
+	is_partial = keystroke_just_seen = 0;
+	last_keystroke_time = 0.0;
+	}
+
+#define NORMAL_LINE_LENGTH 80
+
+int InterConnEndpoint::DataSent(double t, int seq, int len, int caplen,
+		const u_char* data, const IP_Hdr* /* ip */,
+		const struct tcphdr* /* tp */)
+	{
+	if ( caplen < len )
+		len = caplen;
+
+	if ( len <= 0 )
+		return 0;
+
+	if ( endp->state == TCP_ENDPOINT_PARTIAL )
+		is_partial = 1;
+
+	int ack = endp->AckSeq() - endp->StartSeq();
+	int top_seq = seq + len;
+
+	if ( top_seq <= ack || top_seq <= max_top_seq )
+		// There is no new data in this packet
+		return 0;
+
+	if ( seq < max_top_seq )
+		{ // Only consider new data
+		int amount_seen = max_top_seq - seq;
+		seq += amount_seen;
+		data += amount_seen;
+		len -= amount_seen;
+		}
+
+	if ( max_top_seq && seq > max_top_seq )
+		// We've got a pkt above a hole
+		num_pkts += EstimateGapPacketNum(seq - max_top_seq);
+
+	++num_pkts;
+	max_top_seq = top_seq;
+
+	// Count the bytes.
+	num_bytes += len;
+
+	int last_char = 0;
+	int offset = 0;	// where we consider the latest line to have begun
+
+	for ( int i = 0; i < len; ++i )
+		{
+		unsigned int c = data[i];
+
+		if ( c == '\n' && last_char == '\r' )
+			{
+			// Compress CRLF to just one line termination.
+			last_char = c;
+			continue;
+			}
+
+		if ( c == '\n' || c == '\r' )
+			{
+			++num_lines;
+			if ( i - offset <= NORMAL_LINE_LENGTH )
+				++num_normal_lines;
+			offset = i;
+			}
+
+		else if ( c != 0 && c < 128 )
+			++num_7bit_ascii;
+
+		last_char = c;
+		}
+
+	if ( IsPotentialKeystrokePacket(len) )
+		{
+		if ( keystroke_just_seen )
+			{
+			++num_keystrokes_two_in_a_row;
+
+			if ( IsNormalKeystrokeInterarrival(t - last_keystroke_time) )
+				++num_normal_interarrivals;
+			}
+		else
+			keystroke_just_seen = 1;
+
+		// Look for packets matching the SSH signature of
+		// being either 0 or 4 modulo 8.
+		switch ( len & 7 ) {
+		case 0:
+			if ( len >= 16 )
+				++num_8k0_pkts;
+			break;
+
+		case 4:
+			++num_8k4_pkts;
+			break;
+		}
+
+		last_keystroke_time = t;
+		}
+	else
+		keystroke_just_seen = 0;
+
+	return 1;
+	}
+
+RecordVal* InterConnEndpoint::BuildStats()
+	{
+	RecordVal* stats = new RecordVal(interconn_endp_stats);
+
+	stats->Assign(0, new Val(num_pkts, TYPE_COUNT));
+	stats->Assign(1, new Val(num_keystrokes_two_in_a_row, TYPE_COUNT));
+	stats->Assign(2, new Val(num_normal_interarrivals, TYPE_COUNT));
+	stats->Assign(3, new Val(num_8k0_pkts, TYPE_COUNT));
+	stats->Assign(4, new Val(num_8k4_pkts, TYPE_COUNT));
+	stats->Assign(5, new Val(is_partial, TYPE_BOOL));
+	stats->Assign(6, new Val(num_bytes, TYPE_COUNT));
+	stats->Assign(7, new Val(num_7bit_ascii, TYPE_COUNT));
+	stats->Assign(8, new Val(num_lines, TYPE_COUNT));
+	stats->Assign(9, new Val(num_normal_lines, TYPE_COUNT));
+
+	return stats;
+	}
+
+int InterConnEndpoint::EstimateGapPacketNum(int gap) const
+	{
+	return (gap + interconn_default_pkt_size - 1) / interconn_default_pkt_size;
+	}
+
+int InterConnEndpoint::IsPotentialKeystrokePacket(int len) const
+	{
+	return len <= interconn_max_keystroke_pkt_size;
+	}
+
+int InterConnEndpoint::IsNormalKeystrokeInterarrival(double t) const
+	{
+	return interconn_min_interarrival <= t && t <= interconn_max_interarrival;
+	}
+
+InterConn_Analyzer::InterConn_Analyzer(Connection* c)
+: TCP_ApplicationAnalyzer(AnalyzerTag::InterConn, c)
+	{
+	orig_endp = resp_endp = 0;
+	orig_stream_pos = resp_stream_pos = 1;
+
+	timeout = backdoor_stat_period;
+	backoff = backdoor_stat_backoff;
+
+	c->GetTimerMgr()->Add(new InterConnTimer(network_time + timeout, this));
+	}
+
+InterConn_Analyzer::~InterConn_Analyzer()
+	{
+	Unref(orig_endp);
+	Unref(resp_endp);
+	}
+
+void InterConn_Analyzer::Init()
+	{
+	TCP_ApplicationAnalyzer::Init();
+
+	assert(TCP());
+	orig_endp = new InterConnEndpoint(TCP()->Orig());
+	resp_endp = new InterConnEndpoint(TCP()->Resp());
+	}
+
+void InterConn_Analyzer::DeliverPacket(int len, const u_char* data,
+			bool is_orig, int seq, const IP_Hdr* ip, int caplen)
+	{
+	TCP_ApplicationAnalyzer::DeliverPacket(len, data, is_orig,
+						seq, ip, caplen);
+
+	if ( is_orig )
+		orig_endp->DataSent(network_time, seq, len, caplen, data, 0, 0);
+	else
+		resp_endp->DataSent(network_time, seq, len, caplen, data, 0, 0);
+	}
+
+void InterConn_Analyzer::DeliverStream(int len, const u_char* data, bool is_orig)
+	{
+	TCP_ApplicationAnalyzer::DeliverStream(len, data, is_orig);
+
+	if ( is_orig )
+		{
+		orig_endp->DataSent(network_time, orig_stream_pos, len, len, data, 0, 0);
+		orig_stream_pos += len;
+		}
+
+	else
+		{
+		resp_endp->DataSent(network_time, resp_stream_pos, len, len, data, 0, 0);
+		resp_stream_pos += len;
+		}
+	}
+
+void InterConn_Analyzer::Done()
+	{
+	if ( ! IsFinished() )
+		{
+		if ( ! Conn()->Skipping() )
+			StatEvent();
+
+		RemoveEvent();
+		}
+
+	TCP_ApplicationAnalyzer::Done();
+	}
+
+void InterConn_Analyzer::StatTimer(double t, int is_expire)
+	{
+	if ( IsFinished() || Conn()->Skipping() )
+		return;
+
+	StatEvent();
+
+	if ( ! is_expire )
+		{
+		timeout *= backoff;
+		timer_mgr->Add(new InterConnTimer(t + timeout, this));
+		}
+	}
+
+void InterConn_Analyzer::StatEvent()
+	{
+	val_list* vl = new val_list;
+	vl->append(Conn()->BuildConnVal());
+	vl->append(orig_endp->BuildStats());
+	vl->append(resp_endp->BuildStats());
+
+	Conn()->ConnectionEvent(interconn_stats, this, vl);
+	}
+
+void InterConn_Analyzer::RemoveEvent()
+	{
+	val_list* vl = new val_list;
+	vl->append(Conn()->BuildConnVal());
+
+	Conn()->ConnectionEvent(interconn_remove_conn, this, vl);
+	}
+
+InterConnTimer::InterConnTimer(double t, InterConn_Analyzer* a)
+: Timer(t, TIMER_INTERCONN)
+	{
+	analyzer = a;
+	// Make sure connection does not expire.
+	Ref(a->Conn());
+	}
+
+InterConnTimer::~InterConnTimer()
+	{
+	Unref(analyzer->Conn());
+	}
+
+void InterConnTimer::Dispatch(double t, int is_expire)
+	{
+	analyzer->StatTimer(t, is_expire);
+	}
diff --git a/src/InterConn.h b/src/InterConn.h
new file mode 100644
index 0000000000..1f9ee12f62
--- /dev/null
+++ b/src/InterConn.h
@@ -0,0 +1,88 @@
+// $Id: InterConn.h 6219 2008-10-01 05:39:07Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#ifndef interconn_h
+#define interconn_h
+
+#include "TCP.h"
+#include "Timer.h"
+#include "NetVar.h"
+
+class InterConnEndpoint : public BroObj {
+public:
+	InterConnEndpoint(TCP_Endpoint* e);
+
+	int DataSent(double t, int seq, int len, int caplen, const u_char* data,
+		     const IP_Hdr* ip, const struct tcphdr* tp);
+
+	RecordVal* BuildStats();
+
+protected:
+	int EstimateGapPacketNum(int gap) const;
+	int IsPotentialKeystrokePacket(int len) const;
+	int IsNormalKeystrokeInterarrival(double t) const;
+
+	TCP_Endpoint* endp;
+	double last_keystroke_time;
+	int max_top_seq;
+	uint32 num_pkts;
+	uint32 num_keystrokes_two_in_a_row;
+	uint32 num_normal_interarrivals;
+	uint32 num_8k4_pkts;
+	uint32 num_8k0_pkts;
+	uint32 num_bytes;
+	uint32 num_7bit_ascii;
+	uint32 num_lines;
+	uint32 num_normal_lines;
+	int is_partial;
+	int keystroke_just_seen;
+};
+
+
+class InterConn_Analyzer : public TCP_ApplicationAnalyzer {
+public:
+	InterConn_Analyzer(Connection* c);
+	~InterConn_Analyzer();
+
+	virtual void Init();
+	virtual void Done();
+	void StatTimer(double t, int is_expire);
+
+	static Analyzer* InstantiateAnalyzer(Connection* conn)
+		{ return new InterConn_Analyzer(conn); }
+
+	static bool Available()	{ return interconn_stats; }
+
+protected:
+	// We support both packet and stream input and can be put in place even
+	// if the TCP analyzer is not yet reassembling.
+	virtual void DeliverPacket(int len, const u_char* data, bool is_orig,
+					int seq, const IP_Hdr* ip, int caplen);
+	virtual void DeliverStream(int len, const u_char* data, bool is_orig);
+
+	void StatEvent();
+	void RemoveEvent();
+
+	InterConnEndpoint* orig_endp;
+	InterConnEndpoint* resp_endp;
+
+	int orig_stream_pos;
+	int resp_stream_pos;
+
+	double timeout;
+	double backoff;
+};
+
+class InterConnTimer : public Timer {
+public:
+	InterConnTimer(double t, InterConn_Analyzer* a);
+	~InterConnTimer();
+
+	void Dispatch(double t, int is_expire);
+
+protected:
+	InterConn_Analyzer* analyzer;
+};
+
+#endif
diff --git a/src/List.cc b/src/List.cc
new file mode 100644
index 0000000000..2a28d4ae00
--- /dev/null
+++ b/src/List.cc
@@ -0,0 +1,234 @@
+// $Id: List.cc 1905 2005-12-14 03:27:33Z vern $
+
+#include "config.h"
+
+#include <stdio.h>
+#include <stdlib.h>
+
+#include "List.h"
+#include "util.h"
+
+static const int DEFAULT_CHUNK_SIZE = 10;
+
+BaseList::BaseList(int size)
+	{
+	chunk_size = DEFAULT_CHUNK_SIZE;
+
+	if ( size < 0 )
+		{
+		num_entries = max_entries = 0;
+		entry = 0;
+		}
+	else
+		{
+		if ( size > 0 )
+			chunk_size = size;
+
+		num_entries = 0;
+		entry = (ent *) safe_malloc(chunk_size * sizeof(ent));
+		max_entries = chunk_size;
+		}
+	}
+
+
+BaseList::BaseList(BaseList& b)
+	{
+	max_entries = b.max_entries;
+	chunk_size = b.chunk_size;
+	num_entries = b.num_entries;
+
+	if ( max_entries )
+		entry = (ent *) safe_malloc(max_entries * sizeof(ent));
+	else
+		entry = 0;
+
+	for ( int i = 0; i < num_entries; ++i )
+		entry[i] = b.entry[i];
+	}
+
+void BaseList::sort(list_cmp_func cmp_func)
+	{
+	qsort(entry, num_entries, sizeof(ent), cmp_func);
+	}
+
+void BaseList::operator=(BaseList& b)
+	{
+	if ( this == &b )
+		return;	// i.e., this already equals itself
+
+	if ( entry )
+		free(entry);
+
+	max_entries = b.max_entries;
+	chunk_size = b.chunk_size;
+	num_entries = b.num_entries;
+
+	if ( max_entries )
+		entry = (ent *) safe_malloc(max_entries * sizeof(ent));
+	else
+		entry = 0;
+
+	for ( int i = 0; i < num_entries; ++i )
+		entry[i] = b.entry[i];
+	}
+
+void BaseList::insert(ent a)
+	{
+	if ( num_entries == max_entries )
+		{
+		resize(max_entries + chunk_size);	// make more room
+		chunk_size *= 2;
+		}
+
+	for ( int i = num_entries; i > 0; --i )
+		entry[i] = entry[i-1];	// move all pointers up one
+
+	++num_entries;
+	entry[0] = a;
+	}
+
+#include <stdio.h>
+
+void BaseList::sortedinsert(ent a, list_cmp_func cmp_func)
+	{
+	// We optimize for the case that the new element is
+	// larger than most of the current entries.
+
+	// First append element.
+	if ( num_entries == max_entries )
+		{
+		resize(max_entries + chunk_size);
+		chunk_size *= 2;
+		}
+
+	entry[num_entries++] = a;
+
+	// Then move it to the correct place.
+	ent tmp;
+	for ( int i = num_entries - 1; i > 0; --i )
+		{
+		if ( cmp_func(entry[i],entry[i-1]) <= 0 )
+			break;
+
+		tmp = entry[i];
+		entry[i] = entry[i-1];
+		entry[i-1] = tmp;
+		}
+	}
+
+ent BaseList::remove(ent a)
+	{
+	int i;
+	for ( i = 0; i < num_entries && a != entry[i]; ++i )
+		;
+
+	return remove_nth(i);
+	}
+
+ent BaseList::remove_nth(int n)
+	{
+	if ( n < 0 || n >= num_entries )
+		return 0;
+
+	ent old_ent = entry[n];
+	--num_entries;
+
+	for ( ; n < num_entries; ++n )
+		entry[n] = entry[n+1];
+
+	entry[n] = 0;	// for debugging
+	return old_ent;
+	}
+
+void BaseList::append(ent a)
+	{
+	if ( num_entries == max_entries )
+		{
+		resize(max_entries + chunk_size);	// make more room
+		chunk_size *= 2;
+		}
+
+	entry[num_entries++] = a;
+	}
+
+// Get and remove from the end of the list.
+ent BaseList::get()
+	{
+	if ( num_entries == 0 )
+		return 0;
+
+	return entry[--num_entries];
+	}
+
+
+void BaseList::clear()
+	{
+	if ( entry )
+		{
+		free(entry);
+		entry = 0;
+		}
+
+	num_entries = max_entries = 0;
+	chunk_size = DEFAULT_CHUNK_SIZE;
+	}
+
+ent BaseList::replace(int ent_index, ent new_ent)
+	{
+	if ( ent_index < 0 )
+		return 0;
+
+	ent old_ent;
+
+	if ( ent_index > num_entries - 1 )
+		{ // replacement beyond the end of the list
+		resize(ent_index + 1);
+
+		for ( int i = num_entries; i < max_entries; ++i )
+			entry[i] = 0;
+		num_entries = max_entries;
+
+		old_ent = 0;
+		}
+	else
+		old_ent = entry[ent_index];
+
+	entry[ent_index] = new_ent;
+
+	return old_ent;
+	}
+
+int BaseList::resize(int new_size)
+	{
+	if ( new_size < num_entries )
+		new_size = num_entries;	// do not lose any entries
+
+	if ( new_size != max_entries )
+		{
+		entry = (ent*) safe_realloc((void*) entry, sizeof(ent) * new_size);
+		if ( entry )
+			max_entries = new_size;
+		else
+			max_entries = 0;
+		}
+
+	return max_entries;
+	}
+
+ent BaseList::is_member(ent e) const
+	{
+	int i;
+	for ( i = 0; i < length() && e != entry[i]; ++i )
+		;
+
+	return (i == length()) ? 0 : e;
+	}
+
+int BaseList::member_pos(ent e) const
+	{
+	int i;
+	for ( i = 0; i < length() && e != entry[i]; ++i )
+		;
+
+	return (i == length()) ? -1 : i;
+	}
diff --git a/src/List.h b/src/List.h
new file mode 100644
index 0000000000..38afad35c9
--- /dev/null
+++ b/src/List.h
@@ -0,0 +1,197 @@
+// $Id: List.h 463 2004-09-26 21:04:20Z vern $
+
+#ifndef list_h
+#define list_h
+
+// BaseList.h --
+//	Interface for class BaseList, current implementation is as an
+//	array of ent's.  This implementation was chosen to optimize
+//	getting to the ent's rather than inserting and deleting.
+//	Also pairs of append's and get's act like push's and pop's
+//	and are very efficient.  The only really expensive operations
+//	are inserting (but not appending), which requires pushing every
+//	element up, and resizing the list, which involves getting new space
+//	and moving the data.  Resizing occurs automatically when inserting
+//	more elements than the list can currently hold.  Automatic
+//	resizing is done one "chunk_size" of elements at a time and
+//	always increases the size of the list.  Resizing to zero
+//	(or to less than the current value of num_entries)
+//	will decrease the size of the list to the current number of
+//	elements.  Resize returns the new max_entries.
+//
+//	Entries must be either a pointer to the data or nonzero data with
+//	sizeof(data) <= sizeof(void*).
+
+#include <stdarg.h>
+#include "util.h"
+
+typedef void* ent;
+typedef int (*list_cmp_func)(const void* v1, const void* v2);
+
+class BaseList {
+public:
+	~BaseList()		{ clear(); }
+
+	void clear();		// remove all entries
+	int length() const	{ return num_entries; }
+	int chunk() const	{ return chunk_size; }
+	int max() const		{ return max_entries; }
+	int resize(int = 0);	// 0 => size to fit current number of entries
+
+	void sort(list_cmp_func cmp_func);
+
+	int MemoryAllocation() const
+		{ return padded_sizeof(*this) + pad_size(max_entries * sizeof(ent)); }
+
+protected:
+	BaseList(int = 0);
+	BaseList(BaseList&);
+
+	void insert(ent);	// add at head of list
+
+	// Assumes that the list is sorted and inserts at correct position.
+	void sortedinsert(ent, list_cmp_func cmp_func);
+
+	void append(ent);	// add to end of list
+	ent remove(ent);	// delete entry from list
+	ent remove_nth(int);	// delete nth entry from list
+	ent get();		// return and remove ent at end of list
+	ent last()		// return at end of list
+		{ return entry[num_entries-1]; }
+
+	// Return 0 if ent is not in the list, ent otherwise.
+	ent is_member(ent) const;
+
+	// Returns -1 if ent is not in the list, otherwise its position.
+	int member_pos(ent) const;
+
+	ent replace(int, ent);	// replace entry #i with a new value
+
+	// Return nth ent of list (do not remove).
+	ent operator[](int i) const
+		{
+#ifdef SAFE_LISTS
+		if ( i < 0 || i > num_entries-1 )
+			return 0;
+		else
+#endif
+			return entry[i];
+		}
+
+	void operator=(BaseList&);
+
+	ent* entry;
+	int chunk_size;		// increase size by this amount when necessary
+	int max_entries;
+	int num_entries;
+	};
+
+
+// List.h -- interface for class List
+//	Use:	to get a list of pointers to class foo you should:
+//		1) typedef foo* Pfoo; (the macros don't like explicit pointers)
+//		2) declare(List,Pfoo); (declare an interest in lists of Pfoo's)
+//		3) variables are declared like:
+//				List(Pfoo) bar;	(bar is of type list of Pfoo's)
+
+// For lists of "type".
+
+#define List(type) type ## List
+
+// For lists of pointers to "type"
+#define PList(type) type ## PList
+
+#define Listdeclare(type)						\
+struct List(type) : BaseList						\
+	{								\
+	List(type)(type ...);						\
+	List(type)() : BaseList(0) {}					\
+	List(type)(int sz) : BaseList(sz) {}				\
+	List(type)(List(type)& l) : BaseList((BaseList&)l) {}		\
+									\
+	void operator=(List(type)& l)					\
+		{ BaseList::operator=((BaseList&)l); }			\
+	void insert(type a)	{ BaseList::insert(ent(a)); }		\
+	void sortedinsert(type a, list_cmp_func cmp_func)		\
+		{ BaseList::sortedinsert(ent(a), cmp_func); }		\
+	void append(type a)	{ BaseList::append(ent(a)); }		\
+	type remove(type a)						\
+			{ return type(BaseList::remove(ent(a))); }	\
+	type remove_nth(int n)	{ return type(BaseList::remove_nth(n)); }\
+	type get()		{ return type(BaseList::get()); }	\
+	type last()		{ return type(BaseList::last()); }	\
+	type replace(int i, type new_type)				\
+		{ return type(BaseList::replace(i,ent(new_type))); }	\
+	type is_member(type e) const					\
+		{ return type(BaseList::is_member(ent(e))); }		\
+	int member_pos(type e) const					\
+		{ return BaseList::member_pos(ent(e)); }		\
+									\
+	type operator[](int i) const					\
+		{ return type(BaseList::operator[](i)); }		\
+	};								\
+
+#define Listimplement(type)						\
+List(type)::List(type)(type e1 ...) : BaseList()			\
+	{								\
+	append(e1);							\
+	va_list ap;							\
+	va_start(ap,e1);						\
+	for ( type e = va_arg(ap,type); e != 0; e = va_arg(ap,type) )	\
+		append(e);						\
+	resize();							\
+	}
+
+#define PListdeclare(type)						\
+struct PList(type) : BaseList						\
+	{								\
+	PList(type)(type* ...);						\
+	PList(type)() : BaseList(0) {}					\
+	PList(type)(int sz) : BaseList(sz) {}				\
+	PList(type)(PList(type)& l) : BaseList((BaseList&)l) {}		\
+									\
+	void operator=(PList(type)& l)					\
+		{ BaseList::operator=((BaseList&)l); }			\
+	void insert(type* a)	{ BaseList::insert(ent(a)); }		\
+	void sortedinsert(type* a, list_cmp_func cmp_func)		\
+		{ BaseList::sortedinsert(ent(a), cmp_func); }		\
+	void append(type* a)	{ BaseList::append(ent(a)); }		\
+	type* remove(type* a)						\
+		{ return (type*)BaseList::remove(ent(a)); }		\
+	type* remove_nth(int n)	{ return (type*)(BaseList::remove_nth(n)); }\
+	type* get()		{ return (type*)BaseList::get(); }	\
+	type* operator[](int i) const					\
+		{ return (type*)(BaseList::operator[](i)); }		\
+	type* replace(int i, type* new_type)				\
+		{ return (type*)BaseList::replace(i,ent(new_type)); }	\
+	type* is_member(type* e)					\
+		{ return (type*)BaseList::is_member(ent(e)); }		\
+	int member_pos(type* e)						\
+		{ return BaseList::member_pos(ent(e)); }		\
+	};								\
+
+#define PListimplement(type)						\
+PList(type)::PList(type)(type* ep1 ...) : BaseList()			\
+	{								\
+	append(ep1);							\
+	va_list ap;							\
+	va_start(ap,ep1);						\
+	for ( type* ep = va_arg(ap,type*); ep != 0;			\
+	      ep = va_arg(ap,type*) )					\
+		append(ep);						\
+	resize();							\
+	}
+
+
+#define declare(metatype,type) metatype ## declare (type)
+
+// Popular type of list: list of strings.
+declare(PList,char);
+typedef PList(char) name_list;
+
+// Macro to visit each list element in turn.
+#define loop_over_list(list, iterator)  \
+	int iterator;	\
+	for ( iterator = 0; iterator < (list).length(); ++iterator )
+
+#endif /* list_h */
diff --git a/src/Logger.cc b/src/Logger.cc
new file mode 100644
index 0000000000..ec1c48194d
--- /dev/null
+++ b/src/Logger.cc
@@ -0,0 +1,73 @@
+// $Id: Logger.cc 6916 2009-09-24 20:48:36Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include <stdlib.h>
+#include <math.h>
+#include <ctype.h>
+#include <syslog.h>
+
+#include "config.h"
+#include "File.h"
+#include "Logger.h"
+
+#ifdef SYSLOG_INT
+extern "C" {
+int openlog(const char* ident, int logopt, int facility);
+int syslog(int priority, const char* message_fmt, ...);
+int closelog();
+}
+#endif
+
+Logger::Logger(const char* name, BroFile* arg_f)
+	{
+	openlog(name, 0, LOG_LOCAL5);
+	f = arg_f;
+	enabled = 1;
+	}
+
+Logger::~Logger()
+	{
+	closelog();
+	Unref(f);
+	}
+
+void Logger::Log(const char* msg)
+	{
+	int has_timestamp =
+		(fabs(atof(msg) - network_time) <= 30.0) ||
+		(msg[0] == 't' && msg[1] == '=' && isdigit(msg[2]));
+
+	if ( enabled )
+		{
+		const char* sub_msg = msg;
+		if ( has_timestamp )
+			{
+			// Don't include the timestamp in the logging,
+			// as it gets tacked on by syslog anyway.
+			sub_msg = strchr(sub_msg, ' ');
+			if ( sub_msg )
+				++sub_msg;	// skip over ' '
+			else
+				sub_msg = msg;
+			}
+
+		syslog(LOG_NOTICE, "%s", sub_msg);
+		}
+
+	if ( f )
+		{
+		if ( has_timestamp )
+			f->Write(fmt("%s\n", msg));
+		else
+			f->Write(fmt("%.6f %s\n", network_time, msg));
+
+		f->Flush();
+		}
+	}
+
+void Logger::Describe(ODesc* d) const
+	{
+	d->AddSP("logger");
+	f->Describe(d);
+	}
diff --git a/src/Logger.h b/src/Logger.h
new file mode 100644
index 0000000000..0c3f0d1ed7
--- /dev/null
+++ b/src/Logger.h
@@ -0,0 +1,33 @@
+// $Id: Logger.h 6219 2008-10-01 05:39:07Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#ifndef logger_h
+#define logger_h
+
+#include "util.h"
+#include "Obj.h"
+
+class BroFile;
+class Func;
+
+class Logger : public BroObj {
+public:
+	Logger(const char* name, BroFile* f = 0);
+	virtual ~Logger();
+
+	void Log(const char* msg);
+
+	void SetEnabled(int do_enabled)		{ enabled = do_enabled; }
+
+	void Describe(ODesc* d) const;
+
+protected:
+	BroFile* f;	// associated file
+	int enabled;	// if true, syslog'ing is done, otherwise just file log
+};
+
+extern Logger* bro_logger;
+extern Func* alarm_hook;
+
+#endif
diff --git a/src/Login.cc b/src/Login.cc
new file mode 100644
index 0000000000..7ad309458d
--- /dev/null
+++ b/src/Login.cc
@@ -0,0 +1,626 @@
+// $Id: Login.cc 6724 2009-06-07 09:23:03Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "config.h"
+
+#include <ctype.h>
+#include <stdlib.h>
+
+#include "NetVar.h"
+#include "Login.h"
+#include "RE.h"
+#include "Event.h"
+
+static RE_Matcher* re_skip_authentication = 0;
+static RE_Matcher* re_direct_login_prompts;
+static RE_Matcher* re_login_prompts;
+static RE_Matcher* re_login_non_failure_msgs;
+static RE_Matcher* re_login_failure_msgs;
+static RE_Matcher* re_login_success_msgs;
+static RE_Matcher* re_login_timeouts;
+
+static RE_Matcher* init_RE(ListVal* l);
+
+Login_Analyzer::Login_Analyzer(AnalyzerTag::Tag tag, Connection* conn)
+: TCP_ApplicationAnalyzer(tag, conn)
+	{
+	state = LOGIN_STATE_AUTHENTICATE;
+	num_user_lines_seen = lines_scanned = 0;
+	// Set last_failure_num_user_lines so we will always generate
+	// at least one failure message, even if the user doesn't
+	// type anything (but we see, e.g., a timeout).
+	last_failure_num_user_lines = -1;
+	login_prompt_line = failure_line = 0;
+	user_text_first = 0;
+	user_text_last = MAX_USER_TEXT - 1;
+	num_user_text = 0;
+	client_name = username = 0;
+	saw_ploy = is_VMS = 0;
+
+	if ( ! re_skip_authentication )
+		{
+#ifdef USE_PERFTOOLS
+		HeapLeakChecker::Disabler disabler;
+#endif
+		re_skip_authentication = init_RE(skip_authentication);
+		re_direct_login_prompts = init_RE(direct_login_prompts);
+		re_login_prompts = init_RE(login_prompts);
+		re_login_non_failure_msgs = init_RE(login_non_failure_msgs);
+		re_login_failure_msgs = init_RE(login_failure_msgs);
+		re_login_success_msgs = init_RE(login_success_msgs);
+		re_login_timeouts = init_RE(login_timeouts);
+		}
+	}
+
+Login_Analyzer::~Login_Analyzer()
+	{
+	while ( num_user_text > 0 )
+		{
+		char* s = PopUserText();
+		delete [] s;
+		}
+
+	Unref(username);
+	Unref(client_name);
+	}
+
+void Login_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
+	{
+	TCP_ApplicationAnalyzer::DeliverStream(length, line, orig);
+
+	char* str = new char[length+1];
+
+	// Eliminate NUL characters.
+	int i, j;
+	for ( i = 0, j = 0; i < length; ++i )
+		if ( line[i] != '\0' )
+			str[j++] = line[i];
+		else
+			{
+			if ( Conn()->FlagEvent(NUL_IN_LINE) )
+				Weird("NUL_in_line");
+			}
+
+	str[j] = '\0';
+
+	NewLine(orig, str);
+	delete [] str;
+	}
+
+void Login_Analyzer::NewLine(bool orig, char* line)
+	{
+	if ( state == LOGIN_STATE_SKIP )
+		return;
+
+	if ( orig && login_input_line )
+		LineEvent(login_input_line, line);
+
+	if ( ! orig && login_output_line )
+		LineEvent(login_output_line, line);
+
+	if ( state == LOGIN_STATE_LOGGED_IN )
+		return;
+
+	if ( state == LOGIN_STATE_AUTHENTICATE )
+		{
+		if ( TCP()->OrigState() == TCP_ENDPOINT_PARTIAL ||
+		     TCP()->RespState() == TCP_ENDPOINT_PARTIAL )
+			state = LOGIN_STATE_CONFUSED;	// unknown login state
+		else
+			{
+			AuthenticationDialog(orig, line);
+			return;
+			}
+		}
+
+	if ( state != LOGIN_STATE_CONFUSED )
+		internal_error("bad state in Login_Analyzer::NewLine");
+
+	// When we're in "confused", we feed each user input line to
+	// login_confused_text, but also scan the text in the
+	// other direction for evidence of successful login.
+	if ( orig )
+		{
+		(void) IsPloy(line);
+		ConfusionText(line);
+		}
+
+	else if ( ! saw_ploy && IsSuccessMsg(line) )
+		{
+		LoginEvent(login_success, line, 1);
+		state = LOGIN_STATE_LOGGED_IN;
+		}
+	}
+
+void Login_Analyzer::AuthenticationDialog(bool orig, char* line)
+	{
+	if ( orig )
+		{
+		if ( is_VMS )
+			{
+#define VMS_REPEAT_SEQ "\x1b[A"
+			char* repeat_prev_line = strstr(line, VMS_REPEAT_SEQ);
+			if ( repeat_prev_line )
+				{
+				if ( repeat_prev_line[strlen(VMS_REPEAT_SEQ)] )
+					{
+					Confused("extra_repeat_text", line);
+					return;
+					}
+
+				// VMS repeats the username, not the last line
+				// typed (which presumably is the password).
+				if ( username )
+					{
+					line = (char*) username->AsString()->Bytes();
+					if ( strstr(line, VMS_REPEAT_SEQ) )
+						Confused("username_with_embedded_repeat", line);
+					else
+						NewLine(orig, line);
+					}
+
+				else
+					Confused("repeat_without_username", line);
+				return;
+				}
+			}
+
+		++num_user_lines_seen;
+
+		if ( ! IsPloy(line) )
+			AddUserText(line);
+
+		return;
+		}
+
+	// Ignore blank lines from the responder - some systems spew
+	// out a whole bunch of these.
+	if ( IsEmpty(line) )
+		return;
+
+	if ( ++lines_scanned > MAX_AUTHENTICATE_LINES &&
+	     login_prompt_line == 0 && failure_line == 0 )
+		Confused("no_login_prompt", line);
+
+	const char* prompt = IsLoginPrompt(line);
+	int is_timeout = IsTimeout(line);
+	if ( prompt && ! IsSuccessMsg(line) && ! is_timeout )
+		{
+		is_VMS = strstr(line, "Username:") != 0;
+
+		// If we see multiple login prompts, presume that
+		// each is consuming one line of typeahead.
+		//
+		// We can also get multiple login prompts spread
+		// across adjacent lines, for example if the user
+		// enters a blank line or a line that wasn't accepted
+		// (e.g., "foo^C").
+
+		int multi_line_prompt =
+			(login_prompt_line == lines_scanned - 1 &&
+			 // if login_prompt_line is the same as failure_line,
+			 // then we didn't actually see a login prompt
+			 // there, we're just remembering that as the
+			 // prompt line so we can count typeahead with
+			 // respect to it (see below).
+			 login_prompt_line != failure_line);
+
+		const char* next_prompt = 0;
+		while ( (*prompt != '\0' &&
+			 (next_prompt = IsLoginPrompt(prompt + 1))) ||
+			multi_line_prompt )
+			{
+			if ( ! HaveTypeahead() )
+				{
+				Confused("multiple_login_prompts", line);
+				break;
+				}
+
+			char* pop_str = PopUserText();
+			bool empty = IsEmpty(pop_str);
+			delete [] pop_str;
+
+			if ( multi_line_prompt )
+				break;
+
+			if ( ! empty )
+				{
+				Confused("non_empty_multi_login", line);
+				break;
+				}
+
+			prompt = next_prompt;
+			}
+
+		if ( state == LOGIN_STATE_CONFUSED )
+			return;
+
+		const char* user = GetUsername(prompt);
+		if ( user && ! IsEmpty(user) )
+			{
+			if ( ! HaveTypeahead() )
+				AddUserText(user);
+			}
+
+		login_prompt_line = lines_scanned;
+
+		if ( IsDirectLoginPrompt(line) )
+			{
+			LoginEvent(login_success, line, 1);
+			state = LOGIN_STATE_LOGGED_IN;
+			SetSkip(1);
+			return;
+			}
+		}
+
+	else if ( is_timeout || IsFailureMsg(line) )
+		{
+		if ( num_user_lines_seen > last_failure_num_user_lines )
+			{
+			// The user has typed something since we last
+			// generated a failure event, so it's worth
+			// recording another failure event.
+			//
+			// We can otherwise wind up generating multiple
+			// failure events for sequences like:
+			//
+			//	Error reading command input
+			//	Timeout period expired
+			if ( is_timeout )
+				AddUserText("<timeout>");
+			LoginEvent(login_failure, line);
+			}
+
+		// Set the login prompt line to be here, too, so
+		// that we require MAX_LOGIN_LOOKAHEAD beyond this
+		// point before deciding they've logged in.
+		login_prompt_line = failure_line = lines_scanned;
+		last_failure_num_user_lines = num_user_lines_seen;
+		}
+
+	else if ( IsSkipAuthentication(line) )
+		{
+		if ( authentication_skipped )
+			{
+			val_list* vl = new val_list;
+			vl->append(BuildConnVal());
+			ConnectionEvent(authentication_skipped, vl);
+			}
+
+		state = LOGIN_STATE_SKIP;
+		SetSkip(1);
+		}
+
+	else if ( IsSuccessMsg(line) ||
+		  (login_prompt_line > 0 &&
+		   lines_scanned >
+		   login_prompt_line + MAX_LOGIN_LOOKAHEAD + num_user_text) )
+		{
+		LoginEvent(login_success, line);
+		state = LOGIN_STATE_LOGGED_IN;
+		}
+	}
+
+void Login_Analyzer::SetEnv(bool orig, char* name, char* val)
+	{
+	if ( ! orig )
+		// Why is the responder transmitting its environment??
+		Confused("responder_environment", name);
+
+	else
+		{
+		if ( streq(name, "USER") )
+			{
+			if ( username )
+				{
+				const BroString* u = username->AsString();
+				const byte_vec ub = u->Bytes();
+				const char* us = (const char*) ub;
+				if ( ! streq(val, us) )
+					Confused("multiple_USERs", val);
+				Unref(username);
+				}
+
+			// "val" gets copied here.
+			username = new StringVal(val);
+			}
+
+		else if ( login_terminal && streq(name, "TERM") )
+			{
+			val_list* vl = new val_list;
+
+			vl->append(BuildConnVal());
+			vl->append(new StringVal(val));
+
+			ConnectionEvent(login_terminal, vl);
+			}
+
+		else if ( login_display && streq(name, "DISPLAY") )
+			{
+			val_list* vl = new val_list;
+
+			vl->append(BuildConnVal());
+			vl->append(new StringVal(val));
+
+			ConnectionEvent(login_display, vl);
+			}
+
+		else if ( login_prompt && streq(name, "TTYPROMPT") )
+			{
+			val_list* vl = new val_list;
+
+			vl->append(BuildConnVal());
+			vl->append(new StringVal(val));
+
+			ConnectionEvent(login_prompt, vl);
+			}
+		}
+
+	delete [] name;
+	delete [] val;
+	}
+
+void Login_Analyzer::EndpointEOF(bool orig)
+	{
+	TCP_ApplicationAnalyzer::EndpointEOF(orig);
+
+	if ( state == LOGIN_STATE_AUTHENTICATE && HaveTypeahead() )
+		{
+		LoginEvent(login_success, "<EOF>", 1);
+		state = LOGIN_STATE_LOGGED_IN;
+		}
+	}
+
+void Login_Analyzer::LoginEvent(EventHandlerPtr f, const char* line,
+				int no_user_okay)
+	{
+	if ( ! f )
+		return;
+
+	if ( login_prompt_line > failure_line )
+		{
+		FlushEmptyTypeahead();
+
+		// We should've seen a username.
+		if ( ! HaveTypeahead() )
+			{
+			if ( no_user_okay )
+				{
+				Unref(username);
+				username = new StringVal("<none>");
+				}
+
+			else
+				{
+				Confused("no_username", line);
+				return;
+				}
+			}
+		else
+			{
+			Unref(username);
+			username = PopUserTextVal();
+			}
+		}
+
+	else
+		{
+		// Evidently the system reprompted for a password upon an
+		// earlier failure.  Use the previously-recorded username.
+		if ( ! username )
+			{
+			if ( no_user_okay )
+				{
+				Unref(username);
+				username = new StringVal("<none>");
+				}
+
+			else
+				{
+				Confused("no_username2", line);
+				return;
+				}
+			}
+		}
+
+	Val* password = HaveTypeahead() ?
+				PopUserTextVal() : new StringVal("<none>");
+
+	val_list* vl = new val_list;
+
+	vl->append(BuildConnVal());
+	vl->append(username->Ref());
+	vl->append(client_name ? client_name->Ref() : new StringVal(""));
+	vl->append(password);
+	vl->append(new StringVal(line));
+
+	ConnectionEvent(f, vl);
+	}
+
+const char* Login_Analyzer::GetUsername(const char* line) const
+	{
+	while ( isspace(*line) )
+		++line;
+
+	return line;
+	}
+
+void Login_Analyzer::LineEvent(EventHandlerPtr f, const char* line)
+	{
+	val_list* vl = new val_list;
+
+	vl->append(BuildConnVal());
+	vl->append(new StringVal(line));
+
+	ConnectionEvent(f, vl);
+	}
+
+
+void Login_Analyzer::Confused(const char* msg, const char* line)
+	{
+	state = LOGIN_STATE_CONFUSED;	// to suppress further messages
+
+	if ( login_confused )
+		{
+		val_list* vl = new val_list;
+		vl->append(BuildConnVal());
+		vl->append(new StringVal(msg));
+		vl->append(new StringVal(line));
+
+		ConnectionEvent(login_confused, vl);
+		}
+
+	if ( login_confused_text )
+		{
+		// Send all of the typeahead, and the current line, as
+		// confusion text.
+		while ( HaveTypeahead() )
+			{
+			char* s = PopUserText();
+			ConfusionText(s);
+			delete [] s;
+			}
+
+		ConfusionText(line);
+		}
+	}
+
+void Login_Analyzer::ConfusionText(const char* line)
+	{
+	if ( login_confused_text )
+		{
+		val_list* vl = new val_list;
+		vl->append(BuildConnVal());
+		vl->append(new StringVal(line));
+		ConnectionEvent(login_confused_text, vl);
+		}
+	}
+
+int Login_Analyzer::IsPloy(const char* line)
+	{
+	if ( IsLoginPrompt(line) || IsFailureMsg(line) || IsSuccessMsg(line) ||
+	     IsSkipAuthentication(line) )
+		{
+		saw_ploy = 1;
+		Confused("possible_login_ploy", line);
+		return 1;
+		}
+	else
+		return 0;
+	}
+
+int Login_Analyzer::IsSkipAuthentication(const char* line) const
+	{
+	return re_skip_authentication->MatchAnywhere(line);
+	}
+
+const char* Login_Analyzer::IsLoginPrompt(const char* line) const
+	{
+	int prompt_match = re_login_prompts->MatchAnywhere(line);
+	if ( ! prompt_match || IsFailureMsg(line) )
+		// IRIX can report "login: ERROR: Login incorrect"
+		return 0;
+
+	return &line[prompt_match];
+	}
+
+int Login_Analyzer::IsDirectLoginPrompt(const char* line) const
+	{
+	return re_direct_login_prompts->MatchAnywhere(line);
+	}
+
+int Login_Analyzer::IsFailureMsg(const char* line) const
+	{
+	return re_login_failure_msgs->MatchAnywhere(line) &&
+		! re_login_non_failure_msgs->MatchAnywhere(line);
+	}
+
+int Login_Analyzer::IsSuccessMsg(const char* line) const
+	{
+	return re_login_success_msgs->MatchAnywhere(line);
+	}
+
+int Login_Analyzer::IsTimeout(const char* line) const
+	{
+	return re_login_timeouts->MatchAnywhere(line);
+	}
+
+int Login_Analyzer::IsEmpty(const char* line) const
+	{
+	while ( *line && isspace(*line) )
+		++line;
+
+	return *line == '\0';
+	}
+
+void Login_Analyzer::AddUserText(const char* line)
+	{
+	if ( num_user_text >= MAX_USER_TEXT )
+		Confused("excessive_typeahead", line);
+	else
+		{
+		if ( ++user_text_last == MAX_USER_TEXT )
+			user_text_last = 0;
+
+		user_text[user_text_last] = copy_string(line);
+
+		++num_user_text;
+		}
+	}
+
+char* Login_Analyzer::PeekUserText() const
+	{
+	if ( num_user_text <= 0 )
+		internal_error("underflow in Login_Analyzer::PeekUserText()");
+
+	return user_text[user_text_first];
+	}
+
+char* Login_Analyzer::PopUserText()
+	{
+	char* s = PeekUserText();
+
+	if ( ++user_text_first == MAX_USER_TEXT )
+		user_text_first = 0;
+
+	--num_user_text;
+
+	return s;
+	}
+
+Val* Login_Analyzer::PopUserTextVal()
+	{
+	char* s = PopUserText();
+	BroString* bs = new BroString(1, byte_vec(s), strlen(s));
+	return new StringVal(bs);
+	}
+
+int Login_Analyzer::MatchesTypeahead(const char* line) const
+	{
+	for ( int i = user_text_first, n = 0; n < num_user_text; ++i, ++n )
+		{
+		if ( i == MAX_USER_TEXT )
+			i = 0;
+
+		if ( streq(user_text[i], line) )
+			return 1;
+		}
+
+	return 0;
+	}
+
+void Login_Analyzer::FlushEmptyTypeahead()
+	{
+	while ( HaveTypeahead() && IsEmpty(PeekUserText()) )
+		delete [] PopUserText();
+	}
+
+RE_Matcher* init_RE(ListVal* l)
+	{
+	RE_Matcher* re = l->BuildRE();
+	if ( re )
+		re->Compile();
+
+	return re;
+	}
diff --git a/src/Login.h b/src/Login.h
new file mode 100644
index 0000000000..4bcecb0634
--- /dev/null
+++ b/src/Login.h
@@ -0,0 +1,87 @@
+// $Id: Login.h 6219 2008-10-01 05:39:07Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#ifndef login_h
+#define login_h
+
+#include "TCP.h"
+
+typedef enum {
+	LOGIN_STATE_AUTHENTICATE,	// trying to authenticate
+
+	LOGIN_STATE_LOGGED_IN,	// successful authentication
+	LOGIN_STATE_SKIP,	// skip any further processing
+	LOGIN_STATE_CONFUSED,	// we're confused
+} login_state;
+
+// If no action by this many lines, we're definitely confused.
+#define MAX_AUTHENTICATE_LINES 50
+
+// Maximum # lines look after login for failure.
+#define MAX_LOGIN_LOOKAHEAD 10
+
+class Login_Analyzer : public TCP_ApplicationAnalyzer {
+public:
+	Login_Analyzer(AnalyzerTag::Tag tag, Connection* conn);
+	~Login_Analyzer();
+
+	virtual void DeliverStream(int len, const u_char* data, bool orig);
+
+	virtual void SetEnv(bool orig, char* name, char* val);
+
+	login_state LoginState() const		{ return state; }
+	void SetLoginState(login_state s)	{ state = s; }
+
+	virtual void EndpointEOF(bool is_orig);
+
+protected:
+	void NewLine(bool orig, char* line);
+	void AuthenticationDialog(bool orig, char* line);
+
+	void LoginEvent(EventHandlerPtr f, const char* line, int no_user_okay=0);
+	const char* GetUsername(const char* line) const;
+	void LineEvent(EventHandlerPtr f, const char* line);
+	void Confused(const char* msg, const char* addl);
+	void ConfusionText(const char* line);
+
+	int IsPloy(const char* line);
+	int IsSkipAuthentication(const char* line) const;
+	const char* IsLoginPrompt(const char* line) const;	// nil if not
+	int IsDirectLoginPrompt(const char* line) const;
+	int IsFailureMsg(const char* line) const;
+	int IsSuccessMsg(const char* line) const;
+	int IsTimeout(const char* line) const;
+	int IsEmpty(const char* line) const;
+
+	void AddUserText(const char* line);	// complains on overflow
+	char* PeekUserText() const;	// internal error on underflow
+	char* PopUserText();		// internal error on underflow
+	Val* PopUserTextVal();
+
+	int MatchesTypeahead(const char* line) const;
+	int HaveTypeahead() const	{ return num_user_text > 0; }
+	void FlushEmptyTypeahead();
+
+// If we have more user text than this unprocessed, we complain about
+// excessive typeahead.
+#define MAX_USER_TEXT 12
+	char* user_text[MAX_USER_TEXT];
+	int user_text_first, user_text_last;	// indices into user_text
+	int num_user_text;	// number of entries in user_text
+
+	Val* username;	// last username reported
+	Val* client_name;	// rlogin client name (or nil if none)
+
+	login_state state;
+	int lines_scanned;
+	int num_user_lines_seen;
+	int last_failure_num_user_lines;
+	int login_prompt_line;
+	int failure_line;
+
+	int is_VMS;
+	int saw_ploy;
+};
+
+#endif
diff --git a/src/MIME.cc b/src/MIME.cc
new file mode 100644
index 0000000000..44da01a91e
--- /dev/null
+++ b/src/MIME.cc
@@ -0,0 +1,1468 @@
+// $Id: MIME.cc 5906 2008-07-03 19:52:50Z vern $
+
+#include "config.h"
+
+#include "NetVar.h"
+#include "MIME.h"
+#include "Event.h"
+
+// Here are a few things to do:
+//
+// 1. Add a Bro internal function 'stop_deliver_data_of_entity' so
+// that the engine does not decode and deliver further data for the
+// entity (which may speed up the engine by avoiding copying).
+//
+// 2. Better support for structured header fields, in particular,
+// headers of form: <name>=<value>; <param_1>=<param_val_1>;
+// <param_2>=<param_val_2>; ... (so that
+
+static const data_chunk_t null_data_chunk = { 0, 0 };
+
+int is_null_data_chunk(data_chunk_t b)
+	{
+	return b.data == 0;
+	}
+
+int fputs(data_chunk_t b, FILE* fp)
+	{
+	for ( int i = 0; i < b.length; ++i )
+		if ( fputc(b.data[i], fp) == EOF )
+			return EOF;
+	return 0;
+	}
+
+StringVal* new_string_val(int length, const char* data)
+	{
+	return new StringVal(length, data);
+	}
+
+StringVal* new_string_val(const char* data, const char* end_of_data)
+	{
+	return new StringVal(end_of_data - data, data);
+	}
+
+StringVal* new_string_val(const data_chunk_t buf)
+	{
+	return new_string_val(buf.length, buf.data);
+	}
+
+data_chunk_t get_data_chunk(BroString* s)
+	{
+	data_chunk_t b;
+	b.length = s->Len();
+	b.data = (const char*) s->Bytes();
+	return b;
+	}
+
+int mime_header_only = 0;
+int mime_decode_data = 1;
+int mime_submit_data = 1;
+
+enum MIME_HEADER_FIELDS {
+	MIME_CONTENT_TYPE,
+	MIME_CONTENT_TRANSFER_ENCODING,
+	MIME_FIELD_OTHER,
+};
+
+enum MIME_CONTENT_SUBTYPE {
+	CONTENT_SUBTYPE_MIXED,		// for multipart
+	CONTENT_SUBTYPE_ALTERNATIVE,	// for multipart
+	CONTENT_SUBTYPE_DIGEST,		// for multipart
+
+	CONTENT_SUBTYPE_RFC822,		// for message
+	CONTENT_SUBTYPE_PARTIAL,	// for message
+	CONTENT_SUBTYPE_EXTERNAL_BODY,	// for message
+
+	CONTENT_SUBTYPE_PLAIN,		// for text
+
+	CONTENT_SUBTYPE_OTHER,
+};
+
+enum MIME_CONTENT_ENCODING {
+	CONTENT_ENCODING_7BIT,
+	CONTENT_ENCODING_8BIT,
+	CONTENT_ENCODING_BINARY,
+	CONTENT_ENCODING_QUOTED_PRINTABLE,
+	CONTENT_ENCODING_BASE64,
+	CONTENT_ENCODING_OTHER,
+};
+
+enum MIME_BOUNDARY_DELIMITER {
+	NOT_MULTIPART_BOUNDARY,
+	MULTIPART_BOUNDARY,
+	MULTIPART_CLOSING_BOUNDARY,
+};
+
+static const char* MIMEHeaderName[] = {
+	"content-type",
+	"content-transfer-encoding",
+	0,
+};
+
+static const char* MIMEContentTypeName[] = {
+	"MULTIPART",
+	"MESSAGE",
+	"TEXT",
+	0,
+};
+
+static const char* MIMEContentSubtypeName[] = {
+	"MIXED",		// for multipart
+	"ALTERNATIVE",		// for multipart
+	"DIGEST",		// for multipart
+
+	"RFC822",		// for message
+	"PARTIAL",		// for message
+	"EXTERNAL-BODY",	// for message
+
+	"PLAIN",		// for text
+
+	0,			// other
+};
+
+static const char* MIMEContentEncodingName[] = {
+	"7BIT",
+	"8BIT",
+	"BINARY",
+	"QUOTED-PRINTABLE",
+	"BASE64",
+	0,
+};
+
+
+MIME_Multiline::MIME_Multiline()
+	{
+	line = 0;
+	}
+
+MIME_Multiline::~MIME_Multiline()
+	{
+	delete line;
+	delete_strings(buffer);
+	}
+
+void MIME_Multiline::append(int len, const char* data)
+	{
+	buffer.push_back(new BroString((const u_char*) data, len, 1));
+	}
+
+BroString* MIME_Multiline::get_concatenated_line()
+	{
+	if ( buffer.size() == 0 )
+		return 0;
+
+	delete line;
+	line = concatenate(buffer);
+
+	return line;
+	}
+
+
+MIME_Header::MIME_Header(MIME_Multiline* hl)
+	{
+	lines = hl;
+	name = value = value_token = rest_value = null_data_chunk;
+
+	BroString* s = hl->get_concatenated_line();
+	int len = s->Len();
+	const char* data = (const char*) s->Bytes();
+
+	int offset = MIME_get_field_name(len, data, &name);
+	if ( offset < 0 )
+		return;
+
+	len -= offset; data += offset;
+	offset = MIME_skip_lws_comments(len, data);
+
+	if ( offset < len && data[offset] == ':' )
+		{
+		value.length = len - offset - 1;
+		value.data = data + offset + 1;
+		while ( value.length && isspace(*value.data) )
+			{
+			--value.length;
+			++value.data;
+			}
+		}
+	else
+		// malformed header line
+		name = null_data_chunk;
+	}
+
+MIME_Header::~MIME_Header()
+	{
+	delete lines;
+	}
+
+int MIME_Header::get_first_token()
+	{
+	if ( MIME_get_token(value.length, value.data, &value_token) >= 0 )
+		{
+		rest_value.data = value_token.data + value_token.length;
+		rest_value.length = value.data + value.length - rest_value.data;
+		return 1;
+		}
+	else
+		{
+		value_token = rest_value = null_data_chunk;
+		return 0;
+		}
+	}
+
+data_chunk_t MIME_Header::get_value_token()
+	{
+	if ( ! is_null_data_chunk(value_token) )
+		return value_token;
+	get_first_token();
+	return value_token;
+	}
+
+data_chunk_t MIME_Header::get_value_after_token()
+	{
+	if ( ! is_null_data_chunk(rest_value) )
+		return rest_value;
+	get_first_token();
+	return rest_value;
+	}
+
+MIME_Entity::MIME_Entity(MIME_Message* output_message, MIME_Entity* parent_entity)
+	{
+	init();
+	parent = parent_entity;
+	message = output_message;
+	if ( parent )
+		content_encoding = parent->ContentTransferEncoding();
+	}
+
+void MIME_Entity::init()
+	{
+	in_header = 1;
+	end_of_data = 0;
+
+	current_header_line = 0;
+	current_field_type = MIME_FIELD_OTHER;
+
+	need_to_parse_parameters = 0;
+
+	content_type_str = new StringVal("TEXT");
+	content_subtype_str = new StringVal("PLAIN");
+
+	content_encoding_str = 0;
+	multipart_boundary = 0;
+	content_type = CONTENT_TYPE_TEXT;
+	content_subtype = CONTENT_SUBTYPE_PLAIN;
+	content_encoding = CONTENT_ENCODING_OTHER;
+
+	parent = 0;
+	current_child_entity = 0;
+
+	base64_decoder = 0;
+
+	data_buf_length = 0;
+	data_buf_data = 0;
+	data_buf_offset = -1;
+
+	message = 0;
+	}
+
+MIME_Entity::~MIME_Entity()
+	{
+	if ( ! end_of_data )
+		internal_error("EndOfData must be called before delete a MIME_Entity");
+
+	delete current_header_line;
+	Unref(content_type_str);
+	Unref(content_subtype_str);
+	delete content_encoding_str;
+	delete multipart_boundary;
+
+	for ( unsigned int i = 0; i < headers.size(); ++i )
+		delete headers[i];
+	headers.clear();
+
+	delete base64_decoder;
+	}
+
+void MIME_Entity::Deliver(int len, const char* data, int trailing_CRLF)
+	{
+	if ( in_header )
+		{
+		if ( len == 0 || *data == '\0' )
+			{ // an empty line at the end of header fields
+			FinishHeader();
+			in_header = 0;
+			SubmitAllHeaders();
+
+			// Note: it's possible that we are in the
+			// trailer of a chunked transfer (see HTTP.cc).
+			// In this case, end_of_data will be set in
+			// HTTP_Entity::SubmitAllHeaders(), and we
+			// should not begin a new body.
+
+			if ( ! end_of_data )
+				BeginBody();
+			}
+
+		else if ( is_lws(*data) )
+			// linear whitespace - a continuing header line
+			ContHeader(len, data);
+		else
+			NewHeader(len, data);
+		}
+	else
+		{
+		if ( ! mime_header_only && data )
+			NewDataLine(len, data, trailing_CRLF);
+		}
+	}
+
+void MIME_Entity::BeginBody()
+	{
+	if ( content_encoding == CONTENT_ENCODING_BASE64 )
+		StartDecodeBase64();
+
+	if ( content_type == CONTENT_TYPE_MESSAGE )
+		BeginChildEntity();
+	}
+
+void MIME_Entity::EndOfData()
+	{
+	if ( end_of_data )
+		return;
+
+	end_of_data = 1;
+
+	if ( in_header )
+		{
+		FinishHeader();
+		in_header = 0;
+		SubmitAllHeaders();
+		message->SubmitEvent(MIME_EVENT_ILLEGAL_FORMAT,
+					"entity body missing");
+		}
+
+	else
+		{
+		if ( current_child_entity != 0 )
+			{
+			if ( content_type == CONTENT_TYPE_MULTIPART )
+				IllegalFormat("multipart closing boundary delimiter missing");
+			EndChildEntity();
+			}
+
+		if ( content_encoding == CONTENT_ENCODING_BASE64 )
+			FinishDecodeBase64();
+
+		if ( data_buf_offset > 0 )
+			{
+			SubmitData(data_buf_offset, data_buf_data);
+			data_buf_offset = -1;
+			}
+		}
+
+	message->EndEntity (this);
+	}
+
+void MIME_Entity::NewDataLine(int len, const char* data, int trailing_CRLF)
+	{
+	if ( content_type == CONTENT_TYPE_MULTIPART )
+		{
+		switch ( CheckBoundaryDelimiter(len, data) ) {
+			case MULTIPART_BOUNDARY:
+				if ( current_child_entity != 0 )
+					EndChildEntity();
+				BeginChildEntity();
+				return;
+
+			case MULTIPART_CLOSING_BOUNDARY:
+				if ( current_child_entity != 0 )
+					EndChildEntity();
+				EndOfData();
+				return;
+		}
+		}
+
+	if ( content_type == CONTENT_TYPE_MULTIPART ||
+	     content_type == CONTENT_TYPE_MESSAGE )
+		{
+		// Here we ignore the difference among 7bit, 8bit and
+		// binary encoding, and thus do not need to decode
+		// before passing the data to child.
+
+		if ( current_child_entity != 0 )
+			// Data before the first or after the last
+			// boundary delimiter are ignored
+			current_child_entity->Deliver(len, data, trailing_CRLF);
+		}
+	else
+		{
+		if ( mime_decode_data )
+			DecodeDataLine(len, data, trailing_CRLF);
+		}
+	}
+
+void MIME_Entity::NewHeader(int len, const char* data)
+	{
+	FinishHeader();
+
+	if ( len == 0 )
+		return;
+
+	ASSERT(! is_lws(*data));
+
+	current_header_line = new MIME_Multiline();
+	current_header_line->append(len, data);
+	}
+
+void MIME_Entity::ContHeader(int len, const char* data)
+	{
+	if ( current_header_line == 0 )
+		{
+		IllegalFormat("first header line starts with linear whitespace");
+
+		// shall we try it as a new header or simply ignore this line?
+		int ws = MIME_count_leading_lws(len, data);
+		NewHeader(len - ws, data + ws);
+		return;
+		}
+
+	current_header_line->append(len, data);
+	}
+
+void MIME_Entity::FinishHeader()
+	{
+	if ( current_header_line == 0 )
+		return;
+
+	MIME_Header* h = new MIME_Header(current_header_line);
+	current_header_line = 0;
+
+	if ( ! is_null_data_chunk(h->get_name()) )
+		{
+		ParseMIMEHeader(h);
+		SubmitHeader(h);
+		headers.push_back(h);
+		}
+	else
+		delete h;
+	}
+
+int MIME_Entity::LookupMIMEHeaderName(data_chunk_t name)
+	{
+	// A linear lookup should be fine for now.
+	// header names are case-insensitive (RFC 822, 2822, 2045).
+
+	for ( int i = 0; MIMEHeaderName[i] != 0; ++i )
+		if ( strcasecmp_n(name, MIMEHeaderName[i]) == 0 )
+			return i;
+	return -1;
+	}
+
+void MIME_Entity::ParseMIMEHeader(MIME_Header* h)
+	{
+	if ( h == 0 )
+		return;
+
+	current_field_type = LookupMIMEHeaderName(h->get_name());
+
+	switch ( current_field_type ) {
+		case MIME_CONTENT_TYPE:
+			ParseContentTypeField(h);
+			break;
+
+		case MIME_CONTENT_TRANSFER_ENCODING:
+			ParseContentEncodingField(h);
+			break;
+	}
+	}
+
+int MIME_Entity::ParseContentTypeField(MIME_Header* h)
+	{
+	data_chunk_t val = h->get_value();
+	int len = val.length;
+	const char* data = val.data;
+
+	data_chunk_t ty, subty;
+	int offset;
+
+	offset = MIME_get_slash_token_pair(len, data, &ty, &subty);
+	if ( offset < 0 )
+		{
+		IllegalFormat("media type/subtype not found in content type");
+		return 0;
+		}
+	data += offset;
+	len -= offset;
+
+	Unref(content_type_str);
+	content_type_str = (new StringVal(ty.length, ty.data))->ToUpper();
+	Unref(content_subtype_str);
+	content_subtype_str = (new StringVal(subty.length, subty.data))->ToUpper();
+
+	ParseContentType(ty, subty);
+
+	// Proceed to parameters.
+	if ( need_to_parse_parameters )
+		ParseFieldParameters(len, data);
+
+	if ( content_type == CONTENT_TYPE_MULTIPART && ! multipart_boundary )
+		{
+		IllegalFormat("boundary delimiter is not specified for a multipart entity -- content is treated as type application/octet-stream");
+		content_type = CONTENT_TYPE_OTHER;
+		content_subtype = CONTENT_SUBTYPE_OTHER;
+		}
+
+	return 1;
+	}
+
+int MIME_Entity::ParseContentEncodingField(MIME_Header* h)
+	{
+	data_chunk_t enc;
+
+	enc = h->get_value_token();
+	if ( is_null_data_chunk(enc) )
+		{
+		IllegalFormat("encoding type not found in content encoding");
+		return 0;
+		}
+
+	content_encoding_str = new BroString((const u_char*)enc.data, enc.length, 1);
+	ParseContentEncoding(enc);
+
+	if ( need_to_parse_parameters )
+		{
+		data_chunk_t val = h->get_value_after_token();
+		if ( ! is_null_data_chunk(val) )
+			ParseFieldParameters(val.length, val.data);
+		}
+
+	return 1;
+	}
+
+int MIME_Entity::ParseFieldParameters(int len, const char* data)
+	{
+	data_chunk_t attr;
+	BroString* val;
+
+	while ( 1 )
+		{
+		int offset = MIME_skip_lws_comments(len, data);
+		if ( offset < 0 || offset >= len || data[offset] != ';' )
+			break;
+
+		++offset;
+		data += offset;
+		len -= offset;
+
+		offset = MIME_get_token(len, data, &attr);
+		if ( offset < 0 )
+			{
+			IllegalFormat("attribute name not found in parameter specification");
+			return 0;
+			}
+
+		data += offset;
+		len -= offset;
+
+		offset = MIME_skip_lws_comments(len, data);
+		if ( offset < 0 || offset >= len || data[offset] != '=' )
+			{
+			IllegalFormat("= not found in parameter specification");
+			continue;
+			}
+
+		++offset;
+		data += offset;
+		len -= offset;
+
+		// token or quoted-string
+		offset = MIME_get_value(len, data, val);
+		if ( offset < 0 )
+			{
+			IllegalFormat("value not found in parameter specification");
+			continue;
+			}
+
+		data += offset;
+		len -= offset;
+
+		ParseParameter(attr, get_data_chunk(val));
+		delete val;
+		}
+
+	return 1;
+	}
+
+void MIME_Entity::ParseContentType(data_chunk_t type, data_chunk_t sub_type)
+	{
+	int i;
+	for ( i = 0; MIMEContentTypeName[i]; ++i )
+		if ( strcasecmp_n(type, MIMEContentTypeName[i]) == 0 )
+			break;
+
+	content_type = i;
+
+	for ( i = 0; MIMEContentSubtypeName[i]; ++i )
+		if ( strcasecmp_n(sub_type, MIMEContentSubtypeName[i]) == 0 )
+			break;
+
+	content_subtype = i;
+
+	switch ( content_type ) {
+		case CONTENT_TYPE_MULTIPART:
+		case CONTENT_TYPE_MESSAGE:
+			need_to_parse_parameters = 1;
+			break;
+
+		default:
+			need_to_parse_parameters = 0;
+			break;
+	}
+	}
+
+void MIME_Entity::ParseContentEncoding(data_chunk_t encoding_mechanism)
+	{
+	int i;
+	for ( i = 0; MIMEContentEncodingName[i]; ++i )
+		if ( strcasecmp_n(encoding_mechanism,
+					MIMEContentEncodingName[i]) == 0 )
+			break;
+
+	content_encoding = i;
+	}
+
+void MIME_Entity::ParseParameter(data_chunk_t attr, data_chunk_t val)
+	{
+	switch ( current_field_type ) {
+		case MIME_CONTENT_TYPE:
+			if ( content_type == CONTENT_TYPE_MULTIPART &&
+			     strcasecmp_n(attr, "boundary") == 0 )
+				multipart_boundary = new BroString((const u_char*)val.data, val.length, 1);
+			break;
+
+		case MIME_CONTENT_TRANSFER_ENCODING:
+			break;
+
+		default:
+			break;
+	}
+	}
+
+
+int MIME_Entity::CheckBoundaryDelimiter(int len, const char* data)
+	{
+	if ( ! multipart_boundary )
+		{
+		warn("boundary delimiter was not specified for a multipart message\n");
+		DEBUG_MSG("headers of the MIME entity for debug:\n");
+		DebugPrintHeaders();
+		return NOT_MULTIPART_BOUNDARY;
+		}
+
+	if ( len >= 2 && data[0] == '-' && data[1] == '-' )
+		{
+		len -= 2; data += 2;
+
+		data_chunk_t delim = get_data_chunk(multipart_boundary);
+
+		int i;
+		for ( i = 0; i < len && i < delim.length; ++i )
+			if ( data[i] != delim.data[i] )
+				return NOT_MULTIPART_BOUNDARY;
+
+		if ( i < delim.length )
+			return NOT_MULTIPART_BOUNDARY;
+
+		len -= i;
+		data += i;
+
+		if ( len >= 2 && data[0] == '-' && data[1] == '-' )
+			return MULTIPART_CLOSING_BOUNDARY;
+		else
+			return MULTIPART_BOUNDARY;
+		}
+
+	return NOT_MULTIPART_BOUNDARY;
+	}
+
+
+// trailing_CRLF indicates whether an implicit CRLF sequence follows data
+// (the CRLF sequence is not included in data).
+
+void MIME_Entity::DecodeDataLine(int len, const char* data, int trailing_CRLF)
+	{
+	if ( ! mime_submit_data )
+		return;
+
+	switch ( content_encoding ) {
+		case CONTENT_ENCODING_QUOTED_PRINTABLE:
+			DecodeQuotedPrintable(len, data);
+			break;
+
+		case CONTENT_ENCODING_BASE64:
+			DecodeBase64(len, data);
+			break;
+
+		case CONTENT_ENCODING_7BIT:
+		case CONTENT_ENCODING_8BIT:
+		case CONTENT_ENCODING_BINARY:
+		case CONTENT_ENCODING_OTHER:
+			DecodeBinary(len, data, trailing_CRLF);
+			break;
+	}
+	}
+
+void MIME_Entity::DecodeBinary(int len, const char* data, int trailing_CRLF)
+	{
+	DataOctets(len, data);
+
+	if ( trailing_CRLF )
+		{
+		DataOctet(CR);
+		DataOctet(LF);
+		}
+	}
+
+void MIME_Entity::DecodeQuotedPrintable(int len, const char* data)
+	{
+	// Ignore trailing HT and SP.
+	int i;
+	for ( i = len - 1; i >= 0; --i )
+		if ( data[i] != HT && data[i] != SP )
+			break;
+
+	int end_of_line = i;
+	int soft_line_break = 0;
+
+	for ( i = 0; i <= end_of_line; ++i )
+		{
+		if ( data[i] == '=' )
+			{
+			if ( i == end_of_line )
+				soft_line_break = 1;
+			else
+				{
+				int legal = 0;
+				if ( i + 2 < len )
+					{
+					int a, b;
+					a = decode_hex(data[i+1]);
+					b = decode_hex(data[i+2]);
+
+					if ( a >= 0 && b >= 0 )
+						{
+						DataOctet((a << 4) + b);
+						legal = 1;
+						}
+					}
+
+				if ( ! legal )
+					{
+					// Follows suggestions for a robust
+					// decoder. See RFC 2045 page 22.
+					IllegalEncoding("= is not followed by two hexadecimal digits in quoted-printable encoding");
+					DataOctet(data[i]);
+					}
+				}
+			}
+
+		else if ( (data[i] >= 33 && data[i] <= 60) ||
+			   // except controls, whitespace and '='
+			  (data[i] >= 62 && data[i] <= 126) )
+			DataOctet(data[i]);
+
+		else if ( data[i] == HT || data[i] == SP )
+			DataOctet(data[i]);
+
+		else
+			{
+			IllegalEncoding(fmt("control characters in quoted-printable encoding: %d", (int) (data[i])));
+			DataOctet(data[i]);
+			}
+		}
+
+	if ( ! soft_line_break )
+		{
+		DataOctet(CR);
+		DataOctet(LF);
+		}
+	}
+
+void MIME_Entity::DecodeBase64(int len, const char* data)
+	{
+	int rlen;
+	char rbuf[128];
+
+	while ( len > 0 )
+		{
+		rlen = 128;
+		char* prbuf = rbuf;
+		int decoded = base64_decoder->Decode(len, data, &rlen, &prbuf);
+		if ( prbuf != rbuf )
+			internal_error("buffer pointer modified in base64 decoding");
+		DataOctets(rlen, rbuf);
+		len -= decoded; data += decoded;
+		}
+	}
+
+void MIME_Entity::StartDecodeBase64()
+	{
+	if ( base64_decoder )
+		internal_error("previous Base64 decoder not released!");
+
+	base64_decoder = new Base64Decoder(message->GetAnalyzer());
+	}
+
+void MIME_Entity::FinishDecodeBase64()
+	{
+	if ( ! base64_decoder )
+		return;
+
+	int rlen = 128;
+	char rbuf[128];
+	char* prbuf = rbuf;
+
+	if ( base64_decoder->Done(&rlen, &prbuf) )
+		{ // some remaining data
+		if ( prbuf != rbuf )
+			internal_error("buffer pointer modified in base64 decoding");
+		if ( rlen > 0 )
+			DataOctets(rlen, rbuf);
+		}
+
+	delete base64_decoder;
+	base64_decoder = 0;
+	}
+
+int MIME_Entity::GetDataBuffer()
+	{
+	int ret = message->RequestBuffer(&data_buf_length, &data_buf_data);
+	if ( ! ret || data_buf_length == 0 || data_buf_data == 0 )
+		{
+		// internal_error("cannot get data buffer from MIME_Message", "");
+		return 0;
+		}
+
+	data_buf_offset = 0;
+	return 1;
+	}
+
+void MIME_Entity::DataOctet(char ch)
+	{
+	if ( data_buf_offset < 0 && ! GetDataBuffer() )
+		return;
+
+	data_buf_data[data_buf_offset] = ch;
+
+	++data_buf_offset;
+	if ( data_buf_offset == data_buf_length )
+		{
+		SubmitData(data_buf_length, data_buf_data);
+		data_buf_offset = -1;
+		}
+	}
+
+void MIME_Entity::SubmitData(int len, const char* buf)
+	{
+	message->SubmitData(len, buf);
+	}
+
+void MIME_Entity::DataOctets(int len, const char* data)
+	{
+	while ( len > 0 )
+		{
+		if ( data_buf_offset < 0 && ! GetDataBuffer() )
+			return;
+
+		while ( data_buf_offset < data_buf_length && len > 0 )
+			{
+			data_buf_data[data_buf_offset++] = *data;
+			++data; --len;
+			}
+
+		if ( data_buf_offset == data_buf_length )
+			{
+			SubmitData(data_buf_length, data_buf_data);
+			data_buf_offset = -1;
+			}
+		}
+	}
+
+void MIME_Entity::SubmitHeader(MIME_Header* h)
+	{
+	message->SubmitHeader(h);
+	}
+
+void MIME_Entity::SubmitAllHeaders()
+	{
+	message->SubmitAllHeaders(headers);
+	}
+
+void MIME_Entity::BeginChildEntity()
+	{
+	ASSERT(current_child_entity == 0);
+	current_child_entity = NewChildEntity();
+	message->BeginEntity(current_child_entity);
+	}
+
+void MIME_Entity::EndChildEntity()
+	{
+	ASSERT(current_child_entity != 0);
+
+	current_child_entity->EndOfData();
+	delete current_child_entity;
+	current_child_entity = 0;
+	}
+
+void MIME_Entity::IllegalFormat(const char* explanation)
+	{
+	message->SubmitEvent(MIME_EVENT_ILLEGAL_FORMAT, explanation);
+	}
+
+void MIME_Entity::IllegalEncoding(const char* explanation)
+	{
+	message->SubmitEvent(MIME_EVENT_ILLEGAL_ENCODING, explanation);
+	}
+
+void MIME_Entity::DebugPrintHeaders()
+	{
+#ifdef DEBUG_BRO
+	for ( unsigned int i = 0; i < headers.size(); ++i )
+		{
+		MIME_Header* h = headers[i];
+
+		DEBUG_fputs(h->get_name(), stderr);
+		DEBUG_MSG(":\"");
+		DEBUG_fputs(h->get_value(), stderr);
+		DEBUG_MSG("\"\n");
+		}
+#endif
+	}
+
+RecordVal* MIME_Message::BuildHeaderVal(MIME_Header* h)
+	{
+	RecordVal* header_record = new RecordVal(mime_header_rec);
+	header_record->Assign(0, new_string_val(h->get_name())->ToUpper());
+	header_record->Assign(1, new_string_val(h->get_value()));
+	return header_record;
+	}
+
+TableVal* MIME_Message::BuildHeaderTable(MIME_HeaderList& hlist)
+	{
+	TableVal* t = new TableVal(mime_header_list);
+
+	for ( unsigned int i = 0; i < hlist.size(); ++i )
+		{
+		Val* index = new Val(i+1, TYPE_COUNT);	// index starting from 1
+
+		MIME_Header* h = hlist[i];
+		RecordVal* header_record = BuildHeaderVal(h);
+
+		t->Assign(index, header_record);
+
+		Unref(index);
+		}
+
+	return t;
+	}
+
+MIME_Mail::MIME_Mail(Analyzer* mail_analyzer, int buf_size)
+: MIME_Message(mail_analyzer)
+	{
+	analyzer = mail_analyzer;
+
+	min_overlap_length = mime_segment_overlap_length;
+	max_chunk_length = mime_segment_length;
+	int length = buf_size;
+
+	if ( min_overlap_length < 0 )
+		min_overlap_length = 0;
+
+	if ( max_chunk_length < min_overlap_length + 32 )
+		max_chunk_length = min_overlap_length + 32;
+
+	if ( length < max_chunk_length )
+		length = max_chunk_length;
+
+	buffer_start = data_start = 0;
+	data_buffer = new BroString(1, new u_char[length+1], length);
+
+	if ( mime_content_hash )
+		{
+		compute_content_hash = 1;
+		content_hash_length = 0;
+		md5_init(&md5_hash);
+		}
+	else
+		compute_content_hash = 0;
+
+	top_level = new MIME_Entity(this, 0);	// to be changed to MIME_Mail
+	BeginEntity(top_level);
+	}
+
+void MIME_Mail::Done()
+	{
+	top_level->EndOfData();
+
+	SubmitAllData();
+
+	if ( compute_content_hash && mime_content_hash )
+		{
+		u_char* digest = new u_char[16];
+		md5_finish(&md5_hash, digest);
+
+		val_list* vl = new val_list;
+		vl->append(analyzer->BuildConnVal());
+		vl->append(new Val(content_hash_length, TYPE_COUNT));
+		vl->append(new StringVal(new BroString(1, digest, 16)));
+		analyzer->ConnectionEvent(mime_content_hash, vl);
+		}
+
+	MIME_Message::Done();
+	}
+
+MIME_Mail::~MIME_Mail()
+	{
+	delete_strings(all_content);
+	delete data_buffer;
+	delete top_level;
+	}
+
+void MIME_Mail::BeginEntity(MIME_Entity* /* entity */)
+	{
+	if ( mime_begin_entity )
+		{
+		val_list* vl = new val_list;
+		vl->append(analyzer->BuildConnVal());
+		analyzer->ConnectionEvent(mime_begin_entity, vl);
+		}
+	buffer_start = data_start = 0;
+	ASSERT(entity_content.size() == 0);
+	}
+
+void MIME_Mail::EndEntity(MIME_Entity* /* entity */)
+	{
+	if ( mime_entity_data )
+		{
+		BroString* s = concatenate(entity_content);
+
+		val_list* vl = new val_list();
+		vl->append(analyzer->BuildConnVal());
+		vl->append(new Val(s->Len(), TYPE_COUNT));
+		vl->append(new StringVal(s));
+
+		analyzer->ConnectionEvent(mime_entity_data, vl);
+
+		if ( ! mime_all_data )
+			delete_strings(entity_content);
+		else
+			entity_content.clear();
+		}
+
+	if ( mime_end_entity )
+		{
+		val_list* vl = new val_list;
+		vl->append(analyzer->BuildConnVal());
+		analyzer->ConnectionEvent(mime_end_entity, vl);
+		}
+	}
+
+void MIME_Mail::SubmitHeader(MIME_Header* h)
+	{
+	if ( mime_one_header )
+		{
+		val_list* vl = new val_list();
+		vl->append(analyzer->BuildConnVal());
+		vl->append(BuildHeaderVal(h));
+		analyzer->ConnectionEvent(mime_one_header, vl);
+		}
+	}
+
+void MIME_Mail::SubmitAllHeaders(MIME_HeaderList& hlist)
+	{
+	if ( mime_all_headers )
+		{
+		val_list* vl = new val_list();
+		vl->append(analyzer->BuildConnVal());
+		vl->append(BuildHeaderTable(hlist));
+		analyzer->ConnectionEvent(mime_all_headers, vl);
+		}
+	}
+
+void MIME_Mail::SubmitData(int len, const char* buf)
+	{
+	if ( buf != (char*) data_buffer->Bytes() + buffer_start )
+		internal_error("buffer misalignment");
+
+	if ( compute_content_hash )
+		{
+		content_hash_length += len;
+		md5_append(&md5_hash, (const u_char*) buf, len);
+		}
+
+	if ( mime_entity_data || mime_all_data )
+		{
+		BroString* s = new BroString((const u_char*) buf, len, 0);
+
+		if ( mime_entity_data )
+			entity_content.push_back(s);
+		if ( mime_all_data )
+			all_content.push_back(s);
+		}
+
+	if ( mime_segment_data )
+		{
+		const char* data = (char*) data_buffer->Bytes() + data_start;
+		int data_len = (buf + len) - data;
+
+		val_list* vl = new val_list();
+		vl->append(analyzer->BuildConnVal());
+		vl->append(new Val(data_len, TYPE_COUNT));
+		vl->append(new StringVal(data_len, data));
+		analyzer->ConnectionEvent(mime_segment_data, vl);
+		}
+
+	buffer_start = (buf + len) - (char*)data_buffer->Bytes();
+	}
+
+int MIME_Mail::RequestBuffer(int* plen, char** pbuf)
+	{
+	data_start = buffer_start - min_overlap_length;
+	if ( data_start < 0 )
+		data_start = 0;
+
+	int overlap = buffer_start - data_start;
+	int buffer_end = data_start + max_chunk_length;
+	if ( buffer_end > data_buffer->Len() )
+		{
+		// Copy every thing in [data_start, buffer_start) to
+		// [0, overlap).
+		if ( buffer_start > data_start )
+			memcpy(data_buffer->Bytes(),
+				data_buffer->Bytes() + data_start, overlap);
+		data_start = 0;
+		buffer_start = overlap;
+		}
+
+	*plen = max_chunk_length - overlap;
+	*pbuf = (char*) data_buffer->Bytes() + buffer_start;
+
+	return 1;
+	}
+
+void MIME_Mail::SubmitAllData()
+	{
+	if ( mime_all_data )
+		{
+		BroString* s = concatenate(all_content);
+		delete_strings(all_content);
+
+		val_list* vl = new val_list();
+		vl->append(analyzer->BuildConnVal());
+		vl->append(new Val(s->Len(), TYPE_COUNT));
+		vl->append(new StringVal(s));
+
+		analyzer->ConnectionEvent(mime_all_data, vl);
+		}
+	}
+
+void MIME_Mail::SubmitEvent(int event_type, const char* detail)
+	{
+	const char* category = "";
+
+	switch ( event_type ) {
+		case MIME_EVENT_ILLEGAL_FORMAT:
+			category = "illegal format";
+			break;
+
+		case MIME_EVENT_ILLEGAL_ENCODING:
+			category = "illegal encoding";
+			break;
+
+		default:
+			internal_error("unrecognized MIME_Mail event");
+	}
+
+	if ( mime_event )
+		{
+		val_list* vl = new val_list();
+		vl->append(analyzer->BuildConnVal());
+		vl->append(new StringVal(category));
+		vl->append(new StringVal(detail));
+		analyzer->ConnectionEvent(mime_event, vl);
+		}
+	}
+
+
+int strcasecmp_n(data_chunk_t s, const char* t)
+	{
+	return strcasecmp_n(s.length, s.data, t);
+	}
+
+int is_lws(char ch)
+	{
+	return ch == 9 || ch == 32;
+	}
+
+int MIME_count_leading_lws(int len, const char* data)
+	{
+	int i;
+	for ( i = 0; i < len; ++i )
+		if ( ! is_lws(data[i]) )
+			break;
+	return i;
+	}
+
+int MIME_count_trailing_lws(int len, const char* data)
+	{
+	int i;
+	for ( i = 0; i < len; ++i )
+		if ( ! is_lws(data[len - 1 - i]) )
+			break;
+	return i;
+	}
+
+// See RFC 2822, page 11
+int MIME_skip_comments(int len, const char* data)
+	{
+	if ( len == 0 || data[0] != '(' )
+		return 0;
+
+	int par = 0;
+	for ( int i = 0; i < len; ++i )
+		{
+		switch ( data[i] ) {
+		case '(':
+			++par;
+			break;
+
+		case ')':
+			--par;
+			if ( par == 0 )
+				return i + 1;
+			break;
+
+		case '\\':
+			++i;
+			break;
+		}
+		}
+
+	return len;
+	}
+
+// Skip over lws and comments, but not tspecials. Do not use this
+// function in quoted-string or comments.
+int MIME_skip_lws_comments(int len, const char* data)
+	{
+	int i = 0;
+	while ( i < len )
+		{
+		if ( is_lws(data[i]) )
+			++i;
+		else
+			{
+			if ( data[i] == '(' )
+				i += MIME_skip_comments(len - i, data + i);
+			else
+				return i;
+			}
+		}
+
+	return len;
+	}
+
+int MIME_get_field_name(int len, const char* data, data_chunk_t* name)
+	{
+	int i = MIME_skip_lws_comments(len, data);
+	while ( i < len )
+		{
+		int j;
+		if ( MIME_is_field_name_char(data[i]) )
+			{
+			name->data = data + i;
+
+			for ( j = i; j < len; ++j )
+				if ( ! MIME_is_field_name_char(data[j]) )
+					break;
+
+			name->length = j - i;
+			return j;
+			}
+
+		j = MIME_skip_lws_comments(len - i, data + i);
+		i += (j > 0) ? j : 1;
+		}
+
+	return -1;
+	}
+
+// See RFC 2045, page 12.
+int MIME_is_tspecial (char ch)
+	{
+	return ch == '(' || ch == ')' || ch == '<' || ch == '>' || ch == '@' ||
+	       ch == ',' || ch == ';' || ch == ':' || ch == '\\' || ch == '"' ||
+	       ch == '/' || ch == '[' || ch == ']' || ch == '?' || ch == '=';
+	}
+
+int MIME_is_field_name_char (char ch)
+	{
+	return ch >= 33 && ch <= 126 && ch != ':';
+	}
+
+int MIME_is_token_char (char ch)
+	{
+	return ch >= 33 && ch <= 126 && ! MIME_is_tspecial(ch);
+	}
+
+// See RFC 2045, page 12.
+// A token is composed of characters that are not SPACE, CTLs or tspecials
+int MIME_get_token(int len, const char* data, data_chunk_t* token)
+	{
+	int i = MIME_skip_lws_comments(len, data);
+	while ( i < len )
+		{
+		int j;
+
+		if ( MIME_is_token_char(data[i]) )
+			{
+			token->data = (data + i);
+			for ( j = i; j < len; ++j )
+				{
+				if ( ! MIME_is_token_char(data[j]) )
+					break;
+				}
+
+			token->length = j - i;
+			return j;
+			}
+
+		j = MIME_skip_lws_comments(len - i, data + i);
+		i += (j > 0) ? j : 1;
+		}
+
+	return -1;
+	}
+
+int MIME_get_slash_token_pair(int len, const char* data, data_chunk_t* first, data_chunk_t* second)
+	{
+	int offset;
+	const char* data_start = data;
+
+	offset = MIME_get_token(len, data, first);
+	if ( offset < 0 )
+		{
+		// DEBUG_MSG("first token missing in slash token pair");
+		return -1;
+		}
+
+	data += offset;
+	len -= offset;
+
+	offset = MIME_skip_lws_comments(len, data);
+	if ( offset < 0 || offset >= len || data[offset] != '/' )
+		{
+		// DEBUG_MSG("/ not found in slash token pair");
+		return -1;
+		}
+
+	++offset;
+	data += offset;
+	len -= offset;
+
+	offset = MIME_get_token(len, data, second);
+	if ( offset < 0 )
+		{
+		// DEBUG_MSG("second token missing in slash token pair");
+		return -1;
+		}
+
+	data += offset;
+	len -= offset;
+
+	return data - data_start;
+	}
+
+// See RFC 2822, page 13.
+int MIME_get_quoted_string(int len, const char* data, data_chunk_t* str)
+	{
+	int offset = MIME_skip_lws_comments(len, data);
+
+	len -= offset;
+	data += offset;
+
+	if ( len <= 0 || *data != '"' )
+		return -1;
+
+	for ( int i = 1; i < len; ++i )
+		{
+		switch ( data[i] ) {
+		case '"':
+			str->data = data + 1;
+			str->length = i - 1;
+			return offset + i + 1;
+
+		case '\\':
+			++i;
+			break;
+		}
+		}
+
+	return -1;
+	}
+
+int MIME_get_value(int len, const char* data, BroString*& buf)
+	{
+	int offset = MIME_skip_lws_comments(len, data);
+
+	len -= offset;
+	data += offset;
+
+	if ( len > 0 && *data == '"' )
+		{
+		data_chunk_t str;
+		int end = MIME_get_quoted_string(len, data, &str);
+		if ( end < 0 )
+			return -1;
+
+		buf = MIME_decode_quoted_pairs(str);
+		return offset + end;
+		}
+
+	else
+		{
+		data_chunk_t str;
+		int end = MIME_get_token(len, data, &str);
+		if ( end < 0 )
+			return -1;
+
+		buf = new BroString((const u_char*)str.data, str.length, 1);
+		return offset + end;
+		}
+	}
+
+// Decode each quoted-pair: a '\' followed by a character by the
+// quoted character. The decoded string is returned.
+
+BroString* MIME_decode_quoted_pairs(data_chunk_t buf)
+	{
+	const char* data = buf.data;
+	char* dest = new char[buf.length+1];
+	int j = 0;
+	for ( int i = 0; i < buf.length; ++i )
+		if ( data[i] == '\\' )
+			{
+			if ( ++i < buf.length )
+				dest[j++] = data[i];
+			else
+				{
+				// a trailing '\' -- don't know what
+				// to do with it -- ignore it.
+				}
+			}
+		else
+			dest[j++] = data[i];
+	dest[j] = 0;
+
+	return new BroString(1, (byte_vec) dest, j);
+	}
diff --git a/src/MIME.h b/src/MIME.h
new file mode 100644
index 0000000000..c55cdcb42b
--- /dev/null
+++ b/src/MIME.h
@@ -0,0 +1,278 @@
+// $Id: MIME.h 3526 2006-09-12 07:32:21Z vern $
+
+#ifndef mime_h
+#define mime_h
+
+#include <assert.h>
+
+#include <stdio.h>
+#include <vector>
+#include <queue>
+using namespace std;
+
+#include "md5.h"
+#include "Base64.h"
+#include "BroString.h"
+#include "Analyzer.h"
+
+// MIME: Multipurpose Internet Mail Extensions
+// Follows RFC 822 & 2822 (Internet Mail), 2045-2049 (MIME)
+// See related files: SMTP.h and SMTP.cc
+
+// MIME Constants
+
+#define HT	'\011'
+#define SP	'\040'
+#define CR	'\015'
+#define LF	'\012'
+
+enum MIME_CONTENT_TYPE {
+	CONTENT_TYPE_MULTIPART,
+	CONTENT_TYPE_MESSAGE,
+	CONTENT_TYPE_TEXT,
+	CONTENT_TYPE_OTHER,	// image | audio | video | application | <other>
+};
+
+enum MIME_EVENT_TYPE {
+	MIME_EVENT_ILLEGAL_FORMAT,
+	MIME_EVENT_ILLEGAL_ENCODING,
+	MIME_EVENT_CONTENT_GAP,
+	MIME_EVENT_OTHER,
+};
+
+
+
+// MIME data structures.
+
+class MIME_Multiline;
+class MIME_Header;
+class MIME_Body;
+class MIME_Entity;	// an "entity" contains headers and a body
+class MIME_Mail;
+class MIME_Message;
+
+class MIME_Multiline {
+public:
+	MIME_Multiline();
+	~MIME_Multiline();
+
+	void append(int len, const char* data);
+	BroString* get_concatenated_line();
+
+protected:
+	vector<const BroString*> buffer;
+	BroString* line;
+};
+
+class MIME_Header {
+public:
+	MIME_Header(MIME_Multiline* hl);
+	~MIME_Header();
+
+	data_chunk_t get_name() const	{ return name; }
+	data_chunk_t get_value() const	{ return value; }
+
+	data_chunk_t get_value_token();
+	data_chunk_t get_value_after_token();
+
+protected:
+	int get_first_token();
+
+	MIME_Multiline* lines;
+	data_chunk_t name;
+	data_chunk_t value;
+	data_chunk_t value_token, rest_value;
+};
+
+
+// declare(PList, MIME_Header);
+typedef vector<MIME_Header*> MIME_HeaderList;
+
+class MIME_Entity {
+public:
+	MIME_Entity(MIME_Message* output_message, MIME_Entity* parent_entity);
+	virtual ~MIME_Entity();
+
+	virtual void Deliver(int len, const char* data, int trailing_CRLF);
+	virtual void EndOfData();
+
+	MIME_Entity* Parent() const { return parent; }
+	StringVal* ContentType() const { return content_type_str; }
+	StringVal* ContentSubType() const { return content_subtype_str; }
+	int ContentTransferEncoding() const { return content_encoding; }
+
+protected:
+	void init();
+
+	// {begin, continuation, end} of a header.
+	void NewHeader(int len, const char* data);
+	void ContHeader(int len, const char* data);
+	void FinishHeader();
+
+	void ParseMIMEHeader(MIME_Header* h);
+	int LookupMIMEHeaderName(data_chunk_t name);
+	int ParseContentTypeField(MIME_Header* h);
+	int ParseContentEncodingField(MIME_Header* h);
+	int ParseFieldParameters(int len, const char* data);
+
+	void ParseContentType(data_chunk_t type, data_chunk_t sub_type);
+	void ParseContentEncoding(data_chunk_t encoding_mechanism);
+	void ParseParameter(data_chunk_t attr, data_chunk_t val);
+
+	void BeginBody();
+	void NewDataLine(int len, const char* data, int trailing_CRLF);
+
+	int CheckBoundaryDelimiter(int len, const char* data);
+	void DecodeDataLine(int len, const char* data, int trailing_CRLF);
+	void DecodeBinary(int len, const char* data, int trailing_CRLF);
+	void DecodeQuotedPrintable(int len, const char* data);
+	void DecodeBase64(int len, const char* data);
+	void StartDecodeBase64();
+	void FinishDecodeBase64();
+
+	int GetDataBuffer();
+	void DataOctet(char ch);
+	void DataOctets(int len, const char* data);
+	void SubmitData(int len, const char* buf);
+
+	virtual void SubmitHeader(MIME_Header* h);
+	// Submit all headers in member "headers".
+	virtual void SubmitAllHeaders();
+
+	virtual MIME_Entity* NewChildEntity() { return new MIME_Entity(message, this); }
+	void BeginChildEntity();
+	void EndChildEntity();
+
+	void IllegalFormat(const char* explanation);
+	void IllegalEncoding(const char* explanation);
+
+	void DebugPrintHeaders();
+
+	int in_header;
+	int end_of_data;
+	MIME_Multiline* current_header_line;
+	int current_field_type;
+	int need_to_parse_parameters;
+
+	StringVal* content_type_str;
+	StringVal* content_subtype_str;
+	BroString* content_encoding_str;
+	BroString* multipart_boundary;
+
+	int content_type, content_subtype, content_encoding;
+
+	MIME_HeaderList headers;
+	MIME_Entity* parent;
+	MIME_Entity* current_child_entity;
+
+	Base64Decoder* base64_decoder;
+
+	int data_buf_length;
+	char* data_buf_data;
+	int data_buf_offset;
+
+	MIME_Message* message;
+};
+
+// The reason I separate MIME_Message as an abstract class is to
+// present the *interface* separated from its implementation to
+// generate Bro events.
+
+class MIME_Message {
+public:
+	MIME_Message(Analyzer* arg_analyzer)
+		{
+		// Cannot initialize top_level entity because we do
+		// not know its type yet (MIME_Entity / MIME_Mail /
+		// etc.).
+		top_level = 0;
+		finished = 0;
+		analyzer = arg_analyzer;
+		}
+
+	virtual ~MIME_Message()
+		{
+		if ( ! finished )
+			internal_error("Done() must be called before destruction");
+		}
+
+	virtual void Done()	{ finished = 1; }
+
+	int Finished() const	{ return finished; }
+
+	virtual void Deliver(int len, const char* data, int trailing_CRLF)
+		{
+		top_level->Deliver(len, data, trailing_CRLF);
+		}
+
+	Analyzer* GetAnalyzer() const	{ return analyzer; }
+
+	// Events generated by MIME_Entity
+	virtual void BeginEntity(MIME_Entity*) = 0;
+	virtual void EndEntity(MIME_Entity*) = 0;
+	virtual void SubmitHeader(MIME_Header* h) = 0;
+	virtual void SubmitAllHeaders(MIME_HeaderList& hlist) = 0;
+	virtual void SubmitData(int len, const char* buf) = 0;
+	virtual int RequestBuffer(int* plen, char** pbuf) = 0;
+	virtual void SubmitEvent(int event_type, const char* detail) = 0;
+
+protected:
+	Analyzer* analyzer;
+
+	MIME_Entity* top_level;
+	int finished;
+
+	RecordVal* BuildHeaderVal(MIME_Header* h);
+	TableVal* BuildHeaderTable(MIME_HeaderList& hlist);
+};
+
+class MIME_Mail : public MIME_Message {
+public:
+	MIME_Mail(Analyzer* mail_conn, int buf_size = 0);
+	~MIME_Mail();
+	void Done();
+
+	void BeginEntity(MIME_Entity* entity);
+	void EndEntity(MIME_Entity* entity);
+	void SubmitHeader(MIME_Header* h);
+	void SubmitAllHeaders(MIME_HeaderList& hlist);
+	void SubmitData(int len, const char* buf);
+	int RequestBuffer(int* plen, char** pbuf);
+	void SubmitAllData();
+	void SubmitEvent(int event_type, const char* detail);
+
+protected:
+	int min_overlap_length;
+	int max_chunk_length;
+	int buffer_start;
+	int data_start;
+	int buffer_offset;
+	int compute_content_hash;
+	int content_hash_length;
+	md5_state_t md5_hash;
+	vector<const BroString*> entity_content;
+	vector<const BroString*> all_content;
+
+	BroString* data_buffer;
+};
+
+
+extern int is_null_data_chunk(data_chunk_t b);
+extern StringVal* new_string_val(int length, const char* data);
+extern StringVal* new_string_val(const char* data, const char* end_of_data);
+extern StringVal* new_string_val(const data_chunk_t buf);
+extern int fputs(data_chunk_t b, FILE* fp);
+extern int strcasecmp_n(data_chunk_t s, const char* t);
+extern int is_lws(char ch);
+extern int MIME_is_field_name_char(char ch);
+extern int MIME_count_leading_lws(int len, const char* data);
+extern int MIME_count_trailing_lws(int len, const char* data);
+extern int MIME_skip_comments(int len, const char* data);
+extern int MIME_skip_lws_comments(int len, const char* data);
+extern int MIME_get_token(int len, const char* data, data_chunk_t* token);
+extern int MIME_get_slash_token_pair(int len, const char* data, data_chunk_t* first, data_chunk_t* second);
+extern int MIME_get_value(int len, const char* data, BroString*& buf);
+extern int MIME_get_field_name(int len, const char* data, data_chunk_t* name);
+extern BroString* MIME_decode_quoted_pairs(data_chunk_t buf);
+
+#endif
diff --git a/src/Makefile.am b/src/Makefile.am
new file mode 100644
index 0000000000..48aa6536a8
--- /dev/null
+++ b/src/Makefile.am
@@ -0,0 +1,410 @@
+## Process this file with automake to produce Makefile.in
+#
+#  Copyright (c) 1997-2005
+#	The Regents of the University of California.  All rights reserved.
+#
+#  Redistribution and use in source and binary forms, with or without
+#  modification, are permitted provided that: (1) source code distributions
+#  retain the above copyright notice and this paragraph in its entirety, (2)
+#  distributions including binary code include the above copyright notice and
+#  this paragraph in its entirety in the documentation or other materials
+#  provided with the distribution, and (3) all advertising materials mentioning
+#  features or use of this software display the following acknowledgement:
+#  ``This product includes software developed by the University of California,
+#  Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
+#  the University nor the names of its contributors may be used to endorse
+#  or promote products derived from this software without specific prior
+#  written permission.
+#  THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
+#  WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
+#  MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
+#
+#  $Id: Makefile.am 6588 2009-02-17 00:02:53Z vern $
+#
+#
+
+noinst_PROGRAMS = bifcl
+bin_PROGRAMS = bro
+
+bifcl_SOURCES = bif_lex.cc bif_parse.cc bif_arg.cc
+
+BINPAC_SRC = binpac-lib.pac binpac_bro-lib.pac bittorrent.pac \
+	dce_rpc.pac dce_rpc_simple.pac dhcp.pac dns.pac \
+	dns_tcp.pac http.pac ncp.pac netflow.pac rpc.pac smb.pac \
+	ssl.pac ssl-record-layer.pac
+
+BINPAC_H = $(BINPAC_SRC:.pac=_pac.h)
+BINPAC_CC = $(BINPAC_SRC:.pac=_pac.cc)
+BINPAC_AUXSRC = binpac.pac bro.pac binpac_bro.h
+
+BINPAC_RPC_AUXSRC = \
+	bittorrent-protocol.pac bittorrent-analyzer.pac \
+	dce_rpc-analyzer.pac dce_rpc-protocol.pac \
+	dhcp-analyzer.pac dhcp-protocol.pac \
+	dns-analyzer.pac dns-protocol.pac \
+	epmapper.pac \
+	http-analyzer.pac http-protocol.pac http.pac \
+	netflow-protocol.pac netflow-analyzer.pac \
+	portmap-protocol.pac portmap-analyzer.pac \
+	rpc-protocol.pac rpc-analyzer.pac \
+	smb-protocol.pac smb-mailslot.pac smb-pipe.pac \
+	ssl.pac ssl-analyzer.pac ssl-defs.pac \
+	ssl-protocol.pac ssl-record-layer.pac
+
+BINPAC = @BINPAC@
+BINPAC_FLAGS = -d $(top_builddir)/src -I $(srcdir)
+LIBBINPAC = $(top_builddir)/aux/binpac/lib/libbinpac.a
+LIBBINPAC_LIBS = -L$(top_builddir)/aux/binpac/lib -lbinpac
+
+# File locking helper to synchronize targets in parallel builds
+LOCK_FILE = $(top_builddir)/aux/scripts/lock_file
+
+# List all optionally built source files here.
+EXTRA_bro_SOURCES = X509.cc SSLCiphers.cc SSLInterpreter.cc SSLProxy.cc \
+	SSLv2.cc SSLv3.cc SSLv3Automaton.cc nb_dns.c malloc.c
+
+if USE_NBDNS
+dns_srcs = nb_dns.c
+endif
+
+if USE_OPENSSL
+openssl_srcs = X509.cc SSLCiphers.cc SSLInterpreter.cc SSLProxy.cc \
+	SSLv2.cc SSLv3.cc SSLv3Automaton.cc
+endif
+
+# this is much faster on FreeBSD
+if USE_NMALLOC
+malloc_srcs = malloc.c
+endif
+
+# Forces libedit, bifcl and all generated files to be done first.
+# NOTE: Order does matter here, bifcl needs to be before the generated files
+# to be correct, the generated files should depend on bifcl, but this causes
+# the whole tree to be rebuilt in some cases.
+#
+# Binpac handling: the main .pac files are explicitly listed in BINPAC_SRC,
+# with implicit lists for the corresponding _pac.cc/_pac.h files. We do not
+# list the _pac.cc files in bro_SOURCES, since then they'd become part of
+# DISTFILES and distcheck would try to build them before binpac exists.
+# (This would still work on a previously built tree, but not on a fresh
+# checkout.)  To mark the _pac.cc/_pac.h files as sources and ensure the
+# resulting object files are linked in, we use nodist_bro_SOURCES. Finally,
+# to ensure they're built first, we also list the _pac.cc files in
+# BUILT_SOURCES. --cpk
+#
+BUILT_SOURCES = bifcl $(BIF_FUNC_H) \
+	DebugCmdInfoConstants.cc DebugCmdConstants.h \
+	$(BINPAC_CC)
+
+EXTRA_DIST = $(BIFS) SMB_COM.def SMTP_cmd.def \
+	POP3_cmd.def bif_type.def builtin-func.y parse.y re-parse.y rule-parse.y \
+	make_parser.pl make_dbg_constants.pl parse.in scan.l \
+	re-scan.l rule-scan.l builtin-func.l DebugCmdInfoConstants.in \
+	$(BINPAC_SRC) $(BINPAC_AUXSRC) $(BINPAC_RPC_AUXSRC)
+
+nodist_bro_SOURCES = $(BINPAC_CC) $(BINPAC_H)
+
+bro_SOURCES = \
+	main.cc net_util.cc util.cc \
+	parse.cc scan.cc re-parse.cc re-scan.cc rule-parse.cc rule-scan.cc \
+	Active.cc Analyzer.cc Anon.cc ARP.cc Attr.cc \
+	BackDoor.cc Base64.cc BitTorrent.cc BitTorrentTracker.cc \
+	BPF_Program.cc BroString.cc \
+	CCL.cc ChunkedIO.cc CompHash.cc Conn.cc ConnCompressor.cc \
+	ContentLine.cc DCE_RPC.cc DFA.cc \
+	DHCP-binpac.cc DNS.cc DNS-binpac.cc DNS_Mgr.cc \
+	DbgBreakpoint.cc DbgHelp.cc DbgWatch.cc Debug.cc \
+	DebugCmds.cc DebugLogger.cc Desc.cc Dict.cc Discard.cc DPM.cc \
+	EquivClass.cc Event.cc EventHandler.cc EventLauncher.cc \
+	EventRegistry.cc \
+	Expr.cc FTP.cc File.cc FileAnalyzer.cc Finger.cc FlowSrc.cc Frag.cc \
+	Frame.cc Func.cc Gnutella.cc HTTP.cc HTTP-binpac.cc Hash.cc ICMP.cc \
+	ID.cc Ident.cc IntSet.cc InterConn.cc IOSource.cc IRC.cc \
+	List.cc Logger.cc Login.cc MIME.cc \
+	NCP.cc NFA.cc NFS.cc NTP.cc NVT.cc Net.cc NetVar.cc \
+	NetbiosSSN.cc Obj.cc OSFinger.cc \
+	PacketFilter.cc PacketSort.cc PersistenceSerializer.cc \
+	PktDagSrc.cc PktSrc.cc PIA.cc \
+	PolicyFile.cc POP3.cc Portmap.cc PrefixTable.cc PriorityQueue.cc \
+	Queue.cc RE.cc RPC.cc Reassem.cc RemoteSerializer.cc Rlogin.cc RSH.cc \
+	Rule.cc RuleAction.cc RuleCondition.cc RuleMatcher.cc \
+	ScriptAnaly.cc SmithWaterman.cc SMB.cc SMTP.cc \
+	SSH.cc SSL-binpac.cc \
+	Scope.cc SerializationFormat.cc SerialObj.cc Serializer.cc \
+	Sessions.cc StateAccess.cc Stats.cc SteppingStone.cc Stmt.cc \
+	TCP.cc TCP_Endpoint.cc TCP_Reassembler.cc TCP_Rewriter.cc \
+	Telnet.cc Timer.cc Traverse.cc Trigger.cc TwoWise.cc Type.cc UDP.cc \
+	Val.cc Var.cc XDR.cc ZIP.cc \
+	bsd-getopt-long.c cq.c md5.c patricia.c setsignal.c version.c \
+	UDP_Rewriter.cc DNS_Rewriter.cc PacketDumper.cc Rewriter.cc \
+	strsep.c $(dns_srcs) $(malloc_srcs) $(openssl_srcs)
+
+noinst_HEADERS = Active.h Analyzer.h AnalyzerTags.h Anon.h ARP.h Attr.h \
+	BPF_Program.h BackDoor.h Base64.h BitTorrent.h BitTorrentTracker.h \
+	BroList.h BroString.h \
+	CCL.h ChunkedIO.h CompHash.h Conn.h ConnCompressor.h ContentLine.h \
+	Continuation.h DCE_RPC.h DFA.h \
+	DHCP-binpac.h DNS.h DNS-binpac.h DNS_Mgr.h \
+	DbgBreakpoint.h DbgDisplay.h DbgWatch.h Debug.h \
+	DebugCmds.h DebugLogger.h Desc.h Dict.h DPM.h \
+	Discard.h EquivClass.h Event.h EventHandler.h EventLauncher.h \
+	EventRegistry.h Expr.h FTP.h File.h FileAnalyzer.h \
+	Finger.h FlowSrc.h Frag.h Frame.h Func.h Gnutella.h \
+	H3.h HTTP.h HTTP-binpac.h Hash.h ICMP.h ID.h IP.h Ident.h \
+	IntSet.h InterConn.h IOSource.h IRC.h List.h Logger.h \
+	Login.h MIME.h NCP.h NFA.h NFS.h NTP.h NVT.h Net.h NetVar.h \
+	NetbiosSSN.h Obj.h OSFinger.h Op.h \
+	PacketFilter.h PacketSort.h PersistenceSerializer.h \
+	PktDagSrc.h PktSrc.h PIA.h \
+	PolicyFile.h POP3.h Portmap.h PrefixTable.h PriorityQueue.h \
+	Queue.h RE.h \
+	RPC.h Reassem.h RemoteSerializer.h Rlogin.h RSH.h Rule.h RuleAction.h \
+	RuleCondition.h RuleMatcher.h \
+	ScriptAnaly.h SmithWaterman.h SMB.h SMTP.h \
+	SSL-binpac.h SSH.h SSLCiphers.h SSLDefines.h \
+	SSLInterpreter.h SSLProxy.h SSLv2.h SSLv3.h SSLv3Automaton.h Scope.h \
+	SerialInfo.h SerialObj.h SerialTypes.h \
+	SerializationFormat.h Serializer.h Sessions.h StateAccess.h \
+	Stats.h SteppingStone.h Stmt.h StmtEnums.h \
+	TCP.h TCP_Endpoint.h TCP_Reassembler.h TCP_Rewriter.h Telnet.h Timer.h \
+	Traverse.h TraverseTypes.h Trigger.h TwoWise.h Type.h UDP.h \
+	Val.h Var.h X509.h XDR.h ZIP.h \
+	bif_arg.h bif_parse.h broparse.h bsd-getopt-long.h cq.h input.h md5.h \
+	nb_dns.h net_util.h patricia.h re-parse.h rule-parse.h \
+	UDP_Rewriter.h DNS_Rewriter.h PacketDumper.h Rewriter.h \
+	setsignal.h util.h
+
+bro_LDADD = $(LIBIDMEF_LIBS) @LIBS@ -lm $(LIBBINPAC_LIBS)
+
+# Files we generate locally that need to be removed with make distclean,
+# mostly to keep distcheck happy.
+# 
+DISTCLEANFILES = DebugCmdInfoConstants.cc DebugCmdConstants.h \
+	DebugCmdConstants.cc DebugCmdConstants.h \
+	$(BINPAC_CC) $(BINPAC_H) $(BIF_BRO) y.output bif_lex.cc \
+	bif_parse.h bif_parse.cc parse.y scan.cc parse.cc broparse.h \
+	re-parse.cc re-parse.h re-scan.cc rule-parse.cc rule-parse.h \
+	rule-scan.cc version.c
+
+# Files created in the src dir.
+MOSTLYCLEANFILES = $(BIF_FUNC_H) $(BIF_FUNC_DEF) $(BIF_FUNC_INIT) \
+		   $(BIF_NETVAR_H) $(BIF_NETVAR_DEF) $(BIF_NETVAR_INIT) \
+		   $(BRO_BIF) \
+		   $(BINPAC_H) $(BINPAC_CC) \
+		   $(DISTCLEANFILES)
+
+POLICYDEST=${datadir}/bro
+
+CCOPT = @V_CCOPT@ -W -Wall -Wno-unused
+INCLS = @V_INCLS@
+
+YFLAGS = -d -t -v
+
+# Should use AM_ vars, but automake 1.5 errors out.
+#AM_LDFLAGS = @LDFLAGS@ 
+LDFLAGS = @LDFLAGS@
+
+#AM_CFLAGS = -I. -I.. -I$(top_srcdir)/src -I$(srcdir) -I$(top_builddir)
+AM_CFLAGS = -I. -I$(top_srcdir)/aux/binpac/lib -I$(top_srcdir)/src -I$(srcdir) -I$(top_builddir)
+
+#AM_CPPFLAGS = $(AM_CFLAGS) $(LIBIDMEF_INCL) $(INCLS) $(CCOPT) -I/usr/include
+AM_CPPFLAGS = $(AM_CFLAGS) $(LIBIDMEF_INCL) $(INCLS) $(CCOPT)
+
+BIFCL = ./bifcl
+BIFS =	bro.bif event.bif const.bif \
+	common-rw.bif finger-rw.bif ident-rw.bif \
+	dns-rw.bif ftp-rw.bif smtp-rw.bif http-rw.bif strings.bif \
+	smb-rw.bif
+
+BIF_FUNC_H = $(BIFS:.bif=.bif.func_h)
+BIF_FUNC_DEF = $(BIFS:.bif=.bif.func_def)
+BIF_FUNC_INIT = $(BIFS:.bif=.bif.func_init)
+BIF_NETVAR_H = $(BIFS:.bif=.bif.netvar_h)
+BIF_NETVAR_DEF = $(BIFS:.bif=.bif.netvar_def)
+BIF_NETVAR_INIT = $(BIFS:.bif=.bif.netvar_init)
+
+BIF_BRO = $(BIFS:.bif=.bif.bro)
+
+
+BIFOBJ = bif_arg.o bif_lex.o bif_parse.o
+BIFCLEAN = bifcl $(BIFOBJ) $(BIF_FUNC_DEF) $(BIF_NETVAR_DEF) policy/*.bif.bro
+
+PRIV = priv
+
+opt:
+	@$(MAKE) $(MFLAGS) CCOPT="`echo $(CCOPT) | sed -e 's/-O2//;s/$$/ -O3/'`"
+
+debug: 
+	@$(MAKE) $(MFLAGS) CCOPT="`echo $(CCOPT) | sed -e 's/-O2/-O0/g;s/$$/ -g -Wall -DDEBUG/'`"
+
+profile:
+	@$(MAKE) $(MFLAGS) CCOPT="`echo $(CCOPT) | sed -e 's/$$/ -O0 -pg/'`" LDFLAGS="`echo $(LDFLAGS) | sed -e 's/$$/ -pg/'`"
+
+mpatrol:
+	@$(MAKE) $(MFLAGS) LIBS="`echo $(LIBS) | sed -e 's/$$/ -lmpatrol/'`"
+
+version.c: $(top_srcdir)/VERSION
+	@rm -f $@
+	sed -e 's/.*/char version[] = "&";/' $(top_srcdir)/VERSION > $@
+
+DebugCmdInfoConstants.cc DebugCmdInfoConstants.h: DebugCmdInfoConstants.in
+	perl $(srcdir)/make_dbg_constants.pl $(srcdir)/DebugCmdInfoConstants.in
+
+DebugCmdConstants.cc DebugCmdConstants.h: DebugCmdInfoConstants.in
+	perl $(srcdir)/make_dbg_constants.pl $(srcdir)/DebugCmdInfoConstants.in
+
+# Should these be moved to $(destdir)/policy?
+finger-rw.bif.func_h finger-rw.bif.func_def finger-rw.bif.func_init: finger-rw.bif $(BIFCL)
+	$(BIFCL) $(srcdir)/finger-rw.bif
+	@cp finger-rw.bif.bro ../policy/
+
+ftp-rw.bif.func_h ftp-rw.bif.func_def ftp-rw.bif.func_init: ftp-rw.bif $(BIFCL)
+	$(BIFCL) $(srcdir)/ftp-rw.bif
+	@cp ftp-rw.bif.bro ../policy/
+
+smb-rw.bif.func_h smb-rw.bif.func_def smb-rw.bif.func_init: smb-rw.bif $(BIFCL)
+	$(BIFCL) $(srcdir)/smb-rw.bif
+	@cp smb-rw.bif.bro ../policy/
+
+dns-rw.bif.func_h dns-rw.bif.func_def dns-rw.bif.func_init: dns-rw.bif $(BIFCL)
+	$(BIFCL) $(srcdir)/dns-rw.bif
+	@cp dns-rw.bif.bro ../policy/
+
+bro.bif.func_h bro.bif.func_def bro.bif.func_init: bro.bif $(BIFCL)
+	$(BIFCL) $(srcdir)/bro.bif
+	@cp bro.bif.bro ../policy/
+
+ident-rw.bif.func_h ident-rw.bif.func_def ident-rw.bif.func_init: ident-rw.bif $(BIFCL)
+	$(BIFCL) $(srcdir)/ident-rw.bif
+	@cp ident-rw.bif.bro ../policy/
+
+event.bif.func_h event.bif.netvar_h event.bif.netvar_def event.bif.netvar_init: event.bif $(BIFCL)
+	$(BIFCL) $(srcdir)/event.bif
+	@cp event.bif.bro ../policy/
+
+const.bif.func_h const.bif.netvar_h const.bif.netvar_def const.bif.netvar_init: const.bif $(BIFCL)
+	$(BIFCL) $(srcdir)/const.bif
+	@cp const.bif.bro ../policy/
+
+binpac-lib_pac.h binpac-lib_pac.cc: binpac-lib.pac $(BINPAC) $(BINPAC_AUXSRC) $(BINPAC_AUXHDR) $(LIBBINPAC)
+	$(BINPAC) $(BINPAC_FLAGS) $(srcdir)/binpac-lib.pac
+
+binpac_bro-lib_pac.h binpac_bro-lib_pac.cc: binpac_bro-lib.pac $(BINPAC) $(BINPAC_AUXSRC) $(BINPAC_AUXHDR)
+	$(BINPAC) $(BINPAC_FLAGS) $(srcdir)/binpac_bro-lib.pac
+
+bittorrent_pac.h bittorrent_pac.cc: bittorrent.pac $(BINPAC) $(BINPAC_AUXSRC) $(BINPAC_AUXHDR) bittorrent-protocol.pac bittorrent-analyzer.pac
+	$(BINPAC) $(BINPAC_FLAGS) $(srcdir)/bittorrent.pac
+
+dce_rpc_pac.h dce_rpc_pac.cc: dce_rpc.pac $(BINPAC) $(BINPAC_AUXSRC) $(BINPAC_AUXHDR) dce_rpc-protocol.pac dce_rpc-analyzer.pac
+	$(BINPAC) $(BINPAC_FLAGS) $(srcdir)/dce_rpc.pac
+
+dce_rpc_simple_pac.h dce_rpc_simple_pac.cc: dce_rpc_simple.pac $(BINPAC) $(BINPAC_AUXSRC) $(BINPAC_AUXHDR) dce_rpc-protocol.pac
+	$(BINPAC) $(BINPAC_FLAGS) $(srcdir)/dce_rpc_simple.pac
+
+dhcp_pac.h dhcp_pac.cc: dhcp.pac $(BINPAC) $(BINPAC_AUXSRC) $(BINPAC_AUXHDR) dhcp-protocol.pac dhcp-analyzer.pac
+	$(BINPAC) $(BINPAC_FLAGS) $(srcdir)/dhcp.pac
+
+dns_pac.h dns_pac.cc: dns.pac $(BINPAC) $(BINPAC_AUXSRC) $(BINPAC_AUXHDR) dns-protocol.pac dns-analyzer.pac
+	$(BINPAC) $(BINPAC_FLAGS) $(srcdir)/dns.pac
+
+dns_tcp_pac.h dns_tcp_pac.cc: dns_tcp.pac $(BINPAC) $(BINPAC_AUXSRC) $(BINPAC_AUXHDR)
+	$(BINPAC) $(BINPAC_FLAGS) $(srcdir)/dns_tcp.pac
+
+http_pac.h http_pac.cc: http.pac $(BINPAC) $(BINPAC_AUXSRC) $(BINPAC_AUXHDR) http-protocol.pac http-analyzer.pac
+	$(BINPAC) $(BINPAC_FLAGS) $(srcdir)/http.pac
+
+ncp_pac.h ncp_pac.cc: ncp.pac $(BINPAC) $(BINPAC_AUXSRC) $(BINPAC_AUXHDR)
+	$(BINPAC) $(BINPAC_FLAGS) $(srcdir)/ncp.pac
+
+netflow_pac.h netflow_pac.cc: netflow.pac netflow-protocol.pac netflow-analyzer.pac Event.h $(BINPAC) $(BINPAC_AUXSRC) $(BINPAC_AUXHDR)
+	$(BINPAC) $(BINPAC_FLAGS) $(srcdir)/netflow.pac
+
+rpc_pac.h rpc_pac.cc: rpc.pac $(BINPAC) $(BINPAC_AUXSRC) $(BINPAC_AUXHDR) $(BINPAC_RPC_AUXSRC)
+	$(BINPAC) $(BINPAC_FLAGS) $(srcdir)/rpc.pac
+
+smb_pac.h smb_pac.cc: smb.pac $(BINPAC) $(BINPAC_AUXSRC) $(BINPAC_AUXHDR) smb-protocol.pac smb-mailslot.pac smb-pipe.pac
+	$(BINPAC) $(BINPAC_FLAGS) $(srcdir)/smb.pac
+
+ssl_pac.h ssl_pac.cc: ssl.pac $(BINPAC) $(BINPAC_AUXSRC) $(BINPAC_AUXHDR) ssl-protocol.pac ssl-analyzer.pac
+	$(BINPAC) $(BINPAC_FLAGS) $(srcdir)/ssl.pac
+
+ssl-record-layer_pac.h ssl-record-layer_pac.cc: ssl-record-layer.pac $(BINPAC) $(BINPAC_AUXSRC) $(BINPAC_AUXHDR)
+	$(BINPAC) $(BINPAC_FLAGS) $(srcdir)/ssl-record-layer.pac
+
+patricia.o: patricia.c patricia.h
+	$(CC) $(CFLAGS) -c $(srcdir)/patricia.c
+
+smtp-rw.bif.func_h smtp-rw.bif.func_def smtp-rw.bif.func_init: smtp-rw.bif $(BIFCL)
+	$(BIFCL) $(srcdir)/smtp-rw.bif
+	@cp smtp-rw.bif.bro ../policy/
+
+http-rw.bif.func_h http-rw.bif.func_def http-rw.bif.func_init: http-rw.bif $(BIFCL)
+	$(BIFCL) $(srcdir)/http-rw.bif
+	@cp http-rw.bif.bro ../policy/
+
+common-rw.bif.func_h common-rw.bif.func_def common-rw.bif.func_init: common-rw.bif $(BIFCL)
+	$(BIFCL) $(srcdir)/common-rw.bif
+	@cp common-rw.bif.bro ../policy/
+
+strings.bif.func_h strings.bif.func_def strings.bif.func_init: strings.bif $(BIFCL)
+	$(BIFCL) $(srcdir)/strings.bif
+	@cp strings.bif.bro ../policy/
+
+broparse.h parse.cc: parse.y
+	$(LOCK_FILE) lock broparse || exit; \
+	test -e broparse.h && ( $(LOCK_FILE) unlock broparse; exit 0; ); \
+	$(YACC) $(YFLAGS) -o p.c parse.y; \
+	sed '/extern char.*getenv/d;s/yylex/brolex/' <p.c >parse.cc; \
+	mv p.h broparse.h; \
+	rm p.c; \
+	$(LOCK_FILE) unlock broparse
+
+parse.y: parse.in make_parser.pl
+	@rm -f parse.y
+	perl -w $(srcdir)/make_parser.pl $(srcdir) $(top_builddir)/src "$(YACC)"
+	chmod -w parse.y
+
+scan.cc: scan.l broparse.h
+	$(LEX) $(LFLAGS) -Pbro -oscan.cc $(srcdir)/scan.l
+
+bif_lex.cc: builtin-func.l bif_parse.h
+	$(LEX) -o$@ $(srcdir)/builtin-func.l
+
+re-parse.h re-parse.cc: re-parse.y
+	$(LOCK_FILE) lock reparse || exit; \
+	test -e re-parse.h && ( $(LOCK_FILE) unlock reparse; exit 0; ); \
+	$(YACC) $(YFLAGS) -o rep.c $(srcdir)/re-parse.y; \
+	sed '/extern char.*getenv/d;s/yylex/re_lex/;s/yy/RE_/g' <rep.c >re-parse.cc; \
+	mv rep.h re-parse.h; \
+	rm rep.c; \
+	$(LOCK_FILE) unlock reparse
+
+re-scan.cc: re-scan.l
+	$(LEX) $(LFLAGS) -Pre_ -ore-scan.cc $(srcdir)/re-scan.l
+
+rule-parse.h rule-parse.cc: rule-parse.y
+	$(LOCK_FILE) lock ruleparse || exit; \
+	test -e rule-parse.h && ( $(LOCK_FILE) unlock ruleparse; exit 0; ); \
+	$(YACC) $(YFLAGS) -o rup.c $(srcdir)/rule-parse.y; \
+	sed '/extern char.*getenv/d;s/yylex/rules_lex/;s/yy/rules_/g' <rup.c >rule-parse.cc; \
+	sed '/extern char.*getenv/d;s/yylex/rules_lex/;s/yy/rules_/g' <rup.h >rule-parse.h; \
+	rm rup.c rup.h; \
+	$(LOCK_FILE) unlock ruleparse
+
+rule-scan.cc: rule-scan.l
+	$(LEX) $(LFLAGS) -Prules_ -orule-scan.cc $(srcdir)/rule-scan.l
+
+bif_parse.h bif_parse.cc: builtin-func.y bif_arg.h bif_type.def
+	$(LOCK_FILE) lock bifparse || exit; \
+	test -e bif_parse.h && ( $(LOCK_FILE) unlock bifparse; exit 0; ); \
+	$(YACC) $(YFLAGS) -o bf.c $(top_srcdir)/src/builtin-func.y; \
+	mv bf.h bif_parse.h; \
+	mv bf.c bif_parse.cc; \
+	$(LOCK_FILE) unlock bifparse
+
+# Need this rule because of the POLICYDEST.
+util.o: util.cc util.h
+	$(CXX) $(AM_CPPFLAGS) -DPOLICYDEST=\"$(POLICYDEST)\" -c $(srcdir)/util.cc
+
+CHANGES: $(top_srcdir)/VERSION
+	@echo "You need to update CHANGES"
diff --git a/src/NCP.cc b/src/NCP.cc
new file mode 100644
index 0000000000..c065e48e87
--- /dev/null
+++ b/src/NCP.cc
@@ -0,0 +1,231 @@
+// $Id: NCP.cc 6916 2009-09-24 20:48:36Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "config.h"
+
+#include <stdlib.h>
+#include <string>
+#include <map>
+
+using namespace std;
+
+#include "NCP.h"
+#include "Sessions.h"
+
+#define xbyte(b, n) (((const u_char*) (b))[n])
+#define extract_uint16(little_endian, bytes) \
+	((little_endian) ? \
+	 uint16(xbyte(bytes, 0)) | ((uint16(xbyte(bytes, 1))) << 8) : \
+	 uint16(xbyte(bytes, 1)) | ((uint16(xbyte(bytes, 0))) << 8))
+
+NCP_Session::NCP_Session(Analyzer* a)
+: analyzer(a)
+	{
+	req_frame_type = 0;
+	req_func = 0;
+	}
+
+void NCP_Session::Deliver(int is_orig, int len, const u_char* data)
+	{
+	try
+		{
+		binpac::NCP::ncp_over_tcpip_frame frame(is_orig);
+		frame.Parse(data, data + len);
+
+		DeliverFrame(frame.ncp());
+		}
+	catch ( const binpac::Exception& e )
+		{
+		analyzer->Weird(e.msg().c_str());
+		}
+	}
+
+void NCP_Session::DeliverFrame(const binpac::NCP::ncp_frame* frame)
+	{
+	if ( frame->is_orig() )
+		{
+		req_frame_type = frame->frame_type();
+		req_func = frame->request()->function();
+		if ( req_func == 0x57 ) // enhanced FILE_DIR services
+			{
+			req_func = (req_func << 8) |
+					frame->request()->subfunction();
+			}
+		}
+
+	EventHandlerPtr f = frame->is_orig() ? ncp_request : ncp_reply;
+	if ( f )
+		{
+		val_list* vl = new val_list;
+		vl->append(analyzer->BuildConnVal());
+		vl->append(new Val(frame->frame_type(), TYPE_COUNT));
+		vl->append(new Val(frame->body_length(), TYPE_COUNT));
+
+		if ( frame->is_orig() )
+			vl->append(new Val(req_func, TYPE_COUNT));
+		else
+			{
+			vl->append(new Val(req_frame_type, TYPE_COUNT));
+			vl->append(new Val(req_func, TYPE_COUNT));
+			vl->append(new Val(frame->reply()->completion_code(),
+						TYPE_COUNT));
+			}
+
+		analyzer->ConnectionEvent(f, vl);
+		}
+	}
+
+FrameBuffer::FrameBuffer(int header_length)
+	{
+	hdr_len = header_length;
+	msg_buf = 0;
+	buf_len = 0;
+	Reset();
+	}
+
+FrameBuffer::~FrameBuffer()
+	{
+	delete [] msg_buf;
+	}
+
+void FrameBuffer::Reset()
+	{
+	// Allocate space for header.
+	if ( ! msg_buf )
+		{
+		buf_len = hdr_len;
+		msg_buf = new u_char[buf_len];
+		}
+
+	buf_n = 0;
+	msg_len = 0;
+	}
+
+// Returns true if we have a complete frame
+bool FrameBuffer::Deliver(int &len, const u_char* &data)
+	{
+	ASSERT(buf_len >= hdr_len);
+
+	if ( len == 0 )
+		return false;
+
+	if ( buf_n < hdr_len )
+		{
+		while ( buf_n < hdr_len && len > 0 )
+			{
+			ASSERT(buf_n < buf_len);
+			msg_buf[buf_n] = *data;
+			++buf_n; ++data; --len;
+			}
+
+		if ( buf_n < hdr_len )
+			return false;
+
+		compute_msg_length();
+
+		if ( msg_len > buf_len )
+			{
+			buf_len = msg_len * 2;
+			u_char* new_buf = new u_char[buf_len];
+			memcpy(new_buf, msg_buf, buf_n);
+			delete [] msg_buf;
+			msg_buf = new_buf;
+			}
+		}
+
+	while ( buf_n < msg_len && len > 0 )
+		{
+		msg_buf[buf_n] = *data;
+		++buf_n; ++data; --len;
+		}
+
+	return buf_n >= msg_len;
+	}
+
+void NCP_FrameBuffer::compute_msg_length()
+	{
+	const u_char* data = Data();
+	msg_len = 0;
+	for ( int i = 0; i < 4; ++i )
+		msg_len = (msg_len << 8) | data[4+i];
+	}
+
+Contents_NCP_Analyzer::Contents_NCP_Analyzer(Connection* conn, bool orig, NCP_Session* arg_session)
+: TCP_SupportAnalyzer(AnalyzerTag::Contents_NCP, conn, orig)
+	{
+	session = arg_session;
+	resync = true;
+
+	TCP_Analyzer* tcp = static_cast<TCP_ApplicationAnalyzer*>(Parent())->TCP();
+	if ( tcp )
+		resync = (orig ? tcp->OrigState() : tcp->RespState()) !=
+						TCP_ENDPOINT_ESTABLISHED;
+	}
+
+Contents_NCP_Analyzer::~Contents_NCP_Analyzer()
+	{
+	}
+
+void Contents_NCP_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
+	{
+	TCP_SupportAnalyzer::DeliverStream(len, data, orig);
+
+	TCP_Analyzer* tcp = static_cast<TCP_ApplicationAnalyzer*>(Parent())->TCP();
+
+	if ( tcp && tcp->HadGap(orig) )
+		return;
+
+	DEBUG_MSG("NCP deliver: len = %d resync = %d buffer.empty = %d\n",
+		len, resync, buffer.empty());
+
+	if ( buffer.empty() && resync )
+		{
+		// Assume NCP frames align with packet boundary.
+		if ( (IsOrig() && len < 22) || (! IsOrig() && len < 16) )
+			{ // ignore small fragmeents
+			DEBUG_MSG("NCP discard small pieces: %d\n", len);
+			return;
+			}
+
+		int frame_type_index = IsOrig() ? 16 : 8;
+		int frame_type = ((int) data[frame_type_index]) << 8 |
+					data[frame_type_index + 1];
+
+		if ( frame_type != 0x1111 && frame_type != 0x2222 &&
+		     frame_type != 0x3333 && frame_type != 0x5555 &&
+		     frame_type != 0x7777 && frame_type != 0x9999 )
+			// Skip this packet
+			return;
+
+		resync = false;
+		}
+
+	while ( buffer.Deliver(len, data) )
+		{
+		session->Deliver(IsOrig(), buffer.Len(), buffer.Data());
+		buffer.Reset();
+		}
+	}
+
+void Contents_NCP_Analyzer::Undelivered(int seq, int len, bool orig)
+	{
+	TCP_SupportAnalyzer::Undelivered(seq, len, orig);
+
+	buffer.Reset();
+	resync = true;
+	}
+
+NCP_Analyzer::NCP_Analyzer(Connection* conn)
+: TCP_ApplicationAnalyzer(AnalyzerTag::NCP, conn)
+	{
+	session = new NCP_Session(this);
+	o_ncp = new Contents_NCP_Analyzer(conn, true, session);
+	r_ncp = new Contents_NCP_Analyzer(conn, false, session);
+	}
+
+NCP_Analyzer::~NCP_Analyzer()
+	{
+	delete session;
+	}
+
diff --git a/src/NCP.h b/src/NCP.h
new file mode 100644
index 0000000000..714d1879f8
--- /dev/null
+++ b/src/NCP.h
@@ -0,0 +1,119 @@
+// $Id: NCP.h 6219 2008-10-01 05:39:07Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#ifndef ncp_h
+#define ncp_h
+
+// A very crude analyzer for NCP (Netware Core Protocol)
+//
+// For a brief introduction to NCP, take a look at:
+//
+//	 http://www.protocols.com/pbook/testcss.htm
+//
+// For list of function codes:
+//
+//	 http://faydoc.tripod.com/structures/20/2095.htm
+//
+// And for layout of individual request/reply packets, look at the following
+// pages under http://faydoc.tripod.com/structures/, such as:
+//
+//	http://faydoc.tripod.com/structures/21/2149.htm
+
+#include "NetVar.h"
+#include "TCP.h"
+
+#include "ncp_pac.h"
+
+// Create a general NCP_Session class so that it can be used in
+// case the RPC conversation is tunneled through other connections,
+// e.g., through an SMB session.
+
+class NCP_Session {
+public:
+	NCP_Session(Analyzer* analyzer);
+	virtual ~NCP_Session() {}
+
+	virtual void Deliver(int is_orig, int len, const u_char* data);
+
+	static bool any_ncp_event()
+		{
+		return ncp_request || ncp_reply;
+		}
+
+protected:
+	void DeliverFrame(const binpac::NCP::ncp_frame* frame);
+
+	Analyzer* analyzer;
+	int req_frame_type;
+	int req_func;
+};
+
+class FrameBuffer {
+public:
+	FrameBuffer(int header_length);
+	virtual ~FrameBuffer();
+
+	// Returns true if a frame is ready
+	bool Deliver(int& len, const u_char* &data);
+
+	void Reset();
+
+	const u_char* Data() const	{ return msg_buf; }
+	int Len() const			{ return msg_len; }
+	bool empty() const		{ return buf_n == 0; }
+
+protected:
+	virtual void compute_msg_length() = 0;
+
+	int hdr_len;
+	u_char* msg_buf;
+	int msg_len;
+	int buf_n;	// number of bytes in msg_buf
+	int buf_len;	// size off msg_buf
+};
+
+#define NCP_TCPIP_HEADER_LENGTH 8
+
+class NCP_FrameBuffer : public FrameBuffer {
+public:
+	NCP_FrameBuffer() : FrameBuffer(NCP_TCPIP_HEADER_LENGTH) {}
+
+protected:
+	void compute_msg_length();
+};
+
+class Contents_NCP_Analyzer : public TCP_SupportAnalyzer {
+public:
+	Contents_NCP_Analyzer(Connection* conn, bool orig, NCP_Session* session);
+	~Contents_NCP_Analyzer();
+
+protected:
+	virtual void DeliverStream(int len, const u_char* data, bool orig);
+	virtual void Undelivered(int seq, int len, bool orig);
+
+	NCP_FrameBuffer buffer;
+	NCP_Session* session;
+
+	// Re-sync for partial connections (or after a content gap).
+	bool resync;
+};
+
+class NCP_Analyzer : public TCP_ApplicationAnalyzer {
+public:
+	NCP_Analyzer(Connection* conn);
+	virtual ~NCP_Analyzer();
+
+	static Analyzer* InstantiateAnalyzer(Connection* conn)
+		{ return new NCP_Analyzer(conn); }
+
+	static bool Available()	{ return NCP_Session::any_ncp_event(); }
+
+protected:
+
+	NCP_Session* session;
+	Contents_NCP_Analyzer * o_ncp;
+	Contents_NCP_Analyzer * r_ncp;
+};
+
+#endif /* ncp_h */
diff --git a/src/NCP_func.def b/src/NCP_func.def
new file mode 100644
index 0000000000..57bcb5896c
--- /dev/null
+++ b/src/NCP_func.def
@@ -0,0 +1,55 @@
+NCP_FUNCTION(NCP_FILE_SET_LOCK,			0x01)
+NCP_FUNCTION(NCP_FILE_RELEASE_LOCK,		0x02)
+NCP_FUNCTION(NCP_LOG_FILE,			0x03)
+NCP_FUNCTION(NCP_LOCK_FILE_SET,			0x04)
+NCP_FUNCTION(NCP_RELEASE_FILE,			0x05)
+NCP_FUNCTION(NCP_RELEASE_FILE_SET,		0x06)
+NCP_FUNCTION(NCP_CLEAR_FILE,			0x07)
+NCP_FUNCTION(NCP_CLEAR_FILE_SET,		0x08)
+NCP_FUNCTION(NCP_LOG_LOGICAL_RECORD,		0x09)
+NCP_FUNCTION(NCP_LOCK_LOGICAL_RECORD_SET,	0x0a)
+NCP_FUNCTION(NCP_CLEAR_LOGICAL_RECORD,		0x0b)
+NCP_FUNCTION(NCP_RELEASE_LOGICAL_RECORD,	0x0c)
+NCP_FUNCTION(NCP_RELEASE_LOGICAL_RECORD_SET,	0x0d)
+NCP_FUNCTION(NCP_CLEAR_LOGICAL_RECORD_SET,	0x0e)
+NCP_FUNCTION(NCP_ALLOC_RESOURCE,		0x0f)
+NCP_FUNCTION(NCP_DEALLOC_RESOURCE,		0x10)
+NCP_FUNCTION(NCP_PRINT,				0x11)
+NCP_FUNCTION(NCP_MESSAGE,			0x15)
+NCP_FUNCTION(NCP_DIRECTORY,			0x16)
+NCP_FUNCTION(NCP_BINDARY_AND_MISC,		0x17)
+NCP_FUNCTION(NCP_END_OF_JOB,			0x18)
+NCP_FUNCTION(NCP_LOGOUT,			0x19)
+NCP_FUNCTION(NCP_LOG_PHYSICAL_RECORD,		0x1a)
+NCP_FUNCTION(NCP_LOCK_PHYSICAL_RECORD_SET,	0x1b)
+NCP_FUNCTION(NCP_RELEASE_PHYSICAL_RECORD,	0x1c)
+NCP_FUNCTION(NCP_RELEASE_PHYSICAL_RECORD_SET,	0x1d)
+NCP_FUNCTION(NCP_CLEAR_PHYSICAL_RECORD,		0x1e)
+NCP_FUNCTION(NCP_CLEAR_PHYSICAL_RECORD_SET,	0x1f)
+NCP_FUNCTION(NCP_SEMAPHORE,			0x20)
+NCP_FUNCTION(NCP_TRANSACTION_TRACKING, 		0x22)
+NCP_FUNCTION(NCP_AFP, 				0x23)
+NCP_FUNCTION(NCP_CLOSE_FILE,			0x42)
+NCP_FUNCTION(NCP_GET_FILE_SIZE,			0x47)
+NCP_FUNCTION(NCP_READ_FILE,			0x48)
+NCP_FUNCTION(NCP_WRITE_FILE,			0x49)
+NCP_FUNCTION(NCP_EXT_ATTR,			0x56)
+NCP_FUNCTION(NCP_FILE_DIR,			0x57)
+NCP_FUNCTION(NCP_CREATE_FILE_DIR,		0x5701)
+NCP_FUNCTION(NCP_INIT_SEARCH,			0x5702)
+NCP_FUNCTION(NCP_SEARCH_FILE_DIR,		0x5703)
+NCP_FUNCTION(NCP_RENAME_FILE_DIR,		0x5704)
+NCP_FUNCTION(NCP_OBTAIN_FILE_DIR_INFO,		0x5706)
+NCP_FUNCTION(NCP_MODIFY_FILE_DIR_DOS_INFO,	0x5707)
+NCP_FUNCTION(NCP_DELETE_FILE_DIR,		0x5708)
+NCP_FUNCTION(NCP_SET_SHORT_DIR_HANDLE,		0x5709)
+NCP_FUNCTION(NCP_SEARCH_FOR_FILE_DIR_SET,	0x5714)
+NCP_FUNCTION(NCP_GET_NAME_SPACE_LOADED_LIST,	0x5718)
+NCP_FUNCTION(NCP_GET_CURRENT_SIZE_OF_FILE,	0x5742)
+NCP_FUNCTION(NCP_AUDITING,			0x58)
+NCP_FUNCTION(NCP_MIGRATION,			0x5a)
+NCP_FUNCTION(NCP_PNW,				0x60)
+NCP_FUNCTION(NCP_GET_MAX_PACKET_SIZE,		0x61)
+NCP_FUNCTION(NCP_NDS,				0x68)
+NCP_FUNCTION(NCP_SEMAPHORE_NEW,			0x6f)
+NCP_FUNCTION(NCP_7B,				0x7b)
diff --git a/src/NFA.cc b/src/NFA.cc
new file mode 100644
index 0000000000..74958823dc
--- /dev/null
+++ b/src/NFA.cc
@@ -0,0 +1,358 @@
+// $Id: NFA.cc 6219 2008-10-01 05:39:07Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "config.h"
+
+#include "NFA.h"
+#include "EquivClass.h"
+
+static int nfa_state_id = 0;
+
+NFA_State::NFA_State(int arg_sym, EquivClass* ec)
+	{
+	sym = arg_sym;
+	ccl = 0;
+	accept = NO_ACCEPT;
+	mark = 0;
+	epsclosure = 0;
+	id = ++nfa_state_id;
+
+	// Fix up equivalence classes based on this transition.  Note that any
+	// character which has its own transition gets its own equivalence
+	// class.  Thus only characters which are only in character classes
+	// have a chance at being in the same equivalence class.  E.g. "a|b"
+	// puts 'a' and 'b' into two different equivalence classes.  "[ab]"
+	// puts them in the same equivalence class (barring other differences
+	// elsewhere in the input).
+
+	if ( ec && sym != SYM_EPSILON /* no associated symbol */ )
+		ec->UniqueChar(sym);
+	}
+
+NFA_State::NFA_State(CCL* arg_ccl)
+	{
+	sym = SYM_CCL;
+	ccl = arg_ccl;
+	accept = NO_ACCEPT;
+	mark = 0;
+	id = ++nfa_state_id;
+	epsclosure = 0;
+	}
+
+NFA_State::~NFA_State()
+	{
+	for ( int i = 0; i < xtions.length(); ++i )
+		Unref(xtions[i]);
+	}
+
+void NFA_State::AddXtionsTo(NFA_state_list* ns)
+	{
+	for ( int i = 0; i < xtions.length(); ++i )
+		ns->append(xtions[i]);
+	}
+
+NFA_State* NFA_State::DeepCopy()
+	{
+	if ( mark )
+		return mark;
+
+	NFA_State* copy = ccl ? new NFA_State(ccl) : new NFA_State(sym, 0);
+	SetMark(copy);
+
+	for ( int i = 0; i < xtions.length(); ++i )
+		copy->AddXtion(xtions[i]->DeepCopy());
+
+	return copy;
+	}
+
+void NFA_State::ClearMarks()
+	{
+	if ( mark )
+		{
+		SetMark(0);
+		for ( int i = 0; i < xtions.length(); ++i )
+			xtions[i]->ClearMarks();
+		}
+	}
+
+NFA_state_list* NFA_State::EpsilonClosure()
+	{
+	if ( epsclosure )
+		return epsclosure;
+
+	epsclosure = new NFA_state_list;
+
+	NFA_state_list states;
+	states.append(this);
+	SetMark(this);
+
+	int i;
+	for ( i = 0; i < states.length(); ++i )
+		{
+		NFA_State* ns = states[i];
+		if ( ns->TransSym() == SYM_EPSILON )
+			{
+			NFA_state_list* x = ns->Transitions();
+			for ( int j = 0; j < x->length(); ++j )
+				{
+				NFA_State* nxt = (*x)[j];
+				if ( ! nxt->Mark() )
+					{
+					states.append(nxt);
+					nxt->SetMark(nxt);
+					}
+				}
+
+			if ( ns->Accept() != NO_ACCEPT )
+				epsclosure->append(ns);
+			}
+
+		else
+			// Non-epsilon transition - keep it.
+			epsclosure->append(ns);
+		}
+
+	// Clear out markers.
+	for ( i = 0; i < states.length(); ++i )
+		states[i]->SetMark(0);
+
+	// Make it fit.
+	epsclosure->resize(0);
+
+	return epsclosure;
+	}
+
+void NFA_State::Describe(ODesc* d) const
+	{
+	d->Add("NFA state");
+	}
+
+void NFA_State::Dump(FILE* f)
+	{
+	if ( mark )
+		return;
+
+	fprintf(f, "NFA state %d, sym = %d, accept = %d:\n", id, sym, accept);
+
+	for ( int i = 0; i < xtions.length(); ++i )
+		fprintf(f, "\ttransition to %d\n", xtions[i]->ID());
+
+	SetMark(this);
+	for ( int i = 0; i < xtions.length(); ++i )
+		xtions[i]->Dump(f);
+	}
+
+unsigned int NFA_State::TotalMemoryAllocation() const
+	{
+	return padded_sizeof(*this)
+		+ xtions.MemoryAllocation() - padded_sizeof(xtions)
+		+ (epsclosure ? epsclosure->MemoryAllocation() : 0);
+	}
+
+NFA_Machine::NFA_Machine(NFA_State* first, NFA_State* final)
+	{
+	first_state = first;
+	final_state = final ? final : first;
+	eol = bol = 0;
+	}
+
+NFA_Machine::~NFA_Machine()
+	{
+	Unref(first_state);
+	}
+
+void NFA_Machine::InsertEpsilon()
+	{
+	NFA_State* eps = new EpsilonState();
+	eps->AddXtion(first_state);
+	first_state = eps;
+	}
+
+void NFA_Machine::AppendEpsilon()
+	{
+	AppendState(new EpsilonState());
+	}
+
+void NFA_Machine::AddAccept(int accept_val)
+	{
+	// Hang the accepting number off an epsilon state.  If it is associated
+	// with a state that has a non-epsilon out-transition, then the state
+	// will accept BEFORE it makes that transition, i.e., one character
+	// too soon.
+
+	if ( final_state->TransSym() != SYM_EPSILON )
+		AppendState(new EpsilonState());
+
+	final_state->SetAccept(accept_val);
+	}
+
+void NFA_Machine::LinkCopies(int n)
+	{
+	if ( n <= 0 )
+		return;
+
+	// Make all the copies before doing any appending, otherwise
+	// subsequent DuplicateMachine()'s will include the extra
+	// copies!
+	NFA_Machine** copies = new NFA_Machine*[n];
+
+	int i;
+	for ( i = 0; i < n; ++i )
+		copies[i] = DuplicateMachine();
+
+	for ( i = 0; i < n; ++i )
+		AppendMachine(copies[i]);
+
+	delete [] copies;
+	}
+
+NFA_Machine* NFA_Machine::DuplicateMachine()
+	{
+	NFA_State* new_first_state = first_state->DeepCopy();
+	NFA_Machine* new_m = new NFA_Machine(new_first_state, final_state->Mark());
+	first_state->ClearMarks();
+
+	return new_m;
+	}
+
+void NFA_Machine::AppendState(NFA_State* s)
+	{
+	final_state->AddXtion(s);
+	final_state = s;
+	}
+
+void NFA_Machine::AppendMachine(NFA_Machine* m)
+	{
+	AppendEpsilon();
+	final_state->AddXtion(m->FirstState());
+	final_state = m->FinalState();
+
+	Ref(m->FirstState());	// so states stay around after the following
+	Unref(m);
+	}
+
+void NFA_Machine::MakeOptional()
+	{
+	InsertEpsilon();
+	AppendEpsilon();
+	first_state->AddXtion(final_state);
+	Ref(final_state);
+	}
+
+void NFA_Machine::MakePositiveClosure()
+	{
+	AppendEpsilon();
+	final_state->AddXtion(first_state);
+	Ref(first_state);
+	}
+
+void NFA_Machine::MakeRepl(int lower, int upper)
+	{
+	NFA_Machine* dup = 0;
+	if ( upper > lower || upper == NO_UPPER_BOUND )
+		dup = DuplicateMachine();
+
+	LinkCopies(lower - 1);
+
+	if ( upper == NO_UPPER_BOUND )
+		{
+		dup->MakeClosure();
+		AppendMachine(dup);
+		return;
+		}
+
+	while ( upper > lower )
+		{
+		NFA_Machine* dup2;
+		if ( --upper == lower )
+			// Don't need "dup" for any further copies
+			dup2 = dup;
+		else
+			dup2 = dup->DuplicateMachine();
+
+		dup2->MakeOptional();
+		AppendMachine(dup2);
+		}
+	}
+
+void NFA_Machine::Describe(ODesc* d) const
+	{
+	d->Add("NFA machine");
+	}
+
+void NFA_Machine::Dump(FILE* f)
+	{
+	first_state->Dump(f);
+	first_state->ClearMarks();
+	}
+
+void NFA_Machine::DumpStats(FILE* f)
+	{
+	fprintf(f, "highest NFA state ID is %d\n", nfa_state_id);
+	}
+
+NFA_Machine* make_alternate(NFA_Machine* m1, NFA_Machine* m2)
+	{
+	if ( ! m1 )
+		return m2;
+	if ( ! m2 )
+		return m1;
+
+	NFA_State* first = new EpsilonState();
+	NFA_State* last = new EpsilonState();
+
+	first->AddXtion(m1->FirstState());
+	first->AddXtion(m2->FirstState());
+
+	m1->AppendState(last);
+	m2->AppendState(last);
+	Ref(last);
+
+	return new NFA_Machine(first, last);
+	}
+
+
+NFA_state_list* epsilon_closure(NFA_state_list* states)
+	{
+	// We just keep one of this as it may get quite large.
+	static IntSet closuremap;
+	closuremap.Clear();
+
+	NFA_state_list* closure = new NFA_state_list;
+
+	for ( int i = 0; i < states->length(); ++i )
+		{
+		NFA_state_list* stateclosure = (*states)[i]->EpsilonClosure();
+
+		for ( int j = 0; j < stateclosure->length(); ++j )
+			{
+			NFA_State* ns = (*stateclosure)[j];
+			if ( ! closuremap.Contains(ns->ID()) )
+				{
+				closuremap.Insert(ns->ID());
+				closure->sortedinsert(ns, NFA_state_cmp_neg);
+				}
+			}
+		}
+
+	// Make it fit.
+	closure->resize(0);
+
+	delete states;
+
+	return closure;
+	}
+
+int NFA_state_cmp_neg(const void* v1, const void* v2)
+	{
+	const NFA_State* n1 = (const NFA_State*) v1;
+	const NFA_State* n2 = (const NFA_State*) v2;
+
+	if ( n1->ID() < n2->ID() )
+		return -1;
+	else if ( n1->ID() == n2->ID() )
+		return 0;
+	else
+		return 1;
+	}
diff --git a/src/NFA.h b/src/NFA.h
new file mode 100644
index 0000000000..9dcb435d61
--- /dev/null
+++ b/src/NFA.h
@@ -0,0 +1,133 @@
+// $Id: NFA.h 6219 2008-10-01 05:39:07Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#ifndef nfa_h
+#define nfa_h
+
+#include "RE.h"
+#include "IntSet.h"
+
+class NFA_State;
+class EquivClass;
+
+declare(PList,NFA_State);
+typedef PList(NFA_State) NFA_state_list;
+
+#define NO_ACCEPT 0
+
+#define NO_UPPER_BOUND -1
+
+#define SYM_BOL 256
+#define SYM_EOL 257
+#define NUM_SYM 258
+
+#define SYM_EPSILON 259
+#define SYM_CCL 260    
+
+
+class NFA_State : public BroObj  {
+public:
+	NFA_State(int sym, EquivClass* ec);
+	NFA_State(CCL* ccl);
+	~NFA_State();
+
+	void AddXtion(NFA_State* next_state)	{ xtions.append(next_state); }
+	NFA_state_list* Transitions()		{ return &xtions; }
+	void AddXtionsTo(NFA_state_list* ns);
+
+	void SetAccept(int accept_val)	{ accept = accept_val; }
+	int Accept() const		{ return accept; }
+
+	// Returns a deep copy of this NFA state and everything it points
+	// to.  Upon return, each state's marker is set to point to its
+	// copy.
+	NFA_State* DeepCopy();
+
+	void SetMark(NFA_State* m)	{ mark = m; }
+	NFA_State* Mark() const		{ return mark; }
+	void ClearMarks();
+
+	int TransSym() const	{ return sym; }
+	CCL* TransCCL() const	{ return ccl; }
+	int ID() const		{ return id; }
+
+	NFA_state_list* EpsilonClosure();
+
+	void Describe(ODesc* d) const;
+	void Dump(FILE* f);
+
+	// Recursivly count all the reachable states.
+	unsigned int TotalMemoryAllocation() const;
+
+protected:
+	int sym;	// if SYM_CCL, then use ccl
+	CCL* ccl;	// if nil, then use sym
+	int accept;
+	int id;	// number that uniquely identifies this state
+	NFA_state_list xtions;
+	NFA_state_list* epsclosure;
+	NFA_State* mark;
+};
+
+class EpsilonState : public NFA_State {
+public:
+	EpsilonState()	: NFA_State(SYM_EPSILON, 0)	{ }
+};
+
+class NFA_Machine : public BroObj {
+public:
+	NFA_Machine(NFA_State* first, NFA_State* final = 0);
+	~NFA_Machine();
+
+	NFA_State* FirstState() const	{ return first_state; }
+
+	void SetFinalState(NFA_State* final)	{ final_state = final; }
+	NFA_State* FinalState() const		{ return final_state; }
+
+	void AddAccept(int accept_val);
+
+	void MakeClosure()	{ MakePositiveClosure(); MakeOptional(); }
+	void MakeOptional();
+	void MakePositiveClosure();
+
+	// re{lower,upper}; upper can be NO_UPPER_BOUND = infinity.
+	void MakeRepl(int lower, int upper);
+
+	void MarkBOL()		{ bol = 1; }
+	void MarkEOL()		{ eol = 1; }
+
+	NFA_Machine* DuplicateMachine();
+	void LinkCopies(int n);
+	void InsertEpsilon();
+	void AppendEpsilon();
+
+	void AppendState(NFA_State* new_state);
+	void AppendMachine(NFA_Machine* new_mach);
+
+	void Describe(ODesc* d) const;
+	void Dump(FILE* f);
+	void DumpStats(FILE* f);
+
+	unsigned int MemoryAllocation() const
+		{ return padded_sizeof(*this) + first_state->TotalMemoryAllocation(); }
+
+protected:
+	NFA_State* first_state;
+	NFA_State* final_state;
+	int bol, eol;
+};
+
+extern NFA_Machine* make_alternate(NFA_Machine* m1, NFA_Machine* m2);
+
+// The epsilon closure is the set of all states reachable by an arbitrary
+// number of epsilon transitions, which themselves do not have epsilon
+// transitions going out, unioned with the set of states which have non-null
+// accepting numbers.  "states" is deleted by the call.  The return value
+// is the epsilon closure (sorted by state IDs()).
+extern NFA_state_list* epsilon_closure(NFA_state_list* states);
+
+// For sorting NFA states based on their ID fields (decreasing)
+extern int NFA_state_cmp_neg(const void* v1, const void* v2);
+
+#endif
diff --git a/src/NFS.cc b/src/NFS.cc
new file mode 100644
index 0000000000..8d7e920e2d
--- /dev/null
+++ b/src/NFS.cc
@@ -0,0 +1,287 @@
+// $Id: NFS.cc 6219 2008-10-01 05:39:07Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "config.h"
+
+#include "NetVar.h"
+#include "XDR.h"
+#include "NFS.h"
+#include "Event.h"
+
+#define NFS_PROC_NULL 		0
+#define NFS_PROC_GETATTR 	1
+#define NFS_PROC_SETATTR 	2
+#define NFS_PROC_LOOKUP 	3
+#define NFS_PROC_READ 		6
+#define NFS_PROC_WRITE 		7
+#define NFS_PROC_FSSTAT 	18
+
+int NFS_Interp::RPC_BuildCall(RPC_CallInfo* c, const u_char*& buf, int& n)
+	{
+	if ( c->Program() != 100003 )
+		Weird("bad_RPC_program");
+
+	uint32 proc = c->Proc();
+	switch ( proc ) {
+	case NFS_PROC_NULL:
+		break;
+
+	case NFS_PROC_GETATTR:
+		{
+		Val* v = ExtractFH(buf, n);
+		if ( ! v )
+			return 0;
+		c->AddVal(v);
+		}
+		break;
+
+	case NFS_PROC_LOOKUP:
+		{
+		StringVal* fh = ExtractFH(buf, n);
+
+		int name_len;
+		const u_char* name = extract_XDR_opaque(buf, n, name_len);
+
+		if ( ! fh || ! name )
+			return 0;
+
+		RecordVal* args = new RecordVal(nfs3_lookup_args);
+		args->Assign(0, fh);
+		args->Assign(1, new StringVal(new BroString(name, name_len, 0)));
+		c->AddVal(args);
+		}
+		break;
+
+	case NFS_PROC_FSSTAT:
+		{
+		Val* v = ExtractFH(buf, n);
+		if ( ! v )
+			return 0;
+		c->AddVal(v);
+		}
+		break;
+
+	case NFS_PROC_READ:
+		break;
+
+	default:
+		Weird(fmt("unknown_NFS_request(%u)", proc));
+
+		// Return 1 so that replies to unprocessed calls will still
+		// be processed, and the return status extracted
+		return 1;
+	}
+
+	return 1;
+	}
+
+int NFS_Interp::RPC_BuildReply(const RPC_CallInfo* c, int success,
+					const u_char*& buf, int& n,
+					EventHandlerPtr& event, Val*& reply)
+	{
+	reply = 0;
+	uint32 status = 0;
+	if ( success )
+		{
+		if ( n >= 4 )
+			status = extract_XDR_uint32(buf, n);
+		else
+			status = 0xffffffff;
+		}
+
+	if ( nfs_reply_status )
+		{
+		val_list* vl = new val_list;
+		vl->append(analyzer->BuildConnVal());
+		vl->append(new Val(status, TYPE_COUNT));
+		analyzer->ConnectionEvent(nfs_reply_status, vl);
+		}
+
+	switch ( c->Proc() ) {
+	case NFS_PROC_NULL:
+		event = success ? nfs_request_null : nfs_attempt_null;
+		break;
+
+	case NFS_PROC_GETATTR:
+		if ( success )
+			{
+			if ( ! buf || status != 0 )
+				return 0;
+
+			reply = ExtractAttrs(buf, n);
+			event = nfs_request_getattr;
+			}
+		else
+			event = nfs_attempt_getattr;
+
+		break;
+
+	case NFS_PROC_LOOKUP:
+		if ( success )
+			{
+			if ( ! buf || status != 0 )
+				return 0;
+
+			RecordVal* r = new RecordVal(nfs3_lookup_reply);
+			r->Assign(0, ExtractFH(buf, n));
+			r->Assign(1, ExtractOptAttrs(buf, n));
+			r->Assign(2, ExtractOptAttrs(buf, n));
+
+			reply = r;
+			event = nfs_request_lookup;
+			}
+		else
+			{
+			reply = ExtractOptAttrs(buf, n);
+			event = nfs_attempt_lookup;
+			}
+
+		break;
+
+	case NFS_PROC_FSSTAT:
+		if ( success )
+			{
+			if ( ! buf || status != 0 )
+				return 0;
+
+			RecordVal* r = new RecordVal(nfs3_fsstat);
+			r->Assign(0, ExtractOptAttrs(buf, n));
+			r->Assign(1, ExtractLongAsDouble(buf, n)); // tbytes
+			r->Assign(2, ExtractLongAsDouble(buf, n)); // fbytes
+			r->Assign(3, ExtractLongAsDouble(buf, n)); // abytes
+			r->Assign(4, ExtractLongAsDouble(buf, n)); // tfiles
+			r->Assign(5, ExtractLongAsDouble(buf, n)); // ffiles
+			r->Assign(6, ExtractLongAsDouble(buf, n)); // afiles
+			r->Assign(7, ExtractInterval(buf, n)); // invarsec
+
+			reply = r;
+			event = nfs_request_fsstat;
+			}
+		else
+			{
+			reply = ExtractOptAttrs(buf, n);
+			event = nfs_attempt_fsstat;
+			}
+
+		break;
+
+	default:
+		return 0;
+	}
+
+	return 1;
+	}
+
+StringVal* NFS_Interp::ExtractFH(const u_char*& buf, int& n)
+	{
+	int fh_n;
+	const u_char* fh = extract_XDR_opaque(buf, n, fh_n, 64);
+
+	if ( ! fh )
+		return 0;
+
+	return new StringVal(new BroString(fh, fh_n, 0));
+	}
+
+RecordVal* NFS_Interp::ExtractAttrs(const u_char*& buf, int& n)
+	{
+	RecordVal* attrs = new RecordVal(nfs3_attrs);
+	attrs->Assign(0, ExtractCount(buf, n));	// file type
+	attrs->Assign(1, ExtractCount(buf, n));	// mode
+	attrs->Assign(2, ExtractCount(buf, n));	// nlink
+	attrs->Assign(3, ExtractCount(buf, n));	// uid
+	attrs->Assign(4, ExtractCount(buf, n));	// gid
+	attrs->Assign(5, ExtractLongAsDouble(buf, n));	// size
+	attrs->Assign(6, ExtractLongAsDouble(buf, n));	// used
+	attrs->Assign(7, ExtractCount(buf, n));	// rdev1
+	attrs->Assign(8, ExtractCount(buf, n));	// rdev2
+	attrs->Assign(9, ExtractLongAsDouble(buf, n));	// fsid
+	attrs->Assign(10, ExtractLongAsDouble(buf, n));	// fileid
+	attrs->Assign(11, ExtractTime(buf, n));	// atime
+	attrs->Assign(12, ExtractTime(buf, n));	// mtime
+	attrs->Assign(13, ExtractTime(buf, n));	// ctime
+
+	return attrs;
+	}
+
+RecordVal* NFS_Interp::ExtractOptAttrs(const u_char*& buf, int& n)
+	{
+	int have_attrs = extract_XDR_uint32(buf, n);
+
+	RecordVal* opt_attrs = new RecordVal(nfs3_opt_attrs);
+	if ( buf && have_attrs )
+		opt_attrs->Assign(0, ExtractAttrs(buf, n));
+	else
+		opt_attrs->Assign(0, 0);
+
+	return opt_attrs;
+	}
+
+Val* NFS_Interp::ExtractCount(const u_char*& buf, int& n)
+	{
+	return new Val(extract_XDR_uint32(buf, n), TYPE_COUNT);
+	}
+
+Val* NFS_Interp::ExtractLongAsDouble(const u_char*& buf, int& n)
+	{
+	return new Val(extract_XDR_uint64_as_double(buf, n), TYPE_DOUBLE);
+	}
+
+Val* NFS_Interp::ExtractTime(const u_char*& buf, int& n)
+	{
+	return new Val(extract_XDR_time(buf, n), TYPE_TIME);
+	}
+
+Val* NFS_Interp::ExtractInterval(const u_char*& buf, int& n)
+	{
+	return new IntervalVal(double(extract_XDR_uint32(buf, n)), 1.0);
+	}
+
+void NFS_Interp::Event(EventHandlerPtr f, Val* request, int status, Val* reply)
+	{
+	if ( ! f )
+		{
+		Unref(request);
+		Unref(reply);
+		return;
+		}
+
+	val_list* vl = new val_list;
+
+	vl->append(analyzer->BuildConnVal());
+	if ( status == RPC_SUCCESS )
+		{
+		if ( request )
+			vl->append(request);
+		if ( reply )
+			vl->append(reply);
+		}
+	else
+		{
+		vl->append(new Val(status, TYPE_COUNT));
+		if ( request )
+			vl->append(request);
+		}
+
+	analyzer->ConnectionEvent(f, vl);
+	}
+
+NFS_Analyzer::NFS_Analyzer(Connection* conn)
+: RPC_Analyzer(AnalyzerTag::NFS, conn, new NFS_Interp(this))
+	{
+	orig_rpc = resp_rpc = 0;
+	}
+
+void NFS_Analyzer::Init()
+	{
+	RPC_Analyzer::Init();
+
+	if ( Conn()->ConnTransport() == TRANSPORT_TCP )
+		{
+		orig_rpc = new Contents_RPC(Conn(), true, interp);
+		resp_rpc = new Contents_RPC(Conn(), false, interp);
+		AddSupportAnalyzer(orig_rpc);
+		AddSupportAnalyzer(resp_rpc);
+		}
+	}
diff --git a/src/NFS.h b/src/NFS.h
new file mode 100644
index 0000000000..87a0d041e9
--- /dev/null
+++ b/src/NFS.h
@@ -0,0 +1,42 @@
+// $Id: NFS.h 6219 2008-10-01 05:39:07Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#ifndef nfs_h
+#define nfs_h
+
+#include "RPC.h"
+
+class NFS_Interp : public RPC_Interpreter {
+public:
+	NFS_Interp(Analyzer* arg_analyzer) : RPC_Interpreter(arg_analyzer) { }
+
+protected:
+	int RPC_BuildCall(RPC_CallInfo* c, const u_char*& buf, int& n);
+	int RPC_BuildReply(const RPC_CallInfo* c, int success,
+				const u_char*& buf, int& n,
+				EventHandlerPtr& event, Val*& reply);
+
+	StringVal* ExtractFH(const u_char*& buf, int& n);
+	RecordVal* ExtractAttrs(const u_char*& buf, int& n);
+	RecordVal* ExtractOptAttrs(const u_char*& buf, int& n);
+	Val* ExtractCount(const u_char*& buf, int& n);
+	Val* ExtractLongAsDouble(const u_char*& buf, int& n);
+	Val* ExtractTime(const u_char*& buf, int& n);
+	Val* ExtractInterval(const u_char*& buf, int& n);
+
+	void Event(EventHandlerPtr f, Val* request, int status, Val* reply);
+};
+
+class NFS_Analyzer : public RPC_Analyzer {
+public:
+	NFS_Analyzer(Connection* conn);
+	virtual void Init();
+
+	static Analyzer* InstantiateAnalyzer(Connection* conn)
+		{ return new NFS_Analyzer(conn); }
+
+	static bool Available()	{ return nfs_request_getattr || rpc_call; }
+};
+
+#endif
diff --git a/src/NTP.cc b/src/NTP.cc
new file mode 100644
index 0000000000..ac7d12fb6d
--- /dev/null
+++ b/src/NTP.cc
@@ -0,0 +1,111 @@
+// $Id: NTP.cc 6219 2008-10-01 05:39:07Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "config.h"
+
+#include "NetVar.h"
+#include "NTP.h"
+#include "Sessions.h"
+#include "Event.h"
+
+
+NTP_Analyzer::NTP_Analyzer(Connection* conn)
+	: Analyzer(AnalyzerTag::NTP, conn)
+	{
+	ADD_ANALYZER_TIMER(&NTP_Analyzer::ExpireTimer,
+				network_time + ntp_session_timeout, 1,
+				TIMER_NTP_EXPIRE);
+	}
+
+void NTP_Analyzer::Done()
+	{
+	Analyzer::Done();
+	Event(udp_session_done);
+	}
+
+void NTP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig, int seq, const IP_Hdr* ip, int caplen)
+	{
+	Analyzer::DeliverPacket(len, data, is_orig, seq, ip, caplen);
+
+	// Actually we could just get rid of the Request/Reply and simply use
+	// the code of Message().  But for now we use it as an example of how
+	// to convert an old-style UDP analyzer.
+	if ( is_orig )
+		Request(data, len);
+	else
+		Reply(data, len);
+	}
+
+int NTP_Analyzer::Request(const u_char* data, int len)
+	{
+	Message(data, len);
+	return 1;
+	}
+
+int NTP_Analyzer::Reply(const u_char* data, int len)
+	{
+	Message(data, len);
+	return 1;
+	}
+
+void NTP_Analyzer::Message(const u_char* data, int len)
+	{
+	if ( (unsigned) len < sizeof(struct ntpdata) )
+		{
+		Weird("truncated_NTP");
+		return;
+		}
+
+	struct ntpdata* ntp_data = (struct ntpdata *) data;
+	len -= sizeof *ntp_data;
+	data += sizeof *ntp_data;
+
+	RecordVal* msg = new RecordVal(ntp_msg);
+
+	unsigned int code = ntp_data->status & 0x7;
+
+	msg->Assign(0, new Val((unsigned int) (ntohl(ntp_data->refid)), TYPE_COUNT));
+	msg->Assign(1, new Val(code, TYPE_COUNT));
+	msg->Assign(2, new Val((unsigned int) ntp_data->stratum, TYPE_COUNT));
+	msg->Assign(3, new Val((unsigned int) ntp_data->ppoll, TYPE_COUNT));
+	msg->Assign(4, new Val((unsigned int) ntp_data->precision, TYPE_INT));
+	msg->Assign(5, new Val(ShortFloat(ntp_data->distance), TYPE_INTERVAL));
+	msg->Assign(6, new Val(ShortFloat(ntp_data->dispersion), TYPE_INTERVAL));
+	msg->Assign(7, new Val(LongFloat(ntp_data->reftime), TYPE_TIME));
+	msg->Assign(8, new Val(LongFloat(ntp_data->org), TYPE_TIME));
+	msg->Assign(9, new Val(LongFloat(ntp_data->rec), TYPE_TIME));
+	msg->Assign(10, new Val(LongFloat(ntp_data->xmt), TYPE_TIME));
+
+	val_list* vl = new val_list;
+	vl->append(BuildConnVal());
+	vl->append(msg);
+	vl->append(new StringVal(new BroString(data, len, 0)));
+
+	ConnectionEvent(ntp_message, vl);
+	}
+
+double NTP_Analyzer::ShortFloat(struct s_fixedpt fp)
+	{
+	return ConvertToDouble(ntohs(fp.int_part), ntohs(fp.fraction), 65536.0);
+	}
+
+double NTP_Analyzer::LongFloat(struct l_fixedpt fp)
+	{
+	double t = ConvertToDouble(ntohl(fp.int_part), ntohl(fp.fraction),
+				   4294967296.0);
+
+	return t ? t - JAN_1970 : 0.0;
+	}
+
+double NTP_Analyzer::ConvertToDouble(unsigned int int_part,
+				    unsigned int fraction, double frac_base)
+	{
+	return double(int_part) + double(fraction) / frac_base;
+	}
+
+void NTP_Analyzer::ExpireTimer(double /* t */)
+	{
+	Event(connection_timeout);
+	sessions->Remove(Conn());
+	}
diff --git a/src/NTP.h b/src/NTP.h
new file mode 100644
index 0000000000..c4ccdd644a
--- /dev/null
+++ b/src/NTP.h
@@ -0,0 +1,70 @@
+// $Id: NTP.h 6219 2008-10-01 05:39:07Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#ifndef ntp_h
+#define ntp_h
+
+#include "UDP.h"
+
+
+// The following are from the tcpdump distribution, credited there
+// to the U of MD implementation.
+
+#define JAN_1970	2208988800.0	/* 1970 - 1900 in seconds */
+
+struct l_fixedpt {
+	unsigned int int_part;
+	unsigned int fraction;
+};
+
+struct s_fixedpt {
+	unsigned short int_part;
+	unsigned short fraction;
+};
+
+struct ntpdata {
+	unsigned char status;	/* status of local clock and leap info */
+	unsigned char stratum;	/* Stratum level */
+	unsigned char ppoll;	/* poll value */
+	int precision:8;
+	struct s_fixedpt distance;
+	struct s_fixedpt dispersion;
+	unsigned int refid;
+	struct l_fixedpt reftime;
+	struct l_fixedpt org;
+	struct l_fixedpt rec;
+	struct l_fixedpt xmt;
+};
+
+class NTP_Analyzer : public Analyzer {
+public:
+	NTP_Analyzer(Connection* conn);
+
+	static Analyzer* InstantiateAnalyzer(Connection* conn)
+		{ return new NTP_Analyzer(conn); }
+
+	static bool Available()	{ return ntp_message; }
+
+protected:
+	virtual void Done();
+	virtual void DeliverPacket(int len, const u_char* data, bool orig,
+					int seq, const IP_Hdr* ip, int caplen);
+
+	int Request(const u_char* data, int len);
+	int Reply(const u_char* data, int len);
+
+	// NTP is a unidirectional protocol, so no notion of "requests"
+	// as separate from "replies".
+	void Message(const u_char* data, int len);
+
+	double ShortFloat(struct s_fixedpt fp);
+	double LongFloat(struct l_fixedpt fp);
+	double ConvertToDouble(unsigned int int_part, unsigned int fraction,
+				double frac_base);
+
+	friend class ConnectionTimer;
+	void ExpireTimer(double t);
+};
+
+#endif
diff --git a/src/NVT.cc b/src/NVT.cc
new file mode 100644
index 0000000000..66438a0589
--- /dev/null
+++ b/src/NVT.cc
@@ -0,0 +1,705 @@
+// $Id: NVT.cc 6916 2009-09-24 20:48:36Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "config.h"
+
+#include <stdlib.h>
+
+#include "NVT.h"
+#include "NetVar.h"
+#include "Event.h"
+#include "TCP.h"
+
+#define IS_3_BYTE_OPTION(c) (c >= 251 && c <= 254)
+
+#define TELNET_OPT_SB 250
+#define TELNET_OPT_SE 240
+
+#define TELNET_OPT_IS 0
+#define TELNET_OPT_SEND 1
+
+#define TELNET_OPT_WILL 251
+#define TELNET_OPT_WONT 252
+#define TELNET_OPT_DO 253
+#define TELNET_OPT_DONT 254
+
+#define TELNET_IAC 255
+
+TelnetOption::TelnetOption(NVT_Analyzer* arg_endp, unsigned int arg_code)
+	{
+	endp = arg_endp;
+	code = arg_code;
+	flags = 0;
+	active = 0;
+	}
+
+void TelnetOption::RecvOption(unsigned int type)
+	{
+	TelnetOption* peer = endp->FindPeerOption(code);
+	if ( ! peer )
+		internal_error("option peer missing in TelnetOption::RecvOption");
+
+	// WILL/WONT/DO/DONT are messages we've *received* from our peer.
+	switch ( type ) {
+	case TELNET_OPT_WILL:
+		if ( SaidDont() || peer->SaidWont() || peer->IsActive() )
+			InconsistentOption(type);
+
+		peer->SetWill();
+
+		if ( SaidDo() )
+			peer->SetActive(1);
+		break;
+
+	case TELNET_OPT_WONT:
+		if ( peer->SaidWill() && ! SaidDont() )
+			InconsistentOption(type);
+
+		peer->SetWont();
+
+		if ( SaidDont() )
+			peer->SetActive(0);
+		break;
+
+	case TELNET_OPT_DO:
+		if ( SaidWont() || peer->SaidDont() || IsActive() )
+			InconsistentOption(type);
+
+		peer->SetDo();
+
+		if ( SaidWill() )
+			SetActive(1);
+		break;
+
+	case TELNET_OPT_DONT:
+		if ( peer->SaidDo() && ! SaidWont() )
+			InconsistentOption(type);
+
+		peer->SetDont();
+
+		if ( SaidWont() )
+			SetActive(0);
+		break;
+
+	default:
+		internal_error("bad option type in TelnetOption::RecvOption");
+	}
+	}
+
+void TelnetOption::RecvSubOption(u_char* /* data */, int /* len */)
+	{
+	}
+
+void TelnetOption::SetActive(int is_active)
+	{
+	active = is_active;
+	}
+
+void TelnetOption::InconsistentOption(unsigned int /* type */)
+	{
+	endp->Event(inconsistent_option);
+	}
+
+void TelnetOption::BadOption()
+	{
+	endp->Event(bad_option);
+	}
+
+
+void TelnetTerminalOption::RecvSubOption(u_char* data, int len)
+	{
+	if ( len <= 0 )
+		{
+		BadOption();
+		return;
+		}
+
+	if ( data[0] == TELNET_OPT_SEND )
+		return;
+
+	if ( data[0] != TELNET_OPT_IS )
+		{
+		BadOption();
+		return;
+		}
+
+	endp->SetTerminal(data + 1, len - 1);
+	}
+
+
+#define ENCRYPT_SET_ALGORITHM 0
+#define ENCRYPT_SUPPORT_ALGORITM 1
+#define ENCRYPT_REPLY 2
+#define ENCRYPT_STARTING_TO_ENCRYPT 3
+#define ENCRYPT_NO_LONGER_ENCRYPTING 4
+#define ENCRYPT_REQUEST_START_TO_ENCRYPT 5
+#define ENCRYPT_REQUEST_NO_LONGER_ENCRYPT 6
+#define ENCRYPT_ENCRYPT_KEY 7
+#define ENCRYPT_DECRYPT_KEY 8
+
+void TelnetEncryptOption::RecvSubOption(u_char* data, int len)
+	{
+	if ( ! active )
+		{
+		InconsistentOption(0);
+		return;
+		}
+
+	if ( len <= 0 )
+		{
+		BadOption();
+		return;
+		}
+
+	unsigned int opt = data[0];
+
+	if ( opt == ENCRYPT_REQUEST_START_TO_ENCRYPT )
+		++did_encrypt_request;
+
+	else if ( opt == ENCRYPT_STARTING_TO_ENCRYPT )
+		{
+		TelnetEncryptOption* peer =
+			(TelnetEncryptOption*) endp->FindPeerOption(code);
+
+		if ( ! peer )
+			internal_error("option peer missing in TelnetEncryptOption::RecvSubOption");
+
+		if ( peer->DidRequest() || peer->DoingEncryption() ||
+		     peer->Endpoint()->AuthenticationHasBeenAccepted() )
+			{
+			endp->SetEncrypting(1);
+			++doing_encryption;
+			}
+		else
+			InconsistentOption(0);
+		}
+	}
+
+#define HERE_IS_AUTHENTICATION 0
+#define SEND_ME_AUTHENTICATION 1
+#define AUTHENTICATION_STATUS 2
+#define AUTHENTICATION_NAME 3
+
+#define AUTH_REJECT 1
+#define AUTH_ACCEPT 2
+
+void TelnetAuthenticateOption::RecvSubOption(u_char* data, int len)
+	{
+	if ( len <= 0 )
+		{
+		BadOption();
+		return;
+		}
+
+	switch ( data[0] ) {
+	case HERE_IS_AUTHENTICATION:
+		{
+		TelnetAuthenticateOption* peer =
+			(TelnetAuthenticateOption*) endp->FindPeerOption(code);
+
+		if ( ! peer )
+			internal_error("option peer missing in TelnetAuthenticateOption::RecvSubOption");
+
+		if ( ! peer->DidRequestAuthentication() )
+			InconsistentOption(0);
+		}
+		break;
+
+	case SEND_ME_AUTHENTICATION:
+		++authentication_requested;
+		break;
+
+	case AUTHENTICATION_STATUS:
+		if ( len <= 1 )
+			{
+			BadOption();
+			return;
+			}
+
+		if ( data[1] == AUTH_REJECT )
+			endp->AuthenticationRejected();
+		else if ( data[1] == AUTH_ACCEPT )
+			endp->AuthenticationAccepted();
+		else
+			{
+			// Don't complain, there may be replies we don't
+			// know about.
+			}
+		break;
+
+	case AUTHENTICATION_NAME:
+		{
+		char* auth_name = new char[len];
+		safe_strncpy(auth_name, (char*) data + 1, len);
+		endp->SetAuthName(auth_name);
+		}
+		break;
+
+	default:
+		BadOption();
+	}
+	}
+
+#define ENVIRON_IS 0
+#define ENVIRON_SEND 1
+#define ENVIRON_INFO 2
+
+#define ENVIRON_VAR 0
+#define ENVIRON_VAL 1
+#define ENVIRON_ESC 2
+#define ENVIRON_USERVAR 3
+
+void TelnetEnvironmentOption::RecvSubOption(u_char* data, int len)
+	{
+	if ( len <= 0 )
+		{
+		BadOption();
+		return;
+		}
+
+	if ( data[0] == ENVIRON_SEND )
+		//### We should track the dialog and make sure both sides agree.
+		return;
+
+	if ( data[0] != ENVIRON_IS && data[0] != ENVIRON_INFO )
+		{
+		BadOption();
+		return;
+		}
+
+	--len;	// Discard code.
+	++data;
+
+	while ( len > 0 )
+		{
+		int code1, code2;
+		char* var_name = ExtractEnv(data, len, code1);
+		char* var_val = ExtractEnv(data, len, code2);
+
+		if ( ! var_name || ! var_val ||
+		     (code1 != ENVIRON_VAR && code1 != ENVIRON_USERVAR) ||
+		     code2 != ENVIRON_VAL )
+			{
+			// One of var_name/var_val might be set; avoid leak.
+			delete [] var_name;
+			delete [] var_val;
+
+			BadOption();
+			break;
+			}
+
+		static_cast<TCP_ApplicationAnalyzer*>
+			(endp->Parent())->SetEnv(endp->IsOrig(),
+							var_name, var_val);
+		}
+	}
+
+char* TelnetEnvironmentOption::ExtractEnv(u_char*& data, int& len, int& code)
+	{
+	code = data[0];
+
+	if ( code != ENVIRON_VAR && code != ENVIRON_VAL &&
+	     code != ENVIRON_USERVAR )
+		return 0;
+
+	// Move past code.
+	--len;
+	++data;
+
+	// Find the end of this piece of the option.
+	u_char* data_end = data + len;
+	u_char* d;
+	for ( d = data; d < data_end; ++d )
+		{
+		if ( *d == ENVIRON_VAR || *d == ENVIRON_VAL || *d == ENVIRON_USERVAR )
+			break;
+
+		if ( *d == ENVIRON_ESC )
+			{
+			++d;	// move past ESC
+			if ( d >= data_end )
+				return 0;
+			break;
+			}
+		}
+
+	int size = d - data;
+	char* env = new char[size+1];
+
+	// Now copy into env.
+	int d_ind = 0;
+	int i;
+	for ( i = 0; i < size; ++i )
+		{
+		if ( data[d_ind] == ENVIRON_ESC )
+			++d_ind;
+
+		env[i] = data[d_ind];
+		++d_ind;
+		}
+
+	env[i] = '\0';
+
+	data = d;
+	len -= size;
+
+	return env;
+	}
+
+void TelnetBinaryOption::SetActive(int is_active)
+	{
+	endp->SetBinaryMode(is_active);
+	active = is_active;
+	}
+
+void TelnetBinaryOption::InconsistentOption(unsigned int /* type */)
+	{
+	// I don't know why, but this gets turned on redundantly -
+	// doesn't do any harm, so ignore it.  Example is
+	// in ex/redund-binary-opt.trace.
+	}
+
+
+NVT_Analyzer::NVT_Analyzer(Connection* conn, bool orig)
+: ContentLine_Analyzer(AnalyzerTag::NVT, conn, orig)
+	{
+	peer = 0;
+	is_suboption = last_was_IAC = pending_IAC = 0;
+	IAC_pos = 0;
+	num_options = 0;
+	authentication_has_been_accepted = encrypting_mode = binary_mode = 0;
+	auth_name = 0;
+	}
+
+NVT_Analyzer::~NVT_Analyzer()
+	{
+	for ( int i = 0; i < num_options; ++i )
+		delete options[i];
+
+	delete [] auth_name;
+	}
+
+TelnetOption* NVT_Analyzer::FindOption(unsigned int code)
+	{
+	int i;
+	for ( i = 0; i < num_options; ++i )
+		if ( options[i]->Code() == code )
+			return options[i];
+
+	TelnetOption* opt = 0;
+	if ( i < NUM_TELNET_OPTIONS )
+		{ // Maybe we haven't created this option yet.
+		switch ( code ) {
+		case TELNET_OPTION_BINARY:
+			opt = new TelnetBinaryOption(this);
+			break;
+
+		case TELNET_OPTION_TERMINAL:
+			opt = new TelnetTerminalOption(this);
+			break;
+
+		case TELNET_OPTION_ENCRYPT:
+			opt = new TelnetEncryptOption(this);
+			break;
+
+		case TELNET_OPTION_AUTHENTICATE:
+			opt = new TelnetAuthenticateOption(this);
+			break;
+
+		case TELNET_OPTION_ENVIRON:
+			opt = new TelnetEnvironmentOption(this);
+			break;
+		}
+		}
+
+	if ( opt )
+		options[num_options++] = opt;
+
+	return opt;
+	}
+
+TelnetOption* NVT_Analyzer::FindPeerOption(unsigned int code)
+	{
+	assert(peer);
+	return peer->FindOption(code);
+	}
+
+void NVT_Analyzer::AuthenticationAccepted()
+	{
+	authentication_has_been_accepted = 1;
+	Event(authentication_accepted, PeerAuthName());
+	}
+
+void NVT_Analyzer::AuthenticationRejected()
+	{
+	authentication_has_been_accepted = 0;
+	Event(authentication_rejected, PeerAuthName());
+	}
+
+const char* NVT_Analyzer::PeerAuthName() const
+	{
+	assert(peer);
+	return peer->AuthName();
+	}
+
+void NVT_Analyzer::SetTerminal(const u_char* terminal, int len)
+	{
+	if ( login_terminal )
+		{
+		val_list* vl = new val_list;
+		vl->append(BuildConnVal());
+		vl->append(new StringVal(new BroString(terminal, len, 0)));
+
+		ConnectionEvent(login_terminal, vl);
+		}
+	}
+
+void NVT_Analyzer::SetEncrypting(int mode)
+	{
+	encrypting_mode = mode;
+	SetSkipDeliveries(mode);
+	if ( mode )
+		Event(activating_encryption);
+	}
+
+#define MAX_DELIVER_UNIT 128
+
+void NVT_Analyzer::DoDeliver(int len, const u_char* data)
+	{
+	// This code is very similar to that for TCP_ContentLine.  We
+	// don't virtualize out the differences because some of them
+	// would require per-character function calls, too expensive.
+	if ( pending_IAC )
+		{
+		ScanOption(seq, len, data);
+		return;
+		}
+
+	// Add data up to IAC or end.
+	for ( ; len > 0; --len, ++data )
+		{
+		if ( offset >= buf_len )
+			InitBuffer(buf_len * 2);
+
+		int c = data[0];
+
+		if ( binary_mode && c != TELNET_IAC )
+			c &= 0x7f;
+
+#define EMIT_LINE \
+	{ \
+	buf[offset] = '\0'; \
+	ForwardStream(offset, buf, IsOrig()); \
+	offset = 0; \
+	}
+
+		switch ( c ) {
+		case '\r':
+			if ( CRLFAsEOL() & CR_as_EOL )
+				EMIT_LINE
+			else
+				buf[offset++] = c;
+			break;
+
+		case '\n':
+			if ( last_char == '\r' )
+				{
+				if ( CRLFAsEOL() & CR_as_EOL )
+					// we already emited, skip
+					;
+				else
+					{
+					--offset; // remove '\r'
+					EMIT_LINE
+					}
+				}
+
+			else if ( CRLFAsEOL() & LF_as_EOL )
+				EMIT_LINE
+
+			else
+				{
+				if ( Conn()->FlagEvent(SINGULAR_LF) )
+					Conn()->Weird("line_terminated_with_single_LF");
+				buf[offset++] = c;
+				}
+			break;
+
+		case '\0':
+			if ( last_char == '\r' )
+				// Allow a NUL just after a \r - Solaris
+				// Telnet servers generate these, and they
+				// appear harmless.
+				;
+
+			else if ( flag_NULs )
+				CheckNUL();
+
+			else
+				buf[offset++] = c;
+			break;
+
+		case TELNET_IAC:
+			pending_IAC = 1;
+			IAC_pos = offset;
+			is_suboption = 0;
+			buf[offset++] = c;
+			ScanOption(seq, len - 1, data + 1);
+			return;
+
+		default:
+			buf[offset++] = c;
+			break;
+		}
+
+		if ( ! (CRLFAsEOL() & CR_as_EOL) &&
+		     last_char == '\r' && c != '\n' && c != '\0' )
+			{
+			if ( Conn()->FlagEvent(SINGULAR_CR) )
+				Weird("line_terminated_with_single_CR");
+			}
+
+		last_char = c;
+		}
+	}
+
+void NVT_Analyzer::ScanOption(int seq, int len, const u_char* data)
+	{
+	if ( len <= 0 )
+		return;
+
+	if ( IAC_pos == offset - 1 )
+		{ // All we've seen so far is the IAC.
+		unsigned int code = data[0];
+
+		if ( code == TELNET_IAC )
+			{
+			// An escaped 255, throw away the second
+			// instance and drop the IAC state.
+			pending_IAC = 0;
+			last_char = code;
+			}
+
+		else if ( code == TELNET_OPT_SB )
+			{
+			is_suboption = 1;
+			last_was_IAC = 0;
+			buf[offset++] = code;
+			}
+
+		else if ( IS_3_BYTE_OPTION(code) )
+			{
+			is_suboption = 0;
+			buf[offset++] = code;
+			}
+
+		else
+			{
+			// We've got the whole 2-byte option.
+			SawOption(code);
+
+			// Throw it and the IAC away.
+			--offset;
+			pending_IAC = 0;
+			}
+
+		// Recurse to munch on the remainder.
+		DeliverStream(len - 1, data + 1, IsOrig());
+		return;
+		}
+
+	if ( ! is_suboption )
+		{
+		// We now have the full 3-byte option.
+		SawOption(u_char(buf[offset-1]), data[0]);
+
+		// Delete the option.
+		offset -= 2;	// code + IAC
+		pending_IAC = 0;
+
+		DeliverStream(len - 1, data + 1, IsOrig());
+		return;
+		}
+
+	// A suboption.  Spin looking for end.
+	for ( ; len > 0; --len, ++data )
+		{
+		unsigned int code = data[0];
+
+		if ( last_was_IAC )
+			{
+			last_was_IAC = 0;
+
+			if ( code == TELNET_IAC )
+				{
+				// This is an escaped IAC, eat
+				// the second copy.
+				continue;
+				}
+
+			if ( code != TELNET_OPT_SE )
+				// BSD Telnet treats this case as terminating
+				// the suboption, so that's what we do here
+				// too.  Below we make sure to munch on the
+				// new IAC.
+				BadOptionTermination(code);
+
+			int opt_start = IAC_pos + 2;
+			int opt_stop = offset - 1;
+			int opt_len = opt_stop - opt_start;
+			SawSubOption((const char*)&buf[opt_start], opt_len);
+
+			// Delete suboption.
+			offset = IAC_pos;
+			pending_IAC = is_suboption = 0;
+
+			if ( code == TELNET_OPT_SE )
+				DeliverStream(len - 1, data + 1, IsOrig());
+			else
+				{
+				// Munch on the new (broken) option.
+				pending_IAC = 1;
+				IAC_pos = offset;
+				buf[offset++] = TELNET_IAC;
+				DeliverStream(len, data, IsOrig());
+				}
+			return;
+			}
+
+		else
+			{
+			buf[offset++] = code;
+			last_was_IAC = (code == TELNET_IAC);
+			}
+		}
+	}
+
+void NVT_Analyzer::SawOption(unsigned int /* code */)
+	{
+	}
+
+void NVT_Analyzer::SawOption(unsigned int code, unsigned int subcode)
+	{
+	TelnetOption* opt = FindOption(subcode);
+	if ( opt )
+		opt->RecvOption(code);
+	}
+
+void NVT_Analyzer::SawSubOption(const char* subopt, int len)
+	{
+	unsigned int subcode = u_char(subopt[0]);
+
+	++subopt;
+	--len;
+
+	TelnetOption* opt = FindOption(subcode);
+	if ( opt )
+		opt->RecvSubOption((u_char*) subopt, len);
+	}
+
+void NVT_Analyzer::BadOptionTermination(unsigned int /* code */)
+	{
+	Event(bad_option_termination);
+	}
+
diff --git a/src/NVT.h b/src/NVT.h
new file mode 100644
index 0000000000..63c0cc6620
--- /dev/null
+++ b/src/NVT.h
@@ -0,0 +1,175 @@
+// $Id: NVT.h 6219 2008-10-01 05:39:07Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#ifndef nvt_h
+#define nvt_h
+
+#include "ContentLine.h"
+
+
+#define TELNET_OPTION_BINARY 0
+#define TELNET_OPTION_TERMINAL 24
+#define TELNET_OPTION_AUTHENTICATE 37
+#define TELNET_OPTION_ENCRYPT 38
+#define TELNET_OPTION_ENVIRON 39
+#define NUM_TELNET_OPTIONS 5
+
+class NVT_Analyzer;
+
+
+class TelnetOption {
+public:
+	TelnetOption(NVT_Analyzer* endp, unsigned int code);
+	virtual ~TelnetOption() { }
+
+// Whether we told the other side WILL/WONT/DO/DONT.
+#define OPT_SAID_WILL 0x1
+#define OPT_SAID_WONT 0x2
+#define OPT_SAID_DO 0x4
+#define OPT_SAID_DONT 0x8
+
+	unsigned int Code() const	{ return code; }
+
+	int IsActive() const		{ return active; }
+
+	int SaidWill() const	{ return flags & OPT_SAID_WILL; }
+	int SaidWont() const	{ return flags & OPT_SAID_WONT; }
+	int SaidDo() const	{ return flags & OPT_SAID_DO; }
+	int SaidDont() const	{ return flags & OPT_SAID_DONT; }
+
+	void SetWill()	{ flags |= OPT_SAID_WILL; }
+	void SetWont()	{ flags |= OPT_SAID_WONT; }
+	void SetDo()	{ flags |= OPT_SAID_DO; }
+	void SetDont()	{ flags |= OPT_SAID_DONT; }
+
+	void RecvOption(unsigned int type);
+	virtual void RecvSubOption(u_char* data, int len);
+
+	virtual void SetActive(int is_active);
+
+	const NVT_Analyzer* Endpoint() const	{ return endp; }
+
+protected:
+	friend class NVT_Analyzer;
+	virtual void InconsistentOption(unsigned int type);
+	virtual void BadOption();
+
+	NVT_Analyzer* endp;
+	unsigned int code;
+	int flags;
+	int active;
+};
+
+class TelnetTerminalOption : public TelnetOption {
+public:
+	TelnetTerminalOption(NVT_Analyzer* arg_endp)
+		: TelnetOption(arg_endp, TELNET_OPTION_TERMINAL)	{ }
+
+	void RecvSubOption(u_char* data, int len);
+};
+
+class TelnetEncryptOption : public TelnetOption {
+public:
+	TelnetEncryptOption(NVT_Analyzer* arg_endp)
+		: TelnetOption(arg_endp, TELNET_OPTION_ENCRYPT)
+			{ did_encrypt_request = doing_encryption = 0; }
+
+	void RecvSubOption(u_char* data, int len);
+
+	int DidRequest() const		{ return did_encrypt_request; }
+	int DoingEncryption() const	{ return doing_encryption; }
+
+protected:
+	friend class NVT_Analyzer;
+	int did_encrypt_request, doing_encryption;
+};
+
+class TelnetAuthenticateOption : public TelnetOption {
+public:
+	TelnetAuthenticateOption(NVT_Analyzer* arg_endp)
+		: TelnetOption(arg_endp, TELNET_OPTION_AUTHENTICATE)
+			{ authentication_requested = 0; }
+
+	void RecvSubOption(u_char* data, int len);
+
+	int DidRequestAuthentication() const
+		{ return authentication_requested; }
+
+protected:
+	friend class NVT_Analyzer;
+	int authentication_requested;
+};
+
+class TelnetEnvironmentOption : public TelnetOption {
+public:
+	TelnetEnvironmentOption(NVT_Analyzer* arg_endp)
+		: TelnetOption(arg_endp, TELNET_OPTION_ENVIRON)
+			{ }
+
+	void RecvSubOption(u_char* data, int len);
+
+protected:
+	char* ExtractEnv(u_char*& data, int& len, int& code);
+};
+
+class TelnetBinaryOption : public TelnetOption {
+public:
+	TelnetBinaryOption(NVT_Analyzer* arg_endp)
+		: TelnetOption(arg_endp, TELNET_OPTION_BINARY)
+			{ }
+
+	void SetActive(int is_active);
+
+protected:
+	void InconsistentOption(unsigned int type);
+};
+
+class NVT_Analyzer : public ContentLine_Analyzer {
+public:
+	NVT_Analyzer(Connection* conn, bool orig);
+	~NVT_Analyzer();
+
+	TelnetOption* FindOption(unsigned int code);
+	TelnetOption* FindPeerOption(unsigned int code);
+
+	void SetPeer(NVT_Analyzer* arg_peer)	{ peer = arg_peer; }
+
+	void AuthenticationAccepted();
+	void AuthenticationRejected();
+
+	void SetTerminal(const u_char* terminal, int len);
+	void SetBinaryMode(int mode)	{ binary_mode = mode; }
+	void SetEncrypting(int mode);
+	void SetAuthName(char* arg_auth_name)	{ auth_name = arg_auth_name; }
+
+	const char* AuthName() const	{ return auth_name; }
+	int AuthenticationHasBeenAccepted() const
+		{ return authentication_has_been_accepted; }
+
+protected:
+	void DoDeliver(int len, const u_char* data);
+
+	void ScanOption(int seq, int len, const u_char* data);
+	virtual void SawOption(unsigned int code);
+	virtual void SawOption(unsigned int code, unsigned int subcode);
+	virtual void SawSubOption(const char* opt, int len);
+	virtual void BadOptionTermination(unsigned int code);
+	const char* PeerAuthName() const;
+
+	NVT_Analyzer* peer;
+
+	int pending_IAC;	// true if we're working on an option/IAC
+	int IAC_pos;		// where the IAC was seen
+	int is_suboption;	// true if current option is suboption
+	int last_was_IAC;	// for scanning suboptions
+
+	int binary_mode, encrypting_mode;
+	int authentication_has_been_accepted;	// if true, we accepted peer's authentication
+	char* auth_name;
+
+	TelnetOption* options[NUM_TELNET_OPTIONS];
+	int num_options;
+};
+
+#endif
diff --git a/src/Net.cc b/src/Net.cc
new file mode 100644
index 0000000000..73b02aa141
--- /dev/null
+++ b/src/Net.cc
@@ -0,0 +1,720 @@
+// $Id: Net.cc 6915 2009-09-22 05:04:17Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "config.h"
+
+#include <sys/types.h>
+#if TIME_WITH_SYS_TIME
+# include <sys/time.h>
+# include <time.h>
+#else
+# if HAVE_SYS_TIME_H
+#  include <sys/time.h>
+# else
+#  include <time.h>
+# endif
+#endif
+
+#include <errno.h>
+#include <signal.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+#include "NetVar.h"
+#include "Sessions.h"
+#include "Event.h"
+#include "Timer.h"
+#include "Var.h"
+#include "Logger.h"
+#include "Net.h"
+#include "TCP_Rewriter.h"
+#include "Anon.h"
+#include "PacketSort.h"
+#include "Serializer.h"
+#include "PacketDumper.h"
+
+#ifdef USE_DAG
+#include "PktDagSrc.h"
+#endif
+
+extern "C" {
+#include "setsignal.h"
+};
+
+extern "C" {
+extern int select(int, fd_set *, fd_set *, fd_set *, struct timeval *);
+}
+
+PList(PktSrc) pkt_srcs;
+
+// FIXME: We should really merge PktDumper and PacketDumper.
+// It's on my to-do [Robin].
+PktDumper* pkt_dumper = 0;
+PktDumper* pkt_transformed_dumper = 0;
+
+// For trace of rewritten packets
+PacketDumper* transformed_pkt_dump = 0;
+// For trace of original packets from selected connections
+PacketDumper* source_pkt_dump = 0;
+int transformed_pkt_dump_MTU = 1514;
+
+int reading_live = 0;
+int reading_traces = 0;
+int have_pending_timers = 0;
+double pseudo_realtime = 0.0;
+char* user_pcap_filter = 0;
+bool using_communication = false;
+
+double network_time = 0.0;	// time according to last packet timestamp
+				// (or current time)
+double processing_start_time = 0.0;	// time started working on current pkt
+double bro_start_time = 0.0; // time Bro started.
+double bro_start_network_time;	// timestamp of first packet
+double last_watchdog_proc_time = 0.0;	// value of above during last watchdog
+bool terminating = false;	// whether we're done reading and finishing up
+
+PacketSortGlobalPQ* packet_sorter = 0;
+
+const struct pcap_pkthdr* current_hdr = 0;
+const u_char* current_pkt = 0;
+int current_dispatched = 0;
+int current_hdr_size = 0;
+double current_timestamp = 0.0;
+PktSrc* current_pktsrc = 0;
+IOSource* current_iosrc;
+
+
+RETSIGTYPE watchdog(int /* signo */)
+	{
+	if ( processing_start_time != 0.0 )
+		{
+		// The signal arrived while we're processing a packet and/or
+		// its corresponding event queue.  Check whether we've been
+		// spending too much time, which we take to mean we've wedged.
+
+		// Note that it's subtle how exactly to test this.  In
+		// processing_start_time we have the timestamp of the packet
+		// we're currently working on.  But that *doesn't* mean that
+		// we began work on the packet at that time; we could have
+		// begun at a much later time, depending on how long the
+		// packet filter waited (to fill its buffer) before handing
+		// up this packet.  So what we require is that the current
+		// processing_start_time matches the processing_start_time we
+		// observed last time the watchdog went off.  If so, then
+		// we've been working on the current packet for at least
+		// watchdog_interval seconds.
+
+		if ( processing_start_time == last_watchdog_proc_time )
+			{
+			// snprintf() calls alloc/free routines if you use %f!
+			// We need to avoid doing that given we're in a single
+			// handler and the allocation routines are not
+			// reentrant.
+
+			double ct = current_time();
+
+			int int_ct = int(ct);
+			int frac_ct = int((ct - int_ct) * 1e6);
+
+			int int_pst = int(processing_start_time);
+			int frac_pst =
+				int((processing_start_time - int_pst) * 1e6);
+
+			char msg[512];
+			safe_snprintf(msg, sizeof(msg),
+				      "**watchdog timer expired, t = %d.%06d, start = %d.%06d, dispatched = %d",
+				      int_ct, frac_ct, int_pst, frac_pst,
+				      current_dispatched);
+
+			bro_logger->Log(msg);
+			run_time("watchdog timer expired");
+
+			if ( current_hdr )
+				{
+				if ( ! pkt_dumper )
+					{
+					// We aren't dumping packets; however,
+					// saving the packet which caused the
+					// watchdog to trigger may be helpful,
+					// so we'll save that one nevertheless.
+					pkt_dumper = new PktDumper("watchdog-pkt.pcap");
+					if ( pkt_dumper->IsError() )
+						{
+						fprintf(stderr, "watchdog: can't open watchdog-pkt.pcap for writing\n");
+						pkt_dumper = 0;
+						}
+					}
+
+				if ( pkt_dumper )
+					pkt_dumper->Dump(current_hdr, current_pkt);
+				}
+
+			net_get_final_stats();
+			net_finish(0);
+
+			abort();
+			exit(1);
+			}
+		}
+
+	last_watchdog_proc_time = processing_start_time;
+
+	(void) alarm(watchdog_interval);
+	return RETSIGVAL;
+	}
+
+void net_init(name_list& interfaces, name_list& readfiles, 
+	      name_list& netflows, name_list& flowfiles,
+	        const char* writefile, const char* transformed_writefile,
+	        const char* filter, const char* secondary_filter,
+		int do_watchdog)
+	{
+	init_net_var();
+
+	if ( readfiles.length() > 0 || flowfiles.length() > 0 )
+		{
+		reading_live = pseudo_realtime > 0.0;
+		reading_traces = 1;
+
+		for ( int i = 0; i < readfiles.length(); ++i )
+			{
+			PktFileSrc* ps = new PktFileSrc(readfiles[i], filter);
+
+			if ( ! ps->IsOpen() )
+				{
+				fprintf(stderr, "%s: problem with trace file %s - %s\n",
+					prog, readfiles[i], ps->ErrorMsg());
+				exit(1);
+				}
+			else
+				{
+				pkt_srcs.append(ps);
+				io_sources.Register(ps);
+				}
+
+			if ( secondary_filter )
+				{
+				// We use a second PktFileSrc for the
+				// secondary path.
+				PktFileSrc* ps = new PktFileSrc(readfiles[i],
+							secondary_filter,
+							TYPE_FILTER_SECONDARY);
+
+				if ( ! ps->IsOpen() )
+					{
+					fprintf(stderr, "%s: problem with trace file %s - %s\n",
+						prog, readfiles[i],
+						ps->ErrorMsg());
+					exit(1);
+					}
+				else
+					{
+					pkt_srcs.append(ps);
+					io_sources.Register(ps);
+					}
+
+				ps->AddSecondaryTablePrograms();
+				}
+			}
+
+		for ( int i = 0; i < flowfiles.length(); ++i )
+			{
+			FlowFileSrc* fs = new FlowFileSrc(flowfiles[i]);
+
+			if ( ! fs->IsOpen() )
+				{
+				fprintf(stderr, "%s: problem with netflow file %s - %s\n",
+					prog, flowfiles[i], fs->ErrorMsg());
+				exit(1);
+				}
+			else
+				{
+				io_sources.Register(fs);
+				}
+			}
+		}
+
+	else if ((interfaces.length() > 0 || netflows.length() > 0))
+		{
+		reading_live = 1;
+		reading_traces = 0;
+
+		for ( int i = 0; i < interfaces.length(); ++i )
+			{
+			PktSrc* ps;
+#ifdef USE_DAG
+			if ( strncmp(interfaces[i], "dag", 3) == 0 )
+				ps = new PktDagSrc(interfaces[i], filter);
+			else
+#endif
+				ps = new PktInterfaceSrc(interfaces[i], filter);
+
+			if ( ! ps->IsOpen() )
+				{
+				fprintf(stderr, "%s: problem with interface %s - %s\n",
+					prog, interfaces[i], ps->ErrorMsg());
+				exit(1);
+				}
+			else
+				{
+				pkt_srcs.append(ps);
+				io_sources.Register(ps);
+				}
+
+			if ( secondary_filter )
+				{
+				PktSrc* ps;
+#ifdef USE_DAG
+				if ( strncmp(interfaces[i], "dag", 3) == 0 )
+					ps = new PktDagSrc(interfaces[i],
+						filter, TYPE_FILTER_SECONDARY);
+				else
+#endif
+					ps = new PktInterfaceSrc(interfaces[i],
+						filter, TYPE_FILTER_SECONDARY);
+
+				if ( ! ps->IsOpen() )
+					{
+					fprintf(stderr, "%s: problem with interface %s - %s\n",
+						prog, interfaces[i],
+						ps->ErrorMsg());
+					exit(1);
+					}
+				else
+					{
+					pkt_srcs.append(ps);
+					io_sources.Register(ps);
+					}
+
+				ps->AddSecondaryTablePrograms();
+				}
+			}
+
+		for ( int i = 0; i < netflows.length(); ++i )
+			{
+			FlowSocketSrc* fs = new FlowSocketSrc(netflows[i]);
+
+			if ( ! fs->IsOpen() )
+				{
+				fprintf(stderr, "%s: problem with netflow socket %s - %s\n",
+					prog, netflows[i], fs->ErrorMsg());
+				exit(1);
+				}
+			else
+				{
+				io_sources.Register(fs);
+				}
+			}
+
+		}
+
+	else
+		// have_pending_timers = 1, possibly.  We don't set
+		// that here, though, because at this point we don't know
+		// whether the user's bro_init() event will indeed set
+		// a timer.
+		reading_traces = reading_live = 0;
+
+	if ( writefile )
+		{
+		// ### This will fail horribly if there are multiple
+		// interfaces with different-lengthed media.
+		pkt_dumper = new PktDumper(writefile);
+		if ( pkt_dumper->IsError() )
+			{
+			fprintf(stderr, "%s: can't open write file \"%s\" - %s\n",
+				prog, writefile, pkt_dumper->ErrorMsg());
+			exit(1);
+			}
+
+		ID* id = global_scope()->Lookup("trace_output_file");
+		if ( ! id )
+			run_time("trace_output_file not defined in bro.init");
+		else
+			id->SetVal(new StringVal(writefile));
+		}
+
+	if ( transformed_writefile )
+		{
+		pkt_transformed_dumper = new PktDumper(transformed_writefile);
+		if ( pkt_transformed_dumper->IsError() )
+			{
+			fprintf(stderr, "%s: can't open trace transformation write file \"%s\" - %s\n",
+				prog, writefile,
+				pkt_transformed_dumper->ErrorMsg());
+			exit(1);
+			}
+
+		transformed_pkt_dump =
+			new PacketDumper(pkt_transformed_dumper->PcapDumper());
+
+		// If both -A and -w are specified, -A will be the transformed
+		// trace file and -w will be the source packet trace file.
+		// Otherwise the packets will go to the same file.
+		if ( pkt_dumper )
+			source_pkt_dump =
+				new PacketDumper(pkt_dumper->PcapDumper());
+		}
+
+	else if ( pkt_dumper )
+		transformed_pkt_dump =
+			new PacketDumper(pkt_dumper->PcapDumper());
+
+	if ( anonymize_ip_addr )
+		init_ip_addr_anonymizers();
+	else
+		for ( int i = 0; i < NUM_ADDR_ANONYMIZATION_METHODS; ++i )
+			ip_anonymizer[i] = 0;
+
+	if ( packet_sort_window > 0 )
+		packet_sorter = new PacketSortGlobalPQ();
+
+	sessions = new NetSessions();
+
+	if ( do_watchdog )
+		{
+		// Set up the watchdog to make sure we don't wedge.
+		(void) setsignal(SIGALRM, watchdog);
+		(void) alarm(watchdog_interval);
+		}
+	}
+
+void expire_timers(PktSrc* src_ps)
+	{
+	SegmentProfiler(segment_logger, "expiring-timers");
+	TimerMgr* tmgr =
+		src_ps ? sessions->LookupTimerMgr(src_ps->GetCurrentTag())
+			: timer_mgr;
+
+	current_dispatched +=
+		tmgr->Advance(network_time,
+				max_timer_expires - current_dispatched);
+	}
+
+void net_packet_dispatch(double t, const struct pcap_pkthdr* hdr,
+			const u_char* pkt, int hdr_size,
+			PktSrc* src_ps, PacketSortElement* pkt_elem)
+	{
+	if ( ! bro_start_network_time )
+		bro_start_network_time = t;
+
+	TimerMgr* tmgr =
+		src_ps ? sessions->LookupTimerMgr(src_ps->GetCurrentTag())
+			: timer_mgr;
+
+	// network_time never goes back.
+	network_time = tmgr->Time() < t ? t : tmgr->Time();
+
+	current_pktsrc = src_ps;
+	current_iosrc = src_ps;
+	processing_start_time = t;
+
+	expire_timers(src_ps);
+
+	SegmentProfiler* sp = 0;
+
+	if ( load_sample )
+		{
+		static uint32 load_freq = 0;
+
+		if ( load_freq == 0 )
+			load_freq = uint32(0xffffffff) / uint32(load_sample_freq);
+
+		if ( uint32(random() & 0xffffffff) < load_freq )
+			{
+			// Drain the queued timer events so they're not
+			// charged against this sample.
+			mgr.Drain();
+
+			sample_logger = new SampleLogger();
+			sp = new SegmentProfiler(sample_logger, "load-samp");
+			}
+		}
+
+	sessions->DispatchPacket(t, hdr, pkt, hdr_size, src_ps, pkt_elem);
+	mgr.Drain();
+
+	if ( sp )
+		{
+		delete sp;
+		delete sample_logger;
+		sample_logger = 0;
+		}
+
+	processing_start_time = 0.0;	// = "we're not processing now"
+	current_dispatched = 0;
+	current_iosrc = 0;
+	current_pktsrc = 0;
+	}
+
+int process_packet_sorter(double latest_packet_time)
+	{
+	if ( ! packet_sorter )
+		return 0;
+
+	double min_t = latest_packet_time - packet_sort_window;
+
+	int num_pkts_dispatched = 0;
+	PacketSortElement* pkt_elem;
+
+	// Dispatch packets in the packet_sorter until timestamp min_t.
+	// It's possible that zero or multiple packets are dispatched.
+	while ( (pkt_elem = packet_sorter->RemoveMin(min_t)) != 0 )
+		{
+		net_packet_dispatch(pkt_elem->TimeStamp(),
+			pkt_elem->Hdr(), pkt_elem->Pkt(),
+			pkt_elem->HdrSize(), pkt_elem->Src(),
+			pkt_elem);
+		++num_pkts_dispatched;
+		delete pkt_elem;
+		}
+
+	return num_pkts_dispatched;
+	}
+
+void net_packet_arrival(double t, const struct pcap_pkthdr* hdr,
+			const u_char* pkt, int hdr_size,
+			PktSrc* src_ps)
+	{
+	if ( packet_sorter )
+		{
+		// Note that when we enable packet sorter, there will
+		// be a small window between the time packet arrives
+		// to Bro and when it is processed ("dispatched").  We
+		// define network_time to be the latest timestamp for
+		// packets *dispatched* so far (usually that's the
+		// timestamp of the current packet).
+
+		// Add the packet to the packet_sorter.
+		packet_sorter->Add(
+			new PacketSortElement(src_ps, t, hdr, pkt, hdr_size));
+
+		// Do we have any packets to dispatch from packet_sorter?
+		process_packet_sorter(t);
+		}
+	else
+		// Otherwise we dispatch the packet immediately
+		net_packet_dispatch(t, hdr, pkt, hdr_size, src_ps, 0);
+	}
+
+void net_run()
+	{
+	set_processing_status("RUNNING", "net_run");
+
+	while ( io_sources.Size() ||
+		(packet_sorter && ! packet_sorter->Empty()) )
+		{
+		double ts;
+		IOSource* src = io_sources.FindSoonest(&ts);
+
+#ifdef DEBUG
+		static int loop_counter = 0;
+
+		// If no source is ready, we log only every 100th cycle,
+		// starting with the first.
+		if ( src || loop_counter++ % 100 == 0 )
+			{
+			DBG_LOG(DBG_MAINLOOP, "realtime=%.6f iosrc=%s ts=%.6f",
+					current_time(), src ? src->Tag() : "<all dry>", src ? ts : -1);
+
+			if ( src )
+				loop_counter = 0;
+			}
+#endif
+		current_iosrc = src;
+
+		if ( src )
+			src->Process();	// which will call net_packet_arrival()
+
+		else if ( reading_live && ! pseudo_realtime)
+			{ // live but  no source is currently active
+			double ct = current_time();
+			if ( packet_sorter && ! packet_sorter->Empty() )
+				process_packet_sorter(ct);
+			else if ( ! net_is_processing_suspended() )
+				{
+				// Take advantage of the lull to get up to
+				// date on timers and events.
+				network_time = ct;
+				expire_timers();
+				}
+			}
+
+		else if ( packet_sorter && ! packet_sorter->Empty() )
+			{
+			// We are no longer reading live; done with all the
+			// sources.
+			// Drain packets remaining in the packet sorter.
+			process_packet_sorter(
+				network_time + packet_sort_window + 1000000);
+			}
+
+		else if ( (have_pending_timers || using_communication) &&
+			  ! pseudo_realtime )
+			{
+			// Take advantage of the lull to get up to
+			// date on timers and events.  Because we only
+			// have timers as sources, going to sleep here
+			// doesn't risk blocking on other inputs.
+			network_time = current_time();
+			expire_timers();
+
+			// Avoid busy-waiting - pause for 100 ms.
+			// We pick a sleep value of 100 msec that buys
+			// us a lot of idle time, but doesn't delay near-term
+			// timers too much.  (Delaying them somewhat is okay,
+			// since Bro timers are not high-precision anyway.)
+			if ( ! using_communication )
+				usleep(100000);
+
+			// Flawfinder says about usleep:
+			//
+			// This C routine is considered obsolete (as opposed
+			// to the shell command by the same name).   The
+			// interaction of this function with SIGALRM and
+			// other timer functions such as sleep(), alarm(),
+			// setitimer(), and nanosleep() is unspecified.
+			// Use nanosleep(2) or setitimer(2) instead.
+			}
+
+		mgr.Drain();
+
+		processing_start_time = 0.0;	// = "we're not processing now"
+		current_dispatched = 0;
+		current_iosrc = 0;
+
+		// Should we put the signal handling into an IOSource?
+		extern void termination_signal();
+
+		if ( signal_val == SIGTERM || signal_val == SIGINT )
+			// We received a signal while processing the
+			// current packet and its related events.
+			termination_signal();
+
+#ifdef DEBUG_COMMUNICATION
+		if ( signal_val == SIGPROF && remote_serializer )
+			remote_serializer->DumpDebugData();
+#endif
+
+		if ( ! reading_traces )
+			// Check whether we have timers scheduled for
+			// the future on which we need to wait.
+			have_pending_timers = timer_mgr->Size() > 0;
+		}
+
+	// Get the final statistics now, and not when net_finish() is
+	// called, since that might happen quite a bit in the future
+	// due to expiring pending timers, and we don't want to ding
+	// for any packets dropped beyond this point.
+	net_get_final_stats();
+	}
+
+void net_get_final_stats()
+	{
+	loop_over_list(pkt_srcs, i)
+		{
+		PktSrc* ps = pkt_srcs[i];
+
+		if ( ps->IsLive() )
+			{
+			struct PktSrc::Stats s;
+			ps->Statistics(&s);
+			fprintf(stderr, "%d packets received on interface %s, %d dropped\n",
+					s.received, ps->Interface(), s.dropped);
+			}
+		}
+	}
+
+void net_finish(int drain_events)
+	{
+	set_processing_status("TERMINATING", "net_finish");
+
+	if ( drain_events )
+		{
+		if ( sessions )
+			sessions->Drain();
+
+		mgr.Drain();
+
+		if ( sessions )
+			sessions->Done();
+		}
+
+	delete pkt_dumper;
+	delete pkt_transformed_dumper;
+
+	// fprintf(stderr, "uhash: %d/%d\n", hash_cnt_uhash, hash_cnt_all);
+
+#ifdef DEBUG
+	extern int reassem_seen_bytes, reassem_copied_bytes;
+	// DEBUG_MSG("Reassembly (TCP and IP/Frag): %d bytes seen, %d bytes copied\n",
+	// 	reassem_seen_bytes, reassem_copied_bytes);
+
+	extern int num_packets_held, num_packets_cleaned;
+	// DEBUG_MSG("packets clean up: %d/%d\n", num_packets_cleaned, num_packets_held);
+#endif
+	}
+
+void net_delete()
+	{
+	set_processing_status("TERMINATING", "net_delete");
+
+	delete sessions;
+	delete packet_sorter;
+
+	// Can't put this in net_finish() because packets might be
+	// dumped when connections are deleted.
+	if ( transformed_pkt_dump )
+		delete transformed_pkt_dump;
+
+	for ( int i = 0; i < NUM_ADDR_ANONYMIZATION_METHODS; ++i )
+		delete ip_anonymizer[i];
+	}
+
+// net_packet_match
+//
+// Description:
+//  - Checks if a packet matches a filter. It just wraps up a call to
+//    [pcap.h's] bpf_filter().
+//
+// Inputs:
+//  - fp: a BPF-compiled filter
+//  - pkt: a pointer to the packet
+//  - len: the original packet length
+//  - caplen: the captured packet length. This is pkt length
+//
+// Output:
+//  - return: 1 if the packet matches the filter, 0 otherwise
+
+int net_packet_match(BPF_Program* fp, const u_char* pkt,
+		     u_int len, u_int caplen)
+	{
+	// NOTE: I don't like too much un-const'ing the pkt variable.
+	return bpf_filter(fp->GetProgram()->bf_insns, (u_char*) pkt, len, caplen);
+	}
+
+
+int _processing_suspended = 0;
+
+static double suspend_start = 0;
+
+void net_suspend_processing()
+	{
+	if ( _processing_suspended == 0 )
+		bro_logger->Log("processing suspended");
+
+	++_processing_suspended;
+	}
+
+void net_continue_processing()
+	{
+	if ( _processing_suspended == 1 )
+		{
+		bro_logger->Log("processing continued");
+		loop_over_list(pkt_srcs, i)
+			pkt_srcs[i]->ContinueAfterSuspend();
+		}
+
+	--_processing_suspended;
+	}
diff --git a/src/Net.h b/src/Net.h
new file mode 100644
index 0000000000..87c0ce2499
--- /dev/null
+++ b/src/Net.h
@@ -0,0 +1,98 @@
+// $Id: Net.h 6219 2008-10-01 05:39:07Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#ifndef net_h
+#define net_h
+
+#include "net_util.h"
+#include "BPF_Program.h"
+#include "List.h"
+#include "PktSrc.h"
+#include "FlowSrc.h"
+#include "Func.h"
+#include "RemoteSerializer.h"
+
+extern void net_init(name_list& interfaces, name_list& readfiles,
+		name_list& netflows, name_list& flowfiles,
+		const char* writefile, const char* transformed_writefile,
+		const char* filter, const char* secondary_filter,
+		int do_watchdog);
+extern void net_run();
+extern void net_get_final_stats();
+extern void net_finish(int drain_events);
+extern void net_delete();	// Reclaim all memory, etc.
+extern void net_packet_arrival(double t, const struct pcap_pkthdr* hdr,
+			const u_char* pkt, int hdr_size,
+			PktSrc* src_ps);
+extern int net_packet_match(BPF_Program* fp, const u_char* pkt,
+			    u_int len, u_int caplen);
+extern void expire_timers(PktSrc* src_ps = 0);
+extern void termination_signal();
+
+// Functions to temporarily suspend processing of live input (network packets
+// and remote events/state). Turning this is on is sure to lead to data loss!
+extern void net_suspend_processing();
+extern void net_continue_processing();
+
+extern int _processing_suspended;	// don't access directly.
+inline bool net_is_processing_suspended()
+	{ return _processing_suspended > 0; }
+
+// Whether we're reading live traffic.
+extern int reading_live;
+
+// Same but for reading from traces instead.  We have two separate
+// variables because it's possible that neither is true, and we're
+// instead just running timers (per the variable after this one).
+extern int reading_traces;
+
+// True if we have timers scheduled for the future on which we need
+// to wait.  "Need to wait" here means that we're running live (though
+// perhaps not reading_live, but just running in real-time) as opposed
+// to reading a trace (in which case we don't want to wait in real-time
+// on future timers).
+extern int have_pending_timers;
+
+// If > 0, we are reading from traces but trying to mimic real-time behavior.
+// (In this case, both reading_traces and reading_live are true.)  The value
+// is the speedup (1 = real-time, 0.5 = half real-time, etc.).
+extern double pseudo_realtime;
+
+// Pcap filter supplied by the user on the command line (if any).
+extern char* user_pcap_filter;
+
+// When we started processing the current packet and corresponding event
+// queue.
+extern double processing_start_time;
+
+// When the Bro process was started.
+extern double bro_start_time;
+
+// Time at which the Bro process was started with respect to network time,
+// i.e. the timestamp of the first packet.
+extern double bro_start_network_time;
+
+// True if we're a in the process of cleaning-up just before termination.
+extern bool terminating;
+
+// True if the remote serializer is to be activated.
+extern bool using_communication;
+
+extern const struct pcap_pkthdr* current_hdr;
+extern const u_char* current_pkt;
+extern int current_dispatched;
+extern int current_hdr_size;
+extern double current_timestamp;
+extern PktSrc* current_pktsrc;
+extern IOSource* current_iosrc;
+
+declare(PList,PktSrc);
+extern PList(PktSrc) pkt_srcs;
+
+extern PktDumper* pkt_dumper;	// where to save packets
+extern PktDumper* pkt_transformed_dumper;
+
+extern char* writefile;
+
+#endif
diff --git a/src/NetVar.cc b/src/NetVar.cc
new file mode 100644
index 0000000000..2c817fdc17
--- /dev/null
+++ b/src/NetVar.cc
@@ -0,0 +1,563 @@
+// $Id: NetVar.cc 6887 2009-08-20 05:17:33Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "config.h"
+
+#include "Var.h"
+#include "NetVar.h"
+
+RecordType* conn_id;
+RecordType* endpoint;
+RecordType* endpoint_stats;
+RecordType* connection_type;
+RecordType* icmp_conn;
+RecordType* icmp_context;
+RecordType* SYN_packet;
+RecordType* pcap_packet;
+RecordType* signature_state;
+EnumType* transport_proto;
+TableType* string_set;
+
+RecordType* net_stats;
+
+int watchdog_interval;
+double heartbeat_interval;
+
+int max_timer_expires;
+int max_remote_events_processed;
+
+int ignore_checksums;
+int partial_connection_ok;
+int tcp_SYN_ack_ok;
+int tcp_match_undelivered;
+
+int encap_hdr_size;
+int udp_tunnel_port;
+
+double frag_timeout;
+
+double tcp_SYN_timeout;
+double tcp_session_timer;
+double tcp_connection_linger;
+double tcp_attempt_delay;
+double tcp_close_delay;
+double tcp_reset_delay;
+double tcp_partial_close_delay;
+
+int tcp_max_initial_window;
+int tcp_max_above_hole_without_any_acks;
+int tcp_excessive_data_without_further_acks;
+
+int ssl_compare_cipherspecs;
+int ssl_analyze_certificates;
+int ssl_store_certificates;
+int ssl_verify_certificates;
+int ssl_store_key_material;
+int ssl_max_cipherspec_size;
+StringVal* ssl_store_cert_path;
+StringVal* x509_trusted_cert_path;
+TableType* cipher_suites_list;
+RecordType* x509_type;
+
+double non_analyzed_lifetime;
+double tcp_inactivity_timeout;
+double udp_inactivity_timeout;
+double icmp_inactivity_timeout;
+
+int tcp_storm_thresh;
+double tcp_storm_interarrival_thresh;
+
+TableVal* tcp_reassembler_ports_orig;
+TableVal* tcp_reassembler_ports_resp;
+
+TableVal* tcp_content_delivery_ports_orig;
+TableVal* tcp_content_delivery_ports_resp;
+bool tcp_content_deliver_all_orig;
+bool tcp_content_deliver_all_resp;
+
+TableVal* udp_content_delivery_ports_orig;
+TableVal* udp_content_delivery_ports_resp;
+bool udp_content_deliver_all_orig;
+bool udp_content_deliver_all_resp;
+
+double dns_session_timeout;
+double ntp_session_timeout;
+double rpc_timeout;
+
+ListVal* skip_authentication;
+ListVal* direct_login_prompts;
+ListVal* login_prompts;
+ListVal* login_non_failure_msgs;
+ListVal* login_failure_msgs;
+ListVal* login_success_msgs;
+ListVal* login_timeouts;
+
+int mime_segment_length;
+int mime_segment_overlap_length;
+RecordType* mime_header_rec;
+TableType* mime_header_list;
+
+int http_entity_data_delivery_size;
+RecordType* http_stats_rec;
+RecordType* http_message_stat;
+int truncate_http_URI;
+
+int pm_request;
+RecordType* pm_mapping;
+TableType* pm_mappings;
+RecordType* pm_port_request;
+RecordType* pm_callit_request;
+
+RecordType* nfs3_attrs;
+RecordType* nfs3_opt_attrs;
+RecordType* nfs3_lookup_args;
+RecordType* nfs3_lookup_reply;
+RecordType* nfs3_fsstat;
+
+RecordType* ntp_msg;
+
+TableVal* samba_cmds;
+RecordType* smb_hdr;
+RecordType* smb_trans;
+RecordType* smb_trans_data;
+RecordType* smb_tree_connect;
+TableType* smb_negotiate;
+
+RecordType* geo_location;
+
+TableType* dhcp_router_list;
+RecordType* dhcp_msg;
+
+RecordType* dns_msg;
+RecordType* dns_answer;
+RecordType* dns_soa;
+RecordType* dns_edns_additional;
+RecordType* dns_tsig_additional;
+TableVal* dns_skip_auth;
+TableVal* dns_skip_addl;
+int dns_skip_all_auth;
+int dns_skip_all_addl;
+int dns_max_queries;
+
+double stp_delta;
+double stp_idle_min;
+TableVal* stp_skip_src;
+
+double interconn_min_interarrival;
+double interconn_max_interarrival;
+int interconn_max_keystroke_pkt_size;
+int interconn_default_pkt_size;
+double interconn_stat_period;
+double interconn_stat_backoff;
+RecordType* interconn_endp_stats;
+
+double backdoor_stat_period;
+double backdoor_stat_backoff;
+
+RecordType* backdoor_endp_stats;
+
+RecordType* software;
+RecordType* software_version;
+RecordType* OS_version;
+EnumType* OS_version_inference;
+TableVal* generate_OS_version_event;
+
+double table_expire_interval;
+double table_expire_delay;
+int table_incremental_step;
+
+RecordType* packet_type;
+
+double packet_sort_window;
+
+double connection_status_update_interval;
+
+StringVal* state_dir;
+double state_write_delay;
+
+int orig_addr_anonymization, resp_addr_anonymization;
+int other_addr_anonymization;
+TableVal* preserve_orig_addr;
+TableVal* preserve_resp_addr;
+TableVal* preserve_other_addr;
+
+double log_rotate_interval;
+double log_max_size;
+RecordType* rotate_info;
+StringVal* log_encryption_key;
+StringVal* log_rotate_base_time;
+
+StringVal* peer_description;
+RecordType* peer;
+int forward_remote_state_changes;
+int forward_remote_events;
+int remote_check_sync_consistency;
+
+StringVal* ssl_ca_certificate;
+StringVal* ssl_private_key;
+StringVal* ssl_passphrase;
+
+StringVal* x509_crl_file;
+TableType* x509_extension;
+TableType* SSL_sessionID;
+
+Val* profiling_file;
+double profiling_interval;
+int expensive_profiling_multiple;
+int segment_profiling;
+int pkt_profile_mode;
+double pkt_profile_freq;
+Val* pkt_profile_file;
+
+int load_sample_freq;
+
+double gap_report_freq;
+RecordType* gap_info;
+
+int packet_filter_default;
+
+int sig_max_group_size;
+
+int enable_syslog;
+
+int use_connection_compressor;
+int cc_handle_resets;
+int cc_handle_only_syns;
+int cc_instantiate_on_data;
+
+TableType* irc_join_list;
+RecordType* irc_join_info;
+TableVal* irc_servers;
+
+TableVal* dpd_config;
+int dpd_reassemble_first_packets;
+int dpd_buffer_size;
+int dpd_match_only_beginning;
+int dpd_ignore_ports;
+
+TableVal* likely_server_ports;
+
+double remote_trace_sync_interval;
+int remote_trace_sync_peers;
+
+int check_for_unused_event_handlers;
+int dump_used_event_handlers;
+
+int suppress_local_output;
+
+double timer_mgr_inactivity_timeout;
+double expected_connection_timeout;
+
+int time_machine_profiling;
+
+StringVal* trace_output_file;
+
+int record_all_packets;
+
+RecordType* script_id;
+TableType* id_table;
+
+#include "const.bif.netvar_def"
+#include "event.bif.netvar_def"
+
+void init_event_handlers()
+	{
+#include "event.bif.netvar_init"
+	}
+
+void init_general_global_var()
+	{
+	table_expire_interval = opt_internal_double("table_expire_interval");
+	table_expire_delay = opt_internal_double("table_expire_delay");
+	table_incremental_step = opt_internal_int("table_incremental_step");
+
+	state_dir = internal_val("state_dir")->AsStringVal();
+	state_write_delay = opt_internal_double("state_write_delay");
+
+	log_rotate_interval = opt_internal_double("log_rotate_interval");
+	log_max_size = opt_internal_double("log_max_size");
+	rotate_info = internal_type("rotate_info")->AsRecordType();
+	log_encryption_key = opt_internal_string("log_encryption_key");
+	log_rotate_base_time = opt_internal_string("log_rotate_base_time");
+
+	peer_description =
+		internal_val("peer_description")->AsStringVal();
+	peer = internal_type("event_peer")->AsRecordType();
+	forward_remote_state_changes =
+		opt_internal_int("forward_remote_state_changes");
+	forward_remote_events = opt_internal_int("forward_remote_events");
+	remote_check_sync_consistency =
+		opt_internal_int("remote_check_sync_consistency");
+
+	ssl_ca_certificate = internal_val("ssl_ca_certificate")->AsStringVal();
+	ssl_private_key = internal_val("ssl_private_key")->AsStringVal();
+	ssl_passphrase = internal_val("ssl_passphrase")->AsStringVal();
+
+	packet_filter_default = opt_internal_int("packet_filter_default");
+	
+	sig_max_group_size = opt_internal_int("sig_max_group_size");
+	enable_syslog = opt_internal_int("enable_syslog");
+
+	check_for_unused_event_handlers =
+		opt_internal_int("check_for_unused_event_handlers");
+	dump_used_event_handlers =
+		opt_internal_int("dump_used_event_handlers");
+
+	suppress_local_output = opt_internal_int("suppress_local_output");
+
+	trace_output_file = internal_val("trace_output_file")->AsStringVal();
+
+	record_all_packets = opt_internal_int("record_all_packets");
+	}
+
+void init_net_var()
+	{
+#include "const.bif.netvar_init"
+
+	conn_id = internal_type("conn_id")->AsRecordType();
+	endpoint = internal_type("endpoint")->AsRecordType();
+	endpoint_stats = internal_type("endpoint_stats")->AsRecordType();
+	connection_type = internal_type("connection")->AsRecordType();
+	icmp_conn = internal_type("icmp_conn")->AsRecordType();
+	icmp_context = internal_type("icmp_context")->AsRecordType();
+	signature_state = internal_type("signature_state")->AsRecordType();
+	SYN_packet = internal_type("SYN_packet")->AsRecordType();
+	pcap_packet = internal_type("pcap_packet")->AsRecordType();
+	transport_proto = internal_type("transport_proto")->AsEnumType();
+	string_set = internal_type("string_set")->AsTableType();
+
+	ignore_checksums = opt_internal_int("ignore_checksums");
+	partial_connection_ok = opt_internal_int("partial_connection_ok");
+	tcp_SYN_ack_ok = opt_internal_int("tcp_SYN_ack_ok");
+	tcp_match_undelivered = opt_internal_int("tcp_match_undelivered");
+
+	encap_hdr_size = opt_internal_int("encap_hdr_size");
+
+	udp_tunnel_port = opt_internal_int("udp_tunnel_port") & ~UDP_PORT_MASK;
+
+	frag_timeout = opt_internal_double("frag_timeout");
+
+	tcp_SYN_timeout = opt_internal_double("tcp_SYN_timeout");
+	tcp_session_timer = opt_internal_double("tcp_session_timer");
+	tcp_connection_linger = opt_internal_double("tcp_connection_linger");
+	tcp_attempt_delay = opt_internal_double("tcp_attempt_delay");
+	tcp_close_delay = opt_internal_double("tcp_close_delay");
+	tcp_reset_delay = opt_internal_double("tcp_reset_delay");
+	tcp_partial_close_delay = opt_internal_double("tcp_partial_close_delay");
+
+	tcp_max_initial_window = opt_internal_int("tcp_max_initial_window");
+	tcp_max_above_hole_without_any_acks =
+		opt_internal_int("tcp_max_above_hole_without_any_acks");
+	tcp_excessive_data_without_further_acks =
+		opt_internal_int("tcp_excessive_data_without_further_acks");
+
+	ssl_compare_cipherspecs  = opt_internal_int("ssl_compare_cipherspecs");
+	ssl_analyze_certificates = opt_internal_int("ssl_analyze_certificates");
+	ssl_store_certificates   = opt_internal_int("ssl_store_certificates");
+	ssl_verify_certificates  = opt_internal_int("ssl_verify_certificates");
+	ssl_store_key_material = opt_internal_int("ssl_store_key_material");
+	ssl_max_cipherspec_size  = opt_internal_int("ssl_max_cipherspec_size");
+
+	x509_trusted_cert_path = opt_internal_string("X509_trusted_cert_path");
+	ssl_store_cert_path = opt_internal_string("ssl_store_cert_path");
+	x509_type = internal_type("X509")->AsRecordType();
+	cipher_suites_list = internal_type("cipher_suites_list")->AsTableType();
+	x509_crl_file = opt_internal_string("X509_crl_file");
+	x509_extension = internal_type("X509_extension")->AsTableType();
+	SSL_sessionID = internal_type("SSL_sessionID")->AsTableType();
+
+	non_analyzed_lifetime = opt_internal_double("non_analyzed_lifetime");
+	tcp_inactivity_timeout = opt_internal_double("tcp_inactivity_timeout");
+	udp_inactivity_timeout = opt_internal_double("udp_inactivity_timeout");
+	icmp_inactivity_timeout = opt_internal_double("icmp_inactivity_timeout");
+
+	tcp_storm_thresh = opt_internal_int("tcp_storm_thresh");
+	tcp_storm_interarrival_thresh =
+		opt_internal_double("tcp_storm_interarrival_thresh");
+
+	tcp_reassembler_ports_orig =
+		internal_val("tcp_reassembler_ports_orig")->AsTableVal();
+	tcp_reassembler_ports_resp =
+		internal_val("tcp_reassembler_ports_resp")->AsTableVal();
+
+	tcp_content_delivery_ports_orig =
+		internal_val("tcp_content_delivery_ports_orig")->AsTableVal();
+	tcp_content_delivery_ports_resp =
+		internal_val("tcp_content_delivery_ports_resp")->AsTableVal();
+	tcp_content_deliver_all_orig =
+		bool(internal_val("tcp_content_deliver_all_orig")->AsBool());
+	tcp_content_deliver_all_resp =
+		bool(internal_val("tcp_content_deliver_all_resp")->AsBool());
+
+	udp_content_delivery_ports_orig =
+		internal_val("udp_content_delivery_ports_orig")->AsTableVal();
+	udp_content_delivery_ports_resp =
+		internal_val("udp_content_delivery_ports_resp")->AsTableVal();
+	udp_content_deliver_all_orig =
+		bool(internal_val("udp_content_deliver_all_orig")->AsBool());
+	udp_content_deliver_all_resp =
+		bool(internal_val("udp_content_deliver_all_resp")->AsBool());
+
+	dns_session_timeout = opt_internal_double("dns_session_timeout");
+	ntp_session_timeout = opt_internal_double("ntp_session_timeout");
+	rpc_timeout = opt_internal_double("rpc_timeout");
+
+	net_stats = internal_type("net_stats")->AsRecordType();
+
+	watchdog_interval = int(opt_internal_double("watchdog_interval"));
+	heartbeat_interval = opt_internal_double("heartbeat_interval");
+
+	max_timer_expires = opt_internal_int("max_timer_expires");
+	max_remote_events_processed =
+		opt_internal_int("max_remote_events_processed");
+
+	skip_authentication = internal_list_val("skip_authentication");
+	direct_login_prompts = internal_list_val("direct_login_prompts");
+	login_prompts = internal_list_val("login_prompts");
+	login_non_failure_msgs = internal_list_val("login_non_failure_msgs");
+	login_failure_msgs = internal_list_val("login_failure_msgs");
+	login_success_msgs = internal_list_val("login_success_msgs");
+	login_timeouts = internal_list_val("login_timeouts");
+
+	mime_segment_length = opt_internal_int("mime_segment_length");
+	mime_segment_overlap_length = opt_internal_int("mime_segment_overlap_length");
+	mime_header_rec = internal_type("mime_header_rec")->AsRecordType();
+	mime_header_list = internal_type("mime_header_list")->AsTableType();
+
+	http_entity_data_delivery_size = opt_internal_int("http_entity_data_delivery_size");
+	http_stats_rec = internal_type("http_stats_rec")->AsRecordType();
+	http_message_stat = internal_type("http_message_stat")->AsRecordType();
+	truncate_http_URI = opt_internal_int("truncate_http_URI");
+
+	pm_request = pm_request_null || pm_request_set ||
+		pm_request_unset || pm_request_getport ||
+		pm_request_dump || pm_request_callit ||
+		pm_attempt_null || pm_attempt_set ||
+		pm_attempt_unset || pm_attempt_getport ||
+		pm_attempt_dump || pm_attempt_callit ||
+		pm_bad_port;
+
+	pm_mapping = internal_type("pm_mapping")->AsRecordType();
+	pm_mappings = internal_type("pm_mappings")->AsTableType();
+	pm_port_request = internal_type("pm_port_request")->AsRecordType();
+	pm_callit_request = internal_type("pm_callit_request")->AsRecordType();
+
+	nfs3_attrs = internal_type("nfs3_attrs")->AsRecordType();
+	nfs3_opt_attrs = internal_type("nfs3_opt_attrs")->AsRecordType();
+	nfs3_lookup_args = internal_type("nfs3_lookup_args")->AsRecordType();
+	nfs3_lookup_reply = internal_type("nfs3_lookup_reply")->AsRecordType();
+	nfs3_fsstat = internal_type("nfs3_fsstat")->AsRecordType();
+
+	ntp_msg = internal_type("ntp_msg")->AsRecordType();
+
+	samba_cmds = internal_val("samba_cmds")->AsTableVal();
+	smb_hdr = internal_type("smb_hdr")->AsRecordType();
+	smb_trans = internal_type("smb_trans")->AsRecordType();
+	smb_trans_data = internal_type("smb_trans_data")->AsRecordType();
+	smb_tree_connect = internal_type("smb_tree_connect")->AsRecordType();
+	smb_negotiate = internal_type("smb_negotiate")->AsTableType();
+
+	geo_location = internal_type("geo_location")->AsRecordType();
+
+	dhcp_router_list = internal_type("dhcp_router_list")->AsTableType();
+	dhcp_msg = internal_type("dhcp_msg")->AsRecordType();
+
+	dns_msg = internal_type("dns_msg")->AsRecordType();
+	dns_answer = internal_type("dns_answer")->AsRecordType();
+	dns_soa = internal_type("dns_soa")->AsRecordType();
+	dns_edns_additional =
+		internal_type("dns_edns_additional")->AsRecordType();
+	dns_tsig_additional =
+		internal_type("dns_tsig_additional")->AsRecordType();
+
+	dns_skip_auth = internal_val("dns_skip_auth")->AsTableVal();
+	dns_skip_addl = internal_val("dns_skip_addl")->AsTableVal();
+	dns_skip_all_auth = opt_internal_int("dns_skip_all_auth");
+	dns_skip_all_addl = opt_internal_int("dns_skip_all_addl");
+	dns_max_queries = opt_internal_int("dns_max_queries");
+
+	stp_delta = opt_internal_double("stp_delta");
+	stp_idle_min = opt_internal_double("stp_idle_min");
+	stp_skip_src = internal_val("stp_skip_src")->AsTableVal();
+
+	interconn_min_interarrival = opt_internal_double("interconn_min_interarrival");
+	interconn_max_interarrival = opt_internal_double("interconn_max_interarrival");
+	interconn_max_keystroke_pkt_size = opt_internal_int("interconn_max_keystroke_pkt_size");
+	interconn_default_pkt_size = opt_internal_int("interconn_default_pkt_size");
+	interconn_stat_period = opt_internal_double("interconn_stat_period");
+	interconn_stat_backoff = opt_internal_double("interconn_stat_backoff");
+	interconn_endp_stats = internal_type("interconn_endp_stats")->AsRecordType();
+
+	backdoor_stat_period = opt_internal_double("backdoor_stat_period");
+	backdoor_stat_backoff = opt_internal_double("backdoor_stat_backoff");
+	backdoor_endp_stats = internal_type("backdoor_endp_stats")->AsRecordType();
+
+	software = internal_type("software")->AsRecordType();
+	software_version = internal_type("software_version")->AsRecordType();
+	OS_version = internal_type("OS_version")->AsRecordType();
+	OS_version_inference = internal_type("OS_version_inference")->AsEnumType();
+	generate_OS_version_event =
+		opt_internal_table("generate_OS_version_event");
+
+	packet_type = internal_type("packet")->AsRecordType();
+
+	packet_sort_window = opt_internal_double("packet_sort_window");
+
+	orig_addr_anonymization = opt_internal_int("orig_addr_anonymization");
+	resp_addr_anonymization = opt_internal_int("resp_addr_anonymization");
+	other_addr_anonymization = opt_internal_int("other_addr_anonymization");
+
+	preserve_orig_addr = opt_internal_table("preserve_orig_addr");
+	preserve_resp_addr = opt_internal_table("preserve_resp_addr");
+	preserve_other_addr = opt_internal_table("preserve_other_addr");
+
+	connection_status_update_interval =
+		opt_internal_double("connection_status_update_interval");
+
+	profiling_file = internal_val("profiling_file");
+	expensive_profiling_multiple =
+		opt_internal_int("expensive_profiling_multiple");
+	profiling_interval = opt_internal_double("profiling_interval");
+	segment_profiling = opt_internal_int("segment_profiling");
+
+	pkt_profile_mode = opt_internal_int("pkt_profile_mode");
+	pkt_profile_freq = opt_internal_double("pkt_profile_freq");
+	pkt_profile_file = opt_internal_val("pkt_profile_file");
+
+	load_sample_freq = opt_internal_int("load_sample_freq");
+
+	gap_report_freq = opt_internal_double("gap_report_freq");
+
+	use_connection_compressor =
+		opt_internal_int("use_connection_compressor");
+	cc_handle_resets = opt_internal_int("cc_handle_resets");
+	cc_handle_only_syns = opt_internal_int("cc_handle_only_syns");
+	cc_instantiate_on_data = opt_internal_int("cc_instantiate_on_data");
+
+	irc_join_info = internal_type("irc_join_info")->AsRecordType();
+	irc_join_list = internal_type("irc_join_list")->AsTableType();
+	irc_servers = internal_val("irc_servers")->AsTableVal();
+
+	remote_trace_sync_interval =
+		opt_internal_double("remote_trace_sync_interval");
+	remote_trace_sync_peers = opt_internal_int("remote_trace_sync_peers");
+
+	dpd_config = internal_val("dpd_config")->AsTableVal();
+	dpd_reassemble_first_packets =
+		opt_internal_int("dpd_reassemble_first_packets");
+	dpd_buffer_size = opt_internal_int("dpd_buffer_size");
+	dpd_match_only_beginning = opt_internal_int("dpd_match_only_beginning");
+	dpd_ignore_ports = opt_internal_int("dpd_ignore_ports");
+
+	likely_server_ports = internal_val("likely_server_ports")->AsTableVal();
+
+	timer_mgr_inactivity_timeout =
+		opt_internal_double("timer_mgr_inactivity_timeout");
+	expected_connection_timeout =
+		opt_internal_double("expected_connection_timeout");
+	time_machine_profiling = opt_internal_int("time_machine_profiling");
+
+	script_id = internal_type("script_id")->AsRecordType();
+	id_table = internal_type("id_table")->AsTableType();
+	}
diff --git a/src/NetVar.h b/src/NetVar.h
new file mode 100644
index 0000000000..904bccdb77
--- /dev/null
+++ b/src/NetVar.h
@@ -0,0 +1,274 @@
+// $Id: NetVar.h 6887 2009-08-20 05:17:33Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#ifndef netvar_h
+#define netvar_h
+
+#include "Val.h"
+#include "Func.h"
+#include "EventRegistry.h"
+#include "Stats.h"
+
+extern RecordType* conn_id;
+extern RecordType* endpoint;
+extern RecordType* endpoint_stats;
+extern RecordType* connection_type;
+extern RecordType* icmp_conn;
+extern RecordType* icmp_context;
+extern RecordType* signature_state;
+extern RecordType* SYN_packet;
+extern RecordType* pcap_packet;
+extern EnumType* transport_proto;
+extern TableType* string_set;
+
+extern RecordType* net_stats;
+
+extern int watchdog_interval;
+extern double heartbeat_interval;
+
+extern int max_timer_expires;
+extern int max_remote_events_processed;
+
+extern int ignore_checksums;
+extern int partial_connection_ok;
+extern int tcp_SYN_ack_ok;
+extern int tcp_match_undelivered;
+
+extern int encap_hdr_size;
+extern int udp_tunnel_port;
+
+extern double frag_timeout;
+
+extern double tcp_SYN_timeout;
+extern double tcp_session_timer;
+extern double tcp_connection_linger;
+extern double tcp_attempt_delay;
+extern double tcp_close_delay;
+extern double tcp_partial_close_delay;
+extern double tcp_reset_delay;
+
+extern int tcp_max_initial_window;
+extern int tcp_max_above_hole_without_any_acks;
+extern int tcp_excessive_data_without_further_acks;
+
+// see policy/ssl.bro for details
+extern int ssl_compare_cipherspecs;
+extern int ssl_analyze_certificates;
+extern int ssl_store_certificates;
+extern int ssl_verify_certificates;
+extern int ssl_store_key_material;
+extern int ssl_max_cipherspec_size;
+extern StringVal* ssl_store_cert_path;
+extern StringVal* x509_trusted_cert_path;
+extern TableType* cipher_suites_list;
+extern RecordType* x509_type;
+extern StringVal* x509_crl_file;
+extern TableType* x509_extension;
+extern TableType* SSL_sessionID;
+
+extern double non_analyzed_lifetime;
+extern double tcp_inactivity_timeout;
+extern double udp_inactivity_timeout;
+extern double icmp_inactivity_timeout;
+
+extern int tcp_storm_thresh;
+extern double tcp_storm_interarrival_thresh;
+
+extern TableVal* tcp_reassembler_ports_orig;
+extern TableVal* tcp_reassembler_ports_resp;
+
+extern TableVal* tcp_content_delivery_ports_orig;
+extern TableVal* tcp_content_delivery_ports_resp;
+extern bool tcp_content_deliver_all_orig;
+extern bool tcp_content_deliver_all_resp;
+
+extern TableVal* udp_content_delivery_ports_orig;
+extern TableVal* udp_content_delivery_ports_resp;
+extern bool udp_content_deliver_all_orig;
+extern bool udp_content_deliver_all_resp;
+
+extern double dns_session_timeout;
+extern double ntp_session_timeout;
+extern double rpc_timeout;
+
+extern ListVal* skip_authentication;
+extern ListVal* direct_login_prompts;
+extern ListVal* login_prompts;
+extern ListVal* login_non_failure_msgs;
+extern ListVal* login_failure_msgs;
+extern ListVal* login_success_msgs;
+extern ListVal* login_timeouts;
+
+extern int mime_segment_length;
+extern int mime_segment_overlap_length;
+extern RecordType* mime_header_rec;
+extern TableType* mime_header_list;
+
+extern int http_entity_data_delivery_size;
+extern RecordType* http_stats_rec;
+extern RecordType* http_message_stat;
+extern int truncate_http_URI;
+
+extern int pm_request;
+extern RecordType* pm_mapping;
+extern TableType* pm_mappings;
+extern RecordType* pm_port_request;
+extern RecordType* pm_callit_request;
+
+extern RecordType* nfs3_attrs;
+extern RecordType* nfs3_opt_attrs;
+extern RecordType* nfs3_lookup_args;
+extern RecordType* nfs3_lookup_reply;
+extern RecordType* nfs3_fsstat;
+
+extern RecordType* ntp_msg;
+
+extern TableVal* samba_cmds;
+extern RecordType* smb_hdr;
+extern RecordType* smb_trans;
+extern RecordType* smb_trans_data;
+extern RecordType* smb_tree_connect;
+extern TableType* smb_negotiate;
+
+extern RecordType* geo_location;
+
+extern TableType* dhcp_router_list;
+extern RecordType* dhcp_msg;
+
+extern RecordType* dns_msg;
+extern RecordType* dns_answer;
+extern RecordType* dns_soa;
+extern RecordType* dns_edns_additional;
+extern RecordType* dns_tsig_additional;
+extern TableVal* dns_skip_auth;
+extern TableVal* dns_skip_addl;
+extern int dns_skip_all_auth;
+extern int dns_skip_all_addl;
+extern int dns_max_queries;
+
+extern double stp_delta;
+extern double stp_idle_min;
+extern TableVal* stp_skip_src;
+
+extern double interconn_min_interarrival;
+extern double interconn_max_interarrival;
+extern int interconn_max_keystroke_pkt_size;
+extern int interconn_default_pkt_size;
+extern double interconn_stat_period;
+extern double interconn_stat_backoff;
+extern RecordType* interconn_endp_stats;
+
+extern double backdoor_stat_period;
+extern double backdoor_stat_backoff;
+
+extern RecordType* backdoor_endp_stats;
+
+extern RecordType* software;
+extern RecordType* software_version;
+extern RecordType* OS_version;
+extern EnumType* OS_version_inference;
+extern TableVal* generate_OS_version_event;
+
+extern double table_expire_interval;
+extern double table_expire_delay;
+extern int table_incremental_step;
+
+extern RecordType* packet_type;
+
+extern double packet_sort_window;
+
+extern int orig_addr_anonymization, resp_addr_anonymization;
+extern int other_addr_anonymization;
+extern TableVal* preserve_orig_addr;
+extern TableVal* preserve_resp_addr;
+extern TableVal* preserve_other_addr;
+
+extern double connection_status_update_interval;
+
+extern StringVal* state_dir;
+extern double state_write_delay;
+
+extern double log_rotate_interval;
+extern double log_max_size;
+extern RecordType* rotate_info;
+extern StringVal* log_encryption_key;
+extern StringVal* log_rotate_base_time;
+
+extern StringVal* peer_description;
+extern RecordType* peer;
+extern int forward_remote_state_changes;
+extern int forward_remote_events;
+extern int remote_check_sync_consistency;
+
+extern StringVal* ssl_ca_certificate;
+extern StringVal* ssl_private_key;
+extern StringVal* ssl_passphrase;
+
+extern Val* profiling_file;
+extern double profiling_interval;
+extern int expensive_profiling_multiple;
+
+extern int segment_profiling;
+extern int pkt_profile_mode;
+extern double pkt_profile_freq;
+extern Val* pkt_profile_file;
+
+extern int load_sample_freq;
+
+extern double gap_report_freq;
+extern RecordType* gap_info;
+
+extern int packet_filter_default;
+
+extern int sig_max_group_size;
+
+extern int enable_syslog;
+
+extern int use_connection_compressor;
+extern int cc_handle_resets;
+extern int cc_handle_only_syns;
+extern int cc_instantiate_on_data;
+
+extern TableType* irc_join_list;
+extern RecordType* irc_join_info;
+extern TableVal* irc_servers;
+
+extern TableVal* dpd_config;
+extern int dpd_reassemble_first_packets;
+extern int dpd_buffer_size;
+extern int dpd_match_only_beginning;
+extern int dpd_ignore_ports;
+
+extern TableVal* likely_server_ports;
+
+extern double remote_trace_sync_interval;
+extern int remote_trace_sync_peers;
+
+extern int check_for_unused_event_handlers;
+extern int dump_used_event_handlers;
+
+extern int suppress_local_output;
+
+extern double timer_mgr_inactivity_timeout;
+extern double expected_connection_timeout;
+
+extern int time_machine_profiling;
+
+extern StringVal* trace_output_file;
+
+extern int record_all_packets;
+
+extern RecordType* script_id;
+extern TableType* id_table;
+
+// Initializes globals that don't pertain to network/event analysis.
+extern void init_general_global_var();
+
+extern void init_event_handlers();
+extern void init_net_var();
+
+#include "const.bif.netvar_h"
+#include "event.bif.netvar_h"
+
+#endif
diff --git a/src/NetbiosSSN.cc b/src/NetbiosSSN.cc
new file mode 100644
index 0000000000..0bb135f59d
--- /dev/null
+++ b/src/NetbiosSSN.cc
@@ -0,0 +1,540 @@
+// $Id: NetbiosSSN.cc 6916 2009-09-24 20:48:36Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "config.h"
+
+#include <ctype.h>
+
+#include "NetVar.h"
+#include "NetbiosSSN.h"
+#include "Sessions.h"
+#include "Event.h"
+
+double netbios_ssn_session_timeout = 15.0;
+
+#define MAKE_INT16(dest, src) dest = *src; dest <<=8; src++; dest |= *src; src++;
+
+NetbiosSSN_RawMsgHdr::NetbiosSSN_RawMsgHdr(const u_char*& data, int& len)
+	{
+	type = *data; ++data, --len;
+	flags = *data; ++data, --len;
+	length = *data; ++data, --len;
+
+	length <<= 8;
+	length |= *data;
+	++data, --len;
+	}
+
+NetbiosDGM_RawMsgHdr::NetbiosDGM_RawMsgHdr(const u_char*& data, int& len)
+	{
+	type = *data; ++data, --len;
+	flags = *data; ++data, --len;
+
+	MAKE_INT16(id, data); len -= 2;
+
+	srcip = *data++ << 24;
+	srcip |= *data++ << 16;
+	srcip |= *data++ << 8;
+	srcip |= *data++;
+	len -=4;
+
+	MAKE_INT16(srcport, data); len -= 2;
+	MAKE_INT16(length, data); len -= 2;
+	MAKE_INT16(offset, data);; len -= 2;
+	}
+
+
+NetbiosSSN_Interpreter::NetbiosSSN_Interpreter(Analyzer* arg_analyzer,
+						SMB_Session* arg_smb_session)
+	{
+	analyzer = arg_analyzer;
+	smb_session = arg_smb_session;
+	}
+
+int NetbiosSSN_Interpreter::ParseMessage(unsigned int type, unsigned int flags,
+				const u_char* data, int len, int is_query)
+	{
+	if ( netbios_session_message )
+		{
+		val_list* vl = new val_list;
+		vl->append(analyzer->BuildConnVal());
+		vl->append(new Val(is_query, TYPE_BOOL));
+		vl->append(new Val(type, TYPE_COUNT));
+		vl->append(new Val(len, TYPE_COUNT));
+		analyzer->ConnectionEvent(netbios_session_message, vl);
+		}
+
+	switch ( type ) {
+	case NETBIOS_SSN_MSG:
+		return ParseSessionMsg(data, len, is_query);
+
+	case NETBIOS_SSN_REQ:
+		return ParseSessionReq(data, len, is_query);
+
+	case NETBIOS_SSN_POS_RESP:
+		return ParseSessionPosResp(data, len, is_query);
+
+	case NETBIOS_SSN_NEG_RESP:
+		return ParseSessionNegResp(data, len, is_query);
+
+	case NETBIOS_SSN_RETARG_RESP:
+		return ParseRetArgResp(data, len, is_query);
+
+	case NETBIOS_SSN_KEEP_ALIVE:
+		return ParseKeepAlive(data, len, is_query);
+
+	case NETBIOS_DGM_DIRECT_UNIQUE:
+	case NETBIOS_DGM_DIRECT_GROUP:
+	case NETBIOS_DGM_BROADCAST:
+		return ParseBroadcast(data, len, is_query);
+
+	case NETBIOS_DGM_ERROR:
+	case NETBIOS_DGG_QUERY_REQ:
+	case NETBIOS_DGM_POS_RESP:
+	case NETBIOS_DGM_NEG_RESP:
+		return ParseDatagram(data, len, is_query);
+
+ 	default:
+		analyzer->Weird(fmt("unknown_netbios_type: 0x%x", type));
+ 		return 1;
+	}
+	}
+
+int NetbiosSSN_Interpreter::ParseDatagram(const u_char* data, int len,
+						int is_query)
+	{
+	if ( smb_session )
+		{
+		smb_session->Deliver(is_query, len, data);
+		return 0;
+		}
+
+	return 0;
+ 	}
+ 
+int NetbiosSSN_Interpreter::ParseBroadcast(const u_char* data, int len,
+						int is_query)
+ 	{
+	// FIND THE NUL-TERMINATED NAME STRINGS HERE!
+	// Not sure what's in them, so we don't keep them currently.
+
+	BroString* srcname = new BroString((char*) data);
+	data += srcname->Len()+1;
+	len -= srcname->Len();
+
+	BroString* dstname = new BroString((char*) data);
+	data += dstname->Len()+1;
+	len -= dstname->Len();
+
+	if ( smb_session )
+		{
+		smb_session->Deliver(is_query, len, data);
+		return 0;
+		}
+
+	return 0;
+	}
+
+int NetbiosSSN_Interpreter::ParseMessageTCP(const u_char* data, int len,
+						int is_query)
+	{
+	NetbiosSSN_RawMsgHdr hdr(data, len);
+
+	if ( hdr.length > unsigned(len) )
+		analyzer->Weird(fmt("excess_netbios_hdr_len (%d > %d)",
+					hdr.length, len));
+
+	else if ( hdr.length < unsigned(len) )
+		{
+		analyzer->Weird("deficit_netbios_hdr_len");
+		len = hdr.length;
+		}
+
+	return ParseMessage(hdr.type, hdr.flags, data, len, is_query);
+	}
+
+int NetbiosSSN_Interpreter::ParseMessageUDP(const u_char* data, int len,
+						int is_query)
+	{
+
+	NetbiosDGM_RawMsgHdr hdr(data, len);
+
+	if ( unsigned(hdr.length-14) > unsigned(len) )
+		analyzer->Weird(fmt("excess_netbios_hdr_len (%d > %d)",
+				hdr.length, len));
+
+	else if ( hdr.length < unsigned(len) )
+		{
+		analyzer->Weird(fmt("deficit_netbios_hdr_len (%d < %d)",
+				hdr.length, len));
+		len = hdr.length;
+		}
+
+	return ParseMessage(hdr.type, hdr.flags, data, len, is_query);
+	}
+
+
+int NetbiosSSN_Interpreter::ParseSessionMsg(const u_char* data, int len,
+						int is_query)
+	{
+	if ( len < 4 || strncmp((const char*) data, "\xffSMB", 4) )
+		{
+		// This should be an event, too.
+		analyzer->Weird("netbios_raw_session_msg");
+		Event(netbios_session_raw_message, data, len, is_query);
+		return 0;
+		}
+
+	if ( smb_session )
+		{
+		smb_session->Deliver(is_query, len, data);
+		return 0;
+		}
+	else
+		{
+		analyzer->Weird("no_smb_session_using_parsesambamsg");
+		data += 4;
+		len -= 4;
+		return ParseSambaMsg(data, len, is_query);
+		}
+	}
+
+int NetbiosSSN_Interpreter::ParseSambaMsg(const u_char* data, int len,
+						int is_query)
+	{
+	return 0;
+	}
+
+int NetbiosSSN_Interpreter::ConvertName(const u_char* name, int name_len,
+					u_char*& xname, int& xlen)
+	{
+	// Taken from tcpdump's smbutil.c.
+
+	xname = 0;
+
+	if ( name_len < 1 )
+		return 0;
+
+	int len = (*name++) / 2;
+	xlen = len;
+
+	if ( len > 30 || len < 1 || name_len < len )
+		return 0;
+
+	u_char* convert_name = new u_char[len + 1];
+	*convert_name = 0;
+	xname = convert_name;
+
+	while ( len-- )
+		{
+		if ( name[0] < 'A' || name[0] > 'P' ||
+		     name[1] < 'A' || name[1] > 'P' )
+			{
+			*convert_name = 0;
+			return 0;
+			}
+
+		*convert_name = ((name[0] - 'A') << 4) + (name[1] - 'A');
+		name += 2;
+		++convert_name;
+		}
+
+	*convert_name = 0;
+
+	return 1;
+	}
+
+int NetbiosSSN_Interpreter::ParseSessionReq(const u_char* data, int len,
+						int is_query)
+	{
+	if ( ! is_query )
+		analyzer->Weird("netbios_server_session_request");
+
+	u_char* xname;
+	int xlen;
+
+	if ( ConvertName(data, len, xname, xlen) )
+		Event(netbios_session_request, xname, xlen);
+
+	delete xname;
+
+	return 0;
+	}
+
+int NetbiosSSN_Interpreter::ParseSessionPosResp(const u_char* data, int len,
+						int is_query)
+	{
+	if ( is_query )
+		analyzer->Weird("netbios_client_session_reply");
+
+	Event(netbios_session_accepted, data, len);
+
+	return 0;
+	}
+
+int NetbiosSSN_Interpreter::ParseSessionNegResp(const u_char* data, int len,
+						int is_query)
+	{
+	if ( is_query )
+		analyzer->Weird("netbios_client_session_reply");
+
+	Event(netbios_session_rejected, data, len);
+
+#if 0
+	case 0x80:
+		printf("Not listening on called name\n");
+		break;
+	case 0x81:
+		printf("Not listening for calling name\n");
+		break;
+	case 0x82:
+		printf("Called name not present\n");
+		break;
+	case 0x83:
+		printf("Called name present, but insufficient resources\n");
+		break;
+	default:
+		printf("Unspecified error 0x%X\n",ecode);
+		break;
+#endif
+
+	return 0;
+	}
+
+int NetbiosSSN_Interpreter::ParseRetArgResp(const u_char* data, int len,
+						int is_query)
+	{
+	if ( is_query )
+		analyzer->Weird("netbios_client_session_reply");
+
+	Event(netbios_session_ret_arg_resp, data, len);
+
+	return 0;
+	}
+
+int NetbiosSSN_Interpreter::ParseKeepAlive(const u_char* data, int len,
+						int is_query)
+	{
+	Event(netbios_session_keepalive, data, len);
+
+	return 0;
+	}
+
+void NetbiosSSN_Interpreter::Event(EventHandlerPtr event, const u_char* data,
+					int len, int is_orig)
+	{
+	if ( ! event )
+		return;
+
+	val_list* vl = new val_list;
+	vl->append(analyzer->BuildConnVal());
+	if ( is_orig >= 0 )
+		vl->append(new Val(is_orig, TYPE_BOOL));
+	vl->append(new StringVal(new BroString(data, len, 0)));
+
+	analyzer->ConnectionEvent(event, vl);
+	}
+
+
+Contents_NetbiosSSN::Contents_NetbiosSSN(Connection* conn, bool orig,
+					NetbiosSSN_Interpreter* arg_interp)
+: TCP_SupportAnalyzer(AnalyzerTag::Contents_NetbiosSSN, conn, orig)
+	{
+	interp = arg_interp;
+	type = flags = msg_size = 0;
+	msg_buf = 0;
+	buf_n = msg_size = 0;
+	state = NETBIOS_SSN_TYPE;
+	}
+
+Contents_NetbiosSSN::~Contents_NetbiosSSN()
+	{
+	delete [] msg_buf;
+	}
+
+void Contents_NetbiosSSN::Flush()
+	{
+	if ( buf_n > 0 )
+		{ // Deliver partial message.
+		interp->ParseMessage(type, flags, msg_buf, buf_n, IsOrig());
+		msg_size = 0;
+		}
+	}
+
+void Contents_NetbiosSSN::DeliverStream(int len, const u_char* data, bool orig)
+	{
+	TCP_SupportAnalyzer::DeliverStream(len, data, orig);
+
+	if ( state == NETBIOS_SSN_TYPE )
+		{
+		type = *data;
+		state = NETBIOS_SSN_FLAGS;
+
+		++data;
+		--len;
+
+		if ( len == 0 )
+			return;
+		}
+
+	if ( state == NETBIOS_SSN_FLAGS )
+		{
+		flags = *data;
+		state = NETBIOS_SSN_LEN_HI;
+
+		++data;
+		--len;
+
+		if ( len == 0 )
+			return;
+		}
+
+	if ( state == NETBIOS_SSN_LEN_HI )
+		{
+		msg_size = (*data) << 8;
+		state = NETBIOS_SSN_LEN_LO;
+
+		++data;
+		--len;
+
+		if ( len == 0 )
+			return;
+		}
+
+	if ( state == NETBIOS_SSN_LEN_LO )
+		{
+		msg_size += *data;
+		state = NETBIOS_SSN_BUF;
+
+		buf_n = 0;
+
+		if ( msg_buf )
+			{
+			if ( buf_len < msg_size )
+				{
+				delete [] msg_buf;
+				buf_len = msg_size;
+				msg_buf = new u_char[buf_len];
+				}
+			}
+		else
+			{
+			buf_len = msg_size;
+			if ( buf_len > 0 )
+				msg_buf = new u_char[buf_len];
+			}
+
+		++data;
+		--len;
+
+		if ( len == 0 && msg_size != 0 )
+			return;
+		}
+
+	if ( state != NETBIOS_SSN_BUF )
+		Conn()->Internal("state inconsistency in Contents_NetbiosSSN::Deliver");
+
+	int n;
+	for ( n = 0; buf_n < msg_size && n < len; ++n )
+		msg_buf[buf_n++] = data[n];
+
+	if ( buf_n < msg_size )
+		// Haven't filled up the message buffer yet, no more to do.
+		return;
+
+	(void) interp->ParseMessage(type, flags, msg_buf, msg_size, IsOrig());
+	buf_n = 0;
+
+	state = NETBIOS_SSN_TYPE;
+
+	if ( n < len )
+		// More data to munch on.
+		DeliverStream(len - n, data + n, orig);
+	}
+
+NetbiosSSN_Analyzer::NetbiosSSN_Analyzer(Connection* conn)
+: TCP_ApplicationAnalyzer(AnalyzerTag::NetbiosSSN, conn)
+	{
+	smb_session = new SMB_Session(this);
+	interp = new NetbiosSSN_Interpreter(this, smb_session);
+	orig_netbios = resp_netbios = 0;
+	did_session_done = 0;
+
+	if ( Conn()->ConnTransport() == TRANSPORT_TCP )
+		{
+		orig_netbios = new Contents_NetbiosSSN(conn, true, interp);
+		resp_netbios = new Contents_NetbiosSSN(conn, false, interp);
+		AddSupportAnalyzer(orig_netbios);
+		AddSupportAnalyzer(resp_netbios);
+		}
+	else
+		{
+		ADD_ANALYZER_TIMER(&NetbiosSSN_Analyzer::ExpireTimer,
+				network_time + netbios_ssn_session_timeout, 1,
+				TIMER_NB_EXPIRE);
+		}
+	}
+
+NetbiosSSN_Analyzer::~NetbiosSSN_Analyzer()
+	{
+	delete interp;
+	delete smb_session;
+	}
+
+void NetbiosSSN_Analyzer::Done()
+	{
+	TCP_ApplicationAnalyzer::Done();
+	interp->Timeout();
+
+	if ( Conn()->ConnTransport() == TRANSPORT_UDP && ! did_session_done )
+		Event(udp_session_done);
+	else
+		interp->Timeout();
+	}
+
+void NetbiosSSN_Analyzer::EndpointEOF(bool orig)
+	{
+	TCP_ApplicationAnalyzer::EndpointEOF(orig);
+
+	(orig ? orig_netbios : resp_netbios)->Flush();
+	}
+
+void NetbiosSSN_Analyzer::ConnectionClosed(TCP_Endpoint* endpoint,
+				TCP_Endpoint* peer, int gen_event)
+	{
+	TCP_ApplicationAnalyzer::ConnectionClosed(endpoint, peer, gen_event);
+
+	// Question: Why do we flush *both* endpoints upon connection close?
+	// orig_netbios->Flush();
+	// resp_netbios->Flush();
+	}
+
+void NetbiosSSN_Analyzer::DeliverPacket(int len, const u_char* data, bool orig,
+					int seq, const IP_Hdr* ip, int caplen)
+	{
+	TCP_ApplicationAnalyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
+
+	if ( orig )
+		interp->ParseMessageUDP(data, len, 1);
+	else
+		interp->ParseMessageUDP(data, len, 0);
+	}
+
+void NetbiosSSN_Analyzer::ExpireTimer(double t)
+	{
+	// The - 1.0 in the following is to allow 1 second for the
+	// common case of a single request followed by a single reply,
+	// so we don't needlessly set the timer twice in that case.
+	if ( terminating ||
+	     network_time - Conn()->LastTime() >=
+		     netbios_ssn_session_timeout - 1.0 )
+		{
+		Event(connection_timeout);
+		sessions->Remove(Conn());
+		}
+	else
+		ADD_ANALYZER_TIMER(&NetbiosSSN_Analyzer::ExpireTimer,
+				t + netbios_ssn_session_timeout,
+				1, TIMER_NB_EXPIRE);
+	}
diff --git a/src/NetbiosSSN.h b/src/NetbiosSSN.h
new file mode 100644
index 0000000000..ba724fa2fb
--- /dev/null
+++ b/src/NetbiosSSN.h
@@ -0,0 +1,189 @@
+// $Id: NetbiosSSN.h 6219 2008-10-01 05:39:07Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#ifndef netbios_ssn_h
+#define netbios_ssn_h
+
+#include "UDP.h"
+#include "TCP.h"
+#include "SMB.h"
+
+typedef enum {
+	NETBIOS_SSN_MSG = 0x0,
+	NETBIOS_DGM_DIRECT_UNIQUE = 0x10,
+	NETBIOS_DGM_DIRECT_GROUP = 0x11,
+	NETBIOS_DGM_BROADCAST = 0x12,
+	NETBIOS_DGM_ERROR = 0x13,
+	NETBIOS_DGG_QUERY_REQ = 0x14,
+	NETBIOS_DGM_POS_RESP = 0x15,
+	NETBIOS_DGM_NEG_RESP = 0x16,
+	NETBIOS_SSN_REQ = 0x81,
+	NETBIOS_SSN_POS_RESP = 0x82,
+	NETBIOS_SSN_NEG_RESP = 0x83,
+	NETBIOS_SSN_RETARG_RESP = 0x84,
+	NETBIOS_SSN_KEEP_ALIVE = 0x85,
+} NetbiosSSN_Opcode;
+
+//  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+// |      TYPE     |     FLAGS     |            LENGTH             |
+// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+struct NetbiosSSN_RawMsgHdr {
+	NetbiosSSN_RawMsgHdr(const u_char*& data, int& len);
+
+	unsigned int type:8;
+	unsigned int flags:8;
+	unsigned int length:16;
+};
+
+//  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+// |   MSG_TYPE    |     FLAGS     |           DGM_ID              |
+// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+// |                           SOURCE_IP                           |
+// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+// |          SOURCE_PORT          |          DGM_LENGTH           |
+// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+// |         PACKET_OFFSET         |                               |
+// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+                               |
+
+struct NetbiosDGM_RawMsgHdr {
+	NetbiosDGM_RawMsgHdr(const u_char*& data, int& len);
+
+	unsigned int type:8;
+	unsigned int flags:8;
+	unsigned int id:16;
+	unsigned int srcip:32;
+	unsigned int srcport:16;
+	unsigned int length:16;
+	unsigned int offset:16;
+};
+
+
+class NetbiosSSN_Interpreter {
+public:
+	NetbiosSSN_Interpreter(Analyzer* analyzer, SMB_Session* smb_session);
+
+	int ParseMessage(unsigned int type, unsigned int flags,
+			const u_char* data, int len, int is_query);
+
+	// Version used when data points to type/flags/length.
+	int ParseMessageTCP(const u_char* data, int len, int is_query);
+	int ParseMessageUDP(const u_char* data, int len, int is_query);
+
+	void Timeout()	{ }
+
+	static bool any_netbios_ssn_event()
+		{
+		return netbios_session_message ||
+			netbios_session_request ||
+			netbios_session_accepted ||
+			netbios_session_rejected ||
+			netbios_session_raw_message ||
+			netbios_session_ret_arg_resp ||
+			netbios_session_keepalive;
+		}
+
+protected:
+	int ParseSessionMsg(const u_char* data, int len, int is_query);
+	int ParseSessionReq(const u_char* data, int len, int is_query);
+	int ParseSessionPosResp(const u_char* data, int len, int is_query);
+	int ParseSessionNegResp(const u_char* data, int len, int is_query);
+	int ParseRetArgResp(const u_char* data, int len, int is_query);
+	int ParseKeepAlive(const u_char* data, int len, int is_query);
+
+	// Datagram parsing
+	int ParseBroadcast(const u_char* data, int len, int is_query);
+	int ParseDatagram(const u_char* data, int len, int is_query);
+
+	int ParseSambaMsg(const u_char* data, int len, int is_query);
+
+	void Event(EventHandlerPtr event, const u_char* data, int len,
+			int is_orig = -1);
+
+	// Pass in name/length, returns in xname/xlen the converted
+	// name/length.  Returns 0 on failure; xname may still be
+	// allocated and hold partial results at that point.
+	int ConvertName(const u_char* name, int name_len,
+			u_char*& xname, int& xlen);
+
+protected:
+	Analyzer* analyzer;
+	SMB_Session* smb_session;
+};
+
+
+typedef enum {
+	NETBIOS_SSN_TYPE,	// looking for type field
+	NETBIOS_SSN_FLAGS,	// looking for flag field
+	NETBIOS_SSN_LEN_HI,	// looking for high-order byte of length
+	NETBIOS_SSN_LEN_LO,	// looking for low-order byte of length
+	NETBIOS_SSN_BUF,	// building up the message in the buffer
+} NetbiosSSN_State;
+
+// ### This should be merged with TCP_Contents_RPC, TCP_Contents_DNS.
+class Contents_NetbiosSSN : public TCP_SupportAnalyzer {
+public:
+	Contents_NetbiosSSN(Connection* conn, bool orig,
+				NetbiosSSN_Interpreter* interp);
+	~Contents_NetbiosSSN();
+
+	void Flush();	// process any partially-received data
+
+	NetbiosSSN_State State() const		{ return state; }
+
+protected:
+	virtual void DeliverStream(int len, const u_char* data, bool orig);
+
+	NetbiosSSN_Interpreter* interp;
+
+	unsigned int type;
+	unsigned int flags;
+
+	u_char* msg_buf;
+	int buf_n;	// number of bytes in msg_buf
+	int buf_len;	// size of msg_buf
+	int msg_size;	// expected size of message
+
+	NetbiosSSN_State state;
+};
+
+class NetbiosSSN_Analyzer : public TCP_ApplicationAnalyzer {
+public:
+	NetbiosSSN_Analyzer(Connection* conn);
+	~NetbiosSSN_Analyzer();
+
+	virtual void Done();
+	virtual void DeliverPacket(int len, const u_char* data, bool orig,
+					int seq, const IP_Hdr* ip, int caplen);
+
+	static Analyzer* InstantiateAnalyzer(Connection* conn)
+		{ return new NetbiosSSN_Analyzer(conn); }
+
+	static bool Available()
+		{
+		return NetbiosSSN_Interpreter::any_netbios_ssn_event() ||
+			SMB_Session::any_smb_event() ||
+			DCE_RPC_Session::any_dce_rpc_event();
+		}
+
+protected:
+	virtual void ConnectionClosed(TCP_Endpoint* endpoint,
+					TCP_Endpoint* peer, int gen_event);
+	virtual void EndpointEOF(bool is_orig);
+
+	void ExpireTimer(double t);
+
+	NetbiosSSN_Interpreter* interp;
+	SMB_Session* smb_session;
+	Contents_NetbiosSSN* orig_netbios;
+	Contents_NetbiosSSN* resp_netbios;
+	int did_session_done;
+};
+
+// FIXME: Doesn't really fit into new analyzer structure. What to do?
+int IsReuse(double t, const u_char* pkt);
+
+#endif
diff --git a/src/OSFinger.cc b/src/OSFinger.cc
new file mode 100644
index 0000000000..8d3d2057bf
--- /dev/null
+++ b/src/OSFinger.cc
@@ -0,0 +1,688 @@
+// $Id: OSFinger.cc 5857 2008-06-26 23:00:03Z vern $
+
+/*
+  Taken with permission from:
+
+  p0f - passive OS fingerprinting (GNU LESSER GENERAL PUBLIC LICENSE)
+  -------------------------------------------------------------------
+
+  "If you sit down at a poker game and don't see a sucker,
+  get up. You're the sucker."
+
+  (C) Copyright 2000-2003 by Michal Zalewski <lcamtuf@coredump.cx>
+*/
+
+// To make it easier to upgrade this file to newer releases of p0f,
+// it remains in the coding style used by p0f rather than Bro.
+
+#include "OSFinger.h"
+#include "net_util.h"
+#include "util.h"
+#include "Var.h"
+#include <stdlib.h>
+#include <stdio.h>
+#include <ctype.h>
+
+
+void int_delete_func(void* v)
+	{
+	delete (int*) v;
+	}
+
+
+// Initializes data structures for fingerprinting in the given mode.
+OSFingerprint::OSFingerprint(FingerprintMode arg_mode)
+  {
+  err = 0;
+  mode = arg_mode;
+
+  sigcnt=gencnt=0;
+  problems=0;
+  char* fname;
+
+  memset(sig, 0, sizeof(struct fp_entry)*MAXSIGS);
+  memset(bh, 0, sizeof(struct fp_entry*)*OSHSIZE);
+
+  os_matches.SetDeleteFunc(int_delete_func);
+
+  if (mode == SYN_FINGERPRINT_MODE)
+    {
+    fname = copy_string(internal_val("passive_fingerprint_file")->AsString()->CheckString());
+    load_config(fname);
+    delete [] fname;
+    }
+  else if (mode == SYN_ACK_FINGERPRINT_MODE)
+    {//not yet supported
+    load_config("p0fsynack.sig");
+    }
+  else if (mode == RST_FINGERPRINT_MODE)
+    {//not yet supported
+    load_config("p0frst.sig");
+    }
+  else
+    {
+    Error("OS fingerprinting: unknown mode!");
+    }
+}
+
+bool OSFingerprint::CacheMatch(uint32 addr, int id)
+  {
+  HashKey key = HashKey(&addr, 1);
+  int* pid = new int;
+  *pid=id;
+  int* prev = os_matches.Insert(&key, pid);
+  bool ret = (prev ? *prev != id : 1);
+  if (prev)
+    delete prev;
+  return ret;
+  }
+
+
+// Determines whether the signature file had any collisions.
+void OSFingerprint::collide(uint32 id)
+  {
+  uint32 i,j;
+  uint32 cur;
+
+  if (sig[id].ttl % 32 && sig[id].ttl != 255 && sig[id].ttl % 30)
+    {
+    problems=1;
+    warn(fmt("OS fingerprinting: [!] Unusual TTL (%d) for signature '%s %s' (line %d).",
+          sig[id].ttl,sig[id].os,sig[id].desc,sig[id].line));
+    }
+
+  for (i=0;i<id;i++)
+    {
+    if (!strcmp(sig[i].os,sig[id].os) &&
+        !strcmp(sig[i].desc,sig[id].desc)) {
+      problems=1;
+      warn(fmt("OS fingerprinting: [!] Duplicate signature name: '%s %s' (line %d and %d).",
+            sig[i].os,sig[i].desc,sig[i].line,sig[id].line));
+    }
+
+    /* If TTLs are sufficiently away from each other, the risk of
+       a collision is lower. */
+    if (abs((int)sig[id].ttl - (int)sig[i].ttl) > 25) continue;
+
+    if (sig[id].df ^ sig[i].df) continue;
+    if (sig[id].zero_stamp ^ sig[i].zero_stamp) continue;
+
+    /* Zero means >= PACKET_BIG */
+    if (sig[id].size) { if (sig[id].size ^ sig[i].size) continue; }
+      else if (sig[i].size < PACKET_BIG) continue;
+
+    if (sig[id].optcnt ^ sig[i].optcnt) continue;
+    if (sig[id].quirks ^ sig[i].quirks) continue;
+
+    switch (sig[id].wsize_mod) {
+
+      case 0: /* Current: const */
+
+        cur=sig[id].wsize;
+
+do_const:
+
+        switch (sig[i].wsize_mod) {
+
+          case 0: /* Previous is also const */
+
+            /* A problem if values match */
+            if (cur ^ sig[i].wsize) continue;
+            break;
+
+          case MOD_CONST: /* Current: const, prev: modulo (or *) */
+
+            /* A problem if current value is a multiple of that modulo */
+            if (cur % sig[i].wsize) continue;
+            break;
+
+          case MOD_MSS: /* Current: const, prev: mod MSS */
+
+            if (sig[i].mss_mod || sig[i].wsize *
+	       (sig[i].mss ? sig[i].mss : 1460 ) != (int) cur)
+              continue;
+
+            break;
+
+          case MOD_MTU: /* Current: const, prev: mod MTU */
+
+            if (sig[i].mss_mod || sig[i].wsize * (
+	        (sig[i].mss ? sig[i].mss : 1460 )+40) != (int) cur)
+              continue;
+
+            break;
+
+        }
+
+        break;
+
+      case 1: /* Current signature is modulo something */
+
+        /* A problem only if this modulo is a multiple of the
+           previous modulo */
+
+        if (sig[i].wsize_mod != MOD_CONST) continue;
+        if (sig[id].wsize % sig[i].wsize) continue;
+
+        break;
+
+      case MOD_MSS: /* Current is modulo MSS */
+
+        /* There's likely a problem only if the previous one is close
+           to '*'; we do not check known MTUs, because this particular
+           signature can be made with some uncommon MTUs in mind. The
+           problem would also appear if current signature has a fixed
+           MSS. */
+
+        if (sig[i].wsize_mod != MOD_CONST || sig[i].wsize >= 8) {
+          if (!sig[id].mss_mod) {
+            cur = (sig[id].mss ? sig[id].mss : 1460 ) * sig[id].wsize;
+            goto do_const;
+          }
+          continue;
+        }
+
+        break;
+
+      case MOD_MTU: /* Current is modulo MTU */
+
+        if (sig[i].wsize_mod != MOD_CONST || sig[i].wsize <= 8) {
+          if (!sig[id].mss_mod) {
+            cur = ( (sig[id].mss ? sig[id].mss : 1460 ) +40) * sig[id].wsize;
+            goto do_const;
+          }
+          continue;
+        }
+
+        break;
+
+    }
+
+    /* Same for wsc */
+    switch (sig[id].wsc_mod) {
+
+      case 0: /* Current: const */
+
+        cur=sig[id].wsc;
+
+        switch (sig[i].wsc_mod) {
+
+          case 0: /* Previous is also const */
+
+            /* A problem if values match */
+            if (cur ^ sig[i].wsc) continue;
+            break;
+
+          case 1: /* Current: const, prev: modulo (or *) */
+
+            /* A problem if current value is a multiple of that modulo */
+            if (cur % sig[i].wsc) continue;
+            break;
+
+        }
+
+        break;
+
+      case MOD_CONST: /* Current signature is modulo something */
+
+        /* A problem only if this modulo is a multiple of the
+           previous modulo */
+
+        if (!sig[i].wsc_mod) continue;
+        if (sig[id].wsc % sig[i].wsc) continue;
+
+        break;
+
+     }
+
+    /* Same for mss */
+    switch (sig[id].mss_mod) {
+
+      case 0: /* Current: const */
+
+        cur=sig[id].mss;
+
+        switch (sig[i].mss_mod) {
+
+          case 0: /* Previous is also const */
+
+            /* A problem if values match */
+            if (cur ^ sig[i].mss) continue;
+            break;
+
+          case 1: /* Current: const, prev: modulo (or *) */
+
+            /* A problem if current value is a multiple of that modulo */
+            if (cur % sig[i].mss) continue;
+            break;
+
+        }
+
+        break;
+
+      case MOD_CONST: /* Current signature is modulo something */
+
+        /* A problem only if this modulo is a multiple of the
+           previous modulo */
+
+        if (!sig[i].mss_mod) continue;
+        if ((sig[id].mss ? sig[id].mss : 1460 ) %
+	    (sig[i].mss ? sig[i].mss : 1460 )) continue;
+
+        break;
+
+     }
+
+     /* Now check option sequence */
+
+    for (j=0;j<sig[id].optcnt;j++)
+      if (sig[id].opt[j] ^ sig[i].opt[j]) goto reloop;
+
+    problems=1;
+    warn(fmt("OS fingerprinting: [!] Signature '%s %s' (line %d)\n"
+          "    is already covered by '%s %s' (line %d).",
+          sig[id].os,sig[id].desc,sig[id].line,sig[i].os,sig[i].desc,
+          sig[i].line));
+
+reloop:
+    ;
+    }
+  }
+
+// Loads a given file into to classes data structures.
+void OSFingerprint::load_config(const char* file)
+  {
+  uint32 ln=0;
+  char buf[MAXLINE];
+  char* p;
+  FILE* c = search_for_file( file, "osf", 0);
+
+  if (!c)
+    {
+    Error("Can't open OS passive fingerprinting signature file", file);
+    return;
+    }
+  sigcnt=0; //every time we read config we reset it to 0;
+  while ((p=fgets(buf,sizeof(buf),c)))
+    {
+    uint32 l;
+
+    char obuf[MAXLINE],genre[MAXLINE],desc[MAXLINE],quirks[MAXLINE];
+    char w[MAXLINE],sb[MAXLINE];
+    char* gptr = genre;
+    uint32 t,d,s;
+    struct fp_entry* e;
+
+    ln++;
+
+    /* Remove leading and trailing blanks */
+    while (isspace(*p)) p++;
+    l=strlen(p);
+    while (l && isspace(*(p+l-1))) *(p+(l--)-1)=0;
+	
+    /* Skip empty lines and comments */
+    if (!l) continue;
+    if (*p == '#') continue;
+
+    if (sscanf(p,"%[0-9%*()ST]:%d:%d:%[0-9()*]:%[^:]:%[^ :]:%[^:]:%[^:]",
+                  w,         &t,&d,sb,     obuf, quirks,genre,desc) != 8)
+      Error("OS fingerprinting: Syntax error in p0f signature config line %d.\n",(uint32)ln);
+
+    gptr = genre;
+
+    if (*sb != '*') s = atoi(sb); else s = 0;
+
+reparse_ptr:
+
+    switch (*gptr)
+      {
+      case '-': sig[sigcnt].userland = 1; gptr++; goto reparse_ptr;
+      case '*': sig[sigcnt].no_detail = 1; gptr++; goto reparse_ptr;
+      case '@': sig[sigcnt].generic = 1; gptr++; gencnt++; goto reparse_ptr;
+      case 0: Error("OS fingerprinting: Empty OS genre in line",(uint32)ln);
+      }
+
+    sig[sigcnt].os     = strdup(gptr);
+    sig[sigcnt].desc   = strdup(desc);
+    sig[sigcnt].ttl    = t;
+    sig[sigcnt].size   = s;
+    sig[sigcnt].df     = d;
+ 
+    if (w[0] == '*')
+      {
+      sig[sigcnt].wsize = 1;
+      sig[sigcnt].wsize_mod = MOD_CONST;
+      }
+    else if (tolower(w[0]) == 's')
+      {
+      sig[sigcnt].wsize_mod = MOD_MSS;
+      if (!isdigit(*(w+1)))
+	Error("OS fingerprinting: Bad Snn value in WSS in line",(uint32)ln);
+      sig[sigcnt].wsize = atoi(w+1);
+      }
+    else if (tolower(w[0]) == 't')
+      {
+      sig[sigcnt].wsize_mod = MOD_MTU;
+      if (!isdigit(*(w+1)))
+	Error("OS fingerprinting: Bad Tnn value in WSS in line",(uint32)ln);
+      sig[sigcnt].wsize = atoi(w+1);
+      }
+    else if (w[0] == '%')
+      {
+      if (!(sig[sigcnt].wsize = atoi(w+1)))
+        Error("OS fingerprinting: Null modulo for window size in config line",(uint32)ln);
+      sig[sigcnt].wsize_mod = MOD_CONST;
+      }
+    else
+      sig[sigcnt].wsize = atoi(w);
+
+    /* Now let's parse options */
+
+    p=obuf;
+
+    sig[sigcnt].zero_stamp = 1;
+
+    if (*p=='.') p++;
+
+    while (*p)
+      {
+      uint8 optcnt = sig[sigcnt].optcnt;
+      switch (tolower(*p))
+	{
+        case 'n': sig[sigcnt].opt[optcnt] = TCPOPT_NOP;
+                  break;
+
+        case 'e': sig[sigcnt].opt[optcnt] = TCPOPT_EOL;
+                  if (*(p+1))
+                    Error("OS fingerprinting: EOL not the last option, line",(uint32)ln);
+                  break;
+
+        case 's': sig[sigcnt].opt[optcnt] = TCPOPT_SACK_PERMITTED;
+                  break;
+
+        case 't': sig[sigcnt].opt[optcnt] = TCPOPT_TIMESTAMP;
+                  if (*(p+1)!='0')
+		    {
+                    sig[sigcnt].zero_stamp=0;
+                    if (isdigit(*(p+1)))
+                      Error("OS fingerprinting: Bogus Tstamp specification in line",(uint32)ln);
+		    }
+                  break;
+
+        case 'w': sig[sigcnt].opt[optcnt] = TCPOPT_WINDOW;
+                  if (p[1] == '*')
+		    {
+                    sig[sigcnt].wsc = 1;
+                    sig[sigcnt].wsc_mod = MOD_CONST;
+		    }
+		  else if (p[1] == '%')
+		    {
+                    if (!(sig[sigcnt].wsc = atoi(p+2)))
+                      Error("OS fingerprinting: Null modulo for wscale in config line",(uint32)ln);
+                    sig[sigcnt].wsc_mod = MOD_CONST;
+		    }
+		  else if (!isdigit(*(p+1)))
+                    Error("OS fingerprinting: Incorrect W value in line",(uint32)ln);
+                  else sig[sigcnt].wsc = atoi(p+1);
+                  break;
+
+        case 'm': sig[sigcnt].opt[optcnt] = TCPOPT_MAXSEG;
+                  if (p[1] == '*')
+		    {
+                    sig[sigcnt].mss = 1;
+                    sig[sigcnt].mss_mod = MOD_CONST;
+		    }
+		  else if (p[1] == '%')
+		    {
+                    if (!(sig[sigcnt].mss = atoi(p+2)))
+                      Error("OS fingerprinting: Null modulo for MSS in config line",(uint32)ln);
+                    sig[sigcnt].mss_mod = MOD_CONST;
+		    }
+		  else if (!isdigit(*(p+1)))
+                    Error("OS fingerprinting: Incorrect M value in line",(uint32)ln);
+                  else sig[sigcnt].mss = atoi(p+1);
+                  break;
+
+        /* Yuck! */
+        case '?': if (!isdigit(*(p+1)))
+                    Error("OS fingerprinting: Bogus ?nn value in line",(uint32)ln);
+                  else sig[sigcnt].opt[optcnt] = atoi(p+1);
+                  break;
+
+        default: Error("OS fingerprinting: Unknown TCP option in config line",(uint32)ln);
+	}
+
+      if (++sig[sigcnt].optcnt >= MAXOPT)
+        Error("OS fingerprinting: Too many TCP options specified in config line",(uint32)ln);
+
+      /* Skip separators */
+      do { p++; } while (*p && !isalpha(*p) && *p != '?');
+
+    }
+ 
+    sig[sigcnt].line = ln;
+
+    p = quirks;
+
+    while (*p)
+      switch (toupper(*(p++)))
+	{
+        case 'E':
+          Error("OS fingerprinting: Quirk 'E' is obsolete. Remove it, append E to the options. Line",(uint32)ln);
+
+        case 'K':
+	  if ( mode != RST_FINGERPRINT_MODE )
+	    Error("OS fingerprinting: Quirk 'K' is valid only in RST+ (-R) mode (wrong config file?). Line",(uint32)ln);
+  	  sig[sigcnt].quirks |= QUIRK_RSTACK;
+	  break;
+
+        case 'Q': sig[sigcnt].quirks |= QUIRK_SEQEQ; break;
+        case '0': sig[sigcnt].quirks |= QUIRK_SEQ0; break;
+        case 'P': sig[sigcnt].quirks |= QUIRK_PAST; break;
+        case 'Z': sig[sigcnt].quirks |= QUIRK_ZEROID; break;
+        case 'I': sig[sigcnt].quirks |= QUIRK_IPOPT; break;
+        case 'U': sig[sigcnt].quirks |= QUIRK_URG; break;
+        case 'X': sig[sigcnt].quirks |= QUIRK_X2; break;
+        case 'A': sig[sigcnt].quirks |= QUIRK_ACK; break;
+        case 'T': sig[sigcnt].quirks |= QUIRK_T2; break;
+        case 'F': sig[sigcnt].quirks |= QUIRK_FLAGS; break;
+        case 'D': sig[sigcnt].quirks |= QUIRK_DATA; break;
+        case '!': sig[sigcnt].quirks |= QUIRK_BROKEN; break;
+        case '.': break;
+        default: Error("OS fingerprinting: Bad quirk in line",(uint32)ln);
+	}
+
+    e = bh[SIGHASH(s,sig[sigcnt].optcnt,sig[sigcnt].quirks,d)];
+
+    if (!e)
+      {
+      bh[SIGHASH(s,sig[sigcnt].optcnt,sig[sigcnt].quirks,d)] = &sig[sigcnt];
+      }
+    else
+      {
+      while (e->next) e = e->next;
+      e->next = &sig[sigcnt];
+      }
+
+    collide(sigcnt);
+    if (++sigcnt >= MAXSIGS)
+      Error("OS fingerprinting: Maximum signature count exceeded.\n");
+
+    }
+
+  fclose(c);
+
+  if (!sigcnt)
+    Error("OS fingerprinting: no signatures loaded from config file.");
+
+  }
+
+// Does the actual match between the packet and the signature database.
+// Modifies retval and contains OS Type and other useful information.
+// Returns config-file line of the matching signature as id.
+int OSFingerprint::FindMatch(struct os_type* retval, uint16 tot,uint8 df,
+			      uint8 ttl,uint16 wss,uint8 ocnt,uint8* op,
+			      uint16 mss,uint8 wsc,uint32 tstamp,
+			      uint32 quirks,uint8 ecn) const
+  {
+  uint32 j; //used for counter in loops
+  struct fp_entry* p;
+  uint8  orig_df  = df;
+
+  struct fp_entry* fuzzy = 0;
+  uint8 fuzzy_now = 0;
+  int id = 0; //return value: 0 indicates no match.
+
+  retval->os="UNKNOWN";
+  retval->desc=NULL;
+  retval->gadgets=0;
+  retval->match=0;
+  retval->uptime=0;
+
+re_lookup:
+
+  p = bh[SIGHASH(tot,ocnt,quirks,df)];
+
+  while (p)
+    {
+    /* Cheap and specific checks first... */
+    /* psize set to zero means >= PACKET_BIG */
+    if (p->size) { if (tot ^ p->size) { p = p->next; continue; } }
+      else if (tot < PACKET_BIG) { p = p->next; continue; }
+
+    if (ocnt ^ p->optcnt) { p = p->next; continue; }
+
+    if (p->zero_stamp ^ (!tstamp)) { p = p->next; continue; }
+    if (p->df ^ df) { p = p->next; continue; }
+    if (p->quirks ^ quirks) { p = p->next; continue; }
+
+    /* Check MSS and WSCALE... */
+    if (!p->mss_mod) {
+      if (mss ^ p->mss) { p = p->next; continue; }
+    } else if (mss % p->mss) { p = p->next; continue; }
+
+    if (!p->wsc_mod) {
+      if (wsc ^ p->wsc) { p = p->next; continue; }
+    } else if (wsc % p->wsc) { p = p->next; continue; }
+
+    /* Then proceed with the most complex WSS check... */
+    switch (p->wsize_mod)
+      {
+      case 0:
+        if (wss ^ p->wsize) { p = p->next; continue; }
+        break;
+      case MOD_CONST:
+        if (wss % p->wsize) { p = p->next; continue; }
+        break;
+      case MOD_MSS:
+        if (mss && !(wss % mss))
+	  {
+          if ((wss / mss) ^ p->wsize) { p = p->next; continue; }
+	  }
+	else if (!(wss % 1460))
+	  {
+          if ((wss / 1460) ^ p->wsize) { p = p->next; continue; }
+	  }
+	else { p = p->next; continue; }
+        break;
+      case MOD_MTU:
+        if (mss && !(wss % (mss+40)))
+	  {
+          if ((wss / (mss+40)) ^ p->wsize) { p = p->next; continue; }
+	  }
+	else if (!(wss % 1500))
+	  {
+          if ((wss / 1500) ^ p->wsize) { p = p->next; continue; }
+	  }
+	else { p = p->next; continue; }
+        break;
+      }
+
+    /* Numbers agree. Let's check options */
+    for (j=0;j<ocnt;j++)
+      if (p->opt[j] ^ op[j]) goto continue_search;
+
+    /* Check TTLs last because we might want to go fuzzy. */
+    if (p->ttl < ttl)
+      {
+      if ( mode != RST_FINGERPRINT_MODE )fuzzy = p;
+      p = p->next;
+      continue;
+      }
+
+    /* Naah... can't happen ;-) */
+    if (!p->no_detail)
+      if (p->ttl - ttl > MAXDIST)
+	{
+        if (mode != RST_FINGERPRINT_MODE ) fuzzy = p;
+        p = p->next;
+        continue;
+	}
+
+continue_fuzzy:
+
+    /* Match! */
+    id = p->line;
+    if (mss & wss)
+      {
+      if (p->wsize_mod == MOD_MSS)
+	{
+        if ((wss % mss) && !(wss % 1460)) retval->gadgets|=GADGETNAT;
+	}
+      else if (p->wsize_mod == MOD_MTU)
+	{
+        if ((wss % (mss+40)) && !(wss % 1500)) retval->gadgets|=GADGETNAT2;
+	}
+      }
+
+    retval->os=p->os;
+    retval->desc=p->desc;
+    retval->dist=p->ttl-ttl;
+
+    if (ecn) retval->gadgets|=GADGETECN;
+    if (orig_df ^ df) retval->gadgets|=GADGETFIREWALL;
+
+    if (p->generic) retval->match=MATCHGENERIC;
+    if (fuzzy_now) retval->match=MATCHFUZZY;
+
+    if (!p->no_detail && tstamp)
+      {
+      retval->uptime=tstamp/360000;
+      retval->gadgets|=GADGETUPTIME;
+      }
+
+    return id;
+
+continue_search:
+
+    p = p->next;
+
+    }
+
+  if (!df) { df = 1; goto re_lookup; } //not found with df=0 do df=1
+
+  if (fuzzy)
+    {
+    df = orig_df;
+    fuzzy_now = 1;
+    p = fuzzy;
+    fuzzy = 0;
+    goto continue_fuzzy;
+    }
+
+  if (mss & wss)
+    {
+    if ((wss % mss) && !(wss % 1460)) retval->gadgets|=GADGETNAT;
+    else if ((wss % (mss+40)) && !(wss % 1500)) retval->gadgets|=GADGETNAT2;
+    }
+
+  if (ecn) retval->gadgets|=GADGETECN;
+
+  if (tstamp)
+    {
+    retval->uptime=tstamp/360000;
+    retval->gadgets|=GADGETUPTIME;
+    }
+
+  return id;
+  }
diff --git a/src/OSFinger.h b/src/OSFinger.h
new file mode 100644
index 0000000000..ca040f609a
--- /dev/null
+++ b/src/OSFinger.h
@@ -0,0 +1,169 @@
+// $Id: OSFinger.h 5857 2008-06-26 23:00:03Z vern $
+
+// Taken with permission from:
+//
+// p0f - passive OS fingerprinting (GNU LESSER GENERAL PUBLIC LICENSE)
+// -------------------------------------------------------------------
+//
+// "If you sit down at a poker game and don't see a sucker,
+// get up. You're the sucker."
+//
+// (C) Copyright 2000-2003 by Michal Zalewski <lcamtuf@coredump.cx>
+
+#ifndef osfinger_h
+#define osfinger_h
+
+#include "util.h"
+#include "Dict.h"
+
+
+// Size limit for size wildcards.
+#define PACKET_BIG 100
+
+// Maximum number of signatures allowed in the config file.
+#define MAXSIGS 1024
+
+// Max signature line length.
+#define MAXLINE 1024
+
+// Maximum distance from a host to be taken seriously. Between 35 and 64
+// is sane. Making it too high might result in some (very rare) false
+// positives, too low will result in needless UNKNOWNs.
+#define MAXDIST 40
+
+// Maximum number of TCP options.  A TCP packet can have at most 64 bytes
+// of header, 20 of which are non-options.  Thus, if a single option
+// consumes 1 bytes (the minimum, there can only be 44 bytes of options.
+// We err on the safe side.
+#define MAXOPT 64
+
+declare(PDict,int);
+
+struct os_type {
+	const char* os;
+	char* desc;
+	uint8 dist;
+	uint16 gadgets;
+	uint16 match;
+	uint32 uptime;
+};
+
+struct fp_entry {
+	struct fp_entry* next;
+	char* os;		// OS genre
+	char* desc;		// OS description
+	uint8 no_detail;	// disable guesstimates
+	uint8 generic;		// generic hit
+	uint8 userland;		// userland stack
+	uint16 wsize;		// window size
+	uint8 wsize_mod;	// MOD_* for wsize
+	uint8 ttl;		// TTL
+	uint8 df;		// don't fragment bit
+	uint8 zero_stamp;	// timestamp option but zero value?
+	uint16 size;		// packet size
+	uint8 optcnt;		// option count
+	uint8 opt[MAXOPT];	// TCPOPT_*
+	uint16 wsc;		// window scaling option
+	uint16 mss;		// MSS option
+	uint8 wsc_mod;		// modulo for WSCALE (NONE or CONST)
+	uint8 mss_mod;		// modulo for MSS (NONE or CONST)
+	uint32 quirks;		// packet quirks and bugs
+	uint32 line;		// config file line
+};
+
+struct mtu_def {
+	uint16 mtu;
+	char* dev;
+};
+
+enum FingerprintMode {
+	SYN_FINGERPRINT_MODE, SYN_ACK_FINGERPRINT_MODE, RST_FINGERPRINT_MODE,
+};
+
+class OSFingerprint {
+public:
+	OSFingerprint(FingerprintMode mode);
+	~OSFingerprint()	{}
+
+	bool Error() const	{ return err; }
+
+	int FindMatch(struct os_type* retval, uint16 tot, uint8 DF_flag,
+		uint8 TTL, uint16 WSS, uint8 ocnt, uint8* op, uint16 MSS,
+		uint8 win_scale, uint32 tstamp, uint32 quirks, uint8 ECN) const;
+	bool CacheMatch(uint32 addr, int id);
+
+	int Get_OS_From_SYN(struct os_type* retval,
+			uint16 tot, uint8 DF_flag, uint8 TTL, uint16 WSS,
+			uint8 ocnt, uint8* op, uint16 MSS, uint8 win_scale,
+			uint32 tstamp, /* uint8 TOS, */ uint32 quirks,
+			uint8 ecn) const;
+
+	void load_config(const char* file);
+
+protected:
+	void collide(uint32 id);
+
+	void Error(const char* msg)
+		{
+		error(msg);
+		err = true;
+		}
+
+	void Error(const char* msg, int n)
+		{
+		error(msg, n);
+		err = true;
+		}
+
+	void Error(const char* msg, const char* s)
+		{
+		error(msg, s);
+		err = true;
+		}
+
+private:
+	bool err;	// if true, a fatal error has occurred
+	unsigned int mode;
+	uint32 sigcnt, gencnt;
+	uint8 problems;
+	struct fp_entry sig[MAXSIGS];
+
+	/* By hash */
+#define OSHSIZE 16
+	struct fp_entry* bh[OSHSIZE];
+
+	PDict(int) os_matches;
+};
+
+#define SIGHASH(tsize, optcnt, q, df) \
+	((uint8(((tsize) << 1) ^ ((optcnt) << 1) ^ (df) ^ (q) )) & 0x0f)
+
+#define MOD_NONE	0
+#define MOD_CONST	1
+#define MOD_MSS		2
+#define MOD_MTU		3
+
+#define QUIRK_PAST      0x1 /* P */
+#define QUIRK_ZEROID	0x2 /* Z */
+#define QUIRK_IPOPT	0x4 /* I */
+#define QUIRK_URG	0x8 /* U */
+#define QUIRK_X2	0x10 /* X */
+#define QUIRK_ACK	0x20 /* A */
+#define QUIRK_T2	0x40 /* T */
+#define QUIRK_FLAGS	0x80 /* F */
+#define QUIRK_DATA	0x100 /* D */
+#define QUIRK_BROKEN	0x200 /* ! */
+#define QUIRK_RSTACK	0x400 /* K */
+#define QUIRK_SEQEQ	0x800 /* Q */
+#define QUIRK_SEQ0      0x1000 /* 0 */
+
+#define GADGETNAT       0x1
+#define GADGETNAT2      0x2
+#define GADGETFIREWALL  0x4
+#define GADGETECN       0x8
+#define GADGETUPTIME    0x10
+
+#define MATCHGENERIC    0x1
+#define MATCHFUZZY      0x2
+
+#endif
diff --git a/src/Obj.cc b/src/Obj.cc
new file mode 100644
index 0000000000..d649b77b61
--- /dev/null
+++ b/src/Obj.cc
@@ -0,0 +1,270 @@
+// $Id: Obj.cc 6752 2009-06-14 04:24:52Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "config.h"
+
+#include <stdlib.h>
+
+#include "Obj.h"
+#include "Serializer.h"
+#include "File.h"
+
+Location no_location("<no location>", 0, 0, 0, 0);
+Location start_location("<start uninitialized>", 0, 0, 0, 0);
+Location end_location("<end uninitialized>", 0, 0, 0, 0);
+
+bool Location::Serialize(SerialInfo* info) const
+	{
+	return SerialObj::Serialize(info);
+	}
+
+Location* Location::Unserialize(UnserialInfo* info)
+	{
+	return (Location*) SerialObj::Unserialize(info, SER_LOCATION);
+	}
+
+IMPLEMENT_SERIAL(Location, SER_LOCATION);
+
+bool Location::DoSerialize(SerialInfo* info) const
+	{
+	DO_SERIALIZE(SER_LOCATION, SerialObj);
+	info->s->WriteOpenTag("Location");
+	SERIALIZE(filename);
+	SERIALIZE(first_line);
+	SERIALIZE(last_line);
+	SERIALIZE(first_column);
+	SERIALIZE(last_column);
+	info->s->WriteCloseTag("Location");
+	return true;
+	}
+
+bool Location::DoUnserialize(UnserialInfo* info)
+	{
+	DO_UNSERIALIZE(SerialObj);
+
+	delete_data = true;
+
+	return UNSERIALIZE_STR(&filename, 0)
+		&& UNSERIALIZE(&first_line)
+		&& UNSERIALIZE(&last_line)
+		&& UNSERIALIZE(&first_column)
+		&& UNSERIALIZE(&last_column);
+	}
+
+bool Location::operator==(const Location& l) const
+	{
+	if ( filename == l.filename ||
+	     (filename && l.filename && streq(filename, l.filename)) )
+		return first_line == l.first_line && last_line == l.last_line;
+	else
+		return false;
+	}
+
+int BroObj::suppress_runtime = 0;
+
+BroObj::~BroObj()
+	{
+	delete location;
+	}
+
+void BroObj::Warn(const char* msg, const BroObj* obj2, int pinpoint_only) const
+	{
+	DoMsg("warning,", msg, obj2, pinpoint_only);
+	++nwarn;
+	}
+
+void BroObj::Error(const char* msg, const BroObj* obj2, int pinpoint_only) const
+	{
+	DoMsg("error,", msg, obj2, pinpoint_only);
+	++nerr;
+	}
+
+void BroObj::RunTime(const char* msg, const BroObj* obj2, int pinpoint_only) const
+	{
+	if ( ! suppress_runtime )
+		{
+		DoMsg("run-time error,", msg, obj2, pinpoint_only);
+		++nruntime;
+		}
+	}
+
+void BroObj::BadTag(const char* msg, const char* t1, const char* t2) const
+	{
+	char out[512];
+
+	if ( t2 )
+		snprintf(out, sizeof(out), "%s (%s/%s)", msg, t1, t2);
+	else if ( t1 )
+		snprintf(out, sizeof(out), "%s (%s)", msg, t1);
+	else
+		snprintf(out, sizeof(out), "%s", msg);
+
+	DoMsg("bad tag in", out);
+	Fatal();
+	}
+
+void BroObj::Internal(const char* msg) const
+	{
+	DoMsg("internal error:", msg);
+	Fatal();
+	}
+
+void BroObj::InternalWarning(const char* msg) const
+	{
+	DoMsg("internal warning:", msg);
+	}
+
+void BroObj::AddLocation(ODesc* d) const
+	{
+	if ( ! location )
+		{
+		d->Add("<no location>");
+		return;
+		}
+
+	if ( location->filename )
+		{
+		d->Add(location->filename);
+
+		if ( location->first_line == 0 )
+			return;
+
+		d->AddSP(",");
+		}
+
+	if ( location->last_line != location->first_line )
+		{
+		d->Add("lines ");
+		d->Add(location->first_line);
+		d->Add("-");
+		d->Add(location->last_line);
+		}
+	else
+		{
+		d->Add("line ");
+		d->Add(location->first_line);
+		}
+	}
+
+bool BroObj::SetLocationInfo(const Location* start, const Location* end)
+	{
+	if ( ! start || ! end )
+		return false;
+
+	if ( end->filename && ! streq(start->filename, end->filename) )
+		return false;
+
+	if ( location && (start == &no_location || end == &no_location) )
+		// We already have a better location, so don't use this one.
+		return true;
+
+	delete location;
+
+	location = new Location(start->filename,
+				start->first_line, end->last_line,
+				start->first_column, end->last_column);
+
+	return true;
+	}
+
+void BroObj::UpdateLocationEndInfo(const Location& end)
+	{
+	if ( ! location )
+		SetLocationInfo(&end, &end);
+
+	location->last_line = end.last_line;
+	location->last_column = end.last_column;
+	}
+
+void BroObj::DoMsg(const char s1[], const char s2[], const BroObj* obj2,
+			int pinpoint_only) const
+	{
+	ODesc d;
+	d.SetShort();
+
+	PinPoint(&d, obj2, pinpoint_only);
+	d.SP();
+	d.Add(s1);
+	d.SP();
+	d.Add(s2);
+	fprintf(stderr, "%s\n", d.Description());
+	}
+
+void BroObj::PinPoint(ODesc* d, const BroObj* obj2, int pinpoint_only) const
+	{
+	if ( network_time > 0.0 )
+		{
+		char time[256];
+		safe_snprintf(time, sizeof(time), "%.6f", network_time);
+		d->Add(time);
+		d->SP();
+		}
+
+	AddLocation(d);
+	if ( obj2 && obj2->GetLocationInfo() != &no_location &&
+	     *obj2->GetLocationInfo() != *GetLocationInfo() )
+		{
+		d->Add(" and ");
+		obj2->AddLocation(d);
+		d->Add("\n  ");
+		}
+
+	d->Add(" (");
+	Describe(d);
+	if ( obj2 && ! pinpoint_only )
+		{
+		d->Add(" and ");
+		obj2->Describe(d);
+		}
+
+	d->Add("):");
+	}
+
+void BroObj::Fatal() const
+	{
+#ifdef DEBUG_BRO
+	internal_error("BroObj::Fatal()");
+#endif
+	exit(1);
+	}
+
+bool BroObj::DoSerialize(SerialInfo* info) const
+	{
+	DO_SERIALIZE(SER_BRO_OBJ, SerialObj);
+
+	info->s->WriteOpenTag("Object");
+
+	Location* loc = info->include_locations ? location : 0;
+	SERIALIZE_OPTIONAL(loc);
+	info->s->WriteCloseTag("Object");
+
+	return true;
+	}
+
+bool BroObj::DoUnserialize(UnserialInfo* info)
+	{
+	DO_UNSERIALIZE(SerialObj);
+
+	UNSERIALIZE_OPTIONAL(location, Location::Unserialize(info));
+	return true;
+	}
+
+void print(const BroObj* obj)
+	{
+	static BroFile fstderr(stderr);
+	ODesc d(DESC_READABLE, &fstderr);
+	obj->Describe(&d);
+	d.Add("\n");
+	}
+
+void bad_ref(int type)
+	{
+	internal_error("bad reference count [%d]", type);
+	abort();
+	}
+
+void bro_obj_delete_func(void* v)
+	{
+	Unref((BroObj*) v);
+	}
diff --git a/src/Obj.h b/src/Obj.h
new file mode 100644
index 0000000000..7bfec745ba
--- /dev/null
+++ b/src/Obj.h
@@ -0,0 +1,230 @@
+// $Id: Obj.h 6781 2009-06-28 00:50:04Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#ifndef obj_h
+#define obj_h
+
+#include <limits.h>
+
+#include "input.h"
+#include "Desc.h"
+#include "SerialObj.h"
+
+class Serializer;
+class SerialInfo;
+
+class Location : SerialObj {
+public:
+	Location(const char* fname, int line_f, int line_l, int col_f, int col_l)
+		{
+		filename = fname;
+		first_line = line_f;
+		last_line = line_l;
+		first_column = col_f;
+		last_column = col_l;
+		delete_data = false;
+
+		timestamp = 0;
+		text = 0;
+		}
+
+	Location()
+		{
+		filename = 0;
+		first_line = last_line = first_column = last_column = 0;
+		delete_data = false;
+		timestamp = 0;
+		text = 0;
+		}
+
+	virtual ~Location()
+		{
+		if ( delete_data )
+			delete [] filename;
+		}
+
+	bool Serialize(SerialInfo* info) const;
+	static Location* Unserialize(UnserialInfo* info);
+
+	bool operator==(const Location& l) const;
+	bool operator!=(const Location& l) const
+		{ return ! (*this == l); }
+
+	const char* filename;
+	int first_line, last_line;
+	int first_column, last_column;
+	bool delete_data;
+
+	// Timestamp and text for compatibility with Bison's default yyltype.
+	int timestamp;
+	char* text;
+protected:
+	DECLARE_SERIAL(Location);
+};
+
+#define YYLTYPE yyltype
+typedef Location yyltype;
+YYLTYPE GetCurrentLocation();
+
+// Used to mean "no location associated with this object".
+extern Location no_location;
+
+// Current start/end location.
+extern Location start_location;
+extern Location end_location;
+
+// Used by parser to set the above.
+inline void set_location(const Location loc)
+	{
+	start_location = end_location = loc;
+	}
+
+inline void set_location(const Location start, const Location end)
+	{
+	start_location = start;
+	end_location = end;
+	}
+
+class BroObj : public SerialObj {
+public:
+	BroObj()
+		{
+		ref_cnt = 1;
+		in_ser_cache = false;
+
+		// A bit of a hack.  We'd like to associate location
+		// information with every object created when parsing,
+		// since for them, the location is generally well-defined.
+		// We could maintain a separate flag that tells us whether
+		// we're inside a parse, but the parser also sets the
+		// location to no_location when it's done, so it makes
+		// sense to just check for that.  *However*, start_location
+		// and end_location are maintained as their own objects
+		// rather than pointers or references, so we can't directly
+		// check them for equality with no_location.  So instead
+		// we check for whether start_location has a line number
+		// of 0, which should only happen if it's been assigned
+		// to no_location (or hasn't been initialized at all).
+		location = 0;
+		if ( start_location.first_line != 0 )
+			SetLocationInfo(&start_location, &end_location);
+		}
+
+	virtual ~BroObj();
+
+	// Report user warnings/errors.  If obj2 is given, then it's
+	// included in the message, though if pinpoint_only is non-zero,
+	// then obj2 is only used to pinpoint the location.
+	void Warn(const char* msg, const BroObj* obj2 = 0,
+			int pinpoint_only = 0) const;
+	void Error(const char* msg, const BroObj* obj2 = 0,
+			int pinpoint_only = 0) const;
+	void RunTime(const char* msg, const BroObj* obj2 = 0,
+			int pinpoint_only = 0) const;
+
+	// Report internal errors.
+	void BadTag(const char* msg, const char* t1 = 0,
+			const char* t2 = 0) const;
+#define CHECK_TAG(t1, t2, text, tag_to_text_func) \
+	{ \
+	if ( t1 != t2 ) \
+		BadTag(text, tag_to_text_func(t1), tag_to_text_func(t2)); \
+	}
+
+	void Internal(const char* msg) const;
+	void InternalWarning(const char* msg) const;
+
+	virtual void Describe(ODesc* d) const { /* FIXME: Add code */ };
+
+	void AddLocation(ODesc* d) const;
+
+	// Get location info for debugging.
+	const Location* GetLocationInfo() const
+		{ return location ? location : &no_location; }
+
+	virtual bool SetLocationInfo(const Location* loc)
+		{ return SetLocationInfo(loc, loc); }
+
+	// Location = range from start to end.
+	virtual bool SetLocationInfo(const Location* start, const Location* end);
+
+	// Set new end-of-location information.  This is used to
+	// extend compound objects such as statement lists.
+	virtual void UpdateLocationEndInfo(const Location& end);
+
+	int RefCnt() const	{ return ref_cnt; }
+
+	// Helper class to temporarily suppress run-time errors
+	// as long as there exist any instances.
+	class SuppressRunTimeErrors {
+	public:
+		SuppressRunTimeErrors()		{ ++BroObj::suppress_runtime; }
+		~SuppressRunTimeErrors()	{ --BroObj::suppress_runtime; }
+	};
+
+	bool in_ser_cache;
+
+protected:
+	friend class SerializationCache;
+
+	DECLARE_ABSTRACT_SERIAL(BroObj);
+
+	Location* location;	// all that matters in real estate
+
+private:
+	friend class SuppressRunTimeErrors;
+
+	void DoMsg(const char s1[], const char s2[], const BroObj* obj2 = 0,
+			int pinpoint_only = 0) const;
+	void PinPoint(ODesc* d, const BroObj* obj2 = 0,
+			int pinpoint_only = 0) const;
+	void Fatal() const;
+
+	friend inline void Ref(BroObj* o);
+	friend inline void Unref(BroObj* o);
+
+	int ref_cnt;
+
+	// If non-zero, do not print runtime errors.  Useful for
+	// speculative evaluation.
+	static int suppress_runtime;
+};
+
+// Prints obj to stderr, primarily for debugging.
+extern void print(const BroObj* obj);
+
+extern void bad_ref(int type);
+
+// Sometimes useful when dealing with BroObj subclasses that have their
+// own (protected) versions of Error.
+inline void Error(const BroObj* o, const char* msg)
+	{
+	o->Error(msg);
+	}
+
+inline void Ref(BroObj* o)
+	{
+	if ( ++o->ref_cnt <= 1 )
+		bad_ref(0);
+	if ( o->ref_cnt == INT_MAX )
+		bad_ref(1);
+	}
+
+inline void Unref(BroObj* o)
+	{
+	if ( o && --o->ref_cnt <= 0 )
+		{
+		if ( o->ref_cnt < 0 )
+			bad_ref(2);
+		delete o;
+
+		// We could do the following if o were passed by reference.
+		// o = (BroObj*) 0xcd;
+		}
+	}
+
+// A dict_delete_func that knows to Unref() dictionary entries.
+extern void bro_obj_delete_func(void* v);
+
+#endif
diff --git a/src/Op.h b/src/Op.h
new file mode 100644
index 0000000000..7c8d4afe38
--- /dev/null
+++ b/src/Op.h
@@ -0,0 +1,25 @@
+// $Id: Op.h 6219 2008-10-01 05:39:07Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#ifndef op_h
+#define op_h
+
+// BRO operations.
+
+typedef enum {
+	OP_INCR, OP_DECR, OP_NOT, OP_NEGATE,
+	OP_PLUS, OP_MINUS, OP_TIMES, OP_DIVIDE, OP_MOD,
+	OP_AND, OP_OR,
+	OP_LT, OP_LE, OP_EQ, OP_NE, OP_GE, OP_GT,
+	OP_MATCH,
+	OP_ASSIGN,
+	OP_INDEX, OP_FIELD,
+	OP_IN,
+	OP_LIST,
+	OP_CALL,
+	OP_SCHED,
+	OP_NAME, OP_CONST, OP_THIS
+} BroOP;
+
+#endif
diff --git a/src/PIA.cc b/src/PIA.cc
new file mode 100644
index 0000000000..a38cf608fc
--- /dev/null
+++ b/src/PIA.cc
@@ -0,0 +1,392 @@
+// $Id: PIA.cc,v 1.1.2.14 2006/05/31 23:19:07 sommer Exp $
+
+#include "PIA.h"
+#include "RuleMatcher.h"
+#include "TCP_Reassembler.h"
+
+PIA::PIA(Analyzer* arg_as_analyzer)
+	{
+	current_packet.data = 0;
+	as_analyzer = arg_as_analyzer;
+	}
+
+PIA::~PIA()
+	{
+	ClearBuffer(&pkt_buffer);
+	}
+
+void PIA::ClearBuffer(Buffer* buffer)
+	{
+	DataBlock* next = 0;
+	for ( DataBlock* b = buffer->head; b; b = next )
+		{
+		next = b->next;
+		delete [] b->data;
+		delete b;
+		}
+
+	buffer->head = buffer->tail = 0;
+	buffer->size = 0;
+	}
+
+void PIA::AddToBuffer(Buffer* buffer, int seq, int len, const u_char* data,
+			bool is_orig)
+	{
+	u_char* tmp = 0;
+
+	if ( data )
+		{
+		tmp = new u_char[len];
+		memcpy(tmp, data, len);
+		}
+
+	DataBlock* b = new DataBlock;
+	b->data = tmp;
+	b->is_orig = is_orig;
+	b->len = len;
+	b->seq = seq;
+	b->next = 0;
+
+	if ( buffer->tail )
+		{
+		buffer->tail->next = b;
+		buffer->tail = b;
+		}
+	else
+		buffer->head = buffer->tail = b;
+
+	buffer->size += len;
+	}
+
+void PIA::AddToBuffer(Buffer* buffer, int len, const u_char* data, bool is_orig)
+	{
+	AddToBuffer(buffer, -1, len, data, is_orig);
+	}
+
+void PIA::ReplayPacketBuffer(Analyzer* analyzer)
+	{
+	DBG_LOG(DBG_DPD, "PIA replaying %d total packet bytes", pkt_buffer.size);
+
+	for ( DataBlock* b = pkt_buffer.head; b; b = b->next )
+		analyzer->DeliverPacket(b->len, b->data, b->is_orig, -1, 0, 0);
+	}
+
+void PIA::PIA_Done()
+	{
+	FinishEndpointMatcher();
+	}
+
+void PIA::PIA_DeliverPacket(int len, const u_char* data, bool is_orig, int seq,
+				const IP_Hdr* ip, int caplen)
+	{
+	if ( pkt_buffer.state == SKIPPING )
+		return;
+
+	current_packet.data = data;
+	current_packet.len = len;
+	current_packet.seq = seq;
+	current_packet.is_orig = is_orig;
+
+	State new_state = pkt_buffer.state;
+
+	if ( pkt_buffer.state == INIT )
+		new_state = BUFFERING;
+
+	if ( (pkt_buffer.state == BUFFERING || new_state == BUFFERING) &&
+	     len > 0 )
+		{
+		AddToBuffer(&pkt_buffer, seq, len, data, is_orig);
+		if ( pkt_buffer.size > dpd_buffer_size )
+			new_state = dpd_match_only_beginning ?
+						SKIPPING : MATCHING_ONLY;
+		}
+
+	// FIXME: I'm not sure why it does not work with eol=true...
+	DoMatch(data, len, is_orig, true, false, false, ip);
+
+	pkt_buffer.state = new_state;
+
+	current_packet.data = 0;
+	}
+
+void PIA::Match(Rule::PatternType type, const u_char* data, int len,
+		bool is_orig, bool bol, bool eol, bool clear_state)
+	{
+	if ( ! MatcherInitialized(is_orig) )
+		InitEndpointMatcher(AsAnalyzer(), 0, 0, is_orig, this);
+
+	RuleMatcherState::Match(type, data, len, is_orig, bol, eol, clear_state);
+	}
+
+void PIA::DoMatch(const u_char* data, int len, bool is_orig, bool bol, bool eol,
+			bool clear_state, const IP_Hdr* ip)
+	{
+	if ( ! rule_matcher )
+		return;
+
+	if ( ! MatcherInitialized(is_orig) )
+		InitEndpointMatcher(AsAnalyzer(), ip, len, is_orig, this);
+
+	RuleMatcherState::Match(Rule::PAYLOAD, data, len, is_orig,
+				bol, eol, clear_state);
+	}
+
+void PIA_UDP::ActivateAnalyzer(AnalyzerTag::Tag tag, const Rule* rule)
+	{
+	if ( pkt_buffer.state == MATCHING_ONLY )
+		{
+		DBG_LOG(DBG_DPD, "analyzer found but buffer already exceeded");
+		// FIXME: This is where to check whether an analyzer
+		// supports partial connections once we get such.
+		return;
+		}
+
+	if ( Parent()->HasChildAnalyzer(tag) )
+		return;
+
+	Analyzer* a = Parent()->AddChildAnalyzer(tag);
+	a->SetSignature(rule);
+
+	if ( a )
+		ReplayPacketBuffer(a);
+	}
+
+void PIA_UDP::DeactivateAnalyzer(AnalyzerTag::Tag tag)
+	{
+	internal_error("PIA_UDP::Deact not implemented yet");
+	}
+
+//// TCP PIA
+
+PIA_TCP::~PIA_TCP()
+	{
+	ClearBuffer(&stream_buffer);
+	}
+
+void PIA_TCP::Init()
+	{
+	TCP_ApplicationAnalyzer::Init();
+
+	if ( Parent()->GetTag() == AnalyzerTag::TCP )
+		{
+		TCP_Analyzer* tcp = static_cast<TCP_Analyzer*>(Parent());
+		SetTCP(tcp);
+		tcp->SetPIA(this);
+		}
+	}
+
+void PIA_TCP::FirstPacket(bool is_orig, const IP_Hdr* ip)
+	{
+	static char dummy_packet[sizeof(struct ip) + sizeof(struct tcphdr)];
+	static struct ip* ip4 = 0;
+	static struct tcphdr* tcp4 = 0;
+	static IP_Hdr* ip4_hdr = 0;
+
+	DBG_LOG(DBG_DPD, "PIA_TCP[%d] FirstPacket(%s)", GetID(), (is_orig ? "T" : "F"));
+
+	if ( ! ip )
+		{
+		// Create a dummy packet.  Not very elegant, but everything
+		// else would be *really* ugly ...
+		if ( ! ip4_hdr )
+			{
+			ip4 = (struct ip*) dummy_packet;
+			tcp4 = (struct tcphdr*)
+				(dummy_packet + sizeof(struct ip));
+			ip4->ip_len = sizeof(struct ip) + sizeof(struct tcphdr);
+			ip4->ip_hl = sizeof(struct ip) >> 2;
+			ip4->ip_p = IPPROTO_TCP;
+
+			// Cast to const so that it doesn't delete it.
+			ip4_hdr = new IP_Hdr((const struct ip*) ip4);
+			}
+
+		if ( is_orig )
+			{
+			copy_addr(Conn()->OrigAddr(), &ip4->ip_src.s_addr);
+			copy_addr(Conn()->RespAddr(), &ip4->ip_dst.s_addr);
+			tcp4->th_sport = htons(Conn()->OrigPort());
+			tcp4->th_dport = htons(Conn()->RespPort());
+			}
+		else
+			{
+			copy_addr(Conn()->RespAddr(), &ip4->ip_src.s_addr);
+			copy_addr(Conn()->OrigAddr(), &ip4->ip_dst.s_addr);
+			tcp4->th_sport = htons(Conn()->RespPort());
+			tcp4->th_dport = htons(Conn()->OrigPort());
+			}
+
+		ip = ip4_hdr;
+		}
+
+	if ( ! MatcherInitialized(is_orig) )
+		DoMatch((const u_char*)"", 0, is_orig, true, false, false, ip);
+	}
+
+void PIA_TCP::DeliverStream(int len, const u_char* data, bool is_orig)
+	{
+	TCP_ApplicationAnalyzer::DeliverStream(len, data, is_orig);
+
+	if ( stream_buffer.state == SKIPPING )
+		return;
+
+	stream_mode = true;
+
+	State new_state = stream_buffer.state;
+
+	if ( stream_buffer.state == INIT )
+		{
+		// FIXME: clear payload-matching state here...
+		new_state = BUFFERING;
+		}
+
+	if ( stream_buffer.state == BUFFERING || new_state == BUFFERING )
+		{
+		AddToBuffer(&stream_buffer, len, data, is_orig);
+		if ( stream_buffer.size > dpd_buffer_size )
+			new_state = dpd_match_only_beginning ?
+						SKIPPING : MATCHING_ONLY;
+		}
+
+	DoMatch(data, len, is_orig, false, false, false, 0);
+
+	stream_buffer.state = new_state;
+	}
+
+void PIA_TCP::Undelivered(int seq, int len, bool is_orig)
+	{
+	TCP_ApplicationAnalyzer::Undelivered(seq, len, is_orig);
+
+	if ( stream_buffer.state == BUFFERING )
+		// We use data=nil to mark an undelivered.
+		AddToBuffer(&stream_buffer, seq, len, 0, is_orig);
+
+	// No check for buffer overrun here. I think that's ok.
+	}
+
+void PIA_TCP::ActivateAnalyzer(AnalyzerTag::Tag tag, const Rule* rule)
+	{
+	if ( stream_buffer.state == MATCHING_ONLY )
+		{
+		DBG_LOG(DBG_DPD, "analyzer found but buffer already exceeded");
+		// FIXME: This is where to check whether an analyzer supports
+		// partial connections once we get such.
+		return;
+		}
+
+	if ( Parent()->HasChildAnalyzer(tag) )
+		return;
+
+	Analyzer* a = Parent()->AddChildAnalyzer(tag);
+	a->SetSignature(rule);
+
+	// We have two cases here:
+	//
+	// (a) We have already got stream input.
+	//     => Great, somebody's already reassembling and we can just
+	//		replay our stream buffer to the new analyzer.
+	if ( stream_mode )
+		{
+		ReplayStreamBuffer(a);
+		return;
+		}
+
+	// (b) We have only got packet input so far (or none at all).
+	//     => We have to switch from packet-mode to stream-mode.
+	//
+	// Here's what we do:
+	//
+	//   (1) We create new TCP_Reassemblers and feed them the buffered
+	//       packets.
+	//
+	//   (2) The reassembler will give us their results via the
+	//       stream-interface and we buffer it as usual.
+	//
+	//   (3) We replay the now-filled stream-buffer to the analyzer.
+	//
+	//   (4) We hand the two reassemblers to the TCP Analyzer (our parent),
+	//       turning reassembly now on for all subsequent data.
+
+	DBG_LOG(DBG_DPD, "DPM_TCP switching from packet-mode to stream-mode");
+	stream_mode = true;
+
+	// FIXME: The reassembler will query the endpoint for state. Not sure
+	// if this is works in all cases...
+
+	if ( Parent()->GetTag() != AnalyzerTag::TCP )
+		{
+		// Our parent is not the TCP analyzer, which can only mean
+		// we have been inserted somewhere further down in the
+		// analyzer tree.  In this case, we will never have seen
+		// any input at this point (because we don't get packets).
+		assert(!pkt_buffer.head);
+		assert(!stream_buffer.head);
+		return;
+		}
+
+	TCP_Analyzer* tcp = (TCP_Analyzer*) Parent();
+
+	TCP_Reassembler* reass_orig =
+		new TCP_Reassembler(this, tcp, TCP_Reassembler::Direct,
+					true, tcp->Orig());
+
+	TCP_Reassembler* reass_resp =
+		new TCP_Reassembler(this, tcp, TCP_Reassembler::Direct,
+					false, tcp->Resp());
+
+	int orig_seq = 0;
+	int resp_seq = 0;
+
+	for ( DataBlock* b = pkt_buffer.head; b; b = b->next )
+		{
+		if ( b->is_orig )
+			reass_orig->DataSent(network_time, orig_seq = b->seq,
+						b->len, b->data, true);
+		else
+			reass_resp->DataSent(network_time, resp_seq = b->seq,
+						b->len, b->data, true);
+		}
+
+	// We also need to pass the current packet on.
+	DataBlock* current = CurrentPacket();
+	if ( current->data )
+		{
+		if ( current->is_orig )
+			reass_orig->DataSent(network_time,
+					orig_seq = current->seq,
+					current->len, current->data, true);
+		else
+			reass_resp->DataSent(network_time,
+					resp_seq = current->seq,
+					current->len, current->data, true);
+		}
+
+	ClearBuffer(&pkt_buffer);
+
+	ReplayStreamBuffer(a);
+	reass_orig->AckReceived(orig_seq);
+	reass_resp->AckReceived(resp_seq);
+
+	reass_orig->SetType(TCP_Reassembler::Forward);
+	reass_resp->SetType(TCP_Reassembler::Forward);
+
+	tcp->SetReassembler(reass_orig, reass_resp);
+	}
+
+void PIA_TCP::DeactivateAnalyzer(AnalyzerTag::Tag tag)
+	{
+	internal_error("PIA_TCP::Deact not implemented yet");
+	}
+
+void PIA_TCP::ReplayStreamBuffer(Analyzer* analyzer)
+	{
+	DBG_LOG(DBG_DPD, "PIA_TCP replaying %d total stream bytes", stream_buffer.size);
+
+	for ( DataBlock* b = stream_buffer.head; b; b = b->next )
+		{
+		if ( b->data )
+			analyzer->NextStream(b->len, b->data, b->is_orig);
+		else
+			analyzer->NextUndelivered(b->seq, b->len, b->is_orig);
+		}
+	}
diff --git a/src/PIA.h b/src/PIA.h
new file mode 100644
index 0000000000..8a1079f617
--- /dev/null
+++ b/src/PIA.h
@@ -0,0 +1,176 @@
+// $Id:$
+//
+// An analyzer for application-layer protocol-detection.
+
+#ifndef PIA_H
+#define PIA_H
+
+#include "Analyzer.h"
+#include "TCP.h"
+
+class RuleEndpointState;
+
+// Abstract PIA class providing common functionality for both TCP and UDP.
+// Accepts only packet input.
+//
+// Note that the PIA provides our main interface to the signature engine and
+// also keeps the matching state.  This is because (i) it needs to match
+// itself, and (ii) in case of tunnel-decapsulation we may have multiple
+// PIAs and then each needs its own matching-state.
+class PIA : public RuleMatcherState {
+public:
+	PIA(Analyzer* as_analyzer);
+	virtual ~PIA();
+
+	// Called when PIA wants to put an Analyzer in charge.  rule is the
+	// signature that triggered the activitation, if any.
+	virtual void ActivateAnalyzer(AnalyzerTag::Tag tag,
+					const Rule* rule = 0) = 0;
+
+	// Called when PIA wants to remove an Analyzer.
+	virtual void DeactivateAnalyzer(AnalyzerTag::Tag tag) = 0;
+
+	void Match(Rule::PatternType type, const u_char* data, int len,
+			bool is_orig, bool bol, bool eol, bool clear_state);
+
+	void ReplayPacketBuffer(Analyzer* analyzer);
+
+	// Children are also derived from Analyzer. Return this object
+	// as pointer to an Analyzer.
+	Analyzer* AsAnalyzer()	{ return as_analyzer; }
+
+	static bool Available()	{ return true; }
+
+protected:
+	void PIA_Done();
+	void PIA_DeliverPacket(int len, const u_char* data, bool is_orig,
+				int seq, const IP_Hdr* ip, int caplen);
+
+	enum State { INIT, BUFFERING, MATCHING_ONLY, SKIPPING } state;
+
+	// Buffers one chunk of data.  Used both for packet payload (incl.
+	// sequence numbers for TCP) and chunks of a reassembled stream.
+	struct DataBlock {
+		const u_char* data;
+		bool is_orig;
+		int len;
+		int seq;
+		DataBlock* next;
+	};
+
+	struct Buffer {
+		Buffer() { head = tail = 0; size = 0; state = INIT; }
+
+		DataBlock* head;
+		DataBlock* tail;
+		int size;
+		State state;
+	};
+
+	void AddToBuffer(Buffer* buffer, int seq, int len,
+				const u_char* data, bool is_orig);
+	void AddToBuffer(Buffer* buffer, int len,
+				const u_char* data, bool is_orig);
+	void ClearBuffer(Buffer* buffer);
+
+	DataBlock* CurrentPacket()	{ return &current_packet; }
+
+	void DoMatch(const u_char* data, int len, bool is_orig, bool bol,
+			bool eol, bool clear_state, const IP_Hdr* ip = 0);
+
+	void SetConn(Connection* c)	{ conn = c; }
+
+	Buffer pkt_buffer;
+
+private:
+	Analyzer* as_analyzer;
+	Connection* conn;
+	DataBlock current_packet;
+};
+
+// PIA for UDP.
+class PIA_UDP : public PIA, public Analyzer {
+public:
+	PIA_UDP(Connection* conn)
+	: PIA(this), Analyzer(AnalyzerTag::PIA_UDP, conn)
+		{ SetConn(conn); }
+	virtual ~PIA_UDP()	{ }
+
+	static Analyzer* InstantiateAnalyzer(Connection* conn)
+		{ return new PIA_UDP(conn); }
+
+protected:
+	virtual void Done()
+		{
+		Analyzer::Done();
+		PIA_Done();
+		}
+
+	virtual void DeliverPacket(int len, const u_char* data, bool is_orig,
+					int seq, const IP_Hdr* ip, int caplen)
+		{
+		Analyzer::DeliverPacket(len, data, is_orig, seq, ip, caplen);
+		PIA_DeliverPacket(len, data, is_orig, seq, ip, caplen);
+		}
+
+	virtual void ActivateAnalyzer(AnalyzerTag::Tag tag, const Rule* rule);
+	virtual void DeactivateAnalyzer(AnalyzerTag::Tag tag);
+};
+
+// PIA for TCP.  Accepts both packet and stream input (and reassembles
+// packets before passing payload on to children).
+class PIA_TCP : public PIA, public TCP_ApplicationAnalyzer {
+public:
+	PIA_TCP(Connection* conn)
+	: PIA(this), TCP_ApplicationAnalyzer(AnalyzerTag::PIA_TCP, conn)
+		{ stream_mode = false; SetConn(conn); }
+
+	virtual ~PIA_TCP();
+
+	virtual void Init();
+
+	// The first packet for each direction of a connection is passed
+	// in here.
+	//
+	// (This is a bit crude as it doesn't really fit nicely into the
+	// analyzer interface.  Yet we need it for initializing the packet
+	// matcher in the case that we already get reassembled input,
+	// and making it part of the general analyzer interface seems
+	// to be unnecessary overhead.)
+	void FirstPacket(bool is_orig, const IP_Hdr* ip);
+
+	void ReplayStreamBuffer(Analyzer* analyzer);
+
+	static Analyzer* InstantiateAnalyzer(Connection* conn)
+		{ return new PIA_TCP(conn); }
+
+protected:
+	virtual void Done()
+		{
+		Analyzer::Done();
+		PIA_Done();
+		}
+
+	virtual void DeliverPacket(int len, const u_char* data, bool is_orig,
+					int seq, const IP_Hdr* ip, int caplen)
+		{
+		Analyzer::DeliverPacket(len, data, is_orig, seq, ip, caplen);
+		PIA_DeliverPacket(len, data, is_orig, seq, ip, caplen);
+		}
+
+	virtual void DeliverStream(int len, const u_char* data, bool is_orig);
+	virtual void Undelivered(int seq, int len, bool is_orig);
+
+	virtual void ActivateAnalyzer(AnalyzerTag::Tag tag,
+					const Rule* rule = 0);
+	virtual void DeactivateAnalyzer(AnalyzerTag::Tag tag);
+
+private:
+	// FIXME: Not sure yet whether we need both pkt_buffer and stream_buffer.
+	// In any case, it's easier this way...
+	Buffer stream_buffer;
+
+	bool stream_mode;
+};
+
+#endif
diff --git a/src/POP3.cc b/src/POP3.cc
new file mode 100644
index 0000000000..4f1f2a5ea7
--- /dev/null
+++ b/src/POP3.cc
@@ -0,0 +1,889 @@
+// $Id: POP3.cc 6782 2009-06-28 02:19:03Z vern $
+
+// This code contributed to Bro by Florian Schimandl, Hugh Dollman and
+// Robin Sommer.
+
+#include "config.h"
+
+#include <stdlib.h>
+#include <iostream>
+#include <vector>
+#include <string>
+#include <ctype.h>
+
+#include "NetVar.h"
+#include "POP3.h"
+#include "Event.h"
+#include "NVT.h"
+
+#undef POP3_CMD_DEF
+#define POP3_CMD_DEF(cmd)	#cmd,
+
+static const char* pop3_cmd_word[] = {
+#include "POP3_cmd.def"
+};
+
+#define POP3_CMD_WORD(code) ((code >= 0) ? pop3_cmd_word[code] : "(UNKNOWN)")
+
+
+POP3_Analyzer::POP3_Analyzer(Connection* conn)
+: TCP_ApplicationAnalyzer(AnalyzerTag::POP3, conn)
+	{
+	masterState = POP3_START;
+	subState = POP3_WOK;
+	state = START;
+	lastState = START;
+
+	guessing = false;
+	waitingForAuthentication = false;
+	requestForMultiLine = false;
+	multiLine = false;
+	backOff = false;
+
+	mail = 0;
+
+	AddSupportAnalyzer(new ContentLine_Analyzer(conn, true));
+	AddSupportAnalyzer(new ContentLine_Analyzer(conn, false));
+	}
+
+POP3_Analyzer::~POP3_Analyzer()
+	{
+	}
+
+void POP3_Analyzer::Done()
+	{
+	TCP_ApplicationAnalyzer::Done();
+
+	if ( mail )
+		EndData();
+	}
+
+
+void POP3_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
+	{
+	TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
+
+	if ( (TCP() && TCP()->IsPartial()) || backOff )
+		return;
+
+	BroString terminated_string(data, len, 1);
+
+	if ( orig )
+		ProcessRequest(len, (char*) terminated_string.Bytes());
+	else
+		ProcessReply(len, (char*) terminated_string.Bytes());
+	}
+
+static string trim_whitespace(const char* in)
+	{
+	int n = strlen(in);
+	char out[n];
+	char* out_p = out;
+
+	in = skip_whitespace(in);
+
+	while ( *in )
+		{
+		// It might be better to use isspace() here, but the
+		// original code just compared with ' '.
+		if ( *in == ' ' )
+			{
+			// See if there is any following character.
+			++in;
+			while ( *in && *in == ' ' )
+				++in;
+
+			if ( ! *in )
+				break;
+
+			// There's a following character, so put in a
+			// single blank to represent the ones we
+			// compressed out.
+			*(out_p++) = ' ';
+			}
+
+		// If we get this far, then we have a non-blank
+		// character to copy.
+		*(out_p++) = *(in++);
+		}
+
+	*out_p = 0;
+
+	return string(out);
+	}
+
+void POP3_Analyzer::ProcessRequest(int length, const char* line)
+	{
+	if ( waitingForAuthentication )
+		{
+		++authLines;
+
+		BroString encoded(line);
+		BroString* decoded = decode_base64(&encoded);
+
+		if ( ! decoded )
+			{
+			Weird("pop3_bad_base64_encoding");
+			return;
+			}
+
+		switch ( state ) {
+		case AUTH_LOGIN:
+			// Format: Line 1 - User
+			//         Line 2 - Password
+			if ( authLines == 1 )
+				user = decoded->CheckString();
+
+			else if ( authLines == 2 )
+				password = decoded->CheckString();
+
+			break;
+
+		case AUTH_PLAIN:
+			{
+			// Format: "authorization identity<NUL>authentication
+			//		identity<NUL>password"
+			char* str = (char*) decoded->Bytes();
+			int len = decoded->Len();
+			char* end = str + len;
+			char* s;
+			char* e;
+
+			for ( s = str; s < end && *s; ++s )
+				;
+			++s;
+
+			for ( e = s; e < end && *e; ++e )
+				;
+
+			if ( e >= end )
+				{
+				Weird("pop3_malformed_auth_plain");
+				return;
+				}
+
+			user = s;
+			s = e + 1;
+
+			if ( s >= end )
+				{
+				Weird("pop3_malformed_auth_plain");
+				return;
+				}
+
+			char tmp[len];	// more than enough
+			int n = len - (s - str);
+			memcpy(tmp, s, n);
+			tmp[n] = '\0';
+			password = tmp;
+
+			break;
+			}
+
+		case AUTH_CRAM_MD5:
+			{ // Format: "user<space>password-hash"
+			char* s;
+			char* str = (char*) decoded->CheckString();
+
+			for ( s = str; *s && *s != '\t' && *s != ' '; ++s )
+				;
+			*s = '\0';
+
+			user = str;
+			password = "";
+
+			break;
+			}
+
+		case AUTH:
+			break;
+
+		default:
+			internal_error("unexpected authorization state");
+		}
+
+		delete decoded;
+		}
+
+	else
+		{
+		// Some clients pipeline their commands (i.e., keep sending
+		// without waiting for a server's responses). Therefore we
+		// keep a list of pending commands.
+		cmds.push_back(string(line));
+
+		if ( cmds.size() == 1 )
+			// Not waiting for another server response,
+			// so we can process it immediately.
+			ProcessClientCmd();
+		}
+
+	}
+
+static string commands[] = {
+	"OK", "ERR", "USER", "PASS", "APOP", "AUTH",
+	"STAT", "LIST", "RETR", "DELE", "RSET", "NOOP", "LAST", "QUIT",
+	"TOP", "CAPA", "UIDL", "STLS", "XSENDER",
+};
+
+void POP3_Analyzer::NotAllowed(const char* cmd, const char* state)
+	{
+	POP3Event(pop3_unexpected, true, cmd,
+		fmt("not allowed in other state than '%s'", state));
+	}
+
+void POP3_Analyzer::ProcessClientCmd()
+	{
+	if ( ! cmds.size() )
+		return;
+
+	string str = trim_whitespace(cmds.front().c_str());
+	vector<string> tokens = TokenizeLine(str, ' ');
+
+	int cmd_code = -1;
+	const char* cmd = "";
+
+	if ( tokens.size() > 0 )
+		cmd_code = ParseCmd(tokens[0]);
+
+	if ( cmd_code == -1 )
+		{
+		if ( ! waitingForAuthentication )
+			{
+			Weird("pop3_client_command_unknown");
+			if ( subState == POP3_WOK )
+				subState = POP3_OK;
+			}
+		return;
+		}
+
+	cmd = commands[cmd_code].c_str();
+
+	const char* message = tokens.size() > 1 ? tokens[1].c_str() : "";
+
+	switch ( cmd_code ) {
+	case POP3_CMD_ERR:
+	case POP3_CMD_OK:
+		Weird("pop3_client_sending_server_commands");
+		break;
+
+	case POP3_CMD_USER:
+		if ( masterState == POP3_AUTHORIZATION )
+			{
+			POP3Event(pop3_request, true, cmd, message);
+			state = USER;
+			subState = POP3_WOK;
+			user = message;
+			}
+		else
+			NotAllowed(cmd, "authorization");
+		break;
+
+	case POP3_CMD_PASS:
+		if ( masterState == POP3_AUTHORIZATION )
+			{
+			if ( state == USER )
+				{
+				POP3Event(pop3_request, true, cmd, message);
+				state = PASS;
+				subState = POP3_WOK;
+				password = message;
+				}
+			else
+				POP3Event(pop3_unexpected, true, cmd,
+					"pass must follow the command 'USER'");
+			}
+		else
+			NotAllowed(cmd, "authorization");
+		break;
+
+	case POP3_CMD_APOP:
+		if ( masterState == POP3_AUTHORIZATION )
+			{
+			POP3Event(pop3_request, true, cmd, message);
+			state = APOP;
+			subState = POP3_WOK;
+
+			char* arg1 = copy_string(message);
+			char* e;
+			for ( e = arg1; *e && *e != ' ' && *e != '\t'; ++e )
+				;
+			*e = '\0';
+			user = arg1;
+			delete [] arg1;
+			}
+		else
+			NotAllowed(cmd, "authorization");
+		break;
+
+	case POP3_CMD_AUTH:
+		if ( masterState == POP3_AUTHORIZATION )
+			{
+			POP3Event(pop3_request, true, cmd, message);
+			if ( ! *message )
+				{
+				requestForMultiLine = true;
+				state = AUTH;
+				subState = POP3_WOK;
+				}
+			else
+				{
+				if ( strstr(message, "LOGIN") )
+					state = AUTH_LOGIN;
+				else if ( strstr(message, "PLAIN") )
+					state = AUTH_PLAIN;
+				else if ( strstr(message, "CRAM-MD5") )
+					state = AUTH_CRAM_MD5;
+				else
+					{
+					state = AUTH;
+					POP3Event(pop3_unexpected, true, cmd,
+						fmt("unknown AUTH method %s", message));
+					}
+
+				subState = POP3_WOK;
+				waitingForAuthentication = true;
+				authLines = 0;
+				}
+			}
+		else
+			POP3Event(pop3_unexpected, true, cmd,
+				"pass must follow the command 'USER'");
+		break;
+
+	case POP3_CMD_STAT:
+		if ( masterState == POP3_TRANSACTION )
+			{
+			POP3Event(pop3_request, true, cmd, message);
+			subState = POP3_WOK;
+			state = STAT;
+			}
+		else
+			NotAllowed(cmd, "transaction");
+		break;
+
+	case POP3_CMD_LIST:
+		if ( masterState == POP3_TRANSACTION )
+			{
+			POP3Event(pop3_request, true, cmd, message);
+			if ( ! *message )
+				{
+				requestForMultiLine = true;
+				state = LIST;
+				subState = POP3_WOK;
+				}
+			else
+				{
+				state = LIST;
+				subState = POP3_WOK;
+				}
+			}
+		else
+			{
+			if ( ! *message )
+				requestForMultiLine = true;
+
+			guessing = true;
+			lastState = LIST;
+			NotAllowed(cmd, "transaction");
+			}
+		break;
+
+	case POP3_CMD_RETR:
+		requestForMultiLine = true;
+		if ( masterState == POP3_TRANSACTION )
+			{
+			POP3Event(pop3_request, true, cmd, message);
+			subState = POP3_WOK;
+			state = RETR;
+			}
+		else
+			{
+			guessing = true;
+			lastState = RETR;
+			NotAllowed(cmd, "transaction");
+			}
+		break;
+
+	case POP3_CMD_DELE:
+		if ( masterState == POP3_TRANSACTION )
+			{
+			POP3Event(pop3_request, true, cmd, message);
+			subState = POP3_WOK;
+			state = DELE;
+			}
+		else
+			{
+			guessing = true;
+			lastState = DELE;
+			NotAllowed(cmd, "transaction");
+			}
+		break;
+
+	case POP3_CMD_RSET:
+		if ( masterState == POP3_TRANSACTION )
+			{
+			POP3Event(pop3_request, true, cmd, message);
+			subState = POP3_WOK;
+			state = RSET;
+			}
+		else
+			{
+			guessing = true;
+			lastState = RSET;
+			NotAllowed(cmd, "transaction");
+			}
+		break;
+
+	case POP3_CMD_NOOP:
+		if ( masterState == POP3_TRANSACTION )
+			{
+			POP3Event(pop3_request, true, cmd, message);
+			subState = POP3_WOK;
+			state = NOOP;
+			}
+		else
+			{
+			guessing = true;
+			lastState = NOOP;
+			NotAllowed(cmd, "transaction");
+			}
+		break;
+
+	case POP3_CMD_LAST:
+		if ( masterState == POP3_TRANSACTION )
+			{
+			POP3Event(pop3_request, true, cmd, message);
+			subState = POP3_WOK;
+			state = LAST;
+			}
+		else
+			{
+			guessing = true;
+			lastState = LAST;
+			NotAllowed(cmd, "transaction");
+			}
+		break;
+
+	case POP3_CMD_QUIT:
+		if ( masterState == POP3_AUTHORIZATION ||
+		     masterState == POP3_TRANSACTION ||
+		     masterState == POP3_START )
+			{
+			POP3Event(pop3_request, true, cmd, message);
+			subState = POP3_WOK;
+			state = QUIT;
+			}
+		else
+			{
+			guessing = true;
+			lastState = LAST;
+			NotAllowed(cmd, "transaction");
+			}
+		break;
+
+	case POP3_CMD_TOP:
+		requestForMultiLine = true;
+
+		if ( masterState == POP3_TRANSACTION )
+			{
+			POP3Event(pop3_request, true, cmd, message);
+			subState = POP3_WOK;
+			state = TOP;
+			}
+		else
+			{
+			guessing = true;
+			lastState = TOP;
+			NotAllowed(cmd, "transaction");
+			}
+		break;
+
+	case POP3_CMD_CAPA:
+		POP3Event(pop3_request, true, cmd, message);
+		subState = POP3_WOK;
+		state = CAPA;
+		requestForMultiLine = true;
+		break;
+
+	case POP3_CMD_STLS:
+		POP3Event(pop3_request, true, cmd, message);
+		subState = POP3_WOK;
+		state = STLS;
+		break;
+
+	case POP3_CMD_UIDL:
+		if ( masterState == POP3_TRANSACTION )
+			{
+			POP3Event(pop3_request, true, cmd, message);
+			if ( ! *message )
+				{
+				requestForMultiLine = true;
+				state = UIDL;
+				subState = POP3_WOK;
+				}
+			else
+				{
+				state = UIDL;
+				subState = POP3_WOK;
+				}
+			}
+		else
+			{
+			if ( ! *message )
+				requestForMultiLine = true;
+
+			guessing = true;
+			lastState = UIDL;
+			NotAllowed(cmd, "transaction");
+			}
+		break;
+
+	case POP3_CMD_XSENDER:
+		if ( masterState == POP3_TRANSACTION )
+			{
+			POP3Event(pop3_request, true, cmd, message);
+			subState = POP3_WOK;
+			state = LAST;
+			}
+		else
+			{
+			guessing = true;
+			lastState = XSENDER;
+			NotAllowed(cmd, "transaction");
+			}
+		break;
+
+	default: 
+		internal_error("command not known");
+	}
+	}
+
+void POP3_Analyzer::FinishClientCmd()
+	{
+	if ( ! cmds.size() )
+		return;
+
+	cmds.pop_front();
+	ProcessClientCmd();
+	}
+
+void POP3_Analyzer::ProcessReply(int length, const char* line)
+	{
+	const char* end_of_line = line + length;
+	string str = trim_whitespace(line);
+
+	if ( multiLine == true )
+		{
+		bool terminator =
+			length > 1 && line[0] == '.' &&
+			(line[1] == '\n' ||
+			 (length > 2 && line[1] == '\r' && line[2] == '\n'));
+
+		if ( terminator )
+			{
+			requestForMultiLine = false;
+			multiLine = false;
+			if ( mail )
+				EndData();
+			FinishClientCmd();
+			}
+		else
+			{
+			if ( state == RETR || state == TOP )
+				{
+				int data_len = end_of_line - line;
+				ProcessData(data_len, line);
+				}
+
+			// ### It can be quite costly doing this per-line
+			// as opposed to amortized over large packets that
+			// contain many lines.
+			POP3Event(pop3_data, false, str.c_str());
+			}
+		return;
+		}
+
+	int cmd_code = -1;
+	const char* cmd = "";
+
+	vector<string> tokens = TokenizeLine(str, ' ');
+	if ( tokens.size() > 0 )
+		cmd_code = ParseCmd(tokens[0]);
+
+	if ( cmd_code == -1 )
+		{
+		if ( ! waitingForAuthentication )
+			{
+			ProtocolViolation(fmt("unknown server command (%s)",
+						(tokens.size() > 0 ?
+							tokens[0].c_str() :
+							"???")),
+						line, length);
+
+			Weird("pop3_server_command_unknown");
+			if ( subState == POP3_WOK )
+				subState = POP3_OK;
+			}
+		return;
+		}
+
+	cmd = commands[cmd_code].c_str();
+
+	const char* message = tokens.size() > 1 ? tokens[1].c_str() : "";
+
+	switch ( cmd_code ) {
+	case POP3_CMD_OK:
+		if ( subState == POP3_WOK )
+			subState = POP3_OK;
+
+		if ( guessing )
+			{
+			masterState = POP3_TRANSACTION;
+			guessing = false;
+			state = lastState;
+			POP3Event(pop3_unexpected, false, cmd,
+				"no auth required -> state changed to 'transaction'");
+			}
+
+		switch ( state ) {
+		case START:
+			masterState = POP3_AUTHORIZATION;
+			break;
+
+		case USER:
+			state = USER;
+			masterState = POP3_AUTHORIZATION;
+			ProtocolConfirmation();
+			break;
+
+		case PASS:
+		case APOP:
+		case NOOP:
+		case LAST:
+		case STAT:
+		case RSET:
+		case DELE:
+		case XSENDER:
+			if ( masterState == POP3_AUTHORIZATION )
+				AuthSuccessfull();
+			masterState = POP3_TRANSACTION;
+			break;
+
+		case AUTH:
+		case AUTH_PLAIN:
+		case AUTH_CRAM_MD5:
+		case AUTH_LOGIN:
+			if ( requestForMultiLine == true )
+				multiLine = true;
+			if ( waitingForAuthentication )
+				masterState = POP3_TRANSACTION;
+			waitingForAuthentication = false;
+			AuthSuccessfull();
+			break;
+
+		case TOP:
+		case RETR:
+			{
+			int data_len = end_of_line - line;
+			if ( ! mail ) 
+				BeginData();
+			ProcessData(data_len, line);
+			if ( requestForMultiLine == true )
+				multiLine = true;
+			break;
+			}
+
+		case UIDL:
+		case LIST:
+		case CAPA:
+			if (requestForMultiLine == true)
+				multiLine = true;
+			break;
+
+		case STLS:
+			backOff = true;
+			POP3Event(pop3_terminate, false, "Terminating due to TLS");
+			return;
+
+		case QUIT:
+			if ( masterState == POP3_AUTHORIZATION ||
+			     masterState == POP3_START )
+				masterState = POP3_FINISHED;
+
+			else if ( masterState == POP3_TRANSACTION )
+				masterState = POP3_UPDATE;
+
+			break;
+		}
+
+		POP3Event(pop3_reply, false, cmd, message);
+		// no else part, ignoring multiple OKs
+
+		if ( ! multiLine )
+			FinishClientCmd();
+		break;
+
+	case POP3_CMD_ERR:
+		if ( subState == POP3_WOK )
+			subState = POP3_OK;
+
+		multiLine = false;
+		requestForMultiLine = false;
+		guessing = false;
+		waitingForAuthentication = false;
+
+		switch ( state ) {
+		case START:
+			break;
+
+		case USER:
+		case PASS:
+		case APOP:
+		case AUTH:
+		case AUTH_LOGIN:
+		case AUTH_PLAIN:
+		case AUTH_CRAM_MD5:
+			masterState = POP3_AUTHORIZATION;
+			state = START;
+			waitingForAuthentication = false;
+
+			if ( user.size() )
+				POP3Event(pop3_login_failure, false,
+					user.c_str(), password.c_str());
+			break;
+
+		case NOOP:
+		case LAST:
+		case STAT:
+		case RSET:
+		case DELE:
+		case LIST:
+		case RETR:
+		case UIDL:
+		case TOP:
+		case XSENDER:
+			masterState = POP3_TRANSACTION;
+			break;
+
+		case CAPA:
+			break;
+
+		case QUIT:
+			if ( masterState == POP3_AUTHORIZATION ||
+			     masterState == POP3_TRANSACTION ||
+			     masterState == POP3_START )
+				masterState = POP3_FINISHED;
+			break;
+		}
+
+		POP3Event(pop3_reply, false, cmd, message);
+
+		if ( ! multiLine )
+			FinishClientCmd();
+		break;
+
+	default: 
+		Weird("pop3_server_sending_client_commands");
+		break;
+	}
+	}
+
+void POP3_Analyzer::AuthSuccessfull()
+	{
+	if ( user.size() )
+		POP3Event(pop3_login_success, false,
+				user.c_str(), password.c_str());
+	}
+
+void POP3_Analyzer::BeginData()
+	{
+	delete mail;
+	mail = new MIME_Mail(this);
+	}
+
+void POP3_Analyzer::EndData()
+	{
+	if ( ! mail )
+		warn("unmatched end of data");
+	else
+		{
+		mail->Done();
+		delete mail;
+		mail = 0;
+		}
+	}
+
+void POP3_Analyzer::ProcessData(int length, const char* line)
+	{
+	mail->Deliver(length, line, 1);
+	}
+
+int POP3_Analyzer::ParseCmd(string cmd)
+	{
+	if ( cmd.size() == 0 )
+		return -1;
+
+	for ( int code = POP3_CMD_OK; code <= POP3_CMD_END; ++code )
+		{
+		char c = cmd.c_str()[0];
+		if ( c == '+' || c == '-' )
+			cmd = cmd.substr(1);
+
+		for ( unsigned int i = 0; i < cmd.size(); ++i )
+			cmd[i] = toupper(cmd[i]);
+
+		if ( ! cmd.compare(pop3_cmd_word[code]) )
+			return code;
+		}
+
+	return -1;
+	}
+
+vector<string> POP3_Analyzer::TokenizeLine(const string input, const char split)
+	{
+	vector<string> tokens;
+
+	if ( input.size() < 1 )
+		return tokens;
+
+	int start = 0;
+	unsigned int splitPos = 0;
+	string token = "";
+
+	if ( input.find(split, 0) == string::npos )
+		{
+		tokens.push_back(input);
+		return tokens;
+		}
+
+	if ( (splitPos = input.find(split, 0)) < input.size() )
+		{
+		token = input.substr(start, splitPos);
+		if ( token.size() > 0 && token[0] != split )
+			tokens.push_back(token);
+
+		token = input.substr(splitPos+1, input.size() - splitPos);
+		tokens.push_back(token);
+		}
+
+	return tokens;
+	}
+
+void POP3_Analyzer::POP3Event(EventHandlerPtr event, bool is_orig,
+				const char* arg1, const char* arg2)
+	{
+	if ( ! event )
+		return;
+
+	val_list* vl = new val_list;
+
+	vl->append(BuildConnVal());
+	vl->append(new Val(is_orig, TYPE_BOOL));
+	if ( arg1 )
+		vl->append(new StringVal(arg1));
+	if ( arg2 )
+		vl->append(new StringVal(arg2));
+
+	ConnectionEvent(event, vl);
+	}
diff --git a/src/POP3.h b/src/POP3.h
new file mode 100644
index 0000000000..6ad0a7e755
--- /dev/null
+++ b/src/POP3.h
@@ -0,0 +1,120 @@
+// $Id: POP3.h 3526 2006-09-12 07:32:21Z vern $
+
+// This code contributed to Bro by Florian Schimandl and Hugh Dollman.
+//
+// An analyser for the POP3 protocol.
+
+#ifndef pop3_h
+#define pop3_h
+
+#include <vector>
+#include <string>
+#include <algorithm>
+
+#include "NVT.h"
+#include "TCP.h"
+#include "MIME.h"
+
+
+#undef POP3_CMD_DEF
+#define POP3_CMD_DEF(cmd)	POP3_CMD_##cmd,
+
+typedef enum {
+#include "POP3_cmd.def"
+} POP3_Cmd;
+
+typedef enum {
+	POP3_START,
+	POP3_AUTHORIZATION,
+	POP3_TRANSACTION,
+	POP3_UPDATE,
+	POP3_FINISHED,
+} POP3_MasterState;
+
+typedef enum {
+	START,
+	USER,
+	PASS,
+	APOP,
+	AUTH,
+	AUTH_PLAIN,
+	AUTH_LOGIN,
+	AUTH_CRAM_MD5,
+	NOOP,
+	LAST,
+	STAT,
+	LIST,
+	RETR,
+	DELE,
+	UIDL,
+	TOP,
+	QUIT,
+	RSET,
+	CAPA,
+	STLS,
+	XSENDER,
+	MISC,
+	END,
+} POP3_State;
+
+typedef enum {
+	POP3_OK,
+	POP3_WOK,
+} POP3_SubState;
+
+class POP3_Analyzer : public TCP_ApplicationAnalyzer {
+public:
+	POP3_Analyzer(Connection* conn);
+	~POP3_Analyzer();
+
+	virtual void Done();
+	virtual void DeliverStream(int len, const u_char* data, bool orig);
+
+	static Analyzer* InstantiateAnalyzer(Connection* conn)
+		{
+		return new POP3_Analyzer(conn);
+		}
+
+	static bool Available()
+		{
+		return pop3_request || pop3_reply || pop3_data || pop3_unexpected;
+		}
+
+protected:
+	int masterState;
+	int subState;
+	int state;
+	int lastState;
+	bool multiLine;
+	bool guessing;
+	bool requestForMultiLine;
+	bool waitingForAuthentication;
+	int lastRequiredCommand;
+	int authLines;
+
+	string user;
+	string password;
+
+	void ProcessRequest(int length, const char* line);
+	void ProcessReply(int length, const char* line);
+	void NotAllowed(const char* cmd, const char* state);
+	void ProcessClientCmd();
+	void FinishClientCmd();
+	void BeginData();
+	void ProcessData(int length, const char* line);
+	void EndData();
+
+	vector<string> TokenizeLine(const string input, const char split);
+	int ParseCmd(string cmd);
+	void AuthSuccessfull();
+	void POP3Event(EventHandlerPtr event, bool is_orig,
+			const char* arg1 = 0, const char* arg2 = 0);
+
+	MIME_Mail* mail;
+	list<string> cmds;
+
+private:
+	bool backOff;
+};
+
+#endif
diff --git a/src/POP3_cmd.def b/src/POP3_cmd.def
new file mode 100644
index 0000000000..ea979bf140
--- /dev/null
+++ b/src/POP3_cmd.def
@@ -0,0 +1,45 @@
+// Definitions of POP3 commands (RFC 1939)
+
+// Server-side Status Indicators.
+POP3_CMD_DEF(OK)
+POP3_CMD_DEF(ERR)
+
+// ===========================================
+// AUTHORIZATION - State
+
+POP3_CMD_DEF(USER)
+POP3_CMD_DEF(PASS)
+
+// Additional commands (not required to be implemented).
+
+POP3_CMD_DEF(APOP)
+POP3_CMD_DEF(AUTH)
+
+// POP3_CMD_DEF(QUIT) - also possible here, but without entering UPDATE-state.
+
+// ===========================================
+// TRANSACTION - State
+
+POP3_CMD_DEF(STAT)
+POP3_CMD_DEF(LIST)
+POP3_CMD_DEF(RETR)
+POP3_CMD_DEF(DELE)
+POP3_CMD_DEF(RSET)
+POP3_CMD_DEF(NOOP)
+POP3_CMD_DEF(LAST)
+POP3_CMD_DEF(QUIT)
+
+// Additional commands (not required to be implemented).
+
+POP3_CMD_DEF(TOP)
+POP3_CMD_DEF(CAPA)
+POP3_CMD_DEF(UIDL)
+POP3_CMD_DEF(STLS)
+POP3_CMD_DEF(XSENDER)
+
+POP3_CMD_DEF(END)
+
+// ===========================================
+// UPDATE - State
+// no commands here
+
diff --git a/src/PacketDumper.cc b/src/PacketDumper.cc
new file mode 100644
index 0000000000..f11137ff08
--- /dev/null
+++ b/src/PacketDumper.cc
@@ -0,0 +1,44 @@
+// $Id:$
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+
+#include "config.h"
+
+#include <assert.h>
+#include <stdlib.h>
+
+#include "Event.h"
+#include "Net.h"
+#include "PacketDumper.h"
+
+PacketDumper::PacketDumper(pcap_dumper_t* arg_pkt_dump)
+	{
+	last_timestamp.tv_sec = last_timestamp.tv_usec = 0;
+
+	pkt_dump = arg_pkt_dump;
+	if ( ! pkt_dump )
+		internal_error("PacketDumper: nil dump file");
+	}
+
+void PacketDumper::DumpPacket(const struct pcap_pkthdr* hdr,
+				const u_char* pkt, int len)
+	{
+	if ( pkt_dump )
+		{
+		struct pcap_pkthdr h = *hdr;
+		h.caplen = len;
+		if ( h.caplen > hdr->caplen )
+			internal_error("bad modified caplen");
+
+		pcap_dump((u_char*) pkt_dump, &h, pkt);
+		}
+	}
+
+void PacketDumper::SortTimeStamp(struct timeval* timestamp)
+	{
+	if ( time_compare(&last_timestamp, timestamp) > 0 )
+		*timestamp = last_timestamp;
+	else
+		last_timestamp = *timestamp;
+	}
diff --git a/src/PacketDumper.h b/src/PacketDumper.h
new file mode 100644
index 0000000000..bc22dda41e
--- /dev/null
+++ b/src/PacketDumper.h
@@ -0,0 +1,48 @@
+// $Id:$
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#ifndef packetdumper_h
+#define packetdumper_h
+
+using namespace std;
+
+#include <queue>
+#include <set>
+
+#include <pcap.h>
+
+class PacketDumper {
+public:
+	PacketDumper(pcap_dumper_t* pkt_dump);
+
+	void DumpPacket(const struct pcap_pkthdr* hdr,
+			const u_char* pkt, int len);
+
+protected:
+	pcap_dumper_t* pkt_dump;
+	struct timeval last_timestamp;
+
+	void SortTimeStamp(struct timeval* timestamp);
+};
+
+struct IP_ID {
+	uint32 ip, id;
+};
+
+struct ltipid {
+	bool operator()(IP_ID id1, IP_ID id2) const
+		{
+		return id1.ip != id2.ip ? (id1.ip < id2.ip) :
+					  (id1.id < id2.id);
+		}
+};
+
+typedef set<IP_ID, ltipid> IP_IDSet;
+uint16 NextIP_ID(const uint32 src_addr, const uint16 id);
+
+extern PacketDumper* transformed_pkt_dump;
+extern PacketDumper* source_pkt_dump;
+extern int transformed_pkt_dump_MTU;
+
+#endif
diff --git a/src/PacketFilter.cc b/src/PacketFilter.cc
new file mode 100644
index 0000000000..7ff97fac46
--- /dev/null
+++ b/src/PacketFilter.cc
@@ -0,0 +1,106 @@
+// $Id: PacketFilter.cc 967 2005-01-03 07:19:06Z vern $
+
+#include "PacketFilter.h"
+
+void PacketFilter::AddSrc(addr_type src, uint32 tcp_flags, double probability)
+	{
+	Filter* f = new Filter;
+	f->tcp_flags = tcp_flags;
+	f->probability = uint32(probability * RAND_MAX);
+	src_filter.Insert(src, NUM_ADDR_WORDS * 32, f);
+	}
+
+void PacketFilter::AddSrc(Val* src, uint32 tcp_flags, double probability)
+	{
+	Filter* f = new Filter;
+	f->tcp_flags = tcp_flags;
+	f->probability = uint32(probability * RAND_MAX);
+	src_filter.Insert(src, f);
+	}
+
+void PacketFilter::AddDst(addr_type dst, uint32 tcp_flags, double probability)
+	{
+	Filter* f = new Filter;
+	f->tcp_flags = tcp_flags;
+	f->probability = uint32(probability * RAND_MAX);
+	dst_filter.Insert(dst, NUM_ADDR_WORDS * 32, f);
+	}
+
+void PacketFilter::AddDst(Val* dst, uint32 tcp_flags, double probability)
+	{
+	Filter* f = new Filter;
+	f->tcp_flags = tcp_flags;
+	f->probability = uint32(probability * RAND_MAX);
+	dst_filter.Insert(dst, f);
+	}
+
+bool PacketFilter::RemoveSrc(addr_type src)
+	{
+	return src_filter.Remove(src, NUM_ADDR_WORDS * 32) != 0;
+	}
+
+bool PacketFilter::RemoveSrc(Val* src)
+	{
+	return src_filter.Remove(src) != NULL;
+	}
+
+bool PacketFilter::RemoveDst(addr_type dst)
+	{
+	return dst_filter.Remove(dst, NUM_ADDR_WORDS * 32) != NULL;
+	}
+
+bool PacketFilter::RemoveDst(Val* dst)
+	{
+	return dst_filter.Remove(dst) != NULL;
+	}
+
+bool PacketFilter::Match(const IP_Hdr* ip, int len, int caplen)
+	{
+#ifdef BROv6
+	Filter* f = (Filter*) src_filter.Lookup(ip->SrcAddr(),
+						NUM_ADDR_WORDS * 32);
+#else
+	Filter* f = (Filter*) src_filter.Lookup(*ip->SrcAddr(),
+						NUM_ADDR_WORDS * 32);
+#endif
+	if ( f )
+		return MatchFilter(*f, *ip, len, caplen);
+
+#ifdef BROv6
+	f = (Filter*) dst_filter.Lookup(ip->DstAddr(), NUM_ADDR_WORDS * 32);
+#else
+	f = (Filter*) dst_filter.Lookup(*ip->DstAddr(), NUM_ADDR_WORDS * 32);
+#endif
+	if ( f )
+		return MatchFilter(*f, *ip, len, caplen);
+
+	return default_match;
+	}
+
+bool PacketFilter::MatchFilter(const Filter& f, const IP_Hdr& ip,
+				int len, int caplen)
+	{
+	if ( ip.NextProto() == IPPROTO_TCP && f.tcp_flags )
+		{
+		// Caution! The packet sanity checks have not been performed yet
+		const struct ip* ip4 = ip.IP4_Hdr();
+
+		int ip_hdr_len = ip4->ip_hl * 4;
+		len -= ip_hdr_len;	// remove IP header
+		caplen -= ip_hdr_len;
+
+		if ( (unsigned int) len < sizeof(struct tcphdr) ||
+		     (unsigned int) caplen < sizeof(struct tcphdr) )
+			// Packet too short, will be dropped anyway.
+			return false;
+
+		const struct tcphdr* tp =
+			(const struct tcphdr*) ((u_char*) ip4 + ip_hdr_len);
+
+		if ( tp->th_flags & f.tcp_flags )
+			 // At least one of the flags is set, so don't drop
+			return false;
+		}
+
+	return uint32(random()) < f.probability;
+	}
diff --git a/src/PacketFilter.h b/src/PacketFilter.h
new file mode 100644
index 0000000000..6a70504280
--- /dev/null
+++ b/src/PacketFilter.h
@@ -0,0 +1,47 @@
+// $Id: PacketFilter.h 80 2004-07-14 20:15:50Z jason $
+//
+// Provides some very limited but fast packet filter mechanisms
+
+#ifndef PACKETFILTER_H
+#define PACKETFILTER_H
+
+#include "IP.h"
+#include "PrefixTable.h"
+
+class PacketFilter {
+public:
+	PacketFilter(bool arg_default)	{ default_match = arg_default; }
+	~PacketFilter()	{}
+
+	// Drops all packets from a particular source (which may be given
+	// as an AddrVal or a SubnetVal) which hasn't any of TCP flags set
+	// (TH_*) with the given probability (from 0..MAX_PROB).
+	void AddSrc(addr_type src, uint32 tcp_flags, double probability);
+	void AddSrc(Val* src, uint32 tcp_flags, double probability);
+	void AddDst(addr_type src, uint32 tcp_flags, double probability);
+	void AddDst(Val* src, uint32 tcp_flags, double probability);
+
+	// Removes the filter entry for the given src/dst
+	// Returns false if filter doesn not exist.
+	bool RemoveSrc(addr_type src);
+	bool RemoveSrc(Val* dst);
+	bool RemoveDst(addr_type dst);
+	bool RemoveDst(Val* dst);
+
+	// Returns true if packet matches a drop filter
+	bool Match(const IP_Hdr* ip, int len, int caplen);
+
+private:
+	struct Filter {
+		uint32 tcp_flags;
+		uint32 probability;
+	};
+
+	bool MatchFilter(const Filter& f, const IP_Hdr& ip, int len, int caplen);
+
+	bool default_match;
+	PrefixTable src_filter;
+	PrefixTable dst_filter;
+};
+
+#endif
diff --git a/src/PacketSort.cc b/src/PacketSort.cc
new file mode 100644
index 0000000000..e2c18c4a4f
--- /dev/null
+++ b/src/PacketSort.cc
@@ -0,0 +1,360 @@
+// $Id: PacketSort.cc 3228 2006-06-08 02:12:03Z vern $
+
+#include "IP.h"
+#include "PacketSort.h"
+
+const bool DEBUG_packetsort = false;
+
+PacketSortElement::PacketSortElement(PktSrc* arg_src,
+			double arg_timestamp, const struct pcap_pkthdr* arg_hdr,
+			const u_char* arg_pkt, int arg_hdr_size)
+	{
+	src = arg_src;
+	timestamp = arg_timestamp;
+	hdr = *arg_hdr;
+	hdr_size = arg_hdr_size;
+
+	pkt = new u_char[hdr.caplen];
+	memcpy(pkt, arg_pkt, hdr.caplen);
+
+	is_tcp = 0;
+	ip_hdr = 0;
+	key = 0;
+
+	// Now check if it is a "parsable" TCP packet.
+	uint32 caplen = hdr.caplen;
+	uint32 tcp_offset;
+
+	if ( caplen >= sizeof(struct ip) + hdr_size )
+		{
+		const struct ip* ip = (const struct ip*) (pkt + hdr_size);
+		if ( ip->ip_v == 4 )
+			ip_hdr = new IP_Hdr(ip);
+		else
+			ip_hdr = new IP_Hdr((const struct ip6_hdr*) ip);
+
+		if ( ip_hdr->NextProto() == IPPROTO_TCP &&
+		      // Note: can't sort fragmented packets
+		     (ip_hdr->FragField() & 0x3fff) == 0 )
+			{
+			tcp_offset = hdr_size + ip_hdr->HdrLen();
+			if ( caplen >= tcp_offset + sizeof(struct tcphdr) )
+				{
+				const struct tcphdr* tp = (const struct tcphdr*)
+							(pkt + tcp_offset);
+
+				id.src_addr = ip_hdr->SrcAddr();
+				id.dst_addr = ip_hdr->DstAddr();
+				id.src_port = tp->th_sport;
+				id.dst_port = tp->th_dport;
+				id.is_one_way = 0;
+
+				endp = addr_port_canon_lt(id.src_addr,
+							  id.src_port,
+							  id.dst_addr,
+							  id.dst_port) ? 0 : 1;
+
+				seq[endp] = ntohl(tp->th_seq);
+
+				if ( tp->th_flags & TH_ACK )
+					seq[1-endp] = ntohl(tp->th_ack);
+				else
+					seq[1-endp] = 0;
+
+				tcp_flags = tp->th_flags;
+
+				// DEBUG_MSG("%.6f: %u, %u\n", timestamp, seq[0], seq[1]);
+
+				payload_length = ip_hdr->PayloadLen() - tp->th_off * 4;
+
+				key = id.BuildConnKey();
+
+				is_tcp = 1;
+				}
+			}
+		}
+
+	if ( DEBUG_packetsort && ! is_tcp )
+		DEBUG_MSG("%.6f non-TCP packet\n", timestamp);
+	}
+
+PacketSortElement::~PacketSortElement()
+	{
+	delete [] pkt;
+	delete ip_hdr;
+	delete key;
+	}
+
+int PacketSortPQ::Timestamp_Cmp(PacketSortElement* a, PacketSortElement* b)
+	{
+	double d = a->timestamp - b->timestamp;
+
+	if ( d > 0 ) return 1;
+	else if ( d < 0 ) return -1;
+	else return 0;
+	}
+
+int PacketSortPQ::UpdatePQ(PacketSortElement* prev_e, PacketSortElement* new_e)
+	{
+	int index = prev_e->pq_index[pq_level];
+
+	new_e->pq_index[pq_level] = index;
+	pq[index] = new_e;
+
+	if ( Cmp(prev_e, new_e) > 0 )
+		return FixUp(new_e, index);
+	else
+		{
+		FixDown(new_e, index);
+		return index == 0;
+		}
+	}
+
+int PacketSortPQ::AddToPQ(PacketSortElement* new_e)
+	{
+	int index = pq.size();
+
+	new_e->pq_index[pq_level] = index;
+	pq.push_back(new_e);
+
+	return FixUp(new_e, index);
+	}
+
+int PacketSortPQ::RemoveFromPQ(PacketSortElement* prev_e)
+	{
+	if ( pq.size() > 1 )
+		{
+		PacketSortElement* new_e = pq[pq.size() - 1];
+		pq.pop_back();
+		return UpdatePQ(prev_e, new_e);		
+		}
+	else
+		{
+		pq.pop_back();
+		return 1;
+		}
+	}
+
+void PacketSortPQ::Assign(int k, PacketSortElement* e)
+	{
+	pq[k] = e;
+	e->pq_index[pq_level] = k;
+	}
+
+PacketSortConnPQ::~PacketSortConnPQ()
+	{
+	// Delete elements only in ConnPQ (not in GlobalPQ) to avoid
+	// double delete.
+	for ( int i = 0; i < (int) pq.size(); ++i )
+		{
+		delete pq[i];
+		pq[i] = 0;
+		}
+	}
+
+int PacketSortConnPQ::Cmp(PacketSortElement* a, PacketSortElement* b)
+	{
+	// Note: here we do not distinguish between packets without
+	// an ACK and packets with seq/ack of 0. The later will sorted
+	// only by their timestamps.
+
+	if ( a->seq[0] && b->seq[0] && a->seq[0] != b->seq[0] )
+		return (a->seq[0] > b->seq[0]) ? 1 : -1;
+
+	else if ( a->seq[1] && b->seq[1] && a->seq[1] != b->seq[1] )
+		return (a->seq[1] > b->seq[1]) ? 1 : -1;
+
+	else
+		return Timestamp_Cmp(a, b);
+	}
+
+int PacketSortPQ::FixUp(PacketSortElement* e, int k)
+	{
+	if ( k == 0 )
+		{
+		Assign(0, e);
+		return 1;
+		}
+
+	int parent = (k-1) / 2;
+	if ( Cmp(pq[parent], e) > 0 )
+		{
+		Assign(k, pq[parent]);
+		return FixUp(e, parent);
+		}
+	else
+		{
+		Assign(k, e);
+		return 0;
+		}
+	}
+
+void PacketSortPQ::FixDown(PacketSortElement* e, int k)
+	{
+	uint32 kid = k * 2 + 1;
+
+	if ( kid >= pq.size() )
+		{
+		Assign(k, e);
+		return;
+		}
+
+	if ( kid + 1 < pq.size() && Cmp(pq[kid], pq[kid+1]) > 0 )
+		++kid;
+
+	if ( Cmp(e, pq[kid]) > 0 )
+		{
+		Assign(k, pq[kid]);
+		FixDown(e, kid);
+		}
+	else
+		Assign(k, e);
+	}
+
+
+int PacketSortConnPQ::Add(PacketSortElement* e)
+	{
+#if 0
+	int endp = e->endp;
+	uint32 end_seq = e->seq[endp] + e->payload_length;
+
+	int p = 1 - endp;
+	if ( (e->tcp_flags & TH_RST) && ! (e->tcp_flags & TH_ACK) )
+		{
+		DEBUG_MSG("%.6f %c: %u -> %u\n",
+			  e->TimeStamp(), (p == endp) ? 'S' : 'A',
+			  e->seq[p], next_seq[p]);
+		e->seq[p] = next_seq[p];
+		}
+
+	if ( end_seq > next_seq[endp] )
+		next_seq[endp] = end_seq;
+#endif
+
+	return AddToPQ(e);
+	}
+
+void PacketSortConnPQ::UpdateDeliveredSeq(int endp, int seq, int len, int ack)
+	{
+	if ( delivered_seq[endp] == 0 || delivered_seq[endp] == seq )
+		delivered_seq[endp] = seq + len;
+	if ( ack > delivered_seq[1 - endp] )
+		delivered_seq[endp] = ack;
+	}
+
+bool PacketSortConnPQ::IsContentGapSafe(PacketSortElement* e)
+	{
+	int ack = e->seq[1 - e->endp];
+	return ack <= delivered_seq[1 - e->endp];
+	}
+
+int PacketSortConnPQ::Remove(PacketSortElement* e)
+	{
+	int ret = RemoveFromPQ(e);
+	UpdateDeliveredSeq(e->endp, e->seq[e->endp], e->payload_length,
+				e->seq[1 - e->endp]);
+	return ret;
+	}
+
+static void DeleteConnPQ(void* p)
+	{
+	delete (PacketSortConnPQ*) p;
+	}
+
+PacketSortGlobalPQ::PacketSortGlobalPQ()
+	{
+	pq_level = GLOBAL_PQ;
+	conn_pq_table.SetDeleteFunc(DeleteConnPQ);
+	}
+
+PacketSortGlobalPQ::~PacketSortGlobalPQ()
+	{
+	// Destruction of PacketSortConnPQ will delete all conn_pq's.
+	}
+
+int PacketSortGlobalPQ::Add(PacketSortElement* e)
+	{
+	if ( e->is_tcp )
+		{
+		// TCP packets are sorted by sequence numbers
+		PacketSortConnPQ* conn_pq = FindConnPQ(e);
+		PacketSortElement* prev_min = conn_pq->Min();
+
+		if ( conn_pq->Add(e) )
+			{
+			ASSERT(conn_pq->Min() != prev_min);
+
+			if ( prev_min )
+				return UpdatePQ(prev_min, e);
+			else
+				return AddToPQ(e);
+			}
+
+		else
+			{
+			ASSERT(conn_pq->Min() == prev_min);
+			return 0;
+			}
+		}
+	else
+		return AddToPQ(e);
+	}
+
+PacketSortElement* PacketSortGlobalPQ::RemoveMin(double timestamp)
+	{
+	PacketSortElement* e = Min();
+
+	if ( ! e )
+		return 0;
+
+	if ( e->is_tcp )
+		{
+		PacketSortConnPQ* conn_pq = FindConnPQ(e);
+
+#if 0
+		// Note: the content gap safety check does not work
+		// because we remove the state for a connection once
+		// it has no packet in the priority queue.
+
+		// Do not deliver e if it arrives later than timestamp,
+		// and is not content-gap-safe.
+		if ( e->timestamp > timestamp &&
+		     ! conn_pq->IsContentGapSafe(e) )
+			return 0;
+#else
+		if ( e->timestamp > timestamp )
+			return 0;
+#endif
+
+		conn_pq->Remove(e);
+		PacketSortElement* new_e = conn_pq->Min();
+
+		if ( new_e )
+			UpdatePQ(e, new_e);
+		else
+			{
+			RemoveFromPQ(e);
+			conn_pq_table.Remove(e->key);
+			delete conn_pq;
+			}
+		}
+	else
+		RemoveFromPQ(e);
+
+	return e;
+	}
+
+PacketSortConnPQ* PacketSortGlobalPQ::FindConnPQ(PacketSortElement* e)
+	{
+	if ( ! e->is_tcp )
+		internal_error("cannot find a connection for an invalid id");
+	
+	PacketSortConnPQ* pq = (PacketSortConnPQ*) conn_pq_table.Lookup(e->key);
+	if ( ! pq )
+		{
+		pq = new PacketSortConnPQ();
+		conn_pq_table.Insert(e->key, pq);
+		}
+
+	return pq;
+	}
diff --git a/src/PacketSort.h b/src/PacketSort.h
new file mode 100644
index 0000000000..6c6a4f4994
--- /dev/null
+++ b/src/PacketSort.h
@@ -0,0 +1,134 @@
+// $Id: PacketSort.h 3228 2006-06-08 02:12:03Z vern $
+
+#ifndef packetsort_h
+#define packetsort_h
+
+// Timestamps can be imprecise and even inconsistent among packets
+// from different sources. This class tries to guess a "correct"
+// order by looking at TCP sequence numbers.
+//
+// In particular, it tries to eliminate "false" content gaps.
+
+#include "Dict.h"
+#include "Conn.h"
+
+enum {
+	CONN_PQ,
+	GLOBAL_PQ,
+	NUM_OF_PQ_LEVEL,
+};
+
+class PktSrc;
+
+class PacketSortElement {
+public:
+	PacketSortElement(PktSrc* src, double timestamp,
+				const struct pcap_pkthdr* hdr,
+				const u_char* pkt, int hdr_size);
+	~PacketSortElement();
+
+	PktSrc* Src() const			{ return src; }
+	double TimeStamp() const		{ return timestamp; }
+	const struct pcap_pkthdr* Hdr() const	{ return &hdr; }
+	const u_char* Pkt() const		{ return pkt; }
+	int HdrSize() const			{ return hdr_size; }
+	const IP_Hdr* IPHdr() const		{ return ip_hdr; }
+
+protected:
+	PktSrc* src;
+	double timestamp;
+	struct pcap_pkthdr hdr;
+	u_char* pkt;
+	int hdr_size;
+
+	IP_Hdr* ip_hdr;
+	int is_tcp;
+	ConnID id;
+	uint32 seq[2];	// indexed by endpoint
+	int tcp_flags;
+	int endp;	// 0 or 1
+	int payload_length;
+
+	HashKey* key;
+
+	int pq_index[NUM_OF_PQ_LEVEL];
+
+	friend class PacketSortPQ;
+	friend class PacketSortConnPQ;
+	friend class PacketSortGlobalPQ;
+};
+
+class PacketSortPQ {
+public:
+	PacketSortPQ()
+		{ pq_level = -1; }
+	virtual ~PacketSortPQ() {}
+
+	PacketSortElement* Min() const	{ return (pq.size() > 0) ? pq[0] : 0; }
+
+protected:
+	virtual int Cmp(PacketSortElement* a, PacketSortElement* b) = 0;
+	int Timestamp_Cmp(PacketSortElement* a, PacketSortElement* b);
+
+	int UpdatePQ(PacketSortElement* prev_e, PacketSortElement* new_e);
+	int AddToPQ(PacketSortElement* e);
+	int RemoveFromPQ(PacketSortElement* e);
+
+	void Assign(int k, PacketSortElement* e);
+	int FixUp(PacketSortElement* e, int k);
+	void FixDown(PacketSortElement* e, int k);
+
+	vector<PacketSortElement*> pq;
+	int pq_level;
+};
+
+// Sort by sequence numbers within a connection
+class PacketSortConnPQ : public PacketSortPQ {
+public:
+	PacketSortConnPQ()
+		{
+		pq_level = CONN_PQ;
+		delivered_seq[0] = delivered_seq[1] = 0;
+		}
+	~PacketSortConnPQ();
+
+	int Add(PacketSortElement* e);
+
+	int Remove(PacketSortElement* e);
+
+	bool IsContentGapSafe(PacketSortElement* e);
+
+protected:
+	int Cmp(PacketSortElement* a, PacketSortElement* b);
+	void UpdateDeliveredSeq(int endp, int seq, int len, int ack);
+
+	int delivered_seq[2];
+};
+
+declare(PDict, PacketSortConnPQ);
+
+// Sort by timestamps.
+class PacketSortGlobalPQ : public PacketSortPQ {
+public:
+	PacketSortGlobalPQ();
+	~PacketSortGlobalPQ();
+
+	int Add(PacketSortElement* e);
+
+	int Empty() const { return conn_pq_table.Length() == 0; }
+
+	// Returns the next packet to dispatch if it arrives earlier than the
+	// given timestamp, otherwise returns 0.
+	// The packet, if to be returned, is also removed from the
+	// priority queue.
+	PacketSortElement* RemoveMin(double timestamp);
+
+protected:
+	int Cmp(PacketSortElement* a, PacketSortElement* b)
+		{ return Timestamp_Cmp(a, b); }
+	PacketSortConnPQ* FindConnPQ(PacketSortElement* e);
+
+	PDict(PacketSortConnPQ) conn_pq_table;
+};
+
+#endif
diff --git a/src/PersistenceSerializer.cc b/src/PersistenceSerializer.cc
new file mode 100644
index 0000000000..f31fdb4d88
--- /dev/null
+++ b/src/PersistenceSerializer.cc
@@ -0,0 +1,574 @@
+// $Id: PersistenceSerializer.cc 6752 2009-06-14 04:24:52Z vern $
+
+#include <fcntl.h>
+#include <unistd.h>
+#include <errno.h>
+#include <time.h>
+#include <dirent.h>
+#include <libgen.h>
+#include <sys/time.h>
+#include <sys/stat.h>
+
+#include "PersistenceSerializer.h"
+#include "RemoteSerializer.h"
+#include "Conn.h"
+#include "Event.h"
+#include "Logger.h"
+#include "Net.h"
+
+class IncrementalWriteTimer : public Timer {
+public:
+	IncrementalWriteTimer(double t, PersistenceSerializer::SerialStatus* s)
+		: Timer(t, TIMER_INCREMENTAL_WRITE), status(s)	{}
+
+	void Dispatch(double t, int is_expire);
+
+	PersistenceSerializer::SerialStatus* status;
+};
+
+void IncrementalWriteTimer::Dispatch(double t, int is_expire)
+	{
+	// Never suspend when we're finishing up.
+	if ( terminating )
+		status->info.may_suspend = false;
+
+	persistence_serializer->RunSerialization(status);
+	}
+
+PersistenceSerializer::PersistenceSerializer()
+	{
+	dir = 0;
+	}
+
+PersistenceSerializer::~PersistenceSerializer()
+	{
+	}
+
+void PersistenceSerializer::Register(ID* id)
+	{
+	if ( id->Type()->Tag() == TYPE_FUNC )
+		{
+		Error("can't register functions as persistent ID");
+		return;
+		}
+
+	DBG_LOG(DBG_STATE, "&persistent %s", id->Name());
+
+	HashKey key(id->Name());
+	if ( persistent_ids.Lookup(&key) )
+		return;
+
+	Ref(id);
+	persistent_ids.Insert(&key, id);
+	}
+
+void PersistenceSerializer::Unregister(ID* id)
+	{
+	HashKey key(id->Name());
+	Unref((ID*) persistent_ids.Remove(&key));
+	}
+
+void PersistenceSerializer::Register(Connection* conn)
+	{
+	if ( persistent_conns.Lookup(conn->Key()) )
+		return;
+
+	Ref(conn);
+	HashKey* k = conn->Key();
+	HashKey* new_key = new HashKey(k->Key(), k->Size(), k->Hash());
+	persistent_conns.Insert(new_key, conn);
+	delete new_key;
+	}
+
+void PersistenceSerializer::Unregister(Connection* conn)
+	{
+	Unref(persistent_conns.RemoveEntry(conn->Key()));
+	}
+
+bool PersistenceSerializer::CheckTimestamp(const char* file)
+	{
+	struct stat s;
+	if ( stat(file, &s) < 0 )
+		return false;
+
+	if ( ! S_ISREG(s.st_mode) )
+		return false;
+
+	bool changed = true;
+
+	HashKey* key = new HashKey(file, strlen(file));
+	time_t* t = files.Lookup(key);
+
+	if ( ! t )
+		{
+		t = (time_t*) malloc(sizeof(time_t));
+		if ( ! t )
+			out_of_memory("saving file timestamp");
+		files.Insert(key, t);
+		}
+
+	else if ( *t >= s.st_mtime )
+		changed = false;
+
+	*t = s.st_mtime;
+
+	delete key;
+	return changed;
+	}
+
+bool PersistenceSerializer::CheckForFile(UnserialInfo* info, const char* file,
+						bool delete_file)
+	{
+	bool ret = true;
+	if ( CheckTimestamp(file) )
+		{
+		// Need to copy the filename here, as it may be passed
+		// in via fmt().
+		const char* f = copy_string(file);
+
+		bool ret = Read(info, f);
+
+		if ( delete_file && unlink(f) < 0 )
+			Error(fmt("can't delete file %s: %s", f, strerror(errno)));
+
+		delete [] f;
+		}
+
+	return ret;
+	}
+
+bool PersistenceSerializer::ReadAll(bool is_init, bool delete_files)
+	{
+#ifdef USE_PERFTOOLS
+	HeapLeakChecker::Disabler disabler;
+#endif
+
+	assert(dir);
+
+	UnserialInfo config_info(this);
+	config_info.id_policy = is_init ?
+			UnserialInfo::Replace : UnserialInfo::CopyCurrentToNew;
+
+	if ( ! CheckForFile(&config_info, fmt("%s/config.bst", dir),
+				delete_files) )
+		return false;
+
+	UnserialInfo state_info(this);
+	state_info.id_policy = UnserialInfo::CopyNewToCurrent;
+	if ( ! CheckForFile(&state_info, fmt("%s/state.bst", dir),
+				delete_files) )
+		return false;
+
+	return true;
+	}
+
+bool PersistenceSerializer::MoveFileUp(const char* dir, const char* file)
+	{
+	char oldname[PATH_MAX];
+	char newname[PATH_MAX];
+
+	safe_snprintf(oldname, PATH_MAX, "%s/.tmp/%s", dir, file );
+	safe_snprintf(newname, PATH_MAX, "%s/%s", dir, file );
+
+	if ( rename(oldname, newname) < 0 )
+		{
+		Error(fmt("can't move %s to %s: %s", oldname, newname,
+				strerror(errno)));
+		return false;
+		}
+
+	CheckTimestamp(newname);
+	return true;
+	}
+
+#if 0
+void PersistenceSerializer::RaiseFinishedSendState()
+	{
+	val_list* vl = new val_list;
+	vl->append(new AddrVal(htonl(remote_host)));
+	vl->append(new PortVal(remote_port));
+
+	mgr.QueueEvent(finished_send_state, vl);
+	bro_logger->Log("Serialization done.");
+	}
+#endif
+
+void PersistenceSerializer::GotEvent(const char* name, double time,
+					EventHandlerPtr event, val_list* args)
+	{
+	mgr.QueueEvent(event, args);
+	}
+
+void PersistenceSerializer::GotFunctionCall(const char* name, double time,
+					Func* func, val_list* args)
+	{
+	func->Call(args);
+	}
+
+void PersistenceSerializer::GotStateAccess(StateAccess* s)
+	{
+	s->Replay();
+	delete s;
+	}
+
+void PersistenceSerializer::GotTimer(Timer* s)
+	{
+	run_time("PersistenceSerializer::GotTimer not implemented");
+	}
+
+void PersistenceSerializer::GotConnection(Connection* c)
+	{
+	Unref(c);
+	}
+
+void PersistenceSerializer::GotID(ID* id, Val* /* val */)
+	{
+	Unref(id);
+	}
+
+void PersistenceSerializer::GotPacket(Packet* p)
+	{
+	run_time("PersistenceSerializer::GotPacket not implemented");
+	}
+
+bool PersistenceSerializer::LogAccess(const StateAccess& s)
+	{
+	if ( ! IsSerializationRunning() )
+		return true;
+
+	loop_over_list(running, i)
+		{
+		running[i]->accesses.append(new StateAccess(s));
+		}
+
+	return true;
+	}
+
+bool PersistenceSerializer::WriteState(bool may_suspend)
+	{
+	SerialStatus* status =
+		new SerialStatus(this, SerialStatus::WritingState);
+
+	status->info.may_suspend = may_suspend;
+
+	status->ids = &persistent_ids;
+	status->conns = &persistent_conns;
+	status->filename = "state.bst";
+
+	return RunSerialization(status);
+	}
+
+bool PersistenceSerializer::WriteConfig(bool may_suspend)
+	{
+	if ( mgr.IsDraining() && may_suspend )
+		// Events which trigger checkpoint are flushed. Ignore; we'll
+		// checkpoint at termination in any case.
+		return true;
+
+	SerialStatus* status =
+		new SerialStatus(this, SerialStatus::WritingConfig);
+
+	status->info.may_suspend = may_suspend;
+	status->info.clear_containers = true;
+	status->ids = global_scope()->GetIDs();
+	status->filename = "config.bst";
+
+	return RunSerialization(status);
+	}
+
+bool PersistenceSerializer::SendState(SourceID peer, bool may_suspend)
+	{
+	SerialStatus* status =
+		new SerialStatus(remote_serializer, SerialStatus::SendingState);
+
+	status->info.may_suspend = may_suspend;
+	status->ids = &persistent_ids;
+	status->conns = &persistent_conns;
+	status->peer = peer;
+
+	bro_logger->Log("Sending state...");
+
+	return RunSerialization(status);
+	}
+
+bool PersistenceSerializer::SendConfig(SourceID peer, bool may_suspend)
+	{
+	SerialStatus* status =
+		new SerialStatus(remote_serializer, SerialStatus::SendingConfig);
+
+	status->info.may_suspend = may_suspend;
+	status->info.clear_containers = true;
+	status->ids = global_scope()->GetIDs();
+	status->peer = peer;
+
+	bro_logger->Log("Sending config...");
+
+	return RunSerialization(status);
+	}
+
+bool PersistenceSerializer::RunSerialization(SerialStatus* status)
+	{
+	Continuation* cont = &status->info.cont;
+
+	if ( cont->NewInstance() )
+		{
+		// Serialization is starting. Initialize.
+
+		// See if there is already a serialization of this type running.
+		loop_over_list(running, i)
+			{
+			if ( running[i]->type == status->type )
+				{
+				// ### We don't report this anymore as it would go to stderr.
+				// Warning(fmt("Serialization of type %d already running.", status->type));
+				return false;
+				}
+			}
+
+		running.append(status);
+
+		// Initialize.
+		if ( ! (ensure_dir(dir) && ensure_dir(fmt("%s/.tmp", dir))) )
+			return false;
+
+		if ( ! OpenFile(fmt("%s/.tmp/%s", dir, status->filename), false) )
+			return false;
+
+		if ( ! PrepareForWriting() )
+			return false;
+
+		if ( status->ids )
+			{
+			status->id_cookie = status->ids->InitForIteration();
+			status->ids->MakeRobustCookie(status->id_cookie);
+			}
+
+		if ( status->conns )
+			{
+			status->conn_cookie = status->conns->InitForIteration();
+			status->conns->MakeRobustCookie(status->conn_cookie);
+			}
+
+		if ( status->info.may_suspend )
+			bro_logger->Log("Starting incremental serialization...");
+		}
+
+	else if ( cont->ChildSuspended() )
+		{
+		// One of our former Serialize() calls suspended itself.
+		// We have to call it again.
+
+		if ( status->id_cookie )
+			{
+			if ( ! DoIDSerialization(status, status->current.id) )
+				return false;
+
+			if ( cont->ChildSuspended() )
+				{
+				// Oops, it did it again.
+				timer_mgr->Add(new IncrementalWriteTimer(network_time + state_write_delay, status));
+				return true;
+				}
+			}
+
+		else if ( status->conn_cookie )
+			{
+			if ( ! DoConnSerialization(status, status->current.conn) )
+				return false;
+
+			if ( cont->ChildSuspended() )
+				{
+				// Oops, it did it again.
+				timer_mgr->Add(new IncrementalWriteTimer(network_time + state_write_delay, status));
+				return true;
+				}
+			}
+
+		else
+			internal_error("unknown suspend state");
+		}
+
+	else if ( cont->Resuming() )
+		cont->Resume();
+
+	else
+		internal_error("unknown continuation state");
+
+	if ( status->id_cookie )
+		{
+		ID* id;
+
+		while ( (id = status->ids->NextEntry(status->id_cookie)) )
+			{
+			ID* g = global_scope()->Lookup(id->Name());
+
+			if ( ! DoIDSerialization(status, id) )
+				return false;
+
+			if ( cont->ChildSuspended() )
+				{
+				timer_mgr->Add(new IncrementalWriteTimer(network_time + state_write_delay, status));
+				return true;
+				}
+
+			if ( status->info.may_suspend )
+				{
+				timer_mgr->Add(new IncrementalWriteTimer(network_time + state_write_delay, status));
+				cont->Suspend();
+				return true;
+				}
+			}
+
+		// Cookie has been set to 0 by NextEntry().
+		}
+
+	if ( status->conn_cookie )
+		{
+		Connection* conn;
+		while ( (conn = status->conns->NextEntry(status->conn_cookie)) )
+			{
+			if ( ! DoConnSerialization(status, conn) )
+				return false;
+
+			if ( cont->ChildSuspended() )
+				{
+				timer_mgr->Add(new IncrementalWriteTimer(network_time + state_write_delay, status));
+				return true;
+				}
+
+			if ( status->info.may_suspend )
+				{
+				timer_mgr->Add(new IncrementalWriteTimer(network_time + state_write_delay, status));
+				cont->Suspend();
+				return true;
+				}
+
+			}
+
+		// Cookie has been set to 0 by NextEntry().
+		}
+
+	DBG_LOG(DBG_STATE, "finished serialization; %d accesses pending",
+			status->accesses.length());
+
+	if ( status->accesses.length() )
+		{
+		// Serialize pending state accesses.
+		// FIXME: Does this need to suspend?
+		StateAccess* access;
+		loop_over_list(status->accesses, i)
+			{
+			// Serializing a StateAccess will not suspend.
+			if ( ! DoAccessSerialization(status, status->accesses[i]) )
+				return false;
+
+			delete status->accesses[i];
+			}
+		}
+
+	// Finalize.
+	CloseFile();
+
+	bool ret = MoveFileUp(dir, status->filename);
+
+	loop_over_list(running, i)
+		{
+		if ( running[i]->type == status->type )
+			{
+			running.remove_nth(i);
+			break;
+			}
+		}
+
+	if ( status->info.may_suspend )
+		bro_logger->Log("Finished incremental serialization.");
+
+	delete status;
+	return ret;
+	}
+
+bool PersistenceSerializer::DoIDSerialization(SerialStatus* status, ID* id)
+	{
+	bool success = false;
+	Continuation* cont = &status->info.cont;
+
+	status->current.id = id;
+
+	switch ( status->type ) {
+	case SerialStatus::WritingState:
+	case SerialStatus::WritingConfig:
+		cont->SaveContext();
+		success = Serialize(&status->info, *id);
+		cont->RestoreContext();
+		break;
+
+	case SerialStatus::SendingState:
+	case SerialStatus::SendingConfig:
+		cont->SaveContext();
+		success = remote_serializer->SendID(&status->info,
+							status->peer, *id);
+		cont->RestoreContext();
+		break;
+
+	default:
+		internal_error("unknown serialization type");
+	}
+
+	return success;
+	}
+
+bool PersistenceSerializer::DoConnSerialization(SerialStatus* status,
+						Connection* conn)
+	{
+	bool success = false;
+	Continuation* cont = &status->info.cont;
+
+	status->current.conn = conn;
+
+	switch ( status->type ) {
+	case SerialStatus::WritingState:
+	case SerialStatus::WritingConfig:
+		cont->SaveContext();
+		success = Serialize(&status->info, *conn);
+		cont->RestoreContext();
+		break;
+
+	case SerialStatus::SendingState:
+	case SerialStatus::SendingConfig:
+		cont->SaveContext();
+		success = remote_serializer->SendConnection(&status->info,
+							status->peer, *conn);
+		cont->RestoreContext();
+		break;
+
+	default:
+		internal_error("unknown serialization type");
+	}
+
+	return success;
+	}
+
+bool PersistenceSerializer::DoAccessSerialization(SerialStatus* status,
+							StateAccess* access)
+	{
+	bool success = false;
+	DisableSuspend suspend(&status->info);
+
+	switch ( status->type ) {
+	case SerialStatus::WritingState:
+	case SerialStatus::WritingConfig:
+		success = Serialize(&status->info, *access);
+		break;
+
+	case SerialStatus::SendingState:
+	case SerialStatus::SendingConfig:
+		success = remote_serializer->SendAccess(&status->info,
+							status->peer, *access);
+		break;
+
+	default:
+		internal_error("unknown serialization type");
+	}
+
+	return success;
+	}
diff --git a/src/PersistenceSerializer.h b/src/PersistenceSerializer.h
new file mode 100644
index 0000000000..572ab0238e
--- /dev/null
+++ b/src/PersistenceSerializer.h
@@ -0,0 +1,165 @@
+// $Id: PersistenceSerializer.h 2698 2006-04-03 05:50:52Z vern $
+//
+// Implements persistance for Bro's data structures.
+
+#ifndef persistence_serializer_h
+#define persistence_serializer_h
+
+#include "Serializer.h"
+#include "List.h"
+
+class StateAccess;
+
+class PersistenceSerializer : public FileSerializer {
+public:
+	PersistenceSerializer();
+	virtual ~PersistenceSerializer();
+
+	// Define the directory where to store the data.
+	void SetDir(const char* arg_dir)	{ dir = copy_string(arg_dir); }
+
+	// Register/unregister the ID/connection to be saved by WriteAll().
+	void Register(ID* id);
+	void Unregister(ID* id);
+	void Register(Connection* conn);
+	void Unregister(Connection* conn);
+
+	// Read all data that has been changed since last scan of directory.
+	// is_init should be true for the first read upon start-up. All existing
+	// state will be cleared. If delete_files is true, file which have been
+	// read are removed (even if the read was unsuccessful!).
+	bool ReadAll(bool is_init, bool delete_files);
+
+	// Each of the following four methods may suspend operation.
+	// If they do, they install a Timer which resumes after some
+	// amount of time. If a function is called again before it
+	// has completely finished its task, it will do nothing and
+	// return false.
+
+	bool WriteState(bool may_suspend);
+
+	// Writes Bro's configuration (w/o dynamic state).
+	bool WriteConfig(bool may_suspend);
+
+	// Sends all registered state to remote host
+	// (by leveraging the remote_serializer).
+	bool SendState(SourceID peer, bool may_suspend);
+
+	// Sends Bro's config to remote host
+	// (by leveraging the remote_serializer).
+	bool SendConfig(SourceID peer, bool may_suspend);
+
+	// Returns true if a serialization is currently running.
+	bool IsSerializationRunning() const	{ return running.length(); }
+
+	// Tells the serializer that this access was performed. If a
+	// serialization is going on, it may store it.  (Need only be called if
+	// IsSerializationRunning() returns true.)
+	bool LogAccess(const StateAccess& s);
+
+protected:
+	friend class RemoteSerializer;
+	friend class IncrementalWriteTimer;
+
+	virtual void GotID(ID* id, Val* val);
+	virtual void GotEvent(const char* name, double time,
+				EventHandlerPtr event, val_list* args);
+	virtual void GotFunctionCall(const char* name, double time,
+				Func* func, val_list* args) ;
+	virtual void GotStateAccess(StateAccess* s);
+	virtual void GotTimer(Timer* t);
+	virtual void GotConnection(Connection* c);
+	virtual void GotPacket(Packet* packet);
+
+	// If file has changed since last check, read it.
+	bool CheckForFile(UnserialInfo* info, const char* file,
+				bool delete_file);
+
+	// Returns true if it's a regular file and has a more recent timestamp
+	// than last time we checked it.
+	bool CheckTimestamp(const char* file);
+
+	// Move file from <dir>/tmp/<file> to <dir>/<file>. Afterwards, call
+	// CheckTimestamp() with <dir>/<file>.
+	bool MoveFileUp(const char* dir, const char* file);
+
+	// Generates an error message, terminates current serialization,
+	// and returns false.
+	bool SerialError(const char* msg);
+
+	// Start a new serialization.
+	struct SerialStatus;
+	bool RunSerialization(SerialStatus* status);
+
+	// Helpers for RunSerialization.
+	bool DoIDSerialization(SerialStatus* status, ID* id);
+	bool DoConnSerialization(SerialStatus* status, Connection* conn);
+	bool DoAccessSerialization(SerialStatus* status, StateAccess* access);
+
+	typedef PDict(ID) id_map;
+
+	declare(PDict, Connection);
+	typedef PDict(Connection) conn_map;
+
+	struct SerialStatus {
+		enum Type {
+			WritingState, WritingConfig,
+			SendingState, SendingConfig,
+		};
+
+		SerialStatus(Serializer* s, Type arg_type) : info(s)
+			{
+			type = arg_type;
+			ids = 0;
+			id_cookie = 0;
+			conns = 0;
+			conn_cookie = 0;
+			peer = SOURCE_LOCAL;
+			};
+
+		Type type;
+		SerialInfo info;
+
+		// IDs to serialize.
+		id_map* ids;
+		IterCookie* id_cookie;
+
+		// Connections to serialize.
+		conn_map* conns;
+		IterCookie* conn_cookie;
+
+		// Accesses performed while we're serializing.
+		declare(PList,StateAccess);
+		typedef PList(StateAccess) state_access_list;
+		state_access_list accesses;
+
+		// The ID/Conn we're currently serializing.
+		union {
+			ID* id;
+			Connection* conn;
+		} current;
+
+		// Only set if type is Writing{State,Config}.
+		const char* filename;
+
+		// Only set if type is Sending{State,Config}.
+		SourceID peer;
+	};
+
+	const char* dir;
+
+	declare(PList, SerialStatus);
+	PList(SerialStatus) running;
+
+	id_map persistent_ids;
+	conn_map persistent_conns;
+
+	// To keep track of files' modification times.
+	declare(PDict, time_t);
+	typedef PDict(time_t) file_map;
+	file_map files;
+};
+
+extern PersistenceSerializer* persistence_serializer;
+
+#endif
diff --git a/src/PktDagSrc.cc b/src/PktDagSrc.cc
new file mode 100644
index 0000000000..1a5c6573de
--- /dev/null
+++ b/src/PktDagSrc.cc
@@ -0,0 +1,294 @@
+// $Id: PktDagSrc.cc 6909 2009-09-10 19:42:19Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "config.h"
+
+#ifdef USE_DAG
+
+extern "C" {
+#include <dagapi.h>
+#include <pcap.h>
+}
+#include <errno.h>
+
+#include <set>
+#include <string>
+
+#include "PktDagSrc.h"
+
+// Length of ERF Header before Ethernet header.
+#define DAG_ETH_ERFLEN 18
+
+static set<string> used_interfaces;
+
+PktDagSrc::PktDagSrc(const char* arg_interface, const char* filter,
+			PktSrc_Filter_Type ft)
+: PktSrc()
+	{
+	interface = copy_string(fmt("/dev/%s", arg_interface));
+	fd = -1;
+	closed = true;
+
+	if ( used_interfaces.find(interface) != used_interfaces.end() )
+		{
+		Error("DAG interface already in use, can't be used multiple times");
+		return;
+		}
+
+
+	// We only support Ethernet.
+	hdr_size = 14;
+	datalink = DLT_EN10MB;
+	filter_type = ft;
+	netmask = 0xffffff00;	// XXX does this make sense?
+
+	current_filter = 0;
+
+	// We open a dummy pcap file to get access to pcap data structures.
+	// Ideally, Bro's PktSrc would be less dependent on pcap ...
+
+	pd = pcap_open_dead(datalink, snaplen);
+	if ( ! pd )
+		{
+		// Note: errno not trustworthy, for example it's sometimes
+		// set by malloc inside pcap_open_dead().
+		Error("pcap_open_dead");
+		return;
+		}
+
+	fd = dag_open(interface);
+
+	// XXX Currently, the DAG fd is not selectable :-(.
+	selectable_fd = -1;
+
+	if ( fd < 0 )
+		{
+		Error("dag_open");
+		return;
+		}
+
+	int dag_recordtype = dag_linktype(fd);
+	if ( dag_recordtype < TYPE_MIN || dag_recordtype > TYPE_MAX )
+		{
+		Error("dag_linktype");
+		return;
+		}
+
+	if ( dag_recordtype != TYPE_ETH )
+		{
+		sprintf(errbuf, "unsupported DAG link type 0x%x", dag_recordtype);
+		return;
+		}
+
+	// long= is needed to prevent the DAG card from truncating jumbo frames.
+	char* dag_configure_string =
+		copy_string(fmt("slen=%d varlen long=%d",
+				snaplen, snaplen > 1500 ? snaplen : 1500));
+
+	fprintf(stderr, "Configuring %s with options \"%s\"...\n",
+		interface, dag_configure_string);
+
+	if ( dag_configure(fd, dag_configure_string) < 0 )
+		{
+		Error("dag_configure");
+		delete [] dag_configure_string;
+		return;
+		}
+
+	delete [] dag_configure_string;
+
+	if ( dag_attach_stream(fd, stream_num, 0, EXTRA_WINDOW_SIZE) < 0 )
+		{
+		Error("dag_attach_stream");
+		return;
+		}
+
+	if ( dag_start_stream(fd, stream_num) < 0 )
+		{
+		Error("dag_start_stream");
+		return;
+		}
+
+	struct timeval maxwait, poll;
+	maxwait.tv_sec = 0;	// arbitrary due to mindata == 0
+	maxwait.tv_usec = 0;
+	poll.tv_sec = 0;	// don't wait until more data arrives.
+	poll.tv_usec = 0;
+
+	// mindata == 0 for non-blocking.
+	if ( dag_set_stream_poll(fd, stream_num, 0, &maxwait, &poll) < 0 )
+		{
+		Error("dag_set_stream_poll");
+		return;
+		}
+
+	closed = false;
+
+	if ( PrecompileFilter(0, filter) && SetFilter(0) )
+		fprintf(stderr, "listening on DAG card on %s\n", interface);
+
+	stats.link = stats.received = stats.dropped = 0;
+	}
+
+PktDagSrc::~PktDagSrc()
+	{
+	}
+
+
+void PktDagSrc::Close()
+	{
+	if ( fd >= 0 )
+		{
+		PktSrc::Close();
+		dag_stop_stream(fd, stream_num);
+		dag_detach_stream(fd, stream_num);
+		dag_close(fd);
+		fd = -1;
+		}
+
+	closed = true;
+	used_interfaces.erase(interface);
+	}
+
+int PktDagSrc::ExtractNextPacket()
+	{
+	unsigned link_count = 0;	// # packets on link for this call
+
+	// As we can't use select() on the fd, we always have to pretend
+	// we're busy (in fact this is probably even true; otherwise
+	// we shouldn't be using such expensive monitoring hardware!).
+	idle = false;
+
+	struct bpf_insn* fcode = current_filter->bf_insns;
+	if ( ! fcode )
+		{
+		run_time("filter code not valid when extracting DAG packet");
+		return 0;
+		}
+
+	dag_record_t* r = 0;
+
+	do
+		{
+		r = (dag_record_t*) dag_rx_stream_next_record(fd, 0);
+
+		if ( ! r )
+			{
+			data = last_data = 0;	// make dataptr invalid
+
+			if ( errno != EAGAIN )
+				{
+				run_time(fmt("dag_rx_stream_next_record: %s",
+						strerror(errno)));
+				Close();
+				return 0;
+				}
+
+			else
+				{ // gone dry
+				idle = true;
+				return 0;
+				}
+			}
+
+		// Return after 20 unwanted packets on the link.
+		if ( ++link_count > 20 )
+			{
+			data = last_data = 0;
+			return 0;
+			}
+
+		hdr.len = ntohs(r->wlen);
+		hdr.caplen = ntohs(r->rlen) - DAG_ETH_ERFLEN;
+
+		// Locate start of the Ethernet header.
+		data = last_data = (const u_char*) r->rec.eth.dst;
+
+		++stats.link;
+		// lctr_sum += ntohs(r->lctr);
+		stats.dropped += ntohs(r->lctr);
+		}
+	while ( ! bpf_filter(fcode, (u_char*) data, hdr.len, hdr.caplen) );
+
+	++stats.received;
+
+	// Timestamp conversion taken from DAG programming manual.
+	unsigned long long lts = r->ts;
+	hdr.ts.tv_sec = lts >> 32;
+	lts = ((lts & 0xffffffffULL) * 1000 * 1000);
+	lts += (lts & 0x80000000ULL) << 1;
+	hdr.ts.tv_usec = lts >> 32;
+	if ( hdr.ts.tv_usec >= 1000000 )
+		{
+		hdr.ts.tv_usec -= 1000000;
+		hdr.ts.tv_sec += 1;
+		}
+
+	next_timestamp = hdr.ts.tv_sec + double(hdr.ts.tv_usec) / 1e6;
+
+	return 1;
+	}
+
+void PktDagSrc::GetFds(int* read, int* write, int* except)
+	{
+	// We don't have a selectable fd, but we take the opportunity to
+	// reset our idle flag if we have data now.
+	if ( ! data )
+		ExtractNextPacket();
+	}
+
+void PktDagSrc::Statistics(Stats* s)
+	{
+	s->received = stats.received;
+	s->dropped = stats.dropped;
+	s->link = stats.link + stats.dropped;
+	}
+
+int PktDagSrc::SetFilter(int index)
+	{
+	// We don't want load-level filters for the secondary path.
+	if ( filter_type == TYPE_FILTER_SECONDARY && index > 0 )
+		return 1;
+
+	HashKey* hash = new HashKey(HashKey(bro_int_t(index)));
+	BPF_Program* code = filters.Lookup(hash);
+	delete hash;
+
+	if ( ! code )
+		{
+		sprintf(errbuf, "No precompiled pcap filter for index %d",
+				index);
+		return 0;
+		}
+
+	current_filter = code->GetProgram();
+
+	// Reset counters.
+	stats.received = stats.dropped = stats.link = 0;
+
+	return 1;
+	}
+
+int PktDagSrc::SetNewFilter(const char* filter)
+	{
+	bpf_program* code = 0;
+
+	if ( pcap_compile(pd, code, (char*) filter, 1, netmask) < 0 )
+		{
+		snprintf(errbuf, sizeof(errbuf), "pcap_compile(%s): %s",
+				filter, pcap_geterr(pd));
+		errbuf[sizeof(errbuf) - 1] = '\0';
+		return 0;
+		}
+
+	current_filter = code;
+	return 1;
+	}
+
+void PktDagSrc::Error(const char *s)
+	{
+	snprintf(errbuf, PCAP_ERRBUF_SIZE, "%s: %s", s, strerror(errno));
+	Close();
+	}
+#endif
diff --git a/src/PktDagSrc.h b/src/PktDagSrc.h
new file mode 100644
index 0000000000..c7ea49e106
--- /dev/null
+++ b/src/PktDagSrc.h
@@ -0,0 +1,54 @@
+// $Id: PktDagSrc.h 6219 2008-10-01 05:39:07Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+//
+// Support for Endace's DAG interface card.
+//
+// Caveats:
+//    - No support for hardware-side filtering yet.
+//    - No support for secondary filter path yet.
+//    - No support for other media than Ethernet.
+//    - Mutex should be per interface
+//    - No support for multiple rx streams
+
+#ifndef PKTDAGSRC_H
+#define PKTDAGSRC_H
+
+#ifdef USE_DAG
+
+extern int snaplen;
+
+#include "PktSrc.h"
+
+class PktDagSrc : public PktSrc {
+public:
+	PktDagSrc(const char* interface, const char* filter,
+			PktSrc_Filter_Type ft = TYPE_FILTER_NORMAL);
+	virtual ~PktDagSrc();
+
+	// PktSrc interface:
+	virtual void Statistics(Stats* stats);
+	virtual int SetFilter(int index);
+	virtual int SetNewFilter(const char* filter);
+
+protected:
+	virtual int ExtractNextPacket();
+	virtual void GetFds(int* read, int* write, int* except);
+	virtual void Close();
+
+	void Error(const char* str);
+
+	static const unsigned int EXTRA_WINDOW_SIZE = 4 * 1024 * 1024;
+	static const int stream_num = 0;	// use receive stream 0
+
+	// Unfortunaly the DAG API has some problems with locking streams,
+	// so we do our own checks to ensure we don't use more than one
+	// stream.   In particular, the secondary filter won't work.
+	static int mutex;
+
+	int fd;
+	bpf_program* current_filter;
+};
+#endif
+
+#endif
diff --git a/src/PktSrc.cc b/src/PktSrc.cc
new file mode 100644
index 0000000000..bd92982722
--- /dev/null
+++ b/src/PktSrc.cc
@@ -0,0 +1,670 @@
+// $Id: PktSrc.cc 6951 2009-12-04 22:23:28Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include <errno.h>
+#include <sys/stat.h>
+
+#include "config.h"
+
+#include "util.h"
+#include "PktSrc.h"
+#include "Hash.h"
+#include "Net.h"
+#include "Sessions.h"
+
+
+// ### This needs auto-confing.
+#ifdef HAVE_PCAP_INT_H
+#include <pcap-int.h>
+#endif
+
+int snaplen = 8192;	// really want "capture entire packet"
+
+
+PktSrc::PktSrc()
+	{
+	interface = readfile = 0;
+	data = last_data = 0;
+	hdr_size = 0;
+	datalink = 0;
+	netmask = 0xffffff00;
+	pd = 0;
+	idle = false;
+
+	next_sync_point = 0;
+	first_timestamp = current_timestamp = next_timestamp = 0.0;
+	first_wallclock = current_wallclock = 0;
+
+	stats.received = stats.dropped = stats.link = 0;
+	}
+
+PktSrc::~PktSrc()
+	{
+	Close();
+
+	loop_over_list(program_list, i)
+		delete program_list[i];
+
+	BPF_Program* code;
+	IterCookie* cookie = filters.InitForIteration();
+	while ( (code = filters.NextEntry(cookie)) )
+		delete code;
+
+	delete [] interface;
+	delete [] readfile;
+	}
+
+void PktSrc::GetFds(int* read, int* write, int* except)
+	{
+	if ( pseudo_realtime )
+		{
+		// Select would give erroneous results. But we simulate it
+		// by setting idle accordingly.
+		idle = CheckPseudoTime() == 0;
+		return;
+		}
+
+#ifdef USE_SELECT_LOOP
+	if ( selectable_fd >= 0 )
+		*read = selectable_fd;
+#endif
+	}
+
+int PktSrc::ExtractNextPacket()
+	{
+	// Don't return any packets if processing is suspended (except for the
+	// very first packet which we need to set up times).
+	if ( net_is_processing_suspended() && first_timestamp )
+		{
+		idle = true;
+		return 0;
+		}
+
+	data = last_data = pcap_next(pd, &hdr);
+	next_timestamp = hdr.ts.tv_sec + double(hdr.ts.tv_usec) / 1e6;
+
+	if ( pseudo_realtime )
+		current_wallclock = current_time(true);
+
+	if ( ! first_timestamp )
+		first_timestamp = next_timestamp;
+
+#ifdef USE_SELECT_LOOP
+	idle = (data == 0);
+#else
+	idle = false;
+#endif
+
+	if ( data )
+		++stats.received;
+
+	// Source has gone dry.  If it's a network interface, this just means
+	// it's timed out. If it's a file, though, then the file has been
+	// exhausted.
+	if ( ! data && ! IsLive() )
+		{
+		closed = true;
+
+		if ( pseudo_realtime && using_communication )
+			{
+			if ( remote_trace_sync_interval )
+				remote_serializer->SendFinalSyncPoint();
+			else
+				remote_serializer->Terminate();
+			}
+		}
+
+	return data != 0;
+	}
+
+double PktSrc::NextTimestamp(double* local_network_time)
+	{
+	if ( ! data && ! ExtractNextPacket() )
+		return -1.0;
+
+	if ( pseudo_realtime )
+		{
+		// Delay packet if necessary.
+		double packet_time = CheckPseudoTime();
+		if ( packet_time )
+			return packet_time;
+
+		idle = true;
+		return -1.0;
+		}
+
+	return next_timestamp;
+	}
+
+void PktSrc::ContinueAfterSuspend()
+	{
+	current_wallclock = current_time(true);
+	}
+
+double PktSrc::CurrentPacketWallClock()
+	{
+	// We stop time when we are suspended.
+	if ( net_is_processing_suspended() )
+		current_wallclock = current_time(true);
+
+	return current_wallclock;
+	}
+
+double PktSrc::CheckPseudoTime()
+	{
+	if ( ! data && ! ExtractNextPacket() )
+		return 0;
+
+	if ( ! current_timestamp )
+		return bro_start_time;
+
+	if ( remote_trace_sync_interval )
+		{
+		if ( next_sync_point == 0 || next_timestamp >= next_sync_point )
+			{
+			int n = remote_serializer->SendSyncPoint();
+			next_sync_point = first_timestamp +
+						n * remote_trace_sync_interval;
+			remote_serializer->Log(RemoteSerializer::LogInfo,
+				fmt("stopping at packet %.6f, next sync-point at %.6f",
+					current_timestamp, next_sync_point));
+
+			return 0;
+			}
+		}
+
+	double pseudo_time = next_timestamp - first_timestamp;
+	double ct = (current_time(true) - first_wallclock) * pseudo_realtime;
+
+	return pseudo_time <= ct ? bro_start_time + pseudo_time : 0;
+	}
+
+void PktSrc::Process()
+	{
+	if ( ! data && ! ExtractNextPacket() )
+		return;
+
+	current_timestamp = next_timestamp;
+
+	if ( pseudo_realtime )
+		{
+		current_pseudo = CheckPseudoTime();
+		net_packet_arrival(current_pseudo, &hdr, data, hdr_size, this);
+		if ( ! first_wallclock )
+			first_wallclock = current_time(true);
+		}
+
+	else
+		net_packet_arrival(current_timestamp, &hdr, data, hdr_size, this);
+
+	data = 0;
+	}
+
+bool PktSrc::GetCurrentPacket(const struct pcap_pkthdr** arg_hdr,
+				const u_char** arg_pkt)
+	{
+	if ( ! last_data )
+		return false;
+
+	*arg_hdr = &hdr;
+	*arg_pkt = last_data;
+	return true;
+	}
+
+int PktSrc::PrecompileFilter(int index, const char* filter)
+	{
+	// Compile filter.
+	BPF_Program* code = new BPF_Program();
+
+	if ( ! code->Compile(pd, filter, netmask, errbuf, sizeof(errbuf)) )
+		{
+		delete code;
+		return 0;
+		}
+
+	// Store it in hash.
+	HashKey* hash = new HashKey(HashKey(bro_int_t(index)));
+	BPF_Program* oldcode = filters.Lookup(hash);
+	if ( oldcode )
+		delete oldcode;
+
+	filters.Insert(hash, code);
+	delete hash;
+
+	return 1;
+	}
+
+int PktSrc::SetFilter(int index)
+	{
+	// We don't want load-level filters for the secondary path.
+	if ( filter_type == TYPE_FILTER_SECONDARY && index > 0 )
+		return 1;
+
+	HashKey* hash = new HashKey(HashKey(bro_int_t(index)));
+	BPF_Program* code = filters.Lookup(hash);
+	delete hash;
+
+	if ( ! code )
+		{
+		safe_snprintf(errbuf, sizeof(errbuf),
+			      "No precompiled pcap filter for index %d",
+			      index);
+		return 0;
+		}
+
+	if ( pcap_setfilter(pd, code->GetProgram()) < 0 )
+		{
+		safe_snprintf(errbuf, sizeof(errbuf),
+			      "pcap_setfilter(%d): %s",
+			      index, pcap_geterr(pd));
+		return 0;
+		}
+
+#ifndef HAVE_LINUX
+	// Linux doesn't clear counters when resetting filter.
+	stats.received = stats.dropped = stats.link = 0;
+#endif
+
+	return 1;
+	}
+
+void PktSrc::SetHdrSize()
+	{
+	int dl = pcap_datalink(pd);
+	hdr_size = get_link_header_size(dl);
+
+	if ( hdr_size < 0 )
+		{
+		safe_snprintf(errbuf, sizeof(errbuf),
+			 "unknown data link type 0x%x", dl);
+		Close();
+		}
+
+	datalink = dl;
+	}
+
+void PktSrc::Close()
+	{
+	if ( pd )
+		{
+		pcap_close(pd);
+		pd = 0;
+		closed = true;
+		}
+	}
+
+void PktSrc::AddSecondaryTablePrograms()
+	{
+	BPF_Program* program;
+
+	loop_over_list(secondary_path->EventTable(), i)
+		{
+		SecondaryEvent* se = secondary_path->EventTable()[i];
+		program = new BPF_Program();
+
+		if ( ! program->Compile(snaplen, datalink, se->Filter(),
+					netmask, errbuf, sizeof(errbuf)) )
+			{
+			delete program;
+			Close();
+			}
+
+		SecondaryProgram* sp = new SecondaryProgram(program, se);
+		program_list.append(sp);
+		}
+	}
+
+void PktSrc::Statistics(Stats* s)
+	{
+	struct pcap_stat pstat;
+
+	if ( reading_traces )
+		s->received = s->dropped = s->link = 0;
+
+	else if ( pcap_stats(pd, &pstat) < 0 )
+		{
+		run_time("problem getting packet filter statistics: %s",
+				ErrorMsg());
+		s->received = s->dropped = s->link = 0;
+		}
+
+	s->received = stats.received;
+	s->dropped = pstat.ps_drop;
+	s->link = pstat.ps_recv;
+
+	if ( pseudo_realtime )
+		s->dropped = 0;
+
+	stats.dropped = s->dropped;
+	}
+
+PktInterfaceSrc::PktInterfaceSrc(const char* arg_interface, const char* filter,
+					PktSrc_Filter_Type ft)
+: PktSrc()
+	{
+	char tmp_errbuf[PCAP_ERRBUF_SIZE];
+	filter_type = ft;
+
+	// Determine interface if not specified.
+	if ( ! arg_interface && ! (arg_interface = pcap_lookupdev(tmp_errbuf)) )
+		{
+		safe_snprintf(errbuf, sizeof(errbuf),
+			 "pcap_lookupdev: %s", tmp_errbuf);
+		return;
+		}
+
+	interface = copy_string(arg_interface);
+
+	// Determine network and netmask.
+	uint32 net;
+	if ( pcap_lookupnet(interface, &net, &netmask, tmp_errbuf) < 0 )
+		{
+		// ### The lookup can fail if no address is assigned to
+		// the interface; and libpcap doesn't have any useful notion
+		// of error codes, just error strings - how bogus - so we
+		// just kludge around the error :-(.
+		// sprintf(errbuf, "pcap_lookupnet %s", tmp_errbuf);
+		// return;
+		net = 0;
+		netmask = 0xffffff00;
+		}
+
+#ifdef USE_SELECT_LOOP
+	// We use the smallest time-out possible to return almost immediately if
+	// no packets are available. (We can't use set_nonblocking() as it's
+	// broken on FreeBSD: even when select() indicates that we can read
+	// something, we may get nothing if the store buffer hasn't filled up
+	// yet.)
+	pd = pcap_open_live(interface, snaplen, 1, 1, tmp_errbuf);
+#else
+	pd = pcap_open_live(interface, snaplen, 1, PCAP_TIMEOUT, tmp_errbuf);
+#endif
+
+	if ( ! pd )
+		{
+		safe_snprintf(errbuf, sizeof(errbuf),
+			 "pcap_open_live: %s", tmp_errbuf);
+		closed = true;
+		return;
+		}
+
+	// ### This needs autoconf'ing.
+#ifdef HAVE_PCAP_INT_H
+	fprintf(stderr, "pcap bufsize = %d\n", ((struct pcap *) pd)->bufsize);
+#endif
+
+#ifdef USE_SELECT_LOOP
+
+#ifdef HAVE_LINUX
+	if ( pcap_setnonblock(pd, 1, tmp_errbuf) < 0 )
+		{
+		safe_snprintf(errbuf, sizeof(errbuf),
+			 "pcap_setnonblock: %s", tmp_errbuf);
+		pcap_close(pd);
+		closed = true;
+		return;
+		}
+#endif
+	selectable_fd = pcap_fileno(pd);
+#endif
+
+	if ( PrecompileFilter(0, filter) && SetFilter(0) )
+		{
+		SetHdrSize();
+		fprintf(stderr, "listening on %s\n", interface);
+		}
+	else
+		closed = true;
+	}
+
+
+PktFileSrc::PktFileSrc(const char* arg_readfile, const char* filter,
+			PktSrc_Filter_Type ft)
+: PktSrc()
+	{
+	readfile = copy_string(arg_readfile);
+
+	filter_type = ft;
+
+	pd = pcap_open_offline((char*) readfile, errbuf);
+
+	if ( pd && PrecompileFilter(0, filter) && SetFilter(0) )
+		{
+		SetHdrSize();
+
+		if ( closed )
+			// Unknown link layer type.
+			return;
+
+#ifdef USE_SELECT_LOOP
+		// We don't put file sources into non-blocking mode as
+		// otherwise we would not be able to identify the EOF
+		// via next_packet().
+
+		selectable_fd = fileno(pcap_file(pd));
+
+		if ( selectable_fd < 0 )
+			internal_error("OS does not support selectable pcap fd");
+#endif
+		}
+	else
+		closed = true;
+	}
+
+
+SecondaryPath::SecondaryPath()
+	{
+	filter = 0;
+
+	// Glue together the secondary filter, if exists.
+	Val* secondary_fv = internal_val("secondary_filters");
+	if ( secondary_fv->AsTableVal()->Size() == 0 )
+		return;
+
+	int did_first = 0;
+	const TableEntryValPDict* v = secondary_fv->AsTable();
+	IterCookie* c = v->InitForIteration();
+	TableEntryVal* tv;
+	HashKey* h;
+
+	while ( (tv = v->NextEntry(h, c)) )
+		{
+		// Get the index values.
+		ListVal* index =
+			secondary_fv->AsTableVal()->RecoverIndex(h);
+
+		const char* str =
+			index->Index(0)->Ref()->AsString()->CheckString();
+
+		if ( ++did_first == 1 )
+			{
+			filter = copy_string(str);
+			}
+		else
+			{
+			if ( strlen(filter) > 0 )
+				{
+				char* tmp_f = new char[strlen(str) + strlen(filter) + 32];
+				if ( strlen(str) == 0 )
+					sprintf(tmp_f, "%s", filter);
+				else
+					sprintf(tmp_f, "(%s) or (%s)", filter, str);
+				delete [] filter;
+				filter = tmp_f;
+				}
+			}
+
+		// Build secondary_path event table item and link it.
+		SecondaryEvent* se =
+			new SecondaryEvent(index->Index(0)->Ref()->AsString()->CheckString(),
+				tv->Value()->AsFunc() );
+
+		event_list.append(se);
+
+		delete h;
+		}
+	}
+
+SecondaryPath::~SecondaryPath()
+	{
+	loop_over_list(event_list, i)
+		delete event_list[i];
+
+	delete [] filter;
+	}
+
+
+SecondaryProgram::~SecondaryProgram()
+	{
+	delete program;
+	}
+
+PktDumper::PktDumper(const char* arg_filename, bool arg_append)
+	{
+	filename[0] = '\0';
+	is_error = false;
+	append = arg_append;
+	dumper = 0;
+
+	// We need a pcap_t with a reasonable link-layer type. We try to get it
+	// from the packet sources. If not available, we fall back to Ethernet.
+	// FIXME: Perhaps we should make this configurable?
+	int linktype = -1;
+
+	if ( pkt_srcs.length() )
+		linktype = pkt_srcs[0]->LinkType();
+
+	if ( linktype < 0 )
+		linktype = DLT_EN10MB;
+
+	pd = pcap_open_dead(linktype, 8192);
+	if ( ! pd )
+		{
+		Error("error for pcap_open_dead");
+		return;
+		}
+
+	if ( arg_filename )
+		Open(arg_filename);
+	}
+
+bool PktDumper::Open(const char* arg_filename)
+	{
+	if ( ! arg_filename && ! *filename )
+		{
+		Error("no filename given");
+		return false;
+		}
+
+	if ( arg_filename )
+		{
+		if ( dumper && streq(arg_filename, filename) )
+			// Already open.
+			return true;
+
+		safe_strncpy(filename, arg_filename, FNBUF_LEN);
+		}
+
+	if ( dumper )
+		Close();
+
+	struct stat s;
+	int exists = 0;
+
+	if ( append )
+		{
+		// See if output file already exists (and is non-empty).
+		exists = stat(filename, &s); ;
+
+		if ( exists < 0 && errno != ENOENT )
+			{
+			Error(fmt("can't stat file %s: %s", filename, strerror(errno)));
+			return false;
+			}
+		}
+
+	if ( ! append || exists < 0 || s.st_size == 0 )
+		{
+		// Open new file.
+		dumper =  pcap_dump_open(pd, filename);
+		if ( ! dumper )
+			{
+			Error(pcap_geterr(pd));
+			return false;
+			}
+		}
+
+	else
+		{
+		// Old file and we need to append, which, unfortunately,
+		// is not supported by libpcap. So, we have to hack a
+		// little bit, knowing that pcap_dumpter_t is, in fact,
+		// a FILE ... :-(
+		dumper = (pcap_dumper_t*) fopen(filename, "a");
+		if ( ! dumper )
+			{
+			Error(fmt("can't open dump %s: %s", filename, strerror(errno)));
+			return false;
+			}
+		}
+
+	open_time = network_time;
+	is_error = false;
+	return true;
+	}
+
+bool PktDumper::Close()
+	{
+	if ( dumper )
+		{
+		pcap_dump_close(dumper);
+		dumper = 0;
+		is_error = false;
+		}
+
+	return true;
+	}
+
+bool PktDumper::Dump(const struct pcap_pkthdr* hdr, const u_char* pkt)
+	{
+	if ( ! dumper )
+		return false;
+
+	if ( ! open_time )
+		open_time = network_time;
+
+	pcap_dump((u_char*) dumper, hdr, pkt);
+
+	return true;
+	}
+
+void PktDumper::Error(const char* errstr)
+	{
+	safe_strncpy(errbuf, errstr, sizeof(errbuf));
+	is_error = true;
+	}
+
+int get_link_header_size(int dl)
+	{
+	switch ( dl ) {
+	case DLT_NULL:
+		return 4;
+
+	case DLT_EN10MB:
+		return 14;
+
+	case DLT_FDDI:
+		return 13 + 8;	// fddi_header + LLC
+
+#ifdef DLT_LINUX_SLL
+	case DLT_LINUX_SLL:
+		return 16;
+#endif
+
+	case DLT_RAW:
+		return 0;
+	}
+
+	return -1;
+	}
diff --git a/src/PktSrc.h b/src/PktSrc.h
new file mode 100644
index 0000000000..04524ec405
--- /dev/null
+++ b/src/PktSrc.h
@@ -0,0 +1,260 @@
+// $Id: PktSrc.h 6916 2009-09-24 20:48:36Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#ifndef pktsrc_h
+#define pktsrc_h
+
+#include "Dict.h"
+#include "Expr.h"
+#include "BPF_Program.h"
+#include "IOSource.h"
+#include "RemoteSerializer.h"
+
+#define BRO_PCAP_ERRBUF_SIZE   PCAP_ERRBUF_SIZE + 256
+
+extern "C" {
+#include <pcap.h>
+}
+
+declare(PDict,BPF_Program);
+
+// Whether a PktSrc object is used by the normal filter structure or the
+// secondary-path structure.
+typedef enum {
+	TYPE_FILTER_NORMAL,  // the normal filter
+	TYPE_FILTER_SECONDARY,  // the secondary-path filter
+} PktSrc_Filter_Type;
+
+
+// {filter,event} tuples conforming the secondary path.
+class SecondaryEvent {
+public:
+	SecondaryEvent(const char* arg_filter, Func* arg_event)
+		{
+		filter = arg_filter;
+		event = arg_event;
+		}
+
+	const char* Filter()	{ return filter; }
+	Func* Event()		{ return event; }
+
+private:
+	const char* filter;
+	Func* event;
+};
+
+declare(PList,SecondaryEvent);
+typedef PList(SecondaryEvent) secondary_event_list;
+
+
+
+class SecondaryPath {
+public:
+	SecondaryPath();
+	~SecondaryPath();
+
+	secondary_event_list& EventTable()	{ return event_list; }
+	const char* Filter()			{ return filter; }
+
+private:
+	secondary_event_list event_list;
+	// OR'ed union of all SecondaryEvent filters
+	char* filter;
+};
+
+// Main secondary-path object.
+extern SecondaryPath* secondary_path;
+
+
+// {program, {filter,event}} tuple table.
+class SecondaryProgram {
+public:
+	SecondaryProgram(BPF_Program* arg_program, SecondaryEvent* arg_event)
+		{
+		program = arg_program;
+		event = arg_event;
+		}
+
+	~SecondaryProgram();
+
+	BPF_Program* Program()  { return program; }
+	SecondaryEvent* Event()	{ return event; }
+
+private:
+	// Associated program.
+	BPF_Program *program;
+
+	// Event that is run in case the program is matched.
+	SecondaryEvent* event;
+};
+
+declare(PList,SecondaryProgram);
+typedef PList(SecondaryProgram) secondary_program_list;
+
+
+
+class PktSrc : public IOSource {
+public:
+	~PktSrc();
+
+	// IOSource interface
+	bool IsReady();
+	void GetFds(int* read, int* write, int* except);
+	double NextTimestamp(double* local_network_time);
+	void Process();
+	const char* Tag()	{ return "PktSrc"; }
+
+	const char* ErrorMsg() const	{ return errbuf; }
+	void ClearErrorMsg()		{ *errbuf ='\0'; }
+
+	// Returns the packet last processed; false if there is no
+	// current packet available.
+	bool GetCurrentPacket(const pcap_pkthdr** hdr, const u_char** pkt);
+
+	int HdrSize() const		{ return hdr_size; }
+	int DataLink() const		{ return datalink; }
+
+	void ConsumePacket()	{ data = 0; }
+
+	int IsLive() const		{ return interface != 0; }
+
+	pcap_t* PcapHandle() const	{ return pd; }
+	int LinkType() const		{ return pcap_datalink(pd); }
+
+	const char* ReadFile() const	{ return readfile; }
+	const char* Interface() const	{ return interface; }
+	PktSrc_Filter_Type FilterType() const	{ return filter_type; }
+	void AddSecondaryTablePrograms();
+	const secondary_program_list& ProgramTable() const
+		{ return program_list; }
+
+	// Signal packet source that processing was suspended and is now going
+	// to be continued.
+	void ContinueAfterSuspend();
+
+	// Only valid in pseudo-realtime mode.
+	double CurrentPacketTimestamp()	{ return current_pseudo; }
+	double CurrentPacketWallClock();
+
+	struct Stats {
+		unsigned int received;	// pkts received (w/o drops)
+		unsigned int dropped;	// pkts dropped
+		unsigned int link;	// total packets on link
+					// (not always not available)
+	};
+
+	virtual void Statistics(Stats* stats);
+
+	// Precompiles a filter and associates the given index with it.
+	// Returns true on success, 0 if a problem occurred.
+	virtual int PrecompileFilter(int index, const char* filter);
+
+	// Activates the filter with the given index.
+	// Returns true on success, 0 if a problem occurred.
+	virtual int SetFilter(int index);
+
+protected:
+	PktSrc();
+
+	static const int PCAP_TIMEOUT = 20;
+
+	void SetHdrSize();
+
+	virtual void Close();
+
+	// Returns 1 on success, 0 on time-out/gone dry.
+	virtual int ExtractNextPacket();
+
+	// Checks if the current packet has a pseudo-time <= current_time.
+	// If yes, returns pseudo-time, otherwise 0.
+	double CheckPseudoTime();
+
+	double current_timestamp;
+	double next_timestamp;
+
+	// Only set in pseudo-realtime mode.
+	double first_timestamp;
+	double first_wallclock;
+	double current_wallclock;
+	double current_pseudo;
+
+	struct pcap_pkthdr hdr;
+	const u_char* data;	// contents of current packet
+	const u_char* last_data;	// same, but unaffected by consuming
+	int hdr_size;
+	int datalink;
+	double next_sync_point; // For trace synchronziation in pseudo-realtime
+
+	char* interface;	// nil if not reading from an interface
+	char* readfile;		// nil if not reading from a file
+
+	pcap_t* pd;
+	int selectable_fd;
+	uint32 netmask;
+	char errbuf[BRO_PCAP_ERRBUF_SIZE];
+
+	Stats stats;
+
+	PDict(BPF_Program) filters; // precompiled filters
+
+	PktSrc_Filter_Type filter_type; // normal path or secondary path
+	secondary_program_list program_list;
+};
+
+class PktInterfaceSrc : public PktSrc {
+public:
+	PktInterfaceSrc(const char* interface, const char* filter,
+			PktSrc_Filter_Type ft=TYPE_FILTER_NORMAL);
+};
+
+class PktFileSrc : public PktSrc {
+public:
+	PktFileSrc(const char* readfile, const char* filter,
+			PktSrc_Filter_Type ft=TYPE_FILTER_NORMAL);
+};
+
+
+extern int get_link_header_size(int dl);
+
+class PktDumper {
+public:
+	PktDumper(const char* file = 0, bool append = false);
+	~PktDumper()	{ Close(); }
+
+	bool Open(const char* file = 0);
+	bool Close();
+	bool Dump(const struct pcap_pkthdr* hdr, const u_char* pkt);
+
+	pcap_dumper_t* PcapDumper() 	{ return dumper; }
+
+	const char* FileName() const	{ return filename; }
+	bool IsError() const		{ return is_error; }
+	const char* ErrorMsg() const	{ return errbuf; }
+
+	// This heuristic will horribly fail if we're using packets
+	// with different link layers.  (If we can't derive a reasonable value
+	// from the packet sources, our fall-back is Ethernet.)
+	int HdrSize() const
+		{ return get_link_header_size(pcap_datalink(pd)); }
+
+	// Network time when dump file was opened.
+	double OpenTime() const		{ return open_time; }
+
+private:
+	void InitPd();
+	void Error(const char* str);
+
+	static const int FNBUF_LEN = 1024;
+	char filename[FNBUF_LEN];
+
+	bool append;
+	pcap_dumper_t* dumper;
+	pcap_t* pd;
+	double open_time;
+
+	bool is_error;
+	char errbuf[BRO_PCAP_ERRBUF_SIZE];
+};
+
+#endif
diff --git a/src/PolicyFile.cc b/src/PolicyFile.cc
new file mode 100644
index 0000000000..dd1feaf498
--- /dev/null
+++ b/src/PolicyFile.cc
@@ -0,0 +1,168 @@
+// $Id: PolicyFile.cc 1473 2005-10-06 21:32:45Z vern $
+
+#include "config.h"
+
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <assert.h>
+
+#include <map>
+#include <stdio.h>
+#include <string>
+#include <vector>
+
+using namespace std;
+
+#include "Debug.h"
+#include "util.h"
+#include "PolicyFile.h"
+
+struct PolicyFile {
+	PolicyFile ()	{ filedata = 0; lmtime = 0; }
+	~PolicyFile ()	{ delete [] filedata; filedata = 0; }
+
+	time_t lmtime;
+	char* filedata;
+	vector<const char*> lines;
+};
+
+typedef map<string, PolicyFile*> PolicyFileMap;
+static PolicyFileMap policy_files;
+
+int how_many_lines_in(const char* policy_filename)
+	{
+	if ( ! policy_filename )
+		internal_error("NULL value passed to how_many_lines_in\n");
+
+	FILE* throwaway = fopen(policy_filename, "r");
+	if ( ! throwaway )
+		{
+		debug_msg("No such policy file: %s.\n", policy_filename);
+		return -1;
+		}
+
+	fclose(throwaway);
+
+	PolicyFileMap::iterator match;
+	match = policy_files.find(policy_filename);
+
+	if ( match == policy_files.end() )
+		{
+		match = policy_files.find(policy_filename);
+		if ( match == policy_files.end() )
+			{
+			debug_msg("Policy file %s was not loaded.\n", policy_filename);
+			return -1;
+			}
+		}
+
+	PolicyFile* pf = match->second;
+	return pf->lines.size();
+	}
+
+bool LoadPolicyFileText(const char* policy_filename)
+	{
+	if ( ! policy_filename )
+		return true;
+
+	FILE* f = fopen(policy_filename, "r");
+
+	if ( ! f )
+		{
+		debug_msg("No such policy file: %s.\n", policy_filename);
+		return false;
+		}
+
+	PolicyFile* pf = new PolicyFile;
+
+	if ( policy_files.find(policy_filename) != policy_files.end() )
+		debug_msg("Policy file %s already loaded\n", policy_filename);
+
+	policy_files.insert(PolicyFileMap::value_type(policy_filename, pf));
+
+	struct stat st;
+	fstat(fileno(f), &st);
+
+	pf->lmtime = st.st_mtime;
+	off_t size = st.st_size;
+
+	// ### This code is not necessarily Unicode safe!
+	// (probably fine with UTF-8)
+	pf->filedata = new char[size+1];
+	fread(pf->filedata, size, 1, f);
+	pf->filedata[size] = 0;
+	fclose(f);
+
+	// Separate the string by newlines.
+	pf->lines.push_back(pf->filedata);
+	for ( char* iter = pf->filedata; *iter; ++iter )
+		{
+		if ( *iter == '\n' )
+			{
+			*iter = 0;
+			if ( *(iter + 1) )
+				pf->lines.push_back(iter + 1);
+			}
+		}
+
+	for ( int i = 0; i < int(pf->lines.size()); ++i )
+		assert(pf->lines[i][0] != '\n');
+
+	return true;
+	}
+
+// REMEMBER: line number arguments are indexed from 0.
+bool PrintLines(const char* policy_filename, unsigned int start_line,
+		unsigned int how_many_lines, bool show_numbers)
+	{
+	if ( ! policy_filename )
+		return true;
+
+	FILE* throwaway = fopen(policy_filename, "r");
+	if ( ! throwaway )
+		{
+		debug_msg("No such policy file: %s.\n", policy_filename);
+		return false;
+		}
+
+	fclose(throwaway);
+
+	PolicyFileMap::iterator match;
+	match = policy_files.find(policy_filename);
+
+	if ( match == policy_files.end() )
+		{
+		match = policy_files.find(policy_filename);
+		if ( match == policy_files.end() )
+			{
+			debug_msg("Policy file %s was not loaded.\n", policy_filename);
+			return false;
+			}
+		}
+
+	PolicyFile* pf = match->second;
+
+	if ( start_line < 1 )
+		start_line = 1;
+
+	if ( start_line > pf->lines.size() )
+		{
+		debug_msg("Line number %d out of range; %s has %d lines\n",
+			start_line, policy_filename, int(pf->lines.size()));
+		return false;
+		}
+
+	if ( start_line + how_many_lines - 1 > pf->lines.size() )
+		how_many_lines = pf->lines.size() - start_line + 1;
+
+	for ( unsigned int i = 0; i < how_many_lines; ++i )
+		{
+		if ( show_numbers )
+			debug_msg("%d\t", i + start_line);
+
+		const char* line = pf->lines[start_line + i - 1];
+		debug_msg("%s\n", line);
+		}
+
+	return true;
+	}
diff --git a/src/PolicyFile.h b/src/PolicyFile.h
new file mode 100644
index 0000000000..ac040d5584
--- /dev/null
+++ b/src/PolicyFile.h
@@ -0,0 +1,23 @@
+// $Id: PolicyFile.h 80 2004-07-14 20:15:50Z jason $
+
+// Functions for displaying the contents of policy files.
+// Mostly useful for debugging code that wants to show context.
+//
+// Summary:
+//	All files that are going to be accessed should be passed to LoadFile
+//	(probably in the lexer). Then later any function that so desires
+//	can call a relevant function. Note that since it caches the contents,
+//	changes to the policy files will not be reflected until restart,
+//	which is probably good since it'll always display the code that Bro
+//	is actually using.
+
+// policy_filename arguments should be absolute or relative paths;
+// no expansion is done.
+
+int how_many_lines_in(const char* policy_filename);
+
+bool LoadPolicyFileText(const char* policy_filename);
+
+// start_line is 1-based (the intuitive way)
+bool PrintLines(const char* policy_filename, unsigned int start_line,
+		unsigned int how_many_lines, bool show_numbers);
diff --git a/src/Portmap.cc b/src/Portmap.cc
new file mode 100644
index 0000000000..af9383297f
--- /dev/null
+++ b/src/Portmap.cc
@@ -0,0 +1,320 @@
+// $Id: Portmap.cc 6219 2008-10-01 05:39:07Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "config.h"
+
+#include "NetVar.h"
+#include "XDR.h"
+#include "Portmap.h"
+#include "Event.h"
+
+#define PMAPPROC_NULL 0
+#define PMAPPROC_SET 1
+#define PMAPPROC_UNSET 2
+#define PMAPPROC_GETPORT 3
+#define PMAPPROC_DUMP 4
+#define PMAPPROC_CALLIT 5
+
+int PortmapperInterp::RPC_BuildCall(RPC_CallInfo* c, const u_char*& buf, int& n)
+	{
+	if ( c->Program() != 100000 )
+		Weird("bad_RPC_program");
+
+	switch ( c->Proc() ) {
+	case PMAPPROC_NULL:
+		break;
+
+	case PMAPPROC_SET:
+		{
+		Val* m = ExtractMapping(buf, n);
+		if ( ! m )
+			return 0;
+		c->AddVal(m);
+		}
+		break;
+
+	case PMAPPROC_UNSET:
+		{
+		Val* m = ExtractMapping(buf, n);
+		if ( ! m )
+			return 0;
+		c->AddVal(m);
+		}
+		break;
+
+	case PMAPPROC_GETPORT:
+		{
+		Val* pr = ExtractPortRequest(buf, n);
+		if ( ! pr )
+			return 0;
+		c->AddVal(pr);
+		}
+		break;
+
+	case PMAPPROC_DUMP:
+		break;
+
+	case PMAPPROC_CALLIT:
+		{
+		Val* call_it = ExtractCallItRequest(buf, n);
+		if ( ! call_it )
+			return 0;
+		c->AddVal(call_it);
+		}
+		break;
+
+	default:
+		return 0;
+	}
+
+	return 1;
+	}
+
+int PortmapperInterp::RPC_BuildReply(const RPC_CallInfo* c, int success,
+					const u_char*& buf, int& n,
+					EventHandlerPtr& event, Val*& reply)
+	{
+	reply = 0;
+
+	switch ( c->Proc() ) {
+	case PMAPPROC_NULL:
+		event = success ? pm_request_null : pm_attempt_null;
+		break;
+
+	case PMAPPROC_SET:
+		if ( success )
+			{
+			uint32 status = extract_XDR_uint32(buf, n);
+			if ( ! buf )
+				return 0;
+
+			reply = new Val(status, TYPE_BOOL);
+			event = pm_request_set;
+			}
+		else
+			event = pm_attempt_set;
+
+		break;
+
+	case PMAPPROC_UNSET:
+		if ( success )
+			{
+			uint32 status = extract_XDR_uint32(buf, n);
+			if ( ! buf )
+				return 0;
+
+			reply = new Val(status, TYPE_BOOL);
+			event = pm_request_unset;
+			}
+		else
+			event = pm_attempt_unset;
+
+		break;
+
+	case PMAPPROC_GETPORT:
+		if ( success )
+			{
+			uint32 port = extract_XDR_uint32(buf, n);
+			if ( ! buf )
+				return 0;
+
+			RecordVal* rv = c->RequestVal()->AsRecordVal();
+			Val* is_tcp = rv->Lookup(2);
+			reply = new PortVal(CheckPort(port),
+					is_tcp->IsOne() ?
+						TRANSPORT_TCP : TRANSPORT_UDP);
+			event = pm_request_getport;
+			}
+		else
+			event = pm_attempt_getport;
+		break;
+
+	case PMAPPROC_DUMP:
+		event = success ? pm_request_dump : pm_attempt_dump;
+		if ( success )
+			{
+			TableVal* mappings = new TableVal(pm_mappings);
+			uint32 nmap = 0;
+
+			// Each call in the loop test pulls the next "opted"
+			// element to see if there are more mappings.
+			while ( extract_XDR_uint32(buf, n) && buf )
+				{
+				Val* m = ExtractMapping(buf, n);
+				if ( ! m )
+					break;
+
+				Val* index = new Val(++nmap, TYPE_COUNT);
+				mappings->Assign(index, m);
+				Unref(index);
+				}
+
+			if ( ! buf )
+				{
+				Unref(mappings);
+				return 0;
+				}
+
+			reply = mappings;
+			event = pm_request_dump;
+			}
+		else
+			event = pm_attempt_dump;
+		break;
+
+	case PMAPPROC_CALLIT:
+		if ( success )
+			{
+			uint32 port = extract_XDR_uint32(buf, n);
+			int reply_n;
+			const u_char* opaque_reply =
+				extract_XDR_opaque(buf, n, reply_n);
+			if ( ! opaque_reply )
+				return 0;
+
+			reply = new PortVal(CheckPort(port), TRANSPORT_UDP);
+			event = pm_request_callit;
+			}
+		else
+			event = pm_attempt_callit;
+		break;
+
+	default:
+		return 0;
+	}
+
+	return 1;
+	}
+
+Val* PortmapperInterp::ExtractMapping(const u_char*& buf, int& len)
+	{
+	RecordVal* mapping = new RecordVal(pm_mapping);
+
+	mapping->Assign(0, new Val(extract_XDR_uint32(buf, len), TYPE_COUNT));
+	mapping->Assign(1, new Val(extract_XDR_uint32(buf, len), TYPE_COUNT));
+
+	int is_tcp = extract_XDR_uint32(buf, len) == IPPROTO_TCP;
+	uint32 port = extract_XDR_uint32(buf, len);
+	mapping->Assign(2, new PortVal(CheckPort(port),
+			is_tcp ? TRANSPORT_TCP : TRANSPORT_UDP));
+
+	if ( ! buf )
+		{
+		Unref(mapping);
+		return 0;
+		}
+
+	return mapping;
+	}
+
+Val* PortmapperInterp::ExtractPortRequest(const u_char*& buf, int& len)
+	{
+	RecordVal* pr = new RecordVal(pm_port_request);
+
+	pr->Assign(0, new Val(extract_XDR_uint32(buf, len), TYPE_COUNT));
+	pr->Assign(1, new Val(extract_XDR_uint32(buf, len), TYPE_COUNT));
+
+	int is_tcp = extract_XDR_uint32(buf, len) == IPPROTO_TCP;
+	pr->Assign(2, new Val(is_tcp, TYPE_BOOL));
+	(void) extract_XDR_uint32(buf, len);	// consume the bogus port
+
+	if ( ! buf )
+		{
+		Unref(pr);
+		return 0;
+		}
+
+	return pr;
+	}
+
+Val* PortmapperInterp::ExtractCallItRequest(const u_char*& buf, int& len)
+	{
+	RecordVal* c = new RecordVal(pm_callit_request);
+
+	c->Assign(0, new Val(extract_XDR_uint32(buf, len), TYPE_COUNT));
+	c->Assign(1, new Val(extract_XDR_uint32(buf, len), TYPE_COUNT));
+	c->Assign(2, new Val(extract_XDR_uint32(buf, len), TYPE_COUNT));
+
+	int arg_n;
+	(void) extract_XDR_opaque(buf, len, arg_n);
+	c->Assign(3, new Val(arg_n, TYPE_COUNT));
+
+	if ( ! buf )
+		{
+		Unref(c);
+		return 0;
+		}
+
+	return c;
+	}
+
+uint32 PortmapperInterp::CheckPort(uint32 port)
+	{
+	if ( port >= 65536 )
+		{
+		if ( pm_bad_port )
+			{
+			val_list* vl = new val_list;
+			vl->append(analyzer->BuildConnVal());
+			vl->append(new Val(port, TYPE_COUNT));
+			analyzer->ConnectionEvent(pm_bad_port, vl);
+			}
+
+		port = 0;
+		}
+
+	return port;
+	}
+
+void PortmapperInterp::Event(EventHandlerPtr f, Val* request, int status, Val* reply)
+	{
+	if ( ! f )
+		{
+		Unref(request);
+		Unref(reply);
+		return;
+		}
+
+	val_list* vl = new val_list;
+
+	vl->append(analyzer->BuildConnVal());
+	if ( status == RPC_SUCCESS )
+		{
+		if ( request )
+			vl->append(request);
+		if ( reply )
+			vl->append(reply);
+		}
+	else
+		{
+		vl->append(new EnumVal(status, enum_rpc_status));
+		if ( request )
+			vl->append(request);
+		}
+
+	analyzer->ConnectionEvent(f, vl);
+	}
+
+Portmapper_Analyzer::Portmapper_Analyzer(Connection* conn)
+: RPC_Analyzer(AnalyzerTag::Portmapper, conn, new PortmapperInterp(this))
+	{
+	orig_rpc = resp_rpc = 0;
+	}
+
+Portmapper_Analyzer::~Portmapper_Analyzer()
+	{
+	}
+
+void Portmapper_Analyzer::Init()
+	{
+	RPC_Analyzer::Init();
+
+	if ( Conn()->ConnTransport() == TRANSPORT_TCP )
+		{
+		orig_rpc = new Contents_RPC(Conn(), true, interp);
+		resp_rpc = new Contents_RPC(Conn(), false, interp);
+		AddSupportAnalyzer(orig_rpc);
+		AddSupportAnalyzer(resp_rpc);
+		}
+	}
diff --git a/src/Portmap.h b/src/Portmap.h
new file mode 100644
index 0000000000..6595fc86d3
--- /dev/null
+++ b/src/Portmap.h
@@ -0,0 +1,41 @@
+// $Id: Portmap.h 6219 2008-10-01 05:39:07Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#ifndef portmap_h
+#define portmap_h
+
+#include "RPC.h"
+
+class PortmapperInterp : public RPC_Interpreter {
+public:
+	PortmapperInterp(Analyzer* arg_analyzer) : RPC_Interpreter(arg_analyzer) { }
+
+protected:
+	int RPC_BuildCall(RPC_CallInfo* c, const u_char*& buf, int& n);
+	int RPC_BuildReply(const RPC_CallInfo* c, int success,
+				const u_char*& buf, int& n,
+				EventHandlerPtr& event, Val*& reply);
+	uint32 CheckPort(uint32 port);
+
+	void Event(EventHandlerPtr f, Val* request, int status, Val* reply);
+
+	Val* ExtractMapping(const u_char*& buf, int& len);
+	Val* ExtractPortRequest(const u_char*& buf, int& len);
+	Val* ExtractCallItRequest(const u_char*& buf, int& len);
+};
+
+class Portmapper_Analyzer : public RPC_Analyzer {
+public:
+	Portmapper_Analyzer(Connection* conn);
+	virtual ~Portmapper_Analyzer();
+	virtual void Init();
+
+	static Analyzer* InstantiateAnalyzer(Connection* conn)
+		{ return new Portmapper_Analyzer(conn); }
+
+	static bool Available()
+		{ return pm_request || rpc_call; }
+};
+
+#endif
diff --git a/src/PrefixTable.cc b/src/PrefixTable.cc
new file mode 100644
index 0000000000..e654b8440e
--- /dev/null
+++ b/src/PrefixTable.cc
@@ -0,0 +1,184 @@
+// $Id: PrefixTable.cc 1016 2005-01-31 21:23:50Z vern $
+
+#include "PrefixTable.h"
+
+// IPv4 version.
+inline static prefix_t* make_prefix(const uint32 addr, int width)
+	{
+	prefix_t* prefix = (prefix_t*) safe_malloc(sizeof(prefix_t));
+
+	memcpy(&prefix->add.sin, &addr, sizeof(prefix->add.sin)) ;
+	prefix->family = AF_INET;
+	prefix->bitlen = width;
+	prefix->ref_count = 1;
+
+	return prefix;
+	}
+
+#ifdef BROv6
+inline static prefix_t* make_prefix(const uint32* addr, int width)
+	{
+	prefix_t* prefix = (prefix_t*) safe_malloc(sizeof(prefix_t));
+
+	memcpy(&prefix->add.sin6, addr, 4 * sizeof(uint32));
+	prefix->family = AF_INET6;
+	prefix->bitlen = width;
+	prefix->ref_count = 1;
+
+	return prefix;
+	}
+#endif
+
+void* PrefixTable::Insert(const_addr_type addr, int width, void* data)
+	{
+	prefix_t* prefix = make_prefix(addr, width);
+	patricia_node_t* node = patricia_lookup(tree, prefix);
+	Deref_Prefix(prefix);
+
+	if ( ! node )
+		internal_error("Cannot create node in patricia tree");
+
+	void* old = node->data;
+
+	// If there is no data to be associated with addr, we take the
+	// node itself.
+	node->data = data ? data : node;
+
+	return old;
+	}
+
+void* PrefixTable::Insert(const Val* value, void* data)
+	{
+	// [elem] -> elem
+	if ( value->Type()->Tag() == TYPE_LIST &&
+	     value->AsListVal()->Length() == 1 )
+		value = value->AsListVal()->Index(0);
+
+	switch ( value->Type()->Tag() ) {
+	case TYPE_ADDR:
+		return Insert(value->AsAddr(), NUM_ADDR_WORDS * 32, data);
+		break;
+
+	case TYPE_SUBNET:
+		return Insert(value->AsSubNet()->net,
+				value->AsSubNet()->width, data);
+		break;
+
+	default:
+		internal_error("Wrong index type for PrefixTable");
+		return 0;
+	}
+	}
+
+void* PrefixTable::Lookup(const_addr_type addr, int width, bool exact) const
+	{
+	prefix_t* prefix = make_prefix(addr, width);
+	patricia_node_t* node =
+		exact ? patricia_search_exact(tree, prefix) :
+			patricia_search_best(tree, prefix);
+
+	Deref_Prefix(prefix);
+	return node ? node->data : 0;
+	}
+
+void* PrefixTable::Lookup(const Val* value, bool exact) const
+	{
+	// [elem] -> elem
+	if ( value->Type()->Tag() == TYPE_LIST &&
+	     value->AsListVal()->Length() == 1 )
+		value = value->AsListVal()->Index(0);
+
+	switch ( value->Type()->Tag() ) {
+	case TYPE_ADDR:
+		return Lookup(value->AsAddr(), NUM_ADDR_WORDS * 32, exact);
+		break;
+
+	case TYPE_SUBNET:
+		return Lookup(value->AsSubNet()->net,
+				value->AsSubNet()->width, exact);
+		break;
+
+	default:
+		internal_error(fmt("Wrong index type %d for PrefixTable",
+					value->Type()->Tag()));
+		return 0;
+	}
+	}
+
+void* PrefixTable::Remove(const_addr_type addr, int width)
+	{
+	prefix_t* prefix = make_prefix(addr, width);
+	patricia_node_t* node = patricia_search_exact(tree, prefix);
+	Deref_Prefix(prefix);
+
+	if ( ! node )
+		return 0;
+
+	void* old = node->data;
+	patricia_remove(tree, node);
+
+	return old;
+	}
+
+void* PrefixTable::Remove(const Val* value)
+	{
+	// [elem] -> elem
+	if ( value->Type()->Tag() == TYPE_LIST &&
+	     value->AsListVal()->Length() == 1 )
+		value = value->AsListVal()->Index(0);
+
+	switch ( value->Type()->Tag() ) {
+	case TYPE_ADDR:
+		return Remove(value->AsAddr(), NUM_ADDR_WORDS * 32);
+		break;
+
+	case TYPE_SUBNET:
+		return Remove(value->AsSubNet()->net, value->AsSubNet()->width);
+		break;
+
+	default:
+		internal_error("Wrong index type for PrefixTable");
+		return 0;
+	}
+	}
+
+PrefixTable::iterator PrefixTable::InitIterator()
+	{
+	iterator i;
+	i.Xsp = i.Xstack;
+	i.Xrn = tree->head;
+	i.Xnode = 0;
+	return i;
+	}
+
+void* PrefixTable::GetNext(iterator* i)
+	{
+	while ( 1 )
+		{
+		i->Xnode = i->Xrn;
+		if ( ! i->Xnode )
+			return 0;
+
+		if ( i->Xrn->l )
+			{
+			if (i->Xrn->r)
+				*i->Xsp++ = i->Xrn->r;
+
+			i->Xrn = i->Xrn->l;
+			}
+
+		else if ( i->Xrn->r )
+			i->Xrn = i->Xrn->r;
+
+		else if (i->Xsp != i->Xstack)
+			i->Xrn = *(--i->Xsp);
+
+		else
+			i->Xrn = (patricia_node_t*) 0;
+
+		if ( i->Xnode->prefix )
+			return (void*) i->Xnode->data;
+		}
+
+	// Not reached.
+	}
diff --git a/src/PrefixTable.h b/src/PrefixTable.h
new file mode 100644
index 0000000000..b718b3c561
--- /dev/null
+++ b/src/PrefixTable.h
@@ -0,0 +1,52 @@
+// $Id: PrefixTable.h 969 2005-01-04 06:36:21Z vern $
+
+#ifndef PREFIXTABLE_H
+#define PREFIXTABLE_H
+
+#include "Val.h"
+#include "net_util.h"
+
+extern "C" {
+	#include "patricia.h"
+}
+
+class PrefixTable {
+private:
+	struct iterator {
+		patricia_node_t* Xstack[PATRICIA_MAXBITS+1];
+		patricia_node_t** Xsp;
+		patricia_node_t* Xrn;
+		patricia_node_t* Xnode;
+	};
+
+public:
+	PrefixTable()	{ tree = New_Patricia(128); }
+	~PrefixTable()	{ Destroy_Patricia(tree, 0); }
+
+	// Addr in network byte order. If data is zero, acts like a set.
+	// Returns ptr to old data if already existing.
+	// For existing items without data, returns non-nil if found.
+	void* Insert(const_addr_type addr, int width, void* data = 0);
+
+	// Value may be addr or subnet.
+	void* Insert(const Val* value, void* data = 0);
+
+	// Returns nil if not found, pointer to data otherwise.
+	// For items without data, returns non-nil if found.
+	// If exact is false, performs exact rather than longest-prefix match.
+	void* Lookup(const_addr_type addr, int width, bool exact = false) const;
+	void* Lookup(const Val* value, bool exact = false) const;
+
+	// Returns pointer to data or nil if not found.
+	void* Remove(const_addr_type addr, int width);
+	void* Remove(const Val* value);
+
+	void Clear()	{ Clear_Patricia(tree, 0); }
+
+	iterator InitIterator();
+	void* GetNext(iterator* i);
+
+	patricia_tree_t* tree;
+};
+
+#endif
diff --git a/src/PriorityQueue.cc b/src/PriorityQueue.cc
new file mode 100644
index 0000000000..2ed4d17d93
--- /dev/null
+++ b/src/PriorityQueue.cc
@@ -0,0 +1,138 @@
+// $Id: PriorityQueue.cc 6219 2008-10-01 05:39:07Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "config.h"
+
+#include <stdio.h>
+#include <stdlib.h>
+
+#include "PriorityQueue.h"
+#include "util.h"
+
+PriorityQueue::PriorityQueue(int initial_size)
+	{
+	max_heap_size = initial_size;
+	heap = new PQ_Element*[max_heap_size];
+	peak_heap_size = heap_size = 0;
+	}
+
+PriorityQueue::~PriorityQueue()
+	{
+	for ( int i = 0; i < heap_size; ++i )
+		delete heap[i];
+
+	delete [] heap;
+	}
+
+PQ_Element* PriorityQueue::Remove()
+	{
+	if ( heap_size == 0 )
+		return 0;
+
+	PQ_Element* top = heap[0];
+
+	--heap_size;
+	SetElement(0, heap[heap_size]);
+	BubbleDown(0);
+
+	top->SetOffset(-1);	// = not in heap
+	return top;
+	}
+
+PQ_Element* PriorityQueue::Remove(PQ_Element* e)
+	{
+	if ( e->Offset() < 0 || e->Offset() >= heap_size ||
+	     heap[e->Offset()] != e )
+		return 0;	// not in heap
+
+	e->MinimizeTime();
+	BubbleUp(e->Offset());
+
+	PQ_Element* e2 = Remove();
+
+	if ( e != e2 )
+		internal_error("inconsistency in PriorityQueue::Remove");
+
+	return e2;
+	}
+
+int PriorityQueue::Add(PQ_Element* e)
+	{
+	SetElement(heap_size, e);
+
+	BubbleUp(heap_size);
+
+	if ( ++heap_size > peak_heap_size )
+		peak_heap_size = heap_size;
+
+	if ( heap_size >= max_heap_size )
+		return Resize(max_heap_size * 2);
+	else
+		return 1;
+	}
+
+int PriorityQueue::Resize(int new_size)
+	{
+	PQ_Element** tmp = new PQ_Element*[new_size];
+	for ( int i = 0; i < max_heap_size; ++i )
+		tmp[i] = heap[i];
+
+	delete [] heap;
+	heap = tmp;
+
+	max_heap_size = new_size;
+
+	return heap != 0;
+	}
+
+void PriorityQueue::BubbleUp(int bin)
+	{
+	if ( bin == 0 )
+		return;
+
+	int p = Parent(bin);
+	if ( heap[p]->Time() > heap[bin]->Time() )
+		{
+		Swap(p, bin);
+		BubbleUp(p);
+		}
+	}
+
+void PriorityQueue::BubbleDown(int bin)
+	{
+	double v = heap[bin]->Time();
+
+	int l = LeftChild(bin);
+	int r = RightChild(bin);
+
+	if ( l >= heap_size )
+		return;		// No children.
+
+	if ( r >= heap_size )
+		{ // Just a left child.
+		if ( heap[l]->Time() < v )
+			Swap(l, bin);
+		}
+
+	else
+		{
+		double lv = heap[l]->Time();
+		double rv = heap[r]->Time();
+
+		if ( lv < rv )
+			{
+			if ( lv < v )
+				{
+				Swap(l, bin);
+				BubbleDown(l);
+				}
+			}
+
+		else if ( rv < v )
+			{
+			Swap(r, bin);
+			BubbleDown(r);
+			}
+		}
+	}
diff --git a/src/PriorityQueue.h b/src/PriorityQueue.h
new file mode 100644
index 0000000000..45028553ce
--- /dev/null
+++ b/src/PriorityQueue.h
@@ -0,0 +1,99 @@
+// $Id: PriorityQueue.h 6219 2008-10-01 05:39:07Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#ifndef __PriorityQueue__
+#define __PriorityQueue__
+
+#include <math.h>
+
+class PriorityQueue;
+
+class PQ_Element {
+public:
+	PQ_Element(double t)	{ time = t; offset = -1; }
+	virtual ~PQ_Element()	{ }
+
+	double Time() const	{ return time; }
+
+	int Offset() const	{ return offset; }
+	void SetOffset(int off)	{ offset = off; }
+
+	void MinimizeTime()	{ time = -HUGE_VAL; }
+
+protected:
+	PQ_Element()		{ }
+	double time;
+	int offset;
+};
+
+class PriorityQueue {
+public:
+	PriorityQueue(int initial_size = 16);
+	~PriorityQueue();
+
+	// Returns the top of queue, or nil if the queue is empty.
+	PQ_Element* Top() const
+		{
+		if ( heap_size == 0 )
+			return 0;
+		else
+			return heap[0];
+		}
+
+	// Removes (and returns) top of queue.  Returns nil if the queue
+	// is empty.
+	PQ_Element* Remove();
+
+	// Removes element e.  Returns e, or nil if e wasn't in the queue.
+	// Note that e will be modified via MinimizeTime().
+	PQ_Element* Remove(PQ_Element* e);
+
+	// Add a new element to the queue.  Returns 0 on failure (not enough
+	// memory to add the element), 1 on success.
+	int Add(PQ_Element* e);
+
+	int Size() const	{ return heap_size; }
+	int PeakSize() const	{ return peak_heap_size; }
+
+protected:
+	int Resize(int new_size);
+
+	void BubbleUp(int bin);
+	void BubbleDown(int bin);
+
+	int Parent(int bin) const
+		{
+		return bin >> 1;
+		}
+
+	int LeftChild(int bin) const
+		{
+		return bin << 1;
+		}
+
+	int RightChild(int bin) const
+		{
+		return LeftChild(bin) + 1;
+		}
+
+	void SetElement(int bin, PQ_Element* e)
+		{
+		heap[bin] = e;
+		e->SetOffset(bin);
+		}
+
+	void Swap(int bin1, int bin2)
+		{
+		PQ_Element* t = heap[bin1];
+		SetElement(bin1, heap[bin2]);
+		SetElement(bin2, t);
+		}
+
+	PQ_Element** heap;
+	int heap_size;
+	int peak_heap_size;
+	int max_heap_size;
+};
+
+#endif
diff --git a/src/Queue.cc b/src/Queue.cc
new file mode 100644
index 0000000000..a0de35777b
--- /dev/null
+++ b/src/Queue.cc
@@ -0,0 +1,139 @@
+// $Id: Queue.cc 6219 2008-10-01 05:39:07Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "config.h"
+
+#include <string.h>
+
+#include "Queue.h"
+
+BaseQueue::BaseQueue(int size)
+	{
+	const int DEFAULT_CHUNK_SIZE = 10;
+
+	chunk_size = DEFAULT_CHUNK_SIZE;
+
+	head = tail = num_entries = 0;
+
+	if ( size < 0 )
+		{
+		entry = new ent[1];
+		max_entries = 0;
+		}
+	else
+		{
+		if ( (entry = new ent[chunk_size+1]) )
+			max_entries = chunk_size;
+		else
+			{
+			entry = new ent[1];
+			max_entries = 0;
+			}
+		}
+	}
+
+void BaseQueue::push_front(ent a)
+	{
+	if ( num_entries == max_entries )
+		{
+		resize(max_entries+chunk_size);	// make more room
+		chunk_size *= 2;
+		}
+
+	++num_entries;
+	if ( head )
+		entry[--head] = a;
+	else
+		{
+		head = max_entries;
+		entry[head] = a;
+		}
+	}
+
+void BaseQueue::push_back(ent a)
+	{
+	if ( num_entries == max_entries )
+		{
+		resize(max_entries+chunk_size);	// make more room
+		chunk_size *= 2;
+		}
+
+	++num_entries;
+	if ( tail < max_entries )
+		entry[tail++] = a;
+	else
+		{
+		entry[tail] = a;
+		tail = 0;
+		}
+	}
+
+ent BaseQueue::pop_front()
+	{
+	if ( ! num_entries )
+		return 0;
+
+	--num_entries;
+	if ( head < max_entries )
+		return entry[head++];
+	else
+		{
+		head = 0;
+		return entry[max_entries];
+		}
+	}
+
+ent BaseQueue::pop_back()
+	{
+	if ( ! num_entries )
+		return 0;
+
+	--num_entries;
+	if ( tail )
+		return entry[--tail];
+	else
+		{
+		tail = max_entries;
+		return entry[tail];
+		}
+	}
+
+int BaseQueue::resize(int new_size)
+	{
+	if ( new_size < num_entries )
+		new_size = num_entries; // do not lose any entries
+
+	if ( new_size != max_entries )
+		{
+		// Note, allocate extra space, so that we can always
+		// use the [max_entries] element.
+		// ### Yin, why not use realloc()?
+		ent* new_entry = new ent[new_size+1];
+
+		if ( new_entry )
+			{
+			if ( head <= tail )
+				memcpy( new_entry, entry + head,
+					sizeof(ent) * num_entries );
+			else
+				{
+				int len = num_entries - tail;
+				memcpy( new_entry, entry + head,
+					sizeof(ent) * len );
+				memcpy( new_entry + len, entry,
+					sizeof(ent) * tail );
+				}
+			delete [] entry;
+			entry = new_entry;
+			max_entries = new_size;
+			head = 0;
+			tail = num_entries;
+			}
+		else
+			{ // out of memory
+			}
+		}
+
+	return max_entries;
+	}
diff --git a/src/Queue.h b/src/Queue.h
new file mode 100644
index 0000000000..293d74ba7a
--- /dev/null
+++ b/src/Queue.h
@@ -0,0 +1,112 @@
+// $Id: Queue.h 6219 2008-10-01 05:39:07Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#ifndef queue_h
+#define queue_h
+
+// BaseQueue.h --
+//	Interface for class BaseQueue, current implementation is as an
+//	array of ent's.  This implementation was chosen to optimize
+//	getting to the ent's rather than inserting and deleting.
+//	Also push's and pop's from the front or the end of the queue
+//	are very efficient.  The only really expensive operation
+//	is resizing the list, which involves getting new space
+//	and moving the data.  Resizing occurs automatically when inserting
+//	more elements than the list can currently hold.  Automatic
+//	resizing is done one "chunk_size" of elements at a time and
+//	always increases the size of the list.  Resizing to zero
+//	(or to less than the current value of num_entries)
+//	will decrease the size of the list to the current number of
+//	elements.  Resize returns the new max_entries.
+//
+//	Entries must be either a pointer to the data or nonzero data with
+//	sizeof(data) <= sizeof(void*).
+
+#include "List.h"
+
+class BaseQueue {
+public:
+	~BaseQueue()		{ delete[] entry; }
+
+	int length() const	{ return num_entries; }
+	int resize(int = 0);	// 0 => size to fit current number of entries
+
+	// remove all entries without delete[] entry
+	void clear()		{ head = tail = num_entries = 0; }
+
+	// helper functions for iterating over queue
+	int front() const	{ return head; }
+	int back() const	{ return tail; }
+	void incr(int& index)	{ index < max_entries ? ++index : index = 0; }
+
+protected:
+	BaseQueue(int = 0);
+
+	void push_front(ent);	// add in front of queue
+	void push_back(ent);	// add at end of queue
+	ent pop_front();	// return and remove the front of queue
+	ent pop_back();		// return and remove the end of queue
+
+	// return nth *PHYSICAL* entry of queue (do not remove)
+	ent operator[](int i) const	{ return entry[i]; }
+
+	ent* entry;
+	int chunk_size;		// increase size by this amount when necessary
+	int max_entries;	// entry's index range: 0 .. max_entries
+	int num_entries;
+	int head;	// beginning of the queue in the ring
+	int tail;	// just beyond the end of the queue in the ring
+	};
+
+// Queue.h -- interface for class Queue
+//	Use:	to get a list of pointers to class foo you should:
+//		1) declare(PQueue,foo); (declare interest in lists of foo*'s)
+//		2) variables are declared like:
+//			PQueue(foo) bar; (bar is of type list of foo*'s)
+
+// For queues of "type"
+#define Queue(type) type ## Queue
+
+// For queues of pointers to "type"
+#define PQueue(type) type ## PQueue
+
+#define Queuedeclare(type)						\
+struct Queue(type) : BaseQueue						\
+	{								\
+	Queue(type)() : BaseQueue(0) {}					\
+	Queue(type)(int sz) : BaseQueue(sz) {}				\
+									\
+	void push_front(type a)	{ BaseQueue::push_front(ent(a)); }	\
+	void push_back(type a)	{ BaseQueue::push_back(ent(a)); }	\
+	type pop_front()	{ return type(BaseQueue::pop_front()); }\
+	type pop_back()		{ return type(BaseQueue::pop_back()); }	\
+									\
+	type operator[](int i) const					\
+		{ return type(BaseQueue::operator[](i)); }		\
+	};								\
+
+#define PQueuedeclare(type)						\
+struct PQueue(type) : BaseQueue						\
+	{								\
+	PQueue(type)() : BaseQueue(0) {}				\
+	PQueue(type)(int sz) : BaseQueue(sz) {}				\
+									\
+	void push_front(type* a){ BaseQueue::push_front(ent(a)); }	\
+	void push_back(type* a)	{ BaseQueue::push_back(ent(a)); }	\
+	type* pop_front()						\
+		{ return (type*)BaseQueue::pop_front(); }		\
+	type* pop_back()							\
+		{ return (type*)BaseQueue::pop_back(); }			\
+									\
+	type* operator[](int i) const					\
+		{ return (type*)BaseQueue::operator[](i); }		\
+	};								\
+
+// Macro to visit each queue element in turn.
+#define loop_over_queue(queue, iterator)				\
+	int iterator;							\
+	for ( iterator = (queue).front(); iterator != (queue).back();	\
+		(queue).incr(iterator) )				\
+
+#endif /* queue_h */
diff --git a/src/RE.cc b/src/RE.cc
new file mode 100644
index 0000000000..19cc5737aa
--- /dev/null
+++ b/src/RE.cc
@@ -0,0 +1,538 @@
+// $Id: RE.cc 6219 2008-10-01 05:39:07Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "config.h"
+
+#include <stdlib.h>
+
+#include "RE.h"
+#include "DFA.h"
+#include "CCL.h"
+#include "EquivClass.h"
+#include "Serializer.h"
+
+CCL* curr_ccl = 0;
+
+Specific_RE_Matcher* rem;
+NFA_Machine* nfa = 0;
+int case_insensitive = 0;
+
+extern int RE_parse(void);
+extern void RE_set_input(const char* str);
+
+// If true, the set-wise matching always returns false - for benchmarking.
+extern int rule_bench;
+
+Specific_RE_Matcher::Specific_RE_Matcher(match_type arg_mt, int arg_multiline)
+: equiv_class(NUM_SYM)
+	{
+	mt = arg_mt;
+	multiline = arg_multiline;
+	any_ccl = 0;
+	pattern_text = 0;
+	dfa = 0;
+	ecs = 0;
+	accepted = new AcceptingSet();
+	}
+
+Specific_RE_Matcher::~Specific_RE_Matcher()
+	{
+	for ( int i = 0; i < ccl_list.length(); ++i )
+		delete ccl_list[i];
+
+	Unref(dfa);
+	delete [] pattern_text;
+	delete accepted;
+	}
+
+CCL* Specific_RE_Matcher::AnyCCL()
+	{
+	if ( ! any_ccl )
+		{ // Create the '.' character class.
+		any_ccl = new CCL();
+		if ( ! multiline )
+			any_ccl->Add('\n');
+		any_ccl->Negate();
+		EC()->CCL_Use(any_ccl);
+		}
+
+	return any_ccl;
+	}
+
+void Specific_RE_Matcher::ConvertCCLs()
+	{
+	for ( int i = 0; i < ccl_list.length(); ++i )
+		equiv_class.ConvertCCL(ccl_list[i]);
+	}
+
+void Specific_RE_Matcher::AddPat(const char* new_pat)
+	{
+	if ( mt == MATCH_EXACTLY )
+		AddExactPat(new_pat);
+	else
+		AddAnywherePat(new_pat);
+	}
+
+void Specific_RE_Matcher::AddAnywherePat(const char* new_pat)
+	{
+	AddPat(new_pat, "^?(.|\\n)*(%s)", "(%s)|(^?(.|\\n)*(%s))");
+	}
+
+void Specific_RE_Matcher::AddExactPat(const char* new_pat)
+	{
+	AddPat(new_pat, "^?(%s)$?", "(%s)|(^?(%s)$?)");
+	}
+
+void Specific_RE_Matcher::AddPat(const char* new_pat,
+				const char* orig_fmt, const char* app_fmt)
+	{
+	int n = strlen(new_pat);
+
+	if ( pattern_text )
+		n += strlen(pattern_text) + strlen(app_fmt);
+	else
+		n += strlen(orig_fmt);
+
+	char* s = new char[n + 5 /* slop */];
+
+	if ( pattern_text )
+		sprintf(s, app_fmt, pattern_text, new_pat);
+	else
+		sprintf(s, orig_fmt, new_pat);
+
+	delete [] pattern_text;
+	pattern_text = s;
+	}
+
+int Specific_RE_Matcher::Compile(int lazy)
+	{
+	if ( ! pattern_text )
+		return 0;
+
+	rem = this;
+	RE_set_input(pattern_text);
+	if ( RE_parse() )
+		{
+		run_time("error compiling pattern /%s/", pattern_text);
+		return 0;
+		}
+
+	EC()->BuildECs();
+	ConvertCCLs();
+
+	dfa = new DFA_Machine(nfa, EC());
+
+	Unref(nfa); 
+	nfa = 0;
+
+	ecs = EC()->EquivClasses();
+
+	return 1;
+	}
+
+int Specific_RE_Matcher::CompileSet(const string_list& set, const int_list& idx)
+	{
+	if ( set.length() != idx.length() )
+		internal_error("compileset: lengths of sets differ");
+
+	rem = this;
+
+	NFA_Machine* set_nfa = 0;
+
+	loop_over_list(set, i)
+		{
+		RE_set_input(set[i]);
+		if ( RE_parse() )
+			{
+			run_time("error compiling pattern /%s/", set[i]);
+			return 0;
+			}
+
+		nfa->FinalState()->SetAccept(idx[i]);
+		set_nfa = set_nfa ? make_alternate(nfa, set_nfa) : nfa;
+		}
+
+	// Prefix the expression with a "^?".
+	nfa = new NFA_Machine(new NFA_State(SYM_BOL, rem->EC()));
+	nfa->MakeOptional();
+	if ( set_nfa )
+		nfa->AppendMachine( set_nfa );
+
+	EC()->BuildECs();
+	ConvertCCLs();
+
+	dfa = new DFA_Machine(nfa, EC());
+	ecs = EC()->EquivClasses();
+
+	return 1;
+	}
+
+const char* Specific_RE_Matcher::LookupDef(const char* def)
+	{
+	return defs.Lookup(def);
+	}
+
+int Specific_RE_Matcher::MatchAll(const char* s)
+	{
+	return MatchAll((const u_char*)(s), strlen(s));
+	}
+
+int Specific_RE_Matcher::MatchAll(const BroString* s)
+	{
+	// s->Len() does not include '\0'.
+	return MatchAll(s->Bytes(), s->Len());
+	}
+
+int Specific_RE_Matcher::Match(const char* s)
+	{
+	return Match((const u_char*)(s), strlen(s));
+	}
+
+int Specific_RE_Matcher::Match(const BroString* s)
+	{
+	return Match(s->Bytes(), s->Len());
+	}
+
+int Specific_RE_Matcher::LongestMatch(const char* s)
+	{
+	return LongestMatch((const u_char*)(s), strlen(s));
+	}
+
+int Specific_RE_Matcher::LongestMatch(const BroString* s)
+	{
+	return LongestMatch(s->Bytes(), s->Len());
+	}
+
+int Specific_RE_Matcher::MatchAll(const u_char* bv, int n)
+	{
+	if ( ! dfa )
+		// An empty pattern matches "all" iff what's being
+		// matched is empty.
+		return n == 0;
+
+	DFA_State_Handle* d = dfa->StartState();
+	d = (*d)->Xtion(ecs[SYM_BOL], dfa);
+
+	while ( d )
+		{
+		if ( --n < 0 )
+			break;
+
+		int ec = ecs[*(bv++)];
+		d = (*d)->Xtion(ec, dfa);
+		}
+
+	if ( d )
+		d = (*d)->Xtion(ecs[SYM_EOL], dfa);
+
+	return d && (*d)->Accept() != 0;
+	}
+
+
+int Specific_RE_Matcher::Match(const u_char* bv, int n)
+	{
+	if ( ! dfa )
+		// An empty pattern matches anything.
+		return 1;
+
+	DFA_State_Handle* d = dfa->StartState();
+
+	d = (*d)->Xtion(ecs[SYM_BOL], dfa);
+	if ( ! d ) return 0;
+
+	for ( int i = 0; i < n; ++i )
+		{
+		int ec = ecs[bv[i]];
+		d = (*d)->Xtion(ec, dfa);
+		if ( ! d )
+			break;
+
+		if ( (*d)->Accept() )
+			return i + 1;
+		}
+
+	if ( d )
+		{
+		d = (*d)->Xtion(ecs[SYM_EOL], dfa);
+		if ( d && (*d)->Accept() )
+			return n > 0 ? n : 1;	// we can't return 0 here for match...
+		}
+
+	return 0;
+	}
+
+
+void Specific_RE_Matcher::Dump(FILE* f)
+	{
+	dfa->Dump(f);
+	}
+
+RE_Match_State::~RE_Match_State()
+	{
+	if ( current_state )
+		StateUnref(current_state);
+	}
+
+bool RE_Match_State::Match(const u_char* bv, int n,
+				bool bol, bool eol, bool clear)
+	{
+	if ( rule_bench > 0 )
+		return false;
+
+	if ( current_pos == -1 )
+		{
+		// First call to Match().
+		if ( ! dfa )
+			return false;
+
+		// Initialize state and copy the accepting states of the start
+		// state into the acceptance set.
+		current_state = dfa->StartState();
+		StateRef(current_state);
+
+		const AcceptingSet* ac = (*current_state)->Accept();
+		if ( ac )
+			{
+			loop_over_list(*ac, i)
+				{
+				accepted.append((*ac)[i]);
+				match_pos.append(0);
+				}
+			}
+		}
+
+	else if ( clear )
+		{
+		if ( current_state )
+			StateUnref(current_state);
+
+		current_state = dfa->StartState();
+		StateRef(current_state);
+		}
+
+	if ( ! current_state )
+		return false;
+
+	else
+		(*current_state)->Unlock();
+
+	current_pos = 0;
+
+	int old_matches = accepted.length();
+
+	int ec;
+	int m = bol ? n + 1 : n;
+	int e = eol ? -1 : 0;
+
+	while ( --m >= e )
+		{
+		if ( m == n )
+			ec = ecs[SYM_BOL];
+		else if ( m == -1 )
+			ec = ecs[SYM_EOL];
+		else
+			ec = ecs[*(bv++)];
+
+		DFA_State_Handle* next_state = (*current_state)->Xtion(ec,dfa);
+
+		if ( ! next_state )
+			{
+			current_state = 0;
+			break;
+			}
+
+		if ( (*next_state)->Accept() )
+			{
+			const AcceptingSet* ac = (*next_state)->Accept();
+			loop_over_list(*ac, i)
+				{
+				if ( ! accepted.is_member((*ac)[i]) )
+					{
+					accepted.append((*ac)[i]);
+					match_pos.append(current_pos);
+					}
+				}
+			}
+
+		++current_pos;
+
+		StateRef(next_state);
+		StateUnref(current_state);
+		current_state = next_state;
+		}
+
+	// Make sure our state doesn't expire until we return.
+	if ( current_state )
+		(*current_state)->Lock();
+
+	return accepted.length() != old_matches;
+	}
+
+int Specific_RE_Matcher::LongestMatch(const u_char* bv, int n)
+	{
+	if ( ! dfa )
+		// An empty pattern matches anything.
+		return 0;
+
+	// Use -1 to indicate no match.
+	int last_accept = -1;
+	DFA_State_Handle* d = dfa->StartState();
+
+	d = (*d)->Xtion(ecs[SYM_BOL], dfa);
+	if ( ! d )
+		return -1;
+
+	if ( (*d)->Accept() )
+		last_accept = 0;
+
+	for ( int i = 0; i < n; ++i )
+		{
+		int ec = ecs[bv[i]];
+		d = (*d)->Xtion(ec, dfa);
+
+		if ( ! d )
+			break;
+
+		if ( (*d)->Accept() )
+			last_accept = i + 1;
+		}
+
+	if ( d )
+		{
+		d = (*d)->Xtion(ecs[SYM_EOL], dfa);
+		if ( d && (*d)->Accept() )
+			return n;
+		}
+
+	return last_accept;
+	}
+
+unsigned int Specific_RE_Matcher::MemoryAllocation() const
+	{
+	unsigned int size = 0;
+
+	for ( int i = 0; i < ccl_list.length(); ++i )
+		size += ccl_list[i]->MemoryAllocation();
+
+	return size + padded_sizeof(*this)
+		+ (pattern_text ? pad_size(strlen(pattern_text) + 1) : 0)
+		+ defs.MemoryAllocation() - padded_sizeof(defs) // FIXME: count content
+		+ ccl_dict.MemoryAllocation() - padded_sizeof(ccl_dict) // FIXME: count content
+		+ ccl_list.MemoryAllocation() - padded_sizeof(ccl_list)
+		+ equiv_class.Size() - padded_sizeof(EquivClass)
+		+ (dfa ? dfa->MemoryAllocation() : 0) // this is ref counted; consider the bytes here?
+		+ padded_sizeof(*any_ccl)
+		+ accepted->MemoryAllocation();
+	}
+
+RE_Matcher::RE_Matcher()
+	{
+	re_anywhere = new Specific_RE_Matcher(MATCH_ANYWHERE);
+	re_exact = new Specific_RE_Matcher(MATCH_EXACTLY);
+	}
+
+RE_Matcher::RE_Matcher(const char* pat)
+	{
+	re_anywhere = new Specific_RE_Matcher(MATCH_ANYWHERE);
+	re_exact = new Specific_RE_Matcher(MATCH_EXACTLY);
+
+	AddPat(pat);
+	}
+
+RE_Matcher::~RE_Matcher()
+	{
+	delete re_anywhere;
+	delete re_exact;
+	}
+
+void RE_Matcher::AddPat(const char* new_pat)
+	{
+	re_anywhere->AddPat(new_pat);
+	re_exact->AddPat(new_pat);
+	}
+
+int RE_Matcher::Compile(int lazy)
+	{
+	return re_anywhere->Compile(lazy) && re_exact->Compile(lazy);
+	}
+
+bool RE_Matcher::Serialize(SerialInfo* info) const
+	{
+	return SerialObj::Serialize(info);
+	}
+
+RE_Matcher* RE_Matcher::Unserialize(UnserialInfo* info)
+	{
+	return (RE_Matcher*) SerialObj::Unserialize(info, SER_RE_MATCHER);
+	}
+
+IMPLEMENT_SERIAL(RE_Matcher, SER_RE_MATCHER);
+
+bool RE_Matcher::DoSerialize(SerialInfo* info) const
+	{
+	DO_SERIALIZE(SER_RE_MATCHER, SerialObj);
+	return SERIALIZE(re_anywhere->PatternText())
+			&& SERIALIZE(re_exact->PatternText());
+	}
+
+bool RE_Matcher::DoUnserialize(UnserialInfo* info)
+	{
+	DO_UNSERIALIZE(SerialObj);
+
+	re_anywhere = new Specific_RE_Matcher(MATCH_ANYWHERE);
+	re_exact = new Specific_RE_Matcher(MATCH_EXACTLY);
+
+	const char* pat;
+	if ( ! UNSERIALIZE_STR(&pat, 0) )
+		return false;
+
+	re_anywhere->SetPat(pat);
+	if ( ! re_anywhere->Compile() )
+		{
+		info->s->Error(fmt("Can't compile regexp '%s'", pat));
+		return false;
+		}
+
+	if ( ! UNSERIALIZE_STR(&pat, 0) )
+		return false;
+
+	re_exact->SetPat(pat);
+	if ( ! re_exact->Compile() )
+		{
+		info->s->Error(fmt("Can't compile regexp '%s'", pat));
+		return false;
+		}
+
+	return true;
+	}
+
+
+static RE_Matcher* matcher_merge(const RE_Matcher* re1, const RE_Matcher* re2,
+				const char* merge_op)
+	{
+	const char* text1 = re1->PatternText();
+	const char* text2 = re2->PatternText();
+
+	int n = strlen(text1) + strlen(text2) + strlen(merge_op) + 32 /* slop */ ;
+
+	char* merge_text = new char[n];
+	safe_snprintf(merge_text, n, "(%s)%s(%s)", text1, merge_op, text2);
+
+	RE_Matcher* merge = new RE_Matcher(merge_text);
+	delete merge_text;
+
+	merge->Compile();
+
+	return merge;
+	}
+
+RE_Matcher* RE_Matcher_conjunction(const RE_Matcher* re1, const RE_Matcher* re2)
+	{
+	return matcher_merge(re1, re2, "");
+	}
+
+RE_Matcher* RE_Matcher_disjunction(const RE_Matcher* re1, const RE_Matcher* re2)
+	{
+	return matcher_merge(re1, re2, "|");
+	}
diff --git a/src/RE.h b/src/RE.h
new file mode 100644
index 0000000000..08da19c495
--- /dev/null
+++ b/src/RE.h
@@ -0,0 +1,237 @@
+// $Id: RE.h 6781 2009-06-28 00:50:04Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#ifndef re_h
+#define re_h
+
+#include "Obj.h"
+#include "Dict.h"
+#include "BroString.h"
+#include "CCL.h"
+#include "EquivClass.h"
+
+#include <ctype.h>
+typedef int (*cce_func)(int);
+
+class CCL;
+class NFA_Machine;
+class DFA_Machine;
+class Specific_RE_Matcher;
+class RE_Matcher;
+
+declare(PDict,char);
+declare(PDict,CCL);
+declare(PList,CCL);
+
+extern int case_insensitive;
+extern CCL* curr_ccl;
+extern NFA_Machine* nfa;
+extern Specific_RE_Matcher* rem;
+extern const char* RE_parse_input;
+
+extern int re_lex(void);
+extern int clower(int);
+extern void synerr(const char str[]);
+
+typedef int_list AcceptingSet;
+typedef name_list string_list;
+
+typedef enum { MATCH_ANYWHERE, MATCH_EXACTLY, } match_type;
+
+// A "specific" RE matcher will match one type of pattern: either
+// MATCH_ANYWHERE or MATCH_EXACTLY.
+
+class Specific_RE_Matcher {
+public:
+	Specific_RE_Matcher(match_type mt, int multiline=0);
+	~Specific_RE_Matcher();
+
+	void AddPat(const char* pat);
+
+	void SetPat(const char* pat)	{ pattern_text = copy_string(pat); }
+
+	int Compile(int lazy = 0);
+
+	// The following is vestigial from flex's use of "{name}" definitions.
+	// It's here because at some point we may want to support such
+	// functionality.
+	const char* LookupDef(const char* def);
+
+	void InsertCCL(const char* txt, CCL* ccl) { ccl_dict.Insert(txt, ccl); }
+	int InsertCCL(CCL* ccl)
+		{
+		ccl_list.append(ccl);
+		return ccl_list.length() - 1;
+		}
+	CCL* LookupCCL(const char* txt)	{ return ccl_dict.Lookup(txt); }
+	CCL* LookupCCL(int index)	{ return ccl_list[index]; }
+	CCL* AnyCCL();
+
+	void ConvertCCLs();
+
+	int MatchAll(const char* s);
+	int MatchAll(const BroString* s);
+
+	// Compiles a set of regular expressions simultaniously.
+	// 'idx' contains indizes associated with the expressions.
+	// On matching, the set of indizes is returned which correspond
+	// to the matching expressions.  (idx must not contain zeros).
+	int CompileSet(const string_list& set, const int_list& idx);
+
+	// Returns the position in s just beyond where the first match
+	// occurs, or 0 if there is no such position in s.  Note that
+	// if the pattern matches empty strings, matching continues
+	// in an attempt to match at least one character.
+	int Match(const char* s);
+	int Match(const BroString* s);
+
+	int LongestMatch(const char* s);
+	int LongestMatch(const BroString* s);
+	int LongestMatch(const u_char* bv, int n);
+
+	EquivClass* EC()		{ return &equiv_class; }
+
+	const char* PatternText() const	{ return pattern_text; }
+
+	DFA_Machine* DFA() const		{ return dfa; }
+
+	void Dump(FILE* f);
+
+	unsigned int MemoryAllocation() const;
+
+protected:
+	void AddAnywherePat(const char* pat);
+	void AddExactPat(const char* pat);
+
+	// Used by the above.  orig_fmt is the format to use when building
+	// up a new pattern_text from the given pattern; app_fmt is for when
+	// appending to an existing pattern_text.
+	void AddPat(const char* pat, const char* orig_fmt, const char* app_fmt);
+
+	int MatchAll(const u_char* bv, int n);
+	int Match(const u_char* bv, int n);
+
+	match_type mt;
+	int multiline;
+	char* pattern_text;
+
+	PDict(char) defs;
+	PDict(CCL) ccl_dict;
+	PList(CCL) ccl_list;
+	EquivClass equiv_class;
+	int* ecs;
+	DFA_Machine* dfa;
+	CCL* any_ccl;
+	AcceptingSet* accepted;
+};
+
+#ifdef EXPIRE_DFA_STATES
+	class DFA_State_Handle;
+#else
+	class DFA_State;
+	typedef DFA_State DFA_State_Handle;
+#endif
+
+class RE_Match_State {
+public:
+	RE_Match_State(Specific_RE_Matcher* matcher)
+		{
+		dfa = matcher->DFA() ? matcher->DFA() : 0;
+		ecs = matcher->EC()->EquivClasses();
+		current_pos = -1;
+		current_state = 0;
+		}
+
+	~RE_Match_State();
+
+	const AcceptingSet* Accepted() const	{ return &accepted; }
+	const int_list* MatchPositions() const	{ return &match_pos; }
+
+	// Returns the number of bytes feeded into the matcher so far
+	int Length()	{ return current_pos; }
+
+	// Returns true if this inputs leads to at least one new match.
+	// If clear is true, starts matching over.
+	bool Match(const u_char* bv, int n, bool bol, bool eol, bool clear);
+
+	void Clear()
+		{
+		current_pos = -1;
+		current_state = 0;
+		accepted.clear();
+		match_pos.clear();
+		}
+
+protected:
+	DFA_Machine* dfa;
+	int* ecs;
+
+	AcceptingSet accepted;
+	int_list match_pos;
+	DFA_State_Handle* current_state;
+	int current_pos;
+};
+
+class RE_Matcher : SerialObj {
+public:
+	RE_Matcher();
+	RE_Matcher(const char* pat);
+	virtual ~RE_Matcher();
+
+	void AddDef(const char* defn_name, const char* defn_val);
+	void AddPat(const char* pat);
+
+	int Compile(int lazy = 0);
+
+	// Returns true if s exactly matches the pattern, false otherwise.
+	int MatchExactly(const char* s)
+		{ return re_exact->MatchAll(s); }
+	int MatchExactly(const BroString* s)
+		{ return re_exact->MatchAll(s); }
+
+	// Returns the position in s just beyond where the first match
+	// occurs, or 0 if there is no such position in s.  Note that
+	// if the pattern matches empty strings, matching continues
+	// in an attempt to match at least one character.
+	int MatchAnywhere(const char* s)
+		{ return re_anywhere->Match(s); }
+	int MatchAnywhere(const BroString* s)
+		{ return re_anywhere->Match(s); }
+
+	// Note: it matches the *longest* prefix and returns the
+	// length of matched prefix. It returns -1 on mismatch.
+	int MatchPrefix(const char* s)
+		{ return re_exact->LongestMatch(s); }
+	int MatchPrefix(const BroString* s)
+		{ return re_exact->LongestMatch(s); }
+	int MatchPrefix(const u_char* s, int n)
+		{ return re_exact->LongestMatch(s, n); }
+
+	const char* PatternText() const	{ return re_exact->PatternText(); }
+	const char* AnywherePatternText() const	{ return re_anywhere->PatternText(); }
+
+	bool Serialize(SerialInfo* info) const;
+	static RE_Matcher* Unserialize(UnserialInfo* info);
+
+	unsigned int MemoryAllocation() const
+		{
+		return padded_sizeof(*this)
+			+ (re_anywhere ? re_anywhere->MemoryAllocation() : 0)
+			+ (re_exact ? re_exact->MemoryAllocation() : 0);
+		}
+
+protected:
+	DECLARE_SERIAL(RE_Matcher);
+
+	Specific_RE_Matcher* re_anywhere;
+	Specific_RE_Matcher* re_exact;
+};
+
+declare(PList, RE_Matcher);
+typedef PList(RE_Matcher) re_matcher_list;
+
+extern RE_Matcher* RE_Matcher_conjunction(const RE_Matcher* re1, const RE_Matcher* re2);
+extern RE_Matcher* RE_Matcher_disjunction(const RE_Matcher* re1, const RE_Matcher* re2);
+
+#endif
diff --git a/src/RPC.cc b/src/RPC.cc
new file mode 100644
index 0000000000..278f8bfee5
--- /dev/null
+++ b/src/RPC.cc
@@ -0,0 +1,605 @@
+// $Id: RPC.cc 6219 2008-10-01 05:39:07Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "config.h"
+
+#include <stdlib.h>
+
+#include "NetVar.h"
+#include "XDR.h"
+#include "RPC.h"
+#include "Sessions.h"
+
+namespace { // local namespace
+	const bool DEBUG_rpc_resync = false;
+}
+
+#define MAX_RPC_LEN 65536
+
+// The following correspond to the different RPC status values defined
+// in bro.init.
+// #define BRO_RPC_TIMEOUT 6
+// #define BRO_RPC_AUTH_ERROR 7
+// #define BRO_RPC_UNKNOWN_ERROR 8
+
+RPC_CallInfo::RPC_CallInfo(uint32 arg_xid, const u_char*& buf, int& n)
+	{
+	xid = arg_xid;
+
+	start_time = network_time;
+	call_n = n;
+	call_buf = new u_char[call_n];
+	memcpy((void*) call_buf, (const void*) buf, call_n);
+
+	rpc_version = extract_XDR_uint32(buf, n);
+	prog = extract_XDR_uint32(buf, n);
+	vers = extract_XDR_uint32(buf, n);
+	proc = extract_XDR_uint32(buf, n);
+	cred_flavor = skip_XDR_opaque_auth(buf, n);
+	verf_flavor = skip_XDR_opaque_auth(buf, n);
+
+	header_len = call_n - n;
+
+	valid_call = false;
+
+	v = 0;
+	}
+
+RPC_CallInfo::~RPC_CallInfo()
+	{
+	delete [] call_buf;
+	Unref(v);
+	}
+
+int RPC_CallInfo::CompareRexmit(const u_char* buf, int n) const
+	{
+	if ( n != call_n )
+		return 0;
+
+	return memcmp((const void*) call_buf, (const void*) buf, call_n) == 0;
+	}
+
+
+void rpc_callinfo_delete_func(void* v)
+	{
+	delete (RPC_CallInfo*) v;
+	}
+
+RPC_Interpreter::RPC_Interpreter(Analyzer* arg_analyzer)
+	{
+	analyzer = arg_analyzer;
+	calls.SetDeleteFunc(rpc_callinfo_delete_func);
+	}
+
+RPC_Interpreter::~RPC_Interpreter()
+	{
+	}
+
+int RPC_Interpreter::DeliverRPC(const u_char* buf, int n, int is_orig)
+	{
+	uint32 xid = extract_XDR_uint32(buf, n);
+	uint32 msg_type = extract_XDR_uint32(buf, n);
+
+	if ( ! buf )
+		return 0;
+
+	HashKey h(&xid, 1);
+	RPC_CallInfo* call = calls.Lookup(&h);
+
+	if ( msg_type == RPC_CALL )
+		{
+		if ( ! is_orig )
+			Weird("responder_RPC_call");
+
+		if ( call )
+			{
+			if ( ! call->CompareRexmit(buf, n) )
+				Weird("RPC_rexmit_inconsistency");
+
+			if ( call->HeaderLen() > n )
+				{
+				Weird("RPC_underflow");
+				return 0;
+				}
+
+			n -= call->HeaderLen();
+			buf += call->HeaderLen();
+			}
+
+		else
+			{
+			call = new RPC_CallInfo(xid, buf, n);
+			if ( ! buf )
+				{
+				delete call;
+				return 0;
+				}
+
+			calls.Insert(&h, call);
+			}
+
+		if ( RPC_BuildCall(call, buf, n) )
+			call->SetValidCall();
+		else
+			{
+			Weird("bad_RPC");
+			return 0;
+			}
+		}
+
+	else if ( msg_type == RPC_REPLY )
+		{
+		if ( is_orig )
+			Weird("originator_RPC_reply");
+
+		uint32 reply_stat = extract_XDR_uint32(buf, n);
+		if ( ! buf )
+			return 0;
+
+		uint32 status = BroEnum::RPC_UNKNOWN_ERROR;
+
+		if ( reply_stat == RPC_MSG_ACCEPTED )
+			{
+			(void) skip_XDR_opaque_auth(buf, n);
+			uint32 accept_stat = extract_XDR_uint32(buf, n);
+
+			// The first members of BroEnum::RPC_* correspond
+			// to accept_stat.
+			if ( accept_stat <= RPC_SYSTEM_ERR )
+				status = accept_stat;
+
+			if ( ! buf )
+				return 0;
+
+			if ( accept_stat == RPC_PROG_MISMATCH )
+				{
+				(void) extract_XDR_uint32(buf, n);
+				(void) extract_XDR_uint32(buf, n);
+
+				if ( ! buf )
+					return 0;
+				}
+			}
+
+		else if ( reply_stat == RPC_MSG_DENIED )
+			{
+			uint32 reject_stat = extract_XDR_uint32(buf, n);
+			if ( ! buf )
+				return 0;
+
+			if ( reject_stat == RPC_MISMATCH )
+				{
+				// Note that RPC_MISMATCH == 0 == RPC_SUCCESS.
+				status = BroEnum::RPC_VERS_MISMATCH;
+
+				(void) extract_XDR_uint32(buf, n);
+				(void) extract_XDR_uint32(buf, n);
+
+				if ( ! buf )
+					return 0;
+				}
+
+			else if ( reject_stat == RPC_AUTH_ERROR )
+				{
+				status = BroEnum::RPC_AUTH_ERROR;
+
+				(void) extract_XDR_uint32(buf, n);
+				if ( ! buf )
+					return 0;
+				}
+
+			else
+				{
+				status = BroEnum::RPC_UNKNOWN_ERROR;
+				Weird("bad_RPC");
+				}
+			}
+
+		else
+			Weird("bad_RPC");
+
+		if ( call )
+			{
+			int success = status == RPC_SUCCESS;
+
+			if ( ! call->IsValidCall() )
+				{
+				if ( success )
+					Weird("successful_RPC_reply_to_invalid_request");
+				// We can't process this further, even if
+				// it was successful, because the call
+				// info won't be fully set up.
+				}
+
+			else
+				{
+				EventHandlerPtr event;
+				Val* reply;
+				if ( ! RPC_BuildReply(call, success, buf,
+							n, event, reply) )
+					Weird("bad_RPC");
+				else
+					{
+					Event(event, call->TakeRequestVal(),
+						status, reply);
+					}
+				}
+
+			RPC_Event(call, status, n);
+
+			delete calls.RemoveEntry(&h);
+			}
+		else
+			{
+			Weird("unpaired_RPC_response");
+			n = 0;
+			}
+		}
+
+	else
+		Weird("bad_RPC");
+
+	if ( n > 0 )
+		{
+		// If it's just padded with zeroes, don't complain.
+		for ( ; n > 0; --n, ++buf )
+			if ( *buf != 0 )
+				break;
+
+		if ( n > 0 )
+			Weird("excess_RPC");
+		}
+
+	else if ( n < 0 )
+		internal_error("RPC underflow");
+
+	return 1;
+	}
+
+void RPC_Interpreter::Timeout()
+	{
+	IterCookie* cookie = calls.InitForIteration();
+	RPC_CallInfo* c;
+
+	while ( (c = calls.NextEntry(cookie)) )
+		{
+		RPC_Event(c, BroEnum::RPC_TIMEOUT, 0);
+		if ( c->IsValidCall() )
+			{
+			const u_char* buf;
+			int n = 0;
+			EventHandlerPtr event;
+			Val* reply;
+			if ( ! RPC_BuildReply(c, 0, buf, n, event, reply) )
+				Weird("bad_RPC");
+			else
+				{
+				Event(event, c->TakeRequestVal(),
+					BroEnum::RPC_TIMEOUT, reply);
+				}
+			}
+		}
+	}
+
+void RPC_Interpreter::RPC_Event(RPC_CallInfo* c, int status, int reply_len)
+	{
+	if ( rpc_call )
+		{
+		val_list* vl = new val_list;
+		vl->append(analyzer->BuildConnVal());
+		vl->append(new Val(c->Program(), TYPE_COUNT));
+		vl->append(new Val(c->Version(), TYPE_COUNT));
+		vl->append(new Val(c->Proc(), TYPE_COUNT));
+		vl->append(new Val(status, TYPE_COUNT));
+		vl->append(new Val(c->StartTime(), TYPE_TIME));
+		vl->append(new Val(c->CallLen(), TYPE_COUNT));
+		vl->append(new Val(reply_len, TYPE_COUNT));
+		analyzer->ConnectionEvent(rpc_call, vl);
+		}
+	}
+
+void RPC_Interpreter::Weird(const char* msg)
+	{
+	analyzer->Weird(msg);
+	}
+
+
+Contents_RPC::Contents_RPC(Connection* conn, bool orig,
+				RPC_Interpreter* arg_interp)
+: TCP_SupportAnalyzer(AnalyzerTag::Contents_RPC, conn, orig)
+	{
+	interp = arg_interp;
+	resync = false;
+	msg_buf = 0;
+	InitBuffer();
+	}
+
+void Contents_RPC::Init()
+	{
+	TCP_SupportAnalyzer::Init();
+
+	TCP_Analyzer* tcp =
+		static_cast<TCP_ApplicationAnalyzer*>(Parent())->TCP();
+	assert(tcp);
+
+	resync = (IsOrig() ? tcp->OrigState() : tcp->RespState()) !=
+						TCP_ENDPOINT_ESTABLISHED;
+	}
+
+void Contents_RPC::InitBuffer()
+	{
+	buf_len = 4;
+
+	// For record marker:
+	delete [] msg_buf;
+	msg_buf = new u_char[buf_len];
+
+	buf_n = 0;
+	last_frag = 0;
+	state = RPC_RECORD_MARKER;
+	}
+
+Contents_RPC::~Contents_RPC()
+	{
+	delete [] msg_buf;
+	}
+
+void Contents_RPC::Undelivered(int seq, int len, bool orig)
+	{
+	TCP_SupportAnalyzer::Undelivered(seq, len, orig);
+
+	// Re-sync after content gaps.
+	InitBuffer();
+	resync = true;
+	}
+
+void Contents_RPC::DeliverStream(int len, const u_char* data, bool orig)
+	{
+	TCP_SupportAnalyzer::DeliverStream(len, data, orig);
+
+	if ( state == RPC_COMPLETE )
+		InitBuffer();
+
+	// This is an attempt to re-synchronize the stream with RPC
+	// frames after a content gap.  We try to look for the beginning
+	// of an RPC frame, assuming (1) RPC frames begin at packet
+	// boundaries (though they may span over multiple packets) and
+	// (2) the first piece is longer than 12 bytes. (If we see a
+	// piece shorter than 12 bytes, it is likely that it's the
+	// remaining piece of a previous RPC frame, so the code here
+	// skips that piece.)  It then checks if the frame type and length
+	// make any sense, and if so, it assumes that is beginning of
+	// a frame.
+	if ( resync && state == RPC_RECORD_MARKER && buf_n == 0 )
+		{
+		// Assuming RPC frames align with packet boundaries ...
+		if ( len < 12 )
+			{
+			// Ignore small fragmeents.
+			if ( len != 1 && DEBUG_rpc_resync )
+				{
+				// One-byte fragments are likely caused by
+				// TCP keep-alive retransmissions.
+				DEBUG_MSG("%.6f RPC resync: "
+				          "discard small pieces: %d\n",
+			                  network_time, len);
+				Conn()->Weird(
+					fmt("RPC resync: discard %d bytes\n",
+						len));
+				}
+			return;
+			}
+
+		const u_char* xdata = data;
+		int xlen = len;
+		uint32 frame_len = extract_XDR_uint32(xdata, xlen);
+		uint32 xid = extract_XDR_uint32(xdata, xlen);
+		uint32 frame_type = extract_XDR_uint32(xdata, xlen);
+
+		if ( (IsOrig() && frame_type != 0) ||
+		     (! IsOrig() && frame_type != 1) ||
+		     frame_len < 16 )
+			{
+			// Skip this packet.
+			if ( DEBUG_rpc_resync )
+				{
+				DEBUG_MSG("RPC resync: skipping %d bytes\n",
+				          len);
+				}
+			return;
+			}
+
+		resync = false;
+		}
+
+	int n;
+	for ( n = 0; buf_n < buf_len && n < len; ++n )
+		msg_buf[buf_n++] = data[n];
+
+	if ( buf_n < buf_len )
+		// Haven't filled up the message buffer yet, no more to do.
+		return;
+
+	switch ( state ) {
+	case RPC_RECORD_MARKER:
+		{ // Have the whole record marker.
+		int prev_frag_len = buf_len - 4;
+		const u_char* buf = &msg_buf[prev_frag_len];
+		int n = 4;
+
+		uint32 marker = extract_XDR_uint32(buf, n);
+		if ( ! buf )
+			internal_error("inconsistent RPC record marker extraction");
+
+		if ( prev_frag_len > 0 && last_frag )
+			internal_error("last_frag set but more fragments");
+
+		last_frag = (marker & 0x80000000) != 0;
+
+		marker &= 0x7fffffff;
+
+		if ( prev_frag_len > 0 )
+			// We're adding another fragment.
+			marker += prev_frag_len;
+
+		// Fragment length is now given by marker.  Sanity-check.
+		if ( marker > MAX_RPC_LEN )
+			{
+			Conn()->Weird("excessive_RPC_len");
+			marker = MAX_RPC_LEN;
+			}
+
+		// The new size is either the full record size (if this
+		// is the last fragment), or that plus 4 more bytes for
+		// the next fragment header.
+		int new_size = last_frag ? marker : marker + 4;
+
+		u_char* tmp = new u_char[new_size];
+		int msg_len = (unsigned int) buf_len < marker ? buf_len : marker;
+		for ( int i = 0; i < msg_len; ++i )
+			tmp[i] = msg_buf[i];
+
+		delete [] msg_buf;
+		msg_buf = tmp;
+
+		buf_len = marker;	// we only want to fill to here
+		buf_n = prev_frag_len;	// overwrite this fragment's header
+
+		state = RPC_MESSAGE_BUFFER;
+		}
+		break;
+
+	case RPC_MESSAGE_BUFFER:
+		{ // Have the whole fragment.
+		if ( ! last_frag )
+			{
+			// We earlier made sure to leave an extra 4 bytes
+			// at the end of the buffer - use them now for
+			// the new fragment header.
+			buf_len += 4;
+			state = RPC_RECORD_MARKER;
+			break;
+			}
+
+		if ( ! interp->DeliverRPC(msg_buf, buf_n, IsOrig()) )
+			Conn()->Weird("partial_RPC");
+
+		state = RPC_COMPLETE;
+		delete [] msg_buf;
+		msg_buf = 0;
+		}
+		break;
+
+	case RPC_COMPLETE:
+		internal_error("RPC state inconsistency");
+	}
+
+	if ( n < len )
+		// More data to munch on.
+		DeliverStream(len - n, data + n, orig);
+	}
+
+RPC_Analyzer::RPC_Analyzer(AnalyzerTag::Tag tag, Connection* conn,
+				RPC_Interpreter* arg_interp)
+: TCP_ApplicationAnalyzer(tag, conn)
+	{
+	interp = arg_interp;
+
+	if ( Conn()->ConnTransport() == TRANSPORT_UDP )
+		ADD_ANALYZER_TIMER(&RPC_Analyzer::ExpireTimer,
+			network_time + rpc_timeout, 1, TIMER_RPC_EXPIRE);
+	}
+
+RPC_Analyzer::~RPC_Analyzer()
+	{
+	delete interp;
+	}
+
+void RPC_Analyzer::DeliverPacket(int len, const u_char* data, bool orig,
+					int seq, const IP_Hdr* ip, int caplen)
+	{
+	TCP_ApplicationAnalyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
+
+	if ( orig )
+		{
+		if ( ! interp->DeliverRPC(data, len, 1) )
+			Weird("bad_RPC");
+		}
+	else
+		{
+		if ( ! interp->DeliverRPC(data, len, 0) )
+			Weird("bad_RPC");
+		}
+	}
+
+void RPC_Analyzer::Done()
+	{
+	TCP_ApplicationAnalyzer::Done();
+
+	// This code was replicated in NFS.cc and Portmap.cc, so we factor
+	// it into here.  The semantics have slightly changed - it used
+	// to be we'd always execute interp->Timeout(), but now we only
+	// do for UDP.
+
+	if ( Conn()->ConnTransport() == TRANSPORT_TCP && TCP() )
+		{
+		if ( orig_rpc->State() != RPC_COMPLETE &&
+		     (TCP()->OrigState() == TCP_ENDPOINT_CLOSED ||
+		      TCP()->OrigPrevState() == TCP_ENDPOINT_CLOSED) &&
+		     // Sometimes things like tcpwrappers will immediately
+		     // close the connection, without any data having been
+		     // transferred.  Don't bother flagging these.
+		     TCP()->Orig()->Size() > 0 )
+			Weird("partial_RPC_request");
+		}
+	else
+		interp->Timeout();
+	}
+
+void RPC_Analyzer::ExpireTimer(double /* t */)
+	{
+	Event(connection_timeout);
+	sessions->Remove(Conn());
+	}
+
+// The binpac version of interpreter.
+#include "rpc_pac.h"
+
+RPC_UDP_Analyzer_binpac::RPC_UDP_Analyzer_binpac(Connection* conn)
+: Analyzer(AnalyzerTag::RPC_UDP_BINPAC, conn)
+	{
+	interp = new binpac::SunRPC::RPC_Conn(this);
+	ADD_ANALYZER_TIMER(&RPC_UDP_Analyzer_binpac::ExpireTimer,
+			network_time + rpc_timeout, 1, TIMER_RPC_EXPIRE);
+	}
+
+RPC_UDP_Analyzer_binpac::~RPC_UDP_Analyzer_binpac()
+	{
+	delete interp;
+	}
+
+void RPC_UDP_Analyzer_binpac::Done()
+	{
+	Analyzer::Done();
+	interp->Timeout();
+	}
+
+void RPC_UDP_Analyzer_binpac::DeliverPacket(int len, const u_char* data, bool orig, int seq, const IP_Hdr* ip, int caplen)
+	{
+	Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
+	try
+		{
+		interp->NewData(orig, data, data + len);
+		}
+	catch ( binpac::Exception &e )
+		{
+		Weird(fmt("bad_RPC: %s", e.msg().c_str()));
+		}
+	}
+
+void RPC_UDP_Analyzer_binpac::ExpireTimer(double /* t */)
+	{
+	Event(connection_timeout);
+	sessions->Remove(Conn());
+	}
diff --git a/src/RPC.h b/src/RPC.h
new file mode 100644
index 0000000000..11acb68977
--- /dev/null
+++ b/src/RPC.h
@@ -0,0 +1,191 @@
+// $Id: RPC.h 6219 2008-10-01 05:39:07Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#ifndef rpc_h
+#define rpc_h
+
+#include "TCP.h"
+#include "UDP.h"
+
+enum {
+	RPC_CALL = 0,
+	RPC_REPLY = 1,
+};
+
+enum {
+	RPC_MSG_ACCEPTED = 0,
+	RPC_MSG_DENIED = 1,
+};
+
+enum {
+	RPC_SUCCESS = 0,
+	RPC_PROG_UNAVAIL = 1,
+	RPC_PROG_MISMATCH = 2,
+	RPC_PROC_UNAVAIL = 3,
+	RPC_GARBAGE_ARGS = 4,
+	RPC_SYSTEM_ERR = 5,
+};
+
+enum {
+	RPC_MISMATCH = 0,
+	RPC_AUTH_ERROR = 1,
+};
+
+enum {
+	RPC_AUTH_BADCRED = 1,
+	RPC_AUTH_REJECTEDCRED = 2,
+	RPC_AUTH_BADVERF = 3,
+	RPC_AUTH_REJECTEDVERF = 4,
+	RPC_AUTH_TOOWEAK = 5,
+};
+
+enum {
+	RPC_AUTH_NULL = 0,
+	RPC_AUTH_UNIX = 1,
+	RPC_AUTH_SHORT = 2,
+	RPC_AUTH_DES = 3,
+};
+
+class RPC_CallInfo {
+public:
+	RPC_CallInfo(uint32 xid, const u_char*& buf, int& n);
+	~RPC_CallInfo();
+
+	void AddVal(Val* arg_v)		{ Unref(v); v = arg_v; }
+	Val* RequestVal() const		{ return v; }
+	Val* TakeRequestVal()		{ Val* rv = v; v = 0; return rv; }
+
+	int CompareRexmit(const u_char* buf, int n) const;
+
+	uint32 Program() const		{ return prog; }
+	uint32 Version() const		{ return vers; }
+	uint32 Proc() const		{ return proc; }
+
+	double StartTime() const	{ return start_time; }
+	int CallLen() const		{ return call_n; }
+	int HeaderLen() const		{ return header_len; }
+
+	uint32 XID() const		{ return xid; }
+
+	void SetValidCall()		{ valid_call = true; }
+	bool IsValidCall() const	{ return valid_call; }
+
+protected:
+	uint32 xid, rpc_version, prog, vers, proc;
+	uint32 cred_flavor, verf_flavor;
+	u_char* call_buf;	// copy of original call buffer
+	double start_time;
+	int call_n;		// size of call buf
+	int header_len;		// size of data before the arguments
+	bool valid_call;	// whether call was well-formed
+
+	Val* v;		// single (perhaps compound) value corresponding to call
+};
+
+declare(PDict,RPC_CallInfo);
+
+class RPC_Interpreter {
+public:
+	RPC_Interpreter(Analyzer* analyzer);
+	virtual ~RPC_Interpreter();
+
+	// Delivers the given RPC.  Returns true if "len" bytes were
+	// enough, false otherwise.  "is_orig" is true if the data is
+	// from the originator of the connection.
+	int DeliverRPC(const u_char* data, int len, int is_orig);
+
+	void Timeout();
+
+protected:
+	virtual int RPC_BuildCall(RPC_CallInfo* c, const u_char*& buf, int& n) = 0;
+	virtual int RPC_BuildReply(const RPC_CallInfo* c, int success,
+					const u_char*& buf, int& n,
+					EventHandlerPtr& event, Val*& reply) = 0;
+
+	virtual void Event(EventHandlerPtr f, Val* request, int status, Val* reply) = 0;
+
+	void RPC_Event(RPC_CallInfo* c, int status, int reply_len);
+
+	void Weird(const char* name);
+
+	PDict(RPC_CallInfo) calls;
+	Analyzer* analyzer;
+};
+
+typedef enum {
+	RPC_RECORD_MARKER,	// building up the stream record marker
+	RPC_MESSAGE_BUFFER,	// building up the message in the buffer
+	RPC_COMPLETE		// message fully built
+} TCP_RPC_state;
+
+class Contents_RPC : public TCP_SupportAnalyzer {
+public:
+	Contents_RPC(Connection* conn, bool orig, RPC_Interpreter* interp);
+	virtual ~Contents_RPC();
+
+	TCP_RPC_state State() const		{ return state; }
+
+protected:
+	virtual void Init();
+	virtual void DeliverStream(int len, const u_char* data, bool orig);
+	virtual void Undelivered(int seq, int len, bool orig);
+
+	virtual void InitBuffer();
+
+	RPC_Interpreter* interp;
+
+	u_char* msg_buf;
+	int buf_n;	// number of bytes in msg_buf
+	int buf_len;	// size off msg_buf
+	int last_frag;	// if this buffer corresponds to the last "fragment"
+	bool resync;
+
+	TCP_RPC_state state;
+};
+
+class RPC_Analyzer : public TCP_ApplicationAnalyzer {
+public:
+	RPC_Analyzer(AnalyzerTag::Tag tag, Connection* conn,
+			RPC_Interpreter* arg_interp);
+	virtual ~RPC_Analyzer();
+
+	virtual void Done();
+
+protected:
+	virtual void DeliverPacket(int len, const u_char* data, bool orig,
+					int seq, const IP_Hdr* ip, int caplen);
+
+	void ExpireTimer(double t);
+
+	RPC_Interpreter* interp;
+
+	Contents_RPC* orig_rpc;
+	Contents_RPC* resp_rpc;
+};
+
+#include "rpc_pac.h"
+
+class RPC_UDP_Analyzer_binpac : public Analyzer {
+public:
+	RPC_UDP_Analyzer_binpac(Connection* conn);
+	virtual ~RPC_UDP_Analyzer_binpac();
+
+	virtual void Done();
+	virtual void DeliverPacket(int len, const u_char* data, bool orig,
+					int seq, const IP_Hdr* ip, int caplen);
+
+	static Analyzer* InstantiateAnalyzer(Connection* conn)
+		{ return new RPC_UDP_Analyzer_binpac(conn); }
+
+	static bool Available()
+		{ return pm_request || rpc_call; }
+
+protected:
+	friend class AnalyzerTimer;
+	void ExpireTimer(double t);
+
+	binpac::SunRPC::RPC_Conn* interp;
+};
+
+#endif
diff --git a/src/RSH.cc b/src/RSH.cc
new file mode 100644
index 0000000000..bfc78d04b7
--- /dev/null
+++ b/src/RSH.cc
@@ -0,0 +1,193 @@
+// $Id: RSH.cc 6219 2008-10-01 05:39:07Z vern $
+
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "config.h"
+
+#include "NetVar.h"
+#include "Event.h"
+#include "RSH.h"
+
+
+// FIXME: this code should probably be merged with Rlogin.cc.
+
+Contents_Rsh_Analyzer::Contents_Rsh_Analyzer(Connection* conn, bool orig,
+						Rsh_Analyzer* arg_analyzer)
+: ContentLine_Analyzer(AnalyzerTag::Contents_Rsh, conn, orig)
+	{
+	num_bytes_to_scan = num_bytes_to_scan = 0;
+	analyzer = arg_analyzer;
+
+	if ( orig )
+		state = save_state = RSH_FIRST_NULL;
+	else
+		state = RSH_LINE_MODE;
+	}
+
+Contents_Rsh_Analyzer::~Contents_Rsh_Analyzer()
+	{
+	}
+
+void Contents_Rsh_Analyzer::DoDeliver(int len, const u_char* data)
+	{
+	TCP_Analyzer* tcp = static_cast<TCP_ApplicationAnalyzer*>(Parent())->TCP();
+	assert(tcp);
+
+	int endp_state = IsOrig() ? tcp->OrigState() : tcp->RespState();
+
+	for ( ; len > 0; --len, ++data )
+		{
+		if ( offset >= buf_len )
+			InitBuffer(buf_len * 2);
+
+		unsigned int c = data[0];
+
+		switch ( state ) {
+		case RSH_FIRST_NULL:
+			if ( endp_state == TCP_ENDPOINT_PARTIAL ||
+			     // We can be in closed if the data's due to
+			     // a dataful FIN being the first thing we see.
+			     endp_state == TCP_ENDPOINT_CLOSED )
+				{
+				state = RSH_UNKNOWN;
+				++len, --data;	// put back c and reprocess
+				continue;
+				}
+
+			if ( c >= '0' && c <= '9' )
+				; // skip stderr port number
+			else if ( c == '\0' )
+				state = RSH_CLIENT_USER_NAME;
+			else
+				BadProlog();
+
+			break;
+
+		case RSH_CLIENT_USER_NAME:
+		case RSH_SERVER_USER_NAME:
+			buf[offset++] = c;
+			if ( c == '\0' )
+				{
+				if ( state == RSH_CLIENT_USER_NAME )
+					{
+					analyzer->ClientUserName((const char*) buf);
+					state = RSH_SERVER_USER_NAME;
+					}
+
+				else if ( state == RSH_SERVER_USER_NAME &&
+					  offset > 1 )
+					{
+					analyzer->ServerUserName((const char*) buf);
+					save_state = state;
+					state = RSH_LINE_MODE;
+					}
+
+				offset = 0;
+				}
+			break;
+
+		case RSH_LINE_MODE:
+		case RSH_UNKNOWN:
+		case RSH_PRESUMED_REJECTED:
+			if ( state == RSH_LINE_MODE &&
+			     state == RSH_PRESUMED_REJECTED )
+				{
+				Conn()->Weird("rsh_text_after_rejected");
+				state = RSH_UNKNOWN;
+				}
+
+			if ( c == '\n' || c == '\r' )
+				{ // CR or LF (RFC 1282)
+				if ( c == '\n' && last_char == '\r' )
+					// Compress CRLF to just 1 termination.
+					;
+				else
+					{
+					buf[offset] = '\0';
+					ForwardStream(offset, buf, IsOrig()); \
+					save_state = RSH_LINE_MODE;
+					offset = 0;
+					break;
+					}
+				}
+
+			if ( c == '\0' )
+				{
+				buf[offset] = '\0';
+				ForwardStream(offset, buf, IsOrig()); \
+				save_state = RSH_LINE_MODE;
+				offset = 0;
+				break;
+				}
+
+			else
+				buf[offset++] = c;
+
+			last_char = c;
+			break;
+
+		default:
+			internal_error("bad state in Contents_Rsh_Analyzer::DoDeliver");
+			break;
+		}
+		}
+	}
+
+void Contents_Rsh_Analyzer::BadProlog()
+	{
+	Conn()->Weird("bad_rsh_prolog");
+	state = RSH_UNKNOWN;
+	}
+
+Rsh_Analyzer::Rsh_Analyzer(Connection* conn)
+: Login_Analyzer(AnalyzerTag::Rsh, conn)
+	{
+	contents_orig = new Contents_Rsh_Analyzer(conn, true, this);
+	contents_resp = new Contents_Rsh_Analyzer(conn, false, this);
+	AddSupportAnalyzer(contents_orig);
+	AddSupportAnalyzer(contents_resp);
+	}
+
+void Rsh_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
+	{
+	Login_Analyzer::DeliverStream(len, data, orig);
+
+	const char* line = (const char*) data;
+	val_list* vl = new val_list;
+
+	line = skip_whitespace(line);
+	vl->append(BuildConnVal());
+	vl->append(client_name ? client_name->Ref() : new StringVal("<none>"));
+	vl->append(username ? username->Ref() : new StringVal("<none>"));
+	vl->append(new StringVal(line));
+
+	if ( orig && rsh_request )
+		{
+		if ( contents_orig->RshSaveState() == RSH_SERVER_USER_NAME )
+			// First input
+			vl->append(new Val(true, TYPE_BOOL));
+		else
+			vl->append(new Val(false, TYPE_BOOL));
+
+		ConnectionEvent(rsh_request, vl);
+		}
+
+	else if ( rsh_reply )
+		ConnectionEvent(rsh_reply, vl);
+	}
+
+void Rsh_Analyzer::ClientUserName(const char* s)
+	{
+	if ( client_name )
+		internal_error("multiple rsh client names");
+
+	client_name = new StringVal(s);
+	}
+
+void Rsh_Analyzer::ServerUserName(const char* s)
+	{
+	if ( username )
+		internal_error("multiple rsh initial client names");
+
+	username = new StringVal(s);
+	}
diff --git a/src/RSH.h b/src/RSH.h
new file mode 100644
index 0000000000..8a6c5fde6f
--- /dev/null
+++ b/src/RSH.h
@@ -0,0 +1,62 @@
+// $Id: RSH.h 6219 2008-10-01 05:39:07Z vern $
+
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#ifndef rsh_h
+#define rsh_h
+
+#include "Login.h"
+#include "ContentLine.h"
+
+typedef enum {
+	RSH_FIRST_NULL,		// waiting to see first NUL
+	RSH_CLIENT_USER_NAME,	// scanning client user name up to NUL
+	RSH_SERVER_USER_NAME,	// scanning server user name up to NUL
+	RSH_INITIAL_CMD,	// scanning initial command up to NUL
+
+	RSH_LINE_MODE,		// switch to line-oriented processing
+
+	RSH_PRESUMED_REJECTED,	// apparently server said No Way
+
+	RSH_UNKNOWN,	// we don't know what state we're in
+} rsh_state;
+
+class Rsh_Analyzer;
+
+class Contents_Rsh_Analyzer : public ContentLine_Analyzer {
+public:
+	Contents_Rsh_Analyzer(Connection* conn, bool orig, Rsh_Analyzer* analyzer);
+	~Contents_Rsh_Analyzer();
+
+	rsh_state RshSaveState() const	{ return save_state; }
+
+protected:
+	virtual void DoDeliver(int len, const u_char* data);
+	void BadProlog();
+
+	rsh_state state, save_state;
+	int num_bytes_to_scan;
+
+	Rsh_Analyzer* analyzer;
+};
+
+class Rsh_Analyzer : public Login_Analyzer {
+public:
+	Rsh_Analyzer(Connection* conn);
+
+	virtual void DeliverStream(int len, const u_char* data, bool orig);
+
+	void ClientUserName(const char* s);
+	void ServerUserName(const char* s);
+
+	static Analyzer* InstantiateAnalyzer(Connection* conn)
+		{ return new Rsh_Analyzer(conn); }
+
+	static bool Available()
+		{ return login_failure || login_success || login_input_line || login_output_line; }
+
+	Contents_Rsh_Analyzer* contents_orig;
+	Contents_Rsh_Analyzer* contents_resp;
+};
+
+#endif
diff --git a/src/Reassem.cc b/src/Reassem.cc
new file mode 100644
index 0000000000..c6ec6a3420
--- /dev/null
+++ b/src/Reassem.cc
@@ -0,0 +1,383 @@
+// $Id: Reassem.cc 6703 2009-05-13 22:27:44Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "config.h"
+
+#include "Reassem.h"
+#include "Serializer.h"
+
+const bool DEBUG_reassem = false;
+
+#ifdef DEBUG
+int reassem_seen_bytes = 0;
+int reassem_copied_bytes = 0;
+#endif
+
+DataBlock::DataBlock(const u_char* data, int size, int arg_seq,
+			DataBlock* arg_prev, DataBlock* arg_next)
+	{
+	seq = arg_seq;
+	upper = seq + size;
+
+	block = new u_char[size];
+	if ( ! block )
+		internal_error("out of memory");
+
+	memcpy((void*) block, (const void*) data, size);
+
+#ifdef DEBUG
+	reassem_copied_bytes += size;
+#endif
+
+	prev = arg_prev;
+	next = arg_next;
+
+	if ( prev )
+		prev->next = this;
+	if ( next )
+		next->prev = this;
+
+	Reassembler::total_size += pad_size(size) + padded_sizeof(DataBlock);
+	}
+
+unsigned int Reassembler::total_size = 0;
+
+Reassembler::Reassembler(int init_seq, const uint32* ip_addr,
+			ReassemblerType arg_type)
+	{
+	blocks = last_block = 0;
+	trim_seq = last_reassem_seq = init_seq;
+
+	const NumericData* host_profile;
+	get_map_result(ip_addr[0], host_profile);	// breaks for IPv6
+
+	policy = (arg_type == REASSEM_TCP) ?
+			host_profile->tcp_reassem : host_profile->ip_reassem;
+	}
+
+
+Reassembler::~Reassembler()
+	{
+	ClearBlocks();
+	}
+
+void Reassembler::NewBlock(double t, int seq, int len, const u_char* data)
+	{
+	if ( len == 0 )
+		return;
+
+#ifdef DEBUG
+	reassem_seen_bytes += len;
+#endif
+
+	int upper_seq = seq + len;
+
+	if ( seq_delta(upper_seq, trim_seq) <= 0 )
+		// Old data, don't do any work for it.
+		return;
+
+	if ( seq_delta(seq, trim_seq) < 0 )
+		{ // Partially old data, just keep the good stuff.
+		int amount_old = seq_delta(trim_seq, seq);
+
+		data += amount_old;
+		seq += amount_old;
+		len -= amount_old;
+		}
+
+	DataBlock* start_block;
+
+	if ( ! blocks )
+		blocks = last_block = start_block =
+			new DataBlock(data, len, seq, 0, 0);
+	else
+		start_block = AddAndCheck(blocks, seq, upper_seq, data);
+
+	BlockInserted(start_block);
+	}
+
+int Reassembler::TrimToSeq(int seq)
+	{
+	int num_missing = 0;
+
+	// Do this accounting before looking for Undelivered data,
+	// since that will alter last_reassem_seq.
+
+	if ( blocks )
+		{
+		if ( seq_delta(blocks->seq, last_reassem_seq) > 0 )
+			// An initial hole.
+			num_missing += seq_delta(blocks->seq, last_reassem_seq);
+		}
+
+	else if ( seq_delta(seq, last_reassem_seq) > 0 )
+		{ // Trimming data we never delivered.
+		if ( ! blocks )
+			// We won't have any accounting based on blocks
+			// for this hole.
+			num_missing += seq_delta(seq, last_reassem_seq);
+		}
+
+	if ( seq_delta(seq, last_reassem_seq) > 0 )
+		{
+		// We're trimming data we never delivered.
+		Undelivered(seq);
+		}
+
+	while ( blocks && seq_delta(blocks->upper, seq) <= 0 )
+		{
+		DataBlock* b = blocks->next;
+
+		if ( b && seq_delta(b->seq, seq) <= 0 )
+			{
+			if ( blocks->upper != b->seq )
+				num_missing += seq_delta(b->seq, blocks->upper);
+			}
+		else
+			{
+			// No more blocks - did this one make it to seq?
+			// Second half of test is for acks of FINs, which
+			// don't get entered into the sequence space.
+			if ( blocks->upper != seq && blocks->upper != seq - 1 )
+				num_missing += seq_delta(seq, blocks->upper);
+			}
+
+		delete blocks;
+
+		blocks = b;
+		}
+
+	if ( blocks )
+		{
+		blocks->prev = 0;
+
+		// If we skipped over some undeliverable data, then
+		// it's possible that this block is now deliverable.
+		// Give it a try.
+		if ( blocks->seq == last_reassem_seq )
+			BlockInserted(blocks);
+		}
+	else
+		last_block = 0;
+
+	if ( seq_delta(seq, trim_seq) > 0 )
+		// seq is further ahead in the sequence space.
+		trim_seq = seq;
+
+	return num_missing;
+	}
+
+void Reassembler::ClearBlocks()
+	{
+	while ( blocks )
+		{
+		DataBlock* b = blocks->next;
+		delete blocks;
+		blocks = b;
+		}
+
+	last_block = 0;
+	}
+
+int Reassembler::TotalSize() const
+	{
+	int size = 0;
+
+	for ( DataBlock* b = blocks; b; b = b->next )
+		size += b->Size();
+
+	return size;
+	}
+
+void Reassembler::Describe(ODesc* d) const
+	{
+	d->Add("reassembler");
+	}
+
+void Reassembler::Undelivered(int /* up_to_seq */)
+	{
+	}
+
+DataBlock* Reassembler::AddAndCheck(DataBlock* b, int seq, int upper,
+					const u_char* data)
+	{
+	if ( DEBUG_reassem )
+		{
+		DEBUG_MSG("%.6f Reassembler::AddAndCheck seq=%d, upper=%d\n",
+		          network_time, seq, upper);
+		}
+
+	// Special check for the common case of appending to the end.
+	if ( last_block && seq == last_block->upper )
+		{
+		last_block = new DataBlock(data, upper - seq, seq,
+						last_block, 0);
+		return last_block;
+		}
+
+	// Find the first block that doesn't come completely before the
+	// new data.
+	while ( b->next && seq_delta(b->upper, seq) <= 0 )
+		b = b->next;
+
+	if ( seq_delta(b->upper, seq) <= 0 )
+		{
+		// b is the last block, and it comes completely before
+		// the new block.
+		last_block = new DataBlock(data, upper - seq, seq, b, 0);
+		return last_block;
+		}
+
+	DataBlock* new_b = 0;
+
+	if ( seq_delta(upper, b->seq) <= 0 )
+		{
+		// The new block comes completely before b.
+		new_b = new DataBlock(data, seq_delta(upper, seq), seq,
+					b->prev, b);
+		if ( b == blocks )
+			blocks = new_b;
+		return new_b;
+		}
+
+	// The blocks overlap.
+
+#ifdef ACTIVE_MAPPING
+	if ( policy != RP_UNKNOWN )
+		{
+		if ( seq_delta(seq, b->seq) < 0 )
+			{ // The new block has a prefix that comes before b.
+			int prefix_len = seq_delta(b->seq, seq);
+			new_b = new DataBlock(data, prefix_len, seq, b->prev, b);
+			if ( b == blocks )
+				blocks = new_b;
+
+			data += prefix_len;
+			seq += prefix_len;
+			}
+
+		if ( policy == RP_LAST ||
+			     // After handling the prefix block, BSD takes the rest
+		     (policy == RP_BSD && new_b) ||
+			     // Similar, but overwrite for same seq number
+		     (policy == RP_LINUX && (new_b || seq == b->seq)) )
+			{
+			DataBlock* bprev = b->prev;
+			bool b_was_first = b == blocks;
+			while ( b && b->upper <= upper )
+				{
+				DataBlock* next = b->next;
+				delete b;
+				b = next;
+				}
+
+			new_b = new DataBlock(data, upper - seq, seq, bprev, b);
+			if ( b_was_first )
+				blocks = new_b;
+
+			// Trim the next block as needed.
+			if ( b && seq_delta(new_b->upper, b->seq) > 0 )
+				{
+				DataBlock* next_b =
+					new DataBlock(&b->block[upper - b->seq],
+							b->upper - upper, upper,
+							new_b, b->next);
+				if ( b == last_block )
+					last_block = next_b;
+
+				delete b;
+				}
+			}
+
+		else
+			{ // handle the piece that sticks out past b
+			new_b = b;
+			int len = upper - b->upper;
+			if ( len > 0 )
+				new_b = AddAndCheck(b, b->upper, upper, &data[b->upper - seq]);
+			}
+		}
+	else
+		{
+#endif
+	// Default behavior - complain about overlaps.
+	if ( seq_delta(seq, b->seq) < 0 )
+		{
+		// The new block has a prefix that comes before b.
+		int prefix_len = seq_delta(b->seq, seq);
+		new_b = new DataBlock(data, prefix_len, seq, b->prev, b);
+		if ( b == blocks )
+			blocks = new_b;
+
+		data += prefix_len;
+		seq += prefix_len;
+		}
+	else
+		new_b = b;
+
+	int overlap_start = seq;
+	int overlap_offset = seq_delta(overlap_start, b->seq);
+	int new_b_len = seq_delta(upper, seq);
+	int b_len = seq_delta(b->upper, overlap_start);
+	int overlap_len = min(new_b_len, b_len);
+
+	Overlap(&b->block[overlap_offset], data, overlap_len);
+
+	if ( overlap_len < new_b_len )
+		{
+		// Recurse to resolve remainder of the new data.
+		data += overlap_len;
+		seq += overlap_len;
+
+		if ( new_b == b )
+			new_b = AddAndCheck(b, seq, upper, data);
+		else
+			(void) AddAndCheck(b, seq, upper, data);
+		}
+
+#ifdef ACTIVE_MAPPING
+		}	// else branch, for RP_UNKNOWN behavior
+#endif
+
+	if ( new_b->prev == last_block )
+		last_block = new_b;
+
+	return new_b;
+	}
+
+bool Reassembler::Serialize(SerialInfo* info) const
+	{
+	return SerialObj::Serialize(info);
+	}
+
+Reassembler* Reassembler::Unserialize(UnserialInfo* info)
+	{
+	return (Reassembler*) SerialObj::Unserialize(info, SER_REASSEMBLER);
+	}
+
+bool Reassembler::DoSerialize(SerialInfo* info) const
+	{
+	DO_SERIALIZE(SER_REASSEMBLER, BroObj);
+
+	// I'm not sure if it makes sense to actually save the buffered data.
+	// For now, we just remember the seq numbers so that we don't get
+	// complaints about missing content.
+	return SERIALIZE(trim_seq) && SERIALIZE(int(policy));
+	}
+
+bool Reassembler::DoUnserialize(UnserialInfo* info)
+	{
+	DO_UNSERIALIZE(BroObj);
+
+	blocks = last_block = 0;
+
+	int p;
+	if ( ! UNSERIALIZE(&trim_seq) || ! UNSERIALIZE(&p) )
+		return false;
+
+	policy = ReassemblyPolicy(p);
+	last_reassem_seq = trim_seq;
+
+	return  true;
+	}
diff --git a/src/Reassem.h b/src/Reassem.h
new file mode 100644
index 0000000000..0200f8577b
--- /dev/null
+++ b/src/Reassem.h
@@ -0,0 +1,88 @@
+// $Id: Reassem.h 6703 2009-05-13 22:27:44Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#ifndef reassem_h
+#define reassem_h
+
+#include "Active.h"
+#include "Obj.h"
+
+class DataBlock {
+public:
+	DataBlock(const u_char* data, int size, int seq,
+			DataBlock* next, DataBlock* prev);
+
+	~DataBlock();
+
+	int Size() const	{ return upper - seq; }
+
+	DataBlock* next;	// next block with higher seq #
+	DataBlock* prev;	// previous block with lower seq #
+	int seq, upper;
+	u_char* block;
+};
+
+
+enum ReassemblerType { REASSEM_IP, REASSEM_TCP };
+
+class Reassembler : public BroObj {
+public:
+	Reassembler(int init_seq, const uint32* ip_addr,
+			ReassemblerType arg_type);
+	virtual ~Reassembler();
+
+	void NewBlock(double t, int seq, int len, const u_char* data);
+
+	// Throws away all blocks up to seq.  Returns number of bytes
+	// if not all in-sequence, 0 if they were.
+	int TrimToSeq(int seq);
+
+	// Delete all held blocks.
+	void ClearBlocks();
+
+	int HasBlocks() const		{ return blocks != 0; }
+	int LastReassemSeq() const	{ return last_reassem_seq; }
+
+	int TotalSize() const;	// number of bytes buffered up
+
+	void Describe(ODesc* d) const;
+
+	bool Serialize(SerialInfo* info) const;
+	static Reassembler* Unserialize(UnserialInfo* info);
+
+	// Sum over all data buffered in some reassembler.
+	static unsigned int TotalMemoryAllocation()	{ return total_size; }
+
+protected:
+	Reassembler()	{ }
+
+	DECLARE_ABSTRACT_SERIAL(Reassembler);
+
+	friend class DataBlock;
+
+	virtual void Undelivered(int up_to_seq);
+
+	virtual void BlockInserted(DataBlock* b) = 0;
+	virtual void Overlap(const u_char* b1, const u_char* b2, int n) = 0;
+
+	DataBlock* AddAndCheck(DataBlock* b, int seq,
+				int upper, const u_char* data);
+
+	DataBlock* blocks;
+	DataBlock* last_block;
+	int last_reassem_seq;
+	int trim_seq;	// how far we've trimmed
+
+	ReassemblyPolicy policy;
+
+	static unsigned int total_size;
+};
+
+inline DataBlock::~DataBlock()
+	{
+	Reassembler::total_size -= pad_size(upper - seq) + padded_sizeof(DataBlock);
+	delete [] block;
+	}
+
+#endif
diff --git a/src/RemoteSerializer.cc b/src/RemoteSerializer.cc
new file mode 100644
index 0000000000..203bcd04f5
--- /dev/null
+++ b/src/RemoteSerializer.cc
@@ -0,0 +1,3908 @@
+// $Id: RemoteSerializer.cc 6951 2009-12-04 22:23:28Z vern $
+//
+// Processes involved in the communication:
+//
+//	 (Local-Parent) <-> (Local-Child) <-> (Remote-Child) <-> (Remote-Parent)
+//
+// Message types (for parent<->child communication the CMsg's peer indicates
+// about whom we're talking).
+//
+// Communication protocol version
+//	VERSION <version> <cache_size> <data-format-version>
+//		<run-time> [<class:string>]
+//
+// Send serialization
+//	SERIAL <serialization>
+//
+// Terminate(d) connection
+//	CLOSE
+//
+// Close(d) all connections
+//	CLOSE_ALL
+//
+// Connect to remote side
+//	CONNECT_TO <id-of-new-peer> <ip> <port> <retry-interval> <use-ssl>
+//
+// Connected to remote side
+//	CONNECTED <ip> <port>
+//
+// Request events from remote side
+//	REQUEST_EVENTS <list of events>
+//
+// Request synchronization of IDs with remote side
+//	REQUEST_SYNC <authorative:bool>
+//
+// Listen for connection on ip/port (ip may be INADDR_ANY)
+//	LISTEN <ip> <port> <use_ssl>
+//
+// Close listen ports.
+//	LISTEN_STOP
+//
+// Error caused by host
+//	ERROR <msg>
+//
+// Some statistics about the given peer connection
+//	STATS <string>
+//
+// Requests to set a new capture_filter
+//	CAPTURE_FILTER <string>
+//
+// Ping to peer
+//  PING <struct ping_args>
+//
+// Pong from peer
+//  PONG <struct ping_args>
+//
+// Announce our capabilities
+//  CAPS <flags> <reserved> <reserved>
+//
+// Activate compression (parent->child)
+//  COMPRESS <level>
+//
+// Indicate that all following blocks are compressed (child->child)
+//  COMPRESS
+//
+// Synchronize for pseudo-realtime processing.
+// Signals that we have reached sync-point number <count>.
+//  SYNC_POINT <count>
+//
+// Signals the child that we want to terminate. Anything sent after this may
+// get lost. When the child answers with another TERMINATE it is safe to
+// shutdown.
+//  TERMINATE
+//
+// Debug-only: tell child to dump recently received/sent data to disk.
+//  DEBUG_DUMP
+//
+// Valid messages between processes:
+//
+//	Main -> Child
+//		CONNECT_TO
+//		REQUEST_EVENTS
+//		SERIAL
+//		CLOSE
+//		CLOSE_ALL
+//		LISTEN
+//		LISTEN_STOP
+//		CAPTURE_FILTER
+//		VERSION
+//		REQUEST_SYNC
+//		PHASE_DONE
+//		PING
+//		PONG
+//		CAPS
+//		COMPRESS
+//		SYNC_POINT
+//		DEBUG_DUMP
+//		REMOTE_PRINT
+//
+//	Child -> Main
+//		CONNECTED
+//		REQUEST_EVENTS
+//		SERIAL
+//		CLOSE
+//		ERROR
+//		STATS
+//		VERSION
+//		CAPTURE_FILTER
+//		REQUEST_SYNC
+//		PHASE_DONE
+//		PING
+//		PONG
+//		CAPS
+//		LOG
+//		SYNC_POINT
+//		REMOTE_PRINT
+//
+//	Child <-> Child
+//		VERSION
+//		SERIAL
+//		REQUEST_EVENTS
+//		CAPTURE_FILTER
+//		REQUEST_SYNC
+//		PHASE_DONE
+//		PING
+//		PONG
+//		CAPS
+//		COMPRESS
+//		SYNC_POINT
+//		REMOTE_PRINT
+//
+//  A connection between two peers has four phases:
+//
+//  Setup:
+//      Initial phase.
+//      VERSION messages must be exchanged.
+//      Ends when both peers have sent VERSION.
+//  Handshake:
+//      REQUEST_EVENTS/REQUEST_SYNC/CAPTURE_FILTER/CAPS/selected SERIALs
+//      may be exchanged.
+//      Phase ends when both peers have sent PHASE_DONE.
+//  State synchronization:
+//      Entered iff at least one of the peers has sent REQUEST_SYNC.
+//      The peer with the smallest runtime (incl. in VERSION msg) sends
+//      SERIAL messages compromising all of its state.
+//      Phase ends when peer sends another PHASE_DONE.
+//  Running:
+//      Peers exchange SERIAL (and PING/PONG) messages.
+//      Phase ends with connection tear-down by one of the peers.
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <sys/wait.h>
+#include <netinet/in.h>
+#include <unistd.h>
+#include <errno.h>
+#include <signal.h>
+#include <arpa/inet.h>
+#include <fcntl.h>
+#include <signal.h>
+#include <strings.h>
+#include <stdarg.h>
+
+#include "config.h"
+#if TIME_WITH_SYS_TIME
+# include <sys/time.h>
+# include <time.h>
+#else
+# if HAVE_SYS_TIME_H
+#  include <sys/time.h>
+# else
+#  include <time.h>
+# endif
+#endif
+#include <sys/resource.h>
+
+#include "RemoteSerializer.h"
+#include "Func.h"
+#include "EventRegistry.h"
+#include "Event.h"
+#include "Net.h"
+#include "NetVar.h"
+#include "Scope.h"
+#include "Sessions.h"
+#include "File.h"
+#include "Conn.h"
+
+extern "C" {
+#include "setsignal.h"
+};
+
+// Gets incremented each time there's an incompatible change
+// to the communication internals.
+static const unsigned short PROTOCOL_VERSION = 0x06;
+
+static const char MSG_NONE = 0x00;
+static const char MSG_VERSION = 0x01;
+static const char MSG_SERIAL = 0x02;
+static const char MSG_CLOSE = 0x03;
+static const char MSG_CLOSE_ALL = 0x04;
+static const char MSG_ERROR = 0x05;
+static const char MSG_CONNECT_TO = 0x06;
+static const char MSG_CONNECTED = 0x07;
+static const char MSG_REQUEST_EVENTS = 0x08;
+static const char MSG_LISTEN = 0x09;
+static const char MSG_LISTEN_STOP = 0x0a;
+static const char MSG_STATS = 0x0b;
+static const char MSG_CAPTURE_FILTER = 0x0c;
+static const char MSG_REQUEST_SYNC = 0x0d;
+static const char MSG_PHASE_DONE = 0x0e;
+static const char MSG_PING = 0x0f;
+static const char MSG_PONG = 0x10;
+static const char MSG_CAPS = 0x11;
+static const char MSG_COMPRESS = 0x12;
+static const char MSG_LOG = 0x13;
+static const char MSG_SYNC_POINT = 0x14;
+static const char MSG_TERMINATE = 0x15;
+static const char MSG_DEBUG_DUMP = 0x16;
+static const char MSG_REMOTE_PRINT = 0x17;
+
+// Update this one whenever adding a new ID:
+static const char MSG_ID_MAX = MSG_REMOTE_PRINT;
+
+static const uint32 FINAL_SYNC_POINT = /* UINT32_MAX */ 4294967295U;
+
+// Buffer size for remote-print data
+static const int PRINT_BUFFER_SIZE = 10 * 1024;
+static const int SOCKBUF_SIZE = 1024 * 1024;
+
+struct ping_args {
+	uint32 seq;
+	double time1; // Round-trip time parent1<->parent2
+	double time2; // Round-trip time child1<->parent2
+	double time3; // Round-trip time child2<->parent2
+};
+
+#ifdef DEBUG
+# define DEBUG_COMM(msg) DBG_LOG(DBG_COMM, msg)
+#else
+# define DEBUG_COMM(msg)
+#endif
+
+#define READ_CHUNK(i, c, do_if_eof) \
+	{ \
+	if ( ! i->Read(&c) ) \
+		{ \
+		if ( i->Eof() ) \
+			{ \
+			do_if_eof; \
+			} \
+		else \
+			Error(fmt("can't read data chunk: %s", io->Error()), i == io); \
+		return false; \
+		} \
+	\
+	if ( ! c ) \
+		return true; \
+	}
+
+#define READ_CHUNK_FROM_CHILD(c) \
+	{ \
+	if ( ! io->Read(&c) ) \
+		{ \
+		if ( io->Eof() ) \
+			ChildDied(); \
+		else \
+			Error(fmt("can't read data chunk: %s", io->Error())); \
+		return false; \
+		} \
+	\
+	if ( ! c ) \
+		{ \
+		idle = io->IsIdle();\
+		return true; \
+		} \
+	idle = false; \
+	}
+
+static const char* msgToStr(int msg)
+	{
+# define MSG_STR(x) case x: return #x;
+	switch ( msg ) {
+	MSG_STR(MSG_VERSION)
+	MSG_STR(MSG_NONE)
+	MSG_STR(MSG_SERIAL)
+	MSG_STR(MSG_CLOSE)
+	MSG_STR(MSG_CLOSE_ALL)
+	MSG_STR(MSG_ERROR)
+	MSG_STR(MSG_CONNECT_TO)
+	MSG_STR(MSG_CONNECTED)
+	MSG_STR(MSG_REQUEST_EVENTS)
+	MSG_STR(MSG_LISTEN)
+	MSG_STR(MSG_LISTEN_STOP)
+	MSG_STR(MSG_STATS)
+	MSG_STR(MSG_CAPTURE_FILTER)
+	MSG_STR(MSG_REQUEST_SYNC)
+	MSG_STR(MSG_PHASE_DONE)
+	MSG_STR(MSG_PING)
+	MSG_STR(MSG_PONG)
+	MSG_STR(MSG_CAPS)
+	MSG_STR(MSG_COMPRESS)
+	MSG_STR(MSG_LOG)
+	MSG_STR(MSG_SYNC_POINT)
+	MSG_STR(MSG_TERMINATE)
+	MSG_STR(MSG_DEBUG_DUMP)
+	MSG_STR(MSG_REMOTE_PRINT)
+	default:
+		return "UNKNOWN_MSG";
+	}
+	}
+
+// Start of every message between two processes. We do the low-level work
+// ourselves to make this 64-bit safe. (The actual layout is an artifact of
+// an earlier design that depended on how a 32-bit GCC lays out its structs ...)
+class CMsg {
+public:
+	CMsg(char type, RemoteSerializer::PeerID peer)
+		{
+		buffer[0] = type;
+		uint32 tmp = htonl(peer);
+		memcpy(buffer + 4, &tmp, sizeof(tmp));
+		}
+
+	char Type()	{ return buffer[0]; }
+	RemoteSerializer::PeerID Peer()
+		{
+		// Wow, is this ugly...
+		return ntohl(*(uint32*)(buffer + 4));
+		}
+
+	const char* Raw()	{ return buffer; }
+
+private:
+	char buffer[8];
+};
+
+static bool sendCMsg(ChunkedIO* io, char msg_type, RemoteSerializer::PeerID id)
+	{
+	// We use the new[] operator here to avoid mismatches
+	// when deleting the data.
+	CMsg* msg = (CMsg*) new char[sizeof(CMsg)];
+	new (msg) CMsg(msg_type, id);
+
+	ChunkedIO::Chunk* c = new ChunkedIO::Chunk;
+	c->len = sizeof(CMsg);
+	c->data = (char*) msg;
+
+	return io->Write(c);
+	}
+
+static ChunkedIO::Chunk* makeSerialMsg(RemoteSerializer::PeerID id)
+	{
+	// We use the new[] operator here to avoid mismatches
+	// when deleting the data.
+	CMsg* msg = (CMsg*) new char[sizeof(CMsg)];
+	new (msg) CMsg(MSG_SERIAL, id);
+
+	ChunkedIO::Chunk* c = new ChunkedIO::Chunk;
+	c->len = sizeof(CMsg);
+	c->data = (char*) msg;
+
+	return c;
+	}
+
+inline void RemoteSerializer::SetupSerialInfo(SerialInfo* info, Peer* peer)
+	{
+	info->chunk = makeSerialMsg(peer->id);
+	if ( peer->caps & Peer::NO_CACHING )
+		info->cache = false;
+
+	if ( ! (peer->caps & Peer::PID_64BIT) || peer->phase != Peer::RUNNING )
+		info->pid_32bit = true;
+
+	if ( (peer->caps & Peer::NEW_CACHE_STRATEGY) &&
+	     peer->phase == Peer::RUNNING )
+		info->new_cache_strategy = true;
+
+	info->include_locations = false;
+	}
+
+static bool sendToIO(ChunkedIO* io, ChunkedIO::Chunk* c)
+	{
+	if ( ! io->Write(c) )
+		{
+		warn(fmt("can't send chunk: %s", io->Error()));
+		return false;
+		}
+
+	return true;
+	}
+
+static bool sendToIO(ChunkedIO* io, char msg_type, RemoteSerializer::PeerID id,
+			const char* str, int len = -1)
+	{
+	if ( ! sendCMsg(io, msg_type, id) )
+		{
+		warn(fmt("can't send message of type %d: %s", msg_type, io->Error()));
+		return false;
+		}
+
+	ChunkedIO::Chunk* c = new ChunkedIO::Chunk;
+	c->len = len >= 0 ? len : strlen(str) + 1;
+	c->data = const_cast<char*>(str);
+	return sendToIO(io, c);
+	}
+
+static bool sendToIO(ChunkedIO* io, char msg_type, RemoteSerializer::PeerID id,
+			int nargs, va_list ap)
+	{
+	if ( ! sendCMsg(io, msg_type, id) )
+		{
+		warn(fmt("can't send message of type %d: %s", msg_type, io->Error()));
+		return false;
+		}
+
+	if ( nargs == 0 )
+		return true;
+
+	uint32* args = new uint32[nargs];
+
+	for ( int i = 0; i < nargs; i++ )
+		args[i] = htonl(va_arg(ap, uint32));
+
+	ChunkedIO::Chunk* c = new ChunkedIO::Chunk;
+	c->len = sizeof(uint32) * nargs;
+	c->data = (char*) args;
+
+	return sendToIO(io, c);
+	}
+
+#ifdef DEBUG
+static inline char* fmt_uint32s(int nargs, va_list ap)
+	{
+	static char buf[512];
+	char* p = buf;
+	*p = '\0';
+	for ( int i = 0; i < nargs; i++ )
+		p += snprintf(p, sizeof(buf) - (p - buf),
+				" 0x%08x", va_arg(ap, uint32));
+	buf[511] = '\0';
+	return buf;
+	}
+#endif
+
+
+static inline const char* ip2a(uint32 ip)
+	{
+	static char buffer[32];
+	struct in_addr addr;
+
+	addr.s_addr = htonl(ip);
+
+	return inet_ntop(AF_INET, &addr, buffer, 32);
+	}
+
+static pid_t child_pid = 0;
+
+// Return true if message type is sent by a peer (rather than the child
+// process itself).
+static inline bool is_peer_msg(int msg)
+	{
+	return msg == MSG_VERSION ||
+		msg == MSG_SERIAL ||
+		msg == MSG_REQUEST_EVENTS ||
+		msg == MSG_REQUEST_SYNC ||
+		msg == MSG_CAPTURE_FILTER ||
+		msg == MSG_PHASE_DONE ||
+		msg == MSG_PING ||
+		msg == MSG_PONG ||
+		msg == MSG_CAPS ||
+		msg == MSG_COMPRESS ||
+		msg == MSG_SYNC_POINT ||
+		msg == MSG_REMOTE_PRINT;
+	}
+
+bool RemoteSerializer::IsConnectedPeer(PeerID id)
+	{
+	if ( id == PEER_NONE )
+		return true;
+
+	return LookupPeer(id, true) != 0;
+	}
+
+class IncrementalSendTimer : public Timer {
+public:
+	IncrementalSendTimer(double t, RemoteSerializer::Peer* p, SerialInfo* i)
+		: Timer(t, TIMER_INCREMENTAL_SEND), info(i), peer(p)	{}
+	virtual void Dispatch(double t, int is_expire)
+		{
+		// Never suspend when we're finishing up.
+		if ( terminating )
+			info->may_suspend = false;
+
+		remote_serializer->SendAllSynchronized(peer, info);
+		}
+
+	SerialInfo* info;
+	RemoteSerializer::Peer* peer;
+};
+
+RemoteSerializer::RemoteSerializer()
+	{
+	initialized = false;
+	current_peer = 0;
+	msgstate = TYPE;
+	id_counter = 1;
+	listening = false;
+	ignore_accesses = false;
+	propagate_accesses = 1;
+	current_sync_point = 0;
+	syncing_times = false;
+	io = 0;
+	closed = false;
+	terminating = false;
+	in_sync = 0;
+	}
+
+RemoteSerializer::~RemoteSerializer()
+	{
+	if ( child_pid )
+		{
+		kill(child_pid, SIGKILL);
+		waitpid(child_pid, 0, 0);
+		}
+
+	delete io;
+	}
+
+void RemoteSerializer::Init()
+	{
+	if ( initialized )
+		return;
+
+	if ( reading_traces && ! pseudo_realtime )
+		{
+		using_communication = 0;
+		return;
+		}
+
+	Fork();
+
+	io_sources.Register(this);
+
+	Log(LogInfo, fmt("communication started, parent pid is %d, child pid is %d", getpid(), child_pid));
+	initialized = 1;
+	}
+
+void RemoteSerializer::Fork()
+	{
+	if ( child_pid )
+		return;
+
+	// If we are re-forking, remove old entries
+	loop_over_list(peers, i)
+		RemovePeer(peers[i]);
+
+	// Create pipe for communication between parent and child.
+	int pipe[2];
+
+	if ( socketpair(AF_UNIX, SOCK_STREAM, 0, pipe) < 0 )
+		{
+		Error(fmt("can't create pipe: %s", strerror(errno)));
+		return;
+		}
+
+	int bufsize;
+	socklen_t len = sizeof(bufsize);
+
+	if ( getsockopt(pipe[0], SOL_SOCKET, SO_SNDBUF, &bufsize, &len ) < 0 )
+		Log(LogInfo, fmt("warning: cannot get socket buffer size: %s", strerror(errno)));
+	else
+		Log(LogInfo, fmt("pipe's socket buffer size is %d, setting to %d", bufsize, SOCKBUF_SIZE));
+
+	bufsize = SOCKBUF_SIZE;
+
+	if ( setsockopt(pipe[0], SOL_SOCKET, SO_SNDBUF,
+			&bufsize, sizeof(bufsize) ) < 0 ||
+	     setsockopt(pipe[0], SOL_SOCKET, SO_RCVBUF,
+			&bufsize, sizeof(bufsize) ) < 0 ||
+	     setsockopt(pipe[1], SOL_SOCKET, SO_SNDBUF,
+			&bufsize, sizeof(bufsize) ) < 0 ||
+	     setsockopt(pipe[1], SOL_SOCKET, SO_RCVBUF,
+			&bufsize, sizeof(bufsize) ) < 0 )
+		Log(LogInfo, fmt("warning: cannot set socket buffer size to %dK: %s", bufsize / 1024, strerror(errno)));
+
+	child_pid = 0;
+
+	int pid = fork();
+
+	if ( pid < 0 )
+		{
+		Error(fmt("can't fork: %s", strerror(errno)));
+		return;
+		}
+
+	if ( pid > 0 )
+		{
+		// Parent
+		child_pid = pid;
+
+		io = new ChunkedIOFd(pipe[0], "parent->child", child_pid);
+		if ( ! io->Init() )
+			{
+			Error(fmt("can't init child io: %s", io->Error()));
+			exit(1); // FIXME: Better way to handle this?
+			}
+
+		close(pipe[1]);
+
+		return;
+		}
+	else
+		{ // child
+		SocketComm child;
+
+		ChunkedIOFd* io =
+			new ChunkedIOFd(pipe[1], "child->parent", getppid());
+		if ( ! io->Init() )
+			{
+			Error(fmt("can't init parent io: %s", io->Error()));
+			exit(1);
+			}
+
+		child.SetParentIO(io);
+		close(pipe[0]);
+
+		// Close file descriptors.
+		close(0);
+		close(1);
+		close(2);
+
+		// Be nice.
+		setpriority(PRIO_PROCESS, 0, 5);
+
+		child.Run();
+		internal_error("cannot be reached");
+		}
+	}
+
+RemoteSerializer::PeerID RemoteSerializer::Connect(addr_type ip, uint16 port,
+			const char* our_class, double retry, bool use_ssl)
+	{
+	if ( ! using_communication )
+		return true;
+
+	if ( ! initialized )
+		internal_error("remote serializer not initialized");
+
+#ifdef BROv6
+	if ( ! is_v4_addr(ip) )
+		Error("inter-Bro communication not supported over IPv6");
+
+	uint32 ip4 = to_v4_addr(ip);
+#else
+	uint32 ip4 = ip;
+#endif
+
+	ip4 = ntohl(ip4);
+
+	if ( ! child_pid )
+		Fork();
+
+	Peer* p = AddPeer(ip4, port);
+	p->orig = true;
+
+	if ( our_class )
+		p->our_class = our_class;
+
+	if ( ! SendToChild(MSG_CONNECT_TO, p, 5, p->id,
+				ip4, port, uint32(retry), use_ssl) )
+		{
+		RemovePeer(p);
+		return false;
+		}
+
+	p->state = Peer::PENDING;
+	return p->id;
+	}
+
+bool RemoteSerializer::CloseConnection(Peer* peer)
+	{
+	if ( peer->suspended_processing )
+		{
+		net_continue_processing();
+		current_peer->suspended_processing = false;
+		}
+
+	if ( peer->state == Peer::CLOSING )
+		return true;
+
+	FlushPrintBuffer(peer);
+
+	Log(LogInfo, "closing connection", peer);
+
+	peer->state = Peer::CLOSING;
+	return SendToChild(MSG_CLOSE, peer, 0);
+	}
+
+bool RemoteSerializer::RequestSync(PeerID id, bool auth)
+	{
+	if ( ! using_communication )
+		return true;
+
+	Peer* peer = LookupPeer(id, true);
+	if ( ! peer )
+		{
+		run_time(fmt("unknown peer id %d for request sync", int(id)));
+		return false;
+		}
+
+	if ( peer->phase != Peer::HANDSHAKE )
+		{
+		run_time(fmt("can't request sync from peer; wrong phase %d",
+				peer->phase));
+		return false;
+		}
+
+	if ( ! SendToChild(MSG_REQUEST_SYNC, peer, 1, auth ? 1 : 0) )
+		return false;
+
+	peer->sync_requested |= Peer::WE | (auth ? Peer::AUTH_WE : 0);
+
+	return true;
+	}
+
+bool RemoteSerializer::RequestEvents(PeerID id, RE_Matcher* pattern)
+	{
+	if ( ! using_communication )
+		return true;
+
+	Peer* peer = LookupPeer(id, true);
+	if ( ! peer )
+		{
+		run_time(fmt("unknown peer id %d for request sync", int(id)));
+		return false;
+		}
+
+	if ( peer->phase != Peer::HANDSHAKE )
+		{
+		run_time(fmt("can't request events from peer; wrong phase %d",
+				peer->phase));
+		return false;
+		}
+
+	EventRegistry::string_list* handlers = event_registry->Match(pattern);
+
+	// Concat the handlers' names.
+	int len = 0;
+	loop_over_list(*handlers, i)
+		len += strlen((*handlers)[i]) + 1;
+
+	if ( ! len )
+		{
+		Log(LogInfo, "warning: no events to request");
+		delete handlers;
+		return true;
+		}
+
+	char* data = new char[len];
+	char* d = data;
+	loop_over_list(*handlers, j)
+		{
+		for ( const char* p = (*handlers)[j]; *p; *d++ = *p++ )
+			;
+		*d++ = '\0';
+		}
+
+	delete handlers;
+
+	return SendToChild(MSG_REQUEST_EVENTS, peer, data, len);
+	}
+
+bool RemoteSerializer::SetAcceptState(PeerID id, bool accept)
+	{
+	Peer* p = LookupPeer(id, false);
+	if ( ! p )
+		return true;
+
+	p->accept_state = accept;
+	return true;
+	}
+
+bool RemoteSerializer::SetCompressionLevel(PeerID id, int level)
+	{
+	Peer* p = LookupPeer(id, false);
+	if ( ! p )
+		return true;
+
+	p->comp_level = level;
+	return true;
+	}
+
+bool RemoteSerializer::CompleteHandshake(PeerID id)
+	{
+	Peer* p = LookupPeer(id, false);
+	if ( ! p )
+		return true;
+
+	if ( p->phase != Peer::HANDSHAKE )
+		{
+		run_time(fmt("can't complete handshake; wrong phase %d",
+				p->phase));
+		return false;
+		}
+
+	p->handshake_done |= Peer::WE;
+
+	if ( ! SendToChild(MSG_PHASE_DONE, p, 0) )
+		return false;
+
+	if ( p->handshake_done == Peer::BOTH )
+		HandshakeDone(p);
+
+	return true;
+	}
+
+bool RemoteSerializer::SendCall(SerialInfo* info, PeerID id,
+					const char* name, val_list* vl)
+	{
+	if ( ! using_communication || terminating )
+		return true;
+
+	Peer* peer = LookupPeer(id, true);
+	if ( ! peer )
+		return false;
+
+	// Do not send events back to originating peer.
+	if ( current_peer == peer )
+		return true;
+
+	return SendCall(info, peer, name, vl);
+	}
+
+
+bool RemoteSerializer::SendCall(SerialInfo* info, Peer* peer,
+					const char* name, val_list* vl)
+	{
+	if ( peer->phase != Peer::RUNNING || terminating )
+		return false;
+
+	++stats.events.out;
+	SetCache(peer->cache_out);
+	SetupSerialInfo(info, peer);
+
+	if ( ! Serialize(info, name, vl) )
+		{
+		FatalError(io->Error());
+		return false;
+		}
+
+	return true;
+	}
+
+bool RemoteSerializer::SendCall(SerialInfo* info, const char* name,
+				val_list* vl)
+	{
+	if ( ! IsOpen() || ! PropagateAccesses() || terminating )
+		return true;
+
+	loop_over_list(peers, i)
+		{
+		// Do not send event back to originating peer.
+		if ( peers[i] == current_peer )
+			continue;
+
+		SerialInfo new_info(*info);
+		if ( ! SendCall(&new_info, peers[i], name, vl) )
+			return false;
+		}
+
+	return true;
+	}
+
+bool RemoteSerializer::SendAccess(SerialInfo* info, Peer* peer,
+					const StateAccess& access)
+	{
+	if ( ! (peer->sync_requested & Peer::PEER) || terminating )
+		return true;
+
+#ifdef DEBUG
+	ODesc desc;
+	access.Describe(&desc);
+	DBG_LOG(DBG_COMM, "Sending %s", desc.Description());
+#endif
+
+	++stats.accesses.out;
+	SetCache(peer->cache_out);
+	SetupSerialInfo(info, peer);
+	info->globals_as_names = true;
+
+	if ( ! Serialize(info, access) )
+		{
+		FatalError(io->Error());
+		return false;
+		}
+
+	return true;
+	}
+
+bool RemoteSerializer::SendAccess(SerialInfo* info, PeerID pid,
+					const StateAccess& access)
+	{
+	Peer* p = LookupPeer(pid, false);
+	if ( ! p )
+		return true;
+
+	return SendAccess(info, p, access);
+	}
+
+bool RemoteSerializer::SendAccess(SerialInfo* info, const StateAccess& access)
+	{
+	if ( ! IsOpen() || ! PropagateAccesses() || terminating )
+		return true;
+
+	// A real broadcast would be nice here. But the different peers have
+	// different serialization caches, so we cannot simply send the same
+	// serialization to all of them ...
+	loop_over_list(peers, i)
+		{
+		// Do not send access back to originating peer.
+		if ( peers[i] == source_peer )
+			continue;
+
+		// Only sent accesses for fully setup peers.
+		if ( peers[i]->phase != Peer::RUNNING )
+			continue;
+
+		SerialInfo new_info(*info);
+		if ( ! SendAccess(&new_info, peers[i], access) )
+			return false;
+		}
+
+	return true;
+	}
+
+bool RemoteSerializer::SendAllSynchronized(Peer* peer, SerialInfo* info)
+	{
+	// FIXME: When suspending ID serialization works, remove!
+	DisableSuspend suspend(info);
+
+	current_peer = peer;
+
+	Continuation* cont = &info->cont;
+	ptr_compat_int index;
+
+	if ( info->cont.NewInstance() )
+		{
+		Log(LogInfo, "starting to send full state", peer);
+		index = 0;
+		}
+
+	else
+		{
+		index = int(ptr_compat_int(cont->RestoreState()));
+		if ( ! cont->ChildSuspended() )
+			cont->Resume();
+		}
+
+	for ( ; index < sync_ids.length(); ++index )
+		{
+		cont->SaveContext();
+
+		StateAccess sa(OP_ASSIGN, sync_ids[index],
+				sync_ids[index]->ID_Val());
+		// FIXME: When suspending ID serialization works, we need to
+		//  addsupport to StateAccesses, too.
+		bool result = SendAccess(info, peer, sa);
+		cont->RestoreContext();
+
+		if ( ! result )
+			return false;
+
+		if ( cont->ChildSuspended() || info->may_suspend )
+			{
+			double t = network_time + state_write_delay;
+			timer_mgr->Add(new IncrementalSendTimer(t, peer, info));
+
+			cont->SaveState((void*) index);
+			if ( info->may_suspend )
+				cont->Suspend();
+
+			return true;
+			}
+		}
+
+	if ( ! SendToChild(MSG_PHASE_DONE, peer, 0) )
+		return false;
+
+	suspend.Release();
+	delete info;
+
+	Log(LogInfo, "done sending full state", peer);
+
+	return EnterPhaseRunning(peer);
+	}
+
+bool RemoteSerializer::SendID(SerialInfo* info, Peer* peer, const ID& id)
+	{
+	if ( terminating )
+		return true;
+
+	// FIXME: When suspending ID serialization works, remove!
+	DisableSuspend suspend(info);
+
+	if ( info->cont.NewInstance() )
+		++stats.ids.out;
+
+	SetCache(peer->cache_out);
+	SetupSerialInfo(info, peer);
+	info->cont.SaveContext();
+	bool result = Serialize(info, id);
+	info->cont.RestoreContext();
+
+	if ( ! result )
+		{
+		FatalError(io->Error());
+		return false;
+		}
+
+	return true;
+	}
+
+bool RemoteSerializer::SendID(SerialInfo* info, PeerID pid, const ID& id)
+	{
+	if ( ! using_communication || terminating )
+		return true;
+
+	Peer* peer = LookupPeer(pid, true);
+	if ( ! peer )
+		return false;
+
+	if ( peer->phase != Peer::RUNNING )
+		return false;
+
+	return SendID(info, peer, id);
+	}
+
+bool RemoteSerializer::SendConnection(SerialInfo* info, PeerID id,
+					const Connection& c)
+	{
+	if ( ! using_communication || terminating )
+		return true;
+
+	Peer* peer = LookupPeer(id, true);
+	if ( ! peer )
+		return false;
+
+	if ( peer->phase != Peer::RUNNING )
+		return false;
+
+	++stats.conns.out;
+	SetCache(peer->cache_out);
+	SetupSerialInfo(info, peer);
+
+	if ( ! Serialize(info, c) )
+				{
+		FatalError(io->Error());
+		return false;
+		}
+
+	return true;
+	}
+
+bool RemoteSerializer::SendCaptureFilter(PeerID id, const char* filter)
+	{
+	if ( ! using_communication || terminating )
+		return true;
+
+	Peer* peer = LookupPeer(id, true);
+	if ( ! peer )
+		return false;
+
+	if ( peer->phase != Peer::HANDSHAKE )
+		{
+		run_time(fmt("can't sent capture filter to peer; wrong phase %d", peer->phase));
+		return false;
+		}
+
+	return SendToChild(MSG_CAPTURE_FILTER, peer, copy_string(filter));
+	}
+
+bool RemoteSerializer::SendPacket(SerialInfo* info, const Packet& p)
+	{
+	if ( ! IsOpen() || !PropagateAccesses() || terminating )
+		return true;
+
+	loop_over_list(peers, i)
+		{
+		// Only sent packet for fully setup peers.
+		if ( peers[i]->phase != Peer::RUNNING )
+			continue;
+
+		SerialInfo new_info(*info);
+		if ( ! SendPacket(&new_info, peers[i], p) )
+			return false;
+		}
+
+	return true;
+	}
+
+bool RemoteSerializer::SendPacket(SerialInfo* info, PeerID id, const Packet& p)
+	{
+	if ( ! using_communication || terminating )
+		return true;
+
+	Peer* peer = LookupPeer(id, true);
+	if ( ! peer )
+		return false;
+
+	return SendPacket(info, peer, p);
+	}
+
+bool RemoteSerializer::SendPacket(SerialInfo* info, Peer* peer, const Packet& p)
+	{
+	++stats.packets.out;
+	SetCache(peer->cache_out);
+	SetupSerialInfo(info, peer);
+
+	if ( ! Serialize(info, p) )
+		{
+		FatalError(io->Error());
+		return false;
+		}
+
+	return true;
+	}
+
+bool RemoteSerializer::SendPing(PeerID id, uint32 seq)
+	{
+	if ( ! using_communication || terminating )
+		return true;
+
+	Peer* peer = LookupPeer(id, true);
+	if ( ! peer )
+		return false;
+
+	char* data = new char[sizeof(ping_args)];
+
+	ping_args* args = (ping_args*) data;
+	args->seq = htonl(seq);
+	args->time1 = htond(current_time(true));
+	args->time2 = 0;
+	args->time3 = 0;
+
+	return SendToChild(MSG_PING, peer, data, sizeof(ping_args));
+	}
+
+bool RemoteSerializer::SendCapabilities(Peer* peer)
+	{
+	if ( peer->phase != Peer::HANDSHAKE )
+		{
+		run_time(fmt("can't sent capabilties to peer; wrong phase %d",
+				peer->phase));
+		return false;
+		}
+
+	uint32 caps = 0;
+
+#ifdef HAVE_LIBZ
+	caps |= Peer::COMPRESSION;
+#endif
+
+	caps |= Peer::PID_64BIT;
+	caps |= Peer::NEW_CACHE_STRATEGY;
+
+	return caps ? SendToChild(MSG_CAPS, peer, 3, caps, 0, 0) : true;
+	}
+
+bool RemoteSerializer::Listen(addr_type ip, uint16 port, bool expect_ssl)
+	{
+	if ( ! using_communication )
+		return true;
+
+#ifndef USE_OPENSSL
+	if ( expect_ssl )
+		{
+		Error("listening for SSL connections requested, but SSL support is not compiled in");
+		return false;
+		}
+#endif
+
+	if ( ! initialized )
+		internal_error("remote serializer not initialized");
+
+#ifdef BROv6
+	if ( ! is_v4_addr(ip) )
+		Error("inter-Bro communication not supported over IPv6");
+
+	uint32 ip4 = to_v4_addr(ip);
+#else
+	uint32 ip4 = ip;
+#endif
+
+	ip4 = ntohl(ip4);
+
+	if ( ! SendToChild(MSG_LISTEN, 0, 3, ip4, port, expect_ssl) )
+		return false;
+
+	listening = true;
+	closed = false;
+	return true;
+	}
+
+void RemoteSerializer::SendSyncPoint(uint32 point)
+	{
+	if ( ! (remote_trace_sync_interval && pseudo_realtime) || terminating )
+		return;
+
+	current_sync_point = point;
+
+	loop_over_list(peers, i)
+		if ( peers[i]->phase == Peer::RUNNING &&
+		     ! SendToChild(MSG_SYNC_POINT, peers[i],
+					1, current_sync_point) )
+			return;
+
+	if ( ! syncing_times )
+		{
+		Log(LogInfo, "waiting for peers");
+		syncing_times = true;
+
+		loop_over_list(peers, i)
+			{
+			// Need to do this once per peer to correctly
+			// track the number of suspend calls.
+			net_suspend_processing();
+			peers[i]->suspended_processing = true;
+			}
+		}
+
+	CheckSyncPoints();
+	}
+
+uint32 RemoteSerializer::SendSyncPoint()
+	{
+	Log(LogInfo, fmt("reached sync-point %u", current_sync_point));
+	SendSyncPoint(current_sync_point + 1);
+	return current_sync_point;
+	}
+
+void RemoteSerializer::SendFinalSyncPoint()
+	{
+	Log(LogInfo, fmt("reached end of trace, sending final sync point"));
+	SendSyncPoint(FINAL_SYNC_POINT);
+	}
+
+bool RemoteSerializer::Terminate()
+	{
+	Log(LogInfo, fmt("terminating..."));
+	return terminating = SendToChild(MSG_TERMINATE, 0, 0);
+	}
+
+bool RemoteSerializer::StopListening()
+	{
+	if ( ! listening )
+		return true;
+
+	if ( ! SendToChild(MSG_LISTEN_STOP, 0, 0) )
+		return false;
+
+	listening = false;
+	closed = ! IsActive();
+	return true;
+	}
+
+void RemoteSerializer::Register(ID* id)
+	{
+	DBG_LOG(DBG_STATE, "&synchronized %s", id->Name());
+	Unregister(id);
+	Ref(id);
+	sync_ids.append(id);
+	}
+
+void RemoteSerializer::Unregister(ID* id)
+	{
+	loop_over_list(sync_ids, i)
+		if ( streq(sync_ids[i]->Name(), id->Name()) )
+			{
+			Unref(sync_ids[i]);
+			sync_ids.remove_nth(i);
+			break;
+			}
+	}
+
+void RemoteSerializer::GetFds(int* read, int* write, int* except)
+	{
+	*read = io->Fd();
+
+	if ( io->CanWrite() )
+		*write = io->Fd();
+	}
+
+double RemoteSerializer::NextTimestamp(double* local_network_time)
+	{
+	Poll(false);
+
+	double et = events.length() ? events[0]->time : -1;
+	double pt = packets.length() ? packets[0]->time : -1;
+
+	if ( ! et )
+		et = timer_mgr->Time();
+
+	if ( ! pt )
+		pt = timer_mgr->Time();
+
+	if ( packets.length() )
+		idle = false;
+
+	if ( et >= 0 && (et < pt || pt < 0) )
+		return et;
+
+	if ( pt >= 0 )
+		{
+		// Return packet time as network time.
+		*local_network_time = packets[0]->p->time;
+		return pt;
+		}
+
+	return -1;
+	}
+
+TimerMgr::Tag* RemoteSerializer::GetCurrentTag()
+	{
+	return packets.length() ? &packets[0]->p->tag : 0;
+	}
+
+void RemoteSerializer::Process()
+	{
+	Poll(false);
+
+	int i = 0;
+	while ( events.length() )
+		{
+		if ( max_remote_events_processed &&
+		     ++i > max_remote_events_processed )
+			break;
+
+		BufferedEvent* be = events[0];
+		::Event* event = new ::Event(be->handler, be->args, be->src);
+
+		Peer* old_current_peer = current_peer;
+		// Prevent the source peer from getting the event back.
+		current_peer = LookupPeer(be->src, true); // may be null.
+		mgr.Dispatch(event, ! forward_remote_events);
+		current_peer = old_current_peer;
+
+		assert(events[0] == be);
+		delete be;
+		events.remove_nth(0);
+		}
+
+	// We shouldn't pass along more than one packet, as otherwise the
+	// timer mgr will not advance.
+	if ( packets.length() )
+		{
+		BufferedPacket* bp = packets[0];
+		Packet* p = bp->p;
+
+		// FIXME: The following chunk of code is copied from
+		// net_packet_dispatch().  We should change that function
+		// to accept an IOSource instead of the PktSrc.
+		network_time = p->time;
+
+		SegmentProfiler(segment_logger, "expiring-timers");
+		TimerMgr* tmgr = sessions->LookupTimerMgr(GetCurrentTag());
+		current_dispatched =
+			tmgr->Advance(network_time, max_timer_expires);
+
+		current_hdr = p->hdr;
+		current_pkt = p->pkt;
+		current_pktsrc = 0;
+		current_iosrc = this;
+		sessions->NextPacket(p->time, p->hdr, p->pkt, p->hdr_size, 0);
+		mgr.Drain();
+
+		current_hdr = 0;	// done with these
+		current_pkt = 0;
+		current_iosrc = 0;
+
+		delete p;
+		delete bp;
+		packets.remove_nth(0);
+		}
+
+	if ( packets.length() )
+		idle = false;
+	}
+
+void RemoteSerializer::Finish()
+	{
+	if ( ! using_communication )
+		return;
+
+	do
+		Poll(true);
+	while ( io->CanWrite() );
+
+	loop_over_list(peers, i)
+		CloseConnection(peers[i]);
+	}
+
+bool RemoteSerializer::Poll(bool may_block)
+	{
+	if ( ! child_pid )
+		return true;
+
+	// See if there's any peer waiting for initial state synchronization.
+	if ( sync_pending.length() && ! in_sync )
+		{
+		Peer* p = sync_pending[0];
+		sync_pending.remove_nth(0);
+		HandshakeDone(p);
+		}
+
+	io->Flush();
+	idle = false;
+
+	switch ( msgstate ) {
+	case TYPE:
+		{
+		current_peer = 0;
+		current_msgtype = MSG_NONE;
+
+		// CMsg follows
+		ChunkedIO::Chunk* c;
+		READ_CHUNK_FROM_CHILD(c);
+
+		CMsg* msg = (CMsg*) c->data;
+		current_peer = LookupPeer(msg->Peer(), false);
+		current_id = msg->Peer();
+		current_msgtype = msg->Type();
+		current_args = 0;
+
+		delete [] c->data;
+		delete c;
+
+		switch ( current_msgtype ) {
+		case MSG_CLOSE:
+		case MSG_CLOSE_ALL:
+		case MSG_LISTEN_STOP:
+		case MSG_PHASE_DONE:
+		case MSG_TERMINATE:
+		case MSG_DEBUG_DUMP:
+			{
+			// No further argument chunk.
+			msgstate = TYPE;
+			return DoMessage();
+			}
+		case MSG_VERSION:
+		case MSG_SERIAL:
+		case MSG_ERROR:
+		case MSG_CONNECT_TO:
+		case MSG_CONNECTED:
+		case MSG_REQUEST_EVENTS:
+		case MSG_REQUEST_SYNC:
+		case MSG_LISTEN:
+		case MSG_STATS:
+		case MSG_CAPTURE_FILTER:
+		case MSG_PING:
+		case MSG_PONG:
+		case MSG_CAPS:
+		case MSG_COMPRESS:
+		case MSG_LOG:
+		case MSG_SYNC_POINT:
+		case MSG_REMOTE_PRINT:
+			{
+			// One further argument chunk.
+			msgstate = ARGS;
+			return Poll(may_block);
+			}
+
+		case MSG_NONE:
+			InternalCommError(fmt("unexpected msg type %d",
+						current_msgtype));
+			return true;
+
+		default:
+			InternalCommError(fmt("unknown msg type %d in Poll()",
+						current_msgtype));
+			return true;
+		}
+		}
+
+	case ARGS:
+		{
+		// Argument chunk follows.
+		ChunkedIO::Chunk* c;
+		READ_CHUNK_FROM_CHILD(c);
+
+		current_args = c;
+		msgstate = TYPE;
+		bool result = DoMessage();
+
+		delete [] current_args->data;
+		delete current_args;
+		current_args = 0;
+
+		return result;
+		}
+
+	default:
+		internal_error("unknown msgstate");
+	}
+
+	internal_error("cannot be reached");
+	}
+
+bool RemoteSerializer::DoMessage()
+	{
+	if ( current_peer &&
+	     (current_peer->state == Peer::CLOSING ||
+	      current_peer->state == Peer::CLOSED) &&
+	     is_peer_msg(current_msgtype) )
+		{
+		// We shut the connection to this peer down,
+		// so we ignore all further messages.
+		DEBUG_COMM(fmt("parent: ignoring %s due to shutdown of peer #%d",
+					msgToStr(current_msgtype),
+					current_peer ? current_peer->id : 0));
+		return true;
+		}
+
+	DEBUG_COMM(fmt("parent: %s from child; peer is #%d",
+			msgToStr(current_msgtype),
+			current_peer ? current_peer->id : 0));
+
+	if ( current_peer &&
+	     (current_msgtype < 0 || current_msgtype > MSG_ID_MAX) )
+		{
+		Log(LogError, "garbage message from peer, shutting down",
+			current_peer);
+		CloseConnection(current_peer);
+		return true;
+		}
+
+	// As long as we haven't finished the version
+	// handshake, no other messages than MSG_VERSION
+	// are allowed from peer.
+	if ( current_peer && current_peer->phase == Peer::SETUP &&
+	     is_peer_msg(current_msgtype) && current_msgtype != MSG_VERSION )
+		{
+		Log(LogError, "peer did not send version", current_peer);
+		CloseConnection(current_peer);
+		return true;
+		}
+
+	switch ( current_msgtype ) {
+	case MSG_CLOSE:
+		PeerDisconnected(current_peer);
+		return true;
+
+	case MSG_CONNECTED:
+		return ProcessConnected();
+
+	case MSG_SERIAL:
+		return ProcessSerialization();
+
+	case MSG_REQUEST_EVENTS:
+		return ProcessRequestEventsMsg();
+
+	case MSG_REQUEST_SYNC:
+		return ProcessRequestSyncMsg();
+
+	case MSG_PHASE_DONE:
+		return ProcessPhaseDone();
+
+	case MSG_ERROR:
+		return ProcessLogMsg(true);
+
+	case MSG_LOG:
+		return ProcessLogMsg(false);
+
+	case MSG_STATS:
+		return ProcessStatsMsg();
+
+	case MSG_CAPTURE_FILTER:
+		return ProcessCaptureFilterMsg();
+
+	case MSG_VERSION:
+		return ProcessVersionMsg();
+
+	case MSG_PING:
+		return ProcessPingMsg();
+
+	case MSG_PONG:
+		return ProcessPongMsg();
+
+	case MSG_CAPS:
+		return ProcessCapsMsg();
+
+	case MSG_SYNC_POINT:
+		return ProcessSyncPointMsg();
+
+	case MSG_TERMINATE:
+		assert(terminating);
+		io_sources.Terminate();
+		return true;
+
+	case MSG_REMOTE_PRINT:
+		return ProcessRemotePrint();
+
+	default:
+		DEBUG_COMM(fmt("unexpected msg type: %d",
+					int(current_msgtype)));
+		InternalCommError(fmt("unexpected msg type in DoMessage(): %d",
+					int(current_msgtype)));
+		return true; // keep going
+	}
+
+	internal_error("cannot be reached");
+	return false;
+	}
+
+void RemoteSerializer::PeerDisconnected(Peer* peer)
+	{
+	assert(peer);
+
+	if ( peer->state == Peer::CLOSED || peer->state == Peer::INIT )
+		return;
+
+	if ( peer->state == Peer::PENDING )
+		{
+		peer->state = Peer::CLOSED;
+		Log(LogError, "could not connect", peer);
+		return;
+		}
+
+	Log(LogInfo, "peer disconnected", peer);
+
+	if ( peer->phase != Peer::SETUP )
+		RaiseEvent(remote_connection_closed, peer);
+
+	if ( in_sync == peer )
+		in_sync = 0;
+
+	peer->state = Peer::CLOSED;
+	peer->phase = Peer::UNKNOWN;
+	peer->cache_in->Clear();
+	peer->cache_out->Clear();
+	UnregisterHandlers(peer);
+	}
+
+void RemoteSerializer::PeerConnected(Peer* peer)
+	{
+	if ( peer->state == Peer::CONNECTED )
+		return;
+
+	peer->state = Peer::CONNECTED;
+	peer->phase = Peer::SETUP;
+	peer->sent_version = Peer::NONE;
+	peer->sync_requested = Peer::NONE;
+	peer->handshake_done = Peer::NONE;
+
+	peer->cache_in->Clear();
+	peer->cache_out->Clear();
+	peer->our_runtime = int(current_time(true) - bro_start_time);
+	peer->sync_point = 0;
+
+	if ( ! SendCMsgToChild(MSG_VERSION, peer) )
+		return;
+
+	int len = 4 * sizeof(uint32) + peer->our_class.size() + 1;
+	char* data = new char[len];
+	uint32* args = (uint32*) data;
+
+	*args++ = htonl(PROTOCOL_VERSION);
+	*args++ = htonl(peer->cache_out->GetMaxCacheSize());
+	*args++ = htonl(DATA_FORMAT_VERSION);
+	*args++ = htonl(peer->our_runtime);
+	strcpy((char*) args, peer->our_class.c_str());
+
+	ChunkedIO::Chunk* c = new ChunkedIO::Chunk;
+	c->len = len;
+	c->data = data;
+
+	if ( peer->our_class.size() )
+		Log(LogInfo, fmt("sending class \"%s\"", peer->our_class.c_str()), peer);
+
+	if ( ! SendToChild(c) )
+		{
+		Log(LogError, "can't send version message");
+		CloseConnection(peer);
+		return;
+		}
+
+	peer->sent_version |= Peer::WE;
+	Log(LogInfo, "peer connected", peer);
+	Log(LogInfo, "phase: version", peer);
+	}
+
+RecordVal* RemoteSerializer::MakePeerVal(Peer* peer)
+	{
+	RecordVal* v = new RecordVal(::peer);
+	v->Assign(0, new Val(uint32(peer->id), TYPE_COUNT));
+	// Sic! Network order for AddrVal, host order for PortVal.
+	v->Assign(1, new AddrVal(htonl(peer->ip)));
+	v->Assign(2, new PortVal(peer->port, TRANSPORT_TCP));
+	v->Assign(3, new Val(false, TYPE_BOOL));
+	v->Assign(4, new StringVal(""));	// set when received
+	v->Assign(5, peer->peer_class.size() ?
+			new StringVal(peer->peer_class.c_str()) : 0);
+	return v;
+	}
+
+RemoteSerializer::Peer* RemoteSerializer::AddPeer(uint32 ip, uint16 port,
+							PeerID id)
+	{
+	Peer* peer = new Peer;
+	peer->id = id != PEER_NONE ? id : id_counter++;
+	peer->ip = ip;
+	peer->port = port;
+	peer->state = Peer::INIT;
+	peer->phase = Peer::UNKNOWN;
+	peer->sent_version = Peer::NONE;
+	peer->sync_requested = Peer::NONE;
+	peer->handshake_done = Peer::NONE;
+	peer->orig = false;
+	peer->accept_state = false;
+	peer->send_state = false;
+	peer->caps = 0;
+	peer->comp_level = 0;
+	peer->suspended_processing = false;
+	peer->caps = 0;
+	peer->val = MakePeerVal(peer);
+	peer->cache_in = new SerializationCache(MAX_CACHE_SIZE);
+	peer->cache_out = new SerializationCache(MAX_CACHE_SIZE);
+	peer->sync_point = 0;
+	peer->print_buffer = 0;
+	peer->print_buffer_used = 0;
+
+	peers.append(peer);
+	Log(LogInfo, "added peer", peer);
+
+	return peer;
+	}
+
+void RemoteSerializer::UnregisterHandlers(Peer* peer)
+	{
+	// Unregister the peers for the EventHandlers.
+	loop_over_list(peer->handlers, i)
+		{
+		peer->handlers[i]->RemoveRemoteHandler(peer->id);
+		}
+	}
+
+void RemoteSerializer::RemovePeer(Peer* peer)
+	{
+	peers.remove(peer);
+	UnregisterHandlers(peer);
+
+	Log(LogInfo, "removed peer", peer);
+
+	int id = peer->id;
+	Unref(peer->val);
+	delete [] peer->print_buffer;
+	delete peer->cache_in;
+	delete peer->cache_out;
+	delete peer;
+
+	closed = ! IsActive();
+
+	if ( in_sync == peer )
+		in_sync = 0;
+	}
+
+RemoteSerializer::Peer* RemoteSerializer::LookupPeer(PeerID id,
+							bool only_if_connected)
+	{
+	Peer* peer = 0;
+	loop_over_list(peers, i)
+		if ( peers[i]->id == id )
+			{
+			peer = peers[i];
+			break;
+			}
+
+	if ( ! only_if_connected || (peer && peer->state == Peer::CONNECTED) )
+		return peer;
+	else
+		return 0;
+	}
+
+bool RemoteSerializer::ProcessVersionMsg()
+	{
+	uint32* args = (uint32*) current_args->data;
+	uint32 version = ntohl(args[0]);
+	uint32 data_version = ntohl(args[2]);
+
+	if ( PROTOCOL_VERSION != version )
+		{
+		Log(LogError, fmt("remote protocol version mismatch: got %d, but expected %d",
+				version, PROTOCOL_VERSION), current_peer);
+		CloseConnection(current_peer);
+		return true;
+		}
+
+	// For backwards compatibility, data_version may be null.
+	if ( data_version && DATA_FORMAT_VERSION != data_version )
+		{
+		Log(LogError, fmt("remote data version mismatch: got %d, but expected %d",
+				data_version, DATA_FORMAT_VERSION),
+				current_peer);
+		CloseConnection(current_peer);
+		return true;
+		}
+
+	uint32 cache_size = ntohl(args[1]);
+	current_peer->cache_in->SetMaxCacheSize(cache_size);
+	current_peer->runtime = ntohl(args[3]);
+
+	current_peer->sent_version |= Peer::PEER;
+
+	if ( current_args->len > 4 * sizeof(uint32) )
+		{
+		// The peer sends us a class string.
+		const char* pclass = (const char*) &args[4];
+		current_peer->peer_class = pclass;
+		if ( *pclass )
+			Log(LogInfo, fmt("peer sent class \"%s\"", pclass), current_peer);
+		if ( current_peer->val )
+			current_peer->val->Assign(5, new StringVal(pclass));
+		}
+
+	assert(current_peer->sent_version == Peer::BOTH);
+	current_peer->phase = Peer::HANDSHAKE;
+	Log(LogInfo, "phase: handshake", current_peer);
+
+	if ( ! SendCapabilities(current_peer) )
+		return false;
+
+	RaiseEvent(remote_connection_established, current_peer);
+
+	return true;
+	}
+
+bool RemoteSerializer::EnterPhaseRunning(Peer* peer)
+	{
+	if ( in_sync == peer )
+		in_sync = 0;
+
+	current_peer->phase = Peer::RUNNING;
+	Log(LogInfo, "phase: running", peer);
+
+	RaiseEvent(remote_connection_handshake_done, current_peer);
+
+	if ( remote_trace_sync_interval )
+		{
+		loop_over_list(peers, i)
+			{
+			if ( ! SendToChild(MSG_SYNC_POINT, peers[i],
+						1, current_sync_point) )
+				return false;
+			}
+		}
+
+	return true;
+	}
+
+bool RemoteSerializer::ProcessConnected()
+	{
+	// IP and port follow.
+	uint32* args = (uint32*) current_args->data;
+	uint32 host = ntohl(args[0]);	// ### Fix: only works for IPv4
+	uint16 port = (uint16) ntohl(args[1]);
+
+	if ( ! current_peer )
+		{
+		// The other side connected to one of our listening ports.
+		current_peer = AddPeer(host, port, current_id);
+		current_peer->orig = false;
+		}
+	else if ( current_peer->orig )
+		{
+		// It's a successful retry.
+		current_peer->port = port;
+		current_peer->accept_state = false;
+		Unref(current_peer->val);
+		current_peer->val = MakePeerVal(current_peer);
+		}
+
+	PeerConnected(current_peer);
+
+	ID* descr = global_scope()->Lookup("peer_description");
+	if ( ! descr )
+		internal_error("peer_description not defined");
+
+	SerialInfo info(this);
+	SendID(&info, current_peer, *descr);
+
+	return true;
+	}
+
+bool RemoteSerializer::ProcessRequestEventsMsg()
+	{
+	if ( ! current_peer )
+		return false;
+
+	// Register new handlers.
+	char* p = current_args->data;
+	while ( p < current_args->data + current_args->len )
+		{
+		EventHandler* handler = event_registry->Lookup(p);
+		if ( handler )
+			{
+			handler->AddRemoteHandler(current_peer->id);
+			current_peer->handlers.append(handler);
+			RaiseEvent(remote_event_registered, current_peer, p);
+			Log(LogInfo, fmt("registered for event %s", p),
+					current_peer);
+
+			// If the other side requested the print_hook event,
+			// we initialize the buffer.
+			if ( current_peer->print_buffer == 0 &&
+			     streq(p, "print_hook") )
+				{
+				current_peer->print_buffer =
+					new char[PRINT_BUFFER_SIZE];
+				current_peer->print_buffer_used = 0;
+				Log(LogInfo, "initialized print buffer",
+					current_peer);
+				}
+			}
+		else
+			Log(LogInfo, fmt("request for unknown event %s", p),
+					current_peer);
+
+		p += strlen(p) + 1;
+		}
+
+	return true;
+	}
+
+bool RemoteSerializer::ProcessRequestSyncMsg()
+	{
+	if ( ! current_peer )
+		return false;
+
+	int auth = 0;
+	uint32* args = (uint32*) current_args->data;
+	if ( ntohl(args[0]) != 0 )
+		{
+		Log(LogInfo, "peer considers its state authoritative", current_peer);
+		auth = Peer::AUTH_PEER;
+		}
+
+	current_peer->sync_requested |= Peer::PEER | auth;
+	return true;
+	}
+
+bool RemoteSerializer::ProcessPhaseDone()
+	{
+	switch ( current_peer->phase ) {
+	case Peer::HANDSHAKE:
+		{
+		current_peer->handshake_done |= Peer::PEER;
+
+		if ( current_peer->handshake_done == Peer::BOTH )
+			HandshakeDone(current_peer);
+		break;
+		}
+
+	case Peer::SYNC:
+		{
+		// Make sure that the other side is supposed to sent us this.
+		if ( current_peer->send_state )
+			{
+			Log(LogError, "unexpected phase_done in sync phase from peer", current_peer);
+			CloseConnection(current_peer);
+			return false;
+			}
+
+		if ( ! EnterPhaseRunning(current_peer) )
+			{
+			if ( current_peer->suspended_processing )
+				{
+				net_continue_processing();
+				current_peer->suspended_processing = false;
+				}
+
+			return false;
+			}
+
+		if ( current_peer->suspended_processing )
+			{
+			net_continue_processing();
+			current_peer->suspended_processing = false;
+			}
+
+		break;
+		}
+
+	default:
+		Log(LogError, "unexpected phase_done", current_peer);
+	    CloseConnection(current_peer);
+	}
+
+	return true;
+	}
+
+bool RemoteSerializer::HandshakeDone(Peer* peer)
+	{
+#ifdef HAVE_LIBZ
+	if ( peer->caps & Peer::COMPRESSION && peer->comp_level > 0 )
+		if ( ! SendToChild(MSG_COMPRESS, peer, 1, peer->comp_level) )
+			return false;
+#endif
+
+	if ( ! (current_peer->caps & Peer::PID_64BIT) )
+		Log(LogInfo, "peer does not support 64bit PIDs; using compatibility mode", current_peer);
+
+	if ( (current_peer->caps & Peer::NEW_CACHE_STRATEGY) )
+		Log(LogInfo, "peer supports keep-in-cache; using that",
+			current_peer);
+
+	if ( peer->sync_requested != Peer::NONE )
+		{
+		if ( in_sync )
+			{
+			Log(LogInfo, "another sync in progress, waiting...",
+					peer);
+			sync_pending.append(peer);
+			return true;
+			}
+
+		if ( (peer->sync_requested & Peer::AUTH_PEER) &&
+		     (peer->sync_requested & Peer::AUTH_WE) )
+			{
+			Log(LogError, "misconfiguration: authoritative state on both sides",
+				current_peer);
+			CloseConnection(current_peer);
+			return false;
+			}
+
+		in_sync = peer;
+		peer->phase = Peer::SYNC;
+
+		// If only one side has requested state synchronization,
+		// it will get all the state from the peer.
+		//
+		// If both sides have shown interest, the one considering
+		// itself authoritative will send the state.  If none is
+		// authoritative, the peer which is running longest sends
+		// its state.
+		//
+		if ( (peer->sync_requested & Peer::BOTH) != Peer::BOTH )
+			{
+			// One side.
+			if ( peer->sync_requested & Peer::PEER )
+				peer->send_state = true;
+			else if ( peer->sync_requested & Peer::WE )
+				peer->send_state = false;
+			else
+				internal_error("illegal sync_requested value");
+			}
+		else
+			{
+			// Both.
+			if ( peer->sync_requested & Peer::AUTH_WE )
+				peer->send_state = true;
+			else if ( peer->sync_requested & Peer::AUTH_PEER )
+				peer->send_state = false;
+			else
+				{
+				if ( peer->our_runtime == peer->runtime )
+					peer->send_state = peer->orig;
+				else
+					peer->send_state = (peer->our_runtime >
+								peer->runtime);
+				}
+			}
+
+		Log(LogInfo, fmt("phase: sync (%s)", (peer->send_state ? "sender" : "receiver")), peer);
+
+		if ( peer->send_state )
+			{
+			SerialInfo* info = new SerialInfo(this);
+			SendAllSynchronized(peer, info);
+			}
+
+		else
+			{
+			// Suspend until we got everything.
+			net_suspend_processing();
+			peer->suspended_processing = true;
+			}
+		}
+	else
+		return EnterPhaseRunning(peer);
+
+	return true;
+	}
+
+bool RemoteSerializer::ProcessPingMsg()
+	{
+	if ( ! current_peer )
+		return false;
+
+	if ( ! SendToChild(MSG_PONG, current_peer,
+				current_args->data, current_args->len) )
+		return false;
+
+	return true;
+	}
+
+bool RemoteSerializer::ProcessPongMsg()
+	{
+	if ( ! current_peer )
+		return false;
+
+	ping_args* args = (ping_args*) current_args->data;
+
+	val_list* vl = new val_list;
+	vl->append(current_peer->val->Ref());
+	vl->append(new Val((unsigned int) ntohl(args->seq), TYPE_COUNT));
+	vl->append(new Val(current_time(true) - ntohd(args->time1),
+				TYPE_INTERVAL));
+	vl->append(new Val(ntohd(args->time2), TYPE_INTERVAL));
+	vl->append(new Val(ntohd(args->time3), TYPE_INTERVAL));
+	mgr.QueueEvent(remote_pong, vl);
+	return true;
+	}
+
+bool RemoteSerializer::ProcessCapsMsg()
+	{
+	if ( ! current_peer )
+		return false;
+
+	uint32* args = (uint32*) current_args->data;
+	current_peer->caps = ntohl(args[0]);
+	return true;
+	}
+
+bool RemoteSerializer::ProcessLogMsg(bool is_error)
+	{
+	Log(is_error ? LogError : LogInfo, current_args->data, 0, LogChild);
+	return true;
+	}
+
+bool RemoteSerializer::ProcessStatsMsg()
+	{
+	// Take the opportunity to log our stats, too.
+	LogStats();
+
+	// Split the concatenated child stats into indiviual log messages.
+	int count = 0;
+	for ( char* p = current_args->data;
+	      p < current_args->data + current_args->len; p += strlen(p) + 1 )
+		Log(LogInfo, fmt("child statistics: [%d] %s", count++, p),
+				current_peer);
+
+	return true;
+	}
+
+bool RemoteSerializer::ProcessCaptureFilterMsg()
+	{
+	if ( ! current_peer )
+		return false;
+
+	RaiseEvent(remote_capture_filter, current_peer, current_args->data);
+	return true;
+	}
+
+bool RemoteSerializer::CheckSyncPoints()
+	{
+	if ( ! current_sync_point )
+		return false;
+
+	int ready = 0;
+
+	loop_over_list(peers, i)
+		if ( peers[i]->sync_point >= current_sync_point )
+			ready++;
+
+	if ( ready < remote_trace_sync_peers )
+		return false;
+
+	if ( current_sync_point == FINAL_SYNC_POINT )
+		{
+		Log(LogInfo, fmt("all peers reached final sync-point, going to finish"));
+		Terminate();
+		}
+	else
+		Log(LogInfo, fmt("all peers reached sync-point %u",
+					current_sync_point));
+
+	if ( syncing_times )
+		{
+		loop_over_list(peers, i)
+			{
+			if ( peers[i]->suspended_processing )
+				{
+				net_continue_processing();
+				peers[i]->suspended_processing = false;
+				}
+			}
+
+		syncing_times = false;
+		}
+
+	return true;
+	}
+
+bool RemoteSerializer::ProcessSyncPointMsg()
+	{
+	if ( ! current_peer )
+		return false;
+
+	uint32* args = (uint32*) current_args->data;
+	uint32 count = ntohl(args[0]);
+
+	current_peer->sync_point = max(current_peer->sync_point, count);
+
+	if ( current_peer->sync_point == FINAL_SYNC_POINT )
+		Log(LogInfo, fmt("reached final sync-point"), current_peer);
+	else
+		Log(LogInfo, fmt("reached sync-point %u", current_peer->sync_point), current_peer);
+
+	if ( syncing_times )
+		CheckSyncPoints();
+
+	return true;
+	}
+
+bool RemoteSerializer::ProcessSerialization()
+	{
+	if ( current_peer->state == Peer::CLOSING )
+		return false;
+
+	SetCache(current_peer->cache_in);
+	UnserialInfo info(this);
+
+	bool accept_state = current_peer->accept_state;
+
+#if 0
+	// If processing is suspended, we unserialize the data but throw
+	// it away.
+	if ( current_peer->phase == Peer::RUNNING &&
+	     net_is_processing_suspended() )
+		 accept_state = false;
+#endif
+
+	assert(current_args);
+	info.chunk = current_args;
+
+	info.install_globals = accept_state;
+	info.install_conns = accept_state;
+	info.ignore_callbacks = ! accept_state;
+
+	if ( current_peer->phase != Peer::RUNNING )
+		info.id_policy = UnserialInfo::InstantiateNew;
+	else
+		info.id_policy = accept_state ?
+					UnserialInfo::CopyNewToCurrent :
+					UnserialInfo::Keep;
+
+	if ( ! (current_peer->caps & Peer::PID_64BIT) ||
+	     current_peer->phase != Peer::RUNNING )
+		info.pid_32bit = true;
+
+	if ( (current_peer->caps & Peer::NEW_CACHE_STRATEGY) &&
+	     current_peer->phase == Peer::RUNNING )
+		info.new_cache_strategy = true;
+
+	if ( ! forward_remote_state_changes )
+		ignore_accesses = true;
+
+	source_peer = current_peer;
+	int i = Unserialize(&info);
+	source_peer = 0;
+
+	if ( ! forward_remote_state_changes )
+		ignore_accesses = false;
+
+	if ( i < 0 )
+		{
+		Log(LogError, "unserialization error", current_peer);
+		CloseConnection(current_peer);
+		// Error
+		return false;
+		}
+
+	return true;
+	}
+
+bool RemoteSerializer::FlushPrintBuffer(Peer* p)
+	{
+	if ( p->state == Peer::CLOSING )
+		return false;
+
+	if ( ! p->print_buffer )
+		return true;
+
+	SendToChild(MSG_REMOTE_PRINT, p, p->print_buffer, p->print_buffer_used);
+
+	p->print_buffer = new char[PRINT_BUFFER_SIZE];
+	p->print_buffer_used = 0;
+	return true;
+	}
+
+bool RemoteSerializer::SendPrintHookEvent(BroFile* f, const char* txt)
+	{
+	loop_over_list(peers, i)
+		{
+		Peer* p = peers[i];
+
+		if ( ! p->print_buffer )
+			continue;
+
+		const char* fname = f->Name();
+		if ( ! fname )
+			continue; // not a managed file.
+
+		int len = strlen(txt);
+
+		// We cut off everything after the max buffer size.  That
+		// makes the code a bit easier, and we shouldn't have such
+		// long lines anyway.
+		len = min(len, PRINT_BUFFER_SIZE - strlen(fname) - 2);
+
+		// If there's not enough space in the buffer, flush it.
+
+		int need = strlen(fname) + 1 + len + 1;
+		if ( p->print_buffer_used + need > PRINT_BUFFER_SIZE )
+			{
+			if ( ! FlushPrintBuffer(p) )
+				return false;
+			}
+
+		assert(p->print_buffer_used + need <= PRINT_BUFFER_SIZE);
+
+		char* dst = p->print_buffer + p->print_buffer_used;
+		strcpy(dst, fname);
+		dst += strlen(fname) + 1;
+		memcpy(dst, txt, len);
+		dst += len;
+		*dst++ = '\0';
+
+		p->print_buffer_used = dst - p->print_buffer;
+		}
+
+	return true;
+	}
+
+bool RemoteSerializer::ProcessRemotePrint()
+	{
+	if ( current_peer->state == Peer::CLOSING )
+		return false;
+
+	const char* p = current_args->data;
+	while ( p < current_args->data + current_args->len )
+		{
+		const char* fname = p;
+		p += strlen(p) + 1;
+		const char* txt = p;
+		p += strlen(p) + 1;
+
+		val_list* vl = new val_list(2);
+		BroFile* f = BroFile::GetFile(fname);
+		Ref(f);
+		vl->append(new Val(f));
+		vl->append(new StringVal(txt));
+		GotEvent("print_hook", -1.0, print_hook, vl);
+		}
+
+	return true;
+	}
+
+
+void RemoteSerializer::GotEvent(const char* name, double time,
+				EventHandlerPtr event, val_list* args)
+	{
+	if ( time >= 0 )
+		{
+		// Marker for being called from ProcessRemotePrint().
+		DEBUG_COMM("parent: got event");
+		++stats.events.in;
+		}
+
+	if ( ! current_peer )
+		{
+		Error("unserialized event from unknown peer");
+		return;
+		}
+
+	BufferedEvent* e = new BufferedEvent;
+
+	// Our time, not the time when the event was generated.
+	e->time = pkt_srcs.length() ?
+			time_t(network_time) : time_t(timer_mgr->Time());
+
+	e->src = current_peer->id;
+	e->handler = event;
+	e->args = args;
+
+	events.append(e);
+	}
+
+void RemoteSerializer::GotFunctionCall(const char* name, double time,
+					Func* function, val_list* args)
+	{
+	DEBUG_COMM("parent: got function call");
+	++stats.events.in;
+
+	if ( ! current_peer )
+		{
+		Error("unserialized function from unknown peer");
+		return;
+		}
+
+	function->Call(args);
+	}
+
+void RemoteSerializer::GotID(ID* id, Val* val)
+	{
+	++stats.ids.in;
+
+	if ( ! current_peer )
+		{
+		Error("unserialized id from unknown peer");
+		Unref(id);
+		return;
+		}
+
+	if ( current_peer->phase == Peer::HANDSHAKE &&
+	     streq(id->Name(), "peer_description") )
+		{
+		if ( val->Type()->Tag() != TYPE_STRING )
+			{
+			Error("peer_description not a string");
+			Unref(id);
+			return;
+			}
+
+		const char* desc = val->AsString()->CheckString();
+		current_peer->val->Assign(4, new StringVal(desc));
+
+		Log(LogInfo, fmt("peer_description is %s",
+					(desc && *desc) ? desc : "not set"),
+			current_peer);
+
+		Unref(id);
+		return;
+		}
+
+	if ( id->Name()[0] == '#' )
+		{
+		// This is a globally unique, non-user-visible ID.
+
+		// Only MutableVals can be bound to names starting with '#'.
+		assert(val->IsMutableVal());
+
+		// It must be already installed in the global namespace:
+		// either we saw it before, or MutableVal::Unserialize()
+		// installed it.
+		assert(global_scope()->Lookup(id->Name()));
+
+		// Only synchronized values can arrive here.
+		assert(((MutableVal*) val)->GetProperties() & MutableVal::SYNCHRONIZED);
+
+		DBG_LOG(DBG_COMM, "got ID %s from peer\n", id->Name());
+		}
+
+	Unref(id);
+	}
+
+void RemoteSerializer::GotConnection(Connection* c)
+	{
+	++stats.conns.in;
+
+	// Nothing else to-do.  Connection will be installed automatically
+	// (if allowed).
+
+	Unref(c);
+	}
+
+void RemoteSerializer::GotStateAccess(StateAccess* s)
+	{
+	++stats.accesses.in;
+
+	ODesc d;
+	DBG_LOG(DBG_COMM, "got StateAccess: %s", (s->Describe(&d), d.Description()));
+
+	if ( ! current_peer )
+		{
+		Error("unserialized function from unknown peer");
+		return;
+		}
+
+	if ( current_peer->sync_requested & Peer::WE )
+		s->Replay();
+
+	delete s;
+	}
+
+void RemoteSerializer::GotTimer(Timer* s)
+	{
+	run_time("RemoteSerializer::GotTimer not implemented");
+	}
+
+void RemoteSerializer::GotPacket(Packet* p)
+	{
+	++stats.packets.in;
+
+	BufferedPacket* bp = new BufferedPacket;
+	bp->time = time_t(timer_mgr->Time());
+	bp->p = p;
+	packets.append(bp);
+	}
+
+void RemoteSerializer::Log(LogLevel level, const char* msg)
+	{
+	Log(level, msg, 0, LogParent);
+	}
+
+void RemoteSerializer::Log(LogLevel level, const char* msg, Peer* peer,
+				LogSrc src)
+	{
+	const int BUFSIZE = 1024;
+	char buffer[BUFSIZE];
+
+	int len = 0;
+
+	if ( peer )
+		len += snprintf(buffer + len, sizeof(buffer) - len,
+				"[#%d/%s:%d] ", int(peer->id), ip2a(peer->ip),
+				peer->port);
+
+	len += safe_snprintf(buffer + len, sizeof(buffer) - len, "%s", msg);
+
+	val_list* vl = new val_list();
+	vl->append(new Val(level, TYPE_COUNT));
+	vl->append(new Val(src, TYPE_COUNT));
+	vl->append(new StringVal(buffer));
+	mgr.QueueEvent(remote_log, vl);
+
+	DEBUG_COMM(fmt("parent: %.6f %s", current_time(), buffer));
+	}
+
+void RemoteSerializer::RaiseEvent(EventHandlerPtr event, Peer* peer,
+					const char* arg)
+	{
+	val_list* vl = new val_list;
+
+	if ( peer )
+		{
+		Ref(peer->val);
+		vl->append(peer->val);
+		}
+	else
+		{
+		Val* v = mgr.GetLocalPeerVal();
+		v->Ref();
+		vl->append(v);
+		}
+
+	if ( arg )
+		vl->append(new StringVal(arg));
+
+	// If we only have remote sources, the network time
+	// will not increase as long as no peers are connected.
+	// Therefore, we send these events immediately.
+	mgr.Dispatch(new Event(event, vl, PEER_LOCAL));
+	}
+
+void RemoteSerializer::LogStats()
+	{
+	if ( ! io )
+		return;
+
+	char buffer[512];
+	io->Stats(buffer, 512);
+	Log(LogInfo, fmt("parent statistics: %s events=%lu/%lu operations=%lu/%lu",
+		buffer, stats.events.in, stats.events.out,
+		stats.accesses.in, stats.accesses.out));
+	}
+
+RecordVal* RemoteSerializer::GetPeerVal(PeerID id)
+	{
+	Peer* peer = LookupPeer(id, true);
+	if ( ! peer )
+		return 0;
+
+	Ref(peer->val);
+	return peer->val;
+	}
+
+void RemoteSerializer::ChildDied()
+	{
+	Log(LogError, "child died");
+	closed = true;
+	child_pid = 0;
+
+	// Shut down the main process as well.
+	terminate_processing();
+	}
+
+bool RemoteSerializer::SendCMsgToChild(char msg_type, Peer* peer)
+	{
+	if ( ! sendCMsg(io, msg_type, peer ? peer->id : PEER_NONE) )
+		{
+		warn(fmt("can't send message of type %d: %s",
+				msg_type, io->Error()));
+		return false;
+		}
+	return true;
+	}
+
+bool RemoteSerializer::SendToChild(char type, Peer* peer, char* str, int len)
+	{
+	DEBUG_COMM(fmt("parent: (->child) %s (#%d, %s)", msgToStr(type), peer ? peer->id : PEER_NONE, str));
+
+	if ( ! child_pid )
+		return false;
+
+	if ( sendToIO(io, type, peer ? peer->id : PEER_NONE, str, len) )
+		return true;
+
+	if ( io->Eof() )
+		ChildDied();
+
+	FatalError(io->Error());
+	return false;
+	}
+
+bool RemoteSerializer::SendToChild(char type, Peer* peer, int nargs, ...)
+	{
+	va_list ap;
+
+	if ( ! child_pid )
+		return false;
+
+#ifdef DEBUG
+	va_start(ap, nargs);
+	DEBUG_COMM(fmt("parent: (->child) %s (#%d,%s)",
+			msgToStr(type), peer ? peer->id : PEER_NONE, fmt_uint32s(nargs, ap)));
+	va_end(ap);
+#endif
+
+	va_start(ap, nargs);
+	bool ret = sendToIO(io, type, peer ? peer->id : PEER_NONE, nargs, ap);
+	va_end(ap);
+
+	if ( ret )
+		return true;
+
+	if ( io->Eof() )
+		ChildDied();
+
+	FatalError(io->Error());
+	return false;
+	}
+
+bool RemoteSerializer::SendToChild(ChunkedIO::Chunk* c)
+	{
+	DEBUG_COMM(fmt("parent: (->child) chunk of size %d", c->len));
+
+	if ( ! child_pid )
+		return false;
+
+	if ( sendToIO(io, c) )
+		return true;
+
+	if ( io->Eof() )
+		ChildDied();
+
+	FatalError(io->Error());
+	return false;
+	}
+
+void RemoteSerializer::FatalError(const char* msg)
+	{
+	msg = fmt("fatal error, shutting down communication: %s", msg);
+	Log(LogError, msg);
+	error(msg);
+
+	closed = true;
+	kill(child_pid, SIGQUIT);
+	child_pid = 0;
+	using_communication = false;
+	io->Clear();
+	}
+
+bool RemoteSerializer::IsActive()
+	{
+	if ( listening )
+		return true;
+
+	loop_over_list(peers, i)
+		if ( peers[i]->state == Peer::PENDING ||
+		     peers[i]->state == Peer::CONNECTED )
+			return true;
+
+	return false;
+	}
+
+
+const char* const* RemoteSerializer::GetBuiltins() const
+	{
+	static const char* builtins[] = { "connect", "listen", 0 };
+	return builtins;
+	}
+
+void RemoteSerializer::ReportError(const char* msg)
+	{
+	if ( current_peer && current_peer->phase != Peer::SETUP )
+		RaiseEvent(remote_connection_error, current_peer, msg);
+	Log(LogError, msg, current_peer);
+	}
+
+void RemoteSerializer::InternalCommError(const char* msg)
+	{
+#ifdef DEBUG_COMMUNICATION
+	DumpDebugData();
+#else
+	internal_error(msg);
+#endif
+	}
+
+#ifdef DEBUG_COMMUNICATION
+
+void RemoteSerializer::DumpDebugData()
+	{
+	Log(LogError, "dumping debug data and terminating ...");
+	io->DumpDebugData("comm-dump.parent", true);
+	io->DumpDebugData("comm-dump.parent", false);
+	SendToChild(MSG_DEBUG_DUMP, 0, 0);
+	Terminate();
+	}
+
+static ChunkedIO* openDump(const char* file)
+	{
+	int fd = open(file, O_RDONLY, 0600);
+
+	if ( fd < 0 )
+		{
+		fprintf(stderr, "cannot open %s: %s\n", file, strerror(errno));
+		return 0;
+		}
+
+	return new ChunkedIOFd(fd, "dump-file");
+	}
+
+void RemoteSerializer::ReadDumpAsMessageType(const char* file)
+	{
+	ChunkedIO* io = openDump(file);
+	if ( ! io )
+		return;
+
+	ChunkedIO::Chunk* chunk;
+
+	if ( ! io->Read(&chunk, true ) )
+		{
+		fprintf(stderr, "cannot read %s: %s\n", file, strerror(errno));
+		return;
+		}
+
+	CMsg* msg = (CMsg*) chunk->data;
+
+	delete [] chunk->data;
+	delete io;
+	}
+
+void RemoteSerializer::ReadDumpAsSerialization(const char* file)
+	{
+	FileSerializer s;
+	UnserialInfo info(&s);
+	info.print = stdout;
+	info.install_uniques = info.ignore_callbacks = true;
+	s.Read(&info, file, false);
+	}
+
+#endif
+
+////////////////////////////
+
+// If true (set by signal handler), we will log some stats to parent.
+static bool log_stats = false;
+static bool log_prof = false;
+
+// How often stats are sent (in seconds).
+// Perhaps we should make this configurable...
+const int STATS_INTERVAL = 60;
+
+static RETSIGTYPE sig_handler_log(int signo)
+	{
+	// SIGALRM is the only one we get.
+	log_stats = true;
+	}
+
+static RETSIGTYPE sig_handler_prof(int signo)
+	{
+	log_prof = true;
+	}
+
+SocketComm::SocketComm()
+	{
+	io = 0;
+
+	// We start the ID counter high so that IDs assigned by us
+	// (hopefully) don't conflict with those of our parent.
+	id_counter = 10000;
+	parent_peer = 0;
+	parent_msgstate = TYPE;
+	shutting_conns_down = false;
+	terminating = false;
+	killing = false;
+
+	listen_fd_clear = -1;
+	listen_fd_ssl = -1;
+	listen_next_try = 0;
+
+	// We don't want to use the signal handlers of our parent.
+	(void) setsignal(SIGTERM, SIG_DFL);
+	(void) setsignal(SIGINT, SIG_DFL);
+	(void) setsignal(SIGUSR1, SIG_DFL);
+	(void) setsignal(SIGUSR2, SIG_DFL);
+	(void) setsignal(SIGCONT, SIG_DFL);
+	(void) setsignal(SIGCHLD, SIG_DFL);
+
+	// Raping SIGPROF for profiling
+	(void) setsignal(SIGPROF, sig_handler_prof);
+	(void) setsignal(SIGALRM, sig_handler_log);
+	alarm(STATS_INTERVAL);
+	}
+
+SocketComm::~SocketComm()
+	{
+	loop_over_list(peers, i)
+		delete peers[i]->io;
+
+	delete io;
+	close(listen_fd_clear);
+	close(listen_fd_ssl);
+	}
+
+static unsigned int first_rtime = 0;
+
+void SocketComm::Run()
+	{
+	first_rtime = (unsigned int) current_time(true);
+
+	while ( true )
+		{
+		// Logging signaled?
+		if ( log_stats )
+			LogStats();
+
+		// Termination signaled
+		if ( terminating )
+			CheckFinished();
+
+		// Build FDSets for select.
+		fd_set fd_read, fd_write, fd_except;
+
+		FD_ZERO(&fd_read);
+		FD_ZERO(&fd_write);
+		FD_ZERO(&fd_except);
+
+		int max_fd = 0;
+
+		FD_SET(io->Fd(), &fd_read);
+		max_fd = io->Fd();
+
+		loop_over_list(peers, i)
+			{
+			if ( peers[i]->connected )
+				{
+				FD_SET(peers[i]->io->Fd(), &fd_read);
+				if ( peers[i]->io->Fd() > max_fd )
+					max_fd = peers[i]->io->Fd();
+				}
+			else
+				{
+				if ( peers[i]->next_try > 0 &&
+				     time(0) > peers[i]->next_try )
+					// Try reconnect.
+					Connect(peers[i]);
+				}
+			}
+
+		if ( listen_next_try && time(0) > listen_next_try  )
+			Listen(listen_if, listen_port, listen_ssl);
+
+		if ( listen_fd_clear >= 0 )
+			{
+			FD_SET(listen_fd_clear, &fd_read);
+			if ( listen_fd_clear > max_fd )
+				max_fd = listen_fd_clear;
+			}
+
+		if ( listen_fd_ssl >= 0 )
+			{
+			FD_SET(listen_fd_ssl, &fd_read);
+			if ( listen_fd_ssl > max_fd )
+				max_fd = listen_fd_ssl;
+			}
+
+		if ( io->IsFillingUp() && ! shutting_conns_down )
+			{
+			Error("queue to parent filling up; shutting down heaviest connection");
+
+			const ChunkedIO::Statistics* stats = 0;
+			unsigned long max = 0;
+			Peer* max_peer = 0;
+
+			loop_over_list(peers, i)
+				{
+				if ( ! peers[i]->connected )
+					continue;
+
+				stats = peers[i]->io->Stats();
+				if ( stats->bytes_read > max )
+					{
+					max = stats->bytes_read;
+					max_peer = peers[i];
+					}
+				}
+
+			if ( max_peer )
+				CloseConnection(max_peer, true);
+
+			shutting_conns_down = true;
+			}
+
+		if ( ! io->IsFillingUp() && shutting_conns_down )
+			shutting_conns_down = false;
+
+		// We cannot rely solely on select() as the there may
+		// be some data left in our input/output queues. So, we use
+		// a small timeout for select and check for data
+		// manually afterwards.
+
+		static long selects = 0;
+		static long canwrites = 0;
+		static long timeouts = 0;
+
+		++selects;
+		if ( io->CanWrite() )
+			++canwrites;
+
+		// FIXME: Fine-tune this (timeouts, flush, etc.)
+		struct timeval small_timeout;
+		small_timeout.tv_sec = 0;
+		small_timeout.tv_usec =
+			io->CanWrite() || io->CanRead() ? 10 : 10000;
+
+		int a = select(max_fd + 1, &fd_read, &fd_write, &fd_except,
+				&small_timeout);
+
+		if ( a == 0 )
+			++timeouts;
+
+		if ( selects % 100000 == 0 )
+			Log(fmt("selects=%ld canwrites=%ld timeouts=%ld", selects, canwrites, timeouts));
+
+		if ( a < 0 )
+			// Ignore errors for now.
+			continue;
+
+		if ( io->CanRead() )
+			ProcessParentMessage();
+
+		io->Flush();
+
+		loop_over_list(peers, j)
+			{
+			// We have to be careful here as the peer may
+			// be removed when an error occurs.
+			Peer* current = peers[j];
+			int round = 0;
+			while ( ++round <= 10 && j < peers.length() &&
+				peers[j] == current && current->connected &&
+				current->io->CanRead() )
+				{
+				ProcessRemoteMessage(current);
+				}
+			}
+
+		if ( listen_fd_clear >= 0 &&
+		     FD_ISSET(listen_fd_clear, &fd_read) )
+			AcceptConnection(listen_fd_clear);
+
+		if ( listen_fd_ssl >= 0 && FD_ISSET(listen_fd_ssl, &fd_read) )
+			AcceptConnection(listen_fd_ssl);
+
+		// Hack to display CPU usage of the child, triggered via
+		// SIGPROF.
+		static unsigned int first_rtime = 0;
+		if ( first_rtime == 0 )
+			first_rtime = (unsigned int) current_time(true);
+
+		if ( log_prof )
+			{
+			LogProf();
+			log_prof = false;
+			}
+		}
+	}
+
+bool SocketComm::ProcessParentMessage()
+	{
+	switch ( parent_msgstate ) {
+	case TYPE:
+		{
+		parent_peer = 0;
+		parent_msgtype = MSG_NONE;
+
+		// CMsg follows
+		ChunkedIO::Chunk* c;
+		if ( ! io->Read(&c) )
+			{
+			if ( io->Eof() )
+				Error("parent died", true);
+
+			Error(fmt("can't read parent's cmsg: %s",
+					io->Error()), true);
+			return false;
+			}
+
+		if ( ! c )
+			return true;
+
+		CMsg* msg = (CMsg*) c->data;
+		parent_peer = LookupPeer(msg->Peer(), false);
+		parent_id = msg->Peer();
+		parent_msgtype = msg->Type();
+		parent_args = 0;
+
+		delete [] c->data;
+		delete c;
+
+		switch ( parent_msgtype ) {
+		case MSG_LISTEN_STOP:
+		case MSG_CLOSE:
+		case MSG_CLOSE_ALL:
+		case MSG_TERMINATE:
+		case MSG_PHASE_DONE:
+		case MSG_DEBUG_DUMP:
+			{
+			// No further argument chunk.
+			parent_msgstate = TYPE;
+			return DoParentMessage();
+			}
+
+		case MSG_LISTEN:
+		case MSG_CONNECT_TO:
+		case MSG_COMPRESS:
+		case MSG_PING:
+		case MSG_PONG:
+		case MSG_REQUEST_EVENTS:
+		case MSG_REQUEST_SYNC:
+		case MSG_SERIAL:
+		case MSG_CAPTURE_FILTER:
+		case MSG_VERSION:
+		case MSG_CAPS:
+		case MSG_SYNC_POINT:
+		case MSG_REMOTE_PRINT:
+			{
+			// One further argument chunk.
+			parent_msgstate = ARGS;
+			return ProcessParentMessage();
+			}
+
+		default:
+			internal_error(fmt("unknown msg type %d", parent_msgtype));
+			return true;
+		}
+
+		internal_error("cannot be reached");
+		}
+
+	case ARGS:
+		{
+		// Argument chunk follows.
+		ChunkedIO::Chunk* c = 0;
+		READ_CHUNK(io, c, Error("parent died", true));
+		parent_args = c;
+		parent_msgstate = TYPE;
+		bool result = DoParentMessage();
+
+		if ( parent_args )
+			{
+			delete [] parent_args->data;
+			delete parent_args;
+			parent_args = 0;
+			}
+
+		return result;
+		}
+
+	default:
+		internal_error("unknown msgstate");
+	}
+
+	internal_error("cannot be reached");
+	}
+
+bool SocketComm::DoParentMessage()
+	{
+	switch ( parent_msgtype ) {
+
+	case MSG_LISTEN_STOP:
+		{
+		if ( listen_fd_ssl >= 0 )
+			close(listen_fd_ssl);
+
+		if ( listen_fd_clear >= 0 )
+			close(listen_fd_clear);
+
+		listen_fd_clear = listen_fd_ssl = -1;
+		Log("stopped listening");
+
+		return true;
+		}
+
+	case MSG_CLOSE:
+		{
+		if ( parent_peer && parent_peer->connected )
+			CloseConnection(parent_peer, false);
+		return true;
+		}
+
+	case MSG_CLOSE_ALL:
+		{
+		loop_over_list(peers, i)
+			{
+			if ( peers[i]->connected )
+				CloseConnection(peers[i], false);
+			}
+		return true;
+		}
+
+	case MSG_TERMINATE:
+		{
+		terminating = true;
+		CheckFinished();
+		return true;
+		}
+
+	case MSG_DEBUG_DUMP:
+		{
+#ifdef DEBUG_COMMUNICATION
+		io->DumpDebugData("comm-dump.child.pipe", true);
+		io->DumpDebugData("comm-dump.child.pipe", false);
+
+		loop_over_list(peers, j)
+			{
+			RemoteSerializer::PeerID id = peers[j]->id;
+			peers[j]->io->DumpDebugData(fmt("comm-dump.child.peer.%d", id), true);
+			peers[j]->io->DumpDebugData(fmt("comm-dump.child.peer.%d", id), false);
+			}
+#else
+		internal_error("DEBUG_DUMP support not compiled in");
+#endif
+		return true;
+		}
+
+	case MSG_PHASE_DONE:
+		{
+		// No argument block follows.
+		if ( parent_peer && parent_peer->connected )
+			{
+			DEBUG_COMM("child: forwarding with MSG_PHASE_DONE to peer");
+			if ( ! SendToPeer(parent_peer, MSG_PHASE_DONE, 0) )
+				return false;
+			}
+		return true;
+		}
+
+	case MSG_LISTEN:
+		return ProcessListen();
+
+	case MSG_CONNECT_TO:
+		return ProcessConnectTo();
+
+	case MSG_COMPRESS:
+		return ProcessParentCompress();
+
+	case MSG_PING:
+		{
+		// Set time2.
+		assert(parent_args);
+		ping_args* args = (ping_args*) parent_args->data;
+		args->time2 = htond(current_time(true));
+		return ForwardChunkToPeer();
+		}
+
+	case MSG_PONG:
+		{
+		assert(parent_args);
+		// Calculate time delta.
+		ping_args* args = (ping_args*) parent_args->data;
+		args->time3 = htond(current_time(true) - ntohd(args->time3));
+		return ForwardChunkToPeer();
+		}
+
+	case MSG_REQUEST_EVENTS:
+	case MSG_REQUEST_SYNC:
+	case MSG_SERIAL:
+	case MSG_CAPTURE_FILTER:
+	case MSG_VERSION:
+	case MSG_CAPS:
+	case MSG_SYNC_POINT:
+	case MSG_REMOTE_PRINT:
+		assert(parent_args);
+		return ForwardChunkToPeer();
+
+	default:
+		internal_error("ProcessParentMessage: unexpected state");
+	}
+
+	internal_error("cannot be reached");
+	}
+
+bool SocketComm::ForwardChunkToPeer()
+	{
+	char state = parent_msgtype;
+
+	if ( parent_peer && parent_peer->connected )
+		{
+		DEBUG_COMM("child: forwarding with 1 arg to peer");
+
+		if ( ! SendToPeer(parent_peer, state, 0) )
+			return false;
+
+		if ( ! SendToPeer(parent_peer, parent_args) )
+			return false;
+
+		parent_args = 0;
+		}
+	else
+		{
+#ifdef DEBUG
+		if ( parent_peer )
+			DEBUG_COMM(fmt("child: not connected to #%d", parent_id));
+#endif
+		}
+
+	return true;
+	}
+
+bool SocketComm::ProcessConnectTo()
+	{
+	assert(parent_args);
+	uint32* args = (uint32*) parent_args->data;
+
+	Peer* peer = new Peer;
+	peer->id = ntohl(args[0]);
+	peer->ip = ntohl(args[1]);
+	peer->port = ntohl(args[2]);
+	peer->retry = ntohl(args[3]);
+	peer->ssl = ntohl(args[4]);
+
+	Connect(peer);
+	return true;
+	}
+
+bool SocketComm::ProcessListen()
+	{
+	assert(parent_args);
+	uint32* args = (uint32*) parent_args->data;
+
+	uint32 addr = ntohl(args[0]);
+	uint16 port = uint16(ntohl(args[1]));
+	uint32 ssl = ntohl(args[2]);
+
+	return Listen(addr, port, ssl);
+	}
+
+bool SocketComm::ProcessParentCompress()
+	{
+#ifndef HAVE_LIBZ
+	internal_error("supposed to enable compression but don't have zlib");
+	return false;
+#else
+
+	assert(parent_args);
+	uint32* args = (uint32*) parent_args->data;
+
+	uint32 level = ntohl(args[0]);
+
+	if ( ! parent_peer->compressor )
+		{
+		parent_peer->io = new CompressedChunkedIO(parent_peer->io);
+		parent_peer->io->Init();
+		parent_peer->compressor = true;
+		}
+
+	// Signal compression to peer.
+	if ( ! SendToPeer(parent_peer, MSG_COMPRESS, 0) )
+		return false;
+
+	// This cast is safe.
+	CompressedChunkedIO* comp_io = (CompressedChunkedIO*) parent_peer->io;
+	comp_io->EnableCompression(level);
+
+	Log(fmt("enabling compression (level %d)", level), parent_peer);
+
+	return true;
+#endif
+	}
+
+bool SocketComm::ProcessRemoteMessage(SocketComm::Peer* peer)
+	{
+	assert(peer);
+
+	peer->io->Flush();
+
+	switch ( peer->state ) {
+	case MSG_NONE:
+		{ // CMsg follows
+		ChunkedIO::Chunk* c;
+		READ_CHUNK(peer->io, c,
+			(CloseConnection(peer, true), peer))
+
+		CMsg* msg = (CMsg*) c->data;
+
+		DEBUG_COMM(fmt("child: %s from peer #%d",
+				msgToStr(msg->Type()), peer->id));
+
+		switch ( msg->Type() ) {
+		case MSG_PHASE_DONE:
+			// No further argument block.
+			DEBUG_COMM("child: forwarding with 0 args to parent");
+			if ( ! SendToParent(msg->Type(), peer, 0) )
+				return false;
+			break;
+
+		default:
+			peer->state = msg->Type();
+		}
+
+		delete [] c->data;
+		delete c;
+
+		break;
+		}
+
+	case MSG_COMPRESS:
+		ProcessPeerCompress(peer);
+		break;
+
+	case MSG_PING:
+		{
+		// Messages with one further argument block which we simply
+		// forward to our parent.
+		ChunkedIO::Chunk* c;
+		READ_CHUNK(peer->io, c,
+			(CloseConnection(peer, true), peer))
+
+		// Set time3.
+		ping_args* args = (ping_args*) c->data;
+		args->time3 = htond(current_time(true));
+		return ForwardChunkToParent(peer, c);
+		}
+
+	case MSG_PONG:
+		{
+		// Messages with one further argument block which we simply
+		// forward to our parent.
+		ChunkedIO::Chunk* c;
+		READ_CHUNK(peer->io, c,
+			(CloseConnection(peer, true), peer))
+
+		// Calculate time delta.
+		ping_args* args = (ping_args*) c->data;
+		args->time2 = htond(current_time(true) - ntohd(args->time2));
+		return ForwardChunkToParent(peer, c);
+		}
+
+	case MSG_REQUEST_EVENTS:
+	case MSG_REQUEST_SYNC:
+	case MSG_SERIAL:
+	case MSG_CAPTURE_FILTER:
+	case MSG_VERSION:
+	case MSG_CAPS:
+	case MSG_SYNC_POINT:
+	case MSG_REMOTE_PRINT:
+		{
+		// Messages with one further argument block which we simply
+		// forward to our parent.
+		ChunkedIO::Chunk* c;
+		READ_CHUNK(peer->io, c,
+			(CloseConnection(peer, true), peer))
+
+		return ForwardChunkToParent(peer, c);
+		}
+
+	default:
+		internal_error("ProcessRemoteMessage: unexpected state");
+	}
+
+	return true;
+	}
+
+bool SocketComm::ForwardChunkToParent(Peer* peer, ChunkedIO::Chunk* c)
+	{
+	char state = peer->state;
+	peer->state = MSG_NONE;
+
+	DEBUG_COMM("child: forwarding message with 1 arg to parent");
+
+	if ( ! SendToParent(state, peer, 0) )
+		return false;
+
+	if ( ! SendToParent(c) )
+		return false;
+
+	io->Flush(); // FIXME: Needed?
+	return true;
+	}
+
+bool SocketComm::ProcessPeerCompress(Peer* peer)
+	{
+	peer->state = MSG_NONE;
+
+#ifndef HAVE_LIBZ
+	Error("peer compresses although we do not support it", peer);
+	return false;
+#else
+	if ( ! parent_peer->compressor )
+		{
+		parent_peer->io = new CompressedChunkedIO(parent_peer->io);
+		parent_peer->io->Init();
+		parent_peer->compressor = true;
+		}
+
+	// This cast is safe here.
+	((CompressedChunkedIO*) peer->io)->EnableDecompression();
+	Log("enabling decompression", peer);
+	return true;
+#endif
+	}
+
+bool SocketComm::Connect(Peer* peer)
+	{
+	struct sockaddr_in server;
+
+	int sockfd = socket(PF_INET, SOCK_STREAM, 0);
+	if ( sockfd < 0 )
+		{
+		Error(fmt("can't create socket, %s", strerror(errno)));
+		return false;
+		}
+
+	bzero(&server, sizeof(server));
+	server.sin_family = AF_INET;
+	server.sin_port = htons(peer->port);
+	server.sin_addr.s_addr = htonl(peer->ip);
+
+	bool connected = true;
+
+	if ( connect(sockfd, (sockaddr*) &server, sizeof(server)) < 0 )
+		{
+		Error(fmt("connect failed: %s", strerror(errno)), peer);
+		close(sockfd);
+		connected = false;
+		}
+
+	if ( ! (connected || peer->retry) )
+		{
+		CloseConnection(peer, false);
+		return false;
+		}
+
+	Peer* existing_peer = LookupPeer(peer->id, false);
+	if ( existing_peer )
+		{
+		*existing_peer = *peer;
+		peer = existing_peer;
+		}
+	else
+		peers.append(peer);
+
+	peer->connected = connected;
+	peer->next_try = connected ? 0 : time(0) + peer->retry;
+	peer->state = MSG_NONE;
+	peer->io = 0;
+	peer->compressor = false;
+
+	if ( connected )
+		{
+		if ( peer->ssl )
+			{
+#ifdef USE_OPENSSL
+			peer->io = new ChunkedIOSSL(sockfd, false);
+#else
+			run_time("SSL connection requested, but SSL support not compiled in");
+			CloseConnection(peer, false);
+			return 0;
+#endif
+			}
+		else
+			peer->io = new ChunkedIOFd(sockfd, "child->peer");
+
+		if ( ! peer->io->Init() )
+			{
+			Error(fmt("can't init peer io: %s",
+					peer->io->Error()), peer);
+			return 0;
+			}
+		}
+
+	if ( connected )
+		{
+		Log("connected", peer);
+		if ( ! SendToParent(MSG_CONNECTED, peer, 2, peer->ip, peer->port) )
+			return false;
+		}
+
+	return connected;
+	}
+
+bool SocketComm::CloseConnection(Peer* peer, bool reconnect)
+	{
+	if ( ! SendToParent(MSG_CLOSE, peer, 0) )
+		return false;
+
+	Log("connection closed", peer);
+
+	if ( ! peer->retry || ! reconnect )
+		{
+		peers.remove(peer);
+		delete peer->io; // This will close the fd.
+		delete peer;
+		}
+	else
+		{
+		delete peer->io; // This will close the fd.
+		peer->io = 0;
+		peer->connected = false;
+		peer->next_try = time(0) + peer->retry;
+		}
+
+	if ( parent_peer == peer )
+		{
+		parent_peer = 0;
+		parent_id = RemoteSerializer::PEER_NONE;
+		}
+
+	return true;
+	}
+
+bool SocketComm::Listen(uint32 ip, uint16 port, bool expect_ssl)
+	{
+	int* listen_fd = expect_ssl ? &listen_fd_ssl : &listen_fd_clear;
+
+	if ( *listen_fd >= 0 )
+		close(*listen_fd);
+
+	struct sockaddr_in server;
+
+	*listen_fd = socket(PF_INET, SOCK_STREAM, 0);
+	if ( *listen_fd < 0 )
+		{
+		Error(fmt("can't create listen socket, %s",
+				strerror(errno)));
+		return false;
+		}
+
+	// Set SO_REUSEADDR.
+	int turn_on = 1;
+	if ( setsockopt(*listen_fd, SOL_SOCKET, SO_REUSEADDR,
+			&turn_on, sizeof(turn_on)) < 0 )
+		{
+		Error(fmt("can't set SO_REUSEADDR, %s",
+				strerror(errno)));
+		return false;
+		}
+
+	bzero(&server, sizeof(server));
+	server.sin_family = AF_INET;
+	server.sin_port = htons(port);
+	server.sin_addr.s_addr = htonl(ip);
+
+	if ( bind(*listen_fd, (sockaddr*) &server, sizeof(server)) < 0 )
+		{
+		Error(fmt("can't bind to port %d, %s", port, strerror(errno)));
+		*listen_fd = -1;
+
+		if ( errno == EADDRINUSE )
+			{
+			listen_if = ip;
+			listen_port = port;
+			listen_ssl = expect_ssl;
+			// FIXME: Make this timeout configurable.
+			listen_next_try = time(0) + 30;
+			}
+		return false;
+		}
+
+	if ( listen(*listen_fd, 50) < 0 )
+		{
+		Error(fmt("can't listen, %s", strerror(errno)));
+		return false;
+		}
+
+	listen_next_try = 0;
+	Log(fmt("listening on %s:%d (%s)",
+		ip2a(ip), port, expect_ssl ? "ssl" : "clear"));
+	return true;
+	}
+
+bool SocketComm::AcceptConnection(int fd)
+	{
+	sockaddr_in client;
+	socklen_t len = sizeof(client);
+
+	int clientfd = accept(fd, (sockaddr*) &client, &len);
+	if ( clientfd < 0 )
+		{
+		Error(fmt("accept failed, %s %d",
+				strerror(errno), errno));
+		return false;
+		}
+
+	Peer* peer = new Peer;
+	peer->id = id_counter++;
+	peer->ip = ntohl(client.sin_addr.s_addr);
+	peer->port = ntohs(client.sin_port);
+	peer->connected = true;
+	peer->ssl = (fd == listen_fd_ssl);
+	peer->compressor = false;
+
+#ifdef USE_OPENSSL
+	if ( peer->ssl )
+		peer->io = new ChunkedIOSSL(clientfd, true);
+	else
+		peer->io = new ChunkedIOFd(clientfd, "child->peer");
+#else
+	assert(! peer->ssl);
+	peer->io = new ChunkedIOFd(clientfd, "child->peer");
+#endif
+
+	if ( ! peer->io->Init() )
+		{
+		Error(fmt("can't init peer io: %s",
+				  peer->io->Error()), peer);
+		return false;
+		}
+
+	peers.append(peer);
+
+	Log(fmt("accepted %s connection", peer->ssl ? "SSL" : "clear"), peer);
+
+	if ( ! SendToParent(MSG_CONNECTED, peer, 2, peer->ip, peer->port) )
+		return false;
+
+	return true;
+	}
+
+const char* SocketComm::MakeLogString(const char* msg, Peer* peer)
+	{
+	const int BUFSIZE = 1024;
+	static char* buffer = 0;
+
+	if ( ! buffer )
+		buffer = new char[BUFSIZE];
+
+	int len = 0;
+
+	if ( peer )
+		len = snprintf(buffer, BUFSIZE, "[#%d/%s:%d] ", int(peer->id),
+				ip2a(peer->ip), peer->port);
+
+	len += safe_snprintf(buffer + len, BUFSIZE - len, "%s", msg);
+	return buffer;
+	}
+
+void SocketComm::Error(const char* msg, bool kill_me)
+	{
+	if ( kill_me )
+		{
+		fprintf(stderr, "fatal error in child: %s\n", msg);
+		Kill();
+		}
+	else
+		{
+		if ( io->Eof() )
+			// Can't send to parent, so fall back to stderr.
+			fprintf(stderr, "error in child: %s", msg);
+		else
+			SendToParent(MSG_ERROR, 0, copy_string(msg));
+		}
+
+	DEBUG_COMM(fmt("child: %s", msg));
+	}
+
+bool SocketComm::Error(const char* msg, Peer* peer)
+	{
+	const char* buffer = MakeLogString(msg, peer);
+	Error(buffer);
+
+	// If a remote peer causes an error, we shutdown the connection
+	// as resynchronizing is in general not possible. But we may
+	// try again later.
+	if ( peer->connected )
+		CloseConnection(peer, true);
+
+	return true;
+	}
+
+void SocketComm::Log(const char* msg, Peer* peer)
+	{
+	const char* buffer = MakeLogString(msg, peer);
+	SendToParent(MSG_LOG, 0, copy_string(buffer));
+	DEBUG_COMM(fmt("child: %s", buffer));
+	}
+
+void SocketComm::Kill()
+	{
+	if ( killing )
+		// Ignore recursive calls.
+		return;
+
+	killing = true;
+
+	LogProf();
+	Log("terminating");
+
+	close(listen_fd_clear);
+	close(listen_fd_ssl);
+
+	kill(getpid(), SIGTERM);
+
+	while ( 1 )
+		; // loop until killed
+	}
+
+SocketComm::Peer* SocketComm::LookupPeer(RemoteSerializer::PeerID id,
+						bool only_if_connected)
+	{
+	loop_over_list(peers, i)
+		if ( peers[i]->id == id )
+			return ! only_if_connected ||
+				peers[i]->connected ? peers[i] : 0;
+	return 0;
+	}
+
+bool SocketComm::LogStats()
+	{
+	if ( ! peers.length() )
+		return true;
+
+	// Concat stats of all peers into single buffer.
+	char* buffer = new char[peers.length() * 512];
+	int pos = 0;
+
+	loop_over_list(peers, i)
+		{
+		if ( peers[i]->connected )
+			peers[i]->io->Stats(buffer+pos, 512);
+		else
+			strcpy(buffer+pos, "not connected");
+		pos += strlen(buffer+pos) + 1;
+		}
+
+	// Send it.
+	if ( ! SendToParent(MSG_STATS, 0, buffer, pos) )
+		return false;
+
+	log_stats = false;
+	alarm(STATS_INTERVAL);
+	return true;
+	}
+
+bool SocketComm::LogProf()
+	{
+	static struct rusage cld_res;
+	getrusage(RUSAGE_SELF, &cld_res);
+
+	double Utime = cld_res.ru_utime.tv_sec + cld_res.ru_utime.tv_usec / 1e6;
+	double Stime = cld_res.ru_stime.tv_sec + cld_res.ru_stime.tv_usec / 1e6;
+	double Rtime = current_time(true);
+
+	SocketComm::Log(fmt("CPU usage: user %.03f sys %.03f real %0.03f",
+				Utime, Stime, Rtime - first_rtime));
+
+	return true;
+	}
+
+void SocketComm::CheckFinished()
+	{
+	assert(terminating);
+
+	loop_over_list(peers, i)
+		{
+		if ( ! peers[i]->connected )
+			continue;
+		if ( ! peers[i]->io->IsIdle() )
+			return;
+		}
+
+	LogProf();
+	Log("terminating");
+
+	// All done.
+	SendToParent(MSG_TERMINATE, 0, 0);
+	}
+
+bool SocketComm::SendToParent(char type, Peer* peer, const char* str, int len)
+	{
+#ifdef DEBUG
+	// str  may already by constructed with fmt()
+	const char* tmp = copy_string(str);
+	DEBUG_COMM(fmt("child: (->parent) %s (#%d, %s)", msgToStr(type), peer ? peer->id : RemoteSerializer::PEER_NONE, tmp));
+	delete [] tmp;
+#endif
+	if ( sendToIO(io, type, peer ? peer->id : RemoteSerializer::PEER_NONE,
+			str, len) )
+		return true;
+
+	if ( io->Eof() )
+		Error("parent died", true);
+
+	return false;
+	}
+
+bool SocketComm::SendToParent(char type, Peer* peer, int nargs, ...)
+	{
+	va_list ap;
+
+#ifdef DEBUG
+	va_start(ap,nargs);
+	DEBUG_COMM(fmt("child: (->parent) %s (#%d,%s)", msgToStr(type), peer ? peer->id : RemoteSerializer::PEER_NONE, fmt_uint32s(nargs, ap)));
+	va_end(ap);
+#endif
+
+	va_start(ap, nargs);
+	bool ret = sendToIO(io, type,
+				peer ? peer->id : RemoteSerializer::PEER_NONE,
+				nargs, ap);
+	va_end(ap);
+
+	if ( ret )
+		return true;
+
+	if ( io->Eof() )
+		Error("parent died", true);
+
+	return false;
+	}
+
+bool SocketComm::SocketComm::SendToParent(ChunkedIO::Chunk* c)
+	{
+	DEBUG_COMM(fmt("child: (->parent) chunk of size %d", c->len));
+	if ( sendToIO(io, c) )
+		return true;
+
+	if ( io->Eof() )
+		Error("parent died", true);
+
+	return false;
+	}
+
+bool SocketComm::SendToPeer(Peer* peer, char type, const char* str, int len)
+	{
+#ifdef DEBUG
+	// str  may already by constructed with fmt()
+	const char* tmp = copy_string(str);
+	DEBUG_COMM(fmt("child: (->peer) %s to #%d (%s)", msgToStr(type), peer->id, tmp));
+	delete [] tmp;
+#endif
+
+	if ( ! sendToIO(peer->io, type, RemoteSerializer::PEER_NONE, str, len) )
+		{
+		Error(fmt("child: write error %s", io->Error()), peer);
+		return false;
+		}
+
+	return true;
+	}
+
+bool SocketComm::SendToPeer(Peer* peer, char type, int nargs, ...)
+	{
+	va_list ap;
+
+#ifdef DEBUG
+	va_start(ap,nargs);
+	DEBUG_COMM(fmt("child: (->peer) %s to #%d (%s)",
+			msgToStr(type), peer->id, fmt_uint32s(nargs, ap)));
+	va_end(ap);
+#endif
+
+	va_start(ap, nargs);
+	bool ret = sendToIO(peer->io, type, RemoteSerializer::PEER_NONE,
+				nargs, ap);
+	va_end(ap);
+
+	if ( ! ret )
+		{
+		Error(fmt("child: write error %s", io->Error()), peer);
+		return false;
+		}
+
+	return true;
+	}
+
+bool SocketComm::SendToPeer(Peer* peer, ChunkedIO::Chunk* c)
+	{
+	DEBUG_COMM(fmt("child: (->peer) chunk of size %d to #%d", c->len, peer->id));
+	if ( ! sendToIO(peer->io, c) )
+		{
+		Error(fmt("child: write error %s", io->Error()), peer);
+		return false;
+		}
+
+	return true;
+	}
diff --git a/src/RemoteSerializer.h b/src/RemoteSerializer.h
new file mode 100644
index 0000000000..a84a0619fa
--- /dev/null
+++ b/src/RemoteSerializer.h
@@ -0,0 +1,487 @@
+// $Id: RemoteSerializer.h 6951 2009-12-04 22:23:28Z vern $
+//
+// Communication between two Bro's.
+
+#ifndef REMOTE_SERIALIZER
+#define REMOTE_SERIALIZER
+
+#include "Dict.h"
+#include "List.h"
+#include "Serializer.h"
+#include "IOSource.h"
+#include "Stats.h"
+#include "File.h"
+
+// All IP arguments are in host byte-order.
+// FIXME: Change this to network byte order
+
+class IncrementalSendTimer;
+
+// This class handles the communication done in Bro's main loop.
+class RemoteSerializer : public Serializer, public IOSource {
+public:
+	RemoteSerializer();
+	virtual ~RemoteSerializer();
+
+	// Initialize the remote serializer (calling this will fork).
+	void Init();
+
+	// FIXME: Use SourceID directly (or rename everything to Peer*).
+	typedef SourceID PeerID;
+	static const PeerID PEER_LOCAL = SOURCE_LOCAL;
+	static const PeerID PEER_NONE = SOURCE_LOCAL;
+
+	// Connect to host (returns PEER_NONE on error).
+	PeerID Connect(addr_type ip, uint16 port, const char* our_class, double retry, bool use_ssl);
+
+	// Request all events matching pattern from remote side.
+	bool RequestEvents(PeerID peer, RE_Matcher* pattern);
+
+	// Request synchronization of IDs with remote side.  If auth is true,
+	// we consider our current state to authoritative and send it to
+	// the peer right after the handshake.
+	bool RequestSync(PeerID peer, bool auth);
+
+	// Sets flag whether we're accepting state from this peer
+	// (default: yes).
+	bool SetAcceptState(PeerID peer, bool accept);
+
+	// Sets compression level (0-9, 0 is defaults and means no compression)
+	bool SetCompressionLevel(PeerID peer, int level);
+
+	// Signal the other side that we have finished our part of
+	// the initial handshake.
+	bool CompleteHandshake(PeerID peer);
+
+	// Start to listen.
+	bool Listen(addr_type ip, uint16 port, bool expect_ssl);
+
+	// Stop it.
+	bool StopListening();
+
+	// Broadcast the event/function call.
+	bool SendCall(SerialInfo* info, const char* name, val_list* vl);
+
+	// Send the event/function call (only if handshake completed).
+	bool SendCall(SerialInfo* info, PeerID peer, const char* name, val_list* vl);
+
+	// Broadcasts the access (only if handshake completed).
+	bool SendAccess(SerialInfo* info, const StateAccess& access);
+
+	// Send the access.
+	bool SendAccess(SerialInfo* info, PeerID pid, const StateAccess& access);
+
+	// Sends ID.
+	bool SendID(SerialInfo* info, PeerID peer, const ID& id);
+
+	// Sends the internal connection state.
+	bool SendConnection(SerialInfo* info, PeerID peer, const Connection& c);
+
+	// Send capture filter.
+	bool SendCaptureFilter(PeerID peer, const char* filter);
+
+	// Send packet.
+	bool SendPacket(SerialInfo* info, PeerID peer, const Packet& p);
+
+	// Broadcast packet.
+	bool SendPacket(SerialInfo* info, const Packet& p);
+
+	// Broadcast ping.
+	bool SendPing(PeerID peer, uint32 seq);
+
+	// Broadcast remote print.
+	bool SendPrintHookEvent(BroFile* f, const char* txt);
+
+	// Synchronzizes time with all connected peers. Returns number of
+	// current sync-point, or -1 on error.
+	uint32 SendSyncPoint();
+	void SendFinalSyncPoint();
+
+	// Registers the ID to be &synchronized.
+	void Register(ID* id);
+	void Unregister(ID* id);
+
+	// Stop/restart propagating state updates.
+	void SuspendStateUpdates()	{ --propagate_accesses; }
+	void ResumeStateUpdates()	{ ++propagate_accesses; }
+
+	// Check for incoming events and queue them.
+	bool Poll(bool may_block);
+
+	// Returns the corresponding record (already ref'ed).
+	RecordVal* GetPeerVal(PeerID id);
+
+	// Log some statistics.
+	void LogStats();
+
+	// Return a 0-terminated array of built-in functions which,
+	// when referenced, trigger the remote serializer's initialization.
+	const char* const* GetBuiltins() const;
+
+	// Tries to sent out all remaining data.
+	// FIXME: Do we still need this?
+	void Finish();
+
+	// Overidden from IOSource:
+	virtual void GetFds(int* read, int* write, int* except);
+	virtual double NextTimestamp(double* local_network_time);
+	virtual void Process();
+	virtual TimerMgr::Tag* GetCurrentTag();
+	virtual const char* Tag()	{ return "RemoteSerializer"; }
+
+	// Gracefully finishes communication by first making sure that all
+	// remaining data (parent & child) has been sent out.
+	virtual bool Terminate();
+
+#ifdef DEBUG_COMMUNICATION
+	// Dump data recently read/written into files.
+	void DumpDebugData();
+
+	// Read dump file and interpret as message block.
+	void ReadDumpAsMessageType(const char* file);
+
+	// Read dump file and interpret as serialization.
+	void ReadDumpAsSerialization(const char* file);
+#endif
+
+	enum LogLevel { LogInfo = 1, LogError = 2, };
+	static void Log(LogLevel level, const char* msg);
+
+protected:
+	friend class PersistenceSerializer;
+	friend class IncrementalSendTimer;
+
+	// Maximum size of serialization caches.
+	static const unsigned int MAX_CACHE_SIZE = 3000;
+
+	// When syncing traces in pseudo-realtime mode, we wait this many
+	// seconds after the final sync-point to make sure that all
+	// remaining I/O gets propagated.
+	static const unsigned int FINAL_SYNC_POINT_DELAY = 5;
+
+	declare(PList, EventHandler);
+	typedef PList(EventHandler) handler_list;
+
+	struct Peer {
+		PeerID id; // Unique ID (non-zero) per peer.
+
+		// ### Fix: currently, we only work for IPv4.
+		// addr_type ip;
+		uint32 ip;
+
+		uint16 port;
+		handler_list handlers;
+		RecordVal* val;		// Record of type event_source.
+		SerializationCache* cache_in;	// One cache for each direction.
+		SerializationCache* cache_out;
+
+		// TCP-level state of the connection to the peer.
+		// State of the connection to the peer.
+		enum { INIT, PENDING, CONNECTED, CLOSING, CLOSED } state;
+
+		// Current protocol phase of the connection (see RemoteSerializer.cc)
+		enum { UNKNOWN, SETUP, HANDSHAKE, SYNC, RUNNING } phase;
+
+		// Capabilities.
+		static const int COMPRESSION = 1;
+		static const int NO_CACHING = 2;
+		static const int PID_64BIT = 4;
+		static const int NEW_CACHE_STRATEGY = 8;
+
+		// Constants to remember to who did something.
+		static const int NONE = 0;
+		static const int WE = 1;
+		static const int PEER = 2;
+		static const int BOTH = WE | PEER;
+
+		static const int AUTH_WE = 4;
+		static const int AUTH_PEER = 8;
+
+		int sent_version;	// Who has sent the VERSION.
+		int handshake_done;	// Who finished its handshake phase.
+		int sync_requested;	// Who requested sync'ed state.
+
+		bool orig;	// True if we connected to the peer.
+		bool accept_state;	// True if we accept state from peer.
+		bool send_state; // True if we're supposed to initially sent our state.
+		int comp_level; // Compression level.
+
+		// True if this peer triggered a net_suspend_processing().
+		bool suspended_processing;
+
+		uint32 caps;	// Capabilities announced by peer.
+		int runtime;	// Runtime we got from the peer.
+		int our_runtime;	// Our runtime as we told it to this peer.
+		string peer_class;	// Class from peer ("" = no class).
+		string our_class;	// Class we send the peer.
+		uint32 sync_point;	// Highest sync-point received so far
+		char* print_buffer;	// Buffer for remote print or null.
+		int print_buffer_used;	// Number of bytes used in buffer.
+	};
+
+	// Shuts down remote serializer.
+	void FatalError(const char* msg);
+
+	enum LogSrc { LogChild = 1, LogParent = 2, LogScript = 3, };
+
+	static void Log(LogLevel level, const char* msg, Peer* peer, LogSrc src = LogParent);
+
+	virtual void ReportError(const char* msg);
+
+	virtual void GotEvent(const char* name, double time,
+				EventHandlerPtr event, val_list* args);
+	virtual void GotFunctionCall(const char* name, double time,
+				Func* func, val_list* args);
+	virtual void GotID(ID* id, Val* val);
+	virtual void GotStateAccess(StateAccess* s);
+	virtual void GotTimer(Timer* t);
+	virtual void GotConnection(Connection* c);
+	virtual void GotPacket(Packet* packet);
+
+	void Fork();
+
+	bool DoMessage();
+	bool ProcessConnected();
+	bool ProcessSerialization();
+	bool ProcessRequestEventsMsg();
+	bool ProcessRequestSyncMsg();
+	bool ProcessVersionMsg();
+	bool ProcessLogMsg(bool is_error);
+	bool ProcessStatsMsg();
+	bool ProcessCaptureFilterMsg();
+	bool ProcessPhaseDone();
+	bool ProcessPingMsg();
+	bool ProcessPongMsg();
+	bool ProcessCapsMsg();
+	bool ProcessSyncPointMsg();
+	bool ProcessRemotePrint();
+
+	Peer* AddPeer(uint32 ip, uint16 port, PeerID id = PEER_NONE);
+	Peer* LookupPeer(PeerID id, bool only_if_connected);
+	void RemovePeer(Peer* peer);
+	bool IsConnectedPeer(PeerID id);
+	void PeerDisconnected(Peer* peer);
+	void PeerConnected(Peer* peer);
+	RecordVal* MakePeerVal(Peer* peer);
+	bool HandshakeDone(Peer* peer);
+	bool IsActive();
+	void SetupSerialInfo(SerialInfo* info, Peer* peer);
+	bool CheckSyncPoints();
+	void SendSyncPoint(uint32 syncpoint);
+	bool PropagateAccesses()
+		{
+		return ignore_accesses ?
+			propagate_accesses > 1 : propagate_accesses > 0;
+		}
+
+	bool CloseConnection(Peer* peer);
+
+	bool SendAllSynchronized(Peer* peer, SerialInfo* info);
+	bool SendCall(SerialInfo* info, Peer* peer, const char* name, val_list* vl);
+	bool SendAccess(SerialInfo* info, Peer* peer, const StateAccess& access);
+	bool SendID(SerialInfo* info, Peer* peer, const ID& id);
+	bool SendCapabilities(Peer* peer);
+	bool SendPacket(SerialInfo* info, Peer* peer, const Packet& p);
+
+	void UnregisterHandlers(Peer* peer);
+	void RaiseEvent(EventHandlerPtr event, Peer* peer, const char* arg = 0);
+	bool EnterPhaseRunning(Peer* peer);
+	bool FlushPrintBuffer(Peer* p);
+
+	void ChildDied();
+	void InternalCommError(const char* msg);
+
+	// Communication helpers
+	bool SendCMsgToChild(char msg_type, Peer* peer);
+	bool SendToChild(char type, Peer* peer, char* str, int len = -1);
+	bool SendToChild(char type, Peer* peer, int nargs, ...); // can send uints32 only
+	bool SendToChild(ChunkedIO::Chunk* c);
+
+private:
+	enum { TYPE, ARGS } msgstate;	// current state of reading comm.
+	Peer* current_peer;
+	PeerID current_id;
+	char current_msgtype;
+	ChunkedIO::Chunk* current_args;
+
+	id_list sync_ids;
+
+	// FIXME: Check which of these are necessary...
+	bool initialized;
+	bool listening;
+	int propagate_accesses;
+	bool ignore_accesses;
+	bool terminating;
+	Peer* source_peer;
+	PeerID id_counter;	// Keeps track of assigned IDs.
+	uint32 current_sync_point;
+	bool syncing_times;
+
+	declare(PList, Peer);
+	typedef PList(Peer) peer_list;
+	peer_list peers;
+
+	Peer* in_sync; // Peer we're currently syncing state with.
+	peer_list sync_pending; // List of peers waiting to sync state.
+
+	// Event buffer
+	struct BufferedEvent {
+		time_t time;
+		PeerID src;
+		EventHandlerPtr handler;
+		val_list* args;
+	};
+
+	declare(PList, BufferedEvent);
+	typedef PList(BufferedEvent) EventQueue;
+	EventQueue events;
+
+	// Packet buffer
+	struct BufferedPacket {
+		time_t time;
+		Packet* p;
+	};
+
+	declare(PList, BufferedPacket);
+	typedef PList(BufferedPacket) PacketQueue;
+	PacketQueue packets;
+
+	// Some stats
+	struct Statistics {
+		struct Pair {
+		Pair() : in(0), out(0)	{}
+			unsigned long in;
+			unsigned long out;
+			};
+
+		Pair events; // actually events and function calls
+		Pair accesses;
+		Pair conns;
+		Pair packets;
+		Pair ids;
+	} stats;
+
+};
+
+// This class handles the communication done in the forked child.
+class SocketComm {
+public:
+	SocketComm();
+	~SocketComm();
+
+	void SetParentIO(ChunkedIO* arg_io)	{ io = arg_io; }
+
+	void Run();	// does not return
+
+	// Log some statistics (via pipe to parent).
+	bool LogStats();
+
+	// Log CPU usage (again via pipe to parent).
+	bool LogProf();
+
+protected:
+	struct Peer {
+		Peer()
+			{
+			id = 0;
+			io = 0;
+			ip = 0;
+			port = 0;
+			state = 0;
+			connected = false;
+			ssl = false;
+			retry = 0;
+			next_try = 0;
+			compressor = false;
+			}
+
+		RemoteSerializer::PeerID id;
+		ChunkedIO* io;
+		uint32 ip;
+		uint16 port;
+		char state;
+		bool connected;
+		bool ssl;
+		// If we get disconnected, reconnect after this many seconds.
+		int retry;
+		// Time of next connection attempt (0 if none).
+		time_t next_try;
+		// True if io is a CompressedChunkedIO.
+		bool compressor;
+	};
+
+	bool Listen(uint32 ip, uint16 port, bool expect_ssl);
+	bool AcceptConnection(int listen_fd);
+	bool Connect(Peer* peer);
+	bool CloseConnection(Peer* peer, bool reconnect);
+
+	Peer* LookupPeer(RemoteSerializer::PeerID id, bool only_if_connected);
+
+	bool ProcessRemoteMessage(Peer* peer);
+	bool ProcessParentMessage();
+	bool DoParentMessage();
+
+	bool ProcessListen();
+	bool ProcessConnectTo();
+	bool ProcessCompress();
+
+	void Log(const char* msg, Peer* peer = 0);
+
+	// The connection to the peer will be closed.
+	bool Error(const char* msg, Peer* peer);
+
+	// If kill is true, this is a fatal error and we kill ourselves.
+	void Error(const char* msg, bool kill = false);
+
+	// Kill the current process.
+	void Kill();
+
+	// Check whether everything has been sent out.
+	void CheckFinished();
+
+	// Communication helpers.
+	bool SendToParent(char type, Peer* peer, const char* str, int len = -1);
+	bool SendToParent(char type, Peer* peer, int nargs, ...); // can send uints32 only
+	bool SendToParent(ChunkedIO::Chunk* c);
+	bool SendToPeer(Peer* peer, char type, const char* str, int len = -1);
+	bool SendToPeer(Peer* peer, char type, int nargs, ...); // can send uints32 only
+	bool SendToPeer(Peer* peer, ChunkedIO::Chunk* c);
+	bool ProcessParentCompress();
+	bool ProcessPeerCompress(Peer* peer);
+	bool ForwardChunkToParent(Peer* p, ChunkedIO::Chunk* c);
+	bool ForwardChunkToPeer();
+	const char* MakeLogString(const char* msg, Peer *peer);
+
+	// Peers we are communicating with:
+	declare(PList, Peer);
+	typedef PList(Peer) peer_list;
+
+	RemoteSerializer::PeerID id_counter;
+	peer_list peers;
+
+	ChunkedIO* io;	// I/O to parent
+
+	// Current state of reading from parent.
+	enum { TYPE, ARGS } parent_msgstate;
+	Peer* parent_peer;
+	RemoteSerializer::PeerID parent_id;
+	char parent_msgtype;
+	ChunkedIO::Chunk* parent_args;
+
+	int listen_fd_clear;
+	int listen_fd_ssl;
+
+	// If the port we're trying to bind to is already in use, we will retry
+	// it regularly.
+	uint32 listen_if;	// Fix: only supports IPv4
+	uint16 listen_port;
+	bool listen_ssl;
+	time_t listen_next_try;
+	bool shutting_conns_down;
+	bool terminating;
+	bool killing;
+};
+
+extern RemoteSerializer* remote_serializer;
+
+#endif
diff --git a/src/Rewriter.cc b/src/Rewriter.cc
new file mode 100644
index 0000000000..bfdb289de9
--- /dev/null
+++ b/src/Rewriter.cc
@@ -0,0 +1,35 @@
+// $Id:$
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "TCP_Rewriter.h"
+#include "UDP_Rewriter.h"
+
+// The following two are called from .bif's to obtain handle of Rewriter.
+Rewriter* get_trace_rewriter(Val* conn_val)
+	{
+	Connection* conn = (Connection*) conn_val->AsRecordVal()->GetOrigin();
+	return get_trace_rewriter(conn);
+	}
+
+Rewriter* get_trace_rewriter(Connection* conn)
+	{
+	if ( ! conn ||
+	     (conn->ConnTransport() != TRANSPORT_TCP &&
+	      conn->ConnTransport() != TRANSPORT_UDP) )
+		internal_error("connection for the trace rewriter does not exist");
+
+	Rewriter* rewriter = conn->TraceRewriter();
+	if ( rewriter )
+		return rewriter;
+
+	if ( ! transformed_pkt_dump )
+		return 0;	// okay if we don't have an output file
+
+	else if ( ! conn->RewritingTrace() )
+		builtin_run_time("flag rewriting_..._trace is not set properly");
+	else
+		internal_error("trace rewriter not initialized");
+
+	return 0;
+	}
diff --git a/src/Rewriter.h b/src/Rewriter.h
new file mode 100644
index 0000000000..91c36557ab
--- /dev/null
+++ b/src/Rewriter.h
@@ -0,0 +1,51 @@
+// $Id:$
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#ifndef rewriter_h
+#define rewriter_h
+
+class TracePacket;
+
+class Rewriter {
+public:
+	virtual ~Rewriter()	{};
+
+	virtual void Done()	{};
+
+	virtual void WriteData(int is_orig, int len, const u_char* data) = 0;
+	virtual void WriteData(int is_orig, const char* data) = 0;
+	virtual void WriteData(int is_orig, int len, const char* data) = 0;
+	virtual void WriteData(int is_orig, const BroString* str) = 0;
+
+	virtual void Push(int is_orig) = 0;
+
+	virtual void AbortPackets(int apply_to_future) = 0;
+	virtual void CommitPackets(int apply_to_future) = 0;
+
+	virtual unsigned int ReserveSlot() = 0;
+	virtual int SeekSlot(unsigned int slot) = 0;
+	virtual int ReturnFromSlot() = 0;
+	virtual int ReleaseSlot(unsigned int slot) = 0;
+
+	// Needed by all rewriters.
+	virtual TracePacket* CurrentPacket() const = 0;
+	virtual TracePacket* RewritePacket() const = 0;
+
+	// Whether to not anonymize client/server IP addresses.
+	virtual int LeaveAddrInTheClear(int is_orig) = 0;
+};
+
+extern Rewriter* get_trace_rewriter(Val* conn_val);
+extern Rewriter* get_trace_rewriter(Connection* conn);
+
+// This is the actual packet.
+class TracePacket {
+public:
+	virtual ~TracePacket()	{ }
+
+	virtual RecordVal* PacketVal() = 0;
+	virtual double TimeStamp() const = 0;
+};
+
+#endif
diff --git a/src/Rlogin.cc b/src/Rlogin.cc
new file mode 100644
index 0000000000..043baade7e
--- /dev/null
+++ b/src/Rlogin.cc
@@ -0,0 +1,249 @@
+// $Id: Rlogin.cc 6219 2008-10-01 05:39:07Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "config.h"
+
+#include "NetVar.h"
+#include "Event.h"
+#include "Rlogin.h"
+
+
+Contents_Rlogin_Analyzer::Contents_Rlogin_Analyzer(Connection* conn, bool orig, Rlogin_Analyzer* arg_analyzer)
+: ContentLine_Analyzer(AnalyzerTag::Contents_Rlogin, conn, orig)
+	{
+	num_bytes_to_scan = num_bytes_to_scan = 0;
+	analyzer = arg_analyzer;
+	peer = 0;
+
+	if ( orig )
+		state = save_state = RLOGIN_FIRST_NULL;
+	else
+		state = save_state = RLOGIN_SERVER_ACK;
+	}
+
+Contents_Rlogin_Analyzer::~Contents_Rlogin_Analyzer()
+	{
+	}
+
+void Contents_Rlogin_Analyzer::DoDeliver(int len, const u_char* data)
+	{
+	TCP_Analyzer* tcp = static_cast<TCP_ApplicationAnalyzer*>(Parent())->TCP();
+	assert(tcp);
+
+	int endp_state = IsOrig() ? tcp->OrigState() : tcp->RespState();
+
+	for ( ; len > 0; --len, ++data )
+		{
+		if ( offset >= buf_len )
+			InitBuffer(buf_len * 2);
+
+		unsigned int c = data[0];
+
+		switch ( state ) {
+		case RLOGIN_FIRST_NULL:
+			if ( endp_state == TCP_ENDPOINT_PARTIAL ||
+			     // We can be in closed if the data's due to
+			     // a dataful FIN being the first thing we see.
+			     endp_state == TCP_ENDPOINT_CLOSED )
+				{
+				state = RLOGIN_UNKNOWN;
+				++len, --data;	// put back c and reprocess
+				continue;
+				}
+
+			if ( c == '\0' )
+				state = RLOGIN_CLIENT_USER_NAME;
+			else
+				BadProlog();
+			break;
+
+		case RLOGIN_CLIENT_USER_NAME:
+		case RLOGIN_SERVER_USER_NAME:
+		case RLOGIN_TERMINAL_TYPE:
+			buf[offset++] = c;
+			if ( c == '\0' )
+				{
+				if ( state == RLOGIN_CLIENT_USER_NAME )
+					{
+					analyzer->ClientUserName((const char*) buf);
+					state = RLOGIN_SERVER_USER_NAME;
+					}
+
+				else if ( state == RLOGIN_SERVER_USER_NAME )
+					{
+					analyzer->ServerUserName((const char*) buf);
+					state = RLOGIN_TERMINAL_TYPE;
+					}
+
+				else if ( state == RLOGIN_TERMINAL_TYPE )
+					{
+					analyzer->TerminalType((const char*) buf);
+					state = RLOGIN_LINE_MODE;
+					}
+
+				offset = 0;
+				}
+			break;
+
+		case RLOGIN_SERVER_ACK:
+			if ( endp_state == TCP_ENDPOINT_PARTIAL ||
+			     // We can be in closed if the data's due to
+			     // a dataful FIN being the first thing we see.
+			     endp_state == TCP_ENDPOINT_CLOSED )
+				{
+				state = RLOGIN_UNKNOWN;
+				++len, --data;	// put back c and reprocess
+				continue;
+				}
+
+			if ( c == '\0' )
+				state = RLOGIN_LINE_MODE;
+			else
+				state = RLOGIN_PRESUMED_REJECTED;
+			break;
+
+		case RLOGIN_IN_BAND_CONTROL_FF2:
+			if ( c == 255 )
+				state = RLOGIN_WINDOW_CHANGE_S1;
+			else
+				{
+				// Put back the \ff that took us into
+				// this state.
+				buf[offset++] = 255;
+				state = save_state;
+				++len, --data;	// put back c and reprocess
+				continue;
+				}
+			break;
+
+		case RLOGIN_WINDOW_CHANGE_S1:
+		case RLOGIN_WINDOW_CHANGE_S2:
+			if ( c == 's' )
+				{
+				if ( state == RLOGIN_WINDOW_CHANGE_S1 )
+					state = RLOGIN_WINDOW_CHANGE_S2;
+				else
+					{
+					state = RLOGIN_WINDOW_CHANGE_REMAINDER;
+					num_bytes_to_scan = 8;
+					}
+				}
+			else
+				{ 
+				// Unknown control, or we're confused.
+				// Put back what we've consumed.
+				unsigned char buf[64];
+				int n = 0;
+				buf[n++] = '\xff';
+				buf[n++] = '\xff';
+
+				if ( state == RLOGIN_WINDOW_CHANGE_S2 )
+					buf[n++] = 's';
+
+				state = RLOGIN_UNKNOWN;
+
+				DoDeliver(n, buf);
+				}
+			break;
+
+		case RLOGIN_WINDOW_CHANGE_REMAINDER:
+			if ( --num_bytes_to_scan == 0 )
+				state = save_state;
+			break;
+
+		case RLOGIN_LINE_MODE:
+		case RLOGIN_UNKNOWN:
+		case RLOGIN_PRESUMED_REJECTED:
+			assert(peer);
+			if ( state == RLOGIN_LINE_MODE &&
+			     peer->state == RLOGIN_PRESUMED_REJECTED )
+				{
+				Conn()->Weird("rlogin_text_after_rejected");
+				state = RLOGIN_UNKNOWN;
+				}
+
+			if ( c == '\n' || c == '\r' ) // CR or LF (RFC 1282)
+				{
+				if ( c == '\n' && last_char == '\r' )
+					// Compress CRLF to just 1 termination.
+					;
+				else
+					{
+					buf[offset] = '\0';
+					ForwardStream(offset, buf, IsOrig()); \
+					offset = 0;
+					break;
+					}
+				}
+
+			else if ( c == 255 && IsOrig() &&
+				  state != RLOGIN_PRESUMED_REJECTED &&
+				  state != RLOGIN_UNKNOWN )
+				{
+				save_state = state;
+				state = RLOGIN_IN_BAND_CONTROL_FF2;
+				}
+
+			else
+				buf[offset++] = c;
+
+			last_char = c;
+			break;
+
+		default:
+			internal_error("bad state in Contents_Rlogin_Analyzer::DoDeliver");
+			break;
+		}
+		}
+	}
+
+void Contents_Rlogin_Analyzer::BadProlog()
+	{
+	Conn()->Weird("bad_rlogin_prolog");
+	state = RLOGIN_UNKNOWN;
+	}
+
+
+Rlogin_Analyzer::Rlogin_Analyzer(Connection* conn)
+: Login_Analyzer(AnalyzerTag::Rlogin, conn)
+	{
+	Contents_Rlogin_Analyzer* orig =
+		new Contents_Rlogin_Analyzer(conn, true, this);
+	Contents_Rlogin_Analyzer* resp =
+		new Contents_Rlogin_Analyzer(conn, false, this);
+
+	orig->SetPeer(resp);
+	resp->SetPeer(orig);
+
+	AddSupportAnalyzer(orig);
+	AddSupportAnalyzer(resp);
+	}
+
+void Rlogin_Analyzer::ClientUserName(const char* s)
+	{
+	if ( client_name )
+		internal_error("multiple rlogin client names");
+
+	client_name = new StringVal(s);
+	}
+
+void Rlogin_Analyzer::ServerUserName(const char* s)
+	{
+	++num_user_lines_seen;
+	++login_prompt_line;
+	AddUserText(s);
+	}
+
+void Rlogin_Analyzer::TerminalType(const char* s)
+	{
+	if ( login_terminal )
+		{
+		val_list* vl = new val_list;
+
+		vl->append(BuildConnVal());
+		vl->append(new StringVal(s));
+
+		ConnectionEvent(login_terminal, vl);
+		}
+	}
diff --git a/src/Rlogin.h b/src/Rlogin.h
new file mode 100644
index 0000000000..ae1946369c
--- /dev/null
+++ b/src/Rlogin.h
@@ -0,0 +1,75 @@
+// $Id: Rlogin.h 6219 2008-10-01 05:39:07Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#ifndef rlogin_h
+#define rlogin_h
+
+#include "Login.h"
+#include "ContentLine.h"
+
+typedef enum {
+	RLOGIN_FIRST_NULL,	// waiting to see first NUL
+	RLOGIN_CLIENT_USER_NAME,	// scanning client user name up to NUL
+	RLOGIN_SERVER_USER_NAME,	// scanning server user name up to NUL
+	RLOGIN_TERMINAL_TYPE,	// scanning terminal type & speed
+
+	RLOGIN_SERVER_ACK,	// waiting to see NUL from server to ack client
+
+	RLOGIN_IN_BAND_CONTROL_FF2,	// waiting to see the second FF
+
+	RLOGIN_WINDOW_CHANGE_S1,	// waiting to see the first 's'
+	RLOGIN_WINDOW_CHANGE_S2,	// waiting to see the second 's'
+	RLOGIN_WINDOW_CHANGE_REMAINDER,	// remaining "bytes_to_scan" bytes
+
+	RLOGIN_LINE_MODE,	// switch to line-oriented processing
+
+	RLOGIN_PRESUMED_REJECTED,	// apparently server said No Way
+
+	RLOGIN_UNKNOWN,	// we don't know what state we're in
+} rlogin_state;
+
+class Rlogin_Analyzer;
+
+class Contents_Rlogin_Analyzer : public ContentLine_Analyzer {
+public:
+	Contents_Rlogin_Analyzer(Connection* conn, bool orig,
+					Rlogin_Analyzer* analyzer);
+	~Contents_Rlogin_Analyzer();
+
+	void SetPeer(Contents_Rlogin_Analyzer* arg_peer)
+		{ peer = arg_peer; }
+
+	rlogin_state RloginState() const
+		{ return state; }
+
+protected:
+	void DoDeliver(int len, const u_char* data);
+	void BadProlog();
+
+	rlogin_state state, save_state;
+	int num_bytes_to_scan;
+
+	Contents_Rlogin_Analyzer* peer;
+	Rlogin_Analyzer* analyzer;
+};
+
+class Rlogin_Analyzer : public Login_Analyzer {
+public:
+	Rlogin_Analyzer(Connection* conn);
+
+	void ClientUserName(const char* s);
+	void ServerUserName(const char* s);
+	void TerminalType(const char* s);
+
+	static Analyzer* InstantiateAnalyzer(Connection* conn)
+		{ return new Rlogin_Analyzer(conn); }
+
+	static bool Available()
+		{
+		return login_failure || login_success ||
+			login_input_line || login_output_line;
+		}
+};
+
+#endif
diff --git a/src/Rule.cc b/src/Rule.cc
new file mode 100644
index 0000000000..f54a725320
--- /dev/null
+++ b/src/Rule.cc
@@ -0,0 +1,102 @@
+// $Id: Rule.cc 6914 2009-09-22 00:35:24Z vern $
+
+#include "config.h"
+
+#include "Rule.h"
+#include "RuleMatcher.h"
+
+// Start at one as we want search for this within a list,
+// and List's is_member returns zero for non-membership ...
+unsigned int Rule::rule_counter = 1;
+unsigned int Rule::pattern_counter = 0;
+rule_list Rule::rule_table;
+
+Rule::~Rule()
+	{
+	delete [] id;
+
+	loop_over_list(patterns, i)
+		{
+		delete [] patterns[i]->pattern;
+		delete patterns[i];
+		}
+
+	loop_over_list(hdr_tests, j)
+		delete hdr_tests[j];
+
+	loop_over_list(conditions, k)
+		delete conditions[k];
+
+	loop_over_list(actions, l)
+		delete actions[l];
+
+	loop_over_list(preconds, m)
+		{
+		delete [] preconds[m]->id;
+		delete preconds[m];
+		}
+	}
+
+const char* Rule::TypeToString(Rule::PatternType type)
+	{
+	static const char* labels[] = {
+		"Payload", "HTTP-REQUEST", "HTTP-REQUEST-BODY",
+		"HTTP-REQUEST-HEADER", "HTTP-REPLY-BODY",
+		"HTTP-REPLY-HEADER", "FTP", "Finger",
+	};
+	return labels[type];
+	}
+
+void Rule::PrintDebug()
+	{
+	fprintf(stderr, "Rule %s (%d) %s\n", id, idx, active ? "[active]" : "[disabled]");
+
+	loop_over_list(patterns, i)
+		{
+		fprintf(stderr, "	%-8s |%s| (%d) \n",
+			TypeToString(patterns[i]->type), patterns[i]->pattern,
+			patterns[i]->id);
+		}
+
+	loop_over_list(hdr_tests, j)
+		hdr_tests[j]->PrintDebug();
+
+	loop_over_list(conditions, k)
+		conditions[k]->PrintDebug();
+
+	loop_over_list(actions, l)
+		actions[l]->PrintDebug();
+
+	fputs("\n", stderr);
+	}
+
+void Rule::AddPattern(const char* str, Rule::PatternType type,
+			uint32 offset, uint32 depth)
+	{
+	Pattern* p = new Pattern;
+	p->pattern = copy_string(str);
+	p->type = type;
+	p->id = ++pattern_counter;
+	p->offset = offset;
+	p->depth = depth;
+	patterns.append(p);
+
+	rule_table.append(this);
+	}
+
+void Rule::AddRequires(const char* id, bool opposite_direction, bool negate)
+	{
+	Precond* p = new Precond;
+	p->id = copy_string(id);
+	p->rule = 0;
+	p->opposite_dir = opposite_direction;
+	p->negate = negate;
+
+	preconds.append(p);
+	}
+
+void Rule::SortHdrTests()
+	{
+	// FIXME: Do nothing for now - we may want to come up with
+	// something clever here.
+	}
diff --git a/src/Rule.h b/src/Rule.h
new file mode 100644
index 0000000000..e95dadc074
--- /dev/null
+++ b/src/Rule.h
@@ -0,0 +1,122 @@
+// $Id: Rule.h 6914 2009-09-22 00:35:24Z vern $
+
+#ifndef rule_h
+#define rule_h
+
+#include <limits.h>
+
+#include "Obj.h"
+#include "List.h"
+#include "Dict.h"
+#include "util.h"
+
+class RuleCondition;
+class RuleAction;
+class RuleHdrTest;
+
+class Rule;
+
+declare(PList, Rule);
+typedef PList(Rule) rule_list;
+
+declare(PDict, Rule);
+typedef PDict(Rule) rule_dict;
+
+class Rule {
+public:
+	Rule(const char* arg_id, const Location& arg_location)
+		{
+		id = copy_string(arg_id);
+		idx = rule_counter++;
+		location = arg_location;
+		active = true;
+		}
+
+	~Rule();
+
+	const char* ID() const		{ return id; }
+	unsigned int Index() const	{ return idx; }
+
+	enum PatternType {
+		PAYLOAD, HTTP_REQUEST, HTTP_REQUEST_BODY, HTTP_REQUEST_HEADER,
+		HTTP_REPLY_BODY, HTTP_REPLY_HEADER, FTP, FINGER, TYPES,
+	};
+
+	bool Active()	{ return active; }
+	void SetActiveStatus(bool new_status)	{ active = new_status; }
+	void AddAction(RuleAction* act)		{ actions.append(act); }
+	void AddCondition(RuleCondition* cond)	{ conditions.append(cond); }
+	void AddHdrTest(RuleHdrTest* hdr_test)	{ hdr_tests.append(hdr_test);	}
+	void AddPattern(const char* str, Rule::PatternType type,
+			uint32 offset = 0, uint32 depth = INT_MAX);
+	void AddRequires(const char* id, bool opposite_direction, bool negate);
+
+	const Location& GetLocation() const	{ return location; }
+
+	void PrintDebug();
+
+	static const char* TypeToString(Rule::PatternType type);
+
+private:
+	friend class RuleMatcher;
+
+	void SortHdrTests();
+
+	declare(PList, RuleAction);
+	typedef PList(RuleAction) rule_action_list;
+
+	declare(PList, RuleCondition);
+	typedef PList(RuleCondition) rule_condition_list;
+
+	declare(PList, RuleHdrTest);
+	typedef PList(RuleHdrTest) rule_hdr_test_list;
+
+	rule_hdr_test_list hdr_tests;
+	rule_condition_list conditions;
+	rule_action_list actions;
+
+	// Matching of this rule can depend on the state of other rules.
+	struct Precond {
+		const char* id;
+		Rule* rule;	// set by RuleMatcher
+		bool opposite_dir;	// if true, rule must match other dir.
+		bool negate;	// negate test
+	};
+
+	declare(PList, Precond);
+	typedef PList(Precond) precond_list;
+
+	precond_list preconds;
+	rule_list dependents;	// rules w/ us as a precondition
+				// (set by RuleMatcher)
+
+	const char* id;
+	unsigned int idx;	// unique index of this rule
+	bool active;	// set the active status of the rule, default true
+
+	struct Pattern {
+		char* pattern;	// the pattern itself
+		PatternType type;
+		int id;	// ID of pattern (for identifying it within regexps)
+		uint32 offset;
+		uint32 depth;
+	};
+
+	declare(PList, Pattern);
+	typedef PList(Pattern) pattern_list;
+	pattern_list patterns;
+
+	Rule* next;	// Linkage within RuleHdrTest tree:
+			// Ptr to next rule using the same RuleHdrTests
+
+	Location location;
+
+	// Rules and payloads are numbered individually.
+	static unsigned int rule_counter;
+	static unsigned int pattern_counter;
+
+	// Array of rules indexed by payloadid.
+	static rule_list rule_table;
+	};
+
+#endif
diff --git a/src/RuleAction.cc b/src/RuleAction.cc
new file mode 100644
index 0000000000..9fe807ffb2
--- /dev/null
+++ b/src/RuleAction.cc
@@ -0,0 +1,115 @@
+// $Id: RuleAction.cc 5906 2008-07-03 19:52:50Z vern $
+
+#include <string>
+using std::string;
+
+#include "config.h"
+
+#include "RuleAction.h"
+#include "RuleMatcher.h"
+#include "Conn.h"
+#include "Event.h"
+#include "NetVar.h"
+#include "DPM.h"
+#include "PIA.h"
+
+void RuleActionEvent::DoAction(const Rule* parent, RuleEndpointState* state,
+				const u_char* data, int len)
+	{
+	if ( signature_match )
+		{
+		val_list* vl = new val_list;
+		vl->append(rule_matcher->BuildRuleStateValue(parent, state));
+		vl->append(new StringVal(msg));
+
+		if ( data )
+			vl->append(new StringVal(len, (const char*)data));
+		else
+			vl->append(new StringVal(""));
+
+		mgr.QueueEvent(signature_match, vl);
+		}
+	}
+
+void RuleActionEvent::PrintDebug()
+	{
+	fprintf(stderr, "	RuleActionEvent: |%s|\n", msg);
+	}
+
+RuleActionDPM::RuleActionDPM(const char* arg_analyzer)
+	{
+	string str(arg_analyzer);
+	string::size_type pos = str.find(':');
+	string arg = str.substr(0, pos);
+	analyzer = Analyzer::GetTag(arg.c_str());
+
+	if ( pos != string::npos )
+		{
+		arg = str.substr(pos + 1);
+		child_analyzer = Analyzer::GetTag(arg.c_str());
+		}
+	else
+		child_analyzer = AnalyzerTag::Error;
+
+	if ( analyzer != AnalyzerTag::Error )
+		dpm->ActivateSigs();
+	}
+
+void RuleActionDPM::PrintDebug()
+	{
+	if ( child_analyzer == AnalyzerTag::Error )
+		fprintf(stderr, "|%s|\n", Analyzer::GetTagName(analyzer));
+	else
+		fprintf(stderr, "|%s:%s|\n",
+			Analyzer::GetTagName(analyzer),
+			Analyzer::GetTagName(child_analyzer));
+	}
+
+
+void RuleActionEnable::DoAction(const Rule* parent, RuleEndpointState* state,
+				const u_char* data, int len)
+	{
+	if ( ChildAnalyzer() == AnalyzerTag::Error )
+		{
+		if ( ! Analyzer::IsAvailable(Analyzer()) )
+			return;
+
+		if ( state->PIA() )
+			state->PIA()->ActivateAnalyzer(Analyzer(), parent);
+		}
+	else
+		{
+		if ( ! Analyzer::IsAvailable(ChildAnalyzer()) )
+			return;
+
+		// This is ugly and works only if there exists only one
+		// analyzer of each type.
+		state->PIA()->AsAnalyzer()->Conn()->FindAnalyzer(Analyzer())
+			->AddChildAnalyzer(ChildAnalyzer());
+		}
+	}
+
+void RuleActionEnable::PrintDebug()
+	{
+	fprintf(stderr, "  RuleActionEnable: ");
+	RuleActionDPM::PrintDebug();
+	}
+
+void RuleActionDisable::DoAction(const Rule* parent, RuleEndpointState* state,
+					const u_char* data, int len)
+	{
+	if ( ChildAnalyzer() == AnalyzerTag::Error )
+		{
+		if ( state->PIA() )
+			state->PIA()->DeactivateAnalyzer(Analyzer());
+		}
+	else
+		state->GetAnalyzer()->AddChildAnalyzer(
+			state->GetAnalyzer()->FindChild(ChildAnalyzer()));
+	}
+
+void RuleActionDisable::PrintDebug()
+	{
+	fprintf(stderr, "  RuleActionDisable: ");
+	RuleActionDPM::PrintDebug();
+	}
diff --git a/src/RuleAction.h b/src/RuleAction.h
new file mode 100644
index 0000000000..33d37bc6e2
--- /dev/null
+++ b/src/RuleAction.h
@@ -0,0 +1,80 @@
+// $Id: RuleAction.h 5880 2008-06-30 17:42:45Z vern $
+
+#ifndef ruleaction_h
+#define ruleaction_h
+
+#include "AnalyzerTags.h"
+#include "BroString.h"
+#include "List.h"
+#include "util.h"
+
+class Rule;
+class RuleEndpointState;
+
+// Base class of all rule actions.
+class RuleAction {
+public:
+	RuleAction()	{ }
+	virtual ~RuleAction()	{ }
+
+	virtual void DoAction(const Rule* parent, RuleEndpointState* state,
+				const u_char* data, int len) = 0;
+	virtual void PrintDebug() = 0;
+};
+
+// Implements the "event" keyword.
+class RuleActionEvent : public RuleAction {
+public:
+	RuleActionEvent(const char* arg_msg)	{ msg = copy_string(arg_msg); }
+	virtual ~RuleActionEvent()	{ delete [] msg; }
+
+	virtual void DoAction(const Rule* parent, RuleEndpointState* state,
+				const u_char* data, int len);
+
+	virtual void PrintDebug();
+
+private:
+	const char* msg;
+};
+
+// Base class for DPM enable/disable actions.
+class RuleActionDPM : public RuleAction {
+public:
+	RuleActionDPM(const char* analyzer);
+
+	virtual void DoAction(const Rule* parent, RuleEndpointState* state,
+			      const u_char* data, int len) = 0;
+
+	virtual void PrintDebug();
+
+	AnalyzerTag::Tag Analyzer() const { return analyzer; }
+	AnalyzerTag::Tag ChildAnalyzer() const { return child_analyzer; }
+
+private:
+	// FIXME: This is in fact an AnalyzerID but we can't include "Analyzer.h"
+	// at this point due to circular dependenides. Fix that!
+	AnalyzerTag::Tag analyzer;
+	AnalyzerTag::Tag child_analyzer;
+};
+
+class RuleActionEnable : public RuleActionDPM {
+public:
+	RuleActionEnable(const char* analyzer) : RuleActionDPM(analyzer)	{}
+
+	virtual void DoAction(const Rule* parent, RuleEndpointState* state,
+				const u_char* data, int len);
+
+	virtual void PrintDebug();
+};
+
+class RuleActionDisable : public RuleActionDPM {
+public:
+	RuleActionDisable(const char* analyzer) : RuleActionDPM(analyzer)	{}
+
+	virtual void DoAction(const Rule* parent, RuleEndpointState* state,
+				const u_char* data, int len);
+
+	virtual void PrintDebug();
+};
+
+#endif
diff --git a/src/RuleCondition.cc b/src/RuleCondition.cc
new file mode 100644
index 0000000000..9067b39fb9
--- /dev/null
+++ b/src/RuleCondition.cc
@@ -0,0 +1,165 @@
+// $Id: RuleCondition.cc 6008 2008-07-23 00:24:22Z vern $
+
+#include "config.h"
+
+#include "RuleCondition.h"
+#include "TCP.h"
+#include "Scope.h"
+
+static inline bool is_established(const TCP_Endpoint* e)
+	{
+	// We more or less follow Snort here: an established session
+	// is one for which the initial handshake has succeded (but we
+	// add partial connections).  The connection tear-down is part
+	// of the connection.
+	return e->state != TCP_ENDPOINT_INACTIVE &&
+	       e->state != TCP_ENDPOINT_SYN_SENT &&
+	       e->state != TCP_ENDPOINT_SYN_ACK_SENT;
+	}
+
+bool RuleConditionTCPState::DoMatch(Rule* rule, RuleEndpointState* state,
+					const u_char* data, int len)
+	{
+	Analyzer* root = state->GetAnalyzer()->Conn()->GetRootAnalyzer();
+
+	if ( ! root || root->GetTag() != AnalyzerTag::TCP )
+		return false;
+
+	TCP_Analyzer* ta = static_cast<TCP_Analyzer*>(root);
+
+	if ( tcpstates & STATE_STATELESS )
+		return true;
+
+	if ( (tcpstates & STATE_ORIG) && ! state->IsOrig() )
+		return false;
+
+	if ( (tcpstates & STATE_RESP) && state->IsOrig() )
+		return false;
+
+	if ( (tcpstates & STATE_ESTABLISHED ) &&
+		! (is_established(ta->Orig()) &&
+		   is_established(ta->Resp())))
+		return false;
+
+	return true;
+	}
+
+void RuleConditionTCPState::PrintDebug()
+	{
+	fprintf(stderr, "	RuleConditionTCPState: 0x%x\n", tcpstates);
+	}
+
+void RuleConditionIPOptions::PrintDebug()
+	{
+	fprintf(stderr, "	RuleConditionIPOptions: 0x%x\n", options);
+	}
+
+bool RuleConditionIPOptions::DoMatch(Rule* rule, RuleEndpointState* state,
+					const u_char* data, int len)
+	{
+	// FIXME: Not implemented yet
+	return false;
+	}
+
+void RuleConditionSameIP::PrintDebug()
+	{
+	fprintf(stderr, "	RuleConditionSameIP\n");
+	}
+
+bool RuleConditionSameIP::DoMatch(Rule* rule, RuleEndpointState* state,
+					const u_char* data, int len)
+	{
+	return state->GetAnalyzer()->Conn()->OrigAddr() ==
+		state->GetAnalyzer()->Conn()->RespAddr();
+	}
+
+void RuleConditionPayloadSize::PrintDebug()
+	{
+	fprintf(stderr, "	RuleConditionPayloadSize %d\n", val);
+	}
+
+bool RuleConditionPayloadSize::DoMatch(Rule* rule, RuleEndpointState* state,
+					const u_char* data, int len)
+	{
+#ifdef MATCHER_PRINT_DEBUG
+	fprintf(stderr, "%.06f PayloadSize check: val = %d, payload_size = %d\n",
+		network_time, val, state->PayloadSize());
+#endif
+
+	if ( state->PayloadSize() < 0 )
+		// The size has not been set yet, i.e. we're matching
+		// on the pure rules now.
+		return false;
+
+	uint32 payload_size = uint32(state->PayloadSize());
+
+	switch ( comp ) {
+	case RULE_EQ:
+		return payload_size == val;
+
+	case RULE_NE:
+		return payload_size != val;
+
+	case RULE_LT:
+		return payload_size < val;
+
+	case RULE_GT:
+		return payload_size > val;
+
+	case RULE_LE:
+		return payload_size <= val;
+
+	case RULE_GE:
+		return payload_size >= val;
+
+	default:
+		internal_error("unknown comparision type");
+	}
+
+	// Should not be reached
+	return false;
+	}
+
+RuleConditionEval::RuleConditionEval(const char* func)
+	{
+	id = global_scope()->Lookup(func);
+	if ( ! id )
+		{
+		rules_error("unknown identifier", func);
+		return;
+		}
+	}
+
+bool RuleConditionEval::DoMatch(Rule* rule, RuleEndpointState* state,
+					const u_char* data, int len)
+	{
+	if ( ! id->HasVal() )
+		{
+		run_time("undefined value");
+		return false;
+		}
+
+	if ( id->Type()->Tag() != TYPE_FUNC )
+		return id->ID_Val()->AsBool();
+
+	// Call function with a signature_state value as argument.
+	val_list args;
+	args.append(rule_matcher->BuildRuleStateValue(rule, state));
+
+	if ( data )
+		args.append(new StringVal(len, (const char*) data));
+	else
+		args.append(new StringVal(""));
+
+	Val* val = id->ID_Val()->AsFunc()->Call(&args);
+	bool result = val->AsBool();
+	Unref(val);
+
+	return result;
+	}
+
+void RuleConditionEval::PrintDebug()
+	{
+	fprintf(stderr, "	RuleConditionEval: %s\n", id->Name());
+	}
+
diff --git a/src/RuleCondition.h b/src/RuleCondition.h
new file mode 100644
index 0000000000..a092543d62
--- /dev/null
+++ b/src/RuleCondition.h
@@ -0,0 +1,121 @@
+// $Id: RuleCondition.h 80 2004-07-14 20:15:50Z jason $
+
+#ifndef rulecondition_h
+#define rulecondition_h
+
+#include "BroString.h"
+#include "Func.h"
+#include "List.h"
+#include "util.h"
+
+class Rule;
+class RuleEndpointState;
+
+// Base class for all rule conditions except patterns and "header".
+class RuleCondition {
+public:
+	RuleCondition()	{ }
+	virtual ~RuleCondition()	{ }
+
+	virtual bool DoMatch(Rule* rule, RuleEndpointState* state,
+				const u_char* data, int len) = 0;
+
+	virtual void PrintDebug() = 0;
+};
+
+// Implements the "tcp-state" keyword.
+class RuleConditionTCPState : public RuleCondition {
+public:
+	enum TCPState {
+		STATE_ESTABLISHED = 1,
+		STATE_ORIG = 2,
+		STATE_RESP = 4,
+		STATE_STATELESS = 8
+	};
+
+	RuleConditionTCPState(int arg_tcpstates)
+		{ tcpstates = arg_tcpstates; }
+
+	virtual ~RuleConditionTCPState()	{ }
+
+	virtual bool DoMatch(Rule* rule, RuleEndpointState* state,
+				const u_char* data, int len);
+
+	virtual void PrintDebug();
+
+private:
+	int tcpstates;
+};
+
+
+// Implements "ip-options".
+class RuleConditionIPOptions : public RuleCondition {
+public:
+	enum Options {
+		OPT_LSRR = 1,
+		OPT_LSRRE = 2,
+		OPT_RR = 4,
+		OPT_SSRR = 8,
+	};
+
+	RuleConditionIPOptions(int arg_options)	{ options = arg_options; }
+	virtual ~RuleConditionIPOptions()	{ }
+
+	virtual bool DoMatch(Rule* rule, RuleEndpointState* state,
+				const u_char* data, int len);
+
+	virtual void PrintDebug();
+
+private:
+	int options;
+};
+
+// Implements "same-ip".
+class RuleConditionSameIP : public RuleCondition {
+public:
+	RuleConditionSameIP()	{ }
+	virtual ~RuleConditionSameIP()	{}
+
+	virtual bool DoMatch(Rule* rule, RuleEndpointState* state,
+				const u_char* data, int len);
+
+	virtual void PrintDebug();
+};
+
+// Implements "payload-size".
+class RuleConditionPayloadSize : public RuleCondition {
+public:
+	enum Comp { RULE_LE, RULE_GE, RULE_LT, RULE_GT, RULE_EQ, RULE_NE };
+
+	RuleConditionPayloadSize(uint32 arg_val, Comp arg_comp)
+		{ val = arg_val; comp = arg_comp; }
+
+	virtual ~RuleConditionPayloadSize()	{}
+
+	virtual bool DoMatch(Rule* rule, RuleEndpointState* state,
+				const u_char* data, int len);
+
+	virtual void PrintDebug();
+
+private:
+	uint32 val;
+	Comp comp;
+};
+
+// Implements "eval" which evaluates the given Bro identifier.
+class RuleConditionEval : public RuleCondition {
+public:
+	RuleConditionEval(const char* func);
+	virtual ~RuleConditionEval() {}
+
+	virtual bool DoMatch(Rule* rule, RuleEndpointState* state,
+				const u_char* data, int len);
+
+	virtual void PrintDebug();
+private:
+	ID* id;
+};
+
+
+
+#endif
diff --git a/src/RuleMatcher.cc b/src/RuleMatcher.cc
new file mode 100644
index 0000000000..02eef0aad9
--- /dev/null
+++ b/src/RuleMatcher.cc
@@ -0,0 +1,1235 @@
+// $Id: RuleMatcher.cc 6724 2009-06-07 09:23:03Z vern $
+
+#include "config.h"
+
+#include "Analyzer.h"
+#include "RuleMatcher.h"
+#include "DFA.h"
+#include "NetVar.h"
+#include "Scope.h"
+#include "File.h"
+
+// FIXME: Things that are not fully implemented/working yet:
+//
+//		  - "ip-options" always evaluates to false
+//		  - offsets for payload patterns are ignored
+//			(but simulated by snort2bro by leading dots)
+//		  - if a rule contains "PayloadSize" and application
+//			specific patterns (like HTTP), but no "payload" patterns,
+//			it may fail to match. Work-around: Insert an always
+//			matching "payload" pattern (not done in snort2bro yet)
+//		  - tcp-state always evaluates to true
+//			(implemented but deactivated for comparision to Snort)
+
+uint32 RuleHdrTest::idcounter = 0;
+
+RuleHdrTest::RuleHdrTest(Prot arg_prot, uint32 arg_offset, uint32 arg_size,
+				Comp arg_comp, maskedvalue_list* arg_vals)
+	{
+	prot = arg_prot;
+	offset = arg_offset;
+	size = arg_size;
+	comp = arg_comp;
+	vals = arg_vals;
+	sibling = 0;
+	child = 0;
+	pattern_rules = 0;
+	pure_rules = 0;
+	ruleset = new IntSet;
+	id = ++idcounter;
+	level = 0;
+	}
+
+Val* RuleMatcher::BuildRuleStateValue(const Rule* rule,
+					const RuleEndpointState* state) const
+	{
+	RecordVal* val = new RecordVal(signature_state);
+	val->Assign(0, new StringVal(rule->ID()));
+	val->Assign(1, state->GetAnalyzer()->BuildConnVal());
+	val->Assign(2, new Val(state->is_orig, TYPE_BOOL));
+	val->Assign(3, new Val(state->payload_size, TYPE_COUNT));
+	return val;
+	}
+
+RuleHdrTest::RuleHdrTest(RuleHdrTest& h)
+	{
+	prot = h.prot;
+	offset = h.offset;
+	size = h.size;
+	comp = h.comp;
+
+	vals = new maskedvalue_list;
+	loop_over_list(*h.vals, i)
+		vals->append(new MaskedValue(*(*h.vals)[i]));
+
+	for ( int j = 0; j < Rule::TYPES; ++j )
+		{
+		loop_over_list(h.psets[j], k)
+			{
+			PatternSet* orig_set = h.psets[j][k];
+			PatternSet* copied_set = new PatternSet;
+			copied_set->re = 0;
+			copied_set->ids = orig_set->ids;
+			loop_over_list(orig_set->patterns, l)
+				copied_set->patterns.append(copy_string(orig_set->patterns[l]));
+			}
+		}
+
+	sibling = 0;
+	child = 0;
+	pattern_rules = 0;
+	pure_rules = 0;
+	ruleset = new IntSet;
+	id = ++idcounter;
+	level = 0;
+	}
+
+RuleHdrTest::~RuleHdrTest()
+	{
+	loop_over_list(*vals, i)
+		delete (*vals)[i];
+	delete vals;
+
+	for ( int i = 0; i < Rule::TYPES; ++i )
+		{
+		loop_over_list(psets[i], j)
+			delete psets[i][j]->re;
+		}
+
+	delete ruleset;
+	}
+
+bool RuleHdrTest::operator==(const RuleHdrTest& h)
+	{
+	if ( prot != h.prot || offset != h.offset || size != h.size ||
+	     comp != h.comp || vals->length() != h.vals->length() )
+		return false;
+
+	loop_over_list(*vals, i)
+		if ( (*vals)[i]->val != (*h.vals)[i]->val ||
+		     (*vals)[i]->mask != (*h.vals)[i]->mask )
+			return false;
+
+	return true;
+	}
+
+void RuleHdrTest::PrintDebug()
+	{
+	static const char* str_comp[] = { "<=", ">=", "<", ">", "==", "!=" };
+	static const char* str_prot[] = { "", "ip", "icmp", "tcp", "udp" };
+
+	fprintf(stderr, "	RuleHdrTest %s[%d:%d] %s",
+			str_prot[prot], offset, size, str_comp[comp]);
+
+	loop_over_list(*vals, i)
+		fprintf(stderr, " 0x%08x/0x%08x",
+				(*vals)[i]->val, (*vals)[i]->mask);
+
+	fprintf(stderr, "\n");
+	}
+
+RuleEndpointState::RuleEndpointState(Analyzer* arg_analyzer, bool arg_is_orig,
+					  RuleEndpointState* arg_opposite,
+					  ::PIA* arg_PIA)
+	{
+	payload_size = -1;
+	analyzer = arg_analyzer;
+	is_orig = arg_is_orig;
+
+	opposite = arg_opposite;
+	if ( opposite )
+		opposite->opposite = this;
+
+	pia = arg_PIA;
+	}
+
+RuleEndpointState::~RuleEndpointState()
+	{
+	loop_over_list(matchers, i)
+		{
+		delete matchers[i]->state;
+		delete matchers[i];
+		}
+
+	loop_over_list(matched_text, j)
+		delete matched_text[j];
+	}
+
+RuleMatcher::RuleMatcher(int arg_RE_level)
+	{
+	root = new RuleHdrTest(RuleHdrTest::NOPROT, 0, 0, RuleHdrTest::EQ,
+				new maskedvalue_list);
+	RE_level = arg_RE_level;
+	}
+
+RuleMatcher::~RuleMatcher()
+	{
+#ifdef MATCHER_PRINT_STATS
+	DumpStats(stderr);
+#endif
+	Delete(root);
+
+	loop_over_list(rules, i)
+		delete rules[i];
+	}
+
+void RuleMatcher::Delete(RuleHdrTest* node)
+	{
+	RuleHdrTest* next;
+	for ( RuleHdrTest* h = node->child; h; h = next )
+		{
+		next = h->sibling;
+		Delete(h);
+		}
+
+	delete node;
+	}
+
+bool RuleMatcher::ReadFiles(const name_list& files)
+	{
+#ifdef USE_PERFTOOLS
+	HeapLeakChecker::Disabler disabler;
+#endif
+
+	parse_error = false;
+
+	for ( int i = 0; i < files.length(); ++i )
+		{
+		rules_in = search_for_file( files[i], "sig", 0);
+		if ( ! rules_in )
+			{
+			error("Can't open signature file", files[i]);
+			return false;
+			}
+
+		rules_line_number = 0;
+		current_rule_file = files[i];
+		rules_parse();
+		}
+
+	if ( parse_error )
+		return false;
+
+	BuildRulesTree();
+
+	string_list exprs[Rule::TYPES];
+	int_list ids[Rule::TYPES];
+	BuildRegEx(root, exprs, ids);
+
+	return ! parse_error;
+	}
+
+void RuleMatcher::AddRule(Rule* rule)
+	{
+	if ( rules_by_id.Lookup(rule->ID()) )
+		{
+		rules_error("rule defined twice");
+		return;
+		}
+
+	rules.append(rule);
+	rules_by_id.Insert(rule->ID(), rule);
+	}
+
+void RuleMatcher::BuildRulesTree()
+	{
+	loop_over_list(rules, r)
+		{
+		if ( ! rules[r]->Active() )
+			continue;
+
+		rules[r]->SortHdrTests();
+		InsertRuleIntoTree(rules[r], 0, root, 0);
+		}
+	}
+
+void RuleMatcher::InsertRuleIntoTree(Rule* r, int testnr,
+					RuleHdrTest* dest, int level)
+	{
+	// Initiliaze the preconditions
+	loop_over_list(r->preconds, i)
+		{
+		Rule::Precond* pc = r->preconds[i];
+
+		Rule* pc_rule = rules_by_id.Lookup(pc->id);
+		if ( ! pc_rule )
+			{
+			rules_error(r, "unknown rule referenced");
+			return;
+			}
+
+		pc->rule = pc_rule;
+		pc_rule->dependents.append(r);
+		}
+
+	// All tests in tree already?
+	if ( testnr >= r->hdr_tests.length() )
+		{ // then insert it into the right list of the test
+		if ( r->patterns.length() )
+			{
+			r->next = dest->pattern_rules;
+			dest->pattern_rules = r;
+			}
+		else
+			{
+			r->next = dest->pure_rules;
+			dest->pure_rules = r;
+			}
+
+		dest->ruleset->Insert(r->Index());
+		return;
+		}
+
+	// Look for matching child.
+	for ( RuleHdrTest* h = dest->child; h; h = h->sibling )
+		if ( *h == *r->hdr_tests[testnr] )
+			{
+			InsertRuleIntoTree(r, testnr + 1, h, level + 1);
+			return;
+			}
+
+	// Insert new child.
+	RuleHdrTest* newtest = new RuleHdrTest(*r->hdr_tests[testnr]);
+	newtest->sibling = dest->child;
+	newtest->level = level + 1;
+	dest->child = newtest;
+
+	InsertRuleIntoTree(r, testnr + 1, newtest, level + 1);
+	}
+
+void RuleMatcher::BuildRegEx(RuleHdrTest* hdr_test, string_list* exprs,
+				int_list* ids)
+	{
+	// For each type, get all patterns on this node.
+	for ( Rule* r = hdr_test->pattern_rules; r; r = r->next )
+		{
+		loop_over_list(r->patterns, j)
+			{
+			Rule::Pattern* p = r->patterns[j];
+			exprs[p->type].append(p->pattern);
+			ids[p->type].append(p->id);
+			}
+		}
+
+	// If we're above the RE_level, these patterns will form the regexprs.
+	if ( hdr_test->level < RE_level )
+		{
+		for ( int i = 0; i < Rule::TYPES; ++i )
+			if ( exprs[i].length() )
+				BuildPatternSets(&hdr_test->psets[i], exprs[i], ids[i]);
+		}
+
+	// Get the patterns on all of our children.
+	for ( RuleHdrTest* h = hdr_test->child; h; h = h->sibling )
+		{
+		string_list child_exprs[Rule::TYPES];
+		int_list child_ids[Rule::TYPES];
+
+		BuildRegEx(h, child_exprs, child_ids);
+
+		for ( int i = 0; i < Rule::TYPES; ++i )
+			{
+			loop_over_list(child_exprs[i], j)
+				{
+				exprs[i].append(child_exprs[i][j]);
+				ids[i].append(child_ids[i][j]);
+				}
+			}
+		}
+
+	// If we're on the RE_level, all patterns gathered now
+	// form the regexprs.
+	if ( hdr_test->level == RE_level )
+		{
+		for ( int i = 0; i < Rule::TYPES; ++i )
+			if ( exprs[i].length() )
+				BuildPatternSets(&hdr_test->psets[i], exprs[i], ids[i]);
+		}
+
+	// If we're below the RE_level, the regexprs remains empty.
+	}
+
+void RuleMatcher::BuildPatternSets(RuleHdrTest::pattern_set_list* dst,
+				const string_list& exprs, const int_list& ids)
+	{
+	assert(exprs.length() == ids.length());
+
+	// We build groups of at most sig_max_group_size regexps.
+
+	string_list group_exprs;
+	int_list group_ids;
+
+	for ( int i = 0; i < exprs.length() + 1 /* sic! */; i++ )
+		{
+		if ( i < exprs.length() )
+			{
+			group_exprs.append(exprs[i]);
+			group_ids.append(ids[i]);
+			}
+
+		if ( group_exprs.length() > sig_max_group_size ||
+		     i == exprs.length() )
+			{
+			RuleHdrTest::PatternSet* set =
+				new RuleHdrTest::PatternSet;
+			set->re = new Specific_RE_Matcher(MATCH_EXACTLY, 1);
+			set->re->CompileSet(group_exprs, group_ids);
+			set->patterns = group_exprs;
+			set->ids = group_ids;
+			dst->append(set);
+
+			group_exprs.clear();
+			group_ids.clear();
+			}
+		}
+	}
+
+// Get a 8/16/32-bit value from the given position in the packet header
+static inline uint32 getval(const u_char* data, int size)
+	{
+	switch ( size ) {
+	case 1:
+		return *(uint8*) data;
+
+	case 2:
+		return ntohs(*(uint16*) data);
+
+	case 4:
+		return ntohl(*(uint32*) data);
+
+	default:
+		internal_error("illegal HdrTest size");
+	}
+
+	// Should not be reached.
+	return 0;
+	}
+
+
+// A line which can be inserted into the macros below for debugging
+// fprintf(stderr, "%.06f %08x & %08x %s %08x\n", network_time, v, (mvals)[i]->mask, #op, (mvals)[i]->val);
+
+// Evaluate a value list (matches if at least one value matches).
+#define DO_MATCH_OR( mvals, v, op )	\
+	{	\
+	loop_over_list((mvals), i)	\
+		{	\
+		if ( ((v) & (mvals)[i]->mask) op (mvals)[i]->val )	\
+			goto match;	\
+		}	\
+	goto no_match;	\
+	}
+
+// Evaluate a value list (doesn't match if any value matches).
+#define DO_MATCH_NOT_AND( mvals, v, op )	\
+	{	\
+	loop_over_list((mvals), i)	\
+		{	\
+		if ( ((v) & (mvals)[i]->mask) op (mvals)[i]->val )	\
+			goto no_match;	\
+		}	\
+	goto match;	\
+	}
+
+RuleEndpointState* RuleMatcher::InitEndpoint(Analyzer* analyzer,
+						const IP_Hdr* ip, int caplen,
+						RuleEndpointState* opposite,
+						bool from_orig, PIA* pia)
+	{
+	RuleEndpointState* state =
+		new RuleEndpointState(analyzer, from_orig, opposite, pia);
+
+	if ( rule_bench == 3 )
+		return state;
+
+	rule_hdr_test_list tests;
+	tests.append(root);
+
+	loop_over_list(tests, h)
+		{
+		RuleHdrTest* hdr_test = tests[h];
+
+		DBG_LOG(DBG_RULES, "HdrTest %d matches (%s%s)", hdr_test->id,
+				hdr_test->pattern_rules ? "+" : "-",
+				hdr_test->pure_rules ? "+" : "-");
+
+		// Current HdrTest node matches the packet, so remember it
+		// if we have any rules on it.
+		if ( hdr_test->pattern_rules || hdr_test->pure_rules )
+			state->hdr_tests.append(hdr_test);
+
+		// Evaluate all rules on this node which don't contain
+		// any patterns.
+		for ( Rule* r = hdr_test->pure_rules; r; r = r->next )
+			if ( EvalRuleConditions(r, state, 0, 0, 0) )
+				ExecRuleActions(r, state, 0, 0, 0);
+
+		// If we're on or above the RE_level, we may have some
+		// pattern matching to do.
+		if ( hdr_test->level <= RE_level )
+			{
+			for ( int i = 0; i < Rule::TYPES; ++i )
+				{
+				loop_over_list(hdr_test->psets[i], j)
+					{
+					RuleHdrTest::PatternSet* set =
+						hdr_test->psets[i][j];
+
+					assert(set->re);
+
+					RuleEndpointState::Matcher* m =
+						new RuleEndpointState::Matcher;
+					m->state = new RE_Match_State(set->re);
+					m->type = (Rule::PatternType) i;
+					state->matchers.append(m);
+					}
+				}
+			}
+
+		if ( ip )
+			{
+			// Get start of transport layer.
+			const u_char* transport = ip->Payload();
+
+			// Descend the RuleHdrTest tree further.
+			for ( RuleHdrTest* h = hdr_test->child; h;
+			      h = h->sibling )
+				{
+				const u_char* data;
+
+				// Evaluate the header test.
+				switch ( h->prot ) {
+				case RuleHdrTest::IP:
+					data = (const u_char*) ip->IP4_Hdr();
+					break;
+
+				case RuleHdrTest::ICMP:
+				case RuleHdrTest::TCP:
+				case RuleHdrTest::UDP:
+					data = transport;
+					break;
+
+				default:
+					data = 0;
+					internal_error("unknown protocol");
+				}
+
+				// ### data can be nil here if it's an
+				// IPv6 packet and we're doing an IP test.
+				if ( ! data )
+					continue;
+
+				// Sorry for the hidden gotos :-)
+				switch ( h->comp ) {
+					case RuleHdrTest::EQ:
+						DO_MATCH_OR(*h->vals, getval(data + h->offset, h->size), ==);
+
+					case RuleHdrTest::NE:
+						DO_MATCH_NOT_AND(*h->vals, getval(data + h->offset, h->size), ==);
+
+					case RuleHdrTest::LT:
+						DO_MATCH_OR(*h->vals, getval(data + h->offset, h->size), <);
+
+					case RuleHdrTest::GT:
+						DO_MATCH_OR(*h->vals, getval(data + h->offset, h->size), >);
+
+					case RuleHdrTest::LE:
+						DO_MATCH_OR(*h->vals, getval(data + h->offset, h->size), <=);
+
+					case RuleHdrTest::GE:
+						DO_MATCH_OR(*h->vals, getval(data + h->offset, h->size), >=);
+
+					default:
+						internal_error("unknown comparision type");
+				}
+
+no_match:
+				continue;
+
+match:
+				tests.append(h);
+				}
+			}
+		}
+	// Save some memory.
+	state->hdr_tests.resize(0);
+	state->matchers.resize(0);
+
+	// Send BOL to payload matchers.
+	Match(state, Rule::PAYLOAD, (const u_char *) "", 0, true, false, false);
+
+	return state;
+	}
+
+void RuleMatcher::Match(RuleEndpointState* state, Rule::PatternType type,
+			const u_char* data, int data_len,
+			bool bol, bool eol, bool clear)
+	{
+	if ( ! state )
+		{
+		warn("RuleEndpointState not initialized yet.");
+		return;
+		}
+
+	// FIXME: There is probably some room for performance improvements
+	// in this method.  For example, it *may* help to use an IntSet
+	// for 'accepted' (that depends on the average number of matching
+	// patterns).
+
+	if ( rule_bench >= 2 )
+		return;
+
+	bool newmatch = false;
+
+#ifdef DEBUG
+	if ( debug_logger.IsEnabled(DBG_RULES) )
+		{
+		const char* s =
+			fmt_bytes((const char *) data, min(40, data_len));
+
+		DBG_LOG(DBG_RULES, "Matching %s rules [%d,%d] on |%s%s|",
+				Rule::TypeToString(type), bol, eol, s,
+				data_len > 40 ? "..." : "");
+		}
+#endif
+
+	// Remember size of first non-null data.
+	if ( type == Rule::PAYLOAD )
+		{
+		bol = state->payload_size < 0;
+
+		if ( state->payload_size <= 0 && data_len )
+			state->payload_size = data_len;
+
+		else if ( state->payload_size < 0 )
+			state->payload_size = 0;
+		}
+
+	// Feed data into all relevant matchers.
+	loop_over_list(state->matchers, x)
+		{
+		RuleEndpointState::Matcher* m = state->matchers[x];
+		if ( m->type == type &&
+		     m->state->Match((const u_char*) data, data_len,
+					bol, eol, clear) )
+			newmatch = true;
+		}
+
+	// If no new match found, we're already done.
+	if ( ! newmatch )
+		return;
+
+	DBG_LOG(DBG_RULES, "New pattern match found");
+
+	// Build a joined AcceptingSet.
+	AcceptingSet accepted;
+	int_list matchpos;
+
+	loop_over_list(state->matchers, y)
+		{
+		RuleEndpointState::Matcher* m = state->matchers[y];
+		const AcceptingSet* ac = m->state->Accepted();
+
+		loop_over_list(*ac, k)
+			{
+			if ( ! accepted.is_member((*ac)[k]) )
+				{
+				accepted.append((*ac)[k]);
+				matchpos.append((*m->state->MatchPositions())[k]);
+				}
+			}
+		}
+
+	// Determine the rules for which all patterns have matched.
+	// This code should be fast enough as long as there are only very few
+	// matched patterns per connection (which is a plausible assumption).
+
+	rule_list matched;
+
+	loop_over_list(accepted, i)
+		{
+		Rule* r = Rule::rule_table[accepted[i] - 1];
+
+		DBG_LOG(DBG_RULES, "Checking rule: %s", r->id);
+
+		// Check whether all patterns of the rule have matched.
+		loop_over_list(r->patterns, j)
+			{
+			if ( ! accepted.is_member(r->patterns[j]->id) )
+				goto next_pattern;
+
+			// See if depth is satisfied.
+			if ( (unsigned int) matchpos[i] >
+			     r->patterns[j]->offset + r->patterns[j]->depth )
+				goto next_pattern;
+
+			DBG_LOG(DBG_RULES, "All patterns of rule satisfied");
+
+			// FIXME: How to check for offset ??? ###
+			}
+
+		// If not already in the list of matching rules, add it.
+		if ( ! matched.is_member(r) )
+			matched.append(r);
+
+next_pattern:
+		continue;
+		}
+
+	// Check which of the matching rules really belong to any of our nodes.
+
+	loop_over_list(matched, j)
+		{
+		Rule* r = matched[j];
+
+		DBG_LOG(DBG_RULES, "Accepted rule: %s", r->id);
+
+		loop_over_list(state->hdr_tests, k)
+			{
+			RuleHdrTest* h = state->hdr_tests[k];
+
+			DBG_LOG(DBG_RULES, "Checking for accepted rule on HdrTest %d", h->id);
+
+			// Skip if rule does not belong to this node.
+			if ( ! h->ruleset->Contains(r->Index()) )
+				continue;
+
+			DBG_LOG(DBG_RULES, "On current node");
+
+			// Skip if rule already fired for this connection.
+			if ( state->matched_rules.is_member(r->Index()) )
+				continue;
+
+			// Remember that all patterns have matched.
+			if ( ! state->matched_by_patterns.is_member(r) )
+				{
+				state->matched_by_patterns.append(r);
+				BroString* s = new BroString(data, data_len, 0);
+				state->matched_text.append(s);
+				}
+
+			DBG_LOG(DBG_RULES, "And has not already fired");
+			// Eval additional conditions.
+			if ( ! EvalRuleConditions(r, state, data, data_len, 0) )
+				continue;
+
+			// Found a match.
+			ExecRuleActions(r, state, data, data_len, 0);
+			}
+		}
+	}
+
+void RuleMatcher::FinishEndpoint(RuleEndpointState* state)
+	{
+	if ( rule_bench == 3 )
+		return;
+
+	// Send EOL to payload matchers.
+	Match(state, Rule::PAYLOAD, (const u_char *) "", 0, false, true, false);
+
+	// Some of the pure rules may match at the end of the connection,
+	// although they have not matched at the beginning. So, we have
+	// to test the candidates here.
+
+	ExecPureRules(state, 1);
+
+	loop_over_list(state->matched_by_patterns, i)
+		ExecRulePurely(state->matched_by_patterns[i],
+				state->matched_text[i], state, 1);
+	}
+
+void RuleMatcher::ExecPureRules(RuleEndpointState* state, bool eos)
+	{
+	loop_over_list(state->hdr_tests, i)
+		{
+		RuleHdrTest* hdr_test = state->hdr_tests[i];
+		for ( Rule* r = hdr_test->pure_rules; r; r = r->next )
+			ExecRulePurely(r, 0, state, eos);
+		}
+	}
+
+bool RuleMatcher::ExecRulePurely(Rule* r, BroString* s,
+				 RuleEndpointState* state, bool eos)
+	{
+	if ( state->matched_rules.is_member(r->Index()) )
+		return false;
+
+	DBG_LOG(DBG_RULES, "Checking rule %s purely", r->ID());
+
+	if ( EvalRuleConditions(r, state, 0, 0, eos) )
+		{
+		DBG_LOG(DBG_RULES, "MATCH!");
+
+		if ( s )
+			ExecRuleActions(r, state, s->Bytes(), s->Len(), eos);
+		else
+			ExecRuleActions(r, state, 0, 0, eos);
+
+		return true;
+		}
+
+	return false;
+	}
+
+bool RuleMatcher::EvalRuleConditions(Rule* r, RuleEndpointState* state,
+		const u_char* data, int len, bool eos)
+	{
+	DBG_LOG(DBG_RULES, "Evaluating conditions for rule %s", r->ID());
+
+	// Check for other rules which have to match first.
+	loop_over_list(r->preconds, i)
+		{
+		Rule::Precond* pc = r->preconds[i];
+
+		RuleEndpointState* pc_state = state;
+
+		if ( pc->opposite_dir )
+			{
+			if ( ! state->opposite )
+				// No rule matching for other direction yet.
+				return false;
+
+			pc_state = state->opposite;
+			}
+
+		if ( ! pc->negate )
+			{
+			if ( ! pc_state->matched_rules.is_member(pc->rule->Index()) )
+				// Precond rule has not matched yet.
+				return false;
+			}
+		else
+			{
+			// Only at eos can we decide about negated conditions.
+			if ( ! eos )
+				return false;
+
+			if ( pc_state->matched_rules.is_member(pc->rule->Index()) )
+				return false;
+			}
+		}
+
+	loop_over_list(r->conditions, l)
+		if ( ! r->conditions[l]->DoMatch(r, state, data, len) )
+			return false;
+
+	DBG_LOG(DBG_RULES, "Conditions met: MATCH! %s", r->ID());
+	return true;
+	}
+
+void RuleMatcher::ExecRuleActions(Rule* r, RuleEndpointState* state,
+				const u_char* data, int len, bool eos)
+	{
+	if ( state->opposite &&
+	     state->opposite->matched_rules.is_member(r->Index()) )
+		// We have already executed the actions.
+		return;
+
+	state->matched_rules.append(r->Index());
+
+	loop_over_list(r->actions, i)
+		r->actions[i]->DoAction(r, state, data, len);
+
+	// This rule may trigger some other rules; check them.
+	loop_over_list(r->dependents, j)
+		{
+		Rule* dep = (r->dependents)[j];
+		ExecRule(dep, state, eos);
+		if ( state->opposite )
+			ExecRule(dep, state->opposite, eos);
+		}
+	}
+
+void RuleMatcher::ExecRule(Rule* rule, RuleEndpointState* state, bool eos)
+	{
+	// Nothing to do if it has already matched.
+	if ( state->matched_rules.is_member(rule->Index()) )
+		return;
+
+	loop_over_list(state->hdr_tests, i)
+		{
+		RuleHdrTest* h = state->hdr_tests[i];
+
+		// Is it on this HdrTest at all?
+		if ( ! h->ruleset->Contains(rule->Index()) )
+			continue;
+
+		// Is it a pure rule?
+		for ( Rule* r = h->pure_rules; r; r = r->next )
+			if ( r == rule )
+				{ // found, so let's evaluate it
+				ExecRulePurely(rule, 0, state, eos);
+				return;
+				}
+
+		// It must be a non-pure rule. It can only match right now if
+		// all its patterns are satisfied already.
+		int pos = state->matched_by_patterns.member_pos(rule);
+		if ( pos >= 0 )
+			{ // they are, so let's evaluate it
+			ExecRulePurely(rule, state->matched_text[pos], state, eos);
+			return;
+			}
+		}
+	}
+
+void RuleMatcher::ClearEndpointState(RuleEndpointState* state)
+	{
+	if ( rule_bench == 3 )
+		return;
+
+	ExecPureRules(state, 1);
+	state->payload_size = -1;
+	state->matched_by_patterns.clear();
+	loop_over_list(state->matched_text, i)
+		delete state->matched_text[i];
+	state->matched_text.clear();
+
+	loop_over_list(state->matchers, j)
+		state->matchers[j]->state->Clear();
+	}
+
+void RuleMatcher::PrintDebug()
+	{
+	loop_over_list(rules, i)
+		rules[i]->PrintDebug();
+
+	fprintf(stderr, "\n---------------\n");
+
+	PrintTreeDebug(root);
+	}
+
+static inline void indent(int level)
+	{
+	for ( int i = level * 2; i; --i )
+		fputc(' ', stderr);
+	}
+
+void RuleMatcher::PrintTreeDebug(RuleHdrTest* node)
+	{
+	for ( int i = 0; i < Rule::TYPES; ++i )
+		{
+		indent(node->level);
+		loop_over_list(node->psets[i], j)
+			{
+			RuleHdrTest::PatternSet* set = node->psets[i][j];
+
+			fprintf(stderr,
+				"[%d patterns in %s group %d from %d rules]\n",
+				set->patterns.length(),
+				Rule::TypeToString((Rule::PatternType) i), j,
+				set->ids.length());
+			}
+		}
+
+	for ( Rule* r = node->pattern_rules; r; r = r->next )
+		{
+		indent(node->level);
+		fprintf(stderr, "Pattern rule %s (%d/%d)\n", r->id, r->idx,
+				node->ruleset->Contains(r->Index()));
+		}
+
+	for ( Rule* r = node->pure_rules; r; r = r->next )
+		{
+		indent(node->level);
+		fprintf(stderr, "Pure rule %s (%d/%d)\n", r->id, r->idx,
+				node->ruleset->Contains(r->Index()));
+		}
+
+	for ( RuleHdrTest* h = node->child; h; h = h->sibling )
+		{
+		indent(node->level);
+		fprintf(stderr, "Test %4d\n", h->id);
+		PrintTreeDebug(h);
+		}
+	}
+
+void RuleMatcher::GetStats(Stats* stats, RuleHdrTest* hdr_test)
+	{
+	if ( ! hdr_test )
+		{
+		stats->matchers = 0;
+		stats->dfa_states = 0;
+		stats->computed = 0;
+		stats->mem = 0;
+		stats->hits = 0;
+		stats->misses = 0;
+		stats->avg_nfa_states = 0;
+		hdr_test = root;
+		}
+
+	DFA_State_Cache::Stats cstats;
+
+	for ( int i = 0; i < Rule::TYPES; ++i )
+		{
+		loop_over_list(hdr_test->psets[i], j)
+			{
+			RuleHdrTest::PatternSet* set = hdr_test->psets[i][j];
+			assert(set->re);
+
+			++stats->matchers;
+			set->re->DFA()->Cache()->GetStats(&cstats);
+
+			stats->dfa_states += cstats.dfa_states;
+			stats->computed += cstats.computed;
+			stats->mem += cstats.mem;
+			stats->hits += cstats.hits;
+			stats->misses += cstats.misses;
+			stats->avg_nfa_states += cstats.nfa_states;
+			}
+		}
+
+	if (  stats->dfa_states )
+		stats->avg_nfa_states /= stats->dfa_states;
+	else
+		stats->avg_nfa_states = 0;
+
+	for ( RuleHdrTest* h = hdr_test->child; h; h = h->sibling )
+		GetStats(stats, h);
+	}
+
+void RuleMatcher::DumpStats(BroFile* f)
+	{
+	Stats stats;
+	GetStats(&stats);
+
+	f->Write(fmt("%.6f computed dfa states = %d; classes = ??; "
+			"computed trans. = %d; matchers = %d; mem = %d\n",
+			network_time, stats.dfa_states, stats.computed,
+			stats.matchers, stats.mem));
+	f->Write(fmt("%.6f DFA cache hits = %d; misses = %d\n", network_time,
+			stats.hits, stats.misses));
+
+	DumpStateStats(f, root);
+	}
+
+void RuleMatcher::DumpStateStats(BroFile* f, RuleHdrTest* hdr_test)
+	{
+	if ( ! hdr_test )
+		return;
+
+	for ( int i = 0; i < Rule::TYPES; i++ )
+		{
+		loop_over_list(hdr_test->psets[i], j)
+			{
+			RuleHdrTest::PatternSet* set = hdr_test->psets[i][j];
+			assert(set->re);
+
+			f->Write(fmt("%.6f %d DFA states in %s group %d from sigs ", network_time,
+					 set->re->DFA()->NumStates(),
+					 Rule::TypeToString((Rule::PatternType)i), j));
+
+			loop_over_list(set->ids, k)
+				{
+				Rule* r = Rule::rule_table[set->ids[k] - 1];
+				f->Write(fmt("%s ", r->ID()));
+				}
+			
+			f->Write("\n");
+			}
+		}
+
+	for ( RuleHdrTest* h = hdr_test->child; h; h = h->sibling )
+		DumpStateStats(f, h);
+	}
+
+static Val* get_bro_val(const char* label)
+	{
+	ID* id = lookup_ID(label, GLOBAL_MODULE_NAME, false);
+	if ( ! id )
+		{
+		rules_error("unknown script-level identifier", label);
+		return 0;
+		}
+
+	return id->ID_Val();
+	}
+
+
+// Converts an atomic Val and appends it to the list
+static bool val_to_maskedval(Val* v, maskedvalue_list* append_to)
+	{
+	MaskedValue* mval = new MaskedValue;
+
+	switch ( v->Type()->Tag() ) {
+		case TYPE_PORT:
+			mval->val = v->AsPortVal()->Port();
+			mval->mask = 0xffffffff;
+			break;
+
+		case TYPE_BOOL:
+		case TYPE_COUNT:
+		case TYPE_ENUM:
+		case TYPE_INT:
+			mval->val = v->CoerceToUnsigned();
+			mval->mask = 0xffffffff;
+			break;
+
+		case TYPE_SUBNET:
+#ifdef BROv6
+			{
+			uint32* n = v->AsSubNet()->net;
+			uint32* m = v->AsSubNetVal()->Mask();
+			bool is_v4_mask = m[0] == 0xffffffff &&
+						m[1] == m[0] && m[2] == m[0];
+
+			if ( is_v4_addr(n) && is_v4_mask )
+				{
+				mval->val = ntohl(to_v4_addr(n));
+				mval->mask = m[3];
+				}
+
+			else
+				{
+				rules_error("IPv6 subnets not supported");
+				mval->val = 0;
+				mval->mask = 0;
+				}
+			}
+#else
+			mval->val = ntohl(v->AsSubNet()->net);
+			mval->mask = v->AsSubNetVal()->Mask();
+#endif
+			break;
+
+		default:
+			rules_error("Wrong type of identifier");
+			return false;
+	}
+
+	append_to->append(mval);
+
+	return true;
+	}
+
+void id_to_maskedvallist(const char* id, maskedvalue_list* append_to)
+	{
+	Val* v = get_bro_val(id);
+	if ( ! v )
+		return;
+
+	if ( v->Type()->Tag() == TYPE_TABLE )
+		{
+		val_list* vals = v->AsTableVal()->ConvertToPureList()->Vals();
+		loop_over_list(*vals, i )
+			if ( ! val_to_maskedval((*vals)[i], append_to) )
+				return;
+		}
+
+	else
+		val_to_maskedval(v, append_to);
+	}
+
+char* id_to_str(const char* id)
+	{
+	const BroString* src;
+	char* dst;
+
+	Val* v = get_bro_val(id);
+	if ( ! v )
+		goto error;
+
+	if ( v->Type()->Tag() != TYPE_STRING )
+		{
+		rules_error("Identifier must refer to string");
+		goto error;
+		}
+
+	src = v->AsString();
+	dst = new char[src->Len()+1];
+	memcpy(dst, src->Bytes(), src->Len());
+	*(dst+src->Len()) = '\0';
+	return dst;
+
+error:
+	char* dummy = copy_string("<error>");
+	return dummy;
+	}
+
+uint32 id_to_uint(const char* id)
+	{
+	Val* v = get_bro_val(id);
+	if ( ! v )
+		return 0;
+
+	TypeTag t = v->Type()->Tag();
+
+	if ( t == TYPE_BOOL || t == TYPE_COUNT || t == TYPE_ENUM ||
+	     t == TYPE_INT || t == TYPE_PORT )
+		return v->CoerceToUnsigned();
+
+	rules_error("Identifier must refer to integer");
+	return 0;
+	}
+
+void RuleMatcherState::InitEndpointMatcher(Analyzer* analyzer, const IP_Hdr* ip,
+					int caplen, bool from_orig, PIA* pia)
+	{
+	if ( ! rule_matcher )
+		return;
+
+	if ( from_orig )
+		{
+		if ( orig_match_state )
+			{
+			rule_matcher->FinishEndpoint(orig_match_state);
+			delete orig_match_state;
+			}
+
+		orig_match_state =
+			rule_matcher->InitEndpoint(analyzer, ip, caplen,
+					resp_match_state, from_orig, pia);
+		}
+
+	else
+		{
+		if ( resp_match_state )
+			{
+			rule_matcher->FinishEndpoint( resp_match_state );
+			delete resp_match_state;
+			}
+
+		resp_match_state =
+			rule_matcher->InitEndpoint(analyzer, ip, caplen,
+					orig_match_state, from_orig, pia);
+		}
+	}
+
+void RuleMatcherState::FinishEndpointMatcher()
+	{
+	if ( ! rule_matcher )
+		return;
+
+	if ( orig_match_state )
+		rule_matcher->FinishEndpoint(orig_match_state);
+
+	if ( resp_match_state )
+		rule_matcher->FinishEndpoint(resp_match_state);
+
+	delete orig_match_state;
+	delete resp_match_state;
+
+	orig_match_state = resp_match_state = 0;
+	}
+
+void RuleMatcherState::Match(Rule::PatternType type, const u_char* data,
+				int data_len, bool from_orig,
+				bool bol, bool eol, bool clear)
+	{
+	if ( ! rule_matcher )
+		return;
+
+	rule_matcher->Match(from_orig ? orig_match_state : resp_match_state,
+					type, data, data_len, bol, eol, clear);
+	}
+
+void RuleMatcherState::ClearMatchState(bool orig)
+	{
+	if ( ! rule_matcher )
+		return;
+
+	if ( orig_match_state )
+		rule_matcher->ClearEndpointState(orig_match_state);
+	if ( resp_match_state )
+		rule_matcher->ClearEndpointState(resp_match_state);
+	}
diff --git a/src/RuleMatcher.h b/src/RuleMatcher.h
new file mode 100644
index 0000000000..085253c16e
--- /dev/null
+++ b/src/RuleMatcher.h
@@ -0,0 +1,329 @@
+// $Id: RuleMatcher.h 3526 2006-09-12 07:32:21Z vern $
+
+#ifndef sigs_h
+#define sigs_h
+
+#include <limits.h>
+
+#include "BroString.h"
+#include "List.h"
+#include "RE.h"
+#include "Net.h"
+#include "Sessions.h"
+#include "IntSet.h"
+#include "util.h"
+#include "Rule.h"
+#include "RuleAction.h"
+#include "RuleCondition.h"
+
+//#define MATCHER_PRINT_STATS
+
+extern int rule_bench;
+
+// Parser interface:
+
+extern void rules_error(const char* msg);
+extern void rules_error(const char* msg, const char* addl);
+extern void rules_error(Rule* id, const char* msg);
+extern int rules_lex(void);
+extern int rules_parse(void);
+extern "C" int rules_wrap(void);
+extern FILE* rules_in;
+extern int rules_line_number;
+extern const char* current_rule_file;
+
+class RuleMatcher;
+extern RuleMatcher* rule_matcher;
+
+class Analyzer;
+class PIA;
+
+// RuleHdrTest and associated things:
+
+// Given a header expression like "ip[offset:len] & mask = val", we parse
+// it into a Range and a MaskedValue.
+struct Range {
+	uint32 offset;
+	uint32 len;
+};
+
+struct MaskedValue {
+	uint32 val;
+	uint32 mask;
+};
+
+declare(PList, MaskedValue);
+typedef PList(MaskedValue) maskedvalue_list;
+
+typedef PList(char) string_list;
+
+declare(PList, BroString);
+typedef PList(BroString) bstr_list;
+
+// Get values from Bro's script-level variables.
+extern void id_to_maskedvallist(const char* id, maskedvalue_list* append_to);
+extern char* id_to_str(const char* id);
+extern uint32 id_to_uint(const char* id);
+
+class RuleHdrTest {
+public:
+	enum Comp { LE, GE, LT, GT, EQ, NE };
+	enum Prot { NOPROT, IP, ICMP, TCP, UDP };
+
+	RuleHdrTest(Prot arg_prot, uint32 arg_offset, uint32 arg_size,
+			Comp arg_comp, maskedvalue_list* arg_vals);
+	~RuleHdrTest();
+
+	void PrintDebug();
+
+private:
+	// The constructor does not copy those attributes which are set
+	// by RuleMatcher::BuildRulesTree() (see below).
+	RuleHdrTest(RuleHdrTest& h);
+		// should be const, but lists don't have const version
+
+	// Likewise, the operator== checks only for same test semantics.
+	bool operator==(const RuleHdrTest& h);
+
+	Prot prot;
+	Comp comp;
+	maskedvalue_list* vals;
+	uint32 offset;
+	uint32 size;
+
+	uint32 id;	// For debugging, each HdrTest gets an unique ID
+	static uint32 idcounter;
+
+	// The following are all set by RuleMatcher::BuildRulesTree().
+	friend class RuleMatcher;
+
+	struct PatternSet {
+		PatternSet() {}
+
+		// If we're above the 'RE_level' (see RuleMatcher), this
+		// expr contains all patterns on this node. If we're on
+		// 'RE_level', it additionally contains all patterns
+		// of any of its children.
+		Specific_RE_Matcher* re;
+
+		// All the patterns and their rule indices.
+		string_list patterns;
+		int_list ids;	// (only needed for debugging)
+	};
+
+	declare(PList, PatternSet);
+	typedef PList(PatternSet) pattern_set_list;
+	pattern_set_list psets[Rule::TYPES];
+
+	// List of rules belonging to this node.
+	Rule* pattern_rules;	// rules w/ at least one pattern of any type
+	Rule* pure_rules;	// rules containing no patterns at all
+
+	IntSet* ruleset;	// set of all rules belonging to this node
+				// (for fast membership test)
+
+	RuleHdrTest* sibling;	// linkage within HdrTest tree
+	RuleHdrTest* child;
+
+	int level;	// level within the tree
+};
+
+declare(PList, RuleHdrTest);
+typedef PList(RuleHdrTest) rule_hdr_test_list;
+
+// RuleEndpointState keeps the per-stream matching state of one
+// connection endpoint.
+class RuleEndpointState {
+public:
+	~RuleEndpointState();
+
+	Analyzer* GetAnalyzer()	const	{ return analyzer; }
+	bool IsOrig()		{ return is_orig; }
+
+	// For flipping roles.
+	void FlipIsOrig()	{ is_orig = ! is_orig; }
+
+	// Returns the size of the first non-empty chunk of
+	//   data feed into the RULE_PAYLOAD matcher.
+	// Returns 0 zero iff only empty chunks have been fed.
+	// Returns -1 if no chunk has been fed yet at all.
+	int PayloadSize()	{ return payload_size; }
+
+	::PIA* PIA() const	{ return pia; }
+
+private:
+	friend class RuleMatcher;
+
+	// Constructor is private; use RuleMatcher::InitEndpoint()
+	// for creating an instance.
+	RuleEndpointState(Analyzer* arg_analyzer, bool arg_is_orig,
+			  RuleEndpointState* arg_opposite, ::PIA* arg_PIA);
+
+	struct Matcher {
+		RE_Match_State* state;
+		Rule::PatternType type;
+	};
+
+	declare(PList, Matcher);
+	typedef PList(Matcher) matcher_list;
+
+	bool is_orig;
+	Analyzer* analyzer;
+	RuleEndpointState* opposite;
+	::PIA* pia;
+
+	matcher_list matchers;
+	rule_hdr_test_list hdr_tests;
+
+	// The follow tracks which rules for which all patterns have matched,
+	// and in a parallel list the (first instance of the) corresponding
+	// matched text.
+	rule_list matched_by_patterns;
+	bstr_list matched_text;
+
+	int payload_size;
+
+	int_list matched_rules;		// Rules for which all conditions have matched
+};
+
+
+// RuleMatcher is the main class which builds up the data structures
+// and performs the actual matching.
+
+class RuleMatcher {
+public:
+	// Argument is tree level on which we build combined regexps
+	// (Level 0 is root).
+	RuleMatcher(int RE_level = 4);
+	~RuleMatcher();
+
+	// Parse the given files and built up data structures.
+	bool ReadFiles(const name_list& files);
+
+	// Initialize the matching state for a endpoind of a connection based on
+	// the given packet (which should be the first packet encountered for
+	// this endpoint). If the matching is triggered by an PIA, a pointer to
+	// it needs to be given.
+	RuleEndpointState* InitEndpoint(Analyzer* analyzer, const IP_Hdr* ip,
+		int caplen, RuleEndpointState* opposite, bool is_orig, PIA* pia);
+
+	// Finish matching for this stream.
+	void FinishEndpoint(RuleEndpointState* state);
+
+	// Perform the actual pattern matching on the given data.
+	// bol/eol should be set to false for type Rule::PAYLOAD; they're
+	// deduced automatically.
+	void Match(RuleEndpointState* state, Rule::PatternType type,
+			const u_char* data, int data_len,
+			bool bol, bool eol, bool clear);
+
+	// Reset the state of the pattern matcher for this endpoint.
+	void ClearEndpointState(RuleEndpointState* state);
+
+	void PrintDebug();
+
+	// Interface to parser
+	void AddRule(Rule* rule);
+	void SetParseError()		{ parse_error = true; }
+
+	// Interface to for getting some statistics
+	struct Stats {
+		unsigned int matchers;	// # distinct RE matchers
+
+		// # DFA states across all matchers
+		unsigned int dfa_states;
+		unsigned int computed;	// # computed DFA state transitions
+		unsigned int mem;	// #  bytes used by DFA states
+
+		// # cache hits (sampled, multiply by MOVE_TO_FRONT_SAMPLE_SIZE)
+		unsigned int hits;
+		unsigned int misses;	// # cache misses
+
+		// Average # NFA states per DFA state.
+		unsigned int avg_nfa_states;
+	};
+
+	Val* BuildRuleStateValue(const Rule* rule,
+					const RuleEndpointState* state) const;
+
+	void GetStats(Stats* stats, RuleHdrTest* hdr_test = 0);
+	void DumpStats(BroFile* f);
+
+private:
+	// Delete node and all children.
+	void Delete(RuleHdrTest* node);
+
+	// Build tree containing all added rules.
+	void BuildRulesTree();
+
+	// Insert one rule into the current tree.
+	void InsertRuleIntoTree(Rule* r, int testnr, RuleHdrTest* dest,
+				int level);
+
+	// Traverse tree building the combined regular expressions.
+	void BuildRegEx(RuleHdrTest* hdr_test, string_list* exprs, int_list* ids);
+
+	// Build groups of regular epxressions.
+	void BuildPatternSets(RuleHdrTest::pattern_set_list* dst,
+				const string_list& exprs, const int_list& ids);
+
+	// Check an arbitrary rule if it's satisfied right now.
+	// eos signals end of stream
+	void ExecRule(Rule* rule, RuleEndpointState* state, bool eos);
+
+	// Evaluate all rules which do not depend on any matched patterns.
+	void ExecPureRules(RuleEndpointState* state, bool eos);
+
+	// Eval a rule under the assumption that all its patterns
+	// have already matched.  s holds the text the rule matched,
+	// or nil if N/A.
+	bool ExecRulePurely(Rule* r, BroString* s,
+		RuleEndpointState* state, bool eos);
+
+	// Execute the actions associated with a rule.
+	void ExecRuleActions(Rule* r, RuleEndpointState* state,
+				const u_char* data, int len, bool eos);
+
+	// Evaluate all rule conditions except patterns and "header".
+	bool EvalRuleConditions(Rule* r, RuleEndpointState* state,
+				const u_char* data, int len, bool eos);
+
+	void PrintTreeDebug(RuleHdrTest* node);
+
+	void DumpStateStats(BroFile* f, RuleHdrTest* hdr_test);
+
+	int RE_level;
+	bool parse_error;
+	RuleHdrTest* root;
+	rule_list rules;
+	rule_dict rules_by_id;
+};
+
+// Keeps bi-directional matching-state.
+class RuleMatcherState {
+public:
+	RuleMatcherState()	{ orig_match_state = resp_match_state = 0; }
+	~RuleMatcherState()
+		{ delete orig_match_state; delete resp_match_state; }
+
+	// ip may be nil.
+	void InitEndpointMatcher(Analyzer* analyzer, const IP_Hdr* ip,
+				int caplen, bool from_orig, PIA* pia = 0);
+
+	// bol/eol should be set to false for type Rule::PAYLOAD; they're
+	// deduced automatically.
+	void Match(Rule::PatternType type, const u_char* data, int data_len,
+			bool from_orig, bool bol, bool eol, bool clear_state);
+
+	void FinishEndpointMatcher();
+	void ClearMatchState(bool orig);
+
+	bool MatcherInitialized(bool orig)
+		{ return orig ? orig_match_state : resp_match_state; }
+
+private:
+	RuleEndpointState* orig_match_state;
+	RuleEndpointState* resp_match_state;
+};
+
+#endif
diff --git a/src/SMB.cc b/src/SMB.cc
new file mode 100644
index 0000000000..7ee6986d3d
--- /dev/null
+++ b/src/SMB.cc
@@ -0,0 +1,1237 @@
+// $Id: SMB.cc 6219 2008-10-01 05:39:07Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "NetVar.h"
+#include "SMB.h"
+#include "smb_pac.h"
+#include "Val.h"
+
+namespace {
+	const bool DEBUG_smb_ipc = true;
+}
+
+#define BYTEORDER_SWAP16(n) ((256 * ((n) & 0xff)) + ((n) >> 8))
+
+enum SMB_Command {
+#define SMB_COMMAND(name, value) name = value,
+#include "SMB_COM.def"
+#undef SMB_COMMAND
+};
+
+enum SMB_Transaction_Command {
+	HOST_ANNOUNCEMENT = 1,
+	ANNOUCEMENT_REQUEST = 2,
+	REQUEST_ELECTION = 8,
+	GET_BACKUP_LIST_REQUEST = 9,
+	GET_BACKUP_LIST_RESPONSE = 10,
+	BECOME_BACKUP_REQUEST = 11,
+	DOMAIN_ANNOUNCEMENT = 12,
+	MASTER_ANNOUNCEMENT = 13,
+	RESET_BROWSER_STATE = 14,
+	LOCAL_MASTER_ANNOUNCEMENT = 15,
+};
+
+const char* SMB_command_name[256];
+StringVal* SMB_command_str[256];
+const char* SMB_trans_command_name[256];
+StringVal* SMB_trans_command_str[256];
+
+static void init_SMB_command_name()
+	{
+	static int initialized = 0;
+	if ( initialized )
+		return;
+
+	initialized = 1;
+
+	for ( int i = 0; i < 256; ++i )
+		{
+		SMB_command_name[i] = "<unknown>";
+		SMB_command_str[i] = 0;
+		}
+
+#define SMB_COMMAND(name, value) SMB_command_name[value] = #name;
+#include "SMB_COM.def"
+#undef SMB_COMMAND
+#define SMB_COMMAND(name, value) SMB_trans_command_name[value] = #name;
+	SMB_COMMAND(HOST_ANNOUNCEMENT, 1)
+	SMB_COMMAND(ANNOUCEMENT_REQUEST, 2)
+	SMB_COMMAND(REQUEST_ELECTION, 8)
+	SMB_COMMAND(GET_BACKUP_LIST_REQUEST, 9)
+	SMB_COMMAND(GET_BACKUP_LIST_RESPONSE, 10)
+	SMB_COMMAND(BECOME_BACKUP_REQUEST, 11)
+	SMB_COMMAND(DOMAIN_ANNOUNCEMENT, 12)
+	SMB_COMMAND(MASTER_ANNOUNCEMENT, 13)
+	SMB_COMMAND(RESET_BROWSER_STATE, 14)
+	SMB_COMMAND(LOCAL_MASTER_ANNOUNCEMENT, 15)
+
+	}
+
+StringVal* get_SMB_command_str(int cmd)
+	{
+	if ( ! SMB_command_str[cmd] )
+		SMB_command_str[cmd] = new StringVal(SMB_command_name[cmd]);
+
+	return SMB_command_str[cmd];
+	}
+
+// ### TODO: the list of IPC pipes needs a lot of expansion.
+static int lookup_IPC_name(BroString* name)
+	{
+	static const char* IPC_pipe_names[] = {
+		"\\locator", "\\epmapper", "\\samr", "\\lsarpc", 0
+	};
+
+	for ( int i = 0; IPC_pipe_names[i]; ++i )
+		{
+		if ( size_t(name->Len()) == strlen(IPC_pipe_names[i]) &&
+		     strncmp((const char*) name->Bytes(),
+			     IPC_pipe_names[i], name->Len()) == 0 )
+			return i + 1;
+		}
+
+	return IPC_NONE;
+	}
+
+SMB_Session::SMB_Session(Analyzer* arg_analyzer)
+	{
+	analyzer = arg_analyzer;
+	dce_rpc_session = 0;
+	init_SMB_command_name();
+
+	// Strangely, one does not have to connect to IPC$ before
+	// making DCE/RPC calls. So we assume that it's always IPC
+	// unless confirmed otherwise.
+
+	is_IPC = true;
+	IPC_pipe = IPC_NONE;
+
+	transaction_name = 0;
+	transaction_subcmd = 0;
+
+	andx_[0] = andx_[1] = 0;
+	set_andx(0, 0);
+	set_andx(1, 0);
+
+	}
+
+SMB_Session::~SMB_Session()
+	{
+	binpac::Unref(andx_[0]);
+	binpac::Unref(andx_[1]);
+	Unref(transaction_name);
+	delete dce_rpc_session;
+	}
+
+void SMB_Session::set_andx(int is_orig, binpac::SMB::SMB_andx* andx)
+	{
+	int ind = is_orig ? 1 : 0;
+	if ( andx )
+		andx->Ref();
+
+	binpac::Unref(andx_[ind]);
+
+	andx_[ind] = andx;
+	}
+
+void SMB_Session::Deliver(int is_orig, int len, const u_char* data)
+	{
+	if ( len == 0 )
+		return;
+
+	try
+		{
+		const u_char* data_start = data;
+		const u_char* data_end = data + len;
+
+		binpac::SMB::SMB_header hdr;
+		int hdr_len = hdr.Parse(data, data_end);
+
+		data += hdr_len;
+
+		int next_command = hdr.command();
+
+		while ( data < data_end )
+			{
+			SMB_Body body(data, data_end);
+			set_andx(is_orig, 0);
+			ParseMessage(is_orig, next_command, hdr, body);
+
+			int next = AndxOffset(is_orig, next_command);
+			if ( next <= 0 )
+				break;
+
+			//Weird(fmt("ANDX! at %d", next));
+			const u_char* tmp = data_start + next;
+			if ( data_start + next < data + body.length() )
+				{
+				Weird(fmt("ANDX buffer overlapping: next = %d, buffer_end = %d", next, data + body.length() - data_start));
+				break;
+				}
+
+			data = data_start + next;
+			}
+		}
+	catch ( const binpac::Exception& e )
+		{
+		analyzer->Weird(e.msg().c_str());
+		}
+	}
+
+void SMB_Session::ParseMessage(int is_orig, int cmd,
+				binpac::SMB::SMB_header const& hdr,
+				SMB_Body const& body)
+	{
+	if ( smb_message )
+		{
+		val_list* vl = new val_list;
+		StringVal* cmd_str = get_SMB_command_str(cmd);
+		Ref(cmd_str);
+
+		vl->append(analyzer->BuildConnVal());
+		vl->append(BuildHeaderVal(hdr));
+		vl->append(new Val(is_orig, TYPE_BOOL));
+		vl->append(cmd_str);
+		vl->append(new Val(body.length(), TYPE_COUNT));
+		vl->append(new StringVal(body.length(),
+					(const char*) body.data()));
+
+		analyzer->ConnectionEvent(smb_message, vl);
+		}
+
+	if ( is_orig )
+		req_cmd = cmd;
+
+	// What if there's an error?
+	// if ( hdr.status->status() || hdr.status->dos_error() )
+	// The command code in the header might be right, but
+	// the response is probably mangled :-(.
+
+	int ci = hdr.status()->val_case_index();
+	if ( (ci == 1 && hdr.status()->status()) ||
+	     (ci == 0 && (hdr.status()->dos_error()->error_class() ||
+			  hdr.status()->dos_error()->error())) )
+		{
+		unsigned int error = 0;
+
+		switch ( ci ) {
+		case 0:
+			error = hdr.status()->dos_error()->error_class() << 24 ||
+				hdr.status()->dos_error()->error();
+			break;
+		case 1:
+			error = hdr.status()->status();
+			break;
+		}
+
+		val_list* vl = new val_list;
+		StringVal* cmd_str = get_SMB_command_str(cmd);
+		Ref(cmd_str);
+
+		vl->append(analyzer->BuildConnVal());
+		vl->append(BuildHeaderVal(hdr));
+		vl->append(new Val(cmd, TYPE_COUNT));
+		vl->append(cmd_str);
+		vl->append(new StringVal(body.length(),
+					(const char*) body.data()));
+
+		analyzer->ConnectionEvent(smb_error, vl);
+
+		// Is this the right behavior?
+		return;
+		}
+
+	int ret = 0;
+	switch ( cmd ) {
+	case SMB_COM_TREE_CONNECT_ANDX:
+		if ( is_orig )
+			ret = ParseTreeConnectAndx(hdr, body);
+		else
+			ret = ParseAndx(is_orig, hdr, body);
+		break;
+
+	case SMB_COM_NT_CREATE_ANDX:
+		if ( is_orig )
+			ret = ParseNtCreateAndx(hdr, body);
+		else
+			ret = ParseAndx(is_orig, hdr, body);
+		break;
+
+	case SMB_COM_TRANSACTION:
+	case SMB_COM_TRANSACTION2:
+	case SMB_COM_TRANSACTION_SECONDARY:
+	case SMB_COM_TRANSACTION2_SECONDARY:
+		ret = ParseTransaction(is_orig, cmd, hdr, body);
+		break;
+
+	case SMB_COM_READ_ANDX:
+		if ( is_orig )
+			ret = ParseReadAndx(hdr, body);
+		else
+			ret = ParseReadAndxResponse(hdr, body);
+		break;
+
+	case SMB_COM_WRITE_ANDX:
+		if ( is_orig )
+			ret = ParseWriteAndx(hdr, body);
+		else
+			ret = ParseWriteAndxResponse(hdr, body);
+		break;
+
+	case SMB_COM_NEGOTIATE:
+		if ( is_orig )
+			ret = ParseNegotiate(hdr, body);
+		else
+			ret = ParseNegotiateResponse(hdr, body);
+		break;
+
+	case SMB_COM_CLOSE:
+		ret = ParseClose(is_orig, hdr, body);
+		break;
+
+	case SMB_COM_TREE_DISCONNECT:
+		ret = ParseTreeDisconnect(is_orig, hdr, body);
+		break;
+
+	case SMB_COM_LOGOFF_ANDX:
+		if ( is_orig )
+			ret = ParseLogoffAndx(is_orig, hdr, body);
+		else
+			ret = ParseAndx(is_orig, hdr, body);
+		break;
+
+	case SMB_COM_SESSION_SETUP_ANDX:
+		if ( is_orig )
+			ret = ParseSetupAndx(is_orig, hdr, body);
+		else
+			ret = ParseAndx(is_orig, hdr, body);
+		break;
+
+	default:
+		Weird(fmt("unknown_SMB_command(0x%x)", cmd));
+		break;
+	}
+
+	if ( ret == -1 )
+		Weird("SMB_parsing_error");
+	}
+
+int SMB_Session::ParseNegotiate(binpac::SMB::SMB_header const& hdr,
+				SMB_Body const& body)
+	{
+	binpac::SMB::SMB_negotiate msg;
+	msg.Parse(body.data(), body.data() + body.length());
+
+	if ( smb_com_negotiate )
+		{
+		TableVal* t = new TableVal(smb_negotiate);
+		for ( int i = 0; i < int(msg.dialects()->size()); ++i )
+			{
+			binpac::SMB::SMB_dialect* d = (*msg.dialects())[i];
+			BroString* tmp = ExtractString(d->dialectname());
+			t->Assign(new Val(i, TYPE_COUNT), new StringVal(tmp));
+			}
+
+		val_list* vl = new val_list;
+		vl->append(analyzer->BuildConnVal());
+		vl->append(BuildHeaderVal(hdr));
+		vl->append(t);
+
+		analyzer->ConnectionEvent(smb_com_negotiate, vl);
+		}
+
+	return 0;
+	}
+
+int SMB_Session::ParseNegotiateResponse(binpac::SMB::SMB_header const& hdr,
+					SMB_Body const& body)
+	{
+	binpac::SMB::SMB_negotiate_response msg;
+	msg.Parse(body.data(), body.data() + body.length());
+
+	if ( smb_com_negotiate_response )
+		{
+		val_list* vl = new val_list;
+		vl->append(analyzer->BuildConnVal());
+		vl->append(BuildHeaderVal(hdr));
+		vl->append(new Val(msg.dialect_index(), TYPE_COUNT));
+
+		analyzer->ConnectionEvent(smb_com_negotiate_response, vl);
+		}
+
+	return 0;
+	}
+
+int SMB_Session::ParseSetupAndx(int is_orig, binpac::SMB::SMB_header const& hdr,
+				SMB_Body const& body)
+ 	{
+	// The binpac type depends on the negotiated server settings -
+	// possibly we can just pick the "right" format here, and use that?
+
+	if ( hdr.flags2() && 0x0800 )
+		{
+		binpac::SMB::SMB_setup_andx_ext msg(hdr.unicode());
+		msg.Parse(body.data(), body.data() + body.length());
+		set_andx(1, msg.andx());
+		}
+	else
+		{
+		binpac::SMB::SMB_setup_andx_basic msg(hdr.unicode());
+		msg.Parse(body.data(), body.data() + body.length());
+		set_andx(1, msg.andx());
+		}
+
+	if ( smb_com_setup_andx )
+		{
+		val_list* vl = new val_list;
+		vl->append(analyzer->BuildConnVal());
+		vl->append(BuildHeaderVal(hdr));
+
+		analyzer->ConnectionEvent(smb_com_setup_andx, vl);
+		}
+
+	return 0;
+	}
+
+int SMB_Session::ParseClose(int is_orig, binpac::SMB::SMB_header const& hdr,
+				SMB_Body const& body)
+	{
+	if ( smb_com_close )
+		{
+		val_list* vl = new val_list;
+		vl->append(analyzer->BuildConnVal());
+		vl->append(BuildHeaderVal(hdr));
+
+		analyzer->ConnectionEvent(smb_com_close, vl);
+		}
+
+	return 0;
+	}
+
+int SMB_Session::ParseLogoffAndx(int is_orig,
+					binpac::SMB::SMB_header const& hdr,
+					SMB_Body const& body)
+	{
+ 	binpac::SMB::SMB_generic_andx msg;
+ 	msg.Parse(body.data(), body.data() + body.length());
+ 	if ( msg.word_count() > 0 )
+		set_andx(is_orig, msg.andx());
+
+	if ( smb_com_logoff_andx )
+		{
+		val_list* vl = new val_list;
+		vl->append(analyzer->BuildConnVal());
+		vl->append(BuildHeaderVal(hdr));
+
+		analyzer->ConnectionEvent(smb_com_logoff_andx, vl);
+		}
+
+ 	return 0;
+ 	}
+ 
+int SMB_Session::ParseAndx(int is_orig, binpac::SMB::SMB_header const& hdr,
+				SMB_Body const& body)
+	{
+	// This is a generic ANDX event generator.  It passes the header
+	// and the ANDX data out to the policy.
+	try
+		{
+		binpac::SMB::SMB_generic_andx msg;
+		msg.Parse(body.data(), body.data() + body.length());
+		if ( msg.word_count() > 0 )
+			set_andx(is_orig, msg.andx());
+
+		if ( smb_com_generic_andx )
+			{
+			val_list* vl = new val_list;
+			vl->append(analyzer->BuildConnVal());
+			vl->append(BuildHeaderVal(hdr));
+			vl->append(new StringVal(msg.data().length(),
+					(char *) msg.data().begin()));
+
+			analyzer->ConnectionEvent(smb_com_generic_andx, vl);
+			}
+		}
+	catch ( const binpac::Exception& )
+		{
+		Weird("smb_andx_command_failed_to_parse");
+		}
+
+	return 0;
+	}
+
+int SMB_Session::ParseTreeConnectAndx(binpac::SMB::SMB_header const& hdr,
+					SMB_Body const& body)
+	{
+	binpac::SMB::SMB_tree_connect_andx req(hdr.unicode());
+
+	req.Parse(body.data(), body.data() + body.length());
+	set_andx(1, req.andx());
+
+	BroString* path = ExtractString(req.path());
+	BroString* service = ExtractString(req.service());
+
+	// Replicate path.
+	BroString* norm_path = new BroString(path->Bytes(), path->Len(), 1);
+	norm_path->ToUpper();
+
+	RecordVal* r = new RecordVal(smb_tree_connect);
+	r->Assign(0, new Val(req.flags(), TYPE_COUNT));
+	r->Assign(1, new StringVal(req.password_length(),
+					(const char*) req.password()));
+	r->Assign(3, new StringVal(path));
+	r->Assign(4, new StringVal(service));
+
+	if ( strstr_n(norm_path->Len(), norm_path->Bytes(), 5,
+		      (const u_char*) "\\IPC$") != -1 )
+		is_IPC = true;	// TODO: change is_IPC to 0 on tree_disconnect
+	else
+		is_IPC = false;
+
+	delete norm_path;
+
+	if ( smb_com_tree_connect_andx )
+		{
+		val_list* vl = new val_list;
+		vl->append(analyzer->BuildConnVal());
+		vl->append(BuildHeaderVal(hdr));
+		vl->append(r);
+
+		analyzer->ConnectionEvent(smb_com_tree_connect_andx, vl);
+		}
+	else
+		{
+		delete path;
+		delete service;
+		}
+
+	return 0;
+	}
+
+int SMB_Session::ParseTreeDisconnect(int is_orig,
+					binpac::SMB::SMB_header const& hdr,
+					SMB_Body const& body)
+	{
+	binpac::SMB::SMB_tree_disconnect msg(hdr.unicode());
+	msg.Parse(body.data(), body.data() + body.length());
+
+	if ( smb_com_nt_create_andx )
+		{
+		val_list* vl = new val_list;
+		vl->append(analyzer->BuildConnVal());
+		vl->append(BuildHeaderVal(hdr));
+
+		analyzer->ConnectionEvent(smb_com_tree_disconnect, vl);
+		}
+
+	return 0;
+	}
+
+int SMB_Session::ParseNtCreateAndx(binpac::SMB::SMB_header const& hdr,
+					SMB_Body const& body)
+	{
+	binpac::SMB::SMB_nt_create_andx req(hdr.unicode());
+	req.Parse(body.data(), body.data() + body.length());
+	set_andx(1, req.andx());
+
+	BroString* name = ExtractString(req.name());
+
+	IPC_pipe = (enum IPC_named_pipe) lookup_IPC_name(name);
+
+	if ( smb_com_nt_create_andx )
+		{
+		val_list* vl = new val_list;
+		vl->append(analyzer->BuildConnVal());
+		vl->append(BuildHeaderVal(hdr));
+		vl->append(new StringVal(name));
+
+		analyzer->ConnectionEvent(smb_com_nt_create_andx, vl);
+		}
+	else
+		delete name;
+
+	return 0;
+	}
+
+int SMB_Session::ParseReadAndx(binpac::SMB::SMB_header const& hdr,
+				SMB_Body const& body)
+	{
+	binpac::SMB::SMB_read_andx req;
+	req.Parse(body.data(), body.data() + body.length());
+	set_andx(1, req.andx());
+
+	if ( smb_com_read_andx )
+		{
+		val_list* vl = new val_list;
+		vl->append(analyzer->BuildConnVal());
+		vl->append(BuildHeaderVal(hdr));
+		vl->append(new StringVal(""));
+
+		analyzer->ConnectionEvent(smb_com_read_andx, vl);
+		}
+
+	return 0;
+	}
+
+int SMB_Session::ParseReadAndxResponse(binpac::SMB::SMB_header const& hdr,
+					SMB_Body const& body)
+	{
+	binpac::SMB::SMB_read_andx_response resp;
+	resp.Parse(body.data(), body.data() + body.length());
+	set_andx(0, resp.andx());
+
+	int data_count = resp.data_length();
+	const u_char* data = resp.data().begin();
+
+	if ( smb_com_read_andx )
+		{
+		val_list* vl = new val_list;
+		vl->append(analyzer->BuildConnVal());
+		vl->append(BuildHeaderVal(hdr));
+		vl->append(new StringVal(data_count, (const char*) data));
+
+		analyzer->ConnectionEvent(smb_com_read_andx, vl);
+		}
+
+	CheckRPC(0, data_count, data);
+
+	return 0;
+	}
+
+int SMB_Session::ParseWriteAndx(binpac::SMB::SMB_header const& hdr,
+				SMB_Body const& body)
+	{
+	binpac::SMB::SMB_write_andx req;
+	req.Parse(body.data(), body.data() + body.length());
+	set_andx(1, req.andx());
+
+	int data_count = req.data_length();
+	const u_char* data = req.data().begin();
+
+	if ( smb_com_write_andx )
+		{
+		val_list* vl = new val_list;
+		vl->append(analyzer->BuildConnVal());
+		vl->append(BuildHeaderVal(hdr));
+		vl->append(new StringVal(data_count, (const char*) data));
+
+		analyzer->ConnectionEvent(smb_com_write_andx, vl);
+		}
+
+	CheckRPC(1, data_count, data);
+
+	return 0;
+	}
+
+int SMB_Session::ParseWriteAndxResponse(binpac::SMB::SMB_header const& hdr,
+					SMB_Body const& body)
+	{
+	binpac::SMB::SMB_write_andx_response resp;
+	resp.Parse(body.data(), body.data() + body.length());
+	set_andx(0, resp.andx());
+
+	if ( smb_com_write_andx )
+		{
+		val_list* vl = new val_list;
+		vl->append(analyzer->BuildConnVal());
+		vl->append(BuildHeaderVal(hdr));
+		vl->append(new StringVal(""));
+
+		analyzer->ConnectionEvent(smb_com_write_andx, vl);
+		}
+
+	return 0;
+	}
+
+int SMB_Session::TransactionEvent(EventHandlerPtr f, int is_orig,
+				binpac::SMB::SMB_header const &hdr,
+				binpac::SMB::SMB_transaction const &trans,
+				int data_count,
+				binpac::SMB::SMB_transaction_data* data)
+	{
+	if ( f )
+		{
+		val_list* vl = new val_list;
+
+		vl->append(analyzer->BuildConnVal());
+		vl->append(BuildHeaderVal(hdr));
+		vl->append(BuildTransactionVal(trans));
+		vl->append(BuildTransactionDataVal(data));
+		vl->append(new Val(is_orig, TYPE_BOOL));
+
+		analyzer->ConnectionEvent(f, vl);
+		}
+
+	else if ( smb_com_transaction )
+		{ // generic transaction
+		}
+
+	return 0;
+	}
+
+int SMB_Session::TransactionEvent(EventHandlerPtr f, int is_orig,
+			binpac::SMB::SMB_header const &hdr,
+			binpac::SMB::SMB_transaction_secondary const &trans,
+			int data_count, binpac::SMB::SMB_transaction_data* data)
+	{
+	if ( f )
+		{
+		val_list* vl = new val_list;
+
+		vl->append(analyzer->BuildConnVal());
+		vl->append(BuildHeaderVal(hdr));
+		vl->append(BuildTransactionVal(trans));
+		vl->append(BuildTransactionDataVal(data));
+		vl->append(new Val(is_orig, TYPE_BOOL));
+
+		analyzer->ConnectionEvent(f, vl);
+		}
+
+	else if ( smb_com_transaction )
+		{ // generic transaction
+		}
+
+	return 0;
+	}
+
+int SMB_Session::TransactionEvent(EventHandlerPtr f, int is_orig,
+			binpac::SMB::SMB_header const &hdr,
+			binpac::SMB::SMB_transaction_response const &trans,
+			int data_count, binpac::SMB::SMB_transaction_data* data)
+	{
+	if ( f )
+		{
+		val_list* vl = new val_list;
+
+		vl->append(analyzer->BuildConnVal());
+		vl->append(BuildHeaderVal(hdr));
+		vl->append(BuildTransactionVal(trans));
+		vl->append(BuildTransactionDataVal(data));
+		vl->append(new Val(is_orig, TYPE_BOOL));
+
+		analyzer->ConnectionEvent(f, vl);
+		}
+
+	else if ( smb_com_transaction )
+		{ // generic transaction
+		}
+
+	return 0;
+	}
+
+int SMB_Session::ParseTransaction(int is_orig, int cmd,
+					binpac::SMB::SMB_header const& hdr,
+					SMB_Body const& body)
+	{
+	switch ( cmd ) {
+	case SMB_COM_TRANSACTION:
+	case SMB_COM_TRANSACTION2:
+	case SMB_COM_TRANSACTION_SECONDARY:
+	case SMB_COM_TRANSACTION2_SECONDARY:
+		break;
+
+	default:
+		internal_error("command mismatch for ParseTransaction");
+	}
+
+	int ret;
+	if ( is_orig )
+		{
+		if ( cmd == SMB_COM_TRANSACTION || cmd == SMB_COM_TRANSACTION2 )
+			ret = ParseTransactionRequest(cmd, hdr, body);
+
+		else if ( cmd == SMB_COM_TRANSACTION_SECONDARY ||
+		          cmd == SMB_COM_TRANSACTION2_SECONDARY )
+			ret = ParseTransactionSecondaryRequest(cmd, hdr, body);
+
+		else
+			ret = 0;
+		}
+	else
+		ret = ParseTransactionResponse(cmd, hdr, body);
+
+	return ret;
+	}
+
+int SMB_Session::ParseTransactionRequest(int cmd,
+					binpac::SMB::SMB_header const& hdr,
+					SMB_Body const& body)
+	{
+	binpac::SMB::SMB_transaction trans(cmd == SMB_COM_TRANSACTION ? 1 : 2,
+						hdr.unicode());
+
+	trans.Parse(body.data(), body.data() + body.length());
+
+	if ( transaction_name )
+		{
+		Unref(transaction_name);
+		transaction_name = 0;
+		}
+
+	if ( cmd == SMB_COM_TRANSACTION )
+		{
+		binpac::SMB::SMB_transaction_data* trans_data = trans.data();
+
+		//transaction_name = new StringVal(ExtractString(trans.name()));
+		//if ( is_orig )
+		//	Weird(fmt("smb_transaction subcmd: 0x%x", transaction_subcmd));
+
+		if ( trans_data->val_case_index() ==
+			binpac::SMB::SMB_MAILSLOT_BROWSE &&
+		     trans_data->mailslot() )
+			{ // Mailslot transaction event
+			return TransactionEvent(smb_com_trans_mailslot, true,
+				hdr, trans, trans.data_count(), trans.data());
+			}
+
+		else if ( trans_data->val_case_index() ==
+				binpac::SMB::SMB_PIPE && trans_data->pipe() )
+			{ // Pipe
+			return TransactionEvent(smb_com_trans_pipe, true, hdr,
+				trans, trans.data_count(), trans.data());
+			}
+
+		else if ( trans_data->val_case_index() ==
+				binpac::SMB::SMB_RAP && trans_data->rap() )
+			{ // Remote Administration Protocol
+			return TransactionEvent(smb_com_trans_rap, true, hdr,
+				trans, trans.data_count(), trans.data());
+			}
+
+		else
+			{
+			// SOME UNKNOWN TRANSACTION TYPE - COULD BE RPC STILL!
+			if ( trans.data_count() > 0 && trans.setup_count() == 2 )
+				{
+				if ( CheckRPC(true, trans.data_count(),
+					trans_data->pipe()->data().begin()) )
+					{
+					if ( cmd != SMB_COM_TRANSACTION ||
+					     transaction_subcmd != 0x26 )
+						Weird(fmt("RPC through unknown command: 0x%x/0x%x", cmd, transaction_subcmd));
+					}
+				}
+			}
+		}
+
+	if ( cmd == SMB_COM_TRANSACTION2 )
+		{
+		switch ( transaction_subcmd ) {
+		case 0x3: // QueryFSInfo
+		case 0x5: // QueryPathInfo
+		case 0x7: // QueryFileInfo
+		case 0x8: // SetFileInfo
+			break;
+
+		case 0x10:
+			// if ( is_orig )
+			return ParseGetDFSReferral(hdr, trans.param_count(),
+						trans.parameters().begin());
+
+		default:
+			// if ( is_orig )
+			Weird(fmt("Unknown smb_transaction2 subcmd: 0x%x",
+					transaction_subcmd));
+			break;
+		}
+		}
+
+	if ( smb_com_transaction )
+		return TransactionEvent(smb_com_transaction, true, hdr,
+					trans, trans.data_count(),
+					trans.data());
+	else
+		return 0;
+
+#if 0
+	// TODO: LANMAN transaction uses the first u_short of
+	// parameters as subcmd
+
+	if ( trans.setup_count() > 0 )
+		transaction_subcmd = (*trans.setup())[0];
+
+	else if ( strncmp( transaction_name->CheckString(), "\\PIPE\\", 6 ) == 0 )
+		transaction_subcmd = 0;
+
+	else if ( strncmp( transaction_name->CheckString(), "\\MAILSLOT\\", 10 ) == 0 )
+		transaction_subcmd = 0;
+
+	else
+		Weird("transaction_subcmd_missing");
+#endif
+	}
+
+int SMB_Session::ParseTransactionSecondaryRequest(int cmd,
+					binpac::SMB::SMB_header const& hdr,
+					SMB_Body const& body)
+	{
+	binpac::SMB::SMB_transaction_secondary trans(hdr.unicode());
+	trans.Parse(body.data(), body.data() + body.length());
+
+	return TransactionEvent(smb_com_transaction2, true, hdr,
+				trans, trans.data_count(), trans.data());
+	}
+
+int SMB_Session::ParseTransactionResponse(int cmd,
+					binpac::SMB::SMB_header const& hdr,
+					SMB_Body const& body)
+	{
+	binpac::SMB::SMB_transaction_response trans(hdr.unicode());
+	trans.Parse(body.data(), body.data() + body.length());
+
+	if ( body.word_count() == 0 )
+		{ // interim response
+		// Does the transaction get parsed correctly?!
+		return TransactionEvent(smb_com_transaction, false, hdr,
+					trans, 0, NULL);
+		}
+
+	return TransactionEvent(smb_com_transaction, false, hdr,
+				trans, trans.data_count(), trans.data());
+	}
+
+int SMB_Session::ParseGetDFSReferral(binpac::SMB::SMB_header const& hdr,
+					int param_count, const u_char* param)
+	{
+	binpac::SMB::SMB_get_dfs_referral req(hdr.unicode());
+	req.Parse(param, param + param_count);
+
+	if ( smb_get_dfs_referral )
+		{
+		val_list* vl = new val_list;
+		vl->append(analyzer->BuildConnVal());
+		vl->append(BuildHeaderVal(hdr));
+		vl->append(new Val(req.max_referral_level(), TYPE_COUNT));
+		vl->append(new StringVal(ExtractString(req.file_name())));
+
+		analyzer->ConnectionEvent(smb_get_dfs_referral, vl);
+		}
+
+	return 0;
+	}
+
+int SMB_Session::AndxOffset(int is_orig, int& next_command) const
+	{
+	if ( ! andx(is_orig) )
+		return -1;
+
+	next_command = andx(is_orig)->command();
+	if ( next_command != 0xff )
+		return andx(is_orig)->offset();
+	else
+		return -1;
+	}
+
+void SMB_Session::Weird(const char* msg)
+	{
+	analyzer->Weird(msg);
+	}
+
+// Extract a NUL-terminated string from [data, data+len-1]. The
+// input can be in Unicode (little endian), and the returned string
+// will be in ASCII.  Note, Unicode strings have NUL characters
+// at the end of them already.  Adding an additional NUL byte at
+// the end leads to embedded-NUL warnings (CheckString() run_time error).
+
+BroString* SMB_Session::ExtractString(binpac::SMB::SMB_string const* s)
+	{
+	return s->unicode() ? ExtractString(s->u()) : ExtractString(s->a());
+	}
+
+BroString* SMB_Session::ExtractString(binpac::SMB::SMB_ascii_string const* s)
+	{
+	bool add_NUL = true;
+	int n = s->size();
+
+	if ( n > 0 && (*s)[n - 1] == '\0' )
+		add_NUL = false;	// already has a NUL
+
+	if ( add_NUL )
+		++n;
+
+	u_char* b = new u_char[n];
+	int i;
+	for ( i = 0; i < int(s->size()); ++i )
+		b[i] = (*s)[i];
+
+	if ( add_NUL )
+		b[i] = '\0';
+
+	return new BroString(1, b, n - 1);
+	}
+
+BroString* SMB_Session::ExtractString(binpac::SMB::SMB_unicode_string const* s)
+	{
+	bool add_NUL = true;
+	int n = s->s()->size();
+
+	if ( n > 0 && ((*s->s())[n - 1] & 0xff) == '\0' )
+		add_NUL = false;	// already has a NUL
+
+	if ( add_NUL )
+		++n;
+
+	u_char* b = new u_char[n];
+
+	int i;
+	for ( i = 0; i < int(s->s()->size()); ++i )
+		{
+		uint16 x = (*s->s())[i];
+		if ( x & 0xff00 )
+			Weird(fmt("unicode string confusion: 0x%04x", x));
+
+		b[i] = u_char(x & 0xff);
+		}
+
+	if ( add_NUL )
+		b[i] = '\0';
+
+	return new BroString(1, b, n - 1);
+	}
+
+Val* SMB_Session::BuildHeaderVal(binpac::SMB::SMB_header const& hdr)
+	{
+	RecordVal* r = new RecordVal(smb_hdr);
+
+	unsigned int status = 0;
+
+	try
+		{
+		// FIXME: does this work?  We need to catch exceptions :-(
+		// or use guard functions.
+		status = hdr.status()->status() ||
+			    hdr.status()->dos_error()->error_class() << 24 ||
+			    hdr.status()->dos_error()->error();
+		}
+	catch ( const binpac::Exception& )
+		{ // do nothing
+		}
+
+	r->Assign(0, new Val(hdr.command(), TYPE_COUNT));
+	r->Assign(1, new Val(status, TYPE_COUNT));
+	r->Assign(2, new Val(hdr.flags(), TYPE_COUNT));
+	r->Assign(3, new Val(hdr.flags2(), TYPE_COUNT));
+	r->Assign(4, new Val(hdr.tid(), TYPE_COUNT));
+	r->Assign(5, new Val(hdr.pid(), TYPE_COUNT));
+	r->Assign(6, new Val(hdr.uid(), TYPE_COUNT));
+	r->Assign(7, new Val(hdr.mid(), TYPE_COUNT));
+
+	return r;
+	}
+
+Val* SMB_Session::BuildTransactionVal(binpac::SMB::SMB_transaction const& trans)
+	{
+	RecordVal* r = new RecordVal(smb_trans);
+
+	// r->Assign(0, new Val(variable, type));
+
+	return r;
+	}
+
+Val* SMB_Session::BuildTransactionVal(binpac::SMB::SMB_transaction_secondary const& trans)
+	{
+	RecordVal* r = new RecordVal(smb_trans);
+
+	// r->Assign(0, new Val(variable, type));
+
+	return r;
+	}
+
+Val* SMB_Session::BuildTransactionVal(binpac::SMB::SMB_transaction_response const& trans)
+	{
+	RecordVal* r = new RecordVal(smb_trans);
+
+	// r->Assign(0, new Val(variable, type));
+
+	return r;
+	}
+
+Val* SMB_Session::BuildTransactionDataVal(binpac::SMB::SMB_transaction_data *data)
+	{
+	RecordVal* r = new RecordVal(smb_trans_data);
+
+	// r->Assign(0, new Val(variable, type));
+
+	return r;
+	}
+
+bool SMB_Session::LooksLikeRPC(int len, const u_char* msg)
+	{
+	try
+		{
+		binpac::DCE_RPC_Simple::DCE_RPC_Header h;
+		h.Parse(msg, msg + len);
+
+		if ( h.rpc_vers() == 5 && h.rpc_vers_minor() == 0 )
+			{
+			unsigned short frag_len = h.frag_length();
+			if ( frag_len == len ||
+			     BYTEORDER_SWAP16(frag_len) == len )
+				{
+				if ( ! is_IPC && DEBUG_smb_ipc )
+					analyzer->Weird("TreeConnect to IPC missing");
+				return true;
+				}
+			else
+				{
+				analyzer->Weird(fmt("endianness %d", h.byteorder()));
+				analyzer->Weird(fmt("length mismatch: %d != %d",
+					h.frag_length(), len));
+				return false;
+				}
+			}
+		}
+	catch ( const binpac::Exception& )
+		{ // do nothing
+		}
+
+	return false;
+	}
+
+bool SMB_Session::CheckRPC(int is_orig, int data_count, const u_char *data)
+	{
+	if ( LooksLikeRPC(data_count, data) )
+		{
+		if ( ! dce_rpc_session )
+			dce_rpc_session = new DCE_RPC_Session(analyzer);
+
+		dce_rpc_session->DeliverPDU(is_orig, data_count, data);
+
+		return true;
+		}
+
+	return false;
+	}
+
+Contents_SMB::Contents_SMB(Connection* conn, bool orig, SMB_Session* s)
+: TCP_SupportAnalyzer(AnalyzerTag::Contents_SMB, conn, orig)
+	{
+	smb_session = s;
+	msg_buf = 0;
+	msg_len = 0;
+	buf_len = 0;
+	buf_n = 0;
+	}
+
+void Contents_SMB::InitMsgBuf()
+	{
+	delete [] msg_buf;
+	msg_buf = new u_char[msg_len];
+	buf_len = msg_len;
+	buf_n = 0;
+	}
+
+Contents_SMB::~Contents_SMB()
+	{
+	delete [] msg_buf;
+	}
+
+void Contents_SMB::DeliverSMB(int len, const u_char* data)
+	{
+	// Check the 4-byte header.
+	if ( strncmp((const char*) data, "\xffSMB", 4) )
+		{
+		Conn()->Weird(fmt("SMB-over-TCP header error: %02x%02x%02x%02x, \\x%02x%c%c%c",
+			dshdr[0], dshdr[1], dshdr[2], dshdr[3],
+			data[0], data[1], data[2], data[3]));
+		SetSkip(1);
+		}
+	else
+		smb_session->Deliver(IsOrig(), len, data);
+
+	buf_n = 0;
+	msg_len = 0;
+	}
+
+void Contents_SMB::DeliverStream(int len, const u_char* data, bool orig)
+	{
+	TCP_SupportAnalyzer::DeliverStream(len, data, orig);
+
+	while ( len > 0 )
+		{
+		if ( ! msg_len )
+			{
+			// Get the SMB-over-TCP header (4 bytes).
+			while ( buf_n < 4 && len > 0 )
+				{
+				dshdr[buf_n] = *data;
+				++buf_n; ++data; --len;
+				}
+
+			if ( buf_n < 4 )
+				return;
+
+			buf_n = 0;
+			for ( int i = 1; i < 4; ++i )
+				msg_len = ( msg_len << 8 ) + dshdr[i];
+
+			if ( dshdr[0] != 0 )
+				{
+				// Netbios header indicates this is NOT
+				// a session message ...
+				//	0x81 = session request
+				//	0x82 = positive response
+				//	0x83 = neg response
+				//	0x84 = retarget(?)
+				//	0x85 = keepalive
+				// Maybe we should just generate a Netbios
+				// event and die?
+				Conn()->Weird("SMB checked Netbios type and found != 0");
+				SetSkip(1);
+				return;
+				}
+
+			else if ( msg_len <= 4 )
+				{
+				Conn()->Weird("SMB message length error");
+				SetSkip(1);
+				return;
+				}
+			}
+
+		if ( buf_n == 0 && msg_len <= len )
+			{
+			// The fast lane:
+			// Keep msg_len -- it will be changed in DeliverSMB
+			int mlen = msg_len;
+			DeliverSMB(msg_len, data);
+			len -= mlen;
+			data += mlen;
+			}
+
+		else
+			{
+			if ( buf_len < msg_len )
+				InitMsgBuf();
+
+			while ( buf_n < msg_len && len > 0 )
+				{
+				msg_buf[buf_n] = *data;
+				++buf_n;
+				++data;
+				--len;
+				}
+
+			if ( buf_n < msg_len )
+				return;
+
+			DeliverSMB(msg_len, msg_buf);
+			}
+		}
+	}
+
+SMB_Analyzer::SMB_Analyzer(Connection* conn)
+: TCP_ApplicationAnalyzer(AnalyzerTag::SMB, conn)
+	{
+	smb_session = new SMB_Session(this);
+	o_smb = new Contents_SMB(conn, true, smb_session);
+	r_smb = new Contents_SMB(conn, false, smb_session);
+	AddSupportAnalyzer(o_smb);
+	AddSupportAnalyzer(r_smb);
+	}
+
+SMB_Analyzer::~SMB_Analyzer()
+	{
+	delete smb_session;
+	}
diff --git a/src/SMB.h b/src/SMB.h
new file mode 100644
index 0000000000..d41ef7f9e0
--- /dev/null
+++ b/src/SMB.h
@@ -0,0 +1,217 @@
+// $Id: SMB.h 6219 2008-10-01 05:39:07Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#ifndef smb_h
+#define smb_h
+
+// SMB (CIFS) analyzer.
+// Reference: http://www.snia.org/tech_activities/CIFS/CIFS-TR-1p00_FINAL.pdf
+
+#include "TCP.h"
+#include "DCE_RPC.h"
+#include "smb_pac.h"
+
+enum IPC_named_pipe {
+	IPC_NONE,
+	IPC_LOCATOR,
+	IPC_EPMAPPER,
+	IPC_SAMR,	// Security Account Manager
+};
+
+class SMB_Body : public binpac::SMB::SMB_body {
+public:
+	SMB_Body(const u_char* data, const u_char* data_end)
+		: binpac::SMB::SMB_body()
+		{
+		data_ = data;
+		Parse(data, data_end);
+		data_length_ = body_length();
+		if ( data + data_length_ > data_end )
+			data_length_ = data_end - data;
+		}
+
+	const u_char* data() const	{ return data_; }
+	int length() const 		{ return data_length_; }
+
+protected:
+	const u_char* data_;
+	int data_length_;
+};
+
+class SMB_Session {
+public:
+	SMB_Session(Analyzer* analyzer);
+	~SMB_Session();
+
+	void Deliver(int is_orig, int len, const u_char* msg);
+
+	static bool any_smb_event()
+		{
+		return smb_message ||
+			smb_com_tree_connect_andx ||
+			smb_com_nt_create_andx || smb_com_transaction ||
+			smb_com_transaction2 || smb_com_read_andx ||
+			smb_com_write_andx;
+		}
+
+protected:
+	void ParseMessage(int is_orig, int cmd,
+				binpac::SMB::SMB_header const &hdr,
+				SMB_Body const &body);
+
+	int ParseNegotiate(binpac::SMB::SMB_header const &hdr,
+				SMB_Body const &body);
+
+	int ParseNegotiateResponse(binpac::SMB::SMB_header const &hdr,
+				SMB_Body const &body);
+
+	int ParseAndx(int is_orig, binpac::SMB::SMB_header const &hdr,
+				SMB_Body const &body);
+
+	int ParseClose(int is_orig, binpac::SMB::SMB_header const &hdr,
+				SMB_Body const &body);
+
+	int ParseLogoffAndx(int is_orig, binpac::SMB::SMB_header const &hdr,
+				SMB_Body const &body);
+
+	int ParseSetupAndx(int is_orig, binpac::SMB::SMB_header const &hdr,
+				SMB_Body const &body);
+
+	int ParseTreeConnectAndx(binpac::SMB::SMB_header const &hdr,
+				SMB_Body const &body);
+
+	int ParseTreeDisconnect(int is_orig, binpac::SMB::SMB_header const &hdr,
+				SMB_Body const &body);
+
+	int ParseNtCreateAndx(binpac::SMB::SMB_header const &hdr,
+				SMB_Body const &body);
+
+	int ParseReadAndx(binpac::SMB::SMB_header const &hdr,
+				SMB_Body const &body);
+
+	int ParseReadAndxResponse(binpac::SMB::SMB_header const &hdr,
+				SMB_Body const &body);
+
+	int ParseWriteAndx(binpac::SMB::SMB_header const &hdr,
+				SMB_Body const &body);
+
+	int ParseWriteAndxResponse(binpac::SMB::SMB_header const &hdr,
+				SMB_Body const &body);
+
+	int ParseTransaction(int is_orig, int cmd,
+				binpac::SMB::SMB_header const &hdr,
+				SMB_Body const &body);
+
+	int TransactionEvent(EventHandlerPtr f, int is_orig,
+				binpac::SMB::SMB_header const &hdr,
+				binpac::SMB::SMB_transaction const &trans,
+				int data_count,
+				binpac::SMB::SMB_transaction_data* data);
+
+	int TransactionEvent(EventHandlerPtr f, int is_orig,
+				binpac::SMB::SMB_header const &hdr,
+				binpac::SMB::SMB_transaction_secondary const &trans,
+				int data_count,
+				binpac::SMB::SMB_transaction_data* data);
+
+	int TransactionEvent(EventHandlerPtr f, int is_orig,
+				binpac::SMB::SMB_header const &hdr,
+				binpac::SMB::SMB_transaction_response const &trans,
+				int data_count,
+				binpac::SMB::SMB_transaction_data* data);
+
+	int ParseTransactionRequest(int cmd,
+				binpac::SMB::SMB_header const &hdr,
+				SMB_Body const &body);
+
+	int ParseTransactionSecondaryRequest(int cmd,
+				binpac::SMB::SMB_header const &hdr,
+				SMB_Body const &body);
+
+	int ParseTransactionResponse(int cmd,
+				binpac::SMB::SMB_header const &hdr,
+				SMB_Body const &body);
+
+	int ParseGetDFSReferral(binpac::SMB::SMB_header const &hdr,
+				int param_count, const u_char* param);
+
+	BroString* ExtractString(binpac::SMB::SMB_string const* s);
+	BroString* ExtractString(binpac::SMB::SMB_ascii_string const* s);
+	BroString* ExtractString(binpac::SMB::SMB_unicode_string const* s);
+
+	bool LooksLikeRPC(int len, const u_char* msg);
+	bool CheckRPC(int is_orig, int len, const u_char* msg);
+
+	int AndxOffset(int is_orig, int &next_command) const;
+
+	void Weird(const char* msg);
+
+	const binpac::SMB::SMB_andx* const andx(int is_orig) const
+		{
+		return is_orig ? andx_[1] : andx_[0];
+		}
+
+	void set_andx(int is_orig, binpac::SMB::SMB_andx* andx);
+	 
+	Val* BuildHeaderVal(binpac::SMB::SMB_header const &hdr);
+	Val* BuildTransactionVal(binpac::SMB::SMB_transaction const &trans);
+	Val* BuildTransactionVal(binpac::SMB::SMB_transaction_secondary const &trans);
+	Val* BuildTransactionVal(binpac::SMB::SMB_transaction_response const &trans);
+	Val* BuildTransactionDataVal(binpac::SMB::SMB_transaction_data* data);
+
+	Analyzer* analyzer;
+	DCE_RPC_Session* dce_rpc_session;
+	enum IPC_named_pipe IPC_pipe;
+	int is_IPC;
+	int req_cmd;
+	uint16 transaction_subcmd;
+	bool smb_mailslot_prot;
+	bool smb_pipe_prot;
+	StringVal* transaction_name;
+	binpac::SMB::SMB_andx* andx_[2];
+};
+
+class Contents_SMB : public TCP_SupportAnalyzer {
+public:
+	Contents_SMB(Connection* conn, bool orig, SMB_Session* smb_session);
+	~Contents_SMB();
+
+	virtual void DeliverStream(int len, const u_char* data, bool orig);
+
+protected:
+	void InitMsgBuf();
+
+	void DeliverSMB(int len, const u_char* data);
+
+	SMB_Session* smb_session;
+	u_char dshdr[4];
+	u_char* msg_buf;
+	int msg_len;
+	int buf_n;	// number of bytes in msg_buf
+	int buf_len;	// size off msg_buf
+};
+
+class SMB_Analyzer : public TCP_ApplicationAnalyzer {
+public:
+	SMB_Analyzer(Connection* conn);
+	~SMB_Analyzer();
+
+	static Analyzer* InstantiateAnalyzer(Connection* conn)
+		{ return new SMB_Analyzer(conn); }
+
+	static bool Available()
+		{
+		return SMB_Session::any_smb_event() ||
+			DCE_RPC_Session::any_dce_rpc_event();
+		}
+
+	int RewritingTrace()	{ return rewriting_smb_trace; }
+
+protected:
+	SMB_Session* smb_session;
+	Contents_SMB* o_smb;
+	Contents_SMB* r_smb;
+};
+
+#endif
diff --git a/src/SMB_COM.def b/src/SMB_COM.def
new file mode 100644
index 0000000000..c9b04bc380
--- /dev/null
+++ b/src/SMB_COM.def
@@ -0,0 +1,75 @@
+SMB_COMMAND(SMB_COM_CREATE_DIRECTORY, 0x00)
+SMB_COMMAND(SMB_COM_DELETE_DIRECTORY, 0x01)
+SMB_COMMAND(SMB_COM_OPEN, 0x02)
+SMB_COMMAND(SMB_COM_CREATE, 0x03)
+SMB_COMMAND(SMB_COM_CLOSE, 0x04)
+SMB_COMMAND(SMB_COM_FLUSH, 0x05)
+SMB_COMMAND(SMB_COM_DELETE, 0x06)
+SMB_COMMAND(SMB_COM_RENAME, 0x07)
+SMB_COMMAND(SMB_COM_QUERY_INFORMATION, 0x08)
+SMB_COMMAND(SMB_COM_SET_INFORMATION, 0x09)
+SMB_COMMAND(SMB_COM_READ, 0x0A)
+SMB_COMMAND(SMB_COM_WRITE, 0x0B)
+SMB_COMMAND(SMB_COM_LOCK_BYTE_RANGE, 0x0C)
+SMB_COMMAND(SMB_COM_UNLOCK_BYTE_RANGE, 0x0D)
+SMB_COMMAND(SMB_COM_CREATE_TEMPORARY, 0x0E)
+SMB_COMMAND(SMB_COM_CREATE_NEW, 0x0F)
+SMB_COMMAND(SMB_COM_CHECK_DIRECTORY, 0x10)
+SMB_COMMAND(SMB_COM_PROCESS_EXIT, 0x11)
+SMB_COMMAND(SMB_COM_SEEK, 0x12)
+SMB_COMMAND(SMB_COM_LOCK_AND_READ, 0x13)
+SMB_COMMAND(SMB_COM_WRITE_AND_UNLOCK, 0x14)
+SMB_COMMAND(SMB_COM_READ_RAW, 0x1A)
+SMB_COMMAND(SMB_COM_READ_MPX, 0x1B)
+SMB_COMMAND(SMB_COM_READ_MPX_SECONDARY, 0x1C)
+SMB_COMMAND(SMB_COM_WRITE_RAW, 0x1D)
+SMB_COMMAND(SMB_COM_WRITE_MPX, 0x1E)
+SMB_COMMAND(SMB_COM_WRITE_MPX_SECONDARY, 0x1F)
+SMB_COMMAND(SMB_COM_WRITE_COMPLETE, 0x20)
+SMB_COMMAND(SMB_COM_QUERY_SERVER, 0x21)
+SMB_COMMAND(SMB_COM_SET_INFORMATION2, 0x22)
+SMB_COMMAND(SMB_COM_QUERY_INFORMATION2, 0x23)
+SMB_COMMAND(SMB_COM_LOCKING_ANDX, 0x24)
+SMB_COMMAND(SMB_COM_TRANSACTION, 0x25)
+SMB_COMMAND(SMB_COM_TRANSACTION_SECONDARY, 0x26)
+SMB_COMMAND(SMB_COM_IOCTL, 0x27)
+SMB_COMMAND(SMB_COM_IOCTL_SECONDARY, 0x28)
+SMB_COMMAND(SMB_COM_COPY, 0x29)
+SMB_COMMAND(SMB_COM_MOVE, 0x2A)
+SMB_COMMAND(SMB_COM_ECHO, 0x2B)
+SMB_COMMAND(SMB_COM_WRITE_AND_CLOSE, 0x2C)
+SMB_COMMAND(SMB_COM_OPEN_ANDX, 0x2D)
+SMB_COMMAND(SMB_COM_READ_ANDX, 0x2E)
+SMB_COMMAND(SMB_COM_WRITE_ANDX, 0x2F)
+SMB_COMMAND(SMB_COM_NEW_FILE_SIZE, 0x30)
+SMB_COMMAND(SMB_COM_CLOSE_AND_TREE_DISC, 0x31)
+SMB_COMMAND(SMB_COM_TRANSACTION2, 0x32)
+SMB_COMMAND(SMB_COM_TRANSACTION2_SECONDARY, 0x33)
+SMB_COMMAND(SMB_COM_FIND_CLOSE2, 0x34)
+SMB_COMMAND(SMB_COM_FIND_NOTIFY_CLOSE, 0x35)
+
+// Used by Xenix/Unix 0x60 - 0x6E.
+
+SMB_COMMAND(SMB_COM_TREE_CONNECT, 0x70)
+SMB_COMMAND(SMB_COM_TREE_DISCONNECT, 0x71)
+SMB_COMMAND(SMB_COM_NEGOTIATE, 0x72)
+SMB_COMMAND(SMB_COM_SESSION_SETUP_ANDX, 0x73)
+SMB_COMMAND(SMB_COM_LOGOFF_ANDX, 0x74)
+SMB_COMMAND(SMB_COM_TREE_CONNECT_ANDX, 0x75)
+SMB_COMMAND(SMB_COM_QUERY_INFORMATION_DISK, 0x80)
+SMB_COMMAND(SMB_COM_SEARCH, 0x81)
+SMB_COMMAND(SMB_COM_FIND, 0x82)
+SMB_COMMAND(SMB_COM_FIND_UNIQUE, 0x83)
+SMB_COMMAND(SMB_COM_FIND_CLOSE, 0x84)
+SMB_COMMAND(SMB_COM_NT_TRANSACT, 0xA0)
+SMB_COMMAND(SMB_COM_NT_TRANSACT_SECONDARY, 0xA1)
+SMB_COMMAND(SMB_COM_NT_CREATE_ANDX, 0xA2)
+SMB_COMMAND(SMB_COM_NT_CANCEL, 0xA4)
+SMB_COMMAND(SMB_COM_NT_RENAME, 0xA5)
+SMB_COMMAND(SMB_COM_OPEN_PRINT_FILE, 0xC0)
+SMB_COMMAND(SMB_COM_WRITE_PRINT_FILE, 0xC1)
+SMB_COMMAND(SMB_COM_CLOSE_PRINT_FILE, 0xC2)
+SMB_COMMAND(SMB_COM_GET_PRINT_QUEUE, 0xC3)
+SMB_COMMAND(SMB_COM_READ_BULK, 0xD8)
+SMB_COMMAND(SMB_COM_WRITE_BULK, 0xD9)
+SMB_COMMAND(SMB_COM_WRITE_BULK_DATA, 0xDA)
diff --git a/src/SMTP.cc b/src/SMTP.cc
new file mode 100644
index 0000000000..f16dc8ae2e
--- /dev/null
+++ b/src/SMTP.cc
@@ -0,0 +1,889 @@
+// $Id: SMTP.cc 6782 2009-06-28 02:19:03Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "config.h"
+
+#include <stdlib.h>
+
+#include "NetVar.h"
+#include "SMTP.h"
+#include "Event.h"
+#include "ContentLine.h"
+#include "TCP_Rewriter.h"
+
+#undef SMTP_CMD_DEF
+#define SMTP_CMD_DEF(cmd)	#cmd,
+
+static const char* smtp_cmd_word[] = {
+#include "SMTP_cmd.def"
+};
+
+#define SMTP_CMD_WORD(code) ((code >= 0) ? smtp_cmd_word[code] : "(UNKNOWN)")
+
+
+SMTP_Analyzer::SMTP_Analyzer(Connection* conn)
+: TCP_ApplicationAnalyzer(AnalyzerTag::SMTP, conn)
+	{
+	expect_sender = 0;
+	expect_recver = 1;
+	state = SMTP_CONNECTED;
+	last_replied_cmd = -1;
+	first_cmd = SMTP_CMD_CONN_ESTABLISHMENT;
+	pending_reply = 0;
+
+	// Some clients appear to assume pipelining is always enabled
+	// and do not bother to check whether "PIPELINING" appears in
+	// the server reply to EHLO.
+	pipelining = 1;
+
+	skip_data = 0;
+	orig_is_sender = true;
+	line_after_gap = 0;
+	mail = 0;
+	UpdateState(first_cmd, 0);
+	ContentLine_Analyzer* cl_orig = new ContentLine_Analyzer(conn, true);
+	cl_orig->SetIsNULSensitive(true);
+	cl_orig->SetSkipPartial(true);
+	AddSupportAnalyzer(cl_orig);
+
+	ContentLine_Analyzer* cl_resp = new ContentLine_Analyzer(conn, false);
+	cl_resp->SetIsNULSensitive(true);
+	cl_resp->SetSkipPartial(true);
+	AddSupportAnalyzer(cl_resp);
+	}
+
+void SMTP_Analyzer::ConnectionFinished(int half_finished)
+	{
+	TCP_ApplicationAnalyzer::ConnectionFinished(half_finished);
+
+	if ( ! half_finished && mail )
+		EndData();
+	}
+
+SMTP_Analyzer::~SMTP_Analyzer()
+	{
+	delete line_after_gap;
+	}
+
+void SMTP_Analyzer::Done()
+	{
+	TCP_ApplicationAnalyzer::Done();
+
+	if ( mail )
+		EndData();
+	}
+
+void SMTP_Analyzer::Undelivered(int seq, int len, bool is_orig)
+	{
+	TCP_ApplicationAnalyzer::Undelivered(seq, len, is_orig);
+
+	if ( len <= 0 )
+		return;
+
+	const char* buf = fmt("seq = %d, len = %d", seq, len);
+	int buf_len = strlen(buf);
+
+	Unexpected(is_orig, "content gap", buf_len, buf);
+
+	if ( state == SMTP_IN_DATA )
+		// Record the SMTP data gap and terminate the
+		// ongoing mail transaction.
+		EndData();
+
+	if ( line_after_gap )
+		{
+		delete line_after_gap;
+		line_after_gap = 0;
+		}
+
+	pending_cmd_q.clear();
+
+	first_cmd = last_replied_cmd = -1;
+
+	// Missing either the sender's packets or their replies
+	// (e.g. code 354) is critical, so we set state to SMTP_AFTER_GAP
+	// in both cases
+	state = SMTP_AFTER_GAP;
+	}
+
+void SMTP_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
+	{
+	TCP_ApplicationAnalyzer::DeliverStream(length, line, orig);
+
+	// NOTE: do not use IsOrig() here, because of TURN command.
+	int is_sender = orig_is_sender ? orig : ! orig;
+
+#if 0
+	###
+	if ( line[length] != '\r' || line[length+1] != '\n' )
+		Unexpected(is_sender, "line does not end with <CR><LF>", length, line);
+#endif
+
+	// Some weird client uses '\r\r\n' for end-of-line sequence
+	// So we make a compromise here to allow /(\r)*\n/ as end-of-line sequences
+	if ( length > 0 && line[length-1] == '\r' )
+		{
+		Unexpected(is_sender, "more than one <CR> at the end of line", length, (const char*) line);
+		do
+			--length;
+		while ( length > 0 && line[length-1] == '\r' );
+		}
+
+	for ( int i = 0; i < length; ++i )
+		if ( line[i] == '\r' || line[i] == '\n' )
+			{
+			Unexpected(is_sender, "Bare <CR> or <LF> appears in the middle of line",
+				   length, (const char*) line);
+			break;
+			}
+
+	ProcessLine(length, (const char*) line, orig);
+	}
+
+
+void SMTP_Analyzer::ProcessLine(int length, const char* line, bool orig)
+	{
+	const char* end_of_line = line + length;
+	if ( state == SMTP_IN_TLS )
+		// Do not try to parse contents after STARTTLS/220.
+		return;
+
+	int cmd_len = 0;
+	const char* cmd = "";
+
+	// NOTE: do not use IsOrig() here, because of TURN command.
+	int is_sender = orig_is_sender ? orig : ! orig;
+
+	if ( ! pipelining &&
+	     ((is_sender && ! expect_sender) ||
+	      (! is_sender && ! expect_recver)) )
+		Unexpected(is_sender, "out of order", length, line);
+
+	if ( is_sender )
+		{
+		int cmd_code = -1;
+
+		if ( state == SMTP_AFTER_GAP )
+			{
+			// Don't know whether it is a command line or
+			// a data line.
+			if ( line_after_gap )
+				delete line_after_gap;
+
+			line_after_gap =
+				new BroString((const u_char *) line, length, 1);
+			}
+
+		else if ( state == SMTP_IN_DATA && line[0] == '.' && length == 1 )
+			{
+			cmd = ".";
+			cmd_len = 1;
+			cmd_code = SMTP_CMD_END_OF_DATA;
+			NewCmd(cmd_code);
+
+			expect_sender = 0;
+			expect_recver = 1;
+			}
+
+		else if ( state == SMTP_IN_DATA )
+			{
+			// Check "." for end of data.
+			expect_recver = 0; // ?? MAY server respond to mail data?
+
+			if ( line[0] == '.' )
+				++line;
+
+			int data_len = end_of_line - line;
+
+			if ( ! mail )
+				// This can happen if we're already shut
+				// down the connection due to seeing a RST
+				// but are now processing packets sent
+				// afterwards (because, e.g., the RST was
+				// dropped or ignored).
+				BeginData();
+
+			ProcessData(data_len, line);
+
+			if ( smtp_data && ! skip_data )
+				{
+				val_list* vl = new val_list;
+				vl->append(BuildConnVal());
+				vl->append(new Val(orig, TYPE_BOOL));
+				vl->append(new StringVal(data_len, line));
+				ConnectionEvent(smtp_data, vl);
+				}
+			}
+
+		else if ( state == SMTP_IN_AUTH )
+			{
+			cmd = "***";
+			cmd_len = 2;
+			cmd_code = SMTP_CMD_AUTH_ANSWER;
+			NewCmd(cmd_code);
+			}
+
+		else
+			{
+			expect_sender = 0;
+			expect_recver = 1;
+
+			get_word(length, line, cmd_len, cmd);
+			line = skip_whitespace(line + cmd_len, end_of_line);
+			cmd_code = ParseCmd(cmd_len, cmd);
+
+			if ( cmd_code == -1 )
+				{
+				Unexpected(1, "unknown command", cmd_len, cmd);
+				cmd = 0;
+				}
+			else
+				NewCmd(cmd_code);
+			}
+
+		// Generate smtp_request event
+		if ( cmd_code >= 0 )
+			{
+			// In order for all MIME events nested
+			// between SMTP command DATA and END_OF_DATA,
+			// we need to call UpdateState(), which in
+			// turn calls BeginData() and EndData(),  and
+			// RequestEvent() in different orders for the
+			// two commands.
+			if ( cmd_code == SMTP_CMD_END_OF_DATA )
+				UpdateState(cmd_code, 0);
+
+			if ( smtp_request )
+				{
+				int data_len = end_of_line - line;
+				RequestEvent(cmd_len, cmd, data_len, line);
+				}
+
+			if ( cmd_code != SMTP_CMD_END_OF_DATA )
+				UpdateState(cmd_code, 0);
+			}
+		}
+
+	else
+		{
+		int reply_code;
+
+		if ( length >= 3 &&
+		     isdigit(line[0]) && isdigit(line[1]) && isdigit(line[2]) )
+			{
+			reply_code = (line[0] - '0') * 100 +
+					(line[1] - '0') * 10 +
+					(line[2] - '0');
+			}
+		else
+			reply_code = -1;
+
+		// The first digit of reply code must be between 1 and 5,
+		// and the second between 0 and 5 (RFC 2821).  But sometimes
+		// we see 5xx codes larger than 559, so we still tolerate that.
+		if ( reply_code < 100 || reply_code > 599 )
+			{
+			reply_code = -1;
+			Unexpected(is_sender, "reply code out of range", length, line);
+			ProtocolViolation(fmt("reply code %d out of range",
+						reply_code), line, length);
+			}
+
+		else
+			{ // Valid reply code.
+			if ( pending_reply && reply_code != pending_reply )
+				{
+				Unexpected(is_sender, "reply code does not match the continuing reply", length, line);
+				pending_reply = 0;
+				}
+
+			if ( ! pending_reply && reply_code >= 0 )
+				// It is not a continuation.
+				NewReply(reply_code);
+
+			// Update pending_reply.
+			if ( reply_code >= 0 && length > 3 && line[3] == '-' )
+				{ // A continued reply.
+				pending_reply = reply_code;
+				line = skip_whitespace(line+4, end_of_line);
+				}
+
+			else
+				{ // This is the end of the reply.
+				line = skip_whitespace(line+3, end_of_line);
+
+				pending_reply = 0;
+				expect_sender = 1;
+				expect_recver = 0;
+				}
+
+			// Generate events.
+			if ( smtp_reply && reply_code >= 0 )
+				{
+				const int cmd_code = last_replied_cmd;
+				switch ( cmd_code ) {
+					case SMTP_CMD_CONN_ESTABLISHMENT:
+						cmd = ">";
+						break;
+
+					case SMTP_CMD_END_OF_DATA:
+						cmd = ".";
+						break;
+
+					default:
+						cmd = SMTP_CMD_WORD(cmd_code);
+						break;
+				}
+
+				val_list* vl = new val_list;
+				vl->append(BuildConnVal());
+				vl->append(new Val(orig, TYPE_BOOL));
+				vl->append(new Val(reply_code, TYPE_COUNT));
+				vl->append(new StringVal(cmd));
+				vl->append(new StringVal(end_of_line - line, line));
+				vl->append(new Val((pending_reply > 0), TYPE_BOOL));
+
+				ConnectionEvent(smtp_reply, vl);
+				}
+			}
+
+		// Process SMTP extensions, e.g. PIPELINING.
+		if ( last_replied_cmd == SMTP_CMD_EHLO && reply_code == 250 )
+			{
+			const char* ext;
+			int ext_len;
+
+			get_word(end_of_line - line, line, ext_len, ext);
+			line = skip_whitespace(line + ext_len, end_of_line);
+			ProcessExtension(ext_len, ext);
+			}
+		}
+	}
+
+void SMTP_Analyzer::NewCmd(const int cmd_code)
+	{
+	if ( pipelining )
+		{
+		if ( first_cmd < 0 )
+			first_cmd = cmd_code;
+		else
+			pending_cmd_q.push_back(cmd_code);
+		}
+	else
+		first_cmd = cmd_code;
+	}
+
+
+// Here we keep a SMTP state machine and update it on each reply.
+// However, the purpose is NOT to check correctness of SMTP commands
+// and replies, but to guess the state of the SMTP session and,
+// particularly, to know when we are in the SMTP_IN_DATA state.
+//
+// That is why state transition does not depend on the previous state,
+// but only depend on the <command, reply> pair.
+//
+// Why not simply have two-state machine, IN_DATA/NOT_IN_DATA?  Because
+// we want to understand the behavior of SMTP and check how far it may
+// deviate from our knowledge.
+
+void SMTP_Analyzer::NewReply(const int reply_code)
+	{
+	if ( state == SMTP_AFTER_GAP && reply_code > 0 )
+		{
+		state = SMTP_GAP_RECOVERY;
+		const char* unknown_cmd = SMTP_CMD_WORD(-1);
+		RequestEvent(strlen(unknown_cmd), unknown_cmd, 0, "");
+		/*
+		if ( line_after_gap )
+			ProcessLine(sender, line_after_gap->Len(), (const char *) line_after_gap->Bytes());
+		*/
+		}
+
+	// Make all parameters constants.
+	const int cmd_code = first_cmd;
+
+	// To recover from a gap, we detect replies -- the critical
+	// assumptions here are 1) receiver does not reply during a DATA
+	// session; 2) there is no TURN in the gap.
+
+	last_replied_cmd = first_cmd;
+	first_cmd = -1;
+
+	if ( pipelining && pending_cmd_q.size() > 0 )
+		{
+		first_cmd = pending_cmd_q.front();
+		pending_cmd_q.pop_front();
+		}
+
+	UpdateState(cmd_code, reply_code);
+	}
+
+// Note: reply_code == 0 means we haven't seen the reply, in which case we
+// still update the state as if the command will succeed, and later
+// adjust the state if it turns out otherwise. This is because some
+// clients are really aggressive in pipelining (beyond the restrictions
+// in the RPC), and as a result we have to update the state following
+// the commands in addition to the replies.
+
+void SMTP_Analyzer::UpdateState(const int cmd_code, const int reply_code)
+	{
+	const int st = state;
+
+	if ( st == SMTP_QUIT && reply_code == 0 )
+		UnexpectedCommand(cmd_code, reply_code);
+
+	switch ( cmd_code ) {
+	case SMTP_CMD_CONN_ESTABLISHMENT:
+		switch ( reply_code ) {
+		case 0:
+			if ( st != SMTP_CONNECTED )
+				{
+				// Impossible state, because the command
+				// CONN_ESTABLISHMENT should only appear
+				// in the very beginning.
+				UnexpectedCommand(cmd_code, reply_code);
+				}
+			state = SMTP_INITIATED;
+			break;
+
+		case 220:
+			break;
+
+		case 421:
+		case 554:
+			state = SMTP_NOT_AVAILABLE;
+			break;
+
+		default:
+			UnexpectedReply(cmd_code, reply_code);
+			break;
+		}
+		break;
+
+	case SMTP_CMD_EHLO:
+	case SMTP_CMD_HELO:
+		switch ( reply_code ) {
+			case 0:
+				if ( st != SMTP_INITIATED )
+					UnexpectedCommand(cmd_code, reply_code);
+				state = SMTP_READY;
+				break;
+
+			case 250:
+				break;
+
+			case 421:
+			case 500:
+			case 501:
+			case 504:
+			case 550:
+				state = SMTP_INITIATED;
+				break;
+
+			default:
+				UnexpectedReply(cmd_code, reply_code);
+				break;
+		}
+		break;
+
+	case SMTP_CMD_MAIL:
+	case SMTP_CMD_SEND:
+	case SMTP_CMD_SOML:
+	case SMTP_CMD_SAML:
+		switch ( reply_code ) {
+			case 0:
+				if ( st != SMTP_READY )
+					UnexpectedCommand(cmd_code, reply_code);
+				state = SMTP_MAIL_OK;
+				break;
+
+			case 250:
+				break;
+
+			case 421:
+			case 451:
+			case 452:
+			case 500:
+			case 501:
+			case 503:
+			case 550:
+			case 552:
+			case 553:
+				if ( state != SMTP_IN_DATA )
+					state = SMTP_READY;
+				break;
+
+			default:
+				UnexpectedReply(cmd_code, reply_code);
+				break;
+		}
+		break;
+
+	case SMTP_CMD_RCPT:
+		switch ( reply_code ) {
+			case 0:
+				if ( st != SMTP_MAIL_OK && st != SMTP_RCPT_OK )
+					UnexpectedCommand(cmd_code, reply_code);
+				state = SMTP_RCPT_OK;
+				break;
+
+			case 250:
+			case 251: // ?? Shall we catch 251? (RFC 2821)
+				break;
+
+			case 421:
+			case 450:
+			case 451:
+			case 452:
+			case 500:
+			case 501:
+			case 503:
+			case 550:
+			case 551: // ?? Shall we catch 551?
+			case 552:
+			case 553:
+			case 554: // = transaction failed/recipient refused
+				break;
+
+			default:
+				UnexpectedReply(cmd_code, reply_code);
+				break;
+		}
+		break;
+
+	case SMTP_CMD_DATA:
+		switch ( reply_code ) {
+			case 0:
+				if ( state != SMTP_RCPT_OK )
+					UnexpectedCommand(cmd_code, reply_code);
+				BeginData();
+				break;
+
+			case 354:
+				break;
+
+			case 421:
+				if ( state == SMTP_IN_DATA )
+					EndData();
+				state = SMTP_QUIT;
+				break;
+
+			case 500:
+			case 501:
+			case 503:
+			case 451:
+			case 554:
+				if ( state == SMTP_IN_DATA )
+					EndData();
+				state = SMTP_READY;
+				break;
+
+			default:
+				UnexpectedReply(cmd_code, reply_code);
+				if ( state == SMTP_IN_DATA )
+					EndData();
+				state = SMTP_READY;
+				break;
+		}
+		break;
+
+	case SMTP_CMD_END_OF_DATA:
+		switch ( reply_code ) {
+			case 0:
+				if ( st != SMTP_IN_DATA )
+					UnexpectedCommand(cmd_code, reply_code);
+					EndData();
+				state = SMTP_AFTER_DATA;
+				break;
+
+			case 250:
+				break;
+
+			case 421:
+			case 451:
+			case 452:
+			case 552:
+			case 554:
+				break;
+
+			default:
+				UnexpectedReply(cmd_code, reply_code);
+				break;
+		}
+
+		if ( reply_code > 0 )
+			state = SMTP_READY;
+		break;
+
+	case SMTP_CMD_RSET:
+		switch ( reply_code ) {
+			case 0:
+				state = SMTP_READY;
+				break;
+
+			case 250:
+				break;
+
+			default:
+				UnexpectedReply(cmd_code, reply_code);
+				break;
+		}
+
+		break;
+
+	case SMTP_CMD_QUIT:
+		switch ( reply_code ) {
+			case 0:
+				state = SMTP_QUIT;
+				break;
+
+			case 221:
+				break;
+
+			default:
+				UnexpectedReply(cmd_code, reply_code);
+				break;
+		}
+
+		break;
+
+	case SMTP_CMD_AUTH:
+		if ( st != SMTP_READY )
+			UnexpectedCommand(cmd_code, reply_code);
+
+		switch ( reply_code ) {
+			case 0:
+				// Here we wait till there's a reply.
+				break;
+
+			case 334:
+				state = SMTP_IN_AUTH;
+				break;
+
+			case 235:
+				state = SMTP_INITIATED;
+				break;
+
+			case 432:
+			case 454:
+			case 501:
+			case 503:
+			case 504:
+			case 534:
+			case 535:
+			case 538:
+			default:
+				state = SMTP_INITIATED;
+				break;
+		}
+		break;
+
+	case SMTP_CMD_AUTH_ANSWER:
+		if ( st != SMTP_IN_AUTH )
+			UnexpectedCommand(cmd_code, reply_code);
+
+		switch ( reply_code ) {
+			case 0:
+				// Here we wait till there's a reply.
+				break;
+
+			case 334:
+				state = SMTP_IN_AUTH;
+				break;
+
+			case 235:
+			case 535:
+			default:
+				state = SMTP_INITIATED;
+				break;
+		}
+		break;
+
+	case SMTP_CMD_TURN:
+		if ( st != SMTP_READY )
+			UnexpectedCommand(cmd_code, reply_code);
+
+		switch ( reply_code ) {
+			case 0:
+				// Here we wait till there's a reply.
+				break;
+
+			case 250:
+				// flip-side
+				orig_is_sender = ! orig_is_sender;
+
+				state = SMTP_CONNECTED;
+				expect_sender = 0;
+				expect_recver = 1;
+				break;
+
+			case 502:
+			default:
+				break;
+		}
+		break;
+
+	case SMTP_CMD_STARTTLS:
+		if ( st != SMTP_READY )
+			UnexpectedCommand(cmd_code, reply_code);
+
+		switch ( reply_code ) {
+			case 0:
+				// Here we wait till there's a reply.
+				break;
+
+			case 220:
+				state = SMTP_IN_TLS;
+				expect_sender = expect_recver = 1;
+				break;
+
+			case 454:
+			case 501:
+			default:
+				break;
+		}
+		break;
+
+	case SMTP_CMD_VRFY:
+	case SMTP_CMD_EXPN:
+	case SMTP_CMD_HELP:
+	case SMTP_CMD_NOOP:
+		// These commands do not affect state.
+		// ?? However, later we may want to add reply
+		// and state check code.
+
+	default:
+		if ( st == SMTP_GAP_RECOVERY && reply_code == 354 )
+			{
+			BeginData();
+			}
+		break;
+	}
+
+	// A hack: whenever the server makes a valid reply during a DATA
+	// section, we assume that the DATA section has ended (the end
+	// of data line might have been lost due to gaps in trace).  Note,
+	// BeginData() won't be called till the next DATA command.
+#if 0
+	if ( state == SMTP_IN_DATA && reply_code >= 400 )
+		{
+		EndData();
+		state = SMTP_READY;
+		}
+#endif
+	}
+
+void SMTP_Analyzer::ProcessExtension(int ext_len, const char* ext)
+	{
+	if ( ! ext )
+		return;
+
+	if ( ! strcasecmp_n(ext_len, ext, "PIPELINING") )
+		pipelining = 1;
+	}
+
+int SMTP_Analyzer::ParseCmd(int cmd_len, const char* cmd)
+	{
+	if ( ! cmd )
+		return -1;
+
+	for ( int code = SMTP_CMD_EHLO; code < SMTP_CMD_LAST; ++code )
+		if ( ! strcasecmp_n(cmd_len, cmd, smtp_cmd_word[code - SMTP_CMD_EHLO]) )
+			return code;
+
+	return -1;
+	}
+
+void SMTP_Analyzer::RequestEvent(int cmd_len, const char* cmd,
+				int arg_len, const char* arg)
+	{
+	ProtocolConfirmation();
+	val_list* vl = new val_list;
+
+	vl->append(BuildConnVal());
+	vl->append(new Val(orig_is_sender, TYPE_BOOL));
+	vl->append((new StringVal(cmd_len, cmd))->ToUpper());
+	vl->append(new StringVal(arg_len, arg));
+
+	ConnectionEvent(smtp_request, vl);
+	}
+
+void SMTP_Analyzer::Unexpected(const int is_sender, const char* msg,
+				int detail_len, const char* detail)
+	{
+	// Either party can send a line after an unexpected line.
+	expect_sender = expect_recver = 1;
+
+	if ( smtp_unexpected )
+		{
+		val_list* vl = new val_list;
+		int is_orig = is_sender;
+		if ( ! orig_is_sender )
+			is_orig = ! is_orig;
+
+		vl->append(BuildConnVal());
+		vl->append(new Val(is_orig, TYPE_BOOL));
+		vl->append(new StringVal(msg));
+		vl->append(new StringVal(detail_len, detail));
+
+		ConnectionEvent(smtp_unexpected, vl);
+		}
+	}
+
+void SMTP_Analyzer::UnexpectedCommand(const int cmd_code, const int reply_code)
+	{
+	// If this happens, please fix the SMTP state machine!
+	// ### Eventually, these should be turned into "weird" events.
+	static char buf[512];
+	int len = safe_snprintf(buf, sizeof(buf),
+				"%s reply = %d state = %d",
+				SMTP_CMD_WORD(cmd_code), reply_code, state);
+	if ( len > (int) sizeof(buf) )
+		len = sizeof(buf);
+	Unexpected (1, "unexpected command", len, buf);
+	}
+
+void SMTP_Analyzer::UnexpectedReply(const int cmd_code, const int reply_code)
+	{
+	// If this happens, please fix the SMTP state machine!
+	// ### Eventually, these should be turned into "weird" events.
+	static char buf[512];
+	int len = safe_snprintf(buf, sizeof(buf),
+				"%d state = %d, last command = %s",
+				reply_code, state, SMTP_CMD_WORD(cmd_code));
+	Unexpected (1, "unexpected reply", len, buf);
+	}
+
+void SMTP_Analyzer::ProcessData(int length, const char* line)
+	{
+	mail->Deliver(length, line, 1 /* trailing_CRLF */);
+	}
+
+void SMTP_Analyzer::BeginData()
+	{
+	state = SMTP_IN_DATA;
+	skip_data = 0; // reset the flag at the beginning of the mail
+	if ( mail != 0 )
+		{
+		warn("nested mail transaction");
+		mail->Done();
+		delete mail;
+		}
+
+	mail = new MIME_Mail(this);
+	}
+
+void SMTP_Analyzer::EndData()
+	{
+	if ( ! mail )
+		warn("Unmatched end of data");
+	else
+		{
+		mail->Done();
+		delete mail;
+		mail = 0;
+		}
+	}
+
+#include "smtp-rw.bif.func_def"
diff --git a/src/SMTP.h b/src/SMTP.h
new file mode 100644
index 0000000000..6e3ad6cc29
--- /dev/null
+++ b/src/SMTP.h
@@ -0,0 +1,103 @@
+// $Id: SMTP.h 6219 2008-10-01 05:39:07Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#ifndef smtp_h
+#define smtp_h
+
+#include <list>
+using namespace std;
+
+#include "TCP.h"
+#include "MIME.h"
+
+
+#undef SMTP_CMD_DEF
+#define SMTP_CMD_DEF(cmd)	SMTP_CMD_##cmd,
+
+typedef enum {
+#include "SMTP_cmd.def"
+} SMTP_Cmd;
+
+// State is updated on every SMTP reply.
+typedef enum {
+	SMTP_CONNECTED,		// 0: before the opening message
+	SMTP_INITIATED,		// 1: after opening message 220, EHLO/HELO expected
+	SMTP_NOT_AVAILABLE,	// 2: after opening message 554, etc.
+	SMTP_READY,		// 3: after EHLO/HELO and reply 250
+	SMTP_MAIL_OK,		// 4: after MAIL/SEND/SOML/SAML and 250, RCPT expected
+	SMTP_RCPT_OK,		// 5: after one successful RCPT, DATA or more RCPT expected
+	SMTP_IN_DATA,		// 6: after DATA
+	SMTP_AFTER_DATA,	// 7: after . and before reply
+	SMTP_IN_AUTH,		// 8: after AUTH and 334
+	SMTP_IN_TLS,		// 9: after STARTTLS and 220
+	SMTP_QUIT,		// 10: after QUIT
+	SMTP_AFTER_GAP,		// 11: after a gap is detected
+	SMTP_GAP_RECOVERY,	// 12: after the first reply after a gap
+} SMTP_State;
+
+
+class SMTP_Analyzer : public TCP_ApplicationAnalyzer {
+public:
+	SMTP_Analyzer(Connection* conn);
+	~SMTP_Analyzer();
+
+	virtual void Done();
+	virtual void DeliverStream(int len, const u_char* data, bool orig);
+	virtual void ConnectionFinished(int half_finished);
+	virtual void Undelivered(int seq, int len, bool orig);
+	virtual int RewritingTrace()
+		{ return rewriting_smtp_trace || TCP_ApplicationAnalyzer::RewritingTrace(); }
+
+	void SkipData()	{ skip_data = 1; }	// skip delivery of data lines
+
+	static Analyzer* InstantiateAnalyzer(Connection* conn)
+		{
+		return new SMTP_Analyzer(conn);
+		}
+
+	static bool Available()
+		{
+		return smtp_request || smtp_reply ||
+			smtp_data || smtp_unexpected;
+		}
+
+protected:
+
+	void ProcessLine(int length, const char* line, bool orig);
+	void NewCmd(const int cmd_code);
+	void NewReply(const int reply_code);
+	void ProcessExtension(int ext_len, const char* ext);
+	void ProcessData(int length, const char* line);
+
+	void UpdateState(const int cmd_code, const int reply_code);
+
+	void BeginData();
+	void EndData();
+
+	int ParseCmd(int cmd_len, const char* cmd);
+
+	void RequestEvent(int cmd_len, const char* cmd,
+				int arg_len, const char* arg);
+	void Unexpected(const int is_orig, const char* msg,
+				int detail_len, const char* detail);
+	void UnexpectedCommand(const int cmd_code, const int reply_code);
+	void UnexpectedReply(const int cmd_code, const int reply_code);
+
+	bool orig_is_sender;
+	int expect_sender, expect_recver;
+	int state;
+	int last_replied_cmd;
+	int first_cmd;			// first un-replied SMTP cmd, or -1
+	int pending_reply;		// code assoc. w/ multi-line reply, or 0
+	int pipelining;			// whether pipelining is supported
+	list<int> pending_cmd_q;	// to support pipelining
+	int skip_data;			// whether to skip message body
+	int orig_record_contents;	// keep the original record_contents
+	BroString* line_after_gap;	// last line before the first reply
+					// after a gap
+
+	MIME_Mail* mail;
+};
+
+#endif
diff --git a/src/SMTP_cmd.def b/src/SMTP_cmd.def
new file mode 100644
index 0000000000..79667ba7bd
--- /dev/null
+++ b/src/SMTP_cmd.def
@@ -0,0 +1,40 @@
+// $Id: SMTP_cmd.def 80 2004-07-14 20:15:50Z jason $
+//
+// Definitions of SMTP commands.
+
+SMTP_CMD_DEF(EHLO)
+SMTP_CMD_DEF(HELO)		// EHLO is preferred over HELO
+SMTP_CMD_DEF(MAIL)
+SMTP_CMD_DEF(RCPT)
+SMTP_CMD_DEF(DATA)
+SMTP_CMD_DEF(QUIT)
+SMTP_CMD_DEF(RSET)
+SMTP_CMD_DEF(VRFY)
+SMTP_CMD_DEF(EXPN)
+SMTP_CMD_DEF(HELP)
+SMTP_CMD_DEF(NOOP)
+
+// The following two commands never explicitly appear in user input.
+SMTP_CMD_DEF(CONN_ESTABLISHMENT)	// not an explicit SMTP command
+SMTP_CMD_DEF(END_OF_DATA)	// not an explicit SMTP command
+
+// Following commands are specified in RFC 821, but will
+// become deprecated (RFC 2821).
+// Client SHOULD NOT use SEND/SOML/SAML
+
+SMTP_CMD_DEF(SEND)		
+SMTP_CMD_DEF(SOML)
+SMTP_CMD_DEF(SAML)
+
+// System SHOULD NOT support TURN in absence of authentication.
+SMTP_CMD_DEF(TURN)		
+
+// SMTP extensions not supported yet.
+SMTP_CMD_DEF(STARTTLS)	// RFC 2487
+SMTP_CMD_DEF(BDAT)		// RFC 3030
+SMTP_CMD_DEF(ETRN)		// RFC 1985
+SMTP_CMD_DEF(AUTH)		// RFC 2554
+SMTP_CMD_DEF(AUTH_ANSWER)	// not an explicit SMTP command
+
+// LAST is not an SMTP command.
+SMTP_CMD_DEF(LAST)
diff --git a/src/SSH.cc b/src/SSH.cc
new file mode 100644
index 0000000000..b4ca9aa153
--- /dev/null
+++ b/src/SSH.cc
@@ -0,0 +1,102 @@
+// $Id: SSH.cc 6782 2009-06-28 02:19:03Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "config.h"
+
+#include <ctype.h>
+
+#include "NetVar.h"
+#include "SSH.h"
+#include "Event.h"
+#include "ContentLine.h"
+
+SSH_Analyzer::SSH_Analyzer(Connection* c)
+: TCP_ApplicationAnalyzer(AnalyzerTag::SSH, c)
+	{
+	orig = new ContentLine_Analyzer(c, true);
+	orig->SetSkipPartial(true);
+	orig->SetCRLFAsEOL(LF_as_EOL);
+	AddSupportAnalyzer(orig);
+
+	resp = new ContentLine_Analyzer(c, false);
+	resp->SetSkipPartial(true);
+	resp->SetCRLFAsEOL(LF_as_EOL);
+	AddSupportAnalyzer(resp);
+	}
+
+void SSH_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig)
+	{
+	TCP_ApplicationAnalyzer::DeliverStream(length, data, is_orig);
+
+	// We're all done processing this endpoint - flag it as such,
+	// before we even determine whether we have any event generation
+	// work to do, to make sure we don't do any further work on it.
+	if ( is_orig )
+		orig->SetSkipDeliveries(true);
+	else
+		resp->SetSkipDeliveries(true);
+
+	if ( TCP() )
+		{
+		// Don't try to parse version if there has already been a gap.
+		TCP_Endpoint* endp = is_orig ? TCP()->Orig() : TCP()->Resp();
+		if ( endp->HadGap() )
+			return;
+		}
+
+	const char* line = (const char*) data;
+
+	// The SSH identification looks like this:
+	//
+	//     SSH-<protocolmajor>.<protocolminor>-<version>\n
+	//
+	// We're interested in the "version" part here.
+	
+	if ( length < 4 || memcmp(line, "SSH-", 4) != 0 )
+		{
+		Weird("malformed_ssh_identification");
+		ProtocolViolation("malformed ssh identification", line, length);
+		return;
+		}
+	
+	int i;
+	for ( i = 4; i < length && line[i] != '-'; ++i )
+		;
+	
+	if ( TCP() )
+		{
+		if ( length >= i )
+			{
+			const uint32* dst;
+			if ( is_orig )
+				dst = TCP()->Orig()->dst_addr;
+			else
+				dst = TCP()->Resp()->dst_addr;
+
+			if ( Conn()->VersionFoundEvent(dst, line + i,
+							length - i) )
+				ProtocolConfirmation();
+			else
+				ProtocolViolation("malformed ssh version",
+							line, length);
+			}
+		else
+			{
+			Weird("malformed_ssh_version");
+			ProtocolViolation("malformed ssh version", line, length);
+			}
+		}
+
+	// Generate SSH events.
+	EventHandlerPtr event = is_orig ?
+				ssh_client_version : ssh_server_version;
+	if ( ! event )
+		return;
+
+	val_list* vl = new val_list;
+	vl->append(BuildConnVal());
+	vl->append(new StringVal(length, line));
+
+	ConnectionEvent(event, vl);
+	}
diff --git a/src/SSH.h b/src/SSH.h
new file mode 100644
index 0000000000..503b1abcbe
--- /dev/null
+++ b/src/SSH.h
@@ -0,0 +1,28 @@
+// $Id: SSH.h 6219 2008-10-01 05:39:07Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#ifndef ssh_h
+#define ssh_h
+
+#include "TCP.h"
+#include "ContentLine.h"
+
+class SSH_Analyzer : public TCP_ApplicationAnalyzer {
+public:
+	SSH_Analyzer(Connection* conn);
+
+	virtual void DeliverStream(int len, const u_char* data, bool orig);
+
+	static Analyzer* InstantiateAnalyzer(Connection* conn)
+		{ return new SSH_Analyzer(conn); }
+
+	static bool Available()
+		{ return  ssh_client_version || ssh_server_version; }
+
+private:
+	ContentLine_Analyzer* orig;
+	ContentLine_Analyzer* resp;
+};
+
+#endif
diff --git a/src/SSL-binpac.cc b/src/SSL-binpac.cc
new file mode 100644
index 0000000000..73f2852aa7
--- /dev/null
+++ b/src/SSL-binpac.cc
@@ -0,0 +1,80 @@
+// $Id:$
+
+#include "SSL-binpac.h"
+#include "TCP_Reassembler.h"
+#include "util.h"
+
+
+bool SSL_Analyzer_binpac::warnings_generated = false;
+
+SSL_Analyzer_binpac::SSL_Analyzer_binpac(Connection* c)
+: TCP_ApplicationAnalyzer(AnalyzerTag::SSL_BINPAC, c)
+	{
+	ssl = new binpac::SSL::SSLAnalyzer;
+	ssl->set_bro_analyzer(this);
+
+	records = new binpac::SSLRecordLayer::SSLRecordLayerAnalyzer;
+	records->set_ssl_analyzer(ssl);
+
+	if ( ! warnings_generated )
+		generate_warnings();
+	}
+
+SSL_Analyzer_binpac::~SSL_Analyzer_binpac()
+	{
+	delete records;
+	delete ssl;
+	}
+
+void SSL_Analyzer_binpac::Done()
+	{
+	TCP_ApplicationAnalyzer::Done();
+
+	records->FlowEOF(true);
+	records->FlowEOF(false);
+	}
+
+void SSL_Analyzer_binpac::EndpointEOF(TCP_Reassembler* endp)
+	{
+	TCP_ApplicationAnalyzer::EndpointEOF(endp);
+	records->FlowEOF(endp->IsOrig());
+	ssl->FlowEOF(endp->IsOrig());
+	}
+
+void SSL_Analyzer_binpac::DeliverStream(int len, const u_char* data, bool orig)
+	{
+	TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
+
+	assert(TCP());
+
+	if ( TCP()->IsPartial() )
+		return;
+
+	records->NewData(orig, data, data + len);
+	}
+
+void SSL_Analyzer_binpac::Undelivered(int seq, int len, bool orig)
+	{
+	TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
+	records->NewGap(orig, len);
+	}
+
+void SSL_Analyzer_binpac::warn_(const char* msg)
+	{
+	warn("SSL_Analyzer_binpac: ", msg);
+	}
+
+void SSL_Analyzer_binpac::generate_warnings()
+	{
+	if ( ssl_store_certificates )
+		warn_("storage of certificates (ssl_store_certificates) not supported");
+	if ( ssl_store_key_material )
+		warn_("storage of key material (ssl_store_key_material) not supported");
+
+#ifndef USE_OPENSSL
+	if ( ssl_verify_certificates )
+		warn_("verification of certificates (ssl_verify_certificates) not supported due to non-existing OpenSSL support");
+#endif
+
+	warnings_generated = true;
+	}
diff --git a/src/SSL-binpac.h b/src/SSL-binpac.h
new file mode 100644
index 0000000000..79b8b4d7fa
--- /dev/null
+++ b/src/SSL-binpac.h
@@ -0,0 +1,42 @@
+// $Id:$
+
+#ifndef ssl_binpac_h
+#define ssl_binpac_h
+
+#include "TCP.h"
+
+#include "ssl_pac.h"
+#include "ssl-record-layer_pac.h"
+
+class SSL_Analyzer_binpac : public TCP_ApplicationAnalyzer {
+public:
+	SSL_Analyzer_binpac(Connection* conn);
+	virtual ~SSL_Analyzer_binpac();
+
+	virtual void Done();
+	virtual void DeliverStream(int len, const u_char* data, bool orig);
+	virtual void Undelivered(int seq, int len, bool orig);
+	virtual void EndpointEOF(TCP_Reassembler* endp);
+
+	static Analyzer* InstantiateAnalyzer(Connection* conn)
+		{ return new SSL_Analyzer_binpac(conn); }
+
+	static bool Available()
+		{
+		return FLAGS_use_binpac &&
+			(ssl_certificate_seen || ssl_certificate ||
+			 ssl_conn_attempt || ssl_conn_server_reply ||
+			 ssl_conn_established || ssl_conn_reused ||
+			 ssl_conn_alert);
+		}
+
+	static bool warnings_generated;
+	static void warn_(const char* msg);
+	static void generate_warnings();
+
+protected:
+	binpac::SSLRecordLayer::SSLRecordLayerAnalyzer* records;
+	binpac::SSL::SSLAnalyzer* ssl;
+};
+
+#endif
diff --git a/src/SSLCiphers.cc b/src/SSLCiphers.cc
new file mode 100644
index 0000000000..1eaf3898e2
--- /dev/null
+++ b/src/SSLCiphers.cc
@@ -0,0 +1,598 @@
+// $Id: SSLCiphers.cc 1678 2005-11-08 19:16:37Z vern $
+
+#include "SSLCiphers.h"
+
+PDict(SSL_CipherSpec) SSL_CipherSpecDict;
+
+// --- definitions for ssl cipher handling ------------------------------------
+
+SSL_CipherSpec SSL_CipherSpecs[] = {
+	// --- SSL 2.0 cipher specs
+	{ SSL_CK_RC4_128_WITH_MD5,
+		SSL_CIPHER_TYPE_STREAM,
+		SSL_FLAG_SSLv20,
+		SSL_CIPHER_RC4,
+		SSL_MAC_MD5,
+		SSL_KEY_EXCHANGE_RSA,
+		0,
+		128,
+		128
+	},
+	{ SSL_CK_RC4_128_EXPORT40_WITH_MD5,
+		SSL_CIPHER_TYPE_STREAM,
+		SSL_FLAG_EXPORT | SSL_FLAG_SSLv20,
+		SSL_CIPHER_RC4,
+		SSL_MAC_MD5,
+		SSL_KEY_EXCHANGE_RSA,
+		88,
+		40,
+		128
+	},
+	{ SSL_CK_RC2_128_CBC_WITH_MD5,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv20,
+		SSL_CIPHER_RC2,
+		SSL_MAC_MD5,
+		SSL_KEY_EXCHANGE_RSA,
+		0,
+		128,
+		128
+	},
+	{ SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_EXPORT | SSL_FLAG_SSLv20,
+		SSL_CIPHER_RC2,
+		SSL_MAC_MD5,
+		SSL_KEY_EXCHANGE_RSA,
+		88,
+		40,
+		128
+	},
+	{ SSL_CK_IDEA_128_CBC_WITH_MD5,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv20,
+		SSL_CIPHER_IDEA,
+		SSL_MAC_MD5,
+		SSL_KEY_EXCHANGE_RSA,
+		0,
+		128,
+		128
+	},
+	{ SSL_CK_DES_64_CBC_WITH_MD5,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv20,
+		SSL_CIPHER_DES,
+		SSL_MAC_MD5,
+		SSL_KEY_EXCHANGE_RSA,
+		0,
+		64,
+		128
+	},
+	{ SSL_CK_DES_192_EDE3_CBC_WITH_MD5,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv20,
+		SSL_CIPHER_3DES,
+		SSL_MAC_MD5,
+		SSL_KEY_EXCHANGE_RSA,
+		0,
+		192,
+		128
+	},
+	{ SSL_CK_RC4_64_WITH_MD5,
+		SSL_CIPHER_TYPE_STREAM,
+		SSL_FLAG_SSLv20,
+		SSL_CIPHER_RC4,
+		SSL_MAC_MD5,
+		SSL_KEY_EXCHANGE_RSA,
+		0,
+		64,
+		128
+	},
+	// --- SSL 3.0 / 3.1 cipher specs
+	{ TLS_NULL_WITH_NULL_NULL,
+		SSL_CIPHER_TYPE_NULL,
+		SSL_FLAG_EXPORT | SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_NULL,
+		SSL_MAC_NULL,
+		SSL_KEY_EXCHANGE_NULL,
+		0,
+		0,
+		0
+	},
+	{ TLS_RSA_WITH_NULL_MD5,
+		SSL_CIPHER_TYPE_NULL,
+		SSL_FLAG_EXPORT | SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_NULL,
+		SSL_MAC_MD5,
+		SSL_KEY_EXCHANGE_RSA,
+		0,
+		0,
+		128
+	},
+	{ TLS_RSA_WITH_NULL_SHA,
+		SSL_CIPHER_TYPE_NULL,
+		SSL_FLAG_EXPORT | SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_NULL,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_RSA,
+		0,
+		0,
+		160
+	},
+	{ TLS_RSA_EXPORT_WITH_RC4_40_MD5,
+		SSL_CIPHER_TYPE_STREAM,
+		SSL_FLAG_EXPORT | SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_RC4,
+		SSL_MAC_MD5,
+		SSL_KEY_EXCHANGE_RSA_EXPORT,
+		0,
+		40,
+		128
+	},
+	{ TLS_RSA_WITH_RC4_128_MD5,
+		SSL_CIPHER_TYPE_STREAM,
+		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_RC4,
+		SSL_MAC_MD5,
+		SSL_KEY_EXCHANGE_RSA,
+		0,
+		128,
+		128
+	},
+	{ TLS_RSA_WITH_RC4_128_SHA,
+		SSL_CIPHER_TYPE_STREAM,
+		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_RC4,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_RSA,
+		0,
+		128,
+		160
+	},
+	{ TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_EXPORT | SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_RC2,
+		SSL_MAC_MD5,
+		SSL_KEY_EXCHANGE_RSA_EXPORT,
+		0,
+		40,
+		128
+	},
+	{ TLS_RSA_WITH_IDEA_CBC_SHA,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_IDEA,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_RSA,
+		0,
+		128,
+		160
+	},
+	{ TLS_RSA_EXPORT_WITH_DES40_CBC_SHA,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_EXPORT | SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_DES40,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_RSA_EXPORT,
+		0,
+		40,
+		160
+	},
+	{ TLS_RSA_WITH_DES_CBC_SHA,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_DES,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_RSA,
+		0,
+		56,
+		160
+	},
+	{ TLS_RSA_WITH_3DES_EDE_CBC_SHA,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_3DES,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_RSA,
+		0,
+		168,
+		160
+	},
+	{ TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_EXPORT | SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_DES40,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_DH_DSS_EXPORT,
+		0,
+		40,
+		160
+	},
+	{ TLS_DH_DSS_WITH_DES_CBC_SHA,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_DES,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_DH_DSS,
+		0,
+		56,
+		160
+	},
+	{ TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_3DES,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_DH_DSS,
+		0,
+		168,
+		160
+	},
+	{ TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_EXPORT | SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_DES40,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_DH_RSA_EXPORT,
+		0,
+		168,
+		160
+	},
+	{ TLS_DH_RSA_WITH_DES_CBC_SHA,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_DES,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_DH_RSA,
+		0,
+		56,
+		160
+	},
+	{ TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_3DES,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_DH_RSA,
+		0,
+		168,
+		160
+	},
+	{ TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_EXPORT | SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_DES40,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_DHE_DSS_EXPORT,
+		0,
+		40,
+		160
+	},
+	{ TLS_DHE_DSS_WITH_DES_CBC_SHA,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_DES,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_DHE_DSS,
+		0,
+		56,
+		160
+	},
+	{ TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_3DES,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_DHE_DSS,
+		0,
+		168,
+		160
+	},
+	{ TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_EXPORT | SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_DES40,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_DHE_RSA_EXPORT,
+		0,
+		40,
+		160
+	},
+	{ TLS_DHE_RSA_WITH_DES_CBC_SHA,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_DES,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_DHE_RSA,
+		0,
+		56,
+		160
+	},
+	{ TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_3DES,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_DHE_RSA,
+		0,
+		168,
+		160
+	},
+	{ TLS_DH_ANON_EXPORT_WITH_RC4_40_MD5,
+		SSL_CIPHER_TYPE_STREAM,
+		SSL_FLAG_EXPORT | SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_RC4,
+		SSL_MAC_MD5,
+		SSL_KEY_EXCHANGE_DH_ANON_EXPORT,
+		0,
+		40,
+		128
+	},
+	{ TLS_DH_ANON_WITH_RC4_128_MD5,
+		SSL_CIPHER_TYPE_STREAM,
+		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_RC4,
+		SSL_MAC_MD5,
+		SSL_KEY_EXCHANGE_DH_ANON,
+		0,
+		128,
+		128
+	},
+	{ TLS_DH_ANON_EXPORT_WITH_DES40_CBC_SHA,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_EXPORT | SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_DES40,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_DH_ANON,
+		0,
+		40,
+		160
+	},
+	{ TLS_DH_ANON_WITH_DES_CBC_SHA,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_DES,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_DH_ANON,
+		0,
+		56,
+		160
+	},
+	{ TLS_DH_ANON_WITH_3DES_EDE_CBC_SHA,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_3DES,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_DH_ANON,
+		0,
+		168,
+		160
+	},
+	{ SSL_FORTEZZA_KEA_WITH_NULL_SHA,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv30,
+		SSL_CIPHER_NULL,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_FORTEZZA_KEA,
+		0,
+		0,
+		160
+	},
+	{ SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv30,
+		SSL_CIPHER_FORTEZZA,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_FORTEZZA_KEA,
+		0,
+		96,
+		160
+	},
+	{ SSL_FORTEZZA_KEA_WITH_RC4_128_SHA,
+		SSL_CIPHER_TYPE_STREAM,
+		SSL_FLAG_SSLv30,
+		SSL_CIPHER_RC4,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_FORTEZZA_KEA,
+		0,
+		128,
+		160
+	},
+	// --- special SSLv3 FIPS ciphers
+	{ SSL_RSA_FIPS_WITH_DES_CBC_SHA,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_DES,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_RSA,
+		0,
+		56,
+		160
+	},
+	{ SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_3DES,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_RSA,
+		0,
+		168,
+		160
+	},
+	// --- new 56 bit export ciphers
+	{ TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_EXPORT | SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_DES,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_RSA_EXPORT1024,
+		0,
+		56,
+		160
+	},
+	{ TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,
+		SSL_CIPHER_TYPE_STREAM,
+		SSL_FLAG_EXPORT | SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_RC4,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_RSA_EXPORT1024,
+		0,
+		56,
+		160
+	},
+	{ TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_EXPORT | SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_DES,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_DHE_DSS_EXPORT1024,
+		0,
+		56,
+		160
+	},
+	{ TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA,
+		SSL_CIPHER_TYPE_STREAM,
+		SSL_FLAG_EXPORT | SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_RC4,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_DHE_DSS_EXPORT1024,
+		0,
+		56,
+		160
+	},
+	{ TLS_DHE_DSS_WITH_RC4_128_SHA,
+		SSL_CIPHER_TYPE_STREAM,
+		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_RC4,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_DHE_DSS,
+		0,
+		128,
+		160
+	},
+	// --- new AES ciphers
+	{ TLS_RSA_WITH_AES_128_CBC_SHA,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_AES,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_RSA,
+		0,
+		128,
+		160
+	},
+	{ TLS_DH_DSS_WITH_AES_128_CBC_SHA,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_AES,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_DH_DSS,
+		0,
+		128,
+		160
+	},
+	{ TLS_DH_RSA_WITH_AES_128_CBC_SHA,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_AES,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_DH_RSA,
+		0,
+		128,
+		160
+	},
+	{ TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_AES,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_DHE_DSS,
+		0,
+		128,
+		160
+	},
+	{ TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_AES,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_DHE_RSA,
+		0,
+		128,
+		160
+	},
+	{ TLS_DH_ANON_WITH_AES_128_CBC_SHA,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_AES,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_DH_ANON,
+		0,
+		128,
+		160
+	},
+	{ TLS_RSA_WITH_AES_256_CBC_SHA,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_AES,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_RSA,
+		0,
+		256,
+		160
+	},
+	{ TLS_DH_DSS_WITH_AES_256_CBC_SHA,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_AES,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_DH_DSS,
+		0,
+		256,
+		160
+	},
+	{ TLS_DH_RSA_WITH_AES_256_CBC_SHA,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_AES,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_DH_RSA,
+		0,
+		256,
+		160
+	},
+	{ TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_AES,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_DHE_DSS,
+		0,
+		256,
+		160
+	},
+	{ TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_AES,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_DHE_RSA,
+		0,
+		256,
+		160
+	},
+	{ TLS_DH_ANON_WITH_AES_256_CBC_SHA,
+		SSL_CIPHER_TYPE_BLOCK,
+		SSL_FLAG_SSLv30 | SSL_FLAG_SSLv31,
+		SSL_CIPHER_AES,
+		SSL_MAC_SHA,
+		SSL_KEY_EXCHANGE_DH_ANON,
+		0,
+		256,
+		160
+	}
+};
+
+const uint SSL_CipherSpecs_Count =
+	sizeof(SSL_CipherSpecs) / sizeof(SSL_CipherSpec);
diff --git a/src/SSLCiphers.h b/src/SSLCiphers.h
new file mode 100644
index 0000000000..389c4d1992
--- /dev/null
+++ b/src/SSLCiphers.h
@@ -0,0 +1,174 @@
+// $Id: SSLCiphers.h 1678 2005-11-08 19:16:37Z vern $
+
+#ifndef SSL_CIPHERS_H
+#define SSL_CIPHERS_H
+
+#include "Dict.h"
+
+// --- definitions for sslv3x cipher handling ---------------------------------
+
+/*!
+ * In SSLv2, a cipher spec consists of three bytes.
+ */
+enum SSLv2_CipherSpec {
+	// --- standard SSLv2 ciphers
+	SSL_CK_RC4_128_WITH_MD5              = 0x010080,
+	SSL_CK_RC4_128_EXPORT40_WITH_MD5     = 0x020080,
+	SSL_CK_RC2_128_CBC_WITH_MD5          = 0x030080,
+	SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5 = 0x040080,
+	SSL_CK_IDEA_128_CBC_WITH_MD5         = 0x050080,
+	SSL_CK_DES_64_CBC_WITH_MD5           = 0x060040,
+	SSL_CK_DES_192_EDE3_CBC_WITH_MD5     = 0x0700C0,
+	SSL_CK_RC4_64_WITH_MD5		     = 0x080080
+};
+
+
+/*!
+ * In SSLv3x, a cipher spec consists of two bytes.
+ */
+enum SSL3_1_CipherSpec {
+	// --- standard SSLv3x ciphers
+	TLS_NULL_WITH_NULL_NULL                = 0x0000,
+	TLS_RSA_WITH_NULL_MD5                  = 0x0001,
+	TLS_RSA_WITH_NULL_SHA                  = 0x0002,
+	TLS_RSA_EXPORT_WITH_RC4_40_MD5         = 0x0003,
+	TLS_RSA_WITH_RC4_128_MD5               = 0x0004,
+	TLS_RSA_WITH_RC4_128_SHA               = 0x0005,
+	TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5     = 0x0006,
+	TLS_RSA_WITH_IDEA_CBC_SHA              = 0x0007,
+	TLS_RSA_EXPORT_WITH_DES40_CBC_SHA      = 0x0008,
+	TLS_RSA_WITH_DES_CBC_SHA               = 0x0009,
+	TLS_RSA_WITH_3DES_EDE_CBC_SHA          = 0x000A,
+	TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA   = 0x000B,
+	TLS_DH_DSS_WITH_DES_CBC_SHA            = 0x000C,
+	TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA       = 0x000D,
+	TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA   = 0x000E,
+	TLS_DH_RSA_WITH_DES_CBC_SHA            = 0x000F,
+	TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA       = 0x0010,
+	TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA  = 0x0011,
+	TLS_DHE_DSS_WITH_DES_CBC_SHA           = 0x0012,
+	TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA      = 0x0013,
+	TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA  = 0x0014,
+	TLS_DHE_RSA_WITH_DES_CBC_SHA           = 0x0015,
+	TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA      = 0x0016,
+	TLS_DH_ANON_EXPORT_WITH_RC4_40_MD5     = 0x0017,
+	TLS_DH_ANON_WITH_RC4_128_MD5           = 0x0018,
+	TLS_DH_ANON_EXPORT_WITH_DES40_CBC_SHA  = 0x0019,
+	TLS_DH_ANON_WITH_DES_CBC_SHA           = 0x001A,
+	TLS_DH_ANON_WITH_3DES_EDE_CBC_SHA      = 0x001B,
+	// --- special SSLv3 ciphers
+	SSL_FORTEZZA_KEA_WITH_NULL_SHA         = 0x001C,
+	SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA = 0x001D,
+	SSL_FORTEZZA_KEA_WITH_RC4_128_SHA      = 0x001E,
+	// --- special SSLv3 FIPS ciphers
+	SSL_RSA_FIPS_WITH_DES_CBC_SHA		   = 0xFEFE,
+	SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA	   = 0XFEFF,
+	// --- new 56 bit export ciphers
+	TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA     = 0x0062,
+	TLS_RSA_EXPORT1024_WITH_RC4_56_SHA      = 0x0064,
+	TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA = 0x0063,
+	TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA  = 0x0065,
+	TLS_DHE_DSS_WITH_RC4_128_SHA            = 0x0066,
+	// --- new AES ciphers
+	TLS_RSA_WITH_AES_128_CBC_SHA      = 0x002F,
+	TLS_DH_DSS_WITH_AES_128_CBC_SHA   = 0x0030,
+	TLS_DH_RSA_WITH_AES_128_CBC_SHA   = 0x0031,
+	TLS_DHE_DSS_WITH_AES_128_CBC_SHA  = 0x0032,
+	TLS_DHE_RSA_WITH_AES_128_CBC_SHA  = 0x0033,
+	TLS_DH_ANON_WITH_AES_128_CBC_SHA  = 0x0034,
+	TLS_RSA_WITH_AES_256_CBC_SHA      = 0x0035,
+	TLS_DH_DSS_WITH_AES_256_CBC_SHA   = 0x0036,
+	TLS_DH_RSA_WITH_AES_256_CBC_SHA   = 0x0037,
+	TLS_DHE_DSS_WITH_AES_256_CBC_SHA  = 0x0038,
+	TLS_DHE_RSA_WITH_AES_256_CBC_SHA  = 0x0039,
+	TLS_DH_ANON_WITH_AES_256_CBC_SHA  = 0x003A
+};
+
+enum SSL_CipherType {
+	SSL_CIPHER_TYPE_STREAM,
+	SSL_CIPHER_TYPE_BLOCK,
+	SSL_CIPHER_TYPE_NULL
+};
+
+enum SSL_BulkCipherAlgorithm {
+	SSL_CIPHER_NULL,
+	SSL_CIPHER_RC4,
+	SSL_CIPHER_RC2,
+	SSL_CIPHER_DES,
+	SSL_CIPHER_3DES,
+	SSL_CIPHER_DES40,
+	SSL_CIPHER_FORTEZZA,
+	SSL_CIPHER_IDEA,
+	SSL_CIPHER_AES
+};
+
+enum SSL_MACAlgorithm {
+	SSL_MAC_NULL,
+	SSL_MAC_MD5,
+	SSL_MAC_SHA
+};
+
+enum SSL_KeyExchangeAlgorithm {
+	SSL_KEY_EXCHANGE_NULL,
+	SSL_KEY_EXCHANGE_RSA,
+	SSL_KEY_EXCHANGE_RSA_EXPORT,
+	SSL_KEY_EXCHANGE_DH,
+	SSL_KEY_EXCHANGE_DH_DSS,
+	SSL_KEY_EXCHANGE_DH_DSS_EXPORT,
+	SSL_KEY_EXCHANGE_DH_RSA,
+	SSL_KEY_EXCHANGE_DH_RSA_EXPORT,
+	SSL_KEY_EXCHANGE_DHE_DSS,
+	SSL_KEY_EXCHANGE_DHE_DSS_EXPORT,
+	SSL_KEY_EXCHANGE_DHE_RSA,
+	SSL_KEY_EXCHANGE_DHE_RSA_EXPORT,
+	SSL_KEY_EXCHANGE_DH_ANON,
+	SSL_KEY_EXCHANGE_DH_ANON_EXPORT,
+	SSL_KEY_EXCHANGE_FORTEZZA_KEA,
+	// --- new 56 bit export ciphers
+	SSL_KEY_EXCHANGE_RSA_EXPORT1024,
+	SSL_KEY_EXCHANGE_DHE_DSS_EXPORT1024
+};
+
+#if 0
+struct SSL_CipherSpecImprove {
+	uint32 identifier;
+
+	// SSL_CipherType cipherType;
+	SSL_BulkCipherAlgorithm encryptionAlgorithm;
+	SSL_BulkCipherAlgorithm authenticationAlgorithm;
+	SSL_BulkCipherAlgorithm keyAlgorithm;
+	SSL_MACAlgorithm        macAlgorithm;
+
+	int clearkeySize;
+	int encryptedkeySize;
+	uint32 flags;	// IsExportable IsSSLv2 IsSSLv30 IsSSLv31
+	const char* fullName = "TLS_WITH_NULL_NULL";
+
+};
+#endif
+
+struct SSL_CipherSpec {
+	uint32 identifier; ///< type code of the CIPHER-SPEC (2 or 3 Bytes)
+
+	SSL_CipherType cipherType;
+	uint32 flags;
+	SSL_BulkCipherAlgorithm bulkCipherAlgorithm;
+	SSL_MACAlgorithm macAlgorithm;
+	SSL_KeyExchangeAlgorithm keyExchangeAlgorithm;
+
+	int clearKeySize;     ///< size in bits of plaintext part of master key
+	int encryptedKeySize; ///< size in bits of encrypted part of master key
+	int hashSize;
+};
+
+const uint32 SSL_FLAG_EXPORT = 0x0001; ///< set if exportable cipher
+const uint32 SSL_FLAG_SSLv20 = 0x0002; ///< set if cipher defined for SSLv20
+const uint32 SSL_FLAG_SSLv30 = 0x0004; ///< set if cipher defined for SSLv30
+const uint32 SSL_FLAG_SSLv31 = 0x0008; ///< set if cipher defined for SSLv31
+
+declare(PDict, SSL_CipherSpec);
+extern PDict(SSL_CipherSpec) SSL_CipherSpecDict;
+extern SSL_CipherSpec SSL_CipherSpecs[];
+extern const uint SSL_CipherSpecs_Count;
+
+#endif
diff --git a/src/SSLDefines.h b/src/SSLDefines.h
new file mode 100644
index 0000000000..331a03157a
--- /dev/null
+++ b/src/SSLDefines.h
@@ -0,0 +1,48 @@
+// $Id: SSLDefines.h 80 2004-07-14 20:15:50Z jason $
+
+// Defines the states and transitions in the ssl-protocol-machine.
+
+#ifndef SSL_DEFINES_H
+#define SSL_DEFINES_H
+
+const int SSL3_1_NUM_STATES = 20;
+enum SSL3_1_States {
+	SSL3_1_STATE_ERROR = 0,
+	SSL3_1_STATE_INIT  = 1,
+	SSL3_1_STATE_SERVER_HELLO_REQ_SENT = 2,
+	SSL3_1_STATE_CLIENT_HELLO_SENT = 3,
+	SSL3_1_STATE_SERVER_HELLO_SENT = 4,
+	SSL3_1_STATE_SERVER_CERT_SENT = 5,
+	SSL3_1_STATE_SERVER_KEY_EXCHANGE_SENT = 6,
+	SSL3_1_STATE_SERVER_CERT_REQ_SENT = 7,
+	SSL3_1_STATE_SERVER_HELLO_DONE_SENT_A = 8,
+	SSL3_1_STATE_SERVER_HELLO_DONE_SENT_B = 9,
+	SSL3_1_STATE_CLIENT_KEY_EXCHANGE_SENT_A = 10,
+	SSL3_1_STATE_CLIENT_KEY_EXCHANGE_SENT_B = 11,
+	SSL3_1_STATE_CLIENT_CERT_SENT = 12,
+	SSL3_1_STATE_CLIENT_CERT_VERIFY_SENT = 13,
+	SSL3_1_STATE_CLIENT_FIN_SENT_A = 14,
+	SSL3_1_STATE_SERVER_FIN_SENT_A = 15,
+	SSL3_1_STATE_CLIENT_FIN_SENT_B = 16,
+	SSL3_1_STATE_SERVER_FIN_SENT_B = 17,
+	SSL3_1_STATE_HS_FIN_A = 18,
+	SSL3_1_STATE_HS_FIN_B = 19
+};
+
+const int SSL3_1_NUM_TRANS = 11;
+enum SSL_3_1_Transitions {
+	SSL3_1_TRANS_SERVER_HELLO_REQ = 0,
+	SSL3_1_TRANS_CLIENT_HELLO = 1,
+	SSL3_1_TRANS_SERVER_HELLO = 2,
+	SSL3_1_TRANS_SERVER_CERT = 3,
+	SSL3_1_TRANS_SERVER_KEY_EXCHANGE = 4,
+	SSL3_1_TRANS_SERVER_CERT_REQ = 5,
+	SSL3_1_TRANS_SERVER_HELLO_DONE = 6,
+	SSL3_1_TRANS_CLIENT_CERT = 3,
+	SSL3_1_TRANS_CLIENT_KEY_EXCHANGE = 7,
+	SSL3_1_TRANS_CLIENT_CERT_VERIFY = 8,
+	SSL3_1_TRANS_CLIENT_FIN = 9,
+	SSL3_1_TRANS_SERVER_FIN = 10
+};
+
+#endif
diff --git a/src/SSLInterpreter.cc b/src/SSLInterpreter.cc
new file mode 100644
index 0000000000..0f12915ef5
--- /dev/null
+++ b/src/SSLInterpreter.cc
@@ -0,0 +1,560 @@
+// $Id: SSLInterpreter.cc 5988 2008-07-19 07:02:12Z vern $
+
+#include "SSLInterpreter.h"
+#include "SSLv2.h"
+
+#ifdef USE_OPENSSL
+#include "X509.h"
+#endif
+
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+
+declare(PDict, CertStore);
+PDict(CertStore) cert_states;
+
+// --- Initalization of static variables --------------------------------------
+
+uint32 SSL_Interpreter::analyzedCertificates = 0;
+uint32 SSL_Interpreter::verifiedCertificates = 0;
+uint32 SSL_Interpreter::failedCertificates = 0;
+uint32 SSL_Interpreter::certificateChains = 0;
+
+// --- SSL_Interpreter --------------------------------------------------------
+
+/*!
+ * The constructor.
+ *
+ * \param proxy Pointer to the SSLProxy_Analyzer which created this instance.
+ */
+SSL_Interpreter::SSL_Interpreter(SSLProxy_Analyzer* proxy)
+	{
+	this->proxy = proxy;
+	}
+
+/*!
+ * The destructor.
+ */
+SSL_Interpreter::~SSL_Interpreter()
+	{
+	delete orig;
+	delete resp;
+	}
+
+/*!
+ * Analogous to TCP_Connection::Init(), this method calls
+ * BuildInterpreterEndpoints() to create the corresponding endpoints.
+ */
+void SSL_Interpreter::Init()
+	{
+	BuildInterpreterEndpoints();
+	orig->SetPeer(resp);
+	resp->SetPeer(orig);
+	}
+
+/*!
+ * This method analyzes a given certificate (chain), using the OpenSSL library.
+ *
+ * \param s Pointer to the SSL_InterpreterEndpoint which received the
+ *          cerificate (chain).
+ * \param data Pointer to the data block which contains the certificate (chain).
+ * \param length Size of the data block.
+ * \param type the certificate type
+ * \param isChain false if data is pointing to a single certificate,
+ *                true if data is pointing to a certificate chain
+ * mod by scott in:
+ *       uint32 ip_address = *(s->proxyEndpoint->Endpoint()->dst_addr);
+ *       uint16 port = (uint16) s->proxyEndpoint->Endpoint()->conn->RespPort();
+ * inserting endpoint
+ */
+void SSL_Interpreter::analyzeCertificate(SSL_InterpreterEndpoint* s,
+			const u_char* data, int length, uint8 type, bool isChain)
+	{
+	// See if we should continue with this certificate.
+	if ( ssl_certificate_seen )
+		{
+		val_list* vl = new val_list;
+		vl->append(proxy->BuildConnVal());
+		vl->append(new Val(! s->IsOrig(), TYPE_BOOL));
+		proxy->ConnectionEvent(ssl_certificate_seen, vl);
+		}
+
+	++analyzedCertificates;
+
+	const u_char* pCert = data;
+	uint32 certLength = length;
+	uint certCount = 0;
+
+	if ( isChain )
+		{
+		++certificateChains;
+
+		// Sum of all cert sizes has to match certListLength.
+		int tempLength = 0;
+		while ( tempLength < length )
+			{
+			++certCount;
+			uint32 certLength =
+				uint32((data[tempLength + 0] << 16) |
+					data[tempLength + 1] << 8) |
+				data[tempLength + 2];
+
+			tempLength += certLength + 3;
+			}
+
+		if ( tempLength > length )
+			{
+			Weird( "SSLv3x: sum of size of certificates doesn't match size of certificate chain" );
+			return;
+			}
+
+		// Get the first certificate.
+		pCert = data + 3;
+		certLength = uint32((data[0] << 16) | data[1] << 8) | data[2];
+		}
+
+	// Create a hashsum of the current certificate.
+	hash_t hashsum = HashKey::HashBytes(pCert, certLength);
+
+	if ( ! proxy->TCP() )
+		return;
+
+	TCP_Endpoint* endp = s->IsOrig() ? proxy->TCP()->Orig() : proxy->TCP()->Resp();
+
+	// Check if we've seen a certificate from this addr/port before.
+	uint8 key[6];
+	// ### Won't work for IPv6.
+	uint32 ip_address = *(endp->dst_addr);
+	uint16 port = uint16(proxy->Conn()->RespPort());
+	memcpy(key, &ip_address, 4);
+	memcpy(&key[4], &port, 2);
+
+	HashKey h(key, sizeof(key));
+	CertStore* pCertState = 0;
+	pCertState = (CertStore*) cert_states.Lookup(&h);
+	if ( ! pCertState )
+		{ // new address
+		pCertState = new CertStore(ip_address, port, hashsum, certLength);
+		cert_states.Insert(&h, pCertState);
+		}
+	else
+		{
+		// We've seen this address/certificate before.  Check if
+		// certificate changed.
+		if ( ! pCertState->isSameCert(hashsum, certLength) )
+			{
+			// This shouldn't happen; ### make a stronger error.
+			Weird("SSL: Certificate changed for this ip+port !!!");
+
+			// Update status.
+			++pCertState->changes;
+			pCertState->certHash = hashsum;
+			pCertState->certSize = certLength;
+			pCertState->isValid = -1;
+			}
+		else
+			{ // cert didn't change
+			if ( pCertState->isValid == 0 )
+				{
+				// This is an invalid cert, but we
+				// warned before.
+				}
+
+			// Save time - don't analyze it any further.
+			return;
+			}
+		}
+
+	// Certificate verification.
+	if ( ssl_verify_certificates != 0 )
+		{
+		++verifiedCertificates;
+		int invalid = 0;
+		switch ( type ) {
+		case SSLv2_CT_X509_CERTIFICATE:
+#ifdef USE_OPENSSL
+			if ( ! isChain )
+				invalid = X509_Cert::verify(s->GetProxyEndpoint(),
+							pCert, certLength);
+			else
+				invalid = X509_Cert::verifyChain(s->GetProxyEndpoint(),
+							data, length);
+#else
+			proxy->Weak("SSL: Could not verify certificate (missing OpenSSL support)!");
+			invalid = 0;
+#endif
+			break;
+
+		default:
+			Weird("SSL: Unknown CERTIFICATE-TYPE!");
+			invalid = 1; // quick 'n dirty :)
+			break;
+		}
+
+		if ( invalid )
+			{
+			proxy->Weak("SSL: Certificate check FAILED!");
+			pCertState->isValid = 0;
+			++failedCertificates;
+			}
+		else
+			pCertState->isValid = 1;
+		}
+
+	// Store the certificate.
+	if ( ssl_store_certificates != 0 )
+		{
+		// Let's hope the address is currently in network byte order!
+		in_addr addr;
+		addr.s_addr = ip_address;
+		char* pDummy = inet_ntoa(addr);
+		char sFileName[PATH_MAX];
+
+		if ( ssl_store_cert_path && 
+		     ssl_store_cert_path->AsString()->Len() > 0 )
+			{
+			const BroString* pString = ssl_store_cert_path->AsString();
+			safe_snprintf(sFileName, PATH_MAX, "%s/cert.%s-server-c%i.der",
+				      pString->Bytes(), pDummy, pCertState->changes);
+			}
+		else
+			safe_snprintf(sFileName, PATH_MAX, "cert.%s-server-c%i.der",
+				      pDummy, pCertState->changes);
+
+		FILE* certFile = fopen(sFileName, "wb");
+		if ( ! certFile )
+			{
+			Weird(fmt("SSL_Interpreter::analyzeCertificate(): Error opening '%s'!\n", sFileName));
+			return;
+			}
+
+		fwrite(pCert, 1, certLength, certFile);
+		fclose(certFile);
+		}
+
+	// TODO: test if cert is valid for the address we got it from.
+	}
+
+
+/*!
+ * \return the originating SSL_InterpreterEndpoint
+ */
+SSL_InterpreterEndpoint* SSL_Interpreter::Orig() const
+	{
+	return orig;
+	}
+
+/*!
+ * \return the responding SSL_InterpreterEndpoint
+ */
+SSL_InterpreterEndpoint* SSL_Interpreter::Resp() const
+	{
+	return resp;
+	}
+
+/*!
+ * \param p Pointer to an SSL_InterpreterEndpoint to test
+ *
+ * \return true if p is the originating SSL_InterpreterEndpoint,
+ *         false otherwise
+ */
+int SSL_Interpreter::Is_Orig(SSL_InterpreterEndpoint* p) const
+	{
+	return p == orig;
+	}
+
+/*!
+ * \return the responding SSL_InterpreterEndpoint
+ */
+SSLProxy_Analyzer* SSL_Interpreter::Proxy() const
+	{
+	return proxy;
+	}
+
+/*!
+ * This methods prints a string into the "weird" log file.
+ *
+ * \param name String to log into the "weird" file.
+ */
+void SSL_Interpreter::Weird(const char* name) const
+	{
+	proxy->Weird(name);
+	}
+
+/*!
+ * Prints some counters.
+ */
+void SSL_Interpreter::printStats()
+	{
+	printf("SSL_Interpreter:\n");
+	printf("analyzedCertificates = %u\n", analyzedCertificates);
+	printf("verifiedCertificates = %u\n", verifiedCertificates);
+	printf("failedCertificates = %u\n", failedCertificates);
+	printf("certificateChains = %u\n", certificateChains);
+	}
+
+/*!
+ * Wrapper function for the event ssl_conn_attempt.
+ *
+ * \param sslVersion the SSL version for which the event occured
+ *
+ * \see SSLProxy_Analyzer::SSL_Versions
+ */
+void SSL_Interpreter::fire_ssl_conn_attempt(uint16 sslVersion,
+						TableVal* currentCipherSuites)
+	{
+	EventHandlerPtr event = ssl_conn_attempt;
+	if ( event )
+		{
+		val_list* vl = new val_list;
+		vl->append(proxy->BuildConnVal());
+		vl->append(new Val(sslVersion, TYPE_INT));
+		vl->append(currentCipherSuites);
+
+		proxy->ConnectionEvent(event, vl);
+		}
+	}
+
+/*!
+ * Wrapper function for the event ssl_conn_server_reply.
+ *
+ * \param sslVersion the SSL version for which the event occured
+ *
+ * \see SSLProxy_Analyzer::SSL_Versions
+ */
+void SSL_Interpreter::fire_ssl_conn_server_reply(uint16 sslVersion,
+						TableVal* currentCipherSuites)
+	{
+	EventHandlerPtr event = ssl_conn_server_reply;
+	if ( event )
+		{
+		val_list* vl = new val_list;
+		vl->append(proxy->BuildConnVal());
+		vl->append(new Val(sslVersion, TYPE_INT));
+		vl->append(currentCipherSuites);
+
+		proxy->ConnectionEvent(event, vl);
+		}
+	}
+
+/*!
+ * Wrapper function for the event ssl_conn_established.
+ *
+ * \param sslVersion the SSL version for which the event occured
+ * \param cipherSuite constant indicating the used SSL cipher suite
+ *
+ * \see SSLProxy_Analyzer::SSL_Versions, SSLv2_CipherSpecs and SSL3_1_CipherSpec.
+ */
+void SSL_Interpreter::fire_ssl_conn_established(uint16 sslVersion,
+						uint32 cipherSuite)
+	{
+	EventHandlerPtr event = ssl_conn_established;
+	if ( event )
+		{
+		val_list* vl = new val_list;
+		vl->append(proxy->BuildConnVal());
+		vl->append(new Val(sslVersion, TYPE_INT));
+		vl->append(new Val(cipherSuite, TYPE_COUNT));
+
+		proxy->ConnectionEvent(event, vl);
+		}
+
+	}
+
+/*!
+ * Wrapper function for the event ssl_conn_reused
+ *
+ * \param pData Pointer to a SSL_DataBlock which contains the SSL session ID
+ *        of the originating ssl session.
+ */
+void SSL_Interpreter::fire_ssl_conn_reused(const SSL_DataBlock* pData)
+	{
+	EventHandlerPtr event = ssl_conn_reused;
+	if ( event )
+		{
+		val_list* vl = new val_list;
+		vl->append(proxy->BuildConnVal());
+		vl->append(MakeSessionID(pData->data, pData->len));
+		proxy->ConnectionEvent(event, vl);
+		}
+	}
+
+/*!
+ * Wrapper function for the event ssl_conn_alert
+ *
+ * \param sslVersion the SSL version for which the event occured
+ * \param level constant indicating the level of severity
+ * \param description constant indicating the type of alert/error
+ *
+ * \see SSLProxy_Analyzer::SSL_Versions, SSL3x_AlertLevel, SSL3_1_AlertDescription
+ *      and SSLv2_ErrorCodes.
+ */
+void SSL_Interpreter::fire_ssl_conn_alert(uint16 sslVersion, uint16 level,
+						uint16 description)
+	{
+	if ( ssl_conn_alert )
+		{
+		EventHandlerPtr event = ssl_conn_alert;
+		if ( event )
+			{
+			val_list* vl = new val_list;
+			vl->append(proxy->BuildConnVal());
+			vl->append(new Val(sslVersion, TYPE_INT));
+			vl->append(new Val(level, TYPE_COUNT));
+			vl->append(new Val(description, TYPE_COUNT));
+
+			proxy->ConnectionEvent(event, vl);
+			}
+		}
+	}
+
+// Generate a session ID table.  Returns an empty table
+// if len is zero.
+TableVal* SSL_Interpreter::MakeSessionID(const u_char* data, int len)
+	{
+	TableVal* sessionIDTable = new TableVal(SSL_sessionID);
+
+	if ( ! len )
+		return sessionIDTable;
+
+	for ( int i = 0; i < len; i += 4 )
+		{
+		uint32 temp = (data[i] << 24) | (data[i + 1] << 16) |
+			      (data[i + 2] << 8) | data[i + 3];
+
+		Val* index = new Val(i / 4, TYPE_COUNT);
+
+		sessionIDTable->Assign(index, new Val(temp, TYPE_COUNT));
+
+		Unref(index);
+		}
+
+	return sessionIDTable;
+	}
+
+
+//--- SSL_InterpreterEndpoint -------------------------------------------------
+
+/*!
+ * The constructor.
+ *
+ * \param interpreter Pointer to the instance of an SSL_Interpreter to which
+ *                    this endpoint belongs to.
+ * \param is_orig true if this endpoint is the originator of the connection,
+ *                false otherwise
+ * SC: an adjustment was made here since the endpoints are now assosciated with
+ * TCP_Contents base objects rather than TCP_Endpoint.
+ */
+SSL_InterpreterEndpoint::SSL_InterpreterEndpoint(SSL_Interpreter* arg_interpreter,
+							bool arg_is_orig )
+	{
+	interpreter = arg_interpreter;
+	is_orig = arg_is_orig;
+	proxyEndpoint = new Contents_SSL(interpreter->Proxy()->Conn(), is_orig);
+	ourProxyEndpoint = true;
+	}
+
+/*!
+ * The destructor.
+ */
+SSL_InterpreterEndpoint::~SSL_InterpreterEndpoint()
+	{
+	SetProxyEndpoint(0);
+	}
+
+/*!
+ * \return true if there's currently data pending for this endpoint,
+ *         false otherwise
+ */
+bool SSL_InterpreterEndpoint::isDataPending()
+	{
+	return proxyEndpoint->isDataPending();
+	}
+
+/*!
+ * Sets the peer of this endpoint.
+ *
+ * \param p Pointer to an interpreter endpoint which will be set as the peer
+ *          of this endpoint.
+ */
+void SSL_InterpreterEndpoint::SetPeer(SSL_InterpreterEndpoint* p)
+	{
+	peer = p;
+	}
+
+/*!
+ * Sets the proxy endpoint of this endpoint.
+ *
+ * \param p Pointer to a Contents_SSL analyzer which will be set as the proxy endpoint
+ *          of this endpoint.
+ */
+void SSL_InterpreterEndpoint::SetProxyEndpoint(Contents_SSL* p)
+	{
+	if ( ourProxyEndpoint )
+		{
+		proxyEndpoint->Done();
+		delete proxyEndpoint;
+		ourProxyEndpoint = false;
+		}
+
+	proxyEndpoint = p;
+	}
+
+/*!
+ * \return is_orig true if this endpoint is the originator of the connection,
+ *                 false otherwise
+ */
+int SSL_InterpreterEndpoint::IsOrig() const
+	{
+	return is_orig;
+	}
+
+/*!
+ * \return the peer of this endpoint
+ */
+SSL_InterpreterEndpoint* SSL_InterpreterEndpoint::Peer() const
+	{
+	return peer;
+	}
+
+/*!
+ * \return the interpreter of this endpoint
+ */
+SSL_Interpreter* SSL_InterpreterEndpoint::Interpreter() const
+	{
+	return interpreter;
+	}
+
+// --- CertStore --------------------------------------------------------------
+
+/*
+ * The constructor.
+ *
+ * \param ip ip adress where this certificate came from
+ * \param port port number where this certificate came from
+ * \param hash hahssum for this certificate
+ * \param size of this certificate in bytes
+ */
+CertStore::CertStore(uint32 ip, uint32 arg_port, hash_t hash, int size)
+	{
+	ip_addr = ip;
+	certHash = hash;
+	certSize = size;
+	isValid = -1;
+	changes = 0;
+	port = arg_port;
+	}
+
+/*
+ * This method can be used to compare certificates by certain criterias.
+ *
+ * \param hash hashsum of the certificate to compare
+ * \param size size of the certificate to compare
+ *
+ * \return true if the criterias match, false otherwise
+ */
+bool CertStore::isSameCert(hash_t hash, int length)
+	{
+	return hash == certHash && length == certSize;
+	}
diff --git a/src/SSLInterpreter.h b/src/SSLInterpreter.h
new file mode 100644
index 0000000000..27ef2500d5
--- /dev/null
+++ b/src/SSLInterpreter.h
@@ -0,0 +1,142 @@
+// $Id: SSLInterpreter.h 5988 2008-07-19 07:02:12Z vern $
+
+#ifndef sslinterpreter_h
+#define sslinterpreter_h
+
+#include "util.h"
+#include "SSLProxy.h"
+
+// --- forward declarations ----------------------------------------------------
+
+class SSLProxy_Analyzer;
+class Contents_SSL;
+class SSL_InterpreterEndpoint;
+class SSL_DataBlock;
+
+// --- SSL_Interpreter --------------------------------------------------------
+
+/*!
+ * \brief This class is the abstract base-class for the different ssl
+ *        interpreters used for the different ssl versions.
+ *
+ * Since there is currently no support in Bro for a change of the connection
+ * type (IMAP -> TLS, for example), we decided not to inherit from the class
+ * Connection. This way, we can easily switch to SSLv3x after we've seen (and
+ * analyzed) a SSLv2 client hello record with a version number > SSLv2.
+ *
+ * There currently two (non-abstract) interpreters: SSLv2_Interpreter and
+ * SSLv3_Interpreter. The first one supports SSL 2.0, the second one supports
+ * both SSL 3.0 and SSL 3.1/TLS 1.0.
+ *
+ * See SSLProxy_Analyzer for additional information.
+ */
+class SSL_Interpreter {
+public:
+	SSL_Interpreter(SSLProxy_Analyzer* proxy);
+	virtual ~SSL_Interpreter();
+
+	static uint32 analyzedCertificates; ///< how often analyzeCertificate() has been called
+	static uint32 verifiedCertificates; ///< how many certificates have actually been verified
+	static uint32 failedCertificates;   ///< how many certificates have failed verification
+	static uint32 certificateChains;    ///< counter for certificate chains
+
+	// In order to initialize the correct SSL_InterpreterEndpoints,
+	// override it in the corresponding subclass.
+	virtual void BuildInterpreterEndpoints() = 0;
+	virtual void Init();
+
+	SSL_InterpreterEndpoint* Orig() const;
+	SSL_InterpreterEndpoint* Resp() const;
+	SSLProxy_Analyzer* Proxy() const;
+	int Is_Orig(SSL_InterpreterEndpoint* p) const;
+
+	virtual void analyzeCertificate(SSL_InterpreterEndpoint* s,
+					 const u_char* data, int length,
+					 uint8 type, bool isChain);
+
+	void Weird(const char* name) const;
+
+	static void printStats();
+
+	void fire_ssl_conn_attempt(uint16 sslVersion,
+					TableVal* currentCipherSuites);
+	void fire_ssl_conn_server_reply(uint16 sslVersion,
+					TableVal* currentCipherSuites);
+	void fire_ssl_conn_established(uint16 sslVersion, uint32 cipherSuite);
+	void fire_ssl_conn_reused(const SSL_DataBlock* pData);
+	void fire_ssl_conn_alert(uint16 sslVersion, uint16 level,
+					uint16 description);
+
+protected:
+	TableVal* MakeSessionID(const u_char* data, int len);
+
+	SSLProxy_Analyzer* proxy;
+	SSL_InterpreterEndpoint* orig;
+	SSL_InterpreterEndpoint* resp;
+};
+
+// --- SSL_InterpreterEndpoint ------------------------------------------------
+
+/*!
+ * \brief This abstract class represents the SSL_InterpreterEndpoints for the
+ *        SSL_Interpreter.
+ *
+ * The key-method is Deliver() which receives the ssl records
+ * from the SSLProxy_Analyzer. So overwrite the Deliver()-method and do
+ * whatever analysis on the record content (and/or pass it to the corresponding
+ * SSL_Interpreter).
+ */
+class SSL_InterpreterEndpoint {
+public:
+	SSL_InterpreterEndpoint(SSL_Interpreter* interpreter, bool is_orig);
+	virtual ~SSL_InterpreterEndpoint();
+
+	/**This method is called by corresponding SSLProxy_Analyzer and
+	 * delivers the data.
+	 * @param t time, when the segment was received by bro (?)
+	 * @param len length of TCP-Segment
+	 * @param data content of TCP-Segment
+	 */
+	virtual void Deliver(int len, const u_char* data) = 0;
+	bool isDataPending();
+	void SetPeer(SSL_InterpreterEndpoint* p);
+	int IsOrig() const;
+	SSL_InterpreterEndpoint* Peer() const;
+	SSL_Interpreter* Interpreter() const;
+
+	Contents_SSL* GetProxyEndpoint()	{ return proxyEndpoint; }
+
+	void SetProxyEndpoint(Contents_SSL* proxyEndpoint);
+
+protected:
+	SSL_Interpreter* interpreter;  ///< Pointer to the SSL_Interpreter to which this endpoint belongs to
+	SSL_InterpreterEndpoint* peer; ///< Pointer to the peer of this endpoint
+	Contents_SSL* proxyEndpoint; ///< Pointer to the corresponding Contents_SSL
+	bool ourProxyEndpoint;	// true if we need to delete the proxyEndpoint
+	int is_orig;                   ///< true if this endpoint is the originator of the connection, false otherwise
+};
+
+// --- class CertStore --------------------------------------------------------
+/*!
+ * \brief This class is used to store some information about a X509 certificate.
+ *
+ * To save memory, we only store some characteristic criterias about a
+ * certificate, that's currently it's size and a hashsum.
+ *
+ * \note This class is currently <b>experimental</b>.
+ */
+class CertStore {
+public:
+	uint32 ip_addr; ///< ip address where this certificate is from
+	uint32 port;    ///< port number where this certificate is from
+
+	int certSize;    ///< size of the certificate in bytes
+	hash_t certHash; ///< hashsum obver the entire certificate
+	int isValid;     ///< boolean value indicating if the certificate is valid
+	int changes;     ///< counter for how often this certificate has changed for the above ip + port number
+
+	CertStore(uint32 ip, uint32 port, hash_t hash, int size);
+	bool isSameCert(hash_t hash, int length);
+};
+
+#endif
diff --git a/src/SSLProxy.cc b/src/SSLProxy.cc
new file mode 100644
index 0000000000..a0cf73b8fb
--- /dev/null
+++ b/src/SSLProxy.cc
@@ -0,0 +1,832 @@
+// $Id: SSLProxy.cc 6008 2008-07-23 00:24:22Z vern $
+
+#include "SSLProxy.h"
+#include "SSLv3.h"
+#include "SSLv2.h"
+
+// --- Initalization of static variables --------------------------------------
+
+uint SSLProxy_Analyzer::totalPackets = 0;
+uint SSLProxy_Analyzer::totalRecords = 0;
+uint SSLProxy_Analyzer::nonSSLConnections = 0;
+
+// --- SSL_DataBlock --------------------------------------------------------
+
+/*!
+ * This constructor will allocate a block of data on the heap. If min_len is
+ * given, it will determine the minimum size of the new block. The data block
+ * referenced by data will be then be copied into the new block.
+ *
+ * \param data    Pointer to the data which will be copied into the newly
+ *                allocated heap block.
+ * \param len     Length of the data block to copy.
+ * \param min_len The minimum size of data to allocate on the heap, can be omitted.
+ */
+
+SSL_DataBlock::SSL_DataBlock(const u_char* arg_data, int len, int min_len)
+	{
+	// For performance reasons, we allocate at least min_len.
+	if ( len < min_len )
+		{
+		data = new u_char[min_len];
+		size = min_len;
+		}
+	else
+		{
+		data = new u_char[len];
+		this->size = len;
+		}
+
+	memcpy(data, arg_data, len);
+	this->len = len;
+	next = 0;
+	}
+
+/*!
+ * This is an experimental function which will print the contents of the
+ * internal data block in a human-readable fashion to a stream.
+ *
+ * \param stream The stream for printing the data block to.
+ */
+
+void SSL_DataBlock::toStream(FILE* stream) const
+	{
+	if ( len <= 0 )
+		return;
+
+	int idx;
+	for ( idx = 0; idx < len-1; ++idx )
+		fprintf(stream, "%02X:", data[idx]);
+
+	fprintf(stream, "%02X", data[idx]);
+	}
+
+/*!
+ * This is an experimental function which will print the contents of the
+ * internal data block in a human-readable fashion to a string.
+ *
+ * \return A string which has to be freed by the caller.
+ */
+
+char* SSL_DataBlock::toString() const
+	{
+	if ( len <= 0 )
+		{
+		// Currently, we return an empty string if data block is empty.
+		char* pDummy = new char[1];
+		pDummy[0] = '\0';
+		return pDummy;
+		}
+
+	char* pString = new char[len*3];
+	char* pItx = pString;
+
+	int idx;
+	for ( idx = 0; idx < len-1; ++idx )
+		{
+		sprintf(pItx, "%02X:", data[idx]);
+		pItx += 3;
+		}
+
+	sprintf(pItx, "%02X", data[idx]);
+
+	return pString;
+	}
+
+// --- SSL_RecordBuilder ------------------------------------------------------
+
+uint SSL_RecordBuilder::maxAllocCount = 0;
+uint SSL_RecordBuilder::maxFragmentCount = 0;
+uint SSL_RecordBuilder::fragmentedHeaders = 0;
+
+/*!
+ * The constructor takes an Contents_SSL as parameter. Whenever a SSL
+ * record has been reassembled, the DoDeliver() function of this
+ * Contents_SSL will be called.
+ *
+ * \param sslEndpoint The Contents_SSL to which this instance of
+ *        SSL_RecordBuilder is bound.
+ */
+
+SSL_RecordBuilder::SSL_RecordBuilder(Contents_SSL* arg_sslEndpoint)
+	{
+	head = tail = 0;
+	currentSize = 0;
+	expectedSize = -1; // -1 means we don't know yet
+	hasPendingData = false;
+	fragmentCounter = 0;
+	neededSize = 5;  // we need at least 5 bytes to determine version
+
+	sslEndpoint = arg_sslEndpoint;
+	}
+
+/*!
+ * The destructor frees the chain of SSL_DataBlocks.
+ */
+
+SSL_RecordBuilder::~SSL_RecordBuilder()
+	{
+	// Free the data chain.
+	SSL_DataBlock* idx = head;
+	SSL_DataBlock* rm;
+
+	while ( idx )
+		{
+		rm  = idx;
+		idx = idx->next;
+		delete rm;
+		}
+	}
+
+/*!
+ * This function is the main entry point of the class. Call it with a segment
+ * of data to process.
+ *
+ * \param data   pointer to a data segment that will be reassembled
+ * \param length length of the data segment to be reassembled
+ *
+ * \return true if succesfull, false otherwise
+ */
+
+bool SSL_RecordBuilder::addSegment(const u_char* data, int length)
+	{
+	while ( length > 0 )
+		{
+		if ( ! head )
+			{
+			// This is the first fragment of a SSLv2 record,
+			// so we analyze the header.
+
+			// Special case: SSL header has been fragmented.
+			if ( length < neededSize )
+				{
+				// We can't determine the record size yet,
+				// so we just add this stuff.
+				++fragmentedHeaders;
+				head = tail = new SSL_DataBlock(data, length,
+								MIN_ALLOC_SIZE);
+				currentSize += length;
+				expectedSize = -1;	// special meaning
+				break;
+				}
+
+			// Get the expected length of this record.
+			if ( ! computeExpectedSize(data, length) )
+				return false;
+
+			// Insert weird here replacing assert.
+			if ( neededSize > expectedSize )
+				{
+				sslEndpoint->Weird("SSL_RecordBuilder::addSegment neededSize > expectedSize");
+				return false;
+				}
+
+			if ( tail != 0 )
+				{
+				sslEndpoint->Parent()->Weird("SSL_RecordBuilder::addSegment tail != 0");
+				return false;
+				}
+
+			if ( length > expectedSize )
+				{
+				// No fragmentation -> no memory-reallocation.
+				// We have additional data pending.
+				hasPendingData = true;
+				sslEndpoint->DoDeliver(expectedSize, data);
+				length -= expectedSize;
+				data += expectedSize;
+				expectedSize = -1;
+				}
+
+			else if ( length == expectedSize )
+				{
+				// No fragmentation -> no memory-reallocation.
+				// No additional data pending.
+				hasPendingData = false;
+				sslEndpoint->DoDeliver(expectedSize, data);
+				length -= expectedSize;
+				data += expectedSize;
+				expectedSize = -1;
+				break;
+				}
+			else
+
+				{
+				// First fragment of a record.
+				head = tail = new SSL_DataBlock(data, length,
+								MIN_ALLOC_SIZE);
+				currentSize += length;
+				break;
+				}
+
+			continue;
+			}
+
+		// ! head.
+		// We already have some data, so add the current
+		// segment special case.
+		if ( expectedSize < 0 )
+			{
+			// We don't know the expected size of
+			// this record yet.
+			if ( currentSize + length < neededSize )
+				{
+				// We still can't determine the expected size,
+				// so we just add the current fragment.
+				addData(data, length);
+				break;
+				}
+
+			// Now we can determine the expected size the
+			// header has been fragmented, so we have to
+			// reassemble it.
+			uint8 Header[neededSize];
+			memcpy(Header, head->data, head->len);
+			memcpy(Header + head->len, data, neededSize - head->len);
+			if ( ! computeExpectedSize(Header, neededSize) )
+				{
+				// Since neededSize <= MIN_ALLOC_SIZE,
+				// we free only head.
+				delete head;
+				head = tail = 0;
+				return false;
+				}
+
+			if ( neededSize > expectedSize )
+				{
+				sslEndpoint->Parent()->Weird("SSL_RecordBuilder::addSegment neededSize > expectedSize");
+				return false;
+				}
+
+			// No break, go on with this packet.
+			}
+
+		if ( currentSize + length == expectedSize )
+			{ // this is exactly the last segment of the record
+			hasPendingData = false;
+
+			// Create a continuous data structure and call
+			// DoDeliver().
+			u_char* pBlock = assembleBlocks(data, length);
+			sslEndpoint->DoDeliver(expectedSize, pBlock);
+			delete [] pBlock;
+			expectedSize = -1;
+			break;
+			}
+
+		else if ( currentSize + length < expectedSize )
+			{ // another (middle) segment
+			if ( length <= MIN_FRAGMENT_SIZE )
+				sslEndpoint->Parent()->Weird( "SSLProxy: Excessive small TCP Segment!" );
+
+			addData(data, length);
+			break;
+			}
+
+		else
+			{
+			// This is the last fragment of the current record,
+			// but there's more data in this segment.
+			int deltaSize = expectedSize - currentSize;
+			hasPendingData = true;
+
+			// Create a continuous data structure and call
+			// DoDeliver().
+			u_char* pBlock = assembleBlocks(data, deltaSize);
+			sslEndpoint->DoDeliver(expectedSize, pBlock);
+			delete [] pBlock;
+			expectedSize = -1;
+
+			// Process the rest.
+			length -= deltaSize;
+			data += deltaSize;
+			}
+		} // while
+
+	return true;
+	}
+
+/*!
+ * This function is called internally by addSegment(), and add's a new SSL
+ * record fragment to the internally used list of SSL_DataBlocks. Note that
+ * the data will be copied!
+ *
+ * \param data   pointer to the data that will be added
+ * \param length length of the data that will be added
+ */
+
+inline void SSL_RecordBuilder::addData(const u_char* data, int length)
+	{
+	++fragmentCounter;
+
+	// Check if there's some space left in the last datablock.
+	int bytesLeft = tail->size - tail->len;
+	if ( bytesLeft > 0 )
+		{
+		// There's some space left in the last data block.
+		if ( bytesLeft >= length )
+			{
+			// We can store all bytes in the last data block.
+			memcpy(tail->data + tail->len, data, length);
+			tail->len += length;
+			currentSize += length;
+			}
+		else
+			{
+			// We cannot store all bytes in the last data block,
+			// so we also need to add a new one.
+			memcpy(tail->data + tail->len, data, bytesLeft);
+			tail->len = tail->size;
+			currentSize += length;
+
+			data += bytesLeft;
+			length -= bytesLeft;
+
+			tail->next = new SSL_DataBlock(data, length, MIN_ALLOC_SIZE);
+			tail = tail->next;
+			}
+		}
+
+	else
+		{
+		// Last data block is full.
+		tail->next = new SSL_DataBlock(data, length, MIN_ALLOC_SIZE);
+		tail = tail->next;
+		currentSize += length;
+		}
+	}
+
+/*!
+ * This function is called internally by addSegment(), whenever a SSL record
+ * has been fully received. It creates a single data block from the list of
+ * SSL record fragments while freeing them.
+ *
+ * \param data   pointer to the last SSL record fragment
+ * \param length size of the last SSL record fragment
+ *
+ * \return pointer to a data block which contains the reassembled SSL record
+ */
+
+u_char* SSL_RecordBuilder::assembleBlocks(const u_char* data, int length)
+	{
+	// We don't store the last SSL record fragment in a DataBlock,
+	// instead we get it directly as parameter.
+	u_char* dataptr = new u_char[currentSize + length];
+	u_char* nextseg = dataptr;
+
+	SSL_DataBlock* idx = head;
+	SSL_DataBlock* rm;
+	uint allocCounter = 0;
+
+	while ( idx )
+		{
+		++allocCounter;
+		memcpy(nextseg, idx->data, idx->len);
+		nextseg += idx->len;
+		rm = idx;
+		idx = idx->next;
+		delete rm;
+		}
+
+	// The last fragment isn't stored in a datablock.
+	memcpy(nextseg, data, length);
+
+	// The first and last fragments aren't counted.
+	fragmentCounter += 2;
+
+	// Update statistics.
+	if ( allocCounter > maxAllocCount )
+		maxAllocCount = allocCounter;
+
+	if ( fragmentCounter > maxFragmentCount )
+		maxFragmentCount = fragmentCounter;
+
+	fragmentCounter = 0;
+	currentSize = 0;
+	head = tail = 0;
+
+	return dataptr;
+	}
+
+/*!
+ * This method is called internally by computeExpectedSize(), when the SSL
+ * record format has not been determined yet. It tries to do so by using
+ * heuristics, since there's no definitive way to distinguish SSLv2 vs. SSLv3
+ * record headers.
+ *
+ * \param data   pointer to a data block containing the SSL record to analyze
+ * \param length length of the SSL record to analyze, has to be >= neededSize!
+ *
+ * \return
+ *         -  2 for SSLv2 record format
+ *         -  3 for SSLv3 record format
+ *         - -1 if an error occurred
+ */
+
+int SSL_RecordBuilder::analyzeSSLRecordFormat(const u_char* data, int length)
+	{
+	// We have to use heuristics for this one.
+
+	if ( length < neededSize )
+		{
+		sslEndpoint->Parent()->Weird("SSLProxy: analyzeSSLRecordFormat length < neededSize");
+		return -1;
+		}
+
+	bool found_ssl3x = 0;
+	bool found_ssl2x = 0;
+
+	// SSLv3x-check.
+	SSL3_1_ContentType ct = SSL3_1_ContentType(uint8(*data));
+	switch ( ct ) {
+	case SSL3_1_TYPE_CHANGE_CIPHER_SPEC:
+	case SSL3_1_TYPE_ALERT:
+	case SSL3_1_TYPE_HANDSHAKE:
+	case SSL3_1_TYPE_APPLICATION_DATA:
+		{
+		sslEndpoint->sslVersion = ((data[1]) << 8) | data[2];
+		uint16 v = sslEndpoint->sslVersion;
+		if ( v == uint16(SSLProxy_Analyzer::SSLv30) ||
+		     v == uint16(SSLProxy_Analyzer::SSLv31) )
+			found_ssl3x = true;
+		break;
+		}
+	}
+
+	// SSLv2 check.
+	// We look for CLIENT-HELLOs, SERVER-HELLOs and ERRORs.
+	const u_char* pContents = data;
+	uint offset = 0;
+	uint16 size = 0;
+	if ( (data[0] & 0x80) > 0 )
+		{ // we have a two-byte record header
+		offset = 2;
+		size = (((data[0] & 0x7f) << 8) | data[1]) + 2;
+		}
+	else
+		{ // we have a three-byte record header
+		offset = 3;
+		size = (((data[0] & 0x3f) << 8) | data[1]) + 3;
+		}
+	pContents += offset;
+
+	switch ( SSLv2_MessageTypes(pContents[0]) ) {
+	case SSLv2_MT_ERROR:
+		if ( size == SSLv2_ERROR_RECORD_SIZE + offset)
+			{
+			found_ssl2x = true;
+			sslEndpoint->sslVersion =
+				uint16(SSLProxy_Analyzer::SSLv20);
+			}
+		break;
+
+	case SSLv2_MT_CLIENT_HELLO:
+		{
+		sslEndpoint->sslVersion =
+			uint16(pContents[1] << 8) | pContents[2];
+		uint16 v = sslEndpoint->sslVersion;
+
+		if ( v == SSLProxy_Analyzer::SSLv20 ||
+		     v == SSLProxy_Analyzer::SSLv30 ||
+		     v == SSLProxy_Analyzer::SSLv31 )
+			found_ssl2x = true;
+		break;
+		}
+
+	case SSLv2_MT_SERVER_HELLO:
+		{
+		sslEndpoint->sslVersion =
+			uint16(pContents[3] << 8) | pContents[4];
+		uint16 v = sslEndpoint->sslVersion;
+
+		if ( v == SSLProxy_Analyzer::SSLv20 ||
+		     v == SSLProxy_Analyzer::SSLv30 ||
+		     v == SSLProxy_Analyzer::SSLv31 )
+			found_ssl2x = true;
+		break;
+		}
+
+	default:
+		break;
+	}
+
+	// Consistency checks.
+	if ( (found_ssl3x || found_ssl2x) == false )
+		{
+		sslEndpoint->Parent()->Weird("SSLProxy: Could not determine SSL version!");
+		return -1;
+		}
+
+	if ( (found_ssl3x && found_ssl2x) == true )
+		{
+		sslEndpoint->Parent()->Weird("SSLProxy: Found ambigous SSL version!");
+		return -1;
+		}
+
+	if ( found_ssl2x )
+		return 2;
+	else
+		return 3;
+	}
+
+/*!
+ * This method is called internally by addSegment() to determine the expected
+ * size of a SSL record.
+ *
+ * \param data   pointer to the SSL record to analyze
+ * \param length length of the SSL record to analyze
+ *
+ * \return true if succesfull, false otherwise
+ */
+
+bool SSL_RecordBuilder::computeExpectedSize(const u_char* data, int length)
+	{
+	if ( sslEndpoint->sslRecordVersion < 0 )
+		{
+		// We don't know the ssl record format yet, so we try
+		// to find out.
+		sslEndpoint->sslRecordVersion =
+			analyzeSSLRecordFormat(data, length);
+
+		if ( sslEndpoint->sslRecordVersion != 2 &&
+		     sslEndpoint->sslRecordVersion != 3 )
+			// We could not determine the ssl record version.
+			return false;
+		}
+
+	// Get the expected length of this record.
+	if ( sslEndpoint->sslRecordVersion == 2 )
+		{
+		if ( (data[0] & 0x80) > 0 )
+			// We have a two-byte record header.
+			expectedSize = (((data[0] & 0x7f) << 8) | data[1]) + 2;
+		else
+			// We have a three-byte record header.
+			expectedSize = (((data[0] & 0x3f) << 8) | data[1]) + 3;
+		}
+
+	else if ( sslEndpoint->sslRecordVersion == 3 )
+		expectedSize = ((data[3] << 8) | data[4]) + 5;
+
+	if ( expectedSize < neededSize )
+		{
+		// This should never happen (otherwise: UNTESTED).
+		sslEndpoint->Parent()->Weird( "SSLProxy: expectedSize < neededSize in RecordBuilder!" );
+		return false;
+		}
+
+	return true;
+	}
+
+
+// --- SSL_Connection_Proxy ---------------------------------------------------
+
+bool SSLProxy_Analyzer::bInited = false;
+
+SSLProxy_Analyzer::SSLProxy_Analyzer(Connection* conn)
+: TCP_ApplicationAnalyzer(AnalyzerTag::SSL, conn)
+	{
+	sSLv2Interpreter = new SSLv2_Interpreter(this);
+	sSLv3xInterpreter = new SSLv3_Interpreter(this);
+	sSLInterpreter = 0;
+	bPassThrough = false;
+	if ( ! bInited )
+		{
+		BuildCipherDict();
+		bInited = true;
+		}
+
+	AddSupportAnalyzer(sslpeo = new Contents_SSL(conn, true));
+	AddSupportAnalyzer(sslper = new Contents_SSL(conn, false));
+	}
+
+SSLProxy_Analyzer::~SSLProxy_Analyzer()
+	{
+	delete sSLv2Interpreter;
+	delete sSLv3xInterpreter;
+	}
+
+void SSLProxy_Analyzer::Init()
+	{
+	TCP_ApplicationAnalyzer::Init();
+
+	sSLv2Interpreter->Init();
+	sSLv3xInterpreter->Init();
+
+	sSLv2Interpreter->Orig()
+		->SetProxyEndpoint(sSLv3xInterpreter->Orig()->GetProxyEndpoint());
+	sSLv2Interpreter->Resp()
+		->SetProxyEndpoint(sSLv3xInterpreter->Resp()->GetProxyEndpoint());
+	}
+
+void SSLProxy_Analyzer::BuildCipherDict()
+	{
+	for ( uint idx = 0; idx < SSL_CipherSpecs_Count; ++idx )
+		{
+		HashKey h(static_cast<bro_uint_t>(SSL_CipherSpecs[idx].identifier));
+		SSL_CipherSpecDict.Insert(&h, &SSL_CipherSpecs[idx]);
+		}
+	}
+
+void SSLProxy_Analyzer::NewSSLRecord(Contents_SSL* endp,
+					int len, const u_char* data)
+	{
+	// This is to extract only SSLv2 traffic.
+	if ( recordSSLv2Traffic )
+		{
+		uint16 sslVersion = 0;
+		if ( (data[0] & 0x80) > 0 )
+			// We have a two-byte record header.
+			sslVersion = (data[3] << 8) | data[4];
+		else
+			// We have a three-byte record header.
+			sslVersion = (data[4] << 8) | data[5];
+
+		if ( ! endp->IsSSLv2Record() ||
+		     sslVersion != SSLProxy_Analyzer::SSLv20 )
+			{
+			SetSkip(1);
+			Conn()->SetRecordPackets(0);
+			Conn()->SetRecordContents(0);
+			// FIXME: Could do memory cleanup here.
+			}
+		else
+			// No analysis - only recording.
+			SetSkip(1);
+
+		return;
+		}
+
+	if ( bPassThrough )
+		{
+		DoDeliver(len, data, endp->IsOrig());
+		return;
+		}
+
+	if ( ! endp->IsSSLv2Record() )
+		{
+		// It's TLS or SSLv3, so we are done ...
+		sSLInterpreter = sSLv3xInterpreter;
+		bPassThrough = true;
+		// Tell the other record builder we have SSLv3x.
+		endp->sslRecordVersion = 3;
+		DoDeliver(len, data, endp->IsOrig());
+		}
+
+	else
+		{ // we have a SSLv2 record ...
+		sSLInterpreter = sSLv2Interpreter;
+
+		// Check whether it's the first or second we've seen ...
+		if ( sslpeo->VersionRecognized() &&
+		     sslper->VersionRecognized() )
+			{
+			// Second record we've seen.
+			// O.K. Both endpoints recognized the version.
+			// So this needs to be an SSLv2-Connection ...
+			bPassThrough = true;
+			DoDeliver(len, data, endp->IsOrig());
+			}
+
+		// First record we see.
+		// The next one may be SSLv2 or SSLv3x,
+		// we don't know yet ...
+		else if ( endp->sslVersion == SSLv20 )
+			{
+			// The client supports only SSLv2, so we're done.
+			bPassThrough = true;
+			endp->sslRecordVersion = 2;
+			endp->sslVersion = SSLv20;
+			DoDeliver(len, data, endp->IsOrig());
+			}
+
+		else
+			{
+			bPassThrough = false;
+			DoDeliver(len, data, endp->IsOrig());
+
+			// Transfer the state of the SSLv2-Interpreter
+			// to the state of the SSLv3x-Interpreter ...
+			if ( ((SSLv2_Interpreter*) sSLInterpreter)->ConnState() == CLIENT_HELLO_SEEN )
+				((SSLv3_Interpreter*) sSLv3xInterpreter)->SetState(SSL3_1_STATE_CLIENT_HELLO_SENT);
+			}
+		}
+	}
+
+void SSLProxy_Analyzer::DoDeliver(int len, const u_char* data, bool orig)
+	{
+	if ( orig )
+		sSLInterpreter->Orig()->Deliver(len, data);
+	else
+		sSLInterpreter->Resp()->Deliver(len, data);
+	}
+
+void SSLProxy_Analyzer::printStats()
+	{
+	printf("SSLProxy_Analyzer::totalPackets = %u\n", totalPackets);
+	printf("SSLProxy_Analyzer::totalRecords = %u\n", totalRecords);
+	printf("SSLProxy_Analyzer::nonSSLConnections = %u\n", nonSSLConnections);
+	}
+
+
+void SSLProxy_Analyzer::Weak(const char* name)
+	{
+	if ( ssl_conn_weak )
+		Event(ssl_conn_weak, name);
+	}
+
+// --- Contents_SSL ------------------------------------------------------
+
+/*!
+ * mod Contents_SSL::Contents_SSL( TCP_Endpoint* arg_endpt, int stop_on_gap )
+ *	: TCP_Contents( arg_conn, stop_on_gap, punt_on_partial )
+ */
+
+Contents_SSL::Contents_SSL(Connection* conn, bool orig)
+: TCP_SupportAnalyzer(AnalyzerTag::Contents_SSL, conn, orig)
+	{
+	sslRecordBuilder = new SSL_RecordBuilder(this);
+	bVersionRecognized = false;
+	bIsSSLv2Record = false;
+
+	sslRecordVersion = -1;	// -1 means we don't know yet
+	sslVersion =  0;	// 0 means we don't know yet
+	}
+
+Contents_SSL::~Contents_SSL()
+	{
+	delete sslRecordBuilder;
+	}
+
+bool Contents_SSL::isDataPending()
+	{
+	return sslRecordBuilder->isDataPending();
+	}
+
+void Contents_SSL::DeliverStream(int len, const u_char* data, bool orig)
+	{
+	TCP_SupportAnalyzer::DeliverStream(len, data, orig);
+
+	TCP_Analyzer* tcp = static_cast<TCP_ApplicationAnalyzer *>(Parent())->TCP();
+	assert(tcp);
+
+	if ( tcp->HadGap(orig) || tcp->IsPartial() )
+		 return;
+
+	++SSLProxy_Analyzer::totalPackets;
+
+	TCP_Endpoint* endp = orig ? tcp->Orig() : tcp->Resp();
+
+#if 0
+	// FIXME: What's this???
+	int ack = endp->AckSeq() - endp->StartSeq();
+	int top_seq = seq + len;
+
+	if ( top_seq <= ack )
+		// There is no new data in this packet.
+		return;
+#endif
+
+	if ( len <= 0 )
+		return;
+
+	// No further processing if we have a partial connection.
+	if ( endp->state == TCP_ENDPOINT_PARTIAL ||
+	     endp->peer->state == TCP_ENDPOINT_PARTIAL )
+		{
+		Parent()->SetSkip(1);
+		Conn()->SetRecordPackets(0);
+		return;
+		}
+
+	if ( ! sslRecordBuilder->addSegment(data, len) )
+		{
+		// The RecordBuilder failed to determine the SSL record version,
+		// so we can't analyze this connection any further.
+		++SSLProxy_Analyzer::nonSSLConnections;
+		Parent()->Weird("SSL: Skipping connection (not an SSL connection?!)!");
+		Parent()->SetSkip(1);
+	    Conn()->SetRecordPackets(0);
+		}
+	}
+
+// Called by the RecordBuilder with a complete SSL record.
+void Contents_SSL::DoDeliver(int len, const u_char* data)
+	{
+	++SSLProxy_Analyzer::totalRecords;
+
+	bIsSSLv2Record = sslRecordVersion == 2;
+	bVersionRecognized = true;
+
+	((SSLProxy_Analyzer*) Parent())->NewSSLRecord(this, len, data);
+	}
+
+bool Contents_SSL::IsSSLv2Record()
+	{
+	return bIsSSLv2Record;
+	}
+
+bool Contents_SSL::VersionRecognized()
+	{
+	return bVersionRecognized;
+	}
diff --git a/src/SSLProxy.h b/src/SSLProxy.h
new file mode 100644
index 0000000000..e2d2567d52
--- /dev/null
+++ b/src/SSLProxy.h
@@ -0,0 +1,287 @@
+// $Id: SSLProxy.h 5952 2008-07-13 19:45:15Z vern $
+
+#ifndef SSLPROXY_H
+#define SSLPROXY_H
+
+#include "TCP.h"
+#include "SSLInterpreter.h"
+#include "binpac_bro.h"
+
+// --- forward declarations ---------------------------------------------------
+
+class SSL_Interpreter;
+class SSL_RecordBuilder;
+class Contents_SSL;
+
+// --- class SSL_DataBlock ----------------------------------------------------
+
+/*!
+ * \brief This class is used to store a block of data on the heap, which is
+ *        allocated and copied by the constructor, and freed by the destructor.
+ *
+ * It is mainly used by the SSL_RecordBuilder to store the received data. To
+ * reduce heap operations (HeapOps), which can be quite expensive, it is
+ * possible to let the constructor allocate a minimum heap block size. The
+ * class members keep track of how much data has been allocated and how much of
+ * it has been used. Plus, there's a pointer to the next SSL_DataBlock, for
+ * easy creation of a single-linked list.
+ */
+
+class SSL_DataBlock {
+public:
+	SSL_DataBlock(const u_char* data, int len, int min_len = 0);
+
+	int len;	///< The <b>used</b> size of the reserved heap block.
+	int size;	///< The <b>allocated</b> size of the reserved heap block.
+	u_char* data;	///< Pointer to the allocated heap block.
+	SSL_DataBlock* next;	///< Pointer to the next SSL_Datablock in the chain.
+
+	/*!
+	 * The destructor will free the allocated data block.
+	 */
+	~SSL_DataBlock() { delete [] data; }
+
+	void toStream(FILE* stream) const;
+	char* toString() const;
+};
+
+// --- class SSL_RecordBuilder ------------------------------------------------
+
+/*!
+ * \brief This class is used to reassemble SSL records from a stream of data.
+ *
+ * It supports both SSLv2 and SSLv3 record formats at the same time. The record
+ * builder has been designed to be robust, efficient and hard to attack. To add
+ * a segments of data, call addSegment(). Whenever a SSL record has been
+ * reassembled, the DoDeliver() function of the corresponding Contents_SSL
+ * will be called.
+ *
+ * Two forms of attack have been taken into consideration:
+ * -# The "fake size" attack, where the actual size of the SSL record is much
+ *    smaller then the size given in the record header. This way, an attacker
+ *    could force Bro to allocate a huge amount of memory and make it crash.
+ * -# The "small fragment" attack, where an attacker sends huge SSL records
+ *    in very small (1 byte or so) TCP segments. This could lead to a huge
+ *    amount of very small memory blocks allocated by Bro. After the last byte
+ *    of an SSL record has been received, all allocated blocks have to be
+ *    freed. Freeing something like 32K blocks of memory can be quite expensive,
+ *    so packet drops may occur, which could prevent Bro from detecting an
+ *    attacker.
+ *
+ * The current implementation always allocates a minimum size of data on the
+ * heap, which is MIN_ALLOC_SIZE. The processed SSL record fragments are stored
+ * in a single-linked list of type SSL_DataBlock.
+ *
+ * The following assumptions are made:
+ * - neededSize <= min( expectedSize )
+ * - neededSize <= MIN_ALLOC_SIZE, so the data needed to determine the SSL
+ *   record version fits in one SSL_DataBlock
+ */
+
+class SSL_RecordBuilder {
+public:
+	SSL_RecordBuilder(Contents_SSL* sslEndpoint);
+	~SSL_RecordBuilder();
+
+	static const uint MIN_ALLOC_SIZE = 16;	///< min. size of memory to alloc
+	static const int MIN_FRAGMENT_SIZE = 100;	///< min. size of a middle TCP Segment
+	static uint maxAllocCount;	///< max. number of allocated data blocks for an instance of a reassembler
+	static uint maxFragmentCount;	///< max. number of fragments for a ssl record
+	static uint fragmentedHeaders;	///< counter for the number of fragmented headers (header=neededSize)
+
+	bool addSegment(const u_char* data, int length);
+
+	/*!
+	 * Calls this method to see if there's currently data in the
+	 * record builder pending.
+	 * \return true if there's data pending, false otherwise
+	 */
+	bool isDataPending() { return hasPendingData; };
+
+protected:
+	u_char* assembleBlocks(const u_char* data, int length);
+	int analyzeSSLRecordFormat(const u_char* data, int length);
+	bool computeExpectedSize (const u_char* data, int length);
+	void addData(const u_char* data, int length);
+
+	SSL_DataBlock* head;	///< pointer to the first element in the linked list of SSL_DataBlocks
+	SSL_DataBlock* tail;	///< pointer to the last element in the linked list of SSL_DataBlocks
+	Contents_SSL*  sslEndpoint;	///< pointer to the containing Contents_SSL
+	int  expectedSize;	///< expected size of SSLv2 record including header
+	int  currentSize;	///< current bytes stored in data blocks (that is, processed size of actual record)
+	int  neededSize;	///< min. size in bytes so that the length of the current record can be determinded
+	bool hasPendingData;	///< true if there's data following in the current tcp segment
+	uint fragmentCounter;	///< counter for the number of tcp segments for the current record
+};
+
+
+// --- class SSLProxy_Analyzer ----------------------------------------------
+
+/** This class represents an SSL_Connection with two SSL_ConnectionEndpoints.
+ * Note, that this class acts as a proxy, because there are different versions
+ * of the SSL protocol in use and you don't know in advance which SSL version
+ * really will be used. This depends on the first two messages of the SSL handshake
+ * process. Because Bro offers no possibility for switching connections we
+ * decided only to inherit this proxy from TCP_Connection.
+ * The different SSL versions are implemented in classed derived from
+ * SSL_Interpreter/SSL_InterpreterEndpoint and so, we can easily switch the flow
+ * of data to the appropriate SSL Interpreter.
+ * Currently, we support SSL Version 2.0 and 3.0/3.1(TLS)(@see SSLv2_Interpreter and @see
+ * SSLv3_Interpreter).
+ * This class holds an instance of both SSLv2- and SSLv3_Interpreter. The version
+ * of the SSL that is used for a connection is negotiated within the first
+ * two records (SSL messages): client hello and server hello.
+ * So after scanning this two records (which is mainly done in @see SSL_RecordBuilder and
+ * @see Contents_SSL) and determing the versions, it is clear which
+ * SSL version will be used for the succeding SSL records. From now
+ * on, they can be directly passed through to the appropriate SSL_Interpreter.
+ *
+ * FIXME: Now we have a dynamic analyzer framework so this could be restructured.
+ */
+class SSLProxy_Analyzer: public TCP_ApplicationAnalyzer {
+public:
+	SSLProxy_Analyzer(Connection* conn);
+	virtual ~SSLProxy_Analyzer();
+
+	static uint totalPackets;	///< counter for total ssl packets seen
+	static uint totalRecords;	///< counter for total ssl records seen
+	static uint nonSSLConnections;	///< counter for connections where we couldn't reassemble a ssl record
+
+	static const bool recordSSLv2Traffic = false;	///< if true, only recording of SSLv2 connections is done (no analysis)
+
+	static bool bInited;
+
+	enum SSL_Versions {
+		SSLv20 = 0x0002,
+		SSLv30 = 0x0300,
+		SSLv31 = 0x0301  // = TLS 1.0
+	};
+
+	/* This method is called from the corresponding Contents_SSL to
+	 * deliver the data to the SSL_ProxyConnection. It decides which
+	 * SSL_Interpreter (Version 2 or Version 3x) gets the record or
+	 * directly passes it through, if it's already clear which version
+	 * this SSL connection uses.
+	 * @param endp the sending endpoint
+	 * @param len length of SSL record
+	 * @param data the SSL record
+	 *
+	 * SC mod  - pass a TCP_Contents rather than endpoint in terms of an actual
+	 * Contents_SSL.  There is much less overall work to do since we
+	 * have already done the assosciation.
+	 */
+	void NewSSLRecord(Contents_SSL* endp, int len, const u_char* data);
+
+	// Initialises the SSLv2- and SSLv3_Interpreters.
+	virtual void Init();
+
+	// This method is used for passing messages to Bro that contain
+	// information about weaknesses in the choosen SSL encryption
+	// (short keys, unverifyable certificates, ...)
+	// @param name the name of the weakness.
+	void Weak(const char* name);
+
+	static Analyzer* InstantiateAnalyzer(Connection* conn)
+		{ return new SSLProxy_Analyzer(conn); }
+
+	static bool Available()
+		{
+		return (ssl_certificate_seen || ssl_certificate ||
+			ssl_conn_attempt || ssl_conn_server_reply ||
+			ssl_conn_established || ssl_conn_reused ||
+			ssl_conn_alert)
+			&& ! FLAGS_use_binpac;
+		}
+
+	static void printStats();
+
+protected:
+	bool bPassThrough;	///< whether it is clear which SSL version the connection will use
+
+	SSL_Interpreter* sSLv2Interpreter;	///< Interpreter for SSL version 2
+	SSL_Interpreter* sSLv3xInterpreter;	///< Interpreter for SSL version 3.0 and 3.1
+	SSL_Interpreter* sSLInterpreter;	///< Pointer to the interpreter currently in use
+
+	Contents_SSL* sslpeo;
+	Contents_SSL* sslper;
+
+	/** Internally called from this class Deliver()-method.
+	 * It delivers the data to the correct corresponding
+	 * SSL_InterpreterEndpoint.
+	 * @param endp the sending endpoint
+	 * @param t time, when the segment was received by bro (not used)
+	 * @param seq relative sequenze number (from Endpoint::start_seq) (not used)
+	 * @param len length of SSL record
+	 * @param data the SSL record
+	 */
+	void DoDeliver(int len, const u_char* data, bool orig);
+
+	// Initialises the dictionary where the SSL cipher specs are stored.
+	// It needs only to be called once for a whole bro. @see SSLDefines.h
+	void BuildCipherDict();
+};
+
+// --- class Contents_SSL ------------------------------------------------
+
+/** This class represents an endpoint of a SSLProxy_Analyzer.
+ * It receives the new data (TCP segments) within the Deliver()-method, does
+ * some basic checks on the segment and passes it on to the SSL_RecordBuilder,
+ * which reassembles the segments into SSL records and determines the
+ * versions of the records. If the SSL_RecordBuilder was able to determine
+ * the versions of the records it delivers the reassembled records back tho this
+ * Contents_SSL by calling the DoDeliver()-method.
+ * The Contents_SSL then hands the record over to the corresponding
+ * SSLProxy_Analyzer by invoking it's NewSSLRecord()-method.
+ *
+ * SC mod: change class Contents_SSL: public TCP_EndpointContents
+ * to class Contents_SSL: public TCP_Contents
+ * this is done since the class uses the Deliver() method to take care of data.
+ *
+ */
+class Contents_SSL: public TCP_SupportAnalyzer {
+public:
+	/* The constructor builds up and initialises the Contents_SSL.
+	 * @param conn the corresponding Connection
+	 * @param whether this is the originator
+	 */
+	Contents_SSL(Connection* conn, bool orig);
+	~Contents_SSL();
+
+	int sslRecordVersion;	///< record version of the first SSL record seen (set by SSLProxy_Analyzer and SSL_RecordBuilder)
+	uint16 sslVersion;	///< SSL version of the SSL record seen (set by SSL_RecordBuilder)
+
+	/** Via this method, this Contents_SSL receives the
+	 * TCP segments.
+	 * @param len length of TCP-Segment
+	 * @param data content of TCP-Segment
+	 * @param orig whether sending endpoint is originator
+	 */
+	virtual void DeliverStream(int len, const u_char* data, bool orig);
+
+	/** This method is called by the corresponding SSL_RecordBuilder
+	 * upon delivering a new reassembled SSL record.
+	 * @param len the length of the record
+	 * @param data the record
+	 */
+	void DoDeliver(int len, const u_char* data);
+
+	/* @return whether we have already seen the first record of the connection of this endpoint yet
+	 */
+	bool VersionRecognized();
+
+	/* @return whether the first record was of SSL version 2.0
+	 */
+	bool IsSSLv2Record();
+
+	/* @return whether the corresponding SSL_RecordBuilder has pending data
+	 */
+	bool isDataPending(); // should be inline
+
+	SSL_RecordBuilder* sslRecordBuilder;
+
+protected:
+	bool bVersionRecognized;	///< False, if we haven't seen the first record of the connection of this endpoint yet
+	bool bIsSSLv2Record;	///< Was the first record of SSL version 2.0
+};
+
+#endif
diff --git a/src/SSLv2.cc b/src/SSLv2.cc
new file mode 100644
index 0000000000..0252e4cb15
--- /dev/null
+++ b/src/SSLv2.cc
@@ -0,0 +1,946 @@
+// $Id: SSLv2.cc 5988 2008-07-19 07:02:12Z vern $
+
+#include "SSLv2.h"
+#include "SSLv3.h"
+
+// --- Initalization of static variables --------------------------------------
+
+uint SSLv2_Interpreter::totalConnections = 0;
+uint SSLv2_Interpreter::analyzedConnections = 0;
+uint SSLv2_Interpreter::openedConnections = 0;
+uint SSLv2_Interpreter::failedConnections = 0;
+uint SSLv2_Interpreter::weirdConnections = 0;
+uint SSLv2_Interpreter::totalRecords = 0;
+uint SSLv2_Interpreter::clientHelloRecords = 0;
+uint SSLv2_Interpreter::serverHelloRecords = 0;
+uint SSLv2_Interpreter::clientMasterKeyRecords = 0;
+uint SSLv2_Interpreter::errorRecords = 0;
+
+
+// --- SSLv2_Interpreter -------------------------------------------------------
+
+/*!
+ * The Constructor.
+ *
+ * \param proxy Pointer to the SSLProxy_Analyzer who created this instance.
+ */
+SSLv2_Interpreter::SSLv2_Interpreter(SSLProxy_Analyzer* proxy)
+: SSL_Interpreter(proxy)
+	{
+	++totalConnections;
+	records = 0;
+	bAnalyzedCounted = false;
+	connState = START;
+
+	pServerCipherSpecs = 0;
+	pClientCipherSpecs = 0;
+	bClientWantsCachedSession = false;
+	usedCipherSpec = (SSLv2_CipherSpec) 0;
+
+	pConnectionId = 0;
+	pChallenge = 0;
+	pSessionId = 0;
+	pMasterClearKey = 0;
+	pMasterEncryptedKey = 0;
+	pClientReadKey = 0;
+	pServerReadKey = 0;
+	}
+
+/*!
+ * The Destructor.
+ */
+SSLv2_Interpreter::~SSLv2_Interpreter()
+	{
+	if ( connState != CLIENT_MASTERKEY_SEEN &&
+	     connState != CACHED_SESSION &&
+	     connState != START &&	// we only complain if we saw some data
+	     connState != ERROR_SEEN )
+		++failedConnections;
+
+	if ( connState != CLIENT_MASTERKEY_SEEN && connState != CACHED_SESSION )
+		++weirdConnections;
+
+	delete pServerCipherSpecs;
+	delete pClientCipherSpecs;
+	delete pConnectionId;
+	delete pChallenge;
+	delete pSessionId;
+	delete pMasterClearKey;
+	delete pMasterEncryptedKey;
+	delete pClientReadKey;
+	delete pServerReadKey;
+	}
+
+/*!
+ * This method implements SSL_Interpreter::BuildInterpreterEndpoints()
+ */
+void SSLv2_Interpreter::BuildInterpreterEndpoints()
+	{
+	orig = new SSLv2_Endpoint(this, 1);
+	resp = new SSLv2_Endpoint(this, 0);
+	}
+
+/*!
+ * This method prints some counters.
+ */
+void SSLv2_Interpreter::printStats()
+	{
+	printf("SSLv2:\n");
+	printf("totalConnections    = %u\n", totalConnections);
+	printf("analyzedConnections = %u\n", analyzedConnections);
+	printf("openedConnections   = %u\n", openedConnections);
+	printf("failedConnections   = %u\n", failedConnections);
+	printf("weirdConnections   = %u\n", weirdConnections);
+
+	printf("totalRecords            = %u\n", totalRecords);
+	printf("clientHelloRecords      = %u\n", clientHelloRecords);
+	printf("serverHelloRecords      = %u\n", serverHelloRecords);
+	printf("clientMasterKeyRecords  = %u\n", clientMasterKeyRecords);
+	printf("errorRecords            = %u\n", errorRecords);
+
+	printf("SSL_RecordBuilder::maxAllocCount     = %u\n", SSL_RecordBuilder::maxAllocCount);
+	printf("SSL_RecordBuilder::maxFragmentCount  = %u\n", SSL_RecordBuilder::maxFragmentCount);
+	printf("SSL_RecordBuilder::fragmentedHeaders = %u\n", SSL_RecordBuilder::fragmentedHeaders);
+	}
+
+/*!
+ * \return the current state of the ssl connection
+ */
+SSLv2_States SSLv2_Interpreter::ConnState()
+	{
+	return connState;
+	}
+
+/*!
+ * This method is called by SSLv2_Endpoint::Deliver(). It is the main entry
+ * point of this class. The header of the given SSLV2 record is analyzed and
+ * its contents are then passed to the corresponding analyzer method. After
+ * the record has been analyzed, the ssl connection state is updated.
+ *
+ * \param s Pointer to the endpoint which sent the record
+ * \param length length of SSLv2 record
+ * \param data pointer to SSLv2 record to analyze
+ */
+void SSLv2_Interpreter::NewSSLRecord(SSL_InterpreterEndpoint* s,
+					int length, const u_char* data)
+	{
+	++records;
+	++totalRecords;
+
+	if ( ! bAnalyzedCounted )
+		{
+		++analyzedConnections;
+		bAnalyzedCounted = true;
+		}
+
+	// We should see a maximum of 4 cleartext records.
+	if ( records == 5 )
+		{ // so this should never happen
+		Weird("SSLv2: Saw more than 4 records, skipping connection...");
+		proxy->SetSkip(1);
+		return;
+		}
+
+	// SSLv2 record header analysis
+	uint32 recordLength = 0; // data length of SSLv2 record
+	bool isEscape = false;
+	uint8 padding = 0;
+	const u_char* contents;
+
+	if ( (data[0] & 0x80) > 0 )
+		{ // we have a two-byte record header
+		recordLength = ((data[0] & 0x7f) << 8) | data[1];
+		contents = data + 2;
+		if (  recordLength + 2 != uint32(length)  )
+			{
+			// This should never happen, otherwise
+			// we have a bug in the SSL_RecordBuilder.
+			Weird("SSLv2: FATAL: recordLength doesn't match data block length!");
+			connState = ERROR_REQUIRED;
+			proxy->SetSkip(1);
+			return;
+			}
+		}
+	else
+		{ // We have a three-byte record header.
+		recordLength = ((data[0] & 0x3f) << 8) | data[1];
+		isEscape = (data[0] & 0x40) != 0;
+		padding = data[2];
+		contents = data + 3;
+		if ( recordLength + 3 != uint32(length) )
+			{
+			// This should never happen, otherwise
+			// we have a bug in the SSL_RecordBuilder.
+			Weird("SSLv2: FATAL: recordLength doesn't match data block length!");
+			connState = ERROR_REQUIRED;
+			proxy->SetSkip(1);
+			return;
+			}
+
+		if ( padding == 0 && ! isEscape )
+			Weird("SSLv2: 3 Byte record header, but no escape, no padding!");
+		}
+
+	if ( recordLength == 0 )
+		{
+		Weird("SSLv2: Record length is zero (no record data)!");
+		return;
+		}
+
+	if ( isEscape )
+		Weird("SSLv2: Record has escape bit set (security escape)!");
+
+	if  ( padding > 0 && connState != CACHED_SESSION &&
+	      connState != CLIENT_MASTERKEY_SEEN )
+		Weird("SSLv2 record with padding > 0 in cleartext!");
+
+	// MISSING:
+	// A final consistency check is done when a block cipher is used
+	// and the protocol is using encryption. The amount of data present
+	// in a record (RECORD-LENGTH))must be a multiple of the cipher's
+	// block size.  If the received record is not a multiple of the
+	// cipher's block size then the record is considered damaged, and it
+	// is to be treated as if an "I/O Error" had occurred (i.e. an
+	// unrecoverable error is asserted and the connection is closed).
+
+	switch ( connState ) {
+	case START:
+		// Only CLIENT-HELLLOs allowed here.
+		if ( contents[0] != SSLv2_MT_CLIENT_HELLO )
+			{
+			Weird("SSLv2: First packet is not a CLIENT-HELLO!");
+			analyzeRecord(s, recordLength, contents);
+			connState = ERROR_REQUIRED;
+			}
+		else
+			connState = ClientHelloRecord(s, recordLength, contents);
+		break;
+
+	case CLIENT_HELLO_SEEN:
+		// Only SERVER-HELLOs or ERRORs allowed here.
+		if ( contents[0] == SSLv2_MT_SERVER_HELLO )
+			connState = ServerHelloRecord(s, recordLength, contents);
+		else if ( contents[0] == SSLv2_MT_ERROR )
+			connState = ErrorRecord(s, recordLength, contents);
+		else
+			{
+			Weird("SSLv2: State violation in CLIENT_HELLO_SEEN!");
+			analyzeRecord(s, recordLength, contents);
+			connState = ERROR_REQUIRED;
+			}
+		break;
+
+	case NEW_SESSION:
+		// We expect a client master key.
+		if ( contents[0] == SSLv2_MT_CLIENT_MASTER_KEY )
+			connState = ClientMasterKeyRecord(s, recordLength, contents);
+		else if ( contents[0] == SSLv2_MT_ERROR )
+			connState = ErrorRecord(s, recordLength, contents);
+		else
+			{
+			Weird("SSLv2: State violation in NEW_SESSION or encrypted record!");
+			analyzeRecord(s, recordLength, contents);
+			connState = ERROR_REQUIRED;
+			}
+
+		delete pServerCipherSpecs;
+		pServerCipherSpecs = 0;
+		break;
+
+	case CACHED_SESSION:
+		delete pServerCipherSpecs;
+		pServerCipherSpecs = 0;
+		// No break here.
+
+	case CLIENT_MASTERKEY_SEEN:
+		// If no error record, no further analysis.
+		if ( contents[0] == SSLv2_MT_ERROR &&
+		     recordLength == SSLv2_ERROR_RECORD_SIZE )
+			connState = ErrorRecord(s, recordLength, contents);
+		else
+			{
+			// So we finished the cleartext handshake.
+			// Skip all further data.
+
+			proxy->SetSkip(1);
+			++openedConnections;
+			}
+		break;
+
+	case ERROR_REQUIRED:
+		if ( contents[0] == SSLv2_MT_ERROR )
+			connState = ErrorRecord(s, recordLength, contents);
+		else
+			{
+			// We lost tracking: this should not happen.
+			Weird("SSLv2: State inconsistency in ERROR_REQUIRED (lost tracking!)!");
+			analyzeRecord(s, recordLength, contents);
+			connState = ERROR_REQUIRED;
+			}
+		break;
+
+	case ERROR_SEEN:
+		// We don't have recoverable errors in cleartext phase,
+		// so we shouldn't see anymore packets.
+		Weird("SSLv2: Traffic after error record!");
+		analyzeRecord(s, recordLength, contents);
+		break;
+
+	default:
+		internal_error("SSLv2: unknown state");
+		break;
+	}
+	}
+
+/*!
+ * This method is called whenever the connection tracking failed. It calls
+ * the corresponding analyzer method for the given SSLv2 record, but does not
+ * update the ssl connection state.
+ *
+ * \param s Pointer to the endpoint which sent the record
+ * \param length length of SSLv2 record
+ * \param data pointer to SSLv2 record to analyze
+ */
+void SSLv2_Interpreter::analyzeRecord(SSL_InterpreterEndpoint* s,
+					int length, const u_char* data)
+	{
+	switch ( data[0] ) {
+	case SSLv2_MT_ERROR:
+		ErrorRecord(s, length, data);
+		break;
+
+	case SSLv2_MT_CLIENT_HELLO:
+		ClientHelloRecord(s, length, data);
+		break;
+
+	case SSLv2_MT_CLIENT_MASTER_KEY:
+		ClientMasterKeyRecord(s, length, data);
+		break;
+
+	case SSLv2_MT_SERVER_HELLO:
+		ServerHelloRecord(s, length, data);
+		break;
+
+	case SSLv2_MT_CLIENT_FINISHED:
+	case SSLv2_MT_SERVER_VERIFY:
+	case SSLv2_MT_SERVER_FINISHED:
+	case SSLv2_MT_REQUEST_CERTIFICATE:
+	case SSLv2_MT_CLIENT_CERTIFICATE:
+		Weird("SSLv2: Encrypted record type seems to be in cleartext");
+		break;
+
+	default:
+		// Unknown record type.
+		Weird("SSLv2: Unknown record type or encrypted record");
+		break;
+	}
+	}
+
+/*!
+ * This method analyses a SSLv2 CLIENT-HELLO record.
+ *
+ * \param s Pointer to the endpoint which sent the record
+ * \param length length of SSLv2 CLIENT-HELLO record
+ * \param data pointer to SSLv2 CLIENT-HELLO record to analyze
+ *
+ * \return the updated state of the current ssl connection
+ */
+SSLv2_States SSLv2_Interpreter::ClientHelloRecord(SSL_InterpreterEndpoint* s,
+					int recordLength, const u_char* recordData)
+	{
+	// This method gets the record's data (without the header).
+	++clientHelloRecords;
+
+	if ( s != orig )
+		Weird("SSLv2: CLIENT-HELLO record from server!");
+
+	// There should not be any pending data in the SSLv2 reassembler,
+	// because the client should wait for a server response.
+	if ( ((SSLv2_Endpoint*) s)->isDataPending() )
+		Weird("SSLv2: Pending data in SSL_RecordBuilder after CLIENT-HELLO!");
+
+	// Client hello minimum header size check.
+	if ( recordLength < SSLv2_CLIENT_HELLO_HEADER_SIZE )
+		{
+		Weird("SSLv2: CLIENT-HELLO is too small!");
+		return ERROR_REQUIRED;
+		}
+
+	// Extract the data of the client hello header.
+	SSLv2_ClientHelloHeader ch;
+	ch.clientVersion = uint16(recordData[1] << 8) | recordData[2];
+	ch.cipherSpecLength = uint16(recordData[3] << 8) | recordData[4];
+	ch.sessionIdLength = uint16(recordData[5] << 8) | recordData[6];
+	ch.challengeLength = uint16(recordData[7] << 8) | recordData[8];
+
+	if ( ch.clientVersion != SSLProxy_Analyzer::SSLv20 &&
+	     ch.clientVersion != SSLProxy_Analyzer::SSLv30 &&
+	     ch.clientVersion != SSLProxy_Analyzer::SSLv31 )
+		{
+		Weird("SSLv2: Unsupported SSL-Version in CLIENT-HELLO");
+		return ERROR_REQUIRED;
+		}
+
+	if ( ch.challengeLength + ch.cipherSpecLength + ch.sessionIdLength +
+	     SSLv2_CLIENT_HELLO_HEADER_SIZE != recordLength )
+		{
+		Weird("SSLv2: Size inconsistency in CLIENT-HELLO");
+		return ERROR_REQUIRED;
+		}
+
+	// The CIPHER-SPECS-LENGTH must be > 0 and a multiple of 3.
+	if ( ch.cipherSpecLength == 0 || ch.cipherSpecLength % 3 != 0 )
+		{
+		Weird("SSLv2: Nonconform CIPHER-SPECS-LENGTH in CLIENT-HELLO.");
+		return ERROR_REQUIRED;
+		}
+
+	// The SESSION-ID-LENGTH must either be zero or 16.
+	if ( ch.sessionIdLength != 0 && ch.sessionIdLength != 16 )
+		Weird("SSLv2: Nonconform SESSION-ID-LENGTH in CLIENT-HELLO.");
+
+	if ( (ch.challengeLength < 16) || (ch.challengeLength > 32))
+		Weird("SSLv2: Nonconform CHALLENGE-LENGTH in CLIENT-HELLO.");
+
+	const u_char* ptr = recordData;
+	ptr += SSLv2_CLIENT_HELLO_HEADER_SIZE + ch.cipherSpecLength;
+
+	pSessionId = new SSL_DataBlock(ptr, ch.sessionIdLength);
+
+	// If decrypting, store the challenge.
+	if ( ssl_store_key_material && ch.challengeLength <= 32 )
+		pChallenge = new SSL_DataBlock(ptr, ch.challengeLength);
+
+	bClientWantsCachedSession = ch.sessionIdLength != 0;
+
+	TableVal* currentCipherSuites =
+		analyzeCiphers(s, ch.cipherSpecLength,
+			recordData + SSLv2_CLIENT_HELLO_HEADER_SIZE);
+
+	fire_ssl_conn_attempt(ch.clientVersion, currentCipherSuites);
+
+	return CLIENT_HELLO_SEEN;
+	}
+
+/*!
+ * This method analyses a SSLv2 SERVER-HELLO record.
+ *
+ * \param s Pointer to the endpoint which sent the record
+ * \param length length of SSLv2 SERVER-HELLO record
+ * \param data pointer to SSLv2 SERVER-HELLO record to analyze
+ *
+ * \return the updated state of the current ssl connection
+ */
+SSLv2_States SSLv2_Interpreter::ServerHelloRecord(SSL_InterpreterEndpoint* s,
+					int recordLength, const u_char* recordData)
+	{
+	++serverHelloRecords;
+	TableVal* currentCipherSuites = NULL;
+
+	if ( s != resp )
+		Weird("SSLv2: SERVER-HELLO from client!");
+
+	if ( recordLength < SSLv2_SERVER_HELLO_HEADER_SIZE )
+		{
+		Weird("SSLv2: SERVER-HELLO is too small!");
+		return ERROR_REQUIRED;
+		}
+
+	// Extract the data of the client hello header.
+	SSLv2_ServerHelloHeader sh;
+	sh.sessionIdHit = recordData[1];
+	sh.certificateType = recordData[2];
+	sh.serverVersion = uint16(recordData[3] << 8) | recordData[4];
+	sh.certificateLength = uint16(recordData[5] << 8) | recordData[6];
+	sh.cipherSpecLength = uint16(recordData[7] << 8) | recordData[8];
+	sh.connectionIdLength = uint16(recordData[9] << 8) | recordData[10];
+
+	if ( sh.serverVersion != SSLProxy_Analyzer::SSLv20 )
+		{
+		Weird("SSLv2: Unsupported SSL-Version in SERVER-HELLO");
+		return ERROR_REQUIRED;
+		}
+
+	if ( sh.certificateLength + sh.cipherSpecLength +
+	     sh.connectionIdLength +
+	     SSLv2_SERVER_HELLO_HEADER_SIZE != recordLength )
+		{
+		Weird("SSLv2: Size inconsistency in SERVER-HELLO");
+		return ERROR_REQUIRED;
+		}
+
+	// The length of the CONNECTION-ID must be between 16 and 32 bytes.
+	if ( sh.connectionIdLength < 16 || sh.connectionIdLength > 32 )
+		Weird("SSLv2: Nonconform CONNECTION-ID-LENGTH in SERVER-HELLO");
+
+	// If decrypting, store the connection ID.
+	if ( ssl_store_key_material && sh.connectionIdLength <= 32 )
+		{
+		const u_char* ptr = recordData;
+
+		ptr += SSLv2_SERVER_HELLO_HEADER_SIZE + sh.cipherSpecLength +
+		       sh.certificateLength;
+
+		pConnectionId = new SSL_DataBlock(ptr, sh.connectionIdLength);
+		}
+
+	if  ( sh.sessionIdHit == 0  )
+		{
+		// Generating reusing-connection event.
+		EventHandlerPtr event = ssl_session_insertion;
+
+		if ( event )
+			{
+			TableVal* sessionIDTable =
+				MakeSessionID(
+					recordData +
+						SSLv2_SERVER_HELLO_HEADER_SIZE +
+						sh.certificateLength +
+						sh.cipherSpecLength,
+					sh.connectionIdLength);
+
+			val_list* vl = new val_list;
+			vl->append(proxy->BuildConnVal());
+			vl->append(sessionIDTable);
+
+			proxy->ConnectionEvent(ssl_session_insertion, vl);
+			}
+		}
+
+	SSLv2_States nextState;
+
+	if ( sh.sessionIdHit != 0 )
+		{ // we're using a cached session
+
+		// There should not be any pending data in the SSLv2
+		// reassembler, because the server should wait for a
+		// client response.
+		if ( ((SSLv2_Endpoint*) s)->isDataPending() )
+			{
+			// But turns out some SSL Implementations do this
+			// when using a cached session.
+			}
+
+		// Consistency check for SESSION-ID-HIT.
+		if ( ! bClientWantsCachedSession )
+			Weird("SSLv2: SESSION-ID hit in SERVER-HELLO, but no SESSION-ID in CLIENT-HELLO!");
+
+		// If the SESSION-ID-HIT flag is non-zero then the
+		// CERTIFICATE-TYPE, CERTIFICATE-LENGTH and
+		// CIPHER-SPECS-LENGTH fields will be zero.
+		if ( sh.certificateType != 0 || sh.certificateLength != 0 ||
+		     sh.cipherSpecLength != 0 )
+			Weird("SSLv2: SESSION-ID-HIT, but session data in SERVER-HELLO");
+
+		// Generate reusing-connection event.
+		if ( pSessionId )
+			{
+			fire_ssl_conn_reused(pSessionId);
+			delete pSessionId;
+			pSessionId = 0;
+			}
+
+		nextState = CACHED_SESSION;
+		}
+	else
+		{ // we're starting a new session
+
+		// There should not be any pending data in the SSLv2
+		// reassembler, because the server should wait for
+		// a client response.
+		if ( ((SSLv2_Endpoint*) s)->isDataPending() )
+			Weird("SSLv2: Pending data in SSL_RecordBuilder after SERVER-HELLO (new session)!");
+
+		// TODO: check certificate length ???
+		if ( sh.certificateLength == 0 )
+			Weird("SSLv2: No certificate in SERVER-HELLO!");
+
+		// The CIPHER-SPECS-LENGTH must be > zero and a multiple of 3.
+		if ( sh.cipherSpecLength == 0 )
+			Weird("SSLv2: No CIPHER-SPECS in SERVER-HELLO!");
+
+		if ( sh.cipherSpecLength % 3 != 0 )
+			{
+			Weird("SSLv2: Nonconform CIPHER-SPECS-LENGTH in SERVER-HELLO");
+			return ERROR_REQUIRED;
+			}
+
+		const u_char* ptr = recordData;
+		ptr += sh.certificateLength + SSLv2_SERVER_HELLO_HEADER_SIZE;
+		currentCipherSuites = analyzeCiphers(s, sh.cipherSpecLength, ptr);
+
+		nextState = NEW_SESSION;
+		}
+
+	// Check if at least one cipher is supported by the client.
+	if ( pClientCipherSpecs && pServerCipherSpecs )
+		{
+		bool bFound = false;
+		for ( int i = 0; i < pClientCipherSpecs->len; i += 3 )
+			{
+			for ( int j = 0; j < pServerCipherSpecs->len; j += 3 )
+				{
+				if ( memcmp(pClientCipherSpecs + i,
+					    pServerCipherSpecs + j, 3) == 0 )
+					{
+					bFound = true;
+					i = pClientCipherSpecs->len;
+					break;
+					}
+				}
+			}
+
+		if ( ! bFound )
+			{
+			Weird("SSLv2: Client's and server's CIPHER-SPECS don't match!");
+			nextState = ERROR_REQUIRED;
+			}
+
+		delete pClientCipherSpecs;
+		pClientCipherSpecs = 0;
+		}
+
+	// Certificate analysis.
+	if ( sh.certificateLength > 0 && ssl_analyze_certificates != 0 )
+		{
+		analyzeCertificate(s, recordData + SSLv2_SERVER_HELLO_HEADER_SIZE,
+			sh.certificateLength, sh.certificateType, false);
+		}
+
+	if ( nextState == NEW_SESSION )
+		// generate server-reply event
+		fire_ssl_conn_server_reply(sh.serverVersion, currentCipherSuites);
+
+	else if ( nextState == CACHED_SESSION )
+		{ // generate server-reply event
+		fire_ssl_conn_server_reply(sh.serverVersion, currentCipherSuites);
+		// Generate a connection-established event with a dummy
+		// cipher suite, since we can't remember session information
+		// (yet).
+		// Note: A new session identifier is sent encrypted in SSLv2!
+		fire_ssl_conn_established(sh.serverVersion, 0xABCD);
+		}
+	else
+		// Unref, since the table is not delivered to any event.
+	        Unref(currentCipherSuites);
+
+	return nextState;
+	}
+
+/*!
+ * This method analyses a SSLv2 CLIENT-MASTER-KEY record.
+ *
+ * \param s Pointer to the endpoint which sent the record
+ * \param length length of SSLv2 CLIENT-MASTER-KEY record
+ * \param data pointer to SSLv2 CLIENT-MASTER-KEY record to analyze
+ *
+ * \return the updated state of the current ssl connection
+ */
+SSLv2_States SSLv2_Interpreter::
+	ClientMasterKeyRecord(SSL_InterpreterEndpoint* s, int recordLength,
+				const u_char* recordData)
+	{
+	++clientMasterKeyRecords;
+	SSLv2_States nextState = CLIENT_MASTERKEY_SEEN;
+
+	if ( s != orig )
+		Weird("SSLv2: CLIENT-MASTER-KEY from server!");
+
+	if ( recordLength < SSLv2_CLIENT_MASTER_KEY_HEADER_SIZE )
+		{
+		Weird("SSLv2: CLIENT-MASTER-KEY is too small!");
+		return ERROR_REQUIRED;
+		}
+
+	// Extract the data of the client master key header.
+	SSLv2_ClientMasterKeyHeader cmk;
+	cmk.cipherKind =
+		((recordData[1] << 16) | recordData[2] << 8) | recordData[3];
+	cmk.clearKeyLength = uint16(recordData[4] << 8) | recordData[5];
+	cmk.encryptedKeyLength = uint16(recordData[6] << 8) | recordData[7];
+	cmk.keyArgLength = uint16(recordData[8] << 8) | recordData[9];
+
+	if ( cmk.clearKeyLength + cmk.encryptedKeyLength + cmk.keyArgLength +
+	     SSLv2_CLIENT_MASTER_KEY_HEADER_SIZE != recordLength )
+		{
+		Weird("SSLv2: Size inconsistency in CLIENT-MASTER-KEY");
+		return ERROR_REQUIRED;
+		}
+
+	// Check if cipher is supported by the server.
+	if ( pServerCipherSpecs )
+		{
+		bool bFound = false;
+		for ( int i = 0; i < pServerCipherSpecs->len; i += 3 )
+			{
+			uint32 cipherSpec =
+				((pServerCipherSpecs->data[i] << 16) |
+				 pServerCipherSpecs->data[i+1] << 8) |
+				pServerCipherSpecs->data[i+2];
+
+			if ( cmk.cipherKind == cipherSpec )
+				{
+				bFound = true;
+				break;
+				}
+			}
+
+		if ( ! bFound )
+			{
+			Weird("SSLv2: Client chooses unadvertised cipher in CLIENT-MASTER-KEY!");
+			nextState = ERROR_REQUIRED;
+			}
+		else
+			nextState = CLIENT_MASTERKEY_SEEN;
+
+		delete pServerCipherSpecs;
+		pServerCipherSpecs = 0;
+		}
+
+	// TODO: check if cipher has been advertised before.
+
+	SSL_CipherSpec* pCipherSpecTemp = 0;
+
+	HashKey h(static_cast<bro_uint_t>(cmk.cipherKind));
+	pCipherSpecTemp = (SSL_CipherSpec*) SSL_CipherSpecDict.Lookup(&h);
+	if ( ! pCipherSpecTemp || ! (pCipherSpecTemp->flags & SSL_FLAG_SSLv20) )
+		Weird("SSLv2: Unknown CIPHER-SPEC in CLIENT-MASTER-KEY!");
+	else
+		{ // check for conistency of clearKeyLength
+		if ( cmk.clearKeyLength * 8 != pCipherSpecTemp->clearKeySize )
+			{
+			Weird("SSLv2: Inconsistency of clearKeyLength in CLIENT-MASTER-KEY!");
+			// nextState = ERROR_REQUIRED;
+			}
+
+		// TODO: check for consistency of encryptedKeyLength.
+		// TODO: check for consistency of keyArgLength.
+//		switch ( cmk.cipherKind )
+//			{
+//			case SSL_CK_RC4_128_WITH_MD5:
+//			case SSL_CK_RC4_128_EXPORT40_WITH_MD5:
+//				if ( cmk.keyArgLength != 0 )
+//					{
+//					Weird("SSLv2: Inconsistency of keyArgLength in CLIENT-MASTER-KEY!");
+//					//nextState = ERROR_REQUIRED;
+//					}
+//			break;
+//			case SSL_CK_DES_64_CBC_WITH_MD5:
+//			case SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5:
+//			case SSL_CK_RC2_128_CBC_WITH_MD5:
+//				case SSL_CK_IDEA_128_CBC_WITH_MD5:
+//			case SSL_CK_DES_192_EDE3_CBC_WITH_MD5:
+//				if ( cmk.keyArgLength != 8 )
+//					{
+//					Weird("SSLv2: Inconsistency of keyArgLength in CLIENT-MASTER-KEY!");
+//					}
+//			break;
+//			}
+		}
+
+	// Remember the used cipher spec.
+	usedCipherSpec = SSLv2_CipherSpec(cmk.cipherKind);
+
+	// If decrypting, store the clear key part of the master key.
+	if ( ssl_store_key_material /* && cmk.clearKeyLength == 11 */ )
+		{
+		pMasterClearKey =
+			new SSL_DataBlock((recordData + SSLv2_CLIENT_MASTER_KEY_HEADER_SIZE), cmk.clearKeyLength);
+
+		pMasterEncryptedKey =
+			new SSL_DataBlock((recordData + SSLv2_CLIENT_MASTER_KEY_HEADER_SIZE + cmk.clearKeyLength ), cmk.encryptedKeyLength);
+		}
+
+	if ( nextState == CLIENT_MASTERKEY_SEEN )
+		fire_ssl_conn_established(SSLProxy_Analyzer::SSLv20,
+						cmk.cipherKind);
+
+	return nextState;
+	}
+
+
+/*!
+ * This method analyses a SSLv2 ERROR record.
+ *
+ * \param s Pointer to the endpoint which sent the record
+ * \param length length of SSLv2 ERROR record
+ * \param data pointer to SSLv2 ERROR record to analyze
+ *
+ * \return the updated state of the current ssl connection
+ */
+SSLv2_States SSLv2_Interpreter::ErrorRecord(SSL_InterpreterEndpoint* s,
+					int recordLength, const u_char* recordData)
+	{
+	++errorRecords;
+
+	if ( unsigned(recordLength) != SSLv2_ERROR_RECORD_SIZE )
+		{
+		Weird("SSLv2: Size mismatch in Error Record!");
+		return ERROR_REQUIRED;
+		}
+
+	SSLv2_ErrorRecord er;
+	er.errorCode = (recordData[1] << 8) | recordData[2];
+	SSL3x_AlertLevel al = SSL3x_AlertLevel(255);
+
+	switch ( er.errorCode ) {
+	case SSLv2_PE_NO_CIPHER:
+		// The client doesn't support a cipher which the server
+		// supports.  Only from client to server and not recoverable!
+		al = SSL3x_ALERT_LEVEL_FATAL;
+		break;
+
+	case SSLv2_PE_NO_CERTIFICATE:
+		if ( s == orig )
+			// from client to server: not recoverable
+			al = SSL3x_ALERT_LEVEL_FATAL;
+		else
+			// from server to client: recoverable
+			al = SSL3x_ALERT_LEVEL_WARNING;
+		break;
+
+	case SSLv2_PE_BAD_CERTIFICATE:
+		if ( s == orig )
+			// from client to server: not recoverable
+			al = SSL3x_ALERT_LEVEL_FATAL;
+		else
+			// from server to client: recoverable
+			al = SSL3x_ALERT_LEVEL_WARNING;
+		break;
+
+	case SSLv2_PE_UNSUPPORTED_CERTIFICATE_TYPE:
+		if ( s == orig )
+			// from client to server: not recoverable
+			al = SSL3x_ALERT_LEVEL_FATAL;
+		else
+			// from server to client: recoverable
+			al = SSL3x_ALERT_LEVEL_WARNING;
+		break;
+
+	default:
+		al = SSL3x_ALERT_LEVEL_FATAL;
+		break;
+	}
+
+	fire_ssl_conn_alert(SSLProxy_Analyzer::SSLv20, al, er.errorCode);
+
+	return ERROR_SEEN;
+	}
+
+/*!
+ * This method analyses a set of SSLv2 cipher suites.
+ *
+ * \param s Pointer to the endpoint which sent the cipher suites
+ * \param length length of cipher suites
+ * \param data pointer to cipher suites to analyze
+ *
+ * \return a pointer to a Bro TableVal (of type cipher_suites_list) which contains
+ *         the cipher suites list of the current analyzed record
+ */
+TableVal* SSLv2_Interpreter::analyzeCiphers(SSL_InterpreterEndpoint* s,
+						int length, const u_char* data)
+	{
+	if ( length > MAX_CIPHERSPEC_SIZE )
+		{
+		if ( s == orig )
+			Weird("SSLv2: Client has CipherSpecs > MAX_CIPHERSPEC_SIZE");
+		else
+			Weird("SSLv2: Server has CipherSpecs > MAX_CIPHERSPEC_SIZE");
+		}
+	else
+		{ // cipher specs are not too big
+		if ( ssl_compare_cipherspecs )
+			{ // store cipher specs for state analysis
+			if ( s == resp )
+				pServerCipherSpecs =
+					new SSL_DataBlock(data, length);
+			else
+				pClientCipherSpecs =
+					new SSL_DataBlock(data, length);
+			}
+		}
+
+	const u_char* pCipher = data;
+	bool bExtractCipherSuite = false;
+	TableVal* pCipherTable = 0;
+
+	// We only extract the cipher suite when the corresponding
+	// ssl events are defined (otherwise we do work for nothing
+	// and suffer a memory leak).
+	// FIXME: This check needs to be done only once!
+	if ( (s == orig && ssl_conn_attempt) ||
+	     (s == resp && ssl_conn_server_reply) )
+		{
+		pCipherTable = new TableVal(cipher_suites_list);
+		bExtractCipherSuite = true;
+		}
+
+	for ( int i = 0; i < length; i += 3 )
+		{
+		SSL_CipherSpec* pCurrentCipherSpec;
+		uint32 cipherSpecID =
+			((pCipher[0] << 16) | pCipher[1] << 8) | pCipher[2];
+
+		// Check for unknown cipher specs.
+		HashKey h(static_cast<bro_uint_t>(cipherSpecID));
+		pCurrentCipherSpec =
+			(SSL_CipherSpec*) SSL_CipherSpecDict.Lookup(&h);
+
+		if ( ! pCurrentCipherSpec )
+			{
+			if ( s == orig )
+				Weird("SSLv2: Unknown CIPHER-SPEC in CLIENT-HELLO!");
+			else
+				Weird("SSLv2: Unknown CIPHER-SPEC in SERVER-HELLO!");
+			}
+
+		if ( bExtractCipherSuite )
+			{
+			Val* index = new Val(cipherSpecID, TYPE_COUNT);
+			pCipherTable->Assign(index, 0);
+			Unref(index);
+			}
+
+		pCipher += 3;
+		}
+
+	return pCipherTable;
+	}
+
+// --- SSLv2_EndPoint ---------------------------------------------------------
+
+/*!
+ * The constructor.
+ *
+ * \param interpreter Pointer to the SSLv2 interpreter to whom this endpoint belongs to
+ * \param is_orig true if this is the originating endpoint of the ssl connection,
+ *                false otherwise
+ */
+SSLv2_Endpoint::SSLv2_Endpoint(SSLv2_Interpreter* interpreter, int is_orig)
+: SSL_InterpreterEndpoint(interpreter, is_orig)
+	{
+	sentRecords = 0;
+	}
+
+/*!
+ * The destructor.
+ */
+SSLv2_Endpoint::~SSLv2_Endpoint()
+	{
+	}
+
+/*!
+ * This method is called by the SSLProxy_Analyzer with a complete reassembled
+ * SSLv2 record. It passes the record to SSLv2_Interpreter::NewSSLRecord().
+ *
+ * \param t <b>reserved</b> (always zero)
+ * \param seq <b>reserved</b> (always zero)
+ * \param len length of the data block containing the ssl record
+ * \param data pointer to the data block containing the ssl record
+ */
+void SSLv2_Endpoint::Deliver(int len, const u_char* data)
+	{
+	++((SSLv2_Endpoint*)peer)->sentRecords;
+
+	((SSLv2_Interpreter*)interpreter)->NewSSLRecord(this, len, data);
+	}
diff --git a/src/SSLv2.h b/src/SSLv2.h
new file mode 100644
index 0000000000..d4719a20c6
--- /dev/null
+++ b/src/SSLv2.h
@@ -0,0 +1,239 @@
+// $Id: SSLv2.h 3526 2006-09-12 07:32:21Z vern $
+
+#ifndef SSLV2_H
+#define SSLV2_H
+
+#include "SSLInterpreter.h"
+#include "SSLCiphers.h"
+
+// --- constants for SSLv2 ---------------------------------------------------
+
+/*!
+ * In SSLv2, each record is of a special message type. Note that the message
+ * type is encrypted if the record has been encrypted, so we can determine
+ * the message type only if we have a cleartext record.
+ */
+enum SSLv2_MessageTypes {
+	SSLv2_MT_ERROR = 0,	///< can be in cleartext or encrypted
+	SSLv2_MT_CLIENT_HELLO = 1,	///< always in cleartext
+	SSLv2_MT_CLIENT_MASTER_KEY = 2,	///< always in cleartext
+	SSLv2_MT_CLIENT_FINISHED = 3,	///< always encrypted
+	SSLv2_MT_SERVER_HELLO = 4,	///< always in cleartext
+	SSLv2_MT_SERVER_VERIFY = 5,	///< always encrypted
+	SSLv2_MT_SERVER_FINISHED = 6,	///< always encrypted
+	SSLv2_MT_REQUEST_CERTIFICATE = 7,	///< always encrypted
+	SSLv2_MT_CLIENT_CERTIFICATE = 8,	///< always encrypted
+};
+
+// Certificate Type Codes.
+//
+// Authentication Type Codes
+// #define SSL_AT_MD5_WITH_RSA_ENCRYPTION		0x01
+// Upper/Lower Bounds
+// #define SSL_MAX_MASTER_KEY_LENGTH_IN_BITS	256
+// #define SSL_MAX_SESSION_ID_LENGTH_IN_BYTES	16
+// #define SSL_MIN_RSA_MODULUS_LENGTH_IN_BYTES	64
+// #define SSL_MAX_RECORD_LENGTH_2_BYTE_HEADER	32767
+// #define SSL_MAX_RECORD_LENGTH_3_BYTE_HEADER	16383
+
+const uint8 SSLv2_CT_X509_CERTIFICATE = 0x01;
+
+/*!
+ * Error codes used in the error record.
+ */
+enum SSLv2_ErrorCodes {
+	SSLv2_PE_NO_CIPHER                    = 0x0001,
+	SSLv2_PE_NO_CERTIFICATE               = 0x0002,
+	SSLv2_PE_BAD_CERTIFICATE              = 0x0004,
+	SSLv2_PE_UNSUPPORTED_CERTIFICATE_TYPE = 0x0006
+};
+
+// --- structs ----------------------------------------------------------------
+
+const int SSLv2_CLIENT_HELLO_HEADER_SIZE = 9;
+struct SSLv2_ClientHelloHeader {
+	uint8  messageType;
+	uint16 clientVersion;
+	uint16 cipherSpecLength;
+	uint16 sessionIdLength;
+	uint16 challengeLength;
+};
+
+const int SSLv2_SERVER_HELLO_HEADER_SIZE = 11;
+struct SSLv2_ServerHelloHeader {
+	uint8  messageType;
+	uint8  sessionIdHit;
+	uint8  certificateType;
+	uint16 serverVersion;
+	uint16 certificateLength;
+	uint16 cipherSpecLength;
+	uint16 connectionIdLength;
+};
+
+const int SSLv2_CLIENT_MASTER_KEY_HEADER_SIZE = 10;
+struct SSLv2_ClientMasterKeyHeader {
+	uint8  messageType;
+	uint32 cipherKind; // caution: is an uint24
+	uint16 clearKeyLength;
+	uint16 encryptedKeyLength;
+	uint16 keyArgLength;
+};
+
+const unsigned int SSLv2_ERROR_RECORD_SIZE = 3;
+struct SSLv2_ErrorRecord {
+	uint8  messageType;
+	uint16 errorCode;
+};
+
+const unsigned int SSLv2_CLIENT_FINISHED_HEADER_SIZE = 1;
+struct SSLv2_ClientFinished {
+	uint8 messageType;
+	//char CONNECTION-ID[N-1]
+};
+
+struct SSLv2_ServerVerify {
+	uint8 messageType;
+	//char CHALLENGE-DATA[N-1]
+};
+
+struct SSLv2_ServerFinished {
+	uint8 messageType;
+	//char SESSION-ID-DATA[N-1]
+};
+
+// MISSING:
+// CLIENT-CERTIFICATE
+// REQUEST-CERTIFICATE
+
+/*!
+ * States used by the internal SSLv2 automaton.
+ */
+enum SSLv2_States {
+	START,                 ///< start state, no data seen yet
+	CLIENT_HELLO_SEEN,     ///< client hello flew by
+	NEW_SESSION,           ///< server hello with sessionIdHit == 0 seen
+	CACHED_SESSION,        ///< server hello with sessionIdHit != 0 seen
+	CLIENT_MASTERKEY_SEEN, ///< we saw a client master key record
+	ERROR_SEEN,            ///< we saw an error record
+	ERROR_REQUIRED         ///< one of our critical checks failed, so we think we should see an error record
+};
+
+
+// --- forward declarations ---------------------------------------------------
+
+class SSLv2_Interpreter;
+class SSLv2_Endpoint;
+class SSLv2_Record;
+class SSL_DataBlock;
+class SSL_RecordBuilder;
+
+// --- class SSLv2_Interpreter ------------------------------------------------
+
+/*!
+ * \brief This class is used to analyze SSLv2 connections.
+ *
+ * Since there's currently no support for decrypting ssl connections, analysis
+ * stops when a connection switches to encrypted communication.
+ * The interpreter does several checks, both record- and connection-orientated.
+ *
+ * The record checks mainly consist of consistency checks, where the correct
+ * use of the SSL 2.0 specification is checked. Furthermore, the CIPHER-SPECS
+ * of the client and the server can be compared to detect non-intersecting sets.
+ *
+ * The connection check monitors the handshaking process for invalid transitions,
+ * until the end of the cleartext phase.
+ *
+ * Several events are thrown for BroScript, including client connection attempt,
+ * server reply, ssl connection establishment/reuse of former connection, proposed
+ * cipher suites and certificates seen.
+ *
+ * \see SSLv2_Endpoint
+ */
+class SSLv2_Interpreter : public SSL_Interpreter {
+public:
+	SSLv2_Interpreter(SSLProxy_Analyzer* proxy);
+	~SSLv2_Interpreter();
+
+	void NewSSLRecord(SSL_InterpreterEndpoint* s, int length, const u_char* data);
+	void analyzeRecord(SSL_InterpreterEndpoint* s, int length, const u_char* data);
+	SSLv2_States ClientHelloRecord(SSL_InterpreterEndpoint* s,
+	                                int recordLength,
+	                                const u_char* recordData);
+	SSLv2_States ServerHelloRecord(SSL_InterpreterEndpoint* s,
+	                                int recordLength, const u_char* recordData);
+	SSLv2_States ClientMasterKeyRecord(SSL_InterpreterEndpoint* s,
+	                                    int recordLength,
+	                                    const u_char* recordData);
+	SSLv2_States ErrorRecord(SSL_InterpreterEndpoint* s,
+	                          int recordLength,
+	                          const u_char* recordData);
+
+	TableVal* analyzeCiphers(SSL_InterpreterEndpoint* s,
+					int length, const u_char* data);
+	SSLv2_States ConnState();
+
+	static void printStats();
+
+#define MAX_CIPHERSPEC_SIZE ssl_max_cipherspec_size
+
+	// Global connection counters.
+	static uint totalConnections;	///< counter for total sslv2 connections
+	static uint analyzedConnections;	///< counter for analyzed (=not partial) connections
+	static uint openedConnections;	///< counter for SSLv2 connections with complete handshake
+	static uint failedConnections;	///< counter for SSLv2 connections with failed but correct handshake
+	static uint weirdConnections;	///< counter for SSLv2 connections with failed and weird handshake
+
+	// Global record counters.
+	static uint totalRecords;	///< counter for total SSLv2 records seen
+	static uint clientHelloRecords;	///< counter for SSLv2 CLIENT-HELLOs seen
+	static uint serverHelloRecords;	///< counter for SSLv2 SERVER-HELLOs seen
+	static uint clientMasterKeyRecords;	///< counter for SSLv2 CLIENT-MASTER-KEYSs seen
+	static uint errorRecords;	///< counter for SSLv2 ERRORs seen
+
+	// Counters for this instance.
+	uint32 records;	///< counter for SSLv2 records of this connection
+	SSLv2_States connState;	///< state of connection
+
+	bool bAnalyzedCounted;	///< flag for counting analyzedConnections
+
+	// FIXME: this should be states.
+	bool bClientWantsCachedSession;	///< true if the client wants a cached session, false otherwise
+
+
+protected:
+	void BuildInterpreterEndpoints();
+
+	SSL_DataBlock* pClientCipherSpecs;	///< the CIPHER-SPECs from the client
+	SSL_DataBlock* pServerCipherSpecs;	///< the CIPHER-SPECs from the server
+	SSLv2_CipherSpec usedCipherSpec;	///< the used CIPHER-SPEC for this connection
+
+	// Currently experimental:
+	SSL_DataBlock* pConnectionId;	// 16 <= ConnectionId <= 32
+	SSL_DataBlock* pChallenge;	// 16 <= Challenge <= 32
+	SSL_DataBlock* pSessionId;	// has to be 16 Bytes
+	SSL_DataBlock* pMasterClearKey;
+	SSL_DataBlock* pMasterEncryptedKey;
+	SSL_DataBlock* pClientReadKey;
+	SSL_DataBlock* pServerReadKey;
+};
+
+// --- class SSLv2_Endpoint ---------------------------------------------------
+
+/*!
+ * \brief This class represents an endpoint of an SSLv2 connection.
+ *
+ * Fully reassembled SSLv2 records are passed to its Deliver() function.
+ * There, some counters are updated and the record is then passed to
+ * SSLv2_Interpreter::NewSSLRecord().
+ */
+class SSLv2_Endpoint: public SSL_InterpreterEndpoint {
+public:
+	SSLv2_Endpoint(SSLv2_Interpreter* interpreter, int is_orig);
+	virtual ~SSLv2_Endpoint();
+
+	void Deliver(int len, const u_char* data);
+
+	uint32 sentRecords; ///< counter for sent records of this endpoint
+};
+
+#endif
diff --git a/src/SSLv3.cc b/src/SSLv3.cc
new file mode 100644
index 0000000000..4d89f27ad8
--- /dev/null
+++ b/src/SSLv3.cc
@@ -0,0 +1,1471 @@
+// $Id: SSLv3.cc 5988 2008-07-19 07:02:12Z vern $
+
+#include "SSLv3.h"
+#include "SSLCiphers.h"
+
+// --- Initalization of static variables --------------------------------------
+
+bool SSLv3_Interpreter::bInited = false;
+
+uint SSLv3_Interpreter::totalConnections = 0;
+uint SSLv3_Interpreter::openedConnections = 0;
+uint SSLv3_Interpreter::totalRecords = 0;
+uint SSLv3_Interpreter::handshakeRecords = 0;
+uint SSLv3_Interpreter::clientHelloRecords = 0;
+uint SSLv3_Interpreter::serverHelloRecords = 0;
+uint SSLv3_Interpreter::alertRecords = 0;
+uint SSLv3_Interpreter::changeCipherRecords = 0;
+
+
+// ---SSLv3_Interpreter--------------------------------------------------------
+
+// Initialize static:
+SSLv3_Automaton SSLv3_Interpreter::sslAutomaton(SSL3_1_NUM_STATES,
+					SSL3_1_NUM_TRANS, SSL3_1_STATE_ERROR);
+
+SSLv3_Interpreter::SSLv3_Interpreter(SSLProxy_Analyzer* proxy)
+: SSL_Interpreter(proxy)
+	{
+	pCipherSuite = 0;
+	cipherSuiteIdentifier = 0;
+	pClientCipherSpecs = 0;
+	clientSessionID = 0;
+	serverSessionID = 0;
+	clientRandom = 0;
+	serverRandom = 0;
+	serverRSApars = 0;
+	serverDHPars = 0;
+	encryptedPreSecret = 0;
+	clientDHpublic = 0;
+	// keyXAlgorithm = SSL_KEY_EXCHANGE_NULL;
+	change_cipher_client_seen = false;
+	change_cipher_server_seen = false;
+	fin_client_seen = false;
+	fin_server_seen = false;
+	helloRequestValid = true;
+
+	if ( ! bInited )
+		{
+		BuildAutomaton();
+		// BuildCipherDict();
+		bInited = true;
+		}
+
+	currentState = SSL3_1_STATE_INIT;
+	++totalConnections;
+	}
+
+SSLv3_Interpreter::~SSLv3_Interpreter()
+	{
+	delete pClientCipherSpecs;
+	delete clientSessionID;
+	delete serverSessionID;
+
+	if ( ssl_store_key_material )
+		{
+		if ( clientRandom )
+			delete clientRandom->random_bytes;
+		delete clientRandom;
+		if ( serverRandom )
+			delete serverRandom->random_bytes;
+		delete serverRandom;
+		delete serverRSApars;
+		delete serverDHPars;
+		delete encryptedPreSecret;
+		delete clientDHpublic;
+		}
+	}
+
+void SSLv3_Interpreter::BuildInterpreterEndpoints()
+	{
+	orig = new SSLv3_Endpoint(this, 1);
+	resp = new SSLv3_Endpoint(this, 0);
+	}
+
+void SSLv3_Interpreter::BuildAutomaton()
+	{
+	sslAutomaton.addTrans(SSL3_1_STATE_INIT, SSL3_1_TRANS_SERVER_HELLO_REQ,
+		SSL3_1_STATE_SERVER_HELLO_REQ_SENT);
+
+	sslAutomaton.addTrans(SSL3_1_STATE_SERVER_HELLO_REQ_SENT,
+		SSL3_1_TRANS_CLIENT_HELLO, SSL3_1_STATE_CLIENT_HELLO_SENT);
+
+	sslAutomaton.addTrans(SSL3_1_STATE_INIT, SSL3_1_TRANS_CLIENT_HELLO,
+		SSL3_1_STATE_CLIENT_HELLO_SENT);
+
+	sslAutomaton.addTrans(SSL3_1_STATE_CLIENT_HELLO_SENT,
+		SSL3_1_TRANS_SERVER_HELLO, SSL3_1_STATE_SERVER_HELLO_SENT);
+
+	sslAutomaton.addTrans(SSL3_1_STATE_SERVER_HELLO_SENT,
+		SSL3_1_TRANS_SERVER_CERT, SSL3_1_STATE_SERVER_CERT_SENT);
+
+	sslAutomaton.addTrans(SSL3_1_STATE_SERVER_HELLO_SENT,
+		SSL3_1_TRANS_SERVER_KEY_EXCHANGE,
+		SSL3_1_STATE_SERVER_KEY_EXCHANGE_SENT);
+
+	// Server key-exchange and/or server requests cert from client.
+	sslAutomaton.addTrans(SSL3_1_STATE_SERVER_CERT_SENT,
+		SSL3_1_TRANS_SERVER_KEY_EXCHANGE,
+		SSL3_1_STATE_SERVER_KEY_EXCHANGE_SENT);
+
+	sslAutomaton.addTrans(SSL3_1_STATE_SERVER_KEY_EXCHANGE_SENT,
+		SSL3_1_TRANS_SERVER_HELLO_DONE,
+		SSL3_1_STATE_SERVER_HELLO_DONE_SENT_A);
+
+	sslAutomaton.addTrans(SSL3_1_STATE_SERVER_KEY_EXCHANGE_SENT,
+		SSL3_1_TRANS_SERVER_CERT_REQ,
+		SSL3_1_STATE_SERVER_CERT_REQ_SENT);
+
+	sslAutomaton.addTrans(SSL3_1_STATE_SERVER_CERT_SENT,
+		SSL3_1_TRANS_SERVER_CERT_REQ,
+		SSL3_1_STATE_SERVER_CERT_REQ_SENT);
+
+	sslAutomaton.addTrans(SSL3_1_STATE_SERVER_CERT_REQ_SENT,
+		SSL3_1_TRANS_SERVER_HELLO_DONE,
+		SSL3_1_STATE_SERVER_HELLO_DONE_SENT_B);
+
+	sslAutomaton.addTrans(SSL3_1_STATE_SERVER_HELLO_DONE_SENT_B,
+		SSL3_1_TRANS_CLIENT_CERT, SSL3_1_STATE_CLIENT_CERT_SENT);
+
+	sslAutomaton.addTrans(SSL3_1_STATE_CLIENT_CERT_SENT,
+		SSL3_1_TRANS_CLIENT_KEY_EXCHANGE,
+		SSL3_1_STATE_CLIENT_KEY_EXCHANGE_SENT_B);
+
+	sslAutomaton.addTrans(SSL3_1_STATE_CLIENT_KEY_EXCHANGE_SENT_B,
+		SSL3_1_TRANS_CLIENT_CERT_VERIFY,
+		SSL3_1_STATE_CLIENT_CERT_VERIFY_SENT);
+
+	sslAutomaton.addTrans(SSL3_1_STATE_CLIENT_KEY_EXCHANGE_SENT_B,
+		SSL3_1_TRANS_CLIENT_FIN, SSL3_1_STATE_CLIENT_FIN_SENT_A);
+
+	sslAutomaton.addTrans(SSL3_1_STATE_CLIENT_CERT_VERIFY_SENT,
+		SSL3_1_TRANS_CLIENT_FIN, SSL3_1_STATE_CLIENT_FIN_SENT_A);
+
+	sslAutomaton.addTrans(SSL3_1_STATE_CLIENT_FIN_SENT_A,
+		SSL3_1_TRANS_SERVER_FIN, SSL3_1_STATE_HS_FIN_A);
+
+	sslAutomaton.addTrans(SSL3_1_STATE_CLIENT_KEY_EXCHANGE_SENT_B,
+		SSL3_1_TRANS_SERVER_FIN, SSL3_1_STATE_SERVER_FIN_SENT_A);
+
+	sslAutomaton.addTrans(SSL3_1_STATE_CLIENT_CERT_VERIFY_SENT,
+		SSL3_1_TRANS_SERVER_FIN, SSL3_1_STATE_SERVER_FIN_SENT_A);
+
+	sslAutomaton.addTrans(SSL3_1_STATE_SERVER_FIN_SENT_A,
+		SSL3_1_TRANS_CLIENT_FIN, SSL3_1_STATE_HS_FIN_A);
+
+	// Server hello done after server cert sent.
+	sslAutomaton.addTrans(SSL3_1_STATE_SERVER_CERT_SENT,
+		SSL3_1_TRANS_SERVER_HELLO_DONE,
+		SSL3_1_STATE_SERVER_HELLO_DONE_SENT_A);
+
+	sslAutomaton.addTrans(SSL3_1_STATE_SERVER_HELLO_DONE_SENT_A,
+		SSL3_1_TRANS_CLIENT_KEY_EXCHANGE,
+		SSL3_1_STATE_CLIENT_KEY_EXCHANGE_SENT_A);
+
+	sslAutomaton.addTrans(SSL3_1_STATE_CLIENT_KEY_EXCHANGE_SENT_A,
+		SSL3_1_TRANS_CLIENT_FIN, SSL3_1_STATE_CLIENT_FIN_SENT_A);
+
+	sslAutomaton.addTrans(SSL3_1_STATE_CLIENT_KEY_EXCHANGE_SENT_A,
+		SSL3_1_TRANS_SERVER_FIN, SSL3_1_STATE_SERVER_FIN_SENT_A);
+
+	sslAutomaton.addTrans(SSL3_1_STATE_CLIENT_FIN_SENT_A,
+		SSL3_1_TRANS_SERVER_FIN, SSL3_1_STATE_HS_FIN_A);
+
+	sslAutomaton.addTrans(SSL3_1_STATE_SERVER_FIN_SENT_A,
+		SSL3_1_TRANS_CLIENT_FIN, SSL3_1_STATE_HS_FIN_A);
+
+	// When reestablishing a session:
+	sslAutomaton.addTrans(SSL3_1_STATE_SERVER_HELLO_SENT,
+		SSL3_1_TRANS_CLIENT_FIN, SSL3_1_STATE_CLIENT_FIN_SENT_B);
+
+	sslAutomaton.addTrans(SSL3_1_STATE_SERVER_HELLO_SENT,
+		SSL3_1_TRANS_SERVER_FIN, SSL3_1_STATE_SERVER_FIN_SENT_B);
+
+	sslAutomaton.addTrans(SSL3_1_STATE_CLIENT_FIN_SENT_B,
+		SSL3_1_TRANS_SERVER_FIN, SSL3_1_STATE_HS_FIN_B);
+
+	sslAutomaton.addTrans(SSL3_1_STATE_SERVER_FIN_SENT_B,
+		SSL3_1_TRANS_CLIENT_FIN, SSL3_1_STATE_HS_FIN_B);
+
+	sslAutomaton.setStartState(SSL3_1_STATE_INIT);
+	}
+
+void SSLv3_Interpreter::printStats()
+	{
+	printf( "SSLv3x:\n" );
+	printf( "Note: Because handshake messages may be coalesced into a \n");
+	printf( "      single SSLv3x record, the number of total messages for SSLv3x plus \n");
+	printf( "      the number of total records seen for SSLv2 won't match \n");
+	printf( "      SSLProxy_Analyzer::totalRecords! \n");
+	printf( "total connections			= %u\n", totalConnections );
+	printf( "opened connections (complete handshake)	= %u\n", openedConnections );
+
+	printf( "total messages seen			= %u\n", totalRecords );
+	printf( "handshake messages seen			= %u\n", handshakeRecords );
+	printf( "alert records seen			= %u\n", alertRecords );
+	printf( "change cipher records seen		= %u\n", changeCipherRecords );
+	printf( "client hello messages seen		= %u\n", clientHelloRecords );
+	printf( "server hello messages seen		= %u\n", serverHelloRecords );
+	}
+
+int SSLv3_Interpreter::HandshakeType2Trans(int type)
+	{
+	switch ( SSL3_1_HandshakeType(type) ) {
+	case SSL3_1_HELLO_REQUEST: return SSL3_1_TRANS_SERVER_HELLO_REQ;
+	case SSL3_1_CLIENT_HELLO: return SSL3_1_TRANS_CLIENT_HELLO;
+	case SSL3_1_SERVER_HELLO: return SSL3_1_TRANS_SERVER_HELLO;
+
+	case SSL3_1_CERTIFICATE:
+		// Client- and server certificate handshake records lead
+		// to the same transition in the SSL automaton
+		// (see SSLDefines.h)
+		return SSL3_1_TRANS_SERVER_CERT;
+
+	case SSL3_1_SERVER_KEY_EXCHANGE: return SSL3_1_TRANS_SERVER_KEY_EXCHANGE;
+	case SSL3_1_CERTIFICATE_REQUEST: return SSL3_1_TRANS_SERVER_CERT_REQ;
+	case SSL3_1_SERVER_HELLO_DONE: return SSL3_1_TRANS_SERVER_HELLO_DONE;
+	case SSL3_1_CERTIFICATE_VERIFY: return SSL3_1_TRANS_CLIENT_CERT_VERIFY;
+	case SSL3_1_CLIENT_KEY_EXCHANGE: return SSL3_1_TRANS_CLIENT_KEY_EXCHANGE;
+
+	case SSL3_1_FINISHED:
+		// Client- and server certificate handshake records lead
+		// to the same transition in the SSL automaton
+		// (see SSLDefines.h)
+		return SSL3_1_TRANS_CLIENT_FIN;
+	default:
+		return -1;
+	}
+	}
+
+void SSLv3_Interpreter::DeliverSSLv3_Record(SSLv3_HandshakeRecord* rec)
+	{
+	++SSLv3_Interpreter::totalRecords;
+	++SSLv3_Interpreter::handshakeRecords;
+
+	TableVal* currentCipherSuites = 0;
+
+	// First: consistency checks.
+	// Special treatment for finished messages, because they are
+	// already encrypted (encrypted handshake message).
+	if ( (change_cipher_client_seen && (rec->endp)->IsOrig() &&
+	      ! fin_client_seen) ||
+	     (change_cipher_server_seen && ! rec->endp->IsOrig() &&
+	      ! fin_server_seen) )
+		{
+		// no checks can be performed due encryption...
+		}
+	else
+		{
+		SSL3_1_HandshakeType ht = SSL3_1_HandshakeType(rec->type);
+		switch ( ht ) {
+		case SSL3_1_HELLO_REQUEST:
+			if ( rec->length != 0 )
+				Weird("SSLv3x: Hello request too long!");
+			if ( ! helloRequestValid )
+				Weird("SSLv3x: Received hello request during handshake!");
+			// There should only be sent one hello request at a
+			// time.
+			helloRequestValid = false;
+			break;
+
+		case SSL3_1_CLIENT_HELLO:
+			{
+			++SSLv3_Interpreter::clientHelloRecords;
+
+			// During the handshaking phase, we don't want any
+			// more hello requests.
+			helloRequestValid = false;
+
+			if ( rec->checkClientHello() == 0 )
+				return;
+
+			const u_char* pTemp = rec->data;
+			uint8 sessionIDLength = uint8(pTemp[38]);
+			clientSessionID =
+				new SSL_DataBlock((pTemp + 39), sessionIDLength);
+			uint16 cipherSuiteLength =
+				uint16(pTemp[39 + sessionIDLength] << 8 ) |
+				pTemp[40 + sessionIDLength];
+
+			currentCipherSuites =
+				analyzeCiphers(rec->endp, cipherSuiteLength,
+					rec->data + 41 + sessionIDLength,
+					rec->sslVersion);
+
+			if ( ssl_store_key_material )
+				{
+				clientRandom = new SSLv3x_Random();
+				clientRandom->random_bytes = 0;
+				clientRandom->gmt_unix_time =
+					uint32(((pTemp[6] << 24) |
+						pTemp[7] << 16) |
+					       pTemp[8] << 8) | pTemp[9];
+
+				clientRandom->random_bytes =
+					new SSL_DataBlock(pTemp + 10, 28);
+				}
+			break;
+			}
+
+		case SSL3_1_SERVER_HELLO:
+			{
+			++SSLv3_Interpreter::serverHelloRecords;
+			if ( rec->checkServerHello() == 0)
+				return;
+
+			const u_char* pTemp = rec->data;
+			uint8 sessionIDLength = uint8(pTemp[38]);
+			serverSessionID =
+				new SSL_DataBlock(pTemp + 39, sessionIDLength);
+			currentCipherSuites =
+				analyzeCiphers(rec->endp, 2,
+					rec->data + 39 + sessionIDLength,
+					rec->sslVersion);
+
+			// Check whether the cipher suite the server choose
+			// was included in the cipher suites the client
+			// anounced.
+			if ( pClientCipherSpecs && pCipherSuite )
+				{
+				bool bFound = false;
+				uint16 tempClientCipher;
+				for ( int i = 0; i < pClientCipherSpecs->len;
+				      i += 2 )
+					{
+					tempClientCipher =
+						(pClientCipherSpecs->data[i] << 8) |
+						pClientCipherSpecs->data[i+1];
+
+					if ( tempClientCipher ==
+					     pCipherSuite->identifier )
+						{
+						bFound = true;
+						i = pClientCipherSpecs->len;
+						}
+					}
+
+				if ( ! bFound )
+					Weird("SSLv3x: Server choosed cipher spec that client didn't anounce!");
+
+				delete pClientCipherSpecs;
+				pClientCipherSpecs = 0;
+				}
+
+			if ( ssl_store_key_material )
+				{
+				serverRandom = new SSLv3x_Random();
+				serverRandom->gmt_unix_time =
+					uint32(((pTemp[6] << 8) |
+						pTemp[7] << 8) |
+					       pTemp[8] << 8) | pTemp[9];
+				serverRandom->random_bytes =
+					new SSL_DataBlock(pTemp + 10, 28);
+				}
+
+			// Insert session injection into here.
+
+			if ( ! ssl_session_insertion )
+				break; // in place of below
+
+			TableVal* sessionIDTable =
+				serverSessionID ?
+					MakeSessionID(serverSessionID->data,
+							serverSessionID->len) :
+					MakeSessionID(0, 0);
+
+			val_list* vl = new val_list;
+			vl->append(proxy->BuildConnVal());
+			vl->append(sessionIDTable);
+
+			proxy->ConnectionEvent(ssl_session_insertion, vl);
+			break;
+			}
+
+		case SSL3_1_CERTIFICATE:
+			{
+			if ( rec->length >= 3 )
+				{
+				const u_char* pData = rec->data;
+				uint32 certListLength =
+					uint32((pData[4] << 16) |
+					       pData[5] << 8) | pData[6];
+
+				// Size consistency checks.
+				if ( certListLength + 3 != uint32(rec->length) )
+					{
+					if ( rec->endp->IsOrig() )
+						Weird("SSLv3x: Corrupt length field in client certificate list!");
+					else
+						Weird("SSLv3x: Corrupt length field in server certificate list!");
+					return;
+					}
+
+				// Sum of all cert sizes has to match
+				// certListLength.
+				uint tempLength = 0;
+				uint certCount = 0;
+				while ( tempLength < certListLength )
+					{
+					if ( tempLength + 3 <= certListLength )
+						{
+						++certCount;
+						uint32 certLength =
+							uint32((pData[tempLength + 7] << 16) | pData[tempLength + 8] << 8) | pData[tempLength + 9];
+						tempLength += certLength + 3;
+						}
+					else
+						{
+						Weird("SSLv3x: Corrupt length field in certificate list!");
+						return;
+						}
+					}
+
+				if ( tempLength > certListLength )
+					{
+					Weird("SSLv3x: sum of size of certificates doesn't match size of certificate chain");
+					return;
+					}
+
+				SSL_InterpreterEndpoint* pEp =
+					(SSL_InterpreterEndpoint*) rec->endp;
+
+				if ( certCount == 0 )
+					{ // we don't have a certificate...
+					if ( rec->endp->IsOrig() )
+						{
+						Weird("SSLv3x: Client certificate is missing!");
+						break;
+						}
+					else
+						{
+						Weird("SSLv3x: Server certificate is missing!");
+						break;
+						}
+					}
+
+				if ( certCount > 1 )
+					{ // we have a chain
+					analyzeCertificate(pEp,
+						rec->data + 7,
+						certListLength, 1, true);
+					}
+				else
+					{
+					// We have a single certificate.
+					// FIXME.
+					analyzeCertificate(pEp,
+						rec->data + 10,
+						certListLength-3, 1, false);
+					}
+
+				}
+			else
+				Weird("SSLv3x: Certificate record too small!" );
+			break;
+			}
+
+		case SSL3_1_SERVER_KEY_EXCHANGE:
+			{
+			/*
+			switch (cipherSuite)
+				{
+				// It would be necessary to have the RSA key length
+				// out of the server's certificate. If the cipher suite
+				// is EXPORT, than a RSA key length larger than 512 bits
+				// is not allowed for encryption and thus, the server needs
+				// to send a key-exchange-message in order to negotiate the
+				// pre-master secret (see rfc 2246 page 39)
+				case TLS_RSA_WITH_NULL_MD5:
+				case TLS_RSA_WITH_NULL_SHA:
+				// case TLS_RSA_EXPORT_WITH_RC4_40_MD5: //see comment above
+				case TLS_RSA_WITH_RC4_128_MD5:
+				case TLS_RSA_WITH_RC4_128_SHA:
+				// case TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5: //see comment above
+				case TLS_RSA_WITH_IDEA_CBC_SHA:
+				// case TLS_RSA_EXPORT_WITH_DES40_CBC_SHA: //see comment above
+				case TLS_RSA_WITH_DES_CBC_SHA:
+				case TLS_RSA_WITH_3DES_EDE_CBC_SHA:
+				case TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA:
+				case TLS_DH_DSS_WITH_DES_CBC_SHA:
+				case TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA:
+				case TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA:
+				case TLS_DH_RSA_WITH_DES_CBC_SHA:
+				case TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA:
+					{
+					Weird("SSLv3x: Sending server-key-exchange not allowed for this cipher suite!");
+					return;
+					break;
+					}
+				default:
+					break;
+				}
+			*/
+
+			if ( ! pCipherSuite )
+				// If we have an unknown CIPHER-SPEC,
+				// we can't do our weird checks.
+				break;
+
+			SSL_KeyExchangeAlgorithm keyXAlgorithm =
+				pCipherSuite->keyExchangeAlgorithm;
+
+			if ( keyXAlgorithm == SSL_KEY_EXCHANGE_RSA ||
+			     keyXAlgorithm == SSL_KEY_EXCHANGE_DH_DSS ||
+			     keyXAlgorithm == SSL_KEY_EXCHANGE_DH_RSA )
+				{
+				Weird("SSLv3x: Sending server-key-exchange not allowed for this cipher suite!");
+				return;
+
+				}
+			// FIXME: check where DHE_RSA etc. belongs to
+			const u_char* pTemp = rec->data;
+			if ( ssl_store_key_material )
+				{
+				if ( keyXAlgorithm == SSL_KEY_EXCHANGE_RSA ||
+				     keyXAlgorithm == SSL_KEY_EXCHANGE_RSA ||
+				     keyXAlgorithm == SSL_KEY_EXCHANGE_RSA_EXPORT1024 )
+					{ // some weird checks
+					if ( rec->length < 2 )
+						{
+						Weird("SSLv3x: server-key-exchange empty!");
+						return;
+						}
+
+					uint16 modulusLength = uint16(pTemp[4] << 8 ) | pTemp[5];
+					if ( modulusLength + 4 > rec->length )
+						{
+						Weird("SSLv3x: Corrupt length fields in server-key-exchange!");
+						break;
+						}
+
+					uint16 exponentLength = uint16(pTemp[6 + modulusLength] << 8 ) | pTemp[7 + modulusLength];
+					if ( modulusLength + exponentLength + 4 > rec->length )
+						{
+						Weird("SSLv3x: Corrupt length fields in server-key-exchange!");
+						return;
+						}
+
+					serverRSApars =
+						new SSLv3x_ServerRSAParams;
+					serverRSApars->rsa_modulus =
+						new SSL_DataBlock(pTemp + 6, modulusLength);
+					serverRSApars->rsa_exponent =
+						new SSL_DataBlock( pTemp + 8 + modulusLength, exponentLength);
+					}
+				else
+					{
+					if ( keyXAlgorithm == SSL_KEY_EXCHANGE_DH || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_DSS || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_DSS_EXPORT || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_RSA || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_RSA_EXPORT || keyXAlgorithm == SSL_KEY_EXCHANGE_DHE_DSS || keyXAlgorithm == SSL_KEY_EXCHANGE_DHE_DSS_EXPORT || keyXAlgorithm == SSL_KEY_EXCHANGE_DHE_RSA || keyXAlgorithm == SSL_KEY_EXCHANGE_DHE_RSA_EXPORT || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_ANON || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_ANON_EXPORT || keyXAlgorithm == SSL_KEY_EXCHANGE_DHE_DSS_EXPORT1024 )
+						{
+						if ( rec->length < 2 )
+							{
+							Weird("SSLv3x: server-key-exchange empty!");
+							return;
+							}
+
+						uint16 dh_pLength = (uint16) (pTemp[4] << 8 ) | pTemp[5];
+						if ( dh_pLength + 4 > rec->length )
+							{
+							Weird("SSLv3x: Corrupt length fields in server-key-exchange!");
+							break;
+							}
+
+						uint16 dh_gLength = uint16(pTemp[6 + dh_pLength] << 8 ) | pTemp[7 + dh_pLength];
+						uint16 dh_YsLength = uint16(pTemp[8 + dh_pLength + dh_gLength] << 8 ) | pTemp[9 + dh_pLength + dh_gLength];
+						if ( dh_pLength + dh_gLength + dh_YsLength + 6 > rec->length )
+							{
+							Weird("SSLv3x: Corrupt length fields in server-key-exchange!");
+							printf("xxx %u > %u \n", (dh_pLength + dh_gLength + dh_YsLength + 6), rec->length);
+							return;
+							}
+
+						serverDHPars = new SSLv3x_ServerDHParams;
+						serverDHPars->dh_p = new SSL_DataBlock(pTemp + 6 , dh_pLength);
+						serverDHPars->dh_g = new SSL_DataBlock(pTemp + 8 + dh_pLength, dh_gLength);
+						serverDHPars->dh_Ys = new SSL_DataBlock(pTemp + 10 + dh_pLength + dh_gLength, dh_YsLength);
+						}
+					}
+				}
+			break;
+			}
+
+		case SSL3_1_CERTIFICATE_REQUEST:
+			{
+			// Only if server not anonymous
+			/*
+			switch (cipherSuite)
+				{
+				case TLS_NULL_WITH_NULL_NULL:
+				case TLS_DH_ANON_EXPORT_WITH_RC4_40_MD5:
+				case TLS_DH_ANON_WITH_RC4_128_MD5:
+				case TLS_DH_ANON_EXPORT_WITH_DES40_CBC_SHA:
+				case TLS_DH_ANON_WITH_DES_CBC_SHA:
+				case TLS_DH_ANON_WITH_3DES_EDE_CBC_SHA:
+					{
+					Weird("SSLv3x: Sending certificate-request not allowed for anonymous servers!");
+					break;
+					}
+				default:
+					{
+					break;
+					}
+				}
+			*/
+
+			if ( ! pCipherSuite )
+				{
+				// if we have an unknown CIPHER-SPEC,
+				// we can't do our weird checks.
+				break;
+				}
+
+			if ( pCipherSuite->keyExchangeAlgorithm == SSL_KEY_EXCHANGE_DH_ANON || pCipherSuite->keyExchangeAlgorithm == SSL_KEY_EXCHANGE_DH_ANON_EXPORT )
+				Weird("SSLv3x: Sending certificate-request not allowed for anonymous servers!");
+
+			// FIXME: Insert weird checks!
+			break;
+			}
+
+		case SSL3_1_SERVER_HELLO_DONE:
+			{
+			if ( rec->length != 0 )
+				Weird("SSLv3x: Server hello too long!");
+			break;
+			}
+
+		case SSL3_1_CLIENT_KEY_EXCHANGE:
+			{
+			if ( ! pCipherSuite )
+				// if we have an unknown CIPHER-SPEC,
+				// we can't do our weird checks
+				break;
+
+			const u_char* pTemp = rec->data;
+			if ( ssl_store_key_material )
+				{
+				SSL_KeyExchangeAlgorithm keyXAlgorithm =
+					pCipherSuite->keyExchangeAlgorithm;
+
+				if ( keyXAlgorithm == SSL_KEY_EXCHANGE_RSA || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_DSS || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_RSA )
+					{
+					encryptedPreSecret =
+						new SSLv3x_EncryptedPremasterSecret;
+					encryptedPreSecret->encryptedSecret =
+						new SSL_DataBlock( pTemp + 4, rec->length);
+					}
+				else
+					{
+					if ( keyXAlgorithm == SSL_KEY_EXCHANGE_DH || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_DSS || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_DSS_EXPORT || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_RSA || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_RSA_EXPORT || keyXAlgorithm == SSL_KEY_EXCHANGE_DHE_DSS || keyXAlgorithm == SSL_KEY_EXCHANGE_DHE_DSS_EXPORT || keyXAlgorithm == SSL_KEY_EXCHANGE_DHE_RSA || keyXAlgorithm == SSL_KEY_EXCHANGE_DHE_RSA_EXPORT || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_ANON || keyXAlgorithm == SSL_KEY_EXCHANGE_DH_ANON_EXPORT || keyXAlgorithm == SSL_KEY_EXCHANGE_DHE_DSS_EXPORT1024 )
+						{
+						if ( rec->length < 2 )
+							{
+							// This can happen (see RFC 2246, p. 45).
+							return;
+							}
+
+						uint16 DHpublicLength =
+							uint16(pTemp[4] << 8) | pTemp[5];
+						if ( DHpublicLength + 2 < rec->length )
+							{
+							Weird("SSLv3x: Corrupt length fields in client-key-exchange!");
+							return;
+							}
+
+						clientDHpublic = new SSLv3x_ClientDHPublic;
+						clientDHpublic->dh_Yc = new SSL_DataBlock(pTemp + 6, DHpublicLength);
+						}
+					}
+
+				}
+			break;
+			}
+
+		case SSL3_1_CERTIFICATE_VERIFY:
+			{
+			// FIXME: Insert Weird checks!
+			break;
+			}
+
+		case SSL3_1_FINISHED:
+			{
+			// We won't get here, because finished messages
+			// are already encrypted, so we can't get
+			// the content type of this handshake-message...
+			break;
+			}
+
+		default:
+			{
+			if ( currentState == SSL3_1_STATE_SERVER_FIN_SENT_A ||
+			     currentState == SSL3_1_STATE_CLIENT_FIN_SENT_B )
+				{
+				Weird("SSLv3x: Handshake message (unknown type) after finished message!");
+				return;
+				}
+			else
+				{
+				Weird("SSLv3x: Invalid HandshakeType! Maybe finished message without predecessing change-cipher-message!");
+				return; }
+			}
+		}
+		}
+
+	int oldState = currentState;
+	bool alreadySwitchedState = false;
+
+	// First: Special handling of finished messages. They must be
+	// sent immediately after a change cipher message - already encrypted.
+	// from client?
+	if ( rec->endp->IsOrig() && change_cipher_client_seen )
+		{
+		if ( ! fin_client_seen )
+			{
+			// This must be a (valid) client finished.
+			// We assume it to be one, because the predecessing
+			// message was a change cipher.
+			fin_client_seen = true;
+			change_cipher_client_seen = false;
+			alreadySwitchedState = true;
+			currentState = sslAutomaton.getNextState(currentState,
+						SSL3_1_TRANS_CLIENT_FIN);
+			}
+		else
+			{
+			// We already saw a client finished (should not be
+			// possible).
+			Weird("SSLv3x: Already received client finished message!");
+			currentState = sslAutomaton.getNextState(currentState,
+						SSL3_1_TRANS_CLIENT_FIN);
+			fin_client_seen = true;
+			change_cipher_client_seen = false;
+			alreadySwitchedState = true;
+			}
+		}
+
+	// from server
+	else if ( ! rec->endp->IsOrig() && change_cipher_server_seen )
+		{
+		if ( ! fin_server_seen )
+			{
+			// This must be a (valid) server finished.
+			// We assume it to be one, because the predecessing
+			// message was a change cipher.
+			fin_server_seen = true;
+			change_cipher_server_seen = false;
+			alreadySwitchedState = true;
+			currentState = sslAutomaton.getNextState(currentState,
+				SSL3_1_TRANS_SERVER_FIN);
+			}
+		else
+			{
+			// We already saw a server-finished (should not be
+			// possible).
+			Weird("SSLv3x: Already received server finished message!");
+			currentState = sslAutomaton.getNextState(currentState,
+						SSL3_1_TRANS_SERVER_FIN);
+			alreadySwitchedState = true;
+			fin_server_seen = true;
+			change_cipher_server_seen = false;
+			}
+		}
+
+	if ( ! alreadySwitchedState )
+		{
+		// Check whether we are already finished with the
+		// handshaking process...
+		switch ( currentState ) {
+		case SSL3_1_STATE_HS_FIN_A:
+		case SSL3_1_STATE_HS_FIN_B:
+			Weird("SSLv3x: Received handshake message after finishing handshake!");
+			break;
+
+		default:
+			// It's a "normal" handshake message...
+			currentState = sslAutomaton.getNextState(currentState,
+				HandshakeType2Trans(rec->type));
+			break;
+		}
+		}
+
+	if ( currentState == SSL3_1_STATE_ERROR )
+		{
+		// proxy->SetSkip(1);
+		}
+
+	// Only if we changed the currentState, we need to call GenerateEvents
+	// because event generation in GenerateEvents() is based on
+	// currentState.
+	if ( oldState != currentState )
+		GenerateEvents(rec, currentCipherSuites);
+	else
+		Unref(currentCipherSuites);
+	}
+
+void SSLv3_Interpreter::DeliverSSLv3_Record(SSLv3_AlertRecord* rec)
+	{
+	++SSLv3_Interpreter::totalRecords;
+	++SSLv3_Interpreter::alertRecords;
+
+	// First: consistency-checks.
+	// Only if handshake not already finished.
+	// Otherwise alerts may be encrypted, so we could do nothing...
+	if ( currentState == SSL3_1_STATE_SERVER_FIN_SENT_A ||
+	     currentState == SSL3_1_STATE_CLIENT_FIN_SENT_B ||
+	     currentState == SSL3_1_STATE_CLIENT_FIN_SENT_A ||
+	     currentState == SSL3_1_STATE_SERVER_FIN_SENT_B ||
+	     currentState == SSL3_1_STATE_HS_FIN_A ||
+	     currentState == SSL3_1_STATE_HS_FIN_B ||
+	     change_cipher_client_seen || change_cipher_server_seen )
+		return;
+
+	if ( rec->level != SSL3x_ALERT_LEVEL_WARNING &&
+	     rec->level != SSL3x_ALERT_LEVEL_FATAL )
+		Weird("SSLv3x: Unknown ssl alert level");
+
+	SSL3_1_AlertDescription ad = SSL3_1_AlertDescription(rec->description);
+	switch ( ad ) {
+	case SSL3_1_CLOSE_NOTIFY:
+	case SSL3_1_UNEXPECTED_MESSAGE:
+	case SSL3_1_BAD_RECORD_MAC:
+	case SSL3_1_DECRYPTION_FAILED:
+	case SSL3_1_RECORD_OVERFLOW:
+	case SSL3_1_DECOMPRESSION_FAILURE:
+	case SSL3_1_HANDSHAKE_FAILURE:
+		break;
+
+	case SSL3_0_NO_CERTIFICATE:
+		// This may happen ONLY in SSLv3.0 when the server sends
+		// a certificate request but the client has none.
+		if ( rec->sslVersion == SSLProxy_Analyzer::SSLv30 )
+			currentState = SSL3_1_STATE_SERVER_HELLO_DONE_SENT_A;
+		else
+			Weird("SSLv3x: No certificate alert not defined for SSL 3.1!");
+		break;
+
+	case SSL3_1_BAD_CERTIFICATE:
+	case SSL3_1_UNSUPPORTED_CERTIFICATE:
+	case SSL3_1_CERTIFICATE_REVOKED:
+	case SSL3_1_CERTIFICATE_EXPIRED:
+	case SSL3_1_CERTIFICATE_UNKNOWN:
+	case SSL3_1_ILLEGAL_PARAMETER:
+	case SSL3_1_UNKNOWN_CA:
+	case SSL3_1_ACCESS_DENIED:
+	case SSL3_1_DECODE_ERROR:
+	case SSL3_1_DECRYPT_ERROR:
+	case SSL3_1_EXPORT_RESTRICTION:
+	case SSL3_1_PROTOCOL_VERSION:
+	case SSL3_1_INSUFFICIENT_SECURITY:
+	case SSL3_1_INTERNAL_ERROR:
+	case SSL3_1_USER_CANCELED:
+	case SSL3_1_NO_RENEGOTIATION:
+		break;
+
+	default:
+		Weird(" SSLv3x: Unknown ssl alert description!" );
+		break;
+	}
+
+	if ( rec->level == 2 )
+		// Fatal alert!
+		currentState = SSL3_1_STATE_INIT;
+
+	if ( rec->level == 1 && ad == SSL3_1_CLOSE_NOTIFY )
+		currentState = SSL3_1_STATE_INIT;
+
+	fire_ssl_conn_alert(rec->sslVersion, rec->level, rec->description);
+	}
+
+void SSLv3_Interpreter::DeliverSSLv3_Record(SSLv3_ChangeCipherRecord* rec)
+	{
+	++SSLv3_Interpreter::totalRecords;
+	++SSLv3_Interpreter::changeCipherRecords;
+
+	if ( rec->type != 1 )
+		Weird("SSLv3x: Unknown change cipher type!");
+	if ( rec->recordLength != 1 )
+		Weird("SSLv3x: Change cipher message too long!");
+
+	// After receiving a change cipher spec message, the next message sent
+	// MUST be a finished message. So we set the appropriate flag:
+	// change_cipher_client/server_seen.
+	if ( rec->endp->IsOrig())
+		{
+		if ( change_cipher_client_seen )
+			Weird("SSLv3x: Received multiple change cipher message from client!");
+		change_cipher_client_seen = true;
+		fin_client_seen = false;
+		}
+	else
+		{
+		if ( change_cipher_server_seen )
+			Weird("SSLv3x: Received multiple change cipher message from server!");
+		change_cipher_server_seen = true;
+		fin_server_seen = false;
+		}
+
+	if ( currentState == SSL3_1_STATE_ERROR )
+		{
+		// proxy->SetSkip(1);
+		}
+
+	// We don't need a GenerateEvents here, because we didn't change
+	// the currentState of the SSL automaton.  (Event generation
+	// in GenerateEvents() is done based on currentState.)
+	// GenerateEvents(rec);
+	}
+
+void SSLv3_Interpreter::DeliverSSLv3_Record(SSLv3_ApplicationRecord* rec)
+	{
+	++SSLv3_Interpreter::totalRecords;
+
+	if ( currentState == SSL3_1_STATE_HS_FIN_A ||
+	     currentState == SSL3_1_STATE_HS_FIN_B )
+		// O.K., sending application data is valid
+		// this was the last record we analyzed...
+		proxy->SetSkip(1);
+	else
+		{
+		// Sending application data now is not valid, so the SSL
+		// connection is probably already established and we
+		// didn't get the handshake.
+		Weird("SSLv3_data_without_full_handshake");
+		currentState = SSL3_1_STATE_ERROR;
+		GenerateEvents(rec, 0);
+		}
+	}
+
+TableVal* SSLv3_Interpreter::analyzeCiphers(const SSLv3_Endpoint* s, int length,
+					const u_char* data, uint16 version)
+	{
+	int is_orig = (SSL_InterpreterEndpoint*) s == orig;
+
+	if ( length > ssl_max_cipherspec_size )
+		{
+		if ( is_orig )
+			Weird("SSLv2: Client has CipherSpecs > ssl_max_cipherspec_size");
+		else
+			Weird("SSLv2: Server has CipherSpecs > ssl_max_cipherspec_size");
+		}
+
+	const u_char* pCipher = data;
+	SSL_CipherSpec* pCipherSuiteTemp = 0;
+	uint16 cipherSuite;
+	for ( int i = 0; i < length; i += 2 )
+		{
+		cipherSuite = uint16(pCipher[0+i] << 8) | pCipher[1+i];
+		HashKey h(static_cast<bro_uint_t>(cipherSuite));
+
+		pCipherSuiteTemp =
+			(SSL_CipherSpec*) SSL_CipherSpecDict.Lookup(&h);
+		if ( ! pCipherSuiteTemp )
+			{
+			if ( is_orig )
+				proxy->Weird("SSLv3x: Unknown CIPHER-SPEC in CLIENT-HELLO");
+			else
+				proxy->Weird("SSLv3x: Unknown CIPHER-SPEC in SERVER-HELLO");
+			}
+		}
+
+	// Store server's cipher specs.
+	if ( ! is_orig )
+		{
+		pCipherSuite = pCipherSuiteTemp;
+		if ( ! pCipherSuite )
+			{
+			// Special case: we store the identifier directly
+			// for unknown cipher-specs.
+			cipherSuiteIdentifier =
+				uint16(pCipher[0] << 8) | pCipher[1];
+			}
+		}
+
+	if ( ssl_compare_cipherspecs && length <= ssl_max_cipherspec_size )
+		{
+		// Store cipher specs for analysis: was the choosen
+		// server cipher suite announced by the client?
+		if ( is_orig )
+			{
+			pClientCipherSpecs =
+				new SSL_DataBlock(data, length);
+			}
+		}
+
+	if ( (! is_orig && ssl_conn_server_reply) ||
+	     (is_orig && ssl_conn_attempt) )
+		{
+		TableVal* pCipherTable = new TableVal(cipher_suites_list);
+		for ( int i = 0; i < length; i += 2 )
+			{
+			uint32 cipherSpec = (pCipher[0] << 8) | pCipher[1];
+			Val* index = new Val(cipherSpec, TYPE_COUNT);
+			pCipherTable->Assign(index, 0);
+			Unref(index);
+			pCipher += 2;
+			}
+
+		return pCipherTable;
+		}
+
+	else
+		return 0;
+	}
+
+void SSLv3_Interpreter::GenerateEvents(SSLv3_Record* rec, TableVal* curCipherSuites)
+	{
+	if ( curCipherSuites &&
+	     currentState != SSL3_1_STATE_CLIENT_HELLO_SENT &&
+	     currentState != SSL3_1_STATE_SERVER_HELLO_SENT )
+	        // Unref here, since the events won't do so in this case.
+	        Unref(curCipherSuites);
+
+	switch ( currentState ) {
+	case SSL3_1_STATE_CLIENT_HELLO_SENT:
+		fire_ssl_conn_attempt(rec->sslVersion, curCipherSuites);
+		break;
+
+	case SSL3_1_STATE_SERVER_HELLO_SENT:
+		fire_ssl_conn_server_reply(rec->sslVersion, curCipherSuites);
+		break;
+
+	case SSL3_1_STATE_HS_FIN_A:
+	case SSL3_1_STATE_HS_FIN_B:
+		++SSLv3_Interpreter::openedConnections;
+		fire_ssl_conn_established(rec->sslVersion,
+					  pCipherSuite ?
+						pCipherSuite->identifier : 0);
+
+		// We finished handshake.  Skip all further data.
+		proxy->SetSkip(1);
+		helloRequestValid = true;
+		break;
+
+	case SSL3_1_STATE_SERVER_FIN_SENT_B:
+		// First, check for session-ID match.
+		if ( clientSessionID && serverSessionID &&
+		     memcmp(clientSessionID->data, serverSessionID->data,
+			    clientSessionID->len) != 0 )
+			Weird("SSLv3x: Reusing session but session ID mismatch!");
+		fire_ssl_conn_reused(serverSessionID);
+		break;
+
+	case SSL3_1_STATE_ERROR:
+		Weird("unexpected_SSLv3_record");
+		proxy->SetSkip(1);
+	}
+	}
+
+void SSLv3_Interpreter::SetState(int i)
+	{
+	if ( i >= 0 && i < SSL3_1_NUM_STATES )
+		currentState = i;
+	}
+
+// ---SSLv3_Endpoint--------------------------------------------------------------
+
+SSLv3_Endpoint::SSLv3_Endpoint(SSL_Interpreter* interpreter, int is_orig)
+: SSL_InterpreterEndpoint(interpreter, is_orig)
+	{
+	sslVersion = 0;
+	}
+
+SSLv3_Endpoint::~SSLv3_Endpoint()
+	{
+	}
+
+void SSLv3_Endpoint::Deliver(int len, const u_char* data)
+	{
+	if ( SSL3_1_LENGTHOFFSET + sizeof(uint16) <= unsigned(len) )
+		{
+		currentMessage_length =
+			uint16(data[SSL3_1_LENGTHOFFSET] << 8) |
+			data[SSL3_1_LENGTHOFFSET+1];
+
+		// ### where does this magic number come from?
+		if ( currentMessage_length > 18432 )
+			interpreter->Weird("SSLv3x: Message length too long!");
+		}
+	else
+		{
+		interpreter->Weird("SSLv3x: Could not determine message length!");
+		return;
+		}
+
+	if ( currentMessage_length + 2 + SSL3_1_LENGTHOFFSET != len )
+		{
+		// This should never happen; otherwise there is a bug in the
+		// SSL_RecordBuilder.
+		interpreter->Weird("SSLv3x: FATAL: recordLength doesn't match data block length!");
+		interpreter->Proxy()->SetSkip(1);
+		return;
+		}
+
+	ProcessMessage(data, len);
+	}
+
+void SSLv3_Endpoint::ProcessMessage(const u_char* data, int len)
+	{
+	SSL3_1_ContentType ct = ExtractContentType(data, len);
+	if ( ! ExtractVersion(data, len) )
+		return;
+
+	switch ( ct ) {
+	case SSL3_1_TYPE_CHANGE_CIPHER_SPEC:
+		{
+		SSLv3_ChangeCipherRecord* rec = new
+			SSLv3_ChangeCipherRecord(data + SSL3_1_HEADERLENGTH,
+				len - SSL3_1_HEADERLENGTH, sslVersion, this);
+
+		// Multiple handshake messages may be coalesced into
+		// a single record.
+		rec->Deliver((SSLv3_Interpreter*) interpreter);
+		Unref(rec);
+		break;
+		}
+
+	case SSL3_1_TYPE_ALERT:
+		{
+		SSLv3_AlertRecord* rec = new
+			SSLv3_AlertRecord(data + SSL3_1_HEADERLENGTH,
+				len - SSL3_1_HEADERLENGTH, sslVersion, this);
+		rec->Deliver((SSLv3_Interpreter*) interpreter);
+		Unref(rec);
+		break;
+		}
+
+	case SSL3_1_TYPE_HANDSHAKE:
+		{
+		SSLv3_HandshakeRecord* rec =
+			new SSLv3_HandshakeRecord(data + SSL3_1_HEADERLENGTH,
+				len - SSL3_1_HEADERLENGTH, sslVersion, this);
+		rec->Deliver((SSLv3_Interpreter*) interpreter);
+		Unref(rec);
+		break;
+		}
+
+	case SSL3_1_TYPE_APPLICATION_DATA:
+		{
+		SSLv3_ApplicationRecord* rec =
+			new SSLv3_ApplicationRecord(data + SSL3_1_HEADERLENGTH,
+				len - SSL3_1_HEADERLENGTH, sslVersion, this);
+		rec->Deliver((SSLv3_Interpreter*) interpreter);
+		Unref(rec);
+		break;
+		}
+
+	default:
+		{
+		interpreter->Weird("SSLv3x: Could not determine content type!");
+		break;
+		}
+	}
+	}
+
+SSL3_1_ContentType SSLv3_Endpoint::ExtractContentType(const u_char* data,
+							int len)
+	{
+	return SSL3_1_ContentType(uint8(*(data + SSL3_1_CONTENTTYPEOFFSET)));
+	}
+
+int SSLv3_Endpoint::ExtractVersion(const u_char* data, int len)
+	{
+	sslVersion = uint16(data[SSL3_1_VERSIONTYPEOFFSET] << 8) |
+		     data[SSL3_1_VERSIONTYPEOFFSET + 1];
+
+	if ( sslVersion != SSLProxy_Analyzer::SSLv30 &&
+	     sslVersion != SSLProxy_Analyzer::SSLv31 )
+		{
+		interpreter->Weird("SSLv3x: Unsupported SSL-Version (not SSLv3x)!");
+		return 0;
+		}
+	else
+		return 1;
+	}
+
+// ---SSLv3_Record----------------------------------------------------------------
+
+SSLv3_Record::SSLv3_Record(const u_char* data, int len,
+			uint16 version, SSLv3_Endpoint const* e)
+	{
+	recordLength = len;
+	sslVersion = version;
+	endp = e;
+	this->data = data;
+	}
+
+SSLv3_Record::~SSLv3_Record()
+	{
+	// The memory for data is deleted after processing the ssl record
+	// in the common ssl reassembler.
+	}
+
+void SSLv3_Record::Describe(ODesc* d) const
+	{
+	d->Add("sslrecord");
+	}
+
+SSLv3_Endpoint const* SSLv3_Record::GetEndpoint() const
+	{
+	return endp;
+	}
+
+const u_char* SSLv3_Record::GetData() const
+	{
+	return data;
+	}
+
+int SSLv3_Record::ExtractInt24(const u_char* data, int len, int offset)
+	{
+	if ( offset + int(sizeof(unsigned long)) - 1 > len)
+		return 0;
+
+	uint32 val;
+
+	val = 0;
+	val = uint32(*(data + offset + 2));
+	val |= uint32(*(data + offset + 1)) << 8;
+	val |= uint32(*(data + offset)) << 16;
+
+	return val;
+	}
+
+int SSLv3_Record::GetRecordLength() const
+	{
+	return recordLength;
+	}
+
+SSLv3_HandshakeRecord::SSLv3_HandshakeRecord(const u_char* data, int len,
+				uint16 version, SSLv3_Endpoint const* e)
+: SSLv3_Record(data, len, version, e)
+	{
+	// Weird-check for minimum handshake length header.
+	if ( len < 4 )
+		{
+		e->Interpreter()->Weird("SSLv3x: Handshake-header-length too small!");
+		type = 255;
+		length = 0;
+		next = 0;
+		return;
+		}
+
+	// Don't analyze encrypted client handshake messages.
+	if ( e->IsOrig() &&
+	     ((SSLv3_Interpreter*) e->Interpreter())->change_cipher_client_seen &&
+	     ! ((SSLv3_Interpreter*) e->Interpreter())->fin_client_seen )
+		{
+		type = 255;
+		length = 0;
+		next = 0;
+		return;
+		}
+
+	// Don't analyze encrypted server handshake messages.
+	if ( ! e->IsOrig() &&
+	     ((SSLv3_Interpreter*) e->Interpreter())->change_cipher_server_seen &&
+	     ! ((SSLv3_Interpreter*) e->Interpreter())->fin_server_seen )
+		{
+		type = 255;
+		length = 0;
+		next = 0;
+		return;
+		}
+
+	type = uint8(*(this->data));
+	length = ExtractInt24(data, len, 1);
+	if ( length + 4 < len )
+		next = new SSLv3_HandshakeRecord(data + length + 4,
+					len - (length + 4), version, e);
+	else if ( length + 4 > len )
+		{
+		e->Interpreter()->Weird("SSLv3x: Handshake-header-length inconsistent (too big)");
+		next = 0;
+		}
+	else
+		next = 0;
+	}
+
+SSLv3_HandshakeRecord::~SSLv3_HandshakeRecord()
+	{
+	if ( next )
+		{
+		delete next;
+		}
+	}
+
+void SSLv3_HandshakeRecord::Deliver(SSLv3_Interpreter* conn)
+	{
+	SSLv3_HandshakeRecord* it = this;
+	while ( it != 0)
+		{
+		conn->DeliverSSLv3_Record(it);
+		it = it->GetNext();
+		}
+	}
+
+int SSLv3_HandshakeRecord::GetType() const
+	{
+	return type;
+	}
+
+int SSLv3_HandshakeRecord::GetLength() const
+	{
+	return length;
+	}
+
+SSLv3_HandshakeRecord* SSLv3_HandshakeRecord::GetNext()
+	{
+	return next;
+	}
+
+int SSLv3_HandshakeRecord::checkClientHello()
+	{
+	if ( recordLength < 42 )
+		{
+		endp->Interpreter()->Weird("SSLv3x: Client hello too small!");
+		return 0;
+		}
+
+	uint16 version = uint16(data[4] << 8 ) | data[5];
+	if ( version != SSLProxy_Analyzer::SSLv30 &&
+	     version != SSLProxy_Analyzer::SSLv31 )
+		endp->Interpreter()->Weird("SSLv3x: Corrupt version information in Client hello!");
+
+	uint8 sessionIDLength = uint8(data[38]);
+	if ( sessionIDLength > 32 )
+		{
+		endp->Interpreter()->Weird("SSLv3x: SessionID too long in Client hello!");
+		return 0;
+		}
+
+	uint16 cipherSuiteLength =
+		uint16(data[39 + sessionIDLength] << 8 ) |
+		data[40 + sessionIDLength];
+
+	if ( cipherSuiteLength < 2 )
+		endp->Interpreter()->Weird("SSLv3x: CipherSuite length too small!");
+
+	if ( cipherSuiteLength + sessionIDLength + 41 > recordLength )
+		{
+		endp->Interpreter()->Weird("SSLv3x: Client hello too small, corrupt length fields!");
+		return 0;
+		}
+
+	uint8 compressionMethodLength =
+		uint8(data[41 + sessionIDLength + cipherSuiteLength]);
+
+	if ( compressionMethodLength < 1 )
+		endp->Interpreter()->Weird("SSLv3x: CompressionMethod length too small!");
+
+	if ( sessionIDLength + cipherSuiteLength +
+	     compressionMethodLength + 38 != length )
+		{
+		endp->Interpreter()->Weird("SSLv3x: Corrupt length fields in Client hello!");
+		return 0;
+		}
+
+	return 1;
+	}
+
+int SSLv3_HandshakeRecord::checkServerHello()
+	{
+	if ( recordLength < 42 )
+		{
+		endp->Interpreter()->Weird("SSLv3x: Server hello too small!");
+		return 0;
+		}
+
+	uint16 version = uint16(data[4] << 8) | data[5];
+	if ( version != SSLProxy_Analyzer::SSLv30 &&
+	     version != SSLProxy_Analyzer::SSLv31 )
+		endp->Interpreter()->Weird("SSLv3x: Corrupt version information in Server hello!");
+
+	uint8 sessionIDLength = uint8(data[38]);
+	if ( sessionIDLength > 32 )
+		{
+		endp->Interpreter()->Weird("SSLv3x: SessionID too long in Server hello!");
+		return 0;
+		}
+
+	if ( (sessionIDLength + 38) != length )
+		{
+		endp->Interpreter()->Weird("SSLv3x: Corrupt length fields in Server hello!");
+		return 0;
+		}
+
+	return 1;
+	}
+
+SSLv3_AlertRecord::SSLv3_AlertRecord(const u_char* data, int len,
+				uint16 version, SSLv3_Endpoint const* e)
+: SSLv3_Record(data, len, version, e)
+	{
+	if ( len < 2 )
+		{
+		e->Interpreter()->Weird("SSLv3x: Alert header length too small!");
+		level = 255;
+		description = 255;
+		}
+
+	// No further consistency-check, because alerts may be
+	// already encrypted.
+	level = uint8(*((this->data) + SSL3_1_ALERT_LEVEL_OFFSET));
+	description = uint8(*((this->data) + SSL3_1_ALERT_DESCRIPTION_OFFSET));
+	}
+
+SSLv3_AlertRecord::~SSLv3_AlertRecord()
+	{
+	}
+
+int SSLv3_AlertRecord::GetDescription() const
+	{
+	return description;
+	}
+
+int SSLv3_AlertRecord::GetLevel() const
+	{
+	return level;
+	}
+
+void SSLv3_AlertRecord::Deliver(SSLv3_Interpreter* conn)
+	{
+	conn->DeliverSSLv3_Record(this);
+	}
+
+SSLv3_ChangeCipherRecord::SSLv3_ChangeCipherRecord(const u_char* data, int len,
+				uint16 version, SSLv3_Endpoint const* e)
+: SSLv3_Record(data, len, version, e)
+	{
+	if ( len < 1 )
+		{
+		e->Interpreter()->Weird("SSLv3x: Change cipher header length too small!");
+		type = 255;
+		}
+	else
+		type = uint8(*((this->data) + SSL3_1_CHANGE_CIPHER_TYPE_OFFSET));
+	}
+
+SSLv3_ChangeCipherRecord::~SSLv3_ChangeCipherRecord()
+	{
+	}
+
+int SSLv3_ChangeCipherRecord::GetType() const
+	{
+	return type;
+	}
+
+void SSLv3_ChangeCipherRecord::Deliver(SSLv3_Interpreter* conn)
+	{
+	conn->DeliverSSLv3_Record(this);
+	}
+
+SSLv3_ApplicationRecord::SSLv3_ApplicationRecord(const u_char* data, int len, uint16 version, SSLv3_Endpoint const* e)
+: SSLv3_Record(data, len, version, e)
+	{
+	}
+
+SSLv3_ApplicationRecord::~SSLv3_ApplicationRecord()
+	{
+	}
+
+void SSLv3_ApplicationRecord::Deliver(SSLv3_Interpreter* conn)
+	{
+	conn->DeliverSSLv3_Record(this);
+	}
diff --git a/src/SSLv3.h b/src/SSLv3.h
new file mode 100644
index 0000000000..c3c3f4634e
--- /dev/null
+++ b/src/SSLv3.h
@@ -0,0 +1,590 @@
+// $Id: SSLv3.h 3526 2006-09-12 07:32:21Z vern $
+
+#ifndef sslv3_h
+#define sslv3_h
+
+#include "SSLInterpreter.h"
+#include "SSLProxy.h"
+#include "SSLv3Automaton.h"
+#include "SSLDefines.h"
+
+// Offsets in SSL record layer header.
+const int SSL3_1_CONTENTTYPEOFFSET = 0;
+const int SSL3_1_VERSIONTYPEOFFSET = 1;
+const int SSL3_1_LENGTHOFFSET = 3;
+const int SSL3_1_HEADERLENGTH = 5;
+
+// --- forward declarations ---------------------------------------------------
+
+class SSL_Interpreter;
+class SSL_InterpreterEndpoint;
+class SSLProxy_Analyzer;
+class SSLv3_Endpoint;
+class SSLv3_Record;
+class SSLv3_HandshakeRecord;
+class SSLv3_AlertRecord;
+class SSLv3_ApplicationRecord;
+class SSLv3_ChangeCipherRecord;
+class CertStore;
+struct SSL_CipherSpec;
+
+// --- enums for SSLv3.0/3.1 message handling ---------------------------------
+
+enum SSL3_1_ContentType {
+	SSL3_1_TYPE_CHANGE_CIPHER_SPEC = 20,
+	SSL3_1_TYPE_ALERT = 21,
+	SSL3_1_TYPE_HANDSHAKE = 22,
+	SSL3_1_TYPE_APPLICATION_DATA = 23
+};
+
+enum SSL3_1_HandshakeType {
+	SSL3_1_HELLO_REQUEST = 0,
+	SSL3_1_CLIENT_HELLO = 1,
+	SSL3_1_SERVER_HELLO = 2,
+	SSL3_1_CERTIFICATE = 11,
+	SSL3_1_SERVER_KEY_EXCHANGE = 12,
+	SSL3_1_CERTIFICATE_REQUEST = 13,
+	SSL3_1_SERVER_HELLO_DONE = 14,
+	SSL3_1_CERTIFICATE_VERIFY = 15,
+	SSL3_1_CLIENT_KEY_EXCHANGE = 16,
+	SSL3_1_FINISHED = 20
+};
+
+enum SSL3_1_AlertDescription {
+	SSL3_1_CLOSE_NOTIFY = 0,
+	SSL3_1_UNEXPECTED_MESSAGE = 10,
+	SSL3_1_BAD_RECORD_MAC = 20,
+	SSL3_1_DECRYPTION_FAILED = 21,
+	SSL3_1_RECORD_OVERFLOW = 22,
+	SSL3_1_DECOMPRESSION_FAILURE = 30,
+	SSL3_1_HANDSHAKE_FAILURE = 40,
+	SSL3_0_NO_CERTIFICATE = 41,
+	SSL3_1_BAD_CERTIFICATE = 42,
+	SSL3_1_UNSUPPORTED_CERTIFICATE = 43,
+	SSL3_1_CERTIFICATE_REVOKED = 44,
+	SSL3_1_CERTIFICATE_EXPIRED = 45,
+	SSL3_1_CERTIFICATE_UNKNOWN = 46,
+	SSL3_1_ILLEGAL_PARAMETER = 47,
+	SSL3_1_UNKNOWN_CA = 48,
+	SSL3_1_ACCESS_DENIED = 49,
+	SSL3_1_DECODE_ERROR = 50,
+	SSL3_1_DECRYPT_ERROR = 51,
+	SSL3_1_EXPORT_RESTRICTION = 60,
+	SSL3_1_PROTOCOL_VERSION = 70,
+	SSL3_1_INSUFFICIENT_SECURITY = 71,
+	SSL3_1_INTERNAL_ERROR = 80,
+	SSL3_1_USER_CANCELED = 90,
+	SSL3_1_NO_RENEGOTIATION = 100
+};
+
+enum SSL3x_AlertLevel {
+	SSL3x_ALERT_LEVEL_WARNING = 1,
+	SSL3x_ALERT_LEVEL_FATAL = 2
+};
+
+// --- structs ----------------------------------------------------------------
+
+struct SSLv3x_Random {
+	uint32 gmt_unix_time;
+	SSL_DataBlock* random_bytes;	// 28-bytes
+};
+
+struct SSLv3x_ServerRSAParams {
+	SSL_DataBlock* rsa_modulus;	// <1..2^16-1>
+	SSL_DataBlock* rsa_exponent;	// <1..2^16-1>
+};
+
+struct SSLv3x_ServerDHParams{
+	SSL_DataBlock* dh_p;	// <1..2^16-1>
+	SSL_DataBlock* dh_g;	// <1..2^16-1>
+	SSL_DataBlock* dh_Ys;	// <1..2^16-1>
+};
+
+struct SSLv3x_EncryptedPremasterSecret{
+	SSL_DataBlock* encryptedSecret;
+};
+
+struct SSLv3x_ClientDHPublic{
+	SSL_DataBlock* dh_Yc;	// <1..2^16-1>
+};
+
+// ----------------------------------------------------------------------------
+
+/**
+ * Class SSLv3_Interpreter is the implementation for a SSLv3.0/SSLv3.1 connection
+ * interpreter (derived from the abstract class SSL_Interpreter).
+ *
+ * The corresponding SSLProxy_Analyzer creates an instance of this class and
+ * properly initialises the corresponding SSLv3_Endpoints by calling the
+ * SSL_Interpreter's Init() method which then invokes the BuildInterpreterEndpoints() method
+ * (of the SSLv3_Interpreter) which causes the SSLv3_Endpoints to be created properly.
+ *
+ * The SSLv3_Interpreter receives the four various SSLv3_Records:
+ * - SSLv3_HandshakeRecord
+ * - SSLv3_AlertRecord
+ * - SSLv3_ChangeCipherRecord
+ * - SSLv3_ApplicationRecord
+ * via the DeliverSSLv3_Record() methods from the two corresponding SSLv3_Endpoints
+ * (which get fed by the SSLProxy_Analyzer).
+ *
+ * There is one global static SSLv3_Automaton which describes the possible transitions
+ * in the SSLv3.0/SSLv3.1 state machine for the handshaking phase. This automaton
+ * is initialised once, when Bro sees the first SSL connection. By the attribute
+ * currentState every instance of SSLv3_Interpreter holds the automaton state it
+ * is currently in and so is able
+ * to track the correctness of the SSL handshaking process. It weird-checks and verifies
+ * all arriving SSL records up to the point where handshaking is finished or an
+ * error occures caused by weird SSL records or not allowed transitions in the
+ * state machine. Information that was negotiated between the client and server
+ * during the handshaking phase is/may also be stored. That is:
+ * - used SSL version
+ * - negotiated cipher suite
+ * - session ID
+ * - client/server random
+ * - key exchange algorithms
+ * - cryptographic parameters
+ * - encrypted pre-master secret
+ *
+ * The certificates are verified using the analyzeCertificate() method of the
+ * SSL_Interpreter class.
+ * Events for Bro scripting are thrown for client connection attempt, server reply,
+ * ssl connection establishment/reuse of former connection, proposed cipher suites and
+ * seen certificates.
+ *
+ * @see SSLv3_Endpoint
+ */
+class SSLv3_Interpreter : public SSL_Interpreter {
+public:
+	/** The constructor takes the SSLProxy_Analyzer as argument,
+	 * that created this SSLv3_Interpreter.
+	 *
+	 * @param proxy the creating SSL_ConectionProxy
+	 */
+	SSLv3_Interpreter(SSLProxy_Analyzer* proxy);
+	~SSLv3_Interpreter();
+
+	/** Delivers an SSLv3_HandshakeRecord to the SSLv3_Interpreter.
+	 * The record gets verified and it is checked whether it is allowed
+	 * in the current phase of the handshaking process.
+	 *
+	 * @param rec the SSLv3_HandshakeRecord
+	 */
+	void DeliverSSLv3_Record(SSLv3_HandshakeRecord* rec);
+
+	/** Delivers an SSLv3_AlertRecord to the SSLv3_Interpreter.
+	 * The record gets verified and weird checked.
+	 *
+	 * @param rec the SSLv3_AlertRecord
+	 */
+	void DeliverSSLv3_Record(SSLv3_AlertRecord* rec);
+
+	/** Delivers an SSLv3_ChangeCipherRecord to the SSLv3_Interpreter.
+	 * The record gets verified and weird checked. If a change cipher
+	 * record is received the next record from this endpoint needs
+	 * to be a finished message.
+	 *
+	 * @param rec the SSLv3_ChangeCipherRecord
+	 */
+	void DeliverSSLv3_Record(SSLv3_ChangeCipherRecord* rec);
+
+	/** Delivers a SSLv3_ApplicationRecord to the SSLv3_Interpreter.
+	 * It is checked, whether handshaking phase is already finished
+	 * and sending application data is valid (the normal case is,
+	 * that after finishing the handshaking phase, all further data
+	 * is skipped).
+	 *
+	 * @param rec the SSLv3_AlertRecord
+	 */
+	void DeliverSSLv3_Record(SSLv3_ApplicationRecord* rec);
+
+	/** This method sets the currentState variable of this SSLv3_Interpreter
+	 * and so sets the SSLv3.0/SSLv3.1 state machine to the state passed
+	 * as parameter.It is invoked in the SSLProxy_Analyzer to enable
+	 * this SSLv3_Interpreter to start work without having seen the first
+	 * handshake record.  This happens, when the client hello is sent in
+	 * SSLv2 format and processed by the SSLv2_Interpreter but the further
+	 * SSL connection taking place as a SSLv3.0/SSLv3.1 session.
+	 *
+	 * @param i the new state of the sslAutomaton
+	 */
+	void SetState(int i);
+
+	static void printStats();
+
+	// Total SSLv3x connections.
+	static uint totalConnections;
+
+	// Total SSLv3x connections with <b>complete</b> handshake.
+	static uint openedConnections;
+
+	static uint totalRecords; ///< counter for total SSLv3x records seen
+	static uint handshakeRecords; ///< counter for SSLv3x handshake records seen
+	static uint clientHelloRecords; ///< counter for SSLv3x client hellos seen
+	static uint serverHelloRecords; ///< counter for SSLv3x server hellos seen
+	static uint alertRecords; ///< counter for SSLv3x alert records seen
+	static uint changeCipherRecords; ///< counter for SSLv3x change cipher records seen
+
+	/**Flags for handling the change-cipher-messages and fin-handshake-
+	 * messages
+	 */
+	bool change_cipher_client_seen; ///< whether a client change cipher record was seen
+	bool change_cipher_server_seen; ///< whether a server change cipher record was seen
+	bool fin_client_seen; ///< whether a client finished handshake message was seen (must immediately follow the client change cipher)
+	bool fin_server_seen; ///< whether a server finished handshake message was seen (must immediately follow the server change cipher)
+
+protected:
+	static SSLv3_Automaton sslAutomaton; ///< represents the SSLv3.0/SSLv3.1 automaton
+	static bool bInited; ///< whether the automaton is already initialised (has to be only done once)
+	int currentState; ///< the current state of the SSL automaton in this SSLv3_Interpreter instance
+
+	// uint16 cipherSuite; ///< the cipher spec client and server agreed upon
+	SSL_DataBlock* pClientCipherSpecs; ///< the CIPHER-SPECs from the client
+	SSL_CipherSpec* pCipherSuite; ///< pointer to the cipher spec definition client and server agreed upon
+	uint32 cipherSuiteIdentifier; ///< only used for unknown cipher-specs
+	SSL_DataBlock* clientSessionID; ///< the session ID of the client hello record
+	SSL_DataBlock* serverSessionID; ///< the session ID for this SSL session
+
+	/**Attributes for cryptographic computations*/
+	SSLv3x_Random* clientRandom;
+	SSLv3x_Random* serverRandom;
+	//SSL_KeyExchangeAlgorithm keyXAlgorithm;
+	SSLv3x_ServerRSAParams* serverRSApars;
+	SSLv3x_ServerDHParams* serverDHPars;
+	SSLv3x_EncryptedPremasterSecret* encryptedPreSecret;
+	SSLv3x_ClientDHPublic* clientDHpublic;
+
+	bool helloRequestValid; ///< Whether sending a hello request is valid (normally after handshaking phase)
+
+	/** This method builds the corresponding SSLv3_Endpoints for this SSLv3_Interpreter.
+	 * It is called in the SSL_Interpreter's Init() method.
+	 */
+	void BuildInterpreterEndpoints();
+
+	/** This method initialises the SSL state automaton; sets the states and transitions.
+	 * It needs only to be called once for a whole bro. @see SSLDefines.h
+	 */
+	void BuildAutomaton();
+
+	/** This helper method translates the handshake types included in the SSL handshake
+	 * records to the corresponding transition of the SSL automaton. It is invoked within
+	 * the DeliverSSLv3_Record(SSLv3_HandshakeRecord*) method.
+	 *
+	 * @param type the handshake type of the handshake record
+	 */
+	int HandshakeType2Trans(int type);
+
+	/** This method is used for event generation during the handshaking phase and
+	 * generates the connection-attempt, server-reply, connection-established, connection-reused
+	 * events dependant on the currentState of the SSL Automaton.
+	 * It calls the appropriate fire_* methods of the SSL_Interpreter for this.
+	 * The method is called within the the DeliverSSLv3_Record() methods.
+	 *
+	 * @param rec the SSLv3_Record which is currently processed
+	 */
+	void GenerateEvents(SSLv3_Record* rec, TableVal* curCipherSuites);
+
+	/** This method analyzes the cipher suites the client and server offer
+	 * each other during handshaking phase. It checks, whether it's a 'common'
+	 * cipher suite and sets the pCipherSuite attribute according to the
+	 * cipher suite client and server agreed on.
+	 *
+	 * @param s the SSLv3_Endpoint which sent the SSL record with the cipher suite(s) to be analyzed
+	 * @param length length of data
+	 * @param data pointer to where the cipher suites can be found
+	 * @param version SSL version of the SSL record that contained the cipher suite(s)
+	 * @return a pointer to a Bro TableVal (of type cipher_suites_list) which contains
+	 *	the cipher suites list of the current analyzed record
+	 */
+	 TableVal* analyzeCiphers(const SSLv3_Endpoint* s, int length, const u_char* data, uint16 version);
+
+};
+
+// ----------------------------------------------------------------------------
+
+/** Class SSLv3_Endpoint is the implementation for SSLv3.0/SSLv3.1 connection
+ * endpoints (derived from the abstract class SSL_InterpreterEndpoint).
+ *
+ * A SSLv3_Endpoint gets completely reassembled ssl records via the method
+ * Deliver(), which is invoked in this Endpoint's corresponding SSLProxy_Analyzer.
+ * The defragmentation and reassembling already took place in the
+ * SSLProxy_Analyzer's SSL_RecordBuilder.
+ * The Deliver()-method does some basic weird checks and then calls
+ * ProcessMessage() which determines the content type of the ssl record
+ * and, dependant on that, creates an instance of the appropriate SSLv3_Record.
+ * This is passed on to this endpoint's corresponding SSLv3_Interpreter via
+ * the DeliverSSLv3_Record()-method.
+ */
+class SSLv3_Endpoint : public SSL_InterpreterEndpoint {
+public:
+	/** The constructor takes the corresponding SSL_Interpreter as argument.
+	 * is_orig sets this endpoint as originator of the connection (1), and
+	 * responder otherwise (0).
+	 *
+	 * @param interpreter the SSL_Interpreter this endpoint is bound to.
+	 * @param is_orig whether this endpoint is the originator (1) of the
+	 *			connection or not (0).
+	 */
+	SSLv3_Endpoint(SSL_Interpreter* interpreter, int is_orig);
+	virtual ~SSLv3_Endpoint();
+
+	/** This method is invoked by this endpoint's corresponding
+	 * SSLProxy_Analyzer and receives completely reassembled SSL
+	 * records (by the data argument).
+	 *
+	 * @param t time is always 0 (former: when the segment was received
+	 *	by bro (?))
+	 * @param len length of SSL record
+	 * @param data content of SSL record
+	 */
+	void Deliver(int len, const u_char* data);
+
+protected:
+	uint16 sslVersion; ///< holds the version of the just delivered SSL record
+	uint16 currentMessage_length; ///< the length of the just delivered SSL record
+
+	/** This method extracts the content type of the SSL record passed
+	 * in the first parameter.
+	 *
+	 * @param data the SSL record
+	 * @param len length of the record
+	 * @return SSL3_1_ContentType of SSL record
+	 */
+	SSL3_1_ContentType ExtractContentType(const u_char* data, int len);
+
+	/** This method determines the version of the SSL record passed to it.
+	 * It sets the field sslVersion of this endpoint an is called within
+	 * the method ProcessMessage().
+	 *
+	 * @param data the SSL record
+	 * @param len length of the record
+	 * @return 0 if version is NOT 3.0/3.1, 1 otherwise
+	*/
+	int ExtractVersion(const u_char* data, int len);
+
+	/** This method processes a complete SSL record. It
+	 * determines the content type of the SSL record
+	 * (handshake, alert, change-cipher-spec, application),
+	 * cuts away the SSL record layer header and generates
+	 * the appropriate SSLv3_Record. Then it calls the SSLv3_Record's
+	 * Deliver() method, which manages the delivery of the record
+	 * to the corresponding SSLv3_Interpreter
+	 *
+	 * @param data the complete SSL record
+	 * @param len data's (record's) length
+	 */
+	void ProcessMessage(const u_char* data, int len);
+};
+
+// ----------------------------------------------------------------------------
+
+// Offsets are now relative to the end of the SSL record layer header
+#define SSL3_1_CHANGE_CIPHER_TYPE_OFFSET (SSL3_1_HEADERLENGTH - 5)
+#define SSL3_1_ALERT_LEVEL_OFFSET (SSL3_1_HEADERLENGTH - 5)
+#define SSL3_1_ALERT_DESCRIPTION_OFFSET (SSL3_1_HEADERLENGTH - 4)
+#define SSL3_1_SESSION_ID_LENGTH_OFFSET 38
+#define SSL3_1_SESSION_ID_OFFSET 39
+
+/** This class is an abstract base class for the four different
+ * SSLv3.0/SSLv3.1 record types (handshake, alert, change-cipher-spec,
+ * application).
+ *
+ * It contains a pointer to the data of the SSL record <b>without</b>
+ * the SSL record layer header, it's length and the version information, which
+ * was present in the now cut away SSL record layer header.
+ *
+ * (Note: the version field of the SSL record layer header may differ from
+ * the version of the record format that was used when sending the record.
+ * (e.g. a client may send a SSLv2 record including
+ * a version field containing 3.1 (for SSLv3.1) to show, that he supports
+ * version 3.1.))
+ *
+ * Every subclass of SSLv3_Record implements the Deliver() method, which
+ * manages the delivery of the record to the corresponding SSLv3_Interpreter.
+ * Instances of SSLv3_Record (resp. it's subclasses) are created within
+ * the ProcessMessage() method of a SSLv3_Endpoint.
+ * */
+class SSLv3_Record : public BroObj{
+public:
+	/** The constructor gets a pointer to the SSL record without the
+	 * record layer header, it's length, the version information
+	 * contained in the record layer header and a pointer to the
+	 * SSLv3_Endpoint that created this instance of SSLv3_Record.
+	 *
+	 * @param data pointer to the SSL record without record layer header
+	 * @param data's length
+	 * @param version version information contained in the SSL record layer header
+	 * @param e the SSLv3_Endpoint that created this instance
+	 */
+	SSLv3_Record(const u_char* data, int len, uint16 version,
+			SSLv3_Endpoint const* e);
+	~SSLv3_Record();
+
+	void Describe(ODesc* d) const;
+
+	int GetRecordLength() const;
+	const u_char* GetData() const;
+	uint16 GetVersion() const;
+	SSLv3_Endpoint const* GetEndpoint() const;
+
+	/** This abstract method is implemented by the various SSLv3_Record
+	 * subclasses for handshake, alert, change cipher spec and application
+	 * records.  It manages the delivery of the SSLv3_Record to the
+	 * SSLv3_Interpreter passed as argument.
+	 * SSLv3_Records are created within the ProcessMessage() method of the
+	 * SSLv3_Endpoint which then calls the just created SSLv3_Records
+	 * Deliver() method with it's corresponding SSLv3_Interpreter as
+	 * argument which then receives the (evtl. preprocessed) SSLv3_Record
+	 * (via the method(s) DeliverSSLv3_Record()).
+	 *
+	 * @param conn the SSLv3_Interpreter to which this SSLv3_Record should be deliverd
+	 */
+	virtual void Deliver(SSLv3_Interpreter* conn) =0;
+
+	/** Helper function that converts from 24-bit big endian integer
+	 * starting at offset to 32 bit integer in little endian format.
+	 *
+	 * @param data the ssl-record
+	 * @param len length of data (record)
+	 * @param offset where the 24 bit big endian starts
+	 * @return 32 bit little endian
+	 */
+	int ExtractInt24(const u_char* data, int len, int offset);
+
+	int recordLength; ///< total length of the SSL record <b>without</b> the record layer header
+	const u_char* data; ///< pointer to the SSL record without the record layer header
+	SSLv3_Endpoint const* endp; ///< pointer to the SSLv3_Endpoint that created this instance of SSLv3_Record
+	uint16 sslVersion; ///< version information of the SSL record layer header
+};
+
+// ----------------------------------------------------------------------------
+
+/* This class represents a handshake record used in SSLv3.0/SSLv3.1.
+ *
+ * Handshake records in SSLv3.0/SSLv3.1 need a special treatment,
+ * because it is possible that multiple handshake messages are coalesced into
+ * a single SSLv3.0/SSLv3.1 record.
+ * I think, this only can happen to
+ * handshake records (even RFC2246 page 16 generally talks about all
+ * messages of a same content type), because only handshake records
+ * have got an own length descriptor within and thus make de-coalescing
+ * possible.
+ * So when generating a new instance of a SSLv3_HandshakeRecord, it is checked whether there
+ * are more handshake records within data.
+ * If so, they are put apart and linked together to a chain by using
+ * the next-pointer.
+ * The Deliver() method takes this into account and delivers every single
+ * handshake record one by one to the SSLv3_Interpreter.
+ */
+class SSLv3_HandshakeRecord : public SSLv3_Record{
+public:
+	SSLv3_HandshakeRecord(const u_char* data, int len, uint16 version,
+				SSLv3_Endpoint const* e);
+	~SSLv3_HandshakeRecord();
+
+	int GetType() const;
+	int GetLength() const;
+
+	/** This method delivers the SSLv3_HandshakeRecord(s) to the
+	 * SSLv3_Interpreter passed as argument. The method follows
+	 * the next-pointer and delivers every SSLv3_HandshakeRecord
+	 * contained in this list to the SSLv3_Interpreter.
+	 *
+	 * @param conn the SSLv3_Interpreter to which this SSLv3_HandshakeRecord should be deliverd
+	 */
+	void Deliver(SSLv3_Interpreter* conn);
+
+	/* This method is invoked within the SSLv3_Interpreter and does lots of
+	 * weird and consistency checks on a client hello SSL handshake record.
+	 *
+	 * @return 0 if further processing of this client hello is not
+	 * possible due to inconsistency and 1 otherwise.
+	 */
+	int checkClientHello();
+
+	/* This method is invoked within the SSLv3_Interpreter and does lots of
+	 * weird and consistency checks on a server hello SSL handshake record.
+	 *
+	 * @return 0 if further processing of this server hello is not
+	 * possible due to inconsistency and 1 otherwise.
+	 */
+	int checkServerHello();
+
+	int type;	///< holds the handshake type of the handshake record (first byte)
+	int length;	///< holds the length of this handshake record (which is needed due to coalesced handshake messages)
+
+private:
+	SSLv3_HandshakeRecord* next;	///< pointer to the next ssl handshake record if they are coalesced into a single record
+
+	SSLv3_HandshakeRecord* GetNext();
+};
+
+// ----------------------------------------------------------------------------
+
+/** This class represents an alert record used in SSLv3.0/SSLv3.1.
+ *
+ * description holds the SSL alert description and level the alert level.
+ */
+class SSLv3_AlertRecord : public SSLv3_Record {
+public:
+	SSLv3_AlertRecord(const u_char* data, int len, uint16 version,
+				SSLv3_Endpoint const* e);
+	~SSLv3_AlertRecord();
+
+	int GetDescription() const;
+	int GetLevel() const;
+
+	/** This method delivers the SSLv3_AlertRecord to the SSLv3_Interpreter passed as
+	 * argument.
+	 *
+	 * @param conn the SSLv3_Interpreter to which this SSLv3_AlertRecord should be deliverd
+	 */
+	void Deliver(SSLv3_Interpreter* conn);
+
+	int description;	///< holds the alert description
+	int level;	///< holds the alert level
+};
+
+// ----------------------------------------------------------------------------
+
+/** This class represents a change cipher record used in SSLv3.0/SSLv3.1.
+ *
+ *  type holds the change cipher type used (currently only 1 is valid (rfc 2246))
+ */
+class SSLv3_ChangeCipherRecord : public SSLv3_Record{
+public:
+	SSLv3_ChangeCipherRecord(const u_char* data, int len, uint16 version,
+				SSLv3_Endpoint const* e);
+	~SSLv3_ChangeCipherRecord();
+	int GetType() const;
+
+	/** This method delivers the SSLv3_ChangeCipherRecord to the
+	 * SSLv3_Interpreter passed as argument.
+	 *
+	 * @param conn the SSLv3_Interpreter to which this
+	 * SSLv3_ChangeCipherRecord should be delivered
+	 */
+	void Deliver(SSLv3_Interpreter* conn);
+
+	int type;	///< holds the change cipher type
+};
+
+// ----------------------------------------------------------------------------
+
+/** This class represents an application record used in SSLv3.0/SSLv3.1.
+ */
+class SSLv3_ApplicationRecord : public SSLv3_Record {
+public:
+	SSLv3_ApplicationRecord(const u_char* data, int len, uint16 version,
+				SSLv3_Endpoint const* e);
+	~SSLv3_ApplicationRecord();
+
+	/** This method delivers the SSLv3_ApplicationRecord to the
+	 * SSLv3_Interpreter passed as argument.
+	 *
+	 * @param conn the SSLv3_Interpreter to which this
+	 * SSLv3_ApplicationRecord should be deliverd
+	 */
+	void Deliver(SSLv3_Interpreter* conn);
+};
+
+#endif
diff --git a/src/SSLv3Automaton.cc b/src/SSLv3Automaton.cc
new file mode 100644
index 0000000000..a79c81bd7c
--- /dev/null
+++ b/src/SSLv3Automaton.cc
@@ -0,0 +1,83 @@
+// $Id: SSLv3Automaton.cc 80 2004-07-14 20:15:50Z jason $
+
+// ---SSLv3_Automaton----------------------------------------------------------
+
+#include "SSLv3Automaton.h"
+
+SSLv3_Automaton::SSLv3_Automaton(int arg_num_states, int num_trans,
+					int error_state)
+	{
+	num_states = arg_num_states;
+	states = new SSLv3_State*[num_states];
+	for ( int i = 0; i < num_states; ++i )
+		states[i] = new SSLv3_State(num_trans, error_state);
+	}
+
+SSLv3_Automaton::~SSLv3_Automaton()
+	{
+	for ( int i = 0; i < num_states; ++i )
+		delete states[i];
+	delete [] states;
+	}
+
+void SSLv3_Automaton::Describe(ODesc* d) const
+	{
+	d->Add("sslAutomaton");
+	}
+
+void SSLv3_Automaton::setStartState(int state)
+	{
+	if ( state < num_states )
+		startState = state;
+	}
+
+void SSLv3_Automaton::addTrans(int state1, int trans, int state2)
+	{
+	if ( state1 < num_states && state2 < num_states )
+		states[state1]->addTrans(trans, state2);
+	}
+
+int SSLv3_Automaton::getNextState(int state, int trans)
+	{
+	if ( state < num_states )
+		return states[state]->getNextState(trans);
+	else
+		return 0;
+	}
+
+int SSLv3_Automaton::getStartState()
+	{
+	if (startState >= 0)
+		return startState;
+	else
+		return -1;
+	}
+
+// ---SSLv3_State--------------------------------------------------------------
+
+SSLv3_State::SSLv3_State(int num_trans, int error_state)
+	{
+	this->num_trans = num_trans;
+	transitions = new int[num_trans];
+	for ( int i = 0; i < num_trans; ++i )
+		transitions[i] = error_state;
+	}
+
+SSLv3_State::~SSLv3_State()
+	{
+	delete [] transitions;
+	}
+
+void SSLv3_State::addTrans(int trans, int state)
+	{
+	if ( trans < num_trans )
+		transitions[trans] = state;
+	}
+
+int SSLv3_State::getNextState(int trans)
+	{
+	if ( trans < num_trans )
+		return transitions[trans];
+	else
+		return 0;
+	}
diff --git a/src/SSLv3Automaton.h b/src/SSLv3Automaton.h
new file mode 100644
index 0000000000..f581edbde2
--- /dev/null
+++ b/src/SSLv3Automaton.h
@@ -0,0 +1,107 @@
+// $Id: SSLv3Automaton.h 80 2004-07-14 20:15:50Z jason $
+
+#ifndef ssl_v3_automaton_h
+#define ssl_v3_automaton_h
+
+#include "Obj.h"
+#include "SSLDefines.h"
+
+class SSLv3_State;
+
+/** Class SSLv3_Automaton is there for holding the transitions of a state machine.
+ * The States are simply Integer Constants >= 0. Same for the transitions.
+ * The SSLv3_Automaton holds a pointer to an array of pointers to the
+ * states of the automaton. The array is indexed by the integer that
+ * represents the corresponding state.
+ * By default, the automaton is initialized with every transition leading to
+ * the error_state.
+ * By calling addTrans() (done in the SSLv3_Interpreter's BuildAutomaton()-method)
+ * the proper transitions for the SSL automaton are created.
+ * When calling getNextState(state, trans), you get the next state of the
+ * automaton, according to state and trans.
+ * */
+class SSLv3_Automaton : public BroObj {
+public:
+	/* The constructor initialises the states 2-dim. array
+	 * (which's size depends on num_states and num_trans).
+	 * By default, every transition from every state leads to the error_state.
+	 * @param num_states how many states the automaton has
+	 * @param num_trans how many different transitions the automaton has
+	 * @param error_state which Integer the error_state has
+	 */
+	SSLv3_Automaton(int num_states, int num_trans, int error_state);
+	~SSLv3_Automaton();
+	void Describe(ODesc* d) const;
+
+	/* Sets the start state of the automaton.
+	 * @param state the start state
+	 */
+	void setStartState(int state);
+
+	/* This method is used for building up the automaton and defining
+	 * from which state you get to which state which what transition.
+	 * @param state1 the state from which the transition starts
+	 * @param trans the transition itself
+	 * @param to which state the transition leads
+	 */
+	void addTrans(int state1, int trans, int state2);
+
+	/* Used for determinig into which state the automaton gets by using the
+	 * given transition in the given state.
+	 * @param state the state from which the transition starts
+	 * @param trans the transition itself
+	 * @return the state to which the transition leads
+	 */
+	int getNextState(int state, int trans);
+	int getStartState();
+	int OutRef()
+		{
+		return RefCnt();
+		}
+
+protected:
+	int num_states;	///< how many states the automaton has
+	SSLv3_State** states;	///< the pointer to the array of pointers that holds the states
+	int startState;	///< the start state of the automaton
+
+};
+
+// ----------------------------------------------------------------------------
+
+/** This class represents a state of the SSLv3_Automaton.
+ * It holds a pointer to an array of integers, which corresponds to the
+ * succeeding states of this state when "taking" a transition.
+ * The transition array is indexed by the integer-values corresponding to
+ * the transitions of the automaton.
+ * */
+class SSLv3_State {
+public:
+	/* The constructor initialises the state. By default, every transition
+	 * of the automaton leads to the error_state.
+	 * @param num_trans how many different transitions the automaton has
+	 * @param error_state how many different transitions the automaton has
+	 */
+	SSLv3_State(int num_trans, int error_state);
+	~SSLv3_State();
+
+	/* This method is used for building up the automaton and is invoked by
+	 * the SSLv3_Automaton's addTrans()-method. It defines the successing state
+	 * of the automaton by taking the transition trans in this state.
+	 * @param trans the transition,
+	 * @param that leads to the state
+	 */
+	void addTrans(int trans, int state);
+
+	/* Used for determinig into which state the automaton gets by using the
+	 * given transition in the this state.
+	 * @param trans which transition is to be taken
+	 * @return the resulting state of the automaton
+	 */
+	int getNextState(int trans);
+
+protected:
+	int num_trans;	///< how many transitions the automaton has
+	int* transitions;	///< the array of successing states of this state by taking the transition that indexes this array
+};
+
+#endif
diff --git a/src/Scope.cc b/src/Scope.cc
new file mode 100644
index 0000000000..f8fa9f4883
--- /dev/null
+++ b/src/Scope.cc
@@ -0,0 +1,258 @@
+// $Id: Scope.cc 6219 2008-10-01 05:39:07Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "config.h"
+
+#include "ID.h"
+#include "Val.h"
+#include "Scope.h"
+
+static scope_list scopes;
+static Scope* top_scope;
+
+extern const char* GLOBAL_MODULE_NAME = "GLOBAL";
+
+
+// Returns it without trailing "::".
+string extract_module_name(const char* name)
+	{
+	string module_name = name;
+	string::size_type pos = module_name.rfind("::");
+
+	if ( pos == string::npos )
+		return string(GLOBAL_MODULE_NAME);
+
+	module_name.erase(pos);
+
+	return module_name;
+	}
+
+string normalized_module_name(const char* module_name)
+	{
+	int mod_len;
+	if ( (mod_len = strlen(module_name)) >= 2 &&
+	     ! strcmp(module_name + mod_len - 2, "::") )
+		mod_len -= 2;
+
+	return string(module_name, mod_len);
+	}
+
+string make_full_var_name(const char* module_name, const char* var_name)
+	{
+	if ( ! module_name || streq(module_name, GLOBAL_MODULE_NAME) ||
+	     strstr(var_name, "::") )
+		return string(var_name);
+
+	string full_name = normalized_module_name(module_name);
+	full_name += "::";
+	full_name += var_name;
+
+	return full_name;
+	}
+
+Scope::Scope(ID* id)
+	{
+	scope_id = id;
+	return_type = 0;
+
+	local = new PDict(ID)(ORDERED);
+	inits = new id_list;
+
+	if ( id )
+		{
+		BroType* id_type = id->Type();
+
+		if ( id_type->Tag() == TYPE_ERROR )
+			return;
+		else if ( id_type->Tag() != TYPE_FUNC )
+			internal_error("bad scope id");
+
+		Ref(id);
+
+		FuncType* ft = id->Type()->AsFuncType();
+		return_type = ft->YieldType();
+		if ( return_type )
+			Ref(return_type);
+		}
+	}
+
+Scope::~Scope()
+	{
+	for ( int i = 0; i < local->Length(); ++i )
+		Unref(local->NthEntry(i));
+
+	Unref(scope_id);
+	Unref(return_type);
+	delete local;
+	delete inits;
+	}
+
+ID* Scope::GenerateTemporary(const char* name)
+	{
+	return new ID(copy_string(name), SCOPE_FUNCTION, false);
+	}
+
+id_list* Scope::GetInits()
+	{
+	id_list* ids = inits;
+	inits = 0;
+	return ids;
+	}
+
+void Scope::Describe(ODesc* d) const
+	{
+	if ( d->IsReadable() )
+		d->AddSP("scope");
+
+	else
+		{
+		d->Add(scope_id != 0);
+		d->SP();
+		d->Add(return_type != 0);
+		d->SP();
+		d->Add(local->Length());
+		d->SP();
+		}
+
+	if ( scope_id )
+		{
+		scope_id->Describe(d);
+		d->NL();
+		}
+
+	if ( return_type )
+		{
+		return_type->Describe(d);
+		d->NL();
+		}
+
+	for ( int i = 0; i < local->Length(); ++i )
+		{
+		ID* id = local->NthEntry(i);
+		id->Describe(d);
+		d->NL();
+		}
+	}
+
+TraversalCode Scope::Traverse(TraversalCallback* cb) const
+	{
+	PDict(ID)* ids = GetIDs();
+	IterCookie* iter = ids->InitForIteration();
+
+	HashKey* key;
+	ID* id;
+	while ( (id = ids->NextEntry(key, iter)) )
+		{
+		TraversalCode tc = id->Traverse(cb);
+		HANDLE_TC_STMT_PRE(tc);
+		}
+
+	return TC_CONTINUE;
+	}
+
+
+ID* lookup_ID(const char* name, const char* curr_module, bool no_global)
+	{
+	string fullname = make_full_var_name(curr_module, name);
+	string ID_module = extract_module_name(fullname.c_str());
+	bool need_export = ID_module != GLOBAL_MODULE_NAME &&
+				ID_module != curr_module;
+
+	for ( int i = scopes.length() - 1; i >= 0; --i )
+		{
+		ID* id = scopes[i]->Lookup(fullname.c_str());
+		if ( id )
+			{
+			if ( need_export && ! id->IsExport() && ! in_debug )
+				error("identifier is not exported:",
+				      fullname.c_str());
+
+			Ref(id);
+			return id;
+			}
+		}
+
+	if ( ! no_global )
+		{
+		string globalname = make_full_var_name(GLOBAL_MODULE_NAME, name);
+		ID* id = global_scope()->Lookup(globalname.c_str());
+		if ( id )
+			{
+			Ref(id);
+			return id;
+			}
+		}
+
+	return 0;
+	}
+
+ID* install_ID(const char* name, const char* module_name,
+		bool is_global, bool is_export)
+	{
+	if ( scopes.length() == 0 && ! is_global )
+		internal_error("local identifier in global scope");
+
+	IDScope scope;
+	if ( is_export || ! module_name ||
+	     (is_global &&
+	      normalized_module_name(module_name) == GLOBAL_MODULE_NAME) )
+		scope = SCOPE_GLOBAL;
+	else if ( is_global )
+		scope = SCOPE_MODULE;
+	else
+		scope = SCOPE_FUNCTION;
+
+	string full_name_str = make_full_var_name(module_name, name);
+	char* full_name = copy_string(full_name_str.c_str());
+
+	ID* id = new ID(full_name, scope, is_export);
+	if ( SCOPE_FUNCTION != scope )
+		global_scope()->Insert(full_name, id);
+	else
+		{
+		id->SetOffset(top_scope->Length());
+		top_scope->Insert(full_name, id);
+		}
+
+	return id;
+	}
+
+void push_existing_scope(Scope* scope)
+	{
+	scopes.append(scope);
+	}
+
+void push_scope(ID* id)
+	{
+	top_scope = new Scope(id);
+	scopes.append(top_scope);
+	}
+
+Scope* pop_scope()
+	{
+	int n = scopes.length() - 1;
+	if ( n < 0 )
+		internal_error("scope underflow");
+	scopes.remove_nth(n);
+
+	Scope* old_top = top_scope;
+	// Don't delete the scope; keep it around for later name resolution
+	// in the debugger.
+	// ### SERIOUS MEMORY LEAK!?
+	// delete top_scope;
+
+	top_scope = n == 0 ? 0 : scopes[n-1];
+
+	return old_top;
+	}
+
+Scope* current_scope()
+	{
+	return top_scope;
+	}
+
+Scope* global_scope()
+	{
+	return scopes[0];
+	}
diff --git a/src/Scope.h b/src/Scope.h
new file mode 100644
index 0000000000..19b37ef600
--- /dev/null
+++ b/src/Scope.h
@@ -0,0 +1,90 @@
+// $Id: Scope.h 6219 2008-10-01 05:39:07Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#ifndef scope_h
+#define scope_h
+
+#include <string>
+
+#include "Dict.h"
+#include "Obj.h"
+#include "BroList.h"
+#include "TraverseTypes.h"
+
+class ID;
+class BroType;
+class ListVal;
+
+declare(PDict,ID);
+
+class Scope : public BroObj {
+public:
+	Scope(ID* id);
+	~Scope();
+
+	ID* Lookup(const char* name) const	{ return local->Lookup(name); }
+	void Insert(const char* name, ID* id)	{ local->Insert(name, id); }
+	ID* Remove(const char* name)
+		{
+		HashKey key(name);
+		return (ID*) local->Remove(&key);
+		}
+
+	ID* ScopeID() const		{ return scope_id; }
+	BroType* ReturnType() const	{ return return_type; }
+
+	int Length() const		{ return local->Length(); }
+	PDict(ID)* Vars() const		{ return local; }
+
+	ID* GenerateTemporary(const char* name);
+
+	PDict(ID)* GetIDs() const	{ return local; }
+
+	// Returns the list of variables needing initialization, and
+	// removes it from this Scope.
+	id_list* GetInits();
+
+	// Adds a variable to the list.
+	void AddInit(ID* id)		{ inits->append(id); }
+
+	void Describe(ODesc* d) const;
+
+	TraversalCode Traverse(TraversalCallback* cb) const;
+
+protected:
+	ID* scope_id;
+	BroType* return_type;
+	PDict(ID)* local;
+	id_list* inits;
+};
+
+extern const char* GLOBAL_MODULE_NAME;
+
+extern string extract_module_name(const char* name);
+extern string normalized_module_name(const char* module_name); // w/o ::
+
+// Concatenates module_name::var_name unless var_name is already fully
+// qualified, in which case it is returned unmodified.
+extern string make_full_var_name(const char* module_name, const char* var_name);
+
+extern bool in_debug;
+
+// If no_global is true, don't search in the default "global" namespace.
+extern ID* lookup_ID(const char* name, const char* module,
+			bool no_global = false);
+extern ID* install_ID(const char* name, const char* module_name,
+			bool is_global, bool is_export);
+
+extern void push_scope(ID* id);
+extern void push_existing_scope(Scope* scope);
+
+// Returns the one popped off; it's not deleted.
+extern Scope* pop_scope();
+extern Scope* current_scope();
+extern Scope* global_scope();
+
+// Current module (identified by its name).
+extern string current_module;
+
+#endif
diff --git a/src/ScriptAnaly.cc b/src/ScriptAnaly.cc
new file mode 100644
index 0000000000..700c0ed4e8
--- /dev/null
+++ b/src/ScriptAnaly.cc
@@ -0,0 +1,86 @@
+// $Id: ScriptAnaly.cc 6219 2008-10-01 05:39:07Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "Dict.h"
+#include "Expr.h"
+#include "Traverse.h"
+#include "ScriptAnaly.h"
+
+typedef const char cchar;
+declare(PDict, cchar);
+
+
+class FindNoteCallback : public TraversalCallback {
+public:
+	FindNoteCallback()	{ note_expr = 0; }
+
+	virtual TraversalCode PreExpr(const Expr* e);
+
+	Expr* note_expr;
+};
+
+TraversalCode FindNoteCallback::PreExpr(const Expr* e)
+	{
+	if ( e->Tag() == EXPR_FIELD_ASSIGN )
+		{
+		const FieldAssignExpr* fae =
+			dynamic_cast<const FieldAssignExpr*>(e);
+
+		if ( ! streq(fae->FieldName(), "note") )
+			return TC_CONTINUE;
+
+		note_expr = fae->Op();
+		return TC_ABORTALL;
+		}
+
+	return TC_CONTINUE;
+	}
+
+
+class NoticeCallback : public TraversalCallback {
+public:
+	virtual TraversalCode PreExpr(const Expr* e);
+
+	PDict(cchar) notices;
+};
+
+TraversalCode NoticeCallback::PreExpr(const Expr* e)
+	{
+	if ( e->Tag() != EXPR_CALL )
+		return TC_CONTINUE;
+
+	const CallExpr* ce = dynamic_cast<const CallExpr*>(e);
+
+	if ( ce->Func()->Tag() != EXPR_NAME ||
+	     ! streq(((NameExpr*) ce->Func())->Id()->Name(), "NOTICE") )
+		return TC_CONTINUE;
+
+	FindNoteCallback fnc;
+	ce->Traverse(&fnc);
+	if ( fnc.note_expr )
+		{
+		ODesc d;
+		fnc.note_expr->Describe(&d);
+		if ( ! notices.Lookup(d.Description()) )
+			{
+			const char* desc = strdup(d.Description());
+			notices.Insert(desc, desc);
+			}
+		}
+
+	return TC_CONTINUE;
+	}
+
+
+void notice_analysis()
+	{
+	NoticeCallback cb;
+	traverse_all(&cb);
+
+	const cchar* notice = 0;
+	IterCookie* iter = cb.notices.InitForIteration();
+
+	while ( (notice = cb.notices.NextEntry(iter)) )
+		printf("Found NOTICE: %s\n", notice);
+	}
diff --git a/src/ScriptAnaly.h b/src/ScriptAnaly.h
new file mode 100644
index 0000000000..180971e769
--- /dev/null
+++ b/src/ScriptAnaly.h
@@ -0,0 +1,10 @@
+// $Id: ScriptAnaly.h 6219 2008-10-01 05:39:07Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#ifndef scriptanaly_h
+#define scriptanaly_h
+
+void notice_analysis();
+
+#endif
diff --git a/src/SerialInfo.h b/src/SerialInfo.h
new file mode 100644
index 0000000000..3ed2e91d26
--- /dev/null
+++ b/src/SerialInfo.h
@@ -0,0 +1,169 @@
+// $Id: SerialInfo.h 6752 2009-06-14 04:24:52Z vern $
+//
+// Helper classes to pass data between serialization methods.
+
+#ifndef serialinfo_h
+#define serialinfo_h
+
+class SerialInfo {
+public:
+	SerialInfo(Serializer* arg_s)
+		{
+		chunk = 0;
+		s = arg_s;
+		may_suspend = clear_containers = false;
+		cache = globals_as_names = true;
+		type = SER_NONE;
+		pid_32bit = false;
+		include_locations = true;
+		new_cache_strategy = false;
+		}
+
+	SerialInfo(const SerialInfo& info)
+		{
+		s = info.s;
+		may_suspend = info.may_suspend;
+		cache = info.cache;
+		type = info.type;
+		clear_containers = info.clear_containers;
+		globals_as_names = info.globals_as_names;
+		pid_32bit = info.pid_32bit;
+		include_locations = info.include_locations;
+		new_cache_strategy = info.new_cache_strategy;
+		}
+
+	// Parameters that control serialization.
+	Serializer* s;	// serializer to use
+	bool cache;	// true if object caching is ok
+	bool may_suspend;	// if true, suspending serialization is ok
+	bool clear_containers;	// if true, store container values as empty
+	bool include_locations;	// if true, include locations in serialization
+
+	// If true, for NameExpr's serialize just the names of globals, just
+	// their value.
+	bool globals_as_names;
+
+	bool pid_32bit;	// if true, use old-style 32-bit permanent IDs
+
+	// If true, we support keeping objs in cache permanently.
+	bool new_cache_strategy;
+
+	ChunkedIO::Chunk* chunk; // chunk written right before the serialization
+
+	// Attributes set during serialization.
+	SerialType type;	// type of currently serialized object
+
+	// State for suspending/resuming serialization
+	Continuation cont;
+};
+
+class UnserialInfo {
+public:
+	UnserialInfo(Serializer* arg_s)
+		{
+		s = arg_s;
+		cache = true;
+		type = SER_NONE;
+		chunk = 0;
+		install_globals = install_conns = true;
+		install_uniques = false;
+		ignore_callbacks = false;
+		id_policy = Replace;
+		print = 0;
+		pid_32bit = false;
+		new_cache_strategy = false;
+		}
+
+	UnserialInfo(const UnserialInfo& info)
+		{
+		s = info.s;
+		cache = info.cache;
+		type = info.type;
+		chunk = info.chunk;
+		install_globals = info.install_globals;
+		install_uniques = info.install_uniques;
+		install_conns = info.install_conns;
+		ignore_callbacks = info.ignore_callbacks;
+		id_policy = info.id_policy;
+		print = info.print;
+		pid_32bit = info.pid_32bit;
+		new_cache_strategy = info.new_cache_strategy;
+		}
+
+	// Parameters that control unserialization.
+	Serializer* s;	// serializer to use
+	bool cache;	// if true,  object caching is ok
+	FILE* print;	// print read objects to given file (human-readable)
+
+	ChunkedIO::Chunk* chunk; // chunk to parse (rather than reading one)
+
+	bool install_globals;	// if true, install unknown globals
+				// in global scope
+	bool install_conns;	// if true, add connections to session table
+	bool install_uniques;	// if true, install unknown globally
+				// unique IDs in global scope
+	bool ignore_callbacks;	// if true, don't call Got*() callbacks
+	bool pid_32bit; // if true, use old-style 32-bit permanent IDs.
+
+	// If true, we support keeping objs in cache permanently.
+	bool new_cache_strategy;
+
+	// If a global ID already exits, of these policies is used.
+	enum {
+		Keep,	// keep the old ID and ignore the new
+		Replace,	// install the new ID (default)
+
+		// Keep current ID instance but copy the new value into it
+		// (types have to match).
+		CopyNewToCurrent,
+
+		// Install the new ID instance but replace its value
+		// with that of the old one (types have to match).
+		CopyCurrentToNew,
+
+		// Instantiate a new ID, but do not insert it into the global
+		// space.
+		InstantiateNew,
+	} id_policy;
+
+	// Attributes set during unserialization.
+	SerialType type;	// type of currently unserialized object
+};
+
+// Helper class to temporarily disable suspending for all next-level calls
+// using the given SerialInfo.  It saves the current value of info.may_suspend
+// and then sets it to false.  When it goes out of scope, the original value
+// is restored.
+//
+// We need this because not all classes derived from SerialObj are
+// suspension-aware yet, i.e., they don't work correctly if one of the
+// next-level functions suspends. Eventually this may change, but actually
+// it's not very important: most classes don't need to suspend anyway as
+// their data volume is very small.  We have to make sure though that those
+// which do (e.g. TableVals) support suspension.
+class DisableSuspend {
+public:
+	DisableSuspend(SerialInfo* arg_info)
+		{
+		info = arg_info;
+		old_may_suspend = info->may_suspend;
+		info->may_suspend = false;
+		}
+
+	~DisableSuspend()	{ Restore(); }
+
+	void Release()	{ info = 0; }
+
+	// Restores the suspension-state to its original value.
+	void Restore()
+		{
+		if ( info )
+			info->may_suspend = old_may_suspend;
+		}
+
+private:
+	SerialInfo* info;
+	bool old_may_suspend;
+};
+
+#endif
diff --git a/src/SerialObj.cc b/src/SerialObj.cc
new file mode 100644
index 0000000000..02c312c1e7
--- /dev/null
+++ b/src/SerialObj.cc
@@ -0,0 +1,279 @@
+// $Id: SerialObj.cc 7075 2010-09-13 02:39:38Z vern $
+
+#include "SerialObj.h"
+#include "Serializer.h"
+
+TransientID::ID TransientID::counter = 0;
+
+SerialObj::FactoryMap* SerialObj::factories = 0;
+SerialObj::ClassNameMap* SerialObj::names = 0;
+uint64 SerialObj::time_counter = NEVER + ALWAYS + 1;
+
+SerialObj* SerialObj::Instantiate(SerialType type)
+	{
+	FactoryMap::iterator f = factories->find(type & SER_TYPE_MASK_EXACT);
+	if ( f != factories->end() )
+		{
+		SerialObj* o = (SerialObj*) (*f->second)();
+#ifdef DEBUG
+		o->serial_type = o->GetSerialType();
+#endif
+		return o;
+		}
+
+	run_time(fmt("Unknown object type 0x%08x", type));
+	return 0;
+	}
+
+const char* SerialObj::ClassName(SerialType type)
+	{
+	ClassNameMap::iterator f = names->find(type);
+	if ( f != names->end() )
+		return f->second;
+
+	run_time(fmt("Unknown object type 0x%08x", type));
+	return "<no-class-name>";
+	}
+
+void SerialObj::Register(SerialType type, FactoryFunc f, const char* name)
+	{
+	if ( ! factories )
+		{
+		factories = new FactoryMap;
+		names = new ClassNameMap;
+		}
+
+	type = type & SER_TYPE_MASK_EXACT;
+
+	FactoryMap::iterator i = factories->find(type);
+	if ( i != factories->end() )
+		internal_error("SerialType 0x%08x registered twice", type);
+
+	(*factories)[type] = f;
+	(*names)[type] = name;
+	}
+
+inline bool SerializePID(SerialInfo* info, bool full, SerializationCache::PermanentID pid)
+	{
+	if ( ! SERIALIZE(full) )
+		return false;
+
+	if ( ! info->pid_32bit )
+		return SERIALIZE(pid);
+
+	// Broccoli compatibility mode with 32bit pids.
+	uint32 tmp = uint32(pid);
+	return SERIALIZE(tmp);
+	}
+
+bool SerialObj::Serialize(SerialInfo* info) const
+	{
+	assert(info);
+
+	if ( info->cont.NewInstance() )
+		{
+		SerializationCache::PermanentID pid = SerializationCache::NONE;
+
+		const TransientID* tid = GetTID();
+
+		if ( ! tid )
+			internal_error("no tid - missing DECLARE_SERIAL?");
+
+		if ( info->cache )
+			pid = info->s->Cache()->Lookup(*tid);
+
+		if ( pid != SerializationCache::NONE && info->cache )
+			{
+			DBG_LOG(DBG_SERIAL, "%s [%p, ref pid %lld, tid %lld]", __PRETTY_FUNCTION__, this, (long long) pid, tid->Value() );
+
+			DBG_LOG(DBG_SERIAL, "-- Caching");
+			DBG_PUSH(DBG_SERIAL);
+
+			if ( ! SerializePID(info, false, pid) )
+				{
+				DBG_POP(DBG_SERIAL);
+				return false;
+				}
+
+			DBG_POP(DBG_SERIAL);
+			return true;
+			}
+
+		if ( info->cache )
+			pid = info->s->Cache()->Register(this,
+						SerializationCache::NONE,
+						info->new_cache_strategy);
+
+		DBG_LOG(DBG_SERIAL, "%s [%p, new pid %lld, tid %lld]", __PRETTY_FUNCTION__, this, (long long) pid, tid->Value() );
+		DBG_LOG(DBG_SERIAL, "-- Caching");
+		DBG_PUSH(DBG_SERIAL);
+
+		if ( ! SerializePID(info, true, pid) )
+			{
+			DBG_POP(DBG_SERIAL);
+			return false;
+			}
+
+		info->type = SER_NONE;
+		DBG_POP(DBG_SERIAL);
+		}
+
+	DBG_PUSH(DBG_SERIAL);
+	info->cont.SaveContext();
+	bool ret = DoSerialize(info);
+	info->cont.RestoreContext();
+	DBG_POP(DBG_SERIAL);
+
+	if ( info->cont.ChildSuspended() )
+		return ret;
+
+#ifdef DEBUG
+	if ( debug_logger.IsEnabled(DBG_SERIAL) && IsBroObj(serial_type) )
+		{
+		ODesc desc(DESC_READABLE);
+		((BroObj*)this)->Describe(&desc);
+		DBG_LOG(DBG_SERIAL, "-- Desc: %s", desc.Description());
+		}
+#endif
+
+	return ret;
+	}
+
+SerialObj* SerialObj::Unserialize(UnserialInfo* info, SerialType type)
+	{
+	SerializationCache::PermanentID pid = SerializationCache::NONE;
+
+	DBG_LOG(DBG_SERIAL, "%s", __PRETTY_FUNCTION__);
+
+	bool full_obj;
+
+	DBG_LOG(DBG_SERIAL, "-- Caching");
+	DBG_PUSH(DBG_SERIAL);
+
+	bool result;
+
+	if ( ! info->pid_32bit )
+		result = UNSERIALIZE(&full_obj) && UNSERIALIZE(&pid);
+	else
+		{
+		// Broccoli compatibility mode with 32bit pids.
+		uint32 tmp;
+		result = UNSERIALIZE(&full_obj) && UNSERIALIZE(&tmp);
+		pid = tmp;
+		}
+
+	if ( ! result )
+		{
+		DBG_POP(DBG_SERIAL);
+		return false;
+		}
+
+	DBG_POP(DBG_SERIAL);
+
+	DBG_LOG(DBG_SERIAL, "-- [%s pid %lld]", full_obj ? "obj" : "ref", (long long) pid);
+
+	if ( ! full_obj )
+		{
+		// FIXME: Yet another const_cast to check eventually...
+		SerialObj* obj =
+			const_cast<SerialObj*>(info->s->Cache()->Lookup(pid));
+		if ( obj )
+			{
+			if ( obj->IsBroObj() )
+				Ref((BroObj*) obj);
+			return obj;
+			}
+
+		// In the following we'd like the format specifier to match
+		// the type of pid; but pid is uint64, for which there's
+		// no portable format specifier.  So we upcast it to long long,
+		// which is at least that size, and use a matching format.
+		info->s->Error(fmt("unknown object %lld referenced",
+				(long long) pid));
+		return 0;
+		}
+
+	uint16 stype;
+	if ( ! UNSERIALIZE(&stype) )
+		return 0;
+
+	SerialObj* obj = Instantiate(SerialType(stype));
+
+	if ( ! obj )
+		{
+		info->s->Error("unknown object type");
+		return 0;
+		}
+
+#ifdef DEBUG
+	obj->serial_type = stype;
+#endif
+
+	const TransientID* tid = obj->GetTID();
+	if ( ! tid )
+		internal_error("no tid - missing DECLARE_SERIAL?");
+
+	if ( info->cache )
+		info->s->Cache()->Register(obj, pid, info->new_cache_strategy);
+
+	info->type = stype;
+
+	DBG_PUSH(DBG_SERIAL);
+	if ( ! obj->DoUnserialize(info) )
+		{
+		DBG_POP(DBG_SERIAL);
+		return 0;
+		}
+
+	DBG_POP(DBG_SERIAL);
+
+	if ( ! SerialObj::CheckTypes(stype, type) )
+		{
+		info->s->Error("type mismatch");
+		return 0;
+		}
+
+#ifdef DEBUG
+	if ( debug_logger.IsEnabled(DBG_SERIAL) && IsBroObj(stype) )
+		{
+		ODesc desc(DESC_READABLE);
+		((BroObj*)obj)->Describe(&desc);
+		DBG_LOG(DBG_SERIAL, "-- Desc: %s", desc.Description());
+		}
+#endif
+
+	assert(obj);
+	return obj;
+	}
+
+bool SerialObj::DoSerialize(SerialInfo* info) const
+	{
+	assert(info->type != SER_NONE);
+
+#ifdef DEBUG
+	const_cast<SerialObj*>(this)->serial_type = info->type;
+#endif
+
+	DBG_LOG(DBG_SERIAL, __PRETTY_FUNCTION__);
+	DBG_PUSH(DBG_SERIAL);
+
+	uint16 stype = uint16(info->type);
+
+	if ( ! info->new_cache_strategy )
+		{
+		// This is a bit unfortunate: to make sure we're sending
+		// out the same types as in the past, we need to strip out
+		// the new cache stable bit.
+		stype &= ~SER_IS_CACHE_STABLE;
+		}
+
+	bool ret = SERIALIZE(stype);
+	DBG_POP(DBG_SERIAL);
+	return ret;
+	}
+
+bool SerialObj::DoUnserialize(UnserialInfo* info)
+	{
+	DBG_LOG(DBG_SERIAL, __PRETTY_FUNCTION__);
+	return true;
+	}
diff --git a/src/SerialObj.h b/src/SerialObj.h
new file mode 100644
index 0000000000..9c02b21e5b
--- /dev/null
+++ b/src/SerialObj.h
@@ -0,0 +1,356 @@
+// $Id: SerialObj.h 6752 2009-06-14 04:24:52Z vern $
+//
+// Infrastructure for serializable objects.
+//
+// How to make objects of class Foo serializable:
+//
+//    1. Derive Foo (directly or indirectly) from SerialObj.
+//    2. Add a SER_FOO constant to SerialTypes below.
+//    3. Add DECLARE_SERIAL(Foo) into class definition.
+//    4. Add a (preferably protected) default ctor if it doesn't already exist.
+//    5. For non-abstract classes, add IMPLEMENT_SERIAL(Foo, SER_FOO) to *.cc
+//    6. Add two methods like this to *.cc (keep names of arguments!)
+//
+//       bool Foo::DoSerialize(SerialInfo* info) const
+//           {
+//           DO_SERIALIZE(SER_FOO, ParentClassOfFoo);
+//           <... serialize class members via methods in Serializer ...>
+//           return true if everything ok;
+//	     }
+//
+//       bool Foo::DoUnserialize(UnserialInfo* info)
+//           {
+//           DO_UNSERIALIZE(ParentClassOfFoo);
+//           <... unserialize class members via methods in Serializer ...>
+//           return true if everything ok;
+//           }
+//
+//   (7. If no parent class of Foo already contains Serialize()/Unserialize()
+//       methods, these need to be added somewhere too. But most of the various
+//       parts of the class hierarchy already have them.)
+
+
+#ifndef SERIALOBJ_H
+#define SERIALOBJ_H
+
+#include <map>
+#include <util.h>
+
+#include "DebugLogger.h"
+#include "Continuation.h"
+#include "SerialTypes.h"
+#include "config.h"
+
+#if SIZEOF_LONG_LONG < 8
+# error "Serialization requires that sizeof(long long) is at least 8. (Remove this message only if you know what you're doing.)"
+#endif
+
+class Serializer;
+class SerialInfo;
+class UnserialInfo;
+class SerializationCache;
+
+// Per-process unique ID.
+class TransientID {
+public:
+	TransientID()	{ id = ++counter; }
+
+	typedef unsigned long long ID;
+	ID Value() const	{ return id; }
+
+private:
+	ID id;
+	static ID counter;
+};
+
+// Abstract base class for serializable objects.
+class SerialObj {
+public:
+	virtual ~SerialObj()	{ }
+
+	virtual const TransientID* GetTID() const	{ return 0; }
+
+	virtual SerialType GetSerialType() const	{ return 0; }
+
+	bool IsBroObj() const { return IsBroObj(GetSerialType()); }
+	bool IsCacheStable() const { return IsCacheStable(GetSerialType()); }
+
+	static const uint64 NEVER = 0;
+	static const uint64 ALWAYS = 1;
+
+	// Returns time of last modification. This "time" is a monotonically
+	// increasing counter which is incremented each time a modification is
+	// performed (more precisely: each time an object is modified which
+	// returns something different than NEVER). Such times can thus be
+	// compared to see whether some modification took place before another.
+	//
+	// There are two special values:
+	//    NEVER:  This object will never change.
+	//    ALWAYS: Always consider this object as changed, i.e., don't
+	//            cache it.
+	virtual uint64 LastModified() const	{ return NEVER; }
+
+	// Instantiate an object of the given type. Return nil
+	// if unknown.
+	static SerialObj* Instantiate(SerialType type);
+
+	static const char* ClassName(SerialType type);
+
+	// Associate a "factory" function with the given type.
+	// A factory is a class or function that creates instances
+	// of a certain type.
+
+	typedef SerialObj* (*FactoryFunc)();
+	static void Register(SerialType type, FactoryFunc f,
+			const char* class_name);
+
+	static bool IsBroObj(SerialType type)
+		{ return type & SER_IS_BRO_OBJ; }
+
+	static bool IsCacheStable(SerialType type)
+		{ return type & SER_IS_CACHE_STABLE; }
+
+	static bool CheckTypes(SerialType type1, SerialType type2)
+		{ return (type1 & SER_TYPE_MASK_PARENT) ==
+			 (type2 & SER_TYPE_MASK_PARENT); }
+
+protected:
+	friend class SerializationCache;
+
+	SerialObj()
+		{
+#ifdef DEBUG
+		serial_type = 0;
+#endif
+		}
+
+	// Serializes this object. If info->cache is false, we can use
+	// DECLARE_NON_CACHEABLE_SERIAL (instead of DECLARE_SERIAL) which
+	// avoids storing a per-object id.
+	bool Serialize(SerialInfo* info) const;
+
+	// Unserializes next object.
+	static SerialObj* Unserialize(UnserialInfo* info,
+					SerialType type);
+
+	virtual bool DoSerialize(SerialInfo* info) const;
+	virtual bool DoUnserialize(UnserialInfo* info);
+
+	typedef std::map<SerialType, FactoryFunc> FactoryMap;
+	static FactoryMap* factories;
+
+	typedef std::map<SerialType, const char*> ClassNameMap;
+	static ClassNameMap* names;
+
+	static uint64 time_counter;
+	static uint64 IncreaseTimeCounter()	{ return ++time_counter; }
+	static uint64 GetTimeCounter()	{ return time_counter; }
+
+#ifdef DEBUG
+	SerialType serial_type;
+#endif
+};
+
+// A class that registers a factory function upon instantiation.
+class SerialTypeRegistrator {
+public:
+	SerialTypeRegistrator(SerialType type, SerialObj::FactoryFunc func,
+			const char* class_name)
+		{
+		SerialObj::Register(type, func, class_name);
+		}
+};
+
+
+// Macro helpers.
+
+#define DECLARE_ABSTRACT_SERIAL(classname) \
+	virtual bool DoSerialize(SerialInfo*) const; \
+	virtual bool DoUnserialize(UnserialInfo*); \
+
+#define DECLARE_SERIAL(classname) \
+	static classname* Instantiate(); \
+	static SerialTypeRegistrator register_type; \
+	virtual bool DoSerialize(SerialInfo*) const; \
+	virtual bool DoUnserialize(UnserialInfo*); \
+	virtual const TransientID*  GetTID() const	{ return &tid; } \
+	virtual SerialType GetSerialType() const; \
+	TransientID tid;
+
+// Only needed (and usable) for non-abstract classes.
+#define IMPLEMENT_SERIAL(classname, classtype) \
+	SerialTypeRegistrator classname::register_type(classtype, \
+			FactoryFunc(&classname::Instantiate), #classname); \
+	SerialType classname::GetSerialType() const { return classtype; }; \
+	classname* classname::Instantiate()	{ return new classname(); } \
+
+// Pushes debug level on instantiation and pops when it goes out of scope.
+class AutoPush {
+public:
+	AutoPush()	{ DBG_PUSH(DBG_SERIAL); }
+	~AutoPush()	{ DBG_POP(DBG_SERIAL); }
+};
+
+// Note that by default we disable suspending.  Use DO_SERIALIZE_WITH_SUSPEND
+// to enable, but be careful to make sure that whomever calls us is aware of
+// the fact (or has already disabled suspension itself).
+#define DO_SERIALIZE(classtype, super) \
+	DBG_LOG(DBG_SERIAL, __PRETTY_FUNCTION__); \
+	if ( info->type == SER_NONE ) \
+		info->type = classtype; \
+	DisableSuspend suspend(info); \
+	AutoPush auto_push; \
+	if ( ! super::DoSerialize(info) ) \
+		return false;
+
+// Unfortunately, this is getting quite long. :-(
+#define DO_SERIALIZE_WITH_SUSPEND(classtype, super) \
+	DBG_LOG(DBG_SERIAL, __PRETTY_FUNCTION__); \
+	if ( info->type == SER_NONE ) \
+		info->type = classtype; \
+	AutoPush auto_push; \
+	\
+	bool call_super = info->cont.NewInstance(); \
+	\
+	if ( info->cont.ChildSuspended() ) \
+		{ \
+		void* user_ptr = info->cont.RestoreState(); \
+		if ( user_ptr == &call_super ) \
+			call_super = true; \
+		} \
+	\
+	if ( call_super ) \
+		{ \
+		info->cont.SaveState(&call_super); \
+		info->cont.SaveContext(); \
+		bool result = super::DoSerialize(info); \
+		info->cont.RestoreContext(); \
+		if ( ! result ) \
+			return false; \
+		if ( info->cont.ChildSuspended() ) \
+			return true; \
+		info->cont.SaveState(0); \
+		} \
+
+#define DO_UNSERIALIZE(super) \
+	DBG_LOG(DBG_SERIAL, __PRETTY_FUNCTION__); \
+	AutoPush auto_push; \
+	if ( ! super::DoUnserialize(info) ) \
+		return false;
+
+#define SERIALIZE(x) \
+	info->s->Write(x, #x)
+
+#define SERIALIZE_STR(x, y) \
+	info->s->Write(x, y, #x)
+
+#define SERIALIZE_BIT(bit) \
+	info->s->Write(bool(bit), #bit)
+
+#define UNSERIALIZE(x) \
+	info->s->Read(x, #x)
+
+#define UNSERIALIZE_STR(x, y) \
+	info->s->Read(x, y, #x)
+
+#define UNSERIALIZE_BIT(bit) \
+	{ \
+	bool tmp; \
+	if ( ! info->s->Read(&tmp, #bit) ) \
+		return false; \
+	bit = (unsigned int) tmp; \
+	}
+
+// Some helpers for pointers which may be nil.
+#define SERIALIZE_OPTIONAL(ptr) \
+	{	\
+	if ( ptr )	\
+		{	\
+		if ( ! info->cont.ChildSuspended() )	\
+			if ( ! info->s->Write(true, "has_" #ptr) )	\
+				return false;	\
+		\
+		info->cont.SaveContext();	\
+		bool result = ptr->Serialize(info);	\
+		info->cont.RestoreContext();	\
+		if ( ! result )	\
+			return false;	\
+		\
+		if ( info->cont.ChildSuspended() )	\
+			return true;	\
+		}	\
+	\
+	else if ( ! info->s->Write(false, "has_" #ptr) )	\
+		return false;	\
+	}
+
+#define SERIALIZE_OPTIONAL_STR(str) \
+	{	\
+	if ( str )	\
+		{	\
+		if ( ! (info->s->Write(true, "has_" #str) && info->s->Write(str, "str")) )	\
+			return false;	\
+		}	\
+	\
+	else if ( ! info->s->Write(false, "has_" #str) )	\
+		return false;	\
+	}
+
+#define UNSERIALIZE_OPTIONAL(dst, unserialize)	\
+	{	\
+	bool has_it;	\
+	if ( ! info->s->Read(&has_it, "has_" #dst) )	\
+		return false;	\
+	\
+	if ( has_it )	\
+		{	\
+		dst = unserialize;	\
+		if ( ! dst )	\
+			return false;	\
+		}	\
+	\
+	else	\
+		dst = 0;	\
+	}
+
+#define UNSERIALIZE_OPTIONAL_STR(dst)	\
+	{	\
+	bool has_it;	\
+	if ( ! info->s->Read(&has_it, "has_" #dst) )	\
+		return false;	\
+	\
+	if ( has_it )	\
+		{	\
+		info->s->Read(&dst, 0, "has_" #dst);	\
+		if ( ! dst )	\
+			return false;	\
+		}	\
+	\
+	else	\
+		dst = 0;	\
+	}
+
+#define UNSERIALIZE_OPTIONAL_STATIC(dst, unserialize, del)	\
+	{	\
+	bool has_it;	\
+	if ( ! info->s->Read(&has_it, "has_" #dst) )	\
+		{	\
+		delete del;	\
+		return 0;	\
+		}	\
+	\
+	if ( has_it )	\
+		{	\
+		dst = unserialize;	\
+		if ( ! dst )	\
+			{	\
+			delete del;	\
+			return 0;	\
+			}	\
+		}	\
+	\
+	else	\
+		dst = 0;	\
+	}
+
+#endif
diff --git a/src/SerialTypes.h b/src/SerialTypes.h
new file mode 100644
index 0000000000..a33b026fae
--- /dev/null
+++ b/src/SerialTypes.h
@@ -0,0 +1,200 @@
+// $Id: SerialTypes.h 6752 2009-06-14 04:24:52Z vern $
+
+#ifndef serialtypes_h
+#define serialtypes_h
+
+// Each serializable class gets a type.
+//
+// The type enables a form of poor man's type-checking:
+//     Bit 0-7:  Number (unique relative to main parent (see below)).
+//     Bit 8-12: Main parent class (SER_IS_*)
+//     Bit 13:   unused
+//     Bit 14:   1 if preference is to keep in cache.
+//     Bit 15:   1 if derived from BroObj.
+
+typedef uint16 SerialType;
+
+static const SerialType SER_TYPE_MASK_EXACT = 0x1fff;
+static const SerialType SER_TYPE_MASK_PARENT = 0x1f00;
+static const SerialType SER_IS_CACHE_STABLE = 0x4000;
+static const SerialType SER_IS_BRO_OBJ = 0x8000;
+
+#define SERIAL_CONST(name, val, type) \
+	const SerialType SER_ ## name = val | SER_IS_ ## type;
+
+#define SERIAL_CONST2(name) SERIAL_CONST(name, 1, name)
+
+#define SERIAL_IS(name, val) \
+	static const SerialType SER_IS_ ## name = val;
+#define SERIAL_IS_BO(name, val) \
+	static const SerialType SER_IS_ ## name = val | SER_IS_BRO_OBJ;
+#define SERIAL_IS_BO_AND_CACHE_STABLE(name, val) \
+	static const SerialType SER_IS_ ## name = val | (SER_IS_BRO_OBJ | SER_IS_CACHE_STABLE);
+
+SERIAL_IS_BO(CONNECTION, 0x0100)
+SERIAL_IS(TIMER, 0x0200)
+SERIAL_IS(TCP_ENDPOINT, 0x0300)
+SERIAL_IS_BO(TCP_ANALYZER, 0x0400)
+SERIAL_IS_BO(TCP_ENDPOINT_ANALYZER, 0x0500)
+SERIAL_IS(TCP_CONTENTS, 0x0600)
+SERIAL_IS(REASSEMBLER, 0x0700)
+SERIAL_IS_BO(VAL, 0x0800)
+SERIAL_IS_BO_AND_CACHE_STABLE(EXPR, 0x0900)
+SERIAL_IS_BO_AND_CACHE_STABLE(BRO_TYPE, 0x0a00)
+SERIAL_IS_BO_AND_CACHE_STABLE(STMT, 0x0b00)
+SERIAL_IS_BO_AND_CACHE_STABLE(ATTRIBUTES, 0x0c00)
+SERIAL_IS_BO_AND_CACHE_STABLE(EVENT_HANDLER, 0x0d00)
+SERIAL_IS_BO_AND_CACHE_STABLE(BRO_FILE, 0x0e00)
+SERIAL_IS_BO_AND_CACHE_STABLE(FUNC, 0x0f00)
+SERIAL_IS_BO(ID, 0x1000)
+SERIAL_IS(STATE_ACCESS, 0x1100)
+SERIAL_IS_BO(CASE, 0x1200)
+SERIAL_IS(LOCATION, 0x1300)
+SERIAL_IS(RE_MATCHER, 0x1400)
+
+// These are the externally visible types.
+const SerialType SER_NONE = 0;
+
+SERIAL_CONST2(BRO_OBJ)
+
+#define SERIAL_CONN(name, val) SERIAL_CONST(name, val, CONNECTION)
+SERIAL_CONN(CONNECTION, 1)
+SERIAL_CONN(ICMP_ANALYZER, 2)
+// We use ICMP_Echo here rather than ICMP_ECHO because the latter gets
+// macro expanded :-(.
+SERIAL_CONN(ICMP_Echo, 3)
+SERIAL_CONN(ICMP_CONTEXT, 4)
+SERIAL_CONN(TCP_CONNECTION, 5)
+SERIAL_CONN(TCP_CONNECTION_CONTENTS, 6)
+SERIAL_CONN(FTP_CONN, 7)
+SERIAL_CONN(UDP_CONNECTION, 8)
+
+#define SERIAL_TIMER(name, val) SERIAL_CONST(name, val, TIMER)
+SERIAL_TIMER(TIMER, 1)
+SERIAL_TIMER(CONNECTION_TIMER, 2)
+
+SERIAL_CONST2(TCP_ENDPOINT)
+SERIAL_CONST2(TCP_ANALYZER)
+SERIAL_CONST2(TCP_ENDPOINT_ANALYZER)
+
+#define SERIAL_TCP_CONTENTS(name, val) SERIAL_CONST(name, val, TCP_CONTENTS)
+SERIAL_TCP_CONTENTS(TCP_CONTENTS, 1)
+SERIAL_TCP_CONTENTS(TCP_CONTENT_LINE, 2)
+SERIAL_TCP_CONTENTS(TCP_NVT, 3)
+
+#define SERIAL_REASSEMBLER(name, val) SERIAL_CONST(name, val, REASSEMBLER)
+SERIAL_REASSEMBLER(REASSEMBLER, 1)
+SERIAL_REASSEMBLER(TCP_REASSEMBLER, 2)
+
+#define SERIAL_VAL(name, val) SERIAL_CONST(name, val, VAL)
+SERIAL_VAL(VAL, 1)
+SERIAL_VAL(INTERVAL_VAL,  2)
+SERIAL_VAL(PORT_VAL, 3)
+SERIAL_VAL(ADDR_VAL, 4)
+SERIAL_VAL(NET_VAL, 5)
+SERIAL_VAL(SUBNET_VAL, 6)
+SERIAL_VAL(STRING_VAL, 7)
+SERIAL_VAL(PATTERN_VAL, 8)
+SERIAL_VAL(LIST_VAL, 9)
+SERIAL_VAL(TABLE_VAL, 10)
+SERIAL_VAL(RECORD_VAL, 11)
+SERIAL_VAL(ENUM_VAL, 12)
+SERIAL_VAL(VECTOR_VAL, 13)
+SERIAL_VAL(MUTABLE_VAL, 14)
+
+#define SERIAL_EXPR(name, val) SERIAL_CONST(name, val, EXPR)
+SERIAL_EXPR(EXPR, 1)
+SERIAL_EXPR(NAME_EXPR, 2)
+SERIAL_EXPR(CONST_EXPR, 3)
+SERIAL_EXPR(UNARY_EXPR, 4)
+SERIAL_EXPR(BINARY_EXPR, 5)
+SERIAL_EXPR(INCR_EXPR, 6)
+SERIAL_EXPR(NOT_EXPR, 7)
+SERIAL_EXPR(POS_EXPR, 8)
+SERIAL_EXPR(NEG_EXPR, 9)
+SERIAL_EXPR(ADD_EXPR, 10)
+SERIAL_EXPR(SUB_EXPR, 11)
+SERIAL_EXPR(TIMES_EXPR, 12)
+SERIAL_EXPR(DIVIDE_EXPR, 13)
+SERIAL_EXPR(MOD_EXPR, 14)
+SERIAL_EXPR(BOOL_EXPR, 15)
+SERIAL_EXPR(EQ_EXPR, 16)
+SERIAL_EXPR(REL_EXPR, 17)
+SERIAL_EXPR(COND_EXPR, 18)
+SERIAL_EXPR(REF_EXPR, 19)
+SERIAL_EXPR(ASSIGN_EXPR, 20)
+SERIAL_EXPR(INDEX_EXPR, 21)
+SERIAL_EXPR(FIELD_EXPR, 22)
+SERIAL_EXPR(HAS_FIELD_EXPR, 23)
+SERIAL_EXPR(RECORD_CONSTRUCTOR_EXPR, 24)
+SERIAL_EXPR(FIELD_ASSIGN_EXPR, 25)
+SERIAL_EXPR(RECORD_MATCH_EXPR, 26)
+SERIAL_EXPR(ARITH_COERCE_EXPR, 27)
+SERIAL_EXPR(RECORD_COERCE_EXPR, 28)
+SERIAL_EXPR(FLATTEN_EXPR, 29)
+SERIAL_EXPR(SCHEDULE_EXPR, 30)
+SERIAL_EXPR(IN_EXPR, 31)
+SERIAL_EXPR(CALL_EXPR, 32)
+SERIAL_EXPR(EVENT_EXPR, 33)
+SERIAL_EXPR(LIST_EXPR, 34)
+SERIAL_EXPR(RECORD_ASSIGN_EXPR, 35)
+SERIAL_EXPR(ADD_TO_EXPR, 36)
+SERIAL_EXPR(REMOVE_FROM_EXPR, 37)
+SERIAL_EXPR(SIZE_EXPR, 38)
+SERIAL_EXPR(CLONE_EXPR, 39)
+SERIAL_EXPR(TABLE_CONSTRUCTOR_EXPR, 40)
+SERIAL_EXPR(SET_CONSTRUCTOR_EXPR, 41)
+SERIAL_EXPR(VECTOR_CONSTRUCTOR_EXPR, 42)
+SERIAL_EXPR(TABLE_COERCE_EXPR, 43)
+
+#define SERIAL_STMT(name, val) SERIAL_CONST(name, val, STMT)
+SERIAL_STMT(STMT, 1)
+SERIAL_STMT(EXPR_LIST_STMT, 2)
+SERIAL_STMT(ALARM_STMT, 3)
+SERIAL_STMT(PRINT_STMT, 4)
+SERIAL_STMT(EXPR_STMT, 5)
+SERIAL_STMT(IF_STMT, 6)
+SERIAL_STMT(SWITCH_STMT, 7)
+SERIAL_STMT(ADD_STMT, 8)
+SERIAL_STMT(DEL_STMT, 9)
+SERIAL_STMT(EVENT_STMT, 10)
+SERIAL_STMT(FOR_STMT, 11)
+SERIAL_STMT(NEXT_STMT, 12)
+SERIAL_STMT(BREAK_STMT, 13)
+SERIAL_STMT(RETURN_STMT, 14)
+SERIAL_STMT(STMT_LIST, 15)
+SERIAL_STMT(EVENT_BODY_LIST, 16)
+SERIAL_STMT(INIT_STMT, 17)
+SERIAL_STMT(NULL_STMT, 18)
+SERIAL_STMT(WHEN_STMT, 19)
+
+#define SERIAL_TYPE(name, val) SERIAL_CONST(name, val, BRO_TYPE)
+SERIAL_TYPE(BRO_TYPE, 1)
+SERIAL_TYPE(TYPE_LIST, 2)
+SERIAL_TYPE(INDEX_TYPE, 3)
+SERIAL_TYPE(TABLE_TYPE, 4)
+SERIAL_TYPE(SET_TYPE, 5)
+SERIAL_TYPE(FUNC_TYPE, 6)
+SERIAL_TYPE(RECORD_TYPE, 7)
+SERIAL_TYPE(SUBNET_TYPE, 8)
+SERIAL_TYPE(FILE_TYPE, 9)
+SERIAL_TYPE(ENUM_TYPE, 10)
+SERIAL_TYPE(VECTOR_TYPE, 11)
+
+SERIAL_CONST2(ATTRIBUTES)
+SERIAL_CONST2(EVENT_HANDLER)
+SERIAL_CONST2(BRO_FILE)
+
+#define SERIAL_FUNC(name, val) SERIAL_CONST(name, val, FUNC)
+SERIAL_FUNC(FUNC, 1)
+SERIAL_FUNC(BRO_FUNC, 2)
+SERIAL_FUNC(DEBUG_FUNC, 3)
+SERIAL_FUNC(BUILTIN_FUNC, 4)
+
+SERIAL_CONST2(ID)
+SERIAL_CONST2(STATE_ACCESS)
+SERIAL_CONST2(CASE)
+SERIAL_CONST2(LOCATION)
+SERIAL_CONST2(RE_MATCHER)
+
+#endif
diff --git a/src/SerializationFormat.cc b/src/SerializationFormat.cc
new file mode 100644
index 0000000000..d49233ec92
--- /dev/null
+++ b/src/SerializationFormat.cc
@@ -0,0 +1,497 @@
+// $Id: SerializationFormat.cc 5873 2008-06-28 19:25:03Z vern $
+
+#include <ctype.h>
+
+#include "net_util.h"
+#include "SerializationFormat.h"
+#include "Serializer.h"
+
+SerializationFormat::SerializationFormat()
+	{
+	output = 0;
+	}
+
+SerializationFormat::~SerializationFormat()
+	{
+	delete [] output;
+	}
+
+void SerializationFormat::StartRead(char* data, uint32 arg_len)
+	{
+	input = data;
+	input_len = arg_len;
+	input_pos = 0;
+	}
+
+void SerializationFormat::EndRead()
+	{
+	input = 0;
+	}
+
+void SerializationFormat::StartWrite()
+	{
+	if ( output && output_size > INITIAL_SIZE )
+		{
+		delete [] output;
+		output = 0;
+		}
+
+	if ( ! output )
+		{
+		output = new char[INITIAL_SIZE];
+		output_size = INITIAL_SIZE;
+		}
+
+	output_pos = 0;
+	bytes_written = 0;
+	}
+
+uint32 SerializationFormat::EndWrite(char** data)
+	{
+	*data = new char[output_pos];
+	memcpy(*data, output, output_pos);
+	return output_pos;
+	}
+
+bool SerializationFormat::ReadData(void* b, size_t count)
+	{
+	if ( input_pos + count > input_len )
+		{
+		error("data underflow during read in binary format");
+		abort();
+		return false;
+		}
+
+	memcpy(b, input + input_pos, count);
+	input_pos += count;
+	return true;
+	}
+
+bool SerializationFormat::WriteData(const void* b, size_t count)
+	{
+	// Increase buffer if necessary.
+	while ( output_pos + count > output_size )
+		{
+		output_size = output_pos + count + INITIAL_SIZE;
+		char* tmp = new char[output_size];
+		memcpy(tmp, output, output_pos);
+		delete [] output;
+		output = tmp;
+		}
+
+	memcpy(output + output_pos, b, count);
+	output_pos += count;
+	bytes_written += count;
+
+	return true;
+	}
+
+BinarySerializationFormat::BinarySerializationFormat()
+	{
+	}
+
+BinarySerializationFormat::~BinarySerializationFormat()
+	{
+	}
+
+bool BinarySerializationFormat::Read(int* v, const char* tag)
+	{
+	uint32 tmp;
+	if ( ! ReadData(&tmp, sizeof(tmp)) )
+		return false;
+
+	*v = (int) ntohl(tmp);
+	DBG_LOG(DBG_SERIAL, "Read int %d [%s]", *v, tag);
+	return true;
+	}
+
+bool BinarySerializationFormat::Read(uint16* v, const char* tag)
+	{
+	if ( ! ReadData(v, sizeof(*v)) )
+		return false;
+
+	*v = ntohs(*v);
+	DBG_LOG(DBG_SERIAL, "Read uint16 %hu [%s]", *v, tag);
+	return true;
+	}
+
+bool BinarySerializationFormat::Read(uint32* v, const char* tag)
+	{
+	if ( ! ReadData(v, sizeof(*v)) )
+		return false;
+
+	*v = ntohl(*v);
+	DBG_LOG(DBG_SERIAL, "Read uint32 %ld [%s]", *v, tag);
+	return true;
+	}
+
+
+bool BinarySerializationFormat::Read(int64* v, const char* tag)
+	{
+	uint32 x[2];
+	if ( ! ReadData(x, sizeof(x)) )
+		return false;
+
+	*v = ((int64(ntohl(x[0]))) << 32) | ntohl(x[1]);
+	DBG_LOG(DBG_SERIAL, "Read int64 %lld [%s]", *v, tag);
+	return true;
+	}
+
+bool BinarySerializationFormat::Read(uint64* v, const char* tag)
+	{
+	uint32 x[2];
+	if ( ! ReadData(x, sizeof(x)) )
+		return false;
+
+	*v = ((uint64(ntohl(x[0]))) << 32) | ntohl(x[1]);
+	DBG_LOG(DBG_SERIAL, "Read uint64 %llu [%s]", *v, tag);
+	return true;
+	}
+
+bool BinarySerializationFormat::Read(bool* v, const char* tag)
+	{
+	char c;
+	if ( ! ReadData(&c, 1) )
+		return false;
+
+	*v = c == '\1' ? true : false;
+	DBG_LOG(DBG_SERIAL, "Read bool %s [%s]", *v ? "true" : "false", tag);
+	return true;
+	}
+
+bool BinarySerializationFormat::Read(double* d, const char* tag)
+	{
+	if ( ! ReadData(d, sizeof(*d)) )
+		return false;
+
+	*d = ntohd(*d);
+	DBG_LOG(DBG_SERIAL, "Read double %.6f [%s]", *d, tag);
+	return true;
+	}
+
+bool BinarySerializationFormat::Read(char* v, const char* tag)
+	{
+	bool ret = ReadData(v, 1);
+	DBG_LOG(DBG_SERIAL, "Read char %s [%s]", fmt_bytes(v, 1), tag);
+	return ret;
+	}
+
+bool BinarySerializationFormat::Read(char** str, int* len, const char* tag)
+	{
+	int l;
+	if ( ! ReadData(&l, sizeof(l)) )
+		return false;
+
+	l = ntohl(l);
+	char* s = new char[l + 1];
+
+	if ( ! ReadData(s, l) )
+		{
+		delete [] s;
+		*str = 0;
+		return false;
+		}
+
+	if ( len )
+		*len = l;
+	else
+		{
+		// If len isn't given, make sure that the string
+		// doesn't contain any nulls.
+		for ( int i = 0; i < l; i++ )
+			if ( ! s[i] )
+				{
+				error("binary Format: string contains null; replaced by '_'");
+				s[i] = '_';
+				}
+		}
+
+	s[l] = '\0';
+
+	*str = s;
+
+	DBG_LOG(DBG_SERIAL, "Read %d bytes |%s| [%s]", l, fmt_bytes(*str, l), tag);
+	return true;
+	}
+
+bool BinarySerializationFormat::Write(char v, const char* tag)
+	{
+	DBG_LOG(DBG_SERIAL, "Write char %s [%s]", fmt_bytes(&v, 1), tag);
+	return WriteData(&v, 1);
+	}
+
+bool BinarySerializationFormat::Write(uint16 v, const char* tag)
+	{
+	DBG_LOG(DBG_SERIAL, "Write uint16 %hu [%s]", v, tag);
+	v = htons(v);
+	return WriteData(&v, sizeof(v));
+	}
+
+bool BinarySerializationFormat::Write(uint32 v, const char* tag)
+	{
+	DBG_LOG(DBG_SERIAL, "Write uint32 %ld [%s]", v, tag);
+	v = htonl(v);
+	return WriteData(&v, sizeof(v));
+	}
+
+bool BinarySerializationFormat::Write(int v, const char* tag)
+	{
+	DBG_LOG(DBG_SERIAL, "Write int %d [%s]", v, tag);
+	uint32 tmp = htonl((uint32) v);
+	return WriteData(&tmp, sizeof(tmp));
+	}
+
+bool BinarySerializationFormat::Write(uint64 v, const char* tag)
+	{
+	DBG_LOG(DBG_SERIAL, "Write uint64 %lu [%s]", v, tag);
+	uint32 x[2];
+	x[0] = htonl(v >> 32);
+	x[1] = htonl(v & 0xffffffff);
+	return WriteData(x, sizeof(x));
+	}
+
+bool BinarySerializationFormat::Write(int64 v, const char* tag)
+	{
+	DBG_LOG(DBG_SERIAL, "Write int64 %ld [%s]", v, tag);
+	uint32 x[2];
+	x[0] = htonl(v >> 32);
+	x[1] = htonl(v & 0xffffffff);
+	return WriteData(x, sizeof(x));
+	}
+
+bool BinarySerializationFormat::Write(double d, const char* tag)
+	{
+	DBG_LOG(DBG_SERIAL, "Write double %.6f [%s]", d, tag);
+	d = htond(d);
+	return WriteData(&d, sizeof(d));
+	}
+
+bool BinarySerializationFormat::Write(bool v, const char* tag)
+	{
+	DBG_LOG(DBG_SERIAL, "Write bool %s [%s]", v ? "true" : "false", tag);
+	char c = v ? '\1' : '\0';
+	return WriteData(&c, 1);
+	}
+
+bool BinarySerializationFormat::Write(const char* s, const char* tag)
+	{
+	return Write(s, strlen(s), tag);
+	}
+
+bool BinarySerializationFormat::WriteOpenTag(const char* tag)
+	{
+	return true;
+	}
+
+bool BinarySerializationFormat::WriteCloseTag(const char* tag)
+	{
+	return true;
+	}
+
+bool BinarySerializationFormat::WriteSeparator()
+	{
+	return true;
+	}
+
+bool BinarySerializationFormat::Write(const char* buf, int len, const char* tag)
+	{
+	DBG_LOG(DBG_SERIAL, "Write bytes |%s| [%s]", fmt_bytes(buf, len), tag);
+	uint32 l = htonl(len);
+	return WriteData(&l, sizeof(l)) && WriteData(buf, len);
+	}
+
+XMLSerializationFormat::XMLSerializationFormat()
+	{
+	}
+
+XMLSerializationFormat::~XMLSerializationFormat()
+	{
+	}
+
+bool XMLSerializationFormat::Read(int* v, const char* tag)
+	{
+	internal_error("no reading of xml");
+	return false;
+	}
+
+bool XMLSerializationFormat::Read(uint16* v, const char* tag)
+	{
+	internal_error("no reading of xml");
+	return false;
+	}
+
+bool XMLSerializationFormat::Read(uint32* v, const char* tag)
+	{
+	internal_error("no reading of xml");
+	return false;
+	}
+
+bool XMLSerializationFormat::Read(int64* v, const char* tag)
+	{
+	internal_error("no reading of xml");
+	return false;
+	}
+
+bool XMLSerializationFormat::Read(uint64* v, const char* tag)
+	{
+	internal_error("no reading of xml");
+	return false;
+	}
+
+bool XMLSerializationFormat::Read(bool* v, const char* tag)
+	{
+	internal_error("no reading of xml");
+	return false;
+	}
+
+bool XMLSerializationFormat::Read(double* d, const char* tag)
+	{
+	internal_error("no reading of xml");
+	return false;
+	}
+
+bool XMLSerializationFormat::Read(char* v, const char* tag)
+	{
+	internal_error("no reading of xml");
+	return false;
+	}
+
+bool XMLSerializationFormat::Read(char** str, int* len, const char* tag)
+	{
+	internal_error("no reading of xml");
+	return false;
+	}
+
+bool XMLSerializationFormat::Write(char v, const char* tag)
+	{
+	return WriteElem(tag, "char", &v, 1);
+	}
+
+bool XMLSerializationFormat::Write(uint16 v, const char* tag)
+	{
+	const char* tmp = fmt("%u", v);
+	return WriteElem(tag, "uint16", tmp, strlen(tmp));
+	}
+
+bool XMLSerializationFormat::Write(uint32 v, const char* tag)
+	{
+	const char* tmp = fmt("%u", v);
+	return WriteElem(tag, "uint32", tmp, strlen(tmp));
+	}
+
+bool XMLSerializationFormat::Write(uint64 v, const char* tag)
+	{
+	const char* tmp = fmt("%llu", v);
+	return WriteElem(tag, "uint64", tmp, strlen(tmp));
+	}
+
+bool XMLSerializationFormat::Write(int64 v, const char* tag)
+	{
+	const char* tmp = fmt("%lld", v);
+	return WriteElem(tag, "int64", tmp, strlen(tmp));
+	}
+
+bool XMLSerializationFormat::Write(int v, const char* tag)
+	{
+	const char* tmp = fmt("%d", v);
+	return WriteElem(tag, "int", tmp, strlen(tmp));
+	}
+
+bool XMLSerializationFormat::Write(double d, const char* tag)
+	{
+	const char* tmp = fmt("%f", d);
+	return WriteElem(tag, "double", tmp, strlen(tmp));
+	}
+
+bool XMLSerializationFormat::Write(bool v, const char* tag)
+	{
+	if ( v )
+		return WriteElem(tag, "bool", "true", 4);
+	else
+		return WriteElem(tag, "bool", "false", 5);
+	}
+
+bool XMLSerializationFormat::Write(const char* s, const char* tag)
+	{
+	return WriteElem(tag, "string", s, strlen(s));
+	}
+
+bool XMLSerializationFormat::WriteOpenTag(const char* tag)
+	{
+	return WriteData("<", 1) && WriteData(tag, strlen(tag) && WriteData(">", 1));
+	}
+
+bool XMLSerializationFormat::WriteCloseTag(const char* tag)
+	{
+	return WriteData("</", 2) && WriteData(tag, strlen(tag))
+		&& WriteData(">", 1);
+	}
+
+bool XMLSerializationFormat::WriteSeparator()
+	{
+	return WriteData("\n", 1);
+	}
+
+bool XMLSerializationFormat::Write(const char* buf, int len, const char* tag)
+	{
+	return WriteElem(tag, "string", buf, len);
+	}
+
+bool XMLSerializationFormat::WriteEncodedString(const char* s, int len)
+	{
+	while ( len-- )
+		{
+		int success = false;
+		if ( ! isprint(*s) )
+			{
+			const char* tmp = fmt("%.4x", (int)* s++);
+			success = WriteData("&#x", 3) && WriteData(tmp, 4) &&
+			WriteData(";", 1);
+			}
+		else
+			{
+			switch ( *s ) {
+			case '"':
+				success = WriteData("&quot;", 6);
+				break;
+			case '&':
+				success = WriteData("&amp;", 5);
+				break;
+			case '<':
+				success = WriteData("&lt;", 4);
+				break;
+			case '>':
+				success = WriteData("&gt;", 4);
+				break;
+			default:
+				success = WriteData(s, 1);
+			}
+
+			if ( ! success )
+				return false;
+
+			++s;
+			}
+		}
+	return true;
+	}
+
+bool XMLSerializationFormat::WriteElem(const char* tag, const char* type,
+					const char* content, int len)
+	{
+	if ( ! tag )
+		return true;
+
+	return WriteData("<", 1) &&
+		WriteData(tag, strlen(tag)) &&
+#if 0
+		WriteData(" type=\"", 7) &&
+		WriteData(type, strlen(type)) &&
+		WriteData("\"", 1) &&
+#endif
+		WriteData(">", 1) &&
+		WriteEncodedString(content, len) &&
+		WriteData("</", 2) &&
+		WriteData(tag, strlen(tag)) &&
+		WriteData(">", 1);
+	}
diff --git a/src/SerializationFormat.h b/src/SerializationFormat.h
new file mode 100644
index 0000000000..8127343274
--- /dev/null
+++ b/src/SerializationFormat.h
@@ -0,0 +1,139 @@
+// $Id: SerializationFormat.h 5873 2008-06-28 19:25:03Z vern $
+//
+// Implements different data formats for serialization.
+
+#ifndef SERIALIZATION_FORMAT
+#define SERIALIZATION_FORMAT
+
+#include "util.h"
+
+// Abstract base class.
+class SerializationFormat {
+public:
+	SerializationFormat();
+	virtual ~SerializationFormat();
+
+	// Unserialization.
+	virtual void StartRead(char* data, uint32 len);
+	virtual void EndRead();
+
+	virtual bool Read(int* v, const char* tag) = 0;
+	virtual bool Read(uint16* v, const char* tag) = 0;
+	virtual bool Read(uint32* v, const char* tag) = 0;
+	virtual bool Read(int64* v, const char* tag) = 0;
+	virtual bool Read(uint64* v, const char* tag) = 0;
+	virtual bool Read(char* v, const char* tag) = 0;
+	virtual bool Read(bool* v, const char* tag) = 0;
+	virtual bool Read(double* d, const char* tag) = 0;
+
+	// Passes ownership of string.
+	virtual bool Read(char** str, int* len, const char* tag) = 0;
+
+	// Serialization.
+	virtual void StartWrite();
+	virtual uint32 EndWrite(char** data);	// passes ownership
+
+	virtual bool Write(int v, const char* tag) = 0;
+	virtual bool Write(uint16 v, const char* tag) = 0;
+	virtual bool Write(uint32 v, const char* tag) = 0;
+	virtual bool Write(int64 v, const char* tag) = 0;
+	virtual bool Write(uint64 v, const char* tag) = 0;
+	virtual bool Write(char v, const char* tag) = 0;
+	virtual bool Write(bool v, const char* tag) = 0;
+	virtual bool Write(double d, const char* tag) = 0;
+	virtual bool Write(const char* s, const char* tag) = 0;
+	virtual bool Write(const char* buf, int len, const char* tag) = 0;
+
+	virtual bool WriteOpenTag(const char* tag) = 0;
+	virtual bool WriteCloseTag(const char* tag) = 0;
+	virtual bool WriteSeparator() = 0;
+
+	// Returns number of raw bytes written since last call to StartWrite().
+	int BytesWritten() const	{ return bytes_written; }
+
+protected:
+	bool ReadData(void* buf, size_t count);
+	bool WriteData(const void* buf, size_t count);
+
+	static const uint32 INITIAL_SIZE = 65536;
+	char* output;
+	uint32 output_size;
+	uint32 output_pos;
+
+	char* input;
+	uint32 input_len;
+	uint32 input_pos;
+
+	int bytes_written;
+};
+
+class BinarySerializationFormat : public SerializationFormat {
+public:
+	BinarySerializationFormat();
+	virtual ~BinarySerializationFormat();
+
+	virtual bool Read(int* v, const char* tag);
+	virtual bool Read(uint16* v, const char* tag);
+	virtual bool Read(uint32* v, const char* tag);
+	virtual bool Read(int64* v, const char* tag);
+	virtual bool Read(uint64* v, const char* tag);
+	virtual bool Read(char* v, const char* tag);
+	virtual bool Read(bool* v, const char* tag);
+	virtual bool Read(double* d, const char* tag);
+	virtual bool Read(char** str, int* len, const char* tag);
+	virtual bool Write(int v, const char* tag);
+	virtual bool Write(uint16 v, const char* tag);
+	virtual bool Write(uint32 v, const char* tag);
+	virtual bool Write(int64 v, const char* tag);
+	virtual bool Write(uint64 v, const char* tag);
+	virtual bool Write(char v, const char* tag);
+	virtual bool Write(bool v, const char* tag);
+	virtual bool Write(double d, const char* tag);
+	virtual bool Write(const char* s, const char* tag);
+	virtual bool Write(const char* buf, int len, const char* tag);
+	virtual bool WriteOpenTag(const char* tag);
+	virtual bool WriteCloseTag(const char* tag);
+	virtual bool WriteSeparator();
+};
+
+class XMLSerializationFormat:public SerializationFormat {
+public:
+	XMLSerializationFormat();
+	virtual ~ XMLSerializationFormat();
+
+	// We don't write anything if tag is nil.
+	virtual bool Write(int v, const char* tag);
+	virtual bool Write(uint16 v, const char* tag);
+	virtual bool Write(uint32 v, const char* tag);
+	virtual bool Write(int64 v, const char* tag);
+	virtual bool Write(uint64 v, const char* tag);
+	virtual bool Write(char v, const char* tag);
+	virtual bool Write(bool v, const char* tag);
+	virtual bool Write(double d, const char* tag);
+	virtual bool Write(const char* s, const char* tag);
+	virtual bool Write(const char* buf, int len, const char* tag);
+	virtual bool WriteOpenTag(const char* tag);
+	virtual bool WriteCloseTag(const char* tag);
+	virtual bool WriteSeparator();
+
+	// Not implemented.
+	virtual bool Read(int* v, const char* tag);
+	virtual bool Read(uint16* v, const char* tag);
+	virtual bool Read(uint32* v, const char* tag);
+	virtual bool Read(int64* v, const char* tag);
+	virtual bool Read(uint64* v, const char* tag);
+	virtual bool Read(char* v, const char* tag);
+	virtual bool Read(bool* v, const char* tag);
+	virtual bool Read(double* d, const char* tag);
+	virtual bool Read(char** str, int* len, const char* tag);
+
+private:
+	// Encodes non-printable characters.
+	bool WriteEncodedString(const char* str, int len);
+
+	// Write an elment including type and encoding.
+	bool WriteElem(const char* tag, const char* type,
+				   const char* content, int len);
+};
+
+#endif
diff --git a/src/Serializer.cc b/src/Serializer.cc
new file mode 100644
index 0000000000..c6a065f28f
--- /dev/null
+++ b/src/Serializer.cc
@@ -0,0 +1,1194 @@
+// $Id: Serializer.cc 6752 2009-06-14 04:24:52Z vern $
+
+#include <fcntl.h>
+#include <unistd.h>
+#include <errno.h>
+#include <time.h>
+#include <dirent.h>
+#include <libgen.h>
+#include <sys/time.h>
+#include <sys/stat.h>
+
+#include "Serializer.h"
+#include "Scope.h"
+#include "Stmt.h"
+#include "Logger.h"
+#include "Func.h"
+#include "Event.h"
+#include "EventRegistry.h"
+#include "SerializationFormat.h"
+#include "NetVar.h"
+#include "Conn.h"
+#include "Timer.h"
+#include "RemoteSerializer.h"
+
+Serializer::Serializer(SerializationFormat* arg_format)
+	{
+	if ( arg_format )
+		format = arg_format;
+	else
+		format = new BinarySerializationFormat();
+
+	io = 0;
+	error_descr = 0;
+	current_cache = 0;
+	}
+
+Serializer::~Serializer()
+	{
+	delete format;
+	delete [] error_descr;
+	}
+
+bool Serializer::Read(string* s, const char* tag)
+	{
+	char* cstr;
+	int len;
+	if ( format->Read(&cstr, &len, tag) )
+		{
+		s->assign(cstr, len);
+		delete [] cstr;
+		return true;
+		}
+	else
+		return false;
+	}
+
+bool Serializer::StartSerialization(SerialInfo* info, const char* descr,
+					char tag)
+	{
+	format->StartWrite();
+	assert(current_cache);
+	SetErrorDescr(fmt("serializing %s", descr));
+	if ( ! Write(tag, "tag") )
+		{
+		Error(io->Error());
+		return false;
+		}
+
+	current_cache->Begin(info->new_cache_strategy);
+	return true;
+	}
+
+bool Serializer::EndSerialization(SerialInfo* info)
+	{
+	ChunkedIO::Chunk* chunk = new ChunkedIO::Chunk;
+	chunk->len = format->EndWrite(&chunk->data);
+
+	if ( info->chunk )
+		{
+
+		if ( ! io->Write(info->chunk) )
+			{
+			Error(io->Error());
+			return false;
+			}
+		}
+
+	if ( ! io->Write(chunk) )
+		{
+		Error(io->Error());
+		return false;
+		}
+
+	current_cache->End(info->new_cache_strategy);
+	return true;
+	}
+
+bool Serializer::Serialize(SerialInfo* info, const ID& id)
+	{
+	if ( info->cont.NewInstance() )
+		{
+		if ( ! (id.IsGlobal() || id.IsEnumConst()) )
+			{
+			Error("non-global identifiers cannot be serialized");
+			return false;
+			}
+
+		if ( ! StartSerialization(info, "ID", 'i') )
+			return false;
+		}
+
+	info->cont.SaveContext();
+	bool result = id.Serialize(info);
+	info->cont.RestoreContext();
+
+	if ( ! result )
+		{
+		Error("failed");
+		return false;
+		}
+
+	if ( info->cont.ChildSuspended() )
+		return true;
+
+	WriteSeparator();
+	return EndSerialization(info);
+	}
+
+bool Serializer::Serialize(SerialInfo* info, const char* func, val_list* args)
+	{
+	DisableSuspend suspend(info);
+
+	if ( ! StartSerialization(info, "call", 'e') )
+		return false;
+
+	WriteOpenTag("call");
+	int a = args->length();
+	Write(func, "name");
+	Write(network_time, "time");
+	Write(a, "len");
+
+	loop_over_list(*args, i) (*args)[i]->Serialize(info);
+
+	WriteCloseTag("call");
+	WriteSeparator();
+
+	return EndSerialization(info);
+	}
+
+bool Serializer::Serialize(SerialInfo* info, const StateAccess& s)
+	{
+	DisableSuspend suspend(info);
+
+	if ( ! StartSerialization(info, "state access", 's') )
+		return false;
+
+	if ( ! s.Serialize(info) )
+		{
+		Error("failed");
+		return false;
+		}
+
+	return EndSerialization(info);
+	}
+
+bool Serializer::Serialize(SerialInfo* info, const Timer& t)
+	{
+	DisableSuspend suspend(info);
+
+	if ( ! StartSerialization(info, "timer", 't') )
+		return false;
+
+	if ( ! t.Serialize(info) )
+		{
+		Error("failed");
+		return false;
+		}
+
+	return EndSerialization(info);
+	}
+
+bool Serializer::Serialize(SerialInfo* info, const Connection& c)
+	{
+	DisableSuspend suspend(info);
+
+	if ( ! StartSerialization(info, "connection", 'c') )
+		return false;
+
+	if ( ! c.Serialize(info) )
+		{
+		Error("failed");
+		return false;
+		}
+
+	return EndSerialization(info);
+	}
+
+bool Serializer::Serialize(SerialInfo* info, const Packet& p)
+	{
+	DisableSuspend suspend(info);
+
+	if ( ! StartSerialization(info, "packet", 'p') )
+		return false;
+
+	if ( ! p.Serialize(info) )
+		{
+		Error("failed");
+		return false;
+		}
+
+	return EndSerialization(info);
+	}
+
+int Serializer::Unserialize(UnserialInfo* info, bool block)
+	{
+	assert(current_cache);
+
+	SetErrorDescr("unserializing");
+
+	current_cache->Begin(info->new_cache_strategy);
+
+	ChunkedIO::Chunk* chunk = info->chunk;
+
+	while ( ! chunk )
+		{
+		if ( ! io->Read(&chunk) )
+			{
+			if ( io->Eof() )
+				return 0;
+			Error(io->Error());
+			return -1;
+			}
+
+		if ( ! chunk && ! block )
+			return 0;
+		}
+
+	format->StartRead(chunk->data, chunk->len);
+
+	char type;
+	if ( ! format->Read(&type, "tag") )
+		return -1;
+
+//	DEBUG(fmt("parent: serialization of size %d", );
+
+	bool result;
+	switch ( type ) {
+	case 'i':
+		result = UnserializeID(info);
+		break;
+
+	case 'e':
+		result = UnserializeCall(info);
+		break;
+
+	case 's':
+		result = UnserializeStateAccess(info);
+		break;
+
+	case 'c':
+		result = UnserializeConnection(info);
+		break;
+
+	case 't':
+		result = UnserializeTimer(info);
+		break;
+
+	case 'p':
+		result = UnserializePacket(info);
+		break;
+
+	default:
+		Error(fmt("unknown serialization type %x", (int) type));
+		result = false;
+	}
+
+	format->EndRead();
+
+	if ( ! info->chunk )
+		{ // only delete if we allocated it ourselves
+		delete [] chunk->data;
+		delete chunk;
+		}
+
+	current_cache->End(info->new_cache_strategy);
+
+	return result ? 1 : -1;
+	}
+
+bool Serializer::UnserializeID(UnserialInfo* info)
+	{
+	SetErrorDescr("unserializing ID");
+
+	ID* id = ID::Unserialize(info);
+
+	if ( ! id )
+		return false;
+
+	if ( info->print )
+		{
+		ODesc d;
+		d.SetQuotes(true);
+		d.SetIncludeStats(true);
+		d.SetShort();
+		id->DescribeExtended(&d);
+		fprintf(info->print, "ID %s\n", d.Description());
+		}
+
+	if ( ! info->ignore_callbacks )
+		GotID(id, id->ID_Val());
+	else
+		Unref(id);
+
+	return true;
+	}
+
+bool Serializer::UnserializeCall(UnserialInfo* info)
+	{
+	char* name;
+	int len;
+	double time;
+
+	if ( ! (UNSERIALIZE_STR(&name, 0) && UNSERIALIZE(&time) && UNSERIALIZE(&len)) )
+		return false;
+
+	SetErrorDescr(fmt("unserializing event/function %s", name));
+
+	bool ignore = false;
+	FuncType* functype = 0;
+	type_list* types = 0;
+
+	ID* id = global_scope()->Lookup(name);
+
+	if ( id )
+		{
+		if ( id->Type()->Tag() == TYPE_FUNC )
+			{
+			functype = id->Type()->AsFuncType();
+			types = functype->ArgTypes()->Types();
+			if ( types->length() != len )
+				{
+				Error("wrong number of arguments, ignoring");
+				ignore = true;
+				}
+			}
+		else
+			{
+			Error("not a function/event, ignoring");
+			ignore = true;
+			}
+		}
+	else
+		{
+		Error("unknown event/function, ignoring");
+		ignore = true;
+		}
+
+	ODesc d;
+	d.SetQuotes(true);
+	d.SetIncludeStats(true);
+	d.SetShort();
+
+	val_list* args = new val_list;
+	for ( int i = 0; i < len; ++i )
+		{
+		Val* v = Val::Unserialize(info);
+
+		if ( ! v )
+			{
+			delete [] name;
+			return false;
+			}
+
+		if ( ! ignore )
+			{
+			if ( v->Type()->Tag() != (*types)[i]->Tag() &&
+			     (*types)[i]->Tag() != TYPE_ANY )
+				{
+				Error("mismatch in argument types; ignoring");
+				ignore = true;
+				}
+
+			if ( info->print && types && ! ignore )
+				v->Describe(&d);
+			}
+
+		args->append(v);
+		}
+
+	if ( ! ignore  )
+		{
+		if ( info->print )
+			fprintf(info->print, "%s [%.06f] %s(%s)\n",
+				functype->IsEvent() ? "Event" : "Function call",
+				time, name, types ? d.Description() : "<ignored>");
+
+		if ( functype->IsEvent() )
+			{
+			EventHandler* handler = event_registry->Lookup(name);
+			assert(handler);
+			if ( ! info->ignore_callbacks )
+				GotEvent(name, time, handler, args);
+			}
+		else
+			if ( ! info->ignore_callbacks )
+				GotFunctionCall(name, time, id->ID_Val()->AsFunc(), args);
+
+		if ( info->ignore_callbacks )
+			delete_vals(args);
+
+		}
+	else
+		delete_vals(args);
+
+	delete [] name;
+
+	return true;
+	}
+
+bool Serializer::UnserializeStateAccess(UnserialInfo* info)
+	{
+	SetErrorDescr("unserializing state acess");
+
+	StateAccess* s = StateAccess::Unserialize(info);
+
+	if ( ! s )
+		return false;
+
+	if ( info->print )
+		{
+		ODesc d;
+		d.SetQuotes(true);
+		d.SetIncludeStats(true);
+		d.SetShort();
+		s->Describe(&d);
+		fprintf(info->print, "State access: %s\n", d.Description());
+		}
+
+	if ( ! info->ignore_callbacks )
+		GotStateAccess(s);
+	else
+		delete s;
+
+	return true;
+	}
+
+bool Serializer::UnserializeTimer(UnserialInfo* info)
+	{
+	SetErrorDescr("unserializing timer");
+
+	Timer* t = Timer::Unserialize(info);
+
+	if ( ! t )
+		return false;
+
+	if ( info->print )
+		{
+		ODesc d;
+		d.SetQuotes(true);
+		d.SetIncludeStats(true);
+		d.SetShort();
+		t->Describe(&d);
+		fprintf(info->print, "Timer: %s\n", d.Description());
+		}
+
+	if ( ! info->ignore_callbacks )
+		GotTimer(t);
+
+	return true;
+	}
+
+bool Serializer::UnserializeConnection(UnserialInfo* info)
+	{
+	SetErrorDescr("unserializing connection");
+
+	Connection* c = Connection::Unserialize(info);
+
+	if ( ! c )
+		return false;
+
+	if ( info->print )
+		{
+		ODesc d;
+		d.SetQuotes(true);
+		d.SetIncludeStats(true);
+		d.SetShort();
+		c->Describe(&d);
+		fprintf(info->print, "Connection: %s", d.Description());
+		}
+
+	if ( info->install_conns )
+		{
+		if ( c->IsPersistent() && c->Key() )
+			persistence_serializer->Register(c);
+		Ref(c);
+		sessions->Insert(c);
+		}
+	else
+		// We finish the connection here because it's not part
+		// of the standard processing and most likely to be
+		// discarded pretty soon.
+		// Without the Done(), some cleanup may not take place.
+		c->Done();
+
+	if ( ! info->ignore_callbacks )
+		GotConnection(c);
+	else
+		Unref(c);
+
+	return true;
+	}
+
+bool Serializer::UnserializePacket(UnserialInfo* info)
+	{
+	SetErrorDescr("unserializing packet");
+
+	Packet* p = Packet::Unserialize(info);
+
+	if ( ! p )
+		return false;
+
+	if ( info->print )
+		{
+		ODesc d;
+		d.SetQuotes(true);
+		d.SetIncludeStats(true);
+		d.SetShort();
+		p->Describe(&d);
+		fprintf(info->print, "Packet: %s", d.Description());
+		}
+
+	if ( ! info->ignore_callbacks )
+		GotPacket(p);
+	else
+		delete p;
+
+	return true;
+	}
+
+void Serializer::Error(const char* str)
+	{
+	char buffer[1024];
+	safe_snprintf(buffer, sizeof(buffer), "%s%s%s",
+		      error_descr ? error_descr : "", error_descr ? ": " : "", str);
+	ReportError(buffer);
+	}
+
+void Serializer::Warning(const char* str)
+	{
+	// We ignore these as there's no good place to report them.
+	}
+
+SerializationCache::SerializationCache(unsigned int arg_max_cache_size)
+	{
+	max_cache_size = arg_max_cache_size;
+	next_id = 1;
+	cache_stable.head = cache_stable.tail = 0;
+	cache_unstable.head = cache_unstable.tail = 0;
+	cache_stable.size = cache_unstable.size = 0;
+	}
+
+SerializationCache::~SerializationCache()
+	{
+	Clear();
+	}
+
+SerializationCache::PermanentID
+SerializationCache::Register(const SerialObj* obj, PermanentID pid,
+				bool new_cache_strategy)
+	{
+	if ( pid == NONE )
+		pid = next_id++;
+
+	PIDMap::iterator i = pid_map.find(pid);
+	assert(i == pid_map.end());
+
+	CacheList* cache =
+		(new_cache_strategy && obj->IsCacheStable()) ?
+			&cache_stable : &cache_unstable;
+
+	CacheEntry* entry = new CacheEntry;
+	entry->obj.serial = obj;
+	entry->is_bro_obj = obj->IsBroObj();
+	entry->pid = pid;
+	entry->tid = obj->GetTID()->Value();
+	entry->time = SerialObj::GetTimeCounter();
+	entry->prev = cache->tail;
+	entry->next = 0;
+	entry->cache = cache;
+	entry->stype = obj->GetSerialType();
+
+	if ( cache->tail )
+		cache->tail->next = entry;
+	if ( ! cache->head )
+		cache->head = entry;
+
+	cache->tail = entry;
+	++(cache->size);
+
+	// This is a bit weird. If the TID is already contained in the map (i.e.
+	// we're re-registering), TIDMap::insert() will *not* override the old
+	// entry but set the bool to false and return it.
+	pair<TIDMap::iterator, bool> old = tid_map.insert(TIDMap::value_type(entry->tid, entry));
+	if ( ! old.second )
+		{
+		// Already existed.
+		old.first->second->tid = 0;	// invalidate
+		old.first->second = entry;	// replace
+		}
+
+	pid_map.insert(PIDMap::value_type(pid, entry));
+
+	if ( entry->is_bro_obj )
+		Ref(const_cast<BroObj*>(entry->obj.bro));
+	else
+		{
+		// Make sure it goes into unstable.
+		assert(! obj->IsCacheStable());
+
+		volatiles.push_back(entry);
+		}
+
+	return entry->pid;
+	}
+
+void SerializationCache::UnlinkEntry(CacheEntry* e)
+	{
+	assert(e);
+
+	// Remove from double-linked list.
+	if ( e == e->cache->head )
+		{
+		e->cache->head = e->next;
+		if ( e->cache->head )
+			e->cache->head->prev = 0;
+		}
+	else
+		e->prev->next = e->next;
+
+	if ( e == e->cache->tail )
+		{
+		e->cache->tail = e->prev;
+		if ( e->cache->tail )
+			e->cache->tail->next = 0;
+		}
+	else
+		e->next->prev = e->prev;
+
+	e->prev = e->next = 0;
+	}
+
+void SerializationCache::RemoveEntry(CacheEntry* e)
+	{
+	assert(e);
+	UnlinkEntry(e);
+
+	if ( e->tid )
+		tid_map.erase(e->tid);
+
+	pid_map.erase(e->pid);
+
+	if ( e->is_bro_obj )
+		Unref(const_cast<BroObj*>(e->obj.bro));
+
+	e->obj.serial = 0; // for debugging
+	--(e->cache->size);
+	delete e;
+	}
+
+void SerializationCache::MoveEntryToTail(CacheEntry* e)
+	{
+	assert(e);
+	UnlinkEntry(e);
+	e->prev = e->cache->tail;
+	e->next = 0;
+
+	if ( e->cache->tail )
+		e->cache->tail->next = e;
+	if ( ! e->cache->head )
+		e->cache->head = e;
+
+	e->cache->tail = e;
+	}
+
+void SerializationCache::Clear()
+	{
+	tid_map.clear();
+	pid_map.clear();
+	volatiles.clear();
+
+	while ( cache_stable.head )
+		RemoveEntry(cache_stable.head);
+
+	while ( cache_unstable.head )
+		RemoveEntry(cache_unstable.head);
+
+	assert(cache_stable.size == 0);
+	assert(cache_unstable.size == 0);
+	}
+
+void SerializationCache::End(bool new_cache_strategy)
+	{
+	// Remove objects not-derived from BroObj (they aren't ref'counted
+	// so it's not safe to keep them).
+	for ( VolatileList::iterator i = volatiles.begin();
+	      i != volatiles.end(); i++ )
+		{
+		assert(*i);
+		RemoveEntry(*i);
+		}
+
+	volatiles.clear();
+
+	if ( new_cache_strategy )
+		{
+		while ( max_cache_size && cache_stable.head &&
+				cache_stable.size > max_cache_size )
+			RemoveEntry(cache_stable.head);
+
+		while ( max_cache_size && cache_unstable.head &&
+				cache_unstable.size > max_cache_size )
+			RemoveEntry(cache_unstable.head);
+		}
+
+	else
+		{
+		while ( max_cache_size && pid_map.size() > max_cache_size )
+			RemoveEntry(cache_unstable.head);
+		}
+	}
+
+FileSerializer::FileSerializer(SerializationFormat* format)
+: Serializer(format), cache(100)
+	{
+	file = 0;
+	fd = -1;
+	io = 0;
+	SetCache(&cache);
+	}
+
+FileSerializer::~FileSerializer()
+	{
+	if ( io )
+		io->Flush();
+
+	delete [] file;
+	delete io;
+
+	if ( fd >= 0 )
+		close(fd);
+	}
+
+bool FileSerializer::Open(const char* file, bool pure)
+	{
+	if ( ! OpenFile(file, false) )
+		return false;
+
+	if ( pure )
+		io->MakePure();
+
+	if ( ! PrepareForWriting() )
+		return false;
+
+	return true;
+	}
+
+bool FileSerializer::Close()
+	{
+	CloseFile();
+	return true;
+	}
+
+bool FileSerializer::OpenFile(const char* arg_file, bool readonly, bool should_exist)
+	{
+	CloseFile();
+
+	cache.Clear();
+
+	file = copy_string(arg_file);
+	fd = open(file, readonly ? O_RDONLY : O_WRONLY | O_CREAT | O_TRUNC, 0600);
+
+	if ( fd < 0 )
+		{
+		if ( readonly && errno == ENOENT )
+			{
+			// Only an error if we expect to exist.
+			if ( should_exist )
+				{
+				Error(fmt("%s does not exist", file));
+				return false;
+				}
+
+			CloseFile();
+			return true;
+			}
+
+		Error(fmt("can't open file %s for %s: %s",
+				file, (readonly ? "reading" : "writing"),
+				strerror(errno)));
+		return false;
+		}
+
+	io = new ChunkedIOFd(fd, "file");
+
+	return io != 0;
+	}
+
+void FileSerializer::CloseFile()
+	{
+	if ( io )
+		io->Flush();
+
+	if ( fd >= 0 )
+		close(fd);
+	fd = -1;
+
+	delete [] file;
+	file = 0;
+
+	delete io;
+	io = 0;
+
+	cache.Clear();
+	}
+
+bool FileSerializer::PrepareForWriting()
+	{
+	if ( ! io->IsPure() )
+		{
+		// Write file header.
+		uint32 magic = htonl(MAGIC);
+		uint16 version = htons(DATA_FORMAT_VERSION);
+		uint32 time = htonl(uint32(::time(0)));
+
+		if ( write(fd, &magic, sizeof(magic)) != sizeof(magic ) ||
+		     write(fd, &version, sizeof(version)) != sizeof(version) ||
+		     write(fd, &time, sizeof(time)) != sizeof(time))
+			{
+			Error(fmt("can't write file header to %s: %s",
+					file, strerror(errno)));
+			return false;
+			}
+		}
+
+	return true;
+	}
+
+bool FileSerializer::ReadHeader(UnserialInfo* info)
+	{
+	uint32 magic;
+	uint16 version;
+	uint32 time;
+
+	if ( read(fd, &magic, sizeof(magic)) != sizeof(magic ) ||
+	     read(fd, &version, sizeof(version)) != sizeof(version) ||
+	     read(fd, &time, sizeof(time)) != sizeof(time) )
+		{
+		Error(fmt("can't read file header from %s: %s",
+				file, strerror(errno)));
+		return false;
+		}
+
+	version = ntohs(version);
+	time = ntohl(time);
+
+	if ( info && info->print )
+		{
+		time_t teatime = (time_t) time;
+		fprintf(stderr, "Date: %s", ctime(&teatime));
+		}
+
+	if ( magic != htonl(MAGIC) )
+		{
+		Error(fmt("%s is not a bro state file", file));
+		CloseFile();
+		return false;
+		}
+
+	if ( version != DATA_FORMAT_VERSION )
+		{
+		Error(fmt("wrong data format, expected version %d but got version %d", DATA_FORMAT_VERSION, version));
+		CloseFile();
+		return false;
+		}
+
+	return true;
+	}
+
+bool FileSerializer::Read(UnserialInfo* info, const char* file, bool header)
+	{
+	if ( ! OpenFile(file, true, info->print) )
+		return false;
+
+	// fprintf( stderr, "Reading %s\n", file );
+
+	if ( fd < 0 )
+		// Not existent, but that's ok.
+		return true;
+
+	if ( header && ! ReadHeader(info) )
+		return false;
+
+	int i;
+	while ( (i = Unserialize(info, true)) > 0 )
+		;
+
+	CloseFile();
+
+	return i == 0;
+	}
+
+void FileSerializer::ReportError(const char* str)
+	{
+	run_time(str);
+	}
+
+void FileSerializer::GotID(ID* id, Val* val)
+	{
+	// Do nothing.
+	Unref(id);
+	}
+
+void FileSerializer::GotStateAccess(StateAccess* s)
+	{
+	delete s;
+	}
+
+void FileSerializer::GotEvent(const char* name, double time,
+				EventHandlerPtr event, val_list* args)
+	{
+	// Do nothing.
+	delete_vals(args);
+	}
+
+void FileSerializer::GotFunctionCall(const char* name, double time,
+				Func* func, val_list* args)
+	{
+	// Do nothing.
+	delete_vals(args);
+	}
+
+void FileSerializer::GotTimer(Timer* t)
+	{
+	// Do nothing.
+	delete t;
+	}
+
+void FileSerializer::GotConnection(Connection* c)
+	{
+	// Do nothing.
+	Unref(c);
+	}
+
+void FileSerializer::GotPacket(Packet* p)
+	{
+	// Do nothing.
+	delete p;
+	}
+
+ConversionSerializer::ConversionSerializer(SerializationFormat* in,
+						SerializationFormat* out)
+: FileSerializer(in)
+	{
+	serout = new FileSerializer(out);
+	}
+
+ConversionSerializer::~ConversionSerializer()
+	{
+	delete serout;
+	}
+
+bool ConversionSerializer::Convert(const char* file_in, const char* file_out)
+	{
+	internal_error("Error: Printing as XML is broken.");
+
+	if ( ! serout->Open(file_out, true) )
+		return false;
+
+	UnserialInfo info_in(this);
+	if ( ! Read(&info_in, file_in) )
+		return false;
+
+	if ( ! serout->Close() )
+		return false;
+
+	return true;
+	}
+
+void ConversionSerializer::GotEvent(const char* name, double time,
+					EventHandlerPtr event, val_list* args)
+	{
+	SerialInfo info(serout);
+	serout->Serialize(&info, name, args);
+	delete_vals(args);
+	}
+
+void ConversionSerializer::GotFunctionCall(const char* name, double time,
+					Func* func, val_list* args)
+	{
+	SerialInfo info(serout);
+	serout->Serialize(&info, name, args);
+	delete_vals(args);
+	}
+
+void ConversionSerializer::GotID(ID* id, Val* val)
+	{
+	warn("ConversionSerializer::GotID not implemented");
+	Unref(id);
+	}
+
+void ConversionSerializer::GotStateAccess(StateAccess* s)
+	{
+	warn("ConversionSerializer::GotID not implemented");
+	delete s;
+	}
+
+void ConversionSerializer::GotPacket(Packet* p)
+	{
+	warn("ConversionSerializer::GotPacket not implemented");
+	delete p;
+	}
+
+EventPlayer::EventPlayer(const char* file)
+	{
+	if ( ! OpenFile(file, true) || fd < 0 )
+		Error(fmt("event replayer: cannot open %s", file));
+
+	if ( ReadHeader() )
+		io_sources.Register(this);
+	}
+
+EventPlayer::~EventPlayer()
+	{
+	CloseFile();
+	}
+
+void EventPlayer::GotEvent(const char* name, double time,
+		EventHandlerPtr event, val_list* args)
+	{
+	ne_time = time;
+	ne_handler = event;
+	ne_args = args;
+	}
+
+void EventPlayer::GotFunctionCall(const char* name, double time,
+		Func* func, val_list* args)
+	{
+	// We don't replay function calls.
+	}
+
+void EventPlayer::GetFds(int* read, int* write, int* except)
+	{
+	*read = fd;
+	}
+
+double EventPlayer::NextTimestamp(double* local_network_time)
+	{
+	if ( ne_time )
+		return ne_time;
+
+	if ( ! io )
+		return 0;
+
+	// Read next event if we don't have one waiting.
+	if ( ! ne_time )
+		{
+		UnserialInfo info(this);
+		Unserialize(&info);
+		closed = io->Eof();
+		}
+
+	if ( ! ne_time )
+		return 0;
+
+	if ( ! network_time )
+		{
+		// Network time not initialized yet.
+		stream_time = replay_time = ne_time;
+		return ne_time;
+		}
+
+	if ( ! stream_time )
+		{
+		// Init base times.
+		stream_time = ne_time;
+		replay_time = network_time;
+		}
+
+	// Scale time.
+	ne_time = ne_time - stream_time + network_time;
+	return ne_time;
+	}
+
+void EventPlayer::Process()
+	{
+	if ( ! (io && ne_time) )
+		return;
+
+	Event* event = new Event(ne_handler, ne_args);
+	mgr.Dispatch(event);
+
+	ne_time = 0;
+	}
+
+void Packet::Describe(ODesc* d) const
+	{
+	const IP_Hdr ip = IP();
+	d->Add(dotted_addr(ip.SrcAddr()));
+	d->Add("->");
+	d->Add(dotted_addr(ip.DstAddr()));
+	}
+
+bool Packet::Serialize(SerialInfo* info) const
+	{
+	return SERIALIZE(uint32(hdr->ts.tv_sec)) &&
+		SERIALIZE(uint32(hdr->ts.tv_usec)) &&
+		SERIALIZE(uint32(hdr->len)) &&
+		SERIALIZE(link_type) &&
+		info->s->Write(tag.c_str(), 0, "tag") &&
+		info->s->Write((const char*) pkt, hdr->caplen, "data");
+	}
+
+static BroFile* profiling_output = 0;
+
+#ifdef DEBUG
+static PktDumper* dump = 0;
+#endif
+
+Packet* Packet::Unserialize(UnserialInfo* info)
+	{
+	Packet* p = new Packet("", true);
+	pcap_pkthdr* hdr = new pcap_pkthdr;
+
+	uint32 tv_sec, tv_usec, len;
+
+	if ( ! (UNSERIALIZE(&tv_sec) &&
+		UNSERIALIZE(&tv_usec) &&
+		UNSERIALIZE(&len) &&
+		UNSERIALIZE(&p->link_type)) )
+		return 0;
+
+	hdr->ts.tv_sec = tv_sec;
+	hdr->ts.tv_usec = tv_usec;
+	hdr->len = len;
+
+	char* tag;
+	if ( ! info->s->Read((char**) &tag, 0, "tag") )
+		return 0;
+
+	u_char* pkt;
+	int caplen;
+	if ( ! info->s->Read((char**) &pkt, &caplen, "data") )
+		{
+		delete [] tag;
+		return 0;
+		}
+
+	hdr->caplen = uint32(caplen);
+	p->hdr = hdr;
+	p->pkt = pkt;
+	p->tag = tag;
+	p->hdr_size = get_link_header_size(p->link_type);
+
+	delete [] tag;
+
+	// For the global timer manager, we take the global network_time as the
+	// packet's timestamp for feeding it into our packet loop.
+	if ( p->tag == "" )
+		p->time = timer_mgr->Time();
+	else
+		p->time = p->hdr->ts.tv_sec + double(p->hdr->ts.tv_usec) / 1e6;
+
+	if ( time_machine_profiling )
+		{
+		if ( ! profiling_output )
+			profiling_output =
+				new BroFile("tm-prof.packets.log", "w");
+
+		profiling_output->Write(fmt("%.6f %s %d\n", current_time(),
+			(p->tag != "" ? p->tag.c_str() : "-"), hdr->len));
+		}
+
+#ifdef DEBUG
+	if ( debug_logger.IsEnabled(DBG_TM) )
+		{
+		if ( ! dump )
+			dump = new PktDumper("tm.pcap");
+
+		dump->Dump(p->hdr, p->pkt);
+		}
+#endif
+
+	return p;
+	}
diff --git a/src/Serializer.h b/src/Serializer.h
new file mode 100644
index 0000000000..c8f9284b53
--- /dev/null
+++ b/src/Serializer.h
@@ -0,0 +1,437 @@
+// $Id: Serializer.h 6752 2009-06-14 04:24:52Z vern $
+
+#ifndef SERIALIZER_H
+#define SERIALIZER_H
+
+#include <map>
+#include <list>
+#include <pcap.h>
+
+#include "ID.h"
+#include "List.h"
+#include "Expr.h"
+#include "ChunkedIO.h"
+#include "SerializationFormat.h"
+#include "StateAccess.h"
+#include "PriorityQueue.h"
+#include "SerialInfo.h"
+#include "IP.h"
+#include "Timer.h"
+#include "IOSource.h"
+
+class SerializationCache;
+class SerialInfo;
+
+class Connection;
+class Timer;
+class Packet;
+
+class Serializer {
+public:
+	// Currently ID serialization is the only method which may suspend.
+	bool Serialize(SerialInfo* info, const ID& id);
+	bool Serialize(SerialInfo* info, const char* func, val_list* args);
+	bool Serialize(SerialInfo* info, const StateAccess& s);
+	bool Serialize(SerialInfo* info, const Connection& c);
+	bool Serialize(SerialInfo* info, const Timer& t);
+	bool Serialize(SerialInfo* info, const Packet& p);
+
+	// Access to the current cache.
+	SerializationCache* Cache()	{ return current_cache; }
+	void SetCache(SerializationCache* cache)
+		{ current_cache = cache; }
+
+	// Input/output methods.
+
+#define DECLARE_READ(type) \
+	bool Read(type* v, const char* tag)	{ return format->Read(v, tag); }
+
+#define DECLARE_WRITE(type) \
+	bool Write(type v, const char* tag)	\
+		{ return format->Write(v, tag); }
+
+#define DECLARE_IO(type)	\
+	DECLARE_READ(type)	\
+	DECLARE_WRITE(type)
+
+	DECLARE_IO(int)
+	DECLARE_IO(uint16)
+	DECLARE_IO(uint32)
+	DECLARE_IO(int64)
+	DECLARE_IO(uint64)
+	DECLARE_IO(char)
+	DECLARE_IO(bool)
+	DECLARE_IO(double)
+
+	bool Read(char** str, int* len, const char* tag)
+		{ return format->Read(str, len, tag); }
+	bool Read(const char** str, int* len, const char* tag)
+		// This cast is ok.
+		{ return format->Read(const_cast<char**>(str), len, tag); }
+
+	bool Read(string* s, const char* tag);
+
+	bool Write(const char* s, const char* tag)
+		{ return format->Write(s, tag); }
+	bool Write(const char* buf, int len, const char* tag)
+		{ return format->Write(buf, len, tag); }
+	bool Write(const string& s, const char* tag)
+		{ return format->Write(s.data(), s.size(), tag); }
+
+	bool WriteOpenTag(const char* tag)
+		{ return format->WriteOpenTag(tag); }
+	bool WriteCloseTag(const char* tag)
+		{ return format->WriteCloseTag(tag); }
+
+	bool WriteSeparator()	{ return format->WriteSeparator(); }
+
+	void Error(const char* msg);
+	void Warning(const char* msg);
+
+	void SetErrorDescr(const char* descr)
+		{ delete [] error_descr; error_descr = copy_string(descr); }
+
+protected:
+	// Format defaults to binary serialization.
+	Serializer(SerializationFormat* format = 0);
+	virtual ~Serializer();
+
+	// Reads next object.
+	// If 'block' is true, wait until an object can be read.
+	// Returns 0 if no more object available, -1 on error.
+	int Unserialize(UnserialInfo* info, bool block = false);
+
+	// Callback for error messages.
+	virtual void ReportError(const char* msg) = 0;
+
+	// Callbacks for unserialized objects.
+
+	// id points to ID in global scope, val is unserialized value.
+	virtual void GotID(ID* id, Val* val) = 0;
+	virtual void GotEvent(const char* name, double time,
+				EventHandlerPtr event, val_list* args) = 0;
+	virtual void GotFunctionCall(const char* name, double time,
+				Func* func, val_list* args) = 0;
+	virtual void GotStateAccess(StateAccess* s) = 0;
+	virtual void GotTimer(Timer* t) = 0;
+	virtual void GotConnection(Connection* c) = 0;
+	virtual void GotPacket(Packet* packet) = 0;
+
+	// Magic to recognize state files.
+	static const uint32 MAGIC = 0x42525354;
+
+	// This will be increased whenever there is an incompatible change
+	// in the data format.
+	static const uint32 DATA_FORMAT_VERSION = 18;
+
+	ChunkedIO* io;
+
+private:
+	bool StartSerialization(SerialInfo* info, const char* descr, char tag);
+	bool EndSerialization(SerialInfo* info);
+
+	bool UnserializeID(UnserialInfo* info);
+	bool UnserializeCall(UnserialInfo* info);
+	bool UnserializeStateAccess(UnserialInfo* info);
+	bool UnserializeTimer(UnserialInfo* info);
+	bool UnserializeConnection(UnserialInfo* info);
+	bool UnserializePacket(UnserialInfo* info);
+
+	SerializationFormat* format;
+	SerializationCache* current_cache;
+	const char* error_descr;	// used in error messages
+};
+
+
+
+// We maintain an LRU-cache for some of the objects which have already been
+// serialized. For the cache, we need two types of IDs: TransientIDs (defined
+// in SerialObj.cc) uniquely reference an object during the lifetime of a
+// process.  PermanentIDs uniquely reference an object within a serialization.
+
+class SerializationCache {
+public:
+	typedef uint64 PermanentID;
+	static const PermanentID NONE = 0;
+
+	// If max_cache_size is greater than zero, we'll remove old entries
+	// automatically if limit is reached (LRU expiration).
+	SerializationCache(unsigned int max_cache_size = 0);
+	~SerializationCache();
+
+	PermanentID Register(const SerialObj* obj, PermanentID pid,
+				bool new_cache_strategy);
+
+	const SerialObj* Lookup(PermanentID pid)
+		{
+		PIDMap::const_iterator i = pid_map.find(pid);
+		if ( i == pid_map.end() )
+			return 0;
+
+		assert(i->second);
+		MoveEntryToTail(i->second);
+		return i->second->obj.serial;
+		}
+
+	PermanentID Lookup(const TransientID& tid)
+		{
+		TIDMap::const_iterator i = tid_map.find(tid.Value());
+		if ( i == tid_map.end() )
+			return 0;
+
+		uint64 modified = i->second->obj.serial->LastModified();
+		if ( modified == SerialObj::ALWAYS || modified > i->second->time )
+			return 0;
+
+		assert(i->second);
+		MoveEntryToTail(i->second);
+		return i->second->pid;
+		}
+
+	unsigned int GetMaxCacheSize() const	{ return max_cache_size; }
+	void SetMaxCacheSize(unsigned int size)	{ max_cache_size = size; }
+
+	// These methods have to be called at the start/end of the
+	// serialization of an entity. The cache guarentees that objects
+	// registered after Begin() remain valid until End() is called.
+	// After End(), objects which are not derived from BroObj are
+	// discarded; others *may* remain valid.
+	void Begin(bool can_keep_in_cache)	{ End(can_keep_in_cache); }
+	void End(bool can_keep_in_cache);
+
+	void Clear();
+
+private:
+
+	struct CacheList;
+
+	struct CacheEntry {
+		union {
+			const SerialObj* serial;
+			const BroObj* bro;
+		} obj;
+
+		bool is_bro_obj;
+		PermanentID pid;
+		TransientID::ID tid;
+		uint64 time;
+		struct CacheList* cache;
+		CacheEntry* prev;
+		CacheEntry* next;
+
+		SerialType stype;	// primarily for debugging
+	};
+
+	// We maintain two LRU-sorted lists, one for often-changing objects and
+	// one for only rarely changing objects;
+	struct CacheList {
+		CacheEntry* head;
+		CacheEntry* tail;
+		unsigned int size;
+	};
+
+	void RemoveEntry(CacheEntry* e);
+	void UnlinkEntry(CacheEntry* e);
+	void MoveEntryToTail(CacheEntry* e);
+
+	unsigned int max_cache_size;
+
+	typedef map<PermanentID, CacheEntry*> PIDMap;
+	typedef map<TransientID::ID, CacheEntry*> TIDMap;
+
+	TIDMap tid_map;
+	PIDMap pid_map;
+
+	CacheList cache_stable;
+	CacheList cache_unstable;
+
+	// Objects in the cache which aren't derived from BroObj. These are
+	// always stored in the unstable cache.
+	typedef list<CacheEntry*> VolatileList;
+	VolatileList volatiles;
+
+	PermanentID next_id;
+};
+
+// A serializer for cloning objects.  Objects can be serialized into
+// the serializer and unserialized into new objects.  An absolutely
+// minimal implementation of Serializer!
+class CloneSerializer : public Serializer {
+public:
+	CloneSerializer(SerializationFormat* format = 0) : Serializer(format) { }
+	virtual ~CloneSerializer()	{ }
+
+protected:
+	virtual void ReportError(const char* msg)	{ run_time(msg); }
+	virtual void GotID(ID* id, Val* val)	{ }
+	virtual void GotEvent(const char* name, double time,
+				EventHandlerPtr event, val_list* args)	{ }
+	virtual void GotFunctionCall(const char* name, double time,
+				Func* func, val_list* args)	{ }
+	virtual void GotStateAccess(StateAccess* s)	{ delete s; }
+	virtual void GotTimer(Timer* t)	{ }
+	virtual void GotConnection(Connection* c)	{ }
+	virtual void GotPacket(Packet* packet)	{ }
+};
+
+// Write values/events to file or fd.
+class FileSerializer : public Serializer {
+public:
+	FileSerializer(SerializationFormat* format = 0);
+	virtual ~FileSerializer();
+
+	// Opens the file for serialization.
+	bool Open(const char* file, bool pure = false);
+	bool Close();
+
+	// Reads the file.
+	bool Read(UnserialInfo* info, const char* file, bool header = true);
+
+protected:
+	virtual void ReportError(const char* msg);
+	virtual void GotID(ID* id, Val* val);
+	virtual void GotEvent(const char* name, double time,
+				EventHandlerPtr event, val_list* args);
+	virtual void GotFunctionCall(const char* name, double time,
+				Func* func, val_list* args);
+	virtual void GotStateAccess(StateAccess* s);
+	virtual void GotTimer(Timer* t);
+	virtual void GotConnection(Connection* c);
+	virtual void GotPacket(Packet* packet);
+
+	bool OpenFile(const char* file, bool readonly, bool should_exist = false);
+	void CloseFile();
+	bool ReadFile(const char* file);
+	bool PrepareForWriting();
+	bool ReadHeader(UnserialInfo* info = 0);
+
+	SerializationCache cache;
+	const char* file;
+	int fd;
+};
+
+// Converts from one serialization format into another.
+class ConversionSerializer:public FileSerializer {
+public:
+	ConversionSerializer(SerializationFormat* in, SerializationFormat* out);
+	virtual ~ConversionSerializer();
+
+	bool Convert(const char* file_in, const char* file_out);
+
+protected:
+	virtual void GotID(ID* id, Val* val);
+	virtual void GotEvent(const char* name, double time,
+				EventHandlerPtr event, val_list* args);
+	virtual void GotFunctionCall(const char* name, double time,
+				Func* func, val_list* args);
+	virtual void GotStateAccess(StateAccess* s);
+	virtual void GotPacket(Packet* packet);
+
+	FileSerializer* serout;
+};
+
+
+// Abstract interface class for external sources providing a stream of events.
+class EventSource {
+public:
+	virtual ~EventSource() { }
+
+	// Returns time of the oldest event (0 if none available).
+	virtual double NextTimestamp(double* local_network_time) = 0;
+
+	// Dispatches the oldest event and removes it.
+	virtual void DispatchNextEvent() = 0;
+
+	// Returns true if there are more events to expect from this source.
+	virtual bool IsActive() = 0;
+};
+
+// Plays a file of events back.
+class EventPlayer : public FileSerializer, public IOSource {
+public:
+	EventPlayer(const char* file);
+	virtual ~EventPlayer();
+
+	virtual void GetFds(int* read, int* write, int* except);
+	virtual double NextTimestamp(double* local_network_time);
+	virtual void Process();
+	virtual const char* Tag()	{ return "EventPlayer"; }
+
+protected:
+	virtual void GotID(ID* id, Val* val)	{}
+	virtual void GotEvent(const char* name, double time,
+				EventHandlerPtr event, val_list* args);
+	virtual void GotFunctionCall(const char* name, double time,
+				Func* func, val_list* args);
+
+	double stream_time;	// time of first captured event
+	double replay_time;	// network time of replay start
+
+	// Next event waiting to be dispatched.
+	double ne_time;
+	EventHandlerPtr ne_handler;
+	val_list* ne_args;
+
+};
+
+
+// A link-layer packet.
+//
+// Eventually we should use something like this consistently throughout Bro,
+// replacing the current packet arguments in functions like *::NextPacket().
+// Before doing this, though, we should consider provisioning for packet
+// formats other than just libpcap by designing a more abstract interface.
+//
+// Note that for serialization we don't use much of the support provided by
+// the serialization framework. Serialize/Unserialize do all the work by
+// themselves. In particular, Packets aren't derived from SerialObj. They are
+// completely seperate and self-contained entities, and we don't need any of
+// the sophisticated features like object caching.
+
+class Packet {
+public:
+	// Argument is whether we should delete associatd memory upon
+	// destruction.
+	Packet(TimerMgr::Tag arg_tag, bool arg_free = false)
+		{
+		time = 0.0;
+		hdr = 0;
+		pkt = 0;
+		hdr_size = 0;
+		free = arg_free;
+		tag = arg_tag;
+		}
+
+	~Packet()
+		{
+		if ( free )
+			{
+			delete hdr;
+			delete [] pkt;
+			}
+		}
+
+	const IP_Hdr IP() const
+		{ return IP_Hdr((struct ip *) (pkt + hdr_size)); }
+
+	void Describe(ODesc* d) const;
+
+	bool Serialize(SerialInfo* info) const;
+	static Packet* Unserialize(UnserialInfo* info);
+
+	const struct pcap_pkthdr* hdr;
+	const u_char* pkt;
+	TimerMgr::Tag tag;
+	uint32 link_type;
+
+	double time;
+	int hdr_size;
+
+private:
+	bool free;
+};
+
+extern FileSerializer* event_serializer;
+extern FileSerializer* state_serializer;
+
+#endif
diff --git a/src/Sessions.cc b/src/Sessions.cc
new file mode 100644
index 0000000000..fd443d4dcc
--- /dev/null
+++ b/src/Sessions.cc
@@ -0,0 +1,1469 @@
+// $Id: Sessions.cc 7075 2010-09-13 02:39:38Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+
+#include "config.h"
+
+#include <arpa/inet.h>
+
+#include <stdlib.h>
+#include <unistd.h>
+
+#include "Net.h"
+#include "Event.h"
+#include "Timer.h"
+#include "NetVar.h"
+#include "Sessions.h"
+#include "Active.h"
+#include "OSFinger.h"
+
+#include "ICMP.h"
+#include "UDP.h"
+
+#include "DNS-binpac.h"
+#include "HTTP-binpac.h"
+
+#include "SteppingStone.h"
+#include "BackDoor.h"
+#include "InterConn.h"
+#include "Discard.h"
+#include "RuleMatcher.h"
+#include "ConnCompressor.h"
+#include "DPM.h"
+
+#include "PacketSort.h"
+
+// These represent NetBIOS services on ephemeral ports.  They're numbered
+// so that we can use a single int to hold either an actual TCP/UDP server
+// port or one of these.
+enum NetBIOS_Service {
+	NETBIOS_SERVICE_START = 0x10000L,	// larger than any port
+	NETBIOS_SERVICE_DCE_RPC,
+};
+
+NetSessions* sessions;
+
+
+class NetworkTimer : public Timer {
+public:
+	NetworkTimer(NetSessions* arg_sess, double arg_t)
+		: Timer(arg_t, TIMER_NETWORK)
+		{ sess = arg_sess; }
+
+	void Dispatch(double t, int is_expire);
+
+protected:
+	NetSessions* sess;
+};
+
+void NetworkTimer::Dispatch(double t, int is_expire)
+	{
+	if ( is_expire )
+		return;
+
+	sess->HeartBeat(t);
+	}
+
+void TimerMgrExpireTimer::Dispatch(double t, int is_expire)
+	{
+	if ( mgr->LastAdvance() + timer_mgr_inactivity_timeout < timer_mgr->Time() )
+		{
+		// Expired.
+		DBG_LOG(DBG_TM, "TimeMgr %p has timed out", mgr);
+		mgr->Expire();
+
+		// Make sure events are executed.  They depend on the TimerMgr.
+		::mgr.Drain();
+
+		sessions->timer_mgrs.erase(mgr->GetTag());
+		delete mgr;
+		}
+	else
+		{
+		// Reinstall timer.
+		if ( ! is_expire )
+			{
+			double n = mgr->LastAdvance() +
+					timer_mgr_inactivity_timeout;
+			timer_mgr->Add(new TimerMgrExpireTimer(n, mgr));
+			}
+		}
+	}
+
+NetSessions::NetSessions()
+	{
+	TypeList* t = new TypeList();
+	t->Append(base_type(TYPE_COUNT));	// source IP address
+	t->Append(base_type(TYPE_COUNT));	// dest IP address
+	t->Append(base_type(TYPE_COUNT));	// source and dest ports
+
+	ch = new CompositeHash(t);
+
+	Unref(t);
+
+	tcp_conns.SetDeleteFunc(bro_obj_delete_func);
+	udp_conns.SetDeleteFunc(bro_obj_delete_func);
+	fragments.SetDeleteFunc(bro_obj_delete_func);
+
+	if ( (reading_live || pseudo_realtime) && net_stats_update )
+		timer_mgr->Add(new NetworkTimer(this, 1.0));
+
+	if ( stp_correlate_pair )
+		stp_manager = new SteppingStoneManager();
+	else
+		stp_manager = 0;
+
+	discarder = new Discarder();
+	if ( ! discarder->IsActive() )
+		{
+		delete discarder;
+		discarder = 0;
+		}
+
+	packet_filter = 0;
+
+	build_backdoor_analyzer =
+		backdoor_stats || rlogin_signature_found ||
+		telnet_signature_found || ssh_signature_found ||
+		root_backdoor_signature_found || ftp_signature_found ||
+		napster_signature_found || kazaa_signature_found ||
+		http_signature_found || http_proxy_signature_found;
+
+	dump_this_packet = 0;
+	num_packets_processed = 0;
+
+	if ( OS_version_found )
+		{
+		SYN_OS_Fingerprinter = new OSFingerprint(SYN_FINGERPRINT_MODE);
+		if ( SYN_OS_Fingerprinter->Error() )
+			exit(1);
+		}
+	else
+		SYN_OS_Fingerprinter = 0;
+
+	if ( pkt_profile_mode && pkt_profile_freq > 0 && pkt_profile_file )
+		pkt_profiler = new PacketProfiler(pkt_profile_mode,
+				pkt_profile_freq, pkt_profile_file->AsFile());
+	else
+		pkt_profiler = 0;
+
+	if ( arp_request || arp_reply || bad_arp )
+		arp_analyzer = new ARP_Analyzer();
+	else
+		arp_analyzer = 0;
+	}
+
+NetSessions::~NetSessions()
+	{
+	delete ch;
+	delete packet_filter;
+	delete SYN_OS_Fingerprinter;
+	delete pkt_profiler;
+	Unref(arp_analyzer);
+	}
+
+void NetSessions::Done()
+	{
+	delete stp_manager;
+	delete discarder;
+	}
+
+namespace	// private namespace
+	{
+	bool looks_like_IPv4_packet(int len, const struct ip* ip_hdr)
+		{
+		if ( len < int(sizeof(struct ip)) )
+			return false;
+		return ip_hdr->ip_v == 4 && ntohs(ip_hdr->ip_len) == len;
+		}
+	}
+
+void NetSessions::DispatchPacket(double t, const struct pcap_pkthdr* hdr,
+			const u_char* pkt, int hdr_size,
+			PktSrc* src_ps, PacketSortElement* pkt_elem)
+	{
+	const struct ip* ip_hdr = 0;
+	const u_char* ip_data = 0;
+	int proto = 0;
+
+	if ( hdr->caplen >= hdr_size + sizeof(struct ip) )
+		{
+		ip_hdr = reinterpret_cast<const struct ip*>(pkt + hdr_size);
+		if ( hdr->caplen >= unsigned(hdr_size + (ip_hdr->ip_hl << 2)) )
+			ip_data = pkt + hdr_size + (ip_hdr->ip_hl << 2);
+		}
+
+	if ( encap_hdr_size > 0 && ip_data )
+		{
+		// We're doing tunnel encapsulation.  Check whether there's
+		// a particular associated port.
+		//
+		// Should we discourage the use of encap_hdr_size for UDP
+		// tunnneling?  It is probably better handled by enabling
+		// parse_udp_tunnels instead of specifying a fixed
+		// encap_hdr_size.
+		if ( udp_tunnel_port > 0 )
+			{
+			ASSERT(ip_hdr);
+			if ( ip_hdr->ip_p == IPPROTO_UDP )
+				{
+				const struct udphdr* udp_hdr =
+					reinterpret_cast<const struct udphdr*>
+					(ip_data);
+
+				if ( ntohs(udp_hdr->uh_dport) == udp_tunnel_port )
+					{
+					// A match.
+					hdr_size += encap_hdr_size;
+					}
+				}
+			}
+
+		else
+			// Blanket encapsulation (e.g., for VLAN).
+			hdr_size += encap_hdr_size;
+		}
+
+	// Check IP packets encapsulated through UDP tunnels.
+	// Specifying a udp_tunnel_port is optional but recommended (to avoid
+	// the cost of checking every UDP packet).
+	else if ( parse_udp_tunnels && ip_data && ip_hdr->ip_p == IPPROTO_UDP )
+		{
+		const struct udphdr* udp_hdr =
+			reinterpret_cast<const struct udphdr*>(ip_data);
+
+		if ( udp_tunnel_port == 0 || // 0 matches any port
+		     udp_tunnel_port == ntohs(udp_hdr->uh_dport) )
+			{
+			const u_char* udp_data =
+				ip_data + sizeof(struct udphdr);
+			const struct ip* ip_encap =
+				reinterpret_cast<const struct ip*>(udp_data);
+			const int ip_encap_len =
+				ntohs(udp_hdr->uh_ulen) - sizeof(struct udphdr);
+			const int ip_encap_caplen =
+				hdr->caplen - (udp_data - pkt);
+
+			if ( looks_like_IPv4_packet(ip_encap_len, ip_encap) )
+				hdr_size = udp_data - pkt;
+			}
+		}
+
+	if ( src_ps->FilterType() == TYPE_FILTER_NORMAL )
+		NextPacket(t, hdr, pkt, hdr_size, pkt_elem);
+	else
+		NextPacketSecondary(t, hdr, pkt, hdr_size, src_ps);
+	}
+
+void NetSessions::NextPacket(double t, const struct pcap_pkthdr* hdr,
+			     const u_char* const pkt, int hdr_size,
+			     PacketSortElement* pkt_elem)
+	{
+	SegmentProfiler(segment_logger, "processing-packet");
+	if ( pkt_profiler )
+		pkt_profiler->ProfilePkt(t, hdr->caplen);
+
+	++num_packets_processed;
+
+	dump_this_packet = 0;
+
+	if ( record_all_packets )
+		DumpPacket(hdr, pkt);
+
+	if ( pkt_elem && pkt_elem->IPHdr() )
+		// Fast path for "normal" IP packets if an IP_Hdr is
+		// already extracted when doing PacketSort. Otherwise
+		// the code below tries to extract the IP header, the
+		// difference here is that header extraction in
+		// PacketSort does not generate Weird events.
+
+		DoNextPacket(t, hdr, pkt_elem->IPHdr(), pkt, hdr_size);
+
+	else
+		{
+		// ### The following isn't really correct.  What we *should*
+		// do is understanding the different link layers in order to
+		// find the network-layer protocol ID.  That's a big
+		// portability pain, though, unless we just assume everything's
+		// Ethernet .... not great, given the potential need to deal
+		// with PPP or FDDI (for some older traces).  So instead
+		// we look to see if what we have is consistent with an
+		// IPv4 packet.  If not, it's either ARP or IPv6 or weird.
+
+		uint32 caplen = hdr->caplen - hdr_size;
+		if ( caplen < sizeof(struct ip) )
+			{
+			Weird("truncated_IP", hdr, pkt);
+			return;
+			}
+
+		const struct ip* ip = (const struct ip*) (pkt + hdr_size);
+		if ( ip->ip_v == 4 )
+			{
+			IP_Hdr ip_hdr(ip);
+			DoNextPacket(t, hdr, &ip_hdr, pkt, hdr_size);
+			}
+
+		else if ( arp_analyzer && arp_analyzer->IsARP(pkt, hdr_size) )
+			arp_analyzer->NextPacket(t, hdr, pkt, hdr_size);
+
+		else
+			{
+#ifdef BROv6
+			IP_Hdr ip_hdr((const struct ip6_hdr*) (pkt + hdr_size));
+			DoNextPacket(t, hdr, &ip_hdr, pkt, hdr_size);
+#else
+			Weird("non_IPv4_packet", hdr, pkt);
+			return;
+#endif
+			}
+		}
+
+	if ( dump_this_packet && ! record_all_packets )
+		DumpPacket(hdr, pkt);
+	}
+
+void NetSessions::NextPacketSecondary(double /* t */, const struct pcap_pkthdr* hdr,
+				const u_char* const pkt, int hdr_size,
+				const PktSrc* src_ps)
+	{
+	SegmentProfiler(segment_logger, "processing-secondary-packet");
+
+	++num_packets_processed;
+
+	uint32 caplen = hdr->caplen - hdr_size;
+	if ( caplen < sizeof(struct ip) )
+		{
+		Weird("truncated_IP", hdr, pkt);
+		return;
+		}
+
+	const struct ip* ip = (const struct ip*) (pkt + hdr_size);
+	if ( ip->ip_v == 4 )
+		{
+		const secondary_program_list& spt = src_ps->ProgramTable();
+
+		loop_over_list(spt, i)
+			{
+			SecondaryProgram* sp = spt[i];
+			if ( ! net_packet_match(sp->Program(), pkt,
+						hdr->len, hdr->caplen) )
+				continue;
+
+			val_list* args = new val_list;
+			StringVal* cmd_val =
+				new StringVal(sp->Event()->Filter());
+			args->append(cmd_val);
+			args->append(BuildHeader(ip));
+			// ### Need to queue event here.
+			sp->Event()->Event()->Call(args);
+			delete args;
+			}
+		}
+	}
+
+int NetSessions::CheckConnectionTag(Connection* conn)
+	{
+	if ( current_iosrc->GetCurrentTag() )
+		{
+		// Packet is tagged.
+		if ( conn->GetTimerMgr() == timer_mgr )
+			{
+			// Connection uses global timer queue.  But the
+			// packet has a tag that means we got it externally,
+			// probably from the Time Machine.
+			DBG_LOG(DBG_TM, "got packet with tag %s for already"
+					"known connection, reinstantiating",
+					current_iosrc->GetCurrentTag()->c_str());
+			return 0;
+			}
+		else
+			{
+			// Connection uses local timer queue.
+			TimerMgrMap::iterator i =
+				timer_mgrs.find(*current_iosrc->GetCurrentTag());
+			if ( i != timer_mgrs.end() &&
+			     conn->GetTimerMgr() != i->second )
+				{
+				// Connection uses different local queue
+				// than the tag for the current packet
+				// indicates.
+				//
+				// This can happen due to:
+				//     (1) getting same packets with
+				//		different tags
+				//     (2) timer mgr having already expired
+				DBG_LOG(DBG_TM, "packet ignored due old/inconsistent tag");
+				return -1;
+				}
+
+			return 1;
+			}
+		}
+
+	// Packet is not tagged.
+	if ( conn->GetTimerMgr() != timer_mgr )
+		{
+		// Connection does not use the global timer queue.  That
+		// means that this is a live packet belonging to a
+		// connection for which we have already switched to
+		// processing external input.
+		DBG_LOG(DBG_TM, "packet ignored due to processing it in external data");
+		return -1;
+		}
+
+	return 1;
+	}
+
+
+static bool looks_like_IPv4_packet(int len, const struct ip* ip_hdr)
+	{
+	if ( (unsigned int) len < sizeof(struct ip) )
+		return false;
+
+	if ( ip_hdr->ip_v == 4 && ntohs(ip_hdr->ip_len) == len )
+		return true;
+	else
+		return false;
+	}
+
+void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr,
+				const IP_Hdr* ip_hdr, const u_char* const pkt,
+				int hdr_size)
+	{
+	uint32 caplen = hdr->caplen - hdr_size;
+	const struct ip* ip4 = ip_hdr->IP4_Hdr();
+
+	uint32 len = ip_hdr->TotalLen();
+	if ( hdr->len < len + hdr_size )
+		{
+		Weird("truncated_IP", hdr, pkt);
+		return;
+		}
+
+	// Ignore if packet matches packet filter.
+	if ( packet_filter && packet_filter->Match(ip_hdr, len, caplen) )
+		 return;
+
+	int ip_hdr_len = ip_hdr->HdrLen();
+	if ( ! ignore_checksums && ip4 &&
+	     ones_complement_checksum((void*) ip4, ip_hdr_len, 0) != 0xffff )
+		{
+		Weird("bad_IP_checksum", hdr, pkt);
+		return;
+		}
+
+	if ( discarder && discarder->NextPacket(ip_hdr, len, caplen) )
+		return;
+
+	int proto = ip_hdr->NextProto();
+	if ( proto != IPPROTO_TCP && proto != IPPROTO_UDP &&
+	     proto != IPPROTO_ICMP )
+		{
+		dump_this_packet = 1;
+		return;
+		}
+
+	// Check for TTL/MTU problems from Active Mapping
+#ifdef ACTIVE_MAPPING
+	const NumericData* numeric = 0;
+	if ( ip4 )
+		{
+		get_map_result(ip4->ip_dst.s_addr, numeric);
+
+		if ( numeric->hops && ip4->ip_ttl < numeric->hops )
+			{
+			debug_msg("Packet destined for %s had ttl %d but there are %d hops to host.\n",
+			inet_ntoa(ip4->ip_dst), ip4->ip_ttl, numeric->hops);
+			return;
+			}
+		}
+#endif
+
+	FragReassembler* f = 0;
+	uint32 frag_field = ip_hdr->FragField();
+
+#ifdef ACTIVE_MAPPING
+	if ( ip4 && numeric && numeric->path_MTU && (frag_field & IP_DF) )
+		{
+		if ( htons(ip4->ip_len) > numeric->path_MTU )
+			{
+			debug_msg("Packet destined for %s has DF flag but its size %d is greater than pmtu of %d\n",
+			inet_ntoa(ip4->ip_dst), htons(ip4->ip_len), numeric->path_MTU);
+			return;
+			}
+		}
+#endif
+
+	if ( (frag_field & 0x3fff) != 0 )
+		{
+		dump_this_packet = 1;	// always record fragments
+
+		if ( caplen < len )
+			{
+			Weird("incompletely_captured_fragment", ip_hdr);
+
+			// Don't try to reassemble, that's doomed.
+			// Discard all except the first fragment (which
+			// is useful in analyzing header-only traces)
+			if ( (frag_field & 0x1fff) != 0 )
+				return;
+			}
+		else
+			{
+			f = NextFragment(t, ip_hdr, pkt + hdr_size, frag_field);
+			const IP_Hdr* ih = f->ReassembledPkt();
+			if ( ! ih )
+				// It didn't reassemble into anything yet.
+				return;
+
+			ip4 = ih->IP4_Hdr();
+			ip_hdr = ih;
+
+			caplen = len = ip_hdr->TotalLen();
+			ip_hdr_len = ip_hdr->HdrLen();
+			}
+		}
+
+	len -= ip_hdr_len;	// remove IP header
+	caplen -= ip_hdr_len;
+
+	uint32 min_hdr_len = (proto == IPPROTO_TCP) ?  sizeof(struct tcphdr) :
+		(proto == IPPROTO_UDP ? sizeof(struct udphdr) : ICMP_MINLEN);
+
+	if ( len < min_hdr_len )
+		{
+		Weird("truncated_header", hdr, pkt);
+		if ( f )
+			Remove(f);	// ###
+		return;
+		}
+	if ( caplen < min_hdr_len )
+		{
+		Weird("internally_truncated_header", hdr, pkt);
+		if ( f )
+			Remove(f);	// ###
+		return;
+		}
+
+	const u_char* data = ip_hdr->Payload();
+
+	ConnID id;
+	id.src_addr = ip_hdr->SrcAddr();
+	id.dst_addr = ip_hdr->DstAddr();
+	Dictionary* d = 0;
+	bool pass_to_conn_compressor = false;
+
+	switch ( proto ) {
+	case IPPROTO_TCP:
+		{
+		const struct tcphdr* tp = (const struct tcphdr *) data;
+		id.src_port = tp->th_sport;
+		id.dst_port = tp->th_dport;
+		id.is_one_way = 0;
+		d = &tcp_conns;
+		pass_to_conn_compressor = ip4 && use_connection_compressor;
+		break;
+		}
+
+	case IPPROTO_UDP:
+		{
+		const struct udphdr* up = (const struct udphdr *) data;
+		id.src_port = up->uh_sport;
+		id.dst_port = up->uh_dport;
+		id.is_one_way = 0;
+		d = &udp_conns;
+		break;
+		}
+
+	case IPPROTO_ICMP:
+		{
+		const struct icmp* icmpp = (const struct icmp *) data;
+
+		id.src_port = icmpp->icmp_type;
+		id.dst_port = ICMP_counterpart(icmpp->icmp_type,
+						icmpp->icmp_code,
+						id.is_one_way);
+
+		id.src_port = htons(id.src_port);
+		id.dst_port = htons(id.dst_port);
+
+		d = &icmp_conns;
+		break;
+		}
+
+	default:
+		Weird(fmt("unknown_protocol %d", proto), hdr, pkt);
+		return;
+	}
+
+	HashKey* h = id.BuildConnKey();
+	if ( ! h )
+		internal_error("hash computation failed");
+
+	Connection* conn = 0;
+
+	// FIXME: The following is getting pretty complex. Need to split up
+	// into separate functions.
+	if ( pass_to_conn_compressor )
+		conn = conn_compressor->NextPacket(t, h, ip_hdr, hdr, pkt);
+	else
+		{
+		conn = (Connection*) d->Lookup(h);
+		if ( ! conn )
+			{
+			conn = NewConn(h, t, &id, data, proto);
+			if ( conn )
+				d->Insert(h, conn);
+			}
+		else
+			{
+			// We already know that connection.
+			int consistent = CheckConnectionTag(conn);
+			if ( consistent < 0 )
+				{
+				delete h;
+				return;
+				}
+
+			if ( ! consistent || conn->IsReuse(t, data) )
+				{
+				if ( consistent )
+					conn->Event(connection_reused, 0);
+
+				Remove(conn);
+				conn = NewConn(h, t, &id, data, proto);
+				if ( conn )
+					d->Insert(h, conn);
+				}
+			else
+				delete h;
+			}
+
+		if ( ! conn )
+			delete h;
+		}
+
+	if ( ! conn )
+		return;
+
+	int record_packet = 1;	// whether to record the packet at all
+	int record_content = 1;	// whether to record its data
+
+	int is_orig = addr_eq(id.src_addr, conn->OrigAddr()) &&
+			id.src_port == conn->OrigPort();
+
+	if ( new_packet && ip4 )
+		conn->Event(new_packet, 0, BuildHeader(ip4));
+
+	conn->NextPacket(t, is_orig, ip_hdr, len, caplen, data,
+				record_packet, record_content,
+			        hdr, pkt, hdr_size);
+
+	// Override content record setting according to
+	// flags set by the policy script.
+	if ( dump_original_packets_if_not_rewriting )
+		record_packet = record_content = 1;
+	if ( dump_selected_source_packets )
+		record_packet = record_content = 0;
+
+	if ( f )
+		{
+		// Above we already recorded the fragment in its entirety.
+		f->DeleteTimer();
+		Remove(f);	// ###
+		}
+
+	else if ( record_packet && ! conn->RewritingTrace() )
+		{
+		if ( record_content )
+			dump_this_packet = 1;	// save the whole thing
+
+		else
+			{
+			int hdr_len = data - pkt;
+			DumpPacket(hdr, pkt, hdr_len);	// just save the header
+			}
+		}
+	}
+
+Val* NetSessions::BuildHeader(const struct ip* ip)
+	{
+	static RecordType* pkt_hdr_type = 0;
+	static RecordType* ip_hdr_type = 0;
+	static RecordType* tcp_hdr_type = 0;
+	static RecordType* udp_hdr_type = 0;
+	static RecordType* icmp_hdr_type;
+
+	if ( ! pkt_hdr_type )
+		{
+		pkt_hdr_type = internal_type("pkt_hdr")->AsRecordType();
+		ip_hdr_type = internal_type("ip_hdr")->AsRecordType();
+		tcp_hdr_type = internal_type("tcp_hdr")->AsRecordType();
+		udp_hdr_type = internal_type("udp_hdr")->AsRecordType();
+		icmp_hdr_type = internal_type("icmp_hdr")->AsRecordType();
+		}
+
+	RecordVal* pkt_hdr = new RecordVal(pkt_hdr_type);
+
+	RecordVal* ip_hdr = new RecordVal(ip_hdr_type);
+
+	int ip_hdr_len = ip->ip_hl * 4;
+	int ip_pkt_len = ntohs(ip->ip_len);
+
+	ip_hdr->Assign(0, new Val(ip->ip_hl * 4, TYPE_COUNT));
+	ip_hdr->Assign(1, new Val(ip->ip_tos, TYPE_COUNT));
+	ip_hdr->Assign(2, new Val(ip_pkt_len, TYPE_COUNT));
+	ip_hdr->Assign(3, new Val(ntohs(ip->ip_id), TYPE_COUNT));
+	ip_hdr->Assign(4, new Val(ip->ip_ttl, TYPE_COUNT));
+	ip_hdr->Assign(5, new Val(ip->ip_p, TYPE_COUNT));
+	ip_hdr->Assign(6, new AddrVal(ip->ip_src.s_addr));
+	ip_hdr->Assign(7, new AddrVal(ip->ip_dst.s_addr));
+
+	pkt_hdr->Assign(0, ip_hdr);
+
+	// L4 header.
+	const u_char* data = ((const u_char*) ip) + ip_hdr_len;
+
+	int proto = ip->ip_p;
+	switch ( proto ) {
+	case IPPROTO_TCP:
+		{
+		const struct tcphdr* tp = (const struct tcphdr*) data;
+		RecordVal* tcp_hdr = new RecordVal(tcp_hdr_type);
+
+		int tcp_hdr_len = tp->th_off * 4;
+		int data_len = ip_pkt_len - ip_hdr_len - tcp_hdr_len;
+
+		tcp_hdr->Assign(0, new PortVal(ntohs(tp->th_sport), TRANSPORT_TCP));
+		tcp_hdr->Assign(1, new PortVal(ntohs(tp->th_dport), TRANSPORT_TCP));
+		tcp_hdr->Assign(2, new Val(uint32(ntohl(tp->th_seq)), TYPE_COUNT));
+		tcp_hdr->Assign(3, new Val(uint32(ntohl(tp->th_ack)), TYPE_COUNT));
+		tcp_hdr->Assign(4, new Val(tcp_hdr_len, TYPE_COUNT));
+		tcp_hdr->Assign(5, new Val(data_len, TYPE_COUNT));
+		tcp_hdr->Assign(6, new Val(tp->th_flags, TYPE_COUNT));
+		tcp_hdr->Assign(7, new Val(ntohs(tp->th_win), TYPE_COUNT));
+
+		pkt_hdr->Assign(1, tcp_hdr);
+		break;
+		}
+
+	case IPPROTO_UDP:
+		{
+		const struct udphdr* up = (const struct udphdr*) data;
+		RecordVal* udp_hdr = new RecordVal(udp_hdr_type);
+
+		udp_hdr->Assign(0, new PortVal(ntohs(up->uh_sport), TRANSPORT_UDP));
+		udp_hdr->Assign(1, new PortVal(ntohs(up->uh_dport), TRANSPORT_UDP));
+		udp_hdr->Assign(2, new Val(ntohs(up->uh_ulen), TYPE_COUNT));
+
+		pkt_hdr->Assign(2, udp_hdr);
+		break;
+		}
+
+	case IPPROTO_ICMP:
+		{
+		const struct icmp* icmpp = (const struct icmp *) data;
+		RecordVal* icmp_hdr = new RecordVal(icmp_hdr_type);
+
+		icmp_hdr->Assign(0, new Val(icmpp->icmp_type, TYPE_COUNT));
+
+		pkt_hdr->Assign(3, icmp_hdr);
+		break;
+		}
+
+	default:
+		{
+		// This is not a protocol we understand.
+		}
+	}
+
+	return pkt_hdr;
+	}
+
+FragReassembler* NetSessions::NextFragment(double t, const IP_Hdr* ip,
+					const u_char* pkt, uint32 frag_field)
+	{
+	uint32 src_addr = uint32(ip->SrcAddr4());
+	uint32 dst_addr = uint32(ip->DstAddr4());
+	uint32 frag_id = ntohs(ip->ID4());	// we actually could skip conv.
+
+	ListVal* key = new ListVal(TYPE_ANY);
+	key->Append(new Val(src_addr, TYPE_COUNT));
+	key->Append(new Val(dst_addr, TYPE_COUNT));
+	key->Append(new Val(frag_id, TYPE_COUNT));
+
+	HashKey* h = ch->ComputeHash(key, 1);
+	if ( ! h )
+		internal_error("hash computation failed");
+
+	FragReassembler* f = fragments.Lookup(h);
+	if ( ! f )
+		{
+		f = new FragReassembler(this, ip, pkt, frag_field, h, t);
+		fragments.Insert(h, f);
+		Unref(key);
+		return f;
+		}
+
+	delete h;
+	Unref(key);
+
+	f->AddFragment(t, ip, pkt, frag_field);
+	return f;
+	}
+
+int NetSessions::Get_OS_From_SYN(struct os_type* retval,
+		  uint16 tot, uint8 DF_flag, uint8 TTL, uint16 WSS,
+		  uint8 ocnt, uint8* op, uint16 MSS, uint8 win_scale,
+		  uint32 tstamp, /* uint8 TOS, */ uint32 quirks,
+		  uint8 ECN) const
+	{
+	return SYN_OS_Fingerprinter ?
+		SYN_OS_Fingerprinter->FindMatch(retval, tot, DF_flag, TTL,
+				WSS, ocnt, op, MSS, win_scale, tstamp,
+				quirks, ECN) : 0;
+	}
+
+bool NetSessions::CompareWithPreviousOSMatch(uint32 addr, int id) const
+	{
+	return SYN_OS_Fingerprinter ?
+		SYN_OS_Fingerprinter->CacheMatch(addr, id) : 0;
+	}
+
+Connection* NetSessions::FindConnection(Val* v)
+	{
+	BroType* vt = v->Type();
+	if ( ! IsRecord(vt->Tag()) )
+		return 0;
+
+	RecordType* vr = vt->AsRecordType();
+	const val_list* vl = v->AsRecord();
+
+	int orig_h, orig_p;	// indices into record's value list
+	int resp_h, resp_p;
+
+	if ( vr == conn_id )
+		{
+		orig_h = 0;
+		orig_p = 1;
+		resp_h = 2;
+		resp_p = 3;
+		}
+
+	else
+		{
+		// While it's not a conn_id, it may have equivalent fields.
+		orig_h = vr->FieldOffset("orig_h");
+		resp_h = vr->FieldOffset("resp_h");
+		orig_p = vr->FieldOffset("orig_p");
+		resp_p = vr->FieldOffset("resp_p");
+
+		if ( orig_h < 0 || resp_h < 0 || orig_p < 0 || resp_p < 0 )
+			return 0;
+
+		// ### we ought to check that the fields have the right
+		// types, too.
+		}
+
+	addr_type orig_addr = (*vl)[orig_h]->AsAddr();
+	addr_type resp_addr = (*vl)[resp_h]->AsAddr();
+
+	PortVal* orig_portv = (*vl)[orig_p]->AsPortVal();
+	PortVal* resp_portv = (*vl)[resp_p]->AsPortVal();
+
+	ConnID id;
+
+#ifdef BROv6
+	id.src_addr = orig_addr;
+	id.dst_addr = resp_addr;
+#else
+	id.src_addr = &orig_addr;
+	id.dst_addr = &resp_addr;
+#endif
+
+	id.src_port = htons((unsigned short) orig_portv->Port());
+	id.dst_port = htons((unsigned short) resp_portv->Port());
+
+	id.is_one_way = 0;	// ### incorrect for ICMP connections
+
+	HashKey* h = id.BuildConnKey();
+	if ( ! h )
+		internal_error("hash computation failed");
+
+	Dictionary* d;
+
+	if ( orig_portv->IsTCP() )
+		{
+		if ( use_connection_compressor )
+			{
+			Connection* conn = conn_compressor->Lookup(h);
+			delete h;
+			return conn;
+			}
+		else
+			d = &tcp_conns;
+		}
+	else if ( orig_portv->IsUDP() )
+		d = &udp_conns;
+	else if ( orig_portv->IsICMP() )
+		d = &icmp_conns;
+	else
+		{
+		// This can happen due to pseudo-connections we
+		// construct, for example for packet headers embedded
+		// in ICMPs.
+		delete h;
+		return 0;
+		}
+
+	Connection* conn = (Connection*) d->Lookup(h);
+
+	delete h;
+
+	return conn;
+	}
+
+void NetSessions::Remove(Connection* c)
+	{
+	HashKey* k = c->Key();
+	if ( k )
+		{
+		c->CancelTimers();
+
+		TCP_Analyzer* ta = (TCP_Analyzer*) c->GetRootAnalyzer();
+		if ( ta && c->ConnTransport() == TRANSPORT_TCP )
+			{
+			assert(ta->GetTag() == AnalyzerTag::TCP);
+			TCP_Endpoint* to = ta->Orig();
+			TCP_Endpoint* tr = ta->Resp();
+
+			tcp_stats.StateLeft(to->state, tr->state);
+			}
+
+		if ( c->IsPersistent() )
+			persistence_serializer->Unregister(c);
+
+		c->Done();
+
+		if ( connection_state_remove )
+			c->Event(connection_state_remove, 0);
+
+		// Zero out c's copy of the key, so that if c has been Ref()'d
+		// up, we know on a future call to Remove() that it's no
+		// longer in the dictionary.
+		c->ClearKey();
+
+		switch ( c->ConnTransport() ) {
+		case TRANSPORT_TCP:
+			if ( use_connection_compressor &&
+			     conn_compressor->Remove(k) )
+				// Note, if the Remove() returned false
+				// then the compressor doesn't know about
+				// this connection, which *should* mean that
+				// we never gave it the connection in the
+				// first place, and thus we should check
+				// the regular TCP table instead.
+				;
+
+			else if ( ! tcp_conns.RemoveEntry(k) )
+				internal_error("connection missing");
+			break;
+
+		case TRANSPORT_UDP:
+			if ( ! udp_conns.RemoveEntry(k) )
+				internal_error("connection missing");
+			break;
+
+		case TRANSPORT_ICMP:
+			if ( ! icmp_conns.RemoveEntry(k) )
+				internal_error("connection missing");
+			break;
+
+		case TRANSPORT_UNKNOWN:
+			internal_error("unknown transport when removing connection");
+			break;
+		}
+
+		Unref(c);
+		delete k;
+		}
+	}
+
+void NetSessions::Remove(FragReassembler* f)
+	{
+	HashKey* k = f->Key();
+	if ( ! k )
+		internal_error("fragment block not in dictionary");
+
+	if ( ! fragments.RemoveEntry(k) )
+		internal_error("fragment block missing");
+
+	Unref(f);
+	}
+
+void NetSessions::Insert(Connection* c)
+	{
+	assert(c->Key());
+
+	Connection* old = 0;
+
+	switch ( c->ConnTransport() ) {
+	// Remove first. Otherwise the dictioanry would still
+	// reference the old key for already existing connections.
+
+	case TRANSPORT_TCP:
+		if ( use_connection_compressor )
+			old = conn_compressor->Insert(c);
+		else
+			{
+			old = (Connection*) tcp_conns.Remove(c->Key());
+			tcp_conns.Insert(c->Key(), c);
+			}
+		break;
+
+	case TRANSPORT_UDP:
+		old = (Connection*) udp_conns.Remove(c->Key());
+		udp_conns.Insert(c->Key(), c);
+		break;
+
+	case TRANSPORT_ICMP:
+		old = (Connection*) icmp_conns.Remove(c->Key());
+		icmp_conns.Insert(c->Key(), c);
+		break;
+
+	default:
+		internal_error("unknown connection type");
+	}
+
+	if ( old && old != c )
+		{
+		// Some clean-ups similar to those in Remove() (but invisible
+		// to the script layer).
+		old->CancelTimers();
+		if ( old->IsPersistent() )
+			persistence_serializer->Unregister(old);
+		delete old->Key();
+		old->ClearKey();
+		Unref(old);
+		}
+	}
+
+void NetSessions::Drain()
+	{
+	if ( use_connection_compressor )
+		conn_compressor->Drain();
+
+	IterCookie* cookie = tcp_conns.InitForIteration();
+	Connection* tc;
+
+	while ( (tc = tcp_conns.NextEntry(cookie)) )
+		{
+		tc->Done();
+		tc->Event(connection_state_remove, 0);
+		}
+
+	cookie = udp_conns.InitForIteration();
+	Connection* uc;
+
+	while ( (uc = udp_conns.NextEntry(cookie)) )
+		{
+		uc->Done();
+		uc->Event(connection_state_remove, 0);
+		}
+
+	cookie = icmp_conns.InitForIteration();
+	Connection* ic;
+
+	while ( (ic = icmp_conns.NextEntry(cookie)) )
+		{
+		ic->Done();
+		ic->Event(connection_state_remove, 0);
+		}
+
+	ExpireTimerMgrs();
+	}
+
+void NetSessions::HeartBeat(double t)
+	{
+	unsigned int recv = 0;
+	unsigned int drop = 0;
+	unsigned int link = 0;
+
+	loop_over_list(pkt_srcs, i)
+		{
+		PktSrc* ps = pkt_srcs[i];
+
+		struct PktSrc::Stats stat;
+		ps->Statistics(&stat);
+		recv += stat.received;
+		drop += stat.dropped;
+		link += stat.link;
+		}
+
+	val_list* vl = new val_list;
+
+	vl->append(new Val(t, TYPE_TIME));
+
+	RecordVal* ns = new RecordVal(net_stats);
+	ns->Assign(0, new Val(recv, TYPE_COUNT));
+	ns->Assign(1, new Val(drop, TYPE_COUNT));
+	ns->Assign(2, new Val(link, TYPE_COUNT));
+
+	vl->append(ns);
+
+	mgr.QueueEvent(net_stats_update, vl);
+
+	timer_mgr->Add(new NetworkTimer(this, t + heartbeat_interval));
+	}
+
+void NetSessions::GetStats(SessionStats& s) const
+	{
+	s.num_TCP_conns = tcp_conns.Length();
+	s.num_UDP_conns = udp_conns.Length();
+	s.num_ICMP_conns = icmp_conns.Length();
+	s.num_fragments = fragments.Length();
+	s.num_packets = num_packets_processed;
+	s.num_timers = timer_mgr->Size();
+	s.num_events_queued = num_events_queued;
+	s.num_events_dispatched = num_events_dispatched;
+
+	s.max_TCP_conns = tcp_conns.MaxLength();
+	s.max_UDP_conns = udp_conns.MaxLength();
+	s.max_ICMP_conns = icmp_conns.MaxLength();
+	s.max_fragments = fragments.MaxLength();
+	s.max_timers = timer_mgr->PeakSize();
+	}
+
+Connection* NetSessions::NewConn(HashKey* k, double t, const ConnID* id,
+					const u_char* data, int proto)
+	{
+	// FIXME: This should be cleaned up a bit, it's too protocol-specific.
+	// But I'm not yet sure what the right abstraction for these things is.
+	int src_h = ntohs(id->src_port);
+	int dst_h = ntohs(id->dst_port);
+	int flags = 0;
+
+	// Hmm... This is not great.
+	TransportProto tproto;
+	switch ( proto ) {
+		case IPPROTO_ICMP:
+			tproto = TRANSPORT_ICMP;
+			break;
+		case IPPROTO_TCP:
+			tproto = TRANSPORT_TCP;
+			break;
+		case IPPROTO_UDP:
+			tproto = TRANSPORT_UDP;
+			break;
+		default:
+			internal_error("unknown transport protocol");
+			break;
+	};
+
+	if ( tproto == TRANSPORT_TCP )
+		{
+		const struct tcphdr* tp = (const struct tcphdr*) data;
+		flags = tp->th_flags;
+		}
+
+	bool flip = false;
+
+	if ( ! WantConnection(src_h, dst_h, tproto, flags, flip) )
+		return 0;
+
+	if ( flip )
+		{
+		// Make a guess that we're seeing the tail half of
+		// an analyzable connection.
+		ConnID flip_id = *id;
+
+		const uint32* ta = flip_id.src_addr;
+		flip_id.src_addr = flip_id.dst_addr;
+		flip_id.dst_addr = ta;
+
+		uint32 t = flip_id.src_port;
+		flip_id.src_port = flip_id.dst_port;
+		flip_id.dst_port = t;
+
+		id = &flip_id;
+		}
+
+	Connection* conn = new Connection(this, k, t, id);
+	conn->SetTransport(tproto);
+	dpm->BuildInitialAnalyzerTree(tproto, conn, data);
+
+	bool external = conn->IsExternal();
+
+	if ( external )
+		conn->AppendAddl(fmt("tag=%s",
+					conn->GetTimerMgr()->GetTag().c_str()));
+
+	// If the connection compressor is active, it takes care of the
+	// new_connection/connection_external events for TCP connections.
+	if ( new_connection &&
+	     (tproto != TRANSPORT_TCP || ! use_connection_compressor) )
+		{
+		conn->Event(new_connection, 0);
+
+		if ( external )
+			{
+			val_list* vl = new val_list(2);
+			vl->append(conn->BuildConnVal());
+			vl->append(new StringVal(conn->GetTimerMgr()->GetTag().c_str()));
+			conn->ConnectionEvent(connection_external, 0, vl);
+			}
+		}
+
+	return conn;
+	}
+
+bool NetSessions::IsLikelyServerPort(uint32 port, TransportProto proto) const
+	{
+	// We keep a cached in-core version of the table to speed up the lookup.
+	static set<bro_uint_t> port_cache;
+	static bool have_cache = false;
+
+	if ( ! have_cache )
+		{
+		ListVal* lv = likely_server_ports->ConvertToPureList();
+		for ( int i = 0; i < lv->Length(); i++ )
+			port_cache.insert(lv->Index(i)->InternalUnsigned());
+		have_cache = true;
+		Unref(lv);
+		}
+
+	// We exploit our knowledge of PortVal's internal storage mechanism
+	// here.
+	if ( proto == TRANSPORT_TCP )
+		port |= TCP_PORT_MASK;
+	else if ( proto == TRANSPORT_UDP )
+		port |= UDP_PORT_MASK;
+	else if ( proto == TRANSPORT_ICMP )
+		port |= ICMP_PORT_MASK;
+
+	return port_cache.find(port) != port_cache.end();
+	}
+
+bool NetSessions::WantConnection(uint16 src_port, uint16 dst_port,
+					TransportProto transport_proto,
+					uint8 tcp_flags, bool& flip_roles)
+	{
+	flip_roles = false;
+
+	if ( transport_proto == TRANSPORT_TCP )
+		{
+		if ( ! (tcp_flags & TH_SYN) || (tcp_flags & TH_ACK) )
+			{
+			// The new connection is starting either without a SYN,
+			// or with a SYN ack. This means it's a partial connection.
+			if ( ! partial_connection_ok )
+				return false;
+
+			if ( tcp_flags & TH_SYN && ! tcp_SYN_ack_ok )
+				return false;
+
+			// Try to guess true responder by the port numbers.
+			// (We might also think that for SYN acks we could
+			// safely flip the roles, but that doesn't work
+			// for stealth scans.)
+			if ( IsLikelyServerPort(src_port, TRANSPORT_TCP) )
+				{ // connection is a candidate for flipping
+				if ( IsLikelyServerPort(dst_port, TRANSPORT_TCP) )
+					// Hmmm, both source and destination
+					// are plausible.  Heuristic: flip only
+					// if (1) this isn't a SYN ACK (to avoid
+					// confusing stealth scans) and
+					// (2) dest port > src port (to favor
+					// more plausible servers).
+					flip_roles = ! (tcp_flags & TH_SYN) && src_port < dst_port;
+				else
+					// Source is plausible, destination isn't.
+					flip_roles = true;
+				}
+			}
+		}
+
+	else if ( transport_proto == TRANSPORT_UDP )
+		flip_roles =
+			IsLikelyServerPort(src_port, TRANSPORT_UDP) &&
+			! IsLikelyServerPort(dst_port, TRANSPORT_UDP);
+
+	return true;
+	}
+
+TimerMgr* NetSessions::LookupTimerMgr(const TimerMgr::Tag* tag, bool create)
+	{
+	if ( ! tag )
+		{
+		DBG_LOG(DBG_TM, "no tag, using global timer mgr %p", timer_mgr);
+		return timer_mgr;
+		}
+
+	TimerMgrMap::iterator i = timer_mgrs.find(*tag);
+	if ( i != timer_mgrs.end() )
+		{
+		DBG_LOG(DBG_TM, "tag %s, using non-global timer mgr %p", tag->c_str(), i->second);
+		return i->second;
+		}
+	else
+		{
+		if ( ! create )
+			return 0;
+
+		// Create new queue for tag.
+		TimerMgr* mgr = new CQ_TimerMgr(*tag);
+		DBG_LOG(DBG_TM, "tag %s, creating new non-global timer mgr %p", tag->c_str(), mgr);
+		timer_mgrs.insert(TimerMgrMap::value_type(*tag, mgr));
+		double t = timer_mgr->Time() + timer_mgr_inactivity_timeout;
+		timer_mgr->Add(new TimerMgrExpireTimer(t, mgr));
+		return mgr;
+		}
+	}
+
+void NetSessions::ExpireTimerMgrs()
+	{
+	for ( TimerMgrMap::iterator i = timer_mgrs.begin();
+	      i != timer_mgrs.end(); ++i )
+		{
+		i->second->Expire();
+		delete i->second;
+		}
+	}
+
+void NetSessions::DumpPacket(const struct pcap_pkthdr* hdr,
+				const u_char* pkt, int len)
+	{
+	if ( ! pkt_dumper )
+		return;
+
+	if ( len == 0 )
+		pkt_dumper->Dump(hdr, pkt);
+	else
+		{
+		struct pcap_pkthdr h = *hdr;
+		h.caplen = len;
+		if ( h.caplen > hdr->caplen )
+			internal_error("bad modified caplen");
+		pkt_dumper->Dump(&h, pkt);
+		}
+	}
+
+void NetSessions::Internal(const char* msg, const struct pcap_pkthdr* hdr,
+				const u_char* pkt)
+	{
+	DumpPacket(hdr, pkt);
+	internal_error(msg);
+	}
+
+void NetSessions::Weird(const char* name,
+			const struct pcap_pkthdr* hdr, const u_char* pkt)
+	{
+	if ( hdr )
+		dump_this_packet = 1;
+
+	if ( net_weird )
+		{
+		val_list* vl = new val_list;
+		vl->append(new StringVal(name));
+		mgr.QueueEvent(net_weird, vl);
+		}
+	else
+		fprintf(stderr, "weird: %.06f %s\n", network_time, name);
+	}
+
+void NetSessions::Weird(const char* name, const IP_Hdr* ip)
+	{
+	if ( flow_weird )
+		{
+		val_list* vl = new val_list;
+		vl->append(new StringVal(name));
+		vl->append(new AddrVal(ip->SrcAddr4()));
+		vl->append(new AddrVal(ip->DstAddr4()));
+		mgr.QueueEvent(flow_weird, vl);
+		}
+	else
+		fprintf(stderr, "weird: %.06f %s\n", network_time, name);
+	}
+
+unsigned int NetSessions::ConnectionMemoryUsage()
+	{
+	unsigned int mem = 0;
+
+	if ( terminating )
+		// Connections have been flushed already.
+		return 0;
+
+	IterCookie* cookie = tcp_conns.InitForIteration();
+	Connection* tc;
+
+	while ( (tc = tcp_conns.NextEntry(cookie)) )
+		mem += tc->MemoryAllocation();
+
+	cookie = udp_conns.InitForIteration();
+	Connection* uc;
+
+	while ( (uc = udp_conns.NextEntry(cookie)) )
+		mem += uc->MemoryAllocation();
+
+	cookie = icmp_conns.InitForIteration();
+	Connection* ic;
+
+	while ( (ic = icmp_conns.NextEntry(cookie)) )
+		mem += ic->MemoryAllocation();
+
+	return mem;
+	}
+
+unsigned int NetSessions::ConnectionMemoryUsageConnVals()
+	{
+	unsigned int mem = 0;
+
+	if ( terminating )
+		// Connections have been flushed already.
+		return 0;
+
+	IterCookie* cookie = tcp_conns.InitForIteration();
+	Connection* tc;
+
+	while ( (tc = tcp_conns.NextEntry(cookie)) )
+		mem += tc->MemoryAllocationConnVal();
+
+	cookie = udp_conns.InitForIteration();
+	Connection* uc;
+
+	while ( (uc = udp_conns.NextEntry(cookie)) )
+		mem += uc->MemoryAllocationConnVal();
+
+	cookie = icmp_conns.InitForIteration();
+	Connection* ic;
+
+	while ( (ic = icmp_conns.NextEntry(cookie)) )
+		mem += ic->MemoryAllocationConnVal();
+
+	return mem;
+	}
+
+unsigned int NetSessions::MemoryAllocation()
+	{
+	if ( terminating )
+		// Connections have been flushed already.
+		return 0;
+
+	return ConnectionMemoryUsage()
+		+ padded_sizeof(*this)
+		+ ch->MemoryAllocation()
+		// must take care we don't count the HaskKeys twice.
+		+ tcp_conns.MemoryAllocation() - padded_sizeof(tcp_conns) -
+		// 12 is sizeof(Key) from ConnID::BuildConnKey();
+		// it can't be (easily) accessed here. :-(
+			(tcp_conns.Length() * pad_size(12))
+		+ udp_conns.MemoryAllocation() - padded_sizeof(udp_conns) -
+			(udp_conns.Length() * pad_size(12))
+		+ icmp_conns.MemoryAllocation() - padded_sizeof(icmp_conns) -
+			(icmp_conns.Length() * pad_size(12))
+		+ fragments.MemoryAllocation() - padded_sizeof(fragments)
+		// FIXME: MemoryAllocation() not implemented for rest.
+		;
+	}
diff --git a/src/Sessions.h b/src/Sessions.h
new file mode 100644
index 0000000000..a85af005f4
--- /dev/null
+++ b/src/Sessions.h
@@ -0,0 +1,229 @@
+// $Id: Sessions.h 6219 2008-10-01 05:39:07Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#ifndef sessions_h
+#define sessions_h
+
+#include "Dict.h"
+#include "CompHash.h"
+#include "IP.h"
+#include "ARP.h"
+#include "Frag.h"
+#include "PacketFilter.h"
+#include "Stats.h"
+#include "NetVar.h"
+
+struct pcap_pkthdr;
+
+class Connection;
+class ConnID;
+class OSFingerprint;
+class ConnCompressor;
+
+declare(PDict,Connection);
+declare(PDict,FragReassembler);
+
+class Discarder;
+class SteppingStoneManager;
+class PacketFilter;
+
+class PacketSortElement;
+
+struct SessionStats {
+	int num_TCP_conns;
+	int num_UDP_conns;
+	int num_ICMP_conns;
+	int num_fragments;
+	int num_packets;
+	int num_timers;
+	int num_events_queued;
+	int num_events_dispatched;
+
+	int max_TCP_conns;
+	int max_UDP_conns;
+	int max_ICMP_conns;
+	int max_fragments;
+	int max_timers;
+};
+
+// Drains and deletes a timer manager if it hasn't seen any advances
+// for an interval timer_mgr_inactivity_timeout.
+class TimerMgrExpireTimer : public Timer {
+public:
+	TimerMgrExpireTimer(double t, TimerMgr* arg_mgr)
+		: Timer(t, TIMER_TIMERMGR_EXPIRE)
+		{
+		mgr = arg_mgr;
+		}
+
+	virtual void Dispatch(double t, int is_expire);
+
+protected:
+	double interval;
+	TimerMgr* mgr;
+};
+
+class NetSessions {
+public:
+	NetSessions();
+	~NetSessions();
+
+	// Main entry point for packet processing. Dispatches the packet
+	// either through NextPacket() or NextPacketSecondary(), optionally
+	// employing the packet sorter first.
+	void DispatchPacket(double t, const struct pcap_pkthdr* hdr,
+			const u_char* const pkt, int hdr_size,
+			PktSrc* src_ps, PacketSortElement* pkt_elem);
+	
+	void Done();	// call to drain events before destructing
+
+	// Returns a reassembled packet, or nil if there are still
+	// some missing fragments.
+	FragReassembler* NextFragment(double t, const IP_Hdr* ip,
+				const u_char* pkt, uint32 frag_field);
+
+	int Get_OS_From_SYN(struct os_type* retval,
+			uint16 tot, uint8 DF_flag, uint8 TTL, uint16 WSS,
+			uint8 ocnt, uint8* op, uint16 MSS, uint8 win_scale,
+			uint32 tstamp, /* uint8 TOS, */ uint32 quirks,
+			uint8 ECN) const;
+
+	bool CompareWithPreviousOSMatch(uint32 addr, int id) const;
+
+	// Looks up the connection referred to by the given Val,
+	// which should be a conn_id record.  Returns nil if there's
+	// no such connection or the Val is ill-formed.
+	Connection* FindConnection(Val* v);
+
+	void Remove(Connection* c);
+	void Remove(FragReassembler* f);
+
+	void Insert(Connection* c);
+
+	// Generating connection_pending events for all connections
+	// that are still active.
+	void Drain();
+
+	// Called periodically to generate statistics reports.
+	void HeartBeat(double t);
+
+	void GetStats(SessionStats& s) const;
+
+	void Weird(const char* name,
+		const struct pcap_pkthdr* hdr, const u_char* pkt);
+	void Weird(const char* name, const IP_Hdr* ip);
+
+	PacketFilter* GetPacketFilter()
+		{
+		if ( ! packet_filter )
+			packet_filter = new PacketFilter(packet_filter_default);
+		return packet_filter;
+		}
+
+	// Looks up timer manager associated with tag.  If tag is unknown and
+	// "create" is true, creates new timer manager and stores it.  Returns
+	// global timer manager if tag is nil.
+	TimerMgr* LookupTimerMgr(const TimerMgr::Tag* tag, bool create = true);
+
+	void ExpireTimerMgrs();
+
+	SteppingStoneManager* GetSTPManager()	{ return stp_manager; }
+
+	unsigned int CurrentConnections()
+		{
+		return tcp_conns.Length() + udp_conns.Length() +
+			icmp_conns.Length();
+		}
+
+	unsigned int ConnectionMemoryUsage();
+	unsigned int ConnectionMemoryUsageConnVals();
+	unsigned int MemoryAllocation();
+	TCPStateStats tcp_stats;	// keeps statistics on TCP states
+
+protected:
+	friend class RemoteSerializer;
+	friend class ConnCompressor;
+	friend class TimerMgrExpireTimer;
+
+	Connection* NewConn(HashKey* k, double t, const ConnID* id,
+			const u_char* data, int proto);
+
+	// Check whether the tag of the current packet is consistent with
+	// the given connection.  Returns:
+	//    -1   if current packet is to be completely ignored.
+	//     0   if tag is not consistent and new conn should be instantiated.
+	//     1   if tag is consistent, i.e., packet is part of connection.
+	int CheckConnectionTag(Connection* conn);
+
+	// Returns true if the port corresonds to an application
+	// for which there's a Bro analyzer (even if it might not
+	// be used by the present policy script), or it's more
+	// generally a likely server port, false otherwise.
+	//
+	// Note, port is in host order.
+	bool IsLikelyServerPort(uint32 port,
+				TransportProto transport_proto) const;
+
+	// Upon seeing the first packet of a connection, checks whether
+	// we want to analyze it (e.g., we may not want to look at partial
+	// connections), and, if yes, whether we should flip the roles of
+	// originator and responder (based on known ports or such).
+	// Use tcp_flags=0 for non-TCP.
+	bool WantConnection(uint16 src_port, uint16 dest_port,
+				TransportProto transport_proto,
+				uint8 tcp_flags, bool& flip_roles);
+
+	void NextPacket(double t, const struct pcap_pkthdr* hdr,
+			const u_char* const pkt, int hdr_size,
+			PacketSortElement* pkt_elem);
+		
+	void DoNextPacket(double t, const struct pcap_pkthdr* hdr,
+			const IP_Hdr* ip_hdr, const u_char* const pkt,
+			int hdr_size);
+
+	void NextPacketSecondary(double t, const struct pcap_pkthdr* hdr,
+			const u_char* const pkt, int hdr_size,
+			const PktSrc* src_ps);
+	
+	// Record the given packet (if a dumper is active).  If len=0
+	// then the whole packet is recorded, otherwise just the first
+	// len bytes.
+	void DumpPacket(const struct pcap_pkthdr* hdr, const u_char* pkt,
+			int len=0);
+
+	void Internal(const char* msg, const struct pcap_pkthdr* hdr,
+			const u_char* pkt);
+
+	// Builds a record encapsulating a packet.  This should be more
+	// general, including the equivalent of a union of tcp/udp/icmp
+	// headers .
+	Val* BuildHeader(const struct ip* ip);
+
+	CompositeHash* ch;
+	PDict(Connection) tcp_conns;
+	PDict(Connection) udp_conns;
+	PDict(Connection) icmp_conns;
+	PDict(FragReassembler) fragments;
+
+	ARP_Analyzer* arp_analyzer;
+
+	SteppingStoneManager* stp_manager;
+	Discarder* discarder;
+	PacketFilter* packet_filter;
+	OSFingerprint* SYN_OS_Fingerprinter;
+	int build_backdoor_analyzer;
+	int dump_this_packet;	// if true, current packet should be recorded
+	int num_packets_processed;
+	PacketProfiler* pkt_profiler;
+
+	// We may use independent timer managers for different sets of related
+	// activity.  The managers are identified by an unique tag.
+	typedef std::map<TimerMgr::Tag, TimerMgr*> TimerMgrMap;
+	TimerMgrMap timer_mgrs;
+};
+
+// Manager for the currently active sessions.
+extern NetSessions* sessions;
+
+#endif
diff --git a/src/SmithWaterman.cc b/src/SmithWaterman.cc
new file mode 100644
index 0000000000..34ca4bc87b
--- /dev/null
+++ b/src/SmithWaterman.cc
@@ -0,0 +1,579 @@
+// $Id: SmithWaterman.cc 6219 2008-10-01 05:39:07Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "config.h"
+
+#include <algorithm>
+#include <ctype.h>
+
+#include "SmithWaterman.h"
+#include "Var.h"
+#include "util.h"
+
+BroSubstring::BroSubstring(const BroSubstring& bst)
+: BroString((const BroString&) bst), _new(bst._new)
+	{
+	for ( BSSAlignVecCIt it = bst._aligns.begin(); it != bst._aligns.end(); ++it )
+		_aligns.push_back(*it);
+	}
+
+const BroSubstring& BroSubstring::operator=(const BroSubstring& bst)
+	{
+	BroString::operator=(bst);
+
+	_aligns.clear();
+
+	for ( BSSAlignVecCIt it = bst._aligns.begin(); it != bst._aligns.end(); ++it )
+		_aligns.push_back(*it);
+
+	_new = bst._new;
+
+	return *this;
+	}
+
+void BroSubstring::AddAlignment(const BroString* str, int index)
+	{
+	_aligns.push_back(BSSAlign(str, index));
+	}
+
+bool BroSubstring::DoesCover(const BroSubstring* bst) const
+	{
+	if ( _aligns.size() != bst->_aligns.size() )
+		return false;
+
+	BSSAlignVecCIt it_bst = bst->_aligns.begin();
+
+	for ( BSSAlignVecCIt it = _aligns.begin(); it != _aligns.end(); ++it, ++it_bst )
+		{
+		const BSSAlign& a = *it;
+		const BSSAlign& a_bst = *it_bst;
+
+		if (a.index > a_bst.index || a.index + Len() < a_bst.index + bst->Len())
+			return false;
+		}
+
+	return true;
+	}
+
+VectorVal* BroSubstring::VecToPolicy(Vec* vec)
+	{
+	RecordType* sw_substring_type =
+		internal_type("sw_substring")->AsRecordType();
+	if ( ! sw_substring_type )
+		return 0;
+
+	RecordType* sw_align_type =
+		internal_type("sw_align")->AsRecordType();
+	if ( ! sw_align_type )
+		return 0;
+
+	VectorType* sw_align_vec_type =
+		internal_type("sw_align_vec")->AsVectorType();
+	if ( ! sw_align_vec_type )
+		return 0;
+
+	VectorVal* result =
+		new VectorVal(internal_type("sw_substring_vec")->AsVectorType());
+	if ( ! result )
+		return 0;
+
+	if ( vec )
+		{
+		for ( unsigned int i = 0; i < vec->size(); ++i )
+			{
+			BroSubstring* bst = (*vec)[i];
+
+			RecordVal* st_val = new RecordVal(sw_substring_type);
+			st_val->Assign(0, new StringVal(new BroString(*bst)));
+
+			VectorVal* aligns = new VectorVal(sw_align_vec_type);
+
+			for ( unsigned int j = 0; j < bst->GetNumAlignments(); ++j )
+				{
+				const BSSAlign& align = (bst->GetAlignments())[j];
+
+				RecordVal* align_val = new RecordVal(sw_align_type);
+				align_val->Assign(0, new StringVal(new BroString(*align.string)));
+				align_val->Assign(1, new Val(align.index, TYPE_COUNT));
+
+				aligns->Assign(j+1, align_val, 0);
+				}
+
+			st_val->Assign(1, aligns);
+			st_val->Assign(2, new Val(bst->IsNewAlignment(), TYPE_BOOL));
+			result->Assign(i+1, st_val, 0);
+			}
+		}
+
+	return result;
+	}
+
+BroSubstring::Vec* BroSubstring::VecFromPolicy(VectorVal* vec)
+	{
+	Vec* result = new Vec();
+
+	// VectorVals start at index 1!
+	for ( unsigned int i = 1; i <= vec->Size(); ++i )
+		{
+		Val* v = vec->Lookup(i);	// get the RecordVal
+		if ( ! v )
+			continue;
+
+		const BroString* str = v->AsRecordVal()->Lookup(0)->AsString();
+		BroSubstring* substr = new BroSubstring(*str);
+
+		const VectorVal* aligns = v->AsRecordVal()->Lookup(1)->AsVectorVal();
+		for ( unsigned int j = 1; j <= aligns->Size(); ++j )
+			{
+			const RecordVal* align = aligns->AsVectorVal()->Lookup(j)->AsRecordVal();
+			const BroString* str = align->Lookup(0)->AsString();
+			int index = align->Lookup(1)->AsCount();
+			substr->AddAlignment(str, index);
+			}
+
+		bool new_alignment = v->AsRecordVal()->Lookup(2)->AsBool();
+		substr->MarkNewAlignment(new_alignment);
+
+		result->push_back(substr);
+		}
+
+	return result;
+	}
+
+char* BroSubstring::VecToString(Vec* vec)
+	{
+	string result("[");
+
+	for ( BroSubstring::VecIt it = vec->begin(); it != vec->end(); ++it )
+		{
+		result += (*it)->CheckString();
+		result += ",";
+		}
+
+	result += "]";
+	return strdup(result.c_str());
+	}
+
+BroString::IdxVec* BroSubstring::GetOffsetsVec(const Vec* vec, unsigned int index)
+	{
+	BroString::IdxVec* result = new BroString::IdxVec();
+
+	for ( VecCIt it = vec->begin(); it != vec->end(); ++it )
+		{
+		int start, end;
+		const BroSubstring* bst = (*it);
+
+		if ( bst->_aligns.size() <= index )
+			continue;
+
+		const BSSAlign& align = bst->_aligns[index];
+		start = align.index;
+		end = start + bst->Len();
+
+		result->push_back(start);
+		result->push_back(end);
+		}
+
+	return result;
+	}
+
+
+bool BroSubstringCmp::operator()(const BroSubstring* bst1,
+				 const BroSubstring* bst2) const
+	{
+	if ( _index >= bst1->GetNumAlignments() ||
+	     _index >= bst2->GetNumAlignments() )
+		{
+		warn("BroSubstringCmp::operator(): invalid index for input strings.\n");
+		return false;
+		}
+
+	if ( bst1->GetAlignments()[_index].index <=
+	     bst2->GetAlignments()[_index].index )
+		return true;
+
+	return false;
+	}
+
+// A node in Smith-Waterman's dynamic programming matrix.  Each node
+// contains the byte it represents in the case of a match, the score
+// at this point, and a pointer to the previous cell. Previous means
+// one up and left in case of a match, or a jump somewhere above and
+// left in case of a gap.
+//
+struct SWNode {
+	// ID field for the cell, for debugging purposes.
+	int id;
+
+	u_char swn_byte;
+	bool swn_byte_assigned;
+	bool swn_visited;
+
+	// The score in this cell. The cell with the globally best score
+	// marks the end of the alignment.
+	int swn_score;
+
+	// Pointer to previous match, walking back yields subsequence.
+	SWNode* swn_prev;
+};
+
+// A matrix of Smith-Waterman nodes.
+//
+class SWNodeMatrix {
+public:
+	SWNodeMatrix(const BroString* s1, const BroString* s2)
+	: _s1(s1), _s2(s2), _rows(s1->Len() + 1), _cols(s2->Len() + 1)
+		{
+		_nodes = new SWNode[_cols * _rows];
+		memset(_nodes, 0, sizeof(SWNode) * _cols * _rows);
+		}
+
+	~SWNodeMatrix()	{ delete [] _nodes; }
+
+	SWNode* operator()(int row, int col)
+		{
+		// Make sure access is in allowed range.
+		if ( row < 0 || row >= _rows )
+			return 0;
+		if ( col < 0 || col >= _cols )
+			return 0;
+
+		return &(_nodes[row * _cols + col]);
+		}
+
+	const BroString* GetRowsString() const	{ return _s1; }
+	const BroString* GetColsString() const	{ return _s2; }
+
+	int GetHeight() const	{ return _rows; }
+	int GetWidth() const	{ return _cols; }
+
+	// Quick helper function that calculates the coordinates of a
+	// node in the matrix via pointer arithmetic.
+	//
+	void GetNodeIndices(SWNode* node, int& row, int& col)
+		{
+		SWNode* base = &_nodes[0];
+		int offset = (node - base);
+		col = (offset % _cols);
+		row = (offset / _cols);
+		}
+
+private:
+	const BroString* _s1;
+	const BroString* _s2;
+
+	int _rows, _cols;
+	SWNode* _nodes;
+};
+
+// Returns the common subsequence starting from a given node.
+// @result: vector holding results on return.
+// @matrix: SW matrix.
+// @node: starting node.
+// @params: SW parameters.
+//
+static void sw_collect_single(BroSubstring::Vec* result, SWNodeMatrix& matrix,
+			      SWNode* node, SWParams& params)
+	{
+	string substring("");
+	int row = 0, col = 0;
+
+	while ( node )
+		{
+//		printf("NODE: %i\n", node->id);
+		node->swn_visited = true;
+
+		// Once we hit a gap, terminate the string and prepend
+		// it to our result vector, IF it has at least the length
+		// requested through the params._min_toklen parameter.
+		//
+		if ( node->swn_byte_assigned )
+			{
+			matrix.GetNodeIndices(node, row, col);
+			substring += node->swn_byte;
+//			printf("SUBSTRING: %s\n", substring.c_str());
+			}
+		else
+			{
+//			printf("GAP\n");
+			if ( substring.size() >= params._min_toklen )
+				{
+				reverse(substring.begin(), substring.end());
+				BroSubstring* bst = new BroSubstring(substring);
+				bst->AddAlignment(matrix.GetRowsString(), row-1);
+				bst->AddAlignment(matrix.GetColsString(), col-1);
+				result->push_back(bst);
+				}
+
+			substring = "";
+			}
+
+		node = node->swn_prev;
+		}
+
+	// Anything left over now is the first string of an alignment and is
+	// manually added and marked as the beginning of a new alignment.
+	//
+	if ( substring.size() > 0 )
+		{
+		reverse(substring.begin(), substring.end());
+		BroSubstring* bst = new BroSubstring(substring);
+		bst->AddAlignment(matrix.GetRowsString(), row-1);
+		bst->AddAlignment(matrix.GetColsString(), col-1);
+		result->push_back(bst);
+		}
+
+	if ( result->size() > 0 )
+		result->back()->MarkNewAlignment(true);
+	}
+
+// Returns repeated common-subsequence alignments.
+// @result: vector holding results on return.
+// @matrix: SW matrix.
+// @params: SW parameters.
+//
+// The approach taken is to essentially follow back from all starting points of
+// common subsequences while tracking which nodes were visited earlier and which
+// substrings are redundant (i.e., fully covered by a larger common substring).
+//
+static void sw_collect_multiple(BroSubstring::Vec* result,
+				SWNodeMatrix& matrix, SWParams& params)
+	{
+	vector<BroSubstring::Vec*> als;
+
+	for ( int i = matrix.GetHeight() - 1; i > 0; --i )
+		{
+		for ( int j = matrix.GetWidth() - 1; j > 0; --j )
+			{
+			SWNode* node = matrix(i, j);
+
+			if ( ! (node->swn_byte_assigned && ! node->swn_visited) )
+				continue;
+
+			BroSubstring::Vec* new_al = new BroSubstring::Vec();
+			sw_collect_single(new_al, matrix, node, params);
+
+			for ( vector<BroSubstring::Vec*>::iterator it = als.begin();
+			      it != als.end(); ++it )
+				{
+				BroSubstring::Vec* old_al = *it;
+
+				if ( old_al == 0 )
+					continue;
+
+				for ( BroSubstring::VecIt it2 = old_al->begin();
+				      it2 != old_al->end(); ++it2 )
+					{
+					for ( BroSubstring::VecIt it3 = new_al->begin();
+					      it3 != new_al->end(); ++it3 )
+						{
+						if ( (*it2)->DoesCover(*it3) )
+							{
+							delete_each(new_al);
+							delete new_al;
+							new_al = 0;
+							goto end_loop;
+							}
+
+						if ( (*it3)->DoesCover(*it2) )
+							{
+							delete_each(old_al);
+							delete old_al;
+							*it = 0;
+							goto end_loop;
+							}
+						}
+					}
+				}
+
+end_loop:
+			if ( new_al )
+				als.push_back(new_al);
+			}
+		}
+
+	for ( vector<BroSubstring::Vec*>::iterator it = als.begin();
+	      it != als.end(); ++it )
+		{
+		BroSubstring::Vec* al = *it;
+
+		if ( al == 0 )
+			continue;
+
+		for ( BroSubstring::VecIt it2 = al->begin();
+		      it2 != al->end(); ++it2 )
+			result->push_back(*it2);
+
+		delete al;
+		}
+	}
+
+// The main Smith-Waterman algorithm.
+//
+BroSubstring::Vec* smith_waterman(const BroString* s1, const BroString* s2,
+					SWParams& params)
+	{
+	BroSubstring::Vec* result = new BroSubstring::Vec();
+
+	if ( ! s1 || s1->Len() < int(params._min_toklen) ||
+	     ! s2 || s2->Len() < int(params._min_toklen) )
+		return result;
+
+	// Length of both strings, plus one because SW needs
+	// an extra row and column.
+	//
+	int i, len1 = s1->Len() + 1;
+	int j, len2 = s2->Len() + 1;
+
+	int row = 0, col = 0;
+
+	byte_vec string1 = s1->Bytes();
+	byte_vec string2 = s2->Bytes();
+
+	SWNodeMatrix matrix(s1, s2);	// dynamic programming matrix.
+	SWNode* node_max = 0;	// pointer to the best score's node
+	SWNode* node_br_max = 0;	// pointer to lowest-right matching node
+
+	// The highest score in the matrix, globally.  We initialize to 1
+	// because we are only interested in real scores (initializing to
+	// -infty would mean 0 is larger, and would complicate the link
+	// structure in the matrix).
+	//
+	int matrix_max = 1;
+	int br_max_r = 0;
+	int br_max_b = 0;
+
+
+	// Matrix initialization ----------------------------------------------
+
+	// Assign IDs to each cell -- this is only for debugging purposes
+	// and can go later.
+
+	int counter = 1;
+
+	for ( i = 1; i < len1; ++i )
+		for ( j = 1; j < len2; ++j )
+			matrix(i, j)->id = counter++;
+
+	// Subsequence calculation --------------------------------------------
+
+	for ( i = 1; i < len1; ++i )
+		{
+		for ( j = 1; j < len2; ++j )
+			{
+			// Current node, top/left neighbours.
+			//
+			SWNode* current = matrix(i, j);
+			SWNode* node_tl = matrix(i-1, j-1);
+			SWNode* node_l  = matrix(i, j-1);
+			SWNode* node_t  = matrix(i-1, j);
+
+			// Scores of neighbouring nodes.
+			//
+			int score_t = node_t->swn_score;
+			int score_l = node_l->swn_score;
+			int score_tl = node_tl->swn_score;
+
+			// If strings at current indices match, assign new
+			// score to current node.  Minus-one adjustments
+			// are necessary since matrix has one extra
+			// row + column.
+			//
+			if ( string1[i-1] == string2[j-1] )
+				{
+				// We have a match: improve previous score.
+				//
+				score_tl += 1;
+
+				// If we're continuing a chain of matches, rate
+				// higher.  This favours longer consecutive
+				// substrings.
+				//
+				if ( node_tl->swn_byte_assigned )
+					score_tl += 99;
+
+				// Store the byte we've matched in the node for
+				// easier access.
+				//
+				current->swn_byte = string1[i-1];
+				current->swn_byte_assigned = true;
+				}
+
+			// Pick the score among the neighbours that is now highest.
+			// This is the core of Smith-Waterman.
+			//
+			if ( current->swn_byte_assigned )
+				current->swn_score = score_tl;
+			else
+				current->swn_score = max(max(score_t, score_l), score_tl);
+
+			// Establish predecessor chain according to neighbor
+			// with best score.
+			//
+			if ( current->swn_score == score_tl &&
+			     current->swn_byte_assigned )
+				{
+				// If we had matched bytes (*and* it's the
+				// best neighbor), marke the node accordingly
+				//
+				if ( i >= br_max_b && j >= br_max_r )
+					{
+					node_br_max = current;
+					br_max_b = i;
+					br_max_r = j;
+					}
+
+				current->swn_prev = node_tl;
+				}
+			else if ( current->swn_score == score_t )
+				current->swn_prev = node_t;
+			else
+				current->swn_prev = node_l;
+
+			// Check if we have a new global maximum -- we
+			// specifically track the node that is the global
+			// maximum so we now from where to backtrack at
+			// the end of the matrix iteration.
+			//
+			if ( current->swn_score > matrix_max )
+				{
+				node_max = current;
+				matrix_max = current->swn_score;
+				}
+
+#if 0
+			printf("%4i/%.5i%c/%.5i[%c%c] ",
+				current->swn_score,
+		 		current->id,
+				current->swn_byte_assigned ? '*' : ' ',
+		 		current->swn_prev ? current->swn_prev->id : 0,
+			       string1[i-1], string2[j-1]);
+#endif
+			//printf("%.5i ", current->swn_score); 
+			}
+
+#if 0
+		printf("\n");
+#endif
+		}
+
+	// Result generation.
+
+	// How we do this depends on the mode we operate in.  In SW_SINGLE, we
+	// follow the path from the best node until there is no predecessor
+	// (that is, when we hit a node in row 0), and stop.  In SW_MULTIPLE,
+	// we collect all non-redundant common subsequences.
+
+	if ( params._sw_variant == SW_MULTIPLE )
+		sw_collect_multiple(result, matrix, params);
+	else
+		sw_collect_single(result, matrix, node_max, params);
+
+	if ( len1 > len2 )
+		sort(result->begin(), result->end(), BroSubstringCmp(0));
+	else
+		sort(result->begin(), result->end(), BroSubstringCmp(1));
+
+	return result;
+	}
diff --git a/src/SmithWaterman.h b/src/SmithWaterman.h
new file mode 100644
index 0000000000..c8c80d09af
--- /dev/null
+++ b/src/SmithWaterman.h
@@ -0,0 +1,159 @@
+// $Id: SmithWaterman.h 6219 2008-10-01 05:39:07Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#ifndef smith_waterman_h
+#define smith_waterman_h
+
+#include "BroString.h"
+#include <map>
+using namespace std;
+
+// BroSubstrings are essentially BroStrings, augmented with indexing
+// information required for the Smith-Waterman algorithm.  Each substring
+// can be marked as being a common substring of arbitrarily many strings,
+// for each of which we store where the substring starts.
+//
+//
+class BroSubstring : public BroString {
+
+public:
+	typedef vector<BroSubstring*> Vec;
+	typedef Vec::iterator VecIt;
+	typedef Vec::const_iterator VecCIt;
+
+	// An alignment to another string.
+	//
+	struct BSSAlign {
+
+		BSSAlign(const BroString* string, int index)
+			{ this->string = string; this->index = index; }
+
+		// The other string
+		//
+		const BroString* string;
+
+		// Offset in the string that substring
+		// starts at, counting from 0.
+		//
+		int index;
+	};
+
+	typedef vector<BSSAlign> BSSAlignVec;
+	typedef BSSAlignVec::iterator BSSAlignVecIt;
+	typedef BSSAlignVec::const_iterator BSSAlignVecCIt;
+
+	BroSubstring(const string& string)
+		: BroString(string), _new(false) { }
+
+	BroSubstring(const BroString& string)
+		: BroString(string), _new(false) { }
+
+	BroSubstring(const BroSubstring& bst);
+
+	const BroSubstring& operator=(const BroSubstring& bst);
+
+	// Returns true if this string completely covers the given one.
+	// "Covering" means that the substring must be at least as long
+	// as the one compared to, and completely covers the range occupied
+	// by the given one.
+	//
+	bool DoesCover(const BroSubstring* bst) const;
+
+	void AddAlignment(const BroString* string, int index);
+	const BSSAlignVec& GetAlignments() const	{ return _aligns; }
+	unsigned int GetNumAlignments() const	{ return _aligns.size(); }
+
+	void SetNum(int num)	{ _num = num; }
+	int GetNum() const	{ return _num; }
+
+	void MarkNewAlignment(bool mark) { _new = mark; }
+	bool IsNewAlignment()	{ return _new; }
+
+	// Helper methods for vectors:
+	//
+	static VectorVal* VecToPolicy(Vec* vec);
+	static Vec* VecFromPolicy(VectorVal* vec);
+	static char* VecToString(Vec* vec);
+	static BroString::IdxVec* GetOffsetsVec(const Vec* vec,
+						unsigned int index);
+
+private:
+	typedef map<string, void*> DataMap;
+	typedef DataMap::iterator DataMapIt;
+
+	BroSubstring();
+
+	// The alignments registered for this substring.
+	BSSAlignVec _aligns;
+
+	// Every substring can have a numerical label.
+	int _num;
+
+	// True if this node marks the start of a new alignment.
+	bool _new;
+};
+
+// A comparison class that sorts BroSubstrings according to the string
+// offset value of the nth input string, where "nth" starts from 0.
+//
+class BroSubstringCmp {
+public:
+	BroSubstringCmp(unsigned int index)	{ _index = index; }
+	bool operator()(const BroSubstring* bst1, const BroSubstring* bst2) const;
+
+ private:
+	unsigned int _index;
+};
+
+// Smith-Waterman Implementation
+// ---------------------------------------------------------------------
+//
+
+// We support two modes of operation: finding a single optimal alignment,
+// and repeated alignments.
+//
+enum SWVariant {
+	SW_SINGLE   = 0,	// return a single, optimum alignment
+	SW_MULTIPLE = 1,	// find repeated, non-overlapping alignments
+};
+
+// Parameters for Smith-Waterman are stored in this simple record.
+//
+struct SWParams {
+	SWParams(unsigned int min_toklen = 3, SWVariant sw_variant = SW_SINGLE)
+		{
+		_min_toklen = min_toklen;
+		_sw_variant = sw_variant;
+		}
+
+	// The minimum string size to report.  For example, min_toklen = 2
+	// won't report any common single-letter subsequences.
+	unsigned int _min_toklen;
+
+	SWVariant _sw_variant;
+};
+
+
+// The smith_waterman() algorithm finds the longest common subsequence(s)
+// of two strings, also known as the best local alignment.  A subsequence
+// is a sequence of common substrings.
+//
+//  s1:         first input string
+//  s2:         second input string
+//  params:     Smith-Waterman parameters.
+//
+// Subsequences of a string are any strings based on the original one
+// with individual characters left out. Note that this is different
+// from the longest common substring problem.
+//
+// The function returns a vector consisting of all substrings comprising
+// the subsequence.  With each string you also get the indices of both
+// input strings where the string occurs.  On error, or if no common
+// subsequence exists, an empty vector is returned.
+//
+extern BroSubstring::Vec* smith_waterman(const BroString* s1,
+					 const BroString* s2,
+					 SWParams& params);
+
+#endif
diff --git a/src/StateAccess.cc b/src/StateAccess.cc
new file mode 100644
index 0000000000..17f702f07e
--- /dev/null
+++ b/src/StateAccess.cc
@@ -0,0 +1,1017 @@
+// $Id: StateAccess.cc 6888 2009-08-20 18:23:11Z vern $
+
+#include "Val.h"
+#include "StateAccess.h"
+#include "Serializer.h"
+#include "Event.h"
+#include "NetVar.h"
+#include "DebugLogger.h"
+#include "RemoteSerializer.h"
+#include "PersistenceSerializer.h"
+
+int StateAccess::replaying = 0;
+
+StateAccess::StateAccess(Opcode arg_opcode,
+		const MutableVal* arg_target, const Val* arg_op1,
+		const Val* arg_op2, const Val* arg_op3)
+	{
+	opcode = arg_opcode;
+	target.val = const_cast<MutableVal*>(arg_target);
+	target_type = TYPE_MVAL;
+	op1.val = const_cast<Val*>(arg_op1);
+	op1_type = TYPE_VAL;
+	op2 = const_cast<Val*>(arg_op2);
+	op3 = const_cast<Val*>(arg_op3);
+	delete_op1_key = false;
+
+	RefThem();
+	}
+
+StateAccess::StateAccess(Opcode arg_opcode,
+		const ID* arg_target, const Val* arg_op1,
+		const Val* arg_op2, const Val* arg_op3)
+	{
+	opcode = arg_opcode;
+	target.id = const_cast<ID*>(arg_target);
+	target_type = TYPE_ID;
+	op1.val = const_cast<Val*>(arg_op1);
+	op1_type = TYPE_VAL;
+	op2 = const_cast<Val*>(arg_op2);
+	op3 = const_cast<Val*>(arg_op3);
+	delete_op1_key = false;
+
+	RefThem();
+	}
+
+StateAccess::StateAccess(Opcode arg_opcode,
+		const ID* arg_target, const HashKey* arg_op1,
+		const Val* arg_op2, const Val* arg_op3)
+	{
+	opcode = arg_opcode;
+	target.id = const_cast<ID*>(arg_target);
+	target_type = TYPE_ID;
+	op1.key = new HashKey(arg_op1->Key(), arg_op1->Size(), arg_op1->Hash());
+	op1_type = TYPE_KEY;
+	op2 = const_cast<Val*>(arg_op2);
+	op3 = const_cast<Val*>(arg_op3);
+	delete_op1_key = true;
+
+	RefThem();
+	}
+
+StateAccess::StateAccess(Opcode arg_opcode,
+		const MutableVal* arg_target, const HashKey* arg_op1,
+		const Val* arg_op2, const Val* arg_op3)
+	{
+	opcode = arg_opcode;
+	target.val = const_cast<MutableVal*>(arg_target);
+	target_type = TYPE_MVAL;
+	op1.key = new HashKey(arg_op1->Key(), arg_op1->Size(), arg_op1->Hash());
+	op1_type = TYPE_KEY;
+	op2 = const_cast<Val*>(arg_op2);
+	op3 = const_cast<Val*>(arg_op3);
+	delete_op1_key = true;
+
+	RefThem();
+	}
+
+StateAccess::StateAccess(const StateAccess& sa)
+: SerialObj()
+	{
+	opcode = sa.opcode;
+	target_type = sa.target_type;
+	op1_type = sa.op1_type;
+	delete_op1_key = false;
+
+	if ( target_type == TYPE_ID )
+		target.id = sa.target.id;
+	else
+		target.val = sa.target.val;
+
+	if ( op1_type == TYPE_VAL )
+		op1.val = sa.op1.val;
+	else
+		{
+		// We need to copy the key as the pointer may not be
+		// valid anymore later.
+		op1.key = new HashKey(sa.op1.key->Key(), sa.op1.key->Size(),
+					sa.op1.key->Hash());
+		delete_op1_key = true;
+		}
+
+	op2 = sa.op2;
+	op3 = sa.op3;
+
+	RefThem();
+	}
+
+StateAccess::~StateAccess()
+	{
+	if ( target_type == TYPE_ID )
+		Unref(target.id);
+	else
+		Unref(target.val);
+
+	if ( op1_type == TYPE_VAL )
+		Unref(op1.val);
+	else if ( delete_op1_key )
+		delete op1.key;
+
+	Unref(op2);
+	Unref(op3);
+	}
+
+void StateAccess::RefThem()
+	{
+	if ( target_type == TYPE_ID )
+		Ref(target.id);
+	else
+		Ref(target.val);
+
+	if ( op1_type == TYPE_VAL && op1.val )
+		Ref(op1.val);
+
+	if ( op2 )
+		Ref(op2);
+	if ( op3 )
+		Ref(op3);
+	}
+
+bool StateAccess::CheckOld(const char* op, ID* id, Val* index,
+				Val* should, Val* is)
+	{
+	if ( ! remote_check_sync_consistency )
+		return true;
+
+	if ( ! should && ! is )
+		return true;
+
+	// 'should == index' means that 'is' should be non-nil.
+	if ( should == index && is )
+		return true;
+
+	if ( should && is )
+		{
+		// There's no general comparision for non-atomic vals currently.
+		if ( ! (is_atomic_val(is) && is_atomic_val(should)) )
+			return true;
+
+		if ( same_atomic_val(should, is) )
+			return true;
+		}
+
+	Val* arg1;
+	Val* arg2;
+	Val* arg3;
+
+	if ( index )
+		{
+		ODesc d;
+		d.SetShort();
+		index->Describe(&d);
+		arg1 = new StringVal(fmt("%s[%s]", id->Name(), d.Description()));
+		}
+	else
+		arg1 = new StringVal(id->Name());
+
+	if ( should )
+		{
+		ODesc d;
+		d.SetShort();
+		should->Describe(&d);
+		arg2 = new StringVal(d.Description());
+		}
+	else
+		arg2 = new StringVal("<none>");
+
+	if ( is )
+		{
+		ODesc d;
+		d.SetShort();
+		is->Describe(&d);
+		arg3 = new StringVal(d.Description());
+		}
+	else
+		arg3 = new StringVal("<none>");
+
+	val_list* args = new val_list;
+	args->append(new StringVal(op));
+	args->append(arg1);
+	args->append(arg2);
+	args->append(arg3);
+	mgr.QueueEvent(remote_state_inconsistency, args);
+
+	return false;
+	}
+
+bool StateAccess::CheckOldSet(const char* op, ID* id, Val* index,
+				bool should, bool is)
+	{
+	if ( ! remote_check_sync_consistency )
+		return true;
+
+	if ( should == is )
+		return true;
+
+	ODesc d;
+	d.SetShort();
+	index->Describe(&d);
+
+	Val* arg1 = new StringVal(fmt("%s[%s]", id->Name(), d.Description()));
+	Val* arg2 = new StringVal(should ? "set" : "not set");
+	Val* arg3 = new StringVal(is ? "set" : "not set");
+
+	val_list* args = new val_list;
+	args->append(new StringVal(op));
+	args->append(arg1);
+	args->append(arg2);
+	args->append(arg3);
+	mgr.QueueEvent(remote_state_inconsistency, args);
+
+	return false;
+	}
+
+bool StateAccess::MergeTables(TableVal* dst, Val* src)
+	{
+	if ( ! src->Type()->Tag() == TYPE_TABLE )
+		{
+		run_time("type mismatch while merging tables");
+		return false;
+		}
+
+	if ( ! src->AsTableVal()->FindAttr(ATTR_MERGEABLE) )
+		return false;
+
+	DBG_LOG(DBG_STATE, "merging tables %s += %s", dst->UniqueID()->Name(),
+			src->AsTableVal()->UniqueID()->Name());
+
+	src->AsTableVal()->AddTo(dst, 0);
+
+	// We need to make sure that the resulting table is accessible by
+	// the new name (while keeping the old as an alias).
+	dst->TransferUniqueID(src->AsMutableVal());
+
+	return true;
+	}
+
+void StateAccess::Replay()
+	{
+	// For simplicity we assume that we only replay unserialized accesses.
+	assert(target_type == TYPE_ID && op1_type == TYPE_VAL);
+
+	if ( ! target.id )
+		return;
+
+	Val* v = target.id->ID_Val();
+	TypeTag t = v ? v->Type()->Tag() : TYPE_VOID;
+		
+	if ( opcode != OP_ASSIGN && ! v )
+		{
+		// FIXME: I think this warrants an internal error,
+		// but let's check that first ...
+		// internal_error("replay id lacking a value");
+		run_time("replay id lacks a value");
+		return;
+		}
+
+	++replaying;
+
+	switch ( opcode ) {
+	case OP_ASSIGN:
+		assert(op1.val);
+		// There mustn't be a direct assignment to a unique ID.
+		assert(target.id->Name()[0] != '#');
+		CheckOld("assign", target.id, 0, op2, v);
+
+		if ( t == TYPE_TABLE && v &&
+		     v->AsTableVal()->FindAttr(ATTR_MERGEABLE) )
+			if ( MergeTables(v->AsTableVal(), op1.val) )
+				break;
+
+		target.id->SetVal(op1.val->Ref());
+		break;
+
+	case OP_INCR:
+		if ( IsIntegral(t) )
+			{
+			assert(op1.val && op2);
+			// We derive the amount as difference between old
+			// and new value.
+			bro_int_t amount =
+				op1.val->CoerceToInt() - op2->CoerceToInt();
+
+			target.id->SetVal(new Val(v->CoerceToInt() + amount, t),
+						OP_INCR);
+			}
+		break;
+
+	case OP_ASSIGN_IDX:
+		assert(op1.val);
+
+		if ( t == TYPE_TABLE )
+			{
+			assert(op2);
+
+			BroType* yt = v->Type()->AsTableType()->YieldType();
+
+			if ( yt && yt->Tag() == TYPE_TABLE )
+				{
+				TableVal* tv = v->AsTableVal();
+				Val* w = tv->Lookup(op1.val);
+				if ( w && w->AsTableVal()->FindAttr(ATTR_MERGEABLE) )
+					if ( MergeTables(w->AsTableVal(), op2) )
+						break;
+				}
+
+			CheckOld("index assign", target.id, op1.val, op3,
+					v->AsTableVal()->Lookup(op1.val));
+
+			v->AsTableVal()->Assign(op1.val, op2 ? op2->Ref() : 0);
+			}
+
+		else if ( t == TYPE_RECORD )
+			{
+			const char* field = op1.val->AsString()->CheckString();
+			int idx = v->Type()->AsRecordType()->FieldOffset(field);
+
+			if ( idx >= 0 )
+				{
+				BroType* ft = v->Type()->AsRecordType()->FieldType(field);
+
+				if ( ft && ft->Tag() == TYPE_TABLE )
+					{
+					RecordVal* rv = v->AsRecordVal();
+					Val* w = rv->Lookup(idx);
+					if ( w && w->AsTableVal()->FindAttr(ATTR_MERGEABLE) )
+						if ( MergeTables(w->AsTableVal(), op2) )
+							break;
+					}
+
+				CheckOld("index assign", target.id, op1.val, op3,
+					v->AsRecordVal()->Lookup(idx));
+				v->AsRecordVal()->Assign(idx, op2 ? op2->Ref() : 0);
+				}
+			else
+				run_time(fmt("access replay: unknown record field %s for assign", field));
+			}
+
+		else if ( t == TYPE_VECTOR )
+			{
+			assert(op2);
+			bro_uint_t index = op1.val->AsCount();
+
+			BroType* yt = v->Type()->AsVectorType()->YieldType();
+
+			if ( yt && yt->Tag() == TYPE_TABLE )
+				{
+				VectorVal* vv = v->AsVectorVal();
+				Val* w = vv->Lookup(index);
+				if ( w && w->AsTableVal()->FindAttr(ATTR_MERGEABLE) )
+					if ( MergeTables(w->AsTableVal(), op2) )
+						break;
+				}
+
+			CheckOld("index assign", target.id, op1.val, op3,
+					v->AsVectorVal()->Lookup(index));
+			v->AsVectorVal()->Assign(index, op2 ? op2->Ref() : 0, 0);
+			}
+
+		else
+			internal_error("unknown type in replaying index assign");
+
+		break;
+
+	case OP_INCR_IDX:
+		{
+		assert(op1.val && op2 && op3);
+
+		// We derive the amount as the difference between old
+		// and new value.
+		bro_int_t amount = op2->CoerceToInt() - op3->CoerceToInt();
+
+		if ( t == TYPE_TABLE )
+			{
+			t = v->Type()->AsTableType()->YieldType()->Tag();
+			Val* lookup_op1 = v->AsTableVal()->Lookup(op1.val);
+			int delta = lookup_op1->CoerceToInt() + amount;
+			Val* new_val = new Val(delta, t);
+			v->AsTableVal()->Assign(op1.val, new_val, OP_INCR );
+			}
+
+		else if ( t == TYPE_RECORD )
+			{
+			const char* field = op1.val->AsString()->CheckString();
+			int idx = v->Type()->AsRecordType()->FieldOffset(field);
+			if ( idx >= 0 )
+				{
+				t = v->Type()->AsRecordType()->FieldType(idx)->Tag();
+				Val* lookup_field =
+					v->AsRecordVal()->Lookup(idx);
+				bro_int_t delta =
+					lookup_field->CoerceToInt() + amount;
+				Val* new_val = new Val(delta, t);
+				v->AsRecordVal()->Assign(idx, new_val, OP_INCR);
+				}
+			else
+				run_time(fmt("access replay: unknown record field %s for assign", field));
+			}
+
+		else if ( t == TYPE_VECTOR )
+			{
+			bro_uint_t index = op1.val->AsCount();
+			t = v->Type()->AsVectorType()->YieldType()->Tag();
+			Val* lookup_op1 = v->AsVectorVal()->Lookup(index);
+			int delta = lookup_op1->CoerceToInt() + amount;
+			Val* new_val = new Val(delta, t);
+			v->AsVectorVal()->Assign(index, new_val, 0);
+			}
+
+		else
+			internal_error("unknown type in replaying index increment");
+
+		break;
+		}
+
+	case OP_ADD:
+		assert(op1.val);
+		if ( t == TYPE_TABLE )
+			{
+			CheckOldSet("add", target.id, op1.val, op2 != 0,
+					v->AsTableVal()->Lookup(op1.val) != 0);
+			v->AsTableVal()->Assign(op1.val, 0);
+			}
+		break;
+
+	case OP_DEL:
+		assert(op1.val);
+		if ( t == TYPE_TABLE )
+			{
+			if ( v->Type()->AsTableType()->IsSet() )
+				CheckOldSet("delete", target.id, op1.val, op2 != 0,
+					v->AsTableVal()->Lookup(op1.val) != 0);
+			else
+				CheckOld("delete", target.id, op1.val, op2,
+					v->AsTableVal()->Lookup(op1.val));
+
+			Unref(v->AsTableVal()->Delete(op1.val));
+			}
+		break;
+
+	case OP_EXPIRE:
+		assert(op1.val);
+		if ( t == TYPE_TABLE )
+			{
+			// No old check for expire.  It may have already
+			// been deleted by ourselves.  Furthermore, we
+			// ignore the expire_func's return value.
+			TableVal* tv = v->AsTableVal();
+			if ( tv->Lookup(op1.val, false) )
+				{
+				// We want to propagate state updates which
+				// are performed in the expire_func.
+				StateAccess::ResumeReplay();
+
+				if ( remote_serializer )
+					remote_serializer->ResumeStateUpdates();
+
+				tv->CallExpireFunc(op1.val->Ref());
+
+				if ( remote_serializer )
+					remote_serializer->SuspendStateUpdates();
+
+				StateAccess::SuspendReplay();
+
+				Unref(tv->AsTableVal()->Delete(op1.val));
+				}
+			}
+
+		break;
+
+	case OP_PRINT:
+		assert(op1.val);
+		internal_error("access replay for print not implemented");
+		break;
+
+	case OP_READ_IDX:
+		if ( t == TYPE_TABLE )
+			{
+			assert(op1.val);
+			TableVal* tv = v->AsTableVal();
+
+			// Update the timestamp if we have a read_expire.
+			if ( tv->FindAttr(ATTR_EXPIRE_READ) )
+				{
+				if ( ! tv->UpdateTimestamp(op1.val) &&
+				     remote_check_sync_consistency )
+					{
+					ODesc d;
+					d.SetShort();
+					op1.val->Describe(&d);
+
+					val_list* args = new val_list;
+					args->append(new StringVal("read"));
+					args->append(new StringVal(fmt("%s[%s]", target.id->Name(), d.Description())));
+					args->append(new StringVal("existent"));
+					args->append(new StringVal("not existent"));
+					mgr.QueueEvent(remote_state_inconsistency, args);
+					}
+				}
+			}
+		else
+			run_time("read for non-table");
+		break;
+
+	default:
+		internal_error("access replay: unknown opcode for StateAccess");
+		break;
+		}
+
+	--replaying;
+
+	if ( remote_state_access_performed )
+		{
+		val_list* vl = new val_list;
+		vl->append(new StringVal(target.id->Name()));
+		vl->append(target.id->ID_Val()->Ref());
+		mgr.QueueEvent(remote_state_access_performed, vl);
+		}
+	}
+
+ID* StateAccess::Target() const
+	{
+	return target_type == TYPE_ID ? target.id : target.val->UniqueID();
+	}
+
+bool StateAccess::Serialize(SerialInfo* info) const
+	{
+	return SerialObj::Serialize(info);
+	}
+
+StateAccess* StateAccess::Unserialize(UnserialInfo* info)
+	{
+	StateAccess* sa =
+		(StateAccess*) SerialObj::Unserialize(info, SER_STATE_ACCESS);
+	return sa;
+	}
+
+IMPLEMENT_SERIAL(StateAccess, SER_STATE_ACCESS);
+
+bool StateAccess::DoSerialize(SerialInfo* info) const
+	{
+	DO_SERIALIZE(SER_STATE_ACCESS, SerialObj);
+
+	if ( ! SERIALIZE(char(opcode)) )
+		return false;
+
+	const ID* id =
+		target_type == TYPE_ID ? target.id : target.val->UniqueID();
+
+	if ( ! SERIALIZE(id->Name()) )
+		 return false;
+
+	if ( op1_type == TYPE_KEY )
+		{
+		Val* index =
+			id->ID_Val()->AsTableVal()->RecoverIndex(this->op1.key);
+
+		if ( ! index )
+			return false;
+		if ( ! index->Serialize(info) )
+			return false;
+
+		Unref(index);
+		}
+
+	else if ( ! op1.val->Serialize(info) )
+		return false;
+
+	// Don't send the "old" operand if we don't want consistency checks.
+	// Unfortunately, it depends on the opcode which operand that actually
+	// is.
+
+	const Val* null = 0;
+
+	if ( remote_check_sync_consistency )
+		{
+		SERIALIZE_OPTIONAL(op2);
+		SERIALIZE_OPTIONAL(op3);
+		}
+
+	else
+		{
+		switch ( opcode ) {
+		case OP_PRINT:
+		case OP_EXPIRE:
+		case OP_READ_IDX:
+			// No old.
+			SERIALIZE_OPTIONAL(null);
+			SERIALIZE_OPTIONAL(null);
+			break;
+
+		case OP_INCR:
+		case OP_INCR_IDX:
+			// Always need old.
+			SERIALIZE_OPTIONAL(op2);
+			SERIALIZE_OPTIONAL(op3);
+			break;
+
+		case OP_ASSIGN:
+		case OP_ADD:
+		case OP_DEL:
+			// Op2 is old.
+			SERIALIZE_OPTIONAL(null);
+			SERIALIZE_OPTIONAL(null);
+			break;
+
+		case OP_ASSIGN_IDX:
+			// Op3 is old.
+			SERIALIZE_OPTIONAL(op2);
+			SERIALIZE_OPTIONAL(null);
+			break;
+
+		default:
+			internal_error("StateAccess::DoSerialize: unknown opcode");
+		}
+		}
+
+		return true;
+	}
+
+bool StateAccess::DoUnserialize(UnserialInfo* info)
+	{
+	DO_UNSERIALIZE(SerialObj);
+
+	char c;
+	if ( ! UNSERIALIZE(&c) )
+		return false;
+
+	opcode = Opcode(c);
+
+	const char* name;
+	if ( ! UNSERIALIZE_STR(&name, 0) )
+		return false;
+
+	target_type = TYPE_ID;
+	target.id = global_scope()->Lookup(name);
+
+	if ( target.id )
+		// Otherwise, we'll delete it below.
+		delete [] name;
+
+	op1_type = TYPE_VAL;
+	op1.val = Val::Unserialize(info);
+	if ( ! op1.val )
+		return false;
+
+	UNSERIALIZE_OPTIONAL(op2, Val::Unserialize(info));
+	UNSERIALIZE_OPTIONAL(op3, Val::Unserialize(info));
+
+	if ( target.id )
+		Ref(target.id);
+	else
+		{
+		// This may happen as long as we haven't agreed on the
+		// unique name for an ID during initial synchronization, or if
+		// the local peer has already deleted the ID.
+		DBG_LOG(DBG_STATE, "state access referenced unknown id %s", name);
+
+		if ( info->install_uniques )
+			{
+			target.id = new ID(name, SCOPE_GLOBAL, true);
+			Ref(target.id);
+			global_scope()->Insert(name, target.id);
+#ifdef USE_PERFTOOLS
+			heap_checker->IgnoreObject(target.id);
+#endif
+			}
+
+		delete [] name;
+		}
+
+	return true;
+	}
+
+void StateAccess::Describe(ODesc* d) const
+	{
+	const ID* id;
+	const char* id_str = "";
+	const char* unique_str = "";
+
+	d->SetShort();
+
+	if ( target_type == TYPE_ID )
+		{
+		id = target.id;
+
+		if ( ! id )
+			{
+			d->Add("(unknown id)");
+			return;
+			}
+
+		id_str = id->Name();
+
+		if ( id->ID_Val() && id->ID_Val()->IsMutableVal() &&
+		     id->Name()[0] != '#' )
+			unique_str = fmt(" [id] (%s)", id->ID_Val()->AsMutableVal()->UniqueID()->Name());
+		}
+	else
+		{
+		id = target.val->UniqueID();
+
+#ifdef DEBUG
+		if ( target.val->GetID() )
+			{
+			id_str = target.val->GetID()->Name();
+			unique_str = fmt(" [val] (%s)", id->Name());
+			}
+		else
+#endif
+			id_str = id->Name();
+		}
+
+	const Val* op1 = op1_type == TYPE_VAL ?
+		this->op1.val :
+		id->ID_Val()->AsTableVal()->RecoverIndex(this->op1.key);
+
+	switch ( opcode ) {
+	case OP_ASSIGN:
+		assert(op1);
+		d->Add(id_str);
+		d->Add(" = ");
+		op1->Describe(d);
+		if ( op2 )
+			{
+			d->Add(" (");
+			op2->Describe(d);
+			d->Add(")");
+			}
+		d->Add(unique_str);
+		break;
+
+	case OP_INCR:
+		assert(op1 && op2);
+		d->Add(id_str);
+		d->Add(" += ");
+		d->Add(op1->CoerceToInt() - op2->CoerceToInt());
+		d->Add(unique_str);
+		break;
+
+	case OP_ASSIGN_IDX:
+		assert(op1);
+		d->Add(id_str);
+		d->Add("[");
+		op1->Describe(d);
+		d->Add("]");
+		d->Add(" = ");
+		if ( op2 )
+			op2->Describe(d);
+		else
+			d->Add("(null)");
+		if ( op3 )
+			{
+			d->Add(" (");
+			op3->Describe(d);
+			d->Add(")");
+			}
+		d->Add(unique_str);
+		break;
+
+	case OP_INCR_IDX:
+		assert(op1 && op2 && op3);
+		d->Add(id_str);
+		d->Add("[");
+		op1->Describe(d);
+		d->Add("]");
+		d->Add(" += ");
+		d->Add(op2->CoerceToInt() - op3->CoerceToInt());
+		d->Add(unique_str);
+		break;
+
+	case OP_ADD:
+		assert(op1);
+		d->Add("add ");
+		d->Add(id_str);
+		d->Add("[");
+		op1->Describe(d);
+		d->Add("]");
+		if ( op2 )
+			{
+			d->Add(" (");
+			op2->Describe(d);
+			d->Add(")");
+			}
+		d->Add(unique_str);
+		break;
+
+	case OP_DEL:
+		assert(op1);
+		d->Add("del ");
+		d->Add(id_str);
+		d->Add("[");
+		op1->Describe(d);
+		d->Add("]");
+		if ( op2 )
+			{
+			d->Add(" (");
+			op2->Describe(d);
+			d->Add(")");
+			}
+		d->Add(unique_str);
+		break;
+
+	case OP_EXPIRE:
+		assert(op1);
+		d->Add("expire ");
+		d->Add(id_str);
+		d->Add("[");
+		op1->Describe(d);
+		d->Add("]");
+		if ( op2 )
+			{
+			d->Add(" (");
+			op2->Describe(d);
+			d->Add(")");
+			}
+		d->Add(unique_str);
+		break;
+
+	case OP_PRINT:
+		assert(op1);
+		d->Add("print ");
+		d->Add(id_str);
+		op1->Describe(d);
+		d->Add(unique_str);
+		break;
+
+	case OP_READ_IDX:
+		assert(op1);
+		d->Add("read ");
+		d->Add(id_str);
+		d->Add("[");
+		op1->Describe(d);
+		d->Add("]");
+		break;
+
+	default:
+		internal_error("unknown opcode for StateAccess");
+		break;
+		}
+
+	if ( op1_type != TYPE_VAL )
+		Unref(const_cast<Val*>(op1));
+	}
+
+void StateAccess::Log(StateAccess* access)
+	{
+	bool synchronized = false;
+	bool persistent = false;
+	bool tracked = false;
+
+	if ( access->target_type == TYPE_ID )
+		{
+		if ( access->target.id->FindAttr(ATTR_SYNCHRONIZED) )
+			synchronized = true;
+
+		if ( access->target.id->FindAttr(ATTR_PERSISTENT) )
+			persistent = true;
+
+		if ( access->target.id->FindAttr(ATTR_TRACKED) )
+			tracked = true;
+		}
+	else
+		{
+		if ( access->target.val->GetProperties() & MutableVal::SYNCHRONIZED )
+			synchronized = true;
+
+		if ( access->target.val->GetProperties() & MutableVal::PERSISTENT )
+			persistent = true;
+
+		if ( access->target.val->GetProperties() & MutableVal::TRACKED )
+			tracked = true;
+		}
+
+	if ( synchronized )
+		{
+		if ( state_serializer )
+			{
+			SerialInfo info(state_serializer);
+			state_serializer->Serialize(&info, *access);
+			}
+
+		SerialInfo info(remote_serializer);
+		remote_serializer->SendAccess(&info, *access);
+		}
+
+	if ( persistent && persistence_serializer->IsSerializationRunning() )
+		persistence_serializer->LogAccess(*access);
+
+	if ( tracked )
+		notifiers.AccessPerformed(*access);
+
+#ifdef DEBUG
+	ODesc desc;
+	access->Describe(&desc);
+	DBG_LOG(DBG_STATE, "operation: %s%s [%s%s]",
+			desc.Description(), replaying > 0 ? " (replay)" : "",
+			persistent ? "P" : "", synchronized ? "S" : "");
+#endif
+
+	delete access;
+
+	}
+
+NotifierRegistry notifiers;
+
+void NotifierRegistry::Register(ID* id, NotifierRegistry::Notifier* notifier)
+	{
+	DBG_LOG(DBG_NOTIFIERS, "registering ID %s for notifier %s",
+		id->Name(), notifier->Name());
+
+	if ( id->Attrs() )
+		id->Attrs()->AddAttr(new Attr(ATTR_TRACKED));
+	else
+		{
+		attr_list* a = new attr_list;
+		Attr* attr = new Attr(ATTR_TRACKED);
+		a->append(attr);
+		id->SetAttrs(new Attributes(a, id->Type()));
+		Unref(attr);
+		}
+
+	NotifierMap::iterator i = ids.find(id->Name());
+
+	if ( i != ids.end() )
+		i->second->insert(notifier);
+	else
+		{
+		NotifierSet* s = new NotifierSet;
+		s->insert(notifier);
+		ids.insert(NotifierMap::value_type(id->Name(), s));
+		}
+
+	Ref(id);
+	}
+
+void NotifierRegistry::Register(Val* val, NotifierRegistry::Notifier* notifier)
+	{
+	if ( val->IsMutableVal() )
+		Register(val->AsMutableVal()->UniqueID(), notifier);
+	}
+
+void NotifierRegistry::Unregister(ID* id, NotifierRegistry::Notifier* notifier)
+	{
+	DBG_LOG(DBG_NOTIFIERS, "unregistering ID %s for notifier %s",
+		id->Name(), notifier->Name());
+
+	NotifierMap::iterator i = ids.find(id->Name());
+
+	if ( i == ids.end() )
+		return;
+
+	id->Attrs()->RemoveAttr(ATTR_TRACKED);
+
+	NotifierSet* s = i->second;
+	s->erase(notifier);
+
+	if ( s->size() == 0 )
+		{
+		delete s;
+		ids.erase(i);
+		}
+
+	Unref(id);
+	}
+
+void NotifierRegistry::Unregister(Val* val, NotifierRegistry::Notifier* notifier)
+	{
+	if ( val->IsMutableVal() )
+		Unregister(val->AsMutableVal()->UniqueID(), notifier);
+	}
+
+void NotifierRegistry::AccessPerformed(const StateAccess& sa)
+	{
+	ID* id = sa.Target();
+
+	NotifierMap::iterator i = ids.find(id->Name());
+
+	if ( i == ids.end() )
+		return;
+
+	DBG_LOG(DBG_NOTIFIERS, "modification to tracked ID %s", id->Name());
+
+	NotifierSet* s = i->second;
+
+	if ( id->IsInternalGlobal() )
+		for ( NotifierSet::iterator j = s->begin(); j != s->end(); j++ )
+			(*j)->Access(id->ID_Val(), sa);
+	else
+		for ( NotifierSet::iterator j = s->begin(); j != s->end(); j++ )
+			(*j)->Access(id, sa);
+	}
+
+const char* NotifierRegistry::Notifier::Name() const
+	{
+	return fmt("%p", this);
+	}
+
diff --git a/src/StateAccess.h b/src/StateAccess.h
new file mode 100644
index 0000000000..1154756c83
--- /dev/null
+++ b/src/StateAccess.h
@@ -0,0 +1,152 @@
+// $Id: StateAccess.h 6781 2009-06-28 00:50:04Z vern $
+//
+// A class describing a state-modyfing access to a Value or an ID.
+
+#ifndef STATEACESSS_H
+#define STATEACESSS_H
+
+#include <set>
+#include <map>
+#include <string>
+
+#include "SerialObj.h"
+
+class Val;
+class ID;
+class MutableVal;
+class HashKey;
+class ODesc;
+class Serializer;
+class TableVal;
+
+enum Opcode {	// Op1	Op2 Op3 (Vals)
+	OP_NONE,
+	OP_ASSIGN,	// new	old
+	OP_ASSIGN_IDX,	// idx new  old
+	OP_ADD,		// idx  old
+	OP_INCR,	// idx  new old
+	OP_INCR_IDX,	// idx  new old
+	OP_DEL,		// idx  old
+	OP_PRINT,	// args
+	OP_EXPIRE,	// idx
+	OP_READ_IDX,	// idx
+};
+
+class StateAccess : public SerialObj {
+public:
+	StateAccess(Opcode opcode, const ID* target, const Val* op1,
+			const Val* op2 = 0, const Val* op3 = 0);
+	StateAccess(Opcode opcode, const MutableVal* target, const Val* op1,
+			const Val* op2 = 0, const Val* op3 = 0);
+
+	// For tables, the idx operand may be given as an index HashKey.
+	// This is for efficiency. While we need to reconstruct the index
+	// if we are actually going to serialize the access, we can at
+	// least skip it if we don't.
+	StateAccess(Opcode opcode, const ID* target, const HashKey* op1,
+			const Val* op2 = 0, const Val* op3 = 0);
+	StateAccess(Opcode opcode, const MutableVal* target, const HashKey* op1,
+			const Val* op2 = 0, const Val* op3 = 0);
+
+	StateAccess(const StateAccess& sa);
+
+	virtual ~StateAccess();
+
+	// Replays this access in the our environment.
+	void Replay();
+
+	// Returns target ID which may be an internal one for unbound vals.
+	ID* Target() const;
+
+	void Describe(ODesc* d) const;
+
+	bool Serialize(SerialInfo* info) const;
+	static StateAccess* Unserialize(UnserialInfo* info);
+
+	// Main entry point when StateAcesses are performed.
+	// For every state-changing operation, this has to be called.
+	static void Log(StateAccess* access);
+
+	// If we're going to make additional non-replaying accesses during a
+	// Replay(), we have to call these.
+	static void SuspendReplay()	{ --replaying; }
+	static void ResumeReplay()	{ ++replaying; }
+
+private:
+	StateAccess()	{ target.id = 0; op1.val = op2 = op3 = 0; }
+	void RefThem();
+
+	bool CheckOld(const char* op, ID* id, Val* index, Val* should, Val* is);
+	bool CheckOldSet(const char* op, ID* id, Val* index, bool should, bool is);
+	bool MergeTables(TableVal* dst, Val* src);
+
+	DECLARE_SERIAL(StateAccess);
+
+	Opcode opcode;
+	union {
+		ID* id;
+		MutableVal* val;
+	} target;
+
+	union {
+		Val* val;
+		const HashKey* key;
+	} op1;
+
+	Val* op2;
+	Val* op3;
+
+	enum Type { TYPE_ID, TYPE_VAL, TYPE_MVAL, TYPE_KEY };
+	Type target_type;
+	Type op1_type;
+	bool delete_op1_key;
+
+	static int replaying;
+};
+
+// We provide a notifier framework to inform interested parties of
+// modifications to selected global IDs/Vals. To get notified about a change,
+// derive a class from Notifier and register the interesting IDs/Vals with
+// the NotifierRegistry.
+//
+// Note: For containers (e.g., tables), notifications are only issued if the
+// container itself is modified, *not* for changes to the values contained
+// therein.
+
+class NotifierRegistry {
+public:
+	class Notifier {
+	public:
+		virtual ~Notifier()	{ }
+
+		// Called when a change is being performed. Note that when these
+		// methods are called, it is undefined whether the change has
+		// already been done or is just going to be performed soon.
+		virtual void Access(ID* id, const StateAccess& sa) = 0;
+		virtual void Access(Val* val, const StateAccess& sa) = 0;
+		virtual const char* Name() const;	// for debugging
+	};
+
+	NotifierRegistry()	{ }
+	~NotifierRegistry()	{ }
+
+	// Inform the given notifier if ID/Val changes.
+	void Register(ID* id, Notifier* notifier);
+	void Register(Val* val, Notifier* notifier);
+
+	// Cancel notification for this ID/Val.
+	void Unregister(ID* id, Notifier* notifier);
+	void Unregister(Val* val, Notifier* notifier);
+
+private:
+	friend class StateAccess;
+	void AccessPerformed(const StateAccess& sa);
+
+	typedef std::set<Notifier*> NotifierSet;
+	typedef std::map<std::string, NotifierSet*> NotifierMap;
+	NotifierMap ids;
+};
+
+extern NotifierRegistry notifiers;
+
+#endif
diff --git a/src/Stats.cc b/src/Stats.cc
new file mode 100644
index 0000000000..28c0b38c22
--- /dev/null
+++ b/src/Stats.cc
@@ -0,0 +1,525 @@
+// $Id: Stats.cc 7008 2010-03-25 02:42:20Z vern $
+
+#include "Conn.h"
+#include "File.h"
+#include "Event.h"
+#include "NetVar.h"
+#include "Sessions.h"
+#include "Stats.h"
+#include "Scope.h"
+#include "cq.h"
+#include "ConnCompressor.h"
+
+
+int killed_by_inactivity = 0;
+
+uint32 tot_ack_events = 0;
+uint32 tot_ack_bytes = 0;
+uint32 tot_gap_events = 0;
+uint32 tot_gap_bytes = 0;
+
+
+class ProfileTimer : public Timer {
+public:
+	ProfileTimer(double t, ProfileLogger* l, double i)
+	: Timer(t, TIMER_PROFILE)
+		{
+		logger = l;
+		interval = i;
+		}
+
+	void Dispatch(double t, int is_expire);
+
+protected:
+	double interval;
+	ProfileLogger* logger;
+};
+
+void ProfileTimer::Dispatch(double t, int is_expire)
+	{
+	logger->Log();
+
+	// Reinstall timer.
+	if ( ! is_expire )
+		timer_mgr->Add(new ProfileTimer(network_time + interval,
+						logger, interval));
+	}
+
+
+ProfileLogger::ProfileLogger(BroFile* arg_file, double interval)
+: SegmentStatsReporter()
+	{
+	file = arg_file;
+	log_count = 0;
+	timer_mgr->Add(new ProfileTimer(1, this, interval));
+	}
+
+ProfileLogger::~ProfileLogger()
+	{
+	file->Close();
+	}
+
+void ProfileLogger::Log()
+	{
+	if ( terminating )
+		// Connections have been flushed already.
+		return;
+
+	file->Write(fmt("%.06f ------------------------\n", network_time));
+
+	// Do expensive profiling only occasionally.
+	bool expensive = false;
+
+	if ( expensive_profiling_multiple )
+		expensive = (++log_count) % expensive_profiling_multiple == 0;
+
+	// Memory information.
+	struct rusage r;
+	getrusage(RUSAGE_SELF, &r);
+	struct timeval tv_utime = r.ru_utime;
+	struct timeval tv_stime = r.ru_stime;
+
+	unsigned int total, malloced;
+	get_memory_usage(&total, &malloced);
+
+	static unsigned int first_total = 0;
+	static double first_rtime = 0;
+	static double first_utime = 0;
+	static double first_stime = 0;
+
+	double rtime = current_time();
+	double utime = double(tv_utime.tv_sec) + double(tv_utime.tv_usec) / 1e6;
+	double stime = double(tv_stime.tv_sec) + double(tv_stime.tv_usec) / 1e6;
+
+	if ( first_total == 0 )
+		{
+		first_total = total;
+		first_rtime = rtime;
+		first_utime = utime;
+		first_stime = stime;
+
+		file->Write(fmt("%.06f Command line: ", network_time ));
+		for ( int i = 0; i < bro_argc; i++ )
+			{
+			file->Write(bro_argv[i]);
+			file->Write(" ");
+			}
+		file->Write(fmt("\n%.06f ------------------------\n", network_time));
+		}
+
+	file->Write(fmt("%.06f Memory: total=%dK total_adj=%dK malloced: %dK\n",
+		network_time, total / 1024, (total - first_total) / 1024,
+		malloced / 1024));
+
+	file->Write(fmt("%.06f Run-time: user+sys=%.1f user=%.1f sys=%.1f real=%.1f\n",
+		network_time, (utime + stime) - (first_utime + first_stime),
+		utime - first_utime, stime - first_stime, rtime - first_rtime));
+
+	int conn_mem_use = expensive ? sessions->ConnectionMemoryUsage() : 0;
+
+	file->Write(fmt("%.06f Conns: total=%d current=%d/%d ext=%d mem=%dK avg=%.1f table=%dK connvals=%dK\n",
+		network_time,
+		Connection::TotalConnections(),
+		Connection::CurrentConnections(),
+		sessions->CurrentConnections(),
+		Connection::CurrentExternalConnections(),
+		conn_mem_use,
+		expensive ? (conn_mem_use / double(sessions->CurrentConnections())) : 0,
+		expensive ? sessions->MemoryAllocation() / 1024 : 0,
+		expensive ? sessions->ConnectionMemoryUsageConnVals() / 1024 : 0
+		));
+
+	const ConnCompressor::Sizes& cs = conn_compressor->Size();
+
+	file->Write(fmt("%.6f ConnCompressor: pending=%d pending_in_mem=%d full_conns=%d pending+real=%d mem=%dK avg=%.1f/%.1f\n",
+		network_time,
+		cs.pending_valid,
+		cs.pending_in_mem,
+		cs.connections,
+		cs.hash_table_size,
+		cs.memory / 1024,
+		cs.memory / double(cs.pending_valid),
+		cs.memory / double(cs.pending_in_mem)
+		));
+
+	SessionStats s;
+	sessions->GetStats(s);
+
+	file->Write(fmt("%.06f Conns: tcp=%d/%d udp=%d/%d icmp=%d/%d\n",
+		network_time,
+		s.num_TCP_conns, s.max_TCP_conns,
+		s.num_UDP_conns, s.max_UDP_conns,
+		s.num_ICMP_conns, s.max_ICMP_conns
+		));
+
+	sessions->tcp_stats.PrintStats(file,
+			fmt("%.06f TCP-States:", network_time));
+
+	// Alternatively, if you prefer more compact output...
+	/*
+	file->Write(fmt("%.8f TCP-States: I=%d S=%d SA=%d SR=%d E=%d EF=%d ER=%d F=%d P=%d\n",
+		       network_time,
+		       sessions->tcp_stats.StateInactive(),
+		       sessions->tcp_stats.StateRequest(),
+		       sessions->tcp_stats.StateSuccRequest(),
+		       sessions->tcp_stats.StateRstRequest(),
+		       sessions->tcp_stats.StateEstablished(),
+		       sessions->tcp_stats.StateHalfClose(),
+		       sessions->tcp_stats.StateHalfRst(),
+		       sessions->tcp_stats.StateClosed(),
+		       sessions->tcp_stats.StatePartial()
+		       ));
+	*/
+
+	file->Write(fmt("%.06f Connections expired due to inactivity: %d\n",
+		network_time, killed_by_inactivity));
+
+	file->Write(fmt("%.06f Total reassembler data: %dK\n", network_time,
+		Reassembler::TotalMemoryAllocation() / 1024));
+
+	// Signature engine.
+	if ( expensive && rule_matcher )
+		{
+		RuleMatcher::Stats stats;
+		rule_matcher->GetStats(&stats);
+
+		file->Write(fmt("%06f RuleMatcher: matchers=%d dfa_states=%d ncomputed=%d "
+			"mem=%dK avg_nfa_states=%d\n", network_time, stats.matchers,
+			stats.dfa_states, stats.computed, stats.mem / 1024, stats.avg_nfa_states));
+		}
+
+	file->Write(fmt("%.06f Timers: current=%d max=%d mem=%dK lag=%.2fs\n",
+		network_time,
+		timer_mgr->Size(), timer_mgr->PeakSize(),
+		int(cq_memory_allocation() +
+		    (timer_mgr->Size() * padded_sizeof(ConnectionTimer))) / 1024,
+		network_time - timer_mgr->LastTimestamp()));
+
+	unsigned int* current_timers = TimerMgr::CurrentTimers();
+	for ( int i = 0; i < NUM_TIMER_TYPES; ++i )
+		{
+		if ( current_timers[i] )
+			file->Write(fmt("%.06f         %s = %d\n", network_time,
+					timer_type_to_string((TimerType) i),
+					current_timers[i]));
+		}
+
+	// Script-level state.
+	unsigned int size, mem = 0;
+	PDict(ID)* globals = global_scope()->Vars();
+
+	if ( expensive )
+		{
+		int total_table_entries = 0;
+		int total_table_rentries = 0;
+
+		file->Write(fmt("%.06f Global_sizes > 100k: %dK\n",
+				network_time, mem / 1024));
+
+		ID* id;
+		IterCookie* c = globals->InitForIteration();
+
+		while ( (id = globals->NextEntry(c)) )
+			// We don't show/count internal globals as they are always
+			// contained in some other global user-visible container.
+			if ( id->HasVal() && ! id->IsInternalGlobal() )
+				{
+				Val* v = id->ID_Val();
+
+				size = id->ID_Val()->MemoryAllocation();
+				mem += size;
+
+				bool print = false;
+				int entries = -1;
+				int rentries = -1;
+
+				if ( size > 100 * 1024 )
+					print = true;
+
+				if ( v->Type()->Tag() == TYPE_TABLE )
+					{
+					entries = v->AsTable()->Length();
+					total_table_entries += entries;
+
+					// ### 100 shouldn't be hardwired
+					// in here.
+					if ( entries >= 100 )
+						print = true;
+
+					rentries = v->AsTableVal()->RecursiveSize();
+					total_table_rentries += rentries;
+					if ( rentries >= 100 )	// ### or here
+						print = true;
+					}
+
+				if ( print )
+					{
+					file->Write(fmt("%.06f                %s = %dK",
+						network_time, id->Name(),
+						size / 1024));
+
+					if ( entries >= 0 )
+						file->Write(fmt(" (%d/%d entries)\n",
+							entries, rentries));
+					else
+						file->Write("\n");
+					}
+				}
+
+		file->Write(fmt("%.06f Global_sizes total: %dK\n",
+				network_time, mem / 1024));
+		file->Write(fmt("%.06f Total number of table entries: %d/%d\n",
+				network_time,
+				total_table_entries, total_table_rentries));
+		}
+
+	// Create an event so that scripts can log their information, too.
+	// (and for consistency we dispatch it *now*)
+	if ( profiling_update )
+		{
+		val_list* vl = new val_list;
+		Ref(file);
+		vl->append(new Val(file));
+		vl->append(new Val(expensive, TYPE_BOOL));
+		mgr.Dispatch(new Event(profiling_update, vl));
+		}
+	}
+
+void ProfileLogger::SegmentProfile(const char* name, const Location* loc,
+					double dtime, int dmem)
+	{
+	if ( name )
+		file->Write(fmt("%.06f segment-%s dt=%.06f dmem=%d\n",
+				network_time, name, dtime, dmem));
+	else if ( loc )
+		file->Write(fmt("%.06f segment-%s:%d dt=%.06f dmem=%d\n",
+				network_time,
+				loc->filename ? loc->filename : "nofile",
+				loc->first_line,
+				dtime, dmem));
+	else
+		file->Write(fmt("%.06f segment-XXX dt=%.06f dmem=%d\n",
+				network_time, dtime, dmem));
+	}
+
+
+SampleLogger::SampleLogger()
+	{
+	static TableType* load_sample_info = 0;
+
+	if ( ! load_sample_info )
+		load_sample_info = internal_type("load_sample_info")->AsTableType();
+
+	load_samples = new TableVal(load_sample_info);
+	}
+
+SampleLogger::~SampleLogger()
+	{
+	Unref(load_samples);
+	}
+
+void SampleLogger::FunctionSeen(const Func* func)
+	{
+	load_samples->Assign(new StringVal(func->GetID()->Name()), 0);
+	}
+
+void SampleLogger::LocationSeen(const Location* loc)
+	{
+	load_samples->Assign(new StringVal(loc->filename), 0);
+	}
+
+void SampleLogger::SegmentProfile(const char* /* name */,
+					const Location* /* loc */,
+					double dtime, int dmem)
+	{
+	val_list* vl = new val_list(2);
+	vl->append(load_samples->Ref());
+	vl->append(new IntervalVal(dtime, Seconds));
+	vl->append(new Val(dmem, TYPE_INT));
+
+	mgr.QueueEvent(load_sample, vl);
+	}
+
+void SegmentProfiler::Init()
+	{
+	getrusage(RUSAGE_SELF, &initial_rusage);
+	}
+
+void SegmentProfiler::Report()
+	{
+	struct rusage final_rusage;
+	getrusage(RUSAGE_SELF, &final_rusage);
+
+	double start_time =
+		double(initial_rusage.ru_utime.tv_sec) +
+		double(initial_rusage.ru_utime.tv_usec) / 1e6 +
+		double(initial_rusage.ru_stime.tv_sec) +
+		double(initial_rusage.ru_stime.tv_usec) / 1e6;
+
+	double stop_time =
+		double(final_rusage.ru_utime.tv_sec) +
+		double(final_rusage.ru_utime.tv_usec) / 1e6 +
+		double(final_rusage.ru_stime.tv_sec) +
+		double(final_rusage.ru_stime.tv_usec) / 1e6;
+
+	int start_mem = initial_rusage.ru_maxrss * 1024;
+	int stop_mem = initial_rusage.ru_maxrss * 1024;
+
+	double dtime = stop_time - start_time;
+	int dmem = stop_mem - start_mem;
+
+	reporter->SegmentProfile(name, loc, dtime, dmem);
+	}
+
+
+TCPStateStats::TCPStateStats()
+	{
+	for ( int i = 0; i < TCP_ENDPOINT_RESET + 1; ++i )
+		for ( int j = 0; j < TCP_ENDPOINT_RESET + 1; ++j )
+			state_cnt[i][j] = 0;
+	}
+
+void TCPStateStats::ChangeState(EndpointState o_prev, EndpointState o_now,
+				EndpointState r_prev, EndpointState r_now)
+	{
+	--state_cnt[o_prev][r_prev];
+	++state_cnt[o_now][r_now];
+	}
+
+void TCPStateStats::FlipState(EndpointState orig, EndpointState resp)
+	{
+	--state_cnt[orig][resp];
+	++state_cnt[resp][orig];
+	}
+
+unsigned int TCPStateStats::NumStatePartial() const
+	{
+	unsigned int sum = 0;
+	for ( int i = 0; i < TCP_ENDPOINT_RESET + 1; ++i )
+		{
+		sum += state_cnt[TCP_ENDPOINT_PARTIAL][i];
+		sum += state_cnt[i][TCP_ENDPOINT_PARTIAL];
+		}
+
+	return sum;
+	}
+
+void TCPStateStats::PrintStats(BroFile* file, const char* prefix)
+	{
+	file->Write(prefix);
+	file->Write("        Inact.  Syn.    SA      Part.   Est.    Fin.    Rst.\n");
+
+	for ( int i = 0; i < TCP_ENDPOINT_RESET + 1; ++i )
+		{
+		file->Write(prefix);
+
+		switch ( i ) {
+#define STATE_STRING(state, str) \
+	case state: \
+		file->Write(str); \
+		break;
+
+		STATE_STRING(TCP_ENDPOINT_INACTIVE, "Inact.");
+		STATE_STRING(TCP_ENDPOINT_SYN_SENT, "Syn.  ");
+		STATE_STRING(TCP_ENDPOINT_SYN_ACK_SENT, "SA    ");
+		STATE_STRING(TCP_ENDPOINT_PARTIAL, "Part. ");
+		STATE_STRING(TCP_ENDPOINT_ESTABLISHED, "Est.  ");
+		STATE_STRING(TCP_ENDPOINT_CLOSED, "Fin.  ");
+		STATE_STRING(TCP_ENDPOINT_RESET, "Rst.  ");
+
+		}
+
+		file->Write("  ");
+
+		for ( int j = 0; j < TCP_ENDPOINT_RESET + 1; ++j )
+			{
+			unsigned int n = state_cnt[i][j];
+			if ( n > 0 )
+				{
+				char buf[32];
+				safe_snprintf(buf, sizeof(buf), "%-8d", state_cnt[i][j]);
+				file->Write(buf);
+				}
+			else
+				file->Write("        ");
+			}
+
+		file->Write("\n");
+		}
+	}
+
+
+PacketProfiler::PacketProfiler(unsigned int mode, double freq,
+				BroFile* arg_file)
+	{
+	update_mode = mode;
+	update_freq = freq;
+	file = arg_file;
+
+	last_Utime = last_Stime = last_Rtime = 0.0;
+	last_timestamp = time = 0.0;
+	pkt_cnt = byte_cnt = 0;
+
+	file->Write("time dt npkts nbytes dRtime dUtime dStime dmem\n");
+	}
+
+PacketProfiler::~PacketProfiler()
+	{
+	file->Close();
+	}
+
+void PacketProfiler::ProfilePkt(double t, unsigned int bytes)
+	{
+	if ( last_timestamp == 0.0 )
+		{
+		struct rusage res;
+		struct timeval ptimestamp;
+		getrusage(RUSAGE_SELF, &res);
+		gettimeofday(&ptimestamp, 0);
+
+		get_memory_usage(&last_mem, 0);
+		last_Utime = res.ru_utime.tv_sec + res.ru_utime.tv_usec / 1e6;
+		last_Stime = res.ru_stime.tv_sec + res.ru_stime.tv_usec / 1e6;
+		last_Rtime = ptimestamp.tv_sec + ptimestamp.tv_usec / 1e6;
+		last_timestamp = t;
+		}
+
+	if ( (update_mode == MODE_TIME && t > last_timestamp+update_freq) ||
+	     (update_mode == MODE_PACKET && double(pkt_cnt) > update_freq) ||
+	     (update_mode == MODE_VOLUME && double(pkt_cnt) > update_freq) )
+		{
+		struct rusage res;
+		struct timeval ptimestamp;
+		getrusage(RUSAGE_SELF, &res);
+		gettimeofday(&ptimestamp, 0);
+
+		double curr_Utime =
+			res.ru_utime.tv_sec + res.ru_utime.tv_usec / 1e6;
+		double curr_Stime =
+			res.ru_stime.tv_sec + res.ru_stime.tv_usec / 1e6;
+		double curr_Rtime =
+			ptimestamp.tv_sec + ptimestamp.tv_usec / 1e6;
+
+		unsigned int curr_mem;
+		get_memory_usage(&curr_mem, 0);
+
+		file->Write(fmt("%.06f %.03f %d %d %.03f %.03f %.03f %d\n",
+				t, time-last_timestamp, pkt_cnt, byte_cnt,
+				curr_Rtime - last_Rtime,
+				curr_Utime - last_Utime,
+				curr_Stime - last_Stime,
+				curr_mem - last_mem));
+
+		last_Utime = curr_Utime;
+		last_Stime = curr_Stime;
+		last_Rtime = curr_Rtime;
+		last_mem = curr_mem;
+		last_timestamp = t;
+		pkt_cnt = 0;
+		byte_cnt = 0;
+		}
+
+	++pkt_cnt;
+	byte_cnt += bytes;
+	time = t;
+	}
diff --git a/src/Stats.h b/src/Stats.h
new file mode 100644
index 0000000000..8acb7ef190
--- /dev/null
+++ b/src/Stats.h
@@ -0,0 +1,209 @@
+// $Id: Stats.h 6703 2009-05-13 22:27:44Z vern $
+//
+// Classes that collect and report statistics.
+
+#ifndef STATS_H
+#define STATS_H
+
+#include <sys/types.h>
+#include <sys/time.h>
+#include <sys/resource.h>
+
+#include "TCP_Endpoint.h"
+
+
+// Object called by SegmentProfiler when it is done and reports its
+// cumulative CPU/memory statistics.
+class SegmentStatsReporter {
+public:
+	SegmentStatsReporter()	{ }
+	virtual ~SegmentStatsReporter()	{ }
+
+	virtual void SegmentProfile(const char* name, const Location* loc,
+					double dtime, int dmem) = 0;
+};
+
+
+// A SegmentProfiler tracks how much CPU and memory is consumed
+// across its lifetime.
+//
+// ### This needs porting to Linux.  It could also be improved by
+// better efforts at measuring its own overhead.
+class SegmentProfiler {
+public:
+	// The constructor takes some way of identifying the segment.
+	SegmentProfiler(SegmentStatsReporter* arg_reporter,
+				const char* arg_name)
+		{
+		reporter = arg_reporter;
+		if ( reporter )
+			{
+			name = arg_name;
+			loc = 0;
+			Init();
+			}
+		}
+
+	SegmentProfiler(SegmentStatsReporter* arg_reporter,
+				const Location* arg_loc)
+		{
+		reporter = arg_reporter;
+		if ( reporter )
+			{
+			name = 0;
+			loc = arg_loc;
+			Init();
+			}
+		}
+
+	~SegmentProfiler()
+		{
+		if ( reporter )
+			Report();
+		}
+
+protected:
+	void Init();
+	void Report();
+
+	SegmentStatsReporter* reporter;
+	const char* name;
+	const Location* loc;
+	struct rusage initial_rusage;
+};
+
+
+class ProfileLogger : public SegmentStatsReporter {
+public:
+	ProfileLogger(BroFile* file, double interval);
+	~ProfileLogger();
+
+	void Log();
+	BroFile* File()	{ return file; }
+
+protected:
+	void SegmentProfile(const char* name, const Location* loc,
+				double dtime, int dmem);
+
+private:
+	BroFile* file;
+	unsigned int log_count;
+};
+
+
+// Generates load_sample() events.
+class SampleLogger : public SegmentStatsReporter {
+public:
+	SampleLogger();
+	~SampleLogger();
+
+	// These are called to report that a given function or location
+	// has been seen during the sampling.
+	void FunctionSeen(const Func* func);
+	void LocationSeen(const Location* loc);
+
+protected:
+	void SegmentProfile(const char* name, const Location* loc,
+				double dtime, int dmem);
+
+	TableVal* load_samples;
+};
+
+
+extern ProfileLogger* profiling_logger;
+extern ProfileLogger* segment_logger;
+extern SampleLogger* sample_logger;
+
+// Connection statistics.
+extern int killed_by_inactivity;
+
+// Content gap statistics.
+extern uint32 tot_ack_events;
+extern uint32 tot_ack_bytes;
+extern uint32 tot_gap_events;
+extern uint32 tot_gap_bytes;
+
+
+// A TCPStateStats object tracks the distribution of TCP states for
+// the currently active connections.  
+class TCPStateStats {
+public:
+	TCPStateStats();
+	~TCPStateStats() { }
+
+	void ChangeState(EndpointState o_prev, EndpointState o_now,
+				EndpointState r_prev, EndpointState r_now);
+	void FlipState(EndpointState orig, EndpointState resp);
+
+	void StateEntered (EndpointState o_state, EndpointState r_state)
+		{ ++state_cnt[o_state][r_state]; }
+	void StateLeft (EndpointState o_state, EndpointState r_state)
+		{ --state_cnt[o_state][r_state]; }
+
+	unsigned int Cnt(EndpointState state) const
+		{ return Cnt(state, state); }
+	unsigned int Cnt(EndpointState state1, EndpointState state2) const
+		{ return state_cnt[state1][state2]; }
+
+	unsigned int NumStateEstablished() const
+		{ return Cnt(TCP_ENDPOINT_ESTABLISHED); }
+	unsigned int NumStateHalfClose() const
+		{ // corresponds to S2,S3
+		return Cnt(TCP_ENDPOINT_ESTABLISHED, TCP_ENDPOINT_CLOSED) +
+			Cnt(TCP_ENDPOINT_CLOSED, TCP_ENDPOINT_ESTABLISHED);
+		}
+	unsigned int NumStateHalfRst() const
+		{
+		return Cnt(TCP_ENDPOINT_ESTABLISHED, TCP_ENDPOINT_RESET) +
+			Cnt(TCP_ENDPOINT_RESET, TCP_ENDPOINT_ESTABLISHED);
+		}
+	unsigned int NumStateClosed() const
+		{ return Cnt(TCP_ENDPOINT_CLOSED); }
+	unsigned int NumStateRequest() const
+		{
+		assert(Cnt(TCP_ENDPOINT_INACTIVE, TCP_ENDPOINT_SYN_SENT)==0);
+		return Cnt(TCP_ENDPOINT_SYN_SENT, TCP_ENDPOINT_INACTIVE);
+		}
+	unsigned int NumStateSuccRequest() const
+		{
+		return Cnt(TCP_ENDPOINT_SYN_SENT, TCP_ENDPOINT_SYN_ACK_SENT) +
+			Cnt(TCP_ENDPOINT_SYN_ACK_SENT, TCP_ENDPOINT_SYN_SENT);
+		}
+	unsigned int NumStateRstRequest() const
+		{
+		return Cnt(TCP_ENDPOINT_SYN_SENT, TCP_ENDPOINT_RESET) +
+			Cnt(TCP_ENDPOINT_RESET, TCP_ENDPOINT_SYN_SENT);
+		}
+	unsigned int NumStateInactive() const
+		{ return Cnt(TCP_ENDPOINT_INACTIVE); }
+	unsigned int NumStatePartial() const;
+
+	void PrintStats(BroFile* file, const char* prefix);
+
+private:
+	unsigned int state_cnt[TCP_ENDPOINT_RESET+1][TCP_ENDPOINT_RESET+1];
+};
+
+class PacketProfiler {
+public:
+	PacketProfiler(unsigned int mode, double freq, BroFile* arg_file);
+	~PacketProfiler();
+
+	static const unsigned int MODE_TIME = 1;
+	static const unsigned int MODE_PACKET = 2;
+	static const unsigned int MODE_VOLUME = 3;
+
+	void ProfilePkt(double t, unsigned int bytes);
+
+protected:
+	BroFile* file;
+	unsigned int update_mode;
+	double update_freq;
+	double last_Utime, last_Stime, last_Rtime;
+	double last_timestamp, time;
+	unsigned int last_mem;
+	unsigned int pkt_cnt;
+	unsigned int byte_cnt;
+};
+
+#endif
diff --git a/src/SteppingStone.cc b/src/SteppingStone.cc
new file mode 100644
index 0000000000..96652456bf
--- /dev/null
+++ b/src/SteppingStone.cc
@@ -0,0 +1,221 @@
+// $Id: SteppingStone.cc 6219 2008-10-01 05:39:07Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "config.h"
+
+#include <stdlib.h>
+
+#include "Event.h"
+#include "Net.h"
+#include "NetVar.h"
+#include "TCP.h"
+#include "SteppingStone.h"
+#include "util.h"
+
+SteppingStoneEndpoint::SteppingStoneEndpoint(TCP_Endpoint* e, SteppingStoneManager* m)
+	{
+	endp = e;
+	stp_max_top_seq = 0;
+	stp_last_time = stp_resume_time = 0.0;
+	stp_manager = m;
+	stp_id = stp_manager->NextID();
+	stp_key = new HashKey(bro_int_t(stp_id));
+
+	CreateEndpEvent(e->IsOrig());
+
+	// Make sure the connection does not get deleted.
+	Ref(endp->TCP()->Conn());
+	}
+
+SteppingStoneEndpoint::~SteppingStoneEndpoint()
+	{
+	delete stp_key;
+	Unref(endp->TCP()->Conn());
+	}
+
+void SteppingStoneEndpoint::Done()
+	{
+	if ( RefCnt() > 1 )
+		return;
+
+	SteppingStoneEndpoint* ep;
+	IterCookie* cookie;
+
+	cookie = stp_inbound_endps.InitForIteration();
+	while ( (ep = stp_inbound_endps.NextEntry(cookie)) )
+		{
+		ep->stp_outbound_endps.Remove(stp_key);
+		Event(stp_remove_pair, ep->stp_id, stp_id);
+		Unref(ep);
+		}
+
+	cookie = stp_outbound_endps.InitForIteration();
+	while ( (ep = stp_outbound_endps.NextEntry(cookie)) )
+		{
+		ep->stp_inbound_endps.Remove(stp_key);
+		Event(stp_remove_pair, stp_id, ep->stp_id);
+		Unref(ep);
+		}
+
+	Event(stp_remove_endp, stp_id);
+	}
+
+int SteppingStoneEndpoint::DataSent(double t, int seq, int len, int caplen,
+		const u_char* data, const IP_Hdr* /* ip */,
+		const struct tcphdr* tp)
+	{
+	if ( caplen < len )
+		len = caplen;
+
+	if ( len <= 0 )
+		return 0;
+
+	double tmin = t - stp_delta;
+
+	while ( stp_manager->OrderedEndpoints().length() > 0 )
+		{
+		int f = stp_manager->OrderedEndpoints().front();
+
+		if ( stp_manager->OrderedEndpoints()[f]->stp_resume_time < tmin )
+			{
+			SteppingStoneEndpoint* e =
+				stp_manager->OrderedEndpoints().pop_front();
+			e->Done();
+			Unref(e);
+			}
+		else
+			break;
+		}
+
+	int ack = endp->AckSeq() - endp->StartSeq();
+	int top_seq = seq + len;
+
+	if ( top_seq <= ack || top_seq <= stp_max_top_seq )
+		// There is no new data in this packet
+		return 0;
+
+	stp_max_top_seq = top_seq;
+
+	if ( stp_last_time && t <= stp_last_time + stp_idle_min )
+		{
+		stp_last_time = t;
+		return 1;
+		}
+
+	// Either just starts, or resumes from an idle period.
+	stp_last_time = stp_resume_time = t;
+
+	Event(stp_resume_endp, stp_id);
+	loop_over_queue(stp_manager->OrderedEndpoints(), i)
+		{
+		SteppingStoneEndpoint* ep = stp_manager->OrderedEndpoints()[i];
+		if ( ep->endp->TCP() != endp->TCP() )
+			{
+			Ref(ep);
+			Ref(this);
+
+			stp_inbound_endps.Insert(ep->stp_key, ep);
+			ep->stp_outbound_endps.Insert(stp_key, this);
+
+			Event(stp_correlate_pair, ep->stp_id, stp_id);
+			}
+
+		else
+			{ // ep and this belong to same connection
+			}
+		}
+
+	stp_manager->OrderedEndpoints().push_back(this);
+	Ref(this);
+
+	return 1;
+	}
+
+void SteppingStoneEndpoint::Event(EventHandlerPtr f, int id1, int id2)
+	{
+	if ( ! f )
+		return;
+
+	val_list* vl = new val_list;
+
+	vl->append(new Val(id1, TYPE_INT));
+
+	if ( id2 >= 0 )
+		vl->append(new Val(id2, TYPE_INT));
+
+	endp->TCP()->ConnectionEvent(f, vl);
+	}
+
+void SteppingStoneEndpoint::CreateEndpEvent(int is_orig)
+	{
+	val_list* vl = new val_list;
+
+	vl->append(endp->TCP()->BuildConnVal());
+	vl->append(new Val(stp_id, TYPE_INT));
+	vl->append(new Val(is_orig, TYPE_BOOL));
+
+	endp->TCP()->ConnectionEvent(stp_create_endp, vl);
+	}
+
+SteppingStone_Analyzer::SteppingStone_Analyzer(Connection* c)
+: TCP_ApplicationAnalyzer(AnalyzerTag::SteppingStone, c)
+	{
+	stp_manager = sessions->GetSTPManager();
+
+	orig_endp = resp_endp = 0;
+	orig_stream_pos = resp_stream_pos = 1;
+	}
+
+void SteppingStone_Analyzer::Init()
+	{
+	TCP_ApplicationAnalyzer::Init();
+
+	assert(TCP());
+	orig_endp = new SteppingStoneEndpoint(TCP()->Orig(), stp_manager);
+	resp_endp = new SteppingStoneEndpoint(TCP()->Resp(), stp_manager);
+	}
+
+void SteppingStone_Analyzer::DeliverPacket(int len, const u_char* data,
+						bool is_orig, int seq,
+						const IP_Hdr* ip, int caplen)
+	{
+	TCP_ApplicationAnalyzer::DeliverPacket(len, data, is_orig, seq,
+						ip, caplen);
+
+	if ( is_orig )
+		orig_endp->DataSent(network_time, seq, len, caplen, data, 0, 0);
+	else
+		resp_endp->DataSent(network_time, seq, len, caplen, data, 0, 0);
+	}
+
+void SteppingStone_Analyzer::DeliverStream(int len, const u_char* data,
+						bool is_orig)
+	{
+	TCP_ApplicationAnalyzer::DeliverStream(len, data, is_orig);
+
+	if ( is_orig )
+		{
+		orig_endp->DataSent(network_time, orig_stream_pos, len, len,
+					data, 0, 0);
+		orig_stream_pos += len;
+		}
+
+	else
+		{
+		resp_endp->DataSent(network_time, resp_stream_pos, len, len,
+					data, 0, 0);
+		resp_stream_pos += len;
+		}
+	}
+
+void SteppingStone_Analyzer::Done()
+	{
+	TCP_ApplicationAnalyzer::Done();
+
+	orig_endp->Done();
+	resp_endp->Done();
+
+	Unref(orig_endp);
+	Unref(resp_endp);
+	}
diff --git a/src/SteppingStone.h b/src/SteppingStone.h
new file mode 100644
index 0000000000..15165387f9
--- /dev/null
+++ b/src/SteppingStone.h
@@ -0,0 +1,92 @@
+// $Id: SteppingStone.h 6219 2008-10-01 05:39:07Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#ifndef steppingstone_h
+#define steppingstone_h
+
+#include "Queue.h"
+#include "TCP.h"
+
+class NetSessions;
+
+class SteppingStoneEndpoint;
+class SteppingStoneManager;
+
+declare(PQueue,SteppingStoneEndpoint);
+declare(PDict,SteppingStoneEndpoint);
+
+class SteppingStoneEndpoint : public BroObj {
+public:
+	SteppingStoneEndpoint(TCP_Endpoint* e, SteppingStoneManager* m);
+	~SteppingStoneEndpoint();
+	void Done();
+
+	int DataSent(double t, int seq, int len, int caplen, const u_char* data,
+		     const IP_Hdr* ip, const struct tcphdr* tp);
+
+protected:
+	void Event(EventHandlerPtr f, int id1, int id2 = -1);
+	void CreateEndpEvent(int is_orig);
+
+	TCP_Endpoint* endp;
+	int stp_max_top_seq;
+	double stp_last_time;
+	double stp_resume_time;
+	SteppingStoneManager* stp_manager;
+
+	// Hashes for inbound/outbound endpoints that are correlated
+	// at least once with this endpoint.  They are necessary for
+	// removing correlated endpoint pairs in Bro, since there is
+	// no LOOP in Bro language.
+	int stp_id;
+	HashKey* stp_key;
+	PDict(SteppingStoneEndpoint) stp_inbound_endps;
+	PDict(SteppingStoneEndpoint) stp_outbound_endps;
+};
+
+class SteppingStone_Analyzer : public TCP_ApplicationAnalyzer {
+public:
+	SteppingStone_Analyzer(Connection* c);
+	virtual ~SteppingStone_Analyzer() {};
+
+	virtual void Init();
+	virtual void Done();
+
+	static Analyzer* InstantiateAnalyzer(Connection* conn)
+		{ return new SteppingStone_Analyzer(conn); }
+
+	static bool Available()	{ return stp_correlate_pair; }
+
+protected:
+	// We support both packet and stream input and can be put in place even
+	// if the TCP analyzer is not yet reassebmling.
+	virtual void DeliverPacket(int len, const u_char* data, bool is_orig,
+					int seq, const IP_Hdr* ip, int caplen);
+	virtual void DeliverStream(int len, const u_char* data, bool is_orig);
+
+	int orig_stream_pos;
+	int resp_stream_pos;
+
+	SteppingStoneManager* stp_manager;
+	SteppingStoneEndpoint* orig_endp;
+	SteppingStoneEndpoint* resp_endp;
+};
+
+// Manages ids for the possible stepping stone connections.
+class SteppingStoneManager {
+public:
+	SteppingStoneManager()		{ endp_cnt = 0; }
+
+	PQueue(SteppingStoneEndpoint)& OrderedEndpoints()
+		{ return ordered_endps; }
+
+	// Use postfix ++, since the first ID needs to be even.
+	int NextID()			{ return endp_cnt++; }
+
+protected:
+	PQueue(SteppingStoneEndpoint) ordered_endps;
+	int endp_cnt;
+};
+
+#endif /* steppingstone_h */
diff --git a/src/Stmt.cc b/src/Stmt.cc
new file mode 100644
index 0000000000..7064e82635
--- /dev/null
+++ b/src/Stmt.cc
@@ -0,0 +1,2108 @@
+// $Id: Stmt.cc 6916 2009-09-24 20:48:36Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "config.h"
+
+#include "Expr.h"
+#include "Event.h"
+#include "Frame.h"
+#include "File.h"
+#include "Logger.h"
+#include "NetVar.h"
+#include "Stmt.h"
+#include "Scope.h"
+#include "Var.h"
+#include "Debug.h"
+#include "Traverse.h"
+#include "Trigger.h"
+#include "RemoteSerializer.h"
+
+const char* stmt_name(BroStmtTag t)
+	{
+	static const char* stmt_names[int(NUM_STMTS)] = {
+		"alarm", "print", "event", "expr", "if", "when", "switch",
+		"for", "next", "break", "return", "add", "delete",
+		"list", "bodylist",
+		"<init>",
+		"null",
+	};
+
+	return stmt_names[int(t)];
+	}
+
+Stmt::Stmt(BroStmtTag arg_tag)
+	{
+	tag = arg_tag;
+	breakpoint_count = 0;
+	last_access = 0;
+	access_count = 0;
+
+	SetLocationInfo(&start_location, &end_location);
+	}
+
+Stmt::~Stmt()
+	{
+	}
+
+bool Stmt::SetLocationInfo(const Location* start, const Location* end)
+	{
+	if ( ! BroObj::SetLocationInfo(start, end) )
+		return false;
+
+	// Update the Filemap of line number -> statement mapping for
+	// breakpoints (Debug.h).
+	Filemap* map_ptr = (Filemap*) g_dbgfilemaps.Lookup(location->filename);
+	if ( ! map_ptr )
+		return false;
+
+	Filemap& map = *map_ptr;
+
+	StmtLocMapping* new_mapping = new StmtLocMapping(GetLocationInfo(), this);
+
+	// Optimistically just put it at the end.
+	map.push_back(new_mapping);
+
+	int curr_idx = map.length() - 1;
+	if ( curr_idx == 0 )
+		return true;
+
+	// In case it wasn't actually lexically last, bubble it to the
+	// right place.
+	while ( map[curr_idx - 1]->StartsAfter(map[curr_idx]) )
+		{
+		StmtLocMapping t = *map[curr_idx - 1];
+		*map[curr_idx - 1] = *map[curr_idx];
+		*map[curr_idx] = t;
+		curr_idx--;
+		}
+
+	return true;
+	}
+
+Stmt* Stmt::Simplify()
+	{
+	return this;
+	}
+
+int Stmt::IsPure() const
+	{
+	return 0;
+	}
+
+void Stmt::Describe(ODesc* d) const
+	{
+	if ( ! d->IsReadable() || Tag() != STMT_EXPR )
+		AddTag(d);
+	}
+
+void Stmt::AddTag(ODesc* d) const
+	{
+	if ( d->IsBinary() )
+		d->Add(int(Tag()));
+	else
+		d->Add(stmt_name(Tag()));
+	d->SP();
+	}
+
+void Stmt::DescribeDone(ODesc* d) const
+	{
+	if ( d->IsReadable() && ! d->IsShort() )
+		d->Add(";");
+	}
+
+void Stmt::AccessStats(ODesc* d) const
+	{
+	if ( d->IncludeStats() )
+		{
+		d->Add("(@");
+		d->Add(last_access ? fmt_access_time(last_access) : "<never>");
+		d->Add(" #");
+		d->Add(access_count);
+		d->Add(")");
+		d->NL();
+		}
+	}
+
+bool Stmt::Serialize(SerialInfo* info) const
+	{
+	return SerialObj::Serialize(info);
+	}
+
+Stmt* Stmt::Unserialize(UnserialInfo* info, BroStmtTag want)
+	{
+	Stmt* stmt = (Stmt*) SerialObj::Unserialize(info, SER_STMT);
+
+	if ( want != STMT_ANY && stmt->tag != want )
+		{
+		info->s->Error("wrong stmt type");
+		Unref(stmt);
+		return 0;
+		}
+
+	return stmt;
+	}
+
+bool Stmt::DoSerialize(SerialInfo* info) const
+	{
+	DO_SERIALIZE(SER_STMT, BroObj);
+
+	return SERIALIZE(char(tag)) && SERIALIZE(last_access)
+			&& SERIALIZE(access_count);
+	}
+
+bool Stmt::DoUnserialize(UnserialInfo* info)
+	{
+	DO_UNSERIALIZE(BroObj);
+
+	char c;
+	if ( ! UNSERIALIZE(&c) )
+		return 0;
+
+	tag = BroStmtTag(c);
+
+	return UNSERIALIZE(&last_access) && UNSERIALIZE(&access_count);
+	}
+
+
+ExprListStmt::ExprListStmt(BroStmtTag t, ListExpr* arg_l)
+: Stmt(t)
+	{
+	l = arg_l;
+
+	const expr_list& e = l->Exprs();
+	loop_over_list(e, i)
+		{
+		const BroType* t = e[i]->Type();
+		if ( ! t || t->Tag() == TYPE_VOID )
+			Error("value of type void illegal");
+		}
+
+	SetLocationInfo(arg_l->GetLocationInfo());
+	}
+
+ExprListStmt::~ExprListStmt()
+	{
+	Unref(l);
+	}
+
+Val* ExprListStmt::Exec(Frame* f, stmt_flow_type& flow) const
+	{
+	last_access = network_time;
+	flow = FLOW_NEXT;
+
+	val_list* vals = eval_list(f, l);
+	if ( vals )
+		{
+		Val* result = DoExec(vals, flow);
+		delete_vals(vals);
+		return result;
+		}
+	else
+		return 0;
+	}
+
+Stmt* ExprListStmt::Simplify()
+	{
+	l = simplify_expr_list(l, SIMPLIFY_GENERAL);
+	DoSimplify();
+	return this;
+	}
+
+Stmt* ExprListStmt::DoSimplify()
+	{
+	return this;
+	}
+
+void ExprListStmt::Describe(ODesc* d) const
+	{
+	Stmt::Describe(d);
+	l->Describe(d);
+	DescribeDone(d);
+	}
+
+void ExprListStmt::PrintVals(ODesc* d, val_list* vals, int offset) const
+	{
+	describe_vals(vals, d, offset);
+	}
+
+bool ExprListStmt::DoSerialize(SerialInfo* info) const
+	{
+	DO_SERIALIZE(SER_EXPR_LIST_STMT, Stmt);
+	return l->Serialize(info);
+	}
+
+bool ExprListStmt::DoUnserialize(UnserialInfo* info)
+	{
+	DO_UNSERIALIZE(Stmt);
+	l = (ListExpr*) Expr::Unserialize(info, EXPR_LIST);
+	return l != 0;
+	}
+
+TraversalCode ExprListStmt::Traverse(TraversalCallback* cb) const
+	{
+	TraversalCode tc = cb->PreStmt(this);
+	HANDLE_TC_STMT_PRE(tc);
+
+	const expr_list& e = l->Exprs();
+	loop_over_list(e, i)
+		{
+		tc = e[i]->Traverse(cb);
+		HANDLE_TC_STMT_PRE(tc);
+		}
+
+	tc = cb->PostStmt(this);
+	HANDLE_TC_STMT_POST(tc);
+	}
+
+Val* AlarmStmt::DoExec(val_list* vals, stmt_flow_type& /* flow */) const
+	{
+	ODesc d;
+	PrintVals(&d, vals, 0);
+
+	if ( alarm_hook )
+		{
+		ListExpr* args = new ListExpr();
+		args->Append(new ConstExpr(new StringVal(d.Description())));
+
+		CallExpr* ce =
+			new CallExpr(new ConstExpr(new Val(alarm_hook)), args);
+
+		Val* hook_eval = ce->Eval(0);
+		int do_log = hook_eval->IsOne();
+
+		Unref(ce);
+		Unref(hook_eval);
+
+		if ( ! do_log )
+			return 0;
+		}
+
+	bro_logger->Log(d.Description());
+	return 0;
+	}
+
+IMPLEMENT_SERIAL(AlarmStmt, SER_ALARM_STMT);
+
+bool AlarmStmt::DoSerialize(SerialInfo* info) const
+	{
+	DO_SERIALIZE(SER_ALARM_STMT, ExprListStmt);
+	return true;
+	}
+
+bool AlarmStmt::DoUnserialize(UnserialInfo* info)
+	{
+	DO_UNSERIALIZE(ExprListStmt);
+	return true;
+	}
+
+static BroFile* print_stdout = 0;
+
+Val* PrintStmt::DoExec(val_list* vals, stmt_flow_type& /* flow */) const
+	{
+	if ( ! print_stdout )
+		print_stdout = new BroFile(stdout);
+
+	BroFile* f = print_stdout;
+	int offset = 0;
+
+	if ( vals->length() > 0 && (*vals)[0]->Type()->Tag() == TYPE_FILE )
+		{
+		f = (*vals)[0]->AsFile();
+		if ( ! f->IsOpen() )
+			return 0;
+
+		++offset;
+		}
+
+	bool ph = print_hook && f->IsPrintHookEnabled();
+
+	desc_style style = f->IsRawOutput() ? ALTERNATIVE_STYLE : STANDARD_STYLE;
+
+	if ( ! (suppress_local_output && ph) )
+		{
+		ODesc d(DESC_READABLE, f);
+		d.SetFlush(0);
+		d.SetStyle(style);
+
+		PrintVals(&d, vals, offset);
+		f->Write("\n", 1);
+		}
+
+	if ( ph )
+		{
+		ODesc d(DESC_READABLE);
+		d.SetStyle(style);
+		PrintVals(&d, vals, offset);
+
+		if ( print_hook )
+			{
+			val_list* vl = new val_list(2);
+			::Ref(f);
+			vl->append(new Val(f));
+			vl->append(new StringVal(d.Description()));
+
+			// Note, this doesn't do remote printing.
+			mgr.Dispatch(new Event(print_hook, vl), true);
+			}
+
+		if ( remote_serializer )
+			remote_serializer->SendPrintHookEvent(f, d.Description());
+		}
+
+	return 0;
+	}
+
+IMPLEMENT_SERIAL(PrintStmt, SER_PRINT_STMT);
+
+bool PrintStmt::DoSerialize(SerialInfo* info) const
+	{
+	DO_SERIALIZE(SER_PRINT_STMT, ExprListStmt);
+	return true;
+	}
+
+bool PrintStmt::DoUnserialize(UnserialInfo* info)
+	{
+	DO_UNSERIALIZE(ExprListStmt);
+	return true;
+	}
+
+ExprStmt::ExprStmt(Expr* arg_e) : Stmt(STMT_EXPR)
+	{
+	e = arg_e;
+	if ( e && e->IsPure() )
+		Warn("expression value ignored");
+
+	SetLocationInfo(arg_e->GetLocationInfo());
+	}
+
+ExprStmt::ExprStmt(BroStmtTag t, Expr* arg_e) : Stmt(t)
+	{
+	e = arg_e;
+
+	if ( e )
+		SetLocationInfo(e->GetLocationInfo());
+	}
+
+ExprStmt::~ExprStmt()
+	{
+	Unref(e);
+	}
+
+Val* ExprStmt::Exec(Frame* f, stmt_flow_type& flow) const
+	{
+	RegisterAccess();
+	flow = FLOW_NEXT;
+
+	Val* v = e->Eval(f);
+
+	if ( v )
+		{
+		Val* ret_val = DoExec(f, v, flow);
+		Unref(v);
+		return ret_val;
+		}
+	else
+		return 0;
+	}
+
+Val* ExprStmt::DoExec(Frame* /* f */, Val* /* v */, stmt_flow_type& /* flow */) const
+	{
+	return 0;
+	}
+
+Stmt* ExprStmt::Simplify()
+	{
+	e = simplify_expr(e, SIMPLIFY_GENERAL);
+	return DoSimplify();
+	}
+
+Stmt* ExprStmt::DoSimplify()
+	{
+	return this;
+	}
+
+int ExprStmt::IsPure() const
+	{
+	return ! e || e->IsPure();
+	}
+
+void ExprStmt::Describe(ODesc* d) const
+	{
+	Stmt::Describe(d);
+
+	if ( d->IsReadable() && Tag() == STMT_IF )
+		d->Add("(");
+	e->Describe(d);
+
+	if ( Tag() == STMT_IF || Tag() == STMT_SWITCH )
+		{
+		if ( d->IsReadable() )
+			{
+			if ( Tag() == STMT_IF )
+				d->Add(")");
+			d->SP();
+			}
+		}
+	else
+		DescribeDone(d);
+	}
+
+TraversalCode ExprStmt::Traverse(TraversalCallback* cb) const
+	{
+	TraversalCode tc = cb->PreStmt(this);
+	HANDLE_TC_STMT_PRE(tc);
+
+	if ( e )
+		{
+		tc = e->Traverse(cb);
+		HANDLE_TC_STMT_PRE(tc);
+		}
+
+	tc = cb->PostStmt(this);
+	HANDLE_TC_STMT_POST(tc);
+	}
+
+IMPLEMENT_SERIAL(ExprStmt, SER_EXPR_STMT);
+
+bool ExprStmt::DoSerialize(SerialInfo* info) const
+	{
+	DO_SERIALIZE(SER_EXPR_STMT, Stmt);
+	SERIALIZE_OPTIONAL(e);
+	return true;
+	}
+
+bool ExprStmt::DoUnserialize(UnserialInfo* info)
+	{
+	DO_UNSERIALIZE(Stmt);
+	UNSERIALIZE_OPTIONAL(e, Expr::Unserialize(info));
+	return true;
+	}
+
+IfStmt::IfStmt(Expr* test, Stmt* arg_s1, Stmt* arg_s2) : ExprStmt(STMT_IF, test)
+	{
+	s1 = arg_s1;
+	s2 = arg_s2;
+
+	if ( ! e->IsError() && ! IsBool(e->Type()->Tag()) )
+		e->Error("conditional in test must be boolean");
+
+	const Location* loc1 = arg_s1->GetLocationInfo();
+	const Location* loc2 = arg_s2->GetLocationInfo();
+	SetLocationInfo(loc1, loc2);
+	}
+
+IfStmt::~IfStmt()
+	{
+	Unref(s1);
+	Unref(s2);
+	}
+
+Val* IfStmt::DoExec(Frame* f, Val* v, stmt_flow_type& flow) const
+	{
+	// Treat 0 as false, but don't require 1 for true.
+	Stmt* do_stmt = v->IsZero() ? s2 : s1;
+
+	f->SetNextStmt(do_stmt);
+
+	if ( ! pre_execute_stmt(do_stmt, f) )
+		{ // ### Abort or something
+		}
+
+	Val* result = do_stmt->Exec(f, flow);
+
+	if ( ! post_execute_stmt(do_stmt, f, result, &flow) )
+		{ // ### Abort or something
+		}
+
+	return result;
+	}
+
+Stmt* IfStmt::DoSimplify()
+	{
+	s1 = simplify_stmt(s1);
+	s2 = simplify_stmt(s2);
+
+	if ( e->IsConst() )
+		{
+		if ( ! optimize )
+			Warn("constant in conditional");
+
+		return e->IsZero() ? s2->Ref() : s1->Ref();
+		}
+
+	if ( e->Tag() == EXPR_NOT )
+		{
+		Stmt* t = s1;
+		s1 = s2;
+		s2 = t;
+
+		e = new NotExpr(e);
+
+		return Simplify();
+		}
+
+	return this;
+	}
+
+int IfStmt::IsPure() const
+	{
+	return e->IsPure() && s1->IsPure() && s2->IsPure();
+	}
+
+void IfStmt::Describe(ODesc* d) const
+	{
+	ExprStmt::Describe(d);
+
+	d->PushIndent();
+	s1->AccessStats(d);
+	s1->Describe(d);
+	d->PopIndent();
+
+	if ( d->IsReadable() )
+		{
+		if ( s2->Tag() != STMT_NULL )
+			{
+			d->Add("else");
+			d->PushIndent();
+			s2->AccessStats(d);
+			s2->Describe(d);
+			d->PopIndent();
+			}
+		}
+	else
+		s2->Describe(d);
+	}
+
+TraversalCode IfStmt::Traverse(TraversalCallback* cb) const
+	{
+	TraversalCode tc = cb->PreStmt(this);
+	HANDLE_TC_STMT_PRE(tc);
+
+	// Condition is stored in base class's "e" field.
+	tc = e->Traverse(cb);
+	HANDLE_TC_STMT_PRE(tc);
+
+	tc = TrueBranch()->Traverse(cb);
+	HANDLE_TC_STMT_PRE(tc);
+
+	tc = FalseBranch()->Traverse(cb);
+	HANDLE_TC_STMT_PRE(tc);
+
+	tc = cb->PostStmt(this);
+	HANDLE_TC_STMT_POST(tc);
+	}
+
+IMPLEMENT_SERIAL(IfStmt, SER_IF_STMT);
+
+bool IfStmt::DoSerialize(SerialInfo* info) const
+	{
+	DO_SERIALIZE(SER_IF_STMT, ExprStmt);
+	return s1->Serialize(info) && s2->Serialize(info);
+	}
+
+bool IfStmt::DoUnserialize(UnserialInfo* info)
+	{
+	DO_UNSERIALIZE(ExprStmt);
+	s1 = Stmt::Unserialize(info);
+	if ( ! s1 )
+		return false;
+
+	s2 = Stmt::Unserialize(info);
+	return s2 != 0;
+	}
+
+Case::~Case()
+	{
+	Unref(cases);
+	Unref(s);
+	}
+
+void Case::Describe(ODesc* d) const
+	{
+	const expr_list& e = Cases()->Exprs();
+
+	if ( ! d->IsBinary() )
+		d->Add("case");
+
+	d->AddCount(e.length());
+
+	loop_over_list(e, j)
+		{
+		if ( j > 0 && ! d->IsReadable() )
+			d->Add(",");
+
+		d->SP();
+		e[j]->Describe(d);
+		}
+
+	if ( d->IsReadable() )
+		d->Add(":");
+
+	d->PushIndent();
+	Body()->AccessStats(d);
+	Body()->Describe(d);
+	d->PopIndent();
+	}
+
+TraversalCode Case::Traverse(TraversalCallback* cb) const
+	{
+	TraversalCode tc = cases->Traverse(cb);
+	HANDLE_TC_STMT_PRE(tc);
+
+	tc = s->Traverse(cb);
+	HANDLE_TC_STMT_PRE(tc);
+
+	return TC_CONTINUE;
+	}
+
+bool Case::Serialize(SerialInfo* info) const
+	{
+	return SerialObj::Serialize(info);
+	}
+
+Case* Case::Unserialize(UnserialInfo* info)
+	{
+	return (Case*) SerialObj::Unserialize(info, SER_CASE);
+	}
+
+IMPLEMENT_SERIAL(Case, SER_CASE);
+
+bool Case::DoSerialize(SerialInfo* info) const
+	{
+	DO_SERIALIZE(SER_CASE, BroObj);
+	return cases->Serialize(info) && this->s->Serialize(info);
+	}
+
+bool Case::DoUnserialize(UnserialInfo* info)
+	{
+	DO_UNSERIALIZE(BroObj);
+
+	cases = (ListExpr*) Expr::Unserialize(info, EXPR_LIST);
+	if ( ! cases )
+		return false;
+
+	this->s = Stmt::Unserialize(info);
+	return this->s != 0;
+	}
+
+SwitchStmt::SwitchStmt(Expr* index, case_list* arg_cases) :
+	ExprStmt(STMT_SWITCH, index)
+	{
+	cases = arg_cases;
+
+	//### need to loop over cases and make sure their type matches
+	//### the index, and they're constant and not redundant
+	}
+
+SwitchStmt::~SwitchStmt()
+	{
+	loop_over_list(*cases, i)
+		Unref((*cases)[i]);
+
+	delete cases;
+	}
+
+Val* SwitchStmt::DoExec(Frame* /* f */, Val* /* v */, stmt_flow_type& /* flow */) const
+	{
+	printf("switch statement not implemented\n");
+	return 0;
+	}
+
+Stmt* SwitchStmt::DoSimplify()
+	{
+	loop_over_list(*cases, i)
+		{
+		Case* c = (*cases)[i];
+		ListExpr* new_cases = simplify_expr_list(c->Cases(), SIMPLIFY_GENERAL);
+		Stmt* new_body = simplify_stmt(c->Body());
+
+		if ( new_cases != c->Cases() || new_body != c->Body() )
+			{
+			cases->replace(i, new Case(new_cases, new_body));
+			Unref(c);
+			}
+		}
+
+	if ( e->IsConst() )
+		{ // ### go through cases and pull out the one it matches
+		if ( ! optimize )
+			Warn("constant in switch");
+		}
+
+	return this;
+	}
+
+int SwitchStmt::IsPure() const
+	{
+	if ( ! e->IsPure() )
+		return 0;
+
+	loop_over_list(*cases, i)
+		{
+		Case* c = (*cases)[i];
+		if ( ! c->Cases()->IsPure() || ! c->Body()->IsPure() )
+			return 0;
+		}
+
+	return 1;
+	}
+
+void SwitchStmt::Describe(ODesc* d) const
+	{
+	ExprStmt::Describe(d);
+
+	if ( ! d->IsBinary() )
+		d->Add("{");
+
+	d->PushIndent();
+	d->AddCount(cases->length());
+	loop_over_list(*cases, i)
+		(*cases)[i]->Describe(d);
+	d->PopIndent();
+
+	if ( ! d->IsBinary() )
+		d->Add("}");
+	d->NL();
+	}
+
+TraversalCode SwitchStmt::Traverse(TraversalCallback* cb) const
+	{
+	TraversalCode tc = cb->PreStmt(this);
+	HANDLE_TC_STMT_PRE(tc);
+
+	// Index is stored in base class's "e" field.
+	tc = e->Traverse(cb);
+	HANDLE_TC_STMT_PRE(tc);
+
+	loop_over_list(*cases, i)
+		{
+		tc = (*cases)[i]->Traverse(cb);
+		HANDLE_TC_STMT_PRE(tc);
+		}
+
+	tc = cb->PostStmt(this);
+	HANDLE_TC_STMT_POST(tc);
+	}
+
+IMPLEMENT_SERIAL(SwitchStmt, SER_SWITCH_STMT);
+
+bool SwitchStmt::DoSerialize(SerialInfo* info) const
+	{
+	DO_SERIALIZE(SER_SWITCH_STMT, ExprStmt);
+
+	if ( ! SERIALIZE(cases->length()) )
+		return false;
+
+	loop_over_list((*cases), i)
+		if ( ! (*cases)[i]->Serialize(info) )
+			return false;
+
+	return true;
+	}
+
+bool SwitchStmt::DoUnserialize(UnserialInfo* info)
+	{
+	DO_UNSERIALIZE(ExprStmt);
+
+	int len;
+	if ( ! UNSERIALIZE(&len) )
+		return false;
+
+	while ( len-- )
+		{
+		Case* c = Case::Unserialize(info);
+		if ( ! c )
+			return false;
+
+		cases->append(c);
+		}
+
+	return true;
+	}
+
+AddStmt::AddStmt(Expr* arg_e) : ExprStmt(STMT_ADD, arg_e)
+	{
+	if ( ! e->CanAdd() )
+		Error("illegal add statement");
+	}
+
+int AddStmt::IsPure() const
+	{
+	return 0;
+	}
+
+Val* AddStmt::Exec(Frame* f, stmt_flow_type& flow) const
+	{
+	RegisterAccess();
+	flow = FLOW_NEXT;
+	e->Add(f);
+	return 0;
+	}
+
+
+TraversalCode AddStmt::Traverse(TraversalCallback* cb) const
+	{
+	TraversalCode tc = cb->PreStmt(this);
+	HANDLE_TC_STMT_PRE(tc);
+
+	// Argument is stored in base class's "e" field.
+	tc = e->Traverse(cb);
+	HANDLE_TC_STMT_PRE(tc);
+
+	tc = cb->PostStmt(this);
+	HANDLE_TC_STMT_POST(tc);
+	}
+
+IMPLEMENT_SERIAL(AddStmt, SER_ADD_STMT);
+
+bool AddStmt::DoSerialize(SerialInfo* info) const
+	{
+	DO_SERIALIZE(SER_ADD_STMT, ExprStmt);
+	return true;
+	}
+
+bool AddStmt::DoUnserialize(UnserialInfo* info)
+	{
+	DO_UNSERIALIZE(ExprStmt);
+	return true;
+	}
+
+DelStmt::DelStmt(Expr* arg_e) : ExprStmt(STMT_DELETE, arg_e)
+	{
+	if ( ! e->CanDel() )
+		Error("illegal delete statement");
+	}
+
+int DelStmt::IsPure() const
+	{
+	return 0;
+	}
+
+Val* DelStmt::Exec(Frame* f, stmt_flow_type& flow) const
+	{
+	RegisterAccess();
+	flow = FLOW_NEXT;
+	e->Delete(f);
+	return 0;
+	}
+
+TraversalCode DelStmt::Traverse(TraversalCallback* cb) const
+	{
+	TraversalCode tc = cb->PreStmt(this);
+	HANDLE_TC_STMT_PRE(tc);
+
+	// Argument is stored in base class's "e" field.
+	tc = e->Traverse(cb);
+	HANDLE_TC_STMT_PRE(tc);
+
+	tc = cb->PostStmt(this);
+	HANDLE_TC_STMT_POST(tc);
+	}
+
+IMPLEMENT_SERIAL(DelStmt, SER_DEL_STMT);
+
+bool DelStmt::DoSerialize(SerialInfo* info) const
+	{
+	DO_SERIALIZE(SER_DEL_STMT, ExprStmt);
+	return true;
+	}
+
+bool DelStmt::DoUnserialize(UnserialInfo* info)
+	{
+	DO_UNSERIALIZE(ExprStmt);
+	return true;
+	}
+
+EventStmt::EventStmt(EventExpr* arg_e) : ExprStmt(STMT_EVENT, arg_e)
+	{
+	event_expr = arg_e;
+	}
+
+Val* EventStmt::Exec(Frame* f, stmt_flow_type& flow) const
+	{
+	RegisterAccess();
+	val_list* args = eval_list(f, event_expr->Args());
+
+	if ( args )
+		mgr.QueueEvent(event_expr->Handler(), args);
+
+	flow = FLOW_NEXT;
+
+	return 0;
+	}
+
+TraversalCode EventStmt::Traverse(TraversalCallback* cb) const
+	{
+	TraversalCode tc = cb->PreStmt(this);
+	HANDLE_TC_STMT_PRE(tc);
+
+	// Event is stored in base class's "e" field.
+	tc = e->Traverse(cb);
+	HANDLE_TC_STMT_PRE(tc);
+
+	tc = cb->PostStmt(this);
+	HANDLE_TC_STMT_POST(tc);
+	}
+
+IMPLEMENT_SERIAL(EventStmt, SER_EVENT_STMT);
+
+bool EventStmt::DoSerialize(SerialInfo* info) const
+	{
+	DO_SERIALIZE(SER_EVENT_STMT, ExprStmt);
+	return event_expr->Serialize(info);
+	}
+
+bool EventStmt::DoUnserialize(UnserialInfo* info)
+	{
+	DO_UNSERIALIZE(ExprStmt);
+
+	event_expr = (EventExpr*) Expr::Unserialize(info, EXPR_EVENT);
+	return event_expr != 0;
+	}
+
+ForStmt::ForStmt(id_list* arg_loop_vars, Expr* loop_expr)
+: ExprStmt(STMT_FOR, loop_expr)
+	{
+	loop_vars = arg_loop_vars;
+	body = 0;
+
+	if ( e->Type()->Tag() == TYPE_TABLE )
+		{
+		const type_list* indices = e->Type()->AsTableType()->IndexTypes();
+		if ( indices->length() != loop_vars->length() )
+			e->Error("wrong index size");
+
+		for ( int i = 0; i < indices->length(); i++ )
+			{
+			BroType* ind_type = (*indices)[i]->Ref();
+
+			if ( (*loop_vars)[i]->Type() )
+				{
+				if ( ! same_type((*loop_vars)[i]->Type(), ind_type) )
+					(*loop_vars)[i]->Type()->Error("type clash in iteration", ind_type);
+				}
+
+			else
+				{
+				delete add_local((*loop_vars)[i],
+						ind_type->Ref(), INIT_NONE,
+						0, 0, VAR_REGULAR);
+				}
+			}
+		}
+
+	else if ( e->Type()->Tag() == TYPE_VECTOR )
+		{
+		if ( loop_vars->length() != 1 )
+			{
+			e->Error("iterating over a vector requires only a single index type");
+			return;
+			}
+
+		BroType* t = (*loop_vars)[0]->Type();
+		if ( ! t )
+			delete add_local((*loop_vars)[0], base_type(TYPE_INT),
+						INIT_NONE, 0, 0, VAR_REGULAR);
+
+		else if ( ! IsIntegral(t->Tag()) )
+			{
+			e->Error("vector index in \"for\" loop must be integral");
+			return;
+			}
+		}
+
+	else if ( e->Type()->Tag() == TYPE_STRING )
+		{
+		if ( loop_vars->length() != 1 )
+			{
+			e->Error("iterating over a string requires only a single index type");
+			return;
+			}
+
+		BroType* t = (*loop_vars)[0]->Type();
+		if ( ! t )
+			delete add_local((*loop_vars)[0],
+					base_type(TYPE_STRING),
+					INIT_NONE, 0, 0, VAR_REGULAR);
+
+		else if ( t->Tag() != TYPE_STRING )
+			{
+			e->Error("string index in \"for\" loop must be string");
+			return;
+			}
+		}
+	else
+		e->Error("target to iterate over must be a table, set, vector, or string");
+	}
+
+ForStmt::~ForStmt()
+	{
+	loop_over_list(*loop_vars, i)
+		Unref((*loop_vars)[i]);
+	delete loop_vars;
+
+	Unref(body);
+	}
+
+Val* ForStmt::DoExec(Frame* f, Val* v, stmt_flow_type& flow) const
+	{
+	Val* ret = 0;
+
+	if ( v->Type()->Tag() == TYPE_TABLE )
+		{
+		TableVal* tv = v->AsTableVal();
+		const PDict(TableEntryVal)* loop_vals = tv->AsTable();
+
+		HashKey* k;
+		TableEntryVal* iter_val;
+		IterCookie* c = loop_vals->InitForIteration();
+		while ( (iter_val = loop_vals->NextEntry(k, c)) )
+			{
+			ListVal* ind_lv = tv->RecoverIndex(k);
+			delete k;
+
+			for ( int i = 0; i < ind_lv->Length(); i++ )
+				f->SetElement((*loop_vars)[i]->Offset(), ind_lv->Index(i)->Ref());
+			Unref(ind_lv);
+
+			flow = FLOW_NEXT;
+			ret = body->Exec(f, flow);
+
+			if ( flow == FLOW_BREAK || flow == FLOW_RETURN )
+				{
+				// If we broke or returned from inside a for loop,
+				// the cookie may still exist.
+				loop_vals->StopIteration(c);
+				break;
+				}
+			}
+		}
+
+	else if ( v->Type()->Tag() == TYPE_VECTOR )
+		{
+		VectorVal* vv = v->AsVectorVal();
+
+		for ( int i = 0; i <= int(vv->Size()); ++i )
+			{
+			// Skip unassigned vector indices.
+			if ( ! vv->Lookup(i) )
+				continue;
+
+			// Set the loop variable to the current index, and make
+			// another pass over the loop body.
+			f->SetElement((*loop_vars)[0]->Offset(),
+					new Val(i, TYPE_INT));
+			flow = FLOW_NEXT;
+			ret = body->Exec(f, flow);
+
+			if ( flow == FLOW_BREAK || flow == FLOW_RETURN )
+				break;
+			}
+		}
+	else if ( v->Type()->Tag() == TYPE_STRING )
+		{
+		StringVal* sval = v->AsStringVal();
+
+		for ( int i = 0; i < sval->Len(); ++i )
+			{
+			f->SetElement((*loop_vars)[0]->Offset(),
+					new StringVal(1, (const char*) sval->Bytes() + i));
+			flow = FLOW_NEXT;
+			ret = body->Exec(f, flow);
+
+			if ( flow == FLOW_BREAK || flow == FLOW_RETURN )
+				break;
+			}
+		}
+
+	else
+		e->Error("Invalid type in for-loop execution");
+
+	if ( flow == FLOW_LOOP )
+		flow = FLOW_NEXT;	// last iteration exited with a "next"
+
+	if ( flow == FLOW_BREAK )
+		flow = FLOW_NEXT;	// we've now finished the "break"
+
+	return ret;
+	}
+
+Stmt* ForStmt::DoSimplify()
+	{
+	body = simplify_stmt(body);
+
+	if ( e->IsConst() )
+		{
+		const PDict(TableEntryVal)* vt = e->ExprVal()->AsTable();
+
+		if ( vt->Length() == 0 )
+			return new NullStmt();
+		}
+
+	return this;
+	}
+
+int ForStmt::IsPure() const
+	{
+	return e->IsPure() && body->IsPure();
+	}
+
+void ForStmt::Describe(ODesc* d) const
+	{
+	Stmt::Describe(d);
+
+	if ( d->IsReadable() )
+		d->Add("(");
+
+	if ( loop_vars->length() )
+		d->Add("[");
+
+	loop_over_list(*loop_vars, i)
+		{
+		(*loop_vars)[i]->Describe(d);
+		if ( i > 0 )
+			d->Add(",");
+		}
+	
+	if ( loop_vars->length() )
+		d->Add("]");
+
+	if ( d->IsReadable() )
+		d->Add(" in ");
+
+	e->Describe(d);
+
+	if ( d->IsReadable() )
+		d->Add(")");
+
+	d->SP();
+
+	d->PushIndent();
+	body->AccessStats(d);
+	body->Describe(d);
+	d->PopIndent();
+	}
+
+TraversalCode ForStmt::Traverse(TraversalCallback* cb) const
+	{
+	TraversalCode tc = cb->PreStmt(this);
+	HANDLE_TC_STMT_PRE(tc);
+
+	loop_over_list(*loop_vars, i)
+		{
+		tc = (*loop_vars)[i]->Traverse(cb);
+		HANDLE_TC_STMT_PRE(tc);
+		}
+
+	tc = LoopExpr()->Traverse(cb);
+	HANDLE_TC_STMT_PRE(tc);
+
+	tc = LoopBody()->Traverse(cb);
+	HANDLE_TC_STMT_PRE(tc);
+
+	tc = cb->PostStmt(this);
+	HANDLE_TC_STMT_POST(tc);
+	}
+
+IMPLEMENT_SERIAL(ForStmt, SER_FOR_STMT);
+
+bool ForStmt::DoSerialize(SerialInfo* info) const
+	{
+	DO_SERIALIZE(SER_FOR_STMT, ExprStmt);
+
+	if ( ! SERIALIZE(loop_vars->length()) )
+		return false;
+
+	loop_over_list((*loop_vars), i)
+		{
+		if ( ! (*loop_vars)[i]->Serialize(info) )
+			return false;
+		}
+
+	return body->Serialize(info);
+	}
+
+bool ForStmt::DoUnserialize(UnserialInfo* info)
+	{
+	DO_UNSERIALIZE(ExprStmt);
+
+	int len;
+	if ( ! UNSERIALIZE(&len) )
+		return false;
+
+	loop_vars = new id_list;
+
+	while ( len-- )
+		{
+		ID* id = ID::Unserialize(info);
+		if ( ! id )
+			return false;
+
+		loop_vars->append(id);
+		}
+
+	body = Stmt::Unserialize(info);
+	return body != 0;
+	}
+
+Val* NextStmt::Exec(Frame* /* f */, stmt_flow_type& flow) const
+	{
+	RegisterAccess();
+	flow = FLOW_LOOP;
+	return 0;
+	}
+
+int NextStmt::IsPure() const
+	{
+	return 1;
+	}
+
+void NextStmt::Describe(ODesc* d) const
+	{
+	Stmt::Describe(d);
+	Stmt::DescribeDone(d);
+	}
+
+TraversalCode NextStmt::Traverse(TraversalCallback* cb) const
+	{
+	TraversalCode tc = cb->PreStmt(this);
+	HANDLE_TC_STMT_PRE(tc);
+
+	tc = cb->PostStmt(this);
+	HANDLE_TC_STMT_POST(tc);
+	}
+
+IMPLEMENT_SERIAL(NextStmt, SER_NEXT_STMT);
+
+bool NextStmt::DoSerialize(SerialInfo* info) const
+	{
+	DO_SERIALIZE(SER_NEXT_STMT, Stmt);
+	return true;
+	}
+
+bool NextStmt::DoUnserialize(UnserialInfo* info)
+	{
+	DO_UNSERIALIZE(Stmt);
+	return true;
+	}
+
+Val* BreakStmt::Exec(Frame* /* f */, stmt_flow_type& flow) const
+	{
+	RegisterAccess();
+	flow = FLOW_BREAK;
+	return 0;
+	}
+
+int BreakStmt::IsPure() const
+	{
+	return 1;
+	}
+
+void BreakStmt::Describe(ODesc* d) const
+	{
+	Stmt::Describe(d);
+	Stmt::DescribeDone(d);
+	}
+
+TraversalCode BreakStmt::Traverse(TraversalCallback* cb) const
+	{
+	TraversalCode tc = cb->PreStmt(this);
+	HANDLE_TC_STMT_PRE(tc);
+
+	tc = cb->PostStmt(this);
+	HANDLE_TC_STMT_POST(tc);
+	}
+
+IMPLEMENT_SERIAL(BreakStmt, SER_BREAK_STMT);
+
+bool BreakStmt::DoSerialize(SerialInfo* info) const
+	{
+	DO_SERIALIZE(SER_BREAK_STMT, Stmt);
+	return true;
+	}
+
+bool BreakStmt::DoUnserialize(UnserialInfo* info)
+	{
+	DO_UNSERIALIZE(Stmt);
+	return true;
+	}
+
+ReturnStmt::ReturnStmt(Expr* arg_e) : ExprStmt(STMT_RETURN, arg_e)
+	{
+	Scope* s = current_scope();
+
+	if ( ! s || ! s->ScopeID() )
+		{
+		Error("return statement outside of function/event");
+		return;
+		}
+
+	FuncType* ft = s->ScopeID()->Type()->AsFuncType();
+	BroType* yt = ft->YieldType();
+
+	if ( s->ScopeID()->DoInferReturnType() )
+		{
+		if ( e )
+			{
+			ft->SetYieldType(e->Type());
+			s->ScopeID()->SetInferReturnType(false);
+			}
+		}
+
+	else if ( ! yt || yt->Tag() == TYPE_VOID )
+		{
+		if ( e )
+			Error("return statement cannot have an expression");
+		}
+
+	else if ( ! e )
+		Error("return statement needs expression");
+
+	else
+		(void) check_and_promote_expr(e, yt);
+	}
+
+Val* ReturnStmt::Exec(Frame* f, stmt_flow_type& flow) const
+	{
+	RegisterAccess();
+	flow = FLOW_RETURN;
+
+	if ( e )
+		return e->Eval(f);
+	else
+		return 0;
+	}
+
+void ReturnStmt::Describe(ODesc* d) const
+	{
+	Stmt::Describe(d);
+	if ( ! d->IsReadable() )
+		d->Add(e != 0);
+
+	if ( e )
+		{
+		if ( ! d->IsBinary() )
+			d->Add("(");
+		e->Describe(d);
+		if ( ! d->IsBinary() )
+			d->Add(")");
+		}
+
+	DescribeDone(d);
+	}
+
+IMPLEMENT_SERIAL(ReturnStmt, SER_RETURN_STMT);
+
+bool ReturnStmt::DoSerialize(SerialInfo* info) const
+	{
+	DO_SERIALIZE(SER_RETURN_STMT, ExprStmt);
+	return true;
+	}
+
+bool ReturnStmt::DoUnserialize(UnserialInfo* info)
+	{
+	DO_UNSERIALIZE(ExprStmt);
+	return true;
+	}
+
+StmtList::StmtList() : Stmt(STMT_LIST)
+	{
+	}
+
+StmtList::~StmtList()
+	{
+	loop_over_list(stmts, i)
+		Unref(stmts[i]);
+	}
+
+Val* StmtList::Exec(Frame* f, stmt_flow_type& flow) const
+	{
+	RegisterAccess();
+	flow = FLOW_NEXT;
+
+	loop_over_list(stmts, i)
+		{
+		f->SetNextStmt(stmts[i]);
+
+		if ( ! pre_execute_stmt(stmts[i], f) )
+			{ // ### Abort or something
+			}
+
+		Val* result = stmts[i]->Exec(f, flow);
+
+		if ( ! post_execute_stmt(stmts[i], f, result, &flow) )
+			{ // ### Abort or something
+			}
+
+		if ( flow != FLOW_NEXT || result || f->HasDelayed() )
+			return result;
+		}
+
+	return 0;
+	}
+
+Stmt* StmtList::Simplify()
+	{
+	if ( stmts.length() == 0 )
+		return new NullStmt();
+
+	if ( stmts.length() == 1 )
+		return stmts[0]->Ref();
+
+	loop_over_list(stmts, i)
+		stmts.replace(i, simplify_stmt(stmts[i]));
+
+	return this;
+	}
+
+int StmtList::IsPure() const
+	{
+	loop_over_list(stmts, i)
+		if ( ! stmts[i]->IsPure() )
+			return 0;
+	return 1;
+	}
+
+void StmtList::Describe(ODesc* d) const
+	{
+	if ( ! d->IsReadable() )
+		{
+		AddTag(d);
+		d->AddCount(stmts.length());
+		}
+
+	if ( stmts.length() == 0 )
+		DescribeDone(d);
+
+	else
+		{
+		if ( ! d->IsBinary() )
+			{
+			d->Add("{ ");
+			d->NL();
+			}
+
+		loop_over_list(stmts, i)
+			{
+			stmts[i]->Describe(d);
+			d->NL();
+			}
+
+		if ( ! d->IsBinary() )
+			d->Add("}");
+		}
+	}
+
+TraversalCode StmtList::Traverse(TraversalCallback* cb) const
+	{
+	TraversalCode tc = cb->PreStmt(this);
+	HANDLE_TC_STMT_PRE(tc);
+
+	loop_over_list(stmts, i)
+		{
+		tc = stmts[i]->Traverse(cb);
+		HANDLE_TC_STMT_PRE(tc);
+		}
+
+	tc = cb->PostStmt(this);
+	HANDLE_TC_STMT_POST(tc);
+	}
+
+IMPLEMENT_SERIAL(StmtList, SER_STMT_LIST);
+
+bool StmtList::DoSerialize(SerialInfo* info) const
+	{
+	DO_SERIALIZE(SER_STMT_LIST, Stmt);
+
+	if ( ! SERIALIZE(stmts.length()) )
+		return false;
+
+	loop_over_list(stmts, i)
+		if ( ! stmts[i]->Serialize(info) )
+			return false;
+
+	return true;
+	}
+
+bool StmtList::DoUnserialize(UnserialInfo* info)
+	{
+	DO_UNSERIALIZE(Stmt);
+
+	int len;
+	if ( ! UNSERIALIZE(&len) )
+		return false;
+
+	while ( len-- )
+		{
+		Stmt* stmt = Stmt::Unserialize(info);
+		if ( ! stmt )
+			return false;
+
+		stmts.append(stmt);
+		}
+
+	return true;
+	}
+
+
+Val* EventBodyList::Exec(Frame* f, stmt_flow_type& flow) const
+	{
+	RegisterAccess();
+	flow = FLOW_NEXT;
+
+	loop_over_list(stmts, i)
+		{
+		f->SetNextStmt(stmts[i]);
+
+		// Ignore the return value, since there shouldn't be
+		// any; and ignore the flow, since we still execute
+		// all of the event bodies even if one of them does
+		// a FLOW_RETURN.
+		if ( ! pre_execute_stmt(stmts[i], f) )
+			{ // ### Abort or something
+			}
+
+		Val* result = stmts[i]->Exec(f, flow);
+
+		if ( ! post_execute_stmt(stmts[i], f, result, &flow) )
+			{ // ### Abort or something
+			}
+		}
+
+	// Simulate a return so the hooks operate properly.
+	stmt_flow_type ft = FLOW_RETURN;
+	(void) post_execute_stmt(f->GetNextStmt(), f, 0, &ft);
+
+	return 0;
+	}
+
+Stmt* EventBodyList::Simplify()
+	{
+	if ( stmts.length() <= 1 )
+		// Don't simplify these, we don't want to lose our
+		// "execute even across returns" property.
+		return this;
+
+	else
+		return StmtList::Simplify();
+	}
+
+void EventBodyList::Describe(ODesc* d) const
+	{
+	if ( d->IsReadable() && stmts.length() > 0 )
+		{
+		loop_over_list(stmts, i)
+			{
+			if ( ! d->IsBinary() )
+				{
+				d->Add("{");
+				d->PushIndent();
+				stmts[i]->AccessStats(d);
+				}
+
+			stmts[i]->Describe(d);
+
+			if ( ! d->IsBinary() )
+				{
+				d->Add("}");
+				d->PopIndent();
+				}
+			}
+		}
+
+	else
+		StmtList::Describe(d);
+	}
+
+IMPLEMENT_SERIAL(EventBodyList, SER_EVENT_BODY_LIST);
+
+bool EventBodyList::DoSerialize(SerialInfo* info) const
+	{
+	DO_SERIALIZE(SER_EVENT_BODY_LIST, StmtList);
+	return SERIALIZE(topmost);
+	}
+
+bool EventBodyList::DoUnserialize(UnserialInfo* info)
+	{
+	DO_UNSERIALIZE(StmtList);
+	return UNSERIALIZE(&topmost);
+	}
+
+InitStmt::~InitStmt()
+	{
+	loop_over_list(*inits, i)
+		Unref((*inits)[i]);
+
+	delete inits;
+	}
+
+Val* InitStmt::Exec(Frame* f, stmt_flow_type& flow) const
+	{
+	RegisterAccess();
+	flow = FLOW_NEXT;
+
+	loop_over_list(*inits, i)
+		{
+		ID* aggr = (*inits)[i];
+		BroType* t = aggr->Type();
+
+		Val* v;
+		if ( t->Tag() == TYPE_RECORD )
+			v = new RecordVal(t->AsRecordType());
+		else if ( aggr->Type()->Tag() == TYPE_VECTOR )
+			v = new VectorVal(t->AsVectorType());
+		else
+			v = new TableVal(t->AsTableType(), aggr->Attrs());
+
+		f->SetElement(aggr->Offset(), v);
+		}
+
+	return 0;
+	}
+
+void InitStmt::Describe(ODesc* d) const
+	{
+	AddTag(d);
+
+	if ( ! d->IsReadable() )
+		d->AddCount(inits->length());
+
+	loop_over_list(*inits, i)
+		{
+		if ( ! d->IsBinary() && i > 0 )
+			d->AddSP(",");
+
+		(*inits)[i]->Describe(d);
+		}
+
+	DescribeDone(d);
+	}
+
+TraversalCode InitStmt::Traverse(TraversalCallback* cb) const
+	{
+	TraversalCode tc = cb->PreStmt(this);
+	HANDLE_TC_STMT_PRE(tc);
+
+	loop_over_list(*inits, i)
+		{
+		tc = (*inits)[i]->Traverse(cb);
+		HANDLE_TC_STMT_PRE(tc);
+		}
+
+	tc = cb->PostStmt(this);
+	HANDLE_TC_STMT_POST(tc);
+	}
+
+IMPLEMENT_SERIAL(InitStmt, SER_INIT_STMT);
+
+bool InitStmt::DoSerialize(SerialInfo* info) const
+	{
+	DO_SERIALIZE(SER_INIT_STMT, Stmt);
+
+	if ( ! SERIALIZE(inits->length()) )
+		return false;
+
+	loop_over_list((*inits), i)
+		{
+		if ( ! (*inits)[i]->Serialize(info) )
+			return false;
+		}
+
+	return true;
+	}
+
+bool InitStmt::DoUnserialize(UnserialInfo* info)
+	{
+	DO_UNSERIALIZE(Stmt);
+
+	int len;
+	if ( ! UNSERIALIZE(&len) )
+		return false;
+
+	inits = new id_list;
+
+	while ( len-- )
+		{
+		ID* id = ID::Unserialize(info);
+		if ( ! id )
+			return false;
+		inits->append(id);
+		}
+	return true;
+	}
+
+
+Val* NullStmt::Exec(Frame* /* f */, stmt_flow_type& flow) const
+	{
+	RegisterAccess();
+	flow = FLOW_NEXT;
+	return 0;
+	}
+
+int NullStmt::IsPure() const
+	{
+	return 1;
+	}
+
+void NullStmt::Describe(ODesc* d) const
+	{
+	if ( d->IsReadable() )
+		DescribeDone(d);
+	else
+		AddTag(d);
+	}
+
+TraversalCode NullStmt::Traverse(TraversalCallback* cb) const
+	{
+	TraversalCode tc = cb->PreStmt(this);
+	HANDLE_TC_STMT_PRE(tc);
+
+	tc = cb->PostStmt(this);
+	HANDLE_TC_STMT_POST(tc);
+	}
+
+IMPLEMENT_SERIAL(NullStmt, SER_NULL_STMT);
+
+bool NullStmt::DoSerialize(SerialInfo* info) const
+	{
+	DO_SERIALIZE(SER_NULL_STMT, Stmt);
+	return true;
+	}
+
+bool NullStmt::DoUnserialize(UnserialInfo* info)
+	{
+	DO_UNSERIALIZE(Stmt);
+	return true;
+	}
+
+WhenStmt::WhenStmt(Expr* arg_cond, Stmt* arg_s1, Stmt* arg_s2,
+			Expr* arg_timeout, bool arg_is_return)
+: Stmt(STMT_WHEN)
+	{
+	assert(arg_cond);
+	assert(arg_s1);
+
+	cond = arg_cond;
+	s1 = arg_s1;
+	s2 = arg_s2;
+	timeout = arg_timeout;
+	is_return = arg_is_return;
+
+	if ( ! cond->IsError() && ! IsBool(cond->Type()->Tag()) )
+		cond->Error("conditional in test must be boolean");
+
+	if ( timeout )
+		{
+		if ( timeout->IsError() )
+			return;
+
+		TypeTag bt = timeout->Type()->Tag();
+		if ( bt != TYPE_TIME && bt != TYPE_INTERVAL )
+			cond->Error("when timeout requires a time or time interval");
+		}
+	}
+
+WhenStmt::~WhenStmt()
+	{
+	Unref(cond);
+	Unref(s1);
+	Unref(s2);
+	}
+
+Val* WhenStmt::Exec(Frame* f, stmt_flow_type& flow) const
+	{
+	RegisterAccess();
+	flow = FLOW_NEXT;
+
+	::Ref(cond);
+	::Ref(s1);
+	if ( s2 )
+		::Ref(s2);
+	if ( timeout )
+		::Ref(timeout);
+
+	// The new trigger object will take care of its own deletion.
+	new Trigger(cond, s1, s2, timeout, f, is_return, location);
+
+	return 0;
+	}
+
+Stmt* WhenStmt::Simplify()
+	{
+	cond = simplify_expr(cond, SIMPLIFY_GENERAL);
+	s1 = simplify_stmt(s1);
+	if ( s2 )
+		s2 = simplify_stmt(s2);
+
+	if ( cond->IsPure() )
+		Warn("non-varying expression in when clause");
+
+	return this;
+	}
+
+int WhenStmt::IsPure() const
+	{
+	return cond->IsPure() && s1->IsPure() && (! s2 || s2->IsPure());
+	}
+
+void WhenStmt::Describe(ODesc* d) const
+	{
+	Stmt::Describe(d);
+
+	if ( d->IsReadable() )
+		d->Add("(");
+
+	cond->Describe(d);
+
+	if ( d->IsReadable() )
+		d->Add(")");
+
+	d->SP();
+	d->PushIndent();
+	s1->AccessStats(d);
+	s1->Describe(d);
+	d->PopIndent();
+
+	if ( s2 )
+		{
+		if ( d->IsReadable() )
+			{
+			d->SP();
+			d->Add("timeout");
+			d->SP();
+			timeout->Describe(d);
+			d->SP();
+			d->PushIndent();
+			s2->AccessStats(d);
+			s2->Describe(d);
+			d->PopIndent();
+			}
+		else
+			s2->Describe(d);
+		}
+	}
+
+TraversalCode WhenStmt::Traverse(TraversalCallback* cb) const
+	{
+	TraversalCode tc = cb->PreStmt(this);
+	HANDLE_TC_STMT_PRE(tc);
+
+	tc = cond->Traverse(cb);
+	HANDLE_TC_STMT_PRE(tc);
+
+	tc = s1->Traverse(cb);
+	HANDLE_TC_STMT_PRE(tc);
+
+	if ( s2 )
+		{
+		tc = s2->Traverse(cb);
+		HANDLE_TC_STMT_PRE(tc);
+		}
+
+	tc = cb->PostStmt(this);
+	HANDLE_TC_STMT_POST(tc);
+	}
+
+IMPLEMENT_SERIAL(WhenStmt, SER_WHEN_STMT);
+
+bool WhenStmt::DoSerialize(SerialInfo* info) const
+	{
+	DO_SERIALIZE(SER_WHEN_STMT, Stmt);
+
+	if ( cond->Serialize(info) && s1->Serialize(info) )
+		return false;
+
+	SERIALIZE_OPTIONAL(s2);
+	SERIALIZE_OPTIONAL(timeout);
+
+	return true;
+	}
+
+bool WhenStmt::DoUnserialize(UnserialInfo* info)
+	{
+	DO_UNSERIALIZE(Stmt);
+
+	cond = Expr::Unserialize(info);
+	if ( ! cond )
+		return false;
+
+	s1 = Stmt::Unserialize(info);
+	if ( ! s1 )
+		return false;
+
+	UNSERIALIZE_OPTIONAL(s2, Stmt::Unserialize(info));
+	UNSERIALIZE_OPTIONAL(timeout, Expr::Unserialize(info));
+
+	return true;
+	}
+
+Stmt* simplify_stmt(Stmt* s)
+	{
+	for ( Stmt* ss = s->Simplify(); ss != s; ss = s->Simplify() )
+		{
+		Unref(s);
+		s = ss;
+		}
+
+	return s;
+	}
+
+int same_stmt(const Stmt* s1, const Stmt* s2)
+	{
+	if ( s1 == s2 )
+		return 1;
+
+	if ( s1->Tag() != s2->Tag() )
+		return 0;
+
+	switch ( s1->Tag() ) {
+	case STMT_ALARM:
+	case STMT_PRINT:
+		{
+		const ListExpr* l1 = ((const ExprListStmt*) s1)->ExprList();
+		const ListExpr* l2 = ((const ExprListStmt*) s2)->ExprList();
+		return same_expr(l1, l2);
+		}
+
+	case STMT_ADD:
+	case STMT_DELETE:
+	case STMT_RETURN:
+	case STMT_EXPR:
+	case STMT_EVENT:
+		{
+		const ExprStmt* e1 = (const ExprStmt*) s1;
+		const ExprStmt* e2 = (const ExprStmt*) s2;
+		return same_expr(e1->StmtExpr(), e2->StmtExpr());
+		}
+
+	case STMT_FOR:
+		{
+		const ForStmt* f1 = (const ForStmt*) s1;
+		const ForStmt* f2 = (const ForStmt*) s2;
+
+		return f1->LoopVar() == f2->LoopVar() &&
+			same_expr(f1->LoopExpr(), f2->LoopExpr()) &&
+			same_stmt(f1->LoopBody(), f2->LoopBody());
+		}
+
+	case STMT_IF:
+		{
+		const IfStmt* i1 = (const IfStmt*) s1;
+		const IfStmt* i2 = (const IfStmt*) s2;
+
+		if ( ! same_expr(i1->StmtExpr(), i2->StmtExpr()) )
+			return 0;
+
+		if ( i1->TrueBranch() || i2->TrueBranch() )
+			{
+			if ( ! i1->TrueBranch() || ! i2->TrueBranch() )
+				return 0;
+			if ( ! same_stmt(i1->TrueBranch(), i2->TrueBranch()) )
+				return 0;
+			}
+
+		if ( i1->FalseBranch() || i2->FalseBranch() )
+			{
+			if ( ! i1->FalseBranch() || ! i2->FalseBranch() )
+				return 0;
+			if ( ! same_stmt(i1->FalseBranch(), i2->FalseBranch()) )
+				return 0;
+			}
+
+		return 1;
+		}
+
+	case STMT_SWITCH:
+		{
+		const SwitchStmt* sw1 = (const SwitchStmt*) s1;
+		const SwitchStmt* sw2 = (const SwitchStmt*) s2;
+
+		if ( ! same_expr(sw1->StmtExpr(), sw2->StmtExpr()) )
+			return 0;
+
+		const case_list* c1 = sw1->Cases();
+		const case_list* c2 = sw1->Cases();
+
+		if ( c1->length() != c2->length() )
+			return 0;
+
+		loop_over_list(*c1, i)
+			{
+			if ( ! same_expr((*c1)[i]->Cases(), (*c2)[i]->Cases()) )
+				return 0;
+			if ( ! same_stmt((*c1)[i]->Body(), (*c2)[i]->Body()) )
+				return 0;
+			}
+
+		return 1;
+		}
+
+	case STMT_LIST:
+	case STMT_EVENT_BODY_LIST:
+		{
+		const stmt_list& l1 = ((const StmtList*) s1)->Stmts();
+		const stmt_list& l2 = ((const StmtList*) s2)->Stmts();
+
+		if ( l1.length() != l2.length() )
+			return 0;
+
+		loop_over_list(l1, i)
+			if ( ! same_stmt(l1[i], l2[i]) )
+				return 0;
+
+		return 1;
+		}
+
+	case STMT_INIT:
+		{
+		const id_list* i1 = ((const InitStmt*) s1)->Inits();
+		const id_list* i2 = ((const InitStmt*) s2)->Inits();
+
+		if ( i1->length() != i2->length() )
+			return 0;
+
+		loop_over_list(*i1, i)
+			if ( (*i1)[i] != (*i2)[i] )
+				return 0;
+
+		return 1;
+		}
+
+	case STMT_WHEN:
+		{
+		const WhenStmt* w1 = (const WhenStmt*) s1;
+		const WhenStmt* w2 = (const WhenStmt*) s2;
+
+		if ( ! same_expr(w1->Cond(), w2->Cond()) )
+			return 0;
+
+		if ( ! same_stmt(w1->Body(), w2->Body()) )
+			return 0;
+
+		if ( w1->TimeoutBody() || w2->TimeoutBody() )
+			{
+			if ( ! w1->TimeoutBody() || ! w2->TimeoutBody() )
+				return 0;
+
+			if ( ! same_expr(w1->TimeoutExpr(), w2->TimeoutExpr()) )
+				return 0;
+
+			if ( ! same_stmt(w1->TimeoutBody(), w2->TimeoutBody()) )
+				return 0;
+			}
+
+		return 1;
+		}
+
+	case STMT_NEXT:
+	case STMT_BREAK:
+	case STMT_NULL:
+		return 1;
+
+	default:
+		error("bad tag in same_stmt()");
+	}
+
+	return 0;
+	}
diff --git a/src/Stmt.h b/src/Stmt.h
new file mode 100644
index 0000000000..4909ff9da5
--- /dev/null
+++ b/src/Stmt.h
@@ -0,0 +1,498 @@
+// $Id: Stmt.h 6916 2009-09-24 20:48:36Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#ifndef stmt_h
+#define stmt_h
+
+// BRO statements.
+
+#include "BroList.h"
+#include "Obj.h"
+#include "Expr.h"
+
+#include "StmtEnums.h"
+
+#include "TraverseTypes.h"
+
+class StmtList;
+class ForStmt;
+
+class Stmt : public BroObj {
+public:
+	BroStmtTag Tag() const	{ return tag; }
+
+	virtual ~Stmt();
+
+	virtual Val* Exec(Frame* f, stmt_flow_type& flow) const = 0;
+
+	Stmt* Ref()			{ ::Ref(this); return this; }
+
+	bool SetLocationInfo(const Location* loc)
+		{ return Stmt::SetLocationInfo(loc, loc); }
+	bool SetLocationInfo(const Location* start, const Location* end);
+
+	// Returns a fully simplified version of the statement (this
+	// may be the same statement, or a newly created one).
+	virtual Stmt* Simplify();
+
+	// True if the statement has no side effects, false otherwise.
+	virtual int IsPure() const;
+
+	StmtList* AsStmtList()
+		{
+		CHECK_TAG(tag, STMT_LIST, "Stmt::AsStmtList", stmt_name)
+		return (StmtList*) this;
+		}
+
+	ForStmt* AsForStmt()
+		{
+		CHECK_TAG(tag, STMT_FOR, "Stmt::AsForStmt", stmt_name)
+		return (ForStmt*) this;
+		}
+
+	void RegisterAccess() const	{ last_access = network_time; access_count++; }
+	void AccessStats(ODesc* d) const;
+
+	virtual void Describe(ODesc* d) const;
+
+	virtual void IncrBPCount()	{ ++breakpoint_count; }
+	virtual void DecrBPCount()
+		{
+		if ( breakpoint_count )
+			--breakpoint_count;
+		else
+			internal_error("breakpoint count decremented below 0");
+		}
+
+	virtual unsigned int BPCount() const	{ return breakpoint_count; }
+
+	bool Serialize(SerialInfo* info) const;
+	static Stmt* Unserialize(UnserialInfo* info, BroStmtTag want = STMT_ANY);
+
+	virtual TraversalCode Traverse(TraversalCallback* cb) const = 0;
+
+protected:
+	Stmt()	{}
+	Stmt(BroStmtTag arg_tag);
+
+	void AddTag(ODesc* d) const;
+	void DescribeDone(ODesc* d) const;
+
+	DECLARE_ABSTRACT_SERIAL(Stmt);
+
+	BroStmtTag tag;
+	int breakpoint_count;	// how many breakpoints on this statement
+
+	// FIXME: Learn the exact semantics of mutable.
+	mutable double last_access;	// time of last execution
+	mutable uint32 access_count;	// number of executions
+};
+
+class ExprListStmt : public Stmt {
+public:
+	const ListExpr* ExprList() const	{ return l; }
+
+	TraversalCode Traverse(TraversalCallback* cb) const;
+
+protected:
+	ExprListStmt()	{ l = 0; }
+	ExprListStmt(BroStmtTag t, ListExpr* arg_l);
+
+	virtual ~ExprListStmt();
+
+	Val* Exec(Frame* f, stmt_flow_type& flow) const;
+	virtual Val* DoExec(val_list* vals, stmt_flow_type& flow) const = 0;
+
+	Stmt* Simplify();
+	virtual Stmt* DoSimplify();
+
+	void Describe(ODesc* d) const;
+	void PrintVals(ODesc* d, val_list* vals, int offset) const;
+
+	DECLARE_ABSTRACT_SERIAL(ExprListStmt);
+
+	ListExpr* l;
+};
+
+class AlarmStmt : public ExprListStmt {
+public:
+	AlarmStmt(ListExpr* l) : ExprListStmt(STMT_ALARM, l)	{ }
+
+protected:
+	friend class Stmt;
+	AlarmStmt()	{}
+
+	Val* DoExec(val_list* vals, stmt_flow_type& flow) const;
+
+	DECLARE_SERIAL(AlarmStmt);
+};
+
+class PrintStmt : public ExprListStmt {
+public:
+	PrintStmt(ListExpr* l) : ExprListStmt(STMT_PRINT, l)	{ }
+
+protected:
+	friend class Stmt;
+	PrintStmt()	{}
+
+	Val* DoExec(val_list* vals, stmt_flow_type& flow) const;
+
+	DECLARE_SERIAL(PrintStmt);
+};
+
+class ExprStmt : public Stmt {
+public:
+	ExprStmt(Expr* e);
+	virtual ~ExprStmt();
+
+	Val* Exec(Frame* f, stmt_flow_type& flow) const;
+
+	const Expr* StmtExpr() const	{ return e; }
+
+	void Describe(ODesc* d) const;
+
+	TraversalCode Traverse(TraversalCallback* cb) const;
+
+protected:
+	friend class Stmt;
+	ExprStmt()	{ e = 0; }
+	ExprStmt(BroStmtTag t, Expr* e);
+
+	virtual Val* DoExec(Frame* f, Val* v, stmt_flow_type& flow) const;
+
+	Stmt* Simplify();
+	int IsPure() const;
+
+	// Called by Simplify(), after the expression's been simplified.
+	virtual Stmt* DoSimplify();
+
+	DECLARE_SERIAL(ExprStmt);
+
+	Expr* e;
+};
+
+class IfStmt : public ExprStmt {
+public:
+	IfStmt(Expr* test, Stmt* s1, Stmt* s2);
+	~IfStmt();
+
+	const Stmt* TrueBranch() const	{ return s1; }
+	const Stmt* FalseBranch() const	{ return s2; }
+
+	void Describe(ODesc* d) const;
+
+	TraversalCode Traverse(TraversalCallback* cb) const;
+
+protected:
+	friend class Stmt;
+	IfStmt()	{ s1 = s2 = 0; }
+
+	Val* DoExec(Frame* f, Val* v, stmt_flow_type& flow) const;
+	Stmt* DoSimplify();
+	int IsPure() const;
+
+	DECLARE_SERIAL(IfStmt);
+
+	Stmt* s1;
+	Stmt* s2;
+};
+
+class Case : public BroObj {
+public:
+	Case(ListExpr* c, Stmt* arg_s)	{ cases = c; s = arg_s; }
+	~Case();
+
+	const ListExpr* Cases() const	{ return cases; }
+	ListExpr* Cases()		{ return cases; }
+
+	const Stmt* Body() const	{ return s; }
+	Stmt* Body()			{ return s; }
+
+	void Describe(ODesc* d) const;
+
+	bool Serialize(SerialInfo* info) const;
+	static Case* Unserialize(UnserialInfo* info);
+
+	TraversalCode Traverse(TraversalCallback* cb) const;
+
+protected:
+	friend class Stmt;
+	Case()	{ cases = 0; s = 0; }
+
+	DECLARE_SERIAL(Case);
+
+	ListExpr* cases;
+	Stmt* s;
+};
+
+class SwitchStmt : public ExprStmt {
+public:
+	SwitchStmt(Expr* index, case_list* cases);
+	~SwitchStmt();
+
+	const case_list* Cases() const	{ return cases; }
+
+	void Describe(ODesc* d) const;
+
+	TraversalCode Traverse(TraversalCallback* cb) const;
+
+protected:
+	friend class Stmt;
+	SwitchStmt()	{ cases = 0; }
+
+	Val* DoExec(Frame* f, Val* v, stmt_flow_type& flow) const;
+	Stmt* DoSimplify();
+	int IsPure() const;
+
+	DECLARE_SERIAL(SwitchStmt);
+
+	case_list* cases;
+};
+
+class AddStmt : public ExprStmt {
+public:
+	AddStmt(Expr* e);
+
+	int IsPure() const;
+	Val* Exec(Frame* f, stmt_flow_type& flow) const;
+
+	TraversalCode Traverse(TraversalCallback* cb) const;
+
+protected:
+	friend class Stmt;
+	AddStmt()	{}
+
+	DECLARE_SERIAL(AddStmt);
+};
+
+class DelStmt : public ExprStmt {
+public:
+	DelStmt(Expr* e);
+
+	int IsPure() const;
+	Val* Exec(Frame* f, stmt_flow_type& flow) const;
+
+	TraversalCode Traverse(TraversalCallback* cb) const;
+
+protected:
+	friend class Stmt;
+	DelStmt()	{}
+
+	DECLARE_SERIAL(DelStmt);
+};
+
+class EventStmt : public ExprStmt {
+public:
+	EventStmt(EventExpr* e);
+
+	Val* Exec(Frame* f, stmt_flow_type& flow) const;
+
+	TraversalCode Traverse(TraversalCallback* cb) const;
+
+protected:
+	friend class Stmt;
+	EventStmt()	{ event_expr = 0; }
+
+	DECLARE_SERIAL(EventStmt);
+
+	EventExpr* event_expr;
+};
+
+class ForStmt : public ExprStmt {
+public:
+	ForStmt(id_list* loop_vars, Expr* loop_expr);
+	~ForStmt();
+
+	void AddBody(Stmt* arg_body)	{ body = arg_body; }
+
+	const id_list* LoopVar() const	{ return loop_vars; }
+	const Expr* LoopExpr() const	{ return e; }
+	const Stmt* LoopBody() const	{ return body; }
+
+	int IsPure() const;
+
+	void Describe(ODesc* d) const;
+
+	TraversalCode Traverse(TraversalCallback* cb) const;
+
+protected:
+	friend class Stmt;
+	ForStmt()	{ loop_vars = 0; body = 0; }
+
+	Val* DoExec(Frame* f, Val* v, stmt_flow_type& flow) const;
+	Stmt* DoSimplify();
+
+	DECLARE_SERIAL(ForStmt);
+
+	id_list* loop_vars;
+	Stmt* body;
+};
+
+class NextStmt : public Stmt {
+public:
+	NextStmt() : Stmt(STMT_NEXT)	{ }
+
+	Val* Exec(Frame* f, stmt_flow_type& flow) const;
+	int IsPure() const;
+
+	void Describe(ODesc* d) const;
+
+	TraversalCode Traverse(TraversalCallback* cb) const;
+
+protected:
+	DECLARE_SERIAL(NextStmt);
+};
+
+class BreakStmt : public Stmt {
+public:
+	BreakStmt() : Stmt(STMT_BREAK)	{ }
+
+	Val* Exec(Frame* f, stmt_flow_type& flow) const;
+	int IsPure() const;
+
+	void Describe(ODesc* d) const;
+
+	TraversalCode Traverse(TraversalCallback* cb) const;
+
+protected:
+	DECLARE_SERIAL(BreakStmt);
+};
+
+class ReturnStmt : public ExprStmt {
+public:
+	ReturnStmt(Expr* e);
+
+	Val* Exec(Frame* f, stmt_flow_type& flow) const;
+
+	void Describe(ODesc* d) const;
+
+protected:
+	friend class Stmt;
+	ReturnStmt()	{}
+
+	DECLARE_SERIAL(ReturnStmt);
+};
+
+class StmtList : public Stmt {
+public:
+	StmtList();
+	~StmtList();
+
+	Val* Exec(Frame* f, stmt_flow_type& flow) const;
+
+	const stmt_list& Stmts() const	{ return stmts; }
+	stmt_list& Stmts()		{ return stmts; }
+
+	void Describe(ODesc* d) const;
+
+	TraversalCode Traverse(TraversalCallback* cb) const;
+
+protected:
+	Stmt* Simplify();
+	int IsPure() const;
+
+	DECLARE_SERIAL(StmtList);
+
+	stmt_list stmts;
+};
+
+class EventBodyList : public StmtList {
+public:
+	EventBodyList() : StmtList()
+		{ topmost = false; tag = STMT_EVENT_BODY_LIST; }
+
+	Val* Exec(Frame* f, stmt_flow_type& flow) const;
+
+	void Describe(ODesc* d) const;
+
+	// "Topmost" means that this is the main body of a function or event.
+	// void SetTopmost(bool is_topmost)	{ topmost = is_topmost; }
+	// bool IsTopmost()	{ return topmost; }
+
+protected:
+	Stmt* Simplify();
+
+	DECLARE_SERIAL(EventBodyList);
+
+	bool topmost;
+};
+
+class InitStmt : public Stmt {
+public:
+	InitStmt(id_list* arg_inits) : Stmt(STMT_INIT)
+		{
+		inits = arg_inits;
+		if ( arg_inits && arg_inits->length() )
+			SetLocationInfo((*arg_inits)[0]->GetLocationInfo());
+		}
+
+	~InitStmt();
+
+	Val* Exec(Frame* f, stmt_flow_type& flow) const;
+
+	const id_list* Inits() const	{ return inits; }
+
+	void Describe(ODesc* d) const;
+
+	TraversalCode Traverse(TraversalCallback* cb) const;
+
+protected:
+	friend class Stmt;
+	InitStmt()	{ inits = 0; }
+
+	DECLARE_SERIAL(InitStmt);
+
+	id_list* inits;
+};
+
+class NullStmt : public Stmt {
+public:
+	NullStmt() : Stmt(STMT_NULL)	{ }
+
+	Val* Exec(Frame* f, stmt_flow_type& flow) const;
+	int IsPure() const;
+
+	void Describe(ODesc* d) const;
+
+	TraversalCode Traverse(TraversalCallback* cb) const;
+
+protected:
+	DECLARE_SERIAL(NullStmt);
+};
+
+class WhenStmt : public Stmt {
+public:
+	// s2 is null if no timeout block given.
+	WhenStmt(Expr* cond, Stmt* s1, Stmt* s2, Expr* timeout, bool is_return);
+	~WhenStmt();
+
+	Val* Exec(Frame* f, stmt_flow_type& flow) const;
+	int IsPure() const;
+	Stmt* Simplify();
+
+	const Expr* Cond() const	{ return cond; }
+	const Stmt* Body() const	{ return s1; }
+	const Expr* TimeoutExpr() const	{ return timeout; }
+	const Stmt* TimeoutBody() const	{ return s2; }
+
+	void Describe(ODesc* d) const;
+
+	TraversalCode Traverse(TraversalCallback* cb) const;
+
+protected:
+	WhenStmt()	{ cond = 0; s1 = s2 = 0; timeout = 0; is_return = 0; }
+
+	DECLARE_SERIAL(WhenStmt);
+
+	Expr* cond;
+	Stmt* s1;
+	Stmt* s2;
+	Expr* timeout;
+	bool is_return;
+};
+
+extern Stmt* simplify_stmt(Stmt* s);
+extern int same_stmt(const Stmt* s1, const Stmt* s2);
+
+#endif
diff --git a/src/StmtEnums.h b/src/StmtEnums.h
new file mode 100644
index 0000000000..0a7f88e40e
--- /dev/null
+++ b/src/StmtEnums.h
@@ -0,0 +1,33 @@
+// $Id: StmtEnums.h 6219 2008-10-01 05:39:07Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+
+#ifndef stmt_enums_h
+#define stmt_enums_h
+
+// These are in a separate file to break circular dependences 
+typedef enum {
+	STMT_ANY = -1,
+	STMT_ALARM, STMT_PRINT, STMT_EVENT,
+	STMT_EXPR,
+	STMT_IF, STMT_WHEN, STMT_SWITCH,
+	STMT_FOR, STMT_NEXT, STMT_BREAK,
+	STMT_RETURN,
+	STMT_ADD, STMT_DELETE,
+	STMT_LIST, STMT_EVENT_BODY_LIST,
+	STMT_INIT,
+	STMT_NULL
+#define NUM_STMTS (int(STMT_NULL) + 1)
+} BroStmtTag;
+
+typedef enum {
+	FLOW_NEXT,		// continue on to next statement
+	FLOW_LOOP,		// go to top of loop
+	FLOW_BREAK,		// break out of loop
+	FLOW_RETURN		// return from function
+} stmt_flow_type;
+
+extern const char* stmt_name(BroStmtTag t);
+
+#endif
diff --git a/src/TCP.cc b/src/TCP.cc
new file mode 100644
index 0000000000..ec84df9720
--- /dev/null
+++ b/src/TCP.cc
@@ -0,0 +1,2174 @@
+// $Id: TCP.cc 6916 2009-09-24 20:48:36Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+
+#include "Active.h"
+#include "PIA.h"
+#include "File.h"
+#include "TCP.h"
+#include "TCP_Reassembler.h"
+#include "TCP_Rewriter.h"
+#include "OSFinger.h"
+#include "Event.h"
+
+namespace { // local namespace
+	const bool DEBUG_tcp_data_sent = false;
+	const bool DEBUG_tcp_connection_close = false;
+}
+
+// The following are not included in all systems' tcp.h.
+
+#ifndef TH_ECE
+#define TH_ECE  0x40
+#endif
+
+#ifndef TH_CWR
+#define TH_CWR  0x80
+#endif
+
+
+#define TOO_LARGE_SEQ_DELTA 1048576
+
+static const int ORIG = 1;
+static const int RESP = 2;
+
+TCP_Analyzer::TCP_Analyzer(Connection* conn)
+: TransportLayerAnalyzer(AnalyzerTag::TCP, conn)
+	{
+	// Set a timer to eventually time out this connection.
+	ADD_ANALYZER_TIMER(&TCP_Analyzer::ExpireTimer,
+				network_time + tcp_SYN_timeout, 0,
+				TIMER_TCP_EXPIRE);
+
+	deferred_gen_event = close_deferred = 0;
+
+	seen_first_ACK = 0;
+	is_active = 1;
+	finished = 0;
+	reassembling = 0;
+	first_packet_seen = 0;
+	src_pkt_writer = 0;
+
+	orig = new TCP_Endpoint(this, 1);
+	resp = new TCP_Endpoint(this, 0);
+
+	orig->SetPeer(resp);
+	resp->SetPeer(orig);
+
+	if ( dump_selected_source_packets )
+		{
+		if ( source_pkt_dump )
+			src_pkt_writer =
+				new TCP_SourcePacketWriter(this, source_pkt_dump);
+		else if ( transformed_pkt_dump )
+			src_pkt_writer =
+				new TCP_SourcePacketWriter(this, transformed_pkt_dump);
+		}
+	}
+
+TCP_Analyzer::~TCP_Analyzer()
+	{
+	LOOP_OVER_GIVEN_CHILDREN(i, packet_children)
+		delete *i;
+
+	delete orig;
+	delete resp;
+	delete src_pkt_writer;
+	}
+
+void TCP_Analyzer::Init()
+	{
+	Analyzer::Init();
+	LOOP_OVER_GIVEN_CHILDREN(i, packet_children)
+		(*i)->Init();
+
+	// Can't put this in construction because RewritingTrace() is virtual.
+	if ( transformed_pkt_dump && Conn()->RewritingTrace() )
+		SetTraceRewriter(new TCP_Rewriter(this, transformed_pkt_dump,
+						transformed_pkt_dump_MTU,
+						requires_trace_commitment));
+	}
+
+void TCP_Analyzer::Done()
+	{
+	Analyzer::Done();
+
+	if ( connection_pending && is_active && ! BothClosed() )
+		Event(connection_pending);
+
+	LOOP_OVER_GIVEN_CHILDREN(i, packet_children)
+		(*i)->Done();
+
+	orig->Done();
+	resp->Done();
+
+	finished = 1;
+	}
+
+void TCP_Analyzer::EnableReassembly()
+	{
+	SetReassembler(new TCP_Reassembler(this, this,
+					TCP_Reassembler::Forward, true, orig),
+		       new TCP_Reassembler(this, this,
+					TCP_Reassembler::Forward, false, resp));
+
+	reassembling = 1;
+
+	if ( new_connection_contents )
+		Event(new_connection_contents);
+	}
+
+void TCP_Analyzer::SetReassembler(TCP_Reassembler* rorig,
+					TCP_Reassembler* rresp)
+	{
+	orig->AddReassembler(rorig);
+	rorig->SetDstAnalyzer(this);
+	resp->AddReassembler(rresp);
+	rresp->SetDstAnalyzer(this);
+
+	reassembling = 1;
+
+	if ( new_connection_contents )
+		Event(new_connection_contents);
+	}
+
+const struct tcphdr* TCP_Analyzer::ExtractTCP_Header(const u_char*& data, 
+							int& len, int& caplen)
+	{
+	const struct tcphdr* tp = (const struct tcphdr*) data;
+	uint32 tcp_hdr_len = tp->th_off * 4;
+
+	if ( tcp_hdr_len < sizeof(struct tcphdr) )
+		{
+		Weird("bad_TCP_header_len");
+		return 0;
+		}
+
+	if ( tcp_hdr_len > uint32(len) ||
+	     sizeof(struct tcphdr) > uint32(caplen) )
+		{
+		// This can happen even with the above test, due to TCP
+		// options.
+		Weird("truncated_header");
+		return 0;
+		}
+
+	len -= tcp_hdr_len;	// remove TCP header
+	caplen -= tcp_hdr_len;
+	data += tcp_hdr_len;
+
+	return tp;
+	}
+
+bool TCP_Analyzer::ValidateChecksum(const struct tcphdr* tp,
+				TCP_Endpoint* endpoint, int len, int caplen)
+	{
+	if ( ! ignore_checksums && caplen >= len &&
+	     ! endpoint->ValidChecksum(tp, len) )
+		{
+		Weird("bad_TCP_checksum");
+		endpoint->CheckHistory(HIST_CORRUPT_PKT, 'C');
+		return false;
+		}
+	else
+		return true;
+	}
+
+void TCP_Analyzer::CheckFlagCombos(TCP_Flags flags, TCP_Endpoint* endpoint,
+					uint32 base_seq, int len, int dst_port)
+	{
+	bool is_orig = endpoint->IsOrig();
+
+	if ( is_orig && ! (first_packet_seen & ORIG) )
+		is_partial = ! flags.SYN() || flags.ACK();
+
+	if ( ! is_orig && ! (first_packet_seen & RESP) && ! is_partial )
+		is_partial = ! flags.SYN();
+
+	int bits_set = (flags.SYN() ? 1 : 0) + (flags.FIN() ? 1 : 0) +
+			(flags.RST() ? 1 : 0);
+	if ( bits_set > 1 )
+		{
+		if ( flags.FIN() && flags.RST() )
+			endpoint->CheckHistory(HIST_FIN_RST_PKT, 'I');
+		else
+			endpoint->CheckHistory(HIST_MULTI_FLAG_PKT, 'Q');
+		}
+
+	else if ( bits_set == 1 )
+		{
+		if ( flags.SYN() )
+			{
+			char code = flags.ACK() ? 'H' : 'S';
+
+			if ( endpoint->CheckHistory(HIST_SYN_PKT, code) &&
+			     base_seq != endpoint->hist_last_SYN )
+				endpoint->AddHistory(code);
+
+			endpoint->hist_last_SYN = base_seq;
+			}
+
+		if ( flags.FIN() )
+			{
+			// For FIN's, the sequence number comes at the
+			// end of (any data in) the packet, not the
+			// beginning as for SYNs and RSTs.
+			if ( endpoint->CheckHistory(HIST_FIN_PKT, 'F') &&
+			     base_seq + len != endpoint->hist_last_FIN )
+				endpoint->AddHistory('F');
+
+			endpoint->hist_last_FIN = base_seq + len;
+			}
+
+		if ( flags.RST() )
+			{
+			if ( endpoint->CheckHistory(HIST_RST_PKT, 'R') &&
+			     base_seq != endpoint->hist_last_RST )
+				endpoint->AddHistory('R');
+
+			endpoint->hist_last_RST = base_seq;
+			}
+		}
+
+	else
+		{ // bits_set == 0
+		if ( len )
+			endpoint->CheckHistory(HIST_DATA_PKT, 'D');
+
+		else if ( flags.ACK() )
+			endpoint->CheckHistory(HIST_ACK_PKT, 'A');
+		}
+	}
+
+void TCP_Analyzer::UpdateWindow(TCP_Endpoint* endpoint, unsigned int window,
+				uint32 base_seq, uint32 ack_seq,
+				TCP_Flags flags)
+	{
+	// Note, the offered window on an initial SYN is unscaled, even
+	// if the SYN includes scaling, so we need to do the following
+	// test *before* updating the scaling information below.  (Hmmm,
+	// how does this work for windows on SYN/ACKs? ###)
+	int scale = endpoint->window_scale;
+	window = window << scale;
+
+	// Don't analyze window values off of SYNs, they're sometimes
+	// immediately rescinded.
+	if ( ! flags.SYN() )
+		{
+		// ### Decide whether to accept new window based on Active
+		// Mapping policy.
+		if ( int(base_seq - endpoint->window_seq) >= 0 &&
+		     int(ack_seq - endpoint->window_ack_seq) >= 0 )
+			{
+			uint32 new_edge = ack_seq + window;
+			uint32 old_edge = endpoint->window_ack_seq + endpoint->window;
+			int advance = new_edge - old_edge;
+
+			if ( advance < 0 )
+				{
+				// A window recision.  We don't report these
+				// for FINs or RSTs, or if the connection
+				// has already been partially closed, since
+				// such recisions occur frequently in practice,
+				// probably as the receiver loses buffer memory
+				// due to its process going away.
+				//
+				// We also, for window scaling, allow a bit
+				// of slop ###.  This is because sometimes
+				// there will be an apparent recision due
+				// to the granularity of the scaling.
+				if ( ! flags.FIN() && ! flags.RST() &&
+				     endpoint->state != TCP_ENDPOINT_CLOSED &&
+				     endpoint->state != TCP_ENDPOINT_RESET &&
+				     (-advance) >= (1 << scale) )
+					Weird("window_recision");
+				}
+
+			endpoint->window = window;
+			endpoint->window_ack_seq = ack_seq;
+			endpoint->window_seq = base_seq;
+			}
+		}
+	}
+
+void TCP_Analyzer::ProcessSYN(const IP_Hdr* ip, const struct tcphdr* tp,
+				uint32 tcp_hdr_len, int& seq_len,
+				TCP_Endpoint* endpoint, TCP_Endpoint* peer,
+				uint32 base_seq, uint32 ack_seq,
+				const uint32* orig_addr,
+				int is_orig, TCP_Flags flags)
+	{
+	int len = seq_len;
+
+	++seq_len;	// SYN consumes a byte of sequence space
+
+	if ( flags.RST() )
+		Weird("TCP_christmas");
+
+	if ( flags.URG() )
+		Weird("baroque_SYN");
+
+	if ( len > 0 )
+		// T/TCP definitely complicates this.
+		Weird("SYN_with_data");
+
+	RecordVal* SYN_vals = BuildSYNPacketVal(is_orig, ip, tp)->AsRecordVal();
+
+	// ### In the following, we could be fooled by an
+	// inconsistent SYN retransmission.  Where's a normalizer
+	// when you need one?
+
+	// ### We know that field 5 is the window scaling ....
+	int scale = int(SYN_vals->Lookup(5)->CoerceToInt());
+
+	if ( scale < 0 )
+		{ // no window scaling option
+		if ( flags.ACK() )
+			{ // window scaling not negotiated
+			endpoint->window_scale = 0;
+			peer->window_scale = 0;
+			}
+		else
+			// We're not offering window scaling.
+			// Ideally, we'd remember this fact so that
+			// if the SYN/ACK *does* include window
+			// scaling, we know it won't be negotiated.
+			// But it's a pain to track that, and hard
+			// to see how an adversarial responder could
+			// use it to evade.  Also, if we *do* want
+			// to track it, we could do so using
+			// connection_SYN_packet.
+			endpoint->window_scale = 0;
+		}
+	else
+		{
+		endpoint->window_scale = scale;
+		endpoint->window_seq = base_seq;
+		endpoint->window_ack_seq = ack_seq;
+
+		peer->window_seq = ack_seq;
+		peer->window_ack_seq = base_seq;
+		}
+
+	if ( connection_SYN_packet )
+		{
+		val_list* vl = new val_list;
+		vl->append(BuildConnVal());
+		vl->append(SYN_vals);
+		ConnectionEvent(connection_SYN_packet, vl);
+		}
+	else
+		Unref(SYN_vals);
+
+	// Passive fingerprinting.
+	//
+	// is_orig will be removed once we can do SYN-ACK fingerprinting.
+	if ( OS_version_found && is_orig )
+		{
+		Val src_addr_val(orig_addr, TYPE_ADDR);
+		if ( generate_OS_version_event->Size() == 0 ||
+		     generate_OS_version_event->Lookup(&src_addr_val) )
+			{
+			RecordVal* OS_val =
+				BuildOSVal(is_orig, ip, tp, tcp_hdr_len);
+			if ( OS_val )
+				{ // found new OS version
+				val_list* vl = new val_list;
+				vl->append(BuildConnVal());
+				vl->append(new AddrVal(orig_addr));
+				vl->append(OS_val);
+				ConnectionEvent(OS_version_found, vl);
+				}
+			}
+		}
+	}
+
+void TCP_Analyzer::ProcessFIN(double t, TCP_Endpoint* endpoint,
+				int& seq_len, uint32 base_seq)
+	{
+	if ( endpoint->FIN_cnt == 0 )
+		{
+		++seq_len;	// FIN consumes a byte of sequence space
+		++endpoint->FIN_cnt;	// remember that we've seen a FIN
+		}
+
+	else if ( t < endpoint->last_time + tcp_storm_interarrival_thresh &&
+		  ++endpoint->FIN_cnt == tcp_storm_thresh )
+		Weird("FIN_storm");
+
+	// Remember the relative seq in FIN_seq.
+	endpoint->FIN_seq = base_seq - endpoint->StartSeq() + seq_len;
+	}
+
+bool TCP_Analyzer::ProcessRST(double t, TCP_Endpoint* endpoint,
+				const IP_Hdr* ip, uint32 base_seq,
+				int len, int& seq_len)
+	{
+	if ( t < endpoint->last_time + tcp_storm_interarrival_thresh &&
+	     ++endpoint->RST_cnt == tcp_storm_thresh )
+		Weird("RST_storm");
+
+	else if ( endpoint->RST_cnt == 0 )
+		++endpoint->RST_cnt;	// Remember we've seen a RST
+
+#ifdef ACTIVE_MAPPING
+//		if ( peer->state == TCP_ENDPOINT_INACTIVE )
+//		    debug_msg("rst while inactive\n"); // ### Cold-start: what to do?
+//		else
+
+	const NumericData* AM_policy;
+	get_map_result(ip->DstAddr4(), AM_policy);
+
+	if ( base_seq == endpoint->AckSeq() )
+		;	 // everyone should accept a RST in sequence
+
+	else if ( endpoint->window == 0 )
+		; // ### Cold Start: we don't know the window,
+		  // so just go along for now
+
+	else
+		{
+		uint32 right_edge = endpoint->AckSeq() +
+			(endpoint->window << endpoint->window_scale);
+
+		if ( base_seq < right_edge  )
+			{
+			if ( ! AM_policy->accepts_rst_in_window )
+				{
+#if 0
+				debug_msg("Machine does not accept RST merely in window; ignoring. t=%.6f,base=%u, ackseq=%u, window=%hd \n",
+					network_time, base_seq, endpoint->AckSeq(), window);
+#endif
+				return false;
+				}
+			}
+
+		else if ( ! AM_policy->accepts_rst_outside_window )
+			{
+#if 0
+			debug_msg("Machine does not accept RST outside window; ignoring. t=%.6f,base=%u, ackseq=%u, window=%hd \n",
+				network_time, base_seq, endpoint->AckSeq(), window);
+#endif
+			return false;
+			}
+		}
+#endif
+
+	if ( len > 0 )
+		{
+		// This now happens often enough that it's
+		// not in the least interesting.
+		// Weird("RST_with_data");
+
+		// Don't include the data in the computation of
+		// the sequence space for this connection, as
+		// it's not in fact part of the TCP stream.
+		seq_len = 0;
+		}
+
+	PacketWithRST();
+
+	return true;
+	}
+
+int TCP_Analyzer::ProcessFlags(double t,
+				const IP_Hdr* ip, const struct tcphdr* tp,
+				uint32 tcp_hdr_len, int len, int& seq_len,
+				TCP_Endpoint* endpoint, TCP_Endpoint* peer,
+				uint32 base_seq, uint32 ack_seq,
+				const uint32* orig_addr,
+				int is_orig, TCP_Flags flags)
+	{
+	if ( flags.SYN() )
+		ProcessSYN(ip, tp, tcp_hdr_len, seq_len, endpoint, peer,
+				base_seq, ack_seq, orig_addr, is_orig, flags);
+
+	if ( flags.FIN() )
+		ProcessFIN(t, endpoint, seq_len, base_seq);
+
+	if ( flags.RST() &&
+	     ! ProcessRST(t, endpoint, ip, base_seq, len, seq_len) )
+		return 0;
+
+	if ( flags.ACK() )
+		ProcessACK(endpoint, peer, ack_seq, is_orig, flags);
+
+	return 1;
+	}
+
+void TCP_Analyzer::TransitionFromInactive(double t, TCP_Endpoint* endpoint,
+						uint32 base_seq,
+						uint32 last_seq, int SYN)
+	{
+	if ( SYN )
+		{
+		// ## endpoint->AckSeq() = endpoint->start_seq = base_seq;
+		endpoint->InitAckSeq(base_seq);
+		endpoint->InitStartSeq(base_seq);
+		}
+	else
+		{
+		// This is a partial connection - set up the
+		// initial sequence numbers as though we saw
+		// a SYN, to keep the relative byte numbering
+		// consistent.
+		// ## endpoint->AckSeq() = endpoint->start_seq = base_seq - 1;
+		endpoint->InitAckSeq(base_seq - 1);
+		endpoint->InitStartSeq(base_seq - 1);
+		}
+
+	// ## endpoint->last_seq = last_seq;
+	endpoint->InitLastSeq(last_seq);
+	endpoint->start_time = t;
+	}
+
+int TCP_Analyzer::UpdateLastSeq(TCP_Endpoint* endpoint, uint32 last_seq,
+					TCP_Flags flags)
+	{
+	int delta_last = seq_delta(last_seq, endpoint->LastSeq());
+
+	if ( (flags.SYN() || flags.RST()) &&
+	     (delta_last > TOO_LARGE_SEQ_DELTA ||
+	      delta_last < -TOO_LARGE_SEQ_DELTA) )
+		// ### perhaps trust RST seq #'s if initial and not too
+		// outlandish, but not if they're coming after the other
+		// side has sent a FIN - trust the FIN ack instead
+		;
+
+	else if ( flags.FIN() &&
+		  endpoint->LastSeq() == endpoint->StartSeq() + 1 )
+		// Update last_seq based on the FIN even if delta_last < 0.
+		// This is to accommodate > 2 GB connections for which
+		// we've only seen the SYN and the FIN (hence the check
+		// for last_seq == start_seq + 1).
+		endpoint->UpdateLastSeq(last_seq);
+
+	else if ( endpoint->state == TCP_ENDPOINT_RESET )
+		// don't trust any subsequent sequence numbers
+		;
+
+	else if ( delta_last > 0 )
+		// ### check for large jumps here.
+		// ## endpoint->last_seq = last_seq;
+		endpoint->UpdateLastSeq(last_seq);
+
+	else if ( delta_last <= 0 )
+		{ // ### ++retransmit, unless this is a pure ack
+		}
+
+	return delta_last;
+	}
+
+void TCP_Analyzer::ProcessACK(TCP_Endpoint* endpoint, TCP_Endpoint* peer,
+				uint32 ack_seq, int is_orig,
+				TCP_Flags flags)
+	{
+	if ( is_orig && ! seen_first_ACK &&
+	     (endpoint->state == TCP_ENDPOINT_ESTABLISHED ||
+	      endpoint->state == TCP_ENDPOINT_SYN_SENT) )
+		{
+		seen_first_ACK = 1;
+		Event(connection_first_ACK);
+		}
+
+	if ( peer->state == TCP_ENDPOINT_INACTIVE )
+		{
+		if ( ! flags.SYN() && ! flags.FIN() && ! flags.RST() )
+			{
+			if ( endpoint->state == TCP_ENDPOINT_SYN_SENT ||
+			     endpoint->state == TCP_ENDPOINT_SYN_ACK_SENT ||
+			     endpoint->state == TCP_ENDPOINT_ESTABLISHED )
+				{
+				// We've already sent a SYN, but that
+				// hasn't roused the other end, yet we're
+				// ack'ing their data.
+
+				if ( ! Conn()->DidWeird() )
+					Weird("possible_split_routing");
+				}
+			}
+
+		// Start the sequence numbering as if there was an initial
+		// SYN, so the relative numbering of subsequent data packets
+		// stays consistent.
+		// ## peer->start_seq = peer->AckSeq() = peer->last_seq =
+		// ## 	ack_seq - 1;
+		peer->InitStartSeq(ack_seq - 1);
+		peer->InitAckSeq(ack_seq - 1);
+		peer->InitLastSeq(ack_seq - 1);
+		}
+
+	else if ( ! flags.RST() )
+		{ // don't trust ack's in RST packets
+		int delta_ack = seq_delta(ack_seq, peer->AckSeq());
+		if ( ack_seq == 0 && delta_ack > TOO_LARGE_SEQ_DELTA )
+			// More likely that this is a broken ack than a
+			// large connection that happens to land on 0 in the
+			// sequence space.
+			;
+
+		else if ( delta_ack > 0 )
+			peer->UpdateAckSeq(ack_seq);
+		}
+
+	peer->AckReceived(ack_seq - peer->StartSeq());
+	}
+
+void TCP_Analyzer::UpdateInactiveState(double t,
+			TCP_Endpoint* endpoint, TCP_Endpoint* peer,
+			uint32 base_seq, uint32 ack_seq,
+			int len, int is_orig, TCP_Flags flags,
+			int& do_close, int& gen_event)
+	{
+	if ( flags.SYN() )
+		{
+		if ( is_orig )
+			{
+			if ( flags.ACK() )
+				{
+				Weird("connection_originator_SYN_ack");
+				endpoint->SetState(TCP_ENDPOINT_SYN_ACK_SENT);
+				}
+			else
+				endpoint->SetState(TCP_ENDPOINT_SYN_SENT);
+
+			if ( connection_attempt )
+				ADD_ANALYZER_TIMER(&TCP_Analyzer::AttemptTimer,
+					t + tcp_attempt_delay, 1,
+					TIMER_TCP_ATTEMPT);
+			}
+		else
+			{
+			if ( flags.ACK() )
+				{
+				if ( peer->state != TCP_ENDPOINT_INACTIVE &&
+				     peer->state != TCP_ENDPOINT_PARTIAL &&
+				     ! seq_between(ack_seq, peer->StartSeq(), peer->LastSeq()) )
+					Weird("bad_SYN_ack");
+				}
+
+			else if ( peer->state == TCP_ENDPOINT_SYN_ACK_SENT &&
+				  base_seq == endpoint->StartSeq() )
+				{
+				// This is a SYN/SYN-ACK reversal,
+				// per the discussion in IsReuse.
+				// Flip the endpoints and establish
+				// the connection.
+				Conn()->FlipRoles();
+				peer->SetState(TCP_ENDPOINT_ESTABLISHED);
+				}
+
+			else
+				Weird("simultaneous_open");
+
+			if ( peer->state == TCP_ENDPOINT_SYN_SENT )
+				peer->SetState(TCP_ENDPOINT_ESTABLISHED);
+			else if ( peer->state == TCP_ENDPOINT_INACTIVE )
+				{
+				// If we were to ignore SYNs and
+				// only instantiate state on SYN
+				// acks, then we'd do:
+				//    peer->SetState(TCP_ENDPOINT_ESTABLISHED);
+				// here.
+				Weird("unsolicited_SYN_response");
+				}
+
+			endpoint->SetState(TCP_ENDPOINT_ESTABLISHED);
+
+			if ( peer->state != TCP_ENDPOINT_PARTIAL )
+				{
+				Event(connection_established);
+				Conn()->EnableStatusUpdateTimer();
+				}
+			}
+		}
+
+	if ( flags.FIN() )
+		{
+		endpoint->SetState(TCP_ENDPOINT_CLOSED);
+		do_close = gen_event = 1;
+		if ( peer->state != TCP_ENDPOINT_PARTIAL && ! flags.SYN() )
+			Weird("spontaneous_FIN");
+		}
+
+	if ( flags.RST() )
+		{
+		endpoint->SetState(TCP_ENDPOINT_RESET);
+
+		int is_reject = 0;
+
+		if ( is_orig )
+			{
+			// If our peer is established then we saw
+			// a SYN-ack but not SYN - so a reverse
+			// scan, and we should treat this as a
+			// reject.
+			if ( peer->state == TCP_ENDPOINT_ESTABLISHED )
+				is_reject = 1;
+			}
+
+		else if ( peer->state == TCP_ENDPOINT_SYN_SENT ||
+			  peer->state == TCP_ENDPOINT_SYN_ACK_SENT )
+			// We're rejecting an initial SYN.
+			is_reject = 1;
+
+		do_close = 1;
+		gen_event = ! is_reject;
+
+		if ( is_reject )
+			Event(connection_rejected);
+
+		else if ( peer->state == TCP_ENDPOINT_INACTIVE )
+			Weird("spontaneous_RST");
+		}
+
+	if ( endpoint->state == TCP_ENDPOINT_INACTIVE )
+		{ // No control flags to change the state.
+		if ( ! is_orig && len == 0 &&
+		     orig->state == TCP_ENDPOINT_SYN_SENT )
+			// Some eccentric TCP's will ack an initial
+			// SYN prior to sending a SYN reply (hello,
+			// ftp.microsoft.com).  For those, don't
+			// consider the ack as forming a partial
+			// connection.
+			;
+		else
+			{
+			endpoint->SetState(TCP_ENDPOINT_PARTIAL);
+			Conn()->EnableStatusUpdateTimer();
+			
+			if ( peer->state == TCP_ENDPOINT_PARTIAL )
+				// We've seen both sides of a partial
+				// connection, report it.
+				Event(partial_connection);
+			}
+		}
+	}
+
+void TCP_Analyzer::UpdateSYN_SentState(double t,
+			TCP_Endpoint* endpoint, TCP_Endpoint* peer,
+			uint32 base_seq, uint32 last_seq,
+			int len, int is_orig, TCP_Flags flags,
+			int& do_close, int& gen_event)
+	{
+	if ( flags.SYN() )
+		{
+		if ( is_orig )
+			{
+			if ( flags.ACK() && ! flags.FIN() && ! flags.RST() &&
+			     endpoint->state != TCP_ENDPOINT_SYN_ACK_SENT )
+				Weird("repeated_SYN_with_ack");
+			}
+		else
+			{
+			if ( ! flags.ACK() &&
+			     endpoint->state != TCP_ENDPOINT_SYN_SENT )
+				Weird("repeated_SYN_reply_wo_ack");
+			}
+
+		if ( base_seq != endpoint->StartSeq() )
+			{
+			Weird("SYN_seq_jump");
+			// ## endpoint->AckSeq() = endpoint->start_seq = base_seq;
+			// ## endpoint->last_seq = last_seq;
+			endpoint->InitStartSeq(base_seq);
+			endpoint->InitAckSeq(base_seq);
+			endpoint->InitLastSeq(last_seq);
+			}
+		}
+
+	if ( flags.FIN() )
+		{
+		if ( peer->state == TCP_ENDPOINT_INACTIVE ||
+		     peer->state == TCP_ENDPOINT_SYN_SENT )
+			Weird("inappropriate_FIN");
+
+		endpoint->SetState(TCP_ENDPOINT_CLOSED);
+		do_close = gen_event = 1;
+		}
+
+	if ( flags.RST() )
+		{
+		endpoint->SetState(TCP_ENDPOINT_RESET);
+		ConnectionReset();
+		do_close = 1;
+		}
+
+	else if ( len > 0 )
+		Weird("data_before_established");
+	}
+
+void TCP_Analyzer::UpdateEstablishedState(double t,
+			TCP_Endpoint* endpoint, TCP_Endpoint* peer,
+			uint32 base_seq, uint32 last_seq,
+			int is_orig, TCP_Flags flags,
+			int& do_close, int& gen_event)
+	{
+	if ( flags.SYN() )
+		{
+		if ( endpoint->state == TCP_ENDPOINT_PARTIAL &&
+		     peer->state == TCP_ENDPOINT_INACTIVE && ! flags.ACK() )
+			{
+			Weird("SYN_after_partial");
+			endpoint->SetState(TCP_ENDPOINT_SYN_SENT);
+			}
+
+		if ( endpoint->Size() > 0 )
+			Weird("SYN_inside_connection");
+
+		if ( base_seq != endpoint->StartSeq() )
+			Weird("SYN_seq_jump");
+
+		// Make a guess that somehow the connection didn't
+		// get established, and this SYN will be the
+		// one that actually sets it up.
+		// ## endpoint->AckSeq() = endpoint->start_seq = base_seq;
+		// ## endpoint->last_seq = last_seq;
+		endpoint->InitStartSeq(base_seq);
+		endpoint->InitAckSeq(base_seq);
+		endpoint->InitLastSeq(last_seq);
+		}
+
+	if ( flags.FIN() && ! flags.RST() )	// ###
+		{ // should check sequence/ack numbers here ###
+		endpoint->SetState(TCP_ENDPOINT_CLOSED);
+
+		if ( peer->state == TCP_ENDPOINT_RESET &&
+		     peer->prev_state == TCP_ENDPOINT_CLOSED )
+			// The peer sent a FIN followed by a RST.
+			// Turn it back into CLOSED state, because
+			// this was actually normal termination.
+			peer->SetState(TCP_ENDPOINT_CLOSED);
+
+		do_close = gen_event = 1;
+		}
+
+	if ( flags.RST() )
+		{
+		endpoint->SetState(TCP_ENDPOINT_RESET);
+		do_close = 1;
+
+		if ( peer->state != TCP_ENDPOINT_RESET ||
+		     peer->prev_state != TCP_ENDPOINT_ESTABLISHED )
+			ConnectionReset();
+		}
+	}
+
+void TCP_Analyzer::UpdateClosedState(double t, TCP_Endpoint* endpoint,
+				int delta_last, TCP_Flags flags, int& do_close)
+	{
+	if ( flags.SYN() )
+		Weird("SYN_after_close");
+
+	if ( flags.FIN() && delta_last > 0 )
+		// Probably should also complain on FIN recision.
+		// That requires an extra state variable to avoid
+		// generating slews of weird's when a TCP gets
+		// seriously confused (this from experience).
+		Weird("FIN_advanced_last_seq");
+
+	// Previously, our state was CLOSED, since we sent a FIN.
+	// If our peer was also closed, then don't change our state
+	// now on a RST, since this connection has already seen a FIN
+	// exchange.
+	if ( flags.RST() && endpoint->peer->state != TCP_ENDPOINT_CLOSED )
+		{
+		endpoint->SetState(TCP_ENDPOINT_RESET);
+
+		if ( ! endpoint->did_close )
+			// RST after FIN.
+			do_close = 1;
+
+		if ( connection_reset )
+			ADD_ANALYZER_TIMER(&TCP_Analyzer::ResetTimer,
+					t + tcp_reset_delay, 1,
+					TIMER_TCP_RESET);
+		}
+	}
+
+void TCP_Analyzer::UpdateResetState(int len, TCP_Flags flags)
+	{
+	if ( flags.SYN() )
+		Weird("SYN_after_reset");
+	if ( flags.FIN() )
+		Weird("FIN_after_reset");
+
+	if ( len > 0 && ! flags.RST() )
+		Weird("data_after_reset");
+	}
+
+void TCP_Analyzer::UpdateStateMachine(double t,
+			TCP_Endpoint* endpoint, TCP_Endpoint* peer,
+			uint32 base_seq, uint32 ack_seq, uint32 last_seq,
+			int len, int delta_last, int is_orig, TCP_Flags flags,
+			int& do_close, int& gen_event)
+	{
+	do_close = 0;	// whether to report the connection as closed
+	gen_event = 0;	// if so, whether to generate an event
+
+	switch ( endpoint->state ) {
+
+	case TCP_ENDPOINT_INACTIVE:
+		UpdateInactiveState(t, endpoint, peer, base_seq, ack_seq,
+					len, is_orig, flags,
+					do_close, gen_event);
+		break;
+
+	case TCP_ENDPOINT_SYN_SENT:
+	case TCP_ENDPOINT_SYN_ACK_SENT:
+		UpdateSYN_SentState(t, endpoint, peer, base_seq, last_seq,
+					len, is_orig, flags,
+					do_close, gen_event);
+		break;
+
+	case TCP_ENDPOINT_ESTABLISHED:
+	case TCP_ENDPOINT_PARTIAL:
+		UpdateEstablishedState(t, endpoint, peer, base_seq, last_seq,
+					is_orig, flags, do_close, gen_event);
+		break;
+
+	case TCP_ENDPOINT_CLOSED:
+		UpdateClosedState(t, endpoint, delta_last, flags, do_close);
+		break;
+
+	case TCP_ENDPOINT_RESET:
+		UpdateResetState(len, flags);
+		break;
+	}
+	}
+
+void TCP_Analyzer::GeneratePacketEvent(TCP_Endpoint* endpoint,
+					TCP_Endpoint* peer,
+					uint32 base_seq, uint32 ack_seq,
+					const u_char* data, int len, int caplen,
+					int is_orig, TCP_Flags flags)
+	{
+	char tcp_flags[256];
+	int tcp_flag_len = 0;
+
+	if ( flags.SYN() ) tcp_flags[tcp_flag_len++] = 'S';
+	if ( flags.FIN() ) tcp_flags[tcp_flag_len++] = 'F';
+	if ( flags.RST() ) tcp_flags[tcp_flag_len++] = 'R';
+	if ( flags.ACK() ) tcp_flags[tcp_flag_len++] = 'A';
+	if ( flags.PUSH() ) tcp_flags[tcp_flag_len++] = 'P';
+	if ( flags.URG() ) tcp_flags[tcp_flag_len++] = 'U';
+
+	tcp_flags[tcp_flag_len] = '\0';
+
+	val_list* vl = new val_list();
+
+	vl->append(BuildConnVal());
+	vl->append(new Val(is_orig, TYPE_BOOL));
+	vl->append(new StringVal(tcp_flags));
+	vl->append(new Val(base_seq - endpoint->StartSeq(), TYPE_COUNT));
+	vl->append(new Val(flags.ACK() ?
+			ack_seq - peer->StartSeq() : 0, TYPE_COUNT));
+	vl->append(new Val(len, TYPE_COUNT));
+
+	// We need the min() here because Ethernet padding can lead to
+	// caplen > len.
+	vl->append(new StringVal(min(caplen, len), (const char*) data));
+
+	ConnectionEvent(tcp_packet, vl);
+	}
+
+int TCP_Analyzer::DeliverData(double t, const u_char* data, int len, int caplen,
+				const IP_Hdr* ip, const struct tcphdr* tp,
+				TCP_Endpoint* endpoint, uint32 base_seq,
+				int is_orig, TCP_Flags flags)
+	{
+	int data_seq = base_seq - endpoint->StartSeq();
+	if ( flags.SYN() )
+		++data_seq;	// skip over SYN octet
+
+	int need_contents = endpoint->DataSent(t, data_seq,
+					len, caplen, data, ip, tp);
+
+	LOOP_OVER_GIVEN_CHILDREN(i, packet_children)
+		(*i)->NextPacket(len, data, is_orig, data_seq, ip, caplen);
+
+	return need_contents;
+	}
+
+void TCP_Analyzer::CheckRecording(int need_contents, TCP_Flags flags)
+	{
+	bool record_current_content = need_contents || Conn()->RecordContents();
+	bool record_current_packet =
+		Conn()->RecordPackets() ||
+		flags.SYN() || flags.FIN() || flags.RST();
+
+	Conn()->SetRecordCurrentContent(record_current_content);
+	Conn()->SetRecordCurrentPacket(record_current_packet);
+	}
+
+void TCP_Analyzer::CheckPIA_FirstPacket(int is_orig, const IP_Hdr* ip)
+	{
+	if ( is_orig && ! (first_packet_seen & ORIG) )
+		{
+		PIA_TCP* pia = static_cast<PIA_TCP*>(Conn()->GetPrimaryPIA());
+		if ( pia )
+			pia->FirstPacket(is_orig, ip);
+		first_packet_seen |= ORIG;
+		}
+
+	if ( ! is_orig && ! (first_packet_seen & RESP) )
+		{
+		PIA_TCP* pia = static_cast<PIA_TCP*>(Conn()->GetPrimaryPIA());
+		if ( pia )
+			pia->FirstPacket(is_orig, ip);
+		first_packet_seen |= RESP;
+		}
+	}
+
+void TCP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig,
+					int seq, const IP_Hdr* ip, int caplen)
+	{
+	TransportLayerAnalyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
+
+	const struct tcphdr* tp = ExtractTCP_Header(data, len, caplen);
+	if ( ! tp )
+		return;
+
+	// We need the min() here because Ethernet frame padding can lead to
+	// caplen > len.
+	if ( packet_contents )
+		PacketContents(data, min(len, caplen));
+
+	TCP_Endpoint* endpoint = is_orig ? orig : resp;
+	TCP_Endpoint* peer = endpoint->peer;
+
+	if ( ! ValidateChecksum(tp, endpoint, len, caplen) )
+		return;
+
+	TCP_Flags flags(tp);
+
+	uint32 base_seq = ntohl(tp->th_seq);
+	uint32 ack_seq = ntohl(tp->th_ack);
+
+	CheckFlagCombos(flags, endpoint, base_seq, len, ntohs(tp->th_dport));
+
+	UpdateWindow(endpoint, ntohs(tp->th_win), base_seq, ack_seq, flags);
+
+	double t = current_timestamp;
+
+	if ( ! orig->did_close || ! resp->did_close )
+		Conn()->SetLastTime(t);
+
+	const uint32* orig_addr = Conn()->OrigAddr();
+	const uint32* resp_addr = Conn()->RespAddr();
+
+	uint32 tcp_hdr_len = data - (const u_char*) tp;
+
+	int seq_len = len;	// length in terms of sequence space
+
+	if ( ! ProcessFlags(t, ip, tp, tcp_hdr_len, len, seq_len,
+				endpoint, peer, base_seq, ack_seq,
+				orig_addr, is_orig, flags) )
+		return;
+
+	uint32 last_seq = base_seq + seq_len;
+
+	if ( endpoint->state == TCP_ENDPOINT_INACTIVE )
+		TransitionFromInactive(t, endpoint, base_seq, last_seq,
+					flags.SYN());
+
+	int delta_last = UpdateLastSeq(endpoint, last_seq, flags);
+
+	endpoint->last_time = t;
+
+	int do_close;
+	int gen_event;
+	UpdateStateMachine(t, endpoint, peer, base_seq, ack_seq, last_seq,
+				len, delta_last, is_orig, flags,
+				do_close, gen_event);
+
+	if ( tcp_packet )
+		GeneratePacketEvent(endpoint, peer, base_seq, ack_seq,
+					data, len, caplen, is_orig, flags);
+
+	if ( tcp_option && tcp_hdr_len > sizeof(*tp) &&
+	     tcp_hdr_len <= uint32(caplen) )
+		ParseTCPOptions(tp, TCPOptionEvent, this, is_orig, 0);
+
+	if ( TraceRewriter() && current_hdr )
+		{
+		TCP_Rewriter* r = (TCP_Rewriter*) TraceRewriter();
+		r->NextPacket(is_orig, t, current_hdr, current_pkt,
+				current_hdr_size, ip->IP4_Hdr(), tp);
+		}
+
+	if ( src_pkt_writer && current_hdr )
+		src_pkt_writer->NextPacket(current_hdr, current_pkt);
+
+	if ( DEBUG_tcp_data_sent )
+		{
+		DEBUG_MSG("%.6f before DataSent: len=%d caplen=%d skip=%d\n",
+			  network_time, len, caplen, Skipping());
+		}
+
+	int need_contents = 0;
+	if ( len > 0 && (caplen >= len || packet_children.size()) &&
+	     ! flags.RST() && ! Skipping() )
+		need_contents = DeliverData(t, data, len, caplen, ip, tp,
+						endpoint, base_seq,
+						is_orig, flags);
+
+	endpoint->CheckEOF();
+
+	if ( do_close )
+		{
+		// We need to postpone doing this until after we process
+		// DataSent, so we don't generate a connection_finished event
+		// until after data perhaps included with the FIN is processed.
+		ConnectionClosed(endpoint, peer, gen_event);
+		}
+
+	CheckRecording(need_contents, flags);
+
+	if ( ! reassembling )
+		ForwardPacket(len, data, is_orig,
+				base_seq - endpoint->StartSeq(), ip, caplen);
+
+	CheckPIA_FirstPacket(is_orig, ip);
+	}
+
+void TCP_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
+	{
+	Analyzer::DeliverStream(len, data, orig);
+	}
+
+void TCP_Analyzer::Undelivered(int seq, int len, bool is_orig)
+	{
+	Analyzer::Undelivered(seq, len, orig);
+	}
+
+void TCP_Analyzer::FlipRoles()
+	{
+	Analyzer::FlipRoles();
+
+	sessions->tcp_stats.FlipState(orig->state, resp->state);
+	TCP_Endpoint* tmp_ep = resp;
+	resp = orig;
+	orig = tmp_ep;
+	orig->is_orig = !orig->is_orig;
+	resp->is_orig = !resp->is_orig;
+	}
+
+void TCP_Analyzer::UpdateEndpointVal(RecordVal* endp, int is_orig)
+	{
+	TCP_Endpoint* s = is_orig ? orig : resp;
+	endp->Assign(0, new Val(s->Size(), TYPE_COUNT));
+	endp->Assign(1, new Val(int(s->state), TYPE_COUNT));
+	}
+
+Val* TCP_Analyzer::BuildSYNPacketVal(int is_orig, const IP_Hdr* ip,
+					const struct tcphdr* tcp)
+	{
+	int winscale = -1;
+	int MSS = 0;
+	int SACK = 0;
+
+	// Parse TCP options.
+	u_char* options = (u_char*) tcp + sizeof(struct tcphdr);
+	u_char* opt_end = (u_char*) tcp + tcp->th_off * 4;
+
+	while ( options < opt_end )
+		{
+		unsigned int opt = options[0];
+
+		if ( opt == TCPOPT_EOL )
+			// All done - could flag if more junk left over ....
+			break;
+
+		if ( opt == TCPOPT_NOP )
+			{
+			++options;
+			continue;
+			}
+
+		if ( options + 1 >= opt_end )
+			// We've run off the end, no room for the length.
+			break;
+
+		unsigned int opt_len = options[1];
+
+		if ( options + opt_len > opt_end )
+			// No room for rest of option.
+			break;
+
+		if ( opt_len == 0 )
+			// Trashed length field.
+			break;
+
+		switch ( opt ) {
+		case TCPOPT_SACK_PERMITTED:
+			SACK = 1;
+			break;
+
+		case TCPOPT_MAXSEG:
+			if ( opt_len < 4 )
+				break;	// bad length
+
+			MSS = (options[2] << 8) | options[3];
+			break;
+
+		case 3: // TCPOPT_WSCALE
+			if ( opt_len < 3 )
+				break;	// bad length
+
+			winscale = options[2];
+			break;
+
+		default:	// just skip over
+			break;
+		}
+
+		options += opt_len;
+		}
+
+	RecordVal* v = new RecordVal(SYN_packet);
+
+	v->Assign(0, new Val(is_orig, TYPE_BOOL));
+	v->Assign(1, new Val(int(ip->DF()), TYPE_BOOL));
+	v->Assign(2, new Val(int(ip->TTL()), TYPE_INT));
+	v->Assign(3, new Val((ip->TotalLen()), TYPE_INT));
+	v->Assign(4, new Val(ntohs(tcp->th_win), TYPE_INT));
+	v->Assign(5, new Val(winscale, TYPE_INT));
+	v->Assign(6, new Val(MSS, TYPE_INT));
+	v->Assign(7, new Val(SACK, TYPE_BOOL));
+
+	return v;
+	}
+
+RecordVal* TCP_Analyzer::BuildOSVal(int is_orig, const IP_Hdr* ip,
+			const struct tcphdr* tcp, uint32 tcp_hdr_len)
+	{
+	if ( ! is_orig )
+		// Later we might use SYN-ACK fingerprinting here.
+		return 0;
+
+	// Passive OS fingerprinting wants to know a lot about IP and TCP
+	// options: how many options there are, and in which order.
+	int winscale = 0;
+	int MSS = 0;
+	int optcount = 0;
+	uint32 quirks = 0;
+	uint32 tstamp = 0;
+	uint8 op[MAXOPT];
+
+	if ( ip->HdrLen() > 20 )
+		quirks |= QUIRK_IPOPT;
+
+	if ( ip->IP_ID() == 0 )
+		quirks |= QUIRK_ZEROID;
+
+	if ( tcp->th_seq == 0 )
+		quirks |= QUIRK_SEQ0;
+
+	if ( tcp->th_seq == tcp->th_ack )
+		quirks |= QUIRK_SEQEQ;
+
+	if ( tcp->th_flags & ~(TH_SYN|TH_ACK|TH_RST|TH_ECE|TH_CWR) )
+		quirks |= QUIRK_FLAGS;
+
+	if ( ip->TotalLen() - ip->HdrLen() - tcp_hdr_len > 0 )
+		quirks |= QUIRK_DATA;	// SYN with data
+
+	if ( tcp->th_ack )
+		quirks |= QUIRK_ACK;
+	if ( tcp->th_urp )
+		quirks |= QUIRK_URG;
+	if ( tcp->th_x2 )
+		quirks |= QUIRK_X2;
+
+	// Parse TCP options.
+	u_char* options = (u_char*) tcp + sizeof(struct tcphdr);
+	u_char* opt_end = (u_char*) tcp + tcp_hdr_len;
+
+	while ( options < opt_end )
+		{
+		unsigned int opt = options[0];
+
+		if ( opt == TCPOPT_EOL )
+			{
+			op[optcount++] = TCPOPT_EOL;
+			if ( ++options < opt_end )
+				quirks |= QUIRK_PAST;
+
+			// All done - could flag if more junk left over ....
+			break;
+			}
+
+		if ( opt == TCPOPT_NOP )
+			{
+			op[optcount++] = TCPOPT_NOP;
+			++options;
+			continue;
+			}
+
+		if ( options + 1 >= opt_end )
+			{
+			// We've run off the end, no room for the length.
+			quirks |= QUIRK_BROKEN;
+			break;
+			}
+
+		unsigned int opt_len = options[1];
+
+		if ( options + opt_len > opt_end )
+			{
+			// No room for rest of the options.
+			quirks |= QUIRK_BROKEN;
+			break;
+			}
+
+		if ( opt_len == 0 )
+			// Trashed length field.
+			break;
+
+		switch ( opt ) {
+		case TCPOPT_SACK_PERMITTED:
+			// SACKOK LEN
+			op[optcount] = TCPOPT_SACK_PERMITTED;
+			break;
+
+		case TCPOPT_MAXSEG:
+			// MSS LEN D0 D1
+			if ( opt_len < 4 )
+				break;	// bad length
+
+			op[optcount] = TCPOPT_MAXSEG;
+			MSS = (options[2] << 8) | options[3];
+			break;
+
+		case TCPOPT_WINDOW:
+			// WSCALE LEN D0
+			if ( opt_len < 3 )
+				break;	// bad length
+
+			op[optcount] = TCPOPT_WINDOW;
+			winscale = options[2];
+			break;
+
+		case TCPOPT_TIMESTAMP:
+			// TSTAMP LEN T0 T1 T2 T3 A0 A1 A2 A3
+			if ( opt_len < 10 )
+				break;	// bad length
+
+			op[optcount] = TCPOPT_TIMESTAMP;
+
+			tstamp = ntohl(extract_uint32(options + 2));
+
+			if ( extract_uint32(options + 6) )
+				quirks |= QUIRK_T2;
+			break;
+
+		default:	// just skip over
+			op[optcount]=opt;
+			break;
+		}
+
+		if ( optcount < MAXOPT - 1 )
+			++optcount;
+		else
+			quirks |= QUIRK_BROKEN;
+
+		options += opt_len;
+		}
+
+	struct os_type os_from_print;
+	int id = sessions->Get_OS_From_SYN(&os_from_print,
+			uint16(ip->TotalLen()),
+			uint8(ip->DF()), uint8(ip->TTL()),
+			uint16(ntohs(tcp->th_win)),
+			uint8(optcount), op,
+			uint16(MSS), uint8(winscale),
+			tstamp, quirks,
+			uint8(tcp->th_flags & (TH_ECE|TH_CWR)));
+
+	if ( sessions->CompareWithPreviousOSMatch(ip->SrcAddr4(), id) )
+		{
+		RecordVal* os = new RecordVal(OS_version);
+
+		os->Assign(0, new StringVal(os_from_print.os));
+
+		if ( os_from_print.desc )
+			os->Assign(1, new StringVal(os_from_print.desc));
+		else
+			os->Assign(1, new StringVal(""));
+
+		os->Assign(2, new Val(os_from_print.dist, TYPE_COUNT));
+		os->Assign(3, new EnumVal(os_from_print.match, OS_version_inference));
+
+		return os;
+		}
+
+	return 0;
+	}
+
+int TCP_Analyzer::ParseTCPOptions(const struct tcphdr* tcp,
+					proc_tcp_option_t proc,
+					TCP_Analyzer* analyzer,
+					bool is_orig, void* cookie)
+	{
+	// Parse TCP options.
+	const u_char* options = (const u_char*) tcp + sizeof(struct tcphdr);
+	const u_char* opt_end = (const u_char*) tcp + tcp->th_off * 4;
+
+	while ( options < opt_end )
+		{
+		unsigned int opt = options[0];
+
+		unsigned int opt_len;
+
+		if ( opt < 2 )
+			opt_len = 1;
+
+		else if ( options + 1 >= opt_end )
+			// We've run off the end, no room for the length.
+			return -1;
+
+		else
+			opt_len = options[1];
+
+		if ( opt_len == 0 )
+			return -1;	// trashed length field
+
+		if ( options + opt_len > opt_end )
+			// No room for rest of option.
+			return -1;
+
+		if ( (*proc)(opt, opt_len, options, analyzer, is_orig, cookie) == -1 )
+			return -1;
+
+		options += opt_len;
+
+		if ( opt == TCPOPT_EOL )
+			// All done - could flag if more junk left over ....
+			break;
+		}
+
+	return 0;
+	}
+
+int TCP_Analyzer::TCPOptionEvent(unsigned int opt,
+					unsigned int optlen,
+					const u_char* /* option */,
+					TCP_Analyzer* analyzer,
+					bool is_orig, void* cookie)
+	{
+	if ( tcp_option )
+		{
+		val_list* vl = new val_list();
+
+		vl->append(analyzer->BuildConnVal());
+		vl->append(new Val(is_orig, TYPE_BOOL));
+		vl->append(new Val(opt, TYPE_COUNT));
+		vl->append(new Val(optlen, TYPE_COUNT));
+
+		analyzer->ConnectionEvent(tcp_option, vl);
+		}
+
+	return 0;
+	}
+
+void TCP_Analyzer::AttemptTimer(double /* t */)
+	{
+	if ( ! is_active )
+		return;
+
+	if ( (orig->state == TCP_ENDPOINT_SYN_SENT ||
+	      orig->state == TCP_ENDPOINT_SYN_ACK_SENT) &&
+	     resp->state == TCP_ENDPOINT_INACTIVE )
+		{
+		Event(connection_attempt);
+		is_active = 0;
+
+		// All done with this connection.
+		sessions->Remove(Conn());
+		}
+	}
+
+void TCP_Analyzer::PartialCloseTimer(double /* t */)
+	{
+	if ( ! is_active )
+		return;
+
+	if ( orig->state != TCP_ENDPOINT_INACTIVE &&
+	     resp->state != TCP_ENDPOINT_INACTIVE &&
+	     (! orig->did_close || ! resp->did_close) )
+		{
+		if ( orig->state == TCP_ENDPOINT_RESET ||
+		     resp->state == TCP_ENDPOINT_RESET )
+			// Presumably the RST is what caused the partial
+			// close.  Don't report it.
+			return;
+
+		Event(connection_partial_close);
+		sessions->Remove(Conn());
+		}
+	}
+
+void TCP_Analyzer::ExpireTimer(double t)
+	{
+	if ( ! is_active )
+		return;
+
+	if ( Conn()->LastTime() + tcp_connection_linger < t )
+		{
+		if ( orig->did_close || resp->did_close )
+			{
+			// No activity for tcp_connection_linger seconds, and
+			// at least one side has closed.  See whether
+			// connection has likely terminated.
+			if ( (orig->did_close && resp->did_close) ||
+			     (orig->state == TCP_ENDPOINT_RESET ||
+			      resp->state == TCP_ENDPOINT_RESET) ||
+			     (orig->state == TCP_ENDPOINT_INACTIVE ||
+			      resp->state == TCP_ENDPOINT_INACTIVE) )
+				{
+				// Either both closed, or one RST,
+				// or half-closed.
+
+				// The Timer has Ref()'d us and won't Unref()
+				// us until we return, so it's safe to have
+				// the session remove and Unref() us here.
+				Event(connection_timeout);
+				is_active = 0;
+				sessions->Remove(Conn());
+				return;
+				}
+			}
+
+		if ( resp->state == TCP_ENDPOINT_INACTIVE )
+			{
+			if ( (orig->state == TCP_ENDPOINT_SYN_SENT ||
+			      orig->state == TCP_ENDPOINT_SYN_ACK_SENT) )
+				{
+				if ( ! connection_attempt )
+					{
+					// Time out the connection attempt,
+					// since the AttemptTimer isn't going
+					// to do it for us, and we don't want
+					// to clog the data structures with
+					// old, failed attempts.
+					Event(connection_timeout);
+					is_active = 0;
+					sessions->Remove(Conn());
+					return;
+					}
+				}
+
+			else if ( orig->state == TCP_ENDPOINT_INACTIVE )
+				{
+				// Nothing ever happened on this connection.
+				// This can occur when we see a trashed
+				// packet - it's discarded by NextPacket
+				// before setting up an attempt timer,
+				// so we need to clean it up here.
+				Event(connection_timeout);
+				sessions->Remove(Conn());
+				return;
+				}
+			}
+		}
+
+	// Connection still active, so reschedule timer.
+	// ### if PQ_Element's were BroObj's, could just Ref the timer
+	// and adjust its value here, instead of creating a new timer.
+	ADD_ANALYZER_TIMER(&TCP_Analyzer::ExpireTimer, t + tcp_session_timer,
+			0, TIMER_TCP_EXPIRE);
+	}
+
+void TCP_Analyzer::ResetTimer(double /* t */)
+	{
+	if ( ! is_active )
+		return;
+
+	if ( ! BothClosed() )
+		ConnectionReset();
+
+	sessions->Remove(Conn());
+	}
+
+void TCP_Analyzer::DeleteTimer(double /* t */)
+	{
+	sessions->Remove(Conn());
+	}
+
+
+// The following need to be consistent with bro.init.
+#define CONTENTS_NONE 0
+#define CONTENTS_ORIG 1
+#define CONTENTS_RESP 2
+#define CONTENTS_BOTH 3
+
+void TCP_Analyzer::SetContentsFile(unsigned int direction, BroFile* f)
+	{
+	if ( direction == CONTENTS_NONE )
+		{
+		orig->SetContentsFile(0);
+		resp->SetContentsFile(0);
+		}
+
+	else
+		{
+		if ( direction == CONTENTS_ORIG || direction == CONTENTS_BOTH )
+			orig->SetContentsFile(f);
+		if ( direction == CONTENTS_RESP || direction == CONTENTS_BOTH )
+			resp->SetContentsFile(f);
+		}
+	}
+
+BroFile* TCP_Analyzer::GetContentsFile(unsigned int direction) const
+	{
+	switch ( direction ) {
+	case CONTENTS_NONE:
+		return 0;
+
+	case CONTENTS_ORIG:
+		return orig->GetContentsFile();
+
+	case CONTENTS_RESP:
+		return resp->GetContentsFile();
+
+	case CONTENTS_BOTH:
+		if ( orig->GetContentsFile() != resp->GetContentsFile())
+			// This is an "error".
+			return 0;
+		else
+			return orig->GetContentsFile();
+
+	default:
+		break;
+	}
+	internal_error("inconsistency in TCP_Analyzer::GetContentsFile");
+	return 0;
+	}
+
+void TCP_Analyzer::ConnectionClosed(TCP_Endpoint* endpoint, TCP_Endpoint* peer,
+					int gen_event)
+	{
+	const analyzer_list& children(GetChildren());
+	LOOP_OVER_CONST_CHILDREN(i)
+		// Using this type of cast here is nasty (will crash if
+		// we inadvertantly have a child analyzer that's not a
+		// TCP_ApplicationAnalyzer), but we have to ...
+		static_cast<TCP_ApplicationAnalyzer*>
+			(*i)->ConnectionClosed(endpoint, peer, gen_event);
+
+	if ( DataPending(endpoint) )
+		{
+		// Don't close out the connection yet, there's still data to
+		// deliver.
+		close_deferred = 1;
+		if ( ! deferred_gen_event )
+			deferred_gen_event = gen_event;
+		return;
+		}
+
+	close_deferred = 0;
+
+	if ( endpoint->did_close )
+		return;	// nothing new to report
+
+	endpoint->did_close = 1;
+
+	int close_complete =
+		endpoint->state == TCP_ENDPOINT_RESET ||
+					peer->did_close ||
+					peer->state == TCP_ENDPOINT_INACTIVE;
+
+	if ( DEBUG_tcp_connection_close )
+		{
+		DEBUG_MSG("%.6f close_complete=%d tcp_close_delay=%f\n",
+				network_time, close_complete, tcp_close_delay);
+		}
+
+	if ( close_complete )
+		{
+		if ( endpoint->prev_state != TCP_ENDPOINT_INACTIVE ||
+		     peer->state != TCP_ENDPOINT_INACTIVE )
+			{
+			if ( deferred_gen_event )
+				{
+				gen_event = 1;
+				deferred_gen_event = 0;	// clear flag
+				}
+
+			// We have something interesting to report.
+			if ( gen_event )
+				{
+				if ( peer->state == TCP_ENDPOINT_INACTIVE )
+					ConnectionFinished(1);
+				else
+					ConnectionFinished(0);
+				}
+			}
+
+		CancelTimers();
+
+		// Note, even if tcp_close_delay is zero, we can't
+		// simply do:
+		//
+		//	sessions->Remove(this);
+		//
+		// here, because that would cause the object to be
+		// deleted out from under us.
+		if ( tcp_close_delay != 0.0 )
+			ADD_ANALYZER_TIMER(&TCP_Analyzer::ConnDeleteTimer,
+				Conn()->LastTime() + tcp_close_delay, 0,
+				TIMER_CONN_DELETE);
+		else
+			ADD_ANALYZER_TIMER(&TCP_Analyzer::DeleteTimer, Conn()->LastTime(), 0,
+					TIMER_TCP_DELETE);
+		}
+
+	else
+		{ // We haven't yet seen a full close.
+		if ( endpoint->prev_state == TCP_ENDPOINT_INACTIVE )
+			{ // First time we've seen anything from this side.
+			if ( connection_partial_close )
+				ADD_ANALYZER_TIMER(&TCP_Analyzer::PartialCloseTimer,
+					Conn()->LastTime() + tcp_partial_close_delay, 0,
+					TIMER_TCP_PARTIAL_CLOSE );
+			}
+
+		else
+			{
+			// Create a timer to look for the other side closing,
+			// too.
+			ADD_ANALYZER_TIMER(&TCP_Analyzer::ExpireTimer,
+					Conn()->LastTime() + tcp_session_timer, 0,
+					TIMER_TCP_EXPIRE);
+			}
+		}
+	}
+
+void TCP_Analyzer::ConnectionFinished(int half_finished)
+	{
+	const analyzer_list& children(GetChildren());
+	LOOP_OVER_CONST_CHILDREN(i)
+		// Again, nasty - see TCP_Analyzer::ConnectionClosed.
+		static_cast<TCP_ApplicationAnalyzer*>
+			(*i)->ConnectionFinished(half_finished);
+
+	if ( half_finished )
+		Event(connection_half_finished);
+	else
+		Event(connection_finished);
+
+	is_active = 0;
+	}
+
+void TCP_Analyzer::ConnectionReset()
+	{
+	Event(connection_reset);
+
+	const analyzer_list& children(GetChildren());
+	LOOP_OVER_CONST_CHILDREN(i)
+		static_cast<TCP_ApplicationAnalyzer*>(*i)->ConnectionReset();
+
+	is_active = 0;
+	}
+
+bool TCP_Analyzer::HadGap(bool is_orig) const
+	{
+	TCP_Endpoint* endp = is_orig ? orig : resp;
+	return endp && endp->HadGap();
+	}
+
+int TCP_Analyzer::DataPending(TCP_Endpoint* closing_endp)
+	{
+	if ( Skipping() )
+		return 0;
+
+	return closing_endp->DataPending();
+	}
+
+void TCP_Analyzer::EndpointEOF(TCP_Reassembler* endp)
+	{
+	if ( connection_EOF )
+		{
+		val_list* vl = new val_list();
+		vl->append(BuildConnVal());
+		vl->append(new Val(endp->IsOrig(), TYPE_BOOL));
+		ConnectionEvent(connection_EOF, vl);
+		}
+
+	const analyzer_list& children(GetChildren());
+	LOOP_OVER_CONST_CHILDREN(i)
+		static_cast<TCP_ApplicationAnalyzer*>(*i)->EndpointEOF(endp->IsOrig());
+
+	TraceRewriterEOF(endp);
+
+	if ( close_deferred )
+		{
+		if ( DataPending(endp->Endpoint()) )
+			{
+			if ( BothClosed() )
+				Weird("pending_data_when_closed");
+
+			// Defer further, until the other endpoint
+			// EOF's, too.
+			}
+
+		ConnectionClosed(endp->Endpoint(), endp->Endpoint()->peer,
+					deferred_gen_event);
+		close_deferred = 0;
+		}
+	}
+
+void TCP_Analyzer::TraceRewriterEOF(TCP_Reassembler* endp)
+	{
+	const analyzer_list& children(GetChildren());
+	LOOP_OVER_CONST_CHILDREN(i)
+		static_cast<TCP_ApplicationAnalyzer*>(*i)->TraceRewriterEOF(endp->IsOrig());
+
+	TCP_Rewriter* r = (TCP_Rewriter*) TraceRewriter();
+	if ( r )
+		{
+		// Add a FIN packet if there is one in the original trace.
+		int FIN_cnt = endp->IsOrig() ?
+				endp->GetTCPAnalyzer()->Orig()->FIN_cnt :
+				endp->GetTCPAnalyzer()->Resp()->FIN_cnt;
+
+		if ( FIN_cnt > 0 )
+			r->ScheduleFIN(endp->IsOrig());
+		}
+	}
+
+void TCP_Analyzer::PacketWithRST()
+	{
+	const analyzer_list& children(GetChildren());
+	LOOP_OVER_CONST_CHILDREN(i)
+		static_cast<TCP_ApplicationAnalyzer *>(*i)->PacketWithRST();
+	}
+
+bool TCP_Analyzer::IsReuse(double t, const u_char* pkt)
+	{
+	const struct tcphdr* tp = (const struct tcphdr*) pkt;
+
+	if ( unsigned(tp->th_off) < sizeof(struct tcphdr) / 4 )
+		// Bogus header, don't interpret further.
+		return false;
+
+	TCP_Endpoint* conn_orig = orig;
+
+	// Reuse only occurs on initial SYN's, except for half connections
+	// it can occur on SYN-acks.
+	if ( ! (tp->th_flags & TH_SYN) )
+		return false;
+
+	if ( (tp->th_flags & TH_ACK) )
+		{
+		if ( orig->state != TCP_ENDPOINT_INACTIVE )
+			// Not a half connection.
+			return false;
+
+		conn_orig = resp;
+		}
+
+	if ( ! IsClosed() )
+		{
+		uint32 base_seq = ntohl(tp->th_seq);
+		if ( base_seq == conn_orig->StartSeq() )
+			return false;
+
+		if ( (tp->th_flags & TH_ACK) == 0 &&
+		     conn_orig->state == TCP_ENDPOINT_SYN_ACK_SENT &&
+		     resp->state == TCP_ENDPOINT_INACTIVE &&
+		     base_seq == resp->StartSeq() )
+			{
+			// This is an initial SYN with the right sequence
+			// number, and the state is consistent with the
+			// SYN & the SYN-ACK being flipped (e.g., due to
+			// reading from two interfaces w/ interrupt
+			// coalescence).  Don't treat this as a reuse.
+			// NextPacket() will flip set the connection
+			// state correctly
+			return false;
+			}
+
+		if ( conn_orig->state == TCP_ENDPOINT_SYN_SENT )
+			Weird("SYN_seq_jump");
+		else
+			Weird("active_connection_reuse");
+		}
+
+	else if ( (orig->IsActive() || resp->IsActive()) &&
+		  orig->state != TCP_ENDPOINT_RESET &&
+		  resp->state != TCP_ENDPOINT_RESET )
+		Weird("active_connection_reuse");
+
+	else if ( t - Conn()->LastTime() < tcp_connection_linger &&
+		  orig->state != TCP_ENDPOINT_RESET &&
+		  resp->state != TCP_ENDPOINT_RESET )
+		Weird("premature_connection_reuse");
+
+	return true;
+	}
+
+void TCP_ApplicationAnalyzer::Init()
+	{
+	Analyzer::Init();
+
+	if ( Parent()->GetTag() == AnalyzerTag::TCP )
+		SetTCP(static_cast<TCP_Analyzer*>(Parent()));
+	}
+
+void TCP_ApplicationAnalyzer::ProtocolViolation(const char* reason,
+						const char* data, int len)
+	{
+	TCP_Analyzer* tcp = TCP();
+
+	if ( tcp &&
+	     (tcp->IsPartial() || tcp->HadGap(false) || tcp->HadGap(true)) )
+		// Filter out incomplete connections.  Parsing them is
+		// too unreliable.
+		return;
+
+	Analyzer::ProtocolViolation(reason, data, len);
+	}
+
+void TCP_ApplicationAnalyzer::DeliverPacket(int len, const u_char* data,
+						bool is_orig, int seq,
+						const IP_Hdr* ip, int caplen)
+	{
+	Analyzer::DeliverPacket(len, data, is_orig, seq, ip, caplen);
+	DBG_LOG(DBG_DPD, "TCP_ApplicationAnalyzer ignoring DeliverPacket(%d, %s, %d, %p, %d) [%s%s]",
+			len, is_orig ? "T" : "F", seq, ip, caplen,
+			fmt_bytes((const char*) data, min(40, len)), len > 40 ? "..." : "");
+	}
+
+void TCP_ApplicationAnalyzer::SetEnv(bool /* is_orig */, char* name, char* val)
+	{
+	delete [] name;
+	delete [] val;
+	}
+
+void TCP_ApplicationAnalyzer::EndpointEOF(bool is_orig)
+	{
+	SupportAnalyzer* sa = is_orig ? orig_supporters : resp_supporters;
+	for ( ; sa; sa = sa->Sibling() )
+		static_cast<TCP_SupportAnalyzer*>(sa)->EndpointEOF(is_orig);
+	}
+
+void TCP_ApplicationAnalyzer::TraceRewriterEOF(bool is_orig)
+	{
+	SupportAnalyzer* sa = is_orig ? orig_supporters : resp_supporters;
+	for ( ; sa; sa = sa->Sibling() )
+		static_cast<TCP_SupportAnalyzer*>(sa)->TraceRewriterEOF(is_orig);
+	}
+
+void TCP_ApplicationAnalyzer::ConnectionClosed(TCP_Endpoint* endpoint,
+					TCP_Endpoint* peer, int gen_event)
+	{
+	SupportAnalyzer* sa =
+		endpoint->IsOrig() ? orig_supporters : resp_supporters;
+
+	for ( ; sa; sa = sa->Sibling() )
+		static_cast<TCP_SupportAnalyzer*>(sa)
+			->ConnectionClosed(endpoint, peer, gen_event);
+	}
+
+void TCP_ApplicationAnalyzer::ConnectionFinished(int half_finished)
+	{
+	for ( SupportAnalyzer* sa = orig_supporters; sa; sa = sa->Sibling() )
+		static_cast<TCP_SupportAnalyzer*>(sa)
+			->ConnectionFinished(half_finished);
+
+	for ( SupportAnalyzer* sa = resp_supporters; sa; sa = sa->Sibling() )
+		static_cast<TCP_SupportAnalyzer*>(sa)
+			->ConnectionFinished(half_finished);
+	}
+
+void TCP_ApplicationAnalyzer::ConnectionReset()
+	{
+	for ( SupportAnalyzer* sa = orig_supporters; sa; sa = sa->Sibling() )
+		static_cast<TCP_SupportAnalyzer*>(sa)->ConnectionReset();
+
+	for ( SupportAnalyzer* sa = resp_supporters; sa; sa = sa->Sibling() )
+		static_cast<TCP_SupportAnalyzer*>(sa)->ConnectionReset();
+	}
+
+void TCP_ApplicationAnalyzer::PacketWithRST()
+	{
+	for ( SupportAnalyzer* sa = orig_supporters; sa; sa = sa->Sibling() )
+		static_cast<TCP_SupportAnalyzer*>(sa)->PacketWithRST();
+
+	for ( SupportAnalyzer* sa = resp_supporters; sa; sa = sa->Sibling() )
+		static_cast<TCP_SupportAnalyzer*>(sa)->PacketWithRST();
+	}
+
+TCPStats_Endpoint::TCPStats_Endpoint(TCP_Endpoint* e)
+	{
+	endp = e;
+	num_pkts = 0;
+	num_rxmit = 0;
+	num_rxmit_bytes = 0;
+	num_in_order = 0;
+	num_OO = 0;
+	num_repl = 0;
+	max_top_seq = 0;
+	last_id = 0;
+	endian_type = ENDIAN_UNKNOWN;
+	}
+
+int endian_flip(int n)
+	{
+	return ((n & 0xff) << 8) | ((n & 0xff00) >> 8);
+	}
+
+int TCPStats_Endpoint::DataSent(double /* t */, int seq, int len, int caplen,
+			const u_char* /* data */,
+			const IP_Hdr* ip, const struct tcphdr* /* tp */)
+	{
+	if ( ++num_pkts == 1 )
+		{ // First packet.
+		last_id = ntohs(ip->ID4());
+		return 0;
+		}
+
+	int id = ntohs(ip->ID4());
+
+	if ( id == last_id )
+		{
+		++num_repl;
+		return 0;
+		}
+
+	short id_delta = id - last_id;
+	short id_endian_delta = endian_flip(id) - endian_flip(last_id);
+
+	int abs_id_delta = id_delta > 0 ? id_delta : -id_delta;
+	int abs_id_endian_delta =
+		id_endian_delta > 0 ? id_endian_delta : -id_endian_delta;
+
+	int final_id_delta;
+
+	if ( abs_id_delta < abs_id_endian_delta )
+		{ // Consistent with big-endian.
+		if ( endian_type == ENDIAN_UNKNOWN )
+			endian_type = ENDIAN_BIG;
+		else if ( endian_type == ENDIAN_BIG )
+			;
+		else
+			endian_type = ENDIAN_CONFUSED;
+
+		final_id_delta = id_delta;
+		}
+	else
+		{ // Consistent with little-endian.
+		if ( endian_type == ENDIAN_UNKNOWN )
+			endian_type = ENDIAN_LITTLE;
+		else if ( endian_type == ENDIAN_LITTLE )
+			;
+		else
+			endian_type = ENDIAN_CONFUSED;
+
+		final_id_delta = id_endian_delta;
+		}
+
+	if ( final_id_delta < 0 && final_id_delta > -256 )
+		{
+		++num_OO;
+		return 0;
+		}
+
+	last_id = id;
+
+	++num_in_order;
+
+	int top_seq = seq + len;
+
+	int data_in_flight = endp->LastSeq() - endp->AckSeq();
+	if ( data_in_flight < 0 )
+		data_in_flight = 0;
+
+	int seq_delta = top_seq - max_top_seq;
+	if ( seq_delta <= 0 )
+		{
+		if ( ! ignore_keep_alive_rexmit || len > 1 || data_in_flight > 0 )
+			{
+			++num_rxmit;
+			num_rxmit_bytes += len;
+			}
+
+		DEBUG_MSG("%.6f rexmit %d + %d <= %d data_in_flight = %d\n",
+		 	network_time, seq, len, max_top_seq, data_in_flight);
+
+		if ( tcp_rexmit )
+			{
+			val_list* vl = new val_list();
+			vl->append(endp->TCP()->BuildConnVal());
+			vl->append(new Val(endp->IsOrig(), TYPE_BOOL));
+			vl->append(new Val(seq, TYPE_COUNT));
+			vl->append(new Val(len, TYPE_COUNT));
+			vl->append(new Val(data_in_flight, TYPE_COUNT));
+			vl->append(new Val(endp->peer->window, TYPE_COUNT));
+
+			endp->TCP()->ConnectionEvent(tcp_rexmit, vl);
+			}
+		}
+	else
+		max_top_seq = top_seq;
+
+	return 0;
+	}
+
+RecordVal* TCPStats_Endpoint::BuildStats()
+	{
+	RecordVal* stats = new RecordVal(endpoint_stats);
+
+	stats->Assign(0, new Val(num_pkts,TYPE_COUNT));
+	stats->Assign(1, new Val(num_rxmit,TYPE_COUNT));
+	stats->Assign(2, new Val(num_rxmit_bytes,TYPE_COUNT));
+	stats->Assign(3, new Val(num_in_order,TYPE_COUNT));
+	stats->Assign(4, new Val(num_OO,TYPE_COUNT));
+	stats->Assign(5, new Val(num_repl,TYPE_COUNT));
+	stats->Assign(6, new Val(endian_type,TYPE_COUNT));
+
+	return stats;
+	}
+
+TCPStats_Analyzer::TCPStats_Analyzer(Connection* c)
+: TCP_ApplicationAnalyzer(AnalyzerTag::TCPStats, c)
+	{
+	}
+
+TCPStats_Analyzer::~TCPStats_Analyzer()
+	{
+	delete orig_stats;
+	delete resp_stats;
+	}
+
+void TCPStats_Analyzer::Init()
+	{
+	TCP_ApplicationAnalyzer::Init();
+
+	orig_stats = new TCPStats_Endpoint(TCP()->Orig());
+	resp_stats = new TCPStats_Endpoint(TCP()->Resp());
+	}
+
+void TCPStats_Analyzer::Done()
+	{
+	TCP_ApplicationAnalyzer::Done();
+
+	val_list* vl = new val_list;
+	vl->append(BuildConnVal());
+	vl->append(orig_stats->BuildStats());
+	vl->append(resp_stats->BuildStats());
+	ConnectionEvent(conn_stats, vl);
+	}
+
+void TCPStats_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig, int seq, const IP_Hdr* ip, int caplen)
+	{
+	TCP_ApplicationAnalyzer::DeliverPacket(len, data, is_orig, seq, ip, caplen);
+
+	if ( is_orig )
+		orig_stats->DataSent(network_time, seq, len, caplen, data, ip, 0);
+	else
+		resp_stats->DataSent(network_time, seq, len, caplen, data, ip, 0);
+	}
diff --git a/src/TCP.h b/src/TCP.h
new file mode 100644
index 0000000000..d7faae6a3d
--- /dev/null
+++ b/src/TCP.h
@@ -0,0 +1,387 @@
+// $Id: TCP.h 6782 2009-06-28 02:19:03Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#ifndef TCP_H
+#define TCP_H
+
+#include "Analyzer.h"
+#include "TCP.h"
+#include "Rewriter.h"
+#include "PacketDumper.h"
+
+// We define two classes here:
+// - TCP_Analyzer is the analyzer for the TCP protocol itself.
+// - TCP_ApplicationAnalyzer is an abstract base class for analyzers for a
+//   protocol running on top of TCP.
+
+class PIA_TCP;
+class TCP_ApplicationAnalyzer;
+class TCP_Reassembler;
+class TCP_Rewriter;
+class TCP_SourcePacketWriter;
+
+class TCP_Flags {
+public:
+	TCP_Flags(const struct tcphdr* tp)	{ flags = tp->th_flags; }
+
+	bool SYN()	{ return flags & TH_SYN; }
+	bool FIN()	{ return flags & TH_FIN; }
+	bool RST()	{ return flags & TH_RST; }
+	bool ACK()	{ return flags & TH_ACK; }
+	bool URG()	{ return flags & TH_URG; }
+	bool PUSH()	{ return flags & TH_PUSH; }
+
+protected:
+	u_char flags;
+};
+
+class TCP_Analyzer : public TransportLayerAnalyzer {
+public:
+	TCP_Analyzer(Connection* conn);
+	virtual ~TCP_Analyzer();
+
+	void EnableReassembly();
+
+	// Add a child analyzer that will always get the packets,
+	// independently of whether we do any reassembly.
+	void AddChildPacketAnalyzer(Analyzer* a)
+		{ packet_children.push_back(a); a->SetParent(this); }
+
+	// True if the connection has closed in some sense, false otherwise.
+	int IsClosed() const	{ return orig->did_close || resp->did_close; }
+	int BothClosed() const	{ return orig->did_close && resp->did_close; }
+
+	int IsPartial() const	{ return is_partial; }
+
+	bool HadGap(bool orig) const;
+
+	TCP_Endpoint* Orig() const	{ return orig; }
+	TCP_Endpoint* Resp() const	{ return resp; }
+	int OrigState() const	{ return orig->state; }
+	int RespState() const	{ return resp->state; }
+	int OrigPrevState() const	{ return orig->prev_state; }
+	int RespPrevState() const	{ return resp->prev_state; }
+	uint32 OrigSeq() const	{ return orig->LastSeq(); }
+	uint32 RespSeq() const	{ return resp->LastSeq(); }
+
+	// True if either endpoint still has pending data.  closing_endp
+	// is an endpoint that has indicated it is closing (i.e., for
+	// which we have seen a FIN) - for it, data is pending unless
+	// everything's been delivered up to the FIN.  For its peer,
+	// the test is whether it has any outstanding, un-acked data.
+	int DataPending(TCP_Endpoint* closing_endp);
+
+	virtual void SetContentsFile(unsigned int direction, BroFile* f);
+	virtual BroFile* GetContentsFile(unsigned int direction) const;
+
+	TCP_SourcePacketWriter* SourcePacketWriter() const
+		{ return src_pkt_writer; }
+
+	// Callback to process a TCP option.
+	typedef int (*proc_tcp_option_t)(unsigned int opt, unsigned int optlen,
+			const u_char* option, TCP_Analyzer* analyzer,
+			bool is_orig, void* cookie);
+
+	// Needs to be static because it's passed as a pointer-to-function
+	// rather than pointer-to-member-function.
+	static int ParseTCPOptions(const struct tcphdr* tcp,
+			proc_tcp_option_t proc, TCP_Analyzer* analyzer,
+			bool is_orig, void* cookie);
+
+	static Analyzer* InstantiateAnalyzer(Connection* conn)
+		{ return new TCP_Analyzer(conn); }
+
+	static bool Available()	{ return true; }
+
+protected:
+	friend class TCP_ApplicationAnalyzer;
+	friend class TCP_Reassembler;
+	friend class PIA_TCP;
+
+	// Analyzer interface.
+	virtual void Init();
+	virtual void Done();
+	virtual void DeliverPacket(int len, const u_char* data, bool orig, int seq, const IP_Hdr* ip, int caplen);
+	virtual void DeliverStream(int len, const u_char* data, bool orig);
+	virtual void Undelivered(int seq, int len, bool orig);
+	virtual void FlipRoles();
+	virtual void UpdateEndpointVal(RecordVal* endp, int is_orig);
+	virtual bool IsReuse(double t, const u_char* pkt);
+
+	// Returns the TCP header pointed to by data (which we assume is
+	// aligned), updating data, len & caplen.  Returns nil if the header
+	// isn't fully present.
+	const struct tcphdr* ExtractTCP_Header(const u_char*& data, int& len,
+						int& caplen);
+
+	// Returns true if the checksum is valid, false if not (and in which
+	// case also updates the status history of the endpoint).
+	bool ValidateChecksum(const struct tcphdr* tp, TCP_Endpoint* endpoint,
+				int len, int caplen);
+
+	// Update analysis based on flag combinations.  The endpoint, base_seq
+	// and len are needed for tracking various history information.
+	// dst_port is needed for trimming of FIN packets.
+	void CheckFlagCombos(TCP_Flags flags, TCP_Endpoint* endpoint,
+				uint32 base_seq, int len, int dst_port);
+
+	void UpdateWindow(TCP_Endpoint* endpoint, unsigned int window,
+					uint32 base_seq, uint32 ack_seq,
+					TCP_Flags flags);
+
+	void ProcessSYN(const IP_Hdr* ip, const struct tcphdr* tp,
+			uint32 tcp_hdr_len, int& seq_len,
+			TCP_Endpoint* endpoint, TCP_Endpoint* peer,
+			uint32 base_seq, uint32 ack_seq,
+			const uint32* orig_addr,
+			int is_orig, TCP_Flags flags);
+
+	void ProcessFIN(double t, TCP_Endpoint* endpoint, int& seq_len,
+			uint32 base_seq);
+
+	bool ProcessRST(double t, TCP_Endpoint* endpoint, const IP_Hdr* ip,
+			uint32 base_seq, int len, int& seq_len);
+
+	void ProcessACK(TCP_Endpoint* endpoint, TCP_Endpoint* peer,
+			uint32 ack_seq, int is_orig, TCP_Flags flags);
+
+	int ProcessFlags(double t, const IP_Hdr* ip, const struct tcphdr* tp,
+			uint32 tcp_hdr_len, int len, int& seq_len,
+			TCP_Endpoint* endpoint, TCP_Endpoint* peer,
+			uint32 base_seq, uint32 ack_seq,
+			const uint32* orig_addr,
+			int is_orig, TCP_Flags flags);
+
+	void TransitionFromInactive(double t, TCP_Endpoint* endpoint,
+					uint32 base_seq, uint32 last_seq,
+					int SYN);
+
+	// Update the state machine of the TCPs based on the activity.  This
+	// includes our pseudo-states such as TCP_ENDPOINT_PARTIAL.
+	//
+	// On return, do_close is true if we should consider the connection
+	// as closed, and gen_event if we shouuld generate an event about
+	// this fact.
+	void UpdateStateMachine(double t,
+			TCP_Endpoint* endpoint, TCP_Endpoint* peer,
+			uint32 base_seq, uint32 ack_seq, uint32 last_seq,
+			int len, int delta_last, int is_orig, TCP_Flags flags,
+			int& do_close, int& gen_event);
+
+	void UpdateInactiveState(double t,
+				TCP_Endpoint* endpoint, TCP_Endpoint* peer,
+				uint32 base_seq, uint32 ack_seq,
+				int len, int is_orig, TCP_Flags flags,
+				int& do_close, int& gen_event);
+
+	void UpdateSYN_SentState(double t,
+				TCP_Endpoint* endpoint, TCP_Endpoint* peer,
+				uint32 base_seq, uint32 last_seq,
+				int len, int is_orig, TCP_Flags flags,
+				int& do_close, int& gen_event);
+
+	void UpdateEstablishedState(double t,
+				TCP_Endpoint* endpoint, TCP_Endpoint* peer,
+				uint32 base_seq, uint32 last_seq,
+				int is_orig, TCP_Flags flags,
+				int& do_close, int& gen_event);
+
+	void UpdateClosedState(double t, TCP_Endpoint* endpoint,
+				int delta_last, TCP_Flags flags,
+				int& do_close);
+
+	void UpdateResetState(int len, TCP_Flags flags);
+
+	void GeneratePacketEvent(TCP_Endpoint* endpoint, TCP_Endpoint* peer,
+					uint32 base_seq, uint32 ack_seq,
+					const u_char* data, int len, int caplen,
+					int is_orig, TCP_Flags flags);
+
+	int DeliverData(double t, const u_char* data, int len, int caplen,
+			const IP_Hdr* ip, const struct tcphdr* tp,
+			TCP_Endpoint* endpoint, uint32 base_seq,
+			int is_orig, TCP_Flags flags);
+
+	void CheckRecording(int need_contents, TCP_Flags flags);
+	void CheckPIA_FirstPacket(int is_orig, const IP_Hdr* ip);
+
+	// Returns the difference between last_seq and the last sequence
+	// seen by the endpoint (may be negative).
+	int UpdateLastSeq(TCP_Endpoint* endpoint, uint32 last_seq,
+				TCP_Flags flags);
+
+	friend class ConnectionTimer;
+	void AttemptTimer(double t);
+	void PartialCloseTimer(double t);
+	void ExpireTimer(double t);
+	void ResetTimer(double t);
+	void DeleteTimer(double t);
+	void ConnDeleteTimer(double t)	{ Conn()->DeleteTimer(t); }
+
+	void EndpointEOF(TCP_Reassembler* endp);
+	void TraceRewriterEOF(TCP_Reassembler* endp);
+	void ConnectionClosed(TCP_Endpoint* endpoint,
+					TCP_Endpoint* peer, int gen_event);
+	void ConnectionFinished(int half_finished);
+	void ConnectionReset();
+	void PacketWithRST();
+
+	void SetReassembler(TCP_Reassembler* rorig, TCP_Reassembler* rresp);
+
+	Val* BuildSYNPacketVal(int is_orig,
+				const IP_Hdr* ip, const struct tcphdr* tcp);
+
+	RecordVal* BuildOSVal(int is_orig, const IP_Hdr* ip,
+				const struct tcphdr* tcp, uint32 tcp_hdr_len);
+
+	// Needs to be static because it's passed as a pointer-to-function
+	// rather than pointer-to-member-function.
+	static int TCPOptionEvent(unsigned int opt, unsigned int optlen,
+				const u_char* option, TCP_Analyzer* analyzer,
+				  bool is_orig, void* cookie);
+
+private:
+	TCP_Endpoint* orig;
+	TCP_Endpoint* resp;
+
+	analyzer_list packet_children;
+
+	TCP_SourcePacketWriter* src_pkt_writer;
+
+	unsigned int first_packet_seen: 2;
+	unsigned int reassembling: 1;
+	unsigned int is_partial: 1;
+	unsigned int is_active: 1;
+	unsigned int finished: 1;
+
+	// Whether we're waiting on final data delivery before closing
+	// this connection.
+	unsigned int close_deferred: 1;
+
+	// Whether to generate an event when we finally do close it.
+	unsigned int deferred_gen_event: 1;
+
+	// Whether we have seen the first ACK from the originator.
+	unsigned int seen_first_ACK: 1;
+};
+
+class TCP_ApplicationAnalyzer : public Analyzer {
+public:
+	TCP_ApplicationAnalyzer(AnalyzerTag::Tag tag, Connection* conn)
+	: Analyzer(tag, conn)
+		{ tcp = 0; }
+
+	virtual ~TCP_ApplicationAnalyzer()	{ }
+
+	// This may be nil if we are not directly associated with a TCP
+	// analyzer (e.g., we're part of a tunnel decapsulation pipeline).
+	TCP_Analyzer* TCP()
+		{
+		return tcp ?
+			tcp :
+			static_cast<TCP_Analyzer*>(
+				Conn()->FindAnalyzer(AnalyzerTag::TCP));
+		}
+
+	void SetTCP(TCP_Analyzer* arg_tcp)	{ tcp = arg_tcp; }
+
+	// The given endpoint's data delivery is complete.
+	virtual void EndpointEOF(bool is_orig);
+	virtual void TraceRewriterEOF(bool is_orig);
+
+	// Called whenever an end enters TCP_ENDPOINT_CLOSED or
+	// TCP_ENDPOINT_RESET.  If gen_event is true and the connection
+	// is now fully closed, a connection_finished event will be
+	// generated; otherwise not.
+	virtual void ConnectionClosed(TCP_Endpoint* endpoint,
+					TCP_Endpoint* peer, int gen_event);
+	virtual void ConnectionFinished(int half_finished);
+	virtual void ConnectionReset();
+
+	// Called whenever a RST packet is seen - sometimes the invocation
+	// of ConnectionReset is delayed.
+	virtual void PacketWithRST();
+
+	virtual void DeliverPacket(int len, const u_char* data, bool orig,
+					int seq, const IP_Hdr* ip, int caplen);
+	virtual void Init();
+
+	// This suppresses violations if the TCP connection wasn't
+	// fully established.
+	virtual void ProtocolViolation(const char* reason,
+					const char* data = 0, int len = 0);
+
+	// "name" and "val" both now belong to this object, which needs to
+	//  delete them when done with them.
+	virtual void SetEnv(bool orig, char* name, char* val);
+
+protected:
+   	TCP_ApplicationAnalyzer() 	{ };
+
+private:
+	TCP_Analyzer* tcp;
+};
+
+class TCP_SupportAnalyzer : public SupportAnalyzer {
+public:
+	TCP_SupportAnalyzer(AnalyzerTag::Tag tag, Connection* conn, bool arg_orig)
+		: SupportAnalyzer(tag, conn, arg_orig)	{ }
+
+	virtual ~TCP_SupportAnalyzer() {}
+
+	// These are passed on from TCP_Analyzer.
+	virtual void EndpointEOF(bool is_orig)	{ }
+	virtual void TraceRewriterEOF(bool is_orig)	{ }
+	virtual void ConnectionClosed(TCP_Endpoint* endpoint,
+					TCP_Endpoint* peer, int gen_event) 	{ }
+	virtual void ConnectionFinished(int half_finished)	{ }
+	virtual void ConnectionReset()	{ }
+	virtual void PacketWithRST()	{ }
+};
+
+
+class TCPStats_Endpoint {
+public:
+	TCPStats_Endpoint(TCP_Endpoint* endp);
+
+	int DataSent(double t, int seq, int len, int caplen, const u_char* data,
+			const IP_Hdr* ip, const struct tcphdr* tp);
+
+	RecordVal* BuildStats();
+
+protected:
+	TCP_Endpoint* endp;
+	int num_pkts;
+	int num_rxmit;
+	int num_rxmit_bytes;
+	int num_in_order;
+	int num_OO;
+	int num_repl;
+	int max_top_seq;
+	int last_id;
+	int endian_type;
+};
+
+class TCPStats_Analyzer : public TCP_ApplicationAnalyzer {
+public:
+	TCPStats_Analyzer(Connection* c);
+	~TCPStats_Analyzer();
+
+	virtual void Init();
+	virtual void Done();
+
+	static Analyzer* InstantiateAnalyzer(Connection* conn)
+		{ return new TCPStats_Analyzer(conn); }
+
+	static bool Available()	{ return conn_stats || tcp_rexmit; }
+
+protected:
+	virtual void DeliverPacket(int len, const u_char* data, bool is_orig,
+					int seq, const IP_Hdr* ip, int caplen);
+
+	TCPStats_Endpoint* orig_stats;
+	TCPStats_Endpoint* resp_stats;
+};
+
+#endif
diff --git a/src/TCP_Endpoint.cc b/src/TCP_Endpoint.cc
new file mode 100644
index 0000000000..826c7f5636
--- /dev/null
+++ b/src/TCP_Endpoint.cc
@@ -0,0 +1,277 @@
+// $Id: TCP_Endpoint.cc 6219 2008-10-01 05:39:07Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "Net.h"
+#include "NetVar.h"
+#include "TCP.h"
+#include "TCP_Rewriter.h"
+#include "TCP_Reassembler.h"
+#include "Sessions.h"
+#include "Event.h"
+#include "File.h"
+#include "Val.h"
+
+TCP_Endpoint::TCP_Endpoint(TCP_Analyzer* arg_analyzer, int arg_is_orig)
+	{
+	contents_processor = 0;
+	prev_state = state = TCP_ENDPOINT_INACTIVE;
+	peer = 0;
+	start_time = last_time = 0.0;
+	start_seq = last_seq = ack_seq = 0;
+	last_seq_high = ack_seq_high = 0;
+	window = 0;
+	window_scale = 0;
+	window_seq = window_ack_seq = 0;
+	contents_start_seq = 0;
+	SYN_cnt = FIN_cnt = RST_cnt = 0;
+	did_close = 0;
+	contents_file = 0;
+	tcp_analyzer = arg_analyzer;
+	is_orig = arg_is_orig;
+
+	src_addr = is_orig ? tcp_analyzer->Conn()->RespAddr() :
+				tcp_analyzer->Conn()->OrigAddr();
+	dst_addr = is_orig ? tcp_analyzer->Conn()->OrigAddr() :
+				tcp_analyzer->Conn()->RespAddr();
+
+#ifdef BROv6
+	checksum_base = ones_complement_checksum((void*) src_addr, 16, 0);
+	checksum_base = ones_complement_checksum((void*) dst_addr, 16, checksum_base);
+#else
+	checksum_base = ones_complement_checksum((void*) src_addr, 4, 0);
+	checksum_base = ones_complement_checksum((void*) dst_addr, 4, checksum_base);
+#endif
+	// Note, for IPv6, strictly speaking this field is 32 bits
+	// rather than 16 bits.  But because the upper bits are all zero,
+	// we get the same checksum either way.  The same applies to
+	// later when we add in the data length in ValidChecksum().
+	checksum_base += htons(IPPROTO_TCP);
+	}
+
+TCP_Endpoint::~TCP_Endpoint()
+	{
+	delete contents_processor;
+	Unref(contents_file);
+	}
+
+void TCP_Endpoint::Done()
+	{
+	if ( contents_processor )
+		contents_processor->Done();
+	}
+
+void TCP_Endpoint::SetPeer(TCP_Endpoint* p)
+	{
+	peer = p;
+	if ( IsOrig() )
+		// Only one Endpoint adds the initial state to the counter.
+		sessions->tcp_stats.StateEntered(state, peer->state);
+	}
+
+int TCP_Endpoint::HadGap() const
+	{
+	return contents_processor && contents_processor->HadGap();
+	}
+
+void TCP_Endpoint::AddReassembler(TCP_Reassembler* arg_contents_processor)
+	{
+	if ( contents_processor != arg_contents_processor )
+		delete contents_processor;
+	contents_processor = arg_contents_processor;
+
+	if ( contents_file )
+		contents_processor->SetContentsFile(contents_file);
+	}
+
+int TCP_Endpoint::DataPending() const
+	{
+	if ( contents_processor )
+		return contents_processor->DataPending();
+	else
+		return 0;
+	}
+
+int TCP_Endpoint::HasUndeliveredData() const
+	{
+	if ( contents_processor )
+		return contents_processor->HasUndeliveredData();
+	else
+		return 0;
+	}
+
+void TCP_Endpoint::CheckEOF()
+	{
+	if ( contents_processor )
+		contents_processor->CheckEOF();
+	}
+
+void TCP_Endpoint::SizeBufferedData(int& waiting_on_hole, int& waiting_on_ack)
+	{
+	if ( contents_processor )
+		contents_processor->SizeBufferedData(waiting_on_hole, waiting_on_ack);
+	else
+		waiting_on_hole = waiting_on_ack = 0;
+	}
+
+int TCP_Endpoint::ValidChecksum(const struct tcphdr* tp, int len) const
+	{
+	uint32 sum = checksum_base;
+	int tcp_len = tp->th_off * 4 + len;
+
+	if ( len % 2 == 1 )
+		// Add in pad byte.
+		sum += htons(((const u_char*) tp)[tcp_len - 1] << 8);
+
+	sum += htons((unsigned short) tcp_len);	// fill out pseudo header
+	sum = ones_complement_checksum((void*) tp, tcp_len, sum);
+
+	return sum == 0xffff;
+	}
+
+static inline bool is_handshake(EndpointState state)
+	{
+	return state == TCP_ENDPOINT_INACTIVE ||
+		state == TCP_ENDPOINT_SYN_SENT ||
+		state == TCP_ENDPOINT_SYN_ACK_SENT;
+	}
+
+void TCP_Endpoint::SetState(EndpointState new_state)
+	{
+	if ( new_state != state )
+		{
+		// Activate inactivity timer if this transition finishes the
+		// handshake.
+		if ( ! is_handshake(new_state) )
+			if ( is_handshake(state) && is_handshake(peer->state) )
+				tcp_analyzer->Conn()->SetInactivityTimeout(tcp_inactivity_timeout);
+
+		prev_state = state;
+		state = new_state;
+		if ( IsOrig() )
+			sessions->tcp_stats.ChangeState(prev_state, state,
+						peer->state, peer->state);
+		else
+			sessions->tcp_stats.ChangeState(peer->state, peer->state,
+						prev_state, state);
+		}
+	}
+
+bro_int_t TCP_Endpoint::Size() const
+	{
+	bro_int_t size;
+
+#ifdef USE_INT64
+
+	uint64 last_seq_64 = (uint64(last_seq_high) << 32) | last_seq;
+	uint64 ack_seq_64 = (uint64(ack_seq_high) << 32) | ack_seq;
+	if ( last_seq_64 > ack_seq_64 )
+		size = last_seq_64 - start_seq;
+	else
+		size = ack_seq_64 - start_seq;
+
+#else
+
+	if ( seq_delta(last_seq, ack_seq) > 0 || ack_seq == start_seq + 1 )
+		// Either last_seq corresponds to more data sent than we've
+		// seen ack'd, or we haven't seen any data ack'd (in which
+		// case we should trust last_seq anyway).  This last test
+		// matters for the case in which the connection has
+		// transferred > 2 GB of data, in which case we will find
+		// seq_delta(last_seq, ack_seq) < 0 even if ack_seq
+		// corresponds to no data transferred.
+		size = last_seq - start_seq;
+
+	else
+		// It could be that ack_seq > last_seq, if we've seen an
+		// ack for the connection (say in a FIN) without seeing
+		// the corresponding data.
+		size = ack_seq - start_seq;
+
+#endif
+
+	// Don't include SYN octet in sequence space.  For partial connections
+	// (no SYN seen), we're still careful to adjust start_seq as though
+	// there was an initial SYN octet, because if we don't then the
+	// packet reassembly code gets confused.
+	if ( size != 0 )
+		--size;
+
+	if ( FIN_cnt > 0 && size != 0 )
+		--size;	// don't include FIN octet.
+
+	return size;
+	}
+
+int TCP_Endpoint::DataSent(double t, int seq, int len, int caplen,
+				const u_char* data,
+				const IP_Hdr* ip, const struct tcphdr* tp)
+	{
+	int status = 0;
+
+	if ( contents_processor && caplen >= len )
+		status = contents_processor->DataSent(t, seq, len, data);
+
+	if ( caplen <= 0 )
+		return status;
+
+	if ( contents_file && ! contents_processor && 
+	     seq + len > contents_start_seq )
+		{
+		int under_seq = contents_start_seq - seq;
+		if ( under_seq > 0 )
+			{
+			seq += under_seq;
+			data += under_seq;
+			len -= under_seq;
+			}
+
+		// DEBUG_MSG("%d: seek %d, data=%02x len=%d\n", IsOrig(), seq - contents_start_seq, *data, len);
+		FILE* f = contents_file->Seek(seq - contents_start_seq);
+
+		if ( fwrite(data, 1, len, f) < unsigned(len) )
+			// ### this should really generate an event
+			internal_error("contents write failed");
+		}
+
+	return status;
+	}
+
+void TCP_Endpoint::AckReceived(int seq)
+	{
+	if ( contents_processor )
+		contents_processor->AckReceived(seq);
+	}
+
+void TCP_Endpoint::SetContentsFile(BroFile* f)
+	{
+	Ref(f);
+	contents_file = f;
+	contents_start_seq = last_seq - start_seq;
+
+	if ( contents_start_seq == 0 )
+		contents_start_seq = 1;	// skip SYN
+
+	if ( contents_processor )
+		contents_processor->SetContentsFile(contents_file);
+	}
+
+int TCP_Endpoint::CheckHistory(uint32 mask, char code)
+	{
+	if ( ! IsOrig() )
+		{
+		mask <<= 16;
+		code = tolower(code);
+		}
+
+	return tcp_analyzer->Conn()->CheckHistory(mask, code);
+	}
+
+void TCP_Endpoint::AddHistory(char code)
+	{
+	if ( ! IsOrig() )
+		code = tolower(code);
+
+	tcp_analyzer->Conn()->AddHistory(code);
+	}
+
diff --git a/src/TCP_Endpoint.h b/src/TCP_Endpoint.h
new file mode 100644
index 0000000000..baae2037c4
--- /dev/null
+++ b/src/TCP_Endpoint.h
@@ -0,0 +1,160 @@
+// $Id: TCP_Endpoint.h 6219 2008-10-01 05:39:07Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#ifndef tcpendpoint_h
+#define tcpendpoint_h
+
+typedef enum {
+	TCP_ENDPOINT_INACTIVE,	// no SYN (or other packets) seen for this side
+	TCP_ENDPOINT_SYN_SENT,	// SYN seen, but no ack
+	TCP_ENDPOINT_SYN_ACK_SENT,	// SYN ack seen, no initial SYN
+	TCP_ENDPOINT_PARTIAL,	// data seen, but no SYN
+	TCP_ENDPOINT_ESTABLISHED,	// SYN ack seen (implicit for SYN
+					// sent by responder)
+	TCP_ENDPOINT_CLOSED,	// FIN seen
+	TCP_ENDPOINT_RESET	// RST seen
+} EndpointState;
+
+class Connection;
+class TCP_Reassembler;
+class IP_Hdr;
+class TCP_Analyzer;
+
+// One endpoint of a TCP connection.
+class TCP_Endpoint {
+public:
+	TCP_Endpoint(TCP_Analyzer* analyzer, int is_orig);
+	~TCP_Endpoint();
+
+	void Done();
+
+	TCP_Analyzer* TCP()	{ return tcp_analyzer; }
+
+	void SetPeer(TCP_Endpoint* p);
+
+	EndpointState State() const 	{ return state; }
+	void SetState(EndpointState new_state);
+	bro_int_t Size() const;
+	int IsActive() const
+		{ return state != TCP_ENDPOINT_INACTIVE && ! did_close; }
+
+	double StartTime() const	{ return start_time; }
+	double LastTime() const		{ return last_time; }
+
+	uint32 StartSeq() const		{ return start_seq; }
+	uint32 LastSeq() const		{ return last_seq; }
+	uint32 AckSeq() const		{ return ack_seq; }
+
+	void InitStartSeq(uint32 seq) 	{ start_seq = seq; }
+	void InitLastSeq(uint32 seq) 	{ last_seq = seq; }
+	void InitAckSeq(uint32 seq) 	{ ack_seq = seq; }
+
+	void UpdateLastSeq(uint32 seq)
+		{
+		if ( seq < last_seq )
+			++last_seq_high;
+		last_seq = seq;
+		}
+
+	void UpdateAckSeq(uint32 seq)
+		{
+		if ( seq < ack_seq )
+			++ack_seq_high;
+		ack_seq = seq;
+		}
+
+	// True if none of this endpoint's data has been acknowledged.
+	// We allow for possibly one octet being ack'd in the case of
+	// an initial SYN exchange.
+	int NoDataAcked() const
+		{ return ack_seq == start_seq || ack_seq == start_seq + 1; }
+
+	Connection* Conn() const;
+
+	int HasContents() const		{ return contents_processor != 0; }
+	int HadGap() const;
+
+	inline int IsOrig() const		{ return is_orig; }
+
+	int HasDoneSomething() const	{ return last_time != 0.0; }
+
+	void AddReassembler(TCP_Reassembler* contents_processor);
+
+	int DataPending() const;
+	int HasUndeliveredData() const;
+	void CheckEOF();
+
+	// Returns the volume of data buffered in the reassembler.
+	// First parameter returns data that is above a hole, and thus is
+	// waiting on the hole being filled.  Second parameter returns
+	// data that has been processed but is awaiting an ACK to free
+	// it up.
+	//
+	// If we're not processing contents, then naturally each of
+	// these is empty.
+	void SizeBufferedData(int& waiting_on_hole, int& waiting_on_ack);
+
+	int ValidChecksum(const struct tcphdr* tp, int len) const;
+
+	// Returns true if the data was used (and hence should be recorded
+	// in the save file), false otherwise.
+	int DataSent(double t, int seq, int len, int caplen, const u_char* data,
+			const IP_Hdr* ip, const struct tcphdr* tp);
+
+	void AckReceived(int seq);
+
+	void SetContentsFile(BroFile* f);
+	BroFile* GetContentsFile() const	{ return contents_file; }
+
+	// Codes used for tracking history.  For responders, we shift these
+	// over by 16 bits in order to fit both originator and responder
+	// into a Connection's hist_seen field.
+#define HIST_SYN_PKT 0x1
+#define HIST_FIN_PKT 0x2
+#define HIST_RST_PKT 0x4
+#define HIST_FIN_RST_PKT 0x8
+#define HIST_DATA_PKT 0x10
+#define HIST_ACK_PKT 0x20
+#define HIST_MULTI_FLAG_PKT 0x40
+#define HIST_CORRUPT_PKT 0x80
+	int CheckHistory(uint32 mask, char code);
+	void AddHistory(char code);
+
+	//### combine into a set of flags:
+	EndpointState state, prev_state;
+	TCP_Endpoint* peer;
+	TCP_Reassembler* contents_processor;
+	TCP_Analyzer* tcp_analyzer;
+	BroFile* contents_file;
+	uint32 checksum_base;
+
+	double start_time, last_time;
+	const uint32* src_addr; // the other endpoint
+	const uint32* dst_addr; // this endpoint
+	uint32 window; // current congestion window (*scaled*, not pre-scaling)
+	int window_scale;  // from the TCP option
+	uint32 window_ack_seq; // at which ack_seq number did we record 'window'
+	uint32 window_seq; // at which sending sequence number did we record 'window'
+	int contents_start_seq;	// relative seq # where contents file starts
+	int FIN_seq;		// relative seq # to start_seq
+	int SYN_cnt, FIN_cnt, RST_cnt;
+	int did_close;		// whether we've reported it closing
+	int is_orig;
+
+	// Sequence numbers associated with last control packets.
+	// Used to determine whether ones seen again are interesting,
+	// for tracking history.
+	uint32 hist_last_SYN, hist_last_FIN, hist_last_RST;
+
+protected:
+	uint32 start_seq, last_seq, ack_seq;	// in host order
+	uint32 last_seq_high, ack_seq_high;
+};
+
+#define ENDIAN_UNKNOWN 0
+#define ENDIAN_LITTLE 1
+#define ENDIAN_BIG 2
+#define ENDIAN_CONFUSED 3
+
+#endif
diff --git a/src/TCP_Reassembler.cc b/src/TCP_Reassembler.cc
new file mode 100644
index 0000000000..c6adec2294
--- /dev/null
+++ b/src/TCP_Reassembler.cc
@@ -0,0 +1,650 @@
+// $Id: TCP_Reassembler.cc,v 1.1.2.8 2006/05/31 01:52:02 sommer Exp $
+
+#include "Analyzer.h"
+#include "TCP_Reassembler.h"
+#include "TCP.h"
+#include "TCP_Endpoint.h"
+#include "TCP_Rewriter.h"
+
+// Only needed for gap_report events.
+#include "Event.h"
+
+const bool DEBUG_tcp_contents = false;
+const bool DEBUG_tcp_connection_close = false;
+const bool DEBUG_tcp_match_undelivered = false;
+
+static double last_gap_report = 0.0;
+static uint32 last_ack_events = 0;
+static uint32 last_ack_bytes = 0;
+static uint32 last_gap_events = 0;
+static uint32 last_gap_bytes = 0;
+
+TCP_Reassembler::TCP_Reassembler(Analyzer* arg_dst_analyzer,
+				TCP_Analyzer* arg_tcp_analyzer,
+				TCP_Reassembler::Type arg_type,
+				bool arg_is_orig, TCP_Endpoint* arg_endp)
+: Reassembler(1, arg_endp->dst_addr, REASSEM_TCP)
+	{
+	dst_analyzer = arg_dst_analyzer;
+	tcp_analyzer = arg_tcp_analyzer;
+	type = arg_type;
+	is_orig = arg_is_orig;
+	endp = arg_endp;
+	had_gap = false;
+	record_contents_file = 0;
+	deliver_tcp_contents = 0;
+	skip_deliveries = 0;
+	did_EOF = 0;
+	seq_to_skip = 0;
+	in_delivery = false;
+
+	if ( tcp_contents )
+		{
+		// Val dst_port_val(ntohs(Conn()->RespPort()), TYPE_PORT);
+		PortVal dst_port_val(ntohs(tcp_analyzer->Conn()->RespPort()),
+					TRANSPORT_TCP);
+		TableVal* ports = IsOrig() ?
+			tcp_content_delivery_ports_orig :
+			tcp_content_delivery_ports_resp;
+		Val* result = ports->Lookup(&dst_port_val);
+
+		if ( (IsOrig() && tcp_content_deliver_all_orig) ||
+		     (! IsOrig() && tcp_content_deliver_all_resp) ||
+		     (result && result->AsBool()) )
+			deliver_tcp_contents = 1;
+		}
+	}
+
+TCP_Reassembler::~TCP_Reassembler()
+	{
+	Unref(record_contents_file);
+	}
+
+void TCP_Reassembler::Done()
+	{
+	MatchUndelivered(-1);
+
+	if ( record_contents_file )
+		{ // Record any undelivered data.
+		if ( blocks &&
+		     seq_delta(last_reassem_seq, last_block->upper) < 0 )
+			RecordToSeq(last_reassem_seq, last_block->upper,
+					record_contents_file);
+
+		record_contents_file->Close();
+		}
+	}
+
+void TCP_Reassembler::SizeBufferedData(int& waiting_on_hole,
+					int& waiting_on_ack) const
+	{
+	waiting_on_hole = waiting_on_ack = 0;
+	for ( DataBlock* b = blocks; b; b = b->next )
+		{
+		if ( seq_delta(b->seq, last_reassem_seq) <= 0 )
+			// We must have delivered this block, but
+			// haven't yet trimmed it.
+			waiting_on_ack += b->Size();
+		else
+			waiting_on_hole += b->Size();
+		}
+	}
+
+void TCP_Reassembler::SetContentsFile(BroFile* f)
+	{
+	if ( ! f->IsOpen() )
+		{
+		run_time("no such file \"%s\"", f->Name());
+		return;
+		}
+
+	if ( record_contents_file )
+		// We were already recording, no need to catch up.
+		Unref(record_contents_file);
+	else
+		{
+		if ( blocks )
+			RecordToSeq(blocks->seq, last_reassem_seq, f);
+		}
+
+	// Don't want rotation on these files.
+	f->SetRotateInterval(0);
+
+	Ref(f);
+	record_contents_file = f;
+	}
+
+
+void TCP_Reassembler::Undelivered(int up_to_seq)
+	{
+	TCP_Endpoint* endpoint = endp;
+	TCP_Endpoint* peer = endpoint->peer;
+
+	if ( up_to_seq <= 2 && tcp_analyzer->IsPartial() )
+		// Since it was a partial connection, we faked up its
+		// initial sequence numbers as though we'd seen a SYN.
+		// We've now received the first ack and are getting a
+		// complaint that either that data is missing (if
+		// up_to_seq is 1), or one octet beyond it is missing
+		// (if up_to_seq is 2).  The latter can occur when the
+		// first packet we saw instantiating the partial connection
+		// was a keep-alive.  So, in either case, just ignore it.
+		return;
+
+#if 0
+	if ( endpoint->FIN_cnt > 0 )
+		{
+		// Make sure we're not worrying about undelivered
+		// FIN control octets!
+		int FIN_seq = endpoint->FIN_seq - endpoint->start_seq;
+		if ( seq_delta(up_to_seq, FIN_seq) >= 0 )
+			up_to_seq = FIN_seq - 1;
+		}
+#endif
+
+	if ( DEBUG_tcp_contents )
+		{
+		DEBUG_MSG("%.6f Undelivered: up_to_seq=%d, last_reassm=%d, "
+		          "endp: FIN_cnt=%d, RST_cnt=%d, "
+		          "peer: FIN_cnt=%d, RST_cnt=%d\n",
+		          network_time, up_to_seq, last_reassem_seq,
+		          endpoint->FIN_cnt, endpoint->RST_cnt,
+		          peer->FIN_cnt, peer->RST_cnt);
+		}
+
+	if ( seq_delta(up_to_seq, last_reassem_seq) <= 0 )
+		return;
+
+	if ( last_reassem_seq == 1 &&
+	     (endpoint->FIN_cnt > 0 || endpoint->RST_cnt > 0 ||
+	      peer->FIN_cnt > 0 || peer->RST_cnt > 0) )
+		{
+		// We could be running on a SYN/FIN/RST-filtered trace - don't
+		// complain about data missing at the end of the connection.
+		//
+		// ### However, note that the preceding test is not a precise
+		// one for filtered traces, and may fail, for example, when
+		// the SYN packet carries data.
+		//
+		// Note, this check will confuse the EOF checker (and cause a
+		// missing FIN in the rewritten trace) when the content gap
+		// in the middle is discovered only after the FIN packet.
+
+		// Skip the undelivered part without reporting to the endpoint.
+		skip_deliveries = 1;
+		}
+	else
+		{
+		if ( DEBUG_tcp_contents )
+			{
+			DEBUG_MSG("%.6f Undelivered: seq=%d, len=%d, "
+					  "skip_deliveries=%d\n",
+					  network_time, last_reassem_seq,
+					  seq_delta(up_to_seq, last_reassem_seq),
+					  skip_deliveries);
+			}
+
+		if ( ! skip_deliveries )
+			{
+			// This can happen because we're processing a trace
+			// that's been filtered.  For example, if it's just
+			// SYN/FIN data, then there can be data in the FIN
+			// packet, but it's undelievered because it's out of
+			// sequence.
+
+			int seq = last_reassem_seq;
+			int len = seq_delta(up_to_seq, last_reassem_seq);
+
+			// Only report on content gaps for connections that
+			// are in a cleanly established state.  In other
+			// states, these can arise falsely due to things
+			// like sequence number mismatches in RSTs, or
+			// unseen previous packets in partial connections.
+			// The one opportunity we lose here is on clean FIN
+			// handshakes, but Oh Well.
+
+			if ( content_gap &&
+			     endpoint->state == TCP_ENDPOINT_ESTABLISHED &&
+			     peer->state == TCP_ENDPOINT_ESTABLISHED )
+				{
+				val_list* vl = new val_list;
+				vl->append(dst_analyzer->BuildConnVal());
+				vl->append(new Val(is_orig, TYPE_BOOL));
+				vl->append(new Val(seq, TYPE_COUNT));
+				vl->append(new Val(len, TYPE_COUNT));
+
+				dst_analyzer->ConnectionEvent(content_gap, vl);
+				}
+
+			TCP_Rewriter* r = (TCP_Rewriter*)
+				dst_analyzer->Conn()->TraceRewriter();
+			if ( r )
+				r->ContentGap(is_orig, len);
+
+			if ( type == Direct )
+				dst_analyzer->NextUndelivered(last_reassem_seq,
+								len, is_orig);
+			else
+				{
+				dst_analyzer->ForwardUndelivered(last_reassem_seq,
+								len, is_orig);
+				}
+			}
+
+		had_gap = true;
+		}
+
+	// We should record and match undelivered even if we are skipping
+	// content gaps between SYN and FIN, because FIN may carry some data.
+	//
+	if ( record_contents_file )
+		RecordToSeq(last_reassem_seq, up_to_seq, record_contents_file);
+
+	if ( tcp_match_undelivered )
+		MatchUndelivered(up_to_seq);
+
+	// But we need to re-adjust last_reassem_seq in either case.
+	last_reassem_seq = up_to_seq;	// we've done our best ...
+	}
+
+void TCP_Reassembler::MatchUndelivered(int up_to_seq)
+	{
+	if ( ! blocks || ! rule_matcher )
+		return;
+
+	ASSERT(last_block);
+	if ( up_to_seq == -1 )
+		up_to_seq = last_block->upper;
+
+	// ### Note: the original code did not check whether blocks have
+	// already been delivered, but not ACK'ed, and therefore still
+	// must be kept in the reassember.
+
+	// We are to match any undelivered data, from last_reassem_seq to
+	// min(last_block->upper, up_to_seq).
+	// Is there such data?
+	if ( seq_delta(up_to_seq, last_reassem_seq) <= 0 ||
+	     seq_delta(last_block->upper, last_reassem_seq) <= 0 )
+		return;
+
+	// Skip blocks that are already delivered (but not ACK'ed).
+	// Question: shall we instead keep a pointer to the first undelivered
+	// block?
+	DataBlock* b;
+	for ( b = blocks; b && seq_delta(b->upper, last_reassem_seq) <= 0;
+	      b = b->next )
+	      tcp_analyzer->Conn()->Match(Rule::PAYLOAD, b->block, b->Size(),
+						false, false, is_orig, false);
+
+	ASSERT(b);
+	}
+
+void TCP_Reassembler::RecordToSeq(int start_seq, int stop_seq, BroFile* f)
+	{
+	DataBlock* b = blocks;
+	// Skip over blocks up to the start seq.
+	while ( b && seq_delta(b->upper, start_seq) <= 0 )
+		b = b->next;
+
+	if ( ! b )
+		return;
+
+	int last_seq = start_seq;
+	while ( b && seq_delta(b->upper, stop_seq) <= 0 )
+		{
+		if ( seq_delta(b->seq, last_seq) > 0 )
+			RecordGap(last_seq, b->seq, f);
+
+		RecordBlock(b, f);
+		last_seq = b->upper;
+		b = b->next;
+		}
+
+	if ( b )
+		// Check for final gap.
+		if ( seq_delta(last_seq, stop_seq) < 0 )
+			RecordGap(last_seq, stop_seq, f);
+	}
+
+void TCP_Reassembler::RecordBlock(DataBlock* b, BroFile* f)
+	{
+	unsigned int len = b->Size();
+	if ( ! f->Write((const char*) b->block, len) )
+		// ### this should really generate an event
+		internal_error("contents write failed");
+	}
+
+void TCP_Reassembler::RecordGap(int start_seq, int upper_seq, BroFile* f)
+	{
+	if ( ! f->Write(fmt("\n<<gap %d>>\n", seq_delta(upper_seq, start_seq))) )
+		// ### this should really generate an event
+		internal_error("contents gap write failed");
+	}
+
+void TCP_Reassembler::BlockInserted(DataBlock* start_block)
+	{
+	if ( seq_delta(start_block->seq, last_reassem_seq) > 0 ||
+	     seq_delta(start_block->upper, last_reassem_seq) <= 0 )
+		return;
+
+	// We've filled a leading hole.  Deliver as much as possible.
+	// Note that the new block may include both some old stuff
+	// and some new stuff.  AddAndCheck() will have split the
+	// new stuff off into its own block(s), but in the following
+	// loop we have to take care not to deliver already-delivered
+	// data.
+	for ( DataBlock* b = start_block;
+	      b && seq_delta(b->seq, last_reassem_seq) <= 0; b = b->next )
+		{
+		if ( b->seq == last_reassem_seq )
+			{ // New stuff.
+			int len = b->Size();
+			int seq = last_reassem_seq;
+
+			last_reassem_seq += len;
+
+			if ( record_contents_file )
+				RecordBlock(b, record_contents_file);
+
+			DeliverBlock(seq, len, b->block);
+			}
+		}
+
+	TCP_Endpoint* e = endp;
+
+	if ( ! e->peer->HasContents() )
+		// Our endpoint's peer doesn't do reassembly and so
+		// (presumably) isn't processing acks.  So don't hold
+		// the now-delivered data.
+		TrimToSeq(last_reassem_seq);
+
+	else if ( e->NoDataAcked() && tcp_max_initial_window &&
+		  e->Size() > tcp_max_initial_window )
+		// We've sent quite a bit of data, yet none of it has
+		// been acked.  Presume that we're not seeing the peer's
+		// acks (perhaps due to filtering or split routing) and
+		// don't hang onto the data further, as we may wind up
+		// carrying it all the way until this connection ends.
+		TrimToSeq(last_reassem_seq);
+
+	// Note: don't make an EOF check here, because then we'd miss it
+	// for FIN packets that don't carry any payload (and thus
+	// endpoint->DataSent is not called).  Instead, do the check in
+	// TCP_Connection::NextPacket.
+	}
+
+void TCP_Reassembler::Overlap(const u_char* b1, const u_char* b2, int n)
+	{
+	if ( DEBUG_tcp_contents )
+		DEBUG_MSG("%.6f TCP contents overlap: %d\n", network_time,  n);
+
+	if ( rexmit_inconsistency &&
+	     memcmp((const void*) b1, (const void*) b2, n) &&
+	     // The following weeds out keep-alives for which that's all
+	     // we've ever seen for the connection.
+	     (n > 1 || endp->peer->HasDoneSomething()) )
+		{
+		BroString* b1_s = new BroString((const u_char*) b1, n, 0);
+		BroString* b2_s = new BroString((const u_char*) b2, n, 0);
+		tcp_analyzer->Event(rexmit_inconsistency,
+					new StringVal(b1_s), new StringVal(b2_s));
+		}
+	}
+
+IMPLEMENT_SERIAL(TCP_Reassembler, SER_TCP_REASSEMBLER);
+
+bool TCP_Reassembler::DoSerialize(SerialInfo* info) const
+	{
+	internal_error("TCP_Reassembler::DoSerialize not implemented");
+	}
+
+bool TCP_Reassembler::DoUnserialize(UnserialInfo* info)
+	{
+	internal_error("TCP_Reassembler::DoUnserialize not implemented");
+	}
+
+void TCP_Reassembler::Deliver(int seq, int len, const u_char* data)
+	{
+	if ( type == Direct )
+		dst_analyzer->NextStream(len, data, is_orig);
+	else
+		dst_analyzer->ForwardStream(len, data, is_orig);
+	}
+
+int TCP_Reassembler::DataSent(double t, int seq, int len,
+				const u_char* data, bool replaying)
+	{
+	int ack = seq_delta(endp->AckSeq(), endp->StartSeq());
+	int upper_seq = seq + len;
+
+	if ( DEBUG_tcp_contents )
+		{
+		DEBUG_MSG("%.6f DataSent: seq=%d upper=%d ack=%d\n",
+		          network_time, seq, upper_seq, ack);
+		}
+
+	if ( skip_deliveries )
+		return 0;
+
+	if ( seq_delta(seq, ack) < 0 && ! replaying )
+		{
+		if ( seq_delta(upper_seq, ack) <= 0 )
+			// We've already delivered this and it's been acked.
+			return 0;
+
+		// We've seen an ack for part of this packet, but not the
+		// whole thing.  This can happen when, for example, a previous
+		// packet held [a, a+b) and this packet holds [a, a+c) for c>b
+		// (which some TCP's will do when retransmitting).  Trim the
+		// packet to just the unacked data.
+		int amount_acked = seq_delta(ack, seq);
+		seq += amount_acked;
+		data += amount_acked;
+		len -= amount_acked;
+		}
+
+	NewBlock(t, seq, len, data);
+
+	if ( Endpoint()->NoDataAcked() && tcp_max_above_hole_without_any_acks &&
+	     NumUndeliveredBytes() > tcp_max_above_hole_without_any_acks )
+		{
+		tcp_analyzer->Weird("above_hole_data_without_any_acks");
+		ClearBlocks();
+		skip_deliveries = 1;
+		}
+
+	if ( tcp_excessive_data_without_further_acks &&
+	     NumUndeliveredBytes() > tcp_excessive_data_without_further_acks )
+		{
+		tcp_analyzer->Weird("excessive_data_without_further_acks");
+		ClearBlocks();
+		skip_deliveries = 1;
+		}
+
+	return 1;
+	}
+
+
+void TCP_Reassembler::AckReceived(int seq)
+	{
+	if ( endp->FIN_cnt > 0 && seq_delta(seq, endp->FIN_seq) >= 0 )
+		// TrimToSeq: FIN_seq - 1
+		seq = endp->FIN_seq - 1;
+
+	int bytes_covered = seq_delta(seq, trim_seq);
+
+	if ( bytes_covered <= 0 )
+		// Zero, or negative in sequence-space terms.  Nothing to do.
+		return;
+
+	bool test_active =
+	     ! skip_deliveries && ! tcp_analyzer->Skipping() &&
+	     endp->state == TCP_ENDPOINT_ESTABLISHED &&
+	     endp->peer->state == TCP_ENDPOINT_ESTABLISHED;
+
+	int num_missing = TrimToSeq(seq);
+
+	if ( test_active )
+		{
+		++tot_ack_events;
+		tot_ack_bytes += bytes_covered;
+
+		if ( num_missing > 0 )
+			{
+			++tot_gap_events;
+			tot_gap_bytes += num_missing;
+			tcp_analyzer->Event(ack_above_hole);
+			}
+
+		double dt = network_time - last_gap_report;
+
+		if ( gap_report && gap_report_freq > 0.0 &&
+		     dt >= gap_report_freq )
+			{
+			int devents = tot_ack_events - last_ack_events;
+			int dbytes = tot_ack_bytes - last_ack_bytes;
+			int dgaps = tot_gap_events - last_gap_events;
+			int dgap_bytes = tot_gap_bytes - last_gap_bytes;
+
+			RecordVal* r = new RecordVal(gap_info);
+			r->Assign(0, new Val(devents, TYPE_COUNT));
+			r->Assign(1, new Val(dbytes, TYPE_COUNT));
+			r->Assign(2, new Val(dgaps, TYPE_COUNT));
+			r->Assign(3, new Val(dgap_bytes, TYPE_COUNT));
+
+			val_list* vl = new val_list;
+			vl->append(new IntervalVal(dt, Seconds));
+			vl->append(r);
+
+			mgr.QueueEvent(gap_report, vl);
+
+			last_gap_report = network_time;
+			last_ack_events = tot_ack_events;
+			last_ack_bytes = tot_ack_bytes;
+			last_gap_events = tot_gap_events;
+			last_gap_bytes = tot_gap_bytes;
+			}
+		}
+
+	// Check EOF here because t_reassem->LastReassemSeq() may have
+	// changed after calling TrimToSeq().
+	CheckEOF();
+	}
+
+void TCP_Reassembler::CheckEOF()
+	{
+	// It is important that the check on whether we have pending data here
+	// is consistent with the check in TCP_Connection::ConnnectionClosed().
+	//
+	// If we choose to call EndpointEOF here because, for example, we
+	// are already skipping deliveries, ConnnectionClosed() might decide
+	// that there is still DataPending, because it does not check
+	// SkipDeliveries(), and the connection will not be closed until
+	// timeout, since the did_EOF flag makes sure that EndpointEOF will
+	// be called only once.
+	//
+	// Now both places call TCP_Reassembler::DataPending(), which checks
+	// whether we are skipping deliveries.
+
+	if ( ! did_EOF &&
+	     (endp->FIN_cnt > 0 || endp->state == TCP_ENDPOINT_CLOSED ||
+	                           endp->state == TCP_ENDPOINT_RESET) &&
+	     ! DataPending() )
+		{
+		// We've now delivered all of the data.
+		if ( DEBUG_tcp_connection_close )
+			{
+			DEBUG_MSG("%.6f EOF for %d\n",
+			          network_time, endp->IsOrig());
+			}
+
+		did_EOF = 1;
+		tcp_analyzer->EndpointEOF(this);
+		}
+	}
+
+// DeliverBlock is basically a relay to function Deliver. But unlike
+// Deliver, DeliverBlock is not virtual, and this allows us to insert
+// operations that apply to all connections using TCP_Contents.
+
+void TCP_Reassembler::DeliverBlock(int seq, int len, const u_char* data)
+	{
+	if ( seq_delta(seq + len, seq_to_skip) <= 0 )
+		return;
+
+	if ( seq_delta(seq, seq_to_skip) < 0 )
+		{
+		int to_skip = seq_delta(seq_to_skip, seq);
+		len -= to_skip;
+		data += to_skip;
+		seq = seq_to_skip;
+		}
+
+	if ( deliver_tcp_contents )
+		{
+		val_list* vl = new val_list();
+		vl->append(tcp_analyzer->BuildConnVal());
+		vl->append(new Val(IsOrig(), TYPE_BOOL));
+		vl->append(new Val(seq, TYPE_COUNT));
+		vl->append(new StringVal(len, (const char*) data));
+
+		tcp_analyzer->ConnectionEvent(tcp_contents, vl);
+		}
+
+	// Q. Can we say this because it is already checked in DataSent()?
+	// ASSERT(!Conn()->Skipping() && !SkipDeliveries());
+	//
+	// A. No, because TrimToSeq() can deliver some blocks after
+	// skipping the undelivered.
+
+	if ( skip_deliveries )
+		return;
+
+	in_delivery = true;
+	Deliver(seq, len, data);
+	in_delivery = false;
+
+	if ( seq_delta(seq + len, seq_to_skip) < 0 )
+		SkipToSeq(seq_to_skip);
+	}
+
+void TCP_Reassembler::SkipToSeq(int seq)
+	{
+	if ( seq_delta(seq, seq_to_skip) > 0 )
+		{
+		seq_to_skip = seq;
+		if ( ! in_delivery )
+			TrimToSeq(seq);
+		}
+	}
+
+int TCP_Reassembler::DataPending() const
+	{
+	// If we are skipping deliveries, the reassembler will not get called
+	// in DataSent(), and DataSeq() will not be updated.
+	if ( skip_deliveries )
+		return 0;
+
+	uint32 delivered_seq = Endpoint()->StartSeq() + DataSeq();
+
+	// Q. Can we say that?
+	// ASSERT(delivered_seq <= Endpoint()->LastSeq());
+	//
+	// A. Yes, but only if we express it with 64-bit comparison
+	// to handle sequence wrapping around.  (Or perhaps seq_delta
+	// is enough here?)
+
+	// We've delivered everything if we're up to the penultimate
+	// sequence number (since a FIN consumes an octet in the
+	// sequence space), or right at it (because a RST does not).
+	if ( delivered_seq != Endpoint()->LastSeq() - 1 &&
+	     delivered_seq != Endpoint()->LastSeq() )
+		return 1;
+
+	// If we've sent RST, then we can't send ACKs any more.
+	if ( Endpoint()->state != TCP_ENDPOINT_RESET &&
+	     Endpoint()->peer->HasUndeliveredData() )
+		return 1;
+
+	return 0;
+	}
diff --git a/src/TCP_Reassembler.h b/src/TCP_Reassembler.h
new file mode 100644
index 0000000000..3e8426c9fb
--- /dev/null
+++ b/src/TCP_Reassembler.h
@@ -0,0 +1,125 @@
+// $Id: TCP_Reassembler.h,v 1.1.2.8 2006/05/31 01:52:02 sommer Exp $
+
+#ifndef TCP_REASSEMBLER_H
+#define TCP_REASSEMBLER_H
+
+#include "Reassem.h"
+#include "TCP_Endpoint.h"
+
+class BroFile;
+class Connection;
+class TCP_Analyzer;
+class Analyzer;
+
+const int STOP_ON_GAP = 1;
+const int PUNT_ON_PARTIAL = 1;
+
+class TCP_Reassembler : public Reassembler {
+public:
+	enum Type {
+		Direct,		// deliver to destination analyzer itself
+		Forward,	// forward to destination analyzer's children
+	};
+
+	TCP_Reassembler(Analyzer* arg_dst_analyzer,
+			TCP_Analyzer* arg_tcp_analyzer, Type arg_type,
+			bool arg_is_orig, TCP_Endpoint* arg_endp);
+
+	virtual ~TCP_Reassembler();
+
+	void Done();
+
+	void SetDstAnalyzer(Analyzer* analyzer)	{ dst_analyzer = analyzer; }
+	void SetType(Type arg_type)	{ type = arg_type; }
+
+	TCP_Analyzer* GetTCPAnalyzer()	{ return tcp_analyzer; }
+
+	// Returns the volume of data buffered in the reassembler.
+	// First parameter returns data that is above a hole, and thus is
+	// waiting on the hole being filled.  Second parameter returns
+	// data that has been processed but is awaiting an ACK to free
+	// it up.
+	//
+	// If we're not processing contents, then naturally each of
+	// these is empty.
+	void SizeBufferedData(int& waiting_on_hole, int& waiting_on_ack) const;
+
+	// How much data is pending delivery since it's not yet reassembled.
+	// Includes the data due to holes (so this value is a bit different
+	// from waiting_on_hole above; and is computed in a different fashion).
+	int NumUndeliveredBytes() const
+		{
+		if ( last_block )
+			return last_block->upper - last_reassem_seq;
+		else
+			return 0;
+		}
+
+	void SetContentsFile(BroFile* f);
+	BroFile* GetContentsFile() const	{ return record_contents_file; }
+
+	void MatchUndelivered(int up_to_seq = -1);
+
+	// Skip up to seq, as if there's a content gap.
+	// Can be used to skip HTTP data for performance considerations.
+	void SkipToSeq(int seq);
+
+	int DataSent(double t, int seq, int len, const u_char* data,
+			bool replaying=true);
+	void AckReceived(int seq);
+
+	// Checks if we have delivered all contents that we can possibly
+	// deliver for this endpoint.  Calls TCP_Analyzer::EndpointEOF()
+	// when so.
+	void CheckEOF();
+
+	int HasUndeliveredData() const	{ return HasBlocks(); }
+	int HadGap() const	{ return had_gap; }
+	int DataPending() const;
+	int DataSeq() const		{ return LastReassemSeq(); }
+
+	void DeliverBlock(int seq, int len, const u_char* data);
+	virtual void Deliver(int seq, int len, const u_char* data);
+
+	TCP_Endpoint* Endpoint()		{ return endp; }
+	const TCP_Endpoint* Endpoint() const	{ return endp; }
+
+	int IsOrig() const	{ return endp->IsOrig(); }
+
+	bool IsSkippedContents(int seq, int length) const
+		{ return seq + length <= seq_to_skip; }
+
+private:
+	TCP_Reassembler()	{ }
+
+	DECLARE_SERIAL(TCP_Reassembler);
+
+	void Undelivered(int up_to_seq);
+
+	void RecordToSeq(int start_seq, int stop_seq, BroFile* f);
+	void RecordBlock(DataBlock* b, BroFile* f);
+	void RecordGap(int start_seq, int upper_seq, BroFile* f);
+
+	void BlockInserted(DataBlock* b);
+	void Overlap(const u_char* b1, const u_char* b2, int n);
+
+	TCP_Endpoint* endp;
+
+	unsigned int deliver_tcp_contents:1;
+	unsigned int had_gap:1;
+	unsigned int did_EOF:1;
+	unsigned int skip_deliveries:1;
+
+	int seq_to_skip;
+	bool in_delivery;
+
+	BroFile* record_contents_file;	// file on which to reassemble contents
+
+	Analyzer* dst_analyzer;
+	TCP_Analyzer* tcp_analyzer;
+
+	Type type;
+	bool is_orig;
+};
+
+#endif
diff --git a/src/TCP_Rewriter.cc b/src/TCP_Rewriter.cc
new file mode 100644
index 0000000000..3a8ca8b7b6
--- /dev/null
+++ b/src/TCP_Rewriter.cc
@@ -0,0 +1,1575 @@
+// $Id: TCP_Rewriter.cc 6008 2008-07-23 00:24:22Z vern $
+
+//  Overview of TCP trace rewriter:
+//
+//  1. Timestamp: Consider every packet arrival at a certain endpoint
+//  in the original trace as a tick for the endpoint; a packet will be
+//  dumped into the new trace (possibly with different content) in the
+//  tick (enforced by flush_rewriter_packet). When the user writes data
+//  into the new trace, the packet will carry a timestamp of the
+//  current tick, or the next tick if data is generated between
+//  ticks. Users may also choose to Push data, in which case the packet
+//  carries a timestamp of current network time. This gives us the
+//  'freshness' of timestamps.
+//
+//  2. Ordering of contents: user may choose to push contents in order
+//  to enforce ordering of contents between two directions, however,
+//  contents MIGHT be already dumped BEFORE they are pushed, once they
+//  are written into the trace. (similar to PUSH in TCP)
+//
+//  3. Acknowledgements: when a packet is dumped at a time when there
+//  is no corresponding packet in the original trace, an articial
+//  acknowledgement is generated from the peer with the same
+//  timestamp. This guarantees that additional packets will have
+//  acknowledgements. For those packets dumped at 'ticks', there
+//  should be corresponding acknowledgement packets in the original
+//  trace already, so we do not generate further artificial
+//  acknowledgement packets.
+//
+//  4. SYN, RST, FIN: SYN/RST packets in the new trace do not carry
+//  payloads -- additional packets may be generated for payloads. FIN
+//  packets are generated only when user calls ScheduleFIN, which by
+//  default corresponds to the moment that contents of the flow is
+//  completely delivered, which is usually when the FIN appears in the
+//  original trace. Change: now we will try to allow SYN/RST packets
+//  to carry payloads if they originally do.
+
+#include "config.h"
+
+#include <assert.h>
+#include <stdlib.h>
+
+#include "Event.h"
+#include "Net.h"
+#include "TCP_Rewriter.h"
+
+#define MSG_PREFIX	"TCP trace rewriter: "
+#define DEBUG_MSG_A(x...)
+// #define DEBUG_MSG_A	DEBUG_MSG
+
+static IP_IDSet* ip_id_set = 0;	// <IP, IP-ID> pairs in the output trace
+int num_packets_held, num_packets_cleaned;
+
+TCP_TracePacket::TCP_TracePacket(TCP_Rewriter* arg_trace_rewriter,
+				 int arg_packet_seq, double t, int arg_is_orig,
+				 const struct pcap_pkthdr* arg_hdr,
+				 int MTU, int initial_size)
+	{
+	trace_rewriter = arg_trace_rewriter;
+	pcap_hdr = *arg_hdr;
+	packet_seq = arg_packet_seq;
+	timestamp = t;
+	is_orig = arg_is_orig;
+	mtu = MTU;
+	pkt = new u_char[initial_size];
+	buffer_size = initial_size;
+
+	buffer_offset = 0;
+	ip_offset = tcp_offset = data_offset = -1;
+	reuse = 0;
+	FIN_scheduled = 0;
+	on_hold = 0;
+	seq_gap = 0;
+	packet_val = 0;
+	packet_val = PacketVal();
+	has_reserved_slot = 0;
+	predicted_as_empty_place_holder = 0;
+	}
+
+TCP_TracePacket::~TCP_TracePacket()
+	{
+	packet_val->SetOrigin(0);
+	Unref(packet_val);
+	if ( pkt )
+		delete [] pkt;
+	}
+
+int TCP_TracePacket::AppendLinkHeader(const u_char* chunk, int len)
+	{
+	if ( ip_offset >= 0 && ip_offset != buffer_offset )
+		internal_error(MSG_PREFIX "link header must be appended before IP header");
+
+	if ( ! Append(chunk, len) )
+		return 0;
+
+	ip_offset = buffer_offset;
+	return 1;
+	}
+
+int TCP_TracePacket::AppendIPHeader(const u_char* chunk, int len)
+	{
+	if ( tcp_offset >= 0 && tcp_offset != buffer_offset )
+		internal_error(MSG_PREFIX "IP header must be appended before tcp header");
+
+	if ( ! Append(chunk, len) )
+		return 0;
+
+	tcp_offset = buffer_offset;
+	return 1;
+	}
+
+int TCP_TracePacket::AppendTCPHeader(const u_char* chunk, int len)
+	{
+	if ( data_offset >= 0 && data_offset != buffer_offset )
+		internal_error(MSG_PREFIX "tcp header must be appended before payload");
+
+	if ( tcp_offset == buffer_offset )
+		{ // first TCP header chunk
+		int extra = (tcp_offset - ip_offset) % 4;
+		if ( extra )
+			{
+			DEBUG_MSG(MSG_PREFIX "padding IP header");
+			if ( ! AppendIPHeader(0, 4 - extra) )
+				return 0;
+			}
+		}
+
+	if ( ! Append(chunk, len) )
+		return 0;
+
+	data_offset = buffer_offset;
+	return 1;
+	}
+
+int TCP_TracePacket::AppendData(const u_char* chunk, int len)
+	{
+	// All headers must be appended before any data.
+	ASSERT(ip_offset >= 0 && tcp_offset >= 0 && data_offset >= 0);
+
+	if ( data_offset == buffer_offset )
+		{ // first data chunk
+		int extra = (data_offset - tcp_offset) % 4;
+		if ( extra )
+			{
+			DEBUG_MSG(MSG_PREFIX "%.6f padding tcp header -- original header range: %d - %d\n",
+					network_time, tcp_offset, data_offset);
+			if ( ! AppendTCPHeader(0, 4 - extra) )
+				return 0;
+			}
+		}
+
+	if ( ! Append(chunk, len) )
+		return 0;
+
+	return 1;
+	}
+
+int TCP_TracePacket::Append(const u_char* chunk, int len)
+	{
+	if ( buffer_offset + len > buffer_size )
+		{
+		if ( buffer_offset + len > mtu )
+			return 0;
+
+		u_char* tmp = new u_char[mtu];
+		for ( int i = 0 ; i < buffer_size; ++i )
+			tmp[i] = pkt[i];
+
+		delete [] pkt;
+		pkt = tmp;
+		buffer_size = mtu;
+		}
+
+	ASSERT(buffer_offset + len <= buffer_size);
+
+	if ( chunk )
+		{
+		if ( pkt + buffer_offset != chunk )
+			memcpy(pkt + buffer_offset, chunk, len);
+		}
+	else
+		// Fill with 0.
+		memset(pkt + buffer_offset, 0, len);
+
+	buffer_offset += len;
+	return 1;
+	}
+
+uint32 TCP_TracePacket::GetSeq() const
+	{
+	ASSERT(tcp_offset >= ip_offset + int(sizeof(struct ip)) &&
+	       buffer_offset >= tcp_offset + int(sizeof(struct tcphdr)));
+
+	struct tcphdr* tp = (struct tcphdr*) (pkt + tcp_offset);
+	return ntohl(tp->th_seq);
+	}
+
+void TCP_TracePacket::SetSeq(uint32 seq)
+	{
+	ASSERT(tcp_offset >= ip_offset + int(sizeof(struct ip)) &&
+	       buffer_offset >= tcp_offset + int(sizeof(struct tcphdr)));
+
+	struct tcphdr* tp = (struct tcphdr*) (pkt + tcp_offset);
+	tp->th_seq = htonl(seq);
+	}
+
+uint32 TCP_TracePacket::GetAck() const
+	{
+	ASSERT(tcp_offset >= ip_offset + int(sizeof(struct ip)) &&
+	       buffer_offset >= tcp_offset + int(sizeof(struct tcphdr)));
+
+	struct tcphdr* tp = (struct tcphdr*) (pkt + tcp_offset);
+	return ntohl(tp->th_ack);
+	}
+
+void TCP_TracePacket::SetAck(uint32 ack)
+	{
+	ASSERT(tcp_offset >= ip_offset + int(sizeof(struct ip)) &&
+	       buffer_offset >= tcp_offset + int(sizeof(struct tcphdr)));
+
+	struct tcphdr* tp = (struct tcphdr*) (pkt + tcp_offset);
+	tp->th_ack = htonl(ack);
+	}
+
+int TCP_TracePacket::GetTCP_Flag(int which) const
+	{
+	ASSERT(tcp_offset >= ip_offset + int(sizeof(struct ip)) &&
+	       buffer_offset >= tcp_offset + int(sizeof(struct tcphdr)));
+
+	struct tcphdr* tp = (struct tcphdr*) (pkt + tcp_offset);
+	return tp->th_flags & which;
+	}
+
+void TCP_TracePacket::SetTCP_Flag(int which, int value)
+	{
+	ASSERT(tcp_offset >= ip_offset + int(sizeof(struct ip)) &&
+	       buffer_offset >= tcp_offset + int(sizeof(struct tcphdr)));
+
+	struct tcphdr* tp = (struct tcphdr*) (pkt + tcp_offset);
+
+	if ( value )
+		tp->th_flags |= which;
+	else
+		tp->th_flags &= (~which);
+	}
+
+int TCP_TracePacket::PayloadLength() const
+	{
+	if ( data_offset < 0 )
+		return 0;
+
+	return buffer_offset - data_offset;
+	}
+
+int TCP_TracePacket::SeqLength() const
+	{
+	int len = PayloadLength();
+	struct tcphdr* tp = (struct tcphdr*) (pkt + tcp_offset);
+
+	if ( tp->th_flags & TH_SYN )
+		++len;
+
+	if ( tp->th_flags & TH_FIN )
+		++len;
+
+	return len;
+	}
+
+int TCP_TracePacket::Finish(struct pcap_pkthdr*& hdr,
+			    const u_char*& arg_pkt, int& length,
+			    ipaddr32_t anon_src, ipaddr32_t anon_dst)
+	{
+	// Set length fields in headers and compute checksums.
+	if ( tcp_offset < ip_offset + int(sizeof(struct ip)) ||
+	     data_offset < tcp_offset + int(sizeof(struct tcphdr)) )
+		return 0;
+
+	struct ip* ip = (struct ip*) (pkt + ip_offset);
+	struct tcphdr* tp = (struct tcphdr*) (pkt + tcp_offset);
+
+	// TCP header.
+	ASSERT((data_offset - tcp_offset) % 4 == 0);
+
+	tp->th_off = (data_offset - tcp_offset) >> 2;
+	tp->th_x2 = 0;
+
+	// Shall we instead let URG flag&point stay?
+	// tp->th_flags &= (~TH_URG);	// set URG to 0
+	// tp->th_urp = 0;		// clear urgent pointer
+
+	// Fix IP addresses before computing the TCP checksum
+	if ( anonymize_ip_addr )
+		{
+		ip->ip_src.s_addr = anon_src;
+		ip->ip_dst.s_addr = anon_dst;
+		}
+
+	tp->th_sum = 0;
+	tp->th_sum = 0xffff - tcp_checksum(ip, tp, PayloadLength());
+
+	// IP header.
+
+	// What to do with ip_id? One way is to choose a pseudo-random
+	// number as the new id. We try to keep the original ID unless
+	// it would cause a conflict, in which case we increment the
+	// ID till there is no conflict.
+	//
+	// This is too expensive -- and ID conflicts do not really
+	// matter because there will never be fragmentation.
+	// Fix: just keep the original ID.
+	// ip->ip_id = NextIP_ID(ip->ip_src.s_addr, ip->ip_id);
+
+	ASSERT((tcp_offset - ip_offset) % 4 == 0);
+	ip->ip_hl = (tcp_offset - ip_offset) >> 2;
+	ip->ip_len = htons(buffer_offset - ip_offset);
+	ip->ip_off = 0;		// DF = 0, MF = 0, offset = 0
+	ip->ip_sum = 0;
+	ip->ip_sum = 0xffff - ones_complement_checksum((const void*) ip, tcp_offset - ip_offset, 0);
+
+	// Link level header:
+	// Question: what to do with the link level header? Currently we just
+	// keep the original header, even though the length field can
+	// be incorrect. ###
+
+	if ( timestamp < trace_rewriter->RewritePacket()->TimeStamp() )
+		// For out of order rewriting.
+		timestamp = trace_rewriter->RewritePacket()->TimeStamp();
+
+	// The below works around a potential type incompatibility
+	// on systems where pcap's timeval is different from the
+	// system-wide one. --cpk
+	//
+	timeval tv_tmp = double_to_timeval(timestamp);
+	pcap_hdr.ts.tv_sec = tv_tmp.tv_sec;
+	pcap_hdr.ts.tv_usec = tv_tmp.tv_usec;
+	pcap_hdr.caplen = pcap_hdr.len = buffer_offset;
+
+	hdr = &pcap_hdr;
+	arg_pkt = pkt;
+	length = buffer_offset;
+
+	return 1;
+	}
+
+void TCP_TracePacket::Reuse()
+	{
+	reuse = 1;
+
+	timestamp = trace_rewriter->RewritePacket()->TimeStamp();
+
+	// Question 1: Shall we keep TCP options in the header? Note
+	// that the TCP header of a packet is sometimes replicated in
+	// the rewritten trace (because we reuse headers). When an
+	// option have idempotent semantics, it is safe to keep the
+	// option; otherwise we should include the option only in the
+	// first one among replicated copies. Currently we keep
+	// options for simplicity and wait for things to happen. ###
+
+	struct tcphdr* tp = (struct tcphdr*) (pkt + tcp_offset);
+	tp->th_flags = 0;
+
+	// Clear all TCP options.
+	unsigned int prev_data_offset = data_offset;
+	buffer_offset = data_offset = tcp_offset + sizeof(struct tcphdr);
+	if ( prev_data_offset - tcp_offset > sizeof(*tp) )
+		TCP_Analyzer::ParseTCPOptions(tp,
+					TCP_Rewriter::RewriteTCPOption,
+					trace_rewriter->Analyzer(), is_orig, this);
+	}
+
+RecordVal* TCP_TracePacket::PacketVal()
+	{
+	if ( ! packet_val )
+		{
+		packet_val = new RecordVal(packet_type);
+		packet_val->Assign(0, TraceRewriter()->Analyzer()->BuildConnVal());
+		packet_val->Assign(1, new Val(IsOrig(), TYPE_BOOL));
+		packet_val->Assign(2, new Val(PacketSeq(), TYPE_COUNT));
+		packet_val->Assign(3, new Val(TimeStamp(), TYPE_TIME));
+		packet_val->SetOrigin(this);
+		}
+	else
+		Ref(packet_val);
+
+	return packet_val;
+	}
+
+uint16 NextIP_ID(const uint32 src_addr, const uint16 id)
+	{
+	if ( ip_id_set == 0 )
+		ip_id_set = new IP_IDSet();
+
+	IP_ID ipid;
+	ipid.ip = src_addr;
+	ipid.id = id;
+
+	while ( ip_id_set->find(ipid) != ip_id_set->end() )
+		{
+		ipid.id = (ipid.id + 1) & 0xffff;
+
+		if ( ipid.id == id )
+			{ // clear all entries of the IP
+			IP_ID first_id, last_id;
+			first_id.ip = last_id.ip = src_addr;
+			first_id.id = 0; last_id.id = 0xffff;
+			ip_id_set->erase(ip_id_set->find(first_id),
+						ip_id_set->find(last_id));
+			}
+		}
+
+	ip_id_set->insert(ipid);
+
+	return uint16(ipid.id & 0xffff);
+	}
+
+TCP_RewriterEndpoint::TCP_RewriterEndpoint(TCP_Rewriter* arg_rewriter)
+	{
+	rewriter = arg_rewriter;
+	next_packet = 0;
+	endp = 0;
+	established = 0;
+	end_of_data = 0;
+	peer = 0;
+	last_ack = 0;
+	last_packet_time = -1;
+	please_flush = 0;
+	flushed = 1;
+	flush_scheduled = 0;
+	there_is_a_gap = 0;
+	}
+
+TCP_RewriterEndpoint::~TCP_RewriterEndpoint()
+	{
+	if ( ! prolog.empty() )
+		{
+		if ( ! next_packet )
+			Weird(MSG_PREFIX "end point has data, but hasn't got any packet till destruction.");
+		else
+			internal_error(MSG_PREFIX "prolog should've been purged on the very first packet.");
+
+		while ( ! prolog.empty() )
+			{
+			delete prolog.front();
+			prolog.pop();
+			}
+		}
+
+	if ( ! end_of_data && next_packet && ! next_packet->IsEmpty() )
+		Weird(fmt(MSG_PREFIX "end of data missing before deleting the connection: %.6f",
+			  next_packet->TimeStamp()));
+
+	if ( next_packet )
+		Unref(next_packet);
+	}
+
+void TCP_RewriterEndpoint::Init()
+	{
+	// This cannot be put into the constructor because it requires
+	// existence of the peer.
+	peer = rewriter->GetPeer(this);
+	}
+
+// NextPacket sets 'ticks' of packet dumping according to packet
+// arrival in the original sequence.
+void TCP_RewriterEndpoint::NextPacket(TCP_TracePacket* p)
+	{
+	please_flush = 1;
+	flushed = 0;
+	last_packet_time = p->TimeStamp();
+
+	if ( ! endp )
+		endp = rewriter->GetEndpoint(this);
+
+	if ( endp->state == TCP_ENDPOINT_ESTABLISHED )
+		established = 1;
+
+	if ( ! next_packet || p->GetTCP_Flag(TH_SYN) )
+		{
+		if ( ! p->GetTCP_Flag(TH_SYN | TH_RST) &&
+		     ! rewriter->Analyzer()->IsPartial() )
+			Weird(MSG_PREFIX "first packet is not SYN or RST");
+
+		start_seq = next_seq = p->GetSeq();
+		}
+
+	SetNextPacket(p);
+	ScheduleFlush();
+	}
+
+void TCP_RewriterEndpoint::WriteData(int len, const u_char* data)
+	{
+	if ( end_of_data & (END_BY_FIN | END_BY_RST) )
+		Weird(MSG_PREFIX "write after end of data");
+
+	if ( ! next_packet )
+		{
+		// Till anybody really wants to use the prolog ...
+		run_time(fmt("pushing %d bytes into prolog", len));
+		prolog.push(new BroString(data, len, 0));
+		}
+	else
+		{
+		// Originally we did not send data along with SYN or RST.
+		// if ( next_packet->GetTCP_Flag(TH_SYN | TH_RST) )
+		//	internal_error("SYN/RST packet not immediately flushed");
+
+		// Question: shall we send data along with the ACK in the
+		// connection's three way handshake? Here it may do so.
+
+		DoWriteData(len, data);
+
+		if ( please_flush )
+			ScheduleFlush();
+		}
+	}
+
+void TCP_RewriterEndpoint::SkipGap(int len)
+	{
+	next_seq += len;
+	there_is_a_gap = 1;
+
+	if ( next_packet )
+		next_packet->SetSeqGap(0);
+	}
+
+void TCP_RewriterEndpoint::Push()
+	{
+	if ( ! next_packet )
+		return;
+
+	next_packet->SetTCP_Flag(TH_PUSH, 1);
+	PushPacket();
+	}
+
+void TCP_RewriterEndpoint::ReqAck()
+	{
+	if ( ! next_packet )
+		return;
+
+	PushPacket();
+	}
+
+void TCP_RewriterEndpoint::Flush()
+	{
+	if ( ! next_packet || next_packet->OnHold() )
+		// This may happen after the code change in
+		// TCP_Connection::NextPacket -- not every packet
+		// reaches the TCP rewriter.  Also, do not dump a packet
+		// on hold -- the packet will be flushed later.
+		// internal_error(MSG_PREFIX "flush before packet arrival");
+		return;
+
+	DEBUG_MSG_A("preparing to flush packet %d (%.6f)\n", next_packet->PacketSeq(), next_packet->TimeStamp());
+	if ( next_packet->FINScheduled() )
+		GenerateFIN();
+
+	if ( please_flush )
+		{
+		DEBUG_MSG_A("Flush packet %d (%.6f)\n", next_packet->PacketSeq(), next_packet->TimeStamp());
+		PushPacket();
+		}
+
+	if ( ! next_packet->IsEmpty() )
+		{
+		internal_error(MSG_PREFIX "packet is not empty after flushing");
+		}
+
+	flush_scheduled = 0;
+	}
+
+void TCP_RewriterEndpoint::ScheduleFlush()
+	{
+	if ( ! flush_scheduled )
+		{
+		schedule_flush(this);
+		flush_scheduled = 1;
+		DEBUG_MSG_A("%.6f flush scheduled for packet %d (%.6f)\n", network_time, next_packet->PacketSeq(), next_packet->TimeStamp());
+		}
+	}
+
+void TCP_RewriterEndpoint::GenerateFIN()
+	{
+	if ( end_of_data & END_BY_FIN )
+		return;
+
+	DEBUG_MSG_A("FIN at %.6f\n", next_packet->TimeStamp());
+	end_of_data |= END_BY_FIN;
+
+	if ( ! next_packet )
+		// Weird(MSG_PREFIX "FIN before packet arrival");
+		internal_error(MSG_PREFIX "FIN before packet arrival");
+	else
+		{
+		next_packet->ScheduleFIN(0);
+		next_packet->SetTCP_Flag(TH_FIN, 1);
+		please_flush = 1;
+		}
+	}
+
+void TCP_RewriterEndpoint::Reset(int self)
+	{
+	DEBUG_MSG_A("%.6f end by RST (empty = %d)\n", network_time, next_packet ? next_packet->IsEmpty() : -1);
+	if ( self )
+		end_of_data |= END_BY_RST;
+	else
+		end_of_data |= END_BY_PEER_RST;
+	}
+
+void TCP_RewriterEndpoint::SetNextPacket(TCP_TracePacket* p)
+	{
+	if ( next_packet )
+		{
+		if ( ! next_packet->IsEmpty() || next_packet->OnHold() )
+			internal_error(MSG_PREFIX "next packet (%.6f) arrives before the previous packet (%.6f) is flushed", p->TimeStamp(), next_packet->TimeStamp());
+			// PushPacket();
+
+		Unref(next_packet);
+		}
+
+	next_packet = p;
+
+	if ( next_packet->SeqGap() > 0 )
+		peer->SkipGap(next_packet->SeqGap());
+
+	// next_packet->SetTCP_Flag(TH_PUSH, 0);
+
+	// Do not send FIN at this moment because FIN may arrive out
+	// of order -- wait till all contents are delivered
+	next_packet->SetTCP_Flag(TH_FIN, 0);
+
+	if ( ! prolog.empty() )
+		{
+		// Do not put prolog into SYN/RST packets
+		if ( next_packet->GetTCP_Flag(TH_SYN | TH_RST) )
+			PushPacket();
+		PurgeProlog();
+		}
+	}
+
+void TCP_RewriterEndpoint::PurgeProlog()
+	{
+	while ( ! prolog.empty() )
+		{
+		BroString* s = prolog.front();
+		WriteData(s->Len(), s->Bytes());
+		prolog.pop();
+		delete s;
+		}
+	}
+
+void TCP_RewriterEndpoint::DoWriteData(int len, const u_char* data)
+	{
+	ASSERT(next_packet);
+
+	while ( len > 0 )
+		{
+		int left = next_packet->Space();
+
+		if ( ! left )
+			{
+			PushPacket();
+			left = next_packet->Space();
+			}
+
+		if ( left > len )
+			left = len;
+
+		if ( ! next_packet->AppendData(data, left) )
+			ASSERT(0);
+
+		data += left;
+		len -= left;
+		please_flush = 1;
+		}
+	}
+
+int TCP_RewriterEndpoint::IsPlaceHolderPacket(TCP_TracePacket* p)
+	{
+	return p->SeqLength() == 0 &&
+	       ! p->GetTCP_Flag(TH_SYN | TH_RST | TH_FIN | TH_URG ) &&
+	       ! (p->GetTCP_Flag(TH_ACK) && p->GetAck() > last_ack);
+	}
+
+void TCP_RewriterEndpoint::PushPacket()
+	{
+	if ( ! next_packet )
+		{
+		internal_error(MSG_PREFIX "cannot push packet before packet arrival");
+		return;
+		}
+
+	// Set sequence number ...
+	next_packet->SetSeq(next_seq);
+	int seq_len = next_packet->SeqLength();
+
+	next_seq += seq_len;
+
+	// ... and acknowledge peer's recently dumped packet.
+	if ( next_packet->GetTCP_Flag(TH_SYN | TH_RST) &&
+	     ! next_packet->GetTCP_Flag(TH_ACK) )
+		{
+		next_packet->SetTCP_Flag(TH_ACK, 0);
+		next_packet->SetAck(0);
+		}
+	else
+		{
+		next_packet->SetTCP_Flag(TH_ACK, 1);
+		if ( peer->HasPacket() )
+			next_packet->SetAck(peer->NextSeq());
+		}
+
+	int RST = next_packet->GetTCP_Flag(TH_RST);
+
+#if 0
+	// With the feature of reserve_rewrite_slot, packet dumping can
+	// be delayed.
+
+	// Enforce the order of timestamps; but delayed FIN is OK
+	// when there is a gap.
+	if ( next_packet->TimeStamp() < network_time &&
+	     ! (next_packet->GetTCP_Flag(TH_FIN) && there_is_a_gap) )
+		{
+		Weird(MSG_PREFIX "delayed packet");
+		Weird(fmt(MSG_PREFIX "packet time %.6f, dumping time %.6f\n",
+			 next_packet->TimeStamp(), network_time));
+		}
+#endif
+
+	if ( ! IsPlaceHolderPacket(next_packet) ||
+	     ! omit_rewrite_place_holder )
+		{
+		if ( next_packet->PredictedAsEmptyPlaceHolder() )
+			{
+			DEBUG_MSG("The packet to dump (%.6f, %d, %d, %s%s%s%s, %u > %u) was predicted to be an empty place holder.",
+				next_packet->TimeStamp(), next_packet->SeqLength(), next_packet->PayloadLength(),
+				next_packet->GetTCP_Flag(TH_SYN) ? "S" : "",
+				next_packet->GetTCP_Flag(TH_RST) ? "R" : "",
+				next_packet->GetTCP_Flag(TH_FIN) ? "F" : "",
+				next_packet->GetTCP_Flag(TH_URG) ? "U" : "",
+				next_packet->GetAck(), last_ack);
+			}
+
+		rewriter->DumpPacket(this, next_packet);
+		}
+
+	if ( next_packet->GetTCP_Flag(TH_ACK) &&
+	     next_packet->GetAck() > last_ack )
+		last_ack = next_packet->GetAck();
+
+	// Reuse the packet headers.
+	next_packet->Reuse();
+
+	if ( ! next_packet->FINScheduled() )
+		{
+		please_flush = 0;
+		if ( ! next_packet->IsEmpty() )
+			internal_error("should have been cleared");
+		}
+
+	if ( RST )
+		{
+		Reset(1);	// itself ...
+		peer->Reset(0); // ... and peer
+		return;
+		}
+
+	// Question: do we need to request an ACK? Yes, if the packet
+	// is an artificially generated packet.
+	if ( seq_len > 0 &&
+	     next_packet->TimeStamp() < rewriter->RewritePacket()->TimeStamp() )
+		peer->ReqAck();
+	}
+
+void TCP_RewriterEndpoint::Weird(const char* name) const
+	{
+#ifdef DEBUG_BRO
+	rewriter->Weird(name);
+#endif
+	}
+
+TCP_Rewriter::TCP_Rewriter(TCP_Analyzer* arg_analyzer, PacketDumper* arg_dumper,
+				int arg_MTU, int arg_wait_for_commitment)
+	{
+	analyzer = arg_analyzer;
+	dumper = arg_dumper;
+	MTU = arg_MTU;
+	wait_for_commitment = arg_wait_for_commitment;
+	discard_packets = 0;	// till AbortPackets(1);
+
+	packets_rewritten = 0;
+	next_packet_seq = 0;
+	pending_content_gap = 0;
+
+	orig = new TCP_RewriterEndpoint(this);
+	resp = new TCP_RewriterEndpoint(this);
+
+	orig->Init();
+	resp->Init();
+
+	anon_addr[0] = anon_addr[1] = 0;
+
+	if ( anonymize_ip_addr )
+		{
+		anon_addr[0] = anonymize_ip(to_v4_addr(analyzer->Conn()->OrigAddr()),
+						ORIG_ADDR);
+		anon_addr[1] = anonymize_ip(to_v4_addr(analyzer->Conn()->RespAddr()),
+						RESP_ADDR);
+		}
+
+	holding_packets = 0;
+	current_packet = next_packet = 0;
+
+	current_slot = first_slot = last_slot = 0;
+	highest_slot_number = 0;
+	answered[0] = answered[1] = 0;
+	}
+
+void TCP_Rewriter::Done()
+	{
+	// The wrap-up work needs to be done *after* event processing,
+	// therefore we schedule a funeral to be held right before
+	// packets are flushed.
+	schedule_funeral(this);
+	}
+
+void TCP_Rewriter::Funeral()
+	{
+	if ( ! uncommited_packet_queue.empty() )
+		{
+		warn(fmt(MSG_PREFIX
+			 "rewriter gets neither commit or abort, "
+			 "and %d packets will be discarded",
+			 int(uncommited_packet_queue.size())));
+		AbortPackets(0);
+		}
+
+	if ( ! slot_queue.empty() )
+		{
+		run_time("reserved slots are not completely released at the end of rewriter %s", analyzer->Conn());
+		for ( slot_map_t::iterator it = reserved_slots.begin();
+			it != reserved_slots.end();
+			++it )
+			{
+			TCP_RewriteSlot* slot = it->second;
+			run_time(fmt("unreleased slot: %d", slot->Number()));
+			}
+
+		while ( ! slot_queue.empty() )
+			{
+			TCP_RewriteSlot* slot = slot_queue.front();
+			slot_queue.pop_front();
+			slot->Dump();
+			delete slot;
+			}
+
+		reserved_slots.clear();
+		ReleasePacketsOnHold();
+		}
+
+	if ( ! packets_on_hold.empty() )
+		{
+		run_time("packets on hold at the end of rewriter %s", analyzer->Conn());
+		ReleasePacketsOnHold();
+		// And release the last one.
+		Endp(next_packet->IsOrig())->Flush();
+		}
+	}
+
+TCP_Rewriter::~TCP_Rewriter()
+	{
+	delete orig;
+	delete resp;
+	}
+
+void TCP_Rewriter::NextPacket(int is_orig, double t,
+			      const struct pcap_pkthdr* pcap_hdr,
+			      const u_char* pcap_pkt, int hdr_size,
+			      const struct ip* ip,
+			      const struct tcphdr* tp)
+	{
+	unsigned int ip_hdr_len = ip->ip_hl * 4;
+	unsigned int tcp_hdr_len = tp->th_off * 4;
+
+	TCP_TracePacket* p =
+		new TCP_TracePacket(this, ++next_packet_seq, t,
+					is_orig, pcap_hdr, MTU,
+					hdr_size + ip_hdr_len + tcp_hdr_len);
+
+	if ( ! p->AppendLinkHeader(pcap_pkt, hdr_size) )
+		internal_error(MSG_PREFIX "cannot append headers -- check MTU");
+
+	if ( ! p->AppendIPHeader((const u_char*)ip, sizeof(*ip)) )
+		internal_error(MSG_PREFIX "cannot append headers -- check MTU");
+
+	if ( ip_hdr_len > sizeof(*ip) )
+		{
+		// TODO: re-write IP options.
+		}
+
+	if ( ! p->AppendTCPHeader((const u_char*)tp, sizeof(*tp)) )
+		internal_error(MSG_PREFIX "cannot append headers -- check MTU");
+
+	// Rewrite TCP options.
+	if ( tcp_hdr_len > sizeof(*tp) )
+		TCP_Analyzer::ParseTCPOptions(tp, RewriteTCPOption,
+						analyzer, is_orig, p);
+
+	// Pad the TCP header.
+	p->AppendData(0, 0);
+
+	// Before setting current_packet to p, first clean up empty
+	// place holders to save memory space.
+	if ( omit_rewrite_place_holder && holding_packets )
+		CleanUpEmptyPlaceHolders();
+
+	current_packet = p;
+
+	if ( pending_content_gap )
+		{
+		// A packet triggers a content gap only in the other
+		// direction.
+		if ( current_packet->IsOrig() )
+			pending_content_gap = -pending_content_gap;
+
+		if ( pending_content_gap < 0 )
+			internal_error("content gap out of sync with packet");
+
+		current_packet->SetSeqGap(pending_content_gap);
+		pending_content_gap = 0;
+		}
+
+	if ( current_slot )
+		add_slot();
+
+	if ( ! holding_packets )
+		{
+		next_packet = p;
+		Endp(is_orig)->NextPacket(p);
+		}
+	else
+		{
+		DEBUG_MSG_A("packet %d (%.6f) on hold\n",
+				p->PacketSeq(), p->TimeStamp());
+		packets_on_hold.push_back(p);
+		++num_packets_held;
+		}
+	}
+
+void TCP_Rewriter::ContentGap(int is_orig, int len)
+	{
+	if ( is_orig )
+		pending_content_gap = len;
+	else
+		pending_content_gap = -len;
+	}
+
+void TCP_Rewriter::ScheduleFIN(int is_orig)
+	{
+	if ( current_packet && current_packet->IsOrig() == is_orig )
+		current_packet->ScheduleFIN();
+
+	// Otherwise just ignore the FIN.
+	// Endp(is_orig)->ScheduleFIN();
+	}
+
+void TCP_Rewriter::WriteData(int is_orig, int len, const u_char* data)
+	{
+	if ( ! current_slot )
+		DoWriteData(is_orig, len, data);
+	else
+		current_slot->WriteData(is_orig, len, data);
+	}
+
+void TCP_Rewriter::DoWriteData(int is_orig, int len, const u_char* data)
+	{
+	if ( is_orig != next_packet->IsOrig() )
+		{
+		// Weird(fmt("%.6f rewriting packet on the opposite direction", network_time));
+		}
+
+	Endp(is_orig)->WriteData(len, data);
+	}
+
+void TCP_Rewriter::Push(int is_orig)
+	{
+	Endp(is_orig)->Push();
+	}
+
+void TCP_Rewriter::DumpPacket(TCP_RewriterEndpoint* endp, TCP_TracePacket* p)
+	{
+	struct pcap_pkthdr* hdr;
+	const u_char* pkt;
+	int length;
+	ipaddr32_t anon_src, anon_dst;		// anonymized IP addresses
+
+	if ( discard_packets )
+		return;
+
+	if ( endp == orig )
+		{
+		anon_src = anon_addr[0];
+		anon_dst = anon_addr[1];
+		}
+	else
+		{
+		anon_src = anon_addr[1];
+		anon_dst = anon_addr[0];
+		}
+
+	if ( p->Finish(hdr, pkt, length, anon_src, anon_dst) )
+		{
+		DEBUG_MSG_A("Packet %d (%.6f) dumped at %.6f\n", p->PacketSeq(), p->TimeStamp(), network_time);
+		++packets_rewritten;
+
+		if ( ! wait_for_commitment )
+			dumper->DumpPacket(hdr, pkt, length);
+		else
+			{
+			char* b = new char[sizeof(struct pcap_pkthdr) + length];
+			uncommited_packet_queue.push(b);
+
+			memcpy(b, hdr, sizeof(struct pcap_pkthdr));
+
+			b += sizeof(struct pcap_pkthdr);
+			memcpy(b, pkt, length);
+			}
+		}
+	else
+		internal_error(MSG_PREFIX "ill formed packet for dumping");
+	}
+
+void TCP_Rewriter::ReleaseNextPacket()
+	{
+	if ( packets_on_hold.empty() )
+		{
+		internal_error("there is no packet on hold to release");
+		return;
+		}
+
+	next_packet->SetOnHold(0);
+	Endp(next_packet->IsOrig())->Flush();
+	packets_on_hold.pop_front();
+
+	if ( ! packets_on_hold.empty() )
+		{
+		next_packet = packets_on_hold.front();
+		Endp(next_packet->IsOrig())->NextPacket(next_packet);
+		}
+	else
+		next_packet = 0;
+	}
+
+void TCP_Rewriter::HoldPacket(TCP_TracePacket* p)
+	{
+	if ( ! next_packet )
+		{
+		internal_error("should not try to hold a packet before packet arrival");
+		return;
+		}
+
+	holding_packets = 1;
+
+	while ( next_packet && next_packet->PacketSeq() < p->PacketSeq() )
+		ReleaseNextPacket();
+
+	if ( ! next_packet ||
+	     next_packet->PacketSeq() != p->PacketSeq() )
+		{
+		internal_error("packet sequence not found for hold_packet: %d",
+		    p->PacketSeq());
+		return;
+		}
+
+	next_packet->SetOnHold(1);
+	if ( packets_on_hold.empty() )
+		{
+		packets_on_hold.push_back(next_packet);
+		++num_packets_held;
+		answered[0] = answered[1] = 0;
+		}
+	}
+
+void TCP_Rewriter::ReleasePacketsOnHold()
+	{
+	holding_packets = 0;
+	if ( packets_on_hold.empty() )
+		return;
+
+	while ( packets_on_hold.size() > 1 )
+		ReleaseNextPacket();
+
+	next_packet->SetOnHold(0);
+	packets_on_hold.pop_front();
+	}
+
+void TCP_Rewriter::AbortPackets(int apply_to_future)
+	{
+	while ( ! uncommited_packet_queue.empty() )
+		{
+		char* p = uncommited_packet_queue.front();
+		uncommited_packet_queue.pop();
+		delete [] p;
+		}
+
+	if ( apply_to_future )
+		discard_packets = 1;
+	}
+
+void TCP_Rewriter::CommitPackets(int apply_to_future)
+	{
+	while ( ! uncommited_packet_queue.empty() )
+		{
+		struct pcap_pkthdr* hdr =
+			(struct pcap_pkthdr*) uncommited_packet_queue.front();
+
+		uncommited_packet_queue.pop();
+
+		dumper->DumpPacket(hdr,
+				((u_char*)hdr) + sizeof(struct pcap_pkthdr),
+				int((hdr->caplen)));
+
+		delete [] (char*) hdr;
+		}
+
+	if ( apply_to_future )
+		{ // dump all future packets immediately
+		wait_for_commitment = 0;
+		discard_packets = 0;
+		}
+	}
+
+void TCP_Rewriter::CleanUpEmptyPlaceHolders()
+	{
+	if ( ! last_slot )
+		return;
+
+	if ( last_slot->Packet() != current_packet )
+		internal_error("Mismatch: last_slot->packet != current_packet");
+
+	if ( packets_on_hold.empty() ||
+	     packets_on_hold.back() != current_packet )
+		internal_error("Mismatch: packets_on_hold.back() != current_packet");
+
+	int is_orig = current_packet->IsOrig() ? 1 : 0;
+
+	if ( current_packet->SeqGap() > 0 )
+		// This packet signals a sequence gap (on the opposite flow).
+		answered[is_orig] = 0;
+
+	// Is the current packet an empty placeholder packet?
+	int current_packet_is_empty =
+		last_slot->isEmpty() &&
+		current_packet->SeqLength() == 0 &&
+		! current_packet->GetTCP_Flag(TH_SYN|TH_RST|TH_FIN|TH_URG) &&
+		! current_packet->HasReservedSlot();
+
+	if ( current_packet_is_empty )
+		{
+		if ( answered[is_orig] )
+			{
+// #define DO_NOT_CLEAN_UP_ONLY_PREDICT
+#ifdef DO_NOT_CLEAN_UP_ONLY_PREDICT
+			// for debugging
+			current_packet->PredictAsEmptyPlaceHolder();
+#else
+			++num_packets_cleaned;
+			packets_on_hold.pop_back();
+			Unref(current_packet);
+			current_packet = 0;
+			slot_queue.pop_back();
+			delete last_slot;
+			last_slot = slot_queue.back();
+#endif
+			}
+		}
+	else
+		// Current packet may not be empty ...
+		answered[1 - is_orig] = 0;
+
+	answered[is_orig] = 1;
+	}
+
+int TCP_Rewriter::LeaveAddrInTheClear(int is_orig)
+	{
+	if ( packets_rewritten > 0 )
+		return 0;
+
+	if ( is_orig )
+		anon_addr[0] = to_v4_addr(analyzer->Conn()->OrigAddr());
+	else
+		anon_addr[1] = to_v4_addr(analyzer->Conn()->RespAddr());
+
+	return 1;
+	}
+
+TCP_Endpoint* TCP_Rewriter::GetEndpoint(TCP_RewriterEndpoint* endp)
+	{
+	if ( endp == orig )
+		return analyzer->Orig();
+	else
+		return analyzer->Resp();
+	}
+
+TCP_RewriterEndpoint* TCP_Rewriter::GetPeer(TCP_RewriterEndpoint* endp)
+	{
+	if ( endp == orig )
+		return resp;
+
+	else if ( endp == resp )
+		return orig;
+
+	else
+		return 0;
+	}
+
+#define KEEP_ORIG	1
+#define REUSE_OPT	1
+#define TO_NOP		0
+#define MAX_TCP_OPTION_REWRITING	9
+
+struct TCPOptionRewriting {
+	int keep_orig;
+	int reuse;
+} tcp_option_rewriting[MAX_TCP_OPTION_REWRITING] = {
+	//  0        -    End of Option List                 [RFC793]
+	{KEEP_ORIG, REUSE_OPT},
+
+	//  1        -    No-Operation                       [RFC793]
+	{KEEP_ORIG, REUSE_OPT},
+
+	//  2        4    Maximum Segment Size               [RFC793]
+	{KEEP_ORIG, REUSE_OPT},
+
+	//  3        3    WSOPT - Window Scale              [RFC1323]
+	{KEEP_ORIG, REUSE_OPT},
+
+	//  4        2    SACK Permitted                    [RFC2018]
+	{KEEP_ORIG, REUSE_OPT},
+
+	//  5        N    SACK                              [RFC2018]
+	{TO_NOP, TO_NOP},
+
+	//  6        6    Echo (obsoleted by option 8)      [RFC1072]
+	{TO_NOP, TO_NOP},
+
+	//  7        6    Echo Reply (obsoleted by option 8)[RFC1072]
+	{TO_NOP, TO_NOP},
+
+	//  8       10    TSOPT - Time Stamp Option         [RFC1323]
+	{KEEP_ORIG, REUSE_OPT},
+
+	// ** the rest is left for future work **
+	//  9        2    Partial Order Connection Permitted[RFC1693]
+	// 10        3    Partial Order Service Profile     [RFC1693]
+	// 11             CC                                [RFC1644]
+	// 12             CC.NEW                            [RFC1644]
+	// 13             CC.ECHO                           [RFC1644]
+	// 14         3   TCP Alternate Checksum Request    [RFC1146]
+	// 15         N   TCP Alternate Checksum Data       [RFC1146]
+	// 16             Skeeter                           [Knowles]
+	// 17             Bubba                             [Knowles]
+	// 18         3   Trailer Checksum Option    [Subbu & Monroe]
+	// 19        18   MD5 Signature Option              [RFC2385]
+	// 20             SCPS Capabilities                   [Scott]
+	// 21		Selective Negative Acknowledgements [Scott]
+	// 22		Record Boundaries                   [Scott]
+	// 23		Corruption experienced              [Scott]
+	// 24		SNAP				 [Sukonnik]
+	// 25		Unassigned (released 12/18/00)
+	// 26             TCP Compression Filter           [Bellovin]
+};
+
+int TCP_Rewriter::RewriteTCPOption(unsigned int opt, unsigned int optlen,
+				const u_char* option, TCP_Analyzer* analyzer,
+				bool is_orig, void* cookie)
+	{
+	TCP_TracePacket* p = (TCP_TracePacket*) cookie;
+
+	if ( opt < MAX_TCP_OPTION_REWRITING &&
+	     ( (! p->IsReuse() && tcp_option_rewriting[opt].keep_orig) ||
+	       (p->IsReuse() && tcp_option_rewriting[opt].reuse) ) )
+		// copy/reuse the TCP option
+		p->AppendTCPHeader(option, optlen);
+
+	else
+		{ // replace it with nop
+		static const u_char nop[16] = {
+			1, 1, 1, 1,  1, 1, 1, 1,  1, 1, 1, 1,  1, 1, 1, 1
+		};
+
+		while ( optlen > 0 )
+			{
+			int k = optlen > 16 ? 16 : optlen;
+			p->AppendTCPHeader(nop, k);
+			optlen -= k;
+			}
+		}
+
+	return 0;
+	}
+
+TCP_RewriteSlot* TCP_Rewriter::add_slot()
+	{
+	++highest_slot_number;
+
+	DEBUG_MSG_A("add slot %u\n", highest_slot_number);
+
+	last_slot = current_slot =
+		new TCP_RewriteSlot(current_packet, highest_slot_number);
+
+	slot_queue.push_back(current_slot);
+
+	return current_slot;
+	}
+
+TCP_RewriteSlot* TCP_Rewriter::find_slot(unsigned int slot)
+	{
+	// DEBUG_MSG_A("%d slots reserved\n", reserved_slots.size());
+	slot_map_t::iterator it = reserved_slots.find(slot);
+	if ( it == reserved_slots.end() )
+		return 0;
+
+	return it->second;
+	}
+
+unsigned int TCP_Rewriter::ReserveSlot()
+	{
+	if ( ! current_packet )
+		{
+		run_time("cannot reserve a rewrite slot before packet arrival");
+		return 0;
+		}
+
+	if ( ! current_slot )
+		{
+		first_slot = add_slot();
+		HoldPacket(current_packet);
+		}
+
+	if ( current_slot != last_slot )
+		{
+		run_time("cannot reserve a slot within a reserved slot");
+		return 0;
+		}
+
+	int slot_number = current_slot->Number();
+	DEBUG_MSG_A("reserved slot %d\n", slot_number);
+
+	reserved_slots[slot_number] = current_slot;
+	add_slot();
+	current_packet->AddReservedSlot();
+
+	return slot_number;
+	}
+
+int TCP_Rewriter::SeekSlot(unsigned int slot)
+	{
+	TCP_RewriteSlot* s = find_slot(slot);
+	if ( ! s )
+		return 0;
+
+	current_slot = s;
+	return 1;
+	}
+
+int TCP_Rewriter::ReturnFromSlot()
+	{
+	current_slot = last_slot;
+	return 1;
+	}
+
+int TCP_Rewriter::ReleaseSlot(unsigned int slot)
+	{
+	slot_map_t::iterator it = reserved_slots.find(slot);
+	if ( it == reserved_slots.end() )
+		{
+		run_time(fmt("cannot find slot %u", slot));
+		return 0;
+		}
+
+	TCP_RewriteSlot* s = it->second;
+	reserved_slots.erase(it);
+
+	if ( s == current_slot )
+		ReturnFromSlot();
+
+	DEBUG_MSG_A("release slot %u, slot [%u, %u]\n", s->Number(), first_slot->Number(), last_slot->Number());
+	if ( s == first_slot )
+		{
+		do	// release slots till we get to the next *reserved* slot
+			{
+			DEBUG_MSG_A("dump slot %d %.6f\n", first_slot->Number(), first_slot->Packet()->TimeStamp());
+
+			first_slot->Dump();
+			slot_queue.pop_front();
+			delete first_slot;
+
+			if ( slot_queue.empty() )
+				{
+				first_slot = last_slot = current_slot = 0;
+				DEBUG_MSG_A("release all packets on hold\n");
+				ReleasePacketsOnHold();
+				break;
+				}
+
+			first_slot = slot_queue.front();
+			HoldPacket(first_slot->Packet());
+			DEBUG_MSG_A("move on to packet %d (%.6f)\n", first_slot->Packet()->PacketSeq(), first_slot->Packet()->TimeStamp());
+			}
+		while ( ! find_slot(first_slot->Number()) );
+		}
+
+	return 1;
+	}
+
+TCP_RewriteSlot::TCP_RewriteSlot(TCP_TracePacket* p, unsigned int number)
+	{
+	packet = p;
+	slot_number = number;
+	rewriter = packet->TraceRewriter();
+	}
+
+void TCP_RewriteSlot::WriteData(int is_orig, int len, const u_char* data)
+	{
+	if ( is_orig != packet->IsOrig() )
+		{
+		run_time("writing data to a slot of wrong direction %s",
+			rewriter->analyzer->Conn());
+
+		BroString* tmp = new BroString(data, len, 1);
+		char* tmp_s = tmp->Render();
+		run_time(fmt("further info: dir = %s, len = %d, data = \"%s\"",
+				is_orig ? "orig" : "resp", len, tmp_s));
+		delete tmp_s;
+		delete tmp;
+		return;
+		}
+
+	BroString* s = new BroString((const u_char*) data, len, 1);
+	buf.push(s);
+	}
+
+void TCP_RewriteSlot::Dump()
+	{
+	while ( ! buf.empty() )
+		{
+		BroString* s = buf.front();
+		buf.pop();
+		DEBUG_MSG_A("dump: \"%s\"\n", s->Bytes());
+		rewriter->DoWriteData(packet->IsOrig(), s->Len(), s->Bytes());
+		delete s;
+		}
+	}
+
+static std::queue<TCP_Rewriter*> rewriter_funerals;
+static std::queue<TCP_RewriterEndpoint*> rewriters_to_flush;
+
+void schedule_funeral(TCP_Rewriter* rewriter)
+	{
+	Ref(rewriter->Analyzer()->Conn());
+	rewriter_funerals.push(rewriter);
+	}
+
+void schedule_flush(TCP_RewriterEndpoint* endp)
+	{
+	Ref(endp->Analyzer()->Conn());
+	rewriters_to_flush.push(endp);
+	}
+
+void flush_rewriter_packet()
+	{
+	while ( ! rewriter_funerals.empty() )
+		{
+		TCP_Rewriter* rewriter = rewriter_funerals.front();
+		rewriter_funerals.pop();
+		rewriter->Funeral();
+		Unref(rewriter->Analyzer()->Conn());
+		}
+
+	while ( ! rewriters_to_flush.empty() )
+		{
+		TCP_RewriterEndpoint* endp = rewriters_to_flush.front();
+		rewriters_to_flush.pop();
+
+		if ( endp )
+			{
+			endp->Flush();
+			Unref(endp->Analyzer()->Conn());
+			}
+		}
+
+	if ( mgr.HasEvents() )
+		internal_error("flushing packets generates additional events!");
+	}
+
+TCP_SourcePacket::TCP_SourcePacket(const struct pcap_pkthdr* pcap_hdr, const u_char* pcap_pkt)
+	{
+	hdr = *pcap_hdr;
+	if ( pcap_pkt )
+		{
+		pkt = new u_char[hdr.caplen];
+		memcpy(pkt, pcap_pkt, hdr.caplen);
+		}
+	else
+		{
+		hdr.caplen = 0;
+		pkt = 0;
+		}
+	}
+
+TCP_SourcePacket::~TCP_SourcePacket()
+	{
+	delete [] pkt;
+	}
+
+TCP_SourcePacketWriter::TCP_SourcePacketWriter(TCP_Analyzer* analyzer, PacketDumper* arg_dumper)
+	{
+	dumper = arg_dumper;
+	}
+
+TCP_SourcePacketWriter::~TCP_SourcePacketWriter()
+	{
+	// By default discard all packets of the connection
+	// if they are not explicitly dumped.
+	Purge(false);
+	}
+
+void TCP_SourcePacketWriter::NextPacket(const struct pcap_pkthdr* pcap_hdr,
+					const u_char* pcap_pkt)
+	{
+	source_packets.push(new TCP_SourcePacket(pcap_hdr, pcap_pkt));
+	}
+
+void TCP_SourcePacketWriter::Purge(bool dump)
+	{
+	while ( ! source_packets.empty() )
+		{
+		TCP_SourcePacket* p = source_packets.front();
+		if ( dump )
+			dumper->DumpPacket(p->Hdr(), p->Pkt(), p->Len());
+		source_packets.pop();
+		delete p;
+		}
+	}
+
+void TCP_SourcePacketWriter::Dump()
+	{
+	Purge(true);
+	}
+
+void TCP_SourcePacketWriter::Abort()
+	{
+	Purge(false);
+	}
+
+TCP_SourcePacketWriter* get_src_pkt_writer(TCP_Analyzer* analyzer)
+	{
+	if ( ! analyzer || analyzer->Conn()->ConnTransport() != TRANSPORT_TCP )
+		internal_error("connection for the trace rewriter does not exist");
+
+	TCP_SourcePacketWriter* writer = analyzer->SourcePacketWriter();
+	if ( ! writer )
+		{
+		if ( ! pkt_dumper )
+			return 0;	// don't complain if no output file
+		else if ( ! dump_selected_source_packets )
+			builtin_run_time("flag dump_source_packets is not set");
+		else
+			internal_error("source packet writer not initialized");
+		}
+
+	return writer;
+	}
+
+
+#include "common-rw.bif.func_def"
diff --git a/src/TCP_Rewriter.h b/src/TCP_Rewriter.h
new file mode 100644
index 0000000000..27bf6a15fe
--- /dev/null
+++ b/src/TCP_Rewriter.h
@@ -0,0 +1,401 @@
+// $Id: TCP_Rewriter.h 6916 2009-09-24 20:48:36Z vern $
+
+#ifndef tcp_rewriter_h
+#define tcp_rewriter_h
+
+#include <queue>
+#include <set>
+using namespace std;
+
+#include <pcap.h>
+
+#include "Val.h"
+#include "TCP.h"
+#include "Anon.h"
+#include "Analyzer.h"
+
+#include "PacketDumper.h"
+#include "Rewriter.h"
+
+class TCP_Rewriter;
+
+class TCP_TracePacket : public BroObj, virtual public TracePacket {
+public:
+	TCP_TracePacket(TCP_Rewriter* trace_rewriter,
+			int packet_seq, double t, int is_orig,
+			const struct pcap_pkthdr* hdr,
+			int MTU, int initial_size);
+	~TCP_TracePacket();
+
+	int AppendLinkHeader(const u_char* chunk, int len);
+	int AppendIPHeader(const u_char* chunk, int len);
+	int AppendTCPHeader(const u_char* chunk, int len);
+	int AppendData(const u_char* chunk, int len);
+
+	// Finish() is called before dumping the packet. It sets length
+	// fields and computes checksums in TCP/IP headers.
+	int Finish(struct pcap_pkthdr*& hdr, const u_char*& pkt, int& length,
+		   ipaddr32_t anon_src, ipaddr32_t anon_dst);
+
+	void Reuse();
+	int IsReuse() const	{ return reuse; }
+
+	double TimeStamp() const	{ return timestamp; }
+	int IsOrig() const	{ return is_orig; }
+
+	const struct pcap_pkthdr* Header() const	{ return &pcap_hdr; }
+
+	const u_char* Buffer() const	{ return pkt; }
+	int Length() const	{ return buffer_offset; }
+
+	// Note that Space() does not depend on buffer_size, but depends on MTU.
+	int Space() const		{ return mtu - buffer_offset; }
+	int IsEmpty() const
+		{ return SeqLength() == 0 && ! GetTCP_Flag(TH_RST); }
+
+	uint32 GetSeq() const;
+	void SetSeq(uint32 seq);
+
+	uint32 GetAck() const;
+	void SetAck(uint32 ack);
+
+	int GetTCP_Flag(int which) const;
+	void SetTCP_Flag(int which, int value);
+
+	int SeqLength() const;
+	int PayloadLength() const;
+
+	int FINScheduled() const	{ return FIN_scheduled; }
+	void ScheduleFIN(int fin = 1)	{ FIN_scheduled = fin; }
+
+	int OnHold() const	{ return on_hold; }
+	void SetOnHold(int x)	{ on_hold = x; }
+
+	int HasReservedSlot() const	{ return has_reserved_slot; }
+	void AddReservedSlot()		{ ++has_reserved_slot; }
+
+	int PredictedAsEmptyPlaceHolder() const
+		{ return predicted_as_empty_place_holder; }
+	void PredictAsEmptyPlaceHolder()
+		{ predicted_as_empty_place_holder = 1; }
+
+	// Whether the ACK on this packet confirms a content gap on
+	// the opposite direction.
+	int SeqGap() const	{ return seq_gap; }
+	void SetSeqGap(int len)	{ seq_gap = len; }
+
+	int PacketSeq() const		{ return packet_seq; }
+	TCP_Rewriter* TraceRewriter() const	{ return trace_rewriter; }
+
+	RecordVal* PacketVal();
+	void Describe(ODesc* d) const	{ packet_val->Describe(d); }
+
+protected:
+	int Append(const u_char* chunk, int len);
+
+	RecordVal* packet_val;
+	TCP_Rewriter* trace_rewriter;
+	double timestamp;
+	int packet_seq;
+	int is_orig;
+	struct pcap_pkthdr pcap_hdr;
+	int mtu;
+	u_char* pkt;	// of maximal length MTU
+	int ip_offset, tcp_offset, data_offset;
+	int buffer_size;
+	int buffer_offset;
+	int reuse;	// whether it is an artificially replicated packet
+	int FIN_scheduled;
+	int on_hold;	// do not dump it in Flush()
+	int seq_gap;
+	int has_reserved_slot;
+	int predicted_as_empty_place_holder;
+};
+
+// How a unidirectional flow ends.
+#define	END_BY_FIN	1
+#define	END_BY_RST	2
+#define	END_BY_PEER_RST	4
+
+class TCP_RewriterEndpoint {
+public:
+	TCP_RewriterEndpoint(TCP_Rewriter* rewriter);
+	~TCP_RewriterEndpoint();
+
+	void Init();
+
+	// A packet that contains a TCP segment.
+	void NextPacket(TCP_TracePacket* p);
+	void WriteData(int len, const u_char* data);
+	void SkipGap(int len);
+
+	void Push();
+	void ReqAck();
+	void Flush();
+	void Reset(int self);
+
+	uint32 NextSeq() const	{ return next_seq; }
+	int HasPacket() const	{ return next_packet != 0; }
+	inline TCP_Analyzer* Analyzer() const;
+
+protected:
+	TCP_Rewriter* rewriter;		// TCP rewriter for the connection
+	TCP_RewriterEndpoint* peer;	// the peer TCP rewriter endpoint
+	TCP_Endpoint* endp;		// the corresponding TCP endpoint
+
+	TCP_TracePacket* next_packet;
+	std::queue<BroString*> prolog;
+
+	double last_packet_time;
+	uint32 start_seq;	// start seq -- sent in SYN
+	uint32 next_seq;	// seq of next packet
+	uint32 last_ack;	// last acknowledgement seq
+
+	int please_flush;
+	int flush_scheduled;
+	int flushed;
+	int established;
+	int end_of_data;	// is it really useful?
+	int there_is_a_gap;
+
+	// Move onto the next packet header.
+	void SetNextPacket(TCP_TracePacket* p);
+
+	void PurgeProlog();
+
+	// Pour data into the current packet (next_packet).
+	void DoWriteData(int len, const u_char* data);
+
+	// Push the current packet (next_packet) to dumper.
+	void PushPacket();
+
+	// Please flush this endpoint after draining events.
+	void ScheduleFlush();
+
+	void GenerateFIN();
+
+	// Whether the packet is a "place holder" packet, i.e. it's
+	// harmless to omit the packet (except missing the timestamp
+	// it contains).
+	int IsPlaceHolderPacket(TCP_TracePacket* p);
+
+	void Weird(const char* name) const;
+};
+
+class TCP_RewriteSlot {
+public:
+	TCP_RewriteSlot(TCP_TracePacket* p, unsigned int slot_number);
+
+	void WriteData(int is_orig, int len, const u_char* data);
+
+	void Dump();
+
+	unsigned int Number() const	{ return slot_number; }
+	TCP_TracePacket* Packet() const	{ return packet; }
+
+	bool isEmpty() const	{ return buf.empty(); }
+protected:
+	TCP_Rewriter* rewriter;
+	TCP_TracePacket* packet;
+	unsigned int slot_number;
+	std::queue<BroString*> buf;
+};
+
+class TCP_Rewriter : public Rewriter {
+public:
+	TCP_Rewriter(TCP_Analyzer* analyzer, PacketDumper* dumper, int MTU,
+			int wait_for_commitment = 0);
+	virtual ~TCP_Rewriter();
+	virtual void Done();
+	void Funeral();
+
+	// Phase 1 methods: called in packet processing.
+
+	// A TCP/IP packet.
+	void NextPacket(int is_orig, double t,
+			const struct pcap_pkthdr* pcap_hdr,
+			const u_char* pcap_pkt,	// link level header
+			int hdr_size,		// link level header size
+			const struct ip* ip,
+			const struct tcphdr* tp);
+	void ContentGap(int is_orig, int len);
+	void ScheduleFIN(int is_orig);
+
+
+	// Phase 2 methods: called in event processing.
+
+	void WriteData(int is_orig, int len, const u_char* data);
+	void WriteData(int is_orig, const char* data)
+		{ WriteData(is_orig, strlen(data), data); }
+	void WriteData(int is_orig, int len, const char* data)
+		{ WriteData(is_orig, len, (const u_char*) data); }
+	void WriteData(int is_orig, const BroString* str)
+		{ WriteData(is_orig, str->Len(), str->Bytes()); }
+	void WriteData(int is_orig, StringVal* str)
+		{ WriteData(is_orig, str->AsString()); }
+	void Push(int is_orig);
+
+	// When wait_for_commitment = 1, packets are not dumped until
+	//   CommitPackets().
+	// When apply_to_future = 1, the same decision holds for future
+	//   packets as well.
+	//
+	// Regarding why AbortPackets() takes an apply_to_future flag:
+	//
+	//	The model is that there can be multiple commit/abort stages
+	//	during the course of a connection.  At the end of each
+	//	stage, a commit or abort decision is made for packets
+	//	generated during the stage.  A possible scenario is that
+	//	user may want to delete a middle part of a conversation
+	//	while keeping the parts before and after intact, and cannot
+	//	make the decision until the end of the middle part.
+
+	void AbortPackets(int apply_to_future);
+	void CommitPackets(int apply_to_future);
+
+	unsigned int ReserveSlot();
+	int SeekSlot(unsigned int slot);
+	int ReturnFromSlot();
+	int ReleaseSlot(unsigned int slot);
+
+	// Do not anonymize client/server IP address
+	int LeaveAddrInTheClear(int is_orig);
+
+
+	// Phase 3 methods: called in flushing after events.
+	// (None, because flushing is done through accessing endpoints directly.)
+
+	// Other methods.
+
+	void DumpPacket(TCP_RewriterEndpoint* endp, TCP_TracePacket* p);
+
+	void Weird(const char* name) const	{ analyzer->Weird(name); }
+	TCP_Analyzer* Analyzer() const	{ return analyzer; }
+
+	TCP_Endpoint* GetEndpoint(TCP_RewriterEndpoint* endp);
+	TCP_RewriterEndpoint* GetPeer(TCP_RewriterEndpoint* endp);
+
+	TracePacket* CurrentPacket() const	{ return current_packet; }
+	TracePacket* RewritePacket() const	{ return next_packet; }
+
+	// Needs to be static because it's passed as a pointer-to-function
+	// rather than pointer-to-member-function.
+	static int RewriteTCPOption(unsigned int opt, unsigned int optlen,
+				const u_char* option, TCP_Analyzer* analyzer,
+				bool is_orig, void* cookie);
+
+protected:
+	// Under normal circumstances, we always rewrite into the
+	// "current packet" of the connection. However, sometimes we'd
+	// want to look a few packets ahead before deciding what to
+	// rewrite, in which case we may use {hold,release}_packet to
+	// specify the packet we are writing to.
+
+	// rewrite_packet (next_packet) always equals to
+	// current_packet under *normal mode*. hold_packet(p) dumps
+	// all packets *before* p, fixes rewrite_packet at p and turns
+	// the connection into *look-ahead* mode. Under look-ahead
+	// mode, release_packet(c) dumps all packets of on hold
+	// connection and makes the connection returns to normal mode
+	// so that rewrite_packet changes along with current_packet.
+
+	// When a packet is held, it is illegal to write to packets on
+	// the other half of the connection.
+
+	// Release next_packet
+	void ReleaseNextPacket();
+
+	// Hold packet p and release all packets before p.
+	void HoldPacket(TCP_TracePacket* p);
+
+	// Release all packets on hold and dump all the packets except
+	// the last one, which will be flushed at the end of the event.
+	void ReleasePacketsOnHold();
+
+	void CleanUpEmptyPlaceHolders();
+	void DoWriteData(int is_orig, int len, const u_char* data);
+
+	TCP_RewriterEndpoint* Endp(int is_orig) const
+		{ return is_orig ? orig : resp; }
+
+	TCP_Analyzer* analyzer;
+	PacketDumper* dumper;
+	TCP_RewriterEndpoint* orig;
+	TCP_RewriterEndpoint* resp;
+	int MTU;
+	int wait_for_commitment;
+	int discard_packets;
+	std::queue<char*> uncommited_packet_queue;
+	int next_packet_seq;
+	int packets_rewritten;
+	ipaddr32_t anon_addr[2];
+	int pending_content_gap;
+
+	TCP_TracePacket* current_packet;
+	TCP_TracePacket* next_packet;
+	std::deque<TCP_TracePacket*> packets_on_hold;
+	int holding_packets;
+
+	TCP_RewriteSlot* current_slot;
+	TCP_RewriteSlot* first_slot;
+	TCP_RewriteSlot* last_slot;
+	std::deque<TCP_RewriteSlot*> slot_queue;
+	typedef map<unsigned int, TCP_RewriteSlot*> slot_map_t;
+	slot_map_t reserved_slots;
+	int highest_slot_number;
+
+	TCP_RewriteSlot* add_slot();
+	TCP_RewriteSlot* find_slot(unsigned int slot);
+
+	friend class TCP_RewriteSlot;
+	int answered[2];
+};
+
+inline TCP_Analyzer* TCP_RewriterEndpoint::Analyzer() const
+	{
+	return rewriter->Analyzer();
+	}
+
+// "Please flush the rewriter endpoint after event processing."
+extern void schedule_flush(TCP_RewriterEndpoint* endp);
+
+// "Please call rewriter->Funeral() after event processing."
+extern void schedule_funeral(TCP_Rewriter* rewriter);
+
+extern void flush_rewriter_packet();
+
+class TCP_SourcePacket {
+public:
+	TCP_SourcePacket(const struct pcap_pkthdr* pcap_hdr, const u_char* pcap_pkt);
+	~TCP_SourcePacket();
+
+	int Len() const	{ return hdr.caplen; }
+	const u_char* Pkt() const	{ return pkt; }
+	const struct pcap_pkthdr* Hdr() const	{ return &hdr; }
+
+protected:
+	struct pcap_pkthdr hdr;
+	u_char* pkt;
+};
+
+// Write selected original packets to the trace
+class TCP_SourcePacketWriter {
+public:
+	TCP_SourcePacketWriter(TCP_Analyzer* /* analyzer */,
+				PacketDumper* arg_dumper);
+	~TCP_SourcePacketWriter();
+
+	void NextPacket(const struct pcap_pkthdr* pcap_hdr,
+				const u_char* pcap_pkt);
+	void Dump();
+	void Abort();
+
+protected:
+	PacketDumper* dumper;
+	std::queue<TCP_SourcePacket*> source_packets;
+	void Purge(bool dump);
+};
+
+extern TCP_SourcePacketWriter* get_src_pkt_writer(TCP_Analyzer* analyzer);
+
+#endif
diff --git a/src/Telnet.cc b/src/Telnet.cc
new file mode 100644
index 0000000000..91151fe735
--- /dev/null
+++ b/src/Telnet.cc
@@ -0,0 +1,22 @@
+// $Id: Telnet.cc 6219 2008-10-01 05:39:07Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "config.h"
+
+#include "Telnet.h"
+#include "NVT.h"
+
+Telnet_Analyzer::Telnet_Analyzer(Connection* conn)
+: Login_Analyzer(AnalyzerTag::Telnet, conn)
+	{
+	NVT_Analyzer* nvt_orig = new NVT_Analyzer(conn, true);
+	NVT_Analyzer* nvt_resp = new NVT_Analyzer(conn, false);
+
+	nvt_resp->SetPeer(nvt_orig);
+	nvt_orig->SetPeer(nvt_resp);
+
+	AddSupportAnalyzer(nvt_orig);
+	AddSupportAnalyzer(nvt_resp);
+	}
+
diff --git a/src/Telnet.h b/src/Telnet.h
new file mode 100644
index 0000000000..89150bcbc7
--- /dev/null
+++ b/src/Telnet.h
@@ -0,0 +1,25 @@
+// $Id: Telnet.h 6219 2008-10-01 05:39:07Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#ifndef telnet_h
+#define telnet_h
+
+#include "Login.h"
+
+class Telnet_Analyzer : public Login_Analyzer {
+public:
+	Telnet_Analyzer(Connection* conn);
+	virtual ~Telnet_Analyzer()	{}
+
+	static Analyzer* InstantiateAnalyzer(Connection* conn)
+		{ return new Telnet_Analyzer(conn); }
+
+	static bool Available()
+		{
+		return login_failure || login_success ||
+			login_input_line || login_output_line;
+		}
+};
+
+#endif
diff --git a/src/Timer.cc b/src/Timer.cc
new file mode 100644
index 0000000000..1349d1d488
--- /dev/null
+++ b/src/Timer.cc
@@ -0,0 +1,263 @@
+// $Id: Timer.cc 6219 2008-10-01 05:39:07Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "config.h"
+
+#include "util.h"
+#include "Timer.h"
+#include "Desc.h"
+#include "Serializer.h"
+
+// Names of timers in same order than in TimerType.
+const char* TimerNames[] = {
+	"BackdoorTimer",
+	"BreakpointTimer",
+	"ConnectionDeleteTimer",
+	"ConnectionExpireTimer",
+	"ConnectionInactivityTimer",
+	"ConnectionStatusUpdateTimer",
+	"DNSExpireTimer",
+	"FragTimer",
+	"IncrementalSendTimer",
+	"IncrementalWriteTimer",
+	"InterconnTimer",
+	"NetbiosExpireTimer",
+	"NetworkTimer",
+	"NTPExpireTimer",
+	"ProfileTimer",
+	"RotateTimer",
+	"RemoveConnection",
+	"RPCExpireTimer",
+	"ScheduleTimer",
+	"TableValTimer",
+	"TCPConnectionAttemptTimer",
+	"TCPConnectionDeleteTimer",
+	"TCPConnectionExpireTimer",
+	"TCPConnectionPartialClose",
+	"TCPConnectionResetTimer",
+	"TriggerTimer",
+	"TimerMgrExpireTimer",
+};
+
+const char* timer_type_to_string(TimerType type)
+	{
+	return TimerNames[type];
+	}
+
+void Timer::Describe(ODesc* d) const
+	{
+	d->Add(TimerNames[type]);
+	d->Add(" at " );
+	d->Add(Time());
+	}
+
+bool Timer::Serialize(SerialInfo* info) const
+	{
+	return SerialObj::Serialize(info);
+	}
+
+Timer* Timer::Unserialize(UnserialInfo* info)
+	{
+	Timer* timer = (Timer*) SerialObj::Unserialize(info, SER_TIMER);
+	if ( ! timer )
+		return 0;
+
+	timer_mgr->Add(timer);
+
+	return timer;
+	}
+
+bool Timer::DoSerialize(SerialInfo* info) const
+	{
+	DO_SERIALIZE(SER_TIMER, SerialObj);
+	char tmp = type;
+	return SERIALIZE(tmp) && SERIALIZE(time);
+	}
+
+bool Timer::DoUnserialize(UnserialInfo* info)
+	{
+	DO_UNSERIALIZE(SerialObj);
+
+	char tmp;
+	if ( ! UNSERIALIZE(&tmp) )
+		return false;
+	type = tmp;
+
+	return UNSERIALIZE(&time);
+	}
+
+unsigned int TimerMgr::current_timers[NUM_TIMER_TYPES];
+
+TimerMgr::~TimerMgr()
+	{
+	DBG_LOG(DBG_TM, "deleting timer mgr %p", this);
+	}
+
+int TimerMgr::Advance(double arg_t, int max_expire)
+	{
+	DBG_LOG(DBG_TM, "advancing %stimer mgr %p to %.6f",
+		this == timer_mgr ? "global " : "", this, arg_t);
+
+	t = arg_t;
+	last_timestamp = 0;
+	num_expired = 0;
+	last_advance = timer_mgr->Time();
+
+	return DoAdvance(t, max_expire);
+	}
+
+
+PQ_TimerMgr::PQ_TimerMgr(const Tag& tag) : TimerMgr(tag)
+	{
+	q = new PriorityQueue;
+	}
+
+PQ_TimerMgr::~PQ_TimerMgr()
+	{
+	delete q;
+	}
+
+void PQ_TimerMgr::Add(Timer* timer)
+	{
+	DBG_LOG(DBG_TM, "Adding timer %s to TimeMgr %p",
+			timer_type_to_string(timer->Type()), this);
+
+	// Add the timer even if it's already expired - that way, if
+	// multiple already-added timers are added, they'll still
+	// execute in sorted order.
+	if ( ! q->Add(timer) )
+		internal_error("out of memory");
+
+	++current_timers[timer->Type()];
+	}
+
+void PQ_TimerMgr::Expire()
+	{
+	Timer* timer;
+	while ( (timer = Remove()) )
+		{
+		DBG_LOG(DBG_TM, "Dispatching timer %s in TimeMgr %p",
+				timer_type_to_string(timer->Type()), this);
+		timer->Dispatch(t, 1);
+		--current_timers[timer->Type()];
+		delete timer;
+		}
+	}
+
+int PQ_TimerMgr::DoAdvance(double new_t, int max_expire)
+	{
+	Timer* timer = Top();
+	for ( num_expired = 0; (num_expired < max_expire || max_expire == 0) &&
+		     timer && timer->Time() <= new_t; ++num_expired )
+		{
+		last_timestamp = timer->Time();
+		--current_timers[timer->Type()];
+
+		// Remove it before dispatching, since the dispatch
+		// can otherwise delete it, and then we won't know
+		// whether we should delete it too.
+		(void) Remove();
+
+		DBG_LOG(DBG_TM, "Dispatching timer %s in TimeMgr %p",
+				timer_type_to_string(timer->Type()), this);
+		timer->Dispatch(new_t, 0);
+		delete timer;
+
+		timer = Top();
+		}
+
+	return num_expired;
+	}
+
+void PQ_TimerMgr::Remove(Timer* timer)
+	{
+	if ( ! q->Remove(timer) )
+		internal_error("asked to remove a missing timer");
+
+	--current_timers[timer->Type()];
+	delete timer;
+	}
+
+CQ_TimerMgr::CQ_TimerMgr(const Tag& tag) : TimerMgr(tag)
+	{
+	cq = cq_init(60.0, 1.0);
+	if ( ! cq )
+		internal_error("could not initialize calendar queue");
+	}
+
+CQ_TimerMgr::~CQ_TimerMgr()
+	{
+	cq_destroy(cq);
+	}
+
+void CQ_TimerMgr::Add(Timer* timer)
+	{
+	DBG_LOG(DBG_TM, "Adding timer %s to TimeMgr %p",
+			timer_type_to_string(timer->Type()), this);
+
+	// Add the timer even if it's already expired - that way, if
+	// multiple already-added timers are added, they'll still
+	// execute in sorted order.
+	double t = timer->Time();
+
+	if ( t <= 0.0 )
+		// Illegal time, which cq_enqueue won't like.  For our
+		// purposes, just treat it as an old time that's already
+		// expired.
+		t = network_time;
+
+	if ( cq_enqueue(cq, t, timer) < 0 )
+		internal_error("problem queueing timer");
+
+	++current_timers[timer->Type()];
+	}
+
+void CQ_TimerMgr::Expire()
+	{
+	double huge_t = 1e20;	// larger than any Unix timestamp
+	for ( Timer* timer = (Timer*) cq_dequeue(cq, huge_t);
+	      timer; timer = (Timer*) cq_dequeue(cq, huge_t) )
+		{
+		DBG_LOG(DBG_TM, "Dispatching timer %s in TimeMgr %p",
+				timer_type_to_string(timer->Type()), this);
+		timer->Dispatch(huge_t, 1);
+		--current_timers[timer->Type()];
+		delete timer;
+		}
+	}
+
+int CQ_TimerMgr::DoAdvance(double new_t, int max_expire)
+	{
+	Timer* timer;
+	while ( (num_expired < max_expire || max_expire == 0) &&
+		(timer = (Timer*) cq_dequeue(cq, new_t)) )
+		{
+		last_timestamp = timer->Time();
+		DBG_LOG(DBG_TM, "Dispatching timer %s in TimeMgr %p",
+				timer_type_to_string(timer->Type()), this);
+		timer->Dispatch(new_t, 0);
+		--current_timers[timer->Type()];
+		delete timer;
+		++num_expired;
+		}
+
+	return num_expired;
+	}
+
+unsigned int CQ_TimerMgr::MemoryUsage() const
+	{
+	// FIXME.
+	return 0;
+	}
+
+void CQ_TimerMgr::Remove(Timer* timer)
+	{
+	// This may fail if we cancel a timer which has already been removed.
+	// That's ok, but then we mustn't delete the timer.
+	if ( cq_remove(cq, timer->Time(), timer) )
+		{
+		--current_timers[timer->Type()];
+		delete timer;
+		}
+	}
diff --git a/src/Timer.h b/src/Timer.h
new file mode 100644
index 0000000000..c98aeefc22
--- /dev/null
+++ b/src/Timer.h
@@ -0,0 +1,184 @@
+// $Id: Timer.h 6219 2008-10-01 05:39:07Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#ifndef timer_h
+#define timer_h
+
+#include <string>
+
+#include <string>
+#include "SerialObj.h"
+#include "PriorityQueue.h"
+
+extern "C" {
+#include "cq.h"
+}
+
+// If you add a timer here, adjust TimerNames in Timer.cc.
+enum TimerType {
+	TIMER_BACKDOOR,
+	TIMER_BREAKPOINT,
+	TIMER_CONN_DELETE,
+	TIMER_CONN_EXPIRE,
+	TIMER_CONN_INACTIVITY,
+	TIMER_CONN_STATUS_UPDATE,
+	TIMER_DNS_EXPIRE,
+	TIMER_FRAG,
+	TIMER_INCREMENTAL_SEND,
+	TIMER_INCREMENTAL_WRITE,
+	TIMER_INTERCONN,
+	TIMER_NB_EXPIRE,
+	TIMER_NETWORK,
+	TIMER_NTP_EXPIRE,
+	TIMER_PROFILE,
+	TIMER_ROTATE,
+	TIMER_REMOVE_CONNECTION,
+	TIMER_RPC_EXPIRE,
+	TIMER_SCHEDULE,
+	TIMER_TABLE_VAL,
+	TIMER_TCP_ATTEMPT,
+	TIMER_TCP_DELETE,
+	TIMER_TCP_EXPIRE,
+	TIMER_TCP_PARTIAL_CLOSE,
+	TIMER_TCP_RESET,
+	TIMER_TRIGGER,
+	TIMER_TIMERMGR_EXPIRE,
+};
+const int NUM_TIMER_TYPES = int(TIMER_TIMERMGR_EXPIRE) + 1;
+
+extern const char* timer_type_to_string(TimerType type);
+
+class Serializer;
+class ODesc;
+
+class Timer : public SerialObj, public PQ_Element {
+public:
+	Timer(double t, TimerType arg_type) : PQ_Element(t)
+		{ type = (char) arg_type; }
+	virtual ~Timer()	{ }
+
+	TimerType Type() const	{ return (TimerType) type; }
+
+	// t gives the dispatch time.  is_expire is true if the
+	// timer is being dispatched because we're expiring all
+	// pending timers.
+	virtual void Dispatch(double t, int is_expire) = 0;
+
+	void Describe(ODesc* d) const;
+
+	bool Serialize(SerialInfo* info) const;
+	static Timer* Unserialize(UnserialInfo* info);
+
+protected:
+	Timer()	{}
+
+	DECLARE_ABSTRACT_SERIAL(Timer);
+
+	unsigned int type:8;
+};
+
+class TimerMgr {
+public:
+	virtual ~TimerMgr();
+
+	virtual void Add(Timer* timer) = 0;
+
+	// Advance the clock to time t, expiring at most max_expire timers.
+	// Returns number of timers expired.
+	int Advance(double t, int max_expire);
+
+	// Returns the number of timers expired (so far) during the current
+	// or most recent advance.
+	int NumExpiredDuringCurrentAdvance()	{ return num_expired; }
+
+	// Expire all timers.
+	virtual void Expire() = 0;
+
+	// Cancel() is a method separate from Remove because
+	// (1) Remove is protected, but, more importantly, (2) in some
+	// timer schemes we have wound up separating timer cancelation
+	// from removing it from the manager's data structures, because
+	// the manager lacked an efficient way to find it.
+	void Cancel(Timer* timer)	{ Remove(timer); }
+
+	double Time() const		{ return t ? t : 1; }	// 1 > 0
+
+ 	typedef std::string Tag;
+ 	const Tag& GetTag() const 	{ return tag; }
+
+	virtual int Size() const = 0;
+	virtual int PeakSize() const = 0;
+
+	double LastTimestamp() const	{ return last_timestamp; }
+	// Returns time of last advance in global network time.
+	double LastAdvance() const	{ return last_advance; }
+	
+	static unsigned int* CurrentTimers()	{ return current_timers; }
+
+protected:
+ 	TimerMgr(const Tag& arg_tag)
+ 		{
+ 		t = 0.0;
+ 		num_expired = 0;
+ 		last_advance = last_timestamp = 0;
+ 		tag = arg_tag;
+ 		}
+
+	virtual int DoAdvance(double t, int max_expire) = 0;
+	virtual void Remove(Timer* timer) = 0;
+
+	double t;
+	double last_timestamp;
+	double last_advance;
+	Tag tag;
+
+	int num_expired;
+
+	static unsigned int current_timers[NUM_TIMER_TYPES];
+};
+
+class PQ_TimerMgr : public TimerMgr {
+public:
+	PQ_TimerMgr(const Tag& arg_tag);
+	~PQ_TimerMgr();
+
+	void Add(Timer* timer);
+	void Expire();
+
+	int Size() const	{ return q->Size(); }
+	int PeakSize() const	{ return q->PeakSize(); }
+	unsigned int MemoryUsage() const;
+
+protected:
+	int DoAdvance(double t, int max_expire);
+	void Remove(Timer* timer);
+
+	Timer* Remove()			{ return (Timer*) q->Remove(); }
+	Timer* Top()			{ return (Timer*) q->Top(); }
+
+	PriorityQueue* q;
+};
+
+class CQ_TimerMgr : public TimerMgr {
+public:
+	CQ_TimerMgr(const Tag& arg_tag);
+	~CQ_TimerMgr();
+
+	void Add(Timer* timer);
+	void Expire();
+
+	int Size() const	{ return cq_size(cq); }
+	int PeakSize() const	{ return cq_max_size(cq); }
+	unsigned int MemoryUsage() const;
+
+protected:
+	int DoAdvance(double t, int max_expire);
+	void Remove(Timer* timer);
+
+	struct cq_handle *cq;
+};
+
+extern TimerMgr* timer_mgr;
+
+#endif
diff --git a/src/Traverse.cc b/src/Traverse.cc
new file mode 100644
index 0000000000..733ceb450c
--- /dev/null
+++ b/src/Traverse.cc
@@ -0,0 +1,21 @@
+// $Id: Traverse.cc 6219 2008-10-01 05:39:07Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "Scope.h"
+#include "Traverse.h"
+#include "input.h"
+
+TraversalCode traverse_all(TraversalCallback* cb)
+	{
+	if ( ! global_scope() )
+		return TC_CONTINUE;
+
+	cb->current_scope = global_scope();
+
+	TraversalCode tc = global_scope()->Traverse(cb);
+
+	HANDLE_TC_STMT_PRE(tc);
+	tc = stmts->Traverse(cb);
+	HANDLE_TC_STMT_POST(tc);
+	}
diff --git a/src/Traverse.h b/src/Traverse.h
new file mode 100644
index 0000000000..ea300fad18
--- /dev/null
+++ b/src/Traverse.h
@@ -0,0 +1,44 @@
+// $Id: Traverse.h 6219 2008-10-01 05:39:07Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#ifndef traverse_h
+#define traverse_h
+
+#include "Obj.h"
+#include "Stmt.h"
+#include "Expr.h"
+#include "ID.h"
+#include "Scope.h"
+
+#include "TraverseTypes.h"
+
+class TraversalCallback {
+public:
+	TraversalCallback()	{ current_scope = 0; }
+	virtual ~TraversalCallback() {}
+
+	virtual TraversalCode PreFunction(const Func*) { return TC_CONTINUE; }
+	virtual TraversalCode PostFunction(const Func*) { return TC_CONTINUE; }
+
+	virtual TraversalCode PreStmt(const Stmt*) { return TC_CONTINUE; }
+	virtual TraversalCode PostStmt(const Stmt*) { return TC_CONTINUE; }
+
+	virtual TraversalCode PreExpr(const Expr*) { return TC_CONTINUE; }
+	virtual TraversalCode PostExpr(const Expr*) { return TC_CONTINUE; }
+
+	virtual TraversalCode PreID(const ID*) { return TC_CONTINUE; }
+	virtual TraversalCode PostID(const ID*) { return TC_CONTINUE; }
+
+	virtual TraversalCode PreTypedef(const ID*) { return TC_CONTINUE; }
+	virtual TraversalCode PostTypedef(const ID*) { return TC_CONTINUE; }
+
+	virtual TraversalCode PreDecl(const ID*) { return TC_CONTINUE; }
+	virtual TraversalCode PostDecl(const ID*) { return TC_CONTINUE; }
+
+	Scope* current_scope;
+};
+
+TraversalCode traverse_all(TraversalCallback* cb);
+
+#endif
diff --git a/src/TraverseTypes.h b/src/TraverseTypes.h
new file mode 100644
index 0000000000..0cba17a5a9
--- /dev/null
+++ b/src/TraverseTypes.h
@@ -0,0 +1,41 @@
+// $Id: TraverseTypes.h 6219 2008-10-01 05:39:07Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#ifndef statictypes_h
+#define statictypes_h
+
+enum TraversalCode {
+	TC_CONTINUE = 0,
+	TC_ABORTALL = 1,
+	TC_ABORTSTMT = 2,
+};
+
+#define HANDLE_TC_STMT_PRE(code) \
+	{ \
+	if ( (code) == TC_ABORTALL || (code) == TC_ABORTSTMT ) \
+		return (code); \
+	}
+
+#define HANDLE_TC_STMT_POST(code) \
+	{ \
+	if ( (code) == TC_ABORTALL ) \
+		return (code); \
+	else if ( (code) == TC_ABORTSTMT ) \
+		return TC_CONTINUE; \
+	else \
+		return (code); \
+	}
+
+#define HANDLE_TC_EXPR_PRE(code) \
+	{ \
+	if ( (code) != TC_CONTINUE ) \
+		return (code); \
+	}
+
+#define HANDLE_TC_EXPR_POST(code) \
+	return (code);
+
+class TraversalCallback;
+
+#endif
diff --git a/src/Trigger.cc b/src/Trigger.cc
new file mode 100644
index 0000000000..c9e236f1fa
--- /dev/null
+++ b/src/Trigger.cc
@@ -0,0 +1,411 @@
+// $Id: Trigger.cc 2359 2005-12-21 23:55:32Z vern $
+
+#include <algorithm>
+
+#include "Trigger.h"
+#include "Traverse.h"
+
+// Callback class to traverse an expression, registering all relevant IDs and
+// Vals for change notifications.
+
+class TriggerTraversalCallback : public TraversalCallback {
+public:
+	TriggerTraversalCallback(Trigger *arg_trigger)
+		{ Ref(arg_trigger); trigger = arg_trigger; }
+
+	~TriggerTraversalCallback()
+		{ Unref(trigger); }
+
+	virtual TraversalCode PreExpr(const Expr*);
+
+private:
+	Trigger* trigger;
+};
+
+TraversalCode TriggerTraversalCallback::PreExpr(const Expr* expr)
+	{
+	// We catch all expressions here which in some way reference global
+	// state.
+
+	switch ( expr->Tag() ) {
+	case EXPR_NAME:
+		{
+		const NameExpr* e = static_cast<const NameExpr*>(expr);
+		if ( e->Id()->IsGlobal() )
+			trigger->Register(e->Id());
+
+		Val* v = e->Id()->ID_Val();
+		if ( v && v->IsMutableVal() )
+			trigger->Register(v);
+		break;
+		};
+
+	case EXPR_INDEX:
+		{
+		const IndexExpr* e = static_cast<const IndexExpr*>(expr);
+		BroObj::SuppressRunTimeErrors no_errors;
+		Val* v = e->Eval(trigger->frame);
+		if ( v )
+			trigger->Register(v);
+		break;
+		}
+
+	default:
+		// All others are uninteresting.
+		break;
+	}
+
+	return TC_CONTINUE;
+	}
+
+class TriggerTimer : public Timer {
+public:
+	TriggerTimer(double arg_timeout, Trigger* arg_trigger)
+	: Timer(network_time + arg_timeout, TIMER_TRIGGER)
+		{
+		Ref(arg_trigger);
+		trigger = arg_trigger;
+		timeout = arg_timeout;
+		time = network_time;
+		}
+
+	~TriggerTimer()
+		{ Unref(trigger); }
+
+	void Dispatch(double t, int is_expire)
+		{
+		// The network_time may still have been zero when the
+		// timer was instantiated.  In this case, it fires
+		// immediately and we simply restart it.
+		if ( time )
+			trigger->Timeout();
+		else
+			{
+			TriggerTimer* timer = new TriggerTimer(timeout, trigger);
+			timer_mgr->Add(timer);
+			trigger->timer = timer;
+			}
+		}
+
+protected:
+	Trigger* trigger;
+	double timeout;
+	double time;
+};
+
+Trigger::Trigger(Expr* arg_cond, Stmt* arg_body, Stmt* arg_timeout_stmts,
+			Expr* arg_timeout, Frame* arg_frame,
+			bool arg_is_return, const Location* arg_location)
+	{
+	if ( ! pending )
+		pending = new list<Trigger*>;
+
+	cond = arg_cond;
+	body = arg_body;
+	timeout_stmts = arg_timeout_stmts;
+	timeout = arg_timeout;
+	frame = arg_frame->Clone();
+	timer = 0;
+	delayed = false;
+	disabled = false;
+	attached = 0;
+	is_return = arg_is_return;
+	location = arg_location;
+
+	DBG_LOG(DBG_NOTIFIERS, "%s: instantiating", Name());
+
+	if ( is_return )
+		{
+		Trigger* parent = frame->GetTrigger();
+		if ( ! parent )
+			{
+			run_time("return trigger in context which does not allow delaying result");
+			Unref(this);
+			return;
+			}
+
+		parent->Attach(this);
+		arg_frame->SetDelayed();
+		}
+
+	Val* timeout = arg_timeout ? arg_timeout->ExprVal() : 0;
+
+	if ( ! Eval() && timeout )
+		{
+		timer = new TriggerTimer(timeout->AsInterval(), this);
+		timer_mgr->Add(timer);
+		}
+	}
+
+Trigger::~Trigger()
+	{
+	DBG_LOG(DBG_NOTIFIERS, "%s: deleting", Name());
+
+	for ( ValCache::iterator i = cache.begin(); i != cache.end(); ++i )
+		Unref(i->second);
+
+	Unref(frame);
+	UnregisterAll();
+
+	Unref(attached);
+	// Due to ref'counting, "this" cannot be part of pending at this
+	// point.
+	}
+
+void Trigger::Init()
+	{
+	assert(! disabled);
+	UnregisterAll();
+	TriggerTraversalCallback cb(this);
+	cond->Traverse(&cb);
+	}
+
+Trigger::TriggerList* Trigger::pending = 0;
+
+bool Trigger::Eval()
+	{
+	if ( disabled )
+		return true;
+
+	DBG_LOG(DBG_NOTIFIERS, "%s: evaluating", Name());
+
+	if ( delayed )
+		{
+		DBG_LOG(DBG_NOTIFIERS, "%s: skipping eval due to delayed call",
+				Name());
+		return false;
+		}
+
+	// It's unfortunate that we have to copy the frame again here but
+	// otherwise changes to any of the locals would propagate to later
+	// evaluations.
+	//
+	// An alternative approach to copying the frame would be to deep-copy
+	// the expression itself, replacing all references to locals with
+	// constants.
+	Frame* f = frame->Clone();
+	f->SetTrigger(this);
+	Val* v = cond->Eval(f);
+	f->ClearTrigger();
+
+	if ( f->HasDelayed() )
+		{
+		DBG_LOG(DBG_NOTIFIERS, "%s: eval has delayed", Name());
+		assert(!v);
+		Unref(f);
+		return false;
+		}
+
+	if ( v->IsZero() )
+		{
+		// Not true. Perhaps next time...
+		DBG_LOG(DBG_NOTIFIERS, "%s: trigger condition is false", Name());
+		Unref(v);
+		Unref(f);
+		Init();
+		return false;
+		}
+
+	DBG_LOG(DBG_NOTIFIERS, "%s: trigger condition is true, executing",
+			Name());
+
+	Unref(v);
+	stmt_flow_type flow;
+	v = body->Exec(f, flow);
+
+	if ( is_return )
+		{
+		Trigger* trigger = frame->GetTrigger();
+		assert(trigger);
+		assert(frame->GetCall());
+		assert(trigger->attached == this);
+
+#ifdef DEBUG
+		const char* pname = copy_string(trigger->Name());
+		DBG_LOG(DBG_NOTIFIERS, "%s: trigger has parent %s, caching result", Name(), pname);
+		delete [] pname;
+#endif
+
+		trigger->Cache(frame->GetCall(), v);
+		trigger->Release();
+		}
+
+	Unref(v);
+	Unref(f);
+
+	if ( timer )
+		timer_mgr->Cancel(timer);
+
+	Disable();
+	Unref(this);
+
+	return true;
+	}
+
+void Trigger::QueueTrigger(Trigger* trigger)
+	{
+	assert(! trigger->disabled);
+	assert(pending);
+	if ( std::find(pending->begin(), pending->end(), trigger) == pending->end() )
+		{
+		Ref(trigger);
+		pending->push_back(trigger);
+		}
+	}
+
+void Trigger::EvaluatePending()
+	{
+	DBG_LOG(DBG_NOTIFIERS, "evaluating all pending triggers");
+
+	if ( ! pending )
+		return;
+
+	// While we iterate over the list, executing statements, we may
+	// in fact trigger new triggers and thereby modify the list.
+	// Therefore, we create a new temporary list which will receive
+	// triggers triggered during this time.
+	TriggerList* orig = pending;
+	TriggerList tmp;
+	pending = &tmp;
+
+	for ( TriggerList::iterator i = orig->begin(); i != orig->end(); ++i )
+		{
+		Trigger* t = *i;
+		(*i)->Eval();
+		Unref(t);
+		}
+
+	pending = orig;
+	orig->clear();
+
+	// Sigh... Is this really better than a for-loop?
+	std::copy(tmp.begin(), tmp.end(),
+		insert_iterator<TriggerList>(*pending, pending->begin()));
+	}
+
+void Trigger::Timeout()
+	{
+	if ( disabled )
+		return;
+
+	DBG_LOG(DBG_NOTIFIERS, "%s: timeout", Name());
+	if ( timeout_stmts )
+		{
+		stmt_flow_type flow;
+		Frame* f = frame->Clone();
+		Val* v = timeout_stmts->Exec(f, flow);
+
+		if ( is_return )
+			{
+			Trigger* trigger = frame->GetTrigger();
+			assert(trigger);
+			assert(frame->GetCall());
+			assert(trigger->attached == this);
+
+#ifdef DEBUG
+			const char* pname = copy_string(trigger->Name());
+			DBG_LOG(DBG_NOTIFIERS, "%s: trigger has parent %s, caching timeout result", Name(), pname);
+			delete [] pname;
+#endif
+			trigger->Cache(frame->GetCall(), v);
+			trigger->Release();
+			}
+
+		Unref(v);
+		Unref(f);
+		}
+
+	Disable();
+	Unref(this);
+	}
+
+void Trigger::Register(ID* id)
+	{
+	assert(! disabled);
+	notifiers.Register(id, this);
+
+	Ref(id);
+	ids.insert(id);
+	}
+
+void Trigger::Register(Val* val)
+	{
+	assert(! disabled);
+	notifiers.Register(val, this);
+
+	Ref(val);
+	vals.insert(val);
+	}
+
+void Trigger::UnregisterAll()
+	{
+	loop_over_list(ids, i)
+		{
+		notifiers.Unregister(ids[i], this);
+		Unref(ids[i]);
+		}
+
+	ids.clear();
+
+	loop_over_list(vals, j)
+		{
+		notifiers.Unregister(vals[j], this);
+		Unref(vals[j]);
+		}
+
+	vals.clear();
+	}
+
+void Trigger::Attach(Trigger *trigger)
+	{
+	assert(! disabled);
+	assert(! trigger->disabled);
+	assert(! trigger->delayed);
+
+#ifdef DEBUG
+	const char* pname = copy_string(trigger->Name());
+	DBG_LOG(DBG_NOTIFIERS, "%s: attaching to %s", Name(), pname);
+	delete [] pname;
+#endif
+
+	Ref(trigger);
+	attached = trigger;
+	Hold();
+	}
+
+void Trigger::Cache(const CallExpr* expr, Val* v)
+	{
+	if ( disabled )
+		return;
+
+	ValCache::iterator i = cache.find(expr);
+
+	if ( i != cache.end() )
+		{
+		Unref(i->second);
+		i->second = v;
+		}
+
+	else
+		cache.insert(ValCache::value_type(expr, v));
+
+	Ref(v);
+
+	QueueTrigger(this);
+	}
+
+
+Val* Trigger::Lookup(const CallExpr* expr)
+	{
+	assert(! disabled);
+
+	ValCache::iterator i = cache.find(expr);
+	return (i != cache.end()) ? i->second : 0;
+	}
+
+const char* Trigger::Name()
+	{
+	assert(location);
+	return fmt("%s:%d-%d", location->filename,
+			location->first_line, location->last_line);
+	}
diff --git a/src/Trigger.h b/src/Trigger.h
new file mode 100644
index 0000000000..7f9931b033
--- /dev/null
+++ b/src/Trigger.h
@@ -0,0 +1,106 @@
+// $Id: Trigger.h 2359 2005-12-21 23:55:32Z vern $
+
+#ifndef TRIGGER_H
+#define TRIGGER_H
+
+#include <list>
+#include <map>
+
+#include "StateAccess.h"
+#include "Traverse.h"
+
+// Triggers are the heart of "when" statements: expressions that when
+// they become true execute a body of statements.
+
+class TriggerTimer;
+class TriggerTraversalCallback;
+
+class Trigger : public NotifierRegistry::Notifier, public BroObj {
+public:
+	// Don't access Trigger objects; they take care of themselves after
+	// instantiation.  Note that if the condition is already true, the
+	// statements are executed immediately and the object is deleted
+	// right away.
+	Trigger(Expr* cond, Stmt* body, Stmt* timeout_stmts, Expr* timeout,
+		Frame* f, bool is_return, const Location* loc);
+	~Trigger();
+
+	// Evaluates the condition. If true, executes the body and deletes
+	// the object deleted.
+	//
+	// Returns the state of condition.
+	bool Eval();
+
+	// Executes timeout code and deletes the object.
+	void Timeout();
+
+	// Called if another entity needs to complete its operations first
+	// in any case before this trigger can proceed.
+	void Hold()	{ delayed = true; }
+
+	// Complement of Hold().
+	void Release()	{ delayed = false; }
+
+	// If we evaluate to true, our return value will be passed on
+	// to the given trigger.  Note, automatically calls Hold().
+	void Attach(Trigger* trigger);
+
+	// Cache for return values of delayed function calls.
+	void Cache(const CallExpr* expr, Val* val);
+	Val* Lookup(const CallExpr*);
+
+	// Disable this trigger completely. Needed because Unref'ing the trigger
+	// may not immediately delete it as other references may still exist.
+	void Disable()	{ disabled = true; }
+
+	virtual void Describe(ODesc* d) const { d->Add("<trigger>"); }
+
+	// Overidden from Notifier.  We queue the trigger and evaluate it
+	// later to avoid race conditions.
+	virtual void Access(ID* id, const StateAccess& sa)
+		{ QueueTrigger(this); }
+	virtual void Access(Val* val, const StateAccess& sa)
+		{ QueueTrigger(this); }
+
+	virtual const char* Name();
+
+	static void QueueTrigger(Trigger* trigger);
+
+	// Evaluates all queued Triggers.
+	static void EvaluatePending();
+
+private:
+	friend class TriggerTraversalCallback;
+	friend class TriggerTimer;
+
+	void Init();
+	void DeleteTrigger();
+	void Register(ID* id);
+	void Register(Val* val);
+	void UnregisterAll();
+
+	Expr* cond;
+	Stmt* body;
+	Stmt* timeout_stmts;
+	Expr* timeout;
+	Frame* frame;
+	bool is_return;
+	const Location* location;
+
+	TriggerTimer* timer;
+	Trigger* attached;
+
+	bool delayed; // true if a function call is currently being delayed
+	bool disabled;
+
+	val_list vals;
+	id_list ids;
+
+	typedef map<const CallExpr*, Val*> ValCache;
+	ValCache cache;
+
+	typedef list<Trigger*> TriggerList;
+	static TriggerList* pending;
+};
+
+#endif
diff --git a/src/TwoWise.cc b/src/TwoWise.cc
new file mode 100644
index 0000000000..af86b1db71
--- /dev/null
+++ b/src/TwoWise.cc
@@ -0,0 +1,59 @@
+/* -*-  Mode:C++; c-basic-offset:8; tab-width:8; indent-tabs-mode:t -*- */
+// $Id: TwoWise.cc 1386 2005-09-14 21:42:13Z vern $
+//
+// Implementation of 2-wise independent hash functions.  Contributed
+// by Yin Zhang.
+//
+
+#include <stdlib.h>
+
+#include "TwoWise.h"
+
+TwoWise::TwoWise(int arg_dim)
+	{
+	dim = arg_dim;
+	int n = dim > 2 ? dim : 2;
+
+	a = new uint64[n];
+	b = new uint64[n];
+	c = new uint32[n];
+
+	for ( int i = 0; i < n; ++i )
+		{
+		a[i] = rand64bit() & ~(1ULL);
+		b[i] = rand64bit() & ~(1ULL);
+		c[i] = 0;
+		}
+
+	a0 = a[0];
+	b0 = b[0];
+	a1 = a[1];
+	b1 = b[1];
+	}
+
+TwoWise::~TwoWise()
+	{
+	delete[] a;
+	delete[] b;
+	delete[] c;
+	}
+
+void TwoWise::TestSpeed(uint32 N)
+	{
+	uint32 x = 0, i;
+
+	double start_time = current_time();
+	for ( i = 0; i < N; ++i )
+		x ^= Hash(i);
+	double end_time = current_time();
+	double time0 = end_time - start_time;
+
+	start_time = current_time();
+	for ( i = 0; i < N; ++i )
+		x ^= Hash(i, i);
+	end_time = current_time();
+	double time1 = end_time - start_time;
+
+	fprintf(stderr, "time0=%.6f time1=%.6f x=%u\n",
+		time0, time1, x);
+	}
diff --git a/src/TwoWise.h b/src/TwoWise.h
new file mode 100644
index 0000000000..08b8f8944a
--- /dev/null
+++ b/src/TwoWise.h
@@ -0,0 +1,92 @@
+/* -*-  Mode:C++; c-basic-offset:8; tab-width:8; indent-tabs-mode:t -*- */
+// $Id: TwoWise.h 2809 2006-04-23 20:26:07Z vern $
+//
+// Implementation of 2-wise independent hash functions.  Contributed
+// by Yin Zhang.
+//
+
+#ifndef twowise_h
+#define twowise_h
+
+#include "util.h"
+
+typedef union {
+	uint64 as_int64;
+	uint32 as_int32s[2];
+	uint32 as_int16s[4];
+} int64views;
+
+#ifdef WORDS_BIGENDIAN
+#define TOP32BITS(h) h.as_int32s[0]
+#else
+#define TOP32BITS(h) h.as_int32s[1]
+#endif
+
+typedef union {
+	uint32 as_int32;
+	uint16 as_int16s[2];
+	uint16 as_int8s[4];
+} int32views;
+
+class TwoWise {
+public:
+	TwoWise(int dim = 0);
+	~TwoWise();
+
+	uint32 Hash(uint32 k) const
+		{
+		int64views h;
+		h.as_int64 = a0*k + b0;
+		return TOP32BITS(h);
+		}
+
+	uint32 Hash(uint32 k0, uint32 k1) const
+		{
+		int64views h;
+		h.as_int64 = (a0*k0+b0) ^ (a1*k1+b1);
+		return TOP32BITS(h);
+		}
+
+	uint32 Hash(const uint32* k) const
+		{
+		int64views h;
+		h.as_int64 = (a0*k[0]+b0);
+
+		for ( int i = 1; i < dim; ++i )
+			h.as_int64 ^= (a[i]*k[i] + b[i]);
+
+		return TOP32BITS(h);
+		}
+
+	uint32 Hash(int size, const uint8* data) const
+		{
+		if ( size == 0 )
+			return 0;
+
+		// Copy data to c to resolve any potential alignment problem.
+		int num_words = (size + 3) >> 2;
+		c[num_words - 1] = 0;	// pad with 0
+		memcpy(c, data, size);
+
+		int64views h;
+		h.as_int64 = (a0*c[0]+b0);
+
+		for ( int i = 1; i < num_words; ++i )
+			h.as_int64 ^= (a[i]*c[i] + b[i]);
+
+		return TOP32BITS(h);
+		}
+
+	void TestSpeed(uint32 N = 1000000);
+
+private:
+
+	// Coefficients in Dietzfelbinger scheme.
+	uint64 a0, b0, a1, b1;	// for 1-d and 2-d case
+	uint64 *a, *b;		// for N-d case
+	uint32 *c;
+
+	int dim;
+};
+
+#endif // twowise_h
diff --git a/src/Type.cc b/src/Type.cc
new file mode 100644
index 0000000000..1f5c22d58b
--- /dev/null
+++ b/src/Type.cc
@@ -0,0 +1,1930 @@
+// $Id: Type.cc 6916 2009-09-24 20:48:36Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "config.h"
+
+#include "Type.h"
+#include "Attr.h"
+#include "Expr.h"
+#include "Scope.h"
+#include "Serializer.h"
+
+RecordType* init_global_attrs();
+
+bool in_global_attr_decl = false;
+RecordType* global_attributes_type = init_global_attrs();
+
+RecordType* init_global_attrs()
+	{
+	in_global_attr_decl = true;
+	RecordType* rt = new RecordType(new type_decl_list);
+	in_global_attr_decl = false;
+	rt->MakeGlobalAttributeType();
+	return rt;
+	}
+
+const char* type_name(TypeTag t)
+	{
+	static char errbuf[512];
+
+	static const char* type_names[int(NUM_TYPES)] = {
+		"void",
+		"bool", "int", "count", "counter",
+		"double", "time", "interval",
+		"string", "pattern",
+		"enum",
+		"timer",
+		"port", "addr", "net", "subnet",
+		"any",
+		"table", "union", "record", "types",
+		"func",
+		"file",
+		"vector",
+		"error",
+	};
+
+	if ( int(t) >= NUM_TYPES )
+		{
+		snprintf(errbuf, sizeof(errbuf), "%d: not a type tag", int(t));
+		return errbuf;
+		}
+
+	return type_names[int(t)];
+	}
+
+BroType::BroType(TypeTag t, bool arg_base_type)
+	{
+	tag = t;
+	is_network_order = 0;
+	base_type = arg_base_type;
+	is_global_attributes_type = false;
+
+	switch ( tag ) {
+	case TYPE_VOID:
+		internal_tag = TYPE_INTERNAL_VOID;
+		break;
+
+	case TYPE_BOOL:
+	case TYPE_INT:
+	case TYPE_ENUM:
+		internal_tag = TYPE_INTERNAL_INT;
+		break;
+
+	case TYPE_COUNT:
+	case TYPE_COUNTER:
+		internal_tag = TYPE_INTERNAL_UNSIGNED;
+		break;
+
+	case TYPE_PORT:
+		internal_tag = TYPE_INTERNAL_UNSIGNED;
+		is_network_order = 1;
+		break;
+
+	case TYPE_DOUBLE:
+	case TYPE_TIME:
+	case TYPE_INTERVAL:
+		internal_tag = TYPE_INTERNAL_DOUBLE;
+		break;
+
+	case TYPE_STRING:
+		internal_tag = TYPE_INTERNAL_STRING;
+		break;
+
+	case TYPE_ADDR:
+	case TYPE_NET:
+		internal_tag = TYPE_INTERNAL_ADDR;
+		break;
+
+	case TYPE_SUBNET:
+		internal_tag = TYPE_INTERNAL_SUBNET;
+		break;
+
+	case TYPE_PATTERN:
+	case TYPE_TIMER:
+	case TYPE_ANY:
+	case TYPE_TABLE:
+	case TYPE_UNION:
+	case TYPE_RECORD:
+	case TYPE_LIST:
+	case TYPE_FUNC:
+	case TYPE_FILE:
+	case TYPE_VECTOR:
+		internal_tag = TYPE_INTERNAL_OTHER;
+		break;
+
+	case TYPE_ERROR:
+		internal_tag = TYPE_INTERNAL_ERROR;
+		break;
+	}
+
+	// Kind of hacky; we don't want an error while we're defining
+	// the global attrs!
+	if ( in_global_attr_decl )
+		{
+		attributes_type = 0;
+		return;
+		}
+
+	if ( ! global_attributes_type )
+		SetError();
+	else
+		attributes_type = global_attributes_type;
+	}
+
+bool BroType::SetAttributesType(type_decl_list* attr_types)
+	{
+	TypeList* global = new TypeList();
+	global->Append(global_attributes_type);
+
+	attributes_type = refine_type(global, attr_types)->AsRecordType();
+
+	return (attributes_type != 0);
+	}
+
+int BroType::MatchesIndex(ListExpr*& /* index */) const
+	{
+	return DOES_NOT_MATCH_INDEX;
+	}
+
+BroType* BroType::YieldType()
+	{
+	return 0;
+	}
+
+int BroType::HasField(const char* /* field */) const
+	{
+	return 0;
+	}
+
+BroType* BroType::FieldType(const char* /* field */) const
+	{
+	return 0;
+	}
+
+void BroType::Describe(ODesc* d) const
+	{
+	if ( d->IsBinary() )
+		d->Add(int(Tag()));
+	else
+		{
+		TypeTag t = Tag();
+		if ( IsSet() )
+			d->Add("set");
+		else
+			d->Add(type_name(t));
+		}
+	}
+
+void BroType::SetError()
+	{
+	tag = TYPE_ERROR;
+	}
+
+unsigned int BroType::MemoryAllocation() const
+	{
+	return padded_sizeof(*this);
+	}
+
+bool BroType::Serialize(SerialInfo* info) const
+	{
+	// We always send full types (see below).
+	SERIALIZE(true);
+
+	bool ret = SerialObj::Serialize(info);
+	return ret;
+	}
+
+BroType* BroType::Unserialize(UnserialInfo* info, TypeTag want)
+	{
+	// To avoid external Broccoli clients needing to always send full type
+	// objects, we allow them to give us only the name of a type. To
+	// differentiate between the two cases, we exchange a flag first.
+	bool full_type = true;;
+	if ( ! UNSERIALIZE(&full_type) )
+		return 0;
+
+	if ( ! full_type )
+		{
+		const char* name;
+		if ( ! UNSERIALIZE_STR(&name, 0) )
+			return 0;
+
+		ID* id = global_scope()->Lookup(name);
+		if ( ! id )
+			{
+			info->s->Error(fmt("unknown type %s", name));
+			return 0;
+			}
+
+		BroType* t = id->AsType();
+		if ( ! t )
+			{
+			info->s->Error(fmt("%s is not a type", name));
+			return 0;
+			}
+
+		return t->Ref();
+		}
+
+	BroType* t = (BroType*) SerialObj::Unserialize(info, SER_BRO_TYPE);
+
+	if ( ! t )
+		return 0;
+
+	// For base types, we return our current instance.
+	if ( t->base_type )
+		{
+		BroType* t2 = ::base_type(TypeTag(t->tag));
+		Unref(t);
+		assert(t2);
+		return t2;
+		}
+
+	// For the global_attribute_type, we also return our current instance.
+	if ( t->is_global_attributes_type )
+		{
+		BroType* t2 = global_attributes_type;
+		Unref(t);
+		t2->Ref();
+		assert(t2);
+		return t2;
+		}
+
+	assert(t);
+	return t;
+	}
+
+IMPLEMENT_SERIAL(BroType, SER_BRO_TYPE)
+
+bool BroType::DoSerialize(SerialInfo* info) const
+	{
+	DO_SERIALIZE(SER_BRO_TYPE, BroObj);
+
+	info->s->WriteOpenTag("Type");
+
+	if ( ! (SERIALIZE(char(tag)) && SERIALIZE(char(internal_tag))) )
+		return false;
+
+	if ( ! (SERIALIZE(is_network_order) && SERIALIZE(base_type) &&
+		SERIALIZE(is_global_attributes_type)) )
+		return false;
+
+	SERIALIZE_OPTIONAL(attributes_type);
+
+	info->s->WriteCloseTag("Type");
+
+	return true;
+	}
+
+bool BroType::DoUnserialize(UnserialInfo* info)
+	{
+	DO_UNSERIALIZE(BroObj);
+
+	char c1, c2;
+	if ( ! (UNSERIALIZE(&c1) && UNSERIALIZE(&c2) ) )
+		return 0;
+
+	tag = (TypeTag) c1;
+	internal_tag = (InternalTypeTag) c2;
+
+	if ( ! (UNSERIALIZE(&is_network_order) && UNSERIALIZE(&base_type)
+			&& UNSERIALIZE(&is_global_attributes_type)) )
+		return 0;
+
+	BroType* type;
+	UNSERIALIZE_OPTIONAL(type, BroType::Unserialize(info, TYPE_RECORD));
+	attributes_type = (RecordType*) type;
+
+	return true;
+	}
+
+TypeList::~TypeList()
+	{
+	loop_over_list(types, i)
+		Unref(types[i]);
+
+	Unref(pure_type);
+	}
+
+int TypeList::AllMatch(const BroType* t, int is_init) const
+	{
+	loop_over_list(types, i)
+		if ( ! same_type(types[i], t, is_init) )
+			return 0;
+	return 1;
+	}
+
+void TypeList::Append(BroType* t)
+	{
+	if ( pure_type && ! same_type(t, pure_type) )
+		internal_error("pure type-list violation");
+
+	types.append(t);
+	}
+
+void TypeList::AppendEvenIfNotPure(BroType* t)
+	{
+	if ( pure_type && ! same_type(t, pure_type) )
+		{
+		Unref(pure_type);
+		pure_type = 0;
+		}
+
+	types.append(t);
+	}
+
+void TypeList::Describe(ODesc* d) const
+	{
+	if ( d->IsReadable() )
+		d->AddSP("list of");
+	else
+		{
+		d->Add(int(Tag()));
+		d->Add(IsPure());
+		if ( IsPure() )
+			pure_type->Describe(d);
+		d->Add(types.length());
+		}
+
+	if ( IsPure() )
+		pure_type->Describe(d);
+	else
+		{
+		loop_over_list(types, i)
+			{
+			if ( i > 0 && ! d->IsBinary() )
+				d->Add(",");
+
+			types[i]->Describe(d);
+			}
+		}
+	}
+
+IMPLEMENT_SERIAL(TypeList, SER_TYPE_LIST);
+
+bool TypeList::DoSerialize(SerialInfo* info) const
+	{
+	DO_SERIALIZE(SER_TYPE_LIST, BroType);
+
+	SERIALIZE_OPTIONAL(pure_type);
+
+	if ( ! SERIALIZE(types.length()) )
+		return false;
+
+	loop_over_list(types, j)
+		{
+		if ( ! types[j]->Serialize(info) )
+			return false;
+		}
+
+	return true;
+	}
+
+bool TypeList::DoUnserialize(UnserialInfo* info)
+	{
+	DO_UNSERIALIZE(BroType);
+
+	UNSERIALIZE_OPTIONAL(pure_type, BroType::Unserialize(info));
+
+	int len;
+	if ( ! UNSERIALIZE(&len) )
+		return false;
+
+	while ( len-- )
+		{
+		BroType* t = BroType::Unserialize(info);
+		if ( ! t )
+			return false;
+
+		types.append(t);
+		}
+	return true;
+	}
+
+IndexType::~IndexType()
+	{
+	Unref(indices);
+	Unref(yield_type);
+	}
+
+int IndexType::MatchesIndex(ListExpr*& index) const
+	{
+	// If we have a type indexed by subnets, addresses are ok.
+	const type_list* types = indices->Types();
+	const expr_list& exprs = index->Exprs();
+
+	if ( types->length() == 1 && (*types)[0]->Tag() == TYPE_SUBNET &&
+	     exprs.length() == 1 && exprs[0]->Type()->Tag() == TYPE_ADDR )
+		return MATCHES_INDEX_SCALAR;
+
+	return check_and_promote_exprs(index, Indices()) ?
+			MATCHES_INDEX_SCALAR : DOES_NOT_MATCH_INDEX;
+	}
+
+BroType* IndexType::YieldType()
+	{
+	return yield_type;
+	}
+
+void IndexType::Describe(ODesc* d) const
+	{
+	BroType::Describe(d);
+	if ( ! d->IsBinary() )
+		d->Add("[");
+	loop_over_list(*IndexTypes(), i)
+		{
+		if ( ! d->IsBinary() && i > 0 )
+			d->Add(",");
+		(*IndexTypes())[i]->Describe(d);
+		}
+	if ( ! d->IsBinary() )
+		d->Add("]");
+
+	if ( yield_type )
+		{
+		if ( ! d->IsBinary() )
+			d->Add(" of ");
+		yield_type->Describe(d);
+		}
+	}
+
+bool IndexType::IsSubNetIndex() const
+	{
+	const type_list* types = indices->Types();
+	if ( types->length() == 1 && (*types)[0]->Tag() == TYPE_SUBNET )
+		return true;
+	return false;
+	}
+
+IMPLEMENT_SERIAL(IndexType, SER_INDEX_TYPE);
+
+bool IndexType::DoSerialize(SerialInfo* info) const
+	{
+	DO_SERIALIZE(SER_INDEX_TYPE, BroType);
+
+	SERIALIZE_OPTIONAL(yield_type);
+	return indices->Serialize(info);
+	}
+
+bool IndexType::DoUnserialize(UnserialInfo* info)
+	{
+	DO_UNSERIALIZE(BroType);
+
+	UNSERIALIZE_OPTIONAL(yield_type, BroType::Unserialize(info));
+	indices = (TypeList*) BroType::Unserialize(info, TYPE_LIST);
+	return indices != 0;
+	}
+
+TableType::TableType(TypeList* ind, BroType* yield)
+: IndexType(TYPE_TABLE, ind, yield)
+	{
+	if ( ! indices )
+		return;
+
+	type_list* tl = indices->Types();
+
+	loop_over_list(*tl, i)
+		{
+		BroType* tli = (*tl)[i];
+		InternalTypeTag t = tli->InternalType();
+
+		if ( t == TYPE_INTERNAL_ERROR )
+			break;
+
+		// Allow functions, since they can be compared
+		// for Func* pointer equality.
+		if ( t == TYPE_INTERNAL_OTHER && tli->Tag() != TYPE_FUNC &&
+		     tli->Tag() != TYPE_RECORD )
+			{
+			tli->Error("bad index type");
+			SetError();
+			break;
+			}
+		}
+	}
+
+bool TableType::IsUnspecifiedTable() const
+	{
+	// Unspecified types have an empty list of indices.
+	return indices->Types()->length() == 0;
+	}
+
+TypeList* TableType::ExpandRecordIndex(RecordType* rt) const
+	{
+	TypeList* tl = new TypeList();
+
+	int n = rt->NumFields();
+	for ( int i = 0; i < n; ++i )
+		{
+		TypeDecl* td = rt->FieldDecl(i);
+		tl->Append(td->type->Ref());
+		}
+
+	return tl;
+	}
+
+SetType::SetType(TypeList* ind, ListExpr* arg_elements) : TableType(ind, 0)
+	{
+	elements = arg_elements;
+	if ( elements )
+		{
+		if ( indices )
+			{ // We already have a type.
+			if ( ! check_and_promote_exprs(elements, indices) )
+				SetError();
+			}
+		else
+			{
+			TypeList* tl_type = elements->Type()->AsTypeList();
+			type_list* tl = tl_type->Types();
+
+			if ( tl->length() < 1 )
+				{
+				Error("no type given for set");
+				SetError();
+				}
+
+			else if ( tl->length() == 1 )
+				{
+				BroType* t = flatten_type((*tl)[0]->Ref());
+				indices = new TypeList(t);
+				indices->Append(t->Ref());
+				}
+
+			else
+				{
+				BroType* t = merge_types((*tl)[0], (*tl)[1]);
+
+				for ( int i = 2; t && i < tl->length(); ++i )
+					{
+					BroType* t_new =
+						merge_types(t, (*tl)[i]);
+					Unref(t);
+					t = t_new;
+					}
+
+				if ( ! t )
+					{
+					Error("bad set type");
+					return;
+					}
+
+				indices = new TypeList(t);
+				indices->Append(t);
+				}
+			}
+		}
+	}
+
+IMPLEMENT_SERIAL(TableType, SER_TABLE_TYPE);
+
+bool TableType::DoSerialize(SerialInfo* info) const
+	{
+	DO_SERIALIZE(SER_TABLE_TYPE, IndexType);
+	return true;
+	}
+
+bool TableType::DoUnserialize(UnserialInfo* info)
+	{
+	DO_UNSERIALIZE(IndexType);
+	return true;
+	}
+
+SetType::~SetType()
+	{
+	Unref(elements);
+	}
+
+IMPLEMENT_SERIAL(SetType, SER_SET_TYPE);
+
+bool SetType::DoSerialize(SerialInfo* info) const
+	{
+	DO_SERIALIZE(SER_SET_TYPE, TableType);
+
+	SERIALIZE_OPTIONAL(elements);
+	return true;
+	}
+
+bool SetType::DoUnserialize(UnserialInfo* info)
+	{
+	DO_UNSERIALIZE(TableType);
+
+	UNSERIALIZE_OPTIONAL(elements, (ListExpr*) Expr::Unserialize(info, EXPR_LIST));
+	return true;
+	}
+
+FuncType::FuncType(RecordType* arg_args, BroType* arg_yield, int arg_is_event)
+: BroType(TYPE_FUNC)
+	{
+	args = arg_args;
+	yield = arg_yield;
+	is_event = arg_is_event;
+
+	arg_types = new TypeList();
+
+	for ( int i = 0; i < args->NumFields(); ++i )
+		arg_types->Append(args->FieldType(i)->Ref());
+	}
+
+FuncType::~FuncType()
+	{
+	Unref(arg_types);
+	}
+
+BroType* FuncType::YieldType()
+	{
+	return yield;
+	}
+
+int FuncType::MatchesIndex(ListExpr*& index) const
+	{
+	return check_and_promote_exprs(index, arg_types) ?
+			MATCHES_INDEX_SCALAR : DOES_NOT_MATCH_INDEX;
+	}
+
+int FuncType::CheckArgs(const type_list* args) const
+	{
+	const type_list* my_args = arg_types->Types();
+
+	if ( my_args->length() != args->length() )
+		return 0;
+
+	for ( int i = 0; i < my_args->length(); ++i )
+		if ( ! same_type((*args)[i], (*my_args)[i]) )
+			return 0;
+
+	return 1;
+	}
+
+void FuncType::Describe(ODesc* d) const
+	{
+	if ( d->IsReadable() )
+		{
+		d->Add(is_event ? "event" : "function");
+		d->Add("(");
+		args->DescribeFields(d);
+		d->Add(")");
+
+		if ( yield )
+			{
+			d->AddSP(" :");
+			yield->Describe(d);
+			}
+		}
+	else
+		{
+		d->Add(int(Tag()));
+		d->Add(is_event);
+		d->Add(yield != 0);
+		args->DescribeFields(d);
+		if ( yield )
+			yield->Describe(d);
+		}
+	}
+
+IMPLEMENT_SERIAL(FuncType, SER_FUNC_TYPE);
+
+bool FuncType::DoSerialize(SerialInfo* info) const
+	{
+	DO_SERIALIZE(SER_FUNC_TYPE, BroType);
+
+	assert(args);
+	assert(arg_types);
+
+	SERIALIZE_OPTIONAL(yield);
+
+	return args->Serialize(info) &&
+		arg_types->Serialize(info) &&
+		SERIALIZE(is_event);
+	}
+
+bool FuncType::DoUnserialize(UnserialInfo* info)
+	{
+	DO_UNSERIALIZE(BroType);
+
+	UNSERIALIZE_OPTIONAL(yield, BroType::Unserialize(info));
+
+	args = (RecordType*) BroType::Unserialize(info, TYPE_RECORD);
+	if ( ! args )
+		return false;
+
+	arg_types = (TypeList*) BroType::Unserialize(info, TYPE_LIST);
+	if ( ! arg_types )
+		return false;
+
+	return UNSERIALIZE(&is_event);
+	}
+
+TypeDecl::TypeDecl(BroType* t, const char* i, attr_list* arg_attrs)
+	{
+	type = t;
+	attrs = arg_attrs ? new Attributes(arg_attrs, t) : 0;
+	id = i;
+
+	if ( in_global_attr_decl && ! attrs->FindAttr(ATTR_DEFAULT) )
+		error("global attribute types must have default values");
+	}
+
+TypeDecl::~TypeDecl()
+	{
+	Unref(type);
+	Unref(attrs);
+	delete [] id;
+	}
+
+bool TypeDecl::Serialize(SerialInfo* info) const
+	{
+	assert(type);
+	assert(id);
+
+	SERIALIZE_OPTIONAL(attrs);
+
+	return type->Serialize(info) && SERIALIZE(id);
+	}
+
+TypeDecl* TypeDecl::Unserialize(UnserialInfo* info)
+	{
+	TypeDecl* t = new TypeDecl(0, 0, 0);
+
+	UNSERIALIZE_OPTIONAL_STATIC(t->attrs, Attributes::Unserialize(info), t);
+	t->type = BroType::Unserialize(info);
+
+	if ( ! (t->type && UNSERIALIZE_STR(&t->id, 0)) )
+		{
+		delete t;
+		return 0;
+		}
+
+	return t;
+	}
+
+RecordField::RecordField(int arg_base, int arg_offset, int arg_total_offset)
+	{
+	base = arg_base;
+	offset = arg_offset;
+	total_offset = arg_total_offset;
+	}
+
+RecordType::RecordType(type_decl_list* arg_types) : BroType(TYPE_RECORD)
+	{
+	types = arg_types;
+	base = 0;
+	fields = 0;
+	num_fields = types ? types->length() : 0;
+	}
+
+RecordType::RecordType(TypeList* arg_base, type_decl_list* refinements)
+: BroType(TYPE_RECORD)
+	{
+	if ( refinements )
+		arg_base->Append(new RecordType(refinements));
+
+	Init(arg_base);
+	}
+
+void RecordType::Init(TypeList* arg_base)
+	{
+	base = arg_base;
+
+	if ( ! base )
+		Internal("empty RecordType");
+
+	fields = new PDict(RecordField)(ORDERED);
+	types = 0;
+
+	type_list* t = base->Types();
+	loop_over_list(*t, i)
+		{
+		BroType* ti = (*t)[i];
+		if ( ti->Tag() != TYPE_RECORD )
+			(*t)[i]->Error("non-record in base type list");
+
+		RecordType* rti = ti->AsRecordType();
+		int n = rti->NumFields();
+
+		for ( int j = 0; j < n; ++j )
+			{
+			const TypeDecl* tdij = rti->FieldDecl(j);
+			if ( fields->Lookup(tdij->id) )
+				{
+				error("duplicate field", tdij->id);
+				continue;
+				}
+
+			RecordField* rf = new RecordField(i, j, fields->Length());
+			if ( fields->Insert(tdij->id, rf) )
+				Internal("duplicate field when constructing record");
+			}
+		}
+
+	num_fields = fields->Length();
+	}
+
+RecordType::~RecordType()
+	{
+	if ( types )
+		{
+		loop_over_list(*types, i)
+			delete (*types)[i];
+		delete types;
+		}
+
+	delete fields;
+	Unref(base);
+	}
+
+int RecordType::HasField(const char* field) const
+	{
+	return FieldOffset(field) >= 0;
+	}
+
+BroType* RecordType::FieldType(const char* field) const
+	{
+	int offset = FieldOffset(field);
+	return offset >= 0 ? FieldType(offset) : 0;
+	}
+
+BroType* RecordType::FieldType(int field) const
+	{
+	if ( types )
+		return (*types)[field]->type;
+	else
+		{
+		RecordField* rf = fields->NthEntry(field);
+		if ( ! rf )
+			Internal("missing field in RecordType::FieldType");
+		BroType* bt = (*base->Types())[rf->base];
+		RecordType* rbt = bt->AsRecordType();
+		return rbt->FieldType(rf->offset);
+		}
+	}
+
+int RecordType::FieldOffset(const char* field) const
+	{
+	if ( types )
+		{
+		loop_over_list(*types, i)
+			{
+			TypeDecl* td = (*types)[i];
+			if ( streq(td->id, field) )
+				return i;
+			}
+
+		return -1;
+		}
+
+	else
+		{
+		RecordField* rf = fields->Lookup(field);
+		if ( ! rf )
+			return -1;
+		else
+			return rf->total_offset;
+		}
+	}
+
+const char* RecordType::FieldName(int field) const
+	{
+	return FieldDecl(field)->id;
+	}
+
+const TypeDecl* RecordType::FieldDecl(int field) const
+	{
+	if ( types )
+		return (*types)[field];
+	else
+		{
+		RecordField* rf = fields->NthEntry(field);
+		if ( ! rf )
+			internal_error("missing field in RecordType::FieldDecl");
+
+		BroType* bt = (*base->Types())[rf->base];
+		RecordType* rbt = bt->AsRecordType();
+		return rbt->FieldDecl(rf->offset);
+		}
+	}
+
+TypeDecl* RecordType::FieldDecl(int field)
+	{
+	if ( types )
+		return (*types)[field];
+	else
+		{
+		RecordField* rf = fields->NthEntry(field);
+		if ( ! rf )
+			Internal("missing field in RecordType::FieldDecl");
+		BroType* bt = (*base->Types())[rf->base];
+		RecordType* rbt = bt->AsRecordType();
+		return rbt->FieldDecl(rf->offset);
+		}
+	}
+
+void RecordType::Describe(ODesc* d) const
+	{
+	if ( d->IsReadable() )
+		{
+		d->AddSP("record {");
+		DescribeFields(d);
+		d->SP();
+		d->Add("}");
+		}
+
+	else
+		{
+		d->Add(int(Tag()));
+		DescribeFields(d);
+		}
+	}
+
+void RecordType::DescribeFields(ODesc* d) const
+	{
+	if ( d->IsReadable() )
+		{
+		for ( int i = 0; i < num_fields; ++i )
+			{
+			if ( i > 0 )
+				d->SP();
+
+			const TypeDecl* td = FieldDecl(i);
+			d->Add(td->id);
+			d->Add(":");
+			td->type->Describe(d);
+			d->Add(";");
+			}
+		}
+
+	else
+		{
+		if ( types )
+			{
+			d->AddCount(0);
+			d->AddCount(types->length());
+			loop_over_list(*types, i)
+				{
+				(*types)[i]->type->Describe(d);
+				d->SP();
+				d->Add((*types)[i]->id);
+				d->SP();
+				}
+			}
+		else
+			{
+			d->AddCount(1);
+			base->Describe(d);
+			}
+		}
+	}
+
+IMPLEMENT_SERIAL(RecordType, SER_RECORD_TYPE)
+
+bool RecordType::DoSerialize(SerialInfo* info) const
+	{
+	DO_SERIALIZE(SER_RECORD_TYPE, BroType);
+
+	if ( ! SERIALIZE(num_fields) )
+		return false;
+
+	if ( types )
+		{
+		if ( ! (SERIALIZE(true) && SERIALIZE(types->length())) )
+			return false;
+
+		loop_over_list(*types, i)
+			{
+			if ( ! (*types)[i]->Serialize(info) )
+				return false;
+			}
+		}
+
+	else if ( ! SERIALIZE(false) )
+		return false;
+
+	SERIALIZE_OPTIONAL(base);
+
+	// We don't serialize the fields as we can reconstruct them.
+	return true;
+	}
+
+bool RecordType::DoUnserialize(UnserialInfo* info)
+	{
+	DO_UNSERIALIZE(BroType);
+
+	if ( ! UNSERIALIZE(&num_fields) )
+		return false;
+
+	bool has_it;
+	if ( ! UNSERIALIZE(&has_it) )
+		return false;
+
+	if ( has_it )
+		{
+		int len;
+		if ( ! UNSERIALIZE(&len) )
+			return false;
+
+		types = new type_decl_list(len);
+
+		while ( len-- )
+			{
+			TypeDecl* t = TypeDecl::Unserialize(info);
+			if ( ! t )
+				return false;
+
+			types->append(t);
+			}
+		}
+	else
+		types = 0;
+
+	BroType* type;
+	UNSERIALIZE_OPTIONAL(type, BroType::Unserialize(info, TYPE_LIST));
+	base = (TypeList*) type;
+
+	if ( base )
+		Init(base);
+
+	return true;
+	}
+
+SubNetType::SubNetType() : BroType(TYPE_SUBNET)
+	{
+	}
+
+void SubNetType::Describe(ODesc* d) const
+	{
+	if ( d->IsReadable() )
+		d->Add("subnet");
+	else
+		d->Add(int(Tag()));
+	}
+
+IMPLEMENT_SERIAL(SubNetType, SER_SUBNET_TYPE);
+
+bool SubNetType::DoSerialize(SerialInfo* info) const
+	{
+	DO_SERIALIZE(SER_SUBNET_TYPE, BroType);
+	return true;
+	}
+
+bool SubNetType::DoUnserialize(UnserialInfo* info)
+	{
+	DO_UNSERIALIZE(BroType);
+	return true;
+	}
+
+FileType::FileType(BroType* yield_type)
+: BroType(TYPE_FILE)
+	{
+	yield = yield_type;
+	}
+
+FileType::~FileType()
+	{
+	Unref(yield);
+	}
+
+BroType* FileType::YieldType()
+	{
+	return yield;
+	}
+
+void FileType::Describe(ODesc* d) const
+	{
+	if ( d->IsReadable() )
+		{
+		d->AddSP("file of");
+		yield->Describe(d);
+		}
+	else
+		{
+		d->Add(int(Tag()));
+		yield->Describe(d);
+		}
+	}
+
+IMPLEMENT_SERIAL(FileType, SER_FILE_TYPE);
+
+bool FileType::DoSerialize(SerialInfo* info) const
+	{
+	DO_SERIALIZE(SER_FILE_TYPE, BroType);
+
+	assert(yield);
+	return yield->Serialize(info);
+	}
+
+bool FileType::DoUnserialize(UnserialInfo* info)
+	{
+	DO_UNSERIALIZE(BroType);
+
+	yield = BroType::Unserialize(info);
+	return yield != 0;
+	}
+
+EnumType::EnumType(bool arg_is_export)
+: BroType(TYPE_ENUM)
+	{
+	is_export = arg_is_export;
+	counter = 0;
+	}
+
+EnumType::~EnumType()
+	{
+	for ( NameMap::iterator iter = names.begin(); iter != names.end(); ++iter )
+		delete [] iter->first;
+	}
+
+int EnumType::AddName(const string& module_name, const char* name)
+	{
+	ID* id = lookup_ID(name, module_name.c_str());
+	if ( ! id )
+		{
+		id = install_ID(name, module_name.c_str(), true, is_export);
+		id->SetType(this->Ref());
+		id->SetEnumConst();
+		}
+	else
+		{
+		debug_msg("identifier already exists: %s\n", name);
+		return -1;
+		}
+
+	string fullname = make_full_var_name(module_name.c_str(), name);
+	names[copy_string(fullname.c_str())] = counter;
+	return counter++;
+	}
+
+int EnumType::AddNamesFrom(const string& module_name, EnumType* et)
+	{
+	int last_added = counter;
+	for ( NameMap::iterator iter = et->names.begin();
+	      iter != et->names.end(); ++iter )
+		{
+		ID* id = lookup_ID(iter->first, module_name.c_str());
+		id->SetType(this->Ref());
+		names[copy_string(id->Name())] = counter;
+		last_added = counter++;
+		}
+
+	return last_added;
+	}
+
+int EnumType::Lookup(const string& module_name, const char* name)
+	{
+	NameMap::iterator pos =
+		names.find(make_full_var_name(module_name.c_str(), name).c_str());
+
+	if ( pos == names.end() )
+		return -1;
+	else
+		return pos->second;
+	}
+
+const char* EnumType::Lookup(int value)
+	{
+	for ( NameMap::iterator iter = names.begin();
+	      iter != names.end(); ++iter )
+		if ( iter->second == value )
+			return iter->first;
+
+	return 0;
+	}
+
+IMPLEMENT_SERIAL(EnumType, SER_ENUM_TYPE);
+
+bool EnumType::DoSerialize(SerialInfo* info) const
+	{
+	DO_SERIALIZE(SER_ENUM_TYPE, BroType);
+
+	// I guess we don't really need both ...
+	if ( ! (SERIALIZE(counter) && SERIALIZE((unsigned int) names.size()) &&
+		SERIALIZE(is_export)) )
+		return false;
+
+	for ( NameMap::const_iterator iter = names.begin();
+	      iter != names.end(); ++iter )
+		{
+		if ( ! SERIALIZE(iter->first) || ! SERIALIZE(iter->second) )
+			return false;
+		}
+
+	return true;
+	}
+
+bool EnumType::DoUnserialize(UnserialInfo* info)
+	{
+	DO_UNSERIALIZE(BroType);
+
+	unsigned int len;
+	if ( ! UNSERIALIZE(&counter) ||
+	     ! UNSERIALIZE(&len) ||
+	     ! UNSERIALIZE(&is_export) )
+		return false;
+
+	while ( len-- )
+		{
+		const char* name;
+		int val;
+		if ( ! (UNSERIALIZE_STR(&name, 0) && UNSERIALIZE(&val)) )
+			return false;
+
+		names[name] = val;
+		}
+
+	return true;
+	}
+
+VectorType::VectorType(BroType* element_type)
+: BroType(TYPE_VECTOR)
+	{
+	if ( element_type )
+		yield_type = element_type;
+	}
+
+VectorType::~VectorType()
+	{
+	Unref(yield_type);
+	}
+
+int VectorType::MatchesIndex(ListExpr*& index) const
+	{
+	expr_list& el = index->Exprs();
+
+	if ( el.length() != 1 )
+		return DOES_NOT_MATCH_INDEX;
+
+	if ( el[0]->Type()->Tag() == TYPE_VECTOR )
+		return (IsIntegral(el[0]->Type()->YieldType()->Tag()) ||
+			 IsBool(el[0]->Type()->YieldType()->Tag())) ?
+				MATCHES_INDEX_VECTOR : DOES_NOT_MATCH_INDEX;
+	else
+		return (IsIntegral(el[0]->Type()->Tag()) ||
+			 IsBool(el[0]->Type()->Tag())) ?
+				MATCHES_INDEX_SCALAR : DOES_NOT_MATCH_INDEX;
+	}
+
+IMPLEMENT_SERIAL(VectorType, SER_VECTOR_TYPE);
+
+bool VectorType::DoSerialize(SerialInfo* info) const
+	{
+	DO_SERIALIZE(SER_VECTOR_TYPE, BroType);
+	return yield_type->Serialize(info);
+	}
+
+bool VectorType::DoUnserialize(UnserialInfo* info)
+	{
+	DO_UNSERIALIZE(BroType);
+	yield_type = BroType::Unserialize(info);
+	return yield_type != 0;
+	}
+
+BroType* refine_type(TypeList* base, type_decl_list* refinements)
+	{
+	type_list* t = base->Types();
+
+	if ( t->length() == 1 && ! refinements )
+		{ // Just a direct reference to a single type.
+		BroType* rt = (*t)[0]->Ref();
+		Unref(base);
+		return rt;
+		}
+
+	return new RecordType(base, refinements);
+	}
+
+
+BroType* base_type(TypeTag tag)
+	{
+	static BroType* base_types[NUM_TYPES];
+
+	// We could check here that "tag" actually corresponds to a BRO
+	// basic type.
+
+	int t = int(tag);
+	if ( ! base_types[t] )
+		{
+		base_types[t] = new BroType(tag, true);
+		// Give the base types a pseudo-location for easier identification.
+		Location l(type_name(tag), 0, 0, 0, 0);
+		base_types[t]->SetLocationInfo(&l);
+		}
+
+	return base_types[t]->Ref();
+	}
+
+
+// Returns true if t1 is initialization-compatible with t2 (i.e., if an
+// initializer with type t1 can be used to initialize a value with type t2),
+// false otherwise.  Assumes that t1's tag is different from t2's.  Note
+// that the test is in only one direction - we don't check whether t2 is
+// initialization-compatible with t1.
+static int is_init_compat(const BroType* t1, const BroType* t2)
+	{
+	if ( t1->Tag() == TYPE_LIST )
+		{
+		if ( t2->Tag() == TYPE_RECORD )
+			return 1;
+		else
+			return t1->AsTypeList()->AllMatch(t2, 1);
+		}
+
+	if ( t1->IsSet() )
+		return same_type(t1->AsSetType()->Indices(), t2, 1);
+
+	return 0;
+	}
+
+int same_type(const BroType* t1, const BroType* t2, int is_init)
+	{
+	if ( t1 == t2 )
+		return 1;
+
+	t1 = flatten_type(t1);
+	t2 = flatten_type(t2);
+	if ( t1 == t2 )
+		return 1;
+
+	if ( t1->Tag() != t2->Tag() )
+		{
+		if ( is_init )
+			return is_init_compat(t1, t2) || is_init_compat(t2, t1);
+
+		return 0;
+		}
+
+	switch ( t1->Tag() ) {
+	case TYPE_VOID:
+	case TYPE_BOOL:
+	case TYPE_INT:
+	case TYPE_COUNT:
+	case TYPE_COUNTER:
+	case TYPE_DOUBLE:
+	case TYPE_TIME:
+	case TYPE_INTERVAL:
+	case TYPE_STRING:
+	case TYPE_PATTERN:
+	case TYPE_TIMER:
+	case TYPE_PORT:
+	case TYPE_ADDR:
+	case TYPE_NET:
+	case TYPE_SUBNET:
+	case TYPE_ANY:
+	case TYPE_ERROR:
+		return 1;
+
+	case TYPE_ENUM:
+		// We should probably check to see whether all of the
+		// enumerations are present and in the same location.
+		// FIXME: Yes, but perhaps we should better return
+		// true per default?
+		return 1;
+
+	case TYPE_TABLE:
+		{
+		const IndexType* it1 = (const IndexType*) t1;
+		const IndexType* it2 = (const IndexType*) t2;
+
+		TypeList* tl1 = it1->Indices();
+		TypeList* tl2 = it2->Indices();
+
+		if ( tl1 || tl2 )
+			{
+			if ( ! tl1 || ! tl2 || ! same_type(tl1, tl2, is_init) )
+				return 0;
+			}
+
+		const BroType* y1 = t1->YieldType();
+		const BroType* y2 = t2->YieldType();
+
+		if ( y1 || y2 )
+			{
+			if ( ! y1 || ! y2 || ! same_type(y1, y2, is_init) )
+				return 0;
+			}
+
+		return 1;
+		}
+
+	case TYPE_FUNC:
+		{
+		const FuncType* ft1 = (const FuncType*) t1;
+		const FuncType* ft2 = (const FuncType*) t2;
+
+		if ( ft1->IsEvent() != ft2->IsEvent() )
+			return 0;
+
+		if ( t1->YieldType() || t2->YieldType() )
+			{
+			if ( ! t1->YieldType() || ! t2->YieldType() ||
+			     ! same_type(t1->YieldType(), t2->YieldType(), is_init) )
+				return 0;
+			}
+
+		return same_type(ft1->Args(), ft2->Args(), is_init);
+		}
+
+	case TYPE_RECORD:
+		{
+		const RecordType* rt1 = (const RecordType*) t1;
+		const RecordType* rt2 = (const RecordType*) t2;
+
+		if ( rt1->NumFields() != rt2->NumFields() )
+			return 0;
+
+		for ( int i = 0; i < rt1->NumFields(); ++i )
+			{
+			const TypeDecl* td1 = rt1->FieldDecl(i);
+			const TypeDecl* td2 = rt2->FieldDecl(i);
+
+			if ( ! streq(td1->id, td2->id) ||
+			     ! same_type(td1->type, td2->type, is_init) )
+				return 0;
+			}
+
+		return 1;
+		}
+
+	case TYPE_LIST:
+		{
+		const type_list* tl1 = t1->AsTypeList()->Types();
+		const type_list* tl2 = t2->AsTypeList()->Types();
+
+		if ( tl1->length() != tl2->length() )
+			return 0;
+
+		loop_over_list(*tl1, i)
+			if ( ! same_type((*tl1)[i], (*tl2)[i], is_init) )
+				return 0;
+
+		return 1;
+		}
+
+	case TYPE_VECTOR:
+	case TYPE_FILE:
+		return same_type(t1->YieldType(), t2->YieldType(), is_init);
+
+	case TYPE_UNION:
+		error("union type in same_type()");
+	}
+	return 0;
+	}
+
+int record_promotion_compatible(const RecordType* /* super_rec */,
+				const RecordType* /* sub_rec */)
+	{
+#if 0
+	int n = sub_rec->NumFields();
+
+	for ( int i = 0; i < n; ++i )
+		{
+		if ( ! super_rec->HasField(sub_rec->FieldName(i)) )
+			return 0;
+		}
+#endif
+
+	return 1;
+	}
+
+const BroType* flatten_type(const BroType* t)
+	{
+	if ( t->Tag() != TYPE_LIST )
+		return t;
+
+	const TypeList* tl = t->AsTypeList();
+
+	if ( tl->IsPure() )
+		return tl->PureType();
+
+	const type_list* types = tl->Types();
+
+	if ( types->length() == 0 )
+		internal_error("empty type list in flatten_type");
+
+	const BroType* ft = (*types)[0];
+	if ( types->length() == 1 || tl->AllMatch(ft, 0) )
+		return ft;
+
+	return t;
+	}
+
+BroType* flatten_type(BroType* t)
+	{
+	return (BroType*) flatten_type((const BroType*) t);
+	}
+
+int is_assignable(BroType* t)
+	{
+	switch ( t->Tag() ) {
+	case TYPE_BOOL:
+	case TYPE_INT:
+	case TYPE_COUNT:
+	case TYPE_COUNTER:
+	case TYPE_DOUBLE:
+	case TYPE_TIME:
+	case TYPE_INTERVAL:
+	case TYPE_STRING:
+	case TYPE_PATTERN:
+	case TYPE_ENUM:
+	case TYPE_TIMER:
+	case TYPE_PORT:
+	case TYPE_ADDR:
+	case TYPE_NET:
+	case TYPE_SUBNET:
+	case TYPE_RECORD:
+	case TYPE_FUNC:
+	case TYPE_ANY:
+	case TYPE_ERROR:
+	case TYPE_LIST:
+		return 1;
+
+	case TYPE_VECTOR:
+	case TYPE_FILE:
+	case TYPE_TABLE:
+		return 1;
+
+	case TYPE_VOID:
+		return 0;
+
+	case TYPE_UNION:
+		error("union type in is_assignable()");
+	}
+
+	return 0;
+	}
+
+TypeTag max_type(TypeTag t1, TypeTag t2)
+	{
+	if ( t1 == TYPE_INTERVAL || t1 == TYPE_TIME )
+		t1 = TYPE_DOUBLE;
+	if ( t2 == TYPE_INTERVAL || t2 == TYPE_TIME )
+		t2 = TYPE_DOUBLE;
+
+	if ( BothArithmetic(t1, t2) )
+		{
+#define CHECK_TYPE(t) \
+	if ( t1 == t || t2 == t ) \
+		return t;
+
+		CHECK_TYPE(TYPE_DOUBLE);
+		CHECK_TYPE(TYPE_INT);
+		CHECK_TYPE(TYPE_COUNT);
+
+		// Note - mixing two TYPE_COUNTER's still promotes to
+		// a TYPE_COUNT.
+		return TYPE_COUNT;
+		}
+	else
+		{
+		internal_error("non-arithmetic tags in max_type()");
+		return TYPE_ERROR;
+		}
+	}
+
+BroType* merge_types(const BroType* t1, const BroType* t2)
+	{
+	t1 = flatten_type(t1);
+	t2 = flatten_type(t2);
+
+	TypeTag tg1 = t1->Tag();
+	TypeTag tg2 = t2->Tag();
+
+	if ( BothArithmetic(tg1, tg2) )
+		return base_type(max_type(tg1, tg2));
+
+	if ( tg1 != tg2 )
+		{
+		t1->Error("incompatible types", t2);
+		return 0;
+		}
+
+	switch ( tg1 ) {
+	case TYPE_TIME:
+	case TYPE_INTERVAL:
+	case TYPE_STRING:
+	case TYPE_PATTERN:
+	case TYPE_TIMER:
+	case TYPE_PORT:
+	case TYPE_ADDR:
+	case TYPE_NET:
+	case TYPE_SUBNET:
+	case TYPE_ANY:
+	case TYPE_ERROR:
+		return base_type(tg1);
+
+	case TYPE_TABLE:
+		{
+		const IndexType* it1 = (const IndexType*) t1;
+		const IndexType* it2 = (const IndexType*) t2;
+
+		const type_list* tl1 = it1->IndexTypes();
+		const type_list* tl2 = it2->IndexTypes();
+		TypeList* tl3 = 0;
+
+		if ( tl1 || tl2 )
+			{
+			if ( ! tl1 || ! tl2 || tl1->length() != tl2->length() )
+				{
+				t1->Error("incompatible types", t2);
+				return 0;
+				}
+
+			tl3 = new TypeList();
+
+			loop_over_list(*tl1, i)
+				{
+				BroType* tl3_i = merge_types((*tl1)[i], (*tl2)[i]);
+				if ( ! tl3_i )
+					{
+					Unref(tl3);
+					return 0;
+					}
+
+				tl3->Append(tl3_i);
+				}
+			}
+
+		const BroType* y1 = t1->YieldType();
+		const BroType* y2 = t2->YieldType();
+		BroType* y3 = 0;
+
+		if ( y1 || y2 )
+			{
+			if ( ! y1 || ! y2 )
+				{
+				t1->Error("incompatible types", t2);
+				return 0;
+				}
+
+			y3 = merge_types(y1, y2);
+			if ( ! y3 )
+				{
+				Unref(tl3);
+				return 0;
+				}
+			}
+
+		if ( t1->IsSet() )
+			return new SetType(tl3, 0);
+		else if ( tg1 == TYPE_TABLE )
+			return new TableType(tl3, y3);
+		else
+			{
+			internal_error("bad tag in merge_types");
+			return 0;
+			}
+		}
+
+	case TYPE_FUNC:
+		{
+		if ( ! same_type(t1, t2) )
+			{
+			t1->Error("incompatible types", t2);
+			return 0;
+			}
+
+		const FuncType* ft1 = (const FuncType*) t1;
+		const FuncType* ft2 = (const FuncType*) t1;
+		BroType* args = merge_types(ft1->Args(), ft2->Args());
+		BroType* yield = t1->YieldType() ?
+			merge_types(t1->YieldType(), t2->YieldType()) : 0;
+
+		return new FuncType(args->AsRecordType(), yield, ft1->IsEvent());
+		}
+
+	case TYPE_RECORD:
+		{
+		const RecordType* rt1 = (const RecordType*) t1;
+		const RecordType* rt2 = (const RecordType*) t2;
+
+		if ( rt1->NumFields() != rt2->NumFields() )
+			return 0;
+
+		type_decl_list* tdl3 = new type_decl_list;
+
+		for ( int i = 0; i < rt1->NumFields(); ++i )
+			{
+			const TypeDecl* td1 = rt1->FieldDecl(i);
+			const TypeDecl* td2 = rt2->FieldDecl(i);
+			BroType* tdl3_i = merge_types(td1->type, td2->type);
+
+			if ( ! streq(td1->id, td2->id) || ! tdl3_i )
+				{
+				t1->Error("incompatible record fields", t2);
+				delete tdl3;
+				Unref(tdl3_i);
+				return 0;
+				}
+
+			tdl3->append(new TypeDecl(tdl3_i, copy_string(td1->id)));
+			}
+
+		return new RecordType(tdl3);
+		}
+
+	case TYPE_LIST:
+		{
+		const TypeList* tl1 = t1->AsTypeList();
+		const TypeList* tl2 = t2->AsTypeList();
+
+		if ( tl1->IsPure() != tl2->IsPure() )
+			{
+			tl1->Error("incompatible lists", tl2);
+			return 0;
+			}
+
+		const type_list* l1 = tl1->Types();
+		const type_list* l2 = tl2->Types();
+
+		if ( l1->length() == 0 || l2->length() == 0 )
+			{
+			if ( l1->length() == 0 )
+				tl1->Error("empty list");
+			else
+				tl2->Error("empty list");
+			return 0;
+			}
+
+		if ( tl1->IsPure() )
+			{
+			// We will be expanding the pure list when converting
+			// the initialization expression into a set of values.
+			// So the merge type of the list is the type of one
+			// of the elements, providing they're consistent.
+			return merge_types((*l1)[0], (*l2)[0]);
+			}
+
+		// Impure lists - must have the same size and match element
+		// by element.
+		if ( l1->length() != l2->length() )
+			{
+			tl1->Error("different number of indices", tl2);
+			return 0;
+			}
+
+		TypeList* tl3 = new TypeList();
+		loop_over_list(*l1, i)
+			tl3->Append(merge_types((*l1)[i], (*l2)[i]));
+
+		return tl3;
+		}
+
+	case TYPE_VECTOR:
+		if ( ! same_type(t1->YieldType(), t2->YieldType()) )
+			{
+			t1->Error("incompatible types", t2);
+			return 0;
+			}
+
+		return new VectorType(merge_types(t1->YieldType(), t2->YieldType()));
+
+	case TYPE_FILE:
+		if ( ! same_type(t1->YieldType(), t2->YieldType()) )
+			{
+			t1->Error("incompatible types", t2);
+			return 0;
+			}
+
+		return new FileType(merge_types(t1->YieldType(), t2->YieldType()));
+
+	case TYPE_UNION:
+		internal_error("union type in merge_types()");
+		return 0;
+
+	default:
+		internal_error("bad type in merge_types()");
+		return 0;
+	}
+	}
+
+BroType* merge_type_list(ListExpr* elements)
+	{
+	TypeList* tl_type = elements->Type()->AsTypeList();
+	type_list* tl = tl_type->Types();
+
+	if ( tl->length() < 1 )
+		{
+		error("no type can be inferred for empty list");
+		return 0;
+		}
+
+	BroType* t = (*tl)[0]->Ref();
+
+	if ( tl->length() == 1 )
+		return t;
+
+	for ( int i = 1; t && i < tl->length(); ++i )
+		{
+		BroType* t_new = merge_types(t, (*tl)[i]);
+		Unref(t);
+		t = t_new;
+		}
+
+	if ( ! t )
+		error("inconsistent types in list");
+
+	return t;
+	}
+
+// Reduces an aggregate type.
+static BroType* reduce_type(BroType* t)
+	{
+	if ( t->Tag() == TYPE_LIST )
+		return flatten_type(t);
+
+	else if ( t->IsSet() )
+		{
+		TypeList* tl = t->AsTableType()->Indices();
+		if ( tl->Types()->length() == 1 )
+			return (*tl->Types())[0];
+		else
+			return tl;
+		}
+
+	else
+		return t;
+	}
+
+BroType* init_type(Expr* init)
+	{
+	if ( init->Tag() != EXPR_LIST )
+		{
+		BroType* t = init->InitType();
+		if ( ! t )
+			return 0;
+
+		if ( t->Tag() == TYPE_LIST &&
+		     t->AsTypeList()->Types()->length() != 1 )
+			{
+			init->Error("list used in scalar initialization");
+			Unref(t);
+			return 0;
+			}
+
+		return t;
+		}
+
+	ListExpr* init_list = init->AsListExpr();
+	const expr_list& el = init_list->Exprs();
+
+	if ( el.length() == 0 )
+		{
+		init->Error("empty list in untyped initialization");
+		return 0;
+		}
+
+	// Could be a record, a set, or a list of table elements.
+	Expr* e0 = el[0];
+	if ( e0->IsRecordElement(0) )
+		// ListExpr's know how to build a record from their
+		// components.
+		return init_list->InitType();
+
+	BroType* t = e0->InitType();
+	if ( t )
+		t = reduce_type(t);
+	if ( ! t )
+		return 0;
+
+	for ( int i = 1; t && i < el.length(); ++i )
+		{
+		BroType* el_t = el[i]->InitType();
+		BroType* ti = el_t ? reduce_type(el_t) : 0;
+		if ( ! ti )
+			{
+			Unref(t);
+			return 0;
+			}
+
+		if ( same_type(t, ti) )
+			{
+			Unref(ti);
+			continue;
+			}
+
+		BroType* t_merge = merge_types(t, ti);
+		Unref(t);
+		Unref(ti);
+		t = t_merge;
+		}
+
+	if ( ! t )
+		{
+		init->Error("type error in initialization");
+		return 0;
+		}
+
+	if ( t->Tag() == TYPE_TABLE && ! t->AsTableType()->IsSet() )
+		// A list of table elements.
+		return t;
+
+	// A set.  If the index type isn't yet a type list, make
+	// it one, as that's what's required for creating a set type.
+	if ( t->Tag() != TYPE_LIST )
+		{
+		TypeList* tl = new TypeList(t);
+		tl->Append(t);
+		t = tl;
+		}
+
+	return new SetType(t->AsTypeList(), 0);
+	}
diff --git a/src/Type.h b/src/Type.h
new file mode 100644
index 0000000000..7778fabc1e
--- /dev/null
+++ b/src/Type.h
@@ -0,0 +1,609 @@
+// $Id: Type.h 6916 2009-09-24 20:48:36Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#ifndef type_h
+#define type_h
+
+#include <string>
+#include <map>
+
+#include "Obj.h"
+#include "Attr.h"
+#include "BroList.h"
+#include "Dict.h"
+
+// BRO types.
+
+typedef enum {
+	TYPE_VOID,
+	TYPE_BOOL, TYPE_INT, TYPE_COUNT, TYPE_COUNTER, TYPE_DOUBLE,
+	TYPE_TIME, TYPE_INTERVAL,
+	TYPE_STRING, TYPE_PATTERN,
+	TYPE_ENUM,
+	TYPE_TIMER,
+	TYPE_PORT, TYPE_ADDR, TYPE_NET, TYPE_SUBNET,
+	TYPE_ANY,
+	TYPE_TABLE,
+	TYPE_UNION,
+	TYPE_RECORD,
+	TYPE_LIST,
+	TYPE_FUNC,
+	TYPE_FILE,
+	TYPE_VECTOR,
+	TYPE_ERROR
+#define NUM_TYPES (int(TYPE_ERROR) + 1)
+} TypeTag;
+
+typedef enum { FUNC_FLAVOR_FUNCTION, FUNC_FLAVOR_EVENT } function_flavor;
+
+typedef enum {
+	TYPE_INTERNAL_VOID,
+	TYPE_INTERNAL_INT, TYPE_INTERNAL_UNSIGNED, TYPE_INTERNAL_DOUBLE,
+	TYPE_INTERNAL_STRING, TYPE_INTERNAL_ADDR, TYPE_INTERNAL_SUBNET,
+	TYPE_INTERNAL_OTHER, TYPE_INTERNAL_ERROR
+} InternalTypeTag;
+
+// Returns the name of the type.
+extern const char* type_name(TypeTag t);
+
+class Expr;
+class Attributes;
+class TypeList;
+class TableType;
+class SetType;
+class RecordType;
+class SubNetType;
+class FuncType;
+class ListExpr;
+class EnumType;
+class Serializer;
+class VectorType;
+
+extern bool in_global_attr_decl;
+extern RecordType* global_attributes_type;
+
+const int DOES_NOT_MATCH_INDEX = 0;
+const int MATCHES_INDEX_SCALAR = 1;
+const int MATCHES_INDEX_VECTOR = 2;
+
+class BroType : public BroObj {
+public:
+	BroType(TypeTag tag, bool base_type = false);
+
+	TypeTag Tag() const		{ return tag; }
+	InternalTypeTag InternalType() const	{ return internal_tag; }
+
+	// Type for the attributes (metadata) on this type.
+	RecordType* AttributesType()
+		{
+		if ( ! attributes_type )
+			attributes_type = global_attributes_type;
+		return attributes_type;
+		}
+	bool SetAttributesType(type_decl_list* attr_types);
+
+	// Whether it's stored in network order.
+	int IsNetworkOrder() const	{ return is_network_order; }
+
+	// Type-checks the given expression list, returning
+	// MATCHES_INDEX_SCALAR = 1 if it matches this type's index
+	// and produces a scalar result (and promoting its
+	// subexpressions as necessary); MATCHES_INDEX_VECTOR = 2
+	// if it matches and produces a vector result; and
+	// DOES_NOT_MATCH_INDEX = 0 if it can't match (or the type
+	// is not an indexable type).
+	virtual int MatchesIndex(ListExpr*& index) const;
+
+	// Returns the type yielded by this type.  For example, if
+	// this type is a table[string] of port, then returns the "port"
+	// type.  Returns nil if this is not an index type.
+	virtual BroType* YieldType();
+	const BroType* YieldType() const
+		{ return ((BroType*) this)->YieldType(); }
+
+	// Returns true if this type is a record and contains the
+	// given field, false otherwise.
+	virtual int HasField(const char* field) const;
+
+	// Returns the type of the given field, or nil if no such field.
+	virtual BroType* FieldType(const char* field) const;
+
+#define CHECK_TYPE_TAG(tag_type, func_name) \
+	CHECK_TAG(tag, tag_type, func_name, type_name)
+
+	const TypeList* AsTypeList() const
+		{
+		CHECK_TYPE_TAG(TYPE_LIST, "BroType::AsTypeList");
+		return (const TypeList*) this;
+		}
+	TypeList* AsTypeList()
+		{
+		CHECK_TYPE_TAG(TYPE_LIST, "BroType::AsTypeList");
+		return (TypeList*) this;
+		}
+
+	const TableType* AsTableType() const
+		{
+		CHECK_TYPE_TAG(TYPE_TABLE, "BroType::AsTableType");
+		return (const TableType*) this;
+		}
+	TableType* AsTableType()
+		{
+		CHECK_TYPE_TAG(TYPE_TABLE, "BroType::AsTableType");
+		return (TableType*) this;
+		}
+
+	SetType* AsSetType()
+		{
+		if ( ! IsSet() )
+			BadTag("BroType::AsSetType", type_name(tag));
+		return (SetType*) this;
+		}
+	const SetType* AsSetType() const
+		{
+		if ( ! IsSet() )
+			BadTag("BroType::AsSetType", type_name(tag));
+		return (const SetType*) this;
+		}
+
+	const RecordType* AsRecordType() const
+		{
+		CHECK_TYPE_TAG(TYPE_RECORD, "BroType::AsRecordType");
+		return (const RecordType*) this;
+		}
+	RecordType* AsRecordType()
+		{
+		CHECK_TYPE_TAG(TYPE_RECORD, "BroType::AsRecordType");
+		return (RecordType*) this;
+		}
+
+	const SubNetType* AsSubNetType() const
+		{
+		CHECK_TYPE_TAG(TYPE_SUBNET, "BroType::AsSubNetType");
+		return (const SubNetType*) this;
+		}
+	SubNetType* AsSubNetType()
+		{
+		CHECK_TYPE_TAG(TYPE_SUBNET, "BroType::AsSubNetType");
+		return (SubNetType*) this;
+		}
+
+	const FuncType* AsFuncType() const
+		{
+		CHECK_TYPE_TAG(TYPE_FUNC, "BroType::AsFuncType");
+		return (const FuncType*) this;
+		}
+	FuncType* AsFuncType()
+		{
+		CHECK_TYPE_TAG(TYPE_FUNC, "BroType::AsFuncType");
+		return (FuncType*) this;
+		}
+
+	const EnumType* AsEnumType() const
+		{
+		CHECK_TYPE_TAG(TYPE_ENUM, "BroType::AsEnumType");
+		return (EnumType*) this;
+		}
+
+	EnumType* AsEnumType()
+		{
+		CHECK_TYPE_TAG(TYPE_ENUM, "BroType::AsEnumType");
+		return (EnumType*) this;
+		}
+
+	const VectorType* AsVectorType() const
+	        {
+		CHECK_TYPE_TAG(TYPE_VECTOR, "BroType::AsVectorType");
+		return (VectorType*) this;
+		}
+
+	VectorType* AsVectorType()
+	        {
+		CHECK_TYPE_TAG(TYPE_VECTOR, "BroType::AsVectorType");
+		return (VectorType*) this;
+		}
+
+	int IsSet() const
+		{
+		return tag == TYPE_TABLE && (YieldType() == 0);
+		}
+
+	BroType* Ref()		{ ::Ref(this); return this; }
+
+	void MakeGlobalAttributeType()	{ is_global_attributes_type = true; }
+
+	virtual void Describe(ODesc* d) const;
+
+	virtual unsigned MemoryAllocation() const;
+
+	bool Serialize(SerialInfo* info) const;
+	static BroType* Unserialize(UnserialInfo* info, TypeTag want = TYPE_ANY);
+
+protected:
+	BroType()	{ attributes_type = 0; }
+
+	void SetError();
+
+	DECLARE_SERIAL(BroType)
+
+private:
+	TypeTag tag;
+	InternalTypeTag internal_tag;
+	bool is_network_order;
+	bool base_type;
+	bool is_global_attributes_type;
+	RecordType* attributes_type;
+};
+
+class TypeList : public BroType {
+public:
+	TypeList(BroType* arg_pure_type = 0) : BroType(TYPE_LIST)
+		{
+		pure_type = arg_pure_type;
+		if ( pure_type )
+			pure_type->Ref();
+		}
+	~TypeList();
+
+	const type_list* Types() const	{ return &types; }
+	type_list* Types()		{ return &types; }
+
+	int IsPure() const		{ return pure_type != 0; }
+
+	// Returns the underlying pure type, or nil if the list
+	// is not pure or is empty.
+	BroType* PureType()		{ return pure_type; }
+	const BroType* PureType() const	{ return pure_type; }
+
+	// True if all of the types match t, false otherwise.  If
+	// is_init is true, then the matching is done in the context
+	// of an initialization.
+	int AllMatch(const BroType* t, int is_init) const;
+
+	void Append(BroType* t);
+	void AppendEvenIfNotPure(BroType* t);
+
+	void Describe(ODesc* d) const;
+
+	unsigned int MemoryAllocation() const
+		{
+		return BroType::MemoryAllocation()
+			+ padded_sizeof(*this) - padded_sizeof(BroType)
+			+ types.MemoryAllocation() - padded_sizeof(types);
+		}
+
+protected:
+	DECLARE_SERIAL(TypeList)
+
+	BroType* pure_type;
+	type_list types;
+};
+
+class IndexType : public BroType {
+public:
+	int MatchesIndex(ListExpr*& index) const;
+
+	TypeList* Indices() const		{ return indices; }
+	const type_list* IndexTypes() const	{ return indices->Types(); }
+	BroType* YieldType();
+
+	void Describe(ODesc* d) const;
+
+	// Returns true if this table is solely indexed by subnet.
+	bool IsSubNetIndex() const;
+
+protected:
+	IndexType(){ indices = 0; yield_type = 0; }
+	IndexType(TypeTag t, TypeList* arg_indices, BroType* arg_yield_type) :
+		BroType(t)
+		{
+		indices = arg_indices;
+		yield_type = arg_yield_type;
+		}
+	~IndexType();
+
+	DECLARE_SERIAL(IndexType)
+
+	TypeList* indices;
+	BroType* yield_type;
+};
+
+class TableType : public IndexType {
+public:
+	TableType(TypeList* ind, BroType* yield);
+
+	// Returns true if this table type is "unspecified", which is
+	// what one gets using an empty "set()" or "table()" constructor.
+	bool IsUnspecifiedTable() const;
+
+protected:
+	TableType()	{}
+
+	TypeList* ExpandRecordIndex(RecordType* rt) const;
+
+	DECLARE_SERIAL(TableType)
+};
+
+class SetType : public TableType {
+public:
+	SetType(TypeList* ind, ListExpr* arg_elements);
+	~SetType();
+
+	ListExpr* SetElements() const	{ return elements; }
+
+protected:
+	SetType()	{}
+
+	ListExpr* elements;
+
+	DECLARE_SERIAL(SetType)
+};
+
+class FuncType : public BroType {
+public:
+	FuncType(RecordType* args, BroType* yield, int is_event);
+
+	~FuncType();
+
+	RecordType* Args() const	{ return args; }
+	BroType* YieldType();
+	void SetYieldType(BroType* arg_yield)	{ yield = arg_yield; }
+	int IsEvent() const		{ return is_event; }
+
+	// Used to convert a function type to an event type.
+	void ClearYieldType()
+		{ Unref(yield); yield = 0; is_event = 1; }
+
+	int MatchesIndex(ListExpr*& index) const;
+	int CheckArgs(const type_list* args) const;
+
+	TypeList* ArgTypes()	{ return arg_types; }
+
+	ID* GetReturnValueID() const;
+
+	void Describe(ODesc* d) const;
+
+protected:
+	FuncType()	{ args = 0; arg_types = 0; yield = 0; return_value = 0; }
+	DECLARE_SERIAL(FuncType)
+
+	RecordType* args;
+	TypeList* arg_types;
+	BroType* yield;
+	int is_event;
+	ID* return_value;
+};
+
+class TypeDecl {
+public:
+	TypeDecl(BroType* t, const char* i, attr_list* attrs = 0);
+	~TypeDecl();
+
+	const Attr* FindAttr(attr_tag a) const
+		{ return attrs ? attrs->FindAttr(a) : 0; }
+
+	bool Serialize(SerialInfo* info) const;
+	static TypeDecl* Unserialize(UnserialInfo* info);
+
+	BroType* type;
+	Attributes* attrs;
+	const char* id;
+};
+
+class RecordField {
+public:
+	RecordField(int arg_base, int arg_offset, int arg_total_offset);
+
+	int base;	// which base element it belongs to
+	int offset;	// where it is in that base
+	int total_offset;	// where it is in the aggregate record
+};
+declare(PDict,RecordField);
+
+class RecordType : public BroType {
+public:
+	RecordType(type_decl_list* types);
+	RecordType(TypeList* base, type_decl_list* refinements);
+
+	~RecordType();
+
+	int HasField(const char* field) const;
+	BroType* FieldType(const char* field) const;
+	BroType* FieldType(int field) const;
+
+	// A field's offset is its position in the type_decl_list,
+	// starting at 0.  Returns negative if the field doesn't exist.
+	int FieldOffset(const char* field) const;
+
+	// Given an offset, returns the field's name.
+	const char* FieldName(int field) const;
+
+	// Given an offset, returns the field's TypeDecl.
+	const TypeDecl* FieldDecl(int field) const;
+	TypeDecl* FieldDecl(int field);
+
+	int NumFields() const			{ return num_fields; }
+
+	void Describe(ODesc* d) const;
+	void DescribeFields(ODesc* d) const;
+
+protected:
+	RecordType() { fields = 0; base = 0; types = 0; }
+
+	void Init(TypeList* arg_base);
+
+	DECLARE_SERIAL(RecordType)
+
+	int num_fields;
+	PDict(RecordField)* fields;
+	TypeList* base;
+	type_decl_list* types;
+};
+
+class SubNetType : public BroType {
+public:
+	SubNetType();
+	void Describe(ODesc* d) const;
+protected:
+	DECLARE_SERIAL(SubNetType)
+};
+
+class FileType : public BroType {
+public:
+	FileType(BroType* yield_type);
+	~FileType();
+
+	BroType* YieldType();
+
+	void Describe(ODesc* d) const;
+
+protected:
+	FileType()	{ yield = 0; }
+
+	DECLARE_SERIAL(FileType)
+
+	BroType* yield;
+};
+
+class EnumType : public BroType {
+public:
+	EnumType(bool arg_is_export);
+	~EnumType();
+
+	// The value of this name is next counter value, which is returned.
+	// A return value of -1 means that the identifier already existed
+	// (and thus could not be used).
+	int AddName(const string& module_name, const char* name);
+
+	// Add in names from the suppled EnumType; the return value is
+	// the value of the last enum added.
+	int AddNamesFrom(const string& module_name, EnumType* et);
+
+	// -1 indicates not found.
+	int Lookup(const string& module_name, const char* name);
+	const char* Lookup(int value); // Returns 0 if not found
+
+protected:
+	EnumType()	{}
+
+	DECLARE_SERIAL(EnumType)
+
+	typedef std::map< const char*, int, ltstr > NameMap;
+	NameMap names;
+	int counter;
+	bool is_export;
+};
+
+class VectorType : public BroType {
+public:
+	VectorType(BroType* t);
+	virtual ~VectorType();
+	BroType* YieldType()	{ return yield_type; }
+
+	int MatchesIndex(ListExpr*& index) const;
+
+protected:
+	VectorType()	{ yield_type = 0; }
+
+	DECLARE_SERIAL(VectorType)
+
+	BroType* yield_type;
+};
+
+
+// Returns the given type refinement, or error_type() if it's illegal.
+extern BroType* refine_type(TypeList* base, type_decl_list* refinements);
+
+// Returns the BRO basic (non-parameterized) type with the given type.
+extern BroType* base_type(TypeTag tag);
+
+// Returns the BRO basic error type.
+inline BroType* error_type()	{ return base_type(TYPE_ERROR); }
+
+// True if the two types are equivalent.  If is_init is true then the
+// test is done in the context of an initialization.
+extern int same_type(const BroType* t1, const BroType* t2, int is_init=0);
+
+// Returns true if the record sub_rec can be promoted to the record
+// super_rec.
+extern int record_promotion_compatible(const RecordType* super_rec,
+					const RecordType* sub_rec);
+
+// If the given BroType is a TypeList with just one element, returns
+// that element, otherwise returns the type.
+extern const BroType* flatten_type(const BroType* t);
+extern BroType* flatten_type(BroType* t);
+
+// Returns the "maximum" of two type tags, in a type-promotion sense.
+extern TypeTag max_type(TypeTag t1, TypeTag t2);
+
+// Given two types, returns the "merge", in which promotable types
+// are promoted to the maximum of the two.  Returns nil (and generates
+// an error message) if the types are incompatible.
+extern BroType* merge_types(const BroType* t1, const BroType* t2);
+
+// Given a list of expressions, returns a (ref'd) type reflecting
+// a merged type consistent across all of them, or nil if this
+// cannot be done.
+BroType* merge_type_list(ListExpr* elements);
+
+// Given an expression, infer its type when used for an initialization.
+extern BroType* init_type(Expr* init);
+
+// True if the given type tag corresponds to an integral type.
+#define IsIntegral(t)	(t == TYPE_INT || t == TYPE_COUNT || t == TYPE_COUNTER)
+
+// True if the given type tag corresponds to an arithmetic type.
+#define IsArithmetic(t)	(IsIntegral(t) || t == TYPE_DOUBLE)
+
+// True if the given type tag corresponds to a boolean type.
+#define IsBool(t)	(t == TYPE_BOOL)
+
+// True if the given type tag corresponds to an interval type.
+#define IsInterval(t)	(t == TYPE_INTERVAL)
+
+// True if the given type tag corresponds to a record type.
+#define IsRecord(t)	(t == TYPE_RECORD || t == TYPE_UNION)
+
+// True if the given type tag corresponds to a function type.
+#define IsFunc(t)	(t == TYPE_FUNC)
+
+// True if the given type tag corresponds to mutable type.
+#define IsMutable(t)	\
+	(t == TYPE_RECORD || t == TYPE_TABLE || t == TYPE_VECTOR)
+
+// True if the given type type is a vector.
+#define IsVector(t)	(t == TYPE_VECTOR)
+
+// True if the given type type is a string.
+#define IsString(t)	(t == TYPE_STRING)
+
+// True if the given type tag corresponds to type that can be assigned to.
+extern int is_assignable(BroType* t);
+
+// True if the given type tag corresponds to the error type.
+#define IsErrorType(t)	(t == TYPE_ERROR)
+
+// True if both tags are integral types.
+#define BothIntegral(t1, t2) (IsIntegral(t1) && IsIntegral(t2))
+
+// True if both tags are arithmetic types.
+#define BothArithmetic(t1, t2) (IsArithmetic(t1) && IsArithmetic(t2))
+
+// True if either tags is an arithmetic type.
+#define EitherArithmetic(t1, t2) (IsArithmetic(t1) || IsArithmetic(t2))
+
+// True if both tags are boolean types.
+#define BothBool(t1, t2) (IsBool(t1) && IsBool(t2))
+
+// True if both tags are interval types.
+#define BothInterval(t1, t2) (IsInterval(t1) && IsInterval(t2))
+
+// True if both tags are string types.
+#define BothString(t1, t2) (IsString(t1) && IsString(t2))
+
+// True if either tag is the error type.
+#define EitherError(t1, t2) (IsErrorType(t1) || IsErrorType(t2))
+
+#endif
diff --git a/src/UDP.cc b/src/UDP.cc
new file mode 100644
index 0000000000..fc697bf105
--- /dev/null
+++ b/src/UDP.cc
@@ -0,0 +1,207 @@
+// $Id: UDP.cc 6219 2008-10-01 05:39:07Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "config.h"
+
+#include "Net.h"
+#include "NetVar.h"
+#include "UDP.h"
+#include "UDP_Rewriter.h"
+
+UDP_Analyzer::UDP_Analyzer(Connection* conn)
+: TransportLayerAnalyzer(AnalyzerTag::UDP, conn)
+	{
+	conn->EnableStatusUpdateTimer();
+	conn->SetInactivityTimeout(udp_inactivity_timeout);
+	request_len = reply_len = -1;	// -1 means "haven't seen any activity"
+	}
+
+UDP_Analyzer::~UDP_Analyzer()
+	{
+	// XXX: need to implement this!
+	// delete src_pkt_writer;
+	}
+
+void UDP_Analyzer::Init()
+	{
+	if ( transformed_pkt_dump && RewritingTrace() )
+		SetTraceRewriter(new UDP_Rewriter(this, transformed_pkt_dump_MTU,
+					transformed_pkt_dump));
+	}
+
+void UDP_Analyzer::Done()
+	{
+	Analyzer::Done();
+	}
+
+void UDP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig,
+					int seq, const IP_Hdr* ip, int caplen)
+	{
+	assert(ip);
+
+	Analyzer::DeliverPacket(len, data, is_orig, seq, ip, caplen);
+
+	const struct udphdr* up = (const struct udphdr*) data;
+
+	// Increment data before checksum check so that data will
+	// point to UDP payload even if checksum fails. Particularly,
+	// it allows event packet_contents to get to the data.
+	data += sizeof(struct udphdr);
+
+	// We need the min() here because Ethernet frame padding can lead to
+	// caplen > len.
+	if ( packet_contents )
+		PacketContents(data, min(len, caplen) - sizeof(struct udphdr));
+
+	int chksum = up->uh_sum;
+
+	if ( ! ignore_checksums && caplen >= len )
+		{
+		bool bad = false;
+
+		if ( ip->IP4_Hdr() && chksum &&
+		     udp_checksum(ip->IP4_Hdr(), up, len) != 0xffff )
+			bad = true;
+
+#ifdef BROv6
+		if ( ip->IP6_Hdr() && /* checksum is not optional for IPv6 */
+		     udp6_checksum(ip->IP6_Hdr(), up, len) != 0xffff )
+			bad = true;
+#endif
+
+		if ( bad )
+			{
+			Weird("bad_UDP_checksum");
+
+			if ( is_orig )
+				Conn()->CheckHistory(HIST_ORIG_CORRUPT_PKT, 'C');
+			else
+				Conn()->CheckHistory(HIST_RESP_CORRUPT_PKT, 'c');
+
+			return;
+			}
+		}
+
+	int ulen = ntohs(up->uh_ulen);
+	if ( ulen != len )
+		Weird(fmt("UDP_datagram_length_mismatch(%d!=%d)", ulen, len));
+
+	len -= sizeof(struct udphdr);
+	ulen -= sizeof(struct udphdr);
+	caplen -= sizeof(struct udphdr);
+
+	Conn()->SetLastTime(current_timestamp);
+
+	if ( udp_contents )
+		{
+		PortVal port_val(ntohs(up->uh_dport), TRANSPORT_UDP);
+		Val* result = 0;
+		bool do_udp_contents = false;
+
+		if ( is_orig )
+			{
+			result = udp_content_delivery_ports_orig->Lookup(
+								&port_val);
+			if ( udp_content_deliver_all_orig ||
+			     (result && result->AsBool()) )
+				do_udp_contents = true;
+			}
+		else
+			{
+			result = udp_content_delivery_ports_resp->Lookup(
+								&port_val);
+			if ( udp_content_deliver_all_resp ||
+			     (result && result->AsBool()) )
+				do_udp_contents = true;
+			}
+
+		if ( do_udp_contents )
+			{
+			val_list* vl = new val_list;
+			vl->append(BuildConnVal());
+			vl->append(new Val(is_orig, TYPE_BOOL));
+			vl->append(new StringVal(len, (const char*) data));
+			ConnectionEvent(udp_contents, vl);
+			}
+		}
+
+	if ( is_orig )
+		{
+		Conn()->CheckHistory(HIST_ORIG_DATA_PKT, 'D');
+
+		if ( request_len < 0 )
+			request_len = ulen;
+		else
+			{
+			request_len += ulen;
+#ifdef DEBUG
+			if ( request_len < 0 )
+				warn("wrapping around for UDP request length");
+#endif
+			}
+
+		Event(udp_request);
+		}
+
+	else
+		{
+		Conn()->CheckHistory(HIST_RESP_DATA_PKT, 'd');
+
+		if ( reply_len < 0 )
+			reply_len = ulen;
+		else
+			{
+			reply_len += ulen;
+#ifdef DEBUG
+			if ( reply_len < 0 )
+				warn("wrapping around for UDP reply length");
+#endif
+			}
+
+		Event(udp_reply);
+		}
+
+	if ( caplen >= len )
+		ForwardPacket(len, data, is_orig, seq, ip, caplen);
+
+	if ( TraceRewriter() && current_hdr )
+		((UDP_Rewriter*) TraceRewriter())->NextPacket(is_orig,
+					current_timestamp, current_hdr, current_pkt,
+					current_hdr_size, ip->IP4_Hdr(), up);
+
+#if 0
+		// XXX: needs to be implemented fully!
+	if ( src_pkt_writer && current_hdr )
+		src_pkt_writer->NextPacket(current_hdr, current_pkt);
+#endif
+	}
+
+void UDP_Analyzer::UpdateEndpointVal(RecordVal* endp, int is_orig)
+	{
+	bro_int_t size = is_orig ? request_len : reply_len;
+	if ( size < 0 )
+		{
+		endp->Assign(0, new Val(0, TYPE_COUNT));
+		endp->Assign(1, new Val(int(UDP_INACTIVE), TYPE_COUNT));
+		}
+
+	else
+		{
+		endp->Assign(0, new Val(size, TYPE_COUNT));
+		endp->Assign(1, new Val(int(UDP_ACTIVE), TYPE_COUNT));
+		}
+	}
+
+bool UDP_Analyzer::IsReuse(double /* t */, const u_char* /* pkt */)
+	{
+	return 0;
+	}
+
+unsigned int UDP_Analyzer::MemoryAllocation() const
+	{
+	// A rather low lower bound....
+	return Analyzer::MemoryAllocation() + padded_sizeof(*this) - 24;
+	}
+
+
diff --git a/src/UDP.h b/src/UDP.h
new file mode 100644
index 0000000000..6666be998a
--- /dev/null
+++ b/src/UDP.h
@@ -0,0 +1,50 @@
+// $Id: UDP.h 6219 2008-10-01 05:39:07Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#ifndef udp_h
+#define udp_h
+
+#include "Analyzer.h"
+#include "Rewriter.h"
+
+class UDP_Rewriter;
+
+typedef enum {
+	UDP_INACTIVE,	// no packet seen
+	UDP_ACTIVE,	// packets seen
+} UDP_EndpointState;
+
+class UDP_Analyzer : public TransportLayerAnalyzer {
+public:
+	UDP_Analyzer(Connection* conn);
+	virtual ~UDP_Analyzer();
+
+	virtual void Init();
+
+	static Analyzer* InstantiateAnalyzer(Connection* conn)
+		{ return new UDP_Analyzer(conn); }
+
+	static bool Available() { return true; }
+
+	// -- XXX -- only want to return yes if the protocol flag is
+	//  on similar to TCP. (e.g. FTP_Connection etc.) /mc
+	int RewritingTrace() const	{ return 0; }
+
+protected:
+	virtual void Done();
+	virtual void DeliverPacket(int len, const u_char* data, bool orig,
+					int seq, const IP_Hdr* ip, int caplen);
+	virtual void UpdateEndpointVal(RecordVal* endp, int is_orig);
+	virtual bool IsReuse(double t, const u_char* pkt);
+	virtual unsigned int MemoryAllocation() const;
+
+	bro_int_t request_len, reply_len;
+
+#define HIST_ORIG_DATA_PKT 0x1
+#define HIST_RESP_DATA_PKT 0x2
+#define HIST_ORIG_CORRUPT_PKT 0x4
+#define HIST_RESP_CORRUPT_PKT 0x8
+};
+
+#endif
diff --git a/src/UDP_Rewriter.cc b/src/UDP_Rewriter.cc
new file mode 100644
index 0000000000..967f2087f1
--- /dev/null
+++ b/src/UDP_Rewriter.cc
@@ -0,0 +1,362 @@
+// $Id:$
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+
+#include "config.h"
+
+#include <assert.h>
+#include <stdlib.h>
+
+#include "Event.h"
+#include "Net.h"
+#include "UDP_Rewriter.h"
+
+#define MSG_PREFIX	"UDP trace rewriter: "
+#define DEBUG_MSG_A(x...)
+// #define DEBUG_MSG_A	DEBUG_MSG
+
+
+UDP_Rewriter::UDP_Rewriter(Analyzer* arg_analyzer, int arg_MTU,
+				PacketDumper* arg_dumper)
+	{
+	analyzer = arg_analyzer;
+	MTU = arg_MTU;
+	dumper = arg_dumper;
+	packets_rewritten = 0;
+	current_packet = next_packet = 0;
+
+	if ( anonymize_ip_addr )
+		{
+		anon_addr[0] = anonymize_ip(to_v4_addr(analyzer->Conn()->OrigAddr()),
+						ORIG_ADDR);
+		anon_addr[1] = anonymize_ip(to_v4_addr(analyzer->Conn()->RespAddr()),
+						RESP_ADDR);
+		}
+	else
+		anon_addr[0] = anon_addr[1] = 0;
+	}
+
+void UDP_Rewriter::Done()
+	{
+	}
+
+UDP_Rewriter::~UDP_Rewriter()
+	{
+	delete current_packet;
+	}
+
+void UDP_Rewriter::WriteData(int is_orig, int len, const u_char* data)
+	{
+	DoWriteData(is_orig, len, data);
+	}
+
+void UDP_Rewriter::DoWriteData(int is_orig, int len, const u_char* data)
+	{
+ 	struct pcap_pkthdr* hdr;
+	int length = len;
+	ipaddr32_t src = 0, dst = 0;
+
+	current_packet->AppendData(data,len);
+	// Mark data to be written.
+	current_packet->SetModified();
+	}
+
+// Compose the packet so it can be written.
+// Compute UDP/IP checksums, lengths, addresses.
+int UDP_TracePacket::BuildPacket(struct pcap_pkthdr*& hdr,
+				const u_char*& arg_pkt, int& length,
+				ipaddr32_t anon_src, ipaddr32_t anon_dst)
+	{
+	struct ip* ip = (struct ip*) (pkt + ip_offset);
+	struct udphdr* up = (struct udphdr*) (pkt + udp_offset);
+	uint32 sum = 0;
+
+	// Fix IP addresses before computing the UDP checksum
+	if ( anonymize_ip_addr )
+		{
+		ip->ip_src.s_addr = anon_src;
+		ip->ip_dst.s_addr = anon_dst;
+		}
+
+	// Create the IP header.
+	ip->ip_off = 0;
+	ip->ip_sum = 0;
+	ip->ip_hl = (udp_offset - ip_offset) >> 2;
+	ip->ip_len = htons(buffer_offset - ip_offset);
+	ip->ip_off = 0;	// DF = 0, MF = 0, offset = 0
+	ip->ip_sum = 0;
+	ip->ip_sum = 0xffff - ones_complement_checksum((const void*) ip,
+						(udp_offset-ip_offset), sum);
+
+	pcap_hdr.caplen = pcap_hdr.len = buffer_offset;
+
+	hdr = &pcap_hdr;
+	arg_pkt = pkt;
+	length = buffer_offset;
+
+	// Create the UDP header.
+	up->uh_ulen = htons(buffer_offset - udp_offset);
+	up->uh_sum = 0;
+	up->uh_sum = 0xffff - udp_checksum(ip, up, buffer_offset - udp_offset);
+
+	// Create the pcap header.
+	//
+	// The below works around a potential type incompatibility
+	// on systems where pcap's timeval is different from the
+	// system-wide one. --cpk
+	//
+	timeval tv_tmp = double_to_timeval(timestamp);
+	pcap_hdr.ts.tv_sec = tv_tmp.tv_sec;
+	pcap_hdr.ts.tv_usec = tv_tmp.tv_usec;
+	pcap_hdr.caplen = pcap_hdr.len = buffer_offset;
+
+	hdr = &pcap_hdr;
+	arg_pkt = pkt;
+	length = buffer_offset;
+
+	return 1;
+	}
+
+void UDP_Rewriter::NextPacket(int is_orig, double t,
+				const struct pcap_pkthdr* pcap_hdr,
+				const u_char* pcap_pkt, int hdr_size,
+				const struct ip* ip, const struct udphdr* up)
+	{
+	unsigned int ip_hdr_len = ip->ip_hl * 4;
+
+	// Cache the packet ....
+	UDP_TracePacket* p = new UDP_TracePacket(this, t, is_orig,
+				pcap_hdr, /*MTU */ 1024,
+				hdr_size + ip_hdr_len + sizeof(struct udphdr));
+
+	if ( ! p->AppendLinkHeader(pcap_pkt, hdr_size) )
+		internal_error(MSG_PREFIX "cannot append headers -- check MTU");
+
+	if ( ! p->AppendIPHeader((const u_char*) ip, sizeof(*ip)) )
+		internal_error(MSG_PREFIX "cannot append headers -- check MTU");
+
+	if ( ! p->AppendUDPHeader((const u_char*) up, sizeof(*up)) )
+		internal_error(MSG_PREFIX "cannot append headers -- check MTU");
+
+	// We only ever use one packet in UDP.
+	// ### This is potentially a leak.
+	next_packet = current_packet = p;
+	}
+
+void UDP_Rewriter::Push(int)
+	{
+	internal_error("UDP_Rewriter::Push not implemented");
+	}
+
+void UDP_Rewriter::AbortPackets(int)
+	{
+	internal_error("UDP_Rewriter::AbortPackets not implemented");
+	}
+
+unsigned int UDP_Rewriter::ReserveSlot()
+	{
+	internal_error("UDP_Rewriter::ReserveSlot not implemented");
+	return 0;
+	}
+
+int UDP_Rewriter::SeekSlot(unsigned int)
+	{
+	internal_error("UDP_Rewriter::SeekSlot not implemented");
+	return 0;
+	}
+
+int UDP_Rewriter::ReturnFromSlot()
+	{
+	internal_error("UDP_Rewriter::ReturnFromSlot not implemented");
+	return 0;
+	}
+int UDP_Rewriter::ReleaseSlot(unsigned int)
+	{
+	internal_error("UDP_Rewriter::ReleaseSlot not implemented");
+	return 0;
+	}
+
+int UDP_Rewriter::LeaveAddrInTheClear(int is_orig)
+	{
+	internal_error("UDP_Rewriter::LeaveAddrInTheClear not implemented");
+	return 0;
+	}
+
+void UDP_Rewriter::CommitPackets(int commit)
+	{
+	if ( current_packet && current_packet->IsModified() )
+		{
+		ipaddr32_t anon_src = 0, anon_dst = 0;
+
+		if ( current_packet->IsOrig() )
+			{
+			anon_src = anon_addr[0];
+			anon_dst = anon_addr[1];
+			}
+		else
+			{
+			anon_src = anon_addr[1];
+			anon_dst = anon_addr[0];
+			}
+
+		struct pcap_pkthdr* hdr;
+		const u_char* pkt;
+		int len;
+		current_packet->BuildPacket(hdr, pkt, len, anon_src, anon_dst);
+
+		dumper->DumpPacket(hdr, pkt, hdr->caplen);
+		}
+
+	delete current_packet;
+	next_packet = current_packet = 0;
+
+	++packets_rewritten;
+	}
+
+UDP_TracePacket::UDP_TracePacket(UDP_Rewriter* arg_trace_rewriter,
+					double t, int arg_is_orig,
+					const struct pcap_pkthdr* arg_hdr,
+					int MTU, int initial_size)
+	{
+	trace_rewriter = arg_trace_rewriter;
+	pcap_hdr = *arg_hdr;
+	// packet_seq = arg_packet_seq;
+	timestamp = t;
+	is_orig = arg_is_orig;
+	mtu = MTU;
+	buffer_size = initial_size;
+	buffer_offset = 0;
+
+	pkt = new u_char[buffer_size];
+
+	ip_offset = udp_offset = data_offset = -1;
+
+	reuse = 0;
+	on_hold = 0;
+	modified = 0;
+	seq_gap = 0;
+
+	packet_val = 0;
+	packet_val = PacketVal();
+	}
+
+UDP_TracePacket::~UDP_TracePacket()
+	{
+	packet_val->SetOrigin(0);
+	Unref(packet_val);
+	delete [] pkt;
+	}
+
+RecordVal* UDP_TracePacket::PacketVal()
+	{
+	if ( packet_val )
+		Ref(packet_val);
+	else
+		{
+		packet_val = new RecordVal(packet_type);
+		packet_val->Assign(0, TraceRewriter()->GetAnalyzer()->BuildConnVal());
+		packet_val->Assign(1, new Val(IsOrig(), TYPE_BOOL));
+		packet_val->Assign(2, new Val(TimeStamp(), TYPE_TIME));
+		packet_val->SetOrigin(this);
+		}
+
+	return packet_val;
+	}
+
+int UDP_TracePacket::AppendLinkHeader(const u_char* chunk, int len)
+	{
+	if ( ip_offset >= 0 && ip_offset != buffer_offset )
+		internal_error(MSG_PREFIX "link header must be appended before IP header");
+
+	if ( ! Append(chunk, len) )
+		return 0;
+
+	ip_offset = buffer_offset;
+	return 1;
+	}
+
+int UDP_TracePacket::AppendIPHeader(const u_char* chunk, int len)
+	{
+	if ( udp_offset >= 0 && udp_offset != buffer_offset )
+		internal_error(MSG_PREFIX "IP header must be appended before udp header");
+
+	if ( ! Append(chunk, len) )
+		return 0;
+
+	udp_offset = buffer_offset;
+	return 1;
+	}
+
+int UDP_TracePacket::AppendUDPHeader(const u_char* chunk, int len)
+	{
+	if ( data_offset >= 0 && data_offset != buffer_offset )
+		internal_error(MSG_PREFIX "tcp header must be appended before payload");
+
+	if ( udp_offset == buffer_offset )
+		{ // first UDP header chunk
+		int extra = (udp_offset - ip_offset) % 4;
+		if ( extra )
+			{
+			DEBUG_MSG(MSG_PREFIX "padding IP header");
+			if ( ! AppendIPHeader(0, 4 - extra) )
+				return 0;
+			}
+		}
+
+	if ( ! Append(chunk, len) )
+		return 0;
+
+	data_offset = buffer_offset;
+	return 1;
+	}
+
+int UDP_TracePacket::AppendData(const u_char* chunk, int len)
+	{
+	// All headers must be appended before any data.
+	ASSERT(ip_offset >= 0 && udp_offset >= 0 && data_offset >= 0);
+
+	if ( data_offset == buffer_offset )
+		{ // first data chunk
+		int extra = (data_offset - udp_offset) % 4;
+		if ( extra )
+			{
+			if ( ! AppendUDPHeader(0, 4 - extra) )
+				return 0;
+			}
+		}
+
+	if ( ! Append(chunk, len) )
+		return 0;
+
+	return 1;
+	}
+
+int UDP_TracePacket::Append(const u_char* chunk, int len)
+	{
+	if ( buffer_offset + len > buffer_size )
+		{
+		if ( buffer_offset + len > mtu )
+			return 0;
+
+		u_char* tmp = new u_char[mtu];
+		for ( int i = 0 ; i < buffer_size; ++i )
+			tmp[i] = pkt[i];
+
+		delete [] pkt;
+		pkt = tmp;
+		buffer_size = mtu;
+		}
+
+	ASSERT(buffer_offset + len <= buffer_size);
+
+	if ( chunk )
+		memcpy(pkt + buffer_offset, chunk, len);
+	else
+		// Fill with 0.
+		memset(pkt + buffer_offset, 0, len);
+
+	buffer_offset += len;
+
+	return 1;
+	}
diff --git a/src/UDP_Rewriter.h b/src/UDP_Rewriter.h
new file mode 100644
index 0000000000..5fdfd9e5c1
--- /dev/null
+++ b/src/UDP_Rewriter.h
@@ -0,0 +1,138 @@
+// $Id:$
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#ifndef udp_rewriter_h
+#define udp_rewriter_h
+
+using namespace std;
+
+#include <queue>
+#include <set>
+
+#include <pcap.h>
+
+#include "Val.h"
+#include "UDP.h"
+#include "Anon.h"
+#include "Rewriter.h"
+#include "PacketDumper.h"
+
+class UDP_TracePacket : public BroObj, virtual public TracePacket {
+public:
+	UDP_TracePacket(UDP_Rewriter* trace_rewriter, double t, int is_orig,
+		    const struct pcap_pkthdr* hdr, int MTU, int initial_size);
+	~UDP_TracePacket();
+
+	int AppendLinkHeader(const u_char* chunk, int len);
+	int AppendIPHeader(const u_char* chunk, int len);
+	int AppendUDPHeader(const u_char* chunk, int len);
+	int AppendData(const u_char* chunk, int len);
+
+	void Reuse();
+	int IsReuse() const	{ return reuse; }
+
+	double TimeStamp() const	{ return timestamp; }
+	int IsOrig() const	{ return is_orig; }
+
+	const struct pcap_pkthdr* Header() const	{ return &pcap_hdr; }
+
+	const u_char* Buffer() const	{ return pkt; }
+	int Length() const	{ return buffer_offset; }
+
+	// Note that Space() does not depend on buffer_size, but depends on MTU.
+	int Space() const	{ return mtu - buffer_offset; }
+
+	void Describe(ODesc* d) const	{ packet_val->Describe(d); }
+	RecordVal* PacketVal();
+	UDP_Rewriter* TraceRewriter() const	{ return trace_rewriter;}
+
+	// has the packet been written to?
+	int IsModified() const	{ return modified; }
+	void SetModified()		{ modified = 1; }
+
+	// BuildPacket() is called before dumping the packet. It sets length
+	// fields and computes checksums in UDP/IP headers.
+	int BuildPacket(struct pcap_pkthdr*& hdr, const u_char*& arg_pkt,
+			int& length, ipaddr32_t anon_src, ipaddr32_t anon_dst);
+
+private:
+	int Append(const u_char* chunk, int len);
+
+	RecordVal* packet_val;
+	UDP_Rewriter* trace_rewriter;
+	double timestamp;
+	int packet_seq;
+	int is_orig;
+	struct pcap_pkthdr pcap_hdr;
+	int mtu;
+	u_char* pkt;	// of maximal length MTU
+	int ip_offset, udp_offset, data_offset;
+	int buffer_size;
+	int buffer_offset;
+	int reuse;	// whether it is an artificially replicated packet
+	int on_hold;	// do not dump it in Flush()
+	int seq_gap;
+	int modified;
+};
+
+class UDP_Rewriter: public Rewriter {
+public:
+	UDP_Rewriter(Analyzer* analyzer, int arg_MTU, PacketDumper* dumper);
+
+	virtual ~UDP_Rewriter();
+
+	void Done();
+
+	// these are the virt funcs in Rewriter....
+	void WriteData(int is_orig, int len, const u_char* data);
+
+	void WriteData(int is_orig, const char* data)
+		{ WriteData(is_orig, strlen(data), data); }
+
+	void WriteData(int is_orig, int len, const char* data)
+		{ WriteData(is_orig, len, (const u_char*) data); }
+
+	void WriteData(int is_orig, const BroString* str)
+		{ WriteData(is_orig, str->Len(), str->Bytes()); }
+
+	Analyzer* GetAnalyzer() const	{ return analyzer; }
+
+	// Not need for udp, but declared in the virtual
+	// and might be useful
+	void Push(int);
+	void AbortPackets(int);
+	void CommitPackets(int);
+	unsigned int ReserveSlot();
+	int SeekSlot(unsigned int);
+	int ReturnFromSlot();
+	int ReleaseSlot(unsigned int);
+
+	TracePacket* CurrentPacket() const	{ return current_packet; };
+	TracePacket* RewritePacket() const	{ return next_packet; };
+
+	// A UDP/IP packet.
+	void NextPacket(int is_orig, double t,
+			const struct pcap_pkthdr* pcap_hdr,
+			const u_char* pcap_pkt,	// link level header
+			int hdr_size,		// link level header size
+			const struct ip* ip, const struct udphdr* tp);
+
+	// Do not anonymize client/server IP address.
+	int LeaveAddrInTheClear(int is_orig);
+
+protected:
+	void DoWriteData(int is_orig, int len, const u_char* data);
+
+	Analyzer* analyzer;
+	PacketDumper* dumper;
+
+	int packets_rewritten;
+	int MTU;
+	ipaddr32_t anon_addr[2];
+
+	UDP_TracePacket* current_packet;
+	UDP_TracePacket* next_packet;
+};
+
+#endif
diff --git a/src/Val.cc b/src/Val.cc
new file mode 100644
index 0000000000..91c0159158
--- /dev/null
+++ b/src/Val.cc
@@ -0,0 +1,3454 @@
+// $Id: Val.cc 6945 2009-11-27 19:25:10Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "config.h"
+
+#include <sys/types.h>
+#include <sys/param.h>
+
+#include <netinet/in.h>
+#include <netdb.h>
+#include <unistd.h>
+
+#include <stdio.h>
+#include <stdlib.h>
+
+#include "Val.h"
+#include "Net.h"
+#include "File.h"
+#include "Func.h"
+#include "RE.h"
+#include "Scope.h"
+#include "NetVar.h"
+#include "Expr.h"
+#include "Serializer.h"
+#include "RemoteSerializer.h"
+#include "PrefixTable.h"
+#include "Conn.h"
+#include "Logger.h"
+
+
+Val::Val(Func* f)
+	{
+	val.func_val = f;
+	type = f->FType()->Ref();
+	attribs = 0;
+#ifdef DEBUG
+	bound_id = 0;
+#endif
+	}
+
+Val::Val(BroFile* f)
+	{
+	static FileType* string_file_type = 0;
+	if ( ! string_file_type )
+		string_file_type = new FileType(base_type(TYPE_STRING));
+
+	val.file_val = f;
+
+	assert(f->FType()->Tag() == TYPE_STRING);
+	type = string_file_type->Ref();
+
+	attribs = 0;
+#ifdef DEBUG
+	bound_id = 0;
+#endif
+	}
+
+Val::~Val()
+	{
+	if ( type->InternalType() == TYPE_INTERNAL_STRING )
+		delete val.string_val;
+
+	else if ( type->Tag() == TYPE_FILE )
+		Unref(val.file_val);
+
+	Unref(type);
+#ifdef DEBUG
+	Unref(bound_id);
+#endif
+	}
+
+Val* Val::Clone() const
+	{
+	SerializationFormat* form = new BinarySerializationFormat();
+	form->StartWrite();
+
+	CloneSerializer ss(form);
+	SerialInfo sinfo(&ss);
+	sinfo.cache = false;
+
+	this->Serialize(&sinfo);
+	char* data;
+	uint32 len = form->EndWrite(&data);
+	form->StartRead(data, len);
+
+	UnserialInfo uinfo(&ss);
+	uinfo.cache = false;
+	Val* clone = Unserialize(&uinfo, type);
+
+	delete [] data;
+
+	return clone;
+	}
+
+bool Val::Serialize(SerialInfo* info) const
+	{
+	return SerialObj::Serialize(info);
+	}
+
+Val* Val::Unserialize(UnserialInfo* info, TypeTag type, const BroType* exact_type)
+	{
+	Val* v = (Val*) SerialObj::Unserialize(info, SER_VAL);
+	if ( ! v )
+		return 0;
+
+	if ( type != TYPE_ANY && (v->Type()->Tag() != type
+		|| (exact_type && ! same_type(exact_type, v->Type()))) )
+		{
+		info->s->Error("type mismatch for value");
+		Unref(v);
+		return 0;
+		}
+
+	// For MutableVals, we may get a value which, by considering the
+	// globally unique ID, we already know. To keep references correct,
+	// we have to bind to the local version. (FIXME: This is not the
+	// nicest solution.  Ideally, DoUnserialize() should be able to pass
+	// us an alternative ptr to the correct object.)
+	if ( v->IsMutableVal() )
+		{
+		MutableVal* mv = v->AsMutableVal();
+		if ( mv->HasUniqueID() )
+			{
+			ID* current =
+				global_scope()->Lookup(mv->UniqueID()->Name());
+
+			if ( current && current != mv->UniqueID() )
+				{
+				DBG_LOG(DBG_STATE, "binding to already existing ID %s\n", current->Name());
+				assert(current->ID_Val());
+
+				// Need to unset the ID here.  Otherwise,
+				// when the SerializationCache destroys
+				// the value, the global name will disappear.
+				mv->SetID(0);
+				Unref(v);
+				return current->ID_Val()->Ref();
+				}
+			}
+		}
+
+	// An enum may be bound to a different internal number remotely than we
+	// do for the same identifier. Check if this is the case, and, if yes,
+	// rebind to our value.
+	if ( v->Type()->Tag() == TYPE_ENUM )
+		{
+		int rv = v->AsEnum();
+		EnumType* rt = v->Type()->AsEnumType();
+
+		const char* name = rt->Lookup(rv);
+		if ( name )
+			{
+			// See if we know the enum locally.
+			ID* local = global_scope()->Lookup(name);
+			if ( local && local->IsEnumConst() )
+				{
+				EnumType* lt = local->Type()->AsEnumType();
+				int lv = lt->Lookup(local->ModuleName(),
+							local->Name());
+
+				// Compare.
+				if ( rv != lv )
+					{
+					// Different, so let's bind the val
+					// to the local type.
+					v->val.int_val = lv;
+					Unref(rt);
+					v->type = lt;
+					::Ref(lt);
+					}
+				}
+			}
+
+		}
+
+	return v;
+	}
+
+IMPLEMENT_SERIAL(Val, SER_VAL);
+
+bool Val::DoSerialize(SerialInfo* info) const
+	{
+	DO_SERIALIZE(SER_VAL, BroObj);
+
+	if ( ! type->Serialize(info) )
+		return false;
+
+	SERIALIZE_OPTIONAL(attribs);
+
+	switch ( type->InternalType() ) {
+	case TYPE_INTERNAL_VOID:
+		info->s->Error("type is void");
+		return false;
+
+	case TYPE_INTERNAL_INT:
+		return SERIALIZE(val.int_val);
+
+	case TYPE_INTERNAL_UNSIGNED:
+		return SERIALIZE(val.uint_val);
+
+	case TYPE_INTERNAL_DOUBLE:
+		return SERIALIZE(val.double_val);
+
+	case TYPE_INTERNAL_STRING:
+		return SERIALIZE_STR((const char*) val.string_val->Bytes(),
+				val.string_val->Len());
+
+	case TYPE_INTERNAL_ADDR:
+		return SERIALIZE(NUM_ADDR_WORDS)
+#ifdef BROv6
+			&& SERIALIZE(uint32(ntohl(val.addr_val[0])))
+			&& SERIALIZE(uint32(ntohl(val.addr_val[1])))
+			&& SERIALIZE(uint32(ntohl(val.addr_val[2])))
+			&& SERIALIZE(uint32(ntohl(val.addr_val[3])));
+#else
+			&& SERIALIZE(uint32(ntohl(val.addr_val)));
+#endif
+
+	case TYPE_INTERNAL_SUBNET:
+		return info->s->WriteOpenTag("subnet")
+			&& SERIALIZE(NUM_ADDR_WORDS)
+#ifdef BROv6
+			&& SERIALIZE(uint32(ntohl(val.subnet_val.net[0])))
+			&& SERIALIZE(uint32(ntohl(val.subnet_val.net[1])))
+			&& SERIALIZE(uint32(ntohl(val.subnet_val.net[2])))
+			&& SERIALIZE(uint32(ntohl(val.subnet_val.net[3])))
+#else
+			&& SERIALIZE(uint32(ntohl(val.subnet_val.net)))
+#endif
+			&& SERIALIZE(val.subnet_val.width)
+			&& info->s->WriteCloseTag("subnet");
+
+	case TYPE_INTERNAL_OTHER:
+		// Derived classes are responsible for this.
+		// Exception: Functions and files. There aren't any derived
+		// classes.
+		if ( type->Tag() == TYPE_FUNC )
+			if ( ! AsFunc()->Serialize(info) )
+				return false;
+
+		if ( type->Tag() == TYPE_FILE )
+			if ( ! AsFile()->Serialize(info) )
+				return false;
+		return true;
+
+	case TYPE_INTERNAL_ERROR:
+		info->s->Error("type is error");
+		return false;
+
+	default:
+		info->s->Error("type is out of range");
+		return false;
+	}
+
+	internal_error("should not be reached");
+	return false;
+	}
+
+bool Val::DoUnserialize(UnserialInfo* info)
+	{
+	DO_UNSERIALIZE(BroObj);
+
+	if ( type )
+		Unref(type);
+
+	if ( ! (type = BroType::Unserialize(info)) )
+		return false;
+
+	UNSERIALIZE_OPTIONAL(attribs,
+		(RecordVal*) Val::Unserialize(info, TYPE_RECORD));
+
+	switch ( type->InternalType() ) {
+	case TYPE_INTERNAL_VOID:
+		info->s->Error("type is void");
+		return false;
+
+	case TYPE_INTERNAL_INT:
+		return UNSERIALIZE(&val.int_val);
+
+	case TYPE_INTERNAL_UNSIGNED:
+		return UNSERIALIZE(&val.uint_val);
+
+	case TYPE_INTERNAL_DOUBLE:
+		return UNSERIALIZE(&val.double_val);
+
+	case TYPE_INTERNAL_STRING:
+		const char* str;
+		int len;
+		if ( ! UNSERIALIZE_STR(&str, &len) )
+			return false;
+
+		val.string_val = new BroString((u_char*) str, len, 1);
+		delete [] str;
+		return true;
+
+	case TYPE_INTERNAL_ADDR:
+		{
+		int num_words;
+		if ( ! UNSERIALIZE(&num_words) )
+			return false;
+
+		if ( num_words != 1 && num_words != 4 )
+			{
+			info->s->Error("bad address type");
+			return false;
+			}
+
+		uint32 a[4];	// big enough to hold either
+
+		for ( int i = 0; i < num_words; ++i )
+			{
+			if ( ! UNSERIALIZE(&a[i]) )
+				return false;
+
+			a[i] = htonl(a[i]);
+			}
+
+#ifndef BROv6
+		if ( num_words == 4 )
+			{
+			if ( a[0] || a[1] || a[2] )
+				info->s->Warning("received IPv6 address, ignoring");
+			((AddrVal*) this)->Init(a[3]);
+			}
+		else
+			((AddrVal*) this)->Init(a[0]);
+#else
+		if ( num_words == 1 )
+			((AddrVal*) this)->Init(a[0]);
+		else
+			((AddrVal*) this)->Init(a);
+#endif
+		}
+		return true;
+
+	case TYPE_INTERNAL_SUBNET:
+		{
+		int num_words;
+		if ( ! UNSERIALIZE(&num_words) )
+			return false;
+
+		if ( num_words != 1 && num_words != 4 )
+			{
+			info->s->Error("bad subnet type");
+			return false;
+			}
+
+		uint32 a[4];	// big enough to hold either
+
+		for ( int i = 0; i < num_words; ++i )
+			{
+			if ( ! UNSERIALIZE(&a[i]) )
+				return false;
+
+			a[i] = htonl(a[i]);
+			}
+
+		int width;
+		if ( ! UNSERIALIZE(&width) )
+			return false;
+
+#ifdef BROv6
+		if ( num_words == 1 )
+			{
+			a[3] = a[0];
+			a[0] = a[1] = a[2] = 0;
+			}
+
+		((SubNetVal*) this)->Init(a, width);
+
+#else
+		if ( num_words == 4 )
+			{
+			if ( a[0] || a[1] || a[2] )
+				info->s->Warning("received IPv6 subnet, ignoring");
+			a[0] = a[3];
+
+			if ( width > 32 )
+				width -= 96;
+			}
+
+		((SubNetVal*) this)->Init(a[0], width);
+#endif
+		}
+		return true;
+
+	case TYPE_INTERNAL_OTHER:
+		// Derived classes are responsible for this.
+		// Exception: Functions and files. There aren't any derived
+		// classes.
+		if ( type->Tag() == TYPE_FUNC )
+			{
+			val.func_val = Func::Unserialize(info);
+			return val.func_val != 0;
+			}
+		else if ( type->Tag() == TYPE_FILE )
+			{
+			val.file_val = BroFile::Unserialize(info);
+			return val.file_val != 0;
+			}
+		return true;
+
+	case TYPE_INTERNAL_ERROR:
+		info->s->Error("type is error");
+		return false;
+
+	default:
+		info->s->Error("type out of range");
+		return false;
+	}
+
+	internal_error("should not be reached");
+	return false;
+	}
+
+RecordVal* Val::GetAttribs(bool instantiate)
+	{
+	if ( ! instantiate || attribs )
+		return attribs;
+
+	attribs = new RecordVal(type->AttributesType());
+	return attribs;
+	}
+
+int Val::IsZero() const
+	{
+	switch ( type->InternalType() ) {
+	case TYPE_INTERNAL_INT:		return val.int_val == 0;
+	case TYPE_INTERNAL_UNSIGNED:	return val.uint_val == 0;
+	case TYPE_INTERNAL_DOUBLE:	return val.double_val == 0.0;
+
+	default:			return 0;
+	}
+	}
+
+int Val::IsOne() const
+	{
+	switch ( type->InternalType() ) {
+	case TYPE_INTERNAL_INT:		return val.int_val == 1;
+	case TYPE_INTERNAL_UNSIGNED:	return val.uint_val == 1;
+	case TYPE_INTERNAL_DOUBLE:	return val.double_val == 1.0;
+
+	default:			return 0;
+	}
+	}
+
+bro_int_t Val::InternalInt() const
+	{
+	if ( type->InternalType() == TYPE_INTERNAL_INT )
+		return val.int_val;
+	else if ( type->InternalType() == TYPE_INTERNAL_UNSIGNED )
+		// ### should check here for overflow
+		return static_cast<bro_int_t>(val.uint_val);
+	else
+		InternalWarning("bad request for InternalInt");
+
+	return 0;
+	}
+
+bro_uint_t Val::InternalUnsigned() const
+	{
+	if ( type->InternalType() == TYPE_INTERNAL_UNSIGNED )
+		return val.uint_val;
+	else
+		InternalWarning("bad request for InternalUnsigned");
+
+	return 0;
+	}
+
+double Val::InternalDouble() const
+	{
+	if ( type->InternalType() == TYPE_INTERNAL_DOUBLE )
+		return val.double_val;
+	else
+		InternalWarning("bad request for InternalDouble");
+
+	return 0.0;
+	}
+
+bro_int_t Val::CoerceToInt() const
+	{
+	if ( type->InternalType() == TYPE_INTERNAL_INT )
+		return val.int_val;
+	else if ( type->InternalType() == TYPE_INTERNAL_UNSIGNED )
+		return static_cast<bro_int_t>(val.uint_val);
+	else if ( type->InternalType() == TYPE_INTERNAL_DOUBLE )
+		return static_cast<bro_int_t>(val.double_val);
+	else
+		InternalWarning("bad request for CoerceToInt");
+
+	return 0;
+	}
+
+bro_uint_t Val::CoerceToUnsigned() const
+	{
+	if ( type->InternalType() == TYPE_INTERNAL_UNSIGNED )
+		return val.uint_val;
+	else if ( type->InternalType() == TYPE_INTERNAL_INT )
+		return static_cast<bro_uint_t>(val.int_val);
+	else if ( type->InternalType() == TYPE_INTERNAL_DOUBLE )
+		return static_cast<bro_uint_t>(val.double_val);
+	else
+		InternalWarning("bad request for CoerceToUnsigned");
+
+	return 0;
+	}
+
+double Val::CoerceToDouble() const
+	{
+	if ( type->InternalType() == TYPE_INTERNAL_DOUBLE )
+		return val.double_val;
+	else if ( type->InternalType() == TYPE_INTERNAL_INT )
+		return static_cast<double>(val.int_val);
+	else if ( type->InternalType() == TYPE_INTERNAL_UNSIGNED )
+		return static_cast<double>(val.uint_val);
+	else
+		InternalWarning("bad request for CoerceToDouble");
+
+	return 0.0;
+	}
+
+Val* Val::SizeVal() const
+	{
+	switch ( type->InternalType() ) {
+	case TYPE_INTERNAL_INT:
+		return new Val(abs(val.int_val), TYPE_COUNT);
+
+	case TYPE_INTERNAL_UNSIGNED:
+		return new Val(val.uint_val, TYPE_COUNT);
+
+	case TYPE_INTERNAL_DOUBLE:
+		return new Val(fabs(val.double_val), TYPE_DOUBLE);
+
+	case TYPE_INTERNAL_OTHER:
+		if ( type->Tag() == TYPE_FUNC )
+			return new Val(val.func_val->FType()->ArgTypes()->Types()->length(), TYPE_COUNT);
+
+		if ( type->Tag() == TYPE_FILE )
+			return new Val(val.file_val->Size(), TYPE_DOUBLE);
+		break;
+
+	default:
+		break;
+	}
+
+	return new Val(0, TYPE_COUNT);
+	}
+
+unsigned int Val::MemoryAllocation() const
+	{
+	return padded_sizeof(*this);
+	}
+
+int Val::AddTo(Val* v, int is_first_init) const
+	{
+	Error("+= initializer only applies to aggregate values");
+	return 0;
+	}
+
+int Val::RemoveFrom(Val* v) const
+	{
+	Error("-= initializer only applies to aggregate values");
+	return 0;
+	}
+
+void Val::Describe(ODesc* d) const
+	{
+	if ( d->IsBinary() || d->IsPortable() )
+		{
+		type->Describe(d);
+		d->SP();
+		}
+
+	if ( d->IsReadable() )
+		ValDescribe(d);
+	else
+		Val::ValDescribe(d);
+	}
+
+void Val::ValDescribe(ODesc* d) const
+	{
+	if ( d->IsReadable() && type->Tag() == TYPE_BOOL )
+		{
+		d->Add(CoerceToInt() ? "T" : "F");
+		return;
+		}
+
+	switch ( type->InternalType() ) {
+	case TYPE_INTERNAL_INT:		d->Add(val.int_val); break;
+	case TYPE_INTERNAL_UNSIGNED:	d->Add(val.uint_val); break;
+	case TYPE_INTERNAL_DOUBLE:	d->Add(val.double_val); break;
+	case TYPE_INTERNAL_STRING:	d->AddBytes(val.string_val); break;
+	case TYPE_INTERNAL_ADDR:	d->Add(dotted_addr(val.addr_val)); break;
+
+	case TYPE_INTERNAL_SUBNET:
+		d->Add(dotted_addr(val.subnet_val.net));
+		d->Add("/");
+		d->Add(val.subnet_val.width);
+		break;
+
+	case TYPE_INTERNAL_ERROR:	d->AddCS("error"); break;
+	case TYPE_INTERNAL_OTHER:
+		if ( type->Tag() == TYPE_FUNC )
+			AsFunc()->Describe(d);
+		else if ( type->Tag() == TYPE_FILE )
+			AsFile()->Describe(d);
+		else
+			d->Add("<no value description>");
+		break;
+
+	case TYPE_INTERNAL_VOID:
+		d->Add("<void value description>");
+		break;
+
+	default:
+		// Don't call Internal(), that'll loop!
+		internal_error("Val description unavailable");
+	}
+	}
+
+MutableVal::~MutableVal()
+	{
+	for ( list<ID*>::iterator i = aliases.begin(); i != aliases.end(); ++i )
+		{
+		global_scope()->Remove((*i)->Name());
+		(*i)->ClearVal();	// just to make sure.
+		Unref((*i));
+		}
+
+	if ( id )
+		{
+		global_scope()->Remove(id->Name());
+		id->ClearVal(); // just to make sure.
+		Unref(id);
+		}
+	}
+
+bool MutableVal::AddProperties(Properties arg_props)
+	{
+	if ( (props | arg_props) == props )
+		// No change.
+		return false;
+
+	props |= arg_props;
+
+	if ( ! id )
+		Bind();
+
+	return true;
+	}
+
+
+bool MutableVal::RemoveProperties(Properties arg_props)
+	{
+	if ( (props & ~arg_props) == props )
+		// No change.
+		return false;
+
+	props &= ~arg_props;
+
+	return true;
+	}
+
+ID* MutableVal::Bind() const
+	{
+	static bool initialized = false;
+
+	assert(!id);
+
+	static unsigned int id_counter = 0;
+	static const int MAX_NAME_SIZE = 128;
+	static char name[MAX_NAME_SIZE];
+	static char* end_of_static_str = 0;
+
+	if ( ! initialized )
+		{
+		// Get local IP.
+		char host[MAXHOSTNAMELEN];
+		strcpy(host, "localhost");
+		gethostname(host, MAXHOSTNAMELEN);
+		host[MAXHOSTNAMELEN-1] = '\0';
+#if 0
+		// We ignore errors.
+		struct hostent* ent = gethostbyname(host);
+
+		uint32 ip;
+		if ( ent && ent->h_addr_list[0] )
+			ip = *(uint32*) ent->h_addr_list[0];
+		else
+			ip = htonl(0x7f000001);	// 127.0.0.1
+
+		safe_snprintf(name, MAX_NAME_SIZE, "#%s#%d#",
+			      dotted_addr(ip), getpid());
+#else
+		safe_snprintf(name, MAX_NAME_SIZE, "#%s#%d#", host, getpid());
+#endif
+
+		end_of_static_str = name + strlen(name);
+
+		initialized = true;
+		}
+
+	safe_snprintf(end_of_static_str, MAX_NAME_SIZE - (end_of_static_str - name),
+		      "%u", ++id_counter);
+	name[MAX_NAME_SIZE-1] = '\0';
+
+//	DBG_LOG(DBG_STATE, "new unique ID %s", name);
+
+	id = new ID(name, SCOPE_GLOBAL, true);
+	id->SetType(const_cast<MutableVal*>(this)->Type()->Ref());
+
+	global_scope()->Insert(name, id);
+
+	id->SetVal(const_cast<MutableVal*>(this), OP_NONE, true);
+
+	return id;
+	}
+
+void MutableVal::TransferUniqueID(MutableVal* mv)
+	{
+	const char* new_name = mv->UniqueID()->Name();
+
+	if ( ! id )
+		Bind();
+
+	DBG_LOG(DBG_STATE, "transfering ID (new %s, old/alias %s)", new_name, id->Name());
+
+	// Keep old name as alias.
+	aliases.push_back(id);
+
+	id = new ID(new_name, SCOPE_GLOBAL, true);
+	id->SetType(const_cast<MutableVal*>(this)->Type()->Ref());
+	global_scope()->Insert(new_name, id);
+	id->SetVal(const_cast<MutableVal*>(this), OP_NONE, true);
+
+	Unref(mv->id);
+	mv->id = 0;
+	}
+
+IMPLEMENT_SERIAL(MutableVal, SER_MUTABLE_VAL);
+
+bool MutableVal::DoSerialize(SerialInfo* info) const
+	{
+	DO_SERIALIZE(SER_MUTABLE_VAL, Val);
+
+	if ( ! SERIALIZE(props) )
+		return false;
+
+	// Don't use ID::Serialize here, that would loop.  All we
+	// need is the name, anyway.
+	const char* name = id ? id->Name() : "";
+	if ( ! SERIALIZE(name) )
+		return false;
+
+	return true;
+	}
+
+bool MutableVal::DoUnserialize(UnserialInfo* info)
+	{
+	DO_UNSERIALIZE(Val);
+
+	if ( ! UNSERIALIZE(&props) )
+		 return false;
+
+	id = 0;
+
+	const char* name;
+	if ( ! UNSERIALIZE_STR(&name, 0) )
+		return false;
+
+	if ( *name )
+		{
+		id = new ID(name, SCOPE_GLOBAL, true);
+		id->SetVal(this, OP_NONE, true);
+
+		ID* current = global_scope()->Lookup(name);
+		if ( ! current )
+			{
+			global_scope()->Insert(name, id);
+			DBG_LOG(DBG_STATE, "installed formerly unknown ID %s", id->Name());
+			}
+		else
+			{
+			DBG_LOG(DBG_STATE, "got already known ID %s", current->Name());
+			// This means that we already know the value and
+			// that in fact we should bind to the local value.
+			// Val::Unserialize() will take care of this.
+			}
+		}
+
+	delete [] name;
+	return true;
+	}
+
+IntervalVal::IntervalVal(double quantity, double units) :
+	Val(quantity * units, TYPE_INTERVAL)
+	{
+	}
+
+void IntervalVal::ValDescribe(ODesc* d) const
+	{
+	double v = val.double_val;
+
+	if ( v == 0.0 )
+		{
+		d->Add("0 secs");
+		return;
+		}
+
+	int did_one = 0;
+
+#define DO_UNIT(unit, name) \
+	if ( v >= unit || v <= -unit ) \
+		{ \
+		double num = double(int(v / unit)); \
+		if ( num != 0.0 ) \
+			{ \
+			if ( did_one++ ) \
+				d->SP(); \
+			d->Add(num); \
+			d->SP(); \
+			d->Add(name); \
+			if ( num != 1.0 && num != -1.0 ) \
+				d->Add("s"); \
+			v -= num * unit; \
+			} \
+		}
+
+	DO_UNIT(Days, "day")
+	DO_UNIT(Hours, "hr")
+	DO_UNIT(Minutes, "min")
+	DO_UNIT(Seconds, "sec")
+	DO_UNIT(Milliseconds, "msec")
+	DO_UNIT(Microseconds, "usec")
+	}
+
+IMPLEMENT_SERIAL(IntervalVal, SER_INTERVAL_VAL);
+
+bool IntervalVal::DoSerialize(SerialInfo* info) const
+	{
+	DO_SERIALIZE(SER_INTERVAL_VAL, Val);
+	return true;
+	}
+
+bool IntervalVal::DoUnserialize(UnserialInfo* info)
+	{
+	DO_UNSERIALIZE(Val);
+	return true;
+	}
+
+PortVal::PortVal(uint32 p, TransportProto port_type) : Val(TYPE_PORT)
+	{
+	// Note, for ICMP one-way connections:
+	// src_port = icmp_type, dst_port = icmp_code.
+
+	if ( p >= 65536 )
+		{
+		InternalWarning("bad port number");
+		p = 0;
+		}
+
+	switch ( port_type ) {
+	case TRANSPORT_TCP:
+		p |= TCP_PORT_MASK;
+		break;
+
+	case TRANSPORT_UDP:
+		p |= UDP_PORT_MASK;
+		break;
+
+	case TRANSPORT_ICMP:
+		p |= ICMP_PORT_MASK;
+		break;
+
+	default:
+		break;	// "other"
+	}
+
+	val.uint_val = static_cast<bro_uint_t>(p);
+	}
+
+PortVal::PortVal(uint32 p) : Val(TYPE_PORT)
+	{
+	if ( p >= 65536 * NUM_PORT_SPACES )
+		{
+		InternalWarning("bad port number");
+		p = 0;
+		}
+
+	val.uint_val = static_cast<bro_uint_t>(p);
+	}
+
+uint32 PortVal::Port() const
+	{
+	uint32 p = static_cast<uint32>(val.uint_val);
+	return p & ~PORT_SPACE_MASK;
+	}
+
+int PortVal::IsTCP() const
+	{
+	return (val.uint_val & PORT_SPACE_MASK) == TCP_PORT_MASK;
+	}
+
+int PortVal::IsUDP() const
+	{
+	return (val.uint_val & PORT_SPACE_MASK) == UDP_PORT_MASK;
+	}
+
+int PortVal::IsICMP() const
+	{
+	return (val.uint_val & PORT_SPACE_MASK) == ICMP_PORT_MASK;
+	}
+
+void PortVal::ValDescribe(ODesc* d) const
+	{
+	uint32 p = static_cast<uint32>(val.uint_val);
+	d->Add(p & ~PORT_SPACE_MASK);
+	if ( IsUDP() )
+		d->Add("/udp");
+	else if ( IsTCP() )
+		d->Add("/tcp");
+	else if ( IsICMP() )
+		d->Add("/icmp");
+	else
+		d->Add("/unknown");
+	}
+
+IMPLEMENT_SERIAL(PortVal, SER_PORT_VAL);
+
+bool PortVal::DoSerialize(SerialInfo* info) const
+	{
+	DO_SERIALIZE(SER_PORT_VAL, Val);
+	return true;
+	}
+
+bool PortVal::DoUnserialize(UnserialInfo* info)
+	{
+	DO_UNSERIALIZE(Val);
+	return true;
+	}
+
+AddrVal::AddrVal(const char* text) : Val(TYPE_ADDR)
+	{
+	const char* colon = strchr(text, ':');
+
+	if ( colon )
+		{
+#ifdef BROv6
+		Init(dotted_to_addr6(text));
+#else
+		error("bro wasn't compiled with IPv6 support");
+		Init(uint32(0));
+#endif
+		}
+
+	else
+		Init(dotted_to_addr(text));
+	}
+
+AddrVal::AddrVal(uint32 addr) : Val(TYPE_ADDR)
+	{
+	// ### perhaps do gethostbyaddr here?
+	Init(addr);
+	}
+
+AddrVal::AddrVal(const uint32* addr) : Val(TYPE_ADDR)
+	{
+	Init(addr);
+	}
+
+AddrVal::~AddrVal()
+	{
+#ifdef BROv6
+	delete [] val.addr_val;
+#endif
+	}
+
+Val* AddrVal::SizeVal() const
+	{
+	uint32 addr;
+
+#ifdef BROv6
+	if ( ! is_v4_addr(val.addr_val) )
+		{
+		RunTime("|addr| for IPv6 addresses not supported");
+		return new Val(0, TYPE_COUNT);
+		}
+
+	addr = to_v4_addr(val.addr_val);
+#else
+	addr = val.addr_val;
+#endif
+
+	addr = ntohl(addr);
+
+	return new Val(addr, TYPE_COUNT);
+	}
+
+void AddrVal::Init(uint32 addr)
+	{
+#ifdef BROv6
+	val.addr_val = new uint32[4];
+	val.addr_val[0] = val.addr_val[1] = val.addr_val[2] = 0;
+	val.addr_val[3] = addr;
+#else
+	val.addr_val = addr;
+#endif
+	}
+
+void AddrVal::Init(const uint32* addr)
+	{
+#ifdef BROv6
+	val.addr_val = new uint32[4];
+	val.addr_val[0] = addr[0];
+	val.addr_val[1] = addr[1];
+	val.addr_val[2] = addr[2];
+	val.addr_val[3] = addr[3];
+#else
+	val.addr_val = addr[0];
+#endif
+	}
+
+unsigned int AddrVal::MemoryAllocation() const
+	{
+#ifdef BROv6
+		return padded_sizeof(*this) + pad_size(4 * sizeof(uint32));
+#else
+		return padded_sizeof(*this);
+#endif
+	}
+
+IMPLEMENT_SERIAL(AddrVal, SER_ADDR_VAL);
+
+bool AddrVal::DoSerialize(SerialInfo* info) const
+	{
+	DO_SERIALIZE(SER_ADDR_VAL, Val);
+	return true;
+	}
+
+bool AddrVal::DoUnserialize(UnserialInfo* info)
+	{
+	DO_UNSERIALIZE(Val);
+	return true;
+	}
+
+static uint32 parse_dotted(const char* text, int& dots)
+	{
+	int addr[4];
+	uint32 a = 0;
+	dots = 0;
+
+	if ( sscanf(text, "%d.%d.%d.%d", addr+0, addr+1, addr+2, addr+3) == 4 )
+		{
+		a = (addr[0] << 24) | (addr[1] << 16) |
+			(addr[2] << 8) | addr[3];
+		dots = 3;
+		}
+
+	else if ( sscanf(text, "%d.%d.%d", addr+0, addr+1, addr+2) == 3 )
+		{
+		a = (addr[0] << 24) | (addr[1] << 16) | (addr[2] << 8);
+		dots = 2;
+		}
+
+	else if ( sscanf(text, "%d.%d", addr+0, addr+1) == 2 )
+		{
+		a = (addr[0] << 24) | (addr[1] << 16);
+		dots = 1;
+		}
+
+	else
+		internal_error("scanf failed in parse_dotted()");
+
+	for ( int i = 0; i <= dots; ++i )
+		{
+		if ( addr[i] < 0 || addr[i] > 255 )
+			{
+			error("bad dotted address", text);
+			break;
+			}
+		}
+
+	return a;
+	}
+
+NetVal::NetVal(const char* text) : AddrVal(TYPE_NET)
+	{
+	int dots;
+	uint32 a = parse_dotted(text, dots);
+
+	if ( addr_to_net(a) != a )
+		error("bad net address", text);
+
+	Init(uint32(htonl(a)));
+	}
+
+NetVal::NetVal(uint32 addr) : AddrVal(TYPE_NET)
+	{
+	Init(addr);
+	}
+
+#ifdef BROv6
+NetVal::NetVal(const uint32* addr) : AddrVal(TYPE_NET)
+	{
+	Init(addr);
+	}
+#endif
+
+Val* NetVal::SizeVal() const
+	{
+	uint32 addr;
+
+#ifdef BROv6
+	if ( ! is_v4_addr(val.addr_val) )
+		{
+		RunTime("|net| for IPv6 addresses not supported");
+		return new Val(0.0, TYPE_DOUBLE);
+		}
+
+	addr = to_v4_addr(val.addr_val);
+#else
+	addr = val.addr_val;
+#endif
+	addr = ntohl(addr);
+
+	if ( (addr & 0xFFFFFFFF) == 0L )
+		return new Val(4294967296.0, TYPE_DOUBLE);
+
+	if ( (addr & 0x00FFFFFF) == 0L )
+		return new Val(double(0xFFFFFF + 1), TYPE_DOUBLE);
+
+	if ( (addr & 0x0000FFFF) == 0L )
+		return new Val(double(0xFFFF + 1), TYPE_DOUBLE);
+
+	if ( (addr & 0x000000FF) == 0L )
+		return new Val(double(0xFF + 1), TYPE_DOUBLE);
+
+	return new Val(1.0, TYPE_DOUBLE);
+	}
+
+void NetVal::ValDescribe(ODesc* d) const
+	{
+#ifdef BROv6
+	d->Add(dotted_net6(val.addr_val));
+#else
+	d->Add(dotted_net(val.addr_val));
+#endif
+	}
+
+IMPLEMENT_SERIAL(NetVal, SER_NET_VAL);
+
+bool NetVal::DoSerialize(SerialInfo* info) const
+	{
+	DO_SERIALIZE(SER_NET_VAL, AddrVal);
+	return true;
+	}
+
+bool NetVal::DoUnserialize(UnserialInfo* info)
+	{
+	DO_UNSERIALIZE(AddrVal);
+	return true;
+	}
+
+SubNetVal::SubNetVal(const char* text) : Val(TYPE_SUBNET)
+	{
+	const char* sep = strchr(text, '/');
+	if ( ! sep )
+		Internal("separator missing in SubNetVal::SubNetVal");
+
+	Init(text, atoi(sep+1));
+	}
+
+SubNetVal::SubNetVal(const char* text, int width) : Val(TYPE_SUBNET)
+	{
+	Init(text, width);
+	}
+
+SubNetVal::SubNetVal(uint32 addr, int width) : Val(TYPE_SUBNET)
+	{
+	Init(addr, width);
+	}
+
+#ifdef BROv6
+SubNetVal::SubNetVal(const uint32* addr, int width) : Val(TYPE_SUBNET)
+	{
+	Init(addr, width);
+	}
+#endif
+
+void SubNetVal::Init(const char* text, int width)
+	{
+#ifdef BROv6
+	if ( width <= 0 || width > 128 )
+#else
+	if ( width <= 0 || width > 32 )
+#endif
+		Error("bad subnet width");
+
+	int dots;
+	uint32 a = parse_dotted(text, dots);
+
+	Init(uint32(htonl(a)), width);
+	}
+
+
+void SubNetVal::Init(uint32 addr, int width)
+	{
+#ifdef BROv6
+	Internal("SubNetVal::Init called on 4-byte address w/ BROv6");
+#else
+	val.subnet_val.net = mask_addr(addr, uint32(width));
+	val.subnet_val.width = width;
+#endif
+	}
+
+void SubNetVal::Init(const uint32* addr, int width)
+	{
+#ifdef BROv6
+	const uint32* a = mask_addr(addr, uint32(width));
+
+	val.subnet_val.net[0] = a[0];
+	val.subnet_val.net[1] = a[1];
+	val.subnet_val.net[2] = a[2];
+	val.subnet_val.net[3] = a[3];
+
+	if ( is_v4_addr(addr) && width <= 32 )
+		val.subnet_val.width = width + 96;
+	else
+		val.subnet_val.width = width;
+#else
+	Internal("SubNetVal::Init called on 16-byte address w/o BROv6");
+#endif
+	}
+
+Val* SubNetVal::SizeVal() const
+	{
+	int retained;
+#ifdef BROv6
+	retained = 128 - Width();
+#else
+	retained = 32 - Width();
+#endif
+
+	return new Val(pow(2.0, double(retained)), TYPE_DOUBLE);
+	}
+
+void SubNetVal::ValDescribe(ODesc* d) const
+	{
+	d->Add(dotted_addr(val.subnet_val.net, d->Style() == ALTERNATIVE_STYLE));
+	d->Add("/");
+#ifdef BROv6
+	if ( is_v4_addr(val.subnet_val.net) )
+		d->Add(val.subnet_val.width - 96);
+	else
+#endif
+	d->Add(val.subnet_val.width);
+	}
+
+addr_type SubNetVal::Mask() const
+	{
+	if ( val.subnet_val.width == 0 )
+		{
+		// We need to special-case a mask width of zero, since
+		// the compiler doesn't guarantee that 1 << 32 yields 0.
+#ifdef BROv6
+		uint32* m = new uint32[4];
+		for ( int i = 0; i < 4; ++i )
+			m[i] = 0;
+
+		return m;
+#else
+		return 0;
+#endif
+		}
+
+#ifdef BROv6
+	uint32* m = new uint32[4];
+	uint32* mp = m;
+
+	uint32 w;
+	for ( w = val.subnet_val.width; w >= 32; w -= 32 )
+		*(mp++) = 0xffffffff;
+
+	*mp = ~((1 << (32 - w)) - 1);
+
+	while ( ++mp < m + 4 )
+		*mp = 0;
+
+	return m;
+
+#else
+	return ~((1 << (32 - val.subnet_val.width)) - 1);
+#endif
+	}
+
+bool SubNetVal::Contains(const uint32 addr) const
+	{
+#ifdef BROv6
+	Internal("SubNetVal::Contains called on 4-byte address w/ BROv6");
+	return false;
+#else
+	return ntohl(val.subnet_val.net) == (ntohl(addr) & Mask());
+#endif
+	}
+
+bool SubNetVal::Contains(const uint32* addr) const
+	{
+#ifdef BROv6
+	const uint32* net = val.subnet_val.net;
+	const uint32* a = addr;
+	uint32 m;
+
+	for ( m = val.subnet_val.width; m > 32; m -= 32 )
+		{
+		if ( *net != *a )
+			return false;
+
+		++net;
+		++a;
+		}
+
+	uint32 mask = ~((1 << (32 - m)) - 1);
+	return ntohl(*net) == (ntohl(*a) & mask);
+#else
+	return Contains(addr[3]);
+#endif
+	}
+
+IMPLEMENT_SERIAL(SubNetVal, SER_SUBNET_VAL);
+
+bool SubNetVal::DoSerialize(SerialInfo* info) const
+	{
+	DO_SERIALIZE(SER_SUBNET_VAL, Val);
+	return true;
+	}
+
+bool SubNetVal::DoUnserialize(UnserialInfo* info)
+	{
+	DO_UNSERIALIZE(Val);
+	return true;
+	}
+
+StringVal::StringVal(BroString* s) : Val(TYPE_STRING)
+	{
+	val.string_val = s;
+	}
+
+StringVal::StringVal(int length, const char* s) : Val(TYPE_STRING)
+	{
+	// The following adds a NUL at the end.
+	val.string_val = new BroString((const u_char*)  s, length, 1);
+	}
+
+StringVal::StringVal(const char* s) : Val(TYPE_STRING)
+	{
+	val.string_val = new BroString(s);
+	}
+
+StringVal* StringVal::ToUpper()
+	{
+	val.string_val->ToUpper();
+	return this;
+	}
+
+void StringVal::ValDescribe(ODesc* d) const
+	{
+	// Should reintroduce escapes ? ###
+	if ( d->WantQuotes() )
+		d->Add("\"");
+	d->AddBytes(val.string_val);
+	if ( d->WantQuotes() )
+		d->Add("\"");
+	}
+
+unsigned int StringVal::MemoryAllocation() const
+	{
+	return padded_sizeof(*this) + val.string_val->MemoryAllocation();
+	}
+
+IMPLEMENT_SERIAL(StringVal, SER_STRING_VAL);
+
+bool StringVal::DoSerialize(SerialInfo* info) const
+	{
+	DO_SERIALIZE(SER_STRING_VAL, Val);
+	return true;
+	}
+
+bool StringVal::DoUnserialize(UnserialInfo* info)
+	{
+	DO_UNSERIALIZE(Val);
+	return true;
+	}
+
+PatternVal::PatternVal(RE_Matcher* re) : Val(base_type(TYPE_PATTERN))
+	{
+	val.re_val = re;
+	}
+
+PatternVal::~PatternVal()
+	{
+	delete AsPattern();
+	Unref(type);	// base_type() ref'd it, so did our base constructor
+	}
+
+int PatternVal::AddTo(Val* v, int /* is_first_init */) const
+	{
+	if ( v->Type()->Tag() != TYPE_PATTERN )
+		{
+		v->Error("not a pattern");
+		return 0;
+		}
+
+	PatternVal* pv = v->AsPatternVal();
+
+	RE_Matcher* re = new RE_Matcher(AsPattern()->PatternText());
+	re->AddPat(pv->AsPattern()->PatternText());
+	re->Compile();
+
+	pv->SetMatcher(re);
+
+	return 1;
+	}
+
+void PatternVal::SetMatcher(RE_Matcher* re)
+	{
+	delete AsPattern();
+	val.re_val = re;
+	}
+
+void PatternVal::ValDescribe(ODesc* d) const
+	{
+	d->Add("/");
+	d->Add(AsPattern()->PatternText());
+	d->Add("/");
+	}
+
+unsigned int PatternVal::MemoryAllocation() const
+	{
+	return padded_sizeof(*this) + val.re_val->MemoryAllocation();
+	}
+
+IMPLEMENT_SERIAL(PatternVal, SER_PATTERN_VAL);
+
+bool PatternVal::DoSerialize(SerialInfo* info) const
+	{
+	DO_SERIALIZE(SER_PATTERN_VAL, Val);
+	return AsPattern()->Serialize(info);
+	}
+
+bool PatternVal::DoUnserialize(UnserialInfo* info)
+	{
+	DO_UNSERIALIZE(Val);
+
+	val.re_val = RE_Matcher::Unserialize(info);
+	return val.re_val != 0;
+	}
+
+ListVal::ListVal(TypeTag t)
+: Val(new TypeList(t == TYPE_ANY ? 0 : base_type(t)))
+	{
+	tag = t;
+	}
+
+ListVal::~ListVal()
+	{
+	loop_over_list(vals, i)
+		Unref(vals[i]);
+	Unref(type);
+	}
+
+const char* ListVal::IncludedInString(const char* str) const
+	{
+	if ( tag != TYPE_STRING )
+		Internal("non-string list in ListVal::IncludedInString");
+
+	loop_over_list(vals, i)
+		{
+		const char* vs = (const char*) (vals[i]->AsString()->Bytes());
+
+		const char* embedded = strstr(str, vs);
+		if ( embedded )
+			return embedded;
+		}
+
+	return 0;
+	}
+
+RE_Matcher* ListVal::BuildRE() const
+	{
+	if ( tag != TYPE_STRING )
+		Internal("non-string list in ListVal::IncludedInString");
+
+	RE_Matcher* re = new RE_Matcher();
+	loop_over_list(vals, i)
+		{
+		const char* vs = (const char*) (vals[i]->AsString()->Bytes());
+		re->AddPat(vs);
+		}
+
+	return re;
+	}
+
+void ListVal::Append(Val* v)
+	{
+	if ( type->AsTypeList()->IsPure() )
+		{
+		if ( v->Type()->Tag() != tag )
+			Internal("heterogeneous list in ListVal::Append");
+		}
+
+	vals.append(v);
+	type->AsTypeList()->Append(v->Type()->Ref());
+	}
+
+TableVal* ListVal::ConvertToSet() const
+	{
+	if ( tag == TYPE_ANY )
+		Internal("conversion of heterogeneous list to set");
+
+	TypeList* set_index = new TypeList(type->AsTypeList()->PureType());
+	set_index->Append(base_type(tag));
+	SetType* s = new SetType(set_index, 0);
+	TableVal* t = new TableVal(s);
+
+	loop_over_list(vals, i)
+		t->Assign(vals[i], 0);
+
+	return t;
+	}
+
+void ListVal::Describe(ODesc* d) const
+	{
+	if ( d->IsBinary() || d->IsPortable() )
+		{
+		type->Describe(d);
+		d->SP();
+		d->Add(vals.length());
+		d->SP();
+		}
+
+	loop_over_list(vals, i)
+		{
+		if ( i > 0 )
+			{
+			if ( d->IsReadable() || d->IsPortable() )
+				{
+				d->Add(",");
+				d->SP();
+				}
+			}
+
+		vals[i]->Describe(d);
+		}
+	}
+
+IMPLEMENT_SERIAL(ListVal, SER_LIST_VAL);
+
+bool ListVal::DoSerialize(SerialInfo* info) const
+	{
+	DO_SERIALIZE(SER_LIST_VAL, Val);
+
+	if ( ! (SERIALIZE(char(tag)) && SERIALIZE(vals.length())) )
+		return false;
+
+	loop_over_list(vals, i)
+		{
+		if ( ! vals[i]->Serialize(info) )
+			return false;
+		}
+
+	return true;
+	}
+
+bool ListVal::DoUnserialize(UnserialInfo* info)
+	{
+	DO_UNSERIALIZE(Val);
+
+	char t;
+	int len;
+
+	if ( ! (UNSERIALIZE(&t) && UNSERIALIZE(&len)) )
+		return false;
+
+	tag = TypeTag(t);
+
+	while ( len-- )
+		{
+		Val* v = Val::Unserialize(info, TYPE_ANY);
+		if ( ! v )
+			return false;
+
+		vals.append(v);
+		}
+
+	// Our dtor will do Unref(type) in addition to Val's dtor.
+	if ( type )
+		type->Ref();
+
+	return true;
+	}
+
+unsigned int ListVal::MemoryAllocation() const
+	{
+	unsigned int size = 0;
+	loop_over_list(vals, i)
+		size += vals[i]->MemoryAllocation();
+
+	return size + padded_sizeof(*this) + vals.MemoryAllocation() - padded_sizeof(vals)
+		+ type->MemoryAllocation();
+	}
+
+
+TableValTimer::TableValTimer(TableVal* val, double t) : Timer(t, TIMER_TABLE_VAL)
+	{
+	table = val;
+	}
+
+TableValTimer::~TableValTimer()
+	{
+	table->ClearTimer(this);
+	}
+
+void TableValTimer::Dispatch(double t, int is_expire)
+	{
+	if ( ! is_expire )
+		{
+		table->ClearTimer(this);
+		table->DoExpire(t);
+		}
+	}
+
+static void table_entry_val_delete_func(void* val)
+	{
+	TableEntryVal* tv = (TableEntryVal*) val;
+	tv->Unref();
+	delete tv;
+	}
+
+TableVal::TableVal(TableType* t, Attributes* a) : MutableVal(t)
+	{
+	Init(t);
+	SetAttrs(a);
+	}
+
+void TableVal::Init(TableType* t)
+	{
+	table_type = t;
+	expire_expr = 0;
+	expire_time = 0;
+	expire_cookie = 0;
+	timer = 0;
+	def_val = 0;
+
+	if ( t->IsSubNetIndex() )
+		subnets = new PrefixTable;
+	else
+		subnets = 0;
+
+	table_hash = new CompositeHash(table_type->Indices());
+	val.table_val = new PDict(TableEntryVal);
+	val.table_val->SetDeleteFunc(table_entry_val_delete_func);
+	}
+
+TableVal::~TableVal()
+	{
+	if ( timer )
+		timer_mgr->Cancel(timer);
+
+	delete table_hash;
+	delete AsTable();
+	delete subnets;
+	Unref(attrs);
+	Unref(def_val);
+	Unref(expire_expr);
+	}
+
+void TableVal::RemoveAll()
+	{
+	// Here we take the brute force approach.
+	delete AsTable();
+	val.table_val = new PDict(TableEntryVal);
+	val.table_val->SetDeleteFunc(table_entry_val_delete_func);
+	}
+
+int TableVal::RecursiveSize() const
+	{
+	int n = AsTable()->Length();
+
+	if ( Type()->IsSet() ||
+	     const_cast<TableType*>(Type()->AsTableType())->YieldType()->Tag()
+			!= TYPE_TABLE )
+		return n;
+
+	PDict(TableEntryVal)* v = val.table_val;
+	IterCookie* c = v->InitForIteration();
+
+	TableEntryVal* tv;
+	while ( (tv = v->NextEntry(c)) )
+		{
+		if ( tv->Value() )
+			n += tv->Value()->AsTableVal()->RecursiveSize();
+		}
+
+	return n;
+	}
+
+void TableVal::SetAttrs(Attributes* a)
+	{
+	attrs = a;
+
+	if ( ! a )
+		return;
+
+	::Ref(attrs);
+
+	CheckExpireAttr(ATTR_EXPIRE_READ);
+	CheckExpireAttr(ATTR_EXPIRE_WRITE);
+	CheckExpireAttr(ATTR_EXPIRE_CREATE);
+
+	Attr* ef = attrs->FindAttr(ATTR_EXPIRE_FUNC);
+	if ( ef )
+		{
+		expire_expr = ef->AttrExpr();
+		expire_expr->Ref();
+		}
+	}
+
+void TableVal::CheckExpireAttr(attr_tag at)
+	{
+	Attr* a = attrs->FindAttr(at);
+
+	if ( a )
+		{
+		Val* timeout = a->AttrExpr()->Eval(0);
+		if ( ! timeout )
+			{
+			a->AttrExpr()->Error("value of timeout not fixed");
+			return;
+			}
+		
+		expire_time = timeout->AsInterval();
+
+		if ( timer )
+			timer_mgr->Cancel(timer);
+
+		// As network_time is not necessarily initialized yet,
+		// we set a timer which fires immediately.
+		timer = new TableValTimer(this, 1);
+		timer_mgr->Add(timer);
+		}
+	}
+
+int TableVal::Assign(Val* index, Val* new_val, Opcode op)
+	{
+	HashKey* k = ComputeHash(index);
+	if ( ! k )
+		{
+		Unref(new_val);
+		index->Error("index type doesn't match table", table_type->Indices());
+		return 0;
+		}
+
+	return Assign(index, k, new_val, op);
+	}
+
+int TableVal::Assign(Val* index, HashKey* k, Val* new_val, Opcode op)
+	{
+	int is_set = table_type->IsSet();
+
+	if ( (is_set && new_val) || (! is_set && ! new_val) )
+		InternalWarning("bad set/table in TableVal::Assign");
+
+	BroType* yt = Type()->AsTableType()->YieldType();
+
+	if ( yt && yt->Tag() == TYPE_TABLE &&
+	     new_val->AsTableVal()->FindAttr(ATTR_MERGEABLE) )
+		{
+		// Join two mergeable sets.
+		Val* old = Lookup(index, false);
+		if ( old && old->AsTableVal()->FindAttr(ATTR_MERGEABLE) )
+			{
+			if ( LoggingAccess() && op != OP_NONE )
+				StateAccess::Log(new StateAccess(OP_ASSIGN_IDX,
+						this, index, new_val, old));
+			new_val->AsTableVal()->AddTo(old->AsTableVal(), 0, false);
+			Unref(new_val);
+			return 1;
+			}
+		}
+
+	TableEntryVal* new_entry_val = new TableEntryVal(new_val);
+	TableEntryVal* old_entry_val = AsNonConstTable()->Insert(k, new_entry_val);
+
+	if ( subnets )
+		{
+		if ( ! index )
+			{
+			Val* v = RecoverIndex(k);
+			subnets->Insert(v, new_entry_val);
+			Unref(v);
+			}
+		else
+			subnets->Insert(index, new_entry_val);
+		}
+
+	if ( LoggingAccess() && op != OP_NONE )
+		{
+		Val* rec_index = 0;
+		if ( ! index )
+			index = rec_index = RecoverIndex(k);
+
+		if ( new_val )
+			{
+			// A table.
+			if ( new_val->IsMutableVal() )
+				new_val->AsMutableVal()->AddProperties(GetProperties());
+
+			bool unref_old_val = false;
+			Val* old_val = old_entry_val ?
+					old_entry_val->Value() : 0;
+			if ( op == OP_INCR && ! old_val )
+				// If it's an increment, somebody has already
+				// checked that the index is there.  If it's
+				// not, that can only be due to using the
+				// default.
+				{
+				old_val = Default(index);
+				unref_old_val = true;
+				}
+
+			assert(op != OP_INCR || old_val);
+
+			StateAccess::Log(
+				new StateAccess(
+					op == OP_INCR ?
+						OP_INCR_IDX : OP_ASSIGN_IDX,
+					this, index, new_val, old_val));
+
+			if ( unref_old_val )
+				Unref(old_val);
+			}
+
+		else
+			{
+			// A set.
+			if ( old_entry_val && remote_check_sync_consistency )
+				{
+				Val* has_old_val = new Val(1, TYPE_INT);
+				StateAccess::Log(
+					new StateAccess(OP_ADD, this, index,
+							has_old_val));
+				Unref(has_old_val);
+				}
+			else
+				StateAccess::Log(
+					new StateAccess(OP_ADD, this,
+							index, 0, 0));
+			}
+
+		if ( rec_index )
+			Unref(rec_index);
+		}
+
+	// Keep old expiration time if necessary.
+	if ( old_entry_val && attrs && attrs->FindAttr(ATTR_EXPIRE_CREATE) )
+		new_entry_val->SetExpireAccess(old_entry_val->ExpireAccessTime());
+
+	delete k;
+	if ( old_entry_val )
+		{
+		old_entry_val->Unref();
+		delete old_entry_val;
+		}
+
+	Modified();
+	return 1;
+	}
+
+int TableVal::AddTo(Val* val, int is_first_init) const
+	{
+	return AddTo(val, is_first_init, true);
+	}
+
+int TableVal::AddTo(Val* val, int is_first_init, bool propagate_ops) const
+	{
+	if ( val->Type()->Tag() != TYPE_TABLE )
+		{
+		val->Error("not a table");
+		return 0;
+		}
+
+	TableVal* t = val->AsTableVal();
+
+	if ( ! same_type(type, t->Type()) )
+		{
+		type->Error("table type clash", t->Type());
+		return 0;
+		}
+
+	const PDict(TableEntryVal)* tbl = AsTable();
+	IterCookie* c = tbl->InitForIteration();
+
+	HashKey* k;
+	TableEntryVal* v;
+	while ( (v = tbl->NextEntry(k, c)) )
+		{
+		if ( is_first_init && t->AsTable()->Lookup(k) )
+			{
+			Val* key = table_hash->RecoverVals(k);
+			// ### Shouldn't complain if their values are equal.
+			key->Warn("multiple initializations for index");
+			Unref(key);
+			continue;
+			}
+
+		if ( type->IsSet() )
+			{
+			if ( ! t->Assign(v->Value(), k, 0,
+					propagate_ops ? OP_ASSIGN : OP_NONE) )
+				 return 0;
+			}
+		else
+			{
+			v->Ref();
+			if ( ! t->Assign(0, k, v->Value(),
+					propagate_ops ? OP_ASSIGN : OP_NONE) )
+				 return 0;
+			}
+		}
+
+	return 1;
+	}
+
+int TableVal::RemoveFrom(Val* val) const
+	{
+	if ( val->Type()->Tag() != TYPE_TABLE )
+		{
+		val->Error("not a table");
+		return 0;
+		}
+
+	TableVal* t = val->AsTableVal();
+
+	if ( ! same_type(type, t->Type()) )
+		{
+		type->Error("table type clash", t->Type());
+		return 0;
+		}
+
+	const PDict(TableEntryVal)* tbl = AsTable();
+	IterCookie* c = tbl->InitForIteration();
+
+	HashKey* k;
+	TableEntryVal* v;
+	while ( (v = tbl->NextEntry(k, c)) )
+		{
+		Val* index = RecoverIndex(k);
+		Unref(index);
+		Unref(t->Delete(k));
+		delete k;
+		}
+
+	return 1;
+	}
+
+int TableVal::ExpandAndInit(Val* index, Val* new_val)
+	{
+	BroType* index_type = index->Type();
+
+	if ( index_type->IsSet() )
+		{
+		Val* new_index = index->AsTableVal()->ConvertToList();
+		Unref(index);
+		return ExpandAndInit(new_index, new_val);
+		}
+
+	if ( index_type->Tag() != TYPE_LIST )
+		// Nothing to expand.
+		return CheckAndAssign(index, new_val);
+
+	ListVal* iv = index->AsListVal();
+	if ( iv->BaseTag() != TYPE_ANY )
+		{
+		if ( table_type->Indices()->Types()->length() != 1 )
+			internal_error("bad singleton list index");
+
+		for ( int i = 0; i < iv->Length(); ++i )
+			if ( ! ExpandAndInit(iv->Index(i), new_val ? new_val->Ref() : 0) )
+				return 0;
+
+		Unref(new_val);
+		return 1;
+		}
+
+	else
+		{ // Compound table.
+		val_list* vl = iv->Vals();
+		loop_over_list(*vl, i)
+			{
+			// ### if CompositeHash::ComputeHash did flattening
+			// of 1-element lists (like ComputeSingletonHash does),
+			// then we could optimize here.
+			BroType* t = (*vl)[i]->Type();
+			if ( t->IsSet() || t->Tag() == TYPE_LIST )
+				break;
+			}
+
+		if ( i >= vl->length() )
+			// Nothing to expand.
+			return CheckAndAssign(index, new_val);
+		else
+			{
+			int result = ExpandCompoundAndInit(vl, i, new_val);
+			Unref(new_val);
+			return result;
+			}
+		}
+	}
+
+
+Val* TableVal::Default(Val* index)
+	{
+	Attr* def_attr = FindAttr(ATTR_DEFAULT);
+
+	if ( ! def_attr )
+		return 0;
+
+	if ( ! def_val )
+		def_val = def_attr->AttrExpr()->Eval(0);
+
+	if ( ! def_val )
+		{
+		RunTime("non-constant default attribute");
+		return 0;
+		}
+
+	if ( def_val->Type()->Tag() != TYPE_FUNC ||
+	     same_type(def_val->Type(), Type()->YieldType()) )
+		return def_val->Ref();
+
+	const Func* f = def_val->AsFunc();
+	val_list* vl = new val_list();
+
+	if ( index->Type()->Tag() == TYPE_LIST )
+		{
+		const val_list* vl0 = index->AsListVal()->Vals();
+		loop_over_list(*vl0, i)
+			vl->append((*vl0)[i]->Ref());
+		}
+	else
+		vl->append(index->Ref());
+
+	Val* result = f->Call(vl);
+	delete vl;
+
+	if ( ! result )
+		{
+		RunTime("no value returned from &default function");
+		return 0;
+		}
+
+	return result;
+	}
+
+Val* TableVal::Lookup(Val* index, bool use_default_val)
+	{
+	static Val* last_default = 0;
+
+	if ( last_default )
+		{
+		Unref(last_default);
+		last_default = 0;
+		}
+
+	if ( subnets )
+		{
+		TableEntryVal* v = (TableEntryVal*) subnets->Lookup(index);
+		if ( v )
+			return v->Value() ? v->Value() : this;
+
+		if ( ! use_default_val )
+			return 0;
+
+		Val* def = Default(index);
+		last_default = def;
+
+		return def;
+		}
+
+	const PDict(TableEntryVal)* tbl = AsTable();
+
+	if ( tbl->Length() > 0 )
+		{
+		HashKey* k = ComputeHash(index);
+		if ( k )
+			{
+			TableEntryVal* v = AsTable()->Lookup(k);
+			delete k;
+
+			if ( v )
+				{
+				if ( attrs &&
+				     ! (attrs->FindAttr(ATTR_EXPIRE_WRITE) ||
+					attrs->FindAttr(ATTR_EXPIRE_CREATE)) )
+					{
+					v->SetExpireAccess(network_time);
+					if ( LoggingAccess() && expire_time )
+						ReadOperation(index, v);
+					}
+
+				return v->Value() ? v->Value() : this;
+				}
+			}
+		}
+
+	if ( ! use_default_val )
+		return 0;
+
+	Val* def = Default(index);
+
+	last_default = def;
+	return def;
+	}
+
+bool TableVal::UpdateTimestamp(Val* index)
+	{
+	TableEntryVal* v;
+
+	if ( subnets )
+		v = (TableEntryVal*) subnets->Lookup(index);
+	else
+		{
+		HashKey* k = ComputeHash(index);
+		if ( ! k )
+			return false;
+
+		v = AsTable()->Lookup(k);
+
+		delete k;
+		}
+
+	if ( ! v )
+		return false;
+
+	v->SetExpireAccess(network_time);
+	if ( attrs->FindAttr(ATTR_EXPIRE_READ) )
+		ReadOperation(index, v);
+
+	return true;
+	}
+
+ListVal* TableVal::RecoverIndex(const HashKey* k) const
+	{
+	return table_hash->RecoverVals(k);
+	}
+
+Val* TableVal::Delete(const Val* index)
+	{
+	HashKey* k = ComputeHash(index);
+	TableEntryVal* v = k ? AsNonConstTable()->RemoveEntry(k) : 0;
+	Val* va = v ? (v->Value() ? v->Value() : this->Ref()) : 0;
+
+	if ( subnets && ! subnets->Remove(index) )
+		internal_error( "index not in prefix table" );
+
+	if ( LoggingAccess() )
+		{
+		if ( v )
+			{
+			if ( v->Value() && remote_check_sync_consistency )
+				// A table.
+				StateAccess::Log(
+					new StateAccess(OP_DEL, this,
+							index, v->Value()));
+			else
+				{
+				// A set.
+				Val* has_old_val = new Val(1, TYPE_INT);
+				StateAccess::Log(
+					new StateAccess(OP_DEL, this, index,
+							has_old_val));
+				Unref(has_old_val);
+				}
+			}
+		else
+			StateAccess::Log(
+				new StateAccess(OP_DEL, this, index, 0));
+		}
+
+	delete k;
+	delete v;
+
+	Modified();
+	return va;
+	}
+
+Val* TableVal::Delete(const HashKey* k)
+	{
+	TableEntryVal* v = AsNonConstTable()->RemoveEntry(k);
+	Val* va = v ? (v->Value() ? v->Value() : this->Ref()) : 0;
+
+	if ( subnets )
+		{
+		Val* index = table_hash->RecoverVals(k);
+		if ( ! subnets->Remove(index) )
+			internal_error( "index not in prefix table" );
+		Unref(index);
+		}
+
+	delete v;
+
+	if ( LoggingAccess() )
+		StateAccess::Log(new StateAccess(OP_DEL, this, k));
+
+	Modified();
+	return va;
+	}
+
+ListVal* TableVal::ConvertToList(TypeTag t) const
+	{
+	ListVal* l = new ListVal(t);
+
+	const PDict(TableEntryVal)* tbl = AsTable();
+	IterCookie* c = tbl->InitForIteration();
+
+	HashKey* k;
+	TableEntryVal* v;
+	while ( (v = tbl->NextEntry(k, c)) )
+		{
+		ListVal* index = table_hash->RecoverVals(k);
+
+		if ( t == TYPE_ANY )
+			l->Append(index);
+		else
+			{
+			// We're expecting a pure list, flatten the
+			// ListVal.
+			if ( index->Length() != 1 )
+				InternalWarning("bad index in TableVal::ConvertToList");
+			Val* flat_v = index->Index(0)->Ref();
+			Unref(index);
+			l->Append(flat_v);
+			}
+
+		delete k;
+		}
+
+	return l;
+	}
+
+ListVal* TableVal::ConvertToPureList() const
+	{
+	type_list* tl = table_type->Indices()->Types();
+	if ( tl->length() != 1 )
+		InternalWarning("bad index type in TableVal::ConvertToPureList");
+
+	return ConvertToList((*tl)[0]->Tag());
+	}
+
+void TableVal::Describe(ODesc* d) const
+	{
+	const PDict(TableEntryVal)* tbl = AsTable();
+	int n = tbl->Length();
+
+	if ( d->IsBinary() || d->IsPortable() )
+		{
+		table_type->Describe(d);
+		d->SP();
+		d->Add(n);
+		d->SP();
+		}
+
+	if ( d->IsPortable() || d->IsReadable() )
+		{
+		d->Add("{");
+		d->PushIndent();
+		}
+
+	IterCookie* c = tbl->InitForIteration();
+
+	for ( int i = 0; i < n; ++i )
+		{
+		HashKey* k;
+		TableEntryVal* v = tbl->NextEntry(k, c);
+
+		if ( ! v )
+			internal_error("hash table underflow in TableVal::Describe");
+
+		ListVal* vl = table_hash->RecoverVals(k);
+		int dim = vl->Length();
+
+		if ( i > 0 )
+			{
+			if ( ! d->IsBinary() )
+				d->Add(",");
+
+			d->NL();
+			}
+
+		if ( d->IsReadable() )
+			{
+			if ( dim != 1 || ! table_type->IsSet() )
+				d->Add("[");
+			}
+		else
+			{
+			d->Add(dim);
+			d->SP();
+			}
+
+		vl->Describe(d);
+
+		delete k;
+		Unref(vl);
+
+		if ( table_type->IsSet() )
+			{ // We're a set, not a table.
+			if ( d->IsReadable() )
+				if ( dim != 1 )
+					d->AddSP("]");
+			}
+		else
+			{
+			if ( d->IsReadable() )
+				d->AddSP("] =");
+			if ( v->Value() )
+				v->Value()->Describe(d);
+			}
+
+		if ( d->IsReadable() && ! d->IsShort() && d->IncludeStats() )
+			{
+			d->Add(" @");
+			d->Add(fmt_access_time(v->ExpireAccessTime()));
+			}
+		}
+
+	if ( tbl->NextEntry(c) )
+		internal_error("hash table overflow in TableVal::Describe");
+
+	if ( d->IsPortable() || d->IsReadable() )
+		{
+		d->PopIndent();
+		d->Add("}");
+		}
+	}
+
+int TableVal::ExpandCompoundAndInit(val_list* vl, int k, Val* new_val)
+	{
+	Val* ind_k_v = (*vl)[k];
+	ListVal* ind_k = ind_k_v->Type()->IsSet() ?
+				ind_k_v->AsTableVal()->ConvertToList() :
+				ind_k_v->AsListVal();
+
+	for ( int i = 0; i < ind_k->Length(); ++i )
+		{
+		Val* ind_k_i = ind_k->Index(i);
+		ListVal* expd = new ListVal(TYPE_ANY);
+		loop_over_list(*vl, j)
+			{
+			if ( j == k )
+				expd->Append(ind_k_i->Ref());
+			else
+				expd->Append((*vl)[j]->Ref());
+			}
+
+		int success = ExpandAndInit(expd, new_val ? new_val->Ref() : 0);
+		Unref(expd);
+
+		if ( ! success )
+			return 0;
+		}
+
+	if ( ind_k_v->Type()->IsSet() )
+		Unref(ind_k);
+
+	return 1;
+	}
+
+int TableVal::CheckAndAssign(Val* index, Val* new_val, Opcode op)
+	{
+	Val* v = 0;
+	if ( subnets )
+		// We need an exact match here.
+		v = (Val*) subnets->Lookup(index, true);
+	else
+		v = Lookup(index, false);
+
+	if ( v )
+		index->Warn("multiple initializations for index");
+
+	return Assign(index, new_val, op);
+	}
+
+void TableVal::InitTimer(double delay)
+	{
+	timer = new TableValTimer(this, network_time + delay);
+	timer_mgr->Add(timer);
+	}
+
+void TableVal::DoExpire(double t)
+	{
+	if ( ! type )
+		return; // FIX ME ###
+
+	PDict(TableEntryVal)* tbl = AsNonConstTable();
+
+	if ( ! expire_cookie )
+		{
+		expire_cookie = tbl->InitForIteration();
+		tbl->MakeRobustCookie(expire_cookie);
+		}
+
+	HashKey* k = 0;
+	TableEntryVal* v = 0;
+
+	for ( int i = 0; i < table_incremental_step &&
+			 (v = tbl->NextEntry(k, expire_cookie)); ++i )
+		{
+		if ( v->ExpireAccessTime() == 0 )
+			// This happens when we insert val while network_time
+			// hasn't been initialized yet (e.g. in bro_init()).
+			// We correct the timestamp now.
+			v->SetExpireAccess(network_time);
+
+		else if ( v->ExpireAccessTime() + expire_time < t )
+			{
+			Val* val = v ? v->Value() : 0;
+
+			if ( expire_expr )
+				{
+				Val* idx = RecoverIndex(k);
+				double secs = CallExpireFunc(idx);
+
+				// It's possible that the user-provided
+				// function modified or deleted the table
+				// value, so look it up again.
+				v = tbl->Lookup(k);
+
+				if ( ! v )
+					{ // user-provided function deleted it
+					delete k;
+					continue;
+					}
+
+				if ( secs > 0 )
+					{
+					// User doesn't want us to expire
+					// this now.
+					v->SetExpireAccess(network_time - expire_time + secs);
+					delete k;
+					continue;
+					}
+
+				}
+
+			if ( subnets )
+				{
+				Val* index = RecoverIndex(k);
+				if ( ! subnets->Remove(index) )
+					internal_error( "index not in prefix table" );
+				Unref(index);
+				}
+
+			if ( LoggingAccess() )
+				StateAccess::Log(
+					new StateAccess(OP_EXPIRE, this, k));
+
+			tbl->RemoveEntry(k);
+			delete v;
+			Unref(val);
+			Modified();
+			}
+
+		delete k;
+		}
+
+	if ( ! v )
+		{
+		expire_cookie = 0;
+		InitTimer(table_expire_interval);
+		}
+	else
+		InitTimer(table_expire_delay);
+	}
+
+double TableVal::CallExpireFunc(Val* idx)
+	{
+	if ( ! expire_expr )
+		{
+		Unref(idx);
+		return 0;
+		}
+
+	val_list* vl = new val_list;
+	vl->append(Ref());
+
+	// Flatten lists of a single element.
+	if ( idx->Type()->Tag() == TYPE_LIST &&
+	     idx->AsListVal()->Length() == 1 )
+		{
+		Val* old = idx;
+		idx = idx->AsListVal()->Index(0);
+		idx->Ref();
+		Unref(old);
+		}
+
+	vl->append(idx);
+
+	Val* vs = expire_expr->Eval(0)->AsFunc()->Call(vl);
+	double secs = vs->AsInterval();
+	Unref(vs);
+	delete vl;
+
+	return secs;
+	}
+
+void TableVal::ReadOperation(Val* index, TableEntryVal* v)
+	{
+	// In theory we need to only propagate one update per &read_expire
+	// interval to prevent peers from expiring intervals. To account for
+	// practical issues such as latency, we send one update every half
+	// &read_expire.
+	if ( network_time - v->LastReadUpdate() > expire_time / 2 )
+		{
+		StateAccess::Log(new StateAccess(OP_READ_IDX, this, index));
+		v->SetLastReadUpdate(network_time);
+		}
+	}
+
+IMPLEMENT_SERIAL(TableVal, SER_TABLE_VAL);
+
+// This is getting rather complex due to the ability to suspend even within
+// deeply-nested values.
+bool TableVal::DoSerialize(SerialInfo* info) const
+	{
+	DO_SERIALIZE_WITH_SUSPEND(SER_TABLE_VAL, MutableVal);
+
+	// The current state of the serialization.
+	struct State {
+		IterCookie* c;
+		TableEntryVal* v;	// current value
+		bool did_index;	// already wrote the val's index
+	}* state;
+
+	PDict(TableEntryVal)* tbl =
+		const_cast<TableVal*>(this)->AsNonConstTable();
+
+	if ( info->cont.NewInstance() )
+		{
+		// For simplicity, we disable suspension for the objects
+		// serialized here.  (In fact we know that *currently*
+		// they won't even try).
+		DisableSuspend suspend(info);
+
+		state = new State;
+		state->c = tbl->InitForIteration();
+		tbl->MakeRobustCookie(state->c);
+		state->v = 0;
+		state->did_index = false;
+		info->s->WriteOpenTag(table_type->IsSet() ? "set" : "table");
+
+		if ( ! SERIALIZE(expire_time) )
+			return false;
+
+		SERIALIZE_OPTIONAL(attrs);
+		SERIALIZE_OPTIONAL(expire_expr);
+
+		// Make sure nobody kills us in between.
+		const_cast<TableVal*>(this)->Ref();
+		}
+
+	else if ( info->cont.ChildSuspended() )
+		state = (State*) info->cont.RestoreState();
+
+	else if ( info->cont.Resuming() )
+		{
+		info->cont.Resume();
+		state = (State*) info->cont.RestoreState();
+		}
+	else
+		internal_error("unknown continuation state");
+
+	HashKey* k;
+	int count = 0;
+
+	assert((!info->cont.ChildSuspended()) || state->v);
+
+	while ( true )
+		{
+		if ( ! state->v )
+			{
+			state->v = tbl->NextEntry(k, state->c);
+			if ( ! state->c )
+				{
+				// No next one.
+				SERIALIZE(false);
+				break;
+				}
+
+			// There's a value coming.
+			SERIALIZE(true);
+
+			if ( state->v->Value() )
+				state->v->Ref();
+
+			state->did_index = false;
+			}
+
+		// Serialize index.
+		if ( ! state->did_index )
+			{
+			// Indices are rather small, so we disable suspension
+			// here again.
+			DisableSuspend suspend(info);
+			info->s->WriteOpenTag("key");
+			ListVal* index = table_hash->RecoverVals(k)->AsListVal();
+			delete k;
+
+			if ( ! index->Serialize(info) )
+				return false;
+
+			Unref(index);
+			info->s->WriteCloseTag("key");
+
+			state->did_index = true;
+
+			// Start serializing data.
+			if ( ! type->IsSet() )
+				info->s->WriteOpenTag("value");
+			}
+
+		if ( ! type->IsSet() )
+			{
+			info->cont.SaveState(state);
+			info->cont.SaveContext();
+			bool result = state->v->val->Serialize(info);
+			info->cont.RestoreContext();
+
+			if ( ! result )
+				return false;
+
+			if ( info->cont.ChildSuspended() )
+				return true;
+			}
+
+		double eat = state->v->ExpireAccessTime();
+
+		if ( ! (SERIALIZE(state->v->last_access_time) &&
+			SERIALIZE(eat)) )
+			return false;
+
+		info->s->WriteCloseTag("value");
+
+		if ( state->v->Value() )
+			state->v->Unref();
+		state->v = 0; // Next value.
+
+		// Suspend if we've done enough for now (which means we
+		// have serialized more than table_incremental_step entries
+		// in a row; if an entry has suspended itself in between,
+		// we start counting from 0).
+		if ( info->may_suspend && ++count > table_incremental_step)
+			{
+			info->cont.SaveState(state);
+			info->cont.Suspend();
+			bro_logger->Log("TableVals serialization suspended right in the middle.");
+			return true;
+			}
+		}
+
+	info->s->WriteCloseTag(table_type->IsSet() ? "set" : "table");
+	delete state;
+
+	Unref(const_cast<TableVal*>(this));
+	return true;
+	}
+
+bool TableVal::DoUnserialize(UnserialInfo* info)
+	{
+	DO_UNSERIALIZE(MutableVal);
+
+	if ( ! UNSERIALIZE(&expire_time) )
+		return false;
+
+	Init((TableType*) type);
+
+	UNSERIALIZE_OPTIONAL(attrs, Attributes::Unserialize(info));
+	UNSERIALIZE_OPTIONAL(expire_expr, Expr::Unserialize(info));
+
+	while ( true )
+		{
+		// Anymore?
+		bool next;
+		if ( ! UNSERIALIZE(&next) )
+			return false;
+
+		if ( ! next )
+			break;
+
+		// Unserialize index.
+		ListVal* index =
+			(ListVal*) Val::Unserialize(info, table_type->Indices());
+		if ( ! index )
+			return false;
+
+		// Unserialize data.
+		Val* entry;
+		if ( ! table_type->IsSet() )
+			{
+			entry = Val::Unserialize(info, type->YieldType());
+			if ( ! entry )
+				return false;
+			}
+		else
+			entry = 0;
+
+		TableEntryVal* entry_val = new TableEntryVal(entry);
+
+		double eat;
+
+		if ( ! UNSERIALIZE(&entry_val->last_access_time) ||
+		     ! UNSERIALIZE(&eat) )
+			return false;
+
+		entry_val->SetExpireAccess(eat);
+
+		HashKey* key = ComputeHash(index);
+		TableEntryVal* old_entry_val =
+			AsNonConstTable()->Insert(key, entry_val);
+		assert(! old_entry_val);
+
+		delete key;
+
+		if ( subnets )
+			subnets->Insert(index, entry_val);
+
+		Unref(index);
+		}
+
+	// If necessary, activate the expire timer.
+	if ( attrs)
+		{
+		CheckExpireAttr(ATTR_EXPIRE_READ);
+		CheckExpireAttr(ATTR_EXPIRE_WRITE);
+		CheckExpireAttr(ATTR_EXPIRE_CREATE);
+		}
+
+	return true;
+	}
+
+bool TableVal::AddProperties(Properties arg_props)
+	{
+	if ( ! MutableVal::AddProperties(arg_props) )
+		return false;
+
+	if ( Type()->IsSet() || ! RecursiveProps(arg_props) )
+		return true;
+
+	// For a large table, this could get expensive. So, let's hope
+	// that nobody creates such a table *before* making it persistent
+	// (for example by inserting it into another table).
+	TableEntryVal* v;
+	PDict(TableEntryVal)* tbl = val.table_val;
+	IterCookie* c = tbl->InitForIteration();
+	while ( (v = tbl->NextEntry(c)) )
+		if ( v->Value()->IsMutableVal() )
+			v->Value()->AsMutableVal()->AddProperties(RecursiveProps(arg_props));
+
+	return true;
+	}
+
+bool TableVal::RemoveProperties(Properties arg_props)
+	{
+	if ( ! MutableVal::RemoveProperties(arg_props) )
+		return false;
+
+	if ( Type()->IsSet() || ! RecursiveProps(arg_props) )
+		return true;
+
+	// For a large table, this could get expensive.  So, let's hope
+	// that nobody creates such a table *before* making it persistent
+	// (for example by inserting it into another table).
+	TableEntryVal* v;
+	PDict(TableEntryVal)* tbl = val.table_val;
+	IterCookie* c = tbl->InitForIteration();
+	while ( (v = tbl->NextEntry(c)) )
+		if ( v->Value()->IsMutableVal() )
+			v->Value()->AsMutableVal()->RemoveProperties(RecursiveProps(arg_props));
+
+	return true;
+	}
+
+unsigned int TableVal::MemoryAllocation() const
+	{
+	unsigned int size = 0;
+
+	PDict(TableEntryVal)* v = val.table_val;
+	IterCookie* c = v->InitForIteration();
+
+	TableEntryVal* tv;
+	while ( (tv = v->NextEntry(c)) )
+		{
+		if ( tv->Value() )
+			size += tv->Value()->MemoryAllocation();
+		size += padded_sizeof(TableEntryVal);
+		}
+
+	return size + padded_sizeof(*this) + val.table_val->MemoryAllocation()
+		+ table_hash->MemoryAllocation();
+	}
+
+RecordVal::RecordVal(RecordType* t) : MutableVal(t)
+	{
+	record_type = t;
+	int n = record_type->NumFields();
+	val_list* vl = val.val_list_val = new val_list(n);
+
+	// Initialize to default values from RecordType (which are nil
+	// by default).
+	for ( int i = 0; i < n; ++i )
+		{
+		Attributes* a = record_type->FieldDecl(i)->attrs;
+		Attr* def_attr = a ? a->FindAttr(ATTR_DEFAULT) : 0;
+		Val* def = def_attr ? def_attr->AttrExpr()->Eval(0) : 0;
+
+		if ( ! def && ! (a && a->FindAttr(ATTR_OPTIONAL)) )
+			{
+			BroType* type = record_type->FieldDecl(i)->type;
+			TypeTag tag = type->Tag();
+
+			if ( tag == TYPE_RECORD )
+				def = new RecordVal(type->AsRecordType());
+
+			else if ( tag == TYPE_TABLE )
+				def = new TableVal(type->AsTableType(), a);
+
+			else if ( t->Tag() == TYPE_VECTOR )
+				def = new VectorVal(type->AsVectorType());
+			}
+
+		vl->append(def ? def->Ref() : 0);
+
+		Unref(def);
+		}
+	}
+
+RecordVal::~RecordVal()
+	{
+	delete_vals(AsNonConstRecord());
+	}
+
+void RecordVal::Assign(int field, Val* new_val, Opcode op)
+	{
+	if ( Lookup(field) &&
+	     record_type->FieldType(field)->Tag() == TYPE_TABLE &&
+	     new_val->AsTableVal()->FindAttr(ATTR_MERGEABLE) )
+		{
+		// Join two mergeable sets.
+		Val* old = Lookup(field);
+		if ( old->AsTableVal()->FindAttr(ATTR_MERGEABLE) )
+			{
+			if ( LoggingAccess() && op != OP_NONE )
+				{
+				StringVal* index = new StringVal(Type()->AsRecordType()->FieldName(field));
+				StateAccess::Log(new StateAccess(OP_ASSIGN_IDX, this, index, new_val, old));
+				Unref(index);
+				}
+
+			new_val->AsTableVal()->AddTo(old->AsTableVal(), 0, false);
+			Unref(new_val);
+			return;
+			}
+		}
+
+	Val* old_val = AsNonConstRecord()->replace(field, new_val);
+
+	if ( LoggingAccess() && op != OP_NONE )
+		{
+		if ( new_val && new_val->IsMutableVal() )
+			new_val->AsMutableVal()->AddProperties(GetProperties());
+
+		StringVal* index = new StringVal(Type()->AsRecordType()->FieldName(field));
+		StateAccess::Log(
+			new StateAccess(
+				op == OP_INCR ? OP_INCR_IDX : OP_ASSIGN_IDX,
+				this, index, new_val, old_val));
+		Unref(index); // The logging may keep a cached copy.
+		}
+
+	Unref(old_val);
+	Modified();
+	}
+
+Val* RecordVal::Lookup(int field) const
+	{
+	return (*AsRecord())[field];
+	}
+
+void RecordVal::Describe(ODesc* d) const
+	{
+	const val_list* vl = AsRecord();
+	int n = vl->length();
+
+	if ( d->IsBinary() || d->IsPortable() )
+		{
+		record_type->Describe(d);
+		d->SP();
+		d->Add(n);
+		d->SP();
+		}
+	else
+		d->Add("[");
+
+	loop_over_list(*vl, i)
+		{
+		if ( ! d->IsBinary() && i > 0 )
+			d->Add(", ");
+
+		d->Add(record_type->FieldName(i));
+
+		if ( ! d->IsBinary() )
+			d->Add("=");
+
+		Val* v = (*vl)[i];
+		if ( v )
+			v->Describe(d);
+		else
+			d->Add("<uninitialized>");
+		}
+
+	if ( d->IsReadable() )
+		d->Add("]");
+	}
+
+IMPLEMENT_SERIAL(RecordVal, SER_RECORD_VAL);
+
+bool RecordVal::DoSerialize(SerialInfo* info) const
+	{
+	DO_SERIALIZE(SER_RECORD_VAL, MutableVal);
+
+	// We could use the type name as a tag here.
+	info->s->WriteOpenTag("record");
+
+	// We don't need to serialize record_type as it's simply the
+	// casted table_type.
+	// FIXME: What about origin?
+
+	if ( ! SERIALIZE(val.val_list_val->length()) )
+		return false;
+
+	loop_over_list(*val.val_list_val, i)
+		{
+		info->s->WriteOpenTag(record_type->FieldName(i));
+		Val* v = (*val.val_list_val)[i];
+		SERIALIZE_OPTIONAL(v);
+		info->s->WriteCloseTag(record_type->FieldName(i));
+		}
+
+	info->s->WriteCloseTag("record");
+
+	return true;
+	}
+
+bool RecordVal::DoUnserialize(UnserialInfo* info)
+	{
+	DO_UNSERIALIZE(MutableVal);
+
+	record_type = (RecordType*) type;
+	origin = 0;
+
+	int len;
+	if ( ! UNSERIALIZE(&len) )
+		{
+		val.val_list_val = new val_list;
+		return false;
+		}
+
+	val.val_list_val = new val_list(len);
+
+	for ( int i = 0; i < len; ++i )
+		{
+		Val* v;
+		UNSERIALIZE_OPTIONAL(v, Val::Unserialize(info));
+		AsNonConstRecord()->append(v);	// correct for v==0, too.
+		}
+
+	return true;
+	}
+
+bool RecordVal::AddProperties(Properties arg_props)
+	{
+	if ( ! MutableVal::AddProperties(arg_props) )
+		return false;
+
+	if ( ! RecursiveProps(arg_props) )
+		return true;
+
+	loop_over_list(*val.val_list_val, i)
+		{
+		Val* v = (*val.val_list_val)[i];
+		if ( v && v->IsMutableVal() )
+			v->AsMutableVal()->AddProperties(RecursiveProps(arg_props));
+		}
+	return true;
+	}
+
+
+bool RecordVal::RemoveProperties(Properties arg_props)
+	{
+	if ( ! MutableVal::RemoveProperties(arg_props) )
+		return false;
+
+	if ( ! RecursiveProps(arg_props) )
+		return true;
+
+	loop_over_list(*val.val_list_val, i)
+		{
+		Val* v = (*val.val_list_val)[i];
+		if ( v && v->IsMutableVal() )
+			v->AsMutableVal()->RemoveProperties(RecursiveProps(arg_props));
+		}
+	return true;
+	}
+
+unsigned int RecordVal::MemoryAllocation() const
+	{
+	unsigned int size = 0;
+
+	for ( int i = 0; i < type->AsRecordType()->NumFields(); ++i )
+		{
+		Val* v = (*val.val_list_val)[i];
+
+		// v might be nil for records that don't wind
+		// up being set to a value.
+		if ( v )
+			size += v->MemoryAllocation();
+		}
+
+	return size + padded_sizeof(*this) + val.val_list_val->MemoryAllocation();
+	}
+
+void EnumVal::ValDescribe(ODesc* d) const
+	{
+	const char* ename = type->AsEnumType()->Lookup(val.int_val);
+
+	if ( ! ename )
+		ename = "<undefined>";
+
+	const char* module_offset = strstr(ename, "::");
+	if ( module_offset )
+		ename = module_offset + 2;
+
+	d->Add(ename);
+	}
+
+IMPLEMENT_SERIAL(EnumVal, SER_ENUM_VAL);
+
+bool EnumVal::DoSerialize(SerialInfo* info) const
+	{
+	DO_SERIALIZE(SER_ENUM_VAL, Val);
+	return true;
+	}
+
+bool EnumVal::DoUnserialize(UnserialInfo* info)
+	{
+	DO_UNSERIALIZE(Val);
+	return true;
+	}
+
+VectorVal::VectorVal(VectorType* t) : MutableVal(t)
+	{
+	vector_type = t->Ref()->AsVectorType();
+	val.vector_val = new vector<Val*>();
+	}
+
+VectorVal::~VectorVal()
+	{
+	for ( unsigned int i = 0; i < val.vector_val->size(); ++i )
+		Unref((*val.vector_val)[i]);
+
+	Unref(vector_type);
+
+	delete val.vector_val;
+	}
+
+bool VectorVal::Assign(unsigned int index, Val* element, const Expr* assigner,
+			Opcode op)
+	{
+	if ( element &&
+	     ! same_type(element->Type(), vector_type->YieldType(), 0) )
+		{
+		Unref(element);
+		return false;
+		}
+
+	if ( index == 0 || index > (1 << 30) )
+		{
+		if ( assigner )
+			assigner->Error(fmt("index (%d) must be positive",
+						index));
+		Unref(element);
+		return true;	// true = "no fatal error"
+		}
+
+	BroType* yt = Type()->AsVectorType()->YieldType();
+
+	if ( yt && yt->Tag() == TYPE_TABLE &&
+	     element->AsTableVal()->FindAttr(ATTR_MERGEABLE) )
+		{
+		// Join two mergeable sets.
+		Val* old = Lookup(index);
+		if ( old && old->AsTableVal()->FindAttr(ATTR_MERGEABLE) )
+			{
+			if ( LoggingAccess() && op != OP_NONE )
+				{
+				Val* ival = new Val(index, TYPE_COUNT);
+				StateAccess::Log(new StateAccess(OP_ASSIGN_IDX,
+						this, ival, element,
+						(*val.vector_val)[index - 1]));
+				Unref(ival);
+				}
+
+			element->AsTableVal()->AddTo(old->AsTableVal(), 0, false);
+			Unref(element);
+			return true;
+			}
+		}
+
+	if ( index <= val.vector_val->size() )
+		Unref((*val.vector_val)[index - 1]);
+	else
+		val.vector_val->resize(index);
+
+	if ( LoggingAccess() && op != OP_NONE )
+		{
+		if ( element->IsMutableVal() )
+			element->AsMutableVal()->AddProperties(GetProperties());
+
+		Val* ival = new Val(index, TYPE_COUNT);
+
+		StateAccess::Log(new StateAccess(op == OP_INCR ?
+				OP_INCR_IDX : OP_ASSIGN_IDX,
+				this, ival, element, (*val.vector_val)[index - 1]));
+		Unref(ival);
+		}
+
+	// Note: we do *not* Ref() the element, if any, at this point.
+	// AssignExpr::Eval() already does this; other callers must remember
+	// to do it similarly.
+	(*val.vector_val)[index - 1] = element;
+
+	Modified();
+	return true;
+	}
+
+bool VectorVal::AssignRepeat(unsigned int index, unsigned int how_many,
+				Val* element, const Expr* assigner)
+	{
+	ResizeAtLeast(index + how_many - 1);
+
+	for ( unsigned int i = index; i < index + how_many; ++i )
+		if ( ! Assign(i, element, assigner) )
+			return false;
+
+	return true;
+	}
+
+
+Val* VectorVal::Lookup(unsigned int index) const
+	{
+	if ( index == 0 || index > val.vector_val->size() )
+		return 0;
+
+	return (*val.vector_val)[index - 1];
+	}
+
+unsigned int VectorVal::Resize(unsigned int new_num_elements)
+	{
+	unsigned int oldsize = val.vector_val->size();
+	val.vector_val->reserve(new_num_elements);
+	val.vector_val->resize(new_num_elements);
+	return oldsize;
+	}
+
+unsigned int VectorVal::ResizeAtLeast(unsigned int new_num_elements)
+	 {
+	 unsigned int old_size = val.vector_val->size();
+	 if ( new_num_elements <= old_size )
+		 return old_size;
+
+	 return Resize(new_num_elements);
+	 }
+
+bool VectorVal::AddProperties(Properties arg_props)
+	{
+	if ( ! MutableVal::AddProperties(arg_props) )
+		return false;
+
+	if ( ! RecursiveProps(arg_props) )
+		return true;
+
+	for ( unsigned int i = 0; i < val.vector_val->size(); ++i )
+		if ( (*val.vector_val)[i]->IsMutableVal() )
+			(*val.vector_val)[i]->AsMutableVal()->AddProperties(RecursiveProps(arg_props));
+
+	return true;
+	}
+
+bool VectorVal::RemoveProperties(Properties arg_props)
+	{
+	if ( ! MutableVal::RemoveProperties(arg_props) )
+		return false;
+
+	if ( ! RecursiveProps(arg_props) )
+		return true;
+
+	for ( unsigned int i = 0; i < val.vector_val->size(); ++i )
+		if ( (*val.vector_val)[i]->IsMutableVal() )
+			(*val.vector_val)[i]->AsMutableVal()->RemoveProperties(RecursiveProps(arg_props));
+
+	return true;
+	}
+
+IMPLEMENT_SERIAL(VectorVal, SER_VECTOR_VAL);
+
+bool VectorVal::DoSerialize(SerialInfo* info) const
+	{
+	DO_SERIALIZE(SER_VECTOR_VAL, MutableVal);
+
+	info->s->WriteOpenTag("vector");
+
+	if ( ! SERIALIZE(unsigned(val.vector_val->size())) )
+		return false;
+
+	for ( unsigned int i = 0; i < val.vector_val->size(); ++i )
+		{
+		info->s->WriteOpenTag("value");
+		Val* v = (*val.vector_val)[i];
+		SERIALIZE_OPTIONAL(v);
+		info->s->WriteCloseTag("value");
+		}
+
+	info->s->WriteCloseTag("vector");
+
+	return true;
+	}
+
+bool VectorVal::DoUnserialize(UnserialInfo* info)
+	{
+	DO_UNSERIALIZE(MutableVal);
+
+	val.vector_val = new vector<Val*>;
+	vector_type = type->Ref()->AsVectorType();
+
+	int len;
+	if ( ! UNSERIALIZE(&len) )
+		return false;
+
+	for ( int i = 0; i < len; ++i )
+		{
+		Val* v;
+		UNSERIALIZE_OPTIONAL(v, Val::Unserialize(info, TYPE_ANY));
+		Assign(i + VECTOR_MIN, v, 0);
+		}
+
+	return true;
+	}
+
+void VectorVal::ValDescribe(ODesc* d) const
+	{
+	d->Add("[");
+
+	if ( val.vector_val->size() > 0 )
+		for ( unsigned int i = 0; i < (val.vector_val->size() - 1); ++i )
+			{
+			if ( (*val.vector_val)[i] )
+				(*val.vector_val)[i]->Describe(d);
+			d->Add(", ");
+			}
+
+	if ( val.vector_val->size() &&
+	     (*val.vector_val)[val.vector_val->size() - 1] )
+		(*val.vector_val)[val.vector_val->size() - 1]->Describe(d);
+
+	d->Add("]");
+	}
+
+
+Val* check_and_promote(Val* v, const BroType* t, int is_init)
+	{
+	BroType* vt = v->Type();
+
+	vt = flatten_type(vt);
+	t = flatten_type(t);
+
+	TypeTag t_tag = t->Tag();
+	TypeTag v_tag = vt->Tag();
+
+	if ( ! EitherArithmetic(t_tag, v_tag) ||
+	     /* allow sets as initializers */
+	     (is_init && v_tag == TYPE_TABLE) )
+		{
+		if ( same_type(t, vt, is_init) )
+			return v;
+
+		t->Error("type clash", v);
+		Unref(v);
+		return 0;
+		}
+
+	if ( ! BothArithmetic(t_tag, v_tag) &&
+	     (! IsArithmetic(v_tag) || t_tag != TYPE_TIME || ! v->IsZero()) )
+		{
+		if ( t_tag == TYPE_LIST || v_tag == TYPE_LIST )
+			t->Error("list mixed with scalar", v);
+		else
+			t->Error("arithmetic mixed with non-arithmetic", v);
+		Unref(v);
+		return 0;
+		}
+
+	if ( v_tag == t_tag )
+		return v;
+
+	if ( t_tag != TYPE_TIME )
+		{
+		TypeTag mt = max_type(t_tag, v_tag);
+		if ( mt != t_tag )
+			{
+			t->Error("over-promotion of arithmetic value", v);
+			Unref(v);
+			return 0;
+			}
+		}
+
+	// Need to promote v to type t.
+	InternalTypeTag it = t->InternalType();
+	InternalTypeTag vit = vt->InternalType();
+
+	if ( it == vit )
+		// Already has the right internal type.
+		return v;
+
+	Val* promoted_v;
+	switch ( it ) {
+	case TYPE_INTERNAL_INT:
+		promoted_v = new Val(v->CoerceToInt(), t_tag);
+		break;
+
+	case TYPE_INTERNAL_UNSIGNED:
+		promoted_v = new Val(v->CoerceToUnsigned(), t_tag);
+		break;
+
+	case TYPE_INTERNAL_DOUBLE:
+		promoted_v = new Val(v->CoerceToDouble(), t_tag);
+		break;
+
+	default:
+		internal_error("bad internal type in check_and_promote()");
+		Unref(v);
+		return 0;
+	}
+
+	Unref(v);
+	return promoted_v;
+	}
+
+int same_val(const Val* /* v1 */, const Val* /* v2 */)
+	{
+	internal_error("same_val not implemented");
+	return 0;
+	}
+
+bool is_atomic_val(const Val* v)
+	{
+	switch ( v->Type()->InternalType() ) {
+	case TYPE_INTERNAL_INT:
+	case TYPE_INTERNAL_UNSIGNED:
+	case TYPE_INTERNAL_DOUBLE:
+	case TYPE_INTERNAL_STRING:
+	case TYPE_INTERNAL_ADDR:
+	case TYPE_INTERNAL_SUBNET:
+		return true;
+	default:
+		return false;
+	}
+	}
+
+int same_atomic_val(const Val* v1, const Val* v2)
+	{
+	// This is a very preliminary implementation of same_val(),
+	// true only for equal, simple atomic values of same type.
+	if ( v1->Type()->Tag() != v2->Type()->Tag() )
+		return 0;
+
+	switch ( v1->Type()->InternalType() ) {
+	case TYPE_INTERNAL_INT:
+		return v1->InternalInt() == v2->InternalInt();
+	case TYPE_INTERNAL_UNSIGNED:
+		return v1->InternalUnsigned() == v2->InternalUnsigned();
+	case TYPE_INTERNAL_DOUBLE:
+		return v1->InternalDouble() == v2->InternalDouble();
+	case TYPE_INTERNAL_STRING:
+		return Bstr_eq(v1->AsString(), v2->AsString());
+
+	case TYPE_INTERNAL_ADDR:
+		{
+		const addr_type& a1 = v1->AsAddr();
+		const addr_type& a2 = v2->AsAddr();
+#ifdef BROv6
+		return addr_eq(a1, a2);
+#else
+		return addr_eq(&a1, &a2);
+#endif
+		}
+
+	case TYPE_INTERNAL_SUBNET:
+		return subnet_eq(v1->AsSubNet(), v2->AsSubNet());
+
+	default:
+		internal_error("same_atomic_val called for non-atomic value");
+		return 0;
+	}
+
+	return 0;
+	}
+
+void describe_vals(const val_list* vals, ODesc* d, int offset)
+	{
+	if ( ! d->IsReadable() )
+		{
+		d->Add(vals->length());
+		d->SP();
+		}
+
+	for ( int i = offset; i < vals->length(); ++i )
+		{
+		if ( i > offset && d->IsReadable() )
+			d->Add(", ");
+
+		(*vals)[i]->Describe(d);
+		}
+	}
+
+void delete_vals(val_list* vals)
+	{
+	if ( vals )
+		{
+		loop_over_list(*vals, i)
+			Unref((*vals)[i]);
+		delete vals;
+		}
+	}
diff --git a/src/Val.h b/src/Val.h
new file mode 100644
index 0000000000..925015c9c1
--- /dev/null
+++ b/src/Val.h
@@ -0,0 +1,1056 @@
+// $Id: Val.h 6916 2009-09-24 20:48:36Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#ifndef val_h
+#define val_h
+
+// BRO values.
+
+#include <vector>
+#include <list>
+
+#include "net_util.h"
+#include "Type.h"
+#include "Dict.h"
+#include "CompHash.h"
+#include "BroString.h"
+#include "Attr.h"
+#include "Timer.h"
+#include "ID.h"
+#include "Scope.h"
+#include "StateAccess.h"
+
+class Val;
+class Func;
+class BroFile;
+class RE_Matcher;
+class PrefixTable;
+class SerialInfo;
+
+class PortVal;
+class AddrVal;
+class NetVal;
+class SubNetVal;
+
+class IntervalVal;
+class PatternVal;
+class TableVal;
+class RecordVal;
+class ListVal;
+class StringVal;
+class MutableVal;
+
+class StateAccess;
+
+class VectorVal;
+
+class TableEntryVal;
+declare(PDict,TableEntryVal);
+
+typedef union {
+	// Used for bool, int, enum.
+	bro_int_t int_val;
+
+	// Used for count, counter, port, subnet.
+	bro_uint_t uint_val;
+
+	// Used for addr, net
+	addr_type addr_val;
+
+	// Used for subnet
+	subnet_type subnet_val;
+
+	// Used for double, time, interval.
+	double double_val;
+
+	BroString* string_val;
+	Func* func_val;
+	BroFile* file_val;
+	RE_Matcher* re_val;
+	PDict(TableEntryVal)* table_val;
+	val_list* val_list_val;
+
+	vector<Val*>* vector_val;
+
+} BroValUnion;
+
+class Val : public BroObj {
+public:
+	Val(bool b, TypeTag t)
+		{
+		val.int_val = b;
+		type = base_type(t);
+		attribs = 0;
+#ifdef DEBUG
+		bound_id = 0;
+#endif
+		}
+
+	Val(int i, TypeTag t)
+		{
+		val.int_val = bro_int_t(i);
+		type = base_type(t);
+		attribs = 0;
+#ifdef DEBUG
+		bound_id = 0;
+#endif
+		}
+
+	Val(long i, TypeTag t)
+		{
+		val.int_val = bro_int_t(i);
+		type = base_type(t);
+		attribs = 0;
+#ifdef DEBUG
+		bound_id = 0;
+#endif
+		}
+
+	Val(unsigned int u, TypeTag t)
+		{
+		val.uint_val = bro_uint_t(u);
+		type = base_type(t);
+		attribs = 0;
+#ifdef DEBUG
+		bound_id = 0;
+#endif
+		}
+
+	Val(unsigned long u, TypeTag t)
+		{
+		val.uint_val = bro_uint_t(u);
+		type = base_type(t);
+		attribs = 0;
+#ifdef DEBUG
+		bound_id = 0;
+#endif
+		}
+
+#ifdef USE_INT64
+	Val(int64 i, TypeTag t)
+		{
+		val.int_val = i;
+		type = base_type(t);
+		attribs = 0;
+#ifdef DEBUG
+		bound_id = 0;
+#endif
+		}
+
+	Val(uint64 u, TypeTag t)
+		{
+		val.uint_val = u;
+		type = base_type(t);
+		attribs = 0;
+#ifdef DEBUG
+		bound_id = 0;
+#endif
+		}
+#endif // USE_INT64
+
+	Val(double d, TypeTag t)
+		{
+		val.double_val = d;
+		type = base_type(t);
+		attribs = 0;
+#ifdef DEBUG
+		bound_id = 0;
+#endif
+		}
+
+	Val(Func* f);
+
+	// Note, will unref 'f' when it's done, closing it unless
+	// class has ref'd it.
+	Val(BroFile* f);
+
+	Val()
+		{
+		val.int_val = 0;
+		type = base_type(TYPE_ERROR);
+		attribs = 0;
+#ifdef DEBUG
+		bound_id = 0;
+#endif
+		}
+
+	virtual ~Val();
+
+	Val* Ref()			{ ::Ref(this); return this; }
+	virtual Val* Clone() const;
+
+	RecordVal* GetAttribs(bool instantiate);
+	void SetAttribs(RecordVal* arg_attribs)
+		{
+		Unref((Val*) attribs);
+		attribs = arg_attribs;
+		}
+
+	int IsZero() const;
+	int IsOne() const;
+
+	bro_int_t InternalInt() const;
+	bro_uint_t InternalUnsigned() const;
+	double InternalDouble() const;
+
+	bro_int_t CoerceToInt() const;
+	bro_uint_t CoerceToUnsigned() const;
+	double CoerceToDouble() const;
+
+	// Returns a new Val with the "size" of this Val.  What constitutes
+	// size depends on the Val's type.
+	virtual Val* SizeVal() const;
+
+	// Bytes in total value object.
+	virtual unsigned int MemoryAllocation() const;
+
+	// Add this value to the given value (if appropriate).
+	// Returns true if succcessful.  is_first_init is true only if
+	// this is the *first* initialization of the value, not
+	// if it's a subsequent += initialization.
+	virtual int AddTo(Val* v, int is_first_init) const;
+
+	// Remove this value from the given value (if appropriate).
+	virtual int RemoveFrom(Val* v) const;
+
+	BroType* Type()			{ return type; }
+	const BroType* Type() const	{ return type; }
+
+#define CONST_ACCESSOR(tag, ctype, accessor, name) \
+	const ctype name() const \
+		{ \
+		CHECK_TAG(type->Tag(), tag, "Val::CONST_ACCESSOR", type_name) \
+		return val.accessor; \
+		}
+
+	// Needed for g++ 4.3's pickiness.
+#define CONST_ACCESSOR2(tag, ctype, accessor, name) \
+	ctype name() const \
+		{ \
+		CHECK_TAG(type->Tag(), tag, "Val::CONST_ACCESSOR", type_name) \
+		return val.accessor; \
+		}
+
+	CONST_ACCESSOR2(TYPE_BOOL, bool, int_val, AsBool)
+	CONST_ACCESSOR2(TYPE_INT, bro_int_t, int_val, AsInt)
+	CONST_ACCESSOR2(TYPE_COUNT, bro_uint_t, uint_val, AsCount)
+	CONST_ACCESSOR2(TYPE_COUNTER, bro_uint_t, uint_val, AsCounter)
+	CONST_ACCESSOR2(TYPE_DOUBLE, double, double_val, AsDouble)
+	CONST_ACCESSOR2(TYPE_TIME, double, double_val, AsTime)
+	CONST_ACCESSOR2(TYPE_INTERVAL, double, double_val, AsInterval)
+	CONST_ACCESSOR2(TYPE_ENUM, int, int_val, AsEnum)
+	CONST_ACCESSOR(TYPE_STRING, BroString*, string_val, AsString)
+	CONST_ACCESSOR(TYPE_FUNC, Func*, func_val, AsFunc)
+	CONST_ACCESSOR(TYPE_TABLE, PDict(TableEntryVal)*, table_val, AsTable)
+	CONST_ACCESSOR(TYPE_RECORD, val_list*, val_list_val, AsRecord)
+	CONST_ACCESSOR(TYPE_FILE, BroFile*, file_val, AsFile)
+	CONST_ACCESSOR(TYPE_PATTERN, RE_Matcher*, re_val, AsPattern)
+	CONST_ACCESSOR(TYPE_VECTOR, vector<Val*>*, vector_val, AsVector)
+
+	const subnet_type* AsSubNet() const
+		{
+		CHECK_TAG(type->Tag(), TYPE_SUBNET, "Val::SubNet", type_name)
+		return &val.subnet_val;
+		}
+
+	// ... in network byte order
+	const addr_type AsAddr() const
+		{
+		if ( type->Tag() != TYPE_ADDR && type->Tag() != TYPE_NET )
+			BadTag("Val::AsAddr", type_name(type->Tag()));
+		return val.addr_val;
+		}
+
+#define ACCESSOR(tag, ctype, accessor, name) \
+	ctype name() \
+		{ \
+		CHECK_TAG(type->Tag(), tag, "Val::ACCESSOR", type_name) \
+		return val.accessor; \
+		}
+
+	// Accessors for mutable values are called AsNonConst* and
+	// are protected to avoid external state changes.
+	// ACCESSOR(TYPE_STRING, BroString*, string_val, AsString)
+	ACCESSOR(TYPE_FUNC, Func*, func_val, AsFunc)
+	ACCESSOR(TYPE_FILE, BroFile*, file_val, AsFile)
+	ACCESSOR(TYPE_PATTERN, RE_Matcher*, re_val, AsPattern)
+	ACCESSOR(TYPE_VECTOR, vector<Val*>*, vector_val, AsVector)
+
+	subnet_type* AsSubNet()
+		{
+		CHECK_TAG(type->Tag(), TYPE_SUBNET, "Val::SubNet", type_name)
+		return &val.subnet_val;
+		}
+
+	// Gives fast access to the bits of something that is one of
+	// bool, int, count, or counter.
+	bro_int_t ForceAsInt() const		{ return val.int_val; }
+	bro_uint_t ForceAsUInt() const		{ return val.uint_val; }
+
+#define CONVERTER(tag, ctype, name) \
+	ctype name() \
+		{ \
+		CHECK_TAG(type->Tag(), tag, "Val::CONVERTER", type_name) \
+		return (ctype)(this); \
+		}
+
+	CONVERTER(TYPE_PATTERN, PatternVal*, AsPatternVal)
+	CONVERTER(TYPE_PORT, PortVal*, AsPortVal)
+	CONVERTER(TYPE_NET, NetVal*, AsNetVal)
+	CONVERTER(TYPE_SUBNET, SubNetVal*, AsSubNetVal)
+	CONVERTER(TYPE_TABLE, TableVal*, AsTableVal)
+	CONVERTER(TYPE_RECORD, RecordVal*, AsRecordVal)
+	CONVERTER(TYPE_LIST, ListVal*, AsListVal)
+	CONVERTER(TYPE_STRING, StringVal*, AsStringVal)
+	CONVERTER(TYPE_VECTOR, VectorVal*, AsVectorVal)
+
+#define CONST_CONVERTER(tag, ctype, name) \
+	const ctype name() const \
+		{ \
+		CHECK_TAG(type->Tag(), tag, "Val::CONVERTER", type_name) \
+		return (const ctype)(this); \
+		}
+
+	CONST_CONVERTER(TYPE_PATTERN, PatternVal*, AsPatternVal)
+	CONST_CONVERTER(TYPE_PORT, PortVal*, AsPortVal)
+	CONST_CONVERTER(TYPE_NET, NetVal*, AsNetVal)
+	CONST_CONVERTER(TYPE_SUBNET, SubNetVal*, AsSubNetVal)
+	CONST_CONVERTER(TYPE_TABLE, TableVal*, AsTableVal)
+	CONST_CONVERTER(TYPE_RECORD, RecordVal*, AsRecordVal)
+	CONST_CONVERTER(TYPE_LIST, ListVal*, AsListVal)
+	CONST_CONVERTER(TYPE_STRING, StringVal*, AsStringVal)
+	CONST_CONVERTER(TYPE_VECTOR, VectorVal*, AsVectorVal)
+
+	bool IsMutableVal() const
+		{
+		return IsMutable(type->Tag());
+		}
+
+	const MutableVal* AsMutableVal() const
+		{
+		if ( ! IsMutableVal() )
+			BadTag("Val::AsMutableVal", type_name(type->Tag()));
+		return (MutableVal*) this;
+		}
+
+	MutableVal* AsMutableVal()
+		{
+		if ( ! IsMutableVal() )
+			BadTag("Val::AsMutableVal", type_name(type->Tag()));
+		return (MutableVal*) this;
+		}
+
+	void Describe(ODesc* d) const;
+
+	bool Serialize(SerialInfo* info) const;
+	static Val* Unserialize(UnserialInfo* info, TypeTag type = TYPE_ANY)
+		{ return Unserialize(info, type, 0); }
+	static Val* Unserialize(UnserialInfo* info, const BroType* exact_type)
+		{ return Unserialize(info, exact_type->Tag(), exact_type); }
+
+	DECLARE_SERIAL(Val);
+
+#ifdef DEBUG
+	// For debugging, we keep a reference to the global ID to which a
+	// value has been bound *last*.
+	ID* GetID() const	{ return bound_id; }
+	void SetID(ID* id)
+		{
+		if ( bound_id )
+			::Unref(bound_id);
+		bound_id = id;
+		::Ref(bound_id);
+		}
+#endif
+
+protected:
+	Val(BroString* s, TypeTag t)
+		{
+		val.string_val = s;
+		type = base_type(t);
+		attribs = 0;
+#ifdef DEBUG
+		bound_id = 0;
+#endif
+		}
+
+	virtual void ValDescribe(ODesc* d) const;
+
+	Val(TypeTag t)
+		{
+		type = base_type(t);
+		attribs = 0;
+#ifdef DEBUG
+		bound_id = 0;
+#endif
+		}
+
+	Val(BroType* t)
+		{
+		type = t->Ref();
+		attribs = 0;
+#ifdef DEBUG
+		bound_id = 0;
+#endif
+		}
+
+	ACCESSOR(TYPE_TABLE, PDict(TableEntryVal)*, table_val, AsNonConstTable)
+	ACCESSOR(TYPE_RECORD, val_list*, val_list_val, AsNonConstRecord)
+
+	// Just an internal helper.
+	static Val* Unserialize(UnserialInfo* info, TypeTag type,
+			const BroType* exact_type);
+
+	BroValUnion val;
+	BroType* type;
+	RecordVal* attribs;
+
+#ifdef DEBUG
+	// For debugging, we keep the ID to which a Val is bound.
+	ID* bound_id;
+#endif
+
+};
+
+class MutableVal : public Val {
+public:
+	// Each MutableVal gets a globally unique ID that can be used to
+	// reference it no matter if it's directly bound to any user-visible
+	// ID. This ID is inserted into the global namespace.
+	ID* UniqueID() const	{ return id ? id : Bind(); }
+
+	// Returns true if we've already generated a unique ID.
+	bool HasUniqueID() const	{ return id; }
+
+	// Transfers the unique ID of the given value to this value. We keep our
+	// old ID as an alias.
+	void TransferUniqueID(MutableVal* mv);
+
+	// MutableVals can have properties (let's refrain from calling them
+	// attributes!).  Most properties are recursive.  If a derived object
+	// can contain MutableVals itself, the object has to override
+	// {Add,Remove}Properties(). RecursiveProp(state) masks out all non-
+	// recursive properties. If this is non-null, an overriden method must
+	// call itself with RecursiveProp(state) as argument for all contained
+	// values.  (In any case, don't forget to call the parent's method.)
+	typedef char Properties;
+
+	static const int PERSISTENT = 0x01;
+	static const int SYNCHRONIZED = 0x02;
+
+	// Tracked by NotifierRegistry, not recursive.
+	static const int TRACKED = 0x04;
+
+	int RecursiveProps(int prop) const	{ return prop & ~TRACKED; }
+
+	Properties GetProperties() const	{ return props; }
+	virtual bool AddProperties(Properties state);
+	virtual bool RemoveProperties(Properties state);
+
+	// Whether StateAccess:LogAccess needs to be called.
+	bool LoggingAccess() const
+		{
+#ifndef DEBUG
+		return props & (SYNCHRONIZED|PERSISTENT|TRACKED);
+#else
+		return debug_logger.IsVerbose() ||
+			(props & (SYNCHRONIZED|PERSISTENT|TRACKED));
+#endif
+		}
+
+	virtual uint64 LastModified() const 	{ return last_modified; }
+
+	// Mark value as changed.
+	void Modified()
+		{
+		last_modified = IncreaseTimeCounter();
+		}
+
+protected:
+	MutableVal(BroType* t) : Val(t)
+		{ props = 0; id = 0; last_modified = SerialObj::ALWAYS; }
+	MutableVal()	{ id = 0; last_modified = SerialObj::ALWAYS; }
+	~MutableVal();
+
+	friend class ID;
+	friend class Val;
+
+	void SetID(ID* arg_id)	{ Unref(id); id = arg_id; }
+
+	DECLARE_SERIAL(MutableVal);
+
+private:
+	ID* Bind() const;
+
+	mutable ID* id;
+	list<ID*> aliases;
+	Properties props;
+	uint64 last_modified;
+};
+
+#define Microseconds 1e-6
+#define Milliseconds 1e-3
+#define Seconds 1.0
+#define Minutes (60*Seconds)
+#define Hours (60*Minutes)
+#define Days (24*Hours)
+
+class IntervalVal : public Val {
+public:
+	IntervalVal(double quantity, double units);
+
+protected:
+	IntervalVal()	{}
+
+	void ValDescribe(ODesc* d) const;
+
+	DECLARE_SERIAL(IntervalVal);
+};
+
+
+// We have four different port name spaces: TCP, UDP, ICMP, and UNKNOWN.
+// We distinguish between them based on the bits specified in the *_PORT_MASK
+// entries specified below.
+#define NUM_PORT_SPACES 4
+#define PORT_SPACE_MASK 0x30000
+
+#define TCP_PORT_MASK  0x10000
+#define UDP_PORT_MASK  0x20000
+#define ICMP_PORT_MASK 0x30000
+
+typedef enum {
+	TRANSPORT_UNKNOWN, TRANSPORT_TCP, TRANSPORT_UDP, TRANSPORT_ICMP,
+} TransportProto;
+
+class PortVal : public Val {
+public:
+	// Constructors - both take the port number in host order.
+	PortVal(uint32 p, TransportProto port_type);
+	PortVal(uint32 p);	// used for already-massaged port value.
+
+	Val* SizeVal() const	{ return new Val(val.uint_val, TYPE_INT); }
+
+	// Returns the port number in host order (not including the mask).
+	uint32 Port() const;
+
+	// Tests for protocol types.
+	int IsTCP() const;
+	int IsUDP() const;
+	int IsICMP() const;
+
+	TransportProto PortType() const
+		{
+		if ( IsTCP() )
+			return TRANSPORT_TCP;
+		else if ( IsUDP() )
+			return TRANSPORT_UDP;
+		else if ( IsICMP() )
+			return TRANSPORT_ICMP;
+		else
+			return TRANSPORT_UNKNOWN;
+		}
+
+protected:
+	friend class Val;
+	PortVal()	{}
+
+	void ValDescribe(ODesc* d) const;
+
+	DECLARE_SERIAL(PortVal);
+};
+
+class AddrVal : public Val {
+public:
+	AddrVal(const char* text);
+	~AddrVal();
+
+	Val* SizeVal() const;
+
+	// Constructor for address already in network order.
+	AddrVal(uint32 addr);
+	AddrVal(const uint32* addr);
+
+	unsigned int MemoryAllocation() const;
+
+protected:
+	friend class Val;
+	AddrVal()	{}
+	AddrVal(TypeTag t) : Val(t)	{ }
+	AddrVal(BroType* t) : Val(t)	{ }
+
+	void Init(uint32 addr);
+	void Init(const uint32* addr);
+
+	DECLARE_SERIAL(AddrVal);
+};
+
+class NetVal : public AddrVal {
+public:
+	NetVal(const char* text);
+	NetVal(uint32 addr);
+	NetVal(const uint32* addr);
+
+	Val* SizeVal() const;
+
+protected:
+	friend class Val;
+	NetVal()	{}
+
+	void ValDescribe(ODesc* d) const;
+
+	DECLARE_SERIAL(NetVal);
+};
+
+class SubNetVal : public Val {
+public:
+	SubNetVal(const char* text);
+	SubNetVal(const char* text, int width);
+	SubNetVal(uint32 addr, int width);	// for address already massaged
+	SubNetVal(const uint32* addr, int width);	// ditto
+
+	Val* SizeVal() const;
+
+	int Width() const	{ return val.subnet_val.width; }
+	addr_type Mask() const; // returns host byte order
+
+	bool Contains(const uint32 addr) const;
+	bool Contains(const uint32* addr) const;
+
+	unsigned int MemoryAllocation() const
+		{
+		return Val::MemoryAllocation() + padded_sizeof(*this) - padded_sizeof(Val);
+		}
+
+protected:
+	friend class Val;
+	SubNetVal()	{}
+
+	void Init(const char* text, int width);
+	void Init(uint32 addr, int width);
+	void Init(const uint32 *addr, int width);
+
+	void ValDescribe(ODesc* d) const;
+
+	DECLARE_SERIAL(SubNetVal);
+};
+
+class StringVal : public Val {
+public:
+	StringVal(BroString* s);
+	StringVal(const char* s);
+	StringVal(int length, const char* s);
+
+	Val* SizeVal() const
+		{ return new Val(val.string_val->Len(), TYPE_COUNT); }
+
+	int Len()		{ return AsString()->Len(); }
+	const u_char* Bytes()	{ return AsString()->Bytes(); }
+	const char* CheckString() { return AsString()->CheckString(); }
+
+	// Note that one needs to de-allocate the return value of
+	// ExpandedString() to avoid a memory leak.
+	// char* ExpandedString(int format = BroString::EXPANDED_STRING)
+	// 	{ return AsString()->ExpandedString(format); }
+
+	StringVal* ToUpper();
+
+	unsigned int MemoryAllocation() const;
+
+protected:
+	friend class Val;
+	StringVal()	{}
+
+	void ValDescribe(ODesc* d) const;
+
+	DECLARE_SERIAL(StringVal);
+};
+
+class PatternVal : public Val {
+public:
+	PatternVal(RE_Matcher* re);
+	~PatternVal();
+
+	int AddTo(Val* v, int is_first_init) const;
+
+	void SetMatcher(RE_Matcher* re);
+
+	unsigned int MemoryAllocation() const;
+
+protected:
+	friend class Val;
+	PatternVal()	{}
+
+	void ValDescribe(ODesc* d) const;
+
+	DECLARE_SERIAL(PatternVal);
+};
+
+class ListVal : public Val {
+public:
+	ListVal(TypeTag t);
+	~ListVal();
+
+	TypeTag BaseTag() const		{ return tag; }
+
+	Val* SizeVal() const	{ return new Val(vals.length(), TYPE_COUNT); }
+
+	int Length() const		{ return vals.length(); }
+	Val* Index(const int n)		{ return vals[n]; }
+	const Val* Index(const int n) const	{ return vals[n]; }
+
+	// Returns offset of where str includes one of the strings in this
+	// ListVal (which had better be a list of strings), nil if none.
+	//
+	// Assumes that all of the strings in the list are NUL-terminated
+	// and do not have any embedded NULs.
+	const char* IncludedInString(const char* str) const;
+
+	// Returns an RE_Matcher() that will match any string that
+	// includes embedded within it one of the patterns listed
+	// (as a string, e.g., "foo|bar") in this ListVal.
+	//
+	// Assumes that all of the strings in the list are NUL-terminated
+	// and do not have any embedded NULs.
+	//
+	// The return RE_Matcher has not yet been compiled.
+	RE_Matcher* BuildRE() const;
+
+	void Append(Val* v);
+
+	// Returns a Set representation of the list (which must be homogeneous).
+	TableVal* ConvertToSet() const;
+
+	const val_list* Vals() const	{ return &vals; }
+	val_list* Vals()		{ return &vals; }
+
+	void Describe(ODesc* d) const;
+
+	unsigned int MemoryAllocation() const;
+
+protected:
+	friend class Val;
+	ListVal()	{}
+
+	DECLARE_SERIAL(ListVal);
+
+	val_list vals;
+	TypeTag tag;
+};
+
+extern double bro_start_network_time;
+
+class TableEntryVal {
+public:
+	TableEntryVal(Val* v)
+		{
+		val = v;
+		last_access_time = network_time;
+		expire_access_time = last_read_update =
+			int(network_time - bro_start_network_time);
+		}
+	~TableEntryVal()	{ }
+
+	Val* Value()	{ return val; }
+	void Ref()	{ val->Ref(); }
+	void Unref()	{ ::Unref(val); }
+
+	// Returns/sets time of last expiration relevant access to this value.
+	double ExpireAccessTime() const
+		{ return bro_start_network_time + expire_access_time; }
+	void SetExpireAccess(double time)
+		{ expire_access_time = int(time - bro_start_network_time); }
+
+	// Returns/sets time of when we propagated the last OP_READ_IDX
+	// for this item.
+	double LastReadUpdate() const
+		{ return bro_start_network_time + last_read_update; }
+	void SetLastReadUpdate(double time)
+		{ last_read_update = int(time - bro_start_network_time); }
+
+protected:
+	friend class TableVal;
+
+	Val* val;
+	double last_access_time;
+
+	// The next two entries store seconds since Bro's start.  We use
+	// ints here to save a few bytes, as we do not need a high resolution
+	// for these anyway.
+	int expire_access_time;
+	int last_read_update;
+};
+
+class TableValTimer : public Timer {
+public:
+	TableValTimer(TableVal* val, double t);
+	~TableValTimer();
+
+	virtual void Dispatch(double t, int is_expire);
+
+	TableVal* Table()	{ return table; }
+
+protected:
+	TableVal* table;
+};
+
+class CompositeHash;
+class TableVal : public MutableVal {
+public:
+	TableVal(TableType* t, Attributes* attrs = 0);
+	~TableVal();
+
+	// Returns true if the assignment typechecked, false if not.
+	// Second version takes a HashKey and Unref()'s it when done.
+	// If we're a set, new_val has to be nil.
+	// If we aren't a set, index may be nil in the second version.
+	int Assign(Val* index, Val* new_val, Opcode op = OP_ASSIGN);
+	int Assign(Val* index, HashKey* k, Val* new_val, Opcode op = OP_ASSIGN);
+
+	Val* SizeVal() const	{ return new Val(Size(), TYPE_COUNT); }
+
+	// Add the entire contents of the table to the given value,
+	// which must also be a TableVal.
+	// Returns true if the addition typechecked, false if not.
+	// If is_first_init is true, then this is the *first* initialization
+	// (and so should be strictly adding new elements).
+	int AddTo(Val* v, int is_first_init) const;
+
+	// Same but allows suppression of state operations.
+	int AddTo(Val* v, int is_first_init, bool propagate_ops) const;
+
+	// Remove the entire contents.
+	void RemoveAll();
+
+	// Remove the entire contents of the table from the given value.
+	// which must also be a TableVal.
+	// Returns true if the addition typechecked, false if not.
+	int RemoveFrom(Val* v) const;
+
+	// Expands any lists in the index into multiple initializations.
+	// Returns true if the initializations typecheck, false if not.
+	int ExpandAndInit(Val* index, Val* new_val);
+
+	// Returns the element's value if it exists in the table,
+	// nil otherwise.  Note, "index" is not const because we
+	// need to Ref/Unref it when calling the default function.
+	Val* Lookup(Val* index, bool use_default_val = true);
+
+	// Sets the timestamp for the given index to network time.
+	// Returns false if index does not exist.
+	bool UpdateTimestamp(Val* index);
+
+	// Returns the index corresponding to the given HashKey.
+	ListVal* RecoverIndex(const HashKey* k) const;
+
+	// Returns the element if it was in the table, false otherwise.
+	Val* Delete(const Val* index);
+	Val* Delete(const HashKey* k);
+
+	// Returns a ListVal representation of the table (which must be a set).
+	ListVal* ConvertToList(TypeTag t=TYPE_ANY) const;
+	ListVal* ConvertToPureList() const;	// must be single index type
+
+	void SetAttrs(Attributes* attrs);
+	Attr* FindAttr(attr_tag t) const
+		{ return attrs ? attrs->FindAttr(t) : 0; }
+	Attributes* Attrs()	{ return attrs; }
+
+	// Returns the size of the table.
+	int Size() const	{ return AsTable()->Length(); }
+	int RecursiveSize() const;
+
+	void Describe(ODesc* d) const;
+
+	void InitTimer(double delay);
+	void DoExpire(double t);
+
+	unsigned int MemoryAllocation() const;
+
+	void ClearTimer(Timer* t)
+		{
+		if ( timer == t )
+			timer = 0;
+		}
+
+protected:
+	friend class Val;
+	friend class StateAccess;
+	TableVal()	{}
+
+	void Init(TableType* t);
+
+	void CheckExpireAttr(attr_tag at);
+	int ExpandCompoundAndInit(val_list* vl, int k, Val* new_val);
+	int CheckAndAssign(Val* index, Val* new_val, Opcode op = OP_ASSIGN);
+	HashKey* ComputeHash(const Val* index) const
+		{ return table_hash->ComputeHash(index, 1); }
+
+	bool AddProperties(Properties arg_state);
+	bool RemoveProperties(Properties arg_state);
+
+	// Calculates default value for index.  Returns 0 if none.
+	Val* Default(Val* index);
+
+	// Calls &expire_func and returns its return interval;
+	// takes ownership of the reference.
+	double CallExpireFunc(Val *idx);
+
+	// Propagates a read operation if necessary.
+	void ReadOperation(Val* index, TableEntryVal *v);
+
+	DECLARE_SERIAL(TableVal);
+
+	const TableType* table_type;
+	CompositeHash* table_hash;
+	Attributes* attrs;
+	double expire_time;
+	Expr* expire_expr;
+	TableValTimer* timer;
+	IterCookie* expire_cookie;
+	PrefixTable* subnets;
+	Val* def_val;
+};
+
+class RecordVal : public MutableVal {
+public:
+	RecordVal(RecordType* t);
+	~RecordVal();
+
+	Val* SizeVal() const
+		{ return new Val(record_type->NumFields(), TYPE_COUNT); }
+
+	void Assign(int field, Val* new_val, Opcode op = OP_ASSIGN);
+	Val* Lookup(int field) const;
+
+	void Describe(ODesc* d) const;
+
+	// This is an experiment to associate a BroObj within the
+	// event engine to a record value in bro script.
+	void SetOrigin(BroObj* o)	{ origin = o; }
+	BroObj* GetOrigin() const	{ return origin; }
+
+	unsigned int MemoryAllocation() const;
+
+protected:
+	friend class Val;
+	RecordVal()	{}
+
+	bool AddProperties(Properties arg_state);
+	bool RemoveProperties(Properties arg_state);
+
+	DECLARE_SERIAL(RecordVal);
+
+	RecordType* record_type;
+	BroObj* origin;
+};
+
+class EnumVal : public Val {
+public:
+	EnumVal(int i, EnumType* t) : Val(t)
+		{
+		val.int_val = i;
+		type = t;
+		attribs = 0;
+		}
+
+	Val* SizeVal() const	{ return new Val(val.int_val, TYPE_INT); }
+
+protected:
+	friend class Val;
+	EnumVal()	{}
+
+	void ValDescribe(ODesc* d) const;
+
+	DECLARE_SERIAL(EnumVal);
+};
+
+
+// The minimum index for vectors (0 or 1).
+const int VECTOR_MIN = 1;
+
+class VectorVal : public MutableVal {
+public:
+	VectorVal(VectorType* t);
+	~VectorVal();
+
+	Val* SizeVal() const
+		{ return new Val(uint32(val.vector_val->size()), TYPE_COUNT); }
+
+	// Returns false if the type of the argument was wrong.
+	// The vector will automatically grow to accomodate the index.
+	// 'assigner" is the expression that is doing the assignment;
+	// it's just used for pinpointing errors.
+	//
+	// Note: does NOT Ref() the element! Remember to do so unless
+	//       the element was just created and thus has refcount 1.
+	//
+	bool Assign(unsigned int index, Val* element, const Expr* assigner,
+			Opcode op = OP_ASSIGN);
+	bool Assign(Val* index, Val* element, const Expr* assigner,
+			Opcode op = OP_ASSIGN)
+		{
+		return Assign(index->AsListVal()->Index(0)->CoerceToUnsigned(),
+				element, assigner, op);
+		}
+
+	// Assigns the value to how_many locations starting at index.
+	bool AssignRepeat(unsigned int index, unsigned int how_many,
+			  Val* element, const Expr* assigner);
+
+	// Returns nil if no element was at that value.
+	// Lookup does NOT grow the vector to this size.
+	// The Val* variant assumes that the index Val* has been type-checked.
+	Val* Lookup(unsigned int index) const;
+	Val* Lookup(Val* index)
+		{
+		bro_uint_t i = index->AsListVal()->Index(0)->CoerceToUnsigned();
+		return Lookup(static_cast<unsigned int>(i));
+		}
+
+	unsigned int Size() const { return val.vector_val->size(); }
+
+	// Is there any way to reclaim previously-allocated memory when you
+	// shrink a vector?  The return value is the old size.
+	unsigned int Resize(unsigned int new_num_elements);
+
+	// Won't shrink size.
+	unsigned int ResizeAtLeast(unsigned int new_num_elements);
+
+protected:
+	friend class Val;
+	VectorVal()	{ }
+
+	bool AddProperties(Properties arg_state);
+	bool RemoveProperties(Properties arg_state);
+	void ValDescribe(ODesc* d) const;
+
+	DECLARE_SERIAL(VectorVal);
+
+	VectorType* vector_type;
+};
+
+
+// Checks the given value for consistency with the given type.  If an
+// exact match, returns it.  If promotable, returns the promoted version,
+// Unref()'ing the original.  If not a match, generates an error message
+// and returns nil, also Unref()'ing v.  If is_init is true, then
+// the checking is done in the context of an initialization.
+extern Val* check_and_promote(Val* v, const BroType* t, int is_init);
+
+// Given a pointer to where a Val's core (i.e., its BRO value) resides,
+// returns a corresponding newly-created or Ref()'d Val.  ptr must already
+// be properly aligned.  Returns the size of the core in bytes in 'n'.
+// If t corresponds to a variable-length type, n must give the size on entry.
+Val* recover_val(void* ptr, BroType* t, int& n);
+
+extern int same_val(const Val* v1, const Val* v2);
+extern int same_atomic_val(const Val* v1, const Val* v2);
+extern bool is_atomic_val(const Val* v);
+extern void describe_vals(const val_list* vals, ODesc* d, int offset=0);
+extern void delete_vals(val_list* vals);
+
+// True if the given Val* has a vector type.
+inline bool is_vector(Val* v)	{ return  v->Type()->Tag() == TYPE_VECTOR; }
+
+#endif
diff --git a/src/Var.cc b/src/Var.cc
new file mode 100644
index 0000000000..b107156b3a
--- /dev/null
+++ b/src/Var.cc
@@ -0,0 +1,443 @@
+// $Id: Var.cc 6219 2008-10-01 05:39:07Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "config.h"
+
+#include "Var.h"
+#include "Func.h"
+#include "Stmt.h"
+#include "Scope.h"
+#include "Serializer.h"
+#include "RemoteSerializer.h"
+#include "EventRegistry.h"
+
+static Val* init_val(Expr* init, const BroType* t, Val* aggr)
+	{
+	return init->InitVal(t, aggr);
+	}
+
+static void make_var(ID* id, BroType* t, init_class c, Expr* init,
+			attr_list* attr, decl_type dt, int do_init)
+	{
+	if ( id->Type() )
+		{
+		if ( id->IsRedefinable() || (! init && attr) )
+			{
+			BroObj* redef_obj = init ? (BroObj*) init : (BroObj*) t;
+			if ( dt != VAR_REDEF )
+				id->Warn("redefinition requires \"redef\"", redef_obj, 1);
+			}
+
+		else if ( dt != VAR_REDEF || init || ! attr )
+			{
+			id->Error("already defined", init);
+			return;
+			}
+		}
+
+	if ( dt == VAR_REDEF )
+		{
+		if ( ! id->Type() )
+			{
+			id->Error("\"redef\" used but not previously defined");
+			return;
+			}
+
+		if ( ! t )
+			t = id->Type();
+		}
+
+	if ( id->Type() && id->Type()->Tag() != TYPE_ERROR )
+		{
+		if ( dt != VAR_REDEF &&
+		     (! init || ! do_init || (! t && ! (t = init_type(init)))) )
+			{
+			id->Error("already defined", init);
+			return;
+			}
+
+		// Allow redeclaration in order to initialize.
+		if ( ! same_type(t, id->Type()) )
+			{
+			id->Error("redefinition changes type", init);
+			return;
+			}
+		}
+
+	if ( init && optimize )
+		init = init->Simplify(SIMPLIFY_GENERAL);
+
+	if ( t && t->IsSet() )
+		{ // Check for set with explicit elements.
+		SetType* st = t->AsTableType()->AsSetType();
+		ListExpr* elements = st->SetElements();
+
+		if ( elements )
+			{
+			if ( init )
+				{
+				id->Error("double initialization", init);
+				return;
+				}
+
+			Ref(elements);
+			init = elements;
+			}
+		}
+
+	if ( ! t )
+		{ // Take type from initialization.
+		if ( ! init )
+			{
+			id->Error("no type given");
+			return;
+			}
+
+		t = init_type(init);
+		if ( ! t )
+			{
+			id->SetType(error_type());
+			return;
+			}
+		}
+	else
+		Ref(t);
+
+	id->SetType(t);
+
+	if ( attr )
+		id->AddAttrs(new Attributes(attr, t));
+
+	if ( id->FindAttr(ATTR_PERSISTENT) || id->FindAttr(ATTR_SYNCHRONIZED) )
+		{
+		if ( dt == VAR_CONST )
+			{
+			id->Error("&persistant/synchronized with constant");
+			return;
+			}
+
+		if ( ! id->IsGlobal() )
+			{
+			id->Error("&persistant/synchronized with non-global");
+			return;
+			}
+		}
+
+	if ( do_init )
+		{
+		if ( (c == INIT_EXTRA && id->FindAttr(ATTR_ADD_FUNC)) ||
+		     (c == INIT_REMOVE && id->FindAttr(ATTR_DEL_FUNC)) )
+			// Just apply the function.
+			id->SetVal(init, c);
+
+		else if ( dt != VAR_REDEF || init || ! attr )
+			{
+			Val* aggr;
+			if ( t->Tag() == TYPE_RECORD )
+				aggr = new RecordVal(t->AsRecordType());
+
+			else if ( t->Tag() == TYPE_TABLE )
+				aggr = new TableVal(t->AsTableType(), id->Attrs());
+
+			else if ( t->Tag() == TYPE_VECTOR )
+				aggr = new VectorVal(t->AsVectorType());
+
+			else
+				aggr = 0;
+
+			Val* v = 0;
+			if ( init )
+				{
+				v = init_val(init, t, aggr);
+				if ( ! v )
+					return;
+				}
+
+			if ( aggr )
+				id->SetVal(aggr, c);
+			else if ( v )
+				id->SetVal(v, c);
+			}
+		}
+
+	if ( dt == VAR_CONST )
+		{
+		if ( ! init && ! id->IsRedefinable() )
+			id->Error("const variable must be initialized");
+
+		id->SetConst();
+		}
+
+	id->UpdateValAttrs();
+	}
+
+
+void add_global(ID* id, BroType* t, init_class c, Expr* init,
+		attr_list* attr, decl_type dt)
+	{
+	make_var(id, t, c, init, attr, dt, 1);
+	}
+
+Stmt* add_local(ID* id, BroType* t, init_class c, Expr* init,
+		attr_list* attr, decl_type dt)
+	{
+	make_var(id, t, c, init, attr, dt, 0);
+
+	if ( init )
+		{
+		if ( c != INIT_FULL )
+			id->Error("can't use += / -= for initializations of local variables");
+
+		Ref(id);
+
+		Stmt* stmt =
+			new ExprStmt(new AssignExpr(new NameExpr(id), init, 0));
+		stmt->SetLocationInfo(init->GetLocationInfo());
+
+		return stmt;
+		}
+
+	else
+		{
+		if ( t->Tag() == TYPE_RECORD || t->Tag() == TYPE_TABLE ||
+		     t->Tag() == TYPE_VECTOR )
+			current_scope()->AddInit(id);
+
+		return new NullStmt;
+		}
+	}
+
+extern Expr* add_and_assign_local(ID* id, Expr* init, Val* val)
+	{
+	make_var(id, 0, INIT_FULL, init, 0, VAR_REGULAR, 0);
+	Ref(id);
+	return new AssignExpr(new NameExpr(id), init, 0, val);
+	}
+
+void add_type(ID* id, BroType* t, attr_list* attr, int /* is_event */)
+	{
+	id->SetType(t);
+	id->MakeType();
+
+	if ( attr )
+		id->SetAttrs(new Attributes(attr, t));
+	}
+
+void begin_func(ID* id, const char* module_name, function_flavor flavor,
+		int is_redef, FuncType* t)
+	{
+	if ( flavor == FUNC_FLAVOR_EVENT )
+		{
+		const BroType* yt = t->YieldType();
+
+		if ( yt && yt->Tag() != TYPE_VOID )
+			id->Error("event cannot yield a value", t);
+
+		t->ClearYieldType();
+		}
+
+	if ( id->Type() )
+		{
+		if ( ! same_type(id->Type(), t) )
+			id->Type()->Error("incompatible types", t);
+		}
+
+	else if ( is_redef )
+		id->Error("redef of not-previously-declared value");
+
+	if ( id->HasVal() )
+		{
+		int id_is_event = id->ID_Val()->AsFunc()->IsEvent();
+
+		if ( id_is_event != (flavor == FUNC_FLAVOR_EVENT) )
+			id->Error("inconsistency between event and function", t);
+		if ( id_is_event )
+			{
+			if ( is_redef )
+				// Clear out value so it will be replaced.
+				id->SetVal(0);
+			}
+		else
+			{
+			if ( ! id->IsRedefinable() )
+				id->Error("already defined");
+			}
+		}
+	else
+		id->SetType(t);
+
+	push_scope(id);
+
+	RecordType* args = t->Args();
+	int num_args = args->NumFields();
+	for ( int i = 0; i < num_args; ++i )
+		{
+		TypeDecl* arg_i = args->FieldDecl(i);
+		ID* arg_id = lookup_ID(arg_i->id, module_name);
+
+		if ( arg_id && ! arg_id->IsGlobal() )
+			arg_id->Error("argument name used twice");
+
+		arg_id = install_ID(copy_string(arg_i->id), module_name,
+					false, false);
+		arg_id->SetType(arg_i->type->Ref());
+		}
+	}
+
+void end_func(Stmt* body, attr_list* attrs)
+	{
+	int frame_size = current_scope()->Length();
+	id_list* inits = current_scope()->GetInits();
+
+	Scope* scope = pop_scope();
+	ID* id = scope->ScopeID();
+
+	int priority = 0;
+	if ( attrs )
+		{
+		loop_over_list(*attrs, i)
+			{
+			Attr* a = (*attrs)[i];
+			if ( a->Tag() != ATTR_PRIORITY )
+				{
+				a->Error("illegal attribute for function body");
+				continue;
+				}
+
+			Val* v = a->AttrExpr()->Eval(0);
+			if ( ! v )
+				{
+				a->Error("cannot evaluate attribute expression");
+				continue;
+				}
+
+			if ( ! IsIntegral(v->Type()->Tag()) )
+				{
+				a->Error("expression is not of integral type");
+				continue;
+				}
+
+			priority = v->InternalInt();
+			}
+		}
+
+	if ( id->HasVal() )
+		id->ID_Val()->AsFunc()->AddBody(body, inits, frame_size, priority);
+	else
+		{
+		Func* f = new BroFunc(id, body, inits, frame_size);
+		id->SetVal(new Val(f));
+		id->SetConst();
+		}
+
+	id->ID_Val()->AsFunc()->SetScope(scope);
+	}
+
+Val* internal_val(const char* name)
+	{
+	ID* id = lookup_ID(name, GLOBAL_MODULE_NAME);
+	if ( ! id )
+		internal_error("internal variable %s missing", name);
+
+	return id->ID_Val();
+	}
+
+Val* opt_internal_val(const char* name)
+	{
+	ID* id = lookup_ID(name, GLOBAL_MODULE_NAME);
+	return id ? id->ID_Val() : 0;
+	}
+
+double opt_internal_double(const char* name)
+	{
+	Val* v = opt_internal_val(name);
+	return v ? v->InternalDouble() : 0.0;
+	}
+
+bro_int_t opt_internal_int(const char* name)
+	{
+	Val* v = opt_internal_val(name);
+	return v ? v->InternalInt() : 0;
+	}
+
+bro_uint_t opt_internal_unsigned(const char* name)
+	{
+	Val* v = opt_internal_val(name);
+	return v ? v->InternalUnsigned() : 0;
+	}
+
+StringVal* opt_internal_string(const char* name)
+	{
+	Val* v = opt_internal_val(name);
+	return v ? v->AsStringVal() : 0;
+	}
+
+TableVal* opt_internal_table(const char* name)
+	{
+	Val* v = opt_internal_val(name);
+	return v ? v->AsTableVal() : 0;
+	}
+
+ListVal* internal_list_val(const char* name)
+	{
+	ID* id = lookup_ID(name, GLOBAL_MODULE_NAME);
+	if ( ! id )
+		return 0;
+
+	Val* v = id->ID_Val();
+	if ( v )
+		{
+		if ( v->Type()->Tag() == TYPE_LIST )
+			return (ListVal*) v;
+
+		else if ( v->Type()->IsSet() )
+			{
+			TableVal* tv = v->AsTableVal();
+			ListVal* lv = tv->ConvertToPureList();
+			return lv;
+			}
+
+		else
+			internal_error("internal variable %s is not a list", name);
+		}
+
+	return 0;
+	}
+
+BroType* internal_type(const char* name)
+	{
+	ID* id = lookup_ID(name, GLOBAL_MODULE_NAME);
+	if ( ! id )
+		internal_error("internal type %s missing", name);
+
+	return id->Type();
+	}
+
+Func* internal_func(const char* name)
+	{
+	Val* v = internal_val(name);
+	if ( v )
+		return v->AsFunc();
+	else
+		return 0;
+	}
+
+EventHandlerPtr internal_handler(const char* name)
+	{
+	// If there already is an entry in the registry, we have a
+	// local handler on the script layer.
+	EventHandler* h = event_registry->Lookup(name);
+	if ( h )
+		{
+		h->SetUsed();
+		return h;
+		}
+
+	h = new EventHandler(name);
+	event_registry->Register(h);
+
+	h->SetUsed();
+
+	return h;
+	}
diff --git a/src/Var.h b/src/Var.h
new file mode 100644
index 0000000000..3be8ecc079
--- /dev/null
+++ b/src/Var.h
@@ -0,0 +1,44 @@
+// $Id: Var.h 6219 2008-10-01 05:39:07Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#ifndef var_h
+#define var_h
+
+#include "ID.h"
+#include "Expr.h"
+#include "Type.h"
+
+class Func;
+class EventHandlerPtr;
+
+typedef enum { VAR_REGULAR, VAR_CONST, VAR_REDEF, } decl_type;
+
+extern void add_global(ID* id, BroType* t, init_class c, Expr* init,
+			attr_list* attr, decl_type dt);
+extern Stmt* add_local(ID* id, BroType* t, init_class c, Expr* init,
+			attr_list* attr, decl_type dt);
+extern Expr* add_and_assign_local(ID* id, Expr* init, Val* val = 0);
+
+extern void add_type(ID* id, BroType* t, attr_list* attr, int is_event);
+
+extern void begin_func(ID* id, const char* module_name, function_flavor flavor,
+		       int is_redef, FuncType* t);
+extern void end_func(Stmt* body, attr_list* attrs = 0);
+
+extern Val* internal_val(const char* name);
+extern Val* opt_internal_val(const char* name);	// returns nil if not defined
+extern double opt_internal_double(const char* name);
+extern bro_int_t opt_internal_int(const char* name);
+extern bro_uint_t opt_internal_unsigned(const char* name);
+extern StringVal* opt_internal_string(const char* name);
+extern TableVal* opt_internal_table(const char* name);	// nil if not defined
+extern ListVal* internal_list_val(const char* name);
+extern BroType* internal_type(const char* name);
+extern Func* internal_func(const char* name);
+extern EventHandlerPtr internal_handler(const char* name);
+
+extern EventHandlerPtr bro_signal;
+extern int signal_val;	// 0 if no signal pending
+
+#endif
diff --git a/src/X509.cc b/src/X509.cc
new file mode 100644
index 0000000000..c8975cc581
--- /dev/null
+++ b/src/X509.cc
@@ -0,0 +1,265 @@
+// $Id: X509.cc 6724 2009-06-07 09:23:03Z vern $
+
+#include <openssl/err.h>
+
+#include "X509.h"
+#include "config.h"
+
+// ### NOTE: while d2i_X509 does not take a const u_char** pointer,
+// here we assume d2i_X509 does not write to <data>, so it is safe to
+// convert data to a non-const pointer.  Could some X509 guru verify
+// this?
+
+X509* d2i_X509_(X509** px, const u_char** in, int len)
+	{
+#ifdef OPENSSL_D2I_X509_USES_CONST_CHAR
+	  return d2i_X509(px, in, len);
+#else
+	  return d2i_X509(px, (u_char**)in, len);
+#endif
+	}
+
+X509_STORE* X509_Cert::ctx = 0;
+X509_LOOKUP* X509_Cert::lookup = 0;
+X509_STORE_CTX X509_Cert::csc;
+bool X509_Cert::bInited = false;
+
+// TODO: Check if Key < 768 Bits => Weakness!
+// FIXME: Merge verify and verifyChain.
+
+void X509_Cert::sslCertificateEvent(Contents_SSL* e, X509* pCert)
+	{
+	EventHandlerPtr event = ssl_certificate;
+	if ( ! event )
+		return;
+
+	char tmp[256];
+	RecordVal* pX509Cert = new RecordVal(x509_type);
+
+	X509_NAME_oneline(X509_get_issuer_name(pCert), tmp, sizeof tmp);
+	pX509Cert->Assign(0, new StringVal(tmp));
+	X509_NAME_oneline(X509_get_subject_name(pCert), tmp, sizeof tmp);
+	pX509Cert->Assign(1, new StringVal(tmp));
+	pX509Cert->Assign(2, new AddrVal(e->Conn()->OrigAddr()));
+
+	val_list* vl = new val_list;
+	vl->append(e->BuildConnVal());
+	vl->append(pX509Cert);
+	vl->append(new Val(e->IsOrig(), TYPE_BOOL));
+
+	e->Conn()->ConnectionEvent(event, e, vl);
+	}
+
+void X509_Cert::sslCertificateError(Contents_SSL* e, int error_numbe)
+	{
+	Val* err_str = new StringVal(X509_verify_cert_error_string(csc.error));
+	val_list* vl = new val_list;
+
+	vl->append(e->BuildConnVal());
+	vl->append(new Val(csc.error, TYPE_INT));
+	vl->append(err_str);
+
+	e->Conn()->ConnectionEvent(ssl_X509_error, e, vl);
+	}
+
+int X509_Cert::init()
+	{
+#if 0
+	OpenSSL_add_all_algorithms();
+#endif
+
+	ctx = X509_STORE_new();
+	int flag = 0;
+	int ret = 0;
+
+	if ( x509_trusted_cert_path &&
+	     x509_trusted_cert_path->AsString()->Len() > 0 )
+		{ // add the path(s) for the local CA's certificates
+		const BroString* pString = x509_trusted_cert_path->AsString();
+
+		lookup = X509_STORE_add_lookup(ctx, X509_LOOKUP_hash_dir());
+		if ( ! lookup )
+			{
+			fprintf(stderr, "X509_Cert::init(): initing lookup failed\n");
+			flag = 1;
+			}
+
+		int i = X509_LOOKUP_add_dir(lookup,
+				(const char*) pString->Bytes(),
+				X509_FILETYPE_PEM);
+		if ( ! i )
+			{
+			fprintf( stderr, "X509_Cert::init(): error adding lookup directory\n" );
+			ret = 0;
+			}
+		}
+	else
+		{
+		printf("X509: Using the default trusted cert path.\n");
+		X509_STORE_set_default_paths(ctx);
+		}
+
+	// Add crl functionality - will only add if defined and
+	// X509_STORE_add_lookup was successful.
+	if ( ! flag && x509_crl_file && x509_crl_file->AsString()->Len() > 0 )
+		{
+		const BroString* rString = x509_crl_file->AsString();
+
+		if ( X509_load_crl_file(lookup, (const char*) rString->Bytes(),
+					X509_FILETYPE_PEM) != 1 )
+			{
+			fprintf(stderr, "X509_Cert::init(): error reading CRL file\n");
+			ret = 1;
+			}
+
+#if 0
+		// Note, openssl version must be > 0.9.7(a).
+		X509_STORE_set_flags(ctx,
+			X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
+#endif
+		}
+
+	bInited = true;
+	return ret;
+	}
+
+int X509_Cert::verify(Contents_SSL* e, const u_char* data, uint32 len)
+	{
+	if ( ! bInited )
+		init();
+
+	X509* pCert = d2i_X509_(NULL, &data, len);
+	if ( ! pCert )
+		{
+		// 5 = X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY
+		sslCertificateError(e, 5);
+		return -1;
+		}
+
+	sslCertificateEvent(e, pCert);
+
+	X509_STORE_CTX_init(&csc, ctx, pCert, 0);
+	X509_STORE_CTX_set_time(&csc, 0, (time_t) network_time);
+	int i = X509_verify_cert(&csc);
+	X509_STORE_CTX_cleanup(&csc);
+	int ret = 0;
+
+	int ext = X509_get_ext_count(pCert);
+
+	if ( ext > 0 )
+		{
+		TableVal* x509ex = new TableVal(x509_extension);
+		val_list* vl = new val_list;
+		char buf[256];
+
+		for ( int k = 0; k < ext; ++k )
+			{
+			X509_EXTENSION* ex = X509_get_ext(pCert, k);
+			ASN1_OBJECT* obj = X509_EXTENSION_get_object(ex);
+			i2t_ASN1_OBJECT(buf, sizeof(buf), obj);
+
+			Val* index = new Val(k+1, TYPE_COUNT);
+			Val* value = new StringVal(strlen(buf), buf);
+			x509ex->Assign(index, value);
+			Unref(index);
+			// later we can do critical extensions like:
+			// X509_EXTENSION_get_critical(ex);
+			}
+
+		vl->append(e->BuildConnVal());
+		vl->append(x509ex);
+		e->Conn()->ConnectionEvent(process_X509_extensions, e, vl);
+		}
+
+	if ( ! i )
+		{
+		sslCertificateError(e, csc.error);
+		ret = csc.error;
+		}
+	else
+		ret = 0;
+
+	delete pCert;
+	return ret;
+	}
+
+int X509_Cert::verifyChain(Contents_SSL* e, const u_char* data, uint32 len)
+	{
+	if ( ! bInited )
+		init();
+
+	// Gets an ssl3x cert chain (could be one single cert, too,
+	// but in chain format).
+
+	// Init the stack.
+	STACK_OF(X509)* untrustedCerts = sk_new_null();
+	if ( ! untrustedCerts )
+		{
+		// Internal error allocating stack of untrusted certs.
+		// 11 = X509_V_ERR_OUT_OF_MEM
+		sslCertificateError(e, 11);
+		return -1;
+		}
+
+	// NOT AGAIN!!!
+	// Extract certificates and put them into an OpenSSL Stack.
+	uint tempLength = 0;
+	int certCount = 0;
+	X509* pCert = 0; // base cert, this one is to be verified
+
+	while ( tempLength < len )
+		{
+		++certCount;
+		uint32 certLength =
+			uint32((data[tempLength + 0] << 16) |
+			       data[tempLength + 1] << 8) |
+			data[tempLength + 2];
+
+		// Points to current cert.
+		const u_char* pCurrentCert = &data[tempLength+3];
+
+		X509* pTemp = d2i_X509_(0, &pCurrentCert, certLength);
+		if ( ! pTemp )
+			{ // error is somewhat of a misnomer
+			// 5 = X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY
+			sslCertificateError(e, 5);
+			//FIXME: free ptrs
+			return -1;
+			}
+
+		if ( certCount == 1 )
+			// The first certificate goes directly into the ctx.
+			pCert = pTemp;
+		else
+			// The remaining certificates (if any) are put into
+			// the list of untrusted certificates
+			sk_push(untrustedCerts, (char*) pTemp);
+
+		tempLength += certLength + 3;
+		}
+
+	sslCertificateEvent(e, pCert);
+
+	X509_STORE_CTX_init(&csc, ctx, pCert, untrustedCerts);
+	X509_STORE_CTX_set_time(&csc, 0, (time_t) network_time);
+	int i = X509_verify_cert(&csc);
+	X509_STORE_CTX_cleanup(&csc);
+	//X509_STORE_CTX_free(&csc);
+	int ret = 0;
+
+	if ( ! i )
+		{
+		sslCertificateError(e, csc.error);
+		ret = csc.error;
+		}
+	else
+		ret = 0;
+
+	delete pCert;
+	// Free the stack, incuding. contents.
+
+	// FIXME: could this break Bro's memory tracking?
+	sk_pop_free(untrustedCerts, free);
+
+	return ret;
+	}
diff --git a/src/X509.h b/src/X509.h
new file mode 100644
index 0000000000..284fd3512c
--- /dev/null
+++ b/src/X509.h
@@ -0,0 +1,33 @@
+// $Id: X509.h 3526 2006-09-12 07:32:21Z vern $
+
+#ifndef X509_H
+#define X509_H
+
+#include <sys/types.h>
+#include <openssl/x509.h>
+#include <openssl/x509_vfy.h>
+
+#include "SSLProxy.h"
+
+class X509_Cert {
+public:
+	static X509_STORE* ctx;
+	static X509_LOOKUP* lookup;
+	static X509_STORE_CTX csc;
+	static bool bInited;
+
+	// Initializes the OpenSSL library, which is used for verify().
+	static int init();
+
+	// Wrapper for X.509 error event.
+	static void sslCertificateError(Contents_SSL* e, int error_numbe);
+
+	// Retrieves a DER-encoded X.509 certificate.  Returns 0 on failure.
+	static int verify(Contents_SSL* e, const u_char* data, uint32 len);
+	static int verifyChain(Contents_SSL* e, const u_char* data, uint32 len);
+
+	// Wrapper for the ssl_certificate event.
+	static void sslCertificateEvent(Contents_SSL* e, X509* pCert);
+};
+
+#endif
diff --git a/src/XDR.cc b/src/XDR.cc
new file mode 100644
index 0000000000..4e6a05ff10
--- /dev/null
+++ b/src/XDR.cc
@@ -0,0 +1,88 @@
+// $Id: XDR.cc 6219 2008-10-01 05:39:07Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "config.h"
+
+#include "XDR.h"
+
+uint32 extract_XDR_uint32(const u_char*& buf, int& len)
+	{
+	if ( ! buf )
+		return 0;
+
+	if ( len < 4 )
+		{
+		buf = 0;
+		return 0;
+		}
+
+	uint32 bits32 = XDR_aligned(buf) ? *(uint32*) buf :
+		((buf[0] << 24) | (buf[1] << 16) | (buf[2] << 8) | buf[3]);
+
+	buf += 4;
+	len -= 4;
+
+	return ntohl(bits32);
+	}
+
+double extract_XDR_uint64_as_double(const u_char*& buf, int& len)
+	{
+	if ( ! buf || len < 8 )
+		{
+		buf = 0;
+		return 0.0;
+		}
+
+	uint32 uhi = extract_XDR_uint32(buf, len);
+	uint32 ulo = extract_XDR_uint32(buf, len);
+
+	return double(uhi) * 4294967296.0 + double(ulo);
+	}
+
+double extract_XDR_time(const u_char*& buf, int& len)
+	{
+	if ( ! buf || len < 8 )
+		{
+		buf = 0;
+		return 0.0;
+		}
+
+	uint32 uhi = extract_XDR_uint32(buf, len);
+	uint32 ulo = extract_XDR_uint32(buf, len);
+
+	return double(uhi) + double(ulo) / 1e9;
+	}
+
+const u_char* extract_XDR_opaque(const u_char*& buf, int& len, int& n, int max_len)
+	{
+	n = int(extract_XDR_uint32(buf, len));
+	if ( ! buf )
+		return 0;
+
+	if ( n < 0 || n > len || n > max_len )
+		{ // ### Should really flag this as a different sort of error.
+		buf = 0;
+		return 0;
+		}
+
+	int n4 = ((n + 3) >> 2) << 2;	// n rounded up to next multiple of 4
+
+	len -= n4;
+	const u_char* opaque = buf;
+	buf += n4;
+
+	return opaque;
+	}
+
+uint32 skip_XDR_opaque_auth(const u_char*& buf, int& len)
+	{
+	uint32 auth_flavor = extract_XDR_uint32(buf, len);
+	if ( ! buf )
+		return 0;
+
+	int n;
+	(void) extract_XDR_opaque(buf, len, n, 400);
+
+	return auth_flavor;
+	}
diff --git a/src/XDR.h b/src/XDR.h
new file mode 100644
index 0000000000..070e13ee6c
--- /dev/null
+++ b/src/XDR.h
@@ -0,0 +1,25 @@
+// $Id: XDR.h 6219 2008-10-01 05:39:07Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#ifndef xdr_h
+#define xdr_h
+
+#include <sys/types.h>
+#include <netinet/in.h>
+
+#include "util.h"
+
+inline int XDR_aligned(const u_char* buf)
+	{
+	return (((unsigned long) buf) & 0x3) == 0;
+	}
+
+extern uint32 extract_XDR_uint32(const u_char*& buf, int& len);
+extern double extract_XDR_uint64_as_double(const u_char*& buf, int& len);
+extern double extract_XDR_time(const u_char*& buf, int& len);
+extern const u_char* extract_XDR_opaque(const u_char*& buf, int& len,
+					int& n, int max_len=8192);
+extern uint32 skip_XDR_opaque_auth(const u_char*& buf, int& len);
+
+#endif
diff --git a/src/ZIP.cc b/src/ZIP.cc
new file mode 100644
index 0000000000..84643c2874
--- /dev/null
+++ b/src/ZIP.cc
@@ -0,0 +1,94 @@
+// $Id: ZIP.cc,v 1.1.4.2 2006/05/31 21:49:29 sommer Exp $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "ZIP.h"
+
+#ifdef HAVE_LIBZ
+
+ZIP_Analyzer::ZIP_Analyzer(Connection* conn, bool orig, Method arg_method)
+: TCP_SupportAnalyzer(AnalyzerTag::Zip, conn, orig)
+	{
+	zip = 0;
+	zip_status = Z_OK;
+	method = arg_method;
+
+	zip = new z_stream;
+	zip->zalloc = 0;
+	zip->zfree = 0;
+	zip->opaque = 0;
+	zip->next_out = 0;
+	zip->avail_out = 0;
+	zip->next_in = 0;
+	zip->avail_in = 0;
+
+	// "15" here means maximum compression.  "32" is a gross overload
+	// hack that means "check it for whether it's a gzip file".  Sheesh.
+	zip_status = inflateInit2(zip, 15 + 32);
+	if ( zip_status != Z_OK )
+		{
+		Weird("inflate_init_failed");
+		delete zip;
+		zip = 0;
+		}
+	}
+
+ZIP_Analyzer::~ZIP_Analyzer()
+	{
+	delete zip;
+	}
+
+void ZIP_Analyzer::Done()
+	{
+	Analyzer::Done();
+
+	if ( zip )
+		inflateEnd(zip);
+	}
+
+void ZIP_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
+	{
+	TCP_SupportAnalyzer::DeliverStream(len, data, orig);
+
+	if ( ! len || zip_status != Z_OK )
+		return;
+
+	static unsigned int unzip_size = 4096;
+	Bytef unzipbuf[unzip_size];
+
+	zip->next_in = (Bytef*) data;
+	zip->avail_in = len;
+
+	do
+		{
+		zip->next_out = unzipbuf;
+		zip->avail_out = unzip_size;
+
+		zip_status = inflate(zip, Z_SYNC_FLUSH);
+
+		if ( zip_status != Z_STREAM_END &&
+		     zip_status != Z_OK &&
+		     zip_status != Z_BUF_ERROR )
+			{
+			Weird("inflate_failed");
+			inflateEnd(zip);
+			break;
+			}
+
+		int have = unzip_size - zip->avail_out;
+		if ( have )
+			ForwardStream(have, unzipbuf, IsOrig());
+
+		if ( zip_status == Z_STREAM_END )
+			{
+			inflateEnd(zip);
+			delete zip;
+			zip = 0;
+			break;
+			}
+
+		zip_status = Z_OK;
+		}
+	while ( zip->avail_out == 0 );
+	}
+#endif
diff --git a/src/ZIP.h b/src/ZIP.h
new file mode 100644
index 0000000000..3debb6c3c8
--- /dev/null
+++ b/src/ZIP.h
@@ -0,0 +1,34 @@
+// $Id: ZIP.h,v 1.1.4.2 2006/05/31 21:49:29 sommer Exp $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#ifndef zip_h
+#define zip_h
+
+#include "config.h"
+
+#ifdef HAVE_LIBZ
+
+#include "zlib.h"
+#include "TCP.h"
+
+class ZIP_Analyzer : public TCP_SupportAnalyzer {
+public:
+	enum Method { GZIP, DEFLATE };
+
+	ZIP_Analyzer(Connection* conn, bool orig, Method method = GZIP);
+	~ZIP_Analyzer();
+
+	virtual void Done();
+
+	virtual void DeliverStream(int len, const u_char* data, bool orig);
+
+protected:
+	enum { NONE, ZIP_OK, ZIP_FAIL };
+	z_stream* zip;
+	int zip_status;
+	Method method;
+};
+
+#endif
+#endif
diff --git a/src/bif_arg.cc b/src/bif_arg.cc
new file mode 100644
index 0000000000..2befed495a
--- /dev/null
+++ b/src/bif_arg.cc
@@ -0,0 +1,95 @@
+// $Id: bif_arg.cc 3234 2006-06-08 02:38:11Z vern $
+
+#include "config.h"
+
+#include <set>
+#include <string>
+using namespace std;
+
+#include <string.h>
+
+#include "bif_arg.h"
+
+static struct {
+	const char* bif_type;
+	const char* bro_type;
+	const char* c_type;
+	const char* accessor;
+	const char* constructor;
+} builtin_func_arg_type[] = {
+#define DEFINE_BIF_TYPE(id, bif_type, bro_type, c_type, accessor, constructor) \
+	{bif_type, bro_type, c_type, accessor, constructor},
+#include "bif_type.def"
+#undef DEFINE_BIF_TYPE
+};
+
+extern const char* arg_list_name;
+extern set<string> enum_types;
+
+BuiltinFuncArg::BuiltinFuncArg(const char* arg_name, int arg_type)
+	{
+	name = arg_name;
+	type = arg_type;
+	type_str = "";
+	}
+
+BuiltinFuncArg::BuiltinFuncArg(const char* arg_name, const char* arg_type_str)
+	{
+	name = arg_name;
+	type = TYPE_OTHER;
+	type_str = arg_type_str;
+
+	for ( int i = 0; builtin_func_arg_type[i].bif_type[0] != '\0'; ++i )
+		if ( ! strcmp(builtin_func_arg_type[i].bif_type, arg_type_str) )
+			{
+			type = i;
+			type_str = "";
+			}
+
+	if ( enum_types.find(type_str) != enum_types.end() )
+		type = TYPE_ENUM;
+	}
+
+void BuiltinFuncArg::PrintBro(FILE* fp)
+	{
+	fprintf(fp, "%s: %s%s", name, builtin_func_arg_type[type].bro_type, type_str);
+	}
+
+void BuiltinFuncArg::PrintCDef(FILE* fp, int n)
+	{
+	fprintf(fp,
+		"\t%s %s = (%s) (",
+		builtin_func_arg_type[type].c_type,
+		name,
+		builtin_func_arg_type[type].c_type);
+
+	char buf[1024];
+	snprintf(buf, sizeof(buf), "(*%s)[%d]", arg_list_name, n);
+	// Print the accessor expression.
+	fprintf(fp, builtin_func_arg_type[type].accessor, buf);
+
+	fprintf(fp, ");\n");
+	}
+
+void BuiltinFuncArg::PrintCArg(FILE* fp, int n)
+	{
+	const char* ctype = builtin_func_arg_type[type].c_type;
+	char buf[1024];
+	if ( type == TYPE_ENUM )
+		{
+		snprintf(buf, sizeof(buf),
+			builtin_func_arg_type[type].c_type, type_str);
+		ctype = buf;
+		}
+
+	fprintf(fp, "%s %s", ctype, name);
+	}
+
+void BuiltinFuncArg::PrintBroValConstructor(FILE* fp)
+	{
+	if ( type == TYPE_ENUM )
+		fprintf(fp, builtin_func_arg_type[type].constructor,
+			name, type_str);
+	else
+		fprintf(fp, builtin_func_arg_type[type].constructor, name);
+	}
diff --git a/src/bif_arg.h b/src/bif_arg.h
new file mode 100644
index 0000000000..0462f6e173
--- /dev/null
+++ b/src/bif_arg.h
@@ -0,0 +1,46 @@
+// $Id: bif_arg.h 3234 2006-06-08 02:38:11Z vern $
+
+#ifndef bif_arg_h
+#define bif_arg_h
+
+#include <stdio.h>
+
+enum builtin_func_arg_type {
+#define DEFINE_BIF_TYPE(id, bif_type, bro_type, c_type, accessor, constructor) \
+	id,
+#include "bif_type.def"
+#undef DEFINE_BIF_TYPE
+/*
+	TYPE_ANY,
+	TYPE_BOOL,
+	TYPE_COUNT,
+	TYPE_INT,
+	TYPE_STRING,
+	TYPE_PATTERN,
+	TYPE_PORT,
+	TYPE_OTHER,
+*/
+};
+
+extern const char* builtin_func_arg_type_bro_name[];
+
+class BuiltinFuncArg {
+public:
+	BuiltinFuncArg(const char* arg_name, int arg_type);
+	BuiltinFuncArg(const char* arg_name, const char* arg_type_str);
+
+	const char* Name() const	{ return name; }
+	int Type() const		{ return type; }
+
+	void PrintBro(FILE* fp);
+	void PrintCDef(FILE* fp, int n);
+	void PrintCArg(FILE* fp, int n);
+	void PrintBroValConstructor(FILE* fp);
+
+protected:
+	const char* name;
+	int type;
+	const char* type_str;
+};
+
+#endif
diff --git a/src/bif_type.def b/src/bif_type.def
new file mode 100644
index 0000000000..94e12997e8
--- /dev/null
+++ b/src/bif_type.def
@@ -0,0 +1,26 @@
+// $Id: bif_type.def 5083 2007-11-28 17:42:58Z vern $
+
+// DEFINE_BIF_TYPE(id, bif_type, bro_type, c_type, accessor, constructor)
+
+DEFINE_BIF_TYPE(TYPE_ADDR, 	"addr", "addr", "addr_type", 		"%s->AsAddr()", 	"new AddrVal(%s)")
+DEFINE_BIF_TYPE(TYPE_ANY, 	"any", "any", "Val*", 			"%s", 			"%s")
+DEFINE_BIF_TYPE(TYPE_BOOL, 	"bool", "bool", "int", 			"%s->AsBool()", 	"new Val(%s, TYPE_BOOL)")
+DEFINE_BIF_TYPE(TYPE_CONN_ID, 	"conn_id", "conn_id", "Val*", 		"%s", 			"%s")
+DEFINE_BIF_TYPE(TYPE_CONNECTION, "connection", "connection", "Connection*", "%s->AsRecordVal()->GetOrigin()", "%s->BuildConnVal()")
+DEFINE_BIF_TYPE(TYPE_COUNT, 	"count", "count", "bro_uint_t", 	"%s->AsCount()", 	"new Val(%s, TYPE_COUNT)")
+DEFINE_BIF_TYPE(TYPE_DOUBLE, 	"double", "double", "double", 		"%s->AsDouble()", 	"new Val(%s, TYPE_DOUBLE)")
+DEFINE_BIF_TYPE(TYPE_FILE, 	"file", "file", "BroFile*", 		"%s->AsFile()", 	"new Val(%s)")
+DEFINE_BIF_TYPE(TYPE_INT, 	"int", "int", "bro_int_t", 		"%s->AsInt()", 		"new Val(%s, TYPE_BOOL)")
+DEFINE_BIF_TYPE(TYPE_INTERVAL, 	"interval", "interval", "double", 	"%s->AsInterval()", 	"new IntervalVal(%s, Seconds)")
+DEFINE_BIF_TYPE(TYPE_NET, 	"net", "net", "addr_type", 		"%s->AsAddr()",		"new NetVal(%s)")
+DEFINE_BIF_TYPE(TYPE_PACKET, 	"packet", "packet", "TCP_TracePacket*", "%s->AsRecordVal()->GetOrigin()", "%s->PacketVal()")
+DEFINE_BIF_TYPE(TYPE_PATTERN, 	"pattern", "pattern", "RE_Matcher*", 	"%s->AsPattern()",	"new PatternVal(%s)")
+// DEFINE_BIF_TYPE(TYPE_PORT, 	"port", "port", "uint32", 		"%s->AsPortVal()->Port()", "incomplete data")
+DEFINE_BIF_TYPE(TYPE_PORT, 	"port", "port", "PortVal*", 		"%s->AsPortVal()",	"%s")
+DEFINE_BIF_TYPE(TYPE_PORTVAL, 	"portval", "port", "PortVal*", 		"%s->AsPortVal()",	"%s")
+DEFINE_BIF_TYPE(TYPE_STRING, 	"string", "string", "StringVal*", 	"%s->AsStringVal()",	"%s")
+// DEFINE_BIF_TYPE(TYPE_STRING, 	"string", "string", "BroString*", 	"%s->AsString()",	"new StringVal(%s)")
+DEFINE_BIF_TYPE(TYPE_SUBNET, 	"subnet", "subnet", "SubNetVal*", 	"%s->AsSubNetVal()",	"%s")
+DEFINE_BIF_TYPE(TYPE_TIME, 	"time", "time", "double", 		"%s->AsTime()", 	"new Val(%s, TYPE_TIME)")
+DEFINE_BIF_TYPE(TYPE_ENUM, 	"", "", "BroEnum::%s", 			"%s->InternalInt()",	"new EnumVal(%s, enum_%s)")
+DEFINE_BIF_TYPE(TYPE_OTHER, 	"", "", "Val*", 			"%s", 			"%s")
diff --git a/src/binpac-lib.pac b/src/binpac-lib.pac
new file mode 100644
index 0000000000..4e95a1a3db
--- /dev/null
+++ b/src/binpac-lib.pac
@@ -0,0 +1,32 @@
+# $Id:$
+
+%extern{
+#include <string.h>
+
+#include "binpac_bytestring.h"
+%}
+
+function bytestring_casecmp(s1: const_bytestring, s2: const_charptr): int
+	%{
+	int r = strncasecmp((const char*) s1.begin(), s2, s1.length());
+	if ( r == 0 )
+		return s2[s1.length()] == '\0' ? 0 : -1;
+	else
+		return r;
+	%}
+
+# True if s2 is a (case-insensitive) prefix of s1.
+function bytestring_caseprefix(s1: const_bytestring, s2: const_charptr): bool
+	%{
+	return strncasecmp((const char*) s1.begin(), s2, strlen(s2)) == 0;
+	%}
+
+function bytestring_to_int(s: const_bytestring, base: int): int
+	%{
+	return strtol((const char*) std_str(s).c_str(), 0, base);
+	%}
+
+function bytestring_to_double(s: const_bytestring): double
+	%{
+	return atof((const char*) std_str(s).c_str());
+	%}
diff --git a/src/binpac.pac b/src/binpac.pac
new file mode 100644
index 0000000000..8704fb5a61
--- /dev/null
+++ b/src/binpac.pac
@@ -0,0 +1,11 @@
+# $Id:$
+
+# Prototypes for functions implemented in binpac-lib.pac.
+
+function bytestring_to_int(s: const_bytestring, base: int): int;
+function bytestring_to_double(s: const_bytestring): double;
+
+function bytestring_casecmp(s1: const_bytestring, s2: const_charptr): int;
+
+# True if s2 is a (case-insensitive) prefix of s1.
+function bytestring_caseprefix(s1: const_bytestring, s2: const_charptr): bool;
diff --git a/src/binpac_bro-lib.pac b/src/binpac_bro-lib.pac
new file mode 100644
index 0000000000..20648e2d4f
--- /dev/null
+++ b/src/binpac_bro-lib.pac
@@ -0,0 +1,11 @@
+# $Id:$
+
+%extern{
+#include "util.h"
+%}
+
+function network_time(): double
+	%{
+	return ::network_time;
+	%}
+
diff --git a/src/binpac_bro.h b/src/binpac_bro.h
new file mode 100644
index 0000000000..ffeb4ff28d
--- /dev/null
+++ b/src/binpac_bro.h
@@ -0,0 +1,38 @@
+// $Id:$
+
+#ifndef binpac_bro_h
+#define binpac_bro_h
+
+class Analyzer;
+class Val;
+class PortVal;
+
+#include "util.h"
+#include "Analyzer.h"
+#include "Val.h"
+#include "event.bif.func_h"
+
+#include "binpac.h"
+
+namespace binpac {
+
+typedef Analyzer* BroAnalyzer;
+typedef Val* BroVal;
+typedef PortVal* BroPortVal;
+typedef StringVal* BroStringVal;
+
+inline StringVal* string_to_val(string const &str)
+	{
+	return new StringVal(str.c_str());
+	}
+
+inline StringVal* bytestring_to_val(const_bytestring const &str)
+	{
+	return new StringVal(str.length(), (const char*) str.begin());
+	}
+
+} // namespace binpac
+
+extern int FLAGS_use_binpac;
+
+#endif
diff --git a/src/bittorrent-analyzer.pac b/src/bittorrent-analyzer.pac
new file mode 100644
index 0000000000..f159588f0b
--- /dev/null
+++ b/src/bittorrent-analyzer.pac
@@ -0,0 +1,247 @@
+# $Id:$
+#
+# This code contributed by Nadi Sarrar.
+
+connection BitTorrent_Conn(bro_analyzer: BroAnalyzer) {
+	upflow = BitTorrent_Flow(true);
+	downflow = BitTorrent_Flow(false);
+};
+
+flow BitTorrent_Flow(is_orig: bool) {
+	flowunit = BitTorrent_PDU withcontext (connection, this);
+
+	%member{
+		bool handshake_ok;
+		uint64 _next_message_offset;
+	%}
+
+	%init{
+		handshake_ok = false;
+		_next_message_offset = 0;
+	%}
+
+	function next_message_offset(): uint64
+		%{
+		return &_next_message_offset;
+		%}
+
+	function increment_next_message_offset(go: bool, len: uint32): bool
+		%{
+		if ( go )
+			_next_message_offset += len;
+		return true;
+		%}
+
+	function is_handshake_delivered(): bool
+		%{
+		return handshake_ok;
+		%}
+
+	function validate_handshake(pstrlen: uint8, pstr: const_bytestring): bool
+		%{
+		if ( pstrlen != 19 ||
+		     memcmp("BitTorrent protocol", pstr.begin(), 19) )
+			{
+			connection()->bro_analyzer()->Weird(fmt("BitTorrent: invalid handshake (pstrlen: %hhu, pstr: %.*s)", pstrlen, 19, pstr.begin()));
+			throw Exception("invalid handshake");
+			}
+
+		return true;
+		%}
+
+	function validate_message_length(len: uint32): bool
+		%{
+		if ( len > MSGLEN_LIMIT )
+			throw Exception(fmt("message length prefix exceeds limit: %u > %u",
+					len, MSGLEN_LIMIT));
+		return true;
+		%}
+
+	function deliver_handshake(reserved: const_bytestring,
+					info_hash: const_bytestring,
+					peer_id: const_bytestring): bool
+		%{
+		handshake_ok = true;
+		if ( ::bittorrent_peer_handshake )
+			{
+			bro_event_bittorrent_peer_handshake(
+				connection()->bro_analyzer(),
+				connection()->bro_analyzer()->Conn(),
+				is_orig(),
+				bytestring_to_val(reserved),
+				bytestring_to_val(info_hash),
+				bytestring_to_val(peer_id));
+			}
+
+		connection()->bro_analyzer()->ProtocolConfirmation();
+
+		return true;
+		%}
+
+	function deliver_keep_alive(): bool
+		%{
+		if ( ::bittorrent_peer_keep_alive )
+			{
+			bro_event_bittorrent_peer_keep_alive(
+				connection()->bro_analyzer(),
+				connection()->bro_analyzer()->Conn(),
+				is_orig());
+			}
+
+		return true;
+		%}
+
+	function deliver_choke(): bool
+		%{
+		if ( ::bittorrent_peer_choke )
+			{
+			bro_event_bittorrent_peer_choke(
+				connection()->bro_analyzer(),
+				connection()->bro_analyzer()->Conn(),
+				is_orig());
+			}
+
+		return true;
+		%}
+
+	function deliver_unchoke(): bool
+		%{
+		if ( ::bittorrent_peer_unchoke )
+			{
+			bro_event_bittorrent_peer_unchoke(
+				connection()->bro_analyzer(),
+				connection()->bro_analyzer()->Conn(),
+				is_orig());
+			}
+
+		return true;
+		%}
+
+	function deliver_interested(): bool
+		%{
+		if ( ::bittorrent_peer_interested )
+			{
+			bro_event_bittorrent_peer_interested(
+				connection()->bro_analyzer(),
+				connection()->bro_analyzer()->Conn(),
+				is_orig());
+			}
+
+		return true;
+		%}
+
+	function deliver_not_interested(): bool
+		%{
+		if ( ::bittorrent_peer_not_interested )
+			{
+			bro_event_bittorrent_peer_not_interested(
+				connection()->bro_analyzer(),
+				connection()->bro_analyzer()->Conn(),
+				is_orig());
+			}
+
+		return true;
+		%}
+
+	function deliver_have(piece_index: uint32): bool
+		%{
+		if ( ::bittorrent_peer_have )
+			{
+			bro_event_bittorrent_peer_have(
+				connection()->bro_analyzer(),
+				connection()->bro_analyzer()->Conn(),
+				is_orig(),
+				piece_index);
+			}
+
+		return true;
+		%}
+
+	function deliver_bitfield(bitfield: const_bytestring): bool
+		%{
+		if ( ::bittorrent_peer_bitfield )
+			{
+			bro_event_bittorrent_peer_bitfield(
+				connection()->bro_analyzer(),
+				connection()->bro_analyzer()->Conn(),
+				is_orig(),
+				bytestring_to_val(bitfield));
+			}
+
+		return true;
+		%}
+
+	function deliver_request(index: uint32, begin: uint32,
+					length: uint32): bool
+		%{
+		if ( ::bittorrent_peer_request )
+			{
+			bro_event_bittorrent_peer_request(
+				connection()->bro_analyzer(),
+				connection()->bro_analyzer()->Conn(),
+				is_orig(),
+				index, begin, length);
+			}
+
+		return true;
+		%}
+
+	function deliver_piece(index: uint32, begin: uint32,
+				piece_length: uint32): bool
+		%{
+		if ( ::bittorrent_peer_piece )
+			{
+			bro_event_bittorrent_peer_piece(
+				connection()->bro_analyzer(),
+				connection()->bro_analyzer()->Conn(),
+				is_orig(),
+				index, begin, piece_length);
+			}
+
+		return true;
+		%}
+
+	function deliver_cancel(index: uint32, begin: uint32,
+				length: uint32): bool
+		%{
+		if ( ::bittorrent_peer_cancel )
+			{
+			bro_event_bittorrent_peer_cancel(
+				connection()->bro_analyzer(),
+				connection()->bro_analyzer()->Conn(),
+				is_orig(),
+				index, begin, length);
+			}
+
+		return true;
+		%}
+
+	function deliver_port(listen_port: uint16): bool
+		%{
+		if ( ::bittorrent_peer_port )
+			{
+			bro_event_bittorrent_peer_port(
+				connection()->bro_analyzer(),
+				connection()->bro_analyzer()->Conn(),
+				is_orig(),
+				new PortVal(listen_port, TRANSPORT_TCP));
+			}
+
+		return true;
+		%}
+
+	function deliver_unknown(id: uint8, data: const_bytestring): bool
+		%{
+		if ( ::bittorrent_peer_unknown )
+			{
+			bro_event_bittorrent_peer_unknown(
+				connection()->bro_analyzer(),
+				connection()->bro_analyzer()->Conn(),
+				is_orig(),
+				id,
+				bytestring_to_val(data));
+			}
+
+		return true;
+		%}
+};
diff --git a/src/bittorrent-protocol.pac b/src/bittorrent-protocol.pac
new file mode 100644
index 0000000000..8bd1652cfa
--- /dev/null
+++ b/src/bittorrent-protocol.pac
@@ -0,0 +1,147 @@
+# $Id:$
+#
+# This code contributed by Nadi Sarrar.
+
+enum BitTorrent_peer_msg_type {
+	TYPE_CHOKE           = 0,
+	TYPE_UNCHOKE         = 1,
+	TYPE_INTERESTED      = 2,
+	TYPE_NOT_INTERESTED  = 3,
+	TYPE_HAVE            = 4,
+	TYPE_BITFIELD        = 5,
+	TYPE_REQUEST         = 6,
+	TYPE_PIECE           = 7,
+	TYPE_CANCEL          = 8,
+	TYPE_PORT            = 9,
+};
+
+type BitTorrent_Handshake = record {
+	pstrlen:   uint8;
+	pstr:      bytestring &length = 19;
+	reserved:  bytestring &length = 8;
+	info_hash: bytestring &length = 20;
+	peer_id:   bytestring &length = 20;
+
+} &length = 68, &let {
+	validate: bool = $context.flow.validate_handshake(pstrlen, pstr);
+	incoffsetffset: bool =
+		$context.flow.increment_next_message_offset(true, 68);
+	deliver: bool =
+		$context.flow.deliver_handshake(reserved, info_hash, peer_id);
+};
+
+type BitTorrent_KeepAlive = empty &let {
+	deliver: bool = $context.flow.deliver_keep_alive();
+};
+
+type BitTorrent_Choke = empty &let {
+	deliver: bool = $context.flow.deliver_choke();
+};
+
+type BitTorrent_Unchoke = empty &let {
+	deliver: bool = $context.flow.deliver_unchoke();
+};
+
+type BitTorrent_Interested = empty &let {
+	deliver: bool = $context.flow.deliver_interested();
+};
+
+type BitTorrent_NotInterested = empty &let {
+	deliver: bool = $context.flow.deliver_not_interested();
+};
+
+type BitTorrent_Have = record {
+	piece_index: uint32;
+} &let {
+	deliver: bool = $context.flow.deliver_have(piece_index);
+};
+
+type BitTorrent_Bitfield(len: uint32) = record {
+	bitfield: bytestring &length = len;
+} &let {
+	deliver: bool = $context.flow.deliver_bitfield(bitfield);
+};
+
+type BitTorrent_Request = record {
+	index:  uint32;
+	begin:  uint32;
+	length: uint32;
+} &let {
+	deliver: bool = $context.flow.deliver_request(index, begin, length);
+};
+
+type BitTorrent_PieceHeader(len: uint32) = record {
+	index: uint32;
+	begin: uint32;
+} &let {
+	incoffset: bool =
+		$context.flow.increment_next_message_offset(true, len + 5);
+};
+
+type BitTorrent_Piece(len: uint32) = record {
+	header: BitTorrent_PieceHeader(len);
+	:       bytestring &length = len - 8;
+} &let {
+	deliver: bool = $context.flow.deliver_piece(header.index,
+							header.begin, len - 8);
+};
+
+type BitTorrent_Cancel = record {
+	index:  uint32;
+	begin:  uint32;
+	length: uint32;
+} &let {
+	deliver: bool = $context.flow.deliver_cancel(index, begin, length);
+};
+
+type BitTorrent_Port = record {
+	listen_port: uint16;
+} &let {
+	deliver: bool = $context.flow.deliver_port(listen_port);
+};
+
+type BitTorrent_Unknown(id: uint8, len: uint32) = record {
+	data: bytestring &length = len;
+} &let {
+	deliver: bool = $context.flow.deliver_unknown(id, data);
+};
+
+type BitTorrent_MessageID(len: uint32) = record {
+	id:   uint8;
+	data: case id of {
+		TYPE_CHOKE          -> choke: BitTorrent_Choke;
+		TYPE_UNCHOKE        -> unchoke: BitTorrent_Unchoke;
+		TYPE_INTERESTED     -> interested: BitTorrent_Interested;
+		TYPE_NOT_INTERESTED -> not_interested: BitTorrent_NotInterested;
+		TYPE_HAVE           -> have: BitTorrent_Have;
+		TYPE_BITFIELD       -> bitfield: BitTorrent_Bitfield(len - 1);
+		TYPE_REQUEST        -> request: BitTorrent_Request;
+		TYPE_PIECE          -> piece: BitTorrent_Piece(len - 1);
+		TYPE_CANCEL         -> cancel: BitTorrent_Cancel;
+		TYPE_PORT           -> port: BitTorrent_Port;
+		default             -> unknown: BitTorrent_Unknown(id, len - 1);
+	};
+};
+
+type BitTorrent_MessageLength = record {
+	len: uint32;
+} &let {
+	validate: bool = $context.flow.validate_message_length(len);
+};
+
+type BitTorrent_Message = record {
+	len:  BitTorrent_MessageLength;
+	data: case len.len of {
+		0       -> keep_alive: BitTorrent_KeepAlive;
+		default -> message_id: BitTorrent_MessageID(len.len);
+	};
+} &length = 4 + len.len, &let {
+	incoffset: bool = $context.flow.increment_next_message_offset(
+				len.len == 0 || message_id.id != TYPE_PIECE,
+				4 + len.len);
+};
+
+type BitTorrent_PDU = case $context.flow.is_handshake_delivered() of {
+	false -> handshake: BitTorrent_Handshake;
+	true  -> message: BitTorrent_Message;
+} &byteorder = bigendian;
diff --git a/src/bittorrent.pac b/src/bittorrent.pac
new file mode 100644
index 0000000000..f6255902dd
--- /dev/null
+++ b/src/bittorrent.pac
@@ -0,0 +1,17 @@
+# This code contributed to Bro by Nadi Sarrar.
+
+%include binpac.pac
+%include bro.pac
+
+%extern{
+#define MSGLEN_LIMIT 0x40000
+%}
+
+analyzer BitTorrent withcontext {
+	connection:	BitTorrent_Conn;
+	flow:		BitTorrent_Flow;
+};
+
+%include bittorrent-protocol.pac
+%include bittorrent-analyzer.pac
+
diff --git a/src/bro.bif b/src/bro.bif
new file mode 100644
index 0000000000..a4111bb041
--- /dev/null
+++ b/src/bro.bif
@@ -0,0 +1,3218 @@
+# $Id: bro.bif 7075 2010-09-13 02:39:38Z vern $
+#
+# Definitions of Bro built-in functions.
+
+%%{ // C segment
+#include <math.h>
+
+#include <vector>
+#include <algorithm>
+#include <cmath>
+#include <sys/stat.h>
+
+
+using namespace std;
+
+RecordType* ftp_port;
+RecordType* bro_resources;
+RecordType* matcher_stats;
+TableType* var_sizes;
+
+// This one is extern, since it's used beyond just built-ins,
+// and hence it's declared in NetVar.{h,cc}.
+extern RecordType* gap_info;
+
+static PktDumper* addl_pkt_dumper = 0;
+
+bro_int_t parse_int(const char*& fmt)
+	{
+	bro_int_t k = 0;
+	while ( isdigit(*fmt) )
+		{
+		k = k * 10 + (*fmt - '0');
+		++fmt;
+		}
+
+	return k;
+	}
+
+static TypeTag ok_d_fmt[] = {
+	TYPE_BOOL, TYPE_ENUM, TYPE_INT, TYPE_COUNT, TYPE_COUNTER, TYPE_PORT,
+	TYPE_SUBNET,
+	TYPE_ERROR
+};
+static TypeTag ok_f_fmt[] = {
+	TYPE_DOUBLE, TYPE_TIME, TYPE_INTERVAL,
+	TYPE_ERROR
+};
+
+static int check_fmt_type(TypeTag t, TypeTag ok[])
+	{
+	for ( int i = 0; ok[i] != TYPE_ERROR; ++i )
+		if ( ok[i] == t )
+			return 1;
+
+	return 0;
+	}
+
+static void do_fmt(const char*& fmt, Val* v, ODesc* d)
+	{
+	TypeTag t = v->Type()->Tag();
+	InternalTypeTag it = v->Type()->InternalType();
+
+	bool zero_pad = false;
+	bool left_just = false;
+	int field_width = -1;
+
+	// Left-align, if requested.
+	if ( *fmt == '-' )
+		{
+		left_just = true;
+		++fmt;
+		}
+
+	// Parse field width, if given.
+	if ( isdigit(*fmt) )
+		{
+		// If field width starts with zero, do zero-padding.
+		if ( *fmt == '0' )
+			{
+			zero_pad = true;
+			++fmt;
+			}
+
+		field_width = parse_int(fmt);
+		}
+
+	int precision = -1;
+	if ( *fmt == '.' )
+		{
+		++fmt;
+		precision = parse_int(fmt);
+		}
+
+	if ( field_width > 128 || precision > 128 )
+		{
+		builtin_run_time("excessive field width or precision");
+		return;
+		}
+
+	// Create the numerical format string.
+	char num_fmt[64];
+	num_fmt[0] = '\0';
+
+	if ( field_width >= 0 )
+		{
+		// Like sprintf(), ignore '0' if '-' is given.
+		const char* align = left_just ? "-" : (zero_pad ? "0" : "");
+		snprintf(num_fmt, sizeof(num_fmt), "%s%d", align, field_width);
+		}
+
+	if ( precision >= 0 )
+		snprintf(num_fmt + strlen(num_fmt),
+			sizeof(num_fmt) - strlen(num_fmt), ".%d", precision);
+
+	char fmt_buf[512];
+	char out_buf[512];
+
+	ODesc s;
+
+	if ( *fmt == 'A' )
+		{
+		s.SetStyle(ALTERNATIVE_STYLE);
+		++fmt;
+		}
+
+	if ( precision >= 0 && *fmt != 'e' && *fmt != 'f' && *fmt != 'g' )
+		builtin_run_time("precision specified for non-floating point");
+
+	switch ( *fmt ) {
+	case 'D':
+	case 'T':	// ISO Timestamp with microsecond precision.
+		{
+		if ( t != TYPE_TIME )
+			{
+			builtin_run_time("bad type for Date/Time format", v);
+			break;
+			}
+
+		time_t time = time_t(v->InternalDouble());
+		int is_time_fmt = *fmt == 'T';
+
+		if ( ! strftime(out_buf, sizeof(out_buf),
+				is_time_fmt ?
+					"%Y-%m-%d-%H:%M" : "%Y-%m-%d-%H:%M:%S",
+				localtime(&time)) )
+			s.AddSP("<bad time>");
+
+		else
+			{
+			s.Add(out_buf);
+
+			if ( is_time_fmt )
+				{
+				double secs = v->CoerceToUnsigned() % 60;
+
+				secs += v->InternalDouble();
+				secs -= v->CoerceToUnsigned();
+
+				snprintf(out_buf, sizeof(out_buf),
+					":%012.9f", secs);
+				s.Add(out_buf);
+				}
+			}
+		}
+		break;
+
+	case 'd':
+	case 'x':
+		{
+		if ( *fmt == 'x' && it == TYPE_INTERNAL_ADDR )
+			{
+			// Deficiency: we don't support num_fmt in this case.
+			// This makes only a very slight difference, so not
+			// clear it would e worth the hassle.
+
+			addr_type u = v->AsAddr();
+#ifdef BROv6
+			// We explicitly convert the address to host order
+			// in a copy, because if we just call ntohl() for
+			// our invocation on snprintf() below, on some systems
+			// it turns a 32-bit value (Linux), whereas on
+			// others it returns a long (FreeBSD); the latter
+			// gets us in trouble if we have longs > 32 bits,
+			// because then the format specifier needs to be %lx
+			// rather than %x ....... what a pain!
+			//
+			// Also note that we don't change u in-place because
+			// that would alter the byte order of the underlying
+			// value.  (Speaking of which, I'm not clear on why
+			// we're allowed to assign a const addr_type to an
+			// addr_type above, both g++ allows it.)
+			uint32 host_order_u[4];
+			host_order_u[0] = ntohl(u[0]);
+			host_order_u[1] = ntohl(u[1]);
+			host_order_u[2] = ntohl(u[2]);
+			host_order_u[3] = ntohl(u[3]);
+
+			snprintf(out_buf, sizeof(out_buf), "%08x%08x%08x%08x",
+					host_order_u[0], host_order_u[1],
+					host_order_u[2], host_order_u[3]);
+#else
+			u = ntohl(u);
+			snprintf(out_buf, sizeof(out_buf), "%08x", u);
+#endif
+			}
+
+		else if ( ! check_fmt_type(t, ok_d_fmt) )
+			{
+			builtin_run_time("bad type for %d/%x format", v);
+			break;
+			}
+
+		else if ( it == TYPE_INTERNAL_UNSIGNED )
+			{
+			bro_uint_t u = v->CoerceToUnsigned();
+
+			if ( v->Type()->IsNetworkOrder() )
+				{
+				if ( v->Type()->Tag() == TYPE_PORT )
+					u = v->AsPortVal()->Port();
+				else
+					u = ntohl(uint32(u));
+				}
+
+#ifdef USE_INT64
+			snprintf(fmt_buf, sizeof(fmt_buf), "%%%s%s", num_fmt,
+					*fmt == 'd' ? "llu" : "llx");
+#else
+			snprintf(fmt_buf, sizeof(fmt_buf), "%%%s%c", num_fmt,
+					*fmt == 'd' ? 'u' : 'x');
+#endif
+			snprintf(out_buf, sizeof(out_buf), fmt_buf, u);
+			}
+
+		else
+			{
+#ifdef USE_INT64
+			snprintf(fmt_buf, sizeof(fmt_buf), "%%%s%s", num_fmt,
+					*fmt == 'd' ? "lld" : "llx");
+#else
+			snprintf(fmt_buf, sizeof(fmt_buf), "%%%s%c", num_fmt,
+					*fmt == 'd' ? 'd' : 'x');
+#endif
+			snprintf(out_buf, sizeof(out_buf), fmt_buf,
+					v->CoerceToInt());
+			}
+
+		s.Add(out_buf);
+		}
+		break;
+
+	case 's':
+		v->Describe(&s);
+		break;
+
+	case 'e':
+	case 'f':
+	case 'g':
+		{
+		if ( ! check_fmt_type(t, ok_f_fmt) )
+			{
+			builtin_run_time("bad type for floating-point format", v);
+			break;
+			}
+
+		snprintf(fmt_buf, sizeof(fmt_buf), "%%%s%c", num_fmt, *fmt);
+		snprintf(out_buf, sizeof(out_buf), fmt_buf, v->CoerceToDouble());
+		s.Add(out_buf);
+		}
+		break;
+
+	default:
+		builtin_run_time("bad format");
+	}
+
+	// Left-padding with whitespace, if any.
+	if ( field_width > 0 && ! left_just )
+		{
+		int sl = strlen(s.Description());
+		while ( ++sl <= field_width )
+			d->Add(" ");
+		}
+
+	d->Add(s.Description());
+
+	// Right-padding with whitespace, if any.
+	if ( field_width > 0 && left_just )
+		{
+		int sl = strlen(s.Description());
+		while ( ++sl <= field_width )
+			d->Add(" ");
+		}
+
+	++fmt;
+	}
+
+static int next_fmt(const char*& fmt, val_list* args, ODesc* d, int& n)
+	{
+	const char* fp = fmt;
+
+	// Skip up to next format indicator.
+	while ( *fp && *fp != '%' )
+		++fp;
+
+	d->AddN(fmt, fp - fmt);
+
+	if ( *fp == '\0' )
+		// No more to do.
+		return 0;
+
+	fmt = fp + 1;
+	if ( *fmt == '%' )
+		{
+		// "%%" -> '%'
+		d->Add("%");
+		++fmt;
+		return next_fmt(fmt, args, d, n);
+		}
+
+	if ( ++n >= args->length() )
+		return 0;
+
+	do_fmt(fmt, (*args)[n], d);
+
+	return *fmt != '\0';
+	}
+%%}
+
+function length%(v: any%): count
+	%{
+	TableVal* tv = v->Type()->Tag() == TYPE_TABLE ? v->AsTableVal() : 0;
+
+	if ( tv )
+		return new Val(tv->Size(), TYPE_COUNT);
+
+	else if ( v->Type()->Tag() == TYPE_VECTOR )
+		return new Val(v->AsVectorVal()->Size(), TYPE_COUNT);
+
+	else
+		{
+		builtin_run_time("length() requires a table/set/vector argument");
+		return new Val(0, TYPE_COUNT);
+		}
+	%}
+
+function same_object%(o1: any, o2: any%): bool
+	%{
+	return new Val(o1 == o2, TYPE_BOOL);
+	%}
+
+function clear_table%(v: any%): any
+	%{
+	if ( v->Type()->Tag() == TYPE_TABLE )
+		v->AsTableVal()->RemoveAll();
+	else
+		builtin_run_time("clear_table() requires a table/set argument");
+
+	return 0;
+	%}
+
+function cat%(...%): string
+	%{
+	ODesc d;
+	loop_over_list(@ARG@, i)
+		@ARG@[i]->Describe(&d);
+
+	BroString* s = new BroString(1, d.TakeBytes(), d.Len());
+	s->SetUseFreeToDelete(true);
+
+	return new StringVal(s);
+	%}
+
+function cat_sep%(sep: string, def: string, ...%): string
+	%{
+	ODesc d;
+	int pre_size = 0;
+
+	loop_over_list(@ARG@, i)
+		{
+		// Skip named parameters.
+		if ( i < 2 )
+			continue;
+
+		if ( i > 2 )
+			d.Add(sep->CheckString(), 0);
+
+		Val* v = @ARG@[i];
+		if ( v->Type()->Tag() == TYPE_STRING && ! v->AsString()->Len() )
+			v = def;
+
+		v->Describe(&d);
+		}
+
+	BroString* s = new BroString(1, d.TakeBytes(), d.Len());
+	s->SetUseFreeToDelete(true);
+
+	return new StringVal(s);
+	%}
+
+function fmt%(...%): string
+	%{
+	if ( @ARGC@ == 0 )
+		return new StringVal("");
+
+	Val* fmt_v = @ARG@[0];
+	if ( fmt_v->Type()->Tag() != TYPE_STRING )
+		return bro_cat(frame, @ARGS@);
+
+	const char* fmt = fmt_v->AsString()->CheckString();
+	ODesc d;
+	int n = 0;
+
+	while ( next_fmt(fmt, @ARGS@, &d, n) )
+		;
+
+	if ( n < @ARGC@ - 1 )
+		builtin_run_time("too many arguments for format", fmt_v);
+
+	else if ( n >= @ARGC@ )
+		builtin_run_time("too few arguments for format", fmt_v);
+
+	BroString* s = new BroString(1, d.TakeBytes(), d.Len());
+	s->SetUseFreeToDelete(true);
+
+	return new StringVal(s);
+	%}
+
+function type_name%(t: any%): string
+	%{
+	ODesc d;
+	t->Type()->Describe(&d);
+
+	BroString* s = new BroString(1, d.TakeBytes(), d.Len());
+	s->SetUseFreeToDelete(true);
+
+	return new StringVal(s);
+	%}
+
+function to_int%(str: string%): int
+	%{
+	const char* s = str->CheckString();
+	char* end_s;
+
+	long l = strtol(s, &end_s, 10);
+	int i = int(l);
+
+#if 0
+	// Not clear we should complain.  For example, is " 205 "
+	// a legal conversion?
+	if ( s[0] == '\0' || end_s[0] != '\0' )
+		builtin_run_time("bad conversion to integer", @ARG@[0]);
+#endif
+
+	return new Val(i, TYPE_INT);
+	%}
+
+function int_to_count%(n: int%): count
+	%{
+	if ( n < 0 )
+		{
+		builtin_run_time("bad conversion to count", @ARG@[0]);
+		n = 0;
+		}
+	return new Val(n, TYPE_COUNT);
+	%}
+
+function double_to_count%(d: double%): count
+	%{
+	if ( d < 0.0 )
+		builtin_run_time("bad conversion to count", @ARG@[0]);
+
+	return new Val(bro_uint_t(rint(d)), TYPE_COUNT);
+	%}
+
+function to_count%(str: string%): count
+	%{
+	const char* s = str->CheckString();
+	char* end_s;
+
+	long l = strtol(s, &end_s, 10);
+	uint32 u = uint32(l);
+
+#if 0
+	if ( s[0] == '\0' || end_s[0] != '\0' )
+		builtin_run_time("bad conversion to count", @ARGS@[0]);
+#endif
+
+	return new Val(u, TYPE_COUNT);
+	%}
+
+function interval_to_double%(i: interval%): double
+	%{
+	return new Val(i, TYPE_DOUBLE);
+	%}
+
+function time_to_double%(t: time%): double
+	%{
+	return new Val(t, TYPE_DOUBLE);
+	%}
+
+function double_to_time%(d: double%): time
+	%{
+	return new Val(d, TYPE_TIME);
+	%}
+
+function double_to_interval%(d: double%): interval
+	%{
+	return new Val(d, TYPE_INTERVAL);
+	%}
+
+function addr_to_count%(a: addr%): count
+	%{
+#ifdef BROv6
+	if ( ! is_v4_addr(a) )
+		{
+		builtin_run_time("conversion of non-IPv4 address to count", @ARG@[0]);
+		return new Val(0, TYPE_COUNT);
+		}
+
+	uint32 addr = to_v4_addr(a);
+#else
+	uint32 addr = a;
+#endif
+	return new Val(ntohl(addr), TYPE_COUNT);
+	%}
+
+function port_to_count%(p: port%): count
+	%{
+	return new Val(p->Port(), TYPE_COUNT);
+	%}
+
+function count_to_port%(c: count, t: transport_proto%): port
+	%{
+	return new PortVal(c, (TransportProto)(t->InternalInt()));
+	%}
+
+function floor%(d: double%): double
+	%{
+	return new Val(floor(d), TYPE_DOUBLE);
+	%}
+
+function to_addr%(ip: string%): addr
+	%{
+	char* s = ip->AsString()->Render();
+	Val* ret = new AddrVal(s);
+	delete [] s;
+	return ret;
+	%}
+
+# Interprets the first 4 bytes of 'b' as an IPv4 address in network order.
+function raw_bytes_to_v4_addr%(b: string%): addr
+	%{
+	uint32 a = 0;
+
+	if ( b->Len() < 4 )
+		builtin_run_time("too short a string as input to raw_bytes_to_v4_addr()");
+
+	else
+		{
+		const u_char* bp = b->Bytes();
+		a = (bp[0] << 24) | (bp[1] << 16) | (bp[2] << 8) | bp[3];
+		}
+
+	return new AddrVal(htonl(a));
+	%}
+
+function to_net%(a: addr%): net
+	%{
+#ifdef BROv6
+	if ( ! is_v4_addr(a) )
+		{
+		builtin_run_time("conversion of non-IPv4 address to net", @ARG@[0]);
+		return new NetVal(uint32(0));
+		}
+
+	uint32 addr = to_v4_addr(a);
+#else
+	uint32 addr = a;
+#endif
+
+	addr = htonl(addr_to_net(ntohl(addr)));
+
+	return new NetVal(addr);
+	%}
+
+function net_to_subnet%(a: net%): subnet
+	%{
+#ifdef BROv6
+	if ( ! is_v4_addr(a) )
+		{
+		builtin_run_time("conversion of non-IPv4 address to subnet", @ARG@[0]);
+		return new SubNetVal(uint32(0), 0);
+		}
+
+	uint32 addr = to_v4_addr(a);
+#else
+	uint32 addr = a;
+#endif
+
+	switch ( addr_to_class(ntohl(addr)) ) {
+	case 'A':
+		return new SubNetVal(addr, 8);
+	case 'B':
+		return new SubNetVal(addr, 16);
+	case 'C':
+	case 'D':
+		return new SubNetVal(addr, 24);
+
+	default:
+		return new SubNetVal(addr, 0);
+	}
+	%}
+
+function to_port%(num: count, proto: transport_proto%): port
+	%{
+	return new PortVal(num, (TransportProto)proto->AsEnum());
+	%}
+
+function mask_addr%(a: addr, top_bits_to_keep: count%): addr
+	%{
+	return new AddrVal(mask_addr(a, top_bits_to_keep));
+	%}
+
+# Take some top bits (e.g. subnet address) from a1 and the other
+# bits (intra-subnet part) from a2 and merge them to get a new address.
+# This is useful for anonymizing at subnet level while preserving
+# serial scans.
+function remask_addr%(a1: addr, a2: addr, top_bits_from_a1: count%): addr
+	%{
+#ifdef BROv6
+	if ( ! is_v4_addr(a1) || ! is_v4_addr(a2) )
+		{
+		builtin_run_time("cannot use remask_addr on IPv6 addresses");
+		return new AddrVal(a1);
+		}
+
+	uint32 x1 = to_v4_addr(a1);
+	uint32 x2 = to_v4_addr(a2);
+#else
+	uint32 x1 = a1;
+	uint32 x2 = a2;
+#endif
+	return new AddrVal(
+		mask_addr(x1, top_bits_from_a1) |
+		(x2 ^ mask_addr(x2, top_bits_from_a1)) );
+	%}
+
+function is_tcp_port%(p: port%): bool
+	%{
+	return new Val(p->IsTCP(), TYPE_BOOL);
+	%}
+
+function is_udp_port%(p: port%): bool
+	%{
+	return new Val(p->IsUDP(), TYPE_BOOL);
+	%}
+
+function is_icmp_port%(p: port%): bool
+	%{
+	return new Val(p->IsICMP(), TYPE_BOOL);
+	%}
+
+function reading_live_traffic%(%): bool
+	%{
+	return new Val(reading_live, TYPE_BOOL);
+	%}
+
+function reading_traces%(%): bool
+	%{
+	return new Val(reading_traces, TYPE_BOOL);
+	%}
+
+function open%(f: string%): file
+	%{
+	const char* file = f->CheckString();
+
+	if ( streq(file, "-") )
+		return new Val(new BroFile(stdout, "-", "w"));
+	else
+		return new Val(new BroFile(file, "w"));
+	%}
+
+function open_for_append%(f: string%): file
+	%{
+	return new Val(new BroFile(f->CheckString(), "a"));
+	%}
+
+function close%(f: file%): bool
+	%{
+	return new Val(f->Close(), TYPE_BOOL);
+	%}
+
+function write_file%(f: file, data: string%): bool
+	%{
+	if ( ! f )
+		return new Val(0, TYPE_BOOL);
+
+	return new Val(f->Write((const char*) data->Bytes(), data->Len()),
+			TYPE_BOOL);
+	%}
+
+function set_buf%(f: file, buffered: bool%): any
+	%{
+	f->SetBuf(buffered);
+	return new Val(0, TYPE_VOID);
+	%}
+
+function flush_all%(%): bool
+	%{
+	return new Val(fflush(0) == 0, TYPE_BOOL);
+	%}
+
+function mkdir%(f: string%): bool
+	%{
+	const char* filename = f->CheckString();
+	if ( mkdir(filename, 0777) < 0 && errno != EEXIST )
+		{
+		builtin_run_time("cannot create directory", @ARG@[0]);
+		return new Val(0, TYPE_BOOL);
+		}
+	else
+		return new Val(1, TYPE_BOOL);
+	%}
+
+function active_file%(f: file%): bool
+	%{
+	return new Val(f->IsOpen(), TYPE_BOOL);
+	%}
+
+function active_connection%(id: conn_id%): bool
+	%{
+	Connection* c = sessions->FindConnection(id);
+	return new Val(c ? 1 : 0, TYPE_BOOL);
+	%}
+
+# Note, you *must* first make sure that the connection is active
+# (e.g., by calling active_connection()) before invoking this.
+function connection_record%(cid: conn_id%): connection
+	%{
+	Connection* c = sessions->FindConnection(cid);
+	if ( c )
+		return c->BuildConnVal();
+	else
+		{
+		// Hard to recover from this until we have union types ...
+		builtin_run_time("connection ID not a known connection (fatal)", cid);
+		exit(0);
+		return 0;
+		}
+	%}
+
+%%{
+EnumVal* map_conn_type(TransportProto tp)
+	{
+	switch ( tp ) {
+	case TRANSPORT_UNKNOWN:
+		return new EnumVal(0, transport_proto);
+		break;
+
+	case TRANSPORT_TCP:
+		return new EnumVal(1, transport_proto);
+		break;
+
+	case TRANSPORT_UDP:
+		return new EnumVal(2, transport_proto);
+		break;
+
+	case TRANSPORT_ICMP:
+		return new EnumVal(3, transport_proto);
+		break;
+
+	default:
+		internal_error("bad connection type in map_conn_type()");
+	}
+	}
+%%}
+
+function get_conn_transport_proto%(cid: conn_id%): transport_proto
+	%{
+	Connection* c = sessions->FindConnection(cid);
+	if ( ! c )
+		{
+		builtin_run_time("unknown connection id in get_conn_transport_proto()", cid);
+		return new EnumVal(0, transport_proto);
+		}
+
+	return map_conn_type(c->ConnTransport());
+	%}
+
+function get_port_transport_proto%(p: port%): transport_proto
+	%{
+	return map_conn_type(p->PortType());
+	%}
+
+function current_time%(%): time
+	%{
+	return new Val(current_time(), TYPE_TIME);
+	%}
+
+function network_time%(%): time
+	%{
+	return new Val(network_time, TYPE_TIME);
+	%}
+
+function getenv%(var: string%): string
+	%{
+	const char* env_val = getenv(var->CheckString());
+	if ( ! env_val )
+		env_val = "";	// ###
+	return new StringVal(env_val);
+	%}
+
+function sqrt%(x: double%): double
+	%{
+	if ( x < 0 )
+		{
+		run_time("negative sqrt argument");
+		return new Val(-1.0, TYPE_DOUBLE);
+		}
+
+	return new Val(sqrt(x), TYPE_DOUBLE);
+	%}
+
+function exp%(d: double%): double
+	%{
+	return new Val(exp(d), TYPE_DOUBLE);
+	%}
+
+# Natural log.
+function ln%(d: double%): double
+	%{
+	return new Val(log(d), TYPE_DOUBLE);
+	%}
+
+# Common log.
+function log10%(d: double%): double
+	%{
+	return new Val(log10(d), TYPE_DOUBLE);
+	%}
+
+function exit%(%): int
+	%{
+	exit(0);
+	return 0;
+	%}
+
+function terminate%(%): bool
+	%{
+	if ( terminating )
+		return new Val(0, TYPE_BOOL);
+
+	terminate_processing();
+	return new Val(1, TYPE_BOOL);
+	%}
+
+%%{
+// Turns the table into environment variables (if 'set' is true) or removes
+// all environment variables previously generated from this table (if 'set'
+// is false).
+static bool prepare_environment(TableVal* tbl, bool set)
+	{
+	ListVal* idxs = tbl->ConvertToPureList();
+
+	for ( int i = 0; i < idxs->Length(); ++i )
+		{
+		Val* key = idxs->Index(i);
+		Val* val = tbl->Lookup(key, false);
+
+		if ( key->Type()->Tag() != TYPE_STRING ||
+		     val->Type()->Tag() != TYPE_STRING )
+			{
+			builtin_run_time("system_env() needs a table[string] of string");
+			return false;
+			}
+
+		char* tmp = copy_string(key->AsString()->CheckString());
+		to_upper(tmp);
+		const char* var = fmt("BRO_ARG_%s", tmp);
+		delete [] tmp;
+
+		if ( set )
+			setenv(var, val->AsString()->CheckString(), 1);
+		else
+			unsetenv(var);
+		}
+
+	return true;
+	}
+
+static int do_system(const char* s)
+	{
+	const char* system_fmt = "(%s) 1>&2 &";	// output to stderr
+	char* cmd = new char[strlen(system_fmt) + strlen(s) + 1];
+
+	sprintf(cmd, system_fmt, s);
+	int status = system(cmd);
+	delete [] cmd;
+
+	return status;
+	}
+%%}
+
+function system%(str: string%): int
+	%{
+	int result = do_system(str->CheckString());
+	return new Val(result, TYPE_INT);
+	%}
+
+function system_env%(str: string, env: any%): int
+	%{
+	if ( env->Type()->Tag() != TYPE_TABLE )
+		{
+		builtin_run_time("system_env() requires a table/set argument");
+		return new Val(-1, TYPE_INT);
+		}
+
+	if ( ! prepare_environment(env->AsTableVal(), true) )
+		return new Val(-1, TYPE_INT);
+
+	int result = do_system(str->CheckString());
+
+	prepare_environment(env->AsTableVal(), false);
+
+	return new Val(result, TYPE_INT);
+	%}
+
+
+%%{
+static Val* parse_eftp(const char* line)
+	{
+	RecordVal* r = new RecordVal(ftp_port);
+
+	int net_proto = 0;	// currently not used
+	uint32 addr = 0;
+	int port = 0;
+	int good = 0;
+
+	if ( line )
+		{
+		while ( isspace(*line) )	// skip whitespace
+			++line;
+
+		char delimiter = *line;
+		good = 1;
+		char* next_delim;
+
+		++line;	// cut off delimiter
+		net_proto = strtol(line, &next_delim, 10);	// currently ignored
+		if ( *next_delim != delimiter )
+			good = 0;
+
+		line = next_delim + 1;
+		if ( *line != delimiter )	// default of 0 is ok
+			{
+			addr = dotted_to_addr(line);
+			if ( addr == 0 )
+				good = 0;
+			}
+
+		// FIXME: check for garbage between IP and delimiter.
+		line = strchr(line, delimiter);
+
+		++line;	// now the port
+		port = strtol(line, &next_delim, 10);
+		if ( *next_delim != delimiter )
+			good = 0;
+		}
+
+	r->Assign(0, new AddrVal(addr));
+	r->Assign(1, new PortVal(port, TRANSPORT_TCP));
+	r->Assign(2, new Val(good, TYPE_BOOL));
+
+	return r;
+	}
+%%}
+
+%%{
+static Val* parse_port(const char* line)
+	{
+	RecordVal* r = new RecordVal(ftp_port);
+
+	int bytes[6];
+	if ( line && sscanf(line, "%d,%d,%d,%d,%d,%d",
+			&bytes[0], &bytes[1], &bytes[2],
+			&bytes[3], &bytes[4], &bytes[5]) == 6 )
+		{
+		int good = 1;
+
+		for ( int i = 0; i < 6; ++i )
+			if ( bytes[i] < 0 || bytes[i] > 255 )
+				{
+				good = 0;
+				break;
+				}
+
+		uint32 addr = (bytes[0] << 24) | (bytes[1] << 16) |
+				(bytes[2] << 8) | bytes[3];
+		uint32 port = (bytes[4] << 8) | bytes[5];
+
+		// Since port is unsigned, no need to check for < 0.
+		if ( port > 65535 )
+			{
+			port = 0;
+			good = 0;
+			}
+
+		r->Assign(0, new AddrVal(htonl(addr)));
+		r->Assign(1, new PortVal(port, TRANSPORT_TCP));
+		r->Assign(2, new Val(good, TYPE_BOOL));
+		}
+	else
+		{
+		r->Assign(0, new AddrVal(uint32(0)));
+		r->Assign(1, new PortVal(0, TRANSPORT_TCP));
+		r->Assign(2, new Val(0, TYPE_BOOL));
+		}
+
+	return r;
+	}
+%%}
+
+# Returns true if the given connection exists, false otherwise.
+function connection_exists%(c: conn_id%): bool
+	%{
+	if ( sessions->FindConnection(c) )
+		return new Val(1, TYPE_BOOL);
+	else
+		return new Val(0, TYPE_BOOL);
+	%}
+
+# For a given connection ID, returns the corresponding "connection" record.
+# Generates a run-time error and returns a dummy value if the connection
+# doesn't exist.
+function lookup_connection%(cid: conn_id%): connection
+	%{
+	Connection* conn = sessions->FindConnection(cid);
+	if ( conn )
+		return conn->BuildConnVal();
+
+	builtin_run_time("connection ID not a known connection", cid);
+
+	// Return a dummy connection record.
+	RecordVal* c = new RecordVal(connection_type);
+
+	RecordVal* id_val = new RecordVal(conn_id);
+	id_val->Assign(0, new AddrVal((unsigned int) 0));
+	id_val->Assign(1, new PortVal(ntohs(0), TRANSPORT_UDP));
+	id_val->Assign(2, new AddrVal((unsigned int) 0));
+	id_val->Assign(3, new PortVal(ntohs(0), TRANSPORT_UDP));
+	c->Assign(0, id_val);
+
+	RecordVal* orig_endp = new RecordVal(endpoint);
+	orig_endp->Assign(0, new Val(0, TYPE_COUNT));
+	orig_endp->Assign(1, new Val(int(0), TYPE_COUNT));
+
+	RecordVal* resp_endp = new RecordVal(endpoint);
+	resp_endp->Assign(0, new Val(0, TYPE_COUNT));
+	resp_endp->Assign(1, new Val(int(0), TYPE_COUNT));
+
+	c->Assign(1, orig_endp);
+	c->Assign(2, resp_endp);
+
+	c->Assign(3, new Val(network_time, TYPE_TIME));
+	c->Assign(4, new Val(0.0, TYPE_INTERVAL));
+	c->Assign(5, new TableVal(string_set));	// service
+	c->Assign(6, new StringVal(""));	// addl
+	c->Assign(7, new Val(0, TYPE_COUNT));	// hot
+	c->Assign(8, new StringVal(""));	// history
+
+	return c;
+	%}
+
+function skip_further_processing%(cid: conn_id%): bool
+	%{
+	Connection* c = sessions->FindConnection(cid);
+	if ( ! c )
+		return new Val(0, TYPE_BOOL);
+
+	c->SetSkip(1);
+	return new Val(1, TYPE_BOOL);
+	%}
+
+function set_record_packets%(cid: conn_id, do_record: bool%): bool
+	%{
+	Connection* c = sessions->FindConnection(cid);
+	if ( ! c )
+		return new Val(0, TYPE_BOOL);
+
+	c->SetRecordPackets(do_record);
+	return new Val(1, TYPE_BOOL);
+	%}
+
+function set_contents_file%(cid: conn_id, direction: count, f: file%): bool
+	%{
+	Connection* c = sessions->FindConnection(cid);
+	if ( ! c )
+		return new Val(0, TYPE_BOOL);
+
+	c->GetRootAnalyzer()->SetContentsFile(direction, f);
+	return new Val(1, TYPE_BOOL);
+	%}
+
+function get_contents_file%(cid: conn_id, direction: count%): file
+	%{
+	Connection* c = sessions->FindConnection(cid);
+	BroFile* f = c ? c->GetRootAnalyzer()->GetContentsFile(direction) : 0;
+
+	if ( f )
+		{
+		Ref(f);
+		return new Val(f);
+		}
+
+	// Return some sort of error value.
+	if ( ! c )
+		builtin_run_time("unknown connection id in get_contents_file()", cid);
+	else
+		builtin_run_time("no contents file for given direction");
+
+	return new Val(new BroFile(stderr, "-", "w"));
+	%}
+
+function get_file_name%(f: file%): string
+	%{
+	if ( ! f )
+		return new StringVal("");
+
+	return new StringVal(f->Name());
+	%}
+
+# Set an individual inactivity timeout for this connection
+# (overrides the global inactivity_timeout).  Returns previous
+# timeout interval.
+function set_inactivity_timeout%(cid: conn_id, t: interval%): interval
+	%{
+	Connection* c = sessions->FindConnection(cid);
+	if ( ! c )
+		return new Val(0, TYPE_INTERVAL);
+
+	double old_timeout = c->InactivityTimeout();
+	c->SetInactivityTimeout(t);
+
+	return new Val(old_timeout, TYPE_INTERVAL);
+	%}
+
+function get_login_state%(cid: conn_id%): count
+	%{
+	Connection* c = sessions->FindConnection(cid);
+	if ( ! c )
+		return new Val(0, TYPE_BOOL);
+
+	Analyzer* la = c->FindAnalyzer(AnalyzerTag::Login);
+	if ( ! la )
+		return new Val(0, TYPE_BOOL);
+
+	return new Val(int(static_cast<Login_Analyzer*>(la)->LoginState()),
+			TYPE_COUNT);
+	%}
+
+function set_login_state%(cid: conn_id, new_state: count%): bool
+	%{
+	Connection* c = sessions->FindConnection(cid);
+	if ( ! c )
+		return new Val(0, TYPE_BOOL);
+
+	Analyzer* la = c->FindAnalyzer(AnalyzerTag::Login);
+	if ( ! la )
+		return new Val(0, TYPE_BOOL);
+
+	static_cast<Login_Analyzer*>(la)->SetLoginState(login_state(new_state));
+	return new Val(1, TYPE_BOOL);
+	%}
+
+%%{
+#include "TCP.h"
+%%}
+
+function get_orig_seq%(cid: conn_id%): count
+	%{
+	Connection* c = sessions->FindConnection(cid);
+	if ( ! c )
+		return new Val(0, TYPE_COUNT);
+
+	if ( c->ConnTransport() != TRANSPORT_TCP )
+		return new Val(0, TYPE_COUNT);
+
+	Analyzer* tc = c->FindAnalyzer(AnalyzerTag::TCP);
+	if ( tc )
+		return new Val(static_cast<TCP_Analyzer*>(tc)->OrigSeq(),
+				TYPE_COUNT);
+	else
+		{
+		run_time("connection does not have TCP analyzer");
+		return new Val(0, TYPE_COUNT);
+		}
+	%}
+
+function get_resp_seq%(cid: conn_id%): count
+	%{
+	Connection* c = sessions->FindConnection(cid);
+	if ( ! c )
+		return new Val(0, TYPE_COUNT);
+
+	if ( c->ConnTransport() != TRANSPORT_TCP )
+		return new Val(0, TYPE_COUNT);
+
+	Analyzer* tc = c->FindAnalyzer(AnalyzerTag::TCP);
+	if ( tc )
+		return new Val(static_cast<TCP_Analyzer*>(tc)->RespSeq(),
+				TYPE_COUNT);
+	else
+		{
+		run_time("connection does not have TCP analyzer");
+		return new Val(0, TYPE_COUNT);
+		}
+	%}
+
+# These convert addresses <-> n3.n2.n1.n0.in-addr.arpa
+function ptr_name_to_addr%(s: string%): addr
+	%{
+	int a[4];
+	uint32 addr;
+
+	if ( sscanf(s->CheckString(),
+			"%d.%d.%d.%d.in-addr.arpa",
+			a, a+1, a+2, a+3) != 4 )
+		{
+		builtin_run_time("bad PTR name", @ARG@[0]);
+		addr = 0;
+		}
+	else
+		addr = (a[3] << 24) | (a[2] << 16) | (a[1] << 8) | a[0];
+
+	return new AddrVal(htonl(addr));
+	%}
+
+function addr_to_ptr_name%(a: addr%): string
+	%{
+	// ## Question:
+	// uint32 addr = ntohl((*args)[0]->InternalUnsigned());
+	uint32 addr;
+#ifdef BROv6
+	if ( is_v4_addr(a) )
+		addr = a[3];
+	else
+		{
+		builtin_run_time("conversion of non-IPv4 address to net", @ARG@[0]);
+		addr = 0;
+		}
+#else
+	addr = a;
+#endif
+
+	addr = ntohl(addr);
+	uint32 a3 = (addr >> 24) & 0xff;
+	uint32 a2 = (addr >> 16) & 0xff;
+	uint32 a1 = (addr >> 8) & 0xff;
+	uint32 a0 = addr & 0xff;
+
+	char buf[256];
+	sprintf(buf, "%u.%u.%u.%u.in-addr.arpa", a0, a1, a2, a3);
+
+	return new StringVal(buf);
+	%}
+
+# Transforms n0.n1.n2.n3 -> addr.
+function parse_dotted_addr%(s: string%): addr
+	%{
+	return new AddrVal(dotted_to_addr(s->CheckString()));
+	%}
+
+function parse_ftp_port%(s: string%): ftp_port
+	%{
+	return parse_port(s->CheckString());
+	%}
+
+function parse_eftp_port%(s: string%): ftp_port
+	%{
+	return parse_eftp(s->CheckString());
+	%}
+
+function parse_ftp_pasv%(str: string%): ftp_port
+	%{
+	const char* s = str->CheckString();
+	const char* line = strchr(s, '(');
+	if ( line )
+		++line;	// move past '('
+	else if ( (line = strstr(s, "PORT")) )
+		line += 5;	// Skip over
+	else if ( (line = strchr(s, ',')) )
+		{ // Look for comma-separated list.
+		while ( --line >= s && isdigit(*line) )
+			;	// Back up over preceding digits.
+		++line;	// now points to first digit, or beginning of s
+		}
+
+	return parse_port(line);
+	%}
+
+function parse_ftp_epsv%(str: string%): ftp_port
+	%{
+	const char* s = str->CheckString();
+	const char* line = strchr(s, '(');
+	if ( line )
+		++line; // move past '('
+	return parse_eftp(line);
+	%}
+
+function fmt_ftp_port%(a: addr, p: port%): string
+	%{
+#ifdef BROv6
+	if ( ! is_v4_addr(a) )
+		builtin_run_time("conversion of non-IPv4 address to net", @ARG@[0]);
+
+	uint32 addr = to_v4_addr(a);
+#else
+	uint32 addr = a;
+#endif
+	addr = ntohl(addr);
+	uint32 pn = p->Port();
+	return new StringVal(fmt("%d,%d,%d,%d,%d,%d",
+					addr >> 24, (addr >> 16) & 0xff,
+					(addr >> 8) & 0xff, addr & 0xff,
+					pn >> 8, pn & 0xff));
+	%}
+
+function decode_netbios_name%(name: string%): string
+	%{
+	char buf[16];
+	char result[32];
+	const u_char* s = name->Bytes();
+	int i, j;
+
+	for ( i = 0, j = 0; i < 16; ++i )
+		{
+		char c0 = (j < name->Len()) ? toupper(s[j++]) : 'A';
+		char c1 = (j < name->Len()) ? toupper(s[j++]) : 'A';
+		buf[i] = ((c0 - 'A') << 4) + (c1 - 'A');
+		}
+
+	for ( i = 0; i < 15; ++i )
+		if ( isalnum(buf[i]) || ispunct(buf[i]) )
+			result[i] = buf[i];
+		else
+			break;
+
+	// The last byte denotes the name type.
+	snprintf(result + i, sizeof(result) - i, "<%02x>", buf[15]);
+
+	return new StringVal(result);
+	%}
+
+%%{
+#include "HTTP.h"
+
+const char* conn_id_string(Val* c)
+	{
+	Val* id = (*(c->AsRecord()))[0];
+	const val_list* vl = id->AsRecord();
+
+	addr_type orig_h = (*vl)[0]->AsAddr();
+	uint32 orig_p = (*vl)[1]->AsPortVal()->Port();
+	addr_type resp_h = (*vl)[2]->AsAddr();
+	uint32 resp_p = (*vl)[3]->AsPortVal()->Port();
+
+	return fmt("%s/%u -> %s/%u\n", dotted_addr(orig_h), orig_p, dotted_addr(resp_h), resp_p);
+	}
+%%}
+
+# Skip data of the HTTP entity on the connection
+function skip_http_entity_data%(c: connection, is_orig: bool%): any
+	%{
+	AnalyzerID id = mgr.CurrentAnalyzer();
+	if ( id )
+		{
+		Analyzer* ha = c->FindAnalyzer(id);
+
+		if ( ha->GetTag() == AnalyzerTag::HTTP )
+			static_cast<HTTP_Analyzer*>(ha)->SkipEntityData(is_orig);
+		else
+			run_time("non-HTTP analyzer associated with connection record");
+		}
+
+	else
+		run_time("no analyzer associated with connection record");
+
+	return 0;
+	%}
+
+# Unescape all characters in the URI, i.e. decode every %xx group.
+#
+# Note that unescaping reserved characters may cause loss of
+# information (see below).
+#
+# RFC 2396: A URI is always in an "escaped" form, since escaping or
+# unescaping a completed URI might change its semantics.  Normally,
+# the only time escape encodings can safely be made is when the URI
+# is being created from its component parts.
+
+function unescape_URI%(URI: string%): string
+	%{
+	const u_char* line = URI->Bytes();
+	const u_char* const line_end = line + URI->Len();
+
+	return new StringVal(unescape_URI(line, line_end, 0));
+	%}
+
+%%{
+#include "SMTP.h"
+%%}
+
+# Skip smtp_data till next mail
+function skip_smtp_data%(c: connection%): any
+	%{
+	Analyzer* sa = c->FindAnalyzer(AnalyzerTag::SMTP);
+	if ( sa )
+		static_cast<SMTP_Analyzer*>(sa)->SkipData();
+	return 0;
+	%}
+
+
+function bytestring_to_hexstr%(bytestring: string%): string
+	%{
+	bro_uint_t len = bytestring->AsString()->Len();
+	const u_char* bytes = bytestring->AsString()->Bytes();
+	char hexstr[(2 * len) + 1];
+
+	hexstr[0] = 0;
+	for ( bro_uint_t i = 0; i < len; ++i )
+		snprintf(hexstr + (2 * i), 3, "%.2hhx", bytes[i]);
+
+	return new StringVal(hexstr);
+	%}
+
+%%{
+extern const char* bro_version();
+%%}
+
+function resource_usage%(%): bro_resources
+	%{
+	struct rusage r;
+
+	if ( getrusage(RUSAGE_SELF, &r) < 0 )
+		internal_error("getrusage() failed in bro_resource_usage()");
+
+	double elapsed_time = current_time() - bro_start_time;
+
+	double user_time =
+		double(r.ru_utime.tv_sec) + double(r.ru_utime.tv_usec) / 1e6;
+	double system_time =
+		double(r.ru_stime.tv_sec) + double(r.ru_stime.tv_usec) / 1e6;
+
+	RecordVal* res = new RecordVal(bro_resources);
+	int n = 0;
+
+	res->Assign(n++, new StringVal(bro_version()));
+
+#ifdef DEBUG
+	res->Assign(n++, new Val(1, TYPE_COUNT));
+#else
+	res->Assign(n++, new Val(0, TYPE_COUNT));
+#endif
+
+	res->Assign(n++, new Val(bro_start_time, TYPE_TIME));
+
+	res->Assign(n++, new IntervalVal(elapsed_time, Seconds));
+	res->Assign(n++, new IntervalVal(user_time, Seconds));
+	res->Assign(n++, new IntervalVal(system_time, Seconds));
+
+	unsigned int total_mem;
+	get_memory_usage(&total_mem, 0);
+	res->Assign(n++, new Val(unsigned(total_mem), TYPE_COUNT));
+
+	res->Assign(n++, new Val(unsigned(r.ru_minflt), TYPE_COUNT));
+	res->Assign(n++, new Val(unsigned(r.ru_majflt), TYPE_COUNT));
+	res->Assign(n++, new Val(unsigned(r.ru_nswap), TYPE_COUNT));
+	res->Assign(n++, new Val(unsigned(r.ru_inblock), TYPE_COUNT));
+	res->Assign(n++, new Val(unsigned(r.ru_oublock), TYPE_COUNT));
+	res->Assign(n++, new Val(unsigned(r.ru_nivcsw), TYPE_COUNT));
+
+	SessionStats s;
+	if ( sessions )
+		sessions->GetStats(s);
+
+#define ADD_STAT(x) \
+	res->Assign(n++, new Val(unsigned(sessions ? x : 0), TYPE_COUNT));
+
+	ADD_STAT(s.num_TCP_conns);
+	ADD_STAT(s.num_UDP_conns);
+	ADD_STAT(s.num_ICMP_conns);
+	ADD_STAT(s.num_fragments);
+	ADD_STAT(s.num_packets);
+	ADD_STAT(s.num_timers);
+	ADD_STAT(s.num_events_queued);
+	ADD_STAT(s.num_events_dispatched);
+	ADD_STAT(s.max_TCP_conns);
+	ADD_STAT(s.max_UDP_conns);
+	ADD_STAT(s.max_ICMP_conns);
+	ADD_STAT(s.max_fragments);
+	ADD_STAT(s.max_timers);
+
+	return res;
+	%}
+
+function get_matcher_stats%(%): matcher_stats
+	%{
+	RuleMatcher::Stats s;
+	memset(&s, 0, sizeof(s));
+
+	if ( rule_matcher )
+		rule_matcher->GetStats(&s);
+
+	RecordVal* r = new RecordVal(matcher_stats);
+	r->Assign(0, new Val(s.matchers, TYPE_COUNT));
+	r->Assign(1, new Val(s.dfa_states, TYPE_COUNT));
+	r->Assign(2, new Val(s.computed, TYPE_COUNT));
+	r->Assign(3, new Val(s.mem, TYPE_COUNT));
+	r->Assign(4, new Val(s.hits, TYPE_COUNT));
+	r->Assign(5, new Val(s.misses, TYPE_COUNT));
+	r->Assign(6, new Val(s.avg_nfa_states, TYPE_COUNT));
+
+	return r;
+	%}
+
+function get_gap_summary%(%): gap_info
+	%{
+	RecordVal* r = new RecordVal(gap_info);
+	r->Assign(0, new Val(tot_ack_events, TYPE_COUNT));
+	r->Assign(1, new Val(tot_ack_bytes, TYPE_COUNT));
+	r->Assign(2, new Val(tot_gap_events, TYPE_COUNT));
+	r->Assign(3, new Val(tot_gap_bytes, TYPE_COUNT));
+
+	return r;
+	%}
+
+function val_size%(v: any%): count
+	%{
+	return new Val(v->MemoryAllocation(), TYPE_COUNT);
+	%}
+
+function global_sizes%(%): var_sizes
+	%{
+	TableVal* sizes = new TableVal(var_sizes);
+	PDict(ID)* globals = global_scope()->Vars();
+	IterCookie* c = globals->InitForIteration();
+
+	ID* id;
+	while ( (id = globals->NextEntry(c)) )
+		if ( id->HasVal() && ! id->IsInternalGlobal() )
+			{
+			Val* id_name = new StringVal(id->Name());
+			Val* id_size = new Val(id->ID_Val()->MemoryAllocation(),
+						TYPE_COUNT);
+			sizes->Assign(id_name, id_size);
+			Unref(id_name);
+			}
+
+	return sizes;
+	%}
+
+function global_ids%(%): id_table
+	%{
+	TableVal* ids = new TableVal(id_table);
+	PDict(ID)* globals = global_scope()->Vars();
+	IterCookie* c = globals->InitForIteration();
+
+	ID* id;
+	while ( (id = globals->NextEntry(c)) )
+		{
+		if ( id->IsInternalGlobal() )
+			continue;
+
+		RecordVal* rec = new RecordVal(script_id);
+		rec->Assign(0, new StringVal(type_name(id->Type()->Tag())));
+		rec->Assign(1, new Val(id->IsExport(), TYPE_BOOL));
+		rec->Assign(2, new Val(id->IsConst(), TYPE_BOOL));
+		rec->Assign(3, new Val(id->IsEnumConst(), TYPE_BOOL));
+		rec->Assign(4, new Val(id->IsRedefinable(), TYPE_BOOL));
+
+		if ( id->HasVal() )
+			{
+			Val* val = id->ID_Val();
+			Ref(val);
+			rec->Assign(5, val);
+			}
+
+		Val* id_name = new StringVal(id->Name());
+		ids->Assign(id_name, rec);
+		Unref(id_name);
+		}
+
+	return ids;
+	%}
+
+%%{
+#include "TCP_Rewriter.h"
+
+// Trace rewriting functions.
+class PacketDumper;
+extern PacketDumper* transformed_pkt_dump;
+extern void commit_trace(Val* conn_val, int commit, int future);
+%%}
+
+# True if we're rewriting (anonymizing), false otherwise.
+function rewriting_trace%(%): bool
+	%{
+	return new Val(transformed_pkt_dump != 0, TYPE_BOOL);
+	%}
+
+%%{
+#include "Anon.h"
+%%}
+
+# Preserve prefix as original one in anonymization.
+function preserve_prefix%(a: addr, width: count%): any
+	%{
+	AnonymizeIPAddr* ip_anon = ip_anonymizer[PREFIX_PRESERVING_A50];
+	if ( ip_anon )
+		{
+#ifdef BROv6
+		if ( ! is_v4_addr(a) )
+			builtin_run_time("preserve_prefix() not supported for IPv6 addresses");
+		else
+			ip_anon->PreservePrefix(a[3], width);
+#else
+		ip_anon->PreservePrefix(a, width);
+#endif
+		}
+
+
+	return 0;
+	%}
+
+function preserve_subnet%(a: subnet%): any
+	%{
+	DEBUG_MSG("%s/%d\n", dotted_addr(a->AsAddr()), a->Width());
+	AnonymizeIPAddr* ip_anon = ip_anonymizer[PREFIX_PRESERVING_A50];
+	if ( ip_anon )
+		{
+#ifdef BROv6
+		if ( ! is_v4_addr(a->AsAddr()) )
+			builtin_run_time("preserve_subnet() not supported for IPv6 addresses");
+		else
+			ip_anon->PreservePrefix(a->AsAddr()[3], a->Width());
+#else
+		ip_anon->PreservePrefix(a->AsAddr(), a->Width());
+#endif
+		}
+
+	return 0;
+	%}
+
+function preserve_net%(a: net%): any
+	%{
+#ifdef BROv6
+	builtin_run_time("preserve_net() not supported with --enable-BROv6");
+#else
+	AnonymizeIPAddr* ip_anon = ip_anonymizer[PREFIX_PRESERVING_A50];
+	if ( ip_anon )
+		ip_anon->PreserveNet(a);
+#endif
+
+	return 0;
+	%}
+
+# Anonymize given IP address.
+function anonymize_addr%(a: addr, cl: IPAddrAnonymizationClass%): addr
+	%{
+	int anon_class = cl->InternalInt();
+	if ( anon_class < 0 || anon_class >= NUM_ADDR_ANONYMIZATION_CLASSES )
+		builtin_run_time("anonymize_addr(): invalid ip addr anonymization class");
+
+#ifdef BROv6
+	if ( ! is_v4_addr(a) )
+		{
+		builtin_run_time("anonymize_addr() not supported for IPv6 addresses");
+		return 0;
+		}
+	else
+		return new AddrVal(anonymize_ip(a[3],
+			(enum ip_addr_anonymization_class_t) anon_class));
+#else
+	return new AddrVal(anonymize_ip(a,
+		(enum ip_addr_anonymization_class_t) anon_class));
+#endif
+	%}
+
+%%{
+static void hash_md5_val(val_list& vlist, unsigned char digest[16])
+	{
+	md5_state_s h;
+
+	md5_init(&h);
+	loop_over_list(vlist, i)
+		{
+		Val* v = vlist[i];
+		if ( v->Type()->Tag() == TYPE_STRING )
+			{
+			const BroString* str = v->AsString();
+			md5_append(&h, str->Bytes(), str->Len());
+			}
+		else
+			{
+			ODesc d(DESC_BINARY);
+			v->Describe(&d);
+			md5_append(&h, (const md5_byte_t *) d.Bytes(), d.Len());
+			}
+		}
+	md5_finish(&h, digest);
+	}
+
+static void hmac_md5_val(val_list& vlist, unsigned char digest[16])
+	{
+	hash_md5_val(vlist, digest);
+	for ( int i = 0; i < 16; ++i )
+		digest[i] = digest[i] ^ shared_hmac_md5_key[i];
+	hash_md5(16, digest, digest);
+	}
+%%}
+
+function md5_hash%(...%): string
+	%{
+	unsigned char digest[16];
+	hash_md5_val(@ARG@, digest);
+	return new StringVal(md5_digest_print(digest));
+	%}
+
+function md5_hmac%(...%): string
+	%{
+	unsigned char digest[16];
+	hmac_md5_val(@ARG@, digest);
+	return new StringVal(md5_digest_print(digest));
+	%}
+
+%%{
+static map<BroString, md5_state_s> md5_states;
+
+BroString* convert_md5_index_to_string(Val* index)
+	{
+	ODesc d;
+	index->Describe(&d);
+	return new BroString(1, d.TakeBytes(), d.Len());
+	}
+%%}
+
+function md5_hash_init%(index: any%): bool
+	%{
+	BroString* s = convert_md5_index_to_string(index);
+	int status = 0;
+
+	if ( md5_states.count(*s) < 1 )
+		{
+		md5_state_s h;
+		md5_init(&h);
+		md5_states[*s] = h;
+		status = 1;
+		}
+
+	delete s;
+	return new Val(status, TYPE_BOOL);
+	%}
+
+function md5_hash_update%(index: any, data: string%): bool
+	%{
+	BroString* s = convert_md5_index_to_string(index);
+	int status = 0;
+
+	if ( md5_states.count(*s) > 0 )
+		{
+		md5_append(&md5_states[*s], data->Bytes(), data->Len());
+		status = 1;
+		}
+
+	delete s;
+	return new Val(status, TYPE_BOOL);
+	%}
+
+function md5_hash_finish%(index: any%): string
+	%{
+	BroString* s = convert_md5_index_to_string(index);
+	StringVal* printable_digest;
+
+	if ( md5_states.count(*s) > 0 )
+		{
+		unsigned char digest[16];
+		md5_finish(&md5_states[*s], digest);
+		md5_states.erase(*s);
+		printable_digest = new StringVal(md5_digest_print(digest));
+		}
+	else
+		printable_digest = new StringVal("");
+
+	delete s;
+	return printable_digest;
+	%}
+
+# Wrappings for rand() and srand()
+function rand%(max: count%): count
+	%{
+	int result;
+	result = bro_uint_t(double(max) * double(rand()) / (RAND_MAX + 1.0));
+	return new Val(result, TYPE_COUNT);
+	%}
+
+function srand%(seed: count%): any
+	%{
+	srand(seed);
+	return 0;
+	%}
+
+function decode_base64%(s: string%): string
+	%{
+	BroString* t = decode_base64(s->AsString());
+	if ( t )
+		return new StringVal(t);
+	else
+		{
+		run_time("error in decoding string %s", @ARG@[0]);
+		return new StringVal("");
+		}
+	%}
+
+%%{
+#include "DCE_RPC.h"
+
+typedef struct {
+	uint32 time_low;
+	uint16 time_mid;
+	uint16 time_hi_and_version;
+	uint8 clock_seq_hi_and_reserved;
+	uint8 clock_seq_low;
+	uint8 node[6];
+} bro_uuid_t;
+%%}
+
+function uuid_to_string%(uuid: string%): string
+	%{
+	if ( uuid->Len() != 16 )
+		return new StringVal("<Invalid UUID>");
+
+	bro_uuid_t* id = (bro_uuid_t*) uuid->Bytes();
+
+	static char s[1024];
+	char* sp = s;
+
+	sp += snprintf(sp, s + sizeof(s) - sp,
+		"%08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x",
+		id->time_low, id->time_mid, id->time_hi_and_version,
+		id->clock_seq_hi_and_reserved, id->clock_seq_low,
+		id->node[0],
+		id->node[1],
+		id->node[2],
+		id->node[3],
+		id->node[4],
+		id->node[5]);
+
+	return new StringVal(s);
+	%}
+
+
+# The following functions are attempts to convert strings into
+# patterns at run-time. These attempts were later *abandoned* because
+# NFA and DFA cannot be cleanly deallocated.
+
+function merge_pattern%(p1: pattern, p2: pattern%): pattern
+	%{
+	if ( reading_live )
+		{
+		builtin_run_time("should not call merge_pattern while reading live traffic");
+		return 0;
+		}
+
+	RE_Matcher* re = new RE_Matcher();
+	re->AddPat(p1->PatternText());
+	re->AddPat(p2->PatternText());
+	re->Compile();
+	return new PatternVal(re);
+	%}
+
+%%{
+char* to_pat_str(int sn, const char* ss)
+	{
+	const char special_re_char[] = "^$-:\"\\/|*+?.(){}[]";
+
+	char* pat = new char[sn * 4 + 1];
+	int pat_len = 0;
+
+	for ( int i = 0; i < sn; ++i )
+		{
+		if ( ! strchr(special_re_char, ss[i]) )
+			pat[pat_len++] = ss[i];
+		else
+			{
+			pat[pat_len++] = '\\';
+			pat[pat_len++] = ss[i];
+			}
+		}
+	pat[pat_len] = '\0';
+	return pat;
+	}
+%%}
+
+function convert_for_pattern%(s: string%): string
+	%{
+	char* t = to_pat_str(s->Len(), (const char*)(s->Bytes()));
+	StringVal* ret = new StringVal(t);
+	delete [] t;
+	return ret;
+	%}
+
+function string_to_pattern%(s: string, convert: bool%): pattern
+	%{
+	if ( reading_live )
+		{
+		builtin_run_time("should not call merge_pattern while reading live traffic");
+		return 0;
+		}
+
+	const char* ss = (const char*) (s->Bytes());
+	int sn = s->Len();
+	char* pat;
+
+	if ( convert )
+		pat = to_pat_str(sn, ss);
+	else
+		{
+		pat = new char[sn+1];
+		memcpy(pat, ss, sn);
+		pat[sn] = '\0';
+		}
+
+	RE_Matcher* re = new RE_Matcher(pat);
+	delete [] pat;
+	re->Compile();
+	return new PatternVal(re);
+	%}
+
+# Precompile a pcap filter.
+function precompile_pcap_filter%(id: PcapFilterID, s: string%): bool
+	%{
+	bool success = true;
+
+	loop_over_list(pkt_srcs, i)
+		{
+		pkt_srcs[i]->ClearErrorMsg();
+
+		if ( ! pkt_srcs[i]->PrecompileFilter(id->ForceAsInt(),
+							s->CheckString()) )
+			{
+			run_time( "precompile_pcap_filter: %s",
+				pkt_srcs[i]->ErrorMsg() );
+			success = false;
+			}
+		}
+
+	return new Val(success, TYPE_BOOL);
+	%}
+
+# Install precompiled pcap filter.
+function install_pcap_filter%(id: PcapFilterID%): bool
+	%{
+	// Don't allow the script-level to change the filter when
+	// the user has specified one on the command line.
+	if ( user_pcap_filter )
+		return new Val(0, TYPE_BOOL);
+
+	bool success = true;
+
+	loop_over_list(pkt_srcs, i)
+		{
+		pkt_srcs[i]->ClearErrorMsg();
+
+		if ( ! pkt_srcs[i]->SetFilter(id->ForceAsInt()) )
+			success = false;
+		}
+
+	return new Val(success, TYPE_BOOL);
+	%}
+
+# If last pcap function failed, returns a descriptive error message
+function pcap_error%(%): string
+	%{
+	loop_over_list(pkt_srcs, i)
+		{
+		const char* err = pkt_srcs[i]->ErrorMsg();
+		if ( *err )
+			return new StringVal(err);
+		}
+
+	return new StringVal("no error");
+	%}
+
+# Install filter to drop packets from a source (addr/subnet) with a given
+# probability (0.0-1.0) if none of the given TCP flags is set.
+function install_src_addr_filter%(ip: addr, tcp_flags: count, prob: double%) : bool
+	%{
+	sessions->GetPacketFilter()->AddSrc(ip, tcp_flags, prob);
+	return new Val(1, TYPE_BOOL);
+	%}
+
+function install_src_net_filter%(snet: subnet, tcp_flags: count, prob: double%) : bool
+	%{
+	sessions->GetPacketFilter()->AddSrc(snet, tcp_flags, prob);
+	return new Val(1, TYPE_BOOL);
+	%}
+
+# Remove the filter for the source.
+function uninstall_src_addr_filter%(ip: addr%) : bool
+	%{
+	return new Val(sessions->GetPacketFilter()->RemoveSrc(ip), TYPE_BOOL);
+	%}
+
+function uninstall_src_net_filter%(snet: subnet%) : bool
+	%{
+	return new Val(sessions->GetPacketFilter()->RemoveSrc(snet), TYPE_BOOL);
+	%}
+
+# Same for destination.
+function install_dst_addr_filter%(ip: addr, tcp_flags: count, prob: double%) : bool
+	%{
+	sessions->GetPacketFilter()->AddDst(ip, tcp_flags, prob);
+	return new Val(1, TYPE_BOOL);
+	%}
+
+function install_dst_net_filter%(snet: subnet, tcp_flags: count, prob: double%) : bool
+	%{
+	sessions->GetPacketFilter()->AddDst(snet, tcp_flags, prob);
+	return new Val(1, TYPE_BOOL);
+	%}
+
+function uninstall_dst_addr_filter%(ip: addr%) : bool
+	%{
+	return new Val(sessions->GetPacketFilter()->RemoveDst(ip), TYPE_BOOL);
+	%}
+
+function uninstall_dst_net_filter%(snet: subnet%) : bool
+	%{
+	return new Val(sessions->GetPacketFilter()->RemoveDst(snet), TYPE_BOOL);
+	%}
+
+function checkpoint_state%(%) : bool
+	%{
+	return new Val(persistence_serializer->WriteState(true), TYPE_BOOL);
+	%}
+
+function dump_config%(%) : bool
+	%{
+	return new Val(persistence_serializer->WriteConfig(true), TYPE_BOOL);
+	%}
+
+function rescan_state%(%) : bool
+	%{
+	return new Val(persistence_serializer->ReadAll(false, true), TYPE_BOOL);
+	%}
+
+function capture_events%(filename: string%) : bool
+	%{
+	if ( ! event_serializer )
+		event_serializer = new FileSerializer();
+	else
+		event_serializer->Close();
+
+	return new Val(event_serializer->Open(
+		(const char*) filename->CheckString()), TYPE_BOOL);
+	%}
+
+function capture_state_updates%(filename: string%) : bool
+	%{
+	if ( ! state_serializer )
+		state_serializer = new FileSerializer();
+	else
+		state_serializer->Close();
+
+	return new Val(state_serializer->Open(
+		(const char*) filename->CheckString()), TYPE_BOOL);
+	%}
+
+function connect%(ip: addr, p: port, our_class: string, retry: interval, ssl: bool%) : count
+	%{
+	return new Val(uint32(remote_serializer->Connect(ip, p->Port(),
+				our_class->CheckString(), retry, ssl)),
+			TYPE_COUNT);
+	%}
+
+function request_remote_events%(p: event_peer, handlers: pattern%) : bool
+	%{
+	RemoteSerializer::PeerID id = p->AsRecordVal()->Lookup(0)->AsCount();
+	return new Val(remote_serializer->RequestEvents(id, handlers),
+			TYPE_BOOL);
+	%}
+
+function request_remote_sync%(p: event_peer, auth: bool%) : bool
+	%{
+	RemoteSerializer::PeerID id = p->AsRecordVal()->Lookup(0)->AsCount();
+	return new Val(remote_serializer->RequestSync(id, auth), TYPE_BOOL);
+	%}
+
+function set_accept_state%(p: event_peer, accept: bool%) : bool
+	%{
+	RemoteSerializer::PeerID id = p->AsRecordVal()->Lookup(0)->AsCount();
+	return new Val(remote_serializer->SetAcceptState(id, accept),
+			TYPE_BOOL);
+	%}
+
+function set_compression_level%(p: event_peer, level: count%) : bool
+	%{
+	RemoteSerializer::PeerID id = p->AsRecordVal()->Lookup(0)->AsCount();
+	return new Val(remote_serializer->SetCompressionLevel(id, level),
+			TYPE_BOOL);
+	%}
+
+function listen%(ip: addr, p: port, ssl: bool %) : bool
+	%{
+	return new Val(remote_serializer->Listen(ip, p->Port(), ssl), TYPE_BOOL);
+	%}
+
+function is_remote_event%(%) : bool
+	%{
+	return new Val(mgr.CurrentSource() != SOURCE_LOCAL, TYPE_BOOL);
+	%}
+
+function send_state%(p: event_peer%) : bool
+	%{
+	RemoteSerializer::PeerID id = p->AsRecordVal()->Lookup(0)->AsCount();
+	return new Val(persistence_serializer->SendState(id, true), TYPE_BOOL);
+	%}
+
+# Send the value of the given global ID to the peer (which might
+# then install it locally).
+function send_id%(p: event_peer, id: string%) : bool
+	%{
+	RemoteSerializer::PeerID pid = p->AsRecordVal()->Lookup(0)->AsCount();
+
+	ID* i = global_scope()->Lookup(id->CheckString());
+	if ( ! i )
+		{
+		run_time(fmt("send_id: no global id %s", id->CheckString()));
+		return new Val(0, TYPE_BOOL);
+		}
+
+	SerialInfo info(remote_serializer);
+	return new Val(remote_serializer->SendID(&info, pid, *i), TYPE_BOOL);
+	%}
+
+# Gracely shut down communication.
+function terminate_communication%(%) : bool
+	%{
+	return new Val(remote_serializer->Terminate(), TYPE_BOOL);
+	%}
+
+function complete_handshake%(p: event_peer%) : bool
+	%{
+	RemoteSerializer::PeerID id = p->AsRecordVal()->Lookup(0)->AsCount();
+	return new Val(remote_serializer->CompleteHandshake(id), TYPE_BOOL);
+	%}
+
+function send_ping%(p: event_peer, seq: count%) : bool
+	%{
+	RemoteSerializer::PeerID id = p->AsRecordVal()->Lookup(0)->AsCount();
+	return new Val(remote_serializer->SendPing(id, seq), TYPE_BOOL);
+	%}
+
+function send_current_packet%(p: event_peer%) : bool
+	%{
+	Packet pkt("");
+
+	if ( ! current_pktsrc ||
+	     ! current_pktsrc->GetCurrentPacket(&pkt.hdr, &pkt.pkt) )
+		return new Val(0, TYPE_BOOL);
+
+	RemoteSerializer::PeerID id = p->AsRecordVal()->Lookup(0)->AsCount();
+
+	pkt.time = pkt.hdr->ts.tv_sec + double(pkt.hdr->ts.tv_usec) / 1e6;
+	pkt.hdr_size = current_pktsrc->HdrSize();
+	pkt.link_type = current_pktsrc->LinkType();
+
+	SerialInfo info(remote_serializer);
+	return new Val(remote_serializer->SendPacket(&info, id, pkt), TYPE_BOOL);
+	%}
+
+function do_profiling%(%) : bool
+	%{
+	if ( profiling_logger )
+		profiling_logger->Log();
+
+	return new Val(1, TYPE_BOOL);
+	%}
+
+function get_event_peer%(%) : event_peer
+	%{
+	SourceID src = mgr.CurrentSource();
+
+	if ( src == SOURCE_LOCAL )
+		{
+		RecordVal* p = mgr.GetLocalPeerVal();
+		Ref(p);
+		return p;
+		}
+
+	if ( ! remote_serializer )
+		internal_error("remote_serializer not initialized");
+
+	Val* v = remote_serializer->GetPeerVal(src);
+	if ( ! v )
+		{
+		run_time(fmt("peer %d does not exist anymore", int(src)));
+		RecordVal* p = mgr.GetLocalPeerVal();
+		Ref(p);
+		return p;
+		}
+
+	return v;
+	%}
+
+function get_local_event_peer%(%) : event_peer
+	%{
+	RecordVal* p = mgr.GetLocalPeerVal();
+	Ref(p);
+	return p;
+	%}
+
+
+function send_capture_filter%(p: event_peer, s: string%) : bool
+	%{
+	RemoteSerializer::PeerID id = p->AsRecordVal()->Lookup(0)->AsCount();
+	return new Val(remote_serializer->SendCaptureFilter(id, s->CheckString()), TYPE_BOOL);
+	%}
+
+function make_connection_persistent%(c: connection%) : bool
+	%{
+	c->MakePersistent();
+	return new Val(1, TYPE_BOOL);
+	%}
+
+function is_local_interface%(ip: addr%) : bool
+	%{
+	static uint32* addrs;
+	static int len = -1;
+
+	if ( len < 0 )
+		{
+		char host[MAXHOSTNAMELEN];
+
+		strcpy(host, "localhost");
+		gethostname(host, MAXHOSTNAMELEN);
+		host[MAXHOSTNAMELEN-1] = '\0';
+
+		struct hostent* ent = gethostbyname(host);
+
+		for ( len = 0; ent->h_addr_list[len]; ++len )
+			;
+
+		addrs = new uint32[len + 1];
+		for ( int i = 0; i < len; i++ )
+			addrs[i] = *(uint32*) ent->h_addr_list[i];
+
+		addrs[len++] = 0x0100007f; // 127.0.0.1
+		}
+
+#ifdef BROv6
+	if ( ! is_v4_addr(ip) )
+		{
+		builtin_run_time("is_local_interface() only supports IPv4 addresses");
+		return new Val(0, TYPE_BOOL);
+		}
+
+	uint32 ip4 = to_v4_addr(ip);
+#else
+	uint32 ip4 = ip;
+#endif
+
+	for ( int i = 0; i < len; i++ )
+		if ( addrs[i] == ip4 )
+			return new Val(1, TYPE_BOOL);
+
+	return new Val(0, TYPE_BOOL);
+	%}
+
+function dump_current_packet%(file_name: string%) : bool
+	%{
+	const struct pcap_pkthdr* hdr;
+	const u_char* pkt;
+
+	if ( ! current_pktsrc ||
+	     ! current_pktsrc->GetCurrentPacket(&hdr, &pkt) )
+		return new Val(0, TYPE_BOOL);
+
+	if ( ! addl_pkt_dumper )
+		addl_pkt_dumper = new PktDumper(0, true);
+
+	addl_pkt_dumper->Open(file_name->CheckString());
+	addl_pkt_dumper->Dump(hdr, pkt);
+
+	return new Val(! addl_pkt_dumper->IsError(), TYPE_BOOL);
+	%}
+
+function get_current_packet%(%) : pcap_packet
+	%{
+	const struct pcap_pkthdr* hdr;
+	const u_char* data;
+	RecordVal* pkt = new RecordVal(pcap_packet);
+
+	if ( ! current_pktsrc ||
+	     ! current_pktsrc->GetCurrentPacket(&hdr, &data) )
+		{
+		pkt->Assign(0, new Val(0, TYPE_COUNT));
+		pkt->Assign(1, new Val(0, TYPE_COUNT));
+		pkt->Assign(2, new Val(0, TYPE_COUNT));
+		pkt->Assign(3, new Val(0, TYPE_COUNT));
+		pkt->Assign(4, new StringVal(""));
+		return pkt;
+		}
+
+	pkt->Assign(0, new Val(uint32(hdr->ts.tv_sec), TYPE_COUNT));
+	pkt->Assign(1, new Val(uint32(hdr->ts.tv_usec), TYPE_COUNT));
+	pkt->Assign(2, new Val(hdr->caplen, TYPE_COUNT));
+	pkt->Assign(3, new Val(hdr->len, TYPE_COUNT));
+	pkt->Assign(4, new StringVal(hdr->caplen, (const char*) data));
+
+	return pkt;
+	%}
+
+function dump_packet%(pkt: pcap_packet, file_name: string%) : bool
+	%{
+	struct pcap_pkthdr hdr;
+	const val_list* pkt_vl = pkt->AsRecord();
+
+	hdr.ts.tv_sec = (*pkt_vl)[0]->AsCount();
+	hdr.ts.tv_usec = (*pkt_vl)[1]->AsCount();
+	hdr.caplen = (*pkt_vl)[2]->AsCount();
+	hdr.len = (*pkt_vl)[3]->AsCount();
+
+	if ( ! addl_pkt_dumper )
+		addl_pkt_dumper = new PktDumper(0, true);
+
+	addl_pkt_dumper->Open(file_name->CheckString());
+	addl_pkt_dumper->Dump(&hdr, (*pkt_vl)[4]->AsString()->Bytes());
+
+	return new Val(addl_pkt_dumper->IsError(), TYPE_BOOL);
+	%}
+
+# The return value is the old size of the vector.
+# ### Need better type checking on the argument here and in subsequent
+# vector builtins -- probably need to update "bif" code generator.
+function resize%(aggr: any, newsize: count%) : count
+	%{
+	if ( aggr->Type()->Tag() != TYPE_VECTOR )
+		{
+		builtin_run_time("resize() operates on vectors");
+		return 0;
+		}
+
+	return new Val(aggr->AsVectorVal()->Resize(newsize), TYPE_COUNT);
+	%}
+
+# Returns true if any element is T.
+function any_set%(v: any%) : bool
+	%{
+	if ( v->Type()->Tag() != TYPE_VECTOR ||
+	     v->Type()->YieldType()->Tag() != TYPE_BOOL )
+		{
+		builtin_run_time("any_set() requires vector of bool");
+		return new Val(false, TYPE_BOOL);
+		}
+
+	VectorVal* vv = v->AsVectorVal();
+	for ( unsigned int i = VECTOR_MIN; i < vv->Size() + VECTOR_MIN; ++i )
+		if ( vv->Lookup(i) && vv->Lookup(i)->AsBool() )
+			return new Val(true, TYPE_BOOL);
+
+	return new Val(false, TYPE_BOOL);
+	%}
+
+# Returns true if all elements are T (missing counts as F).
+function all_set%(v: any%) : bool
+	%{
+	if ( v->Type()->Tag() != TYPE_VECTOR ||
+	     v->Type()->YieldType()->Tag() != TYPE_BOOL )
+		{
+		builtin_run_time("all_set() requires vector of bool");
+		return new Val(false, TYPE_BOOL);
+		}
+
+	VectorVal* vv = v->AsVectorVal();
+	for ( unsigned int i = VECTOR_MIN; i < vv->Size() + VECTOR_MIN; ++i )
+		if ( ! vv->Lookup(i) || ! vv->Lookup(i)->AsBool() )
+			return new Val(false, TYPE_BOOL);
+
+	return new Val(true, TYPE_BOOL);
+	%}
+
+# sort() takes a vector and comparison function on the elements and
+# sorts the vector in place.  It returns the original vector.
+
+%%{
+static Func* sort_function_comp = 0;
+static Val** index_map = 0;	// used for indirect sorting to support order()
+
+bool sort_function(Val* a, Val* b)
+	{
+	// Sort missing values as "high".
+	if ( ! a )
+		return 0;
+	if ( ! b )
+		return 1;
+
+	val_list sort_func_args;
+	sort_func_args.append(a->Ref());
+	sort_func_args.append(b->Ref());
+
+	Val* result = sort_function_comp->Call(&sort_func_args);
+	int int_result = result->CoerceToInt();
+	Unref(result);
+
+	sort_func_args.remove_nth(1);
+	sort_func_args.remove_nth(0);
+
+	return int_result < 0;
+	}
+
+bool indirect_sort_function(int a, int b)
+	{
+	return sort_function(index_map[a], index_map[b]);
+	}
+
+bool int_sort_function (Val* a, Val* b)
+	{
+	if ( ! a )
+		return 0;
+	if ( ! b )
+		return 1;
+
+	int ia = a->CoerceToInt();
+	int ib = b->CoerceToInt();
+
+	return ia < ib;
+	}
+
+bool indirect_int_sort_function(int a, int b)
+	{
+	return int_sort_function(index_map[a], index_map[b]);
+	}
+%%}
+
+function sort%(v: any, ...%) : any
+	%{
+	v->Ref();	// we always return v
+
+	if ( v->Type()->Tag() != TYPE_VECTOR )
+		{
+		builtin_run_time("sort() requires vector");
+		return v;
+		}
+
+	BroType* elt_type = v->Type()->YieldType();
+	Func* comp = 0;
+
+	if ( @ARG@.length() > 2 )
+		builtin_run_time("sort() called with extraneous argument");
+
+	if ( @ARG@.length() == 2 )
+		{
+		Val* comp_val = @ARG@[1];
+		if ( ! IsFunc(comp_val->Type()->Tag()) )
+			{
+			builtin_run_time("second argument to sort() needs to be comparison function");
+			return v;
+			}
+
+		comp = comp_val->AsFunc();
+		}
+
+	if ( ! comp && ! IsIntegral(elt_type->Tag()) )
+		builtin_run_time("comparison function required for sort() with non-integral types");
+
+	vector<Val*>& vv = *v->AsVector();
+
+	if ( comp )
+		{
+		FuncType* comp_type = comp->FType()->AsFuncType();
+		if ( comp_type->YieldType()->Tag() != TYPE_INT ||
+		     ! comp_type->ArgTypes()->AllMatch(elt_type, 0) )
+			{
+			builtin_run_time("invalid comparison function in call to sort()");
+			return v;
+			}
+
+		sort_function_comp = comp;
+
+		sort(vv.begin(), vv.end(), sort_function);
+		}
+	else
+		sort(vv.begin(), vv.end(), int_sort_function);
+
+	return v;
+	%}
+
+function order%(v: any, ...%) : index_vec
+	%{
+	VectorVal* result_v =
+		new VectorVal(new VectorType(base_type(TYPE_COUNT)));
+
+	if ( v->Type()->Tag() != TYPE_VECTOR )
+		{
+		builtin_run_time("order() requires vector");
+		return result_v;
+		}
+
+	BroType* elt_type = v->Type()->YieldType();
+	Func* comp = 0;
+
+	if ( @ARG@.length() > 2 )
+		builtin_run_time("order() called with extraneous argument");
+
+	if ( @ARG@.length() == 2 )
+		{
+		Val* comp_val = @ARG@[1];
+		if ( ! IsFunc(comp_val->Type()->Tag()) )
+			{
+			builtin_run_time("second argument to order() needs to be comparison function");
+			return v;
+			}
+
+		comp = comp_val->AsFunc();
+		}
+
+	if ( ! comp && ! IsIntegral(elt_type->Tag()) )
+		builtin_run_time("comparison function required for sort() with non-integral types");
+
+	vector<Val*>& vv = *v->AsVector();
+	int n = vv.size();
+
+	// Set up initial mapping of indices directly to corresponding
+	// elements.  We stay zero-based until after the sorting.
+	vector<int> ind_vv(n);
+	index_map = new Val*[n];
+	int i;
+	for ( i = 0; i < n; ++i )
+		{
+		ind_vv[i] = i;
+		index_map[i] = vv[i];
+		}
+
+	if ( comp )
+		{
+		FuncType* comp_type = comp->FType()->AsFuncType();
+		if ( comp_type->YieldType()->Tag() != TYPE_INT ||
+		     ! comp_type->ArgTypes()->AllMatch(elt_type, 0) )
+			{
+			builtin_run_time("invalid comparison function in call to sort()");
+			return v;
+			}
+
+		sort_function_comp = comp;
+
+		sort(ind_vv.begin(), ind_vv.end(), indirect_sort_function);
+		}
+	else
+		sort(ind_vv.begin(), ind_vv.end(), indirect_int_sort_function);
+
+	delete [] index_map;
+	index_map = 0;
+
+	// Now spin through ind_vv to read out the rearrangement,
+	// adjusting indices as we do so.
+	for ( i = 0; i < n; ++i )
+		{
+		int ind = ind_vv[i] + VECTOR_MIN;
+		result_v->Assign(i + VECTOR_MIN, new Val(ind, TYPE_COUNT), 0);
+		}
+
+	return result_v;
+	%}
+
+%%{
+// Experimental code to add support for IDMEF XML output based on
+// notices.  For now, we're implementing it as a builtin you can call on an
+// notices record.
+
+#ifdef USE_IDMEF
+extern "C" {
+#include <libidmef/idmefxml.h>
+}
+#endif
+
+#include <sys/socket.h>
+
+char* port_to_string(PortVal* port)
+	{
+	char buf[256];	// to hold sprintf results on port numbers
+	snprintf(buf, sizeof(buf), "%u", port->Port());
+	return copy_string(buf);
+	}
+
+%%}
+
+function generate_idmef%(src_ip: addr, src_port: port,
+				dst_ip: addr, dst_port: port%) : bool
+	%{
+#ifdef USE_IDMEF
+	xmlNodePtr message =
+		newIDMEF_Message(newAttribute("version","1.0"),
+			newAlert(newCreateTime(NULL),
+			newSource(
+				newNode(newAddress(
+					newAttribute("category","ipv4-addr"),
+					newSimpleElement("address",
+					copy_string(dotted_addr(src_ip))),
+					NULL), NULL),
+				newService(
+					newSimpleElement("port",
+						port_to_string(src_port)),
+					NULL), NULL),
+			newTarget(
+				newNode(newAddress(
+					newAttribute("category","ipv4-addr"),
+					newSimpleElement("address",
+					copy_string(dotted_addr(dst_ip))),
+					NULL), NULL),
+				newService(
+					newSimpleElement("port",
+						port_to_string(dst_port)),
+					NULL), NULL), NULL), NULL);
+
+	// if ( validateCurrentDoc() )
+	printCurrentMessage(stderr);
+	return new Val(1, TYPE_BOOL);
+#else
+	builtin_run_time("Bro was not configured for IDMEF support");
+	return new Val(0, TYPE_BOOL);
+#endif
+	%}
+
+function dump_rule_stats%(f: file%): bool
+	%{
+	if ( rule_matcher )
+		rule_matcher->DumpStats(f);
+
+	return new Val(1, TYPE_BOOL);
+	%}
+
+function bro_is_terminating%(%): bool
+	%{
+	return new Val(terminating, TYPE_BOOL);
+	%}
+
+function rotate_file%(f: file%): rotate_info
+	%{
+	RecordVal* info = f->Rotate();
+	if ( info )
+		return info;
+
+	// Record indicating error.
+	info = new RecordVal(rotate_info);
+	info->Assign(0, new StringVal(""));
+	info->Assign(1, new StringVal(""));
+	info->Assign(2, new Val(0, TYPE_TIME));
+	info->Assign(3, new Val(0, TYPE_TIME));
+
+	return info;
+	%}
+
+function rotate_file_by_name%(f: string%): rotate_info
+	%{
+	RecordVal* info = new RecordVal(rotate_info);
+
+	bool is_pkt_dumper = false;
+	bool is_addl_pkt_dumper = false;
+
+	// Special case: one of current dump files.
+	if ( pkt_dumper && streq(pkt_dumper->FileName(), f->CheckString()) )
+		{
+		is_pkt_dumper = true;
+		pkt_dumper->Close();
+		}
+
+	if ( addl_pkt_dumper &&
+	     streq(addl_pkt_dumper->FileName(), f->CheckString()) )
+		{
+		is_addl_pkt_dumper = true;
+		addl_pkt_dumper->Close();
+		}
+
+	FILE* file = rotate_file(f->CheckString(), info);
+	if ( ! file )
+		{
+		// Record indicating error.
+		info->Assign(0, new StringVal(""));
+		info->Assign(1, new StringVal(""));
+		info->Assign(2, new Val(0, TYPE_TIME));
+		info->Assign(3, new Val(0, TYPE_TIME));
+		return info;
+		}
+
+	fclose(file);
+
+	if ( is_pkt_dumper )
+		{
+		info->Assign(2, new Val(pkt_dumper->OpenTime(), TYPE_TIME));
+		pkt_dumper->Open();
+		}
+
+	if ( is_addl_pkt_dumper )
+		info->Assign(2, new Val(addl_pkt_dumper->OpenTime(), TYPE_TIME));
+
+	return info;
+	%}
+
+function calc_next_rotate%(i: interval%) : interval
+	%{
+	const char* base_time = log_rotate_base_time ?
+		log_rotate_base_time->AsString()->CheckString() : 0;
+	return new Val(calc_next_rotate(i, base_time), TYPE_INTERVAL);
+	%}
+
+function file_size%(f: string%) : double
+	%{
+	struct stat s;
+
+	if ( stat(f->CheckString(), &s) < 0 )
+		return new Val(-1.0, TYPE_DOUBLE);
+
+	return new Val(double(s.st_size), TYPE_DOUBLE);
+	%}
+
+function strftime%(fmt: string, d: time%) : string
+	%{
+	static char buffer[128];
+
+	time_t t = time_t(d);
+
+	if ( strftime(buffer, 128, fmt->CheckString(), localtime(&t)) == 0 )
+		return new StringVal("<strftime error>");
+
+	return new StringVal(buffer);
+	%}
+
+function match_signatures%(c: connection, pattern_type: int, s: string,
+				bol: bool, eol: bool,
+				from_orig: bool, clear: bool%) : bool
+	%{
+	if ( ! rule_matcher )
+		return new Val(0, TYPE_BOOL);
+
+	c->Match((Rule::PatternType) pattern_type, s->Bytes(), s->Len(),
+			from_orig, bol, eol, clear);
+
+	return new Val(1, TYPE_BOOL);
+	%}
+
+function gethostname%(%) : string
+	%{
+	char buffer[MAXHOSTNAMELEN];
+	if ( gethostname(buffer, MAXHOSTNAMELEN) < 0 )
+		strcpy(buffer, "<unknown>");
+
+	buffer[MAXHOSTNAMELEN-1] = '\0';
+	return new StringVal(buffer);
+	%}
+
+%%{
+#include "DNS_Mgr.h"
+#include "Trigger.h"
+
+class LookupHostCallback : public DNS_Mgr::LookupCallback {
+public:
+	LookupHostCallback(Trigger* arg_trigger, const CallExpr* arg_call,
+				bool arg_lookup_name)
+		{
+		Ref(arg_trigger);
+		trigger = arg_trigger;
+		call = arg_call;
+		lookup_name = arg_lookup_name;
+		}
+
+	~LookupHostCallback()
+		{
+		Unref(trigger);
+		}
+
+	// Overridden from DNS_Mgr:Lookup:Callback.
+	virtual void Resolved(const char* name)
+		{
+		trigger->Cache(call, new StringVal(name));
+		trigger->Release();
+		}
+
+	virtual void Resolved(TableVal* addrs)
+		{
+		Ref(addrs);
+		trigger->Cache(call, addrs);
+		trigger->Release();
+		}
+
+	virtual void Timeout()
+		{
+		if ( lookup_name )
+			trigger->Cache(call, new StringVal("<\?\?\?>"));
+		else
+			{
+			ListVal* lv = new ListVal(TYPE_ADDR);
+			lv->Append(new AddrVal("0.0.0.0"));
+			trigger->Cache(call, lv->ConvertToSet());
+			Unref(lv);
+			}
+
+		trigger->Release();
+		}
+
+private:
+	Trigger* trigger;
+	const CallExpr* call;
+	bool lookup_name;
+};
+%%}
+
+# These two functions issue DNS lookups asynchronously and delay the
+# function result.  Therefore, they can only be called inside a when-condition.
+function lookup_addr%(host: addr%) : string
+	%{
+#ifndef HAVE_NB_DNS
+	run_time("lookup_addr(): not configured for asynchronous DNS lookups");
+	return new StringVal("<error>");
+#else
+	// FIXME: Is should be easy to adapt the function to synchronous
+	// lookups if we're reading a trace.
+	Trigger* trigger = frame->GetTrigger();
+
+	if ( ! trigger)
+		{
+		builtin_run_time("lookup_addr() can only be called inside a when-condition");
+		return new StringVal("<error>");
+		}
+
+	frame->SetDelayed();
+	trigger->Hold();
+
+#ifdef BROv6
+	if ( ! is_v4_addr(host) )
+		{
+		builtin_run_time("lookup_addr() only supports IPv4 addresses");
+		return new StringVal("<ipv6-address>");
+		}
+
+	dns_mgr->AsyncLookupAddr(to_v4_addr(host),
+			new LookupHostCallback(trigger, frame->GetCall(), true));
+#else
+	dns_mgr->AsyncLookupAddr(host,
+			new LookupHostCallback(trigger, frame->GetCall(), true));
+#endif
+	return 0;
+#endif
+	%}
+
+function lookup_hostname%(host: string%) : addr_set
+	%{
+#ifndef HAVE_NB_DNS
+	run_time("lookup_hostname(): not configured for asynchronous DNS lookups");
+	return new StringVal("<error>");
+#else
+	// FIXME: Is should be easy to adapt the function to synchronous
+	// lookups if we're reading a trace.
+	Trigger* trigger = frame->GetTrigger();
+
+	if ( ! trigger)
+		{
+		builtin_run_time("lookup_hostname() can only be called inside a when-condition");
+		return new StringVal("<error>");
+		}
+
+	frame->SetDelayed();
+	trigger->Hold();
+
+	dns_mgr->AsyncLookupName(host->CheckString(),
+			new LookupHostCallback(trigger, frame->GetCall(), false));
+	return 0;
+#endif
+	%}
+
+# Stop Bro's packet processing.
+function suspend_processing%(%) : any
+	%{
+	net_suspend_processing();
+	return 0;
+	%}
+
+# Resume Bro's packet processing.
+function continue_processing%(%) : any
+	%{
+	net_continue_processing();
+	return 0;
+	%}
+
+%%{
+#include "DPM.h"
+%%}
+
+# Schedule analyzer for a future connection.
+function expect_connection%(orig: addr, resp: addr, resp_p: port,
+				analyzer: count, tout: interval%) : bool
+	%{
+	dpm->ExpectConnection(orig, resp, resp_p->Port(), resp_p->PortType(),
+				(AnalyzerTag::Tag) analyzer, tout, 0);
+	return new Val(1, TYPE_BOOL);
+	%}
+
+# Disables the analyzer which raised the current event (if the analyzer
+# belongs to the given connection).
+function disable_analyzer%(cid: conn_id, aid: count%) : bool
+	%{
+	Connection* c = sessions->FindConnection(cid);
+	if ( ! c )
+		{
+		run_time("cannot find connection");
+		return new Val(0, TYPE_BOOL);
+		}
+
+	Analyzer* a = c->FindAnalyzer(aid);
+	if ( ! a )
+		{
+		run_time("connection does not have analyzer specified to disable");
+		return new Val(0, TYPE_BOOL);
+		}
+
+	a->Remove();
+	return new Val(1, TYPE_BOOL);
+	%}
+
+# Translate analyzer type into an ASCII string.
+function analyzer_name%(aid: count%) : string
+	%{
+	return new StringVal(Analyzer::GetTagName((AnalyzerTag::Tag) aid));
+	%}
+
+function lookup_ID%(id: string%) : any
+	%{
+	ID* i = global_scope()->Lookup(id->CheckString());
+	if ( ! i )
+		return new StringVal("<unknown id>");
+
+	if ( ! i->ID_Val() )
+		return new StringVal("<no ID value>");
+
+	return i->ID_Val()->Ref();
+	%}
+
+# Stop propagating &synchronized accesses.
+function suspend_state_updates%(%) : any
+	%{
+	if ( remote_serializer )
+		remote_serializer->SuspendStateUpdates();
+	return 0;
+	%}
+
+# Resume propagating &synchronized accesses.
+function resume_state_updates%(%) : any
+	%{
+	if ( remote_serializer )
+		remote_serializer->ResumeStateUpdates();
+	return 0;
+	%}
+
+# Return ID of analyzer which raised current event, or 0 if none.
+function current_analyzer%(%) : count
+	%{
+	return new Val(mgr.CurrentAnalyzer(), TYPE_COUNT);
+	%}
+
+# Returns Bro's process id.
+function getpid%(%) : count
+	%{
+	return new Val(getpid(), TYPE_COUNT);
+	%}
+%%{
+#include <syslog.h>
+%%}
+
+function syslog%(s: string%): any
+	%{
+	syslog(LOG_NOTICE, "%s", s->CheckString());
+	return 0;
+	%}
+
+%%{
+#ifdef USE_GEOIP
+extern "C" {
+#include <GeoIPCity.h>
+}
+#endif
+%%}
+
+# Return a record with the city, region, and country of an IPv4 address.
+function lookup_location%(a: addr%) : geo_location
+	%{
+	RecordVal* location = new RecordVal(geo_location);
+
+#ifdef USE_GEOIP
+	static GeoIP* geoip = 0;
+	static GeoIP* geoip_v6 = 0;
+	static bool geoip_initialized = false;
+	GeoIPRecord* gir = 0;
+
+	if ( ! geoip_initialized )
+		{
+		geoip_initialized = true;
+		geoip = GeoIP_open_type(GEOIP_CITY_EDITION_REV0,
+					GEOIP_MEMORY_CACHE);
+		if ( ! geoip )
+			{
+			builtin_run_time("can't initialize GeoIP City database.. trying Country version");
+			geoip = GeoIP_open_type(GEOIP_COUNTRY_EDITION,
+						GEOIP_MEMORY_CACHE);
+			if ( ! geoip )
+				builtin_run_time("can't initialize GeoIP Country database");
+			}
+
+#ifdef BROv6
+#ifdef GEOIP_COUNTRY_EDITION_V6
+		geoip_v6 = GeoIP_open_type(GEOIP_COUNTRY_EDITION_V6,
+						GEOIP_MEMORY_CACHE);
+		if ( ! geoip_v6 )
+			builtin_run_time("can't initialize the GeoIPv6 Country database");
+#endif
+#endif
+		}
+
+#ifdef BROv6
+#ifdef GEOIP_COUNTRY_EDITION_V6
+	if ( geoip_v6 && ! is_v4_addr(a) )
+		gir = GeoIP_record_by_ipnum_v6(geoip_v6, geoipv6_t(a));
+	else 
+#endif
+	if ( geoip && is_v4_addr(a) )
+		{
+		uint32 addr = to_v4_addr(a);
+		gir = GeoIP_record_by_ipnum(geoip, ntohl(addr));
+		}
+#else
+	if ( geoip )
+		gir = GeoIP_record_by_ipnum(geoip, ntohl(a));
+#endif
+
+	if ( gir )
+		{
+		if ( gir->country_code )
+			location->Assign(0, new StringVal(gir->country_code));
+		else
+			location->Assign(0, new StringVal(""));
+
+		if ( gir->region )
+			location->Assign(1, new StringVal(gir->region));
+		else
+			location->Assign(1, new StringVal(""));
+
+		if ( gir->city )
+			location->Assign(2, new StringVal(gir->city));
+		else
+			location->Assign(2, new StringVal(""));
+
+		if ( gir->latitude )
+			location->Assign(3, new Val(gir->latitude,
+							TYPE_DOUBLE));
+		else
+			location->Assign(3, new Val(0.0, TYPE_DOUBLE));
+
+		if ( gir->longitude )
+			location->Assign(4, new Val(gir->longitude,
+						TYPE_DOUBLE));
+		else
+			location->Assign(4, new Val(0.0, TYPE_DOUBLE));
+
+		GeoIPRecord_delete(gir);
+
+		return location;
+		}
+
+#else
+	builtin_run_time("Bro was not configured for GeoIP support");
+#endif
+
+	// We can get here even if we have GeoIP support if we weren't
+	// able to initialize it or it didn't return any information for
+	// the address.
+	location->Assign(0, new StringVal(""));
+	location->Assign(1, new StringVal(""));
+	location->Assign(2, new StringVal(""));
+	location->Assign(3, new Val(0.0, TYPE_DOUBLE));
+	location->Assign(4, new Val(0.0, TYPE_DOUBLE));
+
+	return location;
+	%}
+
+function lookup_asn%(a: addr%) : count
+	%{
+#ifdef USE_GEOIP
+	static GeoIP* geoip_asn = 0;
+	static bool geoip_asn_initialized = false;
+	char* gir = 0;
+
+	if ( ! geoip_asn_initialized )
+		{
+		geoip_asn_initialized = true;
+		geoip_asn = GeoIP_open_type(GEOIP_ASNUM_EDITION,
+						GEOIP_MEMORY_CACHE);
+		if ( ! geoip_asn )
+			builtin_run_time("can't initialize GeoIP ASNUM database");
+		}
+
+	if ( geoip_asn )
+		{
+#ifdef BROv6
+
+// IPv6 support showed up in 1.4.5.
+#ifdef GEOIP_COUNTRY_EDITION_V6
+		if ( ! is_v4_addr(a) )
+			gir = GeoIP_name_by_ipnum_v6(geoip_asn, geoipv6_t(a));
+		else
+#endif
+		if ( is_v4_addr(a) ) 
+			{
+			uint32 addr = to_v4_addr(a);
+			gir = GeoIP_name_by_ipnum(geoip_asn, ntohl(addr));
+			}
+#else
+		gir = GeoIP_name_by_ipnum(geoip_asn, ntohl(a));
+#endif
+		}
+
+	if ( gir )
+		{
+		// Move the pointer +2 so we don't return 
+		// the first two characters: "AS".
+		return new Val(atoi(gir+2), TYPE_COUNT);
+		}
+#else
+	builtin_run_time("Bro was not configured for GeoIP ASN support");
+#endif
+
+	// We can get here even if we have GeoIP support, if we weren't
+	// able to initialize it or it didn't return any information for
+	// the address.
+	return new Val(0, TYPE_COUNT);
+	%}
+
+# Returns true if connection has been received externally.
+function is_external_connection%(c: connection%) : bool
+	%{
+	return new Val(c && c->IsExternal(), TYPE_BOOL);
+	%}
+
+# Function equivalent of the &disable_print_hook attribute.
+function disable_print_hook%(f: file%): any
+	%{
+	f->DisablePrintHook();
+	return 0;
+	%}
+
+# Function equivalent of the &raw_output attribute.
+function enable_raw_output%(f: file%): any
+	%{
+	f->EnableRawOutput();
+	return 0;
+	%}
+
+%%{
+#ifdef HAVE_LIBMAGIC
+extern "C" {
+#include <magic.h>
+}
+#endif
+%%}
+
+function identify_data%(data: string, return_mime: bool%): string
+	%{
+	const char* descr = "";
+
+#ifdef HAVE_LIBMAGIC
+	static magic_t magic_mime = 0;
+	static magic_t magic_descr = 0;
+
+	magic_t* magic = return_mime ? &magic_mime : &magic_descr;
+
+	if( ! *magic )
+		{
+		*magic = magic_open(return_mime ? MAGIC_MIME : MAGIC_NONE);
+
+		if ( ! *magic )
+			{
+			error(fmt("can't init libmagic: %s", magic_error(*magic)));
+			return new StringVal("");
+			}
+
+		if ( magic_load(*magic, 0) < 0 )
+			{
+			error(fmt("can't load magic file: %s", magic_error(*magic)));
+			magic_close(*magic);
+			*magic = 0;
+			return new StringVal("");
+			}
+		}
+
+	descr = magic_buffer(*magic, data->Bytes(), data->Len());
+#endif
+
+	return new StringVal(descr);
+	%}
+
+function enable_event_group%(group: string%) : any
+	%{
+	event_registry->EnableGroup(group->CheckString(), true);
+	return 0;
+	%}
+
+function disable_event_group%(group: string%) : any
+	%{
+	event_registry->EnableGroup(group->CheckString(), false);
+	return 0;
+	%}
diff --git a/src/bro.pac b/src/bro.pac
new file mode 100644
index 0000000000..169f7c27ef
--- /dev/null
+++ b/src/bro.pac
@@ -0,0 +1,12 @@
+# $Id:$
+
+%extern{
+#include "binpac_bro.h"
+%}
+
+extern type BroAnalyzer;
+extern type BroVal;
+extern type BroPortVal;
+extern type BroStringVal;
+
+function network_time(): double;
diff --git a/src/bsd-getopt-long.c b/src/bsd-getopt-long.c
new file mode 100644
index 0000000000..5b3cc093b0
--- /dev/null
+++ b/src/bsd-getopt-long.c
@@ -0,0 +1,526 @@
+/* $Id: bsd-getopt-long.c 1362 2005-09-12 19:49:08Z vern $ */
+
+/*    $OpenBSD: getopt_long.c,v 1.17 2004/06/03 18:46:52 millert Exp $    */
+/*    $NetBSD: getopt_long.c,v 1.15 2002/01/31 22:43:40 tv Exp $    */
+
+/*
+ * Copyright (c) 2002 Todd C. Miller <Todd.Miller@courtesan.com>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND TODD C. MILLER DISCLAIMS ALL
+ * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL TODD C. MILLER BE LIABLE
+ * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+/*-
+ * Copyright (c) 2000 The NetBSD Foundation, Inc.
+ * All rights reserved.
+ *
+ * This code is derived from software contributed to The NetBSD Foundation
+ * by Dieter Baron and Thomas Klausner.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *        This product includes software developed by the NetBSD
+ *        Foundation, Inc. and its contributors.
+ * 4. Neither the name of The NetBSD Foundation nor the names of its
+ *    contributors may be used to endorse or promote products derived
+ *    from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#define IN_GETOPT_LONG_C 1
+
+#include <config.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <stdio.h>
+#include <string.h>
+
+#ifndef HAVE_GETOPT_LONG
+
+# include "bsd-getopt-long.h"
+
+# ifdef WITH_DMALLOC
+#  include <dmalloc.h>
+# endif
+
+int    pure_opterr = 1;        /* if error message should be printed */
+int    pure_optind = 1;        /* index into parent argv vector */
+int    pure_optopt = '?';        /* character checked for validity */
+int    pure_optreset;        /* reset getopt */
+const char    *pure_optarg;        /* argument associated with option */
+
+# define PRINT_ERROR    ((pure_opterr) && (*options != ':'))
+
+# define FLAG_PERMUTE    0x01    /* permute non-options to the end of argv */
+# define FLAG_ALLARGS    0x02    /* treat non-options as args to option "-1" */
+# define FLAG_LONGONLY   0x04    /* operate as pure_getopt_long_only */
+
+/* return values */
+# define    BADCH       (int)'?'
+# define    BADARG      ((*options == ':') ? (int)':' : (int)'?')
+# define    INORDER     (int)1
+
+# define    EMSG        ""
+
+static int pure_getopt_internal(int, char * const *, const char *,
+                                const struct pure_option *, int *, int);
+static int pure_parse_long_options(char * const *, const char *,
+                                   const struct pure_option *, int *, int);
+static int pure_gcd(int, int);
+static void pure_permute_args(int, int, int, char * const *);
+
+static const char *pure_place = EMSG; /* option letter processing */
+
+/* XXX: set pure_optreset to 1 rather than these two */
+static int nonopt_start = -1; /* first non option argument (for permute) */
+static int nonopt_end = -1;   /* first option after non options (for permute) */
+
+/* Error messages */
+static const char *recargchar = "option requires an argument -- %c\n";
+static const char *recargstring = "option requires an argument -- %s\n";
+static const char *ambig = "ambiguous option -- %.*s\n";
+static const char *noarg = "option doesn't take an argument -- %.*s\n";
+static const char *illoptchar = "unknown option -- %c\n";
+static const char *illoptstring = "unknown option -- %s\n";
+
+/*
+ * Compute the greatest common divisor of a and b.
+ */
+static int pure_gcd(int a, int b)
+{
+    int c;
+    
+    c = a % b;
+    while (c != 0) {
+        a = b;
+        b = c;
+        c = a % b;
+    }    
+    return b;
+}
+
+/*
+ * Exchange the block from nonopt_start to nonopt_end with the block
+ * from nonopt_end to opt_end (keeping the same order of arguments
+ * in each block).
+ */
+static void pure_permute_args(int panonopt_start, int panonopt_end, 
+                              int opt_end, char * const *nargv)
+{
+    int cstart, cyclelen, i, j, ncycle, nnonopts, nopts, pos;
+    char *swap;
+    
+    /*
+     * compute lengths of blocks and number and size of cycles
+     */
+    nnonopts = panonopt_end - panonopt_start;
+    nopts = opt_end - panonopt_end;
+    ncycle = pure_gcd(nnonopts, nopts);
+    cyclelen = (opt_end - panonopt_start) / ncycle;
+    
+    for (i = 0; i < ncycle; i++) {
+        cstart = panonopt_end+i;
+        pos = cstart;
+        for (j = 0; j < cyclelen; j++) {
+            if (pos >= panonopt_end)
+                pos -= nnonopts;
+            else
+                pos += nopts;
+            swap = nargv[pos];
+            /* LINTED const cast */
+            ((char **) nargv)[pos] = nargv[cstart];
+            /* LINTED const cast */
+            ((char **)nargv)[cstart] = swap;
+        }
+    }
+}
+
+/*
+ * pure_parse_long_options --
+ *    Parse long options in argc/argv argument vector.
+ * Returns -1 if short_too is set and the option does not match long_options.
+ */
+static int pure_parse_long_options(char * const *nargv, const char *options,
+                                   const struct pure_option *long_options,
+                                   int *idx, int short_too)
+{
+    const char *current_argv, *has_equal;
+    size_t current_argv_len;
+    int i, match;
+    
+    current_argv = pure_place;
+    match = -1;
+    
+    pure_optind++;
+    
+    if ((has_equal = strchr(current_argv, '=')) != NULL) {
+        /* argument found (--option=arg) */
+        current_argv_len = has_equal - current_argv;
+        has_equal++;
+    } else
+        current_argv_len = strlen(current_argv);
+    
+    for (i = 0; long_options[i].name; i++) {
+        /* find matching long option */
+        if (strncmp(current_argv, long_options[i].name,
+            current_argv_len))
+            continue;
+        
+        if (strlen(long_options[i].name) == current_argv_len) {
+            /* exact match */
+            match = i;
+            break;
+        }
+        /*
+         * If this is a known short option, don't allow
+         * a partial match of a single character.
+         */
+        if (short_too && current_argv_len == 1)
+            continue;
+        
+        if (match == -1)    /* partial match */
+            match = i;
+        else {
+            /* ambiguous abbreviation */
+            if (PRINT_ERROR)
+                fprintf(stderr, ambig, (int)current_argv_len,
+                        current_argv);
+            pure_optopt = 0;
+            return BADCH;
+        }
+    }
+    if (match != -1) {        /* option found */
+        if (long_options[match].has_arg == no_argument
+            && has_equal) {
+            if (PRINT_ERROR)
+                fprintf(stderr, noarg, (int)current_argv_len,
+                        current_argv);
+            /*
+             * XXX: GNU sets pure_optopt to val regardless of flag
+             */
+            if (long_options[match].flag == NULL)
+                pure_optopt = long_options[match].val;
+            else
+                pure_optopt = 0;
+            return BADARG;
+        }
+        if (long_options[match].has_arg == required_argument ||
+            long_options[match].has_arg == optional_argument) {
+            if (has_equal)
+                pure_optarg = has_equal;
+            else if (long_options[match].has_arg ==
+                     required_argument) {
+                /*
+                 * optional argument doesn't use next nargv
+                 */
+                pure_optarg = nargv[pure_optind++];
+            }
+        }
+        if ((long_options[match].has_arg == required_argument)
+            && (pure_optarg == NULL)) {
+            /*
+             * Missing argument; leading ':' indicates no error
+             * should be generated.
+             */
+            if (PRINT_ERROR)
+                fprintf(stderr, recargstring,
+                        current_argv);
+            /*
+             * XXX: GNU sets pure_optopt to val regardless of flag
+             */
+            if (long_options[match].flag == NULL)
+                pure_optopt = long_options[match].val;
+            else
+                pure_optopt = 0;
+            --pure_optind;
+            return BADARG;
+        }
+    } else {            /* unknown option */
+        if (short_too) {
+            --pure_optind;
+            return -1;
+        }
+        if (PRINT_ERROR)
+            fprintf(stderr, illoptstring, current_argv);
+        pure_optopt = 0;
+        return BADCH;
+    }
+    if (idx)
+        *idx = match;
+    if (long_options[match].flag) {
+        *long_options[match].flag = long_options[match].val;
+        return 0;
+    } else
+        return long_options[match].val;
+}
+
+/*
+ * getopt_internal --
+ *    Parse argc/argv argument vector.  Called by user level routines.
+ */
+static int pure_getopt_internal(int nargc, char * const *nargv,
+                                const char *options,
+                                const struct pure_option *long_options,
+                                int *idx, int flags)
+{
+    char *oli;                /* option letter list index */
+    int optchar, short_too;
+    static int posixly_correct = -1;
+    
+    if (options == NULL)
+        return -1;
+    
+    /*
+     * Disable GNU extensions if POSIXLY_CORRECT is set or options
+     * string begins with a '+'.
+     */
+    if (posixly_correct == -1)
+        posixly_correct = (getenv("POSIXLY_CORRECT") != NULL);
+    if (posixly_correct || *options == '+')
+        flags &= ~FLAG_PERMUTE;
+    else if (*options == '-')
+        flags |= FLAG_ALLARGS;
+    if (*options == '+' || *options == '-')
+        options++;
+    
+    /*
+     * XXX Some GNU programs (like cvs) set pure_optind to 0 instead of
+     * XXX using pure_optreset.  Work around this braindamage.
+     */
+    if (pure_optind == 0)
+        pure_optind = pure_optreset = 1;
+    
+    pure_optarg = NULL;
+    if (pure_optreset)
+        nonopt_start = nonopt_end = -1;
+    start:
+    if (pure_optreset || !*pure_place) {        /* update scanning pointer */
+        pure_optreset = 0;
+        if (pure_optind >= nargc) {          /* end of argument vector */
+            pure_place = EMSG;
+            if (nonopt_end != -1) {
+                /* do permutation, if we have to */
+                pure_permute_args(nonopt_start, nonopt_end,
+                                  pure_optind, nargv);
+                pure_optind -= nonopt_end - nonopt_start;
+            }
+            else if (nonopt_start != -1) {
+                /*
+                 * If we skipped non-options, set pure_optind
+                 * to the first of them.
+                 */
+                pure_optind = nonopt_start;
+            }
+            nonopt_start = nonopt_end = -1;
+            return -1;
+        }
+        if (*(pure_place = nargv[pure_optind]) != '-' ||
+            (pure_place[1] == '\0' && strchr(options, '-') == NULL)) {
+            pure_place = EMSG;        /* found non-option */
+            if (flags & FLAG_ALLARGS) {
+                /*
+                 * GNU extension:
+                 * return non-option as argument to option 1
+                 */
+                pure_optarg = nargv[pure_optind++];
+                return INORDER;
+            }
+            if (!(flags & FLAG_PERMUTE)) {
+                /*
+                 * If no permutation wanted, stop parsing
+                 * at first non-option.
+                 */
+                return -1;
+            }
+            /* do permutation */
+            if (nonopt_start == -1)
+                nonopt_start = pure_optind;
+            else if (nonopt_end != -1) {
+                pure_permute_args(nonopt_start, nonopt_end,
+                                  pure_optind, nargv);
+                nonopt_start = pure_optind -
+                    (nonopt_end - nonopt_start);
+                nonopt_end = -1;
+            }
+            pure_optind++;
+            /* process next argument */
+            goto start;
+        }
+        if (nonopt_start != -1 && nonopt_end == -1)
+            nonopt_end = pure_optind;
+
+        /*
+         * Check for "--" or "--foo" with no long options
+         * but if pure_place is simply "-" leave it unmolested.
+         */
+
+        if (pure_place[1] != '\0' && *++pure_place == '-' &&
+            (pure_place[1] == '\0' || long_options == NULL)) {
+            pure_optind++;
+            pure_place = EMSG;
+            /*
+             * We found an option (--), so if we skipped
+             * non-options, we have to permute.
+             */
+            if (nonopt_end != -1) {
+                pure_permute_args(nonopt_start, nonopt_end,
+                                  pure_optind, nargv);
+                pure_optind -= nonopt_end - nonopt_start;
+            }
+            nonopt_start = nonopt_end = -1;
+            return -1;
+        }
+    }
+    
+    /*
+     * Check long options if:
+     *  1) we were passed some
+     *  2) the arg is not just "-"
+     *  3) either the arg starts with -- we are pure_getopt_long_only()
+     */
+    if (long_options != NULL && pure_place != nargv[pure_optind] &&
+        (*pure_place == '-' || (flags & FLAG_LONGONLY))) {
+        short_too = 0;
+        if (*pure_place == '-')
+            pure_place++;        /* --foo long option */
+        else if (*pure_place != ':' && strchr(options, *pure_place) != NULL)
+            short_too = 1;        /* could be short option too */
+        
+        optchar = pure_parse_long_options(nargv, options, long_options,
+                                          idx, short_too);
+        if (optchar != -1) {
+            pure_place = EMSG;
+            return optchar;
+        }
+    }
+    
+    if ((optchar = (int) *pure_place++) == ':' ||
+        (optchar == '-' && *pure_place != '\0') ||        
+        (oli = strchr(options, optchar)) == NULL) { 
+         /*
+          * If the user specified "-" and '-' isn't listed in
+          * options, return -1 (non-option) as per POSIX.
+          * Otherwise, it is an unknown option character (or :').
+          */
+        if (optchar == '-' && *pure_place == '\0')
+            return -1;
+        if (!*pure_place)
+            ++pure_optind;
+        if (PRINT_ERROR)
+            fprintf(stderr, illoptchar, optchar);
+        pure_optopt = optchar;
+        return BADCH;
+    }
+    if (long_options != NULL && optchar == 'W' && oli[1] == ';') {
+        /* -W long-option */
+        if (*pure_place)            /* no space */
+            /* NOTHING */;
+        else if (++pure_optind >= nargc) {    /* no arg */
+            pure_place = EMSG;
+            if (PRINT_ERROR)
+                fprintf(stderr, recargchar, optchar);
+            pure_optopt = optchar;
+            return BADARG;
+        } else                /* white space */
+            pure_place = nargv[pure_optind];
+        optchar = pure_parse_long_options(nargv, options, long_options,
+                                          idx, 0);
+        pure_place = EMSG;
+        return optchar;
+    }
+    if (*++oli != ':') {            /* doesn't take argument */
+        if (!*pure_place)
+            ++pure_optind;
+    } else {                /* takes (optional) argument */
+        pure_optarg = NULL;
+        if (*pure_place)            /* no white space */
+            pure_optarg = pure_place;
+        /* XXX: disable test for :: if PC? (GNU doesn't) */
+        else if (oli[1] != ':') {    /* arg not optional */
+            if (++pure_optind >= nargc) {    /* no arg */
+                pure_place = EMSG;
+                if (PRINT_ERROR)
+                    fprintf(stderr, recargchar, optchar);
+                pure_optopt = optchar;
+                return BADARG;
+            } else {
+                pure_optarg = nargv[pure_optind];
+            }
+        }
+        pure_place = EMSG;
+        ++pure_optind;
+    }
+    /* dump back option letter */
+    return optchar;
+}
+
+/*
+ * getopt --
+ *    Parse argc/argv argument vector.
+ */
+int pure_getopt(int nargc, char * const *nargv, const char *options)
+{
+    
+    /*
+     * We dont' pass FLAG_PERMUTE to pure_getopt_internal() since
+     * the BSD getopt(3) (unlike GNU) has never done this.
+     *
+     * Furthermore, since many privileged programs call getopt()
+     * before dropping privileges it makes sense to keep things
+     * as simple (and bug-free) as possible.
+     */
+    return pure_getopt_internal(nargc, nargv, options, NULL, NULL, 0);
+}
+
+/*
+ * pure_getopt_long --
+ *    Parse argc/argv argument vector.
+ */
+int pure_getopt_long(int nargc, char * const *nargv, const char *options,
+                     const struct pure_option *long_options, int *idx)
+{
+    return pure_getopt_internal(nargc, nargv, options, long_options, idx,
+                                FLAG_PERMUTE);
+}
+
+/*
+ * pure_getopt_long_only --
+ *    Parse argc/argv argument vector.
+ */
+int pure_getopt_long_only(int nargc, char * const *nargv,
+                               const char *options,
+                               const struct pure_option *long_options,
+                               int *idx)
+{
+    return pure_getopt_internal(nargc, nargv, options, long_options, idx,
+                                FLAG_PERMUTE|FLAG_LONGONLY);
+}
+
+#endif
diff --git a/src/bsd-getopt-long.h b/src/bsd-getopt-long.h
new file mode 100644
index 0000000000..e2c381f3b7
--- /dev/null
+++ b/src/bsd-getopt-long.h
@@ -0,0 +1,132 @@
+/* $Id: bsd-getopt-long.h 1361 2005-09-12 19:48:26Z vern $ */
+
+/*    $OpenBSD: getopt_long.c,v 1.13 2003/06/03 01:52:40 millert Exp $    */
+/*    $NetBSD: getopt_long.c,v 1.15 2002/01/31 22:43:40 tv Exp $    */
+
+/*
+ * Copyright (c) 2002 Todd C. Miller <Todd.Miller@courtesan.com>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND TODD C. MILLER DISCLAIMS ALL
+ * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL TODD C. MILLER BE LIABLE
+ * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+/*-
+ * Copyright (c) 2000 The NetBSD Foundation, Inc.
+ * All rights reserved.
+ *
+ * This code is derived from software contributed to The NetBSD Foundation
+ * by Dieter Baron and Thomas Klausner.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *        This product includes software developed by the NetBSD
+ *        Foundation, Inc. and its contributors.
+ * 4. Neither the name of The NetBSD Foundation nor the names of its
+ *    contributors may be used to endorse or promote products derived
+ *    from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef __BSD_GETOPT_LONG_H__
+#define __BSD_GETOPT_LONG_H__
+
+#ifndef HAVE_GETOPT_LONG
+
+/*
+ * GNU-like getopt_long() and 4.4BSD getsubopt()/optreset extensions
+ */
+# ifndef no_argument
+#  define no_argument        0
+# endif
+# ifndef required_argument
+#  define required_argument  1
+# endif
+# ifndef optional_argument
+#  define optional_argument  2
+# endif
+
+struct pure_option {
+    /* name of long option */
+    const char *name;
+    /*
+     * one of no_argument, required_argument, and optional_argument:
+     * whether option takes an argument
+     */
+    int has_arg;
+    /* if not NULL, set *flag to val when option found */
+    int *flag;
+    /* if flag not NULL, value to set *flag to; else return value */
+    int val;
+};
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+int pure_getopt_long(int nargc, char * const *nargv, const char *options,
+                     const struct pure_option *long_options, int *idx);
+
+int pure_getopt_long_only(int nargc, char * const *nargv,
+                          const char *options,
+                          const struct pure_option *long_options,
+                          int *idx);
+
+int pure_getopt(int nargc, char * const *nargv, const char *options);
+
+#ifdef __cplusplus
+}
+#endif
+
+/* prefix+macros just to avoid clashes with existing getopt() implementations */
+
+# ifndef IN_GETOPT_LONG_C
+#  undef option
+#  define option pure_option
+#  undef getopt_long
+#  define getopt_long(A, B, C, D, E) pure_getopt_long(A, B, C, D, E)
+#  undef getopt_long_only
+#  define getopt_long_only(A, B, C, D, E) pure_getopt_long_only(A, B, C, D, E)
+#  undef getopt
+#  define getopt(A, B, C) pure_getopt(A, B, C)
+#  undef optarg
+#  define optarg pure_optarg
+#  undef opterr
+#  define opterr pure_opterr
+#  undef optind
+#  define optind pure_optind
+#  undef optopt
+#  define optopt pure_optopt
+#  undef optreset
+#  define optreset pure_optreset
+# endif
+
+#endif
+
+#endif
diff --git a/src/builtin-func.l b/src/builtin-func.l
new file mode 100644
index 0000000000..ca7923b852
--- /dev/null
+++ b/src/builtin-func.l
@@ -0,0 +1,185 @@
+%{
+// $Id: builtin-func.l 6015 2008-07-23 05:42:37Z vern $
+
+#include <string.h>
+#include "bif_arg.h"
+#include "bif_parse.h"
+
+char* copy_string(const char* s)
+	{
+	char* c = new char[strlen(s)+1];
+	strcpy(c, s);
+	return c;
+	}
+
+int line_number = 1;
+
+extern int in_c_code;
+
+int check_c_mode(int t)
+	{
+	if ( ! in_c_code )
+		return t;
+
+	yylval.str = copy_string(yytext);
+	return TOK_C_TOKEN;
+	}
+%}
+
+WS	[ \t]+
+ID	[A-Za-z_][A-Za-z_0-9]*
+ESCSEQ	(\\([^\n]|[0-7]+|x[[:xdigit:]]+))
+
+%option nodefault
+
+%%
+
+#.*	{
+	yylval.str = copy_string(yytext);
+	return TOK_COMMENT;
+	}
+
+\n	{
+	++line_number;
+	return TOK_LF;
+	}
+
+{WS}	{
+	yylval.str = copy_string(yytext);
+	return TOK_WS;
+	}
+
+[=,:;]	return check_c_mode(yytext[0]);
+
+"%{"	return TOK_LPB;
+"%}"	return TOK_RPB;
+"%%{"	return TOK_LPPB;
+"%%}"	return TOK_RPPB;
+
+"%("		return check_c_mode(TOK_LPP);
+"%)"		return check_c_mode(TOK_RPP);
+"..."		return check_c_mode(TOK_VAR_ARG);
+"function"	return check_c_mode(TOK_FUNCTION);
+"rewriter"	return check_c_mode(TOK_REWRITER);
+"event"		return check_c_mode(TOK_EVENT);
+"const"		return check_c_mode(TOK_CONST);
+"enum"		return check_c_mode(TOK_ENUM);
+"declare"	return check_c_mode(TOK_DECLARE);
+
+"@ARG@"		return TOK_ARG;
+"@ARGS@"	return TOK_ARGS;
+"@ARGC@"	return TOK_ARGC;
+
+"@WRITE@"	return TOK_WRITE;
+"@PUSH@"	return TOK_PUSH;
+"@EOF@"		return TOK_EOF;
+"@TRACE@"	return TOK_TRACE;
+
+"T"	yylval.val = 1; return TOK_BOOL;
+"F"	yylval.val = 0; return TOK_BOOL;
+
+{ID}	{
+	yylval.str = copy_string(yytext);
+	return TOK_ID;
+	}
+
+&{ID}	{
+	int t = check_c_mode(TOK_ATTR);
+
+	if ( t == TOK_ATTR )
+		{
+		yylval.str = copy_string(yytext);
+		return TOK_ATTR;
+		}
+	else
+		return t;
+	}
+
+\"([^\\\n\"]|{ESCSEQ})*\"	{
+	yylval.str = copy_string(yytext);
+	return TOK_CSTR;
+	}
+
+\'([^\\\n\']|{ESCSEQ})*\'	{
+	yylval.str = copy_string(yytext);
+	return TOK_CSTR;
+	}
+
+.	{
+	yylval.val = yytext[0];
+	return TOK_ATOM;
+	}
+%%
+
+int yywrap()
+	{
+	yy_delete_buffer(YY_CURRENT_BUFFER);
+	return 1;
+	}
+
+extern int yyparse();
+char* input_filename = 0;
+
+FILE* fp_bro_init;
+FILE* fp_func_def;
+FILE* fp_func_h;
+FILE* fp_func_init;
+FILE* fp_netvar_h;
+FILE* fp_netvar_def;
+FILE* fp_netvar_init;
+
+FILE* open_output_file(const char* surfix)
+	{
+	char fn[1024];
+	FILE* fp;
+
+	snprintf(fn, sizeof(fn), "%s.%s", input_filename, surfix);
+	if ( (fp = fopen(fn, "w")) == NULL )
+		{
+		fprintf(stderr, "Error: cannot open file: %s\n", fn);
+		exit(1);
+		}
+
+	return fp;
+	}
+
+int main(int argc, char* argv[])
+	{
+	for ( int i = 1; i < argc; i++ )
+		{
+		FILE* fp_input;
+		char* slash;
+
+		input_filename = argv[i];
+		slash = strrchr(input_filename, '/');
+
+		if ( (fp_input = fopen(input_filename, "r")) == NULL )
+			{
+			fprintf(stderr, "Error: cannot open file: %s\n", input_filename);
+			exit(1);
+			}
+
+		if ( slash )
+			input_filename = slash + 1;
+
+		fp_bro_init = open_output_file("bro");
+		fp_func_h = open_output_file("func_h");
+		fp_func_def = open_output_file("func_def");
+		fp_func_init = open_output_file("func_init");
+		fp_netvar_h = open_output_file("netvar_h");
+		fp_netvar_def = open_output_file("netvar_def");
+		fp_netvar_init = open_output_file("netvar_init");
+
+		yy_switch_to_buffer(yy_create_buffer(fp_input, YY_BUF_SIZE));
+		yyparse();
+
+		fclose(fp_input);
+		fclose(fp_bro_init);
+		fclose(fp_func_h);
+		fclose(fp_func_def);
+		fclose(fp_func_init);
+		fclose(fp_netvar_h);
+		fclose(fp_netvar_def);
+		fclose(fp_netvar_init);
+		}
+	}
diff --git a/src/builtin-func.y b/src/builtin-func.y
new file mode 100644
index 0000000000..268288bc39
--- /dev/null
+++ b/src/builtin-func.y
@@ -0,0 +1,611 @@
+%{
+#include <vector>
+#include <set>
+#include <string>
+#include <cstring>
+
+using namespace std;
+
+#include <stdio.h>
+#include <stdlib.h>
+
+extern int line_number;
+extern char* input_filename;
+
+#define print_line_directive(fp) fprintf(fp, "\n#line %d \"%s\"\n", line_number, input_filename)
+
+extern FILE* fp_bro_init;
+extern FILE* fp_func_def;
+extern FILE* fp_func_h;
+extern FILE* fp_func_init;
+extern FILE* fp_netvar_h;
+extern FILE* fp_netvar_def;
+extern FILE* fp_netvar_init;
+
+int in_c_code = 0;
+int definition_type;
+const char* bro_prefix;
+const char* c_prefix;
+
+enum {
+	C_SEGMENT_DEF,
+	FUNC_DEF,
+	REWRITER_DEF,
+	EVENT_DEF,
+};
+
+void set_definition_type(int type)
+	{
+	definition_type = type;
+	switch ( type ) {
+	case FUNC_DEF:
+		bro_prefix = "";
+		c_prefix = "bro_";
+		break;
+
+	case REWRITER_DEF:
+		bro_prefix = "rewrite_";
+		c_prefix = "bro_rewrite_";
+		break;
+
+	case EVENT_DEF:
+		bro_prefix = "";
+		c_prefix = "bro_event_";
+		break;
+
+	case C_SEGMENT_DEF:
+		break;
+	}
+	}
+
+const char* arg_list_name = "BiF_ARGS";
+const char* trace_rewriter_name = "trace_rewriter";
+
+#include "bif_arg.h"
+
+extern const char* decl_name;
+int var_arg; // whether the number of arguments is variable
+std::vector<BuiltinFuncArg*> args;
+
+// enum types declared by "declare enum <id>"
+set<string> enum_types;
+
+extern int yyerror(const char[]);
+extern int yywarn(const char msg[]);
+extern int yylex();
+
+char* concat(const char* str1, const char* str2)
+	{
+	int len1 = strlen(str1);
+	int len2 = strlen(str2);
+
+	char* s = new char[len1 + len2 +1];
+
+	memcpy(s, str1, len1);
+	memcpy(s + len1, str2, len2);
+
+	s[len1+len2] = '\0';
+
+	return s;
+	}
+
+// Print the bro_event_* function prototype in C++, without the ending ';'
+void print_event_c_prototype(FILE *fp)
+	{
+	fprintf(fp, "void %s%s(Analyzer* analyzer%s", c_prefix, decl_name,
+			args.size() ? ", " : "" );
+	for ( int i = 0; i < (int) args.size(); ++i )
+		{
+		if ( i > 0 )
+			fprintf(fp, ", ");
+		args[i]->PrintCArg(fp, i);
+		}
+	fprintf(fp, ")");
+	}
+
+// Print the bro_event_* function body in C++.
+void print_event_c_body(FILE *fp)
+	{
+	fprintf(fp, "\t{\n");
+	fprintf(fp, "\t// Note that it is intentional that here we do not\n");
+	fprintf(fp, "\t// check if %s is NULL, which should happen *before*\n",
+		decl_name);
+	fprintf(fp, "\t// bro_event_%s is called to avoid unnecessary Val\n",
+		decl_name);
+	fprintf(fp, "\t// allocation.\n");
+	fprintf(fp, "\n");
+
+	fprintf(fp, "\tval_list* vl = new val_list;\n\n");
+	BuiltinFuncArg *connection_arg = 0;
+
+	for ( int i = 0; i < (int) args.size(); ++i )
+		{
+		fprintf(fp, "\t");
+		fprintf(fp, "vl->append(");
+		args[i]->PrintBroValConstructor(fp);
+		fprintf(fp, ");\n");
+
+		if ( args[i]->Type() == TYPE_CONNECTION )
+			{
+			if ( connection_arg == 0 )
+				connection_arg = args[i];
+			else
+				{
+				// We are seeing two connection type arguments.
+				yywarn("Warning: with more than connection-type "
+				       "event arguments, bifcl only passes "
+				       "the first one to EventMgr as cookie.");
+				}
+			}
+		}
+
+	fprintf(fp, "\n");
+	fprintf(fp, "\tmgr.QueueEvent(%s, vl, SOURCE_LOCAL, analyzer->GetID(), timer_mgr",
+		decl_name);
+
+	if ( connection_arg )
+		// Pass the connection to the EventMgr as the "cookie"
+		fprintf(fp, ", %s", connection_arg->Name());
+
+	fprintf(fp, ");\n");
+	fprintf(fp, "\t} // event generation\n");
+	}
+%}
+
+%token TOK_LPP TOK_RPP TOK_LPB TOK_RPB TOK_LPPB TOK_RPPB TOK_VAR_ARG
+%token TOK_BOOL
+%token TOK_FUNCTION TOK_REWRITER TOK_EVENT TOK_CONST TOK_ENUM TOK_DECLARE
+%token TOK_WRITE TOK_PUSH TOK_EOF TOK_TRACE
+%token TOK_ARGS TOK_ARG TOK_ARGC
+%token TOK_ID TOK_ATTR TOK_CSTR TOK_LF TOK_WS TOK_COMMENT
+%token TOK_ATOM TOK_C_TOKEN
+
+%left ',' ':'
+
+%type <str> TOK_C_TOKEN TOK_ID TOK_CSTR TOK_WS TOK_COMMENT TOK_ATTR opt_ws
+%type <val> TOK_ATOM TOK_BOOL
+
+%union	{
+	const char* str;
+	int val;
+}
+
+%%
+
+definitions:	definitions definition opt_ws
+			{ fprintf(fp_func_def, "%s", $3); }
+	|	opt_ws
+			{
+			int n = 1024 + strlen(input_filename);
+			char auto_gen_comment[n];
+
+			snprintf(auto_gen_comment, n,
+				"This file was automatically generated by bifcl from %s.",
+				input_filename);
+
+			fprintf(fp_bro_init, "# %s\n\n", auto_gen_comment);
+			fprintf(fp_func_def, "// %s\n\n", auto_gen_comment);
+			fprintf(fp_func_h, "// %s\n\n", auto_gen_comment);
+			fprintf(fp_func_init, "// %s\n\n", auto_gen_comment);
+			fprintf(fp_netvar_def, "// %s\n\n", auto_gen_comment);
+			fprintf(fp_netvar_h, "// %s\n\n", auto_gen_comment);
+			fprintf(fp_netvar_init, "// %s\n\n", auto_gen_comment);
+
+			fprintf(fp_func_def, "%s", $1);
+			}
+	;
+
+definition:	event_def
+	|	func_def
+	|	rewriter_def
+	|	c_code_segment
+	|	enum_def
+	|	const_def
+	|	declare_def
+	;
+
+declare_def:	TOK_DECLARE opt_ws TOK_ENUM opt_ws TOK_ID opt_ws ';'
+			{
+			enum_types.insert($5);
+			}
+	;
+
+event_def:	event_prefix opt_ws plain_head opt_attr end_of_head ';'
+			{
+			print_event_c_prototype(fp_func_h);
+			fprintf(fp_func_h, ";\n");
+			print_event_c_prototype(fp_func_def);
+			fprintf(fp_func_def, "\n");
+			print_event_c_body(fp_func_def);
+			}
+	;
+
+func_def:	func_prefix opt_ws typed_head end_of_head body
+	;
+
+rewriter_def:	rewriter_prefix opt_ws plain_head end_of_head body
+	;
+
+enum_def:	enum_def_1 enum_list TOK_RPB
+			{
+			// First, put an end to the enum type decl.
+			fprintf(fp_bro_init, "};\n");
+			fprintf(fp_netvar_h, "}; }\n");
+
+			// Now generate the netvar's.
+			fprintf(fp_netvar_h,
+				"extern EnumType* enum_%s;\n", decl_name);
+			fprintf(fp_netvar_def,
+				"EnumType* enum_%s;\n", decl_name);
+			fprintf(fp_netvar_init,
+				"\tenum_%s = internal_type(\"%s\")->AsEnumType();\n",
+				decl_name, decl_name);
+			}
+	;
+
+enum_def_1:	TOK_ENUM opt_ws TOK_ID opt_ws TOK_LPB opt_ws
+			{
+			decl_name = $3;
+			fprintf(fp_bro_init, "type %s: enum %s{%s", $3, $4, $6);
+			fprintf(fp_netvar_h, "namespace BroEnum { ");
+			fprintf(fp_netvar_h, "enum %s {\n", $3);
+			}
+	;
+
+enum_list:	enum_list TOK_ID opt_ws ',' opt_ws
+			{
+			fprintf(fp_bro_init, "%s%s,%s", $2, $3, $5);
+			fprintf(fp_netvar_h, "\t%s,\n", $2);
+			}
+	|	/* nothing */
+	;
+
+const_def:	const_def_1 const_init opt_attr ';'
+			{
+			fprintf(fp_bro_init, ";\n");
+			fprintf(fp_netvar_h, "extern int %s;\n", decl_name);
+			fprintf(fp_netvar_def, "int %s;\n", decl_name);
+			fprintf(fp_netvar_init, "\t%s = internal_val(\"%s\")->AsBool();\n",
+				decl_name, decl_name);
+			}
+	;
+
+const_def_1:	TOK_CONST opt_ws TOK_ID opt_ws
+			{
+			decl_name = $3;
+			fprintf(fp_bro_init, "const%s", $2);
+			fprintf(fp_bro_init, "%s: bool%s", $3, $4);
+			}
+	;
+
+opt_const_init:	/* nothing */
+	|	const_init
+	;
+
+/* Currently support only boolean and string values */
+const_init:	'=' opt_ws TOK_BOOL opt_ws
+			{
+			fprintf(fp_bro_init, "=%s%c%s", $2, ($3) ? 'T' : 'F', $4);
+			}
+	|	'=' opt_ws TOK_CSTR opt_ws
+			{ fprintf(fp_bro_init, "=%s%s%s", $2, $3, $4); }
+	;
+
+opt_attr:	/* nothing */
+	|	opt_attr TOK_ATTR { fprintf(fp_bro_init, "%s", $2); }
+		opt_ws opt_const_init
+	;
+
+func_prefix:	TOK_FUNCTION
+			{ set_definition_type(FUNC_DEF); }
+	;
+
+rewriter_prefix: TOK_REWRITER
+			{ set_definition_type(REWRITER_DEF); }
+	;
+
+event_prefix:	TOK_EVENT
+			{ set_definition_type(EVENT_DEF); }
+	;
+
+end_of_head:	/* nothing */
+			{
+			fprintf(fp_bro_init, ";\n");
+			}
+	;
+
+typed_head:	plain_head return_type
+			{
+			}
+	;
+
+plain_head:	head_1 args arg_end opt_ws
+			{
+			if ( var_arg )
+				fprintf(fp_bro_init, "va_args: any");
+			else
+				{
+				if ( definition_type == REWRITER_DEF )
+					fprintf(fp_bro_init, "c: connection");
+
+				for ( int i = 0; i < (int) args.size(); ++i )
+					{
+					if ( i > 0 || definition_type == REWRITER_DEF )
+						fprintf(fp_bro_init, ", ");
+					args[i]->PrintBro(fp_bro_init);
+					}
+				}
+
+			fprintf(fp_bro_init, ")");
+
+			fprintf(fp_bro_init, "%s", $4);
+			fprintf(fp_func_def, "%s", $4);
+			}
+	;
+
+head_1:		TOK_ID opt_ws arg_begin
+			{
+			const char* method_type = 0;
+			decl_name = $1;
+
+			if ( definition_type == FUNC_DEF || definition_type == REWRITER_DEF )
+				{
+				method_type = "function";
+				print_line_directive(fp_func_def);
+				}
+			else if ( definition_type == EVENT_DEF )
+				method_type = "event";
+
+			if ( method_type )
+				fprintf(fp_bro_init,
+					"global %s%s: %s%s(",
+					bro_prefix, decl_name, method_type, $2);
+
+			if ( definition_type == FUNC_DEF || definition_type == REWRITER_DEF )
+				{
+				fprintf(fp_func_init,
+					"\textern Val* %s%s(Frame* frame, val_list*);\n",
+					c_prefix, decl_name);
+
+				fprintf(fp_func_init,
+					"\t(void) new BuiltinFunc(%s%s, \"%s%s\", 0);\n",
+					c_prefix, decl_name, bro_prefix, decl_name);
+
+				fprintf(fp_func_h,
+					"extern Val* %s%s(Frame* frame, val_list*);\n",
+					c_prefix, decl_name);
+
+				fprintf(fp_func_def,
+					"Val* %s%s(Frame* frame, val_list* %s)",
+					c_prefix, decl_name, arg_list_name);
+				}
+			else if ( definition_type == EVENT_DEF )
+				{
+				fprintf(fp_netvar_h,
+					"extern EventHandlerPtr %s;\n",
+					decl_name);
+
+				fprintf(fp_netvar_def,
+					"EventHandlerPtr %s;\n",
+					decl_name);
+
+				fprintf(fp_netvar_init,
+					"\t%s = internal_handler(\"%s\");\n",
+					decl_name, decl_name);
+
+				// C++ prototypes of bro_event_* functions will
+				// be generated later.
+				}
+			}
+	;
+
+arg_begin:	TOK_LPP
+			{ args.clear(); var_arg = 0; }
+	;
+
+arg_end:	TOK_RPP
+	;
+
+args:		args_1
+	|	opt_ws
+			{ /* empty, to avoid yacc complaint about type clash */ }
+	;
+
+args_1:		args_1 ',' opt_ws arg opt_ws
+	|	opt_ws arg opt_ws
+			{ /* empty */ }
+	;
+
+arg:		TOK_ID opt_ws ':' opt_ws TOK_ID
+			{ args.push_back(new BuiltinFuncArg($1, $5)); }
+	|	TOK_VAR_ARG
+			{
+			if ( definition_type == EVENT_DEF )
+				yyerror("events cannot have variable arguments");
+			var_arg = 1;
+			}
+	;
+
+return_type:	':' opt_ws TOK_ID opt_ws
+			{
+			BuiltinFuncArg* ret = new BuiltinFuncArg("", $3);
+			ret->PrintBro(fp_bro_init);
+			delete ret;
+			fprintf(fp_func_def, "%s", $4);
+			}
+	;
+
+body:		body_start c_body body_end
+			{
+			fprintf(fp_func_def, " // end of %s\n", decl_name);
+			print_line_directive(fp_func_def);
+			}
+	;
+
+c_code_begin:	/* empty */
+			{
+			in_c_code = 1;
+			print_line_directive(fp_func_def);
+			}
+	;
+
+c_code_end:	/* empty */
+			{ in_c_code = 0; }
+	;
+
+body_start:	TOK_LPB c_code_begin
+			{
+			int implicit_arg = 0;
+			int argc = args.size();
+
+			fprintf(fp_func_def, "{");
+			if ( definition_type == REWRITER_DEF )
+				{
+				implicit_arg = 1;
+				++argc;
+				}
+
+			if ( argc > 0 || ! var_arg )
+				fprintf(fp_func_def, "\n");
+
+			if ( ! var_arg )
+				{
+				fprintf(fp_func_def, "\tif ( %s->length() != %d )\n", arg_list_name, argc);
+				fprintf(fp_func_def, "\t\t{\n");
+				fprintf(fp_func_def,
+					"\t\trun_time(\"%s() takes exactly %d argument(s)\");\n",
+					decl_name, argc);
+				fprintf(fp_func_def, "\t\treturn 0;\n");
+				fprintf(fp_func_def, "\t\t}\n");
+				}
+			else if ( argc > 0 )
+				{
+				fprintf(fp_func_def, "\tif ( %s->length() < %d )\n", arg_list_name, argc);
+				fprintf(fp_func_def, "\t\t{\n");
+				fprintf(fp_func_def,
+					"\t\trun_time(\"%s() takes at least %d argument(s)\");\n",
+					decl_name, argc);
+				fprintf(fp_func_def, "\t\treturn 0;\n");
+				fprintf(fp_func_def, "\t\t}\n");
+				}
+
+			if ( definition_type == REWRITER_DEF )
+				{
+				fprintf(fp_func_def,
+					"\tRewriter* %s = get_trace_rewriter((*%s)[0]);\n",
+					trace_rewriter_name,
+					arg_list_name);
+				fprintf(fp_func_def, "\tif ( ! trace_rewriter )\n");
+				fprintf(fp_func_def, "\t\treturn 0;\n");
+				}
+			for ( int i = 0; i < (int) args.size(); ++i )
+				args[i]->PrintCDef(fp_func_def, i + implicit_arg);
+			print_line_directive(fp_func_def);
+			}
+	;
+
+body_end:	TOK_RPB c_code_end
+			{
+			if ( definition_type == REWRITER_DEF )
+				fprintf(fp_func_def, "\n\treturn 0;\n");
+			fprintf(fp_func_def, "}");
+			}
+	;
+
+c_code_segment: TOK_LPPB c_code_begin c_body c_code_end TOK_RPPB
+	;
+
+c_body:		opt_ws
+			{ fprintf(fp_func_def, "%s", $1); }
+	|	c_body c_atom opt_ws
+			{ fprintf(fp_func_def, "%s", $3); }
+	;
+
+c_atom:		TOK_ID
+			{ fprintf(fp_func_def, "%s", $1); }
+	|	TOK_C_TOKEN
+			{ fprintf(fp_func_def, "%s", $1); }
+	|	TOK_ARG
+			{ fprintf(fp_func_def, "(*%s)", arg_list_name); }
+	|	TOK_ARGS
+			{ fprintf(fp_func_def, "%s", arg_list_name); }
+	|	TOK_ARGC
+			{ fprintf(fp_func_def, "%s->length()", arg_list_name); }
+	|	TOK_TRACE
+			{ fprintf(fp_func_def, "%s", trace_rewriter_name); }
+	|	TOK_WRITE
+			{ fprintf(fp_func_def, "%s->WriteData", trace_rewriter_name); }
+	|	TOK_PUSH
+			{ fprintf(fp_func_def, "%s->Push", trace_rewriter_name); }
+	|	TOK_EOF
+			{ fprintf(fp_func_def, "%s->EndOfData", trace_rewriter_name); }
+	|	TOK_CSTR
+			{ fprintf(fp_func_def, "%s", $1); }
+	|	TOK_ATOM
+			{ fprintf(fp_func_def, "%c", $1); }
+	;
+
+opt_ws:		opt_ws TOK_WS
+			{ $$ = concat($1, $2); }
+	|	opt_ws TOK_LF
+			{ $$ = concat($1, "\n"); }
+	|	opt_ws TOK_COMMENT
+			{
+			if ( in_c_code )
+				$$ = concat($1, $2);
+			else
+				$$ = $1;
+			}
+	|	/* empty */
+			{ $$ = ""; }
+	;
+
+%%
+
+extern char* yytext;
+extern char* input_filename;
+extern int line_number;
+const char* decl_name;
+
+void print_msg(const char msg[])
+	{
+	int msg_len = strlen(msg) + strlen(yytext) + 64;
+	char* msgbuf = new char[msg_len];
+
+	if ( yytext[0] == '\n' )
+		snprintf(msgbuf, msg_len, "%s, on previous line", msg);
+
+	else if ( yytext[0] == '\0' )
+		snprintf(msgbuf, msg_len, "%s, at end of file", msg);
+
+	else
+		snprintf(msgbuf, msg_len, "%s, at or near \"%s\"", msg, yytext);
+
+	/*
+	extern int column;
+	sprintf(msgbuf, "%*s\n%*s\n", column, "^", column, msg);
+	*/
+
+	if ( input_filename )
+		fprintf(stderr, "%s:%d: ", input_filename, line_number);
+	else
+		fprintf(stderr, "line %d: ", line_number);
+	fprintf(stderr, "%s\n", msgbuf);
+
+	delete [] msgbuf;
+	}
+
+int yywarn(const char msg[])
+	{
+	print_msg(msg);
+	return 0;
+	}
+
+int yyerror(const char msg[])
+	{
+	print_msg(msg);
+
+	abort();
+	exit(1);
+	return 0;
+	}
diff --git a/src/common-rw.bif b/src/common-rw.bif
new file mode 100644
index 0000000000..6554c4355d
--- /dev/null
+++ b/src/common-rw.bif
@@ -0,0 +1,107 @@
+%%{
+#include "TCP_Rewriter.h"
+%%}
+
+rewriter commit_trace%(commit: bool, future: bool%)
+	%{
+	if ( commit )
+		@TRACE@->CommitPackets(future);
+	else
+		@TRACE@->AbortPackets(future);
+	%}
+
+rewriter push_packet%(is_orig: bool%)
+	%{
+	@PUSH@(is_orig);
+	%}
+
+rewriter leave_addr_in_the_clear%(is_orig: bool%)
+	%{
+	if ( ! @TRACE@->LeaveAddrInTheClear(is_orig) )
+		builtin_run_time("cannot leave IP address in the clear"
+			" (probably because some packets have already been rewritten before this call)");
+	%}
+
+function current_packet%(c: connection%): packet
+	%{
+	Rewriter* rewriter = get_trace_rewriter(c);
+	if ( ! rewriter )
+		{
+		builtin_run_time("current_packet is not supported without specifying an output file");
+		return 0;
+		}
+
+	return rewriter->CurrentPacket()->PacketVal();	
+	%}
+
+function current_rewrite_packet%(c: connection%): packet
+	%{
+	Rewriter* rewriter = get_trace_rewriter(c);
+	if ( ! rewriter )
+		{
+		builtin_run_time("current_rewrite_packet is not supported without specifying an output file");
+		return 0;
+		}
+
+	return rewriter->RewritePacket()->PacketVal();
+	%}
+
+# Reserve a slot in the current packet of the trace so that the
+# slot can be filled later by seeking to it.
+function reserve_rewrite_slot%(c: connection%): count
+	%{
+	Rewriter* rewriter = get_trace_rewriter(c);
+	if ( ! rewriter )
+		return new Val(0, TYPE_COUNT);
+
+	unsigned int slot = rewriter->ReserveSlot();
+	if ( slot == 0 )
+		builtin_run_time("reserve_rewrite_slot returning 0");
+
+	return new Val(slot, TYPE_COUNT);
+	%}
+
+# Seek to a previously reserved slot so that rewrites afterwards
+# will go into the slot instead of the current packet.
+function seek_rewrite_slot%(c: connection, slot: count%): any
+	%{
+	Rewriter* rewriter = get_trace_rewriter(c);
+	if ( ! rewriter->SeekSlot(slot) )
+		builtin_run_time("cannot seek the rewrite slot");
+
+	return 0;
+	%}
+
+# Return from any reserved slot to bring the rewrite pointer back to
+# the current packet.
+function return_from_rewrite_slot%(c: connection%): any
+	%{
+	Rewriter* rewriter = get_trace_rewriter(c);
+	rewriter->ReturnFromSlot();
+	return 0;
+	%}
+
+# Release a rewrite slot and dump the slot to the trace (it cannot be
+# seek'd again). If the rewrite pointer is currently at the slot, it
+# will return to the current packet.
+function release_rewrite_slot%(c: connection, slot: count%): any
+	%{
+	Rewriter* rewriter = get_trace_rewriter(c);
+	rewriter->ReleaseSlot(slot);
+	return 0;
+	%}
+
+# Dump original packets on the connection up to this point to the
+# output trace, if any.
+function dump_packets_of_connection%(c: connection%): any
+	%{
+	Analyzer* tc = c->FindAnalyzer(AnalyzerTag::TCP);
+	if ( ! tc )
+		run_time("connection does not have TCP analyzer");
+
+	TCP_SourcePacketWriter* pkt_writer = get_src_pkt_writer((TCP_Analyzer*) tc);
+	if ( pkt_writer )
+		pkt_writer->Dump();
+
+	return 0;
+	%}
diff --git a/src/const.bif b/src/const.bif
new file mode 100644
index 0000000000..2c4f2d1f1c
--- /dev/null
+++ b/src/const.bif
@@ -0,0 +1,97 @@
+# $Id: const.bif 3929 2007-01-14 00:37:59Z vern $
+
+# Some connections (e.g., SSH) retransmit the acknowledged last
+# byte to keep the connection alive. If ignore_keep_alive_rexmit
+# is set to T, such retransmissions will be excluded in the rexmit
+# counter in conn_stats.
+const ignore_keep_alive_rexmit = F &redef;
+
+# Skip HTTP data portions for performance considerations (the skipped
+# portion will not go through TCP reassembly).
+const skip_http_data = F &redef;
+
+# Whether the analysis engine parses IP packets encapsulated in
+# UDP tunnels. See also: udp_tunnel_port, policy/udp-tunnel.bro.
+const parse_udp_tunnels = F &redef;
+
+# Whether a commitment is required before writing the transformed
+# trace for a connection into the dump file.
+const requires_trace_commitment = F &redef;
+
+# Whether IP address anonymization is enabled.
+const anonymize_ip_addr = F &redef;
+
+# Whether to omit place holder packets when rewriting.
+const omit_rewrite_place_holder = T &redef;
+
+# Whether trace of various protocols is being rewritten.
+const rewriting_http_trace = F &redef;
+const rewriting_smtp_trace = F &redef;
+const rewriting_ftp_trace = F &redef;
+const rewriting_ident_trace = F &redef;
+const rewriting_finger_trace = F &redef;
+const rewriting_dns_trace = F &redef;
+const rewriting_smb_trace = F &redef;
+
+# Whether we dump selected original packets to the output trace.
+const dump_selected_source_packets = F &redef;
+
+# If true, we dump original packets to the output trace *if and only if*
+# the connection is not rewritten; if false, the policy script can decide
+# whether to dump a particular connection by calling dump_packets_of_connection.
+#
+# NOTE: DO NOT SET THIS TO TRUE WHEN ANONYMIZING A TRACE! 
+# (TODO: this variable should be disabled when using '-A' option)
+const dump_original_packets_if_not_rewriting = F &redef;
+
+enum dce_rpc_ptype %{
+	DCE_RPC_REQUEST,
+	DCE_RPC_PING,
+	DCE_RPC_RESPONSE,
+	DCE_RPC_FAULT,
+	DCE_RPC_WORKING,
+	DCE_RPC_NOCALL,
+	DCE_RPC_REJECT,
+	DCE_RPC_ACK,
+	DCE_RPC_CL_CANCEL,
+	DCE_RPC_FACK,
+	DCE_RPC_CANCEL_ACK,
+	DCE_RPC_BIND,
+	DCE_RPC_BIND_ACK,
+	DCE_RPC_BIND_NAK,
+	DCE_RPC_ALTER_CONTEXT,
+	DCE_RPC_ALTER_CONTEXT_RESP,
+	DCE_RPC_SHUTDOWN,
+	DCE_RPC_CO_CANCEL,
+	DCE_RPC_ORPHANED,
+%}
+
+enum dce_rpc_if_id %{
+	DCE_RPC_unknown_if,
+	DCE_RPC_epmapper,
+	DCE_RPC_lsarpc,
+	DCE_RPC_lsa_ds,
+	DCE_RPC_mgmt,
+	DCE_RPC_netlogon,
+	DCE_RPC_samr,
+	DCE_RPC_srvsvc,
+	DCE_RPC_spoolss,
+	DCE_RPC_drs,
+	DCE_RPC_winspipe,
+	DCE_RPC_wkssvc,
+	DCE_RPC_oxid,
+	DCE_RPC_ISCMActivator,
+%}
+
+enum rpc_status %{
+	RPC_SUCCESS,
+	RPC_PROG_UNAVAIL,
+	RPC_PROG_MISMATCH,
+	RPC_PROC_UNAVAIL,
+	RPC_GARBAGE_ARGS,
+	RPC_SYSTEM_ERR,
+	RPC_TIMEOUT,
+	RPC_VERS_MISMATCH,
+	RPC_AUTH_ERROR,
+	RPC_UNKNOWN_ERROR,
+%}
diff --git a/src/cq.c b/src/cq.c
new file mode 100644
index 0000000000..63e4275369
--- /dev/null
+++ b/src/cq.c
@@ -0,0 +1,686 @@
+/*
+ * See the file "COPYING" in the main distribution directory for copyright.
+ */
+
+#ifndef lint
+static const char rcsid[] =
+    "@(#) $Id: cq.c 6219 2008-10-01 05:39:07Z vern $ (LBL)";
+#endif
+
+#include <sys/types.h>
+
+#include <errno.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#ifdef HAVE_MEMORY_H
+#include <memory.h>
+#endif
+#include <math.h>
+
+#ifdef CQ_DEVELOPMENT
+#include <lbl/gnuc.h>
+#include <lbl/os-proto.h>
+#endif
+
+#include "cq.h"
+
+/* Priority to virtual bucket (int) */
+#define PRI2VBUCKET(hp, p) ((int)((p) / (hp)->bwidth))
+
+/* Priority to bucket (int) */
+#define PRI2BUCKET(hp, p) \
+    ((int)fmod((p) / (hp)->bwidth, (double)((hp)->nbuckets)))
+
+/* Priority to bucket top (double) */
+#define PRI2BUCKETTOP(hp, p) ((hp)->bwidth * (((p) / (hp)->bwidth) + 1.5))
+
+/* True if bucket is in use */
+#define BUCKETINUSE(bp) ((bp)->cookie != NULL)
+
+/* Private data */
+struct cq_handle {
+	int nbuckets;			/* number of buckets */
+	int qlen;			/* number of queued entries */
+	int max_qlen;			/* max. number of queued entries */
+	int himark;			/* high bucket threshold */
+	int lowmark;			/* low bucket threshold */
+	int nextbucket;			/* next bucket to check */
+	int noresize;			/* don't resize while we're resizing */
+	double lastpri;			/* last priority */
+	double ysize;			/* length of a year */
+	double bwidth;			/* width of each bucket */
+	double buckettop;		/* priority of top of current bucket */
+	struct cq_bucket *buckets;	/* array of buckets */
+};
+
+struct cq_bucket {
+	double pri;
+	void *cookie;
+	struct cq_bucket *next;
+};
+
+#ifdef DEBUG
+#ifdef CQ_DEVELOPMENT
+extern int debug;
+#else
+int debug = 0;
+#endif
+#endif
+
+static unsigned int memory_allocation = 0;
+
+static struct cq_bucket *free_list = 0;
+
+/* Forwards */
+static int cq_resize(struct cq_handle *, int);
+static void cq_destroybuckets(struct cq_bucket *, int);
+#ifdef DEBUG
+static int cq_debugbucket(struct cq_handle *, struct cq_bucket *);
+void cq_debug(struct cq_handle *, int);
+#endif
+
+
+/* Initialize a calendar queue */
+struct cq_handle *
+cq_init(register double ysize, register double placebo)
+{
+	register struct cq_handle *hp;
+
+#ifdef DEBUG
+	if (debug > 1)
+		fprintf(stderr, "cq_init(%f)\n", ysize);
+#endif
+	/* The year size be positive */
+	if (ysize <= 0.0) {
+		errno = EINVAL;
+		return (NULL);
+	}
+
+	/* Allocate handle */
+	hp = (struct cq_handle *)malloc(sizeof(*hp));
+	memory_allocation += sizeof(*hp);
+	if (hp == NULL)
+		return (NULL);
+	memset(hp, 0, sizeof(*hp));
+
+	/* Initialize handle */
+	hp->ysize = ysize;
+	hp->max_qlen = 0;
+
+	/* Allocate initial buckets and finish handle initialization */
+	if (cq_resize(hp, 0) < 0) {
+		free(hp);
+		memory_allocation -= sizeof(*hp);
+		return (NULL);
+	}
+	return (hp);
+}
+
+/* Returns zero on success, -1 on error (with errno set) */
+int
+cq_enqueue(register struct cq_handle *hp, register double pri,
+    register void *cookie)
+{
+	register struct cq_bucket *bp, *bp2;
+#ifdef DEBUG
+	register int q1, q2;
+	register struct cq_bucket *buckethead;
+#endif
+
+#ifdef DEBUG
+	if (debug > 1)
+		fprintf(stderr, "cq_enqueue(%f)\n", pri);
+#endif
+
+	/* The priority must be positive and the cookie non-null */
+	if (pri <= 0.0 || cookie == NULL) {
+		errno = EINVAL;
+		return (-1);
+	}
+
+	/* We might as well resize now if we're going to need to */
+	if (hp->qlen + 1 > hp->himark && cq_resize(hp, 1) < 0)
+		return (-1);
+
+	bp = hp->buckets + PRI2BUCKET(hp, pri);
+#ifdef DEBUG
+	if (debug) {
+		buckethead = bp;
+		q1 = cq_debugbucket(hp, buckethead);
+	} else {
+		buckethead = NULL;
+		q1 = 0;
+	}
+#endif
+	if (BUCKETINUSE(bp)) {
+		/* Allocate chained bucket */
+		if (free_list) {
+			bp2 = free_list;
+			free_list = free_list->next;
+		} else {
+			bp2 = (struct cq_bucket *)malloc(sizeof(*bp2));
+			memory_allocation += sizeof(*bp2);
+			if (bp2 == NULL)
+				return (-1);
+		}
+		memset(bp2, 0, sizeof(*bp2));
+		if (pri < bp->pri) {
+			/* Insert new bucket at head of queue */
+			*bp2 = *bp;
+			bp->next = bp2;
+		} else {
+			/* Insert entry in order (fifo when pri's are equal) */
+			while (bp->next != NULL && pri >= bp->next->pri)
+				bp = bp->next;
+			bp2->next = bp->next;
+			bp->next = bp2;
+			bp = bp2;
+		}
+	}
+	bp->pri = pri;
+	bp->cookie = cookie;
+	if (++hp->qlen > hp->max_qlen)
+		hp->max_qlen = hp->qlen;
+#ifdef DEBUG
+	if (debug) {
+		q2 = cq_debugbucket(hp, buckethead);
+		if (q1 + 1 != q2) {
+			fprintf(stderr, "enqueue length wrong\n");
+			cq_dump(hp);
+			abort();
+		}
+	}
+#endif
+
+	/* If new priority is old, we need to recalculate nextbucket */
+	if (hp->lastpri == 0.0 || hp->lastpri > pri) {
+		hp->lastpri = pri;
+		hp->nextbucket = PRI2BUCKET(hp, hp->lastpri);
+		hp->buckettop = PRI2BUCKETTOP(hp, hp->lastpri);
+	}
+#ifdef notdef
+	if (debug)
+		cq_debug(hp, 0);
+#endif
+	return (0);
+}
+
+void *
+cq_dequeue(register struct cq_handle *hp, double pri)
+{
+	register int n;
+	register struct cq_bucket *bp, *bp2, *lowbp;
+	register void *cookie;
+
+#ifdef DEBUG
+	if (debug > 1)
+		fprintf(stderr, "cq_dequeue(%f)\n", pri);
+#endif
+	if (pri < hp->lastpri)
+		/* For sure nothing to do. */
+		return (NULL);
+
+	lowbp = NULL;
+	for (n = hp->nbuckets, bp = hp->buckets + hp->nextbucket; n > 0; --n) {
+		/* Check bucket if it contains an entry (in the current year) */
+		if (BUCKETINUSE(bp)) {
+			if (bp->pri < hp->buckettop) {
+				/* Check first entry in this bucket */
+				if (pri >= bp->pri) {
+					cookie = bp->cookie;
+					hp->lastpri = bp->pri;
+					/* Shouldn't nextbucket now point here?? */
+					hp->nextbucket = PRI2BUCKET(hp, hp->lastpri);
+					hp->buckettop = PRI2BUCKETTOP(hp, hp->lastpri);
+					if (bp->next == NULL) {
+						/* Zero out first entry */
+						bp->pri = 0.0;
+						bp->cookie = NULL;
+					} else {
+						/* Update 1st entry with next */
+						bp2 = bp->next;
+						*bp = *bp2;
+						bp2->next = free_list;
+						free_list = bp2;
+						/* free(bp2); */
+					}
+					--hp->qlen;
+					if (hp->qlen < hp->lowmark)
+						(void)cq_resize(hp, 0);
+#ifdef notdef
+					if (debug)
+						cq_debug(hp, 0);
+#endif
+					return (cookie);
+				}
+
+				/* The first entry is in the current year
+				 * but comes after pri.  This means we're
+				 * not going to find *any* subsequent entries
+				 * that come before pri.  So we're done.
+				 */
+				hp->lastpri = bp->pri;
+				hp->nextbucket = PRI2BUCKET(hp, hp->lastpri);
+				hp->buckettop = PRI2BUCKETTOP(hp, hp->lastpri);
+				return (NULL);
+#if 0
+				/* Search linked list */
+				/* Why is this necessary?  Since the list
+				 * is sorted, and we already know that the
+				 * first entry has too high a priority,
+				 * none of the others can be ready to
+				 * dequeue, right??
+				 */
+				for (bp2 = bp; (bp3 = bp2->next) != NULL;
+				    bp2 = bp3) {
+					/* Don't look past end of bucket */
+					if (bp3->pri >= hp->buckettop)
+						break;
+					if (pri >= bp3->pri) {
+						/* Unlink entry */
+						cookie = bp3->cookie;
+						hp->lastpri = bp->pri;
+						bp2->next = bp3->next;
+						free(bp3);
+						memory_allocation -= sizeof(*bp3);
+						--hp->qlen;
+						if (hp->qlen < hp->lowmark)
+							(void)cq_resize(hp, 0);
+						return (cookie);
+					}
+				}
+#endif
+			}
+
+			/* Keep track of lowest priority bucket */
+			if (lowbp == NULL || lowbp->pri > bp->pri)
+				lowbp = bp;
+		}
+
+		/* Step to next bucket */
+		hp->buckettop += hp->bwidth;
+		++hp->nextbucket;
+		if (hp->nextbucket < hp->nbuckets)
+			++bp;
+		else {
+			bp = hp->buckets;
+			hp->nextbucket = 0;
+		}
+	}
+
+	/*
+	 * If we got here, we checked all the buckets but came up
+	 * empty. This can happen when the queued priorities are
+	 * really sparse (e.g. when there is more than a year
+	 * between two adjacent entries).
+	 *
+	 * If there was at least one bucket in use, check to see
+	 * if it's the one we're looking for. Also, update nextbucket
+	 * (and buckettop) with this bucket.
+	 */
+	if (lowbp != NULL) {
+		cookie = NULL;
+		bp = lowbp;
+		if (pri >= bp->pri) {
+			cookie = bp->cookie;
+			if (bp->next == NULL) {
+				/* Zero out first entry */
+				bp->pri = 0.0;
+				bp->cookie = NULL;
+			} else {
+				/* Update 1st entry with next */
+				bp2 = bp->next;
+				*bp = *bp2;
+				bp2->next = free_list;
+				free_list = bp2;
+				/* free(bp2); */
+			}
+			--hp->qlen;
+			/* If we resize, we don't need to update */
+			if (hp->qlen < hp->lowmark) {
+				(void)cq_resize(hp, 0);
+				return (cookie);
+			}
+		}
+		hp->lastpri = lowbp->pri;
+		hp->nextbucket = PRI2BUCKET(hp, hp->lastpri);
+		hp->buckettop = PRI2BUCKETTOP(hp, hp->lastpri);
+		if (cookie != NULL)
+			return (cookie);
+	}
+
+	/* Checked all buckets */
+	return (NULL);
+}
+
+void *
+cq_remove(register struct cq_handle *hp, register double pri,
+		            register void *cookie)
+{
+	register struct cq_bucket *bp, *bp2;
+
+	/* The priority must be positive and the cookie non-null */
+	if (pri <= 0.0 || cookie == NULL)
+		return (-0);
+
+	bp = hp->buckets + PRI2BUCKET(hp, pri);
+	if (! BUCKETINUSE(bp))
+		return (0);
+
+	for ( bp2 = 0; bp && cookie != bp->cookie; bp = bp->next ) {
+		if ( pri < bp->pri )
+			return (0);
+		bp2 = bp;
+		}
+
+	if ( ! bp )
+		return (-0);
+
+	/* Unlink entry */
+	if ( ! bp2 ) {
+		/* Remove first element */
+		if ( ! bp->next ) {
+			/* Zero out first entry */
+			bp->pri = 0.0;
+			bp->cookie = NULL;
+		} else {
+			/* Update 1st entry with next */
+			bp2 = bp->next;
+			*bp = *bp2;
+			bp2->next = free_list;
+			free_list = bp2;
+		}
+	}
+	else {
+		/* Remove not-first element */
+		bp2->next = bp->next;
+		bp->next = free_list;
+		free_list = bp;
+	}
+	--hp->qlen;
+
+	if (hp->qlen < hp->lowmark)
+		(void)cq_resize(hp, 0);
+
+	/* buckettop etc. don't need to be updated, right? */
+	return cookie;
+}
+
+int
+cq_size(struct cq_handle *hp)
+{
+	return hp->qlen;
+}
+
+int
+cq_max_size(struct cq_handle *hp)
+{
+	return hp->max_qlen;
+}
+
+/* Return without doing anything if we fail to allocate a new bucket array */
+static int
+cq_resize(register struct cq_handle *hp, register int grow)
+{
+	register int n, nbuckets, oldnbuckets;
+	register size_t size;
+	register struct cq_bucket *bp, *bp2, *buckets, *oldbuckets;
+	struct cq_handle savedhandle;
+
+	if (hp->noresize)
+		return (0);
+#ifdef DEBUG
+	if (debug)
+		cq_debug(hp, 0);
+#endif
+
+	/* Save old bucket array */
+	oldnbuckets = hp->nbuckets;
+	oldbuckets = hp->buckets;
+
+	/* If no old buckets, we're initializing */
+	if (oldbuckets == NULL)
+		nbuckets = 2;
+	else if (grow)
+		nbuckets = oldnbuckets * 2;
+	else
+		nbuckets = oldnbuckets / 2;
+
+	/* XXX could check that nbuckets is a power of 2 */
+
+	size = sizeof(*buckets) * nbuckets;
+	buckets = (struct cq_bucket *)malloc(size);
+	memory_allocation += size;
+
+	if (buckets == NULL)
+		return (-1);
+	memset(buckets, 0, size);
+
+	/* Save a copy of the handle in case we have dynamic memory problems */
+	savedhandle = *hp;
+
+	/* Install new bucket array */
+	hp->nbuckets = nbuckets;
+	hp->buckets = buckets;
+
+	/* Initialize other parameters */
+	hp->himark = hp->nbuckets * 1.5;
+	hp->lowmark = (hp->nbuckets / 2) - 2;
+	hp->bwidth = hp->ysize / (double)hp->nbuckets;
+
+	/* Tell cq_enqueue() to update nextbucket and buckettop */
+	hp->lastpri = 0.0;
+
+#ifdef DEBUG
+	if (debug > 1)
+		fprintf(stderr,
+		    "buckets 0x%lx, nbuckets %d, bwidth %f, buckettop %f\n",
+		    (u_long)hp->buckets,
+		    hp->nbuckets,
+		    hp->bwidth, hp->buckettop);
+#endif
+
+	/* We're done if we were just initializing */
+	if (oldbuckets == NULL)
+		return (0);
+
+	/* Insert entries from old bucket array into new one */
+	++hp->noresize;
+	hp->qlen = 0;
+	for (bp = oldbuckets, n = oldnbuckets; n > 0; --n, ++bp)
+		if (BUCKETINUSE(bp))
+			for (bp2 = bp; bp2 != NULL; bp2 = bp2->next) {
+				if (cq_enqueue(hp, bp2->pri, bp2->cookie) < 0) {
+					/* Bummer! */
+					*hp = savedhandle;
+					/* hp->resize restored */
+					cq_destroybuckets(buckets, nbuckets);
+					free(buckets);
+					memory_allocation -= size;
+					return (-1);
+				}
+			}
+	--hp->noresize;
+
+	cq_destroybuckets(oldbuckets, oldnbuckets);
+	free(oldbuckets);
+	memory_allocation -= sizeof(*buckets) * oldnbuckets;
+#ifdef DEBUG
+	if (debug)
+		cq_debug(hp, 0);
+#endif
+	return (0);
+}
+
+static void
+cq_destroybuckets(register struct cq_bucket *buckets, register int n)
+{
+	register struct cq_bucket *bp, *bp2, *bp3;
+
+	for (bp = buckets; n > 0; --n, ++bp) {
+		bp2 = bp->next;
+		while (bp2 != NULL) {
+			bp3 = bp2->next;
+			bp2->next = free_list;
+			free_list = bp2;
+			/* free(bp2); */
+			bp2 = bp3;
+		}
+	}
+}
+
+/* Destroy a calendar queue */
+void
+cq_destroy(register struct cq_handle *hp)
+{
+
+	cq_destroybuckets(hp->buckets, hp->nbuckets);
+	while (free_list) {
+		struct cq_bucket *next_free = free_list->next;
+		free(free_list);
+		free_list = next_free;
+	}
+	memory_allocation -= sizeof(struct cq_bucket) * hp->nbuckets;
+	free(hp->buckets);
+	free(hp);
+	memory_allocation -= sizeof(*hp);
+}
+
+unsigned int
+cq_memory_allocation(void)
+{
+	return memory_allocation;
+}
+
+#ifdef DEBUG
+static int
+cq_debugbucket(register struct cq_handle *hp,
+    register struct cq_bucket *buckets)
+{
+	register int qlen;
+	register struct cq_bucket *bp, *bp2;
+	double pri;
+
+	qlen = 0;
+	pri = 0.0;
+	for (bp = buckets; bp != NULL; bp = bp->next) {
+		if (BUCKETINUSE(bp)) {
+			++qlen;
+			bp2 = hp->buckets + PRI2BUCKET(hp, bp->pri);
+			if (bp2 != buckets) {
+				fprintf(stderr,
+				    "%f in wrong bucket! (off by %d)\n",
+				    bp->pri, bp2 - buckets);
+				cq_dump(hp);
+				abort();
+			}
+			if (bp->pri < pri) {
+				fprintf(stderr,
+				    "bad pri order %f < %f (qlen %d)\n",
+				    bp->pri, pri, qlen);
+				cq_dump(hp);
+				abort();
+			}
+			pri = bp->pri;
+		}
+	}
+	return (qlen);
+}
+
+void
+cq_debug(register struct cq_handle *hp, register int print)
+{
+	register int n, qlen, xnextbucket, nextbucket;
+	register struct cq_bucket *bp, *lowbp;
+	register double xbuckettop, buckettop;
+
+	qlen = 0;
+	lowbp = NULL;
+	bp = hp->buckets + hp->nextbucket;
+	for (n = hp->nbuckets; n > 0; --n) {
+		if (BUCKETINUSE(bp) && (lowbp == NULL || lowbp->pri > bp->pri))
+			lowbp = bp;
+
+		qlen += cq_debugbucket(hp, bp);
+
+		/* Step to next bucket */
+		++bp;
+		if (bp >= hp->buckets + hp->nbuckets)
+			bp = hp->buckets;
+	}
+
+	if (lowbp != NULL) {
+		/* We expect lastpri gt or eq to the lowest queued priority */
+		if (lowbp->pri < hp->lastpri) {
+			fprintf(stderr, "lastpri wacked (%f < %f)\n",
+			    lowbp->pri, hp->lastpri);
+			cq_dump(hp);
+			abort();
+		}
+
+		/* Must search for the next entry just as cq_dequeue() would */
+		nextbucket = hp->nextbucket;
+		buckettop = hp->buckettop;
+		bp = hp->buckets + nextbucket;
+		for (n = hp->nbuckets; n > 0; --n) {
+			if (BUCKETINUSE(bp) && bp->pri < buckettop)
+				break;
+
+			/* Step to next bucket */
+			++bp;
+			++nextbucket;
+			buckettop += hp->bwidth;
+			if (bp >= hp->buckets + hp->nbuckets) {
+				bp = hp->buckets;
+				nextbucket = 0;
+			}
+		}
+
+		xnextbucket = PRI2BUCKET(hp, lowbp->pri);
+		if (xnextbucket != nextbucket) {
+			fprintf(stderr, "nextbucket wacked (%d != %d)\n",
+			     xnextbucket, nextbucket);
+			cq_dump(hp);
+			abort();
+		}
+
+		xbuckettop = PRI2BUCKETTOP(hp, lowbp->pri);
+		if (xbuckettop != buckettop) {
+			fprintf(stderr, "buckettop wacked (%f != %f)\n",
+			    xbuckettop, buckettop);
+			cq_dump(hp);
+			abort();
+		}
+	}
+	if (qlen != hp->qlen) {
+		fprintf(stderr, "qlen wacked (%d != %d)\n", qlen, hp->qlen);
+		cq_dump(hp);
+		abort();
+	}
+}
+
+void
+cq_dump(register struct cq_handle *hp)
+{
+	// ### FIXME
+	register struct cq_bucket *bp, *bp2;
+	register int n;
+
+	fprintf(stderr,
+	    "\ncq_dump(): nbucket %d, qlen %d, nextbucket %d, lastpri %f\n",
+	    hp->nbuckets, hp->qlen, hp->nextbucket, hp->lastpri);
+	fprintf(stderr, "\tysize %f, bwidth %f, buckettop %f\n",
+	    hp->ysize, hp->bwidth, hp->buckettop);
+
+	bp = hp->buckets;
+	for (n = 0, bp = hp->buckets; n < hp->nbuckets; ++n, ++bp) {
+		fprintf(stderr, "  %c %2d: %f (0x%lx)\n",
+		    (n == hp->nextbucket) ? '+' : ' ', n,
+		    bp->pri, (u_long)bp->cookie);
+		for (bp2 = bp->next; bp2 != NULL; bp2 = bp2->next)
+			fprintf(stderr, "        %f (0x%lx)\n",
+			    bp2->pri, (u_long)bp2->cookie);
+	}
+}
+#endif
diff --git a/src/cq.h b/src/cq.h
new file mode 100644
index 0000000000..38c5204f0c
--- /dev/null
+++ b/src/cq.h
@@ -0,0 +1,14 @@
+/* @(#) $Id: cq.h 80 2004-07-14 20:15:50Z jason $ (LBL) */
+
+struct cq_handle *cq_init(double, double);
+void cq_destroy(struct cq_handle *);
+int cq_enqueue(struct cq_handle *, double, void *);
+void *cq_dequeue(struct cq_handle *, double);
+void *cq_remove(struct cq_handle *, double, void *);
+int cq_size(struct cq_handle *);
+int cq_max_size(struct cq_handle *);
+unsigned int cq_memory_allocation(void);
+#ifdef DEBUG
+void cq_debug(struct cq_handle *, int);
+void cq_dump(struct cq_handle *);
+#endif
diff --git a/src/dce_rpc-analyzer.pac b/src/dce_rpc-analyzer.pac
new file mode 100644
index 0000000000..8f412401f7
--- /dev/null
+++ b/src/dce_rpc-analyzer.pac
@@ -0,0 +1,136 @@
+# $Id:$
+
+# DCE/RPC protocol data unit.
+
+type DCE_RPC_PDU = record {
+	# Set header's byteorder to little-endian (or big-endian) to
+	# avoid cyclic dependency.
+	header	: DCE_RPC_Header;
+	frag	: bytestring &length = body_length;
+	auth	: DCE_RPC_Auth(header);
+} &let {
+	body_length: int =
+		 header.frag_length - sizeof(header) - header.auth_length;
+	frag_reassembled: bool =
+		$context.flow.reassemble_fragment(frag, header.lastfrag);
+	body:	DCE_RPC_Body(header)
+		withinput $context.flow.reassembled_body()
+		&if frag_reassembled;
+} &byteorder = header.byteorder,
+  &length = header.frag_length;	# length of the PDU
+
+
+connection DCE_RPC_Conn(bro_analyzer: BroAnalyzer) {
+	upflow = DCE_RPC_Flow(true);
+	downflow = DCE_RPC_Flow(false);
+
+	function get_cont_id_opnum_map(cont_id: uint16): uint16
+		%{
+		return cont_id_opnum_map[cont_id];
+		%}
+
+	function set_cont_id_opnum_map(cont_id: uint16, opnum: uint16): bool
+		%{
+		cont_id_opnum_map[cont_id] = opnum;
+		return true;
+		%}
+
+	%member{
+	map<uint16, uint16> cont_id_opnum_map;
+	%}
+};
+
+
+flow DCE_RPC_Flow(is_orig: bool) {
+	flowunit = DCE_RPC_PDU withcontext (connection, this);
+
+	%member{
+	FlowBuffer frag_reassembler_;
+	%}
+
+	# Fragment reassembly.
+	function reassemble_fragment(frag: bytestring, lastfrag: bool): bool
+		%{
+		int orig_data_length = frag_reassembler_.data_length();
+
+		frag_reassembler_.NewData(frag.begin(), frag.end());
+
+		int new_frame_length = orig_data_length + frag.length();
+		if ( orig_data_length == 0 )
+			frag_reassembler_.NewFrame(new_frame_length, false);
+		else
+			frag_reassembler_.GrowFrame(new_frame_length);
+
+		return lastfrag;
+		%}
+
+	function reassembled_body(): const_bytestring
+		%{
+		return const_bytestring(
+			frag_reassembler_.begin(),
+			frag_reassembler_.end());
+		%}
+
+	# Bind.
+	function process_dce_rpc_bind(bind: DCE_RPC_Bind): bool
+		%{
+		$const_def{bind_elems = bind.p_context_elem};
+
+		if ( ${bind_elems.n_context_elem} > 1 ) {
+			${connection.bro_analyzer}->Weird(
+				"DCE_RPC_bind_to_multiple_interfaces");
+		}
+
+		if ( dce_rpc_bind ) {
+			// Go over the elements, each having a UUID
+			for ( int i = 0; i < ${bind_elems.n_context_elem}; ++i ) {
+				$const_def{if_uuid =
+					bind_elems.p_cont_elem[i].abstract_syntax.if_uuid};
+
+				// Queue the event
+				bro_event_dce_rpc_bind(
+					${connection.bro_analyzer},
+					${connection.bro_analyzer}->Conn(),
+					bytestring_to_val(${if_uuid}));
+
+				// Set the connection's UUID
+				// ${connection}->set_uuid(${if_uuid});
+			}
+		}
+
+		return ${bind_elems.n_context_elem} > 0;
+		%}
+
+	# Request.
+	function process_dce_rpc_request(req: DCE_RPC_Request): bool
+		%{
+		if ( dce_rpc_request )
+			{
+			bro_event_dce_rpc_request(
+				${connection.bro_analyzer},
+				${connection.bro_analyzer}->Conn(),
+				${req.opnum},
+				bytestring_to_val(${req.stub}));
+			}
+
+		${connection}->set_cont_id_opnum_map(${req.p_cont_id},
+							${req.opnum});
+
+		return true;
+		%}
+
+	# Response.
+	function process_dce_rpc_response(resp: DCE_RPC_Response): bool
+		%{
+		if ( dce_rpc_response )
+			{
+			bro_event_dce_rpc_response(
+				${connection.bro_analyzer},
+				${connection.bro_analyzer}->Conn(),
+				${connection}->get_cont_id_opnum_map(${resp.p_cont_id}),
+				bytestring_to_val(${resp.stub}));
+			}
+
+		return true;
+		%}
+};
diff --git a/src/dce_rpc-protocol.pac b/src/dce_rpc-protocol.pac
new file mode 100644
index 0000000000..77c7aaff62
--- /dev/null
+++ b/src/dce_rpc-protocol.pac
@@ -0,0 +1,127 @@
+# $Id: dce_rpc-protocol.pac,v 1.1.4.2 2006/06/02 15:13:09 rpang Exp $
+#
+# Definitions for DCE RPC.
+
+enum dce_rpc_ptype {
+	DCE_RPC_REQUEST,
+	DCE_RPC_PING,
+	DCE_RPC_RESPONSE,
+	DCE_RPC_FAULT,
+	DCE_RPC_WORKING,
+	DCE_RPC_NOCALL,
+	DCE_RPC_REJECT,
+	DCE_RPC_ACK,
+	DCE_RPC_CL_CANCEL,
+	DCE_RPC_FACK,
+	DCE_RPC_CANCEL_ACK,
+	DCE_RPC_BIND,
+	DCE_RPC_BIND_ACK,
+	DCE_RPC_BIND_NAK,
+	DCE_RPC_ALTER_CONTEXT,
+	DCE_RPC_ALTER_CONTEXT_RESP,
+	DCE_RPC_SHUTDOWN,
+	DCE_RPC_CO_CANCEL,
+	DCE_RPC_ORPHANED,
+};
+
+type uuid = bytestring &length = 16;
+
+type context_handle = record {
+	cxt_attributes:		uint32;
+	cxt_uuid:		uuid;
+};
+
+type rpc_if_id_t = record {
+	if_uuid		: uuid;
+	vers_major	: uint16;
+	vers_minor	: uint16;
+};
+
+type NDR_Format = record {
+	intchar		: uint8;
+	floatspec	: uint8;
+	reserved	: padding[2];
+} &let {
+	byteorder = (intchar >> 4) ? littleendian : bigendian;
+};
+
+#### There might be a endianness problem here: the frag_length
+# causes problems despite the NDR_Format having a byteorder set.
+
+type DCE_RPC_Header = record {
+	rpc_vers	: uint8 &check(rpc_vers == 5);
+	rpc_vers_minor	: uint8;
+	PTYPE		: uint8;
+	pfc_flags	: uint8;
+	packed_drep	: NDR_Format;
+	frag_length	: uint16;
+	auth_length	: uint16;
+	call_id		: uint32;
+} &let {
+	frag = pfc_flags & 4;
+	lastfrag = (! frag) || (pfc_flags & 2);
+} &byteorder = packed_drep.byteorder;
+
+type p_context_id_t = uint16;
+
+type p_syntax_id_t = record {
+	if_uuid		: uuid;
+	if_version	: uint32;
+};
+
+type p_cont_elem_t = record {
+	p_cont_id	: p_context_id_t;
+	n_transfer_syn	: uint8;
+	reserved	: padding[1];
+	abstract_syntax	: p_syntax_id_t;
+	transfer_syntaxes : p_syntax_id_t[n_transfer_syn];
+};
+
+type p_cont_list_t = record {
+	n_context_elem	: uint8;
+	reserved	: padding[3];
+	p_cont_elem	: p_cont_elem_t[n_context_elem];
+};
+
+type DCE_RPC_Bind = record {
+	max_xmit_frag	: uint16;
+	max_recv_frag	: uint16;
+	assoc_group_id	: uint32;
+	p_context_elem	: p_cont_list_t;
+};
+
+type DCE_RPC_AlterContext = record {
+	max_xmit_frag	: uint16;
+	max_recv_frag	: uint16;
+	assoc_group_id	: uint32;
+	p_context_elem	: p_cont_list_t;
+};
+
+type DCE_RPC_Request = record {
+	alloc_hint	: uint32;
+	p_cont_id	: p_context_id_t;
+	opnum		: uint16;
+	# object	: uuid;
+	# stub_pad_0	: padding align 8;
+	stub		: bytestring &restofdata;
+};
+
+type DCE_RPC_Response = record {
+	alloc_hint	: uint32;
+	p_cont_id	: p_context_id_t;
+	cancel_count	: uint8;
+	reserved	: uint8;
+	# stub_pad_0	: padding align 8;
+	stub		: bytestring &restofdata;
+};
+
+type DCE_RPC_Body(header: DCE_RPC_Header) = case header.PTYPE of {
+	DCE_RPC_BIND	 -> bind	: DCE_RPC_Bind;
+	DCE_RPC_REQUEST	 -> request	: DCE_RPC_Request;
+	DCE_RPC_RESPONSE -> response	: DCE_RPC_Response;
+	default		 -> other	: bytestring &restofdata;
+};
+
+type DCE_RPC_Auth(header: DCE_RPC_Header) = uint8[header.auth_length];
+
+%include epmapper.pac
diff --git a/src/dce_rpc.pac b/src/dce_rpc.pac
new file mode 100644
index 0000000000..0aa689b532
--- /dev/null
+++ b/src/dce_rpc.pac
@@ -0,0 +1,12 @@
+# $Id: dce_rpc.pac 4608 2007-07-05 18:23:58Z vern $
+
+%include binpac.pac
+%include bro.pac
+
+analyzer DCE_RPC withcontext {
+	connection: DCE_RPC_Conn;
+	flow: DCE_RPC_Flow;
+};
+
+%include "dce_rpc-protocol.pac"
+%include "dce_rpc-analyzer.pac"
diff --git a/src/dce_rpc_simple.pac b/src/dce_rpc_simple.pac
new file mode 100644
index 0000000000..ff495a2e2b
--- /dev/null
+++ b/src/dce_rpc_simple.pac
@@ -0,0 +1,18 @@
+# $Id:$
+
+%include bro.pac
+
+analyzer DCE_RPC_Simple withcontext {};
+
+%include dce_rpc-protocol.pac
+
+type DCE_RPC_PDU = record {
+	# Set header's byteorder to little-endian (or big-endian) to
+	# avoid cyclic dependency.
+	header	: DCE_RPC_Header;
+	body	: DCE_RPC_Body(header)
+		 &length = header.frag_length - sizeof(header) -
+				header.auth_length;
+	auth	: DCE_RPC_Auth(header);
+} &byteorder = header.byteorder,
+  &length = header.frag_length;
diff --git a/src/dhcp-analyzer.pac b/src/dhcp-analyzer.pac
new file mode 100644
index 0000000000..4bebc0ba4f
--- /dev/null
+++ b/src/dhcp-analyzer.pac
@@ -0,0 +1,286 @@
+# $Id:$
+
+connection DHCP_Conn(bro_analyzer: BroAnalyzer) {
+	upflow = DHCP_Flow(true);
+	downflow = DHCP_Flow(false);
+};
+
+flow DHCP_Flow(is_orig: bool) {
+	datagram = DHCP_Message withcontext(connection, this);
+
+	%member{
+		BroVal dhcp_msg_val_;
+		BroAnalyzer interp;
+	%}
+
+	%init{
+		dhcp_msg_val_ = 0;
+		interp = connection->bro_analyzer();
+	%}
+
+	%cleanup{
+		Unref(dhcp_msg_val_);
+		dhcp_msg_val_ = 0;
+	%}
+
+	function get_dhcp_msgtype(options: DHCP_Option[]): uint8
+		%{
+		vector<DHCP_Option*>::const_iterator ptr;
+		uint8 type = 0;
+
+		// Leave the for loop if the message type is found.
+		bool parsed = false;
+
+		for ( ptr = options->begin();
+		      ptr != options->end() && ! (*ptr)->last(); ++ptr )
+			{
+			// We use a switch for future expandability.
+			switch ( (*ptr)->code() ) {
+			case MSG_TYPE_OPTION:
+				type = (*ptr)->info()->msg_type();
+				parsed = true;
+				break;
+			}
+
+			if ( parsed )
+				break;
+			}
+
+		if ( type == 0 )
+			interp->Weird("DHCP_no_type_option");
+
+		return type;
+		%}
+
+	function parse_request(options: DHCP_Option[], type: uint8): bool
+		%{
+		vector<DHCP_Option*>::const_iterator ptr;
+
+		// Requested IP address to the server.
+#ifdef BROv6
+		::uint32 req_addr[4], serv_addr[4];
+
+		req_addr[0] = req_addr[1] = req_addr[2] = req_addr[3] = 0;
+		serv_addr[0] = serv_addr[1] = serv_addr[2] = serv_addr[3] = 0;
+#else
+		addr_type req_addr = 0, serv_addr = 0;
+#endif
+
+		for ( ptr = options->begin();
+		       ptr != options->end() && ! (*ptr)->last(); ++ptr )
+			{
+			switch ( (*ptr)->code() ) {
+			case REQ_IP_OPTION:
+#ifdef BROv6
+				req_addr[3] = htonl((*ptr)->info()->req_addr());
+#else
+				req_addr = htonl((*ptr)->info()->req_addr());
+#endif
+				break;
+
+			case SERV_ID_OPTION:
+#ifdef BROv6
+				serv_addr[3] = htonl((*ptr)->info()->serv_addr());
+#else
+				serv_addr = htonl((*ptr)->info()->serv_addr());
+#endif
+				break;
+			}
+			}
+
+		switch ( type )
+		{
+		case DHCPDISCOVER:
+			bro_event_dhcp_discover(connection()->bro_analyzer(),
+					connection()->bro_analyzer()->Conn(),
+					dhcp_msg_val_->Ref(), req_addr);
+			break;
+
+		case DHCPREQUEST:
+			bro_event_dhcp_request(connection()->bro_analyzer(),
+				connection()->bro_analyzer()->Conn(),
+				dhcp_msg_val_->Ref(), req_addr, serv_addr);
+			break;
+
+		case DHCPDECLINE:
+			bro_event_dhcp_decline(connection()->bro_analyzer(),
+					connection()->bro_analyzer()->Conn(),
+					dhcp_msg_val_->Ref());
+			break;
+
+		case DHCPRELEASE:
+			bro_event_dhcp_release(connection()->bro_analyzer(),
+					connection()->bro_analyzer()->Conn(),
+					dhcp_msg_val_->Ref());
+			break;
+
+		case DHCPINFORM:
+			bro_event_dhcp_inform(connection()->bro_analyzer(),
+					connection()->bro_analyzer()->Conn(),
+					dhcp_msg_val_->Ref());
+			break;
+		}
+
+		return true;
+		%}
+
+	function parse_reply(options: DHCP_Option[], type: uint8): bool
+		%{
+		vector<DHCP_Option*>::const_iterator ptr;
+
+		// RFC 1533 allows a list of router addresses.
+		TableVal* router_list = 0;
+
+#ifdef BROv6
+		::uint32 subnet_mask[4], serv_addr[4];
+
+		subnet_mask[0] = subnet_mask[1] =
+			subnet_mask[2] = subnet_mask[3] = 0;
+		serv_addr[0] = serv_addr[1] = serv_addr[2] = serv_addr[3] = 0;
+#else
+		addr_type subnet_mask = 0, serv_addr = 0;
+#endif
+
+		uint32 lease = 0;
+
+		for ( ptr = options->begin();
+		      ptr != options->end() && ! (*ptr)->last(); ++ptr )
+			{
+			switch ( (*ptr)->code() ) {
+			case  SUBNET_OPTION:
+#ifdef BROv6
+				subnet_mask[0] =
+					subnet_mask[1] = subnet_mask[2] = 0;
+				subnet_mask[3] = htonl((*ptr)->info()->mask());
+#else
+				subnet_mask = htonl((*ptr)->info()->mask());
+#endif
+				break;
+
+			case  ROUTER_OPTION:
+				// Let's hope there aren't multiple
+				// such options.
+				Unref(router_list);
+				router_list = new TableVal(dhcp_router_list);
+
+				{
+				int num_routers =
+					(*ptr)->info()->router_list()->size();
+
+				for ( int i = 0; i < num_routers; ++i )
+					{
+					vector<uint32>* rlist =
+						(*ptr)->info()->router_list();
+					uint32 raddr = (*rlist)[i];
+#ifdef BROv6
+					::uint32 tmp_addr[4];
+					tmp_addr[0] = tmp_addr[1] = tmp_addr[2] = 0;
+					tmp_addr[3] = htonl(raddr);
+#else
+					::uint32 tmp_addr;
+					tmp_addr = htonl(raddr);
+#endif
+					// index starting from 1
+					Val* index = new Val(i + 1, TYPE_COUNT);
+					router_list->Assign(index, new AddrVal(tmp_addr));
+					Unref(index);
+					}
+				}
+				break;
+
+			case  LEASE_OPTION:
+				lease = (*ptr)->info()->lease();
+				break;
+
+			case  SERV_ID_OPTION:
+#ifdef BROv6
+				serv_addr[3] = htonl((*ptr)->info()->serv_addr());
+#else
+				serv_addr = htonl((*ptr)->info()->serv_addr());
+#endif
+				break;
+			}
+			}
+
+		switch ( type ) {
+		case DHCPOFFER:
+			bro_event_dhcp_offer(connection()->bro_analyzer(),
+					connection()->bro_analyzer()->Conn(),
+					dhcp_msg_val_->Ref(), subnet_mask,
+					router_list, lease, serv_addr);
+			break;
+
+		case DHCPACK:
+			bro_event_dhcp_ack(connection()->bro_analyzer(),
+					connection()->bro_analyzer()->Conn(),
+					dhcp_msg_val_->Ref(), subnet_mask,
+					router_list, lease, serv_addr);
+			break;
+
+		case DHCPNAK:
+			bro_event_dhcp_nak(connection()->bro_analyzer(),
+					connection()->bro_analyzer()->Conn(),
+					dhcp_msg_val_->Ref());
+			break;
+
+		}
+
+		return true;
+
+		%}
+
+	function process_dhcp_message(msg: DHCP_Message): bool
+		%{
+		// Check whether the options in the message conform to
+		// DHCP or BOOTP.  If not, we are unable to interpret
+		// the message options.
+		if ( ${msg.cookie} != 0x63825363 )
+			return false;
+
+		Unref(dhcp_msg_val_);
+		RecordVal* r = new RecordVal(dhcp_msg);
+
+		r->Assign(0, new Val(${msg.op}, TYPE_COUNT));
+		r->Assign(1, new Val(${msg.type}, TYPE_COUNT));
+		r->Assign(2, new Val(${msg.xid}, TYPE_COUNT));
+
+		// We want only 6 bytes for Ethernet address.
+		r->Assign(3, new StringVal(6, (const char*) ${msg.chaddr}.begin()));
+
+		r->Assign(4, new AddrVal(${msg.ciaddr}));
+		r->Assign(5, new AddrVal(${msg.yiaddr}));
+
+		dhcp_msg_val_ = r;
+
+		switch ( ${msg.op} ) {
+		case BOOTREQUEST:	// presumablye from client to server
+			if ( ${msg.type} == DHCPDISCOVER ||
+			     ${msg.type} == DHCPREQUEST ||
+			     ${msg.type} == DHCPDECLINE ||
+			     ${msg.type} == DHCPRELEASE ||
+			     ${msg.type} == DHCPINFORM )
+				parse_request(${msg.options}, ${msg.type});
+			else
+				interp->Weird("DHCP_wrong_msg_type");
+			break;
+
+		case BOOTREPLY:		// presumably from server to client
+			if ( ${msg.type} == DHCPOFFER ||
+			     ${msg.type} == DHCPACK || ${msg.type} == DHCPNAK )
+				parse_reply(${msg.options}, ${msg.type});
+			else
+				interp->Weird("DHCP_wrong_msg_type");
+			break;
+
+		default:
+			interp->Weird("DHCP_wrong_op_type");
+			break;
+		}
+
+		return true;
+		%}
+};
+
+refine typeattr DHCP_Message += &let {
+	proc_dhcp_message = $context.flow.process_dhcp_message(this);
+};
diff --git a/src/dhcp-protocol.pac b/src/dhcp-protocol.pac
new file mode 100644
index 0000000000..46cceb56c6
--- /dev/null
+++ b/src/dhcp-protocol.pac
@@ -0,0 +1,118 @@
+# $Id:$
+
+# DHCP Message Type according to RFC 1533.
+
+# Refer to RFC 2131 for op types.
+enum OP_type {
+	BOOTREQUEST	= 1,
+	BOOTREPLY	= 2,
+};
+
+# Refer to RFC 1533 for option types.
+# The option types are by no means complete.
+# Anyone can add a new option type in RFC 1533 to be parsed here.
+enum OPTION_type {
+	SUBNET_OPTION	= 1,
+	ROUTER_OPTION	= 3,
+	REQ_IP_OPTION	= 50,
+	LEASE_OPTION	= 51,
+	MSG_TYPE_OPTION = 53,	
+	SERV_ID_OPTION	= 54,	# Server address, actually :)
+	END_OPTION	= 255,
+};
+
+# Refer to RFC 1533 for message types (with option = 53).
+enum DHCP_message_type {
+	DHCPDISCOVER	= 1,
+	DHCPOFFER	= 2,
+	DHCPREQUEST	= 3,
+	DHCPDECLINE	= 4,
+	DHCPACK		= 5,
+	DHCPNAK		= 6,
+	DHCPRELEASE	= 7,
+	DHCPINFORM	= 8,
+};
+
+type Option_Info(code: uint8)  = record {
+	length		: uint8;
+	value		: case code of {
+		SUBNET_OPTION   -> mask	: uint32;
+		ROUTER_OPTION   -> router_list: uint32[length/4];
+		REQ_IP_OPTION   -> req_addr	: uint32;
+		LEASE_OPTION    -> lease	: uint32;
+		MSG_TYPE_OPTION -> msg_type : uint8;
+		SERV_ID_OPTION  -> serv_addr: uint32;
+		default		-> other: bytestring &length = length;
+	};
+};
+
+type DHCP_Option = record {
+	code		: uint8;
+	data		: case code of {
+		0, 255	->	none	: empty;
+		default	->	info	: Option_Info(code);	
+	};
+} &let {
+	last: bool	= (code == 255);   # Mark the end of a list of options
+};
+
+#    Message format according to RFC 2131
+#
+#                           1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3 3
+#     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2
+#    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+#    |     op (1)    |   htype (1)   |    hlen (1)   |     hops (1)    |
+#    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+#    |				   xid (4)			       |
+#    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+#    |		  secs (2)	     |		  flags (2)	       |
+#    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+#    |				  ciaddr (4)			       |
+#    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+#    |				  yiaddr (4)			       |
+#    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+#    |				  siaddr (4)			       |
+#    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+#    |				  giaddr (4)			       |
+#    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+#    |								       |
+#    |				  chaddr (16)			       |
+#    /								       /
+#    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+#    |								       |
+#    |				   sname (64)			       |
+#    /								       /
+#    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+#    |								       |
+#    |				   file  (128)			       |
+#    /								       /
+#    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+#    |								       |
+#    |				 options (variable)		       |
+#    /								       /
+#    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+type DHCP_Message = record {
+	op	: uint8;
+	htype	: uint8;
+	hlen	: uint8;
+	hops	: uint8;
+	xid	: uint32;
+	secs	: uint16;
+	flags	: uint16;
+	ciaddr	: uint32;
+	yiaddr	: uint32;
+	siaddr	: uint32;
+	giaddr	: uint32;
+	chaddr  : bytestring &length = 16;
+	sname	: bytestring &length = 64;
+	file	: bytestring &length = 128;
+
+	# Cookie belongs to options in RFC 2131, but we separate
+	# them here for easy parsing.
+	cookie  : uint32;
+
+	options	: DHCP_Option[] &until($element.last);
+} &let {
+	type	: uint8 = $context.flow.get_dhcp_msgtype(options);
+} &byteorder = bigendian;
diff --git a/src/dhcp.pac b/src/dhcp.pac
new file mode 100644
index 0000000000..852433a410
--- /dev/null
+++ b/src/dhcp.pac
@@ -0,0 +1,11 @@
+# $Id:$
+
+%include bro.pac
+
+analyzer DHCP withcontext {
+	connection:	DHCP_Conn;
+	flow:		DHCP_Flow;
+};
+
+%include dhcp-protocol.pac
+%include dhcp-analyzer.pac
diff --git a/src/dns-analyzer.pac b/src/dns-analyzer.pac
new file mode 100644
index 0000000000..2e9a6496c3
--- /dev/null
+++ b/src/dns-analyzer.pac
@@ -0,0 +1,347 @@
+# $Id:$
+
+%extern{
+#include <set>
+%}
+
+%code{
+int add_to_name_buffer(DNS_name* name, char* buf, const int buf_n, int buf_i)
+	{
+	for ( int i = 0; i < int(name->labels()->size()); ++i )
+		{
+		DNS_label* label = (*name->labels())[i];
+		if ( label->label_type() == 0 )
+			{
+			bytestring const &label_str = label->label();
+			if ( buf_i > 0 && buf_i < buf_n )
+				buf[buf_i++] = '.';
+			BINPAC_ASSERT(buf_i + label_str.length() <= buf_n);
+			memcpy(buf + buf_i, label_str.begin(),
+				label_str.length());
+			buf_i += label_str.length();
+			}
+		else if ( label->label_type() == 3 )
+			{
+			return add_to_name_buffer(label->ptr(), buf,
+							buf_n, buf_i);
+			}
+		}
+
+	return buf_i;
+	}
+
+StringVal* name_to_val(DNS_name* name)
+	{
+	char name_buf[520];
+	int n = add_to_name_buffer(name, name_buf, sizeof(name_buf), 0);
+	if ( n > 0 )
+		--n;  // remove the trailing '.'
+
+	BINPAC_ASSERT(n < int(sizeof(name_buf)));
+
+	name_buf[n] = 0;
+	for ( int i = 0; i < n; ++i )
+		if ( isupper(name_buf[i]) )
+			name_buf[i] = tolower(name_buf[i]);
+
+	return new StringVal(name_buf);
+	}
+%}
+
+connection DNS_Conn(bro_analyzer: BroAnalyzer)
+{
+	upflow = DNS_Flow;
+	downflow = DNS_Flow;
+};
+
+flow DNS_Flow
+{
+	datagram = DNS_message withcontext(connection, this);
+
+	%member{
+		set<int> pointer_set;
+		BroVal dns_msg_val_;
+	%}
+
+	%init{
+		dns_msg_val_ = 0;
+	%}
+
+	%cleanup{
+		Unref(dns_msg_val_);
+		dns_msg_val_ = 0;
+	%}
+
+	# Return a byte segment starting at <offset> in the original message.
+	function get_pointer(msgdata: const_bytestring,
+				offset: int): const_bytestring
+		%{
+		if ( offset < 0 || offset >= msgdata.length() )
+			return const_bytestring(0, 0);
+
+		if ( pointer_set.find(offset) != pointer_set.end() )
+			throw Exception("DNS pointer loop!");
+
+		pointer_set.insert(offset);
+		return const_bytestring(msgdata.begin() + offset, msgdata.end());
+		%}
+
+	function reset_pointer_set(): bool
+		%{
+		pointer_set.clear();
+		return true;
+		%}
+
+	function process_dns_header(hdr: DNS_header): bool
+		%{
+		Unref(dns_msg_val_);
+
+		RecordVal* r = new RecordVal(dns_msg);
+
+		r->Assign(0, new Val(${hdr.id}, TYPE_COUNT));
+		r->Assign(1, new Val(${hdr.opcode}, TYPE_COUNT));
+		r->Assign(2, new Val(${hdr.rcode}, TYPE_COUNT));
+		r->Assign(3, new Val(${hdr.qr}, TYPE_BOOL));
+		r->Assign(4, new Val(${hdr.aa}, TYPE_BOOL));
+		r->Assign(5, new Val(${hdr.tc}, TYPE_BOOL));
+		r->Assign(6, new Val(${hdr.rd}, TYPE_BOOL));
+		r->Assign(7, new Val(${hdr.ra}, TYPE_BOOL));
+		r->Assign(8, new Val(${hdr.z}, TYPE_COUNT));
+
+		r->Assign(9, new Val(${hdr.qdcount}, TYPE_COUNT));
+		r->Assign(10, new Val(${hdr.ancount}, TYPE_COUNT));
+		r->Assign(11, new Val(${hdr.nscount}, TYPE_COUNT));
+		r->Assign(12, new Val(${hdr.arcount}, TYPE_COUNT));
+
+		dns_msg_val_ = r;
+
+		return true;
+		%}
+
+	function process_dns_question(question: DNS_question): bool
+		%{
+		DNS_message* msg = question->msg();
+
+		if ( msg->header()->qr() == 0 )
+			{
+			bro_event_dns_request(
+				connection()->bro_analyzer(),
+				connection()->bro_analyzer()->Conn(),
+				dns_msg_val_->Ref(),
+				name_to_val(question->qname()),
+				question->qtype(),
+				question->qclass());
+			}
+
+		else if ( msg->header()->ancount() == 0 &&
+		          msg->header()->nscount() == 0 &&
+		          msg->header()->arcount() == 0 )
+			{
+			bro_event_dns_rejected(
+				connection()->bro_analyzer(),
+				connection()->bro_analyzer()->Conn(),
+				dns_msg_val_->Ref(),
+				name_to_val(question->qname()),
+				question->qtype(),
+				question->qclass());
+			}
+
+		return true;
+		%}
+
+	function build_dns_answer(rr: DNS_rr): BroVal
+		%{
+		RecordVal* r = new RecordVal(dns_answer);
+
+		r->Assign(0, new Val(rr->answer_type(), TYPE_COUNT));
+		r->Assign(1, name_to_val(rr->rr_name()));
+		r->Assign(2, new Val(rr->rr_type(), TYPE_COUNT));
+		r->Assign(3, new Val(rr->rr_class(), TYPE_COUNT));
+		r->Assign(4, new IntervalVal(double(rr->rr_ttl()), Seconds));
+
+		return r;
+		%}
+
+	function build_dns_soa(soa: DNS_rdata_SOA): BroVal
+		%{
+		RecordVal* r = new RecordVal(dns_soa);
+
+		r->Assign(0, name_to_val(soa->mname()));
+		r->Assign(1, name_to_val(soa->rname()));
+		r->Assign(2, new Val(soa->serial(), TYPE_COUNT));
+		r->Assign(3, new IntervalVal(double(soa->refresh()), Seconds));
+		r->Assign(4, new IntervalVal(double(soa->retry()), Seconds));
+		r->Assign(5, new IntervalVal(double(soa->expire()), Seconds));
+		r->Assign(6, new IntervalVal(double(soa->minimum()), Seconds));
+
+		return r;
+		%}
+
+	function build_edns_additional(rr: DNS_rr): BroVal
+		%{
+		// We have to treat the additional record type in EDNS
+		// differently than a regular resource record.
+		RecordVal* r = new RecordVal(dns_edns_additional);
+
+		r->Assign(0, new Val(int(rr->answer_type()), TYPE_COUNT));
+		r->Assign(1, name_to_val(rr->rr_name()));
+
+		// Type = 0x29 or 41 = EDNS
+		r->Assign(2, new Val(rr->rr_type(), TYPE_COUNT));
+
+		// Sender's UDP payload size, per RFC 2671 4.3
+		r->Assign(3, new Val(rr->rr_class(), TYPE_COUNT));
+
+		// Need to break the TTL field into three components:
+		// initial: [------------- ttl (32) ---------------------]
+		// after:   [DO][ ext rcode (7)][ver # (8)][ Z field (16)]
+
+		unsigned int ercode =  (rr->rr_ttl() & 0xff000000) >> 24;
+		unsigned int version = (rr->rr_ttl() & 0x00ff0000) >> 16;
+		unsigned int z =       (rr->rr_ttl() & 0x0000ffff);
+
+		int rcode = rr->msg()->header()->rcode();
+		unsigned int return_error = (ercode << 8) | rcode;
+
+		r->Assign(4, new Val(return_error, TYPE_COUNT));
+		r->Assign(5, new Val(version, TYPE_COUNT));
+		r->Assign(6, new Val(z, TYPE_COUNT));
+		r->Assign(7, new IntervalVal(double(rr->rr_ttl()), Seconds));
+		r->Assign(8, new Val(rr->msg()->header()->qr() == 0, TYPE_COUNT));
+
+		return r;
+		%}
+
+	function process_dns_rr(rr: DNS_rr): bool
+		%{
+		const DNS_rdata* rd = rr->rr_rdata();
+
+		switch ( rr->rr_type() ) {
+		case TYPE_A:
+		case TYPE_A6:
+		case TYPE_AAAA:
+			if ( ! dns_A_reply )
+				break;
+
+#ifdef BROv6
+			::uint32 addr[4];
+#else
+			addr_type addr;
+#endif
+
+			if ( rr->rr_type() == TYPE_A )
+				{
+#ifdef BROv6
+				addr[0] = addr[1] = addr[2] = 0;
+				addr[3] = htonl(rd->type_a());
+#else
+				addr = htonl(rd->type_a());
+#endif
+				}
+
+			else
+				{
+#ifdef BROv6
+				for ( int i = 0; i < 4; ++i )
+					addr[i] = htonl((*rd->type_aaaa())[i]);
+#else
+				addr = htonl((*rd->type_aaaa())[3]);
+#endif
+				}
+
+			// For now, we treat A6 and AAAA as A's.  Given the
+			// above fixes for BROv6, we can probably now introduce
+			// their own events.  (It's not clear A6 is needed -
+			// do we actually encounter it in practice?)
+			bro_event_dns_A_reply(connection()->bro_analyzer(),
+				connection()->bro_analyzer()->Conn(),
+				dns_msg_val_->Ref(), build_dns_answer(rr), addr);
+			break;
+
+		case TYPE_NS:
+			if ( dns_NS_reply )
+				{
+				bro_event_dns_NS_reply(connection()->bro_analyzer(),
+					connection()->bro_analyzer()->Conn(),
+					dns_msg_val_->Ref(),
+					build_dns_answer(rr),
+					name_to_val(rr->rr_rdata()->type_ns()));
+				}
+			break;
+
+		case TYPE_CNAME:
+			if ( dns_CNAME_reply )
+				{
+				bro_event_dns_CNAME_reply(
+					connection()->bro_analyzer(),
+					connection()->bro_analyzer()->Conn(),
+					dns_msg_val_->Ref(),
+					build_dns_answer(rr),
+					name_to_val(rr->rr_rdata()->type_cname()));
+				}
+			break;
+
+		case TYPE_SOA:
+			if ( dns_SOA_reply )
+				{
+				bro_event_dns_SOA_reply(
+					connection()->bro_analyzer(),
+					connection()->bro_analyzer()->Conn(),
+					dns_msg_val_->Ref(),
+					build_dns_answer(rr),
+					build_dns_soa(rr->rr_rdata()->type_soa()));
+				}
+			break;
+
+		case TYPE_PTR:
+			if ( dns_PTR_reply )
+				{
+				bro_event_dns_PTR_reply(
+					connection()->bro_analyzer(),
+					connection()->bro_analyzer()->Conn(),
+					dns_msg_val_->Ref(),
+					build_dns_answer(rr),
+					name_to_val(rr->rr_rdata()->type_ptr()));
+				}
+			break;
+
+		case TYPE_MX:
+			if ( dns_MX_reply )
+				{
+				bro_event_dns_MX_reply(
+					connection()->bro_analyzer(),
+					connection()->bro_analyzer()->Conn(),
+					dns_msg_val_->Ref(),
+					build_dns_answer(rr),
+					name_to_val(rr->rr_rdata()->type_mx()->name()),
+					rr->rr_rdata()->type_mx()->preference());
+				}
+			break;
+
+		case TYPE_EDNS:
+			if ( dns_EDNS_addl )
+				{
+				bro_event_dns_EDNS_addl(
+					connection()->bro_analyzer(),
+					connection()->bro_analyzer()->Conn(),
+					dns_msg_val_->Ref(),
+					build_edns_additional(rr));
+				}
+			break;
+		}
+
+		return true;
+		%}
+};
+
+refine typeattr DNS_header += &let {
+	proc_dns_header = $context.flow.process_dns_header(this);
+};
+
+refine typeattr DNS_question += &let {
+	proc_dns_question = $context.flow.process_dns_question(this);
+};
+
+refine typeattr DNS_rr += &let {
+	proc_dns_rr = $context.flow.process_dns_rr(this);
+};
diff --git a/src/dns-protocol.pac b/src/dns-protocol.pac
new file mode 100644
index 0000000000..d5b8036e11
--- /dev/null
+++ b/src/dns-protocol.pac
@@ -0,0 +1,217 @@
+# $Id:$
+
+enum DNS_answer_type {
+	DNS_QUESTION,
+	DNS_ANSWER,
+	DNS_AUTHORITY,
+	DNS_ADDITIONAL,
+};
+
+enum DNS_rdata_type {
+	TYPE_A		= 1,
+	TYPE_NS		= 2,
+	TYPE_MD		= 3,
+	TYPE_MF		= 4,
+	TYPE_CNAME	= 5,
+	TYPE_SOA	= 6,
+	TYPE_MB		= 7,
+	TYPE_MG		= 8,
+	TYPE_MR		= 9,
+	TYPE_NULL	= 10,
+	TYPE_WKS	= 11,
+	TYPE_PTR	= 12,
+	TYPE_HINFO	= 13,
+	TYPE_MINFO	= 14,
+	TYPE_MX		= 15,
+	TYPE_TXT	= 16,
+	TYPE_AAAA	= 28,  # IPv6 (RFC 1886)
+	TYPE_NBS	= 32,  # Netbios name (RFC 1002)
+	TYPE_A6		= 38,  # IPv6 with indirection (RFC 2874)
+	TYPE_EDNS	= 41,  # < OPT pseudo-RR (RFC 2671)
+};
+
+#                                    1  1  1  1  1  1
+#      0  1  2  3  4  5  6  7  8  9  0  1  2  3  4  5
+#    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+#    |                      ID                       |
+#    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+#    |QR|   Opcode  |AA|TC|RD|RA|   Z    |   RCODE   |
+#    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+#    |                    QDCOUNT                    |
+#    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+#    |                    ANCOUNT                    |
+#    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+#    |                    NSCOUNT                    |
+#    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+#    |                    ARCOUNT                    |
+#    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+type DNS_header = record {
+	id	: uint16;
+	qrop	: uint16;
+	qdcount	: uint16;
+	ancount	: uint16;
+	nscount	: uint16;
+	arcount	: uint16;
+} &let {
+	qr: bool	= qrop >> 15;
+	opcode: uint8 	= (qrop >> 11) & 0xf;
+	aa: bool 	= (qrop >> 10) & 0x1;
+	tc: bool 	= (qrop >> 9) & 0x1;
+	rd: bool 	= (qrop >> 8) & 0x1;
+	ra: bool 	= (qrop >> 7) & 0x1;
+	z: uint8 	= (qrop >> 4) & 0x7;
+	rcode: uint8 	= qrop & 0xf;
+};
+
+type DNS_label(msg: DNS_message) = record {
+	length:		uint8;
+	data: 		case label_type of {
+		0 ->	label: 	bytestring &length = length;
+		3 ->	ptr_lo:	uint8;
+	};
+} &let {
+	label_type: uint8 	= length >> 6;
+	last: bool		= (length == 0) || (label_type == 3);
+
+	# A name pointer.
+	ptr: DNS_name(msg)
+		withinput $context.flow.get_pointer(msg.sourcedata,
+			((length & 0x3f) << 8) | ptr_lo)
+		&if(label_type == 3);
+
+	clear_pointer_set: bool = $context.flow.reset_pointer_set()
+		&if(last);
+};
+
+type DNS_name(msg: DNS_message) = record {
+	labels:		DNS_label(msg)[] &until($element.last);
+};
+
+type DNS_char_string = record {
+	length:		uint8;
+	data:		bytestring &length = length;
+};
+
+#                                    1  1  1  1  1  1
+#      0  1  2  3  4  5  6  7  8  9  0  1  2  3  4  5
+#    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+#    |                                               |
+#    /                     QNAME                     /
+#    /                                               /
+#    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+#    |                     QTYPE                     |
+#    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+#    |                     QCLASS                    |
+#    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+type DNS_question(msg: DNS_message) = record {
+	qname:	DNS_name(msg);
+	qtype:	uint16;
+	qclass:	uint16;
+};
+
+type DNS_rdata_MX(msg: DNS_message) = record {
+	preference:	uint16;
+	name:		DNS_name(msg);
+};
+
+type DNS_rdata_SOA(msg: DNS_message) = record {
+	mname:		DNS_name(msg);
+	rname:		DNS_name(msg);
+	serial:		uint32;
+	refresh:	uint32;
+	retry:		uint32;
+	expire:		uint32;
+	minimum:	uint32;
+};
+
+type DNS_rdata_WKS = record {
+	address:	uint32;
+	protocol:	uint8;
+	bitmap:		bytestring &restofdata;
+};
+
+type DNS_rdata_HINFO = record {
+	cpu:		DNS_char_string;
+	os:		DNS_char_string;
+};
+
+type DNS_rdata(msg: DNS_message,
+		rr_type: uint16,
+		rr_class: uint16) = case rr_type of {
+
+	TYPE_A 	   -> type_a: 	  uint32 &check(rr_class == CLASS_IN);
+	TYPE_NS    -> type_ns:	  DNS_name(msg);
+	TYPE_CNAME -> type_cname: DNS_name(msg);
+	TYPE_SOA   -> type_soa:	  DNS_rdata_SOA(msg);
+	TYPE_PTR   -> type_ptr:	  DNS_name(msg);
+	TYPE_MX    -> type_mx:	  DNS_rdata_MX(msg);
+	TYPE_AAAA, TYPE_A6
+	           -> type_aaaa:  uint32[4];
+
+	# TYPE_WKS   -> type_wks:   DNS_rdata_WKS;
+	# TYPE_HINFO -> type_hinfo: DNS_rdata_HINFO;
+	# TYPE_TXT   -> type_txt:   bytestring &restofdata;
+
+	# 3 -> type_md:		DNS_rdata_MD;
+	# 4 -> type_mf:		DNS_rdata_MF;
+	# 7 -> type_mb:		DNS_rdata_MB;
+	# 8 -> type_mg:		DNS_rdata_MG;
+	# 9 -> type_mr:		DNS_rdata_MR;
+	# 10 -> type_null:	DNS_rdata_NULL;
+	# 14 -> type_minfo:	DNS_rdata_MINFO;
+	# 32 -> type_nbs:	  DNS_rdata_NBS;
+
+	default -> unknown:	bytestring &restofdata;
+};
+
+#                                    1  1  1  1  1  1
+#      0  1  2  3  4  5  6  7  8  9  0  1  2  3  4  5
+#    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+#    |                                               |
+#    /                                               /
+#    /                      NAME                     /
+#    |                                               |
+#    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+#    |                      TYPE                     |
+#    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+#    |                     CLASS                     |
+#    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+#    |                      TTL                      |
+#    |                                               |
+#    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+#    |                   RDLENGTH                    |
+#    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--|
+#    /                     RDATA                     /
+#    /                                               /
+#    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+type DNS_rr(msg: DNS_message, answer_type: DNS_answer_type) = record {
+	rr_name:	DNS_name(msg);
+	rr_type:	uint16;
+	rr_class:	uint16;
+	rr_ttl:		uint32;
+	rr_rdlength:	uint16;
+	rr_rdata:	DNS_rdata(msg, rr_type, rr_class) &length = rr_rdlength;
+};
+
+#    +---------------------+
+#    |        Header       |
+#    +---------------------+
+#    |       Question      | the question for the name server
+#    +---------------------+
+#    |        Answer       | RRs answering the question
+#    +---------------------+
+#    |      Authority      | RRs pointing toward an authority
+#    +---------------------+
+#    |      Additional     | RRs holding additional information
+#    +---------------------+
+
+type DNS_message = record {
+	header:		DNS_header;
+	question:	DNS_question(this)[header.qdcount];
+	answer:		DNS_rr(this, DNS_ANSWER)[header.ancount];
+	authority:	DNS_rr(this, DNS_AUTHORITY)[header.nscount];
+	additional:	DNS_rr(this, DNS_ADDITIONAL)[header.arcount];
+} &byteorder = bigendian, &exportsourcedata;
diff --git a/src/dns-rw.bif b/src/dns-rw.bif
new file mode 100644
index 0000000000..07e03172c0
--- /dev/null
+++ b/src/dns-rw.bif
@@ -0,0 +1,99 @@
+# $Id: dns-rw.bif,v 1.1.2.6 2006/01/11 21:20:09 jason Exp $
+
+# This is called for every message - snake out the header.
+rewriter dns_message%(is_orig: bool, msg: dns_msg, len: count%)
+	%{
+	DNS_Rewriter* dnsrewriter = ((DNS_Rewriter*) @TRACE@);
+	dnsrewriter->SetOrig(is_orig);
+	dnsrewriter->DnsCopyHeader(msg);
+	%}
+
+# Rewrite an DNS request.
+rewriter dns_request%(query: string, msg: dns_msg, qtype: count, qclass: count%)
+	%{
+	DNS_Rewriter* dnsrewriter = ((DNS_Rewriter*) @TRACE@);
+	dnsrewriter->DnsCopyQuery(query->AsString(), qtype, qclass);
+	%}
+
+# Called for every reply, contains the query part.
+rewriter dns_reply_question%(msg: dns_msg,
+				qname: string, qtype: count, qclass: count%)
+	%{
+	DNS_Rewriter* dnsrewriter = ((DNS_Rewriter*) @TRACE@);
+	dnsrewriter->DnsCopyQuery(qname->AsString(), qtype, qclass);
+	%}
+
+
+# Rewrite an DNS NS reply.
+rewriter dns_NS_reply%(msg: dns_msg, dns_ans: dns_answer, name: string%)
+	%{
+	DNS_Rewriter* dnsrewriter = ((DNS_Rewriter*) @TRACE@);
+	dnsrewriter->DnsCopyNS(dns_ans, name->AsString());
+	%}
+
+
+rewriter dns_A_reply%(msg: dns_msg, ans: dns_answer, a: addr%)
+	%{
+	DNS_Rewriter* dnsrewriter = ((DNS_Rewriter*) @TRACE@);
+#ifdef BROv6
+	dnsrewriter->DnsCopyA(ans, to_v4_addr(a));
+#else
+	dnsrewriter->DnsCopyA(ans, a);
+#endif
+	%}
+
+rewriter dns_AAAA_reply%(msg: dns_msg, ans: dns_answer, a: addr, astr: string%)
+	%{
+	DNS_Rewriter* dnsrewriter = ((DNS_Rewriter*) @TRACE@);
+	dnsrewriter->DnsCopyAAAA(ans, a, astr->AsString());
+	%}
+
+rewriter dns_CNAME_reply%(msg: dns_msg, ans: dns_answer, name: string%)
+	%{
+	DNS_Rewriter* dnsrewriter = ((DNS_Rewriter*) @TRACE@);
+	dnsrewriter->DnsCopyCNAME(ans, name->AsString());
+	%}
+
+rewriter dns_TXT_reply%(msg: dns_msg, ans: dns_answer, content: string%)
+	%{
+	DNS_Rewriter* dnsrewriter = ((DNS_Rewriter*) @TRACE@);
+	dnsrewriter->DnsCopyTXT(ans, content->AsString());
+	%}
+
+rewriter dns_PTR_reply%(msg: dns_msg, ans: dns_answer, name: string%)
+	%{
+	DNS_Rewriter* dnsrewriter = ((DNS_Rewriter*) @TRACE@);
+	dnsrewriter->DnsCopyPTR(ans, name->AsString());
+	%}
+
+rewriter dns_MX_reply%(msg: dns_msg, ans: dns_answer,
+			name: string, preference: count%)
+	%{
+	DNS_Rewriter* dnsrewriter = ((DNS_Rewriter*) @TRACE@);
+	dnsrewriter->DnsCopyMX(ans, name->AsString(), preference);
+	%}
+
+rewriter dns_SOA_reply%(msg: dns_msg, ans: dns_answer, soa: dns_soa%)
+	%{
+	DNS_Rewriter* dnsrewriter = ((DNS_Rewriter*) @TRACE@);
+	dnsrewriter->DnsCopySOA(ans, soa);
+	%}
+
+rewriter dns_EDNS_addl%(msg: dns_msg, ans: dns_edns_additional%)
+	%{
+	DNS_Rewriter* dnsrewriter = ((DNS_Rewriter*) @TRACE@);
+	dnsrewriter->DnsCopyEDNSaddl(ans);
+	%}
+
+
+# Call this at end of processing a DNS packet.
+rewriter dns_end%(commit: bool%)
+	%{
+	DNS_Rewriter* dnsrewriter = ((DNS_Rewriter*) @TRACE@);
+
+	// We have been building the packet in the DNS rewriter, now
+	// write the whole packet here at once, then commit it.
+	@WRITE@(dnsrewriter->IsOrig(), dnsrewriter->PacketSize(),
+		(const u_char*) dnsrewriter->Packet());
+	@TRACE@->CommitPackets(commit);
+	%}
diff --git a/src/dns.pac b/src/dns.pac
new file mode 100644
index 0000000000..dc5ca586f8
--- /dev/null
+++ b/src/dns.pac
@@ -0,0 +1,11 @@
+# $Id:$
+
+%include bro.pac
+
+analyzer DNS withcontext {
+	connection:	DNS_Conn;
+	flow:		DNS_Flow;
+};
+
+%include dns-protocol.pac
+%include dns-analyzer.pac
diff --git a/src/dns_tcp.pac b/src/dns_tcp.pac
new file mode 100644
index 0000000000..f2c7f5f523
--- /dev/null
+++ b/src/dns_tcp.pac
@@ -0,0 +1,47 @@
+# $Id:$
+
+%extern{
+#include "dns_pac.h"	// for DNS_Conn
+%}
+
+%include bro.pac
+
+analyzer DNS_on_TCP withcontext {
+	connection:	DNS_TCP_Conn;
+	flow:		DNS_TCP_Flow;
+};
+
+type DNS_TCP_PDU(is_orig: bool) = record {
+	msglen:		uint16;
+	msg:		bytestring &length = msglen;
+} &byteorder = bigendian, &length = 2 + msglen, &let {
+	deliver: bool = $context.connection.deliver_dns_message(is_orig, msg);
+};
+
+connection DNS_TCP_Conn(bro_analyzer: BroAnalyzer) {
+	upflow = DNS_TCP_Flow(true);
+	downflow = DNS_TCP_Flow(false);
+
+	%member{
+		DNS::DNS_Conn *abstract_dns_connection_;
+	%}
+
+	%init{
+		abstract_dns_connection_ = new DNS::DNS_Conn(bro_analyzer);
+	%}
+
+	%cleanup{
+		delete abstract_dns_connection_;
+		abstract_dns_connection_ = 0;
+	%}
+
+	function deliver_dns_message(is_orig: bool, msg: const_bytestring): bool
+		%{
+		abstract_dns_connection_->NewData(is_orig, msg.begin(), msg.end());
+		return true;
+		%}
+};
+
+flow DNS_TCP_Flow(is_orig: bool) {
+	flowunit = DNS_TCP_PDU(is_orig) withcontext(connection, this);
+};
diff --git a/src/epmapper.pac b/src/epmapper.pac
new file mode 100644
index 0000000000..c9eea3c139
--- /dev/null
+++ b/src/epmapper.pac
@@ -0,0 +1,92 @@
+# $Id:$
+
+type epmapper_lookup_req = record {
+	inquiry_type	: uint32;
+	# object	: uuid_p_t;
+	object		: uint32;
+	# interface_id	: rpc_if_id_p_t;
+	interface_id	: uint32;
+	vers_option	: uint32;
+	entry_handle	: context_handle;
+};
+
+type epmapper_map_req = record {
+};
+
+type epm_uuid 	= record {
+	if_uuid		: uuid;
+	if_version	: uint16;
+} &byteorder = littleendian;
+
+type epm_port 	= uint16 &byteorder = bigendian;
+type epm_ip 	= uint32 &byteorder = bigendian;
+
+enum epm_protocol {
+	EPM_PROTOCOL_TCP	= 0x07,
+	EPM_PROTOCOL_UDP	= 0x08,
+	EPM_PROTOCOL_IP		= 0x09,
+	EPM_PROTOCOL_UUID	= 0x0d,
+};
+
+type epm_lhs_data(length: uint16, protocol: uint8) = case protocol of {
+	EPM_PROTOCOL_UUID 	-> uuid : epm_uuid;
+	default			-> other: bytestring &length = length;
+};
+
+type epm_rhs_data(length: uint16, protocol: uint8) = case protocol of {
+	EPM_PROTOCOL_TCP	-> tcp: 	epm_port;
+	EPM_PROTOCOL_UDP	-> udp: 	epm_port;
+	EPM_PROTOCOL_IP		-> ip: 		epm_ip;
+	default			-> other: 	bytestring &length = length;
+};
+
+type epm_lhs = record {
+	length		: uint16;
+	protocol	: uint8;
+	data		: epm_lhs_data(length - 1, protocol);
+} &byteorder = littleendian;
+
+type epm_rhs(protocol: uint8) = record {
+	length		: uint16;
+	data		: epm_rhs_data(length, protocol);
+} &byteorder = littleendian;
+
+type epm_floor = record {
+	lhs		: epm_lhs;
+	rhs		: epm_rhs(protocol);
+} &let {
+	protocol = lhs.protocol;
+};
+
+type epm_tower = record {
+	num_floors	: uint16;
+	floors		: epm_floor[num_floors];
+} &byteorder = littleendian;
+
+type epm_twr_p = record {
+	# What's the difference between length and tower_length?
+	# Why have both?
+	ref		: uint32;
+	length		: uint32;
+	tower_length	: uint32;
+	tower		: epm_tower &length = tower_length;
+};
+
+type epm_tower_array = record {
+	# A lot of questions here ...
+	# Why does the array include max_count, offset, and actual_count?
+	# Is it because it's a "conformant varying array"?
+	# How long should the towers be? actual_count or offset + actual_count?
+
+	max_count	: uint32;
+	offset		: uint32;
+	actual_count	: uint32;
+	towers		: epm_twr_p[actual_count];
+};
+
+type epmapper_map_resp = record {
+	entry_handle	: context_handle;
+	num_towers	: uint32;
+	towers		: epm_tower_array;
+	return_code	: uint32;
+};
diff --git a/src/event.bif b/src/event.bif
new file mode 100644
index 0000000000..3171b02dde
--- /dev/null
+++ b/src/event.bif
@@ -0,0 +1,468 @@
+# $Id: event.bif 6942 2009-11-16 03:54:08Z vern $
+
+# Declare to bifcl the following types as enum types.
+declare enum dce_rpc_ptype;
+declare enum dce_rpc_if_id;
+declare enum rpc_status;
+
+event bro_init%(%);
+event bro_done%(%);
+
+# bro_signal is initiated in main.cc
+# event bro_signal%(signal: count%);
+
+event dns_mapping_valid%(dm: dns_mapping%);
+event dns_mapping_unverified%(dm: dns_mapping%);
+event dns_mapping_new_name%(dm: dns_mapping%);
+event dns_mapping_lost_name%(dm: dns_mapping%);
+event dns_mapping_name_changed%(old_dm: dns_mapping, new_dm: dns_mapping%);
+event dns_mapping_altered%(dm: dns_mapping, old_addrs: addr_set, new_addrs: addr_set%);
+
+event new_connection%(c: connection%);
+event new_connection_contents%(c: connection%);
+event new_packet%(c: connection, p: pkt_hdr%);
+event connection_attempt%(c: connection%);
+event connection_established%(c: connection%);
+event partial_connection%(c: connection%);
+event connection_partial_close%(c: connection%);
+event connection_finished%(c: connection%);
+event connection_half_finished%(c: connection%);
+event connection_rejected%(c: connection%);
+event connection_reset%(c: connection%);
+event connection_pending%(c: connection%);
+event connection_state_remove%(c: connection%);
+event connection_SYN_packet%(c: connection, pkt: SYN_packet%);
+event connection_first_ACK%(c: connection%);
+event connection_timeout%(c: connection%);
+event connection_reused%(c: connection%);
+event connection_status_update%(c: connection%);
+event connection_EOF%(c: connection, is_orig: bool%);
+event connection_external%(c: connection, tag: string%);
+event expected_connection_seen%(c: connection, a: count%);
+
+event protocol_confirmation%(c: connection, atype: count, aid: count%);
+event protocol_violation%(c: connection, atype: count, aid: count, reason: string%);
+
+event packet_contents%(c: connection, contents: string%);
+event tcp_packet%(c: connection, is_orig: bool, flags: string, seq: count, ack: count, len: count, payload: string%);
+event tcp_option%(c: connection, is_orig: bool, opt: count, optlen: count%);
+event tcp_contents%(c: connection, is_orig: bool, seq: count, contents: string%);
+event tcp_rexmit%(c: connection, is_orig: bool, seq: count, len: count, data_in_flight: count, window: count%);
+event udp_request%(u: connection%);
+event udp_reply%(u: connection%);
+event udp_contents%(u: connection, is_orig: bool, contents: string%);
+event udp_session_done%(u: connection%);
+event icmp_sent%(c: connection, icmp: icmp_conn%);
+event icmp_echo_request%(c: connection, icmp: icmp_conn, id: count, seq: count, payload: string%);
+event icmp_echo_reply%(c: connection, icmp: icmp_conn, id: count, seq: count, payload: string%);
+event icmp_unreachable%(c: connection, icmp: icmp_conn, code: count, context: icmp_context%);
+event icmp_time_exceeded%(c: connection, icmp: icmp_conn, code: count, context: icmp_context%);
+event net_stats_update%(t: time, ns: net_stats%);
+event conn_stats%(c: connection, os: endpoint_stats, rs: endpoint_stats%);
+event conn_weird%(name: string, c: connection%);
+event conn_weird_addl%(name: string, c: connection, addl: string%);
+event flow_weird%(name: string, src: addr, dst: addr%);
+event net_weird%(name: string%);
+event load_sample%(samples: load_sample_info, CPU: interval, dmem: int%);
+event rexmit_inconsistency%(c: connection, t1: string, t2: string%);
+event ack_above_hole%(c: connection%);
+event content_gap%(c: connection, is_orig: bool, seq: count, length: count%);
+event gap_report%(dt: interval, info: gap_info%);
+event inconsistent_option%(c: connection%);
+event bad_option%(c: connection%);
+event bad_option_termination%(c: connection%);
+
+event arp_request%(mac_src: string, mac_dst: string, SPA: addr, SHA: string,
+			TPA: addr, THA: string%);
+event arp_reply%(mac_src: string, mac_dst: string, SPA: addr, SHA: string,
+			TPA: addr, THA: string%);
+event bad_arp%(SPA: addr, SHA: string, TPA: addr, THA: string, explanation: string%);
+
+event bittorrent_peer_handshake%(c: connection, is_orig: bool,
+			reserved: string, info_hash: string, peer_id: string%);
+event bittorrent_peer_keep_alive%(c: connection, is_orig: bool%);
+event bittorrent_peer_choke%(c: connection, is_orig: bool%);
+event bittorrent_peer_unchoke%(c: connection, is_orig: bool%);
+event bittorrent_peer_interested%(c: connection, is_orig: bool%);
+event bittorrent_peer_not_interested%(c: connection, is_orig: bool%);
+event bittorrent_peer_have%(c: connection, is_orig: bool, piece_index: count%);
+event bittorrent_peer_bitfield%(c: connection, is_orig: bool, bitfield: string%);
+event bittorrent_peer_request%(c: connection, is_orig: bool, index: count,
+				begin: count, length: count%);
+event bittorrent_peer_piece%(c: connection, is_orig: bool, index: count,
+				begin: count, piece_length: count%);
+event bittorrent_peer_cancel%(c: connection, is_orig: bool, index: count,
+				begin: count, length: count%);
+event bittorrent_peer_port%(c: connection, is_orig: bool, listen_port: port%);
+event bittorrent_peer_unknown%(c: connection, is_orig: bool, message_id: count,
+				data: string%);
+event bittorrent_peer_weird%(c: connection, is_orig: bool, msg: string%);
+event bt_tracker_request%(c: connection, uri: string,
+				headers: bt_tracker_headers%);
+event bt_tracker_response%(c: connection, status: count,
+					headers: bt_tracker_headers,
+					peers: bittorrent_peer_set,
+					benc: bittorrent_benc_dir%);
+event bt_tracker_response_not_ok%(c: connection, status: count,
+					headers: bt_tracker_headers%);
+event bt_tracker_weird%(c: connection, is_orig: bool, msg: string%);
+
+event finger_request%(c: connection, full: bool, username: string, hostname: string%);
+event finger_reply%(c: connection, reply_line: string%);
+
+event gnutella_text_msg%(c: connection, orig: bool, headers: string%);
+event gnutella_binary_msg%(c: connection, orig: bool, msg_type: count,
+				ttl: count, hops: count, msg_len: count,
+				payload: string, payload_len: count,
+				trunc: bool, complete: bool%);
+event gnutella_partial_binary_msg%(c: connection, orig: bool,
+					msg: string, len: count%);
+event gnutella_establish%(c: connection%);
+event gnutella_not_establish%(c: connection%);
+event gnutella_http_notify%(c: connection%);
+
+event ident_request%(c: connection, lport: port, rport: port%);
+event ident_reply%(c: connection, lport: port, rport: port, user_id: string, system: string%);
+event ident_error%(c: connection, lport: port, rport: port, line: string%);
+
+event login_failure%(c: connection, user: string, client_user: string, password: string, line: string%);
+event login_success%(c: connection, user: string, client_user: string, password: string, line: string%);
+event login_input_line%(c: connection, line: string%);
+event login_output_line%(c: connection, line: string%);
+event login_confused%(c: connection, msg: string, line: string%);
+event login_confused_text%(c: connection, line: string%);
+event login_terminal%(c: connection, terminal: string%);
+event login_display%(c: connection, display: string%);
+event login_prompt%(c: connection, prompt: string%);
+event rsh_request%(c: connection, client_user: string, server_user: string, line: string, new_session: bool%);
+event rsh_reply%(c: connection, client_user: string, server_user: string, line: string%);
+event excessive_line%(c: connection%);
+event authentication_accepted%(name: string, c: connection%);
+event authentication_rejected%(name: string, c: connection%);
+event authentication_skipped%(c: connection%);
+event activating_encryption%(c: connection%);
+
+event ftp_request%(c: connection, command: string, arg: string%) &group="ftp";
+event ftp_reply%(c: connection, code: count, msg: string, cont_resp: bool%) &group="ftp";
+
+event smtp_request%(c: connection, is_orig: bool, command: string, arg: string%) &group="smtp";
+event smtp_reply%(c: connection, is_orig: bool, code: count, cmd: string, msg: string, cont_resp: bool%) &group="smtp";
+event smtp_data%(c: connection, is_orig: bool, data: string%) &group="smtp";
+event smtp_unexpected%(c: connection, is_orig: bool, msg: string, detail: string%) &group="smtp";
+
+event mime_begin_entity%(c: connection%);
+event mime_next_entity%(c: connection%);
+event mime_end_entity%(c: connection%);
+event mime_one_header%(c: connection, h: mime_header_rec%);
+event mime_all_headers%(c: connection, hlist: mime_header_list%);
+event mime_segment_data%(c: connection, length: count, data: string%);
+event mime_entity_data%(c: connection, length: count, data: string%);
+event mime_all_data%(c: connection, length: count, data: string%);
+event mime_event%(c: connection, event_type: string, detail: string%);
+event mime_content_hash%(c: connection, content_len: count, hash_value: string%);
+
+event rpc_call%(c: connection, prog: count, ver: count, proc: count, status: count, start_time: time, call_len: count, reply_len: count%);
+
+event pm_request_null%(r: connection%);
+event pm_request_set%(r: connection, m: pm_mapping, success: bool%);
+event pm_request_unset%(r: connection, m: pm_mapping, success: bool%);
+event pm_request_getport%(r: connection, pr: pm_port_request, p: port%);
+event pm_request_dump%(r: connection, m: pm_mappings%);
+event pm_request_callit%(r: connection, call: pm_callit_request, p: port%);
+event pm_attempt_null%(r: connection, status: rpc_status%);
+event pm_attempt_set%(r: connection, status: rpc_status, m: pm_mapping%);
+event pm_attempt_unset%(r: connection, status: rpc_status, m: pm_mapping%);
+event pm_attempt_getport%(r: connection, status: rpc_status, pr: pm_port_request%);
+event pm_attempt_dump%(r: connection, status: rpc_status%);
+event pm_attempt_callit%(r: connection, status: rpc_status, call: pm_callit_request%);
+event pm_bad_port%(r: connection, bad_p: count%);
+
+event nfs_request_null%(n: connection%);
+event nfs_request_getattr%(n: connection, fh: string, attrs: nfs3_attrs%);
+event nfs_request_lookup%(n: connection, req: nfs3_lookup_args, rep: nfs3_lookup_reply%);
+event nfs_request_fsstat%(n: connection, root_fh: string, stat: nfs3_fsstat%);
+event nfs_attempt_null%(n: connection, status: count%);
+event nfs_attempt_getattr%(n: connection, status: count, fh: string%);
+event nfs_attempt_lookup%(n: connection, status: count, req: nfs3_lookup_args%);
+event nfs_attempt_fsstat%(n: connection, status: count, root_fh: string%);
+event nfs_reply_status%(n: connection, status: count%);
+
+event ntp_message%(u: connection, msg: ntp_msg, excess: string%);
+
+event netbios_session_message%(c: connection, is_orig: bool, msg_type: count, data_len: count%);
+event netbios_session_request%(c: connection, msg: string%);
+event netbios_session_accepted%(c: connection, msg: string%);
+event netbios_session_rejected%(c: connection, msg: string%);
+event netbios_session_raw_message%(c: connection, is_orig: bool, msg: string%);
+event netbios_session_ret_arg_resp%(c: connection, msg: string%);
+event netbios_session_keepalive%(c: connection, msg: string%);
+
+event smb_message%(c: connection, hdr: smb_hdr, is_orig: bool, cmd: string, body_length: count, body: string%);
+event smb_com_tree_connect_andx%(c: connection, hdr: smb_hdr, path: string, service: string%);
+event smb_com_tree_disconnect%(c: connection, hdr: smb_hdr%);
+event smb_com_nt_create_andx%(c: connection, hdr: smb_hdr, name: string%);
+event smb_com_transaction%(c: connection, hdr: smb_hdr, trans: smb_trans, data: smb_trans_data, is_orig: bool%);
+event smb_com_transaction2%(c: connection, hdr: smb_hdr, trans: smb_trans, data: smb_trans_data, is_orig: bool%);
+event smb_com_trans_mailslot%(c: connection, hdr: smb_hdr, trans: smb_trans, data: smb_trans_data, is_orig: bool%);
+event smb_com_trans_rap%(c: connection, hdr: smb_hdr, trans: smb_trans, data: smb_trans_data, is_orig: bool%);
+event smb_com_trans_pipe%(c: connection, hdr: smb_hdr, trans: smb_trans, data: smb_trans_data, is_orig: bool%);
+event smb_com_read_andx%(c: connection, hdr: smb_hdr, data: string%);
+event smb_com_write_andx%(c: connection, hdr: smb_hdr, data: string%);
+event smb_get_dfs_referral%(c: connection, hdr: smb_hdr, max_referral_level: count, file_name: string%);
+event smb_com_negotiate%(c: connection, hdr: smb_hdr%);
+event smb_com_negotiate_response%(c: connection, hdr: smb_hdr, dialect_index: count%);
+event smb_com_setup_andx%(c: connection, hdr: smb_hdr%);
+event smb_com_generic_andx%(c: connection, hdr: smb_hdr%);
+event smb_com_close%(c: connection, hdr: smb_hdr%);
+event smb_com_logoff_andx%(c: connection, hdr: smb_hdr%);
+event smb_error%(c: connection, hdr: smb_hdr, cmd: count, cmd_str: string, data: string%);
+
+event dns_message%(c: connection, is_orig: bool, msg: dns_msg, len: count%) &group="dns";
+event dns_request%(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count%) &group="dns";
+event dns_full_request%(%) &group="dns";
+event dns_rejected%(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count%) &group="dns";
+event dns_A_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr%) &group="dns";
+event dns_AAAA_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr, astr: string%) &group="dns";
+event dns_NS_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string%) &group="dns";
+event dns_CNAME_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string%) &group="dns";
+event dns_PTR_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string%) &group="dns";
+event dns_SOA_reply%(c: connection, msg: dns_msg, ans: dns_answer, soa: dns_soa%) &group="dns";
+event dns_WKS_reply%(c: connection, msg: dns_msg, ans: dns_answer%) &group="dns";
+event dns_HINFO_reply%(c: connection, msg: dns_msg, ans: dns_answer%) &group="dns";
+event dns_MX_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string, preference: count%) &group="dns";
+event dns_TXT_reply%(c: connection, msg: dns_msg, ans: dns_answer, str: string%) &group="dns";
+event dns_SRV_reply%(c: connection, msg: dns_msg, ans: dns_answer%) &group="dns";
+event dns_EDNS%(c: connection, msg: dns_msg, ans: dns_answer%) &group="dns";
+event dns_EDNS_addl%(c: connection, msg: dns_msg, ans: dns_edns_additional%) &group="dns";
+event dns_TSIG_addl%(c: connection, msg: dns_msg, ans: dns_tsig_additional%) &group="dns";
+
+# Generated at the end of processing a DNS packet.
+event dns_end%(c: connection, msg: dns_msg%) &group="dns";
+
+event dns_query_reply%(c: connection, msg: dns_msg, query: string,
+			qtype: count, qclass: count%) &group="dns";
+
+# Generated when a port 53 UDP message cannot be parsed as a DNS request.
+event non_dns_request%(c: connection, msg: string%) &group="dns";
+
+event dhcp_discover%(c: connection, msg: dhcp_msg, req_addr: addr%);
+event dhcp_offer%(c: connection, msg: dhcp_msg, mask: addr, router: dhcp_router_list, lease: interval, serv_addr: addr%);
+event dhcp_request%(c: connection, msg: dhcp_msg, req_addr: addr, serv_addr: addr%);
+event dhcp_decline%(c: connection, msg: dhcp_msg%);
+event dhcp_ack%(c: connection, msg: dhcp_msg, mask: addr, router: dhcp_router_list, lease: interval, serv_addr: addr%);
+event dhcp_nak%(c: connection, msg: dhcp_msg%);
+event dhcp_release%(c: connection, msg: dhcp_msg%);
+event dhcp_inform%(c: connection, msg: dhcp_msg%);
+
+event http_request%(c: connection, method: string, original_URI: string, unescaped_URI: string, version: string%) &group="http-request";
+event http_reply%(c: connection, version: string, code: count, reason: string%) &group="http-reply";
+event http_header%(c: connection, is_orig: bool, name: string, value: string%) &group="http-header";
+event http_all_headers%(c: connection, is_orig: bool, hlist: mime_header_list%) &group="http-header";
+event http_begin_entity%(c: connection, is_orig: bool%) &group="http-body";
+event http_end_entity%(c: connection, is_orig: bool%) &group="http-body";
+event http_content_type%(c: connection, is_orig: bool, ty: string, subty: string%) &group="http-body";
+event http_entity_data%(c: connection, is_orig: bool, length: count, data: string%) &group="http-body";
+event http_message_done%(c: connection, is_orig: bool, stat: http_message_stat%) &group="http-body";
+event http_event%(c: connection, event_type: string, detail: string%);
+event http_stats%(c: connection, stats: http_stats_rec%);
+
+event ssh_client_version%(c: connection, version: string%);
+event ssh_server_version%(c: connection, version: string%);
+
+event ssl_certificate_seen%(c: connection, is_server: bool%);
+event ssl_certificate%(c: connection, cert: X509, is_server: bool%);
+event ssl_conn_attempt%(c: connection, version: count, ciphers: cipher_suites_list%);
+event ssl_conn_server_reply%(c: connection, version: count, ciphers: cipher_suites_list%);
+event ssl_conn_established%(c: connection, version: count, cipher_suite: count%);
+event ssl_conn_reused%(c: connection, session_id: SSL_sessionID%);
+event ssl_conn_alert%(c: connection, version: count, level: count,
+			description: count%);
+event ssl_conn_weak%(name: string, c: connection%);
+
+event ssl_session_insertion%(c: connection, id: SSL_sessionID%);
+event process_X509_extensions%(c: connection, ex: X509_extension%);
+event ssl_X509_error%(c: connection, err: int, err_string: string%);
+
+event stp_create_endp%(c: connection, e: int, is_orig: bool%);
+event stp_resume_endp%(e: int%);
+event stp_correlate_pair%(e1: int, e2: int%);
+event stp_remove_pair%(e1: int, e2: int%);
+event stp_remove_endp%(e: int%);
+
+event dce_rpc_message%(c: connection, is_orig: bool, ptype: dce_rpc_ptype, msg: string%);
+event dce_rpc_bind%(c: connection, uuid: string%);
+event dce_rpc_request%(c: connection, opnum: count, stub: string%);
+event dce_rpc_response%(c: connection, opnum: count, stub: string%);
+
+# DCE/RPC endpoint mapper events.
+event epm_map_response%(c: connection, uuid: string, p: port, h: addr%);
+
+# "length" is the length of body (not including the frame header)
+event ncp_request%(c: connection, frame_type: count, length: count, func: count%);
+event ncp_reply%(c: connection, frame_type: count, length: count, req_frame: count, req_func: count, completion_code: count%);
+
+event interconn_stats%(c: connection, os: interconn_endp_stats, rs: interconn_endp_stats%);
+event interconn_remove_conn%(c: connection%);
+
+event backdoor_stats%(c: connection, os: backdoor_endp_stats, rs: backdoor_endp_stats%);
+event backdoor_remove_conn%(c: connection%);
+event ssh_signature_found%(c: connection, is_orig: bool%);
+event telnet_signature_found%(c: connection, is_orig: bool, len: count%);
+event rlogin_signature_found%(c: connection, is_orig: bool, num_null: count, len: count%);
+event root_backdoor_signature_found%(c: connection%);
+event ftp_signature_found%(c: connection%);
+event napster_signature_found%(c: connection%);
+event gnutella_signature_found%(c: connection%);
+event kazaa_signature_found%(c: connection%);
+event http_signature_found%(c: connection%);
+event http_proxy_signature_found%(c: connection%);
+event smtp_signature_found%(c: connection%);
+event irc_signature_found%(c: connection%);
+event gaobot_signature_found%(c: connection%);
+
+event pop3_request%(c: connection, is_orig: bool,
+			command: string, arg: string%);
+event pop3_reply%(c: connection, is_orig: bool, cmd: string, msg: string%);
+event pop3_data%(c: connection, is_orig: bool, data: string%);
+event pop3_unexpected%(c: connection, is_orig: bool,
+			msg: string, detail: string%);
+event pop3_terminate%(c: connection, is_orig: bool, msg: string%);
+event pop3_login_success%(c: connection, is_orig: bool,
+				user: string, password: string%);
+event pop3_login_failure%(c: connection, is_orig: bool,
+				user: string, password: string%);
+
+event irc_client%(c: connection, prefix: string, data: string%);
+event irc_server%(c: connection, prefix: string, data: string%);
+event irc_request%(c: connection, prefix: string,
+			command: string, arguments: string%);
+event irc_reply%(c: connection, prefix: string,
+			code: count, params: string%);
+event irc_message%(c: connection, prefix: string,
+			command: string, message: string%);
+event irc_enter_message%(c: connection, nick: string, real_name: string%);
+event irc_quit_message%(c: connection, nick: string, message: string%);
+event irc_privmsg_message%(c: connection, source: string,
+				target: string, message: string%);
+event irc_notice_message%(c: connection, source: string,
+				target: string, message: string%);
+event irc_squery_message%(c: connection, source: string,
+				target: string, message: string%);
+event irc_join_message%(c: connection, info_list: irc_join_list%);
+event irc_part_message%(c: connection, nick: string,
+				chans: string_set, message: string%);
+event irc_nick_message%(c: connection, who: string, newnick: string%);
+event irc_invalid_nick%(c: connection%);
+event irc_network_info%(c: connection, users: count,
+				services: count, servers: count%);
+event irc_server_info%(c: connection, users: count,
+				services: count, servers: count%);
+event irc_channel_info%(c: connection, chans: count%);
+event irc_who_line%(c: connection, target_nick: string,
+				channel: string, user: string, host: string,
+				server: string, nick: string, params: string,
+				hops: count, real_name: string%);
+event irc_who_message%(c: connection, mask: string, oper: bool%);
+event irc_whois_message%(c: connection, server: string, users: string%);
+event irc_whois_user_line%(c: connection, nick: string,
+				user: string, host: string, real_name: string%);
+event irc_whois_operator_line%(c: connection, nick: string%);
+event irc_whois_channel_line%(c: connection, nick: string,
+				chans: string_set%);
+event irc_oper_message%(c: connection, user: string, password: string%);
+event irc_oper_response%(c: connection, got_oper: bool%);
+event irc_kick_message%(c: connection, prefix: string,
+			chans: string, users: string, comment: string%);
+event irc_error_message%(c: connection, prefix: string, message: string%);
+event irc_invite_message%(c: connection, prefix: string,
+				nickname: string, channel: string%);
+event irc_mode_message%(c: connection, prefix: string, params: string%);
+event irc_squit_message%(c: connection, prefix: string,
+				server: string, message: string%);
+event irc_names_info%(c: connection, c_type: string,
+				channel: string, users: string_set%);
+event irc_dcc_message%(c: connection, prefix: string, target: string,
+				dcc_type: string, argument: string,
+				address: addr, dest_port: count, size: count%);
+event irc_global_users%(c: connection, prefix: string, msg: string%);
+event irc_user_message%(c: connection, user: string, host: string, server: string, real_name: string%);
+event irc_channel_topic%(c: connection, channel: string, topic: string%);
+event irc_password_message%(c: connection, password: string%);
+
+event file_transferred%(c: connection, prefix: string, descr: string, mime_type: string%);
+event file_virus%(c: connection, virname: string%);
+
+event signature_match%(state: signature_state, msg: string, data: string%);
+
+# Generated if a handler finds an identification of the software
+# used on a system.
+event software_version_found%(c: connection, host: addr,
+				s: software, descr: string%);
+
+# Generated if a handler finds a version but cannot parse it.
+event software_parse_error%(c: connection, host: addr, descr: string%);
+
+# Generated once for each raw (unparsed) software identification.
+event software_unparsed_version_found%(c: connection, host: addr, str: string%);
+
+# Generated when an operating system has been fingerprinted.
+event OS_version_found%(c: connection, host: addr, OS: OS_version%);
+
+# Generated when an IP address gets mapped for the first time.
+event anonymization_mapping%(orig: addr, mapped: addr%);
+
+# Generated when a connection to a remote Bro has been established.
+event remote_connection_established%(p: event_peer%);
+
+# Generated when a connection to a remote Bro has been closed.
+event remote_connection_closed%(p: event_peer%);
+
+# Generated when a remote connection's handshake has been completed.
+event remote_connection_handshake_done%(p: event_peer%);
+
+# Generated for each event registered by a remote peer.
+event remote_event_registered%(p: event_peer, name: string%);
+
+# Generated when a connection to a remote Bro causes some error.
+event remote_connection_error%(p: event_peer, reason: string%);
+
+# Generated when a remote peer sends us some capture filter.
+event remote_capture_filter%(p: event_peer, filter: string%);
+
+# Generated after a call to send_state() when all data has been successfully
+# sent to the remote side.
+event finished_send_state%(p: event_peer%);
+
+# Generated if state synchronization detects an inconsistency.
+event remote_state_inconsistency%(operation: string, id: string,
+				  expected_old: string, real_old: string%);
+
+# Generated for communication log message.
+event remote_log%(level: count, src: count, msg: string%);
+
+# Generated when a remote peer has answered to our ping.
+event remote_pong%(p: event_peer, seq: count,
+			d1: interval, d2: interval, d3: interval%);
+
+# Generated each time a remote state access has been replayed locally
+# (primarily for debugging).
+event remote_state_access_performed%(id: string, v: any%);
+
+# Generated each time profiling_file is updated.  "expensive" means that
+# this event corresponds to heavier-weight profiling as indicated by the
+# expensive_profiling_multiple variable.
+event profiling_update%(f: file, expensive: bool%);
+
+event file_opened%(f: file%);
+
+# Each print statement generates an event.
+event print_hook%(f:file, s: string%);
+
+# Generated for &rotate_interval.
+event rotate_interval%(f: file%);
+
+# Generated for &rotate_size.
+event rotate_size%(f: file%);
+
+event netflow_v5_header%(h: nf_v5_header%);
+event netflow_v5_record%(r: nf_v5_record%);
diff --git a/src/finger-rw.bif b/src/finger-rw.bif
new file mode 100644
index 0000000000..a32d9b30c6
--- /dev/null
+++ b/src/finger-rw.bif
@@ -0,0 +1,22 @@
+# Write a finger request to trace.
+rewriter finger_request %(full: bool, username: string, hostpart: string%)
+	%{
+	const int is_orig = 1;
+	if ( full )
+		@WRITE@(is_orig, "/W ");
+	@WRITE@(is_orig, username->AsString());
+	if ( hostpart->Len() > 0 )
+		{
+		@WRITE@(is_orig, "@");
+		@WRITE@(is_orig, hostpart->AsString());
+		}
+	@WRITE@(is_orig, "\r\n");
+	%}
+
+# Write a finger reply to trace.
+rewriter finger_reply %(reply: string%)
+	%{
+	const int is_orig = 0;
+	@WRITE@(is_orig, reply->AsString());
+	@WRITE@(is_orig, "\r\n");
+	%}
diff --git a/src/ftp-rw.bif b/src/ftp-rw.bif
new file mode 100644
index 0000000000..f12931ab28
--- /dev/null
+++ b/src/ftp-rw.bif
@@ -0,0 +1,27 @@
+# Rewrite an FTP request.
+rewriter ftp_request%(command: string, arg: string%)
+	%{
+	const int is_orig = 1;
+	@WRITE@(is_orig, command->AsString());
+	if ( command->Len() > 0 && arg->Len() > 0 )
+		@WRITE@(is_orig, " ");
+	@WRITE@(is_orig, arg->AsString());
+	@WRITE@(is_orig, "\r\n");
+	%}
+
+# Rewrite an FTP reply.
+rewriter ftp_reply%(code: count, msg: string, cont_resp: bool%)
+	%{
+	const int is_orig = 0;
+
+	if ( code > 0 )
+		{
+		@WRITE@(is_orig, fmt("%03lu", (unsigned long) code));
+		if ( cont_resp )
+			@WRITE@(is_orig, "-");
+		else
+			@WRITE@(is_orig, " ");
+		}
+	@WRITE@(is_orig, msg->AsString());
+	@WRITE@(is_orig, "\r\n");
+	%}
diff --git a/src/http-analyzer.pac b/src/http-analyzer.pac
new file mode 100644
index 0000000000..38402a9d67
--- /dev/null
+++ b/src/http-analyzer.pac
@@ -0,0 +1,432 @@
+# $Id:$
+
+%extern{
+#include <ctype.h>
+
+// Used by unescape_URI().
+extern int is_reserved_URI_char(unsigned char ch);
+extern int is_unreserved_URI_char(unsigned char ch);
+%}
+
+# Remember to call bytestring::free() on the result.
+function to_upper(s: const_bytestring): bytestring
+	%{
+	char* buf = new char[s.length() + 1];
+	const char* sp = (const char*) s.begin();
+
+	for ( int i = 0; i < s.length(); ++i )
+		if ( islower(sp[i]) )
+			buf[i] = toupper(sp[i]);
+		else
+			buf[i] = sp[i];
+
+	buf[s.length()] = '\0';
+
+	return bytestring((uint8*) buf, s.length());
+	%}
+
+connection HTTP_Conn(bro_analyzer: BroAnalyzer) {
+	upflow = HTTP_Flow(true);
+	downflow = HTTP_Flow(false);
+};
+
+flow HTTP_Flow(is_orig: bool) {
+	flowunit = HTTP_PDU(is_orig) withcontext (connection, this);
+
+	# States.
+	%member{
+		int content_length_;
+		DeliveryMode delivery_mode_;
+		bytestring end_of_multipart_;
+
+		double msg_start_time_;
+		int msg_begin_seq_;
+		int msg_header_end_seq_;
+
+		bool build_headers_;
+		vector<BroVal> headers_;
+	%}
+
+	%init{
+		content_length_ = 0;
+		delivery_mode_ = UNKNOWN_DELIVERY_MODE;
+
+		msg_start_time_ = 0;
+		msg_begin_seq_ = 0;
+		msg_header_end_seq_ = -1;
+
+		build_headers_ = (::http_all_headers != 0);
+	%}
+
+	%cleanup{
+		end_of_multipart_.free();
+	%}
+
+	function content_length(): int
+		%{
+		return content_length_;
+		%}
+
+	function delivery_mode(): DeliveryMode
+		%{
+		return delivery_mode_;
+		%}
+
+	function end_of_multipart(): const_bytestring
+		%{
+		return end_of_multipart_;
+		%}
+
+	# Methods.
+	function http_request(method: const_bytestring, uri: const_bytestring,
+				vers: HTTP_Version): bool
+		%{
+		if ( ::http_request )
+			{
+			bytestring unescaped_uri = unescape_uri(uri);
+			bro_event_http_request(connection()->bro_analyzer(),
+				connection()->bro_analyzer()->Conn(),
+				bytestring_to_val(method),
+				bytestring_to_val(uri),
+				bytestring_to_val(unescaped_uri),
+				bytestring_to_val(${vers.vers_str}));
+			unescaped_uri.free();
+			}
+
+		http_message_begin();
+
+		return true;
+		%}
+
+	function http_reply(vers: HTTP_Version, code: int,
+				reason: const_bytestring): bool
+		%{
+		if ( ::http_reply )
+			{
+			bro_event_http_reply(connection()->bro_analyzer(),
+				connection()->bro_analyzer()->Conn(),
+				bytestring_to_val(${vers.vers_str}), code,
+				bytestring_to_val(reason));
+			}
+
+		http_message_begin();
+
+		return true;
+		%}
+
+	function build_http_header_val(name: const_bytestring,
+	                               value: const_bytestring): BroVal
+		%{
+		RecordVal* header_record = new RecordVal(mime_header_rec);
+
+		StringVal* name_val = 0;
+		if ( name.length() > 0 )
+			{
+			// Make it all uppercase.
+			name_val = new StringVal(name.length(),
+						(const char*) name.begin());
+			name_val->ToUpper();
+			}
+		else
+			name_val = new StringVal("");
+
+		header_record->Assign(0, name_val);
+		header_record->Assign(1, bytestring_to_val(value));
+
+		return header_record;
+		%}
+
+	function extract_boundary(value: const_bytestring): bytestring
+		%{
+		const char* boundary_prefix = "boundary=";
+		const char* boundary_begin = strcasestr(
+						(const char*) value.begin(),
+						boundary_prefix);
+
+		if ( ! boundary_begin )
+			return bytestring();
+
+		boundary_begin += 9;
+
+		const char* boundary_end = strcasestr(boundary_begin, ";");
+		if ( ! boundary_end )
+			boundary_end = (const char*) value.end();
+
+		return bytestring((const uint8*) boundary_begin,
+					(const uint8*) boundary_end);
+		%}
+
+	function is_end_of_multipart(line: const_bytestring): bool
+		%{
+		if ( line.length() < 4 + end_of_multipart_.length() )
+			return false;
+
+		int len = end_of_multipart_.length();
+
+		// line =?= "--" end_of_multipart_ "--"
+		return ( line[0] == '-' && line[1] == '-' &&
+			 line[len + 2] == '-' && line[len + 3] == '-' &&
+			 strncmp((const char*) line.begin() + 2,
+				(const char*) end_of_multipart_.begin(),
+				len) == 0 );
+		%}
+
+	function http_header(name_colon: const_bytestring,
+	                     value: const_bytestring): bool
+		%{
+		const_bytestring name(
+			name_colon.begin(),
+			name_colon.length() > 0 ?
+				name_colon.end() - 1 :
+				name_colon.end());
+
+		if ( bytestring_casecmp(name, "CONTENT-LENGTH") == 0 )
+			{
+			content_length_ = bytestring_to_int(value, 10);
+			delivery_mode_ = CONTENT_LENGTH;
+			}
+
+		else if ( bytestring_casecmp(name, "TRANSFER-ENCODING") == 0 )
+			{
+			if ( bytestring_caseprefix(value, "CHUNKED") )
+				delivery_mode_ = CHUNKED;
+			}
+
+		else if ( bytestring_casecmp(name, "CONTENT-TYPE") == 0 )
+			{
+			if ( bytestring_caseprefix(value, "MULTIPART") )
+				{
+				end_of_multipart_.free();
+				end_of_multipart_ = extract_boundary(value);
+				if ( end_of_multipart_.length() > 0 )
+					delivery_mode_ = MULTIPART;
+				}
+			}
+
+		if ( ::http_header )
+			{
+			bro_event_http_header(connection()->bro_analyzer(),
+				connection()->bro_analyzer()->Conn(),
+				is_orig(),
+				bytestring_to_val(name)->ToUpper(),
+				bytestring_to_val(value));
+			}
+
+		if ( build_headers_ )
+			headers_.push_back(build_http_header_val(name, value));
+
+		return true;
+		%}
+
+	function build_http_headers_val(): BroVal
+		%{
+		TableVal* t = new TableVal(mime_header_list);
+
+		for ( unsigned int i = 0; i < headers_.size(); ++i )
+			{ // index starting from 1
+			Val* index = new Val(i + 1, TYPE_COUNT);
+			t->Assign(index, headers_[i]);
+			Unref(index);
+			}
+
+		return t;
+		%}
+
+	function gen_http_all_headers(): void
+		%{
+		if ( ::http_all_headers )
+			{
+			bro_event_http_all_headers(connection()->bro_analyzer(),
+						connection()->bro_analyzer()->Conn(),
+						is_orig(),
+						build_http_headers_val());
+			}
+
+		headers_.clear();
+		%}
+
+	function http_end_of_headers(headers: HTTP_Headers): bool
+		%{
+		if ( delivery_mode_ != CHUNKED && build_headers_ )
+			gen_http_all_headers();
+
+		// Check if this is the first set of headers
+		// (i.e. not headers after chunks).
+		if ( msg_header_end_seq_ == -1 )
+			msg_header_end_seq_ = flow_buffer_->data_seq();
+
+		return true;
+		%}
+
+	function http_message_begin(): void
+		%{
+		msg_start_time_ = network_time();
+		if ( ::http_begin_entity )
+			{
+			bro_event_http_begin_entity(connection()->bro_analyzer(),
+							connection()->bro_analyzer()->Conn(), is_orig());
+			}
+		%}
+
+	function build_http_message_stat(): BroVal
+		%{
+		int msg_header_length = msg_header_end_seq_ - msg_begin_seq_;
+		int msg_body_length =
+			flow_buffer_->data_seq() - msg_header_end_seq_;
+
+		bool msg_interrupted = false;
+
+		RecordVal* stat = new RecordVal(http_message_stat);
+		int field = 0;
+		stat->Assign(field++, new Val(msg_start_time_, TYPE_TIME));
+		stat->Assign(field++, new Val(msg_interrupted, TYPE_BOOL));
+		stat->Assign(field++, new StringVal(""));
+		stat->Assign(field++, new Val(msg_body_length, TYPE_COUNT));
+		stat->Assign(field++, new Val(0, TYPE_COUNT));
+		stat->Assign(field++, new Val(msg_header_length, TYPE_COUNT));
+
+		return stat;
+		%}
+
+	function http_message_done(pdu: HTTP_PDU): bool
+		%{
+		if ( ! headers_.empty() )
+			gen_http_all_headers();
+
+		if ( ::http_end_entity )
+			{
+			bro_event_http_end_entity(connection()->bro_analyzer(),
+							connection()->bro_analyzer()->Conn(), is_orig());
+			}
+
+		if ( ::http_message_done )
+			{
+			bro_event_http_message_done(connection()->bro_analyzer(),
+					connection()->bro_analyzer()->Conn(),
+					is_orig(), build_http_message_stat());
+			}
+
+		end_of_multipart_.free();
+
+		// Initialize for next message.
+		msg_begin_seq_ = flow_buffer_->data_seq();
+		msg_header_end_seq_ = -1;
+
+		return true;
+		%}
+
+	# Remember to call bytestring::free() on the result
+	function unescape_uri(uri: const_bytestring): bytestring
+		%{
+		const u_char* line = uri.begin();
+		const u_char* line_end = uri.end();
+		BroAnalyzer a = connection()->bro_analyzer();
+
+		// ### Copied from HTTP.cc
+		byte_vec decoded_URI = new u_char[line_end - line + 1];
+		byte_vec URI_p = decoded_URI;
+
+		// An 'unescaped_special_char' here means a character that
+		// *should* be escaped, but isn't in the URI.  A control
+		// character that appears directly in the URI would be an
+		// example.  The RFC implies that if we do not unescape the
+		// URI that we see in the trace, every character should be a
+		// printable one -- either reserved or unreserved (or '%').
+		//
+		// Counting the number of unescaped characters and generating
+		// a weird event on URI's with unescaped characters (which
+		// are rare) will let us locate strange-looking URI's in the
+		// trace -- those URI's are often interesting.
+
+		int unescaped_special_char = 0;
+
+		while ( line < line_end )
+			{
+			if ( *line == '%' )
+				{
+				++line;
+
+				if ( line == line_end )
+					{
+					// How to deal with % at end of line?
+					// *URI_p++ = '%';
+					if ( a )
+						a->Weird("illegal_%_at_end_of_URI");
+					break;
+					}
+
+				else if ( *line == '%' )
+					{
+					// Double '%' might be either due to
+					// software bug, or, more likely, an
+					// evasion (e.g., used by Nimda).
+					// *URI_p++ = '%';
+					if ( a )
+						a->Weird("double_%_in_URI");
+					--line;	// ignore the first '%'
+					}
+
+				else if ( isxdigit(line[0]) && isxdigit(line[1]) )
+					{
+					*URI_p++ = (decode_hex(line[0]) << 4) +
+						   decode_hex(line[1]);
+					++line; // place line at last hex digit
+					}
+
+				else
+					{
+					if ( a )
+						a->Weird("unescaped_%_in_URI");
+					*URI_p++ = '%';	// put back initial '%'
+					// Take char. without interpretation..
+					*URI_p++ = *line;
+					}
+				}
+
+			else
+				{
+				if ( ! is_reserved_URI_char(*line) &&
+				     ! is_unreserved_URI_char(*line) )
+					// Count these up as a way to compress
+					// the corresponding Weird event to a
+					// single instance.
+					++unescaped_special_char;
+				*URI_p++ = *line;
+				}
+
+			++line;
+			}
+
+		URI_p[0] = 0;
+
+		if ( unescaped_special_char && a )
+			a->Weird("unescaped_special_URI_char");
+
+		return bytestring(decoded_URI, URI_p - decoded_URI);
+		%}
+};
+
+refine typeattr HTTP_RequestLine += &let {
+	process_request: bool =
+		$context.flow.http_request(method, uri, version);
+};
+
+refine typeattr HTTP_ReplyLine += &let {
+	process_reply: bool =
+		$context.flow.http_reply(version, status.stat_num, reason);
+};
+
+refine typeattr HTTP_Header += &let {
+	process_header: bool =
+		$context.flow.http_header(name, value);
+};
+
+refine typeattr HTTP_Headers += &let {
+	process_end_of_headers: bool =
+		$context.flow.http_end_of_headers(this);
+};
+
+refine typeattr HTTP_PDU += &let {
+	process_message: bool =
+		$context.flow.http_message_done(this);
+};
diff --git a/src/http-protocol.pac b/src/http-protocol.pac
new file mode 100644
index 0000000000..1c9f4b4c17
--- /dev/null
+++ b/src/http-protocol.pac
@@ -0,0 +1,142 @@
+# $Id:$
+
+enum ExpectBody {
+	BODY_EXPECTED,
+	BODY_NOT_EXPECTED,
+	BODY_MAYBE,
+};
+
+enum DeliveryMode {
+	UNKNOWN_DELIVERY_MODE,
+	CONTENT_LENGTH,
+	CHUNKED,
+	MULTIPART,
+};
+
+##       token          = 1*<any CHAR except CTLs or separators>
+##       separators     = "(" | ")" | "<" | ">" | "@"
+##                      | "," | ";" | ":" | "\" | <">
+##                      | "/" | "[" | "]" | "?" | "="
+##                      | "{" | "}" | SP | HT
+##      reserved    = ";" | "/" | "?" | ":" | "@" | "&" | "=" | "+" |
+##                    "$" | ","
+
+type HTTP_TOKEN	= RE/[^()<>@,;:\\"\/\[\]?={} \t]+/;
+type HTTP_WS	= RE/[ \t]*/;
+type HTTP_URI	= RE/[[:alnum:][:punct:]]+/;
+
+type HTTP_PDU(is_orig: bool) = case is_orig of {
+	true ->		request:	HTTP_Request;
+	false ->	reply:		HTTP_Reply;
+};
+
+type HTTP_Request = record {
+	request:	HTTP_RequestLine;
+	msg:		HTTP_Message(BODY_MAYBE);
+};
+
+function expect_reply_body(reply_status: int): ExpectBody
+	%{
+	// TODO: check if the request is "HEAD"
+	if ( (reply_status >= 100 && reply_status < 200) ||
+	     reply_status == 204 || reply_status == 304 )
+		return BODY_NOT_EXPECTED;
+	return BODY_EXPECTED;
+	%}
+
+type HTTP_Reply = record {
+	reply:		HTTP_ReplyLine;
+	msg:		HTTP_Message(expect_reply_body(reply.status.stat_num));
+};
+
+type HTTP_RequestLine = record {
+	method:		HTTP_TOKEN;
+	:		HTTP_WS;
+	uri:		HTTP_URI;
+	:		HTTP_WS;
+	version:	HTTP_Version;
+} &oneline;
+
+type HTTP_ReplyLine = record {
+	version:	HTTP_Version;
+	:		HTTP_WS;
+	status:		HTTP_Status;
+	:		HTTP_WS;
+	reason:		bytestring &restofdata;
+} &oneline;
+
+type HTTP_Status = record {
+	stat_str:	RE/[0-9]{3}/;
+} &let {
+	stat_num: int = bytestring_to_int(stat_str, 10);
+};
+
+type HTTP_Version = record {
+	:		"HTTP/";
+	vers_str:	RE/[0-9]+\.[0-9]+/;
+} &let {
+	vers_num: double = bytestring_to_double(vers_str);
+};
+
+type HTTP_Headers = HTTP_Header[] &until($input.length() == 0);
+
+type HTTP_Message(expect_body: ExpectBody) = record {
+	headers:	HTTP_Headers;
+	body_or_not:	case expect_body of {
+		BODY_NOT_EXPECTED	-> none:	empty;
+		default			-> body:	HTTP_Body(expect_body);
+	};
+};
+
+# Multi-line headers are supported by allowing header names to be
+# empty.
+#
+type HTTP_HEADER_NAME = RE/|([^: \t]+:)/;
+type HTTP_Header = record {
+	name:		HTTP_HEADER_NAME &transient;
+	:		HTTP_WS;
+	value:		bytestring &restofdata &transient;
+} &oneline;
+
+type MIME_Line = record {
+	line:	bytestring &restofdata &transient;
+} &oneline;
+
+type MIME_Lines = MIME_Line[]
+	&until($context.flow.is_end_of_multipart($input));
+
+# TODO: parse multipart message according to MIME
+type HTTP_Body(expect_body: ExpectBody) =
+		case $context.flow.delivery_mode() of {
+
+	CONTENT_LENGTH	-> body: bytestring
+				&length = $context.flow.content_length(),
+				&chunked;
+
+	CHUNKED		-> chunks: HTTP_Chunks;
+
+	MULTIPART	-> multipart: MIME_Lines;
+
+	default		-> unknown: HTTP_UnknownBody(expect_body);
+};
+
+type HTTP_UnknownBody(expect_body: ExpectBody) = case expect_body of {
+	BODY_MAYBE, BODY_NOT_EXPECTED	-> maybenot: empty;
+	BODY_EXPECTED			-> rest: bytestring &restofflow &chunked;
+};
+
+type HTTP_Chunks = record {
+	chunks:		HTTP_Chunk[] &until($element.chunk_length == 0);
+	headers:	HTTP_Headers;
+};
+
+type HTTP_Chunk = record {
+	length_line:	bytestring &oneline;
+	data:		bytestring &length = chunk_length &chunked;
+	opt_crlf:	case chunk_length of {
+		0	-> none: empty;
+		default	-> crlf: bytestring &oneline &check(trailing_crlf == "");
+	};
+} &let {
+	chunk_length: int = bytestring_to_int(length_line, 16);
+};
diff --git a/src/http-rw.bif b/src/http-rw.bif
new file mode 100644
index 0000000000..c839dcaf2a
--- /dev/null
+++ b/src/http-rw.bif
@@ -0,0 +1,61 @@
+%%{
+#include "HTTP.h"
+
+BroString* encode_URI(BroString* URI)
+	{
+	byte_vec encoded_URI = new unsigned char[URI->Len() * 3 + 1];
+	byte_vec end_of_URI = URI->Bytes() + URI->Len();
+
+	byte_vec q = encoded_URI;
+	for ( byte_vec p = URI->Bytes(); p < end_of_URI; ++p )
+		{
+		if ( is_reserved_URI_char(*p) ||
+		     is_unreserved_URI_char(*p) || *p == '%' )
+			*q++ = *p;
+		else
+			escape_URI_char(*p, q);
+		}
+	*q = '\0';
+	return new BroString(1, encoded_URI, q - encoded_URI);
+	}
+%%}
+
+rewriter http_request%(method: string, URI: string, version: string%)
+	%{
+	const int is_orig = 1;
+
+	@WRITE@(is_orig, method->AsString());
+	@WRITE@(is_orig, " ");
+
+	@WRITE@(is_orig, URI->AsString());
+
+	@WRITE@(is_orig, " HTTP/");
+	@WRITE@(is_orig, version->AsString());
+	@WRITE@(is_orig, "\r\n");
+	%}
+
+rewriter http_reply%(version: string, code: count, reason: string%)
+	%{
+	const int is_orig = 0;
+
+	@WRITE@(is_orig, "HTTP/");
+	@WRITE@(is_orig, version->AsString());
+	@WRITE@(is_orig, " ");
+	@WRITE@(is_orig, fmt("%lu", (unsigned long) code));
+	@WRITE@(is_orig, " ");
+	@WRITE@(is_orig, reason->AsString());
+	@WRITE@(is_orig, "\r\n");
+	%}
+
+rewriter http_header%(is_orig: bool, name: string, value: string%)
+	%{
+	@WRITE@(is_orig, name->AsString());
+	@WRITE@(is_orig, ":");
+	@WRITE@(is_orig, value->AsString());
+	@WRITE@(is_orig, "\r\n");
+	%}
+
+rewriter http_data%(is_orig: bool, data: string%)
+	%{
+	@WRITE@(is_orig, data->AsString());
+	%}
diff --git a/src/http.pac b/src/http.pac
new file mode 100644
index 0000000000..217215e998
--- /dev/null
+++ b/src/http.pac
@@ -0,0 +1,12 @@
+# $Id:$
+
+%include binpac.pac
+%include bro.pac
+
+analyzer HTTP withcontext {
+	connection:	HTTP_Conn;
+	flow:		HTTP_Flow;
+};
+
+%include http-protocol.pac
+%include http-analyzer.pac
diff --git a/src/ident-rw.bif b/src/ident-rw.bif
new file mode 100644
index 0000000000..290cbe6b34
--- /dev/null
+++ b/src/ident-rw.bif
@@ -0,0 +1,23 @@
+rewriter ident_request %(lport: port, rport: port%)
+	%{
+	const int is_orig = 1;
+	@WRITE@(is_orig, fmt("%u, %u\r\n", rport->Port(), lport->Port()));
+	%}
+
+rewriter ident_reply %(lport: port, rport: port, sys_str: string, id_str: string%)
+	%{
+	const int is_orig = 0;
+	@WRITE@(is_orig, fmt("%u, %u : USERID : ", rport->Port(), lport->Port()));
+	@WRITE@(is_orig, sys_str->AsString());
+	@WRITE@(is_orig, " : ");
+	@WRITE@(is_orig, id_str->AsString());
+	@WRITE@(is_orig, "\r\n");
+	%}
+
+rewriter ident_error %(lport: port, rport: port, msg_str: string%)
+	%{ 
+	const int is_orig = 0;
+	@WRITE@(is_orig, fmt("%u, %u : ERROR : ", rport->Port(), lport->Port()));
+	@WRITE@(is_orig, msg_str->AsString());
+	@WRITE@(is_orig, "\r\n");
+	%}
diff --git a/src/input.h b/src/input.h
new file mode 100644
index 0000000000..004d366748
--- /dev/null
+++ b/src/input.h
@@ -0,0 +1,54 @@
+// $Id: input.h 6219 2008-10-01 05:39:07Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#ifndef input_h
+#define input_h
+
+#include <vector>
+#include <string>
+using namespace std;
+
+#include "BroList.h"
+
+extern int yyparse();
+extern int yydebug;
+extern int brolex();
+extern char last_tok[128];
+
+extern void add_input_file(const char* file);
+
+// Adds the substrings (using the given delimiter) in a string to the
+// given namelist.
+extern void add_to_name_list(char* s, char delim, name_list& nl);
+
+extern void begin_RE();
+extern void end_RE();
+
+extern void do_atif(Expr* expr);
+extern void do_atifdef(const char* id);
+extern void do_atifndef(const char* id);
+extern void do_atelse();
+extern void do_atendif();
+
+extern int line_number;
+extern const char* filename;
+
+extern int bro_argc;
+extern char** bro_argv;
+extern const char* prog;
+
+extern name_list prefixes;	// -p flag
+extern char* command_line_policy;	// -e flag
+extern vector<string> params;
+
+class Stmt;
+extern Stmt* stmts;	// global statements
+
+extern int optimize;
+
+extern int nwarn;
+extern int nerr;
+extern int nruntime;
+
+#endif
diff --git a/src/main.cc b/src/main.cc
new file mode 100644
index 0000000000..21b8166267
--- /dev/null
+++ b/src/main.cc
@@ -0,0 +1,1018 @@
+// $Id: main.cc 6829 2009-07-09 09:12:59Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "config.h"
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <signal.h>
+#ifdef HAVE_GETOPT_H
+#include <getopt.h>
+#endif
+
+#ifdef USE_IDMEF
+extern "C" {
+#include <libidmef/idmefxml.h>
+}
+#endif
+
+#ifdef USE_OPENSSL
+extern "C" void OPENSSL_add_all_algorithms_conf(void);
+#endif
+
+#include "bsd-getopt-long.h"
+#include "input.h"
+#include "Active.h"
+#include "ScriptAnaly.h"
+#include "DNS_Mgr.h"
+#include "Frame.h"
+#include "Scope.h"
+#include "Event.h"
+#include "File.h"
+#include "Logger.h"
+#include "Net.h"
+#include "NetVar.h"
+#include "Var.h"
+#include "Timer.h"
+#include "Stmt.h"
+#include "Debug.h"
+#include "DFA.h"
+#include "RuleMatcher.h"
+#include "Anon.h"
+#include "Serializer.h"
+#include "RemoteSerializer.h"
+#include "PersistenceSerializer.h"
+#include "EventRegistry.h"
+#include "Stats.h"
+#include "ConnCompressor.h"
+#include "DPM.h"
+
+#include "binpac_bro.h"
+
+#ifndef HAVE_STRSEP
+extern "C" {
+char* strsep(char**, const char*);
+};
+#endif
+
+extern "C" {
+#include "setsignal.h"
+};
+
+#ifdef USE_PERFTOOLS
+HeapLeakChecker* heap_checker = 0;
+int perftools_leaks = 0;
+int perftools_profile = 0;
+#endif
+
+const char* prog;
+char* writefile = 0;
+name_list prefixes;
+DNS_Mgr* dns_mgr;
+TimerMgr* timer_mgr;
+Logger* bro_logger;
+Func* alarm_hook = 0;
+Stmt* stmts;
+EventHandlerPtr bro_signal = 0;
+EventHandlerPtr net_done = 0;
+RuleMatcher* rule_matcher = 0;
+PersistenceSerializer* persistence_serializer = 0;
+FileSerializer* event_serializer = 0;
+FileSerializer* state_serializer = 0;
+RemoteSerializer* remote_serializer = 0;
+EventPlayer* event_player = 0;
+EventRegistry* event_registry = 0;
+ProfileLogger* profiling_logger = 0;
+ProfileLogger* segment_logger = 0;
+SampleLogger* sample_logger = 0;
+int signal_val = 0;
+DPM* dpm = 0;
+int optimize = 0;
+int do_notice_analysis = 0;
+int rule_bench = 0;
+int print_loaded_scripts = 0;
+SecondaryPath* secondary_path = 0;
+ConnCompressor* conn_compressor = 0;
+extern char version[];
+char* command_line_policy = 0;
+vector<string> params;
+char* proc_status_file = 0;
+
+int FLAGS_use_binpac = false;
+
+// Keep copy of command line
+int bro_argc;
+char** bro_argv;
+
+const char* bro_version()
+	{
+#ifdef DEBUG
+	static char* debug_version = 0;
+
+	if ( ! debug_version )
+		{
+		int n = strlen(version) + sizeof("-debug") + 1;
+		debug_version = new char[n];
+		snprintf(debug_version, n, "%s%s", version, "-debug");
+		}
+
+	return debug_version;
+#else
+	return version;
+#endif
+	}
+
+void usage()
+	{
+	fprintf(stderr, "bro version %s\n", bro_version());
+	fprintf(stderr, "usage: %s [options] [file ...]\n", prog);
+	fprintf(stderr, "    <file>                         | policy file, or read stdin\n");
+#ifdef ACTIVE_MAPPING
+	fprintf(stderr, "    -a|--active-mapping <mapfile>  | use active mapping results\n");
+#endif
+	fprintf(stderr, "    -d|--debug-policy              | activate policy file debugging\n");
+	fprintf(stderr, "    -e|--exec <bro code>           | augment loaded policies by given code\n");
+	fprintf(stderr, "    -f|--filter <filter>           | tcpdump filter\n");
+	fprintf(stderr, "    -g|--dump-config               | dump current config into .state dir\n");
+	fprintf(stderr, "    -h|--help|-?                   | command line help\n");
+	fprintf(stderr, "    -i|--iface <interface>         | read from given interface\n");
+	fprintf(stderr, "    -l|--print-scripts             | print all loaded scripts\n");
+	fprintf(stderr, "    -p|--prefix <prefix>           | add given prefix to policy file resolution\n");
+	fprintf(stderr, "    -r|--readfile <readfile>       | read from given tcpdump file\n");
+	fprintf(stderr, "    -y|--flowfile <file>[=<ident>] | read from given flow file\n");
+	fprintf(stderr, "    -Y|--netflow <ip>:<prt>[=<id>] | read flow from socket\n");
+	fprintf(stderr, "    -s|--rulefile <rulefile>       | read rules from given file\n");
+	fprintf(stderr, "    -t|--tracefile <tracefile>     | activate execution tracing\n");
+	fprintf(stderr, "    -w|--writefile <writefile>     | write to given tcpdump file\n");
+	fprintf(stderr, "    -v|--version                   | print version and exit\n");
+	fprintf(stderr, "    -x|--print-state <file.bst>    | print contents of state file\n");
+	fprintf(stderr, "    -z|--analyze <analysis>        | run the specified policy file analysis\n");
+	fprintf(stderr, "    -A|--transfile <writefile>     | write transformed trace to given tcpdump file\n");
+#ifdef DEBUG
+	fprintf(stderr, "    -B|--debug <dbgstreams>        | Enable debugging output for selected streams\n");
+#endif
+	fprintf(stderr, "    -C|--no-checksums              | ignore checksums\n");
+	fprintf(stderr, "    -D|--dfa-size <size>           | DFA state cache size\n");
+	fprintf(stderr, "    -F|--force-dns                 | force DNS\n");
+	fprintf(stderr, "    -I|--print-id <ID name>        | print out given ID\n");
+	fprintf(stderr, "    -K|--md5-hashkey <hashkey>     | set key for MD5-keyed hashing\n");
+	fprintf(stderr, "    -L|--rule-benchmark            | benchmark for rules\n");
+	fprintf(stderr, "    -O|--optimize                  | optimize policy script\n");
+	fprintf(stderr, "    -P|--prime-dns                 | prime DNS\n");
+	fprintf(stderr, "    -R|--replay <events.bst>       | replay events\n");
+	fprintf(stderr, "    -S|--debug-rules               | enable rule debugging\n");
+	fprintf(stderr, "    -T|--re-level <level>          | set 'RE_level' for rules\n");
+	fprintf(stderr, "    -U|--status-file <file>        | Record process status in file\n");
+	fprintf(stderr, "    -W|--watchdog                  | activate watchdog timer\n");
+
+#ifdef USE_PERFTOOLS
+	fprintf(stderr, "    -m|--mem-leaks                 | show leaks  [perftools]\n");
+	fprintf(stderr, "    -M|--mem-profile               | record heap [perftools]\n");
+#endif
+#if 0 // Broken
+	fprintf(stderr, "    -X <file.bst>                  | print contents of state file as XML\n");
+#endif
+	fprintf(stderr, "    --pseudo-realtime[=<speedup>]  | enable pseudo-realtime for performance evaluation (default 1)\n");
+	fprintf(stderr, "    --load-seeds <file>            | load seeds from given file\n");
+	fprintf(stderr, "    --save-seeds <file>            | save seeds to given file\n");
+
+#ifdef USE_IDMEF
+	fprintf(stderr, "    -n|--idmef-dtd <idmef-msg.dtd> | specify path to IDMEF DTD file\n");
+#endif
+
+	fprintf(stderr, "    --use-binpac                   | use new-style BinPAC parsers when available\n");
+
+	fprintf(stderr, "    $BROPATH                       | file search path (%s)\n", bro_path());
+	fprintf(stderr, "    $BRO_PREFIXES                  | prefix list (%s)\n", bro_prefixes());
+
+	exit(1);
+	}
+
+void done_with_network()
+	{
+	set_processing_status("TERMINATING", "done_with_network");
+
+	// Release the port, which is important for checkpointing Bro.
+	if ( remote_serializer )
+		remote_serializer->StopListening();
+
+	// Cancel any pending alarms (watchdog, in particular).
+	(void) alarm(0);
+
+	if ( net_done )
+		{
+		val_list* args = new val_list;
+		args->append(new Val(timer_mgr->Time(), TYPE_TIME));
+		mgr.Drain();
+
+		// Don't propagate this event to remote clients.
+		mgr.Dispatch(new Event(net_done, args), true);
+		}
+
+	// Save state before expiring the remaining events/timers.
+	persistence_serializer->WriteState(false);
+
+	if ( profiling_logger )
+		profiling_logger->Log();
+
+	terminating = true;
+
+	dpm->Done();
+	timer_mgr->Expire();
+	mgr.Drain();
+
+	if ( remote_serializer )
+		remote_serializer->Finish();
+
+	net_finish(1);
+
+#ifdef USE_PERFTOOLS
+
+		if ( perftools_profile )
+			{
+			HeapProfilerDump("post net_run");
+			HeapProfilerStop();
+			}
+
+		if ( heap_checker && ! heap_checker->NoLeaks() )
+			{
+			fprintf(stderr, "Memory leaks - aborting.\n");
+			abort();
+			}
+#endif
+	}
+
+void terminate_bro()
+	{
+	set_processing_status("TERMINATING", "terminate_bro");
+
+	terminating = true;
+
+	EventHandlerPtr bro_done = internal_handler("bro_done");
+	if ( bro_done )
+		mgr.QueueEvent(bro_done, new val_list);
+
+	timer_mgr->Expire();
+	mgr.Drain();
+
+	if ( profiling_logger )
+		{
+		// FIXME: There are some occasional crashes in the memory
+		// allocation code when killing Bro.  Disabling this for now.
+		if ( ! (signal_val == SIGTERM || signal_val == SIGINT) )
+			profiling_logger->Log();
+
+		delete profiling_logger;
+		}
+
+	if ( remote_serializer )
+		remote_serializer->LogStats();
+
+	delete timer_mgr;
+	delete bro_logger;
+	delete dns_mgr;
+	delete persistence_serializer;
+	delete event_player;
+	delete event_serializer;
+	delete state_serializer;
+	delete event_registry;
+	delete secondary_path;
+	delete conn_compressor;
+	delete remote_serializer;
+	delete dpm;
+	}
+
+void termination_signal()
+	{
+	set_processing_status("TERMINATING", "termination_signal");
+
+	Val sval(signal_val, TYPE_COUNT);
+	message("received termination signal");
+	net_get_final_stats();
+	done_with_network();
+	net_delete();
+
+	terminate_bro();
+
+	// Close files after net_delete(), because net_delete()
+	// might write to connection content files.
+	BroFile::CloseCachedFiles();
+
+	delete rule_matcher;
+
+	exit(0);
+	}
+
+RETSIGTYPE sig_handler(int signo)
+	{
+	set_processing_status("TERMINATING", "sig_handler");
+	signal_val = signo;
+	return RETSIGVAL;
+	}
+
+static void atexit_handler()
+	{
+	set_processing_status("TERMINATED", "atexit");
+	}
+
+static void bro_new_handler()
+	{
+	out_of_memory("new");
+	}
+
+int main(int argc, char** argv)
+	{
+	bro_argc = argc;
+	bro_argv = new char* [argc];
+
+	for ( int i = 0; i < argc; i++ )
+		bro_argv[i] = copy_string(argv[i]);
+
+	name_list interfaces;
+	name_list read_files;
+	name_list netflows;
+	name_list flow_files;
+	name_list rule_files;
+	char* transformed_writefile = 0;
+	char* bst_file = 0;
+	char* id_name = 0;
+	char* events_file = 0;
+	char* seed_load_file = 0;
+	char* seed_save_file = 0;
+	int seed = 0;
+	int dump_cfg = false;
+	int to_xml = 0;
+	int do_watchdog = 0;
+	int override_ignore_checksums = 0;
+	int rule_debug = 0;
+	int RE_level = 4;
+
+	static struct option long_opts[] = {
+		{"debug-policy",	no_argument,		0,	'd'},
+		{"dump-config",		no_argument,		0,	'g'},
+		{"exec",		required_argument,	0,	'e'},
+		{"filter",		required_argument,	0,	'f'},
+		{"help",		no_argument,		0,	'h'},
+		{"iface",		required_argument,	0,	'i'},
+		{"print-scripts",	no_argument,		0,	'l'},
+		{"prefix",		required_argument,	0,	'p'},
+		{"readfile",		required_argument,	0,	'r'},
+		{"flowfile",		required_argument,	0,	'y'},
+		{"netflow",		required_argument,	0,	'Y'},
+		{"rulefile",		required_argument,	0,	's'},
+		{"tracefile",		required_argument,	0,	't'},
+		{"writefile",		required_argument,	0,	'w'},
+		{"version",		no_argument,		0,	'v'},
+		{"print-state",		required_argument,	0,	'x'},
+		{"analyze",		required_argument,	0,	'z'},
+		{"transfile",		required_argument,	0,	'A'},
+		{"no-checksums",	no_argument,		0,	'C'},
+		{"dfa-cache",		required_argument,	0,	'D'},
+		{"force-dns",		no_argument,		0,	'F'},
+		{"load-seeds",		required_argument,	0,	'G'},
+		{"save-seeds",		required_argument,	0,	'H'},
+		{"set-seed",		required_argument,	0,	'J'},
+		{"md5-hashkey",		required_argument,	0,	'K'},
+		{"rule-benchmark",	no_argument,		0,	'L'},
+		{"optimize",		no_argument,		0,	'O'},
+		{"prime-dns",		no_argument,		0,	'P'},
+		{"replay",		required_argument,	0,	'R'},
+		{"debug-rules",		no_argument,		0,	'S'},
+		{"re-level",		required_argument,	0,	'R'},
+		{"watchdog",		no_argument,		0,	'W'},
+		{"print-id",		required_argument,	0,	'I'},
+		{"status-file",		required_argument,	0,	'U'},
+
+#ifdef	ACTIVE_MAPPING
+		{"active-mapping",	no_argument,		0,	'a'},
+#endif
+#ifdef	DEBUG
+		{"debug",		required_argument,	0,	'B'},
+#endif
+#ifdef	USE_IDMEF
+		{"idmef-dtd",		required_argument,	0,	'n'},
+#endif
+#ifdef	USE_PERFTOOLS
+		{"mem-leaks",	no_argument,		0,	'm'},
+		{"mem-profile",	no_argument,		0,	'M'},
+#endif
+
+		{"pseudo-realtime",	optional_argument, 0,	'E'},
+
+		{"use-binpac",		no_argument, 		&FLAGS_use_binpac, 1},
+
+		{0,			0,			0,	0},
+	};
+
+	enum DNS_MgrMode dns_type = DNS_DEFAULT;
+
+#ifdef HAVE_NB_DNS
+	dns_type = getenv("BRO_DNS_FAKE") ? DNS_FAKE : DNS_DEFAULT;
+#else
+	dns_type = DNS_FAKE;
+#endif
+
+	RETSIGTYPE (*oldhandler)(int);
+
+	prog = argv[0];
+
+	prefixes.append("");	// "" = "no prefix"
+
+	char* p = getenv("BRO_PREFIXES");
+	if ( p )
+		add_to_name_list(p, ':', prefixes);
+
+	string active_file;
+
+#ifdef USE_IDMEF
+	string libidmef_dtd_path = "idmef-message.dtd";
+#endif
+
+	extern char* optarg;
+	extern int optind, opterr;
+
+	int long_optsind;
+	opterr = 0;
+
+	char opts[256];
+	safe_strncpy(opts, "A:a:B:D:e:f:I:i:K:n:p:R:r:s:T:t:U:w:x:X:y:Y:z:CFGHLOPSWdghlv",
+		     sizeof(opts));
+
+#ifdef USE_PERFTOOLS
+	strncat(opts, "mM", 2);
+#endif
+
+	int op;
+	while ( (op = getopt_long(argc, argv, opts, long_opts, &long_optsind)) != EOF )
+		switch ( op ) {
+		case 'a':
+#ifdef ACTIVE_MAPPING
+			fprintf(stderr, "Using active mapping file %s.\n", optarg);
+			active_file = optarg;
+#else
+			fprintf(stderr, "Bro not compiled for active mapping.\n");
+			exit(1);
+#endif
+			break;
+
+		case 'd':
+			fprintf(stderr, "Policy file debugging ON.\n");
+			g_policy_debug = true;
+			break;
+
+		case 'e':
+			command_line_policy = optarg;
+			break;
+
+		case 'f':
+			user_pcap_filter = optarg;
+			break;
+
+		case 'g':
+			dump_cfg = true;
+			break;
+
+		case 'i':
+			interfaces.append(optarg);
+			break;
+
+		case 'l':
+			print_loaded_scripts = 1;
+			break;
+
+		case 'p':
+			prefixes.append(optarg);
+			break;
+
+		case 'r':
+			read_files.append(optarg);
+			break;
+
+		case 's':
+			rule_files.append(optarg);
+			break;
+
+		case 't':
+			g_trace_state.SetTraceFile(optarg);
+			g_trace_state.TraceOn();
+			break;
+
+		case 'w':
+			writefile = optarg;
+			break;
+
+		case 'y':
+			flow_files.append(optarg);
+			break;
+
+		case 'z':
+			if ( streq(optarg, "notice") )
+				do_notice_analysis = 1;
+			else
+				{
+				fprintf(stderr, "Unknown analysis type: %s\n", optarg);
+				exit(1);
+				}
+			break;
+
+		case 'A':
+			transformed_writefile = optarg;
+			break;
+
+		case 'C':
+			override_ignore_checksums = 1;
+			break;
+
+		case 'D':
+			dfa_state_cache_size = atoi(optarg);
+			break;
+
+		case 'E':
+			pseudo_realtime = 1.0;
+			if ( optarg )
+				pseudo_realtime = atof(optarg);
+			break;
+
+		case 'F':
+			if ( dns_type != DNS_DEFAULT )
+				usage();
+			dns_type = DNS_FORCE;
+			break;
+
+		case 'G':
+			seed_load_file = optarg;
+			break;
+
+		case 'H':
+			seed_save_file = optarg;
+			break;
+
+		case 'I':
+			id_name = optarg;
+			break;
+
+		case 'J':
+			seed = atoi(optarg);
+			break;
+
+		case 'K':
+			hash_md5(strlen(optarg), (const u_char*) optarg,
+				 shared_hmac_md5_key);
+			hmac_key_set = 1;
+			break;
+
+		case 'L':
+			++rule_bench;
+			break;
+
+		case 'O':
+			optimize = 1;
+			break;
+
+		case 'P':
+			if ( dns_type != DNS_DEFAULT )
+				usage();
+			dns_type = DNS_PRIME;
+			break;
+
+		case 'R':
+			events_file = optarg;
+			break;
+
+		case 'S':
+			rule_debug = 1;
+			break;
+
+		case 'T':
+			RE_level = atoi(optarg);
+			break;
+
+		case 'U':
+			proc_status_file = optarg;
+			break;
+
+		case 'W':
+			do_watchdog = 1;
+			break;
+
+		case 'Y':
+			netflows.append(optarg);
+			break;
+
+		case 'h':
+			usage();
+			break;
+
+		case 'v':
+			fprintf(stderr, "%s version %s\n", prog, bro_version());
+			exit(0);
+			break;
+
+#ifdef USE_PERFTOOLS
+		case 'm':
+			perftools_leaks = 1;
+			break;
+
+		case 'M':
+			perftools_profile = 1;
+			break;
+#endif
+
+		case 'x':
+			bst_file = optarg;
+			break;
+#if 0 // broken
+		case 'X':
+			bst_file = optarg;
+			to_xml = 1;
+			break;
+#endif
+
+#ifdef USE_IDMEF
+		case 'n':
+			fprintf(stderr, "Using IDMEF XML DTD from %s\n", optarg);
+			libidmef_dtd_path = optarg;
+			break;
+#endif
+
+		case 'B':
+#ifdef DEBUG
+			debug_logger.EnableStreams(optarg);
+#endif
+			break;
+
+		case 0:
+			// This happens for long options that don't have
+			// a short-option equivalent.
+			break;
+
+		case '?':
+		default:
+			usage();
+			break;
+		}
+
+	atexit(atexit_handler);
+	set_processing_status("INITIALIZING", "main");
+
+	bro_start_time = current_time(true);
+
+	init_random_seed(seed, seed_load_file, seed_save_file);
+	// DEBUG_MSG("HMAC key: %s\n", md5_digest_print(shared_hmac_md5_key));
+	init_hash_function();
+
+#ifdef USE_OPENSSL
+	ERR_load_crypto_strings();
+	OPENSSL_add_all_algorithms_conf();
+	SSL_library_init();
+	SSL_load_error_strings();
+
+	// FIXME: On systems that don't provide /dev/urandom, OpenSSL doesn't
+	// seed the PRNG. We should do this here (but at least Linux, FreeBSD
+	// and Solaris provide /dev/urandom).
+#endif
+
+	if ( (interfaces.length() > 0 || netflows.length() > 0) && 
+	     (read_files.length() > 0 || flow_files.length() > 0 ))
+		usage();
+
+#ifdef USE_IDMEF
+	char* libidmef_dtd_path_cstr = new char[libidmef_dtd_path.length() + 1];
+	safe_strncpy(libidmef_dtd_path_cstr, libidmef_dtd_path.c_str(),
+		     libidmef_dtd_path.length());
+	globalsInit(libidmef_dtd_path_cstr);	// Init LIBIDMEF globals
+	createCurrentDoc("1.0");		// Set a global XML document
+#endif
+
+	timer_mgr = new PQ_TimerMgr("<GLOBAL>");
+	// timer_mgr = new CQ_TimerMgr();
+
+	add_input_file("bro.init");
+
+	if ( optind == argc &&
+	     read_files.length() == 0 && flow_files.length() == 0 &&
+	     ! (id_name || bst_file) && ! command_line_policy )
+		add_input_file("-");
+
+	// Process remaining arguments.  X=Y arguments indicate script
+	// variable/parameter assignments.  The remainder are treated
+	// as scripts to load.
+	while ( optind < argc )
+		{
+		if ( strchr(argv[optind], '=') )
+			params.push_back(argv[optind++]);
+		else
+			add_input_file(argv[optind++]);
+		}
+
+	if ( ! load_mapping_table(active_file.c_str()) )
+		{
+		fprintf(stderr, "Could not load active mapping file %s\n",
+			active_file.c_str());
+		exit(1);
+		}
+
+	dns_mgr = new DNS_Mgr(dns_type);
+
+	// It would nice if this were configurable.  This is similar to the
+	// chicken and the egg problem.  It would be configurable by parsing
+	// policy, but we can't parse policy without DNS resolution.
+	dns_mgr->SetDir(".state");
+
+	persistence_serializer = new PersistenceSerializer();
+	remote_serializer = new RemoteSerializer();
+	event_registry = new EventRegistry;
+
+	if ( events_file )
+		event_player = new EventPlayer(events_file);
+
+	init_event_handlers();
+
+	push_scope(0);
+
+	dpm = new DPM;
+	dpm->PreScriptInit();
+
+	// The leak-checker tends to produce some false
+	// positives (memory which had already been
+	// allocated before we start the checking is
+	// nevertheless reported; see perftools docs), thus
+	// we suppress some messages here.
+
+#ifdef USE_PERFTOOLS
+	{
+	HeapLeakChecker::Disabler disabler;
+#endif
+
+	yyparse();
+
+#ifdef USE_PERFTOOLS
+	}
+#endif
+
+	if ( nerr > 0 )
+		{
+		delete dns_mgr;
+		exit(1);
+		}
+
+	init_general_global_var();
+
+	// Parse rule files defined on the script level.
+	char* script_rule_files =
+		copy_string(internal_val("signature_files")->AsString()->CheckString());
+
+	char* tmp = script_rule_files;
+	char* s;
+	while ( (s = strsep(&tmp, " \t")) )
+		if ( *s )
+			rule_files.append(s);
+
+	if ( rule_files.length() > 0 )
+		{
+		rule_matcher = new RuleMatcher(RE_level);
+		if ( ! rule_matcher->ReadFiles(rule_files) )
+			{
+			delete dns_mgr;
+			exit(1);
+			}
+
+		if ( rule_debug )
+			rule_matcher->PrintDebug();
+		}
+
+	delete [] script_rule_files;
+
+	conn_compressor = new ConnCompressor();
+
+	if ( g_policy_debug )
+		// ### Add support for debug command file.
+		dbg_init_debugger(0);
+
+	Val* bro_alarm_file = internal_val("bro_alarm_file");
+	bro_logger = new Logger("bro",
+			bro_alarm_file ?
+				bro_alarm_file->AsFile() : new BroFile(stderr));
+
+	if ( (flow_files.length() == 0 || read_files.length() == 0) && 
+	     (netflows.length() == 0 || interfaces.length() == 0) )
+		{
+		Val* interfaces_val = internal_val("interfaces");
+		if ( interfaces_val )
+			{
+			char* interfaces_str =
+				interfaces_val->AsString()->Render();
+
+			if ( interfaces_str[0] != '\0' )
+				add_to_name_list(interfaces_str, ' ', interfaces);
+
+			delete [] interfaces_str;
+			}
+		}
+
+	// Initialize the secondary path, if it's needed.
+	secondary_path = new SecondaryPath();
+
+	if ( dns_type != DNS_PRIME )
+		net_init(interfaces, read_files, netflows, flow_files,
+			writefile, transformed_writefile,
+			user_pcap_filter ? user_pcap_filter : "tcp or udp",
+			secondary_path->Filter(), do_watchdog);
+
+	if ( ! reading_traces )
+		// Only enable actual syslog'ing for live input.
+		bro_logger->SetEnabled(enable_syslog);
+	else
+		bro_logger->SetEnabled(0);
+
+	BroFile::SetDefaultRotation(log_rotate_interval, log_max_size);
+
+	alarm_hook = internal_func("alarm_hook");
+	bro_signal = internal_handler("bro_signal");
+	net_done = internal_handler("net_done");
+
+	if ( ! g_policy_debug )
+		{
+		(void) setsignal(SIGTERM, sig_handler);
+		(void) setsignal(SIGINT, sig_handler);
+		(void) setsignal(SIGPIPE, SIG_IGN);
+		}
+
+	// Cooperate with nohup(1).
+	if ( (oldhandler = setsignal(SIGHUP, sig_handler)) != SIG_DFL )
+		(void) setsignal(SIGHUP, oldhandler);
+
+	if ( dns_type == DNS_PRIME )
+		{
+		dns_mgr->Verify();
+		dns_mgr->Resolve();
+
+		if ( ! dns_mgr->Save() )
+			{
+			bro_logger->Log("**Can't update DNS cache");
+			exit(1);
+			}
+
+		mgr.Drain();
+		delete dns_mgr;
+		exit(0);
+		}
+
+	// Just read state file from disk.
+	if ( bst_file )
+		{
+		if ( to_xml )
+			{
+			BinarySerializationFormat* b =
+				new BinarySerializationFormat();
+			XMLSerializationFormat* x = new XMLSerializationFormat();
+			ConversionSerializer s(b, x);
+			s.Convert(bst_file, "/dev/stdout");
+			}
+		else
+			{
+			FileSerializer s;
+			UnserialInfo info(&s);
+			info.print = stdout;
+			info.install_uniques = true;
+			s.Read(&info, bst_file);
+			}
+
+		exit(0);
+		}
+
+	if ( using_communication )
+		remote_serializer->Init();
+
+	persistence_serializer->SetDir((const char *)state_dir->AsString()->CheckString());
+
+	// Print the ID.
+	if ( id_name )
+		{
+		persistence_serializer->ReadAll(true, false);
+
+		ID* id = global_scope()->Lookup(id_name);
+		if ( ! id )
+			{
+			fprintf(stderr, "No such ID: %s\n", id_name);
+			exit(1);
+			}
+
+		ODesc desc;
+		desc.SetQuotes(true);
+		desc.SetIncludeStats(true);
+		id->DescribeExtended(&desc);
+
+		fprintf(stdout, "%s\n", desc.Description());
+		exit(0);
+		}
+
+	persistence_serializer->ReadAll(true, true);
+
+	if ( dump_cfg )
+		{
+		persistence_serializer->WriteConfig(false);
+		exit(0);
+		}
+
+	if ( profiling_interval > 0 )
+		{
+		profiling_logger = new ProfileLogger(profiling_file->AsFile(),
+			profiling_interval);
+
+		if ( segment_profiling )
+			segment_logger = profiling_logger;
+		}
+
+	if ( ! reading_live && ! reading_traces )
+		// Set up network_time to track real-time, since
+		// we don't have any other source for it.
+		network_time = current_time();
+
+	EventHandlerPtr bro_init = internal_handler("bro_init");
+	if ( bro_init )	//### this should be a function
+		mgr.QueueEvent(bro_init, new val_list);
+
+	EventRegistry::string_list* dead_handlers =
+		event_registry->UnusedHandlers();
+
+	if ( dead_handlers->length() > 0 && check_for_unused_event_handlers )
+		{
+		warn("event handlers never invoked:");
+		for ( int i = 0; i < dead_handlers->length(); ++i )
+			warn("\t", (*dead_handlers)[i]);
+		}
+
+	delete dead_handlers;
+
+	EventRegistry::string_list* alive_handlers =
+		event_registry->UsedHandlers();
+
+	if ( alive_handlers->length() > 0 && dump_used_event_handlers )
+		{
+		message("invoked event handlers:");
+		for ( int i = 0; i < alive_handlers->length(); ++i )
+			message((*alive_handlers)[i]);
+		}
+
+	delete alive_handlers;
+
+	if ( do_notice_analysis )
+		notice_analysis();
+
+	if ( stmts )
+		{
+		stmt_flow_type flow;
+		Frame f(current_scope()->Length(), 0, 0);
+		g_frame_stack.push_back(&f);
+		stmts->Exec(&f, flow);
+		g_frame_stack.pop_back();
+		}
+
+	if ( override_ignore_checksums )
+		ignore_checksums = 1;
+
+	dpm->PostScriptInit();
+
+	mgr.Drain();
+
+	have_pending_timers = ! reading_traces && timer_mgr->Size() > 0;
+
+	if ( io_sources.Size() > 0 || have_pending_timers )
+		{
+		if ( profiling_logger )
+			profiling_logger->Log();
+
+#ifdef USE_PERFTOOLS
+		if ( perftools_leaks )
+			heap_checker = new HeapLeakChecker("net_run");
+
+		if ( perftools_profile )
+			{
+			HeapProfilerStart("heap");
+			HeapProfilerDump("pre net_run");
+			}
+
+#endif
+		net_run();
+		done_with_network();
+		net_delete();
+
+		terminate_bro();
+
+		// Close files after net_delete(), because net_delete()
+		// might write to connection content files.
+		BroFile::CloseCachedFiles();
+		}
+	else
+		{
+		persistence_serializer->WriteState(false);
+		terminate_bro();
+		}
+
+	delete rule_matcher;
+
+	return 0;
+	}
diff --git a/src/make_dbg_constants.pl b/src/make_dbg_constants.pl
new file mode 100644
index 0000000000..d4781dccf6
--- /dev/null
+++ b/src/make_dbg_constants.pl
@@ -0,0 +1,145 @@
+# $Id: make_dbg_constants.pl 80 2004-07-14 20:15:50Z jason $
+#
+# Build the DebugCmdConstants.h and DebugCmdInfoConstants.h files from the
+# DebugCmdInfoConstants.in file.
+#
+# We do this via a script rather than maintaining them directly because
+# the struct is a little complicated, so has to be initialized from code,
+# plus we want to make adding new constants somewhat less painful.
+#
+# The input filename should be supplied as an argument
+#
+# DebugCmds are printed to DebugCmdConstants.h
+# DebugCmdInfos are printed to DebugCmdInfoConstants.h
+#
+# The input format is:
+#
+#	cmd: [DebugCmd]
+#	names: [space delimited names of cmd]
+#	resume: ['true' or 'false': should execution resume after this command?]
+#	help: [some help text]
+#
+# Blank lines are skipped.
+# Comments should start with // and should be on a line by themselves.
+
+use strict;
+
+open INPUT, $ARGV[0] or die "Input file $ARGV[0] not found.";
+open DEBUGCMDS, ">DebugCmdConstants.h"
+  or die "Unable to open DebugCmdConstants.h";
+open DEBUGCMDINFOS, ">DebugCmdInfoConstants.cc"
+  or die "Unable to open DebugCmdInfoConstants.cc";
+
+my $init_tmpl =
+'
+   {
+      DebugCmdInfo* info;
+      @@name_init
+      info = new DebugCmdInfo (@@cmd, names, @@num_names, @@resume, "@@help",
+                               @@repeatable);
+      g_DebugCmdInfos.push_back(info);
+   }
+';
+
+my $enum_str = "
+//
+// This file was automatically generated from $ARGV[0]
+// DO NOT EDIT.
+//
+enum DebugCmd {
+";
+
+my $init_str = "
+//
+// This file was automatically generated from $ARGV[0]
+// DO NOT EDIT.
+//
+
+#include \"util.h\"
+void init_global_dbg_constants () {
+";
+
+my %dbginfo;
+# { cmd, num_names, \@names, name_init, resume, help, repeatable }
+
+no strict "refs";
+sub OutputRecord {
+  $dbginfo{name_init} .= "const char * const names[] = {\n\t";
+  $_ = "\"$_\"" foreach @{$dbginfo{names}};	# put quotes around the strings
+  my $name_strs = join ",\n\t", @{$dbginfo{names}};
+  $dbginfo{name_init} .= "$name_strs\n      };\n";
+
+  $dbginfo{num_names} = scalar @{$dbginfo{names}};
+
+  # substitute into template
+  my $init = $init_tmpl;
+  $init =~ s/(\@\@(\w+))/defined $dbginfo{$2} ? $dbginfo{$2} : ""/eg;
+
+  $init_str .= $init;
+
+  $enum_str .= "\t$dbginfo{cmd},\n";
+}
+use strict "refs";
+
+sub InitDbginfo
+  {
+    my $dbginfo = shift;
+    %$dbginfo = ( num_names => 0, names => [], resume => 'false', help => '',
+		  repeatable => 'false' );
+  }
+
+
+InitDbginfo(\%dbginfo);
+
+while (<INPUT>) {
+  chomp ($_);
+  next if $_ =~ /^\s*$/;	# skip blank
+  next if $_ =~ /^\s*\/\//;	# skip comments
+
+  $_ =~ /^\s*([a-z]+):\s*(.*)$/ or
+    die "Error in debug constant file on line: $_";
+
+  if ($1 eq 'cmd')
+    {
+      my $newcmd = $2;
+      if (defined $dbginfo{cmd}) { # output the previous record	
+	OutputRecord();
+	InitDbginfo(\%dbginfo);
+      }
+
+      $dbginfo{cmd} = $newcmd;
+    }
+  elsif ($1 eq 'names')
+    {
+      my @names = split / /, $2;
+      $dbginfo{names} = \@names;
+    }
+  elsif ($1 eq 'resume')
+    {
+      $dbginfo{resume} = $2;
+    }
+  elsif ($1 eq 'help')
+    {
+      $dbginfo{help} = $2;
+      $dbginfo{help} =~ s{\"}{\\\"}g;	# escape quotation marks
+    }
+  elsif ($1 eq 'repeatable')
+    {
+      $dbginfo{repeatable} = $2;
+    }
+  else {
+    die "Unknown command: $_\n";
+  }
+}
+
+# output the last record
+OutputRecord();
+
+$init_str .= "   \n}\n";
+$enum_str .= "   dcLast\n};\n";
+
+print DEBUGCMDS $enum_str;
+close DEBUGCMDS;
+
+print DEBUGCMDINFOS $init_str;
+close DEBUGCMDINFOS;
diff --git a/src/make_parser.pl b/src/make_parser.pl
new file mode 100644
index 0000000000..63cb432ed6
--- /dev/null
+++ b/src/make_parser.pl
@@ -0,0 +1,44 @@
+#
+# Generate the yacc/bison grammar file parse.y from parse.in
+#
+# Importantly, it will eliminate the dependence on the internal location stack
+# if it is not supported.
+#
+
+use strict;
+
+
+# figure out which yacc-like thing is used
+# ### Kind of a hack since it uses the Makefile
+
+my $srcdir = $ARGV[0];
+my $builddir = $ARGV[1];
+my $yacc = $ARGV[2];
+
+my $is_bison = ($yacc =~ /bison/);
+
+if ($is_bison)
+  {
+    system ("cp $srcdir/parse.in $builddir/parse.y") == 0 or die "Could not make parse.y: $!\n";
+  }
+else
+  {
+    make_parser();
+  }
+
+
+sub make_parser
+{
+  open PARSE_OUT, ">$builddir/parse.y" or die "Could not open $builddir/parse.y: $!";
+  open PARSE_IN, "$srcdir/parse.in" or die "Could not open $srcdir/parse.in: $!";
+
+  while (<PARSE_IN>)
+    {
+      $_ =~ s/\@\d+/GetCurrentLocation\(\)/g;
+      print PARSE_OUT $_;
+    }
+
+  # yylloc needs to be non-extern for non-bison systems, so stick it here
+  print PARSE_OUT "\n/* Non-extern yylloc needed for non-bison system */\n",
+    "YYLTYPE yylloc;\n"
+}
diff --git a/src/malloc.c b/src/malloc.c
new file mode 100644
index 0000000000..809e19aa4e
--- /dev/null
+++ b/src/malloc.c
@@ -0,0 +1,5061 @@
+/*
+  This is a version (aka dlmalloc) of malloc/free/realloc written by
+  Doug Lea and released to the public domain, as explained at
+  http://creativecommons.org/licenses/publicdomain.  Send questions,
+  comments, complaints, performance data, etc to dl@cs.oswego.edu
+
+* Version 2.8.3 Thu Sep 22 11:16:15 2005  Doug Lea  (dl at gee)
+
+   Note: There may be an updated version of this malloc obtainable at
+           ftp://gee.cs.oswego.edu/pub/misc/malloc.c
+         Check before installing!
+
+* Quickstart
+
+  This library is all in one file to simplify the most common usage:
+  ftp it, compile it (-O3), and link it into another program. All of
+  the compile-time options default to reasonable values for use on
+  most platforms.  You might later want to step through various
+  compile-time and dynamic tuning options.
+
+  For convenience, an include file for code using this malloc is at:
+     ftp://gee.cs.oswego.edu/pub/misc/malloc-2.8.3.h
+  You don't really need this .h file unless you call functions not
+  defined in your system include files.  The .h file contains only the
+  excerpts from this file needed for using this malloc on ANSI C/C++
+  systems, so long as you haven't changed compile-time options about
+  naming and tuning parameters.  If you do, then you can create your
+  own malloc.h that does include all settings by cutting at the point
+  indicated below. Note that you may already by default be using a C
+  library containing a malloc that is based on some version of this
+  malloc (for example in linux). You might still want to use the one
+  in this file to customize settings or to avoid overheads associated
+  with library versions.
+
+* Vital statistics:
+
+  Supported pointer/size_t representation:       4 or 8 bytes
+       size_t MUST be an unsigned type of the same width as
+       pointers. (If you are using an ancient system that declares
+       size_t as a signed type, or need it to be a different width
+       than pointers, you can use a previous release of this malloc
+       (e.g. 2.7.2) supporting these.)
+
+  Alignment:                                     8 bytes (default)
+       This suffices for nearly all current machines and C compilers.
+       However, you can define MALLOC_ALIGNMENT to be wider than this
+       if necessary (up to 128bytes), at the expense of using more space.
+
+  Minimum overhead per allocated chunk:   4 or  8 bytes (if 4byte sizes)
+                                          8 or 16 bytes (if 8byte sizes)
+       Each malloced chunk has a hidden word of overhead holding size
+       and status information, and additional cross-check word
+       if FOOTERS is defined.
+
+  Minimum allocated size: 4-byte ptrs:  16 bytes    (including overhead)
+                          8-byte ptrs:  32 bytes    (including overhead)
+
+       Even a request for zero bytes (i.e., malloc(0)) returns a
+       pointer to something of the minimum allocatable size.
+       The maximum overhead wastage (i.e., number of extra bytes
+       allocated than were requested in malloc) is less than or equal
+       to the minimum size, except for requests >= mmap_threshold that
+       are serviced via mmap(), where the worst case wastage is about
+       32 bytes plus the remainder from a system page (the minimal
+       mmap unit); typically 4096 or 8192 bytes.
+
+  Security: static-safe; optionally more or less
+       The "security" of malloc refers to the ability of malicious
+       code to accentuate the effects of errors (for example, freeing
+       space that is not currently malloc'ed or overwriting past the
+       ends of chunks) in code that calls malloc.  This malloc
+       guarantees not to modify any memory locations below the base of
+       heap, i.e., static variables, even in the presence of usage
+       errors.  The routines additionally detect most improper frees
+       and reallocs.  All this holds as long as the static bookkeeping
+       for malloc itself is not corrupted by some other means.  This
+       is only one aspect of security -- these checks do not, and
+       cannot, detect all possible programming errors.
+
+       If FOOTERS is defined nonzero, then each allocated chunk
+       carries an additional check word to verify that it was malloced
+       from its space.  These check words are the same within each
+       execution of a program using malloc, but differ across
+       executions, so externally crafted fake chunks cannot be
+       freed. This improves security by rejecting frees/reallocs that
+       could corrupt heap memory, in addition to the checks preventing
+       writes to statics that are always on.  This may further improve
+       security at the expense of time and space overhead.  (Note that
+       FOOTERS may also be worth using with MSPACES.)
+
+       By default detected errors cause the program to abort (calling
+       "abort()"). You can override this to instead proceed past
+       errors by defining PROCEED_ON_ERROR.  In this case, a bad free
+       has no effect, and a malloc that encounters a bad address
+       caused by user overwrites will ignore the bad address by
+       dropping pointers and indices to all known memory. This may
+       be appropriate for programs that should continue if at all
+       possible in the face of programming errors, although they may
+       run out of memory because dropped memory is never reclaimed.
+
+       If you don't like either of these options, you can define
+       CORRUPTION_ERROR_ACTION and USAGE_ERROR_ACTION to do anything
+       else. And if if you are sure that your program using malloc has
+       no errors or vulnerabilities, you can define INSECURE to 1,
+       which might (or might not) provide a small performance improvement.
+
+  Thread-safety: NOT thread-safe unless USE_LOCKS defined
+       When USE_LOCKS is defined, each public call to malloc, free,
+       etc is surrounded with either a pthread mutex or a win32
+       spinlock (depending on WIN32). This is not especially fast, and
+       can be a major bottleneck.  It is designed only to provide
+       minimal protection in concurrent environments, and to provide a
+       basis for extensions.  If you are using malloc in a concurrent
+       program, consider instead using ptmalloc, which is derived from
+       a version of this malloc. (See http://www.malloc.de).
+
+  System requirements: Any combination of MORECORE and/or MMAP/MUNMAP
+       This malloc can use unix sbrk or any emulation (invoked using
+       the CALL_MORECORE macro) and/or mmap/munmap or any emulation
+       (invoked using CALL_MMAP/CALL_MUNMAP) to get and release system
+       memory.  On most unix systems, it tends to work best if both
+       MORECORE and MMAP are enabled.  On Win32, it uses emulations
+       based on VirtualAlloc. It also uses common C library functions
+       like memset.
+
+  Compliance: I believe it is compliant with the Single Unix Specification
+       (See http://www.unix.org). Also SVID/XPG, ANSI C, and probably
+       others as well.
+
+* Overview of algorithms
+
+  This is not the fastest, most space-conserving, most portable, or
+  most tunable malloc ever written. However it is among the fastest
+  while also being among the most space-conserving, portable and
+  tunable.  Consistent balance across these factors results in a good
+  general-purpose allocator for malloc-intensive programs.
+
+  In most ways, this malloc is a best-fit allocator. Generally, it
+  chooses the best-fitting existing chunk for a request, with ties
+  broken in approximately least-recently-used order. (This strategy
+  normally maintains low fragmentation.) However, for requests less
+  than 256bytes, it deviates from best-fit when there is not an
+  exactly fitting available chunk by preferring to use space adjacent
+  to that used for the previous small request, as well as by breaking
+  ties in approximately most-recently-used order. (These enhance
+  locality of series of small allocations.)  And for very large requests
+  (>= 256Kb by default), it relies on system memory mapping
+  facilities, if supported.  (This helps avoid carrying around and
+  possibly fragmenting memory used only for large chunks.)
+
+  All operations (except malloc_stats and mallinfo) have execution
+  times that are bounded by a constant factor of the number of bits in
+  a size_t, not counting any clearing in calloc or copying in realloc,
+  or actions surrounding MORECORE and MMAP that have times
+  proportional to the number of non-contiguous regions returned by
+  system allocation routines, which is often just 1.
+
+  The implementation is not very modular and seriously overuses
+  macros. Perhaps someday all C compilers will do as good a job
+  inlining modular code as can now be done by brute-force expansion,
+  but now, enough of them seem not to.
+
+  Some compilers issue a lot of warnings about code that is
+  dead/unreachable only on some platforms, and also about intentional
+  uses of negation on unsigned types. All known cases of each can be
+  ignored.
+
+  For a longer but out of date high-level description, see
+     http://gee.cs.oswego.edu/dl/html/malloc.html
+
+* MSPACES
+  If MSPACES is defined, then in addition to malloc, free, etc.,
+  this file also defines mspace_malloc, mspace_free, etc. These
+  are versions of malloc routines that take an "mspace" argument
+  obtained using create_mspace, to control all internal bookkeeping.
+  If ONLY_MSPACES is defined, only these versions are compiled.
+  So if you would like to use this allocator for only some allocations,
+  and your system malloc for others, you can compile with
+  ONLY_MSPACES and then do something like...
+    static mspace mymspace = create_mspace(0,0); // for example
+    #define mymalloc(bytes)  mspace_malloc(mymspace, bytes)
+
+  (Note: If you only need one instance of an mspace, you can instead
+  use "USE_DL_PREFIX" to relabel the global malloc.)
+
+  You can similarly create thread-local allocators by storing
+  mspaces as thread-locals. For example:
+    static __thread mspace tlms = 0;
+    void*  tlmalloc(size_t bytes) {
+      if (tlms == 0) tlms = create_mspace(0, 0);
+      return mspace_malloc(tlms, bytes);
+    }
+    void  tlfree(void* mem) { mspace_free(tlms, mem); }
+
+  Unless FOOTERS is defined, each mspace is completely independent.
+  You cannot allocate from one and free to another (although
+  conformance is only weakly checked, so usage errors are not always
+  caught). If FOOTERS is defined, then each chunk carries around a tag
+  indicating its originating mspace, and frees are directed to their
+  originating spaces.
+
+ -------------------------  Compile-time options ---------------------------
+
+Be careful in setting #define values for numerical constants of type
+size_t. On some systems, literal values are not automatically extended
+to size_t precision unless they are explicitly casted.
+
+WIN32                    default: defined if _WIN32 defined
+  Defining WIN32 sets up defaults for MS environment and compilers.
+  Otherwise defaults are for unix.
+
+MALLOC_ALIGNMENT         default: (size_t)8
+  Controls the minimum alignment for malloc'ed chunks.  It must be a
+  power of two and at least 8, even on machines for which smaller
+  alignments would suffice. It may be defined as larger than this
+  though. Note however that code and data structures are optimized for
+  the case of 8-byte alignment.
+
+MSPACES                  default: 0 (false)
+  If true, compile in support for independent allocation spaces.
+  This is only supported if HAVE_MMAP is true.
+
+ONLY_MSPACES             default: 0 (false)
+  If true, only compile in mspace versions, not regular versions.
+
+USE_LOCKS                default: 0 (false)
+  Causes each call to each public routine to be surrounded with
+  pthread or WIN32 mutex lock/unlock. (If set true, this can be
+  overridden on a per-mspace basis for mspace versions.)
+
+FOOTERS                  default: 0
+  If true, provide extra checking and dispatching by placing
+  information in the footers of allocated chunks. This adds
+  space and time overhead.
+
+INSECURE                 default: 0
+  If true, omit checks for usage errors and heap space overwrites.
+
+USE_DL_PREFIX            default: NOT defined
+  Causes compiler to prefix all public routines with the string 'dl'.
+  This can be useful when you only want to use this malloc in one part
+  of a program, using your regular system malloc elsewhere.
+
+ABORT                    default: defined as abort()
+  Defines how to abort on failed checks.  On most systems, a failed
+  check cannot die with an "assert" or even print an informative
+  message, because the underlying print routines in turn call malloc,
+  which will fail again.  Generally, the best policy is to simply call
+  abort(). It's not very useful to do more than this because many
+  errors due to overwriting will show up as address faults (null, odd
+  addresses etc) rather than malloc-triggered checks, so will also
+  abort.  Also, most compilers know that abort() does not return, so
+  can better optimize code conditionally calling it.
+
+PROCEED_ON_ERROR           default: defined as 0 (false)
+  Controls whether detected bad addresses cause them to bypassed
+  rather than aborting. If set, detected bad arguments to free and
+  realloc are ignored. And all bookkeeping information is zeroed out
+  upon a detected overwrite of freed heap space, thus losing the
+  ability to ever return it from malloc again, but enabling the
+  application to proceed. If PROCEED_ON_ERROR is defined, the
+  static variable malloc_corruption_error_count is compiled in
+  and can be examined to see if errors have occurred. This option
+  generates slower code than the default abort policy.
+
+DEBUG                    default: NOT defined
+  The DEBUG setting is mainly intended for people trying to modify
+  this code or diagnose problems when porting to new platforms.
+  However, it may also be able to better isolate user errors than just
+  using runtime checks.  The assertions in the check routines spell
+  out in more detail the assumptions and invariants underlying the
+  algorithms.  The checking is fairly extensive, and will slow down
+  execution noticeably. Calling malloc_stats or mallinfo with DEBUG
+  set will attempt to check every non-mmapped allocated and free chunk
+  in the course of computing the summaries.
+
+ABORT_ON_ASSERT_FAILURE   default: defined as 1 (true)
+  Debugging assertion failures can be nearly impossible if your
+  version of the assert macro causes malloc to be called, which will
+  lead to a cascade of further failures, blowing the runtime stack.
+  ABORT_ON_ASSERT_FAILURE cause assertions failures to call abort(),
+  which will usually make debugging easier.
+
+MALLOC_FAILURE_ACTION     default: sets errno to ENOMEM, or no-op on win32
+  The action to take before "return 0" when malloc fails to be able to
+  return memory because there is none available.
+
+HAVE_MORECORE             default: 1 (true) unless win32 or ONLY_MSPACES
+  True if this system supports sbrk or an emulation of it.
+
+MORECORE                  default: sbrk
+  The name of the sbrk-style system routine to call to obtain more
+  memory.  See below for guidance on writing custom MORECORE
+  functions. The type of the argument to sbrk/MORECORE varies across
+  systems.  It cannot be size_t, because it supports negative
+  arguments, so it is normally the signed type of the same width as
+  size_t (sometimes declared as "intptr_t").  It doesn't much matter
+  though. Internally, we only call it with arguments less than half
+  the max value of a size_t, which should work across all reasonable
+  possibilities, although sometimes generating compiler warnings.  See
+  near the end of this file for guidelines for creating a custom
+  version of MORECORE.
+
+MORECORE_CONTIGUOUS       default: 1 (true)
+  If true, take advantage of fact that consecutive calls to MORECORE
+  with positive arguments always return contiguous increasing
+  addresses.  This is true of unix sbrk. It does not hurt too much to
+  set it true anyway, since malloc copes with non-contiguities.
+  Setting it false when definitely non-contiguous saves time
+  and possibly wasted space it would take to discover this though.
+
+MORECORE_CANNOT_TRIM      default: NOT defined
+  True if MORECORE cannot release space back to the system when given
+  negative arguments. This is generally necessary only if you are
+  using a hand-crafted MORECORE function that cannot handle negative
+  arguments.
+
+HAVE_MMAP                 default: 1 (true)
+  True if this system supports mmap or an emulation of it.  If so, and
+  HAVE_MORECORE is not true, MMAP is used for all system
+  allocation. If set and HAVE_MORECORE is true as well, MMAP is
+  primarily used to directly allocate very large blocks. It is also
+  used as a backup strategy in cases where MORECORE fails to provide
+  space from system. Note: A single call to MUNMAP is assumed to be
+  able to unmap memory that may have be allocated using multiple calls
+  to MMAP, so long as they are adjacent.
+
+HAVE_MREMAP               default: 1 on linux, else 0
+  If true realloc() uses mremap() to re-allocate large blocks and
+  extend or shrink allocation spaces.
+
+MMAP_CLEARS               default: 1 on unix
+  True if mmap clears memory so calloc doesn't need to. This is true
+  for standard unix mmap using /dev/zero.
+
+USE_BUILTIN_FFS            default: 0 (i.e., not used)
+  Causes malloc to use the builtin ffs() function to compute indices.
+  Some compilers may recognize and intrinsify ffs to be faster than the
+  supplied C version. Also, the case of x86 using gcc is special-cased
+  to an asm instruction, so is already as fast as it can be, and so
+  this setting has no effect. (On most x86s, the asm version is only
+  slightly faster than the C version.)
+
+malloc_getpagesize         default: derive from system includes, or 4096.
+  The system page size. To the extent possible, this malloc manages
+  memory from the system in page-size units.  This may be (and
+  usually is) a function rather than a constant. This is ignored
+  if WIN32, where page size is determined using getSystemInfo during
+  initialization.
+
+USE_DEV_RANDOM             default: 0 (i.e., not used)
+  Causes malloc to use /dev/random to initialize secure magic seed for
+  stamping footers. Otherwise, the current time is used.
+
+NO_MALLINFO                default: 0
+  If defined, don't compile "mallinfo". This can be a simple way
+  of dealing with mismatches between system declarations and
+  those in this file.
+
+MALLINFO_FIELD_TYPE        default: size_t
+  The type of the fields in the mallinfo struct. This was originally
+  defined as "int" in SVID etc, but is more usefully defined as
+  size_t. The value is used only if  HAVE_USR_INCLUDE_MALLOC_H is not set
+
+REALLOC_ZERO_BYTES_FREES    default: not defined
+  This should be set if a call to realloc with zero bytes should 
+  be the same as a call to free. Some people think it should. Otherwise, 
+  since this malloc returns a unique pointer for malloc(0), so does 
+  realloc(p, 0).
+
+LACKS_UNISTD_H, LACKS_FCNTL_H, LACKS_SYS_PARAM_H, LACKS_SYS_MMAN_H
+LACKS_STRINGS_H, LACKS_STRING_H, LACKS_SYS_TYPES_H,  LACKS_ERRNO_H
+LACKS_STDLIB_H                default: NOT defined unless on WIN32
+  Define these if your system does not have these header files.
+  You might need to manually insert some of the declarations they provide.
+
+DEFAULT_GRANULARITY        default: page size if MORECORE_CONTIGUOUS,
+                                system_info.dwAllocationGranularity in WIN32,
+                                otherwise 64K.
+      Also settable using mallopt(M_GRANULARITY, x)
+  The unit for allocating and deallocating memory from the system.  On
+  most systems with contiguous MORECORE, there is no reason to
+  make this more than a page. However, systems with MMAP tend to
+  either require or encourage larger granularities.  You can increase
+  this value to prevent system allocation functions to be called so
+  often, especially if they are slow.  The value must be at least one
+  page and must be a power of two.  Setting to 0 causes initialization
+  to either page size or win32 region size.  (Note: In previous
+  versions of malloc, the equivalent of this option was called
+  "TOP_PAD")
+
+DEFAULT_TRIM_THRESHOLD    default: 2MB
+      Also settable using mallopt(M_TRIM_THRESHOLD, x)
+  The maximum amount of unused top-most memory to keep before
+  releasing via malloc_trim in free().  Automatic trimming is mainly
+  useful in long-lived programs using contiguous MORECORE.  Because
+  trimming via sbrk can be slow on some systems, and can sometimes be
+  wasteful (in cases where programs immediately afterward allocate
+  more large chunks) the value should be high enough so that your
+  overall system performance would improve by releasing this much
+  memory.  As a rough guide, you might set to a value close to the
+  average size of a process (program) running on your system.
+  Releasing this much memory would allow such a process to run in
+  memory.  Generally, it is worth tuning trim thresholds when a
+  program undergoes phases where several large chunks are allocated
+  and released in ways that can reuse each other's storage, perhaps
+  mixed with phases where there are no such chunks at all. The trim
+  value must be greater than page size to have any useful effect.  To
+  disable trimming completely, you can set to MAX_SIZE_T. Note that the trick
+  some people use of mallocing a huge space and then freeing it at
+  program startup, in an attempt to reserve system memory, doesn't
+  have the intended effect under automatic trimming, since that memory
+  will immediately be returned to the system.
+
+DEFAULT_MMAP_THRESHOLD       default: 256K
+      Also settable using mallopt(M_MMAP_THRESHOLD, x)
+  The request size threshold for using MMAP to directly service a
+  request. Requests of at least this size that cannot be allocated
+  using already-existing space will be serviced via mmap.  (If enough
+  normal freed space already exists it is used instead.)  Using mmap
+  segregates relatively large chunks of memory so that they can be
+  individually obtained and released from the host system. A request
+  serviced through mmap is never reused by any other request (at least
+  not directly; the system may just so happen to remap successive
+  requests to the same locations).  Segregating space in this way has
+  the benefits that: Mmapped space can always be individually released
+  back to the system, which helps keep the system level memory demands
+  of a long-lived program low.  Also, mapped memory doesn't become
+  `locked' between other chunks, as can happen with normally allocated
+  chunks, which means that even trimming via malloc_trim would not
+  release them.  However, it has the disadvantage that the space
+  cannot be reclaimed, consolidated, and then used to service later
+  requests, as happens with normal chunks.  The advantages of mmap
+  nearly always outweigh disadvantages for "large" chunks, but the
+  value of "large" may vary across systems.  The default is an
+  empirically derived value that works well in most systems. You can
+  disable mmap by setting to MAX_SIZE_T.
+
+*/
+
+#ifndef WIN32
+#ifdef _WIN32
+#define WIN32 1
+#endif  /* _WIN32 */
+#endif  /* WIN32 */
+#ifdef WIN32
+#define WIN32_LEAN_AND_MEAN
+#include <windows.h>
+#define HAVE_MMAP 1
+#define HAVE_MORECORE 0
+#define LACKS_UNISTD_H
+#define LACKS_SYS_PARAM_H
+#define LACKS_SYS_MMAN_H
+#define LACKS_STRING_H
+#define LACKS_STRINGS_H
+#define LACKS_SYS_TYPES_H
+#define LACKS_ERRNO_H
+#define MALLOC_FAILURE_ACTION
+#define MMAP_CLEARS 0 /* WINCE and some others apparently don't clear */
+#endif  /* WIN32 */
+
+#if defined(DARWIN) || defined(_DARWIN)
+/* Mac OSX docs advise not to use sbrk; it seems better to use mmap */
+#ifndef HAVE_MORECORE
+#define HAVE_MORECORE 0
+#define HAVE_MMAP 1
+#endif  /* HAVE_MORECORE */
+#endif  /* DARWIN */
+
+#ifndef LACKS_SYS_TYPES_H
+#include <sys/types.h>  /* For size_t */
+#endif  /* LACKS_SYS_TYPES_H */
+
+/* The maximum possible size_t value has all bits set */
+#define MAX_SIZE_T           (~(size_t)0)
+
+#ifndef ONLY_MSPACES
+#define ONLY_MSPACES 0
+#endif  /* ONLY_MSPACES */
+#ifndef MSPACES
+#if ONLY_MSPACES
+#define MSPACES 1
+#else   /* ONLY_MSPACES */
+#define MSPACES 0
+#endif  /* ONLY_MSPACES */
+#endif  /* MSPACES */
+#ifndef MALLOC_ALIGNMENT
+#define MALLOC_ALIGNMENT ((size_t)8U)
+#endif  /* MALLOC_ALIGNMENT */
+#ifndef FOOTERS
+#define FOOTERS 0
+#endif  /* FOOTERS */
+#ifndef ABORT
+#define ABORT  abort()
+#endif  /* ABORT */
+#ifndef ABORT_ON_ASSERT_FAILURE
+#define ABORT_ON_ASSERT_FAILURE 1
+#endif  /* ABORT_ON_ASSERT_FAILURE */
+#ifndef PROCEED_ON_ERROR
+#define PROCEED_ON_ERROR 0
+#endif  /* PROCEED_ON_ERROR */
+#ifndef USE_LOCKS
+#define USE_LOCKS 0
+#endif  /* USE_LOCKS */
+#ifndef INSECURE
+#define INSECURE 0
+#endif  /* INSECURE */
+#ifndef HAVE_MMAP
+#define HAVE_MMAP 1
+#endif  /* HAVE_MMAP */
+#ifndef MMAP_CLEARS
+#define MMAP_CLEARS 1
+#endif  /* MMAP_CLEARS */
+#ifndef HAVE_MREMAP
+#ifdef linux
+#define HAVE_MREMAP 1
+#else   /* linux */
+#define HAVE_MREMAP 0
+#endif  /* linux */
+#endif  /* HAVE_MREMAP */
+#ifndef MALLOC_FAILURE_ACTION
+#define MALLOC_FAILURE_ACTION  errno = ENOMEM;
+#endif  /* MALLOC_FAILURE_ACTION */
+#ifndef HAVE_MORECORE
+#if ONLY_MSPACES
+#define HAVE_MORECORE 0
+#else   /* ONLY_MSPACES */
+#define HAVE_MORECORE 1
+#endif  /* ONLY_MSPACES */
+#endif  /* HAVE_MORECORE */
+#if !HAVE_MORECORE
+#define MORECORE_CONTIGUOUS 0
+#else   /* !HAVE_MORECORE */
+#ifndef MORECORE
+#define MORECORE sbrk
+#endif  /* MORECORE */
+#ifndef MORECORE_CONTIGUOUS
+#define MORECORE_CONTIGUOUS 1
+#endif  /* MORECORE_CONTIGUOUS */
+#endif  /* HAVE_MORECORE */
+#ifndef DEFAULT_GRANULARITY
+#if MORECORE_CONTIGUOUS
+#define DEFAULT_GRANULARITY (0)  /* 0 means to compute in init_mparams */
+#else   /* MORECORE_CONTIGUOUS */
+#define DEFAULT_GRANULARITY ((size_t)64U * (size_t)1024U)
+#endif  /* MORECORE_CONTIGUOUS */
+#endif  /* DEFAULT_GRANULARITY */
+#ifndef DEFAULT_TRIM_THRESHOLD
+#ifndef MORECORE_CANNOT_TRIM
+#define DEFAULT_TRIM_THRESHOLD ((size_t)2U * (size_t)1024U * (size_t)1024U)
+#else   /* MORECORE_CANNOT_TRIM */
+#define DEFAULT_TRIM_THRESHOLD MAX_SIZE_T
+#endif  /* MORECORE_CANNOT_TRIM */
+#endif  /* DEFAULT_TRIM_THRESHOLD */
+#ifndef DEFAULT_MMAP_THRESHOLD
+#if HAVE_MMAP
+#define DEFAULT_MMAP_THRESHOLD ((size_t)256U * (size_t)1024U)
+#else   /* HAVE_MMAP */
+#define DEFAULT_MMAP_THRESHOLD MAX_SIZE_T
+#endif  /* HAVE_MMAP */
+#endif  /* DEFAULT_MMAP_THRESHOLD */
+#ifndef USE_BUILTIN_FFS
+#define USE_BUILTIN_FFS 0
+#endif  /* USE_BUILTIN_FFS */
+#ifndef USE_DEV_RANDOM
+#define USE_DEV_RANDOM 0
+#endif  /* USE_DEV_RANDOM */
+#ifndef NO_MALLINFO
+#define NO_MALLINFO 0
+#endif  /* NO_MALLINFO */
+#ifndef MALLINFO_FIELD_TYPE
+#define MALLINFO_FIELD_TYPE size_t
+#endif  /* MALLINFO_FIELD_TYPE */
+
+/*
+  mallopt tuning options.  SVID/XPG defines four standard parameter
+  numbers for mallopt, normally defined in malloc.h.  None of these
+  are used in this malloc, so setting them has no effect. But this
+  malloc does support the following options.
+*/
+
+#define M_TRIM_THRESHOLD     (-1)
+#define M_GRANULARITY        (-2)
+#define M_MMAP_THRESHOLD     (-3)
+
+/* ------------------------ Mallinfo declarations ------------------------ */
+
+#if !NO_MALLINFO
+/*
+  This version of malloc supports the standard SVID/XPG mallinfo
+  routine that returns a struct containing usage properties and
+  statistics. It should work on any system that has a
+  /usr/include/malloc.h defining struct mallinfo.  The main
+  declaration needed is the mallinfo struct that is returned (by-copy)
+  by mallinfo().  The malloinfo struct contains a bunch of fields that
+  are not even meaningful in this version of malloc.  These fields are
+  are instead filled by mallinfo() with other numbers that might be of
+  interest.
+
+  HAVE_USR_INCLUDE_MALLOC_H should be set if you have a
+  /usr/include/malloc.h file that includes a declaration of struct
+  mallinfo.  If so, it is included; else a compliant version is
+  declared below.  These must be precisely the same for mallinfo() to
+  work.  The original SVID version of this struct, defined on most
+  systems with mallinfo, declares all fields as ints. But some others
+  define as unsigned long. If your system defines the fields using a
+  type of different width than listed here, you MUST #include your
+  system version and #define HAVE_USR_INCLUDE_MALLOC_H.
+*/
+
+/* #define HAVE_USR_INCLUDE_MALLOC_H */
+
+#ifdef HAVE_USR_INCLUDE_MALLOC_H
+#include "/usr/include/malloc.h"
+#else /* HAVE_USR_INCLUDE_MALLOC_H */
+
+struct mallinfo {
+  MALLINFO_FIELD_TYPE arena;    /* non-mmapped space allocated from system */
+  MALLINFO_FIELD_TYPE ordblks;  /* number of free chunks */
+  MALLINFO_FIELD_TYPE smblks;   /* always 0 */
+  MALLINFO_FIELD_TYPE hblks;    /* always 0 */
+  MALLINFO_FIELD_TYPE hblkhd;   /* space in mmapped regions */
+  MALLINFO_FIELD_TYPE usmblks;  /* maximum total allocated space */
+  MALLINFO_FIELD_TYPE fsmblks;  /* always 0 */
+  MALLINFO_FIELD_TYPE uordblks; /* total allocated space */
+  MALLINFO_FIELD_TYPE fordblks; /* total free space */
+  MALLINFO_FIELD_TYPE keepcost; /* releasable (via malloc_trim) space */
+};
+
+#endif /* HAVE_USR_INCLUDE_MALLOC_H */
+#endif /* NO_MALLINFO */
+
+#ifdef __cplusplus
+extern "C" {
+#endif /* __cplusplus */
+
+#if !ONLY_MSPACES
+
+/* ------------------- Declarations of public routines ------------------- */
+
+#ifndef USE_DL_PREFIX
+#define dlcalloc               calloc
+#define dlfree                 free
+#define dlmalloc               malloc
+#define dlmemalign             memalign
+#define dlrealloc              realloc
+#define dlvalloc               valloc
+#define dlpvalloc              pvalloc
+#define dlmallinfo             mallinfo
+#define dlmallopt              mallopt
+#define dlmalloc_trim          malloc_trim
+#define dlmalloc_stats         malloc_stats
+#define dlmalloc_usable_size   malloc_usable_size
+#define dlmalloc_footprint     malloc_footprint
+#define dlmalloc_max_footprint malloc_max_footprint
+#define dlindependent_calloc   independent_calloc
+#define dlindependent_comalloc independent_comalloc
+#endif /* USE_DL_PREFIX */
+
+
+/*
+  malloc(size_t n)
+  Returns a pointer to a newly allocated chunk of at least n bytes, or
+  null if no space is available, in which case errno is set to ENOMEM
+  on ANSI C systems.
+
+  If n is zero, malloc returns a minimum-sized chunk. (The minimum
+  size is 16 bytes on most 32bit systems, and 32 bytes on 64bit
+  systems.)  Note that size_t is an unsigned type, so calls with
+  arguments that would be negative if signed are interpreted as
+  requests for huge amounts of space, which will often fail. The
+  maximum supported value of n differs across systems, but is in all
+  cases less than the maximum representable value of a size_t.
+*/
+void* dlmalloc(size_t);
+
+/*
+  free(void* p)
+  Releases the chunk of memory pointed to by p, that had been previously
+  allocated using malloc or a related routine such as realloc.
+  It has no effect if p is null. If p was not malloced or already
+  freed, free(p) will by default cause the current program to abort.
+*/
+void  dlfree(void*);
+
+/*
+  calloc(size_t n_elements, size_t element_size);
+  Returns a pointer to n_elements * element_size bytes, with all locations
+  set to zero.
+*/
+void* dlcalloc(size_t, size_t);
+
+/*
+  realloc(void* p, size_t n)
+  Returns a pointer to a chunk of size n that contains the same data
+  as does chunk p up to the minimum of (n, p's size) bytes, or null
+  if no space is available.
+
+  The returned pointer may or may not be the same as p. The algorithm
+  prefers extending p in most cases when possible, otherwise it
+  employs the equivalent of a malloc-copy-free sequence.
+
+  If p is null, realloc is equivalent to malloc.
+
+  If space is not available, realloc returns null, errno is set (if on
+  ANSI) and p is NOT freed.
+
+  if n is for fewer bytes than already held by p, the newly unused
+  space is lopped off and freed if possible.  realloc with a size
+  argument of zero (re)allocates a minimum-sized chunk.
+
+  The old unix realloc convention of allowing the last-free'd chunk
+  to be used as an argument to realloc is not supported.
+*/
+
+void* dlrealloc(void*, size_t);
+
+/*
+  memalign(size_t alignment, size_t n);
+  Returns a pointer to a newly allocated chunk of n bytes, aligned
+  in accord with the alignment argument.
+
+  The alignment argument should be a power of two. If the argument is
+  not a power of two, the nearest greater power is used.
+  8-byte alignment is guaranteed by normal malloc calls, so don't
+  bother calling memalign with an argument of 8 or less.
+
+  Overreliance on memalign is a sure way to fragment space.
+*/
+void* dlmemalign(size_t, size_t);
+
+/*
+  valloc(size_t n);
+  Equivalent to memalign(pagesize, n), where pagesize is the page
+  size of the system. If the pagesize is unknown, 4096 is used.
+*/
+void* dlvalloc(size_t);
+
+/*
+  mallopt(int parameter_number, int parameter_value)
+  Sets tunable parameters The format is to provide a
+  (parameter-number, parameter-value) pair.  mallopt then sets the
+  corresponding parameter to the argument value if it can (i.e., so
+  long as the value is meaningful), and returns 1 if successful else
+  0.  SVID/XPG/ANSI defines four standard param numbers for mallopt,
+  normally defined in malloc.h.  None of these are use in this malloc,
+  so setting them has no effect. But this malloc also supports other
+  options in mallopt. See below for details.  Briefly, supported
+  parameters are as follows (listed defaults are for "typical"
+  configurations).
+
+  Symbol            param #  default    allowed param values
+  M_TRIM_THRESHOLD     -1   2*1024*1024   any   (MAX_SIZE_T disables)
+  M_GRANULARITY        -2     page size   any power of 2 >= page size
+  M_MMAP_THRESHOLD     -3      256*1024   any   (or 0 if no MMAP support)
+*/
+int dlmallopt(int, int);
+
+/*
+  malloc_footprint();
+  Returns the number of bytes obtained from the system.  The total
+  number of bytes allocated by malloc, realloc etc., is less than this
+  value. Unlike mallinfo, this function returns only a precomputed
+  result, so can be called frequently to monitor memory consumption.
+  Even if locks are otherwise defined, this function does not use them,
+  so results might not be up to date.
+*/
+size_t dlmalloc_footprint(void);
+
+/*
+  malloc_max_footprint();
+  Returns the maximum number of bytes obtained from the system. This
+  value will be greater than current footprint if deallocated space
+  has been reclaimed by the system. The peak number of bytes allocated
+  by malloc, realloc etc., is less than this value. Unlike mallinfo,
+  this function returns only a precomputed result, so can be called
+  frequently to monitor memory consumption.  Even if locks are
+  otherwise defined, this function does not use them, so results might
+  not be up to date.
+*/
+size_t dlmalloc_max_footprint(void);
+
+#if !NO_MALLINFO
+/*
+  mallinfo()
+  Returns (by copy) a struct containing various summary statistics:
+
+  arena:     current total non-mmapped bytes allocated from system
+  ordblks:   the number of free chunks
+  smblks:    always zero.
+  hblks:     current number of mmapped regions
+  hblkhd:    total bytes held in mmapped regions
+  usmblks:   the maximum total allocated space. This will be greater
+                than current total if trimming has occurred.
+  fsmblks:   always zero
+  uordblks:  current total allocated space (normal or mmapped)
+  fordblks:  total free space
+  keepcost:  the maximum number of bytes that could ideally be released
+               back to system via malloc_trim. ("ideally" means that
+               it ignores page restrictions etc.)
+
+  Because these fields are ints, but internal bookkeeping may
+  be kept as longs, the reported values may wrap around zero and
+  thus be inaccurate.
+*/
+struct mallinfo dlmallinfo(void);
+#endif /* NO_MALLINFO */
+
+/*
+  independent_calloc(size_t n_elements, size_t element_size, void* chunks[]);
+
+  independent_calloc is similar to calloc, but instead of returning a
+  single cleared space, it returns an array of pointers to n_elements
+  independent elements that can hold contents of size elem_size, each
+  of which starts out cleared, and can be independently freed,
+  realloc'ed etc. The elements are guaranteed to be adjacently
+  allocated (this is not guaranteed to occur with multiple callocs or
+  mallocs), which may also improve cache locality in some
+  applications.
+
+  The "chunks" argument is optional (i.e., may be null, which is
+  probably the most typical usage). If it is null, the returned array
+  is itself dynamically allocated and should also be freed when it is
+  no longer needed. Otherwise, the chunks array must be of at least
+  n_elements in length. It is filled in with the pointers to the
+  chunks.
+
+  In either case, independent_calloc returns this pointer array, or
+  null if the allocation failed.  If n_elements is zero and "chunks"
+  is null, it returns a chunk representing an array with zero elements
+  (which should be freed if not wanted).
+
+  Each element must be individually freed when it is no longer
+  needed. If you'd like to instead be able to free all at once, you
+  should instead use regular calloc and assign pointers into this
+  space to represent elements.  (In this case though, you cannot
+  independently free elements.)
+
+  independent_calloc simplifies and speeds up implementations of many
+  kinds of pools.  It may also be useful when constructing large data
+  structures that initially have a fixed number of fixed-sized nodes,
+  but the number is not known at compile time, and some of the nodes
+  may later need to be freed. For example:
+
+  struct Node { int item; struct Node* next; };
+
+  struct Node* build_list() {
+    struct Node** pool;
+    int n = read_number_of_nodes_needed();
+    if (n <= 0) return 0;
+    pool = (struct Node**)(independent_calloc(n, sizeof(struct Node), 0);
+    if (pool == 0) die();
+    // organize into a linked list...
+    struct Node* first = pool[0];
+    for (i = 0; i < n-1; ++i)
+      pool[i]->next = pool[i+1];
+    free(pool);     // Can now free the array (or not, if it is needed later)
+    return first;
+  }
+*/
+void** dlindependent_calloc(size_t, size_t, void**);
+
+/*
+  independent_comalloc(size_t n_elements, size_t sizes[], void* chunks[]);
+
+  independent_comalloc allocates, all at once, a set of n_elements
+  chunks with sizes indicated in the "sizes" array.    It returns
+  an array of pointers to these elements, each of which can be
+  independently freed, realloc'ed etc. The elements are guaranteed to
+  be adjacently allocated (this is not guaranteed to occur with
+  multiple callocs or mallocs), which may also improve cache locality
+  in some applications.
+
+  The "chunks" argument is optional (i.e., may be null). If it is null
+  the returned array is itself dynamically allocated and should also
+  be freed when it is no longer needed. Otherwise, the chunks array
+  must be of at least n_elements in length. It is filled in with the
+  pointers to the chunks.
+
+  In either case, independent_comalloc returns this pointer array, or
+  null if the allocation failed.  If n_elements is zero and chunks is
+  null, it returns a chunk representing an array with zero elements
+  (which should be freed if not wanted).
+
+  Each element must be individually freed when it is no longer
+  needed. If you'd like to instead be able to free all at once, you
+  should instead use a single regular malloc, and assign pointers at
+  particular offsets in the aggregate space. (In this case though, you
+  cannot independently free elements.)
+
+  independent_comallac differs from independent_calloc in that each
+  element may have a different size, and also that it does not
+  automatically clear elements.
+
+  independent_comalloc can be used to speed up allocation in cases
+  where several structs or objects must always be allocated at the
+  same time.  For example:
+
+  struct Head { ... }
+  struct Foot { ... }
+
+  void send_message(char* msg) {
+    int msglen = strlen(msg);
+    size_t sizes[3] = { sizeof(struct Head), msglen, sizeof(struct Foot) };
+    void* chunks[3];
+    if (independent_comalloc(3, sizes, chunks) == 0)
+      die();
+    struct Head* head = (struct Head*)(chunks[0]);
+    char*        body = (char*)(chunks[1]);
+    struct Foot* foot = (struct Foot*)(chunks[2]);
+    // ...
+  }
+
+  In general though, independent_comalloc is worth using only for
+  larger values of n_elements. For small values, you probably won't
+  detect enough difference from series of malloc calls to bother.
+
+  Overuse of independent_comalloc can increase overall memory usage,
+  since it cannot reuse existing noncontiguous small chunks that
+  might be available for some of the elements.
+*/
+void** dlindependent_comalloc(size_t, size_t*, void**);
+
+
+/*
+  pvalloc(size_t n);
+  Equivalent to valloc(minimum-page-that-holds(n)), that is,
+  round up n to nearest pagesize.
+ */
+void*  dlpvalloc(size_t);
+
+/*
+  malloc_trim(size_t pad);
+
+  If possible, gives memory back to the system (via negative arguments
+  to sbrk) if there is unused memory at the `high' end of the malloc
+  pool or in unused MMAP segments. You can call this after freeing
+  large blocks of memory to potentially reduce the system-level memory
+  requirements of a program. However, it cannot guarantee to reduce
+  memory. Under some allocation patterns, some large free blocks of
+  memory will be locked between two used chunks, so they cannot be
+  given back to the system.
+
+  The `pad' argument to malloc_trim represents the amount of free
+  trailing space to leave untrimmed. If this argument is zero, only
+  the minimum amount of memory to maintain internal data structures
+  will be left. Non-zero arguments can be supplied to maintain enough
+  trailing space to service future expected allocations without having
+  to re-obtain memory from the system.
+
+  Malloc_trim returns 1 if it actually released any memory, else 0.
+*/
+int  dlmalloc_trim(size_t);
+
+/*
+  malloc_usable_size(void* p);
+
+  Returns the number of bytes you can actually use in
+  an allocated chunk, which may be more than you requested (although
+  often not) due to alignment and minimum size constraints.
+  You can use this many bytes without worrying about
+  overwriting other allocated objects. This is not a particularly great
+  programming practice. malloc_usable_size can be more useful in
+  debugging and assertions, for example:
+
+  p = malloc(n);
+  assert(malloc_usable_size(p) >= 256);
+*/
+size_t dlmalloc_usable_size(void*);
+
+/*
+  malloc_stats();
+  Prints on stderr the amount of space obtained from the system (both
+  via sbrk and mmap), the maximum amount (which may be more than
+  current if malloc_trim and/or munmap got called), and the current
+  number of bytes allocated via malloc (or realloc, etc) but not yet
+  freed. Note that this is the number of bytes allocated, not the
+  number requested. It will be larger than the number requested
+  because of alignment and bookkeeping overhead. Because it includes
+  alignment wastage as being in use, this figure may be greater than
+  zero even when no user-level chunks are allocated.
+
+  The reported current and maximum system memory can be inaccurate if
+  a program makes other calls to system memory allocation functions
+  (normally sbrk) outside of malloc.
+
+  malloc_stats prints only the most commonly interesting statistics.
+  More information can be obtained by calling mallinfo.
+*/
+void  dlmalloc_stats(void);
+
+#endif /* ONLY_MSPACES */
+
+#if MSPACES
+
+/*
+  mspace is an opaque type representing an independent
+  region of space that supports mspace_malloc, etc.
+*/
+typedef void* mspace;
+
+/*
+  create_mspace creates and returns a new independent space with the
+  given initial capacity, or, if 0, the default granularity size.  It
+  returns null if there is no system memory available to create the
+  space.  If argument locked is non-zero, the space uses a separate
+  lock to control access. The capacity of the space will grow
+  dynamically as needed to service mspace_malloc requests.  You can
+  control the sizes of incremental increases of this space by
+  compiling with a different DEFAULT_GRANULARITY or dynamically
+  setting with mallopt(M_GRANULARITY, value).
+*/
+mspace create_mspace(size_t capacity, int locked);
+
+/*
+  destroy_mspace destroys the given space, and attempts to return all
+  of its memory back to the system, returning the total number of
+  bytes freed. After destruction, the results of access to all memory
+  used by the space become undefined.
+*/
+size_t destroy_mspace(mspace msp);
+
+/*
+  create_mspace_with_base uses the memory supplied as the initial base
+  of a new mspace. Part (less than 128*sizeof(size_t) bytes) of this
+  space is used for bookkeeping, so the capacity must be at least this
+  large. (Otherwise 0 is returned.) When this initial space is
+  exhausted, additional memory will be obtained from the system.
+  Destroying this space will deallocate all additionally allocated
+  space (if possible) but not the initial base.
+*/
+mspace create_mspace_with_base(void* base, size_t capacity, int locked);
+
+/*
+  mspace_malloc behaves as malloc, but operates within
+  the given space.
+*/
+void* mspace_malloc(mspace msp, size_t bytes);
+
+/*
+  mspace_free behaves as free, but operates within
+  the given space.
+
+  If compiled with FOOTERS==1, mspace_free is not actually needed.
+  free may be called instead of mspace_free because freed chunks from
+  any space are handled by their originating spaces.
+*/
+void mspace_free(mspace msp, void* mem);
+
+/*
+  mspace_realloc behaves as realloc, but operates within
+  the given space.
+
+  If compiled with FOOTERS==1, mspace_realloc is not actually
+  needed.  realloc may be called instead of mspace_realloc because
+  realloced chunks from any space are handled by their originating
+  spaces.
+*/
+void* mspace_realloc(mspace msp, void* mem, size_t newsize);
+
+/*
+  mspace_calloc behaves as calloc, but operates within
+  the given space.
+*/
+void* mspace_calloc(mspace msp, size_t n_elements, size_t elem_size);
+
+/*
+  mspace_memalign behaves as memalign, but operates within
+  the given space.
+*/
+void* mspace_memalign(mspace msp, size_t alignment, size_t bytes);
+
+/*
+  mspace_independent_calloc behaves as independent_calloc, but
+  operates within the given space.
+*/
+void** mspace_independent_calloc(mspace msp, size_t n_elements,
+                                 size_t elem_size, void* chunks[]);
+
+/*
+  mspace_independent_comalloc behaves as independent_comalloc, but
+  operates within the given space.
+*/
+void** mspace_independent_comalloc(mspace msp, size_t n_elements,
+                                   size_t sizes[], void* chunks[]);
+
+/*
+  mspace_footprint() returns the number of bytes obtained from the
+  system for this space.
+*/
+size_t mspace_footprint(mspace msp);
+
+/*
+  mspace_max_footprint() returns the peak number of bytes obtained from the
+  system for this space.
+*/
+size_t mspace_max_footprint(mspace msp);
+
+
+#if !NO_MALLINFO
+/*
+  mspace_mallinfo behaves as mallinfo, but reports properties of
+  the given space.
+*/
+struct mallinfo mspace_mallinfo(mspace msp);
+#endif /* NO_MALLINFO */
+
+/*
+  mspace_malloc_stats behaves as malloc_stats, but reports
+  properties of the given space.
+*/
+void mspace_malloc_stats(mspace msp);
+
+/*
+  mspace_trim behaves as malloc_trim, but
+  operates within the given space.
+*/
+int mspace_trim(mspace msp, size_t pad);
+
+/*
+  An alias for mallopt.
+*/
+int mspace_mallopt(int, int);
+
+#endif /* MSPACES */
+
+#ifdef __cplusplus
+};  /* end of extern "C" */
+#endif /* __cplusplus */
+
+/*
+  ========================================================================
+  To make a fully customizable malloc.h header file, cut everything
+  above this line, put into file malloc.h, edit to suit, and #include it
+  on the next line, as well as in programs that use this malloc.
+  ========================================================================
+*/
+
+/* #include "malloc.h" */
+
+/*------------------------------ internal #includes ---------------------- */
+
+#ifdef WIN32
+#pragma warning( disable : 4146 ) /* no "unsigned" warnings */
+#endif /* WIN32 */
+
+#include <stdio.h>       /* for printing in malloc_stats */
+
+#ifndef LACKS_ERRNO_H
+#include <errno.h>       /* for MALLOC_FAILURE_ACTION */
+#endif /* LACKS_ERRNO_H */
+#if FOOTERS
+#include <time.h>        /* for magic initialization */
+#endif /* FOOTERS */
+#ifndef LACKS_STDLIB_H
+#include <stdlib.h>      /* for abort() */
+#endif /* LACKS_STDLIB_H */
+#ifdef DEBUG
+#if ABORT_ON_ASSERT_FAILURE
+#define assert(x) if(!(x)) ABORT
+#else /* ABORT_ON_ASSERT_FAILURE */
+#include <assert.h>
+#endif /* ABORT_ON_ASSERT_FAILURE */
+#else  /* DEBUG */
+#define assert(x)
+#endif /* DEBUG */
+#ifndef LACKS_STRING_H
+#include <string.h>      /* for memset etc */
+#endif  /* LACKS_STRING_H */
+#if USE_BUILTIN_FFS
+#ifndef LACKS_STRINGS_H
+#include <strings.h>     /* for ffs */
+#endif /* LACKS_STRINGS_H */
+#endif /* USE_BUILTIN_FFS */
+#if HAVE_MMAP
+#ifndef LACKS_SYS_MMAN_H
+#include <sys/mman.h>    /* for mmap */
+#endif /* LACKS_SYS_MMAN_H */
+#ifndef LACKS_FCNTL_H
+#include <fcntl.h>
+#endif /* LACKS_FCNTL_H */
+#endif /* HAVE_MMAP */
+#if HAVE_MORECORE
+#ifndef LACKS_UNISTD_H
+#include <unistd.h>     /* for sbrk */
+#else /* LACKS_UNISTD_H */
+#if !defined(__FreeBSD__) && !defined(__OpenBSD__) && !defined(__NetBSD__)
+extern void*     sbrk(ptrdiff_t);
+#endif /* FreeBSD etc */
+#endif /* LACKS_UNISTD_H */
+#endif /* HAVE_MMAP */
+
+#ifndef WIN32
+#ifndef malloc_getpagesize
+#  ifdef _SC_PAGESIZE         /* some SVR4 systems omit an underscore */
+#    ifndef _SC_PAGE_SIZE
+#      define _SC_PAGE_SIZE _SC_PAGESIZE
+#    endif
+#  endif
+#  ifdef _SC_PAGE_SIZE
+#    define malloc_getpagesize sysconf(_SC_PAGE_SIZE)
+#  else
+#    if defined(BSD) || defined(DGUX) || defined(HAVE_GETPAGESIZE)
+       extern size_t getpagesize();
+#      define malloc_getpagesize getpagesize()
+#    else
+#      ifdef WIN32 /* use supplied emulation of getpagesize */
+#        define malloc_getpagesize getpagesize()
+#      else
+#        ifndef LACKS_SYS_PARAM_H
+#          include <sys/param.h>
+#        endif
+#        ifdef EXEC_PAGESIZE
+#          define malloc_getpagesize EXEC_PAGESIZE
+#        else
+#          ifdef NBPG
+#            ifndef CLSIZE
+#              define malloc_getpagesize NBPG
+#            else
+#              define malloc_getpagesize (NBPG * CLSIZE)
+#            endif
+#          else
+#            ifdef NBPC
+#              define malloc_getpagesize NBPC
+#            else
+#              ifdef PAGESIZE
+#                define malloc_getpagesize PAGESIZE
+#              else /* just guess */
+#                define malloc_getpagesize ((size_t)4096U)
+#              endif
+#            endif
+#          endif
+#        endif
+#      endif
+#    endif
+#  endif
+#endif
+#endif
+
+/* ------------------- size_t and alignment properties -------------------- */
+
+/* The byte and bit size of a size_t */
+#define SIZE_T_SIZE         (sizeof(size_t))
+#define SIZE_T_BITSIZE      (sizeof(size_t) << 3)
+
+/* Some constants coerced to size_t */
+/* Annoying but necessary to avoid errors on some plaftorms */
+#define SIZE_T_ZERO         ((size_t)0)
+#define SIZE_T_ONE          ((size_t)1)
+#define SIZE_T_TWO          ((size_t)2)
+#define TWO_SIZE_T_SIZES    (SIZE_T_SIZE<<1)
+#define FOUR_SIZE_T_SIZES   (SIZE_T_SIZE<<2)
+#define SIX_SIZE_T_SIZES    (FOUR_SIZE_T_SIZES+TWO_SIZE_T_SIZES)
+#define HALF_MAX_SIZE_T     (MAX_SIZE_T / 2U)
+
+/* The bit mask value corresponding to MALLOC_ALIGNMENT */
+#define CHUNK_ALIGN_MASK    (MALLOC_ALIGNMENT - SIZE_T_ONE)
+
+/* True if address a has acceptable alignment */
+#define is_aligned(A)       (((size_t)((A)) & (CHUNK_ALIGN_MASK)) == 0)
+
+/* the number of bytes to offset an address to align it */
+#define align_offset(A)\
+ ((((size_t)(A) & CHUNK_ALIGN_MASK) == 0)? 0 :\
+  ((MALLOC_ALIGNMENT - ((size_t)(A) & CHUNK_ALIGN_MASK)) & CHUNK_ALIGN_MASK))
+
+/* -------------------------- MMAP preliminaries ------------------------- */
+
+/*
+   If HAVE_MORECORE or HAVE_MMAP are false, we just define calls and
+   checks to fail so compiler optimizer can delete code rather than
+   using so many "#if"s.
+*/
+
+
+/* MORECORE and MMAP must return MFAIL on failure */
+#define MFAIL                ((void*)(MAX_SIZE_T))
+#define CMFAIL               ((char*)(MFAIL)) /* defined for convenience */
+
+#if !HAVE_MMAP
+#define IS_MMAPPED_BIT       (SIZE_T_ZERO)
+#define USE_MMAP_BIT         (SIZE_T_ZERO)
+#define CALL_MMAP(s)         MFAIL
+#define CALL_MUNMAP(a, s)    (-1)
+#define DIRECT_MMAP(s)       MFAIL
+
+#else /* HAVE_MMAP */
+#define IS_MMAPPED_BIT       (SIZE_T_ONE)
+#define USE_MMAP_BIT         (SIZE_T_ONE)
+
+#ifndef WIN32
+#define CALL_MUNMAP(a, s)    munmap((a), (s))
+#define MMAP_PROT            (PROT_READ|PROT_WRITE)
+#if !defined(MAP_ANONYMOUS) && defined(MAP_ANON)
+#define MAP_ANONYMOUS        MAP_ANON
+#endif /* MAP_ANON */
+#ifdef MAP_ANONYMOUS
+#define MMAP_FLAGS           (MAP_PRIVATE|MAP_ANONYMOUS)
+#define CALL_MMAP(s)         mmap(0, (s), MMAP_PROT, MMAP_FLAGS, -1, 0)
+#else /* MAP_ANONYMOUS */
+/*
+   Nearly all versions of mmap support MAP_ANONYMOUS, so the following
+   is unlikely to be needed, but is supplied just in case.
+*/
+#define MMAP_FLAGS           (MAP_PRIVATE)
+static int dev_zero_fd = -1; /* Cached file descriptor for /dev/zero. */
+#define CALL_MMAP(s) ((dev_zero_fd < 0) ? \
+           (dev_zero_fd = open("/dev/zero", O_RDWR), \
+            mmap(0, (s), MMAP_PROT, MMAP_FLAGS, dev_zero_fd, 0)) : \
+            mmap(0, (s), MMAP_PROT, MMAP_FLAGS, dev_zero_fd, 0))
+#endif /* MAP_ANONYMOUS */
+
+#define DIRECT_MMAP(s)       CALL_MMAP(s)
+#else /* WIN32 */
+
+/* Win32 MMAP via VirtualAlloc */
+static void* win32mmap(size_t size) {
+  void* ptr = VirtualAlloc(0, size, MEM_RESERVE|MEM_COMMIT, PAGE_READWRITE);
+  return (ptr != 0)? ptr: MFAIL;
+}
+
+/* For direct MMAP, use MEM_TOP_DOWN to minimize interference */
+static void* win32direct_mmap(size_t size) {
+  void* ptr = VirtualAlloc(0, size, MEM_RESERVE|MEM_COMMIT|MEM_TOP_DOWN,
+                           PAGE_READWRITE);
+  return (ptr != 0)? ptr: MFAIL;
+}
+
+/* This function supports releasing coalesed segments */
+static int win32munmap(void* ptr, size_t size) {
+  MEMORY_BASIC_INFORMATION minfo;
+  char* cptr = ptr;
+  while (size) {
+    if (VirtualQuery(cptr, &minfo, sizeof(minfo)) == 0)
+      return -1;
+    if (minfo.BaseAddress != cptr || minfo.AllocationBase != cptr ||
+        minfo.State != MEM_COMMIT || minfo.RegionSize > size)
+      return -1;
+    if (VirtualFree(cptr, 0, MEM_RELEASE) == 0)
+      return -1;
+    cptr += minfo.RegionSize;
+    size -= minfo.RegionSize;
+  }
+  return 0;
+}
+
+#define CALL_MMAP(s)         win32mmap(s)
+#define CALL_MUNMAP(a, s)    win32munmap((a), (s))
+#define DIRECT_MMAP(s)       win32direct_mmap(s)
+#endif /* WIN32 */
+#endif /* HAVE_MMAP */
+
+#if HAVE_MMAP && HAVE_MREMAP
+#define CALL_MREMAP(addr, osz, nsz, mv) mremap((addr), (osz), (nsz), (mv))
+#else  /* HAVE_MMAP && HAVE_MREMAP */
+#define CALL_MREMAP(addr, osz, nsz, mv) MFAIL
+#endif /* HAVE_MMAP && HAVE_MREMAP */
+
+#if HAVE_MORECORE
+#define CALL_MORECORE(S)     MORECORE(S)
+#else  /* HAVE_MORECORE */
+#define CALL_MORECORE(S)     MFAIL
+#endif /* HAVE_MORECORE */
+
+/* mstate bit set if continguous morecore disabled or failed */
+#define USE_NONCONTIGUOUS_BIT (4U)
+
+/* segment bit set in create_mspace_with_base */
+#define EXTERN_BIT            (8U)
+
+
+/* --------------------------- Lock preliminaries ------------------------ */
+
+#if USE_LOCKS
+
+/*
+  When locks are defined, there are up to two global locks:
+
+  * If HAVE_MORECORE, morecore_mutex protects sequences of calls to
+    MORECORE.  In many cases sys_alloc requires two calls, that should
+    not be interleaved with calls by other threads.  This does not
+    protect against direct calls to MORECORE by other threads not
+    using this lock, so there is still code to cope the best we can on
+    interference.
+
+  * magic_init_mutex ensures that mparams.magic and other
+    unique mparams values are initialized only once.
+*/
+
+#ifndef WIN32
+/* By default use posix locks */
+#include <pthread.h>
+#define MLOCK_T pthread_mutex_t
+#define INITIAL_LOCK(l)      pthread_mutex_init(l, NULL)
+#define ACQUIRE_LOCK(l)      pthread_mutex_lock(l)
+#define RELEASE_LOCK(l)      pthread_mutex_unlock(l)
+
+#if HAVE_MORECORE
+static MLOCK_T morecore_mutex = PTHREAD_MUTEX_INITIALIZER;
+#endif /* HAVE_MORECORE */
+
+static MLOCK_T magic_init_mutex = PTHREAD_MUTEX_INITIALIZER;
+
+#else /* WIN32 */
+/*
+   Because lock-protected regions have bounded times, and there
+   are no recursive lock calls, we can use simple spinlocks.
+*/
+
+#define MLOCK_T long
+static int win32_acquire_lock (MLOCK_T *sl) {
+  for (;;) {
+#ifdef InterlockedCompareExchangePointer
+    if (!InterlockedCompareExchange(sl, 1, 0))
+      return 0;
+#else  /* Use older void* version */
+    if (!InterlockedCompareExchange((void**)sl, (void*)1, (void*)0))
+      return 0;
+#endif /* InterlockedCompareExchangePointer */
+    Sleep (0);
+  }
+}
+
+static void win32_release_lock (MLOCK_T *sl) {
+  InterlockedExchange (sl, 0);
+}
+
+#define INITIAL_LOCK(l)      *(l)=0
+#define ACQUIRE_LOCK(l)      win32_acquire_lock(l)
+#define RELEASE_LOCK(l)      win32_release_lock(l)
+#if HAVE_MORECORE
+static MLOCK_T morecore_mutex;
+#endif /* HAVE_MORECORE */
+static MLOCK_T magic_init_mutex;
+#endif /* WIN32 */
+
+#define USE_LOCK_BIT               (2U)
+#else  /* USE_LOCKS */
+#define USE_LOCK_BIT               (0U)
+#define INITIAL_LOCK(l)
+#endif /* USE_LOCKS */
+
+#if USE_LOCKS && HAVE_MORECORE
+#define ACQUIRE_MORECORE_LOCK()    ACQUIRE_LOCK(&morecore_mutex);
+#define RELEASE_MORECORE_LOCK()    RELEASE_LOCK(&morecore_mutex);
+#else /* USE_LOCKS && HAVE_MORECORE */
+#define ACQUIRE_MORECORE_LOCK()
+#define RELEASE_MORECORE_LOCK()
+#endif /* USE_LOCKS && HAVE_MORECORE */
+
+#if USE_LOCKS
+#define ACQUIRE_MAGIC_INIT_LOCK()  ACQUIRE_LOCK(&magic_init_mutex);
+#define RELEASE_MAGIC_INIT_LOCK()  RELEASE_LOCK(&magic_init_mutex);
+#else  /* USE_LOCKS */
+#define ACQUIRE_MAGIC_INIT_LOCK()
+#define RELEASE_MAGIC_INIT_LOCK()
+#endif /* USE_LOCKS */
+
+
+/* -----------------------  Chunk representations ------------------------ */
+
+/*
+  (The following includes lightly edited explanations by Colin Plumb.)
+
+  The malloc_chunk declaration below is misleading (but accurate and
+  necessary).  It declares a "view" into memory allowing access to
+  necessary fields at known offsets from a given base.
+
+  Chunks of memory are maintained using a `boundary tag' method as
+  originally described by Knuth.  (See the paper by Paul Wilson
+  ftp://ftp.cs.utexas.edu/pub/garbage/allocsrv.ps for a survey of such
+  techniques.)  Sizes of free chunks are stored both in the front of
+  each chunk and at the end.  This makes consolidating fragmented
+  chunks into bigger chunks fast.  The head fields also hold bits
+  representing whether chunks are free or in use.
+
+  Here are some pictures to make it clearer.  They are "exploded" to
+  show that the state of a chunk can be thought of as extending from
+  the high 31 bits of the head field of its header through the
+  prev_foot and PINUSE_BIT bit of the following chunk header.
+
+  A chunk that's in use looks like:
+
+   chunk-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+           | Size of previous chunk (if P = 1)                             |
+           +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+         +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |P|
+         | Size of this chunk                                         1| +-+
+   mem-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+         |                                                               |
+         +-                                                             -+
+         |                                                               |
+         +-                                                             -+
+         |                                                               :
+         +-      size - sizeof(size_t) available payload bytes          -+
+         :                                                               |
+ chunk-> +-                                                             -+
+         |                                                               |
+         +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |1|
+       | Size of next chunk (may or may not be in use)               | +-+
+ mem-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+    And if it's free, it looks like this:
+
+   chunk-> +-                                                             -+
+           | User payload (must be in use, or we would have merged!)       |
+           +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+         +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |P|
+         | Size of this chunk                                         0| +-+
+   mem-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+         | Next pointer                                                  |
+         +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+         | Prev pointer                                                  |
+         +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+         |                                                               :
+         +-      size - sizeof(struct chunk) unused bytes               -+
+         :                                                               |
+ chunk-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+         | Size of this chunk                                            |
+         +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0|
+       | Size of next chunk (must be in use, or we would have merged)| +-+
+ mem-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+       |                                                               :
+       +- User payload                                                -+
+       :                                                               |
+       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+                                                                     |0|
+                                                                     +-+
+  Note that since we always merge adjacent free chunks, the chunks
+  adjacent to a free chunk must be in use.
+
+  Given a pointer to a chunk (which can be derived trivially from the
+  payload pointer) we can, in O(1) time, find out whether the adjacent
+  chunks are free, and if so, unlink them from the lists that they
+  are on and merge them with the current chunk.
+
+  Chunks always begin on even word boundaries, so the mem portion
+  (which is returned to the user) is also on an even word boundary, and
+  thus at least double-word aligned.
+
+  The P (PINUSE_BIT) bit, stored in the unused low-order bit of the
+  chunk size (which is always a multiple of two words), is an in-use
+  bit for the *previous* chunk.  If that bit is *clear*, then the
+  word before the current chunk size contains the previous chunk
+  size, and can be used to find the front of the previous chunk.
+  The very first chunk allocated always has this bit set, preventing
+  access to non-existent (or non-owned) memory. If pinuse is set for
+  any given chunk, then you CANNOT determine the size of the
+  previous chunk, and might even get a memory addressing fault when
+  trying to do so.
+
+  The C (CINUSE_BIT) bit, stored in the unused second-lowest bit of
+  the chunk size redundantly records whether the current chunk is
+  inuse. This redundancy enables usage checks within free and realloc,
+  and reduces indirection when freeing and consolidating chunks.
+
+  Each freshly allocated chunk must have both cinuse and pinuse set.
+  That is, each allocated chunk borders either a previously allocated
+  and still in-use chunk, or the base of its memory arena. This is
+  ensured by making all allocations from the the `lowest' part of any
+  found chunk.  Further, no free chunk physically borders another one,
+  so each free chunk is known to be preceded and followed by either
+  inuse chunks or the ends of memory.
+
+  Note that the `foot' of the current chunk is actually represented
+  as the prev_foot of the NEXT chunk. This makes it easier to
+  deal with alignments etc but can be very confusing when trying
+  to extend or adapt this code.
+
+  The exceptions to all this are
+
+     1. The special chunk `top' is the top-most available chunk (i.e.,
+        the one bordering the end of available memory). It is treated
+        specially.  Top is never included in any bin, is used only if
+        no other chunk is available, and is released back to the
+        system if it is very large (see M_TRIM_THRESHOLD).  In effect,
+        the top chunk is treated as larger (and thus less well
+        fitting) than any other available chunk.  The top chunk
+        doesn't update its trailing size field since there is no next
+        contiguous chunk that would have to index off it. However,
+        space is still allocated for it (TOP_FOOT_SIZE) to enable
+        separation or merging when space is extended.
+
+     3. Chunks allocated via mmap, which have the lowest-order bit
+        (IS_MMAPPED_BIT) set in their prev_foot fields, and do not set
+        PINUSE_BIT in their head fields.  Because they are allocated
+        one-by-one, each must carry its own prev_foot field, which is
+        also used to hold the offset this chunk has within its mmapped
+        region, which is needed to preserve alignment. Each mmapped
+        chunk is trailed by the first two fields of a fake next-chunk
+        for sake of usage checks.
+
+*/
+
+struct malloc_chunk {
+  size_t               prev_foot;  /* Size of previous chunk (if free).  */
+  size_t               head;       /* Size and inuse bits. */
+  struct malloc_chunk* fd;         /* double links -- used only if free. */
+  struct malloc_chunk* bk;
+};
+
+typedef struct malloc_chunk  mchunk;
+typedef struct malloc_chunk* mchunkptr;
+typedef struct malloc_chunk* sbinptr;  /* The type of bins of chunks */
+typedef unsigned int bindex_t;         /* Described below */
+typedef unsigned int binmap_t;         /* Described below */
+typedef unsigned int flag_t;           /* The type of various bit flag sets */
+
+/* ------------------- Chunks sizes and alignments ----------------------- */
+
+#define MCHUNK_SIZE         (sizeof(mchunk))
+
+#if FOOTERS
+#define CHUNK_OVERHEAD      (TWO_SIZE_T_SIZES)
+#else /* FOOTERS */
+#define CHUNK_OVERHEAD      (SIZE_T_SIZE)
+#endif /* FOOTERS */
+
+/* MMapped chunks need a second word of overhead ... */
+#define MMAP_CHUNK_OVERHEAD (TWO_SIZE_T_SIZES)
+/* ... and additional padding for fake next-chunk at foot */
+#define MMAP_FOOT_PAD       (FOUR_SIZE_T_SIZES)
+
+/* The smallest size we can malloc is an aligned minimal chunk */
+#define MIN_CHUNK_SIZE\
+  ((MCHUNK_SIZE + CHUNK_ALIGN_MASK) & ~CHUNK_ALIGN_MASK)
+
+/* conversion from malloc headers to user pointers, and back */
+#define chunk2mem(p)        ((void*)((char*)(p)       + TWO_SIZE_T_SIZES))
+#define mem2chunk(mem)      ((mchunkptr)((char*)(mem) - TWO_SIZE_T_SIZES))
+/* chunk associated with aligned address A */
+#define align_as_chunk(A)   (mchunkptr)((A) + align_offset(chunk2mem(A)))
+
+/* Bounds on request (not chunk) sizes. */
+#define MAX_REQUEST         ((-MIN_CHUNK_SIZE) << 2)
+#define MIN_REQUEST         (MIN_CHUNK_SIZE - CHUNK_OVERHEAD - SIZE_T_ONE)
+
+/* pad request bytes into a usable size */
+#define pad_request(req) \
+   (((req) + CHUNK_OVERHEAD + CHUNK_ALIGN_MASK) & ~CHUNK_ALIGN_MASK)
+
+/* pad request, checking for minimum (but not maximum) */
+#define request2size(req) \
+  (((req) < MIN_REQUEST)? MIN_CHUNK_SIZE : pad_request(req))
+
+
+/* ------------------ Operations on head and foot fields ----------------- */
+
+/*
+  The head field of a chunk is or'ed with PINUSE_BIT when previous
+  adjacent chunk in use, and or'ed with CINUSE_BIT if this chunk is in
+  use. If the chunk was obtained with mmap, the prev_foot field has
+  IS_MMAPPED_BIT set, otherwise holding the offset of the base of the
+  mmapped region to the base of the chunk.
+*/
+
+#define PINUSE_BIT          (SIZE_T_ONE)
+#define CINUSE_BIT          (SIZE_T_TWO)
+#define INUSE_BITS          (PINUSE_BIT|CINUSE_BIT)
+
+/* Head value for fenceposts */
+#define FENCEPOST_HEAD      (INUSE_BITS|SIZE_T_SIZE)
+
+/* extraction of fields from head words */
+#define cinuse(p)           ((p)->head & CINUSE_BIT)
+#define pinuse(p)           ((p)->head & PINUSE_BIT)
+#define chunksize(p)        ((p)->head & ~(INUSE_BITS))
+
+#define clear_pinuse(p)     ((p)->head &= ~PINUSE_BIT)
+#define clear_cinuse(p)     ((p)->head &= ~CINUSE_BIT)
+
+/* Treat space at ptr +/- offset as a chunk */
+#define chunk_plus_offset(p, s)  ((mchunkptr)(((char*)(p)) + (s)))
+#define chunk_minus_offset(p, s) ((mchunkptr)(((char*)(p)) - (s)))
+
+/* Ptr to next or previous physical malloc_chunk. */
+#define next_chunk(p) ((mchunkptr)( ((char*)(p)) + ((p)->head & ~INUSE_BITS)))
+#define prev_chunk(p) ((mchunkptr)( ((char*)(p)) - ((p)->prev_foot) ))
+
+/* extract next chunk's pinuse bit */
+#define next_pinuse(p)  ((next_chunk(p)->head) & PINUSE_BIT)
+
+/* Get/set size at footer */
+#define get_foot(p, s)  (((mchunkptr)((char*)(p) + (s)))->prev_foot)
+#define set_foot(p, s)  (((mchunkptr)((char*)(p) + (s)))->prev_foot = (s))
+
+/* Set size, pinuse bit, and foot */
+#define set_size_and_pinuse_of_free_chunk(p, s)\
+  ((p)->head = (s|PINUSE_BIT), set_foot(p, s))
+
+/* Set size, pinuse bit, foot, and clear next pinuse */
+#define set_free_with_pinuse(p, s, n)\
+  (clear_pinuse(n), set_size_and_pinuse_of_free_chunk(p, s))
+
+#define is_mmapped(p)\
+  (!((p)->head & PINUSE_BIT) && ((p)->prev_foot & IS_MMAPPED_BIT))
+
+/* Get the internal overhead associated with chunk p */
+#define overhead_for(p)\
+ (is_mmapped(p)? MMAP_CHUNK_OVERHEAD : CHUNK_OVERHEAD)
+
+/* Return true if malloced space is not necessarily cleared */
+#if MMAP_CLEARS
+#define calloc_must_clear(p) (!is_mmapped(p))
+#else /* MMAP_CLEARS */
+#define calloc_must_clear(p) (1)
+#endif /* MMAP_CLEARS */
+
+/* ---------------------- Overlaid data structures ----------------------- */
+
+/*
+  When chunks are not in use, they are treated as nodes of either
+  lists or trees.
+
+  "Small"  chunks are stored in circular doubly-linked lists, and look
+  like this:
+
+    chunk-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+            |             Size of previous chunk                            |
+            +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+    `head:' |             Size of chunk, in bytes                         |P|
+      mem-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+            |             Forward pointer to next chunk in list             |
+            +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+            |             Back pointer to previous chunk in list            |
+            +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+            |             Unused space (may be 0 bytes long)                .
+            .                                                               .
+            .                                                               |
+nextchunk-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+    `foot:' |             Size of chunk, in bytes                           |
+            +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+  Larger chunks are kept in a form of bitwise digital trees (aka
+  tries) keyed on chunksizes.  Because malloc_tree_chunks are only for
+  free chunks greater than 256 bytes, their size doesn't impose any
+  constraints on user chunk sizes.  Each node looks like:
+
+    chunk-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+            |             Size of previous chunk                            |
+            +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+    `head:' |             Size of chunk, in bytes                         |P|
+      mem-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+            |             Forward pointer to next chunk of same size        |
+            +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+            |             Back pointer to previous chunk of same size       |
+            +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+            |             Pointer to left child (child[0])                  |
+            +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+            |             Pointer to right child (child[1])                 |
+            +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+            |             Pointer to parent                                 |
+            +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+            |             bin index of this chunk                           |
+            +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+            |             Unused space                                      .
+            .                                                               |
+nextchunk-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+    `foot:' |             Size of chunk, in bytes                           |
+            +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+  Each tree holding treenodes is a tree of unique chunk sizes.  Chunks
+  of the same size are arranged in a circularly-linked list, with only
+  the oldest chunk (the next to be used, in our FIFO ordering)
+  actually in the tree.  (Tree members are distinguished by a non-null
+  parent pointer.)  If a chunk with the same size an an existing node
+  is inserted, it is linked off the existing node using pointers that
+  work in the same way as fd/bk pointers of small chunks.
+
+  Each tree contains a power of 2 sized range of chunk sizes (the
+  smallest is 0x100 <= x < 0x180), which is is divided in half at each
+  tree level, with the chunks in the smaller half of the range (0x100
+  <= x < 0x140 for the top nose) in the left subtree and the larger
+  half (0x140 <= x < 0x180) in the right subtree.  This is, of course,
+  done by inspecting individual bits.
+
+  Using these rules, each node's left subtree contains all smaller
+  sizes than its right subtree.  However, the node at the root of each
+  subtree has no particular ordering relationship to either.  (The
+  dividing line between the subtree sizes is based on trie relation.)
+  If we remove the last chunk of a given size from the interior of the
+  tree, we need to replace it with a leaf node.  The tree ordering
+  rules permit a node to be replaced by any leaf below it.
+
+  The smallest chunk in a tree (a common operation in a best-fit
+  allocator) can be found by walking a path to the leftmost leaf in
+  the tree.  Unlike a usual binary tree, where we follow left child
+  pointers until we reach a null, here we follow the right child
+  pointer any time the left one is null, until we reach a leaf with
+  both child pointers null. The smallest chunk in the tree will be
+  somewhere along that path.
+
+  The worst case number of steps to add, find, or remove a node is
+  bounded by the number of bits differentiating chunks within
+  bins. Under current bin calculations, this ranges from 6 up to 21
+  (for 32 bit sizes) or up to 53 (for 64 bit sizes). The typical case
+  is of course much better.
+*/
+
+struct malloc_tree_chunk {
+  /* The first four fields must be compatible with malloc_chunk */
+  size_t                    prev_foot;
+  size_t                    head;
+  struct malloc_tree_chunk* fd;
+  struct malloc_tree_chunk* bk;
+
+  struct malloc_tree_chunk* child[2];
+  struct malloc_tree_chunk* parent;
+  bindex_t                  index;
+};
+
+typedef struct malloc_tree_chunk  tchunk;
+typedef struct malloc_tree_chunk* tchunkptr;
+typedef struct malloc_tree_chunk* tbinptr; /* The type of bins of trees */
+
+/* A little helper macro for trees */
+#define leftmost_child(t) ((t)->child[0] != 0? (t)->child[0] : (t)->child[1])
+
+/* ----------------------------- Segments -------------------------------- */
+
+/*
+  Each malloc space may include non-contiguous segments, held in a
+  list headed by an embedded malloc_segment record representing the
+  top-most space. Segments also include flags holding properties of
+  the space. Large chunks that are directly allocated by mmap are not
+  included in this list. They are instead independently created and
+  destroyed without otherwise keeping track of them.
+
+  Segment management mainly comes into play for spaces allocated by
+  MMAP.  Any call to MMAP might or might not return memory that is
+  adjacent to an existing segment.  MORECORE normally contiguously
+  extends the current space, so this space is almost always adjacent,
+  which is simpler and faster to deal with. (This is why MORECORE is
+  used preferentially to MMAP when both are available -- see
+  sys_alloc.)  When allocating using MMAP, we don't use any of the
+  hinting mechanisms (inconsistently) supported in various
+  implementations of unix mmap, or distinguish reserving from
+  committing memory. Instead, we just ask for space, and exploit
+  contiguity when we get it.  It is probably possible to do
+  better than this on some systems, but no general scheme seems
+  to be significantly better.
+
+  Management entails a simpler variant of the consolidation scheme
+  used for chunks to reduce fragmentation -- new adjacent memory is
+  normally prepended or appended to an existing segment. However,
+  there are limitations compared to chunk consolidation that mostly
+  reflect the fact that segment processing is relatively infrequent
+  (occurring only when getting memory from system) and that we
+  don't expect to have huge numbers of segments:
+
+  * Segments are not indexed, so traversal requires linear scans.  (It
+    would be possible to index these, but is not worth the extra
+    overhead and complexity for most programs on most platforms.)
+  * New segments are only appended to old ones when holding top-most
+    memory; if they cannot be prepended to others, they are held in
+    different segments.
+
+  Except for the top-most segment of an mstate, each segment record
+  is kept at the tail of its segment. Segments are added by pushing
+  segment records onto the list headed by &mstate.seg for the
+  containing mstate.
+
+  Segment flags control allocation/merge/deallocation policies:
+  * If EXTERN_BIT set, then we did not allocate this segment,
+    and so should not try to deallocate or merge with others.
+    (This currently holds only for the initial segment passed
+    into create_mspace_with_base.)
+  * If IS_MMAPPED_BIT set, the segment may be merged with
+    other surrounding mmapped segments and trimmed/de-allocated
+    using munmap.
+  * If neither bit is set, then the segment was obtained using
+    MORECORE so can be merged with surrounding MORECORE'd segments
+    and deallocated/trimmed using MORECORE with negative arguments.
+*/
+
+struct malloc_segment {
+  char*        base;             /* base address */
+  size_t       size;             /* allocated size */
+  struct malloc_segment* next;   /* ptr to next segment */
+  flag_t       sflags;           /* mmap and extern flag */
+};
+
+#define is_mmapped_segment(S)  ((S)->sflags & IS_MMAPPED_BIT)
+#define is_extern_segment(S)   ((S)->sflags & EXTERN_BIT)
+
+typedef struct malloc_segment  msegment;
+typedef struct malloc_segment* msegmentptr;
+
+/* ---------------------------- malloc_state ----------------------------- */
+
+/*
+   A malloc_state holds all of the bookkeeping for a space.
+   The main fields are:
+
+  Top
+    The topmost chunk of the currently active segment. Its size is
+    cached in topsize.  The actual size of topmost space is
+    topsize+TOP_FOOT_SIZE, which includes space reserved for adding
+    fenceposts and segment records if necessary when getting more
+    space from the system.  The size at which to autotrim top is
+    cached from mparams in trim_check, except that it is disabled if
+    an autotrim fails.
+
+  Designated victim (dv)
+    This is the preferred chunk for servicing small requests that
+    don't have exact fits.  It is normally the chunk split off most
+    recently to service another small request.  Its size is cached in
+    dvsize. The link fields of this chunk are not maintained since it
+    is not kept in a bin.
+
+  SmallBins
+    An array of bin headers for free chunks.  These bins hold chunks
+    with sizes less than MIN_LARGE_SIZE bytes. Each bin contains
+    chunks of all the same size, spaced 8 bytes apart.  To simplify
+    use in double-linked lists, each bin header acts as a malloc_chunk
+    pointing to the real first node, if it exists (else pointing to
+    itself).  This avoids special-casing for headers.  But to avoid
+    waste, we allocate only the fd/bk pointers of bins, and then use
+    repositioning tricks to treat these as the fields of a chunk.
+
+  TreeBins
+    Treebins are pointers to the roots of trees holding a range of
+    sizes. There are 2 equally spaced treebins for each power of two
+    from TREE_SHIFT to TREE_SHIFT+16. The last bin holds anything
+    larger.
+
+  Bin maps
+    There is one bit map for small bins ("smallmap") and one for
+    treebins ("treemap).  Each bin sets its bit when non-empty, and
+    clears the bit when empty.  Bit operations are then used to avoid
+    bin-by-bin searching -- nearly all "search" is done without ever
+    looking at bins that won't be selected.  The bit maps
+    conservatively use 32 bits per map word, even if on 64bit system.
+    For a good description of some of the bit-based techniques used
+    here, see Henry S. Warren Jr's book "Hacker's Delight" (and
+    supplement at http://hackersdelight.org/). Many of these are
+    intended to reduce the branchiness of paths through malloc etc, as
+    well as to reduce the number of memory locations read or written.
+
+  Segments
+    A list of segments headed by an embedded malloc_segment record
+    representing the initial space.
+
+  Address check support
+    The least_addr field is the least address ever obtained from
+    MORECORE or MMAP. Attempted frees and reallocs of any address less
+    than this are trapped (unless INSECURE is defined).
+
+  Magic tag
+    A cross-check field that should always hold same value as mparams.magic.
+
+  Flags
+    Bits recording whether to use MMAP, locks, or contiguous MORECORE
+
+  Statistics
+    Each space keeps track of current and maximum system memory
+    obtained via MORECORE or MMAP.
+
+  Locking
+    If USE_LOCKS is defined, the "mutex" lock is acquired and released
+    around every public call using this mspace.
+*/
+
+/* Bin types, widths and sizes */
+#define NSMALLBINS        (32U)
+#define NTREEBINS         (32U)
+#define SMALLBIN_SHIFT    (3U)
+#define SMALLBIN_WIDTH    (SIZE_T_ONE << SMALLBIN_SHIFT)
+#define TREEBIN_SHIFT     (8U)
+#define MIN_LARGE_SIZE    (SIZE_T_ONE << TREEBIN_SHIFT)
+#define MAX_SMALL_SIZE    (MIN_LARGE_SIZE - SIZE_T_ONE)
+#define MAX_SMALL_REQUEST (MAX_SMALL_SIZE - CHUNK_ALIGN_MASK - CHUNK_OVERHEAD)
+
+struct malloc_state {
+  binmap_t   smallmap;
+  binmap_t   treemap;
+  size_t     dvsize;
+  size_t     topsize;
+  char*      least_addr;
+  mchunkptr  dv;
+  mchunkptr  top;
+  size_t     trim_check;
+  size_t     magic;
+  mchunkptr  smallbins[(NSMALLBINS+1)*2];
+  tbinptr    treebins[NTREEBINS];
+  size_t     footprint;
+  size_t     max_footprint;
+  flag_t     mflags;
+#if USE_LOCKS
+  MLOCK_T    mutex;     /* locate lock among fields that rarely change */
+#endif /* USE_LOCKS */
+  msegment   seg;
+};
+
+typedef struct malloc_state*    mstate;
+
+/* ------------- Global malloc_state and malloc_params ------------------- */
+
+/*
+  malloc_params holds global properties, including those that can be
+  dynamically set using mallopt. There is a single instance, mparams,
+  initialized in init_mparams.
+*/
+
+struct malloc_params {
+  size_t magic;
+  size_t page_size;
+  size_t granularity;
+  size_t mmap_threshold;
+  size_t trim_threshold;
+  flag_t default_mflags;
+};
+
+static struct malloc_params mparams;
+
+/* The global malloc_state used for all non-"mspace" calls */
+static struct malloc_state _gm_;
+#define gm                 (&_gm_)
+#define is_global(M)       ((M) == &_gm_)
+#define is_initialized(M)  ((M)->top != 0)
+
+/* -------------------------- system alloc setup ------------------------- */
+
+/* Operations on mflags */
+
+#define use_lock(M)           ((M)->mflags &   USE_LOCK_BIT)
+#define enable_lock(M)        ((M)->mflags |=  USE_LOCK_BIT)
+#define disable_lock(M)       ((M)->mflags &= ~USE_LOCK_BIT)
+
+#define use_mmap(M)           ((M)->mflags &   USE_MMAP_BIT)
+#define enable_mmap(M)        ((M)->mflags |=  USE_MMAP_BIT)
+#define disable_mmap(M)       ((M)->mflags &= ~USE_MMAP_BIT)
+
+#define use_noncontiguous(M)  ((M)->mflags &   USE_NONCONTIGUOUS_BIT)
+#define disable_contiguous(M) ((M)->mflags |=  USE_NONCONTIGUOUS_BIT)
+
+#define set_lock(M,L)\
+ ((M)->mflags = (L)?\
+  ((M)->mflags | USE_LOCK_BIT) :\
+  ((M)->mflags & ~USE_LOCK_BIT))
+
+/* page-align a size */
+#define page_align(S)\
+ (((S) + (mparams.page_size)) & ~(mparams.page_size - SIZE_T_ONE))
+
+/* granularity-align a size */
+#define granularity_align(S)\
+  (((S) + (mparams.granularity)) & ~(mparams.granularity - SIZE_T_ONE))
+
+#define is_page_aligned(S)\
+   (((size_t)(S) & (mparams.page_size - SIZE_T_ONE)) == 0)
+#define is_granularity_aligned(S)\
+   (((size_t)(S) & (mparams.granularity - SIZE_T_ONE)) == 0)
+
+/*  True if segment S holds address A */
+#define segment_holds(S, A)\
+  ((char*)(A) >= S->base && (char*)(A) < S->base + S->size)
+
+/* Return segment holding given address */
+static msegmentptr segment_holding(mstate m, char* addr) {
+  msegmentptr sp = &m->seg;
+  for (;;) {
+    if (addr >= sp->base && addr < sp->base + sp->size)
+      return sp;
+    if ((sp = sp->next) == 0)
+      return 0;
+  }
+}
+
+/* Return true if segment contains a segment link */
+static int has_segment_link(mstate m, msegmentptr ss) {
+  msegmentptr sp = &m->seg;
+  for (;;) {
+    if ((char*)sp >= ss->base && (char*)sp < ss->base + ss->size)
+      return 1;
+    if ((sp = sp->next) == 0)
+      return 0;
+  }
+}
+
+#ifndef MORECORE_CANNOT_TRIM
+#define should_trim(M,s)  ((s) > (M)->trim_check)
+#else  /* MORECORE_CANNOT_TRIM */
+#define should_trim(M,s)  (0)
+#endif /* MORECORE_CANNOT_TRIM */
+
+/*
+  TOP_FOOT_SIZE is padding at the end of a segment, including space
+  that may be needed to place segment records and fenceposts when new
+  noncontiguous segments are added.
+*/
+#define TOP_FOOT_SIZE\
+  (align_offset(chunk2mem(0))+pad_request(sizeof(struct malloc_segment))+MIN_CHUNK_SIZE)
+
+
+/* -------------------------------  Hooks -------------------------------- */
+
+/*
+  PREACTION should be defined to return 0 on success, and nonzero on
+  failure. If you are not using locking, you can redefine these to do
+  anything you like.
+*/
+
+#if USE_LOCKS
+
+/* Ensure locks are initialized */
+#define GLOBALLY_INITIALIZE() (mparams.page_size == 0 && init_mparams())
+
+#define PREACTION(M)  ((GLOBALLY_INITIALIZE() || use_lock(M))? ACQUIRE_LOCK(&(M)->mutex) : 0)
+#define POSTACTION(M) { if (use_lock(M)) RELEASE_LOCK(&(M)->mutex); }
+#else /* USE_LOCKS */
+
+#ifndef PREACTION
+#define PREACTION(M) (0)
+#endif  /* PREACTION */
+
+#ifndef POSTACTION
+#define POSTACTION(M)
+#endif  /* POSTACTION */
+
+#endif /* USE_LOCKS */
+
+/*
+  CORRUPTION_ERROR_ACTION is triggered upon detected bad addresses.
+  USAGE_ERROR_ACTION is triggered on detected bad frees and
+  reallocs. The argument p is an address that might have triggered the
+  fault. It is ignored by the two predefined actions, but might be
+  useful in custom actions that try to help diagnose errors.
+*/
+
+#if PROCEED_ON_ERROR
+
+/* A count of the number of corruption errors causing resets */
+int malloc_corruption_error_count;
+
+/* default corruption action */
+static void reset_on_error(mstate m);
+
+#define CORRUPTION_ERROR_ACTION(m)  reset_on_error(m)
+#define USAGE_ERROR_ACTION(m, p)
+
+#else /* PROCEED_ON_ERROR */
+
+#ifndef CORRUPTION_ERROR_ACTION
+#define CORRUPTION_ERROR_ACTION(m) ABORT
+#endif /* CORRUPTION_ERROR_ACTION */
+
+#ifndef USAGE_ERROR_ACTION
+#define USAGE_ERROR_ACTION(m,p) ABORT
+#endif /* USAGE_ERROR_ACTION */
+
+#endif /* PROCEED_ON_ERROR */
+
+/* -------------------------- Debugging setup ---------------------------- */
+
+#if ! DEBUG
+
+#define check_free_chunk(M,P)
+#define check_inuse_chunk(M,P)
+#define check_malloced_chunk(M,P,N)
+#define check_mmapped_chunk(M,P)
+#define check_malloc_state(M)
+#define check_top_chunk(M,P)
+
+#else /* DEBUG */
+#define check_free_chunk(M,P)       do_check_free_chunk(M,P)
+#define check_inuse_chunk(M,P)      do_check_inuse_chunk(M,P)
+#define check_top_chunk(M,P)        do_check_top_chunk(M,P)
+#define check_malloced_chunk(M,P,N) do_check_malloced_chunk(M,P,N)
+#define check_mmapped_chunk(M,P)    do_check_mmapped_chunk(M,P)
+#define check_malloc_state(M)       do_check_malloc_state(M)
+
+static void   do_check_any_chunk(mstate m, mchunkptr p);
+static void   do_check_top_chunk(mstate m, mchunkptr p);
+static void   do_check_mmapped_chunk(mstate m, mchunkptr p);
+static void   do_check_inuse_chunk(mstate m, mchunkptr p);
+static void   do_check_free_chunk(mstate m, mchunkptr p);
+static void   do_check_malloced_chunk(mstate m, void* mem, size_t s);
+static void   do_check_tree(mstate m, tchunkptr t);
+static void   do_check_treebin(mstate m, bindex_t i);
+static void   do_check_smallbin(mstate m, bindex_t i);
+static void   do_check_malloc_state(mstate m);
+static int    bin_find(mstate m, mchunkptr x);
+static size_t traverse_and_check(mstate m);
+#endif /* DEBUG */
+
+/* ---------------------------- Indexing Bins ---------------------------- */
+
+#define is_small(s)         (((s) >> SMALLBIN_SHIFT) < NSMALLBINS)
+#define small_index(s)      ((s)  >> SMALLBIN_SHIFT)
+#define small_index2size(i) ((i)  << SMALLBIN_SHIFT)
+#define MIN_SMALL_INDEX     (small_index(MIN_CHUNK_SIZE))
+
+/* addressing by index. See above about smallbin repositioning */
+#define smallbin_at(M, i)   ((sbinptr)((char*)&((M)->smallbins[(i)<<1])))
+#define treebin_at(M,i)     (&((M)->treebins[i]))
+
+/* assign tree index for size S to variable I */
+#if defined(__GNUC__) && defined(i386)
+#define compute_tree_index(S, I)\
+{\
+  size_t X = S >> TREEBIN_SHIFT;\
+  if (X == 0)\
+    I = 0;\
+  else if (X > 0xFFFF)\
+    I = NTREEBINS-1;\
+  else {\
+    unsigned int K;\
+    __asm__("bsrl %1,%0\n\t" : "=r" (K) : "rm"  (X));\
+    I =  (bindex_t)((K << 1) + ((S >> (K + (TREEBIN_SHIFT-1)) & 1)));\
+  }\
+}
+#else /* GNUC */
+#define compute_tree_index(S, I)\
+{\
+  size_t X = S >> TREEBIN_SHIFT;\
+  if (X == 0)\
+    I = 0;\
+  else if (X > 0xFFFF)\
+    I = NTREEBINS-1;\
+  else {\
+    unsigned int Y = (unsigned int)X;\
+    unsigned int N = ((Y - 0x100) >> 16) & 8;\
+    unsigned int K = (((Y <<= N) - 0x1000) >> 16) & 4;\
+    N += K;\
+    N += K = (((Y <<= K) - 0x4000) >> 16) & 2;\
+    K = 14 - N + ((Y <<= K) >> 15);\
+    I = (K << 1) + ((S >> (K + (TREEBIN_SHIFT-1)) & 1));\
+  }\
+}
+#endif /* GNUC */
+
+/* Bit representing maximum resolved size in a treebin at i */
+#define bit_for_tree_index(i) \
+   (i == NTREEBINS-1)? (SIZE_T_BITSIZE-1) : (((i) >> 1) + TREEBIN_SHIFT - 2)
+
+/* Shift placing maximum resolved bit in a treebin at i as sign bit */
+#define leftshift_for_tree_index(i) \
+   ((i == NTREEBINS-1)? 0 : \
+    ((SIZE_T_BITSIZE-SIZE_T_ONE) - (((i) >> 1) + TREEBIN_SHIFT - 2)))
+
+/* The size of the smallest chunk held in bin with index i */
+#define minsize_for_tree_index(i) \
+   ((SIZE_T_ONE << (((i) >> 1) + TREEBIN_SHIFT)) |  \
+   (((size_t)((i) & SIZE_T_ONE)) << (((i) >> 1) + TREEBIN_SHIFT - 1)))
+
+
+/* ------------------------ Operations on bin maps ----------------------- */
+
+/* bit corresponding to given index */
+#define idx2bit(i)              ((binmap_t)(1) << (i))
+
+/* Mark/Clear bits with given index */
+#define mark_smallmap(M,i)      ((M)->smallmap |=  idx2bit(i))
+#define clear_smallmap(M,i)     ((M)->smallmap &= ~idx2bit(i))
+#define smallmap_is_marked(M,i) ((M)->smallmap &   idx2bit(i))
+
+#define mark_treemap(M,i)       ((M)->treemap  |=  idx2bit(i))
+#define clear_treemap(M,i)      ((M)->treemap  &= ~idx2bit(i))
+#define treemap_is_marked(M,i)  ((M)->treemap  &   idx2bit(i))
+
+/* index corresponding to given bit */
+
+#if defined(__GNUC__) && defined(i386)
+#define compute_bit2idx(X, I)\
+{\
+  unsigned int J;\
+  __asm__("bsfl %1,%0\n\t" : "=r" (J) : "rm" (X));\
+  I = (bindex_t)J;\
+}
+
+#else /* GNUC */
+#if  USE_BUILTIN_FFS
+#define compute_bit2idx(X, I) I = ffs(X)-1
+
+#else /* USE_BUILTIN_FFS */
+#define compute_bit2idx(X, I)\
+{\
+  unsigned int Y = X - 1;\
+  unsigned int K = Y >> (16-4) & 16;\
+  unsigned int N = K;        Y >>= K;\
+  N += K = Y >> (8-3) &  8;  Y >>= K;\
+  N += K = Y >> (4-2) &  4;  Y >>= K;\
+  N += K = Y >> (2-1) &  2;  Y >>= K;\
+  N += K = Y >> (1-0) &  1;  Y >>= K;\
+  I = (bindex_t)(N + Y);\
+}
+#endif /* USE_BUILTIN_FFS */
+#endif /* GNUC */
+
+/* isolate the least set bit of a bitmap */
+#define least_bit(x)         ((x) & -(x))
+
+/* mask with all bits to left of least bit of x on */
+#define left_bits(x)         ((x<<1) | -(x<<1))
+
+/* mask with all bits to left of or equal to least bit of x on */
+#define same_or_left_bits(x) ((x) | -(x))
+
+
+/* ----------------------- Runtime Check Support ------------------------- */
+
+/*
+  For security, the main invariant is that malloc/free/etc never
+  writes to a static address other than malloc_state, unless static
+  malloc_state itself has been corrupted, which cannot occur via
+  malloc (because of these checks). In essence this means that we
+  believe all pointers, sizes, maps etc held in malloc_state, but
+  check all of those linked or offsetted from other embedded data
+  structures.  These checks are interspersed with main code in a way
+  that tends to minimize their run-time cost.
+
+  When FOOTERS is defined, in addition to range checking, we also
+  verify footer fields of inuse chunks, which can be used guarantee
+  that the mstate controlling malloc/free is intact.  This is a
+  streamlined version of the approach described by William Robertson
+  et al in "Run-time Detection of Heap-based Overflows" LISA'03
+  http://www.usenix.org/events/lisa03/tech/robertson.html The footer
+  of an inuse chunk holds the xor of its mstate and a random seed,
+  that is checked upon calls to free() and realloc().  This is
+  (probablistically) unguessable from outside the program, but can be
+  computed by any code successfully malloc'ing any chunk, so does not
+  itself provide protection against code that has already broken
+  security through some other means.  Unlike Robertson et al, we
+  always dynamically check addresses of all offset chunks (previous,
+  next, etc). This turns out to be cheaper than relying on hashes.
+*/
+
+#if !INSECURE
+/* Check if address a is at least as high as any from MORECORE or MMAP */
+#define ok_address(M, a) ((char*)(a) >= (M)->least_addr)
+/* Check if address of next chunk n is higher than base chunk p */
+#define ok_next(p, n)    ((char*)(p) < (char*)(n))
+/* Check if p has its cinuse bit on */
+#define ok_cinuse(p)     cinuse(p)
+/* Check if p has its pinuse bit on */
+#define ok_pinuse(p)     pinuse(p)
+
+#else /* !INSECURE */
+#define ok_address(M, a) (1)
+#define ok_next(b, n)    (1)
+#define ok_cinuse(p)     (1)
+#define ok_pinuse(p)     (1)
+#endif /* !INSECURE */
+
+#if (FOOTERS && !INSECURE)
+/* Check if (alleged) mstate m has expected magic field */
+#define ok_magic(M)      ((M)->magic == mparams.magic)
+#else  /* (FOOTERS && !INSECURE) */
+#define ok_magic(M)      (1)
+#endif /* (FOOTERS && !INSECURE) */
+
+
+/* In gcc, use __builtin_expect to minimize impact of checks */
+#if !INSECURE
+#if defined(__GNUC__) && __GNUC__ >= 3
+#define RTCHECK(e)  __builtin_expect(e, 1)
+#else /* GNUC */
+#define RTCHECK(e)  (e)
+#endif /* GNUC */
+#else /* !INSECURE */
+#define RTCHECK(e)  (1)
+#endif /* !INSECURE */
+
+/* macros to set up inuse chunks with or without footers */
+
+#if !FOOTERS
+
+#define mark_inuse_foot(M,p,s)
+
+/* Set cinuse bit and pinuse bit of next chunk */
+#define set_inuse(M,p,s)\
+  ((p)->head = (((p)->head & PINUSE_BIT)|s|CINUSE_BIT),\
+  ((mchunkptr)(((char*)(p)) + (s)))->head |= PINUSE_BIT)
+
+/* Set cinuse and pinuse of this chunk and pinuse of next chunk */
+#define set_inuse_and_pinuse(M,p,s)\
+  ((p)->head = (s|PINUSE_BIT|CINUSE_BIT),\
+  ((mchunkptr)(((char*)(p)) + (s)))->head |= PINUSE_BIT)
+
+/* Set size, cinuse and pinuse bit of this chunk */
+#define set_size_and_pinuse_of_inuse_chunk(M, p, s)\
+  ((p)->head = (s|PINUSE_BIT|CINUSE_BIT))
+
+#else /* FOOTERS */
+
+/* Set foot of inuse chunk to be xor of mstate and seed */
+#define mark_inuse_foot(M,p,s)\
+  (((mchunkptr)((char*)(p) + (s)))->prev_foot = ((size_t)(M) ^ mparams.magic))
+
+#define get_mstate_for(p)\
+  ((mstate)(((mchunkptr)((char*)(p) +\
+    (chunksize(p))))->prev_foot ^ mparams.magic))
+
+#define set_inuse(M,p,s)\
+  ((p)->head = (((p)->head & PINUSE_BIT)|s|CINUSE_BIT),\
+  (((mchunkptr)(((char*)(p)) + (s)))->head |= PINUSE_BIT), \
+  mark_inuse_foot(M,p,s))
+
+#define set_inuse_and_pinuse(M,p,s)\
+  ((p)->head = (s|PINUSE_BIT|CINUSE_BIT),\
+  (((mchunkptr)(((char*)(p)) + (s)))->head |= PINUSE_BIT),\
+ mark_inuse_foot(M,p,s))
+
+#define set_size_and_pinuse_of_inuse_chunk(M, p, s)\
+  ((p)->head = (s|PINUSE_BIT|CINUSE_BIT),\
+  mark_inuse_foot(M, p, s))
+
+#endif /* !FOOTERS */
+
+/* ---------------------------- setting mparams -------------------------- */
+
+/* Initialize mparams */
+static int init_mparams(void) {
+  if (mparams.page_size == 0) {
+    size_t s;
+
+    mparams.mmap_threshold = DEFAULT_MMAP_THRESHOLD;
+    mparams.trim_threshold = DEFAULT_TRIM_THRESHOLD;
+#if MORECORE_CONTIGUOUS
+    mparams.default_mflags = USE_LOCK_BIT|USE_MMAP_BIT;
+#else  /* MORECORE_CONTIGUOUS */
+    mparams.default_mflags = USE_LOCK_BIT|USE_MMAP_BIT|USE_NONCONTIGUOUS_BIT;
+#endif /* MORECORE_CONTIGUOUS */
+
+#if (FOOTERS && !INSECURE)
+    {
+#if USE_DEV_RANDOM
+      int fd;
+      unsigned char buf[sizeof(size_t)];
+      /* Try to use /dev/urandom, else fall back on using time */
+      if ((fd = open("/dev/urandom", O_RDONLY)) >= 0 &&
+          read(fd, buf, sizeof(buf)) == sizeof(buf)) {
+        s = *((size_t *) buf);
+        close(fd);
+      }
+      else
+#endif /* USE_DEV_RANDOM */
+        s = (size_t)(time(0) ^ (size_t)0x55555555U);
+
+      s |= (size_t)8U;    /* ensure nonzero */
+      s &= ~(size_t)7U;   /* improve chances of fault for bad values */
+
+    }
+#else /* (FOOTERS && !INSECURE) */
+    s = (size_t)0x58585858U;
+#endif /* (FOOTERS && !INSECURE) */
+    ACQUIRE_MAGIC_INIT_LOCK();
+    if (mparams.magic == 0) {
+      mparams.magic = s;
+      /* Set up lock for main malloc area */
+      INITIAL_LOCK(&gm->mutex);
+      gm->mflags = mparams.default_mflags;
+    }
+    RELEASE_MAGIC_INIT_LOCK();
+
+#ifndef WIN32
+    mparams.page_size = malloc_getpagesize;
+    mparams.granularity = ((DEFAULT_GRANULARITY != 0)?
+                           DEFAULT_GRANULARITY : mparams.page_size);
+#else /* WIN32 */
+    {
+      SYSTEM_INFO system_info;
+      GetSystemInfo(&system_info);
+      mparams.page_size = system_info.dwPageSize;
+      mparams.granularity = system_info.dwAllocationGranularity;
+    }
+#endif /* WIN32 */
+
+    /* Sanity-check configuration:
+       size_t must be unsigned and as wide as pointer type.
+       ints must be at least 4 bytes.
+       alignment must be at least 8.
+       Alignment, min chunk size, and page size must all be powers of 2.
+    */
+    if ((sizeof(size_t) != sizeof(char*)) ||
+        (MAX_SIZE_T < MIN_CHUNK_SIZE)  ||
+        (sizeof(int) < 4)  ||
+        (MALLOC_ALIGNMENT < (size_t)8U) ||
+        ((MALLOC_ALIGNMENT    & (MALLOC_ALIGNMENT-SIZE_T_ONE))    != 0) ||
+        ((MCHUNK_SIZE         & (MCHUNK_SIZE-SIZE_T_ONE))         != 0) ||
+        ((mparams.granularity & (mparams.granularity-SIZE_T_ONE)) != 0) ||
+        ((mparams.page_size   & (mparams.page_size-SIZE_T_ONE))   != 0))
+      ABORT;
+  }
+  return 0;
+}
+
+/* support for mallopt */
+static int change_mparam(int param_number, int value) {
+  size_t val = (size_t)value;
+  init_mparams();
+  switch(param_number) {
+  case M_TRIM_THRESHOLD:
+    mparams.trim_threshold = val;
+    return 1;
+  case M_GRANULARITY:
+    if (val >= mparams.page_size && ((val & (val-1)) == 0)) {
+      mparams.granularity = val;
+      return 1;
+    }
+    else
+      return 0;
+  case M_MMAP_THRESHOLD:
+    mparams.mmap_threshold = val;
+    return 1;
+  default:
+    return 0;
+  }
+}
+
+#if DEBUG
+/* ------------------------- Debugging Support --------------------------- */
+
+/* Check properties of any chunk, whether free, inuse, mmapped etc  */
+static void do_check_any_chunk(mstate m, mchunkptr p) {
+  assert((is_aligned(chunk2mem(p))) || (p->head == FENCEPOST_HEAD));
+  assert(ok_address(m, p));
+}
+
+/* Check properties of top chunk */
+static void do_check_top_chunk(mstate m, mchunkptr p) {
+  msegmentptr sp = segment_holding(m, (char*)p);
+  size_t  sz = chunksize(p);
+  assert(sp != 0);
+  assert((is_aligned(chunk2mem(p))) || (p->head == FENCEPOST_HEAD));
+  assert(ok_address(m, p));
+  assert(sz == m->topsize);
+  assert(sz > 0);
+  assert(sz == ((sp->base + sp->size) - (char*)p) - TOP_FOOT_SIZE);
+  assert(pinuse(p));
+  assert(!next_pinuse(p));
+}
+
+/* Check properties of (inuse) mmapped chunks */
+static void do_check_mmapped_chunk(mstate m, mchunkptr p) {
+  size_t  sz = chunksize(p);
+  size_t len = (sz + (p->prev_foot & ~IS_MMAPPED_BIT) + MMAP_FOOT_PAD);
+  assert(is_mmapped(p));
+  assert(use_mmap(m));
+  assert((is_aligned(chunk2mem(p))) || (p->head == FENCEPOST_HEAD));
+  assert(ok_address(m, p));
+  assert(!is_small(sz));
+  assert((len & (mparams.page_size-SIZE_T_ONE)) == 0);
+  assert(chunk_plus_offset(p, sz)->head == FENCEPOST_HEAD);
+  assert(chunk_plus_offset(p, sz+SIZE_T_SIZE)->head == 0);
+}
+
+/* Check properties of inuse chunks */
+static void do_check_inuse_chunk(mstate m, mchunkptr p) {
+  do_check_any_chunk(m, p);
+  assert(cinuse(p));
+  assert(next_pinuse(p));
+  /* If not pinuse and not mmapped, previous chunk has OK offset */
+  assert(is_mmapped(p) || pinuse(p) || next_chunk(prev_chunk(p)) == p);
+  if (is_mmapped(p))
+    do_check_mmapped_chunk(m, p);
+}
+
+/* Check properties of free chunks */
+static void do_check_free_chunk(mstate m, mchunkptr p) {
+  size_t sz = p->head & ~(PINUSE_BIT|CINUSE_BIT);
+  mchunkptr next = chunk_plus_offset(p, sz);
+  do_check_any_chunk(m, p);
+  assert(!cinuse(p));
+  assert(!next_pinuse(p));
+  assert (!is_mmapped(p));
+  if (p != m->dv && p != m->top) {
+    if (sz >= MIN_CHUNK_SIZE) {
+      assert((sz & CHUNK_ALIGN_MASK) == 0);
+      assert(is_aligned(chunk2mem(p)));
+      assert(next->prev_foot == sz);
+      assert(pinuse(p));
+      assert (next == m->top || cinuse(next));
+      assert(p->fd->bk == p);
+      assert(p->bk->fd == p);
+    }
+    else  /* markers are always of size SIZE_T_SIZE */
+      assert(sz == SIZE_T_SIZE);
+  }
+}
+
+/* Check properties of malloced chunks at the point they are malloced */
+static void do_check_malloced_chunk(mstate m, void* mem, size_t s) {
+  if (mem != 0) {
+    mchunkptr p = mem2chunk(mem);
+    size_t sz = p->head & ~(PINUSE_BIT|CINUSE_BIT);
+    do_check_inuse_chunk(m, p);
+    assert((sz & CHUNK_ALIGN_MASK) == 0);
+    assert(sz >= MIN_CHUNK_SIZE);
+    assert(sz >= s);
+    /* unless mmapped, size is less than MIN_CHUNK_SIZE more than request */
+    assert(is_mmapped(p) || sz < (s + MIN_CHUNK_SIZE));
+  }
+}
+
+/* Check a tree and its subtrees.  */
+static void do_check_tree(mstate m, tchunkptr t) {
+  tchunkptr head = 0;
+  tchunkptr u = t;
+  bindex_t tindex = t->index;
+  size_t tsize = chunksize(t);
+  bindex_t idx;
+  compute_tree_index(tsize, idx);
+  assert(tindex == idx);
+  assert(tsize >= MIN_LARGE_SIZE);
+  assert(tsize >= minsize_for_tree_index(idx));
+  assert((idx == NTREEBINS-1) || (tsize < minsize_for_tree_index((idx+1))));
+
+  do { /* traverse through chain of same-sized nodes */
+    do_check_any_chunk(m, ((mchunkptr)u));
+    assert(u->index == tindex);
+    assert(chunksize(u) == tsize);
+    assert(!cinuse(u));
+    assert(!next_pinuse(u));
+    assert(u->fd->bk == u);
+    assert(u->bk->fd == u);
+    if (u->parent == 0) {
+      assert(u->child[0] == 0);
+      assert(u->child[1] == 0);
+    }
+    else {
+      assert(head == 0); /* only one node on chain has parent */
+      head = u;
+      assert(u->parent != u);
+      assert (u->parent->child[0] == u ||
+              u->parent->child[1] == u ||
+              *((tbinptr*)(u->parent)) == u);
+      if (u->child[0] != 0) {
+        assert(u->child[0]->parent == u);
+        assert(u->child[0] != u);
+        do_check_tree(m, u->child[0]);
+      }
+      if (u->child[1] != 0) {
+        assert(u->child[1]->parent == u);
+        assert(u->child[1] != u);
+        do_check_tree(m, u->child[1]);
+      }
+      if (u->child[0] != 0 && u->child[1] != 0) {
+        assert(chunksize(u->child[0]) < chunksize(u->child[1]));
+      }
+    }
+    u = u->fd;
+  } while (u != t);
+  assert(head != 0);
+}
+
+/*  Check all the chunks in a treebin.  */
+static void do_check_treebin(mstate m, bindex_t i) {
+  tbinptr* tb = treebin_at(m, i);
+  tchunkptr t = *tb;
+  int empty = (m->treemap & (1U << i)) == 0;
+  if (t == 0)
+    assert(empty);
+  if (!empty)
+    do_check_tree(m, t);
+}
+
+/*  Check all the chunks in a smallbin.  */
+static void do_check_smallbin(mstate m, bindex_t i) {
+  sbinptr b = smallbin_at(m, i);
+  mchunkptr p = b->bk;
+  unsigned int empty = (m->smallmap & (1U << i)) == 0;
+  if (p == b)
+    assert(empty);
+  if (!empty) {
+    for (; p != b; p = p->bk) {
+      size_t size = chunksize(p);
+      mchunkptr q;
+      /* each chunk claims to be free */
+      do_check_free_chunk(m, p);
+      /* chunk belongs in bin */
+      assert(small_index(size) == i);
+      assert(p->bk == b || chunksize(p->bk) == chunksize(p));
+      /* chunk is followed by an inuse chunk */
+      q = next_chunk(p);
+      if (q->head != FENCEPOST_HEAD)
+        do_check_inuse_chunk(m, q);
+    }
+  }
+}
+
+/* Find x in a bin. Used in other check functions. */
+static int bin_find(mstate m, mchunkptr x) {
+  size_t size = chunksize(x);
+  if (is_small(size)) {
+    bindex_t sidx = small_index(size);
+    sbinptr b = smallbin_at(m, sidx);
+    if (smallmap_is_marked(m, sidx)) {
+      mchunkptr p = b;
+      do {
+        if (p == x)
+          return 1;
+      } while ((p = p->fd) != b);
+    }
+  }
+  else {
+    bindex_t tidx;
+    compute_tree_index(size, tidx);
+    if (treemap_is_marked(m, tidx)) {
+      tchunkptr t = *treebin_at(m, tidx);
+      size_t sizebits = size << leftshift_for_tree_index(tidx);
+      while (t != 0 && chunksize(t) != size) {
+        t = t->child[(sizebits >> (SIZE_T_BITSIZE-SIZE_T_ONE)) & 1];
+        sizebits <<= 1;
+      }
+      if (t != 0) {
+        tchunkptr u = t;
+        do {
+          if (u == (tchunkptr)x)
+            return 1;
+        } while ((u = u->fd) != t);
+      }
+    }
+  }
+  return 0;
+}
+
+/* Traverse each chunk and check it; return total */
+static size_t traverse_and_check(mstate m) {
+  size_t sum = 0;
+  if (is_initialized(m)) {
+    msegmentptr s = &m->seg;
+    sum += m->topsize + TOP_FOOT_SIZE;
+    while (s != 0) {
+      mchunkptr q = align_as_chunk(s->base);
+      mchunkptr lastq = 0;
+      assert(pinuse(q));
+      while (segment_holds(s, q) &&
+             q != m->top && q->head != FENCEPOST_HEAD) {
+        sum += chunksize(q);
+        if (cinuse(q)) {
+          assert(!bin_find(m, q));
+          do_check_inuse_chunk(m, q);
+        }
+        else {
+          assert(q == m->dv || bin_find(m, q));
+          assert(lastq == 0 || cinuse(lastq)); /* Not 2 consecutive free */
+          do_check_free_chunk(m, q);
+        }
+        lastq = q;
+        q = next_chunk(q);
+      }
+      s = s->next;
+    }
+  }
+  return sum;
+}
+
+/* Check all properties of malloc_state. */
+static void do_check_malloc_state(mstate m) {
+  bindex_t i;
+  size_t total;
+  /* check bins */
+  for (i = 0; i < NSMALLBINS; ++i)
+    do_check_smallbin(m, i);
+  for (i = 0; i < NTREEBINS; ++i)
+    do_check_treebin(m, i);
+
+  if (m->dvsize != 0) { /* check dv chunk */
+    do_check_any_chunk(m, m->dv);
+    assert(m->dvsize == chunksize(m->dv));
+    assert(m->dvsize >= MIN_CHUNK_SIZE);
+    assert(bin_find(m, m->dv) == 0);
+  }
+
+  if (m->top != 0) {   /* check top chunk */
+    do_check_top_chunk(m, m->top);
+    assert(m->topsize == chunksize(m->top));
+    assert(m->topsize > 0);
+    assert(bin_find(m, m->top) == 0);
+  }
+
+  total = traverse_and_check(m);
+  assert(total <= m->footprint);
+  assert(m->footprint <= m->max_footprint);
+}
+#endif /* DEBUG */
+
+/* ----------------------------- statistics ------------------------------ */
+
+#if !NO_MALLINFO
+static struct mallinfo internal_mallinfo(mstate m) {
+  struct mallinfo nm = { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
+  if (!PREACTION(m)) {
+    check_malloc_state(m);
+    if (is_initialized(m)) {
+      size_t nfree = SIZE_T_ONE; /* top always free */
+      size_t mfree = m->topsize + TOP_FOOT_SIZE;
+      size_t sum = mfree;
+      msegmentptr s = &m->seg;
+      while (s != 0) {
+        mchunkptr q = align_as_chunk(s->base);
+        while (segment_holds(s, q) &&
+               q != m->top && q->head != FENCEPOST_HEAD) {
+          size_t sz = chunksize(q);
+          sum += sz;
+          if (!cinuse(q)) {
+            mfree += sz;
+            ++nfree;
+          }
+          q = next_chunk(q);
+        }
+        s = s->next;
+      }
+
+      nm.arena    = sum;
+      nm.ordblks  = nfree;
+      nm.hblkhd   = m->footprint - sum;
+      nm.usmblks  = m->max_footprint;
+      nm.uordblks = m->footprint - mfree;
+      nm.fordblks = mfree;
+      nm.keepcost = m->topsize;
+    }
+
+    POSTACTION(m);
+  }
+  return nm;
+}
+#endif /* !NO_MALLINFO */
+
+static void internal_malloc_stats(mstate m) {
+  if (!PREACTION(m)) {
+    size_t maxfp = 0;
+    size_t fp = 0;
+    size_t used = 0;
+    check_malloc_state(m);
+    if (is_initialized(m)) {
+      msegmentptr s = &m->seg;
+      maxfp = m->max_footprint;
+      fp = m->footprint;
+      used = fp - (m->topsize + TOP_FOOT_SIZE);
+
+      while (s != 0) {
+        mchunkptr q = align_as_chunk(s->base);
+        while (segment_holds(s, q) &&
+               q != m->top && q->head != FENCEPOST_HEAD) {
+          if (!cinuse(q))
+            used -= chunksize(q);
+          q = next_chunk(q);
+        }
+        s = s->next;
+      }
+    }
+
+    fprintf(stderr, "max system bytes = %10lu\n", (unsigned long)(maxfp));
+    fprintf(stderr, "system bytes     = %10lu\n", (unsigned long)(fp));
+    fprintf(stderr, "in use bytes     = %10lu\n", (unsigned long)(used));
+
+    POSTACTION(m);
+  }
+}
+
+/* ----------------------- Operations on smallbins ----------------------- */
+
+/*
+  Various forms of linking and unlinking are defined as macros.  Even
+  the ones for trees, which are very long but have very short typical
+  paths.  This is ugly but reduces reliance on inlining support of
+  compilers.
+*/
+
+/* Link a free chunk into a smallbin  */
+#define insert_small_chunk(M, P, S) {\
+  bindex_t I  = small_index(S);\
+  mchunkptr B = smallbin_at(M, I);\
+  mchunkptr F = B;\
+  assert(S >= MIN_CHUNK_SIZE);\
+  if (!smallmap_is_marked(M, I))\
+    mark_smallmap(M, I);\
+  else if (RTCHECK(ok_address(M, B->fd)))\
+    F = B->fd;\
+  else {\
+    CORRUPTION_ERROR_ACTION(M);\
+  }\
+  B->fd = P;\
+  F->bk = P;\
+  P->fd = F;\
+  P->bk = B;\
+}
+
+/* Unlink a chunk from a smallbin  */
+#define unlink_small_chunk(M, P, S) {\
+  mchunkptr F = P->fd;\
+  mchunkptr B = P->bk;\
+  bindex_t I = small_index(S);\
+  assert(P != B);\
+  assert(P != F);\
+  assert(chunksize(P) == small_index2size(I));\
+  if (F == B)\
+    clear_smallmap(M, I);\
+  else if (RTCHECK((F == smallbin_at(M,I) || ok_address(M, F)) &&\
+                   (B == smallbin_at(M,I) || ok_address(M, B)))) {\
+    F->bk = B;\
+    B->fd = F;\
+  }\
+  else {\
+    CORRUPTION_ERROR_ACTION(M);\
+  }\
+}
+
+/* Unlink the first chunk from a smallbin */
+#define unlink_first_small_chunk(M, B, P, I) {\
+  mchunkptr F = P->fd;\
+  assert(P != B);\
+  assert(P != F);\
+  assert(chunksize(P) == small_index2size(I));\
+  if (B == F)\
+    clear_smallmap(M, I);\
+  else if (RTCHECK(ok_address(M, F))) {\
+    B->fd = F;\
+    F->bk = B;\
+  }\
+  else {\
+    CORRUPTION_ERROR_ACTION(M);\
+  }\
+}
+
+/* Replace dv node, binning the old one */
+/* Used only when dvsize known to be small */
+#define replace_dv(M, P, S) {\
+  size_t DVS = M->dvsize;\
+  if (DVS != 0) {\
+    mchunkptr DV = M->dv;\
+    assert(is_small(DVS));\
+    insert_small_chunk(M, DV, DVS);\
+  }\
+  M->dvsize = S;\
+  M->dv = P;\
+}
+
+/* ------------------------- Operations on trees ------------------------- */
+
+/* Insert chunk into tree */
+#define insert_large_chunk(M, X, S) {\
+  tbinptr* H;\
+  bindex_t I;\
+  compute_tree_index(S, I);\
+  H = treebin_at(M, I);\
+  X->index = I;\
+  X->child[0] = X->child[1] = 0;\
+  if (!treemap_is_marked(M, I)) {\
+    mark_treemap(M, I);\
+    *H = X;\
+    X->parent = (tchunkptr)H;\
+    X->fd = X->bk = X;\
+  }\
+  else {\
+    tchunkptr T = *H;\
+    size_t K = S << leftshift_for_tree_index(I);\
+    for (;;) {\
+      if (chunksize(T) != S) {\
+        tchunkptr* C = &(T->child[(K >> (SIZE_T_BITSIZE-SIZE_T_ONE)) & 1]);\
+        K <<= 1;\
+        if (*C != 0)\
+          T = *C;\
+        else if (RTCHECK(ok_address(M, C))) {\
+          *C = X;\
+          X->parent = T;\
+          X->fd = X->bk = X;\
+          break;\
+        }\
+        else {\
+          CORRUPTION_ERROR_ACTION(M);\
+          break;\
+        }\
+      }\
+      else {\
+        tchunkptr F = T->fd;\
+        if (RTCHECK(ok_address(M, T) && ok_address(M, F))) {\
+          T->fd = F->bk = X;\
+          X->fd = F;\
+          X->bk = T;\
+          X->parent = 0;\
+          break;\
+        }\
+        else {\
+          CORRUPTION_ERROR_ACTION(M);\
+          break;\
+        }\
+      }\
+    }\
+  }\
+}
+
+/*
+  Unlink steps:
+
+  1. If x is a chained node, unlink it from its same-sized fd/bk links
+     and choose its bk node as its replacement.
+  2. If x was the last node of its size, but not a leaf node, it must
+     be replaced with a leaf node (not merely one with an open left or
+     right), to make sure that lefts and rights of descendents
+     correspond properly to bit masks.  We use the rightmost descendent
+     of x.  We could use any other leaf, but this is easy to locate and
+     tends to counteract removal of leftmosts elsewhere, and so keeps
+     paths shorter than minimally guaranteed.  This doesn't loop much
+     because on average a node in a tree is near the bottom.
+  3. If x is the base of a chain (i.e., has parent links) relink
+     x's parent and children to x's replacement (or null if none).
+*/
+
+#define unlink_large_chunk(M, X) {\
+  tchunkptr XP = X->parent;\
+  tchunkptr R;\
+  if (X->bk != X) {\
+    tchunkptr F = X->fd;\
+    R = X->bk;\
+    if (RTCHECK(ok_address(M, F))) {\
+      F->bk = R;\
+      R->fd = F;\
+    }\
+    else {\
+      CORRUPTION_ERROR_ACTION(M);\
+    }\
+  }\
+  else {\
+    tchunkptr* RP;\
+    if (((R = *(RP = &(X->child[1]))) != 0) ||\
+        ((R = *(RP = &(X->child[0]))) != 0)) {\
+      tchunkptr* CP;\
+      while ((*(CP = &(R->child[1])) != 0) ||\
+             (*(CP = &(R->child[0])) != 0)) {\
+        R = *(RP = CP);\
+      }\
+      if (RTCHECK(ok_address(M, RP)))\
+        *RP = 0;\
+      else {\
+        CORRUPTION_ERROR_ACTION(M);\
+      }\
+    }\
+  }\
+  if (XP != 0) {\
+    tbinptr* H = treebin_at(M, X->index);\
+    if (X == *H) {\
+      if ((*H = R) == 0) \
+        clear_treemap(M, X->index);\
+    }\
+    else if (RTCHECK(ok_address(M, XP))) {\
+      if (XP->child[0] == X) \
+        XP->child[0] = R;\
+      else \
+        XP->child[1] = R;\
+    }\
+    else\
+      CORRUPTION_ERROR_ACTION(M);\
+    if (R != 0) {\
+      if (RTCHECK(ok_address(M, R))) {\
+        tchunkptr C0, C1;\
+        R->parent = XP;\
+        if ((C0 = X->child[0]) != 0) {\
+          if (RTCHECK(ok_address(M, C0))) {\
+            R->child[0] = C0;\
+            C0->parent = R;\
+          }\
+          else\
+            CORRUPTION_ERROR_ACTION(M);\
+        }\
+        if ((C1 = X->child[1]) != 0) {\
+          if (RTCHECK(ok_address(M, C1))) {\
+            R->child[1] = C1;\
+            C1->parent = R;\
+          }\
+          else\
+            CORRUPTION_ERROR_ACTION(M);\
+        }\
+      }\
+      else\
+        CORRUPTION_ERROR_ACTION(M);\
+    }\
+  }\
+}
+
+/* Relays to large vs small bin operations */
+
+#define insert_chunk(M, P, S)\
+  if (is_small(S)) insert_small_chunk(M, P, S)\
+  else { tchunkptr TP = (tchunkptr)(P); insert_large_chunk(M, TP, S); }
+
+#define unlink_chunk(M, P, S)\
+  if (is_small(S)) unlink_small_chunk(M, P, S)\
+  else { tchunkptr TP = (tchunkptr)(P); unlink_large_chunk(M, TP); }
+
+
+/* Relays to internal calls to malloc/free from realloc, memalign etc */
+
+#if ONLY_MSPACES
+#define internal_malloc(m, b) mspace_malloc(m, b)
+#define internal_free(m, mem) mspace_free(m,mem);
+#else /* ONLY_MSPACES */
+#if MSPACES
+#define internal_malloc(m, b)\
+   (m == gm)? dlmalloc(b) : mspace_malloc(m, b)
+#define internal_free(m, mem)\
+   if (m == gm) dlfree(mem); else mspace_free(m,mem);
+#else /* MSPACES */
+#define internal_malloc(m, b) dlmalloc(b)
+#define internal_free(m, mem) dlfree(mem)
+#endif /* MSPACES */
+#endif /* ONLY_MSPACES */
+
+/* -----------------------  Direct-mmapping chunks ----------------------- */
+
+/*
+  Directly mmapped chunks are set up with an offset to the start of
+  the mmapped region stored in the prev_foot field of the chunk. This
+  allows reconstruction of the required argument to MUNMAP when freed,
+  and also allows adjustment of the returned chunk to meet alignment
+  requirements (especially in memalign).  There is also enough space
+  allocated to hold a fake next chunk of size SIZE_T_SIZE to maintain
+  the PINUSE bit so frees can be checked.
+*/
+
+/* Malloc using mmap */
+static void* mmap_alloc(mstate m, size_t nb) {
+  size_t mmsize = granularity_align(nb + SIX_SIZE_T_SIZES + CHUNK_ALIGN_MASK);
+  if (mmsize > nb) {     /* Check for wrap around 0 */
+    char* mm = (char*)(DIRECT_MMAP(mmsize));
+    if (mm != CMFAIL) {
+      size_t offset = align_offset(chunk2mem(mm));
+      size_t psize = mmsize - offset - MMAP_FOOT_PAD;
+      mchunkptr p = (mchunkptr)(mm + offset);
+      p->prev_foot = offset | IS_MMAPPED_BIT;
+      (p)->head = (psize|CINUSE_BIT);
+      mark_inuse_foot(m, p, psize);
+      chunk_plus_offset(p, psize)->head = FENCEPOST_HEAD;
+      chunk_plus_offset(p, psize+SIZE_T_SIZE)->head = 0;
+
+      if (mm < m->least_addr)
+        m->least_addr = mm;
+      if ((m->footprint += mmsize) > m->max_footprint)
+        m->max_footprint = m->footprint;
+      assert(is_aligned(chunk2mem(p)));
+      check_mmapped_chunk(m, p);
+      return chunk2mem(p);
+    }
+  }
+  return 0;
+}
+
+/* Realloc using mmap */
+static mchunkptr mmap_resize(mstate m, mchunkptr oldp, size_t nb) {
+  size_t oldsize = chunksize(oldp);
+  if (is_small(nb)) /* Can't shrink mmap regions below small size */
+    return 0;
+  /* Keep old chunk if big enough but not too big */
+  if (oldsize >= nb + SIZE_T_SIZE &&
+      (oldsize - nb) <= (mparams.granularity << 1))
+    return oldp;
+  else {
+    size_t offset = oldp->prev_foot & ~IS_MMAPPED_BIT;
+    size_t oldmmsize = oldsize + offset + MMAP_FOOT_PAD;
+    size_t newmmsize = granularity_align(nb + SIX_SIZE_T_SIZES +
+                                         CHUNK_ALIGN_MASK);
+    char* cp = (char*)CALL_MREMAP((char*)oldp - offset,
+                                  oldmmsize, newmmsize, 1);
+    if (cp != CMFAIL) {
+      mchunkptr newp = (mchunkptr)(cp + offset);
+      size_t psize = newmmsize - offset - MMAP_FOOT_PAD;
+      newp->head = (psize|CINUSE_BIT);
+      mark_inuse_foot(m, newp, psize);
+      chunk_plus_offset(newp, psize)->head = FENCEPOST_HEAD;
+      chunk_plus_offset(newp, psize+SIZE_T_SIZE)->head = 0;
+
+      if (cp < m->least_addr)
+        m->least_addr = cp;
+      if ((m->footprint += newmmsize - oldmmsize) > m->max_footprint)
+        m->max_footprint = m->footprint;
+      check_mmapped_chunk(m, newp);
+      return newp;
+    }
+  }
+  return 0;
+}
+
+/* -------------------------- mspace management -------------------------- */
+
+/* Initialize top chunk and its size */
+static void init_top(mstate m, mchunkptr p, size_t psize) {
+  /* Ensure alignment */
+  size_t offset = align_offset(chunk2mem(p));
+  p = (mchunkptr)((char*)p + offset);
+  psize -= offset;
+
+  m->top = p;
+  m->topsize = psize;
+  p->head = psize | PINUSE_BIT;
+  /* set size of fake trailing chunk holding overhead space only once */
+  chunk_plus_offset(p, psize)->head = TOP_FOOT_SIZE;
+  m->trim_check = mparams.trim_threshold; /* reset on each update */
+}
+
+/* Initialize bins for a new mstate that is otherwise zeroed out */
+static void init_bins(mstate m) {
+  /* Establish circular links for smallbins */
+  bindex_t i;
+  for (i = 0; i < NSMALLBINS; ++i) {
+    sbinptr bin = smallbin_at(m,i);
+    bin->fd = bin->bk = bin;
+  }
+}
+
+#if PROCEED_ON_ERROR
+
+/* default corruption action */
+static void reset_on_error(mstate m) {
+  int i;
+  ++malloc_corruption_error_count;
+  /* Reinitialize fields to forget about all memory */
+  m->smallbins = m->treebins = 0;
+  m->dvsize = m->topsize = 0;
+  m->seg.base = 0;
+  m->seg.size = 0;
+  m->seg.next = 0;
+  m->top = m->dv = 0;
+  for (i = 0; i < NTREEBINS; ++i)
+    *treebin_at(m, i) = 0;
+  init_bins(m);
+}
+#endif /* PROCEED_ON_ERROR */
+
+/* Allocate chunk and prepend remainder with chunk in successor base. */
+static void* prepend_alloc(mstate m, char* newbase, char* oldbase,
+                           size_t nb) {
+  mchunkptr p = align_as_chunk(newbase);
+  mchunkptr oldfirst = align_as_chunk(oldbase);
+  size_t psize = (char*)oldfirst - (char*)p;
+  mchunkptr q = chunk_plus_offset(p, nb);
+  size_t qsize = psize - nb;
+  set_size_and_pinuse_of_inuse_chunk(m, p, nb);
+
+  assert((char*)oldfirst > (char*)q);
+  assert(pinuse(oldfirst));
+  assert(qsize >= MIN_CHUNK_SIZE);
+
+  /* consolidate remainder with first chunk of old base */
+  if (oldfirst == m->top) {
+    size_t tsize = m->topsize += qsize;
+    m->top = q;
+    q->head = tsize | PINUSE_BIT;
+    check_top_chunk(m, q);
+  }
+  else if (oldfirst == m->dv) {
+    size_t dsize = m->dvsize += qsize;
+    m->dv = q;
+    set_size_and_pinuse_of_free_chunk(q, dsize);
+  }
+  else {
+    if (!cinuse(oldfirst)) {
+      size_t nsize = chunksize(oldfirst);
+      unlink_chunk(m, oldfirst, nsize);
+      oldfirst = chunk_plus_offset(oldfirst, nsize);
+      qsize += nsize;
+    }
+    set_free_with_pinuse(q, qsize, oldfirst);
+    insert_chunk(m, q, qsize);
+    check_free_chunk(m, q);
+  }
+
+  check_malloced_chunk(m, chunk2mem(p), nb);
+  return chunk2mem(p);
+}
+
+
+/* Add a segment to hold a new noncontiguous region */
+static void add_segment(mstate m, char* tbase, size_t tsize, flag_t mmapped) {
+  /* Determine locations and sizes of segment, fenceposts, old top */
+  char* old_top = (char*)m->top;
+  msegmentptr oldsp = segment_holding(m, old_top);
+  char* old_end = oldsp->base + oldsp->size;
+  size_t ssize = pad_request(sizeof(struct malloc_segment));
+  char* rawsp = old_end - (ssize + FOUR_SIZE_T_SIZES + CHUNK_ALIGN_MASK);
+  size_t offset = align_offset(chunk2mem(rawsp));
+  char* asp = rawsp + offset;
+  char* csp = (asp < (old_top + MIN_CHUNK_SIZE))? old_top : asp;
+  mchunkptr sp = (mchunkptr)csp;
+  msegmentptr ss = (msegmentptr)(chunk2mem(sp));
+  mchunkptr tnext = chunk_plus_offset(sp, ssize);
+  mchunkptr p = tnext;
+  int nfences = 0;
+
+  /* reset top to new space */
+  init_top(m, (mchunkptr)tbase, tsize - TOP_FOOT_SIZE);
+
+  /* Set up segment record */
+  assert(is_aligned(ss));
+  set_size_and_pinuse_of_inuse_chunk(m, sp, ssize);
+  *ss = m->seg; /* Push current record */
+  m->seg.base = tbase;
+  m->seg.size = tsize;
+  m->seg.sflags = mmapped;
+  m->seg.next = ss;
+
+  /* Insert trailing fenceposts */
+  for (;;) {
+    mchunkptr nextp = chunk_plus_offset(p, SIZE_T_SIZE);
+    p->head = FENCEPOST_HEAD;
+    ++nfences;
+    if ((char*)(&(nextp->head)) < old_end)
+      p = nextp;
+    else
+      break;
+  }
+  assert(nfences >= 2);
+
+  /* Insert the rest of old top into a bin as an ordinary free chunk */
+  if (csp != old_top) {
+    mchunkptr q = (mchunkptr)old_top;
+    size_t psize = csp - old_top;
+    mchunkptr tn = chunk_plus_offset(q, psize);
+    set_free_with_pinuse(q, psize, tn);
+    insert_chunk(m, q, psize);
+  }
+
+  check_top_chunk(m, m->top);
+}
+
+/* -------------------------- System allocation -------------------------- */
+
+/* Get memory from system using MORECORE or MMAP */
+static void* sys_alloc(mstate m, size_t nb) {
+  char* tbase = CMFAIL;
+  size_t tsize = 0;
+  flag_t mmap_flag = 0;
+
+  init_mparams();
+
+  /* Directly map large chunks */
+  if (use_mmap(m) && nb >= mparams.mmap_threshold) {
+    void* mem = mmap_alloc(m, nb);
+    if (mem != 0)
+      return mem;
+  }
+
+  /*
+    Try getting memory in any of three ways (in most-preferred to
+    least-preferred order):
+    1. A call to MORECORE that can normally contiguously extend memory.
+       (disabled if not MORECORE_CONTIGUOUS or not HAVE_MORECORE or
+       or main space is mmapped or a previous contiguous call failed)
+    2. A call to MMAP new space (disabled if not HAVE_MMAP).
+       Note that under the default settings, if MORECORE is unable to
+       fulfill a request, and HAVE_MMAP is true, then mmap is
+       used as a noncontiguous system allocator. This is a useful backup
+       strategy for systems with holes in address spaces -- in this case
+       sbrk cannot contiguously expand the heap, but mmap may be able to
+       find space.
+    3. A call to MORECORE that cannot usually contiguously extend memory.
+       (disabled if not HAVE_MORECORE)
+  */
+
+  if (MORECORE_CONTIGUOUS && !use_noncontiguous(m)) {
+    char* br = CMFAIL;
+    msegmentptr ss = (m->top == 0)? 0 : segment_holding(m, (char*)m->top);
+    size_t asize = 0;
+    ACQUIRE_MORECORE_LOCK();
+
+    if (ss == 0) {  /* First time through or recovery */
+      char* base = (char*)CALL_MORECORE(0);
+      if (base != CMFAIL) {
+        asize = granularity_align(nb + TOP_FOOT_SIZE + SIZE_T_ONE);
+        /* Adjust to end on a page boundary */
+        if (!is_page_aligned(base))
+          asize += (page_align((size_t)base) - (size_t)base);
+        /* Can't call MORECORE if size is negative when treated as signed */
+        if (asize < HALF_MAX_SIZE_T &&
+            (br = (char*)(CALL_MORECORE(asize))) == base) {
+          tbase = base;
+          tsize = asize;
+        }
+      }
+    }
+    else {
+      /* Subtract out existing available top space from MORECORE request. */
+      asize = granularity_align(nb - m->topsize + TOP_FOOT_SIZE + SIZE_T_ONE);
+      /* Use mem here only if it did continuously extend old space */
+      if (asize < HALF_MAX_SIZE_T &&
+          (br = (char*)(CALL_MORECORE(asize))) == ss->base+ss->size) {
+        tbase = br;
+        tsize = asize;
+      }
+    }
+
+    if (tbase == CMFAIL) {    /* Cope with partial failure */
+      if (br != CMFAIL) {    /* Try to use/extend the space we did get */
+        if (asize < HALF_MAX_SIZE_T &&
+            asize < nb + TOP_FOOT_SIZE + SIZE_T_ONE) {
+          size_t esize = granularity_align(nb + TOP_FOOT_SIZE + SIZE_T_ONE - asize);
+          if (esize < HALF_MAX_SIZE_T) {
+            char* end = (char*)CALL_MORECORE(esize);
+            if (end != CMFAIL)
+              asize += esize;
+            else {            /* Can't use; try to release */
+              CALL_MORECORE(-asize);
+              br = CMFAIL;
+            }
+          }
+        }
+      }
+      if (br != CMFAIL) {    /* Use the space we did get */
+        tbase = br;
+        tsize = asize;
+      }
+      else
+        disable_contiguous(m); /* Don't try contiguous path in the future */
+    }
+
+    RELEASE_MORECORE_LOCK();
+  }
+
+  if (HAVE_MMAP && tbase == CMFAIL) {  /* Try MMAP */
+    size_t req = nb + TOP_FOOT_SIZE + SIZE_T_ONE;
+    size_t rsize = granularity_align(req);
+    if (rsize > nb) { /* Fail if wraps around zero */
+      char* mp = (char*)(CALL_MMAP(rsize));
+      if (mp != CMFAIL) {
+        tbase = mp;
+        tsize = rsize;
+        mmap_flag = IS_MMAPPED_BIT;
+      }
+    }
+  }
+
+  if (HAVE_MORECORE && tbase == CMFAIL) { /* Try noncontiguous MORECORE */
+    size_t asize = granularity_align(nb + TOP_FOOT_SIZE + SIZE_T_ONE);
+    if (asize < HALF_MAX_SIZE_T) {
+      char* br = CMFAIL;
+      char* end = CMFAIL;
+      ACQUIRE_MORECORE_LOCK();
+      br = (char*)(CALL_MORECORE(asize));
+      end = (char*)(CALL_MORECORE(0));
+      RELEASE_MORECORE_LOCK();
+      if (br != CMFAIL && end != CMFAIL && br < end) {
+        size_t ssize = end - br;
+        if (ssize > nb + TOP_FOOT_SIZE) {
+          tbase = br;
+          tsize = ssize;
+        }
+      }
+    }
+  }
+
+  if (tbase != CMFAIL) {
+
+    if ((m->footprint += tsize) > m->max_footprint)
+      m->max_footprint = m->footprint;
+
+    if (!is_initialized(m)) { /* first-time initialization */
+      m->seg.base = m->least_addr = tbase;
+      m->seg.size = tsize;
+      m->seg.sflags = mmap_flag;
+      m->magic = mparams.magic;
+      init_bins(m);
+      if (is_global(m)) 
+        init_top(m, (mchunkptr)tbase, tsize - TOP_FOOT_SIZE);
+      else {
+        /* Offset top by embedded malloc_state */
+        mchunkptr mn = next_chunk(mem2chunk(m));
+        init_top(m, mn, (size_t)((tbase + tsize) - (char*)mn) -TOP_FOOT_SIZE);
+      }
+    }
+
+    else {
+      /* Try to merge with an existing segment */
+      msegmentptr sp = &m->seg;
+      while (sp != 0 && tbase != sp->base + sp->size)
+        sp = sp->next;
+      if (sp != 0 &&
+          !is_extern_segment(sp) &&
+          (sp->sflags & IS_MMAPPED_BIT) == mmap_flag &&
+          segment_holds(sp, m->top)) { /* append */
+        sp->size += tsize;
+        init_top(m, m->top, m->topsize + tsize);
+      }
+      else {
+        if (tbase < m->least_addr)
+          m->least_addr = tbase;
+        sp = &m->seg;
+        while (sp != 0 && sp->base != tbase + tsize)
+          sp = sp->next;
+        if (sp != 0 &&
+            !is_extern_segment(sp) &&
+            (sp->sflags & IS_MMAPPED_BIT) == mmap_flag) {
+          char* oldbase = sp->base;
+          sp->base = tbase;
+          sp->size += tsize;
+          return prepend_alloc(m, tbase, oldbase, nb);
+        }
+        else
+          add_segment(m, tbase, tsize, mmap_flag);
+      }
+    }
+
+    if (nb < m->topsize) { /* Allocate from new or extended top space */
+      size_t rsize = m->topsize -= nb;
+      mchunkptr p = m->top;
+      mchunkptr r = m->top = chunk_plus_offset(p, nb);
+      r->head = rsize | PINUSE_BIT;
+      set_size_and_pinuse_of_inuse_chunk(m, p, nb);
+      check_top_chunk(m, m->top);
+      check_malloced_chunk(m, chunk2mem(p), nb);
+      return chunk2mem(p);
+    }
+  }
+
+  MALLOC_FAILURE_ACTION;
+  return 0;
+}
+
+/* -----------------------  system deallocation -------------------------- */
+
+/* Unmap and unlink any mmapped segments that don't contain used chunks */
+static size_t release_unused_segments(mstate m) {
+  size_t released = 0;
+  msegmentptr pred = &m->seg;
+  msegmentptr sp = pred->next;
+  while (sp != 0) {
+    char* base = sp->base;
+    size_t size = sp->size;
+    msegmentptr next = sp->next;
+    if (is_mmapped_segment(sp) && !is_extern_segment(sp)) {
+      mchunkptr p = align_as_chunk(base);
+      size_t psize = chunksize(p);
+      /* Can unmap if first chunk holds entire segment and not pinned */
+      if (!cinuse(p) && (char*)p + psize >= base + size - TOP_FOOT_SIZE) {
+        tchunkptr tp = (tchunkptr)p;
+        assert(segment_holds(sp, (char*)sp));
+        if (p == m->dv) {
+          m->dv = 0;
+          m->dvsize = 0;
+        }
+        else {
+          unlink_large_chunk(m, tp);
+        }
+        if (CALL_MUNMAP(base, size) == 0) {
+          released += size;
+          m->footprint -= size;
+          /* unlink obsoleted record */
+          sp = pred;
+          sp->next = next;
+        }
+        else { /* back out if cannot unmap */
+          insert_large_chunk(m, tp, psize);
+        }
+      }
+    }
+    pred = sp;
+    sp = next;
+  }
+  return released;
+}
+
+static int sys_trim(mstate m, size_t pad) {
+  size_t released = 0;
+  if (pad < MAX_REQUEST && is_initialized(m)) {
+    pad += TOP_FOOT_SIZE; /* ensure enough room for segment overhead */
+
+    if (m->topsize > pad) {
+      /* Shrink top space in granularity-size units, keeping at least one */
+      size_t unit = mparams.granularity;
+      size_t extra = ((m->topsize - pad + (unit - SIZE_T_ONE)) / unit -
+                      SIZE_T_ONE) * unit;
+      msegmentptr sp = segment_holding(m, (char*)m->top);
+
+      if (!is_extern_segment(sp)) {
+        if (is_mmapped_segment(sp)) {
+          if (HAVE_MMAP &&
+              sp->size >= extra &&
+              !has_segment_link(m, sp)) { /* can't shrink if pinned */
+            size_t newsize = sp->size - extra;
+            /* Prefer mremap, fall back to munmap */
+            if ((CALL_MREMAP(sp->base, sp->size, newsize, 0) != MFAIL) ||
+                (CALL_MUNMAP(sp->base + newsize, extra) == 0)) {
+              released = extra;
+            }
+          }
+        }
+        else if (HAVE_MORECORE) {
+          if (extra >= HALF_MAX_SIZE_T) /* Avoid wrapping negative */
+            extra = (HALF_MAX_SIZE_T) + SIZE_T_ONE - unit;
+          ACQUIRE_MORECORE_LOCK();
+          {
+            /* Make sure end of memory is where we last set it. */
+            char* old_br = (char*)(CALL_MORECORE(0));
+            if (old_br == sp->base + sp->size) {
+              char* rel_br = (char*)(CALL_MORECORE(-extra));
+              char* new_br = (char*)(CALL_MORECORE(0));
+              if (rel_br != CMFAIL && new_br < old_br)
+                released = old_br - new_br;
+            }
+          }
+          RELEASE_MORECORE_LOCK();
+        }
+      }
+
+      if (released != 0) {
+        sp->size -= released;
+        m->footprint -= released;
+        init_top(m, m->top, m->topsize - released);
+        check_top_chunk(m, m->top);
+      }
+    }
+
+    /* Unmap any unused mmapped segments */
+    if (HAVE_MMAP) 
+      released += release_unused_segments(m);
+
+    /* On failure, disable autotrim to avoid repeated failed future calls */
+    if (released == 0)
+      m->trim_check = MAX_SIZE_T;
+  }
+
+  return (released != 0)? 1 : 0;
+}
+
+/* ---------------------------- malloc support --------------------------- */
+
+/* allocate a large request from the best fitting chunk in a treebin */
+static void* tmalloc_large(mstate m, size_t nb) {
+  tchunkptr v = 0;
+  size_t rsize = -nb; /* Unsigned negation */
+  tchunkptr t;
+  bindex_t idx;
+  compute_tree_index(nb, idx);
+
+  if ((t = *treebin_at(m, idx)) != 0) {
+    /* Traverse tree for this bin looking for node with size == nb */
+    size_t sizebits = nb << leftshift_for_tree_index(idx);
+    tchunkptr rst = 0;  /* The deepest untaken right subtree */
+    for (;;) {
+      tchunkptr rt;
+      size_t trem = chunksize(t) - nb;
+      if (trem < rsize) {
+        v = t;
+        if ((rsize = trem) == 0)
+          break;
+      }
+      rt = t->child[1];
+      t = t->child[(sizebits >> (SIZE_T_BITSIZE-SIZE_T_ONE)) & 1];
+      if (rt != 0 && rt != t)
+        rst = rt;
+      if (t == 0) {
+        t = rst; /* set t to least subtree holding sizes > nb */
+        break;
+      }
+      sizebits <<= 1;
+    }
+  }
+
+  if (t == 0 && v == 0) { /* set t to root of next non-empty treebin */
+    binmap_t leftbits = left_bits(idx2bit(idx)) & m->treemap;
+    if (leftbits != 0) {
+      bindex_t i;
+      binmap_t leastbit = least_bit(leftbits);
+      compute_bit2idx(leastbit, i);
+      t = *treebin_at(m, i);
+    }
+  }
+
+  while (t != 0) { /* find smallest of tree or subtree */
+    size_t trem = chunksize(t) - nb;
+    if (trem < rsize) {
+      rsize = trem;
+      v = t;
+    }
+    t = leftmost_child(t);
+  }
+
+  /*  If dv is a better fit, return 0 so malloc will use it */
+  if (v != 0 && rsize < (size_t)(m->dvsize - nb)) {
+    if (RTCHECK(ok_address(m, v))) { /* split */
+      mchunkptr r = chunk_plus_offset(v, nb);
+      assert(chunksize(v) == rsize + nb);
+      if (RTCHECK(ok_next(v, r))) {
+        unlink_large_chunk(m, v);
+        if (rsize < MIN_CHUNK_SIZE)
+          set_inuse_and_pinuse(m, v, (rsize + nb));
+        else {
+          set_size_and_pinuse_of_inuse_chunk(m, v, nb);
+          set_size_and_pinuse_of_free_chunk(r, rsize);
+          insert_chunk(m, r, rsize);
+        }
+        return chunk2mem(v);
+      }
+    }
+    CORRUPTION_ERROR_ACTION(m);
+  }
+  return 0;
+}
+
+/* allocate a small request from the best fitting chunk in a treebin */
+static void* tmalloc_small(mstate m, size_t nb) {
+  tchunkptr t, v;
+  size_t rsize;
+  bindex_t i;
+  binmap_t leastbit = least_bit(m->treemap);
+  compute_bit2idx(leastbit, i);
+
+  v = t = *treebin_at(m, i);
+  rsize = chunksize(t) - nb;
+
+  while ((t = leftmost_child(t)) != 0) {
+    size_t trem = chunksize(t) - nb;
+    if (trem < rsize) {
+      rsize = trem;
+      v = t;
+    }
+  }
+
+  if (RTCHECK(ok_address(m, v))) {
+    mchunkptr r = chunk_plus_offset(v, nb);
+    assert(chunksize(v) == rsize + nb);
+    if (RTCHECK(ok_next(v, r))) {
+      unlink_large_chunk(m, v);
+      if (rsize < MIN_CHUNK_SIZE)
+        set_inuse_and_pinuse(m, v, (rsize + nb));
+      else {
+        set_size_and_pinuse_of_inuse_chunk(m, v, nb);
+        set_size_and_pinuse_of_free_chunk(r, rsize);
+        replace_dv(m, r, rsize);
+      }
+      return chunk2mem(v);
+    }
+  }
+
+  CORRUPTION_ERROR_ACTION(m);
+  return 0;
+}
+
+/* --------------------------- realloc support --------------------------- */
+
+static void* internal_realloc(mstate m, void* oldmem, size_t bytes) {
+  if (bytes >= MAX_REQUEST) {
+    MALLOC_FAILURE_ACTION;
+    return 0;
+  }
+  if (!PREACTION(m)) {
+    mchunkptr oldp = mem2chunk(oldmem);
+    size_t oldsize = chunksize(oldp);
+    mchunkptr next = chunk_plus_offset(oldp, oldsize);
+    mchunkptr newp = 0;
+    void* extra = 0;
+
+    /* Try to either shrink or extend into top. Else malloc-copy-free */
+
+    if (RTCHECK(ok_address(m, oldp) && ok_cinuse(oldp) &&
+                ok_next(oldp, next) && ok_pinuse(next))) {
+      size_t nb = request2size(bytes);
+      if (is_mmapped(oldp))
+        newp = mmap_resize(m, oldp, nb);
+      else if (oldsize >= nb) { /* already big enough */
+        size_t rsize = oldsize - nb;
+        newp = oldp;
+        if (rsize >= MIN_CHUNK_SIZE) {
+          mchunkptr remainder = chunk_plus_offset(newp, nb);
+          set_inuse(m, newp, nb);
+          set_inuse(m, remainder, rsize);
+          extra = chunk2mem(remainder);
+        }
+      }
+      else if (next == m->top && oldsize + m->topsize > nb) {
+        /* Expand into top */
+        size_t newsize = oldsize + m->topsize;
+        size_t newtopsize = newsize - nb;
+        mchunkptr newtop = chunk_plus_offset(oldp, nb);
+        set_inuse(m, oldp, nb);
+        newtop->head = newtopsize |PINUSE_BIT;
+        m->top = newtop;
+        m->topsize = newtopsize;
+        newp = oldp;
+      }
+    }
+    else {
+      USAGE_ERROR_ACTION(m, oldmem);
+      POSTACTION(m);
+      return 0;
+    }
+
+    POSTACTION(m);
+
+    if (newp != 0) {
+      if (extra != 0) {
+        internal_free(m, extra);
+      }
+      check_inuse_chunk(m, newp);
+      return chunk2mem(newp);
+    }
+    else {
+      void* newmem = internal_malloc(m, bytes);
+      if (newmem != 0) {
+        size_t oc = oldsize - overhead_for(oldp);
+        memcpy(newmem, oldmem, (oc < bytes)? oc : bytes);
+        internal_free(m, oldmem);
+      }
+      return newmem;
+    }
+  }
+  return 0;
+}
+
+/* --------------------------- memalign support -------------------------- */
+
+static void* internal_memalign(mstate m, size_t alignment, size_t bytes) {
+  if (alignment <= MALLOC_ALIGNMENT)    /* Can just use malloc */
+    return internal_malloc(m, bytes);
+  if (alignment <  MIN_CHUNK_SIZE) /* must be at least a minimum chunk size */
+    alignment = MIN_CHUNK_SIZE;
+  if ((alignment & (alignment-SIZE_T_ONE)) != 0) {/* Ensure a power of 2 */
+    size_t a = MALLOC_ALIGNMENT << 1;
+    while (a < alignment) a <<= 1;
+    alignment = a;
+  }
+  
+  if (bytes >= MAX_REQUEST - alignment) {
+    if (m != 0)  { /* Test isn't needed but avoids compiler warning */
+      MALLOC_FAILURE_ACTION;
+    }
+  }
+  else {
+    size_t nb = request2size(bytes);
+    size_t req = nb + alignment + MIN_CHUNK_SIZE - CHUNK_OVERHEAD;
+    char* mem = (char*)internal_malloc(m, req);
+    if (mem != 0) {
+      void* leader = 0;
+      void* trailer = 0;
+      mchunkptr p = mem2chunk(mem);
+
+      if (PREACTION(m)) return 0;
+      if ((((size_t)(mem)) % alignment) != 0) { /* misaligned */
+        /*
+          Find an aligned spot inside chunk.  Since we need to give
+          back leading space in a chunk of at least MIN_CHUNK_SIZE, if
+          the first calculation places us at a spot with less than
+          MIN_CHUNK_SIZE leader, we can move to the next aligned spot.
+          We've allocated enough total room so that this is always
+          possible.
+        */
+        char* br = (char*)mem2chunk((size_t)(((size_t)(mem +
+                                                       alignment -
+                                                       SIZE_T_ONE)) &
+                                             -alignment));
+        char* pos = ((size_t)(br - (char*)(p)) >= MIN_CHUNK_SIZE)?
+          br : br+alignment;
+        mchunkptr newp = (mchunkptr)pos;
+        size_t leadsize = pos - (char*)(p);
+        size_t newsize = chunksize(p) - leadsize;
+
+        if (is_mmapped(p)) { /* For mmapped chunks, just adjust offset */
+          newp->prev_foot = p->prev_foot + leadsize;
+          newp->head = (newsize|CINUSE_BIT);
+        }
+        else { /* Otherwise, give back leader, use the rest */
+          set_inuse(m, newp, newsize);
+          set_inuse(m, p, leadsize);
+          leader = chunk2mem(p);
+        }
+        p = newp;
+      }
+
+      /* Give back spare room at the end */
+      if (!is_mmapped(p)) {
+        size_t size = chunksize(p);
+        if (size > nb + MIN_CHUNK_SIZE) {
+          size_t remainder_size = size - nb;
+          mchunkptr remainder = chunk_plus_offset(p, nb);
+          set_inuse(m, p, nb);
+          set_inuse(m, remainder, remainder_size);
+          trailer = chunk2mem(remainder);
+        }
+      }
+
+      assert (chunksize(p) >= nb);
+      assert((((size_t)(chunk2mem(p))) % alignment) == 0);
+      check_inuse_chunk(m, p);
+      POSTACTION(m);
+      if (leader != 0) {
+        internal_free(m, leader);
+      }
+      if (trailer != 0) {
+        internal_free(m, trailer);
+      }
+      return chunk2mem(p);
+    }
+  }
+  return 0;
+}
+
+/* ------------------------ comalloc/coalloc support --------------------- */
+
+static void** ialloc(mstate m,
+                     size_t n_elements,
+                     size_t* sizes,
+                     int opts,
+                     void* chunks[]) {
+  /*
+    This provides common support for independent_X routines, handling
+    all of the combinations that can result.
+
+    The opts arg has:
+    bit 0 set if all elements are same size (using sizes[0])
+    bit 1 set if elements should be zeroed
+  */
+
+  size_t    element_size;   /* chunksize of each element, if all same */
+  size_t    contents_size;  /* total size of elements */
+  size_t    array_size;     /* request size of pointer array */
+  void*     mem;            /* malloced aggregate space */
+  mchunkptr p;              /* corresponding chunk */
+  size_t    remainder_size; /* remaining bytes while splitting */
+  void**    marray;         /* either "chunks" or malloced ptr array */
+  mchunkptr array_chunk;    /* chunk for malloced ptr array */
+  flag_t    was_enabled;    /* to disable mmap */
+  size_t    size;
+  size_t    i;
+
+  /* compute array length, if needed */
+  if (chunks != 0) {
+    if (n_elements == 0)
+      return chunks; /* nothing to do */
+    marray = chunks;
+    array_size = 0;
+  }
+  else {
+    /* if empty req, must still return chunk representing empty array */
+    if (n_elements == 0)
+      return (void**)internal_malloc(m, 0);
+    marray = 0;
+    array_size = request2size(n_elements * (sizeof(void*)));
+  }
+
+  /* compute total element size */
+  if (opts & 0x1) { /* all-same-size */
+    element_size = request2size(*sizes);
+    contents_size = n_elements * element_size;
+  }
+  else { /* add up all the sizes */
+    element_size = 0;
+    contents_size = 0;
+    for (i = 0; i != n_elements; ++i)
+      contents_size += request2size(sizes[i]);
+  }
+
+  size = contents_size + array_size;
+
+  /*
+     Allocate the aggregate chunk.  First disable direct-mmapping so
+     malloc won't use it, since we would not be able to later
+     free/realloc space internal to a segregated mmap region.
+  */
+  was_enabled = use_mmap(m);
+  disable_mmap(m);
+  mem = internal_malloc(m, size - CHUNK_OVERHEAD);
+  if (was_enabled)
+    enable_mmap(m);
+  if (mem == 0)
+    return 0;
+
+  if (PREACTION(m)) return 0;
+  p = mem2chunk(mem);
+  remainder_size = chunksize(p);
+
+  assert(!is_mmapped(p));
+
+  if (opts & 0x2) {       /* optionally clear the elements */
+    memset((size_t*)mem, 0, remainder_size - SIZE_T_SIZE - array_size);
+  }
+
+  /* If not provided, allocate the pointer array as final part of chunk */
+  if (marray == 0) {
+    size_t  array_chunk_size;
+    array_chunk = chunk_plus_offset(p, contents_size);
+    array_chunk_size = remainder_size - contents_size;
+    marray = (void**) (chunk2mem(array_chunk));
+    set_size_and_pinuse_of_inuse_chunk(m, array_chunk, array_chunk_size);
+    remainder_size = contents_size;
+  }
+
+  /* split out elements */
+  for (i = 0; ; ++i) {
+    marray[i] = chunk2mem(p);
+    if (i != n_elements-1) {
+      if (element_size != 0)
+        size = element_size;
+      else
+        size = request2size(sizes[i]);
+      remainder_size -= size;
+      set_size_and_pinuse_of_inuse_chunk(m, p, size);
+      p = chunk_plus_offset(p, size);
+    }
+    else { /* the final element absorbs any overallocation slop */
+      set_size_and_pinuse_of_inuse_chunk(m, p, remainder_size);
+      break;
+    }
+  }
+
+#if DEBUG
+  if (marray != chunks) {
+    /* final element must have exactly exhausted chunk */
+    if (element_size != 0) {
+      assert(remainder_size == element_size);
+    }
+    else {
+      assert(remainder_size == request2size(sizes[i]));
+    }
+    check_inuse_chunk(m, mem2chunk(marray));
+  }
+  for (i = 0; i != n_elements; ++i)
+    check_inuse_chunk(m, mem2chunk(marray[i]));
+
+#endif /* DEBUG */
+
+  POSTACTION(m);
+  return marray;
+}
+
+
+/* -------------------------- public routines ---------------------------- */
+
+#if !ONLY_MSPACES
+
+void* dlmalloc(size_t bytes) {
+  /*
+     Basic algorithm:
+     If a small request (< 256 bytes minus per-chunk overhead):
+       1. If one exists, use a remainderless chunk in associated smallbin.
+          (Remainderless means that there are too few excess bytes to
+          represent as a chunk.)
+       2. If it is big enough, use the dv chunk, which is normally the
+          chunk adjacent to the one used for the most recent small request.
+       3. If one exists, split the smallest available chunk in a bin,
+          saving remainder in dv.
+       4. If it is big enough, use the top chunk.
+       5. If available, get memory from system and use it
+     Otherwise, for a large request:
+       1. Find the smallest available binned chunk that fits, and use it
+          if it is better fitting than dv chunk, splitting if necessary.
+       2. If better fitting than any binned chunk, use the dv chunk.
+       3. If it is big enough, use the top chunk.
+       4. If request size >= mmap threshold, try to directly mmap this chunk.
+       5. If available, get memory from system and use it
+
+     The ugly goto's here ensure that postaction occurs along all paths.
+  */
+
+  if (!PREACTION(gm)) {
+    void* mem;
+    size_t nb;
+    if (bytes <= MAX_SMALL_REQUEST) {
+      bindex_t idx;
+      binmap_t smallbits;
+      nb = (bytes < MIN_REQUEST)? MIN_CHUNK_SIZE : pad_request(bytes);
+      idx = small_index(nb);
+      smallbits = gm->smallmap >> idx;
+
+      if ((smallbits & 0x3U) != 0) { /* Remainderless fit to a smallbin. */
+        mchunkptr b, p;
+        idx += ~smallbits & 1;       /* Uses next bin if idx empty */
+        b = smallbin_at(gm, idx);
+        p = b->fd;
+        assert(chunksize(p) == small_index2size(idx));
+        unlink_first_small_chunk(gm, b, p, idx);
+        set_inuse_and_pinuse(gm, p, small_index2size(idx));
+        mem = chunk2mem(p);
+        check_malloced_chunk(gm, mem, nb);
+        goto postaction;
+      }
+
+      else if (nb > gm->dvsize) {
+        if (smallbits != 0) { /* Use chunk in next nonempty smallbin */
+          mchunkptr b, p, r;
+          size_t rsize;
+          bindex_t i;
+          binmap_t leftbits = (smallbits << idx) & left_bits(idx2bit(idx));
+          binmap_t leastbit = least_bit(leftbits);
+          compute_bit2idx(leastbit, i);
+          b = smallbin_at(gm, i);
+          p = b->fd;
+          assert(chunksize(p) == small_index2size(i));
+          unlink_first_small_chunk(gm, b, p, i);
+          rsize = small_index2size(i) - nb;
+          /* Fit here cannot be remainderless if 4byte sizes */
+          if (SIZE_T_SIZE != 4 && rsize < MIN_CHUNK_SIZE)
+            set_inuse_and_pinuse(gm, p, small_index2size(i));
+          else {
+            set_size_and_pinuse_of_inuse_chunk(gm, p, nb);
+            r = chunk_plus_offset(p, nb);
+            set_size_and_pinuse_of_free_chunk(r, rsize);
+            replace_dv(gm, r, rsize);
+          }
+          mem = chunk2mem(p);
+          check_malloced_chunk(gm, mem, nb);
+          goto postaction;
+        }
+
+        else if (gm->treemap != 0 && (mem = tmalloc_small(gm, nb)) != 0) {
+          check_malloced_chunk(gm, mem, nb);
+          goto postaction;
+        }
+      }
+    }
+    else if (bytes >= MAX_REQUEST)
+      nb = MAX_SIZE_T; /* Too big to allocate. Force failure (in sys alloc) */
+    else {
+      nb = pad_request(bytes);
+      if (gm->treemap != 0 && (mem = tmalloc_large(gm, nb)) != 0) {
+        check_malloced_chunk(gm, mem, nb);
+        goto postaction;
+      }
+    }
+
+    if (nb <= gm->dvsize) {
+      size_t rsize = gm->dvsize - nb;
+      mchunkptr p = gm->dv;
+      if (rsize >= MIN_CHUNK_SIZE) { /* split dv */
+        mchunkptr r = gm->dv = chunk_plus_offset(p, nb);
+        gm->dvsize = rsize;
+        set_size_and_pinuse_of_free_chunk(r, rsize);
+        set_size_and_pinuse_of_inuse_chunk(gm, p, nb);
+      }
+      else { /* exhaust dv */
+        size_t dvs = gm->dvsize;
+        gm->dvsize = 0;
+        gm->dv = 0;
+        set_inuse_and_pinuse(gm, p, dvs);
+      }
+      mem = chunk2mem(p);
+      check_malloced_chunk(gm, mem, nb);
+      goto postaction;
+    }
+
+    else if (nb < gm->topsize) { /* Split top */
+      size_t rsize = gm->topsize -= nb;
+      mchunkptr p = gm->top;
+      mchunkptr r = gm->top = chunk_plus_offset(p, nb);
+      r->head = rsize | PINUSE_BIT;
+      set_size_and_pinuse_of_inuse_chunk(gm, p, nb);
+      mem = chunk2mem(p);
+      check_top_chunk(gm, gm->top);
+      check_malloced_chunk(gm, mem, nb);
+      goto postaction;
+    }
+
+    mem = sys_alloc(gm, nb);
+
+  postaction:
+    POSTACTION(gm);
+    return mem;
+  }
+
+  return 0;
+}
+
+void dlfree(void* mem) {
+  /*
+     Consolidate freed chunks with preceeding or succeeding bordering
+     free chunks, if they exist, and then place in a bin.  Intermixed
+     with special cases for top, dv, mmapped chunks, and usage errors.
+  */
+
+  if (mem != 0) {
+    mchunkptr p  = mem2chunk(mem);
+#if FOOTERS
+    mstate fm = get_mstate_for(p);
+    if (!ok_magic(fm)) {
+      USAGE_ERROR_ACTION(fm, p);
+      return;
+    }
+#else /* FOOTERS */
+#define fm gm
+#endif /* FOOTERS */
+    if (!PREACTION(fm)) {
+      check_inuse_chunk(fm, p);
+      if (RTCHECK(ok_address(fm, p) && ok_cinuse(p))) {
+        size_t psize = chunksize(p);
+        mchunkptr next = chunk_plus_offset(p, psize);
+        if (!pinuse(p)) {
+          size_t prevsize = p->prev_foot;
+          if ((prevsize & IS_MMAPPED_BIT) != 0) {
+            prevsize &= ~IS_MMAPPED_BIT;
+            psize += prevsize + MMAP_FOOT_PAD;
+            if (CALL_MUNMAP((char*)p - prevsize, psize) == 0)
+              fm->footprint -= psize;
+            goto postaction;
+          }
+          else {
+            mchunkptr prev = chunk_minus_offset(p, prevsize);
+            psize += prevsize;
+            p = prev;
+            if (RTCHECK(ok_address(fm, prev))) { /* consolidate backward */
+              if (p != fm->dv) {
+                unlink_chunk(fm, p, prevsize);
+              }
+              else if ((next->head & INUSE_BITS) == INUSE_BITS) {
+                fm->dvsize = psize;
+                set_free_with_pinuse(p, psize, next);
+                goto postaction;
+              }
+            }
+            else
+              goto erroraction;
+          }
+        }
+
+        if (RTCHECK(ok_next(p, next) && ok_pinuse(next))) {
+          if (!cinuse(next)) {  /* consolidate forward */
+            if (next == fm->top) {
+              size_t tsize = fm->topsize += psize;
+              fm->top = p;
+              p->head = tsize | PINUSE_BIT;
+              if (p == fm->dv) {
+                fm->dv = 0;
+                fm->dvsize = 0;
+              }
+              if (should_trim(fm, tsize))
+                sys_trim(fm, 0);
+              goto postaction;
+            }
+            else if (next == fm->dv) {
+              size_t dsize = fm->dvsize += psize;
+              fm->dv = p;
+              set_size_and_pinuse_of_free_chunk(p, dsize);
+              goto postaction;
+            }
+            else {
+              size_t nsize = chunksize(next);
+              psize += nsize;
+              unlink_chunk(fm, next, nsize);
+              set_size_and_pinuse_of_free_chunk(p, psize);
+              if (p == fm->dv) {
+                fm->dvsize = psize;
+                goto postaction;
+              }
+            }
+          }
+          else
+            set_free_with_pinuse(p, psize, next);
+          insert_chunk(fm, p, psize);
+          check_free_chunk(fm, p);
+          goto postaction;
+        }
+      }
+    erroraction:
+      USAGE_ERROR_ACTION(fm, p);
+    postaction:
+      POSTACTION(fm);
+    }
+  }
+#if !FOOTERS
+#undef fm
+#endif /* FOOTERS */
+}
+
+void* dlcalloc(size_t n_elements, size_t elem_size) {
+  void* mem;
+  size_t req = 0;
+  if (n_elements != 0) {
+    req = n_elements * elem_size;
+    if (((n_elements | elem_size) & ~(size_t)0xffff) &&
+        (req / n_elements != elem_size))
+      req = MAX_SIZE_T; /* force downstream failure on overflow */
+  }
+  mem = dlmalloc(req);
+  if (mem != 0 && calloc_must_clear(mem2chunk(mem)))
+    memset(mem, 0, req);
+  return mem;
+}
+
+void* dlrealloc(void* oldmem, size_t bytes) {
+  if (oldmem == 0)
+    return dlmalloc(bytes);
+#ifdef REALLOC_ZERO_BYTES_FREES
+  if (bytes == 0) {
+    dlfree(oldmem);
+    return 0;
+  }
+#endif /* REALLOC_ZERO_BYTES_FREES */
+  else {
+#if ! FOOTERS
+    mstate m = gm;
+#else /* FOOTERS */
+    mstate m = get_mstate_for(mem2chunk(oldmem));
+    if (!ok_magic(m)) {
+      USAGE_ERROR_ACTION(m, oldmem);
+      return 0;
+    }
+#endif /* FOOTERS */
+    return internal_realloc(m, oldmem, bytes);
+  }
+}
+
+void* dlmemalign(size_t alignment, size_t bytes) {
+  return internal_memalign(gm, alignment, bytes);
+}
+
+void** dlindependent_calloc(size_t n_elements, size_t elem_size,
+                                 void* chunks[]) {
+  size_t sz = elem_size; /* serves as 1-element array */
+  return ialloc(gm, n_elements, &sz, 3, chunks);
+}
+
+void** dlindependent_comalloc(size_t n_elements, size_t sizes[],
+                                   void* chunks[]) {
+  return ialloc(gm, n_elements, sizes, 0, chunks);
+}
+
+void* dlvalloc(size_t bytes) {
+  size_t pagesz;
+  init_mparams();
+  pagesz = mparams.page_size;
+  return dlmemalign(pagesz, bytes);
+}
+
+void* dlpvalloc(size_t bytes) {
+  size_t pagesz;
+  init_mparams();
+  pagesz = mparams.page_size;
+  return dlmemalign(pagesz, (bytes + pagesz - SIZE_T_ONE) & ~(pagesz - SIZE_T_ONE));
+}
+
+int dlmalloc_trim(size_t pad) {
+  int result = 0;
+  if (!PREACTION(gm)) {
+    result = sys_trim(gm, pad);
+    POSTACTION(gm);
+  }
+  return result;
+}
+
+size_t dlmalloc_footprint(void) {
+  return gm->footprint;
+}
+
+size_t dlmalloc_max_footprint(void) {
+  return gm->max_footprint;
+}
+
+#if !NO_MALLINFO
+struct mallinfo dlmallinfo(void) {
+  return internal_mallinfo(gm);
+}
+#endif /* NO_MALLINFO */
+
+void dlmalloc_stats() {
+  internal_malloc_stats(gm);
+}
+
+size_t dlmalloc_usable_size(void* mem) {
+  if (mem != 0) {
+    mchunkptr p = mem2chunk(mem);
+    if (cinuse(p))
+      return chunksize(p) - overhead_for(p);
+  }
+  return 0;
+}
+
+int dlmallopt(int param_number, int value) {
+  return change_mparam(param_number, value);
+}
+
+#endif /* !ONLY_MSPACES */
+
+/* ----------------------------- user mspaces ---------------------------- */
+
+#if MSPACES
+
+static mstate init_user_mstate(char* tbase, size_t tsize) {
+  size_t msize = pad_request(sizeof(struct malloc_state));
+  mchunkptr mn;
+  mchunkptr msp = align_as_chunk(tbase);
+  mstate m = (mstate)(chunk2mem(msp));
+  memset(m, 0, msize);
+  INITIAL_LOCK(&m->mutex);
+  msp->head = (msize|PINUSE_BIT|CINUSE_BIT);
+  m->seg.base = m->least_addr = tbase;
+  m->seg.size = m->footprint = m->max_footprint = tsize;
+  m->magic = mparams.magic;
+  m->mflags = mparams.default_mflags;
+  disable_contiguous(m);
+  init_bins(m);
+  mn = next_chunk(mem2chunk(m));
+  init_top(m, mn, (size_t)((tbase + tsize) - (char*)mn) - TOP_FOOT_SIZE);
+  check_top_chunk(m, m->top);
+  return m;
+}
+
+mspace create_mspace(size_t capacity, int locked) {
+  mstate m = 0;
+  size_t msize = pad_request(sizeof(struct malloc_state));
+  init_mparams(); /* Ensure pagesize etc initialized */
+
+  if (capacity < (size_t) -(msize + TOP_FOOT_SIZE + mparams.page_size)) {
+    size_t rs = ((capacity == 0)? mparams.granularity :
+                 (capacity + TOP_FOOT_SIZE + msize));
+    size_t tsize = granularity_align(rs);
+    char* tbase = (char*)(CALL_MMAP(tsize));
+    if (tbase != CMFAIL) {
+      m = init_user_mstate(tbase, tsize);
+      m->seg.sflags = IS_MMAPPED_BIT;
+      set_lock(m, locked);
+    }
+  }
+  return (mspace)m;
+}
+
+mspace create_mspace_with_base(void* base, size_t capacity, int locked) {
+  mstate m = 0;
+  size_t msize = pad_request(sizeof(struct malloc_state));
+  init_mparams(); /* Ensure pagesize etc initialized */
+
+  if (capacity > msize + TOP_FOOT_SIZE &&
+      capacity < (size_t) -(msize + TOP_FOOT_SIZE + mparams.page_size)) {
+    m = init_user_mstate((char*)base, capacity);
+    m->seg.sflags = EXTERN_BIT;
+    set_lock(m, locked);
+  }
+  return (mspace)m;
+}
+
+size_t destroy_mspace(mspace msp) {
+  size_t freed = 0;
+  mstate ms = (mstate)msp;
+  if (ok_magic(ms)) {
+    msegmentptr sp = &ms->seg;
+    while (sp != 0) {
+      char* base = sp->base;
+      size_t size = sp->size;
+      flag_t flag = sp->sflags;
+      sp = sp->next;
+      if ((flag & IS_MMAPPED_BIT) && !(flag & EXTERN_BIT) &&
+          CALL_MUNMAP(base, size) == 0)
+        freed += size;
+    }
+  }
+  else {
+    USAGE_ERROR_ACTION(ms,ms);
+  }
+  return freed;
+}
+
+/*
+  mspace versions of routines are near-clones of the global
+  versions. This is not so nice but better than the alternatives.
+*/
+
+
+void* mspace_malloc(mspace msp, size_t bytes) {
+  mstate ms = (mstate)msp;
+  if (!ok_magic(ms)) {
+    USAGE_ERROR_ACTION(ms,ms);
+    return 0;
+  }
+  if (!PREACTION(ms)) {
+    void* mem;
+    size_t nb;
+    if (bytes <= MAX_SMALL_REQUEST) {
+      bindex_t idx;
+      binmap_t smallbits;
+      nb = (bytes < MIN_REQUEST)? MIN_CHUNK_SIZE : pad_request(bytes);
+      idx = small_index(nb);
+      smallbits = ms->smallmap >> idx;
+
+      if ((smallbits & 0x3U) != 0) { /* Remainderless fit to a smallbin. */
+        mchunkptr b, p;
+        idx += ~smallbits & 1;       /* Uses next bin if idx empty */
+        b = smallbin_at(ms, idx);
+        p = b->fd;
+        assert(chunksize(p) == small_index2size(idx));
+        unlink_first_small_chunk(ms, b, p, idx);
+        set_inuse_and_pinuse(ms, p, small_index2size(idx));
+        mem = chunk2mem(p);
+        check_malloced_chunk(ms, mem, nb);
+        goto postaction;
+      }
+
+      else if (nb > ms->dvsize) {
+        if (smallbits != 0) { /* Use chunk in next nonempty smallbin */
+          mchunkptr b, p, r;
+          size_t rsize;
+          bindex_t i;
+          binmap_t leftbits = (smallbits << idx) & left_bits(idx2bit(idx));
+          binmap_t leastbit = least_bit(leftbits);
+          compute_bit2idx(leastbit, i);
+          b = smallbin_at(ms, i);
+          p = b->fd;
+          assert(chunksize(p) == small_index2size(i));
+          unlink_first_small_chunk(ms, b, p, i);
+          rsize = small_index2size(i) - nb;
+          /* Fit here cannot be remainderless if 4byte sizes */
+          if (SIZE_T_SIZE != 4 && rsize < MIN_CHUNK_SIZE)
+            set_inuse_and_pinuse(ms, p, small_index2size(i));
+          else {
+            set_size_and_pinuse_of_inuse_chunk(ms, p, nb);
+            r = chunk_plus_offset(p, nb);
+            set_size_and_pinuse_of_free_chunk(r, rsize);
+            replace_dv(ms, r, rsize);
+          }
+          mem = chunk2mem(p);
+          check_malloced_chunk(ms, mem, nb);
+          goto postaction;
+        }
+
+        else if (ms->treemap != 0 && (mem = tmalloc_small(ms, nb)) != 0) {
+          check_malloced_chunk(ms, mem, nb);
+          goto postaction;
+        }
+      }
+    }
+    else if (bytes >= MAX_REQUEST)
+      nb = MAX_SIZE_T; /* Too big to allocate. Force failure (in sys alloc) */
+    else {
+      nb = pad_request(bytes);
+      if (ms->treemap != 0 && (mem = tmalloc_large(ms, nb)) != 0) {
+        check_malloced_chunk(ms, mem, nb);
+        goto postaction;
+      }
+    }
+
+    if (nb <= ms->dvsize) {
+      size_t rsize = ms->dvsize - nb;
+      mchunkptr p = ms->dv;
+      if (rsize >= MIN_CHUNK_SIZE) { /* split dv */
+        mchunkptr r = ms->dv = chunk_plus_offset(p, nb);
+        ms->dvsize = rsize;
+        set_size_and_pinuse_of_free_chunk(r, rsize);
+        set_size_and_pinuse_of_inuse_chunk(ms, p, nb);
+      }
+      else { /* exhaust dv */
+        size_t dvs = ms->dvsize;
+        ms->dvsize = 0;
+        ms->dv = 0;
+        set_inuse_and_pinuse(ms, p, dvs);
+      }
+      mem = chunk2mem(p);
+      check_malloced_chunk(ms, mem, nb);
+      goto postaction;
+    }
+
+    else if (nb < ms->topsize) { /* Split top */
+      size_t rsize = ms->topsize -= nb;
+      mchunkptr p = ms->top;
+      mchunkptr r = ms->top = chunk_plus_offset(p, nb);
+      r->head = rsize | PINUSE_BIT;
+      set_size_and_pinuse_of_inuse_chunk(ms, p, nb);
+      mem = chunk2mem(p);
+      check_top_chunk(ms, ms->top);
+      check_malloced_chunk(ms, mem, nb);
+      goto postaction;
+    }
+
+    mem = sys_alloc(ms, nb);
+
+  postaction:
+    POSTACTION(ms);
+    return mem;
+  }
+
+  return 0;
+}
+
+void mspace_free(mspace msp, void* mem) {
+  if (mem != 0) {
+    mchunkptr p  = mem2chunk(mem);
+#if FOOTERS
+    mstate fm = get_mstate_for(p);
+#else /* FOOTERS */
+    mstate fm = (mstate)msp;
+#endif /* FOOTERS */
+    if (!ok_magic(fm)) {
+      USAGE_ERROR_ACTION(fm, p);
+      return;
+    }
+    if (!PREACTION(fm)) {
+      check_inuse_chunk(fm, p);
+      if (RTCHECK(ok_address(fm, p) && ok_cinuse(p))) {
+        size_t psize = chunksize(p);
+        mchunkptr next = chunk_plus_offset(p, psize);
+        if (!pinuse(p)) {
+          size_t prevsize = p->prev_foot;
+          if ((prevsize & IS_MMAPPED_BIT) != 0) {
+            prevsize &= ~IS_MMAPPED_BIT;
+            psize += prevsize + MMAP_FOOT_PAD;
+            if (CALL_MUNMAP((char*)p - prevsize, psize) == 0)
+              fm->footprint -= psize;
+            goto postaction;
+          }
+          else {
+            mchunkptr prev = chunk_minus_offset(p, prevsize);
+            psize += prevsize;
+            p = prev;
+            if (RTCHECK(ok_address(fm, prev))) { /* consolidate backward */
+              if (p != fm->dv) {
+                unlink_chunk(fm, p, prevsize);
+              }
+              else if ((next->head & INUSE_BITS) == INUSE_BITS) {
+                fm->dvsize = psize;
+                set_free_with_pinuse(p, psize, next);
+                goto postaction;
+              }
+            }
+            else
+              goto erroraction;
+          }
+        }
+
+        if (RTCHECK(ok_next(p, next) && ok_pinuse(next))) {
+          if (!cinuse(next)) {  /* consolidate forward */
+            if (next == fm->top) {
+              size_t tsize = fm->topsize += psize;
+              fm->top = p;
+              p->head = tsize | PINUSE_BIT;
+              if (p == fm->dv) {
+                fm->dv = 0;
+                fm->dvsize = 0;
+              }
+              if (should_trim(fm, tsize))
+                sys_trim(fm, 0);
+              goto postaction;
+            }
+            else if (next == fm->dv) {
+              size_t dsize = fm->dvsize += psize;
+              fm->dv = p;
+              set_size_and_pinuse_of_free_chunk(p, dsize);
+              goto postaction;
+            }
+            else {
+              size_t nsize = chunksize(next);
+              psize += nsize;
+              unlink_chunk(fm, next, nsize);
+              set_size_and_pinuse_of_free_chunk(p, psize);
+              if (p == fm->dv) {
+                fm->dvsize = psize;
+                goto postaction;
+              }
+            }
+          }
+          else
+            set_free_with_pinuse(p, psize, next);
+          insert_chunk(fm, p, psize);
+          check_free_chunk(fm, p);
+          goto postaction;
+        }
+      }
+    erroraction:
+      USAGE_ERROR_ACTION(fm, p);
+    postaction:
+      POSTACTION(fm);
+    }
+  }
+}
+
+void* mspace_calloc(mspace msp, size_t n_elements, size_t elem_size) {
+  void* mem;
+  size_t req = 0;
+  mstate ms = (mstate)msp;
+  if (!ok_magic(ms)) {
+    USAGE_ERROR_ACTION(ms,ms);
+    return 0;
+  }
+  if (n_elements != 0) {
+    req = n_elements * elem_size;
+    if (((n_elements | elem_size) & ~(size_t)0xffff) &&
+        (req / n_elements != elem_size))
+      req = MAX_SIZE_T; /* force downstream failure on overflow */
+  }
+  mem = internal_malloc(ms, req);
+  if (mem != 0 && calloc_must_clear(mem2chunk(mem)))
+    memset(mem, 0, req);
+  return mem;
+}
+
+void* mspace_realloc(mspace msp, void* oldmem, size_t bytes) {
+  if (oldmem == 0)
+    return mspace_malloc(msp, bytes);
+#ifdef REALLOC_ZERO_BYTES_FREES
+  if (bytes == 0) {
+    mspace_free(msp, oldmem);
+    return 0;
+  }
+#endif /* REALLOC_ZERO_BYTES_FREES */
+  else {
+#if FOOTERS
+    mchunkptr p  = mem2chunk(oldmem);
+    mstate ms = get_mstate_for(p);
+#else /* FOOTERS */
+    mstate ms = (mstate)msp;
+#endif /* FOOTERS */
+    if (!ok_magic(ms)) {
+      USAGE_ERROR_ACTION(ms,ms);
+      return 0;
+    }
+    return internal_realloc(ms, oldmem, bytes);
+  }
+}
+
+void* mspace_memalign(mspace msp, size_t alignment, size_t bytes) {
+  mstate ms = (mstate)msp;
+  if (!ok_magic(ms)) {
+    USAGE_ERROR_ACTION(ms,ms);
+    return 0;
+  }
+  return internal_memalign(ms, alignment, bytes);
+}
+
+void** mspace_independent_calloc(mspace msp, size_t n_elements,
+                                 size_t elem_size, void* chunks[]) {
+  size_t sz = elem_size; /* serves as 1-element array */
+  mstate ms = (mstate)msp;
+  if (!ok_magic(ms)) {
+    USAGE_ERROR_ACTION(ms,ms);
+    return 0;
+  }
+  return ialloc(ms, n_elements, &sz, 3, chunks);
+}
+
+void** mspace_independent_comalloc(mspace msp, size_t n_elements,
+                                   size_t sizes[], void* chunks[]) {
+  mstate ms = (mstate)msp;
+  if (!ok_magic(ms)) {
+    USAGE_ERROR_ACTION(ms,ms);
+    return 0;
+  }
+  return ialloc(ms, n_elements, sizes, 0, chunks);
+}
+
+int mspace_trim(mspace msp, size_t pad) {
+  int result = 0;
+  mstate ms = (mstate)msp;
+  if (ok_magic(ms)) {
+    if (!PREACTION(ms)) {
+      result = sys_trim(ms, pad);
+      POSTACTION(ms);
+    }
+  }
+  else {
+    USAGE_ERROR_ACTION(ms,ms);
+  }
+  return result;
+}
+
+void mspace_malloc_stats(mspace msp) {
+  mstate ms = (mstate)msp;
+  if (ok_magic(ms)) {
+    internal_malloc_stats(ms);
+  }
+  else {
+    USAGE_ERROR_ACTION(ms,ms);
+  }
+}
+
+size_t mspace_footprint(mspace msp) {
+  size_t result;
+  mstate ms = (mstate)msp;
+  if (ok_magic(ms)) {
+    result = ms->footprint;
+  }
+  USAGE_ERROR_ACTION(ms,ms);
+  return result;
+}
+
+
+size_t mspace_max_footprint(mspace msp) {
+  size_t result;
+  mstate ms = (mstate)msp;
+  if (ok_magic(ms)) {
+    result = ms->max_footprint;
+  }
+  USAGE_ERROR_ACTION(ms,ms);
+  return result;
+}
+
+
+#if !NO_MALLINFO
+struct mallinfo mspace_mallinfo(mspace msp) {
+  mstate ms = (mstate)msp;
+  if (!ok_magic(ms)) {
+    USAGE_ERROR_ACTION(ms,ms);
+  }
+  return internal_mallinfo(ms);
+}
+#endif /* NO_MALLINFO */
+
+int mspace_mallopt(int param_number, int value) {
+  return change_mparam(param_number, value);
+}
+
+#endif /* MSPACES */
+
+/* -------------------- Alternative MORECORE functions ------------------- */
+
+/*
+  Guidelines for creating a custom version of MORECORE:
+
+  * For best performance, MORECORE should allocate in multiples of pagesize.
+  * MORECORE may allocate more memory than requested. (Or even less,
+      but this will usually result in a malloc failure.)
+  * MORECORE must not allocate memory when given argument zero, but
+      instead return one past the end address of memory from previous
+      nonzero call.
+  * For best performance, consecutive calls to MORECORE with positive
+      arguments should return increasing addresses, indicating that
+      space has been contiguously extended.
+  * Even though consecutive calls to MORECORE need not return contiguous
+      addresses, it must be OK for malloc'ed chunks to span multiple
+      regions in those cases where they do happen to be contiguous.
+  * MORECORE need not handle negative arguments -- it may instead
+      just return MFAIL when given negative arguments.
+      Negative arguments are always multiples of pagesize. MORECORE
+      must not misinterpret negative args as large positive unsigned
+      args. You can suppress all such calls from even occurring by defining
+      MORECORE_CANNOT_TRIM,
+
+  As an example alternative MORECORE, here is a custom allocator
+  kindly contributed for pre-OSX macOS.  It uses virtually but not
+  necessarily physically contiguous non-paged memory (locked in,
+  present and won't get swapped out).  You can use it by uncommenting
+  this section, adding some #includes, and setting up the appropriate
+  defines above:
+
+      #define MORECORE osMoreCore
+
+  There is also a shutdown routine that should somehow be called for
+  cleanup upon program exit.
+
+  #define MAX_POOL_ENTRIES 100
+  #define MINIMUM_MORECORE_SIZE  (64 * 1024U)
+  static int next_os_pool;
+  void *our_os_pools[MAX_POOL_ENTRIES];
+
+  void *osMoreCore(int size)
+  {
+    void *ptr = 0;
+    static void *sbrk_top = 0;
+
+    if (size > 0)
+    {
+      if (size < MINIMUM_MORECORE_SIZE)
+         size = MINIMUM_MORECORE_SIZE;
+      if (CurrentExecutionLevel() == kTaskLevel)
+         ptr = PoolAllocateResident(size + RM_PAGE_SIZE, 0);
+      if (ptr == 0)
+      {
+        return (void *) MFAIL;
+      }
+      // save ptrs so they can be freed during cleanup
+      our_os_pools[next_os_pool] = ptr;
+      next_os_pool++;
+      ptr = (void *) ((((size_t) ptr) + RM_PAGE_MASK) & ~RM_PAGE_MASK);
+      sbrk_top = (char *) ptr + size;
+      return ptr;
+    }
+    else if (size < 0)
+    {
+      // we don't currently support shrink behavior
+      return (void *) MFAIL;
+    }
+    else
+    {
+      return sbrk_top;
+    }
+  }
+
+  // cleanup any allocated memory pools
+  // called as last thing before shutting down driver
+
+  void osCleanupMem(void)
+  {
+    void **ptr;
+
+    for (ptr = our_os_pools; ptr < &our_os_pools[MAX_POOL_ENTRIES]; ptr++)
+      if (*ptr)
+      {
+         PoolDeallocate(*ptr);
+         *ptr = 0;
+      }
+  }
+
+*/
+
+
+/* -----------------------------------------------------------------------
+History:
+    V2.8.3 Thu Sep 22 11:16:32 2005  Doug Lea  (dl at gee)
+      * Add max_footprint functions
+      * Ensure all appropriate literals are size_t
+      * Fix conditional compilation problem for some #define settings
+      * Avoid concatenating segments with the one provided
+        in create_mspace_with_base
+      * Rename some variables to avoid compiler shadowing warnings
+      * Use explicit lock initialization.
+      * Better handling of sbrk interference.
+      * Simplify and fix segment insertion, trimming and mspace_destroy
+      * Reinstate REALLOC_ZERO_BYTES_FREES option from 2.7.x
+      * Thanks especially to Dennis Flanagan for help on these.
+
+    V2.8.2 Sun Jun 12 16:01:10 2005  Doug Lea  (dl at gee)
+      * Fix memalign brace error.
+
+    V2.8.1 Wed Jun  8 16:11:46 2005  Doug Lea  (dl at gee)
+      * Fix improper #endif nesting in C++
+      * Add explicit casts needed for C++
+
+    V2.8.0 Mon May 30 14:09:02 2005  Doug Lea  (dl at gee)
+      * Use trees for large bins
+      * Support mspaces
+      * Use segments to unify sbrk-based and mmap-based system allocation,
+        removing need for emulation on most platforms without sbrk.
+      * Default safety checks
+      * Optional footer checks. Thanks to William Robertson for the idea.
+      * Internal code refactoring
+      * Incorporate suggestions and platform-specific changes.
+        Thanks to Dennis Flanagan, Colin Plumb, Niall Douglas,
+        Aaron Bachmann,  Emery Berger, and others.
+      * Speed up non-fastbin processing enough to remove fastbins.
+      * Remove useless cfree() to avoid conflicts with other apps.
+      * Remove internal memcpy, memset. Compilers handle builtins better.
+      * Remove some options that no one ever used and rename others.
+
+    V2.7.2 Sat Aug 17 09:07:30 2002  Doug Lea  (dl at gee)
+      * Fix malloc_state bitmap array misdeclaration
+
+    V2.7.1 Thu Jul 25 10:58:03 2002  Doug Lea  (dl at gee)
+      * Allow tuning of FIRST_SORTED_BIN_SIZE
+      * Use PTR_UINT as type for all ptr->int casts. Thanks to John Belmonte.
+      * Better detection and support for non-contiguousness of MORECORE.
+        Thanks to Andreas Mueller, Conal Walsh, and Wolfram Gloger
+      * Bypass most of malloc if no frees. Thanks To Emery Berger.
+      * Fix freeing of old top non-contiguous chunk im sysmalloc.
+      * Raised default trim and map thresholds to 256K.
+      * Fix mmap-related #defines. Thanks to Lubos Lunak.
+      * Fix copy macros; added LACKS_FCNTL_H. Thanks to Neal Walfield.
+      * Branch-free bin calculation
+      * Default trim and mmap thresholds now 256K.
+
+    V2.7.0 Sun Mar 11 14:14:06 2001  Doug Lea  (dl at gee)
+      * Introduce independent_comalloc and independent_calloc.
+        Thanks to Michael Pachos for motivation and help.
+      * Make optional .h file available
+      * Allow > 2GB requests on 32bit systems.
+      * new WIN32 sbrk, mmap, munmap, lock code from <Walter@GeNeSys-e.de>.
+        Thanks also to Andreas Mueller <a.mueller at paradatec.de>,
+        and Anonymous.
+      * Allow override of MALLOC_ALIGNMENT (Thanks to Ruud Waij for
+        helping test this.)
+      * memalign: check alignment arg
+      * realloc: don't try to shift chunks backwards, since this
+        leads to  more fragmentation in some programs and doesn't
+        seem to help in any others.
+      * Collect all cases in malloc requiring system memory into sysmalloc
+      * Use mmap as backup to sbrk
+      * Place all internal state in malloc_state
+      * Introduce fastbins (although similar to 2.5.1)
+      * Many minor tunings and cosmetic improvements
+      * Introduce USE_PUBLIC_MALLOC_WRAPPERS, USE_MALLOC_LOCK
+      * Introduce MALLOC_FAILURE_ACTION, MORECORE_CONTIGUOUS
+        Thanks to Tony E. Bennett <tbennett@nvidia.com> and others.
+      * Include errno.h to support default failure action.
+
+    V2.6.6 Sun Dec  5 07:42:19 1999  Doug Lea  (dl at gee)
+      * return null for negative arguments
+      * Added Several WIN32 cleanups from Martin C. Fong <mcfong at yahoo.com>
+         * Add 'LACKS_SYS_PARAM_H' for those systems without 'sys/param.h'
+          (e.g. WIN32 platforms)
+         * Cleanup header file inclusion for WIN32 platforms
+         * Cleanup code to avoid Microsoft Visual C++ compiler complaints
+         * Add 'USE_DL_PREFIX' to quickly allow co-existence with existing
+           memory allocation routines
+         * Set 'malloc_getpagesize' for WIN32 platforms (needs more work)
+         * Use 'assert' rather than 'ASSERT' in WIN32 code to conform to
+           usage of 'assert' in non-WIN32 code
+         * Improve WIN32 'sbrk()' emulation's 'findRegion()' routine to
+           avoid infinite loop
+      * Always call 'fREe()' rather than 'free()'
+
+    V2.6.5 Wed Jun 17 15:57:31 1998  Doug Lea  (dl at gee)
+      * Fixed ordering problem with boundary-stamping
+
+    V2.6.3 Sun May 19 08:17:58 1996  Doug Lea  (dl at gee)
+      * Added pvalloc, as recommended by H.J. Liu
+      * Added 64bit pointer support mainly from Wolfram Gloger
+      * Added anonymously donated WIN32 sbrk emulation
+      * Malloc, calloc, getpagesize: add optimizations from Raymond Nijssen
+      * malloc_extend_top: fix mask error that caused wastage after
+        foreign sbrks
+      * Add linux mremap support code from HJ Liu
+
+    V2.6.2 Tue Dec  5 06:52:55 1995  Doug Lea  (dl at gee)
+      * Integrated most documentation with the code.
+      * Add support for mmap, with help from
+        Wolfram Gloger (Gloger@lrz.uni-muenchen.de).
+      * Use last_remainder in more cases.
+      * Pack bins using idea from  colin@nyx10.cs.du.edu
+      * Use ordered bins instead of best-fit threshhold
+      * Eliminate block-local decls to simplify tracing and debugging.
+      * Support another case of realloc via move into top
+      * Fix error occuring when initial sbrk_base not word-aligned.
+      * Rely on page size for units instead of SBRK_UNIT to
+        avoid surprises about sbrk alignment conventions.
+      * Add mallinfo, mallopt. Thanks to Raymond Nijssen
+        (raymond@es.ele.tue.nl) for the suggestion.
+      * Add `pad' argument to malloc_trim and top_pad mallopt parameter.
+      * More precautions for cases where other routines call sbrk,
+        courtesy of Wolfram Gloger (Gloger@lrz.uni-muenchen.de).
+      * Added macros etc., allowing use in linux libc from
+        H.J. Lu (hjl@gnu.ai.mit.edu)
+      * Inverted this history list
+
+    V2.6.1 Sat Dec  2 14:10:57 1995  Doug Lea  (dl at gee)
+      * Re-tuned and fixed to behave more nicely with V2.6.0 changes.
+      * Removed all preallocation code since under current scheme
+        the work required to undo bad preallocations exceeds
+        the work saved in good cases for most test programs.
+      * No longer use return list or unconsolidated bins since
+        no scheme using them consistently outperforms those that don't
+        given above changes.
+      * Use best fit for very large chunks to prevent some worst-cases.
+      * Added some support for debugging
+
+    V2.6.0 Sat Nov  4 07:05:23 1995  Doug Lea  (dl at gee)
+      * Removed footers when chunks are in use. Thanks to
+        Paul Wilson (wilson@cs.texas.edu) for the suggestion.
+
+    V2.5.4 Wed Nov  1 07:54:51 1995  Doug Lea  (dl at gee)
+      * Added malloc_trim, with help from Wolfram Gloger
+        (wmglo@Dent.MED.Uni-Muenchen.DE).
+
+    V2.5.3 Tue Apr 26 10:16:01 1994  Doug Lea  (dl at g)
+
+    V2.5.2 Tue Apr  5 16:20:40 1994  Doug Lea  (dl at g)
+      * realloc: try to expand in both directions
+      * malloc: swap order of clean-bin strategy;
+      * realloc: only conditionally expand backwards
+      * Try not to scavenge used bins
+      * Use bin counts as a guide to preallocation
+      * Occasionally bin return list chunks in first scan
+      * Add a few optimizations from colin@nyx10.cs.du.edu
+
+    V2.5.1 Sat Aug 14 15:40:43 1993  Doug Lea  (dl at g)
+      * faster bin computation & slightly different binning
+      * merged all consolidations to one part of malloc proper
+         (eliminating old malloc_find_space & malloc_clean_bin)
+      * Scan 2 returns chunks (not just 1)
+      * Propagate failure in realloc if malloc returns 0
+      * Add stuff to allow compilation on non-ANSI compilers
+          from kpv@research.att.com
+
+    V2.5 Sat Aug  7 07:41:59 1993  Doug Lea  (dl at g.oswego.edu)
+      * removed potential for odd address access in prev_chunk
+      * removed dependency on getpagesize.h
+      * misc cosmetics and a bit more internal documentation
+      * anticosmetics: mangled names in macros to evade debugger strangeness
+      * tested on sparc, hp-700, dec-mips, rs6000
+          with gcc & native cc (hp, dec only) allowing
+          Detlefs & Zorn comparison study (in SIGPLAN Notices.)
+
+    Trial version Fri Aug 28 13:14:29 1992  Doug Lea  (dl at g.oswego.edu)
+      * Based loosely on libg++-1.2X malloc. (It retains some of the overall
+         structure of old version,  but most details differ.)
+ 
+*/
diff --git a/src/md5.c b/src/md5.c
new file mode 100644
index 0000000000..941c0d37e5
--- /dev/null
+++ b/src/md5.c
@@ -0,0 +1,381 @@
+/*
+  Copyright (C) 1999, 2000, 2002 Aladdin Enterprises.  All rights reserved.
+
+  This software is provided 'as-is', without any express or implied
+  warranty.  In no event will the authors be held liable for any damages
+  arising from the use of this software.
+
+  Permission is granted to anyone to use this software for any purpose,
+  including commercial applications, and to alter it and redistribute it
+  freely, subject to the following restrictions:
+
+  1. The origin of this software must not be misrepresented; you must not
+     claim that you wrote the original software. If you use this software
+     in a product, an acknowledgment in the product documentation would be
+     appreciated but is not required.
+  2. Altered source versions must be plainly marked as such, and must not be
+     misrepresented as being the original software.
+  3. This notice may not be removed or altered from any source distribution.
+
+  L. Peter Deutsch
+  ghost@aladdin.com
+
+ */
+/* $Id: md5.c 80 2004-07-14 20:15:50Z jason $ */
+/*
+  Independent implementation of MD5 (RFC 1321).
+
+  This code implements the MD5 Algorithm defined in RFC 1321, whose
+  text is available at
+	http://www.ietf.org/rfc/rfc1321.txt
+  The code is derived from the text of the RFC, including the test suite
+  (section A.5) but excluding the rest of Appendix A.  It does not include
+  any code or documentation that is identified in the RFC as being
+  copyrighted.
+
+  The original and principal author of md5.c is L. Peter Deutsch
+  <ghost@aladdin.com>.  Other authors are noted in the change history
+  that follows (in reverse chronological order):
+
+  2002-04-13 lpd Clarified derivation from RFC 1321; now handles byte order
+	either statically or dynamically; added missing #include <string.h>
+	in library.
+  2002-03-11 lpd Corrected argument list for main(), and added int return
+	type, in test program and T value program.
+  2002-02-21 lpd Added missing #include <stdio.h> in test program.
+  2000-07-03 lpd Patched to eliminate warnings about "constant is
+	unsigned in ANSI C, signed in traditional"; made test program
+	self-checking.
+  1999-11-04 lpd Edited comments slightly for automatic TOC extraction.
+  1999-10-18 lpd Fixed typo in header comment (ansi2knr rather than md5).
+  1999-05-03 lpd Original version.
+ */
+
+#include "md5.h"
+#include <string.h>
+
+#undef BYTE_ORDER	/* 1 = big-endian, -1 = little-endian, 0 = unknown */
+#ifdef ARCH_IS_BIG_ENDIAN
+#  define BYTE_ORDER (ARCH_IS_BIG_ENDIAN ? 1 : -1)
+#else
+#  define BYTE_ORDER 0
+#endif
+
+#define T_MASK ((md5_word_t)~0)
+#define T1 /* 0xd76aa478 */ (T_MASK ^ 0x28955b87)
+#define T2 /* 0xe8c7b756 */ (T_MASK ^ 0x173848a9)
+#define T3    0x242070db
+#define T4 /* 0xc1bdceee */ (T_MASK ^ 0x3e423111)
+#define T5 /* 0xf57c0faf */ (T_MASK ^ 0x0a83f050)
+#define T6    0x4787c62a
+#define T7 /* 0xa8304613 */ (T_MASK ^ 0x57cfb9ec)
+#define T8 /* 0xfd469501 */ (T_MASK ^ 0x02b96afe)
+#define T9    0x698098d8
+#define T10 /* 0x8b44f7af */ (T_MASK ^ 0x74bb0850)
+#define T11 /* 0xffff5bb1 */ (T_MASK ^ 0x0000a44e)
+#define T12 /* 0x895cd7be */ (T_MASK ^ 0x76a32841)
+#define T13    0x6b901122
+#define T14 /* 0xfd987193 */ (T_MASK ^ 0x02678e6c)
+#define T15 /* 0xa679438e */ (T_MASK ^ 0x5986bc71)
+#define T16    0x49b40821
+#define T17 /* 0xf61e2562 */ (T_MASK ^ 0x09e1da9d)
+#define T18 /* 0xc040b340 */ (T_MASK ^ 0x3fbf4cbf)
+#define T19    0x265e5a51
+#define T20 /* 0xe9b6c7aa */ (T_MASK ^ 0x16493855)
+#define T21 /* 0xd62f105d */ (T_MASK ^ 0x29d0efa2)
+#define T22    0x02441453
+#define T23 /* 0xd8a1e681 */ (T_MASK ^ 0x275e197e)
+#define T24 /* 0xe7d3fbc8 */ (T_MASK ^ 0x182c0437)
+#define T25    0x21e1cde6
+#define T26 /* 0xc33707d6 */ (T_MASK ^ 0x3cc8f829)
+#define T27 /* 0xf4d50d87 */ (T_MASK ^ 0x0b2af278)
+#define T28    0x455a14ed
+#define T29 /* 0xa9e3e905 */ (T_MASK ^ 0x561c16fa)
+#define T30 /* 0xfcefa3f8 */ (T_MASK ^ 0x03105c07)
+#define T31    0x676f02d9
+#define T32 /* 0x8d2a4c8a */ (T_MASK ^ 0x72d5b375)
+#define T33 /* 0xfffa3942 */ (T_MASK ^ 0x0005c6bd)
+#define T34 /* 0x8771f681 */ (T_MASK ^ 0x788e097e)
+#define T35    0x6d9d6122
+#define T36 /* 0xfde5380c */ (T_MASK ^ 0x021ac7f3)
+#define T37 /* 0xa4beea44 */ (T_MASK ^ 0x5b4115bb)
+#define T38    0x4bdecfa9
+#define T39 /* 0xf6bb4b60 */ (T_MASK ^ 0x0944b49f)
+#define T40 /* 0xbebfbc70 */ (T_MASK ^ 0x4140438f)
+#define T41    0x289b7ec6
+#define T42 /* 0xeaa127fa */ (T_MASK ^ 0x155ed805)
+#define T43 /* 0xd4ef3085 */ (T_MASK ^ 0x2b10cf7a)
+#define T44    0x04881d05
+#define T45 /* 0xd9d4d039 */ (T_MASK ^ 0x262b2fc6)
+#define T46 /* 0xe6db99e5 */ (T_MASK ^ 0x1924661a)
+#define T47    0x1fa27cf8
+#define T48 /* 0xc4ac5665 */ (T_MASK ^ 0x3b53a99a)
+#define T49 /* 0xf4292244 */ (T_MASK ^ 0x0bd6ddbb)
+#define T50    0x432aff97
+#define T51 /* 0xab9423a7 */ (T_MASK ^ 0x546bdc58)
+#define T52 /* 0xfc93a039 */ (T_MASK ^ 0x036c5fc6)
+#define T53    0x655b59c3
+#define T54 /* 0x8f0ccc92 */ (T_MASK ^ 0x70f3336d)
+#define T55 /* 0xffeff47d */ (T_MASK ^ 0x00100b82)
+#define T56 /* 0x85845dd1 */ (T_MASK ^ 0x7a7ba22e)
+#define T57    0x6fa87e4f
+#define T58 /* 0xfe2ce6e0 */ (T_MASK ^ 0x01d3191f)
+#define T59 /* 0xa3014314 */ (T_MASK ^ 0x5cfebceb)
+#define T60    0x4e0811a1
+#define T61 /* 0xf7537e82 */ (T_MASK ^ 0x08ac817d)
+#define T62 /* 0xbd3af235 */ (T_MASK ^ 0x42c50dca)
+#define T63    0x2ad7d2bb
+#define T64 /* 0xeb86d391 */ (T_MASK ^ 0x14792c6e)
+
+
+static void
+md5_process(md5_state_t *pms, const md5_byte_t *data /*[64]*/)
+{
+    md5_word_t
+	a = pms->abcd[0], b = pms->abcd[1],
+	c = pms->abcd[2], d = pms->abcd[3];
+    md5_word_t t;
+#if BYTE_ORDER > 0
+    /* Define storage only for big-endian CPUs. */
+    md5_word_t X[16];
+#else
+    /* Define storage for little-endian or both types of CPUs. */
+    md5_word_t xbuf[16];
+    const md5_word_t *X;
+#endif
+
+    {
+#if BYTE_ORDER == 0
+	/*
+	 * Determine dynamically whether this is a big-endian or
+	 * little-endian machine, since we can use a more efficient
+	 * algorithm on the latter.
+	 */
+	static const int w = 1;
+
+	if (*((const md5_byte_t *)&w)) /* dynamic little-endian */
+#endif
+#if BYTE_ORDER <= 0		/* little-endian */
+	{
+	    /*
+	     * On little-endian machines, we can process properly aligned
+	     * data without copying it.
+	     */
+	    if (!((data - (const md5_byte_t *)0) & 3)) {
+		/* data are properly aligned */
+		X = (const md5_word_t *)data;
+	    } else {
+		/* not aligned */
+		memcpy(xbuf, data, 64);
+		X = xbuf;
+	    }
+	}
+#endif
+#if BYTE_ORDER == 0
+	else			/* dynamic big-endian */
+#endif
+#if BYTE_ORDER >= 0		/* big-endian */
+	{
+	    /*
+	     * On big-endian machines, we must arrange the bytes in the
+	     * right order.
+	     */
+	    const md5_byte_t *xp = data;
+	    int i;
+
+#  if BYTE_ORDER == 0
+	    X = xbuf;		/* (dynamic only) */
+#  else
+#    define xbuf X		/* (static only) */
+#  endif
+	    for (i = 0; i < 16; ++i, xp += 4)
+		xbuf[i] = xp[0] + (xp[1] << 8) + (xp[2] << 16) + (xp[3] << 24);
+	}
+#endif
+    }
+
+#define ROTATE_LEFT(x, n) (((x) << (n)) | ((x) >> (32 - (n))))
+
+    /* Round 1. */
+    /* Let [abcd k s i] denote the operation
+       a = b + ((a + F(b,c,d) + X[k] + T[i]) <<< s). */
+#define F(x, y, z) (((x) & (y)) | (~(x) & (z)))
+#define SET(a, b, c, d, k, s, Ti)\
+  t = a + F(b,c,d) + X[k] + Ti;\
+  a = ROTATE_LEFT(t, s) + b
+    /* Do the following 16 operations. */
+    SET(a, b, c, d,  0,  7,  T1);
+    SET(d, a, b, c,  1, 12,  T2);
+    SET(c, d, a, b,  2, 17,  T3);
+    SET(b, c, d, a,  3, 22,  T4);
+    SET(a, b, c, d,  4,  7,  T5);
+    SET(d, a, b, c,  5, 12,  T6);
+    SET(c, d, a, b,  6, 17,  T7);
+    SET(b, c, d, a,  7, 22,  T8);
+    SET(a, b, c, d,  8,  7,  T9);
+    SET(d, a, b, c,  9, 12, T10);
+    SET(c, d, a, b, 10, 17, T11);
+    SET(b, c, d, a, 11, 22, T12);
+    SET(a, b, c, d, 12,  7, T13);
+    SET(d, a, b, c, 13, 12, T14);
+    SET(c, d, a, b, 14, 17, T15);
+    SET(b, c, d, a, 15, 22, T16);
+#undef SET
+
+     /* Round 2. */
+     /* Let [abcd k s i] denote the operation
+          a = b + ((a + G(b,c,d) + X[k] + T[i]) <<< s). */
+#define G(x, y, z) (((x) & (z)) | ((y) & ~(z)))
+#define SET(a, b, c, d, k, s, Ti)\
+  t = a + G(b,c,d) + X[k] + Ti;\
+  a = ROTATE_LEFT(t, s) + b
+     /* Do the following 16 operations. */
+    SET(a, b, c, d,  1,  5, T17);
+    SET(d, a, b, c,  6,  9, T18);
+    SET(c, d, a, b, 11, 14, T19);
+    SET(b, c, d, a,  0, 20, T20);
+    SET(a, b, c, d,  5,  5, T21);
+    SET(d, a, b, c, 10,  9, T22);
+    SET(c, d, a, b, 15, 14, T23);
+    SET(b, c, d, a,  4, 20, T24);
+    SET(a, b, c, d,  9,  5, T25);
+    SET(d, a, b, c, 14,  9, T26);
+    SET(c, d, a, b,  3, 14, T27);
+    SET(b, c, d, a,  8, 20, T28);
+    SET(a, b, c, d, 13,  5, T29);
+    SET(d, a, b, c,  2,  9, T30);
+    SET(c, d, a, b,  7, 14, T31);
+    SET(b, c, d, a, 12, 20, T32);
+#undef SET
+
+     /* Round 3. */
+     /* Let [abcd k s t] denote the operation
+          a = b + ((a + H(b,c,d) + X[k] + T[i]) <<< s). */
+#define H(x, y, z) ((x) ^ (y) ^ (z))
+#define SET(a, b, c, d, k, s, Ti)\
+  t = a + H(b,c,d) + X[k] + Ti;\
+  a = ROTATE_LEFT(t, s) + b
+     /* Do the following 16 operations. */
+    SET(a, b, c, d,  5,  4, T33);
+    SET(d, a, b, c,  8, 11, T34);
+    SET(c, d, a, b, 11, 16, T35);
+    SET(b, c, d, a, 14, 23, T36);
+    SET(a, b, c, d,  1,  4, T37);
+    SET(d, a, b, c,  4, 11, T38);
+    SET(c, d, a, b,  7, 16, T39);
+    SET(b, c, d, a, 10, 23, T40);
+    SET(a, b, c, d, 13,  4, T41);
+    SET(d, a, b, c,  0, 11, T42);
+    SET(c, d, a, b,  3, 16, T43);
+    SET(b, c, d, a,  6, 23, T44);
+    SET(a, b, c, d,  9,  4, T45);
+    SET(d, a, b, c, 12, 11, T46);
+    SET(c, d, a, b, 15, 16, T47);
+    SET(b, c, d, a,  2, 23, T48);
+#undef SET
+
+     /* Round 4. */
+     /* Let [abcd k s t] denote the operation
+          a = b + ((a + I(b,c,d) + X[k] + T[i]) <<< s). */
+#define I(x, y, z) ((y) ^ ((x) | ~(z)))
+#define SET(a, b, c, d, k, s, Ti)\
+  t = a + I(b,c,d) + X[k] + Ti;\
+  a = ROTATE_LEFT(t, s) + b
+     /* Do the following 16 operations. */
+    SET(a, b, c, d,  0,  6, T49);
+    SET(d, a, b, c,  7, 10, T50);
+    SET(c, d, a, b, 14, 15, T51);
+    SET(b, c, d, a,  5, 21, T52);
+    SET(a, b, c, d, 12,  6, T53);
+    SET(d, a, b, c,  3, 10, T54);
+    SET(c, d, a, b, 10, 15, T55);
+    SET(b, c, d, a,  1, 21, T56);
+    SET(a, b, c, d,  8,  6, T57);
+    SET(d, a, b, c, 15, 10, T58);
+    SET(c, d, a, b,  6, 15, T59);
+    SET(b, c, d, a, 13, 21, T60);
+    SET(a, b, c, d,  4,  6, T61);
+    SET(d, a, b, c, 11, 10, T62);
+    SET(c, d, a, b,  2, 15, T63);
+    SET(b, c, d, a,  9, 21, T64);
+#undef SET
+
+     /* Then perform the following additions. (That is increment each
+        of the four registers by the value it had before this block
+        was started.) */
+    pms->abcd[0] += a;
+    pms->abcd[1] += b;
+    pms->abcd[2] += c;
+    pms->abcd[3] += d;
+}
+
+void
+md5_init(md5_state_t *pms)
+{
+    pms->count[0] = pms->count[1] = 0;
+    pms->abcd[0] = 0x67452301;
+    pms->abcd[1] = /*0xefcdab89*/ T_MASK ^ 0x10325476;
+    pms->abcd[2] = /*0x98badcfe*/ T_MASK ^ 0x67452301;
+    pms->abcd[3] = 0x10325476;
+}
+
+void
+md5_append(md5_state_t *pms, const md5_byte_t *data, int nbytes)
+{
+    const md5_byte_t *p = data;
+    int left = nbytes;
+    int offset = (pms->count[0] >> 3) & 63;
+    md5_word_t nbits = (md5_word_t)(nbytes << 3);
+
+    if (nbytes <= 0)
+	return;
+
+    /* Update the message length. */
+    pms->count[1] += nbytes >> 29;
+    pms->count[0] += nbits;
+    if (pms->count[0] < nbits)
+	pms->count[1]++;
+
+    /* Process an initial partial block. */
+    if (offset) {
+	int copy = (offset + nbytes > 64 ? 64 - offset : nbytes);
+
+	memcpy(pms->buf + offset, p, copy);
+	if (offset + copy < 64)
+	    return;
+	p += copy;
+	left -= copy;
+	md5_process(pms, pms->buf);
+    }
+
+    /* Process full blocks. */
+    for (; left >= 64; p += 64, left -= 64)
+	md5_process(pms, p);
+
+    /* Process a final partial block. */
+    if (left)
+	memcpy(pms->buf, p, left);
+}
+
+void
+md5_finish(md5_state_t *pms, md5_byte_t digest[16])
+{
+    static const md5_byte_t pad[64] = {
+	0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
+    };
+    md5_byte_t data[8];
+    int i;
+
+    /* Save the length before padding. */
+    for (i = 0; i < 8; ++i)
+	data[i] = (md5_byte_t)(pms->count[i >> 2] >> ((i & 3) << 3));
+    /* Pad to 56 bytes mod 64. */
+    md5_append(pms, pad, ((55 - (pms->count[0] >> 3)) & 63) + 1);
+    /* Append the length. */
+    md5_append(pms, data, 8);
+    for (i = 0; i < 16; ++i)
+	digest[i] = (md5_byte_t)(pms->abcd[i >> 2] >> ((i & 3) << 3));
+}
diff --git a/src/md5.h b/src/md5.h
new file mode 100644
index 0000000000..8cff20d0af
--- /dev/null
+++ b/src/md5.h
@@ -0,0 +1,91 @@
+/*
+  Copyright (C) 1999, 2002 Aladdin Enterprises.  All rights reserved.
+
+  This software is provided 'as-is', without any express or implied
+  warranty.  In no event will the authors be held liable for any damages
+  arising from the use of this software.
+
+  Permission is granted to anyone to use this software for any purpose,
+  including commercial applications, and to alter it and redistribute it
+  freely, subject to the following restrictions:
+
+  1. The origin of this software must not be misrepresented; you must not
+     claim that you wrote the original software. If you use this software
+     in a product, an acknowledgment in the product documentation would be
+     appreciated but is not required.
+  2. Altered source versions must be plainly marked as such, and must not be
+     misrepresented as being the original software.
+  3. This notice may not be removed or altered from any source distribution.
+
+  L. Peter Deutsch
+  ghost@aladdin.com
+
+ */
+/* $Id: md5.h 80 2004-07-14 20:15:50Z jason $ */
+/*
+  Independent implementation of MD5 (RFC 1321).
+
+  This code implements the MD5 Algorithm defined in RFC 1321, whose
+  text is available at
+	http://www.ietf.org/rfc/rfc1321.txt
+  The code is derived from the text of the RFC, including the test suite
+  (section A.5) but excluding the rest of Appendix A.  It does not include
+  any code or documentation that is identified in the RFC as being
+  copyrighted.
+
+  The original and principal author of md5.h is L. Peter Deutsch
+  <ghost@aladdin.com>.  Other authors are noted in the change history
+  that follows (in reverse chronological order):
+
+  2002-04-13 lpd Removed support for non-ANSI compilers; removed
+	references to Ghostscript; clarified derivation from RFC 1321;
+	now handles byte order either statically or dynamically.
+  1999-11-04 lpd Edited comments slightly for automatic TOC extraction.
+  1999-10-18 lpd Fixed typo in header comment (ansi2knr rather than md5);
+	added conditionalization for C++ compilation from Martin
+	Purschke <purschke@bnl.gov>.
+  1999-05-03 lpd Original version.
+ */
+
+#ifndef md5_INCLUDED
+#  define md5_INCLUDED
+
+/*
+ * This package supports both compile-time and run-time determination of CPU
+ * byte order.  If ARCH_IS_BIG_ENDIAN is defined as 0, the code will be
+ * compiled to run only on little-endian CPUs; if ARCH_IS_BIG_ENDIAN is
+ * defined as non-zero, the code will be compiled to run only on big-endian
+ * CPUs; if ARCH_IS_BIG_ENDIAN is not defined, the code will be compiled to
+ * run on either big- or little-endian CPUs, but will run slightly less
+ * efficiently on either one than if ARCH_IS_BIG_ENDIAN is defined.
+ */
+
+typedef unsigned char md5_byte_t; /* 8-bit byte */
+typedef unsigned int md5_word_t; /* 32-bit word */
+
+/* Define the state of the MD5 Algorithm. */
+typedef struct md5_state_s {
+    md5_word_t count[2];	/* message length in bits, lsw first */
+    md5_word_t abcd[4];		/* digest buffer */
+    md5_byte_t buf[64];		/* accumulate block */
+} md5_state_t;
+
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+
+/* Initialize the algorithm. */
+void md5_init(md5_state_t *pms);
+
+/* Append a string to the message. */
+void md5_append(md5_state_t *pms, const md5_byte_t *data, int nbytes);
+
+/* Finish the message and return the digest. */
+void md5_finish(md5_state_t *pms, md5_byte_t digest[16]);
+
+#ifdef __cplusplus
+}  /* end extern "C" */
+#endif
+
+#endif /* md5_INCLUDED */
diff --git a/src/nb_dns.c b/src/nb_dns.c
new file mode 100644
index 0000000000..c2092a8b5b
--- /dev/null
+++ b/src/nb_dns.c
@@ -0,0 +1,612 @@
+/*
+ * See the file "COPYING" in the main distribution directory for copyright.
+ */
+#ifndef lint
+static const char rcsid[] =
+    "@(#) $Id: nb_dns.c 6219 2008-10-01 05:39:07Z vern $ (LBL)";
+#endif
+/*
+ * nb_dns - non-blocking dns routines
+ *
+ * This version works with BIND 9
+ *
+ * Note: The code here is way more complicated than it should be but
+ * although the interface to send requests is public, the routine to
+ * crack reply buffers is private.
+ */
+
+#include "config.h"			/* must appear before first ifdef */
+
+#include <sys/types.h>
+#include <sys/socket.h>
+
+#include <netinet/in.h>
+
+#include <arpa/inet.h>
+#include <arpa/nameser.h>
+#ifdef NEED_NAMESER_COMPAT_H
+#include <arpa/nameser_compat.h>
+#endif
+
+#include <errno.h>
+#ifdef HAVE_MEMORY_H
+#include <memory.h>
+#endif
+#include <netdb.h>
+#include <resolv.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#ifdef notdef
+#include "gnuc.h"
+#ifdef HAVE_OS_PROTO_H
+#include "os-proto.h"
+#endif
+#endif
+
+#include "nb_dns.h"
+
+#if PACKETSZ > 1024
+#define MAXPACKET	PACKETSZ
+#else
+#define MAXPACKET	1024
+#endif
+
+#ifdef DO_SOCK_DECL
+extern int socket(int, int, int);
+extern int connect(int, const struct sockaddr *, int);
+extern int send(int, const void *, int, int);
+extern int recvfrom(int, void *, int, int, struct sockaddr *, int *);
+#endif
+
+/* Private data */
+struct nb_dns_entry {
+	struct nb_dns_entry *next;
+	char name[NS_MAXDNAME + 1];
+	int qtype;			/* query type */
+	int atype;			/* address family */
+	int asize;			/* address size */
+	u_short id;
+	void *cookie;
+};
+
+#ifndef MAXALIASES
+#define MAXALIASES	35
+#endif
+#ifndef MAXADDRS
+#define MAXADDRS	35
+#endif
+
+struct nb_dns_hostent {
+	struct hostent hostent;
+	int numaliases;
+	int numaddrs;
+	char *host_aliases[MAXALIASES + 1];
+	char *h_addr_ptrs[MAXADDRS + 1];
+	char hostbuf[8 * 1024];
+};
+
+struct nb_dns_info {
+	int s;				/* Resolver file descriptor */
+	struct sockaddr_in server;	/* server address to bind to */
+	struct nb_dns_entry *list;	/* outstanding requests */
+	struct nb_dns_hostent dns_hostent;
+};
+
+/* Forwards */
+static int _nb_dns_mkquery(struct nb_dns_info *, const char *, int, int,
+    void *, char *);
+static int _nb_dns_cmpsockaddr(struct sockaddr *, struct sockaddr *, char *);
+
+static char *
+my_strerror(int errnum)
+{
+#if HAVE_STRERROR
+	extern char *strerror(int);
+	return strerror(errnum);
+#else
+	static char errnum_buf[32];
+	snprintf(errnum_buf, sizeof(errnum_buf), "errno %d", errnum);
+	return errnum_buf;
+#endif
+}
+
+struct nb_dns_info *
+nb_dns_init(char *errstr)
+{
+	register struct nb_dns_info *nd;
+
+	nd = (struct nb_dns_info *)malloc(sizeof(*nd));
+	if (nd == NULL) {
+		snprintf(errstr, NB_DNS_ERRSIZE, "nb_dns_init: malloc(): %s",
+		    my_strerror(errno));
+		return (NULL);
+	}
+	memset(nd, 0, sizeof(*nd));
+	nd->s = -1;
+
+	/* XXX should be able to init static hostent struct some other way */
+	(void)gethostbyname("localhost.");
+
+	if ((_res.options & RES_INIT) == 0 && res_init() == -1) {
+		snprintf(errstr, NB_DNS_ERRSIZE, "res_init() failed");
+		free(nd);
+		return (NULL);
+	}
+	nd->s = socket(PF_INET, SOCK_DGRAM, 0);
+	if (nd->s < 0) {
+		snprintf(errstr, NB_DNS_ERRSIZE, "socket(): %s",
+		    my_strerror(errno));
+		free(nd);
+		return (NULL);
+	}
+
+	/* XXX should use resolver config */
+	nd->server = _res.nsaddr_list[0];
+
+	if (connect(nd->s, (struct sockaddr *)&nd->server,
+	    sizeof(struct sockaddr)) < 0) {
+		snprintf(errstr, NB_DNS_ERRSIZE, "connect(%s): %s",
+		    inet_ntoa(nd->server.sin_addr), my_strerror(errno));
+		close(nd->s);
+		free(nd);
+		return (NULL);
+	}
+
+	return (nd);
+}
+
+void
+nb_dns_finish(struct nb_dns_info *nd)
+{
+	register struct nb_dns_entry *ne, *ne2;
+
+	ne = nd->list;
+	while (ne != NULL) {
+		ne2 = ne;
+		ne = ne->next;
+		free(ne2);
+	}
+	close(nd->s);
+	free(nd);
+}
+
+int
+nb_dns_fd(struct nb_dns_info *nd)
+{
+
+	return (nd->s);
+}
+
+static int
+_nb_dns_cmpsockaddr(register struct sockaddr *sa1,
+    register struct sockaddr *sa2, register char *errstr)
+{
+	register struct sockaddr_in *sin1, *sin2;
+#ifdef AF_INET6
+	register struct sockaddr_in6 *sin6a, *sin6b;
+#endif
+	static const char serr[] = "answer from wrong nameserver (%d)";
+
+	if (sa1->sa_family != sa1->sa_family) {
+		snprintf(errstr, NB_DNS_ERRSIZE, serr, 1);
+		return (-1);
+	}
+	switch (sa1->sa_family) {
+
+	case AF_INET:
+		sin1 = (struct sockaddr_in *)sa1;
+		sin2 = (struct sockaddr_in *)sa2;
+		if (sin1->sin_port != sin2->sin_port) {
+			snprintf(errstr, NB_DNS_ERRSIZE, serr, 2);
+			return (-1);
+		}
+		if (sin1->sin_addr.s_addr != sin2->sin_addr.s_addr) {
+			snprintf(errstr, NB_DNS_ERRSIZE, serr, 3);
+			return (-1);
+		}
+		break;
+
+#ifdef AF_INET6
+	case AF_INET6:
+		sin6a = (struct sockaddr_in6 *)sa1;
+		sin6b = (struct sockaddr_in6 *)sa2;
+		if (sin6a->sin6_port != sin6b->sin6_port) {
+			snprintf(errstr, NB_DNS_ERRSIZE, serr, 2);
+			return (-1);
+		}
+		if (memcmp(&sin6a->sin6_addr, &sin6b->sin6_addr,
+		    sizeof(sin6a->sin6_addr)) != 0) {
+			snprintf(errstr, NB_DNS_ERRSIZE, serr, 3);
+			return (-1);
+		}
+		break;
+#endif
+
+	default:
+		snprintf(errstr, NB_DNS_ERRSIZE, serr, 4);
+		return (-1);
+	}
+	return (0);
+}
+
+static int
+_nb_dns_mkquery(register struct nb_dns_info *nd, register const char *name,
+    register int atype, register int qtype, register void * cookie,
+    register char *errstr)
+{
+	register struct nb_dns_entry *ne;
+	register HEADER *hp;
+	register int n;
+	u_long msg[MAXPACKET / sizeof(u_long)];
+
+	/* Allocate an entry */
+	ne = (struct nb_dns_entry *)malloc(sizeof(*ne));
+	if (ne == NULL) {
+		snprintf(errstr, NB_DNS_ERRSIZE, "malloc(): %s",
+		    my_strerror(errno));
+		return (-1);
+	}
+	memset(ne, 0, sizeof(*ne));
+	strncpy(ne->name, name, sizeof(ne->name));
+	ne->name[sizeof(ne->name) - 1] = '\0';
+	ne->qtype = qtype;
+	ne->atype = atype;
+	switch (atype) {
+
+	case AF_INET:
+		ne->asize = NS_INADDRSZ;
+		break;
+
+#ifdef AF_INET6
+	case AF_INET6:
+		ne->asize = NS_IN6ADDRSZ;
+		break;
+#endif
+
+	default:
+		snprintf(errstr, NB_DNS_ERRSIZE,
+		    "_nb_dns_mkquery: bad family %d", atype);
+		return (-1);
+	}
+
+	/* Build the request */
+	n = res_mkquery(
+	    ns_o_query,			/* op code (query) */
+	    name,			/* domain name */
+	    ns_c_in,			/* query class (internet) */
+	    qtype,			/* query type */
+	    NULL,			/* data */
+	    0,				/* length of data */
+	    NULL,			/* new rr */
+	    (u_char *)msg,		/* buffer */
+	    sizeof(msg));		/* size of buffer */
+	if (n < 0) {
+		snprintf(errstr, NB_DNS_ERRSIZE, "res_mkquery() failed");
+		free(ne);
+		return (-1);
+	}
+
+	hp = (HEADER *)msg;
+	ne->id = htons(hp->id);
+
+	if (send(nd->s, (char *)msg, n, 0) != n) {
+		snprintf(errstr, NB_DNS_ERRSIZE, "send(): %s",
+		    my_strerror(errno));
+		free(ne);
+		return (-1);
+	}
+
+	ne->next = nd->list;
+	ne->cookie = cookie;
+	nd->list = ne;
+
+	return(0);
+}
+
+int
+nb_dns_host_request(register struct nb_dns_info *nd, register const char *name,
+    register void *cookie, register char *errstr)
+{
+
+	return (nb_dns_host_request2(nd, name, AF_INET, cookie, errstr));
+}
+
+int
+nb_dns_host_request2(register struct nb_dns_info *nd, register const char *name,
+    register int af, register void *cookie, register char *errstr)
+{
+	register int qtype;
+
+	switch (af) {
+
+	case AF_INET:
+		qtype = T_A;
+		break;
+
+#ifdef AF_INET6
+	case AF_INET6:
+		qtype = T_AAAA;
+		break;
+#endif
+
+	default:
+		snprintf(errstr, NB_DNS_ERRSIZE,
+		    "nb_dns_host_request2(): uknown address family %d", af);
+		return (-1);
+	}
+	return (_nb_dns_mkquery(nd, name, af, qtype, cookie, errstr));
+}
+
+int
+nb_dns_addr_request(register struct nb_dns_info *nd, nb_uint32_t addr,
+    register void *cookie, register char *errstr)
+{
+
+	return (nb_dns_addr_request2(nd, (char *)&addr, AF_INET,
+	    cookie, errstr));
+}
+
+int
+nb_dns_addr_request2(register struct nb_dns_info *nd, char *addrp,
+    register int af, register void *cookie, register char *errstr)
+{
+#ifdef AF_INET6
+	register char *cp;
+	register int n, i;
+	register size_t size;
+#endif
+	register u_char *uaddr;
+	char name[NS_MAXDNAME + 1];
+
+	switch (af) {
+
+	case AF_INET:
+		uaddr = (u_char *)addrp;
+		snprintf(name, sizeof(name), "%u.%u.%u.%u.in-addr.arpa",
+		    (uaddr[3] & 0xff),
+		    (uaddr[2] & 0xff),
+		    (uaddr[1] & 0xff),
+		    (uaddr[0] & 0xff));
+		break;
+
+#ifdef AF_INET6
+	case AF_INET6:
+		uaddr = (u_char *)addrp;
+		cp = name;
+		size = sizeof(name);
+		for (n = NS_IN6ADDRSZ - 1; n >= 0; --n) {
+			snprintf(cp, size, "%x.%x.",
+			    (uaddr[n] & 0xf),
+			    (uaddr[n] >> 4) & 0xf);
+			i = strlen(cp);
+			size -= i;
+			cp += i;
+		}
+		snprintf(cp, size, "ip6.int");
+		break;
+#endif
+
+	default:
+		snprintf(errstr, NB_DNS_ERRSIZE,
+		    "nb_dns_addr_request2(): uknown address family %d", af);
+		return (-1);
+	}
+
+	return (_nb_dns_mkquery(nd, name, af, T_PTR, cookie, errstr));
+}
+
+int
+nb_dns_abort_request(struct nb_dns_info *nd, void *cookie)
+{
+	register struct nb_dns_entry *ne, *lastne;
+
+	/* Try to find this request on the outstanding request list */
+	lastne = NULL;
+	for (ne = nd->list; ne != NULL; ne = ne->next) {
+		if (ne->cookie == cookie)
+			break;
+		lastne = ne;
+	}
+
+	/* Not a currently pending request */
+	if (ne == NULL)
+		return (-1);
+
+	/* Unlink this entry */
+	if (lastne == NULL)
+		nd->list = ne->next;
+	else
+		lastne->next = ne->next;
+	ne->next = NULL;
+
+	return (0);
+}
+
+/* Returns 1 with an answer, 0 when reply was old, -1 on fatal errors */
+int
+nb_dns_activity(struct nb_dns_info *nd, struct nb_dns_result *nr, char *errstr)
+{
+	register int msglen, qtype, atype, n, i;
+	register struct nb_dns_entry *ne, *lastne;
+	socklen_t fromlen;
+	struct sockaddr from;
+	u_long msg[MAXPACKET / sizeof(u_long)];
+	register char *bp, *ep;
+	register char **ap, **hap;
+	register u_int16_t id;
+	register const u_char *rdata;
+	register struct hostent *he;
+	register size_t rdlen;
+	ns_msg handle;
+	ns_rr rr;
+
+	/* This comes from the second half of do_query() */
+	fromlen = sizeof(from);
+	msglen = recvfrom(nd->s, (char *)msg, sizeof(msg), 0, &from, &fromlen);
+	if (msglen <= 0) {
+		snprintf(errstr, NB_DNS_ERRSIZE, "recvfrom(): %s",
+		    my_strerror(errno));
+		return (-1);
+	}
+	if (msglen < HFIXEDSZ) {
+		snprintf(errstr, NB_DNS_ERRSIZE, "recvfrom(): undersized: %d",
+		    msglen);
+		return (-1);
+	}
+	if (ns_initparse((u_char *)msg, msglen, &handle) < 0) {
+		snprintf(errstr, NB_DNS_ERRSIZE, "ns_initparse(): %s",
+		    my_strerror(errno));
+		nr->host_errno = NO_RECOVERY;
+		return (-1);
+	}
+
+	/* RES_INSECURE1 style check */
+	if (_nb_dns_cmpsockaddr((struct sockaddr *)&nd->server, &from,
+	    errstr) < 0) {
+		nr->host_errno = NO_RECOVERY;
+		return (-1);
+	}
+
+	/* Search for this request */
+	lastne = NULL;
+	id = ns_msg_id(handle);
+	for (ne = nd->list; ne != NULL; ne = ne->next) {
+		if (ne->id == id)
+			break;
+		lastne = ne;
+	}
+
+	/* Not an answer to a question we care about anymore */
+	if (ne == NULL)
+		return (0);
+
+	/* Unlink this entry */
+	if (lastne == NULL)
+		nd->list = ne->next;
+	else
+		lastne->next = ne->next;
+	ne->next = NULL;
+
+	/* RES_INSECURE2 style check */
+	/* XXX not implemented */
+
+	/* Initialize result struct */
+	memset(nr, 0, sizeof(*nr));
+	nr->cookie = ne->cookie;
+	qtype = ne->qtype;
+
+	/* Deal with various errors */
+	switch (ns_msg_getflag(handle, ns_f_rcode)) {
+
+	case ns_r_nxdomain:
+		nr->host_errno = HOST_NOT_FOUND;
+		free(ne);
+		return (1);
+
+	case ns_r_servfail:
+		nr->host_errno = TRY_AGAIN;
+		free(ne);
+		return (1);
+
+	case ns_r_noerror:
+		break;
+
+	case ns_r_formerr:
+	case ns_r_notimpl:
+	case ns_r_refused:
+	default:
+		nr->host_errno = NO_RECOVERY;
+		free(ne);
+		return (1);
+	}
+
+	/* Loop through records in packet */
+	memset(&rr, 0, sizeof(rr));
+	memset(&nd->dns_hostent, 0, sizeof(nd->dns_hostent));
+	he = &nd->dns_hostent.hostent;
+	/* XXX no support for aliases */
+	he->h_aliases = nd->dns_hostent.host_aliases;
+	he->h_addr_list = nd->dns_hostent.h_addr_ptrs;
+	he->h_addrtype = ne->atype;
+	he->h_length = ne->asize;
+	free(ne);
+
+	bp = nd->dns_hostent.hostbuf;
+	ep = bp + sizeof(nd->dns_hostent.hostbuf);
+	hap = he->h_addr_list;
+	ap = he->h_aliases;
+
+	for (i = 0; i < ns_msg_count(handle, ns_s_an); i++) {
+		/* Parse next record */
+		if (ns_parserr(&handle, ns_s_an, i, &rr) < 0) {
+			if (errno != ENODEV) {
+				nr->host_errno = NO_RECOVERY;
+				return (1);
+			}
+			/* All done */
+			break;
+		}
+
+		/* Ignore records that don't answer our query (e.g. CNAMEs) */
+		atype = ns_rr_type(rr);
+		if (atype != qtype)
+			continue;
+
+		rdata = ns_rr_rdata(rr);
+		rdlen = ns_rr_rdlen(rr);
+		switch (atype) {
+
+		case T_A:
+		case T_AAAA:
+			if (rdlen != (unsigned int) he->h_length) {
+				snprintf(errstr, NB_DNS_ERRSIZE,
+				    "nb_dns_activity(): bad rdlen %d",
+				    (int) rdlen);
+				nr->host_errno = NO_RECOVERY;
+				return (-1);
+			}
+
+			if (bp + rdlen >= ep) {
+				snprintf(errstr, NB_DNS_ERRSIZE,
+				    "nb_dns_activity(): overflow 1");
+				nr->host_errno = NO_RECOVERY;
+				return (-1);
+			}
+			if (nd->dns_hostent.numaddrs + 1 >= MAXADDRS) {
+				snprintf(errstr, NB_DNS_ERRSIZE,
+				    "nb_dns_activity(): overflow 2");
+				nr->host_errno = NO_RECOVERY;
+				return (-1);
+			}
+			memcpy(bp, rdata, rdlen);
+			*hap++ = bp;
+			bp += rdlen;
+			++nd->dns_hostent.numaddrs;
+
+			/* Keep looking for more A records */
+			break;
+
+		case T_PTR:
+			n = dn_expand((const u_char *)msg,
+			    (const u_char *)msg + msglen, rdata, bp, ep - bp);
+			if (n < 0) {
+				/* XXX return -1 here ??? */
+				nr->host_errno = NO_RECOVERY;
+				return (1);
+			}
+			he->h_name = bp;
+			/* XXX check for overflow */
+			bp += n;		/* returned len includes EOS */
+
+			/* "Find first satisfactory answer" */
+			nr->hostent = he;
+			return (1);
+		}
+	}
+
+	nr->hostent = he;
+	return (1);
+}
diff --git a/src/nb_dns.h b/src/nb_dns.h
new file mode 100644
index 0000000000..41b5946e48
--- /dev/null
+++ b/src/nb_dns.h
@@ -0,0 +1,35 @@
+/* @(#) $Id: nb_dns.h 6219 2008-10-01 05:39:07Z vern $ (LBL)
+ *
+ * See the file "COPYING" in the main distribution directory for copyright.
+ */
+
+/* Private data */
+struct nb_dns_info;
+
+/* Public data */
+struct nb_dns_result {
+	void *cookie;
+	int host_errno;
+	struct hostent *hostent;
+};
+
+typedef unsigned int nb_uint32_t;
+
+/* Public routines */
+struct nb_dns_info *nb_dns_init(char *);
+void nb_dns_finish(struct nb_dns_info *);
+
+int nb_dns_fd(struct nb_dns_info *);
+
+int nb_dns_host_request(struct nb_dns_info *, const char *, void *, char *);
+int nb_dns_host_request2(struct nb_dns_info *, const char *, int,
+				void *, char *);
+
+int nb_dns_addr_request(struct nb_dns_info *, nb_uint32_t, void *, char *);
+int nb_dns_addr_request2(struct nb_dns_info *, char *, int, void *, char *);
+
+int nb_dns_abort_request(struct nb_dns_info *, void *);
+
+int nb_dns_activity(struct nb_dns_info *, struct nb_dns_result *, char *);
+
+#define NB_DNS_ERRSIZE 256
diff --git a/src/ncp.pac b/src/ncp.pac
new file mode 100644
index 0000000000..8a3fcf1478
--- /dev/null
+++ b/src/ncp.pac
@@ -0,0 +1,58 @@
+# $Id: ncp.pac 4608 2007-07-05 18:23:58Z vern $
+#
+# Netware Core Protocol
+
+%include bro.pac
+
+analyzer NCP withcontext {};
+
+type ncp_request(length: uint32) = record {
+	data		: uint8[length];
+} &let {
+	function	= length > 0 ? data[0] : 0;
+	subfunction	= length > 1 ? data[1] : 0;
+};
+
+type ncp_reply(length: uint32) = record {
+	completion_code	: uint8;
+	conn_status 	: uint8;
+	data		: uint8[length - 2];
+};
+
+type ncp_frame(is_orig: bool, length: uint32) = record {
+	frame_type	: uint16;
+	seq		: uint8;
+	conn_low	: uint8;
+	task		: uint8;
+	conn_high	: uint8;
+	body		: case is_orig of
+		{
+		true -> request	: ncp_request(body_length);
+		false -> reply	: ncp_reply(body_length);
+		} &requires(body_length);
+} &let {
+	body_length = length - offsetof(body);
+};
+
+type ncp_over_tcpip_req_hdr = record {
+	version		: uint32;
+	reply_buf_size	: uint32;
+};
+
+type ncp_over_tcpip_frame(is_orig: bool) = record {
+	signature	: uint32;
+	length		: uint32;
+	aux		: case is_orig of
+		{
+		true -> aux_req		: ncp_over_tcpip_req_hdr;
+		false -> aux_reply	: empty;
+		};
+	ncp		: ncp_frame(is_orig, length - offsetof(ncp));
+} &byteorder = bigendian,
+  &length = length,
+  &check( ncp.frame_type == 0x1111 ||
+          ncp.frame_type == 0x2222 ||
+          ncp.frame_type == 0x3333 ||
+          ncp.frame_type == 0x5555 ||
+          ncp.frame_type == 0x7777 ||
+          ncp.frame_type == 0x9999 );
diff --git a/src/net_util.cc b/src/net_util.cc
new file mode 100644
index 0000000000..e49d575fa0
--- /dev/null
+++ b/src/net_util.cc
@@ -0,0 +1,375 @@
+// $Id: net_util.cc 6219 2008-10-01 05:39:07Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "config.h"
+
+#ifdef BROv6
+#include <sys/types.h>
+#include <sys/socket.h>
+
+#include <netinet/in.h>
+
+#include <arpa/inet.h>
+#endif
+
+#include "net_util.h"
+
+// - adapted from tcpdump
+// Returns the ones-complement checksum of a chunk of b short-aligned bytes.
+int ones_complement_checksum(const void* p, int b, uint32 sum)
+	{
+	const u_short* sp = (u_short*) p;	// better be aligned!
+
+	b /= 2;	// convert to count of short's
+
+	/* No need for endian conversions. */
+	while ( --b >= 0 )
+		sum += *sp++;
+
+	while ( sum > 0xffff )
+		sum = (sum & 0xffff) + (sum >> 16);
+
+	return sum;
+	}
+
+int tcp_checksum(const struct ip* ip, const struct tcphdr* tp, int len)
+	{
+	// ### Note, this is only correct for IPv4.  This routine is only
+	// used by the connection compressor (which we turn off for IPv6
+	// traffic) and trace rewriting (which currently doesn't support
+	// IPv6 either).
+
+	int tcp_len = tp->th_off * 4 + len;
+	uint32 sum;
+
+	if ( len % 2 == 1 )
+		// Add in pad byte.
+		sum = htons(((const u_char*) tp)[tcp_len - 1] << 8);
+	else
+		sum = 0;
+
+	sum = ones_complement_checksum((void*) &ip->ip_src.s_addr, 4, sum);
+	sum = ones_complement_checksum((void*) &ip->ip_dst.s_addr, 4, sum);
+
+	uint32 addl_pseudo =
+		(htons(IPPROTO_TCP) << 16) | htons((unsigned short) tcp_len);
+
+	sum = ones_complement_checksum((void*) &addl_pseudo, 4, sum);
+	sum = ones_complement_checksum((void*) tp, tcp_len, sum);
+
+	return sum;
+	}
+
+int udp_checksum(const struct ip* ip, const struct udphdr* up, int len)
+	{
+	uint32 sum;
+
+	if ( len % 2 == 1 )
+		// Add in pad byte.
+		sum = htons(((const u_char*) up)[len - 1] << 8);
+	else
+		sum = 0;
+
+	sum = ones_complement_checksum((void*) &ip->ip_src.s_addr, 4, sum);
+	sum = ones_complement_checksum((void*) &ip->ip_dst.s_addr, 4, sum);
+
+	uint32 addl_pseudo =
+		(htons(IPPROTO_UDP) << 16) | htons((unsigned short) len);
+
+	sum = ones_complement_checksum((void*) &addl_pseudo, 4, sum);
+	sum = ones_complement_checksum((void*) up, len, sum);
+
+	return sum;
+	}
+
+#ifdef BROv6
+int udp6_checksum(const struct ip6_hdr* ip6, const struct udphdr* up, int len)
+	{
+	uint32 sum;
+
+	if ( len % 2 == 1 )
+		// Add in pad byte.
+		sum = htons(((const u_char*) up)[len - 1] << 8);
+	else
+		sum = 0;
+
+	sum = ones_complement_checksum((void*) ip6->ip6_src.s6_addr, 16, sum);
+	sum = ones_complement_checksum((void*) ip6->ip6_dst.s6_addr, 16, sum);
+
+	sum = ones_complement_checksum((void*) &len, 4, sum);
+	uint32 addl_pseudo = htons(IPPROTO_UDP);
+	sum = ones_complement_checksum((void*) &addl_pseudo, 4, sum);
+	sum = ones_complement_checksum((void*) up, len, sum);
+
+	return sum;
+	}
+#endif
+
+int icmp_checksum(const struct icmp* icmpp, int len)
+	{
+	uint32 sum;
+
+	if ( len % 2 == 1 )
+		// Add in pad byte.
+		sum = htons(((const u_char*) icmpp)[len - 1] << 8);
+	else
+		sum = 0;
+
+	sum = ones_complement_checksum((void*) icmpp, len, sum);
+
+	return sum;
+	}
+
+
+#define CLASS_A 0x00000000
+#define CLASS_B 0x80000000
+#define CLASS_C 0xc0000000
+#define CLASS_D 0xe0000000
+#define CLASS_E 0xf0000000
+
+#define CHECK_CLASS(addr,class) (((addr) & (class)) == (class))
+char addr_to_class(uint32 addr)
+	{
+	if ( CHECK_CLASS(addr, CLASS_E) )
+		return 'E';
+	else if ( CHECK_CLASS(addr, CLASS_D) )
+		return 'D';
+	else if ( CHECK_CLASS(addr, CLASS_C) )
+		return 'C';
+	else if ( CHECK_CLASS(addr, CLASS_B) )
+		return 'B';
+	else
+		return 'A';
+	}
+
+uint32 addr_to_net(uint32 addr)
+	{
+	if ( CHECK_CLASS(addr, CLASS_D) )
+		; // class D's are left alone ###
+	else if ( CHECK_CLASS(addr, CLASS_C) )
+		addr = addr & 0xffffff00;
+	else if ( CHECK_CLASS(addr, CLASS_B) )
+		addr = addr & 0xffff0000;
+	else
+		addr = addr & 0xff000000;
+
+	return addr;
+	}
+
+const char* dotted_addr(uint32 addr, int alternative)
+	{
+	addr = ntohl(addr);
+	const char* fmt = alternative ? "%d,%d.%d.%d" : "%d.%d.%d.%d";
+
+	static char buf[32];
+	snprintf(buf, sizeof(buf), fmt,
+		addr >> 24, (addr >> 16) & 0xff,
+		(addr >> 8) & 0xff, addr & 0xff);
+
+	return buf;
+	}
+
+const char* dotted_addr(const uint32* addr, int alternative)
+	{
+#ifdef BROv6
+	if ( is_v4_addr(addr) )
+		return dotted_addr(addr[3], alternative);
+
+	static char buf[256];
+
+	if ( inet_ntop(AF_INET6, addr, buf, sizeof buf) == NULL )
+		return "<bad IPv6 address conversion>";
+
+	return buf;
+
+#else
+	return dotted_addr(to_v4_addr(addr), alternative);
+#endif
+	}
+
+const char* dotted_net(uint32 addr)
+	{
+	addr = ntohl(addr);
+
+	static char buf[32];
+
+	if ( CHECK_CLASS(addr, CLASS_D) )
+		sprintf(buf, "%d.%d.%d.%d",
+			addr >> 24, (addr >> 16) & 0xff,
+			(addr >> 8) & 0xff, addr & 0xff);
+
+	else if ( CHECK_CLASS(addr, CLASS_C) )
+		sprintf(buf, "%d.%d.%d",
+			addr >> 24, (addr >> 16) & 0xff, (addr >> 8) & 0xff);
+
+	else
+		// Same for class A's and B's.
+		sprintf(buf, "%d.%d", addr >> 24, (addr >> 16) & 0xff);
+
+	return buf;
+	}
+
+#ifdef BROv6
+const char* dotted_net6(const uint32* addr)
+	{
+	if ( is_v4_addr(addr) )
+		return dotted_net(to_v4_addr(addr));
+	else
+		// ### this isn't right, but net's should go away eventually ...
+		return dotted_addr(addr);
+	}
+#endif
+
+uint32 dotted_to_addr(const char* addr_text)
+	{
+	int addr[4];
+
+	if ( sscanf(addr_text,
+		    "%d.%d.%d.%d", addr+0, addr+1, addr+2, addr+3) != 4 )
+		{
+		error("bad dotted address:", addr_text );
+		return 0;
+		}
+
+	if ( addr[0] < 0 || addr[1] < 0 || addr[2] < 0 || addr[3] < 0 ||
+	     addr[0] > 255 || addr[1] > 255 || addr[2] > 255 || addr[3] > 255 )
+		{
+		error("bad dotted address:", addr_text);
+		return 0;
+		}
+
+	uint32 a = (addr[0] << 24) | (addr[1] << 16) | (addr[2] << 8) | addr[3];
+
+	// ### perhaps do gethostbyaddr here?
+
+	return uint32(htonl(a));
+	}
+
+#ifdef BROv6
+uint32* dotted_to_addr6(const char* addr_text)
+	{
+	uint32* addr = new uint32[4];
+	if ( inet_pton(AF_INET6, addr_text, addr) <= 0 )
+		{
+		error("bad IPv6 address:", addr_text );
+		addr[0] = addr[1] = addr[2] = addr[3] = 0;
+		}
+
+	return addr;
+	}
+
+#endif
+
+#ifdef BROv6
+int is_v4_addr(const uint32 addr[4])
+	{
+	return addr[0] == 0 && addr[1] == 0 && addr[2] == 0;
+	}
+#endif
+
+uint32 to_v4_addr(const uint32* addr)
+	{
+#ifdef BROv6
+	if ( ! is_v4_addr(addr) )
+		internal_error("conversion of non-IPv4 address to IPv4 address");
+	return addr[3];
+#else
+	return addr[0];
+#endif
+	}
+
+uint32 mask_addr(uint32 a, uint32 top_bits_to_keep)
+	{
+	if ( top_bits_to_keep > 32 )
+		{
+		error("bad address mask value", top_bits_to_keep);
+		return a;
+		}
+
+	if ( top_bits_to_keep == 0 )
+		// The shifts below don't have any effect with 0, i.e.,
+		// 1 << 32 does not yield 0; either due to compiler
+		// misoptimization or language semantics.
+		return 0;
+
+	uint32 addr = ntohl(a);
+
+	int shift = 32 - top_bits_to_keep;
+	addr >>= shift;
+	addr <<= shift;
+
+	return htonl(addr);
+	}
+
+const uint32* mask_addr(const uint32* a, uint32 top_bits_to_keep)
+	{
+#ifdef BROv6
+	static uint32 addr[4];
+
+	addr[0] = a[0];
+	addr[1] = a[1];
+	addr[2] = a[2];
+	addr[3] = a[3];
+
+	// This is a bit dicey: if it's a v4 address, then we interpret
+	// the mask as being with respect to 32 bits total, even though
+	// strictly speaking, the v4 address comprises the least-significant
+	// bits out of 128, rather than the most significant.  However,
+	// we only do this if the mask itself is consistent for a 32-bit
+	// address.
+	uint32 max_bits = (is_v4_addr(a) && top_bits_to_keep <= 32) ? 32 : 128;
+
+	if ( top_bits_to_keep == 0 || top_bits_to_keep > max_bits )
+		{
+		error("bad address mask value", top_bits_to_keep);
+		return addr;
+		}
+
+	int word = 3;	// start zeroing out with word #3
+	int bits_to_chop = max_bits - top_bits_to_keep;	// bits to discard
+	while ( bits_to_chop >= 32 )
+		{ // there's an entire word to discard
+		addr[word] = 0;
+		--word;	// move on to next, more significant word
+		bits_to_chop -= 32;	// we just go rid of 32 bits
+		}
+
+	// All that's left to work with now is the word pointed to by "word".
+	uint32 addr32 = ntohl(addr[word]);
+	addr32 >>= bits_to_chop;
+	addr32 <<= bits_to_chop;
+	addr[word] = htonl(addr32);
+
+	return addr;
+#else
+	return a;
+#endif
+	}
+
+const char* fmt_conn_id(const uint32* src_addr, uint32 src_port,
+			const uint32* dst_addr, uint32 dst_port)
+	{
+	char addr1[128], addr2[128];
+	static char buffer[512];
+
+	strcpy(addr1, dotted_addr(src_addr));
+	strcpy(addr2, dotted_addr(dst_addr));
+
+	safe_snprintf(buffer, sizeof(buffer), "%s:%d > %s:%d",
+			addr1, src_port, addr2, dst_port);
+
+	return buffer;
+	}
+
+uint32 extract_uint32(const u_char* data)
+	{
+	uint32 val;
+
+	val = data[0] << 24;
+	val |= data[1] << 16;
+	val |= data[2] << 8;
+	val |= data[3];
+
+	return val;
+	}
diff --git a/src/net_util.h b/src/net_util.h
new file mode 100644
index 0000000000..4628fa0014
--- /dev/null
+++ b/src/net_util.h
@@ -0,0 +1,207 @@
+// $Id: net_util.h 6219 2008-10-01 05:39:07Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#ifndef netutil_h
+#define netutil_h
+
+#include "config.h"
+
+#include <assert.h>
+#include <sys/types.h>
+
+#include <netinet/in.h>
+#include <netinet/in_systm.h>
+#include <arpa/inet.h>
+
+#ifdef LINUX
+	/* sigh */
+#define source uh_sport 
+#define dest uh_dport 
+#define len uh_ulen   
+#define check uh_sum
+#endif
+
+#include <netinet/ip.h>
+#include <netinet/tcp.h>
+#include <netinet/udp.h>
+#include <netinet/ip_icmp.h>
+
+#include "util.h"
+
+#ifdef HAVE_NETINET_IP6_H
+#include <netinet/ip6.h>
+#else
+struct ip6_hdr {
+	uint16		ip6_plen;
+	uint8		ip6_nxt;
+	uint8		ip6_hlim;
+};
+#endif
+
+#include "util.h"
+
+#ifdef BROv6
+typedef uint32* addr_type;	// a pointer to 4 uint32's
+typedef const uint32* const_addr_type;
+#define NUM_ADDR_WORDS 4
+
+typedef struct {
+	uint32 net[4];
+	uint32 width;
+} subnet_type;
+
+#else
+typedef uint32 addr_type;
+typedef const uint32 const_addr_type;
+#define NUM_ADDR_WORDS 1
+
+typedef struct {
+	uint32 net;
+	uint32 width;
+} subnet_type;
+
+#endif
+
+// For Solaris.
+#if !defined(TCPOPT_WINDOW) && defined(TCPOPT_WSCALE)
+#define	TCPOPT_WINDOW TCPOPT_WSCALE
+#endif
+
+#if !defined(TCPOPT_TIMESTAMP) && defined(TCPOPT_TSTAMP)
+#define	TCPOPT_TIMESTAMP TCPOPT_TSTAMP
+#endif
+
+// True if sequence # a is between b and c (b <= a <= c).  It must be true
+// that b <= c in the sequence space.
+inline int seq_between(uint32 a, uint32 b, uint32 c)
+	{
+	if ( b <= c )
+		return a >= b && a <= c;
+	else
+		return a >= b || a <= c;
+	}
+
+// Returns a - b, adjusted for sequence wraparound.
+inline int seq_delta(uint32 a, uint32 b)
+	{
+	return int(a-b);
+	}
+
+// Returns the ones-complement checksum of a chunk of b short-aligned bytes.
+extern int ones_complement_checksum(const void* p, int b, uint32 sum);
+
+extern int tcp_checksum(const struct ip* ip, const struct tcphdr* tp, int len);
+extern int udp_checksum(const struct ip* ip, const struct udphdr* up, int len);
+#ifdef BROv6
+extern int udp6_checksum(const struct ip6_hdr* ip, const struct udphdr* up,
+				int len);
+#endif
+extern int icmp_checksum(const struct icmp* icmpp, int len);
+
+// Given an address in host order, returns its "classical network prefix",
+// also in host order.
+extern uint32 addr_to_net(uint32 addr);
+// Returns 'A', 'B', 'C' or 'D'
+extern char addr_to_class(uint32 addr);
+
+// Returns a pointer to static storage giving the ASCII dotted representation
+// of the given address, which should be passed in network order.
+extern const char* dotted_addr(uint32 addr, int alternative=0);
+extern const char* dotted_addr(const uint32* addr, int alternative=0);
+
+// Same, but for the network prefix.
+extern const char* dotted_net(uint32 addr);
+extern const char* dotted_net6(const uint32* addr);
+
+// Given an ASCII dotted representation, returns the corresponding address
+// in network order.
+extern uint32 dotted_to_addr(const char* addr_text);
+extern uint32* dotted_to_addr6(const char* addr_text);
+
+extern int is_v4_addr(const uint32 addr[4]);
+extern uint32 to_v4_addr(const uint32* addr);
+
+extern uint32 mask_addr(uint32 a, uint32 top_bits_to_keep);
+extern const uint32* mask_addr(const uint32* a, uint32 top_bits_to_keep);
+
+extern const char* fmt_conn_id(const uint32* src_addr, uint32 src_port,
+				const uint32* dst_addr, uint32 dst_port);
+
+inline void copy_addr(const uint32* src_a, uint32* dst_a)
+	{
+#ifdef BROv6
+	dst_a[0] = src_a[0];
+	dst_a[1] = src_a[1];
+	dst_a[2] = src_a[2];
+	dst_a[3] = src_a[3];
+#else
+	dst_a[0] = src_a[0];
+#endif
+	}
+
+inline int addr_eq(const uint32* a1, const uint32* a2)
+	{
+#ifdef BROv6
+	return a1[0] == a2[0] &&
+		a1[1] == a2[1] &&
+		a1[2] == a2[2] &&
+		a1[3] == a2[3];
+#else
+	return a1[0] == a2[0];
+#endif
+	}
+
+inline int subnet_eq(const subnet_type* s1, const subnet_type* s2)
+	{
+#ifdef BROv6
+	return s1->net[0] == s2->net[0] &&
+		s1->net[1] == s2->net[1] &&
+		s1->net[2] == s2->net[2] &&
+		s1->net[3] == s2->net[3] &&
+		s1->width == s2->width;
+#else
+	return s1->net == s2->net && s1->width == s2->width;
+#endif
+	}
+
+// Read 4 bytes from data and return in network order.
+extern uint32 extract_uint32(const u_char* data);
+
+// Endian conversions for double.
+// This is certainly not a very clean solution but should work on the
+// major platforms. Alternativly, we could use a string format or the
+// XDR library.
+
+#ifdef WORDS_BIGENDIAN
+
+inline double ntohd(double d)	{ return d; }
+inline double htond(double d)	{ return d; }
+
+#else
+
+inline double ntohd(double d)
+	{
+	assert(sizeof(d) == 8);
+
+	double tmp;
+	char* src = (char*) &d;
+	char* dst = (char*) &tmp;
+
+	dst[0] = src[7];
+	dst[1] = src[6];
+	dst[2] = src[5];
+	dst[3] = src[4];
+	dst[4] = src[3];
+	dst[5] = src[2];
+	dst[6] = src[1];
+	dst[7] = src[0];
+
+	return tmp;
+	}
+
+inline double htond(double d) { return ntohd(d); }
+
+#endif
+
+#endif
diff --git a/src/netflow-analyzer.pac b/src/netflow-analyzer.pac
new file mode 100644
index 0000000000..68de4d4a4e
--- /dev/null
+++ b/src/netflow-analyzer.pac
@@ -0,0 +1,172 @@
+# $Id:$
+# Code written by Bernhard Ager (2007).
+
+analyzer NetFlow withcontext {
+	analyzer:	NetFlow_Analyzer;
+	flow:		NetFlow_Flow;
+}
+
+analyzer NetFlow_Analyzer {
+	downflow = NetFlow_Flow;
+	upflow = NetFlow_Flow;
+};
+
+flow NetFlow_Flow {
+	datagram = NetFlowPacket withcontext(connection, this);
+
+	%member{
+		RecordType* nf_v5_header_type;
+		RecordType* nf_v5_record_type;
+		RecordType* nfheader_id_type;
+		char* identifier;
+		uint32 exporter_ip;
+		uint32 uptime;
+		double export_time;
+		bro_uint_t pdu_id;
+	%}
+
+	%init{
+		nf_v5_header_type =
+			internal_type("nf_v5_header")->AsRecordType();
+		nf_v5_record_type =
+			internal_type("nf_v5_record")->AsRecordType();
+		nfheader_id_type =
+			internal_type("nfheader_id")->AsRecordType();
+		pdu_id = 0;
+		identifier = NULL;
+	%}
+
+	# %cleanup does not only put the cleanup code into the destructor,
+	# but also at the end of the catch clause in NewData().  This is
+	# different from the documentation at
+	# http://www.bro-ids.org/wiki/index.php/BinPAC_Userguide#.25cleanup.7B....25.7D
+	#
+	# Unfortunately this means that we cannot clean up the identifier
+	# string.  Note that IOSource destructors seemingly are never
+	# called anyway.
+	#
+	#    %cleanup{
+	#	delete[] identifier;
+	#    %}
+
+	function set_exporter_ip(exporter_ip: uint32): bool
+		%{
+		this->exporter_ip = exporter_ip;
+		return true;
+		%}
+
+	function set_identifier(idf: const_charptr): bool
+		%{
+		if ( identifier )
+			delete[] identifier;
+		identifier = new char[strlen(idf) + 1];
+		strcpy(identifier, idf);
+		return true;
+		%}
+
+	function deliver_v5_header(count: uint16, sysuptime: uint32,
+				unix_secs: uint32, unix_nsecs: uint32,
+				flow_seq: uint32, eng_type: uint8,
+				eng_id: uint8, sample_int: uint16): bool
+		%{
+		uptime = sysuptime;
+		export_time = unix_secs + unix_nsecs / 1e9;
+		++pdu_id;
+
+		if ( ! ::netflow_v5_header )
+			return false;
+
+		RecordVal* nfheader = new RecordVal(nfheader_id_type);
+		nfheader->Assign(0, new StringVal(identifier));
+		nfheader->Assign(1, new Val(pdu_id, TYPE_COUNT));
+
+		RecordVal* v5header = new RecordVal(nf_v5_header_type);
+		v5header->Assign(0, nfheader);
+		v5header->Assign(1, new Val(count, TYPE_COUNT));
+		v5header->Assign(2, new IntervalVal(sysuptime, Milliseconds));
+		v5header->Assign(3, new Val(export_time, TYPE_TIME));
+		v5header->Assign(4, new Val(flow_seq, TYPE_COUNT));
+		v5header->Assign(5, new Val(eng_type, TYPE_COUNT));
+		v5header->Assign(6, new Val(eng_id, TYPE_COUNT));
+		v5header->Assign(7, new Val(sample_int, TYPE_COUNT));
+		v5header->Assign(8, new AddrVal(exporter_ip));
+
+		val_list* vl = new val_list;
+		vl->append(v5header);
+		mgr.QueueEvent(netflow_v5_header, vl);
+
+		return true;
+		%}
+
+	function deliver_v5_record(srcaddr: uint32, dstaddr: uint32,
+				nexthop: uint32, input: uint16, output: uint16,
+				dPkts: uint32, dOctets: uint32,
+				first: uint32, last: uint32,
+				srcport: uint16, dstport: uint16,
+				tcp_flags: uint8, prot: uint8, tos: uint8,
+				src_as: uint16, dst_as: uint16,
+				src_mask: uint8, dst_mask: uint8): bool
+		%{
+		if ( ! ::netflow_v5_record )
+			return false;
+
+		TransportProto proto = TRANSPORT_UNKNOWN;
+		switch ( prot ) {
+		case 1: proto = TRANSPORT_ICMP; break;
+		case 6: proto = TRANSPORT_TCP; break;
+		case 17: proto = TRANSPORT_UDP; break;
+		}
+
+		RecordVal* connid = new RecordVal(conn_id);
+		connid->Assign(0, new AddrVal(htonl(srcaddr)));
+		connid->Assign(1, new PortVal(srcport, proto));
+		connid->Assign(2, new AddrVal(htonl(dstaddr)));
+		connid->Assign(3, new PortVal(dstport, proto));
+
+		RecordVal* nfheader = new RecordVal(nfheader_id_type);
+		nfheader->Assign(0, new StringVal(identifier));
+		nfheader->Assign(1, new Val(pdu_id, TYPE_COUNT));
+
+		RecordVal* v5record = new RecordVal(nf_v5_record_type);
+		v5record->Assign(0, nfheader);
+		v5record->Assign(1, connid);
+		v5record->Assign(2, new AddrVal(htonl(nexthop)));
+		v5record->Assign(3, new Val(input, TYPE_COUNT));
+		v5record->Assign(4, new Val(output, TYPE_COUNT));
+		v5record->Assign(5, new Val(dPkts, TYPE_COUNT));
+		v5record->Assign(6, new Val(dOctets, TYPE_COUNT));
+
+		// Overflows are handled correctly by using 32 bit
+		// unsigned integer arithmetic.
+		double c_first = export_time - (uptime - first) * Milliseconds;
+		double c_last = export_time - (uptime - last) * Milliseconds;
+		v5record->Assign(7, new Val(c_first, TYPE_TIME));
+		v5record->Assign(8, new Val(c_last, TYPE_TIME));
+
+		v5record->Assign(9,
+			new Val((tcp_flags & TH_FIN) != 0, TYPE_BOOL));
+		v5record->Assign(10,
+			new Val((tcp_flags & TH_SYN) != 0, TYPE_BOOL));
+		v5record->Assign(11,
+			new Val((tcp_flags & TH_RST) != 0, TYPE_BOOL));
+		v5record->Assign(12,
+			new Val((tcp_flags & TH_PUSH) != 0, TYPE_BOOL));
+		v5record->Assign(13,
+			new Val((tcp_flags & TH_ACK) != 0, TYPE_BOOL));
+		v5record->Assign(14,
+			new Val((tcp_flags & TH_URG) != 0, TYPE_BOOL));
+
+		v5record->Assign(15, new Val(prot, TYPE_COUNT));
+		v5record->Assign(16, new Val(tos, TYPE_COUNT));
+		v5record->Assign(17, new Val(src_as, TYPE_COUNT));
+		v5record->Assign(18, new Val(dst_as, TYPE_COUNT));
+		v5record->Assign(19, new Val(src_mask, TYPE_COUNT));
+		v5record->Assign(20, new Val(dst_mask, TYPE_COUNT));
+
+		val_list* vl = new val_list;
+		vl->append(v5record);
+		mgr.QueueEvent(netflow_v5_record, vl);
+
+		return true;
+		%}
+	};
diff --git a/src/netflow-protocol.pac b/src/netflow-protocol.pac
new file mode 100644
index 0000000000..7d106aed34
--- /dev/null
+++ b/src/netflow-protocol.pac
@@ -0,0 +1,90 @@
+# $Id:$
+# Code written by Bernhard Ager (2007).
+
+type NetFlowPacket = record {
+	# Count and version are the first two fields, at least for
+	# versions 1, 5, 7, 8 and 9.
+	version: uint16;
+
+	# This does not generate any code in current binpac.
+	count: uint16 &check(count <= 30);
+
+	header: NFHeader(version, count);
+	records: NFRecord(version)[count];
+} &byteorder = bigendian;
+
+type NFHeader(version: uint16, count: uint16) = case version of {
+	5 -> v5header: NFv5HeaderRest(count);
+	9 -> v9header: NFv9HeaderRest(count);
+	# default -> string: bytestring &restofdata &transient;
+};
+
+type NFv5HeaderRest(count: uint16) = record {
+	sysuptime: uint32;
+	unix_secs: uint32;
+	unix_nsecs: uint32;
+	flow_seq: uint32;
+	eng_type: uint8;
+	eng_id: uint8;
+	sample_int: uint16;
+} &let {
+	delivered: bool =
+		$context.flow.deliver_v5_header(count, sysuptime,
+					     unix_secs, unix_nsecs,
+					     flow_seq, eng_type,
+					     eng_id, sample_int);
+};
+
+type NFv9HeaderRest(count: uint16) = record {
+	sysuptime: uint32;
+	unix_secs: uint32;
+	pack_seq: uint32;
+	src_id: uint32;
+};
+
+# We only handle version 5 and 9.  Others will throw a parsing exception.
+type NFRecord(nf_version: uint32) = case nf_version of {
+	5 -> v5: NFv5Record;
+	9 -> v9: NFv9Record;
+};
+
+type NFv5Record = record {
+	srcaddr: uint32;
+	dstaddr: uint32;
+	nexthop: uint32;
+	input: uint16;
+	output: uint16;
+	dPkts: uint32;
+	dOctets: uint32;
+	first: uint32;
+	last: uint32;
+	srcport: uint16;
+	dstport: uint16;
+	: uint8;      # PAD1
+	tcp_flags: uint8;
+	prot: uint8;
+	tos: uint8;
+	src_as: uint16;
+	dst_as: uint16;
+	src_mask: uint8;
+	dst_mask: uint8;
+	: uint16;     # PAD2
+} &let {
+	delivered: bool =
+		$context.flow.deliver_v5_record(srcaddr, dstaddr,
+					      nexthop, input, output,
+					      dPkts, dOctets, first,
+					      last, srcport, dstport,
+					      tcp_flags, prot, tos,
+					      src_as, dst_as,
+					      src_mask, dst_mask);
+};
+
+# Works for both template and data flow sets.  Data parsing will have
+# to be done externally - no event generation yet.  We need sample
+# flow data to implement that.
+type NFv9Record = record {
+	flowset_id: uint32;
+	length: uint32;
+	data: bytestring &length = length - 8;
+};
diff --git a/src/netflow.pac b/src/netflow.pac
new file mode 100644
index 0000000000..8d1e87a1f9
--- /dev/null
+++ b/src/netflow.pac
@@ -0,0 +1,11 @@
+# $Id:$
+# Code written by Bernhard Ager (2007).
+
+%extern{
+#include "Event.h"
+extern RecordType* conn_id;
+%}
+
+%include bro.pac
+%include netflow-analyzer.pac
+%include netflow-protocol.pac
diff --git a/src/parse.in b/src/parse.in
new file mode 100644
index 0000000000..b0bb39f0ea
--- /dev/null
+++ b/src/parse.in
@@ -0,0 +1,1308 @@
+%{
+// $Id: parse.in 6688 2009-04-16 22:44:55Z vern $
+// See the file "COPYING" in the main distribution directory for copyright.
+%}
+
+%token TOK_ADD TOK_ADD_TO TOK_ADDR TOK_ALARM TOK_ANY
+%token TOK_ATENDIF TOK_ATELSE TOK_ATIF TOK_ATIFDEF TOK_ATIFNDEF
+%token TOK_BOOL TOK_BREAK TOK_CASE TOK_CONST
+%token TOK_CONSTANT TOK_COPY TOK_COUNT TOK_COUNTER TOK_DEFAULT TOK_DELETE
+%token TOK_DOUBLE TOK_ELSE TOK_ENUM TOK_EVENT TOK_EXPORT TOK_FILE TOK_FOR
+%token TOK_FUNCTION TOK_GLOBAL TOK_GLOBAL_ATTR TOK_ID TOK_IF TOK_INT
+%token TOK_INTERVAL TOK_LIST TOK_LOCAL TOK_MODULE TOK_MATCH TOK_NET
+%token TOK_NEXT TOK_OF TOK_PATTERN TOK_PATTERN_TEXT
+%token TOK_PORT TOK_PRINT TOK_RECORD TOK_REDEF
+%token TOK_REMOVE_FROM TOK_RETURN TOK_SCHEDULE TOK_SET
+%token TOK_STRING TOK_SUBNET TOK_SWITCH TOK_TABLE TOK_THIS
+%token TOK_TIME TOK_TIMEOUT TOK_TIMER TOK_TYPE TOK_UNION TOK_VECTOR TOK_WHEN
+
+%token TOK_ATTR_ADD_FUNC TOK_ATTR_ATTR TOK_ATTR_ENCRYPT TOK_ATTR_DEFAULT
+%token TOK_ATTR_OPTIONAL TOK_ATTR_REDEF TOK_ATTR_ROTATE_INTERVAL
+%token TOK_ATTR_ROTATE_SIZE TOK_ATTR_DEL_FUNC TOK_ATTR_EXPIRE_FUNC
+%token TOK_ATTR_EXPIRE_CREATE TOK_ATTR_EXPIRE_READ TOK_ATTR_EXPIRE_WRITE
+%token TOK_ATTR_PERSISTENT TOK_ATTR_SYNCHRONIZED
+%token TOK_ATTR_DISABLE_PRINT_HOOK TOK_ATTR_RAW_OUTPUT TOK_ATTR_MERGEABLE
+%token TOK_ATTR_PRIORITY TOK_ATTR_GROUP
+
+%token TOK_DEBUG
+
+%left ',' '|'
+%right '=' TOK_ADD_TO TOK_REMOVE_FROM
+%right '?' ':' TOK_USING
+%left TOK_OR
+%left TOK_AND
+%nonassoc '<' '>' TOK_LE TOK_GE TOK_EQ TOK_NE
+%left TOK_IN TOK_NOT_IN
+%left '+' '-'
+%left '*' '/' '%'
+%left TOK_INCR TOK_DECR
+%right '!'
+%left '$' '[' ']' '(' ')' TOK_HAS_FIELD TOK_HAS_ATTR
+
+%type <str> TOK_ID TOK_PATTERN_TEXT single_pattern
+%type <id> local_id global_id event_id global_or_event_id resolve_id begin_func
+%type <id_l> local_id_list
+%type <ic> init_class
+%type <expr> opt_init
+%type <val> TOK_CONSTANT
+%type <re> pattern
+%type <expr> expr init anonymous_function
+%type <event_expr> event
+%type <stmt> stmt stmt_list func_body for_head
+%type <type> type opt_type refined_type enum_id_list
+%type <func_type> func_hdr func_params
+%type <type_l> type_list
+%type <type_decl> type_decl formal_args_decl
+%type <type_decl_l> type_decl_list formal_args_decl_list opt_attr_attr
+%type <record> formal_args
+%type <list> expr_list opt_expr_list
+%type <c_case> case
+%type <case_l> case_list
+%type <attr> attr
+%type <attr_l> attr_list opt_attr
+
+%{
+#include <stdlib.h>
+#include <string.h>
+#include <assert.h>
+
+#include "input.h"
+#include "Expr.h"
+#include "Stmt.h"
+#include "Var.h"
+#include "DNS.h"
+#include "RE.h"
+#include "Scope.h"
+
+YYLTYPE GetCurrentLocation();
+extern int yyerror(const char[]);
+extern int brolex();
+
+#define YYLLOC_DEFAULT(Current, Rhs, N) \
+	(Current) = (Rhs)[(N)];
+
+/*
+ * Part of the module facility: while parsing, keep track of which
+ * module to put things in.
+ */
+string current_module = GLOBAL_MODULE_NAME;
+bool is_export = false; // true if in an export {} block
+
+/*
+ * When parsing an expression for the debugger, where to put the result
+ * (obviously not reentrant).
+ */
+extern Expr* g_curr_debug_expr;
+
+#define YYLTYPE yyltype
+
+Expr* bro_this = 0;
+int in_init = 0;
+bool in_debug = false;
+bool resolving_global_ID = false;
+
+ID* func_id = 0;
+%}
+
+%union {
+	char* str;
+	ID* id;
+	id_list* id_l;
+	init_class ic;
+	Val* val;
+	RE_Matcher* re;
+	Expr* expr;
+	CallExpr* call_expr;
+	EventExpr* event_expr;
+	Stmt* stmt;
+	ListExpr* list;
+	BroType* type;
+	RecordType* record;
+	FuncType* func_type;
+	TypeList* type_l;
+	TypeDecl* type_decl;
+	type_decl_list* type_decl_l;
+	Case* c_case;
+	case_list* case_l;
+	Attr* attr;
+	attr_list* attr_l;
+	attr_tag attrtag;
+}
+
+%%
+
+bro:
+		decl_list stmt_list
+			{
+			if ( optimize )
+				$2 = $2->Simplify();
+
+			if ( stmts )
+				stmts->AsStmtList()->Stmts().append($2);
+			else
+				stmts = $2;
+
+			// Any objects creates from hereon out should not
+			// have file positions associated with them.
+			set_location(no_location);
+			}
+	|
+		/* Silly way of allowing the debugger to call yyparse()
+		 * on an expr rather than a file.
+		 */
+		TOK_DEBUG { in_debug = true; } expr
+			{
+			g_curr_debug_expr = $3;
+			in_debug = false;
+			}
+	;
+
+decl_list:
+		decl_list decl
+	|
+	;
+
+expr:
+		'(' expr ')'
+			{
+			set_location(@1, @3);
+			$$ = $2; $$->MarkParen();
+			}
+
+	|	TOK_COPY '(' expr ')'
+			{
+			set_location(@1, @4);
+			$$ = new CloneExpr($3);
+			}
+
+	|	TOK_INCR expr
+			{
+			set_location(@1, @2);
+			$$ = new IncrExpr(EXPR_INCR, $2);
+			}
+
+	|	TOK_DECR expr
+			{
+			set_location(@1, @2);
+			$$ = new IncrExpr(EXPR_DECR, $2);
+			}
+
+	|	'!' expr
+			{
+			set_location(@1, @2);
+			$$ = new NotExpr($2);
+			}
+
+	|	'-' expr	%prec '!'
+			{
+			set_location(@1, @2);
+			$$ = new NegExpr($2);
+			}
+
+	|	'+' expr	%prec '!'
+			{
+			set_location(@1, @2);
+			$$ = new PosExpr($2);
+			}
+
+	|	expr '+' expr
+			{
+			set_location(@1, @3);
+			$$ = new AddExpr($1, $3);
+			}
+
+	|	expr TOK_ADD_TO expr
+			{
+			set_location(@1, @3);
+			$$ = new AddToExpr($1, $3);
+			}
+
+	|	expr '-' expr
+			{
+			set_location(@1, @3);
+			$$ = new SubExpr($1, $3);
+			}
+
+	|	expr TOK_REMOVE_FROM expr
+			{
+			set_location(@1, @3);
+			$$ = new RemoveFromExpr($1, $3);
+			}
+
+	|	expr '*' expr
+			{
+			set_location(@1, @3);
+			$$ = new TimesExpr($1, $3);
+			}
+
+	|	expr '/' expr
+			{
+			set_location(@1, @3);
+			$$ = new DivideExpr($1, $3);
+			}
+
+	|	expr '%' expr
+			{
+			set_location(@1, @3);
+			$$ = new ModExpr($1, $3);
+			}
+
+	|	expr TOK_AND expr
+			{
+			set_location(@1, @3);
+			$$ = new BoolExpr(EXPR_AND, $1, $3);
+			}
+
+	|	expr TOK_OR expr
+			{
+			set_location(@1, @3);
+			$$ = new BoolExpr(EXPR_OR, $1, $3);
+			}
+
+	|	expr TOK_EQ expr
+			{
+			set_location(@1, @3);
+			$$ = new EqExpr(EXPR_EQ, $1, $3);
+			}
+
+	|	expr TOK_NE expr
+			{
+			set_location(@1, @3);
+			$$ = new EqExpr(EXPR_NE, $1, $3);
+			}
+
+	|	expr '<' expr
+			{
+			set_location(@1, @3);
+			$$ = new RelExpr(EXPR_LT, $1, $3);
+			}
+
+	|	expr TOK_LE expr
+			{
+			set_location(@1, @3);
+			$$ = new RelExpr(EXPR_LE, $1, $3);
+			}
+
+	|	expr '>' expr
+			{
+			set_location(@1, @3);
+			$$ = new RelExpr(EXPR_GT, $1, $3);
+			}
+
+	|	expr TOK_GE expr
+			{
+			set_location(@1, @3);
+			$$ = new RelExpr(EXPR_GE, $1, $3);
+			}
+
+	|	expr '?' expr ':' expr
+			{
+			set_location(@1, @5);
+			$$ = new CondExpr($1, $3, $5);
+			}
+
+	|	expr '=' expr
+			{
+			set_location(@1, @3);
+			$$ = get_assign_expr($1, $3, in_init);
+			}
+
+	|	TOK_LOCAL local_id '=' expr
+			{
+			set_location(@2, @4);
+			$$ = add_and_assign_local($2, $4, new Val(1, TYPE_BOOL));
+			}
+
+	|	expr '[' expr_list ']'
+			{
+			set_location(@1, @4);
+			$$ = new IndexExpr($1, $3);
+			}
+
+	|	expr '$' TOK_ID
+			{
+			set_location(@1, @3);
+			$$ = new FieldExpr($1, $3);
+			}
+
+	|	'$' TOK_ID '=' expr
+			{
+			set_location(@1, @4);
+			$$ = new FieldAssignExpr($2, $4);
+			}
+
+	|       '$' TOK_ID func_params '='
+	                {
+			func_id = current_scope()->GenerateTemporary("anonymous-function");
+			func_id->SetInferReturnType(true);
+			begin_func(func_id,
+				   current_module.c_str(),
+				   FUNC_FLAVOR_FUNCTION,
+				   0,
+				   $3);
+			}
+		 func_body
+	                {
+			$$ = new FieldAssignExpr($2, new ConstExpr(func_id->ID_Val()));
+			}
+
+	|	expr TOK_IN expr
+			{
+			set_location(@1, @3);
+			$$ = new InExpr($1, $3);
+			}
+
+	|	expr TOK_NOT_IN expr
+			{
+			set_location(@1, @3);
+			$$ = new NotExpr(new InExpr($1, $3));
+			}
+
+	|	'[' expr_list ']'
+			{
+			// A little crufty: we peek at the type of
+			// the first expression in the list.  If it's
+			// a record or a field assignment, then this
+			// is a record constructor.  If not, then this
+			// is a list used for an initializer.
+
+			set_location(@1, @3);
+
+			Expr* e0 = $2->Exprs()[0];
+			if ( e0->Tag() == EXPR_FIELD_ASSIGN ||
+			     e0->Type()->Tag() == TYPE_RECORD )
+				$$ = new RecordConstructorExpr($2);
+			else
+				$$ = $2;
+			}
+
+
+	|	TOK_RECORD '(' expr_list ')'
+			{
+			set_location(@1, @4);
+			$$ = new RecordConstructorExpr($3);
+			}
+
+	|	TOK_TABLE '(' { ++in_init; } opt_expr_list ')' { --in_init; }
+		opt_attr
+			{ // the ++in_init fixes up the parsing of "[x] = y"
+			set_location(@1, @5);
+			$$ = new TableConstructorExpr($4, $7);
+			}
+
+	|	TOK_SET '(' opt_expr_list ')' opt_attr
+			{
+			set_location(@1, @4);
+			$$ = new SetConstructorExpr($3, $5);
+			}
+
+	|	TOK_VECTOR '(' opt_expr_list ')'
+			{
+			set_location(@1, @4);
+			$$ = new VectorConstructorExpr($3);
+			}
+
+	|	TOK_MATCH expr TOK_USING expr
+			{
+			set_location(@1, @4);
+			$$ = new RecordMatchExpr($2, $4);
+			}
+
+	|	expr '(' opt_expr_list ')'
+			{
+			set_location(@1, @4);
+			$$ = new CallExpr($1, $3);
+			}
+
+	|	expr TOK_HAS_FIELD TOK_ID
+			{
+			set_location(@1, @3);
+			$$ = new HasFieldExpr($1, $3, false);
+			}
+
+	|	expr TOK_HAS_ATTR TOK_ID
+			{
+			set_location(@1, @3);
+			$$ = new HasFieldExpr($1, $3, true);
+			}
+
+	|	anonymous_function
+
+	|	TOK_SCHEDULE expr '{' event '}'
+			{
+			set_location(@1, @5);
+			$$ = new ScheduleExpr($2, $4);
+			}
+
+	|	TOK_ID
+			{
+			set_location(@1);
+
+			ID* id = lookup_ID($1, current_module.c_str());
+			if ( ! id )
+				{
+				if ( ! in_debug )
+					{
+/*	// CHECK THAT THIS IS NOT GLOBAL.
+					id = install_ID($1, current_module.c_str(),
+							false, is_export);
+*/
+
+					yyerror(fmt("unknown identifier %s", $1));
+					YYERROR;
+					}
+				else
+					{
+					yyerror(fmt("unknown identifier %s", $1));
+					YYERROR;
+					}
+				}
+			else
+				{
+				if ( ! id->Type() )
+					{
+					id->Error("undeclared variable");
+					id->SetType(error_type());
+					$$ = new NameExpr(id);
+					}
+
+				else if ( id->IsEnumConst() )
+					{
+					EnumType* t = id->Type()->AsEnumType();
+					int intval = t->Lookup(id->ModuleName(),
+							       id->Name());
+					if ( intval < 0 )
+						internal_error("enum value not found for %s", id->Name());
+					$$ = new ConstExpr(new EnumVal(intval, t));
+					}
+				else
+					$$ = new NameExpr(id);
+				}
+			}
+
+	|	TOK_CONSTANT
+			{
+			set_location(@1);
+			$$ = new ConstExpr($1);
+			}
+
+	|	pattern
+			{
+			set_location(@1);
+			$1->Compile();
+			$$ = new ConstExpr(new PatternVal($1));
+			}
+
+	|	TOK_THIS
+			{
+			set_location(@1);
+			$$ = bro_this->Ref();
+			}
+
+	|       '|' expr '|'
+			{
+			set_location(@1, @3);
+			$$ = new SizeExpr($2);
+			}
+	;
+
+expr_list:
+		expr_list ',' expr
+			{
+			set_location(@1, @3);
+			$1->Append($3);
+			}
+
+	|	expr
+			{
+			set_location(@1);
+			$$ = new ListExpr($1);
+			}
+	;
+
+opt_expr_list:
+		expr_list
+	|
+		{ $$ = new ListExpr(); }
+	;
+
+opt_comma:
+		','
+	|
+	;
+
+pattern:
+		pattern '|' single_pattern
+			{
+			$1->AddPat($3);
+			delete [] $3;
+			}
+
+	|	single_pattern
+			{
+			$$ = new RE_Matcher($1);
+			delete [] $1;
+			}
+	;
+
+single_pattern:
+		'/' { begin_RE(); } TOK_PATTERN_TEXT { end_RE(); } '/'
+			{ $$ = $3; }
+	;
+
+enum_id_list:
+		TOK_ID
+			{
+			set_location(@1);
+
+			EnumType* et = new EnumType(is_export);
+			if ( et->AddName(current_module, $1) < 0 )
+				error("identifier in enumerated type definition already exists");
+			$$ = et;
+			}
+
+	|	enum_id_list ',' TOK_ID
+			{
+			set_location(@1, @3);
+
+			if ( $1->AsEnumType()->AddName(current_module, $3) < 1 )
+				error("identifier in enumerated type definition already exists");
+			$$ = $1;
+			}
+	;
+
+type:
+		TOK_BOOL	{
+				set_location(@1);
+				$$ = base_type(TYPE_BOOL);
+				}
+
+	|	TOK_INT		{
+				set_location(@1);
+				$$ = base_type(TYPE_INT);
+				}
+
+	|	TOK_COUNT	{
+				set_location(@1);
+				$$ = base_type(TYPE_COUNT);
+				}
+
+	|	TOK_COUNTER	{
+				set_location(@1);
+				$$ = base_type(TYPE_COUNTER);
+				}
+
+	|	TOK_DOUBLE	{
+				set_location(@1);
+				$$ = base_type(TYPE_DOUBLE);
+				}
+
+	|	TOK_TIME	{
+				set_location(@1);
+				$$ = base_type(TYPE_TIME);
+				}
+
+	|	TOK_INTERVAL	{
+				set_location(@1);
+				$$ = base_type(TYPE_INTERVAL);
+				}
+
+	|	TOK_STRING	{
+				set_location(@1);
+				$$ = base_type(TYPE_STRING);
+				}
+
+	|	TOK_PATTERN	{
+				set_location(@1);
+				$$ = base_type(TYPE_PATTERN);
+				}
+
+	|	TOK_TIMER	{
+				set_location(@1);
+				$$ = base_type(TYPE_TIMER);
+				}
+
+	|	TOK_PORT	{
+				set_location(@1);
+				$$ = base_type(TYPE_PORT);
+				}
+
+	|	TOK_ADDR	{
+				set_location(@1);
+				$$ = base_type(TYPE_ADDR);
+				}
+
+	|	TOK_NET		{
+				set_location(@1);
+				$$ = base_type(TYPE_NET);
+				}
+
+	|	TOK_SUBNET	{
+				set_location(@1);
+				$$ = base_type(TYPE_SUBNET);
+				}
+
+	|	TOK_ANY		{
+				set_location(@1);
+				$$ = base_type(TYPE_ANY);
+				}
+
+	|	TOK_TABLE '[' type_list ']' TOK_OF type
+				{
+				set_location(@1, @6);
+				$$ = new TableType($3, $6);
+				}
+
+	|	TOK_SET '[' type_list ']'
+				{
+				set_location(@1, @4);
+				$$ = new SetType($3, 0);
+				}
+
+	|	TOK_RECORD '{' type_decl_list '}'
+				{
+				set_location(@1, @4);
+				$$ = new RecordType($3);
+				}
+
+	|	TOK_UNION '{' type_list '}'
+				{
+				set_location(@1, @4);
+				error("union type not implemented");
+				$$ = 0;
+				}
+
+	|	TOK_ENUM '{' enum_id_list opt_comma '}'
+				{
+				set_location(@1, @4);
+				$$ = $3;
+				}
+
+	|	TOK_LIST
+				{
+				set_location(@1);
+				// $$ = new TypeList();
+				error("list type not implemented");
+				$$ = 0;
+				}
+
+	|	TOK_LIST TOK_OF type
+				{
+				set_location(@1);
+				// $$ = new TypeList($3);
+				error("list type not implemented");
+				$$ = 0;
+				}
+
+	|	TOK_VECTOR TOK_OF type
+				{
+				set_location(@1, @3);
+				$$ = new VectorType($3);
+				}
+
+	|	TOK_FUNCTION func_params
+				{
+				set_location(@1, @2);
+				$$ = $2;
+				}
+
+	|	TOK_EVENT '(' formal_args ')'
+				{
+				set_location(@1, @3);
+				$$ = new FuncType($3, 0, 1);
+				}
+
+	|	TOK_FILE TOK_OF type
+				{
+				set_location(@1, @3);
+				$$ = new FileType($3);
+				}
+
+	|	TOK_FILE
+				{
+				set_location(@1);
+				$$ = new FileType(base_type(TYPE_STRING));
+				}
+
+	|	resolve_id
+			{
+			if ( ! $1 || ! ($$ = $1->AsType()) )
+				{
+				NullStmt here;
+				if ( $1 )
+					$1->Error("not a BRO type", &here);
+				$$ = error_type();
+				}
+			else
+				Ref($$);
+			}
+	;
+
+type_list:
+		type_list ',' type
+			{ $1->AppendEvenIfNotPure($3); }
+	|	type
+			{
+			$$ = new TypeList($1);
+			$$->Append($1);
+			}
+	;
+
+type_decl_list:
+		type_decl_list type_decl
+			{ $1->append($2); }
+	|
+			{ $$ = new type_decl_list(); }
+	;
+
+type_decl:
+		TOK_ID ':' type opt_attr ';'
+			{
+			set_location(@1, @5);
+			$$ = new TypeDecl($3, $1, $4);
+			}
+	;
+
+formal_args:
+		formal_args_decl_list
+			{ $$ = new RecordType($1); }
+	|	formal_args_decl_list ';'
+			{ $$ = new RecordType($1); }
+	|
+			{ $$ = new RecordType(new type_decl_list()); }
+	;
+
+formal_args_decl_list:
+		formal_args_decl_list ';' formal_args_decl
+			{ $1->append($3); }
+	|	formal_args_decl_list ',' formal_args_decl
+			{ $1->append($3); }
+	|	formal_args_decl
+			{ $$ = new type_decl_list(); $$->append($1); }
+	;
+
+formal_args_decl:
+		TOK_ID ':' type opt_attr
+			{
+			set_location(@1, @4);
+			$$ = new TypeDecl($3, $1, $4);
+			}
+	;
+
+decl:
+		TOK_MODULE TOK_ID ';'
+			{ current_module = $2; }
+
+	|	TOK_EXPORT '{' { is_export = true; } decl_list '}'
+			{ is_export = false; }
+
+	|	TOK_GLOBAL global_id opt_type init_class opt_init opt_attr ';'
+			{ add_global($2, $3, $4, $5, $6, VAR_REGULAR); }
+
+	|	TOK_CONST global_id opt_type init_class opt_init opt_attr ';'
+			{ add_global($2, $3, $4, $5, $6, VAR_CONST); }
+
+	|	TOK_REDEF global_id opt_type init_class opt_init opt_attr ';'
+			{ add_global($2, $3, $4, $5, $6, VAR_REDEF); }
+
+	|       TOK_REDEF TOK_ENUM global_id TOK_ADD_TO
+		'{' enum_id_list opt_comma '}' ';'
+			{
+			if ( ! $3->Type() )
+				$3->Error("unknown identifier");
+			else
+				{
+				EnumType* add_to = $3->Type()->AsEnumType();
+				if ( ! add_to )
+					$3->Error("not an enum");
+				else
+					add_to->AddNamesFrom(current_module,
+							     $6->AsEnumType());
+				}
+			}
+
+	|	TOK_TYPE global_id ':' refined_type opt_attr opt_attr_attr ';'
+			{
+			add_type($2, $4, $5, 0);
+			if ( $6 )
+				$2->AsType()->SetAttributesType($6);
+			}
+
+	|	TOK_GLOBAL_ATTR ':' { in_global_attr_decl = true; }
+		'{' type_decl_list '}' ';' { in_global_attr_decl = false; }
+			{
+			global_attributes_type = new RecordType($5);
+			}
+
+	|	TOK_EVENT event_id ':' refined_type opt_attr ';'
+			{ add_type($2, $4, $5, 1); }
+
+	|	func_hdr func_body
+			{ }
+
+	|	conditional
+	;
+
+conditional:
+		TOK_ATIF '(' expr ')'
+			{ do_atif($3); }
+	|	TOK_ATIFDEF '(' TOK_ID ')'
+			{ do_atifdef($3); }
+	|	TOK_ATIFNDEF '(' TOK_ID ')'
+			{ do_atifndef($3); }
+	|	TOK_ATENDIF
+			{ do_atendif(); }
+	|	TOK_ATELSE
+			{ do_atelse(); }
+	;
+
+opt_attr_attr:
+		TOK_ATTR_ATTR '=' '{' type_decl_list '}'
+			{ $$ = $4; }
+	|
+			{ $$ = 0; }
+	;
+
+func_hdr:
+		TOK_FUNCTION global_id func_params
+			{
+			begin_func($2, current_module.c_str(),
+				   FUNC_FLAVOR_FUNCTION, 0, $3);
+			$$ = $3;
+			}
+	|	TOK_EVENT event_id func_params
+			{
+			begin_func($2, current_module.c_str(),
+				   FUNC_FLAVOR_EVENT, 0, $3);
+			$$ = $3;
+			}
+	|	TOK_REDEF TOK_EVENT event_id func_params
+			{
+			begin_func($3, current_module.c_str(),
+				   FUNC_FLAVOR_EVENT, 1, $4);
+			$$ = $4;
+			}
+	;
+
+func_body:
+		opt_attr '{' stmt_list '}'
+			{
+			if ( optimize )
+				$3 = $3->Simplify();
+
+			end_func($3, $1);
+			}
+	;
+
+anonymous_function:
+		TOK_FUNCTION begin_func func_body
+			{ $$ = new ConstExpr($2->ID_Val()); }
+	;
+
+begin_func:
+		func_params
+			{
+			$$ = current_scope()->GenerateTemporary("anonymous-function");
+			begin_func($$, current_module.c_str(),
+				   FUNC_FLAVOR_FUNCTION, 0, $1);
+			}
+	;
+
+func_params:
+		'(' formal_args ')' ':' type
+			{ $$ = new FuncType($2, $5, 0); }
+	|	'(' formal_args ')'
+			{ $$ = new FuncType($2, base_type(TYPE_VOID), 0); }
+	;
+
+refined_type:
+		type_list '{' type_decl_list '}'
+			{ $$ = refine_type($1, $3); }
+	|	type_list
+			{ $$ = refine_type($1, 0); }
+	;
+
+opt_type:
+		':' type
+			{ $$ = $2; }
+	|
+			{ $$ = 0; }
+	;
+
+init_class:
+				{ $$ = INIT_NONE; }
+	|	'='		{ $$ = INIT_FULL; }
+	|	TOK_ADD_TO	{ $$ = INIT_EXTRA; }
+	|	TOK_REMOVE_FROM	{ $$ = INIT_REMOVE; }
+	;
+
+opt_init:
+		{ ++in_init; } init { --in_init; }
+			{ $$ = $2; }
+	|
+			{ $$ = 0; }
+	;
+
+init:
+		'{' opt_expr_list '}'
+			{ $$ = $2; }
+	|	'{' expr_list ',' '}'
+			{ $$ = $2; }
+	|	expr
+	;
+
+opt_attr:
+		attr_list
+	|
+			{ $$ = 0; }
+	;
+
+attr_list:
+		attr_list attr
+			{ $1->append($2); }
+	|	attr
+			{
+			$$ = new attr_list;
+			$$->append($1);
+			}
+	;
+
+attr:
+		TOK_ATTR_DEFAULT '=' expr
+			{ $$ = new Attr(ATTR_DEFAULT, $3); }
+	|	TOK_ATTR_OPTIONAL
+			{ $$ = new Attr(ATTR_OPTIONAL); }
+	|	TOK_ATTR_REDEF
+			{ $$ = new Attr(ATTR_REDEF); }
+	|	TOK_ATTR_ROTATE_INTERVAL '=' expr
+			{ $$ = new Attr(ATTR_ROTATE_INTERVAL, $3); }
+	|	TOK_ATTR_ROTATE_SIZE '=' expr
+			{ $$ = new Attr(ATTR_ROTATE_SIZE, $3); }
+	|	TOK_ATTR_ADD_FUNC '=' expr
+			{ $$ = new Attr(ATTR_ADD_FUNC, $3); }
+	|	TOK_ATTR_DEL_FUNC '=' expr
+			{ $$ = new Attr(ATTR_DEL_FUNC, $3); }
+	|	TOK_ATTR_EXPIRE_FUNC '=' expr
+			{ $$ = new Attr(ATTR_EXPIRE_FUNC, $3); }
+	|	TOK_ATTR_EXPIRE_CREATE '=' expr
+			{ $$ = new Attr(ATTR_EXPIRE_CREATE, $3); }
+	|	TOK_ATTR_EXPIRE_READ '=' expr
+			{ $$ = new Attr(ATTR_EXPIRE_READ, $3); }
+	|	TOK_ATTR_EXPIRE_WRITE '=' expr
+			{ $$ = new Attr(ATTR_EXPIRE_WRITE, $3); }
+	|	TOK_ATTR_PERSISTENT
+			{ $$ = new Attr(ATTR_PERSISTENT); }
+	|	TOK_ATTR_SYNCHRONIZED
+			{ $$ = new Attr(ATTR_SYNCHRONIZED); }
+	|	TOK_ATTR_ENCRYPT
+			{ $$ = new Attr(ATTR_ENCRYPT); }
+	|	TOK_ATTR_ENCRYPT '=' expr
+			{ $$ = new Attr(ATTR_ENCRYPT, $3); }
+	|	TOK_ATTR_DISABLE_PRINT_HOOK
+			{ $$ = new Attr(ATTR_DISABLE_PRINT_HOOK); }
+	|	TOK_ATTR_RAW_OUTPUT
+			{ $$ = new Attr(ATTR_RAW_OUTPUT); }
+	|	TOK_ATTR_MERGEABLE
+			{ $$ = new Attr(ATTR_MERGEABLE); }
+	|	TOK_ATTR_PRIORITY '=' expr
+			{ $$ = new Attr(ATTR_PRIORITY, $3); }
+	|	TOK_ATTR_GROUP '=' expr
+			{ $$ = new Attr(ATTR_GROUP, $3); }
+	;
+
+stmt:
+		'{' stmt_list '}'
+			{
+			set_location(@1, @3);
+			$$ = $2;
+			}
+
+	|	TOK_ALARM expr_list ';'
+			{
+			set_location(@1, @3);
+			$$ = new AlarmStmt($2);
+			}
+
+	|	TOK_PRINT expr_list ';'
+			{
+			set_location(@1, @3);
+			$$ = new PrintStmt($2);
+			}
+
+	|	TOK_EVENT event ';'
+			{
+			set_location(@1, @3);
+			$$ = new EventStmt($2);
+			}
+
+	|	TOK_IF '(' expr ')' stmt
+			{
+			set_location(@1, @4);
+			$$ = new IfStmt($3, $5, new NullStmt());
+			}
+
+	|	TOK_IF '(' expr ')' stmt TOK_ELSE stmt
+			{
+			set_location(@1, @4);
+			$$ = new IfStmt($3, $5, $7);
+			}
+
+	|	TOK_SWITCH expr '{' case_list '}'
+			{
+			set_location(@1, @2);
+			$$ = new SwitchStmt($2, $4);
+			}
+
+	|	for_head stmt
+			{ $1->AsForStmt()->AddBody($2); }
+
+	|	TOK_NEXT ';'
+			{
+			set_location(@1, @2);
+			$$ = new NextStmt;
+			}
+
+	|	TOK_BREAK ';'
+			{
+			set_location(@1, @2);
+			$$ = new BreakStmt;
+			}
+
+	|	TOK_RETURN ';'
+			{
+			set_location(@1, @2);
+			$$ = new ReturnStmt(0);
+			}
+
+	|	TOK_RETURN expr ';'
+			{
+			set_location(@1, @2);
+			$$ = new ReturnStmt($2);
+			}
+
+	|	TOK_ADD expr ';'
+			{
+			set_location(@1, @3);
+			$$ = new AddStmt($2);
+			}
+
+	|	TOK_DELETE expr ';'
+			{
+			set_location(@1, @3);
+			$$ = new DelStmt($2);
+			}
+
+	|	TOK_LOCAL local_id opt_type init_class opt_init opt_attr ';'
+			{
+			set_location(@1, @7);
+			$$ = add_local($2, $3, $4, $5, $6, VAR_REGULAR);
+			}
+
+	|	TOK_CONST local_id opt_type init_class opt_init opt_attr ';'
+			{
+			set_location(@1, @6);
+			$$ = add_local($2, $3, $4, $5, $6, VAR_CONST);
+			}
+
+	|	TOK_WHEN '(' expr ')' stmt
+			{
+			set_location(@3, @5);
+			$$ = new WhenStmt($3, $5, 0, 0, false);
+			}
+
+	|	TOK_WHEN '(' expr ')' stmt TOK_TIMEOUT expr '{' stmt_list '}'
+			{
+			set_location(@3, @8);
+			$$ = new WhenStmt($3, $5, $9, $7, false);
+			}
+
+
+	|	TOK_RETURN TOK_WHEN '(' expr ')' stmt
+			{
+			set_location(@4, @6);
+			$$ = new WhenStmt($4, $6, 0, 0, true);
+			}
+
+	|	TOK_RETURN TOK_WHEN '(' expr ')' stmt TOK_TIMEOUT expr '{' stmt_list '}'
+			{
+			set_location(@4, @9);
+			$$ = new WhenStmt($4, $6, $10, $8, true);
+			}
+
+	|	expr ';'
+			{
+			set_location(@1, @2);
+			$$ = new ExprStmt($1);
+			}
+
+	|	';'
+			{
+			set_location(@1, @1);
+			$$ = new NullStmt;
+			}
+
+	|	conditional
+			{ $$ = new NullStmt; }
+	;
+
+stmt_list:
+		stmt_list stmt
+			{
+			set_location(@1, @2);
+			$1->AsStmtList()->Stmts().append($2);
+			$1->UpdateLocationEndInfo(@2);
+			}
+	|
+			{ $$ = new StmtList(); }
+	;
+
+event:
+		TOK_ID '(' opt_expr_list ')'
+			{
+			set_location(@1, @4);
+			$$ = new EventExpr($1, $3);
+			}
+	;
+
+case_list:
+		case_list case
+			{ $1->append($2); }
+	|
+			{ $$ = new case_list; }
+	;
+
+case:
+		TOK_CASE expr_list ':' stmt_list
+			{ $$ = new Case($2, $4); }
+	|
+		TOK_DEFAULT ':' stmt_list
+			{ $$ = new Case(0, $3); }
+	;
+
+for_head:
+		TOK_FOR '(' TOK_ID TOK_IN expr ')'
+			{
+			set_location(@1, @6);
+
+			// This rule needs to be separate from the loop
+			// body so that we execute these actions - defining
+			// the local variable - prior to parsing the body,
+			// which might refer to the variable.
+			ID* loop_var = lookup_ID($3, current_module.c_str());
+
+			if ( loop_var )
+				{
+				if ( loop_var->IsGlobal() )
+					loop_var->Error("global used in for loop");
+				}
+
+			else
+				loop_var = install_ID($3, current_module.c_str(),
+						      false, false);
+
+			id_list* loop_vars = new id_list;
+			loop_vars->append(loop_var);
+
+			$$ = new ForStmt(loop_vars, $5);
+			}
+	|
+		TOK_FOR '(' '[' local_id_list ']' TOK_IN expr ')'
+			{ $$ = new ForStmt($4, $7); }
+		;
+
+local_id_list:
+		local_id_list ',' local_id
+			{ $1->append($3); }
+	|	local_id
+			{
+			$$ = new id_list;
+			$$->append($1);
+			}
+	;
+
+local_id:
+		TOK_ID
+			{
+			set_location(@1);
+
+			$$ = lookup_ID($1, current_module.c_str());
+			if ( $$ )
+				{
+				if ( $$->IsGlobal() )
+					$$->Error("already a global identifier");
+				delete [] $1;
+				}
+
+			else
+				{
+				$$ = install_ID($1, current_module.c_str(),
+						false, is_export);
+				}
+			}
+	;
+
+global_id:
+	{ resolving_global_ID = 1; } global_or_event_id
+		{ $$ = $2; }
+	;
+
+event_id:
+	{ resolving_global_ID = 0; } global_or_event_id
+		{ $$ = $2; }
+	;
+
+global_or_event_id:
+		TOK_ID
+			{
+			set_location(@1);
+
+			$$ = lookup_ID($1, current_module.c_str(), false);
+			if ( $$ )
+				{
+				if ( ! $$->IsGlobal() )
+					$$->Error("already a local identifier");
+
+				delete [] $1;
+				}
+
+			else
+				{
+				const char* module_name =
+					resolving_global_ID ?
+						current_module.c_str() : 0;
+					
+				$$ = install_ID($1, module_name,
+						true, is_export);
+				}
+			}
+	;
+
+
+resolve_id:
+		TOK_ID
+			{
+			set_location(@1);
+			$$ = lookup_ID($1, current_module.c_str());
+			if ( ! $$ )
+				error("identifier not defined:", $1);
+			delete [] $1;
+			}
+	;
+
+%%
+
+int yyerror(const char msg[])
+	{
+	char* msgbuf = new char[strlen(msg) + strlen(last_tok) + 64];
+
+	if ( last_tok[0] == '\n' )
+		sprintf(msgbuf, "%s, on previous line", msg);
+	else if ( last_tok[0] == '\0' )
+		sprintf(msgbuf, "%s, at end of file", msg);
+	else
+		sprintf(msgbuf, "%s, at or near \"%s\"", msg, last_tok);
+
+	error(msgbuf);
+
+	return 0;
+	}
diff --git a/src/patricia.c b/src/patricia.c
new file mode 100644
index 0000000000..c9d271803c
--- /dev/null
+++ b/src/patricia.c
@@ -0,0 +1,1051 @@
+/*
+ * $Id: patricia.c 80 2004-07-14 20:15:50Z jason $
+ * Dave Plonka <plonka@doit.wisc.edu>
+ *
+ * This product includes software developed by the University of Michigan,
+ * Merit Network, Inc., and their contributors. 
+ *
+ * This file had been called "radix.c" in the MRT sources.
+ *
+ * I renamed it to "patricia.c" since it's not an implementation of a general
+ * radix trie.  Also I pulled in various requirements from "prefix.c" and
+ * "demo.c" so that it could be used as a standalone API.
+ */
+
+/* From copyright.txt:
+ * 
+ * Copyright (c) 1997, 1998, 1999
+ * 
+ * 
+ * The Regents of the University of Michigan ("The Regents") and Merit Network,
+ * Inc.  All rights reserved.
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ * 1.  Redistributions of source code must retain the above 
+ *     copyright notice, this list of conditions and the 
+ *     following disclaimer.
+ * 2.  Redistributions in binary form must reproduce the above 
+ *     copyright notice, this list of conditions and the 
+ *     following disclaimer in the documentation and/or other 
+ *     materials provided with the distribution.
+ * 3.  All advertising materials mentioning features or use of 
+ *     this software must display the following acknowledgement:  
+ * This product includes software developed by the University of Michigan, Merit
+ * Network, Inc., and their contributors. 
+ * 4.  Neither the name of the University, Merit Network, nor the
+ *     names of their contributors may be used to endorse or 
+ *     promote products derived from this software without 
+ *     specific prior written permission.
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS "AS IS" AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY
+ * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.  
+ */
+
+static char copyright[] =
+"This product includes software developed by the University of Michigan, Merit"
+"Network, Inc., and their contributors.";
+
+#include <assert.h> /* assert */
+#include <ctype.h> /* isdigit */
+#include <errno.h> /* errno */
+#include <math.h> /* sin */
+#include <stddef.h> /* NULL */
+#include <stdio.h> /* sprintf, fprintf, stderr */
+#include <stdlib.h> /* free, atol, calloc */
+#include <string.h> /* memcpy, strchr, strlen */
+#include <arpa/inet.h> /* for inet_addr */
+#include <sys/types.h> /* for u_short, etc. */
+
+#include "patricia.h"
+
+#define Delete free
+
+/* { from prefix.c */
+
+/* prefix_tochar
+ * convert prefix information to bytes
+ */
+u_char *
+prefix_tochar (prefix_t * prefix)
+{
+    if (prefix == NULL)
+	return (NULL);
+
+    return ((u_char *) & prefix->add.sin);
+}
+
+int 
+comp_with_mask (void *addr, void *dest, u_int mask)
+{
+
+    if ( /* mask/8 == 0 || */ memcmp (addr, dest, mask / 8) == 0) {
+	int n = mask / 8;
+	int m = ((-1) << (8 - (mask % 8)));
+
+	if (mask % 8 == 0 || (((u_char *)addr)[n] & m) == (((u_char *)dest)[n] & m))
+	    return (1);
+    }
+    return (0);
+}
+
+/* inet_pton substitute implementation
+ * Uses inet_addr to convert an IP address in dotted decimal notation into 
+ * unsigned long and copies the result to dst.
+ * Only supports AF_INET.  Follows standard error return conventions of 
+ * inet_pton.
+ */
+int
+local_inet_pton (int af, const char *src, void *dst)
+{
+    u_long result;  
+
+    if (af == AF_INET) {
+	result = inet_addr(src);
+	if (result == -1)
+	    return 0;
+	else {
+			memcpy (dst, &result, 4);
+	    return 1;
+		}
+	}
+#ifdef NT
+#ifdef HAVE_IPV6
+	else if (af == AF_INET6) {
+		struct in6_addr Address;
+		return (inet6_addr(src, &Address));
+	}
+#endif /* HAVE_IPV6 */
+#endif /* NT */
+#ifndef NT
+    else {
+
+	errno = EAFNOSUPPORT;
+	return -1;
+    }
+#endif /* NT */
+}
+
+/* this allows imcomplete prefix */
+int
+my_inet_pton (int af, const char *src, void *dst)
+{
+    if (af == AF_INET) {
+        int i, c, val;
+        u_char xp[4] = {0, 0, 0, 0};
+
+        for (i = 0; ; i++) {
+	    c = *src++;
+	    if (!isdigit (c))
+		return (-1);
+	    val = 0;
+	    do {
+		val = val * 10 + c - '0';
+		if (val > 255)
+		    return (0);
+		c = *src++;
+	    } while (c && isdigit (c));
+            xp[i] = val;
+	    if (c == '\0')
+		break;
+            if (c != '.')
+                return (0);
+	    if (i >= 3)
+		return (0);
+        }
+	memcpy (dst, xp, 4);
+        return (1);
+#ifdef HAVE_IPV6
+    } else if (af == AF_INET6) {
+        return (local_inet_pton (af, src, dst));
+#endif /* HAVE_IPV6 */
+    } else {
+#ifndef NT
+	errno = EAFNOSUPPORT;
+#endif /* NT */
+	return -1;
+    }
+}
+
+/* 
+ * convert prefix information to ascii string with length
+ * thread safe and (almost) re-entrant implementation
+ */
+char *
+prefix_toa2x (prefix_t *prefix, char *buff, int with_len)
+{
+    if (prefix == NULL)
+	return ("(Null)");
+    assert (prefix->ref_count >= 0);
+    if (buff == NULL) {
+
+        struct buffer {
+            char buffs[16][48+5];
+            u_int i;
+        } *buffp;
+
+#    if 0
+	THREAD_SPECIFIC_DATA (struct buffer, buffp, 1);
+#    else
+        { /* for scope only */
+	   static struct buffer local_buff;
+           buffp = &local_buff;
+	}
+#    endif
+	if (buffp == NULL) {
+	    /* XXX should we report an error? */
+	    return (NULL);
+	}
+
+	buff = buffp->buffs[buffp->i++%16];
+    }
+    if (prefix->family == AF_INET) {
+	u_char *a;
+	assert (prefix->bitlen <= 32);
+	a = prefix_touchar (prefix);
+	if (with_len) {
+	    sprintf (buff, "%d.%d.%d.%d/%d", a[0], a[1], a[2], a[3],
+		     prefix->bitlen);
+	}
+	else {
+	    sprintf (buff, "%d.%d.%d.%d", a[0], a[1], a[2], a[3]);
+	}
+	return (buff);
+    }
+#ifdef HAVE_IPV6
+    else if (prefix->family == AF_INET6) {
+	char *r;
+	r = (char *) inet_ntop (AF_INET6, &prefix->add.sin6, buff, 48 /* a guess value */ );
+	if (r && with_len) {
+	    assert (prefix->bitlen <= 128);
+	    sprintf (buff + strlen (buff), "/%d", prefix->bitlen);
+	}
+	return (buff);
+    }
+#endif /* HAVE_IPV6 */
+    else
+	return (NULL);
+}
+
+/* prefix_toa2
+ * convert prefix information to ascii string
+ */
+char *
+prefix_toa2 (prefix_t *prefix, char *buff)
+{
+    return (prefix_toa2x (prefix, buff, 0));
+}
+
+/* prefix_toa
+ */
+char *
+prefix_toa (prefix_t * prefix)
+{
+    return (prefix_toa2 (prefix, (char *) NULL));
+}
+
+prefix_t *
+New_Prefix2 (int family, void *dest, int bitlen, prefix_t *prefix)
+{
+    int dynamic_allocated = 0;
+    int default_bitlen = 32;
+
+#ifdef HAVE_IPV6
+    if (family == AF_INET6) {
+        default_bitlen = 128;
+	if (prefix == NULL) {
+            prefix = calloc(1, sizeof (prefix6_t));
+	    dynamic_allocated++;
+	}
+	memcpy (&prefix->add.sin6, dest, 16);
+    }
+    else
+#endif /* HAVE_IPV6 */
+    if (family == AF_INET) {
+		if (prefix == NULL) {
+#ifndef NT
+            prefix = calloc(1, sizeof (prefix4_t));
+#else
+			//for some reason, compiler is getting
+			//prefix4_t size incorrect on NT
+			prefix = calloc(1, sizeof (prefix_t)); 
+#endif /* NT */
+		
+			dynamic_allocated++;
+		}
+		memcpy (&prefix->add.sin, dest, 4);
+    }
+    else {
+        return (NULL);
+    }
+
+    prefix->bitlen = (bitlen >= 0)? bitlen: default_bitlen;
+    prefix->family = family;
+    prefix->ref_count = 0;
+    if (dynamic_allocated) {
+        prefix->ref_count++;
+   }
+/* fprintf(stderr, "[C %s, %d]\n", prefix_toa (prefix), prefix->ref_count); */
+    return (prefix);
+}
+
+prefix_t *
+New_Prefix (int family, void *dest, int bitlen)
+{
+    return (New_Prefix2 (family, dest, bitlen, NULL));
+}
+
+/* ascii2prefix
+ */
+prefix_t *
+ascii2prefix (int family, char *string)
+{
+    u_long bitlen, maxbitlen = 0;
+    char *cp;
+    struct in_addr sin;
+#ifdef HAVE_IPV6
+    struct in6_addr sin6;
+#endif /* HAVE_IPV6 */
+    int result;
+    char save[MAXLINE];
+
+    if (string == NULL)
+		return (NULL);
+
+    /* easy way to handle both families */
+    if (family == 0) {
+       family = AF_INET;
+#ifdef HAVE_IPV6
+       if (strchr (string, ':')) family = AF_INET6;
+#endif /* HAVE_IPV6 */
+    }
+
+    if (family == AF_INET) {
+		maxbitlen = 32;
+    }
+#ifdef HAVE_IPV6
+    else if (family == AF_INET6) {
+		maxbitlen = 128;
+    }
+#endif /* HAVE_IPV6 */
+
+    if ((cp = strchr (string, '/')) != NULL) {
+		bitlen = atol (cp + 1);
+		/* *cp = '\0'; */
+		/* copy the string to save. Avoid destroying the string */
+		assert (cp - string < MAXLINE);
+		memcpy (save, string, cp - string);
+		save[cp - string] = '\0';
+		string = save;
+		if (bitlen < 0 || bitlen > maxbitlen)
+			bitlen = maxbitlen;
+		}
+		else {
+			bitlen = maxbitlen;
+		}
+
+		if (family == AF_INET) {
+			if ((result = my_inet_pton (AF_INET, string, &sin)) <= 0)
+				return (NULL);
+			return (New_Prefix (AF_INET, &sin, bitlen));
+		}
+
+#ifdef HAVE_IPV6
+		else if (family == AF_INET6) {
+// Get rid of this with next IPv6 upgrade
+#if defined(NT) && !defined(HAVE_INET_NTOP)
+			inet6_addr(string, &sin6);
+			return (New_Prefix (AF_INET6, &sin6, bitlen));
+#else
+			if ((result = local_inet_pton (AF_INET6, string, &sin6)) <= 0)
+				return (NULL);
+#endif /* NT */
+			return (New_Prefix (AF_INET6, &sin6, bitlen));
+		}
+#endif /* HAVE_IPV6 */
+		else
+			return (NULL);
+}
+
+prefix_t *
+Ref_Prefix (prefix_t * prefix)
+{
+    if (prefix == NULL)
+	return (NULL);
+    if (prefix->ref_count == 0) {
+	/* make a copy in case of a static prefix */
+        return (New_Prefix2 (prefix->family, &prefix->add, prefix->bitlen, NULL));
+    }
+    prefix->ref_count++;
+/* fprintf(stderr, "[A %s, %d]\n", prefix_toa (prefix), prefix->ref_count); */
+    return (prefix);
+}
+
+void 
+Deref_Prefix (prefix_t * prefix)
+{
+    if (prefix == NULL)
+	return;
+    /* for secure programming, raise an assert. no static prefix can call this */
+    assert (prefix->ref_count > 0);
+
+    prefix->ref_count--;
+    assert (prefix->ref_count >= 0);
+    if (prefix->ref_count <= 0) {
+	Delete (prefix);
+	return;
+    }
+}
+
+/* } */
+
+/* #define PATRICIA_DEBUG 1 */
+
+static int num_active_patricia = 0;
+
+/* these routines support continuous mask only */
+
+patricia_tree_t *
+New_Patricia (int maxbits)
+{
+    patricia_tree_t *patricia = calloc(1, sizeof *patricia);
+
+    patricia->maxbits = maxbits;
+    patricia->head = NULL;
+    patricia->num_active_node = 0;
+    assert (maxbits <= PATRICIA_MAXBITS); /* XXX */
+    num_active_patricia++;
+    return (patricia);
+}
+
+
+/*
+ * if func is supplied, it will be called as func(node->data)
+ * before deleting the node
+ */
+
+void
+Clear_Patricia (patricia_tree_t *patricia, void_fn_t func)
+{
+    assert (patricia);
+    if (patricia->head) {
+
+        patricia_node_t *Xstack[PATRICIA_MAXBITS+1];
+        patricia_node_t **Xsp = Xstack;
+        patricia_node_t *Xrn = patricia->head;
+
+        while (Xrn) {
+            patricia_node_t *l = Xrn->l;
+            patricia_node_t *r = Xrn->r;
+
+    	    if (Xrn->prefix) {
+		Deref_Prefix (Xrn->prefix);
+		if (Xrn->data && func)
+	    	    func (Xrn->data);
+    	    }
+    	    else {
+		assert (Xrn->data == NULL);
+    	    }
+    	    Delete (Xrn);
+	    patricia->num_active_node--;
+
+            if (l) {
+                if (r) {
+                    *Xsp++ = r;
+                }
+                Xrn = l;
+            } else if (r) {
+                Xrn = r;
+            } else if (Xsp != Xstack) {
+                Xrn = *(--Xsp);
+            } else {
+                Xrn = (patricia_node_t *) 0;
+            }
+        }
+    }
+    assert (patricia->num_active_node == 0);
+    /* Delete (patricia); */
+}
+
+
+void
+Destroy_Patricia (patricia_tree_t *patricia, void_fn_t func)
+{
+    Clear_Patricia (patricia, func);
+    Delete (patricia);
+    num_active_patricia--;
+}
+
+
+/*
+ * if func is supplied, it will be called as func(node->prefix, node->data)
+ */
+
+void
+patricia_process (patricia_tree_t *patricia, void_fn_t func)
+{
+    patricia_node_t *node;
+    assert (func);
+
+    PATRICIA_WALK (patricia->head, node) {
+	func (node->prefix, node->data);
+    } PATRICIA_WALK_END;
+}
+
+
+patricia_node_t *
+patricia_search_exact (patricia_tree_t *patricia, prefix_t *prefix)
+{
+    patricia_node_t *node;
+    u_char *addr;
+    u_int bitlen;
+
+    assert (patricia);
+    assert (prefix);
+    assert (prefix->bitlen <= patricia->maxbits);
+
+    if (patricia->head == NULL)
+	return (NULL);
+
+    node = patricia->head;
+    addr = prefix_touchar (prefix);
+    bitlen = prefix->bitlen;
+
+    while (node->bit < bitlen) {
+
+	if (BIT_TEST (addr[node->bit >> 3], 0x80 >> (node->bit & 0x07))) {
+#ifdef PATRICIA_DEBUG
+	    if (node->prefix)
+    	        fprintf (stderr, "patricia_search_exact: take right %s/%d\n", 
+	                 prefix_toa (node->prefix), node->prefix->bitlen);
+	    else
+    	        fprintf (stderr, "patricia_search_exact: take right at %d\n", 
+			 node->bit);
+#endif /* PATRICIA_DEBUG */
+	    node = node->r;
+	}
+	else {
+#ifdef PATRICIA_DEBUG
+	    if (node->prefix)
+    	        fprintf (stderr, "patricia_search_exact: take left %s/%d\n", 
+	                 prefix_toa (node->prefix), node->prefix->bitlen);
+	    else
+    	        fprintf (stderr, "patricia_search_exact: take left at %d\n", 
+			 node->bit);
+#endif /* PATRICIA_DEBUG */
+	    node = node->l;
+	}
+
+	if (node == NULL)
+	    return (NULL);
+    }
+
+#ifdef PATRICIA_DEBUG
+    if (node->prefix)
+        fprintf (stderr, "patricia_search_exact: stop at %s/%d\n", 
+	         prefix_toa (node->prefix), node->prefix->bitlen);
+    else
+        fprintf (stderr, "patricia_search_exact: stop at %d\n", node->bit);
+#endif /* PATRICIA_DEBUG */
+    if (node->bit > bitlen || node->prefix == NULL)
+	return (NULL);
+    assert (node->bit == bitlen);
+    assert (node->bit == node->prefix->bitlen);
+    if (comp_with_mask (prefix_tochar (node->prefix), prefix_tochar (prefix),
+			bitlen)) {
+#ifdef PATRICIA_DEBUG
+        fprintf (stderr, "patricia_search_exact: found %s/%d\n", 
+	         prefix_toa (node->prefix), node->prefix->bitlen);
+#endif /* PATRICIA_DEBUG */
+	return (node);
+    }
+    return (NULL);
+}
+
+
+/* if inclusive != 0, "best" may be the given prefix itself */
+patricia_node_t *
+patricia_search_best2 (patricia_tree_t *patricia, prefix_t *prefix, int inclusive)
+{
+    patricia_node_t *node;
+    patricia_node_t *stack[PATRICIA_MAXBITS + 1];
+    u_char *addr;
+    u_int bitlen;
+    int cnt = 0;
+
+    assert (patricia);
+    assert (prefix);
+    assert (prefix->bitlen <= patricia->maxbits);
+
+    if (patricia->head == NULL)
+	return (NULL);
+
+    node = patricia->head;
+    addr = prefix_touchar (prefix);
+    bitlen = prefix->bitlen;
+
+    while (node->bit < bitlen) {
+
+	if (node->prefix) {
+#ifdef PATRICIA_DEBUG
+            fprintf (stderr, "patricia_search_best: push %s/%d\n", 
+	             prefix_toa (node->prefix), node->prefix->bitlen);
+#endif /* PATRICIA_DEBUG */
+	    stack[cnt++] = node;
+	}
+
+	if (BIT_TEST (addr[node->bit >> 3], 0x80 >> (node->bit & 0x07))) {
+#ifdef PATRICIA_DEBUG
+	    if (node->prefix)
+    	        fprintf (stderr, "patricia_search_best: take right %s/%d\n", 
+	                 prefix_toa (node->prefix), node->prefix->bitlen);
+	    else
+    	        fprintf (stderr, "patricia_search_best: take right at %d\n", 
+			 node->bit);
+#endif /* PATRICIA_DEBUG */
+	    node = node->r;
+	}
+	else {
+#ifdef PATRICIA_DEBUG
+	    if (node->prefix)
+    	        fprintf (stderr, "patricia_search_best: take left %s/%d\n", 
+	                 prefix_toa (node->prefix), node->prefix->bitlen);
+	    else
+    	        fprintf (stderr, "patricia_search_best: take left at %d\n", 
+			 node->bit);
+#endif /* PATRICIA_DEBUG */
+	    node = node->l;
+	}
+
+	if (node == NULL)
+	    break;
+    }
+
+    if (inclusive && node && node->prefix)
+	stack[cnt++] = node;
+
+#ifdef PATRICIA_DEBUG
+    if (node == NULL)
+        fprintf (stderr, "patricia_search_best: stop at null\n");
+    else if (node->prefix)
+        fprintf (stderr, "patricia_search_best: stop at %s/%d\n", 
+	         prefix_toa (node->prefix), node->prefix->bitlen);
+    else
+        fprintf (stderr, "patricia_search_best: stop at %d\n", node->bit);
+#endif /* PATRICIA_DEBUG */
+
+    if (cnt <= 0)
+	return (NULL);
+
+    while (--cnt >= 0) {
+	node = stack[cnt];
+#ifdef PATRICIA_DEBUG
+        fprintf (stderr, "patricia_search_best: pop %s/%d\n", 
+	         prefix_toa (node->prefix), node->prefix->bitlen);
+#endif /* PATRICIA_DEBUG */
+	if (comp_with_mask (prefix_tochar (node->prefix), 
+			    prefix_tochar (prefix),
+			    node->prefix->bitlen)) {
+#ifdef PATRICIA_DEBUG
+            fprintf (stderr, "patricia_search_best: found %s/%d\n", 
+	             prefix_toa (node->prefix), node->prefix->bitlen);
+#endif /* PATRICIA_DEBUG */
+	    return (node);
+	}
+    }
+    return (NULL);
+}
+
+
+patricia_node_t *
+patricia_search_best (patricia_tree_t *patricia, prefix_t *prefix)
+{
+    return (patricia_search_best2 (patricia, prefix, 1));
+}
+
+
+patricia_node_t *
+patricia_lookup (patricia_tree_t *patricia, prefix_t *prefix)
+{
+    patricia_node_t *node, *new_node, *parent, *glue;
+    u_char *addr, *test_addr;
+    u_int bitlen, check_bit, differ_bit;
+    int i, j, r;
+
+    assert (patricia);
+    assert (prefix);
+    assert (prefix->bitlen <= patricia->maxbits);
+
+    if (patricia->head == NULL) {
+	node = calloc(1, sizeof *node);
+	node->bit = prefix->bitlen;
+	node->prefix = Ref_Prefix (prefix);
+	node->parent = NULL;
+	node->l = node->r = NULL;
+	node->data = NULL;
+	patricia->head = node;
+#ifdef PATRICIA_DEBUG
+	fprintf (stderr, "patricia_lookup: new_node #0 %s/%d (head)\n", 
+		 prefix_toa (prefix), prefix->bitlen);
+#endif /* PATRICIA_DEBUG */
+	patricia->num_active_node++;
+	return (node);
+    }
+
+    addr = prefix_touchar (prefix);
+    bitlen = prefix->bitlen;
+    node = patricia->head;
+
+    while (node->bit < bitlen || node->prefix == NULL) {
+
+	if (node->bit < patricia->maxbits &&
+	    BIT_TEST (addr[node->bit >> 3], 0x80 >> (node->bit & 0x07))) {
+	    if (node->r == NULL)
+		break;
+#ifdef PATRICIA_DEBUG
+	    if (node->prefix)
+    	        fprintf (stderr, "patricia_lookup: take right %s/%d\n", 
+	                 prefix_toa (node->prefix), node->prefix->bitlen);
+	    else
+    	        fprintf (stderr, "patricia_lookup: take right at %d\n", node->bit);
+#endif /* PATRICIA_DEBUG */
+	    node = node->r;
+	}
+	else {
+	    if (node->l == NULL)
+		break;
+#ifdef PATRICIA_DEBUG
+	    if (node->prefix)
+    	        fprintf (stderr, "patricia_lookup: take left %s/%d\n", 
+	             prefix_toa (node->prefix), node->prefix->bitlen);
+	    else
+    	        fprintf (stderr, "patricia_lookup: take left at %d\n", node->bit);
+#endif /* PATRICIA_DEBUG */
+	    node = node->l;
+	}
+
+	assert (node);
+    }
+
+    assert (node->prefix);
+#ifdef PATRICIA_DEBUG
+    fprintf (stderr, "patricia_lookup: stop at %s/%d\n", 
+	     prefix_toa (node->prefix), node->prefix->bitlen);
+#endif /* PATRICIA_DEBUG */
+
+    test_addr = prefix_touchar (node->prefix);
+    /* find the first bit different */
+    check_bit = (node->bit < bitlen)? node->bit: bitlen;
+    differ_bit = 0;
+    for (i = 0; i*8 < check_bit; i++) {
+	if ((r = (addr[i] ^ test_addr[i])) == 0) {
+	    differ_bit = (i + 1) * 8;
+	    continue;
+	}
+	/* I know the better way, but for now */
+	for (j = 0; j < 8; j++) {
+	    if (BIT_TEST (r, (0x80 >> j)))
+		break;
+	}
+	/* must be found */
+	assert (j < 8);
+	differ_bit = i * 8 + j;
+	break;
+    }
+    if (differ_bit > check_bit)
+	differ_bit = check_bit;
+#ifdef PATRICIA_DEBUG
+    fprintf (stderr, "patricia_lookup: differ_bit %d\n", differ_bit);
+#endif /* PATRICIA_DEBUG */
+
+    parent = node->parent;
+    while (parent && parent->bit >= differ_bit) {
+	node = parent;
+	parent = node->parent;
+#ifdef PATRICIA_DEBUG
+	if (node->prefix)
+            fprintf (stderr, "patricia_lookup: up to %s/%d\n", 
+	             prefix_toa (node->prefix), node->prefix->bitlen);
+	else
+            fprintf (stderr, "patricia_lookup: up to %d\n", node->bit);
+#endif /* PATRICIA_DEBUG */
+    }
+
+    if (differ_bit == bitlen && node->bit == bitlen) {
+	if (node->prefix) {
+#ifdef PATRICIA_DEBUG 
+    	    fprintf (stderr, "patricia_lookup: found %s/%d\n", 
+		     prefix_toa (node->prefix), node->prefix->bitlen);
+#endif /* PATRICIA_DEBUG */
+	    return (node);
+	}
+	node->prefix = Ref_Prefix (prefix);
+#ifdef PATRICIA_DEBUG
+	fprintf (stderr, "patricia_lookup: new node #1 %s/%d (glue mod)\n",
+		 prefix_toa (prefix), prefix->bitlen);
+#endif /* PATRICIA_DEBUG */
+	assert (node->data == NULL);
+	return (node);
+    }
+
+    new_node = calloc(1, sizeof *new_node);
+    new_node->bit = prefix->bitlen;
+    new_node->prefix = Ref_Prefix (prefix);
+    new_node->parent = NULL;
+    new_node->l = new_node->r = NULL;
+    new_node->data = NULL;
+    patricia->num_active_node++;
+
+    if (node->bit == differ_bit) {
+	new_node->parent = node;
+	if (node->bit < patricia->maxbits &&
+	    BIT_TEST (addr[node->bit >> 3], 0x80 >> (node->bit & 0x07))) {
+	    assert (node->r == NULL);
+	    node->r = new_node;
+	}
+	else {
+	    assert (node->l == NULL);
+	    node->l = new_node;
+	}
+#ifdef PATRICIA_DEBUG
+	fprintf (stderr, "patricia_lookup: new_node #2 %s/%d (child)\n", 
+		 prefix_toa (prefix), prefix->bitlen);
+#endif /* PATRICIA_DEBUG */
+	return (new_node);
+    }
+
+    if (bitlen == differ_bit) {
+	if (bitlen < patricia->maxbits &&
+	    BIT_TEST (test_addr[bitlen >> 3], 0x80 >> (bitlen & 0x07))) {
+	    new_node->r = node;
+	}
+	else {
+	    new_node->l = node;
+	}
+	new_node->parent = node->parent;
+	if (node->parent == NULL) {
+	    assert (patricia->head == node);
+	    patricia->head = new_node;
+	}
+	else if (node->parent->r == node) {
+	    node->parent->r = new_node;
+	}
+	else {
+	    node->parent->l = new_node;
+	}
+	node->parent = new_node;
+#ifdef PATRICIA_DEBUG
+	fprintf (stderr, "patricia_lookup: new_node #3 %s/%d (parent)\n", 
+		 prefix_toa (prefix), prefix->bitlen);
+#endif /* PATRICIA_DEBUG */
+    }
+    else {
+        glue = calloc(1, sizeof *glue);
+        glue->bit = differ_bit;
+        glue->prefix = NULL;
+        glue->parent = node->parent;
+        glue->data = NULL;
+        patricia->num_active_node++;
+	if (differ_bit < patricia->maxbits &&
+	    BIT_TEST (addr[differ_bit >> 3], 0x80 >> (differ_bit & 0x07))) {
+	    glue->r = new_node;
+	    glue->l = node;
+	}
+	else {
+	    glue->r = node;
+	    glue->l = new_node;
+	}
+	new_node->parent = glue;
+
+	if (node->parent == NULL) {
+	    assert (patricia->head == node);
+	    patricia->head = glue;
+	}
+	else if (node->parent->r == node) {
+	    node->parent->r = glue;
+	}
+	else {
+	    node->parent->l = glue;
+	}
+	node->parent = glue;
+#ifdef PATRICIA_DEBUG
+	fprintf (stderr, "patricia_lookup: new_node #4 %s/%d (glue+node)\n", 
+		 prefix_toa (prefix), prefix->bitlen);
+#endif /* PATRICIA_DEBUG */
+    }
+    return (new_node);
+}
+
+
+void
+patricia_remove (patricia_tree_t *patricia, patricia_node_t *node)
+{
+    patricia_node_t *parent, *child;
+
+    assert (patricia);
+    assert (node);
+
+    if (node->r && node->l) {
+#ifdef PATRICIA_DEBUG
+	fprintf (stderr, "patricia_remove: #0 %s/%d (r & l)\n", 
+		 prefix_toa (node->prefix), node->prefix->bitlen);
+#endif /* PATRICIA_DEBUG */
+	
+	/* this might be a placeholder node -- have to check and make sure
+	 * there is a prefix aossciated with it ! */
+	if (node->prefix != NULL) 
+	  Deref_Prefix (node->prefix);
+	node->prefix = NULL;
+	/* Also I needed to clear data pointer -- masaki */
+	node->data = NULL;
+	return;
+    }
+
+    if (node->r == NULL && node->l == NULL) {
+#ifdef PATRICIA_DEBUG
+	fprintf (stderr, "patricia_remove: #1 %s/%d (!r & !l)\n", 
+		 prefix_toa (node->prefix), node->prefix->bitlen);
+#endif /* PATRICIA_DEBUG */
+	parent = node->parent;
+	Deref_Prefix (node->prefix);
+	Delete (node);
+        patricia->num_active_node--;
+
+	if (parent == NULL) {
+	    assert (patricia->head == node);
+	    patricia->head = NULL;
+	    return;
+	}
+
+	if (parent->r == node) {
+	    parent->r = NULL;
+	    child = parent->l;
+	}
+	else {
+	    assert (parent->l == node);
+	    parent->l = NULL;
+	    child = parent->r;
+	}
+
+	if (parent->prefix)
+	    return;
+
+	/* we need to remove parent too */
+
+	if (parent->parent == NULL) {
+	    assert (patricia->head == parent);
+	    patricia->head = child;
+	}
+	else if (parent->parent->r == parent) {
+	    parent->parent->r = child;
+	}
+	else {
+	    assert (parent->parent->l == parent);
+	    parent->parent->l = child;
+	}
+	child->parent = parent->parent;
+	Delete (parent);
+        patricia->num_active_node--;
+	return;
+    }
+
+#ifdef PATRICIA_DEBUG
+    fprintf (stderr, "patricia_remove: #2 %s/%d (r ^ l)\n", 
+	     prefix_toa (node->prefix), node->prefix->bitlen);
+#endif /* PATRICIA_DEBUG */
+    if (node->r) {
+	child = node->r;
+    }
+    else {
+	assert (node->l);
+	child = node->l;
+    }
+    parent = node->parent;
+    child->parent = parent;
+
+    Deref_Prefix (node->prefix);
+    Delete (node);
+    patricia->num_active_node--;
+
+    if (parent == NULL) {
+	assert (patricia->head == node);
+	patricia->head = child;
+	return;
+    }
+
+    if (parent->r == node) {
+	parent->r = child;
+    }
+    else {
+        assert (parent->l == node);
+	parent->l = child;
+    }
+}
+
+/* { from demo.c */
+
+patricia_node_t *
+make_and_lookup (patricia_tree_t *tree, char *string)
+{
+    prefix_t *prefix;
+    patricia_node_t *node;
+
+    prefix = ascii2prefix (AF_INET, string);
+    printf ("make_and_lookup: %s/%d\n", prefix_toa (prefix), prefix->bitlen);
+    node = patricia_lookup (tree, prefix);
+    Deref_Prefix (prefix);
+    return (node);
+}
+
+patricia_node_t *
+try_search_exact (patricia_tree_t *tree, char *string)
+{
+    prefix_t *prefix;
+    patricia_node_t *node;
+
+    prefix = ascii2prefix (AF_INET, string);
+    printf ("try_search_exact: %s/%d\n", prefix_toa (prefix), prefix->bitlen);
+    if ((node = patricia_search_exact (tree, prefix)) == NULL) {
+        printf ("try_search_exact: not found\n");
+    }
+    else {
+        printf ("try_search_exact: %s/%d found\n", 
+	        prefix_toa (node->prefix), node->prefix->bitlen);
+    }
+    Deref_Prefix (prefix);
+    return (node);
+}
+
+void
+lookup_then_remove (patricia_tree_t *tree, char *string)
+{
+    patricia_node_t *node;
+
+    if (node = try_search_exact (tree, string))
+        patricia_remove (tree, node);
+}
+
+patricia_node_t *
+try_search_best (patricia_tree_t *tree, char *string)
+{
+    prefix_t *prefix;
+    patricia_node_t *node;
+
+    prefix = ascii2prefix (AF_INET, string);
+    printf ("try_search_best: %s/%d\n", prefix_toa (prefix), prefix->bitlen);
+    if ((node = patricia_search_best (tree, prefix)) == NULL)
+        printf ("try_search_best: not found\n");
+    else
+        printf ("try_search_best: %s/%d found\n", 
+	        prefix_toa (node->prefix), node->prefix->bitlen);
+    Deref_Prefix (prefix);
+    return 0; // [RS] What is supposed to be returned here?
+ }
+
+/* } */
diff --git a/src/patricia.h b/src/patricia.h
new file mode 100644
index 0000000000..0118679331
--- /dev/null
+++ b/src/patricia.h
@@ -0,0 +1,186 @@
+/*
+ * $Id: patricia.h 967 2005-01-03 07:19:06Z vern $
+ * Dave Plonka <plonka@doit.wisc.edu>
+ *
+ * This product includes software developed by the University of Michigan,
+ * Merit Network, Inc., and their contributors. 
+ *
+ * This file had been called "radix.h" in the MRT sources.
+ *
+ * I renamed it to "patricia.h" since it's not an implementation of a general
+ * radix trie.  Also, pulled in various requirements from "mrt.h" and added
+ * some other things it could be used as a standalone API.
+ */
+
+/* From copyright.txt:
+ * 
+ * Copyright (c) 1997, 1998, 1999
+ * 
+ * 
+ * The Regents of the University of Michigan ("The Regents") and Merit Network,
+ * Inc.  All rights reserved.
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ * 1.  Redistributions of source code must retain the above 
+ *     copyright notice, this list of conditions and the 
+ *     following disclaimer.
+ * 2.  Redistributions in binary form must reproduce the above 
+ *     copyright notice, this list of conditions and the 
+ *     following disclaimer in the documentation and/or other 
+ *     materials provided with the distribution.
+ * 3.  All advertising materials mentioning features or use of 
+ *     this software must display the following acknowledgement:  
+ * This product includes software developed by the University of Michigan, Merit
+ * Network, Inc., and their contributors. 
+ * 4.  Neither the name of the University, Merit Network, nor the
+ *     names of their contributors may be used to endorse or 
+ *     promote products derived from this software without 
+ *     specific prior written permission.
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS "AS IS" AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY
+ * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.  
+ */
+
+#ifndef _PATRICIA_H
+#define _PATRICIA_H
+
+#include <sys/types.h>
+
+
+#ifdef BROv6
+#ifndef HAVE_IPV6
+#define HAVE_IPV6
+#endif
+#endif
+
+/* typedef unsigned int u_int; */
+typedef void (*void_fn_t)();
+/* { from defs.h */
+#define prefix_touchar(prefix) ((u_char *)&(prefix)->add.sin)
+#define MAXLINE 1024
+#define BIT_TEST(f, b)  ((f) & (b))
+/* } */
+
+#define addroute make_and_lookup
+
+#include <netinet/in.h> /* for struct in_addr */
+
+#include <sys/socket.h> /* for AF_INET */
+
+/* { from mrt.h */
+
+typedef struct _prefix4_t {
+    u_short family;		/* AF_INET | AF_INET6 */
+    u_short bitlen;		/* same as mask? */
+    int ref_count;		/* reference count */
+    struct in_addr sin;
+} prefix4_t;
+
+typedef struct _prefix_t {
+    u_short family;		/* AF_INET | AF_INET6 */
+    u_short bitlen;		/* same as mask? */
+    int ref_count;		/* reference count */
+    union {
+		struct in_addr sin;
+#ifdef HAVE_IPV6
+		struct in6_addr sin6;
+#endif /* IPV6 */
+    } add;
+} prefix_t;
+
+/* } */
+
+typedef struct _patricia_node_t {
+   u_int bit;			/* flag if this node used */
+   prefix_t *prefix;		/* who we are in patricia tree */
+   struct _patricia_node_t *l, *r;	/* left and right children */
+   struct _patricia_node_t *parent;/* may be used */
+   void *data;			/* pointer to data */
+   void	*user1;			/* pointer to usr data (ex. route flap info) */
+} patricia_node_t;
+
+typedef struct _patricia_tree_t {
+   patricia_node_t 	*head;
+   u_int		maxbits;	/* for IP, 32 bit addresses */
+   int num_active_node;		/* for debug purpose */
+} patricia_tree_t;
+
+
+patricia_node_t *patricia_search_exact (patricia_tree_t *patricia, prefix_t *prefix);
+patricia_node_t *patricia_search_best (patricia_tree_t *patricia, prefix_t *prefix);
+patricia_node_t * patricia_search_best2 (patricia_tree_t *patricia, prefix_t *prefix, 
+				   int inclusive);
+patricia_node_t *patricia_lookup (patricia_tree_t *patricia, prefix_t *prefix);
+void patricia_remove (patricia_tree_t *patricia, patricia_node_t *node);
+patricia_tree_t *New_Patricia (int maxbits);
+void Clear_Patricia (patricia_tree_t *patricia, void_fn_t func);
+void Destroy_Patricia (patricia_tree_t *patricia, void_fn_t func);
+void patricia_process (patricia_tree_t *patricia, void_fn_t func);
+
+void Deref_Prefix (prefix_t * prefix);
+
+/* { from demo.c */
+
+prefix_t *
+ascii2prefix (int family, char *string);
+
+patricia_node_t *
+make_and_lookup (patricia_tree_t *tree, char *string);
+
+/* } */
+
+#define PATRICIA_MAXBITS 128
+#define PATRICIA_NBIT(x)        (0x80 >> ((x) & 0x7f))
+#define PATRICIA_NBYTE(x)       ((x) >> 3)
+
+#define PATRICIA_DATA_GET(node, type) (type *)((node)->data)
+#define PATRICIA_DATA_SET(node, value) ((node)->data = (void *)(value))
+
+#define PATRICIA_WALK(Xhead, Xnode) \
+    do { \
+        patricia_node_t *Xstack[PATRICIA_MAXBITS+1]; \
+        patricia_node_t **Xsp = Xstack; \
+        patricia_node_t *Xrn = (Xhead); \
+        while ((Xnode = Xrn)) { \
+            if (Xnode->prefix)
+
+#define PATRICIA_WALK_ALL(Xhead, Xnode) \
+do { \
+        patricia_node_t *Xstack[PATRICIA_MAXBITS+1]; \
+        patricia_node_t **Xsp = Xstack; \
+        patricia_node_t *Xrn = (Xhead); \
+        while ((Xnode = Xrn)) { \
+	    if (1)
+
+#define PATRICIA_WALK_BREAK { \
+	    if (Xsp != Xstack) { \
+		Xrn = *(--Xsp); \
+	     } else { \
+		Xrn = (patricia_node_t *) 0; \
+	    } \
+	    continue; }
+
+#define PATRICIA_WALK_END \
+            if (Xrn->l) { \
+                if (Xrn->r) { \
+                    *Xsp++ = Xrn->r; \
+                } \
+                Xrn = Xrn->l; \
+            } else if (Xrn->r) { \
+                Xrn = Xrn->r; \
+            } else if (Xsp != Xstack) { \
+                Xrn = *(--Xsp); \
+            } else { \
+                Xrn = (patricia_node_t *) 0; \
+            } \
+        } \
+    } while (0)
+
+#endif /* _PATRICIA_H */
diff --git a/src/portmap-analyzer.pac b/src/portmap-analyzer.pac
new file mode 100644
index 0000000000..546be2e9cc
--- /dev/null
+++ b/src/portmap-analyzer.pac
@@ -0,0 +1,187 @@
+# $Id:$
+
+%include portmap-protocol.pac
+
+# Add a function to the hook in the RPC connection to build the call Val.
+refine casefunc RPC_BuildCallVal += {
+	RPC_SERVICE_PORTMAP ->
+		PortmapBuildCallVal(call, call.params.portmap);
+};
+
+# ... and a function invocation to handle successful portmap replies.
+refine typeattr PortmapResults += &let {
+	action_reply: bool = $context.connection.ProcessPortmapReply(this);
+};
+
+# ... and a function to handle failed portmap calls.
+refine casefunc RPC_CallFailed += {
+	RPC_SERVICE_PORTMAP	-> PortmapCallFailed(connection, call, status);
+};
+
+# Build portmap call Val.
+function PortmapBuildCallVal(call: RPC_Call, params: PortmapParams): BroVal =
+	case call.proc of {
+		PMAPPROC_NULL, PMAPPROC_DUMP
+			-> NULL;
+		PMAPPROC_SET, PMAPPROC_UNSET
+			-> PortmapBuildMappingVal(params.mapping);
+		PMAPPROC_GETPORT
+			-> PortmapBuildPortRequest(params.mapping);
+		PMAPPROC_CALLIT
+			-> PortmapBuildCallItVal(params.callit);
+	};
+
+function PortmapBuildPortVal(port: uint32, proto: uint32): BroPortVal
+	%{
+	// TODO: replace port with CheckPort(port)
+	return new PortVal(port, proto == IPPROTO_TCP ?
+					TRANSPORT_TCP : TRANSPORT_UDP);
+	%}
+
+function PortmapBuildMappingVal(params: PortmapMapping): BroVal
+	%{
+	RecordVal* mapping = new RecordVal(pm_mapping);
+
+	mapping->Assign(0, new Val(params->prog(), TYPE_COUNT));
+	mapping->Assign(1, new Val(params->vers(), TYPE_COUNT));
+	mapping->Assign(2, PortmapBuildPortVal(params->port(),
+	                                       params->proto()));
+
+	return mapping;
+	%}
+
+function PortmapBuildPortRequest(params: PortmapMapping): BroVal
+	%{
+	RecordVal* request = new RecordVal(pm_port_request);
+
+	request->Assign(0, new Val(params->prog(), TYPE_COUNT));
+	request->Assign(1, new Val(params->vers(), TYPE_COUNT));
+	request->Assign(2, new Val(params->proto() == IPPROTO_TCP, TYPE_BOOL));
+
+	return request;
+	%}
+
+function PortmapBuildCallItVal(params: PortmapCallItParams): BroVal
+	%{
+	RecordVal* c = new RecordVal(pm_callit_request);
+
+	c->Assign(0, new Val(params->prog(), TYPE_COUNT));
+	c->Assign(1, new Val(params->vers(), TYPE_COUNT));
+	c->Assign(2, new Val(params->proc(), TYPE_COUNT));
+	c->Assign(3, new Val(params->params()->length(), TYPE_COUNT));
+
+	return c;
+	%}
+
+function PortmapBuildDumpVal(params: PortmapDumpResults): BroVal
+	%{
+	TableVal* mappings = new TableVal(pm_mappings);
+
+	for ( int i = 0; i < params->size(); ++i )
+		{
+		Val* m = PortmapBuildMappingVal((*params)[i]->mapping());
+		Val* index = new Val(i + 1, TYPE_COUNT);
+		mappings->Assign(index, m);
+		Unref(index);
+		}
+
+	return mappings;
+	%}
+
+refine connection RPC_Conn += {
+	function ProcessPortmapReply(results: PortmapResults): bool
+		%{
+		RPC_Call const* call = results->call();
+		PortmapParams const* params = call->params()->portmap();
+
+		switch ( call->proc() ) {
+		case PMAPPROC_NULL:
+			bro_event_pm_request_null(bro_analyzer(), bro_analyzer()->Conn());
+			break;
+
+		case PMAPPROC_SET:
+			bro_event_pm_request_set(bro_analyzer(),
+				bro_analyzer()->Conn(),
+				call->call_val(), results->set());
+			break;
+
+		case PMAPPROC_UNSET:
+			bro_event_pm_request_unset(bro_analyzer(),
+				bro_analyzer()->Conn(),
+				call->call_val(), results->unset());
+			break;
+
+		case PMAPPROC_GETPORT:
+			bro_event_pm_request_getport(bro_analyzer(),
+				bro_analyzer()->Conn(),
+				call->call_val(),
+				PortmapBuildPortVal(results->getport(),
+					params->mapping()->proto()));
+			break;
+
+		case PMAPPROC_DUMP:
+			bro_event_pm_request_dump(bro_analyzer(),
+				bro_analyzer()->Conn(),
+				PortmapBuildDumpVal(results->dump()));
+			break;
+
+		case PMAPPROC_CALLIT:
+			bro_event_pm_request_callit(bro_analyzer(),
+				bro_analyzer()->Conn(),
+				call->call_val(),
+				new PortVal(results->callit()->port(),
+					    TRANSPORT_UDP));
+			break;
+
+		default:
+			return false;
+		}
+
+		return true;
+		%}
+};
+
+function PortmapCallFailed(connection: RPC_Conn,
+			call: RPC_Call,
+			status: EnumRPCStatus): bool
+	%{
+	// BroEnum::rpc_status st = static_cast<BroEnum::rpc_status>(status);
+	BroEnum::rpc_status st = (BroEnum::rpc_status) status;
+
+	switch ( call->proc() ) {
+	case PMAPPROC_NULL:
+		bro_event_pm_attempt_null(connection->bro_analyzer(),
+			connection->bro_analyzer()->Conn(), st);
+		break;
+
+	case PMAPPROC_SET:
+		bro_event_pm_attempt_set(connection->bro_analyzer(),
+			connection->bro_analyzer()->Conn(), st, call->call_val());
+		break;
+
+	case PMAPPROC_UNSET:
+		bro_event_pm_attempt_unset(connection->bro_analyzer(),
+			connection->bro_analyzer()->Conn(), st, call->call_val());
+		break;
+
+	case PMAPPROC_GETPORT:
+		bro_event_pm_attempt_getport(connection->bro_analyzer(),
+			connection->bro_analyzer()->Conn(), st, call->call_val());
+		break;
+
+	case PMAPPROC_DUMP:
+		bro_event_pm_attempt_dump(connection->bro_analyzer(),
+			connection->bro_analyzer()->Conn(), st);
+		break;
+
+	case PMAPPROC_CALLIT:
+		bro_event_pm_attempt_callit(connection->bro_analyzer(),
+			connection->bro_analyzer()->Conn(), st, call->call_val());
+		break;
+
+	default:
+		return false;
+	}
+
+	return true;
+	%}
diff --git a/src/portmap-protocol.pac b/src/portmap-protocol.pac
new file mode 100644
index 0000000000..d9f3e5be97
--- /dev/null
+++ b/src/portmap-protocol.pac
@@ -0,0 +1,76 @@
+# $Id:$
+
+# Extends rpc-protocol.pac.
+
+###################
+# Hooks into RPC data structures.
+
+refine casefunc RPC_Service += {
+	100000	-> RPC_SERVICE_PORTMAP;
+};
+
+refine casetype RPC_Params += {
+	RPC_SERVICE_PORTMAP	-> portmap:	PortmapParams(call);
+};
+
+refine casetype RPC_Results += {
+	RPC_SERVICE_PORTMAP	-> portmap:	PortmapResults(call);
+};
+
+###################
+# Portmap types.
+
+enum PortmapProc {
+	PMAPPROC_NULL		= 0,
+	PMAPPROC_SET		= 1,
+	PMAPPROC_UNSET		= 2,
+	PMAPPROC_GETPORT	= 3,
+	PMAPPROC_DUMP		= 4,
+	PMAPPROC_CALLIT		= 5,
+};
+
+type PortmapParams(call: RPC_Call) = case call.proc of {
+	PMAPPROC_NULL		-> null:	empty;
+	PMAPPROC_SET, PMAPPROC_UNSET, PMAPPROC_GETPORT
+				-> mapping:	PortmapMapping;
+	PMAPPROC_DUMP		-> dump:	empty;
+	PMAPPROC_CALLIT		-> callit:	PortmapCallItParams;
+};
+
+type PortmapResults(call: RPC_Call) = case call.proc of {
+	PMAPPROC_NULL		-> null:	empty;
+	PMAPPROC_SET		-> set:		uint32;
+	PMAPPROC_UNSET		-> unset:	uint32;
+	PMAPPROC_GETPORT	-> getport:	uint32;
+	PMAPPROC_DUMP		-> dump:	PortmapDumpResults;
+	PMAPPROC_CALLIT		-> callit:	PortmapCallItResults;
+};
+
+type PortmapMapping = record {
+	prog:	uint32;
+	vers:	uint32;
+	proto:	uint32;
+	port:	uint32;
+};
+
+type PortmapCallItParams = record {
+	prog:	uint32;
+	vers:	uint32;
+	proc:	uint32;
+	params:	RPC_Opaque;	# TODO: parse params
+};
+
+type PortmapDumpEntry = record {
+	cont:		uint32;
+	optmapping:	case cont of {
+		0 ->		none: empty;
+		default ->	mapping: PortmapMapping;
+	};
+};
+
+type PortmapDumpResults = PortmapDumpEntry[] &until($element.cont != 1);
+
+type PortmapCallItResults = record {
+	port:	uint32;
+	results: RPC_Opaque;	# TODO: parse results
+};
diff --git a/src/re-parse.y b/src/re-parse.y
new file mode 100644
index 0000000000..f4c0722c51
--- /dev/null
+++ b/src/re-parse.y
@@ -0,0 +1,228 @@
+// parse.y - parser for flex input
+
+%{
+// $Id: re-parse.y 5857 2008-06-26 23:00:03Z vern $
+
+#include <stdlib.h>
+
+#include "CCL.h"
+#include "NFA.h"
+#include "EquivClass.h"
+
+int csize = 256;
+int syntax_error = 0;
+
+int clower(int sym);
+void yyerror(const char msg[]);
+%}
+
+%token TOK_CHAR TOK_NUMBER TOK_CCL TOK_CCE
+
+%union {
+	int int_val;
+	cce_func cce_val;
+	CCL* ccl_val;
+	NFA_Machine* mach_val;
+}
+
+%type <int_val> TOK_CHAR TOK_NUMBER
+%type <cce_val> TOK_CCE
+%type <ccl_val> TOK_CCL ccl full_ccl
+%type <mach_val> re singleton series string
+
+%%
+flexrule	:	re
+			{ $1->AddAccept(1); nfa = $1; }
+
+		|  error
+			{ return 1; }
+		;
+
+re		:  re '|' series
+			{ $$ = make_alternate($1, $3); }
+		|  series
+		| 
+			{ $$ = new NFA_Machine(new EpsilonState()); }
+		;
+
+series		:  series singleton
+			{ $1->AppendMachine($2); }
+		|  singleton
+		;
+
+singleton	:  singleton '*'
+			{ $1->MakeClosure(); }
+
+		|  singleton '+'
+			{ $1->MakePositiveClosure(); }
+
+		|  singleton '?'
+			{ $1->MakeOptional(); }
+
+		|  singleton '{' TOK_NUMBER ',' TOK_NUMBER '}'
+			{
+			if ( $3 > $5 || $3 < 0 )
+				synerr("bad iteration values");
+			else
+				{
+				if ( $3 == 0 )
+					{
+					if ( $5 == 0 )
+						{
+						$$ = new NFA_Machine(new EpsilonState());
+						Unref($1);
+						}
+					else
+						{
+						$1->MakeRepl(1, $5);
+						$1->MakeOptional();
+						}
+					}
+				else
+					$1->MakeRepl($3, $5);
+				}
+			}
+
+		|  singleton '{' TOK_NUMBER ',' '}'
+			{
+			if ( $3 < 0 )
+				synerr("iteration value must be positive");
+			else if ( $3 == 0 )
+				$1->MakeClosure();
+			else
+				$1->MakeRepl($3, NO_UPPER_BOUND);
+			}
+
+		|  singleton '{' TOK_NUMBER '}'
+			{
+			if ( $3 < 0 )
+				synerr("iteration value must be positive");
+			else if ( $3 == 0 )
+				{
+				Unref($1);
+				$$ = new NFA_Machine(new EpsilonState());
+				}
+			else
+				$1->LinkCopies($3-1);
+			}
+
+		|  '.'
+			{
+			$$ = new NFA_Machine(new NFA_State(rem->AnyCCL()));
+			}
+
+		|  full_ccl
+			{
+			$1->Sort();
+			rem->EC()->CCL_Use($1);
+			$$ = new NFA_Machine(new NFA_State($1));
+			}
+
+		|  TOK_CCL
+			{ $$ = new NFA_Machine(new NFA_State($1)); }
+
+		|  '"' string '"'
+			{ $$ = $2; }
+
+		|  '(' re ')'
+			{ $$ = $2; }
+
+		|  TOK_CHAR
+			{
+			if ( case_insensitive && $1 >= 'A' && $1 <= 'Z' )
+				$1 = clower($1);
+			$$ = new NFA_Machine(new NFA_State($1, rem->EC()));
+			}
+
+		|  '^'
+			{
+			$$ = new NFA_Machine(new NFA_State(SYM_BOL, rem->EC()));
+			$$->MarkBOL();
+			}
+
+		|  '$'
+			{
+			$$ = new NFA_Machine(new NFA_State(SYM_EOL, rem->EC()));
+			$$->MarkEOL();
+			}
+		;
+
+full_ccl	:  '[' ccl ']'
+			{ $$ = $2; }
+
+		|  '[' '^' ccl ']'
+			{
+			$3->Negate();
+			$$ = $3;
+			}
+		;
+
+ccl		:  ccl TOK_CHAR '-' TOK_CHAR
+			{
+			if ( case_insensitive )
+				{
+				if ( $2 >= 'A' && $2 <= 'Z' )
+					$2 = clower($2);
+				if ( $4 >= 'A' && $4 <= 'Z' )
+					$4 = clower($4);
+				}
+
+			if ( $2 > $4 )
+				synerr("negative range in character class");
+
+			else
+				{
+				for ( int i = $2; i <= $4; ++i )
+					$1->Add(i);
+				}
+			}
+
+		|  ccl TOK_CHAR
+			{
+			if ( case_insensitive && $2 >= 'A' && $2 <= 'Z' )
+				$2 = clower($2);
+
+			$1->Add($2);
+			}
+
+		|  ccl ccl_expr
+
+		|
+			{ $$ = curr_ccl; }
+		;
+
+ccl_expr:	   TOK_CCE
+			{
+			for ( int c = 0; c < csize; ++c )
+				if ( isascii(c) && $1(c) )
+					curr_ccl->Add(c);
+			}
+		;
+
+string		:  string TOK_CHAR
+			{
+			if ( case_insensitive && $2 >= 'A' && $2 <= 'Z' )
+				$2 = clower($2);
+
+			$1->AppendState(new NFA_State($2, rem->EC()));
+			}
+
+		|
+			{ $$ = new NFA_Machine(new EpsilonState()); }
+		;
+%%
+
+int clower(int sym)
+	{
+	return (isascii(sym) && isupper(sym)) ?  tolower(sym) : sym;
+	}
+
+void synerr(const char str[])
+	{
+	syntax_error = true;
+	run_time("%s (compiling pattern /%s/)", str, RE_parse_input);
+	}
+
+void yyerror(const char msg[])
+	{
+	}
diff --git a/src/re-scan.l b/src/re-scan.l
new file mode 100644
index 0000000000..fbd85899a4
--- /dev/null
+++ b/src/re-scan.l
@@ -0,0 +1,205 @@
+/* scan.l - scanner for Bro regular expressions */
+
+/*
+ * See the file "COPYING" in the main distribution directory for copyright.
+ */
+
+%{
+// $Id: re-scan.l 6219 2008-10-01 05:39:07Z vern $
+
+#include "CCL.h"
+#include "NFA.h"
+#include "util.h"
+
+#define yylval RE_lval
+
+#include "re-parse.h"
+
+const char* RE_parse_input = 0;
+
+#define RET_CCE(func) \
+	BEGIN(SC_CCL); \
+	yylval.cce_val = func; \
+	return TOK_CCE;
+
+// We need the following because isblank() is not globally available.
+static int my_isblank(int c)	{ return c == ' ' || c == '\t'; }
+
+// And the following so we have portability to systems where these are
+// defined as macros.
+static int my_isalnum(int c)	{ return isalnum(c); }
+static int my_isalpha(int c)	{ return isalpha(c); }
+static int my_iscntrl(int c)	{ return iscntrl(c); }
+static int my_isdigit(int c)	{ return isdigit(c); }
+static int my_isgraph(int c)	{ return isgraph(c); }
+static int my_islower(int c)	{ return islower(c); }
+static int my_isupper(int c)	{ return isupper(c); }
+static int my_isprint(int c)	{ return isprint(c); }
+static int my_ispunct(int c)	{ return ispunct(c); }
+static int my_isspace(int c)	{ return isspace(c); }
+static int my_isxdigit(int c)	{ return isxdigit(c); }
+%}
+
+%option caseless nodefault nostdinit noyywrap
+
+%x SC_NUM SC_QUOTE SC_FIRST_CCL SC_CCL
+
+NAME		([[:alpha:]_][[:alnum:]_-]*)
+
+ESCSEQ		(\\([^\n]|[0-7]+|x[[:xdigit:]]{2}))
+
+FIRST_CCL_CHAR	([^\\\n]|{ESCSEQ})
+CCL_CHAR	([^\\\n\]]|{ESCSEQ})
+CCL_EXPR	("[:"[[:alpha:]]+":]")
+
+%%
+
+<INITIAL>{
+	"^"		return '^';
+	\"		BEGIN(SC_QUOTE); return '"';
+	"{"/[[:digit:]]	BEGIN(SC_NUM); return '{';
+	"$"		return '$';
+
+	"["({FIRST_CCL_CHAR}|{CCL_EXPR})({CCL_CHAR}|{CCL_EXPR})*	{
+			curr_ccl = rem->LookupCCL(yytext);
+			if ( curr_ccl )
+				{
+				if ( yyinput() != ']' )
+					synerr("bad character class");
+				yylval.ccl_val = curr_ccl;
+				return TOK_CCL;
+				}
+			else
+				{
+				curr_ccl = new CCL();
+				rem->InsertCCL(yytext, curr_ccl);
+
+				// Push back everything but the leading bracket
+				// so the ccl can be rescanned.
+				yyless(1);
+
+				BEGIN(SC_FIRST_CCL);
+				return '[';
+				}
+			}
+
+	"{"{NAME}"}"	{
+			char* nmstr = copy_string(yytext+1);
+			nmstr[yyleng - 2] = '\0';  // chop trailing brace
+
+			const char* namedef = rem->LookupDef(nmstr);
+			delete nmstr;
+
+			if ( ! namedef )
+				synerr("undefined definition");
+			else
+				{ // push back name surrounded by ()'s
+				int len = strlen(namedef);
+
+				if ( namedef[0] == '^' ||
+				     (len > 0 && namedef[len - 1] == '$') )
+					{ // don't use ()'s after all
+					for ( int i = len - 1; i >= 0; --i )
+						unput(namedef[i]);
+
+					if ( namedef[0] == '^' )
+						yy_set_bol(1);
+					}
+
+				else
+					{
+					unput(')');
+					for ( int i = len - 1; i >= 0; --i )
+						unput(namedef[i]);
+					unput('(');
+					}
+				}
+			}
+
+	[|*+?.(){}]	return yytext[0];
+	.		yylval.int_val = yytext[0]; return TOK_CHAR;
+	\n		return 0;	// treat as end of pattern
+}
+
+<SC_QUOTE>{
+	[^"\n]$		synerr("missing quote"); return '"';
+	[^"\n]		yylval.int_val = yytext[0]; return TOK_CHAR;
+	\"		BEGIN(INITIAL); return '"';
+}
+
+<SC_FIRST_CCL>{
+	"^"/[^-\]\n]	BEGIN(SC_CCL); return '^';
+	"^"/("-"|"]")	return '^';
+	.		BEGIN(SC_CCL); yylval.int_val = yytext[0]; return TOK_CHAR;
+}
+
+<SC_CCL>{
+	-/[^\]\n]	return '-';
+	[^\]\n]		yylval.int_val = yytext[0]; return TOK_CHAR;
+	"]"		BEGIN(INITIAL); return ']';
+	[^\]]$		{
+			synerr("bad character class");
+			BEGIN(INITIAL);
+			return ']';
+			}
+}
+
+<SC_FIRST_CCL,SC_CCL>{
+	"[:alnum:]"	RET_CCE(my_isalnum)
+	"[:alpha:]"	RET_CCE(my_isalpha)
+	"[:blank:]"	RET_CCE(my_isblank)
+	"[:cntrl:]"	RET_CCE(my_iscntrl)
+	"[:digit:]"	RET_CCE(my_isdigit)
+	"[:graph:]"	RET_CCE(my_isgraph)
+	"[:lower:]"	RET_CCE(my_islower)
+	"[:print:]"	RET_CCE(my_isprint)
+	"[:punct:]"	RET_CCE(my_ispunct)
+	"[:space:]"	RET_CCE(my_isspace)
+	"[:xdigit:]"	RET_CCE(my_isxdigit)
+	"[:upper:]"	{
+			BEGIN(SC_CCL);
+			yylval.cce_val =
+				case_insensitive ? my_isupper : my_islower;
+			return TOK_CCE;
+			}
+
+	{CCL_EXPR}	{
+			synerr("bad character class expression");
+			BEGIN(SC_CCL);
+			yylval.cce_val = my_isalnum;
+			return TOK_CCE;
+			}
+}
+
+<SC_NUM>{
+	[[:digit:]]+	yylval.int_val = atoi(yytext); return TOK_NUMBER;
+
+	","		return ',';
+	"}"		BEGIN(INITIAL); return '}';
+
+	.		{
+			synerr("bad character inside {}'s");
+			BEGIN(INITIAL);
+			return '}';
+			}
+}
+
+<INITIAL,SC_QUOTE,SC_FIRST_CCL,SC_CCL>{ESCSEQ}	{
+			const char* esc_text = yytext + 1;
+			yylval.int_val = expand_escape(esc_text);
+
+			if ( YY_START == SC_FIRST_CCL )
+				BEGIN(SC_CCL);
+
+			return TOK_CHAR;
+			}
+
+<*>.|\n			synerr("bad character");
+
+%%
+
+void RE_set_input(const char* str)
+	{
+	RE_parse_input = str;
+	yy_scan_string(str);
+	}
diff --git a/src/rpc-analyzer.pac b/src/rpc-analyzer.pac
new file mode 100644
index 0000000000..6c455f7028
--- /dev/null
+++ b/src/rpc-analyzer.pac
@@ -0,0 +1,196 @@
+# $Id:$
+
+########################################
+# Protocol Syntax.
+
+%include rpc-protocol.pac
+
+########################################
+# Connections and flows.
+
+# External headers (placed outside the "binpac" namespace).
+%extern{
+#include <map>
+using namespace std;
+%}
+
+# Extensible function for building a Bro Val for the RPC call.
+# See portmap-connection.pac.
+function RPC_BuildCallVal(call: RPC_Call): BroVal =
+	case RPC_Service(call) of {
+		default		-> NULL;
+	};
+
+# Adding extra let-fields to type RPC_Call.
+refine typeattr RPC_Call += &let {
+	start_time: double = network_time();
+
+	# Build the Bro Val.
+	call_val: BroVal = RPC_BuildCallVal(this);
+
+	action_call: bool = $context.flow.ProcessCall(this);
+};
+
+# ... and to RPC_Reply.
+refine typeattr RPC_Reply += &let {
+	status = RPC_Status(this);
+	action_reply: bool = $context.flow.ProcessReply(this);
+};
+
+# RPC status in Bro (this is a repeat of enum rpc_status in const.bif :-().
+enum EnumRPCStatus {
+	RPC_STATUS_SUCCESS	= 0,
+	RPC_STATUS_PROG_UNAVAIL	= 1,
+	RPC_STATUS_PROG_MISMATCH= 2,
+	RPC_STATUS_PROC_UNAVAIL	= 3,
+	RPC_STATUS_GARBAGE_ARGS	= 4,
+	RPC_STATUS_SYSTEM_ERR	= 5,
+	RPC_STATUS_TIMEOUT	= 6,
+	RPC_STATUS_MISMATCH	= 7,
+	RPC_STATUS_AUTH_ERROR	= 8,
+	RPC_STATUS_UNKNOWN_ERROR = 9,
+};
+
+function RPC_Status(reply: RPC_Reply): EnumRPCStatus =
+	case reply.stat of {
+		MSG_ACCEPTED	-> reply.areply.stat;
+		MSG_DENIED	-> case reply.rreply.stat of {
+			RPC_MISMATCH	-> RPC_STATUS_MISMATCH;
+			AUTH_ERROR	-> RPC_STATUS_AUTH_ERROR;
+		};
+	};
+
+# An RPC interpreter.
+connection RPC_Conn(bro_analyzer: BroAnalyzer) {
+	upflow = RPC_Flow(true);
+	downflow = RPC_Flow(false);
+
+	# Returns the call corresponding to the xid. Returns
+	# NULL if not found.
+	function FindCall(xid: uint32): RPC_Call
+		%{
+		RPC_CallTable::const_iterator it = call_table.find(xid);
+		return it == call_table.end() ? 0 : it->second;
+		%}
+
+	function NewCall(xid: uint32, call: RPC_Call): bool
+		%{
+		if ( call_table.find(xid) != call_table.end() )
+			{
+			// Compare retransmission with the original.
+			RPC_Call* orig_call = call_table[xid];
+			if ( RPC_CompareRexmit(orig_call, call) )
+				Weird("RPC_rexmit_inconsistency");
+			return false;
+			}
+		else
+			{
+			// Add reference count to msg.
+			call->msg()->Ref();
+			call_table[xid] = call;
+			return true;
+			}
+		%}
+
+	# Returns true if different.
+	function RPC_CompareRexmit(orig_call: RPC_Call, new_call: RPC_Call): bool
+		%{
+		if ( ${orig_call.msg.length} != ${new_call.msg.length} )
+			return true;
+
+		return memcmp(${orig_call.msg_source_data}.begin(),
+		              ${new_call.msg_source_data}.begin(),
+		              ${orig_call.msg.length}) != 0;
+		%}
+
+	function FinishCall(call: RPC_Call): void
+		%{
+		call_table.erase(call->msg()->xid());
+		Unref(call->msg());
+		%}
+
+	function Timeout(): void
+		%{
+		for ( RPC_CallTable::const_iterator it = call_table.begin();
+		      it != call_table.end(); ++it )
+			{
+			RPC_Call* call = it->second;
+			RPC_CallFailed(this, call, RPC_STATUS_TIMEOUT);
+			Unref(call->msg());
+			}
+
+		call_table.clear();
+		%}
+
+	function Weird(msg: string): void
+		%{
+		bro_analyzer()->Weird(msg.c_str());
+		%}
+
+	%member{
+		typedef ::std::map<uint32, RPC_Call*> RPC_CallTable;
+		RPC_CallTable call_table;
+	%}
+};
+
+# A virtual RPC flow.
+flow RPC_Flow (is_orig: bool) {
+	# An RPC flow consists of RPC_Message datagrams.
+	datagram = RPC_Message withcontext (connection, this);
+
+	function ProcessCall(call: RPC_Call): bool
+		%{
+		if ( ! is_orig() )
+			Weird("responder_RPC_call");
+		return true;
+		%}
+
+	function ProcessReply(reply: RPC_Reply): bool
+		%{
+		if ( is_orig() )
+			Weird("originator_RPC_reply");
+
+		RPC_Call* call = reply->call();
+		if ( ! call )
+			{
+			Weird("unpaired_RPC_response");
+			return false;
+			}
+
+		bro_event_rpc_call(connection()->bro_analyzer(),
+		                   connection()->bro_analyzer()->Conn(),
+		                   call->prog(),
+		                   call->vers(),
+		                   call->proc(),
+		                   reply->status(),
+		                   call->start_time(),
+		                   call->msg()->length(),
+		                   reply->msg()->length());
+
+		if ( ! reply->success() )
+			RPC_CallFailed(connection(), call, reply->status());
+
+		connection()->FinishCall(call);
+
+		return true;
+		%}
+
+	function Weird(msg: string): void
+		%{
+		connection()->Weird(msg);
+		%}
+
+#	TODO: deal with exceptions
+#	exception(e: Exception)
+#		{
+#		Weird(string("bad RPC: ") + e.msg());
+#		}
+};
+
+# Extensible function for handling failed (rejected/timeout) RPC calls.
+function RPC_CallFailed(connection: RPC_Conn,
+                        call: RPC_Call,
+                        status: EnumRPCStatus): bool =
+	case RPC_Service(call) of {
+		default		-> false;
+	};
diff --git a/src/rpc-protocol.pac b/src/rpc-protocol.pac
new file mode 100644
index 0000000000..d70195bac6
--- /dev/null
+++ b/src/rpc-protocol.pac
@@ -0,0 +1,164 @@
+# $Id:$
+
+# RPCv2. RFC 1831: http://www.ietf.org/rfc/rfc1831.txt
+
+# This is an analyzer-independent (almost) description of the RPC protocol.
+
+########################################
+# Constants.
+
+enum RPC_MsgType {
+	RPC_CALL	= 0,
+	RPC_REPLY	= 1,
+};
+
+enum RPC_ReplyStat {
+	MSG_ACCEPTED	= 0,
+	MSG_DENIED	= 1,
+};
+
+enum RPC_AcceptStat {
+	SUCCESS		= 0,
+	PROG_UNAVAIL	= 1,
+	PROG_MISMATCH	= 2,
+	PROC_UNAVAIL	= 3,
+	GARBAGE_ARGS	= 4,
+	SYSTEM_ERR	= 5,
+};
+
+enum RPC_RejectStat {
+	RPC_MISMATCH	= 0,
+	AUTH_ERROR	= 1,
+};
+
+enum RPC_AuthStat {
+	AUTH_OK			= 0,
+
+	# failed at remote end
+	AUTH_BADCRED		= 1,  # bad credential (seal broken)
+	AUTH_REJECTEDCRED	= 2,  # client must begin new session
+	AUTH_BADVERF		= 3,  # bad verifier (seal broken)
+	AUTH_REJECTEDVERF	= 4,  # verifier expired or replayed
+	AUTH_TOOWEAK		= 5,  # rejected for security reasons
+	# failed locally
+	AUTH_INVALIDRESP	= 6,  # bogus response verifier
+	AUTH_FAILED		= 7,  # reason unknown
+};
+
+
+########################################
+
+# To be redef'ed in various protocols.
+function RPC_Service(prog: uint32, vers: uint32): EnumRPCService =
+	case prog of {
+		default -> RPC_SERVICE_UNKNOWN;
+	};
+
+# Param "call" might be NULL for RPC_Results, thus "RPC_Service(call)"
+# rather than simply "call.service".
+
+%code{
+
+inline EnumRPCService RPC_Service(const RPC_Call* call)
+	{
+	// If it's an unpaired response, we ignore it for now and
+	// complain later in the analyzer.
+	return call ? call->service() : RPC_SERVICE_UNKNOWN;
+	}
+%}
+
+
+########################################
+# Data structures.
+
+# Export the source data for each RPC_Message for RPC retransmission checking.
+# With &exportsourcedata, "sourcedata" are defined as members of
+# class RPC_Message.
+
+type RPC_Message = record {
+	xid:		uint32;
+	msg_type:	uint32;
+	msg_body:	case msg_type of {
+		RPC_CALL	-> call:	RPC_Call(this);
+		RPC_REPLY	-> reply:	RPC_Reply(this);
+	} &requires(length);
+} &let {
+	length = sourcedata.length();	# length of the RPC_Message
+} &byteorder = bigendian, &exportsourcedata, &refcount;
+
+type RPC_Call(msg: RPC_Message) = record {
+	rpcvers:	uint32;
+	prog:		uint32;
+	vers:		uint32;
+	proc:		uint32;
+	cred:		RPC_OpaqueAuth;
+	verf:		RPC_OpaqueAuth;
+
+	# Compute 'service' before parsing params.
+	params:		RPC_Params(this) &requires(service);
+} &let {
+	service: EnumRPCService = RPC_Service(prog, vers);
+
+	# Copy the source data for retransmission checking.
+	msg_source_data: bytestring = msg.sourcedata;
+
+	# Register the RPC call by the xid.
+	newcall: bool = context.connection.NewCall(msg.xid, this)
+		&requires(msg_source_data);
+};
+
+type RPC_Reply(msg: RPC_Message) = record {
+	# Find the corresponding RPC call.
+	# Further parsing of reply depends on call.{prog, vers, proc}
+	stat:		uint32;
+	reply:		case stat of {
+		MSG_ACCEPTED	-> areply:	RPC_AcceptedReply(call);
+		MSG_DENIED	-> rreply:	RPC_RejectedReply(call);
+	} &requires(call);
+} &let {
+	call: RPC_Call = context.connection.FindCall(msg.xid);
+	success: bool = (stat == MSG_ACCEPTED && areply.stat == SUCCESS);
+};
+
+type RPC_AcceptedReply(call: RPC_Call) = record {
+	verf:		RPC_OpaqueAuth;
+	stat:		uint32;
+	data:		case stat of {
+		SUCCESS		-> results:	RPC_Results(call);
+		PROG_MISMATCH	-> mismatch:	RPC_MismatchInfo;
+		default		-> other:	empty;
+	};
+};
+
+type RPC_RejectedReply(call: RPC_Call) = record {
+	stat:		uint32;
+	data:		case stat of {
+		RPC_MISMATCH	-> mismatch:	RPC_MismatchInfo;
+		AUTH_ERROR	-> auth_stat:	uint32;	# RPC_AuthStat
+	};
+};
+
+type RPC_MismatchInfo = record {
+	hi:	uint32;
+	low:	uint32;
+};
+
+type RPC_Opaque = record {
+	length:	uint32;
+	data:	uint8[length];
+	pad:	padding align 4;	# pad to 4-byte boundary
+};
+
+type RPC_OpaqueAuth = record {
+	flavor: uint32;
+	opaque: RPC_Opaque;
+};
+
+# To be extended by higher level protocol analyzers. See portmap-protocol.pac.
+type RPC_Params(call: RPC_Call) = case RPC_Service(call) of {
+	default			-> stub: uint8[] &restofdata;
+};
+
+type RPC_Results(call: RPC_Call) = case RPC_Service(call) of {
+	default		-> stub: uint8[] &restofdata;
+};
diff --git a/src/rpc.pac b/src/rpc.pac
new file mode 100644
index 0000000000..486a3f4f5c
--- /dev/null
+++ b/src/rpc.pac
@@ -0,0 +1,19 @@
+# $Id:$
+
+# RPCv2. RFC 1831: http://www.ietf.org/rfc/rfc1831.txt
+
+%include binpac.pac
+%include bro.pac
+
+analyzer SunRPC withcontext {
+	connection:	RPC_Conn;
+	flow:		RPC_Flow;
+};
+
+enum EnumRPCService {
+	RPC_SERVICE_UNKNOWN,
+	RPC_SERVICE_PORTMAP,
+};
+
+%include rpc-analyzer.pac
+%include portmap-analyzer.pac
diff --git a/src/rule-parse.y b/src/rule-parse.y
new file mode 100644
index 0000000000..da3437d9e8
--- /dev/null
+++ b/src/rule-parse.y
@@ -0,0 +1,342 @@
+%{
+/* $Id: rule-parse.y 5988 2008-07-19 07:02:12Z vern $ */
+
+#include <stdio.h>
+#include "RuleMatcher.h"
+
+extern void begin_PS();
+extern void end_PS();
+
+Rule* current_rule = 0;
+const char* current_rule_file = 0;
+%}
+
+%token TOK_COMP
+%token TOK_DISABLE
+%token TOK_DST_IP
+%token TOK_DST_PORT
+%token TOK_ENABLE
+%token TOK_EVAL
+%token TOK_EVENT
+%token TOK_HEADER
+%token TOK_IDENT
+%token TOK_INT
+%token TOK_IP
+%token TOK_IP_OPTIONS
+%token TOK_IP_OPTION_SYM
+%token TOK_IP_PROTO
+%token TOK_PATTERN
+%token TOK_PATTERN_TYPE
+%token TOK_PAYLOAD_SIZE
+%token TOK_PROT
+%token TOK_REQUIRES_SIGNATURE
+%token TOK_REQUIRES_REVERSE_SIGNATURE
+%token TOK_SIGNATURE
+%token TOK_SAME_IP
+%token TOK_SRC_IP
+%token TOK_SRC_PORT
+%token TOK_TCP_STATE
+%token TOK_STRING
+%token TOK_TCP_STATE_SYM
+%token TOK_ACTIVE
+%token TOK_BOOL
+%token TOK_POLICY_SYMBOL
+
+%type <str> TOK_STRING TOK_IDENT TOK_POLICY_SYMBOL TOK_PATTERN pattern string
+%type <val> TOK_INT TOK_TCP_STATE_SYM TOK_IP_OPTION_SYM TOK_COMP
+%type <val> integer ipoption_list tcpstate_list
+%type <rule> rule
+%type <bl> TOK_BOOL
+%type <hdr_test> hdr_expr
+%type <range> range rangeopt
+%type <vallist> value_list
+%type <mval> TOK_IP value
+%type <prot> TOK_PROT
+%type <ptype> TOK_PATTERN_TYPE
+
+%union {
+	Rule* rule;
+	RuleHdrTest* hdr_test;
+	maskedvalue_list* vallist;
+
+	bool bl;
+	int val;
+	char* str;
+	MaskedValue mval;
+	RuleHdrTest::Prot prot;
+	Range range;
+	Rule::PatternType ptype;
+}
+
+%%
+
+rule_list:
+		rule_list rule
+			{ rule_matcher->AddRule($2); }
+	|
+	;
+
+rule:
+		TOK_SIGNATURE TOK_IDENT
+			{
+			Location l(current_rule_file, rules_line_number+1, 0, 0, 0);
+			current_rule = new Rule(yylval.str, l);
+			}
+		'{' rule_attr_list '}'
+			{ $$ = current_rule; }
+	;
+
+rule_attr_list:
+		rule_attr_list rule_attr
+	|
+	;
+
+rule_attr:
+		TOK_DST_IP TOK_COMP value_list
+			{
+			current_rule->AddHdrTest(new RuleHdrTest(
+				RuleHdrTest::IP, 16, 4,
+				(RuleHdrTest::Comp) $2, $3));
+			}
+
+	|	TOK_DST_PORT TOK_COMP value_list
+			{ // Works for both TCP and UDP
+			current_rule->AddHdrTest(new RuleHdrTest(
+				RuleHdrTest::TCP, 2, 2,
+				(RuleHdrTest::Comp) $2, $3));
+			}
+
+	|	TOK_EVAL { begin_PS(); } TOK_POLICY_SYMBOL { end_PS(); }
+			{
+			current_rule->AddCondition(new RuleConditionEval($3));
+			}
+
+	|	TOK_HEADER hdr_expr
+			{ current_rule->AddHdrTest($2); }
+
+	|	TOK_IP_OPTIONS ipoption_list
+			{
+			current_rule->AddCondition(
+				new RuleConditionIPOptions($2));
+			}
+
+	|	TOK_IP_PROTO TOK_COMP TOK_PROT
+			{
+			int proto = 0;
+			switch ( $3 ) {
+			case RuleHdrTest::ICMP: proto = 1; break;
+			case RuleHdrTest::IP: proto = 0; break;
+			case RuleHdrTest::TCP: proto = 6; break;
+			case RuleHdrTest::UDP: proto = 17; break;
+			default:
+				rules_error("internal_error: unknown protocol");
+			}
+
+			if ( proto )
+				{
+				maskedvalue_list* vallist = new maskedvalue_list;
+				MaskedValue* val = new MaskedValue();
+
+				val->val = proto;
+				val->mask = 0xffffffff;
+				vallist->append(val);
+
+				current_rule->AddHdrTest(new RuleHdrTest(
+					RuleHdrTest::IP, 9, 1,
+					(RuleHdrTest::Comp) $2, vallist));
+				}
+			}
+
+	|	TOK_IP_PROTO TOK_COMP value_list
+			{
+			current_rule->AddHdrTest(new RuleHdrTest(
+				RuleHdrTest::IP, 9, 1,
+				(RuleHdrTest::Comp) $2, $3));
+			}
+
+	|	TOK_EVENT string
+			{ current_rule->AddAction(new RuleActionEvent($2)); }
+
+	|	TOK_ENABLE TOK_STRING
+			{ current_rule->AddAction(new RuleActionEnable($2)); }
+
+	|	TOK_DISABLE TOK_STRING
+			{ current_rule->AddAction(new RuleActionDisable($2)); }
+
+	|	TOK_PATTERN_TYPE pattern
+			{ current_rule->AddPattern($2, $1); }
+
+	|	TOK_PATTERN_TYPE '[' rangeopt ']' pattern
+			{
+			if ( $3.offset > 0 )
+				warn("Offsets are currently ignored for patterns");
+			current_rule->AddPattern($5, $1, 0, $3.len);
+			}
+
+	|	TOK_PAYLOAD_SIZE TOK_COMP integer
+			{
+			current_rule->AddCondition(
+				new RuleConditionPayloadSize($3, (RuleConditionPayloadSize::Comp) ($2)));
+			}
+
+	|	TOK_REQUIRES_SIGNATURE TOK_IDENT
+			{ current_rule->AddRequires($2, 0, 0); }
+
+	|	TOK_REQUIRES_SIGNATURE '!' TOK_IDENT
+			{ current_rule->AddRequires($3, 0, 1); }
+
+	|	TOK_REQUIRES_REVERSE_SIGNATURE TOK_IDENT
+			{ current_rule->AddRequires($2, 1, 0); }
+
+	|	TOK_REQUIRES_REVERSE_SIGNATURE '!' TOK_IDENT
+			{ current_rule->AddRequires($3, 1, 1); }
+
+	|	TOK_SAME_IP
+			{ current_rule->AddCondition(new RuleConditionSameIP()); }
+
+	|	TOK_SRC_IP TOK_COMP value_list
+			{
+			current_rule->AddHdrTest(new RuleHdrTest(
+				RuleHdrTest::IP, 12, 4,
+				(RuleHdrTest::Comp) $2, $3));
+			}
+
+	|	TOK_SRC_PORT TOK_COMP value_list
+			{ // Works for both TCP and UDP
+			current_rule->AddHdrTest(new RuleHdrTest(
+				RuleHdrTest::TCP, 0, 2,
+				(RuleHdrTest::Comp) $2, $3));
+			}
+
+	|	TOK_TCP_STATE tcpstate_list
+			{
+			current_rule->AddCondition(new RuleConditionTCPState($2));
+			}
+
+	|	TOK_ACTIVE TOK_BOOL
+			{ current_rule->SetActiveStatus($2); }
+	;
+
+hdr_expr:
+		TOK_PROT '[' range ']' '&' integer TOK_COMP value
+			{
+			maskedvalue_list* vallist = new maskedvalue_list;
+			MaskedValue* val = new MaskedValue();
+
+			val->val = $8.val;
+			val->mask = $6;
+			vallist->append(val);
+
+			$$ = new RuleHdrTest($1, $3.offset, $3.len,
+					(RuleHdrTest::Comp) $7, vallist);
+			}
+
+	|	TOK_PROT '[' range ']' TOK_COMP value_list
+			{
+			$$ = new RuleHdrTest($1, $3.offset, $3.len,
+						(RuleHdrTest::Comp) $5, $6);
+			}
+	;
+
+value_list:
+		value_list ',' value
+			{ $1->append(new MaskedValue($3)); $$ = $1; }
+	|	value_list ',' TOK_IDENT
+			{ id_to_maskedvallist($3, $1); $$ = $1; }
+	|	value
+			{
+			$$ = new maskedvalue_list();
+			$$->append(new MaskedValue($1));
+			}
+	|	TOK_IDENT
+			{
+			$$ = new maskedvalue_list();
+			id_to_maskedvallist($1, $$);
+			}
+	;
+
+value:
+		TOK_INT
+			{ $$.val = $1; $$.mask = 0xffffffff; }
+	|	TOK_IP
+	;
+
+rangeopt:
+		range
+			{ $$ = $1; }
+	|	':' integer
+			{ $$.offset = 0; $$.len = $2; }
+	|	integer ':'
+			{ $$.offset = $1; $$.len = UINT_MAX; }
+	;
+
+range:
+		integer
+			{ $$.offset = $1; $$.len = 1; }
+	|	integer ':' integer
+			{ $$.offset = $1; $$.len = $3; }
+	;
+
+ipoption_list:
+		ipoption_list ',' TOK_IP_OPTION_SYM
+			{ $$ = $1 | $3; }
+	|	TOK_IP_OPTION_SYM
+			{ $$ = $1; }
+	;
+
+tcpstate_list:
+		tcpstate_list ',' TOK_TCP_STATE_SYM
+			{ $$ = $1 | $3; }
+	|	TOK_TCP_STATE_SYM
+			{ $$ = $1; }
+	;
+
+integer:
+		TOK_INT
+			{ $$ = $1; }
+	|	TOK_IDENT
+			{ $$ = id_to_uint($1); }
+	;
+
+string:
+		TOK_STRING
+			{ $$ = $1; }
+	|	TOK_IDENT
+			{ $$ = id_to_str($1); }
+	;
+
+pattern:
+		TOK_PATTERN
+			{ $$ = $1; }
+	|	TOK_IDENT
+			{ $$ = id_to_str($1); }
+	;
+
+%%
+
+void rules_error(const char* msg)
+	{
+	fprintf(stderr, "Error in signature (%s:%d): %s\n",
+			current_rule_file, rules_line_number+1, msg);
+	rule_matcher->SetParseError();
+	}
+
+void rules_error(const char* msg, const char* addl)
+	{
+	fprintf(stderr, "Error in signature (%s:%d): %s (%s)\n",
+			current_rule_file, rules_line_number+1, msg, addl);
+	rule_matcher->SetParseError();
+	}
+
+void rules_error(Rule* r, const char* msg)
+	{
+	const Location& l = r->GetLocation();
+	fprintf(stderr, "Error in signature %s (%s:%d): %s\n",
+			r->ID(), l.filename, l.first_line, msg);
+	rule_matcher->SetParseError();
+	}
+
+int rules_wrap(void)
+	{
+	return 1;
+	}
diff --git a/src/rule-scan.l b/src/rule-scan.l
new file mode 100644
index 0000000000..0c444543b2
--- /dev/null
+++ b/src/rule-scan.l
@@ -0,0 +1,190 @@
+/* $Id: rule-scan.l 6914 2009-09-22 00:35:24Z vern $ */
+
+%{
+typedef unsigned int uint32;
+
+#include <string.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include "RuleMatcher.h"
+#include "rule-parse.h"
+
+int rules_line_number = 0;
+%}
+
+%x PS
+
+WS	[ \t]+
+D	[0-9]+
+H	[0-9a-fA-F]+
+STRING	\"([^\n\"]|\\\")*\"
+ID	[0-9a-zA-Z_-]+
+RE	\/(\\\/)?([^/]|[^\\]\\\/)*\/
+META	\.[^ \t]+{WS}[^\n]+
+PID	([0-9a-zA-Z_-]|"::")+
+
+%option nounput nodefault
+
+%%
+
+<*>{
+	#.*	/* eat comments */
+	{WS}	/* eat white space */
+	{META}	/* eat any meta-data/comments */
+	\n	++rules_line_number;
+}
+
+[!\]\[{}&:,]	return rules_text[0];
+
+"<="	{ rules_lval.val = RuleHdrTest::LE; return TOK_COMP; }
+">="	{ rules_lval.val = RuleHdrTest::GE; return TOK_COMP; }
+"<"	{ rules_lval.val = RuleHdrTest::LT; return TOK_COMP; }
+">"	{ rules_lval.val = RuleHdrTest::GT; return TOK_COMP; }
+"="	{ rules_lval.val = RuleHdrTest::EQ; return TOK_COMP; }
+"=="	{ rules_lval.val = RuleHdrTest::EQ; return TOK_COMP; }
+"!="	{ rules_lval.val = RuleHdrTest::NE; return TOK_COMP; }
+
+ip	{ rules_lval.val = RuleHdrTest::IP; return TOK_PROT; }
+icmp	{ rules_lval.val = RuleHdrTest::ICMP; return TOK_PROT; }
+tcp	{ rules_lval.val = RuleHdrTest::TCP; return TOK_PROT; }
+udp	{ rules_lval.val = RuleHdrTest::UDP; return TOK_PROT; }
+
+true	{ rules_lval.val = true; return TOK_BOOL; }
+false	{ rules_lval.val = false; return TOK_BOOL; }
+
+established	{
+		rules_lval.val = RuleConditionTCPState::STATE_ESTABLISHED;
+		return TOK_TCP_STATE_SYM;
+		}
+
+originator	{
+		rules_lval.val = RuleConditionTCPState::STATE_ORIG;
+		return TOK_TCP_STATE_SYM;
+		}
+
+responder	{
+		rules_lval.val = RuleConditionTCPState::STATE_RESP;
+		return TOK_TCP_STATE_SYM;
+		}
+
+stateless	{
+		rules_lval.val = RuleConditionTCPState::STATE_STATELESS;
+		return TOK_TCP_STATE_SYM;
+		}
+
+lsrr		{
+		rules_lval.val = RuleConditionIPOptions::OPT_LSRR;
+		return TOK_IP_OPTION_SYM;
+		}
+
+lsrre		{
+		rules_lval.val = RuleConditionIPOptions::OPT_LSRRE;
+		return TOK_IP_OPTION_SYM;
+		}
+
+rr		{
+		rules_lval.val = RuleConditionIPOptions::OPT_RR;
+		return TOK_IP_OPTION_SYM;
+		}
+
+ssrr		{
+		rules_lval.val = RuleConditionIPOptions::OPT_SSRR;
+		return TOK_IP_OPTION_SYM;
+		}
+
+disable	return TOK_DISABLE;
+dst-ip		return TOK_DST_IP;
+dst-port	return TOK_DST_PORT;
+enable		return TOK_ENABLE;
+eval		return TOK_EVAL;
+event		return TOK_EVENT;
+header		return TOK_HEADER;
+ip-options	return TOK_IP_OPTIONS;
+ip-proto	return TOK_IP_PROTO;
+payload-size	return TOK_PAYLOAD_SIZE;
+requires-signature	return TOK_REQUIRES_SIGNATURE;
+requires-reverse-signature	return TOK_REQUIRES_REVERSE_SIGNATURE;
+signature	return TOK_SIGNATURE;
+same-ip		return TOK_SAME_IP;
+src-ip		return TOK_SRC_IP;
+src-port	return TOK_SRC_PORT;
+tcp-state	return TOK_TCP_STATE;
+active		return TOK_ACTIVE;
+
+payload	{ rules_lval.val = Rule::PAYLOAD; return TOK_PATTERN_TYPE; }
+http-request	{ rules_lval.val = Rule::HTTP_REQUEST; return TOK_PATTERN_TYPE; }
+http-request-body	{ rules_lval.val = Rule::HTTP_REQUEST_BODY; return TOK_PATTERN_TYPE; }
+http-reply-body	{ rules_lval.val = Rule::HTTP_REPLY_BODY; return TOK_PATTERN_TYPE; }
+http-body	{ rules_lval.val = Rule::HTTP_REPLY_BODY; return TOK_PATTERN_TYPE; }
+http-request-header	{ rules_lval.val = Rule::HTTP_REQUEST_HEADER; return TOK_PATTERN_TYPE; }
+http-reply-header	{ rules_lval.val = Rule::HTTP_REPLY_HEADER; return TOK_PATTERN_TYPE; }
+http	{ rules_lval.val = Rule::HTTP_REQUEST; return TOK_PATTERN_TYPE; }
+
+ftp	{ rules_lval.val = Rule::FTP; return TOK_PATTERN_TYPE; }
+finger	{ rules_lval.val = Rule::FINGER; return TOK_PATTERN_TYPE; }
+
+{D}("."{D}){3}"/"{D}	{
+	char* s = strchr(yytext, '/');
+	*s++ = '\0';
+
+	rules_lval.mval.mask = ~((1 << (32 - atoi(s))) - 1);
+	rules_lval.mval.val = ntohl(inet_addr(yytext)) & rules_lval.mval.mask;
+
+	return TOK_IP;
+	}
+
+{D}("."{D}){3}	{
+	rules_lval.mval.val = ntohl(inet_addr(yytext));
+	rules_lval.mval.mask = 0xffffffff;
+	return TOK_IP;
+	}
+
+{D}	{
+	rules_lval.val = (uint32) atoi(yytext);
+	return TOK_INT;
+	}
+
+0x{H}	{
+	rules_lval.val = (uint32) strtol(yytext, 0, 16);
+	return TOK_INT;
+	}
+
+
+{STRING}	{
+	*(yytext + strlen(yytext) - 1) = '\0';
+	rules_lval.str = yytext + 1;
+	return TOK_STRING;
+	}
+
+{ID}	{
+	rules_lval.str = yytext;
+	return TOK_IDENT;
+	}
+
+<PS>{PID}	{
+	rules_lval.str = yytext;
+	return TOK_POLICY_SYMBOL;
+	}
+
+{RE}	{
+	*(yytext + strlen(yytext) - 1) = '\0';
+	rules_lval.str = yytext + 1;
+	return TOK_PATTERN;
+	}
+
+<*>.	rules_error("unrecognized character in input", yytext);
+
+%%
+
+// We're about to parse a Bro policy-layer symbol.
+void begin_PS()
+	{
+	BEGIN(PS);
+	}
+
+void end_PS()
+	{
+	BEGIN(INITIAL);
+	}
diff --git a/src/scan.l b/src/scan.l
new file mode 100644
index 0000000000..0d479dc44e
--- /dev/null
+++ b/src/scan.l
@@ -0,0 +1,783 @@
+/* $Id: scan.l 6510 2009-01-08 14:51:04Z vern $ */
+%{
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include <errno.h>
+
+#include "input.h"
+#include "util.h"
+#include "Scope.h"
+#include "DNS_Mgr.h"
+#include "Expr.h"
+#include "Func.h"
+#include "Stmt.h"
+#include "Var.h"
+#include "Debug.h"
+#include "PolicyFile.h"
+#include "broparse.h"
+
+#include <stack>
+
+extern YYLTYPE yylloc;	// holds start line and column of token
+extern int print_loaded_scripts;
+
+int nwarn = 0;
+int nerr = 0;
+int nruntime = 0;
+
+// Track the @if... depth.
+ptr_compat_int current_depth = 0;
+
+declare(List,ptr_compat_int);
+typedef List(ptr_compat_int) int_list;
+int_list if_stack;
+
+int line_number = 1;
+int include_level = 0;
+const char* filename = 0;
+
+char last_tok[128];
+
+#define YY_USER_ACTION	strncpy(last_tok, yytext, sizeof(last_tok) - 1);
+#define YY_USER_INIT	last_tok[0] = '\0';
+
+// We define our own YY_INPUT because we want to trap the case where
+// a read fails.
+#define YY_INPUT(buf,result,max_size) \
+	if ( ((result = fread(buf, 1, max_size, yyin)) == 0) && ferror(yyin) ) \
+		error(fmt("read failed with \"%s\"", strerror(errno)));
+
+// Files we have already scanned (or are in the process of scanning).
+static PList(char) files_scanned;
+
+class FileInfo {
+public:
+	FileInfo(string restore_module = "");
+	~FileInfo();
+
+	YY_BUFFER_STATE buffer_state;
+	string restore_module;
+	const char* name;
+	int line;
+	int level;
+};
+
+// A stack of input buffers we're scanning.  file_stack[len-1] is the
+// top of the stack.
+declare(PList,FileInfo);
+static PList(FileInfo) file_stack;
+
+#define RET_CONST(v) \
+	{ \
+	yylval.val = v; \
+	return TOK_CONSTANT; \
+	}
+
+// Returns true if the file is new, false if it's already been scanned.
+static int load_files_with_prefix(const char* file);
+
+// If print_loaded_files is true, print current filename if we haven't
+// reported it already.
+static void report_file();
+
+// ### TODO: columns too - use yyless with '.' action?
+%}
+
+%option nounput nodefault
+
+%x RE
+%x IGNORE
+
+OWS	[ \t]*
+WS	[ \t]+
+D	[0-9]+
+HEX	[0-9a-fA-F]+
+IDCOMPONENT [A-Za-z_][A-Za-z_0-9]*
+ID	{IDCOMPONENT}(::{IDCOMPONENT})*
+FILE	[^ \t\n]+
+PREFIX	[^ \t\n]+
+FLOAT	(({D}*"."?{D})|({D}"."?{D}*))([eE][-+]?{D})?
+H	[A-Za-z0-9][A-Za-z0-9\-]*
+ESCSEQ	(\\([^\n]|[0-7]+|x[[:xdigit:]]+))
+
+%%
+
+#.*	/* eat comments */
+
+{WS}	/* eat whitespace */
+
+<INITIAL,IGNORE>\n	{
+			report_file();
+			++line_number;
+			++yylloc.first_line;
+			++yylloc.last_line;
+			}
+
+[!%*/+\-,:;<=>?()\[\]{}~$|]	return yytext[0];
+
+"--"	return TOK_DECR;
+"++"	return TOK_INCR;
+
+"+="	return TOK_ADD_TO;
+"-="	return TOK_REMOVE_FROM;
+
+"=="	return TOK_EQ;
+"!="	return TOK_NE;
+">="	return TOK_GE;
+"<="	return TOK_LE;
+
+"&&"	return TOK_AND;
+"||"	return TOK_OR;
+
+add	return TOK_ADD;
+addr	return TOK_ADDR;
+alarm	return TOK_ALARM;
+any	return TOK_ANY;
+bool	return TOK_BOOL;
+break	return TOK_BREAK;
+case	return TOK_CASE;
+const	return TOK_CONST;
+copy	return TOK_COPY;
+count	return TOK_COUNT;
+counter	return TOK_COUNTER;
+default	return TOK_DEFAULT;
+delete	return TOK_DELETE;
+double	return TOK_DOUBLE;
+else	return TOK_ELSE;
+enum	return TOK_ENUM;
+event	return TOK_EVENT;
+export	return TOK_EXPORT;
+file	return TOK_FILE;
+for	return TOK_FOR;
+function	return TOK_FUNCTION;
+global	return TOK_GLOBAL;
+global_attr	return TOK_GLOBAL_ATTR;
+"?$"	return TOK_HAS_FIELD;
+"?$$"	return TOK_HAS_ATTR;
+if	return TOK_IF;
+in	return TOK_IN;
+"!"{OWS}in/[^A-Za-z0-9]	return TOK_NOT_IN;	/* don't confuse w "! infoo"! */
+int	return TOK_INT;
+interval	return TOK_INTERVAL;
+list	return TOK_LIST;
+local	return TOK_LOCAL;
+match	return TOK_MATCH;
+module	return TOK_MODULE;
+net	return TOK_NET;
+next	return TOK_NEXT;
+of	return TOK_OF;
+pattern	return TOK_PATTERN;
+port	return TOK_PORT;
+print	return TOK_PRINT;
+record	return TOK_RECORD;
+redef	return TOK_REDEF;
+return	return TOK_RETURN;
+schedule	return TOK_SCHEDULE;
+set	return TOK_SET;
+string	return TOK_STRING;
+subnet	return TOK_SUBNET;
+switch	return TOK_SWITCH;
+table	return TOK_TABLE;
+this	return TOK_THIS;
+time	return TOK_TIME;
+timeout	return TOK_TIMEOUT;
+timer	return TOK_TIMER;
+type	return TOK_TYPE;
+union	return TOK_UNION;
+using	return TOK_USING;
+vector	return TOK_VECTOR;
+when	return TOK_WHEN;
+
+&add_func	return TOK_ATTR_ADD_FUNC;
+&attr		return TOK_ATTR_ATTR;
+&create_expire	return TOK_ATTR_EXPIRE_CREATE;
+&default	return TOK_ATTR_DEFAULT;
+&delete_func	return TOK_ATTR_DEL_FUNC;
+&disable_print_hook	return TOK_ATTR_DISABLE_PRINT_HOOK;
+&raw_output return TOK_ATTR_RAW_OUTPUT;
+&encrypt	return TOK_ATTR_ENCRYPT;
+&expire_func	return TOK_ATTR_EXPIRE_FUNC;
+&group		return TOK_ATTR_GROUP;
+&mergeable	return TOK_ATTR_MERGEABLE;
+&optional	return TOK_ATTR_OPTIONAL;
+&persistent	return TOK_ATTR_PERSISTENT;
+&priority	return TOK_ATTR_PRIORITY;
+&read_expire	return TOK_ATTR_EXPIRE_READ;
+&redef		return TOK_ATTR_REDEF;
+&rotate_interval	return TOK_ATTR_ROTATE_INTERVAL;
+&rotate_size		return TOK_ATTR_ROTATE_SIZE;
+&synchronized	return TOK_ATTR_SYNCHRONIZED;
+&write_expire	return TOK_ATTR_EXPIRE_WRITE;
+
+@DEBUG	return TOK_DEBUG;	// marks input for debugger
+
+@load{WS}{FILE}	{
+	const char* new_file = skip_whitespace(yytext + 5);	// Skip "@load".
+	(void) load_files_with_prefix(new_file);
+	}
+
+@unload{WS}{FILE}	{
+	// Skip "@unload".
+	const char* new_file = skip_whitespace(yytext + 7);
+
+	// All we have to do is pretend we've already scanned it.
+	files_scanned.append(copy_string(new_file));
+	}
+
+@prefixes{WS}("+"?)={WS}{PREFIX}	{
+	char* pref = skip_whitespace(yytext + 9);	// Skip "@prefixes".
+
+	int append = 0;
+	if ( *pref == '+' )
+		{
+		append = 1;
+		++pref;
+		}
+
+	pref = skip_whitespace(pref + 1);	// Skip over '='.
+
+	if ( ! append )
+		while ( prefixes.length() > 1 )	// don't delete "" prefix
+			delete prefixes.remove_nth(1);
+
+	add_to_name_list(pref, ':', prefixes);
+	}
+
+@if	return TOK_ATIF;
+@ifdef	return TOK_ATIFDEF;
+@ifndef	return TOK_ATIFNDEF;
+@else   return TOK_ATELSE;
+@endif	--current_depth;
+
+<IGNORE>@if	++current_depth;
+<IGNORE>@ifdef	++current_depth;
+<IGNORE>@ifndef	++current_depth;
+<IGNORE>@else   return TOK_ATELSE;
+<IGNORE>@endif	return TOK_ATENDIF;
+<IGNORE>[^@\n]+	/* eat */
+<IGNORE>.	/* eat */
+
+T	RET_CONST(new Val(true, TYPE_BOOL))
+F	RET_CONST(new Val(false, TYPE_BOOL))
+
+{ID}	{
+	yylval.str = copy_string(yytext);
+	return TOK_ID;
+	}
+
+{D}		{
+ 		// TODO: check if we can use strtoull instead of atol, 
+		// and similarly for {HEX}.
+		RET_CONST(new Val(static_cast<unsigned int>(atol(yytext)), 
+			  TYPE_COUNT))		
+		}
+{FLOAT}		RET_CONST(new Val(atof(yytext), TYPE_DOUBLE))
+
+{D}"/tcp"	{
+		uint32 p = atoi(yytext);
+		if ( p > 65535 )
+			{
+			error("bad port number -", yytext);
+			p = 0;
+			}
+		RET_CONST(new PortVal(p, TRANSPORT_TCP))
+		}
+{D}"/udp"	{
+		uint32 p = atoi(yytext);
+		if ( p > 65535 )
+			{
+			error("bad port number -", yytext);
+			p = 0;
+			}
+		RET_CONST(new PortVal(p, TRANSPORT_UDP))
+		}
+{D}"/icmp"	{
+		uint32 p = atoi(yytext);
+		if ( p > 255 )
+			{
+			error("bad port number -", yytext);
+			p = 0;
+			}
+		RET_CONST(new PortVal(p, TRANSPORT_ICMP))
+		}
+{D}"/unknown"	{
+		uint32 p = atoi(yytext);
+		if ( p > 255 )
+			{
+			error("bad port number -", yytext);
+			p = 0;
+			}
+		RET_CONST(new PortVal(p, TRANSPORT_UNKNOWN))
+		}
+
+{D}"."{D}"."		RET_CONST(new NetVal(yytext))
+({D}"."){2}{D}		RET_CONST(new NetVal(yytext))
+({D}"."){3}{D}		RET_CONST(new AddrVal(yytext))
+
+({HEX}:){7}{HEX}	RET_CONST(new AddrVal(yytext))
+
+0x{HEX}({HEX}|:)*"::"({HEX}|:)*	RET_CONST(new AddrVal(yytext+2))
+(({D}|:)({HEX}|:)*)?"::"({HEX}|:)*	RET_CONST(new AddrVal(yytext))
+
+"0x"{HEX}+	RET_CONST(new Val(static_cast<bro_uint_t>(strtol(yytext, 0, 16)), TYPE_COUNT))
+
+{H}("."{H})+		RET_CONST(dns_mgr->LookupHost(yytext))
+
+{FLOAT}{OWS}day(s?)	RET_CONST(new IntervalVal(atof(yytext),Days))
+{FLOAT}{OWS}hr(s?)	RET_CONST(new IntervalVal(atof(yytext),Hours))
+{FLOAT}{OWS}min(s?)	RET_CONST(new IntervalVal(atof(yytext),Minutes))
+{FLOAT}{OWS}sec(s?)	RET_CONST(new IntervalVal(atof(yytext),Seconds))
+{FLOAT}{OWS}msec(s?)	RET_CONST(new IntervalVal(atof(yytext),Milliseconds))
+{FLOAT}{OWS}usec(s?)	RET_CONST(new IntervalVal(atof(yytext),Microseconds))
+
+\"([^\\\n\"]|{ESCSEQ})*\"	{
+	const char* text = yytext;
+	int len = strlen(text) + 1;
+	int i = 0;
+
+	char* s = new char[len];
+
+	// Skip leading quote.
+	for ( ++text; *text; ++text )
+		{
+		if ( *text == '\\' )
+			{
+			++text;	// skip '\'
+			s[i++] = expand_escape(text);
+			--text;	// point to end of sequence
+			}
+		else
+			{
+			s[i++] = *text;
+			if ( i >= len )
+				internal_error("bad string length computation");
+			}
+		}
+
+	// Get rid of trailing quote.
+	if ( s[i-1] != '"' )
+		internal_error("string scanning confused");
+
+	s[i-1] = '\0';
+
+	RET_CONST(new StringVal(new BroString(1, (byte_vec) s, i-1)))
+	}
+
+<RE>([^/\\\n]|{ESCSEQ})+	{
+	yylval.str = copy_string(yytext);
+	return TOK_PATTERN_TEXT;
+	}
+
+<RE>[/\\\n]	return yytext[0];
+
+<*>.	error("unrecognized character -", yytext);
+
+<<EOF>>	last_tok[0] = '\0'; return EOF;
+
+%%
+
+YYLTYPE GetCurrentLocation()
+	{
+	static YYLTYPE currloc;
+
+	currloc.filename = filename;
+	currloc.first_line = currloc.last_line = line_number;
+
+	return currloc;
+	}
+
+static int load_files_with_prefix(const char* orig_file)
+	{
+	loop_over_list(files_scanned, j)
+		{
+		if ( streq(files_scanned[j], orig_file) )
+			return 0;
+		}
+
+	// Be sure to copy "orig_file", since it could be an alias
+	// for yytext, which is ephemeral and will be zapped
+	// if we do a yy_switch_to_buffer() below.
+	char* file = copy_string(orig_file);
+
+	// Whether we pushed on a FileInfo that will restore the
+	// current module after the final file has been scanned. 
+	bool did_module_restore = false;
+
+	files_scanned.append(file);
+
+	// If the file has a .bro extension, add a second version to the list
+	// of known files which has it stripped.
+	char* ext = strrchr(file, '.');
+	if ( ext && streq(ext, ".bro") )
+		{
+		char* s = copy_string(file);
+		s[ext - file] = '\0';
+		files_scanned.append(s);
+		}
+
+	// Note, we need to loop through the prefixes backwards, since
+	// we push them onto a stack, with the last one we push on the
+	// stack being the first one we will scan.
+	for ( int i = prefixes.length() - 1; i >= 0; --i )
+		{
+		const char* prefix = prefixes[i];
+
+		const char* full_filename = "<internal error>";
+		FILE* f;
+
+		if ( streq(file, "-") )
+			{
+			f = stdin;
+			full_filename = "<stdin>";
+
+			if ( g_policy_debug )
+				{
+				debug_msg("Warning: can't use debugger while reading policy from stdin; turning off debugging.\n");
+				g_policy_debug = false;
+				}
+			}
+
+		else
+			{
+			int n = strlen(prefix) + strlen(file) + 2;
+			char* new_filename = new char[n];
+
+			if ( prefix[0] )
+				sprintf(new_filename, "%s.%s", prefix, file);
+			else
+				strcpy(new_filename, file);
+
+			f = search_for_file(new_filename, "bro", &full_filename);
+
+			delete [] new_filename;
+			}
+
+		if ( f )
+			{
+			if ( g_policy_debug )
+				{
+				// Add the filename to the file mapping
+				// table (Debug.h).
+				Filemap* map = new Filemap;
+
+				// Make sure it wasn't already read in.
+				HashKey* key = new HashKey(full_filename);
+				if ( g_dbgfilemaps.Lookup(key) )
+					{
+					// warn("Not re-reading policy file; check BRO_PREFIXES:", full_filename);
+					fclose(f);
+					delete key;
+					continue;
+					}
+				else
+					{
+					g_dbgfilemaps.Insert(key, map);
+					}
+
+				if ( full_filename )
+					LoadPolicyFileText(full_filename);
+				}
+
+			// Remember where we were.  If this is the first
+			// file being pushed on the stack, i.e., the *last*
+			// one that will be processed, then we want to
+			// restore the module scope in which this @load
+			// was done when we're finished processing it.
+			if ( ! did_module_restore )
+				{
+				file_stack.append(new FileInfo(current_module));
+				did_module_restore = true;
+				}
+			else
+				file_stack.append(new FileInfo);
+
+			yy_switch_to_buffer(yy_create_buffer(f, YY_BUF_SIZE));
+
+			yylloc.first_line = yylloc.last_line = line_number = 1;
+
+			// Don't delete the old filename - it's pointed to by
+			// every BroObj created when parsing it.
+			yylloc.filename = filename = full_filename;
+			}
+
+		else
+			{
+			if ( streq(prefixes[i], "") )
+				{
+				error("can't open", full_filename);
+				exit(1);
+				}
+			}
+		}
+
+	return 1;
+	}
+
+void begin_RE()
+	{
+	BEGIN(RE);
+	}
+
+void end_RE()
+	{
+	BEGIN(INITIAL);
+	}
+
+void do_atif(Expr* expr)
+	{
+	++current_depth;
+
+	Val* val = expr->Eval(0);
+	if ( ! val->AsBool() )
+		{
+		if_stack.append(current_depth);
+		BEGIN(IGNORE);
+		}
+	}
+
+void do_atifdef(const char* id)
+	{
+	++current_depth;
+
+	if ( ! lookup_ID(id, current_module.c_str()) )
+		{
+		if_stack.append(current_depth);
+		BEGIN(IGNORE);
+		}
+	}
+
+void do_atifndef(const char *id)
+	{
+	++current_depth;
+
+	if ( lookup_ID(id, current_module.c_str()) )
+		{
+		if_stack.append(current_depth);
+		BEGIN(IGNORE);
+		}
+	}
+
+void do_atelse()
+	{
+	if ( current_depth == 0 )
+		error("@else without @if...");
+
+	if ( if_stack.length() && current_depth > if_stack.last() )
+		return;
+
+	if ( YY_START == INITIAL )
+		{
+		if_stack.append(current_depth);
+		BEGIN(IGNORE);
+		}
+	else
+		{
+		if_stack.get();
+		BEGIN(INITIAL);
+		}
+	}
+
+void do_atendif()
+	{
+	if ( current_depth == 0 )
+		error("unbalanced @if... @endif");
+
+	if ( current_depth == if_stack.last() )
+		{
+		BEGIN(INITIAL);
+		if_stack.get();
+		}
+
+	--current_depth;
+	}
+
+// Be careful to never delete things from this list, as the strings
+// are referred to (in order to save the locations of tokens and statements,
+// for error reporting and debugging).
+static name_list input_files;
+
+const char* get_current_input_filename()
+	{
+	return ::filename;
+	}
+
+void add_input_file(const char* file)
+	{
+	if ( ! file )
+		internal_error("empty filename");
+
+	if ( ! filename )
+		(void) load_files_with_prefix(file);
+	else
+		input_files.append(copy_string(file));
+	}
+
+void add_to_name_list(char* s, char delim, name_list& nl)
+	{
+	while ( s )
+		{
+		char* s_delim = strchr(s, delim);
+		if ( s_delim )
+			*s_delim = 0;
+
+		nl.append(copy_string(s));
+
+		if ( s_delim )
+			s = s_delim + 1;
+		else
+			break;
+		}
+	}
+
+int yywrap()
+	{
+	if ( nerr > 0 )
+		return 1;
+
+	--include_level;
+
+	if ( ! did_builtin_init && file_stack.length() == 1 )
+		{
+		// ### This is a gross hack - we know that the first file
+		// we parse is bro.init, and after it it's safe to initialize
+		// the built-ins.  Furthermore, we want to initialize the
+		// built-in's *right* after parsing bro.init, so that other
+		// source files can use built-in's when initializing globals.
+		init_builtin_funcs();
+		}
+
+	yy_delete_buffer(YY_CURRENT_BUFFER);
+
+	delete file_stack.remove_nth(file_stack.length() - 1);
+
+	if ( YY_CURRENT_BUFFER )
+		// There's more on the stack to scan.
+		return 0;
+
+	// Stack is now empty.
+	while ( input_files.length() > 0 )
+		{
+		if ( load_files_with_prefix(input_files[0]) )
+			{
+			// Don't delete the filename - it's pointed to by
+			// every BroObj created when parsing it.
+			(void) input_files.remove_nth(0);
+			return 0;
+			}
+
+		// We already scanned the file.  Pop it and try the next,
+		// if any.
+		(void) input_files.remove_nth(0);
+		}
+
+	// Add redef statements for any X=Y command line parameters.
+	if ( params.size() > 0 )
+		{
+		string policy;
+
+		for ( unsigned int i = 0; i < params.size(); ++i )
+			{
+			char* param = copy_string(params[i].c_str());
+			char* eq = strchr(param, '=');
+			char* val = eq + 1;
+
+			*eq = '\0';
+
+			if ( strlen(val) == 0 )
+				{
+				delete [] param;
+				continue;
+				}
+
+			// Try to find the type of the param, and interpret
+			// the value intelligently for that type.  (So far,
+			// that just means quoting the value if it's a
+			// string type.)  If no type is found, the value
+			// is left unchanged.
+			string opt_quote;	// no optional quote by default
+			Val* v = opt_internal_val(param);
+
+			if ( v && v->Type() && v->Type()->Tag() == TYPE_STRING )
+				opt_quote = "\"";	// use quotes
+
+			policy += string("redef ") + param + "="
+					+ opt_quote + val + opt_quote + ";";
+
+			delete [] param;
+			}
+
+		params.clear();
+		yylloc.filename = filename = "<params>";
+		yy_scan_string(policy.c_str());
+		return 0;
+		}
+
+	// If we got this far, then we ran out of files. Check if the user
+	// specified additional code on the command line, if so, parse it.
+	// Use a synthetic filename, and add an extra semicolon on its own
+	// line (so that things like @load work), so that a semicolon is
+	// not strictly necessary.
+	if ( command_line_policy )
+		{
+		int tmp_len = strlen(command_line_policy) + 32;
+		char* tmp = new char[tmp_len];
+		snprintf(tmp, tmp_len, "%s\n;\n", command_line_policy);
+		yylloc.filename = filename = "<command line>";
+
+		yy_scan_string(tmp);
+		delete [] tmp;
+
+		// Make sure we do not get here again:
+		command_line_policy = 0;
+
+		return 0;
+		}
+
+	// Otherwise, we are done.
+	return 1;
+	}
+
+FileInfo::FileInfo(string arg_restore_module)
+	{
+	buffer_state = YY_CURRENT_BUFFER;
+	restore_module = arg_restore_module;
+	name = ::filename;
+	line = ::line_number;
+	level = ::include_level;
+	}
+
+FileInfo::~FileInfo()
+	{
+	if ( yyin && yyin != stdin )
+		fclose(yyin);
+
+	yy_switch_to_buffer(buffer_state);
+	yylloc.filename = filename = name;
+	yylloc.first_line = yylloc.last_line = line_number = line;
+	include_level = level;
+
+	if ( restore_module != "" )
+		current_module = restore_module;
+	}
+
+static void report_file()
+	{
+	if ( ! print_loaded_scripts || ! filename )
+		return;
+
+	static PList(char) files_reported;
+
+	loop_over_list(files_reported, i)
+		{
+		if ( streq(files_reported[i], filename) )
+			return;
+		}
+
+	for ( int i = include_level - 1; i >= 0; --i )
+		fprintf(stderr, "   ");
+	fprintf(stderr, "loading %s\n", filename);
+
+	++include_level;
+	files_reported.append(copy_string(filename));
+	}
+
diff --git a/src/setsignal.c b/src/setsignal.c
new file mode 100644
index 0000000000..f5263bb06d
--- /dev/null
+++ b/src/setsignal.c
@@ -0,0 +1,58 @@
+/*
+ * See the file "COPYING" in the main distribution directory for copyright.
+ */
+
+#ifndef lint
+static const char rcsid[] =
+    "@(#) $Id: setsignal.c 6219 2008-10-01 05:39:07Z vern $ (LBL)";
+#endif
+
+#include "config.h"			/* must appear before first ifdef */
+
+#include <sys/types.h>
+
+#ifdef HAVE_MEMORY_H
+#include <memory.h>
+#endif
+#include <signal.h>
+#ifdef HAVE_SIGACTION
+#include <string.h>
+#endif
+
+#include "setsignal.h"
+
+/*
+ * An os independent signal() with BSD semantics, e.g. the signal
+ * catcher is restored following service of the signal.
+ *
+ * When sigset() is available, signal() has SYSV semantics and sigset()
+ * has BSD semantics and call interface. Unfortunately, Linux does not
+ * have sigset() so we use the more complicated sigaction() interface
+ * there.
+ *
+ * Did I mention that signals suck?
+ */
+RETSIGTYPE
+(*setsignal (int sig, RETSIGTYPE (*func)(int)))(int)
+{
+#ifdef HAVE_SIGACTION
+	struct sigaction old, new;
+
+	memset(&new, 0, sizeof(new));
+	new.sa_handler = func;
+#ifdef SA_RESTART
+	new.sa_flags |= SA_RESTART;
+#endif
+	if (sigaction(sig, &new, &old) < 0)
+		return (SIG_ERR);
+	return (old.sa_handler);
+
+#else
+#ifdef HAVE_SIGSET
+	return (sigset(sig, func));
+#else
+	return (signal(sig, func));
+#endif
+#endif
+}
+
diff --git a/src/setsignal.h b/src/setsignal.h
new file mode 100644
index 0000000000..8bacdca8db
--- /dev/null
+++ b/src/setsignal.h
@@ -0,0 +1,10 @@
+/*
+ * See the file "COPYING" in the main distribution directory for copyright.
+ *
+ * @(#) $Id: setsignal.h 6219 2008-10-01 05:39:07Z vern $ (LBL)
+ */
+#ifndef setsignal_h
+#define setsignal_h
+
+RETSIGTYPE (*setsignal(int, RETSIGTYPE (*)(int)))(int);
+#endif
diff --git a/src/smb-mailslot.pac b/src/smb-mailslot.pac
new file mode 100644
index 0000000000..a386ae105c
--- /dev/null
+++ b/src/smb-mailslot.pac
@@ -0,0 +1,94 @@
+
+enum SMB_MailSlot_opcode {
+	HOST_ANNOUNCEMENT		= 1,
+	ANNOUCEMENT_REQUEST	= 2,
+	REQUEST_ELECTION		= 8,
+	GET_BACKUP_LIST_REQUEST = 9,
+	GET_BACKUP_LIST_RESPONSE	= 10,
+	BECOME_BACKUP_REQUEST		= 11, #uncommon
+	DOMAIN_ANNOUNCEMENT		= 12,
+	MASTER_ANNOUNCEMENT	= 13, #uncommon
+	RESET_BROWSER_STATE	= 14, #uncommon
+	LOCAL_MASTER_ANNOUNCEMENT = 15,
+};
+
+type SMB_MailSlot_message( unicode: bool, byte_count: uint16 ) = record {
+
+	opcode : uint8;
+	data : SMB_MailSlot_command( unicode, opcode, byte_count );
+
+} &byteorder = littleendian;
+
+type SMB_MailSlot_command(unicode: bool, code: uint8, byte_count: uint16 ) = case code of {
+	HOST_ANNOUNCEMENT		-> announce : SMB_MailSlot_host_announcement(unicode);
+	ANNOUCEMENT_REQUEST	-> announce_req : SMB_MailSlot_announcement_request(unicode);
+	REQUEST_ELECTION		-> election_req : SMB_MailSlot_request_election(unicode);
+	GET_BACKUP_LIST_REQUEST -> get_backup_req : SMB_MailSlot_get_backup_list_request(unicode);
+	GET_BACKUP_LIST_RESPONSE	-> get_backup_resp : SMB_MailSlot_get_backup_list_response(unicode);
+	DOMAIN_ANNOUNCEMENT		-> domain_announce : SMB_MailSlot_domain_announcement(unicode);
+	LOCAL_MASTER_ANNOUNCEMENT -> lm_announce : SMB_MailSlot_local_master_announcement(unicode);
+	default -> data : bytestring &restofdata;
+} &byteorder = littleendian;
+
+type SMB_MailSlot_host_announcement(unicode: bool) = record {
+	update_count : uint8;
+	periodicity : uint32;
+	server_name : SMB_string(unicode, offsetof(server_name));
+	os_major_ver : uint8;
+	os_minor_ver : uint8;
+	server_type : uint32;
+	bro_major_ver : uint8;
+	bro_minor_ver : uint8;
+	signature : uint16;
+	comment : SMB_string(unicode, offsetof(comment));
+} &byteorder = littleendian;
+
+type SMB_MailSlot_announcement_request(unicode: bool) = record {
+	unused : uint8;
+	response_name : SMB_string(unicode, offsetof(response_name));
+} &byteorder = littleendian;
+
+type SMB_MailSlot_request_election(unicode: bool) = record {
+	version : uint8;
+	criteria : uint32;
+	uptime : uint32;
+	reserved : uint32;
+	server_name : SMB_string(unicode, offsetof(server_name));
+} &byteorder = littleendian;
+
+type SMB_MailSlot_get_backup_list_request(unicode: bool) = record {
+	req_count : uint8;
+	token : uint32;
+} &byteorder = littleendian;
+
+type SMB_MailSlot_get_backup_list_response(unicode: bool) = record {
+	backup_count : uint8;
+	token : uint32;
+	backup_list : SMB_string(unicode, offsetof(backup_list));
+} &byteorder = littleendian;
+
+type SMB_MailSlot_domain_announcement(unicode: bool) = record {
+	update_count : uint8;
+	periodicity : uint32;
+	server_name : SMB_string(unicode, offsetof(server_name));
+	os_major_ver : uint8;
+	os_minor_ver : uint8;
+	server_type : uint32;
+	bro_major_ver : uint8;
+	bro_minor_ver : uint8;
+	signature : uint16;
+	comment : SMB_string(unicode, offsetof(comment));
+} &byteorder = littleendian;
+
+type SMB_MailSlot_local_master_announcement(unicode: bool) = record {
+	update_count : uint8;
+	periodicity : uint32;
+	server_name : SMB_string(unicode, offsetof(server_name));
+	os_major_ver : uint8;
+	os_minor_ver : uint8;
+	server_type : uint32;
+	bro_major_ver : uint8;
+	bro_minor_ver : uint8;
+	signature : uint16;
+	comment : SMB_string(unicode, offsetof(comment));
+} &byteorder = littleendian;
diff --git a/src/smb-pipe.pac b/src/smb-pipe.pac
new file mode 100644
index 0000000000..aa8f7a4db3
--- /dev/null
+++ b/src/smb-pipe.pac
@@ -0,0 +1,19 @@
+# this won't work correctly yet, since sometimes the parameters
+# field in the transaction takes up all of the data field
+
+type SMB_Pipe_message( unicode: bool, byte_count: uint16, sub_cmd: uint16 ) = record { 
+
+	# there's a problem with byte_count here, not sure why ... its
+	# not the real length of the rest of the packet
+	data : bytestring &restofdata; 
+
+} &byteorder = littleendian;
+
+type SMB_RAP_message( unicode: bool, byte_count: uint16 ) = record { 
+
+	rap_code : uint16;
+	param_desc : SMB_string(unicode, offsetof(param_desc) );
+	data_desc : SMB_string(unicode, offsetof(data_desc) );
+	data : bytestring &restofdata; 
+
+} &byteorder = littleendian;
diff --git a/src/smb-protocol.pac b/src/smb-protocol.pac
new file mode 100644
index 0000000000..b00613f16c
--- /dev/null
+++ b/src/smb-protocol.pac
@@ -0,0 +1,467 @@
+# $Id$
+#
+# CIFS/SMB
+
+# TODO:
+# - Built support for unicode strings
+# - Unicode as an implicit attribute (as byteorder)
+# - &truncation_ok attribute for the last field of a record to deal with partial data
+
+enum TransactionType {
+	SMB_MAILSLOT_BROWSE, # \MAILSLOT\BROWSE - MS Browse Protocol
+	SMB_MAILSLOT_LANMAN, # \MAILSLOT\LANMAN - deprecated cmds
+	SMB_PIPE, # \PIPE\* named pipes?
+	SMB_RAP, # \PIPE\LANMAN - remote administration protocol
+	SMB_UNKNOWN, # there's probably lots of these
+};
+
+function extract_string(s: SMB_string) : const_bytestring
+	%{
+	int length = 0;
+
+	char* buf;
+	const char* sp;
+
+	if( s->val_case_index() == 0 )
+		{
+		length = s->a()->size();
+		buf = new char[ length ];
+
+		for( int i = 0; i < length; i++)
+			{
+			unsigned char t = (*(s->a()))[i];
+			buf[i] = t;
+			}
+		}
+	else
+		{
+		length = s->u()->s()->size();
+		buf = new char[ length ];
+
+		for( int i = 0; i < length; i++)
+			{
+			unsigned short temp = (*(s->u()->s()))[i];
+			buf[i] = temp & 0xff;
+			}
+		}
+
+	return bytestring((uint8*) buf, length);
+	%}
+
+function determine_transaction_type(setup_count: int, name: SMB_string): TransactionType
+	%{
+	// This logic needs to be verified! the relationship between
+	// setup_count and type is very unclear.
+	if ( name == NULL )
+		return SMB_UNKNOWN;
+
+	if ( bytestring_caseprefix( extract_string(name),
+			"\\PIPE\\LANMAN" ) )
+		{
+		return SMB_RAP;
+		}
+	else if ( bytestring_caseprefix( extract_string(name),
+			"\\MAILSLOT\\LANMAN" ) )
+		{
+		return SMB_MAILSLOT_LANMAN;
+		//return SMB_MAILSLOT_BROWSE;
+		}
+	else if ( bytestring_caseprefix( extract_string(name),
+			"\\MAILSLOT\\NET\\NETLOGON" ) )
+		{
+		/* Don't really know what to do here, its got a Mailslot
+		 * type but its a depricated packet format that handles
+		 * old windows logon
+		 */
+		return SMB_UNKNOWN;
+		}
+	else if(setup_count == 2 ||
+			bytestring_caseprefix( extract_string(name), "\\PIPE\\" ) )
+		{
+		return SMB_PIPE;
+		}
+	else if (setup_count == 3 ||
+			bytestring_caseprefix( extract_string(name), "\\MAILSLOT\\" ) )
+		{
+		return SMB_MAILSLOT_BROWSE;
+		}
+	else
+		return SMB_UNKNOWN;
+	%}
+
+function name_string(trans: SMB_transaction): SMB_string
+	%{
+	if( trans->trans_type() == 1 )
+		return trans->name();
+	else
+		return NULL;
+	%}
+
+
+type SMB_dos_error = record {
+	error_class	: uint8;
+	reserved	: uint8;
+	error		: uint16;
+};
+
+type SMB_error (err_status_type: int) = case err_status_type of {
+	0 -> dos_error: SMB_dos_error;
+	1 -> status: int32;
+};
+
+type SMB_header = record {
+	protocol	: bytestring &length = 4;
+	command		: uint8;
+	status		: SMB_error(err_status_type);
+	flags		: uint8;
+	flags2		: uint16;
+	pad		: padding[12];
+	tid		: uint16;
+	pid		: uint16;
+	uid		: uint16;
+	mid		: uint16;
+} &let {
+	err_status_type = (flags2 >> 14) & 1;
+	unicode = (flags2 >> 15) & 1;
+} &byteorder = littleendian;
+
+# TODO: compute this as
+# let smb_header_length = sizeof(SMB_header);
+let smb_header_length = 32;
+
+type SMB_body = record {
+	word_count	: uint8;
+	parameter_words : uint16[word_count];
+	byte_count	: uint16;
+	# buffer	: uint8[byte_count];
+} &let {
+	body_length = 1 + word_count * 2 + 2 + byte_count;
+} &byteorder = littleendian;
+
+type SMB_ascii_string		= uint8[] &until($element == 0);
+type SMB_unicode_string(offset: int) = record {
+	pad	: padding[offset & 1];
+	s	: uint16[] &until($element == 0);
+};
+
+type SMB_string(unicode: bool, offset: int) = case unicode of {
+	true	-> u: SMB_unicode_string(offset);
+	false	-> a: SMB_ascii_string;
+};
+
+type SMB_time = record {
+	two_seconds : uint16;
+	minutes	: uint16;
+	hours		: uint16;
+} &byteorder = littleendian;
+
+type SMB_date = record {
+	day		: uint16;
+	month		: uint16;
+	year		: uint16;
+} &byteorder = littleendian;
+
+type SMB_andx = record {
+	command		: uint8;
+	reserved	: uint8;
+	offset		: uint16;
+} &refcount;
+
+type SMB_generic_andx = record {
+	word_count	: uint8;
+	andx_u		: case word_count of {
+		0	-> null : empty;
+		default -> andx	: SMB_andx;
+	};
+	data		: bytestring &restofdata;
+} &byteorder = littleendian;
+
+type SMB_dialect = record {
+	bufferformat	: uint8;	# must be 0x2
+	dialectname	: SMB_ascii_string;
+};
+
+type SMB_negotiate = record {
+	word_count	: uint8;	# must be 0
+	byte_count	: uint16;
+	dialects	: SMB_dialect[] &length = byte_count;
+} &byteorder = littleendian;
+
+type SMB_negotiate_response = record {
+	word_count  : uint8; # should be 1
+	dialect_index : uint16;
+	byte_count  : uint16; # should be 0
+} &byteorder = littleendian;
+
+type SMB_negotiate_response_long(unicode: bool) = record {
+	word_count  : uint8; # should be 13
+	dialect_index : uint16;
+	security_mode : uint16; # bit 0: 0=share 1=user, bit 1: 1=chalenge/response
+	max_buffer_size : uint16;
+	max_mpx_count : uint16;
+	max_number_vcs : uint16;
+	raw_mode : uint16;
+	session_key : uint32;
+	server_time : SMB_time;
+	server_date : SMB_date;
+	server_tz	: uint16;
+	enc_key_len : uint16;
+	reserved	: uint16; # must be 0
+	byte_count : uint16;
+	encryption_key : uint8[enc_key_len];
+	primary_domain : SMB_string(unicode, offsetof(primary_domain));
+} &byteorder = littleendian;
+
+# pre NT LM 0.12
+type SMB_setup_andx_basic(unicode: bool) = record {
+	word_count	: uint8;
+	andx		: SMB_andx;
+	max_buffer_size : uint16;
+	max_mpx_count	: uint16;
+	vc_number	: uint16;
+	session_key	: uint32;
+	passwd_length	: uint8;
+	reserved	: uint32;
+	byte_count	: uint8;
+	password	: uint8[passwd_length];
+	name		: SMB_string(unicode, offsetof(name));
+	domain		: SMB_string(unicode, offsetof(domain));
+	native_os	: SMB_string(unicode, offsetof(native_os));
+	native_lanman	: SMB_string(unicode, offsetof(native_lanman));
+} &byteorder = littleendian;
+
+type SMB_setup_andx_basic_response(unicode: bool) = record {
+	word_count	: uint8;
+	andx		: SMB_andx;
+	action		: uint8;
+	byte_count	: uint8;
+	native_os	: SMB_string(unicode, offsetof(native_os));
+	native_lanman	: SMB_string(unicode, offsetof(native_lanman));
+	primary_domain	: SMB_string(unicode, offsetof(primary_domain));
+} &byteorder = littleendian;
+
+# NT LM 0.12 && CAP_EXTENDED_SECURITY
+type SMB_setup_andx_ext(unicode: bool) = record {
+	word_count	: uint8;
+	andx		: SMB_andx;
+	max_buffer_size : uint16;
+	max_mpx_count	: uint16;
+	vc_number	: uint16;
+	session_key	: uint32;
+	security_length : uint8;
+	reserved	: uint32;
+	capabilities	: uint32;
+	byte_count	: uint8;
+	security_blob	: uint8[security_length];
+	native_os	: SMB_string(unicode, offsetof(native_os));
+	native_lanman	: SMB_string(unicode, offsetof(native_lanman));
+} &byteorder = littleendian;
+
+type SMB_setup_andx_ext_response(unicode: bool) = record {
+	word_count	: uint8;
+	andx		: SMB_andx;
+	action		: uint8;
+	security_length : uint8;
+	byte_count	: uint8;
+	security_blob	: uint8[security_length];
+	native_os	: SMB_string(unicode, offsetof(native_os));
+	native_lanman	: SMB_string(unicode, offsetof(native_lanman));
+	primary_domain	: SMB_string(unicode, offsetof(primary_domain));
+} &byteorder = littleendian;
+
+type SMB_logoff_andx(unicode: bool) = record {
+	word_count	: uint8;
+	andx		: SMB_andx;
+	byte_count	: uint16;
+} &byteorder = littleendian;
+
+type SMB_tree_connect_andx(unicode: bool) = record {
+	word_count	: uint8;
+	andx		: SMB_andx;
+	flags		: uint16;
+	password_length	: uint16;
+	byte_count	: uint16;
+	password	: uint8[password_length];
+	path		: SMB_string(unicode, offsetof(path));
+	service		: SMB_ascii_string;
+} &byteorder = littleendian;
+
+type SMB_close(unicode: bool) = record {
+	word_count  : uint8;
+	fid		: uint16;
+	time		: SMB_time;
+	byte_count  : uint16;
+} &byteorder = littleendian;
+
+type SMB_tree_disconnect(unicode: bool) = record {
+	word_count	: uint8;
+	byte_count	: uint16;
+} &byteorder = littleendian;
+
+type SMB_nt_create_andx(unicode: bool) = record {
+	word_count	: uint8;
+	andx		: SMB_andx;
+	reserved	: uint8;
+	name_length	: uint16;
+	flags		: uint32;
+	rest_words	: uint8[word_count * 2 - 11];
+	byte_count	: uint16;
+	name		: SMB_string(unicode, offsetof(name));
+} &byteorder = littleendian;
+
+type SMB_read_andx = record {
+	word_count	: uint8;
+	andx		: SMB_andx;
+	fid		: uint16;
+	offset		: uint32;
+	max_count	: uint16;
+	min_count	: uint16;
+	max_count_high	: uint16;
+	remaining	: uint16;
+	offset_high_u	: case word_count of {
+		12-> offset_high : uint32;
+		10-> null : empty;
+	};
+	byte_count	: uint16;
+} &byteorder = littleendian;
+
+type SMB_read_andx_response = record {
+	word_count	: uint8;
+	andx		: SMB_andx;
+	remaining	: uint16;
+	data_compact	: uint16;
+	reserved	: uint16;
+	data_len	: uint16;
+	data_offset	: uint16;
+	data_len_high	: uint16;
+	reserved2	: uint16[4];
+	byte_count	: uint16;
+	pad		: padding[padding_length];
+	data		: bytestring &length = data_length;
+	# Chris: the length here is causing problems - could we be having
+	# issues with the packet format or is the data_length just not
+	# right. The problem is that the padding isn't always filled right,
+	# espeically when its not the first command in the packet.
+	#data		: bytestring &restofdata;
+} &let {
+	data_length = data_len_high * 0x10000 + data_len;
+	padding_length = byte_count - data_length;
+} &byteorder = littleendian;
+
+type SMB_write_andx = record {
+	word_count	: uint8;
+	andx		: SMB_andx;
+	fid		: uint16;
+	offset		: uint32;
+	reserved	: uint32;
+	write_mode	: uint16;
+	remaining	: uint16;
+	data_len_high	: uint16;
+	data_len	: uint16;
+	data_offset	: uint16;
+	rest_words	: uint8[word_count * 2 - offsetof(rest_words) + 1];
+	byte_count	: uint16;
+	pad		: padding to data_offset - smb_header_length;
+	data		: bytestring &length = data_length;
+} &let {
+	data_length = data_len_high * 0x10000 + data_len;
+} &byteorder = littleendian;
+
+type SMB_write_andx_response = record {
+	word_count	: uint8;
+	andx		: SMB_andx;
+	count		: uint16;	# written bytes
+	remaining	: uint16;
+	reserved	: uint32;
+	byte_count	: uint16;
+} &byteorder = littleendian;
+
+type SMB_transaction_data(unicode: bool, count: uint16, sub_cmd: uint16,
+				trans_type: TransactionType ) = case trans_type of {
+
+	SMB_MAILSLOT_BROWSE -> mailslot : SMB_MailSlot_message(unicode, count);
+	SMB_MAILSLOT_LANMAN -> lanman : SMB_MailSlot_message(unicode, count);
+	SMB_RAP -> rap	: SMB_Pipe_message(unicode, count, sub_cmd);
+	SMB_PIPE -> pipe : SMB_Pipe_message(unicode, count, sub_cmd);
+	SMB_UNKNOWN -> unknown : bytestring &restofdata;
+	default -> data : bytestring &restofdata;
+
+};
+
+type SMB_transaction(trans_type: int, unicode: bool) = record {
+	word_count		: uint8;
+	total_param_count	: uint16;
+	total_data_count	: uint16;
+	max_param_count		: uint16;
+	max_data_count		: uint16;
+	max_setup_count		: uint8;
+	reserved		: uint8;
+	flags			: uint16;
+	timeout			: uint32;
+	reserved2		: uint16;
+	param_count		: uint16;
+	param_offset	: uint16;
+	data_count		: uint16;
+	data_offset		: uint16;
+	setup_count		: uint8;
+	reserved3		: uint8;
+	setup			: uint16[setup_count];
+	byte_count		: uint16;
+	name_u			: case trans_type of {
+		1 -> name: SMB_string(unicode, offsetof(name_u));
+		2 -> null: empty;
+		};
+	pad0			: padding to param_offset - smb_header_length;
+	parameters		: bytestring &length = param_count;
+	pad1			: padding to data_offset - smb_header_length;
+	data			: SMB_transaction_data(unicode, data_count, sub_cmd,
+						determine_transaction_type( setup_count, name_string( this )));
+} &let {
+	# does this work?
+	sub_cmd : uint16 = setup_count ? setup[0] : 0;
+
+} &byteorder = littleendian;
+
+type SMB_transaction_secondary(unicode: bool) = record {
+	word_count		: uint8;
+	total_param_count	: uint16;
+	total_data_count	: uint16;
+	param_count		: uint16;
+	param_offset		: uint16;
+	param_displacement	: uint16;
+	data_count		: uint16;
+	data_offset		: uint16;
+	data_displacement	: uint16;
+	fid			: uint16;
+	byte_count		: uint16;
+	pad0			: padding to param_offset - smb_header_length;
+	parameters		: bytestring &length = param_count;
+	pad1			: padding to data_offset - smb_header_length;
+	data			: SMB_transaction_data(unicode, data_count, 0, SMB_UNKNOWN);
+} &byteorder = littleendian;
+
+type SMB_transaction_response(unicode: bool) = record {
+	word_count		: uint8;
+	total_param_count	: uint16;
+	total_data_count	: uint16;
+	reserved		: uint16;
+	param_count		: uint16;
+	param_offset		: uint16;
+	param_displacement	: uint16;
+	data_count		: uint16;
+	data_offset		: uint16;
+	data_displacement	: uint16;
+	setup_count		: uint8;
+	reserved2		: uint8;
+	setup			: uint16[setup_count];
+	byte_count		: uint16;
+	pad0			: padding to param_offset - smb_header_length;
+	parameters		: bytestring &length = param_count;
+	pad1			: padding to data_offset - smb_header_length;
+	data			: SMB_transaction_data(unicode, data_count, 0, SMB_UNKNOWN);
+} &byteorder = littleendian;
+
+type SMB_get_dfs_referral(unicode: bool) = record {
+	max_referral_level	: uint16;
+	file_name		: SMB_string(unicode, offsetof(file_name));
+} &byteorder = littleendian;
diff --git a/src/smb-rw.bif b/src/smb-rw.bif
new file mode 100644
index 0000000000..49cfeeaa24
--- /dev/null
+++ b/src/smb-rw.bif
@@ -0,0 +1,16 @@
+rewriter smb_header%(is_orig: bool, hdr: smb_hdr%)
+	%{
+	const int is_orig = 0;
+
+	@WRITE@(is_orig, 1, "\xff");
+	@WRITE@(is_orig, 3, "SMB");
+	@WRITE@(is_orig, 1, hdr->command);
+	@WRITE@(is_orig, 4, hdr->error);
+	@WRITE@(is_orig, 1, hdr->flags);
+	@WRITE@(is_orig, 2, hdr->flags2);
+	@WRITE@(is_orig, 6, "\x0\x0\x0\x0\x0\x0");
+	@WRITE@(is_orig, 6, "\x0\x0\x0\x0\x0\x0");
+	@WRITE@(is_orig, 2, hdr->tid);
+	@WRITE@(is_orig, 2, hdr->pid);
+	@WRITE@(is_orig, 2, hdr->mid);
+	%}
diff --git a/src/smb.pac b/src/smb.pac
new file mode 100644
index 0000000000..4bd2c34bc5
--- /dev/null
+++ b/src/smb.pac
@@ -0,0 +1,10 @@
+# $Id: smb.pac 3929 2007-01-14 00:37:59Z vern $
+
+%include binpac.pac
+%include bro.pac
+
+analyzer SMB withcontext { };
+
+%include smb-protocol.pac
+%include smb-mailslot.pac
+%include smb-pipe.pac
diff --git a/src/smtp-rw.bif b/src/smtp-rw.bif
new file mode 100644
index 0000000000..a74ce776c2
--- /dev/null
+++ b/src/smtp-rw.bif
@@ -0,0 +1,45 @@
+rewriter smtp_request%(is_orig: bool, command: string, arg: string%)
+	%{
+	if ( command->Len() > 0 )
+		{
+		u_char ch = command->Bytes()[0];
+
+		if ( isalpha(ch) )
+			{ // Do not dump artificial commands: ">", ".", "***"
+			@WRITE@(is_orig, command->AsString());
+			@WRITE@(is_orig, 1, " ");
+			}
+		}
+
+	@WRITE@(is_orig, arg->AsString());
+	@WRITE@(is_orig, 2, "\r\n");
+	%}
+
+rewriter smtp_reply%(is_orig: bool, code: count, msg: string, cont_resp: bool%)
+	%{
+	const char* str = fmt("%lu", (unsigned long) code);
+	int len = strlen(str);
+
+	@WRITE@(is_orig, len, str);
+
+	if ( cont_resp )
+		@WRITE@(is_orig, "-");
+	else
+		@WRITE@(is_orig, " ");
+
+	@WRITE@(is_orig, msg->AsString());
+	@WRITE@(is_orig, "\r\n");
+	%}
+
+# Since SMTP data is delivered by lines ending with CRLF, this
+# function takes a line without the trailing CRLF and dumps the string
+# followed by CRLF. If you want to dump multiple lines, please dump
+# them one at a time (without trailing CRLF's).
+rewriter smtp_data%(is_orig: bool, data: string%)
+	%{
+	if ( data->Len() > 0 && data->Bytes()[0] == '.')
+		@WRITE@(is_orig, ".");
+
+	@WRITE@(is_orig, data->AsString());
+	@WRITE@(is_orig, "\r\n");
+	%}
diff --git a/src/ssl-analyzer.pac b/src/ssl-analyzer.pac
new file mode 100644
index 0000000000..bbebdc0fa3
--- /dev/null
+++ b/src/ssl-analyzer.pac
@@ -0,0 +1,578 @@
+# $Id:$
+
+# Analyzer for SSL (Bro-specific part).
+
+%extern{
+#include <vector>
+#include <algorithm>
+#include <iostream>
+#include <iterator>
+
+#include "util.h"
+
+#ifdef USE_OPENSSL
+#include <openssl/x509.h>
+#include <openssl/x509_vfy.h>
+#include "X509.h"
+#endif
+%}
+
+
+%header{
+	class extract_certs {
+	public:
+		bytestring const& operator() (X509Certificate* cert) const
+			{
+			return cert->certificate();
+			}
+	};
+
+#ifdef USE_OPENSSL
+	void free_X509(void *);
+	X509* d2i_X509_binpac(X509** px, const uint8** in, int len);
+#endif
+	%}
+
+%code{
+#ifdef USE_OPENSSL
+	void free_X509(void* cert)
+		{
+		X509_free((X509*) cert);
+		}
+
+	X509* d2i_X509_binpac(X509** px, const uint8** in, int len)
+		{
+#ifdef OPENSSL_D2I_X509_USES_CONST_CHAR
+		return d2i_X509(px, in, len);
+#else
+		return d2i_X509(px, (u_char**) in, len);
+#endif
+		}
+
+#endif
+%}
+
+
+function to_table_val(data : uint8[]) : TableVal
+	%{
+	TableVal* tv = new TableVal(SSL_sessionID);
+	for ( unsigned int i = 0; i < data->size(); i += 4 )
+		{
+		uint32 temp = 0;
+		for ( unsigned int j = 0; j < 4; ++j )
+		if ( i + j < data->size() )
+			temp |= (*data)[i + j] << (24 - 8 * j);
+
+		Val* idx = new Val(i / 4, TYPE_COUNT);
+		tv->Assign(idx, new Val((*data)[i], TYPE_COUNT));
+		Unref(idx);
+		}
+
+	return tv;
+	%}
+
+function version_ok(vers : uint16) : bool
+	%{
+	switch ( vers ) {
+	case SSLv20:
+	case SSLv30:
+	case TLSv10:
+	case TLSv11:
+		return true;
+
+	default:
+		return false;
+	}
+	%}
+
+function convert_ciphers_uint24(ciph : uint24[]) : int[]
+	%{
+	vector<int>* newciph = new vector<int>();
+
+	std::transform(ciph->begin(), ciph->end(),
+	std::back_inserter(*newciph), to_int());
+
+	return newciph;
+	%}
+
+function convert_ciphers_uint16(ciph : uint16[]) : int[]
+	%{
+	vector<int>* newciph = new vector<int>();
+
+	std::copy(ciph->begin(), ciph->end(),
+	std::back_inserter(*newciph));
+
+	return newciph;
+	%}
+
+refine analyzer SSLAnalyzer += {
+	%member{
+		Analyzer* bro_analyzer_;
+
+		vector<uint8>* client_session_id_;
+		vector<int>* advertised_ciphers_;
+		int version_;
+		int cipher_;
+	%}
+
+	%init{
+		bro_analyzer_ = 0;
+
+		client_session_id_ = 0;
+		advertised_ciphers_ = new vector<int>;
+		version_ = -1;
+		cipher_ = -1;
+
+#ifdef USE_OPENSSL
+		if ( ! X509_Cert::bInited )
+			X509_Cert::init();
+#endif
+	%}
+
+	%eof{
+		if ( state_ != STATE_CONN_ESTABLISHED &&
+		     state_ != STATE_TRACK_LOST && state_ != STATE_INITIAL )
+			bro_analyzer()->ProtocolViolation(fmt("unexpected end of connection in state %s",
+				state_label(state_).c_str()));
+	%}
+
+	%cleanup{
+		delete client_session_id_;
+		client_session_id_ = 0;
+
+		delete advertised_ciphers_;
+		advertised_ciphers_ = 0;
+	%}
+
+	function bro_analyzer() : Analyzer
+		%{
+		return bro_analyzer_;
+		%}
+
+	function set_bro_analyzer(a : Analyzer) : void
+		%{
+		bro_analyzer_ = a;
+		%}
+
+	function check_cipher(cipher : int) : bool
+		%{
+		if ( ! ssl_compare_cipherspecs )
+			return true;
+
+		if ( std::find(advertised_ciphers_->begin(),
+				advertised_ciphers_->end(), cipher) ==
+		     advertised_ciphers_->end() )
+			{
+			bro_analyzer()->ProtocolViolation("chosen cipher not advertised before");
+			return false;
+			}
+
+		return true;
+		%}
+
+	function certificate_error(err_num : int) : void
+		%{
+#ifdef USE_OPENSSL
+		StringVal* err_str =
+			new StringVal(X509_verify_cert_error_string(err_num));
+		bro_event_ssl_X509_error(bro_analyzer_, bro_analyzer_->Conn(),
+						err_num, err_str);
+#endif
+		%}
+
+	function proc_change_cipher_spec(msg : ChangeCipherSpec) : bool
+		%{
+		if ( state_ == STATE_TRACK_LOST )
+			bro_analyzer()->ProtocolViolation(fmt("unexpected ChangeCipherSpec from %s at state %s",
+				orig_label(current_record_is_orig_).c_str(),
+				state_label(old_state_).c_str()));
+		return true;
+		%}
+
+	function proc_application_data(msg : ApplicationData) : bool
+		%{
+		if ( state_ != STATE_CONN_ESTABLISHED )
+			bro_analyzer()->ProtocolViolation(fmt("unexpected ApplicationData from %s at state %s",
+				orig_label(current_record_is_orig_).c_str(),
+				state_label(old_state_).c_str()));
+		return true;
+		%}
+
+	function proc_alert(level : int, description : int) : bool
+		%{
+		bro_event_ssl_conn_alert(bro_analyzer_, bro_analyzer_->Conn(),
+						current_record_version_, level,
+						description);
+		return true;
+		%}
+
+	function proc_client_hello(version : uint16, session_id : uint8[],
+					csuits : int[]) : bool
+		%{
+		if ( state_ == STATE_TRACK_LOST )
+			bro_analyzer()->ProtocolViolation(fmt("unexpected client hello message from %s in state %s",
+				orig_label(current_record_is_orig_).c_str(),
+				state_label(old_state_).c_str()));
+
+		if ( ! version_ok(version) )
+			bro_analyzer()->ProtocolViolation(fmt("unsupported client SSL version 0x%04x", version));
+
+		delete client_session_id_;
+		client_session_id_ = new vector<uint8>(*session_id);
+
+		TableVal* cipher_table = new TableVal(cipher_suites_list);
+		for ( unsigned int i = 0; i < csuits->size(); ++i )
+			{
+			Val* ciph = new Val((*csuits)[i], TYPE_COUNT);
+			cipher_table->Assign(ciph, 0);
+			Unref(ciph);
+			}
+
+		bro_event_ssl_conn_attempt(bro_analyzer_, bro_analyzer_->Conn(),
+						version, cipher_table);
+
+		if ( ssl_compare_cipherspecs )
+			{
+			delete advertised_ciphers_;
+			advertised_ciphers_ = csuits;
+			}
+		else
+			delete csuits;
+
+		return true;
+		%}
+
+	function proc_server_hello(version : uint16, session_id : uint8[],
+				ciphers : int[], v2_sess_hit : int) : bool
+		%{
+		if ( state_ == STATE_TRACK_LOST )
+			bro_analyzer()->ProtocolViolation(fmt("unexpected server hello message from %s in state %s",
+				orig_label(current_record_is_orig_).c_str(),
+				state_label(old_state_).c_str()));
+
+		if ( ! version_ok(version) )
+			bro_analyzer()->ProtocolViolation(fmt("unsupported server SSL version 0x%04x", version));
+
+		version_ = version;
+
+		TableVal* chosen_ciphers = new TableVal(cipher_suites_list);
+		for ( unsigned int i = 0; i < ciphers->size(); ++i )
+			{
+			Val* ciph = new Val((*ciphers)[i], TYPE_COUNT);
+			chosen_ciphers->Assign(ciph, 0);
+			Unref(ciph);
+			}
+
+		bro_event_ssl_conn_server_reply(bro_analyzer_,
+						bro_analyzer_->Conn(),
+						version_, chosen_ciphers);
+
+		if ( v2_sess_hit < 0 )
+			{ // this is SSLv3
+			cipher_ = (*ciphers)[0];
+			check_cipher(cipher_);
+			TableVal* tv = to_table_val(session_id);
+			if ( client_session_id_ &&
+			     *client_session_id_ == *session_id )
+				bro_event_ssl_conn_reused(bro_analyzer_,
+						bro_analyzer_->Conn(), tv);
+			else
+				bro_event_ssl_session_insertion(bro_analyzer_,
+						bro_analyzer_->Conn(), tv);
+
+			delete ciphers;
+			}
+
+		else if ( v2_sess_hit > 0 )
+			{ // this is SSLv2 and a session hit
+			if ( client_session_id_ )
+				{
+				TableVal* tv = to_table_val(client_session_id_);
+				bro_event_ssl_conn_reused(bro_analyzer_,
+						bro_analyzer_->Conn(), tv);
+				}
+
+			// We don't know the chosen cipher, as there is
+			// no session storage.
+			bro_event_ssl_conn_established(bro_analyzer_,
+							bro_analyzer_->Conn(),
+							version_, 0xffffffff);
+			delete ciphers;
+			}
+
+		else
+			{
+			// This is SSLv2; we have to set advertised
+			// ciphers to server ciphers.
+			if ( ssl_compare_cipherspecs )
+				{
+				delete advertised_ciphers_;
+				advertised_ciphers_ = ciphers;
+				}
+			}
+
+		bro_analyzer()->ProtocolConfirmation();
+		return true;
+		%}
+
+	function proc_certificate(certificates : bytestring[]) : bool
+		%{
+		if ( state_ == STATE_TRACK_LOST )
+			bro_analyzer()->ProtocolViolation(fmt("unexpected certificate message from %s in state %s",
+				orig_label(current_record_is_orig_).c_str(),
+				state_label(old_state_).c_str()));
+
+		if ( ! ssl_analyze_certificates )
+			return true;
+		if ( certificates->size() == 0 )
+			return true;
+
+		bro_event_ssl_certificate_seen(bro_analyzer_,
+						bro_analyzer_->Conn(),
+						! current_record_is_orig_);
+
+#ifdef USE_OPENSSL
+		const bytestring& cert = (*certificates)[0];
+		const uint8* data = cert.data();
+
+		X509* pCert = d2i_X509_binpac(NULL, &data, cert.length());
+		if ( ! pCert )
+			{
+			// X509_V_UNABLE_TO_DECRYPT_CERT_SIGNATURE
+			certificate_error(4);
+			return false;
+			}
+
+		RecordVal* pX509Cert = new RecordVal(x509_type);
+
+		char tmp[256];
+		X509_NAME_oneline(X509_get_issuer_name(pCert), tmp, sizeof tmp);
+		pX509Cert->Assign(0, new StringVal(tmp));
+		X509_NAME_oneline(X509_get_subject_name(pCert), tmp, sizeof tmp);
+
+		pX509Cert->Assign(1, new StringVal(tmp));
+		pX509Cert->Assign(2, new AddrVal(bro_analyzer_->Conn()->OrigAddr()));
+
+		bro_event_ssl_certificate(bro_analyzer_, bro_analyzer_->Conn(),
+					pX509Cert, current_record_is_orig_);
+
+		if ( X509_get_ext_count(pCert) > 0 )
+			{
+			TableVal* x509ex = new TableVal(x509_extension);
+
+			for ( int k = 0; k < X509_get_ext_count(pCert); ++k )
+				{
+				X509_EXTENSION* ex = X509_get_ext(pCert, k);
+				ASN1_OBJECT* obj = X509_EXTENSION_get_object(ex);
+
+				char buf[256];
+				i2t_ASN1_OBJECT(buf, sizeof(buf), obj);
+				Val* index = new Val(k+1, TYPE_COUNT);
+				Val* value = new StringVal(strlen(buf), buf);
+				x509ex->Assign(index, value);
+				Unref(index);
+				}
+
+			bro_event_process_X509_extensions(bro_analyzer_,
+						bro_analyzer_->Conn(), x509ex);
+			}
+
+		if ( ssl_verify_certificates )
+			{
+			STACK_OF(X509)* untrusted_certs = 0;
+			if ( certificates->size() > 1 )
+				{
+				untrusted_certs = sk_new_null();
+				if ( ! untrusted_certs )
+					{
+					// X509_V_ERR_OUT_OF_MEM;
+					certificate_error(17);
+					return false;
+					}
+
+				for ( unsigned int i = 1;
+				      i < certificates->size(); ++i )
+					{
+					const bytestring& temp =
+						(*certificates)[i];
+					const uint8* tdata = temp.data();
+					X509* pTemp = d2i_X509_binpac(NULL,
+							&tdata, temp.length());
+					if ( ! pTemp )
+						{
+						// X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT
+						certificate_error(2);
+						return false;
+						}
+
+					sk_push(untrusted_certs, (char*) pTemp);
+					}
+				}
+
+			X509_STORE_CTX csc;
+			X509_STORE_CTX_init(&csc, X509_Cert::ctx,
+						pCert, untrusted_certs);
+			X509_STORE_CTX_set_time(&csc, 0, time_t(network_time()));
+			if (! X509_verify_cert(&csc))
+				certificate_error(csc.error);
+			X509_STORE_CTX_cleanup(&csc);
+
+			sk_pop_free(untrusted_certs, free_X509);
+			}
+
+		X509_free(pCert);
+#endif
+	return true;
+		%}
+
+	function proc_v2_certificate(cert : bytestring) : bool
+		%{
+		vector<bytestring>* cert_list = new vector<bytestring>(1,cert);
+		bool ret = proc_certificate(cert_list);
+		delete cert_list;
+		return ret;
+		%}
+
+	function proc_v3_certificate(cl : CertificateList) : bool
+		%{
+		vector<X509Certificate*>* certs = cl->val();
+		vector<bytestring>* cert_list = new vector<bytestring>();
+
+		std::transform(certs->begin(), certs->end(),
+		std::back_inserter(*cert_list), extract_certs());
+
+		bool ret = proc_certificate(cert_list);
+		delete cert_list;
+
+		return ret;
+		%}
+
+	function proc_v2_client_master_key(cipher : int) : bool
+		%{
+		if ( state_ == STATE_TRACK_LOST )
+			bro_analyzer()->ProtocolViolation(fmt("unexpected v2 client master key message from %s in state %s",
+				orig_label(current_record_is_orig_).c_str(),
+				state_label(old_state_).c_str()));
+
+		check_cipher(cipher);
+		bro_event_ssl_conn_established(bro_analyzer_,
+				bro_analyzer_->Conn(), version_, cipher);
+
+		return true;
+		%}
+
+	function proc_unknown_handshake(msg_type : int) : bool
+		%{
+		bro_analyzer()->ProtocolViolation(fmt("unknown handshake message (%d) from %s",
+			msg_type, orig_label(current_record_is_orig_).c_str()));
+		return true;
+		%}
+
+	function proc_handshake(msg : Handshake) : bool
+		%{
+		if ( state_ == STATE_TRACK_LOST )
+			bro_analyzer()->ProtocolViolation(fmt("unexpected Handshake message %s from %s in state %s",
+				handshake_type_label(msg->msg_type()).c_str(),
+				orig_label(current_record_is_orig_).c_str(),
+				state_label(old_state_).c_str()));
+		return true;
+		%}
+
+	function proc_unknown_record(msg : UnknownRecord) : bool
+		%{
+		bro_analyzer()->ProtocolViolation(fmt("unknown SSL record type (%d) from %s",
+				current_record_type_,
+				orig_label(current_record_is_orig_).c_str()));
+		return true;
+		%}
+
+	function proc_ciphertext_record(msg : CiphertextRecord) : bool
+		%{
+		if ( state_ == STATE_TRACK_LOST )
+			bro_analyzer()->ProtocolViolation(fmt("unexpected ciphertext record from %s in state %s",
+				orig_label(current_record_is_orig_).c_str(),
+				state_label(old_state_).c_str()));
+
+		if ( state_ == STATE_CONN_ESTABLISHED &&
+		     old_state_ == STATE_COMM_ENCRYPTED )
+			{
+			bro_event_ssl_conn_established(bro_analyzer_,
+							bro_analyzer_->Conn(),
+							version_, cipher_);
+			}
+
+		return true;
+		%}
+
+};
+
+refine typeattr ChangeCipherSpec += &let {
+	proc : bool = $context.analyzer.proc_change_cipher_spec(this)
+		&requires(state_changed);
+};
+
+refine typeattr Alert += &let {
+	proc : bool = $context.analyzer.proc_alert(level, description);
+};
+
+refine typeattr V2Error += &let {
+	proc : bool = $context.analyzer.proc_alert(-1, error_code);
+};
+
+refine typeattr ApplicationData += &let {
+	proc : bool = $context.analyzer.proc_application_data(this);
+};
+
+refine typeattr ClientHello += &let {
+	proc : bool = $context.analyzer.proc_client_hello(client_version,
+				session_id, convert_ciphers_uint16(csuits))
+		&requires(state_changed);
+};
+
+refine typeattr V2ClientHello += &let {
+	proc : bool = $context.analyzer.proc_client_hello(client_version,
+				session_id, convert_ciphers_uint24(ciphers))
+		&requires(state_changed);
+};
+
+refine typeattr ServerHello += &let {
+	proc : bool = $context.analyzer.proc_server_hello(server_version,
+			session_id, convert_ciphers_uint16(cipher_suite), -1)
+		&requires(state_changed);
+};
+
+refine typeattr V2ServerHello += &let {
+	proc : bool = $context.analyzer.proc_server_hello(server_version, 0,
+				convert_ciphers_uint24(ciphers), session_id_hit)
+		&requires(state_changed);
+
+	cert : bool = $context.analyzer.proc_v2_certificate(cert_data)
+		&requires(proc);
+};
+
+refine typeattr Certificate += &let {
+	proc : bool = $context.analyzer.proc_v3_certificate(certificates)
+		&requires(state_changed);
+};
+
+refine typeattr V2ClientMasterKey += &let {
+	proc : bool = $context.analyzer.proc_v2_client_master_key(to_int()(cipher_kind))
+		&requires(state_changed);
+};
+
+refine typeattr UnknownHandshake += &let {
+	proc : bool = $context.analyzer.proc_unknown_handshake(msg_type);
+};
+
+refine typeattr Handshake += &let {
+	proc : bool = $context.analyzer.proc_handshake(this);
+};
+
+refine typeattr UnknownRecord += &let {
+	proc : bool = $context.analyzer.proc_unknown_record(this);
+};
+
+refine typeattr CiphertextRecord += &let {
+	proc : bool = $context.analyzer.proc_ciphertext_record(this)
+		&requires(state_changed);
+};
diff --git a/src/ssl-defs.pac b/src/ssl-defs.pac
new file mode 100644
index 0000000000..6a4a91bb36
--- /dev/null
+++ b/src/ssl-defs.pac
@@ -0,0 +1,57 @@
+# $Id:$
+
+# Some common definitions for the SSL and SSL record-layer analyzers.
+
+%extern{
+#include <string>
+using std::string;
+%}
+
+enum ContentType {
+	CHANGE_CIPHER_SPEC = 20,
+	ALERT = 21,
+	HANDSHAKE = 22,
+	APPLICATION_DATA = 23,
+	V2_ERROR = 300,
+	V2_CLIENT_HELLO = 301,
+	V2_CLIENT_MASTER_KEY = 302,
+	V2_SERVER_HELLO = 304,
+	UNKNOWN_OR_V2_ENCRYPTED = 400
+};
+
+%code{
+	string* record_type_label(int type)
+		{
+		switch ( type ) {
+		case CHANGE_CIPHER_SPEC:
+			return new string("CHANGE_CIPHER_SPEC");
+		case ALERT:
+			return new string("ALERT");
+		case HANDSHAKE:
+			return new string("HANDSHAKE");
+		case APPLICATION_DATA:
+			return new string("APPLICATION_DATA");
+		case V2_ERROR:
+			return new string("V2_ERROR");
+		case V2_CLIENT_HELLO:
+			return new string("V2_CLIENT_HELLO");
+		case V2_CLIENT_MASTER_KEY:
+			return new string("V2_CLIENT_MASTER_KEY");
+		case V2_SERVER_HELLO:
+			return new string("V2_SERVER_HELLO");
+		case UNKNOWN_OR_V2_ENCRYPTED:
+			return new string("UNKNOWN_OR_V2_ENCRYPTED");
+
+		default:
+			return new string(fmt("UNEXPECTED (%d)", type));
+		}
+		}
+%}
+
+enum SSLVersions {
+	UNKNOWN_VERSION	= 0x0000,
+	SSLv20		= 0x0002,
+	SSLv30		= 0x0300,
+	TLSv10		= 0x0301,
+	TLSv11		= 0x0302
+};
diff --git a/src/ssl-protocol.pac b/src/ssl-protocol.pac
new file mode 100644
index 0000000000..a0121c2496
--- /dev/null
+++ b/src/ssl-protocol.pac
@@ -0,0 +1,630 @@
+# $Id:$
+
+# Analyzer for SSL messages (general part).
+# To be used in conjunction with an SSL record-layer analyzer.
+# Separation is necessary due to possible fragmentation of SSL records.
+
+######################################################################
+# General definitions
+######################################################################
+
+type uint24 = record {
+	byte1 : uint8;
+	byte2 : uint8;
+	byte3 : uint8;
+};
+
+%header{
+	class to_int {
+	public:
+		int operator()(uint24 * num) const
+		{
+		return (num->byte1() << 16) | (num->byte2() << 8) | num->byte3();
+		}
+	};
+%}
+
+extern type to_int;
+
+######################################################################
+# state management according to Section 7.3. in spec
+######################################################################
+
+enum AnalyzerState {
+	STATE_INITIAL,
+	STATE_CLIENT_HELLO_RCVD,
+	STATE_IN_SERVER_HELLO,
+	STATE_SERVER_HELLO_DONE,
+	STATE_CLIENT_CERT,
+	STATE_CLIENT_KEY_WITH_CERT,
+	STATE_CLIENT_KEY_NO_CERT,
+	STATE_CLIENT_CERT_VERIFIED,
+	STATE_CLIENT_ENCRYPTED,
+	STATE_CLIENT_FINISHED,
+	STATE_ABBREV_SERVER_ENCRYPTED,
+	STATE_ABBREV_SERVER_FINISHED,
+	STATE_COMM_ENCRYPTED,
+	STATE_CONN_ESTABLISHED,
+	STATE_V2_CL_MASTER_KEY_EXPECTED,
+
+	STATE_TRACK_LOST,
+	STATE_ANY
+};
+
+%code{
+	string state_label(int state_nr)
+		{
+		switch ( state_nr ) {
+		case STATE_INITIAL:
+			return string("INITIAL");
+		case STATE_CLIENT_HELLO_RCVD:
+			return string("CLIENT_HELLO_RCVD");
+		case STATE_IN_SERVER_HELLO:
+			return string("IN_SERVER_HELLO");
+		case STATE_SERVER_HELLO_DONE:
+			return string("SERVER_HELLO_DONE");
+		case STATE_CLIENT_CERT:
+			return string("CLIENT_CERT");
+		case STATE_CLIENT_KEY_WITH_CERT:
+			return string("CLIENT_KEY_WITH_CERT");
+		case STATE_CLIENT_KEY_NO_CERT:
+			return string("CLIENT_KEY_NO_CERT");
+		case STATE_CLIENT_CERT_VERIFIED:
+			return string("CLIENT_CERT_VERIFIED");
+		case STATE_CLIENT_ENCRYPTED:
+			return string("CLIENT_ENCRYPTED");
+		case STATE_CLIENT_FINISHED:
+			return string("CLIENT_FINISHED");
+		case STATE_ABBREV_SERVER_ENCRYPTED:
+			return string("ABBREV_SERVER_ENCRYPTED");
+		case STATE_ABBREV_SERVER_FINISHED:
+			return string("ABBREV_SERVER_FINISHED");
+		case STATE_COMM_ENCRYPTED:
+			return string("COMM_ENCRYPTED");
+		case STATE_CONN_ESTABLISHED:
+			return string("CONN_ESTABLISHED");
+		case STATE_V2_CL_MASTER_KEY_EXPECTED:
+			return string("STATE_V2_CL_MASTER_KEY_EXPECTED");
+		case STATE_TRACK_LOST:
+			return string("TRACK_LOST");
+		case STATE_ANY:
+			return string("ANY");
+
+		default:
+			return string(fmt("UNKNOWN (%d)", state_nr));
+		}
+		}
+
+	string orig_label(bool is_orig)
+		{
+		return string(is_orig ? "originator" :"responder");
+		}
+%}
+
+######################################################################
+# SSLv3 Handshake Protocols (7.)
+######################################################################
+
+enum HandshakeType {
+	HELLO_REQUEST		= 0,
+	CLIENT_HELLO		= 1,
+	SERVER_HELLO		= 2,
+	CERTIFICATE		= 11,
+	SERVER_KEY_EXCHANGE	= 12,
+	CERTIFICATE_REQUEST	= 13,
+	SERVER_HELLO_DONE	= 14,
+	CERTIFICATE_VERIFY	= 15,
+	CLIENT_KEY_EXCHANGE	= 16,
+	FINISHED		= 20
+};
+
+%code{
+	string handshake_type_label(int type)
+		{
+		switch ( type ) {
+		case HELLO_REQUEST: return string("HELLO_REQUEST");
+		case CLIENT_HELLO: return string("CLIENT_HELLO");
+		case SERVER_HELLO: return string("SERVER_HELLO");
+		case CERTIFICATE: return string("CERTIFICATE");
+		case SERVER_KEY_EXCHANGE: return string("SERVER_KEY_EXCHANGE");
+		case CERTIFICATE_REQUEST: return string("CERTIFICATE_REQUEST");
+		case SERVER_HELLO_DONE: return string("SERVER_HELLO_DONE");
+		case CERTIFICATE_VERIFY: return string("CERTIFICATE_VERIFY");
+		case CLIENT_KEY_EXCHANGE: return string("CLIENT_KEY_EXCHANGE");
+		case FINISHED: return string("FINISHED");
+		default: return string(fmt("UNKNOWN (%d)", type));
+		}
+		}
+%}
+
+
+######################################################################
+# V3 Change Cipher Spec Protocol (7.1.)
+######################################################################
+
+type ChangeCipherSpec = record {
+	type : uint8;
+} &length = 1, &let {
+	state_changed : bool =
+	    $context.analyzer.transition(STATE_CLIENT_FINISHED,
+					 STATE_COMM_ENCRYPTED, false) ||
+	    $context.analyzer.transition(STATE_IN_SERVER_HELLO,
+					 STATE_ABBREV_SERVER_ENCRYPTED, false) ||
+	    $context.analyzer.transition(STATE_CLIENT_KEY_NO_CERT,
+					 STATE_CLIENT_ENCRYPTED, true) ||
+	    $context.analyzer.transition(STATE_CLIENT_CERT_VERIFIED,
+					 STATE_CLIENT_ENCRYPTED, true) ||
+	    $context.analyzer.transition(STATE_CLIENT_KEY_WITH_CERT,
+					 STATE_CLIENT_ENCRYPTED, true) ||
+	    $context.analyzer.transition(STATE_ABBREV_SERVER_FINISHED,
+					 STATE_COMM_ENCRYPTED, true) ||
+	    $context.analyzer.lost_track();
+};
+
+
+######################################################################
+# V3 Alert Protocol (7.2.)
+######################################################################
+
+type Alert = record {
+	level : uint8;
+	description: uint8;
+} &length = 2;
+
+
+######################################################################
+# V2 Error Records (SSLv2 2.7.)
+######################################################################
+
+type V2Error = record {
+	error_code : uint16;
+} &length = 2;
+
+
+######################################################################
+# V3 Application Data
+######################################################################
+
+# Application data should always be encrypted, so we should not
+# reach this point.
+type ApplicationData = empty &let {
+	discard: bool = $context.flow.discard_data();
+};
+
+######################################################################
+# Handshake Protocol (7.4.)
+######################################################################
+
+######################################################################
+# V3 Hello Request (7.4.1.1.)
+######################################################################
+
+# Hello Request is empty
+type HelloRequest = empty &let {
+	hr: bool = $context.analyzer.set_hello_requested(true);
+};
+
+
+######################################################################
+# V3 Client Hello (7.4.1.2.)
+######################################################################
+
+type ClientHello = record {
+	client_version : uint16;
+	gmt_unix_time : uint32;
+	random_bytes : bytestring &length = 28 &transient;
+	session_len : uint8;
+	session_id : uint8[session_len];
+	csuit_len : uint16 &check(csuit_len > 1 && csuit_len % 2 == 0);
+	csuits : uint16[csuit_len/2];
+	cmeth_len : uint8 &check(cmeth_len > 0);
+	cmeths : uint8[cmeth_len];
+} &let {
+	state_changed : bool =
+		$context.analyzer.transition(STATE_INITIAL,
+				STATE_CLIENT_HELLO_RCVD, true) ||
+		($context.analyzer.hello_requested() &&
+		 $context.analyzer.transition(STATE_ANY, STATE_CLIENT_HELLO_RCVD, true)) ||
+		$context.analyzer.lost_track();
+};
+
+
+######################################################################
+# V2 Client Hello (SSLv2 2.5.)
+######################################################################
+
+type V2ClientHello = record {
+	client_version : uint16;
+	csuit_len : uint16;
+	session_len : uint16;
+	chal_len : uint16;
+	ciphers : uint24[csuit_len/3];
+	session_id : uint8[session_len];
+	challenge : bytestring &length = chal_len;
+} &length = 8 + csuit_len + session_len + chal_len, &let {
+	state_changed : bool =
+		$context.analyzer.transition(STATE_INITIAL,
+			STATE_CLIENT_HELLO_RCVD, true) ||
+		($context.analyzer.hello_requested() &&
+		 $context.analyzer.transition(STATE_ANY, STATE_CLIENT_HELLO_RCVD, true)) ||
+		$context.analyzer.lost_track();
+};
+
+
+######################################################################
+# V3 Server Hello (7.4.1.3.)
+######################################################################
+
+type ServerHello = record {
+	server_version : uint16;
+	gmt_unix_time : uint32;
+	random_bytes : bytestring &length = 28 &transient;
+	session_len : uint8;
+	session_id : uint8[session_len];
+	cipher_suite : uint16[1];
+	compression_method : uint8;
+} &let {
+	state_changed : bool =
+		$context.analyzer.transition(STATE_CLIENT_HELLO_RCVD,
+					   STATE_IN_SERVER_HELLO, false) ||
+		$context.analyzer.lost_track();
+};
+
+
+######################################################################
+# V2 Server Hello (SSLv2 2.6.)
+######################################################################
+
+type V2ServerHello = record {
+	session_id_hit : uint8;
+	cert_type : uint8;
+	server_version : uint16;
+	cert_len : uint16;
+	ciph_len : uint16;
+	conn_id_len : uint16;
+	cert_data : bytestring &length = cert_len;
+	ciphers : uint24[ciph_len/3];
+	conn_id_data : bytestring &length = conn_id_len;
+} &length = 10 + cert_len + ciph_len + conn_id_len, &let {
+	state_changed : bool =
+		(session_id_hit > 0 ?
+			$context.analyzer.transition(STATE_CLIENT_HELLO_RCVD,
+				STATE_CONN_ESTABLISHED, false) :
+			$context.analyzer.transition(STATE_CLIENT_HELLO_RCVD,
+				STATE_V2_CL_MASTER_KEY_EXPECTED, false)) ||
+		$context.analyzer.lost_track();
+};
+
+
+######################################################################
+# V3 Server Certificate (7.4.2.)
+######################################################################
+
+type X509Certificate = record {
+	length : uint24;
+	certificate : bytestring &length = to_int()(length);
+};
+
+type CertificateList = X509Certificate[] &until($input.length() == 0);
+
+type Certificate = record {
+	length : uint24;
+	certificates : CertificateList &length = to_int()(length);
+} &let {
+	state_changed : bool =
+		$context.analyzer.transition(STATE_IN_SERVER_HELLO,
+					STATE_IN_SERVER_HELLO, false) ||
+		$context.analyzer.transition(STATE_SERVER_HELLO_DONE,
+					STATE_CLIENT_CERT, true) ||
+		$context.analyzer.lost_track();
+};
+
+
+######################################################################
+# V3 Server Key Exchange Message (7.4.3.)
+######################################################################
+
+# For now ignore details; just eat up complete message
+type ServerKeyExchange = record {
+	cont : bytestring &restofdata &transient;
+} &let {
+	state_changed : bool =
+		$context.analyzer.transition(STATE_IN_SERVER_HELLO,
+				STATE_IN_SERVER_HELLO, false) ||
+		$context.analyzer.lost_track();
+};
+
+
+######################################################################
+# V3 Certificate Request (7.4.4.)
+######################################################################
+
+# For now, ignore Certificate Request Details; just eat up message.
+type CertificateRequest = record {
+	cont : bytestring &restofdata &transient;
+} &let {
+	state_changed : bool =
+		$context.analyzer.transition(STATE_IN_SERVER_HELLO,
+					STATE_IN_SERVER_HELLO, false) ||
+		$context.analyzer.lost_track();
+};
+
+
+######################################################################
+# V3 Server Hello Done (7.4.5.)
+######################################################################
+
+# Server Hello Done is empty
+type ServerHelloDone = empty &let {
+	state_changed : bool =
+		$context.analyzer.transition(STATE_IN_SERVER_HELLO,
+					STATE_SERVER_HELLO_DONE, false) ||
+		$context.analyzer.lost_track();
+};
+
+
+######################################################################
+# V3 Client Certificate (7.4.6.)
+######################################################################
+
+# Client Certificate is identical to Server Certificate;
+# no further definition here
+
+
+######################################################################
+# V3 Client Key Exchange Message (7.4.7.)
+######################################################################
+
+# For now ignore details of ClientKeyExchange (most of it is
+# encrypted anyway); just eat up message.
+type ClientKeyExchange = record {
+	cont : bytestring &restofdata &transient;
+} &let {
+	state_changed : bool =
+		$context.analyzer.transition(STATE_SERVER_HELLO_DONE,
+					STATE_CLIENT_KEY_NO_CERT, true) ||
+		$context.analyzer.transition(STATE_CLIENT_CERT,
+					STATE_CLIENT_KEY_WITH_CERT, true) ||
+		$context.analyzer.lost_track();
+};
+
+######################################################################
+# V2 Client Master Key (SSLv2 2.5.)
+######################################################################
+
+type V2ClientMasterKey = record {
+	cipher_kind : uint24;
+	cl_key_len : uint16;
+	en_key_len : uint16;
+	key_arg_len : uint16;
+	cl_key_data : bytestring &length = cl_key_len &transient;
+	en_key_data : bytestring &length = en_key_len &transient;
+	key_arg_data : bytestring &length = key_arg_len &transient;
+} &length = 9 + cl_key_len + en_key_len + key_arg_len, &let {
+	state_changed : bool =
+		$context.analyzer.transition(STATE_V2_CL_MASTER_KEY_EXPECTED,
+					STATE_CONN_ESTABLISHED, true) ||
+		$context.analyzer.lost_track();
+};
+
+
+######################################################################
+# V3 Certificate Verify (7.4.8.)
+######################################################################
+
+# For now, ignore Certificate Verify; just eat up the message.
+type CertificateVerify = record {
+	cont : bytestring &restofdata &transient;
+} &let {
+	state_changed : bool =
+		$context.analyzer.transition(STATE_CLIENT_KEY_WITH_CERT,
+					STATE_CLIENT_CERT_VERIFIED, true) ||
+		$context.analyzer.lost_track();
+};
+
+
+######################################################################
+# V3 Finished (7.4.9.)
+######################################################################
+
+# The Finished messages are always sent after encryption is in effect,
+# so we will not be able to read those message
+
+
+######################################################################
+# V3 Handshake Protocol (7.)
+######################################################################
+
+type UnknownHandshake(msg_type : uint8) =  record {
+	cont : bytestring &restofdata &transient;
+} &let {
+	state_changed : bool = $context.analyzer.lost_track();
+};
+
+type Handshake = record {
+	msg_type : uint8;
+	length : uint24;
+
+	body : case msg_type of {
+	HELLO_REQUEST ->	hello_request : HelloRequest;
+	CLIENT_HELLO ->		client_hello : ClientHello;
+	SERVER_HELLO ->		server_hello : ServerHello;
+	CERTIFICATE ->		certificate : Certificate;
+	SERVER_KEY_EXCHANGE ->	server_key_exchange : ServerKeyExchange;
+	CERTIFICATE_REQUEST ->	certificate_request : CertificateRequest;
+	SERVER_HELLO_DONE ->	server_hello_done : ServerHelloDone;
+	CERTIFICATE_VERIFY ->	certificate_verify : CertificateVerify;
+	CLIENT_KEY_EXCHANGE ->	client_key_exchange : ClientKeyExchange;
+	default ->		unknown_handshake : UnknownHandshake(msg_type);
+	};
+} &length = 4 + to_int()(length);
+
+
+######################################################################
+# Fragmentation (6.2.1.)
+######################################################################
+
+type UnknownRecord =  record {
+	cont : empty;
+} &let {
+	discard : bool = $context.flow.discard_data();
+	state_changed : bool = $context.analyzer.lost_track();
+};
+
+type PlaintextRecord =  case $context.analyzer.current_record_type() of {
+	CHANGE_CIPHER_SPEC	-> ch_cipher : ChangeCipherSpec;
+	ALERT			-> alert : Alert;
+	HANDSHAKE		-> handshakes : Handshake;
+	APPLICATION_DATA	-> app_data : ApplicationData;
+	V2_ERROR		-> v2_error : V2Error;
+	V2_CLIENT_HELLO		-> v2_client_hello : V2ClientHello;
+	V2_CLIENT_MASTER_KEY	-> v2_client_master_key : V2ClientMasterKey;
+	V2_SERVER_HELLO		-> v2_server_hello : V2ServerHello;
+	UNKNOWN_OR_V2_ENCRYPTED	-> unknown_record : UnknownRecord;
+};
+
+type CiphertextRecord = empty &let {
+	discard : bool = $context.flow.discard_data();
+	state_changed : bool =
+		$context.analyzer.transition(STATE_ABBREV_SERVER_ENCRYPTED,
+					STATE_ABBREV_SERVER_FINISHED, false) ||
+		$context.analyzer.transition(STATE_CLIENT_ENCRYPTED,
+					STATE_CLIENT_FINISHED, true) ||
+		$context.analyzer.transition(STATE_COMM_ENCRYPTED,
+					STATE_CONN_ESTABLISHED, false) ||
+		$context.analyzer.transition(STATE_COMM_ENCRYPTED,
+					STATE_CONN_ESTABLISHED, true) ||
+		$context.analyzer.transition(STATE_CONN_ESTABLISHED,
+					STATE_CONN_ESTABLISHED, false) ||
+		$context.analyzer.transition(STATE_CONN_ESTABLISHED,
+					STATE_CONN_ESTABLISHED, true) ||
+		$context.analyzer.lost_track();
+};
+
+
+######################################################################
+# initial datatype for binpac
+######################################################################
+
+type SSLPDU = case $context.analyzer.state() of {
+	STATE_ABBREV_SERVER_ENCRYPTED, STATE_CLIENT_ENCRYPTED,
+	STATE_COMM_ENCRYPTED, STATE_CONN_ESTABLISHED
+		-> ciphertext : CiphertextRecord;
+	default
+		-> plaintext : PlaintextRecord;
+} &byteorder = bigendian, &let {
+	consumed : bool = $context.flow.consume_data();
+};
+
+
+######################################################################
+# binpac analyzer for SSL including
+######################################################################
+
+analyzer SSLAnalyzer {
+	upflow = SSLFlow(true);
+	downflow = SSLFlow(false);
+
+	%member{
+		int current_record_type_;
+		int current_record_version_;
+		int current_record_length_;
+		bool current_record_is_orig_;
+		int state_;
+		int old_state_;
+		bool hello_requested_;
+	%}
+
+	%init{
+		current_record_type_ = -1;
+		current_record_version_ = -1;
+		current_record_length_ = -1;
+		current_record_is_orig_ = false;
+		state_ = STATE_INITIAL;
+		old_state_ = STATE_INITIAL;
+		hello_requested_ = false;
+	%}
+
+	function current_record_type() : int
+					%{ return current_record_type_; %}
+	function current_record_version() : int
+					%{ return current_record_version_; %}
+	function current_record_length() : int
+					%{ return current_record_length_; %}
+	function current_record_is_orig() : bool
+					%{ return current_record_is_orig_; %}
+
+	function next_record(rec : const_bytestring, type : int,
+				version : int, is_orig : bool) : bool
+		%{
+		current_record_type_ = type;
+		current_record_version_ = version;
+		current_record_length_ = rec.length();
+		current_record_is_orig_ = is_orig;
+
+		NewData(is_orig, rec.begin(), rec.end());
+
+		return true;
+		%}
+
+	function state() : int %{ return state_; %}
+	function old_state() : int %{ return old_state_; %}
+
+	function transition(olds : AnalyzerState, news : AnalyzerState,
+				is_orig : bool) : bool
+		%{
+		if ( (olds != STATE_ANY && olds != state_) ||
+		     current_record_is_orig_ != is_orig )
+			return false;
+
+		old_state_ = state_;
+		state_ = news;
+
+		return true;
+		%}
+
+	function lost_track() : bool
+		%{
+		state_ = STATE_TRACK_LOST;
+		return false;
+		%}
+
+	function hello_requested() : bool
+		%{
+		bool ret = hello_requested_;
+		hello_requested_ = false;
+		return ret;
+		%}
+
+	function set_hello_requested(val : bool) : bool
+		%{
+		hello_requested_ = val;
+		return val;
+		%}
+};
+
+
+######################################################################
+# binpac flow for SSL
+######################################################################
+
+flow SSLFlow(is_orig : bool) {
+	flowunit = SSLPDU withcontext(connection, this);
+
+	function discard_data() : bool
+		%{
+		flow_buffer_->DiscardData();
+		return true;
+		%}
+
+	function data_available() : bool
+		%{
+		return flow_buffer_->data_available();
+		%}
+
+	function consume_data() : bool
+		%{
+		flow_buffer_->NewFrame(0, false);
+		return true;
+		%}
+};
diff --git a/src/ssl-record-layer.pac b/src/ssl-record-layer.pac
new file mode 100644
index 0000000000..ad6c4ca260
--- /dev/null
+++ b/src/ssl-record-layer.pac
@@ -0,0 +1,141 @@
+# $Id:$
+
+# binpac analyzer representing the SSLv3 record layer
+#
+# This additional layering in the analyzer hierarchy is necessary due to
+# fragmentation that can be introduced in the SSL record layer.
+
+%include binpac.pac
+%include bro.pac
+
+analyzer SSLRecordLayer withcontext {
+	analyzer : SSLRecordLayerAnalyzer;
+	flow : SSLRecordLayerFlow;
+};
+
+%include ssl-defs.pac
+
+%extern{
+#include "ssl_pac.h"
+using binpac::SSL::SSLAnalyzer;
+%}
+
+extern type const_bytestring;
+
+
+type SSLPDU = record {
+	head0 : uint8;
+	head1 : uint8;
+	head2 : uint8;
+	head3 : uint8;
+	head4 : uint8;
+	fragment : bytestring &restofdata;
+} &length = 5 + length, &byteorder = bigendian, &let {
+	version : int =
+		$context.analyzer.determine_ssl_version(head0, head1, head2);
+
+	length : int = case version of {
+		UNKNOWN_VERSION -> 0;
+		SSLv20 -> (((head0 & 0x7f) << 8) | head1) - 3;
+		default -> (head3 << 8) | head4;
+	};
+
+	fw : bool = case version of {
+		UNKNOWN_VERSION ->
+			$context.analyzer.forward_record(const_bytestring(),
+				UNKNOWN_OR_V2_ENCRYPTED, UNKNOWN_VERSION,
+				$context.flow.is_orig)
+			&& $context.flow.discard_data();
+
+	SSLv20 -> $context.analyzer.forward_v2_record(head2, head3, head4,
+					fragment, $context.flow.is_orig);
+	default -> $context.analyzer.forward_record(fragment, head0,
+				(head1 << 8) | head2, $context.flow.is_orig);
+	};
+};
+
+# binpac-specific definitions
+
+analyzer SSLRecordLayerAnalyzer {
+	upflow = SSLRecordLayerFlow(true);
+	downflow = SSLRecordLayerFlow(false);
+
+	%member{
+		SSLAnalyzer* ssl_analyzer_;
+
+		int ssl_version_;
+		int record_length_;
+	%}
+
+	%init{
+		ssl_analyzer_ = 0;
+		ssl_version_ = UNKNOWN_VERSION;
+		record_length_ = 0;
+	%}
+
+	%eof{
+		ssl_analyzer_->FlowEOF(true);
+		ssl_analyzer_->FlowEOF(false);
+	%}
+
+	function set_ssl_analyzer(a : SSLAnalyzer) : void
+		%{ ssl_analyzer_ = a; %}
+
+	function ssl_version() : int %{ return ssl_version_; %}
+	function record_length() : int %{ return record_length_; %}
+
+	function determine_ssl_version(head0 : uint8, head1 : uint8,
+					head2 : uint8) : int
+		%{
+		if ( head0 >= 20 && head0 <= 23 &&
+		     head1 == 0x03 && head2 <  0x03 )
+			// This is most probably SSL version 3.
+			ssl_version_ = (head1 << 8) | head2;
+
+		else if ( head0 >= 128 && head2 < 5 && head2 != 3 )
+			// Not very strong evidence, but we suspect
+			// this to be SSLv2.
+			ssl_version_ = SSLv20;
+
+		else
+			ssl_version_ = UNKNOWN_VERSION;
+
+		return ssl_version_;
+		%}
+
+	function forward_record(fragment : const_bytestring, type : int,
+				version : uint16, is_orig : bool) : bool
+		%{
+		return ssl_analyzer_->next_record(fragment, type,
+							version, is_orig);
+		%}
+
+	function forward_v2_record(b1 : uint8, b2 : uint8, b3 : uint8,
+					fragment : const_bytestring,
+					is_orig : bool) : bool
+		%{
+		uint8* buffer = new uint8[2 + fragment.length()];
+
+		// Byte 1 is the record type.
+		buffer[0] = b2;
+		buffer[1] = b3;
+
+		memcpy(buffer + 2, fragment.begin(), fragment.length());
+		const_bytestring bs(buffer, 2 + fragment.length());
+
+		bool ret = ssl_analyzer_->next_record(bs, 300 + b1, SSLv20,
+							is_orig);
+		delete [] buffer;
+		return ret;
+		%}
+};
+
+flow SSLRecordLayerFlow(is_orig : bool) {
+	flowunit = SSLPDU withcontext(connection, this);
+
+	function discard_data() : bool
+		%{
+		flow_buffer_->DiscardData();
+		return true;
+		%}
+};
diff --git a/src/ssl.pac b/src/ssl.pac
new file mode 100644
index 0000000000..f2cd92eedf
--- /dev/null
+++ b/src/ssl.pac
@@ -0,0 +1,22 @@
+# $Id:$
+
+# binpac file for SSL analyzer
+
+# split in three parts:
+#  - ssl-protocol.pac: describes the SSL protocol messages
+#  - ssl-analyzer.pac: contains the SSL analyzer code
+#  - ssl-record-layer.pac: describes the SSL record layer
+
+%include binpac.pac
+%include bro.pac
+
+analyzer SSL withcontext {
+	analyzer : SSLAnalyzer;
+	flow : SSLFlow;
+};
+
+
+%include ssl-defs.pac
+
+%include ssl-protocol.pac
+%include ssl-analyzer.pac
diff --git a/src/strings.bif b/src/strings.bif
new file mode 100644
index 0000000000..44b0c57eb6
--- /dev/null
+++ b/src/strings.bif
@@ -0,0 +1,828 @@
+# $Id: strings.bif 6920 2009-10-03 20:47:25Z vern $
+#
+# Definitions of Bro built-in functions related to strings.
+
+
+%%{ // C segment
+#include <vector>
+#include <algorithm>
+using namespace std;
+
+#include "SmithWaterman.h"
+%%}
+
+
+function string_cat%(...%): string
+	%{
+	int n = 0;
+	loop_over_list(@ARG@, i)
+		n += @ARG@[i]->AsString()->Len();
+
+	u_char* b = new u_char[n+1];
+	BroString* s = new BroString(1, b, n);
+
+	loop_over_list(@ARG@, j)
+		{
+		const BroString* s = @ARG@[j]->AsString();
+		memcpy(b, s->Bytes(), s->Len());
+		b += s->Len();
+		}
+	*b = 0;
+
+	return new StringVal(s);
+	%}
+
+%%{
+int string_array_to_vs(TableVal* tbl, int start, int end,
+			vector<const BroString*>& vs)
+	{
+	vs.clear();
+	for ( int i = start; i <= end; ++i )
+		{
+		Val* ind = new Val(i, TYPE_COUNT);
+		Val* v = tbl->Lookup(ind);
+		if ( ! v )
+			return 0;
+		vs.push_back(v->AsString());
+#if 0
+		char* str = v->AsString()->Render();
+		DEBUG_MSG("string_array[%d] = \"%s\"\n", i, str);
+		delete [] str;
+#endif
+		delete ind;
+		}
+	return 1;
+	}
+
+int vs_to_string_array(vector<const BroString*>& vs, TableVal* tbl,
+			int start, int end)
+	{
+	for ( int i = start, j = 0; i <= end; ++i, ++j )
+		{
+		Val* ind = new Val(i, TYPE_COUNT);
+		tbl->Assign(ind, new StringVal(vs[j]->Len(),
+						(const char *)vs[j]->Bytes()));
+		Unref(ind);
+		}
+	return 1;
+	}
+
+BroString* cat_string_array_n(TableVal* tbl, int start, int end)
+	{
+	vector<const BroString*> vs;
+	string_array_to_vs(tbl, start, end, vs);
+	return concatenate(vs);
+	}
+%%}
+
+function cat_string_array%(a: string_array%): string
+	%{
+	TableVal* tbl = a->AsTableVal();
+	return new StringVal(cat_string_array_n(tbl, 1, a->AsTable()->Length()));
+	%}
+
+function cat_string_array_n%(a: string_array, start: count, end: count%): string
+	%{
+	TableVal* tbl = a->AsTableVal();
+	return new StringVal(cat_string_array_n(tbl, start, end));
+	%}
+
+function join_string_array%(sep: string, a: string_array%): string
+	%{
+	vector<const BroString*> vs;
+	TableVal* tbl = a->AsTableVal();
+	int n = a->AsTable()->Length();
+
+	for ( int i = 1; i <= n; ++i )
+		{
+		Val* ind = new Val(i, TYPE_COUNT);
+		Val* v = tbl->Lookup(ind);
+		if ( ! v )
+			return 0;
+
+		vs.push_back(v->AsString());
+		Unref(ind);
+
+		if ( i < n )
+			vs.push_back(sep->AsString());
+		}
+
+	return new StringVal(concatenate(vs));
+	%}
+
+function sort_string_array%(a: string_array%): string_array
+	%{
+	TableVal* tbl = a->AsTableVal();
+	int n = a->AsTable()->Length();
+
+	vector<const BroString*> vs;
+	string_array_to_vs(tbl, 1, n, vs);
+
+	unsigned int i, j;
+	for ( i = 0; i < vs.size(); ++i )
+		{
+		const BroString* x = vs[i];
+		for ( j = i; j > 0; --j )
+			if ( Bstr_cmp(vs[j-1], x) <= 0 )
+				break;
+			else
+				vs[j] = vs[j-1];
+		vs[j] = x;
+		}
+	// sort(vs.begin(), vs.end(), Bstr_cmp);
+
+	TableVal* b = new TableVal(internal_type("string_array")->AsTableType());
+	vs_to_string_array(vs, b, 1, n);
+	return b;
+	%}
+
+function edit%(arg_s: string, arg_edit_char: string%): string
+	%{
+	const char* s = arg_s->AsString()->CheckString();
+	const char* edit_s = arg_edit_char->AsString()->CheckString();
+
+	if ( strlen(edit_s) != 1 )
+		builtin_run_time("not exactly one edit character", @ARG@[1]);
+
+	char edit_c = *edit_s;
+
+	int n = strlen(s) + 1;
+	char* new_s = new char[n];
+	int ind = 0;
+
+	for ( ; *s; ++s )
+		{
+		if ( *s == edit_c )
+			{ // Delete last character
+			if ( --ind < 0 )
+				ind = 0;
+			}
+		else
+			new_s[ind++] = *s;
+		}
+
+	new_s[ind] = '\0';
+
+	return new StringVal(new BroString(1, byte_vec(new_s), ind));
+	%}
+
+function byte_len%(s: string%): count
+	%{
+	return new Val(s->Len(), TYPE_COUNT);
+	%}
+
+function sub_bytes%(s: string, start: count, n: int%): string
+	%{
+	if ( start > 0 )
+		--start;	// make it 0-based
+
+	BroString* ss = s->AsString()->GetSubstring(start, n);
+
+	if ( ! ss )
+		ss = new BroString("");
+
+	return new StringVal(ss);
+	%}
+
+%%{
+static int match_prefix(int s_len, const char* s, int t_len, const char* t)
+	{
+	for ( int i = 0; i < t_len; ++i )
+		{
+		if ( i >= s_len || s[i] != t[i] )
+			return 0;
+		}
+	return 1;
+	}
+
+Val* do_split(StringVal* str_val, RE_Matcher* re, TableVal* other_sep,
+		int incl_sep, int max_num_sep)
+	{
+	const BroString* str = str_val->AsString();
+	TableVal* a = new TableVal(internal_type("string_array")->AsTableType());
+	ListVal* other_strings = 0;
+
+	if ( other_sep && other_sep->Size() > 0 )
+		other_strings = other_sep->ConvertToPureList();
+
+	// Currently let us assume that str is NUL-terminated. In
+	// the future we expect to change this by giving RE_Matcher a
+	// const char* segment.
+
+	const char* s = str->CheckString();
+	int len = strlen(s);
+	const char* end_of_s = s + len;
+	int num = 0;
+	int num_sep = 0;
+
+	while ( 1 )
+		{
+		int offset = 0;
+		const char* t;
+
+		if ( max_num_sep > 0 && num_sep >= max_num_sep )
+			t = end_of_s;
+		else
+			{
+			for ( t = s; t < end_of_s; ++t )
+				{
+				offset = re->MatchPrefix(t);
+
+				if ( other_strings )
+					{
+					val_list* vl = other_strings->Vals();
+					loop_over_list(*vl, i)
+						{
+						const BroString* sub =
+							(*vl)[i]->AsString();
+						if ( sub->Len() > offset &&
+						     match_prefix(end_of_s - t,
+								t, sub->Len(),
+								(const char*) (sub->Bytes())) )
+							{
+							offset = sub->Len();
+							}
+						}
+					}
+
+				if ( offset > 0 )
+					break;
+				}
+			}
+
+		Val* ind = new Val(++num, TYPE_COUNT);
+		a->Assign(ind, new StringVal(t - s, s));
+		Unref(ind);
+
+		if ( t >= end_of_s )
+			break;
+
+		++num_sep;
+
+		if ( incl_sep )
+			{ // including the part that matches the pattern
+			ind = new Val(++num, TYPE_COUNT);
+			a->Assign(ind, new StringVal(offset, t));
+			Unref(ind);
+			}
+
+		s = t + offset;
+		if ( s > end_of_s )
+			internal_error("RegMatch in split goes beyond the string");
+		}
+
+	if ( other_strings )
+		delete other_strings;
+
+	return a;
+	}
+
+Val* do_sub(StringVal* str_val, RE_Matcher* re, StringVal* repl, int do_all)
+	{
+	const u_char* s = str_val->Bytes();
+	int offset = 0;
+	int n = str_val->Len();
+
+	// cut_points is a set of pairs of indices in str that should
+	// be removed/replaced.  A pair <x,y> means "delete starting
+	// at offset x, up to but not including offset y".
+	List(ptr_compat_int) cut_points;	// where RE matches pieces of str
+
+	int size = 0;	// size of result
+
+	while ( n > 0 )
+		{
+		// Find next match offset.
+		int end_of_match;
+		while ( n > 0 &&
+			(end_of_match = re->MatchPrefix(&s[offset], n)) <= 0 )
+			{
+			// This character is going to be copied to the result.
+			++size;
+
+			// Move on to next character.
+			++offset;
+			--n;
+			}
+
+		if ( n <= 0 )
+			break;
+
+		// s[offset .. offset+end_of_match-1] matches re.
+		cut_points.append(offset);
+		cut_points.append(offset + end_of_match);
+
+		offset += end_of_match;
+		n -= end_of_match;
+
+		if ( ! do_all )
+			{
+			// We've now done the first substitution - finished.
+			// Include the remainder of the string in the result.
+			size += n;
+			break;
+			}
+		}
+
+	// size now reflects amount of space copied.  Factor in amount
+	// of space for replacement text.
+	int num_cut_points = cut_points.length() / 2;
+	size += num_cut_points * repl->Len();
+
+	// And a final NUL for good health.
+	++size;
+
+	byte_vec result = new u_char[size];
+	byte_vec r = result;
+
+	// Copy it all over.
+	int start_offset = 0;
+	for ( int i = 0; i < cut_points.length(); i += 2 /* loop over pairs */ )
+		{
+		int num_to_copy = cut_points[i] - start_offset;
+		memcpy(r, s + start_offset, num_to_copy);
+
+		r += num_to_copy;
+		start_offset = cut_points[i+1];
+
+		// Now add in replacement text.
+		memcpy(r, repl->Bytes(), repl->Len());
+		r += repl->Len();
+		}
+
+	// Copy final trailing characters.
+	int num_to_copy = str_val->Len() - start_offset;
+	memcpy(r, s + start_offset, num_to_copy);
+	r += num_to_copy;
+
+	// Final NUL.  No need to increment r, since the length
+	// computed from it in the next statement does not include
+	// the NUL.
+	r[0] = '\0';
+
+	return new StringVal(new BroString(1, result, r - result));
+	}
+%%}
+
+# Similar to split in awk.
+
+function split%(str: string, re: pattern%): string_array
+	%{
+	return do_split(str, re, 0, 0, 0);
+	%}
+
+# split1(str, pattern, include_separator): table[count] of string
+#
+# Same as split, except that str is only split (if possible) at the
+# earliest position and an array of two strings is returned.
+# An array of one string is returned when str cannot be splitted.
+
+function split1%(str: string, re: pattern%): string_array
+	%{
+	return do_split(str, re, 0, 0, 1);
+	%}
+
+# Same as split, except that the array returned by split_all also
+# includes parts of string that match the pattern in the array.
+
+# For example, split_all("a-b--cd", /(\-)+/) returns {"a", "-", "b",
+# "--", "cd"}: odd-indexed elements do not match the pattern
+# and even-indexed ones do.
+
+function split_all%(str: string, re: pattern%): string_array
+	%{
+	return do_split(str, re, 0, 1, 0);
+	%}
+
+function split_n%(str: string, re: pattern,
+		incl_sep: bool, max_num_sep: count%): string_array
+	%{
+	return do_split(str, re, 0, incl_sep, max_num_sep);
+	%}
+
+function split_complete%(str: string,
+		re: pattern, other: string_set,
+		incl_sep: bool, max_num_sep: count%): string_array
+	%{
+	return do_split(str, re, other->AsTableVal(), incl_sep, max_num_sep);
+	%}
+
+function sub%(str: string, re: pattern, repl: string%): string
+	%{
+	return do_sub(str, re, repl, 0);
+	%}
+
+function gsub%(str: string, re: pattern, repl: string%): string
+	%{
+	return do_sub(str, re, repl, 1);
+	%}
+
+function strcmp%(s1: string, s2: string%): int
+	%{
+	return new Val(Bstr_cmp(s1->AsString(), s2->AsString()), TYPE_INT);
+	%}
+
+# Returns 0 if $little is not found in $big.
+function strstr%(big: string, little: string%): count
+	%{
+	return new Val(
+		1 + big->AsString()->FindSubstring(little->AsString()),
+		TYPE_COUNT);
+	%}
+
+# Substitute each (non-overlapping) appearance of $from in $s to $to,
+# and return the resulting string.
+function subst_string%(s: string, from: string, to: string%): string
+	%{
+	const int little_len = from->Len();
+	if ( little_len == 0 )
+		return s->Ref();
+
+	int big_len = s->Len();
+	const u_char* big = s->Bytes();
+	data_chunk_t dc;
+	vector<data_chunk_t> vs;
+
+	while ( big_len >= little_len )
+		{
+		int j = strstr_n(big_len, big, little_len, from->Bytes());
+
+		if ( j < 0 )
+			break;
+
+		if ( j > 0 )
+			{
+			dc.length = j; dc.data = (const char*) big;
+			vs.push_back(dc);
+			}
+
+		dc.length = to->Len();
+		dc.data = (const char*) (to->Bytes());
+		vs.push_back(dc);
+
+		j += little_len;
+		big += j;
+		big_len -= j;
+		}
+
+	if ( big_len > 0 )
+		{
+		dc.length = big_len; dc.data = (const char*) big;
+		vs.push_back(dc);
+		}
+
+	return new StringVal(concatenate(vs));
+	%}
+
+function to_lower%(str: string%): string
+	%{
+	const char* s = str->CheckString();
+	int n = strlen(s) + 1;
+	char* lower_s = new char[n];
+
+	char* ls;
+	for ( ls = lower_s; *s; ++s )
+		{
+		if ( isascii(*s) && isupper(*s) )
+			*ls++ = tolower(*s);
+		else
+			*ls++ = *s;
+		}
+
+	*ls = '\0';
+
+	return new StringVal(new BroString(1, byte_vec(lower_s), n-1));
+	%}
+
+function to_upper%(str: string%): string
+	%{
+	const char* s = str->CheckString();
+	int n = strlen(s) + 1;
+	char* upper_s = new char[n];
+
+	char* us;
+	for ( us = upper_s; *s; ++s )
+		{
+		if ( isascii(*s) && islower(*s) )
+			*us++ = toupper(*s);
+		else
+			*us++ = *s;
+		}
+
+	*us = '\0';
+
+	return new StringVal(new BroString(1, byte_vec(upper_s), n-1));
+	%}
+
+function clean%(str: string%): string
+	%{
+	char* s = str->AsString()->Render();
+	return new StringVal(new BroString(1, byte_vec(s), strlen(s)));
+	%}
+
+function to_string_literal%(str: string%): string
+	%{
+	char* s = str->AsString()->Render(BroString::BRO_STRING_LITERAL);
+	return new StringVal(new BroString(1, byte_vec(s), strlen(s)));
+	%}
+
+function is_ascii%(str: string%): bool
+	%{
+	int n = str->Len();
+	const u_char* s = str->Bytes();
+
+	for ( int i = 0; i < n; ++i )
+		if ( s[i] > 127 )
+			return new Val(0, TYPE_BOOL);
+
+	return new Val(1, TYPE_BOOL);
+	%}
+
+# Make printable version of string.
+function escape_string%(s: string%): string
+	%{
+	char* escstr = s->AsString()->Render();
+	Val* val = new StringVal(escstr);
+	delete [] escstr;
+	return val;
+	%}
+
+# Returns an ASCII hexadecimal representation of a string.
+function string_to_ascii_hex%(s: string%): string
+	%{
+	char* x = new char[s->Len() * 2 + 1];
+	const u_char* sp = s->Bytes();
+
+	for ( int i = 0; i < s->Len(); ++i )
+		sprintf(x + i * 2, "%02x", sp[i]);
+
+	return new StringVal(new BroString(1, (u_char*) x, s->Len() * 2));
+	%}
+
+function str_smith_waterman%(s1: string, s2: string, params: sw_params%)
+: sw_substring_vec
+	%{
+	SWParams sw_params(params->AsRecordVal()->Lookup(0)->AsCount(),
+			   SWVariant(params->AsRecordVal()->Lookup(1)->AsCount()));
+
+	BroSubstring::Vec* subseq =
+		smith_waterman(s1->AsString(), s2->AsString(), sw_params);
+	VectorVal* result = BroSubstring::VecToPolicy(subseq);
+	delete_each(subseq);
+	delete subseq;
+
+	return result;
+	%}
+
+function str_split%(s: string, idx: index_vec%): string_vec
+	%{
+	vector<Val*>* idx_v = idx->AsVector();
+	BroString::IdxVec indices(idx_v->size());
+	unsigned int i;
+
+	for ( i = 0; i < idx_v->size(); i++ )
+		indices[i] = (*idx_v)[i]->AsCount();
+
+	BroString::Vec* result = s->AsString()->Split(indices);
+	VectorVal* result_v =
+		new VectorVal(new VectorType(base_type(TYPE_STRING)));
+
+	if ( result )
+		{
+		i = 1;
+
+		for ( BroString::VecIt it = result->begin();
+		      it != result->end(); ++it, ++i )
+			result_v->Assign(i, new StringVal(*it), 0);
+			// StringVal now possesses string.
+
+		delete result;
+		}
+
+	return result_v;
+	%}
+
+function strip%(str: string%): string
+	%{
+	const char* s = str->CheckString();
+
+	int n = strlen(s) + 1;
+	char* strip_s = new char[n];
+
+	if ( n == 1 )
+		// Empty string.
+		return new StringVal(new BroString(1, byte_vec(strip_s), 0));
+
+	while ( isspace(*s) )
+		++s;
+
+	strncpy(strip_s, s, n);
+
+	char* s2 = strip_s;
+	char* e = &s2[strlen(s2) - 1];
+
+	while ( e > s2 && isspace(*e) )
+		--e;
+
+	e[1] = '\0';	// safe even if e hasn't changed, due to n = strlen + 1
+
+	return new StringVal(new BroString(1, byte_vec(s2), (e-s2)+1));
+	%}
+
+function string_fill%(len: int, source: string%): string
+	%{
+	const char* src = source->CheckString();
+
+	int sn = strlen(src);
+	char* dst = new char[len];
+
+	for ( int i = 0; i < len; i += sn )
+		::memcpy((dst + i), src, min(sn, len - i));
+
+	dst[len - 1] = 0;
+
+	return new StringVal(new BroString(1, byte_vec(dst), len));
+	%}
+
+# Takes a string and escapes characters that would allow execution of commands
+# at the shell level.  Must be used before including strings in system() or
+# similar calls.
+#
+function str_shell_escape%(source: string%): string
+	%{
+	unsigned j = 0;
+	const char* src = source->CheckString();
+	char* dst = new char[strlen(src) * 2 + 1];
+
+	for ( unsigned i = 0; i < strlen(src); ++i )
+		{
+		switch ( src[i] ) {
+		case '`': case '"': case '\\': case '$':
+
+		// case '|': case '&': case ';': case '(': case ')': case '<':
+		// case '>': case '\'': case '*': case '?': case '[': case ']':
+		// case '!': case '#': case '{': case '}':
+			dst[j++] = '\\';
+			break;
+		default:
+			break;
+		}
+
+		dst[j++] = src[i];
+		}
+
+	dst[j] = '\0';
+	return new StringVal(new BroString(1, byte_vec(dst), j));
+	%}
+
+# Returns all occurrences of the given pattern in the given string (an empty
+# empty set if none).
+function find_all%(str: string, re: pattern%) : string_set
+	%{
+	TableVal* a = new TableVal(internal_type("string_set")->AsTableType());
+
+	const u_char* s = str->Bytes();
+	const u_char* e = s + str->Len();
+
+	for ( const u_char* t = s; t < e; ++t )
+		{
+		int n = re->MatchPrefix(t, e - t);
+		if ( n >= 0 )
+			{
+			a->Assign(new StringVal(n, (const char*) t), 0);
+			t += n - 1;
+			}
+		}
+
+	return a;
+	%}
+
+# Returns the last occurrence of the given pattern in the given string.
+# If not found, returns an empty string.  Note that this function returns
+# the match that starts at the largest index in the string, which is
+# not necessarily the longest match.  For example, a pattern of /.*/
+# will return the final character in the string.
+function find_last%(str: string, re: pattern%) : string
+	%{
+	const u_char* s = str->Bytes();
+	const u_char* e = s + str->Len();
+
+	for ( const u_char* t = e - 1; t >= s; --t )
+		{
+		int n = re->MatchPrefix(t, e - t);
+		if ( n >= 0 )
+			return new StringVal(n, (const char*) t);
+		}
+
+	return new StringVal("");
+	%}
+
+# Returns a hex dump for given input data.  The hex dump renders
+# 16 bytes per line, with hex on the left and ASCII (where printable)
+# on the right.  Based on Netdude's hex editor code.
+#
+function hexdump%(data_str: string%) : string
+	%{
+
+// The width of a line of text in the hex-mode view, consisting
+// of offset, hex view and ASCII view:
+//
+// 32 +     16 characters per 8 bytes, twice
+// (2*7) +  Single space between bytes, twice
+// 4 +      Two spaces between 8-byte sets and ASCII
+// 1 +      For newline
+// 17 +     For ASCII display, with spacer column
+// 6        For 5-digit offset counter, including spacer
+//
+#define HEX_LINE_WIDTH               74
+
+#define HEX_LINE_START                6
+#define HEX_LINE_END                 53
+#define HEX_LINE_START_ASCII         56
+#define HEX_LINE_START_RIGHT_ASCII   65
+#define HEX_LINE_LEFT_MIDDLE         28
+#define HEX_LINE_RIGHT_MIDDLE        31
+#define HEX_BLOCK_LEN                23
+#define HEX_LINE_BYTES               16
+#define NULL_CHAR                    '.'
+#define NONPRINT_CHAR                '.'
+
+	const u_char* data = data_str->Bytes();
+	unsigned data_size = data_str->Len();
+
+	if ( ! data )
+		return new StringVal("");
+
+	int num_lines = (data_size / 16) + 1;
+	int len = num_lines * HEX_LINE_WIDTH;
+	u_char* hex_data = new u_char[len + 1];
+	if ( ! hex_data )
+		return new StringVal("");
+
+	memset(hex_data, ' ', len);
+
+	u_char* hex_data_ptr = hex_data;
+	u_char* ascii_ptr = hex_data_ptr + 50;
+	int x = 0, y = 0;
+
+	for ( const u_char* data_ptr = data; data_ptr < data + data_size;
+	      ++data_ptr )
+		{
+		if ( x == 0 )
+			{
+			char offset[5];
+			safe_snprintf(offset, sizeof(offset),
+					"%.4x", data_ptr - data);
+			memcpy(hex_data_ptr, offset, 4);
+			hex_data_ptr += 6;
+			ascii_ptr = hex_data_ptr + 50;
+			}
+
+		char hex_byte[3];
+		safe_snprintf(hex_byte, sizeof(hex_byte),
+				"%.2x", (u_char) *data_ptr);
+
+		int val = (u_char) *data_ptr;
+
+		u_char ascii_byte = val;
+
+		// If unprintable, use special characters:
+		if ( val < 0x20 || val >= 0x7f )
+			{
+			if ( val == 0 )
+				ascii_byte = NULL_CHAR;
+			else
+				ascii_byte = NONPRINT_CHAR;
+			}
+
+		*hex_data_ptr++ = hex_byte[0];
+		*hex_data_ptr++ = hex_byte[1];
+		*hex_data_ptr++ = ' ';
+		*ascii_ptr++ = ascii_byte;
+
+		if ( x == 7 )
+			{
+			*hex_data_ptr++ = ' ';
+			*ascii_ptr++ = ' ';
+			}
+
+		++x;
+
+		if ( x == 16 )
+			{
+			x = 0;
+			*ascii_ptr++ = '\n';
+			hex_data_ptr = ascii_ptr;
+			}
+		}
+
+	// Terminate the string, but ensure it ends with a newline.
+	if ( ascii_ptr[-1] != '\n' )
+		*ascii_ptr++ = '\n';
+	*ascii_ptr = 0;
+
+	StringVal* result = new StringVal((const char*) hex_data);
+	delete [] hex_data;
+
+	return result;
+	%}
diff --git a/src/strsep.c b/src/strsep.c
new file mode 100644
index 0000000000..15a750885d
--- /dev/null
+++ b/src/strsep.c
@@ -0,0 +1,93 @@
+/*-
+ * Copyright (c) 1990, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "config.h"
+
+#ifndef HAVE_STRSEP
+
+#include <sys/types.h>
+
+#include <string.h>
+#include <stdio.h>
+
+char *strsep(char **, const char *);
+
+#if defined(LIBC_SCCS) && !defined(lint)
+static char sccsid[] = "@(#)strsep.c	8.1 (Berkeley) 6/4/93";
+#endif /* LIBC_SCCS and not lint */
+#ifndef lint
+static const char rcsid[] =
+  "$FreeBSD: src/lib/libc/string/strsep.c,v 1.2.12.1 2001/07/09 23:30:07 obrien Exp $";
+#endif
+
+/*
+ * Get next token from string *stringp, where tokens are possibly-empty
+ * strings separated by characters from delim.
+ *
+ * Writes NULs into the string at *stringp to end tokens.
+ * delim need not remain constant from call to call.
+ * On return, *stringp points past the last NUL written (if there might
+ * be further tokens), or is NULL (if there are definitely no more tokens).
+ *
+ * If *stringp is NULL, strsep returns NULL.
+ */
+char *
+strsep(stringp, delim)
+	register char **stringp;
+	register const char *delim;
+{
+	register char *s;
+	register const char *spanp;
+	register int c, sc;
+	char *tok;
+
+	if ((s = *stringp) == NULL)
+		return (NULL);
+	for (tok = s;;) {
+		c = *s++;
+		spanp = delim;
+		do {
+			if ((sc = *spanp++) == c) {
+				if (c == 0)
+					s = NULL;
+				else
+					s[-1] = 0;
+				*stringp = s;
+				return (tok);
+			}
+		} while (sc != 0);
+	}
+	/* NOTREACHED */
+}
+
+#endif
diff --git a/src/util.cc b/src/util.cc
new file mode 100644
index 0000000000..0e49600cc2
--- /dev/null
+++ b/src/util.cc
@@ -0,0 +1,1144 @@
+// $Id: util.cc 6916 2009-09-24 20:48:36Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "config.h"
+
+#if TIME_WITH_SYS_TIME
+# include <sys/time.h>
+# include <time.h>
+#else
+# if HAVE_SYS_TIME_H
+#  include <sys/time.h>
+# else
+#  include <time.h>
+# endif
+#endif
+
+#include <ctype.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/resource.h>
+#include <fcntl.h>
+#include <stdarg.h>
+#include <errno.h>
+#include <signal.h>
+
+#ifdef HAVE_MALLINFO
+# include <malloc.h>
+#endif
+
+#include "input.h"
+#include "util.h"
+#include "Obj.h"
+#include "md5.h"
+#include "Val.h"
+#include "NetVar.h"
+#include "Net.h"
+
+char* copy_string(const char* s)
+	{
+	char* c = new char[strlen(s)+1];
+	strcpy(c, s);
+	return c;
+	}
+
+int streq(const char* s1, const char* s2)
+	{
+	return ! strcmp(s1, s2);
+	}
+
+int expand_escape(const char*& s)
+	{
+	switch ( *(s++) ) {
+	case 'b': return '\b';
+	case 'f': return '\f';
+	case 'n': return '\n';
+	case 'r': return '\r';
+	case 't': return '\t';
+	case 'a': return '\a';
+	case 'v': return '\v';
+
+	case '0': case '1': case '2': case '3': case '4':
+	case '5': case '6': case '7':
+		{ // \<octal>{1,3}
+		--s;	// put back the first octal digit
+		const char* start = s;
+
+		// Don't increment inside loop control
+		// because if isdigit() is a macro it might
+		// expand into multiple increments ...
+
+		// Here we define a maximum length for escape sequence
+		// to allow easy handling of string like: "^H0" as
+		// "\0100".
+
+		for ( int len = 0; len < 3 && isascii(*s) && isdigit(*s);
+		      ++s, ++len)
+			;
+
+		int result;
+		if ( sscanf(start, "%3o", &result) != 1 )
+			{
+			warn("bad octal escape: ", start);
+			result = 0;
+			}
+
+		return result;
+		}
+
+	case 'x':
+		{ /* \x<hex> */
+		const char* start = s;
+
+		// Look at most 2 characters, so that "\x0ddir" -> "^Mdir".
+		for ( int len = 0; len < 2 && isascii(*s) && isxdigit(*s);
+		      ++s, ++len)
+			;
+
+		int result;
+		if ( sscanf(start, "%2x", &result) != 1 )
+			{
+			warn("bad hexadecimal escape: ", start);
+			result = 0;
+			}
+
+		return result;
+		}
+
+	default:
+		return s[-1];
+	}
+	}
+
+char* skip_whitespace(char* s)
+	{
+	while ( *s == ' ' || *s == '\t' )
+		++s;
+	return s;
+	}
+
+const char* skip_whitespace(const char* s)
+	{
+	while ( *s == ' ' || *s == '\t' )
+		++s;
+	return s;
+	}
+
+char* skip_whitespace(char* s, char* end_of_s)
+	{
+	while ( s < end_of_s && (*s == ' ' || *s == '\t') )
+		++s;
+	return s;
+	}
+
+const char* skip_whitespace(const char* s, const char* end_of_s)
+	{
+	while ( s < end_of_s && (*s == ' ' || *s == '\t') )
+		++s;
+	return s;
+	}
+
+char* skip_digits(char* s)
+	{
+	while ( *s && isdigit(*s) )
+		++s;
+	return s;
+	}
+
+char* get_word(char*& s)
+	{
+	char* w = s;
+	while ( *s && ! isspace(*s) )
+		++s;
+
+	if ( *s )
+		{
+		*s = '\0';	// terminate the word
+		s = skip_whitespace(s+1);
+		}
+
+	return w;
+	}
+
+void get_word(int length, const char* s, int& pwlen, const char*& pw)
+	{
+	pw = s;
+
+	int len = 0;
+	while ( len < length && *s && ! isspace(*s) )
+		{
+		++s;
+		++len;
+		}
+
+	pwlen = len;
+	}
+
+void to_upper(char* s)
+	{
+	while ( *s )
+		{
+		if ( islower(*s) )
+			*s = toupper(*s);
+		++s;
+		}
+	}
+
+const char* strchr_n(const char* s, const char* end_of_s, char ch)
+	{
+	for ( ; s < end_of_s; ++s )
+		if ( *s == ch )
+			return s;
+
+	return 0;
+	}
+
+const char* strrchr_n(const char* s, const char* end_of_s, char ch)
+	{
+	for ( --end_of_s; end_of_s >= s; --end_of_s )
+		if ( *end_of_s == ch )
+			return end_of_s;
+
+	return 0;
+	}
+
+int decode_hex(char ch)
+	{
+	if ( ch >= '0' && ch <= '9' )
+		return ch - '0';
+
+	if ( ch >= 'A' && ch <= 'F' )
+		return ch - 'A' + 10;
+
+	if ( ch >= 'a' && ch <= 'f' )
+		return ch - 'a' + 10;
+
+	return -1;
+	}
+
+unsigned char encode_hex(int h)
+	{
+	static const char hex[16] = {
+		'0', '1', '2', '3', '4', '5', '6', '7', '8',
+		'9', 'A', 'B', 'C', 'D', 'E', 'F'
+	};
+
+	if  ( h < 0 || h >= 16 )
+		{
+		internal_error("illegal value for encode_hex: %d", h);
+		return 'X';
+		}
+
+	return hex[h];
+	}
+
+// Same as strpbrk except that s is not NUL-terminated, but limited by
+// len. Note that '\0' is always implicitly contained in charset.
+const char* strpbrk_n(size_t len, const char* s, const char* charset)
+	{
+	for ( const char* p = s; p < s + len; ++p )
+		if ( strchr(charset, *p) )
+			return p;
+
+	return 0;
+	}
+
+int strcasecmp_n(int b_len, const char* b, const char* t)
+	{
+	if ( ! b )
+		return -1;
+
+	int i;
+	for ( i = 0; i < b_len; ++i )
+		{
+		char c1 = islower(b[i]) ? toupper(b[i]) : b[i];
+		char c2 = islower(t[i]) ? toupper(t[i]) : t[i];
+
+		if ( c1 < c2 )
+			return -1;
+
+		if ( c1 > c2 )
+			return 1;
+		}
+
+	return t[i] != '\0';
+	}
+
+#ifndef HAVE_STRCASESTR
+// This code is derived from software contributed to BSD by Chris Torek.
+char* strcasestr(const char* s, const char* find)
+	{
+	char c = *find++;
+	if ( c )
+		{
+		c = tolower((unsigned char) c);
+
+		size_t len = strlen(find);
+
+		do {
+			char sc;
+			do {
+				sc = *s++;
+				if ( sc == 0 )
+					return 0;
+			} while ( char(tolower((unsigned char) sc)) != c );
+		} while ( strcasecmp_n(len, s, find) != 0 );
+
+		--s;
+		}
+
+	return (char*) s;
+	}
+#endif
+
+int atoi_n(int len, const char* s, const char** end, int base, int& result)
+	{
+	int n = 0;
+	int neg = 0;
+
+	if ( len > 0 && *s == '-' )
+		{
+		neg = 1;
+		--len; ++s;
+		}
+
+	int i;
+	for ( i = 0; i < len; ++i )
+		{
+		unsigned int d;
+
+		if ( isdigit(s[i]) )
+			d = s[i] - '0';
+
+		else if ( s[i] >= 'a' && s[i] < 'a' - 10 + base )
+			d = s[i] - 'a' + 10;
+
+		else if ( s[i] >= 'A' && s[i] < 'A' - 10 + base )
+			d = s[i] - 'A' + 10;
+
+		else if ( i > 0 )
+			break;
+
+		else
+			return 0;
+
+		n = n * base + d;
+		}
+
+	if ( neg )
+		result = -n;
+	else
+		result = n;
+
+	if ( end )
+		*end = s + i;
+
+	return 1;
+	}
+
+int strstr_n(const int big_len, const u_char* big,
+		const int little_len, const u_char* little)
+	{
+	if ( little_len > big_len )
+		return -1;
+
+	for ( int i = 0; i <= big_len - little_len; ++i )
+		{
+		if ( ! memcmp(big + i, little, little_len) )
+			return i;
+		}
+
+	return -1;
+	}
+
+int fputs(int len, const char* s, FILE* fp)
+	{
+	for ( int i = 0; i < len; ++i )
+		if ( fputc(s[i], fp) == EOF )
+			return EOF;
+	return 0;
+	}
+
+bool is_printable(const char* s, int len)
+	{
+	while ( --len >= 0 )
+		if ( ! isprint(*s++) )
+			return false;
+	return true;
+	}
+
+const char* fmt_bytes(const char* data, int len)
+	{
+	static char buf[1024];
+	char* p = buf;
+
+	for ( int i = 0; i < len && p - buf < int(sizeof(buf)); ++i )
+		{
+		if ( isprint(data[i]) )
+			*p++ = data[i];
+		else
+			p += snprintf(p, sizeof(buf) - (p - buf),
+					"\\x%02x", (unsigned char) data[i]);
+		}
+
+	if ( p - buf < int(sizeof(buf)) )
+		*p = '\0';
+	else
+		buf[sizeof(buf) - 1] = '\0';
+
+	return buf;
+	}
+
+const char* fmt(const char* format, ...)
+	{
+	static char* buf = 0;
+	static unsigned int buf_len = 1024;
+
+	if ( ! buf )
+		buf = (char*) malloc(buf_len);
+
+	va_list al;
+	va_start(al, format);
+	int n = safe_vsnprintf(buf, buf_len, format, al);
+	va_end(al);
+
+	if ( (unsigned int) n >= buf_len )
+		{ // Not enough room, grow the buffer.
+		buf_len = n + 32;
+		buf = (char*) realloc(buf, buf_len);
+
+		// Is it portable to restart?
+		va_start(al, format);
+		n = safe_vsnprintf(buf, buf_len, format, al);
+		va_end(al);
+
+		if ( (unsigned int) n >= buf_len )
+			internal_error("confusion reformatting in fmt()");
+		}
+
+	return buf;
+	}
+
+const char* fmt_access_time(double t)
+	{
+	static char buf[256];
+	time_t time = (time_t) t;
+	strftime(buf, sizeof(buf), "%d/%m-%H:%M", localtime(&time));
+	return buf;
+	}
+
+bool ensure_dir(const char *dirname)
+	{
+	struct stat st;
+	if ( stat(dirname, &st) < 0 )
+		{
+		if ( errno != ENOENT )
+			{
+			warn(fmt("can't stat directory %s: %s",
+				dirname, strerror(errno)));
+			return false;
+			}
+
+		if ( mkdir(dirname, 0700) < 0 )
+			{
+			warn(fmt("can't create directory %s: %s",
+				dirname, strerror(errno)));
+			return false;
+			}
+		}
+
+	else if ( ! S_ISDIR(st.st_mode) )
+		{
+		warn(fmt("%s exists but is not a directory", dirname));
+		return false;
+		}
+
+	return true;
+	}
+
+bool is_dir(const char* path)
+	{
+	struct stat st;
+	if ( stat(path, &st) < 0 )
+		{
+		if ( errno != ENOENT )
+			warn(fmt("can't stat %s: %s", path, strerror(errno)));
+
+		return false;
+		}
+
+	return S_ISDIR(st.st_mode);
+	}
+
+void hash_md5(size_t size, const unsigned char* bytes, unsigned char digest[16])
+	{
+	md5_state_s h;
+	md5_init(&h);
+	md5_append(&h, bytes, size);
+	md5_finish(&h, digest);
+	}
+
+const char* md5_digest_print(const unsigned char digest[16])
+	{
+	static char digest_print[256];
+
+	for ( int i = 0; i < 16; ++i )
+		snprintf(digest_print + i * 2, 3, "%02x", digest[i]);
+
+	return digest_print;
+	}
+
+int hmac_key_set = 0;
+uint8 shared_hmac_md5_key[16];
+
+void hmac_md5(size_t size, const unsigned char* bytes, unsigned char digest[16])
+	{
+	if ( ! hmac_key_set )
+		internal_error("HMAC-MD5 invoked before the HMAC key is set");
+
+	hash_md5(size, bytes, digest);
+
+	for ( int i = 0; i < 16; ++i )
+		digest[i] ^= shared_hmac_md5_key[i];
+
+	hash_md5(16, digest, digest);
+	}
+
+static bool read_random_seeds(const char* read_file, uint32* seed,
+				uint32* buf, int bufsiz)
+	{
+	struct stat st;
+	FILE* f = 0;
+
+	if ( stat(read_file, &st) < 0 )
+		{
+		warn(fmt("Seed file '%s' does not exist: %s",
+				read_file, strerror(errno)));
+		return false;
+		}
+
+	if ( ! (f = fopen(read_file, "r")) )
+		{
+		warn(fmt("Could not open seed file '%s': %s",
+				read_file, strerror(errno)));
+		return false;
+		}
+
+	// Read seed for srandom().
+	if ( fscanf(f, "%u", seed) != 1 )
+		{
+		fclose(f);
+		return false;
+		}
+
+	// Read seeds for MD5.
+	for ( int i = 0; i < bufsiz; ++i )
+		{
+		int tmp;
+		if ( fscanf(f, "%u", &tmp) != 1 )
+			{
+			fclose(f);
+			return false;
+			}
+
+		buf[i] = tmp;
+		}
+
+	fclose(f);
+	return true;
+	}
+
+static bool write_random_seeds(const char* write_file, uint32 seed,
+				uint32* buf, int bufsiz)
+	{
+	FILE* f = 0;
+
+	if ( ! (f = fopen(write_file, "w+")) )
+		{
+		warn(fmt("Could not create seed file '%s': %s",
+				write_file, strerror(errno)));
+		return false;
+		}
+
+	fprintf(f, "%u\n", seed);
+
+	for ( int i = 0; i < bufsiz; ++i )
+		fprintf(f, "%u\n", buf[i]);
+
+	fclose(f);
+	return true;
+	}
+
+void init_random_seed(uint32 seed, const char* read_file, const char* write_file)
+	{
+	static const int bufsiz = 16;
+	uint32 buf[bufsiz];
+	int pos = 0;	// accumulates entropy
+	bool seeds_done = false;
+
+	if ( read_file )
+		{
+		if ( ! read_random_seeds(read_file, &seed, buf, bufsiz) )
+			fprintf(stderr, "Could not load seeds from file '%s'.\n",
+					read_file);
+		else
+			seeds_done = true;
+		}
+
+	if ( ! seeds_done )
+		{
+		// Gather up some entropy.
+		gettimeofday((struct timeval *)(buf + pos), 0);
+		pos += sizeof(struct timeval) / sizeof(uint32);
+
+#if defined(O_NONBLOCK)
+		int fd = open("/dev/random", O_RDONLY | O_NONBLOCK);
+#elif defined(O_NDELAY)
+		int fd = open("/dev/random", O_RDONLY | O_NDELAY);
+#else
+		int fd = open("/dev/random", O_RDONLY);
+#endif
+
+		if ( fd >= 0 )
+			{
+			int amt = read(fd, buf + pos,
+					sizeof(uint32) * (bufsiz - pos));
+			close(fd);
+
+			if ( amt > 0 )
+				pos += amt / sizeof(uint32);
+			else
+				// Clear errno, which can be set on some
+				// systems due to a lack of entropy.
+				errno = 0;
+			}
+
+		if ( pos < bufsiz )
+			{
+			buf[pos++] = getpid();
+
+			if ( pos < bufsiz )
+				buf[pos++] = getuid();
+			}
+
+		if ( ! seed )
+			{
+			for ( int i = 0; i < pos; ++i )
+				{
+				seed ^= buf[i];
+				seed = (seed << 1) | (seed >> 31);
+				}
+			}
+		}
+
+	srandom(seed);
+
+	if ( ! hmac_key_set )
+		{
+		hash_md5(sizeof(buf), (u_char*) buf, shared_hmac_md5_key);
+		hmac_key_set = 1;
+		}
+
+	if ( write_file && ! write_random_seeds(write_file, seed, buf, bufsiz) )
+		fprintf(stderr, "Could not write seeds to file '%s'.\n",
+				write_file);
+	}
+
+
+// Returns a 64-bit random string.
+uint64 rand64bit()
+	{
+	uint64 base = 0;
+	int i;
+
+	for ( i = 1; i <= 4; ++i )
+		base = (base<<16) | random();
+	return base;
+	}
+
+void message(const char* msg)
+	{
+	pinpoint();
+	fprintf(stderr, "%s\n", msg);
+	}
+
+void warn(const char* msg)
+	{
+	pinpoint();
+	fprintf(stderr, "warning: %s\n", msg);
+	++nwarn;
+	}
+
+void warn(const char* msg, const char* addl)
+	{
+	pinpoint();
+	fprintf(stderr, "warning: %s %s\n", msg, addl);
+	++nwarn;
+	}
+
+void error(const char* msg)
+	{
+	pinpoint();
+	fprintf(stderr, "error: %s\n", msg);
+	++nerr;
+	}
+
+void error(const char* msg, const char* addl)
+	{
+	pinpoint();
+	fprintf(stderr, "error: %s %s\n", msg, addl);
+	++nerr;
+	}
+
+void error(const char* msg, uint32 addl)
+	{
+	pinpoint();
+	fprintf(stderr, "error: %s - %u\n", msg, addl);
+	++nerr;
+	}
+
+void run_time(const char* msg)
+	{
+	pinpoint();
+	fprintf(stderr, "run-time error: %s\n", msg);
+	++nruntime;
+	}
+
+void run_time(const char* fmt, BroObj* obj)
+	{
+	ODesc d;
+	obj->Describe(&d);
+	run_time(fmt, d.Description());
+	}
+
+void run_time(const char* fmt, const char* arg)
+	{
+	pinpoint();
+	fprintf(stderr, "run-time error: ");
+	fprintf(stderr, fmt, arg);
+	fprintf(stderr, "\n");
+	++nruntime;
+	}
+
+void run_time(const char* fmt, const char* arg1, const char* arg2)
+	{
+	pinpoint();
+	fprintf(stderr, "run-time error: ");
+	fprintf(stderr, fmt, arg1, arg2);
+	fprintf(stderr, "\n");
+	++nruntime;
+	}
+
+void internal_error(const char* fmt, ...)
+	{
+	va_list al;
+
+	pinpoint();
+	fprintf(stderr, "internal error: ");
+	va_start(al, fmt);
+	vfprintf(stderr, fmt, al);
+	va_end(al);
+	fprintf(stderr, "\n");
+	set_processing_status("TERMINATED", "internal_error");
+	abort();
+	}
+
+void pinpoint()
+	{
+	if ( network_time > 0.0 )
+		fprintf(stderr, "%.6f ", network_time);
+	else
+		{
+		if ( filename )
+			fprintf(stderr, "%s, ", filename);
+		fprintf(stderr, "line %d: ", line_number);
+		}
+	}
+
+int int_list_cmp(const void* v1, const void* v2)
+	{
+	ptr_compat_int i1 = *(ptr_compat_int*) v1;
+	ptr_compat_int i2 = *(ptr_compat_int*) v2;
+
+	if ( i1 < i2 )
+		return -1;
+	else if ( i1 == i2 )
+		return 0;
+	else
+		return 1;
+	}
+
+const char* bro_path()
+	{
+	const char* path = getenv("BROPATH");
+	if ( ! path )
+		path = ".:policy:policy/sigs:policy/time-machine:"
+			POLICYDEST ":"
+			POLICYDEST "/sigs:" 
+			POLICYDEST "/time-machine:"
+			POLICYDEST "/site";
+
+	return path;
+	}
+
+const char* bro_prefixes()
+	{
+	int len = 1;	// room for \0
+	loop_over_list(prefixes, i)
+		len += strlen(prefixes[i]) + 1;
+
+	char* p = new char[len];
+
+	loop_over_list(prefixes, j)
+		if ( j == 0 )
+			strcpy(p, prefixes[j]);
+		else
+			{
+			strcat(p, ":");
+			strcat(p, prefixes[j]);
+			}
+
+	return p;
+	}
+
+FILE* open_file(const char* filename, const char** full_filename)
+	{
+	if ( full_filename )
+		*full_filename = copy_string(filename);
+
+	FILE* f = fopen(filename, "r");
+
+	return f;
+	}
+
+FILE* search_for_file(const char* filename, const char* ext,
+			const char** full_filename)
+	{
+	if ( filename[0] == '/' || filename[0] == '.' )
+		return open_file(filename, full_filename);
+
+	char path[1024], full_filename_buf[1024];
+	safe_strncpy(path, bro_path(), sizeof(path));
+
+	char* dir_beginning = path;
+	char* dir_ending = path;
+	int more = *dir_beginning != '\0';
+
+	while ( more )
+		{
+		while ( *dir_ending && *dir_ending != ':' )
+			++dir_ending;
+
+		if ( *dir_ending == ':' )
+			*dir_ending = '\0';
+		else
+			more = 0;
+
+		safe_snprintf(full_filename_buf, sizeof(full_filename_buf),
+				"%s/%s.%s", dir_beginning, filename, ext);
+		if ( access(full_filename_buf, R_OK) == 0 &&
+		     ! is_dir(full_filename_buf) )
+			return open_file(full_filename_buf, full_filename);
+
+		safe_snprintf(full_filename_buf, sizeof(full_filename_buf),
+				"%s/%s", dir_beginning, filename);
+		if ( access(full_filename_buf, R_OK) == 0 &&
+		      ! is_dir(full_filename_buf) )
+			return open_file(full_filename_buf, full_filename);
+
+		dir_beginning = ++dir_ending;
+		}
+
+	if ( full_filename )
+		*full_filename = copy_string(filename);
+
+	return 0;
+	}
+
+FILE* rotate_file(const char* name, RecordVal* rotate_info)
+	{
+	// Build file names.
+	const int buflen = strlen(name) + 128;
+
+	char tmpname[buflen], newname[buflen+4];
+
+	safe_snprintf(newname, buflen, "%s.%d.%.06f.tmp",
+			name, getpid(), network_time);
+	newname[buflen-1] = '\0';
+	strcpy(tmpname, newname);
+	strcat(tmpname, ".tmp");
+
+	// First open the new file using a temporary name.
+	FILE* newf = fopen(tmpname, "w");
+	if ( ! newf )
+		{
+		run_time(fmt("rotate_file: can't open %s: %s", tmpname, strerror(errno)));
+		return 0;
+		}
+
+	// Then move old file to "<name>.<pid>.<timestamp>" and make sure
+	// it really gets created.
+	struct stat dummy;
+	if ( link(name, newname) < 0 || stat(newname, &dummy) < 0 )
+		{
+		run_time(fmt("rotate_file: can't move %s to %s: %s", name, newname, strerror(errno)));
+		fclose(newf);
+		unlink(newname);
+		unlink(tmpname);
+		return 0;
+		}
+
+	// Close current file, and move the tmp to its place.
+	if ( unlink(name) < 0 || link(tmpname, name) < 0 || unlink(tmpname) < 0 )
+		{
+		run_time(fmt("rotate_file: can't move %s to %s: %s", tmpname, name, strerror(errno)));
+		exit(1);	// hard to fix, but shouldn't happen anyway...
+		}
+
+	// Init rotate_info.
+	if ( rotate_info )
+		{
+		rotate_info->Assign(0, new StringVal(name));
+		rotate_info->Assign(1, new StringVal(newname));
+		rotate_info->Assign(2, new Val(network_time, TYPE_TIME));
+		rotate_info->Assign(3, new Val(network_time, TYPE_TIME));
+		}
+
+	return newf;
+	}
+
+const char* log_file_name(const char* tag)
+	{
+	const char* env = getenv("BRO_LOG_SUFFIX");
+	return fmt("%s.%s", tag, (env ? env : "log"));
+	}
+
+double calc_next_rotate(double interval, const char* rotate_base_time)
+	{
+	double current = network_time;
+
+	// Calculate start of day.
+	time_t teatime = time_t(current);
+
+	struct tm t;
+	t = *localtime(&teatime);
+	t.tm_hour = t.tm_min = t.tm_sec = 0;
+	double startofday = mktime(&t);
+
+	double base = -1;
+
+	if ( rotate_base_time && rotate_base_time[0] != '\0' )
+		{
+		struct tm t;
+		if ( ! strptime(rotate_base_time, "%H:%M", &t) )
+			run_time("calc_next_rotate(): can't parse rotation base time");
+		else
+			base = t.tm_min * 60 + t.tm_hour * 60 * 60;
+		}
+
+	if ( base < 0 )
+		// No base time given. To get nice timestamps, we round
+		// the time up to the next multiple of the rotation interval.
+		return floor(current / interval) * interval
+			+ interval - current;
+
+	// current < startofday + base + i * interval <= current + interval
+	return startofday + base +
+		ceil((current - startofday - base) / interval) * interval -
+			current;
+	}
+
+
+RETSIGTYPE sig_handler(int signo);
+
+void terminate_processing()
+	{
+	if ( ! terminating )
+		sig_handler(SIGTERM);
+	}
+
+extern const char* proc_status_file;
+void _set_processing_status(const char* status)
+	{
+	if ( ! proc_status_file )
+		return;
+
+	// This function can be called from a signal context, so we have to
+	// make sure to only call reentrant functions and to restore errno
+	// afterwards.
+
+	int old_errno = errno;
+
+	int fd = open(proc_status_file, O_CREAT | O_WRONLY | O_TRUNC, 0700);
+
+	int len = strlen(status);
+	while ( len )
+		{
+		int n = write(fd, status, len);
+
+		if ( n < 0 && errno != EINTR && errno != EAGAIN )
+			// Ignore errors, as they're too difficult to
+			// safely report here.
+			break;
+
+		status += n;
+		len -= n;
+		}
+
+	close(fd);
+
+	errno = old_errno;
+	}
+
+double current_time(bool real)
+	{
+	struct timeval tv;
+	if ( gettimeofday(&tv, 0) < 0 )
+		internal_error("gettimeofday failed in current_time()");
+
+	double t = double(tv.tv_sec) + double(tv.tv_usec) / 1e6;
+
+	if ( ! pseudo_realtime || real || pkt_srcs.length() == 0 )
+		return t;
+
+	// This obviously only works for a single source ...
+	PktSrc* src = pkt_srcs[0];
+
+	if ( net_is_processing_suspended() )
+		return src->CurrentPacketTimestamp();
+
+	// We don't scale with pseudo_realtime here as that would give us a
+	// jumping real-time.
+	return src->CurrentPacketTimestamp() +
+		(t - src->CurrentPacketWallClock());
+	}
+
+struct timeval double_to_timeval(double t)
+	{
+	struct timeval tv;
+
+	double t1 = floor(t);
+	tv.tv_sec = int(t1);
+	tv.tv_usec = int((t - t1) * 1e6 + 0.5);
+
+	return tv;
+	}
+
+int time_compare(struct timeval* tv_a, struct timeval* tv_b)
+	{
+	if ( tv_a->tv_sec == tv_b->tv_sec )
+		return tv_a->tv_usec - tv_b->tv_usec;
+	else
+		return tv_a->tv_sec - tv_b->tv_sec;
+	}
+
+void out_of_memory(const char* where)
+	{
+	fprintf( stderr, "bro: out of memory in %s.\n", where );
+	abort();
+	}
+
+void get_memory_usage(unsigned int* total, unsigned int* malloced)
+	{
+	unsigned int ret_total;
+
+#ifdef HAVE_MALLINFO
+	// For memory, getrusage() gives bogus results on Linux. Grmpf.
+	struct mallinfo mi = mallinfo();
+
+	if ( malloced )
+		*malloced = mi.uordblks;
+
+	ret_total = mi.arena;
+
+	if ( total )
+		*total = ret_total;
+#else
+	struct rusage r;
+	getrusage(RUSAGE_SELF, &r);
+
+	if ( malloced )
+		*malloced = 0;
+
+	// At least on FreeBSD it's in KB.
+	ret_total = r.ru_maxrss * 1024;
+
+	if ( total )
+		*total = ret_total;
+#endif
+
+	// return ret_total;
+	}
+
+#ifdef malloc
+
+#undef malloc
+#undef realloc
+#undef free
+
+extern "C" {
+void* malloc(size_t);
+void* realloc(void*, size_t);
+void free(void*);
+}
+
+static int malloc_debug = 0;
+
+void* debug_malloc(size_t t)
+	{
+	void* v = malloc(t);
+	if ( malloc_debug )
+		printf("%.6f malloc %x %d\n", network_time, v, t);
+	return v;
+	}
+
+void* debug_realloc(void* v, size_t t)
+	{
+	v = realloc(v, t);
+	if ( malloc_debug )
+		printf("%.6f realloc %x %d\n", network_time, v, t);
+	return v;
+	}
+
+void debug_free(void* v)
+	{
+	if ( malloc_debug )
+		printf("%.6f free %x\n", network_time, v);
+	free(v);
+	}
+
+void* operator new(size_t t)
+	{
+	void* v = malloc(t);
+	if ( malloc_debug )
+		printf("%.6f new %x %d\n", network_time, v, t);
+	return v;
+	}
+
+void* operator new[](size_t t)
+	{
+	void* v = malloc(t);
+	if ( malloc_debug )
+		printf("%.6f new[] %x %d\n", network_time, v, t);
+	return v;
+	}
+
+void operator delete(void* v)
+	{
+	if ( malloc_debug )
+		printf("%.6f delete %x\n", network_time, v);
+	free(v);
+	}
+
+void operator delete[](void* v)
+	{
+	if ( malloc_debug )
+		printf("%.6f delete %x\n", network_time, v);
+	free(v);
+	}
+
+#endif
diff --git a/src/util.h b/src/util.h
new file mode 100644
index 0000000000..96aeb761e1
--- /dev/null
+++ b/src/util.h
@@ -0,0 +1,327 @@
+// $Id: util.h 6782 2009-06-28 02:19:03Z vern $
+//
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#ifndef util_h
+#define util_h
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdarg.h>
+#include "config.h"
+
+#if __STDC__
+#define myattribute __attribute__
+#else
+#define myattribute(x)
+#endif
+
+#ifdef DEBUG
+
+#include <assert.h>
+
+#define ASSERT(x)	assert(x)
+#define DEBUG_MSG(x...)	fprintf(stderr, x)
+#define DEBUG_fputs	fputs
+
+#else
+
+#define ASSERT(x)
+#define DEBUG_MSG(x...)
+#define DEBUG_fputs(x...)
+
+#endif
+
+#ifdef USE_PERFTOOLS
+#include <google/heap-checker.h>
+#include <google/heap-profiler.h>
+extern HeapLeakChecker* heap_checker;
+#endif
+
+typedef unsigned long long int uint64;
+typedef unsigned int uint32;
+typedef unsigned short uint16;
+typedef unsigned char uint8;
+typedef long long int int64;
+
+#ifdef USE_INT64
+	typedef int64 bro_int_t;
+	typedef uint64 bro_uint_t;
+#else
+	typedef int bro_int_t;
+	typedef uint32 bro_uint_t;
+// #	error "USE_INT64 not defined!"
+#endif
+
+#if SIZEOF_LONG_LONG == 8
+typedef unsigned long long uint64;
+typedef long long int64;
+#elif SIZEOF_LONG_INT == 8
+typedef unsigned long int uint64;
+typedef long int int64;
+#else
+# error "Couldn't reliably identify 64-bit type. Please report to bro@bro-ids.org."
+#endif
+
+// "ptr_compat_uint" and "ptr_compat_int" are (un)signed integers of
+// pointer size. They can be cast safely to a pointer, e.g. in Lists,
+// which represent their entities as void* pointers.
+//
+#if SIZEOF_VOID_P == 8
+typedef uint64 ptr_compat_uint;
+typedef int64 ptr_compat_int;
+#elif SIZEOF_VOID_P == 4
+typedef uint32 ptr_compat_uint;
+typedef int ptr_compat_int;
+#else
+# error "Unusual pointer size. Please report to bro@bro-ids.org."
+#endif
+
+template <class T>
+void delete_each(T* t)
+	{
+	typedef typename T::iterator iterator;
+	for ( iterator it = t->begin(); it != t->end(); ++it )
+		delete *it;
+	}
+
+extern char* copy_string(const char* s);
+extern int streq(const char* s1, const char* s2);
+
+// Returns the character corresponding to the given escape sequence (s points
+// just past the '\'), and updates s to point just beyond the last character
+// of the sequence.
+extern int expand_escape(const char*& s);
+
+extern char* skip_whitespace(char* s);
+extern const char* skip_whitespace(const char* s);
+extern char* skip_whitespace(char* s, char* end_of_s);
+extern const char* skip_whitespace(const char* s, const char* end_of_s);
+extern char* skip_digits(char* s);
+extern char* get_word(char*& s);
+extern void get_word(int length, const char* s, int& pwlen, const char*& pw);
+extern void to_upper(char* s);
+extern const char* strchr_n(const char* s, const char* end_of_s, char ch);
+extern const char* strrchr_n(const char* s, const char* end_of_s, char ch);
+extern int decode_hex(char ch);
+extern unsigned char encode_hex(int h);
+extern int strcasecmp_n(int s_len, const char* s, const char* t);
+#ifndef HAVE_STRCASESTR
+extern char* strcasestr(const char* s, const char* find);
+#endif
+extern const char* strpbrk_n(size_t len, const char* s, const char* charset);
+extern int atoi_n(int len, const char* s, const char** end,
+			int base, int& result);
+int strstr_n(const int big_len, const unsigned char* big,
+		const int little_len, const unsigned char* little);
+extern int fputs(int len, const char* s, FILE* fp);
+extern bool is_printable(const char* s, int len);
+
+extern const char* fmt_bytes(const char* data, int len);
+
+// Note: returns a pointer into a shared buffer.
+extern const char* fmt(const char* format, ...)
+	myattribute((format (printf, 1, 2)));
+extern const char* fmt_access_time(double time);
+
+extern bool ensure_dir(const char *dirname);
+
+// Returns true if path exists and is a directory.
+bool is_dir(const char* path); 
+
+extern uint8 shared_hmac_md5_key[16];
+extern void hash_md5(size_t size, const unsigned char* bytes,
+			unsigned char digest[16]);
+
+extern int hmac_key_set;
+extern unsigned char shared_hmac_md5_key[16];
+extern void hmac_md5(size_t size, const unsigned char* bytes,
+			unsigned char digest[16]);
+
+extern const char* md5_digest_print(const unsigned char digest[16]);
+
+// Initializes RNGs for random() and MD5 usage.  If seed is given, then
+// it is used (to provide determinism).  If load_file is given, the seeds
+// (both random & MD5) are loaded from that file.  This takes precedence
+// over the "seed" argument.  If write_file is given, the seeds are written
+// to that file.
+//
+extern void init_random_seed(uint32 seed, const char* load_file,
+				const char* write_file);
+
+extern uint64 rand64bit();
+
+#define UHASH_KEY_SIZE	32
+extern uint8 uhash_key[UHASH_KEY_SIZE];
+
+// Each event source that may generate events gets an internally unique ID.
+// This is always LOCAL for a local Bro. For remote event sources, it gets
+// assigned by the RemoteSerializer.
+//
+// FIXME: Find a nicer place for this type definition.
+// Unfortunately, it introduces circular dependencies when defined in one of
+// the obvious places (like Event.h or RemoteSerializer.h)
+
+typedef ptr_compat_uint SourceID;
+static const SourceID SOURCE_LOCAL = 0;
+
+class BroObj;
+extern void message(const char* msg);
+extern void warn(const char* msg);
+extern void warn(const char* msg, const char* addl);
+extern void error(const char* msg);
+extern void error(const char* msg, const char* addl);
+extern void error(const char* msg, uint32 addl);
+extern void run_time(const char* msg);
+extern void run_time(const char* fmt, BroObj* obj);
+extern void run_time(const char* fmt, const char* arg);
+extern void run_time(const char* fmt, const char* arg1, const char* arg2);
+extern void internal_error(const char* fmt, ...)
+	myattribute((volatile, format (printf, 1, 2)));
+extern void pinpoint();
+extern int int_list_cmp(const void* v1, const void* v2);
+
+extern const char* bro_path();
+extern const char* bro_prefixes();
+extern FILE* search_for_file(const char* filename, const char* ext,
+	const char** full_filename);
+
+// Renames the given file to a new temporary name, and opens a new file with
+// the original name. Returns new file or NULL on error. Inits rotate_info if
+// given (open time is set network time).
+class RecordVal;
+extern FILE* rotate_file(const char* name, RecordVal* rotate_info);
+
+// This mimics the script-level function with the same name.
+const char* log_file_name(const char* tag);
+
+// Calculate the duration until the next time a file is to be rotated, based
+// on the given rotate_interval and rotate_base_time.
+double calc_next_rotate(double rotate_interval, const char* rotate_base_time);
+
+// Terminates processing gracefully, similar to pressing CTRL-C.
+void terminate_processing();
+
+// Sets the current status of the Bro process to the given string.
+// If the option --status-file has been set, this is written into
+// the the corresponding file.  Otherwise, the function is a no-op.
+#define set_processing_status(status, location) \
+	_set_processing_status(status " [" location "]\n");
+void _set_processing_status(const char* status);
+
+// Current timestamp, from a networking perspective, not a wall-clock
+// perspective.  In particular, if we're reading from a savefile this
+// is the time of the most recent packet, not the time returned by
+// gettimeofday().
+extern double network_time;
+
+// Returns the current time.
+// (In pseudo-realtime mode this is faked to be the start time of the
+// trace plus the time interval Bro has been running. To avoid this,
+// call with real=true).
+extern double current_time(bool real=false);
+
+// Convert a time represented as a double to a timeval struct.
+extern struct timeval double_to_timeval(double t);
+
+// Return > 0 if tv_a > tv_b, 0 if equal, < 0 if tv_a < tv_b.
+extern int time_compare(struct timeval* tv_a, struct timeval* tv_b);
+
+inline int min(int a, int b)
+	{
+	return a < b ? a : b;
+	}
+
+inline int max(int a, int b)
+	{
+	return a > b ? a : b;
+	}
+
+// For now, don't use hash_maps - they're not fully portable.
+#if 0
+// Use for hash_map's string keys.
+struct eqstr {
+	bool operator()(const char* s1, const char* s2) const
+		{
+		return strcmp(s1, s2) == 0;
+		}
+};
+#endif
+
+// Use for map's string keys.
+struct ltstr {
+	bool operator()(const char* s1, const char* s2) const
+	{
+	return strcmp(s1, s2) < 0;
+	}
+};
+
+// Versions of realloc/malloc which abort() on out of memory
+
+inline size_t pad_size(size_t size)
+	{
+	// We emulate glibc here (values measured on Linux i386).
+	// FIXME: We should better copy the portable value definitions from glibc.
+	if ( size == 0 )
+		return 0;	// glibc allocated 16 bytes anyway.
+
+	const int pad = 8;
+	if ( size < 12 )
+		return 2 * pad;
+
+	return ((size+3) / pad + 1) * pad;
+	}
+
+#define padded_sizeof(x) (pad_size(sizeof(x)))
+
+extern void out_of_memory(const char* where);
+
+inline void* safe_realloc(void* ptr, size_t size)
+	{
+	ptr = realloc(ptr, size);
+	if ( size && ! ptr )
+		out_of_memory("realloc");
+
+	return ptr;
+	}
+
+inline void* safe_malloc(size_t size)
+	{
+	void* ptr = malloc(size);
+	if ( ! ptr )
+		out_of_memory("malloc");
+
+	return ptr;
+	}
+
+inline char* safe_strncpy(char* dest, const char* src, size_t n)
+	{
+	char* result = strncpy(dest, src, n);
+	dest[n-1] = '\0';
+	return result;
+	}
+
+inline int safe_snprintf(char* str, size_t size, const char* format, ...)
+	{
+	va_list al;
+	va_start(al, format);
+	int result = vsnprintf(str, size, format, al);
+	va_end(al);
+	str[size-1] = '\0';
+
+	return result;
+	}
+
+inline int safe_vsnprintf(char* str, size_t size, const char* format, va_list al)
+	{
+	int result = vsnprintf(str, size, format, al);
+	str[size-1] = '\0';
+	return result;
+	}
+
+// Returns total memory allocations and (if available) amount actually
+// handed out by malloc.
+extern void get_memory_usage(unsigned int* total,
+			     unsigned int* malloced);
+#endif
diff --git a/testing/README b/testing/README
new file mode 100644
index 0000000000..02c8d71ce7
--- /dev/null
+++ b/testing/README
@@ -0,0 +1,10 @@
+This directory contains some of the suites for testing for Bro's
+correct operation:
+
+istate/
+	Tests Bro's independent state facilities.  These include persistent
+	values and inter-process event/value communication.
+
+(Note that the Bro developers maintain a separate test suite for
+ Bro's trace analysis capabilities.  This is kept private as it uses
+ sensitive raw traces for input.)
diff --git a/testing/istate/README b/testing/istate/README
new file mode 100644
index 0000000000..78e855074f
--- /dev/null
+++ b/testing/istate/README
@@ -0,0 +1,11 @@
+To run these tests, invoke:
+
+	./istate.py
+
+To see differences leading to test failures, invoke:
+
+	./istate.py -s
+
+Build a new test baseline using:
+
+	./istate.py -b
diff --git a/testing/istate/base/bro-ping/remote.log b/testing/istate/base/bro-ping/remote.log
new file mode 100644
index 0000000000..4f86bd62d6
--- /dev/null
+++ b/testing/istate/base/bro-ping/remote.log
@@ -0,0 +1,17 @@
+xxxxxxxxxx.xxxxxx [info]  [parent] pipe's socket buffer size is 8192, setting to 1048576
+xxxxxxxxxx.xxxxxx [info]  [parent] communication started, parent 
+xxxxxxxxxx.xxxxxx [info]  [child]  listening on 0.0.0.0:47758 (clear)
+xxxxxxxxxx.xxxxxx [info]  [child]  [#10000/] accepted clear connection
+xxxxxxxxxx.xxxxxx [info]  [parent] [#10000/] added peer
+xxxxxxxxxx.xxxxxx [info]  [parent] [#10000/] peer connected
+xxxxxxxxxx.xxxxxx [info]  [parent] [#10000/] phase: version
+xxxxxxxxxx.xxxxxx [info]  [script] [#10000/] connection established
+xxxxxxxxxx.xxxxxx [info]  [script] [#10000/] requesting events matching /^?(ping)$?/
+xxxxxxxxxx.xxxxxx [info]  [script] [#10000/] accepting state
+xxxxxxxxxx.xxxxxx [info]  [script] [#10000/] requesting synchronized state
+xxxxxxxxxx.xxxxxx [info]  [parent] [#10000/] phase: handshake
+xxxxxxxxxx.xxxxxx [info]  [parent] [#10000/] registered for event pong
+xxxxxxxxxx.xxxxxx [info]  [parent] [#10000/] peer does not support 64bit PIDs; using compatibility mode
+xxxxxxxxxx.xxxxxx [info]  [parent] [#10000/] phase: sync (receiver)
+xxxxxxxxxx.xxxxxx [info]  [parent] [#10000/] phase: running
+xxxxxxxxxx.xxxxxx [info]  [parent] [#10000/] closing connection
diff --git a/testing/istate/base/bro-ping/stderr.log b/testing/istate/base/bro-ping/stderr.log
new file mode 100644
index 0000000000..bb611b7eb0
--- /dev/null
+++ b/testing/istate/base/bro-ping/stderr.log
@@ -0,0 +1,3 @@
+xxxxxxxxxx.xxxxxx processing suspended
+xxxxxxxxxx.xxxxxx processing continued
+xxxxxxxxxx.xxxxxx received termination signal
diff --git a/testing/istate/base/bro-ping/stdout.log b/testing/istate/base/bro-ping/stdout.log
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/testing/istate/base/broccoli-ping/stderr.log b/testing/istate/base/broccoli-ping/stderr.log
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/testing/istate/base/broccoli-ping/stdout.log b/testing/istate/base/broccoli-ping/stdout.log
new file mode 100644
index 0000000000..6174e6cce8
--- /dev/null
+++ b/testing/istate/base/broccoli-ping/stdout.log
@@ -0,0 +1,5 @@
+pong event from 127.0.0.1: seq=0, 
+pong event from 127.0.0.1: seq=1, 
+pong event from 127.0.0.1: seq=2, 
+pong event from 127.0.0.1: seq=3, 
+pong event from 127.0.0.1: seq=4, 
diff --git a/testing/istate/base/events-display/stdout.log b/testing/istate/base/events-display/stdout.log
new file mode 100644
index 0000000000..a68f969a3c
--- /dev/null
+++ b/testing/istate/base/events-display/stdout.log
@@ -0,0 +1,36 @@
+Event [xxxxxxxxxx.xxxxxx] bro_done()
+Event [xxxxxxxxxx.xxxxxx] connection_established([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=0, state=4], resp=[size=0, state=4], start_time=xxxxxxxxxx.xxxxxx, duration=0.182510137557983, service={}, addl="", hot=0, history="Sh"])
+Event [xxxxxxxxxx.xxxxxx] connection_finished([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=5], resp=[size=9417, state=5], start_time=xxxxxxxxxx.xxxxxx, duration=1.73330307006836, service={}, addl="%events-send-1", hot=0, history="ShADdFaf"])
+Event [xxxxxxxxxx.xxxxxx] connection_pending([id=[orig_h=141.42.64.125, orig_p=56729/tcp, resp_h=125.190.109.199, resp_p=12345/tcp], orig=[size=0, state=1], resp=[size=0, state=6], start_time=xxxxxxxxxx.xxxxxx, duration=0.182432889938354, service={}, addl="", hot=0, history="Sr"])
+Event [xxxxxxxxxx.xxxxxx] connection_state_remove([id=[orig_h=141.42.64.125, orig_p=56729/tcp, resp_h=125.190.109.199, resp_p=12345/tcp], orig=[size=0, state=1], resp=[size=0, state=6], start_time=xxxxxxxxxx.xxxxxx, duration=0.182432889938354, service={}, addl="", hot=0, history="Sr"])
+Event [xxxxxxxxxx.xxxxxx] connection_state_remove([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=5], resp=[size=9417, state=5], start_time=xxxxxxxxxx.xxxxxx, duration=1.73330307006836, service={}, addl="%events-send-1", hot=0, history="ShADdFaf"])
+Event [xxxxxxxxxx.xxxxxx] http_begin_entity([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=0, state=4], start_time=xxxxxxxxxx.xxxxxx, duration=0.183290958404541, service={}, addl="%events-send-1", hot=0, history="ShAD"]T)
+Event [xxxxxxxxxx.xxxxxx] http_begin_entity([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=1448, state=4], start_time=xxxxxxxxxx.xxxxxx, duration=0.367331027984619, service={}, addl="%events-send-1 %events-rcv-1", hot=0, history="ShADd"]F)
+Event [xxxxxxxxxx.xxxxxx] http_content_type([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=0, state=4], start_time=xxxxxxxxxx.xxxxxx, duration=0.183290958404541, service={}, addl="%events-send-1 %events-rcv-1", hot=0, history="ShAD"]T"TEXT""PLAIN")
+Event [xxxxxxxxxx.xxxxxx] http_content_type([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=1448, state=4], start_time=xxxxxxxxxx.xxxxxx, duration=0.367331027984619, service={}, addl="%events-send-1 %events-rcv-1", hot=0, history="ShADd"]F"TEXT""HTML")
+Event [xxxxxxxxxx.xxxxxx] http_end_entity([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=0, state=4], start_time=xxxxxxxxxx.xxxxxx, duration=0.183290958404541, service={}, addl="%events-send-1 %events-rcv-1", hot=0, history="ShAD"]T)
+Event [xxxxxxxxxx.xxxxxx] http_end_entity([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=9417, state=4], start_time=xxxxxxxxxx.xxxxxx, duration=0.73563814163208, service={}, addl="%events-send-1 %events-rcv-1", hot=0, history="ShADd"]F)
+Event [xxxxxxxxxx.xxxxxx] http_entity_data([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=5792, state=4], start_time=xxxxxxxxxx.xxxxxx, duration=0.551820039749146, service={}, addl="%events-send-1", hot=0, history="ShADd"]F4096"<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"^J"http://www.w3.org/TR/REC-html40/loose.dtd">^J<HEAD><TITLE>ICIR</TITLE></HEAD>^J<BODY bgcolor="#ffffff" text="#000000" link="#0000ff" vlink="#b20000">^J<img src=icir.gif alt="ICIR"><br>^J<p>^JICIR (The ICSI Center for Internet Research)^Jis a ^Jnon-profit^Jresearch institute at^J<a href="http://www.icsi.berkeley.edu">ICSI</a>^Jin ^J<a href="http://dir.yahoo.com/Regional/U_S__States/California/Cities/Berkeley/">Berkeley</a>, ^JCalifornia.<br>^JFor the three years from 1999 to 2001 we were named^JACIRI, the AT&T Center for Internet Research at ICSI, ^Jand were funded by <a href="http://www.att.com">AT&amp;T</a>.<br>^J^JThe goals of ICIR are to:^J<ul>^J<li>Pursue research on the Internet architecture and related networking issues,^J<li>^JParticipate actively in the research (<a href="http://www.acm.org/sigcomm/">SIGCOMM</a> and <a href="http://www.irtf.org/">IRTF</a>) and^Jstandards (<a href="http://www.ietf.org/">IETF</a>) communities,^J<li> Bridge the gap between the Internet research community and commercial ^Jinterests by providing a neutral forum where topics of mutual technical ^Jinterest can be addressed.^J</ul>^J<p>^J<!--^JICIR is now ^J<a href="jobs.html">^Jhiring</a> for both postdoctoral positions and summer interns.^J-->^J<hr>^J^J<DIV ALIGN="CENTER">^J^J<table width="100%" cellspacing=16 cellpadding=0>^J^J<tr>^J<td width="35%" valign=top>^J^J<h2>^JPeople^J</h2>^J<ul>^J<li>^J<a href="./shenker/">^JScott Shenker</a>, Group Leader<br> ^J<li><a href="http://www.icir.org/mallman/">Mark Allman</a>^J<li>^J<a href="./floyd/">Sally Floyd</a>^J<!--^J<li><a href="http://www.isi.edu/~govindan/">Ramesh Govindan</a>^J-->^J<li>^J<a href="./karp/papers.html">^JRichard Karp</a>  ^J<!-- (also with the ^J<a href="http://www.icsi.berkeley.edu/Theory/">ICSI Theory Group</a>, ^J<a href="http://www.msri.org/">MSRI</a>, and^J<a href="http://www.cs.berkeley.edu/">UC Berkeley</a>) -->^J<li>^J<a href="./vern/">^JVern Paxson</a>  ^J<li>^J<a href="http://www.icir.org/robin/">^JRobin Sommer</a>^J<li>^J<a href="http://www.cs.berkeley.edu/~nweaver/">^JNicholas Weaver</a>^J<li>^J<a href="http://www.icsi.berkeley.edu/~zhao/">^JJerry Zhao</a>^J<!-- </ul> &nbsp; &nbsp;<b>Group Members</b> <ul> -->^J<li><b><a href="pastvisitors.html">Past Group Members</a></b>,^J<br>including:^J<ul>^J<li>^J<a href="http://www.cs.ucl.ac.uk/staff/M.Handley/">^JMark Handley</a> (UCL)^J<li><a href="./kohler/">Eddie Kohler</a> (UCLA)^J</ul>^J<li><b>Affiliated <a href="http://www.xorp.org/">Xorp</a>^JResearchers</b>:^J  <ul>^J  <li><a href="./jcardona/">Javier Cardona</a>^J  <li><a href="./atanu/">Atanu Ghosh</a> ^J  <li><a href="./hodson/">Orion Hodson</a>^J  <li><a href="./pavlin/">Pavlin Radoslavov</a> ^J  <li><a href="http://www.iet.unipi.it/~luigi">Luigi Rizzo</a>^J  <li><a href="http://people.freebsd.org/~bms/">Bruce Simpson</a>^J</ul>^J<li><b>Affiliated UCB Researchers</b>:^J  <ul>^J  <li><a href="http://www.cs.berkeley.edu/~christos/">Christos Papadimitriou</a>^J  <li><a href="http://www.cs.berkeley.edu/~istoica/">Ion Stoica</a>^J  </ul>^J<li><b>Visitors</b>:^J  <ul>^J  <li><a href="http://grid.sjtu.edu.cn/teachers/dengqn/dengqn.htm">Professor Quin-Ni Deng</a>^J<!--^J  from Shanghai Jiaotong University^J-->^J  <li>Teemu Koponen^J<!--^J  , Helsinki Institute for Information Technology^J-->^J  </ul>^J<!--^J<li><a href="pastvisitors.html">Other researchers</a>^J-->^J<a name=Visitors></a>^J<li><b>Interns:</b>^J<ul>^J<li>Juan Caballero^J<li><a href="http://www.stanford.edu/~casado/">Martin Casado</a>^J<li><a href="http://www.cs.rice.edu/~scrosby/">Scott Crosby</a>^J<li><a href="http://bnrg.cs.berkeley.edu/~wdc/">Weidong Cui</a>^J<li><a href="http://www.cs.berkeley.edu/~chema">Chema Gonzalez</a>^J<li>Halldor Isak Gylfason^J<li><a href="http://www.cl.cam.ac.uk/~cpk25/">Christian Kreibich</a>^J<li><a href="http://www.cs.ucsd.edu/~braghava">Barath Raghavan</a>^J<!--^J<li><a href="newinterns.html">New Interns:</a> ^J-->^J</ul>^J<li><b>Undergraduate Interns:</b>^J<ul>^J<li>Michael Hoisie^J<li>Arthur Wayne Liao^J<li>Christopher Portka^J</ul>^J<li><b><a href="pastvisitors.html">Past Visitors and Interns:</a></b>^J</ul>^J^J</td>^J<td width="30%" vali")
+Event [xxxxxxxxxx.xxxxxx] http_entity_data([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=8688, state=4], start_time=xxxxxxxxxx.xxxxxx, duration=0.552114009857178, service={}, addl="%events-send-1", hot=0, history="ShADd"]F4096"gn=top>^J^J<h2>^JPublications^J</h2>^J<ul>^J<li><a href="./rfcs.html">^JRFCs</a> with ICIR authors.^J<li>^J<a href="./internetdrafts.html">^JInternet drafts</a> with ICIR authors, 3/2004 ^J(or <a href="http://www.rfc-editor.org/idsearch.html">search</a>^Jthe current list).^J<!--^Jfor "Shenker OR Floyd OR Allman OR Paxson".^J(or the ^J<a^Jhref="^Jhttp://search.ietf.org:80/search/cgi-bin/BrokerQuery.pl.cgi?broker=internet-drafts&query=%28Author%3A+Shenker+OR+Floyd+OR+Handley+OR+Paxson+OR+Kohler%29&caseflag=on&wordflag=off&errorflag=0&maxlineflag=50&maxresultflag=1000&descflag=on&sort=by-NML&verbose=on&maxobjflag=25">current list</a>.)^J^Jhttp://search.ietf.org:80/search/cgi-bin/BrokerQuery.pl.cgi?broker=internet-drafts&query=(Shenker+OR+Floyd+OR+Handley+OR+Paxson+OR+Kohler)&descflag=on">current list</a>).^J-->^J<!--^Jfrom the ^J<a href="http://search.ietf.org/search/brokers/internet-drafts/query.html">^JInternet-Drafts Search Engine</a>).^J-->^J<li>Papers by ^J<a href="./shenker/papers.html">Scott Shenker</a>^J(<a^Jhref="http://citeseer.ist.psu.edu/cs?qb=dbnum%3D1%2Cqtype%3Dcitation:&q=Scott%20w/2%20Shenker%20or%20S%20w/2%20Shenker&co=Citations">RI</a>),^J^J<a href="./mallman/papers/">Mark Allman</a>^J(<a^Jhref="http://citeseer.ist.psu.edu/cs?qb=dbnum%3D1%2Cqtype%3Dcitation:&q=Mark%20w/2%20Allman%20or%20S%20w/2%20Allman&co=Citations">RI</a>),^J^J<a href="./floyd/papers.html">Sally Floyd</a>^J(<a^Jhref="http://citeseer.ist.psu.edu/cs?qb=dbnum%3D1%2Cqtype%3Dcitation:&q=Sally%20w/2%20Floyd%20or%20S%20w/2%20Floyd&co=Citations">RI</a>),^J^J<a href="./karp/papers.html">Richard Karp</a>^J(<a^Jhref="http://citeseer.ist.psu.edu/cs?qb=dbnum%3D1%2Cqtype%3Dcitation:&q=Richard%20w/2%20Karp%20or%20R%20w/2%20Karp&co=Citations">RI</a>),^J<a href="./kohler/pubs/">Eddie Kohler</a>^J(<a^Jhref="http://citeseer.ist.psu.edu/cs?qb=dbnum%3D1%2Cqtype%3Dcitation:&q=eddie%20w/2%20kohler%20or%20e%20w/2%20kohler&co=Citations">RI</a>),^J<a href="./vern/papers.html">Vern Paxson</a>^J(<a^Jhref="http://citeseer.ist.psu.edu/cs?qb=dbnum%3D1%2Cqtype%3Dcitation:&q=Vern%20w/2%20Paxson%20or%20V%20w/2%20Paxson&co=Citations">RI</a>).^J<li>The <a href="http://citeseer.ist.psu.edu/">^JResearchIndex</a> (RI) and the ^J<a href="http://citeseer.ist.psu.edu/cs">Search</a>^Jand ^J<a href="http://citeseer.ist.psu.edu/Networking/">^JNetworking</a> pages. ^J</ul>^J^J<h2>^JProjects ^J</h2>^J<ul>^J<li>^J<a href="./vern/bro-info.html">Bro</a>^J(detecting network intruders). ^J<li>The <a href="http://www.isi.edu/newarch/">NewArch</a> Project:^JFuture-Generation Internet Architecture.^J<LI>The <a href="http://www.isi.edu/nsnam/ns/">NS</a>^Jnetwork simulator.^J<li> <a href="./tbit/">TBIT</a>^J(TCP Behavior Identification Tool).^J<li> <a href="http://www.xorp.org/">Xorp</a>^J(Extensible Open Router Platform).^J<li>^J<a href="./funded_projects.html">^JOther Funded Projects</a>.^J<li>^J<a href="./research.html">^JAdditional Research Links</a>.^J</ul>^J^J^J</td>^J^J<td width="35%" valign=top>^J    ^J<h2>Research</h2>^J&nbsp; &nbsp;<b>Transport and Congestion</b>^J<ul>^J<li>^J<a href="./kohler/dcp/">DCCP</a>^J(Datagram Congestion Control Protocol).^J<li>^J<a href="./floyd/ecn.html">ECN</a>^J(Explicit Congestion Notification).^J<li>^J<a href="http://www.ietf.org/html.charters/intserv-charter.html">^JIntegrated services</a>.^J<li>^J<a href="./floyd/red.html">RED</a> ^Jqueue management, and^J<a href="./red-pd/">RED-PD</a>.^J<li>^J<a href="./floyd/hstcp.html">HighSpeed TCP</a>.^J<li>^J<a^Jhref="http://www.ietf.cnri.reston.va.us/html.charters/OLD/tcpimpl-charter.html">^JTCP Implementation</a>.^J<li>^JReordering-Robust TCP ^J(<a href="./bkarp/RR-TCP/">RR-TCP</a>).^J<li>TCP^J<a href="./floyd/sacks.html">SACK</a> ^J(Selective Acknowledgment).^J<li>^J<a href="./tfrc/">TFRC</a> ^J(TCP-Friendly Rate Control).^J</ul>^J^J&nbsp; &nbsp;<b>Traffic and Topology</b>^J<ul>^J<LI>^J<a href="http://idmaps.eecs.umich.edu/">IDMaps</a> ^J(Internet Distance Mapping).^J<LI>The <a href="http://www.acm.org/sigcomm/ITA/">^JInternet Traffic Archive</a>.^J<li>^J<a href="http://www-net.cs.umass.edu/minc/">MINC</a>^J(Multicast-based Inference of Network-internal Characteristics).^J<li>^J<a href="http://www.psc.edu/networking/nimi/">NIMI</a>^J(N")
+Event [xxxxxxxxxx.xxxxxx] http_entity_data([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=9417, state=4], start_time=xxxxxxxxxx.xxxxxx, duration=0.73563814163208, service={}, addl="%events-send-1", hot=0, history="ShADd"]F938"ational Internet Measurement Infrastructure).^J</ul>^J^J<h2>^J<a href="./collaborators.html">^JCollaborators</a>^J</h2>^J^J<!--^J&nbsp; &nbsp;<b>Multicast and Multimedia</b>^J<ul>^J<LI><A href="/malloc/">MALLOC</a>^J(Multicast Address Allocation).^J<LI><a href="http://www.cs.columbia.edu/~hgs/sip/">SIP</a>^J(Session Initiation Protocol).^J<li> <a href="yoid"> Yoid</a> (host-based content distribution). ^J</ul>^J-->^J^J</td>^J^J</tr>^J</table>^J</DIV>^J^J<hr>^J<h2>Information for <a href="./abouticir.html">visitors</a> and <a href="/sysdocs/">local users</a>.</h2>^J<hr>^JLast modified: June 2004. <a href="./COPYRIGHTS">Copyright notice</a>.^J<a href="http://web.archive.org/web/*/http://www.aciri.org/">^JOlder versions</a> of this web page, in its ACIRI incarnation..^J<BR>^JFor more information about this server, mail <I>www@aciri.org</I>.  ^J<BR>^JTo report <a href="scanning.html">unusual activity</a> by any of our hosts, mail <I>abuse@aciri.org</I>.^J</BODY>^J")
+Event [xxxxxxxxxx.xxxxxx] http_header([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=0, state=4], start_time=xxxxxxxxxx.xxxxxx, duration=0.183290958404541, service={}, addl="%events-send-1 %events-rcv-1", hot=0, history="ShAD"]T"ACCEPT""*/*")
+Event [xxxxxxxxxx.xxxxxx] http_header([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=0, state=4], start_time=xxxxxxxxxx.xxxxxx, duration=0.183290958404541, service={}, addl="%events-send-1 %events-rcv-1", hot=0, history="ShAD"]T"CONNECTION""Keep-Alive")
+Event [xxxxxxxxxx.xxxxxx] http_header([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=0, state=4], start_time=xxxxxxxxxx.xxxxxx, duration=0.183290958404541, service={}, addl="%events-send-1 %events-rcv-1", hot=0, history="ShAD"]T"HOST""www.icir.org")
+Event [xxxxxxxxxx.xxxxxx] http_header([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=0, state=4], start_time=xxxxxxxxxx.xxxxxx, duration=0.183290958404541, service={}, addl="%events-send-1 %events-rcv-1", hot=0, history="ShAD"]T"USER-AGENT""Wget/1.10")
+Event [xxxxxxxxxx.xxxxxx] http_header([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=1448, state=4], start_time=xxxxxxxxxx.xxxxxx, duration=0.367331027984619, service={}, addl="%events-send-1 %events-rcv-1", hot=0, history="ShADd"]F"ACCEPT-RANGES""bytes")
+Event [xxxxxxxxxx.xxxxxx] http_header([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=1448, state=4], start_time=xxxxxxxxxx.xxxxxx, duration=0.367331027984619, service={}, addl="%events-send-1 %events-rcv-1", hot=0, history="ShADd"]F"CONNECTION""Keep-Alive")
+Event [xxxxxxxxxx.xxxxxx] http_header([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=1448, state=4], start_time=xxxxxxxxxx.xxxxxx, duration=0.367331027984619, service={}, addl="%events-send-1 %events-rcv-1", hot=0, history="ShADd"]F"CONTENT-LENGTH""9130")
+Event [xxxxxxxxxx.xxxxxx] http_header([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=1448, state=4], start_time=xxxxxxxxxx.xxxxxx, duration=0.367331027984619, service={}, addl="%events-send-1 %events-rcv-1", hot=0, history="ShADd"]F"CONTENT-TYPE""text/html")
+Event [xxxxxxxxxx.xxxxxx] http_header([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=1448, state=4], start_time=xxxxxxxxxx.xxxxxx, duration=0.367331027984619, service={}, addl="%events-send-1 %events-rcv-1", hot=0, history="ShADd"]F"DATE""Fri, 07 Oct 2005 23:23:55 GMT")
+Event [xxxxxxxxxx.xxxxxx] http_header([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=1448, state=4], start_time=xxxxxxxxxx.xxxxxx, duration=0.367331027984619, service={}, addl="%events-send-1 %events-rcv-1", hot=0, history="ShADd"]F"ETAG"""2c96c-23aa-4346a0e5"")
+Event [xxxxxxxxxx.xxxxxx] http_header([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=1448, state=4], start_time=xxxxxxxxxx.xxxxxx, duration=0.367331027984619, service={}, addl="%events-send-1 %events-rcv-1", hot=0, history="ShADd"]F"KEEP-ALIVE""timeout=15, max=100")
+Event [xxxxxxxxxx.xxxxxx] http_header([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=1448, state=4], start_time=xxxxxxxxxx.xxxxxx, duration=0.367331027984619, service={}, addl="%events-send-1 %events-rcv-1", hot=0, history="ShADd"]F"LAST-MODIFIED""Fri, 07 Oct 2005 16:23:01 GMT")
+Event [xxxxxxxxxx.xxxxxx] http_header([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=1448, state=4], start_time=xxxxxxxxxx.xxxxxx, duration=0.367331027984619, service={}, addl="%events-send-1 %events-rcv-1", hot=0, history="ShADd"]F"SERVER""Apache/1.3.33 (Unix)")
+Event [xxxxxxxxxx.xxxxxx] http_message_done([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=0, state=4], start_time=xxxxxxxxxx.xxxxxx, duration=0.183290958404541, service={}, addl="%events-send-1 %events-rcv-1", hot=0, history="ShAD"]T[start=xxxxxxxxxx.xxxxxx, interrupted=F, finish_msg="message ends normally", body_length=0, content_gap_length=0, header_length=86])
+Event [xxxxxxxxxx.xxxxxx] http_message_done([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=9417, state=4], start_time=xxxxxxxxxx.xxxxxx, duration=0.73563814163208, service={}, addl="%events-send-1 %events-rcv-1", hot=0, history="ShADd"]F[start=xxxxxxxxxx.xxxxxx, interrupted=F, finish_msg="message ends normally", body_length=9130, content_gap_length=0, header_length=265])
+Event [xxxxxxxxxx.xxxxxx] http_reply([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=1448, state=4], start_time=xxxxxxxxxx.xxxxxx, duration=0.367331027984619, service={}, addl="%events-send-1", hot=0, history="ShADd"]"1.1"200"OK")
+Event [xxxxxxxxxx.xxxxxx] http_request([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=0, state=4], start_time=xxxxxxxxxx.xxxxxx, duration=0.183290958404541, service={}, addl="", hot=0, history="ShAD"]"GET""/""/""1.0")
+Event [xxxxxxxxxx.xxxxxx] net_done(xxxxxxxxxx.xxxxxx)
+Event [xxxxxxxxxx.xxxxxx] new_connection([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=0, state=0], resp=[size=0, state=0], start_time=xxxxxxxxxx.xxxxxx, duration=0.0, service={}, addl="", hot=0, history=""])
+Event [xxxxxxxxxx.xxxxxx] new_connection([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=0, state=1], resp=[size=0, state=0], start_time=xxxxxxxxxx.xxxxxx, duration=0.0, service={}, addl="cc=1", hot=0, history=""])
+Event [xxxxxxxxxx.xxxxxx] protocol_confirmation([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=0, state=4], start_time=xxxxxxxxxx.xxxxxx, duration=0.183290958404541, service={}, addl="", hot=0, history="ShAD"]165)
diff --git a/testing/istate/base/events-rcv/conn.log b/testing/istate/base/events-rcv/conn.log
new file mode 100644
index 0000000000..b38c0a2e70
--- /dev/null
+++ b/testing/istate/base/events-rcv/conn.log
@@ -0,0 +1,2 @@
+xxxxxxxxxx.xxxxxx 0.182433 141.42.64.125 125.190.109.199 other 56729 12345 tcp ? ? REJ X
+xxxxxxxxxx.xxxxxx 1.733303 141.42.64.125 125.190.109.199 http 56730 80 tcp 98 9417 SF X %events-send-1
diff --git a/testing/istate/base/events-rcv/http.log b/testing/istate/base/events-rcv/http.log
new file mode 100644
index 0000000000..db049772d8
--- /dev/null
+++ b/testing/istate/base/events-rcv/http.log
@@ -0,0 +1,18 @@
+xxxxxxxxxx.xxxxxx %events-rcv-1 start 141.42.64.125:56730 > 125.190.109.199:80
+xxxxxxxxxx.xxxxxx %events-rcv-1 > USER-AGENT: Wget/1.10
+xxxxxxxxxx.xxxxxx %events-rcv-1 > ACCEPT: */*
+xxxxxxxxxx.xxxxxx %events-rcv-1 > HOST: www.icir.org
+xxxxxxxxxx.xxxxxx %events-rcv-1 > CONNECTION: Keep-Alive
+xxxxxxxxxx.xxxxxx %events-rcv-1 < DATE: Fri, 07 Oct 2005 23:23:55 GMT
+xxxxxxxxxx.xxxxxx %events-rcv-1 < SERVER: Apache/1.3.33 (Unix)
+xxxxxxxxxx.xxxxxx %events-rcv-1 < LAST-MODIFIED: Fri, 07 Oct 2005 16:23:01 GMT
+xxxxxxxxxx.xxxxxx %events-rcv-1 < ETAG: "2c96c-23aa-4346a0e5"
+xxxxxxxxxx.xxxxxx %events-rcv-1 < ACCEPT-RANGES: bytes
+xxxxxxxxxx.xxxxxx %events-rcv-1 < CONTENT-LENGTH: 9130
+xxxxxxxxxx.xxxxxx %events-rcv-1 < KEEP-ALIVE: timeout=15, max=100
+xxxxxxxxxx.xxxxxx %events-rcv-1 < CONNECTION: Keep-Alive
+xxxxxxxxxx.xxxxxx %events-rcv-1 < CONTENT-TYPE: text/html
+xxxxxxxxxx.xxxxxx %events-rcv-1 <= 4096 bytes: "<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML ..."
+xxxxxxxxxx.xxxxxx %events-rcv-1 <= 4096 bytes: "gn=top>^J^J<h2>^JPublications^J</h2>^J<ul>^J<l..."
+xxxxxxxxxx.xxxxxx %events-rcv-1 <= 938 bytes: "ational Internet Measurement Infrastruct..."
+xxxxxxxxxx.xxxxxx %events-rcv-1 GET / (200 "OK" [9130] www.icir.org)
diff --git a/testing/istate/base/events-rcv/stderr.log b/testing/istate/base/events-rcv/stderr.log
new file mode 100644
index 0000000000..bb611b7eb0
--- /dev/null
+++ b/testing/istate/base/events-rcv/stderr.log
@@ -0,0 +1,3 @@
+xxxxxxxxxx.xxxxxx processing suspended
+xxxxxxxxxx.xxxxxx processing continued
+xxxxxxxxxx.xxxxxx received termination signal
diff --git a/testing/istate/base/events-rcv/stdout.log b/testing/istate/base/events-rcv/stdout.log
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/testing/istate/base/events-send/conn.log b/testing/istate/base/events-send/conn.log
new file mode 100644
index 0000000000..3ac12d6d4b
--- /dev/null
+++ b/testing/istate/base/events-send/conn.log
@@ -0,0 +1,3 @@
+xxxxxxxxxx.xxxxxx 0.182433 141.42.64.125 125.190.109.199 other 56729 12345 tcp ? ? REJ X
+xxxxxxxxxx.xxxxxx 1.733303 141.42.64.125 125.190.109.199 http 56730 80 tcp 98 9417 SF X %events-send-1
+xxxxxxxxxx.xxxxxx ? 141.42.64.125 125.190.109.199 http 56730 80 tcp ? ? OTH X
diff --git a/testing/istate/base/events-send/http.log b/testing/istate/base/events-send/http.log
new file mode 100644
index 0000000000..2ffab6810e
--- /dev/null
+++ b/testing/istate/base/events-send/http.log
@@ -0,0 +1,18 @@
+xxxxxxxxxx.xxxxxx %events-send-1 start 141.42.64.125:56730 > 125.190.109.199:80
+xxxxxxxxxx.xxxxxx %events-send-1 > USER-AGENT: Wget/1.10
+xxxxxxxxxx.xxxxxx %events-send-1 > ACCEPT: */*
+xxxxxxxxxx.xxxxxx %events-send-1 > HOST: www.icir.org
+xxxxxxxxxx.xxxxxx %events-send-1 > CONNECTION: Keep-Alive
+xxxxxxxxxx.xxxxxx %events-send-1 < DATE: Fri, 07 Oct 2005 23:23:55 GMT
+xxxxxxxxxx.xxxxxx %events-send-1 < SERVER: Apache/1.3.33 (Unix)
+xxxxxxxxxx.xxxxxx %events-send-1 < LAST-MODIFIED: Fri, 07 Oct 2005 16:23:01 GMT
+xxxxxxxxxx.xxxxxx %events-send-1 < ETAG: "2c96c-23aa-4346a0e5"
+xxxxxxxxxx.xxxxxx %events-send-1 < ACCEPT-RANGES: bytes
+xxxxxxxxxx.xxxxxx %events-send-1 < CONTENT-LENGTH: 9130
+xxxxxxxxxx.xxxxxx %events-send-1 < KEEP-ALIVE: timeout=15, max=100
+xxxxxxxxxx.xxxxxx %events-send-1 < CONNECTION: Keep-Alive
+xxxxxxxxxx.xxxxxx %events-send-1 < CONTENT-TYPE: text/html
+xxxxxxxxxx.xxxxxx %events-send-1 <= 4096 bytes: "<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML ..."
+xxxxxxxxxx.xxxxxx %events-send-1 <= 4096 bytes: "gn=top>^J^J<h2>^JPublications^J</h2>^J<ul>^J<l..."
+xxxxxxxxxx.xxxxxx %events-send-1 <= 938 bytes: "ational Internet Measurement Infrastruct..."
+xxxxxxxxxx.xxxxxx %events-send-1 GET / (200 "OK" [9130] www.icir.org)
diff --git a/testing/istate/base/events-send/stderr.log b/testing/istate/base/events-send/stderr.log
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/testing/istate/base/events-send/stdout.log b/testing/istate/base/events-send/stdout.log
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/testing/istate/base/persistence-read/stderr.log b/testing/istate/base/persistence-read/stderr.log
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/testing/istate/base/persistence-read/stdout.log b/testing/istate/base/persistence-read/stdout.log
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/testing/istate/base/persistence-read/vars.log b/testing/istate/base/persistence-read/vars.log
new file mode 100644
index 0000000000..9a7d2c771e
--- /dev/null
+++ b/testing/istate/base/persistence-read/vars.log
@@ -0,0 +1,33 @@
+42
+-42
+Hallihallo
+1.2.3.4
+1.2.0.0/16
+3.14
+131.159
+42.0 secs
+{
+[1] = qwerty,
+[2] = uiop
+}
+file "test" of string
+/^?(12345)$?/
+{
+3,
+5,
+4,
+1,
+2
+}
+{
+[3, GHI] = 103,
+[2, DEF] = 102,
+[1, ABC] = 101
+}
+{
+[12345] = /^?(12345)$?/,
+[12346] = /^?(12345)$?/
+}
+42/udp
+[1, 2, 3]
+[a=yuyuyu, b=[a=rec1, b=100, c=1.24], c=[a=rec2, b=200, c=2.24], d=7.77]
diff --git a/testing/istate/base/persistence-write/stderr.log b/testing/istate/base/persistence-write/stderr.log
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/testing/istate/base/persistence-write/stdout.log b/testing/istate/base/persistence-write/stdout.log
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/testing/istate/base/persistence-write/vars.log b/testing/istate/base/persistence-write/vars.log
new file mode 100644
index 0000000000..9a7d2c771e
--- /dev/null
+++ b/testing/istate/base/persistence-write/vars.log
@@ -0,0 +1,33 @@
+42
+-42
+Hallihallo
+1.2.3.4
+1.2.0.0/16
+3.14
+131.159
+42.0 secs
+{
+[1] = qwerty,
+[2] = uiop
+}
+file "test" of string
+/^?(12345)$?/
+{
+3,
+5,
+4,
+1,
+2
+}
+{
+[3, GHI] = 103,
+[2, DEF] = 102,
+[1, ABC] = 101
+}
+{
+[12345] = /^?(12345)$?/,
+[12346] = /^?(12345)$?/
+}
+42/udp
+[1, 2, 3]
+[a=yuyuyu, b=[a=rec1, b=100, c=1.24], c=[a=rec2, b=200, c=2.24], d=7.77]
diff --git a/testing/istate/base/python-bro/stdout.log b/testing/istate/base/python-bro/stdout.log
new file mode 100644
index 0000000000..bdfea5e4d7
--- /dev/null
+++ b/testing/istate/base/python-bro/stdout.log
@@ -0,0 +1,14 @@
+==== atomic
+-10
+2
+xxxxxxxxxx.xxxxxx
+2.0 mins
+F
+1.5
+Servus
+5555/tcp
+6.7.6.5
+0.0
+192.168.0.0/16
+==== record
+42, 6.6.7.7
diff --git a/testing/istate/base/python-script/stdout.log b/testing/istate/base/python-script/stdout.log
new file mode 100644
index 0000000000..5af3e6a47e
--- /dev/null
+++ b/testing/istate/base/python-script/stdout.log
@@ -0,0 +1,44 @@
+==== atomic a 1 ====
+-4 -4
+42 42
+xxxxxxxxxx.xxxxxx xxxxxxxxxx.xxxxxx
+60.0 60.0
+True True
+3.1400000000000001 3.14
+'Hurz' Hurz
+'12345/udp' 12345/udp
+'1.2.3.4' 1.2.3.4
+'X.X.X' X.X.X
+'X.X.X' 22.33.44.0/24
+==== atomic a 2 ====
+-10 -10
+2 2
+xxxxxxxxxx.xxxxxx xxxxxxxxxx.xxxxxx
+120.0 120.0
+False False
+1.5 1.5
+'Servus' Servus
+'5555/tcp' 5555/tcp
+'6.7.6.5' 6.7.6.5
+'X.X.X' X.X.X
+'X.X.X' 192.168.0.0/16
+==== atomic b 2 ====
+-10 -10
+<broccoli.count instance at > 2
+<broccoli.time instance at > xxxxxxxxxx.xxxxxx
+<broccoli.interval instance at > 120.0
+False False
+1.5 1.5
+'Servus' Servus
+<broccoli.port instance at > 5555/tcp
+<broccoli.addr instance at > 6.7.6.5
+<broccoli.net instance at > X.X.X
+<broccoli.net instance at > 192.168.0.0/16
+==== record 1 ====
+<broccoli.record instance at >
+42 42
+'6.6.7.7' 6.6.7.7
+==== record 2 ====
+<broccoli.record instance at >
+99 99
+'3.4.5.1' 3.4.5.1
diff --git a/testing/istate/base/sync-rcv/remote.log b/testing/istate/base/sync-rcv/remote.log
new file mode 100644
index 0000000000..4feea4ccc3
--- /dev/null
+++ b/testing/istate/base/sync-rcv/remote.log
@@ -0,0 +1,21 @@
+xxxxxxxxxx.xxxxxx [info]  [parent] pipe's socket buffer size is 8192, setting to 1048576
+xxxxxxxxxx.xxxxxx [info]  [parent] communication started, parent 
+xxxxxxxxxx.xxxxxx [info]  [parent] [#1/127.0.0.1:47757] added peer
+xxxxxxxxxx.xxxxxx [info]  [child]  [#1/127.0.0.1:47757] connected
+xxxxxxxxxx.xxxxxx [info]  [parent] [#1/127.0.0.1:47757] peer connected
+xxxxxxxxxx.xxxxxx [info]  [parent] [#1/127.0.0.1:47757] phase: version
+xxxxxxxxxx.xxxxxx [info]  [script] [#1/127.0.0.1:47757] connection established
+xxxxxxxxxx.xxxxxx [info]  [script] [#1/127.0.0.1:47757] requesting events matching /^?(.*)$?/
+xxxxxxxxxx.xxxxxx [info]  [script] [#1/127.0.0.1:47757] accepting state
+xxxxxxxxxx.xxxxxx [info]  [script] [#1/127.0.0.1:47757] requesting synchronized state
+xxxxxxxxxx.xxxxxx [info]  [parent] [#1/127.0.0.1:47757] phase: handshake
+xxxxxxxxxx.xxxxxx [info]  [parent] [#1/127.0.0.1:47757] peer_description is not set
+xxxxxxxxxx.xxxxxx [info]  [parent] [#1/127.0.0.1:47757] peer supports keep-in-cache; using that
+xxxxxxxxxx.xxxxxx [info]  [parent] [#1/127.0.0.1:47757] phase: sync (sender)
+xxxxxxxxxx.xxxxxx [info]  [parent] [#1/127.0.0.1:47757] starting to send full state
+xxxxxxxxxx.xxxxxx [info]  [parent] [#1/127.0.0.1:47757] done sending full state
+xxxxxxxxxx.xxxxxx [info]  [parent] [#1/127.0.0.1:47757] phase: running
+xxxxxxxxxx.xxxxxx [info]  [script] [#1/127.0.0.1:47757] connection closed
+xxxxxxxxxx.xxxxxx [info]  [parent] [#1/127.0.0.1:47757] peer disconnected
+xxxxxxxxxx.xxxxxx [info]  [child]  [#1/127.0.0.1:47757] connection closed
+xxxxxxxxxx.xxxxxx [info]  [parent] [#1/127.0.0.1:47757] closing connection
diff --git a/testing/istate/base/sync-rcv/stderr.log b/testing/istate/base/sync-rcv/stderr.log
new file mode 100644
index 0000000000..788f8009fe
--- /dev/null
+++ b/testing/istate/base/sync-rcv/stderr.log
@@ -0,0 +1 @@
+xxxxxxxxxx.xxxxxx received termination signal
diff --git a/testing/istate/base/sync-rcv/stdout.log b/testing/istate/base/sync-rcv/stdout.log
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/testing/istate/base/sync-rcv/vars.log b/testing/istate/base/sync-rcv/vars.log
new file mode 100644
index 0000000000..428ac7929d
--- /dev/null
+++ b/testing/istate/base/sync-rcv/vars.log
@@ -0,0 +1,34 @@
+421
+1234567
+Jodel
+4.3.2.1
+4.0.0.0/8
+21.0
+192.150.186
+42.0 secs
+{
+[3] = asdfg1,
+[1] = asdfg2
+}
+file "test2" of string
+/^?(abbcdefgh)$?/
+{
+3,
+5,
+6,
+4,
+2
+}
+{
+[3, GHI] = 103,
+[4, JKL] = 104,
+[2, DEF] = 103
+}
+{
+[12345] = /^?(12345)$?/,
+[6767] = /^?(QWERTZ)$?/,
+[12346] = /^?(12345)$?/
+}
+6667/tcp
+[2, 20, 3, 4]
+[a=zxzxzx, b=[a=pop, b=43, c=9.999], c=[a=IOIOI, b=201, c=612.2], d=6.6666]
diff --git a/testing/istate/base/sync-send/stderr.log b/testing/istate/base/sync-send/stderr.log
new file mode 100644
index 0000000000..4f2df4e549
--- /dev/null
+++ b/testing/istate/base/sync-send/stderr.log
@@ -0,0 +1,2 @@
+xxxxxxxxxx.xxxxxx processing suspended
+xxxxxxxxxx.xxxxxx processing continued
diff --git a/testing/istate/base/sync-send/stdout.log b/testing/istate/base/sync-send/stdout.log
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/testing/istate/base/sync-send/vars.log b/testing/istate/base/sync-send/vars.log
new file mode 100644
index 0000000000..428ac7929d
--- /dev/null
+++ b/testing/istate/base/sync-send/vars.log
@@ -0,0 +1,34 @@
+421
+1234567
+Jodel
+4.3.2.1
+4.0.0.0/8
+21.0
+192.150.186
+42.0 secs
+{
+[3] = asdfg1,
+[1] = asdfg2
+}
+file "test2" of string
+/^?(abbcdefgh)$?/
+{
+3,
+5,
+6,
+4,
+2
+}
+{
+[3, GHI] = 103,
+[4, JKL] = 104,
+[2, DEF] = 103
+}
+{
+[12345] = /^?(12345)$?/,
+[6767] = /^?(QWERTZ)$?/,
+[12346] = /^?(12345)$?/
+}
+6667/tcp
+[2, 20, 3, 4]
+[a=zxzxzx, b=[a=pop, b=43, c=9.999], c=[a=IOIOI, b=201, c=612.2], d=6.6666]
diff --git a/testing/istate/istate.py b/testing/istate/istate.py
new file mode 100755
index 0000000000..8c7b28fe4a
--- /dev/null
+++ b/testing/istate/istate.py
@@ -0,0 +1,174 @@
+#! /usr/bin/env python
+# 
+# Tests persistence.
+#
+# $Id: istate.py,v 1.1.2.4 2005/10/11 22:31:42 sommer Exp $
+
+import time
+import os
+import os.path
+import optparse
+import sys
+import subprocess
+
+import tests
+
+optparser = optparse.OptionParser( usage = "%prog [options]", version = "0.1" )
+optparser.add_option( "-s", "--show-diff", action = "store_true", dest = "showdiff", 
+                    default = False, help = "show diffs of mismatches" )
+optparser.add_option( "-b", "--new-base", action = "store_true", dest = "newbase", 
+                    default = False, help = "create new baseline" )
+optparser.add_option( "-d", "--debug", action = "store_true", dest = "debug", 
+                    default = False, help = "enable debug output" )
+optparser.add_option( "-t", "--set", action = "store", type = "string", dest = "set", 
+                    default = None, help = "only do given test set" )
+
+                    
+( tests.Options, args ) = optparser.parse_args()
+
+if len(args) != 0:
+    optparser.error( "Wrong number of arguments" )
+
+##########################################    
+# Write persistent data and read it back.
+##########################################
+
+if tests.testSet("persistence"):
+
+    tests.spawnBro("persistence-write", 
+               ["-r", os.path.join(tests.Traces, "empty.trace"), 
+                os.path.join(tests.Scripts, "vars-init.bro"),
+                os.path.join(tests.Scripts, "vars-print.bro")])
+    tests.waitProc("persistence-write")
+    tests.finishTest("persistence-write", ["stdout.log", "stderr.log", "vars.log"])
+
+    tests.spawnBro("persistence-read", 
+               [os.path.join(tests.Scripts, "vars-declare.bro"),
+                os.path.join(tests.Scripts, "vars-print.bro")], 
+                copy=[os.path.join(tests.workDir("persistence-write"), ".state")])
+    tests.waitProc("persistence-read")
+    tests.finishTest("persistence-read", ["stdout.log", "stderr.log", "vars.log"])
+
+    tests.compareFiles("persistence-write", "persistence-read", ["vars.log"])
+
+##########################################    
+# Exchange events (clear-text).
+#
+# The used trace contains two connections separated by a silence of a 
+# couple of seconds. We start the processes so that the events for the 
+# *second* one (which is a full HTTP connection) are exchanged.
+##########################################    
+
+if tests.testSet("events"):
+
+    tests.spawnBro("events-send", 
+               ["-r", os.path.join(tests.Scripts, os.path.join(tests.Traces, "web.trace")), 
+                "--pseudo-realtime", 
+                "-C",
+               os.path.join(tests.Scripts, "events-send.bro")])
+    time.sleep(2)
+    tests.spawnBro("events-rcv", 
+               [os.path.join(tests.Scripts, "events-rcv.bro")])
+    tests.waitProc("events-send")
+    tests.killProc("events-rcv")
+    tests.finishTest("events-send", ["stdout.log", "stderr.log", "http.log", "conn.log"], ignoreTime=True)
+    tests.finishTest("events-rcv", ["stdout.log", "stderr.log", "http.log", "conn.log"], ignoreTime=True)
+
+    tests.spawnBro("events-display", 
+               ["-x", os.path.join(tests.workDir("events-rcv"), "events.bst")])
+    tests.waitProc("events-display")
+    tests.finishTest("events-display", ["stdout.log"], ignoreTime=True, sort=True, delete=['127.0.0.1:[0-9]*',"Event.*remote_.*"])
+
+    tests.compareFiles("events-send", "events-rcv", ["http.log"], ignoreTime=True, ignoreSessionID=True)
+
+##########################################    
+# Exchange synchronized state
+##########################################    
+
+if tests.testSet("sync"):
+
+    tests.spawnBro("sync-send", 
+               [os.path.join(tests.Scripts, "vars-sync-send.bro")])
+    tests.spawnBro("sync-rcv", 
+               [os.path.join(tests.Scripts, "vars-sync-rcv.bro")])
+    tests.waitProc("sync-send")
+    time.sleep(1)
+    tests.killProc("sync-rcv")
+    tests.finishTest("sync-send", ["stdout.log", "stderr.log", "vars.log"], ignoreTime=True)
+    tests.finishTest("sync-rcv", ["stdout.log", "stderr.log", "vars.log", "remote.log"], ignoreTime=True, delete=["pid.*pid.*", "temporarily unavailable \\[..\\]"])
+
+    tests.compareFiles("sync-send", "sync-rcv", ["vars.log"], ignoreTime=True)
+
+# Old version    
+#    tests.spawnBro("sync-send", 
+#               ["-r", os.path.join(tests.Scripts, os.path.join(tests.Traces, "web.trace")), 
+#       	        "--pseudo-realtime", 
+#                "-C",
+#               os.path.join(tests.Scripts, "vars-sync-send.bro")])
+
+##########################################
+# Test Broccoli with bro-ping
+##########################################
+
+
+if tests.testSet("broccoli"):
+
+    broctest = os.path.join(tests.Bro, "aux/broccoli/test")    
+    broclib = os.path.join(tests.Bro, "aux/broccoli/src/.libs")
+    broping = os.path.join(broctest, "broping")
+
+    brocpy = os.path.join(tests.Bro, "aux/broccoli/bindings/python")    
+
+    broccoli = True
+    
+    # Test if Broccoli was compiled.
+    if not os.path.exists(broping):
+        print "    Broccoli was not compiled, skipping tests."
+        broccoli = False
+        
+    # Test if this is a IPv6 Bro. 
+    if broccoli:
+        v6 = subprocess.call(["grep", "-q", "#define BROv6", os.path.join(tests.Bro, "config.h")])
+        if v6 == 0:
+            print "    Bro built with IPv6 support not compatible with Broccoli, skipping tests."
+            broccoli = False
+
+    if broccoli:
+        tests.spawnBro("bro-ping", [os.path.join(broctest, "broping-record.bro")])
+        time.sleep(1)
+        tests.spawnProc("broccoli-ping", 
+                        [broping, 
+                        "-r", 
+                        "-c", "5", 
+                        "127.0.0.1"])
+        tests.waitProc("broccoli-ping")
+        tests.killProc("bro-ping")
+    
+        tests.finishTest("bro-ping", ["stdout.log", "stderr.log", "remote.log"], 
+                         ignoreTime=True, delete=["127.0.0.1:[0-9]*", "pid.*pid.*", 
+                         ".*Resource temporarily unavailable.*", ".*connection closed.*", 
+                         ".*peer disconnected.*"])
+        tests.finishTest("broccoli-ping", ["stdout.log", "stderr.log"],
+                         delete=["time=.* s$"])
+                         
+        # Test if Python binding are installed.
+        sopath = subprocess.Popen(["find", brocpy, "-name", "_broccoli_intern.so"], stdout=subprocess.PIPE).communicate()[0]
+        if sopath != "":
+
+            os.environ["LD_LIBRARY_PATH"] = broclib
+            os.environ["DYLD_LIBRARY_PATH"] = broclib
+            os.environ["PYTHONPATH"] = os.path.dirname(sopath)
+            
+            tests.spawnBro("python-bro", [os.path.join(brocpy, "tests/test.bro")])
+            time.sleep(1)
+            tests.spawnProc("python-script", [os.path.join(brocpy, "tests/test.py")])
+            tests.waitProc("python-script")
+            tests.killProc("python-bro")
+            tests.finishTest("python-bro", ["stdout.log"], ignoreTime=True)
+            tests.finishTest("python-script", ["stdout.log"], ignoreTime=True, delete=["0x[^>]*", ".[0-9]{2}"])
+        else:
+            print "    Python bindings not built, skipping test."
+            print "       (To build: cd %s && python setup.py build)" % brocpy
+                         
+
+    
diff --git a/testing/istate/rndseed.dat b/testing/istate/rndseed.dat
new file mode 100644
index 0000000000..3bc70c899b
--- /dev/null
+++ b/testing/istate/rndseed.dat
@@ -0,0 +1,17 @@
+1971283154
+1128552575
+26676
+875311974
+790730425
+1553617948
+3593004090
+2070230499
+1420669195
+754343139
+2906181924
+542878596
+2459738795
+924396623
+743111462
+3363354015
+198575356
diff --git a/testing/istate/scripts/events-rcv.bro b/testing/istate/scripts/events-rcv.bro
new file mode 100644
index 0000000000..a345e3fa49
--- /dev/null
+++ b/testing/istate/scripts/events-rcv.bro
@@ -0,0 +1,18 @@
+# $Id: events-rcv.bro,v 1.1.2.1 2005/10/07 01:59:12 sommer Exp $
+
+@load tcp
+@load http-request
+@load http-reply
+@load http-header
+@load http-body
+@load http-abstract
+	
+@load capture-events	
+@load remote
+	
+redef peer_description = "events-rcv";
+	
+redef Remote::destinations += {
+    ["foo"] = [$host = 127.0.0.1, $events = /.*/, $connect=T]
+};
+
diff --git a/testing/istate/scripts/events-send.bro b/testing/istate/scripts/events-send.bro
new file mode 100644
index 0000000000..00975fd723
--- /dev/null
+++ b/testing/istate/scripts/events-send.bro
@@ -0,0 +1,21 @@
+# $Id: events-send.bro,v 1.1.2.1 2005/10/07 01:59:12 sommer Exp $
+
+@load tcp
+@load http-request
+@load http-reply
+@load http-header
+@load http-body
+@load http-abstract
+@load listen-clear
+	
+@load capture-events	
+	
+redef peer_description = "events-send";
+
+# Make sure the HTTP connection really gets out.
+# (We still miss one final connection event because we shutdown before
+# it gets propagated but that's ok.)
+redef tcp_close_delay = 0secs;
+
+	
+	
diff --git a/testing/istate/scripts/vars-declare.bro b/testing/istate/scripts/vars-declare.bro
new file mode 100644
index 0000000000..871e518109
--- /dev/null
+++ b/testing/istate/scripts/vars-declare.bro
@@ -0,0 +1,36 @@
+# $Id: vars-declare.bro,v 1.1.2.2 2005/10/11 21:15:05 sommer Exp $
+#
+# Declares variables.
+
+global foo1: count &persistent &synchronized;
+global foo2: int &persistent &synchronized;
+global foo3: string &persistent &synchronized; 
+global foo4: addr &persistent &synchronized; 
+global foo5: subnet &persistent &synchronized; 
+global foo6: double &persistent &synchronized; 
+global foo7: net &persistent &synchronized; 
+global foo8: interval &persistent &synchronized; 
+global foo9: table[count] of string &persistent &synchronized;
+global foo10: file &persistent &synchronized; 
+global foo11: pattern &persistent &synchronized; 
+global foo12: set[count] &persistent &synchronized; 
+global foo13: table[count, string] of count &persistent &synchronized;
+global foo14: table[count] of pattern &persistent &synchronized;
+global foo15: port &persistent &synchronized;
+global foo16: vector of count &persistent &synchronized;
+
+type type1: record {
+    a: string;
+    b: count &default=42;
+    c: double &optional;
+    };
+
+type type2: record {
+    a: string;
+    b: type1;
+    c: type1;
+    d: double;
+    };
+
+global foo17: type2  &persistent &synchronized;
+
diff --git a/testing/istate/scripts/vars-init.bro b/testing/istate/scripts/vars-init.bro
new file mode 100644
index 0000000000..79b1345f31
--- /dev/null
+++ b/testing/istate/scripts/vars-init.bro
@@ -0,0 +1,42 @@
+# $Id: vars-init.bro,v 1.1.2.2 2005/10/11 21:15:05 sommer Exp $
+# 
+# Instantiates variables.
+
+global foo1 = 42 &persistent &synchronized;
+global foo2 = -42 &persistent &synchronized;
+global foo3 = "Hallihallo" &persistent &synchronized; 
+global foo4 = 1.2.3.4 &persistent &synchronized; 
+global foo5 = 1.2.0.0/16 &persistent &synchronized; 
+global foo6 = 3.14 &persistent &synchronized; 
+global foo7 = 131.159. &persistent &synchronized; 
+global foo8 = 42 secs &persistent &synchronized; 
+global foo9 = { [1] = "qwerty", [2] = "uiop" } &persistent &synchronized;
+global foo10 = open("test") &persistent &synchronized; 
+global foo11 = /12345/ &persistent &synchronized; 
+global foo12 = { 1,2,3,4,5 } &persistent &synchronized; 
+global foo13  =  { [1,"ABC"] = 101, [2,"DEF"] = 102, [3,"GHI"] = 103 } &persistent &synchronized;
+global foo14  =  { [12345] = foo11, [12346] = foo11 } &persistent &synchronized;
+global foo15 = 42/udp &persistent &synchronized;
+global foo16: vector of count = [1,2,3] &persistent &synchronized;
+ 
+type type1: record {
+    a: string;
+    b: count &default=42;
+    c: double &optional;
+    };
+
+type type2: record {
+    a: string;
+    b: type1;
+    c: type1;
+    d: double;
+    };
+
+global foo17: type2 = [
+	$a = "yuyuyu",
+    $b = [$a="rec1", $b=100, $c=1.24],
+    $c = [$a="rec2", $b=200, $c=2.24],
+   	$d = 7.77				   
+	] &persistent &synchronized;
+
+
diff --git a/testing/istate/scripts/vars-modify.bro b/testing/istate/scripts/vars-modify.bro
new file mode 100644
index 0000000000..51f723f90d
--- /dev/null
+++ b/testing/istate/scripts/vars-modify.bro
@@ -0,0 +1,61 @@
+# $Id: vars-modify.bro,v 1.1.2.2 2005/10/11 21:15:05 sommer Exp $
+#
+# Performs modifications on variables.
+
+function modify()
+	{
+	foo1 = 420;
+	++foo1;
+	
+	--foo2;
+	
+	foo3 = "Jodel";
+	
+	foo4 = 4.3.2.1; 
+	
+	foo5 = 4.0.0.0/8; 
+	
+	foo6 = 21;
+	
+	foo7 = 192.150.186; 
+	
+	foo9[3] = "asdfg1";
+	foo9[1] = "asdfg2";
+	delete foo9[2];
+	
+	foo10 = open("test2");
+	
+	foo11 = /abbcdefgh/;
+	
+	add foo12[6];
+	delete foo12[1];
+	
+	foo13[4,"JKL"] = 104;
+	delete foo13[1,"ABC"];
+	++foo13[2,"DEF"];
+	
+	foo14[6767] = /QWERTZ/;
+	
+	foo15 = 6667/tcp;
+	
+	foo16[4] = 4;
+	foo16[2] = 20;
+	++foo16[1];
+	
+	local x: type1;
+	x$a = "pop";
+	++x$b;
+	x$c = 9.999;
+	foo17$a = "zxzxzx";
+	foo17$b = x;
+	foo17$c$a = "IOIOI";
+	++foo17$c$b;
+	foo17$c$c = 612.2;
+	foo17$d = 6.6666;
+	
+	foo2 = 1234567;
+	}
+
+
+
+
diff --git a/testing/istate/scripts/vars-print.bro b/testing/istate/scripts/vars-print.bro
new file mode 100644
index 0000000000..26d846c9cc
--- /dev/null
+++ b/testing/istate/scripts/vars-print.bro
@@ -0,0 +1,29 @@
+# $Id: vars-print.bro,v 1.1.2.2 2005/10/11 21:15:05 sommer Exp $
+#
+# Print variables.
+
+event bro_done()
+	{
+	local out = open("vars.log");
+	print out, foo1;
+	print out, foo2;
+	print out, foo3;
+	print out, foo4;
+	print out, foo5;
+	print out, foo6;
+	print out, foo7;
+	print out, foo8;
+	print out, foo9;
+	print out, foo10;
+	print out, foo11;
+	print out, foo12;
+	print out, foo13;
+	print out, foo14;
+	print out, foo15;
+	print out, foo16;
+	print out, foo17;
+	}
+
+	
+	
+	
diff --git a/testing/istate/scripts/vars-sync-rcv.bro b/testing/istate/scripts/vars-sync-rcv.bro
new file mode 100644
index 0000000000..145afd6ff6
--- /dev/null
+++ b/testing/istate/scripts/vars-sync-rcv.bro
@@ -0,0 +1,13 @@
+# $Id: vars-sync-rcv.bro,v 1.1.2.1 2005/10/11 21:15:05 sommer Exp $
+
+@load vars-init
+@load vars-print
+
+@load capture-events	
+@load remote
+
+	
+redef Remote::destinations += {
+    ["foo"] = [$host = 127.0.0.1, $events = /.*/, $connect=T, $sync=T]
+};
+
diff --git a/testing/istate/scripts/vars-sync-send.bro b/testing/istate/scripts/vars-sync-send.bro
new file mode 100644
index 0000000000..655c8a36ea
--- /dev/null
+++ b/testing/istate/scripts/vars-sync-send.bro
@@ -0,0 +1,20 @@
+# $Id: vars-sync-send.bro,v 1.1.2.1 2005/10/11 21:15:05 sommer Exp $
+#
+
+@load vars-init
+@load vars-print
+@load vars-modify
+
+@load listen-clear
+
+event remote_connection_handshake_done(p: event_peer)
+	{
+	modify();
+	terminate_communication();
+	}
+			 
+redef Remote::destinations += {
+    ["foo"] = [$host = 127.0.0.1, $sync=T]
+};
+
+	
diff --git a/testing/istate/tests.py b/testing/istate/tests.py
new file mode 100644
index 0000000000..a8bbb5172a
--- /dev/null
+++ b/testing/istate/tests.py
@@ -0,0 +1,297 @@
+# $Id: tests.py,v 1.1.2.5 2005/10/11 22:31:42 sommer Exp $
+#
+# Various helper functions.
+
+import sys
+import os
+import copy
+import errno
+import signal
+import subprocess
+
+# Path to our files.
+Testing = os.path.abspath(".")
+
+# Path to top-level Bro directory.
+if os.path.exists("../../src/bro"):
+    Bro = os.path.abspath("../..")
+else:
+    Bro = os.path.abspath("../../bro")
+    
+# Path where tmp files are created.
+Tmp = os.path.join(Testing, "tmp")
+
+# Path to seed file.
+BroSeed = os.path.join(Testing, "rndseed.dat")
+
+# Path to our test scripts.
+Scripts = os.path.join(Testing, "scripts")
+
+# Path to our test traces.
+Traces = os.path.join(Testing, "traces")
+
+# Where the base files to compare against are stored.
+Base = os.path.join(os.getcwd(), "./base")
+ 
+# Process ID of all processes we've spawned, indexed by textual tag *and* pid.
+Running = {}
+
+# Set to true when at least one check failed.
+Failed = False
+
+# getopt options
+Options = None
+
+def error(str):
+    print >>sys.stderr, "Error:", str
+    sys.exit(1)
+
+def debug(str):    
+    if Options.debug:
+        print >>sys.stderr, "Debug:", str
+
+def log(str):    
+    print >>sys.stderr, str
+
+# Returns full path of given process' working directory.
+def workDir(tag):     
+    return os.path.join(Tmp, tag)
+
+# Intializes work dir for given process.
+def initWorkDir(tag):
+    
+    try:
+        os.mkdir(Tmp)
+    except OSError, e:
+        if e.errno != errno.EEXIST:
+            raise
+        
+    os.system("rm -rf " + workDir(tag))
+    os.mkdir(workDir(tag))
+
+# Spawns process identified by the given tag. Enters process into RunningBro.
+def spawnProc(tag, cmdline, copy=[]):    
+    initWorkDir(tag)
+    os.chdir(workDir(tag))
+
+    for i in copy:
+        debug("Copying %s into workdir of %s" % (i, tag))
+        os.system("cp -r %s %s" % (i, workDir(tag)))
+    
+    debug("Spawning '%s' as %s" % (" ".join(cmdline), tag))
+    
+    saved_stdin = os.dup(0)
+    saved_stdout = os.dup(1)
+    saved_stderr = os.dup(2)
+    child_stdin = open("/dev/null", "r")
+    child_stdout = open("stdout.log", "w")
+    child_stderr = open("stderr.log", "w")
+    os.dup2(child_stdin.fileno(), 0)
+    os.dup2(child_stdout.fileno(), 1)
+    os.dup2(child_stderr.fileno(), 2)
+    pid = os.spawnvp(os.P_NOWAIT, cmdline[0], cmdline)
+    os.dup2(saved_stdin, 0)
+    os.dup2(saved_stdout, 1)
+    os.dup2(saved_stderr, 2)
+    
+    Running[tag] = pid
+    Running[pid] = tag
+
+# Spaws a Bro process.    
+def spawnBro(tag, args, copy=[]):
+    os.putenv("BROPATH", os.path.join(Bro, "policy") + ":" + Scripts)
+    os.unsetenv("BRO_LOG_SUFFIX")
+    args += ["--load-seeds", BroSeed, "-B", "state,comm"]
+    spawnProc(tag, [os.path.join(Bro, "src/bro")] + args, copy=copy)
+    
+# Examines a process' exit code.    
+def parseExitCode(tag, result):    
+    if os.WCOREDUMP(result):
+        error("process %s core dumped." % tag)
+
+    if os.WIFSIGNALED(result):
+        error("process %s got signal %d." % (tag, os.WTERMSIG(result)))
+        
+    if not os.WIFEXITED(result):
+        error("process %s exited abnormally (%d)." % (tag, result))
+
+    result = os.WEXITSTATUS(result)
+    debug("process %s exited with %d" % (tag, result)) 
+        
+    return result
+
+# Waits for process to finish.
+def waitProc(tag):
+    (pid, result) = os.waitpid(Running[tag], 0)
+    result = parseExitCode(tag, result)
+    if result != 0:
+	error("Execution of %s failed." % tag)
+	
+    del Running[pid]
+    del Running[tag]
+
+# Waits for all of our processes to terminte.
+def waitProcs():
+    while Running:
+        (pid, result) = os.waitpid(0, 0)
+        parseExitCode(Running[pid], result)
+        del Running[Running[pid]]
+        del Running[pid]
+
+# Kills the process and waits for its termination.
+def killProc(tag):
+    pid = Running[tag]
+    debug("Killing %s..." % tag)
+    os.kill(pid, signal.SIGTERM)
+    (pid, result) = os.waitpid(pid, 0)
+    parseExitCode(tag, result)
+    del Running[pid]
+    del Running[tag]
+	
+# Cleans up temporary stuff
+def cleanup():
+    os.system("rm -rf " + Tmp)
+
+# Canonicalizes file content for diffing.
+def canonicalizeFile(file, ignoreTime, ignoreSessionID, sort, delete):
+    
+    cmd = []
+    
+    if delete:
+        for i in delete:
+            cmd += ["sed 's/%s//g' | grep -v '^$'" % i]
+        
+    if ignoreTime:
+        cmd += ["sed 's/[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]\.[0-9][0-9]\{0,6\}/xxxxxxxxxx.xxxxxx/g'"]
+
+    if ignoreSessionID:
+        # A session is either "%1" or "%my-peer-description-1"
+        cmd += ["sed 's/%\([^ ]*-\)\{0,1\}[0-9][0-9]*/%XXX/g'"]
+        
+    if sort:
+        cmd += ["LC_ALL=c sort"]
+        
+    if not cmd:
+        return
+        
+    tmp = file + ".tmp"
+    cmd = "cat %s | %s >%s" % (file, " | ".join(cmd), tmp) 
+
+    debug("Canonicalizing '%s'" % cmd)
+    os.system(cmd)
+    os.system("mv %s %s" % (tmp, file))
+
+# Diffs the two files, If mismatch, prints "FAILED" and returns true.    
+def diff(file1, file2):
+    
+    quiet = ">/dev/null"
+    if Options.showdiff:
+        quiet = ""
+
+    for f in (file1, file2):
+        if not os.path.exists(f):
+            print "FAILED (%s does not exist)" % f
+            return False
+        
+    diff = "diff -u %s %s %s" % (file1, file2, quiet)
+        
+    debug("Executing '%s'" % diff)
+    result = os.system(diff)
+        
+    if os.WEXITSTATUS(result) != 0:
+        print "FAILED"
+        return False
+    
+    return True
+    
+# Compares files of process against base version. Returns false if mismatch found.
+def checkFiles(tag, files, ignoreTime, sort, delete):
+    base = os.path.join(Base, tag)
+    work = workDir(tag)
+    
+    print "    Checking %s..." % tag,
+    
+    failed = False
+    
+    for file in files:
+        oldfile = os.path.join(base, file)
+        newfile = os.path.join(work, file)
+
+        canonicalizeFile(newfile, ignoreTime, False, sort, delete)
+	
+        if not diff(oldfile, newfile):
+            failed = True
+            break
+    
+    if not failed:
+        print "ok"
+    else:
+        Failed = failed
+
+# Compares files of two processes. Return false if mismatch found.
+def compareFiles(tag1, tag2, files, ignoreTime=False, ignoreSessionID=False, sort=False, delete=None):
+    work1 = workDir(tag1)
+    work2 = workDir(tag2)
+
+    print "    Comparing %s with %s..." % (tag1, tag2),
+    
+    failed = False
+    
+    for file in files:
+        file1 = os.path.join(work1, file)
+        file2 = os.path.join(work2, file)
+
+        canonicalizeFile(file1, ignoreTime, ignoreSessionID, sort, delete)
+        canonicalizeFile(file2, ignoreTime, ignoreSessionID, sort, delete)
+	
+        if not diff(file1, file2):
+            failed = True
+            break
+    
+    if not failed:
+        print "ok"
+    else:
+        Failed = failed
+        
+# Make the result of process new baseline.
+def makeNewBase(tag, files, ignoreTime, sort, delete):
+
+    try:
+        os.mkdir(Base)
+    except OSError, e:
+        if e.errno != errno.EEXIST:
+            raise
+        
+    base = os.path.join(Base, tag)
+    work = workDir(tag)
+
+    print "    Copying files for %s..." % tag
+    
+    try:
+        os.mkdir(base)
+    except OSError, e:
+        if e.errno != errno.EEXIST:
+            raise
+        
+    # Delete all files but those belonging to CVS.
+    os.system("find %s -type f -not -path '*/CVS/*' -not -path '*/.svn/*' -exec rm '{}' ';'" % base)
+    
+    for file in files:
+        oldfile = os.path.join(work, file)
+        newfile = os.path.join(base, file)
+	os.system("cp %s %s" % (oldfile, newfile))
+        canonicalizeFile(newfile, ignoreTime, False, sort, delete)
+
+def testSet(set):
+    if Options.set and set != Options.set:
+        return False
+    
+    print "Running set '%s' ..." % set
+    return True
+        
+# Either check given files or make it new baseline, depending on options.
+def finishTest(tag, files, ignoreTime=False, sort=False, delete=None):
+    if Options.newbase:
+	makeNewBase(tag, files, ignoreTime, sort, delete)
+    else:
+	checkFiles(tag, files, ignoreTime, sort, delete)    
diff --git a/testing/istate/traces/empty.trace b/testing/istate/traces/empty.trace
new file mode 100644
index 0000000000..3ee1117122
Binary files /dev/null and b/testing/istate/traces/empty.trace differ
diff --git a/testing/istate/traces/web.trace b/testing/istate/traces/web.trace
new file mode 100644
index 0000000000..1651085190
Binary files /dev/null and b/testing/istate/traces/web.trace differ